Huawei Quidway S9300 Configuration Manual page 4

Contents
1.6.3 Configuring an HWTACACS Authentication Server..........................................................................1-23
1.6.4 Configuring an HWTACACS Authorization Server...........................................................................1-23
1.6.5 (Optional) Configuring the Source IP Address of the HWTACACS Server.......................................1-24
1.6.6 (Optional) Setting the Shared Key of an HWTACACS Server...........................................................1-24
1.6.7 (Optional) Setting the User Name Format for an HWTACACS Server..............................................1-25
1.6.8 (Optional) Setting the Traffic Unit for an HWTACACS Server..........................................................1-25
1.6.9 (Optional) Setting HWTACACS Timers.............................................................................................1-26
1.6.10 Checking the Configuration...............................................................................................................1-26
1.7 Configuring a Domain...................................................................................................................................1-27
1.7.1 Establishing the Configuration Task....................................................................................................1-27
1.7.2 Creating a Domain...............................................................................................................................1-28
1.7.3 Configuring Authentication and Authorization Schemes for a Domain..............................................1-29
1.7.4 Configuring a RADIUS Server Template for a Domain......................................................................1-29
1.7.5 Configuring an HWTACACS Server Template for a Domain............................................................1-30
1.7.6 (Optional) Setting the Status of a Domain...........................................................................................1-30
1.7.7 Checking the Configuration.................................................................................................................1-31
1.8 Maintaining AAA and User Management....................................................................................................1-32
1.8.1 Clearing the Statistics...........................................................................................................................1-32
1.8.2 Debugging............................................................................................................................................1-32
1.9 Configuration Examples................................................................................................................................1-33
1.9.1 Example for Using RADIUS to Authenticate Users............................................................................1-33
1.9.2 Example for Using HWTACACS to Authenticate and Authorize Users.............................................1-36
2 DHCP Snooping Configuration..............................................................................................2-1
2.1 Introduction to DHCP Snooping.....................................................................................................................2-2
2.2 DHCP Snooping Features Supported by the S9300........................................................................................2-2
2.3 Preventing the Bogus DHCP Server Attack....................................................................................................2-4
2.3.1 Establishing the Configuration Task......................................................................................................2-4
2.3.2 Enabling DHCP Snooping.....................................................................................................................2-5
2.3.3 Configuring an Interface as a Trusted Interface.....................................................................................2-6
2.3.4 (Optional) Enabling Detection of Bogus DHCP Servers.......................................................................2-6
2.3.5 Checking the Configuration...................................................................................................................2-7
2.4 Preventing the DoS Attack by Changing the CHADDR Field.......................................................................2-8
2.4.1 Establishing the Configuration Task......................................................................................................2-8
2.4.2 Enabling DHCP Snooping.....................................................................................................................2-9
2.4.3 Checking the CHADDR Field in DHCP Request Messages.................................................................2-9
2.4.4 Checking the Configuration.................................................................................................................2-10
2.5 Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases.............2-10
2.5.1 Establishing the Configuration Task....................................................................................................2-11
2.5.2 Enabling DHCP Snooping...................................................................................................................2-12
2.5.3 (Optional) Configuring Static User Binding Table..............................................................................2-12
2.5.4 Enabling the Checking of DHCP Request Messages...........................................................................2-13
2.5.5 (Optional) Configuring the Option 82 Function..................................................................................2-13
ii Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
Quidway S9300 Terabit Routing Switch
Configuration Guide - Security
Issue 01 (2009-07-28)