Summary of Contents for Huawei Quidway S2700 Series
Quidway S2700 Series Ethernet Switches V100R006C00 Configuration Guide - Security. Issue Date: 2011-07-15. HUAWEI TECHNOLOGIES CO., LTD.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice: The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope.
Quidway S2700 Series Ethernet Switches Configuration Guide - Security
About This Document
Intended Audience: This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the security features supported by the S2700.
Command Conventions: The command conventions that may be found in this document are defined as follows.
Boldface: The keywords of a command line are in boldface.
Contents
About This Document
1 AAA and User Management Configuration
1.1 Introduction to AAA and User Management
1.2 AAA and User Management Features Supported by the S2700
1.3 Configuring AAA Schemes
1.3.1 Establishing the Configuration Task
...
1.5.10 (Optional) Setting HWTACACS Timers
1.5.11 (Optional) Configuring Retransmission of Accounting-Stop Packet
1.5.12 Checking the Configuration
1.6 Configuring a Service Scheme
1.6.1 Establishing the Configuration Task
1.6.2 Creating a Service Scheme
1.6.3 Setting the Administrator Level
...
2.3.1 Establishing the Configuration Task
2.3.2 Enabling Global 802.1x Authentication
2.3.3 Enabling 802.1x Authentication on an Interface
2.3.4 (Optional) Enabling MAC Bypass Authentication
2.3.5 Setting the Authentication Method for the 802.1x User
2.3.6 (Optional) Configuring the Interface Access Mode
...
3.4 Preventing the DoS Attack by Changing the CHADDR Field
3.4.1 Establishing the Configuration Task
3.4.2 Enabling DHCP Snooping
3.4.3 Checking the CHADDR Field in DHCP Request Messages
3.4.4 Checking the Configuration
3.5 Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases
...
4.3 Configuring IP Source Guard
4.3.1 Establishing the Configuration Task
4.3.2 (Optional) Configuring a Static User Binding Entry
4.3.3 Enabling IP Source Guard
4.3.4 Configuring the Check Items of IP Packets
4.3.5 (Optional) Configuring the Alarm Function of IP Source Guard
...
7.4.1 Example for Configuring MFF
8 Traffic Suppression Configuration
8.1 Introduction to Traffic Suppression
8.2 Traffic Suppression Features Supported by the S2700
8.3 Configuring Traffic Suppression
8.3.1 Establishing the Configuration Task
8.3.2 Configuring Traffic Suppression on an Interface
...
10.3.3 Configuring an Interface as the Trusted Interface
10.3.4 (Optional) Configuring the Aging Function of the ND Dynamic Binding Table
10.3.5 Checking the Configuration
10.4 Maintaining ND Snooping
10.4.1 Clearing the Prefix Management Table
10.4.2 Resetting the ND Dynamic Binding Table
...
1 AAA and User Management Configuration
This chapter describes the principle and configuration of Authentication, Authorization, and Accounting (AAA), local user management, Remote Authentication Dial In User Service (RADIUS), HUAWEI Terminal Access Controller Access Control System (HWTACACS), and domains.
1.1 Introduction to AAA and User Management: This section describes the basics of AAA and user management.
1.1 Introduction to AAA and User Management
This section describes the basics of AAA and user management. AAA provides the following types of services:
Authentication: determines whether a given user is allowed to access the network.
The domain name delimiter can be @, |, or %. For example, the user "user@huawei" belongs to the domain "huawei". If there is no "@" in the user name, the user belongs to the domain "default".
The S2700 supports up to 32 domains, including the two default domains. Authorization configured in a domain has a lower priority than authorization configured on an AAA server.
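The domain resolution described on this page, as an added Python example (not Huawei code): it splits a login name at the first delimiter, falls back to the domain default, enforces the 32-domain limit and the active/block domain state, and derives the user name forwarded to RADIUS. The name of the second built-in domain and the exact effect of the domain-included setting are assumptions.

```python
# Added example (not Huawei code): how an AAA front end resolves the domain of a
# login name and derives the user name it sends on to the RADIUS server.

DELIMITERS = "@|%"          # domain delimiters the page lists
DEFAULT_DOMAIN = "default"  # domain used when the login name has no delimiter
MAX_DOMAINS = 32            # S2700 limit, including the two default domains


def split_user_domain(login_name):
    """Return (user, domain) for a login name such as "user@huawei".

    The first delimiter found ends the user part; a name without any
    delimiter belongs to the domain "default".
    """
    for i, ch in enumerate(login_name):
        if ch in DELIMITERS:
            return login_name[:i], login_name[i + 1:]
    return login_name, DEFAULT_DOMAIN


class DomainTable:
    """Domains created in the AAA view, each in state active or block."""

    def __init__(self):
        # "default" is the default domain the page names; "default_admin" is an
        # assumed name for the second built-in domain.
        self.domains = {"default": "active", "default_admin": "active"}

    def add(self, name, state="active"):
        if state not in ("active", "block"):
            raise ValueError("state must be active or block")
        if name not in self.domains and len(self.domains) >= MAX_DOMAINS:
            raise ValueError("S2700 supports at most %d domains" % MAX_DOMAINS)
        self.domains[name] = state

    def is_active(self, name):
        return self.domains.get(name) == "active"


def prepare_login(login_name, table, domain_included):
    """Decide whether a login may proceed and which user name goes to RADIUS.

    domain_included mirrors the radius-server user-name domain-included
    setting; the assumption here is that with it set the name is forwarded as
    entered, and without it only the user part is forwarded.
    """
    user, domain = split_user_domain(login_name)
    result = {"user": user, "domain": domain, "accepted": False, "radius_user_name": None}
    if not table.is_active(domain):          # unknown or blocked domain
        return result
    result["accepted"] = True
    result["radius_user_name"] = login_name if domain_included else user
    return result
```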
Data Preparation:
Name of the authentication scheme and the authentication mode
Name of the authorization scheme, the authorization mode, (optional) the user level in command-line-based authorization mode on the HWTACACS server, and (optional)
Run: authentication-mode { hwtacacs | radius | local } [ none ]
The authentication mode is set. none indicates the non-authentication mode. By default, the local authentication mode is used.
By default, an authorization scheme named default exists on the S2700. This scheme can be modified but cannot be deleted.
Step 4 Run: authorization-mode [ hwtacacs ] { if-authenticated | local | none }
The authorization mode is set.
The accounting mode is set. By default, the accounting mode is none. If the accounting mode is set to RADIUS or HWTACACS, you must configure the corresponding RADIUS or HWTACACS server template and apply it to the user domain.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: hwtacacs-server template
The HWTACACS server template is created.
Step 3 Run:
The AAA view is displayed.
Prerequisite: The configurations of AAA schemes are complete.
Procedure
Run the display aaa configuration command to check the summary of AAA.
Run the display authentication-scheme [ authentication-scheme-name ] command to check the configuration of the authentication scheme.
Data Preparation:
IP address of the RADIUS authentication server
IP address of the RADIUS accounting server
(Optional) Shared key of the RADIUS server
(Optional) User name format supported by...
Run: radius-server authentication ip-address port [ source loopback interface-number ]
The primary RADIUS authentication server is configured. By default, the IP address of the primary RADIUS authentication server is 0.0.0.0 and the port number is 0.
Step 3 Run: radius-server shared-key [ cipher | simple ] key-string
The shared key is set for a RADIUS server. By default, the shared key of a RADIUS server is huawei.
----End
1.4.7 (Optional) Setting the User Name Format Supported by a...
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: radius-server template template-name
The RADIUS server template view is displayed.
Step 3 Run: radius-server user-name domain-included
The user name format supported by a RADIUS server is set.
1.4.10 (Optional) Setting the NAS Port Format of a RADIUS Server
Context: The NAS port format and the NAS port ID format are defined by Huawei and are used to maintain connectivity and service cooperation among Huawei devices. Each of the two formats has a new form and an old form.
NAS port format: slot number (4 bits) + subslot number (2 bits) + port number (2 bits) + VPI (8 bits) + VCI (16 bits).
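The 32-bit layout above, packed and unpacked as an added Python example (not Huawei code): the field widths are taken from the page, and the RADIUS NAS-Port attribute wrapper assumes the standard type 5 integer attribute.

```python
import struct

# Added example (not Huawei code): pack and unpack the 32-bit NAS port value
# whose layout the page gives: slot (4) + subslot (2) + port (2) + VPI (8) + VCI (16).
NAS_PORT_FIELDS = (("slot", 4), ("subslot", 2), ("port", 2), ("vpi", 8), ("vci", 16))
NAS_PORT_BITS = sum(width for _, width in NAS_PORT_FIELDS)   # 32

RADIUS_ATTR_NAS_PORT = 5   # RADIUS attribute type of NAS-Port (RFC 2865)


def encode_nas_port(slot, subslot, port, vpi, vci):
    """Pack the five fields, most significant first, rejecting out-of-range values."""
    values = {"slot": slot, "subslot": subslot, "port": port, "vpi": vpi, "vci": vci}
    packed = 0
    for name, width in NAS_PORT_FIELDS:
        value = values[name]
        if not 0 <= value < (1 << width):
            raise ValueError("%s=%d does not fit in %d bits" % (name, value, width))
        packed = (packed << width) | value
    return packed


def decode_nas_port(packed):
    """Unpack a 32-bit NAS port value into a dict of its fields."""
    if not 0 <= packed < (1 << NAS_PORT_BITS):
        raise ValueError("NAS port value must fit in %d bits" % NAS_PORT_BITS)
    fields = {}
    shift = NAS_PORT_BITS
    for name, width in NAS_PORT_FIELDS:
        shift -= width
        fields[name] = (packed >> shift) & ((1 << width) - 1)
    return fields


def nas_port_attribute(packed):
    """Wire form of the RADIUS NAS-Port attribute: type, length 6, 32-bit value."""
    return struct.pack("!BBI", RADIUS_ATTR_NAS_PORT, 6, packed)
```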
Example: After completing the configuration of the RADIUS server template, you can run the display radius-server configuration command to check the configuration of all templates.
1.5.1 Establishing the Configuration Task
Applicable Environment: In remote authentication or authorization mode, you need to configure a server template as required. You need to configure an HWTACACS server template if HWTACACS is used in an authentication or authorization scheme.
The system view is displayed.
Step 2 Run: hwtacacs-server template template-name
An HWTACACS server template is created and the HWTACACS server template view is displayed.
Step 3 Run: hwtacacs-server authorization ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ]
The IP address of the primary HWTACACS authorization server is configured.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: hwtacacs-server template template-name
The HWTACACS server template view is displayed.
Step 3 Run: hwtacacs-server source-ip ip-address
The source IP address of HWTACACS packets is configured.
1.5.8 (Optional) Setting the User Name Format for an HWTACACS Server
Context
NOTE: A user name is in the format user name@domain name, and the character string after "@" is the domain name.
By default, traffic is expressed in bytes on the S2700.
----End
1.5.10 (Optional) Setting HWTACACS Timers
Procedure
Step 1 Run: system-view
The system view is displayed.
The system view is displayed.
Step 2 Run: hwtacacs-server accounting-stop-packet resend { disable | enable number }
Retransmission of the Accounting-Stop packet is configured.
1.6.1 Establishing the Configuration Task
Applicable Environment: Access users must acquire authorization information before going online. Authorization information for users can be managed through a service scheme.
Step 3 Run: service-scheme service-scheme-name
A service scheme is created. service-scheme-name is a string of 1 to 32 characters, excluding / \ : * ? " < > | @ ' %.
The service scheme view is displayed.
Step 4 Run: dns ip-address
The IP address of the primary DNS server is configured.
Step 5 (Optional) Run: dns ip-address secondary
The IP address of the secondary DNS server is configured.
NOTE: A modification to a domain takes effect the next time a user logs in.
Pre-configuration Tasks: Before configuring a domain, complete the following tasks:
Configuring authentication and authorization schemes
...
The S2700 supports up to 32 domains, including the two default domains.
----End
Follow-up Procedure: After creating a domain, you can run the domain domain-name [ admin ] command in the system view to configure the domain as the global default domain.
1.7.4 Configuring a RADIUS Server Template for a Domain
Context: If a remote RADIUS authentication scheme is used in a domain, you must apply a RADIUS server template to the domain.
The domain view is displayed.
Step 4 Run: hwtacacs-server template-name
An HWTACACS server template is configured for the domain. By default, no HWTACACS server template is configured for a domain.
Step 2 Run:
The AAA view is displayed.
Step 3 Run: domain domain-name
The domain view is displayed.
Step 4 Run: state { active | block }
The status of the domain is set.
Procedure: Run the display domain [ name domain-name ] command to check the configuration of the domain.
----End
Example: After the configuration, you can run the display domain command to view the summary of all domains.
Data Preparation:
User name and password
Access type of the local user
Name of the FTP directory that the local user can access
Status of the local user
...
The system view is displayed.
Step 2 Run:
The AAA view is displayed.
Step 3 Run: local-user user-name service-type { 8021x | bind | ftp | http | ppp | ssh | telnet | terminal | web | x25-pad }
The access type of the local user is set.
The system view is displayed.
Step 2 Run:
The AAA view is displayed.
Step 3 Run: local-user user-name state { active | block }
The status of a local user is set.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run:
The AAA view is displayed.
Step 3 Run: local-user user-name access-limit max-number
The maximum number of online local users is set.
1.9 Maintaining AAA and User Management
This section describes how to maintain AAA and user management.
1.9.1 Clearing the Statistics
Context
CAUTION: Statistics cannot be restored after you clear them. Confirm the action before running the command.
As shown in Figure 1-1, users access the network through Switch A and are located in the domain huawei. Switch B acts as the network access server of the destination network. The user's access request must traverse the networks of Switch A and Switch B to reach the authentication server.
Figure 1-1 Networking diagram of RADIUS authentication and accounting (labels in the figure: Domain Huawei, Switch A, Switch B, 129.7.66.66/24, Network, 129.7.66.67/24, Destination Network)
Configuration Roadmap: The configuration roadmap is as follows:
Configure a RADIUS server template.
[Quidway-aaa] accounting-scheme 1
Info: Create a new accounting scheme
[Quidway-aaa-accounting-1] accounting-mode radius
[Quidway-aaa-accounting-1] quit
Step 3 Configure the domain huawei and apply authentication scheme 1, accounting scheme 1, and RADIUS server template shiva to the domain.
[Quidway-aaa] domain huawei
[Quidway-aaa-domain-huawei] authentication-scheme 1
[Quidway-aaa-domain-huawei] accounting-scheme 1
[Quidway-aaa-domain-huawei] radius-server shiva
Step 4 Verify the configuration.
Figure 1-2 Networking diagram of HWTACACS authentication, accounting, and authorization (labels in the figure: Domain Huawei, Switch A, Switch B, 129.7.66.66/24, Network, 129.7.66.67/24, Destination Network)
Configuration Roadmap: The configuration roadmap is as follows:
Configure an HWTACACS server template.
# Set the interval of interim accounting to 3 minutes.
[Quidway-aaa-accounting-hwtacacs] accounting realtime 3
[Quidway-aaa-accounting-hwtacacs] quit
Step 3 Create the domain Huawei and apply the authentication scheme 1-h, the HWTACACS authentication scheme, the HWTACACS accounting scheme, and the HWTACACS server template ht to the domain.
Run the display hwtacacs-server template command on Switch B to confirm that the configuration of the HWTACACS server template meets the requirements.
<Quidway> display hwtacacs-server template ht
...
2 NAC Configuration
About This Chapter: This chapter describes the working principle and configuration of network access control (NAC).
Context
NOTE: The S2700SI does not support NAC.
2.1 Introduction to NAC: This section describes the working principle of NAC.
2.1 Introduction to NAC
This section describes the working principle of NAC. Traditional network security technologies focus on threats from external computers rather than threats from internal computers. In addition, current network devices cannot prevent attacks initiated by internal devices on the network.
... user or no user accesses the network, the interface is closed. The authentication result is reflected by the status of the interface. The IP address negotiation and allocation considered in common authentication technologies are not involved.
The S2700 automatically assigns a VLAN to users after they pass 802.1x authentication, MAC address authentication, or MAC address bypass authentication. When passing 802.1x authentication, MAC address authentication, or MAC bypass...
Data: Number of the interface on which 802.1x authentication is enabled
2.3.2 Enabling Global 802.1x Authentication
Context: Before 802.1x authentication is configured, 802.1x must be enabled globally.
Run: dot1x enable interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
802.1x authentication is enabled on the interfaces. You can enable 802.1x authentication on interfaces in batches by specifying the interface list in the dot1x enable command in the system view.
In the interface view:
Run: system-view
The system view is displayed.
Run: interface interface-type interface-number
The interface view is displayed.
Run: dot1x mac-bypass
MAC address bypass authentication is enabled on the interface.
... compared with PAP authentication, CHAP authentication is more secure and reliable and better protects user privacy.
In Extensible Authentication Protocol (EAP) authentication, the S2700 sends the authentication information of an 802.1x user to the RADIUS server in EAP packets without converting the EAP packets into RADIUS packets.
Run: interface interface-type interface-number
The interface view is displayed.
Run: dot1x port-method { mac | port }
The access mode of the interface is configured. By default, the access mode of an interface is MAC mode.
Run: dot1x port-control { auto | authorized-force | unauthorized-force }
The authorization status of the interface is configured. By default, the authorization status of an interface is auto.
Run: dot1x max-user user-number
The maximum number of concurrent access users on the interface is set. By default, each interface allows up to 8 concurrent access users. This command takes effect only on interfaces where users are authenticated based on MAC addresses.
To adjust the exchange process, you can run commands to change the values of some timers; other timers cannot be adjusted. Adjusting them may be necessary in certain cases or in a poor network environment.
The system view is displayed.
Step 2 Run: dot1x quiet-period
The quiet timer function is enabled. By default, the quiet timer function is disabled. During the quiet period, the S2700 discards 802.1x authentication request packets from the user.
The interface view is displayed.
Run: dot1x reauthenticate
Re-authentication is enabled on the interface. By default, 802.1x re-authentication is disabled on an interface. You can run the dot1x timer command to set the re-authentication timeout interval. For details, see 2.3.10 (Optional) Configuring 802.1x...
Online Users
Context: The S2700 can send handshake packets to a Huawei client to detect whether the user is online. If the client does not support the handshake function, the S2700 will not receive handshake response packets within the handshake interval. In this case, you need to disable the user handshake function to prevent the S2700 from disconnecting users by mistake.
... authentication request has been sent the maximum number of times, the S2700 does not retransmit the authentication request to the user.
Procedure
Step 1 Run: system-view
The system view is displayed.
EAPOL LogOff Packets
EAPOL Response/Identity Packets : 1
EAPOL Response/Challenge Packets: 1
View information about the MAC addresses used in 802.1x authentication or MAC address authentication.
<Quidway> display mac-address authen...
Data Preparation: To configure MAC address authentication, you need the following data.
Data: Number of the interface on which MAC address authentication is enabled
2.4.2 Enabling Global MAC Address Authentication...
Procedure
In the system view:
Run: system-view
The system view is displayed.
Run: mac-authen interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
MAC address authentication is enabled on the interfaces.
A MAC address used as the user name can take either of two formats: with hyphens (such as 0010-8300-0011) or without hyphens (such as 001083000011).
guest-vlan reauthenticate-period: Interval for re-authenticating users in a guest VLAN. By default, the re-authentication interval is 60s.
offline-detect: Offline-detect timer used to set the interval at which the S2700 checks whether a user has gone offline.
The interface view is displayed.
Run: mac-authen guest-vlan vlan-id
The guest VLAN of the interface is configured. By default, no guest VLAN is configured on an interface.
----End
2.4.8 (Optional) Setting the Maximum Number of Access Users...
By default, the maximum number of access users using MAC address authentication on an interface of the S2700 is 8. The maximum number of NAC access users is 128.
Procedure
Run the display mac-authen [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to view the configuration of MAC address authentication.
Run the display mac-address { authen | guest } [ vlan vlan-id ] command to check the configuration of 802.1x authentication and MAC address authentication or information...
Procedure: Run the reset mac-authen statistics [ interface { interface-type interface-number1 [ to interface-number2 ] } ] command to clear the statistics about MAC address authentication.
----End
2.6 Configuration Examples: This section provides several configuration examples of NAC.
Configure 802.1x authentication.
Data Preparation: To complete the configuration, you need the following data:
IP address of the RADIUS authentication server: 100.1.1.1; authentication port number: 1812
RADIUS server template: rd1
...
[Quidway] dot1x enable
Step 6 Verify the configuration.
After the user goes online successfully, ping the HTTP server from the PC to check whether ACL 3000 takes effect.
3 DHCP Snooping Configuration
About This Chapter: This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP) snooping on the S2700 to defend against DHCP attacks.
Context
NOTE: The S2700SI does not support DHCP snooping.
An alarm is generated when the number of discarded packets exceeds the threshold.
3.9 Maintaining DHCP Snooping: This section describes how to maintain DHCP snooping.
3.10 Configuration Examples: This section provides several configuration examples of DHCP snooping.
3.1 Introduction to DHCP Snooping
This section describes the principle of DHCP snooping. DHCP snooping intercepts and analyzes DHCP messages transmitted between DHCP clients and a DHCP server. In this way, DHCP snooping creates and maintains a DHCP snooping binding table and filters untrusted DHCP messages according to that table.
3.3 Preventing the Bogus DHCP Server Attack
To prevent attacks from a bogus DHCP server, use the trusted/untrusted working mode of DHCP snooping.
3.3.1 Establishing the Configuration Task
Establishing the configuration task for preventing the bogus DHCP server attack.
Enable DHCP snooping globally.
Enable DHCP snooping on an interface or in a VLAN.
Procedure
Enabling DHCP snooping in the VLAN view:
Run: system-view
The system view is displayed.
DHCP snooping is enabled globally.
Run: interface interface-type interface-number
The interface view is displayed.
Run: dhcp snooping enable
DHCP snooping is enabled on the interface.
----End
3.3.3 Configuring an Interface as a Trusted Interface
Generally, the interface connected to the DHCP server is configured as trusted and all other interfaces are configured as untrusted.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: dhcp server detect
Detection of bogus DHCP servers is enabled. By default, detection of bogus DHCP servers is disabled on the S2700.
Applicable Environment: An attacker may change the client hardware address (CHADDR) carried in DHCP messages, rather than the source MAC address in the frame header, to apply for IP addresses continuously.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number
The interface view is displayed. The interface is the user-side interface.
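The CHADDR check of section 3.4, as an added Python example (not Huawei code): it parses an Ethernet/IPv4/UDP/DHCP frame, compares the CHADDR in a BOOTREQUEST with the frame's source MAC, and returns the verdict a user-side interface would apply; the sample frames are constructed by the block itself with zero checksums.

```python
import struct

# Added example (not Huawei code): the check a DHCP-snooping switch applies on a
# user-side interface, comparing the CHADDR in a DHCP request with the source
# MAC of the Ethernet frame that carried it. Sample frames are constructed below.

ETH_HDR = struct.Struct("!6s6sH")                   # dst MAC, src MAC, EtherType
IP_HDR = struct.Struct("!BBHHHBBH4s4s")             # minimal IPv4 header, 20 bytes
UDP_HDR = struct.Struct("!HHHH")                    # sport, dport, length, checksum
DHCP_FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s")   # op .. chaddr, 44 bytes
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
DHCP_SERVER_PORT = 67
BOOTREQUEST = 1


def parse_dhcp_request(frame):
    """Return (src_mac, chaddr) for a client-to-server DHCP request, else None."""
    if len(frame) < ETH_HDR.size:
        return None
    _, src_mac, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip_off = ETH_HDR.size
    if len(frame) < ip_off + IP_HDR.size:
        return None
    ver_ihl = frame[ip_off]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < IP_HDR.size or frame[ip_off + 9] != IPPROTO_UDP:
        return None
    udp_off = ip_off + ihl
    if len(frame) < udp_off + UDP_HDR.size:
        return None
    _, dport, _, _ = UDP_HDR.unpack_from(frame, udp_off)
    if dport != DHCP_SERVER_PORT:
        return None
    dhcp_off = udp_off + UDP_HDR.size
    if len(frame) < dhcp_off + DHCP_FIXED.size:
        return None
    op, _htype, hlen, *_rest, chaddr = DHCP_FIXED.unpack_from(frame, dhcp_off)
    if op != BOOTREQUEST or not 1 <= hlen <= 16:
        return None
    return src_mac, chaddr[:hlen]


def chaddr_check(frame):
    """Verdict for one frame: "not-dhcp", "pass" or "discard"."""
    parsed = parse_dhcp_request(frame)
    if parsed is None:
        return "not-dhcp"          # the CHADDR check does not apply
    src_mac, chaddr = parsed
    return "pass" if chaddr == src_mac else "discard"


def build_dhcp_request(src_mac, chaddr, xid=0x3903F326):
    """Constructed sample frame: Ethernet/IPv4/UDP/DHCP (checksums left zero)."""
    dhcp = DHCP_FIXED.pack(BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                           b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                           chaddr.ljust(16, b"\0")) + b"\x63\x82\x53\x63"
    udp = UDP_HDR.pack(68, DHCP_SERVER_PORT, UDP_HDR.size + len(dhcp), 0) + dhcp
    ip = IP_HDR.pack(0x45, 0, IP_HDR.size + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     b"\0\0\0\0", b"\xff\xff\xff\xff") + udp
    return ETH_HDR.pack(b"\xff" * 6, src_mac, ETHERTYPE_IPV4) + ip
```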
Applicable Environment: An attacker pretends to be a valid user and continuously sends DHCP Request messages to extend the IP address lease. As a result, certain expired IP addresses cannot be reused.
Context: To enable DHCP snooping, you need to follow this sequence:
Enable DHCP globally.
Enable DHCP snooping globally.
Enable DHCP snooping on an interface or in a VLAN.
DHCP is enabled globally.
Run: dhcp snooping enable
DHCP snooping is enabled globally.
Run: interface interface-type interface-number
The interface view is displayed.
Run: dhcp snooping enable
DHCP snooping is enabled on the interface.
Procedure
In the interface view:
Run: system-view
The system view is displayed.
Run: interface interface-type interface-number
The interface view is displayed. The interface is the user-side interface.
The preceding commands take effect only if the interfaces have been added to the VLAN in step 2.
– After the dhcp option82 insert enable interface { interface-name | interface-...
The format of the Option 82 field is set.
NOTE If the customized format of the Option 82 field is used (that is, user-defined is specified), it is recommended that you specify the interface type, slot ID, and interface number in text.
3.6.2 Enabling DHCP Snooping
After DHCP snooping is enabled globally, it must also be enabled on an interface or in a VLAN. Otherwise, DHCP snooping does not take effect.
3.6.4 (Optional) Configuring MAC Address Security on an Interface
MAC addresses of DHCP users in the dynamic binding table can be converted to static MAC addresses, and packets from these users can be forwarded. MAC addresses of static users in the static binding table cannot be converted to static MAC addresses.
3.6.5 Checking the Configuration
This section describes how to check the configuration of the maximum number of DHCP snooping users.
Prerequisite
The configuration of the maximum number of users is complete.
Data: Rate at which DHCP messages are sent to the protocol stack
3.7.2 Enabling DHCP Snooping
After DHCP snooping is enabled globally, it must also be enabled on an interface or in a VLAN.
DHCP snooping is disabled on the specified interface in the VLAN. To disable DHCP snooping on a specified interface in a VLAN, perform steps 6 and Enabling DHCP snooping in the interface view...
Setting the maximum rate of sending DHCP messages in the VLAN view
Run: system-view
The system view is displayed.
Run: vlan vlan-id
The VLAN view is displayed.
Prerequisite
The configuration of limiting the rate of sending DHCP messages is complete.
Procedure
Run the display dhcp snooping global command to check information about global DHCP snooping.
Configuring the checking of DHCP messages
Configuring the checking of the CHADDR field in DHCP Request messages
Configuring the checking of the rate of sending DHCP messages
Data Preparation
To configure the packet discarding alarm function, you need the following data.
quit
Return to the system view.
(Optional) Run: interface interface-type interface-number
The interface view is displayed.
(Optional) Run: dhcp snooping disable
DHCP snooping is disabled on the specified interface in the VLAN.
The system view is displayed.
Run: dhcp snooping alarm threshold threshold
The alarm threshold for the number of globally discarded packets is set. By default, the global alarm threshold for the number of discarded DHCP messages is 100 pps.
– DHCP Request messages whose source MAC address does not match the CHADDR field
----End
3.8.4 Checking the Configuration
Checking the configuration of the packet discarding alarm function.
Context
NOTE After the networking environment changes, DHCP snooping binding entries do not age immediately. However, the following information in DHCP snooping binding entries may change, causing packet...
Figure 3-2 Networking diagram for preventing bogus DHCP server attacks (ISP network; L3 network with a DHCP relay; L2 network in which the DHCP server connects to GE0/0/1 of the Switch and the user network connects to GE0/0/2)
Configuration Roadmap
The configuration roadmap is as follows (assume that the DHCP server has been configured):
# Enable bogus DHCP server detection.
[Quidway] dhcp server detect
# Enable DHCP snooping on the user-side interface.
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] dhcp snooping enable
[Quidway-GigabitEthernet0/0/2] quit
Step 2 Configure the interface as a trusted or an untrusted interface.
Configuration Files
dhcp enable
dhcp snooping enable
dhcp server detect
interface GigabitEthernet0/0/1
 dhcp snooping trusted
interface GigabitEthernet0/0/2
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
return
3.10.2 Example for Preventing DoS Attacks by Changing the...
Configuration Roadmap
The configuration roadmap is as follows:
Enable DHCP snooping globally and on the interface.
Configure the interface connected to the DHCP server as the trusted interface.
Enable DHCP snooping globally and in the interface view.
Configure the interface connected to the DHCP server as the trusted interface.
Set the rate at which DHCP Request messages are sent to the protocol stack on the interfaces.
Run the display dhcp snooping global command on the Switch to verify that DHCP snooping is enabled globally or in the interface view.
[Quidway] display dhcp snooping global...
3.10.5 Example for Applying DHCP Snooping on a Layer 2 Network
This section describes the configuration of DHCP snooping on a Layer 2 network, including configuration of the trusted interface, checking of DHCP messages, limiting of the rate of sending DHCP messages, and the Option 82 function.
Set the rate at which DHCP Request messages are sent to the protocol stack to prevent attackers from sending a large number of DHCP Request messages.
Configure the Option 82 function.
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] dhcp snooping check dhcp-request enable
[Quidway-Ethernet0/0/1] dhcp snooping alarm dhcp-request enable threshold 120
# Enable the checking of the CHADDR field and the alarm function on the interfaces on the DHCP client side to prevent attackers from changing the CHADDR field in DHCP Request messages.
Dhcp snooping enable is configured at these interface :
 Ethernet0/0/1 Ethernet0/0/2
Dhcp snooping trusted is configured at these interface :
 GigabitEthernet0/0/1
Dhcp option82 insert is configured at these interface :...
Quidway S2700 Series Ethernet Switches Configuration Guide - Security
4 Source IP Attack Defense Configuration
About This Chapter
This chapter describes the principle and configuration of source IP attack defense.
Context
NOTE The source IP attack defense function cannot be used on the S2700SI.
4.1 Overview of IP Source Guard
This section describes the principle of IP Source Guard. Source IP address spoofing is a common network attack: for example, an attacker impersonates a valid user and sends IP packets to the server, or forges the source IP addresses of users for communication.
IP Source Guard
The IP Source Guard feature checks IP packets against the binding table, which includes source IP addresses, source MAC addresses, interfaces, and VLANs. For example, in...
Data
(Optional) User information in a static binding entry, including the IPv4 or IPv6 address, MAC address, VLAN ID, and interface number of the user...
Or, run: vlan vlan-id
The VLAN view is displayed.
Step 3 Run: ip source check user-bind enable
The IP source guard function is enabled on the interface.
NOTE This command is valid only for dynamic binding entries.
----End
4.3.5 (Optional) Configuring the Alarm Function of IP Source Guard
When the alarm function of IP source guard is enabled, the S2700 counts the number of received IP packets whose rate exceeds the threshold.
The system view is displayed.
Step 2 Run: ip anti-attack source-ip equals destination-ip drop
The function of discarding IP packets with the same source and destination IP addresses is enabled.
Figure 4-2 Networking diagram for configuring IP source guard (Server connected to the Switch; Host A on Ethernet0/0/1 with IP 10.0.0.1/24 and MAC 1-1-1; Host B (Attacker) on Ethernet0/0/2 with IP 10.0.0.2/24 and MAC 2-2-2, sending packets with SIP 10.0.0.1/24 and SMAC 2-2-2)
Configuration Roadmap
Assume that the user obtains an IP address through DHCP.
# Enable the IP source guard function on Ethernet 0/0/2, which is connected to Host B.
[Quidway] interface ethernet 0/0/2
[Quidway-Ethernet0/0/2] ip source check user-bind enable
[Quidway-Ethernet0/0/2] quit
# Enable the alarm function for checking received IP packets on Ethernet 0/0/2, which is connected to Host B.
Quidway S2700 Series Ethernet Switches Configuration Guide - Security
5 Local Attack Defense Configuration
About This Chapter
This chapter describes the principle and configuration of local attack defense.
5.1 Configuring the Attack Defense Policy
This section describes how to configure the attack defense policy.
5.1 Configuring the Attack Defense Policy
This section describes how to configure the attack defense policy.
5.1.1 Establishing the Configuration Task
This section describes how to establish the configuration task of an attack defense policy.
The maximum rate of packets sent to the CPU is set. (S2700SI)
NOTE The maximum rate of packets in a queue sent to the CPU cannot be set on the S2700SI.
Quidway S2700 Series Ethernet Switches Configuration Guide - Security
6 PPPoE+ Configuration
About This Chapter
This chapter describes how to configure PPPoE+.
NOTE The S2700SI does not support PPPoE+.
6.1 PPPoE+ Overview
This section describes the principle of PPPoE+.
6.1 PPPoE+ Overview
This section describes the principle of PPPoE+. Currently, PPPoE provides a good authentication and security mechanism, but it still has certain disadvantages, for example, account theft. In common PPPoE dialup mode, when users dial up through PPPoE from different interfaces of devices, they can access the network as long as their accounts are authenticated successfully on the same RADIUS server.
6.3.2 Enabling PPPoE+ Globally
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: pppoe intermediate-agent information enable
PPPoE+ is enabled globally. After the pppoe intermediate-agent information enable command is run in the system view, PPPoE+ is enabled on all interfaces.
adopt a different action on an interface, run the pppoe intermediate-agent information policy command in the interface view. In this case, the action for processing packets on the interface depends on the configuration of the interface.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number
The Ethernet interface view is displayed.
Step 3 Run: pppoe uplink-port trusted
The interface is configured as the trusted interface.
Figure 6-1 Networking diagram for configuring PPPoE+ (PPPoE server in the IP network connected to GE0/0/1 of the PPPoE+ Switch; PPPoE clients connected to Ethernet 0/0/1 and Ethernet 0/0/2)
Configuration Roadmap
The configuration roadmap is as follows:
Enable PPPoE+ globally.
Step 3 Configure the action for processing original fields in PPPoE packets. Configure all interfaces to replace the original fields in PPPoE packets with the circuit ID of the Switch.
Quidway S2700 Series Ethernet Switches Configuration Guide - Security
7 MFF Configuration
About This Chapter
This section describes the principle and configuration of the MAC-Forced Forwarding (MFF) function.
Context
NOTE The S2700SI does not support the MFF function.
7.1 MFF Overview
This section describes the principle of the MFF function.
7.1 MFF Overview
This section describes the principle of the MFF function.
Background
In traditional Ethernet solutions, VLANs are usually configured on switches to implement Layer 2 isolation and Layer 3 interconnection between clients. When many users need to be isolated at Layer 2, a large number of VLANs are required.
7.2 MFF Features Supported by the S2700
This section describes the MFF features supported by the S2700.
Static Gateway
The static gateway applies to scenarios where IP addresses are set statically. When users are assigned IP addresses statically, they cannot obtain gateway information through DHCP packets.
Transparently Transmitting User Status Detection Packets
If the gateway provides an accounting function, it needs to detect whether users are online. The MFF-enabled S2700 can transparently transmit user status detection packets so that the gateway is aware of user status changes immediately.
Context
You can perform other MFF configurations only after enabling global MFF.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: mac-forced-forwarding enable
Global MFF is enabled.
Context
If an MFF-enabled network has multiple S2700s, at least one Network-to-Network Interface (NNI) must reside in the VLAN configured with MFF.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: vlan vlan-id
The VLAN view is displayed.
Step 3 Run: mac-forced-forwarding gateway-detect
Timed gateway address detection is enabled. After timed gateway address detection is enabled, the S2700 sends ARP packets periodically to detect the gateway.
The gateway is allowed to detect online users by sending ARP request packets.
----End
7.3.9 (Optional) Discarding IPv6 Packets Sent from Users
Procedure
Step 1 Run: system-view
The system view is displayed.
192.168.1.3
--------------------------------------------------------------------
User IP          User MAC            Gateway IP      Gateway MAC
--------------------------------------------------------------------
192.168.1.10     00-01-00-01-00-01   192.168.1.254   00-02-00-02-00-01
192.168.1.11     00-01-00-01-00-02   192.168.1.254   00-02-00-02-00-01
192.168.1.12     00-01-00-01-00-03   192.168.1.252   00-02-00-02-00-03
--------------------------------------------------------------------
[Vlan 100] MFF host total count = 3
7.4 Configuration Examples...
Enable global MFF.
Configure the MFF network interfaces.
Enable MFF for the VLAN.
(Optional) Enable the function of timed gateway address detection.
(Optional) Configure the server.
Data Preparation...
# Enable global MFF on Switch A.
[SwitchA] mac-forced-forwarding enable
# Enable global MFF on Switch B.
[SwitchB] mac-forced-forwarding enable
Step 3 Configure the MFF network interfaces.
# Configure GE 0/0/1 of Switch A as the network interface.
Quidway S2700 Series Ethernet Switches Configuration Guide - Security
8 Traffic Suppression Configuration
About This Chapter
This chapter describes the principle and configuration of traffic suppression.
8.1 Introduction to Traffic Suppression
This section describes the principle of traffic suppression.
8.1 Introduction to Traffic Suppression
This section describes the principle of traffic suppression. Broadcast packets, multicast packets, and unknown unicast packets entering the S2700 are forwarded on all interfaces in a VLAN. These three types of packets consume a great deal of bandwidth, reduce the available bandwidth of the system, and affect normal forwarding and processing capabilities.
Data
Type of traffic (broadcast, multicast, or unknown unicast traffic) that needs to be suppressed
Mode in which traffic is suppressed (rate percentage on a physical interface)
Limited rate, including bandwidth percentage.
Procedure
Run the display flow-suppression interface interface-type interface-number command to check the configuration of traffic suppression.
----End
Example
Run the display flow-suppression interface interface-type interface-number command to view the configuration of traffic suppression on a specified interface.
Traffic suppression for broadcast, unknown unicast, and multicast packets based on the rate percentage
Maximum rate of broadcast, unknown unicast, and multicast packets being 80 percent of...
Quidway S2700 Series Ethernet Switches Configuration Guide - Security
9 ACL Configuration
About This Chapter
An ACL classifies packets according to rules. After these rules are applied to interfaces on the S2700, the S2700 can determine which packets are accepted and which are rejected.
ACL is set to be in permit mode, the packets matching the ACL are processed by the S2700 according to the action defined by the traffic behavior in QoS. For details on the traffic behavior, see the Quidway S2700 Series Ethernet Switches Configuration Guide - QoS.
When the ACL is imported by the upper-layer software, the packets matching the ACL are processed by the S2700 according to the action deny or permit defined in the ACL. For details on login user control, see the Quidway S2700 Series Ethernet Switches Configuration Guide - Basic Configurations.
Data
Number of the ACL rule and the rule that identifies the type of packets, including the protocol, source address, source port, destination address, destination port, type and code of Internet Control Message Protocol (ICMP), IP precedence, and Type of...
If the number of a named ACL is not specified, the S2700 automatically allocates a number to the named ACL. The following situations are involved:
– If the type of a named ACL is specified, the number allocated by the S2700 to the named ACL is the maximum value for named ACLs of that type.
acl name acl-name
The ACL view is displayed.
Step 3 Run: description description
The description of the ACL is configured. The description of an ACL is a string of up to 127 characters that describes the usage of the ACL.
acl [ number ] acl-number
An advanced ACL is created based on the number.
Or, run: acl name acl-name [ advance | acl-number ]
An advanced ACL is created based on the name.
The system view is displayed.
Step 2 Run: acl [ number ] acl-number
A Layer 2 ACL is created based on the number.
Or, run: acl name acl-name [ link | acl-number ]
A Layer 2 ACL is created based on the name.
9.3.9 Checking the Configuration
Checking the configuration of the ACL.
Prerequisite
The configurations of the ACL are complete.
Procedure
Run the display acl { acl-number | all } command to check the ACL rules based on the number.
Configuring policy-based routing
Configuring a routing policy
Pre-configuration Tasks
None
Data Preparation
To configure an ACL6, you need the following data.
Data
Number or name of the ACL6...
Run: acl ipv6 name acl6-name [ advance | basic | acl6-number ]
An ACL6 is created based on the name. If the number of a named ACL6 is not specified, the S2700 automatically allocates a number to the named ACL6.
The system view is displayed.
Step 2 Run: acl ipv6 [ number ] acl6-number
A basic ACL6 is created based on the number.
Or, run: acl ipv6 name acl6-name [ advance | basic | acl6-number ]
A basic ACL6 is created based on the name.
<Quidway> display acl ipv6 name test
Advanced IPv6 ACL 3999 name test, 1 rule
 rule 0 permit udp
# Run the display time-range command to view the configuration and status of the current time range.
Data Preparation
To complete the configuration, you need the following data:
ACL number
IP address of user A
Names of the traffic classifier, traffic behavior, and traffic policy
Interface where the traffic policy is applied
Procedure
Step 1 Configure the traffic classifier based on the ACL rules.
<Quidway> display traffic policy user-defined tp1
 User Defined Traffic Policy Information:
 Policy: tp1
 Classifier: tc1
 Operator: AND
 Behavior: tb1
 Deny
----End
Configuration Files
acl number 2000
 rule 5 permit source 10.0.0.0 0.0.0.255...
Configuration Roadmap
The configuration roadmap is as follows:
Assign IP addresses to interfaces.
Configure the time range.
Configure the ACL.
Configure the traffic classifier.
Configure the traffic behavior.
<Quidway> system-view
[Quidway] time-range satime 8:00 to 17:30 working-day
Step 3 Configure ACLs.
# Configure the ACL for the personnel of the marketing department to access the salary query server.
interface GigabitEthernet0/0/1
 traffic-policy tp1 inbound
return
9.5.4 Example for Configuring an ACL6 to Control FTP User Access
Networking Requirements
As shown in Figure 9-4, the IP address of the switch that functions as the FTP server is 3002::1/64.
Step 3 Bind the basic ACL6 to the FTP server.
[Quidway] ftp ipv6 acl 2001
Step 4 Verify the configuration.
# Connect PC1 to the FTP server.
c:\ ftp 3002::1
Connected to 3002::1
220 FTP service ready.
Quidway S2700 Series Ethernet Switches Configuration Guide - Security
10 ND Snooping Configuration
About This Chapter
This chapter describes the principle and configuration method of neighbor discovery (ND) snooping and provides configuration examples.
Context
NOTE The S2700SI does not support ND snooping.
10.1 ND Snooping Overview
This section describes the principle of ND snooping. Neighbor discovery (ND) is a group of messages and processes that identify relationships between neighboring nodes. IPv6 ND corresponds to a combination of the Address Resolution Protocol (ARP), ICMP router discovery, and ICMP Redirect in IPv4.
Figure 10-1 ND snooping enabled on the S2700 of the Layer 2 network (trusted network with the Router acting as ND server; the Switch; the untrusted user network)
10.3 Configuring ND Snooping
This section describes the basic concepts of ND snooping and the procedure for configuring ND snooping, and provides configuration examples of ND snooping.
NS messages. The ND dynamic binding table stores the IPv6 addresses, MAC addresses, and VLAN IDs of clients. The S2700 delivers the ND dynamic binding entries to the automatically generated ACL.
Run: nd snooping enable
ND snooping is enabled on the interface.
Configuring ND snooping in a VLAN
Run: system-view
The system view is displayed.
Run: dhcp enable
DHCP is enabled globally.
The interface view is displayed.
Run: nd snooping trusted
The interface is configured as the trusted interface.
Configuring ND snooping in a VLAN
Run: system-view
The system view is displayed.
By default, the aging function of the ND dynamic binding table is disabled.
Step 3 Run: nd user-bind detect retransmit retransmit-times interval retransmit-interval
The detection interval and the number of detection attempts for aging ND dynamic binding entries are set.
3001::E58C:A2E7:AA4C:8E59 00e0-4c7c-af8f 2011.05.06-20:09
--------------------------------------------------------------------------------
print count: total count:
Run the display this command in the system view to view the configuration of ND snooping.
[Quidway] display this...
NOTE After the networking environment changes, ND dynamic binding entries do not age immediately. However, the following information in ND dynamic binding entries may change, causing packet forwarding failure:...
Configuration Roadmap
The configuration roadmap is as follows (assume that the ND server is configured):
Enable ND snooping in the system view and interface view.
Configure the interface connected to the ND server as the trusted interface.
Run the display nd snooping prefix command to view the prefix management table of ND users.
<Quidway> display nd snooping prefix
prefix-table:
Prefix Length Valid-Time...