H3C  SecPath F1800-A Operation Manual

H3C SecPath F1800-A Firewall
Operation Manual
Hangzhou Huawei-3Com Technology Co., Ltd.
http://www.huawei-3com.com
Manual Version: T2-081659-20061015-C-1.01
Product Version: VRP3.30


Summary of Contents for H3C SecPath F1800-A

  • Page 1 H3C SecPath F1800-A Firewall Operation Manual Hangzhou Huawei-3Com Technology Co., Ltd. http://www.huawei-3com.com Manual Version: T2-081659-20061015-C-1.01 Product Version: VRP3.30...
  • Page 2 All Rights Reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou Huawei-3Com Technology Co., Ltd. Trademarks: H3C, Aolynk, IRF, H3Care, Neocean, TOP G, SecEngine, SecPath, COMWARE, VVG, V2G, VnG, PSPT, NetPilot, and XGbus are trademarks of Hangzhou Huawei-3Com Technology Co., Ltd.
  • Page 3: About This Manual

    Command Reference security defence, VPN and reliability of SecPath F1800-A firewall corresponding to the operation manual. Organization H3C SecPath F1800-A Firewall Operation Manual is organized as follows: Part Contents 1 Getting Started begins with the firewall development and security concept, introducing the...
  • Page 4 Part Contents 3 Interface presents various parameter configurations on the interfaces provided, such as Ethernet interface, AUX interface and logical interface. 4 Link Layer Protocol describes the fundamentals and configurations of various link layer protocols supported by the SecPath F1800-A firewall, including PPP, PPPoE, and VLAN.
  • Page 5 Conventions: Items (keywords or arguments) in square brackets [ ] are optional. Alternative items are grouped in braces { x | y | ... } and separated by vertical bars; one is selected. Optional alternative items are grouped in square brackets [ x | y | ...
  • Page 6: Table Of Contents

    Operation Manual - Getting Started H3C SecPath F1800-A Firewall Table of Contents Chapter 1 Firewall Overview ......................1-1 1.1 Overview of Network Security.................... 1-1 1.1.1 Security Threats ...................... 1-1 1.1.2 Classification of Network Security Services............1-2 1.1.3 Implementation of Network Security Services ............1-2 1.2 Overview of Firewall System .....................
  • Page 7 2.5 User Management ......................1-47 2.5.1 Overview of User Management................1-47 2.5.2 User Management Configuration ................1-49 2.5.3 User Login Information Configuration ..............1-51 2.5.4 Typical Examples of Configuration................ 1-53 2.6 User Interface ........................
  • Page 8: Chapter 1 Firewall Overview

    Operation Manual - Getting Started H3C SecPath F1800-A Firewall Chapter 1 Firewall Overview 1.1 Overview of Network Security With the rapid development of the Internet, more and more enterprises turn to network services to speed up their development. How to protect confidential data, resources and reputation in an open network environment has become a focus of attention.
  • Page 9: Classification Of Network Security Services

    1.1.2 Classification of Network Security Services Network security services are a set of security measures taken against the above security threats. They are shown in Table 1-2.
  • Page 10 Type: public key mechanism. Description: uses different security keys that separate the process of encryption from that of decryption. One key is called the private key, which... Remark: it includes the Diffie-Hellman (DH) mechanism...
  • Page 11 It provides end-to-end security from an application on one host to the corresponding application on another host across the network. The application layer security mechanism depends on the specific application, and its security protocol is a supplement to the application protocol.
  • Page 12: Overview Of Firewall System

    Classification: data link layer security. It provides a point-to-point security service, such as encryption of the data flow on a point-to-point link. Data link layer security is implemented through encryption and decryption at each end of the link using dedicated devices.
  • Page 13 The basic principle of a packet filtering firewall is that it filters packets according to a configured Access Control List (ACL), based on: the source and destination IP address; the source and destination port number...
  • Page 14: Overview Of The Secpath F1800-A

    The stateful firewall captures packets at the network layer. The firewall then extracts the state information required by the security policy from the application layer and saves it in dynamic state tables. Finally, it analyzes the state tables together with subsequent connection requests related to the packet to make a proper decision.
  • Page 15: Overview Of The Secpath F1800-A

    Highly efficient packet filtering; transparent proxy service; improved stateful inspection security technology; extensive analysis and statistics; multiple security measures. In addition, it provides: multiple types of interfaces...
  • Page 16: Function Features List Of The Secpath F1800-A

    Dual-system hot backup, so that service is not interrupted when the state switches. Load balancing for multiple machines, so that the state switches automatically when a fault occurs. IV.
  • Page 17 Attribute: packet filtering. Description: supports basic ACL, advanced ACL and firewall ACL; supports time range ACL; supports blacklist and MAC-to-IP address binding; supports ASPF and state inspection.
  • Page 18 Attribute: command line interface. Description: prompt and help information in English and Chinese; hierarchical protection of command lines against intrusion by unauthorized users; detailed debugging information that helps network fault diagnosis.
  • Page 19: Chapter 2 Basic Secpath F1800-A Configuration

    Operation Manual - Getting Started H3C SecPath F1800-A Firewall Chapter 2 Basic SecPath F1800-A Configuration 2.1 Establishment of Configuration Environment Through the Console Interface 2.1.1 Establishing Configuration Environment You can configure the SecPath F1800-A locally through the console interface, which is a reliable configuration and maintenance mode.
  • Page 20 Figure 2-2 Establishing a new connection. Figure 2-3 Selecting serial interface. Step 3: Select the RS-232 serial interface on your computer. Step 4: Set the terminal communication parameters as follows. It is shown in...
  • Page 21 Flow control is none. Terminal emulation type is VT100. Figure 2-4 Setting port parameters...
  • Page 22: Configuring Successful Ping Between A Device And A Secpath F1800-A

    Figure 2-5 Selecting terminal emulation type. Step 5: After the SecPath F1800-A passes the power-on self test, the system automatically performs the configuration. The system then prompts you to press Enter, and you will see a command line prompt (such as <SecPath>).
  • Page 23 Ping a SecPath F1800-A from a device. Implement the reverse ping. Perform the following steps. Step 1: Connect the PC or terminal to the console interface of the SecPath F1800-A through the RS-232 serial port;...
  • Page 24: Configuring Successful Ping Between Two Devices Across A Secpath F1800-A

    Caution: By default, the SecPath F1800-A forbids any packet to pass. You need to allow packets to pass by default or configure interzone packet filtering rules; otherwise, the firewall is unavailable.
  • Page 25 [Figure 2-7 Networking diagram of pinging the two devices across the SecPath... Labels: Server 10.2.2.254 in the DMZ zone, reached through Ethernet2/0/0 10.2.2.1; Router 10.1.1.254 in the Untrust zone, reached through Ethernet1/0/0 10.1.1.1; Console attached through the RS-232 serial port.]
  • Page 26: Establishment Of Configuration Environment By Other Means

    2.2 Establishment of Configuration Environment by Other Means To help users configure the SecPath F1800-A, the system supports both local and remote configuration. Each configuration environment has its own terminal service features.
  • Page 27 Step 3: Set the user's privilege level to "3" and the authentication mode to "aaa". [SecPath] user-interface aux 0 [SecPath-ui-aux0] authentication-mode aaa [SecPath-ui-aux0] user privilege level 3 Step 4: Configure the modem connected to the AUX interface to support bidirectional calls, auto-answer, and no timeout limit.
  • Page 28: Establishment Through Telnet

    Figure 2-10 Starting the dial-in program on the remote computer. Step 7: When a new remote terminal emulation program window pops up, enter the user name and the password, such as user name "auxuser" and password "auxpwd".
  • Page 29 [SecPath-aaa] authentication-scheme telnetuser [SecPath-aaa-authen-telnetuser] authentication-mode local radius [SecPath-aaa-authen-telnetuser] quit [SecPath-aaa] quit [SecPath] user-interface vty 0 4 [SecPath-ui-vty0-4] authentication-mode aaa Step 5: Set an ACL rule through the console interface permitting Telnet packets from the remote PC to the SecPath F1800-A, and apply the ACL rule in the inbound direction between the untrust zone and the local zone.
  • Page 30 [Figure 2-12 Establishing remote configuration environment through WAN. Labels: PC running Telnet client programs; Remote Ethernet; Local Ethernet; SecPath; Server; Router; Server; WAN port.] Step 2: Run the Telnet program on your computer, and then enter the IP address of the Ethernet interface on the SecPath F1800-A (or the IP address of the WAN interface on the remote computer) to connect to the SecPath F1800-A.
  • Page 31: Establishment Through Ssh

    <SecPath> Note: The host name can be either the SecPath F1800-A host name or the SecPath F1800-A IP address. Step 4: Enter commands to configure the SecPath F1800-A or view its running state.
  • Page 32: Command-Line Interface Management

    2.3 Command-line Interface Management The system offers a series of configuration commands and a command-line interface, through which you can configure and manage the SecPath F1800-A.
  • Page 33: Command-Line View

    Table 2-1 Command-line level (columns: level number, level name, level authority). Visit level: includes the network diagnosis tool commands ping and tracert, without access to external devices (Telnet client and SSH client).
  • Page 34 [Figure 2-14 Relationship between system maintenance views. Views shown: Login, User view, System view, User interface view, FTP Client view, RSA public key view, RSA public key edition view.] The following tables show the relevant information about the various views.
  • Page 35 Exit command: [SecPath-ui-console0] quit. Prompt after exit: [SecPath]. Table 2-5 FTP client view. Function: sets file transmission parameters at the FTP client.
  • Page 36 [Figure 2-15 Relationship between network interconnection views. Views shown: Login, User view, System view, Interface view, RIP view, OSPF view, OSPF area view, BGP view.] The following tables show the relevant information about the various views.
  • Page 37 Exit command: [SecPath-rip] quit. Prompt after exit: [SecPath]. Table 2-10 OSPF view. Function: sets parameters for the OSPF protocol. Entry command: [SecPath] ospf...
  • Page 38 Entry command: [SecPath] bgp as-number (as-number specifies the local AS number, in the range 1 to 65535). Prompt after entry: [SecPath-bgp]. Exit command...
  • Page 39 Entry command: [SecPath] radius-server template test (test is the name of the RADIUS server template). Prompt after entry: [SecPath-radius-test]. Exit command...
  • Page 40 Entry command: [SecPath-aaa] recording-scheme test (test is the name of the recording scheme, which includes the HWTACACS server template). Prompt after entry: [SecPath-aaa-recording-test]. Exit command...
  • Page 41 Table 2-19 ACL view. Function: sets parameters of a basic ACL rule (numbered from 2000 to 2999); sets parameters of an advanced ACL rule (numbered from 3000 to 3999).
  • Page 42 Prompt after exit: [SecPath]. Table 2-22 IPSec proposal view. Function: sets parameters of an IPSec proposal, such as the translation mode and security algorithm.
  • Page 43 Table 2-25 IKE proposal view. Function: sets parameters of an IKE proposal, such as the shared key and SA parameters. Entry command: [SecPath] ike proposal 1...
  • Page 44: Online Help Of Command Line

    Entry command: [SecPath] qos policy test. Prompt after entry: [SecPath-qospolicy-test]. Exit command: [SecPath-qospolicy-test] quit. Prompt after exit: [SecPath]. Table 2-28 Class view...
  • Page 45: Error Information Of Command Line

    Help information (with example): enter a command followed by "?" with a space between them. If the position is a keyword, the system lists all keywords and their brief descriptions. Example: <SecPath> display ?
  • Page 46: History Commands

    Error information and cause. Incomplete command: the entered command is incomplete; for example, the required parameters were not input. Too many parameters: too many parameters were entered.
  • Page 47: Edition Feature

    2.3.6 Edition Feature The command-line interface provides basic command editing and supports multi-line editing. Each command consists of up to 256 characters. Table 2-33 shows the specific editing functions.
  • Page 48: Hotkey

    Table 2-34 Display function (action; key or command). Stop viewing and executing the command: when the display pauses, enter Ctrl+C. Continue to view the next screen: ...
  • Page 49 Hotkey and function: CTRL_Y deletes all characters to the right of the cursor. CTRL_Z returns to user view. CTRL_] terminates or redirects call-in connections. ESC_B moves the cursor one word to the left.
  • Page 50 III. Hotkey Usage You can press a hotkey anywhere a command is allowed to be entered. The system then displays and executes the command, just as if you had entered the entire command.
  • Page 51: Basic Configuration Of The Secpath F1800-A

    2.4 Basic Configuration of the SecPath F1800-A 2.4.1 Entering and Quitting System View You enter user view after logging in to the SecPath F1800-A from the console interface, where the prompt <SecPath> is displayed.
  • Page 52: Configuring System Clock

    2.4.4 Configuring System Clock An accurate system clock is needed to ensure coordinated operation with other devices. The SecPath F1800-A supports time zones and summer time.
  • Page 53: Displaying System Status Information

    Note: Each command has a default view and a privilege level. You do not need to reconfigure them. 2.4.6 Displaying System Status Information The display command is used to collect system status information, which can be...
  • Page 54: User Management

    2.5 User Management 2.5.1 Overview of User Management When the SecPath F1800-A is booted for the first time, no user password is set. In this case, any user can operate the SecPath F1800-A by connecting a PC to it through the console interface.
  • Page 55 singles. Between the default priority and the specific priority, the higher one is the priority of the user. III. User Authentication After a user is specified, the system authenticates the user when he logs on to the SecPath F1800-A.
  • Page 56: User Management Configuration

    For the configuration of the PPP user, refer to "AAA Configuration" in "06-Security Defence Operation" of this manual. 2.5.2 User Management Configuration User management configuration includes:...
  • Page 57 Table 2-47 Setting the password of local authentication (action; command). Set the password of local authentication: set authentication password { simple | cipher } password...
  • Page 58: User Login Information Configuration

    Table 2-48 Configuring user priority (operation; command). Configure the priority of the login user: user privilege level level. Restore the default priority of the login user: ...
  • Page 59 Table 2-50 Configuring title text (action; command). Configure the title text of login authentication: header login { file file-name | information information-text }. Configure the title text shown at the beginning of configuration: header shell { file file-name | information ...
  • Page 60: Typical Examples Of Configuration

    Table 2-53 Locking user interface (action; command). Lock user interface: lock. 2.5.4 Typical Examples of Configuration For the related configuration of user management and user login information, refer to 2.2.2 "Establishment Through...
  • Page 61: Entering User Interface View

    User interfaces of the system are classified into three types: the Console interface, the AUX interface and the VTY interface, which are arranged in a specific order.
  • Page 62: Configuring Asynchronous Interface Attributes

    In user interface view, you can set and manage the attributes of each asynchronous interface. Table 2-56 Configuring attributes of asynchronous interfaces (type; description). Configures the transfer rate.
  • Page 63 Action; command. Restore its default value: undo speed. II. Configuring Flow Control Mode Do as follows in user interface view. Table 2-59 Configuring flow control mode...
  • Page 64: Configuring Terminal Attributes

    Action; command. Restore its default value: undo databits. 2.6.4 Configuring Terminal Attributes I. Enabling Terminal Service Do as follows in user interface view. Table 2-63 Enabling terminal service...
  • Page 65: Configuring Modem Attributes

    Table 2-65 Configuring the length of terminal screen (action; command). Configure the screen length of the terminal: screen-length screen-length. Restore its default value: undo screen-length. IV. Configuring Buffer Size of History Commands Do as follows in user interface view.
  • Page 66 Table 2-68 Configuring message transfer (action; command). Configure message transfer between user interfaces: send { all | number | type-name number }. II. Auto-Execute Command There are the following restrictions on using the auto-execute command command.
  • Page 67: Configuring Call-In Or Call-Out Restriction On Vty User Interface

    III. Enabling Redirection on the AUX interface For example, you can use the redirect command in AUX user interface view to enable redirection of the user interface.
  • Page 68: Terminal Service

    2.7 Terminal Service 2.7.1 Configuring Terminal Service on the Console Interface Table 2-73 shows the terminal service features on the console interface. Table 2-73 Terminal service features on the console interface...
  • Page 69: Configuring Telnet Terminal Service

    2.7.3 Configuring Telnet Terminal Service The Telnet protocol is an application layer protocol in the TCP/IP protocol suite. It provides remote login and a virtual terminal across the network. The SecPath F1800-A of Huawei-3Com supports the Telnet service.
  • Page 70 By default, the terminal user is disconnected after ten minutes of inactivity. You can disable this disconnection using the idle-timeout 0 0 command in user interface view. After this function is disabled, the terminal user will not be disconnected.
  • Page 71 IV. Shortcut Key of Telnet Service During a Telnet connection you can use a shortcut key to break the connection, as shown in Figure 2-21. Telnet Client...
  • Page 72: Configuring Ssh Terminal Service

    2.7.4 Configuring SSH Terminal Service I. SSH Overview After establishing a local or remote SSH channel, you can set the SSH terminal service parameters to ensure a secure configuration environment. The SSH client is used to establish SSH connections to the SecPath F1800-A and to UNIX hosts running an SSH server.
  • Page 73 Table 2-80 Configuring protocols supported by user interface (action; command). Configure the protocols supported by the user interface: protocol inbound { all | ssh | Telnet }.
  • Page 74 Table 2-82 Configuring SSH user authentication mode (action; command). Configure the SSH user authentication mode: ssh user user-name authentication-type { password | rsa | all }...
  • Page 75 Entering RSA public key view Using this task, you can enter RSA public key view to configure the client public key that is randomly generated by client software supporting SSH1.5.
  • Page 76 III. Displaying and Debugging SSH You can use the display command in any view to view the running state and verify the configuration of SSH.
  • Page 77 # User login authentication mode is password. [SecPath] user-interface vty 0 4 [SecPath-ui-vty0-4] authentication-mode aaa [SecPath-ui-vty0-4] protocol inbound ssh [SecPath-ui-vty0-4] quit [SecPath] ssh user client001 authentication-type password...
  • Page 78: Chapter 3 Working Mode

    Operation Manual - Getting Started H3C SecPath F1800-A Firewall Chapter 3 Working Mode 3.1 Working Mode Overview 3.1.1 Introduction to Working Mode At present, the SecPath F1800-A can work in three modes: route mode, transparent mode...
  • Page 79 ACL packet filtering; ASPF dynamic filtering. However, the network topology needs to be changed; for example, internal network users need to change their gateways, and the routing configurations of routers need to be changed, which causes great trouble.
  • Page 80: Working Process Of Route Mode

    Figure 3-3 shows a typical networking in composite mode. [Figure 3-3 labels: SecPath (active) and SecPath... linked by VRRP; Trust zone with two Servers; Internal network; External network (Internet); 202.10.0.0/24.]
  • Page 81: Working Process Of Transparent Mode

    3.1.3 Working Process of Transparent Mode In transparent mode (or bridge mode), interfaces on the SecPath F1800-A cannot be configured with IP addresses, and they reside in a layer 2 security zone. Moreover, external users connected to the interfaces in the layer 2 zone reside in the same subnet.
  • Page 82 [Figure: Workstation A (00e0.fcaa.aaaa) and Workstation B (00e0.fcbb.bbbb) on Ethernet segment 1, attached to Port 1 of the SecPath; Workstation C (00e0.fccc.cccc) and Workstation D (00e0.fcdd.dddd) attached to Port 2. The frame shown has destination address 00e0.fcbb.bbbb and source address 00e0.fcaa.aaaa. Ethernet...]
  • Page 83 Reverse learning of the relationship between the MAC address of workstation B and the port: after workstation B responds to the Ethernet frame from workstation A, the firewall monitors the response frame and learns that workstation B is also connected to Port 1 on the firewall, because Port 1 receives the frame.
  • Page 84 [Figure: Workstation A (00e0.fcaa.aaaa) and Workstation B (00e0.fcbb.bbbb) on Ethernet segment 1; the frame shown has source address 00e0.fcaa.aaaa and destination address 00e0.fccc.cccc. Address table (MAC address, port): 00e0.fcaa.aaaa and 00e0.fcbb.bbbb on Port 1; 00e0.fccc.cccc and 00e0.fcdd.dddd on the SecPath's other port...]
  • Page 85: Working Process Of Composite Mode

    that sends the frame. At this time, the firewall acts as a hub, so as to ensure continuous information transfer. This process is shown in Figure 3-9.
  • Page 86: Setting Other Parameters In Route Mode

    Table 3-1 Configuring the SecPath F1800-A to work in route mode (action; command). Configure the SecPath F1800-A to work in route mode: firewall mode route. 3.2.2 Setting Other Parameters in Route Mode The SecPath F1800-A can serve as a router when it works in route mode, so that it can carry out network interconnection and provide enhanced upper layer services.
  • Page 87: Configuring Processing Mode Of Ip Packets With Unknown Mac Address

    Action; command: undo mac-address mac-address vlan vlan-id. Delete address entries: undo mac-address { dynamic | static | all | vlan vlan-id }. 3.3.3 Configuring Processing Mode of IP Packets with Unknown MAC...
  • Page 88: Composite Mode Configuration

    Table 3-5 Setting aging time of MAC address forwarding table (action; command). Set the aging time of the MAC address forwarding table: firewall transparent-mode mac-aging-time seconds. Restore its default value: undo firewall transparent-mode ...
  • Page 89: Typical Example For Configuring Firewall Working Mode

    Operation Manual - Getting Started H3C SecPath F1800-A Firewall Chapter 3 Working Mode Table 3-7 Displaying and debugging working mode Action Command View current working mode of the display firewall mode firewall. display firewall transparent-mode View MAC address forwarding table.
  • Page 90: Connecting Multiple Lans With The Secpath F1800-A In Transparent Mode

    Operation Manual - Getting Started H3C SecPath F1800-A Firewall Chapter 3 Working Mode 3.6.2 Connecting Multiple LANs with the SecPath F1800-A in Transparent Mode I. Networking Requirements In a mansion, there are several PCs and servers in LAN1 on one floor, and several PCs and servers in LAN2 on another floor.
  • Page 91 Operation Manual - System Management H3C SecPath F1800-A Firewall Table of Contents. Chapter 1 System Maintenance Management 2-1; 1.1 Introduction to System Maintenance Management 2-1; 1.2 Configuration File Management 2-1; 1.2.1 Content and Format of Configuration File 2-1; 1.2.2 Displaying Current Configuration and Initial Configuration of the Firewall....
  • Page 92 2.2.2 Configuring the FTP Server 2-29; 2.2.3 Displaying and Debugging the FTP Server 2-30; 2.2.4 Typical Example for Configuring FTP Connection 2-30; 2.3 TFTP Configuration 2-34; 2.3.1 Introduction to TFTP .....
  • Page 93 4.2.10 Configuring sysLocation 2-60; 4.2.11 Specifying the Source Address to Send the Trap Packet 2-60; 4.2.12 Creating or Updating View Information 2-60; 4.2.13 Setting Maximum Size of SNMP Messages Received by or Sent from Agent 2-61; 4.2.14 Setting Length of a Message Queue Containing the Trap Packet......
  • Page 94: Configuration File Management

    Operation Manual - System Management H3C SecPath F1800-A Firewall Chapter 1 System Maintenance Management. 1.1 Introduction to System Maintenance Management. System maintenance management includes: configuration file management, system status information collection, and maintenance debugging tool usage...
  • Page 95: Modifying And Saving The Current Configuration

    Table 1-1 Displaying firewall configuration. Action: View the initial configuration of the firewall. Command: display saved-configuration. Action: View the current configuration of the firewall. Command: display current-configuration. Action: View technical information on the firewall.
  • Page 96: Configuring File Usage

    Table 1-3 Resetting the configuration file in storage device. Action: Reset the configuration file in storage device. Command: reset saved-configuration. 1.2.5 Configuring File Usage. I. Naming the System Software File Used for the Next Startup. Do as follows in user view.
  • Page 97: Maintenance Debugging

    Table 1-7 Comparing the configuration file. Action: Compare the current configuration file with the configuration file saved in the storage device. Command: compare configuration [ line-number1 line-number2 ].
  • Page 98 Metacharacter descriptions: the character before it does not appear, or appears one or several times, in the target object; the character before it appears once or several times in the target object.
  • Page 99 When the output contents are excessive and displayed in split screen, you can specify the filtering mode at the split-screen prompt “---- More ----”.
  • Page 100: System Status Information Collection

    user-interface con 0 user-interface vty 0 14 <SecPath> 1.3.3 System Status Information Collection. Using the display command, you can collect system status information. In terms of function, system status information can be classified as:...
  • Page 101 The command outputs information as follows: if the system does not receive a response to the ping packet, it outputs “Request time out”; otherwise, the system displays the number of data bytes in the response packet, the packet sequence number, the TTL and the response time.
  • Page 102 For instance: <SecPath> tracert 35.1.1.48 traceroute to nis.nsf.net (35.1.1.48), 30 hops max, 56 byte packet helios.ee.lbl.gov (128.3.112.1) 19 ms 19 ms 0 ms lilac-dmc.Berkeley.EDU (128.32.216.1) 39 ms...
  • Page 103 Debugging information is output under the control of two switches. Protocol debugging switch: it controls whether to output the debugging information of a protocol.
  • Page 104: Patch Software Upgrade

    Note: Since the output of debugging information affects the running efficiency of the firewall, do not enable debugging at will. Be especially cautious with the debugging all command.
  • Page 105: Information Center

    1.5 Information Center. 1.5.1 Introduction to Information Center. The information center is an indispensable part of the firewall software. As the information hub, it is in charge of the output of system information. It can also classify and select the information.
  • Page 106 Note: By default, the information center is enabled. When the information center has a large amount of information to process, it can affect system performance because of the information classification and output work.
  • Page 107 Table 1-19 Severity defined in syslog. Severity level (with threshold) and description: emergencies, extremely emergent errors; alerts, errors that need to be corrected immediately; critical, critical errors; errors, general errors...
  • Page 108 Caution: If there are multiple Telnet users or dumb terminal users at the same time, they share some configuration parameters, such as module-based filtering configuration, Chinese or English language selection and the severity threshold.
  • Page 109 Action: Configure the channel through which information is output to the log host and other parameters. Command: info-center loghost X.X.X.X [ channel { channel-number | channel-name } | facility local-number | language { chinese | ...
  • Page 110: Displaying Terminal Configuration

    Table 1-23 Configuring the source address to send log information. Action: Configure the source address to send log information. Command: info-center loghost source { interface-type interface-number } [ subinterface-type ]. Action: Cancel the current configuration.
  • Page 111 [SecPath] info-center source ppp channel console log level debugging # Enable PPP debugging. <SecPath> debugging ppp all II. Output Log Information to Log Host (UNIX Workstation). Configuring the firewall # Enable information center.
  • Page 112 Note: When editing the file /etc/syslog.conf, a comment must occupy a line by itself and start with the symbol “#”. Adjacent selector and action pairs must be separated by a tab (not a space).
  • Page 113: Log Maintenance

    1.6 Log Maintenance. 1.6.1 Introduction to Log. I. Log Types. Logs can save system messages or packet filtering actions to the buffer, or direct them to the log host. By analyzing and managing log information, network administrators can detect security holes, find out when and by whom a violation of the security policy was attempted, and identify the types of attack suffered.
  • Page 114: Binary Flow Log Configuration

    display the log information on the terminal view or output the Syslog log to the log server for storage and analysis. Conversely, log information on NAT or ASPF is generated in large volumes, so the system outputs this type of log traffic directly in binary format to the log server for storage and analysis, bypassing the VRP-based information center.
  • Page 115: Displaying And Debugging Log

    Table 1-26 Configuring the host address and port for receiving binary flow log. Action: Configure the host address and port for receiving binary flow log. Command: firewall session log-type binary host
  • Page 116 Networking diagram (Figure 1-3 Configuring firewall log: the SecPath connects the Ethernet segments 192.168.3.0/24, 192.168.10.0/24 and 192.168.8.0/24, with servers shown on the 192.168.10.0/24 and 192.168.8.0/24 segments). Configuration procedure # Configure the IP address of the interface Ethernet 0/0/0.
  • Page 117 # Enable port scan attack defense. [SecPath] firewall defend port-scan max-rate 100 # Add the source address of the attacker to the blacklist, and set the aging time to 10 minutes.
  • Page 118 [SecPath-zone-dmz] add interface Ethernet 2/0/0 # Configure the ACL rule. [SecPath] acl number 2001 [SecPath-acl-basic-2001] rule 0 permit # Enter interzone view to apply ACL rule 2001 between security zones.
  • Page 119: Chapter 2 File Management

    Operation Manual - System Management H3C SecPath F1800-A Firewall Chapter 2 File Management. 2.1 File System. 2.1.1 Introduction to File System. The file system is mainly used to manage and save files on storage devices. At present, storage devices supported by the firewall include Flash and hardware.
  • Page 120: Storage Device Operation

    Restore a deleted file. Completely delete files in the recycle bin. Display files. Rename a file. Copy a file. Move a file. Use a batch file. Display the specified file and private file.
  • Page 121: FTP Configuration

    Table 2-4 Configuring prompt mode of file system. Action: Configure prompt mode of file system. Command: file prompt { alert | quiet }. 2.1.6 Configuration Example # Display files in the current directory. “fl” is a sub-directory of the directory “flash:/”.
  • Page 122: Configuring The FTP Server

    Table 2-5 FTP services provided by the firewall system. Service type: FTP server service. Description: You can run the FTP client program to log on to the firewall and access the files.
  • Page 123: Displaying And Debugging The FTP Server

    Configuration example: # Configure the FTP user name as “testuser”, the password as “huawei-3com” (plain text), and the authorized working directory as “flash:/”. # Configure authentication information for an FTP user in AAA view.
  • Page 124 Note: If you upgrade the SecPath F1800-A from a remote PC without NAT, you can configure the firewall as the FTP client. In this case, the configuration procedure is simple.
  • Page 125 <SecPath> ftp 30.3.3.3 Trying 30.3.3.3 ... Press CTRL+K to abort Connected to 30.3.3.3. 220-Serv-U FTP-Server v2.5 for WinSock ready... 220 This FTP server is an unregistered 45 day try-out version of Serv-U User(10.1.1.1:(none)): pcuser...
  • Page 126 First configure the related information for FTP packets (such as the ACL rule) on the SecPath F1800-A. Make sure that the PC and the SecPath F1800-A can ping each other (refer to section 2.1.2 "Configuring Successful Ping between a Device and a SecPath...
  • Page 127: TFTP Configuration

    [SecPath-aaa] authentication-scheme ftpuser [SecPath-aaa-authen-ftpuser] authentication-mode local [SecPath-aaa-authen-ftpuser] quit [SecPath-aaa] quit [SecPath] user-interface vty 0 [SecPath-ui-vty0] authentication-mode aaa Step 6: Establish the FTP connection from the remote PC (the FTP client) to the SecPath F1800-A (the FTP server).
  • Page 128: Configuring TFTP

    When a file needs to be uploaded, the client sends a write request packet to the TFTP server, then sends the data packets to the server, and finally receives an acknowledgement packet from the server.
  • Page 129 III. Setting ACL. Using this task, you can set an ACL to control access to the TFTP server. That is, you associate an ACL through the ACL command so as to control access to the TFTP server address.
  • Page 130 If the check fails, the receiving program sends a denial packet, and the sending program retransmits the data packet. The firewall software provides an XModem receiving program that can be applied on the AUX interface and supports 128-byte data packets and CRC.
  • Page 131: Chapter 3 NTP Configuration

    Operation Manual - System Management H3C SecPath F1800-A Firewall Chapter 3 NTP Configuration. 3.1 Introduction to NTP. Network Time Protocol (NTP) belongs to the TCP/IP protocol suite and is used to distribute accurate time within the whole network. NTP transmission is based on UDP. Its basic principle is described as follows.
  • Page 132: Configuring NTP

    The SecPath F1800-A sends an NTP packet to the router; the packet carries the SecPath F1800-A time stamp T1 (10:00:00 am). When the NTP packet reaches the router, the router adds its time stamp T2 (11:00:01 am) to the packet.
  • Page 133 An interface on the local firewall to send NTP broadcast messages when the local firewall works in broadcast mode. An interface on the local firewall to receive NTP broadcast messages when the local firewall works in broadcast client mode.
  • Page 134 Table 3-2 Configuring NTP peer mode. Action: Configure NTP peer mode. Command: ntp-service unicast-peer X.X.X.X [ version number | authentication-key key-id | source-interface interface-type interface-number | priority ] *. Action: Cancel NTP peer mode.
  • Page 135 Note that you must configure this command on the interface through which NTP broadcast messages are received. V. Configuring NTP Multicast Server Mode. For example, specify an interface on the local firewall to send NTP multicast messages.
  • Page 136: Configuring NTP Authentication

    3.2.2 Configuring NTP Authentication. For example, enable NTP authentication, configure an MD5 authentication key and specify a reliable key. In this case, the client can only be synchronized to a server that uses a reliable key.
  • Page 137: Configuring NTP Master Clock

    Do as follows in system view. Table 3-10 Configuring the interface through which NTP packets are sent. Action: Configure the interface through which NTP packets are sent. Command: ntp-service source-interface
  • Page 138: Configuring Access Control Right For Local Firewall Service

    3.2.8 Configuring Access Control Right for Local Firewall Service. This command provides only a minimal security measure; a more secure method is to perform identity authentication. When an access is requested, the system matches it in turn from the minimal access right to the maximal access right, that is, in the order of peer, server, server only, and query only.
  • Page 139: Typical Example For Configuring NTP

    Action: Debug NTP. Command: debugging ntp-service { access | adjustment | authentication | event | filter | packet | parameter | refclock | selection | synchronization | validity | all }. 3.4 Typical Example for Configuring NTP...
  • Page 140: Configuring NTP Peer Mode

    [SecPath2] display ntp-service status clock status: unsynchronized clock stratum: 16 reference clock ID: none nominal frequency: 99.8562 Hz actual frequency: 99.8562 Hz clock precision: 2^7 clock offset: 0.0000 ms root delay: 0.00 ms...
  • Page 141 II. Networking Diagram: as shown in Figure 3-2. III. Configuration Procedure. Configuring SecPath 3 # Configure the local clock as NTP master clock, with stratum 2.
  • Page 142: Configuring NTP Broadcast Mode

    source refid poll reach delay offset ******************************************************************** [12345]127.127.7.1 LOCAL(0) 26.1 199.53 note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured 3.4.3 Configuring NTP Broadcast Mode. I. Networking Requirements: Configure the SecPath 3 clock as NTP master clock, with stratum 2. SecPath 3 sends broadcast messages through the interface Ethernet 1/0/0.
  • Page 143: Configuring NTP Multicast Mode

    clock status: synchronized clock stratum: 3 reference clock ID: 3.0.1.31 nominal frequency: 250.0000 Hz actual frequency: 249.9992 Hz clock precision: 2^19 clock offset: 198.7425 ms root delay: 27.47 ms root dispersion: 208.39 ms...
  • Page 144 # Configure SecPath 4 as a multicast client. <SecPath4> system-view [SecPath4] interface Ethernet 1/0/0 [SecPath4-Ethernet1/0/0] ntp-service multicast-client Configuring SecPath 1 # Configure SecPath 1 as a multicast client.
  • Page 145: Configuring NTP Server Mode With Authentication

    3.4.5 Configuring NTP Server Mode with Authentication. I. Networking Requirements: Configure the SecPath 1 clock as NTP master clock, with stratum 2. Configure SecPath 1 as the time server of SecPath 2: SecPath 1 works in server mode, while SecPath 2 works in client mode with authentication enabled.
  • Page 146 After the synchronization, the status of SecPath 2 is shown below. [SecPath2] display ntp-service status clock status: synchronized clock stratum: 3 reference clock ID: 1.0.1.11 nominal frequency: 250.0000 Hz actual frequency: 249.9992 Hz...
  • Page 147: Chapter 4 SNMP Configuration

    Operation Manual - System Management H3C SecPath F1800-A Firewall Chapter 4 SNMP Configuration. 4.1 Overview. 4.1.1 Introduction to SNMP. At present, Simple Network Management Protocol (SNMP) is widely used for network management and has become an industry standard. Its purpose is to ensure that management information can be transmitted between any two nodes.
  • Page 148 Figure 4-1 MIB tree structure. As shown in Figure 4-1, management object B can be uniquely identified by a string of numbers {1.2.1.1}, which is the object identifier of the management object. The MIB is used to describe the hierarchical structure of the tree.
  • Page 149: SNMP Configuration

    MIB attribute / MIB content / Standard or specifications (table): Performance alarm MIB, Device panel MIB, Device resource MIB, Private MIBs, VLAN Configuration MIB, System MIB. 4.2 SNMP Configuration. SNMP configuration includes:...
  • Page 150: Enabling Or Disabling SNMP Version

    By default, the SNMP Agent service is disabled. 4.2.2 Enabling or Disabling SNMP Version. Do as follows in system view. Table 4-3 Enabling or disabling SNMP version. Action...
  • Page 151: Adding A User To An SNMP Group

    Table 4-5 Configuring an SNMP group. Action: Configure an SNMP group. Command: snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ].
  • Page 152: Enabling Or Disabling Sending The Trap Packet

    Table 4-7 Configuring sysContact. Action: Configure sysContact. Command: snmp-agent sys-info contact syscontact. Action: Restore its default value. Command: undo snmp-agent sys-info contact. 4.2.7 Enabling or Disabling Sending the Trap Packet. The firewall actively sends Trap packets to the NMS to report certain emergent events.
  • Page 153: Assigning The Address To The Host Receiving The Trap Packet

    4.2.9 Assigning the Address to the Host Receiving the Trap Packet. Do as follows in system view. Table 4-10 Assigning the address to the host receiving the Trap packet...
  • Page 154: Setting Maximum Size Of SNMP Messages Received By Or Sent From Agent

    Table 4-13 Creating or updating view information. Action: Create or update view information. Command: snmp-agent mib-view { included | excluded } view-name oid-tree. Action: Delete view information. Command: undo snmp-agent mib-view view-name. 4.2.13 Setting Maximum Size of SNMP Messages Received by or Sent from...
  • Page 155: Displaying And Debugging SNMP

    4.3 Displaying and Debugging SNMP. You can use the display command in any view to view the running status and thus verify the effect of the SNMP server configuration.
  • Page 156 II. Networking Diagram (Figure 4-2 Configuring the SNMP: NMS 129.102.149.23 and SecPath 129.102.0.1 connected over Ethernet). III. Configuration Procedure. Configuring the SecPath F1800-A. # Enter system view. <SecPath> system-view # Configure a community name and access authority.
  • Page 157 “iso.org.dod.internet.mgnt.mib-2.system”, and then click Start Query. The system will display the following information. SysDescr.0 : STRING: HUA WEI CORP. SNMP agent for H3C Routers SysUpTime.0 : (105300) 00:17:33:00 SysContact.0 : Mr.Wang-Tel:3306 SysName.0 : sysadm SysLocation.0 : telephone-closet,3rd-floor SysServices.0 :...
  • Page 158 Operation Manual - Interface H3C SecPath F1800-A Firewall Table of Contents. Chapter 1 Interface Configuration Overview 3-1; 1.1 Interface Overview 3-1; 1.2 Configuring Interfaces 3-2; 1.2.1 Entering Interface View 3-2; 1.2.2 Exiting Interface View 3-2; 1.2.3 Viewing All the Commands ..................
  • Page 159 4.1.1 Introduction 3-16; 4.1.2 Configuring Ethernet Sub-interfaces 3-17; 4.2 Virtual Template Interface and Virtual Access Interface 3-18; 4.2.1 Introduction 3-18; 4.2.2 Configuring the Virtual Template Interface 3-18; 4.2.3 Displaying and Debugging the Virtual Template Interface........
  • Page 160: Interface Overview

    Operation Manual - Interface H3C SecPath F1800-A Firewall Chapter 1 Interface Configuration Overview. 1.1 Interface Overview. The interface is an important part of the SecPath F1800-A. Through it the firewall exchanges data and interacts with other devices in the network.
  • Page 161: Configuring Interfaces

    Virtual interfaces. 1.2 Configuring Interfaces. To help the user configure and maintain interfaces, the SecPath F1800-A provides interface views. Every interface command can only be used in the relevant interface view.
  • Page 162: Shutting Down An Interface

    1.2.5 Shutting down an Interface. Do as follows in interface view. Table 1-5 Shutting down an interface. Action: Shut down an interface. Command: shutdown. Action: Restart the interface. Command: undo shutdown. Note: Shutting down an interface will make this interface stop working.
  • Page 163: Displaying And Debugging Interfaces

    Configure the network protocol address supported by the interface, usually the IP address. Configure the static route to the destination network reachable through the interface, or set the working parameters of the dynamic routing protocol on the interface.
  • Page 164: Chapter 2 Ethernet Interface Configuration

    Operation Manual - Interface H3C SecPath F1800-A Firewall Chapter 2 Ethernet Interface Configuration. LAN mainly includes Ethernet and Token-Ring network. Now, Ethernet has become the most important LAN networking technology because of its high flexibility, simplicity...
  • Page 165: Entering Ethernet Interface View

    Setting the operating rate of the Ethernet interface; configuring the duplex operating mode of the Ethernet electrical interface; configuring the loopback mode of the Ethernet interface; switching interface modes; disabling an interface. The Ethernet interface cannot be configured unless you enter its interface view.
  • Page 166: Setting MTU Of The Ethernet Interface

    Table 2-2 Configuring static ARP mapping item. Action: Add static ARP mapping item. Command: arp static ip-address mac-address. Action: Delete static ARP mapping item. Command: undo arp static ip-address. A static ARP mapping item remains valid all the time while the SecPath F1800-A works normally;...
  • Page 167: Configuring Duplex Operating Mode Of The Ethernet Interface

    2.2.6 Configuring Duplex Operating Mode of the Ethernet Interface. As described above, the FE interface and the traditional Ethernet interface can work in full duplex or half-duplex mode.
  • Page 168: Switching Interface Modes

    2.2.8 Switching Interface Modes. The command is used to switch the interface mode between WAN and LAN. Do as follows in Ethernet interface view. Table 2-7 Switching the interface mode...
  • Page 169: Displaying And Debugging The Ethernet Interface

    This mode takes effect only when the peer supports flow control. If the flow control mode is set to auto-negotiation mode, the physical status of the interface cannot be Up if the negotiation fails.
  • Page 170: Troubleshooting The Ethernet Interface

    [SecPath] ip route-static 202.38.2.0 24 20.20.20.2 Configuring the router <Router> system-view [Router] interface ethernet 2/0/0 [Router-Ethernet2/0/0] mtu 1492 [Router-Ethernet2/0/0] description Router [Router-Ethernet2/0/0] ip address 20.20.20.1 255.255.255.0 [Router-Ethernet2/0/0] quit [Router] ip route-static 10.10.10.0 24 20.20.20.1...
  • Page 171 The network addresses must be the same; only the host addresses are different. If they are not in the same subnet, reset the IP address. Step 3: Check whether the link layer protocols match one another.
  • Page 172: Chapter 3 AUX Interface Configuration

    Operation Manual - Interface H3C SecPath F1800-A Firewall Chapter 3 AUX Interface Configuration. 3.1 Introduction. The AUX interface can only work in asynchronous mode. It can serve as an asynchronous serial interface through which the SecPath F1800-A is connected with a modem to carry out remote configuration.
  • Page 173: Configuring Level Detection

    Do as follows in AUX interface view. Table 3-2 Configuring link establishment mode. Action: Configure the AUX interface to establish links through protocol mode. Command: async mode protocol.
  • Page 174: Setting Link Layer Protocol Type

    3.2.5 Setting Link Layer Protocol Type. Do as follows in AUX interface view. Table 3-5 Setting link layer protocol type. Action: Set link layer protocol as PPP.
  • Page 175: Chapter 4 Virtual Interface Configuration

    Chapter 4 Virtual Interface Configuration A virtual interface is an interface that can exchange data but does not exist physically; it must be established through configuration.
  • Page 176: Configuring Ethernet Sub-Interfaces

    Note: Why should sub-interfaces be used? Usually only one IP address can be configured on a physical interface. In a point-to-point connection, one IP address meets the application requirements.
  • Page 177: Virtual Template Interface And Virtual Access Interface

    4.2 Virtual Template Interface and Virtual Access Interface 4.2.1 Introduction The virtual template interface, as the name implies, is a template used to configure a virtual access interface. It is mainly used in application environments such as VPN, MP and PPPoE.
  • Page 178 I. Creating and Deleting the Virtual Template Interface Do as follows in system view.
    Table 4-2 Creating and deleting the virtual template interface
    Action: Create a virtual template interface and enter its view. Command: interface virtual-template
  • Page 179 III. Associating a Virtual Template Interface with a Physical Interface In a VPN application environment, it is necessary to set up a relation between the L2TP group and the virtual template interface.
  • Page 180: Displaying And Debugging The Virtual Template Interface

    4.2.3 Displaying and Debugging the Virtual Template Interface You can use the display command in all views to view the running state and thus verify the effect of the configuration.
  • Page 181: Loopback Interface

    The PPP authentication parameter is set incorrectly. If the peer is not a user defined on the SecPath F1800-A, PPP negotiation will also fail. 4.3 Loopback Interface 4.3.1 Introduction...
  • Page 182: Typical Example For Configuring The Loopback Interface

    The Maximum Transmit Unit is 1536
    Internet Address is 10.10.1.1/8
    4.3.4 Typical Example for Configuring the Loopback Interface Because the Loopback interface stays Up from the moment it is created, it has the loopback feature.
  • Page 183: Typical Example For Configuring The Null Interface

    The Maximum Transmit Unit is 1500
    Internet protocol processing is disable
    4.4.4 Typical Example for Configuring the Null Interface Since any packet reaching the null interface is dropped, you can route the packets to be filtered directly to the Null0 interface instead of configuring an ACL.
  • Page 184 Operation Manual - Link Layer Protocol H3C SecPath F1800-A Firewall Table of Contents
    Chapter 1 VLAN Configuration 4-1
    1.1 Introduction to VLAN 4-1
    1.1.1 The Potential Problems In LAN Interconnecting 4-1
    1.1.2 Why Using VLAN 4-2
    1.1.3 VLAN Aggregation ...
  • Page 185 3.2 PPPoE Server Configuration 4-23
    3.2.1 Enabling or Disabling PPPoE 4-23
    3.2.2 Setting PPPoE Parameters 4-24
    3.3 Configuring PPPoE Client 4-24
    3.3.1 Configuring a Dialer Interface 4-24
    3.3.2 Configuring a PPPoE Session ...
  • Page 186: Chapter 1 Vlan Configuration

    Chapter 1 VLAN Configuration 1.1 Introduction to VLAN 1.1.1 The Potential Problems In LAN Interconnecting Ethernet is a data network communication technology based on a shared communication medium using Carrier Sense Multiple Access with Collision Detection (CSMA/CD).
  • Page 187: Why Using Vlan

    1.1.2 Why Using VLAN LAN interconnection by means of switches cannot confine broadcasts. Virtual Local Area Network (VLAN) technology was developed to solve this problem.
  • Page 188: Vlan Aggregation

    VLANs cannot directly communicate with one another, that is, the users in one VLAN cannot directly access those in other VLANs. They need Layer 3 devices such as routers and Layer 3 switches to communicate.
  • Page 189: Configuring Vlan

    VLANs can share the same network segment, so their users can share the same gateway IP address. VLAN aggregation is realized by performing Address Resolution Protocol (ARP) proxy for the IP addresses of the various VLANs.
  • Page 190: Creating An Ethernet Sub-Interface

    1.2.1 Creating an Ethernet Sub-interface Do as follows in system view.
    Table 1-1 Creating an Ethernet sub-interface
    Action: Create an Ethernet sub-interface. Command: interface { ethernet | gigabitethernet } interface-number.subnumber...
  • Page 191: Configuring A Trunk Port

    Do as follows in Ethernet interface view or GE interface view.
    Table 1-5 Adding or deleting the current port
    Action: Add the current port to a VLAN.
  • Page 192: Typical Example For Configuring Vlan

    Table 1-8 Displaying and debugging VLAN
    Action: View the status of a VLAN and the ports it contains. Command: display vlan vlan-id
    Action: View the untagged ports of all or a specified VLAN. Command: display vlan port-default [ vid vlan-id ]
  • Page 193 II. Networking Diagram (figure: the SecPath sub-interfaces eth 4/0/0.1 at 3.0.0.1/8 and eth 4/0/0.2 at 4.0.0.1/8 connect to a LAN switch with trunk and non-trunk ports, VLAN 20, and the Internet)...
  • Page 194 # Set the encapsulation type of Ethernet 3/0/0.2 and the related VLAN ID.
    [SecPath-Ethernet3/0/0.2] vlan-type dot1q 20
    # Create an Ethernet sub-interface Ethernet 4/0/0.1 and enter its view.
  • Page 195: Chapter 2 Ppp Configuration

    Chapter 2 PPP Configuration 2.1 PPP Overview I. PPP The Point-to-Point Protocol (PPP) is a link layer protocol that carries network layer packets over a point-to-point link.
  • Page 196 The requester looks up the user password using the authenticator's hostname in the received packet and its own user list. If it finds a user in its user list whose name matches the authenticator's hostname, the requester...
  • Page 197: Configuring Ppp

    Figure 2-1 PPP operation flow chart (phases Dead, Establish, Authenticate, Network and Terminate; transitions labelled Up, Opened, Success/None, Fail, Closing and Down) For a detailed description of PPP, refer to RFC1661. 2.2 Configuring PPP...
  • Page 198: Setting Ppp Authentication Mode User Name And User Password

    Table 2-2 Setting polling interval
    Action: Set polling interval. Command: timer hold seconds
    Action: Disable link detection. Command: undo timer hold
    2.2.3 Setting PPP Authentication Mode User Name and User Password Two authentication modes are supported between the local device and the peer: CHAP and PAP.
  • Page 199 III. Configuring the Peer to Authenticate the Local Device in CHAP Mode Table 2-5 Configuring the peer to authenticate the local device in CHAP mode Action...
  • Page 200: Configuring Ppp Authentication Mode Of Aaa

    2.2.4 Configuring PPP Authentication Mode of AAA After PPP authentication, AAA makes the final decision on whether the PPP user passes authentication. AAA can authenticate the PPP user:...
  • Page 201: Configuring Ppp Compression

    Table 2-9 Setting the interval of PPP negotiation timeout
    Action: Set the interval of negotiation timeout. Command: ppp timer negotiate seconds
    Action: Restore the default interval of negotiation timeout. Command: undo ppp timer negotiate
  • Page 202: Configuring Callback

    Table 2-11 Configuring PPP link quality monitoring
    Action: Enable PPP link quality monitoring. Command: ppp lqc close-percentage [ resume-percentage ]
    Action: Disable PPP link quality monitoring. Command: undo ppp lqc...
  • Page 203: Configuring Dns Address Negotiation

    Table 2-13 Configuring the dialing string needed for firewall callback
    Action: Configure the dialing string needed for firewall callback. Command: ppp callback ntstring dial-string
    Action: Cancel the callback dialing string. Command: undo callback ntstring
  • Page 204: Displaying And Debugging Ppp

    2.3 Displaying and Debugging PPP You can use the display command in any view to view the running state and thus verify the effect of PPP.
  • Page 205: Chap Authentication Example

    2.4.2 CHAP Authentication Example I. Networking Requirement In Figure 2-3, the SecPath F1800-A is required to authenticate the router in CHAP mode. II. Networking Diagram (figure: Serial3/0/0 to Serial3/0/0)...
  • Page 206 Serial3/1/0 current state : DOWN
    Link layer protocol current state : DOWN
    The interface is activated, but link negotiation is not successful.
    Serial3/1/0 current state: UP
    Link layer protocol current state : DOWN
    The link negotiation, that is, the LCP negotiation on this interface succeeds.
  • Page 207: Chapter 3 Pppoe Configuration

    PPPoE client dialing software in order to access the Internet through ADSL. H3C series routers serve as the PPPoE client (that is, they perform the PPPoE client dialing), while the SecPath F1800-A provides the PPPoE server, so users can access the Internet without installing client dialing software on their PCs.
  • Page 208: Pppoe Server Configuration

    Figure 3-1 Typical PPPoE networking diagram (figure: Ethernet, PPPoE client, ADSL modem, PPPoE session, PPPoE server) As shown in Figure 3-1, PCs on the Ethernet are connected to the router. The PPPoE client runs on the router, while the PPPoE server runs on the SecPath F1800-A.
  • Page 209: Setting Pppoe Parameters

    Table 3-1 Enabling or disabling PPPoE
    Action: Enable PPPoE on the Ethernet interface. Command: pppoe-server bind virtual-template number
    Action: Disable PPPoE on the Ethernet interface. Command: undo pppoe-server bind
  • Page 210: Configuring A Pppoe Session

    to a dialer bundle and each dialer bundle uniquely corresponds to a Dialer interface. Thus, a PPPoE session can be created through a Dialer interface. Use the dialer-rule and interface dialer commands in system view, and use other commands in Dialer interface view.
  • Page 211: Resetting Or Deleting A Pppoe Session

    Packet triggering mode: When the physical line is Up, the router does not initiate a PPPoE call to create a PPPoE session until there is data to transmit. If the idle time of a PPPoE link exceeds the user-defined value, the firewall automatically terminates the PPPoE session.
  • Page 212: Typical Examples For Configuring Pppoe

    Action: View the status and statistics of the PPPoE session. Command: display pppoe-client session { summary | packet } [ dial-bundle-number number ]
    Action: Debug the PPPoE client. Command: debugging pppoe-client option [ interface
  • Page 213 After the PPPoE client software is installed and the user name and password (here "testuser" and "testpwd" respectively) are set on the hosts, every host on the Ethernet can use PPPoE to access the Internet through the SecPath F1800-A.
  • Page 214 Operation Manual - Network and Routing Protocol H3C SecPath F1800-A Firewall Table of Contents
    Chapter 1 IP Address and IP Performance Configuration 5-1
    1.1 IP Address Overview 5-1
    1.2 Assigning IP Addresses 5-5
    1.2.1 Assigning IP Addresses to Interfaces 5-5
    1.2.2 Displaying and Debugging the IP Address ...
  • Page 215 2.3 Routing Function of the SecPath F1800-A 5-27
    Chapter 3 Static Route Configuration 5-29
    3.1 Introduction to Static Route 5-29
    3.1.1 Attributes and Functions of Static Route 5-29
    3.1.2 Default Route ...
  • Page 216 5.1.4 OSPF Packets 5-49
    5.1.5 Types of OSPF LSAs 5-50
    5.1.6 OSPF Features Supported by VRP 5-51
    5.2 Configuring OSPF 5-51
    5.2.1 Setting Router ID 5-52
    5.2.2 Enabling OSPF Process ...
  • Page 217 6.1.5 BGP Peer and Peer Group 5-84
    6.2 Configuring BGP 5-85
    6.2.1 Enabling BGP 5-86
    6.2.2 Entering Extended Address Family View 5-86
    6.2.3 Configuring BGP Multiple Instances 5-87
    6.2.4 Configuring Basic Features of BGP Peer ...
  • Page 218: Ip Address Overview

    Chapter 1 IP Address and IP Performance Configuration 1.1 IP Address Overview An IP address is a unique 32-bit address assigned to a host connected to the Internet.
  • Page 219 When using IP addresses, note that some of them are reserved for special uses and are seldom used. The IP addresses you can use are listed in Table 1-1.
  • Page 220 Unlike telephone numbers, IP addresses are not hierarchical; in other words, an IP address cannot indicate where a host is located.
  • Page 221 there are 64 x 1022 = 65408 host IDs, which is 126 fewer than before subnetting. If there is no subnetting in an enterprise, then its subnet mask is the default value and the length of "1"...
  • Page 222: Assigning Ip Addresses

    1.2 Assigning IP Addresses 1.2.1 Assigning IP Addresses to Interfaces Each interface of a router can have several IP addresses, among which one is the primary IP address and the others are secondary IP addresses.
  • Page 223 Table 1-4 Deleting the IP address of an interface
    Action: Delete the IP address of an interface. Command: undo ip address [ ip-address net-mask [ sub ] ]
  • Page 224: Displaying And Debugging The Ip Address

    Note: Because PPP supports IP address negotiation, IP address negotiation on an interface can be set only when the interface is encapsulated with PPP. When PPP goes Down, the IP address obtained through negotiation is deleted.
  • Page 225: Troubleshooting

    III. Configuration Procedure
    # Assign the primary and secondary IP address to Ethernet 1/0/0 of the router.
    [SecPath] interface ethernet 1/0/0
    [SecPath-Ethernet1/0/0] ip address 129.2.2.1 255.255.255.0...
  • Page 226: Introduction To Arp Proxy

    Bind packets whose destination address is not on the local network segment to a specific network adapter. In this way, packets for that IP address can be forwarded through the gateway.
  • Page 227 When ARP proxy is used, the ARP aging time on the hosts must be shortened so that expired ARP entries become invalid as soon as possible. This reduces the number of packets that are sent to the router but cannot be forwarded by it.
  • Page 228: Configuring Static Arp

    Table 1-9 Enabling learning capability of multicast MAC addresses on an interface
    Action: Enable learning capability of multicast MAC addresses on an interface. Command: arp multi-mac-permit
  • Page 229: Configuring Dns

    You can use the debugging command in user view to debug ARP.
    Table 1-12 Displaying and debugging ARP
    Action: View ARP mapping table.
  • Page 230: Configuring Static Domain Name Resolution

    specific domain name in the static domain name resolution table to obtain the IP address. Dynamic resolution: The client's request for domain name resolution is handled through a dedicated domain name resolution server.
  • Page 231: Dhcp Relay

    1.5 DHCP Relay 1.5.1 Introduction to DHCP Relay As the network extends in scale and becomes more complex, it becomes more difficult to configure the network.
  • Page 232: Configuring Dhcp Relay

    Figure 1-6 is the schematic diagram of DHCP relay. Its working principle is as follows: After the DHCP client starts up and begins DHCP initialization, it broadcasts a configuration request packet on the local network.
  • Page 233: Displaying And Debugging Dhcp Relay

    Note: For DHCP relay, the IP relay address is an IP address of the DHCP server. Therefore, adding an IP relay address to an interface specifies the destination to which DHCP request packets received on that interface are forwarded.
  • Page 234: Example For Configuring Dhcp Relay

    Table 1-17 Displaying and debugging DHCP relay
    Action: View the IP relay address on the interface. Command: display interface [ interface-type interface-number ]
    Action: Debug the DHCP relay.
  • Page 235: Troubleshooting Dhcp Relay

    The configuration of the DHCP server is omitted. 1.5.5 Troubleshooting DHCP Relay When DHCP relay fails to work normally, debug DHCP relay, and use the display command to locate the fault.
  • Page 236: Displaying And Debugging Ip Performance

    When the TCP connection state changes from FIN_WAIT_1 to FIN_WAIT_2, the FIN wait timer is started. If no FIN packet is received before the FIN wait timer expires, the TCP connection is terminated.
  • Page 237: Troubleshooting Ip Performance

    Table 1-20 Displaying and debugging IP performance
    Action: View state of TCP connection. Command: display tcp status
    Action: View statistics of TCP traffic.
  • Page 238 You can enable debugging to view the debugging information. Use the debugging udp command to trace UDP packets.
  • Page 239 Then the TCP packets received or sent can be viewed in real time, and the detailed packet formats are the same as those mentioned above.
  • Page 240: Chapter 2 Ip Routing Protocol Overview

    Chapter 2 IP Routing Protocol Overview 2.1 Introduction to IP Route and Routing Table 2.1.1 IP Route and Route Segment Routers are used for routing in the Internet. A router selects a proper route (through a network) based on the destination address of its received packet and then forwards the packet to the next router (the firewall).
  • Page 241: Routing Through The Routing Table

    through the shortest route is not always the most ideal way. For example, routing through 3 LAN route segments may be much faster than that through 2 WAN route segments.
  • Page 242: Routing Management Policy

    In addition, depending on whether the network where the destination is located is directly connected to the router, routes fall into: Direct route: The router is directly connected to the network where the destination is located.
  • Page 243: Routing Protocols And The Preferences Of The Discovered Routes

    2.2.1 Routing Protocols and the Preferences of the Discovered Routes Different routing protocols (as well as the static configuration) may discover different routes to the same destination, but not all these routes are optimal. In fact, at a certain moment, only one routing protocol can determine the current route to a specific destination.
  • Page 244: Routes Shared Between Routing Protocols

    Caution: Load balancing can only be configured between routes of the same protocol. For example, load balancing cannot be set between RIP routes and OSPF routes.
  • Page 245 The SecPath F1800-A provides both the security protection of a firewall and the networking functions of a router. As shown in Figure 2-3, the SecPath F1800-A firewall can act as the convergence layer device in networks of any size, implementing hierarchical network interconnection by connecting the core layer and the access layer.
  • Page 246: Chapter 3 Static Route Configuration

    Chapter 3 Static Route Configuration 3.1 Introduction to Static Route 3.1.1 Attributes and Functions of Static Route A static route is a special route configured manually by the administrator. You can set up an interconnected network by configuring static routes.
  • Page 247: Configuring Static Route

    3.2 Configuring Static Route Static route configuration includes:
    Configuring a static route
    Configuring a default route
    3.2.1 Configuring a Static Route Do as follows in system view.
  • Page 248: Typical Example For Configuring Static Route

    Action: View a specific route in detail. Command: display ip routing-table ip-address [ mask ] [ longer-match ] [ verbose ]
    Action: View the routes of a specific address range in detail. Command: display ip routing-table ip-address1
  • Page 249: Troubleshooting Static Route

    III. Configuration Procedure
    Configuring the static route for Router A
    # Configure the static route for Router A.
    [RouterA] ip route-static 1.1.3.0 255.255.255.0 1.1.2.2
    [RouterA] ip route-static 1.1.4.0 255.255.255.0 1.1.2.2...
  • Page 250: Chapter 4 Rip Configuration

    Chapter 4 RIP Configuration 4.1 RIP Overview Routing Information Protocol (RIP) is a relatively simple dynamic routing protocol, but it is widely used in practice. 4.1.1 RIP Operating Principle RIP is a Distance-Vector (D-V) algorithm based protocol that exchanges routing information through UDP packets.
  • Page 251: Configuring Rip

    4.1.2 RIP Startup and Operation The whole process of RIP startup and running can be described as follows. When RIP has just been enabled on a router, the router sends a request packet to its neighbor routers in broadcast mode.
  • Page 252: Enabling Rip And Entering Rip View

    Configuring RIP timer
    Configuring additional metric
    Configuring route filtering
    Do as follows in system view.
    4.2.1 Enabling RIP and Entering RIP View Table 4-1 Enabling RIP and entering RIP view...
  • Page 253: Configuring Unicast Of A Packet

    4.2.3 Configuring Unicast of a Packet Generally, RIP sends packets to broadcast addresses. In order to exchange routing information on a link that does not support broadcast packets, it is necessary to use unicast.
  • Page 254: Configuring Zero Field Checking Over Interface Packets

    4.2.5 Configuring Zero Field Checking over Interface Packets As defined in RFC1058, some fields in a RIP-1 packet must be 0; they are called zero fields.
  • Page 255: Disabling Host Route

    The ip rip work command is functionally equivalent to the rip input and rip output commands together. By default, an interface both receives and sends RIP update packets.
  • Page 256: Configuring Split Horizon

    Plain text authentication
    MD5 authentication
    MD5 authentication uses two packet formats: one follows RFC1723 (RIP Version 2 Carrying Additional Information); the other follows RFC2082 (RIP-2 MD5 Authentication).
  • Page 257: Importing Routes Of Other Protocols

    4.2.11 Importing Routes of Other Protocols RIP allows its users to import routes of other routing protocols into the RIP routing table. Such routing protocols include:...
  • Page 258: Configuring Rip Timer

    Table 4-13 Setting the RIP preference
    Action: Set the RIP preference. Command: preference value
    Action: Restore the default value of RIP preference. Command: undo preference
    4.2.14 Configuring RIP Timer...
  • Page 259: Configuring Additional Metric

    Note: When changing the RIP timer values, take the network performance into consideration. Moreover, keep the configuration consistent on all routers that run RIP, so that unnecessary network traffic and route oscillation are avoided.
  • Page 260: Displaying And Debugging Rip

    Action: Cancel the filtering of the routing information imported from the specified address. Command: undo filter-policy gateway ip-prefix-name import
    Action: Filter the imported global routing information. Command: filter-policy { acl-number | ip-prefix
  • Page 261: Typical Example For Configuring Rip

    4.4 Typical Example for Configuring RIP 4.4.1 Configuring the Operating State of the Specified Interface I. Networking Requirement The internal network of an enterprise is connected to the Internet through the SecPath F1800-A.
  • Page 262: Troubleshooting Rip

    Operation Manual - Network and Routing Protocol H3C SecPath F1800-A Firewall Chapter 4 RIP Configuration [SecPath-Ethernet2/0/0] rip output [SecPath-Ethernet2/0/0] undo rip input Configuring Router B # Configure the interface Ethernet 2/0/0. [Router B] interface Ethernet 2/0/0 [Router B-Ethernet2/0/0] ip address 192.1.1.2 255.255.255.0 # Configure RIP.
  • Page 263: Ospf Overview
    Chapter 5 OSPF Configuration. 5.1 OSPF Overview. 5.1.1 Introduction to OSPF. Open Shortest Path First (OSPF) is a link-state interior gateway protocol developed by the IETF. At present, OSPF version 2 (RFC2328) is used,...
  • Page 264: Basic Concepts Related To Ospf
    A router uses the SPF algorithm to calculate the shortest path tree with itself as the root. The tree shows the routes to the nodes in the AS; external routing information appears as leaf nodes.
  • Page 265
    ...also exchanged between them. Once a DR becomes invalid, the BDR turns into a DR instantly. III. Area: As the network keeps growing in scale and more and more routers in it run OSPF, the LSDB becomes very large.
  • Page 266: Ospf Packets
    [Figure 5-1 Area and route aggregation: Area 0, Area 8, Area 12 and Area 19 with a virtual link; networks 19.1.1.0/24, 19.12.0/24, 19.1.3.0/24]
    5.1.4 OSPF Packets. OSPF uses five types of packets: Hello packet: the most common packet type, sent periodically to the peers of the local router.
  • Page 267: Types Of Ospf Lsas
    5.1.5 Types of OSPF LSAs. I. Five Types of Basic LSAs. OSPF calculates and maintains routing information mainly based on LSAs. Five types of LSAs are defined in RFC2328.
  • Page 268: Ospf Features Supported By Vrp
    Type-11: With the same flooding scope as type-5 LSAs, type-11 LSAs are flooded throughout the entire AS except stub and NSSA areas. Opaque LSAs consist of a standard 20-byte LSA header followed by an application-specific information field.
  • Page 269: Setting Router Id
    Enabling OSPF on the specified network segment. If the OSPF backbone area is discontiguous, you may need to: Configure an OSPF virtual link. Depending on the type of OSPF network, you may need to:...
  • Page 270: Enabling Ospf Process
    Usually, the router ID is set to the IP address of an interface on the router. Do as follows in system view.
  • Page 271: Enabling Ospf On The Specified Network Segment
      Delete a specified OSPF area: undo area area-id
    You can specify the area ID as a decimal integer or in IP address format, but it is always displayed in IP address format.
  • Page 272: Setting The Network Type On The Ospf
    The virtual link is configured in the transit area. Do as follows in OSPF area view.
    Table 5-5 Configuring OSPF virtual link
      vlink-peer router-id...
  • Page 273: Configuring The Adjacent Point
    Change the interface type to p2p if the router has only one peer on the NBMA network. NBMA differs from p2mp in the following aspects.
  • Page 274: Configuring Ospf To Import Routes
    The priority set by the ospf dr-priority command differs in usage from that set by the peer command. The priority set by the ospf dr-priority command is used for the actual DR election.
  • Page 275
    Table 5-8 Configuring OSPF to import routes of other protocols
      Configure OSPF to import routes of other protocols: import-route protocol [ cost value ] [ type { 1 | 2 } ] [ tag value ] [ route-policy ...
  • Page 276: Configuring Ospf Route Filtering
    Table 5-10 Setting parameters for OSPF to import external routes
      Set the minimum interval for OSPF to import external routes: default interval seconds
  • Page 277: Configuring The Route Aggregation Of Ospf
    II. Filtering the Routes Distributed by OSPF
    Table 5-12 Filtering the routes distributed by OSPF
      Enable OSPF to filter distributed routes: filter-policy acl-number ip-prefix ...
  • Page 278: Setting Ospf Route Preference
    Do as follows in OSPF view.
    Table 5-14 Configuring aggregation of imported routes by OSPF
      Configure aggregation of imported routes by OSPF: asbr-summary ip-address mask
  • Page 279
    As defined in RFC2328, the Hello timer must be consistent between network neighbors. Note that the shorter the Hello timer, the faster routes converge and the heavier the network load.
  • Page 280: Setting The Priority For Dr Election
      Restore the default LSA retransmission interval for the neighboring routers: undo ospf timer retransmit
    Note that you should not set the LSA retransmission interval too small; otherwise, unnecessary retransmissions will occur.
  • Page 281: Setting The Cost For Sending Packets On An Interface
    Table 5-19 Setting the interface priority for DR election
      Set the priority of the interface for DR election: ospf dr-priority priority-number
      Restore the default interface priority: ...
  • Page 282: Configuring Ospf Authentication
    Do as follows in interface view.
    Table 5-22 Setting an interval for sending LSU packets
      Set an interval for sending LSU packets: ospf trans-delay seconds
      Restore the default interval for sending LSU packets: ...
  • Page 283: Disabling The Interface To Send Ospf Packets
    Table 5-24 Configuring the OSPF area to support packet authentication
      Configure the area to support MD5 authentication: authentication-mode { simple | md5 }
  • Page 284: Configuring Stub Area Of Ospf
      Enable the interface to send OSPF packets: undo silent-interface silent-interface-type silent-interface-number
    After an OSPF interface is set to silent status, the interface can still advertise its direct route.
  • Page 285: Setting Nssa Area Parameter Of Ospf
    5.2.21 Setting NSSA Area Parameter of OSPF. A new area type, the NSSA area, and a new LSA type, the NSSA LSA (or Type-7 LSA), are added in RFC1587 (NSSA Option). Derived from the stub area, NSSA resembles the stub area in many ways.
  • Page 286: Enabling Opaque Capability Of Ospf
    The keyword default-route-advertise is used to generate the default type-7 LSA. The default type-7 LSA route is generated on the ABR even if no default route 0.0.0.0 is in the routing table.
  • Page 287: Resetting An Ospf Process
    Table 5-30 Configuring OSPF MIB binding
      Configure OSPF MIB binding: ospf mib-binding process-id
      Remove the default OSPF MIB binding: undo ospf mib-binding
    II. Configuring OSPF TRAP. OSPF can be configured to send various SNMP trap packets, and a particular OSPF process can be specified by process number to send the SNMP trap packets.
  • Page 288: Displaying And Debugging Ospf
    Table 5-32 Resetting an OSPF process
      Reset an OSPF process: reset ospf [ statistics ] { all | process-id }
    Resetting the OSPF process clears invalid LSAs instantly, makes a modified Router ID take effect at once, or re-elects the DR and BDR.
  • Page 289: Typical Examples For Configuring Ospf
      View the debugging of OSPF process: display debugging ospf
      Debug all OSPF: debugging ospf all
      Disable all OSPF debugging: undo debugging ospf all
      Debug OSPF packets: debugging ospf packet [ ack | dd | ...
  • Page 290
    II. Networking Diagram [figure residue: Router A and Router B, each with Loopback0, Ethernet1/0/0 and Ethernet2/0/0; OSPF Process100 and Process200, Area 0; addresses 10.10.1.2/24, 10.10.4.2/24, 172.10.1.1/16, 172.10.1.2/16, 131.108.1.1/16, 131.108.1.3/16, 202.38.169.2/24]...
  • Page 291: Configuring Dr Election Based On Ospf Priority
      [Router C-Ethernet2/0/0] ip address 131.108.1.1 255.255.0.0
      [Router C-Ethernet2/0/0] quit
      [Router C] router id 10.10.3.2
      [Router C] ospf 200
      [Router C-ospf-200] area 0
      [Router C-ospf-200-area-0.0.0.0] network 131.108.0.0 0.0.255.255
    Use the display ospf peer command on Router B to view the neighbor creation.
  • Page 292
    # Configure Router B.
      [Router B] interface ethernet 1/0/0
      [Router B-Ethernet1/0/0] ip address 192.1.1.2 255.255.255.0
      [Router B-Ethernet1/0/0] ospf dr-priority 0
      [Router B-Ethernet1/0/0] quit
      [Router B] router id 2.2.2.2...
  • Page 293: Configuring Virtual Link
    If all the routers in the network are removed and then added again, Router B will be elected as the DR (with a priority of 200), and Router A becomes the BDR (with a priority of 100).
  • Page 294: Configuring Ospf Peer Authentication
      [Router B-Ethernet2/0/0] ip address 192.1.1.2 255.255.255.0
      [Router B-Ethernet2/0/0] interface ethernet 1/0/0
      [Router B-Ethernet1/0/0] ip address 193.1.1.2 255.255.255.0
      [Router B-Ethernet1/0/0] quit
      [Router B] router id 2.2.2.2...
  • Page 295
    II. Networking Diagram [figure residue: Router A 1.1.1.1 (Ethernet2/0/0 192.1.1.1/24, POS1/0/0 193.1.1.1/24), Router B 2.2.2.2 (Ethernet2/0/0 192.1.1.2/24), Router C 3.3.3.3 (POS1/0/0 193.1.1.2/24); Area 0 with simple password authentication, Area 1 with authentication]...
  • Page 296: Troubleshooting Ospf
      [Router A-ospf-area-0.0.0.1] authentication-mode md5
    # Configure Router B.
      [Router B] interface ethernet 2/0/0
      [Router B-Ethernet2/0/0] ip address 192.1.1.2 255.255.255.0
      [Router B-Ethernet2/0/0] authentication-mode simple password
      [Router B] router id 2.2.2.2...
  • Page 297
    ...same, and the network segments and masks should also be consistent (the p2p and virtually linked network segments and masks can be different). Check that the dead interval on an interface is at least four times the Hello interval.
  • Page 298: Chapter 6 Bgp/Mbgp Configuration
    Chapter 6 BGP/MBGP Configuration. 6.1 BGP/MBGP Overview. 6.1.1 Introduction to BGP. Border Gateway Protocol (BGP) is an inter-AS dynamic route discovery protocol. Three early versions of BGP:...
  • Page 299: Message Types Of Bgp
    Note: CIDR takes a new view of IP addresses: Class A, Class B and Class C networks are no longer distinguished. For example, in CIDR notation, the illegal Class C network address 192.213.0.0 (255.255.0.0) turns...
  • Page 300
    ...other BGP speakers. When a BGP speaker receives a new route advertisement from another AS, it advertises the route to all the other BGP speakers in the AS if the route is better than the currently learned route or is a new route.
  • Page 301: Bgp Peer And Peer Group
    To support multiple network layer protocols, the IETF extended BGP-4 and formed the Multiprotocol Extensions for BGP-4 (MBGP). The current MBGP standard is RFC2858.
  • Page 302: Configuring Bgp
    ...which can simplify the configuration in some cases and improve the efficiency of route advertisement. When the configuration of the group changes, the configuration of each group member changes accordingly.
  • Page 303: Enabling Bgp
    Configuring BGP route reflector; Setting BGP AS confederation attribute; Other commands; Resetting BGP connection; Performing BGP route refresh. 6.2.1 Enabling BGP: To enable BGP, the local AS number must be specified. After BGP is enabled, the local router listens for BGP connection requests sent by adjacent routers.
  • Page 304: Configuring Bgp Multiple Instances
    Use the undo command to return to BGP view and delete the MBGP extended application configuration. 6.2.3 Configuring BGP Multiple Instances. Do as follows in BGP view.
  • Page 305
    Table 6-5 Specifying an AS number for an EBGP peer group
      Specify an AS number for an EBGP peer group: peer group-name as-number as-number
  • Page 306
    Do as follows in BGP view, multicast sub-address family view, VPNv4 sub-address family view or L2VPN address family view.
    Table 6-7 Configuring peer state
      Enable a peer: ...
  • Page 307: Configuring Application Features Of Bgp Peer
    Table 6-9 Configuring timer of a peer or peer group
      Set keep-alive interval and hold timer of a specified peer: peer peer-address timer keepalive ...
  • Page 308
      Establish the connection between EBGP peers only on directly connected networks: undo peer peer-address ebgp-max-hop
      Configure the local router to connect with an...
  • Page 309
    IV. Taking the Local Address as the Next Hop on Advertising Routes. Generally, a BGP speaker specifies itself as the next hop when advertising routes to an EBGP peer.
  • Page 310
    VI. Sending the Community Attributes to a Peer Group. Do as follows in BGP view, multicast sub-address family view, VPNv4 sub-address family view or VPN instance view.
  • Page 311: Configuring Route Filtering Of Bgp Peer
    Table 6-18 Configuring MD5 authentication for BGP
      Configure authentication password: peer group-name peer-address password { cipher | simple } password
      Cancel MD5 authentication: ...
  • Page 312
    Table 6-20 Configuring route filtering based on ACL
      Configure inbound filter policy: peer { group-name | peer-address } filter-policy acl-number import
      Remove the inbound filter policy: undo peer { group-name | peer-address } ...
  • Page 313: Configuring Network Routes Advertised By Bgp
    6.2.7 Configuring Network Routes Advertised by BGP. Do as follows in BGP view, multicast sub-address family view or VPN instance view.
    Table 6-23 Configuring network routes advertised by BGP...
  • Page 314: Configuring Bgp Route Aggregation
    Note: If the import-route command is configured with a route-policy that has apply clauses (apply A) to import routes discovered by other protocols, and the peer is configured with an export route-policy that has if-match clauses (if-match A), the routes sent to the peer take effect in turn.
  • Page 315
    Table 6-26 Configuring BGP to filter the imported routes
      Configure BGP to filter the routing information imported from the specified address: filter-policy [ ip-prefix ip-prefix-name ] gateway ip-prefix-name import
  • Page 316: Configuring Bgp Route Dampening
    6.2.11 Configuring BGP Route Dampening. Route dampening can be adopted to deal with unstable routes. The main cause of an unstable route is the intermittent disappearance and reappearance of a route that formerly existed in the routing table.
  • Page 317: Configuring The Bgp Timer
    Different sub-address families can be set with different BGP route preferences. Both the unicast address family and the multicast address family are currently supported. Do as follows in BGP view, multicast sub-address family view or VPN instance view.
  • Page 318: Setting Med For As
      Restore default local preference: undo default local-preference
    The local preference is sent only when IBGP peers exchange update packets; it is not sent beyond the local AS.
  • Page 319
    This configuration is not recommended unless you can make sure that the ASs adopt the same IGP and routing method. 6.2.17 Configuring BGP Load Balancing. I.
  • Page 320
    [Figure 6-1 EBGP load balancing: Router A and Router B in AS 100; Router C, Router D and Router E in AS 200]
    In Figure 6-1, Router D and Router E are IBGP peers of Router C. When Router A and...
  • Page 321
    6.2.18 Configuring BGP Route Reflector. To ensure interconnection between IBGP peers, a fully meshed network must be established. However, this is costly when there are large numbers of IBGP peers.
  • Page 322: Setting Bgp As Confederation Attribute
    Table 6-36 Configuring route reflection between clients
      Enable route reflection between clients: reflect between-clients
      Disable route reflection between clients: undo reflect between-clients
    If the clients of the route reflector have been fully connected, it is recommended to disable reflection between clients with the undo reflect between-clients command to reduce costs.
  • Page 323
    ...topology be basically changed. Furthermore, the route through a confederation may not be the best path if no BGP policy is set manually. I. Configuring Confederation ID: From the perspective of BGP speakers outside the confederation, the multiple sub-ASs that belong to the same confederation appear as a whole.
  • Page 324: Resetting Bgp Connection
    Table 6-40 Setting AS confederation attribute compatible with nonstandard router
      Set AS confederation attribute compatible with nonstandard router: confederation nonstandard
      Cancel AS confederation attribute compatible with nonstandard router: undo confederation nonstandard
  • Page 325: Displaying And Debugging Bgp
      Refresh VPNv4 sub-address family routes: refresh bgp { all | peer-address | group group-name } vpnv4 { import | export }
      Refresh L2VPN...
  • Page 326
      View the routing information advertised through BGP: display bgp routing-table peer peer-address { advertised | received }
      View AS path information: display bgp paths as-regular-expression...
  • Page 327: Typical Examples For Configuring Bgp
      Debug BGP: debugging bgp [ peer-address ] { all | event | normal | timer | raw-packet }
      Debug BGP: debugging bgp [ peer-address ] { keepalive | open | packet | route-refresh } [ receive | send ]
  • Page 328
    II. Networking Diagram [figure residue for Figure 6-3 Configuring AS confederation: Router A and Router B (AS1001, AS1002), Router C (AS1003), Router D, Router E (AS200); addresses 172.68.10.1, 172.168.10.2, 172.68.10.3, 172.68.1.1, 156.10.1.1, 156.10.1.2]. III.
  • Page 329
      [Router B-bgp] peer 172.68.10.3 group confed1003
    # Configure Router C.
      [Router C] bgp 1003
      [Router C-bgp] confederation id 100
      [Router C-bgp] confederation peer-as 1001 1002...
  • Page 330
      [Router A-Ethernet2/0/0] ip address 192.1.1.1 255.255.255.0
      [Router A-Ethernet2/0/0] quit
      [Router A] interface ethernet 1/0/0
      [Router A-Ethernet1/0/0] ip address 1.1.1.1 255.0.0.0
      [Router A-Ethernet1/0/0] quit
      [Router A] bgp 100
      [Router A-bgp] group ex external
      [Router A-bgp] peer 192.1.1.2 group ex as-number 200...
  • Page 331: Configuring Bgp Routing
    Using the display bgp routing-table command on Router B, you can see that Router B knows of network 1.0.0.0. Using the same command on Router D, you can see that Router D also knows of network 1.0.0.0.
  • Page 332
      [Router A-bgp] group ex192 external
      [Router A-bgp] peer 192.1.1.2 group ex192 as-number 200
      [Router A-bgp] group ex193 external
      [Router A-bgp] peer 193.1.1.2 group ex193 as-number 200
      [Router A-bgp] quit
    # Set the MED attribute of Router A.
  • Page 333
      [Router B-bgp] peer 194.1.1.1 group in
    # Configure Router C.
      [Router C] interface ethernet 1/0/0
      [Router C-Ethernet1/0/0] ip address 193.1.1.2 255.255.255.0
      [Router C-Ethernet1/0/0] quit
      [Router C] interface ethernet 2/0/0
      [Router C-Ethernet2/0/0] ip address 195.1.1.2 255.255.255.0...
  • Page 334
    Add ACL 2010 on Router C and permit network 1.0.0.0.
      [Router C] acl number 2010
      [Router C-acl-basic-2010] rule permit source 1.0.0.0 0.255.255.255
    Define the route policy named "localpref". Set the local preference of routes matching ACL 1 to 200, and of those not matching to 100.
  • Page 335
    III. Configuration Procedure
    # Configure Router A.
      [Router A] router id 11.1.1.1
      [Router A] ip route-static 9.0.0.0 255.0.0.0 null0
      [Router A] bgp 100
      [Router A-bgp] group ex external
      [Router A-bgp] peer 1.1.1.2 group ex as-number 200...
  • Page 336: Configuring Iteration-Based Bgp Load Balancing
    6.4.5 Configuring Iteration-Based BGP Load Balancing. I. Networking Requirements: Two Autonomous System Boundary Routers (ASBRs), Router A and Router B, are connected to each other through two Ethernet links. Traffic between Router A and Router B must be load-balanced over these two links.
  • Page 337
      [RouterA-Ethernet2/0/0] quit
    # Configure two Loopback interfaces on Router A and take LoopBack0 as the dependent route.
      [RouterA] interface loopback 0
      [RouterA-LoopBack0] ip address 1.0.0.1 255.255.255.255
      [RouterA-LoopBack0] interface loopback 1
      [RouterA-LoopBack1] ip address 30.0.0.1 255.0.0.0...
  • Page 338
    # Configure OSPF and enable it on the network segment where the two Ethernet interfaces are located and on the network segment where Loopback0 resides.
      [RouterB] ospf 100 router-id 100.1.1.2
      [RouterB-ospf-100] area 0
      [RouterB-ospf-100-area-0.0.0.0] network 10.0.0.0 0.255.255.255...
  • Page 339: Configuring Mbgp Route Reflector
    6.4.6 Configuring MBGP Route Reflector. I. Networking Requirements: Router A, Router B, Router C and Router D have been configured with MBGP multicast extended applications. Router A and Router B are EBGP peers. Router C and Router B are IBGP peers, and Router C and Router D are IBGP peers.
  • Page 340
      [Router A] bgp 100
      [Router A-bgp] group ex external
      [Router A-bgp] peer 192.1.1.2 group ex as-number 200
      [Router A-bgp] ipv4-family multicast
      [Router A-bgp-af-mul] peer ex enable
      [Router A-bgp-af-mul] peer 192.1.1.2 group ex...
  • Page 341: Troubleshooting Bgp
      [Router C-ospf-area-0.0.0.0] quit
    # Configure MBGP on Router C.
      [Router C] bgp 200
      [Router C-bgp] group in internal
      [Router C-bgp] peer 193.1.1.2 group in
      [Router C-bgp] peer 194.1.1.2 group in...
  • Page 342
    Check whether the configured AS number of the neighbor is correct. Check whether the neighbor's IP address is correct. If a Loopback interface is used, check whether the connect-source loopback has been configured.
  • Page 343: Chapter 7 Policy Routing Configuration
    Chapter 7 Policy Routing Configuration. 7.1 Policy Routing Overview. Unlike routing based on the destination address of IP packets, policy routing is a mechanism in which packets are transmitted and forwarded according to user-defined policies.
  • Page 344: Defining Policy Routing Behavior
    Table 7-1 Defining a class and entering class view
      Define a class and enter class view: traffic classifier tcl-name
      Delete the class: ...
  • Page 345: Defining A Policy
    Table 7-4 Re-designating a next hop
      Re-designate a next hop: remark ip-nexthop nexthop-ip-address output-interface interface-type interface-number }
      Reset re-designated next hops: undo remark ip-nexthop
    7.2.4 Defining a Policy...
  • Page 346: Setting Traffic Policing Parameters
    Table 7-7 Associating a policy with security zones
      Associate a policy with the security zone: apply policy policy-name { inbound | outbound }
      Delete the associated policy: undo qos apply policy { inbound | ...
  • Page 347: Typical Example For Configuring Policy Routing
    7.3 Typical Example for Configuring Policy Routing. I. Networking Requirement: Connect the LAN and the Internet through a SecPath F1800-A. Define a policy route named "mypolicy". All TCP packets leaving the Trust zone are sent to 202.1.1.10 through Ethernet 1/0/0.
  • Page 348
      [SecPath] qos policy mypolicy
    # Designate the behavior "behavior1" for the class "class1" in policy view.
      [SecPath-qospolicy-mypolicy] classifier class1 behavior behavior1
      [SecPath-qospolicy-mypolicy] quit
    # Enter zone view.
  • Page 349 Operation Manual - Security Defence H3C SecPath F1800-A Firewall Table of Contents: Chapter 1 ACL 6-1; 1.1 Introduction to ACL 6-1; 1.1.1 ACL Definition 6-1; 1.1.2 ACL Application 6-1; 1.1.3 Basic Procedure of ACL Application 6-3; 1.2 ACL on the SecPath F1800-A ...
  • Page 350 Table of Contents: 2.4.1 Introduction to Attack Defence and Packet Statistics 6-29; 2.4.2 Attack Defence Configuration 6-32; 2.4.3 System Statistics Configuration 6-42; 2.4.4 IP Statistics Configuration 6-44; 2.4.5 Displaying and Debugging Attack Defence and Packets Statistics ...
  • Page 351 Table of Contents: 3.5 Typical Example for Configuring NAT 6-78; Chapter 4 IDS Cooperation 6-81; 4.1 Introduction to the IDS Cooperation 6-81; 4.2 IDS Cooperation Configuration 6-82; 4.2.1 Configuring the External IDS Server Address 6-82; 4.2.2 Configuring a Firewall Port Communicating with the External IDS Server ...
  • Page 352 Table of Contents: 5.5 Domain Configuration 6-107; 5.5.1 Creating a Domain 6-108; 5.5.2 Configuring Authentication, Authorization in the Domain 6-108; 5.5.3 Configuring a RADIUS Server Template to the Domain 6-108; 5.5.4 Configuring an HWTACACS Server Template to the Domain ...
  • Page 353: Chapter 1 Acl

    Chapter 1 ACL 1.1 Introduction to ACL 1.1.1 ACL Definition The firewall must be capable of controlling network data streams so as to define: network security, QoS requirements, and various policies. Access Control List (ACL) is one of the methods to control data streams.
  • Page 354 II. NAT Network Address Translation (NAT) translates an IP address in a data packet header into another IP address, so that a private network can access an external network.
  • Page 355: Basic Procedure Of Acl Application

    There are many methods to filter routing information, among which ACL is one of the most important and most widely used. A client can apply an ACL to specify an IP address or subnet range as the destination address or the next hop address for matched routing information.
  • Page 356: Entering Acl View

    II. ACL Creation Procedure Follow two steps to create an ACL on the SecPath F1800-A: entering ACL view, then configuring ACL rules. For basic ACL, advanced ACL and firewall ACL, use the acl command in system view to enter ACL view and then use the rule command to configure ACL rules.
  • Page 357: Basic Acl Rule

    1.2.3 Basic ACL Rule I. Basic Operation A basic ACL uses only source address information to define ACL rules. Using the acl command introduced in the former section, you can enter basic ACL view. In basic ACL view, you can define basic ACL rules for the firewall using the following commands.
  • Page 358: Advanced Acl Rule

    III. Basic ACL Rule Based on Time Range It is required to improve the flexibility of the control over resource access. For example, the system administrator permits some data streams to pass only during work time, or allows clients to access some resources only in certain time ranges.
  • Page 359 rule [ rule-id ] { permit | deny } protocol [ source { sour-addr sour-wildcard | any } ] [ destination { dest-addr dest-mask | any } ] [ source-port operator port1 [ port2 ] ]...
  • Page 360 Operator and syntax: range port1 port2. Meaning: between port1 and port2. Some common port numbers can be replaced by the mnemonic symbols in Table 1-2. Table 1-2 Mnemonic symbol for port number...
  • Page 361 Mnemonic symbol, protocol meaning and number: Telnet: Telnet (23); Time: Time (37); Uucp: Unix-to-Unix Copy Program (540); Whois: Nicname (43); World Wide Web (HTTP, 80); biff: Mail notify (512)
  • Page 362 II. Type of Packet Matched with ICMP Protocol An advanced ACL can also match ICMP packets based on the message type and message code in the ICMP packet header. For instance, the message type for the ICMP packet “destination address is unreachable”...
  • Page 363: Firewall Acl Rule

    III. Advanced ACL Rule Edit When you edit an existing rule by specifying its number, the unedited part does not change. # Configure an ACL rule.
  • Page 364: Acl Configuration

    For instance, there are 4 rules in ACL rule group 1: 0, 1, 3 and 5. The step is set to 5. They will be renumbered 0, 5, 10 and 15 after the undo step command is used, and the step is still 5.
  • Page 365: Creating Advanced Acl

    Table 1-5 Configuring basic ACL rule. Action: Configure basic ACL rule. Command: rule [ rule-id ] { permit | deny } [ source { source-address source-wildcard | any } ] [ time-range time-name ]. Action: Delete basic ACL rule.
  • Page 366: Creating Firewall Acl

    1.3.3 Creating Firewall ACL I. Creating Firewall ACL Do as follows in system view. Table 1-8 Creating firewall ACL. Action: Create firewall ACL and enter ACL view. Command: acl [ number ] acl-number.
  • Page 367: Configuring Acl Step

    Action: Delete ACL effective time range. Command: undo time-range time-name [ start-time to end-time days | from time1 date1 [ to time2 date2 ] ]. 1.3.5 Configuring ACL Step Do as follows in ACL view.
  • Page 368 The enterprise accesses the Internet through Ethernet 1/0/0 of a SecPath F1800-A, which is in the untrust zone. The firewall is connected with the intranet through Ethernet 0/0/0, which is in the untrust zone. The WWW server, FTP server and Telnet server are located in the intranet, whose subnet is 129.38.1.0, in which the FTP server...
  • Page 369 # Create ACL 3102. [SecPath] acl number 3102 # Configure a rule to permit the specific external client to access the internal server. [SecPath-acl-adv-3102] rule permit tcp source 202.39.2.3 0 destination 129.38.1.1 0...
  • Page 370: Chapter 2 Security Policy

    Chapter 2 Security Policy 2.1 Security Zone 2.1.1 Introduction to Security Zone The zone is a concept introduced in the firewall, and is one of the main features distinguishing the firewall from the router.
  • Page 371 In addition, clients can set new security zones and define their priority for the firewall as required. Note: Derived from the military, a DMZ is an intermediate zone between the strictly controlled military zone and the loosely controlled public zone.
  • Page 372 connections accessing the firewall device are the accessing connections to the local zone. The relationship is shown in Figure 2-1 (inbound and outbound)...
  • Page 373: Security Zone Configuration

    Caution: Data transmission direction on the router is determined based on the interface, which is also one of the main features differentiating the firewall from the router. A data stream sent from the interface is called an outbound data stream, and a data stream received on the interface is called an inbound data stream.
  • Page 374 The system can support up to 16 security zones (including the four reserved zones). II. Configuring Priority for the Security Zone You can only configure priority for security zones that you created yourself. The...
  • Page 375: Displaying And Debugging Security Zone

    Therefore, you are required to enter interzone view before configuring interzone security policies. Note: Security policy configuration is introduced in the following chapters. Do as follows in system view.
  • Page 376: Typical Example For Configuring Security Zone

    2.1.5 Typical Example for Configuring Security Zone I. Networking Requirements An enterprise adopts the SecPath F1800-A as its network edge protection device and puts its intranet in the trust zone, which connects to Ethernet 0/0/0 of the SecPath F1800-A.
  • Page 377: Session Table Configuration

    [SecPath-Ethernet1/0/0] quit # Configure the IP address of the interface Ethernet 2/0/0. [SecPath] interface ethernet 2/0/0 [SecPath-Ethernet2/0/0] ip address 210.78.245.1 255.255.255.0 [SecPath-Ethernet2/0/0] quit # Add Ethernet 0/0/0 to the trust zone.
  • Page 378: Configuring Timeout Time Of The Session Table

    Table 2-6 The operations of the SecPath F1800-A session table. If: The six parameters of the packet match the session table. Then: Forward this packet. If: ... interzone ... Then: Forward this packet and create a...
  • Page 379: Displaying And Debugging Session Table

    2.2.3 Displaying and Debugging Session Table You can use the display command in any view to view the running state and verify the effect of the session table configuration.
  • Page 380: Displaying Default Packet Filter Rules

    I. Configuring Default Filter Mode The default filtering mode on the firewall determines whether the firewall permits or denies a data packet when there is no proper rule to judge whether to pass it.
  • Page 381: Typical Example For Configuring Packet Filter

    Table 2-11 Displaying the default packet filter rules. Action: View the default interzone packet filter rules. Command: display firewall packet-filter default { all | interzone zone1 zone2 }. 2.3.4 Typical Example for Configuring Packet Filter...
  • Page 382 The DoS attack differs from other types of attacks. In the DoS attack, attackers prevent valid users from accessing resources or routers. In other types of attacks, attackers search for ingresses into internal networks.
  • Page 383 The WinNuke attack causes a NetBIOS fragment overlap by sending Out-Of-Band (OOB) data packets to the NetBIOS port (139) of the specified target running the Windows system, so as to make the target host crash.
  • Page 384: Attack Defence Configuration

    whether the total number of TCP/UDP connections is greater than the configured value. For another example, if the firewall finds that the number of connections in the system exceeds the threshold, it speeds up connection aging so that DoS does not occur and new connections can be set up.
  • Page 385 Enabling the attack defence for the IP packet carrying timestamp record; Enabling the Tracert packet control; Enabling the Ping of Death attack defence; Enabling the Teardrop attack defence...
  • Page 386 Table 2-14 Enabling the Land attack defence. Action: Enable the Land attack defence. Command: firewall defend land enable. Action: Disable Land attack defence. Command: undo firewall defend land enable.
  • Page 387 VII. Enabling the SYN Flood Attack Defence The SYN Flood attack defence can be configured for a security zone or an IP address. It takes effect only when the SYN Flood attack defence is enabled and the inbound IP statistics of the protected zone (or the zone where the protected IP is located) are enabled.
  • Page 388 Caution: The following are necessary to enable the SYN Flood attack defence: enable the SYN Flood attack defence; configure the specific SYN Flood attack defence. VIII. Enabling the ICMP Flood Attack Defence The ICMP Flood attack defence can be configured for a security zone or an IP address.
  • Page 389 Action: Disable all the ICMP Flood attack defences. Command: undo firewall defend icmp-flood. The ICMP Flood attack defence can protect up to 1000 IP addresses at the same time.
  • Page 390 Action: Disable the UDP Flood attack defence for some IPs. Command: undo firewall defend udp-flood [ ip-address ]. Action: Disable the UDP Flood attack defence for all IP addresses. Command: undo firewall defend udp-flood ip.
  • Page 391 Table 2-25 Enabling the ICMP unreachable packet control. Action: Enable the ICMP unreachable packet control function. Command: firewall defend icmp-unreachable enable. Action: Disable the ICMP unreachable packet control. Command: undo...
  • Page 392 XIV. Enabling the Attack Defence for the IP Packet Carrying Source Route Do as follows in system view. Table 2-28 Enabling the attack defence for the IP packet carrying the source route...
  • Page 393 Table 2-31 Enabling the Ping of Death attack defence. Action: Enable the Ping of Death attack defence. Command: firewall defend ping-of-death enable. Action: Disable the Ping of Death attack defence.
  • Page 394: System Statistics Configuration

    XXI. Enabling the Large ICMP Packet Control Do as follows in system view. Table 2-35 Enabling the large ICMP packet control. Action: Enable the large ICMP packet control.
  • Page 395 I. Enabling the System Statistics Enable the system statistics to collect statistics on all the packets that pass through the firewall. Do as follows in system view. Table 2-37 Enabling the system statistics...
  • Page 396: Ip Statistics Configuration

    2.4.4 IP Statistics Configuration The SecPath F1800-A limits the number of connections based on the session table. If a data stream does not match the session table and the default interzone rules permit this stream to pass, the firewall neither limits nor collects statistics on this data flow.
  • Page 397 II. Enabling the Limit on Bandwidth or the Number of IP Connections of Specific Traffic You can enable the limit on the bandwidth or the number of IP connections of specific traffic by specifying the ACL number.
  • Page 398 Table 2-42 Enabling the monitor over the number of IP connections. Action: Enable the monitor over the number of IP connections. Command: statistic connect-number ip { tcp | udp }
  • Page 399: Displaying And Debugging Attack Defence And Packets Statistics

    Table 2-44 Setting the TCP/UDP bandwidth received or sent by an IP address in a security zone. Action: Set the TCP or UDP bandwidth ... Command: statistic car ip { inbound | outbound } car-class...
  • Page 400 Figure 2-4 The firewall attack defence configuration (SecPath with Ethernet interfaces on 202.1.0.0/16, 192.168.1.0/24 and 10.110.0.0/8, the Internet, and a server at 10.110.1.1). Configuration procedures # Configure Ethernet 0/0/0 on the firewall.
  • Page 401 II. Enabling the SYN Flood Attack Defence Networking requirements Adopt the SecPath F1800-A in the network and add Ethernet 0/0/0 to the trust zone, Ethernet 0/1/0 to the untrust zone and Ethernet 1/0/0 to the DMZ zone.
  • Page 402 III. Enabling the IP Sweep Attack Defence Networking requirements Adopt the SecPath F1800-A in the network and add Ethernet 0/0/0 to the trust zone, Ethernet 0/1/0 to the untrust zone and Ethernet 1/0/0 to the DMZ zone.
  • Page 403: Troubleshooting The Attack Defence

    [SecPath] firewall defend ip-sweep blacklist-timeout 5 2.4.7 Troubleshooting the Attack Defence Fault 1: The SYN Flood attack defence is invalid. Troubleshooting: Do as follows. Check if the SYN Flood attack defence is enabled for the destination zone or for the destination IP.
  • Page 404 ActiveX Blocking can prevent the network from being damaged by harmful ActiveX controls. ASPF supports mappings from ports to applications, which specifies non-well-known ports for services based on the application layer protocols.
  • Page 405: Aspf Configuration

    Source IP address; Source port; Destination IP address; Destination port; Protocol number. The lack of any of these five fields leads to the failure of the session.
  • Page 406: Typical Example For Configuring Aspf

    Note: The detect all command cannot set Java blocking or ActiveX blocking. The undo detect all command cannot disable Java Blocking or ActiveX Blocking. MSN uses the private protocol MSNP. Because the ports of MSNP sessions are...
  • Page 407 II. Networking Diagram Figure 2-5 Networking diagram of ASPF configuration (Untrust zone: server 202.101.1.2 and SecPath Ethernet1/0/0 202.101.1.1; Trust zone: SecPath Ethernet2/0/0 2.2.2.1 and host 2.2.2.11). III. Configuration Procedure # Configure the ASPF detect policy to define the timeout time of FTP and HTTP as 3000 seconds.
  • Page 408: Black List

    2.6 Black List 2.6.1 Introduction to Black List The black list filters packets based on the source address. Compared with the ACL-based packet filter, the matching conditions of the black list are much simpler, so it can filter packets at high speed, effectively shielding the packets sent from a specific IP address.
  • Page 409 In addition, if you repeatedly enter a wrong password three times when logging in to the firewall through Telnet or SSH, the system automatically adds the IP address of the Telnet client or SSH client to the blacklist and sets the aging time to ten minutes.
  • Page 410: Black List Configuration

    2.6.2 Black List Configuration Black list configuration includes: configuring black list entries; setting the filtering type and range of the black list; enabling or disabling the black list. I.
  • Page 411: Displaying Black List

    2.6.3 Displaying Black List You can use the display command in any view to view the running state and verify the configuration of the blacklist. Table 2-51 Displaying black list...
  • Page 412: Mac And Ip Address Binding

    2.7 MAC and IP Address Binding 2.7.1 Introduction to MAC and IP Address Binding MAC and IP address binding means that the firewall associates a specific IP address with a MAC address based on the client configuration.
  • Page 413: Mac And Ip Address Binding Configuration

    undo firewall mac-binding enable By default, the address binding is disabled. 2.7.2 MAC and IP Address Binding Configuration MAC and IP address binding configuration includes: configuring the MAC and IP address binding map; enabling or disabling MAC and IP address binding. I.
  • Page 414: Displaying Mac And Ip Address Binding

    2.7.3 Displaying MAC and IP Address Binding You can use the display command in any view to view the running state and verify the configuration of MAC and IP address binding.
  • Page 415: Port Identification

    2.8 Port Identification 2.8.1 Introduction to Port Identification Application layer protocols usually communicate through well-known port numbers. Port identification allows a client to define a group of new port numbers besides the system-defined port numbers for various applications, and also provides mechanisms to maintain and use the user-defined port configuration information.
  • Page 416: Displaying Port Mapping

    Table 2-55 Configuring port mapping entries. Action: Configure port identification. Command: port-mapping application-name port port-number acl acl-number. Action: Delete user-defined port identification. Command: undo port-mapping [ application-name port port-number acl acl-number ]. Notes: You cannot delete or modify system-defined port numbers.
  • Page 417: Typical Example For Configuring Port Mapping

    2.8.4 Typical Example for Configuring Port Mapping I. Networking Requirement As shown in Figure 2-8, an enterprise offers WWW and FTP services to external users. It configures a firewall to identify: the packets to 129.38.1.1 carrying the port number 80 as FTP packets;...
  • Page 418 # View port mapping. [SecPath] display port-mapping SERVICE PORT TYPE ------------------------------------------------- system defined smtp system defined http system defined rtsp system defined h323 1720 system defined 2010...
  • Page 419: Chapter 3 Nat

    Chapter 3 NAT 3.1 Introduction to NAT As described in RFC 1631, NAT translates the IP address in the IP data packet header into another IP address. In practice it is mainly used for a private network to access an external network.
  • Page 420: Nat On The Secpath F1800-A

    A NAT server such as the SecPath F1800-A is located at the junction between the private network and the public network. When the internal PC at 192.168.1.3 sends data packet 1 to the external server at 202.120.10.2, the data packet traverses the NAT server.
  • Page 421: Many-To-Many Nat And Nat Control

    3.2.2 Many-to-Many NAT and NAT Control I. Overview As shown in Figure 3-1, NAT chooses a proper extranet address to replace the source address of the intranet. The public address of the outbound interface on the NAT...
  • Page 422 II. Basic Configuration The configuration procedure of many-to-many NAT on the SecPath F1800-A is as follows: Define a need-based NAT address pool in system view: nat address-group group-number start-addr end-addr [ vrrp virtual-router-ID ]. group-number: refers to the address pool ID.
  • Page 423: Napt

    3.2.3 NAPT I. Overview The former section introduced one-to-one NAT, which cannot achieve concurrent access, and many-to-many NAT, which can. There is another way to achieve concurrent access, that is, Network Address Port Translation (NAPT).
  • Page 424: Internal Server

    The NAT server can also differentiate them based on their destination addresses and port numbers and forward them to the internal hosts. II. Basic Configuration The NAT on the SecPath F1800-A effectively combines NAPT and many-to-many NAT.
  • Page 425 Note: The internal servers serving external hosts are usually located in the DMZ zone of the SecPath F1800-A, and are generally not allowed to initiate connections to external hosts.
  • Page 426: Alg

    3.2.5 ALG I. Overview NAT and NAPT can translate only the address in the IP packet header and the port number in the TCP/UDP packet header. However, the IP address and port number...
  • Page 427: Gratuitous Arp Packets

    II. Basic Configuration Using the detect protocol command, you can configure NAT ALG and ASPF detection for the protocol in interzone view. 3.2.6 Gratuitous ARP Packets You can use the nat arp-gratuitous send command on an FE or GE interface to send gratuitous ARP packets.
  • Page 428: Associating An Acl With An Address Pool

    Do as follows in system view. Table 3-1 Defining a NAT address pool. Action: Define a NAT address pool. Command: nat address-group group-number start-address end-address [ vrrp virtual-router-ID ]...
  • Page 429: Configuring An Internal Server

    3.3.3 Configuring an Internal Server Hosts on external networks can access the intranet through the mapping of external addresses and port numbers to internal servers. Using the nat server command, you can configure a map table between internal servers and external hosts.
  • Page 430: Sending Gratuitous Arp Packets

    By default, no NAT ALG is applied in the interzone. 3.3.5 Sending Gratuitous ARP Packets Do as follows in Ethernet interface view or GE interface view. Table 3-4 Sending gratuitous ARP packets between NAT server address and...
  • Page 431 Requirement 1: Only the PCs at 10.110.10.0/24 in the trust zone can access the Internet, while the PCs in the other segments of the local zone cannot. The valid public IP addresses range from 202.169.10.2 to 202.169.10.6.
  • Page 432 [SecPath-acl-basic-2001] rule 0 permit source 10.110.10.0 0.0.0.255 [SecPath-acl-basic-2001] rule 1 deny source 10.110.0.0 0.0.255.255 [SecPath-acl-basic-2001] quit # Associate the ACL with the address pool to specify the NAT on the packets sent from 10.110.10.0/24.
  • Page 433: Chapter 4 Ids Cooperation

    Chapter 4 IDS Cooperation 4.1 Introduction to the IDS Cooperation Usually, the SecPath F1800-A is mainly used to: prevent users or information from entering some restricted sites.
  • Page 434: Ids Cooperation Configuration

    Figure 4-1 Networking diagram of the IDS cooperation (components: Trust zone, Untrust zone, SecPath, internal LAN, external network (Internet), router, administration server, IDS server, IDS detector). Based on...
  • Page 435: Configuring A Firewall Port Communicating With The External Ids Server

    Table 4-1 Configuring the external IDS server address. Action: Configure the external IDS server address. Command: firewall ids server ip-address. Action: Remove the external IDS server address. Command: undo firewall ids server [ ip-address ].
  • Page 436: Enabling Or Disabling The External Ids

    Action: Remove the packet authentication mode between the firewall and the external IDS server. Command: undo firewall ids authentication. 4.2.4 Enabling or Disabling the External IDS Do as follows in system view.
  • Page 437: Typical Example For Configuring Ids Cooperation

    4.4 Typical Example for Configuring IDS Cooperation I. Networking Requirement The SecPath F1800-A works in routing mode. Configure the packet authentication mode for the external IDS system and the address of the third-party IDS server, and then enable the external third-party IDS.
  • Page 438: Chapter 5 Aaa

    Operation Manual - Security Defence H3C SecPath F1800-A Firewall Chapter 5 AAA Chapter 5 AAA Note: This chapter describes the AAA configuration on the SecPath F1800-A. Here, the SecPath F1800-A serves as a router in function. So the router mentioned in this chapter is referred to as the SecPath F1800-A.
  • Page 439: Introduction To Radius Protocol

    Operation Manual - Security Defence H3C SecPath F1800-A Firewall Chapter 5 AAA It completely trusts users and does not check their validity. It is not used usually. Local authentication It configures the user information, including the user name, password and attributes, on a Broadband Access Server (BAS).
  • Page 440 serial interfaces and modems, and was later widely used in Network Access Server (NAS) systems. To obtain the right to access other networks or to use some network resources, you need to set up a connection with the NAS through some network (such as the telephony network).
  • Page 441 II. RADIUS Message Structure
    The RADIUS message structure is shown in Figure 5-2. (Figure 5-2 RADIUS message structure; fields: Code, Identifier, Length, Authenticator, Attribute) Code: refers to the message type, such as an access request, access permit and accounting request.
  • Page 442: Introduction To The Hwtacacs Protocol

    After receiving the AAA authentication or accounting message, enables the server detection process if the current status of the server is DOWN, and then transforms the message into a packet which functions as the server probe packet and is sent to the current server.
  • Page 443: Introduction To Domain

    As a result, the authentication is performed over RADIUS while the authorization is performed over HWTACACS.
    5.1.4 Introduction to Domain
    The BAS manages users in the following two modes:...
  • Page 444: Entering Aaa View

    5.2.1 Entering AAA View
    AAA is always enabled on the BAS, and the AAA configuration is performed in AAA view. Do as follows in system view.
    Table 5-2 Entering AAA view...
  • Page 445: Configuring An Authorization Scheme

    The system has a default scheme, which cannot be deleted but can be modified. It is adopted when no scheme is specified in the domain.
    II. Setting an Authentication Mode...
  • Page 446: Configuring A Recording Scheme

    Action: Delete an authorization scheme. Command: undo authorization-scheme scheme-name
    If the specified authorization scheme does not exist, the authorization-scheme command creates it and enters its view;...
  • Page 447 Configuring a recording mode in recording scheme view
    Configuring a recording policy, namely, determining the contents to be recorded
    I. Creating a Recording Scheme
    Do as follows in AAA view.
  • Page 448: Setting Parameters For A Car Level

    Action: Disable the recording of connection information. Command: undo outbound recording-scheme
    Action: Record the system-level events. Command: system recording-scheme scheme-name
    Action: Disable the recording of system-level events. Command: undo system recording-scheme
  • Page 449 If the BAS authenticates the user, it assigns the user an IP address from the address pool in the domain the user belongs to; otherwise, it assigns an IP address from the system address pool if necessary.
  • Page 450: Radius Configuration

    If the user is not assigned an IP address by either of the above two methods, or local authentication is used, the command configured on the corresponding interface is used to assign an IP address to the user. If that command allocates an IP address, the IP address of the interface is directly assigned to the user, but that IP address can be assigned only once.
  • Page 451: Creating A Radius Server Template

    5.3.1 Creating a RADIUS Server Template
    A RADIUS server template refers to a group of RADIUS servers. To configure servers in a RADIUS server template, you must create the template first.
  • Page 452: Configuring A Protocol Version For The Radius Server

    If this command is used repeatedly, the new configuration overwrites the previous one. This configuration can be modified only when the RADIUS server template is not used by any user.
  • Page 453: Configuring A User Name Format For The Radius Server

    5.3.5 Configuring a User Name Format for the RADIUS Server
    User names are usually in the format "username@domainname". If the RADIUS server does not accept user names followed by the domain name, delete the domain part before sending the user name to the RADIUS server.
  • Page 454: Configuring Retransmission For The Radius Server

    5.3.7 Configuring Retransmission for the RADIUS Server
    I. Configuring a Response Timeout for the RADIUS Server
    To judge whether a RADIUS server is invalid, the router periodically sends a request packet to it.
  • Page 455: Hwtacacs Configuration

    Table 5-21 Configuring a NAS port for the RADIUS server
    Action: Adopt the new NAS-port format. Command: radius-server nas-port-format new
    Action: Adopt the old NAS-port format. Command: radius-server nas-port-format old
    Action: Adopt the new NAS-port-ID format.
  • Page 456: Configuring An Hwtacacs Authentication Server

    Table 5-22 Creating an HWTACACS server template
    Action: Create an HWTACACS server template and enter HWTACACS view. Command: hwtacacs-server template template-name
    Action: Delete an HWTACACS server template. Command: undo hwtacacs-server template template-name
    If the specified HWTACACS server template does not exist, this command creates a template with the specified name and enters HWTACACS view.
  • Page 457: Configuring An Hwtacacs Authorization Server

    5.4.3 Configuring an HWTACACS Authorization Server
    Do as follows in HWTACACS view.
    Table 5-24 Configuring an HWTACACS authorization server
    Action: Configure a primary HWTACACS authorization server. Command: hwtacacs-server authorization
  • Page 458: Configuring A Traffic Unit For The Hwtacacs Server

    If the HWTACACS server does not accept user names followed by the domain name, delete the domain part before sending the user name to the HWTACACS server.
  • Page 459: Configuring A Timer For The Hwtacacs Server

    5.4.8 Configuring a Timer for the HWTACACS Server
    I. Configuring a Response Timeout for the HWTACACS Server
    Because HWTACACS is implemented over TCP, either a server response timeout or a TCP timeout may cause disconnection from the HWTACACS server.
  • Page 460: Creating A Domain

    Configuring a traffic level for the domain
    Configuring a priority for a domain user
    Configuring an access limitation for the domain
    Configuring a Web authentication server in the domain
    Applying an ACL to domain users
    5.5.1 Creating a Domain...
  • Page 461: Configuring An Hwtacacs Server Template To The Domain

    Table 5-33 Configuring a RADIUS server template to the domain
    Action: Configure a RADIUS server template for the current domain. Command: radius-server template-name
    Action: Delete the server template configured for the current domain. Command: undo radius-server
  • Page 462: Configuring The Domain State

    Action: Delete an address pool from the domain. Command: undo ip pool pool-number
    Up to 100 address pools (numbered from 0 to 99) can be defined in a domain, and an address pool can contain up to 4096 IP addresses.
  • Page 463: Configuring A Traffic Level For The Domain

    Table 5-38 Configuring the domain state
    Action: Configure the domain to be in the active state. Command: state active
    Action: Configure the domain to be in the block state.
  • Page 464: Configuring A Web Authentication Server In The Domain

    Do as follows in domain view.
    Table 5-41 Setting an access limit to the domain
    Action: Set the maximum number of users allowed to access the domain. Command: access-limit max-number
  • Page 465: Local User Management Configuration

    The available range of ACL numbers is 2000 to 3999, and a newly applied ACL replaces the old one.
    5.6 Local User Management Configuration
    5.6.1 Creating a Local User Account
    Up to 1000 local user accounts can be configured in the system.
  • Page 466: Configuring A Service Type For A Local User

    Table 5-45 Configuring a batch of VLAN user accounts
    Action: Configure VLAN user accounts in batches. Command: vlan-batch user interface interface-type interface-number start-vlan-id number [ domain domain-name | password password ] *...
  • Page 467: Configuring Callback Check To Local Users

    You can also configure a callback number on the RADIUS server. If RADIUS authentication is enabled for PPP users, the callback number configured on the RADIUS server is sent to PPP.
  • Page 468: Configuring Local User States

    Do as follows in AAA view.
    Table 5-50 Configuring an FTP directory for a local user
    Action: Configure an FTP directory for a local user. Command: local-user user-name ftp-directory
  • Page 469: Setting A Priority For A Local User

    Action: Set a traffic level for VLAN users in batch. Command: vlan-batch user user-car level interface interface-type interface-number start-vlan-id number [ domain domain-name ]
    undo vlan-batch user user-car interface...
  • Page 470: Configuring A Mac Address Binding For A Local User

    II. Configuring Access Limit to VLAN Users
    The access limit to VLAN users includes:
    Limiting the number of users that are allowed to access through a VLAN
    Limiting the number of connections that a VLAN user can set up
    Do as follows in AAA view.
  • Page 471 Table 5-57 Displaying access users
    Action: View all access users in brief. Command: display access-user
    Action: View access users by domain. Command: display access-user domain domain-name
    Action: View access users by username. Command: display access-user username
  • Page 472: Displaying And Debugging Aaa

    III. Configuring Idle-cut
    For users who are charged by traffic, enabling idle-cut stops accounting when users forget to go offline. Cutting off idle users also improves system utilization.
  • Page 473: Typical Examples For Configuring Aaa

    Table 5-61 Displaying and debugging AAA, RADIUS, HWTACACS
    Action: View the AAA information. Command: display aaa configuration
    Action: View the configuration of an authentication scheme. Command: display authentication-scheme [ scheme-name ]
    View configuration...
  • Page 474 II. Networking Diagram
    (Figure 5-3 Networking diagram of AAA and RADIUS configuration case; labels: 129.7.66.66, 129.7.66.67, Ethernet, SecPath, PSTN, Modem, Accessed network)
    III. Configuration Procedure
    # Configure RADIUS server template.
  • Page 475: Example Ii For Authenticating Access Users

    5.8.2 Example II for Authenticating Access Users
    I. Networking Requirement
    Authenticate users through the local database first, and then adopt RADIUS authentication if local authentication fails.
  • Page 476: Authenticating Telnet Users

    5.8.3 Authenticating Telnet Users
    I. Networking Requirement
    Authenticate Telnet users through a RADIUS server first. If no response is received, none authentication is adopted. The server at 129.7.66.66 acts as the authentication server. There is no backup server. With this fallback, a RADIUS server outage lets Telnet users in without any authentication.
  • Page 477 The authentication mode, authorization mode and RADIUS template adopted by a user are determined by the authentication scheme configured in the domain. The user can configure the authentication scheme and authorization scheme in AAA view, as well as the authentication mode and authorization mode under these schemes.
  • Page 478 configure this authentication scheme in the domain and configure the authentication mode as none-authentication under this scheme.
    Fault IV: A Telnet user cannot enter system view even after passing authentication when RADIUS authentication is configured.
  • Page 479 Operation Manual - VPN H3C SecPath F1800-A Firewall Table of Contents
    Chapter 1 VPN Overview 7-1
    1.1 Introduction to VPN 7-1
    1.2 VPN Primary Technology 7-2
    1.3 VPN Classification 7-5
    Chapter 2 L2TP Configuration 7-7
    2.1 L2TP Overview ...
  • Page 480 3.3.2 Displaying and Debugging IKE 7-67
    3.3.3 Resetting IPSec Packet Statistics 7-68
    3.3.4 Deleting an SA 7-68
    3.3.5 Displaying and Resetting IPSec Card 7-69
    3.4 Typical Example for Configuring IPSec 7-70
    3.4.1 Creating SA in Manual Mode ...
  • Page 481: Chapter 1 Vpn Overview

    Operation Manual - VPN H3C SecPath F1800-A Firewall Chapter 1 VPN Overview
    Chapter 1 VPN Overview
    1.1 Introduction to VPN
    Virtual Private Network (VPN) is a new technology that has developed rapidly with the wide use of the Internet in recent years. It is used to build a private network on a public network.
  • Page 482: Vpn Primary Technology

    Adding or deleting VPN users only by configuring software, without changing hardware devices. In this way, VPN can be applied more flexibly.
    Supporting the mobile access of remote VPN users at any time and in any place. In this way, the increasing demand for mobile service can be met.
    Creating VPN with service quality guarantee, such as MPLS VPN.
  • Page 483 II. VPN Fundamentals
    (Figure 1-2 Diagram of VPN access; labels: PSTN/ISDN, VPN User, VPN Server)
    As shown in Figure 1-2, the user accesses the ISP Network Access Server (NAS) through the PSTN or ISDN network.
  • Page 484 It is a Cisco proprietary protocol. It supports tunneling encapsulation for the higher-level link layer; it physically separates the dial-up server from the dial-up protocol connection.
    Layer 2 Tunneling Protocol (L2TP)
    L2TP is drafted by IETF, Microsoft.
  • Page 485: Vpn Classification

    and the PPP session ends at the NAS. Thus, the user gateway does not need to manage and maintain the status of each PPP session, which reduces the system load. In general, L2TP and the layer 3 tunnel protocols are used separately. Used together, they may provide users better security and performance, such as using L2TP and IPSec together.
  • Page 486 Client-initiated VPN connection
    NAS-initiated VPN connection
    Extranet VPN
    Extranet VPN extends the enterprise network to suppliers, partners and clients by using VPN. In this way, a VPN can be created between different enterprises over a public network.
  • Page 487: Chapter 2 L2Tp Configuration

    Operation Manual - VPN H3C SecPath F1800-A Firewall Chapter 2 L2TP Configuration
    Chapter 2 L2TP Configuration
    2.1 L2TP Overview
    2.1.1 Introduction to VPDN
    VPDN realizes VPN by using the dial-up services of public networks, such as ISDN and PSTN, and the access network.
  • Page 488: Introduction To L2Tp

    Its disadvantages are: users need to install dedicated software (usually on the Win2000 platform), which limits the platforms available to users. There are three types of VPDN tunneling protocols: PPTP, L2F, and L2TP; among them, L2TP is the most popular.
  • Page 489 branches). It is used to encapsulate packets received from the remote system based on L2TP and then send them to the LNS, and meanwhile decapsulate packets received from the LNS and send them to the remote system.
  • Page 490 More than one L2TP tunnel can be created between an LNS and LAC pair. A tunnel consists of a control connection and one or several sessions. A session can be set up only after the tunnel is created successfully.
  • Page 491 (Figure 2-3 Two typical L2TP tunnel modes; labels: LAC client, Remote Client, PSTN/ISDN, Internet, HomeLAN)
    Initiated by remote dial-up user: the remote system dials in to the LAC by PSTN or ISDN. The LAC sends the request for tunnel connection to the LNS through the Internet.
  • Page 492 (Call setup diagram between SecPath_A, SecPath_B and the RADIUS servers: (1) Call Setup (2) PPP LCP Setup (3) PAP or CHAP authentication (4) access request (5) access accept (6) Tunnel establishment (7) PAP or CHAP authentication...)
  • Page 493 12) If local mandatory CHAP authentication is configured at the LNS, the LNS authenticates the VPN user by sending a challenge, and the VPN user at the PC sends back responses.
  • Page 494: Access To Vpn Supported By L2Tp

    Transmitted packet number and byte number
    Start time and end time of the connection
    L2TP can easily carry out network charging based on these data.
    Reliability
    L2TP supports backup LNS. When the active LNS is inaccessible, the LAC can reconnect to the backup LNS;...
  • Page 495: Configuring L2Tp

    2.2 Configuring L2TP
    2.2.1 LNS Configuration
    When configuring the LNS, you need to enable L2TP and create an L2TP group first. For the configuration of L2TP in support of multi-instance, the other configurations take effect only after L2TP multi-instance is enabled.
  • Page 496 Configuring L2TP flexibly on the router
    Realizing one-to-one and one-to-many networking applications between LAC and LNS
    L2TP groups are numbered separately on the LAC and the LNS, so you only need to keep the configurations of the related L2TP groups on the LAC and LNS consistent.
  • Page 497 IP address for the virtual interface
    Address pool used for assigning addresses to the peer
    If you do not configure the PPP authentication mode, communication will fail even though you can dial up to the SecPath F1800-A normally.
  • Page 498 V. Setting Local Tunnel Name (Optional)
    You can set the local tunnel name on the LNS side. Do as follows in L2TP group view.
    Table 2-5 Setting local tunnel name...
  • Page 499 Table 2-7 Setting hidden AVP data
    Action: Transmit hidden AVP data. Command: tunnel avp-hidden
    Action: Restore the default transmission mode of AVP. Command: undo tunnel avp-hidden
    VIII. Setting Time Interval at Which Hello Messages in the Tunnel are Sent...
  • Page 500 If only mandatory CHAP authentication is configured, the LNS performs CHAP authentication of users. To perform mandatory CHAP authentication on the LNS side, you need to: set the user name, password and user authentication on the LNS side.
  • Page 501 Table 2-10 Configuring LCP re-negotiation
    Action: Force LCP to re-negotiate. Command: mandatory-lcp
    Action: Remove LCP re-negotiation. Command: undo mandatory-lcp
    There are three situations in application: LCP re-negotiation is not configured on the LNS side, and access users are authenticated only on the LAC side.
  • Page 502 XII. Configuring Domain Name Delimiter (Optional)
    When several enterprises are connected on the LNS side, it takes time to separate enterprise names from the user names in packets. In this case, a suffix delimiter can be set on the LNS side to speed up processing.
  • Page 503 Action: Configure authentication scheme. Command: authentication-scheme scheme-name
    Action: Configure authentication mode. Command: authentication-mode { [ hwtacacs | radius | local ]* [ none ] }
    When the user name is neither suffixed nor bound to any VT in the default domain, this user can belong to any created VPN.
  • Page 504: Displaying And Debugging L2Tp

    XV. Disconnecting a Tunnel Forcibly (Optional)
    Tunnel clearing occurs:
    When there is no user.
    When the network fails.
    When the administrator requires the tunnel to be disconnected.
    Either the LAC side or the LNS side can initiate a request for clearing the tunnel. The side that receives the clearing request must: send acknowledgement (ACK) information;...
  • Page 505: Typical Examples For Configuring L2Tp

    Table 2-18 Displaying and debugging L2TP
    Action: View the current L2TP tunnel. Command: display l2tp tunnel
    Action: View the current L2TP session. Command: display l2tp session
    Action: Debug L2TP. Command: debugging l2tp { all | control | dump | error
  • Page 506 Other configurations are omitted.
    Configuration on NAS side
    # Enable L2TP.
    [SecPath2] l2tp enable
    # Configure the IP address of Ethernet 2/0/0.
    [SecPath2] interface Ethernet 2/0/0
    [SecPath2-Ethernet2/0/0] ip address 2.2.2.1 16
    # Configure a virtual template interface.
  • Page 507: Configuration Of Rental Secpath F1800-A

    # Create an L2TP group to carry out L2TP negotiation.
    [SecPath2] l2tp-group 10
    [SecPath2-l2tp10] allow l2tp virtual-template 1 remote lac
    [SecPath2-l2tp10] tunnel authentication
    [SecPath2-l2tp10] tunnel password simple hello
    [SecPath2-l2tp10] tunnel name lns
    (The simple keyword keeps the tunnel password in clear text in the configuration file, and the password itself is a placeholder from the example; use a strong secret in production.)
    # Configure a local user and address pool.
  • Page 508 II. Networking Diagram
    (Figure 2-7 Networking diagram of rental SecPath F1800-A; labels: Enterprise A, Ethernet1/0/1.1, Enterprise B, Ethernet1/0/1.2 1.1.2.1, SecPath, Ethernet0/0/1 2.2.2.2, Internet, 1.1.1.1, IPSec+L2TP tunnel)
    III. Configuration Procedure
    # Set the default filtering rules.
  • Page 509 [SecPath] interface ethernet 0/0/1
    [SecPath-Ethernet0/0/1] ip address 2.2.2.2 255.255.0.0
    [SecPath] interface ethernet 1/0/1.1
    [SecPath-Ethernet1/0/1.1] vlan-type dot1q 100
    [SecPath-Ethernet1/0/1.1] ip address 1.2.2.1 255.255.255.252
    [SecPath] interface ethernet 1/0/1.2
    [SecPath-Ethernet1/0/1.2] vlan-type dot1q 110
    [SecPath-Ethernet1/0/1.2] ip address 1.2.2.2 255.255.255.252...
  • Page 510 [SecPath-ipsec-proposal-p100] esp encryption-algorithm 3des
    # Configure the IPSec policy template; apply the IKE peer and security proposal.
    [SecPath] ipsec policy-template p100 1
    [SecPath-ipsec-policy-templet-p100-1] ike-peer p100
    [SecPath-ipsec-policy-templet-p100-1] proposal p100
    # Apply the template to a security policy named "dialin_vpn".
  • Page 511: Complex Networking

    # Set user authentication mode and accounting mode.
    [SecPath] aaa
    [SecPath-aaa] authentication-scheme my_auth
    [SecPath-aaa-authen-my_auth] authentication-mode radius
    [SecPath-aaa] accounting-scheme my_acct
    [SecPath-aaa-accounting-my_acct] accounting-mode radius
    2.4.3 Complex Networking
    The SecPath F1800-A can serve as LAC and LNS at the same time, supporting multiple users calling in.
  • Page 512 if the following two commands are used to set the same parameter domain-name on the LNS (router) in the tunnel.
    Fault 2: PPP negotiation fails. The reasons may be: the user name and password are set incorrectly on the LAC side, or the users are not set on the LNS side.
  • Page 513: Chapter 3 Ipsec Configuration

    Operation Manual - VPN H3C SecPath F1800-A Firewall Chapter 3 IPSec Configuration
    Chapter 3 IPSec Configuration
    Note: This chapter explains the IPSec configurations of the SecPath F1800-A. Because here the SecPath F1800-A acts as a router, the terms and marks in this chapter are those of routers.
  • Page 514: Introduction To Ike Protocol

    AH mainly provides:
    Data source authentication
    Data integrity check
    Anti-replay
    However, it cannot encrypt the packet.
    ESP protocol
    ESP can encrypt the packet in addition to supporting the above functions that AH provides.
  • Page 515 Authenticate IDs
    Create IPSec SA
    II. IKE Security Mechanism
    Diffie-Hellman (DH) exchange and key distribution
    The DH algorithm is a public key algorithm. The two parties in communication can: exchange some data without transmitting the key.
  • Page 516 Negotiate a specific SA for IPSec.
    Create an IPSec SA. The IPSec SA is used for the final secure transmission of IP data. The relation between IKE and IPSec is shown in Figure 3-1.
  • Page 517: Ipsec Basic Concepts

    IV. IKE Negotiation Modes
    As defined in RFC 2409 (the Internet Key Exchange), IKE negotiation in the first stage can use two modes, that is, main mode and aggressive mode.
  • Page 518 An SA is unidirectional, so at least two SAs are needed to protect the data streams in both directions of a bi-directional communication. Moreover, if both AH and ESP are applied to protect a data stream between peers, separate SAs are still needed for AH and ESP respectively.
  • Page 519 In tunnel mode, AH or ESP is inserted before the original IP header but after the new header. The data encapsulation format for various protocols in the transmission mode and the...
  • Page 520: Nat Traversal Of Ipsec

    Generally, IPSec uses two types of encryption algorithm.
    DES: It encrypts 64-bit clear text via a 56-bit key.
    3DES: It encrypts clear text via three 56-bit keys (168-bit key in total).
    Of the two, DES with its 56-bit key is no longer considered secure; prefer 3DES.
  • Page 521 Through IPSec, data streams between peers (here, the router and its peer) can be protected by means of authentication, encryption or both. Data streams are differentiated based on ACLs.
  • Page 522 The working modes supported by the SecPath F1800-A are transport mode and tunnel mode. For a given data stream, the peers should be configured with the same protocol, algorithm and working mode. Moreover, if IPSec is applied between two security gateways (such as between SecPath F1800-A firewalls), tunnel mode is recommended so as to hide the real source and destination addresses.
  • Page 523: Ipsec On Encryption Card Hardware

    encryption algorithm, authentication algorithm and DH group). Strength varies from algorithm to algorithm. The stronger the algorithm, the harder it is to decrypt the protected data, but the more computing resources are consumed.
  • Page 524: Ipsec Configuration

    The host processes the data. The SecPath F1800-A offers a Plug and Play IPSec card. When the IPSec card is removed from the device or fails, data encryption and decryption are processed instantly by software.
  • Page 525 Selecting security protocol
    Selecting security algorithm
    Selecting packet encapsulation format
    Configuring IPSec policies
    Defining IPSec policy
    Quoting IPSec proposal to IPSec policy
    Quoting ACL to IPSec policy
    Configuring life duration for SA...
  • Page 526: Configuring Acl

    Setting the time interval for sending NAT update packets
    3.2.1 Configuring ACL
    I. ACL Functions
    Whether an IP packet is forwarded after IPSec processing or forwarded directly depends on whether it matches the ACL.
  • Page 527: Configuring Ipsec Proposal

    Local:
    [SecPath] acl number 3101
    [SecPath-acl-adv-3101] rule 1 permit ip source 173.1.1.1 0.255.255.255 destination 173.2.2.2 0.255.255.255
    Peer:
    [SecPath] acl number 3101
    [SecPath-acl-adv-3101] rule 1 permit ip source 173.2.2.2 0.255.255.255 destination 173.1.1.1 0.255.255.255...
  • Page 528 Data source authentication
    Data integrity authentication
    Anti-replay
    Data encryption
    The AH-ESP protocol offers both the functions of AH and ESP. Do as follows in IPSec proposal view.
    Table 3-3 Selecting security protocol...
  • Page 529 Operation Manual - VPN H3C SecPath F1800-A Firewall Chapter 3 IPSec Configuration Action Command Select an authentication algorithm esp authentication-algorithm { md5 | sha1 } for ESP. Remove authentication algorithm undo esp authentication-algorithm from ESP. Select an authentication algorithm ah authentication-algorithm { md5 | sha1 } for AH.
  • Page 530: Configuring Ipsec Policy

    In this case, tunnel encapsulation is performed on the IP packet, that is, a new IP header is added to the packet so that it can be decrypted on the other security gateway.
  • Page 531 I. Creating an IPSec Policy and Entering the IPSec Policy View. Using the following command, you can create or modify an IPSec policy. A negotiation mode (manual or isakmp) must be specified when you create an IPSec policy.
  • Page 532 Table 3-7 Setting ACL for IPSec policy. Set ACL for IPSec policy: security acl acl-number. Cancel ACL for IPSec policy: undo security acl. An IPSec policy can reference only one ACL. If more than one ACL is applied to an IPSec policy, the most recently applied one takes effect.
  • Page 533 IKE selects the shorter of the local life duration and the peer life duration. Do as follows in IPSec policy view. Table 3-9 Configuring life duration for SA...
  • Page 534 Table 3-11 Configuring SPI for SA. Configure SPI for SA: sa spi { inbound | outbound } { ah | esp } spi-number. Delete SPI of SA.
  • Page 535 VIII. Configuring IKE Peer for IPSec Policy (in IKE Negotiation Mode Only). Compared with manual mode, IKE negotiates parameters such as peers, SPI and shared keys automatically. Therefore, you only need to associate the IPSec policy with an IKE peer.
  • Page 536: Applying Ipsec Policy Group To Interface

    3.2.4 Applying IPSec Policy Group to Interface. This configuration task applies an IPSec policy group to an interface so as to protect the various data streams passing through the interface. If the applied IPSec policy creates an SA in manual mode, the SA is generated immediately.
  • Page 537 Traffic-based life duration. The SA becomes invalid when either life duration expires. Before the SA becomes invalid, IKE negotiates a new SA for IPSec. Do as follows in system view.
  • Page 538: Setting Local Id Used In Ike Negotiation

    Delete IPSec policy template: undo ipsec policy-template policy-template-name [ seq-number ]. Using the ipsec policy-template command, you can: enter the IPSec policy template view; set parameters for the policy template in this view.
  • Page 539: Specifying Attributes Of Ike Peer

    Table 3-19 Setting local ID used in IKE negotiation. Set local ID used in IKE exchange: ike local-name router-name. Delete the local ID: undo ike local-name. 3.2.7 Specifying Attributes of IKE Peer...
  • Page 540 Table 3-22 Configuring IKE proposal. Configure IKE proposal: ike-proposal proposal-number. Cancel the IKE proposal: undo ike-proposal. IV. Setting ID Type for IKE Peer. During IKE exchange, the peer ID can be the peer IP address or the peer name.
  • Page 541 VII. Assigning the Remote IP Address. Do as follows in IKE peer view. Table 3-26 Assigning the remote IP address. Assign the remote IP address or IP...
  • Page 542: Creating Ike Ipsec Proposal

    3.2.8 Creating IKE IPSec Proposal. IKE proposals define a set of attributes describing how IKE negotiation secures communication. IKE proposal configuration includes: creating an IKE proposal...
  • Page 543 The same DH group ID. The system provides a default IKE proposal with the lowest priority. The default proposal has: the default encryption algorithm; the default authentication algorithm...
  • Page 544 Table 3-31 Selecting authentication algorithm. Select authentication algorithm: authentication-algorithm { md5 | sha }. Restore the default authentication algorithm: undo authentication-algorithm. V. Selecting DH Group ID. This configuration task specifies a DH group ID for the IKE proposal.
  • Page 545: Other Configurations Of Ike

    3.2.9 Other Configurations of IKE. I. Setting Time Interval for Sending Keepalive Packets. Set the interval at which the ISAKMP SA sends keepalive packets to the peer. Do as follows in system view.
  • Page 546: Displaying And Debugging Ipsec

    Caution: These two parameters must be set together and must match each other. The interval and timeout parameters appear in pairs, that is, if timeout is set on one router, interval must be set on the peer router.
  • Page 547: Displaying And Debugging Ike

    Table 3-37 Displaying and debugging IPSec. View IPSec SA: display ipsec sa [ brief | remote ip-address | policy policy-name [ seq-number ] | duration ]...
  • Page 548: Resetting Ipsec Packet Statistics

    Debug IKE: debugging ike { error | exchange | message | misc | secp-setting } [ secp [ slot/card/port ] ]. Disable IKE debugging: undo debugging ike { error | exchange | ...
  • Page 549: Displaying And Resetting Ipsec Card

    Table 3-40 Deleting an SA. Delete an SA: reset ipsec sa [ remote ip-address | policy policy-name [ seq-number ] | parameters dest-address protocol spi ]...
  • Page 550: Typical Example For Configuring Ipsec

    Enable the IPSec card: undo shutdown. 3.4 Typical Example for Configuring IPSec. 3.4.1 Creating SA in Manual Mode. I. Networking Requirements. A security tunnel is created between Router A and Router B. Data stream security protection is set up between the subnet (10.1.1.x) represented by PC A and the subnet...
  • Page 551 [SecPath-ipsec-proposal-tran1] transform esp # Select algorithm. [SecPath-ipsec-proposal-tran1] esp encryption-algorithm des [SecPath-ipsec-proposal-tran1] esp authentication-algorithm sha1 # Return to system view. [SecPath-ipsec-proposal-tran1] quit # Create an IPSec policy with manual negotiation mode.
  • Page 552 [SecPath] access-list 3101 deny ip any destination any # Configure the static route to PC A. [SecPath] ip route-static 10.1.1.0 255.255.255.0 202.38.162.2 # Create the IPSec proposal by the name of tran1.
  • Page 553: Creating Sa In Isakmp Mode

    [SecPath-Ethernet1/0/0] ip address 202.38.162.1 255.255.255.0 # Apply the IPSec policy group on the Ethernet interface. [SecPath-Ethernet1/0/0] ipsec policy use1 After the above configuration, the security tunnel between SecPath A and SecPath B is created.
  • Page 554 # Enter IKE peer view. [SecPath] ike peer a # Assign an IP address for the IKE peer. [SecPath-ike-peer-a] pre-shared-key abcde [SecPath-ike-peer-a] remote-address 202.38.162.1 # Return to system view.
  • Page 555 # Packet encapsulation mode is tunnel mode. [SecPath-ipsec-proposal-tran1] encapsulation-mode tunnel # Security protocol is ESP. [SecPath-ipsec-proposal-tran1] transform esp # Select algorithm. [SecPath-ipsec-proposal-tran1] esp encryption-algorithm des [SecPath-ipsec-proposal-tran1] esp authentication-algorithm sha1 # Return to system view.
  • Page 556: Typical Example For Configuring Ike

    After the above configuration, when a packet is transmitted between subnet 10.1.1.x and subnet 10.1.2.x behind SecPath A and SecPath B, IKE negotiation is triggered to create the SA.
  • Page 557 # Use the pre-shared key authentication method. [SecPath-ike-proposal-10] authentication-method pre-share # Set the life duration of the ISAKMP SA to 5000 seconds. [SecPath-ike-proposal-10] sa duration 5000 Do as follows on security gateway B (on gateway B, the default IKE proposal is used and the peer authenticator is configured).
  • Page 558 [SecPath-ipsec-proposal-prop1] transform esp # Select an algorithm. [SecPath-ipsec-proposal-prop1] esp encryption-algorithm des [SecPath-ipsec-proposal-prop1] esp authentication-algorithm sha1 # Return to system view. [SecPath-ipsec-proposal-prop1] quit # Create an IPSec policy in ISAKMP negotiation mode.
  • Page 559: Ike Troubleshooting

    [SecPath-ipsec-proposal-tran1] encapsulation-mode tunnel # Security protocol is ESP. [SecPath-ipsec-proposal-tran1] transform esp # Select an algorithm. [SecPath-ipsec-proposal-tran1] esp encryption-algorithm des [SecPath-ipsec-proposal-tran1] esp authentication-algorithm sha1 # Return to system view.
  • Page 560 Fault 1: Invalid user ID information. Troubleshooting: The user ID is the data that users initiating IPSec communication use to identify themselves. In practice, you can protect data streams by creating different security channels based on the user ID.
  • Page 561 Solution: Use the display ike sa command to check whether both parties have created the stage 1 SA. If the stage 1 SA is not created successfully, check the following on both parties of the IPSec communication.
  • Page 562 Operation Manual - Reliability H3C SecPath F1800-A Firewall Table of Contents: Chapter 1 Route Redundancy Backup, 8-1; 1.1 VRRP Overview, 8-1; 1.1.1 Stand-alone Default Route, 8-1; 1.1.2 Introduction to VRRP, 8-1; 1.2 Route Redundancy Backup on the SecPath F1800-A, 8-3; 1.2.1 Disadvantages of Traditional VRRP on SecPath F1800-A Backup...
  • Page 563 Chapter 2 Dual-System Hot Backup, 8-39; 2.1 Dual-System Hot Backup Overview, 8-39; 2.1.1 Introduction to HRP, 8-39; 2.1.2 Relation Between VRRP Backup Group, Management Group and HRP, 8-41; 2.1.3 Dual-system Hot Backup in Composite Mode...
  • Page 564: Chapter 1 Route Redundancy Backup

    Operation Manual - Reliability H3C SecPath F1800-A Firewall Chapter 1 Route Redundancy Backup Chapter 1 Route Redundancy Backup 1.1 VRRP Overview 1.1.1 Stand-alone Default Route Usually, each host on an internal network is configured with a default route to the next hop, which is the IP address of the egress router;...
  • Page 565 and are ready to take over the task at any time based on priority; these inactive devices are called Backups. Figure 1-2 shows a backup group composed of three routers.
  • Page 566: Route Redundancy Backup On The Secpath F1800-A

    As a result, VRRP keeps communication uninterrupted and reliable. 1.2 Route Redundancy Backup on the SecPath F1800-A. In current network applications, users demand higher network reliability.
  • Page 567 [Figure residue: SecPath A (Master) and SecPath B (Backup); backup group1, backup group2 and backup group3 with their virtual IP addresses (10.100.10.1 and 202.38.10.1 shown); Trust zone 10.100.10.0/24, Untrust zone, DMZ zone, 10.100.20.0/24...]
  • Page 568: Vgmp Overview

    When a host in the Trust zone accesses a PC in the Untrust zone, a packet is sent from the Trust zone to the Untrust zone along the path (1)-(2)-(3)-(4), as shown in Figure 1-4.
  • Page 569 backup group in it. As a result, VRRP backup groups can communicate with each other. Based on backup requirements, a backup group can be added to the VRRP management group.
  • Page 570 not agree to switch the master or backup VRRP state, the SecPath F1800-A firewalls in this backup group cannot perform the switch. In traditional VRRP, each VRRP state is independent, but state consistency management makes this impossible.
  • Page 571 Moreover, you can configure whether the data channel state affects the state of each VRRP in the VRRP management group. Figure 1-6 shows the relation between service channels and data channels.
  • Page 572 The relation between VRRP management group and backup group is shown in Figure 1-7. [Figure residue: Management group1, SecPath A (Master), Backup group1, Trust zone, Untrust zone, DMZ zone...]
  • Page 573: Backup Mode Classification

    group3. Similarly, interfaces B1, B2 and B3 on SecPath B belong to backup groups 1, 2 and 3 respectively. Relation between VRRP management groups on two firewalls: the management group numbers as well as their components on the two firewalls must be completely the same.
  • Page 574 [Figure residue: SecPath A (Master), Backup group1, Backup group2, Backup group3, Trust zone, Untrust zone, DMZ zone, SecPath B (Backup); actual connection.] A1, A2 and A3 are interfaces of SecPath A...
  • Page 575 Load balancing is also called mutual backup. Each SecPath F1800-A is configured with VRRP management groups for which different group numbers and different priorities are set, as shown in Figure 1-9.
  • Page 576 Table 1-2 Device state in load balancing mode. Columns: Firewall; Management group1 (Component, Priority, State, Transferred session); Management group2 (Component, Priority, State, Transferred session)...
  • Page 577 [Figure residue: SecPath A (Master / Backup) with Backup group1, Backup group2, Backup group3; SecPath B (Backup / Master) with Backup group5, Backup group6; Trust zone, Untrust zone, DMZ zone...]
  • Page 578: Routing Redundancy Backup In Composite Mode

    The backup firewall in VRRP management group1; the master firewall in VRRP management group2. 1.2.4 Routing Redundancy Backup in Composite Mode. Routing redundancy backup on the SecPath F1800-A can work in composite mode as well as in routing mode.
  • Page 579: Assigning Virtual Ip Address To Backup Group

    VRRP backup group configuration in composite mode is the same as that in routing mode, so it is not described in detail here. 1.3.1 Assigning Virtual IP Address to Backup Group. A virtual IP address must be assigned to a backup group whether or not it is added to a VRRP management group.
  • Page 580: Setting Priority For The Backup Group

    Note: If the virtual IP address is the same as the actual IP address of an interface, that interface is called the IP Address Owner. Therefore, if the...
  • Page 581: Setting Preemption Mode And Delay Time For Backup Group

    Note: The priority of the IP Address Owner is fixed at 255. Make sure that the priorities of backup groups that join the VRRP management group are higher than those of backup groups that do not.
  • Page 582: Configuring Authentication Mode And Authentication Key For Backup Groups

    1.3.4 Configuring Authentication Mode and Authentication Key for Backup Groups. An authentication mode and authentication key are necessary for a backup group whether or not it joins a VRRP management group.
  • Page 583: Setting Vrrp Timer For Backup Groups

    Note: The same authentication mode and authentication key must be configured for backup groups that are connected to the same interface. 1.3.5 Setting VRRP Timer for Backup Groups. The VRRP timer must be configured for a backup group whether or not it is added to a VRRP management group.
  • Page 584: Detecting Ttl Of Vrrp Packets

    Backup can take effect when the interface in the backup group fails, or when faults occur on other interfaces of the SecPath F1800-A. The following compares the role of a backup group that monitors an interface with its role after it joins a VRRP management group.
  • Page 585: Vrrp Management Group Configuration

    Table 1-9 Detecting TTL of VRRP packets. Disable TTL detection of VRRP packets: vrrp un-check ttl. Detect the TTL value of VRRP packets: undo vrrp un-check ttl. 1.4 VRRP Management Group Configuration...
  • Page 586: Enabling The Vrrp Management Group

    If two SecPath F1800-A firewalls are in master or backup mode, one VRRP management group is necessary for each firewall; if they are in load balancing mode, you should configure at least two VRRP management groups for each firewall.
  • Page 587: Setting Priority For The Vrrp Management Group

    Delete a backup group from the VRRP management group: undo interface interface-type interface-number vrrp vrid virtual-router-ID. 1.4.4 Setting Priority for the VRRP Management Group. Multiple management groups are configured on the master and backup firewalls respectively.
  • Page 588 When interface 1 and interface 2 remain in Down state, the priority of the VRRP management group is still 92. This is due to the transfer-only interface attribute.
  • Page 589: Enabling Preemption Of The Vrrp Management Group

    Restore the added value to the default: undo vrrp-group priority plus. Note: The command that calculates the priority of the VRRP management group based on the VRRP priority applies only to the master device.
  • Page 590: Configuring Packet Group Transmit Flag

    Thus, the master and the backup firewalls can communicate with each other. Do as follows in VRRP management group view. Table 1-15 Setting the interval at which Hello messages are sent...
  • Page 591: Associating Vlan With Vgmp Group Number (In Composite Mode)

    The response ratio of management group packets. Do as follows in VRRP management group view. Table 1-16 Configuring packet group transmit flag. Configure packet group transmit flag.
  • Page 592: Displaying And Debugging Route Redundancy Backup

    Note: When the SecPath F1800-A and routers set up the network and serve as routing redundancy backup in composite mode, you can configure the SecPath F1800-A to permit backup forwarding.
  • Page 593 stably, two SecPath F1800-A firewalls are used in master or backup mode. SecPath A acts as the master firewall; SecPath B acts as the backup firewall. The protected network is in the Trust zone, whose IP address is 10.100.10.0/24;...
  • Page 594 Configuring SecPath A # Configure VRRP backup group1 on Ethernet 1/0/0; assign a virtual IP address to the backup group. [SecPath] interface ethernet 1/0/0 [SecPath-Ethernet1/0/0] vrrp vrid 1 virtual-ip 10.100.10.1 [SecPath-Ethernet1/0/0] quit # Configure VRRP backup group2 on Ethernet 2/0/0;...
  • Page 595: Networking Of Vrrp Management Group In Load Balancing Mode

    1.6.2 Networking of VRRP Management Group in Load Balancing Mode. I. Networking Requirement. The networking requirement here is almost the same as that in 1.6.1 "Networking of VRRP Management Group in Master/Backup Mode"...
  • Page 596 [SecPath-Ethernet1/0/0] vrrp vrid 4 virtual-ip 10.100.10.101 [SecPath-Ethernet1/0/0] quit # Configure VRRP backup groups 2 and 5 on Ethernet 2/0/0; assign a virtual IP address to each backup group.
  • Page 597: Using Master/Backup Networking In Vrrp Management Groups In Composite Mode

    Configuring SecPath B. The configuration on SecPath B is almost identical to that on SecPath A except for the priority configuration of the VRRP management groups. The priority of VRRP management group1 uses the default value and that of VRRP management group2 is set to 105.
  • Page 598 [SecPath] vlan 2 [SecPath-vlan-2] set vgmp 16 # Configure the Ethernet interface; add it to the trust zone. [SecPath-interface-Ethernet1/0/2] ip address 3.3.3.1 255.0.0.0 [SecPath-interface-Ethernet1/0/2] vrrp vrid 16 virtual-ip 3.3.3.10...
  • Page 599: Using Master/Backup Networking In Vrrp Management Groups In Composite Mode

    1.6.4 Using Master/Backup Networking in VRRP Management Groups in Composite Mode. I. Networking Requirement. Without changing the current network topology, deploy two SecPath F1800-A firewalls at the egress of the network that is connected with both the internal network and the external network.
  • Page 600: Vrrp Troubleshooting

    1.7 VRRP Troubleshooting. When troubleshooting VRRP management groups, you can use the debugging vrrp-group command to debug the VRRP management group and locate system faults and their causes.
  • Page 601 Fault 4: On a network configured in load balancing mode, load balancing is invalid when a SecPath F1800-A breaks down. Troubleshooting: Do as follows. Check whether the firewall is configured with two VRRP management groups.
  • Page 602: Chapter 2 Dual-System Hot Backup

    Operation Manual - Reliability H3C SecPath F1800-A Firewall Chapter 2 Dual-System Hot Backup Chapter 2 Dual-System Hot Backup 2.1 Dual-System Hot Backup Overview 2.1.1 Introduction to HRP I. HRP Application The SecPath F1800-A is a stateful firewall; there is a session entry for each dynamic...
  • Page 603 Backup configuration commands; session entries; user registration information. Huawei Redundancy Protocol (HRP) is developed for this purpose. HRP is transmitted over VGMP packets on data channels in the VRRP management group.
  • Page 604: Relation Between Vrrp Backup Group, Management Group And Hrp

    Note: Master and slave configuration firewalls apply to load balancing mode rather than master/backup mode. III. Configuration Command and State Information Backup. So far, dual-system hot backup of the SecPath F1800-A supports:...
  • Page 605: Dual-System Hot Backup In Composite Mode

    [Figure 2-2 Hierarchical protocol relation between VRRP backup group, management group and HRP: HRP module / HRP packet; VRRP management group / VGMP packet; VRRP backup group.] When the state of the VRRP management group changes, the system notifies HRP and the master or slave configuration devices to change their states.
  • Page 606: Enabling Dual-System Hot Backup

    Note: In order to update backup configuration commands and session state information in time when the state of the SecPath F1800-A changes, you need to configure dual-system hot backup after configuring the VRRP management group.
  • Page 607: Enabling Automatic Backup

    as in the VRRP backup group; in this way, the backup firewall can smoothly take over the work. You can back up commands automatically or manually only after this function is enabled;...
  • Page 608 I. Backup of Configuration Command. In automatic batch backup, the master configuration device backs up all configuration commands to the slave configuration device: when the slave configuration device replaces the master configuration device...
  • Page 609: Enabling Manual Batch Backup

    Table 2-2 Enabling automatic backup. Enable automatic backup: hrp auto-sync [ config | connection-status ]. Disable automatic backup: undo auto-sync [ config | connection-status ]. Note: The hrp auto-sync command can be used on the master configuration device only.
  • Page 610: Configuring The Channel Interface Of Backup Session Table

    Disable manual batch backup: undo sync [ config | connection-status ]. Note: Manual batch backup is independent of automatic real-time backup. In this backup mode the undo and reset commands cannot be backed up.
  • Page 611: Typical Example Of Dual-System Hot Backup Networking

    2.4 Typical Example of Dual-system Hot Backup Networking. 2.4.1 Typical Networking of Dual-system Hot Backup in Routing Mode. I. Networking Requirement. The networking requirement here is similar to that in 1.6.1...
  • Page 612: Dual-System Hot Backup Troubleshooting

    II. Networking Diagram. [Figure 2-3 Networking diagram of dual-system hot backup in composite mode: SecPath A and SecPath B, each with Eth1/0/0, Eth1/0/1 and Eth1/0/2; addresses 192.168.1.3 and 192.168.1.4.] III. Configuration Procedure...
  • Page 613 If the HRP state on the master firewall is HRP_STATE_UNKNOWN and the VRRP state is INITIALIZE, the state of the VRRP management group is wrong. Use the display vrrp-group command to view and enable the VRRP management group.
  • Page 614 Operation Manual - Abbreviations H3C SecPath F1800-A Firewall Table of Contents: Appendix A Abbreviations, A-1...
  • Page 615 Operation Manual - Abbreviations H3C SecPath F1800-A Firewall Appendix A Abbreviations Appendix A Abbreviations Authentication, Authorization and Accounting Access Control List Assured-forwarding Authentication Header Application Level Gateway ANSI American National Standards Institute Address Resolution Protocol Autonomous System ASPF Application Specific Packet Filter...
  • Page 616 CPE-based VPN Custom Provide Equipment VPN Custom Queueing Cyclic Redundancy Check CSMA/CD Carrier Sense Multiple Access/Collision Detect Channel Service Unit Data Carrier Detection Data Circuit-terminating Equipment Dial Control Center...
  • Page 617 Encapsulating Security Payload Fast Connect Modem Fast Ethernet Forwarding Equivalence Class FIFO First In, First Out Queueing File Transfer Protocol Gigabit Ethernet Generic Routing Encapsulation Gateway-Switch Generic Traffic Shaping...
  • Page 618 IPSec IP Security ISAKMP Internet Security Association & Key Management Protocol Inter-Switch Link the International Organization for Standardization Internet Service Provider International Telecommunication Union Telecommunications ITU-T Standardization Sector Layer Two Forwarding Protocol...
  • Page 619 NBMA Non Broadcast MultiAccess NetBIOS over TCP NETs Network Entity Titles Network Information Center Network Management Station Network-to-Network Interface NNTP Network News Transfer Protocol NPDU Network Protocol Data Unit...
  • Page 620 RADIUS Remote Authentication Dial In User Service Registration, Admission, and Status Request For Comments Routing Information Protocol RMON Remote MONitor Rivest, Shamir and Adleman RSVP Resource Reservation Protocol RTCP...
  • Page 621 VLAN Virtual Local Area Network VoIP Voice over IP VPDN Virtual Private Dialup Network VPLS Virtual Private LAN Segment Virtual Private Network VPRN Virtual Private Routing Network Versatile Routing Platform...
  • Page 622 Operation Manual H3C SecPath F1800-A Firewall Index: setting system clock, 1-45; viewing system status information, 1-46; AAA configuration introduction, the, 6-86; BGP/MBGP configuration introduction, the, 5-81; configuring AAA, 6-91; BGP configuration, 5-85; configuring domain, 6-107; example, 5-110; configuring HWTACACS, 6-103...
  • Page 623 configuring the SecPath through Console interface, 1-12; completing ping between a device and SecPath, 1-15; FTP configuration introduction, the, 2-28; firewalls introduction, the, 1-5; status of the firewall, 1-5; three generations firewalls, the, 1-5...
  • Page 624 troubleshooting, 7-79; example, 6-78; maintaining, 6-78; network security: common security threats on the Internet, 1-1; L2TP configuration introduction, the, 7-7; network security, 1-1; configuring, 7-15; network security example, 7-25; security services types, 1-2...
  • Page 625 PPPoE configuration introduction, the, 4-22; configuring telnet service, 1-62; configuring PPPoE client, 4-24; TFTP configuration introduction, the, 2-34; configuring PPPoE server, 4-23; configuring, 2-35; example, 4-27; translating a readable message to an unreadable...
  • Page 626 maintaining, 4-6; working process, 1-73, 1-74, 1-78; VPN classification introduction, the, 7-5; VPN introduction, the, 7-1; VPN primary technology introduction, the, 7-2; XModem protocol configuration introduction, the; VRRP configuration introduction, the, 8-1; configuring, 2-37...