
Quidway NetEngine80E/40E Core Router V300R003

Configuration Guide - Security

Issue: 03
Date: 2008-09-22
Part Number: 00399155

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service. For any assistance, please contact our local office or company headquarters.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com

Copyright Huawei Technologies Co., Ltd. 2008. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions


The Huawei logo and other Huawei trademarks are the property of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but the statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Contents
About This Document

1 AAA and User Management Configurations
  1.1 Overview
    1.1.1 Introduction to AAA and User Management
    1.1.2 AAA and User Management Supported by the NE80E/40E
  1.2 Configuring Local User Management
    1.2.1 Establishing the Configuration Task
    1.2.2 Creating a Local User Account
    1.2.3 Configuring the Type of the Service That the Local User Accesses
    1.2.4 Configuring the Local User Authority of Accessing the FTP Directory
    1.2.5 Configuring Local User Status
    1.2.6 Configuring the Local User Level
    1.2.7 Setting the Maximum Number of Access Users with the Same User Name
    1.2.8 Cutting Off Online Users Forcibly
    1.2.9 Checking the Configuration
  1.3 Configuring AAA Schemes
    1.3.1 Establishing the Configuration Task
    1.3.2 Configuring the Authentication Scheme
    1.3.3 (Optional) Configuring the Authorization Scheme
    1.3.4 Configuring the Accounting Scheme
    1.3.5 (Optional) Configuring the Recording Scheme
    1.3.6 Allocating IP Addresses to Users
    1.3.7 Checking the Configuration
  1.4 Configuring Server Templates
    1.4.1 Establishing the Configuration Task
    1.4.2 Configuring the RADIUS Server Template
    1.4.3 (Optional) Configuring the HWTACACS Server Template
    1.4.4 Checking the Configuration
  1.5 Configuring Domains
    1.5.1 Establishing the Configuration Task
    1.5.2 Creating a Domain
    1.5.3 Configuring the Authentication, Authorization and Accounting Schemes of the Domain
    1.5.4 Configuring the RADIUS Server Template
    1.5.5 Configuring the HWTACACS Server Template
    1.5.6 Configuring the Address-related Attributes of the Domain
    1.5.7 Configuring the Domain State
    1.5.8 Configuring the Maximum of Access Users Allowed by the Domain
    1.5.9 Configuring the Idle-Cut Parameters for a Domain
    1.5.10 Configuring the Idle-Cut Function for a Local User
    1.5.11 Checking the Configuration
  1.6 Maintaining
    1.6.1 Clearing the Statistics
    1.6.2 Debugging AAA and User Management
  1.7 Configuration Examples
    1.7.1 Example for Configuring the RADIUS Authentication and Accounting
    1.7.2 Example for Configuring the Local Authentication and HWTACACS Authentication, Authorization and Real-time Accounting

2 L2 Limit Configuration
  2.1 Overview
    2.1.1 Overview of L2 Limit
    2.1.2 L2 Limit Features Supported by the NE80E/40E
  2.2 Configuring MAC Address Learning Limit
    2.2.1 Establishing the Configuration Task
    2.2.2 Configuring the Rules of MAC Address Learning Limit Based on a VLAN
    2.2.3 Configuring the Rules of MAC Address Learning Limit Based on a VSI
    2.2.4 Configuring the Rules of MAC Address Learning Limit Based on an SI
    2.2.5 Configuring the Rules of MAC Address Learning Limit Based on a Port
    2.2.6 Configuring the Rules of MAC Address Learning Limit Based on a Port in a VLAN
    2.2.7 Configuring the Rules of MAC Address Learning Limit Based on a Sub-interface
    2.2.8 Configuring the Rules of MAC Address Learning Limit Based on a QinQ Sub-interface
    2.2.9 Checking the Configuration
  2.3 Deleting Dynamic MAC Entries
    2.3.1 Establishing the Configuration Task
    2.3.2 Deleting the Dynamic MAC Entries Based on a VLAN
    2.3.3 Deleting the Dynamic MAC Entries Based on a VSI
    2.3.4 Deleting the Dynamic MAC Entries Based on a Port
    2.3.5 Deleting the Dynamic MAC Entries Based on a Port in a VLAN
    2.3.6 Deleting the Dynamic MAC Entries Based on a Port in a VSI
  2.4 Configuring Unknown Traffic Suppression
    2.4.1 Establishing the Configuration Task
    2.4.2 Configuring Unknown Traffic Suppression Based on a Port
    2.4.3 Configuring Unknown Traffic Suppression Based on a Sub-interface
    2.4.4 Configuring Unknown Traffic Suppression Based on a QinQ Sub-interface
    2.4.5 Configuring Unknown Traffic Suppression Based on a Port in a VLAN
  2.5 Configuration Examples
    2.5.1 Example for Configuring MAC Address Learning Limit
    2.5.2 Example for Configuring Unknown Traffic Suppression Based on a Port in a VLAN

3 ARP Security Configuration
  3.1 Overview
    3.1.1 Introduction to ARP Security
    3.1.2 ARP Security Supported by the NE80E/40E
  3.2 Preventing Attacks on ARP Entries
    3.2.1 Establishing the Configuration Task
    3.2.2 Configuring Global Strict ARP Entry Learning
    3.2.3 Configuring Strict ARP Entry Learning on Interfaces
    3.2.4 Checking the Destination IP Addresses of ARP Packets
    3.2.5 Configuring Speed Limit for ARP Packets
    3.2.6 Configuring Interface-based ARP Entry Restriction
    3.2.7 Enabling Alarm Functions for Potential Attack Behaviors
    3.2.8 Checking the Configuration
  3.3 Preventing Scanning Attacks
    3.3.1 Establishing the Configuration Task
    3.3.2 Configuring Speed Limit for ARP Miss Packets
    3.3.3 Enabling Alarm Functions for Potential Attack Behaviors
    3.3.4 Checking the Configuration
  3.4 Configuring ARP Bidirectional Isolation, Filter ARP Packets and ARP VLAN CAR
    3.4.1 Establishing the Configuration Task
    3.4.2 Enabling ARP Bidirectional Isolation
    3.4.3 Filtering ARP Packets
    3.4.4 Configuring ARP VLAN CAR
    3.4.5 Checking the Configuration
  3.5 Maintaining
    3.5.1 Displaying Statistics About ARP Packets
    3.5.2 Clearing Statistics About ARP Packets
    3.5.3 Debugging ARP Packets
  3.6 Configuration Examples
    3.6.1 Example for Preventing Attacks on ARP Entries
    3.6.2 Example for Preventing Attacks on ARP Entries and Scanning Attacks
    3.6.3 Example for Configuring ARP Bidirectional Isolation, ARP Filter Packets and VLAN CAR

4 DHCP Snooping Configuration
  4.1 Overview
    4.1.1 Introduction to DHCP Snooping
    4.1.2 DHCP Snooping Supported by the NE80E/40E
  4.2 Configuring Defense on the Layer 2 Device Against Attacks by Bogus DHCP Server
    4.2.1 Establishing the Configuration Task
    4.2.2 Enabling DHCP Snooping
    4.2.3 Configuring Trusted/Untrusted Interfaces
    4.2.4 Checking the Configuration
  4.3 Configuring Defense on the Layer 3 Device Against Attacks by Bogus DHCP Server
    4.3.1 Establishing the Configuration Task
    4.3.2 Enabling DHCP Snooping on the DHCP Relay
    4.3.3 Setting Trusted or Untrusted Interfaces
    4.3.4 Checking the Configuration
  4.4 Configuring Defense on the Layer 2 Device Against Attacks by IP/MAC Spoofing
    4.4.1 Establishing the Configuration Task
    4.4.2 Enabling DHCP Snooping
    4.4.3 Enabling Checking Packets
    4.4.4 Configuring the DHCP Snooping Binding Table
    4.4.5 Configuring Option 82
    4.4.6 Checking the Configuration
  4.5 Configuring Defense on the Layer 3 Device Against Attacks by IP/MAC Spoofing
    4.5.1 Establishing the Configuration Task
    4.5.2 Enabling DHCP Snooping on the DHCP Relay
    4.5.3 Enabling Packet Check on the Interface
    4.5.4 Configuring the DHCP Snooping Binding Table
    4.5.5 Enabling ARP and DHCP Association
    4.5.6 Configuring Option 82
    4.5.7 Checking the Configuration
  4.6 Configuring Defense on the Layer 2 Device Against Attacks by Changing CHADDRs
    4.6.1 Establishing the Configuration Task
    4.6.2 Enabling DHCP Snooping
    4.6.3 Enabling Checking CHADDRs in Packets
    4.6.4 Checking the Configuration
  4.7 Configuring Defense on the Layer 3 Device Against Attacks by Changing CHADDRs
    4.7.1 Establishing the Configuration Task
    4.7.2 Enabling DHCP Snooping on the DHCP Relay
    4.7.3 Enabling Checking CHADDRs of Packets
    4.7.4 Checking the Configuration
  4.8 Configuring Defense on the Layer 2 Device Against Attacks by Sending Bogus Messages for Extending IP Leases
    4.8.1 Establishing the Configuration Task
    4.8.2 Enabling DHCP Snooping
    4.8.3 Enabling Checking DHCP Request Messages
    4.8.4 Configuring the DHCP Snooping Binding Table
    4.8.5 Configuring Option 82
    4.8.6 Checking the Configuration
  4.9 Configuring Defense on the Layer 3 Device Against Attacks by Sending Bogus Messages for Extending IP Leases
    4.9.1 Establishing the Configuration Task
    4.9.2 Enabling DHCP Snooping on the DHCP Relay
    4.9.3 Enabling Checking DHCP Request Messages
    4.9.4 Configuring the DHCP Snooping Binding Table
    4.9.5 Enabling ARP and DHCP Association
    4.9.6 Configuring Option 82
    4.9.7 Checking the Configuration
  4.10 Configuring Defense on the Device Against Attacks by Sending DHCP Request Messages
    4.10.1 Establishing the Configuration Task
    4.10.2 Enabling DHCP Snooping
    4.10.3 Checking the Configuration
  4.11 Configuring Alarms for Packet Discarding
    4.11.1 Establishing the Configuration Task
    4.11.2 Configuring Alarms for Packet Discarding Globally
    4.11.3 Configuring Alarms for Packet Discarding on an Interface
    4.11.4 Configuring Alarms for Packet Discarding on a VLAN
    4.11.5 Checking the Configuration
  4.12 Maintaining
    4.12.1 Resetting DHCP Snooping Binding Table
    4.12.2 Debugging DHCP Snooping
  4.13 Configuration Examples
    4.13.1 Example for Preventing the Bogus DHCP Server Attack
    4.13.2 Example for Preventing the Middleman and IP/MAC Spoofing Attacks
    4.13.3 Example for Preventing the Attacker from Changing CHADDR
    4.13.4 Example for Preventing the Attacker from Sending Bogus Messages for Extending Lease
    4.13.5 Example for Configuring DHCP Snooping on a Layer 2 Device
    4.13.6 Example for Configuring DHCP Snooping on a Layer 3 Interface

5 URPF Configuration
  5.1 Overview
    5.1.1 Introduction to URPF
    5.1.2 URPF Supported by the NE80E/40E
  5.2 Configuring URPF
    5.2.1 Establishing the Configuration Task
    5.2.2 Configuring Interface-based URPF
    5.2.3 Configuring Flow-based URPF
  5.3 Example for Configuring URPF

6 Local Attack Defense Configuration
  6.1 Overview
    6.1.1 Overview of Local Attack Defense
    6.1.2 Local Attack Defense Features Supported by the NE80E/40E
  6.2 Configuring the Rules for Filtering the Packets to Be Sent to the CPU
    6.2.1 Establishing the Configuration Task
    6.2.2 Creating the Attack Defense Policy
    6.2.3 Creating the User-Defined Whitelist
    6.2.4 Creating the User-Defined Blacklist
    6.2.5 Configuring the User-Defined Flow
    6.2.6 Setting the Processing Priority
    6.2.7 Applying the Attack Defense Policy
    6.2.8 Checking the Configuration
  6.3 Configuring the Rules for Sending the Packets to the CPU
    6.3.1 Establishing the Configuration Task
    6.3.2 Creating the Attack Defense Policy
    6.3.3 Configuring CAR
    6.3.4 Applying the Attack Defense Policy
    6.3.5 Checking the Configuration
  6.4 Configuring Queue Scheduling for the Packets to Be Sent to the CPU
    6.4.1 Establishing the Configuration Task
    6.4.2 Creating the Attack Defense Policy
    6.4.3 Setting the Priority for Queue Scheduling
    6.4.4 Setting the Total Rate of Sending the Packets to the CPU
    6.4.5 Setting the Rate Threshold for Packet Discarding
    6.4.6 Applying the Attack Defense Policy
    6.4.7 Checking the Configuration
  6.5 Maintaining Local Attack Defense
    6.5.1 Clearing the Statistics on Local Attack Defense
  6.6 Configuration Example
    6.6.1 Example for Configuring Local Attack Defense

7 Mirroring Configuration...........................................................................................................7-1
7.1 Overview ....... 7-2
7.1.1 Overview of Mirroring ....... 7-2
7.1.2 Mirroring Supported by the NE80E/40E ....... 7-3
7.2 Configuring Port Mirroring ....... 7-3
7.2.1 Establishing the Configuration Task ....... 7-4
7.2.2 Specifying the Observing Port ....... 7-4
7.2.3 Configuring the Observing Port to Observe All the Mirroring Ports on an LPU ....... 7-5
7.2.4 Configuring Port Mirroring ....... 7-5
7.2.5 Checking the Configuration ....... 7-6
7.3 Configuring Flow Mirroring ....... 7-6
7.3.1 Establishing the Configuration Task ....... 7-7
7.3.2 Configuring the Observing Port ....... 7-7
7.3.3 Configuring the Observing Port to Observe All the Mirroring Ports on an LPU ....... 7-8
7.3.4 Defining a Traffic Class ....... 7-8
7.3.5 Setting the Traffic Behavior and Enabling Flow Mirroring ....... 7-9
7.3.6 Defining the Traffic Policy and Associating the Traffic Class with the Traffic Behavior ....... 7-10
7.3.7 Applying the Traffic Policy ....... 7-10
7.3.8 Checking the Configuration ....... 7-11


7.4 Configuration Examples ....... 7-12
7.4.1 Example for Configuring Port Mirroring ....... 7-12
7.4.2 Example for Configuring Flow Mirroring ....... 7-15

8 Lawful Interception Configuration........................................................................................8-1


8.1 Overview ....... 8-2
8.1.1 Overview of Lawful Interception ....... 8-2
8.1.2 Lawful Interception Supported by the NE80E/40E ....... 8-4
8.2 Configuring Lawful Interception ....... 8-7
8.2.1 Establishing the Configuration Task ....... 8-7
8.2.2 Specifying the SPUC Board for Lawful Interception ....... 8-8
8.2.3 Configuring the IP Address of the X3 Interface ....... 8-8
8.2.4 Configuring the X3 Interface ....... 8-8
8.2.5 Enabling Lawful Interception ....... 8-9
8.2.6 Checking the Configuration ....... 8-10
8.3 Configuration Example ....... 8-10
8.3.1 Example for Configuring Lawful Interception ....... 8-10

A Attributes List of RADIUS and HWTACACS...................................................................A-1


A.1 RADIUS Attribute ....... A-2
A.1.1 Standard RADIUS Attribute ....... A-2
A.1.2 Huawei RADIUS Attribute ....... A-5
A.2 HWTACACS Attribute ....... A-9

B Glossary ....... B-1
C Acronyms and Abbreviations ....... C-1
Index ....... i-1


Figures
Figure 1-1 Networking diagram of RADIUS authentication and accounting ....... 1-37
Figure 1-2 Networking diagram of local authentication and HWTACACS authentication, authorization and accounting ....... 1-39
Figure 2-1 Networking diagram for configuring MAC address learning limit ....... 2-20
Figure 2-2 Networking diagram for configuring unknown traffic suppression ....... 2-22
Figure 3-1 Networking diagram of preventing attacks on ARP entries ....... 3-18
Figure 3-2 Network diagram of preventing attacks on ARP entries and scanning attacks ....... 3-20
Figure 3-3 Configuring ARP Bidirectional Isolation, ARP filter packets and VLAN CAR ....... 3-22
Figure 4-1 Networking diagram of DHCP snooping application on a switch ....... 4-3
Figure 4-2 DHCP snooping application on a router ....... 4-4
Figure 4-3 Networking diagram of preventing the bogus DHCP server attack ....... 4-45
Figure 4-4 Networking diagram of preventing the middleman attack and the IP/MAC spoofing attack ....... 4-47
Figure 4-5 Networking diagram of preventing the attacker from changing CHADDR ....... 4-50
Figure 4-6 Networking diagram of preventing the attacker from sending bogus DHCP request messages for extending IP leases ....... 4-52
Figure 4-7 Networking diagram of configuring DHCP snooping on a Layer 2 interface ....... 4-54
Figure 4-8 Networking diagram of configuring DHCP snooping on a Layer 3 device ....... 4-60
Figure 5-1 Schematic diagram of the source address spoofing attack ....... 5-2
Figure 5-2 URPF applied on a single-homed client ....... 5-2
Figure 5-3 Application environment of the URPF multi-homed client ....... 5-3
Figure 5-4 Applicable environment of multi-homed client and multi-ISPs ....... 5-3
Figure 5-5 Networking diagram of configuring URPF ....... 5-7
Figure 6-1 Process of local attack defense ....... 6-4
Figure 6-2 Networking diagram of configuring local attack defense ....... 6-19
Figure 7-1 Typical networking of mirroring ....... 7-2
Figure 7-2 Networking diagram of port mirroring ....... 7-13
Figure 7-3 Networking diagram of flow mirroring ....... 7-15
Figure 8-1 Scenario for lawful interception ....... 8-2
Figure 8-2 Process of lawful interception supported by the NE80E/40E ....... 8-6
Figure 8-3 Networking of lawful interception ....... 8-10


Tables
Table 4-1 Attack types and DHCP snooping working modes ....... 4-4
Table 8-1 Description of interfaces for lawful interception ....... 8-4


About This Document


Purpose
This document introduces the AAA and user management, L2 limit, ARP security, DHCP snooping, URPF, local attack defense, mirroring, and lawful interception functions supported by the NE80E/40E; describes the principles, configurations, and applications of these functions; and introduces the security defense policies supported by the NE80E/40E.

Related Versions
The following table lists the product versions related to this document.

Product Name: Quidway NetEngine80E/40E Router
Version: V300R003

Intended Audience
This document is intended for:
- Commissioning engineer
- Data configuration engineer
- Network monitoring engineer
- System maintenance engineer

Organization
This document is organized as follows.

Chapter 1 AAA and User Management Configurations: This chapter introduces Authentication, Authorization and Accounting (AAA) security services including RADIUS, HWTACACS, domain-based user management, local user management and their configuration steps, along with typical examples.
2 L2 Limit Configuration: This chapter describes the MAC address limit and unknown traffic suppression. It also describes the configuration steps, along with typical examples.
3 ARP Security Configuration: This chapter describes the types of security that the NE80E/40E supports, and it also describes the configuration and applications of ARP Security, along with typical examples.
4 DHCP Snooping Configuration: This chapter describes the configuration and applications of DHCP snooping, along with typical examples.
5 URPF Configuration: This chapter describes concepts and configuration steps of URPF (see 5.3 Example for Configuring URPF).
6 Local Attack Defense Configuration: This chapter describes the principle, configuration, and application of Local Attack Defense.
7 Mirroring Configuration: This chapter describes the mirroring configuration based on port and traffic classifier, along with typical examples.
8 Lawful Interception Configuration: This chapter describes the configuration of Lawful Interception.
A Attributes List of RADIUS and HWTACACS: This appendix covers the attributes of RADIUS and HWTACACS.
B Glossary: This appendix collates frequently used glossaries in this document.
C Acronyms and Abbreviations: This appendix collates frequently used acronyms and abbreviations in this document.
Index: This chapter collates important keywords used in this manual to help the reader to access the required information quickly.

Conventions
Symbol Conventions
The symbols that may be found in this document are defined as follows.


Symbol: Description
- Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
- Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.
- Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
- Indicates a tip that may help you solve a problem or save time.
- Provides additional information to emphasize or supplement important points of the main text.

General Conventions
The general conventions that may be found in this document are defined as follows.

Convention: Description
- Times New Roman: Normal paragraphs are in Times New Roman.
- Boldface: Names of files, directories, folders, and users are in boldface. For example, log in as user root.
- Italic: Book titles are in italics.
- Courier New: Examples of information displayed on the screen are in Courier New.

Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention: Description
- Boldface: The keywords of a command line are in boldface.
- Italic: Command arguments are in italics.
- [ ]: Items (keywords or arguments) in brackets [ ] are optional.
- { x | y | ... }: Optional items are grouped in braces and separated by vertical bars. One item is selected.
- [ x | y | ... ]: Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
- { x | y | ... }*: Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
- [ x | y | ... ]*: Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
- &<1-n>: The parameter before the & sign can be repeated 1 to n times.
- #: A line starting with the # sign is a comment.

GUI Conventions
The GUI conventions that may be found in this document are defined as follows.

Convention: Description
- Boldface: Buttons, menus, parameters, tabs, window, and dialog titles are in boldface. For example, click OK.
- >: Multi-level menus are in boldface and separated by the ">" signs. For example, choose File > Create > Folder.

Keyboard Operations
The keyboard operations that may be found in this document are defined as follows.

Format: Description
- Key: Press the key. For example, press Enter and press Tab.
- Key 1+Key 2: Press the keys concurrently. For example, pressing Ctrl+Alt+A means the three keys should be pressed concurrently.
- Key 1, Key 2: Press the keys in turn. For example, pressing Alt, A means the two keys should be pressed in turn.

Mouse Operations
The mouse operations that may be found in this document are defined as follows.

Action: Description
- Click: Select and release the primary mouse button without moving the pointer.
- Double-click: Press the primary mouse button twice continuously and quickly without moving the pointer.
- Drag: Press and hold the primary mouse button and move the pointer to a certain position.

Update History
Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.

Updates in Issue 03 (2008-09-22)


This document is the third commercial release.

Updates in Issue 02 (2008-05-08)


Second commercial release. The second commercial release has the following updates:
- 01-01 AAA & User Management Configurations: The idle-cut time configured in the AAA domain view is modified to be enabled by default.
- 01-02 L2 Limit Configuration: The parameter of unknown traffic suppression is described in more detail.
- 01-03 ARP Security Configuration: ARP packet filtering and ARP VLAN CAR are added on the QinQ termination sub-interface.
- 01-08 Lawful Interception Configuration: Specifying a SPUC for lawful interception is required and the configuration guide is optimized.

Updates in Issue 01 (2008-02-22)


Initial commercial release.

1 AAA and User Management Configurations

About This Chapter


This chapter describes Authentication, Authorization and Accounting (AAA) security services including RADIUS, HWTACACS, domain-based user management, PVC and VLAN local user management and their configuration steps, along with typical examples.

1.1 Overview
This section describes the principle and concepts of AAA and user management.
1.2 Configuring Local User Management
This section describes how to manage local users.
1.3 Configuring AAA Schemes
This section describes how to configure various attributes of AAA.
1.4 Configuring Server Templates
This section describes how to configure a RADIUS server template.
1.5 Configuring Domains
This section describes how to configure a domain.
1.6 Maintaining
This section describes how to reset the statistics and debug RADIUS or HWTACACS.
1.7 Configuration Examples
This section provides two configuration examples of AAA and user management.


1.1 Overview
This section describes the principle and concepts of AAA and user management.
1.1.1 Introduction to AAA and User Management
1.1.2 AAA and User Management Supported by the NE80E/40E

1.1.1 Introduction to AAA and User Management


Authentication, Authorization and Accounting (AAA) are three types of security services.
- Authentication: determines the users who can access the network.
- Authorization: authorizes the user to use some services.
- Accounting: records the network resource utilization of the user.

AAA adopts the Server/Client model. In this model, the client runs on the administrated resource side and the server stores the user information. This model has good extensibility and is convenient for concentrated management over user information.

AAA supports three kinds of authentication modes: non-authentication, local authentication, and remote authentication. The remote authentication mode supports two protocols: Remote Authentication Dial In User Service (RADIUS) and HuaWei Terminal Access Controller Access Control System (HWTACACS).

AAA supports four kinds of authorization modes: direct authorization, local authorization, HWTACACS authorization, and if-authenticated authorization.

AAA supports four kinds of accounting modes: non-accounting, remote accounting.

Domain-based User Management


The NAS can manage users in two ways.
- Managing users based on domains: Configurations such as the default authorization, RADIUS or HWTACACS template, and the authentication and accounting can be performed in a domain.
- Managing users by user accounts.

In current AAA implementations, users are categorized into different domains. The domain to which a user belongs depends on the character string that follows the "@" of a user name. For example, the user "user@hua" belongs to the domain "hua". If there is no "@" in the user name, the user belongs to the domain "default". Besides the default domain, AAA users can create up to 254 domains.

All the AAA users are configured in the domain view through the application of an authentication scheme, an authorization scheme, and an accounting scheme. The corresponding modes are preconfigured respectively in the AAA view. AAA, by default, adopts local authentication, local authorization, and no accounting. If a domain is created and no schemes are applied in the domain, AAA adopts the default schemes for this domain. If a domain and a user within the domain are configured with the same attributes at the same time, the user-based configuration takes precedence over the domain-based configuration.

The authorization precedence configured within a domain is lower than that configured on an AAA server. In other words, the authorization attribute of the AAA server is used first. The domain authorization attribute is valid only when the AAA server does not have this authorization or does not support this authorization. In this way, you can add services flexibly when using domains regardless of the attribute limitations of the AAA server.
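The following Python model is added for this page and is not Huawei's code. It turns the rules above into checkable functions: the domain derived from the user name, the AAA default schemes for a domain with none applied, the 254-domain limit, and the two precedence rules (user over domain, AAA server over domain). The class and function names and the idle-cut attribute values are assumptions made for the illustration.

```python
"""Toy model of the domain-based user management rules described above.
Added illustration, not NE80E/40E code: names such as AaaModel,
split_user_name and resolve_authorization are invented here."""

from dataclasses import dataclass, field

# Besides "default", AAA users can create up to 254 domains.
MAX_USER_DOMAINS = 254

# Schemes AAA adopts by default when a domain applies none of its own.
DEFAULT_SCHEMES = {
    "authentication": "local",
    "authorization": "local",
    "accounting": "none",
}


def split_user_name(full_name):
    """Return (user, domain) for an AAA user name.

    The string after '@' names the domain; without '@' the user belongs
    to the domain "default" (the page shows "user@hua" -> domain "hua").
    Assumption: the first '@' is the separator.
    """
    user, sep, domain = full_name.partition("@")
    if not sep:
        return full_name, "default"
    return user, domain


@dataclass
class Domain:
    name: str
    # scheme kind -> scheme applied in the domain view (empty = AAA defaults)
    schemes: dict = field(default_factory=dict)
    # default authorization attributes configured in the domain
    attributes: dict = field(default_factory=dict)


class AaaModel:
    def __init__(self):
        self.domains = {"default": Domain("default")}
        # "user@domain" -> attributes configured on that local user
        self.users = {}

    def create_domain(self, name):
        """Create a domain, enforcing the 254-domain limit (default excluded)."""
        if name in self.domains:
            return self.domains[name]
        if len(self.domains) - 1 >= MAX_USER_DOMAINS:
            raise ValueError("domain limit of %d reached" % MAX_USER_DOMAINS)
        self.domains[name] = Domain(name)
        return self.domains[name]

    def add_user(self, full_name, **attributes):
        """Configure user-based attributes; the user's domain must exist."""
        user, domain = split_user_name(full_name)
        if domain not in self.domains:
            raise KeyError("domain %r does not exist" % domain)
        self.users["%s@%s" % (user, domain)] = dict(attributes)

    def scheme_for(self, full_name, kind):
        """Scheme a user is processed with: the domain's own, else the default."""
        _, domain = split_user_name(full_name)
        return self.domains[domain].schemes.get(kind, DEFAULT_SCHEMES[kind])

    def local_attribute(self, full_name, attr):
        """User-based configuration takes precedence over domain-based."""
        user, domain = split_user_name(full_name)
        user_attrs = self.users.get("%s@%s" % (user, domain), {})
        if attr in user_attrs:
            return user_attrs[attr]
        return self.domains[domain].attributes.get(attr)

    def resolve_authorization(self, full_name, attr, server_attributes):
        """The AAA server's authorization attribute is used first; the domain
        attribute applies only when the server did not deliver it."""
        if server_attributes and attr in server_attributes:
            return server_attributes[attr]
        _, domain = split_user_name(full_name)
        return self.domains[domain].attributes.get(attr)


if __name__ == "__main__":
    aaa = AaaModel()
    hua = aaa.create_domain("hua")
    hua.schemes["authentication"] = "radius"   # applied in the domain view
    hua.attributes["idle-cut"] = 10             # domain default (assumed value)
    aaa.add_user("user@hua", **{"idle-cut": 5})  # user-based override
    print(split_user_name("user@hua"))
    print(aaa.scheme_for("user@hua", "authentication"))
    print(aaa.scheme_for("user@hua", "accounting"))
    print(aaa.local_attribute("user@hua", "idle-cut"))
    print(aaa.resolve_authorization("user@hua", "idle-cut", {"idle-cut": 30}))
```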

Local User Management


Local user management refers to setting up a local user database on a local router to maintain user information.

1.1.2 AAA and User Management Supported by the NE80E/40E


The NE80E/40E supports all the preceding authentication, authorization, and accounting schemes. In addition, it also supports management of users based on domains and management of local users.

1.2 Configuring Local User Management


This section describes how to manage local users.
1.2.1 Establishing the Configuration Task
1.2.2 Creating a Local User Account
1.2.3 Configuring the Type of the Service That the Local User Accesses
1.2.4 Configuring the Local User Authority of Accessing the FTP Directory
1.2.5 Configuring Local User Status
1.2.6 Configuring the Local User Level
1.2.7 Setting the Maximum Number of Access Users with the Same User Name
1.2.8 Cutting Off Online Users Forcibly
1.2.9 Checking the Configuration

1.2.1 Establishing the Configuration Task


Applicable Environment
You can create a single local user database on a Network Access Server (NAS) to manage access users. Generally, the router is used as NAS.

Pre-configuration Task
Before configuring local user management, complete the following task:
- Creating an Access Control List (ACL) and setting ACL rules, if you need to apply the ACL to manage local users

Data Preparation
To configure local user management, you need the following data.
1. User name and password
2. Type of the service that the local user accesses
3. Name of the FTP directory that the local user can access
4. Local user status
5. Local user level
6. Limited number of local access users
7. Number of the ACL used to manage the local user

1.2.2 Creating a Local User Account


Context
Do as follows on the NAS:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name [ password { simple | cipher } password ]

A local user account is created. If the user name contains @, the characters before @ are the user name and the characters after @ are the domain name. If the user name does not contain @, the whole character string represents the user name and the domain name is default.

----End

1.2.3 Configuring the Type of the Service That the Local User Accesses

Context
Do as follows on the NAS:
NOTE

Through this configuration procedure, service-type-based user management is realized.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name service-type { ftp | ppp | ssh | telnet | terminal } *

The type of the service that the local user accesses is configured. By default, all access types are available for local users.

----End

1.2.4 Configuring the Local User Authority of Accessing the FTP Directory
Context
Do as follows on the NAS:
NOTE

If the type of the service that the local user accesses is set to FTP, this configuration procedure is mandatory; otherwise, the FTP user cannot log in.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name ftp-directory directory

The local user authority of accessing the FTP directory is configured. By default, the FTP directory is null.

----End

1.2.5 Configuring Local User Status


Context
Do as follows on the NAS:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name state { active | block }

The local user status is configured. By default, the local user is in the active state.

----End

Postrequisite
Do as follows to process the local user in the active or block state:
- If the local user is in the active state, the authentication request from this user is allowed for further processing.
- If the local user is in the block state, the authentication request from this user is denied.

1.2.6 Configuring the Local User Level


Context
Do as follows on the NAS:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name level level

The local user level is configured. By default, the level of the local user is determined by the management module.

----End

Postrequisite
Login users have the same 16 levels as commands. The levels are Visit, Monitoring, Configure and Management, numbered from 0 to 15; the higher the number, the higher the priority. After the local user level is configured, the login user can run a command only when the user level is equal to or higher than the command level.

1.2.7 Setting the Maximum Number of Access Users with the Same User Name
Context
Do as follows on the NAS:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name access-limit access-limit-number

The local user access limit is configured. By default, the number of access users with the same user name is not restricted.

----End

1.2.8 Cutting Off Online Users Forcibly


Context
Do as follows on the NAS:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Perform the following as required to cut off online users forcibly.
- To cut off online users based on domain names, run the cut access-user domain domain-name command.
- To cut off online users based on user names, run the cut access-user username { local | hwtacacs | radius | none | all } [ user-name ] command.
- To cut off online users based on user IDs, run the cut access-user user-id start-no [ end-no ] command.

NOTE
If cutting off online users based on domain names is configured, all online users in the specified domain are forcibly cut off. If cutting off online users based on user names or authentication modes is configured, all connections that match the condition are cut off simultaneously.

----End

1.2.9 Checking the Configuration


Run the following command to check the previous configuration.

Action: Check attributes of the local user.
Command: display local-user [ domain domain-name | username user-name ]

Run the display local-user command. If attributes of the local user are displayed, it means that the configuration succeeds. For example:

<Quidway> display local-user
----------------------------------------------------------------------------
Username        State    Type    CAR     Access-limit    Online
----------------------------------------------------------------------------
bbb             Active   T       Dft     No              1
ftp             Active   F       Dft     No              0
----------------------------------------------------------------------------
Total 2,2 printed
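As an added example (not part of the original guide), the following Python script parses the display local-user output above and flags the two conditions a reviewer of the local user database would check for: accounts left at the default of no access limit, and blocked accounts that still show online sessions. The function names and the re-embedded sample output are assumptions for this illustration.

```python
"""Parser and audit for the 'display local-user' output shown above.
Added illustration code for this page, not NE80E/40E software:
parse_local_users, parse_total and audit_local_users are names invented here."""

import re

# The page's example output, re-embedded here as a constructed sample.
SAMPLE_OUTPUT = """\
<Quidway> display local-user
----------------------------------------------------------------------------
Username        State    Type    CAR     Access-limit    Online
----------------------------------------------------------------------------
bbb             Active   T       Dft     No              1
ftp             Active   F       Dft     No              0
----------------------------------------------------------------------------
Total 2,2 printed
"""

COLUMNS = ("Username", "State", "Type", "CAR", "Access-limit", "Online")
SEPARATOR = re.compile(r"^-{10,}$")
TOTAL = re.compile(r"^Total (\d+),(\d+) printed$", re.MULTILINE)


def parse_local_users(text):
    """Return one dict per user row, keyed by the column names.

    Lines before the header (such as the echoed command) are skipped; the
    header itself is validated so a changed output format is noticed
    instead of being silently mis-parsed.
    """
    users = []
    header_seen = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SEPARATOR.match(line):
            continue
        if line.startswith("Total "):
            break
        fields = line.split()
        if not header_seen:
            if tuple(fields) == COLUMNS:
                header_seen = True
            continue  # prompt, command echo or other preamble
        if len(fields) != len(COLUMNS):
            raise ValueError("malformed row: %r" % line)
        row = dict(zip(COLUMNS, fields))
        row["Online"] = int(row["Online"])  # current sessions for this name
        users.append(row)
    if not header_seen:
        raise ValueError("column header not found")
    return users


def parse_total(text):
    """Return (total, printed) from the trailing 'Total N,M printed' line."""
    match = TOTAL.search(text)
    if match is None:
        raise ValueError("trailer line not found")
    return int(match.group(1)), int(match.group(2))


def load_local_users(text):
    """Parse and cross-check: the printed count must match the rows parsed."""
    users = parse_local_users(text)
    _, printed = parse_total(text)
    if printed != len(users):
        raise ValueError("trailer says %d rows, parsed %d" % (printed, len(users)))
    return users


def audit_local_users(users):
    """Findings a reviewer of the local user database would raise.

    - Access-limit "No" is the default, so any number of sessions may share
      this user name (see local-user ... access-limit above).
    - A non-Active (blocked) account that still shows online sessions: the
      block state only denies new authentication requests, so existing
      sessions remain until cut access-user terminates them.
    """
    findings = []
    for user in users:
        if user["Access-limit"] == "No":
            findings.append((user["Username"], "no access-limit configured"))
        if user["State"] != "Active" and user["Online"] > 0:
            findings.append((user["Username"], "blocked account still online"))
    return findings


if __name__ == "__main__":
    for finding in audit_local_users(load_local_users(SAMPLE_OUTPUT)):
        print("%s: %s" % finding)
```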

1.3 Configuring AAA Schemes


This section describes how to configure various attributes of AAA.
1.3.1 Establishing the Configuration Task
1.3.2 Configuring the Authentication Scheme
1.3.3 (Optional) Configuring the Authorization Scheme
1.3.4 Configuring the Accounting Scheme
1.3.5 (Optional) Configuring the Recording Scheme
1.3.6 Allocating IP Addresses to Users
1.3.7 Checking the Configuration

1.3.1 Establishing the Configuration Task


Applicable Environment
To provide access services for legal users and protect sensitive network devices from unauthorized access, configure AAA.
NOTE
AAA is always enabled on the NAS.

PPP users can use the PPP address negotiation function to obtain the IP address of the local interface from the NAS. AAA allocates addresses to PPP users on the BAS. The address allocation rules are as follows:
- For a user who is not authenticated:
  If the interface has an IP address, the NAS allocates that address to the peer directly. If the interface has an IP address pool, the NAS allocates an address from that pool to the peer.
- For a user in the default domain who passes authentication (the default user name has two forms: without @, such as "aaa", and with @, such as "aaa@default"):
  If the server delivers an IP address, the NAS allocates this address to the peer directly. If the server delivers an address pool ID, the NAS allocates an address from the global or domain address pool with that ID. If the server delivers no address pool ID but the interface has an IP address pool, the NAS allocates an address from this global address pool.
- For a user in a common domain who passes authentication:
  If the server delivers an IP address, the NAS allocates this address to the peer directly. If the server delivers an address pool ID, the NAS allocates an address from the specified domain address pool. If the server delivers neither an IP address nor an address pool ID, the NAS traverses the domain address pools, starting from the first one, to find an available IP address.

In the preceding cases, the global address pool and the domain address pool are each traversed once. If all addresses in the specified global or domain address pool are in use, the NAS stops traversing and returns the invalid IP address 0. Classful network and broadcast addresses, such as Class A addresses XXX.0.0.0 and XXX.255.255.255, Class B addresses XXX.XXX.0.0 and XXX.XXX.255.255, and Class C addresses XXX.XXX.XXX.0 and XXX.XXX.XXX.255, must not be configured as the start or end address of an address pool. If an address pool contains such addresses, they are never allocated.
NOTE
IP address negotiation needs to be configured on both the client and the server.
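The allocation rules above, written out as a small Python model so that the order of the lookups and the exhaustion behavior can be exercised. This is an added example, not NE80E/40E code: the pools, domains and user records are constructed here, the "interface_pool" parameter is an assumed stand-in for the global pool bound to the PPP interface, and the rule that a pool ID delivered to a default-domain user is looked up in the global pools before the domain pools is this model's interpretation of "global or domain address pool". Classful network and broadcast addresses inside a range are skipped rather than allocated, and an exhausted pool yields the invalid address "0" as the text describes.

```python
"""Address allocation for PPP users, modelled on the rules in 1.3.1.
Added example, not NE80E/40E code; all pools and users are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

INVALID_ADDRESS = "0"  # the text's "invalid IP address 0" for an exhausted pool


def is_classful_edge(addr: ipaddress.IPv4Address) -> bool:
    """True for the all-zero or all-one host part of the address's classful block
    (XXX.0.0.0 / XXX.255.255.255, XXX.XXX.0.0 / XXX.XXX.255.255, XXX.XXX.XXX.0 / .255)."""
    n = int(addr)
    first_octet = n >> 24
    if first_octet < 128:
        host_bits = 24          # Class A
    elif first_octet < 192:
        host_bits = 16          # Class B
    elif first_octet < 224:
        host_bits = 8           # Class C
    else:
        return False            # Class D/E are not unicast pool material
    host = n & ((1 << host_bits) - 1)
    return host in (0, (1 << host_bits) - 1)


@dataclass
class Pool:
    pool_id: int
    first: str
    last: str
    leased: set = field(default_factory=set)

    def allocate(self) -> Optional[str]:
        """Hand out the lowest free address; edge addresses inside the range are
        skipped, and None signals that the pool is exhausted."""
        lo = int(ipaddress.IPv4Address(self.first))
        hi = int(ipaddress.IPv4Address(self.last))
        for n in range(lo, hi + 1):
            addr = ipaddress.IPv4Address(n)
            if is_classful_edge(addr) or str(addr) in self.leased:
                continue
            self.leased.add(str(addr))
            return str(addr)
        return None


def _from_pool(pool: Optional[Pool]) -> str:
    if pool is None:
        return INVALID_ADDRESS
    return pool.allocate() or INVALID_ADDRESS


def allocate_address(domain: str, authenticated: bool,
                     server_ip: Optional[str], server_pool_id: Optional[int],
                     interface_ip: Optional[str], interface_pool: Optional[Pool],
                     global_pools: Dict[int, Pool],
                     domain_pools: Dict[str, List[Pool]]) -> str:
    """Apply the three cases of 1.3.1. interface_pool (assumed name) is the
    global pool bound to the PPP interface."""
    if not authenticated:                       # case 1: no authentication
        if interface_ip:
            return interface_ip
        return _from_pool(interface_pool)

    if server_ip:                               # server delivered an address
        return server_ip

    pools = domain_pools.get(domain, [])
    if domain == "default":                     # case 2: default domain
        if server_pool_id is not None:
            pool = global_pools.get(server_pool_id) or next(
                (p for p in pools if p.pool_id == server_pool_id), None)
            return _from_pool(pool)
        return _from_pool(interface_pool)

    if server_pool_id is not None:              # case 3: common domain, pool ID given
        return _from_pool(next((p for p in pools if p.pool_id == server_pool_id), None))
    for pool in pools:                          # neither delivered: walk the domain pools once
        addr = pool.allocate()
        if addr:
            return addr
    return INVALID_ADDRESS
```

Running `allocate_address("isp1", True, None, None, None, None, {}, pools)` repeatedly against a two-pool domain walks pool 1, then pool 2, then returns "0", which is the condition an operator should alarm on rather than treat as a valid lease.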

Pre-configuration Tasks
None.

Data Preparation
To configure AAA schemes, you need the following data.

No.  Data
1    Name of the authentication scheme and the authentication mode
2    (Optional) Name of the authorization scheme and the authorization mode, level of the user to be authorized through command lines, and timeout time of command-line-based authorization
3    Name of the accounting scheme, the accounting mode, the interval of real-time accounting, the accounting-start failure policy, the real-time accounting failure policy, and the maximum number of real-time accounting failures
4    (Optional) Name of the recording scheme, name of the HWTACACS server template related to the recording mode, and events to be recorded
5    Interface type and interface number of the server or client, address pool ID and IP address range of the address pool, and the IP addresses to be allocated to users when no address pool is used

1.3.2 Configuring the Authentication Scheme


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
aaa

The AAA view is displayed.
Step 3 Run:
authentication-scheme authentication-scheme-name

An authentication scheme is created and the authentication scheme view is displayed.
Step 4 Run:
authentication-mode { hwtacacs | radius | local }* [ none ]

or
authentication-mode none

The authentication mode is configured. By default, the authentication mode is local. If several authentication modes are configured in one scheme, they are tried in the order in which they were configured. If the authentication mode is RADIUS or HWTACACS, you must configure the RADIUS or HWTACACS server template and apply it in the view of the domain to which the user belongs. Note that none at the end of the list admits the user without authentication when none of the preceding modes can authenticate the user (for example, because the remote servers are unreachable); configure it only where that fail-open behavior is intended.
Step 5 Run:
authentication-super { hwtacacs | super } * [ none ]

or
authentication-super none

The authentication mode used when a user upgrades the user level is configured.

NOTE
The default authentication mode is local authentication. To allow users to pass without being authenticated, create an authentication scheme, set its authentication mode to none, and apply the scheme to the specified domain.

----End
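How an ordered list such as authentication-mode radius local none is evaluated, as an added Python model (not NE80E/40E code). The page states only that the modes are tried in configuration order; the model adds two labelled assumptions that match common AAA semantics: a mode that rejects the user ends the attempt, while a mode that does not answer (unreachable server) hands over to the next mode, and none admits the user without any check. The backends, user records and the scheme_result helper are constructed for the example.

```python
"""Evaluation of an authentication-mode list such as "radius local none".
Added model, not NE80E/40E code. Assumptions: REJECT is final, NO_RESPONSE
falls through to the next mode, "none" admits unconditionally."""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    NO_RESPONSE = "no-response"


Backend = Callable[[str, str], Verdict]


def authenticate(modes: List[str], backends: Dict[str, Backend],
                 user: str, password: str) -> Tuple[bool, str]:
    """Walk the modes in configured order; return (admitted, deciding mode)."""
    for mode in modes:
        if mode == "none":
            return True, "none"              # fail-open: nothing was verified
        verdict = backends[mode](user, password)
        if verdict is Verdict.ACCEPT:
            return True, mode
        if verdict is Verdict.REJECT:
            return False, mode               # assumption: a reject is final
        # NO_RESPONSE: fall through to the next configured mode
    return False, "no-response"              # every mode silent, no "none" configured


def local_backend(users: Dict[str, str]) -> Backend:
    """Local user database: always answers, accept or reject."""
    def check(user: str, password: str) -> Verdict:
        return Verdict.ACCEPT if users.get(user) == password else Verdict.REJECT
    return check


def remote_backend(users: Dict[str, str], reachable: bool) -> Backend:
    """Stands in for a RADIUS or HWTACACS server; reachable=False models a
    server that never answers within the timeout/retransmit budget."""
    def check(user: str, password: str) -> Verdict:
        if not reachable:
            return Verdict.NO_RESPONSE
        return Verdict.ACCEPT if users.get(user) == password else Verdict.REJECT
    return check


# Constructed user records for the example.
LOCAL_USERS = {"admin": "Loc@lPw1"}
REMOTE_USERS = {"bbb": "Rem0tePw"}


def scheme_result(modes: List[str], radius_up: bool,
                  user: str, password: str) -> Tuple[bool, str]:
    """Evaluate one scheme against the constructed backends."""
    backends = {"radius": remote_backend(REMOTE_USERS, radius_up),
                "local": local_backend(LOCAL_USERS)}
    return authenticate(modes, backends, user, password)
```

The case to look at is ["radius", "none"] with the RADIUS server down: any user name with any password is admitted, which is what the NOTE above means by passing without authentication. ["radius", "local"] degrades to the local database instead, and with RADIUS reachable a rejection from RADIUS is not overridden by a local account.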

1.3.3 (Optional) Configuring the Authorization Scheme


Context
Do as follows on the BAS:
NOTE
- Only HWTACACS supports command-line authorization for users at specified levels.
- For commands that contain indications and values, such as interface ethernet2/2/0, the commands must be submitted in configuration file format. Otherwise, HWTACACS authorization fails.
- HWTACACS command-line authorization is independent of the authorization mode.
- The timeout time of the authorization response is configured in the HWTACACS server template (Step 10).

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
aaa

The AAA view is displayed.
Step 3 Run:
authorization-scheme authorization-scheme-name

The authorization scheme is created and the authorization scheme view is displayed. By default, an authorization scheme named default exists. This scheme can be modified but not deleted.
Step 4 Run:
authorization-mode { hwtacacs | if-authenticated | local }* [ none ]

or
authorization-mode none

The authorization mode is configured. By default, the authorization mode is local. If the authorization mode is HWTACACS, you must configure the HWTACACS server template and apply it in the view of the domain to which the user belongs.
Step 5 Run:
authorization-cmd privilege-level hwtacacs [ local ]

Command-line-based authorization is enabled for the specified privilege level. By default, command-line-based authorization is disabled. If command-line authorization is enabled, you must configure the HWTACACS server template and apply it in the view of the domain to which the user belongs.
Step 6 Run:
authorization-cmd no-response-policy { online | offline [ max-times max-times-value ] }

The policy applied when the HWTACACS server is unavailable or does not respond to a command-line authorization request is set.
Step 7 Run:
quit

Return to the AAA view.
Step 8 Run:
quit

Return to the system view.
Step 9 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.
Step 10 Run:
hwtacacs-server timer response-timeout timeout-value

The timeout time of the authorization response is set.
----End

1.3.4 Configuring the Accounting Scheme


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
aaa

The AAA view is displayed.
Step 3 Run:
accounting-scheme accounting-scheme-name

The accounting scheme is created and the accounting scheme view is displayed. By default, an accounting scheme named default exists. This scheme can be modified but not deleted.
Step 4 Run:
accounting-mode { hwtacacs | radius | none }

The accounting mode is configured. By default, the accounting mode is none. If the accounting mode is RADIUS or HWTACACS, you must configure the RADIUS or HWTACACS server template and apply it in the view of the domain to which the user belongs.
Step 5 Run:
accounting realtime interval

Real-time accounting is enabled and the accounting interval is set. By default, real-time accounting is enabled and the interval is 5 minutes. Choose the interval according to network conditions: too short an interval increases network traffic and the load on the device performing real-time accounting; too long an interval makes accounting inaccurate.
Step 6 (Optional) Run:
accounting start-fail { online | offline }

The policy applied when accounting cannot be started at the remote end is configured.
Step 7 (Optional) Run:
accounting interim-fail [ max-times times ] { online | offline }

The policy applied when real-time accounting fails is configured. By default, the user is cut off after real-time accounting fails three times. If a login user cannot be charged, the user is handled according to this policy.
----End

1.3.5 (Optional) Configuring the Recording Scheme


Context
Do as follows on the router:
NOTE
The recording function can be configured only when HWTACACS is used.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
aaa

The AAA view is displayed.
Step 3 Run:
recording-scheme recording-scheme-name

The recording scheme is created and the recording scheme view is displayed. By default, no recording scheme exists.
Step 4 Run:
recording-mode hwtacacs template-name

The recording mode is configured. By default, the recording scheme is not associated with any HWTACACS server template.
Step 5 Run:
quit

Return to the AAA view.
Step 6 (Optional) Run:
cmd recording-scheme recording-scheme-name

The commands run on the router are recorded.
Step 7 (Optional) Run:
outbound recording-scheme recording-scheme-name

The connections are recorded.
Step 8 Run:
system recording-scheme recording-scheme-name

The system events are recorded.
----End

1.3.6 Allocating IP Addresses to Users


Context
Do as follows on the router:
NOTE
- If there is only one user, you do not need to configure an address pool; allocate a specific IP address to the user directly. In this case, Steps 2, 3, and 4 can be skipped.
- The commands in Steps 6 and 7 must be run on a POS or cPOS interface that supports PPP.
- If both the local and remote interfaces are encapsulated with PPP, and the local interface has no IP address while the remote interface has one, you can configure IP address negotiation on the local interface so that it obtains an IP address from the peer through PPP negotiation. When configuring IP address negotiation, note the following:
  - IP address negotiation can be configured only on an interface that supports PPP.
  - When the PPP status goes Down, the IP address obtained through negotiation is deleted.
  - No IP address needs to be configured on the local interface, because the address is obtained through negotiation. If the interface already has an IP address, that address is deleted.
  - If negotiation is configured again on the interface, the IP address obtained by the earlier negotiation is deleted and the interface obtains a new IP address through negotiation. When the negotiated address is deleted, the interface has no address.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
aaa

The AAA view is displayed.
Step 3 Run:
ip pool pool-number first-address [ last-address ]

The IP address pool of the local system is configured.
Step 4 Run:
quit

Return to the system view.
Step 5 Run:
interface interface-type interface-number

The interface view is displayed.
Step 6 Run:
remote address { ip-address | pool [ pool-number ] }

IP addresses are allocated to the remote users.
Step 7 Run:
ip address ppp-negotiate

IP address negotiation is configured on the interface.
----End

1.3.7 Checking the Configuration


Run the following commands to check the previous configuration:

Action                                                  Command
View brief information about AAA.                       display aaa configuration
View the configuration of the accounting scheme.        display accounting-scheme [ accounting-scheme-name ]
View the configuration of the authentication scheme.    display authentication-scheme [ authentication-scheme-name ]
View the configuration of the authorization scheme.     display authorization-scheme [ authorization-scheme-name ]
View the configuration of the recording scheme.         display recording-scheme [ recording-scheme-name ]
View the usage of the address pool.                     display ip pool { global | domain domain-name }

Run the display aaa configuration command. If brief information about AAA is displayed, the configuration succeeds. For example:
<Quidway> display aaa configuration
--------------------------------------------------------------------------
AAA configuration information :
--------------------------------------------------------------------------
Domain                  : total: 255   used: 2
Authentication-scheme   : total: 16    used: 2
Authorization-scheme    : total: 16    used: 2
Accounting-scheme       : total: 128   used: 2
Recording-scheme        : total: 128   used: 0
AAA-access-user         : total: 384   used: 0
Access-user-state       : authen: 0  author: 0  accounting: 0
---------------------------------------------------------------------------

Run the display authentication-scheme command. If information about the authentication scheme is displayed, the configuration succeeds. For example:
<Quidway> display authentication-scheme scheme0
--------------------------------------------------------------------------
Authentication-scheme-name        : scheme0
Authentication-method             : Local authentication
Authentication-super method       : Super authentication-super
---------------------------------------------------------------------------

Run the display authorization-scheme command. If information about the authorization scheme is displayed, the configuration succeeds. For example:
<Quidway> display authorization-scheme scheme0
--------------------------------------------------------------------------
Authorization-scheme-name         : scheme0
Authorization-method              : Local authorization
Authorization-cmd level 0         : disabled
Authorization-cmd level 1         : disabled
Authorization-cmd level 2         : enabled ( Hwtacacs )
Authorization-cmd level 3         : disabled
Authorization-cmd level 4         : disabled
Authorization-cmd level 5         : disabled
Authorization-cmd level 6         : disabled
Authorization-cmd level 7         : disabled
Authorization-cmd level 8         : disabled
Authorization-cmd level 9         : disabled
Authorization-cmd level 10        : disabled
Authorization-cmd level 11        : disabled
Authorization-cmd level 12        : disabled
Authorization-cmd level 13        : disabled
Authorization-cmd level 14        : disabled
Authorization-cmd level 15        : disabled
Authorization-cmd no-response-policy : Online
---------------------------------------------------------------------------

Run the display accounting-scheme command. If information about the accounting scheme is displayed, the configuration succeeds. For example:
<Quidway> display accounting-scheme scheme0
--------------------------------------------------------------------------
Accounting-scheme-name            : scheme0
Accounting-method                 : RADIUS accounting
Realtime-accounting-switch        : Open
Realtime-accounting-interval(min) : 5
Start-accounting-fail-policy      : Cut user
Realtime-accounting-fail-policy   : Cut user
Realtime-accounting-failure-retries : 3
---------------------------------------------------------------------------

Run the display recording-scheme command. If information about the recording scheme is displayed, the configuration succeeds. For example:
<Quidway> display recording-scheme scheme0
--------------------------------------------------------------------------
Recording-scheme-name             : scheme0
HWTACACAS-template-name           : template0
---------------------------------------------------------------------------

Run the display access-user command. If brief information about all online users is displayed, the configuration succeeds. For example:
<Quidway> display access-user
-----------------------------------------------------------------------------
Total users                    : 2
Wait authen-ack                : 0
Authentication success         : 2
Accounting ready               : 2
Accounting state               : 0
Wait leaving-flow-query        : 0
Wait accounting-start          : 0
Wait accounting-stop           : 0
Wait authorization-client      : 0
Wait authorization-server      : 0
-------------------------------------------------------------------
Domain-name                    Online-user
-------------------------------------------------------------------
default                        : 2
-------------------------------------------------------------------
The used CID table are : 256 257
-----------------------------------------------------------------------------

1.4 Configuring Server Templates


This section describes how to configure the RADIUS server template and, optionally, the HWTACACS server template.
1.4.1 Establishing the Configuration Task
1.4.2 Configuring the RADIUS Server Template
1.4.3 (Optional) Configuring the HWTACACS Server Template
1.4.4 Checking the Configuration

1.4.1 Establishing the Configuration Task


Applicable Environment
The RADIUS server template needs to be configured when RADIUS is adopted. When the authentication mode is set to a remote mode, configure a server template (RADIUS or HWTACACS) as required.
NOTE
Most items in the RADIUS configuration have default values; you can also set them according to the actual networking. The RADIUS configuration can be modified only when the RADIUS server template is not in use by any user. Note the following differences when configuring the HWTACACS server template:
- Except for deleting an HWTACACS server, you can modify most attributes of the HWTACACS server template without checking whether the template is in use.
- By default, no authentication key is configured.

Pre-configuration Tasks
None.

Data Preparation
To configure the server templates, you need the following data.

No.  Data
1    Name of the RADIUS server template, IP addresses and port numbers of the primary RADIUS authentication and accounting servers, source interface number, IP addresses and port numbers of the secondary RADIUS authentication and accounting servers, protocol version used by the RADIUS server, shared key, user name format (with or without domain name) sent to the RADIUS server, traffic unit on the RADIUS server, response timeout period and retransmission times of the RADIUS server, and the NAS port format and NAS port ID format of the RADIUS server
2    (Optional) Name of the HWTACACS server template, IP addresses and port numbers of the primary HWTACACS authentication, authorization, and accounting servers, IP addresses and port numbers of the secondary HWTACACS authentication, authorization, and accounting servers, retransmission times of accounting-stop packets, source IP address used for the HWTACACS server, shared key of the HWTACACS server, user name format (with or without domain name) sent to the HWTACACS server, traffic unit on the HWTACACS server, response timeout period of the HWTACACS server, and the time taken by the primary HWTACACS server to return to the active state

1.4.2 Configuring the RADIUS Server Template


Context
Do as follows on the router:

Procedure
- Creating the RADIUS server template
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  radius-server template template-name

  The RADIUS server template is created and the RADIUS server template view is displayed.
- Configuring the RADIUS authentication server
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  radius-server template template-name

  The RADIUS server template view is displayed.
  3. Run:
  radius-server authentication ip-address port [ source loopback interface-number ]

  The primary RADIUS authentication server is configured.
  4. Run:
  radius-server authentication ip-address port [ source loopback interface-number ] secondary

  The secondary RADIUS authentication server is configured.
- Configuring the RADIUS accounting function
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  radius-server template template-name

  The RADIUS server template view is displayed.
  3. Run:
  radius-server accounting ip-address port [ source loopback interface-number ]

  The primary RADIUS accounting server is configured. By default, the IP address of the primary RADIUS accounting server is 0.0.0.0 and the port number is 0.
  4. Run:
  radius-server accounting ip-address port [ source loopback interface-number ] secondary

  The secondary RADIUS accounting server is configured. By default, the IP address of the secondary RADIUS accounting server is 0.0.0.0 and the port number is 0.
- (Optional) Configuring the protocol version of the RADIUS server
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  radius-server template template-name

  The RADIUS server template view is displayed.
  3. Run:
  radius-server type { standard | portal }

  The protocol version of the RADIUS server is configured. By default, the NE80E/40E uses standard RADIUS.
- (Optional) Configuring the shared key of the RADIUS server
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  radius-server template template-name

  The RADIUS server template view is displayed.
  3. Run:
  radius-server shared-key key-string

  The shared key of the RADIUS server is configured. The same key must be configured on the RADIUS server: it protects the User-Password attribute in requests and lets the router verify that responses come from a server holding the key.
- (Optional) Configuring the user name format sent to the RADIUS server
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  radius-server template template-name

  The RADIUS server template view is displayed.
  3. Run:
  radius-server user-name domain-included

  The user name format sent to the RADIUS server is configured. By default, the user name contains the domain name, that is, it is in the format user name@domain name. If the RADIUS server does not accept user names that contain a domain name, remove the domain name (undo radius-server user-name domain-included) so that only the user name is sent to the RADIUS server.
NOTE
Commonly, a user name is in the format "user name@domain name". The character string after @ is the domain name.

- (Optional) Configuring the traffic unit of the RADIUS server
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  radius-server template template-name

  The RADIUS server template view is displayed.
  3. Run:
  radius-server traffic-unit { byte | kbyte | mbyte | gbyte }

  The traffic unit of the RADIUS server is configured. By default, the traffic unit is byte.
NOTE
If standard RADIUS is used, this configuration does not take effect.

- (Optional) Configuring the retransmission parameters of the RADIUS server
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  radius-server template template-name

  The RADIUS server template view is displayed.
  3. Run:
  radius-server timeout seconds

  The period the NE80E/40E waits for a response from the RADIUS server is configured. By default, the timeout period is 5 seconds. If the RADIUS server does not respond within this period, the NE80E/40E retransmits the request.
  4. Run:
  radius-server retransmit retry-times

  The number of retransmissions to the RADIUS server is configured. By default, the request is retransmitted 3 times. After the NE80E/40E has retransmitted a request the configured number of times without a response, it considers the RADIUS server unavailable.
- (Optional) Configuring the NAS port format of the RADIUS server
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  radius-server template template-name

  The RADIUS server template view is displayed.
  3. Run:
  radius-server nas-port-format { new | old }

  The NAS port format is configured. By default, the NAS port format is new.
  4. Run:
  radius-server nas-port-id-format { new | old }

  The NAS port ID format of the RADIUS server is configured. By default, the NAS port ID format is new.
----End
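What the shared key configured with radius-server shared-key actually does on the wire, as an added Python example (RFC 2865 mechanics, not NE80E/40E code). It builds an Access-Request whose User-Password attribute is hidden with MD5(secret + authenticator) key blocks, then shows the check the NAS must make on the reply: recomputing the Response Authenticator with its own copy of the key so that an Access-Accept forged or tampered with by someone who does not hold the key is discarded. The key, user name, password and packet identifiers are constructed for the example; the retransmit behavior of the timeout step above is not modelled.

```python
"""RADIUS shared-key mechanics (RFC 2865). Added example, not NE80E/40E code;
all keys and packets below are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key_block = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key_block))
        out += block
        prev = block
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Server side of hide_password; strips the zero padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key_block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key_block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, ident: int, username: bytes,
                         password: bytes, request_auth: bytes = None):
    """NAS -> server. Returns (packet, request_authenticator); the NAS keeps
    the authenticator to validate the reply."""
    request_auth = request_auth or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username) + attribute(
        ATTR_USER_PASSWORD, hide_password(secret, request_auth, password))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + request_auth + attrs, request_auth


def response_authenticator(secret: bytes, code: int, ident: int,
                           attrs: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(secret: bytes, code: int, ident: int,
                   request_auth: bytes, attrs: bytes = b"") -> bytes:
    """Server -> NAS (Access-Accept or Access-Reject)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return header + response_authenticator(secret, code, ident, attrs, request_auth) + attrs


def verify_response(secret: bytes, response: bytes, request_auth: bytes) -> bool:
    """NAS side: trust the reply only if its authenticator matches under our key.
    A reply forged without the key, or with altered attributes, fails here."""
    if len(response) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    attrs = response[HEADER_LEN:]
    expected = response_authenticator(secret, code, ident, attrs, request_auth)
    return hmac.compare_digest(response[4:HEADER_LEN], expected)
```

Note that the check in verify_response is only as strong as the key: MD5 over a short, guessable shared key gives an attacker who captures one request/response pair an offline guessing target, which is why the key should be long and random and differ per template where the server supports it.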

1.4.3 (Optional) Configuring the HWTACACS Server Template


Context
Do as follows on the router:

Procedure
l Creating the HWTACACS server template 1. Run:
system-view

1-22

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

Issue 03 (2008-09-22)

Quidway NetEngine80E/40E Core Router Configuration Guide - Security

1 AAA and User Management Configurations

The system view is displayed. 2. Run:


hwtacacs-server template template-name

The HWTACACS server template is created and the corresponding view is displayed. l Configuring the HWTACACS authentication server 1. Run:
system-view

The system view is displayed. 2. Run:


hwtacacs-server template template-name

The HWTACACS server template view is displayed. 3. Run:


hwtacacs-server authentication ip-address [ port ]

The primary HATACACS authentication server is configured. By default, the IP address of the primary HWTACACS authentication server is 0.0.0.0. 4. Run:
hwtacacs-server authentication ip-address [ port ] secondary

The secondary HWTACACS authentication server is configured. By default, the IP address of the secondary HWTACACS authentication server is 0.0.0.0. l Configuring the HWTACACS authorization server 1. Run:
system-view

The system view is displayed. 2. Run:


hwtacacs-server template template-name

The HWTACACS server template view is displayed. 3. Run:


hwtacacs-server authorization ip-address [ port ]

The primary HWTACACS authorization server is configured. By default, the IP address of the primary HWTACACS authorization server is 0.0.0.0. 4. Run:
hwtacacs-server authorization ip-address [ port ] secondary

The secondary HWTACACS authorization server is configured. By default, the IP address of the secondary HWTACACS authorization server is 0.0.0.0. l Configuring the HWTACACS accounting server 1. Run:
system-view

The system view is displayed.


Issue 03 (2008-09-22) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. 1-23

1 AAA and User Management Configurations

Quidway NetEngine80E/40E Core Router Configuration Guide - Security

2.

Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed. 3. Run:


hwtacacs-server accounting ip-address [ port ]

The primary HWTACACS accounting server is configured. By default, the IP address of the primary HWTACACS accounting server is 0.0.0.0. 4. Run:
hwtacacs-server accounting ip-address [ port ] secondary

The secondary HWTACACS accounting server is configured. By default, the IP address of the secondary HWTACACS accounting server is 0.0.0.0. 5. Run:
quit

Back to the system view. 6. Run:


hwtacacs-server accounting-stop-packet resend { disable | enable number }

Retransmitting the accounting-stop packets is configured. By default, the NE80E/40E allows retransmitting accounting-stop packets. The number of retransmitted packets is 100. Accounting-stop packets are used to inform the server to stop charging users. If the accounting server fails to receive the accounting-stop packets, it continues to charge users. Then, the NE80E/40E must retransmit the accounting-stop packets until the server receives the packets or until the retransmission times reach threshold. l (Optional) Configuring the source IP address of the HWTACACS server 1. Run:
system-view

The system view is displayed. 2. Run:


hwtacacs-server template template-name

The HWTACACS server template view is displayed. 3. Run:


hwtacacs-server source-ip ip-address

The source IP address of the packet is configured. By default, the source IP address of the packet is 0.0.0.0. That is, the NE80E/40E adopts the IP address of the outgoing interface as the source IP address of the HWTACACS packets. After the source IP address is specified, the HWTACACS template uses this IP address to communicate with the HWTACACS server. l
1-24

(Optional) Configuring the shared key of the HWTACACS server


Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. Issue 03 (2008-09-22)

Quidway NetEngine80E/40E Core Router Configuration Guide - Security

1 AAA and User Management Configurations

1.

Run:
system-view

The system view is displayed. 2. Run:


hwtacacs-server template template-name

The HWTACACS server template view is displayed. 3. Run:


hwtacacs-server shared-key key-string

The shared key of the HWTACACS server is configured. By default, the shared key of the HWTACACS server is null. Setting the shared key ensures the security of community between the NE80E/40E and the HWTACACS server.
NOTE

To ensure identify validity of two communication ends, the shared keys configured on the router and the HWTACACS server must be the same.

(Optional) Configuring the user name format of the HWTACACS server 1. Run:
system-view

The system view is displayed. 2. Run:


hwtacacs-server template template-name

The HWTACACS server template view is displayed. 3. Run:


hwtacacs-server user-name domain-included

The user name format of the HWTACACS server is configured. By default, the user name contains the domain name. If the HWTACACS server denies the user name containing the domain name, you can configure the device to remove the domain name from the user name before delivering the user name to HWTACACS server.
NOTE

Commonly, the user name is in the format of "user name@domain name". The character string after @ indicates the domain name.

- (Optional) Configuring the traffic unit of the HWTACACS server

1. Run:

system-view

The system view is displayed.

2. Run:

hwtacacs-server template template-name

The HWTACACS server template view is displayed.

3. Run:

hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }

The traffic unit of the HWTACACS server is configured. By default, the traffic unit is byte.

- (Optional) Configuring the timers of the HWTACACS server

1. Run:

system-view

The system view is displayed.

2. Run:

hwtacacs-server template template-name

The HWTACACS server template view is displayed.

3. Run:

hwtacacs-server timer response-timeout value

The period within which the HWTACACS server must send its response packets is configured. By default, the timeout period is five seconds. If the device receives no response from the HWTACACS server within this period, it considers the HWTACACS server unavailable and then tries to perform authentication, authorization, or accounting through the other configured methods.

4. Run:

hwtacacs-server timer quiet value

The time after which the primary HWTACACS server is restored to the active state is configured. By default, the primary HWTACACS server waits five minutes before being restored.

----End

1.4.4 Checking the Configuration


Run the following commands to check the previous configuration:

Action: View information on the RADIUS server.
Command: display radius-server configuration [ template template-name ]

Action: View information on the HWTACACS server.
Command: display hwtacacs-server template [ template-name [ verbose ] ]

Action: View information on accounting-stop packets on the HWTACACS server.
Command: display hwtacacs-server accounting-stop-packet { all | number | ip ip-address }

Run the display radius-server configuration command. If information about the RADIUS server template is displayed, the configuration succeeds. For example:

<Quidway> display radius-server configuration template test
------------------------------------------------------------------
Server-template-name            : test
Protocol-version                : standard
Traffic-unit                    : KB
Shared-secret-key               : abcdef
Timeout-interval(in second)     : 6
Primary-authentication-server   : 10.1.1.1:1812:LoopBack-1
Primary-accounting-server       : 10.1.1.2:1813:LoopBack-1
Secondary-authentication-server : 10.1.1.2:1812:LoopBack-1
Secondary-accounting-server     : 10.1.1.4:1813:LoopBack-1
Retransmission                  : 2
Domain-included                 : YES
-------------------------------------------------------------------

Run the display hwtacacs-server template command. If information about the HWTACACS server template is displayed, the configuration succeeds. For example:

<Quidway> display hwtacacs-server template
----------------------------------------------------------
HWTACACS-server template name   : 123
Primary-authentication-server   : 0.0.0.0:0
Primary-authorization-server    : 0.0.0.0:0
Primary-accounting-server       : 0.0.0.0:0
Secondary-authentication-server : 0.0.0.0:0
Secondary-authorization-server  : 0.0.0.0:0
Secondary-accounting-server     : 0.0.0.0:0
Current-authentication-server   : 0.0.0.0:0
Current-authorization-server    : 0.0.0.0:0
Current-accounting-server       : 0.0.0.0:0
Source-IP-address               : 0.0.0.0
Shared-key                      :
Quiet-interval(min)             : 5
Response-timeout-Interval(sec)  : 5
Domain-included                 : Yes
Traffic-unit                    : B
------------------------------------------------------------
Are you sure to display more information (y/n)[y]:y
------------------------------------------------------------
HWTACACS-server template name   : test1
Primary-authentication-server   : 1.1.11.1:49
Primary-authorization-server    : 0.0.0.0:0
Primary-accounting-server       : 1.1.1.1:49
Secondary-authentication-server : 0.0.0.0:0
Secondary-authorization-server  : 1.1.1.1:12
Secondary-accounting-server     : 0.0.0.0:0
Current-authentication-server   : 1.1.11.1:49
Current-authorization-server    : 1.1.1.1:12
Current-accounting-server       : 1.1.1.1:49
Source-IP-address               : 1.1.1.1
Shared-key                      :
Quiet-interval(min)             : 5
Response-timeout-Interval(sec)  : 5
Domain-included                 : Yes
Traffic-unit                    : B
------------------------------------------------------------
Total 2,2 printed
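The display output above can be checked mechanically. The following script is an added example, not part of the Huawei guide: it parses text in the format of display hwtacacs-server template and flags the weak defaults this section describes (null shared key, source IP 0.0.0.0, unconfigured or unpaired servers). The sample output is constructed and modelled on the display shown above; the finding texts and server-pairing rule are the example's own.

```python
import re

# Constructed sample, modelled on the display format in this section
# (template 123 keeps every default; test1 has a key and some servers).
SAMPLE_OUTPUT = """\
------------------------------------------------------------
HWTACACS-server template name : 123
Primary-authentication-server : 0.0.0.0:0
Primary-authorization-server : 0.0.0.0:0
Primary-accounting-server : 0.0.0.0:0
Secondary-authentication-server : 0.0.0.0:0
Secondary-authorization-server : 0.0.0.0:0
Secondary-accounting-server : 0.0.0.0:0
Current-authentication-server : 0.0.0.0:0
Current-authorization-server : 0.0.0.0:0
Current-accounting-server : 0.0.0.0:0
Source-IP-address : 0.0.0.0
Shared-key :
Quiet-interval(min) : 5
Response-timeout-Interval(sec) : 5
Domain-included : Yes
Traffic-unit : B
------------------------------------------------------------
Are you sure to display more information (y/n)[y]:y
------------------------------------------------------------
HWTACACS-server template name : test1
Primary-authentication-server : 1.1.11.1:49
Primary-authorization-server : 0.0.0.0:0
Primary-accounting-server : 1.1.1.1:49
Secondary-authentication-server : 0.0.0.0:0
Secondary-authorization-server : 1.1.1.1:12
Secondary-accounting-server : 0.0.0.0:0
Current-authentication-server : 1.1.11.1:49
Current-authorization-server : 1.1.1.1:12
Current-accounting-server : 1.1.1.1:49
Source-IP-address : 1.1.1.1
Shared-key : it-is-my-secret
Quiet-interval(min) : 5
Response-timeout-Interval(sec) : 5
Domain-included : Yes
Traffic-unit : B
------------------------------------------------------------
Total 2,2 printed
"""

UNSET_SERVER = "0.0.0.0:0"      # how the display shows an unconfigured server
TEMPLATE_KEY = "HWTACACS-server template name"
FIELD_RE = re.compile(r"^([^:]+?)\s*:\s*(.*)$")   # "Field : value"


def parse_hwtacacs_templates(text):
    """Split display output into one {field: value} dict per template."""
    templates, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith("---") or line.startswith("Total ")
                or line.startswith("Are you sure")):
            continue                      # separators, paging prompt, summary
        match = FIELD_RE.match(line)
        if not match:
            continue
        field, value = match.group(1).strip(), match.group(2).strip()
        if field == TEMPLATE_KEY:
            current = {"name": value}     # a new template block starts here
            templates.append(current)
        elif current is not None:
            current[field] = value
    return templates


def audit_template(tpl):
    """Return the security-relevant findings for one parsed template."""
    findings = []
    if not tpl.get("Shared-key"):         # empty value = default null key
        findings.append("shared-key: null (default); HWTACACS packets are "
                        "exchanged without a shared key")
    if tpl.get("Source-IP-address", "0.0.0.0") == "0.0.0.0":
        findings.append("source-ip: 0.0.0.0 (default); the outgoing-interface "
                        "address is used and changes when routing changes")
    for role in ("authentication", "authorization", "accounting"):
        primary = tpl.get("Primary-%s-server" % role, UNSET_SERVER)
        secondary = tpl.get("Secondary-%s-server" % role, UNSET_SERVER)
        if primary == UNSET_SERVER and secondary == UNSET_SERVER:
            findings.append("%s: no server configured" % role)
        elif primary == UNSET_SERVER:
            findings.append("%s: only a secondary server is configured" % role)
        elif secondary == UNSET_SERVER:
            findings.append("%s: no secondary server (single point of failure)" % role)
    return findings


def audit_output(text):
    """Map each template name in the display output to its findings."""
    return {tpl["name"]: audit_template(tpl)
            for tpl in parse_hwtacacs_templates(text)}


if __name__ == "__main__":
    for name, findings in audit_output(SAMPLE_OUTPUT).items():
        print(name, "->", "; ".join(findings) or "no findings")
```

Paste the real output of display hwtacacs-server template in place of the constructed sample to audit a router's own templates.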

1.5 Configuring Domains

This section describes how to configure a domain.

1.5.1 Establishing the Configuration Task
1.5.2 Creating a Domain
1.5.3 Configuring the Authentication, Authorization and Accounting Schemes of the Domain
1.5.4 Configuring the RADIUS Server Template
1.5.5 Configuring the HWTACACS Server Template
1.5.6 Configuring the Address-related Attributes of the Domain
1.5.7 Configuring the Domain State
1.5.8 Configuring the Maximum of Access Users Allowed by the Domain
1.5.9 Configuring the Idle-Cut Parameters for a Domain
1.5.10 Configuring the Idle-Cut Function for a Local User
1.5.11 Checking the Configuration

1.5.1 Establishing the Configuration Task


Applicable Environment
You must configure the domain to perform AAA management on access users. The domain can allocate IP addresses to access users, or uniformly deliver the addresses of the Domain Name System (DNS) server and NetBIOS Name Service (NBNS) server to access users.

Pre-configuration Tasks
Before configuring domains, complete the following tasks:

- Configuring authentication, authorization, and accounting schemes
- Configuring the RADIUS or HWTACACS server template if the authentication mode is set to remote

Data Preparation
To configure a domain, you need the following data:

No. 1: Domain name
No. 2: Names of the authentication scheme, authorization scheme and accounting scheme in the domain
No. 3: Name of the RADIUS or HWTACACS template of the domain
No. 4: Number, initial IP address and end IP address of the address pool used by the domain
No. 5: IP addresses of the primary and secondary DNS servers used by the domain
No. 6: IP addresses of the primary and secondary NBNS servers used by the domain
No. 7: Maximum number of users allowed to access through the domain


1.5.2 Creating a Domain


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

A domain is created and the domain view is displayed. By default, a domain named default exists. This domain can be modified but cannot be deleted.

----End

1.5.3 Configuring the Authentication, Authorization and Accounting Schemes of the Domain
Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
authentication-scheme authentication-scheme-name

The authentication scheme of the domain is configured. By default, the domain uses the authentication scheme named default.

Step 5 Run:
authorization-scheme authorization-scheme-name

The authorization scheme of the domain is configured. By default, the domain uses the authorization scheme named default.

Step 6 Run:
accounting-scheme accounting-scheme-name

The accounting scheme of the domain is configured. By default, the domain uses the accounting scheme named default.

----End

1.5.4 Configuring the RADIUS Server Template


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
radius-server template-name

The RADIUS server template of the domain is configured. By default, the RADIUS server template of the domain is null. If the authentication or accounting scheme of the domain is set to remote, you need to configure the RADIUS server template of the domain.

----End

1.5.5 Configuring the HWTACACS Server Template


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
hwtacacs-server template-name

The HWTACACS server template of the domain is configured. By default, the HWTACACS server template of the domain is null. If the authentication, authorization, or accounting scheme of the domain is set to remote, you need to configure the HWTACACS server template of the domain.

----End

1.5.6 Configuring the Address-related Attributes of the Domain


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
ip pool pool-number first-address [ last-address ]

The address pool of the domain is configured.

Step 5 Run:
dns primary-ip ip-address

The primary DNS server is configured.

Step 6 Run:
dns second-ip ip-address

The secondary DNS server is configured.

Step 7 Run:
nbns primary-ip ip-address

The IP address of the primary NBNS server is configured.

Step 8 Run:
nbns second-ip ip-address

The IP address of the secondary NBNS server is configured.

----End

1.5.7 Configuring the Domain State


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
state { active | block }

The domain state is configured. By default, a domain is in the active state after being created. If the domain is in the block state, the users in this domain cannot access the device.

----End

1.5.8 Configuring the Maximum of Access Users Allowed by the Domain


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
access-limit max-number

The maximum number of access users allowed by the domain is configured. By default, the domain allows 384 access users.

----End

Postrequisite
If the number of access users in the domain exceeds the threshold, the new access users are denied.

1.5.9 Configuring the Idle-Cut Parameters for a Domain


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

A domain is created and the domain view is displayed.

Step 4 Run:
idle-cut idle-time idle-data

The idle-cut parameters for the domain are configured.

----End

Postrequisite
If a user in the domain meets the idle-cut conditions, the connection of the user is torn down.

NOTE

Modifications to a domain or a server take effect after the user logs in to the domain again.

1.5.10 Configuring the Idle-Cut Function for a Local User


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user username idle-cut

The idle-cut function is enabled for the local user. By default, users obtain the idle-cut time configured in the domain view. The idle-cut time obtained by users is prioritized as follows: the idle-cut time delivered by the server has the highest priority; the idle-cut time set in the AAA domain view has the medium priority; the idle-cut time set in the user interface view has the lowest priority.

----End

1.5.11 Checking the Configuration


Run the following commands to check the previous configuration.

Action: View the configuration information on the domain.
Command: display domain [ domain-name ]

Run the display domain command. If information about the domain is displayed, the configuration succeeds. For example:

<Quidway> display domain
----------------------------------------------------------------------
Domain name     State     CAR     Access-limit     Online
----------------------------------------------------------------------
default         Active    0       384              0
huawei          Active    5       384              0
----------------------------------------------------------------------
Total 2,2 printed

1.6 Maintaining
This section describes how to reset the statistics and debug RADIUS or HWTACACS.

1.6.1 Clearing the Statistics
1.6.2 Debugging AAA and User Management

1.6.1 Clearing the Statistics

CAUTION
Statistics cannot be restored after you clear them. So, confirm the action before you use the command.

To clear the statistics, run the following reset commands in the user view.

Action: Clear the statistics of the HWTACACS server.
Command: reset hwtacacs-server statistics { all | accounting | authentication | authorization }

Action: Clear the statistics of accounting-stop packets of the HWTACACS server.
Command: reset hwtacacs-server accounting-stop-packet { all | ip ip-address }

1.6.2 Debugging AAA and User Management

CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging all command to disable the debugging immediately.

When a RADIUS or HWTACACS fault occurs, run the following debugging commands in the user view to debug and locate the fault.

For the procedure of displaying the debugging information, refer to the chapter Maintenance and Debugging in the Quidway NetEngine80E/40E Router Configuration Guide - System Management. For explanations of the debugging commands, refer to the Quidway NetEngine80E/40E Router Command Reference.

Action: Enable the debugging of RADIUS packets.
Command: debugging radius packet

Action: Enable the debugging of the HWTACACS server.
Command: debugging hwtacacs { all | error | event | message | receive-packet | send-packet }

1.7 Configuration Examples


This section provides two configuration examples of AAA and user management.

1.7.1 Example for Configuring the RADIUS Authentication and Accounting
1.7.2 Example for Configuring the Local Authentication and HWTACACS Authentication, Authorization and Real-time Accounting

1.7.1 Example for Configuring the RADIUS Authentication and Accounting


Networking Requirements
As shown in Figure 1-1, users belong to domain huawei and access the network through Router A. Router B acts as the access server of the destination network. If users need to access the destination network, they should first traverse the network between Router A and Router B and then access the destination network through Router B after they pass through remote authentication. In such a case, you can configure the remote authentication mode on Router B as follows:
- Use the RADIUS server to perform authentication and accounting for access users.
- The RADIUS server 129.7.66.66/24 acts as the primary authentication and accounting server. The RADIUS server 129.7.66.67/24 functions as the secondary authentication and accounting server. The default authentication port and accounting port are 1812 and 1813 respectively.


Figure 1-1 Networking diagram of RADIUS authentication and accounting
[Figure: users in domain huawei reach RouterA, which connects across the network to RouterB and the destination network; RADIUS servers 129.7.66.66/24 and 129.7.66.67/24]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a RADIUS server template, the authentication scheme, and the accounting scheme.
2. Apply the configured template and schemes in the domain.

Data Preparation
To complete the configuration task, you need the following data:

- IP address of the primary (secondary) RADIUS authentication server
- IP address of the primary (secondary) RADIUS accounting server

Configuration Procedure
1. Configure a RADIUS server template, the authentication scheme and the accounting scheme.

# Create a RADIUS server template named shiva.
[RouterA] radius-server template shiva

# Configure the IP addresses and ports of the primary RADIUS authentication and accounting servers.
[RouterA-radius-shiva] radius-server authentication 129.7.66.66 1812
[RouterA-radius-shiva] radius-server accounting 129.7.66.66 1813

# Configure the IP addresses and ports of the secondary RADIUS authentication and accounting servers.
[RouterA-radius-shiva] radius-server authentication 129.7.66.67 1812 secondary
[RouterA-radius-shiva] radius-server accounting 129.7.66.67 1813 secondary

# Configure the shared key and retransmission times of the RADIUS server.
[RouterA-radius-shiva] radius-server shared-key it-is-my-secret
[RouterA-radius-shiva] radius-server retransmit 2
[RouterA-radius-shiva] quit

# Enter the AAA view.
[RouterA] aaa

# Configure authentication scheme 1 with the authentication mode as RADIUS.
[RouterA-aaa] authentication-scheme 1
[RouterA-aaa-authen-1] authentication-mode radius
[RouterA-aaa-authen-1] quit

# Configure accounting scheme 1 with the accounting mode as RADIUS.
[RouterA-aaa] accounting-scheme 1
[RouterA-aaa-accounting-1] accounting-mode radius
[RouterA-aaa-accounting-1] quit

2. Apply the RADIUS authentication scheme 1, accounting scheme 1 and the RADIUS template shiva to the domain huawei.
[RouterA-aaa] domain huawei
[RouterA-aaa-domain-huawei] authentication-scheme 1
[RouterA-aaa-domain-huawei] accounting-scheme 1
[RouterA-aaa-domain-huawei] radius-server shiva

3. Verify the configuration.

Run the display radius-server configuration template command on the router to check the RADIUS server template.
<Quidway> display radius-server configuration template shiva
-------------------------------------------------------------------------
Server-template-name            : shiva
Protocol-version                : standard
Traffic-unit                    : B
Shared-secret-key               : it-is-my-secret
Timeout-interval(in second)     : 5
Primary-authentication-server   : 129.7.66.66:1812:LoopBack-1
Primary-accounting-server       : 129.7.66.66:1813:LoopBack-1
Secondary-authentication-server : 129.7.66.67:1812:LoopBack-1
Secondary-accounting-server     : 129.7.66.67:1813:LoopBack-1
Retransmission                  : 2
Domain-included                 : YES
-------------------------------------------------------------------------

Configuration Files
#
radius-server template shiva
 radius-server shared-key it-is-my-secret
 radius-server authentication 129.7.66.66 1812
 radius-server authentication 129.7.66.67 1812 secondary
 radius-server accounting 129.7.66.66 1813
 radius-server accounting 129.7.66.67 1813 secondary
 radius-server retransmit 2
#
aaa
 authentication-scheme default
 authentication-scheme 1
  authentication-mode radius
 #
 authorization-scheme default
 #
 accounting-scheme default
 accounting-scheme 1
  accounting-mode radius
 #
 domain default
 domain huawei
  authentication-scheme 1
  accounting-scheme 1
  radius-server shiva
#
return

1.7.2 Example for Configuring the Local Authentication and HWTACACS Authentication, Authorization and Real-time Accounting
Networking Requirements
As shown in Figure 1-2,

- Access users are authenticated by the local database first, and then by the HWTACACS server if the local authentication fails. To upgrade the level of an access user, the HWTACACS authentication mode is used first. If this mode gives no response, the local database authentication mode is used.
- Access users are configured with HWTACACS authorization.
- Accounting is necessary for all users. Real-time accounting is enabled for all users at an interval of 3 minutes.
- The HWTACACS server at 129.7.66.66 acts as the primary server; its authentication port and accounting port are both 49.
- The HWTACACS server at 129.7.66.67 functions as the secondary server. The default authentication port, authorization port and accounting port are 49, 49 and 49 respectively.

Figure 1-2 Networking diagram of local authentication and HWTACACS authentication, authorization and accounting
[Figure: users in domain huawei reach RouterA, which connects across the network to RouterB and the destination network; HWTACACS servers 129.7.66.66/24 and 129.7.66.67/24]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure an HWTACACS server template.
2. Configure the authentication, authorization, and accounting schemes.
3. Apply the configured template and schemes in the domain.

Data Preparation
To complete the following configuration, you need the following data:

- IP address of the primary (secondary) HWTACACS authentication server
- IP address of the primary (secondary) HWTACACS authorization server
- IP address of the primary (secondary) HWTACACS accounting server

Configuration Procedure
1. Configure an HWTACACS server template.

# Create an HWTACACS server template named ht.
[RouterA] hwtacacs-server template ht

# Configure the IP addresses and ports of the primary HWTACACS authentication, authorization and accounting servers.
[RouterA-hwtacacs-ht] hwtacacs-server authentication 129.7.66.66 49
[RouterA-hwtacacs-ht] hwtacacs-server authorization 129.7.66.66 49
[RouterA-hwtacacs-ht] hwtacacs-server accounting 129.7.66.66 49

# Configure the IP addresses and ports of the secondary HWTACACS authentication, authorization and accounting servers.
[RouterA-hwtacacs-ht] hwtacacs-server authentication 129.7.66.67 49 secondary
[RouterA-hwtacacs-ht] hwtacacs-server authorization 129.7.66.67 49 secondary
[RouterA-hwtacacs-ht] hwtacacs-server accounting 129.7.66.67 49 secondary

# Configure the shared key of the HWTACACS server.
[RouterA-hwtacacs-ht] hwtacacs-server shared-key it-is-my-secret
[RouterA-hwtacacs-ht] quit

2. Configure the authentication, authorization, and accounting schemes.

# Enter the AAA view.
[RouterA] aaa

# Configure an authentication scheme l-h with the authentication modes as local and hwtacacs in sequence. To upgrade the user level, configure the authentication modes as hwtacacs and super in sequence.
[RouterA-aaa] authentication-scheme l-h
[RouterA-aaa-authen-l-h] authentication-mode local hwtacacs
[RouterA-aaa-authen-l-h] authentication-super hwtacacs super
[RouterA-aaa-authen-l-h] quit

# Configure an authorization scheme hwtacacs with the authorization mode as hwtacacs.
[RouterA-aaa] authorization-scheme hwtacacs
[RouterA-aaa-author-hwtacacs] authorization-mode hwtacacs
[RouterA-aaa-author-hwtacacs] quit

# Configure an accounting scheme hwtacacs with the accounting mode as hwtacacs.
[RouterA-aaa] accounting-scheme hwtacacs
[RouterA-aaa-accounting-hwtacacs] accounting-mode hwtacacs

# Set the interval of real-time accounting to 3 minutes.
[RouterA-aaa-accounting-hwtacacs] accounting realtime 3
[RouterA-aaa-accounting-hwtacacs] quit


3. Apply the authentication scheme l-h, authorization scheme hwtacacs, accounting scheme hwtacacs and HWTACACS server template ht to the domain huawei.
[RouterA-aaa] domain huawei
[RouterA-aaa-domain-huawei] authentication-scheme l-h
[RouterA-aaa-domain-huawei] authorization-scheme hwtacacs
[RouterA-aaa-domain-huawei] accounting-scheme hwtacacs
[RouterA-aaa-domain-huawei] hwtacacs-server ht

4. Verify the configuration.

Run the display hwtacacs-server template command on the router to check the HWTACACS server template.
<Quidway> display hwtacacs-server template ht
-------------------------------------------------------------------------
HWTACACS-server template name   : ht
Primary-authentication-server   : 129.7.66.66:49
Primary-authorization-server    : 129.7.66.66:49
Primary-accounting-server       : 129.7.66.66:49
Secondary-authentication-server : 129.7.66.67:49
Secondary-authorization-server  : 129.7.66.67:49
Secondary-accounting-server     : 129.7.66.67:49
Current-authentication-server   : 129.7.66.66:49
Current-authorization-server    : 129.7.66.66:49
Current-accounting-server       : 129.7.66.66:49
Source-IP-address               : 0.0.0.0
Shared-key                      : it-is-my-secret
Quiet-interval(min)             : 5
Response-timeout-Interval(sec)  : 5
Domain-included                 : Yes
Traffic-unit                    : B
--------------------------------------------------------------------------

Run the display domain command on the router to check the domain.
<Quidway> display domain huawei
------------------------------------------------------------------
Domain-name                     : huawei
Domain-state                    : Active
Authentication-scheme-name      : l-h
Accounting-scheme-name          : hwtacacs
Authorization-scheme-name       : hwtacacs
User-CAR                        :
Web-IP-address                  :
Next-hop                        :
Primary-DNS-IP-address          :
Second-DNS-IP-address           :
Primary-NBNS-IP-address         :
Second-NBNS-IP-address          :
Acl-number                      :
Idle-data-attribute (time,flow) : 0, 60
User-priority                   :
User-access-limit               : 256
Online-number                   : 0
RADIUS-server-template          :
HWTACACS-server-template        : ht
-------------------------------------------------------------------

Configuration Files
#
hwtacacs-server template ht
 hwtacacs-server authentication 129.7.66.66 49
 hwtacacs-server authentication 129.7.66.67 49 secondary
 hwtacacs-server authorization 129.7.66.66 49
 hwtacacs-server authorization 129.7.66.67 49 secondary
 hwtacacs-server accounting 129.7.66.66 49
 hwtacacs-server accounting 129.7.66.67 49 secondary
 hwtacacs-server shared-key it-is-my-secret
#
aaa
 authentication-scheme default
 authentication-scheme l-h
  authentication-mode local hwtacacs
  authentication-super hwtacacs super
 #
 authorization-scheme default
 authorization-scheme hwtacacs
  authorization-mode hwtacacs
 #
 accounting-scheme default
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
  accounting realtime 3
 #
 domain default
 domain huawei
  authentication-scheme l-h
  authorization-scheme hwtacacs
  accounting-scheme hwtacacs
  hwtacacs-server ht
#
return


2 L2 Limit Configuration

About This Chapter

This chapter describes the MAC address learning limit and unknown traffic suppression, along with the configuration steps and typical examples.

2.1 Overview
This section describes the principles and concepts of L2 limit.

2.2 Configuring MAC Address Learning Limit
This section describes how to configure the MAC address learning limit.

2.3 Deleting Dynamic MAC Entries
This section describes how to delete dynamic MAC entries.

2.4 Configuring Unknown Traffic Suppression
This section describes how to configure unknown traffic suppression.

2.5 Configuration Examples
This section provides several configuration examples of L2 limit.


2.1 Overview
This section describes the principles and concepts of L2 limit.

2.1.1 Overview of L2 Limit
2.1.2 L2 Limit Features Supported by the NE80E/40E

2.1.1 Overview of L2 Limit


MAC Address Learning Limit
With the rapid development of the Ethernet, security plays an increasingly important role at the ingress of the Metropolitan Area Network (MAN). In the Ethernet MAN, a large number of individual users access the Internet through the Ethernet, which makes the network vulnerable to MAC-address-based attacks from hackers and viruses. Preventing these attacks has therefore become an urgent demand of carriers and enterprise users. MAC address learning is the basic feature of Layer 2 forwarding. It is automatic and easy to use, but it is vulnerable and difficult to regulate. Since MAC addresses are the basis of Layer 2 forwarding, limiting the number of MAC addresses that can be learnt restricts the number of access users and prevents new access users from flooding into the MAC address space of other users. In addition, the MAC address learning limit enables the system to discard attack packets at the ingress, preventing them from occupying the bandwidth.

Deletion of Dynamic MAC Entries


As the basis of Layer 2 forwarding, MAC address tables are a scarce resource that is vulnerable to attacks. Although MAC tables have a regular aging mechanism, various methods of deleting MAC entries are needed. With them, you can delete invalid MAC entries in time to release MAC resources, minimizing the effect on other services, and new MAC entries can be generated.

Unknown Traffic Suppression


On the Ethernet, on one hand, you have to manage user traffic and allocate bandwidth to users; on the other hand, you need to suppress unknown unicast, multicast and broadcast traffic to ensure the forwarding of unicast traffic and make proper use of the network bandwidth. In most network scenarios, the unicast traffic should be higher than the broadcast traffic. If the broadcast traffic is not restricted, a great amount of network bandwidth is consumed when a great deal of broadcast traffic flows through the network. The network performance is thus degraded, and communication may even be interrupted.

2.1.2 L2 Limit Features Supported by the NE80E/40E


MAC Address Learning Limit

For the NE80E/40E, you can set the MAC address learning limit on:
- VLAN
- Virtual Switch Instance (VSI)
- SI
- Inbound port
- Inbound port + VLAN
- Inbound sub-interface
- Inbound QinQ sub-interface

MAC address learning limit provides the following functions:
- Sets the maximum number of MAC addresses to be learnt.
- Discards or forwards the packets after the maximum number of learnt MAC addresses is reached.
- Sets the system to generate alarms on an interface or sub-interface to notify the network administrator when the maximum number of MAC addresses to be learnt is reached.
NOTE
- The NE80E/40E supports the configuration of MAC address learning limit on Ethernet sub-interfaces, GE sub-interfaces, Eth-Trunk sub-interfaces, Layer 2 GE interfaces, and Layer 2 Eth-Trunk interfaces.
- After the maximum number of MAC addresses is reached, the NE80E/40E generates alarms only for MAC addresses learnt from upstream devices, not from downstream devices. That is, an alarm is generated when the number of MAC addresses learnt on inbound ports, inbound ports in a VLAN, inbound sub-interfaces, or inbound QinQ sub-interfaces reaches the threshold. Alarms based on VLANs, VSIs, or SIs are not supported.
- The configured MAC address learning rate does not take effect on the NE80E/40E. That is, when the MAC address learning limit is configured, the rate parameter must be specified but has no effect; the device uses a fixed learning rate.
- The NE80E/40E can learn up to 16K MAC addresses of upstream devices. Each board supports the learning of up to 4K upstream MAC addresses.

Deletion of Dynamic MAC Entries


The NE80E/40E provides methods of deleting dynamic MAC entries. Network administrators can delete MAC entries through command lines. In addition, when an interface goes Down or a VLAN or a VSI is removed, the relevant MAC entries can be cleared at the same time. For the NE80E/40E, you can delete the dynamic MAC entries in batches on:
- VLAN
- VSI
- Port
- Port + VLAN
- Port + VSI

Unknown Traffic Suppression


For the NE80E/40E, you can suppress the unknown unicast, multicast, and broadcast traffic on:
- Port
- Port + VLAN
- Sub-interface
- QinQ sub-interface

The committed access rate (CAR) function is used to suppress unknown traffic. The system performs CAR actions on the traffic that exceeds the limit, without differentiating packet priorities.

2.2 Configuring MAC Address Learning Limit


This section describes how to configure MAC address learning limit.
2.2.1 Establishing the Configuration Task
2.2.2 Configuring the Rules of MAC Address Learning Limit Based on a VLAN
2.2.3 Configuring the Rules of MAC Address Learning Limit Based on a VSI
2.2.4 Configuring the Rules of MAC Address Learning Limit Based on an SI
2.2.5 Configuring the Rules of MAC Address Learning Limit Based on a Port
2.2.6 Configuring the Rules of MAC Address Learning Limit Based on a Port in a VLAN
2.2.7 Configuring the Rules of MAC Address Learning Limit Based on a Sub-interface
2.2.8 Configuring the Rules of MAC Address Learning Limit Based on a QinQ Sub-interface
2.2.9 Checking the Configuration

2.2.1 Establishing the Configuration Task


Applicable Environment
MAC address learning limit can be applied in network environments with a fixed set of access users and little security, such as community access or an intranet without security management. When the number of access users exceeds the limit, the MAC addresses of the new access users are discarded instead of being learnt. MAC address learning limit applies only to dynamic MAC address learning.

Pre-configuration Tasks
Before configuring MAC address learning limit, complete the following tasks:
- Configuring the physical parameters of the interfaces
- Keeping the physical layer status of the interface Up

Data Preparation
To configure MAC address learning limit, you need the following data.

No.  Data
1    Rules of MAC address learning limit

2.2.2 Configuring the Rules of MAC Address Learning Limit Based on a VLAN
Context

CAUTION
If there are learnt MAC addresses on a port, run the undo mac-address dynamic command in the system view to clear those addresses; otherwise, the number of learnt MAC addresses cannot be limited accurately. Do as follows on all the routers.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
vlan vlan-id

The VLAN view is displayed.

Step 3 Run:
mac-limit { action { discard | forward } | maximum max rate interval } *

The rules of MAC address learning limit based on the VLAN are set. When max is set to 0, it indicates that the MAC address learning is not restricted. discard indicates that the packets whose MAC address cannot be learnt are discarded when the MAC address learning limit is reached. forward indicates that the packets whose MAC address cannot be learnt are forwarded when the MAC address learning limit is reached. By default, the packets are discarded when their MAC addresses cannot be learnt.
NOTE

Before setting action, you must set maximum.

----End

2.2.3 Configuring the Rules of MAC Address Learning Limit Based on a VSI

Context

CAUTION
If there are learnt MAC addresses on a VSI, run the undo mac-address dynamic command in the system view to clear those addresses; otherwise, the number of learnt MAC addresses cannot be limited accurately. Do as follows on all the routers.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
vsi vsi-name [ auto | static ]

The VSI view is displayed.

Step 3 Run:
mac-limit { action { discard | forward } | maximum max rate interval } *

The rules of MAC address learning limit based on the VSI are set. When max is set to 0, it indicates that the MAC address learning is not restricted. discard indicates that the packets whose MAC address cannot be learnt are discarded when the MAC address learning limit is reached. forward indicates that the packets whose MAC address cannot be learnt are forwarded when the MAC address learning limit is reached. By default, the packets are discarded when their MAC addresses cannot be learnt.
NOTE

Before setting action, you must set maximum.

----End

2.2.4 Configuring the Rules of MAC Address Learning Limit Based on an SI


Context
Do as follows on all the routers.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
service-instance service-instance-name

The SI view is displayed.

Step 3 Run:
mac-limit { maximum max | action { discard | forward } } *

The rules of MAC address learning limit based on an SI are configured. When max is set to 0, it indicates that the MAC address learning is not restricted. discard indicates that the packets whose MAC address cannot be learnt are discarded when the MAC address learning limit is reached. forward indicates that the packets whose MAC address cannot be learnt are forwarded when the MAC address learning limit is reached.

----End

2.2.5 Configuring the Rules of MAC Address Learning Limit Based on a Port
Context
Do as follows on all the routers.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface { ethernet | gigabitethernet | eth-trunk } interface-number

The interface view is displayed.

Step 3 Run:
portswitch

The interface is switched to a Layer 2 port.

Step 4 Run:
mac-limit maximum max rate interval

The rules of MAC address learning limit based on the port are set. When max is set to 0, it indicates that the MAC address learning is not restricted.

Step 5 (Optional) Run:
mac-limit action { discard | forward }

The action, after the limit is reached, is configured. discard indicates that the packets whose MAC address cannot be learnt are discarded when the MAC address learning limit is reached. forward indicates that the packets whose MAC address cannot be learnt are forwarded when the MAC address learning limit is reached.

Step 6 (Optional) Run:
mac-limit alarm { enable | disable }


The alarm function, after the limit is reached, is disabled or enabled. By default, after the limit is exceeded, the packets are discarded and the alarm function is enabled.
NOTE
- Steps 4 to 6 can be performed through one command, that is, mac-limit { action { discard | forward } | alarm { disable | enable } | maximum max rate interval } *.
- Before setting action or alarm, you must set maximum.

----End

2.2.6 Configuring the Rules of MAC Address Learning Limit Based on a Port in a VLAN
Context
Do as follows on all the routers.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface { ethernet | gigabitethernet | eth-trunk } interface-number

The interface view is displayed.

Step 3 Run:
portswitch

The interface is switched to a Layer 2 port. The Ethernet or GE interface must be a switched port that is added to a VLAN or allows VLAN frames to pass through.

Step 4 Run:
mac-limit vlan vlan-id1 [ to vlan-id2 ] maximum max rate interval

The rules of MAC address learning limit based on the port in a VLAN are set. When max is set to 0, it indicates that the MAC address learning is not restricted. This command can be used to configure the rules of MAC address learning limit in batches; each VLAN corresponds to one MAC address learning limit rule. The following shows an example:
# Run the command in the port view.
<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] mac-limit vlan 1 to 4094 maximum 100 rate 100

After the command is run, 4094 rules of MAC address learning limit are configured.

Step 5 (Optional) Run:
mac-limit vlan vlan-id1 [ to vlan-id2 ] action { discard | forward }

The action, after the limit is reached, is configured. discard indicates that the packets whose MAC address cannot be learnt are discarded when the MAC address learning limit is reached. forward indicates that the packets whose MAC address cannot be learnt are forwarded when the MAC address learning limit is reached.

Step 6 (Optional) Run:
mac-limit vlan vlan-id1 [ to vlan-id2 ] alarm { disable | enable }

The alarm function, after the limit is reached, is disabled or enabled. By default, after the limit is exceeded, the packets are discarded and the alarm function is enabled.
NOTE
- Steps 4 to 6 can be performed through one command, that is, mac-limit { action { discard | forward } | alarm { disable | enable } | maximum max rate interval } *.
- Before setting action or alarm, you must set maximum.

----End

2.2.7 Configuring the Rules of MAC Address Learning Limit Based on a Sub-interface
Context
Do as follows on all the routers.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface { ethernet | gigabitethernet | eth-trunk } interface-number.subinterface-number

The sub-interface view is displayed. The sub-interface must be bound to a VSI; otherwise, the rules of MAC address learning limit cannot be set. If the sub-interface is already configured with a rule of MAC address learning limit, the rule is deleted when the VSI bound to the sub-interface is removed.

Step 3 Run:
mac-limit maximum max rate interval

The rules of MAC address learning limit based on the sub-interface are set. When max is set to 0, it indicates that the MAC address learning is not restricted.

Step 4 (Optional) Run:
mac-limit action { discard | forward }


The action, after the limit is reached, is configured. discard indicates that the packets whose MAC address cannot be learnt are discarded when the MAC address learning limit is reached. forward indicates that the packets whose MAC address cannot be learnt are forwarded when the MAC address learning limit is reached.

Step 5 (Optional) Run:
mac-limit alarm { enable | disable }

The alarm function, after the limit is reached, is disabled or enabled. By default, after the limit is exceeded, the packets are discarded and an alarm is generated.
NOTE
- Steps 3 to 5 can be performed through one command, that is, mac-limit { action { discard | forward } | alarm { disable | enable } | maximum max rate interval } *.
- Before setting action or alarm, you must set maximum.

----End

2.2.8 Configuring the Rules of MAC Address Learning Limit Based on a QinQ Sub-interface
Context
Do as follows on all the routers.
NOTE
This section describes only one of the procedures for configuring a QinQ interface. For the full procedure of configuring a QinQ sub-interface, refer to the Quidway NetEngine80E/40E Router Configuration Guide - LAN Access & MAN Access.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface { gigabitethernet | eth-trunk } interface-number

The Ethernet interface view is displayed.

Step 3 Run:
mode user-termination

The Ethernet interface is configured to run in user termination mode.

NOTE
This command can be run only on a main interface with no sub-interface configured.

Step 4 Run:
quit

Return to the system view.



Step 5 Run:
interface { ethernet | gigabitethernet | eth-trunk } interface-number.subinterface-number

The sub-interface view is displayed.

Step 6 Run:
control-vid vid qinq-termination [ local-switch | [ rt-protocol | flexible ] * ]

The unicast routing protocol is enabled on the sub-interface.

Step 7 Run:
qinq termination pe-vid pe-vid ce-vid low-ce-vid [ to high-ce-vid ]

The VLAN ID of the sub-interface for QinQ VLAN tag termination is set, and termination of packets with double tags is configured.

Step 8 Run:
mac-limit maximum max rate interval

The rules of MAC address learning limit based on the sub-interface are set. When max is set to 0, it indicates that the MAC address learning is not restricted.

Step 9 (Optional) Run:
mac-limit action { discard | forward }

The action, after the limit is reached, is configured. discard indicates that the packets whose MAC address cannot be learnt are discarded when the MAC address learning limit is reached. forward indicates that the packets whose MAC address cannot be learnt are forwarded when the MAC address learning limit is reached.

Step 10 (Optional) Run:
mac-limit alarm { enable | disable }

The alarm function, after the limit is reached, is disabled or enabled. By default, after the limit is exceeded, the packets are discarded and an alarm is generated.
NOTE
- Steps 8 to 10 can be performed through one command, that is, mac-limit { action { discard | forward } | alarm { disable | enable } | maximum max rate interval } *.
- Before setting action or alarm, you must set maximum.

----End

2.2.9 Checking the Configuration


Run the following commands to check the previous configuration.

Action: Display the rules of MAC address learning limit.
Command: display mac-limit [ vsi vsi-name | [ interface-type interface-number ] [ vlan vlan-id ] ]


Run the display mac-limit command. You can view the number of limit rules, the maximum number of MAC addresses to be learnt, the MAC address learning rate, the action taken, and whether an alarm is generated after the limit is reached. For example:
<Quidway> display mac-limit
MAC Limit is enabled
Total MAC Limit rule count : 2
PORT VLAN/VSI Maximum Rate(ms) Action Alarm
---------------------------------------------------------------------
GigabitEthernet1/0/0 10 0 discard enable
1 1000 100 forward enable
<Quidway> display mac-limit eth-trunk 6
Eth-Trunk6 MAC limit:
Maximum MAC count 32000, used count 5000 rate 10(ms)
Action: discard, Alarm: enable
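The per-object output above has a fixed shape, so it can be audited offline. The following Python helper is an added example, not part of this guide or Huawei's software: it parses that output and flags rules whose learning budget is nearly used up, whose maximum is 0, whose action is forward, or whose alarm is disabled. SAMPLE_OUTPUT is constructed (two blocks copied from this guide plus one made-up interface).

```python
"""Audit helper for the output format of 'display mac-limit <object>'.

Added example, not Huawei's code. It parses the per-object output shown in
this guide ('<name> MAC limit:' followed by 'Maximum MAC count ..., used
count ... rate ...(ms)' and 'Action: ..., Alarm: ...') and reports rules a
reviewer would check: learning budget nearly used up, maximum 0 (no limit),
action forward (frames from unlearnt sources are still forwarded once the
limit is reached) and alarm disabled. SAMPLE_OUTPUT is constructed: the first
two blocks are copied from the guide, the third is made up.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_OUTPUT = """\
<Quidway> display mac-limit eth-trunk 6
Eth-Trunk6 MAC limit:
Maximum MAC count 32000, used count 5000 rate 10(ms)
Action: discard, Alarm: enable
<Quidway> display mac-limit vlan 10
MAC limit:
Maximum MAC count 100, used count 0 rate 50(ms)
Action: discard, Alarm: enable
<Quidway> display mac-limit gigabitethernet 2/0/0
GigabitEthernet2/0/0 MAC limit:
Maximum MAC count 100, used count 97 rate 50(ms)
Action: forward, Alarm: disable
"""

HEADER_RE = re.compile(r"^(?P<name>.*?)\s*MAC limit:\s*$")
COUNT_RE = re.compile(
    r"Maximum MAC count (?P<max>\d+), used count (?P<used>\d+)\s+rate (?P<rate>\d+)\(ms\)")
ACTION_RE = re.compile(r"Action:\s*(?P<action>\w+),\s*Alarm:\s*(?P<alarm>\w+)")


@dataclass
class MacLimitRule:
    scope: str      # interface name, or the object named on the command line ('vlan 10')
    maximum: int    # configured maximum; 0 means learning is not restricted
    used: int       # addresses currently learnt
    rate_ms: int    # configured rate interval (fixed on the NE80E/40E, per the guide)
    action: str     # discard | forward
    alarm: str      # enable | disable

    @property
    def utilization(self) -> float:
        return 0.0 if self.maximum == 0 else self.used / self.maximum


def parse_mac_limit(text: str) -> list[MacLimitRule]:
    """Parse one or more 'display mac-limit <object>' outputs into rules."""
    rules: list[MacLimitRule] = []
    cmd_object = ""          # object named on the most recent command line
    scope = None
    counts: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("<") and "display mac-limit" in line:
            cmd_object = line.split("display mac-limit", 1)[1].strip()
            continue
        m = HEADER_RE.match(line)
        if m:
            # VLAN/VSI output has a bare 'MAC limit:' header: fall back to the command object
            scope, counts = (m.group("name") or cmd_object), {}
            continue
        m = COUNT_RE.search(line)
        if m and scope is not None:
            counts = dict(maximum=int(m["max"]), used=int(m["used"]), rate_ms=int(m["rate"]))
            continue
        m = ACTION_RE.search(line)
        if m and scope is not None and counts:
            rules.append(MacLimitRule(scope=scope, action=m["action"], alarm=m["alarm"], **counts))
            scope, counts = None, {}
    return rules


def audit(rules: list[MacLimitRule], high_water: float = 0.9) -> list[tuple[str, str]]:
    """Return (scope, finding) pairs for rules that deserve attention."""
    findings = []
    for r in rules:
        if r.maximum == 0:
            findings.append((r.scope, "maximum 0: MAC address learning is not restricted"))
            continue
        if r.utilization >= high_water:
            findings.append((r.scope, f"{r.used}/{r.maximum} addresses learnt ({r.utilization:.0%})"))
        if r.action == "forward":
            findings.append((r.scope, "action forward: frames from unlearnt sources still forwarded after the limit"))
        if r.alarm != "enable":
            findings.append((r.scope, "alarm disabled: reaching the limit will not be reported"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(parse_mac_limit(SAMPLE_OUTPUT)):
        print(f"{scope}: {finding}")
```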

2.3 Deleting Dynamic MAC Entries


This section describes how to delete dynamic MAC entries.
2.3.1 Establishing the Configuration Task
2.3.2 Deleting the Dynamic MAC Entries Based on a VLAN
2.3.3 Deleting the Dynamic MAC Entries Based on a VSI
2.3.4 Deleting the Dynamic MAC Entries Based on a Port
2.3.5 Deleting the Dynamic MAC Entries Based on a Port in a VLAN
2.3.6 Deleting the Dynamic MAC Entries Based on a Port in a VSI

2.3.1 Establishing the Configuration Task


Applicable Environment
After the network topology changes, the router's failure to learn new MAC addresses interrupts the forwarding of user traffic if the dynamic MAC entries are not refreshed in time. The router needs to provide various entry deletion methods to:
- Minimize the effect on normal services
- Promptly delete the invalid MAC entries
- Release MAC address resources
- Ensure the generation of new MAC entries

Pre-configuration Tasks
Before deleting dynamic MAC entries, complete the following tasks:
- Configuring the physical parameters of the interfaces
- Keeping the physical layer status of the interface Up

Data Preparation
None.

2.3.2 Deleting the Dynamic MAC Entries Based on a VLAN


Context
Do as follows on all the routers.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
undo mac-address dynamic vlan vlan-id

The dynamic MAC entries based on a VLAN are deleted.

----End

2.3.3 Deleting the Dynamic MAC Entries Based on a VSI


Context
Do as follows on all the routers.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
undo mac-address dynamic vsi vsi-name

The dynamic MAC entries based on a VSI are deleted.

----End

2.3.4 Deleting the Dynamic MAC Entries Based on a Port


Context
Do as follows on all the routers.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
undo mac-address dynamic { ethernet | gigabitethernet | eth-trunk } interface-number

The dynamic MAC entries based on a port are deleted.

----End

2.3.5 Deleting the Dynamic MAC Entries Based on a Port in a VLAN


Context
Do as follows on all the routers.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
undo mac-address dynamic { ethernet | gigabitethernet | eth-trunk } interface-number vlan vlan-id

The dynamic MAC entries based on a port in a VLAN are deleted.

----End

2.3.6 Deleting the Dynamic MAC Entries Based on a Port in a VSI


Context
Do as follows on all the routers.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
undo mac-address dynamic { ethernet | gigabitethernet | eth-trunk } interface-number vsi vsi-name

The dynamic MAC entries based on a port and the VSI are deleted.

----End

2.4 Configuring Unknown Traffic Suppression


This section describes how to configure unknown traffic suppression.
2.4.1 Establishing the Configuration Task
2.4.2 Configuring Unknown Traffic Suppression Based on a Port
2.4.3 Configuring Unknown Traffic Suppression Based on a Sub-interface
2.4.4 Configuring Unknown Traffic Suppression Based on a QinQ Sub-interface
2.4.5 Configuring Unknown Traffic Suppression Based on a Port in a VLAN

2.4.1 Establishing the Configuration Task


Applicable Environment
On the Ethernet, on one hand, you have to manage user traffic and allocate bandwidth to users; on the other hand, you need to suppress unknown unicast, multicast, and broadcast traffic to ensure unicast traffic forwarding and to use network bandwidth properly. In most networking scenarios, the unicast traffic is higher than the broadcast traffic. If the broadcast traffic is not suppressed, a great amount of network bandwidth is consumed when a great deal of broadcast traffic flows through the network. Network performance is thus degraded, and communication may even be interrupted.

Pre-configuration Tasks
Before configuring unknown traffic suppression, complete the following tasks:
- Configuring the physical parameters of the interfaces
- Keeping the physical layer status of the interface Up

Data Preparation
To configure unknown traffic suppression, you need the following data.

No.  Data
1    Threshold for suppressing unknown traffic
2    Committed information rate (CIR) of unknown traffic
3    Committed burst size (CBS) of unknown traffic
4    Direction in which CAR is applied: upstream or downstream

2.4.2 Configuring Unknown Traffic Suppression Based on a Port


Context
Do as follows on all the routers.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface { ethernet | gigabitethernet | eth-trunk } interface-number

The interface view is displayed.

Step 3 Run:
portswitch

The interface is switched to a Layer 2 port.

Step 4 Run:
unknown-unicast-suppression { limit-percent | value limit-value } { inbound | outbound }

Unknown unicast traffic suppression is configured on the port.

Step 5 Run:
multicast-suppression { limit-percent | value limit-value } { inbound | outbound }

Multicast traffic suppression is configured on the port.

Step 6 Run:
broadcast-suppression { limit-percent | value limit-value } { inbound | outbound }

Broadcast traffic suppression is configured on the port.

----End

2.4.3 Configuring Unknown Traffic Suppression Based on a Subinterface


Context
Do as follows on all the routers.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
vsi vsi-name { auto | static }

A VSI is created.

Step 3 Run:
quit

Return to the system view.



Step 4 Run:
interface { ethernet | gigabitethernet | eth-trunk } interface-number

The main interface view is displayed.

Step 5 Run:
mode user-termination

The interface mode is configured as user-termination mode. When using the command on a main interface, ensure that no sub-interfaces are configured for the main interface.

Step 6 Run:
quit

Return to the system view.

Step 7 Run:
interface { ethernet | gigabitethernet | eth-trunk } interface-number.subinterface-number

The sub-interface view is displayed.

Step 8 Run:
control-vid vid dot1q-termination [ rt-protocol ]

The relationship between the control VLAN and the termination sub-interface is specified.

Step 9 (Optional) Run:
vlan-group group-id

A user VLAN group is created.

Step 10 Run:
dot1q termination vid vid [ vlan-group group-id ]

The termination function is configured for the dot1q sub-interface.

Step 11 Run:
l2 binding vsi vsi-name

A VSI is bound to the sub-interface.

Step 12 Run:
unknown-unicast-suppression cir cir-value [ cbs cbs-value ] { inbound | outbound }

Unknown unicast traffic suppression is configured on the sub-interface.

Step 13 Run:
multicast-suppression cir cir-value [ cbs cbs-value ] { inbound | outbound }

Multicast traffic suppression is configured on the sub-interface.

Step 14 Run:
broadcast-suppression cir cir-value [ cbs cbs-value ] { inbound | outbound }

Broadcast traffic suppression is configured on the sub-interface.

----End



2.4.4 Configuring Unknown Traffic Suppression Based on a QinQ Sub-interface


Context
Do as follows on all the routers.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
vsi vsi-name { auto | static }

A VSI is created.

Step 3 Run:
quit

Return to the system view.

Step 4 Run:
interface { ethernet | gigabitethernet | eth-trunk } interface-number

The interface view is displayed.

Step 5 Run:
mode user-termination

The Ethernet interface is configured in user termination mode. When using the command on a main interface, ensure that no sub-interfaces are configured for the main interface.

Step 6 Run:
quit

Return to the system view.

Step 7 Run:
interface { ethernet | gigabitethernet | eth-trunk } interface-number.subinterface-number

The sub-interface view is displayed.

Step 8 Run:
control-vid vid qinq-termination [ local-switch | [ rt-protocol | flexible ] * ]

The relationship between the control VLAN and the termination sub-interface is specified.

Step 9 (Optional) Run:
vlan-group group-id

A user VLAN group is created.



Step 10 Run:
qinq termination pe-vid pe-vid ce-vid low-ce-vid [ to high-ce-vid ]

QinQ VLAN tag termination is configured on the sub-interface.

NOTE
For the configuration of the QinQ sub-interface, refer to the Quidway NetEngine80E/40E Router Configuration Guide - LAN and MAN Access.

Step 11 Run:
l2 binding vsi vsi-name

A VSI is bound to the sub-interface.

Step 12 Run:
unknown-unicast-suppression cir cir-value [ cbs cbs-value ] { inbound | outbound }

Unknown unicast traffic suppression is configured on the QinQ sub-interface.

Step 13 Run:
multicast-suppression cir cir-value [ cbs cbs-value ] { inbound | outbound }

Multicast traffic suppression is configured on the QinQ sub-interface.

Step 14 Run:
broadcast-suppression cir cir-value [ cbs cbs-value ] { inbound | outbound }

Broadcast traffic suppression is configured on the QinQ sub-interface.

----End

2.4.5 Configuring Unknown Traffic Suppression Based on a Port in a VLAN


Context
Do as follows on all the routers.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface { ethernet | gigabitethernet | eth-trunk } interface-number

The interface view is displayed.

Step 3 Run:
portswitch

The interface is switched to a Layer 2 port. The Ethernet or GE interface must be a switched port that is added to a VLAN or allows VLAN frames to pass through.

Step 4 Run:
unknown-unicast-suppression cir cir-value [ cbs cbs-value ] { inbound | outbound } { vlan { vlan-id1 [ to vlan-id2 ] } &<1-12> }

Unknown unicast traffic suppression is configured on the port in a VLAN.

Step 5 Run:
multicast-suppression cir cir-value [ cbs cbs-value ] { inbound | outbound } { vlan { vlan-id1 [ to vlan-id2 ] } &<1-12> }

Multicast traffic suppression is configured on the port in a VLAN.

Step 6 Run:
broadcast-suppression cir cir-value [ cbs cbs-value ] { inbound | outbound } { vlan { vlan-id1 [ to vlan-id2 ] } &<1-12> }

Broadcast traffic suppression is configured on the port in a VLAN.

----End
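The cir/cbs suppression configured in the procedures above is a CAR rate limit. The following token-bucket model is an added example, not Huawei's code or this guide's own content: it shows how a rule such as broadcast-suppression cir 38400 inbound vlan 10 treats a broadcast storm versus normal traffic, assuming a single-rate token bucket with cir in kbit/s and cbs in bytes, and using constructed frame streams.

```python
"""Token-bucket model of CAR-based unknown traffic suppression.

Added example, not Huawei's code. Assumptions: the device enforces a
single-rate token bucket per rule, cir is in kbit/s (the guide's example
uses 38400 kbit/s) and cbs is in bytes; the frame streams are constructed.
"""


class CarBucket:
    """Single-rate token bucket: a frame conforms if enough tokens (bytes) exist."""

    def __init__(self, cir_kbps: int, cbs_bytes: int):
        self.bytes_per_s = cir_kbps * 1000 / 8   # refill rate derived from cir
        self.cbs_bytes = cbs_bytes               # bucket depth = burst allowance
        self.tokens = float(cbs_bytes)           # bucket starts full
        self.last_t = 0.0

    def offer(self, t: float, length: int) -> bool:
        """Return True (forward) or False (discard) for a frame arriving at time t (s)."""
        self.tokens = min(self.cbs_bytes, self.tokens + (t - self.last_t) * self.bytes_per_s)
        self.last_t = t
        if length <= self.tokens:
            self.tokens -= length
            return True
        return False


def run_stream(cir_kbps: int, cbs_bytes: int, rate_mbps: float,
               frame_len: int = 1500, seconds: float = 1.0):
    """Offer a constant-rate stream of frames to a fresh bucket.

    Returns (forwarded, discarded) frame counts.
    """
    bucket = CarBucket(cir_kbps, cbs_bytes)
    frames_per_s = rate_mbps * 1_000_000 / 8 / frame_len
    gap = 1.0 / frames_per_s
    total = int(seconds * frames_per_s)
    forwarded = sum(bucket.offer(i * gap, frame_len) for i in range(total))
    return forwarded, total - forwarded


def forwarded_kbps(forwarded: int, frame_len: int = 1500, seconds: float = 1.0) -> float:
    """Rate actually let through, to compare against the configured cir."""
    return forwarded * frame_len * 8 / 1000 / seconds


if __name__ == "__main__":
    # Rule from the guide's example: cir 38400 kbit/s, cbs 38400 (as shown by display this).
    for label, mbps in (("normal broadcast, 1 Mbit/s", 1.0),
                        ("broadcast storm, 100 Mbit/s", 100.0)):
        fwd, drop = run_stream(38400, 38400, mbps)
        print(f"{label}: forwarded {fwd}, discarded {drop}, "
              f"~{forwarded_kbps(fwd):.0f} kbit/s passed")
```

Traffic below the CIR passes untouched; during the storm the bucket admits the CBS burst and then only about the CIR, so the excess is discarded as the guide describes.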

2.5 Configuration Examples


This section provides several configuration examples of L2 limit.
2.5.1 Example for Configuring MAC Address Learning Limit
2.5.2 Example for Configuring Unknown Traffic Suppression Based on a Port in a VLAN

2.5.1 Example for Configuring MAC Address Learning Limit


Networking Requirements
In Figure 2-1, GE 1/0/0 and GE 2/0/0 on the router belong to VLAN 10. PC1 and PC2 are connected to the router. To enhance the security, configure MAC address learning limit and enable the alarm function for VLAN 10.

Figure 2-1 Networking diagram for configuring MAC address learning limit
[Figure: RouterA with GE1/0/0 and GE2/0/0 in VLAN10, connecting PC1 and PC2]

Configuration Roadmap
The configuration roadmap is as follows:

1. Create a VLAN and add the ports to it.
2. Configure the limit rules.

Data Preparation
To complete the configuration, you need the following data:
- ID of the VLAN as 10
- Numbers of the ports as GE 1/0/0 and GE 2/0/0
- Maximum number of MAC addresses that can be learnt as 100

Configuration Procedure
1. Configure MAC address learning limit.
# Add GE 1/0/0 and GE 2/0/0 to VLAN 10.
<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] undo shutdown
[Quidway-GigabitEthernet1/0/0] portswitch
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] undo shutdown
[Quidway-GigabitEthernet2/0/0] portswitch
[Quidway-GigabitEthernet2/0/0] quit
[Quidway] vlan 10
[Quidway-vlan10] port gigabitethernet 1/0/0
[Quidway-vlan10] port gigabitethernet 2/0/0
[Quidway-vlan10] mac-limit maximum 100 rate 50 action discard alarm enable

2. Verify the configuration.
# Display whether the configuration takes effect.
<Quidway> display mac-limit
MAC Limit is enabled
Total MAC Limit rule count : 1
PORT VLAN/VSI Maximum Rate(ms) Action Alarm
-------------------------------------------------------------------------
10 100 50 discard enable

# Display the current status of the MAC address learning.
<Quidway> display mac-limit vlan 10
MAC limit:
Maximum MAC count 100, used count 0 rate 50(ms)
Action: discard, Alarm: enable

Configuration Files
#
 sysname Quidway
#
vlan 10
#
vlan 10
 mac-limit maximum 100 rate 50
#
interface GigabitEthernet1/0/0
 undo shutdown
 portswitch
 port default vlan 10
#
interface GigabitEthernet2/0/0
 undo shutdown
 portswitch
 port default vlan 10
#
return

2.5.2 Example for Configuring Unknown Traffic Suppression Based on a Port in a VLAN
Networking Requirements
As shown in Figure 2-2, GE 1/0/0 and GE 2/0/0 of the router belong to VLAN 10. PC1 and PC2 are connected to the router. To enhance the security, suppress unknown broadcast traffic on GE 1/0/0 and multicast traffic and broadcast traffic on GE 2/0/0.

Figure 2-2 Networking diagram for configuring unknown traffic suppression
[Figure: Router with GE1/0/0 and GE2/0/0 in VLAN10, connecting PC1 and PC2]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add the ports to it.
2. Configure the suppression rules.

Data Preparation
To complete the configuration, you need the following data:
- ID of the VLAN: 10
- Numbers of the ports: GE 1/0/0 and GE 2/0/0
- CIRs of the unknown traffic

Configuration Procedure
1. Configure unknown traffic suppression based on a port in a VLAN.

# Add GE 1/0/0 and GE 2/0/0 to VLAN 10.

<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] undo shutdown
[Quidway-GigabitEthernet1/0/0] portswitch
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] undo shutdown
[Quidway-GigabitEthernet2/0/0] portswitch
[Quidway-GigabitEthernet2/0/0] quit
[Quidway] vlan 10
[Quidway-vlan10] port gigabitethernet 1/0/0
[Quidway-vlan10] port gigabitethernet 2/0/0


# Configure unknown unicast traffic suppression on GE 1/0/0 and set the CIR to 38400 kbit/s. If the rate of unknown unicast packets does not exceed the CIR, the packets are forwarded normally; otherwise, the excess packets are discarded.

[Quidway] interface gigabitEthernet 1/0/0
[Quidway-GigabitEthernet1/0/0] unknown-unicast-suppression cir 38400 inbound vlan 10
[Quidway-GigabitEthernet1/0/0] quit

# Configure multicast and broadcast traffic suppression on GE 2/0/0.

[Quidway] interface gigabitEthernet 2/0/0
[Quidway-GigabitEthernet2/0/0] multicast-suppression cir 38400 inbound vlan 10
[Quidway-GigabitEthernet2/0/0] broadcast-suppression cir 38400 inbound vlan 10

2. Verify the configuration.

Run the display this command in the interface view to view the configuration. For example, the configuration on GE 1/0/0 is displayed as follows:

[Quidway-GigabitEthernet1/0/0] display this
#
interface GigabitEthernet1/0/0
 portswitch
 unknown-unicast-suppression cir 38400 cbs 38400 inbound vlan 10
 port default vlan 10
#

Configuration Files
#
 sysname Quidway
#
vlan batch 10
#
interface GigabitEthernet1/0/0
 undo shutdown
 portswitch
 port default vlan 10
 unknown-unicast-suppression cir 38400 cbs 38400 inbound vlan 10
#
interface GigabitEthernet2/0/0
 undo shutdown
 portswitch
 port default vlan 10
 broadcast-suppression cir 38400 cbs 38400 inbound vlan 10
 multicast-suppression cir 38400 cbs 38400 inbound vlan 10
#
return
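The following model, added here as an illustration and not taken from the NE80E/40E software, shows what the suppression rules above do to a burst of frames. It classifies each frame by destination MAC (broadcast, multicast, unknown unicast or known unicast) and meters the suppressed classes with a single-rate token bucket. It assumes that cir is expressed in kbit/s and cbs in bytes, as in the 'unknown-unicast-suppression cir 38400 cbs 38400' line of the configuration file; the MAC addresses and the 100-frame bursts are constructed test input.

```python
"""Token-bucket model of per-port unknown-traffic suppression (added example, not NE80E/40E code).

Assumes cir in kbit/s and cbs in bytes, matching 'unknown-unicast-suppression cir 38400 cbs 38400'.
"""
from dataclasses import dataclass, field

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class TokenBucket:
    """Single-rate token bucket: CIR refills the bucket, CBS caps the burst."""
    cir_kbps: int
    cbs_bytes: int
    tokens: float = field(init=False)
    last_refill: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = float(self.cbs_bytes)      # the bucket starts full

    def conform(self, size_bytes: int, now: float) -> bool:
        # CIR in kbit/s -> bytes per second is cir * 1000 / 8 = cir * 125
        elapsed = max(0.0, now - self.last_refill)
        self.tokens = min(float(self.cbs_bytes), self.tokens + elapsed * self.cir_kbps * 125.0)
        self.last_refill = now
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return True                          # within CIR/CBS: forwarded normally
        return False                             # exceeds CIR/CBS: discarded


def classify(dst_mac: str, mac_table: set) -> str:
    """Traffic class of a frame as the suppression rules see it."""
    dst = dst_mac.lower()
    if dst == BROADCAST_MAC:
        return "broadcast"
    if int(dst.split(":")[0], 16) & 0x01:        # I/G bit set: group (multicast) address
        return "multicast"
    return "known-unicast" if dst in mac_table else "unknown-unicast"


class SuppressedPort:
    """A Layer 2 port with per-VLAN suppression rules keyed by traffic class."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.rules = {}                          # (vlan, class) -> TokenBucket

    def suppress(self, vlan: int, cls: str, cir_kbps: int, cbs_bytes: int) -> None:
        self.rules[(vlan, cls)] = TokenBucket(cir_kbps, cbs_bytes)

    def accept(self, vlan: int, dst_mac: str, size: int, now: float, mac_table: set) -> bool:
        bucket = self.rules.get((vlan, classify(dst_mac, mac_table)))
        return True if bucket is None else bucket.conform(size, now)


def simulate() -> dict:
    """Replay constructed 100-frame bursts of 1500-byte frames against the example's rules."""
    mac_table = {"00:11:22:33:44:55"}            # constructed: only PC1's MAC has been learned
    ge1 = SuppressedPort("GigabitEthernet1/0/0")
    ge1.suppress(10, "unknown-unicast", 38400, 38400)
    ge2 = SuppressedPort("GigabitEthernet2/0/0")
    ge2.suppress(10, "multicast", 38400, 38400)
    ge2.suppress(10, "broadcast", 38400, 38400)

    results = {}

    def burst(port, dst_mac, label, now=0.0, count=100, size=1500):
        passed = sum(port.accept(10, dst_mac, size, now, mac_table) for _ in range(count))
        results[label] = (passed, count - passed)

    burst(ge1, "00:aa:bb:cc:dd:ee", "ge1 unknown-unicast")      # a 38400-byte CBS admits 25 frames
    burst(ge1, BROADCAST_MAC, "ge1 broadcast")                  # no broadcast rule on GE1: all forwarded
    burst(ge2, BROADCAST_MAC, "ge2 broadcast")
    burst(ge2, "01:00:5e:00:00:01", "ge2 multicast")
    burst(ge2, "00:11:22:33:44:55", "ge2 known-unicast")        # known unicast is never suppressed
    burst(ge2, BROADCAST_MAC, "ge2 broadcast after 1 s", now=1.0)   # refilled, capped at CBS: 25 again
    return results
```

The burst figures make the CBS visible: 38400 bytes admit 25 frames of 1500 bytes immediately, and one second later the bucket has been refilled but is capped at CBS, so the same 25 frames pass again rather than the 4.8 MB that the CIR alone would allow. Known unicast frames on GE 2/0/0 are never metered because suppression applies only to the classes named in the rule.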


3 ARP Security Configuration

About This Chapter

This chapter describes the types of ARP security that the NE80E/40E supports, the configuration and applications of ARP security, and typical examples.

3.1 Overview
This section describes the principles and concepts of ARP security features.
3.2 Preventing Attacks on ARP Entries
This section describes how to prevent attacks on ARP entries.
3.3 Preventing Scanning Attacks
This section describes how to prevent scanning attacks.
3.4 Configuring ARP Bidirectional Isolation, Filter ARP Packets and ARP VLAN CAR
This section describes how to configure ARP bidirectional isolation, ARP packet filtering and ARP VLAN CAR.
3.5 Maintaining
This section describes how to display and clear statistics about ARP packets and how to debug ARP packets.
3.6 Configuration Examples
This section provides several configuration examples of ARP security features.

3.1 Overview
This section describes the principles and concepts of ARP security features.
3.1.1 Introduction to ARP Security
3.1.2 ARP Security Supported by the NE80E/40E

3.1.1 Introduction to ARP Security


In current carrier networks, Ethernet is commonly used for access. The Address Resolution Protocol (ARP), which runs as an open protocol on Ethernet, gives malicious attackers an opening because of its simplicity, openness, and lack of security measures.

ARP attacks come in several types and modes. They may target a host or a gateway, may be carried out through address spoofing or through flooding (so-called violent) attacks, and may originate from viruses or illegitimate software. Flooding attacks exhaust a router's resources in either space or time:
- Space-based attacks exploit the finite ARP buffer of a router. The attacker sends a large number of illegitimate ARP request and response messages to the router. As a result, the ARP buffer overflows and normal ARP entries cannot be buffered, interrupting normal forwarding.
- Time-based attacks exploit the finite processing capability of a router. The attacker sends a large number of simulated ARP requests, responses, or other packets that trigger the router to perform ARP processing. As a result, the computing resources of the router are occupied with ARP processing for a long period and other services cannot be processed, interrupting normal forwarding.

Address spoofing attacks include:
- Netcut: sends unicast ARP requests to a gateway and updates the ARP buffer of the gateway with an incorrect MAC address for a host, thereby attacking the host.
- NetRobocop: sends incorrect unicast ARP responses to a host to give the host an incorrect gateway address. The gateway can hardly detect these unicast ARP responses.

ARP security, a feature based on ARP, can prevent ARP-oriented attacks and ARP-based network scanning attacks through the following measures:
- Filtering out untrusted ARP packets
- Performing timestamp suppression on some ARP packets
- Filtering out illegal ARP packets
- Performing dynamic Committed Access Rate (CAR) on the packets sent to the CPU

3.1.2 ARP Security Supported by the NE80E/40E


Currently, the NE80E/40E provides the following functions to defend against ARP attacks:

Interface-based ARP Entry Restriction


Limiting the number of ARP entries that an interface can learn effectively avoids ARP buffer overflow and restricts the range affected by an attack on the interface. In this manner, the security of ARP entries is ensured. You can limit the number of ARP entries that an interface can learn through the following operations:
- Configuring strict ARP entry learning in the system view or the interface view
- Configuring a speed limit for ARP packets on the interface
- Setting the maximum number of ARP entries that the interface can learn

The NE80E/40E supports:
- Layer 3 Ethernet interfaces and their sub-interfaces
- Eth-Trunk interfaces and their sub-interfaces
- Limiting ARP entries based on the VE interface in a VLAN

Timestamp-based Scanning-Proof
The timestamp-based scanning-proof function identifies a scanning attack in time and suppresses the processing of the requests generated by the scan, regardless of whether it is an ARP scanning attack or an IP scanning attack. In this way, the CPU is protected from the attack. The NE80E/40E supports timestamp suppression of ARP packets based on the destination IP address: ARP packets are discarded once they exceed the configured threshold within a certain period.

Preventing Network Scanning Attacks


A large number of network scanning packets generates a large number of ARP Miss messages, and most of the router's resources are then spent processing them. Because this affects the processing of other services, it is called a scanning attack. To prevent network scanning attacks, the number of ARP Miss messages must therefore be reduced. The NE80E/40E limits the rate of ARP Miss messages by performing timestamp suppression based on the source IP address, and in addition keeps logs and generates alarms to defend against network scanning attacks.

ARP Bidirectional Isolation


The device cannot differentiate normal packets from attack packets when ARP request packets carry valid IP addresses. ARP attack traffic consists of roughly 50% ARP request packets and 50% ARP response packets, so a defense against floods of ARP packets must address both ARP request packets and ARP response packets:
- The device responds statelessly to ARP request packets. That is, the device generates neither ARP entries nor any related state after replying to an ARP request packet. Because ARP request packets are not sent to the CPU for processing, the ARP table of the gateway is protected against address spoofing attacks carried by ARP request packets.
- The device processes only the ARP response packets that answer ARP request packets sent by its own CPU. ARP response packets that do not answer a request sent by the CPU are discarded. Normal ARP request packets can thus be processed promptly.

ARP VLAN CAR


ARP VLAN CAR, mainly used on specified interfaces in a VLAN, ensures that VLANs are isolated when attacks occur, so that only the attacked VLAN is affected. This significantly reduces the impact on the device and on services.

ARP VLAN CAR processes the packets sent to the CPU as follows. The device implements two levels of CAR for packets destined for the CPU. Level-one CAR is applied to packets before they are sent to the CPU; ARP VLAN CAR is the level-two CAR and can be set by users.
- If the rate of ARP packets exceeds the level-one CAR, the ARP packets exceeding the configured threshold are discarded. The device then compares the rate of the ARP packets that pass level-one CAR with the level-two CAR; if that rate exceeds the configured threshold, these ARP packets are limited.
- If the rate of ARP packets does not exceed the level-one threshold, all ARP packets are sent to the CPU.

When implementing level-two CAR, the system checks the rate of received packets every five seconds. If the rate is found to be below 75% of the configured threshold in four consecutive checks, the system releases the CAR resources.

ARP Packets Filtering


The NE80E/40E filters out the following ARP packets:
- Invalid ARP packets
- Gratuitous ARP packets
- ARP request packets whose destination MAC address is not null

Invalid ARP packets are as follows:
- ARP request packets whose destination MAC address is a unicast address
- ARP request packets whose source MAC address is not a unicast address
- ARP response packets whose destination MAC address is not a unicast address

3.2 Preventing Attacks on ARP Entries


This section describes how to prevent attacks on ARP entries.
3.2.1 Establishing the Configuration Task
3.2.2 Configuring Global Strict ARP Entry Learning
3.2.3 Configuring Strict ARP Entry Learning on Interfaces
3.2.4 Checking the Destination IP Addresses of ARP Packets
3.2.5 Configuring Speed Limit for ARP Packets
3.2.6 Configuring Interface-based ARP Entry Restriction
3.2.7 Enabling Alarm Functions for Potential Attack Behaviors
3.2.8 Checking the Configuration

3.2.1 Establishing the Configuration Task


Applicable Environment
In an Ethernet Metropolitan Area Network (MAN), ARP entries are easily attacked, so ARP security features need to be configured at the access layer or convergence layer to ensure network security.

NOTE
To prevent attacks on ARP entries, you can configure strict ARP entry learning, a speed limit for ARP packets, and interface-based ARP entry restriction separately or in combination. In addition, you can enable logging and alarm generation for potential attack behaviors to give early warnings and record attack events.
Configuring strict ARP entry learning is not recommended, because its restrictions on ARP packets are so strict that some useful ARP entries cannot be learned. To obtain a similar function, deploy ARP bidirectional isolation instead.

Pre-configuration Task
Before preventing attacks on ARP entries, complete the following task:
- Configuring the link layer parameters and the IP address of the interface so that the link layer status of the interface is Up

Data Preparation
To prevent attacks on ARP entries, you need the following data.

No.   Data
1     Timestamp suppression rate

3.2.2 Configuring Global Strict ARP Entry Learning


Context
Do as follows on the router that needs to be configured with ARP security features:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
arp learning strict

Global strict ARP entry learning is configured. By default, strict ARP learning is disabled. After the arp learning strict command is run, the router learns only the reply packets for ARP request packets that it sent itself.

----End

3.2.3 Configuring Strict ARP Entry Learning on Interfaces


Context
Strict ARP entry learning uses the following precedence rules (the more specific configuration wins):
- If strict ARP entry learning is configured both on the interface and globally, the configuration on the interface takes precedence.
- If strict ARP entry learning is not configured on the interface, the global strict ARP entry learning setting applies.

Do as follows on the router whose ARP entries are to be prevented from being attacked:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed. The NE80E/40E supports strict ARP entry learning on the following interfaces:
- Ethernet interfaces and their sub-interfaces
- Eth-Trunk interfaces and their sub-interfaces
- VLANIF interfaces

Step 3 Run:
arp learning strict { force-enable | force-disable | trust }

Strict ARP entry learning is configured on the interface.

NOTE
- If the keyword force-enable is selected, the interface learns only the reply packets for ARP request packets that the router sent itself.
- If the keyword force-disable is selected, strict ARP entry learning is disabled on the interface.
- If the keyword trust is selected, the interface has no setting of its own and follows the global strict ARP entry learning setting.

----End

3.2.4 Checking the Destination IP Addresses of ARP Packets


Context
Do as follows on the router whose ARP entries are to be prevented from being attacked:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed. The NE80E/40E supports checking the destination IP address of ARP packets on the following interfaces:
- Ethernet interfaces
- GE interfaces
- Eth-Trunk interfaces and their sub-interfaces

Step 3 Run:
arp check-destination-ip enable

Checking of the destination IP address of ARP packets is enabled. The arp check-destination-ip enable command protects the CPU. After the command is run, the system checks whether the destination IP address of each ARP packet received on the interface is correct. Packets with a correct destination IP address are sent to the CPU; other packets are discarded.

----End

3.2.5 Configuring Speed Limit for ARP Packets


Context
Do as follows on the router that needs to be configured with ARP security features:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
arp speed-limit destination-ip maximum maximum slot slot-id

The speed limit for ARP packets is configured.

----End

3.2.6 Configuring Interface-based ARP Entry Restriction


Context
Do as follows on the router that needs to be configured with ARP security features:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed. The following interfaces are supported:
- Layer 3 Ethernet interfaces and sub-interfaces
- Layer 3 GE interfaces and sub-interfaces
- Layer 3 Eth-Trunk interfaces and sub-interfaces
- Layer 3 virtual Ethernet interfaces
- Ethernet sub-interfaces, GE sub-interfaces, and Eth-Trunk sub-interfaces that are configured as QinQ sub-interfaces
- Layer 2 Ethernet ports
- Layer 2 GE ports
- Layer 2 Eth-Trunk ports
- Layer 2 virtual Ethernet ports
- VLANIF interfaces
NOTE
A Layer 2 interface is an interface that has been switched to Layer 2 mode with the portswitch command.

Step 3 Run:
arp-limit [ vlan vlan-id [ to vlan-id2 ] ] maximum maximum

Interface-based ARP entry restriction is configured. vlan-id can be configured in the view of a Layer 2 interface or a QinQ sub-interface. If you configure vlan-id in the QinQ sub-interface view, vlan-id specifies the outer VLAN ID of the QinQ sub-interface.

NOTE
Ethernet interfaces, GE interfaces, virtual Ethernet interfaces, and Eth-Trunk interfaces can be Layer 3 interfaces or Layer 2 ports. If they function as Layer 3 interfaces, you cannot configure vlan-id for them; if they function as Layer 2 ports, you must configure vlan-id for them.
Ethernet sub-interfaces, GE sub-interfaces, and Eth-Trunk sub-interfaces can be common sub-interfaces or QinQ sub-interfaces. If they function as common sub-interfaces, you cannot configure vlan-id for them; if they function as QinQ sub-interfaces, you must configure vlan-id for them, and vlan-id specifies the outer VLAN ID of the QinQ sub-interface.
If ARP entry restriction has already been configured on a sub-interface, that restriction is removed when you configure the sub-interface as a QinQ sub-interface. Likewise, if ARP entry restriction has already been configured on a QinQ sub-interface, that restriction is removed when you remove the QinQ configuration from the sub-interface.

If, at the time of configuration, the number of ARP entries already learned exceeds the maximum being configured, the existing entries are kept but no new ARP entries are learned.

----End

3.2.7 Enabling Alarm Functions for Potential Attack Behaviors


Context
Do as follows on the router that needs to be configured with ARP attack defense:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
arp anti-attack log-trap-timer time

Alarm generation and logging for potential attack behaviors are configured.

----End

3.2.8 Checking the Configuration


Run the following commands to check the previous configuration.

Action                                                 Command
Check the limited speed of ARP packets.                display arp speed-limit destination-ip [ slot slot-id ]
Check the limited number of ARP entries on the         display arp-limit [ interface interface-type interface-number ] [ vlan vlan-id ]
interface.

Run the display arp speed-limit destination-ip [ slot slot-id ] command, and you can check the timestamp suppression rate configured for ARP packets. For example:

<Quidway> display arp speed-limit destination-ip slot 3
Slot    SuppressType    SuppressValue
--------------------------------------------------
3       ARP             500

Run the display arp-limit [ interface interface-type interface-number ] [ vlan vlan-id ] command, and you can check the limited number of ARP entries configured on the interface. For example:

<Quidway> display arp-limit
interface                 LimitNum   VlanID   LearnedNum(Mainboard)
---------------------------------------------------------------------------
Eth-Trunk0                100        124      0
Eth-Trunk0                100        125      0
GigabitEthernet2/0/1      16384      0        0
GigabitEthernet4/0/1      100        0        0
GigabitEthernet4/0/2      16384      124      0
---------------------------------------------------------------------------

3.3 Preventing Scanning Attacks


This section describes how to prevent scanning attacks.
3.3.1 Establishing the Configuration Task
3.3.2 Configuring Speed Limit for ARP Miss Packets
3.3.3 Enabling Alarm Functions for Potential Attack Behaviors
3.3.4 Checking the Configuration

3.3.1 Establishing the Configuration Task


Applicable Environment
In an Ethernet MAN, scanning attacks may occur. So, ARP security features need to be configured on the access layer or convergence layer to restrict ARP Miss packets and hence to ensure network security.

Pre-configuration Task
None.

Data Preparation
To prevent scanning attacks, you need the following data:

No.   Data
1     Limited speed of ARP Miss packets

3.3.2 Configuring Speed Limit for ARP Miss Packets


Context
Do as follows on the router that needs to be configured with scanning attack defense:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
arp-miss speed-limit source-ip maximum maximum slot slot-id

The speed of ARP Miss packets is limited.

----End

3.3.3 Enabling Alarm Functions for Potential Attack Behaviors


Context
Do as follows on the router that needs to be configured with scanning attack defense:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
arp anti-attack log-trap-timer time

Alarm generation and logging for potential attack behaviors are configured.

----End
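The model below, added here as an illustration and not taken from the NE80E/40E software, shows the timestamp suppression of sections 3.2.5 and 3.3.2 together with the alarm timer of 3.2.7 and 3.3.3: ARP packets are counted per destination IP address (arp speed-limit destination-ip) and ARP Miss messages per source IP address (arp-miss speed-limit source-ip), and anything over the configured maximum inside the window is discarded. It assumes a one-second suppression window (the page only says "a certain period") and reads log-trap-timer as the minimum interval between repeated alarms for the same event type; the addresses, thresholds and timings are constructed.

```python
"""Timestamp suppression keyed by IP address with throttled attack alarms
(added example, not NE80E/40E code). The one-second window and the meaning of
log-trap-timer are assumptions; addresses and timings are constructed."""
from collections import Counter


class KeyedSuppressor:
    """Admit at most `maximum` events per key within each one-second window."""

    def __init__(self, maximum: int) -> None:
        self.maximum = maximum
        self.seen = {}                     # key -> (window, admitted count)

    def allow(self, key: str, now: float) -> bool:
        window = int(now)
        last_window, count = self.seen.get(key, (window, 0))
        if last_window != window:
            count = 0                      # new window: start counting again
        if count >= self.maximum:
            self.seen[key] = (window, count)
            return False                   # threshold exceeded: discard
        self.seen[key] = (window, count + 1)
        return True


class AttackAlarm:
    """Log/trap generator rate-limited by arp anti-attack log-trap-timer."""

    def __init__(self, timer: float) -> None:
        self.timer = timer
        self.last = {}                     # event type -> time of the last alarm
        self.log = []                      # (time, event type, offending key)

    def report(self, kind: str, key: str, now: float) -> bool:
        if kind in self.last and now - self.last[kind] < self.timer:
            return False                   # same event type within the timer: no new alarm
        self.last[kind] = now
        self.log.append((now, kind, key))
        return True


def scenario() -> dict:
    arp_limit = KeyedSuppressor(maximum=500)     # arp speed-limit destination-ip maximum 500
    miss_limit = KeyedSuppressor(maximum=50)     # arp-miss speed-limit source-ip maximum 50
    alarm = AttackAlarm(timer=60.0)              # arp anti-attack log-trap-timer 60
    stats = Counter()

    def run(limiter, kind, key, label, times):
        for t in times:
            if limiter.allow(key, t):
                stats[label + " passed"] += 1
            else:
                stats[label + " dropped"] += 1
                alarm.report(kind, key, t)

    # a scanner at 10.0.0.99 triggers ARP Miss for 254 addresses within one second
    run(miss_limit, "arp-miss", "10.0.0.99", "scanner", [i / 1000 for i in range(1, 255)])
    # a normal host at 10.0.0.5 triggers three ARP Misses in the same second: unaffected
    run(miss_limit, "arp-miss", "10.0.0.5", "host", [0.5, 0.6, 0.7])
    # 600 ARP packets aimed at the gateway address 10.0.0.1 within one second
    run(arp_limit, "arp", "10.0.0.1", "gateway-arp", [0.3 + i / 1000 for i in range(600)])
    # the scanner comes back 70 seconds later: suppressed again, and a fresh alarm is raised
    run(miss_limit, "arp-miss", "10.0.0.99", "scanner-later", [70.0 + i / 1000 for i in range(60)])
    return {"stats": dict(stats), "alarms": alarm.log}
```

Keying the ARP Miss limiter by source address is what makes the scan visible as a single offender while the host at 10.0.0.5 is untouched, and the alarm timer keeps the 204 discards of one scan from producing 204 log entries.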

3.3.4 Checking the Configuration


Run the following commands to check the previous configuration.

Action                                            Command
Check the limited speed of ARP Miss packets.      display arp-miss speed-limit source-ip [ slot slot-id ]

Run the display arp-miss speed-limit source-ip [ slot slot-id ] command, and you can check the timestamp suppression rate configured for ARP Miss packets. For example:

<Quidway> display arp-miss speed-limit source-ip slot 3
Slot    Supp-type    Source-ip
--------------------------------------------------
3       ARP-miss     500

3.4 Configuring ARP Bidirectional Isolation, Filter ARP Packets and ARP VLAN CAR
This section describes how to configure ARP bidirectional isolation, ARP packet filtering and ARP VLAN CAR.
3.4.1 Establishing the Configuration Task
3.4.2 Enabling ARP Bidirectional Isolation
3.4.3 Filtering ARP Packets
3.4.4 Configuring ARP VLAN CAR
3.4.5 Checking the Configuration

3.4.1 Establishing the Configuration Task


Applicable Environment
Configure ARP bidirectional isolation, ARP packet filtering and ARP VLAN CAR in the following situations:
- When many sub-interfaces are configured on a router, a large number of ARP request packets tend to arrive in bursts.
- A large number of abnormal or normal ARP request packets are received by a router.
- The same ARP request packet is sent repeatedly.

Pre-configuration Task
Before configuring ARP bidirectional isolation, ARP packet filtering and ARP VLAN CAR, complete the following task:
- Configuring the link layer parameters and the IP address of the interface so that the link layer status of the interface is Up

Data Preparation
To configure ARP bidirectional isolation, ARP packet filtering and ARP VLAN CAR, you need the following data.

No.   Data
1     Types of the ARP packets to be filtered out
2     Receiving rate for the permitted ARP packets

3.4.2 Enabling ARP Bidirectional Isolation


Context
Do as follows on the router on which ARP bidirectional isolation is configured.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number [ .sub-interface-number ]

The interface view is displayed. You can configure ARP bidirectional isolation on the following interfaces:
- Ethernet interfaces and their sub-interfaces
- Eth-Trunk interfaces and their sub-interfaces
- VLANIF interfaces

Step 3 Run:
arp-safeguard enable

ARP bidirectional isolation is enabled. By default, ARP bidirectional isolation is not enabled.

----End
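The following model, added here as an illustration and not taken from the NE80E/40E software, puts the three table protections side by side on one gateway: strict ARP entry learning with its global/interface precedence (3.2.2 and 3.2.3), the per-interface entry limit of arp-limit maximum (3.2.6), and ARP bidirectional isolation (arp-safeguard enable, this section). It replays a NetRobocop-style unsolicited reply and a Netcut-style unicast request against one interface that has strict learning forced off and one that has bidirectional isolation. The interface names, addresses and the one-second reply timeout are constructed assumptions.

```python
"""Gateway ARP table with strict learning, per-interface entry limits and bidirectional
isolation (added example, not NE80E/40E code). Names, addresses and the request timeout
are constructed assumptions."""
from collections import Counter

ARP_REQUEST, ARP_REPLY = 1, 2


class GatewayArp:
    def __init__(self, own_ip: str, request_timeout: float = 1.0) -> None:
        self.own_ip = own_ip
        self.timeout = request_timeout
        self.cache = {}               # ip -> (mac, interface)
        self.pending = {}             # ip the CPU asked for -> deadline for the reply
        self.global_strict = False    # arp learning strict (system view)
        self.if_strict = {}           # interface -> force-enable | force-disable | trust
        self.limits = {}              # interface -> arp-limit maximum
        self.safeguard = set()        # interfaces with arp-safeguard enable
        self.stats = Counter()

    def strict_enabled(self, ifname: str) -> bool:
        """The interface setting wins; 'trust' (the default) follows the global setting."""
        mode = self.if_strict.get(ifname, "trust")
        return self.global_strict if mode == "trust" else mode == "force-enable"

    def send_request(self, ip: str, now: float) -> None:
        """Record that the CPU itself solicited a reply for ip."""
        self.pending[ip] = now + self.timeout

    def _learn(self, ifname: str, ip: str, mac: str) -> bool:
        if ip not in self.cache:
            limit = self.limits.get(ifname)
            used = sum(1 for _, i in self.cache.values() if i == ifname)
            if limit is not None and used >= limit:
                self.stats["discard-for-limit"] += 1    # existing entries stay, nothing new is learned
                return False
        self.cache[ip] = (mac, ifname)
        return True

    def receive(self, ifname: str, op: int, sha: str, spa: str, tpa: str, now: float) -> str:
        if op == ARP_REQUEST and tpa == self.own_ip:
            if ifname in self.safeguard:
                self.stats["stateless-reply"] += 1
                return "replied"                          # answered without touching the table
            return "replied+learned" if self._learn(ifname, spa, sha) else "replied+limit"
        if op == ARP_REPLY and tpa == self.own_ip:
            solicited = spa in self.pending and self.pending[spa] >= now
            if not solicited and (self.strict_enabled(ifname) or ifname in self.safeguard):
                self.stats["discard-unsolicited"] += 1
                return "dropped-unsolicited"
            self.pending.pop(spa, None)
            return "learned" if self._learn(ifname, spa, sha) else "dropped-limit"
        return "ignored"


def scenario() -> dict:
    gw = GatewayArp("10.0.0.1")
    ge1, ge2 = "GigabitEthernet1/0/0", "GigabitEthernet2/0/0"
    gw.global_strict = True                    # [Quidway] arp learning strict
    gw.if_strict[ge1] = "force-disable"        # GE1: arp learning strict force-disable
    gw.limits[ge1] = 2                         # GE1: arp-limit maximum 2
    gw.safeguard.add(ge2)                      # GE2: arp-safeguard enable
    out = {}
    # NetRobocop-style unsolicited replies: GE1 accepts (strict forced off), GE2 inherits strict
    out["unsolicited on ge1"] = gw.receive(ge1, ARP_REPLY, "00:00:5e:00:53:02", "10.0.0.2", "10.0.0.1", 0.0)
    out["unsolicited on ge2"] = gw.receive(ge2, ARP_REPLY, "00:00:5e:00:53:03", "10.0.0.3", "10.0.0.1", 0.0)
    # a reply to a request the CPU sent itself is learned on GE2
    gw.send_request("10.0.0.3", 0.0)
    out["solicited on ge2"] = gw.receive(ge2, ARP_REPLY, "00:00:5e:00:53:03", "10.0.0.3", "10.0.0.1", 0.5)
    # Netcut-style unicast requests carrying a spoofed sender MAC for an existing host
    gw.receive(ge1, ARP_REQUEST, "de:ad:be:ef:00:01", "10.0.0.2", "10.0.0.1", 1.0)
    gw.receive(ge2, ARP_REQUEST, "de:ad:be:ef:00:02", "10.0.0.3", "10.0.0.1", 1.0)
    out["ge1 entry after netcut"] = gw.cache["10.0.0.2"][0]   # poisoned
    out["ge2 entry after netcut"] = gw.cache["10.0.0.3"][0]   # unchanged: stateless reply
    # per-interface limit on GE1: a second host fits, a third does not
    out["ge1 second host"] = gw.receive(ge1, ARP_REQUEST, "00:00:5e:00:53:04", "10.0.0.4", "10.0.0.1", 2.0)
    out["ge1 third host"] = gw.receive(ge1, ARP_REQUEST, "00:00:5e:00:53:05", "10.0.0.5", "10.0.0.1", 2.0)
    out["stats"] = dict(gw.stats)
    return out
```

The two interfaces show the trade-off the NOTE in 3.2.1 points at: strict learning alone stops the unsolicited reply but still lets a unicast request rewrite an existing entry, whereas the stateless reply of bidirectional isolation closes both paths, at the cost of never learning from requests on that interface.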

3.4.3 Filtering ARP Packets


Context
Do as follows on the router to filter out invalid packets on its interfaces:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number [ .sub-interface-number ]

The interface view is displayed. Invalid ARP packets can be filtered out on the following interfaces:
- Ethernet interfaces and their sub-interfaces
- Eth-Trunk interfaces and their sub-interfaces
- VLANIF interfaces
- Sub-interfaces for QinQ VLAN tag termination
- Sub-interfaces for dot1q VLAN tag termination

Step 3 Run:
arp filter { gratuitous | mac-illegal | tha-filled-request }

The interface is configured to filter out invalid ARP packets.

NOTE
You can decide which types of ARP packets are to be filtered out according to the actual situation. The NE80E/40E can filter out the following ARP packets:
- Invalid ARP packets (mac-illegal)
- Gratuitous ARP packets (gratuitous)
- ARP request packets whose destination MAC address is not null (tha-filled-request)

By default, invalid ARP packets and gratuitous ARP packets are filtered out; ARP request packets whose destination MAC address is not null are not filtered.

----End
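The parser below, added here as an illustration and not taken from the NE80E/40E software, applies the three filter classes listed under "ARP Packets Filtering" in 3.1.2 and selected by arp filter in this section to raw Ethernet/ARP frames. It reads "destination MAC address" and "source MAC address" of the invalid-packet rules as the Ethernet header addresses and "destination MAC address is not null" as the ARP target hardware address field, and it treats a packet whose sender and target protocol addresses are equal as gratuitous; those readings, the frame builder and the six sample frames are the example's own assumptions.

```python
"""ARP frame parser applying the gratuitous / mac-illegal / tha-filled-request filter classes
(added example, not NE80E/40E code). The sample frames and the field readings are constructed."""
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = b"\x00" * 6
BROADCAST_MAC = b"\xff" * 6
DEFAULT_FILTERS = frozenset({"mac-illegal", "gratuitous"})    # filtered by default per the page


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_arp(dst: bytes, src: bytes, op: int, sha: bytes, spa: str, tha: bytes, tpa: str) -> bytes:
    """Constructed untagged Ethernet II + ARP frame for the test cases below."""
    eth = dst + src + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + sha + socket.inet_aton(spa) + tha + socket.inet_aton(tpa)


def parse_arp(frame: bytes) -> dict:
    """Return the Ethernet and ARP fields; raise ValueError on anything malformed."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP header")
    return {"dst": frame[0:6], "src": frame[6:12], "op": op,
            "sha": frame[22:28], "spa": frame[28:32], "tha": frame[32:38], "tpa": frame[38:42]}


def is_unicast(addr: bytes) -> bool:
    return not (addr[0] & 0x01)                  # I/G bit clear


def matching_filters(p: dict) -> set:
    """Filter classes an ARP packet falls into (a packet may match several)."""
    hits = set()
    if p["op"] == ARP_REQUEST:
        # invalid: request to a unicast Ethernet destination, or from a non-unicast source
        if is_unicast(p["dst"]) or not is_unicast(p["src"]):
            hits.add("mac-illegal")
        # request whose target hardware address is already filled in
        if p["tha"] != ZERO_MAC:
            hits.add("tha-filled-request")
    elif p["op"] == ARP_REPLY:
        # invalid: reply to a non-unicast Ethernet destination
        if not is_unicast(p["dst"]):
            hits.add("mac-illegal")
    if p["spa"] == p["tpa"]:                     # sender announces its own address (assumed definition)
        hits.add("gratuitous")
    return hits


def should_drop(frame: bytes, enabled=DEFAULT_FILTERS) -> bool:
    """True if the interface's enabled filters discard the frame; malformed frames are dropped."""
    try:
        pkt = parse_arp(frame)
    except ValueError:
        return True
    return bool(matching_filters(pkt) & set(enabled))


# constructed frames: host 10.0.0.2 (HOST) and gateway 10.0.0.1 (GW)
HOST, GW = mac("00:11:22:33:44:55"), mac("00:e0:fc:00:00:01")
NORMAL_REQUEST = build_arp(BROADCAST_MAC, HOST, ARP_REQUEST, HOST, "10.0.0.2", ZERO_MAC, "10.0.0.1")
UNICAST_REQUEST = build_arp(GW, HOST, ARP_REQUEST, HOST, "10.0.0.2", ZERO_MAC, "10.0.0.1")     # Netcut-style
GRATUITOUS = build_arp(BROADCAST_MAC, HOST, ARP_REQUEST, HOST, "10.0.0.2", ZERO_MAC, "10.0.0.2")
THA_FILLED = build_arp(BROADCAST_MAC, HOST, ARP_REQUEST, HOST, "10.0.0.2", GW, "10.0.0.1")
BROADCAST_REPLY = build_arp(BROADCAST_MAC, HOST, ARP_REPLY, HOST, "10.0.0.2", GW, "10.0.0.1")
NORMAL_REPLY = build_arp(GW, HOST, ARP_REPLY, HOST, "10.0.0.2", GW, "10.0.0.1")
```

With the default filter set, the unicast request that a Netcut-style attacker sends to the gateway is discarded as mac-illegal before it reaches the CPU, while the request with a filled-in target hardware address passes until tha-filled-request is enabled. Bear in mind that hosts also send unicast ARP requests legitimately to revalidate cache entries (RFC 1122), so enabling mac-illegal trades that behaviour for protection against the attack.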

3.4.4 Configuring ARP VLAN CAR


Context
Do as follows on the interface of the router that requires ARP attack defense:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number [ .sub-interface-number ]

The interface view is displayed. You can set the receiving rate for the permitted ARP packets on the following interfaces:
- Ethernet interfaces and their sub-interfaces
- Eth-Trunk interfaces and their sub-interfaces
- VLANIF interfaces
- Sub-interfaces for QinQ VLAN tag termination
- Sub-interfaces for dot1q VLAN tag termination

Step 3 Run:
arp rate-limit rate

The threshold above which ARP packets are discarded is set for ARP VLAN CAR. By default, the threshold of the receiving rate for the permitted ARP packets is 20 pps. The receiving rate ranges from 21 pps to 1024 pps. When you set the value to 0, the receiving rate for the permitted ARP packets is not restricted.

----End
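The following model, added here as an illustration and not taken from the NE80E/40E software, works through the two-level CAR described under "ARP VLAN CAR" in 3.1.2 with the per-interface threshold set by arp rate-limit in this section: a platform-wide level-one limit applied first, the per-interface level-two limit applied to what survives, and the five-second check that releases level-two resources after four consecutive readings below 75% of the threshold. The level-one rate, the one-second counting window, applying level two to every packet that passes level one, and allocating level-two resources on an interface's first ARP packet are the example's own assumptions; the interface names and traffic pattern are constructed.

```python
"""Two-level CAR for ARP packets bound for the CPU with the periodic retraction check
(added example, not NE80E/40E code). The level-one rate, the one-second window and the
resource-allocation point are assumptions; traffic and interface names are constructed."""
from collections import Counter

DEFAULT_RATE_PPS = 20      # page: default arp rate-limit threshold
CHECK_INTERVAL_S = 5.0     # page: the rate is checked every five seconds
RETRACT_FRACTION = 0.75    # page: below 75% of the threshold ...
RETRACT_CHECKS = 4         # ... in four consecutive checks releases the CAR resources


class TwoLevelArpCar:
    def __init__(self, level1_pps: int) -> None:
        self.level1_pps = level1_pps
        self.level2_pps = {}           # interface -> arp rate-limit value (0 = unrestricted)
        self.l1_count = Counter()      # second -> packets admitted by level one (all interfaces)
        self.l2_count = Counter()      # (interface, second) -> packets admitted by level two
        self.idle_checks = {}          # interface holding level-two resources -> consecutive idle checks
        self.window = Counter()        # interface -> packets received since the last check
        self.stats = Counter()

    def set_rate_limit(self, ifname: str, pps: int) -> None:
        self.level2_pps[ifname] = pps

    def admit(self, ifname: str, now: float) -> bool:
        sec = int(now)
        if self.l1_count[sec] >= self.level1_pps:        # level one, before the CPU path
            self.stats["level1-drop"] += 1
            return False
        self.l1_count[sec] += 1
        self.window[ifname] += 1
        rate = self.level2_pps.get(ifname, DEFAULT_RATE_PPS)
        if rate == 0:
            self.stats["to-cpu"] += 1
            return True
        self.idle_checks.setdefault(ifname, 0)          # allocate level-two resources (assumption)
        if self.l2_count[(ifname, sec)] >= rate:         # level two: the per-interface ARP VLAN CAR
            self.stats["level2-drop"] += 1
            return False
        self.l2_count[(ifname, sec)] += 1
        self.stats["to-cpu"] += 1
        return True

    def periodic_check(self) -> list:
        """Run every CHECK_INTERVAL_S seconds; returns the interfaces whose resources were released."""
        released = []
        for ifname in list(self.idle_checks):
            rate = self.level2_pps.get(ifname, DEFAULT_RATE_PPS)
            average_pps = self.window[ifname] / CHECK_INTERVAL_S
            idle = average_pps < RETRACT_FRACTION * rate
            self.idle_checks[ifname] = self.idle_checks[ifname] + 1 if idle else 0
            if self.idle_checks[ifname] >= RETRACT_CHECKS:
                del self.idle_checks[ifname]
                released.append(ifname)
            self.window[ifname] = 0
        return released


def scenario() -> dict:
    car = TwoLevelArpCar(level1_pps=100)
    ge1, ge2 = "GigabitEthernet1/0/0", "GigabitEthernet2/0/0"
    car.set_rate_limit(ge1, 50)                  # arp rate-limit 50; GE2 keeps the 20 pps default
    # constructed burst inside one second: 80 ARP packets on GE1, then 60 on GE2
    for i in range(80):
        car.admit(ge1, i / 1000)
    for i in range(60):
        car.admit(ge2, 0.1 + i / 1000)
    releases = [car.periodic_check()]            # t = 5 s
    for i in range(200):                         # 40 pps on GE1 for the next five seconds
        car.admit(ge1, 5.0 + i / 40)
    for _ in range(5):                           # t = 10, 15, 20, 25, 30 s
        releases.append(car.periodic_check())
    return {"stats": dict(car.stats), "releases": releases}
```

In the burst, GE 1/0/0 loses 30 packets to its own 50 pps limit, while GE 2/0/0 loses 40 to the shared level-one limit that GE 1/0/0's traffic has already consumed and then fits the remaining 20 under its default threshold. The sustained 40 pps on GE 1/0/0 (above 75% of 50) resets its idle count, so GE 2/0/0 is released at the fourth check and GE 1/0/0 only at the sixth.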

3.4.5 Checking the Configuration


Run the following commands to check the previous configuration.

Action                                                      Command
Check ARP information about attacked interfaces.            display arp attack slot { slot-id | all }
                                                            display arp attack interface interface-type interface-number [ .sub-interface-number ]
Check the statistics for ARP bidirectional isolation        display arp-safeguard statistics slot slot-id
of the LPU.
Check the configured threshold of the receiving rate        display arp rate-limit interface interface-type interface-number
for the permitted ARP packets on the specified
interface.

Run the display arp attack slot { slot-id | all } command, and you can check ARP information about attacked interfaces. For example:

<Quidway> display arp attack slot all
port name: GigabitEthernet4/0/2
QINQ sub-interface: GigabitEthernet4/0/2.1
ctrl-vlanid: 4
EnableArpCar: 1 (1:enable 0:disable)
Passed: 3289152 Bytes 51393 Packets
Dropped: 186973696 Bytes 2921464 Packets

Run the display arp-safeguard statistics slot slot-id command, and you can check the statistics for ARP bidirectional isolation on the specified interface board. For example:

<Quidway> display arp-safeguard statistics slot 3
ArpRequestToCp-Count: 23
ArpReplyToCp-Count: 23
FreeArpToCp-Count: 23
ArpRequestDrop-Count: 23
ArpReplyDrop-Count: 23

Run the display arp rate-limit interface interface-type interface-number command, and you can check the configured threshold of the receiving rate for the permitted ARP packets on the specified interface. For example:

<Quidway> display arp rate-limit interface gigabitethernet 4/0/2
Interface: GigabitEthernet4/0/2
arp rate-limit: 1000

3.5 Maintaining
This section describes how to display and clear statistics about ARP packets and how to debug ARP packets.
3.5.1 Displaying Statistics About ARP Packets
3.5.2 Clearing Statistics About ARP Packets
3.5.3 Debugging ARP Packets

3.5.1 Displaying Statistics About ARP Packets


Action                                  Command
Check statistics about ARP packets.     display arp packet statistic [ slot slot-id ]

Run the display arp packet statistics [ slot slot-id ] command, and you can check the statistics about ARP packets. For example:

<Quidway> display arp packet statistics
ARP Pkt Received: sum 23
ARP-Miss Msg Received: sum 0
ARP Learnned Count: sum 8
ARP Pkt Discard For Limit: sum 5
ARP Pkt Discard For SpeedLimit: sum 0
ARP Pkt Discard For Other: sum 10
ARP-Miss Msg Discard For SpeedLimit: sum
ARP-Miss Msg Discard For Other: sum 0

3.5.2 Clearing Statistics About ARP Packets

CAUTION
Statistics about ARP packets cannot be restored after they are cleared. Confirm the action before you run the command.

Action                                                      Command
Clear statistics about ARP packets.                         reset arp packet statistic [ slot slot-id ]
Reset statistics about attacked interfaces, or about        reset arp attack slot { slot-id | all }
the attacked interfaces in the specified slots.             reset arp attack interface interface-type interface-number

3.5.3 Debugging ARP Packets

CAUTION
Debugging affects the performance of the system. So, after debugging, execute the undo debugging all command to disable it immediately. For the procedure of displaying the debugging information, refer to the chapter Maintenance and Debugging in the Quidway NetEngine80E/40E Router Configuration Guide - System Management. For explanations of the debugging commands, refer to the NE80E/40E Router Command Reference.

Action: Enable ARP packet debugging.
Command: debugging arp packet [ slot slot-id | interface interface-type interface-number ]

Action: Enable the debugging of ARP packet processing.
Command: debugging arp process [ slot slot-id | interface interface-type interface-number ]

3.6 Configuration Examples


This section provides several configuration examples of ARP security features.
3.6.1 Example for Preventing Attacks on ARP Entries
3.6.2 Example for Preventing Attacks on ARP Entries and Scanning Attacks
3.6.3 Example for Configuring ARP Bidirectional Isolation, ARP filter packets and VLAN CAR

3.6.1 Example for Preventing Attacks on ARP Entries


Networking Requirements
As shown in Figure 3-1, a carrier accesses the core network through two routers. ARP security features need to be configured on the two routers to prevent the devices attached to the routers from attacking ARP entries.

Figure 3-1 Networking diagram of preventing attacks on ARP entries (figure: Router A and Router B connected to the core network)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure strict ARP entry learning.
2. Configure speed limit for ARP packets.
3. Configure interface-based ARP entry restriction.
4. Enable log and alarm functions for potential attack behaviors.

Configuration Procedure
Configurations on Router A and Router B are the same. Here, take Router A as an example.
# Configure Router A as follows.
1. Configure strict ARP entry learning.
<RouterA> system-view
[RouterA] arp learning strict

2. Configure destination-based speed limit for ARP packets on each slot of the attached device. The speed is limited to 50 packets per second. Take slot 1 as an example.
[RouterA] arp speed-limit destination-ip maximum 50 slot 1

3. Restrict the number of ARP entries on each interface of the attached device to 20. Take GE 1/0/0 as an example.
[RouterA] interface Gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] arp-limit maximum 20
[RouterA-GigabitEthernet1/0/0] quit


4. Set the interval for logging and generating alarms for potential attack behaviors to 20 seconds.
[RouterA] arp anti-attack log-trap-timer 20

5. Verify the configuration. Use certain tools to send gratuitous ARP packets to Router A and then run the display arp command on Router A. You can find that the actively sent gratuitous ARP packets are not learnt by Router A.
<RouterA> display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE  INTERFACE   VPN-INSTANCE  VLAN/CEVLAN PVC
------------------------------------------------------------------------------
100.1.1.200     00e0-fc7f-7258            I     GE0/0/0
100.1.1.180     000d-88f4-d06b  9         D-0   GE0/0/0
100.1.1.24      0013-d326-ab88  9         D-0   GE0/0/0
100.1.1.166     0014-2afd-7376  10        D-0   GE0/0/0
100.1.1.37      00e0-4c77-a2f9  12        D-0   GE0/0/0
100.1.1.168     000d-88f8-332c  14        D-0   GE0/0/0
100.1.1.48      0015-e9ac-7a30  16        D-0   GE0/0/0
32.1.1.1        0088-0010-000a            I     GE3/0/9
24.1.1.1        0088-0010-0009            I     GE3/0/8
10.1.1.1        0088-0010-0003            I     GE3/0/2
10.1.1.2        00e0-fc22-18d5  9         D-3   GE3/0/2
------------------------------------------------------------------------------
Total:11        Dynamic:7       Static:0     Interface:4

Run the display arp speed-limit command on the routers. You can view the limited speed.
<RouterA> display arp speed-limit destination-ip slot 1
Slot    SuppressType    SuppressValue
--------------------------------------------------
1       ARP             50

Run the display arp packet statistics command on the routers. You can view the number of discarded ARP packets and the number of learnt ARP entries.
<RouterA> display arp packet statistics
ARP Pkt Received: sum 23
ARP-Miss Msg Received: sum 0
ARP Learnned Count: sum 8
ARP Pkt Discard For Limit: sum 5
ARP Pkt Discard For SpeedLimit: sum 0
ARP Pkt Discard For Other: sum 10
ARP-Miss Msg Discard For SpeedLimit: sum
ARP-Miss Msg Discard For Other: sum 0

Configuration Files
The configuration file of Router A is as follows:
#
 sysname RouterA
#
 arp learning strict
 arp speed-limit destination-ip maximum 50 slot 1
 arp anti-attack log-trap-timer 20
#
interface GigabitEthernet1/0/0
 arp-limit maximum 20
return


3.6.2 Example for Preventing Attacks on ARP Entries and Scanning Attacks
Networking Requirements
As shown in Figure 3-2, a cyber cafe accesses the router through the Internet. ARP security features need to be configured to protect the cyber cafe from ARP entry attacks and scanning attacks.

Figure 3-2 Network diagram of preventing attacks on ARP entries and scanning attacks (figure: the router connected to the Internet)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure as follows to prevent attacks on ARP entries:
   - Configure strict ARP entry learning.
   - Configure speed limit for ARP packets.
   - Configure interface-based ARP entry restriction.
   - Enable log and alarm functions for potential attack behaviors.
2. Configure as follows to prevent ARP scanning attacks:
   - Configure speed limit for ARP Miss packets.

Configuration Procedure
# Configure ARP security features to avoid attacks on ARP entries.
1. Configure strict ARP entry learning.
<Quidway> system-view
[Quidway] arp learning strict

2. Configure destination-based speed limit for ARP packets on each slot of the attached device. The speed is limited to 50 packets per second. Take slot 1 as an example.
[Quidway] arp speed-limit destination-ip maximum 50 slot 1

3. Restrict the number of ARP entries on each interface of the attached device to 20. Take GE 1/0/0 as an example.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] arp-limit maximum 20
[Quidway-GigabitEthernet1/0/0] quit


4. Set the interval for logging and generating alarms for potential attack behaviors to 20 seconds.
[Quidway] arp anti-attack log-trap-timer 20

# Configure scanning attack defense.
5. Configure destination-based speed limit for ARP Miss packets on each slot of the attached device. The speed is limited to 50 ARP Miss packets per second. Take slot 1 as an example.
[Quidway] arp-miss speed-limit source-ip maximum 50 slot 1

6. Verify the configuration. Use certain tools to send gratuitous ARP packets to Router A and then run the display arp command on Router A. You can find that the actively sent gratuitous ARP packets are not learnt by Router A.
<Quidway> display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE  INTERFACE   VPN-INSTANCE  VLAN/CEVLAN PVC
------------------------------------------------------------------------------
100.1.1.200     00e0-fc7f-7258            I     GE0/0/0
100.1.1.180     000d-88f4-d06b  9         D-0   GE0/0/0
100.1.1.24      0013-d326-ab88  9         D-0   GE0/0/0
100.1.1.166     0014-2afd-7376  10        D-0   GE0/0/0
100.1.1.37      00e0-4c77-a2f9  12        D-0   GE0/0/0
100.1.1.168     000d-88f8-332c  14        D-0   GE0/0/0
100.1.1.48      0015-e9ac-7a30  16        D-0   GE0/0/0
32.1.1.1        0088-0010-000a            I     GE3/0/9
24.1.1.1        0088-0010-0009            I     GE3/0/8
10.1.1.1        0088-0010-0003            I     GE3/0/2
10.1.1.2        00e0-fc22-18d5  9         D-3   GE3/0/2
------------------------------------------------------------------------------
Total:11        Dynamic:7       Static:0     Interface:4

Run the display arp speed-limit command on the routers. You can view the limited speed. Run the display arp-miss speed-limit command on the routers. You can view the limited speed of ARP Miss packets.
<Quidway> display arp speed-limit destination-ip slot 1
Slot    SuppressType    SuppressValue
--------------------------------------------------
1       ARP             50
<Quidway> display arp-miss speed-limit source-ip slot 1
Slot    SuppressType    SuppressValue
--------------------------------------------------
1       ARP-miss        50

Use certain tools to scan Router A and then run the display arp packet statistics command on Router A. You can view the number of discarded ARP Miss messages.
<Quidway> display arp packet statistics
ARP Pkt Received: sum 23
ARP-Miss Msg Received: sum 0
ARP Learnned Count: sum 8
ARP Pkt Discard For Limit: sum 5
ARP Pkt Discard For SpeedLimit: sum 0
ARP Pkt Discard For Other: sum 10
ARP-Miss Msg Discard For SpeedLimit: sum
ARP-Miss Msg Discard For Other: sum 0

Configuration Files
#
 sysname Quidway
#
 arp learning strict
 arp speed-limit destination-ip maximum 50 slot 1
 arp-miss speed-limit destination-ip maximum 50 slot 1
 arp anti-attack log-trap-timer 20
#
interface GigabitEthernet1/0/0
 arp-limit maximum 20
return

3.6.3 Example for Configuring ARP Bidirectional Isolation, ARP filter packets and VLAN CAR
Networking Requirements
The ARP attack defense feature needs to be configured only on the interface of the router that is vulnerable to ARP attacks. For example, you can configure ARP attack defense on the router in the networking shown in Figure 3-3.

Figure 3-3 Configuring ARP Bidirectional Isolation, ARP filter packets and VLAN CAR (figure: a router with interface GE1/0/0, connected to the Internet and to a convergence switch; access switches in VLAN100 and VLAN200 connect the users)

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable ARP bidirectional isolation.
2. Configure the types of the ARP packets to be filtered out on the interface.
3. Set the receiving rate for the permitted ARP packets on the interface.

Data Preparation
To complete the configuration, you need the following data:
- IP address of the GE interface
- Threshold of ARP VLAN CAR

Configuration Procedure
1. Assign the IP address to the interface. The configuration details are not mentioned here.
2. Enable ARP bidirectional isolation.
<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] arp-safeguard enable

3. Specify the type of ARP packets to be filtered out.
[Quidway-GigabitEthernet1/0/1] arp filter mac-illegal

4. Set the threshold of ARP VLAN CAR on the interface.
[Quidway-GigabitEthernet1/0/1] arp rate-limit 50
[Quidway-GigabitEthernet1/0/1] quit

5.

5. Verify the configuration. Check the statistics about ARP packets on the Slot 1 interface board.
[Quidway] display arp packet statistic
ARP Pkt Received                   : sum 23
ARP-Miss Msg Received              : sum 0
ARP Learnned Count                 : sum 8
ARP Pkt Discard For Limit          : sum 5
ARP Pkt Discard For SpeedLimit     : sum 0
ARP Pkt Discard For Other          : sum 10
ARP-Miss Msg Discard For SpeedLimit: sum 0
ARP-Miss Msg Discard For Other     : sum 0

Check the statistics for ARP bidirectional isolation on the Slot 1 interface board.
[Quidway] display arp-safeguard statistics slot 1
ArpRequest-Count: 0
ArpReply-Count 3
ArpToCp-Count: 0
ArpDrop-Count: 0

Configuration Files
#
 sysname Quidway
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.1.1.2 255.255.255.0
 arp-safeguard enable
 arp filter mac-illegal
 arp rate-limit 50
#
return

4 DHCP Snooping Configuration

About This Chapter

This chapter describes DHCP snooping and various types of attacks. It also describes how to configure DHCP snooping to prevent these attacks.

4.1 Overview
This section describes the principles and concepts of Dynamic Host Configuration Protocol (DHCP) snooping.
4.2 Configuring Defense on the Layer 2 Device Against Attacks by Bogus DHCP Server
This section describes how to prevent the bogus DHCP server attack on a Layer 2 device.
4.3 Configuring Defense on the Layer 3 Device Against Attacks by Bogus DHCP Server
This section describes how to prevent the bogus DHCP server attack through a Layer 3 device.
4.4 Configuring Defense on the Layer 2 Device Against Attacks by IP/MAC Spoofing
This section describes how to prevent the middleman attack and the IP/MAC spoofing attack on a Layer 2 device.
4.5 Configuring Defense on the Layer 3 Device Against Attacks by IP/MAC Spoofing
This section describes how to prevent the middleman attack and the IP/MAC spoofing attack on a Layer 3 device.
4.6 Configuring Defense on the Layer 2 Device Against Attacks by Changing CHADDRs
This section describes how to prevent the attacker from changing the Client Hardware Address (CHADDR) on a Layer 2 device.
4.7 Configuring Defense on the Layer 3 Device Against Attacks by Changing CHADDRs
This section describes how to prevent the attacker from changing the CHADDR on a Layer 3 device.
4.8 Configuring Defense on the Layer 2 Device Against Attacks by Sending Bogus Messages for Extending IP Leases
This section describes how to prevent the attacker from sending bogus messages for extending IP leases on a Layer 2 device.
4.9 Configuring Defense on the Layer 3 Device Against Attacks by Sending Bogus Messages for Extending IP Leases
This section describes how to prevent the attacker from sending bogus messages for extending IP leases on a Layer 3 device.
4.10 Configuring Defense on the Device Against Attacks by Sending DHCP Request Messages
This section describes how to prevent the attacker from continuously sending DHCP request messages.
4.11 Configuring Alarms for Packet Discarding
This section describes how to notify the NMS of an attack.
4.12 Maintaining
This section describes how to reset statistics and debug DHCP snooping.
4.13 Configuration Examples
This section provides several configuration examples of DHCP snooping.


4.1 Overview
This section describes the principles and concepts of Dynamic Host Configuration Protocol (DHCP) snooping.
4.1.1 Introduction to DHCP Snooping
4.1.2 DHCP Snooping Supported by the NE80E/40E

4.1.1 Introduction to DHCP Snooping


DHCP snooping, a DHCP security feature, filters untrusted DHCP messages by creating and maintaining a DHCP snooping binding table. This binding table contains MAC addresses, IP addresses, IP leases, binding types, VLAN IDs, and interface information. DHCP snooping acts as a firewall between clients and DHCP servers. DHCP snooping prevents DHCP Denial of Service (DoS) attacks, bogus DHCP server attacks, ARP middleman attacks, and IP/MAC spoofing attacks when DHCP is enabled on the device.

In the NE80E/40E, security features such as MAC address limitation, the DHCP snooping binding table, IP + MAC binding, and Option 82 are all implemented. This ensures complete security when DHCP is enabled on the device.

Since a router can function as both a Layer 2 device and a Layer 3 device, the Layer 2 device and Layer 3 device mentioned in the following sections indicate the working modes (Layer 2 and Layer 3) of the router. DHCP snooping can be used on both Layer 2 and Layer 3 devices. Figure 4-1 and Figure 4-2 show DHCP snooping application on a Layer 2 device and a Layer 3 device respectively.

Figure 4-1 Networking diagram of DHCP snooping application on a switch (figure: ISP network with the DHCP server; L3 network with the DHCP relay; L2 network in which DHCP snooping is enabled on the router, with trusted and untrusted interfaces; user network)


Figure 4-2 DHCP snooping application on a router (figure: ISP network with the DHCP server; L3 network in which DHCP snooping is enabled on the DHCP relay, with trusted and untrusted interfaces; L2 network; user network)

DHCP snooping defends against the following types of attacks:
- DHCP exhaustion attack
- Bogus DHCP server attack
- Middleman attack or IP/MAC address attack
- Attack by changing CHADDR

DHCP snooping provides various working modes to prevent different types of attacks. Table 4-1 shows the types of attacks and the corresponding working modes of DHCP snooping.

Table 4-1 Attack types and DHCP snooping working modes
Attack Type                                  DHCP Snooping Working Mode
DHCP exhaustion attack                       MAC address limitation
Bogus DHCP server attack                     Trusted/Untrusted
Middleman attack or IP/MAC address attack    Binding table of DHCP snooping
Attack by changing CHADDR                    Check on CHADDR of DHCP messages

4.1.2 DHCP Snooping Supported by the NE80E/40E


The DHCP snooping features supported by the NE80E/40E include MAC address limitation, Trusted/Untrusted, the DHCP snooping binding table, and the CHADDR field check.

DHCP snooping can be applied on the service router (SR) to ensure the security of IPTV services.

4.2 Configuring Defense on the Layer 2 Device Against Attacks by Bogus DHCP Server
This section describes how to prevent the bogus DHCP server attack on a Layer 2 device.
4.2.1 Establishing the Configuration Task
4.2.2 Enabling DHCP Snooping
4.2.3 Configuring Trusted/Untrusted Interfaces
4.2.4 Checking the Configuration

4.2.1 Establishing the Configuration Task


Applicable Environment
A bogus DHCP server responds to the client with incorrect configuration information, such as the wrong IP address of the gateway, the wrong DNS server, and the wrong IP address to prevent the client from accessing the network. To prevent the bogus DHCP server attack, configure DHCP snooping on Layer 2 devices, set the interfaces on the client end as untrusted and set the interfaces on the network carrier end as trusted. DHCP reply messages from untrusted interfaces are all discarded.

Pre-configuration Tasks
Before preventing the bogus DHCP server attack on a Layer 2 device, complete the following task:
- Configuring the DHCP server

Data Preparation
To prevent the bogus DHCP server attack on a Layer 2 device, you need the following data.
No.  Data
1    ID of the VLAN to which the interface belongs
2    Name of the interface that needs to be set as trusted/untrusted

4.2.2 Enabling DHCP Snooping


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp snooping enable

DHCP snooping is enabled. Enable DHCP snooping globally before enabling DHCP snooping on a VLAN.

Step 3 Run:
vlan vlan-id

The VLAN view is displayed.

Step 4 Run:
port interface-type { interface-number1 [ to interface-number2 ] } &<1-10>

Layer 2 interfaces are added to the VLAN. Interfaces added to the VLAN should be Layer 2 interfaces. If they are Layer 3 interfaces, run the command to switch them from Layer 3 mode to Layer 2 mode.

Step 5 Run:
dhcp snooping enable [ interface interface-type interface-number ]

DHCP snooping is enabled.

----End

4.2.3 Configuring Trusted/Untrusted Interfaces


Context
Do as follows on the router:
NOTE
In general, the interface connected with the DHCP server (an interface within the carrier's network) is set as trusted and other interfaces (interfaces outside the carrier's network) are set as untrusted.
- When DHCP snooping is disabled, the VLAN is trusted by default.
- When DHCP snooping is enabled, the VLAN is untrusted by default.

After DHCP snooping is enabled, the VLAN or the interface is in the untrusted state by default. DHCP reply messages received from this VLAN or interface are directly discarded. To configure the VLAN or the interface to be trusted, run the dhcp snooping trusted command.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
vlan vlan-id

The VLAN view is displayed.

Step 3 Run:
dhcp snooping trusted [ interface interface-type interface-number ]

The VLAN or the interface connected with the DHCP server is set as trusted. Configuring interface interface-type interface-number is optional. If a VLAN rather than an interface is set as trusted, DHCP messages sent from this VLAN are all forwarded normally.

----End

4.2.4 Checking the Configuration


Run the following commands to check the previous configuration.
Action: View global DHCP snooping information.
Command: display dhcp snooping global

Action: View DHCP snooping information on the interface.
Command: display dhcp snooping { vlan vlan-id [ interface interface-type interface-number ] }

Run the preceding commands. If the following results are displayed, the configuration is successful:
- DHCP snooping is enabled both in the system view and the interface view.
- The interface on the client end is untrusted while the interface on the network end is trusted.
- Statistics about the discarded ARP, IP, and DHCP packets.

<Quidway> display dhcp snooping vlan 10 interface Ethernet 1/0/0
 dhcp snooping trusted interface Ethernet1/0/0
 arp total 0
 ip total 0
 dhcp-request total 0
 chaddr&src mac total 0
 dhcp-reply total 0

4.3 Configuring Defense on the Layer 3 Device Against Attacks by Bogus DHCP Server
This section describes how to prevent the bogus DHCP server attack through a Layer 3 device.
4.3.1 Establishing the Configuration Task
4.3.2 Enabling DHCP Snooping on the DHCP Relay
4.3.3 Setting Trusted or Untrusted Interfaces
4.3.4 Checking the Configuration

4.3.1 Establishing the Configuration Task


Applicable Environment
A bogus DHCP server responds to the client with incorrect information, such as the wrong IP address of the gateway, the wrong DNS server, and the wrong IP address. This prevents the client from accessing the network. To prevent the bogus DHCP server attack, configure DHCP snooping on Layer 3 devices, set the interfaces on the client end to be untrusted and set the interfaces on the network carrier end to be trusted. DHCP reply messages from untrusted interfaces are all discarded.

Pre-configuration Tasks
Before preventing the bogus DHCP server attack on a Layer 3 device, complete the following tasks:
- Configuring the DHCP server
- Configuring the DHCP relay agent

Data Preparation
To prevent the bogus DHCP server attack on a Layer 3 device, you need the following data.
No.  Data
1    Names of the interfaces that need to be set as trusted or untrusted

4.3.2 Enabling DHCP Snooping on the DHCP Relay


Context
Do as follows on the DHCP relay agent:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp snooping enable

DHCP snooping is enabled. Enable DHCP snooping globally before enabling DHCP snooping on a Layer 3 interface.

Step 3 Run:
interface interface-type interface-number

The interface view is displayed. DHCP snooping can be enabled on the following Layer 3 interfaces:
- Ethernet interfaces (FE and GE)
- Ethernet sub-interfaces
- VLANIF interfaces
- Eth-Trunk interfaces
- Eth-Trunk sub-interfaces

Step 4 Run:
dhcp snooping enable

DHCP snooping is enabled on the interface.

----End

Postrequisite
If the DHCP snooping binding table contains no entries mapped to the received packets, the packets are discarded or forwarded based on user configurations.

4.3.3 Setting Trusted or Untrusted Interfaces


Context
Do as follows on the DHCP relay agent:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed. You cannot set a VLANIF interface to be trusted or untrusted. Instead, set the VLAN to be trusted or untrusted in the VLAN view.

Step 3 Run:
dhcp snooping trusted

The interface connected with the DHCP server is set as trusted.

----End

4.3.4 Checking the Configuration


Run the following commands to check the previous configuration.
Action: View global DHCP snooping information.
Command: display dhcp snooping global

Action: View DHCP snooping information on the interface.
Command: display dhcp snooping interface interface-type interface-number

Run the preceding commands. If the following results are displayed, the configuration is successful:
- DHCP snooping is enabled both in the system view and the interface view.
- The interface on the client end is set as untrusted while the interface on the network end is set as trusted.
- Statistics about the discarded ARP, IP, and DHCP packets.

<Quidway> display dhcp snooping interface Ethernet 1/2/0
 dhcp snooping enable
 dhcp snooping trusted
 arp total 0
 ip total 0
 dhcp-request total 0
 chaddr&src mac total 0
 dhcp-reply total 0

4.4 Configuring Defense on the Layer 2 Device Against Attacks by IP/MAC Spoofing
This section describes how to prevent the middleman attack and the IP/MAC spoofing attack on a Layer 2 device.
4.4.1 Establishing the Configuration Task
4.4.2 Enabling DHCP Snooping
4.4.3 Enabling Checking Packets
4.4.4 Configuring the DHCP Snooping Binding Table
4.4.5 Configuring Option 82
4.4.6 Checking the Configuration

4.4.1 Establishing the Configuration Task


Applicable Environment
When a middleman exists or the IP/MAC spoofing attack happens, the attacker pretends to be both the DHCP server and the client to exchange data with the actual server and client. The DHCP server considers that all the packets are transmitted to or received from the client, while the client considers that all the packets are transmitted to or received from the DHCP server. In fact, all the packets are "second-hand" packets processed by the middleman. This enables the attacker to obtain data from the server and the client.

To prevent the middleman attack and the IP/MAC spoofing attack, configure DHCP snooping on Layer 2 devices and use the DHCP snooping binding table. The received packets are forwarded only when they match the entries in the binding table; otherwise, the packets are discarded.

Pre-configuration Tasks
Before preventing the middleman attack and the IP/MAC spoofing attack through a Layer 2 device, complete the following task:
- Configuring the DHCP server

Data Preparation
To prevent the middleman attack and the IP/MAC spoofing attack through a Layer 2 device, you need the following data.
No.  Data
1    Name of the interface added to the VLAN
2    ID of the VLAN to which the interface belongs
3    Static IP addresses, packets from which are forwarded

4.4.2 Enabling DHCP Snooping


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp snooping enable

DHCP snooping is enabled. Enable DHCP snooping globally before enabling DHCP snooping on a VLAN.

Step 3 Run:
vlan vlan-id

The VLAN view is displayed.

Step 4 Run:
port interface-type { interface-number1 [ to interface-number2 ] } &<1-10>

Layer 2 interfaces are added to the VLAN. Interfaces added to the VLAN should be Layer 2 interfaces. If they are Layer 3 interfaces, run the command to switch them from Layer 3 mode to Layer 2 mode.

Step 5 Run:
dhcp snooping enable [ interface interface-type interface-number ]

DHCP snooping is enabled.

----End

4.4.3 Enabling Checking Packets


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
vlan vlan-id

The VLAN view is displayed.

Step 3 Run:
dhcp snooping check { arp | ip | dhcp-chaddr | dhcp-request } enable [ interface interface-type interface-number ]

Checking of the packets from the VLAN is enabled.

----End

4.4.4 Configuring the DHCP Snooping Binding Table


Context
The following steps are optional. If the client is assigned a static IP address, configure static binding entries for these static IP addresses to prevent the static IP addresses from being stolen. If the binding table is backed up, the system automatically backs up the binding table to the specified path every 60 minutes.

The dynamic entries in the DHCP snooping binding table require no configuration. They are automatically generated when DHCP snooping is enabled. The static entries, however, must be configured through commands.

NOTE
- If the IP address is dynamically assigned to the client, the device automatically learns the MAC address of the client and generates the IP and MAC binding table. This binding table requires no configuration.
- If the IP address is statically assigned to the client, the device cannot automatically learn the MAC address of the client and the IP/MAC binding table cannot be generated. You need to create the IP and MAC binding table manually.

If you do not create an IP and MAC binding table manually, one of the following two cases is encountered:
- If packets without a matching entry are set to be forwarded, packets from all static IP addresses are forwarded and all the static clients can access the DHCP server normally. By default, the device forwards the unmatched packets.
- If packets without a matching entry are set to be discarded, packets from all static IP addresses are discarded and no static clients can access the DHCP server.

To configure a binding table that covers detailed interface information, you need to enable Option 82. If Option 82 is not enabled, the DHCP binding table generated after DHCP snooping is enabled on a VLANIF interface does not contain any information about the interface. For detailed configuration, see Configuring Option 82.

After receiving an ARP or an IP packet, the interface matches its source IP address + source MAC address against the DHCP snooping binding table to check the MAC address, IP address, interface, and VLAN information.
- If they do not match, the packet is discarded.
- If they totally match, the packet is forwarded.

By default, the Discard policy is adopted on the NE80E/40E. After receiving an ARP or IP packet, an interface compares its source IP address and source MAC address with the entries in the DHCP snooping binding table. The packet is forwarded if a matching entry is found and is discarded if no matching entry is found.

Procedure
- Configuring static entries for the DHCP snooping binding table for a VLAN
  Do as follows on the router:
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  vlan vlan-id

  The VLAN view is displayed.
  3. Run:
  dhcp snooping bind-table static ip-address ip-address mac-address mac-address [ interface interface-type interface-number ]

  Static IP and MAC binding entries are configured.
- Backing up the DHCP snooping binding table
  Do as follows on the router:


  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  dhcp snooping bind-table autosave filename

  The binding table of DHCP snooping is backed up.
- Deleting the DHCP snooping binding table
  Do as follows on the router:
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  reset dhcp snooping bind-table { vlan vlan-id [ interface interface-type interface-number ] | static | dynamic }

  The DHCP snooping binding table is deleted for the VLAN.

----End

4.4.5 Configuring Option 82


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
vlan vlan-id

The VLAN view is displayed.

Step 3 Run:
dhcp option82 insert enable interface interface-type interface-number

Option 82 insertion is enabled.



Or run:
dhcp option82 rebuild enable interface interface-type interface-number

Forcible Option 82 insertion is enabled. A binding table covering accurate interface information can be created after Option 82 is enabled.

----End

Postrequisite
After the dhcp option82 insert enable command is configured, Option 82 is appended to a DHCP message only if the original message does not carry Option 82; a message that already carries Option 82 is left unchanged. After the dhcp option82 rebuild enable command is configured, Option 82 is appended if the original DHCP message does not carry it; if the original message already carries Option 82, the original Option 82 is forcibly removed and a new Option 82 is appended. dhcp option82 rebuild has a higher priority than dhcp option82 insert: configuring both dhcp option82 insert and dhcp option82 rebuild on the same interface is equivalent to configuring only dhcp option82 rebuild on that interface.

4.4.6 Checking the Configuration


Run the following commands to check the previous configuration.

Action: View the global DHCP snooping information.
Command: display dhcp snooping global

Action: View the information about the binding table of DHCP snooping.
Command: display dhcp snooping bind-table { ip ip-address | mac mac-address | vlan vlan-id [ interface interface-type interface-number ] | static | dynamic | all }

Action: View DHCP snooping information on the interface.
Command: display dhcp snooping { vlan vlan-id [ interface interface-type interface-number ] }

Action: View Option 82 status.
Command: display dhcp option82 { [ vlan vlan-id ] interface interface-type interface-number }

Run the preceding commands. If the following results are displayed, the configuration is successful:
- DHCP snooping is enabled in the system view and the interface view.
- Option 82 is enabled on the interface.
- Statistics about the discarded ARP, IP, and DHCP packets are displayed.
- Interface names and the matching MAC addresses and IP addresses in the DHCP snooping binding table are displayed.

<Quidway> display dhcp snooping vlan 100 interface ethernet 1/0/0
 dhcp snooping trusted interface Ethernet1/0/0
 arp total 0
 ip total 0
 dhcp-request total 0
 chaddr&src mac total 0
 dhcp-reply total 0

4.5 Configuring Defense on the Layer 3 Device Against Attacks by IP/MAC Spoofing
This section describes how to prevent the middleman attack and the IP/MAC spoofing attack on a Layer 3 device.
4.5.1 Establishing the Configuration Task
4.5.2 Enabling DHCP Snooping on the DHCP Relay
4.5.3 Enabling Packet Check on the Interface
4.5.4 Configuring the DHCP Snooping Binding Table
4.5.5 Enabling ARP and DHCP Association
4.5.6 Configuring Option 82
4.5.7 Checking the Configuration

4.5.1 Establishing the Configuration Task


Applicable Environment
When a middleman exists or there are IP/MAC spoofing attacks, the attacker pretends to be the DHCP server and the client to exchange data with the actual server and client. The DHCP server considers that all the packets are transmitted to or received from the client while the client considers all the packets are transmitted to or received from the DHCP server. In fact, all the packets are the "second hand" packets processed by the middleman. This enables the attacker to obtain data from the server and the client. To prevent the middleman attack and IP/MAC spoofing attack, configure DHCP snooping on Layer 3 devices and use the binding table of DHCP snooping. The received packets can be forwarded only when they match the entries in the binding table; otherwise, packets are discarded.

Pre-configuration Tasks
Before preventing the middleman attack and the IP/MAC spoofing attack through a Layer 3 device, complete the following tasks:
- Configuring the DHCP server
- Configuring the DHCP relay agent


Data Preparation
To prevent the middleman attack and the IP/MAC spoofing attack through a Layer 3 device, you need the following data.
No. 1: Name of the interface on which packet check is enabled
No. 2: Static IP addresses, packets from which are to be forwarded

4.5.2 Enabling DHCP Snooping on the DHCP Relay


Context
Do as follows on the DHCP relay agent:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp snooping enable

DHCP snooping is enabled. Enable DHCP snooping globally before enabling DHCP snooping on a Layer 3 interface.

Step 3 Run:
interface interface-type interface-number

The interface view is displayed. DHCP snooping can be enabled on the following Layer 3 interfaces:
- Ethernet interfaces (FE and GE)
- Ethernet sub-interfaces
- VLANIF interfaces
- Eth-Trunk interfaces
- Eth-Trunk sub-interfaces

Step 4 Run:
dhcp snooping enable

DHCP snooping is enabled on the interface.

----End


Issue 03 (2008-09-22) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. 4-17

4 DHCP Snooping Configuration

Quidway NetEngine80E/40E Core Router Configuration Guide - Security

Postrequisite
If the DHCP snooping binding table contains no entry that matches a received packet, the packet is discarded or forwarded according to the user configuration.

4.5.3 Enabling Packet Check on the Interface


Context
Do as follows on the DHCP relay agent:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
dhcp snooping check { arp | ip | dhcp-chaddr | dhcp-request } enable

Packet check is enabled on the interface.

----End

4.5.4 Configuring the DHCP Snooping Binding Table


Context
The following steps are optional. If a client is assigned a static IP address, configure static binding entries for these static IP addresses so that other hosts cannot use (spoof) them. If the binding table is backed up, the system automatically backs up the binding table to the specified path every 60 minutes. The dynamic entries in the DHCP snooping binding table require no configuration; they are generated automatically when DHCP snooping is enabled. The static entries, however, must be configured through commands.
NOTE

- If the IP address is dynamically assigned to the client, the device automatically learns the MAC address of the client and generates the IP/MAC binding entry. This entry requires no configuration.
- If the IP address is statically assigned to the client, the device cannot automatically learn the MAC address of the client, so no IP/MAC binding entry can be generated. You need to create the IP/MAC binding entry manually.

If you do not create the IP/MAC binding entries manually, one of the following two cases occurs:

- If packets without a matching entry are set to be forwarded, packets from all static IP addresses are forwarded and all static clients can access the DHCP server normally. By default, the device forwards unmatched packets.
- If packets without a matching entry are set to be discarded, packets from all static IP addresses are discarded and no static client can access the DHCP server.

To configure a binding table that covers detailed interface information, enable Option 82. If Option 82 is not enabled, the DHCP binding table generated after DHCP snooping is enabled on a VLANIF interface does not contain any information about the interface. For detailed configuration, see Configuring Option 82.

After receiving an ARP or IP packet, the interface matches the packet's source IP address and source MAC address against the DHCP snooping binding table, comparing the MAC address, IP address, interface and VLAN:
- If they do not match, the packet is discarded.
- If they fully match, the packet is forwarded.

By default, the Discard policy is adopted on the NE80E/40E. After receiving an ARP or IP packet, an interface compares its source IP address and source MAC address with the entries in the DHCP snooping binding table. The packet is forwarded if a matching entry is found and is discarded if no matching entry is found.

Procedure
- Configuring static entries for the DHCP snooping binding table for a Layer 3 interface
  Do as follows on the router:
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  interface interface-type interface-number

  The interface view is displayed.
  3. Run:
  dhcp snooping bind-table static ip-address ip-address mac-address mac-address

  Static IP and MAC binding entries are configured.
- Backing up the DHCP snooping binding table
  Do as follows on the router:
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  dhcp snooping bind-table autosave filename

  The binding table of DHCP snooping is backed up.
- Deleting the DHCP snooping binding table
  Do as follows on the router:

  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  reset dhcp snooping bind-table { vlan vlan-id [ interface interface-type interface-number ] | static | dynamic }

  The DHCP snooping binding table is deleted for the VLAN.

----End

4.5.5 Enabling ARP and DHCP Association


Context
Do as follows on the DHCP relay agent:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
arp dhcp-snooping-detect enable

ARP and DHCP association is enabled. If a user is disconnected abnormally after obtaining an IP address, the user cannot send a DHCP Release message to release the IP address. In such a case, you can configure ARP and DHCP association. The system performs ARP detection for IP addresses whose DHCP snooping entries have expired and that are not contained in ARP entries. If the system finds no user after a certain number of probes, it automatically deletes the binding entry from the DHCP binding table and informs the DHCP server to release the IP address.

----End

4.5.6 Configuring Option 82


Context
Do as follows on the DHCP relay agent:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number


The interface view is displayed.

Step 3 Run:
dhcp option82 insert enable

Option 82 insertion is enabled.

Or run:
dhcp option82 rebuild enable

Forcible Option 82 insertion is enabled. A binding table covering accurate interface information can be created after Option 82 is enabled.

----End

Postrequisite
After the dhcp option82 insert enable command is configured, Option 82 is appended to a DHCP message only if the original message does not carry Option 82; a message that already carries Option 82 is left unchanged. After the dhcp option82 rebuild enable command is configured, Option 82 is appended if the original DHCP message does not carry it; if the original message already carries Option 82, the original Option 82 is forcibly removed and a new Option 82 is appended. dhcp option82 rebuild has a higher priority than dhcp option82 insert: configuring both dhcp option82 insert and dhcp option82 rebuild on the same interface is equivalent to configuring only dhcp option82 rebuild on that interface.

4.5.7 Checking the Configuration


Run the following commands to check the previous configuration.

Action: View the global DHCP snooping information.
Command: display dhcp snooping global

Action: View the information about the binding table of DHCP snooping.
Command: display dhcp snooping bind-table { all | dynamic | ip-address ip-address | mac-address mac-address | [ vlan vlan-id ] interface interface-type interface-number | static }

Action: View DHCP snooping information on the interface.
Command: display dhcp snooping interface interface-type interface-number

Action: View Option 82 status.
Command: display dhcp option82 interface interface-type interface-number

Run the preceding commands. If the following results are displayed, the configuration is successful:
- DHCP snooping is enabled in the system view and the interface view.
- Option 82 is enabled on the interface.
- Statistics about the discarded ARP, IP, and DHCP packets are displayed.
- Interface names and their matching MAC addresses and IP addresses in the DHCP snooping binding table are displayed.

4.6 Configuring Defense on the Layer 2 Device Against Attacks by Changing CHADDRs
This section describes how to prevent the attacker from changing the Client Hardware Address (CHADDR) on a Layer 2 device.
4.6.1 Establishing the Configuration Task
4.6.2 Enabling DHCP Snooping
4.6.3 Enabling Checking CHADDRs in Packets
4.6.4 Checking the Configuration

4.6.1 Establishing the Configuration Task


Applicable Environment
In a DHCP exhaustion attack, the attacker changes the Client Hardware Address (CHADDR) carried in the DHCP message, but not the source MAC address in the frame header, and uses it to apply for IP addresses continuously. This prevents the MAC address limit from taking effect, because the router checks the validity of packets only against the source MAC address in the frame header. To prevent the attacker from changing the CHADDR, enable DHCP snooping to check the CHADDR field carried in the DHCP request message. If the CHADDR field matches the source MAC address in the frame header, the packet is forwarded; otherwise, the packet is discarded.

Pre-configuration Tasks
Before preventing the attacker from changing CHADDR through a Layer 2 device, complete the following tasks:
- Configuring the DHCP server

Data Preparation
To prevent the attacker from changing the CHADDR through a Layer 2 device, you need the following data.
No. 1: Name of the interface added to the VLAN
No. 2: ID of the VLAN to which the interface belongs


4.6.2 Enabling DHCP Snooping


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp snooping enable

DHCP snooping is enabled. Enable DHCP snooping globally before enabling DHCP snooping on a VLAN.

Step 3 Run:
vlan vlan-id

The VLAN view is displayed.

Step 4 Run:
port interface-type { interface-number1 [ to interface-number2 ] } &<1-10>

Layer 2 interfaces are added to the VLAN. Interfaces added to the VLAN must be Layer 2 interfaces. If they are Layer 3 interfaces, first run the command that switches them from Layer 3 mode to Layer 2 mode.

Step 5 Run:
dhcp snooping enable [ interface interface-type interface-number ]

DHCP snooping is enabled.

----End

4.6.3 Enabling Checking CHADDRs in Packets


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.



Step 2 Run:
vlan vlan-id

The VLAN view is displayed.

Step 3 Run:
dhcp snooping check dhcp-chaddr enable [ interface interface-type interface-number ]

Checking CHADDRs of packets from the specified VLAN is enabled.

----End

4.6.4 Checking the Configuration


Run the following commands to check the previous configuration.

Action: View the global DHCP snooping information.
Command: display dhcp snooping global

Action: View DHCP snooping information on the interface.
Command: display dhcp snooping { vlan vlan-id [ interface interface-type interface-number ] }

Run the preceding commands. If the following results are displayed, the configuration is successful:
- DHCP snooping is enabled in the system view and the interface view.
- Statistics about the discarded ARP, IP, and DHCP packets are displayed.

4.7 Configuring Defense on the Layer 3 Device Against Attacks by Changing CHADDRs
This section describes how to prevent attacks by changing the CHADDR on a Layer 3 device.
4.7.1 Establishing the Configuration Task
4.7.2 Enabling DHCP Snooping on the DHCP Relay
4.7.3 Enabling Checking CHADDRs of Packets
4.7.4 Checking the Configuration

4.7.1 Establishing the Configuration Task


Applicable Environment
In a DHCP exhaustion attack, the attacker changes the CHADDR carried in the DHCP message, but not the source MAC address in the frame header, and uses it to apply for IP addresses continuously. This prevents the MAC address limit from taking effect, because the router checks the validity of packets only against the source MAC address in the frame header. To prevent the attacker from changing the CHADDR, enable DHCP snooping to check the CHADDR field carried in the DHCP request message. If the CHADDR field matches the source MAC address in the frame header, the packet is forwarded; otherwise, the packet is discarded.

Pre-configuration Tasks
Before preventing the attacker from changing CHADDR through a Layer 3 device, complete the following tasks:
- Configuring the DHCP server
- Configuring the DHCP relay agent

Data Preparation
To prevent the attacker from changing the CHADDR through a Layer 3 device, you need the following data.
No. 1: Name of the interface on which packet check is enabled

4.7.2 Enabling DHCP Snooping on the DHCP Relay


Context
Do as follows on the DHCP relay agent:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp snooping enable

DHCP snooping is enabled. Enable DHCP snooping globally before enabling DHCP snooping on a Layer 3 interface.

Step 3 Run:
interface interface-type interface-number

The interface view is displayed. DHCP snooping can be enabled on the following Layer 3 interfaces:
- Ethernet interfaces (FE and GE)
- Ethernet sub-interfaces
- VLANIF interfaces
- Eth-Trunk interfaces
- Eth-Trunk sub-interfaces

Step 4 Run:
dhcp snooping enable

DHCP snooping is enabled on the interface.

----End

Postrequisite
If the DHCP snooping binding table contains no entry that matches a received packet, the packet is discarded or forwarded according to the user configuration.

4.7.3 Enabling Checking CHADDRs of Packets


Context
Do as follows on the DHCP relay agent:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
dhcp snooping check dhcp-chaddr enable

Checking CHADDRs of packets is enabled on the interface. Enable CHADDR checking to prevent the DHCP exhaustion attack. The device compares the CHADDR field in a received DHCP Request message with the source MAC address in the frame header. If they are inconsistent, the DHCP Request message is considered an attack packet and is discarded directly.

----End
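The CHADDR check described in Step 3 (and in 4.6.3) as an added Python example; this is not NE80E/40E code, and the frame builder, the verdict strings and the restriction to client-to-server BOOTREQUEST frames are assumptions made for illustration.

```python
# Added example: CHADDR-versus-source-MAC check for a DHCP Request frame.
# Not NE80E/40E code; frame builder and verdict strings are assumptions.
import struct

ETH_HDR_LEN = 14
UDP_HDR_LEN = 8
BOOTP_HLEN_OFF = 2      # hlen: length of the hardware address in chaddr
BOOTP_CHADDR_OFF = 28   # start of the 16-byte chaddr field
BOOTP_FIXED_LEN = 236   # fixed BOOTP header before the magic cookie


def chaddr_check(frame: bytes) -> str:
    """Return 'forward' if the DHCP chaddr equals the Ethernet source MAC,
    'discard' if it differs, and 'not-dhcp' for frames the check ignores."""
    if len(frame) < ETH_HDR_LEN + 20 + UDP_HDR_LEN + BOOTP_FIXED_LEN:
        return "not-dhcp"
    src_mac = frame[6:12]
    if frame[12:14] != b"\x08\x00":             # IPv4 only
        return "not-dhcp"
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4
    if frame[ETH_HDR_LEN + 9] != 17:             # UDP only
        return "not-dhcp"
    udp = ETH_HDR_LEN + ihl
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    if (sport, dport) != (68, 67):               # client -> server direction
        return "not-dhcp"
    bootp = udp + UDP_HDR_LEN
    if frame[bootp] != 1:                        # op 1 = BOOTREQUEST
        return "not-dhcp"
    hlen = frame[bootp + BOOTP_HLEN_OFF]
    chaddr = frame[bootp + BOOTP_CHADDR_OFF:bootp + BOOTP_CHADDR_OFF + hlen]
    # Attack pattern from the guide: a genuine source MAC (so per-MAC limits
    # pass) combined with a forged chaddr (so the server hands out one more lease).
    return "forward" if chaddr == src_mac else "discard"


def build_dhcp_request_frame(src_mac: bytes, chaddr: bytes) -> bytes:
    """Constructed minimal Ethernet/IPv4/UDP/BOOTP frame for testing. Only the
    fields the check reads are meaningful; lengths and checksums are zero."""
    eth = b"\xff" * 6 + src_mac + b"\x08\x00"
    ip = (b"\x45\x00" + b"\x00\x00" * 3           # ver/IHL, TOS, len, id, flags
          + bytes([64, 17]) + b"\x00\x00"         # TTL, protocol UDP, checksum
          + b"\x00" * 4 + b"\xff" * 4)            # 0.0.0.0 -> 255.255.255.255
    udp = struct.pack("!HHHH", 68, 67, 0, 0)
    bootp = (struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x12345678, 0, 0x8000)
             + b"\x00" * 16                        # ciaddr, yiaddr, siaddr, giaddr
             + chaddr.ljust(16, b"\x00")
             + b"\x00" * (64 + 128)                # sname, file
             + b"\x63\x82\x53\x63"                 # magic cookie
             + b"\x35\x01\x03\xff")                # option 53 = DHCPREQUEST, end
    return eth + ip + udp + bootp
```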

4.7.4 Checking the Configuration


Run the following commands to check the previous configuration.

Action: View the global DHCP snooping information.
Command: display dhcp snooping global

Action: View the DHCP snooping information on the interface.
Command: display dhcp snooping interface interface-type interface-number

Run the preceding commands. If the following results are displayed, the configuration is successful:
- DHCP snooping is enabled both in the system view and the interface view.
- Statistics about the discarded ARP, IP, and DHCP packets are displayed.

4.8 Configuring Defense on the Layer 2 Device Against Attacks by Sending Bogus Messages for Extending IP Leases
This section describes how to prevent the attacker from sending bogus messages for extending IP leases on a Layer 2 device.
4.8.1 Establishing the Configuration Task
4.8.2 Enabling DHCP Snooping
4.8.3 Enabling Checking DHCP Request Messages
4.8.4 Configuring the DHCP Snooping Binding Table
4.8.5 Configuring Option 82
4.8.6 Checking the Configuration

4.8.1 Establishing the Configuration Task


Applicable Environment
An attacker pretends to be a legal client and continuously sends DHCP request messages intended to extend the IP address lease. This prevents certain expired IP addresses from being reused normally, which is not what a legal client does. To prevent the attacker from sending bogus messages to extend IP address leases, configure DHCP snooping on the Layer 2 device to check DHCP request messages against the DHCP snooping binding table. A received packet is then considered a legal DHCP request message and forwarded only when its information is consistent with the binding table; otherwise, the packet is discarded.


Pre-configuration Tasks
Before preventing the attacker from sending bogus messages for extending the IP lease through a Layer 2 device, complete the following tasks:
- Configuring the DHCP server

Data Preparation
To prevent the attacker from sending bogus messages for extending the IP lease through a Layer 2 device, you need the following data.
No. 1: Name of the interface that is added to a VLAN
No. 2: ID of the VLAN to which the interface belongs
No. 3: Static IP addresses, packets from which are to be forwarded

4.8.2 Enabling DHCP Snooping


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp snooping enable

DHCP snooping is enabled. Enable DHCP snooping globally before enabling DHCP snooping on a VLAN.

Step 3 Run:
vlan vlan-id

The VLAN view is displayed.

Step 4 Run:
port interface-type { interface-number1 [ to interface-number2 ] } &<1-10>

Layer 2 interfaces are added to the VLAN. Interfaces added to the VLAN must be Layer 2 interfaces. If they are Layer 3 interfaces, first run the command that switches them from Layer 3 mode to Layer 2 mode.

Step 5 Run:
dhcp snooping enable [ interface interface-type interface-number ]


DHCP snooping is enabled.

----End

4.8.3 Enabling Checking DHCP Request Messages


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
vlan vlan-id

The VLAN view is displayed.

Step 3 Run:
dhcp snooping check dhcp-request enable [ interface interface-type interface-number ]

Checking DHCP request messages from the specified VLAN is enabled.

----End

4.8.4 Configuring the DHCP Snooping Binding Table


Context
The following steps are optional. If a client is assigned a static IP address, configure static binding entries for these static IP addresses so that other hosts cannot use (spoof) them. If the binding table is backed up, the system automatically backs up the binding table to the specified path every 60 minutes. The dynamic entries in the DHCP snooping binding table require no configuration; they are generated automatically when DHCP snooping is enabled. The static entries, however, must be configured through commands.
NOTE

- If the IP address is dynamically assigned to the client, the device automatically learns the MAC address of the client and generates the IP/MAC binding entry. This entry requires no configuration.
- If the IP address is statically assigned to the client, the device cannot automatically learn the MAC address of the client, so no IP/MAC binding entry can be generated. You need to create the IP/MAC binding entry manually.

If you do not create the IP/MAC binding entries manually, one of the following two cases occurs:

- If packets without a matching entry are set to be forwarded, packets from all static IP addresses are forwarded and all static clients can access the DHCP server normally. By default, the device forwards unmatched packets.
- If packets without a matching entry are set to be discarded, packets from all static IP addresses are discarded and no static client can access the DHCP server.

To configure a binding table that covers detailed interface information, enable Option 82. If Option 82 is not enabled, the DHCP binding table generated after DHCP snooping is enabled on a VLANIF interface does not contain any information about the interface. For detailed configuration, see Configuring Option 82.

After receiving an ARP or IP packet, the interface matches the packet's source IP address and source MAC address against the DHCP snooping binding table, comparing the MAC address, IP address, interface and VLAN:
- If they do not match, the packet is discarded.
- If they fully match, the packet is forwarded.

By default, the Discard policy is adopted on the NE80E/40E. After receiving an ARP or IP packet, an interface compares its source IP address and source MAC address with the entries in the DHCP snooping binding table. The packet is forwarded if a matching entry is found and is discarded if no matching entry is found.

Procedure
- Configuring static entries for the DHCP snooping binding table for a VLAN
  Do as follows on the router:
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  vlan vlan-id

  The VLAN view is displayed.
  3. Run:
  dhcp snooping bind-table static ip-address ip-address mac-address mac-address [ interface interface-type interface-number ]

  Static IP and MAC binding entries are configured.
- Backing up the DHCP snooping binding table
  Do as follows on the router:
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  dhcp snooping bind-table autosave filename

  The binding table of DHCP snooping is backed up.
- Deleting the DHCP snooping binding table
  Do as follows on the router:

  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  reset dhcp snooping bind-table { vlan vlan-id [ interface interface-type interface-number ] | static | dynamic }

  The DHCP snooping binding table is deleted for the VLAN.

----End
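The binding-table behaviour described in this section's Context and Procedure (identical to 4.4.4 and 4.5.4), together with the ARP/DHCP association of 4.5.5 and the lease-renewal check of 4.9.1, as an added Python model. This is example code, not NE80E/40E software: the entry layout, the unmatched-packet policy switch, the probe counter and all sample addresses are assumptions.

```python
# Added example modelling the DHCP snooping binding-table checks of this chapter.
# Not NE80E/40E code: entry layout, policy switch and probe counter are assumptions.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FORWARD = "forward"
DISCARD = "discard"


@dataclass(frozen=True)
class BindEntry:
    """One IP/MAC binding; vlan/interface are None when the entry was learned
    without that information (for example on a VLANIF without Option 82)."""
    ip: str
    mac: str
    vlan: Optional[int]
    interface: Optional[str]
    static: bool


class SnoopingBindTable:
    def __init__(self, unmatched_policy: str = DISCARD) -> None:
        # What happens to an ARP/IP packet whose source IP+MAC has no entry at all;
        # the guide describes both a Forward and a Discard setting.
        if unmatched_policy not in (FORWARD, DISCARD):
            raise ValueError(unmatched_policy)
        self.unmatched_policy = unmatched_policy
        self._entries: Dict[Tuple[str, str], BindEntry] = {}

    def add_static(self, ip: str, mac: str, vlan: Optional[int] = None,
                   interface: Optional[str] = None) -> None:
        """Counterpart of 'dhcp snooping bind-table static ...' for a static client."""
        self._entries[(ip, mac.lower())] = BindEntry(ip, mac.lower(), vlan, interface, True)

    def learn_dynamic(self, ip: str, mac: str, vlan: Optional[int] = None,
                      interface: Optional[str] = None) -> None:
        """Entry the device creates by itself while snooping a DHCP exchange."""
        self._entries[(ip, mac.lower())] = BindEntry(ip, mac.lower(), vlan, interface, False)

    def reset(self, scope: str, vlan: Optional[int] = None) -> int:
        """Counterpart of 'reset dhcp snooping bind-table { vlan | static | dynamic }';
        returns how many entries were removed."""
        if scope == "static":
            doomed = [k for k, e in self._entries.items() if e.static]
        elif scope == "dynamic":
            doomed = [k for k, e in self._entries.items() if not e.static]
        elif scope == "vlan":
            doomed = [k for k, e in self._entries.items() if e.vlan == vlan]
        else:
            raise ValueError(scope)
        for k in doomed:
            del self._entries[k]
        return len(doomed)

    def check_arp_or_ip(self, src_ip: str, src_mac: str, vlan: Optional[int] = None,
                        interface: Optional[str] = None) -> str:
        """ARP/IP packet check: source IP+MAC must have an entry, and the VLAN and
        interface recorded in that entry (when present) must agree as well."""
        entry = self._entries.get((src_ip, src_mac.lower()))
        if entry is None:
            return self.unmatched_policy
        if entry.vlan is not None and entry.vlan != vlan:
            return DISCARD
        if entry.interface is not None and entry.interface != interface:
            return DISCARD
        return FORWARD

    def check_dhcp_request(self, client_ip: str, src_mac: str, vlan: Optional[int] = None,
                           interface: Optional[str] = None) -> str:
        """Lease-renewal check as described in 4.9.1: the client IP is the lookup
        index. No entry for it -> forward (a fresh lease); an entry bound to a
        different MAC/VLAN/interface -> bogus renewal, discard."""
        candidates = [e for (ip, _), e in self._entries.items() if ip == client_ip]
        if not candidates:
            return FORWARD
        for e in candidates:
            if (e.mac == src_mac.lower() and e.vlan in (None, vlan)
                    and e.interface in (None, interface)):
                return FORWARD
        return DISCARD

    def arp_probes_failed(self, ip: str, failed_probes: int, max_probes: int = 3) -> bool:
        """ARP and DHCP association (4.5.5): once max_probes ARP probes for an expired
        dynamic entry go unanswered, drop the entry and return True so the caller
        can tell the DHCP server to release the address."""
        if failed_probes < max_probes:
            return False
        doomed = [k for k, e in self._entries.items() if e.ip == ip and not e.static]
        for k in doomed:
            del self._entries[k]
        return bool(doomed)
```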

4.8.5 Configuring Option 82


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
vlan vlan-id

The VLAN view is displayed.

Step 3 Run:
dhcp option82 insert enable interface interface-type interface-number

Option 82 insertion is enabled.

Or run:
dhcp option82 rebuild enable interface interface-type interface-number

Forcible Option 82 insertion is enabled. A binding table covering accurate interface information can be created after Option 82 is enabled.

----End

Postrequisite
After the dhcp option82 insert enable command is configured, Option 82 is appended to a DHCP message only if the original message does not carry Option 82; a message that already carries Option 82 is left unchanged. After the dhcp option82 rebuild enable command is configured, Option 82 is appended if the original DHCP message does not carry it; if the original message already carries Option 82, the original Option 82 is forcibly removed and a new Option 82 is appended. dhcp option82 rebuild has a higher priority than dhcp option82 insert: configuring both dhcp option82 insert and dhcp option82 rebuild on the same interface is equivalent to configuring only dhcp option82 rebuild on that interface.
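The insert and rebuild semantics of this Postrequisite (the same text applies to 4.4.5 and 4.5.6) as an added Python example operating on the option field of a DHCP message. This is not NE80E/40E code; the sub-option contents (circuit-id and remote-id), the helper names and the constructed DISCOVER message are assumptions.

```python
# Added example: Option 82 "insert" versus "rebuild" on the DHCP option field.
# Not NE80E/40E code; sub-option contents and helper names are assumptions.
from typing import List, Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_FIXED_LEN = 236
OPT_PAD, OPT_END, OPT_RELAY_AGENT = 0, 255, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def parse_tlvs(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk code/length/value items; used both for the option field and for the
    sub-options inside Option 82, which use the same encoding."""
    items, i = [], 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option at offset %d" % i)
        length = data[i + 1]
        items.append((code, data[i + 2:i + 2 + length]))
        i += 2 + length
    return items


def serialize_tlvs(items: List[Tuple[int, bytes]], end: bool) -> bytes:
    out = b"".join(bytes([code, len(value)]) + value for code, value in items)
    return out + bytes([OPT_END]) if end else out


def effective_mode(insert_enabled: bool, rebuild_enabled: bool) -> Optional[str]:
    """rebuild takes priority over insert when both are configured on an interface."""
    if rebuild_enabled:
        return "rebuild"
    return "insert" if insert_enabled else None


def apply_option82(dhcp: bytes, mode: str, circuit_id: bytes, remote_id: bytes) -> bytes:
    """insert: append Option 82 only if the message has none, else leave it untouched.
    rebuild: strip any existing Option 82 and append a freshly built one."""
    fixed = dhcp[:BOOTP_FIXED_LEN]
    cookie = dhcp[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4]
    if cookie != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    items = parse_tlvs(dhcp[BOOTP_FIXED_LEN + 4:])
    has_82 = any(code == OPT_RELAY_AGENT for code, _ in items)
    if mode == "insert":
        if has_82:
            return dhcp
    elif mode == "rebuild":
        items = [(c, v) for c, v in items if c != OPT_RELAY_AGENT]
    else:
        raise ValueError(mode)
    sub = serialize_tlvs([(SUB_CIRCUIT_ID, circuit_id), (SUB_REMOTE_ID, remote_id)], end=False)
    items.append((OPT_RELAY_AGENT, sub))
    return fixed + cookie + serialize_tlvs(items, end=True)


def option82_of(dhcp: bytes) -> Optional[dict]:
    """Return the circuit-id/remote-id carried in Option 82, or None if absent."""
    for code, value in parse_tlvs(dhcp[BOOTP_FIXED_LEN + 4:]):
        if code == OPT_RELAY_AGENT:
            subs = dict(parse_tlvs(value))
            return {"circuit_id": subs.get(SUB_CIRCUIT_ID), "remote_id": subs.get(SUB_REMOTE_ID)}
    return None


# Constructed DHCPDISCOVER: op=1, htype=1, hlen=6, rest of the fixed header zero,
# then the magic cookie and option 53 (message type 1 = DISCOVER).
SAMPLE_DISCOVER = bytes([1, 1, 6]) + b"\x00" * 233 + MAGIC_COOKIE + bytes([53, 1, 1, OPT_END])
```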

4.8.6 Checking the Configuration

Run the following commands to check the previous configuration.

Action                                                           Command
View the global DHCP snooping information.                       display dhcp snooping global
View the information about the binding table of DHCP snooping.   display dhcp snooping bind-table { ip ip-address | mac mac-address | vlan vlan-id [ interface interface-type interface-number ] | static | dynamic | all }
View DHCP snooping information on the interface.                 display dhcp snooping { vlan vlan-id [ interface interface-type interface-number ] }
View Option 82 status.                                           display dhcp option82 { [ vlan vlan-id ] interface interface-type interface-number }

Run the preceding commands. If the following results are displayed, the configuration is successful:
• DHCP snooping is enabled in the system view and the interface view.
• Option 82 is enabled on the interface.
• Statistics about the discarded ARP, IP, and DHCP packets are displayed.
• Interface names and their matching MAC addresses and IP addresses in the binding table of DHCP snooping are displayed.

4.9 Configuring Defense on the Layer 3 Device Against Attacks by Sending Bogus Messages for Extending IP Leases
This section describes how to prevent the attacker from sending bogus messages for extending IP leases on a Layer 3 device.

4.9.1 Establishing the Configuration Task
4.9.2 Enabling DHCP Snooping on the DHCP Relay
4.9.3 Enabling Checking DHCP Request Messages
4.9.4 Configuring the DHCP Snooping Binding Table
4.9.5 Enabling ARP and DHCP Association
4.9.6 Configuring Option 82
4.9.7 Checking the Configuration

4.9.1 Establishing the Configuration Task

Applicable Environment
An attacker pretends to be a legitimate client and continuously sends DHCP request messages intended to extend the IP address lease. This prevents expired IP addresses from being reclaimed and reused normally, which a legitimate client has no reason to do. To prevent the attacker from sending bogus messages to extend IP address leases, configure DHCP snooping on the Layer 3 device to check DHCP request messages against the binding table of DHCP snooping. Upon receiving a message, the device looks up the binding table according to the index. If no matching binding table is found, the message is forwarded. If a matching binding table exists, the device matches the message with the entries in that table. If an entry matches, the message is forwarded; otherwise, the packet is discarded.

Pre-configuration Tasks
Before preventing the attacker from sending bogus messages for extending IP leases, complete the following tasks:
• Configuring the DHCP server
• Configuring the DHCP relay agent

Data Preparation
To prevent the attacker from sending bogus messages for extending IP leases, you need the following data.

No   Data
1    Name of the interface enabled with packet check
2    Static IP addresses, packets from which are to be forwarded

4.9.2 Enabling DHCP Snooping on the DHCP Relay



Context
Do as follows on the DHCP relay agent:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp snooping enable

DHCP snooping is enabled. Enable DHCP snooping globally before enabling DHCP snooping on a Layer 3 interface.

Step 3 Run:
interface interface-type interface-number

The interface view is displayed. DHCP snooping can be enabled on the following Layer 3 interfaces:
• Ethernet interfaces (FE and GE)
• Ethernet sub-interfaces
• VLANIF interfaces
• Eth-Trunk interfaces
• Eth-Trunk sub-interfaces

Step 4 Run:
dhcp snooping enable

DHCP snooping is enabled on the interface.
----End

Postrequisite
If the DHCP snooping binding table contains no entries mapped to the received packets, the packets are discarded or forwarded based on user configurations.

4.9.3 Enabling Checking DHCP Request Messages


Context
Do as follows on the DHCP relay agent:

Procedure
Step 1 Run:
system-view


The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
dhcp snooping check dhcp-request enable

Checking DHCP request messages received on the specified interface is enabled.
----End

4.9.4 Configuring the DHCP Snooping Binding Table


Context
The following steps are optional. If a client is assigned a static IP address, configure static binding entries for these static IP addresses so that they cannot be spoofed. If the binding table is backed up, the system automatically backs it up to the specified path every 60 minutes.

The dynamic entries in the binding table of DHCP snooping require no configuration; they are generated automatically when DHCP snooping is enabled. The static entries, however, must be configured through commands.

NOTE
• If the IP address is dynamically assigned to the client, the device automatically learns the MAC address of the client and generates the IP and MAC binding table. This binding table requires no configuration.
• If the IP address is statically assigned to the client, the device cannot automatically learn the MAC address of the client, and the IP/MAC binding table cannot be generated. You need to create the IP and MAC binding table manually.

If you do not create an IP and MAC binding table manually, one of the following two cases occurs:
• If packets without a matching entry are set to be forwarded, packets from all static IP addresses are forwarded and all the static clients can access the DHCP server normally. By default, the device forwards the unmatched packets.
• If packets without a matching entry are set to be discarded, packets from all static IP addresses are discarded and no static client can access the DHCP server.

To configure a binding table that covers detailed interface information, you need to enable Option 82. If Option 82 is not enabled, the DHCP binding table generated after DHCP snooping is enabled on a VLANIF interface does not contain any information about the interface. For detailed configuration, see Configuring Option 82.

After receiving an ARP or an IP packet, the interface matches its source IP address + source MAC address with the binding table of DHCP snooping to check the information about the MAC address, IP address, interface and VLAN.
• If they do not match, the packet is discarded.
• If they totally match, the packet is forwarded.

By default, the Discard policy is adopted on the NE80E/40E. After receiving an ARP or IP packet, an interface compares its source IP address and source MAC address with the entries in the DHCP snooping binding table. The packet is forwarded if a matching entry is found and is discarded if no matching entry is found.
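The lookup described above and in 4.9.1 (look up the binding table by its index, apply the nomatch-packet action when the source has no entry, forward only on a total IP + MAC match) can be modelled in a few lines. The following Python program is an added example, not code from the NE80E/40E or from this guide. It assumes the binding table is indexed by (VLAN, interface), that a lease-renewal Request is checked by its ciaddr/chaddr pair, and that the unmatched-packet action is whatever was set with dhcp snooping nomatch-packet; the class names, addresses and sample entries are constructed for illustration.

```python
"""Binding-table check for ARP, IP and DHCP Request packets (added example,
not NE80E/40E code). Assumptions: the binding table is indexed by
(vlan, interface), a renewal Request is checked by its ciaddr/chaddr pair,
and the unmatched-packet action is taken from the nomatch-packet setting."""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class BindEntry:
    ip: str
    mac: str
    static: bool = False   # static: configured by hand; dynamic: learned from DHCP


class SnoopingTable:
    def __init__(self, arp_nomatch: str = "discard", ip_nomatch: str = "discard") -> None:
        # (vlan, interface) -> {ip -> entry}
        self.entries: Dict[Tuple[int, str], Dict[str, BindEntry]] = {}
        # 'dhcp snooping nomatch-packet { arp | ip } action { discard | forward }'
        self.nomatch = {"arp": arp_nomatch, "ip": ip_nomatch}

    def add(self, vlan: int, interface: str, entry: BindEntry) -> None:
        self.entries.setdefault((vlan, interface), {})[entry.ip] = entry

    def check(self, kind: str, src_ip: str, src_mac: str, vlan: int, interface: str) -> str:
        """Decide 'forward' or 'discard' for an ARP or IP packet by source IP + source MAC."""
        table = self.entries.get((vlan, interface))
        if table is None:
            return "forward"            # no binding table for this index (4.9.1)
        entry = table.get(src_ip)
        if entry is None:
            return self.nomatch[kind]   # no entry for this source: nomatch-packet action
        if entry.mac.lower() == src_mac.lower():
            return "forward"            # total match: the sender owns the address
        return "discard"                # IP is bound to another MAC: spoofed source

    def check_dhcp_request(self, ciaddr: str, chaddr: str, vlan: int, interface: str) -> str:
        """Renewal Request (4.9.3): a client may only extend a lease bound to its own MAC."""
        if ciaddr == "0.0.0.0":
            return "forward"            # initial Request, no lease is being claimed
        table = self.entries.get((vlan, interface))
        if table is None:
            return "forward"
        entry = table.get(ciaddr)
        if entry is None or entry.mac.lower() != chaddr.lower():
            return "discard"            # bogus lease-extension request
        return "forward"


if __name__ == "__main__":
    # Constructed scenario: one dynamic client, one static host without an entry.
    table = SnoopingTable()   # nomatch action defaults to discard in this example
    table.add(1, "Eth1/0/0", BindEntry("10.1.1.2", "0000-5e00-0001"))
    print(table.check("ip", "10.1.1.3", "0000-005e-008a", 1, "Eth1/0/0"))  # static host, no entry
    table.add(1, "Eth1/0/0", BindEntry("10.1.1.3", "0000-005e-008a", static=True))
    print(table.check("ip", "10.1.1.3", "0000-005e-008a", 1, "Eth1/0/0"))  # now forwarded
```

The two runs of the static host show why the NOTE above insists on manual entries: with the discard action, a statically addressed client is cut off from the DHCP server until its binding is configured.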

Procedure
• Configuring static entries for the DHCP snooping binding table for a Layer 3 interface
  Do as follows on the router:
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     interface interface-type interface-number

     The interface view is displayed.
  3. Run:
     dhcp snooping bind-table static ip-address ip-address mac-address mac-address

     Static IP and MAC binding entries are configured.

• Backing up the DHCP snooping binding table
  Do as follows on the router:
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     dhcp snooping bind-table autosave filename

     The binding table of DHCP snooping is backed up.

• Deleting the DHCP snooping binding table
  Do as follows on the router:
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     reset dhcp snooping bind-table { vlan vlan-id [ interface interface-type interface-number ] | static | dynamic }

     The binding table of DHCP snooping is deleted from a VLAN.
----End

4.9.5 Enabling ARP and DHCP Association



Context
Do as follows on the DHCP relay agent:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
arp dhcp-snooping-detect enable

ARP and DHCP association is enabled. If a user is disconnected abnormally after obtaining an IP address, the user cannot send a DHCP Release message to release the IP address. In such a case, you can configure ARP and DHCP association. The system performs ARP detection for the IP addresses whose DHCP snooping entries expire and are not contained in ARP entries. If the system finds no user after a certain number of probes, it automatically deletes the binding entry from the DHCP binding table and informs the DHCP server to release the IP address.
----End

4.9.6 Configuring Option 82


Context
Do as follows on the DHCP relay agent:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
dhcp option82 insert enable

Option 82 insertion is enabled.

Or run:
dhcp option82 rebuild enable

Forcible Option 82 insertion is enabled. A binding table covering accurate interface information can be created after Option 82 is enabled.
----End

Postrequisite
After the dhcp option82 insert enable command is configured, Option 82 is appended to a DHCP message only if the original message does not carry Option 82; if the message already carries Option 82, that option is left unchanged.

After the dhcp option82 rebuild enable command is configured, Option 82 is appended to a DHCP message if the original message does not carry Option 82. If the original message already carries Option 82, the original Option 82 is forcibly removed and a new Option 82 is appended.

dhcp option82 rebuild has a higher priority than dhcp option82 insert. Configuring dhcp option82 insert and dhcp option82 rebuild simultaneously on an interface is equivalent to configuring dhcp option82 rebuild alone on the interface.
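The difference between insert and rebuild (here and in 4.8.5) is easiest to see on the options field of an actual DHCP message. The following Python program is an added example, not code from the NE80E/40E or from this guide. It assumes Option 82 is built from a circuit-ID sub-option (1) and a remote-ID sub-option (2); the interface name, MAC addresses and the two sample DISCOVER messages are constructed.

```python
"""Option 82 insert versus rebuild on a DHCP options field.
Added example, not NE80E/40E code. Assumptions: Option 82 carries a circuit-ID
(sub-option 1) and a remote-ID (sub-option 2); all sample values are constructed."""
from typing import List, Optional, Tuple

OPT_PAD, OPT_RELAY_AGENT, OPT_END = 0, 82, 255
Option = Tuple[int, bytes]


def parse_options(data: bytes) -> List[Option]:
    """Parse the options field (after the magic cookie) into (code, value) pairs."""
    opts, i = [], 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts.append((code, value))
        i += 2 + length
    return opts


def build_options(opts: List[Option]) -> bytes:
    out = bytearray()
    for code, value in opts:
        if len(value) > 255:
            raise ValueError("option value too long")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def make_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Relay agent information: sub-option 1 (circuit ID) and sub-option 2 (remote ID)."""
    return (bytes([1, len(circuit_id)]) + circuit_id
            + bytes([2, len(remote_id)]) + remote_id)


def get_option82(data: bytes) -> Optional[bytes]:
    for code, value in parse_options(data):
        if code == OPT_RELAY_AGENT:
            return value
    return None


def option82_insert(data: bytes, agent_info: bytes) -> bytes:
    """'dhcp option82 insert enable': append Option 82 only when the message lacks it;
    a message that already carries Option 82 is passed through unchanged."""
    opts = parse_options(data)
    if any(code == OPT_RELAY_AGENT for code, _ in opts):
        return data
    return build_options(opts + [(OPT_RELAY_AGENT, agent_info)])


def option82_rebuild(data: bytes, agent_info: bytes) -> bytes:
    """'dhcp option82 rebuild enable': drop any Option 82 the message carries and
    append the relay's own, so the interface information in the binding table
    always comes from the relay, never from the client."""
    opts = [(c, v) for c, v in parse_options(data) if c != OPT_RELAY_AGENT]
    return build_options(opts + [(OPT_RELAY_AGENT, agent_info)])


def apply_option82(data: bytes, agent_info: bytes, insert: bool = False,
                   rebuild: bool = False) -> bytes:
    """Rebuild takes priority when both are configured on the same interface."""
    if rebuild:
        return option82_rebuild(data, agent_info)
    if insert:
        return option82_insert(data, agent_info)
    return data


# Constructed samples: a DISCOVER without Option 82, and one that already carries
# a client-supplied Option 82 naming an interface the client is not attached to.
OUR_82 = make_option82(b"Eth1/0/0", bytes.fromhex("00005e008a01"))
CLIENT_82 = make_option82(b"Eth2/0/0", bytes.fromhex("00005e000001"))
DISCOVER_PLAIN = build_options([(53, b"\x01"), (55, b"\x01\x03\x06")])
DISCOVER_WITH_82 = build_options([(53, b"\x01"), (OPT_RELAY_AGENT, CLIENT_82)])
```

With insert, DISCOVER_WITH_82 passes through unchanged and the binding table would record the interface the client chose; with rebuild, the client-supplied option is replaced, which is why rebuild is the setting that yields accurate interface information.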

4.9.7 Checking the Configuration

Run the following commands to check the previous configuration.

Action                                                           Command
View the global DHCP snooping information.                       display dhcp snooping global
View the information about the binding table of DHCP snooping.   display dhcp snooping bind-table { ip-address ip-address | mac-address mac-address | vlan vlan-id [ interface interface-type interface-number ] | static | dynamic | all }
View DHCP snooping information on the interface.                 display dhcp snooping interface interface-type interface-number
View Option 82 status.                                           display dhcp option82 { [ vlan vlan-id ] interface interface-type interface-number }

Run the preceding commands. If the following results are displayed, the configuration is successful:
• DHCP snooping is enabled in the system view and the interface view.
• Option 82 is enabled on the interface.
• Statistics about the discarded ARP, IP, and DHCP packets are displayed.
• Interface names and their matching MAC addresses and IP addresses in the binding table of DHCP snooping are displayed.

4.10 Configuring Defense on the Device Against Attacks by Sending DHCP Request Messages
This section describes how to prevent the attacker from continuously sending DHCP request messages.


4.10.1 Establishing the Configuration Task
4.10.2 Enabling DHCP Snooping
4.10.3 Checking the Configuration

4.10.1 Establishing the Configuration Task


Applicable Environment
If an attacker continuously sends DHCP request messages to apply for IP addresses, the number of DHCP entries on the device grows, which affects the protocol stack running on the device. To prevent the attacker from continuously sending DHCP request messages, enable DHCP snooping to check and limit the rate at which DHCP request messages are sent to the protocol stack. Only a limited number of packets is then passed to the protocol stack within a given time period; the excess packets are discarded.
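The limit described here (a bounded number of messages per time period reaches the protocol stack, the rest are dropped and counted) can be modelled as a token bucket. The following Python program is an added example, not the NE80E/40E implementation or code from this guide; the token-bucket shape, the rate value and the sample timestamps are assumptions chosen for illustration.

```python
"""Rate limit on DHCP Request messages punted to the protocol stack.
Added example, not NE80E/40E code; the token-bucket shape and the sample
timestamps are assumptions, not the router's implementation."""
from typing import List, Tuple


class DhcpRateLimiter:
    """At most `rate` messages per second reach the CPU; the rest are dropped and counted."""

    def __init__(self, rate: int) -> None:
        self.rate = rate
        self.tokens = float(rate)     # bucket starts full and holds one second of credit
        self.last = 0.0
        self.discard_count = 0        # what 'dhcp-rate discard count' reports in display output

    def allow(self, ts: float) -> bool:
        elapsed = max(0.0, ts - self.last)            # tolerate a clock that steps back
        self.tokens = min(float(self.rate), self.tokens + elapsed * self.rate)
        self.last = ts
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        self.discard_count += 1
        return False


def simulate(rate: int, timestamps: List[float]) -> Tuple[int, int]:
    """Return (messages passed to the protocol stack, messages discarded)."""
    limiter = DhcpRateLimiter(rate)
    accepted = sum(1 for ts in timestamps if limiter.allow(ts))
    return accepted, limiter.discard_count


# Constructed traffic: a flood of 50 Requests inside 50 ms, then one Request per second.
FLOOD = [i * 0.001 for i in range(50)]
NORMAL = [1.0 + i for i in range(5)]

if __name__ == "__main__":
    print(simulate(10, FLOOD + NORMAL))
```

At 10 messages per second the flood gets ten messages through and forty are counted as discards, while the later one-per-second traffic is unaffected because the bucket has refilled by then.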

Pre-configuration Tasks
Before configuring defense against an attacker continuously sending DHCP request messages, complete the following tasks:
• Configuring the DHCP server
• Configuring the DHCP relay agent

Data Preparation
To configure defense against an attacker continuously sending DHCP request messages, you need the following data.

No   Data
1    Rate at which DHCP messages are sent to the CPU

4.10.2 Enabling DHCP Snooping


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp snooping enable


DHCP snooping is enabled. ----End

4.10.3 Checking the Configuration

Run the following commands to check the previous configuration.

Action                                       Command
View the global DHCP snooping information.   display dhcp snooping global

Run the preceding commands. If the following results are displayed, the configuration is successful:
• DHCP snooping is enabled in the system view and the interface view.
• Checking the sending rate of DHCP messages is enabled on the interface.

4.11 Configuring Alarms for Packet Discarding

This section describes how to report an attack to the NMS.
4.11.1 Establishing the Configuration Task
4.11.2 Configuring Alarms for Packet Discarding Globally
4.11.3 Configuring Alarms for Packet Discarding on an Interface
4.11.4 Configuring Alarms for Packet Discarding on a VLAN
4.11.5 Checking the Configuration

4.11.1 Establishing the Configuration Task

Applicable Environment
Alarms are sent when the number of ARP, IP, DHCP CHADDR, and DHCP reply messages discarded on untrusted interfaces reaches the maximum limit. The alarms are also simultaneously notified to the network management system. To configure the alarms, you should perform the following:
• Enabling discarding DHCP reply messages received from the untrusted interfaces on the user end
• Checking the packets matching with the entries in the binding table of DHCP snooping
• Checking CHADDRs of the DHCP request messages

Pre-configuration Tasks
Before configuring alarms for packet discarding, complete the following tasks:
• Configuring the DHCP server
• Configuring the DHCP relay agent
• Configuring discarding DHCP reply messages from untrusted interfaces
• Enabling checking the binding table of DHCP snooping
• Configuring checking CHADDRs of the DHCP request messages
• Configuring checking the sending rate of DHCP messages

Data Preparation
To configure alarms for packet discarding, you need the following data.

No   Data
1    Alarm threshold of the discarded ARP packets
2    Alarm threshold of the discarded IP packets
3    Alarm threshold of the discarded DHCP CHADDR messages
4    Alarm threshold of the discarded DHCP reply messages
5    Alarm threshold of the discarded DHCP request messages

4.11.2 Configuring Alarms for Packet Discarding Globally


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed. Packet discarding alarm is enabled globally.

Step 2 Run:
dhcp snooping alarm threshold threshold

The alarm threshold of the discarded packets is set.
----End

4.11.3 Configuring Alarms for Packet Discarding on an Interface


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed. DHCP snooping can be enabled on Layer 3 interfaces, such as:
• Ethernet interfaces (FE and GE)
• Ethernet sub-interfaces
• VLANIF interfaces
• Eth-Trunk interfaces
• Eth-Trunk sub-interfaces

Step 3 Run:
dhcp snooping alarm { arp | ip | dhcp-request | dhcp-chaddr | dhcp-reply } enable

Packet discarding alarm is enabled.

Step 4 Run:
dhcp snooping alarm { arp | ip | dhcp-request | dhcp-chaddr | dhcp-reply } threshold threshold

The alarm threshold of the discarded packets is set.
----End

4.11.4 Configuring Alarms for Packet Discarding on a VLAN


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
vlan vlan-id

The VLAN view is displayed.

Step 3 Run:
dhcp snooping alarm { arp | ip | dhcp-request | dhcp-chaddr | dhcp-reply } enable [ interface interface-type interface-number ]

Packet discarding alarm is enabled on a VLAN.



Step 4 Run:
dhcp snooping alarm { arp | ip | dhcp-request | dhcp-chaddr | dhcp-reply } threshold threshold [ interface interface-type interface-number ]

The alarm threshold of the discarded packets is set. ----End
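The alarm mechanism of this section, together with two of the discards it counts (DHCP replies arriving on an untrusted interface, as in 4.13.1, and DHCP requests whose CHADDR differs from the frame's source MAC, as in 4.13.3), can be modelled per interface. The following Python program is an added example, not code from the NE80E/40E or from this guide. It assumes an alarm is raised once, when the discard count of a packet type reaches its configured threshold, and that the CHADDR check applies only where it has been enabled; the interface names follow the figures in 4.13, while the MAC addresses and traffic are constructed.

```python
"""Untrusted-interface reply filtering, CHADDR checking and discard alarms.
Added example, not NE80E/40E code. Assumptions: an alarm is raised once, when
the discard count of a packet type reaches the configured threshold, and the
CHADDR check applies only on interfaces where it is enabled."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DHCP_REPLY_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}   # DHCP message-type (option 53) values


@dataclass
class DhcpFrame:
    src_mac: str    # Ethernet source address of the frame
    msg_type: int   # DHCP message type, option 53
    chaddr: str     # client hardware address field of the DHCP header


@dataclass
class SnoopingInterface:
    name: str
    trusted: bool = False          # 'dhcp snooping trusted interface ...'
    check_chaddr: bool = False     # 'dhcp snooping check dhcp-chaddr enable ...'
    alarm_enabled: Dict[str, bool] = field(default_factory=dict)   # 'dhcp snooping alarm <type> enable'
    threshold: Dict[str, int] = field(default_factory=dict)        # 'dhcp snooping alarm <type> threshold N'
    discarded: Dict[str, int] = field(default_factory=dict)        # per-type discard statistics
    alarms: List[str] = field(default_factory=list)                # what would be sent to the NMS

    def _discard(self, kind: str) -> str:
        count = self.discarded.get(kind, 0) + 1
        self.discarded[kind] = count
        if self.alarm_enabled.get(kind) and count == self.threshold.get(kind):
            self.alarms.append(f"{self.name}: {kind} discards reached {count}")
        return "discard"

    def process(self, frame: DhcpFrame) -> str:
        """Return 'forward' or 'discard' for one DHCP message received on this interface."""
        if frame.msg_type in DHCP_REPLY_TYPES:
            # Offer/ACK/NAK may only come from the server side; a reply arriving on
            # a user-side (untrusted) interface comes from a bogus DHCP server.
            return "forward" if self.trusted else self._discard("dhcp-reply")
        if self.check_chaddr and frame.chaddr.lower() != frame.src_mac.lower():
            # CHADDR differing from the frame's source MAC: address-pool exhaustion attempt
            return self._discard("dhcp-chaddr")
        return "forward"


def run_sample() -> Tuple[SnoopingInterface, SnoopingInterface]:
    """Constructed traffic on the two interfaces of Figure 4-3; returns both interfaces."""
    eth1 = SnoopingInterface("Ethernet1/0/0", trusted=False, check_chaddr=True,
                             alarm_enabled={"dhcp-reply": True, "dhcp-chaddr": True},
                             threshold={"dhcp-reply": 2, "dhcp-chaddr": 3})
    eth2 = SnoopingInterface("Ethernet2/0/0", trusted=True)
    offer = DhcpFrame("0000-5e00-0053", 2, "0000-5e00-0001")
    good_discover = DhcpFrame("0000-5e00-0001", 1, "0000-5e00-0001")
    bad_discover = DhcpFrame("0000-5e00-0001", 1, "0000-5e00-0099")
    eth2.process(offer)                        # reply from the real server side: forwarded
    for _ in range(2):
        eth1.process(offer)                    # replies on the user side: dropped, alarm at 2
    eth1.process(good_discover)                # CHADDR equals source MAC: forwarded
    for _ in range(3):
        eth1.process(bad_discover)             # CHADDR mismatch: dropped, alarm at 3
    return eth1, eth2


if __name__ == "__main__":
    e1, _ = run_sample()
    print(e1.discarded, e1.alarms)
```

Thresholds are configured per packet type, so an interface that legitimately sees a few CHADDR mismatches (for example, relayed requests with a different hardware source) can be given a higher dhcp-chaddr threshold without raising the dhcp-reply threshold, which should stay low on a user-side interface.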

4.11.5 Checking the Configuration

Run the following commands to check the previous configuration.

Action                                             Command
View the global DHCP snooping information.         display dhcp snooping global
View DHCP snooping information on the interface.   display dhcp snooping { interface interface-type interface-number | vlan vlan-id [ interface interface-type interface-number ] }

Run the preceding commands. If the following results are displayed, the configuration is successful:
• DHCP snooping is enabled in the system view and the interface view.
• Statistics about the discarded ARP, IP, and DHCP packets are displayed.

4.12 Maintaining
This section describes how to reset statistics and debug DHCP snooping.
4.12.1 Resetting DHCP Snooping Binding Table
4.12.2 Debugging DHCP Snooping

4.12.1 Resetting DHCP Snooping Binding Table

To reset the binding table of DHCP snooping, run the following command in the system view.

Action                                       Command
Reset the binding table of DHCP snooping.    reset dhcp snooping bind-table { interface interface-type interface-number | vlan vlan-id [ interface interface-type interface-number ] | static | dynamic }

4.12.2 Debugging DHCP Snooping



CAUTION
Debugging affects the performance of the system. Therefore, after debugging, run the undo debugging all command to disable it immediately.

When an operation fault occurs, run the following debugging command in the user view to display the debugging information and locate the fault. For the procedure for displaying the debugging information, refer to the chapter "Debugging and Maintenance" in the Quidway NetEngine80E/40E Router Configuration Guide - System Management.

Action                            Command
Enable DHCP snooping debugging.   debugging dhcp snooping

4.13 Configuration Examples

This section provides several configuration examples of DHCP snooping.
4.13.1 Example for Preventing the Bogus DHCP Server Attack
4.13.2 Example for Preventing the Middleman and IP/MAC Spoofing Attacks
4.13.3 Example for Preventing the Attacker from Changing CHADDR
4.13.4 Example for Preventing the Attacker from Sending Bogus Messages for Extending Lease
4.13.5 Example for Configuring DHCP Snooping on a Layer 2 Device
4.13.6 Example for Configuring DHCP Snooping on a Layer 3 Interface

4.13.1 Example for Preventing the Bogus DHCP Server Attack


Networking Requirements
As shown in Figure 4-3, set the interfaces on the user end as untrusted and the interfaces on the network carrier end as trusted. Enable sending alarms to the network management system (NMS).


Figure 4-3 Networking diagram of preventing the bogus DHCP server attack
[Figure: the DHCP server sits in the ISP (L3) network behind a DHCP relay. The L2 network device with DHCP snooping enabled connects to the relay through Eth2/0/0 (trusted) and to the user network through Eth1/0/0 (untrusted).]

Configuration Roadmap
Suppose the DHCP server has been configured correctly. The configuration roadmap is as follows:
1. Set the interface connected with the DHCP server as trusted.
2. Set other interfaces or VLANs as untrusted.
3. DHCP reply messages, such as Offer, ACK and NAK messages, received from untrusted interfaces are all discarded.

Data Preparation
To complete the configuration, you need the following data:
• Group to which each VLAN interface belongs
• Setting the mode of each interface, trusted or untrusted
• Threshold that triggers sending alarms to the NMS

Configuration Procedure
1. Configure DHCP snooping on the device.
   # Enable DHCP snooping globally.
   <Quidway> system-view
   [Quidway] dhcp snooping enable

   # Set the interfaces connected with the DHCP server as trusted and the interfaces connected with clients as untrusted.
   # Configure the VLANs to which the interfaces connected with clients belong.
   [Quidway] vlan 1
   [Quidway-vlan1] port ethernet 1/0/0

   # Set the interfaces connected with clients as untrusted. By default, the interfaces are untrusted after DHCP snooping is enabled.
   [Quidway-vlan1] dhcp snooping enable interface ethernet 1/0/0

   # Set the interfaces connected with the DHCP server as trusted.
   [Quidway-vlan1] port ethernet 2/0/0
   [Quidway-vlan1] dhcp snooping enable interface ethernet 2/0/0
   [Quidway-vlan1] dhcp snooping trusted interface ethernet 2/0/0

2. Send alarms to the NMS.
   # Enable sending alarms to the NMS.
   [Quidway-vlan1] dhcp snooping alarm dhcp-reply enable interface ethernet 2/0/0

   # Set the alarm threshold.
   [Quidway-vlan1] dhcp snooping alarm dhcp-reply threshold 10 interface ethernet 2/0/0
   [Quidway-vlan1] quit

3. Verify the configuration.
   Run the display dhcp snooping command on the Layer 2 device. If DHCP snooping is enabled in the system view and in the interface view and you can also view the statistics about alarms sent to the NMS, the configuration is successful.
   [Quidway] display dhcp snooping global
   dhcp snooping enable
   dhcp-rate discard count 0
   dhcp-rate discard total count 0
   [Quidway] display dhcp snooping vlan 1 interface ethernet 2/0/0
   dhcp snooping enable interface ethernet 2/0/0
   dhcp snooping trusted interface ethernet 2/0/0
   dhcp snooping alarm dhcp-reply enable interface ethernet 2/0/0
   dhcp snooping alarm dhcp-reply threshold 10 interface ethernet 2/0/0
   arp total 145
   ip total 120
   dhcp-request total 115
   chaddr&src mac total 108
   dhcp-reply total 78

Configuration Files
#
 vlan 1
  dhcp snooping enable interface Ethernet2/0/0
  dhcp snooping trusted interface Ethernet2/0/0
  dhcp snooping enable interface Ethernet1/0/0
  dhcp snooping alarm dhcp-reply enable interface Ethernet1/0/0
  dhcp snooping alarm dhcp-reply threshold 10 interface ethernet 1/0/0
#
#
interface Ethernet1/0/0
 portswitch
 port default vlan 1
#
interface Ethernet2/0/0
 portswitch
 port default vlan 1
#
vlan batch 1
#
dhcp snooping enable
#
return


4.13.2 Example for Preventing the Middleman and IP/MAC Spoofing Attacks

Networking Requirements
As shown in Figure 4-4, the user is connected with a Layer 2 device in the ISP network. It is required to enable DHCP snooping on the Layer 2 device to prevent the middleman and IP/MAC spoofing attacks. Packets are forwarded only when they match the entries in the binding table; otherwise, packets are discarded and an alarm is triggered and sent to the NMS. Note that the binding table should cover the accurate interface information.

Figure 4-4 Networking diagram of preventing the middleman attack and the IP/MAC spoofing attack

[Figure: the DHCP server sits in the ISP (L3) network behind a DHCP relay. The L2 network device with DHCP snooping enabled connects to the relay through Eth2/0/0 (trusted) and to the user network through Eth1/0/0 (untrusted).]

Configuration Roadmap
Assume that the DHCP server has been configured correctly. The configuration roadmap is as follows:
1. Enable DHCP snooping globally and in the VLAN view.
2. Enable the binding table of DHCP snooping. The received ARP and IP packets are then matched with the binding entries.
3. Enable sending alarms to the NMS.
4. Configure Option 82 to create a binding table covering detailed interface information.

Data Preparation
To complete the configuration, you need the following data:
• Group to which each VLAN interface belongs
• Specifying that all packets from static IP addresses can be forwarded
• Threshold that triggers sending alarms to the NMS

Configuration Procedure
1. Configure DHCP snooping on the device.
   # Enable DHCP snooping globally.
   [Quidway] dhcp snooping enable

2. Enable checking packets.
   # Configure the VLANs to which the interfaces connected with clients belong.
   [Quidway] vlan 1
   [Quidway-vlan1] port ethernet 1/0/0

   # Enable checking the received ARP and IP packets on the interfaces that are connected with clients.
   [Quidway-vlan1] dhcp snooping enable interface ethernet 1/0/0
   [Quidway-vlan1] dhcp snooping check arp enable interface ethernet 1/0/0
   [Quidway-vlan1] dhcp snooping check ip enable interface ethernet 1/0/0

3. Configure static binding entries.
   # Configure the static binding entries on the user end.
   [Quidway-vlan1] dhcp snooping bind-table static ip-address 10.1.1.3 mac-address 0000-005e-008a interface ethernet 1/0/0
   [Quidway-vlan1] quit

4. Configure how to process unmatched packets.
   # Configure how to process unmatched ARP and IP packets globally.
   [Quidway] dhcp snooping nomatch-packet arp action discard
   [Quidway] dhcp snooping nomatch-packet ip action discard

   # Configure how to process unmatched ARP and IP packets on the interface.
   [Quidway] vlan 1
   [Quidway-vlan1] dhcp snooping nomatch-packet arp action discard interface Ethernet 1/0/0
   [Quidway-vlan1] dhcp snooping nomatch-packet ip action discard interface Ethernet 1/0/0

5. Send alarms to the NMS.
   # Enable sending alarms to the NMS.
   [Quidway] vlan 1
   [Quidway-vlan1] dhcp snooping alarm arp enable interface ethernet 1/0/0

   # Set the alarm threshold.
   [Quidway-vlan1] dhcp snooping alarm arp threshold 10 interface ethernet 1/0/0

6. Configure Option 82 carrying the interface information.
   [Quidway-vlan1] dhcp option82 insert enable interface ethernet 1/0/0

7. Verify the configuration.
   Run the display dhcp snooping command, the display dhcp snooping bind-table command, and the display dhcp option82 command. If DHCP snooping is enabled in the system view and in the interface view, and you can also view the statistics about alarms sent to the NMS, the configuration is successful.
   [Quidway] display dhcp snooping global
   dhcp snooping enable
   dhcp snooping nomatch-packet arp action discard
   dhcp snooping nomatch-packet ip action discard
   [Quidway] display dhcp snooping vlan 1 interface ethernet 1/0/0


   dhcp snooping enable interface ethernet 1/0/0
   dhcp snooping check arp enable interface ethernet 1/0/0
   dhcp snooping alarm arp enable interface ethernet 1/0/0
   dhcp snooping alarm arp threshold 10 interface ethernet 1/0/0
   dhcp snooping nomatch-packet arp action discard interface ethernet 1/0/0
   dhcp snooping check ip enable interface ethernet 1/0/0
   dhcp snooping nomatch-packet ip action discard interface ethernet 1/0/0
   arp total 145
   ip total 120
   dhcp-request total 115
   chaddr&src mac total 108
   dhcp-reply total 78
   [Quidway] display dhcp snooping bind-table static
   bind-table:
   ifname vrf vsi p/cvlan mac-address ip-address tp lease
   ------------------------------------------------------------------------------
   Eth1/0/0 0000 0001/0000 0000-005e-008a 010.001.001.003 S 0
   ------------------------------------------------------------------------------
   binditem count: 1
   binditem total count: 1
   [Quidway] display dhcp option82 vlan 1 interface ethernet 1/0/0
   dhcp option82 enable insert interface ethernet1/0/0

Configuration Files
#
 vlan 1
  dhcp snooping enable interface Ethernet1/0/0
  dhcp snooping check arp enable interface Ethernet1/0/0
  dhcp snooping check ip enable interface Ethernet1/0/0
  dhcp option82 insert enable interface Ethernet1/0/0
  dhcp snooping alarm arp enable interface Ethernet1/0/0
  dhcp snooping nomatch-packet arp action discard
  dhcp snooping nomatch-packet ip action discard
  dhcp snooping bind-table static ip-address 10.1.1.3 mac-address 0000-005e-008a interface ethernet 1/0/0
#
interface Ethernet1/0/0
 portswitch
 port default vlan 1
#
interface Ethernet2/0/0
 portswitch
 port default vlan 1
#
vlan batch 1
#
dhcp snooping enable
dhcp snooping nomatch-packet arp action discard
dhcp snooping nomatch-packet ip action discard
#
return
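The "Verify the configuration" step of this example is done by reading display output. The following Python program is an added example, not code from the NE80E/40E or from this guide, that parses that output so the check can be scripted: it splits the per-interface display into configuration lines and discard counters, reports required lines that are missing, and parses bind-table rows (normalizing zero-padded octets such as 010.001.001.003) so that the expected static bindings can be compared. The two sample texts are constructed after the output shown above and were not captured from a device; the column meanings of the bind-table row (p/cvlan as VLAN, S as static) are assumptions.

```python
"""Parse and audit 'display dhcp snooping' output (added example, not NE80E/40E
code). The sample text below is constructed after the display output shown in
this configuration example; it was not captured from a device."""
import re
from typing import Dict, List, Tuple

INTERFACE_OUTPUT = """\
dhcp snooping enable interface ethernet 1/0/0
dhcp snooping check arp enable interface ethernet 1/0/0
dhcp snooping alarm arp enable interface ethernet 1/0/0
dhcp snooping alarm arp threshold 10 interface ethernet 1/0/0
dhcp snooping nomatch-packet arp action discard interface ethernet 1/0/0
dhcp snooping check ip enable interface ethernet 1/0/0
dhcp snooping nomatch-packet ip action discard interface ethernet 1/0/0
arp total 145
ip total 120
dhcp-request total 115
chaddr&src mac total 108
dhcp-reply total 78
"""

BIND_TABLE_OUTPUT = """\
bind-table:
ifname vrf vsi p/cvlan mac-address ip-address tp lease
------------------------------------------------------------------------------
Eth1/0/0 0000 0001/0000 0000-005e-008a 010.001.001.003 S 0
------------------------------------------------------------------------------
binditem count: 1
binditem total count: 1
"""

# Lines a user-side interface in this example must show to count as configured.
REQUIRED = [
    "dhcp snooping enable interface ethernet 1/0/0",
    "dhcp snooping check arp enable interface ethernet 1/0/0",
    "dhcp snooping check ip enable interface ethernet 1/0/0",
    "dhcp snooping nomatch-packet arp action discard interface ethernet 1/0/0",
    "dhcp snooping nomatch-packet ip action discard interface ethernet 1/0/0",
]

STAT_RE = re.compile(r"^(?P<kind>.+?)\s+total\s+(?P<count>\d+)$")
ROW_RE = re.compile(
    r"^(?P<ifname>\S+)\s.*?(?P<pvlan>\d{4})/(?P<cvlan>\d{4})\s+"
    r"(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?P<ip>\d{3}\.\d{3}\.\d{3}\.\d{3})\s+(?P<tp>[SD])\s+(?P<lease>\d+)$",
    re.IGNORECASE,
)


def parse_interface_display(text: str) -> Tuple[List[str], Dict[str, int]]:
    """Split the per-interface display into configuration lines and discard counters."""
    config, stats = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = STAT_RE.match(line)
        if m:
            stats[m.group("kind")] = int(m.group("count"))
        else:
            config.append(line)
    return config, stats


def audit_interface(text: str, required: List[str]) -> List[str]:
    """Return the required configuration lines that the display does not show."""
    present = set(parse_interface_display(text)[0])
    return [line for line in required if line not in present]


def parse_bind_table(text: str) -> List[dict]:
    """Parse bind-table rows; zero-padded octets (010.001.001.003) are normalized."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ip = ".".join(str(int(octet)) for octet in m.group("ip").split("."))
        rows.append({
            "ifname": m.group("ifname"),
            "vlan": int(m.group("pvlan")),      # assumption: the p/cvlan P value is the VLAN
            "mac": m.group("mac").lower(),
            "ip": ip,
            "type": "static" if m.group("tp").upper() == "S" else "dynamic",
            "lease": int(m.group("lease")),
        })
    return rows


def missing_static_bindings(text: str, expected: Dict[str, str]) -> List[str]:
    """Return the IPs whose static binding is absent or bound to a different MAC."""
    found = {r["ip"]: r["mac"] for r in parse_bind_table(text) if r["type"] == "static"}
    return [ip for ip, mac in expected.items() if found.get(ip) != mac.lower()]
```

Running audit_interface over each user-side interface after a change, and missing_static_bindings over the static bind-table, turns the manual verification step into a repeatable check; a non-empty result from either means the interface is not protected the way the example intends.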

4.13.3 Example for Preventing the Attacker from Changing CHADDR


Networking Requirements
As shown in Figure 4-5, the user is connected with a Layer 2 device. It is required to enable DHCP snooping on the Layer 2 device to prevent the DoS attack through changing CHADDR. Upon receiving a DHCP request message, the device matches CHADDR field with the source MAC address in the frame header. If they are inconsistent, the message is discarded and an alarm is triggered and sent to the NMS.

Figure 4-5 Networking diagram of preventing the attacker from changing CHADDR
[Figure: the DHCP server sits in the ISP (L3) network behind a DHCP relay. The L2 network device with DHCP snooping enabled connects to the relay through Eth2/0/0 (trusted) and to the user network through Eth1/0/0 (untrusted).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping in the system view and the interface view.
2. Enable checking CHADDRs of the packets on the interfaces connected with clients.
3. Enable sending alarms to the NMS.

Data Preparation
To complete the configuration, you need the following data:
• VLAN group to which each interface belongs
• Threshold that triggers sending alarms to the NMS

Configuration Procedure
1. Configure DHCP snooping on the device.
# Enable DHCP snooping globally.
[Quidway] dhcp snooping enable

2. Prevent the DHCP exhaustion attack.
# Configure the VLAN to which the interfaces connected with clients belong.
[Quidway] vlan 1
[Quidway-vlan1] port ethernet 1/0/0
# Enable checking CHADDRs of the packets on the interfaces connected with clients.
[Quidway-vlan1] dhcp snooping enable interface ethernet 1/0/0
[Quidway-vlan1] dhcp snooping check dhcp-chaddr enable interface ethernet 1/0/0

3. Send alarms to the NMS.
# Enable sending alarms to the NMS.
[Quidway-vlan1] dhcp snooping alarm dhcp-chaddr enable interface ethernet 1/0/0
# Set the alarm threshold.
[Quidway-vlan1] dhcp snooping alarm dhcp-chaddr threshold 10 interface ethernet 1/0/0

4. Verify the configuration.
Run the display dhcp snooping command. If DHCP snooping is enabled in the system view and in the interface view, and the statistics about alarms sent to the NMS are displayed, the configuration is successful.
[Quidway] display dhcp snooping global
dhcp snooping enable
[Quidway] display dhcp snooping vlan 1 interface ethernet 1/0/0
dhcp snooping enable interface ethernet 1/0/0
dhcp snooping check dhcp-chaddr enable interface ethernet 1/0/0
dhcp snooping alarm dhcp-chaddr enable interface ethernet 1/0/0
dhcp snooping alarm dhcp-chaddr threshold 10 interface ethernet 1/0/0
arp total 145
ip total 120
dhcp-request total 115
chaddr&src mac total 108
dhcp-reply total 78

Configuration Files
#
vlan 1
 dhcp snooping enable interface Ethernet1/0/0
 dhcp snooping check dhcp-chaddr enable interface Ethernet1/0/0
 dhcp snooping alarm dhcp-chaddr enable interface Ethernet1/0/0
 dhcp snooping alarm dhcp-chaddr threshold 10 interface Ethernet1/0/0
#
interface Ethernet1/0/0
 portswitch
 port default vlan 1
#
interface Ethernet2/0/0
 portswitch
 port default vlan 1
#
vlan batch 1
#
dhcp snooping enable
#
return

4.13.4 Example for Preventing the Attacker from Sending Bogus Messages for Extending Lease
Networking Requirements
As shown in Figure 4-6, the client is connected to the Layer 2 device. DHCP snooping must be enabled to check DHCP request messages against the DHCP snooping binding table, so that only packets matching entries in the binding table are treated as valid address requests and forwarded; all other packets are discarded. At the same time, an alarm is triggered and sent to the NMS.


Figure 4-6 Networking diagram of preventing the attacker from sending bogus DHCP request messages for extending IP leases (diagram not reproduced in text; labels: ISP network / L3 network with DHCP server and DHCP relay, Eth2/0/0 trusted, DHCP snooping enabled on the L2 network device, Eth1/0/0 untrusted towards the user network)

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and in the VLAN view.
2. Enable the binding table of DHCP snooping. The received ARP and IP packets are then matched with the binding entries.
3. Enable sending alarms to the NMS.
4. Configure Option 82 to create an accurate binding table covering detailed interface information.

Data Preparation
To complete the configuration, you need the following data:
- VLAN to which each interface belongs
- Static IP addresses whose packets are to be forwarded
- Threshold that triggers sending alarms to the NMS

Configuration Procedure
1. Configure DHCP snooping on the device.
# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp snooping enable

2. Prevent the attacker from sending bogus DHCP request messages for extending IP leases.
# Configure the VLAN to which the interfaces connected with clients belong.
[Quidway] vlan 1
[Quidway-vlan1] port ethernet 1/0/0
# Enable checking DHCP request messages on the interface connected with clients, and set how packets without matching entries are handled.
[Quidway-vlan1] dhcp snooping enable interface ethernet 1/0/0
[Quidway-vlan1] dhcp snooping check dhcp-request enable interface ethernet 1/0/0

3. Configure static binding entries.
# Configure the static binding entries on the interface connected with clients.
[Quidway-vlan1] dhcp snooping bind-table static ip-address 10.1.1.3 mac-address 0000-005e-008a interface Ethernet 1/0/0

4. Configure sending alarms to the NMS.
# Enable sending alarms to the NMS.
[Quidway-vlan1] dhcp snooping alarm dhcp-request enable interface ethernet 1/0/0
# Set the alarm threshold.
[Quidway-vlan1] dhcp snooping alarm dhcp-request threshold 10 interface ethernet 1/0/0

5. Configure Option 82 to carry the interface information.
[Quidway-vlan1] dhcp option82 insert enable interface ethernet 1/0/0
6. Verify the configuration.
Run the display dhcp snooping command, the display dhcp snooping bind-table command, and the display dhcp option82 command. If DHCP snooping is enabled in the system view and in the interface view, and the statistics about alarms sent to the NMS are displayed, the configuration is successful.
[Quidway] display dhcp snooping global
dhcp snooping enable
[Quidway] display dhcp snooping vlan 1 interface ethernet 1/0/0
dhcp snooping enable interface ethernet 1/0/0
dhcp snooping check dhcp-request enable interface ethernet 1/0/0
dhcp snooping alarm dhcp-request enable interface ethernet 1/0/0
dhcp snooping alarm dhcp-request threshold 10 interface ethernet 1/0/0
arp total 145
ip total 120
dhcp-request total 115
chaddr&src mac total 108
dhcp-reply total 78
[Quidway] display dhcp snooping bind-table static
bind-table:
ifname          p/cvlan    mac-address     ip-address   tp  lease
------------------------------------------------------------------
Ethernet1/0/0   0001/0000  0000-005e-008a  10.1.1.3     S   2006-7-1
[Quidway] display dhcp option82 vlan 1 interface ethernet 1/0/0
dhcp option82 enable insert interface ethernet1/0/0

Configuration Files
#
vlan 1
 dhcp snooping enable interface Ethernet1/0/0
 dhcp snooping check dhcp-request enable interface Ethernet1/0/0
 dhcp snooping alarm dhcp-request enable interface Ethernet1/0/0
 dhcp option82 insert enable interface Ethernet1/0/0
 dhcp snooping bind-table static ip-address 10.1.1.3 mac-address 0000-005e-008a interface Ethernet 1/0/0
#
interface Ethernet1/0/0
 port default vlan 1
#
interface Ethernet2/0/0
 port default vlan 1
#
vlan batch 1
#
dhcp snooping enable
#
return

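The two checks configured in 4.13.3 and 4.13.4 (CHADDR against the frame source MAC, and DHCP Request against the binding table), with the per-interface discard counters and the NMS alarm threshold, simulated as an added example that is not NE80E/40E code. The frames are constructed inline; the alarm rule (one alarm when the discard count on an interface reaches the threshold) and the treatment of a Request with ciaddr 0.0.0.0 as a new lease are assumptions of this simulation.

```python
"""Simulation of two DHCP snooping checks from this chapter on an untrusted
interface: the CHADDR check (4.13.3) and the DHCP request / binding-table
check (4.13.4), with per-interface discard counters and the NMS alarm
threshold. Added example, not NE80E/40E code; all frames are constructed."""
from collections import Counter
from dataclasses import dataclass, field

DHCP_DISCOVER, DHCP_REQUEST = 1, 3   # DHCP message type (option 53) values


@dataclass
class Frame:
    """Fields of an Ethernet frame carrying a DHCP message that the checks use."""
    ingress: str               # interface the frame arrived on
    src_mac: str               # source MAC in the Ethernet header
    chaddr: str                # client hardware address inside the DHCP message
    msg_type: int
    ciaddr: str = "0.0.0.0"    # address the client claims to hold when renewing


@dataclass
class Snooping:
    check_chaddr: set = field(default_factory=set)      # interfaces with CHADDR check on
    check_request: set = field(default_factory=set)     # interfaces with request check on
    threshold: dict = field(default_factory=dict)       # ifname -> alarm threshold
    bind_table: dict = field(default_factory=dict)      # (ifname, mac) -> bound IP
    discards: Counter = field(default_factory=Counter)  # (ifname, kind) -> count
    alarms: list = field(default_factory=list)          # alarms that would go to the NMS

    def _discard(self, frame, kind):
        key = (frame.ingress, kind)
        self.discards[key] += 1
        # Assumption: one alarm when the discard count reaches the configured threshold
        if self.discards[key] == self.threshold.get(frame.ingress, 0):
            self.alarms.append(key)
        return False

    def accept(self, frame):
        """True if the frame passes every enabled check, False if it is discarded."""
        # 4.13.3: CHADDR must equal the frame's source MAC, otherwise discard
        if frame.ingress in self.check_chaddr and frame.chaddr.lower() != frame.src_mac.lower():
            return self._discard(frame, "dhcp-chaddr")
        # 4.13.4: a Request that renews an address must match a binding entry
        # (assumption: a Request with ciaddr 0.0.0.0 asks for a new lease and is not checked)
        if (frame.ingress in self.check_request and frame.msg_type == DHCP_REQUEST
                and frame.ciaddr != "0.0.0.0"):
            bound = self.bind_table.get((frame.ingress, frame.chaddr.lower()))
            if bound != frame.ciaddr:
                return self._discard(frame, "dhcp-request")
        return True


def run_demo():
    """Replay constructed traffic through Ethernet1/0/0 configured with both checks."""
    s = Snooping(check_chaddr={"Ethernet1/0/0"}, check_request={"Ethernet1/0/0"},
                 threshold={"Ethernet1/0/0": 10})
    # static binding entry taken from the example configuration
    s.bind_table[("Ethernet1/0/0", "0000-005e-008a")] = "10.1.1.3"
    frames = [
        Frame("Ethernet1/0/0", "0000-005e-008a", "0000-005e-008a", DHCP_DISCOVER),
        Frame("Ethernet1/0/0", "0000-005e-008a", "0000-005e-008a", DHCP_REQUEST, "10.1.1.3"),
        # a host renewing an address that is bound to a different MAC (constructed)
        Frame("Ethernet1/0/0", "0000-005e-0099", "0000-005e-0099", DHCP_REQUEST, "10.1.1.3"),
    ]
    # ten Discovers whose CHADDR differs from the frame source MAC (constructed)
    frames += [Frame("Ethernet1/0/0", "0000-005e-008a", f"0000-00aa-{i:04x}", DHCP_DISCOVER)
               for i in range(10)]
    accepted = sum(1 for f in frames if s.accept(f))
    return accepted, dict(s.discards), list(s.alarms)
```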

4.13.5 Example for Configuring DHCP Snooping on a Layer 2 Device


Networking Requirements
As shown in Figure 4-7, DHCP clients access Router through VLAN 10. It is required to configure DHCP snooping on the Layer 2 interfaces GE 1/0/0 and GE 1/0/1 on Router. Set the interface at the DHCP client side to be untrusted and the interface at the DHCP relay agent side to be trusted. In addition, Router is required to prevent the following attacks:
- Bogus DHCP server attack
- Middleman attack or IP/MAC address attack
- DoS attack by changing CHADDR
- Attack by generating bogus DHCP messages to extend IP leases
- Attack by sending excessive DHCP Request messages

DHCP client1 uses the dynamically allocated IP address and DHCP client2 uses the statically configured IP address.

Figure 4-7 Networking diagram of configuring DHCP snooping on a Layer 2 interface (diagram not reproduced in text; labels: DHCP server, DHCP relay, Router with DHCP snooping enabled, GE2/0/0 trusted, GE1/0/0 and GE1/0/1 untrusted, VLAN 10, DHCP client1, DHCP client2 IP:10.1.1.1/24 MAC:00e0-fc5e-008a)



Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and in the VLAN view.
2. Configure interfaces to be trusted or untrusted to prevent bogus DHCP server attacks.
3. Configure DHCP snooping binding tables and enable matching ARP packets, IP packets, and DHCP Request messages with entries in the DHCP snooping tables to prevent middleman attacks, IP/MAC address attacks, and bogus DHCP messages to extend IP leases.
4. Configure CHADDR check to prevent attackers from changing CHADDRs in the messages.
5. Configure Option 82 to make the binding table more accurate.
6. Enable sending alarms to the NMS.

Data Preparation
To complete the configuration, you need the following data:
- VLAN to which the interface belongs
- Static IP addresses from which packets are forwarded
- Threshold for sending alarms to the NMS

Configuration Procedure
1. Enable DHCP snooping.
# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] sysname Router
[Router] dhcp snooping enable

# Switch interfaces to Layer 2 interfaces.
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] portswitch
[Router-GigabitEthernet1/0/0] quit
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] portswitch
[Router-GigabitEthernet1/0/1] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] portswitch
[Router-GigabitEthernet2/0/0] quit
NOTE
If the interfaces are already Layer 2 interfaces, you do not need to run the portswitch command.

# Enable DHCP snooping on Layer 2 interfaces.
[Router] vlan 10
[Router-vlan10] port gigabitethernet 1/0/0
[Router-vlan10] dhcp snooping enable interface gigabitethernet 1/0/0
[Router-vlan10] port gigabitethernet 1/0/1
[Router-vlan10] dhcp snooping enable interface gigabitethernet 1/0/1
[Router-vlan10] port gigabitethernet 2/0/0
[Router-vlan10] dhcp snooping enable interface gigabitethernet 2/0/0
[Router-vlan10] quit

2. Configure the interface to be trusted.
# Configure the interface at the DHCP server side to be trusted and enable DHCP snooping on all interfaces at the DHCP client side. If the interfaces at the DHCP client side are not set to be trusted, they are untrusted by default after DHCP snooping is enabled. Configuring trusted or untrusted interfaces prevents bogus DHCP server attacks.
[Router] vlan 10
[Router-vlan10] dhcp snooping trusted interface gigabitethernet 2/0/0
[Router-vlan10] quit

3. Enable checking certain types of packets and configure DHCP snooping binding tables.
# Enable checking ARP and IP packets on the interfaces at the DHCP client side to prevent IP/MAC spoofing attacks.
[Router] vlan 10
[Router-vlan10] dhcp snooping check arp enable interface gigabitethernet 1/0/0
[Router-vlan10] dhcp snooping check arp enable interface gigabitethernet 1/0/1
[Router-vlan10] dhcp snooping check ip enable interface gigabitethernet 1/0/0
[Router-vlan10] dhcp snooping check ip enable interface gigabitethernet 1/0/1
[Router-vlan10] quit

# Enable checking DHCP Request messages on the interfaces at the DHCP client side to prevent attackers from sending bogus DHCP messages to extend IP leases.
[Router] vlan 10
[Router-vlan10] dhcp snooping check dhcp-request enable interface gigabitethernet 1/0/0
[Router-vlan10] dhcp snooping check dhcp-request enable interface gigabitethernet 1/0/1
[Router-vlan10] quit

# Enable checking CHADDRs on the interfaces at the DHCP client side to prevent attackers from changing CHADDRs in the messages.
[Router] vlan 10
[Router-vlan10] dhcp snooping check dhcp-chaddr enable interface gigabitethernet 1/0/0
[Router-vlan10] dhcp snooping check dhcp-chaddr enable interface gigabitethernet 1/0/1
[Router-vlan10] quit

# Configure static binding entries. If a client uses a static IP address, a DHCP snooping static entry is required for it.
[Router] vlan 10
[Router-vlan10] dhcp snooping bind-table static ip-address 10.1.1.1 mac-address 00e0-fc5e-008a interface gigabitethernet 1/0/1
[Router-vlan10] quit

4. Configure Option 82.
# Configure the interface information to be carried in DHCP messages to make the DHCP snooping table more accurate.
[Router] vlan 10
[Router-vlan10] dhcp option82 insert enable interface gigabitethernet 1/0/0
[Router-vlan10] dhcp option82 insert enable interface gigabitethernet 1/0/1
[Router-vlan10] quit

5. Configure the behaviors for processing packets that match no entry.
# Configure the global behaviors for processing ARP and IP packets that match no entry.
[Router] dhcp snooping nomatch-packet arp action discard
[Router] dhcp snooping nomatch-packet ip action discard
# Configure the behaviors for processing ARP and IP packets that match no entry on the interface.
[Router] vlan 10
[Router-vlan10] dhcp snooping nomatch-packet arp action discard interface gigabitethernet 1/0/0
[Router-vlan10] dhcp snooping nomatch-packet arp action discard interface gigabitethernet 1/0/1
[Router-vlan10] dhcp snooping nomatch-packet ip action discard interface gigabitethernet 1/0/0
[Router-vlan10] dhcp snooping nomatch-packet ip action discard interface gigabitethernet 1/0/1

6. Enable sending alarms to the NMS.
# Enable sending alarms to the NMS.
[Router] vlan 10
[Router-vlan10] dhcp snooping alarm dhcp-reply enable interface gigabitethernet 1/0/0
[Router-vlan10] dhcp snooping alarm dhcp-reply enable interface gigabitethernet 1/0/1
[Router-vlan10] dhcp snooping alarm arp enable interface gigabitethernet 1/0/0
[Router-vlan10] dhcp snooping alarm arp enable interface gigabitethernet 1/0/1
[Router-vlan10] dhcp snooping alarm dhcp-chaddr enable interface gigabitethernet 1/0/0
[Router-vlan10] dhcp snooping alarm dhcp-chaddr enable interface gigabitethernet 1/0/1
[Router-vlan10] dhcp snooping alarm dhcp-request enable interface gigabitethernet 1/0/0
[Router-vlan10] dhcp snooping alarm dhcp-request enable interface gigabitethernet 1/0/1
[Router-vlan10] quit

# Set the alarm threshold.
[Router] vlan 10
[Router-vlan10] dhcp snooping alarm dhcp-reply threshold 10 interface gigabitethernet 1/0/0
[Router-vlan10] dhcp snooping alarm dhcp-reply threshold 10 interface gigabitethernet 1/0/1
[Router-vlan10] dhcp snooping alarm arp threshold 10 interface gigabitethernet 1/0/0
[Router-vlan10] dhcp snooping alarm arp threshold 10 interface gigabitethernet 1/0/1
[Router-vlan10] dhcp snooping alarm dhcp-chaddr threshold 10 interface gigabitethernet 1/0/0
[Router-vlan10] dhcp snooping alarm dhcp-chaddr threshold 10 interface gigabitethernet 1/0/1
[Router-vlan10] dhcp snooping alarm dhcp-request threshold 10 interface gigabitethernet 1/0/0
[Router-vlan10] dhcp snooping alarm dhcp-request threshold 10 interface gigabitethernet 1/0/1
[Router-vlan10] quit
[Router] dhcp snooping check dhcp-rate alarm threshold 40

7. Verify the configuration.
Run the display dhcp snooping global command on Router. You can see that DHCP snooping is enabled in the system view and in the interface view. You can also view the statistics on alarms sent to the NMS.
[Router] display dhcp snooping global
dhcp snooping enable
dhcp snooping nomatch-packet ip action discard
dhcp snooping nomatch-packet arp action discard
[Router] display dhcp snooping vlan 10 interface gigabitethernet 1/0/0
dhcp snooping enable interface GigabitEthernet1/0/0
dhcp snooping check arp enable interface GigabitEthernet1/0/0
dhcp snooping alarm arp enable interface GigabitEthernet1/0/0
dhcp snooping alarm arp threshold 10 interface GigabitEthernet1/0/0
dhcp snooping nomatch-packet arp action discard interface GigabitEthernet1/0/0
dhcp snooping check ip enable interface GigabitEthernet1/0/0
dhcp snooping nomatch-packet ip action discard interface GigabitEthernet1/0/0
dhcp snooping alarm dhcp-reply enable interface GigabitEthernet1/0/0
dhcp snooping alarm dhcp-reply threshold 10 interface GigabitEthernet1/0/0
dhcp snooping check dhcp-chaddr enable interface GigabitEthernet1/0/0
dhcp snooping alarm dhcp-chaddr enable interface GigabitEthernet1/0/0
dhcp snooping alarm dhcp-chaddr threshold 10 interface GigabitEthernet1/0/0
dhcp snooping check dhcp-request enable interface GigabitEthernet1/0/0
dhcp snooping alarm dhcp-request enable interface GigabitEthernet1/0/0
dhcp snooping alarm dhcp-request threshold 10 interface GigabitEthernet1/0/0
arp total 0
ip total 0
dhcp-request total 0
chaddr&src mac total 0
dhcp-reply total 0
[Router] display dhcp snooping vlan 10 interface gigabitethernet 1/0/1
dhcp snooping enable interface GigabitEthernet1/0/1
dhcp snooping check arp enable interface GigabitEthernet1/0/1
dhcp snooping alarm arp enable interface GigabitEthernet1/0/1
dhcp snooping alarm arp threshold 10 interface GigabitEthernet1/0/1
dhcp snooping nomatch-packet arp action discard interface GigabitEthernet1/0/1
dhcp snooping check ip enable interface GigabitEthernet1/0/1
dhcp snooping nomatch-packet ip action discard interface GigabitEthernet1/0/1
dhcp snooping alarm dhcp-reply enable interface GigabitEthernet1/0/1
dhcp snooping alarm dhcp-reply threshold 10 interface GigabitEthernet1/0/1
dhcp snooping check dhcp-chaddr enable interface GigabitEthernet1/0/1
dhcp snooping alarm dhcp-chaddr enable interface GigabitEthernet1/0/1
dhcp snooping alarm dhcp-chaddr threshold 10 interface GigabitEthernet1/0/1
dhcp snooping check dhcp-request enable interface GigabitEthernet1/0/1
dhcp snooping alarm dhcp-request enable interface GigabitEthernet1/0/1
dhcp snooping alarm dhcp-request threshold 10 interface GigabitEthernet1/0/1
arp total 0
ip total 0
dhcp-request total 0
chaddr&src mac total 0
dhcp-reply total 0
[Router] display dhcp snooping vlan 10 interface gigabitethernet 2/0/0
dhcp snooping enable interface GigabitEthernet2/0/0
dhcp snooping trusted interface GigabitEthernet2/0/0
arp total 0
ip total 0
dhcp-request total 0
chaddr&src mac total 0
dhcp-reply total 0
[Router] display dhcp snooping bind-table static
bind-table:
ifname   vrf   vsi   p/cvlan    mac-address     ip-address       tp  lease
------------------------------------------------------------------------------
GE1/0/1  0000        0010/0000  00e0-fc5e-008a  010.001.001.001  S   0
------------------------------------------------------------------------------
binditem count: 1
binditem total count: 1
[Router] display dhcp option82 vlan 10 interface gigabitethernet 1/0/0
dhcp option82 insert enable interface GigabitEthernet1/0/0
[Router] display dhcp option82 vlan 10 interface gigabitethernet 1/0/1
dhcp option82 insert enable interface GigabitEthernet1/0/1

Configuration Files
#
 sysname Router
#
 vlan batch 10
#
 dhcp snooping enable
 dhcp snooping nomatch-packet ip action discard
 dhcp snooping nomatch-packet arp action discard
#
vlan 10
 dhcp snooping enable interface GigabitEthernet2/0/0
 dhcp snooping trusted interface GigabitEthernet2/0/0
 dhcp snooping enable interface GigabitEthernet1/0/1
 dhcp snooping check arp enable interface GigabitEthernet1/0/1
 dhcp snooping alarm arp enable interface GigabitEthernet1/0/1
 dhcp snooping alarm arp threshold 10 interface GigabitEthernet1/0/1
 dhcp snooping nomatch-packet arp action discard interface GigabitEthernet1/0/1
 dhcp snooping check ip enable interface GigabitEthernet1/0/1
 dhcp snooping nomatch-packet ip action discard interface GigabitEthernet1/0/1
 dhcp snooping alarm dhcp-reply enable interface GigabitEthernet1/0/1
 dhcp snooping alarm dhcp-reply threshold 10 interface GigabitEthernet1/0/1
 dhcp snooping check dhcp-chaddr enable interface GigabitEthernet1/0/1
 dhcp snooping alarm dhcp-chaddr enable interface GigabitEthernet1/0/1
 dhcp snooping alarm dhcp-chaddr threshold 10 interface GigabitEthernet1/0/1
 dhcp snooping check dhcp-request enable interface GigabitEthernet1/0/1
 dhcp snooping alarm dhcp-request enable interface GigabitEthernet1/0/1
 dhcp snooping alarm dhcp-request threshold 10 interface GigabitEthernet1/0/1
 dhcp option82 insert enable interface GigabitEthernet1/0/1
 dhcp snooping enable interface GigabitEthernet1/0/0
 dhcp snooping check arp enable interface GigabitEthernet1/0/0
 dhcp snooping alarm arp enable interface GigabitEthernet1/0/0
 dhcp snooping alarm arp threshold 10 interface GigabitEthernet1/0/0
 dhcp snooping nomatch-packet arp action discard interface GigabitEthernet1/0/0
 dhcp snooping check ip enable interface GigabitEthernet1/0/0
 dhcp snooping nomatch-packet ip action discard interface GigabitEthernet1/0/0
 dhcp snooping alarm dhcp-reply enable interface GigabitEthernet1/0/0
 dhcp snooping alarm dhcp-reply threshold 10 interface GigabitEthernet1/0/0
 dhcp snooping check dhcp-chaddr enable interface GigabitEthernet1/0/0
 dhcp snooping alarm dhcp-chaddr enable interface GigabitEthernet1/0/0
 dhcp snooping alarm dhcp-chaddr threshold 10 interface GigabitEthernet1/0/0
 dhcp snooping check dhcp-request enable interface GigabitEthernet1/0/0
 dhcp snooping alarm dhcp-request enable interface GigabitEthernet1/0/0
 dhcp snooping alarm dhcp-request threshold 10 interface GigabitEthernet1/0/0
 dhcp option82 insert enable interface GigabitEthernet1/0/0
 dhcp snooping bind-table static ip-address 10.1.1.1 mac-address 00e0-fc5e-008a interface GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/0
 portswitch
 port default vlan 10
#
interface GigabitEthernet1/0/1
 portswitch
 port default vlan 10
#
interface GigabitEthernet2/0/0
 portswitch
 port default vlan 10
#
return

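A configuration audit for the Layer 2 example above, written as an added example that is not Huawei code: it parses a file in the "Configuration Files" format and reports any untrusted interface in a DHCP snooping VLAN that lacks one of the checks, alarms or thresholds the example enables, and any VLAN with no trusted interface. SAMPLE_CONFIG is constructed from the 4.13.5 file with the CHADDR check, its alarm threshold and the global ARP discard action deliberately left out.

```python
"""Audit of the DHCP snooping part of an NE80E/40E configuration file in the
"Configuration Files" format of 4.13.5.  Added example, not Huawei code: it
flags untrusted Layer 2 interfaces that lack any of the checks, alarms or
thresholds the example enables.  SAMPLE_CONFIG is constructed for the demo."""
import re

# Per-interface settings the example applies to every untrusted interface
REQUIRED = ["check arp enable", "check ip enable", "check dhcp-request enable",
            "check dhcp-chaddr enable", "alarm arp enable", "alarm dhcp-reply enable",
            "alarm dhcp-chaddr enable", "alarm dhcp-request enable",
            "nomatch-packet arp action discard", "nomatch-packet ip action discard",
            "option82 insert enable"]
ALARM_KINDS = ("arp", "dhcp-reply", "dhcp-chaddr", "dhcp-request")
IF_RE = re.compile(r"^dhcp (snooping|option82) (.*?) interface (\S+)$")

SAMPLE_CONFIG = """\
#
 sysname Router
#
 vlan batch 10
#
 dhcp snooping enable
 dhcp snooping nomatch-packet ip action discard
#
vlan 10
 dhcp snooping enable interface GigabitEthernet2/0/0
 dhcp snooping trusted interface GigabitEthernet2/0/0
 dhcp snooping enable interface GigabitEthernet1/0/0
 dhcp snooping check arp enable interface GigabitEthernet1/0/0
 dhcp snooping alarm arp enable interface GigabitEthernet1/0/0
 dhcp snooping alarm arp threshold 10 interface GigabitEthernet1/0/0
 dhcp snooping nomatch-packet arp action discard interface GigabitEthernet1/0/0
 dhcp snooping check ip enable interface GigabitEthernet1/0/0
 dhcp snooping nomatch-packet ip action discard interface GigabitEthernet1/0/0
 dhcp snooping alarm dhcp-reply enable interface GigabitEthernet1/0/0
 dhcp snooping alarm dhcp-reply threshold 10 interface GigabitEthernet1/0/0
 dhcp snooping alarm dhcp-chaddr enable interface GigabitEthernet1/0/0
 dhcp snooping check dhcp-request enable interface GigabitEthernet1/0/0
 dhcp snooping alarm dhcp-request enable interface GigabitEthernet1/0/0
 dhcp snooping alarm dhcp-request threshold 10 interface GigabitEthernet1/0/0
 dhcp option82 insert enable interface GigabitEthernet1/0/0
"""


def parse_config(text):
    """Split a config file into global lines and per-VLAN blocks ('#' ends a block)."""
    global_lines, vlans, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
            continue
        m = re.match(r"^vlan (\d+)$", line)
        if m:
            current = vlans.setdefault(int(m.group(1)), [])
        elif line.startswith(("interface ", "sysname ")):
            current = None            # other blocks are not audited here
        elif current is not None:
            current.append(line)
        else:
            global_lines.append(line)
    return global_lines, vlans


def audit(text):
    """Return sorted findings; an empty list means the policy of 4.13.5 is met."""
    findings = []
    global_lines, vlans = parse_config(text)
    if "dhcp snooping enable" not in global_lines:
        findings.append("global: dhcp snooping not enabled")
    for proto in ("arp", "ip"):
        if f"dhcp snooping nomatch-packet {proto} action discard" not in global_lines:
            findings.append(f"global: unmatched {proto} packets are not discarded")
    for vid, lines in vlans.items():
        per_if = {}                   # ifname -> set of settings applied to that interface
        for line in lines:
            m = IF_RE.match(line)
            if m:
                setting = m.group(2) if m.group(1) == "snooping" else "option82 " + m.group(2)
                per_if.setdefault(m.group(3), set()).add(setting)
        trusted = {i for i, s in per_if.items() if "trusted" in s}
        if not trusted:
            findings.append(f"vlan {vid}: no trusted interface towards the DHCP server")
        for ifname, settings in per_if.items():
            if ifname in trusted:
                continue              # the server-side interface carries no client checks
            findings += [f"vlan {vid}: {ifname} missing '{r}'" for r in REQUIRED if r not in settings]
            for kind in ALARM_KINDS:
                if not any(s.startswith(f"alarm {kind} threshold ") for s in settings):
                    findings.append(f"vlan {vid}: {ifname} has no alarm {kind} threshold")
    return sorted(findings)
```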
4.13.6 Example for Configuring DHCP Snooping on a Layer 3 Interface


Networking Requirements
As shown in Figure 4-8, DHCP clients access the DHCP relay agent. It is required to configure DHCP snooping on the Layer 3 interfaces GE 1/0/0 and GE 1/0/1 on Router. Set the interface at the DHCP client side to be untrusted and the interface at the DHCP relay agent side to be trusted. In addition, it is required that the system automatically sense the disconnection of users that have obtained IP addresses, delete binding entries from the DHCP snooping binding table, and inform the DHCP server to release IP addresses. In such a case, Router is capable of preventing the following attacks:
- Bogus DHCP server attack
- Middleman attack or IP/MAC address attack
- DoS attack by changing CHADDR
- Attack by generating bogus DHCP messages to extend IP leases
- Attack by sending excessive DHCP Request messages

DHCP client1 uses the dynamically allocated IP address and DHCP client2 uses the statically configured IP address.

Figure 4-8 Networking diagram of configuring DHCP snooping on a Layer 3 device (diagram not reproduced in text; labels: DHCP server, DHCP relay with DHCP snooping enabled, trusted, untrusted, GE1/0/0 100.1.1.2/24, GE2/0/0 100.1.1.1/24, GE1/0/0.1 10.1.1.1/24, Switch, DHCP client1, DHCP client2 IP:10.1.1.1/24 mac:00e0-fc5e-008a)

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and in the interface view.
2. Configure interfaces to be trusted or untrusted to prevent bogus DHCP server attacks.
3. Configure DHCP snooping binding tables and enable matching ARP packets, IP packets, and DHCP Request messages with entries in the DHCP snooping tables to prevent middleman attacks, IP/MAC address attacks, and bogus DHCP messages to extend IP leases.
4. Configure CHADDR check to prevent attackers from changing CHADDRs in the messages.
5. Configure Option 82 and create a binding table covering accurate interface information.
6. Configure the sending of alarms to the NMS.

Data Preparation
To complete the configuration, you need the following data:
- Static IP addresses from which packets are forwarded
- Rate at which DHCP messages are sent to the protocol stack
- Threshold for sending alarms to the NMS

Configuration Procedure
1. Configure basic functions of the DHCP relay agent.
# Enable DHCP.
<Quidway> system-view
[Quidway] sysname DHCP-Relay
[DHCP-Relay] dhcp snooping enable

# Configure the IP address of GE 2/0/0.
[DHCP-Relay] interface gigabitethernet 2/0/0
[DHCP-Relay-GigabitEthernet2/0/0] ip address 100.1.1.1 24
[DHCP-Relay-GigabitEthernet2/0/0] quit

# Configure the sub-interface on which the DHCP relay agent is to be enabled, and configure the IP address and mask of the sub-interface. The sub-interface and the DHCP client must be on the same network segment.
[DHCP-Relay] interface gigabitethernet 1/0/0
[DHCP-Relay-GigabitEthernet1/0/0] ip address 10.1.1.254 24
[DHCP-Relay-GigabitEthernet1/0/0] ip relay address 100.1.1.2
[DHCP-Relay-GigabitEthernet1/0/0] dhcp select relay

2. Enable DHCP snooping.
# Enable DHCP snooping in the system view and interface view.
[DHCP-Relay] dhcp snooping enable
[DHCP-Relay] interface gigabitethernet 1/0/0
[DHCP-Relay-GigabitEthernet1/0/0] dhcp snooping enable
[DHCP-Relay-GigabitEthernet1/0/0] quit
[DHCP-Relay] interface gigabitethernet 2/0/0
[DHCP-Relay-GigabitEthernet2/0/0] dhcp snooping enable
[DHCP-Relay-GigabitEthernet2/0/0] quit

3. Configure the interface to be trusted.
# Configure the interface at the DHCP server side to be trusted and enable DHCP snooping on all interfaces at the DHCP client side. If the interfaces at the DHCP client side are not set to be trusted, they are untrusted by default after DHCP snooping is enabled. Configuring trusted or untrusted interfaces prevents bogus DHCP server attacks.
[DHCP-Relay] interface gigabitethernet 2/0/0
[DHCP-Relay-GigabitEthernet2/0/0] dhcp snooping trusted
[DHCP-Relay-GigabitEthernet2/0/0] quit

4. Enable checking certain types of packets and configure DHCP snooping binding tables.
# Enable checking ARP and IP packets on the interfaces at the DHCP client side to prevent IP/MAC spoofing attacks.
[DHCP-Relay] interface gigabitethernet 1/0/0
[DHCP-Relay-GigabitEthernet1/0/0] dhcp snooping check arp enable
[DHCP-Relay-GigabitEthernet1/0/0] dhcp snooping check ip enable
[DHCP-Relay-GigabitEthernet1/0/0] quit

# Enable checking DHCP Request messages on the interfaces at the DHCP client side to prevent attackers from sending bogus DHCP messages to extend IP leases.
[DHCP-Relay] interface gigabitethernet 1/0/0
[DHCP-Relay-GigabitEthernet1/0/0] dhcp snooping check dhcp-request enable
[DHCP-Relay-GigabitEthernet1/0/0] quit

# Enable checking CHADDRs on the interfaces at the DHCP client side to prevent attackers from changing CHADDRs in the messages.
[DHCP-Relay] interface gigabitethernet 1/0/0
[DHCP-Relay-GigabitEthernet1/0/0] dhcp snooping check dhcp-chaddr enable
[DHCP-Relay-GigabitEthernet1/0/0] quit


# Configure static binding entries. If a client uses a static IP address, a DHCP snooping static entry is required for it.
[DHCP-Relay] interface gigabitethernet 1/0/0
[DHCP-Relay-GigabitEthernet1/0/0] dhcp snooping bind-table static ip-address 10.1.1.1 mac-address 00e0-fc5e-008a
[DHCP-Relay-GigabitEthernet1/0/0] quit

5. Configure Option 82.
# Configure the interface information to be carried in DHCP messages to make the DHCP snooping table more accurate.
[DHCP-Relay] interface gigabitethernet 1/0/0
[DHCP-Relay-GigabitEthernet1/0/0] dhcp option82 insert enable
[DHCP-Relay-GigabitEthernet1/0/0] quit

6. Configure the behaviors for processing packets that match no entry.
# Configure the global behaviors for processing ARP and IP packets that match no entry.
[DHCP-Relay] dhcp snooping nomatch-packet arp action discard
[DHCP-Relay] dhcp snooping nomatch-packet ip action discard

# Configure the behaviors for processing ARP and IP packets that match no entry on the interface.
[DHCP-Relay] interface gigabitethernet 1/0/0
[DHCP-Relay-GigabitEthernet1/0/0] dhcp snooping nomatch-packet arp action discard
[DHCP-Relay-GigabitEthernet1/0/0] dhcp snooping nomatch-packet ip action discard
[DHCP-Relay-GigabitEthernet1/0/0] quit

7. Enable sending alarms to the NMS.
# Enable sending alarms to the NMS.
[DHCP-Relay] interface gigabitethernet 1/0/0
[DHCP-Relay-GigabitEthernet1/0/0] dhcp snooping alarm dhcp-reply enable
[DHCP-Relay-GigabitEthernet1/0/0] dhcp snooping alarm arp enable
[DHCP-Relay-GigabitEthernet1/0/0] dhcp snooping alarm dhcp-chaddr enable
[DHCP-Relay-GigabitEthernet1/0/0] dhcp snooping alarm dhcp-request enable
[DHCP-Relay-GigabitEthernet1/0/0] quit

# Set the alarm threshold.
[DHCP-Relay] interface gigabitethernet 1/0/0
[DHCP-Relay-GigabitEthernet1/0/0] dhcp snooping alarm dhcp-reply threshold 10
[DHCP-Relay-GigabitEthernet1/0/0] dhcp snooping alarm arp threshold 10
[DHCP-Relay-GigabitEthernet1/0/0] dhcp snooping alarm dhcp-chaddr threshold 10
[DHCP-Relay-GigabitEthernet1/0/0] dhcp snooping alarm dhcp-request threshold 10
[DHCP-Relay-GigabitEthernet1/0/0] quit
[DHCP-Relay] dhcp snooping check dhcp-rate alarm threshold 40

8. Enable ARP and DHCP association.
# The system performs ARP detection for the IP addresses whose DHCP snooping entries have expired and that are not contained in ARP entries. If no user responds after a certain number of probes, the system deletes the binding entry from the DHCP binding table and informs the DHCP server to release the IP address.
[DHCP-Relay] arp dhcp-snooping-detect enable

9. Verify the configuration.
Run the display dhcp snooping global command on the DHCP relay agent. You can see that DHCP snooping is enabled in the system view and in the interface view. You can also view the statistics on alarms sent to the NMS.
[DHCP-Relay] display dhcp snooping global
dhcp snooping enable
dhcp snooping nomatch-packet ip action discard
dhcp snooping nomatch-packet arp action discard
[DHCP-Relay] display dhcp snooping interface gigabitethernet 1/0/0
dhcp snooping enable
dhcp snooping check arp enable
dhcp snooping alarm arp enable
dhcp snooping alarm arp threshold 10
dhcp snooping nomatch-packet arp action discard
dhcp snooping check ip enable
dhcp snooping nomatch-packet ip action discard
dhcp snooping alarm dhcp-reply enable
dhcp snooping alarm dhcp-reply threshold 10
dhcp snooping check dhcp-chaddr enable
dhcp snooping alarm dhcp-chaddr enable
dhcp snooping alarm dhcp-chaddr threshold 10
dhcp snooping check dhcp-request enable
dhcp snooping alarm dhcp-request enable
dhcp snooping alarm dhcp-request threshold 10
arp total 0
ip total 0
dhcp-request total 0
chaddr&src mac total 0
dhcp-reply total 0
[DHCP-Relay] display dhcp snooping interface gigabitethernet 2/0/0
dhcp snooping enable
dhcp snooping trusted
arp total 0
ip total 0
dhcp-request total 0
chaddr&src mac total 0
dhcp-reply total 0
[DHCP-Relay] display dhcp snooping bind-table static
bind-table:
ifname   vrf   vsi   p/cvlan    mac-address     ip-address       tp  lease
------------------------------------------------------------------------------
GE1/0/0  0000        0000/0000  00e0-fc5e-008a  010.001.001.001  S   0
------------------------------------------------------------------------------
binditem count: 1
binditem total count: 1
[DHCP-Relay] display dhcp option82 interface gigabitethernet 1/0/0
dhcp option82 insert enable interface GigabitEthernet1/0/0

Configuration Files
#
 sysname DHCP-Relay
#
 dhcp snooping enable
 dhcp snooping nomatch-packet ip action discard
 dhcp snooping nomatch-packet arp action discard
#
interface GigabitEthernet1/0/0
 ip address 10.1.1.254 255.255.255.0
 ip relay address 100.1.1.2
 dhcp snooping enable
 dhcp snooping check arp enable
 dhcp snooping alarm arp enable
 dhcp snooping alarm arp threshold 10
 dhcp snooping nomatch-packet arp action discard
 dhcp snooping check ip enable
 dhcp snooping nomatch-packet ip action discard
 dhcp snooping alarm dhcp-reply enable
 dhcp snooping alarm dhcp-reply threshold 10
 dhcp snooping check dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr threshold 10
 dhcp snooping check dhcp-request enable
 dhcp snooping alarm dhcp-request enable
 dhcp snooping alarm dhcp-request threshold 10
 dhcp option82 insert enable
 dhcp snooping bind-table static ip-address 10.1.1.1 mac-address 00e0-fc5e-008a
#
interface GigabitEthernet2/0/0
 ip address 100.1.1.1 255.255.255.0
 dhcp snooping enable
 dhcp snooping trusted
#
 arp dhcp-snooping-detect enable
#
return

5 URPF Configuration

About This Chapter

This chapter describes how to configure URPF.

5.1 Overview
This section describes the basic concepts of Unicast Reverse Path Forwarding (URPF).
5.2 Configuring URPF
This section describes how to configure URPF.
5.3 Example for Configuring URPF
This section provides a configuration example of URPF.


5.1 Overview
This section describes the basic concepts of Unicast Reverse Path Forwarding (URPF).
5.1.1 Introduction to URPF
5.1.2 URPF Supported by the NE80E/40E

5.1.1 Introduction to URPF


URPF aims at preventing source address spoofing attacks across the network. URPF obtains the source address and inbound interface of a packet, looks up the source address in the forwarding table as if it were a destination address, and checks whether the outbound interface of the matching entry is the interface on which the packet arrived. If they do not match, the source address is taken as spoofed and the packet is dropped. In this way, URPF keeps the network away from malicious attacks based on modifying the source address. The following diagram shows such an attack.

Figure 5-1 Schematic diagram of the source address spoofing attack
(Figure: Router A at 1.1.1.1/24 sends a packet with the forged source address 2.1.1.1/24 to Router B; Router C actually holds 2.1.1.1/24.)

Router A generates a packet with a pseudo source IP address 2.1.1.1 and sends it to Router B. Router B sends a response packet to Router C, whose IP address actually is 2.1.1.1. In this way, Router A attacks both Router B and Router C by sending the illegal packet. URPF can be applied on the upstream inbound interfaces of the router in two application environments: single-homed client and multi-homed client.

- Single-homed client
  Figure 5-2 shows the connection between the client and the aggregation router of the ISP. Enable URPF on GE 1/0/0 of the ISP router to protect the router and the Internet from source address spoofing attacks from the client network.

Figure 5-2 URPF applied on a single-homed client
(Figure: ISP aggregation router with interfaces GE1/0/0, GE2/0/0, and GE3/0/0; URPF is enabled on GE1/0/0; the client network and the spoofed source address are both 169.1.1.1/24.)

- Multi-homed client
  URPF can be applied when multiple connections are set up between the client and the ISP, as shown in Figure 5-3. To make URPF work normally, ensure that packets from the client to a host on the Internet traverse the same link (between the client and the ISP router) as packets from that host back to the client, that is, route symmetry must be ensured; otherwise, URPF discards some normal packets because of mismatched interfaces.

Figure 5-3 Application environment of the URPF multi-homed client
(Figure: the enterprise Router C connects over two links to ISP routers Router A and Router B, with URPF enabled on the ISP side of each link; the packet path and the route path are drawn separately.)

- Multi-homed client and multi-ISPs
  URPF can be applied when a client is connected to multiple ISPs, as shown in Figure 5-4. In such a case, route symmetry also must be ensured. URPF applied in the scenario where a client is connected to multiple ISPs has the following features:
  - If route symmetry cannot be ensured, you can use loose detection. As long as a route to the source address exists, the packet can pass.
  - The routers of users may have only a default route to the router of an ISP. Therefore, matching the default route entry should be supported.
  - As the security system on the ingress, URPF performs better than the traditional firewall.

Figure 5-4 Applicable environment of multi-homed client and multi-ISPs
(Figure: the enterprise Router C connects to Router A of ISP A and Router B of ISP B, both of which connect to the Internet; URPF is enabled on the ISP-side interfaces.)


5.1.2 URPF Supported by the NE80E/40E


NE80E/40E supports both loose and strict URPF check on physical interfaces, sub-interfaces, VLANIF interfaces, trunk interfaces, and RPR interfaces, and supports default route differentiation. NE80E/40E supports the URPF configuration in the traffic behavior view so that it can perform the URPF check for only the traffic matching the traffic policies.

5.2 Configuring URPF


This section describes how to configure URPF.
5.2.1 Establishing the Configuration Task
5.2.2 Configuring Interface-based URPF
5.2.3 Configuring Flow-based URPF

5.2.1 Establishing the Configuration Task


Applicable Environment
To prevent source address spoofing attacks across the network, configure URPF to check whether source IP addresses of packets match the inbound interfaces. If the source IP address matches with the inbound interface, the source IP address is considered as legal and the packet is allowed to pass; otherwise, the source IP address is considered as a pseudo one and the packet is discarded.

Preconfigured Tasks
Before configuring URPF, complete the following tasks:
- Configuring the link attributes of the interface
- Configuring an IP address for the interface

Data Preparations
To configure URPF, you need the following data.

No.  Data
1    Number of the interface where URPF is to be enabled

5.2.2 Configuring Interface-based URPF


Context
Do as follows on the router.

Procedure
Step 1 Run:
system-view

The system view is displayed. Step 2 Run:


interface interface-type interface-number

The interface view is displayed. Step 3 Run:


ip urpf { loose | strict } [ allow-default]

URPF is enabled on the interface. If loose is selected, the URPF loose check is performed: the packet passes the URPF check as long as the forwarding table contains an entry for its source address, and no interface match is required. If strict is selected, the URPF strict check is performed: the packet passes the URPF check only when the forwarding table contains an entry for its source address and the inbound interface of the packet matches the outbound interface of that entry. If allow-default is specified, a source address covered only by the default route also passes the check.
----End
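The loose and strict checks and the allow-default option described above, as an added Python simulation that is not code from this guide or from the router; the forwarding table, interface names and packets are constructed.

```python
"""Simulation of the URPF loose and strict checks with the allow-default option.

Added example, not code from the Huawei guide or the NE80E/40E. The forwarding
table, interface names and packets below are constructed for illustration.
"""
import ipaddress

# Constructed forwarding table: (destination prefix, outbound interface).
# The 0.0.0.0/0 entry is the default route.
FIB = [
    ("10.1.1.0/24", "GE1/0/0"),        # client network behind GE1/0/0
    ("172.19.139.0/30", "GE1/0/0"),    # link to the client router
    ("192.168.5.0/24", "GE2/0/0"),     # another customer on GE2/0/0
    ("0.0.0.0/0", "GE3/0/0"),          # default route towards the ISP core
]


def lookup(fib, address):
    """Longest-prefix match of an address against the forwarding table.

    Returns (network, outbound interface) or None when no entry matches.
    """
    ip = ipaddress.ip_address(address)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(fib, src, in_iface, mode, allow_default=False):
    """Return True if a packet passes the URPF check, False if it is dropped.

    The source address is looked up as though it were a destination:
      loose  - pass when any forwarding entry covers the source address
      strict - pass only when that entry's outbound interface is the
               interface the packet arrived on
    A match on the default route counts only when allow_default is set,
    mirroring the allow-default keyword of ip urpf { loose | strict }.
    """
    entry = lookup(fib, src)
    if entry is None:
        return False                      # no route back to the source
    net, out_iface = entry
    if net.prefixlen == 0 and not allow_default:
        return False                      # default-route match not accepted
    if mode == "loose":
        return True
    if mode == "strict":
        return out_iface == in_iface
    raise ValueError("mode must be 'loose' or 'strict'")


def filter_packets(fib, packets, mode, allow_default=False):
    """Apply the check to (src, inbound interface) pairs; return the passed ones."""
    return [(src, iface) for src, iface in packets
            if urpf_check(fib, src, iface, mode, allow_default)]


if __name__ == "__main__":
    # Constructed packets: a legitimate client packet, the same source arriving
    # on the wrong interface (spoofed or asymmetric), and a source covered
    # only by the default route.
    sample = [("10.1.1.7", "GE1/0/0"), ("10.1.1.7", "GE2/0/0"),
              ("203.0.113.9", "GE3/0/0")]
    for mode in ("loose", "strict"):
        for allow in (False, True):
            print(mode, "allow-default" if allow else "",
                  filter_packets(FIB, sample, mode, allow))
```

Run with strict mode, the second packet is the Figure 5-1 case: the source 10.1.1.7 is reachable through GE1/0/0, so its arrival on GE2/0/0 fails the interface match.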

5.2.3 Configuring Flow-based URPF


Context
Do as follows on the router:

Procedure
- Defining a traffic class
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  traffic classifier classifier-name [ operator { and | or } ]

  The traffic class is defined and its view is displayed.
  3. Perform the following as required.
  - Run the if-match acl acl-number command to set the ACL-based rule.
  - Run the if-match dscp dscp-value command to set the DSCP-based rule.
  - Run the if-match tcp syn-flag tcpflag-value command to set the TCP-flag-based rule.
  - Run the if-match 8021p 8021p-code command to set the 802.1p-based rule for VLAN packets.
  - Run the if-match source-mac mac-address command to set the rule based on the source MAC address of the packet.
  - Run the if-match destination-mac mac-address command to set the rule based on the destination MAC address of the packet.
  - Run the if-match ip-precedence ip-precedence command to set the rule based on the IP precedence of the packet.
  - Run the if-match any command to set the rule matching all the packets.

  You can select one or several matching rules in Step 3 as required.

- Configuring a traffic behavior and enabling URPF
  1. Run:
system-view

The system view is displayed. 2. Run:


traffic behavior behaviorname

The traffic behavior is defined and its view is displayed. 3. Run:


ip urpf { loose | strict } [ allow-default ]

The URPF check is configured as an action of the traffic behavior.

- Defining a traffic policy and associating the traffic class with the traffic behavior
  1. Run:
system-view

The system view is displayed. 2. Run:


traffic policy policy-name

The traffic policy is defined and its view is displayed. 3. Run:


classifier classifier-name behavior behavior-name

The traffic class is associated with the traffic behavior in the traffic policy.

- Applying the traffic policy
  1. Run:
system-view

The system view is displayed. 2. Run:


interface interface-type interface-number

The interface view is displayed. The observing port of the LPU where the interface resides must be already configured. 3. Run:
traffic-policy policy-name { inbound | outbound }

The traffic policy is applied on the interface. ----End


5.3 Example for Configuring URPF


This section provides a configuration example of URPF.

Networking Requirements
In this example, URPF is enabled on the inbound interface of the ISP. As shown in Figure 5-5, the client Router A connects to Router B (a router in the ISP network). Enable URPF on GE 1/0/0 of Router B with the strict check, and set packets whose source IP address matches ACL 2010 to pass the check at any time. Enable URPF on GE 1/0/0 of Router A, configure the strict check, and enable the default route match.

Figure 5-5 Networking diagram of configuring URPF
(Figure: network 10.1.1.0/24 sits behind Router A; GE1/0/0 of Router A, 172.19.139.1/30, connects to GE1/0/0 of Router B, 172.19.139.2/30, which connects to the ISP.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a traffic policy on the router in the ISP network, allowing the traffic from the specified network segment to pass the URPF check.
2. Configure an IP address for the interface on Router A and enable URPF on the interface.

Data Preparations
To configure URPF, you need the following data:
- IP address of each interface
- Network segments that can pass the URPF check

Configuration Procedures
1. Configure Router B.

# Configure ACL 2010, allowing the traffic from the network segment 10.1.1.0/24 to pass the URPF check.
<RouterB> system-view
[RouterB] acl number 2010
[RouterB-acl-basic-2010] rule permit source 10.1.1.0 0.0.0.255
[RouterB-acl-basic-2010] quit

# Configure a traffic class and define an ACL rule.


[RouterB] traffic classifier classifier1
[RouterB-classifier-classifier1] if-match acl 2010
[RouterB-classifier-classifier1] quit

# Define a traffic behavior and enable the URPF function.


[RouterB] traffic behavior behavior1
[RouterB-behavior-behavior1] ip urpf strict
[RouterB-behavior-behavior1] quit

# Define a traffic policy and associate the traffic class and the traffic behavior.
[RouterB] traffic policy policy1
[RouterB-trafficpolicy-policy1] classifier classifier1 behavior behavior1
[RouterB-trafficpolicy-policy1] quit

# Apply the traffic policy to an interface.


[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] undo shutdown
[RouterB-GigabitEthernet1/0/0] ip address 172.19.139.2 255.255.255.252
[RouterB-GigabitEthernet1/0/0] traffic-policy policy1 inbound

2. Configure Router A.

# Configure GE 1/0/0.
<RouterA> system-view
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 172.19.139.1 255.255.255.252

# Enable URPF on GE 1/0/0, set the URPF check mode to strict, and enable default route match.
[RouterA-GigabitEthernet1/0/0] ip urpf strict allow-default

Configuration Files
- Configuration file of Router A

#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 172.19.139.1 255.255.255.252
 ip urpf strict allow-default
#
return

- Configuration file of Router B

#
 sysname RouterB
#
acl number 2010
 rule 5 permit source 10.1.1.0 0.0.0.255
#
traffic classifier classifier1 operator or
 if-match acl 2010
#
traffic behavior behavior1
 ip urpf strict
#
traffic policy policy1
 classifier classifier1 behavior behavior1
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 172.19.139.2 255.255.255.252
 traffic-policy policy1 inbound
#
return

6 Local Attack Defense Configuration

About This Chapter


This chapter describes the principle, configuration, and application of Local Attack Defense.

6.1 Overview
This section describes the basic concepts and principle of local attack defense.
6.2 Configuring the Rules for Filtering the Packets to Be Sent to the CPU
This section describes how to configure the rules for filtering the packets to be sent to the CPU.
6.3 Configuring the Rules for Sending the Packets to the CPU
This section describes how to configure the rules for sending the packets to the CPU.
6.4 Configuring Queue Scheduling for the Packets to Be Sent to the CPU
This section describes how to configure queue scheduling rules for the packets to be sent to the CPU.
6.5 Maintaining Local Attack Defense
This section describes how to clear the statistics on local attack defense.
6.6 Configuration Example
This section provides several configuration examples of local attack defense.

6.1 Overview
This section describes the basic concepts and principle of local attack defense.
6.1.1 Overview of Local Attack Defense
6.1.2 Local Attack Defense Features Supported by the NE80E/40E

6.1.1 Overview of Local Attack Defense


Background of Local Attack Defense
With the development and wide application of networks, ever higher requirements are posed on network security and device security. On the network, a large number of packets of various kinds, including malicious attack packets, need to be sent to the Central Processing Unit (CPU). The more packets are sent to the CPU, the higher the CPU usage; CPU performance then degrades and services are interrupted. Malicious packets that target the CPU keep it busy processing attack packets for a long period, so other normal services are interrupted and the system may even break down. To protect the CPU and keep it processing normal services, the following restrictions on the packets to be sent to the CPU are required:
- Filtering the packets to be sent to the CPU
- Classifying the packets to be sent to the CPU
- Limiting the number of the packets to be sent to the CPU
- Limiting the rate of sending the packets to the CPU
- Setting the priority of scheduling the packets to be sent to the CPU

In this way, the packets that fail to match the sending rules are discarded, ensuring the processing on normal services of the CPU.

Implementation of Local Attack Defense


The local attack defense feature of the NE80E/40E is directed at the packets to be sent to the CPU and provides the following functions:
- Ensuring the router security
- Guaranteeing the normal running of the existing services in the case of attacks
- Keeping all the services from affecting each other

The local attack defense feature of the NE80E/40E realizes the hierarchical protection of the router as follows:

1. Level 1 protection: The system filters out the invalid packets to be sent to the CPU by the whitelist, blacklist, and user-defined flows.
2. Level 2 protection: You can set the rules for the packets to be sent to the CPU. In this way, the system discards the invalid packets through double-level CAR flow control, ensuring the CPU security.
3. Level 3 protection: You can set the priority of scheduling the packets to be sent to the CPU and the sending rate to control the speed of packet sending. The processing on normal services of the CPU is ensured.

On the NE80E/40E, local attack defense is implemented in the following ways:


- Whitelist
  The whitelist refers to a group of valid users or users with the high priority. By setting the whitelist, you can enable the system to protect existing services or user services with the high priority. You can define the whitelist through Access Control Lists (ACLs). Then, the packets matching the whitelist are sent to the CPU in preference at a high rate. The valid users that normally access the system as confirmed and the users with the high priority can be added to the whitelist.

- Blacklist
  The blacklist refers to a group of invalid users. You can define the blacklist through ACLs. Then, the packets matching the blacklist are discarded or sent to the CPU in a low priority. The invalid users that involve attacks as confirmed can be added to the blacklist.

- User-defined flows
  User-defined flows indicate that the user defines ACLs. They are applied when unknown attacks emerge on the network. The user can flexibly specify the characteristics of the attack data flows and limit the data flows that match the specified characteristics.

- ALP
  When a Border Gateway Protocol (BGP) session is set up, information about this session is synchronized to the whitelist. In this way, the reliability and stability of the relevant services are ensured. When detecting that the BGP session is deleted, the system deletes information about this session from the whitelist. The NE80E/40E protects the data based on the BGP session through the whitelist, which is called Active Link Protection (ALP). Through ALP, the running of the existing services can be ensured in the case of attacks.

- GTSM
  The Generalized TTL Security Mechanism (GTSM) refers to the generic TTL security protection mechanism. GTSM protects services by checking whether the TTL value in the IP packet is within the specified range. The packets that pass the GTSM check are added to the whitelist and assigned the high priority. The packets that fail the GTSM check are discarded or sent to the CPU according to the default configuration or the user-defined GTSM rules.

- CAR
  Committed Access Rate (CAR) is used to set the rate of sending the classified packets to the CPU. You can set the committed information rate (CIR), the committed burst size (CBS), and the priority for each type of packets. Through the different CAR rules for various packets, the system can keep the packets from affecting each other, so as to protect the CPU. CAR can also be used to set the total rate of sending the packets to the CPU. When the total rate exceeds the upper limit, the system discards the packets, avoiding the CPU overload.

- Smallest packet compensation
  The NE80E/40E can efficiently solve the problem of small packet attacks with the smallest packet compensation function. After receiving the packets to be sent to the CPU, the system detects the packet length. When the packet length is smaller than the preset minimum packet length, the system calculates the sending rate with the preset minimum length. When the packet length is greater than the preset minimum packet length, the system calculates the sending rate with the actual packet length.

NOTE

LPUA supports the presetting of the minimum packet length. The minimum packet length supported by LPUB is 128 bytes.

- Application-layer service association
  The system dynamically detects the enabled application-layer information. When the application-layer services are started, the system accepts the packets of the application-layer services; when the application-layer services are closed, the system discards the packets of the services. The NE80E/40E realizes the application-layer service association of BGP. After BGP services are started, the BGP packets are sent to the CPU; after BGP services are terminated, the BGP packets are discarded.

Process of Local Attack Defense


Figure 6-1 shows the local attack defense process of the NE80E/40E.

Figure 6-1 Process of local attack defense
(Figure: numbered steps (1) to (10) through the whitelist, blacklist, user-defined flow, static CAR, and queue scheduling stages; at each stage packets are either discarded or passed on, and the packets that survive are sent to the CPU.)
1. The system classifies the packets to be sent to the CPU through ACLs.
2. When the packets pass the GTSM check, the system checks the TTL value. If the TTL value is not valid, the packets are discarded and counted.
3. When the packets match the whitelist and the TTL value is valid, the packets are assigned the CAR ID of the whitelist for further processing.
4. When the packets match the blacklist, the packets are assigned the CAR ID of the blacklist for further processing.
5. When the packets match the user-defined rules, the packets are assigned the CAR ID for further processing.
6. When the packets fail the preceding matching, the CAR is performed.
7. The packets are discarded in the CAR processing. The possible cause is the discarding action of the blacklist policy or the CAR rate threshold-crossing.
8. The packets that are permitted by the CAR policy enter the queue for scheduling. Then, each packet goes to the relevant queue according to the priority.
9. If the queue is full, some packets are discarded and the packet statistics are collected.
10. The packets in the queue are scheduled to limit the overall sending rate to the CPU.

6.1.2 Local Attack Defense Features Supported by the NE80E/40E


The NE80E/40E supports the configuration of 30 attack defense policies. The attack defense policies supported by each LPU are as follows:

- LPUA, LPUG, LPUH, and LPUF-10 support the attack defense policies numbered 1 to 10. Policies 1 to 3 are the system-defined attack defense policies that apply to the typical networking scenarios. Policy 2 is the default one.
- LPUB and LPUF-20 support the attack defense policies numbered 11 to 20. Policies 11 to 13 are the system-defined attack defense policies that apply to the typical networking scenarios. Policy 12 is the default one.
- LPUF-D supports the attack defense policies numbered 21 to 30. Policy 21 is the default one.

NOTE

- In the following description, LPUA stands for LPUA, LPUG, LPUH, and LPUF; LPUB stands for LPUB and LPUF-20.
- The system-defined attack defense policies can neither be modified nor deleted. You can configure other attack defense policies as required.
- The system-defined attack defense policies can be displayed through the display cpu-defend policy policy-number command.

When you apply an attack defense policy on an LPU, you only need to create the attack defense policy based on the actual attacks, set the rules for packet sending, and apply the policy on the LPU. For any attack defense rule that the applied policy does not define, the LPU uses its default attack defense policy. For example, when you apply attack defense policy 4 on LPUA and set only the total rate of packet sending, the other settings, such as the scheduling priority of the packets destined for the CPU, are taken from Policy 2.

In the application of the local attack defense feature, note the following:

- The configuration of the attack defense policy is the premise of the configurations of other tasks. After the attack defense policy is configured, other configurations can be performed.
- You must apply the attack defense policy on the LPU; otherwise, the policy does not take effect. Only one attack defense policy can be applied on an LPU.
- By default, the whitelist and the blacklist functions are enabled. To disable one of them, run the whitelist disable or blacklist disable command.
- By default, the application-layer service association is enabled. To disable it, run the application-apperceive disable command.
- After the NE80E/40E is enabled with the local attack defense feature, the performance of the existing data forwarding is not affected.

6.2 Configuring the Rules for Filtering the Packets to Be Sent to the CPU
This section describes how to configure the rules for filtering the packets to be sent to the CPU.
6.2.1 Establishing the Configuration Task
6.2.2 Creating the Attack Defense Policy
6.2.3 Creating the User-Defined Whitelist
6.2.4 Creating the User-Defined Blacklist
6.2.5 Configuring the User-Defined Flow
6.2.6 Setting the Processing Priority
6.2.7 Applying the Attack Defense Policy
6.2.8 Checking the Configuration

6.2.1 Establishing the Configuration Task


Applicable Environment
When a router accesses a large number of users, a lot of packets need be sent to the CPU for processing and then the router is vulnerable to the attacks of the packets sent to the CPU. In the preceding scenario, perform the following configuration.

Pre-configuration Tasks
Before configuring the rules for filtering the packets to be sent to the CPU, complete the following task:
- Connecting the interfaces and configuring the physical parameters of the interfaces to make the physical status of the interfaces Up

Data Preparation
To configure the rules for filtering the packets to be sent to the CPU, you need the following data.

No.  Data
1    Number and description of the attack defense policy
2    ACL rule and number
3    Number of the user-defined flow
4    Number of the LPU on which the attack defense policy is applied

6.2.2 Creating the Attack Defense Policy


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed. Step 2 Run:


cpu-defend policy policy-number

The attack defense policy is created. Step 3 (Optional) Run:


description text

The description of the attack defense policy is configured. ----End

6.2.3 Creating the User-Defined Whitelist


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed. Step 2 Run:


cpu-defend policy policy-number

The attack defense view is displayed. Step 3 Run:


whitelist acl acl-number

The user-defined whitelist is created. By default, the whitelist function is enabled. To disable the whitelist function, run the whitelist disable command. Up to 2048 whitelists can be configured on the NE80E/40E. ----End
6.2.4 Creating the User-Defined Blacklist


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed. Step 2 Run:


cpu-defend policy policy-number

The attack defense view is displayed. Step 3 Run:


blacklist acl acl-number

The user-defined blacklist is created. By default, the blacklist function is enabled. To disable the blacklist function, run the blacklist disable command. ----End

6.2.5 Configuring the User-Defined Flow


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed. Step 2 Run:


cpu-defend policy policy-number

The attack defense view is displayed. Step 3 Run:


user-defined-flow flow-id acl acl-number

The user-defined flow rules are set. ----End

6.2.6 Setting the Processing Priority


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed. Step 2 Run:


cpu-defend policy policy-number

The attack defense view is displayed. Step 3 Perform the following as required.
- Run process-sequence blacklist { user-defined-flow | whitelist } * to set the processing priority of the packets matching the blacklist.
- Run process-sequence user-defined-flow { blacklist | whitelist } * to set the processing priority of the packets matching the user-defined flow rules.
- Run process-sequence whitelist { user-defined-flow | blacklist } * to set the processing priority of the packets matching the whitelist.

By default, the processing priority is whitelist, blacklist, and user-defined flow in descending order.
----End
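The classification in process-sequence order above, the CAR stage of the process in section 6.1.1, and the smallest packet compensation, as an added Python simulation that is not the NE80E/40E implementation; the ACLs, CAR values and addresses are constructed, and the 128-byte minimum packet length is the LPUB value stated in the note.

```python
"""Simulation of the local attack defense pipeline: classification of packets
destined for the CPU in process-sequence order, then CAR with smallest packet
compensation.

Added example, not the NE80E/40E implementation. The ACLs, CAR parameters and
packets below are constructed for illustration.
"""
import ipaddress


def match_acl(prefixes, src):
    """Constructed stand-in for a basic ACL: permit if src is in any prefix."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


class Car:
    """Committed Access Rate modelled as a token bucket.

    cir_kbps: committed information rate; cbs_bytes: committed burst size.
    min_packet_length: smallest packet compensation, packets shorter than
    this are charged as if they had this length.  action="discard" models
    a blacklist whose packets are dropped instead of rate limited.
    """

    def __init__(self, cir_kbps, cbs_bytes, min_packet_length=0, action="pass"):
        self.bytes_per_sec = cir_kbps * 1000 / 8
        self.cbs = cbs_bytes
        self.min_len = min_packet_length
        self.action = action
        self.tokens = float(cbs_bytes)    # bucket starts full
        self.last = 0.0
        self.passed = 0
        self.dropped = 0

    def offer(self, length, now):
        """Offer one packet of `length` bytes at time `now` (seconds)."""
        # Refill tokens for the time elapsed since the previous packet.
        self.tokens = min(self.cbs, self.tokens + (now - self.last) * self.bytes_per_sec)
        self.last = now
        if self.action == "discard":
            self.dropped += 1
            return False
        charged = max(length, self.min_len)   # smallest packet compensation
        if charged <= self.tokens:
            self.tokens -= charged
            self.passed += 1
            return True
        self.dropped += 1
        return False


class CpuDefendPolicy:
    """Whitelist / blacklist / user-defined flow classification plus CAR."""

    def __init__(self, acls, cars,
                 process_sequence=("whitelist", "blacklist", "user-defined-flow")):
        self.acls = acls            # class name -> list of permitted prefixes
        self.cars = cars            # class name -> Car; must contain "default"
        self.sequence = process_sequence

    def classify(self, src):
        """First class in process-sequence order whose ACL permits src."""
        for name in self.sequence:
            if match_acl(self.acls.get(name, []), src):
                return name
        return "default"          # no match: the default CAR applies (step 6)

    def handle(self, src, length, now):
        """Return (class, passed) for one packet destined for the CPU."""
        name = self.classify(src)
        return name, self.cars[name].offer(length, now)


def build_policy(process_sequence=("whitelist", "blacklist", "user-defined-flow")):
    """Constructed policy: trusted peers whitelisted, known attackers blacklisted."""
    acls = {
        "whitelist": ["10.1.1.0/24"],
        "blacklist": ["192.0.2.0/24", "10.1.1.99/32"],   # 10.1.1.99 is in both lists
        "user-defined-flow": ["198.51.100.0/24"],
    }
    cars = {
        "whitelist": Car(4000, 40000),
        "blacklist": Car(1000, 10000, action="discard"),
        "user-defined-flow": Car(500, 5000, min_packet_length=128),
        "default": Car(1000, 1280, min_packet_length=128),
    }
    return CpuDefendPolicy(acls, cars, process_sequence)


if __name__ == "__main__":
    policy = build_policy()
    # Constructed burst of 64-byte packets from an unclassified source: with a
    # 128-byte minimum each packet is charged twice its size, so the 1280-byte
    # burst admits 10 packets instead of 20.
    for _ in range(12):
        print(policy.handle("203.0.113.4", 64, 0.0))
    print("default CAR passed/dropped:",
          policy.cars["default"].passed, policy.cars["default"].dropped)
```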

6.2.7 Applying the Attack Defense Policy


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed. Step 2 Run:


slot slot-number

The slot view is displayed. Step 3 Run:


cpu-defend-policy policy-number

The user-defined attack defense policy is applied on the specified LPU. You must apply the attack defense policy on the LPU; otherwise, the policy fails. ----End
6.2.8 Checking the Configuration


Run the following commands to check the previous configuration.

Action                                                                      Command
Display the configured filtering rules for sending the packets to the CPU.   display cpu-defend policy { policy-number }
Display the statistics on attack defense of the LPU.                        display cpu-defend slot [ slot-number ] car { blacklist | index index | user-defined-flow flow-id | whitelist }

After the configuration, you can run the display cpu-defend policy [ policy-number ] command to view the filtering rules for sending the packets to the CPU. For example, you can run the display cpu-defend policy 6 command to view the filtering rule of Policy 6.
<Quidway> display cpu-defend policy 6 Number : 6 Description : denfend the packets to cpu Related slot : <3> Configuration : Whitelist enable : open Blacklist enable : open Whitelist ACL number : 2001 Blacklist ACL number : 2002 Whitelist : CIR(4000) CBS(40000) Blacklist : CIR(1000) CBS(10000) Whitelist priority : high Blacklist priority : low Whitelist alarm enable : close Blacklist alarm enable : close Whitelist alarm : threshold(1000000) interval(3600) : Blacklist alarm : threshold(1000000) interval(3600) : Outbound ARP check enable : open Application apperceive enable : open Total packet speed : high Process-sequence : whitelist user-defined-flow blacklist Car index 0 alarm enable : close

After the configuration, you can run the display cpu-defend slot [ slot-number ] car { blacklist | index index | user-defined-flow flow-id | whitelist } command to view the statistics on attack defense of the LPU. For example, you can run the display cpu-defend slot 3 car whitelist command to view the statistics on attack defense of the LPU in slot 3.
<Quidway> display cpu-defend slot 3 car whitelist slot : 3 (255)Defend whitelist information: passed : 152 packets dropped : 0 packets cir : 4000kbps cbs : 40000bytes priority : high min-packet-length : 128bytes


6.3 Configuring the Rules for Sending the Packets to the CPU
This section describes how to configure the rules for sending the packets to the CPU.
6.3.1 Establishing the Configuration Task
6.3.2 Creating the Attack Defense Policy
6.3.3 Configuring CAR
6.3.4 Applying the Attack Defense Policy
6.3.5 Checking the Configuration

6.3.1 Establishing the Configuration Task


Applicable Environment
When a router accesses a large number of users, many packets need to be sent to the CPU for processing, and the router then becomes vulnerable to attacks carried by the packets to be sent to the CPU. In this scenario, perform the following configuration.

Pre-configuration Tasks
Before configuring the rules for sending the packets to the CPU, complete the following task:
- Connecting the interfaces and configuring the physical parameters of the interfaces to make the physical status of the interfaces Up

Data Preparation
To configure the rules for sending the packets to the CPU, you need the following data.
1. The number and description of the attack defense policy
2. The index of the packet to be sent, the number of the user-defined flow, and the minimum packet length for smallest packet compensation
3. The CIR and CBS values of the packet to be sent
4. The number of the LPU on which the attack defense policy is applied

6.3.2 Creating the Attack Defense Policy


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense policy is created.

Step 3 (Optional) Run:
description text

The description of the attack defense policy is configured.
----End

6.3.3 Configuring CAR


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense view is displayed.

Step 3 (Optional) Run:
car { blacklist | index index | user-defined-flow flow-id | whitelist } { cir cir-value | cbs cbs-value | min-packet-length min-packet-length-value } *

The CAR action rules are set.

Step 4 (Optional) Run:
deny { blacklist | index index | user-defined-flow flow-id | whitelist }

The action is set to deny for the packets sent to the CPU.
NOTE
You can apply either CAR or deny to the same type of packets sent to the CPU, but not both. When the deny and car commands are run successively, the command run later takes effect.

----End
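To see what cir, cbs, and min-packet-length do to a flood of small packets, the following Python token-bucket model is an added example, not code from this guide or from Huawei. It assumes a standard single-rate token bucket and reads min-packet-length as the byte count charged for any packet shorter than it; the CpuCar class, the flood helper, and the parameter values (taken from the whitelist statistics shown in 6.2.8) are assumptions for illustration.

```python
"""Token-bucket model of the car command's cir, cbs and min-packet-length
parameters for one class of packets sent to the CPU.  Added illustration,
not code from the Huawei guide.

Assumptions: a single-rate token bucket refilled at cir (kbit/s, the unit
shown by display cpu-defend) up to cbs bytes; a packet passes only when
the bucket holds at least its length in tokens; a packet shorter than
min-packet-length is charged as min-packet-length bytes, which is how the
guide's "smallest packet compensation" is read here.
"""


class CpuCar:
    """CAR for one class of packets sent to the CPU."""

    def __init__(self, cir_kbps, cbs_bytes, min_packet_length=0):
        self.rate = cir_kbps * 1000 / 8        # token refill rate, bytes/s
        self.cbs = cbs_bytes                   # bucket depth, bytes
        self.min_len = min_packet_length       # compensation floor, bytes
        self.tokens = float(cbs_bytes)         # bucket starts full
        self.last = 0.0                        # arrival time of last packet
        self.passed = 0
        self.dropped = 0

    def offer(self, t, length):
        """Offer a packet of `length` bytes arriving at time t (seconds).
        Returns True if the packet passes to the CPU, False if dropped."""
        if t < self.last:
            raise ValueError("packets must be offered in time order")
        self.tokens = min(self.cbs, self.tokens + (t - self.last) * self.rate)
        self.last = t
        charged = max(length, self.min_len)    # smallest packet compensation
        if charged <= self.tokens:
            self.tokens -= charged
            self.passed += 1
            return True
        self.dropped += 1
        return False


def flood(car, count, length, t=0.0):
    """Offer `count` packets of `length` bytes at the same instant t and
    return (passed, dropped) for that burst alone."""
    before = (car.passed, car.dropped)
    for _ in range(count):
        car.offer(t, length)
    return car.passed - before[0], car.dropped - before[1]


if __name__ == "__main__":
    # Whitelist values from the guide's display output: cir 4000 kbit/s,
    # cbs 40000 bytes, min-packet-length 128 bytes.
    with_floor = CpuCar(4000, 40000, 128)
    no_floor = CpuCar(4000, 40000, 0)
    print("64-byte flood, min-packet-length 128:", flood(with_floor, 1000, 64))
    print("64-byte flood, no compensation:     ", flood(no_floor, 1000, 64))
    print("same burst one second later:        ", flood(with_floor, 1000, 64, t=1.0))
```

A burst of 1000 64-byte packets against a 40000-byte bucket lets 625 packets through when each is charged its real length, but only 312 when every packet is charged the 128-byte floor. That is the point of the compensation: a flood of tiny packets costs the CPU per packet, not per byte, so charging a minimum per packet bounds the packet rate, not just the byte rate.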

6.3.4 Applying the Attack Defense Policy



Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
slot slot-number

The slot view is displayed.

Step 3 Run:
cpu-defend-policy policy-number

The user-defined attack defense policy is applied on the specified LPU. You must apply the attack defense policy on the LPU; otherwise, the policy does not take effect.
----End

6.3.5 Checking the Configuration


Run the following commands to check the previous configuration.

Action: Display the CAR statistics on the packets sent to the CPU.
Command: display car information { default | current } [ index index ]

Action: Display information about the attack defense policy.
Command: display cpu-defend policy [ policy-number ]

Action: Display the statistics on attack defense of the LPU.
Command: display cpu-defend slot [ slot-number ] car { blacklist | index index | user-defined-flow flow-id | whitelist }

After the configuration, you can run the display car information { default | current } [ index index ] command to view the CAR statistics on the packets sent to the CPU. For example, you can run the display car information default 6 command to view the default CAR parameters of the packets with index 6.
[Quidway-cpu-defend-policy-8] display car information default 6
Index  Cir(kbps)  Cbs(byte)  Priority  MinPacketLength  Description
---------------------------------------------------------------------
6      2000       20000      middle    128              IPV4 ARP packet


6.4 Configuring Queue Scheduling for the Packets to Be Sent to the CPU
This section describes how to configure queue scheduling rules for the packets to be sent to the CPU.
6.4.1 Establishing the Configuration Task
6.4.2 Creating the Attack Defense Policy
6.4.3 Setting the Priority for Queue Scheduling
6.4.4 Setting the Total Rate of Sending the Packets to the CPU
6.4.5 Setting the Rate Threshold for Packet Discarding
6.4.6 Applying the Attack Defense Policy
6.4.7 Checking the Configuration

6.4.1 Establishing the Configuration Task


Applicable Environment
When a router accesses a large number of users, many packets need to be sent to the CPU for processing, and the router then becomes vulnerable to attacks carried by the packets to be sent to the CPU. In this scenario, perform the following configuration.

Pre-configuration Tasks
Before configuring queue scheduling for the packets to be sent to the CPU, complete the following task:
- Connecting the interfaces and configuring the physical parameters of the interfaces to make the physical status of the interfaces Up

Data Preparation
To configure queue scheduling for the packets to be sent to the CPU, you need the following data.
1. The number and description of the attack defense policy
2. The index of the packets to be sent and the number of the user-defined flow
3. The total rate of sending the packets to the CPU
4. The rate threshold for packet discarding and the alarm detection frequency
5. The number of the LPU on which the attack defense policy is applied


6.4.2 Creating the Attack Defense Policy


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense policy is created.

Step 3 (Optional) Run:
description text

The description of the attack defense policy is configured.
----End

6.4.3 Setting the Priority for Queue Scheduling


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense view is displayed.

Step 3 Run:
priority { blacklist | index index | user-defined-flow flow-id | whitelist } { high | middle | low }

The priority for queue scheduling is set.
----End

6.4.4 Setting the Total Rate of Sending the Packets to the CPU

Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense view is displayed.

Step 3 Run:
car total-packet { high | low | middle | total-packet-rate }

The total rate of sending the packets to the CPU is set.
----End

6.4.5 Setting the Rate Threshold for Packet Discarding


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run:
alarm drop-rate { blacklist | index index | total-packet | user-defined-flow flow-id | whitelist } enable

The alarm for packet discarding because of rate threshold-crossing is enabled.

Step 4 Run:
alarm drop-rate { blacklist | index index | total-packet | user-defined-flow flow-id | whitelist } { threshold threshold-value | interval interval-value } *

The rate threshold for packet discarding and the alarm detection frequency are set. By default, the alarm for packet discarding because of rate threshold-crossing is disabled. After the packet rate exceeds the threshold, the packets are discarded.
----End
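Putting the statistics shown in 6.2.8 together with the alarm configured in this section: the following Python script is an added example, not code from this guide or from Huawei. It parses two constructed snapshots of the display cpu-defend slot ... car output taken one detection interval apart and evaluates the resulting drop rate against a threshold, which is the check an operator would script when the router's own alarm is not collected by a management system. The function names, the snapshot contents, and the way the threshold is compared (dropped packets per second over the interval, the units the guide uses) are assumptions.

```python
"""Parse display cpu-defend slot ... car output and evaluate a drop-rate
alarm over a detection interval.  Added illustration, not code from the
Huawei guide; the two snapshots below are constructed.

Assumption: the alarm condition is modelled as (dropped packets counted
during the interval) / interval seconds > threshold in pps.
"""
import re

INTERVAL_S = 1800        # alarm detection interval, seconds (constructed)
THRESHOLD_PPS = 500      # alarm drop-rate threshold, pps (constructed)

# Constructed snapshots of the same counters taken INTERVAL_S seconds apart.
SNAPSHOT_T0 = """\
<Quidway> display cpu-defend slot 3 car blacklist
slot : 3
(255)Defend blacklist information:
passed : 1520 packets
dropped : 300 packets
cir : 2000kbps
cbs : 2000bytes
priority : low
min-packet-length : 256bytes
"""

SNAPSHOT_T1 = """\
<Quidway> display cpu-defend slot 3 car blacklist
slot : 3
(255)Defend blacklist information:
passed : 3040 packets
dropped : 1080300 packets
cir : 2000kbps
cbs : 2000bytes
priority : low
min-packet-length : 256bytes
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z-]*)\s*:\s*(\S+)")


def parse_cpu_defend_car(text):
    """Turn the 'key : value' lines into a dict.  Values that start with
    digits become ints (units such as 'kbps' or 'packets' are dropped)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue                      # prompt and banner lines
        key, value = m.group(1), m.group(2)
        num = re.match(r"\d+", value)
        fields[key] = int(num.group()) if num else value
    return fields


def drop_rate_pps(before, after, interval_s):
    """Average drop rate between two snapshots of the same counters."""
    delta = after["dropped"] - before["dropped"]
    if delta < 0:
        # Counters only decrease after reset cpu-defend statistics.
        raise ValueError("dropped counter decreased; statistics were reset")
    return delta / interval_s


def check_drop_alarm(before, after, interval_s, threshold_pps):
    """Return (alarm, rate): alarm is True when the drop rate over the
    interval exceeds the threshold."""
    rate = drop_rate_pps(before, after, interval_s)
    return rate > threshold_pps, rate


def evaluate_samples():
    """Run the check over the constructed snapshots."""
    return check_drop_alarm(parse_cpu_defend_car(SNAPSHOT_T0),
                            parse_cpu_defend_car(SNAPSHOT_T1),
                            INTERVAL_S, THRESHOLD_PPS)


if __name__ == "__main__":
    print(evaluate_samples())
```

A rising blacklist drop counter is expected, since the blacklist exists to discard; what the threshold flags is a change in the rate of discarding, which is the signal that an attack against the CPU has started or intensified.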

6.4.6 Applying the Attack Defense Policy


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
slot slot-number

The slot view is displayed.

Step 3 Run:
cpu-defend-policy policy-number

The user-defined attack defense policy is applied on the specified LPU. You must apply the attack defense policy on the LPU; otherwise, the policy does not take effect.
----End

6.4.7 Checking the Configuration


Run the following commands to check the previous configuration.

Action: Display information about the attack defense policy.
Command: display cpu-defend policy { policy-number }

Action: Display the statistics on attack defense of the LPU.
Command: display cpu-defend slot [ slot-number ] car [ blacklist | index index | user-defined-flow flow-id | whitelist ]

6.5 Maintaining Local Attack Defense


This section describes how to clear the statistics on local attack defense.
6.5.1 Clearing the Statistics on Local Attack Defense

6.5.1 Clearing the Statistics on Local Attack Defense


To clear the statistics on local attack defense, run the following reset commands in the user view.

Action: Clear the statistics on local attack defense.
Command: reset cpu-defend statistics slot [ slot-number ] car { blacklist | index index | user-defined-flow flow-id | whitelist }

6.6 Configuration Example


This section provides several configuration examples of local attack defense.
6.6.1 Example for Configuring Local Attack Defense

6.6.1 Example for Configuring Local Attack Defense


Networking Requirements
As shown in Figure 6-2, three local user networks, net1, net2, and net3, access the Internet through a router. The router is connected to a large number of users and receives many packets to be sent to the CPU. In this case, the router is vulnerable to attack packets directed at the CPU. To protect the CPU and allow the router to process other services normally, configure local attack defense as follows:
- As the users in net1 are fixed valid users, add net1 to the whitelist and limit the CIR to 10 Mbit/s and the CBS to 5000 bytes.
- As the users in net2 are valid but not fixed, separately define the rules for sending the packets of net2 users to the CPU and limit the CIR to 5 Mbit/s and the CBS to 3000 bytes.
- As the users in net3 are not fixed and attacks usually come from net3, add net3 to the blacklist and limit the CIR to 2 Mbit/s and the CBS to 90000 bytes.
- Set the total rate for sending the packets to the CPU to high.
- Set the length for smallest packet compensation to 256 bytes.
- Set the rate threshold for packet discarding to 600000 pps and the alarm detection frequency to 1800 seconds.


Figure 6-2 Networking diagram of configuring local attack defense
[Figure: net1 (1.1.1.0/24), net2 (2.2.2.0/24), and net3 (3.3.3.0/24) connect to the Router through its POS interfaces (POS1/0/0, POS2/0/0, POS3/0/0, and POS4/0/0); the Router connects to the Internet.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Connect the interfaces and configure the physical parameters of the interfaces to make the physical status of the interfaces Up.
2. Configure the rules for filtering the packets to be sent to the CPU.
3. Configure the rules for sending the packets to the CPU.
4. Configure queue scheduling for the packets to be sent to the CPU.

Data Preparation
To complete the configuration, you need the following data:
- Number of the attack defense policy
- Number of the slot of the LPU on which the attack defense policy is applied
- ACL rule and number
- Rate threshold for packet discarding

Configuration Procedure
The following provides only the configuration procedure of the local attack defense feature supported by the NE80E/40E. For the configurations of network protocols, refer to the Quidway NetEngine80E/40E Router Configuration Guide - IP Routing.
1. Configure the rules for filtering the packets to be sent to the CPU.
# Define an ACL rule.
<Quidway> system-view
[Quidway] acl number 2001
[Quidway-acl-basic-2001] rule permit source 1.1.1.0 0.0.0.255
[Quidway-acl-basic-2001] quit
[Quidway] acl number 2002


[Quidway-acl-basic-2002] rule permit source 2.2.2.0 0.0.0.255
[Quidway-acl-basic-2002] quit
[Quidway] acl number 2003
[Quidway-acl-basic-2003] rule permit source 3.3.3.0 0.0.0.255
[Quidway-acl-basic-2003] quit

# Create the attack defense policy and configure the whitelist, blacklist, and the user-defined flow rules.
[Quidway] cpu-defend policy 6
[Quidway-cpu-defend-policy-6] whitelist acl 2001
[Quidway-cpu-defend-policy-6] user-defined-flow 2 acl 2002
[Quidway-cpu-defend-policy-6] blacklist acl 2003

# Set the processing priority for the blacklist, whitelist, and user-defined flow.
[Quidway-cpu-defend-policy-6] process-sequence whitelist user-defined-flow blacklist

2. Configure the rules for sending the packets to the CPU.
[Quidway-cpu-defend-policy-6] car whitelist cbs 10000 cir 5000 min-packet-length 256
[Quidway-cpu-defend-policy-6] car blacklist cbs 2000 cir 2000 min-packet-length 256
[Quidway-cpu-defend-policy-6] car user-defined-flow 2 cbs 5000 cir 3000 min-packet-length 256
[Quidway-cpu-defend-policy-6] car total-packet high

3. Set the scheduling priority for the packets to be sent to the CPU.
[Quidway-cpu-defend-policy-6] priority user-defined-flow 2 middle
[Quidway-cpu-defend-policy-6] alarm drop-rate blacklist enable
[Quidway-cpu-defend-policy-6] alarm drop-rate blacklist threshold 600000 interval 1800
[Quidway-cpu-defend-policy-6] quit

4. Apply the attack defense policy on the LPU.
[Quidway] slot 1
[Quidway-slot-1] cpu-defend-policy 6
[Quidway-slot-1] quit
[Quidway] slot 3
[Quidway-slot-3] cpu-defend-policy 6
[Quidway-slot-3] quit
[Quidway] slot 4
[Quidway-slot-4] cpu-defend-policy 6
[Quidway-slot-4] quit

5. Verify the configuration.
# Display information about the configured attack defense policy.
[Quidway] display cpu-defend policy 6
Number : 6
Description :
Related slot : <1, 3, 4>
Configuration :
Whitelist enable : open
Blacklist enable : open
Whitelist ACL number : 2001
Blacklist ACL number : 2003
Whitelist : CIR(5000) CBS(10000) Min-packet-length(256)
Blacklist : CIR(2000) CBS(2000) Min-packet-length(256)
Whitelist priority : high
Blacklist priority : low
Whitelist alarm enable : close
Blacklist alarm enable : open
Whitelist alarm : threshold(1000000) interval(3600)
Blacklist alarm : threshold(600000) interval(1800)
Outbound ARP check enable : open
Application apperceive enable : open
Total packet speed : high
Process-sequence : whitelist user-defined-flow blacklist
User-defined-flow 1 ACL number : 0

User-defined-flow 2 ACL number : 2002
User-defined-flow 3 ACL number : 0
User-defined-flow 4 ACL number : 0
User-defined-flow 2 priority : middle


Configuration Files
#
 sysname Quidway
#
acl number 2001
 rule 5 permit source 1.1.1.0 0.0.0.255
#
acl number 2002
 rule 5 permit source 2.2.2.0 0.0.0.255
#
acl number 2003
 rule 5 permit source 3.3.3.0 0.0.0.255
#
cpu-defend policy 6
 whitelist acl 2001
 blacklist acl 2003
 user-defined-flow 2 acl 2002
 car whitelist cbs 10000 min-packet-length 256
 car blacklist cir 2000 cbs 2000 min-packet-length 256
 car user-defined-flow 2 cir 3000 cbs 5000 min-packet-length 256
 priority user-defined-flow 2 middle
 alarm drop-rate blacklist enable
 alarm drop-rate blacklist threshold 600000 interval 1800
 process-sequence whitelist user-defined-flow blacklist
#
slot 1
 cpu-defend-policy 6
#
slot 3
 cpu-defend-policy 6
#
slot 4
 cpu-defend-policy 6
#
return


7 Mirroring Configuration

About This Chapter

This chapter describes the mirroring configuration based on port and traffic classifier, along with typical examples.
7.1 Overview
This section describes the basic concepts and principle of mirroring.
7.2 Configuring Port Mirroring
This section describes how to configure port mirroring.
7.3 Configuring Flow Mirroring
This section describes how to configure flow mirroring.
7.4 Configuration Examples
This section provides several configuration examples of mirroring.


7.1 Overview
This section describes the basic concepts and principle of mirroring.
7.1.1 Overview of Mirroring
7.1.2 Mirroring Supported by the NE80E/40E

7.1.1 Overview of Mirroring


Mirroring indicates that the system sends a copy of the packets on the current node to a specific observing port without interrupting services. You can specify the number of the port to be observed and connect the packet analysis equipment to the observing port to observe the traffic. Mirroring is divided into the following types according to the requirements for the packets to be copied:
- Port mirroring: The packets received and sent by a mirroring port are completely copied to a specific observing port.
- Flow mirroring: On the basis of traffic classification, the packets that match specific rules are copied and other packets are filtered out. The efficiency of the packet analysis equipment can thus be improved.

Mirroring is divided into the following types according to the direction in which the packets are copied:
- Inbound (upstream) mirroring requires that the system copy the packets received on a port and send the copy to the specified port.
- Outbound (downstream) mirroring requires that the system copy the packets to be sent on a port and send the copy to the specified port.

Figure 7-1 shows the typical networking of mirroring.
Figure 7-1 Typical networking of mirroring
[Figure: inbound packets arrive from Network1 at PortA; outbound packets leave PortB towards Network2; mirroring packets are sent from PortC to the packet analysis equipment.]

To monitor the packets of Network 1 received by Port A or the packets forwarded from Port B to Network 2, configure Port C as the observing port and connect Port C to the packet analysis equipment. Configure mirroring on Port A or Port B to copy the packets received by Port A or forwarded from Port B, or the packets matching specific rules of traffic classification, to Port C. Then the packet analysis equipment performs analysis.

7.1.2 Mirroring Supported by the NE80E/40E


The NE80E/40E supports port mirroring and flow mirroring. In port mirroring, the packets sent to the CPU can be independently mirrored. When bandwidth is sufficient, the packets are mirrored to the packet analysis equipment regardless of whether they are discarded through ACLs or CAR.
NOTE
The packets sent to the CPU, not the packets sent from the CPU, are mirrored.

At present, the NE80E/40E provides the following mirroring functions:
- Supports the configuration of an observing port on each Line Processing Unit (LPU).
- Supports upstream and downstream port mirroring and flow mirroring.
- Independently mirrors the packets sent to the CPU.
- Supports upstream mirroring on the same board and between the boards, and downstream mirroring on the same board.

The NE80E/40E supports upstream mirroring on the Layer 2 interface. That is, after using the portswitch command to switch the Layer 3 interface to a Layer 2 interface, you can use the port-mirroring inbound command to configure upstream mirroring.

When you configure mirroring on the NE80E/40E, note the following:
- It is not recommended that you configure other services on the observing port.
- When NetStream integrated sampling is enabled on LPUB, you cannot configure mirroring on LPUB.
- The packets on the same LPU can be mirrored to the same observing port. Each LPU supports only one observing port.
- On LPUA, Ethernet interfaces and sub-interfaces, GE interfaces and sub-interfaces, POS interfaces, and FR sub-interfaces can serve as the mirroring ports; on LPUB, Ethernet, GE, and POS interfaces can be configured as the mirroring ports. The observing port can be an Ethernet, GE, or POS interface.
- The system supports mirroring between different types of interfaces, such as mutual mirroring between GE and POS interfaces. As the packet encapsulation formats vary with the interface types, errors may occur in packet analysis, and the statistics on the packets mirrored by the observing port are then not exact. Therefore, it is not recommended that you configure mirroring between different types of interfaces.

7.2 Configuring Port Mirroring


This section describes how to configure port mirroring.
7.2.1 Establishing the Configuration Task
7.2.2 Specifying the Observing Port
7.2.3 Configuring the Observing Port to Observe All the Mirroring Ports on an LPU
7.2.4 Configuring Port Mirroring
7.2.5 Checking the Configuration

7.2.1 Establishing the Configuration Task


Applicable Environment
During the operation of the network, it is inconvenient to observe all the ports directly. You can perform the observation by configuring port mirroring.

Pre-configuration Tasks
Before configuring port mirroring, complete the following tasks:
- Configuring the link layer parameters of the interface and the IP address to make the link layer status of the interface Up

Data Preparation
To configure port mirroring, you need the following data.
1. Interface type and number of the observing port
2. Slot number of the LPU on which the mirroring port is configured
3. Interface type and number of the mirroring port

7.2.2 Specifying the Observing Port


Context
Do as follows on the router to be configured with mirroring:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
port-observing observe-index observe-index

The observing port is specified.
----End



7.2.3 Configuring the Observing Port to Observe All the Mirroring Ports on an LPU
Context
Do as follows on the router to be configured with mirroring:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
slot slot-id

The slot view is displayed.

Step 3 Run:
mirror to observe-index observe-index

The observing port is configured to observe all the mirroring ports on the LPU. After the observing port is configured to observe all the mirroring ports on an LPU, the packets received on all the mirroring ports are mirrored to the observing port. The observing port used to observe all the mirroring ports on an LPU can reside on another LPU.
----End

7.2.4 Configuring Port Mirroring


Context
Do as follows on the router to be configured with mirroring:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed. The observing port of the LPU where the interface resides must already be configured.

Step 3 Perform the following as required.
- Run the port-mirroring inbound [ cpu-packet ] command to enable upstream mirroring on the interface.
- Run the port-mirroring outbound command to enable downstream mirroring on the interface.

The NE80E/40E supports upstream mirroring on the same board and between the boards, and downstream mirroring on the same board.
----End

7.2.5 Checking the Configuration


Run the following commands to check the previous configuration.

Action: Display the port mirroring configuration on the LPU.
Command: display port-mirroring [ slot slot-id ]

Action: Display the configuration of the observing port.
Command: display port-observing [ slot slot-id ]

If the preceding configuration succeeds, run the display port-observing [ slot slot-id ] command to view the configuration of the observing port. For example, run the display port-observing slot 2 command to view the configuration of the observing port in slot 2.
<Quidway> display port-observing slot 2
slot 2
[current configuration]
LPU 2 observe-port is GigabitEthernet2/0/0
[reference relationship]
slot 6

If the preceding configuration succeeds, run the display port-mirroring [ slot slot-id ] command to view the configuration of port mirroring. For example, run the display port-mirroring slot 6 command to view the configuration of port mirroring on the LPU in slot 6.
<Quidway> display port-mirroring slot 6
slot 6
[current configuration]
LPU 6 mirror to observe-index 2

7.3 Configuring Flow Mirroring


This section describes how to configure flow mirroring.
7.3.1 Establishing the Configuration Task
7.3.2 Configuring the Observing Port
7.3.3 Configuring the Observing Port to Observe All the Mirroring Ports on an LPU
7.3.4 Defining a Traffic Class
7.3.5 Setting the Traffic Behavior and Enabling Flow Mirroring
7.3.6 Defining the Traffic Policy and Associating the Traffic Class with the Traffic Behavior
7.3.7 Applying the Traffic Policy
7.3.8 Checking the Configuration

7.3.1 Establishing the Configuration Task


Applicable Environment
To provide exact control for packet analysis, the system can combine port mirroring and traffic classification to copy only the packets that meet the requirements. As a result, the packets are filtered and the efficiency of packet analysis is improved.

Pre-configuration Tasks
Before configuring flow mirroring, complete the following tasks:
- Configuring the link layer parameters and the IP address of the interface to make the link layer status of the interface Up

Data Preparation
To configure flow mirroring, you need the following data.
1. Interface type and number of the observing port
2. Slot number of the LPU on which the mirroring port is configured
3. Interface type and number of the mirroring port
4. Traffic classification rules: ACL number, DSCP value, 802.1p precedence, TCP flag, the source or destination MAC address of the packet, and the IP precedence
5. Names of the traffic policy, traffic class, and traffic behavior

7.3.2 Configuring the Observing Port


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
port-observing observe-index observe-index

The observing port is configured.
NOTE
The index number of the observing port must be the same as the slot number of the LPU where the observing port resides.

----End
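Because a wrong observe-index or a second observing port on the same LPU is easy to introduce and silently breaks the mirror, the following Python check is an added example, not code from this guide or from Huawei. It reads a constructed configuration fragment and reports violations of the constraints stated in this chapter: the observe-index must equal the slot number of the LPU holding the observing port, each LPU supports only one observing port, and a slot's mirror to observe-index must name an existing observing port. The interface naming convention Type<slot>/<card>/<port>, the function names, and the sample lines are assumptions.

```python
"""Consistency checks on port-observing and mirror-to configuration of
the kind the guide describes.  Added illustration, not code from the
Huawei guide; the interface naming convention Type<slot>/<card>/<port>
and the sample configuration are assumptions.
"""
import re

# Constructed configuration fragment with three deliberate mistakes.
SAMPLE_CONFIG = """\
interface GigabitEthernet2/0/0
 port-observing observe-index 2
#
interface Pos3/0/0
 port-observing observe-index 4
#
interface GigabitEthernet2/0/1
 port-observing observe-index 2
#
slot 6
 mirror to observe-index 2
#
slot 7
 mirror to observe-index 5
#
"""

IFACE_RE = re.compile(r"^interface\s+([A-Za-z-]+)(\d+)/(\d+)/(\d+)\s*$")
OBSERVE_RE = re.compile(r"^\s*port-observing observe-index (\d+)\s*$")
SLOT_RE = re.compile(r"^slot (\d+)\s*$")
MIRROR_RE = re.compile(r"^\s*mirror to observe-index (\d+)\s*$")


def lint_observing_ports(config):
    """Return a list of human-readable findings; an empty list means the
    fragment satisfies all three constraints."""
    findings = []
    observing = {}      # observe-index -> first interface configured with it
    per_slot = {}       # slot -> observing interfaces on that LPU
    mirror_refs = []    # (slot, observe-index) from mirror to commands
    iface, slot = None, None
    for line in config.splitlines():
        if line.strip() == "#":              # end of the current view
            iface, slot = None, None
            continue
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1) + "%s/%s/%s" % m.group(2, 3, 4)
            slot = int(m.group(2))           # slot is the first number
            continue
        m = SLOT_RE.match(line)
        if m:
            iface, slot = None, int(m.group(1))
            continue
        m = OBSERVE_RE.match(line)
        if m and iface is not None:
            index = int(m.group(1))
            if index != slot:
                findings.append("%s: observe-index %d does not match slot %d"
                                % (iface, index, slot))
            per_slot.setdefault(slot, []).append(iface)
            observing.setdefault(index, iface)
            continue
        m = MIRROR_RE.match(line)
        if m and iface is None and slot is not None:
            mirror_refs.append((slot, int(m.group(1))))
    for s, ifaces in sorted(per_slot.items()):
        if len(ifaces) > 1:
            findings.append("slot %d: more than one observing port (%s)"
                            % (s, ", ".join(ifaces)))
    for s, index in mirror_refs:
        if index not in observing:
            findings.append("slot %d: mirror to observe-index %d names no observing port"
                            % (s, index))
    return findings


if __name__ == "__main__":
    for finding in lint_observing_ports(SAMPLE_CONFIG):
        print(finding)
```

Run against a saved configuration file, the check is a cheap pre-change gate: an observing port that does not receive the expected copies is otherwise found only when the packet analysis equipment shows nothing.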

7.3.3 Configuring the Observing Port to Observe All the Mirroring Ports on an LPU
Context
Do as follows on the router to be configured with mirroring:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
slot slot-id

The slot view is displayed.

Step 3 Run:
mirror to observe-index observe-index

The observing port is configured to observe all the mirroring ports on the LPU. After the observing port is configured to observe all the mirroring ports on an LPU, the packets received on all the mirroring ports are mirrored to the observing port. The observing port used to observe all the mirroring ports on an LPU can reside on another LPU.
----End

7.3.4 Defining a Traffic Class


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
traffic classifier classifier-name [ operator { and | or } ]

The traffic class is defined and its view is displayed.

Step 3 Perform the following as required.
- Run the if-match acl acl-number command to set the ACL-based rule.
- Run the if-match dscp dscp-value command to set the DSCP-based rule.
- Run the if-match tcp syn-flag tcpflag-value command to set the TCP-flag-based rule.
- Run the if-match 8021p 8021p-code command to set the 802.1p-based rule for VLAN packets.
- Run the if-match source-mac mac-address command to set the rule based on the source MAC address of the packet.
- Run the if-match destination-mac mac-address command to set the rule based on the destination MAC address of the packet.
- Run the if-match ip-precedence ip-precedence command to set the rule based on the IP precedence of the packet.
- Run the if-match any command to set the rule matching all the packets.

You can select one or several matching rules in Step 3 as required.
----End

7.3.5 Setting the Traffic Behavior and Enabling Flow Mirroring


Context
Do as follows on the router to be configured with flow mirroring:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
traffic behavior behavior-name

The traffic behavior is defined and its view is displayed.

Step 3 Run:
port-mirroring enable

Flow mirroring is enabled.



After flow mirroring is enabled, all the packets matching the rules of traffic classification are copied to the observing port.

----End

7.3.6 Defining the Traffic Policy and Associating the Traffic Class with the Traffic Behavior
Context
Do as follows on the router to be configured with flow mirroring:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
traffic policy policy-name

The traffic policy is defined and its view is displayed.

Step 3 Run:
classifier classifier-name behavior behavior-name

The traffic class is associated with the traffic behavior in the traffic policy.

----End

7.3.7 Applying the Traffic Policy


Context
Do as follows on the router to be configured with flow mirroring:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed. The observing port of the LPU where the interface resides must be already configured.

Step 3 Run:
traffic-policy policy-name { inbound | outbound }


The traffic policy is applied on the interface.

----End

7.3.8 Checking the Configuration


Run the following commands to check the previous configuration.

Action: Display the configuration of the traffic behavior.
Command: display traffic behavior { system-defined | user-defined } [ behavior-name ]

Action: Display the configuration of the traffic class.
Command: display traffic classifier { system-defined | user-defined } [ classifier-name ]

Action: Display the configurations of the specified class in the specified policy, all the classes in all the policies, and behaviors related to classes.
Command: display traffic policy { system-defined | user-defined } [ policy-name [ classifier classifier-name ] ]

Action: Display the port mirroring configuration on the LPU.
Command: display port-mirroring [ slot slot-id ]

Action: Display the configuration of the observing port.
Command: display port-observing [ slot slot-id ]

Run the display traffic behavior { system-defined | user-defined } [ behavior-name ] command. You can view the configuration of the traffic behavior. For example, run the display traffic behavior user-defined command, and you can view information about the user-defined traffic behavior.
<Quidway> display traffic behavior user-defined
User Defined Behavior Information:
Behavior: behavior1
port-mirroring enable
Behavior: 1
-none-

Run the display traffic classifier { system-defined | user-defined } [ classifier-name ] command. You can view the configuration of the traffic class. For example, run the display traffic classifier user-defined command, and you can view information about the user-defined traffic class.
<Quidway> display traffic classifier user-defined
User Defined Classifier Information:
Classifier: classifier1
Operator: OR
Rule(s) : if-match acl 2001
Classifier: c1
Operator: OR
Rule(s) : -none-

Run the display traffic policy { system-defined | user-defined } [ policy-name [ classifier classifier-name ] ] command. You can view the configuration of the specified class in the specified policy, all the classes in all the policies, and behaviors related to classes.

For example, run the display traffic policy user-defined command, and you can view information about the user-defined traffic policy.
<Quidway> display traffic policy user-defined
User Defined Traffic Policy Information:
Policy: policy1
Classifier: default-class
Behavior: be
-none-
Classifier: classifier1
Behavior: behavior1
port-mirroring enable
Policy: 1
Classifier: default-class
Behavior: be
-none-

Run the display port-observing [ slot slot-id ] command. You can view the configuration of the observing port. For example, run the display port-observing slot 3 command, and you can view the configuration of the observing port on the LPU in slot 3.
<Quidway> display port-observing slot 3
slot 3
[current configuration]
LPU 3 observe-port is GigabitEthernet3/0/2
[reference relationship]
slot 3

Run the display port-mirroring [ slot slot-id ] command. You can view the configuration of port mirroring. For example, run the display port-mirroring slot 3 command, and you can view the configuration of port mirroring on the LPU in slot 3.
<Quidway> display port-mirroring slot 3
slot 3
[current configuration]
LPU 3 mirror to observe-index 3

7.4 Configuration Examples


This section provides several configuration examples of mirroring.

7.4.1 Example for Configuring Port Mirroring
7.4.2 Example for Configuring Flow Mirroring

7.4.1 Example for Configuring Port Mirroring


Networking Requirements
As shown in Figure 7-2, to monitor the packets received on GE 3/0/0 from RouterA to RouterB, configure GE 1/0/0 of RouterB as the observing port and enable port mirroring on GE 3/0/0. Then all the packets received on GE 3/0/0 are copied to GE 1/0/0. All the mirrored packets are then sent to the packet analysis equipment Host D.
Figure 7-2 Networking diagram of port mirroring (labels: RouterA GE1/0/0 7.1.1.1/24; RouterB GE3/0/0 7.1.1.2/24, GE3/0/1 8.1.1.2/24, GE1/0/0 9.1.1.1/24; RouterC GE1/0/0 8.1.1.1/24; HostD)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GE 1/0/0 of RouterB as the observing port.
2. Configure GE 3/0/0 of RouterB as the mirroring port and enable port mirroring.

Data Preparation
To complete the configuration, you need the following data:
- IP addresses of the interfaces
- Interface type and number of the observing port and the mirroring port

Configuration Procedure
1. Assign IP addresses to the interfaces, and ensure that the IP addresses are reachable. The detailed configurations are not mentioned.

2. Configure GE 1/0/0 as the observing port.
<RouterB> system-view
[RouterB] interface gigabitethernet1/0/0
[RouterB-GigabitEthernet1/0/0] port-observing observe-index 1
[RouterB-GigabitEthernet1/0/0] quit

3. Configure the observing port to observe all the mirroring ports on the LPU.
[RouterB] slot 3
[RouterB-slot-3] mirror to observe-index 1
[RouterB-slot-3] quit

4. Enable upstream mirroring on GE 3/0/0.
[RouterB] interface gigabitethernet3/0/0
[RouterB-GigabitEthernet3/0/0] port-mirroring inbound
[RouterB-GigabitEthernet3/0/0] port-mirroring inbound cpu-packet
[RouterB-GigabitEthernet3/0/0] quit

After the preceding configuration, all the packets received on GE 3/0/0 and the packets sent to the CPU are mirrored to GE 1/0/0.

5. Verify the configuration. You can view traffic mirroring through the ping command or in other ways. For example, send 10 ping packets from RouterA to GE 3/0/0 of RouterB; all the packets should be received on Host D. You can view the statistics about the packets on GE 1/0/0.
<RouterB> display interface gigabitethernet1/0/0
GigabitEthernet1/0/0 current state : UP
Line protocol current state : UP
Description:HUAWEI, Quidway Series, GigabitEthernet1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet protocol processing : disabled
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc7d-a497
The Vendor PN is HFBR-5710L
Port BW: 1G, Transceiver max BW: 1G, Transceiver Mode: MultiMode
WaveLength: 850nm, Transmission Distance: 550m
Loopback:none, full-duplex mode, negotiation: disable, Pause Flowcontrol:Send and Receive Enable
Statistics last cleared:never
Last 300 seconds input rate: 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bits/sec, 0 packets/sec
Input: 107628 bytes, 1016 packets
Output: 107628 bytes, 1016 packets
Input:
Unicast: 0, Multicast: 0
Broadcast: 0, JumboOctets: 0
CRC: 0, Symbol: 0
Overrun: 0 , InRangeLength: 0
LongPacket: 0 , Jabber: 0, Alignment: 0
Fragment: 0, Undersized Frame: 0
RxPause: 0
Output:
Unicast: 10, Multicast: 0
Broadcast: 0, Jumbo: 0
Lost: 0, Overflow: 0, Underrun: 0
TxPause: 0

Configuration Files
- Configuration file of RouterA
#
sysname RouterA
#
interface GigabitEthernet1/0/0
 ip address 7.1.1.1 255.255.255.0
#
return

- Configuration file of RouterB
#
sysname RouterB
#
slot 3
#
interface GigabitEthernet3/0/0
 ip address 7.1.1.2 255.255.255.0
 port-mirroring inbound
 port-mirroring inbound cpu-packet
#
interface GigabitEthernet3/0/1
 ip address 8.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 ip address 9.1.1.1 255.255.255.0
 port-observing observe-index 1
#
slot 3
 mirror to observe-index 1
#
return

- Configuration file of RouterC
#
sysname RouterC
#
interface GigabitEthernet1/0/0
 ip address 8.1.1.1 255.255.255.0
#
return

7.4.2 Example for Configuring Flow Mirroring


Networking Requirements
As shown in Figure 7-3, to monitor the packets received on GE 3/0/0 of RouterB from RouterA, configure GE 3/0/2 of RouterB as the observing port and then enable flow mirroring on GE 3/0/0. To improve the working efficiency of Host D, configure a traffic policy on GE 3/0/0 of RouterB to copy only the packets with the source address 2.2.2.2 to GE 3/0/2.

Figure 7-3 Networking diagram of flow mirroring (labels: net1; RouterA GE2/0/0 1.1.1.0/24, GE3/0/0 2.2.2.2/24, GE1/0/0 7.1.1.1/24; RouterB GE3/0/0 7.1.1.2/24, GE3/0/1 8.1.1.2/24, GE3/0/2 9.1.1.1/24; RouterC GE1/0/0 8.1.1.1/24; net2; HostD)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GE 3/0/2 of RouterB as the observing port.
2. Configure the traffic policy on GE 3/0/0 of RouterB and combine traffic classification with port mirroring.

Data Preparation
To complete the configuration, you need the following data:
- IP addresses of the interfaces
- Interface type and number of the observing port and the mirroring port
- ACL number and names of the traffic class, traffic behavior, and traffic policy

Configuration Procedure
1. Assign IP addresses to the interfaces, and ensure that the IP addresses are reachable. The detailed configurations are not mentioned.

2. Configure GE 3/0/2 as the observing port.
<RouterB> system-view
[RouterB] interface gigabitethernet3/0/2
[RouterB-GigabitEthernet3/0/2] port-observing observe-index 3
[RouterB-GigabitEthernet3/0/2] quit

3. Configure the observing port to observe all the mirroring ports on the LPU.
[RouterB] slot 3
[RouterB-slot-3] mirror to observe-index 3
[RouterB-slot-3] quit

4. Define the traffic policy on GE 3/0/0.

# Set an ACL rule.
[RouterB] acl 2001
[RouterB-acl-basic-2001] rule permit source 2.2.2.2 0.0.0.0
[RouterB-acl-basic-2001] quit

# Configure traffic classification and set an ACL-based matching rule.
[RouterB] traffic classifier a
[RouterB-classifier-a] if-match acl 2001
[RouterB-classifier-a] quit
[RouterB] quit

# After the preceding configuration, you can run the display command to view the configuration of the traffic class.
<RouterB> display traffic classifier user-defined
User Defined Classifier Information:
Classifier: a
Operator: OR
Rule(s) : if-match acl 2001

# Set a traffic behavior and enable flow mirroring.
<RouterB> system-view
[RouterB] traffic behavior e
[RouterB-behavior-e] port-mirroring enable
[RouterB-behavior-e] quit

# Define a traffic policy and associate the traffic class with the traffic behavior.
[RouterB] traffic policy 1
[RouterB-trafficpolicy-1] classifier a behavior e
[RouterB-trafficpolicy-1] quit

# Apply the traffic policy to the interface.
[RouterB] interface gigabitethernet3/0/0
[RouterB-GigabitEthernet3/0/0] traffic-policy 1 inbound
[RouterB-GigabitEthernet3/0/0] quit

5. Verify the configuration. You can view traffic mirroring through the ping command or in other ways. For example, send 10 ping packets with the source address 2.2.2.2/32 and another 10 packets with the source address 1.1.1.1/32 from RouterA to GE 3/0/0. Host D should receive only the packets with the source address 2.2.2.2/32 from RouterA.

Configuration Files
- Configuration file of RouterA
#
sysname RouterA
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 7.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet3/0/0
 undo shutdown
 ip address 2.2.2.2 255.255.255.0
#
return

- Configuration file of RouterB
#
sysname RouterB
#
slot 3
#
acl number 2001
 rule 5 permit source 2.2.2.2 0
#
traffic classifier a operator or
 if-match acl 2001
#
traffic behavior e
 port-mirroring enable
#
traffic policy 1
 classifier a behavior e
#
interface GigabitEthernet3/0/0
 undo shutdown
 ip address 7.1.1.2 255.255.255.0
 traffic-policy 1 inbound
#
interface GigabitEthernet3/0/1
 undo shutdown
 ip address 8.1.1.2 255.255.255.0
#
interface GigabitEthernet3/0/2
 undo shutdown
 port-observing observe-index 3
#
slot 3
 mirror to observe-index 3
#
return

- Configuration file of RouterC
#
sysname RouterC
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 8.1.1.1 255.255.255.0
#
return
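As an added example (not Huawei code and not part of this guide), the following Python script audits a saved configuration file against the rules stated in 7.3.2 to 7.3.7 and exercised in 7.4.1 and 7.4.2: the observe-index must equal the observing port's slot, each "mirror to observe-index" must name a configured observing port, the LPU of every mirroring interface needs one, and a flow mirroring policy must chain to a behavior with port-mirroring enable. The configuration text is constructed from the RouterB file above with two inconsistencies inserted.

```python
# Added example, not Huawei code: audit a mirroring configuration against the
# constraints this chapter states (observe-index, slot mirroring, policy chain).
import re

# Constructed sample: RouterB's file from the flow mirroring example, plus a
# mis-indexed observing port (GE1/0/0) and a mirroring port whose LPU (slot 5)
# has no 'mirror to observe-index'.
SAMPLE_CONFIG = """\
#
traffic classifier a operator or
 if-match acl 2001
#
traffic behavior e
 port-mirroring enable
#
traffic policy 1
 classifier a behavior e
#
interface GigabitEthernet3/0/0
 traffic-policy 1 inbound
#
interface GigabitEthernet3/0/2
 port-observing observe-index 3
#
interface GigabitEthernet1/0/0
 port-observing observe-index 2
#
interface GigabitEthernet5/0/1
 port-mirroring inbound
#
slot 3
 mirror to observe-index 3
#
return
"""

def parse_blocks(text):
    """Split a VRP-style file into (header, child lines) at '#' separators."""
    chunks = []
    for line in (l.strip() for l in text.splitlines()):
        if line == "#":
            chunks.append([])
        elif line and line != "return" and chunks:
            chunks[-1].append(line)
    return [(c[0], c[1:]) for c in chunks if c]

def slot_of(iface):
    """Slot of an LPU interface, e.g. GigabitEthernet3/0/2 -> 3 (None otherwise)."""
    hit = re.search(r"(\d+)/\d+/\d+$", iface)
    return int(hit.group(1)) if hit else None

def build_model(blocks):
    """Collect the mirroring-relevant statements into lookup tables."""
    m = {"observe": {}, "slot_mirror": {}, "behaviors": {}, "classifiers": {},
         "policies": {}, "mirror_ifaces": []}
    for header, children in blocks:
        w = header.split()
        if w[0] == "interface":
            for c in children:
                if hit := re.match(r"port-observing observe-index (\d+)$", c):
                    m["observe"][int(hit.group(1))] = w[1]
                elif re.match(r"port-mirroring (inbound|outbound)", c):
                    m["mirror_ifaces"].append((w[1], c, None))
                elif hit := re.match(r"traffic-policy (\S+) (inbound|outbound)", c):
                    m["mirror_ifaces"].append((w[1], c, hit.group(1)))
        elif w[0] == "slot":
            for c in children:
                if hit := re.match(r"mirror to observe-index (\d+)$", c):
                    m["slot_mirror"][int(w[1])] = int(hit.group(1))
        elif w[:2] == ["traffic", "behavior"]:
            m["behaviors"][w[2]] = set(children)
        elif w[:2] == ["traffic", "classifier"]:
            m["classifiers"][w[2]] = list(children)
        elif w[:2] == ["traffic", "policy"]:
            m["policies"][w[2]] = re.findall(r"classifier (\S+) behavior (\S+)", " ".join(children))
    return m

def audit(m):
    """Return findings; an empty list means the mirroring setup is consistent."""
    out = []
    for index, iface in m["observe"].items():      # 7.3.2: index equals the port's slot
        if slot_of(iface) != index:
            out.append(f"{iface}: observe-index {index} differs from its slot {slot_of(iface)}")
    for slot, index in m["slot_mirror"].items():   # 7.3.3: index names a configured port
        if index not in m["observe"]:
            out.append(f"slot {slot}: mirror to observe-index {index} has no observing port")
    for iface, cmd, policy in m["mirror_ifaces"]:  # 7.3.7: the LPU needs an observing port
        if slot_of(iface) not in m["slot_mirror"]:
            out.append(f"{iface}: '{cmd}' but slot {slot_of(iface)} has no mirror to observe-index")
        pairs = m["policies"].get(policy) if policy else None
        if policy and pairs is None:
            out.append(f"{iface}: traffic-policy {policy} is not defined")
        for cls, beh in pairs or []:               # 7.3.4 to 7.3.6: class -> behavior chain
            if cls not in m["classifiers"] or beh not in m["behaviors"]:
                out.append(f"policy {policy}: classifier {cls} or behavior {beh} is not defined")
        if pairs and not any("port-mirroring enable" in m["behaviors"].get(b, ()) for _, b in pairs):
            out.append(f"policy {policy}: no behavior enables port-mirroring")
    return out

def audit_config(text):
    return audit(build_model(parse_blocks(text)))
```

Running audit_config(SAMPLE_CONFIG) reports the mis-indexed GE1/0/0 observing port and the missing observing port for slot 5; the unmodified RouterB file passes with no findings.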

8 Lawful Interception Configuration

About This Chapter


This chapter describes the configuration of Lawful Interception.

8.1 Overview
This section describes the concept and principle of lawful interception and the lawful interception function supported by the NE80E/40E.

8.2 Configuring Lawful Interception
This section describes how to configure lawful interception.

8.3 Configuration Example
This section provides a configuration example of lawful interception.


8.1 Overview
This section describes the concept and principle of lawful interception and the lawful interception function supported by the NE80E/40E.

8.1.1 Overview of Lawful Interception
8.1.2 Lawful Interception Supported by the NE80E/40E

8.1.1 Overview of Lawful Interception


Lawful interception refers to the interception of the activities of online users by an authorized agency, such as a law enforcement agency. In lawful interception, the following information is intercepted:
- CC: the contents of the communication, such as emails and VoIP packets
- IRI: information related to the communication, including the address, time, and network location

The contents of communication (CC) and intercept related information (IRI) can be provided by the network devices of the carrier. The IRI is generally provided by the AAA server. The CC is provided by the interception device, for example, the NE80E/40E.

Scenario for Lawful Interception


Figure 8-1 shows the scenario for lawful interception.

NOTE
In this scenario, the IRI is provided by the AAA server and the CC is provided by the NE80E/40E.

Figure 8-1 Scenario for lawful interception (labels: interception center 1 to interception center N; interception management center; LIG management system, connected over HI1 and L1; LIG, connected to the interception management center over HI2 and HI3, to the AAA server over X1 and X2, and to the router over X1 and X3; network device of the carrier; carrier's network; Internet)

Lawful interception involves the following roles:
- Interception center
  The law enforcement agency intercepts the activities of online users. The interception center initiates the interception and receives the interception result. The functions of the interception center are as follows:
  - Defining the intercepted target
  - Initiating or terminating the interception
  - Receiving and recording the interception result
  - Analyzing the interception result
- Interception management center
  The interception management center is the agent of the interception centers. The interception management center receives the interception request from the interception center, transforms the information in the request to the location and service identifier, and then delivers the configuration of interception to the network devices of the carrier.
- LIG
  The lawful interception gateway (LIG) acts as the agent between the interception management center and the devices of the carrier. The LIG plays an important role in lawful interception. Its functions are as follows:
  - Receives the interception request from the interception management center through the L1 and HI1 interfaces.
  - Delivers the configuration of interception to network devices and obtains intercepted contents through the X interfaces.
  - Sends the intercepted contents to the interception management center through the HI2 and HI3 interfaces.
- LIG management system
  The LIG management system receives the interception request from the interception management center and sends the request to the LIG. A LIG management system can manage multiple LIGs.
  NOTE
  The LIG management system delivers the configuration to the LIG through the L1 interface. The LIG is located in the network of the carrier. The LIG management system is managed by the interception management center.
- Carrier
  The carrier deploys the lawful interception function on the network devices. The devices that support lawful interception receive the configuration from the interception management center, and then send the intercepted traffic to the interception management center.

Interfaces for Lawful Interception


Lawful interception involves seven interfaces. Table 8-1 provides the description of these interfaces.


Table 8-1 Description of interfaces for lawful interception

Interface: L1
Description: Connects the LIG management system to the LIG. The L1 interface delivers the interception control command from the interception management center to the LIG.
NOTE: If multiple LIGs are distributed in the carrier's network, the interception control command can be delivered through multiple L1 interfaces so that the LIGs are uniformly controlled.

Interface: HI1
Description: Connects the interception management center to the LIG management system. The interception management center delivers management commands to the LIG and receives responses through the HI1 interface.

Interface: HI2
Description: Connects the interception management center to the LIG. The LIG sends the IRI to the interception management center through the HI2 interface.

Interface: HI3
Description: Connects the interception management center to the LIG. The LIG sends the CC to the interception management center through the HI3 interface.

Interface: X1
Description: Connects the LIG to the signaling management interface of the network device of the carrier. Through the X1 interface, the LIG delivers the interception configuration, including the intercepted user and the interception task, to the network devices of the carrier.

Interface: X2
Description: Connects the LIG to the data interface of the network device of the carrier. The network device of the carrier sends the IRI to the LIG through the X2 interface. This interface must guarantee the reliability and privacy of the data.

Interface: X3
Description: Connects the LIG to the data interface of the network device of the carrier. The network device of the carrier sends the CC and heartbeat messages to the LIG through the X3 interface.
NOTE: The network device and the LIG send heartbeat packets to each other to check the connectivity between them. If the network device receives no response packet from the LIG for a certain period, it deletes the interception objects distributed by the LIG. After the heartbeat recovers, the LIG redistributes the interception objects.

NOTE

In lawful interception, the NE80E/40E acts as the device on the carrier's network and provides X1 and X3 interfaces. The implementation on the two interfaces is as follows:
- The NE80E/40E provides no command lines for configuring the X1 interface. The LIG delivers the configuration to the X1 interface of the NE80E/40E through the Simple Network Management Protocol version 3 (SNMPv3). In addition, the relevant configuration is excluded from the configuration file. When the NE80E/40E restarts, the LIG needs to deliver the configuration of the X1 interface again.
- The NE80E/40E provides the command lines for configuring the X3 interface to set up the connection with the LIG.

8.1.2 Lawful Interception Supported by the NE80E/40E

Application of the NE80E/40E in Lawful Interception


The NE80E/40E acts as the network device of the carrier in lawful interception. The NE80E/40E sends the CC to the LIG through the X3 interface and obtains information about the interception objects distributed by the LIG through the X1 interface. The LIG sends information about the intercepted target through the X1 interface. The NE80E/40E generates the ACL rule according to the information about the intercepted target. The NE80E/40E copies the data matching the ACL rule, encapsulates the data in UDP packets as the CC, and then sends the CC to the LIG through the X3 interface. When information about the targeted user changes, the NE80E/40E updates the ACL rule. When the LIG stops intercepting the user activities, the NE80E/40E deletes the related ACL rule.
NOTE

The ACL rule generated by the NE80E/40E for lawful interception is not saved in the configuration file. When the NE80E/40E restarts, the LIG must send information about the intercepted target to the NE80E/40E again so that the ACL rule can be generated again. The NE80E/40E does not support the setting of ACL rules through command lines.

The NE80E/40E supports lawful interception for the following traffic:
- Internet service traffic
- VoIP service traffic

Lawful interception for less than 500 users does not impact normal services. The NE80E/40E supports lawful interception for 2 K users at most, which can impact the performance of the device. An NE80E/40E can be connected to a maximum of 10 LIGs at the same time, but the interception objects distributed by the LIGs cannot be the same. Otherwise, the distribution of the interception object fails.

Process of Lawful Interception Supported by the NE80E/40E

Figure 8-2 Process of lawful interception supported by the NE80E/40E (labels: interception center, interception management center, LIG, AAA/DHCP server, router acting as the interception device, access device, user, Internet; the numbered steps in the figure correspond to the list that follows)

The process of lawful interception supported by the NE80E/40E is as follows:
1. The interception center delivers the contents of the lawful interception authorization letter to the interception management center.
2. The interception management center delivers information about lawful interception to the LIG.
3. The LIG specifies the intercepted target for the AAA or DHCP server and sets ACL rules on the NE80E/40E according to the received information.
4. The interceptor, such as an IP probe or Sniffer on the server, intercepts the traffic of the preset target, generates the initial IRI when the user goes online, and sends the IRI to the LIG.
5. The targeted user sends a login request to the AAA or DHCP server.
6. After receiving the IRI of the targeted user, the LIG processes it and then sends it to the interception center. The interception center intercepts all the interactive packets of the RADIUS and DHCP servers. Once the targeted user goes online, the interception center notifies the NE80E/40E to be ready for interception.
7. After successful login, the targeted user begins to send traffic and the AAA server starts accounting at the same time.
8. When any data traffic flows from the targeted user, the NE80E/40E intercepts and copies the traffic, and then sends it to the LIG through UDP.
9. The LIG sends the intercepted information to the interception center.
10. When the targeted user logs out of the network or the interception expires, the LIG removes the interception configuration on the NE80E/40E. The interception is complete.

8.2 Configuring Lawful Interception


This section describes how to configure lawful interception.

8.2.1 Establishing the Configuration Task
8.2.2 Specifying the SPUC Board for Lawful Interception
8.2.3 Configuring the IP Address of the X3 Interface
8.2.4 Configuring the X3 Interface
8.2.5 Enabling Lawful Interception
8.2.6 Checking the Configuration

8.2.1 Establishing the Configuration Task


Applicable Environment
On the IP network, lawful interception must be configured to guarantee network security and monitor activities of online users. The NE80E/40E intercepts user activities based on the IP address, without differentiating services. To implement lawful interception, the LIG delivers the configuration to the X1 interface of the NE80E/40E. You only need to enable lawful interception and configure the X3 interface on the NE80E/40E.

Pre-configuration Tasks
Before configuring lawful interception, connect the NE80E/40E to the LIG through the X1 interface correctly.
NOTE

The configuration of the X1 interface is delivered to the NE80E/40E through SNMPv3, so you must configure the SNMP agent on the NE80E/40E; otherwise, the NE80E/40E cannot communicate with the LIG. For the configuration of the SNMP agent, refer to the Quidway NetEngine80E/40E Router Configuration Guide - System Management.

Data Preparation
To configure lawful interception, you need the following data.

No. Data
1 Slot number of the SPUC board
2 Port number of the X3 interface
3 IP address of the X3 interface


8.2.2 Specifying the SPUC Board for Lawful Interception


Context
Do as follows on the router where lawful interception is deployed:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
lawful-interception { backup | slot } slot slot-id

The SPUC board is specified for lawful interception.

----End

8.2.3 Configuring the IP Address of the X3 Interface


Context
Do as follows on the router where lawful interception is deployed:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
ip address ip-address { mask | mask-length }

The IP address of the X3 interface is configured. It is recommended to configure a Loopback interface as the X3 interface.

----End

8.2.4 Configuring the X3 Interface


Context
Before configuring the X3 interface, you must configure the IP address of the X3 interface. By default, no X3 interface is configured on the NE80E/40E.

Do as follows on the router where lawful interception is deployed:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
lawful-interception x3-interface interface-type interface-number port port-number

The X3 interface for lawful interception is configured.


NOTE

An NE80E/40E can be connected to a maximum of 10 LIGs. The LIGs share an X3 interface and are connected to the X3 interface through their IP addresses.

----End

8.2.5 Enabling Lawful Interception


Context
By default, lawful interception is disabled. Do as follows on the router where lawful interception is deployed:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
lawful-interception enable

Lawful interception is enabled. When enabling lawful interception, note the following:
- Before enabling lawful interception, you must configure the X3 interface for lawful interception.
- After lawful interception is enabled, the IP address of the X3 interface cannot be deleted or changed. To change the IP address of the X3 interface, run the undo lawful-interception enable command to disable lawful interception first.
- After you run the undo lawful-interception enable command, the NE80E/40E deletes the following information delivered by the LIG:
  - IP address of the LIG
  - Information about the X3 interface
  - Information about the intercepted user

----End

8.2.6 Checking the Configuration


Run the following command in the system view to check the previous configuration.

Action: Check the configuration of lawful interception.
Command: display lawful-interception

Run the display lawful-interception command to view the configuration of lawful interception. For example:

<Quidway> display lawful-interception
Lawful Interception:
  Lawful Interception function is : Enabled
  Lawful Interception X3 interface is GigabitEthernet2/0/0
  Lawful Interception X3 port is 3000

8.3 Configuration Example


This section provides a configuration example of lawful interception.
8.3.1 Example for Configuring Lawful Interception

8.3.1 Example for Configuring Lawful Interception


NOTE
In lawful interception, the NE80E/40E is the entity that provides the intercepted information. You need to do only the following:

- Configure SNMP.
- Configure the X3 interface.
- Enable lawful interception on the NE80E/40E.

In this example, only the configuration on the NE80E/40E is described.

Networking Requirements
As shown in Figure 8-3, the NE80E/40E is the carrier's network device. It connects to the LIG through X3 interface Loopback0 (100.100.100.1/24) and provides the intercepted information.

Figure 8-3 Networking of lawful interception
(Figure not reproduced. Elements shown: User, Switch, Router with Loopback0 100.100.100.1/24 as the X3 interface, LIG, RADIUS server, Internet.)


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the SNMP agent to enable communication between the router and the LIG.
2. Configure the IP address of the X3 interface.
3. Specify the board used for lawful interception.
4. Configure the X3 interface.
5. Enable lawful interception.

Data Preparation
To complete the configuration, you need the following data:

- SNMP version number
- IP address of the X3 interface
- Port number of the X3 interface
- Slot number of the SPUC board used for lawful interception

Configuration Procedure
1. Configure the SNMP agent.

NOTE
In this example, only the basic configuration of SNMP is listed. For detailed SNMP configuration, refer to the Quidway NetEngine80E/40E Router Configuration Guide - System Management. The community strings public and private and the MD5-only SNMPv3 user below are example values, and sys-info version all enables SNMPv1 and SNMPv2c alongside SNMPv3. Because the LIG provisions intercept targets through this SNMP access, a deployment should use unguessable community strings or, preferably, SNMPv3 only with both authentication and privacy, and restrict the addresses allowed to use them.

<Quidway> system-view
[Quidway] snmp-agent
[Quidway] snmp-agent sys-info version all
[Quidway] snmp-agent community read public
[Quidway] snmp-agent community write private
[Quidway] snmp-agent group v3 huawei authentication read-view snmpv3 write-view snmpv3
[Quidway] snmp-agent mib-view included snmpv3 iso
[Quidway] snmp-agent usm-user v3 usera huawei authentication-mode md5 123456789

NOTE
To enable communication between the NE80E/40E and the LIG, configure the following on the LIG after configuring the SNMP agent:

- IP addresses of the X2 and X3 interfaces
- Port numbers of the X2 and X3 interfaces
- Information about the intercepted data flow

For details about configuring the LIG, refer to the documentation of the LIG device. The NE80E/40E implements lawful interception in cooperation with the LIG vendor; Huawei does not provide LIG devices.

2. Configure the IP address of the X3 interface.

[Quidway] interface loopback0
[Quidway-loopback0] ip address 100.100.100.1 24
[Quidway-loopback0] quit

3. Specify the SPUC board in slot 1 for lawful interception.

[Quidway] lawful-interception slot 1

4. Configure the X3 interface and enable lawful interception.

[Quidway] lawful-interception x3-interface loopback0 port 3000
[Quidway] lawful-interception enable

Configuration Files
#
 sysname Quidway
#
 lawful-interception x3-interface LoopBack0 port 3000
 lawful-interception enable
#
 snmp-agent trap type base-trap
#
interface LoopBack0
 ip address 100.100.100.1 255.255.255.0
#
 snmp-agent
 snmp-agent community read public
 snmp-agent community write private
 snmp-agent sys-info version all
 snmp-agent group v3 huawei authentication read-view snmpv3 write-view snmpv3
 snmp-agent mib-view included snmpv3 iso
 snmp-agent usm-user v3 usera huawei authentication-mode md5 V_Q+IJ9I_GN*9-T^LW W,YQ!!
#
return


A Attributes List of RADIUS and HWTACACS

This appendix lists the attributes of RADIUS and HWTACACS.
A.1 RADIUS Attribute: lists the RADIUS attributes.
A.2 HWTACACS Attribute: lists the HWTACACS attributes.


A.1 RADIUS Attribute

This section lists the RADIUS attributes.
A.1.1 Standard RADIUS Attribute
A.1.2 Huawei RADIUS Attribute

A.1.1 Standard RADIUS Attribute


No | Name | Description
1 | User-Name | User name under authentication.
2 | Password | User password under authentication; used only with PAP authentication.
3 | Challenge-Password | User password under authentication; used only with CHAP authentication.
4 | NAS-IP-Address | IP address of the router. If the RADIUS server group is bound to an interface, the address of that interface is used; otherwise the address of the interface that sends the packets is used.
5 | NAS-Port | User access port, packed as "4-bit slot number + 2-bit card number + 5-bit port number + 21-bit VLAN ID".
6 | Service-Type | User service type: 2 for access users, 6 for operation (administrative) users.
7 | Framed-Protocol | Fixed at 1, which refers to PPP.
8 | Framed-IP-Address | IP address that the RADIUS server assigns to the user. 0xFFFFFFFE indicates that the address is assigned by the router rather than by the RADIUS server.
9 | Framed-Netmask | IP address mask that the RADIUS server assigns to the user.
11 | Filter-ID | User group.
14 | Login-IP-Host | IP address of the host connected with the user.
15 | Login-Service | Type of login service: Telnet, Rlogin, TCP Clear, PortMaster (proprietary) or LAT.
18 | Reply-Message | Message indicating whether authentication succeeded.
19 | Callback-Number | Information from the server that can be displayed to the user, such as a mobile phone number.


No | Name | Description
24 | State | If an Access-Challenge packet from the RADIUS server to the router contains this attribute, the router's subsequent Access-Request packets must carry the same value.
25 | Class | If an Access-Accept packet from the RADIUS server to the router contains this attribute, the router's subsequent Accounting-Request packets must carry the same value. With a standard RADIUS server, the router can use Class to carry CAR parameters.
27 | Session-Timeout | Remaining time available to the user, in seconds. In EAP challenge packets it acts as the reauthentication interval.
28 | Idle-Timeout | Idle-cut time for the user, in seconds.
29 | Termination-Action | Action taken when the service ends, such as reauthentication or forced logout.
30 | Called-Station-Id | Allows the NAS to send the called number.
31 | Calling-Station-Id | Allows the NAS to send the calling number.
32 | NAS-Identifier | Host name of the router.
40 | Acct-Status-Type | Type of accounting packet: 1 for start, 2 for stop, 3 for real-time (interim) update.
41 | Acct-Delay-Time | Number of seconds the router has been trying to send this accounting packet.
42 | Acct-Input-Octets | Octets received from the user (uplink). The unit (byte, Kbyte, Mbyte or Gbyte) is set by command.
43 | Acct-Output-Octets | Octets sent to the user (downlink). The unit (byte, Kbyte, Mbyte or Gbyte) is set by command.
44 | Acct-Session-Id | Accounting session identifier. The start, real-time and stop accounting packets of one session must carry the same session ID.
45 | Acct-Authentic | Authentication method: 1 for RADIUS authentication, 2 for local authentication.
46 | Acct-Session-Time | Online duration of the user, in seconds.
47 | Acct-Input-Packets | Number of input packets.


No | Name | Description
48 | Acct-Output-Packets | Number of output packets.
49 | Terminate-Cause | Cause of the termination of the user connection:
    User-Request (1): the user logs out.
    Lost-Carrier (2): the handshake fails, for example ARP detection failure or PPP handshake failure.
    Lost-Service (3): disconnection ordered by the service.
    Idle-Timeout (4): idle timeout.
    Session-Timeout (5): time-limit or traffic-limit disconnection.
    Admin-Reset (6): the administrator orders the connection to be cut.
    Admin-Reboot (7): the administrator resets the router.
    Port-Error (8): the port is in error.
    NAS-Error (9): an internal error occurred in the router.
    NAS-Request (10): the router cuts the connection because of a resource change.
    NAS-Reboot (11): the router resets automatically.
    Port-Unneeded (12): the port goes Down.
    Port-Suspended (14): the port is suspended.
    Service-Unavailable (15): the service is unavailable.
    User-Error (17): user authentication fails or times out.
    Host-Request (18): a reject packet is received from the server.
50 | Acct-Multi-Session-Id | Identifier shared by several related sessions so that they can be correlated in logs.
52 | Acct-Input-Gigawords | Number of times the 32-bit Acct-Input-Octets counter has wrapped, that is, multiples of 4G (2^32) in the configured unit (byte, Kbyte, Mbyte or Gbyte).
53 | Acct-Output-Gigawords | Number of times the 32-bit Acct-Output-Octets counter has wrapped, that is, multiples of 4G (2^32) in the configured unit (byte, Kbyte, Mbyte or Gbyte).
(not given) | (not given) | Duration for generating accounting packets, in seconds.
55 | Event-Timestamp | Absolute time in seconds since 00:00:00 on January 1, 1970.
60 | CHAP-Challenge | Challenge word of CHAP authentication; used only with CHAP.
61 | NAS-Port-Type | Port type of the NAS; can be set in the BAS interface view.
64 | Tunnel-Type | Protocol type of the tunnel. Fixed at 3, which refers to L2TP.
65 | Tunnel-Medium-Type | Medium type over the tunnel. Fixed at 1, which refers to IPv4.
67 | Tunnel-Server-Endpoint | IP address of the tunnel at the server side.


No | Name | Description
69 | Tunnel-Password | Password for tunnel authentication. The first two bytes are the salt; the following 16 bytes are the encrypted password.
81 | Tunnel-Private-Group-ID | Group ID of the tunnel.
82 | Tunnel-Assignment-ID | ID of the tunnel.
83 | Tunnel-Preference | Preference of the tunnel.
85 | Acct-Interim-Interval | Interval for real-time accounting, in seconds.
87 | NAS-Port-Id | User access port ID, in the format "slot=XX;subslot=XX;port=XXX;VLANID=XXXX;" or "slot=XX;subslot=XX;port=XXX;VPI=XXX;VCI=XXXX".
88 | Framed-Pool | Address pool name and address segment number, in the format "pool-name#segment-number". Applies to IP addresses that the router's local address pool assigns to PPP users.
90 | Tunnel-Client-Auth-ID | Local user name passed during tunnel authentication.
91 | Tunnel-Server-Auth-ID | Server-side user name passed during tunnel authentication.

A.1.2 Huawei RADIUS Attribute


No | Name | Description
26-1 | Input-Peak-Rate | Peak rate for uplink, in bit/s.
26-2 | Input-Average-Rate | Average rate for uplink, in bit/s.
26-3 | Input-Basic-Rate | Basic rate for uplink, in bit/s.
26-4 | Output-Peak-Rate | Peak rate for downlink, in bit/s.
26-5 | Output-Average-Rate | Average rate for downlink, in bit/s.
26-6 | Output-Basic-Rate | Basic rate for downlink, in bit/s.


No | Name | Description
26-7 | In-Kb-Before-T-Switch | Traffic received before the tariff switch, in Kbytes. If no tariff switch occurs within the real-time accounting period, this is the user traffic the router received during the whole period; otherwise it is the traffic received from the start of the period up to the tariff switch. Applies only to Portal-type RADIUS servers (RADIUS+1.1).
26-8 | Out-Kb-Before-T-Switch | Traffic sent before the tariff switch, in Kbytes, counted over the same interval as 26-7. Applies only to Portal-type RADIUS servers (RADIUS+1.1).
26-9 | In-Pkt-Before-T-Switch | Number of packets received before the tariff switch, counted over the same interval as 26-7. Applies only to Portal-type RADIUS servers (RADIUS+1.1).
26-10 | Out-Pkt-Before-T-Switch | Number of packets sent before the tariff switch, counted over the same interval as 26-7. Applies only to Portal-type RADIUS servers (RADIUS+1.1).


No | Name | Description
26-11 | In-Kb-After-T-Switch | Traffic received after the tariff switch, in Kbytes. If no tariff switch occurs within the real-time accounting period, this is the user traffic the router received during the whole period; otherwise it is the traffic received from the tariff switch to the end of the period. Applies only to Portal-type RADIUS servers (RADIUS+1.1).
26-12 | Out-Kb-After-T-Switch | Traffic sent after the tariff switch, in Kbytes, counted over the same interval as 26-11. Applies only to Portal-type RADIUS servers (RADIUS+1.1).
26-13 | In-Pkt-After-T-Switch | Number of packets received after the tariff switch, counted over the same interval as 26-11. Applies only to Portal-type RADIUS servers (RADIUS+1.1).
26-14 | Out-Pkt-After-T-Switch | Number of packets sent after the tariff switch, counted over the same interval as 26-11. Applies only to Portal-type RADIUS servers (RADIUS+1.1).
26-15 | Remnant-Volume | Remaining available traffic, in Kbytes.


No | Name | Description
26-16 | Tariff-Switch-Interval | Time between the latest tariff switch and the current time, in seconds. Applies only to Portal-type RADIUS servers (RADIUS+1.1).
26-20 | Command | Operation carried by session control packets: 1 session trigger request, 2 session interruption request, 3 set policy, 4 result. Applies only to Portal-type RADIUS servers (RADIUS+1.1).
26-22 | Priority | Priority of the user service; valid values are 1 to 9.
26-24 | Control-Identifier | Identifier of retransmitted packets. Retransmitted packets of the same session carry the same value, and a value received from the client side must be returned unchanged. The value is insignificant in start, real-time and stop accounting packets. Applies only to Portal-type RADIUS servers (RADIUS+1.1).
26-25 | Result-Code | Valid only when attribute 26-20 (Command) is 3 or 4. 0 indicates success; any other value indicates failure. Applies only to Portal-type RADIUS servers (RADIUS+1.1).
26-26 | Connect-ID | Index of the user connection. Applies only to Portal-type RADIUS servers (RADIUS+1.1).
26-27 | Portal-URL | URL of the forced portal for PPP users. Applies only to Portal-type RADIUS servers (RADIUS+1.1).
26-28 | Ftp-directory | Initial directory of FTP users.
26-29 | Exec-Privilege | Privilege level of operation users such as Telnet users; valid values are 0 to 3.
26-30 | Radius-Mp-VT-Number | Virtual template number used by MP users.
26-31 | VPN-instance | VPN instance name of VPN users.
26-32 | VT-number | Virtual template number of VPN users.


No | Name | Description
26-59 | Startup-stamp | Startup timestamp of the device, in absolute seconds since 00:00:00 on January 1, 1970.
26-60 | Ip-Host-Address | IP address and MAC address of the user carried in authentication and accounting packets, in the format "A.B.C.D HH:HH:HH:HH:HH:HH" (a space separates the two).
26-135 | Primary-DNS | Primary DNS server address delivered by the RADIUS server after the user is authenticated.
26-136 | Secondary-DNS | Secondary DNS server address delivered by the RADIUS server after the user is authenticated.
26-254 | Version | Software version of the device.
26-255 | Product-ID | Product name.
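The encodings that A.1.1 and A.1.2 describe in words (the type/length/value attribute layout, the NAS-Port bit packing, the 0xFFFFFFFE meaning of Framed-IP-Address, the Gigawords wrap counters and the 26-N Huawei sub-attributes inside Vendor-Specific) are easier to check in code. The following Python is an added example written for this page; it is not Huawei code and not part of this guide. It constructs a sample Accounting-Request, verifies its Request Authenticator against the shared secret as RFC 2866 specifies, and decodes the attributes. It assumes Huawei's IANA enterprise number 2011 as the Vendor-Specific vendor ID; the user name, addresses, counters and secret are sample data.

```python
"""Decode a RADIUS Accounting-Request using the attribute layouts given in A.1.1 and A.1.2.
Added example; the packet is constructed below, not a capture."""
import hashlib
import struct
from typing import Dict, List, Tuple

ACCOUNTING_REQUEST = 4
# IANA enterprise number assumed for Huawei Vendor-Specific attributes (check your dictionary).
HUAWEI_VENDOR_ID = 2011
STANDARD_ATTRS = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
                  8: "Framed-IP-Address", 26: "Vendor-Specific", 40: "Acct-Status-Type",
                  42: "Acct-Input-Octets", 44: "Acct-Session-Id", 52: "Acct-Input-Gigawords"}
HUAWEI_SUBATTRS = {22: "Priority", 29: "Exec-Privilege", 60: "Ip-Host-Address"}
INTEGER_ATTRS = {5, 6, 40, 42, 52}


def parse_tlvs(payload: bytes) -> List[Tuple[int, bytes]]:
    """Walk an attribute list: type(1) length(1, header included) value.
    A length below 2, or one running past the buffer, is rejected rather than
    skipped, so a crafted packet cannot desynchronise the parser."""
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        out.append((atype, payload[i + 2:i + alen]))
        i += alen
    return out


def decode_nas_port(value: int) -> Dict[str, int]:
    """NAS-Port packing from A.1.1: 4-bit slot, 2-bit card, 5-bit port, 21-bit VLAN ID."""
    return {"slot": value >> 28, "card": (value >> 26) & 0x3,
            "port": (value >> 21) & 0x1F, "vlan": value & 0x1FFFFF}


def total_input_octets(octets: int, gigawords: int) -> int:
    """Acct-Input-Gigawords counts 2^32 wraps of the 32-bit Acct-Input-Octets counter."""
    return gigawords * 2 ** 32 + octets


def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """RFC 2866: the Accounting-Request authenticator is
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    digest = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return digest == packet[4:20]


def decode_accounting_request(packet: bytes, secret: bytes) -> Dict[str, object]:
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    if not verify_request_authenticator(packet, secret):
        raise ValueError("authenticator mismatch: wrong shared secret or altered packet")
    result: Dict[str, object] = {"identifier": ident}
    for atype, value in parse_tlvs(packet[20:]):
        name = STANDARD_ATTRS.get(atype, f"Attr-{atype}")
        if atype == 26 and len(value) >= 4 and struct.unpack("!I", value[:4])[0] == HUAWEI_VENDOR_ID:
            for sub, subval in parse_tlvs(value[4:]):  # vendor TLVs reuse the type/length/value layout
                subname = HUAWEI_SUBATTRS.get(sub, f"Huawei-26-{sub}")
                result[subname] = struct.unpack("!I", subval)[0] if len(subval) == 4 else subval.decode()
        elif atype == 26:
            result[name] = value.hex()  # vendor not known here: keep the raw bytes
        elif atype == 8 and value == b"\xff\xff\xff\xfe":
            result[name] = "assigned-by-router"  # A.1.1: 0xFFFFFFFE means the router assigns the address
        elif atype in (4, 8):
            result[name] = ".".join(str(b) for b in value)
        elif atype in INTEGER_ATTRS:
            result[name] = struct.unpack("!I", value)[0]
        else:
            result[name] = value.decode()
    if "NAS-Port" in result:
        result["NAS-Port-decoded"] = decode_nas_port(result["NAS-Port"])
    if "Acct-Input-Octets" in result:
        result["input-bytes-total"] = total_input_octets(result["Acct-Input-Octets"],
                                                         result.get("Acct-Input-Gigawords", 0))
    return result


def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def build_sample_packet(secret: bytes) -> bytes:
    """Constructed real-time Accounting-Request for slot 1, card 0, port 3, VLAN 100 (sample data)."""
    nas_port = (1 << 28) | (0 << 26) | (3 << 21) | 100
    huawei = (struct.pack("!I", HUAWEI_VENDOR_ID) + _attr(22, struct.pack("!I", 5))
              + _attr(60, b"10.0.0.7 00:11:22:33:44:55"))
    attrs = (_attr(1, b"user1@isp") + _attr(4, bytes([10, 1, 1, 1])) + _attr(5, struct.pack("!I", nas_port))
             + _attr(6, struct.pack("!I", 2)) + _attr(8, b"\xff\xff\xff\xfe") + _attr(40, struct.pack("!I", 3))
             + _attr(42, struct.pack("!I", 123456)) + _attr(52, struct.pack("!I", 2))
             + _attr(44, b"000000A1") + _attr(26, huawei))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, 7, 20 + len(attrs))
    return header + hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest() + attrs


if __name__ == "__main__":
    SECRET = b"s3cret"
    for k, v in decode_accounting_request(build_sample_packet(SECRET), SECRET).items():
        print(f"{k:22} {v}")
```

The authenticator check only proves that the sender knows the shared secret; Access-Request packets have no equivalent protection unless Message-Authenticator is used, so the length checks in parse_tlvs must run before any attribute value is trusted regardless of packet type.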

A.2 HWTACACS Attribute


This section lists the HWTACACS attributes.

Name | Description
Acl | ACL applied to the connection; used only when service=shell and cmd=NULL.
Idletime | Idle timeout of the connection, in minutes. 0 means no timeout.
Autocmd | Command that runs automatically; used only when service=shell and cmd=NULL.
Priv-lvl | Assigned privilege level, 0 to 3.
Ftpdir | Initial directory of FTP users.
Callback-line | Information from the server that can be displayed to the user, such as a mobile phone number.
Nocallback-verify | No verification is required after callback.
Nohangup | The connection is not cut after the automatically run command; used only when service=shell and cmd=NULL.
Addr | Network address.


Name | Description
Addr-pool | Address pool from which the NAS must assign addresses.
Dns-servers | DNS server.
Tunnel-type | Type of the tunnel.
Ip-addresses | IP addresses of LNSs; up to five addresses, separated by ',' or ';'.
Tunnel-id | Tunnel ID.
L2tp-hello-interval | Interval of L2TP hello messages.
L2tp-hidden-avp | Hidden attribute value pairs (AVPs) of L2TP.
L2tp-nosession-timeout | Time after which an L2TP tunnel with no session is torn down.
L2tp-tos-reflect | TOS value of L2TP.
L2tp-tunnel-authen | Whether L2TP tunnel authentication is performed.
Gw-password | Password of the gateway.
L2tp-udp-checksum | Checksum of L2TP UDP packets.
Source-ip | Source IP address.
L2tp-group-num | L2TP group number.
Upaverage | Average rate for uplink, in bit/s.
Uppeak | Peak rate for uplink, in bit/s.
Dnaverage | Average rate for downlink, in bit/s.
Dnpeak | Peak rate for downlink, in bit/s.
Task_id | ID of the task.
Timezone | Time zone.
Service | Primary service being authorized or accounted: "slip", "ppp", "arap", "shell", "ttydaemon", "connection", "system" or "firewall".
Protocol | Protocol, a subset of a service: "lcp", "ip", "ipx", "atalk", "vines", "lat", "xremote", "tn3270", "telnet", "rlogin", "pad", "vpdn", "ftp", "http", "deccp", "osicp" or "unknown".
Mlp_links_max | Maximum number of MP member links.
Mlp_links_current | Current number of MP member links.
Disc_cause | Cause of logout.
Disc_cause_ext | Extended cause of logout.
Elapsed_time | Online duration of the user.


Name | Description
Nas_rx_speed | Output speed of the NAS.
Nas_tx_speed | Input speed of the NAS.
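The HWTACACS attributes listed above arrive as TACACS+ authorization argument strings, where attr=value is mandatory and attr*value is optional, and whether the server's pairs are merged with or replace the pairs the client requested depends on the reply status. The Python below is an added example written for this page, not Huawei or TACACS+ server code. The reply body layout and status codes follow RFC 8907 section 6.2; the value ranges (priv-lvl 0 to 3, idletime 0 meaning no timeout) are taken from the table above. The packet header and body obfuscation are out of scope, so the reply body is constructed in cleartext, and the attribute values are sample data.

```python
"""Parse a TACACS+ authorization REPLY body and apply its attribute-value pairs
to a shell session. Added example; the reply body is constructed, not captured."""
import struct
from typing import Dict, List, Tuple

# Authorization REPLY status codes (RFC 8907, section 6.2).
AUTHOR_STATUS_PASS_ADD, AUTHOR_STATUS_PASS_REPL, AUTHOR_STATUS_FAIL = 0x01, 0x02, 0x10

# Server-side pairs for a shell login, constructed for this example.
SAMPLE_SERVER_ARGS = ["priv-lvl=3", "idletime*10", "acl=2001", "autocmd=display current-configuration"]


def parse_av_pair(arg: str) -> Tuple[str, str, bool]:
    """'attr=value' is mandatory, 'attr*value' is optional. The first separator wins,
    so a value may itself contain '=' or '*' (an autocmd, for instance)."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i].lower(), arg[i + 1:], ch == "="
    raise ValueError(f"argument without separator: {arg!r}")


def build_author_reply(status: int, args: List[str], server_msg: str = "") -> bytes:
    """Encode a cleartext REPLY body: status(1) arg_cnt(1) server_msg_len(2) data_len(2)
    arg_len[arg_cnt] server_msg data args..."""
    enc = [a.encode() for a in args]
    msg = server_msg.encode()
    head = struct.pack("!BBHH", status, len(enc), len(msg), 0) + bytes(len(a) for a in enc)
    return head + msg + b"".join(enc)


def parse_author_reply(body: bytes) -> Tuple[int, str, List[str]]:
    """Decode a REPLY body, rejecting any length field that disagrees with the buffer
    so that a truncated or padded reply is not silently accepted."""
    if len(body) < 6:
        raise ValueError("short body")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    pos = 6
    lens = list(body[pos:pos + arg_cnt])
    if len(lens) != arg_cnt:
        raise ValueError("truncated arg_len table")
    pos += arg_cnt
    server_msg = body[pos:pos + msg_len].decode()
    pos += msg_len + data_len
    args = []
    for n in lens:
        chunk = body[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("truncated argument")
        args.append(chunk.decode())
        pos += n
    if pos != len(body):
        raise ValueError("trailing bytes after arguments")
    return status, server_msg, args


def apply_authorization(requested: List[str], status: int, server_args: List[str]) -> Dict[str, str]:
    """PASS_ADD: the server's pairs are added to the client's (the server wins on a clash).
    PASS_REPL: the server's pairs replace the client's entirely. Any other status grants nothing."""
    if status == AUTHOR_STATUS_PASS_ADD:
        base = list(requested)
    elif status == AUTHOR_STATUS_PASS_REPL:
        base = []
    else:
        return {}
    merged: Dict[str, str] = {}
    for arg in base + server_args:
        name, value, _mandatory = parse_av_pair(arg)
        merged[name] = value
    return merged


def shell_settings(attrs: Dict[str, str]) -> Dict[str, object]:
    """Interpret the A.2 attributes a shell session uses, with the ranges the table gives."""
    lvl = int(attrs.get("priv-lvl", "0"))
    if not 0 <= lvl <= 3:
        raise ValueError(f"priv-lvl {lvl} is outside the 0..3 range the table allows")
    idle = int(attrs.get("idletime", "0"))
    return {"priv-lvl": lvl,
            "idle-timeout-min": None if idle == 0 else idle,  # A.2: 0 means no idle timeout
            "acl": attrs.get("acl"),
            "autocmd": attrs.get("autocmd"),
            "nohangup": attrs.get("nohangup", "false").lower() == "true",
            "ftpdir": attrs.get("ftpdir")}


if __name__ == "__main__":
    status, msg, args = parse_author_reply(build_author_reply(AUTHOR_STATUS_PASS_ADD, SAMPLE_SERVER_ARGS))
    print(shell_settings(apply_authorization(["service=shell", "cmd="], status, args)))
```

The PASS_ADD case is the one worth testing on a real deployment: a client that sends its own priv-lvl must see the server's value override it, otherwise a user could request a level the server never granted.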


B Glossary

This appendix collates frequently used terms in this document.

A
AAA: Authentication, Authorization and Accounting

N
NAS: Network Access Server

R
RADIUS: Remote Authentication Dial In User Service


C Acronyms and Abbreviations

This appendix collates frequently used acronyms and abbreviations in this document.

A
AAA   Authentication, Authorization and Accounting
ACK   Acknowledgement
ACL   Access Control List
ARP   Address Resolution Protocol

B
BGP   Border Gateway Protocol
BW    Bandwidth

C
CAMS  Comprehensive Access Management Server
CAR   Committed Access Rate
CBS   Committed Burst Size
CC    Content of Communication
CID   Channel Identifier
CIR   Committed Information Rate
CPOS  Channelized POS
CPU   Central Processing Unit
CRC   Cyclic Redundancy Check

D
DHCP  Dynamic Host Configuration Protocol


DNS   Domain Name System
DoS   Denial of Service

F
FE    Fast Ethernet
FTP   File Transfer Protocol

G
GE    Gigabit Ethernet
GTSM  Generalized TTL Security Mechanism

H
HDLC  High-level Data Link Control
HWTACACS  HuaWei Terminal Access Controller Access Control System

I
ICMP  Internet Control Message Protocol
ID    Identification
IP    Internet Protocol
IPTV  Internet Protocol Television
IRI   Intercept Related Information
ISP   Internet Service Provider

L
LEA   Law Enforcement Agency
LIG   Lawful Interception Gateway
LPU   Line Processing Unit

M
MAC   Medium Access Control

N
NAK   Negative Acknowledgement
NAS   Network Access Server
NBNS  NetBIOS Name Service
NetBIOS  Network Basic Input/Output System


P
POS   Packet over SDH/SONET
PPP   Point-to-Point Protocol

R
RADIUS  Remote Authentication Dial In User Service
RFC   Request for Comments

S
SNMP  Simple Network Management Protocol
SR    Service Router
SSH   Secure Shell

T
TACACS  Terminal Access Controller Access Control System
TCP   Transmission Control Protocol
TTL   Time to Live

U
UDP   User Datagram Protocol
URPF  Unicast Reverse Path Forwarding

V
VLAN  Virtual Local Area Network
VPDN  Virtual Private Dial Network
VPN   Virtual Private Network
VTY   Virtual Type Terminal


Index

Symbols/Numerics
, 1-1, 1-2, 1-3, 1-8, 1-9, 1-16, 1-18, 1-26, 1-28, 1-34, 1-35, 1-36, 3-9, 3-10, 3-12, 3-16, 3-17, 4-1, 4-3, 4-5, 4-7, 4-9, 4-10, 4-15, 4-16, 4-21, 4-22, 4-24, 4-24, 4-26, 4-27, 4-32, 4-33, 4-38, 4-39, 4-40, 4-40, 4-43, 4-43, 4-44, 5-1, 5-2, 5-4, A-1
(Optional) Configuring the Authorization Scheme, 1-11
(Optional) Configuring the HWTACACS Server Template, 1-22
(Optional) Configuring the Recording Scheme, 1-14
(Optional) Configuring the Source IP Address of the HWTACACS Server, 1-24

A
a client is connected to multiple ISPs, 5-3
AAA and User Management Supported by the NE80E/40E, 1-3
Accounting, 1-2
address pool, 1-15
Allocating IP Addresses to Users, 1-15
Applying the Attack Defense Policy, 6-9, 6-12, 6-17
Applying the Traffic Policy, 7-10
Applying the traffic policy, 5-6
ARP Bidirectional Isolation, 3-3
ARP middleman attacks, 4-3
ARP Security Supported by the NE80E/40E, 3-2
ARP VLAN CAR, 3-4
Authentication, 1-2
Authorization, 1-2

B
binding table for DHCP snooping, 4-3
bogus DHCP server attacks, 4-3

C
Checking the Destination IP Addresses of ARP Packets, 3-7
Clearing Statistics About ARP Packets, 3-16
Clearing the Statistics, 1-35
Clearing the Statistics on Local Attack Defense, 6-17
configuration
    delete dynamic MAC entries, 2-12
    Local Attack Defense, 6-6
    MAC address learning limit, 2-4
    unknown traffic suppression, 2-15
configure ARP bidirectional isolation, filter ARP packets and ARP VLAN CAR, 3-12
Configuring AAA Schemes, 1-8
Configuring Alarms for Packet Discarding, 4-40
Configuring Alarms for Packet Discarding Globally, 4-41
Configuring Alarms for Packet Discarding on a VLAN, 4-42
Configuring Alarms for Packet Discarding on an Interface, 4-41
Configuring ARP Bidirectional Isolation, Filter ARP Packets and ARP VLAN CAR, 3-12
Configuring ARP VLAN CAR, 3-14
Configuring CAR, 6-12
Configuring Defense on the Device Against Attacks by Sending DHCP Request Messages, 4-38
Configuring Defense on the Layer 2 Device Against Attacks by Bogus DHCP Server, 4-5
Configuring Defense on the Layer 2 Device Against Attacks by Changing CHADDRs, 4-22
Configuring Defense on the Layer 2 Device Against Attacks by IP/MAC Spoofing, 4-10
Configuring Defense on the Layer 2 Device Against Attacks by Sending Bogus Messages for Extending IP Leases, 4-27
Configuring Defense on the Layer 3 Device Against Attacks by Bogus DHCP Server, 4-7
Configuring Defense on the Layer 3 Device Against Attacks by Changing CHADDRs, 4-24
Configuring Defense on the Layer 3 Device Against Attacks by IP/MAC Spoofing, 4-16
Configuring Defense on the Layer 3 Device Against Attacks by Sending Bogus Messages for Extending IP Leases, 4-33
Configuring Domains, 1-27
Configuring Flow-based URPF, 5-5
Configuring Global Strict ARP Entry Learning, 3-5
Configuring Interface-based ARP Entry Restriction, 3-8
Configuring Interface-based URPF, 5-4
Configuring Local User Management, 1-3
Configuring Local User Status, 1-6
Configuring MAC Address Learning Limit, 2-4
Configuring Option 82, 4-14, 4-20, 4-31, 4-37
Configuring Port Mirroring, 7-5
Configuring Queue Scheduling for the Packets to Be Sent to the CPU, 6-14
Configuring Server Templates, 1-18
Configuring Speed Limit for ARP Miss Packets, 3-11
Configuring Speed Limit for ARP Packets, 3-7
Configuring Strict ARP Entry Learning on Interfaces, 3-6
Configuring the Accounting Scheme, 1-13
Configuring the Address-related Attributes of the Domain, 1-31
Configuring the Authentication Scheme, 1-10
Configuring the Authentication, Authorization and Accounting Schemes of the Domain, 1-29
Configuring the DHCP Snooping Binding Table, 4-12, 4-18, 4-29, 4-35
Configuring the Domain State, 1-32
Configuring the HWTACACS accounting server, 1-23
Configuring the HWTACACS authentication server, 1-23
Configuring the HWTACACS authorization server, 1-23
Configuring the HWTACACS Server Template, 1-30
Configuring the Idle-Cut Function for a Local User, 1-34
Configuring the Idle-Cut Parameters for a Domain, 1-33
Configuring the IP Address of the X3 Interface, 8-8
Configuring the Local User Authority of Accessing the FTP Directory, 1-5
Configuring the Local User Level, 1-6
Configuring the Maximum of Access Users Allowed by the Domain, 1-32
Configuring the NAS port of the RADIUS server, 1-22
Configuring the Observing Port, 7-7
Configuring the Observing Port to Observe All the Mirroring Ports on an LPU, 7-5, 7-8
Configuring the protocol version of the RADIUS server, 1-20
Configuring the RADIUS accounting function, 1-20
Configuring the RADIUS authentication server, 1-19
Configuring the RADIUS Server Template, 1-19, 1-30
Configuring the retransmission parameters of the RADIUS server, 1-21
Configuring the Rules for Filtering the Packets to Be Sent to the CPU, 6-6
Configuring the Rules for Sending the Packets to the CPU, 6-11
Configuring the Rules of MAC Address Learning Limit Based on a Port, 2-7
Configuring the Rules of MAC Address Learning Limit Based on a Port in a VLAN, 2-8
Configuring the Rules of MAC Address Learning Limit Based on a QinQ Sub-interface, 2-10
Configuring the Rules of MAC Address Learning Limit Based on a Sub-interface, 2-9
Configuring the Rules of MAC Address Learning Limit Based on a VLAN, 2-5
Configuring the Rules of MAC Address Learning Limit Based on a VSI, 2-5
Configuring the Rules of MAC Address Learning Limit Based on an SI, 2-6
Configuring the shared key of the HWTACACS server, 1-24
Configuring the shared key of the RADIUS server, 1-20
Configuring the timer of the HWTACACS server, 1-26
Configuring the traffic unit of the HWTACACS server, 1-25
Configuring the traffic unit of the RADIUS server, 1-21
Configuring the Type of the Service That the Local User Accesses, 1-4
Configuring the user name format of the HWTACACS server, 1-25
Configuring the user name format of the RADIUS server, 1-21
Configuring the User-Defined Flow, 6-8
Configuring the X3 Interface, 8-8
Configuring traffic behaviors and enable URPF, 5-6
Configuring Trusted/Untrusted Interfaces, 4-6
Configuring Unknown Traffic Suppression, 2-14
Configuring Unknown Traffic Suppression Based on a Port, 2-15
Configuring Unknown Traffic Suppression Based on a Port in a VLAN, 2-19
Configuring Unknown Traffic Suppression Based on a QinQ Sub-interface, 2-18
Configuring Unknown Traffic Suppression Based on a Sub-interface, 2-16
Configuring URPF, 5-4
confirms whether the interface corresponding to the source address matches the outbound interface in the forwarding table, 5-2
Creating a Domain, 1-29
Creating a Local User Account, 1-4
Creating the Attack Defense Policy, 6-7, 6-11, 6-15
Creating the HWTACACS server template, 1-22
Creating the RADIUS server template, 1-19
Creating the User-Defined Blacklist, 6-8
Creating the User-Defined Whitelist, 6-7
Cutting Off Online Users Forcibly, 1-7

D
Debugging AAA and User Management, 1-35
Debugging ARP Packets, 3-17
Debugging DHCP Snooping, 4-43
Defining a Traffic Class, 7-8
Issue 03 (2008-09-22)

i-2

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

Quidway NetEngine80E/40E Core Router Configuration Guide - Security

Index

Defining a traffic class, 5-5 Defining a traffic policy and associating the traffic class with the traffic behavior, 5-6 Defining the Traffic Policy and Associating the Traffic Class with the Traffic Behavior, 7-10 Deleting Dynamic MAC Entries, 2-12 Deleting the Dynamic MAC Entries Based on a Port, 2-13 Deleting the Dynamic MAC Entries Based on a Port in a VLAN, 2-14 Deleting the Dynamic MAC Entries Based on a Port in a VSI, 2-14 Deleting the Dynamic MAC Entries Based on a VLAN, 2-13 Deleting the Dynamic MAC Entries Based on a VSI, 2-13 DHCP Snooping Supported by the NE80E/40E, 4-4 Displaying Statistics About ARP Packets, 3-16

Example for Preventing the Attacker from Changing CHADDR, 4-49 Example for Preventing the Attacker from Sending Bogus Messages for Extending Lease, 4-51 Example for Preventing the Bogus DHCP Server Attack, 4-44 Example for Preventing the Middleman and IP/MAC Spoofing Attacks, 4-47

F
Filtering ARP Packets, 3-13 Filtering out ARP Packet, 3-4 filters untrusted DHCP messages, 4-3 four kinds of accounting modes, 1-2 four kinds of authentication modes, 1-2

H
Huawei RADIUS Attribute, A-5 HuaWei Terminal Access Controller Access Control System (HWTACACS), 1-2 HWTACACS Attribute, A-9

E
Enabling Alarm Functions for Potential Attack Behaviors, 3-9, 3-11 Enabling ARP and DHCP Association, 4-20, 4-36 Enabling ARP Bidirectional Isolation, 3-13 Enabling Checking CHADDRs in Packets, 4-23 Enabling Checking CHADDRs of Packets, 4-26 Enabling Checking DHCP Request Messages, 4-29, 4-34 Enabling Checking Packets, 4-12 Enabling DHCP Snooping, 4-5, 4-11, 4-23, 4-28, 4-39 Enabling DHCP Snooping on the DHCP Relay, 4-8, 4-17, 4-25, 4-33 Enabling Lawful Interception, 8-9 Enabling Packet Check on the Interface, 4-18 Example for Configuring ARP Bidirectional Isolation, ARP filter packets and VLAN CAR, 3-22 Example for Configuring DHCP Snooping on a Layer 2 Device, 4-54 Example for Configuring DHCP Snooping on a Layer 3 Interface, 4-59 Example for Configuring Lawful Interception, 8-10 Example for Configuring Local Attack Defense, 6-18 Example for Configuring MAC Address Learning Limit, 2-20 Example for Configuring Port Mirroring, 7-12 Example for Configuring the Local Authentication and HWTACACS Authentication, Authorization and Realtime Accounting, 1-39 Example for Configuring the RADIUS Authentication and Accounting, 1-36 Example for Configuring Unknown Traffic Suppression Based on a Port in a VLAN, 2-22 Example for Configuring URPF, 5-7 Example for Preventing Attacks on ARP Entries, 3-17 Example for Preventing Attacks on ARP Entries and Scanning Attacks, 3-20

I
Interface-based ARP Entry Restriction, 3-3 Introduction ARP Security, 3-2 introduction implementation of local attack defense, 6-2 Local Attack Defense, 6-2 process of Local Attack Defense, 6-4 Introduction to AAA and User Management, 1-2 Introduction to DHCP Snooping, 4-3 Introduction to URPF, 5-2 IP/MAC spoofing attacks, 4-3

L
l2 limit Configuration Examples, 2-20 L2 Limit Features Supported by the NE80E/40E, 2-2 lawful interception configuration, 8-7 interface, 8-3 process, 8-5 scenario, 8-2 Lawful Interception Supported by the NE80E/40E, 8-4 Local Attack Defense Features Supported by the NE80E/40E, 6-5 local user in the active or block state, 1-6

M
MAC limit supported by the router, 2-2 Managing users basing on domains, 1-2
i-3

Issue 03 (2008-09-22)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

Index

Quidway NetEngine80E/40E Core Router Configuration Guide - Security

Managing users by user accounts, 1-2 Mirroring Configuration Example for Configuring Flow Mirroring, 7-15 flow mirroring configuration, 7-6 port mirroring configuration, 7-3 Mirroring Supported by the NE80E/40E, 7-3 Multi-homed client, 5-3

the types of attacks and the corresponding working modes of DHCP snooping, 4-4 three kinds of authentication modes, 1-2 Timestamp-based Scanning-Proof, 3-3

U
URPF Supported by the NE80E/40E, 5-4 used on both Layer 2 and Layer 3 devices, 4-3

O
overview MAC address learning limit, 2-2 unknown traffic suppression, 2-2 Overview of L2 Limit, 2-2 Overview of Lawful Interception, 8-2 Overview of Mirroring, 7-2

P
Preventing Attacks on ARP Entries, 3-4, 3-5 Preventing Network Scanning Attacks, 3-3 Preventing Scanning Attacks, 3-10 preventing source address spoofing attacks across the network, 5-2 prevents DHCP Denial of Service (DOS) attacks, 4-3

R
RADIUS Attribute, A-2 Remote Authentication Dial In User Service (RADIUS), 1-2 Resetting DHCP Snooping Binding Table, 4-43

S
Server/Client model, 1-2 Setting the Maximum Number of Access Users with the Same User Name, 1-7 Setting the Priority for Queue Scheduling, 6-15 Setting the Processing Priority, 6-8 Setting the Rate Threshold for Packet Discarding, 6-16 Setting the Total Rate of Sending the Packets to the CPU, 6-15 Setting the Traffic Behavior and Enabling Flow Mirroring, 7-9 Setting Trusted or Untrusted Interfaces, 4-9 Single-homed client, 5-2 Specifying the Observing Port, 7-4 Specifying the SPUC Board for Lawful Interception, 8-8 Standard RADIUS Attribute, A-2

T
The domain to which a user belongs depends on the character string that follows the "@" of a user name, 1-2

i-4

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

Issue 03 (2008-09-22)

Potrebbero piacerti anche