Quidway S2300 Series Ethernet Switches
V100R006C00

Configuration Guide - Security

Issue 01
Date 2011-05-20

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

The Huawei logo and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: [email protected]

Issue 01 (2011-05-20). Huawei Proprietary and Confidential. Copyright © Huawei Technologies Co., Ltd.


About This Document

Intended Audience

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the security features supported by the S2300.

This document describes how to configure the security features.

This document is intended for:

- Data configuration engineers
- Commissioning engineers
- Network monitoring engineers
- System maintenance engineers

Symbol Conventions

The symbols that may be found in this document are defined as follows.

Symbol: Description
DANGER: Indicates a hazard with a high level of risk which, if not avoided, will result in death or serious injury.
WARNING: Indicates a hazard with a medium or low level of risk which, if not avoided, could result in minor or moderate injury.
CAUTION: Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
TIP: Indicates a tip that may help you solve a problem or save time.
NOTE: Provides additional information to emphasize or supplement important points of the main text.


Command Conventions

The command conventions that may be found in this document are defined as follows.

Convention: Description
Boldface: The keywords of a command line are in boldface.
Italic: Command arguments are in italics.
[ ]: Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }: Alternative items are grouped in braces and separated by vertical bars. Exactly one item must be selected.
[ x | y | ... ]: Optional items are grouped in brackets and separated by vertical bars. One item or no item is selected.
{ x | y | ... }*: Alternative items are grouped in braces and separated by vertical bars. A minimum of one item and a maximum of all items can be selected.
[ x | y | ... ]*: Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>: The parameter before the & sign can be repeated 1 to n times.
#: A line starting with the # sign is a comment.

Change History

Changes between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.

Changes in Issue 01 (2011-05-20)

Initial commercial release.


Contents

About This Document

1 AAA and User Management Configuration
  1.1 Introduction to AAA and User Management
  1.2 AAA and User Management Features Supported by the S2300
  1.3 Configuring AAA Schemes
    1.3.1 Establishing the Configuration Task
    1.3.2 Configuring an Authentication Scheme
    1.3.3 Configuring an Authorization Scheme
    1.3.4 Configuring an Accounting Scheme
    1.3.5 (Optional) Configuring a Recording Scheme
    1.3.6 Checking the Configuration
  1.4 Configuring a RADIUS Server Template
    1.4.1 Establishing the Configuration Task
    1.4.2 Creating a RADIUS Server Template
    1.4.3 Configuring a RADIUS Authentication Server
    1.4.4 Configuring the RADIUS Accounting Server
    1.4.5 Configuring a RADIUS Authorization Server
    1.4.6 (Optional) Setting a Shared Key for a RADIUS Server
    1.4.7 (Optional) Setting the User Name Format Supported by a RADIUS Server
    1.4.8 (Optional) Setting the Traffic Unit for a RADIUS Server
    1.4.9 (Optional) Setting Retransmission Parameters on a RADIUS Server
    1.4.10 (Optional) Setting the NAS Port Format of a RADIUS Server
    1.4.11 Checking the Configuration
  1.5 Configuring an HWTACACS Server Template
    1.5.1 Establishing the Configuration Task
    1.5.2 Creating an HWTACACS Server Template
    1.5.3 Configuring an HWTACACS Authentication Server
    1.5.4 Configuring an HWTACACS Authorization Server
    1.5.5 Configuring the HWTACACS Accounting Server
    1.5.6 (Optional) Configuring the Source IP Address of HWTACACS Packets
    1.5.7 (Optional) Setting the Shared Key of an HWTACACS Server
    1.5.8 (Optional) Setting the User Name Format for an HWTACACS Server
    1.5.9 (Optional) Setting the Traffic Unit for an HWTACACS Server

    1.5.10 (Optional) Setting HWTACACS Timers
    1.5.11 (Optional) Configuring Retransmission of Accounting-Stop Packets
    1.5.12 Checking the Configuration
  1.6 Configuring a Service Scheme
    1.6.1 Establishing the Configuration Task
    1.6.2 Creating a Service Scheme
    1.6.3 Setting the Administrator Level
    1.6.4 Configuring a DHCP Server Group
    1.6.5 Configuring an Address Pool
    1.6.6 Configuring Primary and Secondary DNS Servers
    1.6.7 Checking the Configuration
  1.7 Configuring a Domain
    1.7.1 Establishing the Configuration Task
    1.7.2 Creating a Domain
    1.7.3 Configuring Authentication, Authorization, and Accounting Schemes for a Domain
    1.7.4 Configuring a RADIUS Server Template for a Domain
    1.7.5 Configuring an HWTACACS Server Template for a Domain
    1.7.6 (Optional) Configuring a Service Scheme for a Domain
    1.7.7 (Optional) Setting the Status of a Domain
    1.7.8 (Optional) Configuring the Domain Name Delimiter
    1.7.9 Checking the Configuration
  1.8 Configuring Local User Management
    1.8.1 Establishing the Configuration Task
    1.8.2 Creating a Local User
    1.8.3 (Optional) Setting the Access Type of the Local User
    1.8.4 (Optional) Configuring the FTP Directory That a Local User Can Access
    1.8.5 (Optional) Setting the Status of a Local User
    1.8.6 (Optional) Setting the Level of a Local User
    1.8.7 (Optional) Setting the Access Limit for a Local User
    1.8.8 Checking the Configuration
  1.9 Maintaining AAA and User Management
    1.9.1 Clearing the Statistics
    1.9.2 Monitoring the Running Status of AAA
    1.9.3 Debugging
  1.10 Configuration Examples
    1.10.1 Example for Configuring RADIUS Authentication and Accounting
    1.10.2 Example for Configuring HWTACACS Authentication, Accounting, and Authorization

2 NAC Configuration
  2.1 Introduction to NAC
    2.1.1 802.1x Authentication
    2.1.2 MAC Address Authentication
    2.1.3 MAC Address Bypass Authentication

  2.2 NAC Features Supported by the S2300
  2.3 Configuring 802.1x Authentication
    2.3.1 Establishing the Configuration Task
    2.3.2 Enabling Global 802.1x Authentication
    2.3.3 Enabling 802.1x Authentication on an Interface
    2.3.4 (Optional) Enabling MAC Bypass Authentication
    2.3.5 Setting the Authentication Method for the 802.1x User
    2.3.6 (Optional) Configuring the Interface Access Mode
    2.3.7 (Optional) Configuring the Authorization Status of an Interface
    2.3.8 (Optional) Setting the Maximum Number of Concurrent Access Users
    2.3.9 (Optional) Enabling DHCP Packets to Trigger Authentication
    2.3.10 (Optional) Configuring 802.1x Timers
    2.3.11 (Optional) Configuring the Quiet Timer Function
    2.3.12 (Optional) Configuring 802.1x Re-authentication
    2.3.13 (Optional) Configuring the Guest VLAN for 802.1x Authentication
    2.3.14 (Optional) Enabling the S2300 to Send Handshake Packets to Online Users
    2.3.15 (Optional) Setting the Retransmission Count of the Authentication Request
    2.3.16 Checking the Configuration
  2.4 Configuring MAC Address Authentication
    2.4.1 Establishing the Configuration Task
    2.4.2 Enabling Global MAC Address Authentication
    2.4.3 Enabling MAC Address Authentication on an Interface
    2.4.4 Configuring a User Name for MAC Address Authentication
    2.4.5 (Optional) Configuring the Domain for MAC Address Authentication
    2.4.6 (Optional) Setting the Timers of MAC Address Authentication
    2.4.7 (Optional) Configuring the Guest VLAN for MAC Address Authentication
    2.4.8 (Optional) Setting the Maximum Number of Access Users Who Adopt MAC Address Authentication
    2.4.9 (Optional) Re-Authenticating a User with the Specified MAC Address
    2.4.10 Checking the Configuration
  2.5 Maintaining NAC
    2.5.1 Clearing the Statistics About 802.1x Authentication
    2.5.2 Clearing the Statistics About MAC Address Authentication
  2.6 Configuration Examples
    2.6.1 Example for Configuring the RADIUS Server to Deliver an Authorization ACL

3 DHCP Snooping Configuration
  3.1 Introduction to DHCP Snooping
  3.2 DHCP Snooping Features Supported by the S2300
  3.3 Preventing the Bogus DHCP Server Attack
    3.3.1 Establishing the Configuration Task
    3.3.2 Enabling DHCP Snooping
    3.3.3 Configuring an Interface as a Trusted Interface

    3.3.4 (Optional) Enabling Detection of Bogus DHCP Servers
    3.3.5 Checking the Configuration
  3.4 Preventing the DoS Attack by Changing the CHADDR Field
    3.4.1 Establishing the Configuration Task
    3.4.2 Enabling DHCP Snooping
    3.4.3 Checking the CHADDR Field in DHCP Request Messages
    3.4.4 Checking the Configuration
  3.5 Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases
    3.5.1 Establishing the Configuration Task
    3.5.2 Enabling DHCP Snooping
    3.5.3 Enabling Checking of DHCP Request Messages
    3.5.4 (Optional) Configuring the Option 82 Function
    3.5.5 (Optional) Setting the Format of the Option 82 Field
    3.5.6 (Optional) Appending the Option 18 Field or the Option 37 Field to DHCPv6 Request Messages
    3.5.7 Checking the Configuration
  3.6 Setting the Maximum Number of DHCP Snooping Users
    3.6.1 Establishing the Configuration Task
    3.6.2 Enabling DHCP Snooping
    3.6.3 Setting the Maximum Number of DHCP Snooping Users
    3.6.4 (Optional) Configuring MAC Address Security on an Interface
    3.6.5 Checking the Configuration
  3.7 Limiting the Rate of Sending DHCP Messages
    3.7.1 Establishing the Configuration Task
    3.7.2 Enabling DHCP Snooping
    3.7.3 Setting the Maximum Rate of Sending DHCP Messages
    3.7.4 Checking the Configuration
  3.8 Configuring the Packet Discarding Alarm Function
    3.8.1 Establishing the Configuration Task
    3.8.2 Enabling DHCP Snooping
    3.8.3 Configuring the Packet Discarding Alarm Function
    3.8.4 Checking the Configuration
  3.9 Maintaining DHCP Snooping
    3.9.1 Clearing DHCP Snooping Statistics
    3.9.2 Resetting the DHCP Snooping Binding Table
  3.10 Configuration Examples
    3.10.1 Example for Preventing Bogus DHCP Server Attacks
    3.10.2 Example for Preventing DoS Attacks by Changing the CHADDR Field
    3.10.3 Example for Preventing Attackers from Sending Bogus DHCP Messages for Extending IP Address Leases
    3.10.4 Example for Limiting the Rate of Sending DHCP Messages
    3.10.5 Example for Applying DHCP Snooping on a Layer 2 Network

4 Source IP Attack Defense Configuration

Page 11: Configuration Guide - Security(V100R006C00_01)

4.1 Overview of IP Source Guard.........................................................................................................................4-24.2 IP Source Guard Features Supported by the S2300........................................................................................4-24.3 Configuring IP Source Guard..........................................................................................................................4-3

4.3.1 Establishing the Configuration Task......................................................................................................4-34.3.2 (Optional) Configuring a Static User Binding Entry............................................................................. 4-44.3.3 Enabling IP Source Guard......................................................................................................................4-54.3.4 Configuring the Check Items of IP Packets...........................................................................................4-54.3.5 (Optional) Configuring the Alarm Function of IP Source Guard.......................................................... 4-64.3.6 (Optional) Configuring the Function of Discarding IP Packets with the Same Source and Destination IPAddresses........................................................................................................................................................ 4-74.3.7 Checking the Configuration...................................................................................................................4-7

4.4 Configuration Examples..................................................................................................................................4-74.4.1 Example for Configuring IP Source Guard............................................................................................4-8

5 Local Attack Defense Configuration......................................................................................5-15.1 Configuring the Attack Defense Policy.......................................................................................................... 5-2

5.1.1 Establishing the Configuration Task......................................................................................................5-25.1.2 (Optional) Configuring the Rule for Sending Packets to the CPU........................................................ 5-2

6 PPPoE+ Configuration..............................................................................................................6-16.1 PPPoE+ Overview...........................................................................................................................................6-26.2 PPPoE+ Features Supported by the S2300..................................................................................................... 6-26.3 Configuring PPPoE+.......................................................................................................................................6-2

6.3.1 Establishing the Configuration Task......................................................................................................6-26.3.2 Enabling PPPoE+ Globally....................................................................................................................6-36.3.3 Configuring the Format and Contents of Fields to Be Added To PPPoE Packets.................................6-36.3.4 Configuring the Action for Processing Original Fields in PPPoE Packets............................................6-46.3.5 Configuring the PPPoE Trusted Interface..............................................................................................6-46.3.6 Checking the Configuration...................................................................................................................6-5

6.4 Configuration Examples..................................................................................................................................6-56.4.1 Example for Configuring PPPoE+.........................................................................................................6-5

7 MFF Configuration......7-1
7.1 MFF Overview......7-2
7.2 MFF Features Supported by the S2300......7-3
7.3 Configuring MFF......7-4

7.3.1 Establishing the Configuration Task......7-4
7.3.2 Enabling Global MFF......7-5
7.3.3 Configuring the MFF Network Interface......7-5
7.3.4 Enabling MFF in a VLAN......7-6
7.3.5 (Optional) Configuring the Static Gateway Address......7-6
7.3.6 (Optional) Enabling Timed Gateway Address Detection......7-7
7.3.7 (Optional) Setting the Server Address......7-7
7.3.8 (Optional) Transparently Transmitting User Status Detection Packets......7-7
7.3.9 (Optional) Discarding IPv6 Packets Sent from Users......7-8


7.3.10 Checking the Configuration......7-8
7.4 Configuration Examples......7-9

7.4.1 Example for Configuring MFF..............................................................................................................7-9

8 Traffic Suppression Configuration......8-1
8.1 Introduction to Traffic Suppression......8-2
8.2 Traffic Suppression Features Supported by the S2300......8-2
8.3 Configuring Traffic Suppression......8-2

8.3.1 Establishing the Configuration Task......8-2
8.3.2 Configuring Traffic Suppression on an Interface......8-3
8.3.3 Checking the Configuration......8-3

8.4 Configuration Examples......8-4
8.4.1 Example for Configuring Traffic Suppression......8-4

9 ACL Configuration......9-1
9.1 Introduction to the ACL......9-2
9.2 Classification of ACLs Supported by the S2300......9-2
9.3 Configuring an ACL......9-3

9.3.1 Establishing the Configuration Task......9-4
9.3.2 Creating an ACL......9-4
9.3.3 (Optional) Setting the Time Range When an ACL Takes Effect......9-5
9.3.4 (Optional) Configuring the Description of an ACL......9-6
9.3.5 Configuring a Basic ACL......9-6
9.3.6 Configuring an Advanced ACL......9-7
9.3.7 Configuring a Layer 2 ACL......9-8
9.3.8 (Optional) Setting the Step Between ACL Rules......9-8
9.3.9 Checking the Configuration......9-9

9.4 Configuring ACL6......9-10
9.4.1 Establishing the Configuration Task......9-10
9.4.2 Creating an ACL6......9-11
9.4.3 (Optional) Creating the Time Range of the ACL6......9-12
9.4.4 Configuring a Basic ACL6......9-12
9.4.5 Configuring an Advanced ACL6......9-13
9.4.6 Checking the Configuration......9-14

9.5 Configuration Examples......9-15
9.5.1 Example for Configuring a Basic ACL......9-15
9.5.2 Example for Configuring an Advanced ACL......9-17
9.5.3 Example for Configuring a Layer 2 ACL......9-21
9.5.4 Example for Configuring an ACL6 to Control FTP User Access......9-24

10 ND Snooping Configuration......10-1
10.1 ND Snooping Overview......10-2
10.2 ND Snooping Features Supported by the S2300......10-2
10.3 Configuring ND Snooping......10-3


10.3.1 Establishing the Configuration Task......10-3
10.3.2 Enabling ND Snooping......10-4
10.3.3 Configuring an Interface as the Trusted Interface......10-5
10.3.4 (Optional) Configuring the Aging Function of the ND Dynamic Binding Table......10-6
10.3.5 Checking the Configuration......10-7

10.4 Maintaining ND Snooping......10-8
10.4.1 Clearing the Prefix Management Table......10-8
10.4.2 Resetting the ND Dynamic Binding Table......10-9

10.5 Configuration Examples......10-9
10.5.1 Example for Configuring ND Snooping on a Layer 2 Network......10-9


Figures

Figure 1-1 Networking diagram of RADIUS authentication and accounting......1-42
Figure 1-2 Networking diagram of HWTACACS authentication, accounting, and authorization......1-45
Figure 2-1 Typical networking of NAC......2-2
Figure 2-2 Networking diagram for configuring 802.1x authentication......2-26
Figure 3-1 Networking diagram for applying DHCP snooping on the S2300 on a Layer 2 network......3-4
Figure 3-2 Networking diagram for preventing bogus DHCP server attacks......3-34
Figure 3-3 Networking diagram for preventing DoS attacks by changing the CHADDR field......3-37
Figure 3-4 Networking diagram for preventing attackers from sending bogus DHCP messages for extending IP address leases......3-39
Figure 3-5 Networking diagram for limiting the rate of sending DHCP messages......3-42
Figure 3-6 Networking diagram for configuring DHCP snooping......3-45
Figure 4-1 Diagram of IP/MAC spoofing attack......4-2
Figure 4-2 Networking diagram for configuring IP source guard......4-8
Figure 6-1 Networking diagram for configuring PPPoE+......6-6
Figure 7-1 Networking diagram for configuring MFF......7-10
Figure 8-1 Networking diagram for configuring traffic suppression......8-4
Figure 9-1 Networking diagram for configuring a basic ACL......9-15
Figure 9-2 Networking diagram for configuring IPv4 ACLs......9-17
Figure 9-3 Networking diagram for configuring layer 2 ACLs......9-22
Figure 9-4 Networking diagram for configuring an ACL6 to control FTP users......9-24
Figure 10-1 ND snooping enabled on the S2300 of the Layer 2 network......10-3
Figure 10-2 Networking diagram for configuring ND snooping on a Layer 2 network......10-10


Tables

Table 3-1 Matching table between type of attacks and DHCP snooping operation modes......3-4
Table 3-2 Relation between the type of attacks and the type of discarded packets......3-28


1 AAA and User Management Configuration

About This Chapter

This chapter describes the principle and configuration of Authentication, Authorization, and Accounting (AAA), local user management, Remote Authentication Dial In User Service (RADIUS), HUAWEI Terminal Access Controller Access Control System (HWTACACS), and domain.

1.1 Introduction to AAA and User Management
This section describes the knowledge of AAA and user management.

1.2 AAA and User Management Features Supported by the S2300
This section describes the AAA and user management features supported by the S2300.

1.3 Configuring AAA Schemes
This section describes how to configure an authentication scheme, an authorization scheme, and a recording scheme on the S2300.

1.4 Configuring a RADIUS Server Template
This section describes how to configure a RADIUS server template on the S2300.

1.5 Configuring an HWTACACS Server Template
This section describes how to configure an HWTACACS server template on the S2300.

1.6 Configuring a Service Scheme
This section describes how to configure a service scheme on the S2300 to store authorization information about users.

1.7 Configuring a Domain
This section describes how to configure a domain on the S2300.

1.8 Configuring Local User Management
This section describes how to configure local user management on the S2300.

1.9 Maintaining AAA and User Management
This section describes how to maintain AAA and user management.

1.10 Configuration Examples
This section provides several configuration examples of AAA and user management.


1.1 Introduction to AAA and User Management
This section describes the knowledge of AAA and user management.

AAA
AAA provides the following types of services:

l Authentication: determines whether a user is allowed to access the network.
l Authorization: authorizes the user to use certain services.
l Accounting: records the network resource usage of the user.

AAA adopts the client/server model, which features good extensibility and facilitates centralized management of user information.

Domain-based User Management
User authentication, authorization, and accounting are performed in the domain view. Users can be managed based on the domain. You can configure authentication, authorization, and accounting schemes, and create RADIUS or HWTACACS server templates in the domain.

Local User Management
To perform local user management, you need to set up the local user database, maintain user information, and manage users on the local S2300.

1.2 AAA and User Management Features Supported by the S2300

This section describes the AAA and user management features supported by the S2300.

AAA
The S2300 provides authentication schemes in the following modes:

l Non-authentication: In this mode, the S2300 does not check user validity; it is intended only for users that are trusted and is not adopted in other scenarios.

l Local authentication: In this mode, user information such as user names, passwords, and other attributes is configured on the S2300. The S2300 authenticates users according to this information. In local authentication mode, processing is fast, but the capacity of information storage is restricted by the hardware.

l Remote authentication: In this mode, user information such as user names, passwords, and other attributes is configured on an authentication server. The S2300 functions as the client and communicates with the authentication server through the RADIUS or HWTACACS protocol.

NOTE

If both HWTACACS authentication and non-authentication are configured, HWTACACS authentication is preferred.


The S2300 provides authorization schemes in the following modes:

l Non-authorization: completely trusts users and directly authorizes them.
l Local authorization: authorizes users according to the configured attributes of local user accounts on the S2300.
l Remote authorization: the S2300 functions as the client to communicate with the authorization server through HWTACACS.
l If-authenticated authorization: authorizes users after the users pass authentication in local or remote authentication mode.

The S2300 provides the following accounting modes:
l None: Users are not charged.
l RADIUS accounting: The S2300 sends the accounting packets to the RADIUS server. Then the RADIUS server performs accounting.
l HWTACACS accounting: The S2300 sends the accounting packets to the HWTACACS server. Then the HWTACACS server performs accounting.

In the RADIUS and HWTACACS accounting modes, the S2300 generates accounting packets when a user goes online or goes offline, and then sends them to the RADIUS or HWTACACS server. The server then performs accounting based on the information in the packets, such as login time and logout time.

The S2300 supports real-time accounting: while a user is online, the S2300 periodically generates accounting packets and sends them to the accounting server. In this way, the period of inaccurate accounting is minimized when communication between the S2300 and the accounting server is interrupted.

Local User Management
To perform local user management, you need to set up the local user database, maintain user information, and manage users on the S2300.

In local authentication or local authorization mode, you need to perform the task in 1.8 Configuring Local User Management.

Domain-based User Management
The S2300 manages users based on the domain. You can configure authentication, authorization, or accounting schemes in a domain. Then, the specified schemes are adopted to perform authentication and authorization for users that belong to the domain.

All the users of the S2300 belong to a certain domain. The domain that a user belongs to depends on the character string that follows the domain name delimiter. The domain name delimiter can be @, |, or %. For example, the user "user@huawei" belongs to the domain "huawei". If there is no "@" in the user name, the user belongs to the domain default.

By default, there are two domains named default and default_admin on the S2300, which cannot be deleted but can be modified. If the domain of an access user cannot be obtained, the default domain is used.
l Domain default is used for common access users. By default, local authentication is performed for the users in domain default.
l Domain default_admin is used for administrators. By default, local authentication is performed for the users in domain default_admin.


The S2300 supports up to 32 domains, including the two default domains.
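The domain rules above (delimiter, fallback to default, the two undeletable built-in domains, the 32-domain capacity) can be modelled in a few lines. The following is an added example written for this guide, not code from Huawei or the S2300 software. It assumes that one delimiter is active at a time (passed in as a parameter, defaulting to "@") and that the string after the first occurrence of the delimiter is the domain name; the class and function names are the example's own.

```python
"""Domain resolution for S2300-style user names (added example, not Huawei code).

Rule modelled from the guide: the domain is the string after the domain name
delimiter ('@', '|' or '%'); a user name with no delimiter, or one naming a
domain that does not exist, is placed in the domain 'default'. The two built-in
domains cannot be deleted and the table holds at most 32 domains.
Assumptions: one delimiter is active at a time; the first occurrence splits.
"""
from typing import Optional, Tuple

BUILT_IN_DOMAINS = ("default", "default_admin")   # cannot be deleted
MAX_DOMAINS = 32                                   # includes the two built-ins
DELIMITERS = ("@", "|", "%")                       # delimiters the guide lists


class DomainTable:
    """Configured domains on the switch, with the guide's capacity rules."""

    def __init__(self) -> None:
        self._domains = set(BUILT_IN_DOMAINS)

    def add(self, name: str) -> bool:
        """Create a domain; False when the 32-domain capacity is exhausted."""
        if name in self._domains:
            return True
        if len(self._domains) >= MAX_DOMAINS:
            return False
        self._domains.add(name)
        return True

    def delete(self, name: str) -> bool:
        """Delete a domain; the built-in domains are refused."""
        if name in BUILT_IN_DOMAINS:
            return False
        self._domains.discard(name)
        return True

    def exists(self, name: str) -> bool:
        return name in self._domains

    def count(self) -> int:
        return len(self._domains)


def split_user_name(user_name: str, delimiter: str = "@") -> Tuple[str, Optional[str]]:
    """Return (user part, domain part or None) using the active delimiter only.
    A name such as 'user%huawei' carries no domain while '@' is the delimiter."""
    if delimiter not in DELIMITERS:
        raise ValueError(f"unsupported delimiter {delimiter!r}")
    if delimiter not in user_name:
        return user_name, None
    user, _, domain = user_name.partition(delimiter)   # assumption: first occurrence
    return user, (domain or None)                      # 'user@' -> no domain


def resolve_domain(user_name: str, table: DomainTable, delimiter: str = "@") -> str:
    """Domain the user is placed in: the named one if configured, else 'default'."""
    _, domain = split_user_name(user_name, delimiter)
    if domain is not None and table.exists(domain):
        return domain
    return "default"          # domain absent or unknown: guide says 'default' is used
```

Because an unknown or missing domain silently maps to default, the authentication scheme bound to domain default is the one that most stray log-in attempts will actually hit; it is worth checking that scheme (section 1.3.6) rather than assuming only the deliberately configured domains matter.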

The priority of authorization configured in a domain is lower than the priority configured on an AAA server. That is, the authorization attribute sent by the AAA server is used preferentially. The authorization attribute in the domain takes effect only when the AAA server does not have or provide this authorization. In this manner, you can add services flexibly based on the domain management, regardless of the attributes provided by the AAA server.

RADIUS and HWTACACS Server Templates

When RADIUS or HWTACACS is specified in an authentication or an authorization scheme for communication between the client and the server, you must configure a RADIUS or an HWTACACS server template in a domain.

l In a RADIUS server template, you can set the attributes such as the IP addresses, port number, and key of the authentication server and accounting server.

l In an HWTACACS template, you can set the attributes such as the IP addresses, port number, and key of the authentication server, accounting server, and authorization server.

NOTE

Authentication and authorization are used together in RADIUS; therefore, you cannot use RADIUS alone to perform authorization.

1.3 Configuring AAA Schemes
This section describes how to configure an authentication scheme, an authorization scheme, and a recording scheme on the S2300.

1.3.1 Establishing the Configuration Task

1.3.2 Configuring an Authentication Scheme

1.3.3 Configuring an Authorization Scheme

1.3.4 Configuring an Accounting Scheme

1.3.5 (Optional) Configuring a Recording Scheme

1.3.6 Checking the Configuration

1.3.1 Establishing the Configuration Task

Applicable Environment

AAA schemes on the S2300 consist of the authentication scheme, authorization scheme, accounting scheme, and recording scheme. The S2300 prescribes the authentication, authorization, accounting, and recording modes (local processing, remote processing, or no processing) and relevant parameters for users according to AAA schemes.

After AAA schemes are configured, you can apply AAA schemes to a domain. The S2300 then uses the schemes to perform authentication, authorization, and accounting for users in the domain. You can configure different recording schemes for different transactions in the AAA view.


Pre-configuration Tasks

None

Data Preparation

To configure AAA schemes, you need the following data.

No. Data

1 Name of the authentication scheme and authentication mode

2 Name of the authorization scheme, authorization mode, (optional) user level in command-line-based authorization mode on the HWTACACS server, and (optional) timeout interval for command-line-based authorization

3 Name of the accounting scheme and accounting mode

4 (Optional) Name of the recording scheme, name of the HWTACACS server template associated with the recording scheme, and recording policy used to record events

1.3.2 Configuring an Authentication Scheme

Context
NOTE

By default, the local authentication mode is used.

If users are not to be authenticated, you must create an authentication scheme or modify the default authentication scheme by setting the authentication mode to none. Then, apply this authentication scheme to the domain that the users belong to.

You need to set the authentication modes for a user logging in to the S2300 and for upgrading user levels separately.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
authentication-scheme authentication-scheme-name

An authentication scheme is created and the authentication scheme view is displayed.

By default, there is an authentication scheme named default on the S2300. This scheme can be modified but cannot be deleted.

Step 4 Run:
authentication-mode { hwtacacs | radius | local }* [ none ]

The authentication mode is set.

none indicates the non-authentication mode. By default, the local authentication mode is used.

If multiple authentication modes are used in an authentication scheme, the non-authentication mode must be used as the last authentication mode.

If the authentication mode is set to RADIUS or HWTACACS, you must configure a RADIUS or an HWTACACS server template and apply the template in the view of the domain that the user belongs to.

NOTE

If multiple authentication modes are used in an authentication scheme, the authentication modes take effect according to their configuration sequence. The S2300 adopts the next authentication mode only when the current authentication mode is invalid. The S2300, however, does not adopt any other authentication mode when users fail authentication in the current authentication mode.

Step 5 Run:
authentication-super { hwtacacs | super }* [ none ]

Or,

authentication-super none

The authentication mode for upgrading user levels is set.

The none parameter indicates that the non-authentication mode is used. That is, user levels are changed by users without authentication. By default, the local authentication mode is used for upgrading user levels.

When the local authentication mode is used for upgrading user levels, you need to run the super password command in the system view to set the password for upgrading user levels.

----End

1.3.3 Configuring an Authorization Scheme

Context
NOTE

You can configure command-line-based authorization only when HWTACACS is adopted.

Procedure

Step 1 Run:
system-view


The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
authorization-scheme authorization-scheme-name

An authorization scheme is created and the authorization scheme view is displayed.

By default, an authorization scheme named default exists on the S2300. This scheme can be modified but cannot be deleted.

Step 4 Run:
authorization-mode [ hwtacacs ] { if-authenticated | local | none }

The authorization mode is set.

By default, the local authorization mode is used.

If multiple authorization modes are used in an authorization scheme, the if-authenticated mode or non-authorization mode must be used as the last authorization mode.

When using the HWTACACS authorization mode, you must create an HWTACACS server template and apply the template to the domain that the user belongs to.

NOTE

If multiple authorization modes are used in an authorization scheme, the authorization modes take effect according to their configuration sequence. The S2300 adopts the next authorization mode only when the current authorization mode is invalid. The S2300, however, does not adopt any other authorization mode when users are not authorized in the current authorization mode.

Step 5 (Optional) Run:
authorization-cmd privilege-level hwtacacs [ local ]

The command-line-based authorization function is configured for users at a level.

By default, the command-line-based authorization function is not configured for users at levels 0 to 15.

If command-line authorization is enabled, you must create an HWTACACS server template and apply the template in the view of the domain that the user belongs to.

----End
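The NOTEs in 1.3.2 and 1.3.3 describe one fall-through rule: modes are tried in configured order, the next mode is used only when the current one is invalid, and a user that the current mode rejects is not handed on to the next mode. The following is an added example, not code from Huawei or the S2300 software, that models that rule so the consequence of each mode ordering can be seen; it treats "invalid" as "the server cannot be reached", takes a missing local account as a rejection rather than an invalid mode, and uses constructed callbacks instead of a real RADIUS or HWTACACS exchange. All names in it are the example's own.

```python
"""Fall-through order of modes in an AAA scheme (added example, not Huawei code).

Modelled from the NOTEs in 1.3.2 / 1.3.3: modes run in configured order; the
next mode is consulted only when the current one is invalid (here: its server
is unreachable); a rejection by the current mode is final; 'none' must be last
and accepts unconditionally.
Assumptions: unknown local account = rejection; reachability is a flag.
"""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    INVALID = "invalid"      # the mode itself is unusable (server unreachable)


Backend = Callable[[str, str], Verdict]          # (user, password) -> Verdict
VALID_MODES = {"radius", "hwtacacs", "local", "none"}
REMOTE_MODES = {"radius", "hwtacacs"}


def validate_scheme(modes: List[str]) -> None:
    """Enforce the guide's ordering rule: 'none' may appear only as the last mode."""
    if not modes:
        raise ValueError("a scheme needs at least one mode")
    unknown = [m for m in modes if m not in VALID_MODES]
    if unknown:
        raise ValueError(f"unknown mode(s): {unknown}")
    if "none" in modes[:-1]:
        raise ValueError("'none' must be the last mode of the scheme")


def is_valid_scheme(modes: List[str]) -> bool:
    try:
        validate_scheme(modes)
        return True
    except ValueError:
        return False


def run_scheme(modes: List[str], backends: Dict[str, Backend],
               user: str, password: str) -> Tuple[Verdict, str]:
    """Try the modes in order; return (verdict, name of the mode that decided)."""
    validate_scheme(modes)
    for mode in modes:
        if mode == "none":
            return Verdict.ACCEPT, "none"        # non-authentication: always admitted
        verdict = backends[mode](user, password)
        if verdict is Verdict.INVALID:
            continue                             # mode unusable: fall through
        return verdict, mode                     # ACCEPT or REJECT ends the chain
    return Verdict.REJECT, "no-usable-mode"      # every mode invalid, no 'none'


def local_backend(accounts: Dict[str, str]) -> Backend:
    """Local user database; unknown user or wrong password is a rejection."""
    def check(user: str, password: str) -> Verdict:
        return Verdict.ACCEPT if accounts.get(user) == password else Verdict.REJECT
    return check


def remote_backend(reachable: bool, accounts: Dict[str, str]) -> Backend:
    """Constructed stand-in for a RADIUS/HWTACACS server behind a server template."""
    def check(user: str, password: str) -> Verdict:
        if not reachable:
            return Verdict.INVALID
        return Verdict.ACCEPT if accounts.get(user) == password else Verdict.REJECT
    return check


def fails_open_on_outage(modes: List[str]) -> bool:
    """True when an outage of every remote server admits users with no check at all:
    'none' is last and only remote modes precede it."""
    validate_scheme(modes)
    return modes[-1] == "none" and all(m in REMOTE_MODES for m in modes[:-1])
```

Two points the simulation makes concrete: a RADIUS or HWTACACS rejection is final even when the same user exists locally further down the chain, and a scheme such as "radius" followed by "none" admits everyone for as long as the server is unreachable, which is why the guide's requirement that none be last should be read together with whether a fail-open outcome is acceptable for that domain.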

1.3.4 Configuring an Accounting Scheme

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa


The AAA view is displayed.

Step 3 Run:
accounting-scheme accounting-scheme-name

An accounting scheme is created and the accounting scheme view is displayed.

By default, the S2300 provides an accounting scheme named default. This scheme can be modified but cannot be deleted.

Step 4 Run:
accounting-mode { hwtacacs | radius | none }

The accounting mode is set.

By default, the accounting mode is none.

If the accounting mode is set to RADIUS or HWTACACS, you must configure the RADIUS or HWTACACS server template and apply the template to the corresponding user domain.

Step 5 (Optional) Run:
accounting realtime interval

Interim accounting is enabled and the accounting interval is set.

By default, interim accounting is disabled.

The accounting interval depends on network conditions. A short interval increases traffic on the network and the load on the device that receives interim accounting packets. A long interval increases accounting errors when communication between the accounting server and the S2300 fails.

Step 6 (Optional) Run:
accounting start-fail { online | offline }

The policy for remote accounting-start failure is set.

If accounting start fails when a user logs in, the S2300 processes the user according to the policy for accounting start failure.

By default, the S2300 forbids a user to get online when accounting start fails.

Step 7 (Optional) Run:
accounting interim-fail [ max-times times ] { online | offline }

The policy for remote interim accounting failure is set.

If interim accounting fails after a user goes online, the S2300 processes the user according to the policy for interim accounting failure.

By default, the policy for remote interim accounting-start failure is disabled.

----End

1.3.5 (Optional) Configuring a Recording Scheme

Context
To monitor the device and locate faults, you can configure a recording scheme to record the following:


l Commands that are run on the S2300
l Information about connections
l System events

NOTE

You can configure the recording function only when HWTACACS is adopted.

Procedure
Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template

The HWTACACS server template is created.

Step 3 Run:
aaa

The AAA view is displayed.

Step 4 Run:
recording-scheme recording-scheme-name

A recording scheme is created and the recording scheme view is displayed.

By default, no recording scheme exists on the S2300.

Step 5 Run:
recording-mode hwtacacs template-name

An HWTACACS server template that is associated with the recording scheme is configured.

By default, a recording scheme is not associated with an HWTACACS server template.

Step 6 Run:quit

Return to the AAA view.

Step 7 Run:cmd recording-scheme recording-scheme-name

The commands that are used on the S2300 are recorded.

By default, the commands that are used on the S2300 are not recorded.

Step 8 Run:outbound recording-scheme recording-scheme-name

The information about connections is recorded.

By default, information about connections is not recorded.

Step 9 Run:system recording-scheme recording-scheme-name

System events are recorded.


By default, system events are not recorded.

----End

1.3.6 Checking the Configuration

Prerequisite

The configurations of AAA schemes are complete.

Procedure

l Run the display aaa configuration command to check the summary of AAA.

l Run the display authentication-scheme [ authentication-scheme-name ] command to check the configuration of the authentication scheme.

l Run the display authorization-scheme [ authorization-scheme-name ] command to check the configuration of the authorization scheme.

l Run the display accounting-scheme [ accounting-scheme-name ] command to check the configuration of the accounting scheme.

l Run the display recording-scheme [ recording-scheme-name ] command to check the configuration of the recording scheme.

l Run the display access-user [ domain domain-name | ip-address ip-address [ vpn-instance instance-name ] | mac-address mac-address | slot slot-id | interface interface-type interface-number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | user-id user-number ] command to check the summary of all online users.

----End

1.4 Configuring a RADIUS Server Template

This section describes how to configure a RADIUS server template on the S2300.

1.4.1 Establishing the Configuration Task

1.4.2 Creating a RADIUS Server Template

1.4.3 Configuring a RADIUS Authentication Server

1.4.4 Configuring the RADIUS Accounting Server

1.4.5 Configuring a RADIUS Authorization Server

1.4.6 (Optional) Setting a Shared Key for a RADIUS Server

1.4.7 (Optional) Setting the User Name Format Supported by a RADIUS Server

1.4.8 (Optional) Setting the Traffic Unit for a RADIUS Server

1.4.9 (Optional) Setting Retransmission Parameters on a RADIUS Server

1.4.10 (Optional) Setting the NAS Port Format of a RADIUS Server

1.4.11 Checking the Configuration


1.4.1 Establishing the Configuration Task

Applicable Environment

In remote authentication or authorization mode, you need to configure a server template as required. You need to configure a RADIUS server template if RADIUS is used in the authentication scheme.

NOTE

There are default parameters of a RADIUS server template, and the default parameters can be changed according to the networking. You can modify the RADIUS configuration only when the RADIUS server template is not in use.

Pre-configuration Tasks

None

Data Preparation

To configure a RADIUS server template, you need the following data.

No. Data

1 IP address of the RADIUS authentication server

2 IP address of the RADIUS accounting server

3 (Optional) Shared key of the RADIUS server

4 (Optional) User name format supported by the RADIUS server

5 (Optional) Traffic unit of the RADIUS server

6 (Optional) Timeout interval for a RADIUS server to send response packets and number of times for retransmitting request packets on a RADIUS server

7 (Optional) Format of the NAS port attribute of the RADIUS server

1.4.2 Creating a RADIUS Server Template

Procedure

Step 1 Run: system-view

The system view is displayed.


Step 2 Run: radius-server template template-name

A RADIUS server template is created and the RADIUS server template view is displayed.

----End

1.4.3 Configuring a RADIUS Authentication Server

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: radius-server template template-name

The RADIUS server template view is displayed.

Step 3 Run: radius-server authentication ip-address port [ source loopback interface-number ]

The primary RADIUS authentication server is configured.

By default, the IP address of the primary RADIUS authentication server is 0.0.0.0 and the port number is 0.

Step 4 (Optional) Run: radius-server authentication ip-address port [ source loopback interface-number ] secondary

The secondary RADIUS authentication server is configured.

By default, the IP address of the secondary RADIUS authentication server is 0.0.0.0 and the port number is 0.

----End

1.4.4 Configuring the RADIUS Accounting Server

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: radius-server template template-name

The RADIUS server template view is displayed.

Step 3 Run: radius-server accounting ip-address port [ source loopback interface-number ]

The primary RADIUS accounting server is configured.


By default, the IP address of the primary RADIUS accounting server is 0.0.0.0 and the port number is 0.

Step 4 (Optional) Run: radius-server accounting ip-address port [ source loopback interface-number ] secondary

The secondary RADIUS accounting server is configured.

By default, the IP address of the secondary RADIUS accounting server is 0.0.0.0 and the port number is 0.

----End

1.4.5 Configuring a RADIUS Authorization Server

Context

The RADIUS authorization server is mainly used to dynamically authorize users during service selection.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: radius-server authorization ip-address { server-group group-name | shared-key { cipher | simple } key-string } * [ ack-reserved-interval interval ]

The RADIUS authorization server is configured.

By default, no RADIUS authorization server is configured in the S2300.

----End

1.4.6 (Optional) Setting a Shared Key for a RADIUS Server

Context

When exchanging authentication packets, the S2300 and the RADIUS server encrypt important information such as the password by using the Message Digest 5 (MD5) algorithm to ensure the security of information transmitted over a network. To guarantee the validity of the authenticator and the authenticated, the keys on the S2300 and the RADIUS server must be the same.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: radius-server template template-name

The RADIUS server template view is displayed.

Step 3 Run: radius-server shared-key [ cipher | simple ] key-string

The shared key is set for a RADIUS server.

By default, the shared key of a RADIUS server is huawei.

----End

1.4.7 (Optional) Setting the User Name Format Supported by a RADIUS Server

Context

NOTE

A user name is in the user name@domain name format and the characters after @ refer to the domain name. In the user name, @ is the domain name delimiter. The domain name delimiter can also be any of the following symbols: \ / : < > | ' %

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: radius-server template template-name

The RADIUS server template view is displayed.

Step 3 Run: radius-server user-name domain-included

The user name format supported by a RADIUS server is set.

By default, a user name supported by a RADIUS server contains the domain name. That is, the S2300 sends the user name, domain name, and domain name delimiter to the RADIUS server for authentication.

When the RADIUS server does not accept the user name that contains the domain name, you can run the undo radius-server user-name domain-included command to delete the domain name before sending it to the RADIUS server.
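The shared key set in 1.4.6 and the user name format set above both determine the bytes the S2300 places in an Access-Request. The following Python example is added here and is not Huawei's code: it hides the User-Password with the RFC 2865 MD5 scheme keyed by the shared secret, optionally strips the domain name at any of the delimiters the guide lists (as undo radius-server user-name domain-included does), and checks a reply's Response Authenticator, which only a holder of the same key can produce. The secret, user name and addresses are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types used below
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

# Domain-name delimiters named by the guide: @ and \ / : < > | ' %
DOMAIN_DELIMITERS = "@\\/:<>|'%"


def strip_domain(user_name):
    """Drop the domain part the way 'undo radius-server user-name
    domain-included' does: cut at the first delimiter, if there is one."""
    for i, ch in enumerate(user_name):
        if ch in DOMAIN_DELIMITERS:
            return user_name[:i]
    return user_name


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each
    chunk with MD5(secret + previous chunk), seeded by the Request
    Authenticator. A different secret on either side yields garbage."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += chunk
        prev = chunk
    return bytes(out)


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attribute(atype, value):
    """One RADIUS TLV: Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(packet):
    """{type: value} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_access_request(ident, user, password, secret, nas_ip,
                         domain_included=True, authenticator=None):
    """Access-Request as the switch (NAS) sends it. Returns the packet and
    the Request Authenticator, which is needed to check the reply."""
    authenticator = authenticator or os.urandom(16)
    name = user if domain_included else strip_domain(user)
    attrs = (attribute(USER_NAME, name.encode())
             + attribute(USER_PASSWORD,
                         hide_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(ident, request_auth, secret, attrs=b""):
    """Reply as a server holding the shared key builds it."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return header + auth + attrs


def verify_response(packet, request_auth, secret):
    """Client-side check: the Response Authenticator must match what our
    shared key produces; otherwise the reply did not come from our server."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])
```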

----End

1.4.8 (Optional) Setting the Traffic Unit for a RADIUS Server

Procedure

Step 1 Run: system-view


The system view is displayed.

Step 2 Run: radius-server template template-name

The RADIUS server template view is displayed.

Step 3 Run: radius-server traffic-unit { byte | kbyte | mbyte | gbyte }

The traffic unit is set for a RADIUS server.

By default, the traffic is expressed in bytes on the S2300.

----End

1.4.9 (Optional) Setting Retransmission Parameters on a RADIUS Server

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: radius-server template template-name

The RADIUS server template view is displayed.

Step 3 Run: radius-server timeout timeout

The timeout interval for a RADIUS server to send response packets is set.

By default, the timeout interval for a RADIUS server to send response packets is five seconds.

To check whether a RADIUS server is available, the S2300 periodically sends request packets to the RADIUS server. If no response is received from the RADIUS server within the timeout interval, the S2300 retransmits the request packets.

Step 4 Run: radius-server retransmit retry-times

The number of times for retransmitting request packets on a RADIUS server is set.

By default, the number of times for retransmitting request packets on a RADIUS server is 3.

After retransmitting request packets to a RADIUS server for the set number of times, the S2300 considers that the RADIUS server is unavailable.

----End

1.4.10 (Optional) Setting the NAS Port Format of a RADIUS Server


Context

The NAS port format and the NAS port ID format are developed by Huawei and are used to maintain connectivity and service cooperation among Huawei devices. The NAS port format and the NAS port ID format each have a new and an old form. The ID format of the physical port that access users belong to depends on the format of the NAS port attribute.

For Ethernet access users:

l NAS port

– New NAS port format: slot number (8 bits) + subslot number (4 bits) + port number (8 bits) + VLAN ID (12 bits).

– Old NAS port format: slot number (12 bits) + port number (8 bits) + VLAN ID (12 bits).

l NAS port ID

– New format of NAS port ID: slot=xx; subslot=xx; port=xxx; VLAN ID=xxxx. Here slot ranges from 0 to 15, subslot from 0 to 15, port from 0 to 255, and VLAN ID from 1 to 4094.

– Old format of NAS port ID: slot number (2 characters) + subslot number (2 bytes) + card number (3 bytes) + VLANID (9 characters)

For ADSL access users:

l NAS port format: slot number (4 bits) + subslot number (2 bits) + port number (2 bits) + VPI (8 bits) + VCI (16 bits).

l NAS port ID

– New format of NAS port ID: slot=xx; subslot=x; VPI=xxx; VCI=xxxxx, in which slot ranges from 0 to 15, subslot from 0 to 9, port from 0 to 9, VPI from 0 to 255, and VCI from 0 to 65535.

– Old format of NAS port ID: slot number (2 characters) + subslot number (2 bytes) + card number (3 bytes) + VPI (8 characters) + VCI (16 characters). The fields are prefixed with 0s if they contain fewer bytes than specified.
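As an added illustration (Python, not Huawei's code), the following packs and unpacks the 32-bit NAS port value in the two Ethernet layouts and the ADSL layout listed above, and shows how one value decodes differently when the switch and the RADIUS server do not agree on radius-server nas-port-format. The zero-padded rendering of the new NAS port ID string follows the xx/xxx pattern above and is an assumption; the slot, port and VLAN values are constructed.

```python
# Bit layouts of the 32-bit RADIUS NAS-Port attribute as the guide lists them,
# most significant field first. Each layout totals 32 bits.
NAS_PORT_LAYOUTS = {
    "ethernet-new": (("slot", 8), ("subslot", 4), ("port", 8), ("vlan", 12)),
    "ethernet-old": (("slot", 12), ("port", 8), ("vlan", 12)),
    "adsl": (("slot", 4), ("subslot", 2), ("port", 2), ("vpi", 8), ("vci", 16)),
}

# Value ranges the guide gives for the new Ethernet NAS port ID string.
NAS_PORT_ID_RANGES = {"slot": (0, 15), "subslot": (0, 15),
                      "port": (0, 255), "vlan": (1, 4094)}


def pack_nas_port(layout, **fields):
    """Pack named fields into the 32-bit NAS-Port value for one layout."""
    value = 0
    for name, width in NAS_PORT_LAYOUTS[layout]:
        v = fields.get(name, 0)
        if not 0 <= v < (1 << width):
            raise ValueError(f"{name}={v} does not fit in {width} bits")
        value = (value << width) | v
    return value


def unpack_nas_port(layout, value):
    """Split a 32-bit NAS-Port value according to one layout."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("NAS-Port is a 32-bit attribute")
    fields = {}
    for name, width in reversed(NAS_PORT_LAYOUTS[layout]):
        fields[name] = value & ((1 << width) - 1)
        value >>= width
    return fields


def nas_port_id_new(slot, subslot, port, vlan):
    """Render the new Ethernet NAS port ID string following the
    'slot=xx; subslot=xx; port=xxx; VLAN ID=xxxx' pattern in the guide.
    Zero padding to the pattern widths is an assumption; compare with a
    capture from your own server before relying on the exact bytes."""
    for name, v in (("slot", slot), ("subslot", subslot), ("port", port), ("vlan", vlan)):
        lo, hi = NAS_PORT_ID_RANGES[name]
        if not lo <= v <= hi:
            raise ValueError(f"{name}={v} outside {lo}..{hi}")
    return f"slot={slot:02d}; subslot={subslot:02d}; port={port:03d}; VLAN ID={vlan:04d}"


def decode_under_both_formats(value):
    """How one NAS-Port value reads under the new and the old Ethernet layout,
    which is what goes wrong when the switch sends one format and the RADIUS
    server (or its accounting reports) expects the other."""
    return {"new": unpack_nas_port("ethernet-new", value),
            "old": unpack_nas_port("ethernet-old", value)}


if __name__ == "__main__":
    # Constructed sample: slot 1, subslot 0, port 5, VLAN 100 in the new format
    v = pack_nas_port("ethernet-new", slot=1, subslot=0, port=5, vlan=100)
    print(f"NAS-Port = 0x{v:08X}")
    for fmt, fields in decode_under_both_formats(v).items():
        print(f"  read as {fmt}: {fields}")
    print(nas_port_id_new(1, 0, 5, 100))
```

Decoding the sample under the old layout reports slot 16 instead of slot 1, so a mismatch shows up as wrong slot numbers in the server's records rather than as an error.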

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: radius-server template template-name

The RADIUS server template view is displayed.

Step 3 Run: radius-server nas-port-format { new | old }

The format of NAS port used by the RADIUS server is specified.

By default, the new format of NAS port is used.

Step 4 Run: radius-server nas-port-id-format { new | old }

The format of the NAS port ID used by the RADIUS server is specified.


By default, the new format of the NAS port ID is used.

----End

1.4.11 Checking the Configuration

Prerequisite

The configurations of the RADIUS server template are complete.

Procedure

l Run the display radius-server configuration [ template template-name ] command to check the configuration of the RADIUS server template.

l Run the display radius-attribute [ template template-name ] disable command to view the disabled RADIUS attributes.

l Run the display radius-attribute [ template template-name ] translate command to check the RADIUS attribute translation configuration.

----End

Example

After completing the configurations of the RADIUS server template, you can run the display radius-server configuration command to check the configuration of all templates.

<Quidway> display radius-server configuration
-------------------------------------------------------------------
Server-template-name : rrr
Protocol-version : standard
Traffic-unit : B
Shared-secret-key : huawei
Timeout-interval(in second) : 5
Primary-authentication-server : 0.0.0.0; 0; LoopBack:NULL
Primary-accounting-server : 100.1.1.1; 90; LoopBack:20
Secondary-authentication-server : 0.0.0.0; 0; LoopBack:NULL
Secondary-accounting-server : 0.0.0.0; 0; LoopBack:NULL
Retransmission : 3
Domain-included : YES
Calling-station-id MAC-format : XX.XX.XX.XX.XX.XX
-------------------------------------------------------------------
-------------------------------------------------------------------
Server-template-name : tr1
Protocol-version : standard
Traffic-unit : B
Shared-secret-key : huawei
Timeout-interval(in second) : 5
Primary-authentication-server : 0.0.0.0; 0; LoopBack:NULL
Primary-accounting-server : 0.0.0.0; 0; LoopBack:NULL
Secondary-authentication-server : 0.0.0.0; 0; LoopBack:NULL
Secondary-accounting-server : 0.0.0.0; 0; LoopBack:NULL
Retransmission : 3
Domain-included : YES
Calling-station-id MAC-format : XX.XX.XX.XX.XX.XX
-------------------------------------------------------------------
Total of radius template :2

Run the display radius-attribute [ template template-name ] disable command, and you can view the disabled RADIUS attributes.


<Quidway> display radius-attribute disable
Server-templet-name: rs
--------------------------------------------------------------------------------
Source-attr Dest-attr Direct
--------------------------------------------------------------------------------
NAS-IP-Address Disable send
--------------------------------------------------------------------------------

Run the display radius-attribute [ template template-name ] translate command, and you can view the RADIUS attribute translation configuration.

<Quidway> display radius-attribute translate
Server-templet-name: rs
--------------------------------------------------------------------------------
Source-attr Dest-attr Direct
--------------------------------------------------------------------------------
NAS-Identifier NAS-Port-Id send
--------------------------------------------------------------------------------

1.5 Configuring an HWTACACS Server Template

This section describes how to configure an HWTACACS server template on the S2300.

1.5.1 Establishing the Configuration Task

1.5.2 Creating an HWTACACS Server Template

1.5.3 Configuring an HWTACACS Authentication Server

1.5.4 Configuring an HWTACACS Authorization Server

1.5.5 Configuring the HWTACACS Accounting Server

1.5.6 (Optional) Configuring the Source IP Address of HWTACACS Packets

1.5.7 (Optional) Setting the Shared Key of an HWTACACS Server

1.5.8 (Optional) Setting the User Name Format for an HWTACACS Server

1.5.9 (Optional) Setting the Traffic Unit for an HWTACACS Server

1.5.10 (Optional) Setting HWTACACS Timers

1.5.11 (Optional) Configuring Retransmission of Accounting-Stop Packet

1.5.12 Checking the Configuration

1.5.1 Establishing the Configuration Task

Applicable Environment

In remote authentication or authorization mode, you need to configure a server template as required. You need to configure an HWTACACS server template if HWTACACS is used in an authentication or an authorization scheme.

NOTE

The S2300 does not check whether the HWTACACS template is in use when you modify attributes of the HWTACACS server, except when deleting the configuration of the server.


Pre-configuration Tasks

None

Data Preparation

To configure an HWTACACS server template, you need the following data.

No. Data

1 Name of the HWTACACS server template

2 IP addresses of the HWTACACS authentication, authorization, and accounting servers

3 (Optional) Source IP address of the HWTACACS server

4 (Optional) Shared key of the HWTACACS server

5 (Optional) User name format supported by the HWTACACS server

6 (Optional) Traffic unit of the HWTACACS server

7 (Optional) Timeout interval for the HWTACACS server to send response packets and time when the primary HWTACACS server is restored to the active state

1.5.2 Creating an HWTACACS Server Template

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: hwtacacs-server template template-name

An HWTACACS server template is created and the HWTACACS server template view is displayed.

----End

1.5.3 Configuring an HWTACACS Authentication Server


Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run: hwtacacs-server authentication ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ]

The IP address of the primary HWTACACS authentication server is configured.

By default, the IP address of the primary HWTACACS authentication server is 0.0.0.0, the port number is 0, and the VPN instances are not bound to the server.

Step 4 (Optional) Run: hwtacacs-server authentication ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] secondary

The IP address of the secondary HWTACACS authentication server is configured.

By default, the IP address of the secondary HWTACACS authentication server is 0.0.0.0, the port number is 0, and the VPN instances are not bound to the server.

----End

1.5.4 Configuring an HWTACACS Authorization Server

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run: hwtacacs-server authorization ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ]

The IP address of the primary HWTACACS authorization server is configured.

By default, the IP address of the primary HWTACACS authorization server is 0.0.0.0, the port number is 0, and the VPN instances are not bound to the server.

Step 4 (Optional) Run: hwtacacs-server authorization ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] secondary

The IP address of the secondary HWTACACS authorization server is configured.


By default, the IP address of the secondary HWTACACS authorization server is 0.0.0.0, the port number is 0, and the VPN instances are not bound to the server.

----End

1.5.5 Configuring the HWTACACS Accounting Server

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run: hwtacacs-server accounting ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ]

The primary HWTACACS accounting server is configured.

By default, the IP address of the primary HWTACACS accounting server is 0.0.0.0, the port number is 0, and the VPN instances are not bound to the server.

Step 4 Run: hwtacacs-server accounting ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] secondary

The secondary HWTACACS accounting server is configured.

By default, the IP address of the secondary HWTACACS accounting server is 0.0.0.0, the port number is 0, and the VPN instances are not bound to the server.

----End

1.5.6 (Optional) Configuring the Source IP Address of HWTACACS Packets

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run: hwtacacs-server source-ip ip-address


The source IP address of HWTACACS packets is configured.

By default, the source IP address of an HWTACACS packet is 0.0.0.0. In this case, the S2300 uses the IP address of the outgoing VLANIF interface as the source IP address of the HWTACACS packet.

After you specify the source IP address of HWTACACS packets, the specified address is used for the communication between the S2300 and the HWTACACS server. In this case, the HWTACACS server uses the specified IP address to communicate with the S2300.

----End

1.5.7 (Optional) Setting the Shared Key of an HWTACACS Server

Context

Setting the shared key ensures the security of communication between the S2300 and an HWTACACS server. To ensure the validity of the authenticator and the authenticated, the shared keys set on the S2300 and the HWTACACS server must be the same.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run: hwtacacs-server shared-key [ cipher | simple ] key-string

The shared key is set for the HWTACACS server.

By default, no shared key is set for the HWTACACS server.

----End

1.5.8 (Optional) Setting the User Name Format for an HWTACACS Server

Context

NOTE

A user name is in the user name@domain name format and the character string after "@" refers to the domain name. In the user name, @ is the domain name delimiter. The domain name delimiter can also be any of the following symbols: \ / : < > | ' %

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run: hwtacacs-server user-name domain-included

The user name format is set for an HWTACACS server.

By default, a user name supported by an HWTACACS server contains the domain name. That is, the S2300 sends the user name, domain name, and domain name delimiter to the HWTACACS server for authentication.

If an HWTACACS server does not accept the user name that contains the domain name, you can use the undo hwtacacs-server user-name domain-included command to delete the domain name before sending it to the HWTACACS server.

----End

1.5.9 (Optional) Setting the Traffic Unit for an HWTACACS Server

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run: hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }

The traffic unit is set for an HWTACACS server.

By default, the traffic is expressed in bytes on the S2300.

----End

1.5.10 (Optional) Setting HWTACACS Timers

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run: hwtacacs-server timer response-timeout value

The timeout interval for an HWTACACS server to send response packets is set.

By default, the timeout interval for an HWTACACS server to send response packets is five seconds.

If the S2300 receives no response from an HWTACACS server within the timeout interval, it considers the HWTACACS server unavailable. In this case, the S2300 performs authentication or authorization in other modes.

Step 4 Run: hwtacacs-server timer quiet value

The time after which an unavailable HWTACACS server is restored to the active state is set.

By default, the time taken by the primary HWTACACS server to restore to the active state is five minutes.
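The RADIUS timeout and retransmission parameters in 1.4.9 and the HWTACACS response-timeout and quiet timers above work the same way from the switch's point of view: a server that does not answer is set aside and the next one is tried. The following Python model is added here and is not the S2300 implementation; it uses the defaults the guide gives (5 s timeout, 3 RADIUS retransmissions, no HWTACACS retransmission, 5 min HWTACACS quiet interval) and a constructed stand-in for the network, and reports when the switch would have to fall back to another authentication mode.

```python
# Defaults from the guide: RADIUS 'radius-server timeout' 5 s and
# 'radius-server retransmit' 3; HWTACACS 'timer response-timeout' 5 s,
# no retransmission, and 'timer quiet' 5 minutes before the primary is
# tried again.
RADIUS_TIMEOUT, RADIUS_RETRANSMIT = 5.0, 3
HWTACACS_TIMEOUT, HWTACACS_QUIET = 5.0, 300.0


class ServerSelector:
    """Simplified model, not the S2300 implementation, of how the timers
    decide which server a request goes to and when a server is written off.

    servers: ordered list of (role, address); the first available entry is
             used, so the primary is preferred whenever it is not quiet.
    retransmit: extra attempts before a server is declared unavailable.
    quiet_interval: seconds an unavailable server is skipped; None means it
             stays skipped for the rest of the simulation.
    """

    def __init__(self, servers, response_timeout, retransmit=0, quiet_interval=None):
        self.servers = list(servers)
        self.response_timeout = response_timeout
        self.retransmit = retransmit
        self.quiet_interval = quiet_interval
        self.quiet_until = {role: 0.0 for role, _ in self.servers}
        self.events = []  # (time, role, address, quiet_until) per write-off

    def available(self, now):
        """Servers whose quiet period has elapsed, primary first."""
        return [(r, a) for r, a in self.servers if self.quiet_until[r] <= now]

    def request(self, now, transport):
        """Send one request at simulated time 'now'.

        transport(address, attempt) returns the reply, or None when nothing
        arrived within response_timeout. Returns (reply, role, time), or
        ('fallback', None, time) when every server is quiet: the point where
        the switch would fall back to another authentication mode."""
        for role, addr in self.available(now):
            for attempt in range(self.retransmit + 1):
                reply = transport(addr, attempt)
                if reply is not None:
                    return reply, role, now
                now += self.response_timeout  # waited out the full timeout
            until = float("inf") if self.quiet_interval is None else now + self.quiet_interval
            self.quiet_until[role] = until
            self.events.append((now, role, addr, until))
        return "fallback", None, now


def make_transport(drops):
    """Constructed stand-in for the network: drops[address] is how many
    requests that server loses before answering; None means it never
    answers. Servers not listed answer the first attempt."""
    def transport(addr, attempt):
        limit = drops.get(addr, 0)
        if limit is None or attempt < limit:
            return None
        return "accept"
    return transport


if __name__ == "__main__":
    servers = [("primary", "10.1.1.1"), ("secondary", "10.1.1.2")]
    lossy = make_transport({"10.1.1.1": 2})  # primary loses two requests
    radius = ServerSelector(servers, RADIUS_TIMEOUT, RADIUS_RETRANSMIT)
    print("RADIUS, lossy primary:", radius.request(0.0, lossy))
    tac = ServerSelector(servers, HWTACACS_TIMEOUT, 0, HWTACACS_QUIET)
    print("HWTACACS, lossy primary:", tac.request(0.0, lossy))
    print("HWTACACS write-offs:", tac.events)
    print("HWTACACS at t=305 s:", tac.available(305.0)[0])
```

With the RADIUS defaults the lossy primary still answers on the third attempt, while the HWTACACS defaults write it off after one 5 s timeout and hand the request to the secondary until the quiet interval expires.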

----End

1.5.11 (Optional) Configuring Retransmission of Accounting-Stop Packet

Context

If the HWTACACS accounting mode is used, the S2300 sends an Accounting-Stop packet to the HWTACACS server after a user goes offline. If the connectivity of the network is not desirable, you can enable the function of retransmitting the Accounting-Stop packet to prevent the loss of accounting information.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: hwtacacs-server accounting-stop-packet resend { disable | enable number }

The function of retransmitting the Accounting-Stop packet is configured.

You can enable the function of retransmitting the Accounting-Stop packet and set the retransmission count, or disable the function. By default, the retransmission function is enabled and the retransmission count is 100.

----End

1.5.12 Checking the Configuration


Prerequisite

The configurations of the HWTACACS server template are complete.

Procedure

l Run the display hwtacacs-server template [ template-name ] command to check the configuration of the HWTACACS server template.

----End

Example

After completing the configurations of the HWTACACS server template, you can run the display hwtacacs-server template [ template-name ] command to view the configuration of the template.

<Quidway> display hwtacacs-server template huawei
---------------------------------------------------------------------------
HWTACACS-server template name : huawei
Primary-authentication-server : 0.0.0.0:0:-
Primary-authorization-server : 0.0.0.0:0:-
Primary-accounting-server : 0.0.0.0:0:-
Secondary-authentication-server : 0.0.0.0:0:-
Secondary-authorization-server : 0.0.0.0:0:-
Secondary-accounting-server : 0.0.0.0:0:-
Current-authentication-server : 0.0.0.0:0:-
Current-authorization-server : 0.0.0.0:0:-
Current-accounting-server : 0.0.0.0:0:-
Source-IP-address : 0.0.0.0
Shared-key : -
Quiet-interval(min) : 5
Response-timeout-Interval(sec) : 5
Domain-included : Yes
Traffic-unit : B
---------------------------------------------------------------------------

1.6 Configuring a Service Scheme

This section describes how to configure a service scheme in the S2300 to store authorization information about users.

1.6.1 Establishing the Configuration Task

1.6.2 Creating a Service Scheme

1.6.3 Setting the Administrator Level

1.6.4 Configuring a DHCP Server Group

1.6.5 Configuring an Address Pool

1.6.6 Configure Primary and Secondary DNS Servers

1.6.7 Checking the Configuration

1.6.1 Establishing the Configuration Task


Applicable Environment

Access users must acquire authorization information before getting online. Authorization information about users can be managed through the service scheme.

Pre-configuration Tasks

Before configuring a service scheme, complete the following tasks:

l Creating a DHCP server group

l Creating an IP address pool

Data Preparation

To configure a service scheme, you need the following data.

No. Data

1 Service scheme

2 Administrator level

3 User priority

4 Name of the DHCP server group

5 Name and position of the address pool

6 IP address of the primary and secondary DNS servers

1.6.2 Creating a Service Scheme

Context

The service scheme is the aggregation of authorization information about users. After a service scheme is created, you can set attributes of users in the service scheme view.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: aaa

The AAA view is displayed.

Step 3 Run: service-scheme service-scheme-name

A service scheme is created.


service-scheme-name is a string of 1 to 32 characters, excluding / \ : * ? " < > | @ ' %.

By default, no service scheme is configured in the S2300.

----End

1.6.3 Setting the Administrator Level

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: aaa

The AAA view is displayed.

Step 3 Run: service-scheme service-scheme-name

The service scheme view is displayed.

Step 4 Run: admin-user privilege level level

The administrator is enabled to log in to the S2300 and the administrator level is set.

The value of level ranges from 0 to 15. If this command is not run, the administrator level is displayed as 16, which is invalid.

----End

1.6.4 Configuring a DHCP Server Group

Prerequisite

A DHCP server group is configured. For the procedure for configuring the DHCP server group, see the Configuration Guide - IP Services-DHCP Configuration.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: aaa

The AAA view is displayed.

Step 3 Run: service-scheme service-scheme-name


The service scheme view is displayed.

Step 4 Run:
dhcp-server group group-name

A DHCP server group is configured.

----End

1.6.5 Configuring an Address Pool

Prerequisite
An IP address pool is configured. For the procedure for configuring the DHCP server group, see the Configuration Guide - IP Services-DHCP Configuration.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
service-scheme service-scheme-name

The service scheme view is displayed.

Step 4 Run:
ip-pool pool-name [ move-to new-position ]

An IP address pool is configured, or the position of a configured address pool is moved.

----End

1.6.6 Configuring Primary and Secondary DNS Servers

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
service-scheme service-scheme-name


The service scheme view is displayed.

Step 4 Run:
dns ip-address

The IP address of the primary DNS server is configured.

Step 5 (Optional) Run:
dns ip-address secondary

The IP address of the secondary DNS server is configured.

----End

1.6.7 Checking the Configuration

Procedure

Step 1 Run the display service-scheme [ name name ] command to view the configuration of a service scheme.

----End

Example
Run the display service-scheme command to view all the information about the service scheme.

<Quidway> display service-scheme
-------------------------------------------------------------------
service-scheme-name                              scheme-index
-------------------------------------------------------------------
huwei1                                           0
-------------------------------------------------------------------
Total of service scheme: 1

Run the display service-scheme name name command to view the configuration of service scheme svcscheme1.

<Quidway> display service-scheme name svcscheme1
service-scheme-name         : svcscheme1
service-scheme-primary-dns  : -
service-scheme-secondry-dns : -
service-scheme-adminlevel   : 16

1.7 Configuring a Domain
This section describes how to configure a domain on the S2300.

1.7.1 Establishing the Configuration Task

1.7.2 Creating a Domain

1.7.3 Configuring Authentication, Authorization and Accounting Schemes for a Domain

1.7.4 Configuring a RADIUS Server Template for a Domain

1.7.5 Configuring an HWTACACS Server Template for a Domain


1.7.6 (Optional) Configuring a Service Scheme for a Domain

1.7.7 (Optional) Setting the Status of a Domain

1.7.8 (Optional) Configuring the Domain Name Delimiter

1.7.9 Checking the Configuration

1.7.1 Establishing the Configuration Task

Applicable Environment
To perform authentication and authorization for a user logging in to the S2300, you need to configure a domain.

NOTE

The modification of a domain takes effect next time a user logs in.

Pre-configuration Tasks
Before configuring a domain, complete the following tasks:
- Configuring authentication and authorization schemes
- Configuring a RADIUS server template if RADIUS is used in an authentication scheme
- Configuring an HWTACACS server template if HWTACACS is used in an authentication or an authorization scheme
- Configuring local user management in local authentication or authorization mode

Data Preparation
To configure a domain, you need the following data.

No.  Data
1    Name of the domain
2    Names of authentication and authorization schemes of the domain
3    (Optional) Name of the RADIUS server template or the HWTACACS server template of the domain
4    (Optional) Status of the domain

1.7.2 Creating a Domain

Procedure

Step 1 Run:


system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

A domain is created and the domain view is displayed.

The S2300 has two default domains: default and default_admin. Domain default is used for common access users, and domain default_admin is used for administrators.

The S2300 supports up to 32 domains, including the two default domains.

----End

Follow-up Procedure
After creating a domain, you can run the domain domain-name [ admin ] command in the system view to configure the domain as the global default domain. The access users whose domain names cannot be obtained are added to this domain.

If you do not run the domain domain-name [ admin ] command, the S2300 adds the common users and administrators whose domain names cannot be obtained to domains default and default_admin respectively.

1.7.3 Configuring Authentication, Authorization and Accounting Schemes for a Domain

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
authentication-scheme authentication-scheme-name

An authentication scheme is configured for the domain.

By default, the authentication scheme named default is used for a domain.


Step 5 Run:
authorization-scheme authorization-scheme-name

An authorization scheme is configured for the domain.

By default, no authorization scheme is bound to a domain.

Step 6 Run:
accounting-scheme accounting-scheme-name

An accounting scheme is configured for the domain.

By default, the accounting scheme named default is used for a domain.

----End

1.7.4 Configuring a RADIUS Server Template for a Domain

Context
If a remote RADIUS authentication scheme is used in a domain, you must apply a RADIUS server template to the domain.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
radius-server template-name

A RADIUS server template is configured for the domain.

By default, no RADIUS server template is configured for a domain.

----End

1.7.5 Configuring an HWTACACS Server Template for a Domain

Context
If the remote HWTACACS authentication or authorization mode is used in a domain, you need to apply an HWTACACS server template to the domain.


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
hwtacacs-server template-name

An HWTACACS server template is configured for the domain.

By default, no HWTACACS server template is configured for a domain.

----End

1.7.6 (Optional) Configuring a Service Scheme for a Domain

Context
Configuring a service scheme for a domain is to bind a service scheme to a domain. Users in the domain obtain service information, such as the IP address and DNS server, from the service scheme.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
service-scheme service-scheme-name

A service scheme is bound to the domain.

By default, no service scheme is bound to the domain.


Before binding a service scheme to a domain, you must create the service scheme.

----End

1.7.7 (Optional) Setting the Status of a Domain

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
state { active | block }

The status of the domain is set.

When a domain is in blocking state, users that belong to this domain cannot log in. By default, the domain is in active state after being created.

----End

1.7.8 (Optional) Configuring the Domain Name Delimiter

Context
A user account on the S2300 consists of a user name and a domain name. The user name and domain name are separated by the domain name delimiter. For example, if the defined domain name delimiter is @, the user account of user1 in domain dom1 is user1@dom1.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain-name-delimiter delimiter

The domain name delimiter is configured.


delimiter can be set to any one of \, /, :, <, >, |, @, ', and %.

By default, the domain name delimiter is @.

----End

1.7.9 Checking the Configuration

Prerequisite
The configurations of the domain are complete.

Procedure
- Run the display domain [ name domain-name ] command to check the configuration of the domain.

----End

Example
After the configuration, you can run the display domain command to view the summary of all domains.

<Quidway> display domain
-------------------------------------------------------------------------
DomainName                                     index
-------------------------------------------------------------------------
default                                        0
default_admin                                  1
huawei                                         2
-------------------------------------------------------------------------
Total: 3

Run the display domain [ name domain-name ] command, and you can view the configuration of a specified domain.

<Quidway> display domain name huawei
Domain-name                : huawei
Domain-state               : Active
Authentication-scheme-name : scheme0
Accounting-scheme-name     : default
Authorization-scheme-name  : -
Service-scheme-name        : -
RADIUS-server-template     : -
HWTACACS-server-template   : -

1.8 Configuring Local User Management
This section describes how to configure local user management on the S2300.

1.8.1 Establishing the Configuration Task

1.8.2 Creating a Local User

1.8.3 (Optional) Setting the Access Type of the Local User

1.8.4 (Optional) Configuring the FTP Directory That a Local User Can Access


1.8.5 (Optional) Setting the Status of a Local User

1.8.6 (Optional) Setting the Level of a Local User

1.8.7 (Optional) Setting the Access Limit for a Local User

1.8.8 Checking the Configuration

1.8.1 Establishing the Configuration Task

Applicable Environment
You can create a local user on the S2300, configure attributes of the local user, and perform authentication and authorization for users logging in to the S2300 according to information about the local user.

Pre-configuration Tasks
None

Data Preparation
To configure local user management, you need the following data.

No.  Data
1    User name and password
2    Access type of the local user
3    Name of the FTP directory that the local user can access
4    Status of the local user
5    Level of the local user
6    Maximum number of local access users

1.8.2 Creating a Local User

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
local-user user-name { password { simple | cipher } password | access-limit max-number | ftp-directory directory | privilege level level | state { block | active } } *

A local user is created and parameters of the user are set.

If the user name contains the domain name delimiter, such as @, |, or %, the character string before the delimiter is the user name and the character string after the delimiter is the domain name. If the user name does not contain the domain name delimiter, the entire character string is the user name and the user is authenticated in the default domain.

You can use the local-user command to create a local user and set parameters of the local user. To modify parameters of a local user, use the local-user access-limit, local-user ftp-directory, local-user service-type, local-user privilege level, or local-user state command.

----End
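The account-name rules in 1.7.8 and 1.8.2 (delimiter-separated user name and domain name, fallback to the default domains, blocked domains) are worked through below in a small Python model. This is an added example, not Huawei code; the refusal of an account whose domain does not exist is an assumption of the example.

```python
"""Account-name resolution against an S2300-style domain table (added example, not
Huawei code). It models the rules stated in 1.7.2, 1.7.7, 1.7.8 and 1.8.2: the
delimiter splits the user name from the domain name, an account without a delimiter
falls back to a default domain (or to the global default set with 'domain NAME
[ admin ]'), and a domain in blocking state refuses its users."""

# Characters the domain-name-delimiter command accepts, as listed in 1.7.8.
ALLOWED_DELIMITERS = set("\\/:<>|@'%")
MAX_DOMAINS = 32  # the S2300 supports up to 32 domains, the two defaults included


class DomainTable:
    def __init__(self):
        self.delimiter = "@"  # default delimiter
        self.domains = {"default": "active", "default_admin": "active"}
        self.global_default = {}  # "user" -> domain name, "admin" -> domain name

    def set_delimiter(self, delimiter):
        if delimiter not in ALLOWED_DELIMITERS:
            raise ValueError(f"delimiter {delimiter!r} is not one of {sorted(ALLOWED_DELIMITERS)}")
        self.delimiter = delimiter

    def create_domain(self, name):
        if name not in self.domains and len(self.domains) >= MAX_DOMAINS:
            raise ValueError("the limit of 32 domains has been reached")
        self.domains.setdefault(name, "active")  # a new domain starts active (1.7.7)

    def set_state(self, name, state):
        if state not in ("active", "block"):
            raise ValueError("state must be active or block")
        self.domains[name] = state

    def set_global_default(self, name, admin=False):
        # system-view 'domain NAME' or 'domain NAME admin' (1.7.2, follow-up procedure)
        if name not in self.domains:
            raise KeyError(name)
        self.global_default["admin" if admin else "user"] = name

    def split_account(self, account, admin=False):
        """Return (user_name, domain_name). Parsing runs left to right with the domain
        after the first delimiter, as 'display aaa configuration' reports."""
        user, sep, domain = account.partition(self.delimiter)
        if sep:
            return user, domain
        kind = "admin" if admin else "user"
        builtin = "default_admin" if admin else "default"
        return account, self.global_default.get(kind, builtin)

    def resolve(self, account, admin=False):
        """Decide whether the account may log in, from the state of its domain.
        Treating a domain that does not exist as a refusal is this example's assumption."""
        user, domain = self.split_account(account, admin)
        state = self.domains.get(domain)
        reason = {None: "domain does not exist", "block": "domain is blocked",
                  "active": "domain is active"}[state]
        return {"user": user, "domain": domain, "allowed": state == "active", "reason": reason}


if __name__ == "__main__":
    table = DomainTable()
    table.create_domain("dom1")
    print(table.resolve("user1@dom1"))            # user1 in dom1, allowed
    table.set_state("dom1", "block")
    print(table.resolve("user1@dom1"))            # refused: dom1 is blocked
    print(table.resolve("operator", admin=True))  # no delimiter: default_admin
```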

1.8.3 (Optional) Setting the Access Type of the Local User

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name service-type { 8021x | bind | ftp | http | ppp | ssh | telnet | terminal | web | x25-pad } *

The access type of the local user is set.

By default, a local user can use all access types.

A user can successfully log in only when its access type matches the specified access type.

----End

1.8.4 (Optional) Configuring the FTP Directory That a Local User Can Access

Context

NOTE

If a local user logs in to the device in FTP mode, configure the FTP directory; otherwise, the user cannot log in.


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name ftp-directory directory

The FTP directory that a local user can access is configured.

By default, the FTP directory that a local user can access is null.

----End

1.8.5 (Optional) Setting the Status of a Local User

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name state { active | block }

The status of a local user is set.

By default, a local user is in active state.

The S2300 processes a local user in active or blocking state as follows:

- If the local user is in active state, the S2300 receives the authentication request of this user for further processing.
- If the local user is in blocking state, the S2300 rejects the authentication request of this user.

----End

1.8.6 (Optional) Setting the Level of a Local User

Context
After the level of a local user is set, the login user can run a command only when the user level is equal to or higher than the command level.


Similar to the command levels, users are classified into 16 levels numbered 0 to 15. The greater the number, the higher the user level.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name privilege level level

The level of a local user is set.

By default, the level of a local user is determined by the management module. For example, there is a user level in the user interface view. If a user level is not set, the user level is 0.

----End

1.8.7 (Optional) Setting the Access Limit for a Local User

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name access-limit max-number

The maximum number of online local users is set.

By default, the number of access users with the same user name is not restricted on the S2300.

----End

1.8.8 Checking the Configuration

Prerequisite
The configurations of the local user are complete.


Procedure
- Run the display local-user [ username user-name ] command to check the attributes of the local user.

----End

Example

After completing the configuration of local user management, you can run the display local-user command to view brief information about attributes of the local user.

<Quidway> display local-user
----------------------------------------------------------------------------
User-name            State    AuthMask    AdminLevel
----------------------------------------------------------------------------
lsj                  A        A           -
----------------------------------------------------------------------------
Total 1 user(s)

Run the display local-user [ username user-name ] command, and you can view detailed information about a specified user.

<Quidway> display local-user username user-a
The contents of local user(s):
Password          : admin
State             : active
Service-type-mask : H
Privilege level   : -
Ftp-directory     : -
Access-limit      : -
Accessed-num      : 0

1.9 Maintaining AAA and User Management
This section describes how to maintain AAA and user management.

1.9.1 Clearing the Statistics

1.9.2 Monitoring the Running Status of AAA

1.9.3 Debugging

1.9.1 Clearing the Statistics

Context

CAUTION
Statistics cannot be restored after you clear them. So, confirm the action before you use the command.

Run the following command in the user view to clear the statistics.


Procedure
- Run the reset hwtacacs-server statistics { all | accounting | authentication | authorization } command to clear the statistics on the HWTACACS server.
- Run the reset hwtacacs-server accounting-stop-packet { all | ip ip-address } command to clear the statistics about Accounting Stop packets.

----End

1.9.2 Monitoring the Running Status of AAA

Procedure

Step 1 Run the display aaa configuration command to view AAA running information.

----End

Example

Run the display aaa configuration command to view AAA running information.

<Quidway> display aaa configuration
Domain Name Delimiter      : @
Domainname parse direction : Left to right
Domainname location        : After-delimiter
Domain                     : total: 32    used: 5
Authentication-scheme      : total: 16    used: 1
Accounting-scheme          : total: 16    used: 3
Authorization-scheme       : total: 16    used: 1
Service-scheme             : total: 16    used: 0

1.9.3 Debugging

Context

CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging all command to disable it immediately.

When a running fault occurs on the RADIUS or HWTACACS server, run the debugging commands in the user view to locate the fault.

Procedure
- Run the debugging radius packet command to debug RADIUS packets.
- Run the debugging hwtacacs { all | error | event | message | receive-packet | send-packet } command to debug HWTACACS.

----End


1.10 Configuration Examples
This section provides several configuration examples of AAA and user management.

1.10.1 Example for Configuring RADIUS Authentication and Accounting

1.10.2 Example for Configuring HWTACACS Authentication, Accounting, and Authorization

1.10.1 Example for Configuring RADIUS Authentication and Accounting

Networking Requirements
As shown in Figure 1-1, users access the network through Switch A and are located in the domain huawei. Switch B acts as the network access server of the destination network. The access request of the user needs to pass the network of Switch A and Switch B to reach the authentication server. The user can access the destination network through Switch B after passing the remote authentication. The remote authentication mode on Switch B is as follows:

- The RADIUS server performs authentication and accounting for access users.
- The RADIUS server 129.7.66.66/24 functions as the primary authentication and accounting server. The RADIUS server 129.7.66.67/24 functions as the secondary authentication and accounting server. The default authentication port and accounting port are 1812 and 1813 respectively.

Figure 1-1 Networking diagram of RADIUS authentication and accounting (figure not reproduced: Switch A, Switch B, destination network, domain huawei, RADIUS servers 129.7.66.66/24 and 129.7.66.67/24)


Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a RADIUS server template.
2. Configure the authentication and accounting schemes.
3. Apply the RADIUS server template, the authentication and accounting schemes to the domain.

Data Preparation
To complete the configuration, you need the following data:

- Name of the domain that a user belongs to
- Name of the RADIUS server template
- Name of the authentication scheme, authentication mode, name of the accounting scheme, and accounting mode
- IP addresses, authentication and accounting port numbers of the primary and secondary RADIUS servers
- Key and retransmission times of the RADIUS server

NOTE

The following configurations are performed on Switch B.

Procedure

Step 1 Configure a RADIUS server template.

# Configure the RADIUS template named shiva.

<Quidway> system-view
[Quidway] radius-server template shiva

# Configure the IP addresses and port numbers of the primary RADIUS authentication and accounting servers.

[Quidway-radius-shiva] radius-server authentication 129.7.66.66 1812
[Quidway-radius-shiva] radius-server accounting 129.7.66.66 1813

# Set the IP addresses and port numbers of the secondary RADIUS authentication and accounting servers.

[Quidway-radius-shiva] radius-server authentication 129.7.66.67 1812 secondary
[Quidway-radius-shiva] radius-server accounting 129.7.66.67 1813 secondary

# Set the key and retransmission count for the RADIUS server.

[Quidway-radius-shiva] radius-server shared-key cipher hello
[Quidway-radius-shiva] radius-server retransmit 2
[Quidway-radius-shiva] quit

Step 2 Configure the authentication and accounting schemes.

# Configure authentication scheme 1, with the authentication mode being RADIUS.

[Quidway] aaa
[Quidway-aaa] authentication-scheme 1
Info: Create a new authentication scheme
[Quidway-aaa-authen-1] authentication-mode radius
[Quidway-aaa-authen-1] quit


# Configure accounting scheme 1, with the accounting mode being RADIUS.

[Quidway-aaa] accounting-scheme 1
Info: Create a new accounting scheme
[Quidway-aaa-accounting-1] accounting-mode radius
[Quidway-aaa-accounting-1] quit

Step 3 Configure the domain huawei and apply authentication scheme 1, accounting scheme 1, and RADIUS template shiva to the domain.

[Quidway-aaa] domain huawei
[Quidway-aaa-domain-huawei] authentication-scheme 1
[Quidway-aaa-domain-huawei] accounting-scheme 1
[Quidway-aaa-domain-huawei] radius-server shiva

Step 4 Verify the configuration.

After running the display radius-server configuration template command on Switch B, you can view that the configuration of the RADIUS server template meets the requirements.

<Quidway> display radius-server configuration template shiva
-------------------------------------------------------------------
Server-template-name            : shiva
Protocol-version                : standard
Traffic-unit                    : B
Shared-secret-key               : 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
Timeout-interval(in second)     : 5
Primary-authentication-server   : 129.7.66.66  :1812  LoopBack:NULL
Primary-accounting-server       : 129.7.66.66  :1813  LoopBack:NULL
Secondary-authentication-server : 129.7.66.67  :1812  LoopBack:NULL
Secondary-accounting-server     : 129.7.66.67  :1813  LoopBack:NULL
Retransmission                  : 2
Domain-included                 : YES
Calling-station-id MAC-format   : XX.XX.XX.XX.XX.XX
-------------------------------------------------------------------

----End

Configuration Files

#
 sysname Quidway
#
radius-server template shiva
 radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 radius-server authentication 129.7.66.66 1812
 radius-server authentication 129.7.66.67 1812 secondary
 radius-server accounting 129.7.66.66 1813
 radius-server accounting 129.7.66.67 1813 secondary
 radius-server retransmit 2
#
aaa
 authentication-scheme default
 authentication-scheme 1
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 accounting-scheme 1
  accounting-mode radius
 domain default
 domain default_admin
 domain huawei
  authentication-scheme 1
  accounting-scheme 1
  radius-server shiva
#
return


1.10.2 Example for Configuring HWTACACS Authentication, Accounting, and Authorization

Networking Requirements

As shown in Figure 1-2:

- The HWTACACS server is adopted to authenticate access users. If HWTACACS server authentication fails, access users are authenticated locally.
- HWTACACS authentication is required before the level of access users is promoted. If the HWTACACS server does not respond, local authentication is performed.
- HWTACACS authorization is performed for access users.
- All access users need to be charged.
- Interim accounting is performed every 3 minutes.
- The primary HWTACACS server is 129.7.66.66/24, and the IP address of the secondary HWTACACS server is 129.7.66.67/24. The port number of the server for authentication, accounting, and authorization is 49.

Figure 1-2 Networking diagram of HWTACACS authentication, accounting, and authorization (figure not reproduced: Switch A, Switch B, destination network, domain huawei, HWTACACS servers 129.7.66.66/24 and 129.7.66.67/24)

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure an HWTACACS server template.
2. Configure the authentication, authorization, and accounting schemes.


3. Apply the HWTACACS server template, authentication, authorization, and accounting schemes to the domain.

Data Preparation
To complete the configuration, you need the following data:

- Name of the domain that the user belongs to
- Name of the HWTACACS server template
- Name of the authentication scheme, authentication mode, name of the authorization scheme, authorization mode, name of the accounting scheme, and accounting mode
- IP addresses, authentication port numbers, authorization port numbers, and accounting port numbers of the primary and secondary HWTACACS servers
- Key of the HWTACACS server

NOTE

The following configurations are performed on Switch B.

Procedure

Step 1 Configure an HWTACACS server template.

# Configure an HWTACACS server template named ht.

<Quidway> system-view
[Quidway] hwtacacs-server template ht

# Configure the IP address and port number of the primary HWTACACS server for authentication, authorization, and accounting.

[Quidway-hwtacacs-ht] hwtacacs-server authentication 129.7.66.66 49
[Quidway-hwtacacs-ht] hwtacacs-server authorization 129.7.66.66 49
[Quidway-hwtacacs-ht] hwtacacs-server accounting 129.7.66.66 49

# Configure the IP address and port number of the secondary HWTACACS server for authentication, authorization, and accounting.

[Quidway-hwtacacs-ht] hwtacacs-server authentication 129.7.66.67 49 secondary
[Quidway-hwtacacs-ht] hwtacacs-server authorization 129.7.66.67 49 secondary
[Quidway-hwtacacs-ht] hwtacacs-server accounting 129.7.66.67 49 secondary

# Configure the key of the HWTACACS server.

[Quidway-hwtacacs-ht] hwtacacs-server shared-key cipher hello
[Quidway-hwtacacs-ht] quit

Step 2 Configure the authentication, authorization, and accounting schemes.

# Create an authentication scheme l-h and set the authentication mode to HWTACACS then local, that is, the system performs HWTACACS authentication first and falls back to local authentication if the HWTACACS server does not respond. The HWTACACS authentication takes precedence over the local authentication when the level of a user is promoted.

[Quidway] aaa
[Quidway-aaa] authentication-scheme l-h
[Quidway-aaa-authen-l-h] authentication-mode hwtacacs local
[Quidway-aaa-authen-l-h] authentication-super hwtacacs super
[Quidway-aaa-authen-l-h] quit

# Create an authorization scheme hwtacacs, and set the authorization mode to HWTACACS.

# Create an authorization scheme hwtacacs, and set the authorization mode to HWTACACS.


[Quidway-aaa] authorization-scheme hwtacacs[Quidway-aaa-author-hwtacacs] authorization-mode hwtacacs[Quidway-aaa-author-hwtacacs] quit

# Create an accounting scheme hwtacacs, and set the accounting mode to HWTACACS.

[Quidway-aaa] accounting-scheme hwtacacs[Quidway-aaa-accounting-hwtacacs] accounting-mode hwtacacs[Quidway–aaa-accounting-hwtacacs] accounting start-fail online

# Set the interval of interim accounting to 3 minutes.

[Quidway-aaa-accounting-hwtacacs] accounting realtime 3[Quidway-aaa-accounting-hwtacacs] quit

Step 3 Create a domain Huawei and apply the authentication scheme 1-h, the HWTACACSauthentication scheme, the HWTACACS accounting scheme, and the HWTACACS templateof ht to the domain.[Quidway-aaa] domain huawei[Quidway-aaa-domain-huawei] authentication-scheme l-h[Quidway-aaa-domain-huawei] authorization-scheme hwtacacs[Quidway-aaa-domain-huawei] accounting-scheme hwtacacs[Quidway-aaa-domain-huawei] hwtacacs-server ht[Quidway-aaa-domain-huawei] quit[Quidway-aaa] quit

Step 4 Verify the configuration.

Run the display hwtacacs-server template command on Switch B, and you can see that the configuration of the HWTACACS server template meets the requirements.

<Quidway> display hwtacacs-server template ht
---------------------------------------------------------------------------
HWTACACS-server template name : ht
Primary-authentication-server : 129.7.66.66:49:-
Primary-authorization-server : 129.7.66.66:49:-
Primary-accounting-server : 129.7.66.66:49:-
Secondary-authentication-server : 129.7.66.67:49:-
Secondary-authorization-server : 129.7.66.67:49:-
Secondary-accounting-server : 129.7.66.67:49:-
Current-authentication-server : 129.7.66.66:49:-
Current-authorization-server : 129.7.66.66:49:-
Current-accounting-server : 129.7.66.66:49:-
Source-IP-address : 0.0.0.0
Shared-key : ****************
Quiet-interval(min) : 5
Response-timeout-Interval(sec) : 5
Domain-included : Yes
Traffic-unit : B
---------------------------------------------------------------------------

Run the display domain command on Switch B, and you can see that the configuration of the domain meets the requirements.

<Quidway> display domain name huawei
Domain-name : huawei
Domain-state : Active
Authentication-scheme-name : l-h
Accounting-scheme-name : hwtacacs
Authorization-scheme-name : hwtacacs
Service-scheme-name : -
RADIUS-server-group : -
HWTACACS-server-template : ht

----End


Configuration Files

#
sysname Quidway
#
hwtacacs-server template ht
 hwtacacs-server authentication 129.7.66.66
 hwtacacs-server authentication 129.7.66.67 secondary
 hwtacacs-server authorization 129.7.66.66
 hwtacacs-server authorization 129.7.66.67 secondary
 hwtacacs-server accounting 129.7.66.66
 hwtacacs-server accounting 129.7.66.67 secondary
 hwtacacs-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
#
aaa
 authentication-scheme default
 authentication-scheme l-h
  authentication-mode hwtacacs local
  authentication-super hwtacacs super
 authorization-scheme default
 authorization-scheme hwtacacs
  authorization-mode hwtacacs
 accounting-scheme default
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
  accounting start-fail online
  accounting realtime 3
 domain default
 domain default_admin
 domain huawei
  authentication-scheme l-h
  accounting-scheme hwtacacs
  authorization-scheme hwtacacs
  hwtacacs-server ht
#
return


2 NAC Configuration

About This Chapter

This chapter describes the working principle and configuration of network access control (NAC).

Context

NOTE

S2300SI does not support NAC.

2.1 Introduction to NAC
This section describes the working principle of NAC.

2.2 NAC Features Supported by the S2300
This section describes the NAC features supported by the S2300.

2.3 Configuring 802.1x Authentication
This section describes how to configure the 802.1x authentication function.

2.4 Configuring MAC Address Authentication
This section describes how to configure the MAC address authentication function.

2.5 Maintaining NAC
This section describes how to clear statistics about NAC and debug NAC.

2.6 Configuration Examples
This section provides several configuration examples of NAC.


2.1 Introduction to NAC
This section describes the working principle of NAC.

Traditional network security technologies focus on the threat brought by external computers, rather than the threat brought by internal computers. In addition, the current network devices cannot prevent the attacks initiated by the internal devices on the network. Network Admission Control (NAC) is an architecture of secure access, with the end-to-end security concept. NAC considers the internal network security from the perspective of user terminals, rather than network devices.

Figure 2-1 Typical networking of NAC (diagram; labelled components: NAD, ACS, Switch, Remediation server, AAA server, Directory server, PVS & Audit server, User)

As shown in Figure 2-1, NAC, as a controlling scheme for network security access, includes the following parts:

- User: Access users who need to be authenticated. If 802.1x is adopted for user authentication, users need to install client software.

- NAD: Network access devices, including routers and switches (hereinafter referred to as the S2300), which are used to authenticate and authorize users. The NAD needs to work with the AAA server to prevent unauthorized terminals from accessing the network, minimize the threat brought by insecure terminals, prevent unauthorized access requests from authorized terminals, and thus protect core resources.

- ACS: Access control server that is used to check terminal security and health, manage policies and user behaviors, audit rule violations, strengthen behavior audit, and prevent malicious damages from terminals.

2.1.1 802.1x Authentication

2.1.2 MAC Address Authentication

2.1.3 MAC address bypass authentication

2.1.1 802.1x Authentication

The IEEE 802.1x standard (hereinafter referred to as 802.1x) is an interface-based network access control protocol. Interface-based network access control is used to authenticate and control access devices on an interface of a LAN access control device. User devices connected to the interface can access the resources on the LAN only after they pass the authentication.

802.1x focuses on the status of the access interface only. When an authorized user accesses the network by sending the user name and password, the interface is open. When an unauthorized user or no user accesses the network, the interface is closed. The authentication result is reflected by the status of the interface. The IP address negotiation and allocation that are considered in common authentication technologies are not involved. Therefore, 802.1x authentication is the simplest implementation scheme among the authentication technologies.

802.1x supports the authentication mode based on the access interface and the MAC address.

- Authentication mode based on the access interface: Other users can access network resources without authentication when the first user under the interface is successfully authenticated. But other users are disconnected when the first user goes offline.

- Authentication mode based on the MAC address: Access users under this interface need to be authenticated.

802.1x supports the following authentication modes:

- EAP termination mode: The network access device terminates EAP packets, obtains the user name and password from the packets, encrypts the password, and sends the user name and password to the RADIUS server for authentication.

- EAP transparent transmission authentication: Also called EAP relay authentication. The network access device directly encapsulates authentication information about 802.1x users and EAP packets into the attribute field of RADIUS packets and sends them to the RADIUS server. Therefore, the EAP packets do not need to be converted to the RADIUS packets before they are sent to the RADIUS server.

2.1.2 MAC Address Authentication

MAC address authentication is an authentication method that controls the network access authority of a user based on the interface and MAC address. No client software needs to be installed. The user name and password are the MAC address of the user device. After detecting the MAC address of a user for the first time, the device starts authenticating the user.

2.1.3 MAC address bypass authentication

MAC address bypass authentication: The S2300 triggers 802.1X authentication for a user. If the user does not respond within 30 seconds, the S2300 sends the MAC address of the user to the RADIUS server, and then the RADIUS server uses the MAC address as the user name and password to authenticate the user.

2.2 NAC Features Supported by the S2300
This section describes the NAC features supported by the S2300.

Functioning as the network access device (NAD), the S2300 supports the following NAC features:

- Interface-based 802.1x authentication

- MAC address-based 802.1x authentication

- EAPOL termination authentication

- EAPOL transparent transmission authentication

- MAC address authentication

- MAC address bypass authentication

- The S2300 automatically specifies the VLAN for users after users pass 802.1x authentication, MAC address authentication, or MAC address bypass authentication.

When passing 802.1x authentication, MAC address authentication, or MAC bypass authentication, the system delivers a VLAN to the user according to the VLAN information carried in response packets of the authentication server in either of the following modes:

– If the VLAN ID carried in response packets of the authentication server is an integer ranging from 1 to 4094, the system delivers the VLAN according to the VLAN ID.

– If the VLAN ID carried in response packets of the authentication server is not an integer ranging from 1 to 4094, the system delivers the VLAN according to the VLAN description.

- After users pass 802.1x authentication, MAC address authentication, or MAC address bypass authentication, the S2300 automatically delivers ACLs to users to allow user packets to pass through by default.

- Authorization ACL dynamically delivered by RADIUS server

If a RADIUS server is configured to deliver authorization ACL and RADIUS scheme is configured on the related interface of the S2300, then the S2300 controls user access permission according to the authorization ACL delivered by the RADIUS server. The network administrator can modify the access permission of a user by changing the authorization ACL configuration on the RADIUS server or the ACL rules on the S2300.
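The VLAN delivery rule above, modelled as an added Python example (not code from the guide or from Huawei): the VLAN table, function names and sample values are assumptions constructed for the example, and the check that the delivered VLAN is actually configured on the switch goes beyond what the guide states.

```python
# Added example, not code from the Huawei guide: a model of the VLAN
# delivery rule in section 2.2. The value carried in the authentication
# server's response is taken as a VLAN ID when it is an integer from 1 to
# 4094 and as a VLAN description otherwise. The VLAN table, the function
# names and the sample values below are constructed for this example.
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Vlan:
    vlan_id: int
    description: str


# Constructed sample of VLANs configured on the access switch.
CONFIGURED_VLANS: Sequence[Vlan] = (
    Vlan(10, "employees"),
    Vlan(20, "printers"),
    Vlan(30, "guest"),
)


def resolve_delivered_vlan(server_value: str,
                           vlans: Sequence[Vlan] = CONFIGURED_VLANS) -> Optional[int]:
    """Return the VLAN ID to deliver for the value in the server response.

    Rule from the guide: an integer in the range 1..4094 selects the VLAN
    by ID; any other value is matched against the VLAN description.
    As an extra check that the guide does not describe, a VLAN is only
    delivered when it is actually configured on the switch; None means
    nothing can be delivered, so the session must not silently land in
    the interface's default VLAN.
    """
    value = server_value.strip()
    if value.isdigit():
        vlan_id = int(value)
        if 1 <= vlan_id <= 4094:
            # Valid VLAN ID: deliver it only if that VLAN exists.
            return vlan_id if any(v.vlan_id == vlan_id for v in vlans) else None
        # "0" or "4095" are not VLAN IDs; per the guide such values fall
        # through to the description match (a VLAN could be described "4095").
    for v in vlans:
        if v.description == value:
            return v.vlan_id
    return None
```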

2.3 Configuring 802.1x Authentication
This section describes how to configure the 802.1x authentication function.

2.3.1 Establishing the Configuration Task

2.3.2 Enabling Global 802.1x Authentication

2.3.3 Enabling 802.1x Authentication on an Interface

2.3.4 (Optional) Enabling MAC Bypass Authentication

2.3.5 Setting the Authentication Method for the 802.1x User

2.3.6 (Optional) Configuring the Interface Access Mode

2.3.7 (Optional) Configuring the Authorization Status of an Interface

2.3.8 (Optional) Setting the Maximum Number of Concurrent Access Users

2.3.9 (Optional) Enabling DHCP Packets to Trigger Authentication

2.3.10 (Optional) Configuring 802.1x Timers

2.3.11 (Optional) Configuring the Quiet Timer Function

2.3.12 (Optional) Configuring 802.1x Re-authentication

2.3.13 (Optional) Configuring the Guest VLAN for 802.1x Authentication

2.3.14 (Optional) Enabling the S2300 to Send Handshake Packets to Online Users


2.3.15 (Optional) Setting the Retransmission Count of the Authentication Request

2.3.16 Checking the Configuration

2.3.1 Establishing the Configuration Task

Applicable Environment

You can configure 802.1x to implement port-based network access control, that is, to authenticate and control access devices on an interface of a LAN access control device.

Pre-configuration Tasks

802.1x authentication is only an implementation scheme to authenticate the user identity. To complete the user identity authentication, you need to select the RADIUS or local authentication method. Before configuring 802.1x authentication, complete the following tasks:

- Configuring the ISP authentication domain and AAA schemes, that is, RADIUS or local authentication schemes, for the 1x user

- Configuring the user name and password on the RADIUS server if RADIUS authentication is used

- Adding the user name and password manually on the S2300 if local authentication is used

Data Preparation

To configure 802.1x, you need the following data.

No.  Data

1    Number of the interface on which 802.1x authentication is enabled

2.3.2 Enabling Global 802.1x Authentication

Context

Before the configuration of 802.1x authentication, 802.1x needs to be globally enabled first.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dot1x enable

802.1x authentication is globally enabled.

Running this command is equivalent to enabling 802.1x authentication globally. Related configurations of 802.1x authentication take effect only after 802.1x authentication is enabled.


By default, 802.1x authentication is disabled.

----End

2.3.3 Enabling 802.1x Authentication on an Interface

Context

CAUTION

If 802.1x authentication is enabled on an interface, MAC address authentication cannot be enabled on the interface. If MAC address authentication is enabled on an interface, 802.1x authentication cannot be enabled on the interface.

You can enable 802.1x authentication on an interface in the following ways.

Procedure

- In the system view:

1. Run:
system-view

The system view is displayed.

2. Run:
dot1x enable interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

802.1x authentication is enabled on interfaces.

You can enable 802.1x authentication on interfaces in batches by specifying the interface list in the dot1x enable command in the system view.

- In the interface view:

1. Run:
system-view

The system view is displayed.

2. Run:
interface interface-type interface-number

The interface view is displayed.

3. Run:
dot1x enable

802.1x authentication is enabled on the interface.

If there are online users who log in through 802.1x authentication, disabling 802.1x authentication is prohibited.

----End

2.3.4 (Optional) Enabling MAC Bypass Authentication


Context

The 802.1x client software cannot be installed or used on some special terminals, such as printers. In this case, the MAC bypass authentication can be adopted.

If 802.1x authentication on the terminal fails, the access device sends the user name and password, namely, the MAC address of the terminal, to the RADIUS server for authentication. This process is MAC address bypass authentication.

You can configure MAC address bypass authentication in the following ways.

Procedure

- In the system view:

1. Run:
system-view

The system view is displayed.

2. Run:
dot1x mac-bypass interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

MAC bypass authentication is enabled on interfaces.

You can configure MAC address bypass authentication on interfaces in batches by specifying the interface list in the dot1x mac-bypass command in the system view.

- In the interface view:

1. Run:
system-view

The system view is displayed.

2. Run:
interface interface-type interface-number

The interface view is displayed.

3. Run:
dot1x mac-bypass

MAC address bypass authentication is enabled on the interface.

After you run the dot1x mac-bypass command, the commands of enabling 802.1x authentication on the interface are overwritten. The details are as follows:

– If 802.1x authentication is disabled on the interface, 802.1x authentication is enabled after you run the dot1x mac-bypass command.

– If 802.1x authentication has been enabled, the authentication mode is changed from 802.1x authentication to MAC address bypass authentication on the interface after you run the dot1x mac-bypass command.

To disable MAC address bypass authentication, run the undo dot1x enable command. Note that 802.1x functions are disabled.

----End

2.3.5 Setting the Authentication Method for the 802.1x User


Context

The authentication method for the 802.1x user can be set according to the actual networking environment and security requirement.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dot1x authentication-method { chap | eap | pap }

The authentication method is set for the 802.1x user.

By default, CHAP authentication is used for an 802.1x user. If you run the dot1x authentication-method command repeatedly, the latest configuration takes effect.

- The Password Authentication Protocol (PAP) uses the two-way handshake mechanism and sends the password in plain text.

- The Challenge Handshake Authentication Protocol (CHAP) uses the three-way handshake mechanism. It transmits only the user name but not the password on the network; therefore, compared with PAP authentication, CHAP authentication is more secure and reliable and protects user privacy better.

- In Extensible Authentication Protocol (EAP) authentication, the S2300 sends the authentication information of an 802.1x user to the RADIUS server through EAP packets without converting EAP packets into RADIUS packets. To use the PEAP, EAP-TLS, EAP-TTLS, or EAP-MD5 authentication, you only need to enable the EAP authentication.

PAP authentication and CHAP authentication are two kinds of termination authentication methods and EAP authentication is a kind of relay authentication method.

CAUTION

Only if RADIUS authentication is adopted, you can use the EAP authentication for 802.1x users.

----End

2.3.6 (Optional) Configuring the Interface Access Mode

Context

The 802.1x protocol can work in the following modes:

- Interface mode: If the MAC address of a device connected to an interface passes authentication, all the MAC addresses of other devices connected to the interface can access the network without authentication.

- MAC mode: The MAC address of each device connected to the interface must pass authentication to access the network.

You can configure the access mode of an interface in the following ways.


Procedure

- In the system view:

1. Run:
system-view

The system view is displayed.

2. Run:
dot1x port-method { mac | port } interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

The access mode of interfaces is configured.

You can configure the access mode of interfaces in batches by specifying the interface list in the dot1x port-method command in the system view.

- In the interface view:

1. Run:
system-view

The system view is displayed.

2. Run:
interface interface-type interface-number

The interface view is displayed.

3. Run:
dot1x port-method { mac | port }

The access mode of the interface is configured.

By default, the access mode of an interface is MAC mode.

CAUTION

When 802.1x users are online, you cannot use this command to change the access mode of an interface.

----End

2.3.7 (Optional) Configuring the Authorization Status of an Interface

Context

Do as follows to authorize users and control their access scope after users pass authentication.

You can configure the authorization status of an interface in the following ways.

Procedure

- In the system view:

1. Run:
system-view

The system view is displayed.

2. Run:
dot1x port-control { auto | authorized-force | unauthorized-force } interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

The authorization status of interfaces is set.

You can configure the authorization status of interfaces in batches by specifying the interface list in the dot1x port-control command in the system view.

- In the interface view:

1. Run:
system-view

The system view is displayed.

2. Run:
interface interface-type interface-number

The interface view is displayed.

3. Run:
dot1x port-control { auto | authorized-force | unauthorized-force }

The authorization status of the interface is configured.

By default, the authorization status of an interface is auto.

– auto: An interface is initially in unauthorized state and sends and receives only EAPoL packets. Therefore, users cannot access network resources. If a user passes the authentication, the interface is in authorized state and allows users to access network resources.

– authorized-force: An interface is always in authorized state and allows users to access network resources without authentication.

– unauthorized-force: An interface is always in unauthorized state and does not allow users to access network resources.

----End

2.3.8 (Optional) Setting the Maximum Number of Concurrent Access Users

Context

When the number of access users on interfaces reaches the maximum value, the S2300 does not trigger authentication for subsequent access users. These subsequent access users thus cannot access the network.

You can set the maximum number of access users on interfaces in the following ways.

Procedure

- In the system view:

1. Run:
system-view

The system view is displayed.

2. Run:
dot1x max-user user-number interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

The maximum number of concurrent access users is set on the interfaces.

You can set the maximum number of concurrent access users on interfaces in batches by specifying the interface list in the dot1x max-user command in the system view.

- In the interface view:

1. Run:
system-view

The system view is displayed.

2. Run:
interface interface-type interface-number

The interface view is displayed.

3. Run:
dot1x max-user user-number

The maximum number of concurrent access users is set on the interface.

By default, each interface allows up to 8 concurrent access users.

This command only takes effect for the interface where users are authenticated based on MAC addresses. If users are authenticated based on the interface, the maximum number of access users is automatically set to 1. Therefore, only one user needs to be authenticated successfully on the interface, and other users can access the network after the first user passes authentication.

NOTE

When users are online on the S2300, you can use this command. The command is invalid for existing online users, but takes effect for users who undergo authentication after the command is run.

The maximum number of NAC users allowed by the S2300 is 8.

----End

2.3.9 (Optional) Enabling DHCP Packets to Trigger Authentication

Context

After DHCP packets are enabled to trigger authentication, 802.1x allows the S2300 to trigger the user identity authentication when the access user runs DHCP to apply for the IP address. In this case, an 802.1x user is authenticated without dial-up by using the client software. This speeds up network deployment.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dot1x dhcp-trigger

Dynamic Host Configuration Protocol (DHCP) packets are enabled to trigger user authentication.

By default, DHCP packets do not trigger authentication.

After you run the dot1x dhcp-trigger command, users cannot obtain IP addresses through DHCP if they do not pass the authentication.

----End

2.3.10 (Optional) Configuring 802.1x Timers

Context

When enabled, 802.1x starts many timers to ensure the reasonable and ordered exchanges between supplicants, the authenticator, and the authentication server.

To adjust the exchange process, you can run some commands to change the values of some timers, but some timers cannot be adjusted. Adjusting them may be necessary in certain cases or in a poor networking environment. Normally, it is recommended that you retain the default settings of the timers.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dot1x timer { client-timeout client-timeout-value | handshake-period handshake-period-value | quiet-period quiet-period-value | reauthenticate-period reauthenticate-period-value | server-timeout server-timeout-value | tx-period tx-period-value }

The timers of 802.1x authentication are set.

- client-timeout: Authentication timeout timer of the client. By default, the timeout timer is 30s.

- handshake-period: Interval of handshake packets from the S2300 to the 802.1X client. By default, the handshake interval is 15s.

- quiet-period: Period of the quiet timer. By default, the quiet timer is 60s.

- reauthenticate-period: Re-authentication interval. By default, the re-authentication interval is 3600s.

- server-timeout: Timeout timer of the authentication server. By default, the timeout timer of the authentication server is 30s.

- tx-period: Interval for sending authentication requests. By default, the interval for sending the authentication request packets is 30s.


The dot1x timer command only sets the values of the timers, and you need to enable the corresponding timers by running commands or adopting the default settings.

----End

2.3.11 (Optional) Configuring the Quiet Timer Function

Context

If a user fails to pass 802.1x authentication after the quiet timer function is enabled, the S2300 considers the user as quiet for a period and does not process authentication requests from the user in this period. In this manner, the impact caused by frequent authentication is prevented.

In the case that the quiet timer function is enabled, to prevent the 802.1x user from entering the silent state after the first authentication failure, you can set the number of authentication failures before the 802.1x user enters the silent state to be greater than 1 on the S2300.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dot1x quiet-period

The quiet timer function is enabled.

By default, the quiet timer function is disabled.

During the quiet period, the S2300 discards the 802.1x authentication request packets from the user. You can run the dot1x timer command to set the quiet period. For details, see 2.3.10 (Optional) Configuring 802.1x Timers.

Step 3 Run:
dot1x quiet-times fail-times

The number of authentication failures within 60 seconds before the 802.1x user enters the silent state is set.

By default, the number of authentication failures within 60 seconds before the 802.1x user enters the silent state is 3.

----End
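The quiet timer behaviour described in this section, modelled as an added Python example (not code from the guide or from Huawei): class and method names are assumptions, the user key stands for the client's MAC address, and the defaults mirror the guide's quiet-period of 60 s and quiet-times of 3 counted within a 60-second window.

```python
# Added example, not code from the Huawei guide: a model of the 802.1x
# quiet timer in section 2.3.11. A user that fails authentication
# `quiet_times` times within a 60-second window enters the silent state
# for `quiet_period` seconds; authentication requests from a silent user
# are discarded. Names are constructed; users are keyed by MAC address.
from collections import defaultdict, deque
from typing import Deque, Dict

FAILURE_WINDOW_S = 60.0  # the guide counts failures "within 60 seconds"


class QuietTimer:
    def __init__(self, quiet_period: float = 60.0, quiet_times: int = 3):
        self.quiet_period = quiet_period        # dot1x timer quiet-period
        self.quiet_times = quiet_times          # dot1x quiet-times
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._quiet_until: Dict[str, float] = {}

    def is_quiet(self, user: str, now: float) -> bool:
        """True while the user's quiet period is still running."""
        return now < self._quiet_until.get(user, float("-inf"))

    def accept_request(self, user: str, now: float) -> bool:
        """Decide whether an authentication request is processed.

        Requests from a quiet user are discarded (False). Once the quiet
        period has expired, the failure count starts afresh.
        """
        if self.is_quiet(user, now):
            return False
        if user in self._quiet_until:
            del self._quiet_until[user]
            self._failures[user].clear()
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed authentication at time `now` (seconds).

        Returns True when this failure pushes the user into the silent
        state, i.e. `quiet_times` failures fell within the 60 s window.
        """
        window = self._failures[user]
        window.append(now)
        # Drop failures older than the window so that slow, spread-out
        # failures never accumulate to the threshold.
        while window and now - window[0] > FAILURE_WINDOW_S:
            window.popleft()
        if len(window) >= self.quiet_times:
            self._quiet_until[user] = now + self.quiet_period
            window.clear()
            return True
        return False
```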

2.3.12 (Optional) Configuring 802.1x Re-authentication

Context

The S2300 re-authenticates users who pass 802.1x authentication after a period of time to ensure the validity of users.

You can configure 802.1x re-authentication in the following ways.


Procedure

- In the system view:

1. Run:
system-view

The system view is displayed.

2. Run:
dot1x reauthenticate interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

Re-authentication is enabled on interfaces.

You can configure 802.1x re-authentication on interfaces in batches by specifying the interface list in the dot1x reauthenticate command in the system view.

- In the interface view:

1. Run:
system-view

The system view is displayed.

2. Run:
interface interface-type interface-number

The interface view is displayed.

3. Run:
dot1x reauthenticate

Re-authentication is enabled on the interface.

By default, 802.1x re-authentication is disabled on an interface.

You can run the dot1x timer command to set the timeout interval of re-authentication. For details, see 2.3.10 (Optional) Configuring 802.1x Timers.

----End

2.3.13 (Optional) Configuring the Guest VLAN for 802.1x Authentication

Context

When the user access mode is mac and guest VLAN is enabled, the S2300 broadcasts authentication request packets to all the 802.1x-enabled interfaces. If an interface does not respond when the maximum number of re-authentications is reached, the S2300 adds this interface to the guest VLAN. Users in the guest VLAN can access resources in the guest VLAN without authentication, but must be authenticated when they access external resources. The users who fail to pass authentication are still allowed to access resources within the specified range.

When the user access mode is port and the interface access control mode is auto, the S2300 adds the interface to the guest VLAN if 802.1x has been enabled in the system view and the interface view. The users connected to this interface are allowed to access resources in the guest VLAN without authentication.

NOTE

The configured guest VLAN cannot be the default VLAN of the interface.


You can configure the guest VLAN in the following ways.

Procedure

- In the system view:

1. Run:
system-view

The system view is displayed.

2. Run:
dot1x guest-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

The guest VLAN is configured on interfaces.

You can configure the guest VLAN on interfaces in batches by specifying the interface list in the dot1x guest-vlan command in the system view.

- In the interface view:

1. Run:
system-view

The system view is displayed.

2. Run:
interface interface-type interface-number

The interface view is displayed.

3. Run:
dot1x guest-vlan vlan-id

The guest VLAN is configured on the interface.

By default, no guest VLAN is configured on an interface.

----End

2.3.14 (Optional) Enabling the S2300 to Send Handshake Packets toOnline Users

Context
The S2300 can send handshake packets to a Huawei client to detect whether the user is online.

If the client does not support the handshake function, the S2300 will not receive handshake response packets within the handshake interval. In this case, you need to disable the user handshake function to prevent the S2300 from disconnecting users by mistake.

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:


dot1x handshake

The handshake with 802.1x users is enabled.

By default, the S2300 does not send handshake packets to online users.

You can run the dot1x timer command to set the handshake interval. For details, see 2.3.10 (Optional) Configuring 802.1x Timers.

Step 3 (Optional) Run:
dot1x handshake packet-type { request-identity | srp-sha1-part2 }
The type of 802.1x authentication handshake packets is set.

By default, the type of 802.1x authentication handshake packets is request-identity.

----End

2.3.15 (Optional) Setting the Retransmission Count of the Authentication Request

Context

If the S2300 does not receive a response after sending an authentication request to a user, the S2300 retransmits the authentication request to the user. If no response is received after the authentication request has been sent the maximum number of times, the S2300 stops retransmitting the authentication request to the user.

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
dot1x retry max-retry-value
The retransmission count of the authentication request is set.

By default, the S2300 retransmits an authentication request to an access user twice.

----End

2.3.16 Checking the Configuration

Prerequisite
The configurations of 802.1x authentication are complete.

Procedure
- Run the display dot1x [ statistics ] [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to check the configuration of 802.1x authentication.


- Run the display mac-address { authen | guest } [ vlan vlan-id ] command to check the configuration of 802.1x authentication and MAC address authentication, or information about the MAC addresses added to the guest VLAN.

----End

Example
View information about 802.1x authentication on GE 0/0/1.

<Quidway> display dot1x interface gigabitethernet 0/0/1
 GigabitEthernet0/0/1 status: UP 802.1x protocol is Enabled[mac-bypass]
  Port control type is Auto
  Authentication method is MAC-based
  Reauthentication is disabled
  Maximum users: 8
  Current users: 2
  Authentication Success: 1  Failure: 11
  EAPOL Packets: TX : 24  RX : 4
  Sent EAPOL Request/Identity Packets : 11
  EAPOL Request/Challenge Packets : 1
  Multicast Trigger Packets : 0
  DHCP Trigger Packets : 0
  EAPOL Success Packets : 1
  EAPOL Failure Packets : 11
  Received EAPOL Start Packets : 2
  EAPOL LogOff Packets : 0
  EAPOL Response/Identity Packets : 1
  EAPOL Response/Challenge Packets: 1

View information about the MAC addresses used in 802.1x authentication or MAC address authentication.

<Quidway> display mac-address authen
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address    VLAN/   PEVLAN  CEVLAN  Port     Type    LSP/LSR-ID
               VSI/SI                                   MAC-Tunnel
-------------------------------------------------------------------------------
0000-0000-0100 3000    -       -       GE0/0/1  authen  -
0000-0000-0200 3000    -       -       GE0/0/1  authen  -
0000-0000-0600 3000    -       -       GE0/0/1  authen  -
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 64

View information about the MAC address added to the guest VLAN.

<Quidway> display mac-address guest
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address    VLAN/   PEVLAN  CEVLAN  Port     Type    LSP/LSR-ID
               VSI/SI                                   MAC-Tunnel
-------------------------------------------------------------------------------
0000-0000-0404 3010    -       -       GE0/0/1  guest   -
0000-0000-0407 3010    -       -       GE0/0/1  guest   -
0000-0000-0410 3010    -       -       GE0/0/1  guest   -
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 67
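The two display outputs above can be checked by script rather than by eye. The following Python is an added example and not part of the Huawei guide: it parses the page's display dot1x interface and display mac-address guest output (re-typed with one field per line, which is an assumed layout) and reports interfaces with more authentication failures than successes, interfaces at their user limit, and MAC addresses parked in the guest VLAN.

```python
"""Audit 802.1x state from the S2300 'display' output shown in 2.3.16.

Added example, not part of the Huawei guide. The sample text below is the
page's own output re-typed one field per line (a real session may place the
fields differently), so the parsers match 'label : value' pairs and MAC-table
rows rather than fixed columns.
"""
import re
from collections import Counter

# Constructed from the page's 'display dot1x interface gigabitethernet 0/0/1'.
DOT1X_OUTPUT = """\
 GigabitEthernet0/0/1 status: UP 802.1x protocol is Enabled[mac-bypass]
  Port control type is Auto
  Authentication method is MAC-based
  Reauthentication is disabled
  Maximum users: 8
  Current users: 2
  Authentication Success: 1  Failure: 11
  EAPOL Packets: TX : 24  RX : 4
  Sent EAPOL Request/Identity Packets : 11
  EAPOL Request/Challenge Packets : 1
  Multicast Trigger Packets : 0
  DHCP Trigger Packets : 0
  EAPOL Success Packets : 1
  EAPOL Failure Packets : 11
  Received EAPOL Start Packets : 2
  EAPOL LogOff Packets : 0
  EAPOL Response/Identity Packets : 1
  EAPOL Response/Challenge Packets: 1
"""

# Constructed from the page's 'display mac-address guest'.
GUEST_OUTPUT = """\
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address    VLAN/   PEVLAN  CEVLAN  Port     Type    LSP/LSR-ID
               VSI/SI                                   MAC-Tunnel
-------------------------------------------------------------------------------
0000-0000-0404 3010    -       -       GE0/0/1  guest   -
0000-0000-0407 3010    -       -       GE0/0/1  guest   -
0000-0000-0410 3010    -       -       GE0/0/1  guest   -
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 67
"""

HEADER_RE = re.compile(r"^\s*(\S+) status: (\S+) 802\.1x protocol is (\w+)")
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z/ ]*?)\s*:\s*(\d+)\b")
MAC_ROW_RE = re.compile(
    r"^\s*([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\d+)\s+\S+\s+\S+\s+(\S+)\s+(\w+)",
    re.IGNORECASE)


def parse_dot1x(text):
    """Return interface, link status, protocol state and the numeric counters."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    head = HEADER_RE.match(lines[0])
    if head is None:
        raise ValueError("unrecognised display dot1x header: %r" % lines[0])
    counters = {}
    for line in lines[1:]:
        # Every 'label : number' pair on the line becomes one counter.
        for label, value in COUNTER_RE.findall(line):
            counters[label.strip()] = int(value)
    return {"interface": head.group(1), "status": head.group(2),
            "protocol": head.group(3), "counters": counters}


def parse_mac_table(text):
    """Return (mac, vlan, port, type) for every entry row of display mac-address."""
    rows = []
    for line in text.splitlines():
        m = MAC_ROW_RE.match(line)
        if m:
            rows.append((m.group(1).lower(), int(m.group(2)), m.group(3), m.group(4)))
    return rows


def audit(dot1x_text, mac_text):
    """Turn both outputs into a list of findings an operator would act on."""
    info = parse_dot1x(dot1x_text)
    c = info["counters"]
    findings = []
    if c.get("Failure", 0) > c.get("Authentication Success", 0):
        findings.append("%s: %d authentication failures vs %d successes"
                        % (info["interface"], c.get("Failure", 0),
                           c.get("Authentication Success", 0)))
    if c.get("Current users", 0) >= c.get("Maximum users", 1):
        findings.append("%s: user limit reached (%d/%d)"
                        % (info["interface"], c.get("Current users", 0),
                           c.get("Maximum users", 0)))
    # MAC addresses sitting in the guest VLAN never completed authentication.
    guests = Counter(port for _, _, port, kind in parse_mac_table(mac_text) if kind == "guest")
    for port, n in sorted(guests.items()):
        findings.append("%s: %d MAC address(es) parked in the guest VLAN" % (port, n))
    return findings
```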

2.4 Configuring MAC Address Authentication
This section describes how to configure the MAC address authentication function.


2.4.1 Establishing the Configuration Task

2.4.2 Enabling Global MAC Address Authentication

2.4.3 Enabling MAC Address Authentication on an Interface

2.4.4 Configuring a User Name for MAC Address Authentication
A fixed user name or a MAC address can be used for MAC address authentication.

2.4.5 (Optional) Configuring the Domain for MAC Address Authentication

2.4.6 (Optional) Setting the Timers of MAC Address Authentication

2.4.7 (Optional) Configuring the Guest VLAN for MAC Address Authentication

2.4.8 (Optional) Setting the Maximum Number of Access Users Who Adopt MAC Address Authentication

2.4.9 (Optional) Re-Authenticating a User with the Specified MAC Address

2.4.10 Checking the Configuration

2.4.1 Establishing the Configuration Task

Applicable Environment
MAC address authentication can be configured to authenticate terminals on which client software cannot be installed, such as faxes and printers.

Pre-configuration Tasks
MAC address authentication is only one scheme for authenticating the user identity. To complete user identity authentication, you also need to select the RADIUS or local authentication method. Before configuring MAC address authentication, complete the following tasks:
- Configuring the ISP authentication domain and AAA schemes, that is, RADIUS or local authentication schemes, for the 802.1x user
- Configuring the user name and password on the RADIUS server if RADIUS authentication is used
- Adding the user name and password manually on the S2300 if local authentication is used

Data Preparation
To configure MAC address authentication, you need the following data.

No.  Data
1    Number of the interface on which MAC address authentication is enabled

2.4.2 Enabling Global MAC Address Authentication


Context
Before configuring MAC address authentication, enable MAC address authentication globally.

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
mac-authen

MAC address authentication is enabled globally.

This command enables MAC address authentication globally. The other MAC address authentication settings take effect only after MAC address authentication is enabled globally.

By default, MAC address authentication is disabled globally.

----End

2.4.3 Enabling MAC Address Authentication on an Interface

Context

CAUTION
MAC address authentication and 802.1x authentication are mutually exclusive on an interface: if one of them is enabled on an interface, the other cannot be enabled on that interface.

You can enable MAC address authentication on an interface in the following ways.

Procedure
- In the system view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     mac-authen interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     MAC address authentication is enabled on the interfaces.
     MAC address authentication cannot be disabled while users who logged in through MAC address authentication are online.


- In the interface view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     mac-authen
     MAC address authentication is enabled on the interface.
     Ensure that no user is online before disabling MAC address authentication with the undo mac-authen command.

----End

2.4.4 Configuring a User Name for MAC Address Authentication
A fixed user name or a MAC address can be used for MAC address authentication.

Context

When a fixed user name is used for MAC address authentication, setting a password is optional. When the MAC address is used as the user name for MAC address authentication, the MAC address is also used as the authentication password.

Procedure
- Setting the user name format in the system view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     mac-authen username { fixed username [ password { cipher | simple } password ] | macaddress [ format { with-hyphen | without-hyphen } ] }
     The user name format is set for MAC address authentication.
     A MAC address used as the user name can take two formats: with hyphens (such as 0010-8300-0011) or without hyphens (such as 001083000011). By default, the MAC address without hyphens is used as the user name for MAC address authentication.

----End

2.4.5 (Optional) Configuring the Domain for MAC Address Authentication


Context
If a user is authenticated by MAC address, or by a fixed user name that does not contain a domain name, the default authentication domain is used when no authentication domain is configured. If the fixed user name contains a domain name, that domain is used for the user.

NOTE

Before configuring the authentication domain for users who use MAC address authentication, confirm that the domain exists. Otherwise, the system displays an error message during the configuration.

Procedure
- In the system view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     mac-authen domain isp-name [ mac-address mac-address mask mask ]
     A domain name is configured for users who use MAC address authentication.

----End

2.4.6 (Optional) Setting the Timers of MAC Address Authentication

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
mac-authen timer { guest-vlan reauthenticate-period interval | offline-detect offline-detect-value | quiet-period quiet-value | reauthenticate-period interval | server-timeout server-timeout-value }
The timers for MAC address authentication are set.

- guest-vlan reauthenticate-period: interval for re-authenticating users in a guest VLAN. By default, the re-authentication interval is 60s.
- offline-detect: offline-detect timer, the interval at which the S2300 checks whether a user has gone offline. By default, the offline-detect timer is 300s.
- quiet-period: quiet timer. After a user fails authentication, the S2300 waits for this period before processing further authentication requests from the user; during the quiet period, authentication requests from the user are not processed. By default, the quiet timer is 60s.
- server-timeout: server timeout timer. If the connection between the S2300 and the RADIUS server times out during authentication, the authentication fails. By default, the server timeout is 30s.

----End


2.4.7 (Optional) Configuring the Guest VLAN for MAC Address Authentication

Context

If MAC address authentication fails after the guest VLAN function is enabled, the S2300 adds the user to the guest VLAN. Users in the guest VLAN can then access resources in the guest VLAN without MAC address authentication. Authentication, however, is required when such users access external resources. Thus certain resources are available to users without authentication.

NOTE

The VLAN to be configured as the guest VLAN must exist in the system and cannot be the default VLAN of the interface.

You can configure the guest VLAN in the following ways.

Procedure
- In the system view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     mac-authen guest-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     The guest VLAN of the interfaces is configured.
     You can configure the guest VLAN of interfaces in batches by specifying the interface list in the mac-authen guest-vlan command in the system view.

- In the interface view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     mac-authen guest-vlan vlan-id
     The guest VLAN of the interface is configured.

By default, no guest VLAN is configured on an interface.

----End

2.4.8 (Optional) Setting the Maximum Number of Access Users Who Adopt MAC Address Authentication


Context
When the number of access users on an interface reaches the limit, the S2300 does not trigger authentication for users who connect to the interface later; therefore, these users cannot access the network.

You can configure the maximum number of access users who adopt MAC address authentication in the following ways.

Procedure
- In the system view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     mac-authen max-user user-number interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     The maximum number of access users who adopt MAC address authentication is set on the interfaces.
     You can configure the maximum number of access users of interfaces in batches by specifying the interface list in the mac-authen max-user command in the system view.

- In the interface view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     mac-authen max-user user-number
     The maximum number of access users who adopt MAC address authentication on the interface is set.

By default, the maximum number of access users who adopt MAC address authentication on an interface of the S2300 is 8.

The maximum number of NAC access users is 128.

----End

2.4.9 (Optional) Re-Authenticating a User with the Specified MAC Address

Context
The system can re-authenticate a user who has passed MAC address authentication. If the user passes re-authentication, the user needs to be re-authorized; otherwise, the user goes offline.


Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
mac-authen reauthenticate mac-address mac-address
The specified user who has passed MAC address authentication is re-authenticated.
If the user has not passed MAC address authentication, the user is not re-authenticated.

Step 3 Run:
mac-authen reauthenticate interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
MAC address re-authentication is enabled on the specified interfaces.

Step 4 Run:
interface interface-type interface-number
The interface view is displayed.

Step 5 Run:
mac-authen reauthenticate
MAC address re-authentication is enabled on the interface.

----End

2.4.10 Checking the Configuration

Prerequisite
The configurations of MAC address authentication are complete.

Procedure
- Run the display mac-authen [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to view the configuration of MAC address authentication.
- Run the display mac-address { authen | guest } [ vlan vlan-id ] command to check the configuration of 802.1x authentication and MAC address authentication, or information about the MAC addresses added to the guest VLAN.

----End

2.5 Maintaining NAC
This section describes how to clear statistics about NAC and debug NAC.

2.5.1 Clearing the Statistics About 802.1x Authentication

2.5.2 Clearing Statistics About MAC Address Authentication


2.5.1 Clearing the Statistics About 802.1x Authentication

Context

CAUTION
Statistics cannot be restored after being cleared. Therefore, confirm the action before you run the following command.

After confirming that the statistics are to be reset, run the following command in the user view.

Procedure
- Run the reset dot1x statistics [ interface { interface-type interface-number1 [ to interface-number2 ] } ] command to clear the statistics about 802.1x authentication.

----End

2.5.2 Clearing Statistics About MAC Address Authentication

Context

CAUTION
Statistics cannot be restored after being cleared. Therefore, confirm the action before you run the following command.

After confirming that the statistics are to be reset, run the following command in the user view.

Procedure
- Run the reset mac-authen statistics [ interface { interface-type interface-number1 [ to interface-number2 ] } ] command to clear the statistics about MAC address authentication.

----End

2.6 Configuration Examples
This section provides several configuration examples of NAC.

2.6.1 Example for Configuring the RADIUS Server to Deliver Authorization ACL

2.6.1 Example for Configuring the RADIUS Server to Deliver Authorization ACL


Networking Requirements
As shown in Figure 2-2, the PC accesses the network using 802.1x authentication. The authentication server is a RADIUS server. An HTTP server is located on the Internet. After the user goes online, the RADIUS server is required to deliver an ACL so that the user is allowed to connect to the Internet but cannot access the HTTP server.

Figure 2-2 Networking diagram for configuring 802.1x authentication
[Figure: PC, Switch, RADIUS server (100.1.1.1) and HTTP server (101.0.0.2) on the Internet; addresses shown in the figure: 192.168.1.10, 192.168.1.1/24, 192.168.1.2/24, 100.1.1.1, 100.1.1.2, 101.0.0.2]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure the RADIUS authentication server to deliver the authorization ACL.
2. Configure a RADIUS server template.
3. Configure an AAA authentication scheme.
4. Configure a domain.
5. Configure an ACL, which is the same as the ACL on the RADIUS server, on the Switch and configure the ACL rules.
6. Configure 802.1x authentication.

Data Preparation
To complete the configuration, you need the following data:
- IP address of the RADIUS authentication server: 100.1.1.1; authentication port number: 1812
- RADIUS server template: rd1
- Shared key of the RADIUS server: hello
- AAA authentication scheme: web1
- Domain: isp1
- ACL number: 3000

NOTE
In this example, only the configuration of the Switch is provided; the configuration of the RADIUS server is not described here.


Procedure

Step 1 Configure a RADIUS server template.

# Configure a RADIUS server template rd1.

[Quidway] radius-server template rd1

# Configure the IP address and port number of the primary RADIUS authentication server.

[Quidway-radius-rd1] radius-server authentication 100.1.1.1 1812

# Configure the shared key of the RADIUS server.

[Quidway-radius-rd1] radius-server shared-key cipher hello
[Quidway-radius-rd1] quit

Step 2 Create an authentication scheme web1 and set the authentication method to RADIUS authentication.
[Quidway] aaa
[Quidway-aaa] authentication-scheme web1
[Quidway-aaa-authen-1] authentication-mode radius
[Quidway-aaa-authen-1] quit

Step 3 Create a domain isp1 and bind the authentication scheme and RADIUS server template to the domain.
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme web1
[Quidway-aaa-domain-isp1] accounting-scheme web1
[Quidway-aaa-domain-isp1] radius-server rd1
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit

Step 4 Configure ACL 3000 to reject packets with the destination address 101.0.0.2.
[Quidway] acl 3000
[Quidway-acl-adv-3000] rule 0 deny ip destination 101.0.0.2 0
[Quidway-acl-adv-3000] quit

Step 5 Configure the 802.1x authentication.

# Enable the 802.1x authentication globally.

[Quidway] dot1x enable

Step 6 Verify the configuration.
After the user goes online successfully, ping the HTTP server from the PC to check whether ACL 3000 takes effect.
[Quidway] ping 101.0.0.2
  PING 101.0.0.2: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 10.0.0.1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

----End

Configuration Files

#


 sysname Quidway
#
 dot1x enable
#
radius-server template rd1
 radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 radius-server authentication 10.1.1.1 1812
 radius-server accounting 100.1.1.2 1813
#
acl number 3000
 rule 0 deny ip destination 101.0.0.2 0
#
aaa
 authentication-scheme web1
  authentication-mode radius
 domain isp1
  authentication-scheme web1
  accounting-scheme web1
  radius-server rd1
#
return


3 DHCP Snooping Configuration

About This Chapter

This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP) snooping on the S2300 to defend against DHCP attacks.

Context
NOTE
S2300SI does not support DHCP snooping.

3.1 Introduction to DHCP Snooping
This section describes the principle of DHCP snooping.

3.2 DHCP Snooping Features Supported by the S2300
This section describes the DHCP snooping features supported by the S2300.

3.3 Preventing the Bogus DHCP Server Attack
To prevent the attack from a bogus DHCP server, use the trusted/untrusted working mode of DHCP snooping.

3.4 Preventing the DoS Attack by Changing the CHADDR Field
This section describes how to prevent attackers from attacking the DHCP server by modifying the CHADDR field.

3.5 Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases
This section describes how to prevent attackers from attacking the DHCP server by forging DHCP messages that extend IP address leases.

3.6 Setting the Maximum Number of DHCP Snooping Users
This section describes how to set the maximum number of DHCP snooping users, which prevents an attacker who applies for IP addresses continuously from denying authorized users access to the network.

3.7 Limiting the Rate of Sending DHCP Messages
This section describes how to prevent attackers from sending a large number of DHCP Request messages to attack the S2300.

3.8 Configuring the Packet Discarding Alarm Function


An alarm is generated when the number of discarded packets exceeds the threshold.

3.9 Maintaining DHCP Snooping
This section describes how to maintain DHCP snooping.

3.10 Configuration Examples
This section provides several configuration examples of DHCP snooping.


3.1 Introduction to DHCP Snooping
This section describes the principle of DHCP snooping.

DHCP snooping intercepts and analyzes DHCP messages transmitted between DHCP clients and a DHCP server. In this manner, DHCP snooping creates and maintains a DHCP snooping binding table, and filters untrusted DHCP messages according to the table. The binding table contains the MAC address, IP address, lease, binding type, VLAN ID, and interface information.

DHCP snooping ensures that authorized users can access the network by recording the mapping between IP addresses and MAC addresses of clients. In this manner, DHCP snooping acts as a firewall between DHCP clients and a DHCP server.

DHCP snooping prevents attacks including DHCP Denial of Service (DoS) attacks, bogus DHCP server attacks, and bogus DHCP messages for extending IP address leases.

NOTE

In this manual, DHCP snooping includes DHCPv4 snooping and DHCPv6 snooping.

3.2 DHCP Snooping Features Supported by the S2300
This section describes the DHCP snooping features supported by the S2300.

The S2300 supports security features such as the trusted interface, the DHCP snooping binding table, the binding of IP address, MAC address, interface, and VLAN ID, and Option 82. In this manner, the security of the device enabled with DHCP is ensured.

Applying DHCP Snooping on the S2300 on a Layer 2 Network
When deployed on a Layer 2 network, the S2300 is located between the DHCP relay and the Layer 2 user network. Figure 3-1 shows the DHCP snooping application on the S2300 where DHCP snooping is enabled.


Figure 3-1 Networking diagram for applying DHCP snooping on the S2300 on a Layer 2 network
[Figure: user network (L2 network) connected to the Switch through untrusted interfaces; the Switch's trusted interface connects to the DHCP relay, behind which the L3 network and the DHCP server are located]

DHCPv6 Snooping

The S2300 supports DHCPv6 snooping. That is, after DHCP snooping is enabled, binding entries are also created for users using IPv6 addresses. A DHCPv6 snooping binding entry consists of the IPv6 address, MAC address, interface number, and VLAN ID of a user.

Type of Attacks Defended Against by DHCP Snooping

DHCP snooping provides different operation modes according to the type of attack, as shown in Table 3-1.

Table 3-1 Matching table between type of attacks and DHCP snooping operation modes

Type of Attacks                                               DHCP Snooping Operation Mode
Bogus DHCP server attack                                      Setting an interface to trusted or untrusted
DoS attack by changing the value of the CHADDR field          Checking the CHADDR field in DHCP messages
Attack by sending bogus messages to extend IP address leases  Checking whether DHCP Request messages match entries in the DHCP snooping binding table
DHCP flooding attack                                          Limiting the rate of sending DHCP messages
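The four rows of Table 3-1 correspond to four decisions the switch makes for each DHCP message. The following Python is an added model of those decisions and not Huawei code: server replies arriving on untrusted interfaces, CHADDR values that differ from the frame's source MAC, lease operations with no matching binding-table entry, and per-interface rate overruns are discarded, and the binding table is learned from ACKs seen on the trusted interface. Interface names, addresses, the rate limit and the traffic in demo() are constructed sample values.

```python
"""Model of the four DHCP snooping checks listed in Table 3-1.

Added example, not Huawei code: a Python model of how a snooping switch decides
whether to forward or discard a DHCP message and how it learns its binding table.
Field names follow RFC 2131 (chaddr, yiaddr, ciaddr, message types); interface
names, VLANs, MAC addresses, the rate limit and the traffic in demo() are
constructed sample values, not S2300 defaults.
"""
from collections import deque, namedtuple

REPLY_TYPES = {"OFFER", "ACK", "NAK"}  # server-to-client ("DHCP Reply") messages
Frame = namedtuple("Frame", "iface vlan src_mac chaddr msg_type yiaddr ciaddr lease time")
Binding = namedtuple("Binding", "mac ip lease vlan iface")


def refers_to_existing_lease(frame):
    """RELEASE, DECLINE and a renewing REQUEST (ciaddr set) name a lease the
    client claims to hold already, so they must match the binding table."""
    return frame.msg_type in ("RELEASE", "DECLINE") or (
        frame.msg_type == "REQUEST" and frame.ciaddr is not None)


class DhcpSnooper:
    def __init__(self, trusted, rate_limit=10, window=1.0):
        self.trusted = set(trusted)   # interfaces facing the DHCP server or relay
        self.rate_limit = rate_limit  # client DHCP messages per interface per window
        self.window = window          # seconds
        self.bindings = {}            # chaddr -> Binding, learned from ACKs on trusted ports
        self.pending = {}             # chaddr -> (iface, vlan) of the client's last request
        self.recent = {}              # iface -> deque of recent client message timestamps
        self.drops = []               # (frame, reason): the input for the discard alarm

    def _drop(self, frame, reason):
        self.drops.append((frame, reason))
        return False

    def _over_rate(self, frame):
        """Sliding-window count of client messages on one interface."""
        q = self.recent.setdefault(frame.iface, deque())
        while q and frame.time - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.rate_limit:
            return True
        q.append(frame.time)
        return False

    def handle(self, frame):
        """Return True if the message is forwarded, False if it is discarded."""
        if frame.msg_type in REPLY_TYPES:
            # Row 1, bogus DHCP server: replies are accepted only on trusted interfaces.
            if frame.iface not in self.trusted:
                return self._drop(frame, "reply on untrusted interface")
            if frame.msg_type == "ACK" and frame.yiaddr and frame.chaddr in self.pending:
                iface, vlan = self.pending.pop(frame.chaddr)
                self.bindings[frame.chaddr] = Binding(frame.chaddr, frame.yiaddr, frame.lease, vlan, iface)
            return True
        if frame.iface in self.trusted:
            return True  # client messages relayed from the network side are not filtered
        # Row 4, DHCP flooding: per-interface rate limit on client messages.
        if self._over_rate(frame):
            return self._drop(frame, "rate limit exceeded")
        # Row 2, CHADDR forgery: the client hardware address must be the frame's source MAC.
        if frame.chaddr != frame.src_mac:
            return self._drop(frame, "CHADDR does not match source MAC")
        # Row 3, bogus lease extension or release: the claimed lease must be bound to this
        # MAC with this IP address on this interface and VLAN.
        if refers_to_existing_lease(frame):
            b = self.bindings.get(frame.chaddr)
            if b is None or (b.ip, b.vlan, b.iface) != (frame.ciaddr, frame.vlan, frame.iface):
                return self._drop(frame, "no matching binding-table entry")
            if frame.msg_type != "REQUEST":
                del self.bindings[frame.chaddr]  # lease given up: entry removed
                return True
        self.pending[frame.chaddr] = (frame.iface, frame.vlan)
        return True


def demo():
    """Run constructed traffic covering the four rows of Table 3-1."""
    s = DhcpSnooper(trusted={"GE0/0/24"}, rate_limit=3, window=1.0)
    pc, r = "0000-0000-0100", {}
    # Legitimate lease: REQUEST on the user port, ACK back from the server port.
    r["request"] = s.handle(Frame("GE0/0/1", 10, pc, pc, "REQUEST", None, None, 0, 0.0))
    r["ack"] = s.handle(Frame("GE0/0/24", 10, "0000-0000-aaaa", pc, "ACK", "192.168.1.10", None, 3600, 0.1))
    r["binding"] = s.bindings.get(pc)
    # Row 1: an OFFER from a rogue server plugged into a user (untrusted) port.
    r["bogus_offer"] = s.handle(Frame("GE0/0/2", 10, "0000-0000-bbbb", "0000-0000-0200", "OFFER", "192.168.1.50", None, 3600, 0.2))
    # Row 2: a DISCOVER whose CHADDR differs from the sending MAC.
    r["chaddr"] = s.handle(Frame("GE0/0/2", 10, "0000-0000-bbbb", "0000-0000-cccc", "DISCOVER", None, None, 0, 0.3))
    # Row 3: a RELEASE for the PC's lease sent from a different port.
    r["bogus_release"] = s.handle(Frame("GE0/0/2", 10, pc, pc, "RELEASE", None, "192.168.1.10", 0, 0.4))
    # Row 4: four DISCOVERs within one second on one port against a limit of three.
    r["flood"] = [s.handle(Frame("GE0/0/3", 10, "0000-0000-dddd", "0000-0000-dddd", "DISCOVER", None, None, 0, 0.5 + 0.1 * i))
                  for i in range(4)]
    # The real client releasing from its own port is forwarded and its entry removed.
    r["release"] = s.handle(Frame("GE0/0/1", 10, pc, pc, "RELEASE", None, "192.168.1.10", 0, 1.0))
    r["still_bound"] = pc in s.bindings
    return s, r
```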


3.3 Preventing the Bogus DHCP Server Attack
To prevent the attack from a bogus DHCP server, use the trusted/untrusted working mode of DHCP snooping.

3.3.1 Establishing the Configuration Task
Establishing the configuration task of preventing the bogus DHCP server attack.

3.3.2 Enabling DHCP Snooping
After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN. Otherwise, DHCP snooping does not take effect.

3.3.3 Configuring an Interface as a Trusted Interface
Generally, the interface connected to the DHCP server is configured as trusted and other interfaces are configured as untrusted.

3.3.4 (Optional) Enabling Detection of Bogus DHCP Servers
Before enabling detection of bogus DHCP servers, ensure that DHCP snooping is enabled globally and on the interface. Otherwise, the detection function does not take effect.

3.3.5 Checking the Configuration
Checking the configuration of preventing the bogus DHCP server attack.

3.3.1 Establishing the Configuration Task
Establishing the configuration task of preventing the bogus DHCP server attack.

Applicable Environment

When a bogus DHCP server exists on a network, it replies to DHCP clients with incorrect information, such as a wrong gateway IP address, a wrong domain name server (DNS) address, or a wrong IP address. As a result, the DHCP client cannot access the network or cannot reach the correct destination network.

To prevent a bogus DHCP server attack, you can configure DHCP snooping on the S2300, configure the network-side interface to be trusted and the user-side interfaces to be untrusted, and discard DHCP Reply messages received from untrusted interfaces.

To locate a bogus DHCP server, you can configure detection of bogus DHCP servers on the S2300. In this case, the S2300 obtains information about DHCP servers by checking DHCP Reply messages, and records the information in the log. This facilitates network maintenance.

Pre-configuration Tasks

Before preventing the bogus DHCP server attack, complete the following tasks:

- Configuring the DHCP server

Data Preparation

To prevent the bogus DHCP server attack, you need the following data.


No.  Data
1    Type and number of the interface that needs to be set to trusted

3.3.2 Enabling DHCP Snooping
After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN. Otherwise, DHCP snooping does not take effect.

Context
To enable DHCP snooping, comply with the following sequence:
- Enable DHCP globally.
- Enable DHCP snooping globally.
- Enable DHCP snooping on an interface or in a VLAN.

Procedure
- Enabling DHCP snooping in the VLAN view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dhcp enable
     DHCP is enabled globally.
  3. Run:
     dhcp snooping enable
     DHCP snooping is enabled globally.
  4. Run:
     vlan vlan-id
     The VLAN view is displayed.
  5. Run:
     dhcp snooping enable
     DHCP snooping is enabled in the VLAN.
  6. Run:
     quit
     Return to the system view.
  7. (Optional) Run:
     interface interface-type interface-number
     The interface view is displayed.
  8. (Optional) Run:
     dhcp snooping disable


DHCP snooping is disabled on the specified interface in the VLAN.

To disable DHCP snooping on a specified interface in a VLAN, perform steps 6 and 7.

- Enabling DHCP snooping in the interface view

1. Run:
system-view

The system view is displayed.

2. Run:
dhcp enable

DHCP is enabled globally.

3. Run:
dhcp snooping enable

DHCP snooping is enabled globally.

4. Run:
interface interface-type interface-number

The interface view is displayed.

5. Run:
dhcp snooping enable

DHCP snooping is enabled on an interface.

----End

3.3.3 Configuring an Interface as a Trusted Interface

Generally, the interface connected to the DHCP server is configured as trusted and other interfaces are configured as untrusted.

Context

After DHCP snooping is enabled on an interface, the interface is an untrusted interface by default.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

The interface is the network-side interface connected to the DHCP server.

Or, run:

vlan vlan-id

The VLAN view is displayed.

Step 3 In the interface view, run:
dhcp snooping trusted


Or, in the VLAN view, run:
dhcp snooping trusted interface interface-type interface-number

The interface is configured as a trusted interface.

DHCP Reply messages sent from an untrusted interface are discarded.

The dhcp snooping trusted interface command takes effect only if the interface has been added to the VLAN.

----End

3.3.4 (Optional) Enabling Detection of Bogus DHCP Servers

Before enabling detection of bogus DHCP servers, ensure that DHCP snooping is enabled globally and on the interface. Otherwise, the detection function does not take effect.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:
dhcp server detect

Detection of bogus DHCP servers is enabled.

By default, detection of bogus DHCP servers is disabled on the S2300.

----End

3.3.5 Checking the Configuration

Checking the Configuration of Preventing the Bogus DHCP Server Attack.

Prerequisite

The configurations of preventing the bogus DHCP server attack are complete.

Procedure

- Run the display dhcp snooping global command to check information about global DHCP snooping.
- Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface.
- Run the display dhcp { snooping | static } user-bind { dai-status | interface interface-type interface-number | ip-address ip-address | ipsg-status | mac-address mac-address | vlan vlan-id [ interface interface-type interface-number ] | all [ verbose ] } command to check the information about the DHCP binding table.
- Run the display dhcpv6 { snooping | static } user-bind { interface interface-type interface-number | ip-address ip-address | ipsg-status | mac-address mac-address | vlan vlan-id [ interface interface-type interface-number ] | all [ verbose ] } command to check the information about the DHCPv6 binding table.

----End


3.4 Preventing the DoS Attack by Changing the CHADDR Field

This section describes how to prevent attackers from attacking the DHCP server by modifying the CHADDR field.

3.4.1 Establishing the Configuration Task
Establishing the Configuration Task of Preventing the DoS Attack by Changing the CHADDR Field.

3.4.2 Enabling DHCP Snooping
After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN. Otherwise, DHCP snooping does not take effect.

3.4.3 Checking the CHADDR Field in DHCP Request Messages
If the CHADDR field in DHCP Request messages matches the source MAC address in the Ethernet frame header, the messages are forwarded. Otherwise, the messages are discarded.

3.4.4 Checking the Configuration
Checking the Configuration of Preventing the DoS Attack by Changing the CHADDR Field.

3.4.1 Establishing the Configuration Task

Establishing the Configuration Task of Preventing the DoS Attack by Changing the CHADDR Field.

Applicable Environment

The attacker may change the client hardware address (CHADDR) carried in DHCP messages instead of the source MAC address in the frame header to apply for IP addresses continuously. The S2300, however, checks the validity of packets only based on the source MAC address in the frame header, so the attack packets are still forwarded normally and the MAC address limit cannot take effect.

To prevent the attacker from changing the CHADDR field, you can configure DHCP snooping on the S2300 to check the CHADDR field carried in DHCP Request messages. If the CHADDR field matches the source MAC address in the frame header, the message is forwarded. Otherwise, the message is discarded.

Pre-configuration Tasks

Before preventing the DoS attack by changing the CHADDR field, complete the following tasks:

- Configuring the DHCP server

Data Preparation

To prevent the DoS attack by changing the CHADDR field, you need the following data.


No.  Data
1    Type and number of the interface enabled with the check function

3.4.2 Enabling DHCP Snooping

After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN. Otherwise, DHCP snooping does not take effect.

Context

To enable DHCP snooping, you need to comply with the following sequence:

- Enable DHCP globally.
- Enable DHCP snooping globally.
- Enable DHCP snooping on an interface or in a VLAN.

Procedure

- Enabling DHCP snooping in the VLAN view

1. Run:
system-view

The system view is displayed.

2. Run:
dhcp enable

DHCP is enabled globally.

3. Run:
dhcp snooping enable

DHCP snooping is enabled globally.

4. Run:
vlan vlan-id

The VLAN view is displayed.

5. Run:
dhcp snooping enable

DHCP snooping is enabled in a VLAN.

6. Run:
quit

Return to the system view.

7. (Optional) Run:
interface interface-type interface-number

The interface view is displayed.

8. (Optional) Run:
dhcp snooping disable


DHCP snooping is disabled on the specified interface in the VLAN.

To disable DHCP snooping on a specified interface in a VLAN, perform steps 6 and 7.

- Enabling DHCP snooping in the interface view

1. Run:
system-view

The system view is displayed.

2. Run:
dhcp enable

DHCP is enabled globally.

3. Run:
dhcp snooping enable

DHCP snooping is enabled globally.

4. Run:
interface interface-type interface-number

The interface view is displayed.

5. Run:
dhcp snooping enable

DHCP snooping is enabled on an interface.

----End

3.4.3 Checking the CHADDR Field in DHCP Request Messages

If the CHADDR field in DHCP Request messages matches the source MAC address in the Ethernet frame header, the messages are forwarded. Otherwise, the messages are discarded.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

The interface is the user-side interface.

Step 3 Run:
dhcp snooping check dhcp-chaddr enable [ alarm dhcp-chaddr { enable [ threshold threshold-value ] | threshold threshold-value } ]

The interface is configured to check whether the CHADDR field in DHCP Request messages matches the source MAC address in the Ethernet frame header.

By default, an interface does not check the CHADDR field in DHCP Request messages, and the alarm threshold for the rate of discarding DHCP Request messages is set to 100.

----End


3.4.4 Checking the Configuration

Checking the Configuration of Preventing the DoS Attack by Changing the CHADDR Field.

Prerequisite

The configurations of preventing the DoS attack by changing the CHADDR field are complete.

Procedure

- Run the display dhcp snooping global command to check information about global DHCP snooping.
- Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface.

----End

3.5 Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases

This section describes how to prevent attackers from attacking the DHCP server by forging DHCP messages that extend IP address leases.

3.5.1 Establishing the Configuration Task
Establishing the Configuration Task of Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases.

3.5.2 Enabling DHCP Snooping
After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN. Otherwise, DHCP snooping does not take effect.

3.5.3 Enabling Checking of DHCP Request Messages
To prevent unauthorized users from sending DHCP Request messages to request IP address renewal, the S2300 matches the received DHCP Request messages against the binding table to determine whether to forward them.

3.5.4 (Optional) Configuring the Option 82 Function
After the Option 82 function is enabled, the S2300 can generate binding entries for users on different interfaces according to the Option 82 field in DHCP messages, which prevents a bogus DHCP server from replying with incorrect messages.

3.5.5 (Optional) Setting the Format of the Option 82 Field
You can set the format of the Option 82 field globally or on an interface. If the format of the Option 82 field is set on an interface, the format set on the interface takes effect. If the format of the Option 82 field is not set on an interface, the globally configured format takes effect.

3.5.6 (Optional) Appending the Option 18 Field or the Option 37 Field to DHCPv6 Request Messages
If the DHCPv6 server needs to obtain information about the interface or MAC address of the client, the S2300 can append the Option 18 or Option 37 field to DHCPv6 Request messages sent from a client to the DHCPv6 server.

3.5.7 Checking the Configuration


Checking the Configuration of Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases.

3.5.1 Establishing the Configuration Task

Establishing the Configuration Task of Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases.

Applicable Environment

The attacker pretends to be a valid user and continuously sends DHCP Request messages intending to extend the IP address lease. As a result, certain expired IP addresses cannot be reused.

To prevent the attacker from sending bogus DHCP messages to extend IP address leases, you can create the DHCP snooping binding table on the S2300 to check DHCP Request messages. If the source IP address, source MAC address, VLAN, and interface of the DHCP Request messages match entries in the binding table, the DHCP Request messages are forwarded. Otherwise, the DHCP Request messages are discarded.

NOTE

IP addresses are classified into IPv4 addresses and IPv6 addresses. The S2300 checks the source IP addresses of DHCP Request messages, including both IPv4 addresses and IPv6 addresses.

The S2300 checks DHCP Request messages as follows:

1. Checks whether the destination MAC address is all-f. If the destination MAC address is all-f, the S2300 considers the DHCP Request message to be a broadcast message sent by a user going online for the first time and does not check the message against the binding table. Otherwise, the S2300 considers that the user is sending the DHCP Request message to renew the lease of its IP address and checks the message against the binding table.

2. Checks whether the CHADDR field in the DHCP Request message matches an entry in the binding table. If not, the user is going online for the first time and the S2300 forwards the message directly. If yes, the S2300 checks whether the VLAN ID, IP address, and interface information of the message match the binding table. If all these fields match the binding table, the S2300 forwards the message; otherwise, the S2300 discards the message.
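The three checks this chapter configures, as one added Python model that is not Huawei code and not a description of how the S2300 firmware implements them: replies dropped on untrusted interfaces (3.3), the CHADDR-versus-source-MAC check (3.4.3), and the Request check against the binding table just described. Interface names, binding entries and the minimal BOOTP headers are constructed sample data.

```python
"""Added model of the DHCP snooping checks in this chapter (not Huawei code):
reply filtering on untrusted interfaces (3.3), the CHADDR check (3.4.3) and the
DHCP Request check against the binding table (3.5.1).
Interface names, binding entries and the BOOTP headers are constructed samples."""
import struct
from dataclasses import dataclass

BOOTREQUEST, BOOTREPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def parse_bootp_header(payload: bytes):
    """Return (op, chaddr) from the fixed BOOTP/DHCP header (RFC 2131 layout):
    op at offset 0, hlen at offset 2, 16-byte chaddr at offset 28 (first hlen bytes used)."""
    if len(payload) < 44:
        raise ValueError("truncated BOOTP header")
    op, _htype, hlen = struct.unpack_from("!BBB", payload, 0)
    chaddr = payload[28:28 + hlen]
    return op, ":".join(f"{b:02x}" for b in chaddr)


def build_bootp_header(op: int, chaddr: str) -> bytes:
    """Constructed minimal 44-byte header (op, htype=1 Ethernet, hlen, hops, then chaddr)."""
    mac = bytes.fromhex(chaddr.replace(":", ""))
    return struct.pack("!BBBB", op, 1, len(mac), 0) + bytes(24) + mac.ljust(16, b"\x00")


@dataclass(frozen=True)
class Frame:
    """What the switch sees for one DHCP frame: ingress port and VLAN, L2/L3 headers, payload."""
    in_port: str
    vlan: int
    src_mac: str
    dst_mac: str
    src_ip: str
    payload: bytes


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding entry: MAC address, IP address, VLAN and interface."""
    mac: str
    ip: str
    vlan: int
    port: str


class DhcpSnooping:
    def __init__(self, trusted, bindings, check_chaddr=(), check_request=()):
        self.trusted = set(trusted)               # dhcp snooping trusted
        self.check_chaddr = set(check_chaddr)     # dhcp snooping check dhcp-chaddr enable
        self.check_request = set(check_request)   # dhcp snooping check dhcp-request enable
        self.bindings = {b.mac.lower(): b for b in bindings}

    def filter(self, f: Frame) -> str:
        """Return 'forward' or 'drop:<reason>' for one DHCP frame."""
        op, chaddr = parse_bootp_header(f.payload)
        # 3.3: DHCP Reply messages received from untrusted interfaces are discarded.
        if op == BOOTREPLY:
            return "forward" if f.in_port in self.trusted else "drop:reply-on-untrusted"
        # 3.4.3: with the CHADDR check on, CHADDR must equal the Ethernet source MAC.
        if f.in_port in self.check_chaddr and chaddr != f.src_mac.lower():
            return "drop:chaddr-mismatch"
        # 3.5.1: with the Request check on, renewals are matched against the binding table.
        if f.in_port in self.check_request:
            if f.dst_mac.lower() == BROADCAST_MAC:
                return "forward"    # all-f destination: first-time online, not checked
            entry = self.bindings.get(chaddr)
            if entry is None:
                return "forward"    # no entry for this CHADDR: also first-time online
            if (entry.vlan, entry.ip, entry.port) != (f.vlan, f.src_ip, f.in_port):
                return "drop:binding-mismatch"
        return "forward"


# Constructed sample: DHCP server behind GE0/0/1 (trusted); GE0/0/2 and GE0/0/3 are
# user-side ports with both checks enabled; one client already has a binding on GE0/0/2.
SNOOP = DhcpSnooping(
    trusted=["GE0/0/1"],
    bindings=[Binding("00:11:22:33:44:55", "10.0.0.10", 10, "GE0/0/2")],
    check_chaddr=["GE0/0/2", "GE0/0/3"],
    check_request=["GE0/0/2", "GE0/0/3"],
)


def sample_results():
    """Run four representative frames through the filter and return the verdicts by name."""
    server_mac = "00:aa:bb:cc:dd:ee"  # constructed server MAC used as the renewal destination
    cases = {
        # Reply arriving on a user-side port: the bogus DHCP server case of 3.3.
        "reply_on_user_port": Frame("GE0/0/3", 10, "de:ad:be:ef:00:01", BROADCAST_MAC, "10.0.0.99",
                                    build_bootp_header(BOOTREPLY, "de:ad:be:ef:00:01")),
        # Request whose CHADDR differs from the frame source MAC (3.4.3).
        "chaddr_mismatch": Frame("GE0/0/3", 10, "de:ad:be:ef:00:01", BROADCAST_MAC, "0.0.0.0",
                                 build_bootp_header(BOOTREQUEST, "de:ad:be:ef:00:02")),
        # Unicast renewal matching its binding entry on every field (3.5.1).
        "renew_matches_binding": Frame("GE0/0/2", 10, "00:11:22:33:44:55", server_mac, "10.0.0.10",
                                       build_bootp_header(BOOTREQUEST, "00:11:22:33:44:55")),
        # Same renewal seen on a different interface than the binding entry records.
        "renew_wrong_port": Frame("GE0/0/3", 10, "00:11:22:33:44:55", server_mac, "10.0.0.10",
                                  build_bootp_header(BOOTREQUEST, "00:11:22:33:44:55")),
    }
    return {name: SNOOP.filter(frame) for name, frame in cases.items()}
```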

Pre-configuration Tasks

Before preventing the attacker from sending bogus DHCP messages for extending IP address leases, complete the following tasks:

- Configuring the DHCP server

Data Preparation

To prevent the attacker from sending bogus DHCP messages for extending IP address leases, you need the following data.

No.  Data
1    Type and number of the interface enabled with detection of bogus DHCP servers


3.5.2 Enabling DHCP Snooping

After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN. Otherwise, DHCP snooping does not take effect.

Context

To enable DHCP snooping, you need to comply with the following sequence:

- Enable DHCP globally.
- Enable DHCP snooping globally.
- Enable DHCP snooping on an interface or in a VLAN.

Procedure

- Enabling DHCP snooping in the VLAN view

1. Run:
system-view

The system view is displayed.

2. Run:
dhcp enable

DHCP is enabled globally.

3. Run:
dhcp snooping enable

DHCP snooping is enabled globally.

4. Run:
vlan vlan-id

The VLAN view is displayed.

5. Run:
dhcp snooping enable

DHCP snooping is enabled in a VLAN.

6. Run:
quit

Return to the system view.

7. (Optional) Run:
interface interface-type interface-number

The interface view is displayed.

8. (Optional) Run:
dhcp snooping disable

DHCP snooping is disabled on the specified interface in the VLAN.

To disable DHCP snooping on a specified interface in a VLAN, perform steps 6 and 7.

- Enabling DHCP snooping in the interface view

1. Run:


system-view

The system view is displayed.

2. Run:
dhcp enable

DHCP is enabled globally.

3. Run:
dhcp snooping enable

DHCP snooping is enabled globally.

4. Run:
interface interface-type interface-number

The interface view is displayed.

5. Run:
dhcp snooping enable

DHCP snooping is enabled on an interface.

----End

3.5.3 Enabling Checking of DHCP Request Messages

To prevent unauthorized users from sending DHCP Request messages to request IP address renewal, the S2300 matches the received DHCP Request messages against the binding table to determine whether to forward them.

Context

Binding entries of DHCP users are created automatically after DHCP snooping is enabled. If a user uses a static IP address, you need to configure the binding entry of the user manually.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

The interface is a user-side interface.

Step 3 Run:
dhcp snooping check dhcp-request enable [ alarm dhcp-request { enable [ threshold threshold-value ] | threshold threshold-value } ]

The interface is enabled to check DHCP Request messages.

By default, an interface is disabled from checking DHCP Request messages, and the alarm threshold for the rate of discarding DHCP Request messages is set to 100.

----End


3.5.4 (Optional) Configuring the Option 82 Function

After the Option 82 function is enabled, the S2300 can generate binding entries for users on different interfaces according to the Option 82 field in DHCP messages, which prevents a bogus DHCP server from replying with incorrect messages.

Procedure

- In the interface view:

1. Run:
system-view

The system view is displayed.

2. Run:
interface interface-type interface-number

The interface view is displayed.

The interface is the user-side interface.

3. Run:
dhcp option82 insert enable

The Option 82 field is appended to DHCP messages.

Or, run:
dhcp option82 rebuild enable

The Option 82 field is forcibly appended to DHCP messages.

– After the dhcp option82 insert enable command is used, the Option 82 field is appended to DHCP messages if the original DHCP messages do not carry the Option 82 field. If the DHCP message already contains an Option 82 field, the S2300 checks whether the Option 82 field contains the Remote-id. If the Option 82 field contains the Remote-id, the S2300 retains the original Option 82 field. If not, the S2300 inserts the Remote-id into the Option 82 field. By default, the Remote-id is the MAC address of the S2300.

– After the dhcp option82 rebuild enable command is used, the Option 82 field is appended to DHCP messages if the original DHCP messages do not carry the Option 82 field; if the original DHCP messages carry the Option 82 field, the original Option 82 field is removed and a new one is appended.

- In the VLAN view:

1. Run:
system-view

The system view is displayed.

2. Run:
vlan vlan-id

The VLAN view is displayed.

3. Run:
dhcp option82 insert enable interface { interface-name | interface-type interface-number } [ to interface-number ]

The Option 82 field is appended to DHCP messages.


Or, run:
dhcp option82 rebuild enable interface { interface-name | interface-type interface-number } [ to interface-number ]

The Option 82 field is forcibly appended to DHCP messages.

The preceding commands take effect only if the interfaces have been added to the VLAN entered in step 2.

– After the dhcp option82 insert enable interface { interface-name | interface-type interface-number } [ to interface-number ] command is used, the Option 82 field is appended to DHCP messages if the original DHCP messages do not carry the Option 82 field. If the DHCP message already contains an Option 82 field, the S2300 checks whether the Option 82 field contains the Remote-id. If the Option 82 field contains the Remote-id, the S2300 retains the original Option 82 field. If not, the S2300 inserts the Remote-id into the Option 82 field. By default, the Remote-id is the MAC address of the S2300.

– After the dhcp option82 rebuild enable interface { interface-name | interface-type interface-number } [ to interface-number ] command is used, the Option 82 field is appended to DHCP messages if the original DHCP messages do not carry the Option 82 field; if the original DHCP messages carry the Option 82 field, the original Option 82 field is removed and a new one is appended.
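The insert and rebuild behaviours described here and in the interface-view procedure above, as an added Python model that is not Huawei code. The DHCP option TLV layout and the Option 82 sub-option codes (1 = Circuit-ID, 2 = Remote-ID) follow RFC 2132 and RFC 3046; the Circuit-ID text and the switch MAC used as the default Remote-ID are constructed sample values.

```python
"""Added model of the Option 82 insert and rebuild behaviour (not Huawei code).
DHCP options are TLV encoded (1-byte code, 1-byte length, value) and end with code 255;
Option 82 carries sub-options in the same TLV form: 1 = Circuit-ID, 2 = Remote-ID.
The Circuit-ID text and the switch MAC used as the default Remote-ID are constructed."""

OPT_RELAY_AGENT = 82
OPT_PAD, OPT_END = 0, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2

SWITCH_MAC = bytes.fromhex("00e0fc000001")  # constructed S2300 MAC, the default Remote-id
CIRCUIT_ID = b"GE0/0/2:10"                   # constructed Circuit-id text


def parse_tlv(data: bytes, options_area: bool = True):
    """Decode (code, value) pairs. In the DHCP options area pad (0) is skipped and
    end (255) terminates; Option 82 sub-options have neither."""
    items, i = [], 0
    while i < len(data):
        code = data[i]
        if options_area and code == OPT_END:
            break
        if options_area and code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option length")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        items.append((code, value))
        i += 2 + length
    return items


def build_tlv(items, options_area: bool = True) -> bytes:
    """Encode (code, value) pairs; the options area gets the 255 terminator, sub-options do not."""
    body = b"".join(bytes([code, len(value)]) + value for code, value in items)
    return body + bytes([OPT_END]) if options_area else body


def apply_option82(options: bytes, mode: str, circuit_id=CIRCUIT_ID, remote_id=SWITCH_MAC) -> bytes:
    """Return the options area as forwarded upstream after 'insert' or 'rebuild' handling."""
    opts = parse_tlv(options)
    fresh = build_tlv([(SUB_CIRCUIT_ID, circuit_id), (SUB_REMOTE_ID, remote_id)], options_area=False)
    idx = next((i for i, (code, _) in enumerate(opts) if code == OPT_RELAY_AGENT), None)
    if mode == "rebuild":
        # rebuild: any existing Option 82 is removed and a new one appended
        opts = [o for o in opts if o[0] != OPT_RELAY_AGENT] + [(OPT_RELAY_AGENT, fresh)]
    elif mode == "insert":
        if idx is None:
            opts.append((OPT_RELAY_AGENT, fresh))           # no Option 82: append one
        else:
            subs = parse_tlv(opts[idx][1], options_area=False)
            if not any(code == SUB_REMOTE_ID for code, _ in subs):
                subs.append((SUB_REMOTE_ID, remote_id))       # only the Remote-id is added
                opts[idx] = (OPT_RELAY_AGENT, build_tlv(subs, options_area=False))
            # with a Remote-id already present the original Option 82 is retained
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return build_tlv(opts)


def option82_of(options: bytes):
    """Decoded Option 82 sub-options of an options area, or None when absent."""
    for code, value in parse_tlv(options):
        if code == OPT_RELAY_AGENT:
            return parse_tlv(value, options_area=False)
    return None


# Constructed DHCPREQUEST option areas (option 53 message type, value 3 = DHCPREQUEST).
NO_OPTION82 = build_tlv([(53, b"\x03")])
CIRCUIT_ONLY = build_tlv([(53, b"\x03"),
                          (OPT_RELAY_AGENT, build_tlv([(SUB_CIRCUIT_ID, b"relay-A")], options_area=False))])
BOTH_PRESENT = build_tlv([(53, b"\x03"),
                          (OPT_RELAY_AGENT, build_tlv([(SUB_CIRCUIT_ID, b"relay-A"),
                                                       (SUB_REMOTE_ID, b"relay-A-id")], options_area=False))])
```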

----End

3.5.5 (Optional) Setting the Format of the Option 82 Field

You can set the format of the Option 82 field globally or on an interface. If the format of the Option 82 field is set on an interface, the format set on the interface takes effect. If the format of the Option 82 field is not set on an interface, the globally configured format takes effect.

Procedure

- Setting the format of the Option 82 field in the system view

1. Run:
system-view

The system view is displayed.

2. Run:
dhcp option82 [ circuit-id | remote-id ] format { default | common | extend | user-defined text }

The format of the Option 82 field is set.

NOTE

If the customized format of the Option 82 field is used (that is, user-defined is specified), it is recommended that you specify the interface type, slot ID, and interface number in text.

- Setting the format of the Option 82 field in the interface view

1. Run:
system-view

The system view is displayed.

2. Run:


interface interface-type interface-number

The interface view is displayed.

3. Run:
dhcp option82 [ vlan vlanid ] [ circuit-id | remote-id ] format { default | common | extend | user-defined text }

The format of the Option 82 field is set.

NOTE

If the customized format of the Option 82 field is used (that is, user-defined is specified), it is recommended that you specify the interface type, slot ID, and interface number in text.

----End

3.5.6 (Optional) Appending the Option 18 Field or the Option 37 Field to DHCPv6 Request Messages

If the DHCPv6 server needs to obtain information about the interface or MAC address of the client, the S2300 can append the Option 18 or Option 37 field to DHCPv6 Request messages sent from a client to the DHCPv6 server.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
dhcpv6 { option18 | option37 } insert enable

The S2300 is configured to append the Option 18 field or the Option 37 field to DHCPv6 Request messages.

The Option 18 field contains information about the interface of the client and the Option 37 field contains information about the MAC address of the client.

----End

3.5.7 Checking the Configuration

Checking the Configuration of Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases.

Prerequisite

The configurations of preventing the attacker from sending bogus DHCP messages for extending IP address leases are complete.


Procedure

- Run the display dhcp snooping global command to check information about global DHCP snooping.
- Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface.
- Run the display dhcp { snooping | static } user-bind { dai-status | interface interface-type interface-number | ip-address ip-address | ipsg-status | mac-address mac-address | vlan vlan-id [ interface interface-type interface-number ] | all [ verbose ] } command to check the information about the DHCP binding table.
- Run the display dhcpv6 { snooping | static } user-bind { interface interface-type interface-number | ipv6-address ipv6-address | ipsg-status | mac-address mac-address | vlan vlan-id [ interface interface-type interface-number ] | all [ verbose ] } command to check the information about the DHCPv6 binding table.
- Run the display dhcp option82 { interface interface-type interface-number | vlan vlan-id } command to check the status of the Option 82 field.

----End

3.6 Setting the Maximum Number of DHCP Snooping Users

This section describes how to set the maximum number of DHCP snooping users. This is because authorized users cannot access the network when an attacker applies for IP addresses continuously.

3.6.1 Establishing the Configuration Task
This section describes how to establish the configuration task of preventing attackers from sending bogus DHCP messages for extending IP address leases.

3.6.2 Enabling DHCP Snooping
After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN. Otherwise, DHCP snooping does not take effect.

3.6.3 Setting the Maximum Number of DHCP Snooping Users
If an unauthorized user applies for IP addresses maliciously, authorized users cannot access the network. To address this problem, you can set the maximum number of access users.

3.6.4 (Optional) Configuring MAC Address Security on an Interface
MAC addresses of DHCP users in the dynamic binding table can be converted to static MAC addresses, and packets of these users can be forwarded. MAC addresses of static users in the static binding table cannot be converted to static MAC addresses. Therefore, you need to configure static MAC addresses for the static users to have their packets forwarded normally.

3.6.5 Checking the Configuration
This section describes how to check the configuration of the maximum number of DHCP snooping users.

3.6.1 Establishing the Configuration Task

This section describes how to establish the configuration task of preventing attackers from sending bogus DHCP messages for extending IP address leases.


Applicable Environment

To prevent malicious users from applying for IP addresses, you can set the maximum number of DHCP snooping users.

When the number of DHCP snooping users reaches the maximum value, further users cannot successfully apply for IP addresses.

Pre-configuration Tasks

Before setting the maximum number of DHCP snooping users, complete the following tasks:

- Enabling DHCP snooping globally
- Enabling check of the DHCP snooping binding table

Data Preparation

To set the maximum number of DHCP snooping users, you need the following data.

No.  Data
1    Type and number of the interface, VLAN ID, and maximum number of DHCP snooping users

3.6.2 Enabling DHCP Snooping

After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN. Otherwise, DHCP snooping does not take effect.

Context

To enable DHCP snooping, you need to comply with the following sequence:

- Enable DHCP globally.
- Enable DHCP snooping globally.
- Enable DHCP snooping on an interface or in a VLAN.

Procedure

- Enabling DHCP snooping in the VLAN view

1. Run:
system-view

The system view is displayed.

2. Run:
dhcp enable

DHCP is enabled globally.

3. Run:
dhcp snooping enable


DHCP snooping is enabled globally.

4. Run:
vlan vlan-id

The VLAN view is displayed.

5. Run:
dhcp snooping enable

DHCP snooping is enabled in a VLAN.

6. Run:
quit

Return to the system view.

7. (Optional) Run:
interface interface-type interface-number

The interface view is displayed.

8. (Optional) Run:
dhcp snooping disable

DHCP snooping is disabled on the specified interface in the VLAN.

To disable DHCP snooping on a specified interface in a VLAN, perform steps 6 and 7.

- Enabling DHCP snooping in the interface view

1. Run:
system-view

The system view is displayed.

2. Run:
dhcp enable

DHCP is enabled globally.

3. Run:
dhcp snooping enable

DHCP snooping is enabled globally.

4. Run:
interface interface-type interface-number

The interface view is displayed.

5. Run:
dhcp snooping enable

DHCP snooping is enabled on an interface.

----End

3.6.3 Setting the Maximum Number of DHCP Snooping Users

If an unauthorized user applies for IP addresses maliciously, authorized users cannot access the network. To address this problem, you can set the maximum number of access users.


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp snooping global max-user-number max-user-number

The maximum number of access users allowed in the system view is set.

By default, the maximum number of access users allowed by all the interfaces of the S2300 is 256.

Step 3 Run:
interface interface-type interface-number

The interface view is displayed.

Or, run:

vlan vlan-id

The VLAN view is displayed.

Step 4 Run:
dhcp snooping max-user-number max-user-number

The maximum number of DHCP snooping users allowed on an interface or in a VLAN is set.

By default, a maximum of 256 users can access an interface of the S2300 or a VLAN.

If the maximum number of access users is set on an interface, in a VLAN, or in the system, allthe configurations take effect.

----End

3.6.4 (Optional) Configuring MAC Address Security on an Interface

MAC addresses of DHCP users in the dynamic binding table can be converted to static MAC addresses, and packets of these users can be forwarded. MAC addresses of static users in the static binding table cannot be converted to static MAC addresses. Therefore, you need to configure static MAC addresses for the static users to have their packets forwarded normally.

Context

NOTE

The S2300SI does not support configuring MAC address security on an interface.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface is a user-side interface.

Step 3 Run:
dhcp snooping sticky-mac

MAC address security of DHCP snooping is enabled on the interface.

By default, MAC address security of DHCP snooping is disabled on the S2300.

The dhcp snooping sticky-mac command takes effect only after DHCP snooping is enabled globally.

If the dhcp snooping sticky-mac command is run, the interface neither learns the MAC address of a received IP packet nor forwards the packet. The DHCP messages received by the interface are sent to the CPU of the main control board, and then a dynamic binding table is generated. After the dynamic binding table is generated, static MAC addresses are sent to the corresponding interface. That is, dynamic MAC addresses are converted to static MAC addresses. The static MAC address entry includes the MAC address and VLAN ID of the user. Subsequently, only packets whose source MAC address matches a static MAC address can pass through the interface; other packets are discarded.

MAC addresses of static users in the static binding table cannot be converted to static MAC addresses. You need to configure static MAC addresses for the static users to have their packets forwarded normally.

Step 4 (Optional) Run:
undo mac-address snooping [ interface-type interface-number [ vlan vlan-id ] | vlan vlan-id [ interface-type interface-number ] ]

The static MAC entries converted from dynamic binding entries by the dhcp snooping sticky-mac command are deleted.

----End
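The following Python model is added here as an illustration; it is not part of the Huawei guide or of the S2300 software. It shows the forwarding behaviour that Step 3 describes: dynamic binding entries are turned into static MAC entries keyed by MAC address and VLAN ID, only frames whose source MAC address and VLAN match such an entry pass the interface, and entries of static users are not converted, so their MAC addresses stay blocked until an operator adds them by hand. The class and function names, the interface name and the binding entries are assumptions.

```python
"""Model of 'dhcp snooping sticky-mac' behaviour on a user-side interface.

Added illustration, not Huawei code. Entry values, names and the interface
are constructed; the rules follow the guide's description of the command.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class BindingEntry:
    ip: str
    mac: str
    vlan: int
    dynamic: bool      # True: learned from DHCP; False: static binding table entry


@dataclass
class StickyMacInterface:
    name: str
    static_macs: set = field(default_factory=set)   # {(mac, vlan)} static MAC entries

    def convert_bindings(self, entries):
        """Convert dynamic binding entries to static MAC entries (MAC + VLAN ID).
        Static-user entries are left unconverted and returned to the caller."""
        not_converted = []
        for entry in entries:
            if entry.dynamic:
                self.static_macs.add((entry.mac.lower(), entry.vlan))
            else:
                not_converted.append(entry)
        return not_converted

    def add_static_mac(self, mac, vlan):
        """Operator-configured static MAC address for a static user."""
        self.static_macs.add((mac.lower(), vlan))

    def forwards(self, src_mac, vlan):
        """True if an IP frame with this source MAC in this VLAN passes the interface."""
        return (src_mac.lower(), vlan) in self.static_macs


def demo():
    """Constructed binding table: one DHCP user and one static user, both in VLAN 3."""
    port = StickyMacInterface("GE0/0/2")
    left = port.convert_bindings([
        BindingEntry("10.1.1.3", "0000-005e-008a", 3, dynamic=True),
        BindingEntry("10.1.1.20", "0000-005e-0020", 3, dynamic=False),
    ])
    before = (port.forwards("0000-005e-008a", 3),   # DHCP user: passes
              port.forwards("0000-005e-0020", 3),   # static user: blocked until configured
              port.forwards("0000-005e-008a", 4))   # same MAC, wrong VLAN: blocked
    for entry in left:                               # the manual step the guide requires
        port.add_static_mac(entry.mac, entry.vlan)
    after = port.forwards("0000-005e-0020", 3)
    return {"unconverted": [e.mac for e in left], "before": before, "after": after}
```

The VLAN ID is part of the key on purpose: the same MAC address seen in another VLAN is not covered by the converted entry, which is the behaviour the static MAC entry (MAC address plus VLAN ID) implies.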

3.6.5 Checking the Configuration

This section describes how to check the configuration of the maximum number of DHCP snooping users.

Prerequisite

The configurations of setting the maximum number of users are complete.

Procedure

l Run the display dhcp snooping global command to check information about global DHCP snooping.

l Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on an interface.

l Run the display mac-address snooping [ interface-type interface-number [ vlan vlan-id ] | vlan vlan-id [ interface-type interface-number ] ] [ verbose ] command to view the static MAC address entries converted from dynamic MAC address entries by the dhcp snooping sticky-mac command.

----End


3.7 Limiting the Rate of Sending DHCP Messages

This section describes how to prevent attackers from sending a large number of DHCP Request messages to attack the S2300.

3.7.1 Establishing the Configuration Task
Establishing the Configuration Task of Limiting the Rate of Sending DHCP Messages.

3.7.2 Enabling DHCP Snooping
After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN. Otherwise, DHCP snooping does not take effect.

3.7.3 Setting the Maximum Rate of Sending DHCP Messages
You can set the maximum rate of sending DHCP messages globally, in a VLAN, or on an interface. If the maximum rate of sending DHCP messages is set globally, in a VLAN, and on an interface simultaneously, the maximum rate of sending DHCP messages takes effect on an interface, in a VLAN, and globally in descending order.

3.7.4 Checking the Configuration
Checking the Configuration of Limiting the Rate of Sending DHCP Messages.

3.7.1 Establishing the Configuration Task

Establishing the Configuration Task of Limiting the Rate of Sending DHCP Messages.

Applicable Environment

If an attacker sends DHCP messages continuously on a network, the DHCP protocol stack of the S2300 is affected.

To prevent an attacker from sending a large number of DHCP messages, you can configure DHCP snooping on the S2300 to check DHCP messages and limit the rate of sending DHCP messages. Only a certain number of DHCP messages can be sent to the protocol stack during a certain period. Excessive DHCP messages are discarded.

Pre-configuration Tasks

Before limiting the rate of sending packets, complete the following tasks:

l Configuring the DHCP server

Data Preparation

To limit the rate of sending packets, you need the following data.

No. Data

1 Rate at which DHCP messages are sent to the protocol stack


3.7.2 Enabling DHCP Snooping

After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN. Otherwise, DHCP snooping does not take effect.

Context

To enable DHCP snooping, you need to comply with the following sequence:

l Enable DHCP globally.

l Enable DHCP snooping globally.

l Enable DHCP snooping on an interface or in a VLAN.

Procedure

l Enabling DHCP snooping in the VLAN view

1. Run:

system-view

The system view is displayed.

2. Run:

dhcp enable

DHCP is enabled globally.

3. Run:

dhcp snooping enable

DHCP snooping is enabled globally.

4. Run:

vlan vlan-id

The VLAN view is displayed.

5. Run:

dhcp snooping enable

DHCP snooping is enabled in a VLAN.

6. Run:

quit

Return to the system view.

7. (Optional) Run:

interface interface-type interface-number

The interface view is displayed.

8. (Optional) Run:

dhcp snooping disable

DHCP snooping is disabled on the specified interface in the VLAN.

To disable DHCP snooping on a specified interface in a VLAN, perform steps 6 and 7.

l Enabling DHCP snooping in the interface view

1. Run:


system-view

The system view is displayed.

2. Run:

dhcp enable

DHCP is enabled globally.

3. Run:

dhcp snooping enable

DHCP snooping is enabled globally.

4. Run:

interface interface-type interface-number

The interface view is displayed.

5. Run:

dhcp snooping enable

DHCP snooping is enabled on an interface.

----End

3.7.3 Setting the Maximum Rate of Sending DHCP Messages

You can set the maximum rate of sending DHCP messages globally, in a VLAN, or on an interface. If the maximum rate of sending DHCP messages is set globally, in a VLAN, and on an interface simultaneously, the settings take effect in descending order of priority: the interface setting first, then the VLAN setting, then the global setting.

Procedure

l Setting the maximum rate of sending DHCP messages in the system view

1. Run:

system-view

The system view is displayed.

2. Run:

dhcp snooping check dhcp-rate enable

The function of checking the rate of sending DHCP messages is enabled.

By default, the function of checking the rate of sending DHCP messages is disabled globally.

3. Run:

dhcp snooping check dhcp-rate rate

The rate of sending DHCP messages is set.

By default, the maximum rate of sending DHCP messages is 100 pps. The DHCP messages exceeding the rate are discarded.

l Setting the maximum rate of sending DHCP messages in the VLAN view

1. Run:

system-view

The system view is displayed.

2. Run:

vlan vlan-id


The VLAN view is displayed.

3. Run:

dhcp snooping check dhcp-rate enable

The function of checking the rate of sending DHCP messages is enabled in the VLAN view.

By default, the function of checking the rate of sending DHCP messages is disabled in the VLAN view.

4. Run:

dhcp snooping check dhcp-rate rate

The rate of sending DHCP messages is set.

By default, the maximum rate of sending DHCP messages is 100 pps. The DHCP messages exceeding the rate are discarded.

l Setting the maximum rate of sending DHCP messages in the interface view

1. Run:

system-view

The system view is displayed.

2. Run:

interface interface-type interface-number

The interface view is displayed.

3. Run:

dhcp snooping check dhcp-rate { enable | enable rate | rate } [ alarm dhcp-rate [ enable ] [ threshold threshold-value ] ]

The following functions are configured on an interface:

– The function of checking the rate of sending DHCP messages to the DHCP stack is enabled.

– The rate limit of sending DHCP messages to the DHCP stack is set.

– The DHCP message discard alarm is enabled.

– The alarm threshold for discarded DHCP messages is set.

By default, the function of checking the rate of sending DHCP messages to the DHCP stack is disabled on an interface; the rate limit of sending DHCP messages to the DHCP stack is 100 pps; the DHCP message discard alarm is disabled; the alarm threshold for discarded DHCP messages is 100.

----End
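The following Python model is added as an illustration of the rate limit described in this section; it is not part of the Huawei guide or of the S2300 software. It applies the precedence the section states (an interface setting wins over a VLAN setting, which wins over the global setting), the default limit of 100 pps, discard of messages above the limit, and a per-interface discard alarm that fires when the discard count reaches the configured threshold. The fixed one-second counting window, the class and method names, the interface names, VLAN IDs and the traffic burst are assumptions.

```python
"""Model of the DHCP snooping rate limit of section 3.7.3.

Added illustration, not Huawei code. Interface names, VLAN IDs, the
one-second counting window and the traffic sample are constructed.
"""
from collections import defaultdict

DEFAULT_RATE_PPS = 100          # guide default for every level
DEFAULT_ALARM_THRESHOLD = 100   # guide default for the interface discard alarm


class DhcpRateLimiter:
    def __init__(self):
        self.global_rate = None          # None: rate check not enabled at that level
        self.vlan_rate = {}              # vlan-id -> pps
        self.iface_rate = {}             # interface -> pps
        self.alarm_threshold = {}        # interface -> threshold (alarm enabled)
        self.sent = defaultdict(int)     # (scope, second) -> messages passed to the stack
        self.drops = defaultdict(int)    # interface -> discarded messages
        self.alarms = []                 # (interface, drop count) when the threshold is reached

    # configuration, mirroring 'dhcp snooping check dhcp-rate enable [rate]' at each level
    def enable_global(self, rate=DEFAULT_RATE_PPS):
        self.global_rate = rate

    def enable_vlan(self, vlan, rate=DEFAULT_RATE_PPS):
        self.vlan_rate[vlan] = rate

    def enable_interface(self, iface, rate=DEFAULT_RATE_PPS, alarm_threshold=None):
        self.iface_rate[iface] = rate
        if alarm_threshold is not None:
            self.alarm_threshold[iface] = alarm_threshold

    def effective_limit(self, iface, vlan):
        """Return (scope, rate) of the setting that applies: interface over VLAN
        over global; None when no level has the check enabled."""
        if iface in self.iface_rate:
            return ("interface", iface), self.iface_rate[iface]
        if vlan in self.vlan_rate:
            return ("vlan", vlan), self.vlan_rate[vlan]
        if self.global_rate is not None:
            return ("global",), self.global_rate
        return None

    def receive(self, iface, vlan, timestamp):
        """True if the DHCP message is sent to the protocol stack, False if discarded."""
        limit = self.effective_limit(iface, vlan)
        if limit is None:
            return True
        scope, rate = limit
        bucket = (scope, int(timestamp))     # fixed one-second window per scope (assumption)
        if self.sent[bucket] < rate:
            self.sent[bucket] += 1
            return True
        self.drops[iface] += 1
        if self.drops[iface] == self.alarm_threshold.get(iface):
            self.alarms.append((iface, self.drops[iface]))
        return False


def simulate():
    """Constructed burst: 60 DHCP messages within one second on each of three interfaces."""
    rl = DhcpRateLimiter()
    rl.enable_global()                                       # 100 pps default
    rl.enable_vlan(10, rate=50)
    rl.enable_interface("GE0/0/2", rate=20, alarm_threshold=30)
    summary = {}
    for iface, vlan in (("GE0/0/2", 10), ("GE0/0/3", 10), ("GE0/0/4", 20)):
        passed = sum(rl.receive(iface, vlan, 1000.0 + i / 60) for i in range(60))
        summary[iface] = (passed, rl.drops[iface])
    summary["alarms"] = list(rl.alarms)
    return summary
```

In the burst, GE0/0/2 is governed by its own 20 pps setting even though its VLAN and the global level are configured more loosely, GE0/0/3 falls back to the 50 pps VLAN setting, and GE0/0/4 is covered only by the 100 pps global setting and loses nothing.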

3.7.4 Checking the Configuration

Checking the Configuration of Limiting the Rate of Sending DHCP Messages.

Prerequisite

The configurations of limiting the rate of sending DHCP messages are complete.


Procedure

l Run the display dhcp snooping global command to check information about global DHCP snooping.

----End

3.8 Configuring the Packet Discarding Alarm Function

An alarm is generated when the number of discarded packets exceeds the threshold.

3.8.1 Establishing the Configuration Task
Establishing the Configuration Task of Packet Discarding Alarm Function.

3.8.2 Enabling DHCP Snooping
After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN. Otherwise, DHCP snooping does not take effect.

3.8.3 Configuring the Packet Discarding Alarm Function
After the alarm function is enabled, alarm messages are displayed if DHCP attacks occur.

3.8.4 Checking the Configuration
Checking the Configuration of Packet Discarding Alarm Function.

3.8.1 Establishing the Configuration Task

Establishing the Configuration Task of Packet Discarding Alarm Function.

Applicable Environment

With DHCP snooping configured, the S2300 discards packets sent from an attacker. Table 3-2 shows the relation between the type of attacks and the type of discarded packets.

Table 3-2 Relation between the type of attacks and the type of discarded packets

Type of Attacks | Type of Discarded Packets

Bogus attack | DHCP Reply messages received from untrusted interfaces

DoS attack by changing the CHADDR field | DHCP Request messages whose CHADDR field does not match the source MAC address in the frame header

Attack by sending bogus messages to extend IP address leases | DHCP Request messages that do not match entries in the binding table

Attack by sending a large number of DHCP Request messages and ARP packets | Messages exceeding the rate limit

After the packet discarding alarm function is enabled, an alarm is generated when the number of discarded packets on the S2300 reaches the alarm threshold.


Pre-configuration Tasks

Before configuring the packet discarding alarm function, complete the following tasks:

l Configuring the DHCP server

l Configuring the S2300 to discard DHCP Reply messages on the untrusted interface at the user side

l Configuring the checking of DHCP messages

l Configuring the checking of the CHADDR field in DHCP Request messages

l Configuring the checking of the rate of sending DHCP messages

Data Preparation

To configure the packet discarding alarm function, you need the following data.

No. Data

1 Alarm threshold for the number of discarded packets

3.8.2 Enabling DHCP Snooping

After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN. Otherwise, DHCP snooping does not take effect.

Context

To enable DHCP snooping, you need to comply with the following sequence:

l Enable DHCP globally.

l Enable DHCP snooping globally.

l Enable DHCP snooping on an interface or in a VLAN.

Procedure

l Enabling DHCP snooping in the VLAN view

1. Run:

system-view

The system view is displayed.

2. Run:

dhcp enable

DHCP is enabled globally.

3. Run:

dhcp snooping enable

DHCP snooping is enabled globally.

4. Run:

vlan vlan-id


The VLAN view is displayed.

5. Run:

dhcp snooping enable

DHCP snooping is enabled in a VLAN.

6. Run:

quit

Return to the system view.

7. (Optional) Run:

interface interface-type interface-number

The interface view is displayed.

8. (Optional) Run:

dhcp snooping disable

DHCP snooping is disabled on the specified interface in the VLAN.

To disable DHCP snooping on a specified interface in a VLAN, perform steps 6 and 7.

l Enabling DHCP snooping in the interface view

1. Run:

system-view

The system view is displayed.

2. Run:

dhcp enable

DHCP is enabled globally.

3. Run:

dhcp snooping enable

DHCP snooping is enabled globally.

4. Run:

interface interface-type interface-number

The interface view is displayed.

5. Run:

dhcp snooping enable

DHCP snooping is enabled on an interface.

----End

3.8.3 Configuring the Packet Discarding Alarm Function

After the alarm function is enabled, alarm messages are displayed if DHCP attacks occur.

Context

The packet discarding alarm function can be configured globally and on the interface.

l The packet discarding alarm function configured globally takes effect for all interfaces.

l The packet discarding alarm function configured on an interface takes effect for a specified interface. If the packet discarding alarm function is not configured on an interface, the global configuration is used.


Procedure

l Configuring the packet discarding alarm function globally

1. Run:

system-view

The system view is displayed.

2. Run:

dhcp snooping alarm threshold threshold

The alarm threshold of the number of globally discarded packets is set.

By default, the global alarm threshold of the number of discarded DHCP messages is 100 pps.

l Configuring the packet discarding alarm function on an interface

1. Run:

system-view

The system view is displayed.

2. Run:

interface interface-type interface-number

The interface view is displayed.

3. Run:

dhcp snooping check dhcp-chaddr enable [ alarm dhcp-chaddr [ enable [ threshold threshold-value ] | threshold threshold-value ] ]

The function of checking the CHADDR field of DHCP Request messages and the alarm for discarded DHCP Request messages are enabled on the interface, and the threshold that triggers the alarm is set.

By default, the S2300 neither checks the CHADDR field of DHCP Request messages nor generates alarms for discarded packets. The alarm threshold for the rate of discarded DHCP Request messages is 100 pps.

4. Run:

dhcp snooping check dhcp-request enable [ alarm dhcp-request [ enable [ threshold threshold-value ] | threshold threshold-value ] ]

The function of checking DHCP Request messages and the alarm for discarded DHCP Request messages are enabled on the interface, and the threshold that triggers the alarm is set.

By default, the S2300 neither checks DHCP Request messages nor generates alarms for discarded packets. The alarm threshold for the rate of discarded DHCP Request messages is 100 pps.

5. (Optional) Run:

dhcp snooping alarm { dhcp-chaddr | dhcp-reply | dhcp-request } { enable [ threshold threshold ] | threshold threshold }

The alarm function is enabled for discarding of DHCP messages received from untrusted interfaces, and the alarm threshold is set.

By default, the packet discarding alarm is disabled, and the threshold that triggers the alarm on discarded packets is 100.

After the dhcp snooping alarm command is configured, the S2300 discards the following types of packets:


– DHCP Request messages that do not match entries in the DHCP Snooping binding table

– DHCP Reply messages received by untrusted interfaces

– DHCP Request messages whose source MAC address does not match the CHADDR field

----End
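The following Python model is added as an illustration of the three checks whose discards feed the packet discarding alarm (Table 3-2 and the three packet types listed above); it is not part of the Huawei guide or of the S2300 software. It parses a minimal DHCP message laid out as in RFC 2131 (fixed BOOTP header, magic cookie, options), then applies the checks an untrusted interface performs: a DHCP Reply received on an untrusted interface is discarded, a Request whose CHADDR field differs from the frame's source MAC address is discarded, and a lease-renewal Request that matches no entry in the binding table is discarded; each check has its own discard counter and alarm threshold. Treating a Request with a non-zero ciaddr as a lease renewal, the binding table, the interface names, the thresholds and the packets are assumptions.

```python
"""Model of the DHCP snooping checks behind the packet discarding alarm.

Added illustration, not Huawei code. DHCP layout follows RFC 2131; the
binding table, interfaces, thresholds and traffic are constructed, and a
Request with a non-zero ciaddr is treated as a lease renewal (assumption).
"""
import struct
from collections import Counter

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_PAD, OPT_END = 53, 0, 255
DHCPREQUEST = 3


def build_dhcp(op, chaddr, ciaddr="0.0.0.0", msg_type=DHCPREQUEST, xid=0x1234):
    """Constructed message: 236-byte BOOTP header, magic cookie, option 53, end."""
    mac = bytes.fromhex(chaddr.replace("-", "").replace(":", ""))
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)          # op, htype, hlen, hops, xid, secs, flags
    hdr += bytes(map(int, ciaddr.split("."))) + b"\x00" * 12        # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac.ljust(16, b"\x00") + b"\x00" * 192                   # chaddr(16), sname(64), file(128)
    return hdr + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type, OPT_END])


def parse_dhcp(data):
    """Extract op, ciaddr, CHADDR (xxxx-xxxx-xxxx form) and the DHCP message type."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = data[2]
    raw = data[28:28 + hlen].hex()
    chaddr = "-".join(raw[i:i + 4] for i in range(0, len(raw), 4))
    msg_type, opts, i = None, data[240:], 0
    while i < len(opts) and opts[i] != OPT_END:
        if opts[i] == OPT_PAD:
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        if code == OPT_MSG_TYPE:
            msg_type = opts[i + 2]
        i += 2 + length
    return {"op": data[0], "ciaddr": ".".join(str(b) for b in data[12:16]),
            "chaddr": chaddr, "msg_type": msg_type}


class DhcpSnooper:
    def __init__(self, trusted, bindings, thresholds):
        self.trusted = set(trusted)
        self.bindings = set(bindings)      # {(ip, mac, vlan, interface)}
        self.thresholds = thresholds       # check name -> alarm threshold
        self.drops = Counter()
        self.alarms = []

    def _discard(self, check):
        self.drops[check] += 1
        if self.drops[check] == self.thresholds.get(check, 100):   # guide default is 100
            self.alarms.append(check)
        return False

    def inspect(self, interface, vlan, src_mac, data):
        """True if the message is forwarded, False if a check discards it."""
        msg = parse_dhcp(data)
        if interface in self.trusted:
            return True                                 # checks apply to untrusted interfaces
        if msg["op"] == BOOTREPLY:
            return self._discard("dhcp-reply")          # server reply from the user side
        if msg["chaddr"] != src_mac.lower():
            return self._discard("dhcp-chaddr")         # CHADDR does not match the frame
        if msg["msg_type"] == DHCPREQUEST and msg["ciaddr"] != "0.0.0.0":
            if (msg["ciaddr"], msg["chaddr"], vlan, interface) not in self.bindings:
                return self._discard("dhcp-request")    # renewal with no binding entry
        return True


def run_demo():
    """Constructed traffic on user-side GE0/0/2 (untrusted) and server-side GE0/0/1 (trusted)."""
    snoop = DhcpSnooper(trusted={"GE0/0/1"},
                        bindings={("10.1.1.3", "0000-005e-008a", 3, "GE0/0/2")},
                        thresholds={"dhcp-reply": 2, "dhcp-chaddr": 2, "dhcp-request": 2})
    good = "0000-005e-008a"
    traffic = [
        ("GE0/0/2", 3, "0000-005e-0001", build_dhcp(BOOTREPLY, "0000-005e-0001")),  # reply on user port
        ("GE0/0/1", 3, "0000-005e-0001", build_dhcp(BOOTREPLY, "0000-005e-0001")),  # reply on trusted port
        ("GE0/0/2", 3, good, build_dhcp(BOOTREQUEST, good)),                         # initial request
        ("GE0/0/2", 3, good, build_dhcp(BOOTREQUEST, "0000-005e-00ff")),             # CHADDR != source MAC
        ("GE0/0/2", 3, good, build_dhcp(BOOTREQUEST, good, ciaddr="10.1.1.3")),      # renewal, bound
        ("GE0/0/2", 3, good, build_dhcp(BOOTREQUEST, good, ciaddr="10.1.1.9")),      # renewal, unbound
        ("GE0/0/2", 3, "0000-005e-0001", build_dhcp(BOOTREPLY, "0000-005e-0001")),  # second reply: alarm
    ]
    results = [snoop.inspect(*t) for t in traffic]
    return results, dict(snoop.drops), list(snoop.alarms)
```

The per-check counters are what the display commands in 3.8.4 report as "dhcp packet dropped by ... checking", and the alarm list is what the threshold on each check turns into an alarm.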

3.8.4 Checking the Configuration

Checking the Configuration of Packet Discarding Alarm Function.

Prerequisite

The configurations of the packet discarding alarm function are complete.

Procedure

l Run the display dhcp snooping global command to check information about global DHCP snooping.

l Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface.

----End

3.9 Maintaining DHCP Snooping

This section describes how to maintain DHCP snooping.

3.9.1 Clearing DHCP Snooping Statistics
The statistics on globally discarded packets and the statistics on discarded packets on the interface are cleared.

3.9.2 Resetting the DHCP Snooping Binding Table
After DHCP snooping is enabled, multiple binding entries are generated when DHCP users go online. DHCP users can delete dynamic binding entries in batches according to the VLAN ID, interface, IP address of the VPLS.

3.9.1 Clearing DHCP Snooping Statistics

The statistics on globally discarded packets and the statistics on discarded packets on the interface are cleared.

Context

To clear the statistics on DHCP snooping discarded packets, run the following commands in the user view.

Procedure

l Run the reset dhcp snooping statistics global command to clear the statistics on globally discarded packets.


l Run the reset dhcp snooping statistics interface interface-type interface-number command to clear the statistics on discarded packets on the interface.

l Run the reset dhcp snooping statistics vlan vlan-id command to clear the statistics on discarded packets on the VLAN.

----End

3.9.2 Resetting the DHCP Snooping Binding Table

After DHCP snooping is enabled, multiple binding entries are generated when DHCP users go online. DHCP users can delete dynamic binding entries in batches according to the VLAN ID, interface, IP address of the VPLS.

Context

NOTE

After the networking environment changes, DHCP snooping binding entries do not age immediately. However, the following information in DHCP snooping binding entries may change, causing packet forwarding failure:

l VLAN ID in packets

l Interface information

Before changing the networking environment, clear all DHCP snooping binding entries manually so that a device generates a new DHCP snooping binding table according to the new networking environment.

To clear entries in the DHCP snooping binding table, run the following command in the user view or system view.

Procedure

l Run the reset dhcp snooping user-bind [ [ vlan vlan-id | interface interface-type interface-number ]* | ip-address ip-address | ipv6-address ipv6-address ] command to reset the DHCP snooping binding table.

----End

3.10 Configuration Examples

This section provides several configuration examples of DHCP snooping.

3.10.1 Example for Preventing Bogus DHCP Server Attacks
This section describes the configuration of preventing bogus DHCP server attacks, including the configuration of the trusted interface and the alarm function for discarded DHCP Reply packets.

3.10.2 Example for Preventing DoS Attacks by Changing the CHADDR Field
This section describes the configuration of preventing DoS attacks by changing the CHADDR field, including the configuration of the function of checking the CHADDR field of DHCP Request messages on the user-side interface and the alarm function for discarded packets.

3.10.3 Example for Preventing Attackers from Sending Bogus DHCP Messages for Extending IP Address Leases
This section describes the configuration of preventing attackers from sending bogus DHCP messages for extending IP address leases, including the configuration of the function of checking the DHCP Request messages on the user-side interface and the alarm function for discarded packets.

3.10.4 Example for Limiting the Rate of Sending DHCP Messages
This section describes the configuration of limiting the rate of sending DHCP messages, including the configuration of the rate of sending DHCP messages to the protocol stack and the alarm function for discarded packets.

3.10.5 Example for Applying DHCP Snooping on a Layer 2 Network
This section describes the configuration of DHCP snooping on a Layer 2 network, including the configuration of the trusted interface, the function of checking DHCP messages, the function of limiting the rate of sending DHCP messages, and the Option 82 function.

3.10.1 Example for Preventing Bogus DHCP Server Attacks

This section describes the configuration of preventing bogus DHCP server attacks, including the configuration of the trusted interface and the alarm function for discarded DHCP Reply packets.

Networking Requirements

As shown in Figure 3-2, the Switch is deployed between the user network and the Layer 2 network of the ISP. To prevent bogus DHCP server attacks, it is required that DHCP snooping be configured on the Switch, the user-side interface be configured as an untrusted interface, the network-side interface be configured as the trusted interface, and the alarm function for discarded DHCP Reply packets be configured.

Figure 3-2 Networking diagram for preventing bogus DHCP server attacks (diagram not reproduced; its labels: User network, Switch with GE0/0/2 on the user side and GE0/0/1 on the ISP side, ISP L2 network, DHCP relay, L3 network, DHCP server)


Configuration Roadmap

The configuration roadmap is as follows: (Assume that the DHCP server has been configured.)

1. Enable DHCP snooping globally and on the interface.

2. Enable bogus DHCP server detection.

3. Configure the interface connected to the DHCP server as the trusted interface.

4. Configure the alarm function for discarded DHCP Reply packets.

Data Preparation

To complete the configuration, you need the following data:

l GE 0/0/1 being the trusted interface and GE 0/0/2 being the untrusted interface

l Alarm threshold being 120

NOTE

This configuration example provides only the commands related to the DHCP snooping configuration.

Procedure

Step 1 Enable DHCP snooping.

# Enable DHCP snooping globally.

<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable

# Enable bogus DHCP server detection.

[Quidway] dhcp server detect

# Enable DHCP snooping on the user-side interface.

[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] dhcp snooping enable
[Quidway-GigabitEthernet0/0/2] quit

Step 2 Configure the interface as the trusted interface or an untrusted interface.

# Configure the interface on the DHCP server side as the trusted interface.

[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] dhcp snooping trusted
[Quidway-GigabitEthernet0/0/1] quit

# Configure the user-side interface as an untrusted interface.

After DHCP snooping is enabled on GE 0/0/2, GE 0/0/2 is an untrusted interface by default.

Step 3 Configure the alarm function for discarded DHCP Reply packets.

# Configure the Switch to discard the Reply messages received by untrusted interfaces, and set the alarm threshold.

[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-reply enable threshold 120
[Quidway-GigabitEthernet0/0/2] quit

Step 4 Verify the configuration.


Run the display dhcp snooping global command on the Switch, and you can view that DHCP snooping is enabled globally and in the interface view.

<Quidway> display dhcp snooping global
 dhcp snooping enable
 Dhcp snooping enable is configured at vlan :NULL
 Dhcp snooping enable is configured at interface : GigabitEthernet0/0/2
 Dhcp snooping trusted is configured at interface : GigabitEthernet0/0/1
 Dhcp option82 insert is configured at interface :NULL
 Dhcp option82 rebuild is configured at interface :NULL
 Dhcp option82 insert is configured at vlan :NULL
 Dhcp option82 rebuild is configured at vlan :NULL
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 60

<Quidway> display dhcp snooping interface gigabitethernet 0/0/1
 dhcp snooping trusted
 dhcp packet dropped by untrust-reply checking = 0

<Quidway> display dhcp snooping interface gigabitethernet 0/0/2
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 dhcp packet dropped by untrust-reply checking = 10

----End

Configuration Files

#
 dhcp enable
 dhcp snooping enable
 dhcp server detect
#
interface GigabitEthernet0/0/1
 dhcp snooping trusted
#
interface GigabitEthernet0/0/2
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
#
return
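The display output above is also what an operator polls to notice a bogus DHCP server: a rising "dropped by untrust-reply checking" counter on an untrusted interface means something on the user side answered as a DHCP server. The following Python parser is added as an illustration of that check and is not part of the Huawei guide or of the S2300 software; the sample text is the command output printed in this example, while the function names and the way the output is gathered (here embedded as strings) are assumptions.

```python
"""Parse 'display dhcp snooping' output and flag untrusted interfaces that
discarded DHCP replies. Added illustration, not Huawei code. The samples
are the command output shown in this example; names are assumptions.
"""
import re

SAMPLE_GLOBAL = """\
dhcp snooping enable
Dhcp snooping enable is configured at vlan :NULL
Dhcp snooping enable is configured at interface : GigabitEthernet0/0/2
Dhcp snooping trusted is configured at interface : GigabitEthernet0/0/1
dhcp packet drop count within alarm range : 0
dhcp packet drop count total : 60
"""

SAMPLE_INTERFACES = {
    "GigabitEthernet0/0/1": ("dhcp snooping trusted\n"
                             "dhcp packet dropped by untrust-reply checking = 0\n"),
    "GigabitEthernet0/0/2": ("dhcp snooping enable\n"
                             "dhcp snooping alarm dhcp-reply enable threshold 120\n"
                             "dhcp packet dropped by untrust-reply checking = 10\n"),
}

DROP_RE = re.compile(r"dhcp packet dropped by (\S+) checking\s*=\s*(\d+)")
TOTAL_RE = re.compile(r"drop count total\s*:\s*(\d+)")
TRUSTED_RE = re.compile(r"trusted is configured at interface\s*:\s*(\S+)")


def parse_global(text):
    """Total discard counter and the list of trusted interfaces from the global view."""
    m = TOTAL_RE.search(text)
    return {"total_drops": int(m.group(1)) if m else 0,
            "trusted": TRUSTED_RE.findall(text)}


def parse_interface(text):
    """Per-check discard counters of one interface, e.g. {'untrust-reply': 10}."""
    return {check: int(count) for check, count in DROP_RE.findall(text)}


def find_rogue_dhcp(global_text, iface_texts):
    """Untrusted interfaces whose untrust-reply counter is non-zero, with the count.
    Each one received DHCP replies from the user side, i.e. from a bogus server."""
    trusted = set(parse_global(global_text)["trusted"])
    hits = []
    for iface, text in iface_texts.items():
        counts = parse_interface(text)
        if iface not in trusted and counts.get("untrust-reply", 0) > 0:
            hits.append((iface, counts["untrust-reply"]))
    return hits
```

Because the counters are cumulative until reset dhcp snooping statistics is run (section 3.9.1), a monitoring job should compare successive readings rather than alert on every non-zero value.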

3.10.2 Example for Preventing DoS Attacks by Changing the CHADDR Field

This section describes the configuration of preventing DoS attacks by changing the CHADDR field, including the configuration of the function of checking the CHADDR field of DHCP Request messages on the user-side interface and the alarm function for discarded packets.

Networking Requirements

As shown in Figure 3-3, the Switch is deployed between the user network and the ISP Layer 2 network. To prevent DoS attacks by changing the CHADDR field, it is required that DHCP snooping be configured on the Switch. The CHADDR field of DHCP Request messages is checked. If the CHADDR field of DHCP Request messages matches the source MAC address in the frame header, the messages are forwarded. Otherwise, the messages are discarded. The alarm function for discarded packets is configured.

Figure 3-3 Networking diagram for preventing DoS attacks by changing the CHADDR field (diagram not reproduced; its labels: User network, Switch with GE0/0/2 on the user side and GE0/0/1 on the ISP side, ISP L2 network, DHCP relay, L3 network, DHCP server)

Configuration Roadmap

The configuration roadmap is as follows:

1. Enable DHCP snooping globally and on the interface.

2. Configure the interface connected to the DHCP server as the trusted interface.

3. Enable the function of checking the CHADDR field of DHCP Request messages on the user-side interface.

4. Configure the alarm function for discarded packets.

Data Preparation

To complete the configuration, you need the following data:

l Alarm threshold

NOTE

This configuration example provides only the commands related to the DHCP snooping configuration.

Procedure

Step 1 Enable DHCP snooping.


# Enable DHCP snooping globally.

<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable

# Enable DHCP snooping on the user-side interface.

[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] dhcp snooping enable
[Quidway-GigabitEthernet0/0/2] quit

Step 2 Configure the interface as the trusted interface or an untrusted interface.

# Configure the interface on the DHCP server side as the trusted interface.

[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] dhcp snooping trusted
[Quidway-GigabitEthernet0/0/1] quit

# Configure the user-side interface as an untrusted interface.

After DHCP snooping is enabled on GE 0/0/2, GE 0/0/2 is an untrusted interface by default.

Step 3 Enable the function of checking the CHADDR field of DHCP Request messages on the user-side interface, and configure the alarm function and threshold for discarded packets.

[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] dhcp snooping check dhcp-chaddr enable alarm dhcp-chaddr enable threshold 120

Step 4 Verify the configuration.

Run the display dhcp snooping command on the Switch, and you can view that DHCP snooping is enabled globally and in the interface view.

<Quidway> display dhcp snooping global
 dhcp snooping enable
 Dhcp snooping enable is configured at vlan :NULL
 Dhcp snooping enable is configured at interface : GigabitEthernet0/0/2
 Dhcp snooping trusted is configured at interface : GigabitEthernet0/0/1
 Dhcp option82 insert is configured at interface :NULL
 Dhcp option82 rebuild is configured at interface :NULL
 Dhcp option82 insert is configured at vlan :NULL
 Dhcp option82 rebuild is configured at vlan :NULL
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 25

<Quidway> display dhcp snooping interface gigabitethernet 0/0/1
 dhcp snooping trusted
 dhcp packet dropped by untrust-reply checking = 0

<Quidway> display dhcp snooping interface gigabitethernet 0/0/2
 dhcp snooping enable
 dhcp snooping check dhcp-chaddr enable alarm dhcp-chaddr enable threshold 120
 dhcp packet dropped by dhcp-chaddr checking = 25
 dhcp packet dropped by untrust-reply checking = 0

----End


Configuration Files

#
 dhcp enable
 dhcp snooping enable
#
interface GigabitEthernet0/0/1
 dhcp snooping trusted
#
interface GigabitEthernet0/0/2
 dhcp snooping enable
 dhcp snooping check dhcp-chaddr enable alarm dhcp-chaddr enable threshold 120
#
return

3.10.3 Example for Preventing Attackers from Sending Bogus DHCP Messages for Extending IP Address Leases

This section describes the configuration of preventing attackers from sending bogus DHCP messages for extending IP address leases, including the configuration of the function of checking the DHCP Request messages on the user-side interface and the alarm function for discarded packets.

Networking Requirements

As shown in Figure 3-4, the Switch is deployed between the user network and the ISP Layer 2 network. To prevent attackers from sending bogus DHCP messages for extending IP address leases, it is required that DHCP snooping be configured on the Switch and the DHCP snooping binding table be created. If the received DHCP Request messages match entries in the binding table, they are forwarded; otherwise, they are discarded. The alarm function for discarded packets is configured.

Figure 3-4 Networking diagram for preventing attackers from sending bogus DHCP messages for extending IP address leases (diagram not reproduced; its labels: User network, Switch with GE0/0/2 on the user side and GE0/0/1 on the ISP side, ISP L2 network, DHCP relay, L3 network, DHCP server)


Configuration Roadmap

The configuration roadmap is as follows:

1. Enable DHCP snooping globally and on the interface.
2. Configure the interface connected to the DHCP server as the trusted interface.
3. Use the DHCP snooping binding table to check DHCP Request messages.
4. Configure the alarm function for discarded packets.

Data Preparation

To complete the configuration, you need the following data:

- ID of the VLAN that each interface belongs to
- Static IP addresses from which packets are forwarded
- Alarm threshold

NOTE

This configuration example provides only the commands related to the DHCP snooping configuration.

Procedure

Step 1 Enable DHCP snooping.

# Enable DHCP snooping globally.

<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable

# Enable DHCP snooping on the user-side interface.

[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] dhcp snooping enable
[Quidway-GigabitEthernet0/0/2] quit

Step 2 Configure the interface as the trusted interface or an untrusted interface.

# Configure the interface on the DHCP server side as the trusted interface.

[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] dhcp snooping trusted
[Quidway-GigabitEthernet0/0/1] quit

# Configure the user-side interface as an untrusted interface.

After DHCP snooping is enabled on GE 0/0/2, GE 0/0/2 is an untrusted interface by default.

Step 3 Configure the DHCP Request check and the alarm function for discarded packets.

[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] dhcp snooping check dhcp-request enable alarm dhcp-request enable threshold 120
[Quidway-GigabitEthernet0/0/2] quit

Step 4 Check the DHCP snooping binding entries.


Run the display dhcp snooping user-bind all command to view all the DHCP snooping binding entries of users. The entry is learned on the user-side interface GE0/0/2.

<Quidway> display dhcp snooping user-bind all
DHCP Dynamic Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - map vlan
IP Address       MAC Address    VSI/VLAN(O/I/P)  Interface             Lease
--------------------------------------------------------------------------------
10.1.1.3         0000-005e-008a 3   /--  /--      GigabitEthernet0/0/2  2010.08.14-12:58
--------------------------------------------------------------------------------
print count:           1          total count:           1

Step 5 Verify the configuration.

Run the display dhcp snooping global command on the Switch to check that DHCP snooping is enabled globally and on the interface, and that GE0/0/1 is the trusted interface.

<Quidway> display dhcp snooping global
 dhcp snooping enable
 Dhcp snooping enable is configured at vlan :NULL
 Dhcp snooping enable is configured at interface : GigabitEthernet0/0/2
 Dhcp snooping trusted is configured at interface : GigabitEthernet0/0/1
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 45

<Quidway> display dhcp snooping interface gigabitethernet 0/0/1
 dhcp snooping trusted
 dhcp packet dropped by untrust-reply checking = 0
<Quidway> display dhcp snooping interface gigabitethernet 0/0/2
 dhcp snooping enable
 dhcp snooping check dhcp-request enable alarm dhcp-request threshold 120
 dhcp packet dropped by dhcp-request checking = 45
 dhcp packet dropped by untrust-reply checking = 0

----End

Configuration Files

#
 dhcp enable
 dhcp snooping enable
#
interface GigabitEthernet0/0/1
 dhcp snooping trusted
#
interface GigabitEthernet0/0/2
 dhcp snooping enable
 dhcp snooping check dhcp-request enable alarm dhcp-request threshold 120
#
return

3.10.4 Example for Limiting the Rate of Sending DHCP Messages

This section describes how to limit the rate at which DHCP messages are sent to the protocol stack, and how to configure the alarm function for the packets discarded by that limit.

Networking Requirements

As shown in Figure 3-5, to prevent an attacker from sending a large number of DHCP Request messages, DHCP snooping must be enabled on the Switch to limit the rate at which DHCP Request messages are sent to the protocol stack. The alarm function for discarded packets also needs to be enabled.

Figure 3-5 Networking diagram for limiting the rate of sending DHCP messages (diagram not reproduced: a DHCP client and an attacker on the Layer 2 user network are attached to Ethernet0/0/1 and Ethernet0/0/2 of the Switch; the DHCP relay and DHCP server are reached through GE0/0/1 across the ISP Layer 2 and Layer 3 networks)

Configuration Roadmap

The configuration roadmap is as follows:

1. Enable DHCP snooping globally and in the interface view.
2. Configure the interface connected to the DHCP server as the trusted interface.
3. Set the rate of sending DHCP Request messages to the protocol stack on interfaces.
4. Configure the alarm function for discarded packets on interfaces.

Data Preparation

To complete the configuration, you need the following data:

- Rate of sending DHCP Request messages
- Alarm threshold

NOTE

This configuration example provides only the commands related to the DHCP snooping configuration.

Procedure

Step 1 Enable DHCP snooping.

# Enable DHCP snooping globally.

<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable


# Enable DHCP snooping on the user-side interfaces. The configuration of Ethernet 0/0/2 and GE 0/0/1 is similar to that of Ethernet 0/0/1 and is not shown here.

[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] dhcp snooping enable
[Quidway-Ethernet0/0/1] quit

Step 2 Configure the interface as the trusted interface or an untrusted interface.

# Configure the interface on the DHCP server side as the trusted interface.

[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] dhcp snooping trusted
[Quidway-GigabitEthernet0/0/1] quit

# Configure the user-side interface as an untrusted interface.

After DHCP snooping is enabled on Ethernet 0/0/1 and Ethernet 0/0/2, both interfaces are untrusted by default.

Step 3 Configure the rate of sending DHCP messages to the DHCP protocol stack and the alarm function for discarded packets.

# Configure the rate of sending DHCP messages to the DHCP protocol stack and the alarm function for discarded packets on each interface. The configuration of Ethernet 0/0/2 and GE 0/0/1 is similar to that of Ethernet 0/0/1 and is not shown here.

[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] dhcp snooping check dhcp-rate enable 50 alarm dhcp-rate enable threshold 50
[Quidway-Ethernet0/0/1] quit

Step 4 Verify the configuration.

Run the display dhcp snooping global command on the Switch to check that DHCP snooping is enabled globally and on the interfaces.

[Quidway] display dhcp snooping global
 dhcp snooping enable
 Dhcp snooping enable is configured at these vlan :NULL
 Dhcp snooping enable is configured at these interface : Ethernet0/0/1 Ethernet0/0/2 GigabitEthernet0/0/1
 Dhcp snooping trusted is configured at these interface : GigabitEthernet0/0/1
 Dhcp option82 insert is configured at these interface :NULL
 Dhcp option82 rebuild is configured at these interface :NULL
 Dhcp option82 insert is configured at these vlan :NULL
 Dhcp option82 rebuild is configured at these vlan :NULL
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 0

Run the display dhcp snooping interface command on the Switch to view the DHCP snooping configuration of each interface.

[Quidway] display dhcp snooping interface gigabitethernet 0/0/1
 dhcp snooping trusted
 dhcp snooping check dhcp-rate enable 50 alarm dhcp-rate enable threshold 50
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 0
 dhcp packet dropped by untrust-reply checking = 0
[Quidway] display dhcp snooping interface ethernet 0/0/1
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable 50 alarm dhcp-rate enable threshold 50
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 0
 dhcp packet dropped by untrust-reply checking = 0
[Quidway] display dhcp snooping interface ethernet 0/0/2
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable 50 alarm dhcp-rate enable threshold 50
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 0
 dhcp packet dropped by untrust-reply checking = 0

----End

Configuration Files

#
 dhcp enable
 dhcp snooping enable
#
interface Ethernet0/0/1
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable 50 alarm dhcp-rate enable threshold 50
#
interface Ethernet0/0/2
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable 50 alarm dhcp-rate enable threshold 50
#
interface GigabitEthernet0/0/1
 dhcp snooping enable
 dhcp snooping trusted
 dhcp snooping check dhcp-rate enable 50 alarm dhcp-rate enable threshold 50
#
return

3.10.5 Example for Applying DHCP Snooping on a Layer 2 Network

This section describes the configuration of DHCP snooping on a Layer 2 network, including the trusted interface, the DHCP message checks, the limit on the rate of sending DHCP messages, and the Option 82 function.

Networking Requirements

As shown in Figure 3-6, DHCP clients are connected to the Switch through VLAN 10. DHCP client1 uses a dynamically allocated IP address and DHCP client2 uses a statically configured IP address. DHCP snooping must be configured on the user-side interfaces Ethernet 0/0/1 and Ethernet 0/0/2 of the Switch to prevent the following types of attack:

- Bogus DHCP server attacks
- DoS attacks by changing the value of the CHADDR field
- Attacks by sending bogus messages to extend IP address leases
- Attacks by sending a large number of DHCP Request messages


Figure 3-6 Networking diagram for configuring DHCP snooping (diagram not reproduced: DHCP client1 on Ethernet0/0/1 and DHCP client2, IP 10.1.1.1/24 and MAC 0001-0002-0003, on Ethernet0/0/2 of the Switch; the DHCP relay and DHCP server are reached through GE0/0/1)

Configuration Roadmap

The configuration roadmap is as follows:

1. Enable DHCP snooping globally and in the interface view.
2. Configure interfaces as trusted or untrusted to prevent bogus DHCP server attacks.
3. Configure the DHCP snooping binding table and check DHCP Request messages against its entries to prevent attackers from sending bogus DHCP messages for extending IP address leases.
4. Configure the check of the CHADDR field in DHCP Request messages to prevent attackers from changing the CHADDR field.
5. Set the rate of sending DHCP Request messages to the protocol stack to prevent attackers from sending a large number of DHCP Request messages.
6. Configure the Option 82 function.
7. Configure the alarm function for discarded packets.

Data Preparation

To complete the configuration, you need the following data:

- VLAN that the interfaces belong to: VLAN 10
- Ethernet 0/0/1 and Ethernet 0/0/2 as untrusted interfaces and GE 0/0/1 as the trusted interface
- Static IP address from which packets are forwarded: 10.1.1.1/24, with MAC address 0001-0002-0003
- Rate of sending DHCP messages to the protocol stack: 90
- Mode of the Option 82 function: insert
- Alarm threshold for the number of discarded packets: 120


NOTE

This configuration example provides only the commands related to the DHCP snooping configuration.

Procedure

Step 1 Enable DHCP snooping.

# Enable DHCP snooping globally.

<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable

# Enable DHCP snooping on the user-side interfaces. The configuration of Ethernet 0/0/2 is the same as that of Ethernet 0/0/1 and is not shown here.

[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] dhcp snooping enable
[Quidway-Ethernet0/0/1] quit

Step 2 Configure the interface as trusted.

# Configure the interface connected to the DHCP server as the trusted interface; DHCP snooping is enabled on all interfaces connected to DHCP clients. A client-side interface that is not configured as trusted is untrusted by default once DHCP snooping is enabled on it, which is what prevents bogus DHCP server attacks.

[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] dhcp snooping trusted
[Quidway-GigabitEthernet0/0/1] quit

Step 3 Configure the checking for certain types of packets and alarm function.

# Enable the DHCP Request check and its alarm function on the client-side interfaces to prevent attackers from sending bogus DHCP messages for extending IP address leases. The configuration of Ethernet 0/0/2 is the same as that of Ethernet 0/0/1 and is not shown here.

[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] dhcp snooping check dhcp-request enable alarm dhcp-request enable threshold 120

# Enable the CHADDR check and its alarm function on the client-side interfaces to prevent attackers from changing the CHADDR field in DHCP Request messages. The configuration of Ethernet 0/0/2 is the same as that of Ethernet 0/0/1 and is not shown here.

[Quidway-Ethernet0/0/1] dhcp snooping check dhcp-chaddr enable alarm dhcp-chaddr enable threshold 120
[Quidway-Ethernet0/0/1] quit

Step 4 Check the DHCP snooping binding entries.

Run the display dhcp snooping user-bind all command to view the DHCP snooping binding entries of users.

<Quidway> display dhcp snooping user-bind all
DHCP Dynamic Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - map vlan
IP Address       MAC Address    VSI/VLAN(O/I/P)  Interface         Lease
--------------------------------------------------------------------------------
10.1.1.1         0001-0002-0003 10  /--  /--      Ethernet0/0/2     2010.08.14-12:58
--------------------------------------------------------------------------------
print count:           1          total count:           1

Step 5 Limit the rate of sending DHCP messages.

# Limit the rate of sending DHCP messages to the protocol stack to prevent attackers from sending a large number of DHCP Request messages.

[Quidway] dhcp snooping check dhcp-rate enable
[Quidway] dhcp snooping check dhcp-rate 90

Step 6 Configure the Option 82 function.

# Configure the user-side interfaces to insert the Option 82 field into DHCP messages. The configuration of Ethernet 0/0/2 is the same as that of Ethernet 0/0/1 and is not shown here.

[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] dhcp option82 insert enable
[Quidway-Ethernet0/0/1] quit

Step 7 Configure the alarm function for discarded packets.

# Enable the alarm function for discarded DHCP Reply packets and set the alarm threshold for the number of discarded packets. The configuration of Ethernet 0/0/2 is the same as that of Ethernet 0/0/1 and is not shown here.

[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] dhcp snooping alarm dhcp-reply enable threshold 120
[Quidway-Ethernet0/0/1] quit

Step 8 Verify the configuration.

Run the display dhcp snooping global command on the Switch to check that DHCP snooping is enabled globally and to view the drop statistics that feed the alarms.

[Quidway] display dhcp snooping global
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable
 dhcp snooping check dhcp-rate 90
 Dhcp snooping enable is configured at these vlan :NULL
 Dhcp snooping enable is configured at these interface : Ethernet0/0/1 Ethernet0/0/2
 Dhcp snooping trusted is configured at these interface : GigabitEthernet0/0/1
 Dhcp option82 insert is configured at these interface : Ethernet0/0/1 Ethernet0/0/2
 Dhcp option82 rebuild is configured at these interface :NULL
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 0

Run the display dhcp snooping interface command to view the DHCP snooping configuration and drop counters of an interface.

[Quidway] display dhcp snooping interface Ethernet 0/0/1
 dhcp snooping enable
 dhcp option82 insert enable
 dhcp snooping check dhcp-request enable alarm dhcp-request threshold 120
 dhcp packet dropped by dhcp-request checking = 0
 dhcp snooping check dhcp-chaddr enable alarm dhcp-chaddr enable threshold 120
 dhcp packet dropped by dhcp-chaddr checking = 0
 dhcp snooping alarm dhcp-reply enable threshold 120
 dhcp packet dropped by untrust-reply checking = 0
[Quidway] display dhcp snooping interface gigabitethernet 0/0/1
 dhcp snooping trusted
 dhcp packet dropped by untrust-reply checking = 0

Run the display dhcp static user-bind all command to view all the DHCP static binding entries of users.

<Quidway> display dhcp static user-bind all
DHCP static Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - map vlan
IP Address       MAC Address    VSI/VLAN(O/I/P)  Interface         Lease
--------------------------------------------------------------------------------
10.1.1.1         0001-0002-0003 10  /--  /--      Ethernet0/0/2     2010.08.14-12:58
--------------------------------------------------------------------------------
print count:           1          total count:           1

Run the display dhcp option82 interface command to view the Option 82 configuration of an interface.

[Quidway] display dhcp option82 interface Ethernet 0/0/1
 dhcp option82 insert enable

----End

Configuration Files

#
 dhcp enable
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable
 dhcp snooping check dhcp-rate 90
#
 user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface Ethernet 0/0/2 vlan 10
#
interface Ethernet0/0/1
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 dhcp snooping check dhcp-chaddr enable alarm dhcp-chaddr enable threshold 120
 dhcp snooping check dhcp-request enable alarm dhcp-request enable threshold 120
 dhcp option82 insert enable
#
interface Ethernet0/0/2
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 dhcp snooping check dhcp-chaddr enable alarm dhcp-chaddr enable threshold 120
 dhcp snooping check dhcp-request enable alarm dhcp-request enable threshold 120
 dhcp option82 insert enable
#
interface GigabitEthernet0/0/1
 dhcp snooping trusted
#
return
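The checks configured in 3.10.3, 3.10.4 and 3.10.5 (untrust-reply, dhcp-chaddr, dhcp-request and dhcp-rate, each with a drop counter and an alarm threshold) can be traced on packets with the following Python model. It is added here as an example and is not code from the Huawei guide or from the switch software. The topology and the binding entry are those of Figure 3-4; the DHCP packets, the source MAC addresses and the per-second rate window are constructed for the example, and the order in which the checks are applied and the reset of the "within alarm range" counter after a trap are assumptions, since the guide does not state them.

```python
# Added example (not code from the Huawei guide): a model of the DHCP snooping checks
# in 3.10.2-3.10.5. Assumed, not stated by the guide: the binding table is keyed
# ip -> (mac, vlan, interface); the dhcp-request check applies to client messages
# carrying a ciaddr; the rate limit is a per-second counter; the "within alarm
# range" drop counter restarts after each trap.
from dataclasses import dataclass, field

DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = range(1, 8)   # option 53 values
SERVER_MSGS = {OFFER, ACK, NAK}
MAGIC = b"\x63\x82\x53\x63"

def parse_dhcp(payload: bytes) -> dict:
    """Read ciaddr and chaddr from the BOOTP header and the message type from option 53."""
    hlen = payload[2]
    if payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    msg_type, i = None, 240
    while i < len(payload) and payload[i] != 255:          # 255 = end option
        if payload[i] == 0:                                 # 0 = pad
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53:
            msg_type = payload[i + 2]
        i += 2 + length
    if msg_type is None:
        raise ValueError("no DHCP message type option")
    mac = payload[28:28 + hlen].hex()
    return {"type": msg_type,
            "ciaddr": ".".join(str(b) for b in payload[12:16]),
            "chaddr": "-".join(mac[j:j + 4] for j in range(0, 12, 4))}   # Huawei notation

def build_dhcp(msg_type: int, chaddr: str, ciaddr: str = "0.0.0.0") -> bytes:
    # Constructed test packet: 236-byte fixed header, magic cookie, option 53, end option.
    op = 2 if msg_type in SERVER_MSGS else 1
    hdr = bytes([op, 1, 6, 0]) + bytes(8)                                # xid, secs, flags
    hdr += bytes(int(x) for x in ciaddr.split(".")) + bytes(12)          # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes.fromhex(chaddr.replace("-", "")) + bytes(10) + bytes(192)  # chaddr, sname, file
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])

@dataclass
class Port:
    name: str
    vlan: int
    trusted: bool = False
    check_chaddr: bool = False
    check_request: bool = False
    rate_limit: int = 0                 # client DHCP messages per second; 0 = no limit
    alarm_threshold: int = 100
    drops: dict = field(default_factory=dict)               # reason -> [within alarm range, total]
    traps: list = field(default_factory=list)
    window: list = field(default_factory=lambda: [-1, 0])   # [second, messages seen in it]

class DhcpSnooping:
    def __init__(self):
        self.binding = {}               # ip -> (mac, vlan, interface), one row per user
    def _drop(self, port: Port, reason: str) -> str:
        c = port.drops.setdefault(reason, [0, 0])
        c[0] += 1
        c[1] += 1
        if c[0] > port.alarm_threshold: # trap to the NMS, then restart the alarm window
            port.traps.append(reason)
            c[0] = 0
        return "drop:" + reason

    def handle(self, port: Port, src_mac: str, payload: bytes, second: int = 0) -> str:
        m = parse_dhcp(payload)
        if m["type"] in SERVER_MSGS:    # server messages are accepted only on trusted interfaces
            return "forward" if port.trusted else self._drop(port, "untrust-reply")
        if port.trusted:
            return "forward"
        if port.rate_limit:             # dhcp-rate check
            if second != port.window[0]:
                port.window = [second, 0]
            port.window[1] += 1
            if port.window[1] > port.rate_limit:
                return self._drop(port, "dhcp-rate")
        if port.check_chaddr and m["chaddr"] != src_mac:   # dhcp-chaddr check
            return self._drop(port, "dhcp-chaddr")
        if (port.check_request and m["type"] in (REQUEST, DECLINE, RELEASE)
                and m["ciaddr"] != "0.0.0.0"):             # dhcp-request (lease) check
            if self.binding.get(m["ciaddr"]) != (m["chaddr"], port.vlan, port.name):
                return self._drop(port, "dhcp-request")
        return "forward"

def demo() -> dict:
    """Figure 3-4: GE0/0/1 trusted (server side), GE0/0/2 untrusted (user side), VLAN 3."""
    sw = DhcpSnooping()
    uplink = Port("GigabitEthernet0/0/1", 3, trusted=True)
    user = Port("GigabitEthernet0/0/2", 3, check_chaddr=True, check_request=True,
                rate_limit=50, alarm_threshold=2)
    sw.binding["10.1.1.3"] = ("0000-005e-008a", 3, user.name)       # the entry shown in 3.10.3
    r = {"ack_from_server": sw.handle(uplink, "0000-5e00-0001", build_dhcp(ACK, "0000-005e-008a")),
         "ack_from_user": sw.handle(user, "0000-5e00-0099", build_dhcp(ACK, "0000-005e-008a")),
         "renew_ok": sw.handle(user, "0000-005e-008a", build_dhcp(REQUEST, "0000-005e-008a", "10.1.1.3")),
         "renew_forged": sw.handle(user, "0000-005e-00ff", build_dhcp(REQUEST, "0000-005e-00ff", "10.1.1.3")),
         "chaddr_forged": sw.handle(user, "0000-005e-008a", build_dhcp(DISCOVER, "0000-005e-0001"))}
    for _ in range(60):                 # 60 Discovers in one second: 10 over the limit of 50
        sw.handle(user, "0000-005e-008a", build_dhcp(DISCOVER, "0000-005e-008a"), second=7)
    r["rate_drops_total"] = user.drops["dhcp-rate"][1]
    r["rate_traps"] = user.traps.count("dhcp-rate")
    return r
```

The rate case shows why the alarm threshold is a separate setting from the rate limit: the limit decides which packets are dropped, the threshold decides how many drops are tolerated before the NMS is told. The model also makes the trust boundary visible: a server message arriving on the trusted interface is forwarded without any further check, so a trusted interface must face only the DHCP server or relay, otherwise the untrust-reply check is bypassed.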


4 Source IP Attack Defense Configuration

About This Chapter

This chapter describes the principle and configuration of defense against source IP address attacks.

Context

NOTE

The source IP attack defense function cannot be used on the S2300SI.

4.1 Overview of IP Source Guard
This section describes the principle of IP source guard.

4.2 IP Source Guard Features Supported by the S2300
This section describes how the IP source guard feature is supported on the S2300.

4.3 Configuring IP Source Guard
This section describes how to configure IP source guard.

4.4 Configuration Examples
This section provides a configuration example of IP source guard.


4.1 Overview of IP Source Guard

This section describes the principle of IP source guard.

Source IP address spoofing is a common network attack: the attacker impersonates a valid user and sends IP packets to a server, or forges the source IP address of a user in its own communication. As a result, valid users cannot obtain normal network services. To counter such attacks, the S2300 provides the IP source guard function.

IP Source Guard

IP source guard filters the IP packets received on an interface so that invalid packets cannot pass through it, which improves the security of the interface.

The attacker sends packets carrying the IP address and MAC address of an authorized user to the server. The server takes the attacker for the authorized user and learns the IP address and MAC address from the attacker's packets, so the real user can no longer obtain service from the server. Figure 4-1 shows the IP/MAC spoofing attack.

Figure 4-1 Diagram of IP/MAC spoofing attack (diagram not reproduced; nodes shown: DHCP server, DHCP client, attacker and Switch, with the addresses IP 1.1.1.1/24 MAC 1-1-1, IP 1.1.1.2/24 MAC 2-2-2 and IP 1.1.1.3/24 MAC 3-3-3, and a forged packet towards the Switch carrying IP 1.1.1.3/24 and MAC 3-3-3)

To prevent the IP/MAC spoofing attack, you can configure the IP source guard function on the S2300. The S2300 then matches the IP packets reaching an interface against the entries in the binding table. Packets that match an entry pass through the interface; all other packets are discarded.

4.2 IP Source Guard Features Supported by the S2300

This section describes how the IP source guard feature is supported on the S2300.


IP Source Guard

The IP source guard feature checks IP packets against the binding table, whose entries contain the source IP address, source MAC address, interface, and VLAN. In the interface view you can configure the IP packet check based on:

- IP+MAC
- IP+VLAN
- IP+MAC+VLAN
- ...

In the VLAN view you can configure the IP packet check based on:

- IP+MAC
- IP+Interface
- IP+MAC+Interface
- ...

The S2300 provides two binding mechanisms:

- After DHCP snooping is enabled for DHCP users, the binding table is generated dynamically for them.
- For users with static IP addresses, you configure the binding table by running commands.

NOTE

For the configurations of DHCP snooping, see 3 DHCP Snooping Configuration.

4.3 Configuring IP Source Guard

This section describes how to configure IP source guard.

4.3.1 Establishing the Configuration Task

4.3.2 (Optional) Configuring a Static User Binding Entry

4.3.3 Enabling IP Source Guard

4.3.4 Configuring the Check Items of IP Packets

4.3.5 (Optional) Configuring the Alarm Function of IP Source Guard
When the alarm function of IP source guard is enabled, the S2300 counts the received IP packets that fail the check. If this number exceeds the alarm threshold, the S2300 sends a trap message to the NMS.

4.3.6 (Optional) Configuring the Function of Discarding IP Packets with the Same Source and Destination IP Addresses

4.3.7 Checking the Configuration

4.3.1 Establishing the Configuration Task


Applicable Environment

After the IP source guard function is configured on the S2300, the S2300 checks IP packets against the binding table. Only IP packets that match the binding table are forwarded; all other IP packets are discarded.

Pre-configuration Tasks

Before configuring IP source guard, complete the following task:

- 3.3.2 Enabling DHCP Snooping, if there are DHCP users

Data Preparation

To configure IP source guard, you need the following data:

1. (Optional) User information in a static binding entry, including the IPv4 or IPv6 address, MAC address, VLAN ID, and interface number of the user
2. Type and number of the interface enabled with the IP source guard function
3. Alarm threshold for checking the received IP packets

4.3.2 (Optional) Configuring a Static User Binding Entry

Context

For users with statically assigned IP addresses, the S2300 cannot learn the MAC addresses automatically or generate binding entries, so before forwarding their traffic you must create the binding entries manually.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-bind static { { ip-address ip-address | ipv6-address ipv6-address } | mac-address mac-address } * [ interface interface-type interface-number ] [ vlan vlan-id [ ce-vlan ce-vlan-id ] ]

A static user binding entry is configured.

----End


4.3.3 Enabling IP Source Guard

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

This is a user-side interface.

Or, run:

vlan vlan-id

The VLAN view is displayed.

Step 3 Run:
ip source check user-bind enable

The IP source guard function is enabled on the interface.

By default, IP source guard is disabled on the S2300.

----End

4.3.4 Configuring the Check Items of IP Packets

Context

After the IP packet check is enabled, the S2300 checks the received IP packets against the binding table. The check items include the source IPv4 address, source IPv6 address, source MAC address, VLAN ID, and interface number.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

This is a user-side interface.

Or, run:

vlan vlan-id


The VLAN view is displayed.

Step 3 In the interface view, run:
ip source check user-bind check-item { ip-address | mac-address | vlan }*

Or in the VLAN view, run:

ip source check user-bind check-item { ip-address | mac-address | interface }*

The check items of IP packets are configured.

When receiving an IP packet, the interface checks it according to the configured check items: the source IPv4 address, source MAC address, VLAN, or a combination of these. If the packet matches a binding entry on the configured check items, it is forwarded; otherwise it is discarded.

By default, the check items consist of the IPv4 address, IPv6 address, MAC address, VLAN ID, and interface number.

NOTE

This command is valid only for dynamic binding entries.

----End

4.3.5 (Optional) Configuring the Alarm Function of IP Source Guard

When the alarm function of IP source guard is enabled, the S2300 counts the received IP packets that fail the check. If this number exceeds the alarm threshold, the S2300 sends a trap message to the NMS.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
ip source check user-bind alarm enable

The alarm function of IP source guard is enabled.

By default, the alarm function of IP source guard is disabled.

CAUTION

Do not configure the IP packet check function in both the VLAN view and the interface view; otherwise, the IP packet check alarm does not take effect as expected.


Step 4 Run:
ip source check user-bind alarm threshold threshold

The alarm threshold of IP source guard is set.

By default, the alarm threshold of IP source guard is 100.

----End
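The check-item semantics of 4.3.4, the alarm of 4.3.5 and the same-source-and-destination drop of 4.3.6 can be seen together in the following Python model, added here as an example; it is not code from the Huawei guide or from the switch software. The addresses are those of Host A and Host B in Figure 4-2 of 4.4.1 and the packets are constructed. That the view fixes the implicit key (the interface in the interface view, the VLAN in the VLAN view) while the configured check items decide which remaining fields must agree with a binding, and the handling of the alarm counter after a trap, are assumptions drawn from the command syntax, not statements of the guide.

```python
# Added example (not code from the Huawei guide): the IP source guard match of
# 4.3.3-4.3.6 as a function, run on the Host A / Host B case of Figure 4-2.
# Assumed, not stated by the guide: the view fixes one key implicitly (the
# interface, or the VLAN) and the configured check items decide which other
# fields must agree with a binding; the alarm counts drops per guard and sends
# a trap when the count exceeds the threshold, then restarts the count.
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:                # one binding table row, dynamic (DHCP snooping) or static
    ip: str
    mac: str
    vlan: int
    interface: str

@dataclass(frozen=True)
class Packet:                 # source fields IP source guard checks, plus dst_ip for 4.3.6
    ip: str
    mac: str
    vlan: int
    interface: str
    dst_ip: str = "10.0.0.254"

FIELD = {"ip-address": "ip", "mac-address": "mac", "vlan": "vlan", "interface": "interface"}
ITEMS = {"interface": {"ip-address", "mac-address", "vlan"},      # check items allowed per view
         "vlan": {"ip-address", "mac-address", "interface"}}

@dataclass
class Guard:
    view: str                 # "interface" or "vlan": the view the enable command was run in
    scope: object             # interface name or VLAN ID the guard is configured on
    check_items: frozenset
    alarm_enable: bool = False
    alarm_threshold: int = 100            # S2300 default
    drop_src_eq_dst: bool = False         # ip anti-attack source-ip equals destination-ip drop
    drops: int = 0                        # drops since the last trap
    traps: int = 0

    def __post_init__(self):
        bad = set(self.check_items) - ITEMS[self.view]
        if bad:
            raise ValueError(f"{sorted(bad)} cannot be a check item in the {self.view} view")

def scope_of(g: Guard, obj) -> object:
    return obj.interface if g.view == "interface" else obj.vlan

def check(g: Guard, table, p: Packet) -> str:
    """Return 'forward' or 'drop:<reason>' for one packet received in the guard's scope."""
    if scope_of(g, p) != g.scope:
        raise ValueError("packet is outside this guard's scope")
    if g.drop_src_eq_dst and p.ip == p.dst_ip:
        return "drop:src-equals-dst"
    for b in table:
        if scope_of(g, b) == g.scope and all(
                getattr(b, FIELD[i]) == getattr(p, FIELD[i]) for i in g.check_items):
            return "forward"
    g.drops += 1
    if g.alarm_enable and g.drops > g.alarm_threshold:
        g.traps += 1          # trap to the NMS, then a new counting window
        g.drops = 0
    return "drop:no-binding"

def demo() -> dict:
    # Figure 4-2: Host A 10.0.0.1 / 1-1-1 on Ethernet0/0/1, Host B 2-2-2 on Ethernet0/0/2, VLAN 10
    table = [Binding("10.0.0.1", "0001-0001-0001", 10, "Ethernet0/0/1")]
    host_a = Packet("10.0.0.1", "0001-0001-0001", 10, "Ethernet0/0/1")
    spoof = Packet("10.0.0.1", "0002-0002-0002", 10, "Ethernet0/0/2")    # Host B forging A's IP
    eth1 = Guard("interface", "Ethernet0/0/1", frozenset(ITEMS["interface"]))
    eth2 = Guard("interface", "Ethernet0/0/2", frozenset(ITEMS["interface"]),
                 alarm_enable=True, alarm_threshold=2)
    vlan_ip_only = Guard("vlan", 10, frozenset({"ip-address"}))
    vlan_ip_mac = Guard("vlan", 10, frozenset({"ip-address", "mac-address"}))
    r = {"host_a": check(eth1, table, host_a),
         "spoof_on_eth2": check(eth2, table, spoof),
         "vlan_ip_only": check(vlan_ip_only, table, spoof),   # weak items: the forged IP passes
         "vlan_ip_mac": check(vlan_ip_mac, table, spoof)}
    for _ in range(5):
        check(eth2, table, spoof)
    r["traps"] = eth2.traps
    eth1.drop_src_eq_dst = True
    land = Packet("10.0.0.1", "0001-0001-0001", 10, "Ethernet0/0/1", dst_ip="10.0.0.1")
    r["land"] = check(eth1, table, land)
    return r
```

The vlan_ip_only case is the caveat: with the check items reduced to ip-address in the VLAN view, Host B's packet carrying Host A's IP address is forwarded, because nothing left in the key distinguishes it from Host A. Keep ip-address and mac-address together unless there is a documented reason not to, and remember the guide's note that reduced check items apply only to dynamic binding entries.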

4.3.6 (Optional) Configuring the Function of Discarding IP Packets with the Same Source and Destination IP Addresses

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip anti-attack source-ip equals destination-ip drop

The function of discarding IP packets with the same source and destination IP addresses is enabled.

By default, IP packets with the same source and destination IP addresses are not discarded.

----End

4.3.7 Checking the Configuration

PrerequisiteThe configurations of IP source guard are complete.

Procedure

Step 1 Run the display dhcp static user-bind { interface interface-type interface-number | ip-address ip-address | ipsg-status | mac-address mac-address | vlan vlan-id [ interface interface-type interface-number ] | all [ verbose ] } command to view information about the static binding table.

Step 2 Run the display ip source check user-bind interface interface-type interface-number command to view the configuration of the IP source guard function on the interface.

----End

4.4 Configuration Examples

This section provides a configuration example of IP source guard.

4.4.1 Example for Configuring IP Source Guard


4.4.1 Example for Configuring IP Source Guard

Networking Requirements

As shown in Figure 4-2, Host A is connected to the Switch through Ethernet 0/0/1 and Host B through Ethernet 0/0/2. IP source guard must be configured on the Switch so that Host B cannot forge the IP address and MAC address of Host A, while IP packets from Host A still reach the server.

Figure 4-2 Networking diagram for configuring IP source guard (diagram not reproduced: Host A, IP 10.0.0.1/24 and MAC 1-1-1, on Ethernet0/0/1; Host B (attacker), IP 10.0.0.2/24 and MAC 2-2-2, on Ethernet0/0/2, sending packets with source IP 10.0.0.1/24 and source MAC 2-2-2 towards the Server behind the Switch)

Configuration Roadmap

Assume that the user obtains an IP address through DHCP. The configuration roadmap is as follows:

1. Enable the IP source guard function on the interfaces connected to Host A and Host B.

2. Configure a static binding table.

Data Preparation

To complete the configuration, you need the following data:

l Interface connected to Host A: Ethernet 0/0/1; interface connected to Host B: Ethernet 0/0/2

l IP address of Host A: 10.0.0.1/24; MAC address of Host A: 1-1-1

l VLAN where Host A resides: VLAN 10

NOTE

This configuration example provides only the commands related to the IP Source Guard configuration.


Procedure

Step 1 Enable the IP source guard function.

# Enable the IP source guard function on Ethernet 0/0/1 connected to Host A.

[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] ip source check user-bind enable

# Enable the alarm function for checking the received IP packets on Ethernet 0/0/1 connected to Host A.

[Quidway-Ethernet0/0/1] ip source check user-bind alarm enable
[Quidway-Ethernet0/0/1] ip source check user-bind alarm threshold 200
[Quidway-Ethernet0/0/1] quit

# Enable the IP source guard function on Ethernet 0/0/2 connected to Host B.

[Quidway] interface ethernet 0/0/2
[Quidway-Ethernet0/0/2] ip source check user-bind enable
[Quidway-Ethernet0/0/2] quit

# Enable the alarm function for checking the received IP packets on Ethernet 0/0/2 connected to Host B.

[Quidway] interface ethernet 0/0/2
[Quidway-Ethernet0/0/2] ip source check user-bind alarm enable
[Quidway-Ethernet0/0/2] ip source check user-bind alarm threshold 200
[Quidway-Ethernet0/0/2] quit

Step 2 After user A goes online, the system allocates IP address 10.0.0.1/24 to the user and the user adopts MAC address 1-1-1.

Step 3 Verify the configuration.

Run the display dhcp snooping user-bind all command on the Switch to view information about the binding table.

<Quidway> display dhcp snooping user-bind all
DHCP static Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - map vlan
IP Address       MAC Address     VSI/VLAN(O/I/P)  Interface
--------------------------------------------------------------------------------
10.0.0.1         0001-0001-0001  10  /--  /--     Eth0/0/1
--------------------------------------------------------------------------------
print count:           1          total count:           1

The preceding information indicates that Host A exists in the static binding table, whereas Host B does not.

----End

Configuration Files

#
 user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface Ethernet 0/0/1 vlan 10
#
interface Ethernet 0/0/1
 ip source check user-bind enable
 ip source check user-bind alarm enable
 ip source check user-bind alarm threshold 200
#
interface Ethernet 0/0/2
 ip source check user-bind enable
 ip source check user-bind alarm enable
 ip source check user-bind alarm threshold 200


#
return
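The check that the configuration above puts on Ethernet 0/0/1 and 0/0/2 can be modelled to show why Host B's forged packets are dropped while Host A's pass. The following is an added example, not S2300 code and not from this guide: it parses the user-bind static line from the configuration file into a binding, applies the per-interface lookup on (IP, MAC, VLAN, interface), and raises an alarm each time the discard count reaches the configured threshold (that alarm semantic, the field names, and the sample packets are assumptions of the example).

```python
"""Model of IP source guard as configured in the example above: a static binding
table of (IP, MAC, VLAN, interface) and a per-interface check that discards any
IP packet whose source does not match a binding for that interface.
Constructed example; the alarm rule (one alarm each time the discard count
reaches the threshold) is an assumption, not documented S2300 behaviour."""
from dataclasses import dataclass, field
from typing import FrozenSet, List


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str


def parse_user_bind(line: str) -> Binding:
    """Parse a 'user-bind static ...' configuration line into a Binding."""
    tok = line.split()

    def after(key: str) -> str:
        return tok[tok.index(key) + 1]

    # 'interface Ethernet 0/0/1' is two tokens in the configuration file
    i = tok.index("interface")
    iface = tok[i + 1] + tok[i + 2]
    return Binding(after("ip-address"), after("mac-address"), int(after("vlan")), iface)


@dataclass(frozen=True)
class IpPacket:
    in_interface: str
    vlan: int
    src_ip: str
    src_mac: str


@dataclass
class IpsgInterface:
    """One interface with 'ip source check user-bind enable' and an alarm threshold."""
    name: str
    bindings: FrozenSet[Binding]
    alarm_threshold: int = 200
    discarded: int = 0
    alarms: List[str] = field(default_factory=list)

    def forward(self, pkt: IpPacket) -> bool:
        """Return True if the packet is forwarded, False if IPSG discards it."""
        wanted = Binding(pkt.src_ip, pkt.src_mac, pkt.vlan, pkt.in_interface)
        if wanted in self.bindings:
            return True
        self.discarded += 1
        if self.discarded % self.alarm_threshold == 0:
            self.alarms.append(f"{self.name}: {self.discarded} packets discarded by IPSG")
        return False


# Binding line taken from the configuration file above.
CONFIG_LINE = "user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface Ethernet 0/0/1 vlan 10"


def run_scenario() -> dict:
    """Host A on Eth0/0/1, Host B on Eth0/0/2 forging Host A's IP (constructed packets)."""
    table = frozenset({parse_user_bind(CONFIG_LINE)})
    eth1 = IpsgInterface("Ethernet0/0/1", table, alarm_threshold=200)
    eth2 = IpsgInterface("Ethernet0/0/2", table, alarm_threshold=200)
    host_a = IpPacket("Ethernet0/0/1", 10, "10.0.0.1", "0001-0001-0001")
    spoof = IpPacket("Ethernet0/0/2", 10, "10.0.0.1", "0002-0002-0002")  # Host B using Host A's IP
    host_b = IpPacket("Ethernet0/0/2", 10, "10.0.0.2", "0002-0002-0002")  # Host B's own address
    results = {
        "host_a": eth1.forward(host_a),   # matches the binding: forwarded
        "spoof": eth2.forward(spoof),     # MAC and interface mismatch: discarded
        "host_b": eth2.forward(host_b),   # no binding at all on Eth0/0/2: discarded
    }
    for _ in range(198):                  # 200 discards in total on Eth0/0/2
        eth2.forward(spoof)
    results["eth2_alarms"] = len(eth2.alarms)
    return results
```

Note the third case: because Host B has no binding, IPSG on Ethernet 0/0/2 drops all of its IP traffic, not only the forged packets, which is what the verification output above (only Host A in the table) implies for this topology.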


5 Local Attack Defense Configuration

About This Chapter

This chapter describes the principle and configuration of local attack defense.

5.1 Configuring the Attack Defense Policy

This section describes how to configure the attack defense policy.


5.1 Configuring the Attack Defense Policy

This section describes how to configure the attack defense policy.

5.1.1 Establishing the Configuration Task

This section describes how to establish the configuration task of an attack defense policy.

5.1.2 (Optional) Configuring the Rule for Sending Packets to the CPU

The rule for sending packets to the CPU can be car..

5.1.1 Establishing the Configuration Task

This section describes how to establish the configuration task of an attack defense policy.

Applicable Environment

When a large number of users access the S2300, the CPU of the S2300 may be attacked by the packets sent by attackers, or the CPU needs to process a large number of packets.

Pre-configuration Tasks

Before configuring an attack defense policy, complete the following tasks.

l Connecting interfaces and setting the physical parameters of each interface to ensure that the physical layer is in Up state

5.1.2 (Optional) Configuring the Rule for Sending Packets to the CPU

The rule for sending packets to the CPU can be car..

Context

NOTE

The rule applied to the same packet sent to the CPU can be car or deny. If both car and deny are set, the rule that was configured later takes effect.

You are advised to use the default CAR value on the S2300.

The rate limit for packets in queues takes precedence over the rate limit for all the packets on an interface.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

quit

Return to the system view.


Step 3 Run:

cp-car { total | queue queue-index } speed speed-value

The maximum rate of packets sent to the CPU is set. (S2300EI)

Run:

cp-car total speed speed-value

The maximum rate of packets sent to the CPU is set. (S2300SI)

NOTE

The maximum rate of packets in a queue sent to the CPU cannot be set on the S2300SI.

CAUTION

After the cp-car command is used, the maximum rate of packets sent to the CPU is affected. Exercise caution when you run the cp-car command.

----End
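The note above states that a queue-level rate limit takes precedence over the total limit on the interface. The following added example (not S2300 code, and not from this guide) models that ordering with two levels of token buckets: a packet must first pass its queue's bucket, and only then does it consume from the total budget, so a flood confined to one queue cannot exhaust the CPU budget shared by the other queues. The speed unit (packets per second), the burst size (one second of the rate), and the queue numbers are assumptions of the example.

```python
"""Two-level CPU CAR model for cp-car: per-queue limit checked before the total
limit. Added example, not S2300 code; 'speed' is treated as packets per second
and each bucket's burst capacity is assumed equal to one second of its rate."""
from typing import Dict, Optional


class TokenBucket:
    def __init__(self, rate_pps: int, burst: Optional[int] = None):
        self.rate = rate_pps
        self.capacity = burst if burst is not None else rate_pps
        self.tokens = float(self.capacity)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        """Refill for the elapsed time, then spend one token if one is available."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class CpuCar:
    """cp-car total speed X, plus optional cp-car queue N speed Y entries."""

    def __init__(self, total_pps: int, queue_pps: Dict[int, int]):
        self.total = TokenBucket(total_pps)
        self.queues = {q: TokenBucket(r) for q, r in queue_pps.items()}
        self.admitted: Dict[int, int] = {}
        self.dropped: Dict[int, int] = {}

    def admit(self, now: float, queue: int) -> bool:
        """Queue limit first; the total bucket is only charged if the queue bucket allows."""
        qb = self.queues.get(queue)
        ok = (qb is None or qb.allow(now)) and self.total.allow(now)
        counter = self.admitted if ok else self.dropped
        counter[queue] = counter.get(queue, 0) + 1
        return ok


def simulate_burst() -> Dict[str, Dict[int, int]]:
    """Constructed burst: 1000 packets in queue 3 (limited to 100 pps), then 1000 in
    queue 5 (no queue limit), all arriving at t=0 with a total limit of 500 pps."""
    car = CpuCar(total_pps=500, queue_pps={3: 100})
    for _ in range(1000):
        car.admit(0.0, 3)
    for _ in range(1000):
        car.admit(0.0, 5)
    return {"admitted": car.admitted, "dropped": car.dropped}
```

In the simulated burst, queue 3 is capped at 100 packets by its own limit, and queue 5 still receives the remaining 400 packets of the total budget; without the queue limit, queue 3 would have consumed all 500.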


6 PPPoE+ Configuration

About This Chapter

This chapter describes how to configure PPPoE+.

NOTE

S2300SI does not support PPPoE+.

6.1 PPPoE+ Overview

This section describes the principle of PPPoE+.

6.2 PPPoE+ Features Supported by the S2300

This section describes the PPPoE+ features supported by the S2300.

6.3 Configuring PPPoE+

This section describes how to configure PPPoE+.

6.4 Configuration Examples

This section provides several configuration examples of PPPoE+.


6.1 PPPoE+ Overview

This section describes the principle of PPPoE+.

Currently, PPPoE provides a good authentication and security mechanism, but it still has certain disadvantages, for example, account embezzlement.

In common PPPoE dialup mode, when users dial up through PPPoE from different interfaces of devices, they can access the network as long as their accounts are authenticated successfully on the same RADIUS server. After PPPoE+ is enabled, you still need to enter the user name and password for authentication, but the authentication packet also carries information including the interface. If the port number identified by the RADIUS server is different from the configured one, the authentication fails. In this manner, unauthorized users cannot embezzle the accounts of authorized users (mainly the company) to access the Internet.

6.2 PPPoE+ Features Supported by the S2300

This section describes the PPPoE+ features supported by the S2300.

The S2300 can add the device type and interface number to the received PPPoE packets. In this manner, the PPPoE server can perform policy control flexibly for the client according to the information in the received PPPoE packets, for example, IP address allocation control and flexible accounting.

6.3 Configuring PPPoE+

This section describes how to configure PPPoE+.

6.3.1 Establishing the Configuration Task

6.3.2 Enabling PPPoE+ Globally

6.3.3 Configuring the Format and Contents of Fields to Be Added To PPPoE Packets

6.3.4 Configuring the Action for Processing Original Fields in PPPoE Packets

6.3.5 Configuring the PPPoE Trusted Interface

6.3.6 Checking the Configuration

6.3.1 Establishing the Configuration Task

Applicable Environment

To prevent the access of unauthorized users during PPPoE authentication, you need to configure PPPoE+ on the S2300. In this case, interface information is added to the PPPoE packets. The security of the network is thus ensured.

Pre-configuration Tasks

None.


Data Preparation

To configure PPPoE+, you need the following data.

No. Data

1 Interface number related to PPPoE authentication

2 Format and contents of the fields to be added to PPPoE packets

6.3.2 Enabling PPPoE+ Globally

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

pppoe intermediate-agent information enable

PPPoE+ is enabled globally.

After the pppoe intermediate-agent information enable command is run in the system view, PPPoE+ is enabled on all the interfaces.

By default, PPPoE+ is disabled globally.

----End

6.3.3 Configuring the Format and Contents of Fields to Be Added to PPPoE Packets

Context

After PPPoE+ is enabled globally, the user-side interface on the S2300 adds information in common format to the received PPPoE packets. You can modify the format of the field to be appended through this task.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

pppoe intermediate-agent information format { circuit-id | remote-id } { common | extend | user-defined text }

The format and contents of fields to be added to PPPoE packets are set.


After the pppoe intermediate-agent information format command is run in the system view, all the interfaces add fields in the specified format to the received PPPoE packets.

----End

6.3.4 Configuring the Action for Processing Original Fields in PPPoE Packets

Context

You can configure the action for processing original fields in PPPoE packets in the system view and in the interface view. The configuration in the system view is valid for all the interfaces. To adopt a different action on an interface, run the pppoe intermediate-agent information policy command in the interface view. In this case, the action for processing packets on the interface depends on the configuration of the interface.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

pppoe intermediate-agent information policy { drop | keep | replace }

The action for all the interfaces to process original fields in PPPoE packets is configured.

l drop: removes the original fields from PPPoE packets.

l keep: reserves the contents and format of original fields in PPPoE packets.

l replace: replaces the original fields in PPPoE packets according to the set field format regardless of whether the packets carry the fields.

By default, the user-side interface on the S2300 replaces the original fields in the received PPPoE packets after PPPoE+ is enabled globally.

Step 3 (Optional) Run:

interface interface-type interface-number

The Ethernet interface view is displayed.

Then run:

pppoe intermediate-agent information policy { drop | keep | replace }

The action for all the interfaces to process original fields in PPPoE packets is configured.

By default, the interface on the S2300 replaces the original information fields in PPPoE packets.

----End
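What the intermediate agent actually touches is the tag list of a PPPoE discovery frame. The following is an added example, not S2300 firmware and not from this guide: it builds and parses PPPoE discovery frames (header and tag layout per RFC 2516) with the vendor-specific tag (0x0105) that carries the access-loop circuit-ID and remote-ID sub-options under the Broadband Forum vendor ID, then applies the drop, keep and replace policies from Step 2 to a constructed PADI that already carries a client-supplied circuit ID. The "common" and "extend" circuit-ID encodings, and the exact effect of each policy on a pre-existing tag, are the example's own assumptions, since the guide only describes them in one line each.

```python
"""PPPoE+ (PPPoE intermediate agent) modelled on the discovery-stage frames it
rewrites. Added example, not S2300 code: PPPoE header and tag layout follow
RFC 2516, the vendor-specific tag carries Broadband Forum access-loop
sub-options; the 'common'/'extend' circuit-ID encodings and the handling of
a pre-existing tag under each policy are assumptions of this example."""
import struct
from typing import List, Optional, Tuple

PPPOE_VER_TYPE = 0x11          # version 1, type 1
PADI = 0x09                    # PPPoE Active Discovery Initiation
TAG_END_OF_LIST = 0x0000
TAG_SERVICE_NAME = 0x0101
TAG_VENDOR_SPECIFIC = 0x0105
VENDOR_ID_BBF = 0x00000DE9     # Broadband Forum (formerly ADSL Forum) enterprise number
SUBOPT_CIRCUIT_ID = 0x01
SUBOPT_REMOTE_ID = 0x02

Tag = Tuple[int, bytes]


def build_pppoe(code: int, session_id: int, tags: List[Tag]) -> bytes:
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    body += struct.pack("!HH", TAG_END_OF_LIST, 0)
    return struct.pack("!BBHH", PPPOE_VER_TYPE, code, session_id, len(body)) + body


def parse_pppoe(frame: bytes) -> Tuple[int, int, List[Tag]]:
    """Return (code, session_id, tags); rejects truncated headers and tags that overrun the payload."""
    ver_type, code, session_id, length = struct.unpack_from("!BBHH", frame, 0)
    if ver_type != PPPOE_VER_TYPE or len(frame) < 6 + length:
        raise ValueError("malformed PPPoE header")
    tags, off, end = [], 6, 6 + length
    while off + 4 <= end:
        ttype, tlen = struct.unpack_from("!HH", frame, off)
        off += 4
        if ttype == TAG_END_OF_LIST:
            break
        if off + tlen > end:
            raise ValueError("tag overruns PPPoE payload")
        tags.append((ttype, frame[off:off + tlen]))
        off += tlen
    return code, session_id, tags


def vendor_tag(circuit_id: bytes, remote_id: Optional[bytes] = None) -> Tag:
    """Vendor-specific tag: 4-byte vendor ID, then (sub-option, length, value) triplets."""
    if len(circuit_id) > 255 or (remote_id is not None and len(remote_id) > 255):
        raise ValueError("sub-option too long")
    value = struct.pack("!I", VENDOR_ID_BBF) + bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if remote_id is not None:
        value += bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id
    return (TAG_VENDOR_SPECIFIC, value)


def circuit_id_of(tag_value: bytes) -> Optional[bytes]:
    """Extract the circuit-ID sub-option from a vendor-specific tag value, or None."""
    if len(tag_value) < 4 or struct.unpack("!I", tag_value[:4])[0] != VENDOR_ID_BBF:
        return None
    off = 4
    while off + 2 <= len(tag_value):
        sub, slen = tag_value[off], tag_value[off + 1]
        off += 2
        if sub == SUBOPT_CIRCUIT_ID:
            return tag_value[off:off + slen]
        off += slen
    return None


def circuit_id(fmt: str, hostname: str, slot: int, subslot: int, port: int, vlan: int) -> bytes:
    # Assumed encodings: 'common' is printable text, 'extend' packs the same fields as raw bytes.
    if fmt == "common":
        return f"{hostname} eth {slot}/{subslot}/{port}:{vlan}".encode()
    if fmt == "extend":
        return struct.pack("!HBBB", vlan, slot, subslot, port)
    raise ValueError(fmt)


def apply_policy(frame: bytes, policy: str, own_tag: Tag) -> bytes:
    """drop: strip original vendor tags; keep: leave them (add ours only if absent); replace: always ours."""
    code, session_id, tags = parse_pppoe(frame)
    original = [t for t in tags if t[0] == TAG_VENDOR_SPECIFIC]
    others = [t for t in tags if t[0] != TAG_VENDOR_SPECIFIC]
    if policy == "drop":
        new_tags = others
    elif policy == "keep":
        new_tags = others + (original or [own_tag])
    elif policy == "replace":
        new_tags = others + [own_tag]
    else:
        raise ValueError(policy)
    return build_pppoe(code, session_id, new_tags)


def demo() -> dict:
    """Constructed PADI that already carries a client-supplied circuit ID, run through each policy."""
    padi = build_pppoe(PADI, 0, [(TAG_SERVICE_NAME, b""), vendor_tag(b"forged-circuit")])
    own = vendor_tag(circuit_id("extend", "Quidway", 0, 0, 1, 10))   # Ethernet0/0/1, VLAN 10
    out = {}
    for policy in ("drop", "keep", "replace"):
        _, _, tags = parse_pppoe(apply_policy(padi, policy, own))
        out[policy] = [circuit_id_of(v) for t, v in tags if t == TAG_VENDOR_SPECIFIC]
    return out
```

The demo makes the security point of the default policy visible: only replace guarantees that the circuit ID the BRAS sees was written by the switch; keep would pass a client-supplied identifier upstream untouched.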

6.3.5 Configuring the PPPoE Trusted Interface

Context

To prevent bogus PPPoE servers and the security risk caused by PPPoE packets forwarded to non-PPPoE service interfaces, you can configure the interface connecting the S2300 and the PPPoE server as the trusted interface. After the trusted interface is configured, PPPoE packets sent from the PPPoE client to the PPPoE server are forwarded through the trusted interface only. In addition, only the PPPoE packets received from the trusted interface are forwarded to the PPPoE client.

NOTE

The trusted interface only controls protocol packets in the PPPoE discovery period, and does not control service packets in the PPPoE session period.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

interface interface-type interface-number

The Ethernet interface view is displayed.

Step 3 Run:

pppoe uplink-port trusted

The interface is configured as the trusted interface.

----End

6.3.6 Checking the Configuration

Procedure

l Run the display pppoe intermediate-agent information format command to check information about the circuit ID and remote ID that are globally set.

l Run the display pppoe intermediate-agent information policy command to check the globally set action for processing original fields in PPPoE packets.

----End

6.4 Configuration Examples

This section provides several configuration examples of PPPoE+.

6.4.1 Example for Configuring PPPoE+

6.4.1 Example for Configuring PPPoE+

Networking Requirements

As shown in Figure 6-1, the Switch is connected to the upstream device BRAS and the downstream device PC; the PPPoE server is configured on the BRAS device. PPPoE+ is enabled on the Switch to control and monitor dialup users.


Figure 6-1 Networking diagram for configuring PPPoE+

PPPoE client -- Ethernet0/0/1 -- Switch (PPPoE+) -- GE0/0/1 -- IP network -- BRAS (PPPoE server)
PPPoE client -- Ethernet0/0/2 -- Switch (PPPoE+)

Configuration Roadmap

The configuration roadmap is as follows:

1. Enable PPPoE+ globally.

NOTE

After PPPoE+ is enabled globally, PPPoE+ is enabled on all the interfaces.

2. Configure the contents and format of fields to be added to PPPoE packets on the Switch.

3. Configure the action for the Switch to process PPPoE packets.

4. Configure the interface connecting the Switch and the PPPoE server as the trusted interface.

Data Preparation

None.

Procedure

Step 1 Enable PPPoE+.

<Quidway> system-view
[Quidway] pppoe intermediate-agent information enable

Step 2 Configure the format of information fields.

Configure the Switch to add the circuit ID in extend format to PPPoE packets, that is, the format in hexadecimal notation is used.

[Quidway] pppoe intermediate-agent information format circuit-id extend


Step 3 Configure the action for processing original fields in PPPoE packets.

Configure all the interfaces to replace original fields in PPPoE packets with the circuit ID of the Switch.

[Quidway] pppoe intermediate-agent information policy replace

Step 4 Configure the trusted interface.

Configure GE 0/0/1 as the trusted interface.

[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] pppoe uplink-port trusted
[Quidway-GigabitEthernet0/0/1] quit

----End

Configuration Files

#
 sysname Quidway
#
 pppoe intermediate-agent information enable
 pppoe intermediate-agent information format circuit-id extend
#
interface GigabitEthernet0/0/1
 pppoe uplink-port trusted
#
return


7 MFF Configuration

About This Chapter

This section describes the principle and configuration of the MAC-Forced Forwarding (MFF) function.

Context

NOTE

S2300SI does not support MFF function.

7.1 MFF Overview

This section describes the principle of the MFF function.

7.2 MFF Features Supported by the S2300

This section describes the MFF features supported by the S2300.

7.3 Configuring MFF

The MFF function isolates users at Layer 2 and forwards traffic through the gateway.

7.4 Configuration Examples

This section provides a configuration example of MFF.


7.1 MFF Overview

This section describes the principle of the MFF function.

Background

In traditional Ethernet solutions, VLANs are usually configured on switches to implement Layer 2 isolation and Layer 3 interconnection between clients. When many users need to be isolated at Layer 2, a large number of VLANs are required. In addition, to enable the clients to communicate at Layer 3, each VLAN must be assigned an IP network segment and each VLANIF interface needs an IP address. This wastes IP addresses. In addition, the network is easy to attack, and malicious attacks from users on the network cannot be prevented.

The MFF function provides a solution to this problem and implements Layer 2 isolation and Layer 3 interconnection between the clients in a broadcast domain. MFF intercepts the ARP requests from users and, acting as an ARP proxy, replies with ARP responses containing the MAC address of the gateway. In this manner, MFF forces users to send all traffic, including the traffic destined for the same subnet, to the gateway so that the gateway can monitor data traffic. This prevents malicious attacks and improves network security.

MFF Interface Role

Two types of interfaces are involved in the MFF function: network interface and user interface.

l User interface

A user interface refers to an interface connected to a network terminal.

The user interface processes different packets as follows:

– Sends ARP and DHCP packets to the CPU.

– Allows ARP, DHCP, IGMP, EAPOL packets to pass through.

– Allows the unicast packets whose destination MAC address is the MAC address of the gateway to pass through and discards other packets if the interface has learned the MAC address of the gateway; discards all packets if the interface has not learned the MAC address of the gateway.

– Rejects multicast packets and broadcast packets.

l Network interface

A network interface is an interface connected to another network device, for example, an access switch, an aggregate switch, or a gateway.

MFF processes packets on a network interface as follows:

– Allows multicast and DHCP packets to pass through.

– Sends ARP packets to the CPU.

– Forwards packets directly without processing.

NOTE

l The interfaces receiving packets sent from the gateway must be configured as network-side interfaces.

l The interface role is irrelevant to the position of the interface on a network.

l On a VLAN where MFF is enabled, an interface must be a network interface or a user interface.
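The user-interface rules and the ARP proxy above can be modelled to see how they interact, in particular that nothing but control traffic leaves a user interface until the gateway MAC has been learned. The following is an added example, not S2300 code and not from this guide: frames are represented symbolically, the gateway MAC is learned from an ARP packet arriving on a network interface (the page says network-interface ARP goes to the CPU; the learning rule itself is an assumption), and all addresses are constructed sample values.

```python
"""Model of the MFF user-interface rules and ARP proxy described in 7.1.
Added example, not S2300 code: frames are symbolic, the gateway MAC is
learned from ARP seen on a network interface (an assumption), and the
addresses are constructed sample values."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

BROADCAST = "ff-ff-ff-ff-ff-ff"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    kind: str                      # 'arp-request', 'arp-reply', 'dhcp', 'igmp', 'eapol', 'ip'
    src_ip: Optional[str] = None
    target_ip: Optional[str] = None


def is_group_address(mac: str) -> bool:
    """I/G bit (least significant bit of the first octet) set means multicast or broadcast."""
    return int(mac.split("-")[0], 16) & 1 == 1


@dataclass
class MffVlan:
    vlan_id: int
    gateway_ip: Optional[str] = None        # from DHCP, or mac-forced-forwarding static-gateway
    gateway_mac: Optional[str] = None
    users: Dict[str, str] = field(default_factory=dict)   # user IP -> user MAC

    def network_port_rx(self, frame: Frame) -> str:
        """Network interface: ARP goes to the CPU (here: to learn the gateway MAC), the rest is forwarded."""
        if frame.kind in ("arp-request", "arp-reply"):
            if frame.src_ip == self.gateway_ip:
                self.gateway_mac = frame.src_mac
            return "cpu"
        return "forward"

    def user_port_rx(self, frame: Frame) -> Tuple[str, Optional[Frame]]:
        """User interface rules; returns the action and, for ARP requests, the proxied reply."""
        if frame.kind == "arp-request":
            if frame.src_ip:
                self.users[frame.src_ip] = frame.src_mac
            if self.gateway_mac is None:
                return "drop", None             # nothing to proxy with yet
            # Every request, for the gateway or for another user, is answered with the gateway MAC
            reply = Frame(self.gateway_mac, frame.src_mac, "arp-reply", frame.target_ip, frame.src_ip)
            return "cpu", reply
        if frame.kind == "dhcp":
            return "cpu", None
        if frame.kind in ("igmp", "eapol"):
            return "forward", None
        if is_group_address(frame.dst_mac):
            return "drop", None                 # multicast and broadcast are rejected
        if self.gateway_mac is not None and frame.dst_mac == self.gateway_mac:
            return "forward", None              # only unicast towards the gateway passes
        return "drop", None


def demo() -> Dict[str, str]:
    """Constructed VLAN 10: gateway 10.10.10.254, users A (.10) and B (.11) on user interfaces."""
    v = MffVlan(10, gateway_ip="10.10.10.254")
    gw_mac, a_mac, b_mac = "00-02-00-02-00-01", "00-01-00-01-00-01", "00-01-00-01-00-02"
    out = {}
    # Before the gateway MAC is learned, even a unicast frame from A to B is discarded.
    out["before_learn"] = v.user_port_rx(Frame(a_mac, b_mac, "ip"))[0]
    v.network_port_rx(Frame(gw_mac, BROADCAST, "arp-request", "10.10.10.254", "10.10.10.10"))
    _, reply = v.user_port_rx(Frame(a_mac, BROADCAST, "arp-request", "10.10.10.10", "10.10.10.11"))
    out["arp_for_peer"] = reply.src_mac if reply else "none"   # proxy answers with the gateway MAC
    out["to_gateway"] = v.user_port_rx(Frame(a_mac, gw_mac, "ip"))[0]
    out["to_peer"] = v.user_port_rx(Frame(a_mac, b_mac, "ip"))[0]
    out["broadcast"] = v.user_port_rx(Frame(a_mac, BROADCAST, "ip"))[0]
    out["eapol"] = v.user_port_rx(Frame(a_mac, "01-80-c2-00-00-03", "eapol"))[0]
    return out
```

The "to_peer" case is the isolation property: even after A has resolved B's IP address, the reply it received carried the gateway MAC, and a frame addressed directly to B's real MAC is discarded at the user interface.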


7.2 MFF Features Supported by the S2300

This section describes the MFF features supported by the S2300.

Static Gateway

The static gateway is applicable to the scenario where the IP addresses are set statically. When users are assigned IP addresses statically, the users cannot obtain the gateway information through the DHCP packets. In this case, a static gateway address needs to be configured for each VLAN. If the static gateway address is not configured, all the users cannot communicate with each other except for the DHCP users.

Gateway Address Detection and Maintenance

If the function of timed gateway address detection is enabled, MFF sends detection packets periodically to check whether the gateway address needs to be updated.

The detection packet is a forged ARP packet whose source IP address and MAC address are the addresses of the first user in the MFF user list. If the first user entry is deleted, the MFF selects another user entry to forge the ARP packet. If the gateway does not have any matching user information after the user entry is deleted, the MFF deletes the probe information.

ARP Proxy

The Layer 3 communication between users is implemented through the ARP proxy. The ARP proxy reduces the number of broadcast packets at the user side.

MFF processes ARP packets as follows:

l Responds to the ARP requests of users.

MFF substitutes for the gateway to respond to the ARP requests of users. Therefore, all the packets of users are forwarded at Layer 3 by the gateway. The ARP packet of a user may be the request for the gateway address or the request for the IP addresses of other users.

l Responds to ARP request packets with the user IP address and MAC address.

Server Deployment on the Network

The IP address of the server can be the IP address of the DHCP server, the IP address of another server, or the virtual IP address of the VRRP group.

If a network interface receives an ARP request whose source IP address is the IP address of the server, the interface responds to the ARP request as a gateway. That is, the packets sent from users are forwarded to the gateway, and then sent to the server. The packets sent by the server, however, are not forwarded to the gateway.

Discarding IPv6 Packets

The user-side interface of the MFF device S2300 can discard the IPv6 packets from users to prevent IPv6 packets from being broadcast on the VLAN. If the S2300 does not discard IPv6 packets, users can learn the MAC addresses of each other, and the MFF user isolation function will be invalid.


Transparently Transmitting User Status Detection Packets

If the gateway provides the accounting function, the gateway needs to detect whether users are online. The MFF-enabled S2300 can transparently transmit user status detection packets so that it is aware of user status changes immediately.

7.3 Configuring MFF

The MFF function isolates users at Layer 2 and forwards traffic through the gateway.

7.3.1 Establishing the Configuration Task

7.3.2 Enabling Global MFF

7.3.3 Configuring the MFF Network Interface

7.3.4 Enabling MFF in a VLAN

7.3.5 (Optional) Configuring the Static Gateway Address

7.3.6 (Optional) Enabling Timed Gateway Address Detection

7.3.7 (Optional) Setting the Server Address

7.3.8 (Optional) Transparently Transmitting User Status Detection Packets

7.3.9 (Optional) Discarding IPv6 Packets Sent from Users

7.3.10 Checking the Configuration

7.3.1 Establishing the Configuration Task

Applicable Environment

At the access layer of the Metro Ethernet, you can configure the MFF function to implement Layer 2 isolation between access users. The traffic between users is forwarded by the gateway at Layer 3. In this way, you can filter the user traffic, perform traffic scheduling based on policies, and charge users.

Pre-configuration Tasks

Before configuring basic MFF functions, complete the following tasks.

If DHCP users exist, you need to perform the following operations:

l Enabling DHCP snooping

l Configuring the trusted interface of DHCP snooping

Data Preparation

To configure the MFF function, you need the following data.


No. Data

1 VLAN ID of the MFF device

2 Type and number of the network interface to be configured

3 (Optional) IP address of the static gateway to be configured

4 (Optional) IP address of the server to be configured

7.3.2 Enabling Global MFF

Context

You can perform other MFF configurations only after enabling the global MFF.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

mac-forced-forwarding enable

The global MFF is enabled.

By default, the global MFF is disabled.

----End

7.3.3 Configuring the MFF Network Interface

Context

The MFF function of a VLAN takes effect after you configure at least one network interface on the VLAN.

NOTE

This task can be performed before the global MFF is enabled; however, it takes effect only after the global MFF is enabled.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

interface interface-type interface-number


The interface view is displayed.

Step 3 Run:

mac-forced-forwarding network-port

The interface is configured as a network interface.

By default, the interface is a user interface.

----End

7.3.4 Enabling MFF in a VLAN

Context

If an MFF-enabled network has multiple S2300s, at least one Network-to-Network Interface (NNI) must reside in the VLAN configured with MFF.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

vlan vlan-id

The VLAN view is displayed.

Step 3 Run:

mac-forced-forwarding enable

The MFF function is enabled for the VLAN.

By default, the MFF function is disabled in a VLAN.

----End

7.3.5 (Optional) Configuring the Static Gateway Address

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

vlan vlan-id

The VLAN view is displayed.

Step 3 Run:

mac-forced-forwarding static-gateway ip-address


The IP address of the static gateway is set.

----End

7.3.6 (Optional) Enabling Timed Gateway Address Detection

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

vlan vlan-id

The VLAN view is displayed.

Step 3 Run:

mac-forced-forwarding gateway-detect

The timed gateway address detection is enabled.

After the timed gateway address detection is enabled, the S2300 sends ARP packets periodically to detect the gateway.

By default, the timed gateway address detection is disabled.

----End

7.3.7 (Optional) Setting the Server Address

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

vlan vlan-id

The VLAN view is displayed.

Step 3 Run:

mac-forced-forwarding server server-ip &<1-10>

The IP address of the server deployed on the network is set.

----End

7.3.8 (Optional) Transparently Transmitting User Status Detection Packets


Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

vlan vlan-id

The VLAN view is displayed.

Step 3 Run:

mac-forced-forwarding user-detect_transparent

The gateway is allowed to detect online users by sending ARP request packets.

----End

7.3.9 (Optional) Discarding IPv6 Packets Sent from Users

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

vlan vlan-id

The VLAN view is displayed.

Step 3 Run:

mac-forced-forwarding ipv6-isolate

The inbound interface of the MFF device is configured to discard the IPv6 packets from users. This prevents IPv6 packets from being broadcast on the VLAN.

----End

7.3.10 Checking the Configuration

Procedure

l Run the display mac-forced-forwarding network-port command to view the MFF network interface.

l Run the display mac-forced-forwarding vlan vlan-id command to view information about MFF users and the gateway on the VLAN.

----End

Example

Run the display mac-forced-forwarding network-port command, and you can see information about the network-side interfaces matching each MFF VLAN.


<Quidway> display mac-forced-forwarding network-port
--------------------------------------------------------------------------------
VLAN ID     Network-ports
--------------------------------------------------------------------------------
VLAN 10     Ethernet0/0/1 Ethernet0/0/2 Ethernet0/0/3
VLAN 100    Ethernet0/0/4 Ethernet0/0/5

Run the display mac-forced-forwarding vlan vlan-id command, and you can see information about MFF users and the gateway on the VLAN.

<Quidway> display mac-forced-forwarding vlan 100
Servers: 192.168.1.2 192.168.1.3
--------------------------------------------------------------------
User IP         User MAC            Gateway IP      Gateway MAC
--------------------------------------------------------------------
192.168.1.10    00-01-00-01-00-01   192.168.1.254   00-02-00-02-00-01
192.168.1.11    00-01-00-01-00-02   192.168.1.254   00-02-00-02-00-01
192.168.1.12    00-01-00-01-00-03   192.168.1.252   00-02-00-02-00-03
--------------------------------------------------------------------
[Vlan 100] MFF host total count = 3

7.4 Configuration Examples

This section provides a configuration example of MFF.

7.4.1 Example for Configuring MFF

7.4.1 Example for Configuring MFF

Networking Requirements

As shown in Figure 7-1, all the user hosts obtain IP addresses through the DHCP server and all the devices are located in VLAN 10. To implement Layer 2 isolation and Layer 3 interconnection between the hosts, you need to configure the MFF function on Switch A and Switch B.


Figure 7-1 Networking diagram for configuring MFF

Devices shown: DHCP server (10.10.10.1/24), Switch A, Switch B, Switch C
Interfaces shown: GE0/0/1, GE0/0/2, GE0/0/3, GE0/0/4

Configuration RoadmapThe configuration roadmap is as follows:

1. Configure DHCP snooping.2. Enable global MFF.3. Configure the MFF network interfaces.4. Enable MFF for the VLAN.5. (Optional) Enable the function of timed gateway address detection.6. (Optional) Configure the server.

Data PreparationTo complete the configuration, you need the following data:

l VLAN ID of the MFF devicel Type and number of the network interface to be configuredl (Optional) IP address of the server to be configured

Procedure

Step 1 Configure DHCP snooping.

# Enable global DHCP snooping on Switch A.

<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] dhcp enable
[SwitchA] dhcp snooping enable


# Enable DHCP snooping on the interfaces of Switch A. Take the configuration on GE 0/0/1 as an example. The configurations on GE 0/0/2, GE 0/0/3, and GE 0/0/4 are similar to the configuration on GE 0/0/1 and are not mentioned here.

[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] dhcp snooping enable
[SwitchA-GigabitEthernet0/0/1] quit

# Set the status of interface GE 0/0/1 on Switch A to Trusted.

[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] dhcp snooping trusted
[SwitchA-GigabitEthernet0/0/1] quit

# Enable global DHCP snooping on Switch B.

<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] dhcp enable
[SwitchB] dhcp snooping enable

# Enable DHCP snooping on the interfaces of Switch B. Take the configuration on GE 0/0/1 as an example. The configuration on GE 0/0/2 is similar to the configuration on GE 0/0/1 and is not mentioned here.

[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] dhcp snooping enable
[SwitchB-GigabitEthernet0/0/1] quit

# Set the status of interface GE 0/0/1 on Switch B to Trusted.

[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] dhcp snooping trusted
[SwitchB-GigabitEthernet0/0/1] quit

Step 2 Enable global MFF.

# Enable global MFF on Switch A.

[SwitchA] mac-forced-forwarding enable

# Enable global MFF on Switch B.

[SwitchB] mac-forced-forwarding enable

Step 3 Configure the MFF network interfaces.

# Configure GE 0/0/1 of Switch A as the network interface.

[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] mac-forced-forwarding network-port
[SwitchA-GigabitEthernet0/0/1] quit

# Configure GE 0/0/2 of Switch B as the network interface.

[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] mac-forced-forwarding network-port
[SwitchB-GigabitEthernet0/0/2] quit

Step 4 Enable MFF for the VLAN.

# Enable MFF for VLAN 10 on Switch A.

[SwitchA] vlan 10
[SwitchA-vlan10] mac-forced-forwarding enable

# Enable MFF for VLAN 10 on Switch B.


[SwitchB] vlan 10
[SwitchB-vlan10] mac-forced-forwarding enable

Step 5 (Optional) Enable the function of timed gateway address detection.

# Enable the function of timed gateway address detection on Switch A.

[SwitchA-vlan10] mac-forced-forwarding gateway-detect

# Enable the function of timed gateway address detection on Switch B.

[SwitchB-vlan10] mac-forced-forwarding gateway-detect

Step 6 (Optional) Configure the server.

# Configure the server on Switch A.

[SwitchA-vlan10] mac-forced-forwarding server 10.10.10.1

# Configure the server on Switch B.

[SwitchB-vlan10] mac-forced-forwarding server 10.10.10.1

----End

Configuration Files

- Configuration file of Switch A

#
 sysname SwitchA
#
 vlan 10
#
dhcp enable
dhcp snooping enable
mac-forced-forwarding enable
#
vlan 10
 mac-forced-forwarding enable
 mac-forced-forwarding gateway-detect
 mac-forced-forwarding server 10.10.10.1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
 dhcp snooping enable
 dhcp snooping trusted
 mac-forced-forwarding network-port
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
 dhcp snooping enable
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 10
 dhcp snooping enable
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 10
 dhcp snooping enable
#
return

- Configuration file of Switch B

#
 sysname SwitchB
#
 vlan 10
#
dhcp enable
dhcp snooping enable
mac-forced-forwarding enable
#
vlan 10
 mac-forced-forwarding enable
 mac-forced-forwarding gateway-detect
 mac-forced-forwarding server 10.10.10.1
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
 dhcp snooping enable
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
 dhcp snooping enable
 mac-forced-forwarding network-port
#
return


8 Traffic Suppression Configuration

About This Chapter

This chapter describes the principle and configuration of traffic suppression.

8.1 Introduction to Traffic Suppression

This section describes the principle of traffic suppression.

8.2 Traffic Suppression Features Supported by the S2300

This section describes the traffic suppression features supported by the S2300.

8.3 Configuring Traffic Suppression

This section describes how to configure traffic suppression on a specified interface.

8.4 Configuration Examples

This section provides several configuration examples of traffic suppression.


8.1 Introduction to Traffic Suppression

This section describes the principle of traffic suppression.

Broadcast packets, multicast packets and unknown unicast packets entering the S2300 are forwarded on all the interfaces in a VLAN. These three types of packets consume a great deal of bandwidth, reduce the available bandwidth of the system, and affect normal forwarding and processing capabilities.

The traffic suppression function can be used to limit the traffic entering an interface and to protect the S2300 against the three types of traffic. It also guarantees the available bandwidth and processing capabilities of the S2300 when the traffic is abnormal.

8.2 Traffic Suppression Features Supported by the S2300

This section describes the traffic suppression features supported by the S2300.

The traffic suppression function can be configured on Ethernet interfaces of the S2300.

The S2300 can suppress the broadcast, multicast, and unicast traffic.

8.3 Configuring Traffic Suppression

This section describes how to configure traffic suppression on a specified interface.

8.3.1 Establishing the Configuration Task

8.3.2 Configuring Traffic Suppression on an Interface

8.3.3 Checking the Configuration

8.3.1 Establishing the Configuration Task

Applicable Environment

To limit the rate of incoming broadcast, multicast, and unknown unicast packets on an interface and protect the device against traffic attacks, you can configure traffic suppression on the interface.

Pre-configuration Tasks

None

Data Preparation

To configure traffic suppression, you need the following data.


No.  Data
1    Type and number of the interface where traffic suppression needs to be configured
2    Type of traffic (broadcast, multicast, or unknown unicast traffic) that needs to be suppressed
3    Mode in which traffic is suppressed (rate percentage on a physical interface)
4    Limited rate, including bandwidth percentage

8.3.2 Configuring Traffic Suppression on an Interface

Context

Do as follows on the S2300 where traffic suppression needs to be configured.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
{ broadcast-suppression | multicast-suppression | unicast-suppression } percent-value

Traffic suppression is configured.

- To configure traffic suppression based on the bandwidth percentage, you must select the percent-value parameter.

NOTE

- The S2300SI does not support configuring traffic suppression with unicast-suppression. On the S2300SI, unknown unicast and multicast packets are both suppressed by multicast-suppression.

- If traffic suppression is already configured for a type of traffic on an interface and the command is run again for the same type of traffic with a different rate, the latest configuration overrides the previous configuration.

----End

8.3.3 Checking the Configuration


Prerequisite

The configurations of traffic suppression are complete.

Procedure

- Run the display flow-suppression interface interface-type interface-number command to check the configuration of traffic suppression.

----End

Example

Run the display flow-suppression interface interface-type interface-number command, and you can view the configuration of traffic suppression on a specified interface.

<Quidway> display flow-suppression interface gigabitethernet 0/0/1
 storm type          rate mode       set rate value
-------------------------------------------------------------------------------
 unknown-unicast     percent         percent: 80%
 multicast           percent         percent: 80%
 broadcast           percent         percent: 80%
-------------------------------------------------------------------------------
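A check that parses this display output and reports storm types with no suppression configured or a rate above a chosen ceiling, as an added example that is not part of the original guide; the sample output is constructed to match the format above, and the 80% ceiling and the si_model flag (which accounts for the S2300SI folding unknown unicast into multicast-suppression) are assumptions for illustration.

```python
"""Audit `display flow-suppression interface` output for weak or missing
traffic suppression. Added example, not the switch's own code."""
import re

# Constructed sample, laid out like the guide's display output.
SAMPLE_OUTPUT = """\
<Quidway> display flow-suppression interface gigabitethernet 0/0/1
 storm type          rate mode       set rate value
-------------------------------------------------------------------------------
 unknown-unicast     percent         percent: 80%
 multicast           percent         percent: 80%
 broadcast           percent         percent: 80%
-------------------------------------------------------------------------------
"""

# One table row: storm type, rate mode, and the configured percentage.
ROW = re.compile(r"^\s*(unknown-unicast|multicast|broadcast)\s+(\S+)\s+percent:\s*(\d+)%")


def parse_flow_suppression(text: str) -> dict:
    """Map each storm type found in the output to its configured percent."""
    result = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            result[m.group(1)] = int(m.group(3))
    return result


def audit(text: str, max_percent: int = 80, si_model: bool = False) -> list:
    """Return human-readable findings, empty when the interface is compliant.

    On the S2300SI the unicast-suppression command is unsupported and unknown
    unicast is covered by multicast-suppression, so its row is not expected.
    """
    cfg = parse_flow_suppression(text)
    expected = ["broadcast", "multicast"] + ([] if si_model else ["unknown-unicast"])
    findings = []
    for kind in expected:
        if kind not in cfg:
            findings.append(f"{kind}: no suppression configured")
        elif cfg[kind] > max_percent:
            findings.append(f"{kind}: {cfg[kind]}% exceeds {max_percent}%")
    return findings


if __name__ == "__main__":
    print(parse_flow_suppression(SAMPLE_OUTPUT))
    print(audit(SAMPLE_OUTPUT) or "compliant")
```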

8.4 Configuration Examples

This section provides several configuration examples of traffic suppression.

8.4.1 Example for Configuring Traffic Suppression

8.4.1 Example for Configuring Traffic Suppression

Networking Requirements

As shown in Figure 8-1, the Switch is connected to the Layer 2 network and the Layer 3 router. To limit the number of broadcast, multicast, or unknown unicast packets forwarded on the Layer 2 network, you can configure traffic suppression on GE 0/0/1.

Figure 8-1 Networking diagram for configuring traffic suppression (figure not reproduced: the Switch connects to the L2 network on GE0/0/1 and to the L3 network on GE0/0/2)

Configuration Roadmap

Configure traffic suppression in the interface view of GE 0/0/1.


Data Preparation

To complete the configuration, you need the following data:

- GE 0/0/1 where traffic suppression is configured
- Traffic suppression for broadcast, unknown unicast and multicast packets based on the rate percentage
- Maximum rate of broadcast, unknown unicast and multicast packets being 80 percent of the interface rate after traffic suppression is configured

Procedure

Step 1 Enter the interface view.

<Quidway> system-view
[Quidway] interface gigabitethernet 0/0/1

Step 2 Configure traffic suppression for broadcast packets.

[Quidway-GigabitEthernet0/0/1] broadcast-suppression 80

Step 3 Configure traffic suppression for multicast packets.

[Quidway-GigabitEthernet0/0/1] multicast-suppression 80

Step 4 Configure traffic suppression for unknown unicast packets.

[Quidway-GigabitEthernet0/0/1] unicast-suppression 80

NOTE

S2300SI does not support this command.

Step 5 Verify the configuration.

Run the display flow-suppression interface command, and you can view the configuration of traffic suppression on GE 0/0/1.

<Quidway> display flow-suppression interface gigabitethernet 0/0/1
 storm type          rate mode       set rate value
-------------------------------------------------------------------------------
 unknown-unicast     percent         percent: 80%
 multicast           percent         percent: 80%
 broadcast           percent         percent: 80%
-------------------------------------------------------------------------------

----End

Configuration Files

#
 sysname Quidway
#
interface gigabitethernet0/0/1
 unicast-suppression 80
 multicast-suppression 80
 broadcast-suppression 80
#
return


9 ACL Configuration

About This Chapter

The ACL classifies packets according to its rules. After these rules are applied to the interfaces on the S2300, the S2300 can determine which packets are received and which are rejected.

9.1 Introduction to the ACL

This section describes the basic concepts and parameters of an ACL.

9.2 Classification of ACLs Supported by the S2300

This section describes the classification of ACLs supported by the S2300.

9.3 Configuring an ACL

This section describes how to create an ACL, set the time range, configure the description of an ACL, and set the step of an ACL.

9.4 Configuring ACL6

This section describes how to configure basic ACL6 and advanced ACL6.

9.5 Configuration Examples

This section provides configuration examples of the ACL.


9.1 Introduction to the ACL

This section describes the basic concepts and parameters of an ACL.

To filter packets, a set of rules needs to be configured on the S2300 to determine the data packets that can pass through. These rules are defined in an ACL.

An ACL is a series of ordered rules composed of permit and deny clauses. The clauses are described based on the source address, destination address, and port number of a packet, and so on. The ACL classifies packets according to the rules. After these rules are applied to the S2300, the S2300 can determine which packets are received and which are rejected.

9.2 Classification of ACLs Supported by the S2300

This section describes the classification of ACLs supported by the S2300.

NOTE

In this manual, the ACL refers to the access control list that is used to filter IPv4 packets, and the ACL6 refers to the access control list that is used to filter IPv6 packets.

Classification of ACLs

The S2300 supports basic ACLs, advanced ACLs, and layer 2 ACLs for IPv4 packets.

- Basic ACLs: classify and define data packets according to their source addresses, fragmentation flag, and effective time range.

- Advanced ACLs: classify and define data packets in a more refined way according to the source address, destination address, source port number, destination port number, protocol type, precedence, and effective time range.

- Layer 2 ACLs: classify and define data packets according to the source MAC address, destination MAC address, and protocol type.

The S2300 supports basic ACL6s and advanced ACL6s for IPv6 packets.

- A basic ACL6 can use the source IP address, fragmentation flag, and effective time range as the elements of rules.

- An advanced ACL6 can use the source IP address and destination IP address of data packets, the protocol type supported by IP, and features of the protocol such as the source port number and destination port number as the elements of rules.

Application of ACLs

ACLs defined on the S2300 can be applied in the following scenarios:

- Hardware-based application: The ACL is sent to the hardware. For example, when QoS is configured, the ACL is imported to classify packets. Note that when the ACL is imported by QoS, the packets matching the ACL rule in deny mode are discarded. If the action in the ACL is set to permit mode, the packets matching the ACL are processed by the S2300 according to the action defined by the traffic behavior in QoS. For details on the traffic behavior, see the Quidway S2300 Series Ethernet Switches Configuration Guide - QoS.


NOTE

The S2300SI does not support hardware-based ACL applications.

- Software-based application: When the ACL is imported by the upper-layer software, for example when the control function is configured for login users, you can use the ACL to control FTP, Telnet and SSH users. When the S2300 functions as a TFTP client, you can configure an ACL to specify the TFTP servers that the S2300 can access through TFTP. When the ACL is imported by the upper-layer software, the packets matching the ACL are processed by the S2300 according to the action deny or permit defined in the ACL. For details on login user control, see the Quidway S2300 Series Ethernet Switches Configuration Guide - Basic Configurations.

NOTE

- When the ACL is sent to the hardware and is imported by QoS to classify packets, the S2300 does not process packets according to the action defined in the traffic behavior if the packets do not match any ACL rule.

- When the ACL is imported by the upper-layer software and is used to control FTP, Telnet or SSH login users, the S2300 discards the packets if the packets do not match any ACL rule.

9.3 Configuring an ACL

This section describes how to create an ACL, set the time range, configure the description of an ACL, and set the step of an ACL.

9.3.1 Establishing the Configuration Task

Establishing the configuration task of the ACL.

9.3.2 Creating an ACL

You can create an ACL based on the number or name.

9.3.3 (Optional) Setting the Time Range When an ACL Takes Effect

When a time range is specified for an ACL, the ACL takes effect only in this time range. If no time range is specified for the ACL, the ACL is always effective until it is deleted or the rules of the ACL are deleted.

9.3.4 (Optional) Configuring the Description of an ACL

You can configure the description of an ACL to describe the function of the ACL.

9.3.5 Configuring a Basic ACL

Basic ACLs can classify data packets based on the source IP address.

9.3.6 Configuring an Advanced ACL

Advanced ACLs can classify data packets based on the source IP address, destination IP address, source port number, destination port number, and protocol type.

9.3.7 Configuring a Layer 2 ACL

Layer 2 ACLs can classify data packets according to the link layer information, including the source MAC address, source VLAN ID, Layer 2 protocol type, and destination MAC address.

9.3.8 (Optional) Setting the Step Between ACL Rules

The S2300 automatically allocates numbers to ACL rules according to the step between ACL rules.

9.3.9 Checking the Configuration

Checking the configuration of the ACL.


9.3.1 Establishing the Configuration Task

Establishing the configuration task of the ACL.

Applicable Environment

ACLs can be used in multiple services, such as routing policies and packet filtering, to distinguish the types of packets and process them accordingly.

Pre-configuration Tasks

None.

Data Preparation

To configure an ACL, you need the following data.

No.  Data
1    Number or name of the ACL
2    Name of the time range when the ACL takes effect, start time, and end time
3    Description of the ACL
4    Number of the ACL rule and the rule that identifies the type of packets, including protocol, source address, source port, destination address, destination port, the type and code of Internet Control Message Protocol (ICMP), IP precedence, and Type of Service (ToS) value
5    Step of the ACL

9.3.2 Creating an ACL

You can create an ACL based on the number or name.

Context

An ACL is composed of multiple lists of rules containing permit or deny clauses. Before creating an ACL rule, you need to create an ACL.

To create an ACL, you need to specify the following parameters:

- When creating an ACL based on the number, you need to specify the ACL number. The ACL number specifies the type of an ACL. For example, an ACL with a number ranging from 2000 to 2999 is a basic ACL, and an ACL with a number ranging from 3000 to 3999 is an advanced ACL.

- When creating an ACL based on the name, you need to specify the ACL name. You can specify the number or type for a named ACL. If the number of a named ACL is not specified, the system automatically allocates a number to the named ACL.


Procedure

- Creating an ACL based on the number

1. Run:
system-view

The system view is displayed.

2. Run:
acl [ number ] acl-number

An ACL with the specified number is created.

– The value of a basic ACL ranges from 2000 to 2999.
– The value of an advanced ACL ranges from 3000 to 3999.
– The value of a Layer 2 ACL ranges from 4000 to 4999.

- Creating an ACL based on the name

1. Run:
system-view

The system view is displayed.

2. Run:
acl name acl-name [ advance | basic | link | acl-number ]

An ACL with the specified name is created.

If the number of a named ACL is not specified, the S2300 automatically allocates a number to the named ACL. The following situations are involved:

– If the type of a named ACL is specified, the number that the S2300 allocates to the named ACL is the largest number in the range of that ACL type.

– If neither the number nor the type of a named ACL is specified, the S2300 treats the named ACL as an advanced ACL and allocates 3999 to it.

The S2300 does not allocate the same number to more than one named ACL.

----End

9.3.3 (Optional) Setting the Time Range When an ACL Takes Effect

When a time range is specified for an ACL, the ACL takes effect only in this time range. If no time range is specified for the ACL, the ACL is always effective until it is deleted or the rules of the ACL are deleted.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
time-range time-range-name { starting-time to ending-time days | from time1 date1 [ to time2 date2 ] }

A time range is set.


You can set the same name for multiple time ranges to describe a special period. For example, three time ranges are set with the same name test:

- Time range 1: 2009-01-01 00:00 to 2009-12-31 23:59, a definite time range
- Time range 2: 8:00-18:00 on Monday to Friday, a periodic time range
- Time range 3: 14:00-18:00 on Saturday and Sunday, a periodic time range

The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in the year 2009.

----End
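How the three entries named test combine into one active/inactive decision, as an added example that is not the switch's own code: the text states that the periodic windows apply only within the definite (absolute) range, which is modelled here as "inside any absolute entry AND inside any periodic entry"; treating an absent entry kind as imposing no restriction is an assumption of this example.

```python
"""Active/inactive evaluation of a named time range built from several
entries, following the guide's example named "test". Added example, not
the switch's own code."""
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class Absolute:
    """Entry of the form: from time1 date1 to time2 date2."""
    start: datetime
    end: datetime

    def contains(self, t: datetime) -> bool:
        return self.start <= t <= self.end


@dataclass
class Periodic:
    """Entry of the form: starting-time to ending-time days.
    weekdays holds Python weekday numbers, 0 = Monday .. 6 = Sunday."""
    start: time
    end: time
    weekdays: frozenset

    def contains(self, t: datetime) -> bool:
        return t.weekday() in self.weekdays and self.start <= t.time() <= self.end


@dataclass
class TimeRange:
    name: str
    absolutes: list = field(default_factory=list)
    periodics: list = field(default_factory=list)

    def is_active(self, t: datetime) -> bool:
        # Assumption: an entry kind that was never configured imposes no limit.
        in_abs = not self.absolutes or any(a.contains(t) for a in self.absolutes)
        in_per = not self.periodics or any(p.contains(t) for p in self.periodics)
        return in_abs and in_per


def build_test_range() -> TimeRange:
    """The three entries from the guide's example, all named "test"."""
    working_days = frozenset(range(5))      # Monday to Friday
    off_days = frozenset({5, 6})            # Saturday and Sunday
    return TimeRange(
        "test",
        absolutes=[Absolute(datetime(2009, 1, 1, 0, 0), datetime(2009, 12, 31, 23, 59))],
        periodics=[Periodic(time(8, 0), time(18, 0), working_days),
                   Periodic(time(14, 0), time(18, 0), off_days)],
    )


def active_at(tr: TimeRange, iso: str) -> bool:
    """Evaluate the range at an ISO 8601 instant such as 2009-03-04T10:00."""
    return tr.is_active(datetime.fromisoformat(iso))


if __name__ == "__main__":
    tr = build_test_range()
    for stamp in ("2009-03-04T10:00", "2009-03-07T10:00",
                  "2009-03-07T15:00", "2010-03-03T10:00"):
        print(stamp, "Active" if active_at(tr, stamp) else "Inactive")
```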

9.3.4 (Optional) Configuring the Description of an ACL

You can configure the description of an ACL to describe the function of the ACL.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl acl-number

Or, run:

acl name acl-name

The ACL view is displayed.

Step 3 Run:
description description

The description of the ACL is configured.

The description of an ACL is a string of up to 127 characters, describing the usage of the ACL.

By default, no description is configured for an ACL.

----End

9.3.5 Configuring a Basic ACL

Basic ACLs can classify data packets based on the source IP address.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl [ number ] acl-number

A basic ACL is created based on the number.

Or, run:


acl name acl-name [ basic | acl-number ]

A basic ACL is created based on the name.

The value of a basic ACL ranges from 2000 to 2999.

Step 3 Run:
rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | time-range time-name ]*

An ACL rule is created.

----End

9.3.6 Configuring an Advanced ACL

Advanced ACLs can classify data packets based on the source IP address, destination IP address, source port number, destination port number, and protocol type.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl [ number ] acl-number

An advanced ACL is created based on the number.

Or, run:

acl name acl-name [ advance | acl-number ]

An advanced ACL is created based on the name.

The value of an advanced ACL ranges from 3000 to 3999.

Step 3 Run the following command as required:

- When protocol is specified as the Transmission Control Protocol (TCP), run:

rule [ rule-id ] { deny | permit } tcp [ destination { destination-address destination-wildcard | any } | destination-port { eq | gt | lt | range } port | dscp dscp | precedence precedence | source { source-address source-wildcard | any } | source-port { eq | gt | lt | range } port | tcp-flag { tcp-value | ack | fin | psh | rst | syn | urg }* | time-range time-name | tos tos ]*

An ACL rule is created.

- When protocol is specified as the User Datagram Protocol (UDP), run:

rule [ rule-id ] { deny | permit } udp [ destination { destination-address destination-wildcard | any } | destination-port { eq | gt | lt | range } port | dscp dscp | precedence precedence | source { source-address source-wildcard | any } | source-port { eq | gt | lt | range } port | time-range time-name | tos tos ]*

An ACL rule is created.

- When protocol is specified as ICMP, run:

rule [ rule-id ] { deny | permit } icmp [ destination { destination-address destination-wildcard | any } | dscp dscp | precedence precedence | source { source-address source-wildcard | any } | time-range time-name | tos tos ]*


An ACL rule is created.

- When protocol is specified as a protocol other than TCP, UDP, or ICMP, run:

rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | dscp dscp | precedence precedence | source { source-address source-wildcard | any } | time-range time-name | tos tos ]*

An ACL rule is created.

You can configure different advanced ACLs on the S2300 according to the protocol carried by IP. Different parameter combinations are available for different protocol types.

NOTE

dscp dscp and precedence precedence cannot be specified at the same time.

----End

9.3.7 Configuring a Layer 2 ACL

Layer 2 ACLs can classify data packets according to the link layer information, including the source MAC address, source VLAN ID, Layer 2 protocol type, and destination MAC address.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl [ number ] acl-number

A layer 2 ACL is created based on the number.

Or, run:

acl name acl-name [ link | acl-number ]

A layer 2 ACL is created based on the name.

The value of a layer 2 ACL ranges from 4000 to 4999.

Step 3 Run:
rule [ rule-id ] { permit | deny } [ { ether-ii | 802.3 | snap } | l2-protocol type-value [ type-mask ] | destination-mac dest-mac-address [ dest-mac-mask ] | source-mac source-mac-address [ source-mac-mask ] | vlan-id vlan-id [ vlan-id-mask ] | 8021p 802.1p-value ] * [ time-range time-range-name ]

An ACL rule is created.

----End

9.3.8 (Optional) Setting the Step Between ACL Rules

The S2300 automatically allocates numbers to ACL rules according to the step between ACL rules.


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl acl-number

Or, run:

acl name acl-name

The ACL view is displayed.

Step 3 Run:
step step-value

The step between ACL rules is set.

When changing ACL configurations, pay attention to the following point:

- The undo step command restores the default step of an ACL and re-arranges the numbers of the ACL rules.

- By default, the value of step-value is 5.

----End
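How rule-id allocation by step (9.3.8), wildcard-mask matching in the basic and advanced rule syntax (9.3.5 and 9.3.6), first-match evaluation and the two no-match outcomes from 9.2 fit together, as an added example in Python that is not the switch's own code; the packet dictionaries, the sample rules and the decision names ("untouched", "traffic-behavior") are constructed for illustration.

```python
"""Ordered permit/deny evaluation of IPv4 ACL rules as the guide describes
them. Added example, not the switch's own code."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


def _ip_int(s: str) -> int:
    # The CLI accepts the shorthand wildcard "0" for an exact host match.
    return int(s) if s.isdigit() else int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard bits set to 1 are ignored: `10.1.1.1 0` is a single host,
    `10.1.0.0 0.0.255.255` is the whole 10.1.0.0/16."""
    w = _ip_int(wildcard)
    return (_ip_int(addr) | w) == (_ip_int(rule_addr) | w)


@dataclass
class Rule:
    rule_id: int
    action: str                          # "permit" or "deny"
    protocol: str = "ip"                 # "ip" matches any IP protocol
    source: Optional[tuple] = None       # (address, wildcard); None means any
    destination: Optional[tuple] = None
    dst_port: Optional[int] = None       # destination-port eq port

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "ip" and pkt["protocol"] != self.protocol:
            return False
        if self.source and not wildcard_match(pkt["src"], *self.source):
            return False
        if self.destination and not wildcard_match(pkt["dst"], *self.destination):
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return True


@dataclass
class Acl:
    number: int
    step: int = 5                        # default step, see 9.3.8
    rules: list = field(default_factory=list)

    def add_rule(self, action: str, rule_id: Optional[int] = None, **kw) -> int:
        """Without rule-id, take the next multiple of step above the highest id,
        which yields `rule 5` for the first rule as in the display acl output."""
        if rule_id is None:
            highest = max((r.rule_id for r in self.rules), default=0)
            rule_id = (highest // self.step + 1) * self.step
        self.rules.append(Rule(rule_id, action, **kw))
        self.rules.sort(key=lambda r: r.rule_id)   # rules are checked in id order
        return rule_id

    def lookup(self, pkt: dict) -> Optional[str]:
        """Action of the first matching rule, or None when nothing matches."""
        for r in self.rules:
            if r.matches(pkt):
                return r.action
        return None


def qos_decision(acl: Acl, pkt: dict) -> str:
    """Hardware application: deny discards, permit hands the packet to the
    QoS traffic behavior, and a packet matching no rule is left untouched."""
    return {"deny": "discard", "permit": "traffic-behavior"}.get(acl.lookup(pkt), "untouched")


def login_decision(acl: Acl, pkt: dict) -> str:
    """Software application (FTP/Telnet/SSH user control): only an explicit
    permit lets the packet through; deny and no match both discard it."""
    return "accept" if acl.lookup(pkt) == "permit" else "discard"


if __name__ == "__main__":
    acl = Acl(3000)
    acl.add_rule("deny", source=("10.1.1.1", "0"))        # rule 5 deny ip source 10.1.1.1 0
    acl.add_rule("permit", protocol="tcp", dst_port=22)    # becomes rule 10
    for pkt in ({"protocol": "tcp", "src": "10.1.1.1", "dst": "10.2.3.4", "dport": 22},
                {"protocol": "udp", "src": "10.9.9.9", "dst": "10.2.3.4", "dport": 53}):
        print(pkt["src"], "qos:", qos_decision(acl, pkt), "login:", login_decision(acl, pkt))
```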

9.3.9 Checking the Configuration

Checking the configuration of the ACL.

Prerequisite

The configurations of the ACL are complete.

Procedure

- Run the display acl { acl-number | all } command to check the ACL rule based on the number.
- Run the display acl name acl-name command to check the ACL rule based on the name.
- Run the display time-range { all | time-name } command to check the time range.

----End

Example

# Run the display acl command, and you can view the ACL number, rule IDs, step, and rule contents.

<Quidway> display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 5
 rule 5 deny ip source 10.1.1.1 0

# Run the display acl name command, and you can view the ACL name, ACL number, rule quantity, step, and rule contents.


<Quidway> display acl name test
Advanced ACL test 3999, 1 rule
Acl's step is 5
 rule 5 permit tcp

# Run the display time-range command, and you can view the configuration and status of the current time range.

<Quidway> display time-range all
Current time is 14:19:16 12-4-2008 Tuesday
Time-range : time1 ( Inactive )
 10:00 to 12:00 daily
 from 09:09 2008/9/9 to 23:59 2099/12/31

9.4 Configuring ACL6

This section describes how to configure basic ACL6 and advanced ACL6.

9.4.1 Establishing the Configuration Task

Establishing the configuration task of the ACL6.

9.4.2 Creating an ACL6

You can create an ACL6 based on the number or name.

9.4.3 (Optional) Creating the Time Range of the ACL6

When a time range is specified for the ACL6, the ACL6 takes effect only in this time range. If no time range is specified for the ACL6, the ACL6 is always effective until it is deleted or the rules of the ACL6 are deleted.

9.4.4 Configuring a Basic ACL6

Basic ACL6s can classify data packets based on the source IP address.

9.4.5 Configuring an Advanced ACL6

Advanced ACL6s can classify data packets based on the source IP address, destination IP address, source port number, destination port number, and protocol type.

9.4.6 Checking the Configuration

Checking the configuration of the ACL6s.

9.4.1 Establishing the Configuration Task

Establishing the configuration task of the ACL6.

Applicable Environment

An ACL6 can be applied to the following tasks:

- Configuring the packet filtering policy
- Configuring policy-based routing
- Configuring a routing policy

Pre-configuration Tasks

None


Data Preparation

To configure an ACL6, you need the following data.

No. Data

1 Number or name of the ACL6

2 (Optional) Name of the time range during which the ACL6 is valid, and the start time and end time of the time range

3 Number of the ACL6 and the rule identifying the packet type, including protocol type, source address and source interface, destination address and destination interface, ICMPv6 type and code, precedence, and ToS

9.4.2 Creating an ACL6
You can create an ACL6 based on the number or name.

Context

To create an ACL6, you need to specify a number that identifies the ACL6 type. For example, an ACL6 with a number in the range 2000 to 2999 is a basic ACL6, and an ACL6 with a number in the range 3000 to 3999 is an advanced ACL6.

Procedure

l Creating an ACL6 based on the number

1. Run:
system-view

The system view is displayed.

2. Run:
acl ipv6 [ number ] acl6-number

An ACL6 is created based on the number.

– The value of a basic ACL6 ranges from 2000 to 2999.

– The value of an advanced ACL6 ranges from 3000 to 3999.

l Creating an ACL6 based on the name

1. Run:
system-view

The system view is displayed.

2. Run:
acl ipv6 name acl6-name [ advance | basic | acl6-number ]

An ACL6 is created based on the name.

If the number of a named ACL6 is not specified, the S2300 automatically allocates a number to the named ACL6. The following situations are involved:


– If the type of a named ACL6 is specified, the number of the named ACL6 allocated by the S2300 is the maximum value of the named ACL6 of the type.

– If the number and the type of a named ACL6 are not specified, the S2300 considers the named ACL6 as the advanced ACL6 and allocates 3999 to the named ACL6.

The S2300 does not allocate the number to a named ACL6 repeatedly.

----End

9.4.3 (Optional) Creating the Time Range of the ACL6
When a time range is specified for the ACL6, the ACL6 takes effect only in this time range. If no time range is specified for the ACL6, the ACL6 is always effective until it is deleted or the rules of the ACL6 are deleted.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }

The time range is created.

You can set the same name for multiple time ranges to describe a special period. For example, three time ranges are set with the same name, that is, test.

l Time range 1: 2009-01-01 00:00 to 2009-12-31 23:59

l Time range 2: 8:00-18:00 on Monday to Friday

l Time range 3: 14:00-18:00 on Saturday and Sunday

The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in the year 2009.

----End
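The combination rule just described, worked through as an added Python example (not Huawei code): entries that share a name are parsed from the command syntax above and evaluated at a given clock time, the way display time-range reports Active or Inactive. The page itself uses the day keywords daily and working-day; the off-day keyword, the weekday names, and the general combination rule (periodic entries ORed, then restricted to the absolute entries) are assumptions modelled from the test example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Set

# Day keywords of the `days` argument as modelled here. The page uses
# `daily` and `working-day`; `off-day` and the weekday names are assumed.
DAY_SETS = {
    "daily": set(range(7)),
    "working-day": set(range(5)),          # Monday..Friday
    "off-day": {5, 6},                     # Saturday, Sunday
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}


@dataclass
class Periodic:
    """start-time to end-time days"""
    start: time
    end: time
    days: Set[int]

    def active(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start <= now.time() <= self.end


@dataclass
class Absolute:
    """from time1 date1 [ to time2 date2 ]"""
    start: datetime
    end: datetime

    def active(self, now: datetime) -> bool:
        return self.start <= now <= self.end


@dataclass
class TimeRange:
    name: str
    periodic: List[Periodic] = field(default_factory=list)
    absolute: List[Absolute] = field(default_factory=list)

    def active(self, now: datetime) -> bool:
        # Combination rule as the 'test' example implies it (assumed for the
        # general case): periodic entries are ORed, and the result is
        # restricted to the absolute entries.
        in_abs = not self.absolute or any(a.active(now) for a in self.absolute)
        in_per = not self.periodic or any(p.active(now) for p in self.periodic)
        return in_abs and in_per


def add_entry(tr: TimeRange, text: str) -> None:
    """Parse the argument part of one `time-range <name> ...` command."""
    tok = text.split()
    if tok[0] == "from":
        # from HH:MM YYYY/MM/DD [to HH:MM YYYY/MM/DD]; no end means open-ended
        start = datetime.strptime(f"{tok[1]} {tok[2]}", "%H:%M %Y/%m/%d")
        end = (datetime.strptime(f"{tok[4]} {tok[5]}", "%H:%M %Y/%m/%d")
               if len(tok) > 3 and tok[3] == "to" else datetime.max)
        tr.absolute.append(Absolute(start, end))
    else:
        # HH:MM to HH:MM day [day ...]
        start = datetime.strptime(tok[0], "%H:%M").time()
        end = datetime.strptime(tok[2], "%H:%M").time()
        days: Set[int] = set()
        for word in tok[3:]:
            days |= DAY_SETS[word.lower()]
        tr.periodic.append(Periodic(start, end, days))


def is_active(tr: TimeRange, when: str) -> bool:
    """Evaluate the range at a clock value given as 'YYYY/MM/DD HH:MM'."""
    return tr.active(datetime.strptime(when, "%Y/%m/%d %H:%M"))


def status_line(tr: TimeRange, when: str) -> str:
    """Mimic the '( Active )' / '( Inactive )' marker of display time-range."""
    state = "Active" if is_active(tr, when) else "Inactive"
    return f"Time-range : {tr.name} ( {state} )"


def build_test_range() -> TimeRange:
    """The three entries named 'test' from the text above (constructed input)."""
    tr = TimeRange("test")
    add_entry(tr, "from 00:00 2009/01/01 to 23:59 2009/12/31")
    add_entry(tr, "08:00 to 18:00 working-day")
    add_entry(tr, "14:00 to 18:00 off-day")
    return tr


def build_time1_range() -> TimeRange:
    """time1 as printed by the display time-range output earlier in this chapter."""
    tr = TimeRange("time1")
    add_entry(tr, "10:00 to 12:00 daily")
    add_entry(tr, "from 09:09 2008/9/9 to 23:59 2099/12/31")
    return tr


if __name__ == "__main__":
    print(status_line(build_time1_range(), "2008/12/04 14:19"))  # Inactive, as on the page
    print(status_line(build_test_range(), "2009/03/04 10:00"))   # Active (a Wednesday in 2009)
```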

9.4.4 Configuring a Basic ACL6
Basic ACL6s can classify data packets based on the source IP address.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl ipv6 [ number ] acl6-number

A basic ACL6 is created based on the number.

Or, run:


acl ipv6 name acl6-name [ advance | basic | acl6-number ]

A basic ACL6 is created based on the name.

The value of a basic ACL6 ranges from 2000 to 2999.

Step 3 Run:
rule [ rule-id ] { deny | permit } [ source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name ] *

The rule of the ACL6 is configured.

----End

9.4.5 Configuring an Advanced ACL6
Advanced ACL6s can classify data packets based on the source IP address, destination IP address, source port number, destination port number, and protocol type.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl ipv6 [ number ] acl6-number

An advanced ACL6 is created based on the number.

Or, run:

acl ipv6 name acl6-name [ advance | basic | acl6-number ]

An advanced ACL6 is created based on the name.

The value of an advanced ACL6 ranges from 3000 to 3999.

Step 3 Perform the following steps as required to configure rules for the ACL6:

You can configure the advanced ACL6 on the S2300 according to the type of the protocol carried by IP. The parameters vary according to the protocol type.

l When protocol is TCP, run:
rule [ rule-id ] { deny | permit } { tcp | protocol } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | destination-port { eq | gt | lt | range } port | dscp dscp | fragment | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | source-port { eq | gt | lt | range } port | tcp-flag { tcp-value | ack | fin | psh | rst | syn | urg } * | time-range time-name | tos tos ] *

l When protocol is UDP, run:
rule [ rule-id ] { deny | permit } { udp | protocol } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | destination-port { eq | gt | lt | range } port | dscp dscp | fragment | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | source-port { eq | gt | lt | range } port | time-range time-name | tos tos ] *


l When protocol is ICMPv6, run:
rule [ rule-id ] { deny | permit } { icmpv6 | protocol } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | dscp dscp | fragment | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | tos tos ] *

l When protocol is not TCP, UDP, or ICMPv6, run:
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | dscp dscp | fragment | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | tos tos ] *

----End

9.4.6 Checking the Configuration
Checking the configuration of the ACL6s.

Prerequisite

The configurations of the ACL6 are complete.

Procedure

l Run the display acl ipv6 { acl6-number | all } command to check the ACL6 rule based on the number.

l Run the display acl ipv6 name acl6-name command to check the ACL6 rule based on the name.

l Run the display time-range { all | time-name } command to view information about the time range.

----End

Example

# Run the display acl ipv6 command, and you can view the ACL6 number, rule IDs, and rule contents.

<Quidway> display acl ipv6 2002
Basic IPv6 ACL 2002, 2 rules
 rule 0 permit time-range time1
 rule 1 permit

# Run the display acl ipv6 name command, and you can view the ACL6 name, ACL6 number, rule quantity, and rule contents.

<Quidway> display acl ipv6 name test
Advanced IPv6 ACL 3999 name test, 1 rule
 rule 0 permit udp

# Run the display time-range command, and you can see the configuration and status of the current time range.

<Quidway> display time-range all
Current time is 09:33:31 5-21-2009 Thursday

Time-range : time1 ( Inactive )
 12:00 to 23:00 working-day

9.5 Configuration Examples
This section provides configuration examples of the ACL.

9.5.1 Example for Configuring a Basic ACL

9.5.2 Example for Configuring an Advanced ACL

9.5.3 Example for Configuring a Layer 2 ACL

9.5.4 Example for Configuring an ACL6 to Control FTP User Access

9.5.1 Example for Configuring a Basic ACL

Networking Requirements

As shown in Figure 9-1, GE 0/0/1 of the Switch is connected to the user, and GE 0/0/2 is connected to the upstream router. It is required that the Switch not trust the packets from user A, whose IP address is 10.0.0.2/24.

Figure 9-1 Networking diagram for configuring a basic ACL (diagram labels: Switch; PC A, IP: 10.0.0.2/24; PC B; GE0/0/1; GE0/0/2)

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure the ACL.
2. Configure the traffic classifier.
3. Configure the traffic behavior.
4. Configure the traffic policy.
5. Apply the traffic policy to an interface.


Data Preparation

To complete the configuration, you need the following data:

l ACL number

l IP address of user A

l Names of traffic classifier, traffic behavior, and traffic policy

l Interface where the traffic policy is applied

Procedure

Step 1 Configure the traffic classifier that is based on the ACL rules.

# Define the ACL rules.

[Quidway] acl 2000
[Quidway-acl-basic-2000] rule permit source 10.0.0.2 0.0.0.255
[Quidway-acl-basic-2000] quit

# Configure the traffic classifier and define the ACL rules.

[Quidway] traffic classifier tc1
[Quidway-classifier-tc1] if-match acl 2000
[Quidway-classifier-tc1] quit

Step 2 Configure the traffic behavior.

[Quidway] traffic behavior tb1
[Quidway-behavior-tb1] deny
[Quidway-behavior-tb1] quit

Step 3 Configure the traffic policy.

# Define the traffic policy and associate the traffic classifier and traffic behavior with the traffic policy.

[Quidway] traffic policy tp1
[Quidway-trafficpolicy-tp1] classifier tc1 behavior tb1
[Quidway-trafficpolicy-tp1] quit

# Apply the traffic policy to GE 0/0/1.

[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] traffic-policy tp1 inbound
[Quidway-GigabitEthernet0/0/1] quit

Step 4 Verify the configuration.

# Check the configuration of the ACL rules.

<Quidway> display acl 2000
Basic ACL 2000, 1 rule
Acl's step is 5
 rule 5 permit source 10.0.0.0 0.0.0.255

# Check the configuration of the traffic classifier.

<Quidway> display traffic classifier user-defined
 User Defined Classifier Information:
  Classifier: tc1
   Operator: AND
   Rule(s) : if-match acl 2000

# Check the configuration of the traffic policy.


<Quidway> display traffic policy user-defined tp1
 User Defined Traffic Policy Information:
  Policy: tp1
   Classifier: tc1
    Operator: AND
    Behavior: tb1
     Deny

----End

Configuration Files

#
acl number 2000
 rule 5 permit source 10.0.0.0 0.0.0.255
#
traffic classifier tc1 operator and
 if-match acl 2000
#
traffic behavior tb1
 deny
#
traffic policy tp1
 classifier tc1 behavior tb1
#
interface GigabitEthernet0/0/1
 traffic-policy tp1 inbound
#
return

9.5.2 Example for Configuring an Advanced ACL

Networking Requirements

As shown in Figure 9-2, the departments of the company are connected through the Switches. It is required that the IPv4 ACL be configured correctly. The personnel of the R&D department and marketing department cannot access the salary query server at 10.164.9.9 from 8:00 to 17:30, whereas the personnel of the president's office can access the server at any time.

Figure 9-2 Networking diagram for configuring IPv4 ACLs (diagram labels: Switch; Salary query server 10.164.9.9; Marketing department 10.164.2.0/24; President's office 10.164.1.0/24; R&D department 10.164.3.0/24; Ethernet0/0/1, Ethernet0/0/2, Ethernet0/0/3, Ethernet0/0/4)


Configuration Roadmap

The configuration roadmap is as follows:

1. Assign IP addresses to interfaces.
2. Configure the time range.
3. Configure the ACL.
4. Configure the traffic classifier.
5. Configure the traffic behavior.
6. Configure the traffic policy.
7. Apply the traffic policy to an interface.

Data Preparation

To complete the configuration, you need the following data:

l VLAN that the interface belongs to

l Name of the time range

l ACL ID and rules

l Name of the traffic classifier and classification rules

l Name of the traffic behavior and actions

l Name of the traffic policy, and traffic classifier and traffic behavior associated with the traffic policy

l Interface that a traffic policy is applied to

Procedure

Step 1 Assign IP addresses to interfaces.

# Add interfaces to the VLAN and assign IP addresses to the VLANIF interfaces.

Add Ethernet 0/0/1, Ethernet 0/0/2, and Ethernet 0/0/3 to VLAN 10, VLAN 20, and VLAN 30 respectively, and add Ethernet 0/0/4 to VLAN 100. The first IP address of the network segment is taken as the address of the VLANIF interface. Take Ethernet 0/0/1 as an example. The configurations of other interfaces are similar to the configuration of Ethernet 0/0/1, and are not mentioned here.

<Quidway> system-view
[Quidway] vlan batch 10 20 30 100
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] port link-type access
[Quidway-Ethernet0/0/1] port default vlan 10
[Quidway-Ethernet0/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.164.1.1 255.255.255.0
[Quidway-Vlanif10] quit

Step 2 Configure the time range.

# Configure the time range from 8:00 to 17:30.


<Quidway> system-view
[Quidway] time-range satime 8:00 to 17:30 working-day

Step 3 Configure ACLs.

# Configure the ACL for the personnel of the marketing department to access the salary query server.

[Quidway] acl 3002
[Quidway-acl-adv-3002] rule deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime
[Quidway-acl-adv-3002] quit

# Configure the ACL for the personnel of the R&D department to access the salary query server.

[Quidway] acl 3003
[Quidway-acl-adv-3003] rule deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime
[Quidway-acl-adv-3003] quit

Step 4 Configure ACL-based traffic classifiers.

# Configure the traffic classifier c_market to classify the packets that match ACL 3002.

[Quidway] traffic classifier c_market
[Quidway-classifier-c_market] if-match acl 3002
[Quidway-classifier-c_market] quit

# Configure the traffic classifier c_rd to classify the packets that match ACL 3003.

[Quidway] traffic classifier c_rd
[Quidway-classifier-c_rd] if-match acl 3003
[Quidway-classifier-c_rd] quit

Step 5 Configure traffic behaviors.

# Configure the traffic behavior b_market to reject packets.

[Quidway] traffic behavior b_market
[Quidway-behavior-b_market] deny
[Quidway-behavior-b_market] quit

# Configure the traffic behavior b_rd to reject packets.

[Quidway] traffic behavior b_rd
[Quidway-behavior-b_rd] deny
[Quidway-behavior-b_rd] quit

Step 6 Configure traffic policies.

# Configure the traffic policy p_market and associate the traffic classifier c_market and the traffic behavior b_market with the traffic policy.

[Quidway] traffic policy p_market
[Quidway-trafficpolicy-p_market] classifier c_market behavior b_market
[Quidway-trafficpolicy-p_market] quit

# Configure the traffic policy p_rd and associate the traffic classifier c_rd and the traffic behavior b_rd with the traffic policy.

[Quidway] traffic policy p_rd
[Quidway-trafficpolicy-p_rd] classifier c_rd behavior b_rd
[Quidway-trafficpolicy-p_rd] quit

Step 7 Apply the traffic policy.

# Apply the traffic policy p_market to Ethernet 0/0/2.


[Quidway] interface ethernet 0/0/2
[Quidway-Ethernet0/0/2] traffic-policy p_market inbound
[Quidway-Ethernet0/0/2] quit

# Apply the traffic policy p_rd to Ethernet 0/0/3.

[Quidway] interface ethernet 0/0/3
[Quidway-Ethernet0/0/3] traffic-policy p_rd inbound
[Quidway-Ethernet0/0/3] quit

Step 8 Verify the configuration.

# Check the configuration of ACL rules.

<Quidway> display acl all
 Total nonempty ACL number is 2

Advanced ACL 3002, 1 rule
Acl's step is 5
 rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime (Inactive)

Advanced ACL 3003, 1 rule
Acl's step is 5
 rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime (Inactive)

# Check the configuration of the traffic classifier.

<Quidway> display traffic classifier user-defined
 User Defined Classifier Information:
  Classifier: c_market
   Operator: AND
   Rule(s) : if-match acl 3002

  Classifier: c_rd
   Operator: AND
   Rule(s) : if-match acl 3003

# Check the configuration of the traffic policy.

<Quidway> display traffic policy user-defined
 User Defined Traffic Policy Information:
  Policy: p_market
   Classifier: c_market
    Operator: AND
    Behavior: b_market
     Deny

  Policy: p_rd
   Classifier: c_rd
    Operator: AND
    Behavior: b_rd
     Deny

----End

Configuration Files

#
 sysname Quidway
#
vlan batch 10 20 30 40 100
#
time-range satime 08:00 to 17:30 working-day
#
acl number 3002
 rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
#
acl number 3003
 rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
#
traffic classifier c_market operator or
 if-match acl 3002
traffic classifier c_rd operator or
 if-match acl 3003
#
traffic behavior b_market
 deny
traffic behavior b_rd
 deny
#
traffic policy p_market
 classifier c_market behavior b_market
traffic policy p_rd
 classifier c_rd behavior b_rd
#
interface Vlanif10
 ip address 10.164.1.1 255.255.255.0
#
interface Vlanif20
 ip address 10.164.2.1 255.255.255.0
#
interface Vlanif30
 ip address 10.164.3.1 255.255.255.0
#
interface Vlanif100
 ip address 10.164.9.1 255.255.255.0
#
interface Ethernet0/0/1
 port link-type access
 port default vlan 10
#
interface Ethernet0/0/2
 port link-type access
 port default vlan 20
 traffic-policy p_market inbound
#
interface Ethernet0/0/3
 port link-type access
 port default vlan 30
 traffic-policy p_rd inbound
#
interface Ethernet0/0/4
 port link-type access
 port default vlan 100
#
return
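An added Python example (not Huawei code) that evaluates the ACL 2000 rule of 9.5.1 and the ACL 3002 rule of this example with IPv4 wildcard-mask semantics. It reproduces what the display acl output on the page shows: source 10.0.0.2 0.0.0.255 is stored as 10.0.0.0 0.0.0.255, so the classifier of 9.5.1 matches every host in 10.0.0.0/24 rather than only user A (a wildcard of 0 limits the rule to that one host), and a rule bound to an inactive time range matches nothing. The traffic-policy stage is not modelled; the time-range state is passed in as the set of currently active names, and the client addresses used in the checks are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Set, Tuple

Field = Tuple[int, int]   # (address with wildcard bits cleared, wildcard mask)
ALL_ONES = 0xFFFFFFFF


def parse_wildcard(text: str) -> int:
    """Wildcard mask as an int; '0' is the shorthand the page shows for 0.0.0.0."""
    return 0 if text == "0" else int(IPv4Address(text))


def fmt_wildcard(w: int) -> str:
    return "0" if w == 0 else str(IPv4Address(w))


def normalize(addr: str, wildcard: str) -> Field:
    """Clear the wildcard ('don't care') bits, as the switch does before storing
    the rule: source 10.0.0.2 0.0.0.255 is stored as 10.0.0.0 0.0.0.255."""
    w = parse_wildcard(wildcard)
    return int(IPv4Address(addr)) & ~w & ALL_ONES, w


@dataclass
class Rule:
    rule_id: int
    action: str                        # 'permit' or 'deny'
    protocol: Optional[str] = None     # 'ip' in advanced ACLs; absent in basic ACLs
    source: Optional[Field] = None
    destination: Optional[Field] = None
    time_range: Optional[str] = None

    def matches(self, src: str, dst: str, active_ranges: Set[str]) -> bool:
        if self.time_range and self.time_range not in active_ranges:
            return False   # shown as '(Inactive)' by display acl: never matches
        for fld, ip in ((self.source, src), (self.destination, dst)):
            if fld is not None:
                net, w = fld
                if (int(IPv4Address(ip)) & ~w & ALL_ONES) != net:
                    return False
        return True

    def display(self) -> str:
        """Reproduce the rule line that `display acl` prints."""
        parts = [f"rule {self.rule_id} {self.action}"]
        if self.protocol:
            parts.append(self.protocol)
        for name, fld in (("source", self.source), ("destination", self.destination)):
            if fld is not None:
                parts.append(f"{name} {IPv4Address(fld[0])} {fmt_wildcard(fld[1])}")
        if self.time_range:
            parts.append(f"time-range {self.time_range}")
        return " ".join(parts)


def parse_rule(text: str, next_id: int = 5) -> Rule:
    """Parse a rule as typed in the ACL view. When no rule-id is typed the
    switch assigns one from its step (the first rule gets 5 with step 5)."""
    tok = text.split()
    i, rule_id = 1, next_id
    if tok[i].isdigit():
        rule_id, i = int(tok[i]), i + 1
    rule = Rule(rule_id=rule_id, action=tok[i])
    i += 1
    if i < len(tok) and tok[i] in ("ip", "tcp", "udp", "icmp"):
        rule.protocol, i = tok[i], i + 1
    while i < len(tok):
        kw = tok[i]
        if kw in ("source", "destination"):
            setattr(rule, kw, normalize(tok[i + 1], tok[i + 2]))
            i += 3
        elif kw == "time-range":
            rule.time_range, i = tok[i + 1], i + 2
        else:
            raise ValueError(f"keyword not modelled here: {kw}")
    return rule


def match_acl(rules: List[Rule], src: str, dst: str,
              active: Optional[Set[str]] = None) -> Optional[str]:
    """First matching rule decides; None means the ACL does not classify the
    packet, so a traffic policy built on it takes no action on that packet."""
    active = active or set()
    for r in sorted(rules, key=lambda r: r.rule_id):
        if r.matches(src, dst, active):
            return r.action
    return None


# ACL 2000 from 9.5.1 and ACL 3002 from 9.5.2, typed exactly as on the page.
ACL_2000 = [parse_rule("rule permit source 10.0.0.2 0.0.0.255")]
ACL_3002 = [parse_rule("rule deny ip source 10.164.2.0 0.0.0.255 "
                       "destination 10.164.9.9 0 time-range satime")]
# Same intent as ACL 2000 but limited to user A alone (constructed variant).
ACL_2000_HOST_ONLY = [parse_rule("rule permit source 10.0.0.2 0")]
```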

9.5.3 Example for Configuring a Layer 2 ACL

Networking Requirements

As shown in Figure 9-3, the Switch that functions as the gateway is connected to the PC. It is required that an ACL be configured to prevent packets with the source MAC address 00e0-f201-0101 and the destination MAC address 0260-e207-0002 from passing through.


Figure 9-3 Networking diagram for configuring layer 2 ACLs (diagram labels: IP network; 00e0-f201-0101; Switch; GE0/0/1; GE0/0/2)

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure the ACL.
2. Configure the traffic classifier.
3. Configure the traffic behavior.
4. Configure the traffic policy.
5. Apply the traffic policy to an interface.

Data Preparation

To complete the configuration, you need the following data:

l ACL ID and rules

l Name of the traffic classifier and classification rules

l Name of the traffic behavior and actions

l Name of the traffic policy, and traffic classifier and traffic behavior associated with the traffic policy

l Interface that a traffic policy is applied to

Procedure

Step 1 Configure an ACL.

# Configure the required layer 2 ACL.

[Quidway] acl 4000
[Quidway-acl-L2-4000] rule deny source-mac 00e0-f201-0101 ffff-ffff-ffff destination-mac 0260-e207-0002 ffff-ffff-ffff
[Quidway-acl-L2-4000] quit

Step 2 Configure the traffic classifier that is based on the ACL.

# Configure the traffic classifier tc1 to classify packets that match ACL 4000.

[Quidway] traffic classifier tc1
[Quidway-classifier-tc1] if-match acl 4000
[Quidway-classifier-tc1] quit

Step 3 Configure the traffic behavior.


# Configure the traffic behavior tb1 to reject packets.

[Quidway] traffic behavior tb1
[Quidway-behavior-tb1] deny
[Quidway-behavior-tb1] quit

Step 4 Configure the traffic policy.

# Configure the traffic policy tp1 and associate tc1 and tb1 with the traffic policy.

[Quidway] traffic policy tp1
[Quidway-trafficpolicy-tp1] classifier tc1 behavior tb1
[Quidway-trafficpolicy-tp1] quit

Step 5 Apply the traffic policy.

# Apply the traffic policy tp1 to GE 0/0/1.

[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] traffic-policy tp1 inbound
[Quidway-GigabitEthernet0/0/1] quit

Step 6 Verify the configuration.

# Check the configuration of ACL rules.

<Quidway> display acl 4000
L2 ACL 4000, 1 rule
Acl's step is 5
 rule 5 deny destination-mac 0260-e207-0002 source-mac 00e0-f201-0101

# Check the configuration of the traffic classifier.

<Quidway> display traffic classifier user-defined
 User Defined Classifier Information:
  Classifier: tc1
   Operator: AND
   Rule(s) : if-match acl 4000

# Check the configuration of the traffic policy.

<Quidway> display traffic policy user-defined tp1
 User Defined Traffic Policy Information:
  Policy: tp1
   Classifier: tc1
    Operator: AND
    Behavior: tb1
     Deny

----End

Configuration Files

#
 sysname Quidway
#
acl number 4000
 rule 5 deny destination-mac 0260-e207-0002 source-mac 00e0-f201-0101
#
traffic classifier tc1 operator and
 if-match acl 4000
#
traffic behavior tb1
 deny
#
traffic policy tp1
 classifier tc1 behavior tb1
#
interface GigabitEthernet0/0/1
 traffic-policy tp1 inbound
#
return

9.5.4 Example for Configuring an ACL6 to Control FTP User Access

Networking Requirements

As shown in Figure 9-4, the IP address of the switch that functions as the FTP server is 3002::1/64.

The routes between PC1, PC2, and the FTP server are reachable. It is required that an ACL6 be configured on the FTP server to prohibit PC2 with IP address 3001::2/64 from downloading and uploading files through FTP.

Figure 9-4 Networking diagram for configuring an ACL6 to control FTP users (diagram labels: SwitchA; SwitchB; Loopback2 3002::2/64; 3001::1/64; 3001::2/64; VLAN 10; GE0/0/1; GE0/0/1)

Configuration Roadmap

The configuration roadmap is as follows:

1. Perform basic configurations on the FTP server.
2. Configure a basic ACL6.
3. Bind the basic ACL6 to the FTP server.

Data Preparation

To complete the configuration, you need the following data:

l FTP user name and password configured on the FTP server

l Basic ACL6 number

Procedure

Step 1 Configure basic FTP functions.

See Example for Configuring the FTP Server.

Step 2 Configure a basic ACL6.

<Quidway> system-view
[Quidway] acl ipv6 number 2001
[Quidway-acl-basic-2001] rule deny source 3001::2/128
[Quidway-acl-basic-2001] quit


Step 3 Bind the basic ACL6 to the FTP server.

[Quidway] ftp ipv6 acl 2001

Step 4 Verify the configuration.

# Connect PC1 to the FTP server.

c:\ ftp 3002::1
Connected to 3002::1
220 FTP service ready.
User (3003::5:(none)):u1
331 Password required for u1
Password:
230 User logged in.
ftp>

# Connect PC2 to the FTP server.

c:\ ftp 3002::1
Connected to 3002::1
Info:ACL6 was denied by remote host!
Connection closed by remote host.

----End

Configuration Files

#
acl ipv6 number 2001
 rule 0 deny source 3001::2/128
#
ftp ipv6 acl 2001
#
return
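The ACL6 of Step 2 evaluated against the two clients, as an added Python example (not Huawei code): it parses the source forms of 9.4.4, applies first-match ordering, and admits a client that matches no rule, which is the outcome the verification step shows for PC1 when only a deny rule exists. The /64 variant is a constructed mistake included to show how the prefix length widens the rule to the whole link; the rule numbering from 0 follows the configuration file above.

```python
from ipaddress import IPv6Address, IPv6Network
from typing import List, Optional, Tuple


class Rule6:
    def __init__(self, rule_id: int, action: str, source: Optional[IPv6Network]):
        self.rule_id = rule_id
        self.action = action          # 'permit' or 'deny'
        self.source = source          # None: no source condition, matches every client

    def display(self) -> str:
        """The rule line as the configuration file prints it."""
        src = f" source {self.source.with_prefixlen}" if self.source else ""
        return f"rule {self.rule_id} {self.action}{src}"


def parse_source(tok: List[str]) -> Tuple[IPv6Network, int]:
    """The three source forms of 9.4.4: addr/prefix-length, addr prefix-length, any.
    Returns the network and the number of tokens consumed."""
    if tok[0] == "any":
        return IPv6Network("::/0"), 1
    if "/" in tok[0]:
        return IPv6Network(tok[0], strict=False), 1
    return IPv6Network(f"{tok[0]}/{tok[1]}", strict=False), 2


def parse_rule6(text: str, next_id: int = 0) -> Rule6:
    """Parse 'rule [ rule-id ] { deny | permit } [ source ... ]'. A rule typed
    without a rule-id is numbered 0 here, as in the configuration file."""
    tok = text.split()
    i, rule_id = 1, next_id
    if tok[i].isdigit():
        rule_id, i = int(tok[i]), i + 1
    action, i = tok[i], i + 1
    source = None
    if i < len(tok) and tok[i] == "source":
        source, used = parse_source(tok[i + 1:])
        i += 1 + used
    return Rule6(rule_id, action, source)


def ftp_access(acl: List[Rule6], client: str) -> str:
    """Decision for an FTP control connection from `client` once the ACL6 is
    bound with `ftp ipv6 acl`. The first matching rule wins; a client that
    matches no rule is admitted, which is what the page shows for PC1."""
    addr = IPv6Address(client)
    for rule in sorted(acl, key=lambda r: r.rule_id):
        if rule.source is None or addr in rule.source:
            return rule.action
    return "permit"


# ACL 2001 exactly as configured in Step 2.
ACL_2001 = [parse_rule6("rule deny source 3001::2/128")]
# Same address with a /64 (constructed mistake): the rule then covers the
# whole 3001::/64 link, so PC1 at 3001::1 would be refused as well.
ACL_2001_TOO_BROAD = [parse_rule6("rule deny source 3001::2/64")]
```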


10 ND Snooping Configuration

About This Chapter

This chapter describes the principle and configuration method of neighbor discovery (ND) snooping and provides configuration examples.

Context

NOTE

S2300SI does not support ND Snooping.

10.1 ND Snooping Overview
This section describes the principle of ND snooping.

10.2 ND Snooping Features Supported by the S2300
This section describes ND snooping features supported by the S2300.

10.3 Configuring ND Snooping
This section describes the basic concepts of ND snooping and the procedure for configuring ND snooping, and provides configuration examples of ND snooping.

10.4 Maintaining ND Snooping
This section describes how to reset the prefix management table and ND dynamic binding table.

10.5 Configuration Examples
This section provides a configuration example of ND snooping.


10.1 ND Snooping Overview
This section describes the principle of ND snooping.

Neighbor discovery (ND) is a group of messages and processes that identify relationships between neighboring nodes. IPv6 ND corresponds to a combination of the Address Resolution Protocol (ARP), ICMP router discovery, and ICMP Redirect of IPv4. ND snooping provides the following functions:

l Detecting address conflicts

l Resolving the neighboring node address

l Determining neighbor reachability

l Configuring the host address

ND uses the following message types:

l Router Solicitation (RS): After startup, a host sends an RS message to a device, and waits for the device to respond with a Router Advertisement (RA) message.

l Router Advertisement (RA): A device periodically advertises RA messages that contain prefixes and flag bits.

l Neighbor Solicitation (NS): Through NS messages, an IPv6 node obtains the link-layer address of its neighbor, checks whether the neighbor is reachable, and performs duplicate address detection.

l Neighbor Advertisement (NA): After receiving an NS message, an IPv6 node responds with an NA message. In addition, the IPv6 node sends NA messages on its own initiative when the link layer changes.

l Redirect: When finding that the inbound interface and outbound interface of a packet are the same, a device can send Redirect messages to instruct the host that sends the packet to choose a better next hop.

The ND snooping technology is a security feature of ND. By capturing and analyzing the preceding types of messages, it filters out untrusted messages, and establishes and maintains the prefix management table and ND dynamic binding table. The prefix management table contains information about the prefix and the prefix lease. The ND dynamic binding table contains information about IPv6 addresses, MAC addresses, interfaces, and VLAN IDs.

By maintaining the prefix management table and ND dynamic binding table, the device enabled with ND snooping allows authorized users to access the network and prevents unauthorized users from attacking network devices and authorized users.

10.2 ND Snooping Features Supported by the S2300
This section describes ND snooping features supported by the S2300.

When being deployed on a Layer 2 network, the S2300 is located between the ND server (usually a router) and the user network. To prevent unauthorized users from forging the ND server, you can configure interfaces as trusted or untrusted interfaces on the S2300.

By maintaining the prefix management table and ND dynamic binding table, the S2300 enabled with ND snooping allows authorized users to access the network and prevents unauthorized users from attacking network devices and authorized users.

Figure 10-1 shows ND snooping applied to the S2300.


Figure 10-1 ND snooping enabled on the S2300 of the Layer 2 network (diagram labels: Untrusted; Trusted; User network; L2 network; L3 network; Router (ND Server); Switch)

10.3 Configuring ND Snooping
This section describes the basic concepts of ND snooping and the procedure for configuring ND snooping, and provides configuration examples of ND snooping.

10.3.1 Establishing the Configuration Task
Before configuring ND snooping, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.

10.3.2 Enabling ND Snooping
After ND snooping is enabled globally, you must enable ND snooping on an interface or in a VLAN. Otherwise, ND snooping does not take effect.

10.3.3 Configuring an Interface as the Trusted Interface
Generally, the network-side interface of the S2300 is configured as the trusted interface and user-side interfaces of the S2300 are configured as untrusted interfaces.

10.3.4 (Optional) Configuring the Aging Function of the ND Dynamic Binding Table
Through the aging function, the S2300 can automatically manage the ND dynamic binding table.

10.3.5 Checking the Configuration
After configuring ND snooping to improve the security of an IPv6 network, you can view the statistics about ND snooping.

10.3.1 Establishing the Configuration Task
Before configuring ND snooping, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.


Applicable Environment

When a bogus ND server exists on the network, it sends incorrect information, such as an incorrect gateway address, DNS server, or address prefix, to ND clients. As a result, ND clients cannot access the destination network.

To protect the S2300 against attacks from a bogus ND server, you can configure ND snooping on the S2300, configure the network-side interface as the trusted interface, and configure user-side interfaces as untrusted interfaces. RA messages received on untrusted interfaces are discarded.

Based on the RA messages received on the trusted interface, the S2300 establishes the prefix management table. The prefix management table saves information about the prefixes that the ND server advertises to the S2300, and the S2300 uses it to manage client addresses.

According to the prefixes in the ND snooping prefix management table, clients automatically generate IPv6 addresses and send NS messages to detect whether the IPv6 addresses conflict (duplicate address detection). In this process, the S2300 generates the ND dynamic binding table from those NS messages. The ND dynamic binding table saves the IPv6 addresses, MAC addresses, and VLAN IDs of clients. The S2300 delivers the ND dynamic binding entries to an automatically generated ACL; packets matching the entries in the ACL are permitted by default.
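The two tables just described can be exercised offline. The following Python model is an added example, not code from this guide or from Huawei: it parses constructed RA and NS bodies (RFC 4861 layouts, checksum left at zero), discards RAs that arrive on untrusted ports, learns the prefix table from the trusted port, binds a client only when its DAD target falls inside a learned prefix, and answers the ACL question "is this (IP, MAC, VLAN) triple permitted?". The port names, the router and bogus-router MAC addresses, and all class and function names are assumptions; the prefix, client address and client MAC are taken from the display output shown later in this chapter.

```python
import ipaddress
import struct

# ICMPv6 types and the ND option used here (RFC 4861 layouts).
ICMPV6_RA = 134        # Router Advertisement
ICMPV6_NS = 135        # Neighbor Solicitation
OPT_PREFIX_INFO = 3    # Prefix Information option carried in RAs


def build_ra(prefix, plen, valid, preferred):
    """Constructed RA body: 16-byte header plus one 32-byte Prefix Information
    option. Checksum stays 0 (needs the IPv6 pseudo-header, not modelled)."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, valid, preferred, 0)
    return hdr + opt + ipaddress.IPv6Address(prefix).packed


def build_ns(target):
    """Constructed NS body as a client sends it for duplicate address detection."""
    return struct.pack("!BBHI", ICMPV6_NS, 0, 0, 0) + ipaddress.IPv6Address(target).packed


def parse_ra_prefixes(icmp):
    """Yield (network, valid_lifetime, preferred_lifetime) for each Prefix
    Information option in an RA; other options are skipped by their length."""
    if icmp[0] != ICMPV6_RA:
        raise ValueError("not an RA")
    off = 16                                   # end of the fixed RA header
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")   # RFC 4861: discard
        body = icmp[off:off + olen * 8]
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen = body[2]
            valid, preferred = struct.unpack("!II", body[4:12])
            addr = ipaddress.IPv6Address(body[16:32])
            yield ipaddress.IPv6Network(f"{addr}/{plen}", strict=False), valid, preferred
        off += olen * 8


def parse_ns_target(icmp):
    """Target address of an NS (bytes 8..23 of the ICMPv6 body)."""
    if icmp[0] != ICMPV6_NS:
        raise ValueError("not an NS")
    return ipaddress.IPv6Address(icmp[8:24])


class NdSnoopingSwitch:
    """Hypothetical model of the tables the page describes (not the S2300
    implementation): RAs are accepted only on trusted ports and feed the prefix
    table; a client's DAD NS feeds the binding table only if its target lies
    in a learned prefix."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.prefix_table = {}   # IPv6Network -> (valid, preferred)
        self.bind_table = {}     # IPv6Address -> (mac, vlan, port)
        self.dropped = []        # (reason, port) for every discarded RA

    def receive(self, port, vlan, src_mac, icmp):
        kind = icmp[0]
        if kind == ICMPV6_RA:
            if port not in self.trusted:
                self.dropped.append(("RA from untrusted port", port))
                return "dropped"
            for net, valid, preferred in parse_ra_prefixes(icmp):
                self.prefix_table[net] = (valid, preferred)
            return "prefix-learned"
        if kind == ICMPV6_NS:
            target = parse_ns_target(icmp)
            if any(target in net for net in self.prefix_table):
                self.bind_table[target] = (src_mac, vlan, port)
                return "bound"
            return "ignored"     # target not derived from an advertised prefix
        return "forwarded"       # other ND traffic is not tracked here

    def permitted(self, ip, mac, vlan):
        """The auto-generated ACL: permit only (IP, MAC, VLAN) triples that
        match a binding entry."""
        entry = self.bind_table.get(ipaddress.IPv6Address(ip))
        return entry is not None and entry[0] == mac and entry[1] == vlan


def demo():
    """Replays Figure 10-2: GE0/0/1 faces the ND server (trusted), GE0/0/2
    faces users. Router and bogus-router MACs are constructed values."""
    sw = NdSnoopingSwitch(trusted_ports={"GE0/0/1"})
    ra = build_ra("3001::", 64, 100000, 100000)
    results = (
        sw.receive("GE0/0/2", 30, "00e0-4c7c-0bad", ra),                  # bogus RA
        sw.receive("GE0/0/1", 30, "0000-5e00-0101", ra),                  # real RA
        sw.receive("GE0/0/2", 30, "00e0-4c7c-af8f",
                   build_ns("3001::e58c:a2e7:aa4c:8e59")),                # DAD NS
        sw.receive("GE0/0/2", 30, "00e0-4c7c-af8f", build_ns("2001:db8::1")),
    )
    return sw, results
```

Calling demo() returns the switch object and the four outcomes in order: the bogus RA on the user port is dropped before it can populate the prefix table, the same RA on the trusted port is learned, the client's DAD NS for an address inside 3001::/64 produces a binding, and an NS for an address outside every learned prefix produces none. Note that the model binds on the first NS it sees, as the page describes; it does not wait for DAD to complete.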

Pre-configuration Tasks

Before configuring ND snooping, complete the following task:

- Configuring the ND server

Data Preparation

To configure ND snooping, you need the following data.

No.  Data
1    Type and number of the interface to be configured as the trusted interface
2    (Optional) Number of detection times for aging ND dynamic binding entries
3    (Optional) Detection interval for aging ND dynamic binding entries

10.3.2 Enabling ND Snooping

After ND snooping is enabled globally, you must also enable ND snooping on an interface or in a VLAN. Otherwise, ND snooping does not take effect.

Context

Before enabling ND snooping on an interface or in a VLAN, you must enable ND snooping globally. By default, ND snooping is disabled globally, on interfaces, and in VLANs.


Procedure

- Configuring ND snooping on an interface

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     dhcp enable

     DHCP is enabled globally.

  3. Run:
     nd snooping enable

     ND snooping is enabled globally.

  4. Run:
     interface interface-type interface-number

     The interface view is displayed.

  5. Run:
     nd snooping enable

     ND snooping is enabled on the interface.

- Configuring ND snooping in a VLAN

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     dhcp enable

     DHCP is enabled globally.

  3. Run:
     nd snooping enable

     ND snooping is enabled globally.

  4. Run:
     vlan vlan-id

     The VLAN view is displayed.

  5. Run:
     nd snooping enable

     ND snooping is enabled in the VLAN.

----End

10.3.3 Configuring an Interface as the Trusted Interface

Generally, the network-side interface of the S2300 is configured as the trusted interface and user-side interfaces of the S2300 are configured as untrusted interfaces.

Context

When RA messages sent from the ND server pass through the trusted interface of the S2300, the S2300 establishes the prefix management table according to the RA messages. The prefix management table saves information about the prefixes advertised to the S2300 in the RA messages. The S2300 discards RA messages received on untrusted interfaces.

Generally, the interface connected to the ND server is configured as the trusted interface and other interfaces are configured as untrusted interfaces.

After ND snooping is enabled on an interface, the interface is an untrusted interface by default.

Procedure

- Configuring the trusted interface in the interface view

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     interface interface-type interface-number

     The interface view is displayed.

  3. Run:
     nd snooping trusted

     The interface is configured as the trusted interface.

- Configuring the trusted interface in the VLAN view

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     vlan vlan-id

     The VLAN view is displayed.

  3. Run:
     nd snooping trusted interface interface-type interface-number

     The interface in the VLAN is configured as the trusted interface.

NOTE
When you run the nd snooping trusted command in the VLAN view, the specified interface must belong to the VLAN. Compared with running nd snooping trusted in the interface view, running it in the VLAN view is more granular: the interface is trusted only for the specified VLAN, not for every VLAN it carries.

----End

10.3.4 (Optional) Configuring the Aging Function of the ND Dynamic Binding Table

Through the aging function, the S2300 can automatically manage the ND dynamic binding table.

Context

After ND snooping is enabled, the S2300 establishes the ND dynamic binding table based on the user information.


When the lease of an ND dynamic binding entry expires and the aging function of the ND dynamic binding table is configured, the S2300 sends NS messages to the user according to the configured number of detection times and detection interval. If the user does not answer with an NA message within the specified number of detection times, the S2300 considers the user offline, deletes the user's ND dynamic binding entry, and no longer forwards packets for that user.

Procedure

Step 1 Run:
       system-view

       The system view is displayed.

Step 2 Run:
       nd user-bind detect enable

       The aging function of the ND dynamic binding table is enabled.

       By default, the aging function of the ND dynamic binding table is disabled.

Step 3 Run:
       nd user-bind detect retransmit retransmit-times interval retransmit-interval

       The detection interval and the number of detection times for aging ND dynamic binding entries are set.

       By default, the detection interval for aging ND dynamic binding entries is 1000 ms and the number of detection times is 2.

----End
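The aging rule has a failure mode in the other direction: a host that is asleep or rate-limiting ND does not answer, is evicted after retransmit × interval milliseconds, and its traffic then no longer matches the ACL until it sends a new NS. The following Python simulation is an added example, not Huawei code: age_entry applies the rule with the S2300 defaults (2 probes, 1000 ms) and returns whether the entry is kept, how many NS probes were sent and how long the decision took; answering_host models a client that starts replying on a given probe. The function names, the host model and SAMPLE_IP's use here are assumptions; the address itself is the one in the page's display output.

```python
import ipaddress
import struct

ICMPV6_NS = 135   # Neighbor Solicitation (the switch's probe)
ICMPV6_NA = 136   # Neighbor Advertisement (the user's answer)

SAMPLE_IP = "3001::e58c:a2e7:aa4c:8e59"   # client address from the page's output


def build_ns(target):
    """Constructed NS body the switch sends to probe a bound address."""
    return struct.pack("!BBHI", ICMPV6_NS, 0, 0, 0) + ipaddress.IPv6Address(target).packed


def build_na(target):
    """Constructed NA body with the Solicited flag set (RFC 4861, section 4.4)."""
    return struct.pack("!BBHI", ICMPV6_NA, 0, 0, 0x40000000) + ipaddress.IPv6Address(target).packed


def answering_host(answer_on_probe):
    """Simulated client: silent for the first answer_on_probe-1 NS probes, then
    answers with an NA for the probed target. answer_on_probe=None never answers."""
    seen = {"n": 0}

    def host(ns):
        seen["n"] += 1
        if answer_on_probe is not None and seen["n"] >= answer_on_probe:
            return build_na(ipaddress.IPv6Address(ns[8:24]))
        return None
    return host


def age_entry(ip, lease_expired, host, retransmit=2, interval_ms=1000):
    """Apply the page's aging rule to one binding entry.
    Returns (keep, probes_sent, elapsed_ms); defaults are the S2300 defaults."""
    if not lease_expired:
        return True, 0, 0                      # entries are probed only after the lease is up
    target = ipaddress.IPv6Address(ip)
    for n in range(1, retransmit + 1):         # probe n is sent at (n-1) * interval
        reply = host(build_ns(target))
        if (reply is not None and reply[0] == ICMPV6_NA
                and ipaddress.IPv6Address(reply[8:24]) == target):
            return True, n, (n - 1) * interval_ms
    # no NA for this target after retransmit probes: user considered offline
    return False, retransmit, retransmit * interval_ms
```

With the defaults, a host that would have answered the third probe is evicted after 2000 ms; raising retransmit to 5 with a 600 ms interval (the values the configuration example uses) keeps it and decides in 1200 ms. An NA for a different target does not count as an answer.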

10.3.5 Checking the Configuration

After configuring ND snooping to improve the security of an IPv6 network, you can view the statistics about ND snooping.

Prerequisite

The configurations of ND snooping are complete.

Procedure

- Run the display nd snooping prefix command to check the prefix management entries of ND users.
- Run the display nd snooping user-bind { all | ipv6-address ipv6-address | mac-address mac-address | interface interface-type interface-number | vlan vlan-id | vlan vlan-id interface interface-type interface-number } command to check ND dynamic binding entries.
- Run the display this command in the system view to check the configuration of ND snooping. The output shows whether ND snooping is enabled and the settings of the aging function of the ND dynamic binding table.

----End


Example

After the configuration is successful, you can run the display nd snooping prefix command to view the prefix management table of ND users.

<Quidway> display nd snooping prefix
prefix-table:
Prefix                                   Length  Valid-Time  Preferred-Time
--------------------------------------------------------------------------------
3001::                                   64      100000      100000
--------------------------------------------------------------------------------
Prefix table total count: 1

Run the display nd snooping user-bind all command to view the ND dynamic binding table.

<Quidway> display nd snooping user-bind all
ND Dynamic Bind-table:
Flags: O - outer vlan, I - inner vlan, P - map vlan
IP Address                 MAC Address      VSI/VLAN(O/I/P)  Lease
--------------------------------------------------------------------------------
3001::E58C:A2E7:AA4C:8E59  00e0-4c7c-af8f   30 /-- /--       2011.05.06-20:09
--------------------------------------------------------------------------------
print count: 1   total count: 1

Run the display this command in the system view to view the configuration of ND snooping.

[Quidway] display this
 nd snooping enable
 nd user-bind detect enable
 nd user-bind detect retransmit 10 interval 1000

10.4 Maintaining ND Snooping

This section describes how to reset the prefix management table and the ND dynamic binding table.

10.4.1 Clearing the Prefix Management Table
10.4.2 Resetting the ND Dynamic Binding Table

10.4.1 Clearing the Prefix Management Table

You can manually delete prefix management entries on the S2300.

Context

The ND server sends RA messages periodically to request that clients update their prefixes. As the access device of the clients, the S2300 maintains the prefix information and updates and ages it.

Generally, you are advised not to delete prefix management entries manually. You need to do so only if both of the following conditions are met:

- The user address lease has not expired, so the prefix management entries cannot age automatically.
- It is confirmed that the user no longer connects to the network through the S2300.


To manually delete prefix management entries, run the following command in the user view or in the system view.

Procedure

- Run the reset nd snooping prefix [ ipv6-address/prefix-length ] command to reset the prefix management table.

----End

10.4.2 Resetting the ND Dynamic Binding Table

You can manually delete ND dynamic binding entries on the S2300.

Context

You need to manually delete ND dynamic binding entries if the following conditions are met:

- The ND dynamic binding entries have not reached the aging time, so they cannot age automatically.
- It is confirmed that the user no longer connects to the network through the S2300.
- The user VLAN or interface information changes.

NOTE
After the networking environment changes, ND dynamic binding entries do not age immediately. However, the following information in ND dynamic binding entries may change, causing packet forwarding failure:
- VLAN ID in packets
- Interface information
Before changing the networking environment, clear all ND dynamic binding entries manually so that the device generates a new ND dynamic binding table according to the new networking environment.

To manually delete ND dynamic binding entries, run the following command in the user view or in the system view.

Procedure

- Run the reset nd snooping user-bind [ interface interface-type interface-number | ipv6-address ipv6-address | mac-address mac-address | vlan vlan-id ] command to reset the ND dynamic binding table.

----End

10.5 Configuration Examples

This section provides a configuration example of ND snooping.

10.5.1 Example for Configuring ND Snooping on a Layer 2 Network

This section describes the procedure for configuring ND snooping, including the configuration of the trusted interface and the ND dynamic binding table.


Networking Requirements

As shown in Figure 10-2, the Switch is deployed in the Layer 2 network between the user network and the ND server. To protect the Switch against attacks from a bogus ND server, ND snooping must be configured on the Switch, and the network-side interface (the one facing the carrier network and the ND server) must be configured as the trusted interface. By maintaining the prefix management table and the ND dynamic binding table, the Switch ensures that authorized users can access the network and prevents unauthorized users from attacking network devices and authorized users.

Figure 10-2 Networking diagram for configuring ND snooping on a Layer 2 network

[Figure 10-2: User network -- GE0/0/2 -- Switch -- GE0/0/1 -- L2 network -- L3 network -- Router (ND Server)]

Configuration Roadmap

The configuration roadmap is as follows (assume that the ND server is configured):

1. Enable ND snooping in the system view and interface view.
2. Configure the interface connected to the ND server as the trusted interface.
3. Configure the aging function of the ND dynamic binding table.

Data Preparation

To complete the configuration, you need the following data:

- Interfaces in trusted or untrusted mode: GE 0/0/1 in trusted mode and GE 0/0/2 in untrusted mode
- Detection interval for aging ND dynamic binding entries
- Number of detection times for aging ND dynamic binding entries

Procedure

Step 1 Configure ND snooping.

# Enable ND snooping globally.

<Quidway> system-view
[Quidway] dhcp enable
[Quidway] nd snooping enable


# Enable ND snooping on the user-side interface.

[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] nd snooping enable
[Quidway-GigabitEthernet0/0/2] quit

After ND snooping is enabled on GE 0/0/2, the interface is an untrusted interface by default.

Step 2 Enable ND snooping on GE 0/0/1 and configure it as the trusted interface.

[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] nd snooping enable
[Quidway-GigabitEthernet0/0/1] nd snooping trusted
[Quidway-GigabitEthernet0/0/1] quit

Step 3 Configure the aging function of the ND dynamic binding table.

# Enable the aging function and set the detection interval and the number of detection times for aging ND dynamic binding entries.

[Quidway] nd user-bind detect enable
[Quidway] nd user-bind detect retransmit 5 interval 600

Step 4 Verify the configuration.

Run the display this command in the system view to check that ND snooping and the aging function are enabled globally.

[Quidway] display this
 nd snooping enable
 nd user-bind detect enable
 nd user-bind detect retransmit 5 interval 600

Run the display nd snooping prefix command to view the prefix management table of ND users.

<Quidway> display nd snooping prefix
prefix-table:
Prefix                                   Length  Valid-Time  Preferred-Time
--------------------------------------------------------------------------------
2001::                                   64      600         600
Info: Prefix table total count:1

Run the display nd snooping user-bind all command to view the ND dynamic binding table.

<Quidway> display nd snooping user-bind all
ND Dynamic Bind-table:
Flags: O - outer vlan, I - inner vlan, P - map vlan
IP Address                 MAC Address      VSI/VLAN(O/I/P)  Lease
--------------------------------------------------------------------------------
3001::E58C:A2E7:AA4C:8E59  00e0-4c7c-af8f   30 /-- /--       2011.05.06-20:09
3001::E58C:A2E7:AA4C:8D54  00e0-4c7c-afae   30 /-- /--       2011.05.06-20:09
--------------------------------------------------------------------------------
Dynamic binditem count: 2   Dynamic binditem total count: 2

----End

Configuration Files

#
 dhcp enable
#
 nd snooping enable
#
 nd user-bind detect enable
 nd user-bind detect retransmit 5 interval 600
#
interface GigabitEthernet0/0/1
 nd snooping enable
 nd snooping trusted
#
interface GigabitEthernet0/0/2
 nd snooping enable
#
return
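A quick way to catch the two mistakes this chapter warns about (ND snooping enabled globally but not on the user port, so it silently does nothing there, or the trust flag on the user side, so a bogus RA is accepted) is to audit the saved configuration before it goes live. The following Python script is an added example, not a Huawei tool: parse_config splits a VRP-style configuration file into system-view commands and per-interface or per-VLAN command lists, and audit reports ND snooping findings for a given set of user-facing ports. GOOD_CONFIG is the configuration file shown above; BAD_CONFIG is a constructed counter-example; the function names, finding texts and the exact-match treatment of VLAN-view trusted commands are assumptions.

```python
# Constructed sample: the configuration file this example ends with.
GOOD_CONFIG = """\
#
 dhcp enable
#
 nd snooping enable
#
 nd user-bind detect enable
 nd user-bind detect retransmit 5 interval 600
#
interface GigabitEthernet0/0/1
 nd snooping enable
 nd snooping trusted
#
interface GigabitEthernet0/0/2
 nd snooping enable
#
return
"""

# Constructed negative case: snooping not enabled on the user port, the trust
# flag on the user-side port, and no aging of the binding table.
BAD_CONFIG = """\
#
 dhcp enable
#
 nd snooping enable
#
interface GigabitEthernet0/0/1
 nd snooping enable
#
interface GigabitEthernet0/0/2
 nd snooping trusted
#
return
"""


def parse_config(text):
    """Split a VRP-style configuration into system-view commands and a dict of
    view name -> commands. '#' separates blocks; a block opened by
    'interface ...' or 'vlan ...' is a view, everything else is system view."""
    system, views = [], {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#" or line == "return":
            current = None
            continue
        if line.startswith(("interface ", "vlan ")):
            current = line
            views.setdefault(current, [])
            continue
        (views[current] if current else system).append(line)
    return system, views


def audit(text, user_ports):
    """Return a list of findings for the ND snooping configuration in text.
    user_ports are interface names (as written in the config) that face users
    and therefore must be snooped and untrusted."""
    system, views = parse_config(text)
    findings = []
    if "nd snooping enable" not in system:
        findings.append("nd snooping enable missing in system view: nothing is snooped")
    if "dhcp enable" not in system:
        findings.append("dhcp enable missing: the procedure requires it before nd snooping enable")
    trusted = [v for v, cmds in views.items()
               if any(c.startswith("nd snooping trusted") for c in cmds)]
    if not trusted:
        findings.append("no trusted interface: RAs from the ND server are discarded, no prefix is learned")
    for port in user_ports:
        cmds = views.get("interface " + port, [])
        if "nd snooping enable" not in cmds:
            findings.append(f"{port}: nd snooping enable missing, snooping does not take effect on this port")
        if "nd snooping trusted" in cmds:
            findings.append(f"{port}: user-side port is trusted, a bogus RA here would be accepted")
        for view, vcmds in views.items():
            if view.startswith("vlan ") and f"nd snooping trusted interface {port}" in vcmds:
                findings.append(f"{port}: user-side port is trusted in {view}, a bogus RA here would be accepted")
    if "nd user-bind detect enable" not in system:
        findings.append("nd user-bind detect enable missing: stale binding entries are never aged out")
    return findings
```

audit(GOOD_CONFIG, ["GigabitEthernet0/0/2"]) returns no findings; audit(BAD_CONFIG, ["GigabitEthernet0/0/2"]) reports the missing interface-level enable, the trusted user port and the disabled aging function. The check on dhcp enable is there only because this chapter's procedure runs it before nd snooping enable; the page does not say why.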
