
Huawei AR150&200&1200&2200&3200 Series

Enterprise Routers
V200R003C01

Configuration Guide - Security

Issue 04
Date 2014-01-16

HUAWEI TECHNOLOGIES CO., LTD.


Copyright Huawei Technologies Co., Ltd. 2013. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://enterprise.huawei.com

Issue 04 (2014-01-16) Huawei Proprietary and Confidential i


Copyright Huawei Technologies Co., Ltd.
Huawei AR150&200&1200&2200&3200 Series Enterprise
Routers
Configuration Guide - Security About This Document

About This Document

Intended Audience

This document describes the concepts and configuration procedures of security features on the
AR150&200&1200&2200&3200 and provides configuration examples to guide you through
configuring these features.

This document is intended for:

- Data configuration engineers
- Commissioning engineers
- Network monitoring engineers
- System maintenance engineers

Symbol Conventions

The symbols that may be found in this document are defined as follows.

Symbol Description

DANGER Indicates an imminently hazardous situation which, if not avoided, will result in death or
serious injury.

WARNING Indicates a potentially hazardous situation which, if not avoided, could result in death or
serious injury.

CAUTION Indicates a potentially hazardous situation which, if not avoided, may result in minor or
moderate injury.

NOTICE Indicates a potentially hazardous situation which, if not avoided, could result in equipment
damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address
practices not related to personal injury.

NOTE Calls attention to important information, best practices and tips. NOTE is used to address
information not related to personal injury, equipment damage, and environment deterioration.

Command Conventions

The command conventions that may be found in this document are defined as follows.

Convention Description

Boldface The keywords of a command line are in boldface.

Italic Command arguments are in italics.

[ ] Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... } Alternative items are grouped in braces and separated by vertical bars. Exactly one
item must be selected.

[ x | y | ... ] Optional alternative items are grouped in brackets and separated by vertical bars. One
item or no item is selected.

{ x | y | ... }* Alternative items are grouped in braces and separated by vertical bars, followed by an
asterisk. At least one item, and at most all items, can be selected.

[ x | y | ... ]* Optional alternative items are grouped in brackets and separated by vertical bars,
followed by an asterisk. Any number of items, including none, can be selected.

&<1-n> The parameter before the & sign can be repeated 1 to n times.

# A line starting with the # sign is a comment.

Interface Numbering Conventions

Interface numbers used in this manual are examples. In device configuration, use the interface
numbers that actually exist on your device.


Change History

Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.

Changes in Issue 04 (2014-01-16)

This version has the following updates:

The following information is modified:

- 2 NAC Configuration (for wired users)

Changes in Issue 03 (2013-04-15)

This version has the following updates:

The following information is modified:

- 2 NAC Configuration (for wired users)

The following information is added:

- 3 NAC Configuration (for wireless users)

Changes in Issue 02 (2013-03-10)

This version has the following updates:

The following information is modified:

- 13.6.2.1 Creating a PKI Domain

Changes in Issue 01 (2013-01-31)

Initial commercial release.


Contents

About This Document.....................................................................................................................ii


1 AAA Configuration.......................................................................................................................1
1.1 Overview........................................................................................................................................................................2
1.2 Principles........................................................................................................................................................................2
1.2.1 Concepts......................................................................................................................................................................2
1.2.2 RADIUS Protocol........................................................................................................................................................4
1.2.2.1 RADIUS Protocol Overview....................................................................................................................................4
1.2.2.2 RADIUS Packet Overview.......................................................................................................................................5
1.2.2.3 RADIUS Interaction Process....................................................................................................................................8
1.2.2.4 RADIUS Attributes................................................................................................................................................11
1.2.3 HWTACACS Protocol..............................................................................................................................................23
1.2.3.1 HWTACACS Protocol Overview..........................................................................................................................23
1.2.3.2 HWTACACS Packet Overview.............................................................................................................................24
1.2.3.3 HWTACACS Interaction Process..........................................................................................................................32
1.2.3.4 HWTACACS Attributes.........................................................................................................................................34
1.2.4 Domain-based User Management.............................................................................................................................40
1.3 Use Scenario.................................................................................................................................................................41
1.4 AAA Configuration Tasks............................................................................................................................................43
1.5 Configuring AAA.........................................................................................................................................................44
1.5.1 Configuring Local Authentication and Authorization...............................................................................................44
1.5.1.1 Configuring AAA Schemes....................................................................................................................................45
1.5.1.2 Configuring a Local User.......................................................................................................................................46
1.5.1.3 (Optional) Configuring a Service Scheme..............................................................................................................48
1.5.1.4 Configuring a Domain............................................................................................................................................50
1.5.1.5 Checking the Configuration....................................................................................................................................52
1.5.2 Configuring RADIUS AAA......................................................................................................................................52
1.5.2.1 Configuring AAA Schemes....................................................................................................................................53
1.5.2.2 Configuring a RADIUS Server Template..............................................................................................................55
1.5.2.3 (Optional) Configuring a Service Scheme..............................................................................................................57
1.5.2.4 Configuring a Domain............................................................................................................................................59
1.5.2.5 Checking the Configuration....................................................................................................................................61
1.5.3 Configuring HWTACACS AAA...............................................................................................................................61


1.5.3.1 Configuring AAA Schemes....................................................................................................................................62


1.5.3.2 Configuring an HWTACACS Server Template.....................................................................................................65
1.5.3.3 (Optional) Configuring a Service Scheme..............................................................................................................68
1.5.3.4 Configuring a Domain............................................................................................................................................70
1.5.3.5 Checking the Configuration....................................................................................................................................72
1.6 Maintaining AAA.........................................................................................................................................................72
1.6.1 Clearing AAA Statistics............................................................................................................................................72
1.6.2 Clearing AAA Configuration....................................................................................................................................73
1.7 Configuration Examples...............................................................................................................................................74
1.7.1 Example for Configuring RADIUS Authentication and Accounting........................................................................74
1.7.2 Example for Configuring HWTACACS Authentication, Accounting, and Authorization.......................................77
1.7.3 Example for Configuring Domain-based User Management....................................................................................81
1.8 FAQ..............................................................................................................................................................................86
1.8.1 Why Does RADIUS Authentication Fail When the RADIUS Server Template and RADIUS Server Are Properly Configured?..........86
1.8.2 Why Does the Server Checking Error Occur During RADIUS Dynamic Authentication?......................................86
1.8.3 Why Does HWTACACS Authentication Fail When the HWTACACS Server Template and HWTACACS Server Are Properly Configured?..........86
1.8.4 Why Are Accounting Packets Received When Commands Are Run on Devices?...................................................87
1.8.5 Why Are the 802.1x Users' IP Addresses Not Displayed After I Run the Display Access-User Command?..........87
1.9 References....................................................................................................................................................................87

2 NAC Configuration (for wired users)......................................................................................88


2.1 Overview......................................................................................................................................................................89
2.2 Principles......................................................................................................................................................................90
2.2.1 802.1x Authentication...............................................................................................................................................90
2.2.2 MAC Address Authentication...................................................................................................................................97
2.2.3 Portal Authentication.................................................................................................................................................97
2.3 Applications................................................................................................................................................................101
2.3.1 802.1x Authentication.............................................................................................................................................101
2.3.2 MAC Address Authentication.................................................................................................................................102
2.3.3 Portal Authentication...............................................................................................................................................102
2.4 Default Configuration.................................................................................................................................................103
2.5 Configuring NAC.......................................................................................................................................................104
2.5.1 Configuring 802.1x Authentication.........................................................................................................................104
2.5.1.1 Enabling 802.1x Authentication...........................................................................................................................105
2.5.1.2 (Optional) Configuring the Authorization State of an Interface...........................................................................106
2.5.1.3 (Optional) Configuring the Access Control Mode of an Interface.......................................................................107
2.5.1.4 (Optional) Setting the User Authentication Mode................................................................................................107
2.5.1.5 (Optional) Enabling MAC Address Bypass Authentication.................................................................................108
2.5.1.6 (Optional) Setting the Maximum Number of Concurrent Access Users for 802.1x Authentication on an Interface..........110
2.5.1.7 (Optional) Configuring Timers for 802.1x Authentication..................................................................................111


2.5.1.8 (Optional) Configuring the Quiet Function in 802.1x Authentication.................................................................112


2.5.1.9 (Optional) Configuring Re-authentication for 802.1x Authentication Users.......................................................112
2.5.1.10 (Optional) Configuring the Handshake Function for 802.1x Online Users.......................................................114
2.5.1.11 (Optional) Configuring the Guest VLAN Function...........................................................................................114
2.5.1.12 (Optional) Configuring the Restrict VLAN Function........................................................................................115
2.5.1.13 (Optional) Configuring 802.1x Authentication Triggered by a DHCP Packet..................................................116
2.5.1.14 (Optional) Configuring the User Group Function..............................................................................................117
2.5.1.15 Checking the Configuration................................................................................................................................118
2.5.2 Configuring MAC Address Authentication.............................................................................................................118
2.5.2.1 Enabling MAC Address Authentication...............................................................................................................119
2.5.2.2 (Optional) Configuring the User Authentication Domain....................................................................................120
2.5.2.3 (Optional) Setting the Maximum Number of Access Users for MAC Address Authentication on an Interface..........121
2.5.2.4 (Optional) Configuring Timers of MAC Address Authentication.......................................................................121
2.5.2.5 (Optional) Configuring Re-authentication for MAC Address Authentication Users...........................................122
2.5.2.6 (Optional) Configuring the Guest VLAN Function.............................................................................................124
2.5.2.7 (Optional) Configuring the User Group Function................................................................................................125
2.5.2.8 Checking the Configuration..................................................................................................................................126
2.5.3 Configuring Portal Authentication..........................................................................................................................126
2.5.3.1 Configuring Portal Server Parameters..................................................................................................................127
2.5.3.2 Enabling Portal Authentication............................................................................................................................128
2.5.3.3 (Optional) Configuring Parameters for Information Exchange with the Portal server........................................129
2.5.3.4 (Optional) Setting Access Control Parameters for Portal Authentication Users..................................................131
2.5.3.5 (Optional) Setting the Offline Detection Interval for Portal Authentication Users..............................................132
2.5.3.6 (Optional) Configuring the Detection and Keepalive Function for Portal Authentication..................................133
2.5.3.7 (Optional) Configuring User Information Synchronization.................................................................................133
2.5.3.8 (Optional) Configuring the User Group Function................................................................................................134
2.5.3.9 Checking the Configuration..................................................................................................................................135
2.6 Maintaining NAC.......................................................................................................................................................135
2.6.1 Clearing 802.1x Authentication Statistics...............................................................................................................136
2.6.2 Clearing MAC Address Authentication Statistics...................................................................................................136
2.7 Configuration Examples.............................................................................................................................................136
2.7.1 Example for Configuring 802.1x Authentication....................................................................................................136
2.7.2 Example for Configuring MAC Address Authentication........................................................................................140
2.7.3 Example for Configuring Built-in Portal Authentication........................................................................................143
2.7.4 Example for Configuring External Portal Authentication.......................................................................................147
2.8 References..................................................................................................................................................................151

3 NAC Configuration(for wireless users)................................................................................152


3.1 Introduction to NAC...................................................................................................................................................153
3.2 Principles....................................................................................................................................................................154
3.2.1 802.1x Authentication.............................................................................................................................................154


3.2.2 MAC Address Authentication.................................................................................................................................160


3.2.3 Portal Authentication...............................................................................................................................................160
3.3 Applications................................................................................................................................................................163
3.3.1 802.1x Authentication.............................................................................................................................................163
3.3.2 MAC Address Authentication.................................................................................................................................164
3.3.3 Portal Authentication...............................................................................................................................................164
3.4 Default Configuration.................................................................................................................................................165
3.5 Configuring NAC.......................................................................................................................................................166
3.5.1 Configuring 802.1x Authentication.........................................................................................................................166
3.5.1.1 Enabling 802.1x Authentication...........................................................................................................................166
3.5.1.2 (Optional) Setting the User Authentication Mode................................................................................................167
3.5.1.3 (Optional) Configuring Re-authentication for 802.1x Authentication Users.......................................................168
3.5.1.4 (Optional) Configuring the Guest VLAN Function.............................................................................................169
3.5.1.5 (Optional) Configuring the Restrict VLAN Function..........................................................................................170
3.5.1.6 (Optional) Configuring the User Group Function................................................................................................170
3.5.1.7 Checking the Configuration..................................................................................................................................171
3.5.2 Configuring MAC Address Authentication.............................................................................................................172
3.5.2.1 Enabling MAC Address Authentication...............................................................................................................172
3.5.2.2 (Optional) Configuring the User Group Function................................................................................................173
3.5.2.3 Checking the Configuration..................................................................................................................................174
3.5.3 Configuring Portal Authentication..........................................................................................................................174
3.5.3.1 Configuring Portal Server Parameters..................................................................................................................175
3.5.3.2 Enabling Portal Authentication............................................................................................................................175
3.5.3.3 (Optional) Configuring Parameters for Information Exchange with the Portal server........................................176
3.5.3.4 (Optional) Setting Access Control Parameters for Portal Authentication Users..................................................177
3.5.3.5 (Optional) Setting the Offline Detection Interval for Portal Authentication Users..............................................178
3.5.3.6 (Optional) Configuring the User Group Function................................................................................................179
3.5.3.7 Checking the Configuration..................................................................................................................................179
3.6 Configuration Examples.............................................................................................................................................180
3.6.1 Example for Configuring 802.1x Authentication....................................................................................................180
3.6.2 Example for Configuring MAC Address Authentication........................................................................................182
3.6.3 Example for Configuring Portal Authentication.....................................................................................................184
3.7 References..................................................................................................................................................................187

4 ACL Configuration....................................................................................................................188
4.1 Overview....................................................................................................................................................................189
4.2 Principles....................................................................................................................................................................189
4.2.1 Principles of ACLs..................................................................................................................................................189
4.2.2 ACL Classification..................................................................................................................................................190
4.2.3 ACL Naming...........................................................................................................................................................191
4.2.4 Step of an ACL........................................................................................................................................................192
4.2.5 Matching Order of ACL Rules................................................................................................................................192


4.2.6 Packet Fragmentation Supported by ACLs.............................................................................................................194


4.2.7 Time Range of an ACL...........................................................................................................................................194
4.2.8 IPv6 ACL.................................................................................................................................................................194
4.3 Applications................................................................................................................................................................195
4.3.1 Applying ACLs to Route Filtering..........................................................................................................................195
4.3.2 Applying ACLs to QoS...........................................................................................................................................196
4.3.3 Applying ACLs to the Firewall...............................................................................................................................197
4.3.4 Applying ACLs to IPSec.........................................................................................................................................197
4.4 Default Configuration.................................................................................................................................................198
4.5 Configuring ACL........................................................................................................................................................198
4.5.1 Configuring a Basic ACL........................................................................................................................................198
4.5.1.1 (Optional) Configuring the Validity Time Range of a Rule.................................................................................199
4.5.1.2 Creating a Basic ACL...........................................................................................................................................199
4.5.1.3 Configuring a Basic ACL Rule............................................................................................................................200
4.5.1.4 Applying the ACL to the Router..........................................................................................................................201
4.5.1.5 Checking the Configuration..................................................................................................................................202
4.5.2 Configuring an Advanced ACL...............................................................................................................................202
4.5.2.1 (Optional) Configuring the Validity Time Range of a Rule.................................................................................202
4.5.2.2 Creating an Advanced ACL.................................................................................................................................203
4.5.2.3 Configuring an Advanced ACL Rule...................................................................................................................204
4.5.2.4 Applying the ACL to the Router..........................................................................................................................206
4.5.2.5 Checking the Configuration..................................................................................................................................206
4.5.3 Configuring a Layer 2 ACL.....................................................................................................................................206
4.5.3.1 (Optional) Configuring the Validity Time Range of a Rule.................................................................................206
4.5.3.2 Creating a Layer 2 ACL.......................................................................................................................................207
4.5.3.3 Configuring a Layer 2 ACL Rule.........................................................................................................................208
4.5.3.4 Applying the ACL to the Router..........................................................................................................................209
4.5.3.5 Checking the Configuration..................................................................................................................................210
4.5.4 Configuring a Basic ACL6......................................................................................................................................210
4.5.4.1 (Optional) Configuring the Validity Time Range of a Rule.................................................................................210
4.5.4.2 Creating a Basic ACL6.........................................................................................................................................211
4.5.4.3 Configuring a Basic ACL6 Rule..........................................................................................................................212
4.5.4.4 Applying the ACL to the Router..........................................................................................................................213
4.5.4.5 Checking the Configuration..................................................................................................................................213
4.5.5 Configuring an Advanced ACL6.............................................................................................................................214
4.5.5.1 (Optional) Configuring the Validity Time Range of a Rule.................................................................................214
4.5.5.2 Creating an Advanced ACL6...............................................................................................................................215
4.5.5.3 Configuring an Advanced ACL6 Rule.................................................................................................................215
4.5.5.4 Applying the ACL to the Router..........................................................................................................................217
4.5.5.5 Checking the Configuration..................................................................................................................................218
4.6 Maintaining an ACL...................................................................................................................................................218
4.6.1 Clearing ACL Statistics...........................................................................................................................................218
4.6.2 Displaying ACL Resources.....................................................................................................................................218
4.7 Configuration Examples.............................................................................................................................................219
4.7.1 Example for Configuring a Basic ACL to Limit Access to the FTP Server............................................................219
4.7.2 Example for Using an Advanced ACL to Configure Traffic Classifiers.................................................................221
4.7.3 Example for Using an Advanced ACL to Configure the Firewall Function...........................................................225
4.7.4 Example for Using a Layer 2 ACL to Configure a Traffic Classifier.....................................................................228
4.7.5 Example for Using an ACL6 to Configure a Traffic Classifier...............................................................................230
4.8 FAQ............................................................................................................................................................................232
4.8.1 How Do I Control Access Through Specific Source or Destination Addresses?....................................................232
4.8.2 How Do I Restrict the Period During Which Users Can Access Specific Networks?............................................233
4.8.3 What Are the Methods Used to Process Packets After Different Features Reference ACLs?...............................233
4.9 References..................................................................................................................................................................234

5 Firewall Configuration.............................................................................................................235
5.1 Overview....................................................................................................................................................................236
5.2 Principles....................................................................................................................................................................236
5.2.1 Security Zone and Interzone....................................................................................................................................236
5.2.2 Firewall Working Mode..........................................................................................................................................237
5.2.3 Packet Filtering Firewall.........................................................................................................................................238
5.2.4 Stateful Firewall......................................................................................................................................................238
5.2.5 Blacklist...................................................................................................................................................................241
5.2.6 Whitelist...................................................................................................................................................................242
5.2.7 Port Mapping...........................................................................................................................................................243
5.2.8 Attack Defense........................................................................................................................................................243
5.2.9 Traffic Statistics Collection and Monitoring...........................................................................................................251
5.2.10 Firewall Log..........................................................................................................................................................252
5.2.11 Virtual Firewall......................................................................................................................................................252
5.2.12 Firewall in HSB Mode...........................................................................................................................................253
5.3 Applications................................................................................................................................................................255
5.3.1 Firewall Between the Internal and External Networks............................................................................................255
5.3.2 Firewall on an Internal Network..............................................................................................................................255
5.4 Default Configuration.................................................................................................................................................256
5.5 Configuring Firewall...................................................................................................................................................257
5.5.1 Configuring Basic Functions of the Firewall..........................................................................................................257
5.5.1.1 Creating a Zone and Adding Interfaces to the Zone.............................................................................................257
5.5.1.2 Creating an Interzone............................................................................................................................................258
5.5.1.3 Enabling Firewall in an Interzone........................................................................................................................259
5.5.1.4 (Optional) Configuring the Aging Time of the Firewall Session Table...............................................................259
5.5.1.5 Checking the Configuration..................................................................................................................................260
5.5.2 Configuring the Packet Filtering Firewall...............................................................................................................261
5.5.2.1 (Optional) Configuring the Default Processing Mode for Unmatched Packets...................................................261
5.5.2.2 Configuring ACL-based Packet Filtering in an Interzone....................................................................................261
5.5.2.3 Checking the Configuration..................................................................................................................................262
5.5.3 Configuring Stateful Firewall (ASPF).....................................................................................................................263
5.5.4 Configuring the Blacklist.........................................................................................................................................263
5.5.4.1 Enabling the Blacklist Function...........................................................................................................................264
5.5.4.2 Configuring a Blacklist Entry...............................................................................................................................265
5.5.4.3 Configuring Blacklist or Whitelist Entries in Batches.........................................................................................265
5.5.4.4 Checking the Configuration..................................................................................................................................266
5.5.5 Configuring the Whitelist........................................................................................................................................267
5.5.5.1 Configuring a Whitelist Entry..............................................................................................................................267
5.5.5.2 Configuring Blacklist or Whitelist Entries in Batches.........................................................................................267
5.5.5.3 Checking the Configuration..................................................................................................................................269
5.5.6 Configuring Port Mapping.......................................................................................................................................269
5.5.7 Configuring Attack Defense....................................................................................................................................270
5.5.7.1 Enabling the Attack Defense Function.................................................................................................................270
5.5.7.2 (Optional) Setting the Parameters for Flood Attack Defense...............................................................................271
5.5.7.3 Configuring Large ICMP Packet Attack Defense................................................................................................272
5.5.7.4 Setting Parameters for Scanning Attack Defense.................................................................................................272
5.5.7.5 Checking the Configuration..................................................................................................................................273
5.5.8 Configuring Traffic Statistics and Monitoring........................................................................................................273
5.5.8.1 Setting the Session Thresholds for System-Level Traffic Statistics and Monitoring...........................................273
5.5.8.2 Setting the Session Thresholds for Zone-Level Traffic Statistics and Monitoring..............................................274
5.5.8.3 Setting the Session Thresholds for IP Address-Level Traffic Statistics and Monitoring.....................................275
5.5.8.4 Checking the Configuration..................................................................................................................................276
5.5.9 Configuring the Firewall Log Function...................................................................................................................276
5.5.10 Configuring Virtual Firewalls...............................................................................................................................277
5.5.10.1 Configuring a VPN Instance to Identify a Virtual Firewall...............................................................................278
5.5.10.2 Configuring Security Functions for a Virtual Firewall......................................................................................278
5.5.10.3 Checking the Configuration................................................................................................................................280
5.5.11 Configuring Firewalls in HSB Mode.....................................................................................................................281
5.5.11.1 Creating an HSB Service....................................................................................................................................281
5.5.11.2 Configuring an HSB Group................................................................................................................................282
5.5.11.3 Enabling an HSB Group.....................................................................................................................................283
5.5.11.4 Checking the Configuration................................................................................................................................283
5.6 Maintaining the Firewall............................................................................................................................................284
5.6.1 Displaying the Firewall Configuration....................................................................................................................284
5.6.2 Clearing the Firewall Statistics................................................................................................................................284
5.7 Configuration Examples.............................................................................................................................................285
5.7.1 Example for Configuring the ACL-based Packet Filtering Firewall.......................................................................285
5.7.2 Example for Configuring ASPF and Port Mapping................................................................................................287
5.7.3 Example for Configuring the Blacklist....................................................................................................................290
5.7.4 Example for Configuring Blacklists on Virtual Firewalls.......................................................................................293
5.7.5 Example for Configuring Firewall HSB..................................................................................................................297
5.8 FAQ............................................................................................................................................................................303
5.8.1 How Do I Delete and View the Firewall and NAT Flow Table?............................................................................303
5.8.2 How Can I View the ACL Hit Count Configured on the Packet Filtering Firewall?..............................................303
5.8.3 Which Protocols Does the AR Firewall ASPF Support?........................................................................................303
5.8.4 What Are the Types of Blacklists? (Firewall).........................................................................................................303
5.9 References..................................................................................................................................................................303

6 Local Attack Defense Configuration.....................................................................................305
6.1 Local Attack Defense Overview.................................................................................................................................306
6.2 Default Configuration.................................................................................................................................................307
6.3 Configuring Local Attack Defense.............................................................................................................................308
6.3.1 Configuring CPU Attack Defense...........................................................................................................................308
6.3.1.1 Creating an Attack Defense Policy.......................................................................................................................309
6.3.1.2 Configuring a Blacklist.........................................................................................................................................310
6.3.1.3 Configuring the Rate Limit for Packets Sent to the CPU.....................................................................................310
6.3.1.4 Setting the Priority for Packets of a Specified Protocol.......................................................................................311
6.3.1.5 Configuring ALP..................................................................................................................................................311
6.3.1.6 Configuring the Rate Limit for All Packets Sent to the CPU...............................................................................312
6.3.1.7 Applying an Attack Defense Policy.....................................................................................................................313
6.3.1.8 Checking the Configuration..................................................................................................................................313
6.3.2 Configuring Attack Source Tracing........................................................................................................................314
6.3.2.1 Creating an Attack Defense Policy.......................................................................................................................314
6.3.2.2 Configuring the Threshold for Attack Source Tracing.........................................................................................315
6.3.2.3 Configuring an Attack Source Tracing Mode......................................................................................................315
6.3.2.4 Configuring the Types of Traced Packets............................................................................................................316
6.3.2.5 Configuring the Alarm Function for Attack Source Tracing................................................................................317
6.3.2.6 Configuring Attack Source Punishment...............................................................................................................318
6.3.2.7 Applying an Attack Defense Policy.....................................................................................................................318
6.3.2.8 Checking the Configuration..................................................................................................................................319
6.4 Maintaining Local Attack Defense.............................................................................................................................319
6.4.1 Clearing Attack Source Information........................................................................................................................319
6.4.2 Clearing Statistics About Packets Sent to the CPU.................................................................................................320
6.5 Configuration Examples.............................................................................................................................................320
6.5.1 Example for Configuring Local Attack Defense.....................................................................................................320
6.6 Common Configuration Errors...................................................................................................................................324
6.6.1 Attack Source Tracing Does Not Take Effect.........................................................................................................324
6.6.2 The Blacklist Does Not Take Effect........................................................................................................................325
6.7 FAQ............................................................................................................................................................................326
6.7.1 What Can I Do with Excess ACL Rules Used by a Blacklist in Local Attack Defense?........................................326
6.7.2 How Do I Configure CPCAR?................................................................................................................................326
6.7.3 Why Does the CPCAR Rate Limit Configuration Not Take Effect?......................................................................326

7 Attack Defense Configuration................................................................................................327
7.1 Overview....................................................................................................................................................................328
7.2 Principles....................................................................................................................................................................328
7.2.1 Defense Against Malformed Packet Attacks...........................................................................................................328
7.2.2 Defense Against Packet Fragment Attacks.............................................................................................................330
7.2.3 Defense Against Flood Attacks...............................................................................................................................335
7.3 Applications................................................................................................................................................................336
7.4 Default Configuration.................................................................................................................................................337
7.5 Configuring Attack Defense.......................................................................................................................................338
7.5.1 Configuring Defense Against Malformed Packet Attacks......................................................................................338
7.5.2 Configuring Defense Against Packet Fragment Attacks.........................................................................................339
7.5.3 Configuring Defense Against Flood Attacks...........................................................................................................339
7.5.3.1 Configuring Defense Against TCP SYN Flood Attacks......................................................................................339
7.5.3.2 Configuring Defense Against UDP Flood Attacks...............................................................................................340
7.5.3.3 Configuring Defense Against ICMP Flood Attacks.............................................................................................341
7.5.3.4 Checking the Configuration..................................................................................................................................342
7.6 Maintaining Attack Defense.......................................................................................................................................342
7.6.1 Clearing Attack Defense Statistics..........................................................................................................................342
7.7 Configuration Examples.............................................................................................................................................342
7.7.1 Example for Configuring Attack Defense...............................................................................................................342
7.8 References..................................................................................................................................................................344

8 Traffic Suppression Configuration........................................................................................345
8.1 Overview....................................................................................................................................................................346
8.2 Principles....................................................................................................................................................................346
8.2.1 Traffic Suppression..................................................................................................................................................346
8.3 Applications................................................................................................................................................................346
8.3.1 Traffic Suppression..................................................................................................................................................347
8.4 Default Configuration.................................................................................................................................................347
8.5 Configuring Traffic Suppression................................................................................................................................347
8.5.1 Configuring Traffic Suppression on an Interface....................................................................................................347
8.5.2 Limiting the Rate of ICMP Packets.........................................................................................................................348
8.5.3 Checking the Configuration.....................................................................................................................................349
8.6 Example for Configuring Traffic Suppression and Storm Control............................................................................350
8.6.1 Example for Setting the Rate Limit in pps for Traffic Suppression........................................................................350
8.7 Common Configuration Errors...................................................................................................................................351
8.7.1 Broadcast Traffic Suppression Does Not Take Effect.............................................................................................351
8.8 FAQ............................................................................................................................................................................352
8.8.1 Why Is the Actual Suppression Value Different from the Configured Traffic Suppression Value?......................352
8.9 References..................................................................................................................................................................353


9 ARP Security Configuration....................................................................................................354


9.1 Overview....................................................................................................................................................................355
9.2 Principles....................................................................................................................................................................358
9.2.1 Rate Limit on ARP Packets.....................................................................................................................................358
9.2.2 Rate Limit on ARP Miss Messages.........................................................................................................................359
9.2.3 Strict ARP Learning................................................................................................................................................359
9.2.4 ARP Entry Limiting.................................................................................................................................................360
9.2.5 ARP Entry Fixing....................................................................................................................................................360
9.2.6 DAI..........................................................................................................................................................................362
9.2.7 ARP Gateway Anti-Collision..................................................................................................................................364
9.2.8 Gratuitous ARP Packet Sending..............................................................................................................................364
9.2.9 MAC Address Consistency Check in an ARP Packet.............................................................................................365
9.2.10 ARP Packet Validity Check..................................................................................................................................365
9.3 Applications................................................................................................................................................................366
9.3.1 Defense Against ARP Flood Attacks......................................................................................................................366
9.3.2 Defense Against ARP Spoofing Attacks.................................................................................................................368
9.4 Default Configuration.................................................................................................................................................369
9.5 Configuring ARP Security..........................................................................................................................................370
9.5.1 Configuring Defense Against ARP Flood Attacks..................................................................................................370
9.5.1.1 Configuring Rate Limit on ARP Packets based on the Source MAC Address....................................................371
9.5.1.2 Configuring Rate Limit on ARP Packets based on the Source IP Address..........................................................371
9.5.1.3 Configuring Rate Limit on ARP Packets Globally or on an Interface.................................................................372
9.5.1.4 Configuring Rate Limit on ARP Packets on the VLANIF Interface of a Super-VLAN......................................373
9.5.1.5 Configuring Rate Limit on ARP Miss Messages based on the Source IP Address..............................................374
9.5.1.6 Configuring Rate Limit on ARP Miss Messages Globally..................................................................................375
9.5.1.7 Configuring the Aging Time of Temporary ARP Entries....................................................................................376
9.5.1.8 Configuring Strict ARP Learning.........................................................................................................................377
9.5.1.9 Configuring Interface-based ARP Entry Limit....................................................................................................378
9.5.1.10 Checking the Configuration................................................................................................................................379
9.5.2 Configuring Defense Against ARP Spoofing Attacks............................................................................................380
9.5.2.1 Configuring ARP Entry Fixing.............................................................................................................................380
9.5.2.2 Configuring DAI...................................................................................................................................................381
9.5.2.3 Configuring ARP Gateway Anti-Collision...........................................................................................................383
9.5.2.4 Configuring Gratuitous ARP Packet Sending......................................................................................................383
9.5.2.5 Configuring MAC address Consistency Check in an ARP Packet......................................................................384
9.5.2.6 Configuring ARP Packet Validity Check.............................................................................................................385
9.5.2.7 Configuring Strict ARP Learning.........................................................................................................................386
9.5.2.8 Checking the Configuration..................................................................................................................................387
9.6 ARP Security Maintenance........................................................................................................................................387
9.6.1 Monitoring ARP Running Status.............................................................................................................................388
9.6.2 Clearing ARP Security Statistics.............................................................................................................................388


9.6.3 Configuring the Alarm Function for Potential ARP Attacks..................................................................................389
9.7 Configuration Examples.............................................................................................................................................389
9.7.1 Example for Configuring ARP Security Functions.................................................................................................389
9.7.2 Example for Configuring Defense Against ARP MITM Attacks...........................................................................394
9.8 FAQ............................................................................................................................................................................397
9.8.1 After I Enable ARP Gateway Anti-Collision, and Send Gateway Collision ARP Packets from a MAC Address, Why Can the MAC Address Not Forward Traffic?..................................................................................................................397
9.8.2 After I Send ARP Request Packets with the Same Source IP Address, Why Do I Sometimes Receive Response Packets Only at the Rate of 5 Packets Per Second?..........................................................................................................397
9.8.3 How Do I Take Measures to Prevent Internal Network Attacks?...........................................................................397
9.9 References..................................................................................................................................................................397

10 DHCP Snooping Configuration...........................................................................................399


10.1 Overview..................................................................................................................................................................401
10.2 Principles..................................................................................................................................................................401
10.2.1 Basic Principles.....................................................................................................................................................401
10.2.2 Option 82 Supported by DHCP Snooping.............................................................................................................402
10.2.3 Option 18 and Option 37 Fields Supported by DHCPv6 Snooping......................................................................403
10.3 Application...............................................................................................................................................................404
10.3.1 Defense Against Bogus DHCP Server Attacks.....................................................................................................404
10.3.2 Defense Against Bogus DHCP Message Attacks..................................................................................................405
10.3.3 Defense Against DHCP Server DoS Attacks........................................................................................................405
10.3.4 Typical Application of the Option 82 Field...........................................................................................................406
10.4 Default Configuration...............................................................................................................................................407
10.5 Configuring DHCP Snooping...................................................................................................................................408
10.5.1 Configure Basic Functions of DHCP Snooping....................................................................................................408
10.5.1.1 Enabling DHCP Snooping..................................................................................................................................408
10.5.1.2 Configuring an Interface as the Trusted Interface..............................................................................................409
10.5.1.3 (Optional) Enabling Location Transition for a DHCP Snooping User.......................................................410
10.5.1.4 (Optional) Configuring Association Between ARP and DHCP Snooping.........................................................411
10.5.1.5 (Optional) Configuring the Device to Clear the MAC Address Entry Immediately When the User Is Disconnected..........................................................................................................................................................................412
10.5.1.6 (Optional) Configuring the Device to Discard DHCP Request Messages with Non-0 GIADDR Field............412
10.5.1.7 Checking the Configuration................................................................................................................................413
10.5.2 Configuring DHCP Snooping Attack Defense......................................................................................................413
10.5.2.1 Configuring Defense Against Bogus DHCP Server Attacks..............................................................................414
10.5.2.2 Configuring Defense Against Bogus DHCP Message Attacks..........................................................................414
10.5.2.3 Configuring Defense Against DHCP Server DoS Attacks.................................................................................416
10.5.2.4 Checking the Configuration................................................................................................................................418
10.5.3 Inserting the Option 82 Field to a DHCP Message...............................................................................................418
10.5.4 Inserting the Option 18 or Option 37 Field to a DHCPv6 Message......................................................................420
10.6 Maintaining DHCP Snooping...................................................................................................................................421
10.6.1 Clearing DHCP Snooping Statistics......................................................................................................................421


10.6.2 Clearing Dynamic DHCP Snooping Binding Entries............................................................................................421
10.6.3 Backing Up DHCP Snooping Binding Entries......................................................................................................422
10.7 Configuration Examples...........................................................................................................................................422
10.7.1 Example for Configuring DHCP Snooping Attack Defense.................................................................................422
10.8 Common Configuration Errors.................................................................................................................................426
10.8.1 DHCP Clients Cannot Go Online Due to DHCP Snooping..................................................................................426
10.9 FAQ..........................................................................................................................................................................427
10.9.1 Can a Router Provide DHCP Snooping Function Without Using a LAN Card?..................................................427
10.10 References..............................................................................................................................................................427

11 IPSG Configuration................................................................................................................429
11.1 Overview..................................................................................................................................................................430
11.2 Configuration Notes.................................................................................................................................................431
11.3 Default Configuration...............................................................................................................................................431
11.4 Configuring IPSG.....................................................................................................................................................432
11.4.1 Configuring a Binding Table.................................................................................................................................432
11.4.2 Configuring IP Packet Check................................................................................................................................433
11.4.3 Checking the Configuration...................................................................................................................................434
11.5 Configuration Examples...........................................................................................................................................435
11.5.1 Example for Configuring IPSG to Check Interface + IP + MAC Binding Entries...............................................435

12 URPF Configuration...............................................................................................................438
12.1 Overview..................................................................................................................................................................439
12.2 Principles..................................................................................................................................................................439
12.3 Applications..............................................................................................................................................................440
12.4 Default Configuration...............................................................................................................................................442
12.5 Configuring URPF....................................................................................................................................................442
12.5.1 Configuring the URPF Check Mode on an Interface............................................................................................443
12.5.2 Checking the Configuration...................................................................................................................................444
12.6 Configuration Examples...........................................................................................................................................444
12.6.1 Example for Configuring URPF............................................................................................................................444

13 PKI Configuration...................................................................................................................447
13.1 Overview..................................................................................................................................................................448
13.2 Principles..................................................................................................................................................................449
13.2.1 PKI Basics.............................................................................................................................................................449
13.2.2 PKI System............................................................................................................................................................450
13.2.3 PKI Implementation..............................................................................................................................................452
13.3 Applications..............................................................................................................................................................455
13.3.1 PKI in IPSec VPN Networking.............................................................................................................................455
13.3.2 PKI in SSL Networking.........................................................................................................................................456
13.3.3 PKI in WAPI Networking.....................................................................................................................................457
13.4 Default Configuration...............................................................................................................................................458


13.5 Configuration Task Summary..................................................................................................................................458
13.6 Configuring PKI.......................................................................................................................................................460
13.6.1 Configuring a PKI Entity.......................................................................................................................................460
13.6.1.1 Configuring a PKI Entity Identifier....................................................................................................................460
13.6.1.2 (Optional) Configuring PKI Entity Attributes....................................................................................................460
13.6.1.3 Checking the Configuration................................................................................................................................462
13.6.2 Configuring a PKI Domain....................................................................................................................................462
13.6.2.1 Creating a PKI Domain......................................................................................................................................462
13.6.2.2 Configuring a PKI Entity Name.........................................................................................................................463
13.6.2.3 Configuring the Trusted CA Name and Enrollment URL..................................................................................463
13.6.2.4 Configuring CA Certificate Fingerprint.............................................................................................................464
13.6.2.5 (Optional) Configuring the RSA Key Length of Certificates.............................................................................465
13.6.2.6 (Optional) Configuring a Certificate Revocation Password...............................................................................465
13.6.2.7 (Optional) Configuring a Source Interface for TCP Connection Setup.............................................................466
13.6.2.8 Checking the Configuration................................................................................................................................466
13.6.3 Configuring Certificate Registration and Obtaining.............................................................................................466
13.6.3.1 Configuring Manual Certificate Enrollment.......................................................................................................467
13.6.3.2 Configuring Automatic Certificate Enrollment..................................................................................................467
13.6.3.3 Creating a Self-signed Certificate or Local Certificate......................................................................................468
13.6.3.4 Configuring Certificate Obtaining......................................................................................................................468
13.6.3.5 Checking the Configuration................................................................................................................................469
13.6.4 Configuring Certificate Authentication.................................................................................................................469
13.6.4.1 Configuring the Certificate Check Mode...........................................................................................................469
13.6.4.2 Checking Certificate Validity.............................................................................................................................471
13.6.4.3 Checking the Configuration................................................................................................................................471
13.6.5 Managing Certificates............................................................................................................................................472
13.6.5.1 Deleting a Certificate..........................................................................................................................................472
13.6.5.2 Importing a Certificate........................................................................................................................................472
13.6.5.3 Exporting a Certificate........................................................................................................................................473
13.6.5.4 Configuring the Default Path Where Certificates Are Stored............................................................................473
13.7 Configuration Examples...........................................................................................................................................473
13.7.1 Example for Configuring Manual Certificate Enrollment.....................................................................................474
13.7.2 Example for Configuring PKI in IPSec.................................................................................................................475
13.7.3 Example for Importing Certificates Manually.......................................................................................................481

14 SSL Configuration...................................................................................................................484
14.1 SSL Overview...........................................................................................................................................................485
14.2 Default Configuration...............................................................................................................................................487
14.3 Configuring a Server SSL Policy.............................................................................................................................487
14.4 Configuring a Client SSL Policy..............................................................................................................................489
14.5 Configuration Examples...........................................................................................................................................491
14.5.1 Example for Configuring a Server SSL Policy.....................................................................................................491


14.5.2 Example for Configuring a Client SSL Policy......................................................................................................493

15 HTTPS Configuration.............................................................................................................498
15.1 HTTPS Overview.....................................................................................................................................................499
15.2 Configuring the Device as an HTTPS Server...........................................................................................................499
15.3 Configuration Examples...........................................................................................................................................500
15.3.1 Example for Configuring the Device as an HTTPS Server...................................................................................500

16 Keychain Configuration.........................................................................................................503
16.1 Overview..................................................................................................................................................................504
16.2 Principles..................................................................................................................................................................504
16.2.1 Basic Concepts......................................................................................................................................................504
16.2.2 Principles of Applying Keychain to a Non-TCP Application...............................................................................506
16.2.3 Principles of Applying Keychain to TCP Applications.........................................................................................508
16.3 Applications..............................................................................................................................................................510
16.4 Configuration Notes.................................................................................................................................................511
16.5 Configuring a Keychain............................................................................................................................................511
16.5.1 Creating a Keychain..............................................................................................................................................511
16.5.2 Configuring a Key.................................................................................................................................................512
16.5.3 Applying the Keychain..........................................................................................................................................514
16.5.4 Checking the Configuration...................................................................................................................................515
16.6 Example for Configuring a Keychain.......................................................................................................................515
16.6.1 Example for Applying the Keychain to RIP..........................................................................................................516
16.6.2 Example for Applying the Keychain to BGP........................................................................................................519
16.7 References................................................................................................................................................................522


1 AAA Configuration

About This Chapter

The AAA-capable device checks validity of users and assigns rights to authorized users to ensure
network security.

1.1 Overview
This section describes the definition, background, and functions of AAA.

1.2 Principles
This section describes the implementation of AAA.

1.3 Use Scenario


This section describes AAA use scenarios.

1.4 AAA Configuration Tasks


After AAA configuration is complete, the device authenticates users and authorizes users to use
particular services. In addition, the device also records the network resource usage of the user.

1.5 Configuring AAA


This section describes the AAA configuration procedure.

1.6 Maintaining AAA


AAA maintenance includes clearing AAA statistics and configuration.

1.7 Configuration Examples


This section provides several AAA configuration examples, including networking requirements,
configuration notes, and configuration roadmap.

1.8 FAQ
The FAQs on AAA are listed.

1.9 References
This section provides the AAA-related RFC recommendations.


1.1 Overview
This section describes the definition, background, and functions of AAA.

Definition
Authentication, Authorization, and Accounting (AAA) provides a management mechanism for
network security.

AAA provides the following functions:

l Authentication: verifies the identity of users who request network access.


l Authorization: authorizes users to use particular services.
l Accounting: records the network resources used by users.

A network can use one or more of the security services that AAA provides. For example, if a company
only wants to authenticate the employees who access certain network resources, the network
administrator only needs to configure an authentication server. If the company also wants to record
the operations employees perform on the network, an accounting server is needed as well.

In summary, AAA authorizes users to access specific resources and records user operations.
AAA is widely used because it features good scalability and facilitates centralized user
information management. AAA can be implemented using multiple protocols. Currently, the
device uses the Remote Authentication Dial-In User Service (RADIUS) or Huawei Terminal
Access Controller Access Control System (HWTACACS) protocol to implement AAA. In most
cases, the RADIUS protocol is used.

Purpose
AAA prevents unauthorized users from logging in to the device and improves system security.

1.2 Principles
This section describes the implementation of AAA.

1.2.1 Concepts

AAA Architecture
AAA uses the client/server structure. AAA architecture features good scalability and facilitates
centralized user information management. Figure 1-1 shows the AAA architecture.


Figure 1-1 AAA architecture (client/server model of AAA): Access user -- Router (AAA client) -- Internet -- AAA server

Authentication
AAA supports the following authentication modes:

l Non-authentication: Users are completely trusted without validity check. This mode is
rarely used.
l Local authentication: User information is configured on the network access server (NAS).
This mode features fast processing and low operation cost. The major limitation of local
authentication is that information storage is subject to the device hardware capacity.
l Remote authentication: User information is configured on the authentication server. AAA
can remotely authenticate users through the Remote Authentication Dial In User Service
(RADIUS) or Huawei Terminal Access Controller Access Control System
(HWTACACS) protocol.

Authorization
AAA supports the following authorization modes:

l Non-authorization: No authorization is performed for users.
l Local authorization: authorizes users according to the attributes configured on the NAS for
the local user accounts.
l HWTACACS authorization: authorizes users through the HWTACACS server.
l If-authenticated authorization: a user who passes authentication is treated as authorized.
This mode applies where the authentication process is separate from the authorization
process, so it is available only with local authentication and HWTACACS authentication
and cannot be used with RADIUS authentication.
After successful local authentication, local authorization is applied.
After successful HWTACACS authentication, all rights are granted; no separate
HWTACACS authorization exchange takes place.
l RADIUS authorization: Users pass the RADIUS authorization upon passing the RADIUS
authentication. RADIUS integrates authentication and authorization. Therefore, RADIUS
authorization cannot be performed separately.


Accounting
AAA supports the following accounting modes:
l Non-accounting: No accounting is performed; the user's resource usage is not recorded.
l Remote accounting: supports remote accounting through the RADIUS or HWTACACS
server.

1.2.2 RADIUS Protocol

1.2.2.1 RADIUS Protocol Overview


RADIUS is a distributed client/server protocol that protects a network against unauthorized
access. It is widely used in environments that require strong security and control over remote
user access. RADIUS defines a User Datagram Protocol (UDP)-based packet format and message
exchange, and uses UDP port 1812 for authentication and UDP port 1813 for accounting.
RADIUS was originally an AAA protocol for dial-up users only. As access methods diversified, it
was extended to other access modes such as Ethernet access and ADSL access. RADIUS provides
access control through authentication and authorization, and records the network resources used
by users through accounting.
RADIUS has the following characteristics:
l Client/Server model
RADIUS client: RADIUS clients run on network access servers (NASs). A client sends user
information to the specified RADIUS server and acts on the server's responses (for
example, by accepting or rejecting the user's access). A RADIUS client can be located at
any node on the network.
As a RADIUS client, the device supports:
l The standard RADIUS protocol and its extensions, including Request For Comments
(RFC) 2865 and RFC 2866
l Huawei proprietary attributes
l Active detection of RADIUS server status
l Local buffering and retransmission of Accounting-Stop packets
l Automatic switchover between RADIUS servers
l RADIUS server: RADIUS servers run on central computers and workstations to maintain
user authentication and network service access information. The servers receive connection
requests from users, authenticate the users, and send the responses (indicating that the
requests are accepted or rejected) to the clients. RADIUS servers need to maintain three
databases, as shown in Figure 1-2.

Figure 1-2 Databases maintained by the RADIUS servers: Users, Clients, Dictionary


Users: stores user information such as user names, passwords, protocols, and IP
addresses.
Clients: stores RADIUS client information such as the shared key and IP address of each
access device.
Dictionary: stores the RADIUS attributes and the meanings of their values.
l Security mechanism
A RADIUS client and server share a key that is never transmitted over the network; it is
used to authenticate the packets they exchange. Before transmission, the user password is
hidden with an MD5 keystream derived from the shared key and the packet's Request
Authenticator, so that it is not exposed in clear text on an insecure network.
Only the User-Password attribute is hidden: the user name and all other attributes travel
in clear text, and the protection is only as strong as the shared key. Use a long, random
shared key per client, and carry RADIUS traffic over a trusted network or an IPsec tunnel.
l Fine scalability
A RADIUS packet consists of a header and a variable number of attributes. New attributes
can be added without changing the existing implementation.

1.2.2.2 RADIUS Packet Overview

RADIUS Packet Format


RADIUS uses UDP packets to transmit information. Figure 1-3 shows the RADIUS packet
format.

Figure 1-3 RADIUS packet format

 0               7               15                              31
+---------------+---------------+-------------------------------+
|     Code      |  Identifier   |            Length             |
+---------------+---------------+-------------------------------+
|                                                               |
|                   Authenticator (16 bytes)                    |
|                                                               |
+---------------------------------------------------------------+
|                   Attributes (variable length)                |
+---------------------------------------------------------------+

Fields in a RADIUS packet include:


l Code: 1 byte. Identifies the RADIUS packet type. For example, the value 1 indicates an
Access-Request packet and the value 2 indicates an Access-Accept packet.
l Identifier: 1 byte. Matches reply packets to request packets and lets the server detect
requests retransmitted within a short period. The reply to a request carries the same
Identifier value as the request.
l Length: 2 bytes. Total length of the packet, including the header. Bytes beyond the
Length value are treated as padding and ignored by the receiver. If a received packet is
shorter than its Length value, the packet is silently discarded.


l Authenticator: 16 bytes. In a request packet it is a random value (the Request
Authenticator) that is also used to hide the user password. In a reply packet it is an MD5
digest computed over the reply, the Request Authenticator, and the shared key (the
Response Authenticator), which lets the client verify that the reply really comes from the
RADIUS server.
l Attribute: variable length. Carries the authentication, authorization, and accounting
information and the configuration details of request and reply packets. The Attribute field
may contain multiple attributes, each consisting of Type, Length, and Value. For details,
see 1.2.2.4 RADIUS Attributes.
Type: 1 byte. Indicates the attribute type. The value ranges from 1 to 255.
Length: 1 byte. Length of the whole attribute (Type, Length, and Value fields), in bytes.
Value: attribute content. Its format depends on Type; the maximum length is 253 bytes.
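The packet layout and the security mechanism above, as an added example that is not code from this guide or from the router: the Python script below builds and parses RADIUS packets with this header and TLV structure, hides User-Password under the shared key and the Request Authenticator (RFC 2865 section 5.2), computes and checks the Response Authenticator of a reply, and applies the Length rules (padding ignored, short packets discarded). The shared key, user name, password, and NAS address are constructed demo values; no real server is involved.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types used below (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18


def encode_attrs(attrs):
    """Serialise (type, value) pairs as TLVs. Length counts Type+Length+Value, so Value is 1..253 bytes."""
    out = b""
    for t, v in attrs:
        if not 1 <= len(v) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Walk the TLV list; a Length below 2 or running past the end of the data is malformed."""
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs


def parse_packet(data):
    """Split a datagram into (code, identifier, authenticator, attrs) using the RFC 2865 Length rules."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("Length field exceeds the datagram: packet must be discarded")
    # Bytes after Length are padding and are ignored.
    return code, ident, data[4:20], decode_attrs(data[20:length])


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a multiple of 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, request_auth):
    """Server side of hide_password: the keystream is regenerated from the secret and Request Authenticator."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, body, request_auth, secret):
    """Authenticator of a reply: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_access_request(ident, user, password, nas_ip, secret):
    """Client side: a fresh random Request Authenticator, with the password hidden under it."""
    request_auth = os.urandom(16)
    body = encode_attrs([
        (USER_NAME, user),
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def server_reply(request, users, secret):
    """Server side: recover the password, decide, and sign the reply with the Response Authenticator."""
    code, ident, request_auth, attrs = parse_packet(request)
    a = dict(attrs)
    pw = unhide_password(a.get(USER_PASSWORD, b""), secret, request_auth)
    ok = code == ACCESS_REQUEST and USER_NAME in a and users.get(a[USER_NAME]) == pw
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    body = encode_attrs([(REPLY_MESSAGE, b"welcome" if ok else b"denied")])
    auth = response_authenticator(reply_code, ident, body, request_auth, secret)
    return struct.pack("!BBH", reply_code, ident, 20 + len(body)) + auth + body


def verify_reply(reply, request, secret):
    """Client side: accept a reply only if its Identifier matches the request and its Authenticator verifies."""
    code, ident, auth, _ = parse_packet(reply)
    if ident != request[1]:
        return None
    body = reply[20:struct.unpack("!H", reply[2:4])[0]]
    expected = response_authenticator(code, ident, body, request[4:20], secret)
    return code if hmac.compare_digest(auth, expected) else None
```

Two things worth noticing when running it: the Response Authenticator proves that the reply came from a holder of the shared key, but nothing in a plain Access-Request authenticates the request itself, and because only User-Password is hidden, the user name in a captured request is readable without the key. The Message-Authenticator attribute (80) closes the first gap; a strong per-client key and an IPsec-protected path close the second.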

RADIUS Packet Type


RADIUS defines 16 types of packets. Table 1-1 describes the authentication packets, Table
1-2 the accounting packets, and Table 1-3 the authorization packets.

Table 1-1 RADIUS authentication packets

Access-Request: The first packet in a RADIUS exchange, sent by the RADIUS client to the
RADIUS server. It carries the user's authentication information, such as the user name and
password. The RADIUS server decides from this information whether the user is allowed to
access the network.

Access-Accept: Sent by the RADIUS server in response to an Access-Request packet. If every
attribute in the Access-Request packet is acceptable, the server considers the user
authenticated and returns this packet. On receiving it, the client grants the user network
access rights.

Access-Reject: Sent by the RADIUS server in response to an Access-Request packet. If any
attribute in the Access-Request packet is unacceptable, the server considers that the user
has failed authentication and returns this packet.

Access-Challenge: During EAP authentication, when the RADIUS server receives an
Access-Request packet carrying the user name, it generates a random MD5 challenge and
returns it to the client in this packet. The user's password is hashed together with the
challenge, and the client sends the result to the server in a new Access-Request packet. The
server performs the same computation with the password it holds; if the two values match,
it considers the user valid.


Table 1-2 RADIUS accounting packets

Accounting-Request (Start): If the client uses RADIUS accounting, the client sends this packet
to the server before the user starts to access network resources.

Accounting-Response (Start): After receiving and recording the Accounting-Request (Start)
packet, the server returns this packet to the client.

Accounting-Request (Interim-update): If the accounting server never receives the
Accounting-Request (Stop) packet, it cannot stop accounting for the user. To limit this
problem, configure interim accounting on the client; the client then periodically sends
accounting packets to the server.

Accounting-Response (Interim-update): After receiving an Accounting-Request
(Interim-update) packet, the server returns this packet to the client.

Accounting-Request (Stop): When a user goes offline voluntarily or is forcibly disconnected,
the client sends this packet, carrying the network resource usage information (including
online duration and number of incoming/outgoing bytes), to the server and requests that
accounting be stopped.

Accounting-Response (Stop): After receiving an Accounting-Request (Stop) packet, the server
returns this packet to the client.

Table 1-3 RADIUS authorization packet

Packet Name Description

CoA-Request When the administrator needs to modify the rights of an online user
(for example, prohibit the user from accessing a website), the server
sends this packet to the client, requesting the client to modify the user
rights.

CoA-ACK If the client successfully modifies the user rights, the client sends this
packet to the server.

CoA-NAK If the client cannot modify the user rights, the client sends this packet
to the server.

DM-Request When the administrator needs to disconnect a user, the server sends
this packet to the client, requesting the client to disconnect the user.

DM-ACK If the client successfully disconnects the user, the client sends this
packet to the server.

DM-NAK If the client cannot disconnect the user, the client sends this packet to
the server.


1.2.2.3 RADIUS Interaction Process

RADIUS Authentication, Authorization, and Accounting


The access device functions as a RADIUS client to collect user information, including user name
and password, and sends the information to the RADIUS server. The RADIUS server
authenticates users according to the information, and performs authorization and accounting for
the users after the users are authenticated. Figure 1-4 shows information exchanged between a
user, the RADIUS client, and the RADIUS server.

Figure 1-4 RADIUS authentication, authorization, and accounting process (message sequence
between the user, the RADIUS client, and the RADIUS server: authentication request and
accept/reject, accounting start, optional interim accounting, disconnection request, accounting
stop; the numbered steps below follow the figure)

1. A user sends a connection request carrying the user name and password to the RADIUS
client (access device).
2. The RADIUS client sends an Access-Request packet containing the user identity
information to the RADIUS server according to the user name and password.
3. The RADIUS server verifies the user identity:
l If the user identity is valid, the RADIUS server returns an Access-Accept packet to the
RADIUS client. The Access-Accept packet contains authorization information.


l If the user identity is invalid, the RADIUS server returns an Access-Reject packet to
the RADIUS client to reject access from the user.
4. The RADIUS client notifies the user whether authentication is successful.
5. The RADIUS client permits or rejects the user according to the authentication result. If the
user is permitted, the RADIUS client sends an Accounting-Request (Start) packet to the
RADIUS server.
6. The RADIUS server sends an Accounting-Response (Start) packet to the RADIUS client
and starts accounting.
7. The user starts to access network resources.
8. (Optional) If interim accounting is enabled, the RADIUS client periodically sends
Accounting-Request (Interim-update) packets to the RADIUS server, preventing incorrect
accounting result caused by unexpected user disconnection.
9. (Optional) The RADIUS server returns Accounting-Response (Interim-update) packets and
performs interim accounting.
10. The user sends a logout request.
11. The RADIUS client sends an Accounting-Request (Stop) packet to the RADIUS server.
12. The RADIUS server sends an Accounting-Response (Stop) packet to the RADIUS client
and stops accounting.
13. The RADIUS client notifies the user of the processing result, and the user stops accessing
network resources.

CoA
Change of Authorization (CoA) allows the administrator to change the right of an authenticated
online user through RADIUS. For example, a VLAN ID can be delivered to some access users
through CoA packets, so that they belong to the same VLAN no matter which interfaces they
connect to. Figure 1-5 shows the CoA interaction process.

Figure 1-5 CoA interaction process (the user is online; 1. the RADIUS server sends a CoA-Request
packet to the RADIUS client; 2. the client modifies the user rights; 3. the client returns a
CoA-ACK or CoA-NAK packet)

1. The RADIUS server sends a CoA-Request packet to the RADIUS client according to
service information, requesting the client to modify the user's authorization information.
The CoA-Request packet may contain a policy name (configured on the RADIUS client) or
ACL rules.
2. The RADIUS client modifies user authorization information according to the CoA-Request
packet without disconnecting the user.
3. The RADIUS client returns a CoA-ACK or CoA-NAK packet.
l If the authorization information is modified (for example, the policy name in the CoA
packet is the same as that configured on the client), the RADIUS client returns a CoA-
ACK packet to the RADIUS server.
l If the authorization information cannot be modified, the RADIUS client returns a CoA-
NAK packet to the RADIUS server.

DM
When a user needs to be disconnected forcibly, the RADIUS server sends a Disconnect Message
(DM) to the RADIUS client. Figure 1-6 shows the DM interaction process.

Figure 1-6 DM interaction process (the user is online; 1. the RADIUS server sends a DM Request
packet to the RADIUS client; 2. the client requests the user to go offline; 3. the client returns
a DM ACK or DM NAK packet)

1. The administrator forcibly disconnects a user on the RADIUS server. The RADIUS server
sends a DM Request packet to the RADIUS client, requesting the client to disconnect the
user.
2. When receiving the DM Request packet, the RADIUS client requests the user to go offline.
3. The RADIUS client returns a DM-ACK or DM-NAK packet.
l If the user successfully goes offline, the RADIUS client returns a DM ACK packet to
the RADIUS server.
l If the user cannot go offline, the RADIUS client returns a DM NAK packet to the
RADIUS server.
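The CoA and DM exchanges above, as an added example that is not part of this guide or of the router's own implementation: a small Python model of the RADIUS client's side, which assumes (for illustration only) that the client keeps its session table keyed by Acct-Session-Id and that the policy name arrives in the standard Filter-Id attribute. The point it makes is the check a NAS must perform before touching any session: CoA-Request and DM-Request arrive unsolicited from the server, so the client verifies their Request Authenticator under the shared key (RFC 5176 section 2.3) and silently drops anything that fails, because otherwise any host able to reach the CoA/DM port could disconnect or re-authorize users. Packet codes and Error-Cause values are those of RFC 5176; the session IDs, user names, policy names, and shared key are constructed.

```python
import hashlib
import hmac
import struct

# Packet codes from RFC 5176; Table 1-3 names them CoA-Request/ACK/NAK and DM-Request/ACK/NAK.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, FILTER_ID, ACCT_SESSION_ID, ERROR_CAUSE = 1, 11, 44, 101
ERR_INVALID_ATTRIBUTE_VALUE, ERR_SESSION_CONTEXT_NOT_FOUND = 407, 503  # RFC 5176 Error-Cause values


def tlv(t, v):
    return struct.pack("!BB", t, len(v) + 2) + v


def tlvs(body):
    """Attributes of a packet body as {type: value}."""
    out = {}
    while body:
        if len(body) < 2 or body[1] < 2 or body[1] > len(body):
            raise ValueError("malformed attribute")
        out[body[0]] = body[2:body[1]]
        body = body[body[1]:]
    return out


def request_authenticator(code, ident, body, secret):
    """RFC 5176 2.3: a server-originated request carries MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + b"\x00" * 16 + body + secret).digest()


def response_authenticator(code, ident, body, request_auth, secret):
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_server_request(code, ident, attrs, secret):
    """What the RADIUS server sends (or what anyone who knows the shared key could forge)."""
    body = b"".join(tlv(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + request_authenticator(code, ident, body, secret) + body


class Nas:
    """Assumed model of the RADIUS client: a session table keyed by Acct-Session-Id plus the
    policy names configured locally. Not the router's implementation."""

    def __init__(self, secret, sessions, policies):
        self.secret = secret
        self.sessions = {sid: dict(s) for sid, s in sessions.items()}
        self.policies = set(policies)

    def _reply(self, code, ident, request_auth, attrs=()):
        body = b"".join(tlv(t, v) for t, v in attrs)
        auth = response_authenticator(code, ident, body, request_auth, self.secret)
        return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

    def handle(self, packet):
        """Return the ACK/NAK to send back, or None when the packet must be silently dropped."""
        if len(packet) < 20:
            return None
        code, ident, length = struct.unpack("!BBH", packet[:4])
        if length < 20 or length > len(packet) or code not in (DISCONNECT_REQUEST, COA_REQUEST):
            return None
        auth, body = packet[4:20], packet[20:length]
        # Anyone on the path can send UDP to the CoA/DM port, so the first gate is whether the
        # Request Authenticator verifies under the shared key. If not, drop it without any NAK.
        if not hmac.compare_digest(auth, request_authenticator(code, ident, body, self.secret)):
            return None
        attrs = tlvs(body)
        nak = DISCONNECT_NAK if code == DISCONNECT_REQUEST else COA_NAK
        sid = attrs.get(ACCT_SESSION_ID)
        session = self.sessions.get(sid)
        if session is None or attrs.get(USER_NAME, session["user"]) != session["user"]:
            cause = struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND)
            return self._reply(nak, ident, auth, [(ERROR_CAUSE, cause)])
        if code == DISCONNECT_REQUEST:
            del self.sessions[sid]  # step 2 of the DM exchange: the user goes offline
            return self._reply(DISCONNECT_ACK, ident, auth)
        policy = attrs.get(FILTER_ID, b"").decode(errors="replace")
        if policy not in self.policies:  # policy name not configured on this client: CoA-NAK
            cause = struct.pack("!I", ERR_INVALID_ATTRIBUTE_VALUE)
            return self._reply(COA_NAK, ident, auth, [(ERROR_CAUSE, cause)])
        session["policy"] = policy  # step 2 of the CoA exchange: rights changed, user stays online
        return self._reply(COA_ACK, ident, auth)
```

The NAK carries an Error-Cause attribute so the server can tell "no such session" (503) from "I do not have that policy" (407), which is the distinction the CoA-ACK/CoA-NAK description above relies on. The same shared key authenticates both directions, so a key that is guessable, or shared across many clients, lets a forger disconnect users on every NAS that uses it.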


1.2.2.4 RADIUS Attributes


RADIUS attributes are classified into Standard RADIUS Attributes and Huawei Proprietary
RADIUS Attributes. Different RADIUS packets have different RADIUS attributes. For details,
see RADIUS Attributes Available in Packets.

Standard RADIUS Attributes


RFC 2865, RFC 2866, and RFC 3576 define the standard RADIUS attributes, which are supported
by all mainstream vendors. For details, see Table 1-4.

Table 1-4 Standard RADIUS attributes (attribute number, attribute name, description)

1 User-Name: User name for authentication. The format can be "user name@domain name"
or just "user name".

2 User-Password: User password for authentication, valid only for the Password
Authentication Protocol (PAP). The value is hidden with the shared key and the Request
Authenticator before transmission.

3 CHAP-Password: User password for authentication, valid only for the Challenge
Handshake Authentication Protocol (CHAP).

4 NAS-IP-Address: IP address carried in the authentication request packets sent by the NAS.
If the RADIUS server is bound to an interface, the attribute is set to the IP address of the
bound interface; otherwise it is set to the IP address of the interface that sends the RADIUS
packets.

5 NAS-Port: Physical port through which the user accesses, in one of the following formats:
l new: slot ID (8 bits) + sub-slot ID (4 bits) + port number (8 bits) + Virtual Local Area
Network (VLAN) ID (12 bits)
l old: slot ID (12 bits) + port number (8 bits) + VLAN ID (12 bits)
l ADSL access: slot ID (4 bits) + sub-slot ID (2 bits) + port number (2 bits) + VPI (8 bits)
+ VCI (16 bits)

6 Service-Type: Service type of the user to be authenticated:
l 2 (Framed): PPP or 802.1x user
l 5 (Outbound): web user
l 10 (Call Check): MAC address authentication user or MAC address bypass
authentication user

7 Framed-Protocol: Encapsulation protocol of framed services.
l For a non-management user, the value is fixed at 1.
l For a management user, the value is fixed at 6.

8 Framed-IP-Address: User IP address.

11 Filter-Id: User group name or user Access Control List (ACL) ID. A RADIUS packet
cannot carry both an ACL ID and a user group name.
NOTE
This attribute can carry only ACL IDs in the range 3000 to 3999.

12 Framed-MTU: MTU of the data link between the user and the NAS. For example, in 802.1x
Extensible Authentication Protocol (EAP) authentication, the NAS uses this attribute to tell
the server the maximum EAP packet length; an EAP packet larger than the link MTU is lost.

14 Login-IP-Host: Management user IP address.
l If the value is 0 or 0xFFFFFFFF, the management user's IP address is not checked.
l For any other value, the device checks that the management user's IP address equals
the delivered value.

15 Login-Service: Service types available to management users:
l 0: Telnet
l 5: X25-PAD
l 50: SSH
l 51: FTP
l 52: Terminal
NOTE
One attribute can carry multiple service types.

18 Reply-Message: Text to be displayed to the user, carried in an Access-Accept packet (the
user is successfully authenticated) or an Access-Reject packet (the user fails
authentication).

19 Callback-Number: Information sent by the authentication server to be displayed to the
user, such as a mobile number.

24 State: If the RADIUS server sends an Access-Challenge packet carrying the State attribute
to the device, the subsequent Access-Request packets sent by the device must carry the
State attribute with the same value.

25 Class: If the RADIUS server sends an Access-Accept packet carrying the Class attribute to
the NAS, the subsequent Accounting-Request packets sent by the NAS must carry the Class
attribute with the same value.

26 Vendor-Specific: Vendor-specific attribute. For details, see Table 1-5. A packet can carry
one or more vendor-specific attributes, each containing one or more sub-attributes.

27 Session-Timeout: In an Access-Accept packet, the maximum number of seconds of service
to be provided to the user before the session is terminated or the user is prompted. In an
Access-Challenge packet, the reauthentication interval for EAP authentication users.
NOTE
This attribute is valid only for 802.1x authentication users.

28 Idle-Timeout: The maximum number of consecutive seconds the connection may remain
idle before the session is terminated or the user is prompted.
NOTE
This attribute is valid only for Portal authentication users.

29 Termination-Action: Action the NAS takes when the user's service ends:
l 0: forcible disconnection
l 1: reauthentication
NOTE
This attribute is valid only for 802.1x authentication users.

30 Called-Station-Id: Number of the NAS. For wired users this is generally the NAS MAC
address.

31 Calling-Station-Id: Number of the client. Generally, it is the MAC address of the client.

32 NAS-Identifier: Host name of the NAS.

40 Acct-Status-Type: Type of the Accounting-Request packet:
l 1: Accounting-Start
l 2: Accounting-Stop
l 3: Interim-Update

41 Acct-Delay-Time: Number of seconds the client has been trying to send the accounting
packet (excluding network transmission time).

44 Acct-Session-Id: Accounting session ID. The Accounting-Start, Interim-Update, and
Accounting-Stop packets of one accounting session must carry the same session ID.
The format is: host name (7 characters) + slot ID (2) + subcard number (1) + port number (2)
+ outer VLAN ID (4) + inner VLAN ID (5) + Central Processing Unit (CPU) tick (6) + user
connection ID (6).

45 Acct-Authentic: How the user was authenticated:
l 1: RADIUS authentication
l 2: Local authentication
l 3: Other remote authentication

46 Acct-Session-Time: How long the user has been online, in seconds.
NOTE
If the administrator changes the system time after the user goes online, the online time
calculated by the device may be incorrect.

49 Acct-Terminate-Cause: Reason the user connection was torn down:
l 1 (User Request): The user requested termination of service.
l 2 (Lost Carrier): Torn down because of a handshake failure or heartbeat timeout, for
example an ARP probe failure or a PPP handshake failure.
l 3 (Lost Service): The connection initiated by the peer device was torn down.
l 4 (Idle Timeout): The idle timer expired.
l 5 (Session Timeout): The session timed out or the traffic threshold was reached.
l 6 (Admin Reset): The administrator forced the user offline.
l 7 (Admin Reboot): The administrator restarted the NAS.
l 8 (Port Error): A port failed.
l 9 (NAS Error): The NAS encountered an internal error.
l 10 (NAS Request): The NAS ended the session because of a resource change.
l 11 (NAS Reboot): The NAS restarted automatically.
l 12 (Port Unneeded): The port went Down.
l 13 (Port Preempted): The port was occupied.
l 14 (Port Suspended): The port was suspended.
l 15 (Service Unavailable): The service was unavailable.
l 16 (Callback): The NAS is ending the current session in order to perform callback for a
new session.
l 17 (User Error): User authentication failed or timed out.
l 18 (Host Request): A host sent a request.

55 Event-Timestamp: Time at which the Accounting-Request packet was generated, as the
number of seconds elapsed since 00:00:00 on January 1, 1970.

60 CHAP-Challenge: Challenge used in CHAP authentication. It is generated by the NAS and
used in the Message Digest algorithm 5 (MD5) calculation.

61 NAS-Port-Type: NAS port type. It can be configured in the interface view; the default is
Ethernet (15).

64 Tunnel-Type: Tunnel protocol type. The value is fixed at 13, indicating VLAN.

65 Tunnel-Medium-Type: Medium type used on the tunnel. The value is fixed at 6, indicating
Ethernet.

79 EAP-Message: Encapsulates Extensible Authentication Protocol (EAP) packets so that
RADIUS can carry EAP authentication. An EAP packet longer than 253 bytes is split across
multiple EAP-Message attributes, and a RADIUS packet can carry several of them.

80 Message-Authenticator: HMAC-MD5 over the whole RADIUS packet, keyed with the shared
key; the receiver recomputes it to authenticate the packet and reject spoofed ones. It is
mandatory in packets that carry EAP-Message, and the device uses it when RADIUS carries
EAP authentication.

81 Tunnel-Private-Group-ID: Tunnel private group ID, used to deliver the user VLAN ID.

85 Acct-Interim-Interval: Interim accounting interval.

87 NAS-Port-Id: User access port, in either of the following formats:
l New:
For Ethernet access users: "slot=xx; subslot=xx; port=xxx; VLAN ID=xxxx", where slot
ranges from 0 to 15, subslot from 0 to 15, port from 0 to 255, and VLAN ID from 1 to 4094.
For ADSL access users: "slot=xx; subslot=x; port=x; VPI=xxx; VCI=xxxxx", where slot
ranges from 0 to 15, subslot from 0 to 9, port from 0 to 9, VPI from 0 to 255, and VCI from
0 to 65535.
l Old:
For Ethernet access users: port number (2 characters) + sub-slot ID (2 characters) + card
number (3 characters) + VLAN ID (9 characters).
For ADSL access users: port number (2 characters) + sub-slot ID (2 characters) + card
number (3 characters) + VPI (8 characters) + VCI (16 characters).
Fields shorter than the specified width are left-padded with 0s.

88 Framed-Pool: Address pool, included only in Access-Accept packets. It is used as
authorization information in Efficient VPN.

95 NAS-IPv6-Address: IPv6 address of the device, carried in the authentication request
packets sent by the NAS. A packet can carry both NAS-IPv6-Address and NAS-IP-Address.


Huawei Proprietary RADIUS Attributes


The RADIUS protocol has good extensibility. The No. 26 attribute (Vendor-Specific) defined
in RFC2865 is used to extend RADIUS to implement the functions not supported by standard
RADIUS attributes. Table 1-5 describes Huawei proprietary RADIUS attributes.

Table 1-5 Huawei proprietary RADIUS attributes

Attribute No. Attribute Name Description

26-1 HW-Input-Peak-Information-Rate Peak rate at which the user accesses the NAS, in bit/s.

26-2 HW-Input-Committed-Information-Rate Average rate at which the user accesses the NAS, in bit/s.

26-3 HW-Input-Committed-Burst-Size Committed burst size at which the user accesses the NAS, in bit/s.

26-4 HW-Output-Peak-Information-Rate Peak rate at which the NAS connects to the user, in bit/s.

26-5 HW-Output-Committed-Information-Rate Average rate at which the NAS connects to the user, in bit/s.

26-6 HW-Output-Committed-Burst-Size Committed burst size at which the NAS connects to the user, in bit/s.

26-22 HW-Priority Priority of user service.
NOTE
If the RADIUS server has delivered this attribute, the HW-Up-Priority and HW-Down-Priority attributes are invalid.

26-26 HW_ConnectID Index of a user connection.

26-28 HW-FTP-Directory Initial directory of an FTP user.

26-29 HW-Exec-Privilege Management user (such as Telnet user) priority, ranging from 0 to 16. The value 16 indicates that the user does not have administrator rights.

26-59 HW-Startup-Time-Stamp NAS start time, which is the number of seconds elapsed since 00:00:00 of January 1, 1970.

26-60 HW-IP-Host-Address User IP address and MAC address carried in authentication and accounting packets, in the format A.B.C.D HH:HH:HH:HH:HH:HH. There is a space between the IP address and the MAC address. If the user's IP address is detected to be invalid during authentication, A.B.C.D is set to 255.255.255.255.

26-61 HW-Up-Priority Upstream priority of user service.


26-62 HW-Down-Priority Downstream priority of user service.

26-77 HW-Input-Peak-Burst-Size Upstream peak rate, in bit/s.

26-78 HW-Output-Peak-Burst-Size Downstream peak rate, in bit/s.

26-82 HW-Data-Filter ACL rule delivered by RADIUS when a user goes online. Attribute format: acl acl-number key1 key-value1... keyN key-valueN permit/deny, for example, acl 10006 dest-ip 11.11.11.2 dest-ipmask 32 udp-dstport 5070 deny.
- acl: ACL content is delivered.
- acl-number: specifies the ACL number, ranging from 10000 to 10999.
- keyN: specifies the IP address, IP address mask, and port number.
- permit: permits the packets that match a rule.
- deny: rejects the packets that match a rule.

26-142 HW_User_Information User security check information delivered by the RADIUS server to an Extensible Authentication Protocol over LAN (EAPoL) user to notify the user of check items.

26-143 HW_Web_Proxy_Name Web proxy resource name of Secure Sockets Layer virtual private network (SSL VPN).

26-144 HW_Port_Forward_Name Port forwarding resource name of SSL VPN.

26-145 HW_IP_Forwarding_Name IP forwarding resource name of SSL VPN.

26-146 HW-Service-Scheme Service scheme name. A service scheme contains user authorization information and policy.

26-156 HW-Portal-URL Forcibly pushed URL.

26-163 HW-LLDP-Info LLDP information. A packet can contain multiple HW-LLDP-Info attributes to carry different options.

26-254 HW-Version Software version running on the device.

26-255 HW-Product-ID NAS product name.
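As an added example (not code from the Huawei guide), the following Python encodes a Huawei proprietary attribute in the RFC 2865 Vendor-Specific (26) wrapper and validates an HW-Data-Filter (26-82) rule string against the format in Table 1-5 before it is put on the wire. It assumes Huawei's IANA enterprise number 2011 as the Vendor-Id, which the page does not state; the sample rule and all other values are constructed.

```python
"""Encode/decode RADIUS Vendor-Specific (type 26) attributes and validate an
HW-Data-Filter (26-82) ACL rule string as described in Table 1-5.

Added example, not code from the Huawei guide. Assumption: the Vendor-Id is
Huawei's IANA enterprise number 2011 (not stated on the page); the sub-attribute
layout is the RFC 2865 Vendor-Type / Vendor-Length form."""
import struct

HUAWEI_VENDOR_ID = 2011           # assumption: IANA enterprise number for Huawei
VENDOR_SPECIFIC = 26              # RFC 2865 attribute carrying every 26-N attribute
HW_DATA_FILTER = 82               # sub-attribute 26-82 from Table 1-5
ACL_RANGE = range(10000, 11000)   # acl-number 10000 to 10999 per Table 1-5


def encode_vsa(sub_type: int, value: bytes, vendor_id: int = HUAWEI_VENDOR_ID) -> bytes:
    """Return Type(26) Length Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) Value."""
    if len(value) > 247:  # 255 max attribute length minus 2 + 4 + 2 bytes of framing
        raise ValueError("VSA value too long for a single attribute")
    vendor_part = struct.pack("!IBB", vendor_id, sub_type, len(value) + 2) + value
    return struct.pack("!BB", VENDOR_SPECIFIC, len(vendor_part) + 2) + vendor_part


def decode_vsa(raw: bytes) -> tuple:
    """Parse one VSA into (vendor_id, sub_type, value), checking both length fields."""
    if len(raw) < 8 or raw[0] != VENDOR_SPECIFIC:
        raise ValueError("not a Vendor-Specific attribute")
    attr_len = raw[1]
    if attr_len != len(raw):
        raise ValueError("attribute length does not match buffer")
    vendor_id, sub_type, sub_len = struct.unpack("!IBB", raw[2:8])
    if sub_len != attr_len - 6:
        raise ValueError("vendor length does not match attribute length")
    return vendor_id, sub_type, raw[8:attr_len]


def parse_data_filter(text: str) -> dict:
    """Parse 'acl acl-number key1 value1 ... keyN valueN permit|deny' (Table 1-5)."""
    tokens = text.split()
    if len(tokens) < 3 or tokens[0] != "acl":
        raise ValueError("attribute must start with 'acl <acl-number>'")
    acl_number = int(tokens[1])
    if acl_number not in ACL_RANGE:
        raise ValueError(f"acl-number {acl_number} outside 10000-10999")
    action = tokens[-1]
    if action not in ("permit", "deny"):
        raise ValueError("rule must end with permit or deny")
    body = tokens[2:-1]
    if len(body) % 2:
        raise ValueError("key without value in rule")
    match = dict(zip(body[0::2], body[1::2]))
    return {"acl": acl_number, "action": action, "match": match}


def build_data_filter(text: str) -> bytes:
    """Reject a malformed rule before it is wrapped as HW-Data-Filter (26-82)."""
    parse_data_filter(text)
    return encode_vsa(HW_DATA_FILTER, text.encode("ascii"))


if __name__ == "__main__":
    # Constructed sample, taken from the example rule given in Table 1-5.
    rule = "acl 10006 dest-ip 11.11.11.2 dest-ipmask 32 udp-dstport 5070 deny"
    attr = build_data_filter(rule)
    print(attr.hex())
    print(decode_vsa(attr))
    print(parse_data_filter(rule))
```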


RADIUS Attributes Available in Packets


Different RADIUS packets carry different RADIUS attributes:
- For the RADIUS attributes available in authentication packets, see Table 1-6.
- For the RADIUS attributes available in accounting packets, see Table 1-7.
- For the RADIUS attributes available in authorization packets, see Table 1-8.

NOTE
- 1: indicates that the attribute must appear once in the packet.
- 0: indicates that the attribute cannot appear in the packet (it will be discarded if it is contained).
- 0-1: indicates that the attribute can appear once or does not appear in the packet.
- 0+: indicates that the attribute may appear multiple times or does not appear in the packet.

Table 1-6 RADIUS attributes available in authentication packets

Attribute No. Access-Request Access-Accept Access-Reject Access-Challenge

User-Name(1) 1 0 0 0

User-Password(2) 0-1 0 0 0

Chap-Password(3) 0-1 0 0 0

NAS-IP-Address(4) 1 0 0 0

NAS-Port(5) 1 0 0 0

Service-Type(6) 1 0-1 0 0

Framed-Protocol(7) 1 0-1 0 0

Framed-IP-Address(8) 0-1 0 0 0

Filter-Id(11) 0 0-1 0 0

Framed-MTU(12) 0-1 0 0 0

Login-IP-Host(14) 0-1 0-1 0 0

Login-Service(15) 0 0-1 0 0

Reply-Message(18) 0 0-1 0-1 0

Callback-Number(19) 0 0-1 0 0

State(24) 0-1 0-1 0 0-1

Class(25) 0 0-1 0 0

Session-Timeout(27) 0 0-1 0 0-1

Idle-Timeout(28) 0 0-1 0 0

Termination-Action(29) 0 0-1 0 0-1


Called_Station_Id(30) 0-1 0 0 0

Calling-Station-Id(31) 1 0 0 0

NAS-Identifier(32) 1 0 0 0

Acct-session-id(44) 1 0 0 0

CHAP_Challenge(60) 0-1 0 0 0

NAS-Port-Type(61) 1 0 0 0

Tunnel-Type(64) 0 0-1 0 0

Tunnel-Medium-Type(65) 0 0-1 0 0

EAP-Message(79) 0-1 0-1 0-1 0-1

Message-Authenticator(80) 0-1 0-1 0-1 0-1

Tunnel-Private-Group-ID(81) 0 0-1 0 0

Acct_Interim_Interval(85) 0 0-1 0 0

NAS-Port-Id(87) 1 0 0 0

Framed-Pool(88) 0 1 0 0

NAS-IPv6-Address(95) 0-1 0 0 0

HW-Input-Peak-Information-Rate(26-1) 0 0-1 0 0

HW-Input-Committed-Information-Rate(26-2) 0 0-1 0 0

HW-Input-Committed-Burst-Size(26-3) 0 0-1 0 0

HW-Output-Peak-Information-Rate(26-4) 0 0-1 0 0

HW-Output-Committed-Information-Rate(26-5) 0 0-1 0 0

HW-Output-Committed-Burst-Size(26-6) 0 0-1 0 0

HW-Priority(26-22) 0 0-1 0 0

HW_ConnectID(26-26) 1 0 0 0

HW-FTP-Directory(26-28) 0 0-1 0 0

HW-Exec-Privilege(26-29) 0 0-1 0 0


HW-Startup-Time-Stamp(26-59) 1 0 0 0

HW-IP-Host-Address(26-60) 1 0 0 0

HW-Up-Priority(26-61) 0 0-1 0 0

HW-Down-Priority(26-62) 0 0-1 0 0

HW-Input-Peak-Burst-Size(26-77) 0 0-1 0 0

HW-Output-Peak-Burst-Size(26-78) 0 0-1 0 0

HW-Data-Filter(26-82) 0 0-1 0 0

HW-Primary-DNS(26-135) 0 1 0 0

HW-Secondary-DNS(26-136) 0 1 0 0

HW_Web_Proxy_Name(26-143) 0 0-1 0 0

HW_Port_Forward_Name(26-144) 0 0-1 0 0

HW_IP_Forwarding_Name(26-145) 0 0-1 0 0

HW-Version(26-254) 1 0 0 0

HW-Product-ID(26-255) 1 0 0 0

Table 1-7 RADIUS attributes available in accounting packets

Attribute No. Accounting-Request(Start) Accounting-Request(Interim-Update) Accounting-Request(Stop) Accounting-Response(Start) Accounting-Response(Interim-Update) Accounting-Response(Stop)

User-Name(1) 1 1 1 0 0 0

NAS-IP-Address(4) 1 1 1 0 0 0

NAS-Port(5) 1 1 1 0 0 0


Service-Type(6) 1 1 1 0 0 0

Framed-Protocol(7) 1 1 1 0 0 0

Framed-IP-Address(8) 1 1 1 0 0 0

Class(25) 0-1 0-1 0-1 0 0 0

Session-Timeout(27) 0 0 0 0-1 0-1 0

Called-Station-Id(30) 1 1 1 0 0 0

Calling-Station-Id(31) 1 1 1 0 0 0

NAS-Identifier(32) 1 1 1 0 0 0

Acct-Status-Type(40) 1 1 1 0 0 0

Acct-Delay-Time(41) 0 1 1 0 0 0

Acct-Session-Id(44) 1 1 1 0 0 0

Acct-Authentic(45) 1 1 1 0 0 0

Acct-Session-Time(46) 0 1 1 0 0 0

Acct-Terminate-Cause(49) 0 0 1 0 0 0

Event-Timestamp(55) 1 1 1 0 0 0

NAS-Port-Type(61) 1 1 1 0 0 0

NAS-Port-Id(87) 1 1 1 0 0 0

NAS-IPv6-Address(95) 0-1 0-1 0-1 0 0 0

HW_ConnectID(26-26) 1 1 1 0 0 0

HW-IP-Host-Address(26-60) 1 1 1 0 0 0


Table 1-8 RADIUS attributes available in COA/DM packets

Attribute No. COA-REQUEST COA-ACK COA-NAK DM-REQUEST DM-ACK DM-NAK

User-Name(1) 0-1 0-1 0-1 0-1 0-1 0-1

NAS-IP-Address(4) 0-1 0-1 0-1 0-1 0-1 0-1

NAS-Port(5) 0-1 0-1 0-1 0-1 0-1 0-1

Framed-IP-Address(8) 0-1 0-1 0-1 0-1 0-1 0-1

Filter-Id(11) 0-1 0 0 0 0 0

Session-Timeout(27) 0-1 0 0 0 0 0

Calling-Station-Id(31) 0-1 0-1 0-1 0-1 0-1 0-1

NAS-Identifier(32) 0-1 0-1 0-1 0-1 0-1 0-1

Acct-Session-Id(44) 1 1 1 1 1 1

Acct_Interim_Interval(85) 0-1 0 0 0 0 0

HW-Input-Peak-Information-Rate(26-1) 0-1 0 0 0 0 0

HW-Input-Committed-Information-Rate(26-2) 0-1 0 0 0 0 0

HW-Output-Peak-Information-Rate(26-4) 0-1 0 0 0 0 0

HW-Output-Committed-Information-Rate(26-5) 0-1 0 0 0 0 0

HW-Priority(26-22) 0-1 0 0 0 0 0

HW-Up-Priority(26-61) 0-1 0 0 0 0 0

HW-Down-Priority(26-62) 0-1 0 0 0 0 0

HW-Data-Filter(26-82) 0-1 0 0 0 0 0

1.2.3 HWTACACS Protocol

1.2.3.1 HWTACACS Protocol Overview


HWTACACS is an enhancement to TACACS (RFC 1492). Similar to RADIUS, HWTACACS uses the client/server model to implement communication between the NAS and HWTACACS servers.
HWTACACS is used to perform authentication, authorization, and accounting for the users accessing the Internet through Point-to-Point Protocol (PPP) or Virtual Private Dial-up Network (VPDN) and for management users. For example, an HWTACACS server can be configured to perform authentication, authorization, and accounting for the management users logging in to the device. The device functions as the HWTACACS client and sends the user names and passwords to the HWTACACS server. The authorized users can log in to the device and perform operations.
Both HWTACACS and RADIUS can implement authentication, authorization, and accounting. They are similar in the following aspects:
- Client/server model
- Using a public key to encrypt user information
- Good flexibility and extensibility
Compared with RADIUS, HWTACACS is more reliable in transmission and encryption, and is more suitable for security control. Table 1-9 lists the differences between HWTACACS and RADIUS.

Table 1-9 Comparisons between HWTACACS and RADIUS

HWTACACS: Transmits data through TCP, which is more reliable.
RADIUS: Transmits data through UDP, which is more efficient.

HWTACACS: Encrypts the entire packet except for the standard HWTACACS header.
RADIUS: Encrypts only the password field in the packet.

HWTACACS: Separates authentication from authorization so that authentication and authorization can be implemented on different security servers. For example, one HWTACACS server can perform authentication and another can perform authorization.
RADIUS: Combines authentication and authorization.

HWTACACS: Supports command line authorization. The command line use is restricted by command level and AAA. When a user enters a command, the command is executed only after being authorized by the HWTACACS server.
RADIUS: Does not support command line authorization. The commands that a user can use depend on the user level. A user can only use the commands of the same level as or a lower level than the user level.

HWTACACS: Applies to security control.
RADIUS: Applies to accounting.

1.2.3.2 HWTACACS Packet Overview

Unlike RADIUS packets, which all use the same format, HWTACACS packets use different formats: the HWTACACS Authentication, Authorization, and Accounting packets each have their own format and share only the HWTACACS packet header.

HWTACACS Packet Header


All HWTACACS packets have a 12-byte packet header, as shown in Figure 1-7.

Figure 1-7 HWTACACS packet header (bit positions 0, 4, 7, 15, 24, 31): major version | minor version | type | seq_no | flags; session_id; length

Table 1-10 Fields in HWTACACS packet header

Field Description

major version Major version of the HWTACACS protocol. The current version is 0xc.

minor version Minor version of the HWTACACS protocol. The current version is 0x0.

type HWTACACS protocol packet type, including authentication (0x01), authorization (0x02), and accounting (0x03).

seq_no Packet sequence number in a session, ranging from 1 to 254.

flags Encryption flag on the packet body. Only the first bit among the 8 bits is supported. The value 0 indicates that the packet body is encrypted, and the value 1 indicates that the packet body is not encrypted.

session_id Session ID, which is the unique identifier of a session.

length Length of the HWTACACS packet body, excluding the packet header.

HWTACACS Authentication Packet Format


HWTACACS authentication packets include:


- Authentication Start: When an authentication starts, the client sends this packet carrying the authentication type, user name, and authentication data to the server.
- Authentication Continue: When receiving the Authentication Response packet from the server, the client returns this packet if the authentication process is not ended.
- Authentication Reply: When the server receives the Authentication Start or Authentication Continue packet from the client, the server sends this packet to the client to notify the client of the current authentication status.

The HWTACACS authentication packets have different formats.

- Figure 1-8 shows the format of HWTACACS Authentication Start packets.

Figure 1-8 HWTACACS Authentication Start packet format (bit positions 0, 7, 15, 24, 31): action | priv_lvl | authen_type | service; user len | port len | rem_addr len | data len; user...; port...; rem_addr...; data...

Table 1-11 Fields in HWTACACS Authentication Start packet

Field Description

action Authentication action. Only the login authentication (0x01) action is supported.

priv_lvl User privilege level.

authen_type Authentication type, including:
- CHAP (0x03)
- PAP (0x02)
- ASCII (0x01)

service Type of the service requesting authentication. The PPP (0x03), LOGIN (0x01), and NONE (0x00) types are available, corresponding to PPP users, administrators, and other users.

user len Length of the user name entered by a login user.

port len Length of the port field.

rem_addr len Length of the rem_addr field.

data len Authentication data length.

user Name of the user requesting authentication. The maximum length is 129.

port Name of the user interface requesting authentication. The maximum length is 47.
- For management users, this field indicates the user terminal interface, for example, console0 and vty1. For example, the authen_type of Telnet users is ASCII, service is LOGIN, and port is vtyx.
- For other users, this field indicates the user access interface.

rem_addr IP address of the login user.

data Authentication data. Different data is encapsulated depending on the values of action and authen_type. For example, when PAP authentication is used, the value of this field is the PAP plain-text password.

- Figure 1-9 shows the format of HWTACACS Authentication Continue packets.

Figure 1-9 HWTACACS Authentication Continue packet format (bit positions 0, 7, 15, 31): user_msg len | data len; flags | user_msg...; data...

Table 1-12 Fields in HWTACACS Authentication Continue packet

Field Description

user_msg len Length of the character string entered by a login user.

data len Authentication data length.

flags Authentication continue flag. The value 0 indicates that the authentication continues, and the value 1 indicates that the authentication has ended.

user_msg Character string entered by the login user. This field carries the user login password to respond to the server_msg field in the Authentication Response packet.

data Authentication data. Different data is encapsulated depending on the values of action and authen_type. For example, when PAP authentication is used, the value of this field is the PAP cipher-text password.

- Figure 1-10 shows the format of HWTACACS Authentication Response packets.

Figure 1-10 HWTACACS Authentication Response packet format (bit positions 0, 7, 15, 31): status | flags | server_msg len; data len | server_msg...; data...

Table 1-13 Fields in HWTACACS Authentication Response packet

Field Description

status Authentication status, including:
- PASS (0x01): Authentication is successful.
- FAIL (0x02): Authentication fails.
- GETDATA (0x03): Request user information.
- GETUSER (0x04): Request user name.
- GETPASS (0x05): Request password.
- RESTART (0x06): Request reauthentication.
- ERROR (0x07): An error occurs when the server receives authentication packets.
- FOLLOW (0x21): The server requests reauthentication.

flags Whether the client displays the password entered by the user in plain text. The value 1 indicates that the password is not displayed in plain text.

server_msg len Length of the server_msg field.

data len Authentication data length.

server_msg Optional field. This field is sent by the server to the user to provide additional information.

data Authentication data, providing information to the client.

HWTACACS Authorization Packet Format


HWTACACS authorization packets include:
- Authorization Request: HWTACACS separates authentication from authorization. Therefore, a user can be authenticated by HWTACACS and authorized using another protocol. If a user is authenticated by HWTACACS, the client sends an Authorization Request packet carrying authorization information to the server.
- Authorization Response: After receiving the Authorization Request packet, the server sends this packet carrying the authorization result to the client.

The HWTACACS authorization packets have different formats.


- Figure 1-11 shows the format of HWTACACS Authorization Request packets.

Figure 1-11 HWTACACS Authorization Request packet format (bit positions 0, 7, 15, 24, 31): authen_method | priv_lvl | authen_type | authen_service; user len | port len | rem_addr len | arg_cnt; arg1 len | arg2 len | ... | argN len; user...; port...; rem_addr...; arg1...; arg2...; ...; argN...

NOTE

The meanings of the priv_lvl, authen_type, authen_service, user len, port len, rem_addr len, port,
and rem_addr fields in the Authorization Request packet are the same as those in the Authentication
Start packet, and are not provided here.

Table 1-14 Fields in HWTACACS Authorization Request packet

Field Description

authen_method Authentication method, including:
- No authentication method configured (0x00)
- None authentication (0x01)
- Local authentication (0x05)
- HWTACACS authentication (0x06)
- RADIUS authentication (0x10)

authen_service Type of the service requesting authentication. The PPP (0x03), LOGIN (0x01), and NONE (0x00) types are available, corresponding to PPP users, administrators, and other users.

arg_cnt Number of attributes carried in the Authorization Request packet.

argN Attribute of the Authorization Request packet, including:
- cmd: the first keyword of the command line to be authorized.
- cmd-arg: parameter in the command line to be authorized. The cmd-arg=<cr> is added at the end of the command line.

- Figure 1-12 shows the format of HWTACACS Authorization Response packets.


NOTE

The meanings of the server_msg len, data len, and server_msg fields are the same as those in
HWTACACS Authentication Response packet, and are not provided here.

Figure 1-12 HWTACACS Authorization Response packet format (bit positions 0, 7, 15, 24, 31): status | arg_cnt | server_msg len; data len | arg1 len | arg2 len; ... | argN len | server_msg...; data...; arg1...; arg2...; ...; argN...

Table 1-15 Fields in HWTACACS Authorization Response packet


Field Description

status Authorization status, including:
- Authorization is successful (0x01)
- The attributes in the Authorization Request packet are modified by the TACACS server (0x02)
- Authorization fails (0x10)
- An error occurs on the authorization server (0x11)
- An authorization server is respecified (0x21)

arg_cnt Number of attributes carried in the Authorization Response packet.

argN Authorization attribute delivered by the HWTACACS authorization server.

HWTACACS Accounting Packet Format


HWTACACS accounting packets include:
- Accounting Request: This packet contains authorization information.
- Accounting Response: After receiving and recording an Accounting Request packet, the server returns this packet.

The HWTACACS accounting packets have different formats.


- Figure 1-13 shows the format of HWTACACS Accounting Request packets.

Figure 1-13 HWTACACS Accounting Request packet format (bit positions 0, 7, 15, 24, 31): flags | authen_method | priv_lvl | authen_type; authen_service | user len | port len | rem_addr len; arg_cnt | arg1 len | arg2 len | ...; argN len | user...; port...; rem_addr...; arg1...; arg2...; ...; argN...

NOTE

The meanings of the authen_method, priv_lvl, authen_type, user len, port len, rem_addr len, port,
and rem_addr fields in the Accounting Request packet are the same as those in the Authorization
Request packet, and are not provided here.

Table 1-16 Fields in HWTACACS Accounting Request packet

Field Description

flags Accounting type:
- Start accounting (0x02)
- Stop accounting (0x04)
- Interim accounting (0x08)

authen_service Type of the service requesting authentication. The PPP (0x03), LOGIN (0x01), and NONE (0x00) types are available, corresponding to PPP users, administrators, and other users.

arg_cnt Number of attributes carried in the Accounting Request packet.

argN Attribute of the Accounting Request packet.

- Figure 1-14 shows the format of HWTACACS Accounting Response packets.

Figure 1-14 HWTACACS Accounting Response packet format (bit positions 0, 7, 15, 31): server_msg len | data len; status | server_msg...; data...

Table 1-17 Fields in HWTACACS Accounting Response packet

Field Description

server_msg len Length of the server_msg field.

data len Length of the data field.

status Accounting status:
- Accounting is successful (0x01)
- Accounting fails (0x02)
- No response (0x03)

server_msg Information sent by the accounting server to the client.

data Information sent by the accounting server to the administrator.

1.2.3.3 HWTACACS Interaction Process

This section describes how HWTACACS performs authentication, authorization, and accounting for Telnet users. Figure 1-15 shows the message exchange process.


Figure 1-15 HWTACACS message interaction (sequence diagram between the user, the HWTACACS client, and the HWTACACS server): a user logs in; Authentication Start; Authentication Response, requesting the user name; the user name is requested and entered; Authentication Continue carrying the user name; Authentication Response, requesting the password; the password is requested and entered; Authentication Continue carrying the password; Authentication Response, successful authentication; Authorization Request; Authorization Response, successful authorization; the user logs in successfully; Accounting Start; Accounting Start Response; the user logs out; Accounting Stop; Accounting Stop Response.

The HWTACACS message exchange process is as follows:

1. A Telnet user sends a request packet.
2. The HWTACACS client sends an Authentication Start packet to the HWTACACS server after receiving the request packet.
3. The HWTACACS server sends an Authentication Reply packet to request the user name.
4. The HWTACACS client sends a packet to query the user name after receiving the Authentication Reply packet.
5. The user enters the user name.


6. The HWTACACS client sends an Authentication Continue packet containing the user name
to the HWTACACS server.
7. The HWTACACS server sends an Authentication Reply packet to request the password.
8. The HWTACACS client queries the password after receiving the Authentication Reply
packet.
9. The user enters the password.
10. The HWTACACS client sends an Authentication Continue packet containing the password
to the HWTACACS server.
11. The HWTACACS server sends an Authentication Reply packet, indicating that the user
has been authenticated.
12. The HWTACACS client sends an Authorization Request packet to the HWTACACS
server.
13. The HWTACACS server sends an Authorization Response packet, indicating that the user
is authorized.
14. The HWTACACS client receives the Authorization Response packet and displays the login
page.
15. The HWTACACS client sends an Accounting Request (start) packet to the HWTACACS
server.
16. The HWTACACS server sends an Accounting Response packet.
17. The user requests to go offline.
18. The HWTACACS client sends an Accounting Request (stop) packet to the HWTACACS
server.
19. The HWTACACS server sends an Accounting Response packet.
NOTE

Both the HWTACACS protocol and TACACS+ protocol of other vendors can implement authentication,
authorization, and accounting. Their authentication procedures and implementations are the same, so the
HWTACACS protocol is completely compatible with the TACACS+ protocol.
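The following Python, added here and not taken from the Huawei guide, builds the 12-byte header of Table 1-10, the Authentication Start body of Table 1-11 for the Telnet login described above (authen_type ASCII, service LOGIN, port vtyx), parses an Authentication Response (Table 1-13), and shows on the wire what "encrypts the entire packet except for the header" means. Because the page states that HWTACACS is compatible with TACACS+, the body obfuscation follows the TACACS+ MD5 pseudo-pad of RFC 8907; that choice, the shared key, and all sample values are assumptions.

```python
"""HWTACACS header (Table 1-10), Authentication Start body (Table 1-11),
Authentication Response parsing (Table 1-13) and body obfuscation.

Added example, not code from the Huawei guide. Assumption: the body is
obfuscated with the TACACS+ MD5 pseudo-pad (RFC 8907 section 4.5), relying on
the page's statement that HWTACACS is compatible with TACACS+."""
import hashlib
import struct

TYPE_AUTHEN, TYPE_AUTHOR, TYPE_ACCT = 0x01, 0x02, 0x03  # packet types, Table 1-10
FLAG_UNENCRYPTED = 0x01     # flags bit: 0 = body encrypted, 1 = body in clear
HEADER_LEN = 12
HEADER_FMT = "!BBBBII"      # version, type, seq_no, flags, session_id, length
VERSION = (0xC << 4) | 0x0  # major version 0xc in the high nibble, minor 0x0


def pack_header(ptype: int, seq_no: int, session_id: int, body_len: int,
                encrypted: bool = True) -> bytes:
    """Build the 12-byte header; seq_no must stay within 1..254 (Table 1-10)."""
    if not 1 <= seq_no <= 254:
        raise ValueError("seq_no out of range 1-254")
    flags = 0 if encrypted else FLAG_UNENCRYPTED
    return struct.pack(HEADER_FMT, VERSION, ptype, seq_no, flags, session_id, body_len)


def unpack_header(raw: bytes) -> dict:
    """Split a header into its fields; 'length' is the body length only."""
    if len(raw) < HEADER_LEN:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, raw[:HEADER_LEN])
    return {"major": version >> 4, "minor": version & 0xF, "type": ptype,
            "seq_no": seq_no, "encrypted": not (flags & FLAG_UNENCRYPTED),
            "session_id": session_id, "length": length}


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 chain: pad_1 = MD5(session_id|key|version|seq_no), pad_n = MD5(...|pad_n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(seed + prev).digest()
        out += prev
    return out[:length]


def obfuscate(header: bytes, body: bytes, key: bytes) -> bytes:
    """XOR the body with the pad derived from the clear header; calling it again reverses it."""
    h = unpack_header(header)
    if not h["encrypted"]:          # flags bit set: body is sent as-is
        return body
    pad = pseudo_pad(h["session_id"], key, header[0], h["seq_no"], len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def pack_authen_start(user: str, port: str, rem_addr: str, data: bytes,
                      action: int = 0x01, priv_lvl: int = 0,
                      authen_type: int = 0x01, service: int = 0x01) -> bytes:
    """Table 1-11 layout: eight one-byte fields, then user, port, rem_addr, data."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    if len(u) > 129 or len(p) > 47:  # maximum lengths stated in Table 1-11
        raise ValueError("user or port field too long")
    return struct.pack("!BBBBBBBB", action, priv_lvl, authen_type, service,
                       len(u), len(p), len(r), len(data)) + u + p + r + data


def unpack_authen_reply(body: bytes) -> dict:
    """Table 1-13: status, flags, server_msg len, data len, server_msg, data."""
    if len(body) < 6:
        raise ValueError("short reply body")
    status, flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if len(body) != 6 + msg_len + data_len:
        raise ValueError("reply length mismatch")
    return {"status": status, "no_echo": bool(flags & 0x01),
            "server_msg": body[6:6 + msg_len].decode(), "data": body[6 + msg_len:]}


def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes, key: bytes) -> bytes:
    """Header in the clear, body obfuscated under the shared key."""
    header = pack_header(ptype, seq_no, session_id, len(body))
    return header + obfuscate(header, body, key)


if __name__ == "__main__":
    key = b"constructed-shared-key"   # constructed; never a real secret
    # Telnet login: ASCII authen_type, LOGIN service, vty port (constructed values)
    body = pack_authen_start("admin", "vty1", "192.0.2.10", b"")
    pkt = build_packet(TYPE_AUTHEN, 1, 0x1234ABCD, body, key)
    print(unpack_header(pkt))
    print(obfuscate(pkt[:HEADER_LEN], pkt[HEADER_LEN:], key) == body)
```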

1.2.3.4 HWTACACS Attributes


In the HWTACACS authorization or accounting packets, the argN field carries the information
exchanged between server and client.

HWTACACS Attributes
Table 1-18 describes the HWTACACS attributes supported by the device. The device cannot
parse the attributes not included in the table.

Table 1-18 Common HWTACACS attributes

Attribute Name Description

acl Authorization ACL ID.

addr User IP address.


autocmd Commands the system automatically executes after a user logs in.

bytes_in Number of bytes received by the device. K, M, and G indicate KByte, MByte, and GByte. No unit is displayed if Byte is used.

bytes_out Number of bytes sent by the device. K, M, and G indicate KByte, MByte, and GByte. No unit is displayed if Byte is used.

callback-line Information sent from the authentication server and to be displayed to a user, such as the mobile number.

cmd Commands executed by the shell. The maximum length is 251 characters. The complete command is encapsulated when the command is recorded, and the first keyword is encapsulated when the command is authorized.

cmd-arg Parameter in the command line to be authorized. The cmd-arg=<cr> is added at the end of the command line.

disc_cause Disconnection reason. Only accounting stop packets carry this attribute. The reasons include:
- A user requests to go offline (1)
- Data forwarding is interrupted (2)
- Service is interrupted (3)
- Idle cut (4)
- Session timeout (5)
- The administrator requests to go offline (7)
- The NAS is faulty (9)
- The NAS requests to go offline (10)
- The port is suspended (12)
- User information is incorrect (17)
- A host requests to go offline (18)


disc_cause_ext Extended disconnection reason. Only accounting stop packets carry this attribute. The reasons include:
- Unknown reason (1022)
- The EXEC terminal tears down the connection (1020)
- An online Telnet user forcibly disconnects this user (1022)
- The user cannot be switched to the SLIP/PPP client due to no remote IP address (1023)
- PPP PAP authentication fails (1042)
- PPP receives the Terminate packet from the remote end (1045)
- The upper-layer device requests the device to tear down the PPP connection (1046)
- PPP handshake fails (1063)
- Session times out (1100)

dnaverage Downstream average rate, in bit/s.

dnpeak Downstream peak rate, in bit/s.

dns-servers IP address of the primary DNS server.

elapsed_time Online duration, in seconds.

ftpdir Initial directory of an FTP user.

gw-password Tunnel password. The value is a string of 1 to 29 characters. If the value contains more than 29 characters, only the first 29 characters are valid.

idletime Idle session timeout period. If a user does not perform any operation within this period, the system disconnects the user.

ip-addresses LNS IP address. A maximum of 8 LNS IP addresses are supported. The excess
IP addresses are ignored. The IP addresses are separated by semicolons or
commas.

l2tp-hello- Interval for sending L2TP Hello packets. The device does not support this
interval attribute.

l2tp-hidden- The attribute value pair (AVP) of L2TP. The device does not support this
avp attribute.

l2tp- If no session exists within this period, the L2TP tunnel is torn down. The
nosession- device does not support this attribute.
timeout

l2tp-group- L2TP group number. Other L2TP attributes take effect only after this attribute
num is delivered. If this attribute is not delivered, other L2TP attributes are ignored.


l2tp-tos- TOS of L2TP. The device does not support this attribute.
reflect

l2tp-tunnel-authen Whether the L2TP tunnel is authenticated. The value 0 indicates no
authentication, and the value 1 indicates authentication.

l2tp-udp-checksum UDP packet checksum.

nocallback-verify No authentication is required for callback.

nohangup Whether the device automatically disconnects a user. The value is true or false.
This attribute is valid only after the autocmd attribute is configured. It decides
whether to disconnect a user who has executed the autocmd command. The
value true indicates not to disconnect and the value false indicates to
disconnect.

paks_in Number of packets received by the device.

paks_out Number of packets sent by the device.

priv-lvl User level.

protocol Protocol type. It is a sub-attribute of the service type and is valid only for the
PPP and connection services. The device supports four protocol types: pad, telnet,
ip, and vpdn.
l When the service type is connection, the protocol type can be pad or telnet.
l When the service type is ppp, the protocol type can be ip or vpdn.
l For other service types, this attribute is not used.

task_id Task ID. The task IDs recorded when a task starts and ends must be the same.

timezone Local time zone.

tunnel-id Local user name of the tunnel. The value is a string of 1 to 29 characters. If
the value contains more than 29 characters, only the first 29 characters are
valid.

tunnel-type Tunnel type. The device only supports the L2TP tunnel. The value of tunnel-
type is 3.

service Service type, accounting or authorization.

source-ip Local IP address of the tunnel.

upaverage Upstream average rate, in bit/s.

uppeak Upstream peak rate, in bit/s.


HWTACACS Attributes Available in Packets


Depending on packet types, HWTACACS authorization packets are classified into
Authorization Request packets and Authorization Response packets. Depending on use
scenarios, HWTACACS authorization packets are classified into EXEC user authorization
packets, command line authorization packets, and access user authorization packets. Different
authorization packets carry different attributes. For details, see Table 1-19.
l EXEC authorization: The HWTACACS server controls rights of the management users
logging in through Telnet, terminal, SSH, and FTP.
l Command line authorization: Each command line that a user executes is sent to the
HWTACACS server for authorization. Only authorized command lines are executed.
l Access user authorization: The HWTACACS server controls the rights of NAC users such
as 802.1x and Portal users.

Depending on packet types, HWTACACS accounting packets are classified into Accounting
Request packets and Accounting Response packets. Depending on connection types,
HWTACACS accounting packets are classified into network accounting packets, connection
accounting packets, EXEC accounting packets, system accounting packets, and command
accounting packets. Different accounting packets carry different attributes. For details, see Table
1-20.
l Network accounting: applicable to networks that PPP users access. When a PPP user
connects to the network, the device sends an accounting start packet to the server;
while the user is using network services, the device periodically sends interim
accounting packets; when the user goes offline, the device sends an accounting stop
packet.
l Connection accounting: applicable to users who, after logging in to the device, run
commands on the device to reach a remote server through Telnet or FTP, for example to
obtain files from that server. The device sends an accounting start packet when the user
connects to the remote server and an accounting stop packet when the user disconnects
from the remote server.
l EXEC accounting: applicable to users who log in to the device through Telnet or FTP.
When the user logs in, the device sends an accounting start packet to the server; while
the user is online, the device periodically sends interim accounting packets; when the
user logs out, the device sends an accounting stop packet.
l System accounting: applicable to fault diagnosis. The device reports system-level
events to the server so that administrators can monitor the device and locate network
faults from the server records.
l Command accounting: whenever an administrator runs a command on the device, the
device sends the command to the HWTACACS server in a command accounting stop packet
so that the server records the operations performed by the administrator.

NOTE
l Y: The packet supports this attribute.
l N: The packet does not support this attribute.


Table 1-19 HWTACACS attributes available in authorization packets

Attribute            Command Line     EXEC             Access User
                     Authorization    Authorization    Authorization
                     Packet           Response Packet  Response Packet

acl                  N                Y                N
addr                 N                N                Y
addr-pool            N                N                Y
autocmd              N                Y                N
callback-line        N                Y                Y
cmd                  Y                N                N
cmd-arg              Y                N                N
dnaverage            N                N                Y
dnpeak               N                N                Y
dns-servers          N                N                Y
ftpdir               N                Y                N
gw-password          N                N                Y
idletime             N                Y                N
ip-addresses         N                N                Y
l2tp-group-num       N                N                Y
l2tp-tunnel-authen   N                N                Y
nocallback-verify    N                Y                N
nohangup             N                Y                N
priv-lvl             N                Y                N
source-ip            N                N                Y
tunnel-type          N                N                Y
tunnel-id            N                N                Y
upaverage            N                N                Y


Table 1-20 HWTACACS attributes available in accounting packets

Column abbreviations: Net = network accounting packet, Conn = connection accounting
packet, EXEC = EXEC accounting packet, Sys = system accounting packet, Cmd = command
line accounting packet. Start, Stop, and Interim denote the accounting start, accounting
stop, and interim accounting packets.

Attribute        Net    Net    Net      Conn   Conn   EXEC   EXEC   EXEC     Sys    Cmd
                 Start  Stop   Interim  Start  Stop   Start  Stop   Interim  Stop   Stop

addr             Y      Y      Y        Y      Y      N      N      N        N      N
bytes_in         N      Y      Y        N      Y      N      Y      Y        N      N
bytes_out        N      Y      Y        N      Y      N      Y      Y        N      N
cmd              N      N      N        Y      Y      N      N      N        N      Y
disc_cause       N      Y      N        N      N      N      Y      Y        N      N
disc_cause_ext   N      Y      N        N      N      N      Y      Y        N      N
elapsed_time     N      Y      Y        N      Y      N      Y      Y        Y      N
paks_in          N      Y      Y        N      Y      N      Y      Y        N      N
paks_out         N      Y      Y        N      Y      N      Y      Y        N      N
priv-lvl         N      N      N        N      N      N      N      N        N      Y
protocol         Y      Y      Y        Y      Y      N      N      N        N      N
service          Y      Y      Y        Y      Y      Y      Y      Y        Y      Y
task_id          Y      Y      Y        Y      Y      Y      Y      Y        Y      Y
timezone         Y      Y      Y        Y      Y      Y      Y      Y        Y      Y
tunnel-id        N      N      N        N      N      N      N      N        N      N
tunnel-type      Y      N      N        N      N      N      N      N        N      N

1.2.4 Domain-based User Management


A domain is a group of users.
A NAS manages users based on domains. Each access user belongs to a domain that is
determined by the user name provided for login, as shown in Figure 1-16.


Figure 1-16 Using the user name to determine the domain (flowchart): the user enters
user-name@domain-name or user-name. The NAS checks whether the user name contains
domain-name. If it does, the NAS uses domain-name; if it does not, the NAS uses the
default domain.

The device has two default domains: default (global default domain for common access users)
and default_admin (global default domain for administrators). The two domains can be
modified but cannot be deleted. If the domain of an access user cannot be obtained, the default
domain is used.
l The default domain is used for access users such as NAC access users. By default, local
authentication is performed for users in this domain.
l The default_admin domain is used for administrators such as the administrators who log
in using HTTP, SSH, Telnet, FTP, and terminals. By default, local authentication is
performed for users in this domain.

NOTE

A user-defined domain can be configured as a global default domain for common access users and administrators.

The preconfigured authentication, authorization, and accounting schemes are applied in
the corresponding domain view to implement authentication, authorization, and accounting
for the users of that domain. AAA provides a default scheme consisting of local
authentication, local authorization, and local accounting. If no authentication,
authorization, or accounting scheme is applied in the domain of a user, the default scheme
is used.

Authorization information configured in a domain has a lower priority than authorization
information delivered by an AAA server. That is, the authorization information delivered
by the AAA server is used preferentially. When the AAA server delivers no authorization
information or does not support authorization, the authorization attributes configured in
the domain take effect. In this way you can extend services flexibly through domain
management, regardless of the authorization attributes provided by the AAA server.

1.3 Use Scenario


This section describes AAA use scenarios.


Deploying AAA for Internet Access Users

Figure 1-17 AAA deployment for Internet access users (figure): User, LAN Switch, and
Router on the enterprise network; the Router connects to the Internet and reaches two
AAA servers, one master and one backup.

As shown in Figure 1-17, an enterprise network connects to the Router through a LAN
switch. Users on the enterprise network need to connect to the Internet. To ensure
network security, the administrator controls the Internet access rights of the users.
The administrator configures AAA on the Router to allow the Router to communicate with the
AAA server. The AAA server then can manage users centrally. After a user enters the user name
and password on the client, the Router forwards the authentication information including user
name and password to the AAA server, and the AAA server authenticates the user. After being
successfully authenticated, the user can access the Internet. The AAA server also records the
network resource usage of the user.
Two AAA servers can be deployed in active/standby mode to improve reliability. When the
active server fails, the standby one takes over the AAA services, ensuring uninterrupted services.

Deploying AAA for Management Users


As shown in Figure 1-18, the management user (Admin) connects to the Router to manage,
configure, and maintain the Router.
After the management user logs in to the Router with AAA configured, the Router sends the
user name and password of the user to the AAA server. The AAA server then authenticates the
user and records the user operations.

Figure 1-18 AAA deployment for management users (figure): the management user (Admin)
reaches the Router over the network, and the Router consults the AAA server.


Deploying AAA for VPN Users


AAA is also applicable to VPN users. For example, AAA can provide authentication,
authorization, and accounting for PPP dial-up users in an L2TP VPN.

As shown in Figure 1-19, an enterprise has some branches located in other cities, and branches
use Ethernet networks. Users in a branch need to establish VPDN connections with the
headquarters. L2TP is deployed between the branch and the headquarters. The branch has no
dial-up network, and its gateway functions as a PPPoE server to allow PPP dial-up data to be
transmitted over the Ethernet. The branch gateway also functions as an L2TP access concentrator
(LAC) to establish L2TP tunnels with the headquarters. The gateway at the enterprise
headquarters is configured as an L2TP network server (LNS) to establish L2TP connections with
the branch.

The LNS needs to manage access users, so LNS must have AAA authentication configured to
communicate with the AAA server. When the LNS receives authentication information of dial-
up users, the LNS sends the authentication information to the AAA server, and the AAA server
centrally manages the users.

Figure 1-19 AAA deployment for VPN users (figure): in the branch, the PPP terminal (PPPoE
client) connects over PPPoE to the LAC (PPPoE server); an L2TP tunnel crosses the
Internet from the LAC to the LNS at the headquarters, and the AAA server is attached to
the LNS.

1.4 AAA Configuration Tasks


After AAA configuration is complete, the device authenticates users and authorizes users to use
particular services. In addition, the device also records the network resource usage of the user.

The device supports the combination of local, Remote Authentication Dial In User Service
(RADIUS), and Huawei Terminal Access Controller Access Control System (HWTACACS)
authentication, authorization, and accounting. For example, the device provides local
authentication, local authorization, and RADIUS accounting.

In practice, the schemes listed in Table 1-21 are used. Multiple authentication or
authorization modes can be combined in one scheme. For example, local authentication can
be configured as the backup of RADIUS authentication or HWTACACS authentication, and local
authorization as the backup of HWTACACS authorization.


Table 1-21 AAA configuration tasks

Configuration Task        Overview                                            Task

Local authentication      If users need to be authenticated or authorized     1.5.1 Configuring Local
and authorization         but no RADIUS server or HWTACACS server is          Authentication and
                          deployed on the network, use local authentication   Authorization
                          and authorization. Local authentication and
                          authorization are fast and cheap to operate, but
                          the amount of user information that can be stored
                          is limited by the device hardware capacity. They
                          are often used for administrators.

RADIUS authentication,    RADIUS protects a network from unauthorized         1.5.2 Configuring RADIUS AAA
authorization, and        access. It is often used on networks that demand
accounting                high security and remote user access control.

HWTACACS authentication,  HWTACACS protects a network from unauthorized       1.5.3 Configuring HWTACACS
authorization, and        access and supports command-line authorization.     AAA
accounting                Compared with RADIUS, HWTACACS is more reliable
                          in transmission and encryption, and is better
                          suited to security control.

1.5 Configuring AAA


This section describes the AAA configuration procedure.

1.5.1 Configuring Local Authentication and Authorization


After local authentication and authorization are configured, the device authenticates and
authorizes access users based on the local user information.

Local Authentication and Authorization


In local authentication and authorization, user information including the local user name,
password, and attributes is configured on the device. Local authentication and authorization
feature fast processing and low operation cost, whereas the amount of information that can be
stored is limited by the device hardware capacity.


Pre-configuration Tasks
Before configuring local authentication and authorization, complete the following task:

l Configuring physical attributes for interfaces to ensure that the physical layer status of the
interfaces is Up

1.5.1.1 Configuring AAA Schemes

Context
To use local authentication and authorization, set the authentication mode in an authentication
scheme to local authentication and the authorization mode in an authorization scheme to local
authorization.

By default, the device performs local authentication and authorization for access users.

Procedure
l Configuring an authentication scheme
1. Run:
system-view

The system view is displayed.


2. Run:
aaa

The AAA view is displayed.


3. Run:
authentication-scheme authentication-scheme-name

An authentication scheme is created and its view is displayed, or the view of an
existing authentication scheme is displayed.

By default, there is an authentication scheme named default on the device. This default
scheme can be modified but cannot be deleted.
4. Run:
authentication-mode local

The authentication mode is set to local authentication.

By default, local authentication is used.


5. (Optional) Run:
authentication-super { hwtacacs | super } * [ none ]

The authentication mode used to upgrade user levels is configured.


6. Run:
quit

The AAA view is displayed.


7. (Optional) Run:
domainname-parse-direction { left-to-right | right-to-left }


The direction in which the user name and domain name are parsed is configured.

By default, a domain name is parsed from left to right.


l Configuring an authorization scheme
1. Run:
system-view

The system view is displayed.


2. Run:
aaa

The AAA view is displayed.


3. Run:
authorization-scheme authorization-scheme-name

An authorization scheme is created and its view is displayed, or the view of an
existing authorization scheme is displayed.

By default, there is a default authorization scheme named default on the device. This
default authorization scheme can be modified but cannot be deleted.
4. Run:
authorization-mode local [ none ]

The authorization mode is configured.

By default, local authorization is used.


5. Run:
quit

The AAA view is displayed.


6. (Optional) Run:
authorization-modify mode { modify | overlay }

The update mode of the user authorization information delivered by the
authorization server is configured.

By default, the update mode of the user authorization information delivered by the
authorization server is overlay.

----End

1.5.1.2 Configuring a Local User

Context
When local authentication and authorization are configured, configure authentication and
authorization information on the device, including the user name, password, and user level.

NOTE

After you change the rights (including the password, access type, FTP directory, and level) of a local
account, the rights of users already online do not change. The change takes effect to users who go online
after the change.


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
local-user user-name password cipher password

A local user is created and the user password is configured.

NOTE

If the user name contains a domain name delimiter such as @, |, and %, the character string before the
delimiter is the user name and the character string behind the delimiter is the domain name. If the user
name does not contain a domain name delimiter, the entire character string is the user name and the domain
name is default.

Step 4 Run:
local-user user-name service-type { 8021x | bind | ftp | http | ppp | ssh | sslvpn
| telnet | terminal | web | x25-pad } *

The access type is configured for the local user.


By default, a local user can use any access type.
Step 5 (Optional) Run:
local-user user-name idle-timeout minutes [ seconds ]

The idle timeout interval is configured for the local user.


Step 6 (Optional) Run:
local-user user-name ftp-directory directory

The FTP directory is configured for the local user.


By default, the FTP directory of a local user is empty.

NOTE

When the device functions as an FTP server, you must configure the FTP directory that FTP users can access.
Otherwise, FTP users cannot access the device.

Step 7 (Optional) Configure the level of the local user or the group to which the local user belongs.
l Run the local-user user-name privilege level level command to configure the level of the
local user.
l Run the local-user user-name user-group group-name command to add the local user to the
specified user group.
Step 8 (Optional) Run:
local-user user-name state { active | block }

The state of the local user is configured.


By default, a local user is in active state.


The device processes requests from users in different states as follows:

l If a local user is in active state, the device accepts and processes the authentication request
from the user.
l If a local user is in block state, the device rejects the authentication request from the user.

Step 9 (Optional) Run:


local-user user-name access-limit max-number

The maximum number of connections that can be established by the local user is configured.

By default, the number of connections established by a user is not limited.

Step 10 (Optional) Run:


local-aaa-user wrong-password retry-interval retry-interval retry-time retry-time
block-time block-time

Local account locking is enabled and the retry interval, consecutive authentication failure counts,
and locking duration are set.

By default, local account locking is disabled.

Step 11 Run:
return

The user view is displayed.

Step 12 (Optional) Run:


local-user change-password

The password of the local user is changed.

----End

1.5.1.3 (Optional) Configuring a Service Scheme

Context
Access users must obtain authorization information before going online. Authorization
information about users can be managed by configuring a service scheme.

NOTE

In the service scheme, you only need to run the admin-user privilege level command to configure AAA.
Other commands need to be configured only when they are referenced by other features such as IPSec in
the service scheme.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa


The AAA view is displayed.

Step 3 Run:
service-scheme service-scheme-name

A service scheme is created and the service scheme view is displayed.

By default, no service scheme is configured on the device.

Step 4 Run:
admin-user privilege level level

The user is configured to log in to the device as the administrator and the administrator level for
login is specified.

level ranges from 0 to 15. By default, the user level is not configured.

Step 5 (Optional) Run:


dhcp-server group group-name

A Dynamic Host Configuration Protocol (DHCP) server group is configured.

By default, no DHCP server group is specified in a service scheme.

Step 6 (Optional) Run:


ip-pool pool-name [ move-to new-position ]

An IP address pool is configured in the service scheme or an existing IP address pool is moved.

By default, no IP address pool is set for a service scheme.

Step 7 (Optional) Run:


dns ip-address

The IP address of the primary DNS server is configured.

By default, no primary DNS server address is configured in a service scheme.

Step 8 (Optional) Run:


dns ip-address secondary

The IP address of the secondary DNS server is configured.

By default, no secondary DNS server address is configured in a service scheme.

Step 9 (Optional) Run:


auto-update url url-string version version-number

The URL and version number of the service scheme are configured.

By default, the URL and version number of a service scheme are not configured.

Step 10 (Optional) Run:


dns-name domain-name

The default DNS domain name is configured in the service scheme.

By default, no default DNS domain name is configured in a service scheme.

Step 11 (Optional) Run:


wins ip-address


The IP address of the primary WINS server is configured.

By default, no primary WINS server address is configured in a service scheme.

Step 12 (Optional) Run:


wins ip-address [ secondary ]

The IP address of the secondary WINS server is configured.

By default, no secondary WINS server address is configured in a service scheme.

----End

1.5.1.4 Configuring a Domain

Context
The created authentication and authorization schemes take effect only after being applied to a
domain. When local authentication and authorization are used, non-accounting is used by
default.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

A domain is created and the domain view is displayed, or an existing domain view is displayed.

The device has two default domains: default and default_admin. The default domain is used
by common access users and the default_admin domain is used by administrators.

Step 4 Run:
authentication-scheme authentication-scheme-name

An authentication scheme is applied to the domain.

By default, the authentication scheme named default is applied to a domain.

Step 5 Run:
authorization-scheme authorization-scheme-name

An authorization scheme is applied to the domain.

By default, no authorization scheme is applied to a domain.

Step 6 (Optional) Run:


user-group group-name


A user group is applied to the domain.

By default, no user group is applied to a domain.

Step 7 (Optional) Run:


service-scheme service-scheme-name

A service scheme is applied to the domain.

By default, no service scheme is applied to a domain.

Step 8 (Optional) Run:


state { active | block }

The domain state is configured.

When a domain is in block state, users in this domain cannot log in. By default, a domain
is in active state after being created.

Step 9 Run:
quit

Return to the AAA view.

Step 10 (Optional) Run:


domain-name-delimiter delimiter

A domain name delimiter is configured.

A domain name delimiter can be any of the following: \ / : < > | @ ' %.

The default domain name delimiter is @.

Step 11 Run:
quit

Return to the system view.

Step 12 (Optional) Run the following commands as required.


l Run:
interface wlan-ess wlan-ess-number

A WLAN-ESS interface is created and its view is displayed.


l Run:
interface wlan-bss wlan-bss-number

A WLAN-BSS interface is created and its view is displayed.


NOTE

This step is mandatory for wireless users.

Step 13 (Optional) Run:


force-domain domain-name

The forcible authentication domain is configured on an interface.

By default, no forcible authentication domain is configured on an interface.


NOTE

This step is applicable to only wireless users.

Step 14 (Optional) Run:


permit-domain domain-name &<1-4>

The permitted domain is configured for wireless users.

By default, no permitted domain is specified for wireless users.

NOTE

This step is applicable to only wireless users.

----End

1.5.1.5 Checking the Configuration

Procedure
l Run the display aaa configuration command to check the AAA summary.
l Run the display authentication-scheme [ authentication-scheme-name ] command to
check the authentication scheme configuration.
l Run the display authorization-scheme [ authorization-scheme-name ] command to check
the authorization scheme configuration.
l Run the display access-user [ domain domain-name | interface interface-type interface-
number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-address [ vpn-instance vpn-
instance-name ] | mac-address mac-address | slot slot-id | ssid ssid-name | user-id user-
number ] command to check the summary of all online users.
l Run the display domain [ name domain-name ] command to check the domain
configuration.
l Run the display local-user [ domain domain-name | state { active | block } | username
username ] * command to check the brief information about local users.

----End
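The following complete configuration, added here as a worked example and not taken from the original guide, walks through 1.5.1.1 to 1.5.1.5 for a single administrator account that logs in over SSH and FTP. The scheme names (local-auth, local-author, admin-svc), the user name netadmin, its password, the FTP directory, and all numeric values are assumptions chosen for illustration; the view prompts are the ones the device displays for each view. The account locking parameters are given in the units defined by the command reference.

```text
# Added example: local authentication and authorization for an SSH/FTP administrator.
# Names, password and numeric values are assumptions, not values from the guide.
<Huawei> system-view
[Huawei] aaa
# 1.5.1.1 Schemes. Local authentication and authorization are configured explicitly,
# without the "none" fallback, so an unknown or wrong password is rejected.
[Huawei-aaa] authentication-scheme local-auth
[Huawei-aaa-authen-local-auth] authentication-mode local
[Huawei-aaa-authen-local-auth] quit
[Huawei-aaa] authorization-scheme local-author
[Huawei-aaa-author-local-author] authorization-mode local
[Huawei-aaa-author-local-author] quit
# 1.5.1.2 Local user. The default access type is "any", so the access types are
# restricted to what this account actually needs. The FTP directory must be set or
# FTP logins fail, and the number of concurrent sessions is capped.
[Huawei-aaa] local-user netadmin password cipher Net4dm1n-Ex4mple
[Huawei-aaa] local-user netadmin service-type ssh ftp
[Huawei-aaa] local-user netadmin privilege level 15
[Huawei-aaa] local-user netadmin ftp-directory flash:/
[Huawei-aaa] local-user netadmin idle-timeout 10 0
[Huawei-aaa] local-user netadmin access-limit 2
# Lock a local account after 3 consecutive wrong passwords within one retry interval.
# (Locking is off by default; values are assumptions in the command reference's units.)
[Huawei-aaa] local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 30
# 1.5.1.3 Optional service scheme carrying the administrator level.
[Huawei-aaa] service-scheme admin-svc
[Huawei-aaa-service-admin-svc] admin-user privilege level 15
[Huawei-aaa-service-admin-svc] quit
# 1.5.1.4 Apply the schemes to the administrator default domain; the schemes do
# nothing until they are referenced from a domain.
[Huawei-aaa] domain default_admin
[Huawei-aaa-domain-default_admin] authentication-scheme local-auth
[Huawei-aaa-domain-default_admin] authorization-scheme local-author
[Huawei-aaa-domain-default_admin] service-scheme admin-svc
[Huawei-aaa-domain-default_admin] quit
[Huawei-aaa] quit
# 1.5.1.5 Verify what was configured.
[Huawei] display authentication-scheme local-auth
[Huawei] display authorization-scheme local-author
[Huawei] display local-user username netadmin
[Huawei] display domain name default_admin
```

Because a user name without a delimiter lands in the default domain for access users and administrators are mapped to default_admin, the administrator logs in simply as netadmin; a login attempt as netadmin@other-domain would be resolved against that other domain instead, which is why the domain state and the per-domain schemes should be reviewed with display domain after any change.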

1.5.2 Configuring RADIUS AAA


RADIUS is often used to implement authentication, authorization, and accounting (AAA).

RADIUS Authentication, Authorization, and Accounting


RADIUS uses the client/server model and protects a network from unauthorized access. It is
often used in network environments that require high security and control remote user access.

Pre-configuration Tasks
Before configuring RADIUS AAA, complete the following task:

l Configuring physical attributes for interfaces to ensure that the physical layer status of the
interfaces is Up


1.5.2.1 Configuring AAA Schemes

Context
To use RADIUS AAA, set the authentication mode in an authentication scheme to RADIUS and
the accounting mode in an accounting scheme to RADIUS.

If RADIUS authentication is configured, you can also configure local authentication or non-
authentication as the backup. This allows local authentication or non-authentication to be
implemented if RADIUS authentication fails.

Procedure
l Configuring an authentication scheme
1. Run:
system-view

The system view is displayed.


2. Run:
aaa

The AAA view is displayed.


3. Run:
authentication-scheme authentication-scheme-name

Create an authentication scheme and enter its view, or directly enter the view of an
existing authentication scheme.

By default, there is an authentication scheme named default on the device. The default
authentication scheme can only be modified, but cannot be deleted.
4. Run:
authentication-mode radius

RADIUS authentication is configured.

By default, local authentication is used.

To use local authentication as the backup authentication mode, run the
authentication-mode radius local command.

NOTE
If multiple authentication modes are configured in an authentication scheme, they are
tried in the order in which they were configured. The device moves on to the next mode
only when it receives no response from the current mode. If the current mode returns an
authentication failure (for example, the RADIUS server rejects the user), the device
stops the authentication and does not try the remaining modes.
5. (Optional) Run:
authentication-super { hwtacacs | super } * [ none ]

The authentication mode used to upgrade user levels is configured.


6. Run:
quit


Return to the AAA view.


7. (Optional) Run:
domainname-parse-direction { left-to-right | right-to-left }

The direction in which the user name and domain name are parsed is configured.
l Configuring an accounting scheme
1. Run:
system-view

The system view is displayed.


2. Run:
aaa

The AAA view is displayed.


3. Run:
accounting-scheme accounting-scheme-name

An accounting scheme is created and the accounting scheme view is displayed.

There is a default accounting scheme named default on the device. The default
accounting scheme can only be modified, but cannot be deleted.
4. Run:
accounting-mode radius

The accounting mode is configured.

By default, the accounting mode is none.


5. (Optional) Run:
accounting start-fail { online | offline }

A policy for accounting-start failures is configured.

By default, users cannot go online if accounting-start fails.


6. (Optional) Run:
accounting realtime interval

Real-time accounting is enabled and the interval for real-time accounting is set.

By default, the device performs accounting based on user online duration, the real-
time accounting function is disabled, and the interval for real-time accounting is not
set.
7. (Optional) Run:
accounting interim-fail [ max-times times ] { online | offline }

The maximum number of real-time accounting requests is set and a policy used after
a real-time accounting failure is configured.

After real-time accounting is enabled, the maximum number of real-time accounting
requests is 3 and the device keeps paid users online after a real-time accounting failure
by default.

----End

1.5.2.2 Configuring a RADIUS Server Template

Context
In a RADIUS server template, you must specify the IP address, port number, and shared key of
a specified RADIUS server. Other settings such as the RADIUS user name format, traffic unit,
and number of times RADIUS request packets are retransmitted have default values and can be
changed based on network requirements.
The RADIUS server template settings such as the RADIUS user name format and shared key
must be the same as those on the RADIUS server.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
radius-server template template-name

The RADIUS server template view is displayed.


Step 3 Run:
radius-server authentication ip-address port [ vpn-instance vpn-instance-name |
source { loopback interface-number | ip-address ip-address } ] * or radius-server
authentication ipv6-address port [ source { loopback interface-number | ip-address
ipv6-address } ]

The primary RADIUS authentication server is configured.


By default, no primary RADIUS authentication server is configured.
Step 4 (Optional) Run:
radius-server authentication ip-address port [ vpn-instance vpn-instance-name |
source { loopback interface-number | ip-address ip-address } ] * secondary or
radius-server authentication ipv6-address port [ source { loopback interface-
number | ip-address ipv6-address } ] secondary

The secondary RADIUS authentication server is configured.


By default, no secondary RADIUS authentication server is configured.
Step 5 Run:
radius-server accounting ip-address port [ vpn-instance vpn-instance-name | source
{ loopback interface-number | ip-address ip-address } ] * or radius-server
accounting ipv6-address port [ source { loopback interface-number | ip-address ipv6-
address } ]

The primary RADIUS accounting server is configured.


By default, no primary RADIUS accounting server is configured.
Step 6 (Optional) Run:
radius-server accounting ip-address port [ vpn-instance vpn-instance-name | source
{ loopback interface-number | ip-address ip-address } ] * secondary or radius-
server accounting ipv6-address port [ source { loopback interface-number | ip-
address ipv6-address } ] secondary

The secondary RADIUS accounting server is configured.


By default, no secondary RADIUS accounting server is configured.
Step 7 Run:
radius-server shared-key [ cipher | simple ] key-string

The RADIUS shared key is set.


By default, the RADIUS shared key is huawei and the password is in plain text.
Step 8 (Optional) Run:
radius-server user-name domain-included

The RADIUS user name format is configured.


By default, the device encapsulates the domain name in the user name when sending RADIUS
packets to a RADIUS server.
If the RADIUS server does not accept the user name with the domain name, run the undo radius-
server user-name domain-included command to delete the domain name from the user name.
Step 9 (Optional) Run:
radius-server traffic-unit { byte | kbyte | mbyte | gbyte }

The RADIUS traffic unit is set.


The default RADIUS traffic unit is byte on the device.
Step 10 (Optional) Run:
radius-server { retransmit retry-times | timeout time-value } *

The number of times that RADIUS request packets are retransmitted and timeout interval are
set.
By default, the number of retransmission times is 3 and the timeout interval is 5 seconds.
Step 11 (Optional) Run:
radius-server nas-port-format { new | old }

The NAS port format of the RADIUS server is configured.


By default, the new NAS port format is used.
Step 12 (Optional) Run:
radius-server nas-port-id-format { new | old }

The ID format of the NAS port on the RADIUS server is set.


By default, the new format of the NAS port ID attribute is used.
Step 13 (Optional) Run:
radius-attribute nas-ip ip-address or radius-attribute nas-ipv6 ipv6-address

The RADIUS NAS-IP-Address or NAS-IPv6-Address attribute is set.


Step 14 (Optional) Run:
radius-server accounting-stop-packet resend [ resend-times ]

Retransmission of accounting-stop packets is enabled and the number of accounting-stop packets
that can be retransmitted each time is set.

By default, the number of retransmission times is 0. That is, accounting-stop packets are not retransmitted.

Step 15 Run:
radius-server dead-time dead-time

The time for the primary RADIUS server to return to the active state is set.

By default, the time for the primary RADIUS server to return to the active state is 5 minutes.

Step 16 Run:
quit

Return to the system view.

Step 17 (Optional) Run:
radius-server authorization ip-address [ vpn-instance vpn-instance-name ] { server-
group group-name | shared-key { cipher | simple } key-string } * [ ack-reserved-
interval interval ]

A RADIUS authorization server is configured.

By default, no RADIUS authorization server is configured.

Step 18 Run:
return

The user view is displayed.

Step 19 (Optional) Run:
test-aaa user-name user-password radius-template template-name [ chap | pap ]

The device is configured to test whether a user can be authenticated using RADIUS
authentication.

----End
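The shared key set in Step 7 is never sent on the wire: it keys the hiding of User-Password in Access-Request packets and the Response Authenticator that the device checks in every reply, which is why the key must match on both sides and why the plain-text default huawei should be replaced. The following added example (not code from this guide or from the device) implements those two RFC 2865 computations in Python; all keys and passwords in it are constructed sample values.

```python
"""Added example, not Huawei's code: what the RADIUS shared key protects.

RFC 2865 never transmits the shared key. A PAP Access-Request hides
User-Password by XORing it, 16 bytes at a time, with MD5(shared_key + previous
block), seeded with the 16-byte Request Authenticator; the Access-Accept or
Access-Reject carries a Response Authenticator = MD5(Code + ID + Length +
RequestAuth + Attributes + shared_key) that the NAS verifies. A key mismatch
therefore breaks both directions silently. Sample keys/passwords are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3


def hide_password(password: bytes, shared_key: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad with NULs to a 16-byte multiple, then chain-XOR."""
    if not 1 <= len(password) <= 128 or len(request_auth) != 16:
        raise ValueError("password must be 1..128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_key + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden, prev = hidden + block, block   # next block is keyed by this ciphertext
    return hidden


def reveal_password(hidden: bytes, shared_key: bytes, request_auth: bytes) -> bytes:
    """Server side: regenerate the same keystream, XOR back, strip NUL padding."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_key + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attrs: bytes, shared_key: bytes) -> bytes:
    """RFC 2865 section 3: MD5 over reply header, request authenticator,
    reply attributes and the shared key."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + shared_key).digest()


def build_reply(code: int, ident: int, request_auth: bytes, shared_key: bytes,
                attrs: bytes = b"") -> bytes:
    auth = response_authenticator(code, ident, request_auth, attrs, shared_key)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_reply(reply: bytes, request_auth: bytes, shared_key: bytes) -> bool:
    """NAS side: a reply whose authenticator does not verify is discarded, which
    the NAS then experiences as a timeout (see the retransmit/timeout settings)."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, request_auth, reply[20:], shared_key)
    return hmac.compare_digest(expected, reply[4:20])


def pap_exchange(password: bytes, nas_key: bytes, server_key: bytes, ident: int = 1):
    """Simulate one PAP round trip between a NAS and a server that may hold a
    different key. Returns (password as decoded by the server, whether the NAS
    accepted the reply's Response Authenticator)."""
    request_auth = os.urandom(16)              # fresh per request, as RFC 2865 requires
    hidden = hide_password(password, nas_key, request_auth)
    decoded = reveal_password(hidden, server_key, request_auth)
    code = ACCESS_ACCEPT if decoded == password else ACCESS_REJECT
    reply = build_reply(code, ident, request_auth, server_key)
    return decoded, verify_reply(reply, request_auth, nas_key)
```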

1.5.2.3 (Optional) Configuring a Service Scheme

Context
Access users must obtain authorization information before going online. Authorization
information about users can be managed by configuring a service scheme.

NOTE

In the service scheme, you only need to run the admin-user privilege level command to configure AAA.
Other commands need to be configured only when they are referenced by other features such as IPSec in
the service scheme.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
service-scheme service-scheme-name

A service scheme is created and the service scheme view is displayed.

By default, no service scheme is configured on the device.

Step 4 Run:
admin-user privilege level level

The user is configured to log in to the device as the administrator and the administrator level for
login is specified.

level ranges from 0 to 15. By default, the user level is not configured.

Step 5 (Optional) Run:
dhcp-server group group-name

A Dynamic Host Configuration Protocol (DHCP) server group is configured.

By default, no DHCP server group is specified in a service scheme.

Step 6 (Optional) Run:
ip-pool pool-name [ move-to new-position ]

An IP address pool is configured in the service scheme or an existing IP address pool is moved.

By default, no IP address pool is set for a service scheme.

Step 7 (Optional) Run:
dns ip-address

The IP address of the primary DNS server is configured.

By default, no primary DNS server address is configured in a service scheme.

Step 8 (Optional) Run:
dns ip-address secondary

The IP address of the secondary DNS server is configured.

By default, no secondary DNS server address is configured in a service scheme.

Step 9 (Optional) Run:
auto-update url url-string version version-number

The URL and version number of the service scheme are configured.

By default, the URL and version number of a service scheme are not configured.

Step 10 (Optional) Run:
dns-name domain-name

The default DNS domain name is configured in the service scheme.

By default, no default DNS domain name is configured in a service scheme.

Step 11 (Optional) Run:
wins ip-address

The IP address of the primary WINS server is configured.

By default, no primary WINS server address is configured in a service scheme.

Step 12 (Optional) Run:
wins ip-address [ secondary ]

The IP address of the secondary WINS server is configured.

By default, no secondary WINS server address is configured in a service scheme.

----End

1.5.2.4 Configuring a Domain

Context
The created authentication scheme, accounting scheme, and RADIUS server template take effect
only after being applied to a domain.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

A domain is created and the domain view is displayed, or an existing domain view is displayed.

By default, the device has two domains: default and default_admin. The two domains can be
modified but cannot be deleted.

Step 4 Run:
authentication-scheme authentication-scheme-name

An authentication scheme is applied to the domain.

By default, the authentication scheme named default is applied to a domain.

Step 5 (Optional) Run:
accounting-scheme accounting-scheme-name

An accounting scheme is applied to the domain.

By default, the accounting scheme named default is applied to a domain. In this default
accounting scheme, non-accounting is used and the real-time accounting function is disabled.

Step 6 (Optional) Run:
user-group group-name

A user group is applied to the domain.

By default, no user group is applied to a domain.

Step 7 (Optional) Run:
service-scheme service-scheme-name

A service scheme is applied to the domain.

By default, no service scheme is applied to a domain.

Step 8 Run:
radius-server template-name

A RADIUS server template is configured for the domain.

By default, no RADIUS server template is applied to a domain.

Step 9 (Optional) Run:
state { active | block }

The domain state is configured.

When a domain is in blocking state, users in this domain cannot log in. By default, a domain is
in active state after being created.

Step 10 Run:
quit

Exit from the domain view.

Step 11 (Optional) Run:
domain-name-delimiter delimiter

A domain name delimiter is configured.

A domain name delimiter can be any of the following: \ / : < > | @ ' %.

The default domain name delimiter is @.

Step 12 Run:
quit

Return to the system view.

Step 13 (Optional) Run the following commands as required.
l Run:
interface wlan-ess wlan-ess-number

A WLAN-ESS interface is created and its view is displayed.


l Run:
interface wlan-bss wlan-bss-number

A WLAN-BSS interface is created and its view is displayed.


NOTE

This step is mandatory for wireless users.

Step 14 (Optional) Run:
force-domain domain-name

The forcible authentication domain is configured on an interface.

By default, no forcible authentication domain is configured on an interface.

NOTE

This step is applicable to only wireless users.

Step 15 (Optional) Run:
permit-domain domain-name &<1-4>

The permitted domain is configured for wireless users.

By default, no permitted domain is specified for wireless users.

NOTE

This step is applicable to only wireless users.

----End

1.5.2.5 Checking the Configuration

Procedure
l Run the display aaa configuration command to check the AAA summary.
l Run the display authentication-scheme [ authentication-scheme-name ] command to
check the authentication scheme configuration.
l Run the display accounting-scheme [ accounting-scheme-name ] command to check the
accounting scheme configuration.
l Run the display service-scheme [ name name ] command to check the service scheme
configuration.
l Run the display radius-server configuration [ template template-name ] command to
check the RADIUS server template configuration.
l Run the display radius-server authorization configuration command to check the
RADIUS authorization server configuration.
l Run the display radius-attribute [ template template-name ] disable command to check
the disabled RADIUS attributes.
l Run the display radius-attribute [ template template-name ] translate command to check
the RADIUS attribute translation configuration.
l Run the display domain [ name domain-name ] command to check the domain
configuration.
l Run the display radius-server accounting-stop-packet { all | ip { ip-address | ipv6-
address } } command to check the accounting-stop packets of the RADIUS server.

----End

1.5.3 Configuring HWTACACS AAA


Compared with RADIUS, HWTACACS is more reliable in transmission and encryption, and is
more suitable for security control.

HWTACACS Authentication, Authorization, and Accounting

Similar to RADIUS, HWTACACS uses the client/server model to implement AAA for access
users by communicating with the HWTACACS server.

HWTACACS protects a network from unauthorized access and supports command-line
authorization. Compared with RADIUS, HWTACACS is more suitable for security control.

Pre-configuration Tasks
Before configuring HWTACACS AAA, complete the following task:

l Configuring physical attributes for interfaces to ensure that the physical layer status of the
interfaces is Up

1.5.3.1 Configuring AAA Schemes

Context
To use HWTACACS authentication, authorization, and accounting, set the authentication mode
in an authentication scheme to HWTACACS, the authorization mode in an authorization scheme
to HWTACACS, and the accounting mode in an accounting scheme to HWTACACS.

When HWTACACS authentication is used, you can configure local authentication or non-
authentication as a backup. This allows local authentication or non-authentication to be
implemented if HWTACACS authentication fails. When HWTACACS authorization is used,
you can configure local authorization or non-authorization as a backup.

NOTE

By default, the same default authentication, authorization, and accounting schemes are bound to the default and
default_admin domains. If the default schemes are modified, user authentication, authorization, or accounting
may fail in a domain. Confirm the action before you modify the default schemes.

Procedure
l Configuring an authentication scheme
1. Run:
system-view

The system view is displayed.


2. Run:
aaa

The AAA view is displayed.


3. Run:
authentication-scheme authentication-scheme-name

An authentication scheme is created, and the corresponding authentication scheme
view or an existing authentication scheme view is displayed.

By default, there is an authentication scheme named default on the device. This default
scheme can be modified but cannot be deleted.

4. Run:
authentication-mode hwtacacs

HWTACACS authentication is configured.

By default, local authentication is used.

To use local authentication as the backup authentication mode, run the
authentication-mode hwtacacs local command to configure local authentication.

NOTE

If multiple authentication modes are configured in an authentication scheme, these
authentication modes are used according to the sequence in which they were configured. The
device uses the authentication mode that was configured later only when it does not receive
any response in the current authentication. The device stops the authentication if the current
authentication fails.
5. (Optional) Run:
authentication-super { hwtacacs | super } * [ none ]

The authentication mode used to upgrade user levels is configured.


6. Run:
quit

Return to the AAA view.


7. (Optional) Run:
domainname-parse-direction { left-to-right | right-to-left }

The direction in which the user name and domain name are parsed is configured.
8. Run:
quit

Return to the system view.


9. (Optional) Run:
aaa-authen-bypass enable time time-value

The bypass authentication duration is set.

By default, no bypass authentication duration is set.


l Configuring an authorization scheme
1. Run:
system-view

The system view is displayed.


2. Run:
aaa

The AAA view is displayed.


3. Run:
authorization-scheme authorization-scheme-name

An authorization scheme is created, and the corresponding authorization scheme view
or an existing authorization scheme view is displayed.

By default, there is a default authorization scheme named default on the device. This
default authorization scheme can be modified but cannot be deleted.
4. Run:
authorization-mode { hwtacacs | local }* [ none ]

The authorization mode is configured.

By default, local authorization is used.

If HWTACACS authorization is configured, you must configure an HWTACACS
server template and apply the template to the corresponding user domain.

NOTE

If multiple authorization modes are configured in an authorization scheme, authorization modes
are used in the sequence in which they were configured. The device uses the authorization
mode that was configured later only after the current authorization fails.
5. (Optional) Run:
authorization-cmd privilege-level hwtacacs [ local ] [ none ]

Command-line authorization is enabled for users at a certain level.

By default, command-line authorization is disabled for users of levels 0 to 15.

If command-line authorization is enabled, you must configure an HWTACACS server
template and apply the template to the corresponding user domain.
6. Run:
quit

Return to the AAA view.


7. Run:
quit

Return to the system view.


8. Run:
quit

Return to the system view.


9. (Optional) Run:
aaa-author-bypass enable time time-value

The bypass authorization duration is set.

By default, no bypass authorization duration is set.


10. (Optional) Run:
aaa-author-cmd-bypass enable time time-value

The command-line bypass authorization duration is set.

By default, no command-line bypass authorization duration is set.


l Configuring an accounting scheme
1. Run:
system-view

The system view is displayed.

2. Run:
aaa

The AAA view is displayed.


3. Run:
accounting-scheme accounting-scheme-name

An accounting scheme is created, and the corresponding accounting scheme view or
an existing accounting scheme view is displayed.

There is a default accounting scheme named default on the device. This default
accounting scheme can be modified but cannot be deleted.
4. Run:
accounting-mode hwtacacs

The accounting mode is configured.

By default, non-accounting is used.


5. (Optional) Run:
accounting start-fail { online | offline }

A policy for accounting-start failures is configured.

By default, users cannot go online if accounting-start fails.


6. (Optional) Run:
accounting realtime interval

Real-time accounting is enabled and the interval for real-time accounting is set.

By default, real-time accounting is disabled.


7. (Optional) Run:
accounting interim-fail [ max-times times ] { online | offline }

The maximum number of real-time accounting requests is set and a policy used after
a real-time accounting failure is configured.

After real-time accounting is enabled, the maximum number of real-time accounting
requests is 3 and the device keeps paid users online after a real-time accounting failure
by default.

----End
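The NOTEs under the authentication scheme procedures in 1.5.2.1 and 1.5.3.1 and under the authorization scheme procedure above state when the next configured mode is consulted. The following added example (not code from this guide) encodes those rules in a small Python simulator, with server outcomes supplied as a constructed table instead of real RADIUS or HWTACACS traffic; it makes visible that authentication-mode hwtacacs local gives a user rejected by the server no second chance at local authentication, whereas authorization-mode hwtacacs local does fall back after a failed remote authorization.

```python
"""Added example, not Huawei's code: the fallback rules from the NOTEs above.

Authentication chain (authentication-mode radius local / hwtacacs local): the
next mode is consulted ONLY when the current one gives no response; an explicit
rejection ends the chain. Authorization chain (authorization-mode hwtacacs
local): the next mode is consulted whenever the current one fails. A trailing
'none' accepts unconditionally. Server outcomes are constructed table entries.
"""
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    NO_RESPONSE = "no-response"


def run_authentication(modes, outcomes):
    """modes: ordered list such as ["radius", "local"] or ["hwtacacs", "local", "none"].
    outcomes: dict mode -> Result for each server that may be asked.
    Returns (final Result, list of modes actually consulted, in order)."""
    consulted = []
    last = Result.NO_RESPONSE
    for mode in modes:
        consulted.append(mode)
        if mode == "none":
            return Result.ACCEPT, consulted        # non-authentication backup
        last = outcomes[mode]
        if last is not Result.NO_RESPONSE:
            return last, consulted                 # ACCEPT or REJECT: the chain stops
    return last, consulted                         # every configured server stayed silent


def run_authorization(modes, outcomes):
    """Same shape as run_authentication, but any failure (rejection or silence)
    moves on to the next configured mode."""
    consulted = []
    last = Result.REJECT
    for mode in modes:
        consulted.append(mode)
        if mode == "none":
            return Result.ACCEPT, consulted
        last = outcomes[mode]
        if last is Result.ACCEPT:
            return last, consulted
    return last, consulted


def fallback_matrix(modes, local_result=Result.ACCEPT):
    """Design check for a two-mode chain [remote, backup]: for each possible
    remote outcome, what the authentication rules and the authorization rules
    each yield, assuming the backup mode would accept."""
    remote, backup = modes
    rows = {}
    for remote_result in Result:
        outcomes = {remote: remote_result, backup: local_result}
        rows[remote_result] = (run_authentication(modes, outcomes)[0],
                               run_authorization(modes, outcomes)[0])
    return rows
```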

1.5.3.2 Configuring an HWTACACS Server Template

Context
In an HWTACACS server template, you must specify the IP address, port number, and shared
key of a specified HWTACACS server. Other settings such as the HWTACACS user name
format and traffic unit have default values and can be changed based on network requirements.

The HWTACACS server template settings such as the HWTACACS user name format and
shared key must be the same as those on the HWTACACS server.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs enable

HWTACACS is enabled.

By default, HWTACACS is enabled.

Step 3 Run:
hwtacacs-server template template-name

An HWTACACS server template is created and the HWTACACS server template view is
displayed.

Step 4 Run:
hwtacacs-server authentication ip-address [ port ] [ public-net | vpn-instance vpn-
instance-name ] or hwtacacs-server authentication ipv6-address [ port ] [ public-
net ]

The primary HWTACACS authentication server is configured.

By default, no primary HWTACACS authentication server is configured.

Step 5 (Optional) Run:
hwtacacs-server authentication ip-address [ port ] [ public-net | vpn-instance vpn-
instance-name ] secondary or hwtacacs-server authentication ipv6-address [ port ]
[ public-net ] secondary

The secondary HWTACACS authentication server is configured.

By default, no secondary HWTACACS authentication server is configured.

Step 6 Run:
hwtacacs-server authorization ip-address [ port ] [ public-net | vpn-instance vpn-
instance-name ] or hwtacacs-server authorization ipv6-address [ port ] [ public-
net ]

The primary HWTACACS authorization server is configured.

By default, no primary HWTACACS authorization server is configured.

Step 7 (Optional) Run:
hwtacacs-server authorization ip-address [ port ] [ public-net | vpn-instance vpn-
instance-name ] secondary or hwtacacs-server authorization ipv6-address [ port ]
[ public-net ] secondary

The secondary HWTACACS authorization server is configured.

By default, no secondary HWTACACS authorization server is configured.

Step 8 Run:
hwtacacs-server accounting ip-address [ port ] [ public-net | vpn-instance vpn-
instance-name ] or hwtacacs-server accounting ipv6-address [ port ] [ public-net ]

The primary HWTACACS accounting server is configured.

By default, no primary HWTACACS accounting server is configured.


Step 9 (Optional) Run:
hwtacacs-server accounting ip-address [ port ] [ public-net | vpn-instance vpn-
instance-name ] secondary or hwtacacs-server accounting ipv6-address [ port ]
[ public-net ] secondary

The secondary HWTACACS accounting server is configured.


By default, no secondary HWTACACS accounting server is configured.
Step 10 (Optional) Run:
hwtacacs-server user-name domain-included

The HWTACACS user name format is configured.


By default, the device encapsulates the domain name in the user name when sending
HWTACACS packets to an HWTACACS server.
Step 11 (Optional) Run:
hwtacacs-server source-ip ip-address or hwtacacs-server source-ipv6 ipv6-address

The HWTACACS source IP address or source IPv6 address is set.


By default, the HWTACACS source IP address is 0.0.0.0. The device uses the IP address of the
actual outbound interface as the source IP address in HWTACACS packets.
After you set the source IP address of HWTACACS packets on the device, this IP address is
used by the device to communicate with the HWTACACS server. The HWTACACS server also
uses a specified IP address to communicate with the device.
Step 12 (Optional) Run:
hwtacacs-server shared-key { cipher | simple } key-string

The HWTACACS shared key is configured.


By default, no HWTACACS shared key is configured.
Step 13 (Optional) Run:
hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }

The HWTACACS traffic unit is set.


The default HWTACACS traffic unit is byte on the device.
Step 14 (Optional) Run:
hwtacacs-server timer response-timeout interval

The response timeout interval for the HWTACACS server is set.


By default, the response timeout interval for an HWTACACS server is 5 seconds.
If the device does not receive a response from the HWTACACS server within the timeout
period, the device considers the HWTACACS server faulty and then uses other authentication
and authorization methods.
Step 15 (Optional) Run:
hwtacacs-server timer quiet interval

The interval for the primary HWTACACS server to return to the active state is set.

By default, the interval for the primary HWTACACS server to return to the active state is 5
minutes.

Step 16 Run:
quit

The system view is displayed.

Step 17 (Optional) Run:
hwtacacs-server accounting-stop-packet resend { disable | enable number }

Retransmission of accounting-stop packets is enabled.

By default, the retransmission function is enabled and the number of retransmission times is
100.

Step 18 Run:
return

The user view is displayed.

Step 19 (Optional) Run:
hwtacacs-user change-password hwtacacs-server template-name

The password saved on the HWTACACS server is changed.

----End

1.5.3.3 (Optional) Configuring a Service Scheme

Context
Access users must obtain authorization information before going online. Authorization
information about users can be managed by configuring a service scheme.

NOTE

In the service scheme, you only need to run the admin-user privilege level command to configure AAA.
Other commands need to be configured only when they are referenced by other features such as IPSec in
the service scheme.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
service-scheme service-scheme-name

A service scheme is created and the service scheme view is displayed.

By default, no service scheme is configured on the device.

Step 4 Run:
admin-user privilege level level

The user is configured to log in to the device as the administrator and the administrator level for
login is specified.

level ranges from 0 to 15. By default, the user level is not configured.

Step 5 (Optional) Run:
dhcp-server group group-name

A Dynamic Host Configuration Protocol (DHCP) server group is configured.

By default, no DHCP server group is specified in a service scheme.

Step 6 (Optional) Run:
ip-pool pool-name [ move-to new-position ]

An IP address pool is configured in the service scheme or an existing IP address pool is moved.

By default, no IP address pool is set for a service scheme.

Step 7 (Optional) Run:
dns ip-address

The IP address of the primary DNS server is configured.

By default, no primary DNS server address is configured in a service scheme.

Step 8 (Optional) Run:
dns ip-address secondary

The IP address of the secondary DNS server is configured.

By default, no secondary DNS server address is configured in a service scheme.

Step 9 (Optional) Run:
auto-update url url-string version version-number

The URL and version number of the service scheme are configured.

By default, the URL and version number of a service scheme are not configured.

Step 10 (Optional) Run:
dns-name domain-name

The default DNS domain name is configured in the service scheme.

By default, no default DNS domain name is configured in a service scheme.

Step 11 (Optional) Run:
wins ip-address

The IP address of the primary WINS server is configured.

By default, no primary WINS server address is configured in a service scheme.

Step 12 (Optional) Run:
wins ip-address [ secondary ]

The IP address of the secondary WINS server is configured.

By default, no secondary WINS server address is configured in a service scheme.

----End

1.5.3.4 Configuring a Domain

Context
The created authentication scheme, authorization scheme, accounting scheme, and
HWTACACS server template take effect only after being applied to a domain.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

A domain is created and the domain view is displayed, or an existing domain view is displayed.

By default, the device has two domains: default and default_admin. The two domains can be
modified but cannot be deleted.

Step 4 Run:
authentication-scheme authentication-scheme-name

An authentication scheme is applied to the domain.

By default, the default authentication scheme is used for a domain.

Step 5 (Optional) Run:
authorization-scheme authorization-scheme-name

An authorization scheme is applied to the domain.

By default, no authorization scheme is applied to a domain.

Step 6 (Optional) Run:
accounting-scheme accounting-scheme-name

An accounting scheme is applied to the domain.

By default, the accounting scheme named default is applied to a domain. In this default
accounting scheme, non-accounting is used and the real-time accounting function is disabled.

Step 7 (Optional) Run:
user-group group-name

A user group is applied to the domain.

By default, no user group is applied to a domain.

Step 8 (Optional) Run:
service-scheme service-scheme-name

A service scheme is applied to the domain.

By default, no service scheme is applied to a domain.

Step 9 Run:
hwtacacs-server template-name

An HWTACACS server template is applied to the domain.

By default, no HWTACACS server template is applied to a domain.

Step 10 (Optional) Run:
state { active | block }

The domain state is configured.

When a domain is in blocking state, users in this domain cannot log in. By default, a domain is
in active state after being created.

Step 11 Run:
quit

Exit from the domain view.

Step 12 (Optional) Run:
domain-name-delimiter delimiter

A domain name delimiter is configured.

A domain name delimiter can be any of the following: \ / : < > | @ ' %.

The default domain name delimiter is @.

Step 13 Run:
quit

Return to the system view.

Step 14 (Optional) Run the following commands as required.

l Run:
interface wlan-ess wlan-ess-number

A WLAN-ESS interface is created and its view is displayed.

l Run:
interface wlan-bss wlan-bss-number

A WLAN-BSS interface is created and its view is displayed.


NOTE

This step is mandatory for wireless users.

Step 15 (Optional) Run:
force-domain domain-name


The forcible authentication domain is configured on an interface.

By default, no forcible authentication domain is configured on an interface.

NOTE

This step is applicable to only wireless users.

Step 16 (Optional) Run:
permit-domain domain-name &<1-4>

The permitted domain is configured for wireless users.

By default, no permitted domain is specified for wireless users.

NOTE

This step is applicable to only wireless users.

----End

1.5.3.5 Checking the Configuration

Procedure
l Run the display aaa configuration command to check the AAA summary.
l Run the display authentication-scheme [ authentication-scheme-name ] command to
check the authentication scheme configuration.
l Run the display authorization-scheme [ authorization-scheme-name ] command to check
the authorization scheme configuration.
l Run the display accounting-scheme [ accounting-scheme-name ] command to check the
accounting scheme configuration.
l Run the display service-scheme [ name name ] command to check the configuration about
the service scheme.
l Run the display hwtacacs-server template [ template-name [ verbose ] ] command to
check the HWTACACS server template configuration.
l Run the display hwtacacs-server accounting-stop-packet { all | number | ip { ip-address |
ipv6-address } } command to check the accounting-stop packets of the HWTACACS server.
l Run the display domain [ name domain-name ] command to check the domain
configuration.

----End

1.6 Maintaining AAA

AAA maintenance includes clearing AAA statistics and configuration.

1.6.1 Clearing AAA Statistics


Context

NOTICE
The AAA statistics cannot be restored after being cleared. Confirm your operation before
clearing the AAA statistics.

Run the following commands to clear the statistics.

Procedure
l Run the reset aaa { offline-record | online-fail-record } command to clear the offline
records and login failures statistics.
l Run the reset hwtacacs-server statistics { accounting | all | authentication |
authorization } command to clear the statistics on HWTACACS authentication,
accounting, and authorization.
l Run the reset hwtacacs-server accounting-stop-packet { all | ip { ip-address | ipv6-address } }
command to clear the statistics on HWTACACS accounting-stop packets.
l Run the reset radius-server accounting-stop-packet { all | ip { ip-address | ipv6-address } }
command to clear the statistics on RADIUS accounting-stop packets.

----End

1.6.2 Clearing AAA Configuration

Context

NOTICE
If the AAA configuration is cleared, the AAA-related services are disabled. Confirm your
operation before clearing the AAA configuration. If the domain or service scheme configured
for AAA is referenced by other modules, this domain or service scheme is not deleted, but the
domain state is initialized. In this case, only the default authentication scheme and accounting
scheme are bound, and the authorization scheme, RADIUS server, and HWTACACS server are
not bound.

Run the following command in the system view to clear the AAA configuration.

Procedure
l Run the undo aaa command to clear the AAA configuration.

----End


1.7 Configuration Examples

This section provides several AAA configuration examples, including networking requirements,
configuration notes, and configuration roadmap.

1.7.1 Example for Configuring RADIUS Authentication and Accounting

Networking Requirements
As shown in Figure 1-20, users access the network through Router A and belong to the domain
huawei. Router B functions as the network access server of the destination network. Request
packets from users need to traverse the network where Router A and Router B are located to
reach the authentication server. Users can access the destination network through Router B only
after being authenticated. The remote authentication on Router B is described as follows:

l The RADIUS server will authenticate access users for RouterB. If RADIUS authentication
fails, local authentication is used.
l The RADIUS server at 129.7.66.66/24 functions as the primary authentication and
accounting server. The RADIUS server at 129.7.66.67/24 functions as the secondary
authentication and accounting server. The default authentication port and accounting port
are 1812 and 1813.

Figure 1-20 Networking diagram of RADIUS authentication and accounting

[Figure: users in domain huawei connect through Router A and Router B to the network and the
destination network; the RADIUS Server (Master) at 129.7.66.66/24 and the RADIUS Server (Backup)
at 129.7.66.67/24 are reached across the network]


Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a RADIUS server template.
2. Configure an authentication scheme and an accounting scheme.
3. Apply the RADIUS server template, authentication scheme, and accounting scheme to the
domain.
NOTE

Perform the following configurations only on Router B.

Procedure
Step 1 Configure a RADIUS server template.

# Configure a RADIUS template shiva.
<Huawei> system-view
[Huawei] radius-server template shiva

# Configure the IP address and port numbers of the primary RADIUS authentication and
accounting server.
[Huawei-radius-shiva] radius-server authentication 129.7.66.66 1812
[Huawei-radius-shiva] radius-server accounting 129.7.66.66 1813

# Configure the IP address and port numbers of the secondary RADIUS authentication and
accounting server.
[Huawei-radius-shiva] radius-server authentication 129.7.66.67 1812 secondary
[Huawei-radius-shiva] radius-server accounting 129.7.66.67 1813 secondary

# Set the key and retransmission count for the RADIUS server, and configure the device not to
encapsulate the domain name in the user name when sending RADIUS packets to a RADIUS
server.
[Huawei-radius-shiva] radius-server shared-key cipher hello
[Huawei-radius-shiva] radius-server retransmit 2
[Huawei-radius-shiva] undo radius-server user-name domain-included

[Huawei-radius-shiva] quit

Step 2 Configure authentication and accounting schemes.

# Create an authentication scheme auth. In the authentication scheme, the system performs
RADIUS authentication first, and performs local authentication if RADIUS authentication fails.
[Huawei] aaa
[Huawei-aaa] authentication-scheme auth
[Huawei-aaa-authen-auth] authentication-mode radius local
[Huawei-aaa-authen-auth] quit

# Configure the accounting scheme abc that uses RADIUS accounting and the policy that the
device is kept online when accounting fails.
[Huawei-aaa] accounting-scheme abc
[Huawei-aaa-accounting-abc] accounting-mode radius
[Huawei-aaa-accounting-abc] accounting start-fail online
[Huawei-aaa-accounting-abc] quit


Step 3 Configure a domain huawei and apply authentication scheme auth, accounting scheme abc,
and RADIUS server template shiva to the domain.
[Huawei-aaa] domain huawei
[Huawei-aaa-domain-huawei] authentication-scheme auth
[Huawei-aaa-domain-huawei] accounting-scheme abc
[Huawei-aaa-domain-huawei] radius-server shiva
[Huawei-aaa-domain-huawei] quit
[Huawei-aaa] quit
[Huawei] quit

NOTE

After the domain huawei is configured, if a user enters the user name in the format of user@huawei, the device
authenticates the user in the domain huawei. If the user name does not contain the domain name or the domain
name in the user name does not exist, the device authenticates the user in the default domain.
The domain that a user belongs to depends on the RADIUS client but not the RADIUS server. After the undo
radius-server user-name domain-included command is executed on RouterB, RouterB sends the user name
without the domain name to the RADIUS server when receiving the user name in the format of user@huawei.
However, RouterB places the user in the domain huawei for authentication.

Step 4 Verify the configuration.

Run the display radius-server configuration template command on Router B, and you can
see that the configuration of the RADIUS server template meets the requirements.
<Huawei> display radius-server configuration template shiva
------------------------------------------------------------------------------
Server-template-name : shiva
Protocol-version : standard
Traffic-unit : B
Shared-secret-key : %$%$1"y;E[c;<.(_RS/w*!`IOxof%$%$
Timeout-interval(in second) : 5
Retransmission : 2
EndPacketSendTime : 0
Dead time(in minute) : 5
Domain-included : NO
NAS-IP-Address : 0.0.0.0
Calling-station-id MAC-format : xxxx-xxxx-xxxx
Authentication Server 1 : 129.7.66.66 Port:1812
Vrf:- LoopBack:NULL
Source IP: ::
Authentication Server 2 : 129.7.66.67 Port:1812
Vrf:- LoopBack:NULL
Source IP: ::
Accounting Server 1 : 129.7.66.66 Port:1813
Vrf:- LoopBack:NULL
Source IP: ::
Accounting Server 2 : 129.7.66.67 Port:1813
Vrf:- LoopBack:NULL
Source IP: ::
------------------------------------------------------------------------------

----End

Configuration Files
Configuration files on Router B

#
radius-server template shiva
radius-server shared-key cipher %$%$1"y;E[c;<.(_RS/w*!`IOxof%$%$
radius-server authentication 129.7.66.66 1812
radius-server authentication 129.7.66.67 1812 secondary


radius-server accounting 129.7.66.66 1813
radius-server accounting 129.7.66.67 1813 secondary
radius-server retransmit 2
undo radius-server user-name domain-included
#
aaa
authentication-scheme auth
authentication-mode radius local
accounting-scheme abc
accounting-mode radius
accounting start-fail online
domain huawei
authentication-scheme auth
accounting-scheme abc
radius-server shiva
#
return

1.7.2 Example for Configuring HWTACACS Authentication, Accounting, and Authorization

Networking Requirements
As shown in Figure 1-21, the customer requirements are as follows:

l The HWTACACS server will authenticate access users for RouterB. If HWTACACS
authentication fails, local authentication is used.
l HWTACACS authentication is required before the level of access users is upgraded. If
HWTACACS authentication fails, local authentication is used.
l The HWTACACS server will authorize access users for RouterB. If HWTACACS
authorization fails, local authorization is used.
l HWTACACS accounting is used by RouterB for access users.
l Real-time accounting is performed every 3 minutes.
l The IP addresses of primary and secondary HWTACACS servers are 129.7.66.66/24 and
129.7.66.67/24. The port number for authentication, accounting, and authorization is 49.


Figure 1-21 Networking diagram of HWTACACS authentication, accounting, and authorization

[Figure: users in domain huawei connect through Router A and Router B to the network and the
destination network; the HWTACACS Server (Master) at 129.7.66.66/24 and the HWTACACS Server
(Backup) at 129.7.66.67/24 are reached across the network]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an HWTACACS server template.
2. Configure authentication, authorization, and accounting schemes.
3. Apply the HWTACACS server template, authentication scheme, authorization scheme, and
accounting scheme to the domain.
NOTE

Perform the following configurations only on RouterB.

Procedure
Step 1 Enable HWTACACS.
<Huawei> system-view
[Huawei] hwtacacs enable

NOTE

The HWTACACS function is enabled by default. If the HWTACACS configuration has not been modified,
you do not need to run this command.

Step 2 Configure an HWTACACS server template.

# Configure the HWTACACS server template ht.
[Huawei] hwtacacs-server template ht

# Configure the IP addresses and port numbers of the primary HWTACACS authentication,
authorization, and accounting servers.


[Huawei-hwtacacs-ht] hwtacacs-server authentication 129.7.66.66 49
[Huawei-hwtacacs-ht] hwtacacs-server authorization 129.7.66.66 49
[Huawei-hwtacacs-ht] hwtacacs-server accounting 129.7.66.66 49

# Configure the IP addresses and port numbers of the secondary HWTACACS authentication,
authorization, and accounting servers.
[Huawei-hwtacacs-ht] hwtacacs-server authentication 129.7.66.67 49 secondary
[Huawei-hwtacacs-ht] hwtacacs-server authorization 129.7.66.67 49 secondary
[Huawei-hwtacacs-ht] hwtacacs-server accounting 129.7.66.67 49 secondary

# Configure the shared key of the HWTACACS server.
[Huawei-hwtacacs-ht] hwtacacs-server shared-key cipher hello
[Huawei-hwtacacs-ht] quit

Step 3 Configure the authentication scheme, authorization scheme, and accounting scheme.

# Create an authentication scheme l-h. In the authentication scheme, the system performs
HWTACACS authentication first, and performs local authentication if HWTACACS
authentication fails. HWTACACS authentication is used if the level of users is upgraded.
[Huawei] aaa
[Huawei-aaa] authentication-scheme l-h
[Huawei-aaa-authen-l-h] authentication-mode hwtacacs local
[Huawei-aaa-authen-l-h] authentication-super hwtacacs
[Huawei-aaa-authen-l-h] quit

# Create an authorization scheme hwtacacs. In the authorization scheme, the system performs
HWTACACS authorization first, and performs local authorization if HWTACACS
authorization fails.
[Huawei-aaa] authorization-scheme hwtacacs
[Huawei-aaa-author-hwtacacs] authorization-mode hwtacacs local
[Huawei-aaa-author-hwtacacs] quit

# Create an accounting scheme hwtacacs and set HWTACACS accounting.
[Huawei-aaa] accounting-scheme hwtacacs
[Huawei-aaa-accounting-hwtacacs] accounting-mode hwtacacs
[Huawei-aaa-accounting-hwtacacs] accounting start-fail online

# Set the interval of real-time accounting to 3 minutes.
[Huawei-aaa-accounting-hwtacacs] accounting realtime 3
[Huawei-aaa-accounting-hwtacacs] quit

Step 4 Configure a domain huawei, and apply the authentication scheme l-h, authorization scheme
hwtacacs, accounting scheme hwtacacs, and the HWTACACS server template ht to the domain.
[Huawei-aaa] domain huawei
[Huawei-aaa-domain-huawei] authentication-scheme l-h
[Huawei-aaa-domain-huawei] authorization-scheme hwtacacs
[Huawei-aaa-domain-huawei] accounting-scheme hwtacacs
[Huawei-aaa-domain-huawei] hwtacacs-server ht
[Huawei-aaa-domain-huawei] quit
[Huawei-aaa] quit
[Huawei] quit

Step 5 Verify the configuration.

Run the display hwtacacs-server template command on RouterB, and you can see that the
configuration of the HWTACACS server template meets the requirements.
<Huawei> display hwtacacs-server template ht
---------------------------------------------------------------------------


HWTACACS-server template name : ht
Primary-authentication-server : 129.7.66.66:49:-
Primary-authorization-server : 129.7.66.66:49:-
Primary-accounting-server : 129.7.66.66:49:-
Secondary-authentication-server : 129.7.66.67:49:-
Secondary-authorization-server : 129.7.66.67:49:-
Secondary-accounting-server : 129.7.66.67:49:-
Current-authentication-server : 129.7.66.66:49:-
Current-authorization-server : 129.7.66.66:49:-
Current-accounting-server : 129.7.66.66:49:-
Source-IP-address : 0.0.0.0
Source-IPv6-address : ::
Shared-key : ****************
Quiet-interval(min) : 5
Response-timeout-Interval(sec) : 5
Domain-included : Yes
Traffic-unit : B
---------------------------------------------------------------------------

Run the display domain command on RouterB, and you can see that the configuration of the
domain meets the requirements.
<Huawei> display domain name huawei

Domain-name : huawei
Domain-state : Active
Authentication-scheme-name : l-h
Accounting-scheme-name : hwtacacs
Authorization-scheme-name : hwtacacs
Service-scheme-name : -
RADIUS-server-template : -
HWTACACS-server-template : ht
User-group : -

----End

Configuration Files
Configuration files on Router B

#
hwtacacs-server template ht
hwtacacs-server authentication 129.7.66.66
hwtacacs-server authentication 129.7.66.67 secondary
hwtacacs-server authorization 129.7.66.66
hwtacacs-server authorization 129.7.66.67 secondary
hwtacacs-server accounting 129.7.66.66
hwtacacs-server accounting 129.7.66.67 secondary
hwtacacs-server shared-key cipher %$%$|)&LT+J>dN>=IqD<gO/Fj$xo%$%$
#
aaa
authentication-scheme default
authentication-scheme l-h
authentication-mode hwtacacs local
authentication-super hwtacacs
authorization-scheme default
authorization-scheme hwtacacs
authorization-mode hwtacacs local
accounting-scheme default
accounting-scheme hwtacacs
accounting-mode hwtacacs
accounting realtime 3
accounting start-fail online
domain default


domain default_admin
domain huawei
authentication-scheme l-h
authorization-scheme hwtacacs
accounting-scheme hwtacacs
hwtacacs-server ht
#
return

1.7.3 Example for Configuring Domain-based User Management

Networking Requirements
As shown in Figure 1-22, enterprise users access the network through SwitchA and RouterB.
The user names do not contain any domain name.

The enterprise requires that common users should access the network and obtain rights after
passing RADIUS authentication and the administrator user should log in to the device for
management after passing local authentication on RouterB.

Figure 1-22 Configuring domain-based user management

[Figure: common users and the administrator user connect through SwitchA to Eth2/0/0 of RouterB;
Eth2/0/1 of RouterB (VLANIF11, 192.168.2.29/24) connects to the RADIUS server at 192.168.2.30;
RouterB connects to the Internet]

Configuration Roadmap
The configuration roadmap is as follows:

1. Create a VLAN and a VLANIF interface so that RouterB can communicate with the
RADIUS server.
2. Configure authentication and accounting schemes for common users and apply the schemes
to the default domain to authenticate common users such as users using 802.1x or Portal
authentication. The user names of the users do not carry domain names.


3. Configure authentication and authorization schemes for the administrator user and apply
the schemes to the default_admin domain to authenticate the administrator user such as the
user logging in through Telnet, SSH, or FTP. The user name of the administrator user does
not carry the domain name.
NOTE

Ensure that the RADIUS server address, port number, and shared key in the RADIUS server template are
the same as the settings on the RADIUS server.
Ensure that users have been configured on the RADIUS server. In this example, a user with the user name
test1 and password 123456 has been configured on the RADIUS server.
This example provides only the configuration of RouterB. The configurations of RouterA and the RADIUS
server are not mentioned here.

Procedure
Step 1 Create a VLAN and configure an interface.
# Create VLAN 11 on RouterB.
<Huawei> system-view
[Huawei] vlan batch 11

# Configure Eth2/0/1 connecting RouterB and the RADIUS server and add Eth2/0/1 to VLAN
11.
[Huawei] interface ethernet 2/0/1
[Huawei-Ethernet2/0/1] port link-type access
[Huawei-Ethernet2/0/1] port default vlan 11
[Huawei-Ethernet2/0/1] quit

# Create VLANIF 11 and configure IP address 192.168.2.29/24 for it.
[Huawei] interface vlanif11
[Huawei-Vlanif11] ip address 192.168.2.29 24
[Huawei-Vlanif11] quit

Step 2 Configure RADIUS AAA for common users using 802.1x authentication.
# Create and configure a RADIUS server template rd1.
[Huawei] radius-server template rd1
[Huawei-radius-rd1] radius-server authentication 192.168.2.30 1812
[Huawei-radius-rd1] radius-server accounting 192.168.2.30 1813
[Huawei-radius-rd1] radius-server shared-key cipher hello
[Huawei-radius-rd1] radius-server retransmit 2
[Huawei-radius-rd1] quit

# Create authentication and accounting schemes abc in which the authentication and accounting
modes are both RADIUS.
[Huawei] aaa
[Huawei-aaa] authentication-scheme abc
[Huawei-aaa-authen-abc] authentication-mode radius
[Huawei-aaa-authen-abc] quit
[Huawei-aaa] accounting-scheme abc
[Huawei-aaa-accounting-abc] accounting-mode radius
[Huawei-aaa-accounting-abc] quit

# Test the connection between RouterB and the RADIUS server. The test user test1 with
password 123456 has been configured on the RADIUS server.
[Huawei] test-aaa test1 123456 radius-template rd1
Info: Account test succeed.


# Bind authentication and accounting schemes abc, and RADIUS server template rd1 to the
default domain.
[Huawei-aaa] domain default
[Huawei-aaa-domain-default] authentication-scheme abc
[Huawei-aaa-domain-default] accounting-scheme abc
[Huawei-aaa-domain-default] radius-server rd1
[Huawei-aaa-domain-default] quit
[Huawei-aaa] quit

# Enable 802.1x authentication globally and on an interface.
[Huawei] vlan batch 10
[Huawei] dot1x enable
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] port link-type access
[Huawei-Ethernet2/0/0] port default vlan 10
[Huawei-Ethernet2/0/0] dot1x enable
[Huawei-Ethernet2/0/0] dot1x max-user 20
[Huawei-Ethernet2/0/0] quit

# Set the global default domain for common users to default. After common users enter their
user names in the format of user@default, the device performs AAA authentication on these
users in the default domain. If a user name does not contain a domain name or the domain name
does not exist, the device authenticates the common user in the default common domain.
[Huawei] domain default

Step 3 Configure local authentication and authorization for the administrator user test.

# Configure the device to use AAA for the Telnet user that logs in through the VTY user interface.
[Huawei] user-interface vty 0 14
[Huawei-ui-vty0-14] authentication-mode aaa
[Huawei-ui-vty0-14] quit

# Configure a local user named test with password admin@12345 and user level 3.
[Huawei] aaa
[Huawei-aaa] local-user test password cipher admin@12345 privilege level 3

# Configure the access type of the user test as Telnet.
[Huawei-aaa] local-user test service-type telnet

# Configure local account locking, and set the retry interval to 5 minutes, the consecutive
authentication failure count to 3, and the local account locking duration to 5 minutes.
[Huawei-aaa] local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 5

# Configure the authentication scheme auth in which local authentication is used.
[Huawei-aaa] authentication-scheme auth
[Huawei-aaa-authen-auth] authentication-mode local
[Huawei-aaa-authen-auth] quit

# Configure the authorization scheme autho in which local authorization is used.
[Huawei-aaa] authorization-scheme autho
[Huawei-aaa-author-autho] authorization-mode local
[Huawei-aaa-author-autho] quit

# Configure the default_admin domain, and apply the authentication scheme auth and
authorization scheme autho to the domain.


[Huawei-aaa] domain default_admin
[Huawei-aaa-domain-default_admin] authentication-scheme auth
[Huawei-aaa-domain-default_admin] authorization-scheme autho
[Huawei-aaa-domain-default_admin] quit
[Huawei-aaa] quit

# Set the global default domain for administrative users to default_admin. After administrative
users enter their user names in the format of user@default_admin, the device performs AAA
authentication on these users in the default_admin domain. If a user name does not contain a
domain name or the domain name does not exist, the device authenticates the administrative
user in the default administrative domain.
[Huawei] domain default_admin admin
[Huawei] quit

Step 4 Verify the configuration.

Run the display dot1x interface command on RouterB. You can see that 802.1x authentication is
enabled on the interface.
<Huawei> display dot1x interface ethernet 2/0/0
Ethernet2/0/0 status: UP 802.1x protocol is Enabled
Port control type is Auto
Authentication method is MAC-based
Reauthentication is disabled
Maximum users: 20
Current users: 0
Guest VLAN 10 is not effective
Restrict VLAN is disabled

Authentication Success: 0 Failure: 0
EAPOL Packets: TX : 0 RX : 0
Sent EAPOL Request/Identity Packets : 0
EAPOL Request/Challenge Packets : 0
Multicast Trigger Packets : 0
EAPOL Success Packets : 0
EAPOL Failure Packets : 0
Received EAPOL Start Packets : 0
EAPOL Logoff Packets : 0
EAPOL Response/Identity Packets : 0
EAPOL Response/Challenge Packets: 0

When common users go online and enter the user name test1 and password 123456 on the 802.1x
client, run the display access-user domain and display access-user user-id commands. You
can view the domain that users belong to and the access type.
<Huawei> display access-user domain default
------------------------------------------------------------------------------
UserID Username IP address MAC
------------------------------------------------------------------------------
16040 test1 - 00e0-4c97-31f6
------------------------------------------------------------------------------
<Huawei> display access-user user-id 16040
Basic:
User id : 16040
User name : test1
Domain-name : default
User MAC : 00e0-4c97-31f6
User IP address : -
User access time : 2009/02/15 19:10:52
User accounting session ID : Huawei255255000000000f910d2016040
Option82 information : -
User access type : 802.1x

AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS


Current authorization method : -
Current accounting method : RADIUS

When the user logs in through Telnet and enters the user name test and password
admin@12345, run the display access-user domain and display access-user user-id
commands. You can view the domain that the user belongs to and the access type.
<Huawei> display access-user domain default_admin
------------------------------------------------------------------------------
UserID Username IP address MAC
------------------------------------------------------------------------------
16009 test 10.135.18.217 -
------------------------------------------------------------------------------
<Huawei> display access-user user-id 16009
Basic:
User id : 16009
User name : test
Domain-name : default_admin
User MAC : -
User IP address : 10.135.18.217
User access time : 2009/02/15 05:10:52
User accounting session ID : Huawei255255000000000f910d2016009
Option82 information : -
User access type : Telnet
Idle Timeout : 4294967236(s)

AAA:
User authentication type : Administrator authentication
Current authentication method : Local
Current authorization method : Local
Current accounting method : None

----End
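The domain selection described in the note of 1.7.1 and in Steps 2 and 3 of this example (the domain name delimiter, the domain named in the user name, the global default domains for common and administrative users, the block state, and the effect of undo radius-server user-name domain-included), modelled in Python as an added example that is not part of this guide or of the device software. The class and function names are mine; splitting at the last delimiter and forwarding the name exactly as typed when domain-included is on are assumptions the guide does not state.

```python
"""How the device maps a user name to an AAA domain, as this guide describes it
(added example, not Huawei code). Modelled behaviour: the domain name delimiter
('@' by default, set with domain-name-delimiter); a domain named in the user name
is used if it exists, otherwise the global default domain for common users
('domain <name>') or for administrators ('domain <name> admin'); a domain in
block state refuses logins; 'undo radius-server user-name domain-included' strips
the domain from the name sent to the RADIUS server without changing the domain
used locally. Assumptions the guide does not state: the name is split at the last
delimiter, and with domain-included on the name is forwarded exactly as typed."""
from dataclasses import dataclass, field
from typing import Dict, Optional

VALID_DELIMITERS = set("\\/:<>|@'%")   # the delimiters domain-name-delimiter accepts


@dataclass
class Domain:
    name: str
    state: str = "active"                  # state { active | block }
    authentication_scheme: str = "default"
    radius_template: Optional[str] = None  # radius-server <template> in the domain view
    hwtacacs_template: Optional[str] = None


@dataclass
class AaaConfig:
    domains: Dict[str, Domain]
    delimiter: str = "@"                   # domain-name-delimiter
    default_common: str = "default"        # domain <name>
    default_admin: str = "default_admin"   # domain <name> admin
    # per RADIUS template: False after 'undo radius-server user-name domain-included'
    radius_domain_included: Dict[str, bool] = field(default_factory=dict)

    def __post_init__(self):
        if self.delimiter not in VALID_DELIMITERS:
            raise ValueError(f"invalid domain name delimiter {self.delimiter!r}")
        for name in (self.default_common, self.default_admin):
            if name not in self.domains:
                raise ValueError(f"default domain {name} does not exist")


def split_user_name(user_name, delimiter="@"):
    """Return (pure user name, domain part or None), splitting at the last delimiter."""
    head, sep, tail = user_name.rpartition(delimiter)
    return (head, tail) if sep else (user_name, None)


def resolve_domain(cfg, user_name, admin=False):
    """The domain named in the user name if it exists, else the applicable default."""
    _, dom = split_user_name(user_name, cfg.delimiter)
    if dom is not None and dom in cfg.domains:
        return cfg.domains[dom]
    return cfg.domains[cfg.default_admin if admin else cfg.default_common]


def authenticate_request(cfg, user_name, admin=False):
    """Describe how the device handles a login: the domain, whether the request
    proceeds, and the user name it would put in the RADIUS request (None when the
    domain binds no RADIUS server template)."""
    domain = resolve_domain(cfg, user_name, admin)
    if domain.state == "block":
        return {"domain": domain.name, "proceeds": False, "reason": "domain is blocked"}
    pure, _ = split_user_name(user_name, cfg.delimiter)
    radius_name = None
    if domain.radius_template is not None:
        included = cfg.radius_domain_included.get(domain.radius_template, True)
        radius_name = user_name if included else pure
    return {"domain": domain.name, "proceeds": True, "radius_user_name": radius_name}


# Constructed configuration matching section 1.7.1, plus a blocked domain.
SAMPLE = AaaConfig(
    domains={
        "default": Domain("default"),
        "default_admin": Domain("default_admin"),
        "huawei": Domain("huawei", authentication_scheme="auth", radius_template="shiva"),
        "guest": Domain("guest", state="block"),
    },
    radius_domain_included={"shiva": False},   # undo radius-server user-name domain-included
)

if __name__ == "__main__":
    for name, admin in (("user@huawei", False), ("user@nowhere", False),
                        ("user@nowhere", True), ("bob@guest", False)):
        print(name, "admin" if admin else "common", authenticate_request(SAMPLE, name, admin))
```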

Configuration File
Configuration file of RouterB

#
vlan batch 10 11
#
dot1x enable
#
radius-server template rd1
radius-server shared-key cipher %$%$lrWRXXUmJ/5W\uBqID/6EULC%$%$
radius-server authentication 192.168.2.30 1812
radius-server accounting 192.168.2.30 1813
radius-server retransmit 2
#
aaa
authentication-scheme abc
authentication-mode radius
authentication-scheme auth
authorization-scheme autho
accounting-scheme abc
accounting-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
domain default
authentication-scheme abc
accounting-scheme abc
domain default_admin
authentication-scheme auth
authorization-scheme autho


local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 5
local-user admin password cipher %$%$=i~>Xp&aY+*2cEVcS-A23Uwe%$%$
local-user admin service-type http
local-user test password cipher %$%$NK\l,"a|M(0+3J)Yl;U%W&;k%$%$
local-user test privilege level 3
local-user test service-type telnet
#
interface Vlanif11
ip address 192.168.2.29 255.255.255.0
#
interface Ethernet2/0/0
port link-type access
port default vlan 10
dot1x enable
dot1x max-user 20
#
interface Ethernet2/0/1
port link-type access
port default vlan 11
#
user-interface vty 0 14
authentication-mode aaa
#
return
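An added consistency check for configuration files in the format shown in 1.7.1 to 1.7.3; it is example code, not part of this guide or of the device software. It parses a listing by keyword (the function names and the keyword-based block detection are assumptions) and reports domains bound to undefined schemes or server templates, schemes that use RADIUS or HWTACACS in a domain with no matching server template bound, and templates that lack a shared key.

```python
"""Cross-reference checker for AAA configuration listings in the format of the
configuration files in sections 1.7.1 to 1.7.3 (added example, not Huawei code and
not a device feature). It records server templates, schemes and domains and reports
bindings that do not resolve. Indentation is ignored because this guide's listings
lost it: blocks are inferred from keywords, and scheme definitions are assumed to
precede domains, as the device prints them (both are assumptions of this checker)."""
SCHEME_KINDS = ("authentication-scheme", "authorization-scheme", "accounting-scheme")
TEMPLATE_CMD = {"radius-server": "radius", "hwtacacs-server": "hwtacacs"}

def parse_aaa_config(text):
    """Return the templates, schemes and domains found in a config listing."""
    cfg = {"radius": {}, "hwtacacs": {}, "schemes": {k: {} for k in SCHEME_KINDS}, "domains": {}}
    ctx = None  # ("template", proto, name) | ("aaa",) | ("scheme", kind, name) | ("domain", name)
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        cmd = w[0]
        if cmd == "#":                                # '#' closes the current top-level block
            ctx = None
        elif cmd in TEMPLATE_CMD and len(w) >= 3 and w[1] == "template":
            cfg[TEMPLATE_CMD[cmd]][w[2]] = {"auth": [], "key": False}
            ctx = ("template", TEMPLATE_CMD[cmd], w[2])
        elif cmd == "aaa":
            ctx = ("aaa",)
        elif ctx is None:
            continue                                  # system-view lines such as 'domain default admin'
        elif ctx[0] == "template" and cmd in TEMPLATE_CMD and len(w) >= 2:
            tpl = cfg[ctx[1]][ctx[2]]
            if w[1] == "authentication" and len(w) >= 3:
                tpl["auth"].append(w[2])              # server address; 'secondary' flag not needed
            elif w[1] == "shared-key":
                tpl["key"] = True
        elif ctx[0] in ("aaa", "scheme") and cmd in SCHEME_KINDS and len(w) >= 2:
            cfg["schemes"][cmd][w[1]] = {"modes": []}  # scheme definition
            ctx = ("scheme", cmd, w[1])
        elif ctx[0] == "scheme" and cmd.endswith("-mode"):
            cfg["schemes"][ctx[1]][ctx[2]]["modes"] = w[1:]   # e.g. ['radius', 'local']
        elif ctx[0] in ("aaa", "scheme", "domain") and cmd == "domain" and len(w) == 2:
            cfg["domains"][w[1]] = {}
            ctx = ("domain", w[1])
        elif ctx[0] == "domain" and len(w) == 2:
            dom = cfg["domains"][ctx[1]]
            if cmd in SCHEME_KINDS:
                dom[cmd] = w[1]                       # scheme binding
            elif cmd in TEMPLATE_CMD:
                dom[TEMPLATE_CMD[cmd]] = w[1]         # server template binding
    return cfg

def check_aaa_config(cfg):
    """Return a list of findings; an empty list means every binding resolves."""
    findings = []
    for name, dom in cfg["domains"].items():
        for kind in SCHEME_KINDS:
            s = dom.get(kind)
            if s not in (None, "default") and s not in cfg["schemes"][kind]:
                findings.append(f"domain {name}: {kind} {s} is not defined")
            modes = cfg["schemes"][kind].get(s, {}).get("modes", [])
            for proto in ("radius", "hwtacacs"):
                if proto in modes and proto not in dom:
                    findings.append(f"domain {name}: {kind} {s} uses {proto} but no {proto} template is bound")
        for proto in ("radius", "hwtacacs"):
            tname = dom.get(proto)
            if tname is not None and tname not in cfg[proto]:
                findings.append(f"domain {name}: {proto} template {tname} is not defined")
    for proto in ("radius", "hwtacacs"):
        for tname, tpl in cfg[proto].items():
            if not tpl["key"]:
                findings.append(f"{proto} template {tname}: no shared-key configured")
    return findings

# Constructed listing modelled on 1.7.1, plus a domain and a template with deliberate mistakes.
SAMPLE_CONFIG = """\
#
radius-server template shiva
 radius-server shared-key cipher %$%$PLACEHOLDER%$%$
 radius-server authentication 129.7.66.66 1812
#
radius-server template nokey
 radius-server authentication 129.7.66.68 1812
#
aaa
 authentication-scheme auth
  authentication-mode radius local
 accounting-scheme abc
  accounting-mode radius
 domain huawei
  authentication-scheme auth
  accounting-scheme abc
  radius-server shiva
 domain branch
  authentication-scheme auth
  accounting-scheme missing
  hwtacacs-server ht
#
"""

if __name__ == "__main__":
    print("\n".join(check_aaa_config(parse_aaa_config(SAMPLE_CONFIG))))
```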

1.8 FAQ
The FAQs on AAA are listed.

1.8.1 Why Does RADIUS Authentication Fail When the RADIUS Server Template and RADIUS Server
Are Properly Configured?
This problem has the following possible causes:

l The IP address of the router (a RADIUS client) is not configured on the RADIUS server,
so the RADIUS server cannot send an authentication response packet to the router.
l Different shared keys are configured on the router and the RADIUS server.

1.8.2 Why Does the Server Checking Error Occur During RADIUS
Dynamic Authentication?
This error occurs because the RADIUS authentication server is not configured properly.

1.8.3 Why Does HWTACACS Authentication Fail When the HWTACACS Server Template and
HWTACACS Server Are Properly Configured?
This failure has the following possible causes:

l The IP address of the router (a client) is not configured on the HWTACACS server, so the
HWTACACS server cannot send an authentication response packet to the router.
l Different shared keys are configured on the router and the HWTACACS server.

1.8.4 Why Are Accounting Packets Received When Commands Are Run on Devices?
This occurs so that devices can record history commands. To disable this function, run the undo
cmd recording-scheme command in the AAA view.

1.8.5 Why Are the 802.1x Users' IP Addresses Not Displayed After I Run the Display Access-User
Command?
The device learns the IP address of an authenticated online user from ARP packets that the user
sends. If the user does not send any ARP packets, the device cannot learn or display the user's
IP address.

1.9 References
This section provides the AAA-related RFC recommendations.

Document   Description                                              Remarks
RFC 2093   Generic AAA Architecture                                 -
RFC 2094   AAA Authorization Framework                              -
RFC 2095   AAA Authorization Application Examples                   -
RFC 2096   AAA Authorization Requirements                           -
RFC 2058   Remote Authentication Dial In User Service (RADIUS)      -
RFC 2059   RADIUS Accounting                                        -
RFC 2138   Remote Authentication Dial In User Service (RADIUS)      -
RFC 2139   RADIUS Accounting                                        -
RFC 2809   Implementation of L2TP Compulsory Tunneling via RADIUS   -
RFC 2865   Remote Authentication Dial In User Service (RADIUS)      -
RFC 2866   RADIUS Accounting                                        -
RFC 2868   RADIUS Attributes for Tunnel Protocol Support            -
RFC 2869   RADIUS Extensions                                        -
RFC 0927   TACACS User Identification Telnet Option                 -

2 NAC Configuration (for wired users)

About This Chapter

This section describes principles and configuration methods of NAC for wired users and provides
configuration examples.

2.1 Overview
This section describes the definition, background, and functions of NAC.

2.2 Principles
This section describes the implementation of NAC.

2.3 Applications
This section describes the applicable scenario of NAC.

2.4 Default Configuration
This section provides the default NAC configuration. You can change the configuration as
needed.

2.5 Configuring NAC
This chapter describes NAC configuration methods.

2.6 Maintaining NAC
This section describes how to clear statistics for 802.1x authentication and MAC address
authentication.

2.7 Configuration Examples
This section provides several NAC configuration examples, including network requirements,
configuration roadmap, and configuration procedure.

2.8 References

2.1 Overview
This section describes the definition, background, and functions of NAC.

Definition
Network Admission Control (NAC) is an end-to-end access security framework and includes
802.1x authentication, MAC address authentication, and Portal authentication.

As enterprise networks develop, threats such as viruses, Trojan horses, spyware, and malicious
network attacks bring increasing risks. On a traditional enterprise network, the intranet is
considered secure and threats are assumed to come from the extranet. However, 80% of security
threats actually come from the intranet. Intranet threats cause serious damage over a wide range;
in the worst case, the system and network break down. In addition, when internal users browse
websites on the external network, spyware and Trojan horse software may be installed on their
computers automatically, without the users noticing. The malicious software may then spread
on the internal network.

The traditional security measures cannot meet requirements on border defense due to increasing
security challenges. The security model should be converted into active mode to solve security
problems from the roots (terminals), improving information security level of the entire
enterprise.

The NAC solution integrates terminal security and access control and takes check, audit,
security, and isolation measures to improve the proactive protection capability of terminals.
This solution ensures security of each terminal and the entire enterprise network.

As shown in Figure 2-1, NAC includes three components: NAC terminal, network access
device, and access server.

Figure 2-1 Typical NAC networking diagram (NAC terminal, network access device, and access
server on the intranet)

l NAC terminal: functions as the NAC client and interacts with network access devices to
authenticate access users. If 802.1x authentication is used, users must install client software.
l Network access device: functions as the network access control point that enforces enterprise
security policies. It allows, rejects, isolates, or restricts users based on the security policies
customized for enterprise networks.
l Access server: includes the access control server, management server, antivirus server, and
patch server. It authenticates users, checks terminal security, repairs and upgrades the
system, and monitors and audits user actions.

Purpose
Traditional network security technologies focus on threats from external computers, but typically
neglect threats from internal computers. In addition, current network devices cannot prevent
attacks initiated by devices on internal networks.

The NAC security framework was developed to ensure the security of network communication
services. The NAC security framework improves internal network security by focusing on user
terminals, and implements security control over access users to provide end-to-end security.

2.2 Principles
This section describes the implementation of NAC.

2.2.1 802.1x Authentication

Overview
To resolve wireless local area network (LAN) security issues, the Institute of Electrical and
Electronics Engineers (IEEE) 802 LAN/wide area network (WAN) committee developed the
802.1x protocol. Later, the 802.1x protocol was widely applied as a common access control
mechanism on LAN interfaces for authentication and security on Ethernet networks.

The 802.1x protocol is an interface-based network access control protocol. It controls users'
access to network resources by authenticating the users on access interfaces.

As shown in Figure 2-2, an 802.1x system uses a standard client/server architecture with three
components: client, device, and server.

Figure 2-2 Diagram of 802.1x authentication system (Client <-EAPOL-> Device <-RADIUS-> Server)

l The client is the entity at an end of the LAN segment and is authenticated by a device at
the other end of the link. The client is usually a user terminal. The user initiates 802.1x
authentication using client software. The client must support Extensible Authentication
Protocol over LAN (EAPOL).
l The device is the entity at an end of the LAN segment, which authenticates the connected
client. The device is usually a network device that supports the 802.1x protocol. The device
provides an interface, either physical or logical, for the client to access the LAN.
l The authentication server is the entity that provides authentication service for the device.
The authentication server carries out authentication, authorization, and accounting on users,
and is usually a RADIUS server.

Basic Concepts
1. Controlled and uncontrolled interfaces

The device provides an interface for LAN access. The interface is classified into two logical
interfaces: the controlled interface and the uncontrolled interface.
l The uncontrolled interface is mainly used to transmit EAPOL frames in both directions to
ensure that the client consistently sends and receives authentication packets.
l In Authorized state, the controlled interface transmits service packets in both directions; in
Unauthorized state, the controlled interface cannot receive packets from the client.

2. Authorized and Unauthorized states

The device uses the authentication server to authenticate clients that require LAN access and
controls the authorization state (Authorized or Unauthorized) of a controlled interface based on
the authentication result (Accept or Reject).

Figure 2-3 shows the impact of a controlled interface's authorization state on packets capable
of passing through the port in two 802.1x authentication systems. The controlled interface in
system 1 is in Unauthorized state; the controlled interface in system 2 is in Authorized state.

Figure 2-3 Impact of a controlled interface's authorization state in two 802.1x authentication
systems (each authenticator system has a controlled port and an uncontrolled port connected to
the LAN; in authenticator system 1 the controlled port is unauthorized, in authenticator system 2
it is authorized)

Authentication Triggering Modes
802.1x authentication can be initiated by either the client or device. The device supports the
following authentication triggering modes:
1. Client trigger: The client sends an EAPOL-Start packet to the device to initiate
authentication.
2. Device trigger: This mode is used when the client cannot send an EAPOL-Start packet, for
example, the built-in 802.1x client in the Windows XP operating system.

Authentication Modes
The 802.1x authentication system exchanges authentication information among the client,
device, and authentication server using the Extensible Authentication Protocol (EAP). The
exchange of EAP packets among the components is described as follows:
1. The EAP packets transmitted between the client and device are encapsulated in EAPOL
format and transmitted across the LAN.
2. The device and RADIUS server exchange EAP packets in the following modes:
l EAP relay: The device relays EAP packets. The device encapsulates EAP packets in
EAP over RADIUS (EAPoR) format and sends the packets to the RADIUS server for
authentication. This authentication mode simplifies device processing and supports
various EAP authentication methods, such as MD5-Challenge, EAP-TLS, and PEAP.
However, the RADIUS server must support the corresponding authentication methods.
l EAP termination: The device terminates EAP packets. The device encapsulates client
authentication information into standard RADIUS packets, which are then authenticated
by the RADIUS server using the Password Authentication Protocol (PAP) or Challenge
Handshake Authentication Protocol (CHAP). This authentication mode is applicable
since the majority of RADIUS servers support PAP and CHAP authentication and server
update is unnecessary. However, device processing is complex, and the device supports
only the MD5-Challenge EAP authentication method.

The 802.1X authentication system can complete authentication by exchanging information with
the RADIUS server in EAP relay mode and EAP termination mode. Figure 2-4 and Figure
2-5 demonstrate both of these authentication modes using the client triggering mode.

1. EAP relay authentication

Figure 2-4 Service process in EAP relay mode (Client <-EAPOL-> Device <-EAPOR-> RADIUS server)

1. Client -> Device: EAPOL-Start
2. Device -> Client: EAP-Request/Identity
3. Client -> Device: EAP-Response/Identity
4. Device -> RADIUS server: RADIUS Access-Request (EAP-Response/Identity)
5. RADIUS server -> Device: RADIUS Access-Challenge (EAP-Request/MD5 challenge)
6. Device -> Client: EAP-Request/MD5 challenge
7. Client -> Device: EAP-Response/MD5 challenge
8. Device -> RADIUS server: RADIUS Access-Request (EAP-Response/MD5 challenge)
9. RADIUS server -> Device: RADIUS Access-Accept (EAP-Success)
10. Device -> Client: EAP-Success; port authorized
11. Device -> Client: handshake request (EAP-Request/Identity), driven by the handshake timer
12. Client -> Device: handshake response (EAP-Response/Identity)
......
13. Client -> Device: EAPOL-Logoff; port unauthorized
14. Device -> Client: EAP-Failure

The EAP relay authentication process is described as follows:

1. When a user needs to access an external network, the user starts the 802.1x client program,
enters the applied and registered user name and password, and initiates a connection request.
At this point, the client sends an authentication request frame (EAPOL-Start) to the device
to start the authentication process.
2. After receiving the authentication request frame, the device returns an identity request
frame (EAP-Request/Identity), requesting the client to send the previously entered user
name.
3. In response to the request sent by the device, the client sends an identity response frame
(EAP-Response/Identity) containing the user name to the device.
4. The device encapsulates the EAP packet in the response frame sent by the client into a
RADIUS packet (RADIUS Access-Request) and sends the RADIUS packet to the
authentication server for processing.
5. After receiving the user name forwarded by the device, the RADIUS server searches the
user name table in the database for the corresponding password, encrypts the password with
a randomly generated MD5 challenge value, and sends the MD5 challenge value in a
RADIUS Access-Challenge packet to the device.
6. The device forwards the MD5 challenge value sent by the RADIUS server to the client.
7. After receiving the MD5 challenge value from the device, the client encrypts the password
with the MD5 challenge value, generates an EAP-Response/MD5-Challenge packet, and
sends the packet to the device.
8. The device encapsulates the EAP-Response/MD5-Challenge packet into a RADIUS packet
(RADIUS Access-Request) and sends the RADIUS packet to the RADIUS server.
9. The RADIUS server compares the received encrypted password and the locally encrypted
password. If the two passwords match, the user is considered authorized and the RADIUS
server sends a packet indicating successful authentication (RADIUS Access-Accept) to the
device.
10. After receiving the RADIUS Access-Accept packet, the device sends a frame indicating
successful authentication (EAP-Success) to the client, changes the interface state to
Authorized, and allows the user to access the network using the interface.
11. When the user is online, the device periodically sends a handshake packet to the client to
monitor the online user.
12. After receiving the handshake packet, the client sends a response packet to the device,
indicating that the user is still online. By default, the device disconnects the user if it receives
no response from the client after sending two handshake packets. The handshake
mechanism allows the server to detect unexpected user disconnections.
13. If the user wants to go offline, the client sends an EAPOL-Logoff frame to the device.
14. The device changes the interface state from Authorized to Unauthorized and sends an EAP-
Failure packet to the client.

2. EAP termination authentication

Figure 2-5 Service process in EAP termination mode (Client <-EAPOL-> Device <-RADIUS-> RADIUS server)

1. Client -> Device: EAPOL-Start
2. Device -> Client: EAP-Request/Identity
3. Client -> Device: EAP-Response/Identity
4. Device -> Client: EAP-Request/MD5 challenge
5. Client -> Device: EAP-Response/MD5 challenge
6. Device -> RADIUS server: RADIUS Access-Request (CHAP-Response/MD5 challenge)
7. RADIUS server -> Device: RADIUS Access-Accept (CHAP-Success)
8. Device -> Client: EAP-Success; port authorized
9. Device -> Client: handshake request (EAP-Request/Identity), driven by the handshake timer
10. Client -> Device: handshake response (EAP-Response/Identity)
.......
11. Client -> Device: EAPOL-Logoff; port unauthorized
12. Device -> Client: EAP-Failure

Compared with the EAP relay mode, in EAP termination mode, the device randomly generates
an MD5 challenge value for encrypting the user password in Step 4, and sends the user name,
the MD5 challenge value, and the password encrypted on the client to the RADIUS server for
authentication.

MAC Address Bypass Authentication
MAC address bypass authentication enables authentication using the device MAC address as
the user name and password. You cannot install or use 802.1x client software on some devices,
such as the printers, in the 802.1x authentication system.
During the 802.1x authentication process, a device first triggers the user to use 802.1X
authentication. If the user does not perform 802.1X authentication for a predefined period of
time, the user's MAC address is used as the user name and password, and is sent to an
authentication server for authentication.

As shown in Figure 2-6, if the device receives no response after sending multiple authentication
requests, MAC address bypass authentication is used.

Figure 2-6 Diagram of MAC address bypass authentication (Supplicant system PAE <-EAPOL->
Authenticator system PAE <-EAPOR-> RADIUS server)

Authenticator -> Supplicant: EAP-Request/Identity (sent three times, no response)
EAP-timeout; the authenticator learns the MAC address
Authenticator -> RADIUS server: RADIUS Access-Request (CHAP-Response/MD5 challenge)
RADIUS server -> Authenticator: RADIUS Access-Accept (EAP-Success)
Port authorized
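The MD5-Challenge exchange that Figures 2-4, 2-5 and 2-6 rely on, as an added example that is not Huawei's code: it builds and parses the EAP-Request/Response MD5-Challenge packets of steps 5-9 in relay mode, shows the CHAP-Password/CHAP-Challenge attributes the device sends in termination mode, and reuses them for MAC address bypass. The user accounts and challenge values are constructed, and the 12-hex-digit user-name format for the MAC address is an assumption (it is a device setting).

```python
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_MD5 = 4
# RADIUS attribute types (RFC 2865): User-Name, CHAP-Password, CHAP-Challenge
ATTR_USER_NAME, ATTR_CHAP_PASSWORD, ATTR_CHAP_CHALLENGE = 1, 3, 60


def md5_challenge_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    # The "encrypted password" of steps 5 and 7 is a hash, not a cipher:
    # MD5(Identifier || password || challenge), as in CHAP (RFC 1994) and EAP-MD5 (RFC 3748).
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_eap_md5_request(ident: int, challenge: bytes) -> bytes:
    # EAP-Request/MD5-Challenge: Code, Identifier, Length, Type, Value-Size, Value
    body = bytes([EAP_TYPE_MD5, len(challenge)]) + challenge
    return struct.pack("!BBH", EAP_REQUEST, ident, 4 + len(body)) + body


def build_eap_md5_response(ident: int, password: bytes, challenge: bytes, name: bytes) -> bytes:
    # EAP-Response/MD5-Challenge: same layout; Value is the hash, followed by the user name
    digest = md5_challenge_response(ident, password, challenge)
    body = bytes([EAP_TYPE_MD5, len(digest)]) + digest + name
    return struct.pack("!BBH", EAP_RESPONSE, ident, 4 + len(body)) + body


def parse_eap(packet: bytes) -> dict:
    # Parse the EAP header and, for MD5-Challenge, the Value and Name fields
    if len(packet) < 4:
        raise ValueError("truncated EAP packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP Length field does not match the packet size")
    out = {"code": code, "id": ident}
    if code in (EAP_REQUEST, EAP_RESPONSE) and length > 5 and packet[4] == EAP_TYPE_MD5:
        size = packet[5]
        out["type"], out["value"], out["name"] = EAP_TYPE_MD5, packet[6:6 + size], packet[6 + size:]
    return out


def eap_relay_exchange(name: bytes, client_pw: bytes, server_db: dict, challenge: bytes) -> int:
    # Relay mode (Figure 2-4): the RADIUS server picks the challenge and checks the
    # response; the device only re-wraps EAP into EAPoR. Returns the EAP code of step 10.
    ident = 1
    request = parse_eap(build_eap_md5_request(ident, challenge))            # steps 5-6
    response = build_eap_md5_response(request["id"], client_pw, request["value"], name)  # step 7
    got = parse_eap(response)                                                # steps 8-9, server side
    stored = server_db.get(got.get("name"))
    if stored is None or got["id"] != ident or got.get("type") != EAP_TYPE_MD5:
        return EAP_FAILURE
    expected = md5_challenge_response(ident, stored, challenge)
    return EAP_SUCCESS if hmac.compare_digest(expected, got["value"]) else EAP_FAILURE


def radius_attr(attr_type: int, value: bytes) -> bytes:
    # RADIUS attribute TLV: Type, Length (header included), Value
    return bytes([attr_type, 2 + len(value)]) + value


def termination_mode_attributes(name: bytes, client_pw: bytes, challenge: bytes, ident: int) -> bytes:
    # Termination mode (Figure 2-5): the device generates the challenge itself (step 4) and
    # carries the client's hash to the server as CHAP-Password (ident + 16-byte hash) plus
    # CHAP-Challenge, so the server sees plain CHAP and needs no EAP support.
    digest = md5_challenge_response(ident, client_pw, challenge)
    return (radius_attr(ATTR_USER_NAME, name)
            + radius_attr(ATTR_CHAP_PASSWORD, bytes([ident]) + digest)
            + radius_attr(ATTR_CHAP_CHALLENGE, challenge))


def mac_bypass_attributes(mac: str, challenge: bytes, ident: int) -> bytes:
    # MAC address bypass (Figure 2-6): the MAC address is both user name and password.
    # The user-name format is a device setting; 12 lower-case hex digits is an assumption here.
    name = mac.replace(":", "").replace("-", "").lower().encode()
    return termination_mode_attributes(name, name, challenge, ident)


def parse_radius_attrs(blob: bytes) -> dict:
    attrs, pos = {}, 0
    while pos + 2 <= len(blob):
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = blob[pos + 2:pos + length]
        pos += length
    return attrs


def radius_server_check_chap(server_db: dict, attrs_blob: bytes) -> bool:
    # What the RADIUS server does with CHAP-Password/CHAP-Challenge (Figure 2-5, steps 6-7)
    attrs = parse_radius_attrs(attrs_blob)
    stored = server_db.get(attrs.get(ATTR_USER_NAME))
    chap = attrs.get(ATTR_CHAP_PASSWORD, b"")
    if stored is None or len(chap) != 17 or ATTR_CHAP_CHALLENGE not in attrs:
        return False
    expected = md5_challenge_response(chap[0], stored, attrs[ATTR_CHAP_CHALLENGE])
    return hmac.compare_digest(expected, chap[1:])
```

Because the server must recompute MD5(id || password || challenge), both relay and termination mode require the RADIUS server to hold the clear-text password for each account, which is why a server that only stores password hashes cannot serve the MD5-Challenge method.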

802.1x Authentication Supports Dynamic VLAN Authorization
1. Guest VLAN

When the Guest VLAN function is enabled, if the user does not respond to the 802.1x request,
the device adds the interface where the user resides to the Guest VLAN. For example, this occurs
if no 802.1x client software is installed. In this way, the user can access resources in the Guest
VLAN, so that unauthenticated users can obtain or update the client software or run upgrade
programs.

2. Restrict VLAN

When the Restrict VLAN function is enabled, if the user authentication fails, the device adds
the interface where the user resides to the Restrict VLAN. For example, this occurs if the
incorrect user name or password is entered. Similar to the Guest VLAN function, the Restrict
VLAN function allows users to access limited network resources before being authenticated.
The Restrict VLAN typically limits access to network resources from unauthenticated users
more strictly than the Guest VLAN.

User Group Authorization
The device can authorize users based on the user group. After users are authenticated, the
authentication server groups users together. Each user group is bound to an ACL so that users
in the same user group share an ACL.

2.2.2 MAC Address Authentication

Overview
MAC address authentication controls a user's network access permission based on the user's
interface and MAC address. The user does not need to install any client software. After detecting
the user's MAC address for the first time on an interface where MAC address authentication is
running, the device begins authenticating the user. During the authentication, the user does not
need to enter a user name or password.

According to the format and contents of the user name that the device finally uses to authenticate
the user, MAC address authentication user name formats are classified into two types:
l MAC address user name: The user's MAC address is used as the user name and password
during authentication.
l Fixed user name: Regardless of users' MAC addresses, all users use a fixed user name and
password specified on the device rather than their MAC address as the identity for
authentication. Many users may be authenticated on the same interface. In this case, all
users requiring MAC address authentication on the interface use the same fixed user name,
so only one user account needs to be configured on the server to authenticate all of them.
This is applicable to a network environment with reliable access clients.

Guest VLAN
When the guest VLAN function is enabled, if the user does not respond to the MAC address
authentication request, the device adds the interface where the user resides into the guest VLAN,
so that the user can access resources in the guest VLAN. In this manner, the user can access
some network resources without being authenticated.

User Group Authorization
The device can authorize users based on the user group. After users are authenticated, the
authentication server groups users together. Each user group is bound to an ACL so that users
in the same user group share an ACL.

2.2.3 Portal Authentication

Introduction to Portal Authentication
Portal authentication is also called web authentication. Generally, Portal authentication websites
are also called Portal websites.

When an unauthenticated user accesses the Internet, the device forcibly redirects the user to a
specific site. The user then can access resources in the specific site for free. When the user needs
to access resources outside the specific site, the user must pass authentication on the portal
authentication website first.

A user can access a known Portal authentication website and enter a user name and password
for authentication. This mode is called active authentication. If a user attempts to access other
external networks through HTTP, the device forcibly redirects the user to the Portal
authentication website for Portal authentication. This mode is called forcible authentication.

System Architecture
A Portal server can be an external Portal server, or a built-in Portal server.

l Using an external Portal server

As shown in Figure 2-7, typical networking of a Portal authentication system consists of four
entities: authentication client, access device, Portal server, and authentication/accounting server.

Figure 2-7 Portal authentication system using an external Portal server

Authentication
client
Authentication/accounting
server

Authentication Access
client device

Portal server
Authentication
client

1. Authentication client: is a client system installed on a user terminal. The user terminal can
be a browser running HTTP/HTTPS or a host running Portal client software.
2. Access device: is a broadband access device such as a switch or router. It provides the
following functions:
l Redirects all HTTP requests from users on authentication subnets to the Portal server
before authentication.
l Interacts with the Portal server and the authentication/accounting server to implement
identity authentication/accounting during authentication.
l Allows the user to access authorized Internet resources after the authentication is passed.
3. Portal server: receives authentication requests from the Portal client. It provides free Portal
services and an interface based on web authentication, and exchanges authentication
information of the authentication client with the access device.
4. Authentication/accounting server: interacts with the access device to implement user
authentication and accounting.

l Portal authentication system using a built-in Portal server

The access device with the built-in Portal server implements all Portal server functions. In this
case, the Portal authentication system only includes three entities: authentication client, access
device, and authentication/accounting server, as shown in Figure 2-8.

Figure 2-8 Portal authentication system using a built-in Portal server (authentication client,
access device with built-in Portal server, authentication/accounting server)

The built-in Portal server provides Portal authentication, without the need to deploy an extra
Portal server.

The built-in Portal server implements basic functions of the Portal server, including web-based
login and logout. It cannot replace the independent Portal server or extensions.

Authentication Modes
Different Portal authentication modes can be used in different networking modes. Portal
authentication is classified into Layer 2 and Layer 3 authentication according to the network
layer on which it is implemented.

l Layer 2 authentication

The authentication client and access device are directly connected (or only Layer 2 devices exist
between the authentication client and an access device). The device can learn a user's MAC
address, and uses an IP address and a MAC address to identify the user. Portal authentication is
configured as Layer 2 authentication.

Layer 2 authentication is simple and highly secure. However, it requires that the user reside on
the same subnet as the access device, which makes the networking inflexible.

Figure 2-9 illustrates the packet interaction process when the user goes online and Layer 2
authentication is used.

Figure 2-9 Layer 2 authentication flowchart (authentication client, Portal server, access device,
RADIUS server)

(1) Authentication client -> Portal server: initiate authentication
(2) Portal server <-> Access device: CHAP authentication interaction
(3) Portal server -> Access device: authentication request (the Portal server starts a timer)
(4) Access device <-> RADIUS server: authentication interaction of RADIUS protocol
(5) Access device -> Portal server: authentication reply
(6) Portal server -> Authentication client: notify the user of successful authentication
(7) Portal server -> Access device: authentication reply acknowledgment

1. A Portal user initiates an authentication request through HTTP. The access device allows
an HTTP packet destined for the Portal server or an HTTP packet destined for the
configured authentication-free network resources to pass. The access device redirects
HTTP packets accessing other addresses to the Portal server. The Portal server provides a
web page where the user can enter a user name and password for authentication.
2. The Portal server exchanges information with the access device to implement CHAP
authentication. If PAP authentication is used, the Portal server directly performs step 3
without exchanging information with the access device to implement PAP authentication.
3. The Portal server sends the user name and password entered by the user to the access device
through an authentication request packet, and meanwhile, starts a timer to wait for an
authentication reply packet.
4. The access device exchanges a RADIUS protocol packet with the RADIUS server.
5. The access device sends an authentication reply packet to the Portal server.
6. The Portal server sends a packet to the client indicating that the authentication succeeded
and notifying the client that the authentication succeeded.
7. The Portal server sends an authentication reply acknowledgment to the access device.
l Layer 3 authentication
When the device is deployed at the aggregation or core layer, Layer 3 forwarding devices exist
between the authentication client and device. In this case, the device may not obtain the MAC
address of the authentication client. Therefore, only the IP address identifies the user. Portal
authentication is configured as Layer 3 authentication.
The Layer 3 authentication process is the same as the Layer 2 authentication process. Networking
of Layer 3 authentication is flexible, which facilitates remote control. However, only an IP
address can be used to identify a user, so Layer 3 authentication has low security.
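The access-device side of steps 1 and 2 in Figure 2-9, and the Layer 2 versus Layer 3 user identification described above, as an added example that is not Huawei's code. The Portal server address, the authentication-free resources, the user addresses and the treatment of non-HTTP traffic from unauthenticated users (dropped here) are constructed assumptions.

```python
import ipaddress

HTTP_PORTS = {80, 8080}  # ports treated as HTTP for redirection (assumption)


class PortalAccessDevice:
    """Access-device view of Portal authentication: how packets from a user are handled
    before and after the RADIUS exchange succeeds, and how the user is identified."""

    def __init__(self, portal_server: str, portal_url: str, free_resources, layer: int):
        self.portal_server = ipaddress.ip_address(portal_server)
        self.portal_url = portal_url
        # authentication-free network resources, reachable without logging in
        self.free_resources = [ipaddress.ip_network(n) for n in free_resources]
        if layer not in (2, 3):
            raise ValueError("Portal authentication is Layer 2 or Layer 3")
        self.layer = layer
        self.online = set()  # identities of authenticated users

    def identity(self, ip: str, mac: str) -> tuple:
        # Layer 2: the device sees the user's MAC address and keys on (IP, MAC).
        # Layer 3: Layer 3 devices sit in between, the MAC address is not visible,
        # so only the IP address identifies the user.
        return (ip, mac.lower()) if self.layer == 2 else (ip,)

    def user_authenticated(self, ip: str, mac: str) -> None:
        # called when the RADIUS exchange of step 4 succeeds
        self.online.add(self.identity(ip, mac))

    def user_logout(self, ip: str, mac: str) -> None:
        self.online.discard(self.identity(ip, mac))

    def handle(self, src_ip: str, src_mac: str, dst_ip: str, dst_port: int,
               proto: str = "tcp") -> str:
        """Forwarding decision for one packet: 'forward', 'redirect:<url>' or 'drop'."""
        if self.identity(src_ip, src_mac) in self.online:
            return "forward"
        dst = ipaddress.ip_address(dst_ip)
        if dst == self.portal_server or any(dst in net for net in self.free_resources):
            return "forward"                      # step 1: Portal server and free resources pass
        if proto == "tcp" and dst_port in HTTP_PORTS:
            return "redirect:" + self.portal_url  # other HTTP is redirected to the Portal page
        return "drop"                             # non-HTTP from an unauthenticated user (assumption)


def identification_demo() -> dict:
    # Illustrates the guide's point about Layer 3 authentication: after the user at
    # 10.1.1.5 logs in, a second host presenting the same IP address but another MAC
    # address is still redirected by a Layer 2 device, but is treated as the online user
    # by a Layer 3 device, which only has the IP address to go on. Addresses are constructed.
    results = {}
    for layer in (2, 3):
        dev = PortalAccessDevice("10.1.1.100", "http://10.1.1.100/portal", ["10.1.1.200/32"], layer)
        dev.user_authenticated("10.1.1.5", "aa:bb:cc:dd:ee:01")
        results[layer] = dev.handle("10.1.1.5", "aa:bb:cc:dd:ee:02", "203.0.113.10", 80)
    return results
```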

Detection and Survival
If the Portal server fails or communication is interrupted due to a network failure between the
device and Portal server, new Portal authentication users cannot go online, and online Portal
users cannot go offline normally. User information on the Portal server and the device may be
different, resulting in accounting errors.

With the Portal detection and survival function, even if the network fails or the Portal server
cannot function properly, the device still allows users with certain access rights to use the
network normally, and reports failures using logs and traps. Meanwhile, the user information
synchronization mechanism ensures that user information on the Portal server matches that on
the device, preventing accounting errors.

User Group Authorization
The device can authorize users based on the user group. After users are authenticated, the
authentication server groups users together. Each user group is bound to an ACL so that users
in the same user group share an ACL.

2.3 Applications
This section describes the applicable scenario of NAC.

2.3.1 802.1x Authentication
As shown in Figure 2-10, users' network access needs to be controlled to ensure network
security. Only authenticated users are allowed to access network resources authorized by the
administrator.

Figure 2-10 Typical application of 802.1x authentication (users, access device, authentication
server, Internet)

The user terminal is a PC with 802.1x client software installed on it. The user can use the 802.1x
client software to initiate an authentication request to the access device. After exchanging
information with the user terminal, the access device sends the user information to the
authentication server for authentication. If the authentication succeeds, the access device sets
the interface connected to the user to the Up state and allows the user to access the network. If
the authentication fails, the access device rejects the user's access request.

NOTE

802.1x authentication results in the change of the interface state, but does not involve IP address negotiation
or assignment. 802.1x authentication is the simplest authentication solution. However, the 802.1x client
software must be installed on the user terminal.

2.3.2 MAC Address Authentication
As shown in Figure 2-11, user terminals' network access needs to be controlled to ensure network
security. Only authenticated users are allowed to access network resources authorized by the
administrator.

Figure 2-11 Typical application of MAC address authentication (user and printer on interface1,
access device, authentication server, Internet)

A printer cannot run 802.1x client software. In this case, enable MAC address authentication on
interface1, which connects to the printer. The access device then uses the printer's MAC address as
both the user name and the password and sends it to the authentication server for authentication. If
authentication succeeds, the access device sets the interface connected to the printer to the
Authorized state and forwards the printer's traffic. If authentication fails, the access device rejects
the printer's access request.

NOTE

Apart from MAC address authentication, terminals with simple functions that cannot install the 802.1x
client software and do not require high security (such as printers) can also be authenticated using 802.1x
MAC address bypass authentication.

2.3.3 Portal Authentication


As shown in Figure 2-12, user terminals' network access needs to be controlled to ensure network
security. Only authenticated users are allowed to access network resources authorized by the
administrator.


Figure 2-12 Typical application of Portal authentication

(Figure not reproduced. It shows two user terminals connected to an access device; the access device redirects them to the Portal server, forwards authentication to the authentication server, and connects them to the Internet.)

If users only need to authenticate through a web browser, with no client software on the terminal,
enable Portal authentication on the access device.

When an unauthenticated user sends web traffic towards the Internet, the access device redirects the
browser to the Portal authentication website, where the user enters the credentials. If authentication
succeeds, the access device allows the user to access the network. If authentication fails, the access
device rejects the user's access request.

2.4 Default Configuration


This section provides the default NAC configuration. You can change the configuration as
needed.

Table 2-1 describes the default configuration of 802.1x authentication.

Table 2-1 Default configuration of 802.1x authentication

Parameter                               Default setting
802.1x authentication                   Disabled
Interface authorization status          Auto
Access control mode on the interface    MAC address-based
User authentication mode                CHAP authentication

Table 2-2 describes the default configuration of MAC address authentication.


Table 2-2 Default configuration of MAC address authentication

Parameter                               Default setting
MAC address authentication              Disabled
User name format                        User names and passwords in MAC address authentication are MAC addresses without hyphens.
User authentication domain              Default

Table 2-3 describes the default configuration of Portal authentication.

Table 2-3 Default configuration of Portal authentication

Parameter                                                              Default setting
Portal authentication                                                  Disabled
Portal protocol versions supported by the device                       v2, v1
Destination port the device uses to send packets to the Portal server  50100
Port on which the device listens for Portal protocol packets           2000
Source subnet for Portal authentication                                0.0.0.0/0
Portal authentication mode of the built-in Portal server               CHAP mode
Offline detection period                                               300 seconds

2.5 Configuring NAC


This chapter describes NAC configuration methods.

2.5.1 Configuring 802.1x Authentication


You can configure 802.1x authentication to implement interface-based network access control.
This means you can authenticate and control access users connected to an access control device
interface.

NOTE

The 4GE-2S card does not support 802.1x authentication.


Layer 3 Ethernet interfaces (including logical Layer 3 interfaces) do not support 802.1x authentication. In
this document, 802.1x authentication enabled interfaces refer to Layer 2 Ethernet interfaces.


Prerequisites
802.1x only provides a user authentication solution. To implement this solution, the AAA
function must also be configured. Therefore, the following tasks must be completed before you
configure 802.1x authentication:

l Configuring the authentication domain and AAA scheme on the AAA client.
l Configuring the user name and password on the RADIUS or HWTACACS server if
RADIUS or HWTACACS authentication is used.
l Configuring the user name and password manually on the network access device if local
authentication is used.

For the configuration of AAA client, see 1 AAA Configuration in the Huawei
AR150&200&1200&2200&3200 Series Enterprise Routers Configuration Guide-Security.

2.5.1.1 Enabling 802.1x Authentication

Context
The 802.1x configuration takes effect on an interface only after 802.1x authentication is enabled
globally and on the interface.

802.1x authentication cannot be disabled on an interface while users authenticated through 802.1x
are online on that interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dot1x enable

Global 802.1x authentication is enabled.

By default, global 802.1x authentication is disabled.

Step 3 Enable 802.1x authentication on the interface in the system or interface view.
l In the system view:
1. Run:
dot1x enable interface { interface-type interface-number1 [ to interface-
number2 ] } &<1-10>

802.1x authentication of the interface is enabled.


l In the interface view:
1. Run:
interface interface-type interface-number

The interface view is displayed.


2. Run:
dot1x enable


802.1x authentication of the interface is enabled.

By default, 802.1x authentication of an interface is disabled.

----End

2.5.1.2 (Optional) Configuring the Authorization State of an Interface

Context
You can configure the authorization state of an interface to control whether an access user must
be authenticated before accessing network resources. The interface supports the following
authorization states:
l Auto mode: The interface is initially in Unauthorized state and sends and receives EAPOL
packets only. Users cannot access network resources. After a user passes the authentication,
the interface turns to Authorized state. Users are allowed to access network resources in
this state.
l Authorized-force mode: The interface is always in Authorized state and allows users to
access network resources without authentication.
l Unauthorized-force mode: The interface is always in Unauthorized state and does not allow
users to access network resources.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Configure the authorization state of an interface in the system or interface view.
l In the system view:
1. Run:
dot1x port-control { auto | authorized-force | unauthorized-force } interface
{ interface-type interface-number1 [ to interface-number2 ] } &<1-10>

The authorization state of the interface is configured.


l In the interface view:
1. Run:
interface interface-type interface-number

The interface view is displayed.


2. Run:
dot1x port-control { auto | authorized-force | unauthorized-force }

The authorization state of the interface is configured.

By default, the authorization state of an interface is auto.

----End


2.5.1.3 (Optional) Configuring the Access Control Mode of an Interface

Context
After 802.1x authentication is enabled, the device supports two access control modes of an
interface:
l Interface-based mode: After the first user on the interface passes authentication, other users
on the interface can access the network without being authenticated. When that authenticated
user goes offline, the other users lose access as well. This mode suits a group of users behind
a single trusted uplink; use it with care, because every station on the segment rides on the
first user's authorization, and a hub or unmanaged switch on the port lets unauthenticated
devices in.
l MAC address-based mode: Every user on the interface must be authenticated individually. When
one user goes offline, the others keep their access. This mode suits individual users and is the
default.
NOTE

When 802.1x authentication users are online, you cannot change the access control mode of an interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Configure the access control mode of an interface in the system or interface view.
l In the system view:
1. Run:
dot1x port-method { mac | port } interface { interface-type interface-number1
[ to interface-number2 ] } &<1-10>

The access control mode of the interface is configured.


l In the interface view:
1. Run:
interface interface-type interface-number

The interface view is displayed.


2. Run:
dot1x port-method { mac | port }

The access control mode of the interface is configured.


By default, an interface uses the MAC address-based mode.

----End
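The following Python model, added here as an illustration and not part of the Huawei documentation or software, shows how the authorization state (2.5.1.2) and the access control mode (2.5.1.3) together decide whether a frame from a given MAC address is forwarded. The class and method names, the max-user value and the MAC addresses are invented for the example; the behaviour modelled is the one described in the two sections above, including the piggybacking that interface-based mode permits.

```python
from dataclasses import dataclass, field


@dataclass
class Dot1xPort:
    """Model of one Layer 2 interface with 802.1x enabled (illustrative only)."""
    port_control: str = "auto"     # dot1x port-control: auto | authorized-force | unauthorized-force
    port_method: str = "mac"       # dot1x port-method: mac | port
    max_user: int = 8              # dot1x max-user; assumed small limit, only checked in mac mode
    authenticated: set = field(default_factory=set)   # MAC addresses that passed authentication

    def allows(self, mac: str) -> bool:
        """Would a data frame from `mac` be forwarded by this interface right now?"""
        if self.port_control == "authorized-force":
            return True                       # permanently Authorized: no authentication at all
        if self.port_control == "unauthorized-force":
            return False                      # permanently Unauthorized: nobody gets through
        if self.port_method == "port":
            # interface-based mode: the whole port is Authorized while anyone is online
            return bool(self.authenticated)
        return mac in self.authenticated      # MAC-based mode: every station on its own

    def authenticate(self, mac: str, server_accepts: bool) -> bool:
        """Outcome of an EAP exchange for `mac`; returns whether `mac` may now send traffic."""
        if self.port_control != "auto":
            return self.allows(mac)           # forced states ignore the server's verdict
        if not server_accepts:
            self.authenticated.discard(mac)
            return False
        if (self.port_method == "mac" and mac not in self.authenticated
                and len(self.authenticated) >= self.max_user):
            return False                      # max-user reached: new user refused, online users untouched
        self.authenticated.add(mac)
        return True

    def logoff(self, mac: str) -> None:
        """The user sends EAPOL-Logoff or is otherwise removed."""
        self.authenticated.discard(mac)


def piggyback_demo(port_method: str) -> dict:
    """Constructed scenario: Alice authenticates, Bob never does, then Alice leaves.

    The MAC addresses are made up for the example."""
    port = Dot1xPort(port_method=port_method)
    alice, bob = "00e0-fc00-0001", "00e0-fc00-0002"
    result = {"bob_before": port.allows(bob)}
    port.authenticate(alice, server_accepts=True)
    result["bob_while_alice_online"] = port.allows(bob)
    port.logoff(alice)
    result["bob_after_alice_leaves"] = port.allows(bob)
    return result


if __name__ == "__main__":
    print("port-based:", piggyback_demo("port"))   # Bob rides on Alice's authorization
    print("mac-based: ", piggyback_demo("mac"))    # Bob is never allowed
```

In interface-based mode `piggyback_demo("port")` reports Bob allowed while Alice is online and cut off when she leaves; in MAC-based mode Bob is refused throughout, which is why the default mode is the right one for anything other than a single trusted downstream device.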

2.5.1.4 (Optional) Setting the User Authentication Mode

Context
During 802.1x authentication, users exchange authentication information with the device using
EAP packets. The device uses two modes to exchange authentication information with the
RADIUS server.


l EAP termination: The device terminates the EAP exchange itself, parses the EAP packets,
encapsulates the user's credentials into a standard RADIUS packet, and sends the packet to the
RADIUS server for authentication. EAP termination is classified into PAP or CHAP authentication.
PAP is a two-way handshake authentication protocol. The password is carried in the RADIUS
User-Password attribute, which is hidden only by XORing it with an MD5 stream derived from
the shared secret and the Request Authenticator; anyone who knows or captures the shared
secret can recover the password from the RADIUS packet.
CHAP is a three-way handshake authentication protocol. The device sends the user name, the
challenge, and the MD5 response computed from the challenge and the password; the password
itself never appears in the RADIUS packet. CHAP is more secure than PAP and is
recommended when high security is required.
After the device parses the EAP packets, the user information is authenticated by the local
AAA module or sent to a RADIUS or HWTACACS server.
l EAP relay (specified by eap): The device does not parse the received EAP packets; it
encapsulates them unchanged into RADIUS packets and sends them to the RADIUS server, which
runs the EAP method itself. This mechanism is called EAP over RADIUS (EAPoR).
EAP relay requires that the RADIUS server be able to process the EAP methods in use, so it is the
choice when the RADIUS server has sufficient processing capability. If the RADIUS server cannot
process EAP, use EAP termination, in which the device parses the EAP packets on the server's
behalf. Note that the device terminates only the password-based MD5-Challenge method;
certificate-based methods such as EAP-TLS and PEAP are not parsed by the device and have to be
relayed to the RADIUS server.
NOTE

The EAP relay can be configured for 802.1x users only when RADIUS authentication is used.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dot1x authentication-method { chap | eap | pap }

The authentication mode is set for 802.1x users.


By default, the CHAP authentication mode is used.

----End
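To make the difference between the three modes concrete, the following Python example, written for this guide and not taken from Huawei software, builds the RADIUS Access-Request that the device would send in each mode: PAP hides the password only with the shared secret (RFC 2865 section 5.2), CHAP sends a challenge response instead of the password (RFC 2865 section 5.3), and EAP relay carries the EAP frame unchanged in EAP-Message together with the Message-Authenticator that RFC 3579 requires. The shared secret, password, Request Authenticator and EAP frame are constructed values; the attribute type numbers are the standard RADIUS ones.

```python
import hashlib
import hmac
import struct

# Constructed values for the example; a real NAS uses a random 16-byte Request
# Authenticator per packet and a long, private shared secret.
SECRET = b"Huawei@123"
PASSWORD = b"Pa55w0rd"
REQ_AUTH = bytes(range(16))
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80


def build_access_request(ident: int, req_auth: bytes, attrs: list) -> bytes:
    """RADIUS header (code, id, length, authenticator) followed by TLV attributes."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def attributes(packet: bytes) -> dict:
    """Walk the attribute list of a packet into {type: value} (first occurrence wins)."""
    out, pos = {}, 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2:
            break                                    # malformed; stop rather than loop forever
        out.setdefault(t, packet[pos + 2:pos + length])
        pos += length
    return out


def pap_hide(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 User-Password hiding: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out += block
        prev = block
    return out


def pap_recover(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """What anyone holding the shared secret learns from a captured PAP Access-Request."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ s for c, s in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def pap_request(ident: int, username: bytes, password: bytes) -> bytes:
    """PAP termination: the (hidden) password itself travels to the server."""
    return build_access_request(ident, REQ_AUTH, [
        (USER_NAME, username), (USER_PASSWORD, pap_hide(password, SECRET, REQ_AUTH))])


def chap_request(ident: int, username: bytes, password: bytes, chap_id: int, challenge: bytes) -> bytes:
    """CHAP termination: the server gets ident + MD5(ident + password + challenge), never the password."""
    response = bytes([chap_id]) + hashlib.md5(bytes([chap_id]) + password + challenge).digest()
    return build_access_request(ident, REQ_AUTH, [
        (USER_NAME, username), (CHAP_PASSWORD, response), (CHAP_CHALLENGE, challenge)])


def eap_relay_request(ident: int, username: bytes, eap_frame: bytes) -> bytes:
    """EAP relay: the EAP frame is forwarded unparsed in EAP-Message; RFC 3579 then requires a
    Message-Authenticator, an HMAC-MD5 over the whole packet computed with that value zeroed."""
    attrs = [(USER_NAME, username), (EAP_MESSAGE, eap_frame), (MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    blank = build_access_request(ident, REQ_AUTH, attrs)
    attrs[-1] = (MESSAGE_AUTHENTICATOR, hmac.new(SECRET, blank, hashlib.md5).digest())
    return build_access_request(ident, REQ_AUTH, attrs)


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check: recompute the HMAC with the attribute value zeroed in place."""
    pos = 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2:
            return False
        if t == MESSAGE_AUTHENTICATOR and length == 18:
            blank = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, blank, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False                                     # attribute absent: reject the relayed EAP
```

Run `pap_recover` on the User-Password value of a `pap_request` with the shared secret and the password comes straight back, which is the practical meaning of "plain text" in this section: the RADIUS shared secret is the only thing protecting PAP credentials on the path to the server. The CHAP packet contains no recoverable password, and the relayed EAP packet is rejected by `verify_message_authenticator` as soon as a byte is changed or the wrong secret is used.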

2.5.1.5 (Optional) Enabling MAC Address Bypass Authentication

Context
You can enable MAC address bypass authentication for terminals (for example, printers) on
which the 802.1x client software cannot be installed or used. After MAC address bypass
authentication is configured on an interface, the device first performs 802.1x authentication on a
user. If 802.1x authentication fails, the device sends the user's MAC address to the authentication
server as both the user name and the password.
If the terminals without an 802.1x client on such an interface need to be authenticated quickly,
configure MAC address authentication to be performed first. The interface then authenticates the
terminal by its MAC address first and triggers 802.1x authentication only if MAC address
authentication fails.


NOTE

After MAC address bypass authentication is configured on the interface where 802.1x authentication is
not enabled, 802.1x authentication is enabled on the interface.
AR150&200 series products do not support MAC address bypass authentication.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Enable MAC address bypass authentication on the interface in the system view or interface view.
l In the system view:
1. Run:
dot1x mac-bypass interface { interface-type interface-number1 [ to interface-
number2 ] } &<1-10>

MAC address bypass authentication is enabled on the interface.

By default, MAC address bypass authentication is disabled on an interface.


2. (Optional) Run:
dot1x mac-bypass mac-auth-first interface { interface-type interface-number1
[ to interface-number2 ] } &<1-10>

MAC address authentication is performed first during MAC address bypass authentication.

By default, MAC address authentication is not performed first during MAC address bypass
authentication.
l In the interface view:
1. Run:
interface interface-type interface-number

The interface view is displayed.


2. Run:
dot1x mac-bypass

MAC address bypass authentication is enabled on the interface.

By default, MAC address bypass authentication is disabled on an interface.


3. (Optional) Run:
dot1x mac-bypass mac-auth-first

MAC address authentication is performed first during MAC address bypass authentication.

By default, MAC address authentication is not performed first during MAC address bypass
authentication.
4. Run:
quit

The system view is displayed.


NOTE

802.1x authentication is disabled on the interface when MAC address bypass authentication is disabled on
the interface using the undo dot1x mac-bypass command.

----End

2.5.1.6 (Optional) Setting the Maximum Number of Concurrent Access Users for
802.1x Authentication on an Interface

Context
The administrator can set the maximum number of concurrent access users for 802.1x
authentication on the interface. When the number of access users reaches the maximum number
allowed, new users for 802.1x authentication cannot access networks through the interface.
NOTE

l If the number of current online users on an interface has exceeded the maximum number, online users
are not affected but new access users are limited.
l This function is effective only when the MAC address-based access mode is configured on the
interface. When the interface-based access mode is configured on the interface, the maximum number
of concurrent access users on the interface is automatically set to 1. In this case, after one user is
authenticated on the interface, other users can go online without being authenticated.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Set the maximum number of concurrent access users on an interface in the system or interface
view.
l In the system view:
1. Run:
dot1x max-user user-number interface { interface-type interface-number1 [ to
interface-number2 ] } &<1-10>

The maximum number of concurrent access users is set for 802.1x authentication on the
interface.
l In the interface view:
1. Run:
interface interface-type interface-number

The interface view is displayed.


2. Run:
dot1x max-user user-number

The maximum number of concurrent access users is set for 802.1x authentication on the
interface.


By default, the maximum number of concurrent 802.1x users on an interface is the maximum number
of 802.1x users supported by the device.

----End

2.5.1.7 (Optional) Configuring Timers for 802.1x Authentication

Context
During 802.1x authentication, several timers pace the interaction between access users, the access
device, and the authentication server. You can change their values with the dot1x timer command
to adjust the interaction; this is only necessary in special network environments, and the default
settings are recommended. The following timers can be configured for 802.1x authentication:
l Client timeout timer (client-timeout): The device starts this timer after sending an
EAP-Request/MD5-Challenge packet to the client. If the client does not respond before the timer
expires, the device retransmits the packet.
l Server timeout timer (server-timeout): The device starts this timer after sending a RADIUS
Access-Request packet to the authentication server. If the server does not respond before the
timer expires, the device retransmits the request.
l User name request timeout timer (tx-period): This timer has two uses. The device starts it after
sending an EAP-Request/Identity packet to a client; if the client does not respond before it
expires, the device retransmits the packet. The same interval also governs how often the device
multicasts EAP-Request/Identity packets to discover clients that do not send an EAPOL-Start
packet on their own (for compatibility with such clients).

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dot1x timer { client-timeout client-timeout-value | server-timeout server-timeout-
value | tx-period tx-period-value }

The 802.1x timers are configured.

By default, client-timeout, server-timeout, and tx-period are each set to 30 seconds.

NOTE

The client timeout timer and the user name request timeout timer are enabled by default.

----End


2.5.1.8 (Optional) Configuring the Quiet Function in 802.1x Authentication

Context
After the quiet function is enabled, when a user fails 802.1x authentication the configured number
of times within 60 seconds, the device puts the user in the quiet state and discards that user's 802.1x
authentication requests for the quiet period. This limits the load that repeated authentication
attempts (for example, password guessing or a misconfigured client) place on the device and the
authentication server.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dot1x quiet-period

The quiet function is enabled.

By default, the quiet function is disabled.

Step 3 (Optional) Run:


dot1x quiet-times fail-times

The maximum number of authentication failures within 60 seconds before the device quiets the
802.1x authentication user is configured.

By default, an 802.1x user enters the quiet state after three authentication failures within 60
seconds.

Step 4 (Optional) Run:


dot1x timer quiet-period quiet-period-value

The quiet timer is set.

By default, the quiet timer is 60 seconds.

----End
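The following Python model, added as an illustration and not taken from Huawei software, reproduces the counting rule of this section: failures are counted per user within a 60-second window, the configured number of failures puts the user in the quiet state, and requests during the quiet period are discarded without being processed. The class name, the demo function and the MAC address are invented; the default values are the ones stated above.

```python
from collections import defaultdict, deque


class Dot1xQuietGuard:
    """Per-user failure counting with a quiet period (illustrative model, not device code).

    quiet_times:  failures within `window` seconds that trigger the quiet state (dot1x quiet-times)
    window:       the 60-second counting window described in this section
    quiet_period: seconds during which the user's requests are dropped (dot1x timer quiet-period)
    """

    def __init__(self, quiet_times: int = 3, window: int = 60, quiet_period: int = 60):
        self.quiet_times, self.window, self.quiet_period = quiet_times, window, quiet_period
        self.failures = defaultdict(deque)    # mac -> timestamps of recent failures
        self.quiet_until = {}                 # mac -> time at which the quiet state ends

    def accepts(self, mac: str, now: float) -> bool:
        """Should the device process an 802.1x request from `mac` at time `now`?"""
        if now < self.quiet_until.get(mac, 0):
            return False                      # quiet state: request silently discarded
        self.quiet_until.pop(mac, None)       # quiet period over, start afresh
        return True

    def failed(self, mac: str, now: float) -> bool:
        """Record an authentication failure; returns True if `mac` has just entered the quiet state."""
        recent = self.failures[mac]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                  # forget failures older than the window
        if len(recent) >= self.quiet_times:
            recent.clear()
            self.quiet_until[mac] = now + self.quiet_period
            return True
        return False


def password_guess_demo(attempt_times) -> list:
    """Constructed scenario: one station fails authentication at each time in `attempt_times`.

    Returns, per attempt, 'dropped' (discarded in quiet state), 'quieted' (this failure
    triggered the quiet state) or 'failed' (processed, rejected, still being counted)."""
    guard = Dot1xQuietGuard()
    mac = "00e0-fc00-00aa"                    # made-up MAC address
    outcome = []
    for t in attempt_times:
        if not guard.accepts(mac, t):
            outcome.append("dropped")
        elif guard.failed(mac, t):
            outcome.append("quieted")
        else:
            outcome.append("failed")
    return outcome


if __name__ == "__main__":
    print(password_guess_demo([0, 10, 20, 30, 50, 81]))   # third failure at t=20 starts a 60 s quiet period
    print(password_guess_demo([0, 30, 61]))               # three failures spread over more than 60 s: never quieted
```

A burst of three failures within the window is quieted on the third one and the next requests are dropped until the quiet timer expires; the same three failures spread over more than 60 seconds never trigger the quiet state, which is why the quiet function limits load from a fast retry loop but is not a substitute for strong credentials.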

2.5.1.9 (Optional) Configuring Re-authentication for 802.1x Authentication Users

Context
If the administrator modifies user information on the authentication server, parameters such as
the user access permission and authorization attribute are changed. If a user has passed 802.1x
authentication, you must re-authenticate the user to ensure user validity.

After the user goes online, the device saves user authentication information. After re-
authentication is enabled for 802.1x authentication users, the device sends the saved
authentication information of the online user to the authentication server for re-authentication.
If the user's authentication information does not change on the authentication server, the user is
kept online. If the authentication information has been changed, the user is forced to go offline,
and then re-authenticated according to the changed authentication information.


You can configure re-authentication for 802.1x authentication users using either of the following
methods:
l Re-authenticate all online 802.1x authentication users on a specified interface periodically.
l Re-authenticate an online 802.1x authentication user once with a specified MAC address.

Procedure
l Configure periodic re-authentication for all online 802.1x authentication users on a
specified interface.
1. Run:
system-view

The system view is displayed.


2. Enable periodic re-authentication for all online 802.1x authentication users on the
specified interface in the system or interface view.
In the system view:
a. Run:
dot1x reauthenticate interface { interface-type interface-number1
[ to interface-number2 ] } &<1-10>

Periodic 802.1x re-authentication is enabled on the interface.


In the interface view:
a. Run:
interface interface-type interface-number

The interface view is displayed.


b. Run:
dot1x reauthenticate

Periodic 802.1x re-authentication is enabled on the interface.


c. Run:
quit

The system view is displayed.


By default, periodic 802.1x re-authentication is disabled on an interface.
3. (Optional) Run:
dot1x timer reauthenticate-period reauthenticate-period-value

The re-authentication interval for online 802.1x authentication users is set.


By default, the device re-authenticates online 802.1x authentication users at the
interval of 3600 seconds.
l Configure re-authentication for an online 802.1x authentication user with a specified MAC
address.
1. Run:
system-view

The system view is displayed.


2. Run:
dot1x reauthenticate mac-address mac-address

Re-authentication is enabled for the online 802.1x authentication user with the
specified MAC address.


By default, re-authentication for the online 802.1x authentication user with a specified
MAC address is disabled.
----End

2.5.1.10 (Optional) Configuring the Handshake Function for 802.1x Online Users

Context
You can configure the handshake function to detect online users that have left without logging
off. The device sends a handshake request packet to each authenticated online user at intervals. If
a user does not respond after the maximum number of retransmissions, the device disconnects the
user.
If the 802.1x client does not support the handshake packet exchange, the device receives no
handshake response within the handshake period and would disconnect a user that is still present.
Disable the handshake function for such clients to prevent the device from mistakenly
disconnecting them.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dot1x handshake

The handshake function is enabled for 802.1x online users.


By default, the handshake function is disabled for 802.1x online users.
Step 3 (Optional) Run:
dot1x timer handshake-period handshake-period-value

The interval at which the device handshakes with 802.1x online users is set.
By default, the interval for sending handshake packets is 60 seconds.
Step 4 (Optional) Run:
dot1x retry max-retry-value

The maximum number of times a request packet (the handshake request in this context) is sent to
the user is set.

By default, a request is sent twice.

----End

2.5.1.11 (Optional) Configuring the Guest VLAN Function

Context
After the guest VLAN function is enabled, the device allows users to access resources in the
Guest VLAN without 802.1x authentication. For example, the users can obtain the client
software, upgrade the client, or run other upgrade programs.


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Configure the guest VLAN function in the system or interface view.
l In the system view:
1. Run:
authentication guest-vlan vlan-id interface { interface-type interface-
number1 [ to interface-number2 ] } &<1-10>

The guest VLAN to which the interface is added is configured.


l In the interface view:
1. Run:
interface interface-type interface-number

The interface view is displayed.


2. Run:
authentication guest-vlan vlan-id

The guest VLAN to which the interface is added is configured.

By default, an interface is not added to the guest VLAN.

NOTE

When 802.1x authentication and MAC address-based access method are used, run the port link-type
hybrid command to set the link type on the interface to Hybrid.

----End

2.5.1.12 (Optional) Configuring the Restrict VLAN Function

Context
You can configure the restrict VLAN function on the device interface to enable users who fail
authentication to access some network resources (for example, to update the virus library). The
users are added to the restrict VLAN when failing authentication and can access resources in
the restrict VLAN. The user fails authentication in this instance because the authentication server
rejects the user for some reasons (for example, the user enters an incorrect password) not because
the authentication times out or the network is disconnected.

Similar to the guest VLAN, the restrict VLAN allows users to access limited network resources
before passing 802.1x authentication. Generally, fewer network resources are deployed in the
restrict VLAN than in the guest VLAN; therefore, the restrict VLAN limits access to network
resources from unauthenticated users more strictly.

Procedure
Step 1 Run:
system-view


The system view is displayed.

Step 2 Configure the restrict VLAN function in the system or interface view.
l In the system view:
1. Run:
authentication restrict-vlan vlan-id interface { interface-type interface-
number1 [ to interface-number2 ] } &<1-10>

A restrict VLAN where the interface is added is configured.


l In the interface view:
1. Run:
interface interface-type interface-number

The interface view is displayed.


2. Run:
authentication restrict-vlan vlan-id

A restrict VLAN where the interface is added is configured.

By default, an interface is not added to the restrict VLAN.

NOTE

When 802.1x authentication and MAC address-based access method are used, run the port link-type
hybrid command to set the link type on the interface to Hybrid.

----End

2.5.1.13 (Optional) Configuring 802.1x Authentication Triggered by a DHCP Packet

Context
In the 802.1x authentication network, if a user uses a built-in 802.1x client of a PC operating
system (such as Windows XP), the user cannot enter the user name and password proactively
to trigger authentication.

For such users, the administrator configures 802.1x authentication triggered by a DHCP packet.
After 802.1x authentication triggered by a DHCP packet is enabled, the device triggers 802.1x
authentication for a user upon receiving a DHCP packet from the user. A built-in 802.1x
authentication page of the operating system is automatically displayed on the user terminal. The
user enters the user name and password for authentication.

Alternatively, 802.1x authentication triggered by a DHCP packet enables the user to implement
authentication using the built-in 802.1x client of the operating system. After being authenticated,
the user accesses an 802.1x client download web page to download and install the 802.1x client
software, which facilitates fast network deployment.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dot1x dhcp-trigger

802.1x authentication triggered by a DHCP packet is enabled.

By default, 802.1x authentication triggered by a DHCP packet is disabled.

----End

2.5.1.14 (Optional) Configuring the User Group Function

Context
In NAC applications, there are many access users, but user types are limited. You can create
user groups on the device and associate each user group to an ACL. In this way, users in the
same group share rules in the ACL.

After creating user groups, you can set priorities and VLANs for the user groups, so that users
in different user groups have different priorities and network access rights. The administrator
can then flexibly manage users.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-group group-name

A user group is created and the user group view is displayed.

Step 3 Run:
acl-id acl-number

An ACL is bound to the user group.

By default, no ACL is bound to a user group.

NOTE

Before running this command, ensure that the ACL has been created using the acl (system view) or acl
name command.

Step 4 Run:
user-vlan vlan-id

The user group VLAN is configured.

By default, no user group VLAN is configured.

NOTE

Before running this command, ensure that the VLAN has been created using the vlan command.

Step 5 Run:
remark { 8021p 8021p-value | dscp dscp-value | exp exp-value | lp lp-value }*


The user group priority is configured.

By default, no user group priority is configured.

----End

2.5.1.15 Checking the Configuration

Context
You can run the commands to check the configured parameters after completing the 802.1x
authentication configuration.

Procedure
l Run the display dot1x [ statistics ] [ interface { interface-type interface-number1 [ to
interface-number2 ] } &<1-10> ] command to check the 802.1x authentication
configuration.
l Run the display mac-address { authen | guest } [ interface-type interface-number |
vlan vlan-id ] command to check the current authen or guest MAC address entries in the
system.
l Run the display user-group [ group-name ] command to check the user group
configuration.
l Run the display access-user user-group group-name command to check information
about online users in a user group.

----End

2.5.2 Configuring MAC Address Authentication


MAC address authentication controls a user's network access right based on the user's access
interface and MAC address. The user does not need to install any client software: the device uses
the terminal's MAC address as both the user name and the password, and starts authenticating the
terminal the first time it sees its MAC address. Because a MAC address is visible on the wire and
easy to change on most terminals, this identifies the device rather than proving who it is; reserve
it for terminals that cannot run an 802.1x client and restrict what they can reach, for example
through a dedicated VLAN or a user group bound to an ACL.

NOTE

The 4GE-2S card does not support MAC address authentication.


AR150&200 series products do not support MAC address authentication.
Layer 3 Ethernet interfaces (including logical Layer 3 interfaces) do not support MAC address
authentication. In this document, MAC address authentication enabled interfaces refer to Layer 2 Ethernet
interfaces.

Prerequisites
MAC address authentication only provides a user authentication solution. To implement this
solution, the AAA function must also be configured. Therefore, the following tasks must be
completed before you configure MAC address authentication:

l Configuring the authentication domain and AAA scheme on the AAA client.
l Configuring the user name and password on the RADIUS or HWTACACS server if
RADIUS or HWTACACS authentication is used.

l Configuring the user name and password manually on the network access device if local
authentication is used.

For the configuration of AAA client, see 1 AAA Configuration in the Huawei
AR150&200&1200&2200&3200 Series Enterprise Routers Configuration Guide-Security.

2.5.2.1 Enabling MAC Address Authentication

Context
The MAC address authentication configuration takes effect on an interface only after MAC
address authentication is enabled globally and on the interface.

After MAC address authentication is enabled, it cannot be disabled on an interface while users who
logged in through MAC address authentication are still online on that interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
mac-authen

Global MAC address authentication is enabled.

By default, global MAC address authentication is disabled.

Step 3 Enable MAC address authentication on an interface in the system or interface view.

In the system view:

1. Run:
mac-authen interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

MAC address authentication is enabled on the interface.


In the interface view:
1. Run:
interface interface-type interface-number

The interface view is displayed.


2. Run:
mac-authen

MAC address authentication is enabled on the interface.

By default, MAC address authentication is disabled on an interface.

----End

2.5.2.2 (Optional) Configuring the User Authentication Domain

Context
When the MAC address or a fixed user name without a domain name is used as the user name
in MAC address authentication, the user is authenticated in the default domain if the administrator
does not configure an authentication domain. In this case, many users are authenticated in the
default domain, which makes the authentication scheme inflexible.
The authentication domain for MAC address authentication users can be configured globally
or on an interface.
l When configured globally, the authentication domain is valid for all interfaces.
l When configured on an interface, the authentication domain is valid for this interface only.
The authentication domain configured on the interface takes precedence over the one configured
globally. If no authentication domain is configured on the interface, the globally configured
authentication domain is used.

NOTE

l When the fixed user name is used for MAC address authentication and the authentication domain is
specified in the user name, the user is authenticated in the specified authentication domain.
l Before configuring an authentication domain for the MAC address authentication user, ensure that the
authentication domain has been created.

Procedure
l In the system view:
1. Run:
system-view

The system view is displayed.


2. Run:
mac-authen domain isp-name [ mac-address mac-address mask mask ]

The authentication domain is configured for the MAC address authentication user.
By default, MAC address authentication uses the default domain.
l In the interface view:
1. Run:
system-view

The system view is displayed.


2. Run:
interface interface-type interface-number

The interface view is displayed.


3. Run:
mac-authen domain isp-name

The authentication domain is configured for the MAC address authentication user.
By default, MAC address authentication uses the default domain.
----End

2.5.2.3 (Optional) Setting the Maximum Number of Access Users for MAC Address
Authentication on an Interface

Context
To limit the number of access users for MAC address authentication on an interface, the
administrator can set the maximum number of access users. When the number of access users
reaches the limit, new users cannot access the network through the interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Set the maximum number of concurrent access users on an interface in the system or interface
view.
l In the system view:
1. Run:
mac-authen max-user user-number interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

The maximum number of access users for MAC address authentication is set on the
interface.
l In the interface view:
1. Run:
interface interface-type interface-number

The interface view is displayed.


2. Run:
mac-authen max-user user-number

The maximum number of access users for MAC address authentication is set on the
interface.

By default, the limit is the maximum number of MAC address authentication users supported by
the device.

----End

2.5.2.4 (Optional) Configuring Timers of MAC Address Authentication

Context
During MAC address authentication, several timers control the interaction between access users
or devices and the authentication server. You can configure the following timers for MAC address
authentication:
l Re-authentication timer for users in the guest VLAN (guest-vlan reauthenticate-period): After
a user is added to the guest VLAN, the device initiates re-authentication for the user at an interval
set by this timer. If re-authentication is successful, the user exits the guest VLAN.
l Offline detection timer (offline-detect): To make sure that a user is online, the device sends
a detection packet to the user. If the user does not respond within a detection period, the
device considers the user offline.
l Quiet timer (quiet-period): The device must enter a quiet period after the user fails to be
authenticated. During the quiet period, the device does not process authentication requests
from the user.
l Server timeout timer (server-timeout): The device starts this timer after sending a RADIUS
Access-Request packet to the authentication server. If the authentication server does not
respond within the period set by the timer, the device retransmits the authentication request
packet to the authentication server.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
mac-authen timer { guest-vlan reauthenticate-period interval | offline-detect offline-detect-value | quiet-period quiet-value | server-timeout server-timeout-value }

The timer parameters are set for MAC address authentication.


By default, guest-vlan reauthenticate-period is set to 60 seconds, offline-detect is set to 300
seconds, quiet-period is set to 60 seconds, and server-timeout is set to 30 seconds.

NOTE

Timers for setting guest-vlan reauthenticate-period, offline-detect, quiet-period, and server-timeout
are enabled by default.

----End

2.5.2.5 (Optional) Configuring Re-authentication for MAC Address Authentication Users

Context
If the administrator modifies user information on the authentication server, parameters such as
the user access permission and authorization attribute are changed. If a user has passed MAC
address authentication, you must re-authenticate the user to ensure user validity.
After the user goes online, the device saves user authentication information. After re-
authentication is enabled for MAC address authentication users, the device sends the saved
authentication information of the online user to the authentication server for re-authentication.
If the user's authentication information does not change on the authentication server, the user is
kept online. If the authentication information has been changed, the user is forced to go offline,
and then re-authenticated according to the changed authentication information.
You can configure re-authentication for MAC address authentication users using either of the
following methods:

l Re-authenticate all online MAC address authentication users on a specified interface at an
interval.
l Re-authenticate an online user with a specified MAC address once.

Procedure
l Re-authenticate all online MAC address authentication users on a specified interface at an
interval.
1. Run:
system-view

The system view is displayed.


2. Enable periodic re-authentication for all online MAC address authentication users on
the specified interface in the system or interface view.
In the system view:
a. Run:
mac-authen reauthenticate interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

Periodic re-authentication is enabled for all online MAC address authentication
users on the specified interface.
In the interface view:
a. Run:
interface interface-type interface-number

The interface view is displayed.


b. Run:
mac-authen reauthenticate

Periodic re-authentication is enabled for all online MAC address authentication
users on the specified interface.
c. Run:
quit

Return to the system view.

By default, periodic re-authentication is enabled for all online MAC address
authentication users on the specified interface.
3. (Optional) Run:
mac-authen timer reauthenticate-period reauthenticate-period-value

The re-authentication interval for online MAC address authentication users is set.

By default, the device re-authenticates online MAC address authentication users at
an interval of 1800 seconds.
l Configure re-authentication for an online MAC address authentication user with a specified
MAC address.
1. Run:
system-view

The system view is displayed.


2. Run:
mac-authen reauthenticate mac-address mac-address

Re-authentication is enabled for the online MAC address authentication user with the
specified MAC address.

By default, re-authentication for an online MAC address authentication user with a
specified MAC address is disabled.

----End

2.5.2.6 (Optional) Configuring the Guest VLAN Function

Context
You can configure a guest VLAN on a device interface so that users can access some network
resources without being authenticated. A user is added to the guest VLAN before authentication
and can access only the resources in the guest VLAN; the user must still be authenticated before
accessing network resources outside the guest VLAN.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Configure the guest VLAN function in the system or interface view.
l In the system view:
1. Run:
authentication guest-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

The guest VLAN to which the interface is added is configured.


l In the interface view:
1. Run:
interface interface-type interface-number

The interface view is displayed.


2. Run:
authentication guest-vlan vlan-id

The guest VLAN to which the interface is added is configured.

By default, an interface is not added to the guest VLAN.

NOTE

If MAC address authentication is used, run the port link-type hybrid command to set the link type on the
interface to Hybrid.

----End

2.5.2.7 (Optional) Configuring the User Group Function

Context
In NAC applications, there are many access users, but user types are limited. You can create
user groups on the device and associate each user group to an ACL. In this way, users in the
same group share rules in the ACL.

After creating user groups, you can set priorities and VLANs for the user groups, so that users
in different user groups have different priorities and network access rights. The administrator
can then flexibly manage users.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-group group-name

A user group is created and the user group view is displayed.

Step 3 Run:
acl-id acl-number

An ACL is bound to the user group.

By default, no ACL is bound to a user group.

NOTE

Before running this command, ensure that the ACL has been created using the acl (system view) or acl
name command.

Step 4 Run:
user-vlan vlan-id

The user group VLAN is configured.

By default, no user group VLAN is configured.

NOTE

Before running this command, ensure that the VLAN has been created using the vlan command.

Step 5 Run:
remark { 8021p 8021p-value | dscp dscp-value | exp exp-value | lp lp-value }*

The user group priority is configured.

By default, no user group priority is configured.

----End

2.5.2.8 Checking the Configuration

Context
You can run the commands to check the configured parameters after completing the MAC
address authentication configuration.

Procedure
l Run the display mac-authen [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to check the configuration of MAC address authentication.
l Run the display mac-address { authen | guest } [ interface-type interface-number |
vlan vlan-id ] command to check the current authen or guest MAC address entries in the
system.
l Run the display user-group [ group-name ] command to check the user group
configuration.
l Run the display access-user user-group group-name command to check information
about online users in a user group.

----End
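The procedures in 2.5.2 assembled into one configuration session, as an added example that is not from the guide (lines beginning with # are annotations, not commands). It assumes that the AAA domain mac-dom, VLAN 10, VLAN 20 and ACL 3001 have already been created and that the access port is GigabitEthernet0/0/1; all names, addresses and values are constructed placeholders.

```text
# Constructed example: every name, address and value below is a placeholder.
# Assumed to exist already: AAA domain mac-dom (chapter 1), VLAN 10 (guest VLAN),
# VLAN 20 (user group VLAN) and ACL 3001.
<Huawei> system-view
[Huawei] mac-authen
# Timers (defaults: guest-vlan reauthenticate-period 60, offline-detect 300,
# quiet-period 60, server-timeout 30 seconds). A longer quiet period slows
# repeated failed attempts from one device; a shorter offline-detect frees the
# entries of silent devices sooner.
[Huawei] mac-authen timer quiet-period 120
[Huawei] mac-authen timer offline-detect 600
[Huawei] mac-authen timer server-timeout 10
[Huawei] mac-authen timer guest-vlan reauthenticate-period 90
# Periodic re-authentication interval for online users (default 1800 seconds),
# so that changes made on the authentication server take effect within an hour.
[Huawei] mac-authen timer reauthenticate-period 3600
# User group: members share ACL 3001, are placed in VLAN 20 and are marked DSCP 10.
# How a user is mapped to the group is an AAA authorization setting (chapter 1);
# it is assumed to be configured and is not shown here.
[Huawei] user-group printers
[Huawei-user-group-printers] acl-id 3001
[Huawei-user-group-printers] user-vlan 20
[Huawei-user-group-printers] remark dscp 10
[Huawei-user-group-printers] quit
# Access port: the hybrid link type is required when a guest VLAN is used.
[Huawei] interface GigabitEthernet0/0/1
[Huawei-GigabitEthernet0/0/1] port link-type hybrid
[Huawei-GigabitEthernet0/0/1] mac-authen
[Huawei-GigabitEthernet0/0/1] mac-authen domain mac-dom
# Cap on concurrent MAC authentication users on this port (default: device maximum).
[Huawei-GigabitEthernet0/0/1] mac-authen max-user 8
[Huawei-GigabitEthernet0/0/1] mac-authen reauthenticate
[Huawei-GigabitEthernet0/0/1] authentication guest-vlan 10
[Huawei-GigabitEthernet0/0/1] quit
# Re-authenticate one online device once, e.g. after its record was changed on
# the authentication server (placeholder address in Huawei MAC notation).
[Huawei] mac-authen reauthenticate mac-address 0011-2233-4455
# Verification
[Huawei] display mac-authen interface GigabitEthernet0/0/1
[Huawei] display mac-address authen GigabitEthernet0/0/1
[Huawei] display mac-address guest vlan 10
[Huawei] display user-group printers
[Huawei] display access-user user-group printers
```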

2.5.3 Configuring Portal Authentication


In Portal authentication, users do not need a specific client. The Portal server provides users with
free portal services and a Portal authentication page. Portal authentication can use either an external
Portal server or the built-in Portal server.

NOTE

The 4GE-2S card does not support built-in portal authentication.


Layer 2 Ethernet interfaces support only built-in Portal authentication, and Layer 3 Ethernet interfaces
including Layer 3 logical interfaces support both external and built-in Portal authentication.

Prerequisites
Portal authentication only provides a user authentication solution. To implement this solution,
the AAA function must also be configured. Therefore, the following tasks must be completed
before you configure Portal authentication:

l Configuring the authentication domain and AAA scheme on the AAA client.
l Configuring the user name and password on the RADIUS or HWTACACS server if
RADIUS or HWTACACS authentication is used.
l Configuring the user name and password manually on the network access device if local
authentication is used.

For the configuration of AAA client, see 1 AAA Configuration in the Huawei
AR150&200&1200&2200&3200 Series Enterprise Routers Configuration Guide-Security.

2.5.3.1 Configuring Portal Server Parameters

Context
During Portal authentication, you must configure parameters for the Portal server (for example,
the IP address for the Portal server) to ensure smooth communication between the device and
the Portal server.

The Portal server is classified as either the external Portal server or the built-in Portal server.
The external Portal server has independent hardware, while the built-in Portal server is an entity
embedded in the access device (that is, functions of the Portal server are implemented by the
access device).

Procedure
l Configuring parameters for the external Portal server
1. Run:
system-view

The system view is displayed.


2. Run:
web-auth-server server-name

A Portal server template is created and the Portal server template view is displayed.

By default, no Portal server template is created.


3. Run:
server-ip server-ip-address &<1-4>

An IP address is configured for the Portal server.

By default, no IP address is configured for the Portal server.


NOTE

The IP address for the Portal server is the IP address for the external Portal server.
4. Run:
url url-string

A URL is configured for the portal server.

By default, a Portal server does not have a URL.


5. Run:
shared-key { cipher | simple } key-string

The shared key that the device uses to exchange information with the Portal server is
configured.

By default, no shared key is configured.


l Configuring parameters for the built-in Portal server
1. Run:
system-view

The system view is displayed.

2. Run:
portal local-server ip ip-address

The IP address is configured for the built-in Portal server.

By default, no IP address is configured for a built-in Portal server.


NOTE

The IP address for the built-in Portal server is an IP address of a Layer 3 interface that can be
reached by a route between the device and the client.

----End

2.5.3.2 Enabling Portal Authentication

Context
The device can communicate with the Portal server after the Portal server parameters are
configured. To enable Portal authentication for access users, you must then enable Portal
authentication on the device.

When an external Portal server is used, you only need to bind the configured Portal server
template to a VLANIF or WAN interface. When the built-in Portal server is used, you must enable
the built-in Portal server and then enable Portal authentication on a Layer 2 interface of the
device.

Procedure
l Enable Portal authentication on the device if the authentication server is an external Portal
server.
1. Run:
system-view

The system view is displayed.


2. Run:
interface interface-type interface-number

The interface view is displayed.


3. Run:
web-auth-server server-name { direct | layer3 }

The Portal server template is bound to the interface.

By default, no Portal server template is bound to an interface.

NOTE

This command does not support the parameter direct in the WAN interface view.
For wireless users, the Portal server template can be bound to only the VLANIF interface.
l Enable Portal authentication on the device if the authentication server is a built-in Portal
server.
1. Run:
system-view

The system view is displayed.


2. Run:
portal local-server https ssl-policy policy-name [ port port-num ]

The built-in Portal server is enabled on the device.

By default, the built-in Portal server is disabled on the device.


NOTE

The SSL policy must be configured and the digital certificate must be loaded.
3. Enable Portal authentication on the interface in the system or interface view.
In the system view:
portal local-server enable interface interface-type interface-number1 [ to interface-number2 ] &<1-10>

Portal authentication is enabled on the interface.


NOTE

This command can only configure Portal authentication on the Layer 2 interface in the system
view. To enable Portal authentication on the VLANIF and WAN interfaces, you can only use
the command syntax in the interface view.
In the interface view:
a. Run:
interface interface-type interface-number

The interface view is displayed.


b. Run:
portal local-server enable

Portal authentication is enabled on the interface.

By default, Portal authentication is disabled on an interface.

----End

2.5.3.3 (Optional) Configuring Parameters for Information Exchange with the Portal Server

Context
In Portal authentication network deployment, if the Portal server is an external Portal server,
you can configure parameters for information exchange between the device and the Portal server
to improve communication security.
NOTE

This function applies only to external Portal servers.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
web-auth-server version v2 [ v1 ]

Portal protocol versions supported by the device are configured.

By default, the device supports both Portal protocol versions, v1 and v2.

NOTE

To ensure smooth communication, use the default setting so that the device uses both versions.

Step 3 Run:
web-auth-server listening-port port-number

The port number on which the device listens for Portal protocol packets is set.

By default, the device listens for Portal protocol packets on port 2000.

Step 4 Run:
web-auth-server reply-message

The device is enabled to transparently transmit the authentication responses sent by the
authentication server to the Portal server.

By default, the device transparently transmits the authentication responses sent by the
authentication server to the Portal server.

Step 5 Run:
web-auth-server server-name

The Portal server template view is displayed.

Step 6 Run:
source-ip ip-address

The source IP address for communication with a Portal server is configured.

By default, no source IP address is configured on the device.

Step 7 Run:
port port-number [ all ]

The destination port number through which the device sends packets to the Portal server is set.

By default, port 50100 is used as the destination port when the device sends packets to the Portal
server.

Step 8 Run:
vpn-instance vpn-instance-name

The VPN instance used by the device to communicate with the portal server is configured.

By default, no VPN instance is configured for communication between the device and Portal
server.

----End

2.5.3.4 (Optional) Setting Access Control Parameters for Portal Authentication Users

Context
During deployment of the Portal authentication network, you can set access control parameters
for Portal authentication users to flexibly control the user access. For example, you can set
authentication free rules for Portal authentication users so that the users can access specified
network resources without being authenticated or when the users fail authentication. You can
configure the source authentication subnet to allow the device to authenticate only users in the
source authentication subnet, while users in other subnets cannot pass Portal authentication.

Procedure
l Set access control parameters for Portal authentication users when an external Portal server
is used.
1. Run:
system-view

The system view is displayed.


2. Run:
portal free-rule rule-id { destination { any | ip { ip-address mask { mask-length | ip-mask } | any } } | source { any | ip { ip-address mask { mask-length | ip-mask } | any } } } *

The Portal authentication free rule is set.

By default, no Portal authentication free rule is set.


3. After an authentication-free rule is configured for wireless users, commit the
configuration.
a. Run the wlan ac command to enter the WLAN view.
b. Run the commit all command to commit all the configurations of AP.
c. Run the quit command to return to the system view.
4. Run:
portal max-user user-number

The maximum number of concurrent Portal users is set.

By default, the number of Portal authentication users is the maximum number of Portal
authentication users supported by the device.
5. Run:
interface vlanif vlan-id

The Vlanif interface view is displayed.


6. Run:
portal auth-network network-address { mask-length | mask-address }

The source subnet is set for Portal authentication.

By default, the source authentication subnet is 0.0.0.0/0, indicating that users in all
subnets must pass Portal authentication.

NOTE

The command takes effect for only Layer 3 Portal authentication. In Layer 2 Portal
authentication, users on all subnets must be authenticated.
7. Run:
portal domain domain-name

A forcible Portal authentication domain name is set.

By default, no forcible Portal authentication domain name is set.


l Set access control parameters for Portal authentication users when a built-in Portal server
is used.
1. Run:
system-view

The system view is displayed.


2. Run:
portal local-server authentication-method { chap | pap }

The authentication mode of the built-in Portal server is set.

By default, the built-in Portal server uses CHAP to authenticate Portal users.

----End

2.5.3.5 (Optional) Setting the Offline Detection Interval for Portal Authentication
Users

Context
If a Portal authentication user goes offline because of a power failure or network interruption, the
device and Portal server may still store the user's information, which leads to incorrect accounting.
In addition, only a limited number of users can access the device: if a user goes offline improperly
but the device still stores the user information, other users cannot access the network.

After the offline detection interval is set for Portal authentication users, if a user does not respond
within the interval, the device considers the user offline. The device and Portal server then delete
the user information and release the occupied resources to ensure efficient resource use.

NOTE
This function applies only to Layer 2 Portal authentication and takes effect on external Portal servers.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
portal timer offline-detect time-length

The period for detecting Portal authentication user logout is set.

By default, the interval for detecting Portal authentication user logout is 300s.

----End

2.5.3.6 (Optional) Configuring the Detection and Keepalive Function for Portal
Authentication

Context
In practical networking applications of Portal authentication, if communication is interrupted
due to a network failure between the device and the Portal server or because the Portal server
fails, new Portal authentication users cannot go online, and online Portal users cannot go offline
normally.

With the Portal detection and keepalive function, even if the network fails or the Portal server
cannot work properly, the device still allows the user to use the network and have certain network
access rights. The device reports failures using logs and traps.

NOTE

This function applies only to external Portal servers.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
web-auth-server server-name

The Portal server template view is displayed.

Step 3 Run:
server-detect { interval interval-period | max-times times | critical-num critical-num | action { log | trap | permit-all } * } *

The detection and keepalive function of the Portal server is enabled.

By default, the detection and keepalive function of the Portal server is disabled.

----End

2.5.3.7 (Optional) Configuring User Information Synchronization

Context
If communication is interrupted because the network between the device and Portal server is
disconnected or the Portal server is faulty, online Portal authentication users cannot go offline.
Therefore, user information on the device and on the Portal server may be inconsistent and
accounting may be inaccurate.

The user information synchronization function ensures that user information on the Portal server
is the same as that on the device, ensuring accurate accounting.

NOTE

This function is valid for only external Portal servers.


For Layer 3 Portal authentication, the device currently can synchronize user information with the
Huawei-Symantec TSM Portal server. When the device is connected to other Portal servers, user
information may fail to be synchronized and users cannot go offline in real time. In this case, you
can run the cut access-user command or use the NMS or RADIUS DM to force users to go offline.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
web-auth-server server-name

The Portal server template view is displayed.


Step 3 Run:
user-sync [ interval interval-period | max-times times ] *

User information synchronization is enabled.


By default, user information synchronization is disabled.

----End

2.5.3.8 (Optional) Configuring the User Group Function

Context
In NAC applications, there are many access users, but user types are limited. You can create
user groups on the device and associate each user group to an ACL. In this way, users in the
same group share rules in the ACL.
After creating user groups, you can set priorities and VLANs for the user groups, so that users
in different user groups have different priorities and network access rights. The administrator
can then flexibly manage users.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
user-group group-name

A user group is created and the user group view is displayed.


Step 3 Run:
acl-id acl-number

An ACL is bound to the user group.

By default, no ACL is bound to a user group.

NOTE

Before running this command, ensure that the ACL has been created using the acl (system view) or acl
name command.

Step 4 Run:
remark { 8021p 8021p-value | dscp dscp-value | exp exp-value | lp lp-value }*

The user group priority is configured.

By default, no user group priority is configured.

----End

2.5.3.9 Checking the Configuration

Context
You can run the commands to check the configured parameters after completing the Portal
authentication configuration.

Procedure
- When an external Portal server is used, run the following commands to check the
  configuration.
  Run the display portal [ interface vlanif vlan-id ] command to check the Portal
  authentication configuration on the VLANIF interface.
  Run the display web-auth-server configuration command to check the configuration
  of the Portal authentication server.
  Run the display server-detect state [ web-auth-server server-name ] command to
  check the status of a Portal server.
  Run the display user-group [ group-name ] command to check the user group
  configuration.
  Run the display access-user user-group group-name command to check summary
  information about online users in a user group.
- When a built-in Portal server is used, run the following commands to check the
  configuration.
  Run the display portal local-server command to check the configuration of a built-in
  Portal server.
  Run the display portal local-server connect [ user-ip ip-address ] command to check
  the connection status of Portal authentication users on the built-in Portal server.

----End

2.6 Maintaining NAC


This section describes how to clear statistics for 802.1x authentication and MAC address
authentication.


2.6.1 Clearing 802.1x Authentication Statistics


Context

NOTICE
Statistics cannot be restored after being cleared. Exercise caution when you run the following
command.

Procedure
- Run the reset dot1x statistics [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ]
  command in the user view to clear the statistics for 802.1x authentication.
----End

2.6.2 Clearing MAC Address Authentication Statistics

Context

NOTICE
Statistics cannot be restored after being cleared. Exercise caution when you run the following
command.

Procedure
- Run the reset mac-authen statistics [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ]
  command in the user view to clear the statistics for MAC address authentication.
----End

2.7 Configuration Examples


This section provides several NAC configuration examples, including network requirements,
configuration roadmap, and configuration procedure.

2.7.1 Example for Configuring 802.1x Authentication


Networking Requirements
As shown in Figure 2-13, many users in a company access the network through Eth2/0/0 of the
Router (used as an access device). After the network has operated for a period of time, attacks are
detected. The administrator must control the network access rights of user terminals to ensure
network security. The Router allows user terminals to access Internet resources only after they
are authenticated.

Figure 2-13 Networking diagram for configuring 802.1x authentication

[Figure: users and a printer connect through a LAN switch to Eth2/0/0 (VLAN 10) of the Router;
Eth2/0/1 (VLAN 20) connects to the intranet, where the RADIUS server 192.168.2.30 and the
Update Server (VLAN100) reside]

Configuration Roadmap
To control the network access permission of users, the administrator can configure 802.1x
authentication on the Router after the server with the IP address 192.168.2.30 is used as the
RADIUS server.

The configuration roadmap is as follows (configured on the Router):

1. Create and configure a RADIUS server template, an AAA scheme, and an ISP domain.
Bind the RADIUS server template and the AAA scheme to the ISP domain. The Router
can then exchange information with the RADIUS server.
2. Configure 802.1x authentication.
a. Enable 802.1x authentication globally and on the interface.
b. Enable MAC address bypass authentication to authenticate terminals (such as printers)
that cannot install 802.1x authentication client software.
c. Limit the number of 802.1x authentication users on the interface to 200 to prevent
excessive concurrent access users.
d. Set the maximum number of times that an authentication request packet is sent to a
user to 3 to avoid repeated authentication attempts.

Procedure
Step 1 Create VLANs and configure the VLAN allowed by the interface to ensure network
communication.

# Create VLAN 10 and VLAN 20.


<Huawei> system-view
[Huawei] vlan batch 10 20


# On the Router, set Eth2/0/0 connecting to users as a hybrid interface, and add Eth2/0/0 to
VLAN 10.
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] port link-type hybrid
[Huawei-Ethernet2/0/0] port hybrid tagged vlan 10
[Huawei-Ethernet2/0/0] quit

NOTE

Configure the interface type and VLANs according to the actual situation. In this example, users are added
to VLAN 10.

# On the Router, set Eth2/0/1 connecting to the RADIUS server as an access interface, and add
Eth2/0/1 to VLAN 20.
[Huawei] interface ethernet 2/0/1
[Huawei-Ethernet2/0/1] port link-type access
[Huawei-Ethernet2/0/1] port default vlan 20
[Huawei-Ethernet2/0/1] quit

# Create VLANIF10 and VLANIF20 and assign IP addresses to the VLANIF interfaces so that
user terminals, Router, and internal devices on the enterprise network can set up routes. In this
example, the IP address of VLANIF10 is 192.168.1.20/24 and the IP address of VLANIF20 is
192.168.2.29/24.
[Huawei] interface vlanif 10
[Huawei-Vlanif10] ip address 192.168.1.20 24
[Huawei-Vlanif10] quit
[Huawei] interface vlanif 20
[Huawei-Vlanif20] ip address 192.168.2.29 24
[Huawei-Vlanif20] quit

Step 2 Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain.

# Create and configure RADIUS server template rd1.


[Huawei] radius-server template rd1
[Huawei-radius-rd1] radius-server authentication 192.168.2.30 1812
[Huawei-radius-rd1] radius-server shared-key cipher hello
[Huawei-radius-rd1] radius-server retransmit 2
[Huawei-radius-rd1] quit

# Create AAA scheme abc and set the authentication mode to RADIUS.
[Huawei] aaa
[Huawei-aaa] authentication-scheme abc
[Huawei-aaa-authen-abc] authentication-mode radius
[Huawei-aaa-authen-abc] quit

# Create authentication domain isp1, and bind AAA scheme abc and RADIUS server template
rd1 to authentication domain isp1.
[Huawei-aaa] domain isp1
[Huawei-aaa-domain-isp1] authentication-scheme abc
[Huawei-aaa-domain-isp1] radius-server rd1
[Huawei-aaa-domain-isp1] quit
[Huawei-aaa] quit

# Configure the default domain isp1 in the system view. When a user enters the user name in the
format user@isp1, the user is authenticated in the authentication domain isp1. If the user name
does not carry a domain name or carries a nonexistent domain name, the user is authenticated
in the default domain.

[Huawei] domain isp1

Step 3 Configure 802.1x authentication.


# Enable 802.1x authentication globally and on an interface.
[Huawei] dot1x enable
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] dot1x enable

# Configure MAC address bypass authentication.


[Huawei-Ethernet2/0/0] dot1x mac-bypass

# Set the maximum number of concurrent access users for 802.1x authentication on an interface
to 200.
[Huawei-Ethernet2/0/0] dot1x max-user 200
[Huawei-Ethernet2/0/0] quit

# Set the maximum number of times that an authentication request packet is sent to the user to
3.
[Huawei] dot1x retry 3

# Configure VLAN100 as the guest VLAN in 802.1x authentication.


[Huawei] vlan batch 100
[Huawei] authentication guest-vlan 100 interface ethernet 2/0/0

Step 4 View the 802.1x configuration.


<Huawei> display dot1x interface ethernet 2/0/0
Ethernet2/0/0 status: UP 802.1x protocol is Enabled[mac-bypass]
Port control type is Auto
Authentication method is MAC-based
Reauthentication is disabled
Maximum users: 200
Current users: 0
Guest VLAN 100 is not effective
Restrict VLAN is disabled

Authentication Success: 0 Failure: 0


EAPOL Packets: TX : 0 RX : 0
Sent EAPOL Request/Identity Packets : 0
EAPOL Request/Challenge Packets : 0
Multicast Trigger Packets : 0
EAPOL Success Packets : 0
EAPOL Failure Packets : 0
Received EAPOL Start Packets : 0
EAPOL Logoff Packets : 0
EAPOL Response/Identity Packets : 0
EAPOL Response/Challenge Packets: 0

----End

Configuration Files
# Configuration file of the Router
#
vlan batch 10 20 100
#
domain isp1
#
dot1x enable


dot1x retry 3
#
radius-server template rd1
radius-server shared-key cipher %$%$lrWRXXUmJ/5W\uBqID/6EULC%$%$
radius-server authentication 192.168.2.30 1812 weight 80
radius-server retransmit 2
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface Vlanif10
ip address 192.168.1.20 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.29 255.255.255.0
#
interface Ethernet2/0/0
port hybrid tagged vlan 10
dot1x mac-bypass
dot1x max-user 200
authentication guest-vlan 100
#
interface Ethernet2/0/1
port link-type access
port default vlan 20
#
return

2.7.2 Example for Configuring MAC Address Authentication

Networking Requirements
As shown in Figure 2-14, many printers in a company access the network through Eth2/0/0 of the
Router (used as an access device). After the network has operated for a period of time, the
administrator wants to control the network access rights of the printers to improve network security. The
Router allows a printer to access Internet resources only after the printer is authenticated.

Figure 2-14 Networking diagram for configuring MAC address authentication

[Figure: printers connect through a LAN switch to Eth2/0/0 (VLAN 10) of the Router; Eth2/0/1
(VLAN 20) connects to the intranet, where the RADIUS server 192.168.2.30 and the Update Server
(VLAN100) reside]


Configuration Roadmap
Printers cannot install and use the 802.1x client. The administrator can configure MAC address
authentication on the Router to control the network access rights of the printers.

The configuration roadmap is as follows (configured on the Router):

1. Create and configure a RADIUS server template, an AAA scheme, and an ISP domain;
bind the RADIUS server template and the AAA scheme to the ISP domain. The Router can
then exchange information with the RADIUS server.
2. Configure MAC address authentication.
a. Enable MAC address authentication globally and on the interface.
b. A maximum of 100 MAC address authentication users are allowed to access an
interface, preventing excessive concurrent access users.

Procedure
Step 1 Create VLANs and configure the VLAN allowed by the interface to ensure network
communication.

# Create VLAN 10 and VLAN 20.


<Huawei> system-view
[Huawei] vlan batch 10 20

# On the Router, set Eth2/0/0 connecting to users as a hybrid interface, and add Eth2/0/0 to
VLAN 10.
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] port link-type hybrid
[Huawei-Ethernet2/0/0] port hybrid tagged vlan 10
[Huawei-Ethernet2/0/0] quit

NOTE

Configure the interface type and VLANs according to the actual situation. In this example, users are added
to VLAN 10.

# On the Router, set Eth2/0/1 connecting to the RADIUS server as an access interface, and add
Eth2/0/1 to VLAN 20.
[Huawei] interface ethernet 2/0/1
[Huawei-Ethernet2/0/1] port link-type access
[Huawei-Ethernet2/0/1] port default vlan 20
[Huawei-Ethernet2/0/1] quit

# Create VLANIF10 and VLANIF20 and assign IP addresses to the VLANIF interfaces so that
user terminals, Router, and internal devices on the enterprise network can set up routes. In this
example, the IP address of VLANIF10 is 192.168.1.20/24 and the IP address of VLANIF20 is
192.168.2.29/24.
[Huawei] interface vlanif 10
[Huawei-Vlanif10] ip address 192.168.1.20 24
[Huawei-Vlanif10] quit
[Huawei] interface vlanif 20
[Huawei-Vlanif20] ip address 192.168.2.29 24
[Huawei-Vlanif20] quit

Step 2 Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain.


# Create and configure RADIUS server template rd1.


[Huawei] radius-server template rd1
[Huawei-radius-rd1] radius-server authentication 192.168.2.30 1812
[Huawei-radius-rd1] radius-server shared-key cipher hello
[Huawei-radius-rd1] radius-server retransmit 2
[Huawei-radius-rd1] quit

# Create AAA scheme abc and set the authentication mode to RADIUS.
[Huawei] aaa
[Huawei-aaa] authentication-scheme abc
[Huawei-aaa-authen-abc] authentication-mode radius
[Huawei-aaa-authen-abc] quit

# Create authentication domain isp1, and bind AAA scheme abc and RADIUS server template
rd1 to authentication domain isp1.
[Huawei-aaa] domain isp1
[Huawei-aaa-domain-isp1] authentication-scheme abc
[Huawei-aaa-domain-isp1] radius-server rd1
[Huawei-aaa-domain-isp1] quit
[Huawei-aaa] quit

# Configure the default domain isp1 in the system view. When a user enters the user name in the
format user@isp1, the user is authenticated in the authentication domain isp1. If the user name
does not carry a domain name or carries a nonexistent domain name, the user is authenticated
in the default domain.
[Huawei] domain isp1

Step 3 Configure MAC address authentication.

# Enable MAC address authentication globally and on the interface.


[Huawei] mac-authen
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] mac-authen

# Configure the isp1 domain as the authentication domain for MAC address authentication users.
[Huawei-Ethernet2/0/0] mac-authen domain isp1

# Set the maximum number of concurrent MAC address authentication users on the interface to
100.
[Huawei-Ethernet2/0/0] mac-authen max-user 100
[Huawei-Ethernet2/0/0] quit

# Configure VLAN100 as the guest VLAN for MAC address authentication.


[Huawei] vlan batch 100
[Huawei] authentication guest-vlan 100 interface ethernet 2/0/0

Step 4 Run the display mac-authen interface command to view the configuration of MAC address
authentication.
[Huawei] display mac-authen interface ethernet 2/0/0
Ethernet2/0/0 state: UP. MAC address authentication is enabled
Maximum users: 100
Current users: 0
Current domain is isp1
Authentication Success: 0, Failure: 0
Guest VLAN 100 is not effective

----End


Configuration Files
#
vlan batch 10 20 100
#
domain isp1
#
mac-authen
#
radius-server template rd1
radius-server shared-key cipher %$%$lrWRXXUmJ/5W\uBqID/6EULC%$%$
radius-server authentication 192.168.2.30 1812 weight 80
radius-server retransmit 2
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface Vlanif10
ip address 192.168.1.20 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.29 255.255.255.0
#
interface Ethernet2/0/0
port hybrid tagged vlan 10
authentication guest-vlan 100
mac-authen
mac-authen max-user 100
mac-authen domain isp1
#
interface Ethernet2/0/1
port link-type access
port default vlan 20
#
return

2.7.3 Example for Configuring Built-in Portal Authentication

Networking Requirements
As shown in Figure 2-15, many users in a company access the network through Eth2/0/0 of the
Router (used as an access device). After the network has operated for a period of time, attacks are
detected. The administrator must control the network access rights of user terminals to ensure
network security. The Router allows user terminals to access Internet resources only after they
are authenticated.

Figure 2-15 Networking diagram for configuring built-in Portal authentication

[Figure: users connect through a LAN switch to Eth2/0/0 (VLAN 10) of the Router, which also acts
as the built-in Portal server (192.168.1.30); Eth2/0/1 (VLAN 20) connects to the intranet, where
the RADIUS server 192.168.2.30 resides]

Configuration Roadmap
To control the network access permission of users, the administrator can configure Portal
authentication on the Router after the server with the IP address 192.168.2.30 is configured as
the RADIUS server. Due to limited device resources, the administrator uses the built-in Portal
server and configures the IP address 192.168.1.30 of a loopback interface of the Router as the
IP address for the built-in Portal server.

The configuration roadmap is as follows (configured on the Router):

1. Create and configure a RADIUS server template, an AAA scheme, and an ISP domain;
bind the RADIUS server template and the AAA scheme to the ISP domain. The Router can
then exchange information with the RADIUS server.
2. Configure built-in Portal authentication so that terminals can connect to the network using
Portal authentication.

Procedure
Step 1 Create VLANs and configure the VLAN allowed by the interface to ensure network
communication.

# Create VLAN 10 and VLAN 20.


<Huawei> system-view
[Huawei] vlan batch 10 20

# On the Router, set Eth2/0/0 connecting to users as a hybrid interface, and add Eth2/0/0 to
VLAN 10.
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] port link-type hybrid
[Huawei-Ethernet2/0/0] port hybrid tagged vlan 10
[Huawei-Ethernet2/0/0] quit

NOTE

Configure the interface type and VLANs according to the actual situation. In this example, users are added
to VLAN 10.

# On the Router, set Eth2/0/1 connecting to the RADIUS server as an access interface, and add
Eth2/0/1 to VLAN 20.

[Huawei] interface ethernet 2/0/1
[Huawei-Ethernet2/0/1] port link-type access
[Huawei-Ethernet2/0/1] port default vlan 20
[Huawei-Ethernet2/0/1] quit

# Create VLANIF10 and VLANIF20 and assign IP addresses to the VLANIF interfaces so that
user terminals, Router, and internal devices on the enterprise network can set up routes. In this
example, the IP address of VLANIF10 is 192.168.1.20/24 and the IP address of VLANIF20 is
192.168.2.29/24.
[Huawei] interface vlanif 10
[Huawei-Vlanif10] ip address 192.168.1.20 24
[Huawei-Vlanif10] quit
[Huawei] interface vlanif 20
[Huawei-Vlanif20] ip address 192.168.2.29 24
[Huawei-Vlanif20] quit

Step 2 Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain.

# Create and configure RADIUS server template rd1.


[Huawei] radius-server template rd1
[Huawei-radius-rd1] radius-server authentication 192.168.2.30 1812
[Huawei-radius-rd1] radius-server shared-key cipher hello
[Huawei-radius-rd1] radius-server retransmit 2
[Huawei-radius-rd1] quit

# Create AAA scheme abc and set the authentication mode to RADIUS.
[Huawei] aaa
[Huawei-aaa] authentication-scheme abc
[Huawei-aaa-authen-abc] authentication-mode radius
[Huawei-aaa-authen-abc] quit

# Create authentication domain isp1, and bind AAA scheme abc and RADIUS server template
rd1 to authentication domain isp1.
[Huawei-aaa] domain isp1
[Huawei-aaa-domain-isp1] authentication-scheme abc
[Huawei-aaa-domain-isp1] radius-server rd1
[Huawei-aaa-domain-isp1] quit
[Huawei-aaa] quit

# Configure the default domain isp1 in the system view. When a user enters the user name in the
format user@isp1, the user is authenticated in the authentication domain isp1. If the user name
does not carry a domain name or carries a nonexistent domain name, the user is authenticated
in the default domain.
[Huawei] domain isp1

Step 3 Configure Portal authentication.

# Create a loopback interface and assign an IP address to the loopback interface.


[Huawei] interface loopback 6
[Huawei-LoopBack6] ip address 192.168.1.30 32
[Huawei-LoopBack6] quit

# Configure the IP address for the built-in Portal server.


[Huawei] portal local-server ip 192.168.1.30

# Enable Portal authentication.

[Huawei] portal local-server https ssl-policy huawei
[Huawei] portal local-server enable interface ethernet 2/0/0

NOTE

When the portal local-server https ssl-policy huawei command is executed, ensure that SSL policy
huawei has been configured.

Step 4 View the parameters of the configured built-in Portal server.


<Huawei> display portal local-server
Portal local-server config:
server status : enable
server ip : 192.168.1.30
authentication method : chap
protocol : https
https ssl-policy : huawei

----End

Configuration Files
#
vlan batch 10 20
#
domain isp1
#
portal local-server ip 192.168.1.30
portal local-server https ssl-policy huawei
#
radius-server template rd1
radius-server shared-key cipher %$%$lrWRXXUmJ/5W\uBqID/6EULC%$%$
radius-server authentication 192.168.2.30 1812 weight 80
radius-server retransmit 2
#
pki entity abc
common-name hello
country CN
#
pki realm admin
entity abc
ca id ca_root
enrollment-url http://3.1.1.1:8080/certsrv/mscep/mscep.dll ra
fingerprint sha1 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF
#
ssl policy huawei type server
pki-realm admin
session cachesize 20 timeout 7200
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface Vlanif10
ip address 192.168.1.20 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.29 255.255.255.0
#
interface Ethernet2/0/0
port hybrid tagged vlan 10
portal local-server enable

#
interface Ethernet2/0/1
port link-type access
port default vlan 20
#
interface LoopBack6
ip address 192.168.1.30 255.255.255.255
#
return

2.7.4 Example for Configuring External Portal Authentication

Networking Requirements
As shown in Figure 2-16, many users in a company access the network through Eth2/0/0 of the
Router (used as an access device). After the network has operated for a period of time, attacks are
detected. The administrator must control the network access rights of user terminals to ensure
network security. The Router allows user terminals to access Internet resources only after they
are authenticated.

Figure 2-16 Networking diagram for configuring Portal authentication

[Figure: users connect through a LAN switch to Eth2/0/0 (VLAN 10) of the Router; Eth2/0/1
(VLAN 20) connects to the intranet, where the RADIUS server 192.168.2.30 and the Portal server
192.168.2.20 reside]

Configuration Roadmap
To control the network access permission of users, the administrator can configure Portal
authentication on the Router after the server with the IP address 192.168.2.30 is used as the
RADIUS server, and configure the IP address 192.168.2.20 as the IP address for the Portal server.

The configuration roadmap is as follows (configured on the Router):

1. Create and configure a RADIUS server template, an AAA scheme, and an ISP domain.
Bind the RADIUS server template and the AAA scheme to the ISP domain. The Router
can then exchange information with the RADIUS server.
2. Configure Portal authentication.

a. Create and configure a Portal server template to ensure normal information exchange
between the device and the Portal server.
b. Enable Portal authentication to authenticate access users.


c. Configure a shared key that the device uses to exchange information with the Portal
server to improve communication security.
d. Configure the maximum number of concurrent Portal authentication users to prevent
excessive concurrent users.
e. Configure the offline detection period for Portal authentication users to ensure that
the device deletes the information of offline users.
f. Configure the detection and keepalive function of Portal authentication, so that users
can still access networks when the Portal server is faulty.

Procedure
Step 1 Create VLANs and configure the VLAN allowed by the interface to ensure network
communication.
# Create VLAN 10 and VLAN 20.
<Huawei> system-view
[Huawei] vlan batch 10 20

# On the Router, set Eth2/0/0 connecting to users as a hybrid interface, and add Eth2/0/0 to
VLAN 10.
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] port link-type hybrid
[Huawei-Ethernet2/0/0] port hybrid tagged vlan 10
[Huawei-Ethernet2/0/0] quit

NOTE

Configure the interface type and VLANs according to the actual situation. In this example, users are added
to VLAN 10.

# On the Router, set Eth2/0/1 connecting to the RADIUS server as an access interface, and add
Eth2/0/1 to VLAN 20.
[Huawei] interface ethernet 2/0/1
[Huawei-Ethernet2/0/1] port link-type access
[Huawei-Ethernet2/0/1] port default vlan 20
[Huawei-Ethernet2/0/1] quit

# Create VLANIF10 and VLANIF20 and assign IP addresses to the VLANIF interfaces so that
user terminals, Router, and internal devices on the enterprise network can set up routes. In this
example, the IP address of VLANIF10 is 192.168.1.20/24 and the IP address of VLANIF20 is
192.168.2.29/24.
[Huawei] interface vlanif 10
[Huawei-Vlanif10] ip address 192.168.1.20 24
[Huawei-Vlanif10] quit
[Huawei] interface vlanif 20
[Huawei-Vlanif20] ip address 192.168.2.29 24
[Huawei-Vlanif20] quit

Step 2 Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain.
# Create and configure RADIUS server template rd1.
[Huawei] radius-server template rd1
[Huawei-radius-rd1] radius-server authentication 192.168.2.30 1812
[Huawei-radius-rd1] radius-server shared-key cipher hello
[Huawei-radius-rd1] radius-server retransmit 2
[Huawei-radius-rd1] quit


# Create AAA scheme abc and set the authentication mode to RADIUS.
[Huawei] aaa
[Huawei-aaa] authentication-scheme abc
[Huawei-aaa-authen-abc] authentication-mode radius
[Huawei-aaa-authen-abc] quit

# Create authentication domain isp1, and bind AAA scheme abc and RADIUS server template
rd1 to authentication domain isp1.
[Huawei-aaa] domain isp1
[Huawei-aaa-domain-isp1] authentication-scheme abc
[Huawei-aaa-domain-isp1] radius-server rd1
[Huawei-aaa-domain-isp1] quit
[Huawei-aaa] quit

# Configure the default domain isp1 in the system view. When a user enters the user name in the
format user@isp1, the user is authenticated in the authentication domain isp1. If the user name
does not carry a domain name or carries a nonexistent domain name, the user is authenticated
in the default domain.
[Huawei] domain isp1

Step 3 Configure Portal authentication.

# Create and configure Portal server template abc.


[Huawei] web-auth-server abc
[Huawei-web-auth-server-abc] server-ip 192.168.2.20
[Huawei-web-auth-server-abc] url http://192.168.2.30:8080/webagent
[Huawei-web-auth-server-abc] quit

# Enable Portal authentication.


[Huawei] interface vlanif 10
[Huawei-Vlanif10] web-auth-server abc direct
[Huawei-Vlanif10] quit

# Set the shared key in cipher text to 12345.


[Huawei] web-auth-server abc
[Huawei-web-auth-server-abc] shared-key cipher 12345
[Huawei-web-auth-server-abc] quit

# Set the maximum number of concurrent Portal users to 100.


[Huawei] portal max-user 100

# Set the user offline detection period to 500s.


[Huawei] portal timer offline-detect 500

# Configure the detection and keepalive function of Portal authentication.


[Huawei] web-auth-server abc
[Huawei-web-auth-server-abc] server-detect action log
[Huawei-web-auth-server-abc] user-sync
[Huawei-web-auth-server-abc] quit
[Huawei] quit

Step 4 Verify the configuration.

# Run the display portal command to view Portal parameters set in the system view.
<Huawei> display portal
Portal timer offline-detect length:500
Portal max-user number:100

Vlanif10 protocol status: up, web-auth-server layer2(direct)


# Run the display portal interface command to view Portal parameters set in the VLANIF
interface view.
<Huawei> display portal interface vlanif 10

Vlanif10 protocol status: up, web-auth-server layer2(direct)

# Run the display web-auth-server configuration command to check the configuration of the
Portal authentication server.
<Huawei> display web-auth-server configuration
Listening port : 2000
Portal : version 1, version 2
Include reply message : enabled
------------------------------------------------------------------------
Web-auth-server Name : abc
IP-address : 192.168.2.20
Shared-key : %$%$qqZ$ZM:$i&2T9sF7KE~Xi%yp%$%$
Source-IP : -
Port / PortFlag : 50100 / NO
URL : http://192.168.2.30:8080/webagent
Redirection : Enable
Sync : Enable
Sync Seconds : 300
Sync Max-times : 3
Detect : Enable
Detect Seconds : 60
Detect Max-times : 3
Detect Action : log
Bounded Vlanif : 10
VPN instance :
Bound WAN Interface :

------------------------------------------------------------------------
1 Web authentication server(s) in total

----End

Configuration Files
#
vlan batch 10 20
#
domain isp1
#
portal max-user 100
portal timer offline-detect 500
#
web-auth-server abc
server-ip 192.168.2.20
port 50100
shared-key cipher %$%$9|vQ32`Js#[:m\+~xK:W7cZQ%$%$
url http://192.168.2.30:8080/webagent
server-detect interval 60 max-times 3 critical-num 0 action log
user-sync
#
radius-server template rd1
radius-server shared-key cipher %$%$lrWRXXUmJ/5W\uBqID/6EULC%$%$
radius-server authentication 192.168.2.30 1812 weight 80
radius-server retransmit 2
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1


authentication-scheme abc
radius-server rd1
#
interface Vlanif10
ip address 192.168.1.20 255.255.255.0
web-auth-server abc direct
#
interface Vlanif20
ip address 192.168.2.29 255.255.255.0
#
interface Ethernet2/0/0
port hybrid tagged vlan 10
#
interface Ethernet2/0/1
port link-type access
port default vlan 20
#
return

2.8 References
The following table lists the references of this document.

Document      Description                                                      Remarks
RFC3748       Extensible Authentication Protocol (EAP)                         -
Portal 2.0    Portal protocol standard for Huawei broadband products (V2.01)   -


3 NAC Configuration (for wireless users)

About This Chapter

This chapter describes NAC principles for wireless users and configuration methods and
provides configuration examples.

3.1 Introduction to NAC


This section describes the definition, background, and functions of NAC.

3.2 Principles
This section describes the implementation of NAC.

3.3 Applications
This section describes the applicable scenario of NAC.

3.4 Default Configuration


This section provides the default NAC configuration. You can change the configuration as
needed.

3.5 Configuring NAC


This chapter describes NAC configuration methods.

3.6 Configuration Examples


This section provides several NAC configuration examples, including network requirements,
configuration roadmap, and configuration procedure.

3.7 References


3.1 Introduction to NAC


This section describes the definition, background, and functions of NAC.

Definition
Network Admission Control (NAC) is an end-to-end access security framework and includes
802.1x authentication, MAC address authentication, and Portal authentication.

As enterprise networks grow, threats such as viruses, Trojan horses, spyware, and deliberate
network attacks bring increasing risk. On a traditional enterprise network the intranet is regarded
as trusted and threats are assumed to come from the extranet. In practice, however, a large
proportion of security threats (commonly put at 80%) originate on the intranet, and an intranet
threat can spread widely and cause serious damage, up to the failure of systems and of the network
itself. In addition, when internal users browse websites on the external network, spyware and
Trojan horse software may be installed on their computers without their knowledge, and that
malicious software can then spread across the internal network.

Traditional security measures, which concentrate on border defense, cannot keep up with these
challenges. The security model must become proactive and address the root of the problem, the
terminals, to raise the information security level of the entire enterprise.

The NAC solution combines terminal security with access control: it checks and audits terminals,
enforces security measures on them, and isolates non-compliant terminals, improving the proactive
protection capability of each terminal. This secures every terminal and, through it, the entire
enterprise network.

As shown in Figure 3-1, NAC includes three components: NAC terminal, network access
device, and access server.

Figure 3-1 Typical NAC networking diagram (NAC terminal, network access device, and access server
connected across the intranet)

l NAC terminal: functions as the NAC client and interacts with network access devices to
authenticate access users. If 802.1x authentication is used, users must install client software.


l Network access device: functions as the network access control point that enforces enterprise
security policies. It allows, rejects, isolates, or restricts users based on the security policies
customized for the enterprise network.
l Access server: includes the access control server, management server, antivirus server, and
patch server. It authenticates users, checks terminal security, repairs and upgrades the
system, and monitors and audits user actions.

Purpose
Traditional network security technologies focus on threats from external computers and typically
neglect threats from internal computers. In addition, current network devices cannot prevent
attacks initiated by devices on internal networks.

The NAC security framework was developed to secure network communication services. It
improves internal network security by focusing on user terminals, and enforces security control
over access users to provide end-to-end security.

3.2 Principles
This section describes the implementation of NAC.

3.2.1 802.1x Authentication

Overview
The 802.1x protocol was developed by the Institute of Electrical and Electronics Engineers (IEEE)
802 LAN/MAN Standards Committee, initially to address wireless local area network (LAN) security
issues. It was later widely adopted as a common port-based access control mechanism for
authentication and security on Ethernet networks.

The 802.1x protocol is an interface-based network access control protocol. It controls users'
access to network resources by authenticating the users on access interfaces.

As shown in Figure 3-2, an 802.1x system uses a standard client/server architecture with three
components: client, device, and server. The client and device exchange EAPOL frames; the device
and server exchange RADIUS packets.

Figure 3-2 Diagram of 802.1x authentication system (Client --EAPOL-- Device --RADIUS-- Server)

l The client is the entity at one end of the LAN segment that is authenticated by the device at
the other end of the link. The client is usually a user terminal. The user initiates 802.1x
authentication using client software. The client must support Extensible Authentication
Protocol over LAN (EAPOL).


l The device is the entity at the other end of the LAN segment that authenticates the connected
client. The device is usually a network device that supports the 802.1x protocol. It provides
an interface, either physical or logical, through which the client accesses the LAN.
l The authentication server is the entity that provides the authentication service for the device.
It carries out authentication, authorization, and accounting for users and is usually a
RADIUS server.

Basic Concepts
1. Controlled and uncontrolled interfaces

The device provides an interface for LAN access. Logically this interface is split into two: the
controlled interface and the uncontrolled interface.
l The uncontrolled interface always passes EAPOL frames in both directions, so that the client
can send and receive authentication packets regardless of its authentication state.
l The controlled interface passes service packets in both directions when it is in Authorized
state; in Unauthorized state it does not accept packets from the client.

2. Authorized and Unauthorized states

The device uses the authentication server to authenticate clients that require LAN access and
controls the authorization state (Authorized or Unauthorized) of a controlled interface based on
the authentication result (Accept or Reject).

Figure 3-3 shows the impact of a controlled interface's authorization state on the packets that can
pass through the port in two 802.1x authentication systems. The controlled interface in system 1
is in Unauthorized state; the controlled interface in system 2 is in Authorized state.

Figure 3-3 Impact of a controlled interface's authorization state in two 802.1x authentication
systems (Authenticator system 1: controlled port unauthorized, uncontrolled port open to the LAN;
Authenticator system 2: controlled port authorized, uncontrolled port open to the LAN)

Authentication Triggering Modes


802.1x authentication can be initiated by either the client or device. The device supports the
following authentication triggering modes:


1. Client trigger: the client sends an EAPOL-Start frame to the device to initiate
authentication.
2. Device trigger: the device initiates authentication itself. This mode is used when the client
cannot send an EAPOL-Start frame, as is the case for the built-in 802.1x client of the
Windows XP operating system.

Authentication Modes
The 802.1x authentication system exchanges authentication information among the client,
device, and authentication server using the Extensible Authentication Protocol (EAP). The
exchange of EAP packets among the components is described as follows:
1. The EAP packets transmitted between the client and device are encapsulated in EAPOL
format and transmitted across the LAN.
2. The device and RADIUS server exchange EAP packets in the following modes:
l EAP relay: The device relays EAP packets. The device encapsulates EAP packets in
EAP over RADIUS (EAPoR) format and sends the packets to the RADIUS server for
authentication. This authentication mode simplifies device processing and supports
various EAP authentication methods, such as MD5-Challenge, EAP-TLS, and PEAP.
However, the RADIUS server must support the corresponding authentication methods.
l EAP termination: The device terminates EAP packets. It parses the client's authentication
information and encapsulates it into standard RADIUS packets, which the RADIUS server
authenticates using the Password Authentication Protocol (PAP) or Challenge Handshake
Authentication Protocol (CHAP). This mode works with most existing RADIUS servers, because
nearly all of them support PAP and CHAP and no server upgrade is needed. However, processing
on the device is more complex, and in this mode the device supports only the MD5-Challenge
EAP authentication method.

The 802.1X authentication system can complete authentication by exchanging information with
the RADIUS server in EAP relay mode and EAP termination mode. Figure 3-4 and Figure
3-5 demonstrate both of these authentication modes using the client triggering mode.

1. EAP relay authentication


Figure 3-4 Service process in EAP relay mode (Client --EAPOL-- Device --EAPOR-- RADIUS server)
1. EAPOL-Start: client -> device
2. EAP-Request/Identity: device -> client
3. EAP-Response/Identity: client -> device
4. RADIUS Access-Request (EAP-Response/Identity): device -> RADIUS server
5. RADIUS Access-Challenge (EAP-Request/MD5 challenge): RADIUS server -> device
6. EAP-Request/MD5 challenge: device -> client
7. EAP-Response/MD5 challenge: client -> device
8. RADIUS Access-Request (EAP-Response/MD5 challenge): device -> RADIUS server
9. RADIUS Access-Accept (EAP-Success): RADIUS server -> device
10. EAP-Success: device -> client; port authorized
11. Handshake request, EAP-Request/Identity: device -> client (sent on the handshake timer)
12. Handshake response, EAP-Response/Identity: client -> device
......
13. EAPOL-Logoff: client -> device; port unauthorized
14. EAP-Failure: device -> client

The EAP relay authentication process is described as follows:

1. When a user needs to access an external network, the user starts the 802.1x client program,
enters the registered user name and password, and initiates a connection request. The client
sends an authentication request frame (EAPOL-Start) to the device to start the authentication
process.
2. After receiving the authentication request frame, the device returns an identity request
frame (EAP-Request/Identity), requesting the client to send the previously entered user
name.
3. In response to the request sent by the device, the client sends an identity response frame
(EAP-Response/Identity) containing the user name to the device.
4. The device encapsulates the EAP packet in the response frame sent by the client into a
RADIUS packet (RADIUS Access-Request) and sends the RADIUS packet to the
authentication server for processing.


5. After receiving the user name forwarded by the device, the RADIUS server looks up the
user's password in its database, generates a random MD5 challenge value, and sends the
challenge to the device in a RADIUS Access-Challenge packet (as an EAP-Request/MD5-
Challenge).
6. The device forwards the MD5 challenge value sent by the RADIUS server to the client.
7. After receiving the MD5 challenge value from the device, the client computes an MD5 hash
over the EAP identifier, the password, and the challenge, places the hash in an EAP-Response/
MD5-Challenge packet, and sends the packet to the device.
8. The device encapsulates the EAP-Response/MD5-Challenge packet into a RADIUS packet
(RADIUS Access-Request) and sends the RADIUS packet to the RADIUS server.
9. The RADIUS server computes the same hash from the stored password and the challenge it
issued, and compares it with the value received. If the two match, the user is considered
authorized and the RADIUS server sends a packet indicating successful authentication
(RADIUS Access-Accept) to the device. Because the hash is computed over the password
itself, MD5-Challenge requires the server to hold the password in cleartext or reversibly
encrypted form.
10. After receiving the RADIUS Access-Accept packet, the device sends a frame indicating
successful authentication (EAP-Success) to the client, changes the interface state to
Authorized, and allows the user to access the network using the interface.
11. While the user is online, the device periodically sends a handshake packet (EAP-Request/
Identity) to the client to monitor the online user.
12. After receiving the handshake packet, the client sends a response packet (EAP-Response/
Identity) to the device, indicating that the user is still online. By default, the device
disconnects the user if it receives no response from the client after sending two handshake
packets. The handshake mechanism allows the device to detect unexpected user
disconnections.
13. If the user wants to go offline, the client sends an EAPOL-Logoff frame to the device.
14. The device changes the interface state from Authorized to Unauthorized and sends an EAP-
Failure packet to the client.

2. EAP termination authentication


Figure 3-5 Service process in EAP termination mode (Client --EAPOL-- Device --RADIUS-- RADIUS server)
1. EAPOL-Start: client -> device
2. EAP-Request/Identity: device -> client
3. EAP-Response/Identity: client -> device
4. EAP-Request/MD5 challenge: device -> client (the challenge is generated by the device)
5. EAP-Response/MD5 challenge: client -> device
6. RADIUS Access-Request (CHAP-Response/MD5 challenge): device -> RADIUS server
7. RADIUS Access-Accept (CHAP-Success): RADIUS server -> device
8. EAP-Success: device -> client; port authorized
9. Handshake request, EAP-Request/Identity: device -> client (sent on the handshake timer)
10. Handshake response, EAP-Response/Identity: client -> device
.......
11. EAPOL-Logoff: client -> device; port unauthorized
12. EAP-Failure: device -> client

Compared with EAP relay mode, in EAP termination mode the device itself generates the random
MD5 challenge value in step 4 and sends it to the client. After receiving the client's response in
step 5, the device sends the user name, the MD5 challenge value, and the hash computed by the
client to the RADIUS server (as CHAP attributes) for authentication.
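The relay and termination exchanges above, written out as an added example. This is illustrative Python, not code from the Huawei device or from this guide: the EAP packet layout and the MD5-Challenge computation follow RFC 3748 section 5.4 and RFC 1994, while the user database, user name and password are constructed values. In relay mode the RADIUS server generates the challenge and the device only forwards the EAP packet; in termination mode the device generates the challenge, parses the client's response itself and hands the RADIUS server a CHAP-style (identifier, challenge, hash) triple. In both modes the verifier needs the cleartext password.

```python
"""EAP-MD5 (MD5-Challenge) in 802.1x: EAP relay versus EAP termination.
Added example, not Huawei code. Packet layout per RFC 3748; hash per RFC 1994."""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4

# Constructed user database of the RADIUS server. Assumption: passwords are held in
# cleartext, which MD5-Challenge requires on the verifier side.
USERS = {b"alice": b"s3cret"}


def md5_challenge_value(identifier, password, challenge):
    """RFC 1994 / RFC 3748 5.4: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def eap_packet(code, identifier, eap_type=None, data=b""):
    """Code(1) | Identifier(1) | Length(2) | [Type(1) | Type-Data]; Length covers the whole packet."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(pkt):
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, identifier, None, b""
    return code, identifier, pkt[4], pkt[5:]


def md5_request(identifier, challenge):
    """EAP-Request/MD5-Challenge. Type-Data: Value-Size(1) | Value | Name."""
    return eap_packet(EAP_REQUEST, identifier, EAP_TYPE_MD5_CHALLENGE,
                      bytes([len(challenge)]) + challenge)


def client_md5_response(request, username, password):
    """What the 802.1x client does in step 7: hash the password with the received challenge."""
    code, identifier, eap_type, data = parse_eap(request)
    if code != EAP_REQUEST or eap_type != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an MD5-Challenge request")
    challenge = data[1:1 + data[0]]
    value = md5_challenge_value(identifier, password, challenge)
    return eap_packet(EAP_RESPONSE, identifier, EAP_TYPE_MD5_CHALLENGE,
                      bytes([len(value)]) + value + username)


def verify_md5_value(identifier, challenge, value, stored_password):
    expected = md5_challenge_value(identifier, stored_password, challenge)
    return hmac.compare_digest(value, expected)


def eap_relay(username, client_password):
    """Relay mode: the RADIUS server owns the challenge; the device forwards EAP unchanged
    (inside EAP-Message attributes) and never sees password material."""
    identifier = 1
    challenge = os.urandom(16)                      # generated on the RADIUS server
    request = md5_request(identifier, challenge)    # steps 5/6, carried through the device
    response = client_md5_response(request, username, client_password)  # steps 7/8
    code, ident, eap_type, data = parse_eap(response)                  # parsed on the server
    value = data[1:1 + data[0]]
    name = data[1 + data[0]:]
    return verify_md5_value(ident, challenge, value, USERS.get(name, b""))


def eap_termination(username, client_password):
    """Termination mode: the device owns the challenge and parses the response itself;
    RADIUS receives (User-Name, CHAP-Challenge, CHAP-Password) instead of EAP packets."""
    identifier = 7
    challenge = os.urandom(16)                      # generated on the device (step 4)
    request = md5_request(identifier, challenge)
    response = client_md5_response(request, username, client_password)
    _, ident, _, data = parse_eap(response)
    value = data[1:1 + data[0]]
    return ident, challenge, value


def radius_chap_verify(username, ident, challenge, value):
    """RADIUS server side of termination mode: same computation, different transport."""
    return verify_md5_value(ident, challenge, value, USERS.get(username, b""))
```

The only difference between the two paths is who generates and remembers the challenge; the hash and the comparison are identical, which is why termination mode is limited to MD5-Challenge while relay mode can carry any EAP method the server understands.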

802.1x Authentication Supports Dynamic VLAN Authorization


1. Guest VLAN

When the Guest VLAN function is enabled and a user does not respond to the 802.1x request (for
example, because no 802.1x client software is installed), the device adds the interface where the
user resides to the Guest VLAN. The user can then access resources in the Guest VLAN, which lets
unauthenticated users obtain or update client software and run patch or upgrade programs without
reaching the rest of the network.

2. Restrict VLAN

When the Restrict VLAN function is enabled, if the user authentication fails, the device adds
the interface where the user resides to the Restrict VLAN. For example, this occurs if the
incorrect user name or password is entered. Similar to the Guest VLAN function, the Restrict
VLAN function allows users to access limited network resources before being authenticated.
The Restrict VLAN typically limits access to network resources from unauthenticated users
more strictly than the Guest VLAN.

User Group Authorization


The device can authorize users based on the user group. After users are authenticated, the
authentication server groups users together. Each user group is bound to an ACL so that users
in the same user group share an ACL.

3.2.2 MAC Address Authentication

Overview
MAC address authentication controls a user's network access permission based on the user's
interface and MAC address. The user does not need to install any client software. After detecting
the user's MAC address for the first time on an interface where MAC address authentication is
running, the device begins authenticating the user. During the authentication, the user does not
need to enter a user name or password.

User Group Authorization


The device can authorize users based on the user group. After users are authenticated, the
authentication server groups users together. Each user group is bound to an ACL so that users
in the same user group share an ACL.

3.2.3 Portal Authentication

Introduction to Portal Authentication


Portal authentication is also called web authentication. Generally, Portal authentication websites
are also called Portal websites.

When an unauthenticated user accesses the Internet, the device forcibly redirects the user to a
specific site, the Portal website, whose resources the user can access free of charge. To access
resources outside that site, the user must first pass authentication on the Portal website.

A user who knows the Portal website can open it directly and enter a user name and password for
authentication; this is called active authentication. If the user instead attempts to reach another
external network over HTTP, the device forcibly redirects the HTTP request to the Portal website;
this is called forcible authentication.


System Architecture
As shown in Figure 3-6, typical networking of a Portal authentication system consists of four
entities: authentication client, access device, Portal server, and authentication/accounting server.

Figure 3-6 Portal authentication system using an external Portal server (several authentication
clients connect to the access device, which communicates with the Portal server and the
authentication/accounting server)

1. Authentication client: is a client system installed on a user terminal. The user terminal can
be a browser running HTTP/HTTPS or a host running Portal client software.
2. Access device: is a broadband access device such as switch or router. It provides the
following functions:
l Redirects all HTTP requests from users on authentication subnets to the Portal server
before authentication.
l Interacts with the Portal server and the authentication/accounting server to implement
identity authentication/accounting during authentication.
l Allows the user to access authorized Internet resources after the authentication is passed.
3. Portal server: receives authentication requests from the Portal client. It provides free Portal
services and an interface based on web authentication, and exchanges authentication
information of the authentication client with the access device.
4. Authentication/accounting server: interacts with the access device to implement user
authentication and accounting.

Authentication Modes
Different Portal authentication modes can be used in different networking modes. Portal
authentication is classified into Layer 2 and Layer 3 authentication according to the network
layer on which it is implemented.
l Layer 2 authentication
The authentication client and access device are directly connected (only Layer 2 devices exist
between the authentication client and the access device). The device can learn the user's MAC
address and identifies the user by IP address plus MAC address. In this case Portal authentication
is configured as Layer 2 authentication.


Layer 2 authentication is simple and highly secure. However, it requires that the user reside on
the same subnet as the access device, which makes the networking inflexible.

Figure 3-7 illustrates the packet interaction process when the user goes online and Layer 2
authentication is used.

Figure 3-7 Layer 2 authentication flowchart (authentication client, Portal server, access device,
RADIUS server)
(1) Initiate authentication: client -> Portal server
(2) CHAP authentication interaction: Portal server <-> access device
(3) Authentication request: Portal server -> access device (timer started)
(4) Authentication interaction of RADIUS protocol: access device <-> RADIUS server
(5) Authentication reply: access device -> Portal server
(6) Notify the user of successful authentication: Portal server -> client
(7) Authentication reply acknowledgment: Portal server -> access device

1. A Portal user initiates an authentication request through HTTP. The access device allows
an HTTP packet destined for the Portal server or an HTTP packet destined for the
configured authentication-free network resources to pass. The access device redirects
HTTP packets accessing other addresses to the Portal server. The Portal server provides a
web page where the user can enter a user name and password for authentication.
2. The Portal server exchanges information with the access device to implement CHAP
authentication. If PAP authentication is used, this exchange is not needed and the Portal server
proceeds directly to step 3.
3. The Portal server sends the user name and password entered by the user to the access device
through an authentication request packet, and meanwhile, starts a timer to wait for an
authentication reply packet.
4. The access device exchanges a RADIUS protocol packet with the RADIUS server.
5. The access device sends an authentication reply packet to the Portal server.
6. The Portal server sends a packet to the client indicating that the authentication succeeded
and notifying the client that the authentication succeeded.
7. The Portal server sends an authentication reply acknowledgment to the access device.

l Layer 3 authentication

When the device is deployed at the aggregation or core layer, Layer 3 forwarding devices exist
between the authentication client and device. In this case, the device may not obtain the MAC
address of the authentication client. Therefore, only the IP address identifies the user. Portal
authentication is configured as Layer 3 authentication.


The Layer 3 authentication process is the same as the Layer 2 authentication process. Networking
of Layer 3 authentication is flexible, which facilitates remote control. However, only an IP
address can be used to identify a user, so Layer 3 authentication is less secure: any host that
can send traffic with an authenticated user's IP address is treated as that user.
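The redirect and identification behaviour described for Layer 2 and Layer 3 Portal authentication, as an added example. This is illustrative Python, not the device's code: the Portal URL is the one from the configuration example earlier on this page, while the free-rule syntax, the `url=` redirect parameter and the online-user table layout are assumptions. The last function shows the weakness noted above: in Layer 3 mode a host on a different MAC that borrows an authenticated user's IP address is forwarded, in Layer 2 mode it is redirected.

```python
"""Forwarding decision of a Portal access device before and after authentication,
and why Layer 3 mode (IP-only identification) is weaker than Layer 2 (IP + MAC).
Added example, not Huawei code. Free-rule syntax and the url= parameter are assumed;
the Portal URL is taken from the page's configuration example."""
import ipaddress
from urllib.parse import quote

PORTAL_URL = "http://192.168.2.30:8080/webagent"
PORTAL_SERVER_IP = ipaddress.ip_address("192.168.2.30")


class PortalAccessDevice:
    def __init__(self, mode, free_rules=()):
        if mode not in ("layer2", "layer3"):
            raise ValueError("mode must be 'layer2' or 'layer3'")
        self.mode = mode
        # Authentication-free resources, reachable without a Portal login (assumed CIDR syntax).
        self.free_rules = [ipaddress.ip_network(rule) for rule in free_rules]
        self.online = set()   # (ip, mac) in layer2 mode, (ip,) in layer3 mode

    def _user_key(self, ip, mac):
        # Layer 2: the device learned the MAC, so the user is (IP, MAC).
        # Layer 3: a router sits in between, only the IP is usable.
        return (ip, mac.lower()) if self.mode == "layer2" else (ip,)

    def on_access_accept(self, ip, mac):
        """Steps 5/6 of the Layer 2 flow: RADIUS accepted the user, who goes online."""
        self.online.add(self._user_key(ip, mac))

    def on_logout(self, ip, mac):
        self.online.discard(self._user_key(ip, mac))

    def decide(self, src_ip, src_mac, dst_ip, url):
        """Return ('forward', url) or ('redirect', portal_url) for an HTTP request."""
        if self._user_key(src_ip, src_mac) in self.online:
            return ("forward", url)
        dst = ipaddress.ip_address(dst_ip)
        if dst == PORTAL_SERVER_IP or any(dst in net for net in self.free_rules):
            return ("forward", url)          # step 1: Portal server and free resources pass
        return ("redirect", f"{PORTAL_URL}?url={quote(url, safe='')}")


def spoofed_ip_outcome(mode):
    """An attacker on a different MAC reuses an authenticated user's IP address."""
    dev = PortalAccessDevice(mode)
    dev.on_access_accept("192.168.1.10", "00:11:22:33:44:55")
    action, _ = dev.decide("192.168.1.10", "66:77:88:99:aa:bb", "8.8.8.8", "http://example.com/")
    return action
```

Only HTTP is covered here, as in the text; non-HTTP traffic from an unauthenticated user is simply dropped by the device and cannot be redirected.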

Detection and Survival


If the Portal server fails or communication is interrupted due to a network failure between the
device and Portal server, new Portal authentication users cannot go online, and online Portal
users cannot go offline normally. User information on the Portal server and the device may be
different, resulting in accounting errors.
With the Portal detection and survival function, even if the network fails or the Portal server
cannot function properly, the device still allows users with certain access rights to use the
network normally, and reports failures using logs and traps. Meanwhile, the user information
synchronization mechanism ensures that user information on the Portal server matches that on
the device, preventing accounting errors.
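The detection and survival behaviour above, as an added example modelled on the `server-detect interval 60 max-times 3 critical-num 0 action log` line and the Detect fields of `display web-auth-server configuration` shown earlier on this page. This is illustrative Python, not the device's code, and the exact semantics are assumptions: a server is marked Down after `max-times` consecutive missed probes, the configured actions run once when the number of Up servers is not above `critical-num`, and `permit-all` is the survival action that lets unauthenticated users through until a server recovers.

```python
"""Portal server detection and survival. Added example, not Huawei code; the
threshold semantics (max-times, critical-num, actions) are assumptions."""


class PortalServerDetector:
    def __init__(self, servers, max_times=3, critical_num=0, actions=("log",)):
        self.state = {s: {"misses": 0, "up": True} for s in servers}
        self.max_times = max_times
        self.critical_num = critical_num
        self.actions = tuple(actions)
        self.failed = False       # True while the configured actions are in effect
        self.permit_all = False   # survival mode: unauthenticated users are let through
        self.events = []          # stands in for log and trap output

    def probe(self, results):
        """Call once per detect interval with {server: reachable}; returns the Up count."""
        for server, reachable in results.items():
            st = self.state[server]
            if reachable:
                if not st["up"]:
                    self.events.append(f"portal server {server}: up")
                st["misses"], st["up"] = 0, True
                continue
            st["misses"] += 1
            if st["up"] and st["misses"] >= self.max_times:
                st["up"] = False
                self.events.append(f"portal server {server}: down after {st['misses']} missed probes")
        up = sum(1 for st in self.state.values() if st["up"])
        if up <= self.critical_num and not self.failed:
            self.failed = True
            self._run_actions()
        elif up > self.critical_num and self.failed:
            self.failed = self.permit_all = False
            self.events.append("portal service restored: survival mode off, user sync resumes")
        return up

    def _run_actions(self):
        if "log" in self.actions:
            self.events.append("LOG: portal server unreachable")
        if "trap" in self.actions:
            self.events.append("TRAP: portal server unreachable")
        if "permit-all" in self.actions:
            self.permit_all = True

    def admits_unauthenticated(self):
        """What the forwarding plane asks before redirecting an unknown user."""
        return self.permit_all
```

With `action log` alone, as in the page's configuration, a Portal outage is only reported and new users still cannot authenticate; the survival behaviour requires the permit-all style action, and it should be paired with user synchronization so accounting is reconciled once the server returns.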

User Group Authorization


The device can authorize users based on the user group. After users are authenticated, the
authentication server groups users together. Each user group is bound to an ACL so that users
in the same user group share an ACL.

3.3 Applications
This section describes the applicable scenario of NAC.

3.3.1 802.1x Authentication


As shown in Figure 3-8, users' network access needs to be controlled to ensure network security.
Only authenticated users are allowed to access network resources authorized by the
administrator.

Figure 3-8 Typical application of 802.1x authentication (users connect to the access device, which
reaches the authentication server and the Internet)

The user terminal is a PC with 802.1x client software installed on it. The user can use the 802.1x
client software to initiate an authentication request to the access device. After exchanging


information with the user terminal, the access device sends the user information to the
authentication server for authentication. If the authentication succeeds, the access device sets
the interface connected to the user to the Authorized (Up) state and allows the user to access the
network. If the authentication fails, the access device rejects the user's access request.
NOTE

802.1x authentication results in the change of the interface state, but does not involve IP address negotiation
or assignment. 802.1x authentication is the simplest authentication solution. However, the 802.1x client
software must be installed on the user terminal.

3.3.2 MAC Address Authentication


As shown in Figure 3-9, user terminals' network access needs to be controlled to ensure network
security. Only authenticated users are allowed to access network resources authorized by the
administrator.

Figure 3-9 Typical application of MAC address authentication (a user and a printer connect to the
access device, which reaches the authentication server and the Internet)

The 802.1x client cannot be installed on printers. In this case, enable MAC address authentication
on the interface connected to the printer. After that, the access device uses the printer's MAC
address as the user name and password, and reports the MAC address to the authentication server
for authentication. If the authentication succeeds, the access device sets the interface connected
to the printer to the Up state and allows the printer to access the network. If the authentication
fails, the access device rejects the printer's access request.

3.3.3 Portal Authentication


As shown in Figure 3-10, user terminals' network access needs to be controlled to ensure network
security. Only authenticated users are allowed to access network resources authorized by the
administrator.


Figure 3-10 Typical application of Portal authentication (users connect to the access device,
which reaches the Portal server, the authentication server, and the Internet)

If the user only requires Portal authentication using a web browser, enable Portal authentication
on the access device.

When an unauthenticated user accesses the Internet, the access device redirects the user to the
Portal authentication website to start Portal authentication. If the authentication succeeds, the
access device sets the interface connected to the user to the Up state and allows the user to access
the network. If the authentication fails, the access device rejects the user's access request.

3.4 Default Configuration


This section provides the default NAC configuration. You can change the configuration as
needed.

Table 3-1 describes the default configuration of 802.1x authentication.

Table 3-1 Default configuration of 802.1x authentication

Parameter                                                   Default setting
802.1x authentication                                       Disabled
User authentication mode                                    CHAP authentication
Periodic re-authentication timer (reauthenticate-period)    3600 seconds

Table 3-2 describes the default configuration of MAC address authentication.

Table 3-2 Default configuration of MAC address authentication

Parameter                                                   Default setting
MAC address authentication                                  Disabled


Table 3-3 describes the default configuration of Portal authentication.

Table 3-3 Default configuration of Portal authentication

Parameter                                                                Default setting
Portal authentication                                                    Disabled
Portal protocol versions supported by the device                         v2, v1
Destination port number the device uses to send packets to the Portal    50100
server
Port number on which the device listens for Portal protocol packets      2000
Offline detection period                                                 300 seconds

3.5 Configuring NAC


This chapter describes NAC configuration methods.

3.5.1 Configuring 802.1x Authentication


You can configure 802.1x authentication to implement interface-based network access control.
This means you can authenticate and control access users connected to an access control device
interface.

Prerequisites
802.1x authentication is only an implementation scheme to authenticate the user identity. To
complete the user identity authentication, you must select the RADIUS or local authentication
method and complete the following configuration tasks:
l Configure an Internet Service Provider (ISP) authentication domain to which the users
belong, and a local authentication scheme or a RADIUS authentication scheme.
l Configure the corresponding user name and password on the RADIUS server if RADIUS
authentication is used.
l Add the user name and password manually on the network access device if local
authentication is used.

3.5.1.1 Enabling 802.1x Authentication

Context
802.1x authentication cannot be disabled on an interface while users who logged in through
802.1x authentication are still online on that interface.


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dot1x enable

Global 802.1x authentication is enabled.


By default, global 802.1x authentication is disabled.
Step 3 Enter the WLAN-ESS or WLAN-BSS interface view:
l When the device functions as an AC, run the interface wlan-ess wlan-ess-number command
in the system view to create a WLAN-ESS interface and enter the interface view.
l When the device functions as a fat AP, run the interface wlan-bss wlan-bss-number
command in the system view to create a WLAN-BSS interface and enter the interface view.
Step 4 Run:
dot1x-authentication enable

802.1X authentication is configured on the interface.

----End

3.5.1.2 (Optional) Setting the User Authentication Mode

Context
During 802.1x authentication, users exchange authentication information with the device using
EAP packets. The device uses two modes to exchange authentication information with the
RADIUS server.
- EAP termination: The device directly parses EAP packets, encapsulates the user authentication information into a RADIUS packet, and sends the packet to the RADIUS server for authentication. EAP termination uses either PAP or CHAP authentication.
  - PAP is a two-way handshake authentication protocol. It transmits passwords in plain text in RADIUS packets.
  - CHAP is a three-way handshake authentication protocol. It transmits only the user names (not passwords) in RADIUS packets. CHAP is more secure and reliable than PAP. If high security is required, CHAP is recommended.
  After the device parses the EAP packets, the user information they carry is authenticated by the local AAA module or sent to a RADIUS or HWTACACS server.
- EAP relay (specified by eap): The device does not parse the received EAP packets but encapsulates them into RADIUS packets and sends the RADIUS packets to the RADIUS server. This mechanism is called EAP over RADIUS (EAPoR).
The EAP relay mechanism requires that the RADIUS server be capable of parsing many EAP packets and carrying out authentication. Therefore, EAP relay is used if the RADIUS server has high processing capabilities. If the RADIUS server has low processing capabilities, EAP termination is recommended, so that the device parses EAP packets on behalf of the RADIUS server.
NOTE

The EAP relay can be configured for 802.1x users only when RADIUS authentication is used.
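As an added example (not code from this guide), the Python below builds the credential attributes a RADIUS request carries in EAP termination mode for PAP versus CHAP, so the difference described above can be checked: with CHAP only a challenge and an MD5 digest (the CHAP-Challenge and CHAP-Password attributes of RFC 2865) leave the device. The helper names are hypothetical.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Added example, not code from this guide: the user credential as it appears
# in the RADIUS request built by the access device in EAP termination mode.
# Helper names are hypothetical; attribute names follow RFC 2865.

Attrs = Dict[str, object]


def build_pap_request(username: str, password: str) -> Attrs:
    """PAP: the password itself is carried in the User-Password attribute,
    so anyone able to read the RADIUS exchange sees the credential."""
    return {"User-Name": username, "User-Password": password.encode()}


def build_chap_request(username: str, password: str, ident: int = 1,
                       challenge: Optional[bytes] = None) -> Attrs:
    """CHAP (RFC 2865 section 5.3): the device sends the challenge and
    ident || MD5(ident || password || challenge); the password never leaves."""
    if challenge is None:
        challenge = os.urandom(16)          # fresh per attempt, never reused
    digest = hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()
    return {
        "User-Name": username,
        "CHAP-Challenge": challenge,
        "CHAP-Password": bytes([ident]) + digest,
    }


def verify_chap(request: Attrs, stored_password: str) -> bool:
    """Server side. Note the trade-off: the server must hold the password in
    a recoverable form to recompute the digest; a salted hash is not enough."""
    chap_password = request["CHAP-Password"]
    ident = chap_password[0]
    expected = hashlib.md5(bytes([ident]) + stored_password.encode()
                           + request["CHAP-Challenge"]).digest()
    return hmac.compare_digest(expected, chap_password[1:])


def leaks_password(request: Attrs, password: str) -> bool:
    """True if the cleartext password occurs in any attribute as sent."""
    needle = password.encode()
    return any(needle in (v if isinstance(v, bytes) else str(v).encode())
               for v in request.values())


if __name__ == "__main__":
    pap = build_pap_request("alice", "s3cret!")
    chap = build_chap_request("alice", "s3cret!")
    print("PAP leaks password:", leaks_password(pap, "s3cret!"))    # True
    print("CHAP leaks password:", leaks_password(chap, "s3cret!"))  # False
    print("CHAP verifies:", verify_chap(chap, "s3cret!"))           # True
```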

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Enter the WLAN-ESS or WLAN-BSS interface view:

- When the device functions as an AC, run the interface wlan-ess wlan-ess-number command to create a WLAN-ESS interface and enter the WLAN-ESS interface view.
- When the device functions as a fat AP, run the interface wlan-bss wlan-bss-number command to create a WLAN-BSS interface and enter the WLAN-BSS interface view.

Step 3 Run:
dot1x authentication-method { chap | eap | pap }

The authentication mode is set for 802.1x users.

By default, the CHAP authentication mode is used for 802.1x users.

----End

3.5.1.3 (Optional) Configuring Re-authentication for 802.1x Authentication Users

Context
If the administrator modifies user information on the authentication server, parameters such as
the user access permission and authorization attribute are changed. If a user has passed 802.1x
authentication, you must re-authenticate the user to ensure user validity.

After the user goes online, the device saves user authentication information. After re-
authentication is enabled for 802.1x authentication users, the device sends the saved
authentication information of the online user to the authentication server for re-authentication.
If the user's authentication information does not change on the authentication server, the user is
online normally. If the authentication information has been changed, the user is forced to go
offline. The user then must be re-authenticated according to the changed authentication
information.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Enter the WLAN-ESS or WLAN-BSS interface view:

- When the device functions as an AC, run the interface wlan-ess wlan-ess-number command to create a WLAN-ESS interface and enter the WLAN-ESS interface view.
- When the device functions as a fat AP, run the interface wlan-bss wlan-bss-number command to create a WLAN-BSS interface and enter the WLAN-BSS interface view.

Step 3 Run:
dot1x timer reauthenticate-period reauthenticate-period-value

802.1x re-authentication is enabled and the re-authentication interval is set on an interface.

By default, 802.1x re-authentication is disabled and the re-authentication interval is 3600 seconds.

NOTE

In local forwarding mode, if 802.1x re-authentication is enabled, the PVID on the WLAN-ESS bound to
the VAP must be the same as the VLAN ID in the EAP packets sent from users to the device. Otherwise,
users will fail in re-authentication and be forced offline.

----End

3.5.1.4 (Optional) Configuring the Guest VLAN Function

Context
After the guest VLAN function is enabled, the device allows users to access resources in the
Guest VLAN without 802.1x authentication. For example, the users can obtain the client
software, upgrade the client, or run other upgrade programs.

NOTE

The device does not support Guest VLAN when functioning as a fat AP.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface wlan-ess wlan-ess-number

A WLAN-ESS interface is created, and the WLAN-ESS interface view is displayed.

Step 3 Run:
dot1x guest-vlan vlan-id

A guest VLAN is configured on the WLAN-ESS interface.

By default, no guest VLAN is configured on a WLAN-ESS interface.

----End

3.5.1.5 (Optional) Configuring the Restrict VLAN Function

Context
You can configure the restrict VLAN function on a device interface so that users who fail authentication can still access some network resources (for example, to update the virus library). Users who fail authentication are added to the restrict VLAN and can access the resources in it. Failing authentication here means that the authentication server rejects the user (for example, because the user enters an incorrect password), not that the authentication times out or the network is disconnected.

Similar to the guest VLAN, the restrict VLAN allows users to access limited network resources
before passing 802.1x authentication. Generally, fewer network resources are deployed in the
restrict VLAN than in the guest VLAN; therefore, the restrict VLAN limits access to network
resources from unauthenticated users more strictly.

NOTE

The device does not support Restrict VLAN when functioning as a fat AP.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface wlan-ess wlan-ess-number

A WLAN-ESS interface is created, and the WLAN-ESS interface view is displayed.

Step 3 Run:
dot1x restrict-vlan vlan-id

A restrict VLAN is configured on a WLAN-ESS interface.

By default, no restrict VLAN is configured on the WLAN-ESS interface.

----End

3.5.1.6 (Optional) Configuring the User Group Function

Context
In NAC applications, there are many access users, but only a limited number of user types. You can create user groups on the device and associate each user group with an ACL, so that users in the same group share the rules in that ACL.

After creating user groups, you can set VLANs for the user groups, so that users in different user groups have different network access rights. The administrator can then manage users flexibly.

Isolation flags can be set in user groups to isolate users in the same group or in different groups. The inter-group isolation flag isolates users in the same group, and the intra-group isolation flag isolates users in a group from users in other groups.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-group group-name

A user group is created and the user group view is displayed.

Step 3 Run:
acl-id acl-number

An ACL is bound to the user group.

By default, no ACL is bound to a user group.

NOTE

Before running this command, ensure that an ACL has been created using the acl command and ACL rules
are configured using the rule command.

Step 4 Run:
user-vlan vlan-id

The user group VLAN is configured.

By default, no user group VLAN is configured.

Step 5 Run:
remark { 8021p 8021p-value | dscp dscp-value | exp exp-value | lp lp-value }*

The user group priority is configured.

By default, no user group priority is configured.

Step 6 Run:
user-isolated { inter-group | inner-group }*

Inter-group and intra-group user isolation are configured.

By default, inter-group or intra-group isolation is not configured in a user group.

----End

3.5.1.7 Checking the Configuration

Context
You can run the commands to check the configured parameters after completing the 802.1x
authentication configuration.

Procedure
Step 1 Run the display dot1x [ statistics ] [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to check the 802.1x authentication configuration.

Step 2 Run the display user-group [ group-name ] command to check the user group configuration.

Step 3 Run the display access-user user-group group-name command to check brief information
about all users bound to the user group.

----End

3.5.2 Configuring MAC Address Authentication


MAC address authentication controls a user's network access rights based on the user's access interface and MAC address. The user does not need to install any client software; the MAC address of the user device is used as both the user name and the password. When the network access device detects the user's MAC address for the first time, it starts authenticating the user.

Prerequisite
MAC address authentication is only an implementation scheme to authenticate the user identity.
To complete the user identity authentication, you must select the RADIUS or local authentication
method and complete the following configuration tasks:
- Configure an ISP authentication domain to which users belong, and a local authentication scheme or a RADIUS authentication scheme.
- Configure the corresponding user name and password on the RADIUS server if RADIUS authentication is used.
- Add the user name and password manually on the network access device if local authentication is used.

3.5.2.1 Enabling MAC Address Authentication

Context
The MAC address authentication configuration takes effect on an interface only after MAC
address authentication is enabled on the interface.

After MAC address authentication is enabled, if there are online users who log in through MAC
address authentication on the interface, disabling MAC address authentication is prohibited.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
mac-authen

Global MAC address authentication is enabled.

By default, global MAC address authentication is disabled.

Step 3 Enter the WLAN-ESS or WLAN-BSS interface view:
- When the device functions as an AC, run the interface wlan-ess wlan-ess-number command to create a WLAN-ESS interface and enter the WLAN-ESS interface view.
- When the device functions as a fat AP, run the interface wlan-bss wlan-bss-number command to create a WLAN-BSS interface and enter the WLAN-BSS interface view.
Step 4 Run:
mac-authentication enable

MAC address authentication is configured on the interface.

----End

3.5.2.2 (Optional) Configuring the User Group Function

Context
In NAC applications, there are many access users, but only a limited number of user types. You can create user groups on the device and associate each user group with an ACL, so that users in the same group share the rules in that ACL.

After creating user groups, you can set VLANs for the user groups, so that users in different user groups have different network access rights. The administrator can then manage users flexibly.

Isolation flags can be set in user groups to isolate users in the same group or in different groups. The inter-group isolation flag isolates users in the same group, and the intra-group isolation flag isolates users in a group from users in other groups.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
user-group group-name

A user group is created and the user group view is displayed.


Step 3 Run:
acl-id acl-number

An ACL is bound to the user group.


By default, no ACL is bound to a user group.

NOTE

Before running this command, ensure that an ACL has been created using the acl command and ACL rules
are configured using the rule command.

Step 4 Run:
user-vlan vlan-id

The user group VLAN is configured.

By default, no user group VLAN is configured.

Step 5 Run:
remark { 8021p 8021p-value | dscp dscp-value | exp exp-value | lp lp-value }*

The user group priority is configured.

By default, no user group priority is configured.

Step 6 Run:
user-isolated { inter-group | inner-group }*

Inter-group and intra-group user isolation are configured.

By default, inter-group or intra-group isolation is not configured in a user group.

----End

3.5.2.3 Checking the Configuration

Context
You can run the commands to check the configured parameters after completing the MAC
authentication configuration.

Procedure
Step 1 Run the display user-group [ group-name ] command to check the user group configuration.

----End

3.5.3 Configuring Portal Authentication


In Portal authentication, users do not need a specific client. The Portal server provides users with
free portal services and a Portal authentication page.

NOTE

The built-in Portal authentication does not apply to wireless users.

Prerequisites
Portal authentication is only an implementation scheme to authenticate user identities. To
complete user identity authentication, select either RADIUS authentication or local
authentication and complete the following configuration tasks:
- Configure an ISP authentication domain to which users belong, and a local authentication scheme or a RADIUS authentication scheme.
- Configure the corresponding user name and password on the RADIUS server if RADIUS authentication is used.
- Add the user name and password manually on the network access device if local authentication is used.

3.5.3.1 Configuring Portal Server Parameters

Context
During Portal authentication, you must configure parameters for the Portal server (for example,
the IP address for the Portal server) to ensure smooth communication between the device and
the Portal server.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
web-auth-server server-name

A Portal server template is created and the Portal server template view is displayed.

By default, no Portal server template is created.

Step 3 Run:
server-ip server-ip-address &<1-10>

An IP address is configured for the Portal server.

By default, no IP address is configured for the Portal server.

Step 4 Run:
url url-string

A URL is configured for the portal server.

By default, a Portal server does not have a URL.

----End

3.5.3.2 Enabling Portal Authentication

Context
The device can communicate with the Portal server after the Portal server parameters are configured. To enable Portal authentication for access users, you must enable Portal authentication on the device.

To enable Portal authentication with a Portal server, you only need to bind the configured Portal server template to a VLANIF interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Enter the WLAN-ESS or WLAN-BSS interface view:

- When the device functions as an AC, run the interface wlan-ess wlan-ess-number command to create a WLAN-ESS interface and enter the WLAN-ESS interface view.
- When the device functions as a fat AP, run the interface wlan-bss wlan-bss-number command to create a WLAN-BSS interface and enter the WLAN-BSS interface view.

Step 3 Run:
web-authentication enable

Portal authentication is enabled on the interface.

By default, Portal authentication is disabled on an interface.

Step 4 (Optional) Run:
web-authentication first-mac

The function that prefers MAC addresses as accounts for Portal authentication is enabled.

By default, MAC addresses are not preferred as accounts for Portal authentication.

NOTE
When the MAC address is used as the account for Portal authentication, ensure that the account is added on the RADIUS server as the MAC address without hyphens (-). For example, use 286ED488B74F, not 286E-D488-B74F.

----End
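As an added example (not part of this guide), the Python below converts a client MAC address into the separator-free account form required in the note above, and likewise for MAC address authentication in 3.5.2, where the device uses the MAC address without hyphens as the user name. It also flags RADIUS accounts that keep separators and so would never match. The helper names are hypothetical.

```python
import re
from typing import Iterable, List, Set, Tuple

# Added example, not an AR router feature: normalise a MAC address as seen in
# logs or on a terminal (286E-D488-B74F, 28:6e:d4:88:b7:4f, 286e.d488.b74f)
# into the 12 upper-case hexadecimal digits the RADIUS account must use.

_HEX12 = re.compile(r"[0-9A-F]{12}")


def mac_account(mac: str) -> str:
    """Strip hyphen, colon, dot and space separators and upper-case the digits."""
    digits = re.sub(r"[-:. ]", "", mac.strip()).upper()
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def radius_will_accept(mac: str, radius_users: Set[str]) -> bool:
    """True only if the server stores the account in the separator-free form."""
    return mac_account(mac) in radius_users


def audit_user_list(radius_users: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (stored_name, expected_name) for accounts that look like MAC
    addresses but keep separators; such accounts never match a client."""
    bad = []
    for name in radius_users:
        try:
            expected = mac_account(name)
        except ValueError:
            continue                      # an ordinary user name, not a MAC
        if expected != name:
            bad.append((name, expected))
    return bad


if __name__ == "__main__":
    # constructed sample RADIUS user list
    users = {"286ED488B74F", "286E-D488-B74F", "alice"}
    print(mac_account("28:6e:d4:88:b7:4f"))          # 286ED488B74F
    print(radius_will_accept("286e.d488.b74f", users))  # True
    print(audit_user_list(users))  # [('286E-D488-B74F', '286ED488B74F')]
```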

3.5.3.3 (Optional) Configuring Parameters for Information Exchange with the Portal Server

Context
In Portal authentication network deployment, you can configure parameters for information
exchange between the device and the Portal server to improve communication security.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
web-auth-server version v2 [ v1 ]

Portal protocol versions supported by the device are configured.

By default, the device supports both Portal protocol v1 and v2.

NOTE

To ensure smooth communication, use the default setting so that the device uses both versions.

Step 3 Run:

web-auth-server listening-port port-number

The port number on which the device listens for Portal protocol packets is set.

By default, the device listens for Portal protocol packets on port 2000.

Step 4 Run:
web-auth-server reply-message

The device is enabled to transparently transmit the authentication responses sent by the
authentication server to the Portal server.

By default, the device transparently transmits the authentication responses sent by the
authentication server to the Portal server.

Step 5 Run:
web-auth-server server-name

The Portal server template view is displayed.

Step 6 Run:
source-ip ip-address

The source IP address for communication with a Portal server is configured.

By default, no source IP address is configured on the device.

Step 7 Run:
port port-number [ all ]

The destination port number through which the device sends packets to the Portal server is set.

By default, port 50100 is used as the destination port when the device sends packets to the Portal
server.

Step 8 Run:
shared-key { cipher | simple } key-string

The shared key that the device uses to exchange information with the Portal server is configured.

By default, no shared key is configured.

----End

3.5.3.4 (Optional) Setting Access Control Parameters for Portal Authentication Users

Context
During deployment of a Portal authentication network, you can set access control parameters for Portal authentication users to control user access flexibly. For example, you can set authentication-free rules so that users can access specified network resources without being authenticated or after failing authentication. You can also configure the source authentication subnet so that the device authenticates only users in that subnet; users in other subnets cannot pass Portal authentication.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
portal free-rule rule-id { destination { any | ip { ip-address mask { mask-length | ip-mask } | any } } | source { any | ip { ip-address mask { mask-length | ip-mask } | any } } } *

The Portal authentication free rule is set.

By default, no Portal authentication free rule is set.

Step 3 Run:
portal max-user user-number

The maximum number of concurrent Portal users is set.

By default, the maximum number of Portal authentication users is the maximum number supported by the device.

----End
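Added example, not the router's own matching code: it evaluates portal free-rule entries written in the syntax above (any, or an address with a mask-length or ip-mask) against a flow from an unauthenticated user, and reports rules whose source and destination are both any, since such a rule exempts every flow. Evaluation in rule-id order is an assumption of this example; the Portal server address used is constructed.

```python
import ipaddress
from typing import List, Optional, Tuple, Union

# Added example, not the router's implementation. A match spec mirrors the
# command syntax: "any", or (address, mask) where mask is a prefix length
# (mask-length) or a dotted mask (ip-mask). Evaluation order by rule-id is
# an assumption of this example.

MatchSpec = Union[str, Tuple[str, Union[int, str]]]


def _parse_match(spec: MatchSpec) -> Optional[ipaddress.IPv4Network]:
    if spec == "any":
        return None                      # None means "matches every address"
    address, mask = spec
    # ipaddress accepts both "10.1.0.0/16" and "10.1.0.0/255.255.0.0"
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def free_rule(rule_id: int, source: MatchSpec = "any",
              destination: MatchSpec = "any") -> dict:
    """One 'portal free-rule rule-id { source ... | destination ... }' entry."""
    return {"id": rule_id, "src": _parse_match(source), "dst": _parse_match(destination)}


def _hit(net: Optional[ipaddress.IPv4Network], ip: str) -> bool:
    return net is None or ipaddress.ip_address(ip) in net


def matching_rule(rules: List[dict], src_ip: str, dst_ip: str) -> Optional[int]:
    """Id of the first free rule (by rule-id) the flow matches, else None.
    None means the unauthenticated user does not reach this destination."""
    for rule in sorted(rules, key=lambda r: r["id"]):
        if _hit(rule["src"], src_ip) and _hit(rule["dst"], dst_ip):
            return rule["id"]
    return None


def overly_permissive(rules: List[dict]) -> List[int]:
    """Rules with source any and destination any exempt every flow, which
    effectively disables Portal authentication; report them for review."""
    return [r["id"] for r in rules if r["src"] is None and r["dst"] is None]


if __name__ == "__main__":
    rules = [
        free_rule(1, destination=("192.0.2.10", 32)),    # constructed Portal server host
        free_rule(2, source=("10.1.0.0", "255.255.0.0"),
                  destination=("10.1.2.0", 24)),          # constructed update-server subnet
    ]
    print(matching_rule(rules, "10.5.5.5", "192.0.2.10"))   # 1
    print(matching_rule(rules, "10.5.5.5", "203.0.113.9"))  # None
    print(overly_permissive(rules + [free_rule(3)]))        # [3]
```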

3.5.3.5 (Optional) Setting the Offline Detection Interval for Portal Authentication Users

Context
If a Portal authentication user goes offline because of a power failure or network interruption, the device and Portal server may still store the user information, which leads to incorrect accounting. In addition, only a limited number of users can access the device. If a user goes offline improperly but the device still stores the user information, other users cannot access the network.

After the offline detection interval is set for Portal authentication users, if a user does not respond
within the interval, the device considers the user offline. The device and Portal server then delete
the user information and release the occupied resources to ensure efficient resource use.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
portal timer offline-detect time-length

The offline detection interval is set for Portal authentication users.

By default, the offline detection interval is 300 seconds.

----End

3.5.3.6 (Optional) Configuring the User Group Function

Context
In NAC applications, there are many access users, but only a limited number of user types. You can create user groups on the device and associate each user group with an ACL, so that users in the same group share the rules in that ACL.

Isolation flags can be set in user groups to isolate users in the same group or in different groups. The inter-group isolation flag isolates users in the same group, and the intra-group isolation flag isolates users in a group from users in other groups.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
user-group group-name

A user group is created and the user group view is displayed.


Step 3 Run:
acl-id acl-number

An ACL is bound to the user group.


By default, no ACL is bound to a user group.

NOTE

Before running this command, ensure that an ACL has been created using the acl command and ACL rules
are configured using the rule command.

Step 4 Run:
remark { 8021p 8021p-value | dscp dscp-value | exp exp-value | lp lp-value }*

The user group priority is configured.


By default, no user group priority is configured.
Step 5 Run:
user-isolated { inter-group | inner-group }*

Inter-group and intra-group user isolation are configured.


By default, inter-group or intra-group isolation is not configured in a user group.

----End

3.5.3.7 Checking the Configuration

Context
You can run the commands to check the configured parameters after completing the Portal
authentication configuration.

Procedure
- When an external Portal server is used, run the following commands to check the configuration:
  - Run the display portal [ interface vlanif interface-number ] command to check the Portal authentication configuration.
  - Run the display portal free-rule [ rule-id ] command to show the configuration of authentication-free rules.
  - Run the display web-auth-server configuration command to check the configuration of the Portal authentication server.
  - Run the display user-group [ group-name ] command to check the user group configuration.
  - Run the display access-user user-group group-name command to check summary information about all users in the user group.

----End

3.6 Configuration Examples


This section provides several NAC configuration examples, including network requirements,
configuration roadmap, and configuration procedure.

3.6.1 Example for Configuring 802.1x Authentication


Networking Requirements
As shown in Figure 3-11, a large number of user terminals in a company connect to the Internet
through a wireless medium. The administrator needs to control network access rights of user
terminals to ensure network security. The Router allows user terminals to access Internet
resources only after they are authenticated.

Figure 3-11 Networking diagram for configuring 802.1x authentication


[Figure 3-11: Update Server (VLAN 10) and RADIUS Server (192.168.2.30), LAN Switch, Router, AP, Internet]

Configuration Roadmap
To control the network access rights of user terminals to the Internet, the administrator can configure 802.1x authentication on the Router, using the server at 192.168.2.30 as the RADIUS server.

The configuration roadmap is as follows (configured on the Router):

1. Create and configure a RADIUS server template, an AAA scheme, and an ISP domain.
Bind the RADIUS server template and the AAA scheme to the ISP domain. The Router
can then exchange information with the RADIUS server.
2. Configure 802.1x authentication.
a. Enable 802.1x authentication globally.
b. Create a WLAN-ESS interface and enable 802.1x authentication on the interface.
c. Set the authentication mode to EAP.
d. Configure VLAN10 as the guest VLAN so that users can access resources in the guest
VLAN without authentication.
e. Configure re-authentication for 802.1x users.
NOTE

This example provides only the configuration procedure used when the device functions as an AC, and the
configuration procedure used when the device functions as a fat AP is not provided here.

Procedure
Step 1 Create and configure a RADIUS server template, an AAA scheme, and an ISP domain.

# Create and configure RADIUS server template rd1.


[Huawei] radius-server template rd1
[Huawei-radius-rd1] radius-server authentication 192.168.2.30 1812
[Huawei-radius-rd1] radius-server shared-key cipher hello
[Huawei-radius-rd1] radius-server retransmit 2
[Huawei-radius-rd1] quit

# Create AAA scheme abc and set the authentication mode to RADIUS.
[Huawei] aaa
[Huawei-aaa] authentication-scheme abc
[Huawei-aaa-authen-abc] authentication-mode radius
[Huawei-aaa-authen-abc] quit

# Create ISP domain isp1, and bind AAA scheme abc and RADIUS server template rd1 to ISP
domain isp1.
[Huawei-aaa] domain isp1
[Huawei-aaa-domain-isp1] authentication-scheme abc
[Huawei-aaa-domain-isp1] radius-server rd1
[Huawei-aaa-domain-isp1] quit
[Huawei-aaa] quit

Step 2 Configure 802.1x authentication.

# Enable 802.1x authentication globally.
[Huawei] dot1x enable

# Create WLAN-ESS interface 0 and enable 802.1x authentication on the interface.
[Huawei] interface wlan-ess 0
[Huawei-Wlan-Ess0] dot1x-authentication enable

# Set the authentication mode for 802.1x users.


[Huawei-Wlan-Ess0] dot1x authentication-method eap

# Configure VLAN10 as the guest VLAN in 802.1x authentication.

[Huawei-Wlan-Ess0] dot1x guest-vlan 10


[Huawei-Wlan-Ess0] quit

# Configure re-authentication for 802.1x users.


[Huawei] dot1x timer reauthenticate-period 1000

Step 3 View the 802.1x configuration.


[Huawei] display dot1x
Global 802.1x is Enabled
Authentication method is CHAP
Max users: 256
Current users: 0
DHCP-trigger is Disabled
Handshake is Disabled
Quiet function is Disabled
Parameter set:Handshake Period 15s Reauthen Period 1000s
Client Timeout 30s Server Timeout 120s
Quiet Period 120s Quiet-times 3

Wlan-Ess0 status: DOWN 802.1x protocol is Enabled


Port control type is Auto
Authentication method is MAC-based
Reauthentication is disabled
Maximum users: 256
Guest VLAN 10 is not effective
Restrict VLAN is disabled

----End

Configuration Files
# Configuration file of the Router
#
vlan batch 10
#
dot1x enable
#
radius-server template rd1
radius-server shared-key cipher %$%$lrWRXXUmJ/5W\uBqID/6EULC%$%$
radius-server authentication 192.168.2.30 1812
radius-server retransmit 2
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1

#
interface Wlan-Ess0
dot1x-authentication enable
dot1x authentication-method eap
dot1x guest-vlan 10

3.6.2 Example for Configuring MAC Address Authentication

Networking Requirements
As shown in Figure 3-12, a large number of user terminals in a company connect to the Internet through a wireless medium. The administrator needs to control the network access rights of user terminals to ensure network security. The Router allows user terminals to access Internet resources only after they are authenticated. The company requires that user terminals do not need to install dial-in software for access authentication.

Figure 3-12 Networking diagram for configuring MAC address authentication


[Figure 3-12: Update Server (VLAN 10) and RADIUS Server (192.168.2.30), LAN Switch, Router, AP, Internet]

Configuration Roadmap
To control the network access rights of user terminals to the Internet and allow them to be authenticated without installing dial-in software, the administrator can configure MAC address authentication on the Router, using the server at 192.168.2.30 as the RADIUS server.
The configuration roadmap is as follows (configured on the Router):
1. Create and configure a RADIUS server template, an AAA scheme, and an ISP domain;
bind the RADIUS server template and the AAA scheme to the ISP domain. The Router can
then exchange information with the RADIUS server.
2. Configure MAC address authentication.
NOTE

This example provides only the configuration procedure used when the device functions as an AC, and the
configuration procedure used when the device functions as a fat AP is not provided here.

Procedure
Step 1 Create and configure a RADIUS server template, an AAA scheme, and an ISP domain.
# Create and configure RADIUS server template rd1.
[Huawei] radius-server template rd1
[Huawei-radius-rd1] radius-server authentication 192.168.2.30 1812
[Huawei-radius-rd1] radius-server shared-key cipher hello
[Huawei-radius-rd1] radius-server retransmit 2
[Huawei-radius-rd1] quit

# Create AAA scheme abc and set the authentication mode to RADIUS.
[Huawei] aaa
[Huawei-aaa] authentication-scheme abc
[Huawei-aaa-authen-abc] authentication-mode radius
[Huawei-aaa-authen-abc] quit

# Create ISP domain isp1, and bind AAA scheme abc and RADIUS server template rd1 to ISP
domain isp1.

[Huawei-aaa] domain isp1


[Huawei-aaa-domain-isp1] authentication-scheme abc
[Huawei-aaa-domain-isp1] radius-server rd1
[Huawei-aaa-domain-isp1] quit
[Huawei-aaa] quit

Step 2 Configure MAC address authentication.


# Enable MAC address authentication globally.
[Huawei] mac-authen

# Create a WLAN-ESS interface 0 and enable MAC address authentication on the interface.
[Huawei] interface wlan-ess 0
[Huawei-Wlan-Ess0] mac-authentication enable

Step 3 View MAC address authentication.


[Huawei] display mac-authen
MAC address authentication is Enabled.
Username format: use MAC address without-hyphen as username
Quiet period is 60s
Offline detect period is 300s
Server response timeout value is 30s
Reauthenticate period is 60s
Guest user reauthenticate period is 180s
Maximum users: 256
Current users: 0
Global domain is not configured

Wlan-Ess1 state: UP. MAC address authentication is enabled
Maximum users: 256

----End

Configuration Files
# Configuration file of the Router
#
mac-authen
#
radius-server template rd1
radius-server shared-key cipher %$%$lrWRXXUmJ/5W\uBqID/6EULC%$%$
radius-server authentication 192.168.2.30 1812
radius-server retransmit 2
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1

#
interface Wlan-Ess0
mac-authentication enable

3.6.3 Example for Configuring Portal Authentication


Networking Requirements
As shown in Figure 3-13, a large number of user terminals in a company connect to the Internet
through a wireless medium. The administrator needs to control network access rights of user
terminals to ensure network security. The Router allows user terminals to access Internet
resources only after they are authenticated.

Figure 3-13 Networking diagram for configuring Portal authentication
(Figure not reproduced. Labels shown: Portal Server 192.168.3.20, RADIUS Server 192.168.2.30, Internet, LAN Switch, Router, AP.)

Configuration Roadmap
To control network access rights of user terminals to the Internet, the administrator can configure
Portal authentication on the Router, using the server with the IP address 192.168.2.30 as the
RADIUS server and the server with the IP address 192.168.3.20 as the Portal server.

The configuration roadmap is as follows (configured on the Router):

1. Create and configure a RADIUS server template, an AAA scheme, and an ISP domain.
Bind the RADIUS server template and the AAA scheme to the ISP domain. The Router
can then exchange information with the RADIUS server.
2. Configure Portal authentication.
a. Create and configure a Portal server template to ensure normal information exchange
between the device and the Portal server.
b. Enable Portal authentication to authenticate access users.
c. Configure a shared key that the device uses to exchange information with the Portal
server to improve communication security.
d. Configure the maximum number of concurrent Portal authentication users to prevent
excessive concurrent users.
e. Configure the offline detection period for Portal authentication users to ensure that
the device deletes the information of offline users.
NOTE

This example provides only the configuration procedure used when the device functions as an AC, and the
configuration procedure used when the device functions as a fat AP is not provided here.

Procedure
Step 1 Create and configure a RADIUS server template, an AAA scheme, and an ISP domain.

# Create and configure RADIUS server template rd1.
[Huawei] radius-server template rd1
[Huawei-radius-rd1] radius-server authentication 192.168.2.30 1812
[Huawei-radius-rd1] radius-server shared-key cipher hello
[Huawei-radius-rd1] radius-server retransmit 2
[Huawei-radius-rd1] quit

# Create AAA scheme abc and set the authentication mode to RADIUS.
[Huawei] aaa
[Huawei-aaa] authentication-scheme abc
[Huawei-aaa-authen-abc] authentication-mode radius
[Huawei-aaa-authen-abc] quit

# Create ISP domain isp1, and bind AAA scheme abc and RADIUS server template rd1 to ISP
domain isp1.
[Huawei-aaa] domain isp1
[Huawei-aaa-domain-isp1] authentication-scheme abc
[Huawei-aaa-domain-isp1] radius-server rd1
[Huawei-aaa-domain-isp1] quit
[Huawei-aaa] quit

Step 2 Configure Portal authentication.


# Create and configure Portal server template abc.
[Huawei] web-auth-server abc
[Huawei-web-auth-server-abc] server-ip 192.168.3.20
[Huawei-web-auth-server-abc] quit

# Enable Portal authentication.


[Huawei] interface wlan-ess 0
[Huawei-Wlan-Ess0] web-authentication enable
[Huawei-Wlan-Ess0] quit

# Set the shared key in cipher text to 12345.


[Huawei] web-auth-server abc
[Huawei-web-auth-server-abc] shared-key cipher 12345
[Huawei-web-auth-server-abc] quit

# Set the maximum number of concurrent Portal users to 100.


[Huawei] portal max-user 100

# Set the user offline detection period to 500s.


[Huawei] portal timer offline-detect 500

Step 3 Verify the configuration.
# Run the display portal command to view Portal parameters set in the system view.
<Huawei> display portal
Portal timer offline-detect length:500
Portal max-user number:100

# Run the display web-auth-server configuration command to check the configuration of the
Portal authentication server.
<Huawei> display web-auth-server configuration
Listening port : 2000
Portal : version 1, version 2
Include reply message : enabled
------------------------------------------------------------------------
Web-auth-server Name : abc
IP-address : 192.168.3.20
Shared-key : %$%$qqZ$ZM:$i&]T9sF7KE~Xi%yp%$%$
Source-IP : -
Port / PortFlag : 50100 / NO
URL :
Redirection : Enable
Sync : Disable
Sync Seconds : 300
Sync Max-times : 3
Detect : Disable
Detect Seconds : 60
Detect Max-times : 3
Detect Critical-num : 0
Detect Action :
Bound Vlanif :
VPN Instance :
Bound WAN Interface :

------------------------------------------------------------------------
1 Web authentication server(s) in total

----End

Configuration Files
# Configuration file of the Router
#
portal max-user 100
portal timer offline-detect 500
#
web-auth-server abc
server-ip 192.168.3.20
port 50100
shared-key cipher %$%$9|vQ3(`Js#[:m\+~xK:W7cZQ%$%$
#
radius-server template rd1
radius-server shared-key cipher %$%$lrWRXXUmJ/5W\uBqID/6EULC%$%$
radius-server authentication 192.168.2.30 1812
radius-server retransmit 2
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface Wlan-Ess0
web-authentication enable
#
return

3.7 References
The following table lists the references of this document.

Document: RFC3748
Description: Extensible Authentication Protocol (EAP)
Remarks: -

Document: Portal 2.0
Description: Portal protocol standard for Huawei broadband products (V2.01)
Remarks: -

4 ACL Configuration

About This Chapter

An access control list (ACL) is a set of rules that classify packets into different types. This chapter
explains how to configure an ACL on a Router to filter packets.

Context
The 4GE-2S board does not support ACL.

4.1 Overview
This section describes the definition and functions of ACL.

4.2 Principles
This section describes the implementation of ACL.

4.3 Applications
This section describes the applicable scenario of ACL.

4.4 Default Configuration
This section describes the default ACL configurations.

4.5 Configuring ACL
This section describes the procedures for configuring ACL.

4.6 Maintaining an ACL
This section describes how to maintain an ACL.

4.7 Configuration Examples
This section provides several configuration examples of ACLs.

4.8 FAQ

4.9 References
This section lists references of ACL.

4.1 Overview
This section describes the definition and functions of ACL.

Definition
An Access Control List (ACL) is composed of a list of rules. ACL rules classify packets so that
the device processes classified packets in different manners.

Purpose
Devices need to communicate with each other over stable networks with reliable data transmission.
ACLs help meet this need. For example, they can be used to:

l Defend against various network attacks, such as Internet Protocol (IP), Transmission
Control Protocol (TCP), and Internet Control Message Protocol (ICMP) packet attacks.
l Control network access. For example, control the access of enterprise network users to
external networks, the specific network resources that users can access, and the time ranges
in which users can access networks.
l Limit network traffic and improve network performance. For example, limit bandwidth for
upstream and downstream traffic, charge for the bandwidth that users have applied for, and
make full use of high-bandwidth network resources.

ACLs address the preceding requirements and help ensure stable and reliable network
transmission.

4.2 Principles
This section describes the implementation of ACL.

4.2.1 Principles of ACLs


An ACL manages all configured rules and provides the matching algorithm for packets.

ACL Rule Management


An ACL can contain multiple rules. A rule is identified by a rule ID, which can be set by a user
or automatically generated based on the ACL step. All rules in an ACL are arranged in ascending
order of rule IDs.

There is an ACL step between rule IDs. For example, if an ACL step is set to 5, rules are numbered
5, 10, 15, and so on. If an ACL step is set to 2 and rule IDs are configured to be automatically
generated, the system automatically generates rule IDs starting from 2. The step makes it possible
to add a new rule between existing rules.

ACL Rule Matching


When a packet reaches a device, the search engine retrieves information from the packet to
constitute the key value and matches it with ACL rules. Once a matching rule is found, the system
stops matching. If no rule matches the packet, the system does not process the packet.

ACL rules can be classified into permit rules and deny rules.

In summary, the ACL classifies packets into the following types:


l Packets matching permit rules.
l Packets matching deny rules.
l Packets that do not match rules.

Different features have different manners to process the three types of packets. For details, see
feature manuals.

4.2.2 ACL Classification


ACLs can be classified into different types according to different rules.

l ACLs can be classified into numbered ACLs and named ACLs according to the ACL
naming mode.
A numbered ACL is identified by a number.
NOTE
The number identifies the ACL. For example, an ACL numbered from 2000 to 2999 is a basic
ACL, and an ACL numbered from 3000 to 3999 is an advanced ACL.
A named ACL is identified by a name.
l Table 4-1 lists the ACL classification.

Table 4-1 ACL classification

Category: Basic ACL
IP Version: IPv4
Function: A basic ACL matches packets only based on the source IP address, VPN instance, fragment flag, and time range.
Note: A basic IPv4 ACL is also called a basic ACL. Basic ACLs are numbered from 2000 to 2999.

Category: Advanced ACL
IP Version: IPv4
Function: An advanced ACL matches packets based on the source IPv4 address, destination IPv4 address, IP precedence, Type of Service (ToS), DiffServ Code Point (DSCP) priority, IP protocol type, Internet Control Message Protocol (ICMP) type, TCP source/destination port, and User Datagram Protocol (UDP) source/destination port.
Note: An advanced IPv4 ACL is also called an advanced ACL. Advanced ACLs are numbered from 3000 to 3999.

Category: Layer 2 ACL
IP Version: IPv4&IPv6
Function: A Layer 2 ACL matches packets based on Layer 2 information in packets, such as source and destination Media Access Control (MAC) addresses, and Layer 2 protocol types.
Note: The number of a Layer 2 ACL ranges from 4000 to 4999.

Category: Basic ACL6
IP Version: IPv6
Function: A basic ACL6 matches packets based on the source IP address, fragmentation flag, and time range.
Note: A basic IPv6 ACL is also called a basic ACL6. Basic ACL6 numbers range from 2000 to 2999.

Category: Advanced ACL6
IP Version: IPv6
Function: An advanced ACL6 matches packets based on the source IP address and destination IP address of data packets, protocol type supported by IP, features of the protocol such as the source port number and destination port number, ICMPv6 protocol, and ICMPv6 code.
Note: An advanced IPv6 ACL is also called an advanced ACL6. Advanced ACL6 numbers range from 3000 to 3999.

NOTE

A basic ACL and a basic ACL6 can use the same number, and an advanced ACL and an advanced
ACL6 can use the same number.

4.2.3 ACL Naming


You can specify a unique name for an ACL. Each ACL has only one name. A named ACL is
identified by its name, which can be used to reference the ACL.

You can choose whether to specify a name when an ACL is created. After the ACL is created,
you cannot modify or delete the ACL name, or assign a name to an unnamed ACL.

You can configure a number for a named ACL. If no ACL number is specified for a named ACL,
the system allocates an ACL number to the named ACL.

NOTE

A basic ACL and a basic ACL6 or an advanced ACL and an advanced ACL6 can use the same number.

4.2.4 Step of an ACL

Definition
The step is the difference between rule IDs when the system automatically assigns rule IDs. For
example, if the step is set to 5, the rule IDs are multiples of 5 (beginning with 5), such as 5, 10,
and 15.

l If the step value is changed, ACL rule IDs are renumbered automatically. For example, the
original rule IDs 5, 10, 15, and 20 become 2, 4, 6, and 8 if you change the ACL step to 2.
l When the step is restored to the default value, the device renumbers ACL rule IDs using the
default step. For example, ACL 3001 contains four rules with IDs 2, 4, 6, and 8, and the step
is 2. After the step is restored to the default value, the rule IDs become 5, 10, 15, and 20 and
the step is 5.

Function
The step makes it possible to insert a new rule between existing rules and so adjust the matching
order of ACL rules. For example, an ACL contains rules 5, 10, 15, and 20. To insert a new rule
directly after rule 5 (the first rule), run the rule command with the ID 7, which places the new
rule between rule 5 and rule 10.

In addition, you do not need to specify a rule ID for an ACL rule. In this case, the system allocates
the rule ID by adding one step to the current maximum ID. For example, if the current maximum
rule ID is 25 and the step is 5, the system allocates the rule ID 30 to the new rule.

NOTE

ACL6 does not support step setting, and the default step value is 1, but you can configure rule IDs for ACL6
rules.
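
The rule-ID behaviour described in this section (automatic numbering at multiples of the step, renumbering when the step changes or is restored, inserting a rule between two existing ones) as an added Python model; it is an illustration written for this guide, not Huawei device code, and the class and function names are hypothetical.

```python
# Added illustration (not Huawei device code): a model of how ACL rule IDs are
# allocated and renumbered from the step, following the behaviour described in
# sections 4.2.1 and 4.2.4. Rules are stored as plain strings; the ACL number itself
# is not modelled.
from typing import Dict, List, Optional

DEFAULT_STEP = 5


class AclRuleTable:
    """Rules of one ACL, kept in ascending order of rule ID (the configuration order)."""

    def __init__(self, step: int = DEFAULT_STEP) -> None:
        if step < 1:
            raise ValueError("step must be a positive integer")
        self.step = step
        self.rules: Dict[int, str] = {}

    def rule_ids(self) -> List[int]:
        """Rule IDs in the order the device walks them under the configuration order."""
        return sorted(self.rules)

    def add_rule(self, text: str, rule_id: Optional[int] = None) -> int:
        """Add a rule and return its ID.

        With an explicit rule_id the rule lands at that position, which is how a
        rule 7 is placed between rules 5 and 10. Without one, the rule gets the next
        multiple of the step above the current maximum ID: the first rule gets the
        step itself, 25 with step 5 is followed by 30, and a manually numbered
        rule 7 with step 5 is followed by 10.
        """
        if rule_id is None:
            current_max = max(self.rules, default=0)
            rule_id = (current_max // self.step + 1) * self.step
        elif rule_id < 1:
            raise ValueError("rule IDs start at 1")
        elif rule_id in self.rules:
            # The guide's advice for changing a rule: delete the old one first.
            raise ValueError(f"rule {rule_id} already exists; delete it before redefining it")
        self.rules[rule_id] = text
        return rule_id

    def delete_rule(self, rule_id: int) -> None:
        del self.rules[rule_id]

    def set_step(self, step: int) -> None:
        """Change the step; existing rules are renumbered step, 2*step, ... in their current order."""
        if step < 1:
            raise ValueError("step must be a positive integer")
        ordered = [self.rules[i] for i in sorted(self.rules)]
        self.step = step
        self.rules = {step * (pos + 1): text for pos, text in enumerate(ordered)}

    def restore_default_step(self) -> None:
        """Restore the default step of 5 and renumber, as described in 4.2.4."""
        self.set_step(DEFAULT_STEP)


def walk_through_guide_examples() -> dict:
    """Replay the numeric examples of 4.2.4 and return the intermediate ID lists."""
    result = {}
    acl = AclRuleTable()
    for text in ("permit source 10.1.1.0 0.0.0.255", "deny source 10.1.0.0 0.0.255.255",
                 "permit source 10.2.0.0 0.0.255.255", "deny source any"):
        acl.add_rule(text)                        # constructed sample rules
    result["initial"] = acl.rule_ids()            # [5, 10, 15, 20]

    acl.set_step(2)
    result["after_step_2"] = acl.rule_ids()       # [2, 4, 6, 8]

    acl.restore_default_step()
    result["after_restore"] = acl.rule_ids()      # [5, 10, 15, 20]

    acl.add_rule("permit source 10.1.1.7 0", rule_id=7)
    result["after_insert_7"] = acl.rule_ids()     # [5, 7, 10, 15, 20]

    # Automatic numbering after a manual rule 7: next multiple of 5 above 7 is 10.
    only_seven = AclRuleTable()
    only_seven.add_rule("permit source any", rule_id=7)
    result["auto_after_7"] = only_seven.add_rule("deny source any")   # 10

    # Maximum ID 25 with step 5: the next automatic rule gets 30.
    up_to_25 = AclRuleTable()
    for _ in range(5):
        up_to_25.add_rule("permit source any")
    result["auto_after_25"] = up_to_25.add_rule("deny source any")    # 30
    return result
```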

4.2.5 Matching Order of ACL Rules


An ACL is composed of a list of rules. Each rule contains a permit or deny clause. These rules
may overlap or conflict. One rule can contain another rule, but the two rules must be different.

The device supports two types of matching order: configuration order and automatic order. The
matching order determines the priorities of the rules in an ACL. Rule priorities resolve the
conflict between overlapping rules.

Configuration Order
The configuration order indicates that ACL rules are matched in ascending order of rule IDs.
The rule with the smallest rule ID is matched first. The configuration order is used by default.

Automatic Order
The automatic order follows the depth first principle.

ACL rules are arranged by precision. The more conditions a rule specifies (such as the protocol
type, source IP address range, or destination IP address range) and the stricter those conditions
are, the more precise the rule. For example, an ACL rule can be configured with an IP address
wildcard: a smaller wildcard (one with more 0 bits) identifies a narrower network segment and
therefore makes the rule stricter.

If ACL rules have the same priority according to the depth first principle, they are matched in
ascending order of rule IDs.

NOTE

Like an inverse mask, a wildcard mask is written in dotted decimal notation. In the binary form of
a wildcard mask, a 0 bit means that the corresponding bit of the IP address must match, and a 1 bit
means that the corresponding bit is ignored. The 0 and 1 bits in a wildcard mask need not be
contiguous. For example, if the IP address is 192.168.1.169 and the wildcard mask is 0.0.0.172,
the matched addresses are 192.168.1.x0x0xx01, where each x can be 0 or 1.

Table 4-2 lists the matching rules according to the depth first principle.

Table 4-2 Depth first principle

ACL Type: Basic ACL and basic ACL6
Matching rules:
1. The rule that defines a VPN instance is matched first.
2. The rule that defines the smallest source IP address range is matched first. The wildcard mask with the most 0 bits identifies the smallest source IP address range.
3. If the source IP address ranges are the same, the rule with the smallest ID is matched first.

ACL Type: Advanced ACL and advanced ACL6
Matching rules:
1. The rule that defines a VPN instance is matched first.
2. The rule that defines a protocol type is matched first.
3. If the protocol types are the same, the rule that defines the smallest source IP address range is matched first. The wildcard mask with the most 0 bits identifies the smallest source IP address range.
4. If the protocol types and source IP address ranges are the same, the rule that defines the smallest destination IP address range is matched first. The wildcard mask with the most 0 bits identifies the smallest destination IP address range.
5. If the protocol types, source IP address ranges, and destination IP address ranges are the same, the rule that defines the smallest Layer 4 port number (TCP/UDP port number) range is matched first.
6. If the preceding ranges are all the same, the rule with the smallest ID is matched first.

ACL Type: Layer 2 ACL
Matching rules:
1. The rule with the largest protocol type wildcard (with the most "1"s in the wildcard mask) is matched first.
2. The rule that defines the smallest source MAC address range is matched first. The wildcard mask with the most 1 bits identifies the smallest source MAC address range.
3. If the source MAC address ranges are the same, the rule that defines the smallest destination MAC address range is matched first. The wildcard mask with the most 1 bits identifies the smallest destination MAC address range.
4. If the source and destination MAC address ranges are the same, the rule with the smallest ID is matched first.
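
Wildcard matching and the two matching orders for basic ACL rules, as an added Python example written for this guide (not Huawei device code): it reproduces the 192.168.1.169 / 0.0.0.172 example from the NOTE, applies the basic-ACL rows of Table 4-2 including the VPN-instance and source-any cases, and shows that the same packet can be denied under the configuration order and permitted under the automatic order. The rule syntax modelled on the rule command and all sample rules are constructed here; the function names are hypothetical.

```python
# Added illustration (not Huawei device code): wildcard-mask matching for basic ACL
# rules and the configuration/automatic matching orders of section 4.2.5.
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


def ipv4_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(packet_addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard bit 0 = this address bit must match, 1 = ignored; bits may be discontinuous."""
    care_bits = ~ipv4_int(wildcard) & 0xFFFFFFFF
    return (ipv4_int(packet_addr) & care_bits) == (ipv4_int(rule_addr) & care_bits)


def wildcard_pattern(rule_addr: str, wildcard: str) -> str:
    """Render the matched address set the way the guide's NOTE does, e.g. 192.168.1.x0x0xx01."""
    octets = []
    for a, w in zip(rule_addr.split("."), wildcard.split(".")):
        a_int, w_int = int(a), int(w)
        if w_int == 0:
            octets.append(a)          # fully fixed octet: keep it in decimal
            continue
        bits = ""
        for shift in range(7, -1, -1):
            bits += "x" if (w_int >> shift) & 1 else str((a_int >> shift) & 1)
        octets.append(bits)
    return ".".join(octets)


def zero_bits(wildcard: str) -> int:
    """More 0 bits in the wildcard = a smaller source range = a more precise rule."""
    return 32 - bin(ipv4_int(wildcard)).count("1")


@dataclass(frozen=True)
class BasicRule:
    rule_id: int
    action: str                       # "permit" or "deny"
    source: Optional[str] = None      # None stands for 'source any'
    wildcard: str = "0.0.0.0"
    vpn_instance: Optional[str] = None

    def matches(self, src_ip: str, vpn: Optional[str] = None) -> bool:
        if self.vpn_instance is not None and self.vpn_instance != vpn:
            return False
        if self.source is None:
            return True
        return wildcard_match(src_ip, self.source, self.wildcard)


def depth_first_key(rule: BasicRule) -> Tuple[int, int, int]:
    """Sort key for the basic-ACL rows of Table 4-2: VPN-instance rules first, then the
    most wildcard 0 bits (narrowest source range), then the smallest rule ID.
    'source any' is treated like wildcard 255.255.255.255, i.e. no care bits."""
    precision = zero_bits(rule.wildcard) if rule.source is not None else 0
    return (0 if rule.vpn_instance is not None else 1, -precision, rule.rule_id)


def first_match(rules: Iterable[BasicRule], src_ip: str,
                match_order: str = "config", vpn: Optional[str] = None) -> Optional[BasicRule]:
    """Return the first rule hit, or None when nothing matches (the referencing feature
    then applies its own default handling). The device default is the configuration order."""
    if match_order == "config":
        ordered = sorted(rules, key=lambda r: r.rule_id)
    elif match_order == "auto":
        ordered = sorted(rules, key=depth_first_key)
    else:
        raise ValueError("match_order must be 'config' or 'auto'")
    for rule in ordered:
        if rule.matches(src_ip, vpn):
            return rule
    return None


# Constructed sample: a broad deny with a lower ID, a narrow permit with a higher ID,
# and a catch-all permit. Under 'config' the deny shadows the permit; under 'auto'
# the narrower permit is evaluated first.
SAMPLE_RULES: List[BasicRule] = [
    BasicRule(5, "deny", "10.1.0.0", "0.0.255.255"),
    BasicRule(10, "permit", "10.1.1.0", "0.0.0.255"),
    BasicRule(15, "permit"),                      # source any
]


def decision(src_ip: str, match_order: str) -> str:
    """Action taken on a packet from src_ip against SAMPLE_RULES under the given order."""
    hit = first_match(SAMPLE_RULES, src_ip, match_order)
    return hit.action if hit else "no-match"
```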

4.2.6 Packet Fragmentation Supported by ACLs


The Router can filter fragmented packets. It can match all Layer 3 IP packets with Layer 3
filtering rules.

An ACL rule can be configured as valid for all the packets, all fragmented packets, or only non-
initial fragmented packets.

When attackers construct fragmented packets to attack the network, you can configure an ACL
rule that matches only non-initial fragments. The device then processes non-initial fragments
to defend against fragment attacks without filtering non-fragmented packets, so that normal
services are not affected.

4.2.7 Time Range of an ACL


A time range specifies a period of time. In practice, some ACL rules need to be valid only
during a certain period and invalid outside it, that is, the ACL rules filter packets based on the
time range. For example, if staff members are prohibited from browsing entertainment websites
during business hours but are allowed to visit them outside business hours, a time range must be
defined for the ACL to enforce these conditions. To implement this function, configure one or
more time ranges and reference them using commands.

If no time range referenced by the rule is configured, the rule does not take effect until the
referenced time range is specified and the system time is within the specified time range.

4.2.8 IPv6 ACL


IPv6 ACL classifies IPv6 packets based on configured rules. The implementation of IPv6 ACL
is the same as that of ACL.

IPv6 ACL can also be called ACL6.

ACL6 Classification
ACL6 can be classified into the following types:

Category: Basic ACL6
Number Range: 2000 to 2999
Usage Scenario: A basic ACL6 filters packets based only on the source IPv6 address, Virtual Private Network (VPN) instance, fragment flag, and time range.

Category: Advanced ACL6
Number Range: 3000 to 3999
Usage Scenario: An advanced ACL6 filters packets based on the source IPv6 address and destination IPv6 address of data packets, protocol type supported by IPv6, features of the protocol such as the source port number and destination port number, ICMPv6 protocol, and ICMPv6 Code.

NOTE

An ACL6 and an ACL can use the same number because their commands are different.

4.3 Applications
This section describes the applicable scenario of ACL.

4.3.1 Applying ACLs to Route Filtering


ACLs can be applied to various dynamic routing protocols to filter advertised and received
routes.

Enterprise users can access the Internet using the Router. Some users such as R&D staff members
are prohibited from accessing the Internet, and some servers such as salary query servers reject
external access to ensure information security. To meet the preceding requirements, define ACL
rules on the Router connected to the Internet to filter packets.

Figure 4-1 Applying ACLs to route filtering
(Figure not reproduced. Labels shown: RouterA, RouterB (Department 1), RouterC (Department 2), Internet, OSPF, 172.1.17.0/24, 172.1.18.0/24, 172.1.19.0/24.)

As shown in Figure 4-1, Router A connects the intranet running Open Shortest Path First (OSPF)
to the Internet. ACLs are defined on Router A and applied to OSPF to control route advertisement
and receiving.

l Router A provides routes 172.1.17.0/24, 172.1.18.0/24, and 172.1.19.0/24 for Router B.
l Router C receives only the route 172.1.18.0/24.

4.3.2 Applying ACLs to QoS


As shown in Figure 4-2, NetworkA and NetworkB connect to NetworkC using the Router, all
having different requirements for voice, video, and data services. For example, NetworkA has
high requirements for video services. To ensure quality of video services on NetworkA,
configure an ACL on the Router and reference the ACL in a traffic policy so that all the packets
sent to NetworkA are processed by the Router before being forwarded. Packets from other
networks are forwarded without Quality of Service (QoS) guarantee because no ACL is matched.

Figure 4-2 Applying ACLs to QoS
(Figure not reproduced. Labels shown: NetworkA, NetworkB, NetworkC, Router; legend: packets sent to NetworkA, QoS-guaranteed packets, non-QoS-guaranteed packets.)

4.3.3 Applying ACLs to the Firewall


The firewall is deployed between the internal and external networks to prevent the external
network from attacking the internal network and protect the mainframes and key resources such
as data on internal networks.

Figure 4-3 Applying ACLs to the firewall
(Figure not reproduced. Labels shown: External network, Internal network, PC A, PC B, Router, Data center; legend: allowed access, rejected access.)

As shown in Figure 4-3, only PC A is allowed to access the data center on the internal network.
You can deploy an ACL and configure the firewall on the Router to meet this requirement.

4.3.4 Applying ACLs to IPSec


Communicating parties encrypt data and authenticate the data source by using IPSec on an IP
network to ensure confidentiality, integrity, authenticity, and anti-replay. An IPSec tunnel is
established between the two devices connecting two networks, whereas users on the LANs have
different security requirements. Configure an ACL on the LAN egress device to filter packets
entering the IPSec tunnel so that service packets permitted by the ACL are protected and service
packets denied by the ACL are not.

Figure 4-4 Applying ACLs to IPSec
(Figure not reproduced. Labels shown: Network1, Network2, PC A, PC B, PC C, RouterA, RouterB; legend: packets passing through the IPSec tunnel, packets not passing through the IPSec tunnel.)

As shown in Figure 4-4, Router A and Router B establish an IPSec tunnel. Configure an ACL
on Router A to permit all packets from PC A to pass through and reference the ACL in the IPSec
policy so that all packets from PC A are forwarded through the IPSec tunnel. All packets from
PC B are forwarded directly because no ACL is matched.

4.4 Default Configuration


This section describes the default ACL configurations.

Table 4-3 describes default configurations of the ACL.

Table 4-3 Default ACL configuration

Parameter: Step
Default Value: 5

Parameter: Matching order
Default Value: Configuration order

4.5 Configuring ACL


This section describes the procedures for configuring ACL.

4.5.1 Configuring a Basic ACL


A basic ACL classifies IPv4 packets based on information such as source IP addresses.

4.5.1.1 (Optional) Configuring the Validity Time Range of a Rule

Context
Some services or functions are restricted to a specified period of time; for example, Quality
of Service (QoS) is started only during peak hours. You can create a time range and reference
it in an ACL applied to these services or functions so that the ACL takes effect only within the
time range. The services or functions that reference the ACL are then also active only in the
specified time range.

NOTICE
Deleting a validity time range may make the ACL rules that reference it invalid. Therefore, use
this command with caution.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
time-range time-name { start-time to end-time { days } &<1-7> | from time1 date1
[ to time2 date2 ] }

A time range is created.


To configure multiple time ranges with the same name on the Router, run the preceding command
with the same value of time-name repeatedly.

NOTE

If multiple time ranges are configured using the same time-name value, the system takes the union of periodic
time ranges and the union of absolute time ranges, and then takes the intersection of the two unions as the final
time range. In this example, the name test is used to configure the following time ranges:
l Time range 1: 01.01.2010 00:00 to 31.12.2010 23:59 (absolute time range)
l Time range 2: 8:00 to 18:00 from Monday to Friday (periodic time range)
l Time range 3: 14:00 to 18:00 on Saturday and Sunday (periodic time range)
The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in 2010.
You are advised to configure the Network Time Protocol (NTP) to ensure that devices on the network use the
same system time. For the NTP configuration, see Configuring Basic NTP Functions in the Huawei
AR150&200&1200&2200&3200 Series Enterprise Routers Configuration Guide - Network Management.

----End
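
The combination rule from the NOTE in Step 2 (union of the periodic entries, union of the absolute entries, then the intersection of the two unions) and the behaviour of a rule whose time-name is not configured (4.2.7), as an added Python model written for this guide rather than Huawei device code. It replays the three entries named test from the NOTE; the class and function names are hypothetical, and treating the start and end minutes as inclusive is an assumption.

```python
# Added illustration (not Huawei device code): how several time-range entries that
# share one time-name combine, and how a rule that references a time range behaves.
# Assumption: range boundaries are inclusive to the minute.
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List

WEEKDAYS = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}


@dataclass(frozen=True)
class Periodic:
    """start-time to end-time on the given days, e.g. 8:00 to 18:00 Mon-Fri."""
    start: time
    end: time
    days: FrozenSet[int]           # datetime.weekday() numbers, Monday = 0

    def contains(self, at: datetime) -> bool:
        return at.weekday() in self.days and self.start <= at.time() <= self.end


@dataclass(frozen=True)
class Absolute:
    """from time1 date1 to time2 date2, e.g. 00:00 01.01.2010 to 23:59 31.12.2010."""
    start: datetime
    end: datetime

    def contains(self, at: datetime) -> bool:
        return self.start <= at <= self.end


class TimeRange:
    """All entries configured under one time-name."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.periodic: List[Periodic] = []
        self.absolute: List[Absolute] = []

    def add(self, entry) -> "TimeRange":
        (self.periodic if isinstance(entry, Periodic) else self.absolute).append(entry)
        return self

    def is_active(self, at: datetime) -> bool:
        # Union within each kind, intersection across the two kinds. A kind with no
        # entries places no restriction (assumption for names that use only one kind).
        periodic_ok = not self.periodic or any(p.contains(at) for p in self.periodic)
        absolute_ok = not self.absolute or any(a.contains(at) for a in self.absolute)
        return periodic_ok and absolute_ok


def rule_in_effect(time_ranges: Dict[str, TimeRange], time_name: str, at: datetime) -> bool:
    """A rule that references a time-name which is not configured does not take effect."""
    tr = time_ranges.get(time_name)
    return tr is not None and tr.is_active(at)


def build_test_range() -> TimeRange:
    """The three entries the guide configures under the name 'test'."""
    weekdays = frozenset(WEEKDAYS[d] for d in ("Mon", "Tue", "Wed", "Thu", "Fri"))
    weekend = frozenset({WEEKDAYS["Sat"], WEEKDAYS["Sun"]})
    return (TimeRange("test")
            .add(Absolute(datetime(2010, 1, 1, 0, 0), datetime(2010, 12, 31, 23, 59)))
            .add(Periodic(time(8, 0), time(18, 0), weekdays))
            .add(Periodic(time(14, 0), time(18, 0), weekend)))


def evaluate_samples() -> Dict[str, bool]:
    """Probe the combined range at a few constructed instants."""
    ranges = {"test": build_test_range()}
    probes = {
        "wed_2010_10h": datetime(2010, 6, 16, 10, 0),   # weekday, business hours, in 2010
        "sat_2010_10h": datetime(2010, 6, 19, 10, 0),   # Saturday morning: outside 14:00-18:00
        "sat_2010_15h": datetime(2010, 6, 19, 15, 0),   # Saturday afternoon
        "wed_2011_10h": datetime(2011, 6, 15, 10, 0),   # right weekday and time, but 2011
    }
    results = {k: rule_in_effect(ranges, "test", t) for k, t in probes.items()}
    results["unconfigured_name"] = rule_in_effect(ranges, "missing", probes["wed_2010_10h"])
    return results
```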

4.5.1.2 Creating a Basic ACL

Context
Basic ACLs classify IPv4 packets based on source IP addresses, fragment flags, time ranges,
and VPN instances in the packets.

Before configuring basic ACL rules, you need to create the basic ACL.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]

A numbered basic ACL is created and the basic ACL view is displayed.

Or run:
acl name acl-name { basic | acl-number } [ match-order { auto | config } ]

A named basic ACL is created and the basic ACL view is displayed.

acl-number specifies the number of a basic ACL. The value ranges from 2000 to 2999.

By default, no ACL is created.

Step 3 (Optional) Run:
step step

The ACL step is configured.

By default, the step between ACL rule IDs is 5.

Step 4 (Optional) Run:
description text

The ACL description is configured.

By default, no description is configured for an ACL.

----End

4.5.1.3 Configuring a Basic ACL Rule

Context
A basic ACL classifies packets by matching packet information with its rules. After a basic ACL
is created, configure rules in the basic ACL.

Adding new rules to an ACL does not affect the existing rules. If a new rule conflicts with an
existing rule, the new rule takes effect. To modify an existing rule, delete the old rule and then
create a new rule; otherwise, the configuration result may be incorrect. If different rules are
combined by AND or OR relationships, configure a correct matching order to prevent incorrect
results.

NOTE

When the device receives a packet, it matches the packet with ACL rules one by one based on the matching
order. Once the packet matches a rule, the device stops the matching process and performs the action specified
in the matching rule on the packet.


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]

A numbered basic ACL is created and the basic ACL view is displayed.

Or run:
acl name acl-name { basic | acl-number } [ match-order { auto | config } ]

A named basic ACL is created and the basic ACL view is displayed.

acl-number specifies the number of a basic ACL. The value ranges from 2000 to 2999.

By default, no ACL is created.

Step 3 Run:
rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard |
any } | vpn-instance vpn-instance-name | [ fragment | none-first-fragment ] | time-
range time-name ] *

A basic ACL rule is configured. To configure multiple rules, repeat this step.

NOTE

After the first rule is configured in an ACL, the device uses the step value as the number of this rule if the
rule-id parameter is not specified. If the rule-id parameter is not specified for later rules, the device
numbers each new rule with the smallest multiple of the step that is greater than the last rule ID. For example,
if an ACL includes rule 7 and the step is 5, the system assigns 10 to a new rule without rule-id specified.
When you specify the time-range parameter to reference a time range in the ACL and the specified time-
name does not exist, the ACL does not take effect.

Step 4 (Optional) Run:


rule rule-id description description

The description of a basic ACL rule is configured.

By default, no description is configured for an ACL rule.

The device only supports the description configured for the rules with rule IDs. You are not
allowed to configure the description for a rule that has not been created.

----End

4.5.1.4 Applying the ACL to the Router

Context
An ACL is a set of rules that differentiate packets and determine whether packets are permitted
or denied. The device then processes the permitted packets and discards the denied packets.


Procedure
l Apply the ACL.

ACLs can be applied to many features. For example, to process different types of traffic,
you can use basic ACLs, advanced ACLs, Layer 2 ACLs, basic ACL6s, or advanced ACL6s
to perform traffic policing, traffic shaping, or traffic classification on the traffic that matches
the ACL rules.

NOTE

ACLs can be applied to different services, and devices running these services process the classified packets
according to service requirements. For details about the services referencing ACLs, see the configuration
guide.

----End

4.5.1.5 Checking the Configuration

Procedure
l Run the display acl { acl-number | name acl-name | all } command to view the
configuration about a specific ACL or all ACLs.
l Run the display time-range { all | time-name } command to view information about the
time range.

----End

4.5.2 Configuring an Advanced ACL


Advanced ACLs classify IPv4 packets based on information such as source and destination IP
addresses, source and destination port numbers, packet priorities, and time ranges.

4.5.2.1 (Optional) Configuring the Validity Time Range of a Rule

Context
Some services or functions are restricted within a specified period of time, for example, Quality
of Service (QoS) is started only during peak hours. You can create a time range and reference
the time range in an ACL applied to these services or functions so that the ACL takes effect only
in the time range. The services or functions that reference the ACL are also started in the specified
time range.

NOTICE
Deleting a time range that ACL rules reference may invalidate those ACLs. Therefore, delete time
ranges with caution.

Procedure
Step 1 Run:


system-view

The system view is displayed.

Step 2 Run:
time-range time-name { start-time to end-time { days } &<1-7> | from time1 date1
[ to time2 date2 ] }

A time range is created.

To configure multiple time ranges with the same name on the Router, run the preceding command
with the same value of time-name repeatedly.

NOTE

If multiple time ranges are configured using the same time-name value, the system takes the union of periodic
time ranges and the union of absolute time ranges, and then takes the intersection of the two unions as the final
time range. In this example, the name test is used to configure the following time ranges:
l Time range 1: 01.01.2010 00:00 to 31.12.2010 23:59 (absolute time range)
l Time range 2: 8:00 to 18:00 from Monday to Friday (periodic time range)
l Time range 3: 14:00 to 18:00 on Saturday and Sunday (periodic time range)
The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in 2010.
You are advised to configure the Network Time Protocol (NTP) to ensure that devices on the network use the
same system time. For the NTP configuration, see Configuring Basic NTP Functions in the Huawei
AR150&200&1200&2200&3200 Series Enterprise Routers Configuration Guide - Network Management.

----End

4.5.2.2 Creating an Advanced ACL

Context
Advanced ACLs classify IPv4 packets based on the source IP address, destination IP address,
IP precedence, Type of Service (ToS), DiffServ Code Point (DSCP) priority, IP protocol type,
Internet Control Message Protocol (ICMP) type, TCP source/destination port number, and User
Datagram Protocol (UDP) source/destination port.

Before configuring an advanced ACL, you need to create an advanced ACL.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]

A numbered advanced ACL is created and the advanced ACL view is displayed.

Or run:
acl name acl-name { advance | acl-number } [ match-order { auto | config } ]

A named advanced ACL is created and the advanced ACL view is displayed.

acl-number specifies the number of an advanced ACL. The value ranges from 3000 to 3999.


By default, no ACL is created.

Step 3 (Optional) Run:


step step

The ACL step is configured.

By default, the step between ACL rule IDs is 5.

Step 4 (Optional) Run:


description text

The ACL description is configured.

By default, no description is configured for an ACL.

----End

4.5.2.3 Configuring an Advanced ACL Rule

Context
An advanced ACL classifies packets by matching packet information with its rules. After an
advanced ACL is created, configure rules in the advanced ACL.

Adding new rules to an ACL will not affect the existing rules. If the new rule conflicts with an
existing rule, the new rule takes effect. To modify an existing rule, delete the old rule, and then
create a new rule. Otherwise, the configuration result may be incorrect. If different rules are
ANDed or ORed, configure a correct matching order to prevent incorrect configurations.

NOTE

When the device receives a packet, it matches the packet with ACL rules one by one based on the matching
order. Once the packet matches a rule, the device stops the matching process and performs the action specified
in the matching rule on the packet.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]

A numbered advanced ACL is created and the advanced ACL view is displayed.

Or run:
acl name acl-name { advance | acl-number } [ match-order { auto | config } ]

A named advanced ACL is created and the advanced ACL view is displayed.

acl-number specifies the number of an advanced ACL. The value ranges from 3000 to 3999.

By default, no ACL is created.

Step 3 Configure an advanced ACL rule based on the IP protocol version or the protocol type over IP.


l Configure an advanced ACL rule based on the IP protocol version. When IPv4 is used, run:
rule [ rule-id ] { deny | permit } ip [ destination { destination-address destination-
wildcard | any } | source { source-address source-wildcard | any } | time-range time-
name | vpn-instance vpn-instance-name | [ dscp dscp | [ tos tos | precedence precedence ]
* ] | [ fragment | none-first-fragment ] ] *

l Configure an advanced ACL rule based on the protocol type over IP.
When the ICMP protocol is used, run:
rule [ rule-id ] { deny | permit } { protocol-number | icmp } [ destination { destination-
address destination-wildcard | any } | icmp-type { icmp-name | icmp-type icmp-code } |
source { source-address source-wildcard | any } | time-range time-name | vpn-
instance vpn-instance-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] |
[ fragment | none-first-fragment ] ] *
When the TCP protocol is used, run:
rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ destination { destination-
address destination-wildcard | any } | destination-port { eq port | gt port | lt port |
range port-start port-end } | source { source-address source-wildcard | any } | source-
port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | fin | psh |
rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name | [ dscp
dscp | [ tos tos | precedence precedence ] * ] | [ fragment | none-first-fragment ] ] *
When the UDP protocol is used, run:
rule [ rule-id ] { deny | permit }{ protocol-number | udp } [ destination { destination-
address destination-wildcard | any } | destination-port { eq port | gt port | lt port |
range port-start port-end } | source { source-address source-wildcard | any } | source-
port { eq port | gt port | lt port | range port-start port-end } | time-range time-name |
vpn-instance vpn-instance-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] |
[ fragment | none-first-fragment ] ] *
When GRE, IGMP, IPinIP, or OSPF is used, run:
rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ipinip | ospf }
[ destination { destination-address destination-wildcard | any } | source { source-
address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-
name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | [ fragment | none-first-
fragment ] ] *
To configure multiple rules, repeat this step.

NOTE

The dscp dscp and precedence precedence parameters cannot be set simultaneously for the same rule.
The dscp dscp and tos tos parameters cannot be set simultaneously for the same rule.
After the first rule is configured in an ACL, the device uses the step value as the number of this rule if the
rule-id parameter is not specified. If the rule-id parameter is not specified for later rules, the device
numbers each new rule with the smallest multiple of the step that is greater than the last rule ID. For example,
if an ACL includes rule 7 and the step is 5, the system assigns 10 to a new rule without rule-id specified.
When you specify the time-range parameter to reference a time range in the ACL and the specified time-
name does not exist, the ACL does not take effect.

Step 4 (Optional) Run:


rule rule-id description description

The description of an advanced ACL rule is configured.


By default, no description is configured for an ACL rule.


The device only supports the description configured for the rules with rule IDs. You are not
allowed to configure the description for a rule that has not been created.
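
As an added example (not Huawei code), the following Python models the rule behaviour described in 4.5.1.3 and 4.5.2.3: step-based rule numbering, source/destination address matching with wildcards, the protocol and destination-port operators of the advanced rule syntax, and config-order matching that stops at the first hit. ACL number 3001, the addresses and the Acl/Rule/Packet class names are this example's own, and treating several tcp-flag keywords as "all listed flags set" is an assumption, not something the guide states.

```python
"""ACL rule numbering and first-match evaluation (added example, not Huawei code).

Modelled from this chapter: a rule without rule-id gets the smallest multiple of
the step above the highest existing ID (the first rule gets the step, default 5);
rules are tried in order and matching stops at the first hit; basic ACLs
(2000-2999) match on source only, advanced ACLs (3000-3999) also on destination,
protocol, destination port and TCP flags. Only config order (ascending rule ID)
is modelled; a tcp-flag list is assumed to require every listed flag to be set.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, FrozenSet, Optional, Tuple

AddrSpec = Optional[Tuple[str, str]]  # (address, wildcard); 1 bits in the wildcard are ignored
PortSpec = Optional[Tuple]            # ('eq', 23), ('gt', 1023), ('lt', 1024), ('range', 20, 21)
_PORT_OPS = {"eq": lambda p, s: p == s[1], "gt": lambda p, s: p > s[1],
             "lt": lambda p, s: p < s[1], "range": lambda p, s: s[1] <= p <= s[2]}


def ip_matches(addr: str, spec: AddrSpec) -> bool:
    if spec is None:                      # 'any'
        return True
    base, wildcard = (int(IPv4Address(x)) for x in spec)
    return ((int(IPv4Address(addr)) ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def port_matches(port: int, spec: PortSpec) -> bool:
    return spec is None or _PORT_OPS[spec[0]](port, spec)


@dataclass
class Rule:
    action: str                           # 'permit' or 'deny'
    source: AddrSpec = None
    destination: AddrSpec = None          # this and the fields below: advanced ACLs only
    protocol: Optional[str] = None        # 'ip' (any protocol), 'tcp', 'udp', 'icmp', ...
    destination_port: PortSpec = None
    tcp_flags: FrozenSet[str] = frozenset()
    rule_id: Optional[int] = None


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    dport: int = 0
    tcp_flags: FrozenSet[str] = frozenset()


class Acl:
    def __init__(self, number: int, step: int = 5):
        if not 2000 <= number <= 3999:
            raise ValueError("basic ACLs are 2000-2999, advanced ACLs 3000-3999")
        self.number, self.step = number, step
        self.kind = "basic" if number < 3000 else "advanced"
        self.rules: Dict[int, Rule] = {}

    def next_rule_id(self) -> int:
        if not self.rules:
            return self.step
        return (max(self.rules) // self.step + 1) * self.step

    def add_rule(self, rule: Rule) -> int:
        advanced = (rule.destination, rule.protocol, rule.destination_port)
        if self.kind == "basic" and (any(f is not None for f in advanced) or rule.tcp_flags):
            raise ValueError("a basic ACL rule matches on source address only")
        if rule.rule_id is None:
            rule.rule_id = self.next_rule_id()
        if rule.rule_id in self.rules:
            # The guide says: delete the old rule, then create the new one.
            raise ValueError("rule %d already exists; delete it first" % rule.rule_id)
        self.rules[rule.rule_id] = rule
        return rule.rule_id

    @staticmethod
    def _matches(rule: Rule, pkt: Packet) -> bool:
        if rule.protocol not in (None, "ip") and rule.protocol != pkt.protocol:
            return False
        if not (ip_matches(pkt.src, rule.source) and ip_matches(pkt.dst, rule.destination)):
            return False
        if not port_matches(pkt.dport, rule.destination_port):
            return False
        return rule.tcp_flags <= pkt.tcp_flags

    def first_match(self, pkt: Packet) -> Optional[Tuple[int, str]]:
        """Ascending rule ID, stop at the first hit; None = no rule matched."""
        for rule_id in sorted(self.rules):
            if self._matches(self.rules[rule_id], pkt):
                return rule_id, self.rules[rule_id].action
        return None


def build_example_acl() -> Acl:
    """Constructed ACL 3001: deny Telnet from 10.1.1.0/24 to 192.168.10.1, permit the rest."""
    acl = Acl(3001)
    acl.add_rule(Rule("deny", source=("10.1.1.0", "0.0.0.255"),
                      destination=("192.168.10.1", "0.0.0.0"),
                      protocol="tcp", destination_port=("eq", 23)))    # gets rule ID 5
    acl.add_rule(Rule("permit", source=("10.1.1.0", "0.0.0.255"), protocol="ip"))  # ID 10
    return acl
```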

----End

4.5.2.4 Applying the ACL to the Router

Context
An ACL is a set of rules that differentiate packets and determine whether packets are permitted
or denied. The device then processes the permitted packets and discards the denied packets.

Procedure
l Apply the ACL.
ACLs can be applied to many features. For example, to process different types of traffic,
you can use basic ACLs, advanced ACLs, Layer 2 ACLs, basic ACL6s, or advanced ACL6s
to perform traffic policing, traffic shaping, or traffic classification on the traffic that matches
the ACL rules.

NOTE

ACLs can be applied to different services, and devices running these services process the classified packets
according to service requirements. For details about the services referencing ACLs, see the configuration
guide.

----End

4.5.2.5 Checking the Configuration

Procedure
l Run the display acl { acl-number | name acl-name | all } command to view the
configuration about a specific ACL or all ACLs.
l Run the display time-range { all | time-name } command to view information about the
time range.

----End

4.5.3 Configuring a Layer 2 ACL


A Layer 2 ACL classifies data packets according to the link layer information, including the
source MAC address, VLAN ID, Layer 2 protocol type, and destination MAC address.

4.5.3.1 (Optional) Configuring the Validity Time Range of a Rule

Context
Some services or functions are restricted within a specified period of time, for example, Quality
of Service (QoS) is started only during peak hours. You can create a time range and reference
the time range in an ACL applied to these services or functions so that the ACL takes effect only
in the time range. The services or functions that reference the ACL are also started in the specified
time range.

NOTICE
Deleting a time range that ACL rules reference may invalidate those ACLs. Therefore, delete time
ranges with caution.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
time-range time-name { start-time to end-time { days } &<1-7> | from time1 date1
[ to time2 date2 ] }

A time range is created.


To configure multiple time ranges with the same name on the Router, run the preceding command
with the same value of time-name repeatedly.

NOTE

If multiple time ranges are configured using the same time-name value, the system takes the union of periodic
time ranges and the union of absolute time ranges, and then takes the intersection of the two unions as the final
time range. In this example, the name test is used to configure the following time ranges:
l Time range 1: 01.01.2010 00:00 to 31.12.2010 23:59 (absolute time range)
l Time range 2: 8:00 to 18:00 from Monday to Friday (periodic time range)
l Time range 3: 14:00 to 18:00 on Saturday and Sunday (periodic time range)
The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in 2010.
You are advised to configure the Network Time Protocol (NTP) to ensure that devices on the network use the
same system time. For the NTP configuration, see Configuring Basic NTP Functions in the Huawei
AR150&200&1200&2200&3200 Series Enterprise Routers Configuration Guide - Network Management.

----End

4.5.3.2 Creating a Layer 2 ACL

Context
A Layer 2 ACL classifies packets based on the source MAC address, destination MAC address,
and Layer 2 protocol type in the packet.
Before configuring a Layer 2 ACL, you need to create a Layer 2 ACL.

Procedure
Step 1 Run:
system-view


The system view is displayed.

Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]

A numbered Layer 2 ACL is created and the Layer 2 ACL view is displayed.

Or run:
acl name acl-name { link | acl-number } [ match-order { auto | config } ]

A named Layer 2 ACL is created and the Layer 2 ACL view is displayed.

acl-number specifies the number of a Layer 2 ACL. The value ranges from 4000 to 4999.

By default, no ACL is created.

Step 3 (Optional) Run:


step step

The ACL step is configured.

By default, the step between ACL rule IDs is 5.

Step 4 (Optional) Run:


description text

The ACL description is configured.

By default, no description is configured for an ACL.

----End

4.5.3.3 Configuring a Layer 2 ACL Rule

Context
ACLs classify packets by matching packet information with its rules. After an ACL is created,
configure rules in the ACL.

Adding new rules to an ACL will not affect the existing rules. If the new rule conflicts with an
existing rule, the new rule takes effect. To modify an existing rule, delete the old rule, and then
create a new rule. Otherwise, the configuration result may be incorrect. If different rules are
ANDed or ORed, configure a correct matching order to prevent incorrect configurations.

NOTE

When the device receives a packet, it matches the packet with ACL rules one by one based on the matching
order. Once the packet matches a rule, the device stops the matching process and performs the action specified
in the matching rule on the packet.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:


acl [ number ] acl-number [ match-order { auto | config } ]

A numbered Layer 2 ACL is created and the Layer 2 ACL view is displayed.
Or run:
acl name acl-name { link | acl-number } [ match-order { auto | config } ]

A named Layer 2 ACL is created and the Layer 2 ACL view is displayed.
acl-number specifies the number of a Layer 2 ACL. The value ranges from 4000 to 4999.
By default, no ACL is created.
Step 3 Run:
rule [ rule-id ] { permit | deny } [ l2-protocol type-value [ type-mask ] |
destination-mac dest-mac-address [ dest-mac-mask ] | source-mac source-mac-address
[ source-mac-mask ] | vlan-id vlan-id [ vlan-id-mask ] | 8021p 802.1p-value |
[ time-range time-name ] ] *

A Layer 2 ACL rule is configured.


To configure multiple rules, repeat this step.

NOTE

After the first rule is configured in an ACL, the device uses the step value as the number of this rule if the
rule-id parameter is not specified. If the rule-id parameter is not specified for later rules, the device
numbers each new rule with the smallest multiple of the step that is greater than the last rule ID. For example,
if an ACL includes rule 7 and the step is 5, the system assigns 10 to a new rule without rule-id specified.
When you specify the time-range parameter to reference a time range in the ACL and the specified time-
name does not exist, the ACL does not take effect.

Step 4 (Optional) Run:


rule rule-id description description

The description of a Layer 2 ACL rule is configured.


By default, no description is configured for an ACL rule.
The device only supports the description configured for the rules with rule IDs. You are not
allowed to configure the description for a rule that has not been created.

----End

4.5.3.4 Applying the ACL to the Router

Context
An ACL is a set of rules that differentiate packets and determine whether packets are permitted
or denied. The device then processes the permitted packets and discards the denied packets.

Procedure
l Apply the ACL.
ACLs can be applied to many features. For example, to process different types of traffic,
you can use basic ACLs, advanced ACLs, Layer 2 ACLs, basic ACL6s, or advanced ACL6s
to perform traffic policing, traffic shaping, or traffic classification on the traffic that matches
the ACL rules.


NOTE

ACLs can be applied to different services, and devices running these services process the classified packets
according to service requirements. For details about the services referencing ACLs, see the configuration
guide.

----End

4.5.3.5 Checking the Configuration

Procedure
l Run the display acl { acl-number | name acl-name | all } command to view the
configuration about a specific ACL or all ACLs.
l Run the display time-range { all | time-name } command to view information about the
time range.

----End

4.5.4 Configuring a Basic ACL6


Basic ACL6s classify data packets based on the source IP address.

4.5.4.1 (Optional) Configuring the Validity Time Range of a Rule

Context
Some services or functions are restricted within a specified period of time, for example, Quality
of Service (QoS) is started only during peak hours. You can create a time range and reference
the time range in an ACL applied to these services or functions so that the ACL takes effect only
in the time range. The services or functions that reference the ACL are also started in the specified
time range.

NOTICE
Deleting a time range that ACL rules reference may invalidate those ACLs. Therefore, delete time
ranges with caution.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
time-range time-name { start-time to end-time { days } &<1-7> | from time1 date1
[ to time2 date2 ] }

A time range is created.


To configure multiple time ranges with the same name on the Router, run the preceding command
with the same value of time-name repeatedly.

NOTE

If multiple time ranges are configured using the same time-name value, the system takes the union of periodic
time ranges and the union of absolute time ranges, and then takes the intersection of the two unions as the final
time range. In this example, the name test is used to configure the following time ranges:
l Time range 1: 01.01.2010 00:00 to 31.12.2010 23:59 (absolute time range)
l Time range 2: 8:00 to 18:00 from Monday to Friday (periodic time range)
l Time range 3: 14:00 to 18:00 on Saturday and Sunday (periodic time range)
The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in 2010.
You are advised to configure the Network Time Protocol (NTP) to ensure that devices on the network use the
same system time. For the NTP configuration, see Configuring Basic NTP Functions in the Huawei
AR150&200&1200&2200&3200 Series Enterprise Routers Configuration Guide - Network Management.

----End

4.5.4.2 Creating a Basic ACL6

Context
A basic ACL6 classifies IPv6 packets based on the source IPv6 address, fragment flags, and time
range.

Before configuring a basic ACL6, create a basic ACL6. acl-number specifies the number of a
basic ACL6. The value ranges from 2000 to 2999.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]

A numbered basic ACL6 is created and the basic ACL6 view is displayed.

Or run:
acl ipv6 name acl6-name { basic | acl6-number } [ match-order { auto | config } ]

A named basic ACL6 is created and the basic ACL6 view is displayed.

acl-number specifies the number of a basic ACL6. The value ranges from 2000 to 2999.

By default, no ACL6 is created.

Step 3 (Optional) Run:


step step

The ACL6 step is configured.

By default, the step between ACL6 rule IDs is 5.

Step 4 (Optional) Run:


description text

The ACL6 description is configured.

By default, no description is configured for an ACL6.

----End

4.5.4.3 Configuring a Basic ACL6 Rule

Context
A basic ACL6 classifies packets by matching packet information with its rules. After a basic
ACL6 is created, configure rules in the ACL6.

Adding new rules to an ACL6 will not affect the existing rules. If the new rule conflicts with an
existing rule, the new rule takes effect. To modify an existing rule, delete the old rule, and then
create a new rule. Otherwise, the configuration result may be incorrect. If different rules are
ANDed or ORed, configure a correct matching order to prevent incorrect configurations.

NOTE

When the device receives a packet, it matches the packet with ACL rules one by one based on the matching
order. Once the packet matches a rule, the device stops the matching process and performs the action specified
in the matching rule on the packet.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]

A numbered basic ACL6 is created and the basic ACL6 view is displayed.

Or run:
acl ipv6 name acl6-name { basic | acl6-number } [ match-order { auto | config } ]

A named basic ACL6 is created and the basic ACL6 view is displayed.

acl-number specifies the number of a basic ACL6. The value ranges from 2000 to 2999.

By default, no ACL6 is created.

Step 3 Run:
rule [ rule-id ] { deny | permit } [ [ fragment | none-first-fragment ] | source
{ source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } |
time-range time-name ] *

A basic ACL6 rule is configured.

To configure multiple rules, repeat this step.


NOTE

After the first rule is configured in an ACL6, the device uses the step value as the number of this rule if
the rule-id is not specified. If the rule-id parameter is not specified for later rules, the device numbers
each new rule with the smallest multiple of the step that is greater than the last rule ID. For example, if an
ACL6 includes rule 5 and rule 7, and the step is 5, the system assigns 10 to a new rule without rule-id specified.
When you specify the time-range parameter to reference a time range in the ACL6 and the specified time-
name does not exist, the ACL6 does not take effect.

Step 4 (Optional) Run:


rule rule-id description description

The description of a basic ACL6 rule is configured.

By default, no description is configured for an ACL rule.

The device only supports the description configured for the rules with rule IDs. You are not
allowed to configure the description for a rule that has not been created.

----End

4.5.4.4 Applying the ACL to the Router

Context
An ACL is a set of rules that differentiate packets and determine whether packets are permitted
or denied. The device then processes the permitted packets and discards the denied packets.

Procedure
l Apply the ACL.

ACLs can be applied to many features. For example, to process different types of traffic,
you can use basic ACLs, advanced ACLs, Layer 2 ACLs, basic ACL6s, or advanced ACL6s
to perform traffic policing, traffic shaping, or traffic classification on the traffic that matches
the ACL rules.

NOTE

ACLs can be applied to different services, and devices running these services process the classified packets
according to service requirements. For details about the services referencing ACLs, see the configuration
guide.

----End

4.5.4.5 Checking the Configuration

Procedure
l Run the display acl ipv6 { acl6-number | name acl6-name | all } command to view the
configuration about a specific ACL6 or all ACL6s.
l Run the display time-range { all | time-name } command to display information about the
time range.

----End


4.5.5 Configuring an Advanced ACL6


Advanced ACL6s classify data packets based on the source IP address, destination IP address,
source port number, destination port number, and protocol type.

4.5.5.1 (Optional) Configuring the Validity Time Range of a Rule

Context
Some services or functions are restricted within a specified period of time, for example, Quality
of Service (QoS) is started only during peak hours. You can create a time range and reference
the time range in an ACL applied to these services or functions so that the ACL takes effect only
in the time range. The services or functions that reference the ACL are also started in the specified
time range.

NOTICE
Deleting a time range that ACL rules reference may invalidate those ACLs. Therefore, delete time
ranges with caution.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
time-range time-name { start-time to end-time { days } &<1-7> | from time1 date1
[ to time2 date2 ] }

A time range is created.

To configure multiple time ranges with the same name on the Router, run the preceding command
with the same value of time-name repeatedly.

NOTE

If multiple time ranges are configured using the same time-name value, the system takes the union of periodic
time ranges and the union of absolute time ranges, and then takes the intersection of the two unions as the final
time range. In this example, the name test is used to configure the following time ranges:
l Time range 1: 01.01.2010 00:00 to 31.12.2010 23:59 (absolute time range)
l Time range 2: 8:00 to 18:00 from Monday to Friday (periodic time range)
l Time range 3: 14:00 to 18:00 on Saturday and Sunday (periodic time range)
The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in 2010.
You are advised to configure the Network Time Protocol (NTP) to ensure that devices on the network use the
same system time. For the NTP configuration, see Configuring Basic NTP Functions in the Huawei
AR150&200&1200&2200&3200 Series Enterprise Routers Configuration Guide - Network Management.

----End


4.5.5.2 Creating an Advanced ACL6

Context
An advanced ACL6 classifies IPv6 packets based on the following attributes: source IP
address, destination IP address, protocol type carried over IP, and protocol-specific fields
such as the source and destination TCP port numbers, ICMPv6 type, and ICMPv6 code.
Before configuring an advanced ACL6, you need to create an advanced ACL6.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]

A numbered advanced ACL6 is created and the advanced ACL6 view is displayed.
Or run:
acl ipv6 name acl6-name { advance | acl6-number } [ match-order { auto | config } ]

A named advanced ACL6 is created and the advanced ACL6 view is displayed.
acl6-number specifies the number of an advanced ACL6. The value ranges from 3000 to 3999.
By default, no ACL6 is created.
Step 3 (Optional) Run:
step step

The ACL6 step is configured.


By default, the step between ACL6 rule IDs is 5.
Step 4 (Optional) Run:
description text

The ACL6 description is configured.


By default, no description is configured for an ACL6.

----End

4.5.5.3 Configuring an Advanced ACL6 Rule

Context
ACL6s classify packets by matching packet information with its rules. After an advanced ACL6
is created, configure rules in the advanced ACL6.
Adding new rules to an ACL6 will not affect the existing rules. If the new rule conflicts with an
existing rule, the new rule takes effect. To modify an existing rule, delete the old rule, and then
create a new rule. Otherwise, the configuration result may be incorrect. If different rules are
ANDed or ORed, configure a correct matching order to prevent incorrect configurations.


NOTE

When the device receives a packet, it matches the packet with ACL rules one by one based on the matching
order. Once the packet matches a rule, the device stops the matching process and performs the action specified
in the matching rule on the packet.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]

A numbered advanced ACL6 is created and the advanced ACL6 view is displayed.
Or run:
acl ipv6 name acl6-name { advance | acl6-number } [ match-order { auto | config } ]

A named advanced ACL6 is created and the advanced ACL6 view is displayed.
acl6-number specifies the number of an advanced ACL6. The value ranges from 3000 to 3999.
By default, no ACL6 is created.
Step 3 Perform the following steps as required to configure rules for the advanced ACL6.
You can configure the advanced ACL6 on the device according to the protocol type over IP.
The parameters vary according to the protocol type.
l When the TCP protocol is used, run:
rule [ rule-id ] { deny | permit } { tcp | protocol-number } [ destination { destination-ipv6-
address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port
{ eq port | gt port | lt port | range port-start port-end } | dscp dscp | precedence
precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-
length | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-
flag { ack | fin | psh | rst | syn | urg } * | time-range time-name | tos tos ] *
l When the UDP protocol is used, run:
rule [ rule-id ] { deny | permit } { udp | protocol-number } [ destination { destination-ipv6-
address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port
{ eq port | gt port | lt port | range port-start port-end } | dscp dscp | precedence
precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-
length | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-
range time-name | tos tos ] *
l When the ICMPv6 protocol is used, run:
rule [ rule-id ] { deny | permit } { icmpv6 | protocol-number } [ destination { destination-
ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | dscp dscp |
icmp6-type { icmp6-type-name | icmp6-type icmp6-code } | precedence precedence |
source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } |
time-range time-name | tos tos ] *
l When the IPv6 protocol is used, run:
rule [ rule-id ] { deny | permit } { protocol-number | ipv6 } [ destination { destination-
ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | dscp dscp |
[ fragment | none-first-fragment ] | precedence precedence | source { source-ipv6-
address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name |
tos tos ] *
l When other protocols are used, run:
rule [ rule-id ] { deny | permit } { protocol-number | gre | ospf } [ destination { destination-
ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | dscp dscp |
precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/
prefix-length | any } | time-range time-name | tos tos ] *

To configure multiple rules, repeat this step.

NOTE

To configure both the precedence precedence and tos tos parameters, set the two parameters consecutively
in the command.
The dscp dscp and precedence precedence parameters cannot be set simultaneously for the same rule.
The dscp dscp and tos tos parameters cannot be set simultaneously for the same rule.
When the protocol value is not IPv6, the fragment and none-first-fragment parameters cannot be set.
After the first rule is configured in an ACL6, the device uses the step value as the number of this rule if
rule-id is not specified. If rule-id is not specified for later rules, the device numbers each new rule with the
next multiple of the step that is greater than the last rule ID. For example, if an ACL6 includes rule 5
and rule 7, and the step is 5, the system assigns 10 to a new rule without rule-id specified.
When you specify the time-range parameter to reference a time range in the ACL6, if the specified time-
name does not exist, the ACL6 does not take effect.

Step 4 (Optional) Run:
rule rule-id description description

The description of an advanced ACL6 rule is configured.

By default, no description is configured for an ACL rule.

The device only supports the description configured for the rules with rule IDs. You are not
allowed to configure the description for a rule that has not been created.

----End

4.5.5.4 Applying the ACL to the Router

Context
An ACL is a set of rules that differentiates packets and determines whether packets are permitted
or denied. The device then processes the permitted packets and discards the denied packets.

Procedure
l Apply the ACL.

ACL can be applied to many features. For example, to process different types of traffic,
you can use basic ACLs, advanced ACLs, Layer 2 ACLs, basic ACL6s, or advanced ACL6s
to perform traffic policing, traffic shaping, or traffic classification on the traffic that matches
the ACL rules.


NOTE

ACL can be applied to different services, and devices running these services process the classified packets
according to service requirements. For details about the services referencing ACLs, see the configuration
guide.

----End

4.5.5.5 Checking the Configuration

Procedure
l Run the display acl ipv6 { acl6-number | name acl6-name | all } command to view the
configuration about a specific ACL6 or all ACL6s.
l Run the display time-range { all | time-name } command to display information about the
time range.

----End

4.6 Maintaining an ACL

This section describes how to maintain an ACL.

4.6.1 Clearing ACL Statistics

Context

NOTICE
The deleted ACL statistics cannot be restored. Exercise caution when you run the command.

Procedure
l Run the reset acl counter { name acl-name | acl-number | all } command in the user view
to clear ACL statistics.
l Run the reset acl ipv6 counter { name acl6-name | acl6-number | all } command in the
user view to clear ACL6 statistics.

----End

4.6.2 Displaying ACL Resources

Context
If an ACL fails to be created, the available ACL resources in the system may be insufficient.

You can view ACL resource usage in the system to check whether the ACL resources have been
used up.


Procedure
l Run the display acl resource [ slot slot-id ] command in any view to check information
about ACL resources.

----End

4.7 Configuration Examples

This section provides several configuration examples of ACLs.

4.7.1 Example for Configuring a Basic ACL to Limit Access to the FTP Server

Networking Requirements
As shown in Figure 4-5, the Router functions as an FTP server (172.16.104.110/24). The
requirements are as follows:

l All the users on subnet 1 (172.16.105.0/24) are allowed to access the FTP server at any
time.
l All the users on subnet 2 (172.16.107.0/24) are allowed to access the FTP server only at
the specified period of time.
l Other users are not allowed to access the FTP server.

The routes between the Router and subnets are reachable. You need to configure the Router to
limit user access to the FTP server.

Figure 4-5 Configuring a basic ACL to limit user access to the FTP server
(figure not reproduced: PC A 172.16.105.111/24, PC B 172.16.107.111/24, and PC C 10.10.10.1/24 reach
the Router, which is the FTP server at 172.16.104.110/24, through the network)

Configuration Roadmap
The configuration roadmap is as follows:

l Create a basic ACL on the Router and configure rules in the basic ACL.
l Configure basic FTP functions on the Router.


l Apply a basic ACL to the Router to limit user access.

Procedure
Step 1 Configure a time range.
<Huawei> system-view
[Huawei] sysname Router
[Router] time-range ftp-access from 0:0 2009/1/1 to 23:59 2011/12/31
[Router] time-range ftp-access 14:00 to 18:00 off-day

Step 2 Configure a basic ACL.
[Router] acl number 2001
[Router-acl-basic-2001] rule permit source 172.16.105.0 0.0.0.255
[Router-acl-basic-2001] rule permit source 172.16.107.0 0.0.0.255 time-range ftp-access
[Router-acl-basic-2001] rule deny source any
[Router-acl-basic-2001] quit

Step 3 Configure basic FTP functions.
[Router] ftp server enable
[Router] aaa
[Router-aaa] local-user huawei password cipher SetUesrPasswd@123
[Router-aaa] local-user huawei privilege level 15
[Router-aaa] local-user huawei service-type ftp
[Router-aaa] local-user huawei ftp-directory flash:
[Router-aaa] quit

Step 4 Configure access permissions on the FTP server.
[Router] ftp acl 2001

Step 5 Verify the configuration.

Run the ftp 172.16.104.110 command on PC A (172.16.105.111/24) in subnet 1. PC A can
connect to the FTP server.

Run the ftp 172.16.104.110 command on PC B (172.16.107.111/24) in subnet 2 on Monday in
2010. PC B cannot connect to the FTP server. Run the ftp 172.16.104.110 command on PC B
(172.16.107.111/24) in subnet 2 at 15:00 on Saturday in 2010. PC B can connect to the FTP
server.

Run the ftp 172.16.104.110 command on PC C (10.10.10.1/24). PC C cannot connect to the FTP
server.

----End

Configuration Files
# Configuration file of the Router
#
sysname Router
ftp server enable
ftp acl 2001
#
aaa
local-user huawei password cipher %$%$k$Xg7H;w4HZP5nE4-E4(FcZQ%$%$
local-user huawei privilege level 15
local-user huawei ftp-directory flash:
local-user huawei service-type ftp
#
time-range ftp-access 14:00 to 18:00 off-day
time-range ftp-access from 00:00 2009/1/1 to 23:59 2011/12/31
#
acl number 2001
rule 5 permit source 172.16.105.0 0.0.0.255
rule 10 permit source 172.16.107.0 0.0.0.255 time-range ftp-access
rule 15 deny
#
return
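The rule evaluation behind the verification step above, as an added Python example (not Huawei code and not part of this guide). It models an IPv4 ACL the way this chapter describes it: wildcard masks where a 1 bit means "don't care" (with the CLI shorthand 0 for 0.0.0.0, as in the configuration files of this chapter), rule IDs assigned from the step when rule-id is omitted, first-match evaluation that stops at the first hit, and a rule whose referenced time range is inactive simply not hitting. It reproduces ACL 2001 from this example and checks the four client cases listed under Step 5; the destination wildcard support goes beyond this basic ACL and applies to the advanced-ACL rules used later in the chapter. Assumptions made here: config match order is modelled as ascending rule ID, the next automatic rule ID is computed from the highest existing ID, and "FTP connects only on an explicit permit" is taken from the FAQ table at the end of the chapter.

```python
"""Toy model of a VRP-style IPv4 ACL: wildcard masks, rule-ID assignment by
step, first-match evaluation and time-range references.  Added example, not
Huawei code; 'config' match order is modelled as ascending rule ID (assumption)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """VRP wildcard semantics: a 1 bit in the wildcard means 'don't care'.
    The CLI shorthand '0' stands for 0.0.0.0 (exact host match)."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


@dataclass
class Rule:
    rule_id: int
    action: str                          # "permit" or "deny"
    source: Optional[tuple] = None       # (base, wildcard); None means 'any'
    destination: Optional[tuple] = None  # (base, wildcard); None means 'any'
    time_range: Optional[str] = None     # name of a referenced time range


@dataclass
class Acl:
    number: int
    step: int = 5
    rules: list = field(default_factory=list)

    def next_rule_id(self) -> int:
        """Numbering described in the guide: the first rule gets the step value,
        later rules get the next multiple of the step above the highest ID
        (assumption: 'last rule ID' read as the highest existing ID)."""
        if not self.rules:
            return self.step
        highest = max(r.rule_id for r in self.rules)
        return (highest // self.step + 1) * self.step

    def rule(self, action: str, rule_id: Optional[int] = None, **match) -> int:
        rid = self.next_rule_id() if rule_id is None else rule_id
        self.rules.append(Rule(rid, action, **match))
        self.rules.sort(key=lambda r: r.rule_id)     # config order == ascending ID
        return rid

    def evaluate(self, src: str, dst: Optional[str] = None, active_ranges=frozenset()):
        """Return (action, rule_id) of the first matching rule, or (None, None)
        when no rule matches; the referencing feature decides what 'no match'
        means (the FTP server refuses the connection)."""
        for r in self.rules:
            if r.time_range is not None and r.time_range not in active_ranges:
                continue     # rule bound to an inactive or unknown time range never hits
            if r.source and not wildcard_match(src, *r.source):
                continue
            if r.destination and (dst is None or not wildcard_match(dst, *r.destination)):
                continue
            return r.action, r.rule_id
        return None, None


def ftp_acl_2001() -> Acl:
    """Reproduction of ACL 2001 from the FTP example (constructed here)."""
    acl = Acl(2001)
    acl.rule("permit", source=("172.16.105.0", "0.0.0.255"))
    acl.rule("permit", source=("172.16.107.0", "0.0.0.255"), time_range="ftp-access")
    acl.rule("deny")                     # 'rule deny source any'
    return acl


def ftp_allowed(acl: Acl, client_ip: str, active_ranges=frozenset()) -> bool:
    """FTP semantics from the FAQ table: a connection needs an explicit permit."""
    action, _ = acl.evaluate(client_ip, active_ranges=active_ranges)
    return action == "permit"


if __name__ == "__main__":
    acl = ftp_acl_2001()
    print([(r.rule_id, r.action) for r in acl.rules])          # [(5, 'permit'), (10, 'permit'), (15, 'deny')]
    print(ftp_allowed(acl, "172.16.105.111"))                   # True  (PC A)
    print(ftp_allowed(acl, "172.16.107.111"))                   # False (PC B, time range inactive)
    print(ftp_allowed(acl, "172.16.107.111", {"ftp-access"}))   # True  (PC B, time range active)
    print(ftp_allowed(acl, "10.10.10.1", {"ftp-access"}))       # False (PC C)
```

Note how PC B outside the time range falls through to rule 15, the explicit deny: with first-match evaluation the outcome depends on rule order, so a later, broader permit would silently override a narrower deny placed after it.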

4.7.2 Example for Using an Advanced ACL to Configure Traffic Classifiers

Networking Requirements
As shown in Figure 4-6, the departments of the company are connected through the Router. An
IPv4 ACL needs to be configured to prevent the R&D department and marketing department
from accessing the salary query server from 8:00 to 17:30 and allow the president's office to
access the salary query server at any time.

Figure 4-6 Using an advanced ACL to configure traffic classifiers
(figure not reproduced: the Router connects the president's office 10.164.1.0/24 on Eth2/0/0, the marketing
department 10.164.2.0/24 on Eth2/0/1, the R&D department 10.164.3.0/24 on Eth2/0/2, and the salary query
server 10.164.9.9 on Eth2/0/3, as the configuration file below shows)

Configuration Roadmap
The configuration roadmap is as follows:

1. Assign IP addresses to interfaces.
2. Configure the time range.
3. Configure ACLs.
4. Configure traffic classifiers.
5. Configure traffic behaviors.
6. Configure traffic policies.
7. Apply traffic policies to interfaces.

Procedure
Step 1 Assign IP addresses to interfaces.

# Add interfaces to VLANs and assign IP addresses to the VLANIF interfaces.

Add Eth 2/0/0, Eth 2/0/1, and Eth 2/0/2 to VLAN 10, VLAN 20, and VLAN 30 respectively,
and add Eth 2/0/3 to VLAN 100. The first IP address of a network segment is taken as the address
of the VLANIF interface of the same network segment. The configuration on Eth 2/0/0 is used
as an example here. The configurations of other interfaces are similar to the configuration on
Eth 2/0/0, and are not mentioned here.
<Huawei> system-view
[Huawei] vlan batch 10 20 30 100
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] port link-type access
[Huawei-Ethernet2/0/0] port default vlan 10
[Huawei-Ethernet2/0/0] quit
[Huawei] interface vlanif 10
[Huawei-Vlanif10] ip address 10.164.1.1 255.255.255.0
[Huawei-Vlanif10] quit

Step 2 Configure the time range.

# Configure the time range from 8:00 to 17:30.
[Huawei] time-range satime 8:00 to 17:30 working-day

Step 3 Configure ACLs.

# Configure the ACL for the marketing department to access the salary query server.
[Huawei] acl 3002
[Huawei-acl-adv-3002] rule deny ip source 10.164.2.0 0.0.0.255 destination
10.164.9.9 0.0.0.0 time-range satime
[Huawei-acl-adv-3002] quit

# Configure the ACL for the R&D department to access the salary query server.
[Huawei] acl 3003
[Huawei-acl-adv-3003] rule deny ip source 10.164.3.0 0.0.0.255 destination
10.164.9.9 0.0.0.0 time-range satime
[Huawei-acl-adv-3003] quit

Step 4 Configure ACL-based traffic classifiers.

# Configure the traffic classifier c_market to classify the packets that match ACL 3002.
[Huawei] traffic classifier c_market
[Huawei-classifier-c_market] if-match acl 3002
[Huawei-classifier-c_market] quit

# Configure the traffic classifier c_rd to classify the packets that match ACL 3003.
[Huawei] traffic classifier c_rd
[Huawei-classifier-c_rd] if-match acl 3003
[Huawei-classifier-c_rd] quit

Step 5 Configure traffic behaviors.

# Configure the traffic behavior b_market to reject packets.
[Huawei] traffic behavior b_market
[Huawei-behavior-b_market] deny
[Huawei-behavior-b_market] quit

# Configure the traffic behavior b_rd to reject packets.
[Huawei] traffic behavior b_rd
[Huawei-behavior-b_rd] deny
[Huawei-behavior-b_rd] quit

Step 6 Configure traffic policies.

# Configure the traffic policy p_market and associate the traffic classifier c_market and the
traffic behavior b_market with the traffic policy.
[Huawei] traffic policy p_market
[Huawei-trafficpolicy-p_market] classifier c_market behavior b_market
[Huawei-trafficpolicy-p_market] quit

# Configure the traffic policy p_rd and associate the traffic classifier c_rd and the traffic
behavior b_rd with the traffic policy.
[Huawei] traffic policy p_rd
[Huawei-trafficpolicy-p_rd] classifier c_rd behavior b_rd
[Huawei-trafficpolicy-p_rd] quit

Step 7 Apply the traffic policy.

# Apply the traffic policy p_market to Eth 2/0/1.
[Huawei] interface ethernet 2/0/1
[Huawei-Ethernet2/0/1] traffic-policy p_market inbound
[Huawei-Ethernet2/0/1] quit

# Apply the traffic policy p_rd to Eth 2/0/2.
[Huawei] interface ethernet 2/0/2
[Huawei-Ethernet2/0/2] traffic-policy p_rd inbound
[Huawei-Ethernet2/0/2] quit

Step 8 Verify the configuration.

# Check the configuration of ACL rules.
[Huawei] display traffic classifier user-defined
User Defined Classifier Information:
Classifier: c_market
Operator: OR
Rule(s) :
if-match acl 3002

Classifier: c_rd
Operator: OR
Rule(s) :
if-match acl 3003

# Check the configuration of the traffic classifier.
[Huawei] display traffic classifier user-defined
User Defined Classifier Information:
Classifier: c_market
Operator: OR
Rule(s) : if-match acl 3002

Classifier: c_rd
Operator: OR
Rule(s) : if-match acl 3003

# Check the configuration of the traffic policy.
[Huawei] display traffic policy user-defined
User Defined Traffic Policy Information:
Policy: p_market
Classifier: c_market
Operator: OR
Behavior: b_market
Deny

Policy: p_rd
Classifier: c_rd
Operator: OR
Behavior: b_rd
Deny

----End

Configuration Files
#
time-range satime 08:00 to 17:30 working-day
#
vlan batch 10 20 30 100
#
acl number 3002
rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range
satime
#
acl number 3003
rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range
satime
#
traffic classifier c_market operator or
if-match acl 3002
traffic classifier c_rd operator or
if-match acl 3003
#
traffic behavior b_market
deny
traffic behavior b_rd
deny
#
traffic policy p_market
classifier c_market behavior b_market
traffic policy p_rd
classifier c_rd behavior b_rd
#
interface Vlanif10
ip address 10.164.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.164.2.1 255.255.255.0
#
interface Vlanif30
ip address 10.164.3.1 255.255.255.0
#
interface Vlanif100
ip address 10.164.9.1 255.255.255.0
#
interface Ethernet2/0/0
port link-type access
port default vlan 10
#
interface Ethernet2/0/1
port link-type access
port default vlan 20
traffic-policy p_market inbound
#
interface Ethernet2/0/2
port link-type access
port default vlan 30
traffic-policy p_rd inbound
#
interface Ethernet2/0/3
port link-type access
port default vlan 100
#
return

4.7.3 Example for Using an Advanced ACL to Configure the Firewall Function

Networking Requirements
As shown in Figure 4-7, an enterprise network running the Web, FTP, and Telnet services
accesses an external network through GE1/0/0 and joins a VLAN through Eth2/0/0.

The enterprise network segment is 202.169.10.0/24 and the IP addresses of the Web server, FTP
server, and Telnet server are 202.169.10.5/24, 202.169.10.6/24, and 202.169.10.7/24.

To ensure security, the Router provides the firewall function. Only specified users are allowed
to access internal servers of the enterprise and only internal servers of the enterprise are allowed
to access the external network.

Figure 4-7 Using an advanced ACL to configure the firewall function
(figure not reproduced: the internal network with the FTP server 202.169.10.6, the WWW server
202.169.10.5, and the Telnet server 202.169.10.7 connects to the Router through Eth2/0/0; the Router
reaches the Internet through GE1/0/0; the external host is 202.39.2.3)

Configuration Roadmap
The configuration roadmap is as follows:

l Configure zones on the internal and external networks.
l Configure an interzone and enable the firewall function in the interzone.
l Configure advanced ACLs to restrict the rights to access the internal servers and external
network.
l Configure ACL-based packet filtering in the interzone.

Procedure
Step 1 Configure zones.

# Configure a zone on the internal network.
<Huawei> system-view
[Huawei] sysname Router
[Router] firewall zone company
[Router-zone-company] priority 12
[Router-zone-company] quit

# Add interfaces to VLANs and assign IP addresses to the VLANIF interfaces. Add VLANIF
100 to the zone company.
[Router] vlan batch 100
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port link-type access
[Router-Ethernet2/0/0] port default vlan 100
[Router-Ethernet2/0/0] quit
[Router] interface vlanif 100
[Router-Vlanif100] ip address 202.169.10.1 255.255.255.0
[Router-Vlanif100] zone company
[Router-Vlanif100] quit

# Configure a zone on the external network.
[Router] firewall zone external
[Router-zone-external] priority 5
[Router-zone-external] quit

# Add GigabitEthernet 1/0/0 to the zone external.
[Router] interface gigabitethernet 1/0/0
[Router-gigabitethernet1/0/0] ip address 129.39.10.8 255.255.255.0
[Router-gigabitethernet1/0/0] zone external
[Router-gigabitethernet1/0/0] quit

Step 2 Configure an interzone.
[Router] firewall interzone company external
[Router-interzone-company-external] firewall enable
[Router-interzone-company-external] quit

Step 3 Configure ACL 3001.

# Create ACL 3001.
[Router] acl 3001

# Configure a rule in ACL 3001 to allow specified users to access internal servers.
[Router-acl-adv-3001] rule permit tcp source 202.39.2.3 0.0.0.0 destination
202.169.10.5 0.0.0.0
[Router-acl-adv-3001] rule permit tcp source 202.39.2.3 0.0.0.0 destination
202.169.10.6 0.0.0.0
[Router-acl-adv-3001] rule permit tcp source 202.39.2.3 0.0.0.0 destination
202.169.10.7 0.0.0.0

# Configure a rule in ACL 3001 to prevent other users from accessing any host of the enterprise.
[Router-acl-adv-3001] rule deny ip
[Router-acl-adv-3001] quit

Step 4 Configure ACL 3002.

# Create ACL 3002.
[Router] acl 3002

# Configure a rule in ACL 3002 to allow internal servers to access the external network.
[Router-acl-adv-3002] rule permit ip source 202.169.10.5 0.0.0.0
[Router-acl-adv-3002] rule permit ip source 202.169.10.6 0.0.0.0
[Router-acl-adv-3002] rule permit ip source 202.169.10.7 0.0.0.0

# Configure a rule in ACL 3002 to prevent other users of the enterprise from accessing the
external network.
[Router-acl-adv-3002] rule deny ip
[Router-acl-adv-3002] quit

Step 5 Configure ACL-based packet filtering in the interzone.
[Router] firewall interzone company external
[Router-interzone-company-external] packet-filter 3001 inbound
[Router-interzone-company-external] packet-filter 3002 outbound
[Router-interzone-company-external] quit

Step 6 Verify the configuration.

After the configuration is complete, only the host at 202.39.2.3 can access internal servers and
only internal servers can access the external network.
Run the display firewall interzone [ zone-name1 zone-name2 ] command on the Router. The
result is as follows:
[Router] display firewall interzone company external
interzone company external
firewall enable
packet-filter default deny inbound
packet-filter default permit outbound
packet-filter 3001 inbound
packet-filter 3002 outbound

----End

Configuration Files
# Configuration file of the Router
#
sysname Router
#
vlan batch 100
#
acl number 3001
rule 5 permit tcp source 202.39.2.3 0.0.0.0 destination 202.169.10.5 0.0.0.0
rule 10 permit tcp source 202.39.2.3 0.0.0.0 destination 202.169.10.6 0.0.0.0
rule 15 permit tcp source 202.39.2.3 0.0.0.0 destination 202.169.10.7 0.0.0.0
rule 20 deny ip
#
acl number 3002
rule 5 permit ip source 202.169.10.5 0.0.0.0
rule 10 permit ip source 202.169.10.6 0.0.0.0
rule 15 permit ip source 202.169.10.7 0.0.0.0
rule 20 deny ip
#


interface Vlanif100
ip address 202.169.10.1 255.255.255.0
zone company
#
firewall zone company
priority 12
#
firewall zone external
priority 5
#
firewall interzone company external
firewall enable
packet-filter 3001 inbound
packet-filter 3002 outbound
#
interface Ethernet2/0/0
port link-type access
port default vlan 100
#
interface GigabitEthernet1/0/0
ip address 129.39.10.8 255.255.255.0
zone external
#
return

4.7.4 Example for Using a Layer 2 ACL to Configure a Traffic Classifier

Networking Requirements
As shown in Figure 4-8, the Router that functions as the gateway is connected to PCs. ACL
needs to be configured to prevent the packets with the source MAC address 00e0-f201-0101 and
the destination MAC address 0260-e207-0002 from passing through.

Figure 4-8 Using a Layer 2 ACL to configure a traffic classifier
(figure not reproduced: PC1 and PC2, the latter with MAC address 00e0-f201-0101, attach to the Router on
GE2/0/0; the Router reaches the IP network through GE1/0/0)

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure an ACL.
2. Configure a traffic classifier.
3. Configure a traffic behavior.
4. Configure a traffic policy.
5. Apply the traffic policy to an interface.

Procedure
Step 1 Configure an ACL.
# Configure a Layer 2 ACL.
<Huawei> system-view
[Huawei] acl 4000
[Huawei-acl-L2-4000] rule deny source-mac 00e0-f201-0101 ffff-ffff-ffff
destination-mac 0260-e207-0002 ffff-ffff-ffff
[Huawei-acl-L2-4000] quit

Step 2 Configure the traffic classifier that is based on the ACL.

# Configure the traffic classifier tc1 to classify packets that match ACL 4000.
[Huawei] traffic classifier tc1
[Huawei-classifier-tc1] if-match acl 4000
[Huawei-classifier-tc1] quit

Step 3 Configure the traffic behavior.

# Configure the traffic behavior tb1 to reject packets.
[Huawei] traffic behavior tb1
[Huawei-behavior-tb1] deny
[Huawei-behavior-tb1] quit

Step 4 Configure the traffic policy.

# Configure the traffic policy tp1 and associate tc1 and tb1 with the traffic policy.
[Huawei] traffic policy tp1
[Huawei-trafficpolicy-tp1] classifier tc1 behavior tb1
[Huawei-trafficpolicy-tp1] quit

Step 5 Apply the traffic policy.

# Apply the traffic policy tp1 to GE 2/0/0.
[Huawei] interface gigabitethernet 2/0/0
[Huawei-GigabitEthernet2/0/0] traffic-policy tp1 inbound
[Huawei-GigabitEthernet2/0/0] quit

Step 6 Verify the configuration.

# Check the configuration of ACL rules.
[Huawei] display acl 4000
L2 ACL 4000, 1 rule
Acl's step is 5
rule 5 deny destination-mac 0260-e207-0002 source-mac 00e0-f201-0101

# Check the configuration of the traffic classifier.
[Huawei] display traffic classifier user-defined
User Defined Classifier Information:
Classifier: tc1
Operator: OR
Rule(s) :
if-match acl 4000

# Check the configuration of the traffic policy.
[Huawei] display traffic policy user-defined tp1
User Defined Traffic Policy Information:
Policy: tp1
Classifier: tc1
Operator: OR
Behavior: tb1
Deny

----End

Configuration Files
#
acl number 4000
rule 5 deny destination-mac 0260-e207-0002 source-mac 00e0-f201-0101
#
traffic classifier tc1 operator or
if-match acl 4000
#
traffic behavior tb1
deny
#
traffic policy tp1
classifier tc1 behavior tb1
#
interface GigabitEthernet2/0/0
traffic-policy tp1 inbound
#
return

4.7.5 Example for Using an ACL6 to Configure a Traffic Classifier

Networking Requirements
As shown in Figure 4-9, RouterA and RouterB are connected through GE interfaces. An ACL6
needs to be configured on RouterA to deny the IPv6 packets with source IP address 3001::2/64
on GE 1/0/0.

Figure 4-9 Configuring ACL6 to filter IPv6 packets
(figure not reproduced: RouterA GE1/0/0 3001::1/64 connects to RouterB GE1/0/0 3001::2/64; RouterB
also has Loopback2 3002::2/64)

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure an ACL6.
2. Configure a traffic classifier.
3. Configure a traffic behavior.
4. Configure a traffic policy.
5. Apply the traffic policy to an interface.


Procedure
Step 1 Enable IPv6 forwarding capability on RouterA and RouterB, and set the parameters for the
interfaces.

# Configure RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ipv6
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ipv6 enable
[RouterA-GigabitEthernet1/0/0] ipv6 address 3001::1 64
[RouterA-GigabitEthernet1/0/0] quit

# Configure a static route on RouterA.
[RouterA] ipv6 route-static 3002:: 64 3001::2

# Configure RouterB.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] ipv6
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ipv6 enable
[RouterB-GigabitEthernet1/0/0] ipv6 address 3001::2 64
[RouterB-GigabitEthernet1/0/0] quit

Step 2 Create an ACL6 rule and apply the rule to the interface to deny the IPv6 packets from 3001::2.

# Configure RouterA.
[RouterA] acl ipv6 number 3001
[RouterA-acl6-adv-3001] rule deny ipv6 source 3001::2/64
[RouterA-acl6-adv-3001] quit
[RouterA] traffic classifier class1
[RouterA-classifier-class1] if-match ipv6 acl 3001
[RouterA-classifier-class1] quit
[RouterA] traffic behavior behav1
[RouterA-behavior-behav1] deny
[RouterA-behavior-behav1] quit
[RouterA] traffic policy policy1
[RouterA-trafficpolicy-policy1] classifier class1 behavior behav1
[RouterA-trafficpolicy-policy1] quit
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] traffic-policy policy1 inbound
[RouterA-GigabitEthernet1/0/0] quit

Step 3 Verify the configuration.

# Check the configuration of ACL6 rules.
[RouterA] display acl ipv6 3001
Advanced IPv6 ACL 3001, 1 rule
Acl's step is 5
rule 0 deny ipv6 source 3001::2/64

# Check the configuration of the traffic classifier.
[RouterA] display traffic classifier user-defined
User Defined Classifier Information:
Classifier: class1
Operator: OR
Rule(s) :
if-match ipv6 acl 3001

# Check the configuration of the traffic policy.
[RouterA] display traffic policy user-defined
User Defined Traffic Policy Information:
Policy: policy1
Classifier: class1
Operator: OR
Behavior: behav1
Deny

----End

Configuration Files
l Configuration file of RouterA
#
sysname RouterA
#
acl ipv6 number 3001
rule 0 deny ipv6 source 3001::2/64
#
ipv6
#
traffic classifier class1 operator or
if-match ipv6 acl 3001
#
traffic behavior behav1
deny
#
traffic policy policy1
classifier class1 behavior behav1
#
interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address 3001::1/64
traffic-policy policy1 inbound
#
ipv6 route-static 3002:: 64 3001::2
#
return

l Configuration file of RouterB
#
sysname RouterB
#
ipv6
#
interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address 3001::2/64
#
return

4.8 FAQ

4.8.1 How Do I Control Access Through Specific Source or Destination Addresses?

You can configure access control lists (ACLs) to match source or destination addresses. For
example, under the following configuration, the host at 10.1.1.1 can only access hosts on the
10.1.1.18/26 network segment.
<Huawei> system-view
[Huawei] acl 3000
[Huawei-acl-adv-3000] rule permit ip source 10.1.1.1 0 destination 10.1.1.18
0.0.0.63
[Huawei-acl-adv-3000] rule deny ip source 10.1.1.1 0

The ACL takes effect only when a traffic policy references it: bind the ACL to a traffic
classifier, use a traffic behavior whose action is permit, and apply the policy to the interface.
For the configuration of traffic classifiers, behaviors, and policies, see Traffic Policy
Configuration in the AR Configuration Guide - QoS.

4.8.2 How Do I Restrict the Period During Which Users Can Access
Specific Networks?
You can define access control lists (ACLs) with time ranges. For example, with the following
configuration, users cannot access 2.2.2.0/24 from 00:00 to 08:00 daily. A rule with a time range
is active only while the device clock is within that range, so make sure the system time is
correct (for example, by configuring NTP) before relying on it.
<Huawei> system-view
[Huawei] time-range wb 00:00 to 08:00 daily
[Huawei] acl number 3000
[Huawei-acl-adv-3000] rule deny ip destination 2.2.2.0 0.0.0.255 time-range wb
[Huawei-acl-adv-3000] rule permit ip

As in the preceding example, the ACL must be referenced by a traffic classifier, behavior, and
policy to take effect. See Traffic Policy Configuration in the AR Configuration Guide - QoS.
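Both FAQ entries depend on matching behaviour that is easy to get wrong: a wildcard mask ignores
the low bits of the address written in the rule, and a rule with a time range simply stops
matching outside that range. The following Python model is an added example, not code from this
guide or from Huawei's VRP. It models only the address and time-range matching of the two ACLs
above (no protocol or port fields), assumes rules are evaluated in configuration order, and takes
the clock value from the caller rather than from the system.

```python
import ipaddress
from datetime import datetime, time


def _int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, rule_addr, wildcard):
    """Huawei wildcard semantics: a 1 bit in the wildcard is a don't-care bit.
    '10.1.1.18 0.0.0.63' therefore compares only the upper 26 bits."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(rule_addr) & care)


def wildcard_range(rule_addr, wildcard):
    """The block of addresses a rule really covers; the low bits of rule_addr are ignored."""
    w = _int(wildcard)
    lo = _int(rule_addr) & ~w & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(lo | w))


class Rule:
    def __init__(self, action, src=None, dst=None, time_range=None):
        self.action = action          # 'permit' or 'deny'
        self.src = src                # (address, wildcard), None = any source
        self.dst = dst                # (address, wildcard), None = any destination
        self.time_range = time_range  # (start, end) applied daily, None = always active

    def matches(self, src, dst, now):
        if self.time_range is not None:
            start, end = self.time_range
            if not (start <= now.time() < end):
                return False          # outside its time range the rule does not exist
        if self.src is not None and not wildcard_match(src, *self.src):
            return False
        if self.dst is not None and not wildcard_match(dst, *self.dst):
            return False
        return True


def acl_lookup(rules, src, dst, now):
    """Rules are tried in rule-ID (configuration) order and the first match decides.
    None means no rule matched; what happens then depends on the referencing feature (4.8.3)."""
    for rule in rules:
        if rule.matches(src, dst, now):
            return rule.action
    return None


# ACL 3000 from 4.8.1: 10.1.1.1 may reach only the /26 that contains 10.1.1.18
ACL_SRC_DST = [
    Rule('permit', src=('10.1.1.1', '0.0.0.0'), dst=('10.1.1.18', '0.0.0.63')),
    Rule('deny', src=('10.1.1.1', '0.0.0.0')),
]

# ACL 3000 from 4.8.2: time-range wb 00:00 to 08:00 daily blocks 2.2.2.0/24
ACL_TIME = [
    Rule('deny', dst=('2.2.2.0', '0.0.0.255'), time_range=(time(0, 0), time(8, 0))),
    Rule('permit'),
]


def lookup_at(rules, src, dst, hour, minute=0):
    """Evaluate an ACL as if the device clock read hour:minute (the date is irrelevant for daily ranges)."""
    return acl_lookup(rules, src, dst, datetime(2014, 1, 16, hour, minute))


if __name__ == '__main__':
    print('10.1.1.18 0.0.0.63 covers', wildcard_range('10.1.1.18', '0.0.0.63'))
    print('10.1.1.1 -> 10.1.1.5 :', lookup_at(ACL_SRC_DST, '10.1.1.1', '10.1.1.5', 12))
    print('10.1.1.1 -> 10.1.1.64:', lookup_at(ACL_SRC_DST, '10.1.1.1', '10.1.1.64', 12))
    print('-> 2.2.2.7 at 03:00  :', lookup_at(ACL_TIME, '10.1.1.1', '2.2.2.7', 3))
    print('-> 2.2.2.7 at 09:00  :', lookup_at(ACL_TIME, '10.1.1.1', '2.2.2.7', 9))
```

The lookup for 10.1.1.5 returns permit even though 5 is below the 18 written in the rule, which is
the point of checking wildcard_range before deploying a rule. A host other than 10.1.1.1 matches
neither rule and gets None; the feature that references the ACL decides what that means.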

4.8.3 How Are Packets Processed When Different Features Reference ACLs?
The action taken on a packet depends not only on the rule it matches but also on the feature that
references the ACL. In particular, "no rule matched" is handled differently by each feature, and
a blacklist ignores the permit/deny keyword altogether. The processing methods are as follows.

Feature              Processing Method

Basic Configuration  - FTP: an FTP connection is established if the packets match a permit
                       rule. No FTP connection can be established if the packets match a deny
                       rule or match no rule.
                     - Telnet: a Telnet connection is established if the packets match a permit
                       rule. No Telnet connection can be established if the packets match a deny
                       rule or match no rule.

IP Service           When an ACL is referenced in NAT, the system translates the source
                     addresses of packets that match a rule with the permit action. Packets that
                     match no rule or match a rule with the deny action are forwarded without
                     translation.

QoS                  When an ACL is referenced in a traffic policy, the system processes packets
                     according to the rules they match. If a packet matches a rule with the permit
                     action, the system processes the packet according to the traffic behavior.
                     If a packet matches a rule with the deny action, the system drops the packet
                     directly. Packets that match no rule in the ACL are forwarded normally.

Security             - Firewall
                       When ACL-based packet filtering references an ACL, the AR router forwards
                       packets matching permit rules, discards packets matching deny rules, and
                       applies the default filtering action to packets matching no rule.
                       When port mapping references an ACL, the AR router maps packets matching
                       permit rules, and does not map packets matching deny rules or no rule.
                       When session logging references an ACL, the AR router records logs for
                       packets matching permit rules, and does not record logs for packets
                       matching deny rules or no rule.
                     - Local attack defense
                       When a blacklist references an ACL, the ACL only identifies the sources to
                       block: the AR router discards packets matching either permit or deny
                       rules, and forwards packets that match no rule.

4.9 References
This section lists the references of this chapter.

Document     Description                                                       Remarks
RFC 4314     Defines several new access control rights and clarifies which     -
             rights are required for different IMAP (Internet Message Access
             Protocol) commands.

5 Firewall Configuration

5 Firewall Configuration

About This Chapter

The attack defense system protects an internal network against attacks from external networks;
therefore, firewalls are generally deployed between the internal and external networks.

5.1 Overview
This section describes the definition, background, and functions of firewall.

5.2 Principles
This section describes the implementation of firewall.

5.3 Applications
This section describes the applicable scenario of firewall.

5.4 Default Configuration
This section describes the firewall default configuration. You can change the configuration based
on the site requirements.

5.5 Configuring firewall
This section describes the firewall configuration procedure.

5.6 Maintaining the Firewall
Firewall maintenance includes displaying the firewall configuration and clearing firewall
statistics.

5.7 Configuration Examples
This section provides several firewall configuration examples.

5.8 FAQ
This section lists the FAQs on the firewall.

5.9 References
This section provides the firewall-related RFC recommendations.

5.1 Overview
This section describes the definition, background, and functions of the firewall.

Definition
A firewall separates an internal network from external networks to protect the internal network
from unauthorized access.

Purpose
A firewall provides the following functions:
- Prevents threats on external networks from spreading to internal networks.
- Protects devices and key resources on internal networks.
- Controls internal users' access to external networks.

5.2 Principles
This section describes the implementation of firewall.

5.2.1 Security Zone and Interzone


Security Zone
Firewall functions are implemented based on security zones and interzones.
A security zone (zone for short) is an interface or a group of interfaces with the same security
attributes. Each zone has a globally unique security priority.
The firewall considers data flows transmitted within a zone reliable and implements no security
policy for these data flows. It checks security and implements security policies for data flows
transmitted from one zone to another.

Interzone
Any two zones form an interzone, which has an independent interzone view. Most firewall
configurations are performed in the interzone view.
For example, zone1 and zone2 form an interzone. You can configure an ACL-based packet filter
in the interzone view to filter data flows transmitted between zone1 and zone2.
After the firewall is enabled in an interzone, when a user in the high-priority zone connects to
the low-priority zone, the firewall records information from the request packet, such as the IP
addresses and the VPN instance, and generates a session. When the response packet arrives, the
firewall checks it against the session table; because the packet information has already been
recorded there, the response is allowed to pass. By default, a user in the low-priority zone
cannot initiate a connection to the high-priority zone. To allow internal users to access the
external network while preventing external users from accessing the internal network, configure
the internal network as a high-priority zone and the external network as a low-priority zone.

Advantages of the Zone-based Firewall

On traditional switches and routers, policies are configured on inbound or outbound interfaces.
As firewall technology has developed, a firewall now controls communication among an internal
network, an external network, and a demilitarized zone (DMZ). Interface-based policy
configuration increases the workload of the network administrator, and incorrect configurations
create security risks.

Some firewalls support only global security policy configuration. This method does not allow
different security policies on different interfaces or zones, which limits the application of
such firewalls.

Compared with interface-based and global configuration, zone-based firewall configuration adds
groups of interfaces to security zones and applies security policies to the zones, which
simplifies configuration while maintaining flexibility. Zone-based configuration reduces the
workload of the network administrator and allows different security policies to be applied in
complex networking.

5.2.2 Firewall Working Mode

To improve networking flexibility, the working mode is defined per interface rather than for the
entire device. An interface supports the following mode.

Routed Mode
The device is located between the internal network and the external network. The interfaces
connecting to the internal network and the external network are assigned IP addresses on
different network segments, so deploying the device in this mode requires changes to the
network topology (addressing).

As shown in Figure 5-1, two zones are configured on the device, the Trust zone and the Untrust
zone. The interface in the Trust zone is connected to the internal network, and the interface in
the Untrust zone is connected to the external network.

Note that the interfaces in the Trust zone and the Untrust zone are located in different subnets.

Figure 5-1 Networking diagram of routed mode
[Internal network (PCs, servers, LAN) - Trust zone interface 202.10.1.1/24 - Firewall - Untrust
zone interface 202.10.0.1/24 - Internet (external network PCs, servers)]

When forwarding packets among the interfaces in Layer 3 zones, the device searches the routing
table according to IP addresses of packets. The device is similar to a router in this case. However,
unlike a router, the device filters the packets and determines whether to allow them to pass
according to the session table or ACL rules. In addition, the firewall takes other attack defense
measures.


5.2.3 Packet Filtering Firewall


A packet filtering firewall uses access control lists (ACLs) to filter packets based on the upper-
layer protocol ID, source and destination IP addresses, source and destination port numbers, and
packet transmission direction.

When receiving an IP datagram, the firewall obtains the packet header, and then compares the
packet header information with the ACL rules to determine whether to forward or discard the IP
datagram. Figure 5-2 shows how packet filtering is implemented on the firewall.

Figure 5-2 Packet filtering firewall
[A packet from the external network to the internal network passes the router and then the
firewall. Packet structure: IP header | TCP/UDP header | DATA. The IP header is checked for the
source and destination addresses and the upper-layer protocol number; the TCP/UDP header is
checked for the source and destination port numbers.]

Packet Filtering Firewall on the Device


The device supports packet filtering firewall and can filter the following packets:
- Common IP packets: The firewall checks the source and destination IP addresses, source
  and destination port numbers, and protocol IDs of IP packets against an ACL. It forwards
  the packets permitted by the ACL and discards the packets denied by the ACL. The
  information that the firewall checks is contained in the IP, TCP, or UDP header.
- Fragmented packets: The firewall identifies the packet type, namely non-fragment packets,
  initial fragments, and non-initial fragments.
  When receiving the initial fragment of a packet, the firewall compares the Layer 3 and Layer
  4 information of the initial fragment with the ACL. If the fragment is permitted by the ACL,
  the firewall records information about this fragment and creates a matching-table entry for
  the following fragments. Non-initial fragments carry no Layer 4 header, so when they arrive
  the firewall forwards them according to the matching table rather than the ACL.
In addition, the firewall has a default action for packets that do not match any ACL rule. The
default action is configurable.
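The fragment handling above is the part of packet filtering most often overlooked: non-initial
fragments carry no TCP/UDP header, so a filter that applies the ACL to every packet either drops
all of them or lets all of them through. The following Python model is an added example, not the
device's implementation. It uses a small hypothetical ACL for a web server at 10.1.1.10 and
constructed packets, and shows how the matching table and the configurable default action decide
the fate of each fragment.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # 'tcp', 'udp' or 'icmp'
    ip_id: int = 0             # IP Identification, shared by all fragments of one datagram
    frag_offset: int = 0       # in 8-byte units, as on the wire
    more_frags: bool = False   # MF flag
    sport: int = 0             # Layer 4 fields are only meaningful when frag_offset == 0
    dport: int = 0

    def kind(self):
        if self.frag_offset == 0 and not self.more_frags:
            return 'non-fragment'
        if self.frag_offset == 0:
            return 'initial-fragment'
        return 'non-initial-fragment'


class PacketFilter:
    def __init__(self, acl, default_permit=False):
        self.acl = acl                        # callable(pkt) -> 'permit', 'deny' or None
        self.default_permit = default_permit  # the configurable action for no-match packets
        self.frag_table = {}                  # (src, dst, proto, ip_id) -> permitted

    def filter(self, pkt):
        key = (pkt.src, pkt.dst, pkt.proto, pkt.ip_id)
        kind = pkt.kind()
        if kind == 'non-initial-fragment':
            # No Layer 4 header here, so the ACL cannot be applied; rely on the entry
            # recorded when the permitted initial fragment went through.
            if key in self.frag_table:
                if not pkt.more_frags:
                    del self.frag_table[key]  # last fragment seen, entry no longer needed
                return 'forward'
            return 'forward' if self.default_permit else 'drop'
        action = self.acl(pkt)
        if action is None:
            action = 'permit' if self.default_permit else 'deny'
        decision = 'forward' if action == 'permit' else 'drop'
        if kind == 'initial-fragment' and decision == 'forward':
            self.frag_table[key] = True
        return decision


def web_only_acl(pkt):
    """Hypothetical ACL: permit TCP/80 to the web server, deny anything else to it,
    and have no rule at all for other hosts."""
    if pkt.proto == 'tcp' and pkt.dst == '10.1.1.10' and pkt.dport == 80:
        return 'permit'
    if pkt.dst == '10.1.1.10':
        return 'deny'
    return None


def run_demo(default_permit=False):
    """Decisions for a constructed packet sequence; compare default deny with default permit."""
    fw = PacketFilter(web_only_acl, default_permit)
    attacker, web = '203.0.113.5', '10.1.1.10'
    pkts = [
        Packet(attacker, web, 'tcp', ip_id=7, more_frags=True, sport=40000, dport=80),  # initial, permitted
        Packet(attacker, web, 'tcp', ip_id=7, frag_offset=185),                          # tail of id 7
        Packet(attacker, web, 'tcp', ip_id=99, frag_offset=185),                         # orphan fragment
        Packet(attacker, web, 'tcp', ip_id=8, more_frags=True, sport=40001, dport=22),  # initial, denied
        Packet(attacker, web, 'tcp', ip_id=8, frag_offset=185),                          # tail of id 8
        Packet(attacker, '10.1.1.11', 'udp', sport=5000, dport=53),                      # no rule matches
    ]
    return [fw.filter(p) for p in pkts]


if __name__ == '__main__':
    print('default deny  :', run_demo(False))
    print('default permit:', run_demo(True))
```

With the default action set to permit, the orphan fragment and the tail of the denied datagram both
get through, because neither has an entry in the matching table and neither can be checked against
the ACL. That is the practical reason to keep the default at deny on an interface facing an
untrusted zone.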

5.2.4 Stateful Firewall


A packet filtering firewall is a static firewall and has the following problems:

- Some security policies cannot be configured for multi-channel application-layer protocols
  such as FTP and SIP.
- Some attacks (such as TCP SYN and Java Applets) from the transport and application layers
  cannot be detected.
- ICMP attacks cannot be prevented because bogus ICMP error packets cannot be identified.
- The first packet of a TCP connection must be a SYN packet. If the first packet of a TCP
  connection is not a SYN packet, the packet is discarded. When a firewall device is inserted
  into a network for the first time, the non-first packets of existing TCP connections that pass
  through the new firewall are all discarded, and those TCP connections are torn down.

Application specific packet filter (ASPF), a stateful firewall, is introduced to solve the preceding
problems. ASPF can detect attacks related to the following protocols:

- Application-layer protocols, including File Transfer Protocol (FTP), Hypertext Transfer
  Protocol (HTTP), Session Initiation Protocol (SIP), and Real Time Streaming Protocol
  (RTSP)
- Transport-layer protocols, including TCP and UDP

ASPF Functions
Major functions:

- Checks application-layer protocol information, such as the protocol type and port number,
  and monitors the connection-based application-layer protocol status. ASPF maintains status
  information for each connection and uses it to determine whether to forward or discard data
  packets.
- Checks transport-layer protocol information and determines whether to forward or discard
  TCP or UDP packets based on the source IP address, destination IP address, and port
  numbers.

Additional functions:

- Checks the contents of application-layer packets.
- Checks the first packet of a TCP connection.
- Filters ICMP error packets. An ICMP error packet carries information about a connection.
  If the information in an ICMP error packet matches no connection, ASPF determines whether
  to discard the packet based on the current configuration.

The ASPF function and the packet filtering firewall can be used together on network edges to
provide more comprehensive security policies on an enterprise's internal network.

Basic Concepts of ASPF

- Single-channel protocol
  A single-channel protocol uses only one channel for all exchanges from session setup to
  deletion. An example is HTTP.
- Multi-channel protocol
  A multi-channel protocol uses a control channel to exchange control information and one or
  more separate data channels to exchange data. Examples are FTP and RTSP.

Basic Principle of Application-Layer Protocol Detection

Figure 5-3 Basic principle of application-layer protocol detection
[Client A and Client B on the LAN (Trust zone) - Firewall - Internet (Untrust zone) - Server.
User A initiates a session; the reply packet in response to that session is allowed to pass
through, while packets of other sessions are blocked.]

As shown in Figure 5-3, an ACL is configured on the device to allow internal hosts to access
external networks but reject access from external networks, which ensures internal network
security. However, the ACL will filter out reply packets sent in response to connection requests,
leading to connection failures.

After application-layer protocol detection is configured on the router, ASPF monitors each
application-layer session and creates a status entry and a temporary access control list (TACL).
1. ASPF creates a status entry when it detects the first packet sent to an external network. The
   status entry records the state of the session at any given time and is used to check that
   state transitions are valid.
2. A TACL is created together with the status entry and is deleted after the session is
   disconnected. A TACL is an extended permit item of the ACL. It matches all reply packets
   of the session and sets up a temporary return channel on the external interface of the
   firewall for those reply packets.

The following uses FTP as an example to describe the multi-channel protocol detection process.

Figure 5-4 FTP detection process
[FTP client port 1333 <-> FTP server port 21: control channel connection carrying FTP commands
and responses. FTP server port 20 -> FTP client port 1600: data channel connection.]

Figure 5-4 shows the FTP connection setup process. Assume that the FTP client uses port 1333
to initiate an FTP control channel connection to port 21 on the FTP server. After negotiation,
the FTP server uses port 20 to initiate a data channel connection to port 1600 on the FTP client.
If data transmission times out or ends, the connections are deleted.

The FTP detection process is as follows:


1. Check whether IP packets sent from the outbound interface are TCP-based FTP packets.
2. Check the port number and verify that the connection is a control connection. Create a
status entry and TACL for the reply packets.
3. Check FTP control connection packets, resolve FTP commands, and update the status entry
based on the commands. If there is a data channel setup command, create a TACL for the
data connection. The firewall does not perform status detection on data connections.
4. Perform matching check on reply packets based on the protocol type. Determine whether
to allow reply packets to pass based on the status entry and TACL.
5. Delete the status entry and TACL when the FTP connection is deleted.

The process for detecting single-channel application layer protocols is simple. When a
connection is initiated, the firewall creates a TACL. When the connection is deleted, the firewall
deletes the TACL.

Basic Principle of Transport-Layer Protocol Detection


Transport-layer protocol detection is common TCP/UDP detection. Different from application-
layer protocol detection, transport-layer protocol detection checks transport-layer information
in packets, such as the source address, destination address, and port number. In common TCP/
UDP detection, reply packets returned to the external interface of ASPF must exactly match the
packet sent from the interface. That is, the source address, destination address, source port and
destination port of the reply packet must be the same as the destination address, source address,
destination port, and source port of the packet sent from the interface. Otherwise, reply packets
are rejected. If you configure TCP detection without application-layer protocol detection for
multi-channel application layer protocols (such as FTP), data connections cannot be set up.
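The session, TACL and first-packet rules described in 5.2.1 and 5.2.4 fit in a short model. The
following Python code is an added example, not the device's ASPF implementation. The zone names
and priorities, the port-to-application table (which stands in for the port mapping described in
5.2.7) and the addresses are assumptions, and only the active-mode FTP PORT command is parsed. It
walks through the Figure 5-4 exchange and then checks that a stray inbound SYN, a non-SYN first
packet and an ICMP error for an unknown flow are all refused.

```python
import re

ZONE_PRIORITY = {'trust': 100, 'untrust': 10}   # higher value = more trusted (assumed numbers)
PORT_MAP = {21: 'ftp', 2121: 'ftp'}              # port mapping (5.2.7): which TCP ports carry FTP


class Packet:
    def __init__(self, proto, src, sport, dst, dport, flags='', payload=b'', icmp_inner=None):
        self.proto, self.src, self.sport, self.dst, self.dport = proto, src, sport, dst, dport
        self.flags = flags              # TCP flags, e.g. 'S', 'SA', 'A'
        self.payload = payload          # application data (FTP commands in this example)
        self.icmp_inner = icmp_inner    # for ICMP errors: 5-tuple of the packet that caused it

    def tuple(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse(self):
        return (self.proto, self.dst, self.dport, self.src, self.sport)


class StatefulFirewall:
    def __init__(self):
        self.sessions = {}     # initiator 5-tuple -> application name
        self.pinholes = set()  # TACL entries: (proto, src, sport or None, dst, dport)

    def process(self, pkt, from_zone, to_zone):
        t = pkt.tuple()
        if from_zone == to_zone:
            return 'permit'                    # intra-zone traffic is trusted, no policy applied
        # 1. Both directions of an existing session pass (exact reversed 5-tuple for replies)
        if t in self.sessions:
            self._inspect(pkt, t)
            return 'permit'
        if pkt.reverse() in self.sessions:
            return 'permit'
        # 2. ICMP errors pass only if the embedded 5-tuple belongs to a live session
        if pkt.proto == 'icmp' and pkt.icmp_inner is not None:
            p, s, sp, d, dp = pkt.icmp_inner
            known = pkt.icmp_inner in self.sessions or (p, d, dp, s, sp) in self.sessions
            return 'permit' if known else 'deny'
        # 3. A data connection predicted by ASPF (TACL) opens a temporary return channel
        hole = self._pinhole_hit(pkt)
        if hole is not None:
            self.pinholes.discard(hole)       # one-shot: consumed by the first matching SYN
            self.sessions[t] = 'ftp-data'
            return 'permit'
        # 4. A new TCP connection must begin with a bare SYN
        if pkt.proto == 'tcp' and pkt.flags != 'S':
            return 'deny'
        # 5. Only the higher-priority zone may initiate a session
        if ZONE_PRIORITY[from_zone] <= ZONE_PRIORITY[to_zone]:
            return 'deny'
        self.sessions[t] = PORT_MAP.get(pkt.dport, pkt.proto) if pkt.proto == 'tcp' else pkt.proto
        return 'permit'

    def _pinhole_hit(self, pkt):
        for hole in self.pinholes:
            proto, src, sport, dst, dport = hole
            if (proto, src, dst, dport) == (pkt.proto, pkt.src, pkt.dst, pkt.dport) \
                    and sport in (None, pkt.sport):
                return hole
        return None

    def _inspect(self, pkt, t):
        """Application-layer detection on the FTP control channel: a PORT command announces
        the client port the server will connect to from port 20, so pre-open that path."""
        if self.sessions.get(t) != 'ftp':
            return
        m = re.match(rb'PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)', pkt.payload)
        if m:
            h = m.groups()
            client_ip = '.'.join(x.decode() for x in h[:4])
            data_port = int(h[4]) * 256 + int(h[5])
            self.pinholes.add(('tcp', pkt.dst, 20, client_ip, data_port))


def run_ftp_demo():
    """The active-mode FTP exchange of Figure 5-4 plus a few packets that must be refused."""
    fw, out = StatefulFirewall(), []
    client, server = '10.1.1.100', '203.0.113.7'   # constructed addresses
    out.append(fw.process(Packet('tcp', client, 1333, server, 21, 'S'), 'trust', 'untrust'))
    out.append(fw.process(Packet('tcp', server, 21, client, 1333, 'SA'), 'untrust', 'trust'))
    out.append(fw.process(Packet('tcp', client, 1333, server, 21, 'A',
                                 b'PORT 10,1,1,100,6,64\r\n'), 'trust', 'untrust'))   # 6*256+64 = 1600
    out.append(fw.process(Packet('tcp', server, 20, client, 1600, 'S'), 'untrust', 'trust'))  # data channel
    out.append(fw.process(Packet('tcp', server, 20, client, 1601, 'S'), 'untrust', 'trust'))  # no pinhole
    out.append(fw.process(Packet('tcp', client, 5000, server, 80, 'A'), 'trust', 'untrust'))  # non-SYN first packet
    out.append(fw.process(Packet('icmp', server, 0, client, 0,
                                 icmp_inner=('tcp', client, 1333, server, 21)), 'untrust', 'trust'))
    out.append(fw.process(Packet('icmp', server, 0, client, 0,
                                 icmp_inner=('tcp', client, 9999, server, 21)), 'untrust', 'trust'))
    return out


if __name__ == '__main__':
    print(run_ftp_demo())
```

Without the _inspect step the fourth packet, the server's SYN from port 20 to port 1600, would be
refused at step 5 because it originates in the low-priority zone; this is exactly the failure the
text describes when TCP detection is configured without application-layer detection for FTP.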

5.2.5 Blacklist
A blacklist filters packets based on source VPNs and source IP addresses. Compared with ACLs,
the blacklist uses simpler matching rules and therefore can filter packets at a higher speed. The
blacklist can effectively block the packets sent from specific IP addresses. Blacklist entries can
be manually configured or dynamically generated.

As shown in Figure 5-5, the IP address of user B is in the blacklist, so packets from user B are
discarded by the firewall.

Figure 5-5 Blacklist
[User A (1.1.1.1/24, VPN 1) and User B (2.2.2.2/24, VPN 2) send packets to the Firewall in front
of the internal network. The blacklist contains the entry "VPN2 2.2.2.2", so User B's packets are
discarded while User A's packets are forwarded.]

Blacklist Features Supported by the Device


You add entries to the blacklist manually. In addition, if the device detects an IP sweeping
attack or port scanning attack, it adds the attacking source IP address to the blacklist. All the
packets from this IP address are then rejected for a certain period. You can set an aging time
for entries in the blacklist.

The firewall discards all the packets from the blacklisted IP addresses no matter whether the
packets are permitted by the ACL.

You can export entries in a blacklist to a file or import entries to a blacklist from a file.

5.2.6 Whitelist
IP addresses in the whitelist will not be added to the blacklist statically or dynamically. An entry
in the whitelist is represented by a source VPN and a source IP address, and must be manually
configured.

If valid service packets sent from some devices are similar to IP sweeping attack or port scanning
attack packets, you can add these devices to the whitelist so that packets sent from the devices
will not be discarded by the firewall.

Functions of Whitelist
If you add the VPN or IP address of a host to the whitelist, the firewall does not check packets
sent from the host for IP sweeping or port scanning attack, and does not add the IP address of
the host to the blacklist.

Whitelist Features Supported by the Device


After receiving a packet, the device checks whether the packet is sent from an IP address in the
whitelist. If the packet is sent from an IP address in the whitelist, the device does not check the
packet for IP sweeping or port scanning attack, or add the IP address to the blacklist. However,
the device still performs other security checks, such as ACL-based packet filtering, ASPF, and
traffic statistics and monitoring, to ensure network security.


You can set an aging time for whitelist entries.

You can export whitelist entries to a file or import entries to a whitelist from a file.
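The interplay of the three mechanisms is what matters operationally: the blacklist is consulted
before the ACL and overrides it, the whitelist only exempts a source from scan detection and
dynamic blacklisting, and dynamic entries age out. The following Python model is an added example,
not the device's code. The scan threshold, window and aging time are assumed values, the packets
are constructed, and the "ACL" is a one-line function.

```python
from collections import defaultdict


class AttackDefense:
    """Blacklist/whitelist processing in front of ACL filtering. Thresholds are assumed values."""
    SCAN_PORT_THRESHOLD = 10     # distinct destination ports from one source within the window
    SCAN_WINDOW = 5.0            # seconds
    BLACKLIST_AGING = 60.0       # seconds a dynamically added entry lives

    def __init__(self, acl):
        self.acl = acl                        # callable(pkt) -> 'permit' or 'deny'
        self.whitelist = set()                # {(vpn, ip)}
        self.blacklist = {}                   # (vpn, ip) -> expiry time, None = static entry
        self.ports_seen = defaultdict(dict)   # (vpn, ip) -> {dport: last_seen}

    def add_whitelist(self, vpn, ip):
        self.whitelist.add((vpn, ip))

    def add_blacklist(self, vpn, ip, now=0.0, aging=None):
        self.blacklist[(vpn, ip)] = None if aging is None else now + aging

    def _blacklisted(self, key, now):
        if key not in self.blacklist:
            return False
        expiry = self.blacklist[key]
        if expiry is not None and expiry <= now:
            del self.blacklist[key]           # aged out
            return False
        return True

    def _port_scan(self, key, dport, now):
        seen = self.ports_seen[key]
        seen[dport] = now
        for port in [p for p, t in seen.items() if now - t > self.SCAN_WINDOW]:
            del seen[port]
        return len(seen) > self.SCAN_PORT_THRESHOLD

    def process(self, pkt, now):
        key = (pkt['vpn'], pkt['src'])
        # 1. Blacklist first: a cheap key lookup that overrides any ACL permit
        if self._blacklisted(key, now):
            return 'drop (blacklist)'
        # 2. Whitelisted sources skip scan detection and can never be auto-blacklisted
        if key not in self.whitelist and self._port_scan(key, pkt['dport'], now):
            self.add_blacklist(*key, now=now, aging=self.BLACKLIST_AGING)
            return 'drop (scan detected, blacklisted)'
        # 3. Everything else, whitelisted or not, is still subject to the ACL
        return 'forward' if self.acl(pkt) == 'permit' else 'drop (acl)'


def run_demo():
    def web_acl(pkt):
        return 'permit' if pkt['dport'] in (80, 443) else 'deny'

    ad = AttackDefense(web_acl)
    ad.add_blacklist('vpn2', '2.2.2.2')              # static entry, as in Figure 5-5
    ad.add_whitelist('vpn1', '10.0.0.9')             # monitoring host whose sweeps are legitimate
    out = {}
    out['static'] = ad.process({'vpn': 'vpn2', 'src': '2.2.2.2', 'dport': 80}, 0.0)
    # an attacker probing 11 ports within one second trips the scan detector on the 11th packet
    for port in range(1, 12):
        last = ad.process({'vpn': 'vpn1', 'src': '198.51.100.4', 'dport': port}, 1.0)
    out['scan'] = last
    out['scan_next'] = ad.process({'vpn': 'vpn1', 'src': '198.51.100.4', 'dport': 80}, 2.0)
    out['aged'] = ad.process({'vpn': 'vpn1', 'src': '198.51.100.4',  'dport': 80}, 63.0)
    # the same probe pattern from the whitelisted host is not blacklisted, but the ACL still applies
    for port in range(1, 12):
        last = ad.process({'vpn': 'vpn1', 'src': '10.0.0.9', 'dport': port}, 3.0)
    out['whitelisted_scan'] = last
    out['whitelisted_web'] = ad.process({'vpn': 'vpn1', 'src': '10.0.0.9', 'dport': 443}, 3.0)
    return out


if __name__ == '__main__':
    for name, result in run_demo().items():
        print('%-17s %s' % (name, result))
```

Note that the whitelisted host's probe of port 11 is still dropped, by the ACL rather than by the
scan detector: the whitelist is an exemption from blacklisting, not a bypass of the policy. Once the
dynamic entry for 198.51.100.4 ages out, the ACL decides again and its request to port 80 is
forwarded.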

5.2.7 Port Mapping


The application-layer protocols use well-known ports for communication. Port mapping allows
you to define new port numbers for different applications or specify the range of hosts that use
non-well-known port numbers.

Port mapping applies to service-sensitive features such as application specific packet filter
(ASPF) and Network Address Translation (NAT). For example, the FTP server 10.10.10.10 on
an enterprise intranet provides the FTP service through port 2121, so users accessing the FTP
server through the NAT device must use port 2121. By default, the device recognizes only port
21 as FTP, so it cannot identify FTP packets that use port 2121 and cannot apply FTP-specific
processing (such as ASPF data-channel detection) to them. In this case, you need to map port
2121 to the FTP protocol. After port mapping, the device identifies the FTP packets that use port
2121 and sends them to the FTP server, so users can access the FTP server.

Port Mapping Supported by the Device

The device provides ACL-based port mapping and performs port mapping only for the packets
matching the specified ACL. Port mapping employs basic ACLs (2000 to 2999). In ACL-based
port mapping, the device matches the destination IP address of each packet with the IP address
in the basic ACL rules.

As shown in Figure 5-6, the PC on the external network accesses the WWW server (port 8080)
on the internal network. When the device receives packets sent by the PC, it matches them
against the ACL. Only packets with the destination IP address 129.38.2.4 match the ACL and
have port 8080 mapped to HTTP; packets matching a deny rule or no rule are not mapped.

Figure 5-6 Port mapping diagram
[WWW Server 129.38.2.4 - Firewall - PC 202.39.2.3]

5.2.8 Attack Defense

Attack defense is an important network security function of the firewall. With this function, the
firewall can detect various network attack behaviors and take measures to protect the network,
ensuring normal running of the internal network and systems.

Types of Network Attacks

Network attacks are classified into three types: Denial of Service (DoS) attacks, scanning and
snooping attacks, and malformed packet attacks.

- DoS attack
  An attacker sends a large number of data packets to the target system to prevent the system
  from processing requests from authorized users or to make the host stop responding. DoS
  attacks include SYN Flood attacks and Fraggle attacks.
  DoS attacks differ from other attacks in that the attacker does not search for a way into the
  network but prevents authorized users from accessing resources or the firewall.
- Scanning and snooping attack
  Scanning and snooping attacks identify live systems on a network through ping scanning
  (including ICMP and TCP scanning), and then find potential targets. By scanning TCP and
  UDP ports, the attacker can learn the operating system and the listening services.
  Through scanning and snooping, an attacker can generally learn the service types of the
  system and prepare for further intrusion.
- Malformed packet attack
  An attacker sends malformed IP packets to a target system. The target system crashes when
  processing the malformed IP packets. Malformed packet attacks include Ping of Death and
  Teardrop.

The following describes typical attacks on networks.

Land Attack
An attacker initiates a Land attack by setting the source and destination addresses of a TCP SYN
packet to the IP address of a target host. The target host then sends a SYN-ACK message to its
own IP address, and the ACK message is sent back to the target host. This forms a null session.
Every null session exists until it times out. Figure 5-7 shows a Land attack.

Figure 5-7 Land attack
[Attacker -> Target host: SYN packet with both the destination and the source being the target
host. Target host -> itself: SYN, ACK. Target host -> itself: ACK.]

The responses to the Land attack vary according to the targets. For instance, many UNIX hosts
crash while Windows NT hosts slow down.


Smurf Attack
A simple Smurf attack is used to attack a network. The attacker sends an ICMP Echo request to
the broadcast address of the network. All the hosts on the network respond to the request and
the network is congested. Figure 5-8 shows a simple Smurf attack.

Figure 5-8 Simple Smurf attack
[Attacker -> (Internet) -> Target network: request packet sent by the attacker to the broadcast
address; response packets sent by every host on the target network.]

An advanced Smurf attack targets hosts. The attacker sends an ICMP Echo request packet to the
network where the target host is located. The source IP address of the packet is the IP address
of the target host; therefore, all ICMP Echo Reply packets are sent to the target host. This slows
down packet processing on the target host or can even make the host crash. Figure 5-9 shows
an advanced Smurf attack.

Figure 5-9 Advanced Smurf attack
[Attacker -> (Internet) -> target network: request packet sent by the attacker with the target
host's address as its source; response packets sent by the target network to the target host.]

Sending attack packets generates a certain amount of traffic and lasts for some time. The more
hosts there are on the network that answers the request, the more severe the damage the attack
causes.

WinNuke Attack
Network Basic Input/Output System (NetBIOS) is a network access interface that is widely used
in file sharing, print sharing, interprocess communication (IPC), and data exchange between
different operating systems. Originally, NetBIOS was a broadcast-based interface running over
the Logical Link Control Type 2 (LLC2) protocol. To implement NetBIOS over the TCP/IP
protocol stack, RFCs 1001 and 1002 define a series of interaction standards and common TCP/
UDP ports:
- 139: the TCP port used for NetBIOS sessions.
- 137: the UDP port used for the NetBIOS name service.
- 138: the UDP port used for the NetBIOS datagram service.
Windows operating systems implement NetBIOS over TCP/IP and open port 139.
WinNuke attacks exploit a vulnerability in Windows operating systems. An attacker sends TCP
packets carrying out-of-band (OOB) data, that is, with the URG flag set, to port 139. These attack
packets differ from normal OOB packets in that the urgent pointer field does not match the actual
location of the data. When the Windows operating system processes these packets, it may crash.

SYN Flood Attack


A SYN Flood attack exploits the three-way handshake mechanism of TCP to attack the target
host. An attacker sends a SYN packet to the target host to request a TCP connection, but does
not respond to the SYN-ACK packet sent back by the target host. While the target host waits for
the missing response, the connection remains half-open. Figure 5-10 shows a SYN Flood attack.

Figure 5-10 Half connection
[Attacker -> Target: SYN. Target -> Attacker: SYN,ACK. The final ACK never arrives and the
target keeps waiting.]

The attacker sends a lot of TCP SYN packets to make the target host set up many half
connections, which occupy a large number of resources. When the resources on the target host
are used up, data processing on the host slows down and authorized users cannot access the host.


The attacker can also generate a SYN packet with a pseudo or non-existent source address to
attack the target host.

ICMP Flood Attack


A network administrator uses the ping program to monitor networks and locate faults. The ping
process is as follows:

1. A source host sends an ICMP Echo Request packet to a destination host.
2. After receiving the ICMP Echo Request packet, the destination host returns an ICMP Echo
   Reply packet to the source host.

ICMP packets are processed by the CPU and may consume many CPU resources in some cases.

If an attacker sends a large number of ICMP Echo Request packets to a target host, the target
host becomes busy processing these Echo Request packets and cannot process other data packets.
Figure 5-11 shows an ICMP Flood attack.

Figure 5-11 ICMP Flood attack
[Attacker -> Target: a continuous stream of ICMP ECHO requests, far more than the target can
answer with ICMP Replies.]

UDP Flood Attack


A UDP flood attack is similar to an ICMP flood attack. An attacker sends a large number of
UDP packets to a target host. The target host becomes busy processing these UDP packets and
cannot process normal data packets.

IP Sweeping and Port Scanning Attack


An attacker uses a scanning tool to probe target IP addresses and ports. The targets then respond
to the probes, through which the attacker can know which target systems are active and connected
to the network and which ports are open or closed.


Ping of Death Attack


Ping of Death attacks a system by sending oversized ICMP packets.

The Total Length field of an IP header is 16 bits, so the maximum length of an IP packet is 65535
bytes. If the data field of an ICMP Echo Request packet is longer than 65507 bytes, the total length
of the packet (ICMP data + 20-byte IP header + 8-byte ICMP header) exceeds 65535 bytes. Such a
packet can only be sent as fragments, and the oversize becomes visible when the receiver reassembles
them. Some systems or devices cannot handle oversized ICMP packets and may stop responding, crash,
or restart when they receive one. Figure 5-12 shows an oversized ICMP packet.

Figure 5-12 Oversized ICMP packet
(Layout: IP Header, 20 bytes | ICMP Header, 8 bytes | ICMP Data, more than 65507 bytes)

Large-ICMP Attack
Similar to a Ping of Death attack, a Large-ICMP attack sends oversized ICMP packets to attack a
system. Although the length of a Large-ICMP packet does not exceed the maximum length of an IP
packet (65535 bytes), Large-ICMP packets still have a great impact on some operating systems.

To prevent Large-ICMP attacks, set the maximum length of ICMP packets on the firewall (4000 bytes by
default, see Table 5-1).

ICMP-Unreachable Attack
After receiving an ICMP network-unreachable packet (type 3, code 0) or host-unreachable packet
(type 3, code 1), some systems treat all subsequent packets to that destination as undeliverable
and tear down their connections to it. Figure 5-13 shows an ICMP-Unreachable attack.

Figure 5-13 ICMP-unreachable attack
(Diagram: the attacker sends a fake ICMP-Unreachable packet to the target.)

The attacker sends ICMP-Unreachable packets to the target hosts to change routes on the target
hosts. In this case, packet forwarding on the hosts is abnormal.

ICMP-Redirect Attack
An ICMP-Redirect attack is similar to an ICMP-Unreachable attack.

A network device can send ICMP Redirect packets to a host in the same subnet, requesting the
host to change its routes.


Similarly, an attacker sends a fake Redirect packet to the target host on another network segment,
requesting the target host to modify the routing table. The attack changes routes on the target
host and affects packet forwarding. Figure 5-14 shows an ICMP-Redirect attack.

Figure 5-14 ICMP-Redirect attack
(Diagram: the attacker sends a fake ICMP-Redirect packet to the target, which is communicating with
a destination host.)

IP Fragment Attack
The fields of an IP header related to fragmentation are the Don't Fragment (DF) bit, the More
Fragments (MF) bit, the Fragment Offset, and the Total Length.
If these fields conflict and a device does not handle the conflict properly, the device may stop
running or even crash. The fields conflict in the following cases:
l The DF bit is set, but the MF bit is also set or the Fragment Offset is not 0.
l The DF bit is 0, but the Fragment Offset (the 13-bit field multiplied by 8, in bytes) plus the
Total Length is larger than 65535.
In addition, the device must discard fragments destined for itself directly, because caching and
reassembling them imposes a heavy load on the device.

Teardrop Attack
During packet transmission, an IP packet must be fragmented when it is longer than the
maximum transmission unit (MTU) of the link layer. The IP packet header contains an offset
field and an MF field. If the MF field is set to 1, the IP packet is a fragment. The offset field
indicates the location of this fragment in the whole IP packet. The receiver can reassemble the
IP packet based on the information carried in the IP packet header.
For example, if a large packet is transmitted over a link with a smaller MTU, the packet is
fragmented into two IP packets. The receiver then reassembles the two IP packets into the
original IP packet. Figure 5-15 shows the normal packet reassembling process.

Figure 5-15 Packet reassembly
(Diagram: fragment 1 = IP Header + TCP Header + IP Data A; fragment 2 = IP Header + IP Data B;
reassembled packet = IP Header + TCP Header + IP Data A + IP Data B.)


If an attacker sets the offset field to an incorrect value, the receiver cannot correctly assemble
packets. Some TCP/IP protocol stacks may crash when they receive a pseudo fragment
containing an overlapping offset. This is a Teardrop attack. Figure 5-16 shows a Teardrop attack
packet.

Figure 5-16 Teardrop attack diagram
(Diagram: fragment 1 = IP Header + TCP Header + IP Data A; fragment 2 = IP Header + IP Data B
carrying a wrong offset that overlaps fragment 1; reassembly yields IP Header + TCP Header + ???.)
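The three fragmentation checks described above (a reassembled datagram longer than 65535 bytes, conflicting DF/MF/offset/length fields, and overlapping offsets) can be applied offline to IP headers. The Python below is an added example, not code from this guide or from Huawei: it builds constructed IPv4 headers with struct, decodes the Flags/Fragment Offset word, and flags the Ping of Death, IP Fragment and Teardrop conditions exactly as the text defines them. The addresses, identifiers and fragment sizes are made up.

```python
"""Offline sanity checks for the IPv4 fragmentation abuses described above:
Ping of Death (reassembled datagram longer than 65535 bytes), conflicting
DF/MF/offset/length fields, and Teardrop (overlapping fragments).
Added example; the headers below are constructed, not captured."""
import struct
from typing import Dict, List

IP_MAX_LEN = 65535
IP_HDR_LEN = 20
ICMP_HDR_LEN = 8
ICMP_ECHO_MAX_DATA = IP_MAX_LEN - IP_HDR_LEN - ICMP_HDR_LEN  # 65507, as the text derives

DF = 0x4000           # Don't Fragment flag in the Flags/Fragment Offset word
MF = 0x2000           # More Fragments flag
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, in 8-byte units


def build_ipv4(total_len: int, flags: int, offset_units: int,
               proto: int = 1, ident: int = 0x1234) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left at zero; never transmitted)."""
    ver_ihl = (4 << 4) | 5
    flags_frag = flags | (offset_units & OFFSET_MASK)
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident, flags_frag,
                       64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def parse_ipv4(hdr: bytes) -> Dict[str, int]:
    """Decode the fields the fragment checks need; offset is returned in bytes."""
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", hdr[:IP_HDR_LEN])
    return {"ihl": (ver_ihl & 0x0F) * 4, "total_len": total_len, "ident": ident,
            "df": bool(flags_frag & DF), "mf": bool(flags_frag & MF),
            "offset": (flags_frag & OFFSET_MASK) * 8, "proto": proto}


def fragment_field_errors(hdr: bytes) -> List[str]:
    """IP Fragment attack checks from the text: DF set together with MF or a
    non-zero offset, or offset + total length overrunning the 65535-byte
    maximum (which is also the Ping of Death condition after reassembly)."""
    f = parse_ipv4(hdr)
    errors = []
    if f["df"] and (f["mf"] or f["offset"] != 0):
        errors.append("DF set together with MF or a non-zero fragment offset")
    if f["offset"] + f["total_len"] > IP_MAX_LEN:
        errors.append("fragment offset + length exceeds 65535 bytes (Ping of Death)")
    return errors


def teardrop_overlap(fragments: List[bytes]) -> bool:
    """Teardrop check: True if any two fragments of one datagram overlap.
    A fragment covers [offset, offset + payload_len) of the reassembled payload."""
    spans = []
    for hdr in fragments:
        f = parse_ipv4(hdr)
        spans.append((f["offset"], f["offset"] + f["total_len"] - f["ihl"]))
    spans.sort()
    return any(next_start < end for (_, end), (next_start, _) in zip(spans, spans[1:]))


# Constructed samples (not captured traffic).
NORMAL_FRAGMENTS = [build_ipv4(1500, MF, 0),         # payload bytes 0..1479, more to come
                    build_ipv4(520, 0, 1480 // 8)]   # payload bytes 1480..1979, last fragment
TEARDROP_FRAGMENTS = [build_ipv4(1500, MF, 0),
                      build_ipv4(520, 0, 800 // 8)]  # claims to start at byte 800: overlaps
POD_FRAGMENT = build_ipv4(100, 0, 8189)              # 8189 * 8 + 100 = 65612 > 65535
DF_CONFLICT = build_ipv4(1500, DF | MF, 0)           # "don't fragment" on a fragment

if __name__ == "__main__":
    print("normal:", fragment_field_errors(NORMAL_FRAGMENTS[1]), teardrop_overlap(NORMAL_FRAGMENTS))
    print("teardrop:", teardrop_overlap(TEARDROP_FRAGMENTS))
    print("ping of death:", fragment_field_errors(POD_FRAGMENT))
    print("DF conflict:", fragment_field_errors(DF_CONFLICT))
```

The offset-plus-length test is the same arithmetic a firewall applies per fragment, so an oversized datagram is caught on its last fragment without buffering the whole set; the overlap test needs all fragments of one identifier, which is why the text notes that reassembly is costly for the device.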

Fraggle Attack
A Fraggle attack is similar to a Smurf attack, except that the Fraggle attack sends UDP packets
but not ICMP packets. Therefore, the Fraggle attack packets can traverse some firewalls that
prevent ICMP packets.

A Fraggle attack can be successful because both UDP port 7 (ECHO) and port 19 (Chargen)
return responses after receiving UDP packets. The details are as follows:

l UDP port 7 returns a response (similar to the ICMP Echo-Reply packet) after receiving a
packet.
l UDP port 19 generates a character flow after receiving the packet.

The two UDP ports send a lot of response packets, which occupy high network bandwidth.

The attacker can send a UDP packet to the target network. The source address of the UDP packet
is the IP address of the attacked host and its destination address is the broadcast address or
network address of the host's subnet. The destination port number of the packet is 7 or 19. All
the hosts with the port open on the subnet send response packets to the attacked host. This
generates heavy traffic, which blocks the network or makes the host crash.

Hosts on the subnet with the port closed return ICMP Port Unreachable packets, which still consume
bandwidth. If the attacker sets the source port to 19 (Chargen) and the destination port to 7
(ECHO), the damage is more severe, because the two services answer each other and keep generating
response packets without further input from the attacker.

Tracert Attack
Tracert discovers the path that packets take by sending probes with increasing TTL values and
collecting the ICMP Time Exceeded packets returned when the TTL reaches 0, or the ICMP Port
Unreachable packet returned by the destination.

An attacker can use Tracert to learn the network structure, which is a security risk to the
network.


Malformed TCP Packet Attacks

A malformed TCP packet is a packet whose 6-bit flags field in the TCP header (URG, ACK, PSH, RST,
SYN, FIN) carries a combination that a conforming TCP stack never produces, for example SYN and FIN
set together or no flag set at all. An error may occur when the TCP protocol stack on the receiver
processes such a packet.
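An added example (not from this guide or from Huawei) of the flag check a stateful inspector can apply to the segments described above: it decodes the 6-bit flags field of constructed TCP headers and reports combinations a conforming stack never emits. Ports and sequence numbers are placeholders.

```python
"""Flag-combination check for the malformed TCP packets described above.
Added example, not Huawei code; the headers are constructed inline."""
import struct
from typing import List

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed 20-byte TCP header carrying the given 6-bit flags
    (data offset 5 words, checksum and urgent pointer left at zero)."""
    offset_flags = (5 << 12) | (flags & 0x3F)
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0, offset_flags, 65535, 0, 0)


def tcp_flags(hdr: bytes) -> int:
    """The low six bits of the data-offset/flags word: URG ACK PSH RST SYN FIN."""
    return struct.unpack("!H", hdr[12:14])[0] & 0x3F


def malformed_tcp_reasons(hdr: bytes) -> List[str]:
    """Return why a segment's flag combination could never be produced by a
    conforming stack; an empty list means the combination is plausible."""
    f = tcp_flags(hdr)
    if f == 0:
        return ["no flag set (null scan)"]
    reasons = []
    if f & SYN and f & FIN:
        reasons.append("SYN and FIN set together")
    if f & SYN and f & RST:
        reasons.append("SYN and RST set together")
    # Every segment except the initial SYN and a bare RST carries ACK.
    if not f & ACK and f != SYN and not f & RST:
        reasons.append("ACK clear on a segment that is neither a SYN nor a RST")
    return reasons


if __name__ == "__main__":
    for name, flags in [("syn", SYN), ("syn-ack", SYN | ACK), ("data", PSH | ACK),
                        ("syn-fin", SYN | FIN), ("xmas", FIN | PSH | URG), ("null", 0)]:
        print(f"{name:8s} {malformed_tcp_reasons(build_tcp(flags))}")
```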

5.2.9 Traffic Statistics Collection and Monitoring


A firewall not only monitors data traffic, but also detects the setup of connections between
internal and external networks, generates statistics, and analyzes the data. The firewall can use
software to analyze the logs after events occur and can also analyze the data in real time.

By checking whether the number of TCP/UDP sessions initiated from external networks to the
internal network exceeds the threshold, the firewall decides whether to restrict new sessions
from external networks to the internal network or to an IP address in the internal network.

Figure 5-17 shows an application of the firewall. The IP address-based statistics function is
enabled for the packets from external networks to the internal network. If the number of TCP
sessions initiated by external networks to web server 129.1.9.1 exceeds the threshold, the firewall
device rejects new sessions initiated from the external network until the number of sessions is
smaller than the threshold.

Figure 5-17 Setup of TCP connections
(Diagram: TCP connections from the external network pass through the firewall to web server
129.1.9.1 on the internal network.)

The device supports system-level, zone-level, and IP address-level traffic statistics collection
and monitoring.

System-Level Traffic Statistics Collection and Monitoring


System-level traffic statistics collection and monitoring take effect on all the data flows in
interzones with the firewall feature enabled. That is, the firewall device collects statistics about
the ICMP, TCP, and UDP sessions in the interzones. When the number of sessions exceeds the
threshold, the device restricts the sessions until the number of sessions falls within the threshold.

Zone-Level Traffic Statistics Collection and Monitoring


The zone-level traffic statistics collection and monitoring take effect on the data flows between
zones. That is, the firewall device counts the total number of TCP and UDP sessions between
the local zone and other zones. When the number of connections between the local zone and all
the other zones or the number of connections in a certain direction exceeds the threshold, the
device rejects new sessions until the number of sessions falls within the threshold.


IP Address-Level Traffic Statistics Collection and Monitoring


The IP address-level traffic statistics collection and monitoring count and monitor the TCP and
UDP sessions set up on an IP address in a zone. The firewall device determines whether to restrict
the connections in a certain direction by checking whether the number of the TCP or UDP
connection requests sent from a source IP address (or received by a destination address) exceeds
the threshold. This function prevents DoS caused by the malicious attacks or busy systems.

When the number of TCP and UDP sessions falls below the threshold, the source IP address can
initiate sessions and the destination address can receive sessions.

5.2.10 Firewall Log


A firewall device records the actions and status of the firewall in real time. For example, the
measures taken against IP address spoofing and the detected malicious attacks are recorded in
firewall logs.

These logs help you find out the security risks, detect the attempts to violate the security policies,
and learn the type of a network attack. The real-time logs are also used to detect the intrusion
that is underway.

You can configure the firewall logging function to monitor behaviors and status of the firewall,
find security risks, and detect the network attacks and intrusions.

Firewall Logs Supported by the Device


The device supports the following firewall logs:

l Blacklist logs
When detecting attacks such as an IP sweeping attack and port scanning attack, the device
generates blacklist logs if the blacklist function is enabled.
A blacklist log is also generated when you add an entry to the blacklist, or when an entry
in the blacklist expires.
l Attack logs
When detecting an attack, the device generates an attack log to record the attack type and
parameters.
l Traffic monitoring logs
When the number of inbound and outbound sessions of the entire system or a zone exceeds
the upper threshold or is smaller than the lower threshold, the device generates a log.
l Packet-filter log
Records information about packet filtering.
l Session logs
When an entry in the session table expires, the device sends a log to the log server.

5.2.11 Virtual Firewall


An increasing number of small-scale private networks have been established, most of them belonging
to small enterprises. Such enterprises require high security but cannot afford a dedicated security
device.


The device can be divided into multiple virtual firewalls to serve multiple small-scale private
networks.
A virtual firewall integrates a VPN instance and a security instance. It provides a private routing
plane and security service for the virtual firewall users.

VPN Instance
A VPN instance provides separated VPN routes for the users under a virtual firewall. These
VPN routes are used to forward the packets received by a virtual firewall.

Security Instance
A security instance provides separated security services for the users under a virtual firewall.
The security instances contain private interfaces, zones, interzones, ACL rules, and NAT rules.
They provide the security services such as address binding, blacklist, packet filtering, traffic
statistics and monitoring, attack defense, ASPF, and NAT for the users under the virtual
firewalls.

5.2.12 Firewall in HSB Mode


A firewall is a node that traffic must pass through on a network. If the firewall is faulty, traffic
is interrupted. To ensure uninterrupted traffic, prevent firewall single-point failures.
To prevent firewall single-point failures, deploy two firewalls in hot standby (HSB) mode. One
functions as the master firewall, and the other functions as the backup firewall. Interfaces on the
master and backup firewalls connect to corresponding security zones. The Virtual Router
Redundancy Protocol (VRRP) determines the master and backup firewalls. The firewall session
entry synchronization is performed using HSB.

Firewall in HSB Mode


The firewall is a stateful firewall that checks only the first packet in a session and dynamically
generates session entries. A session entry records the status of a session. Only subsequent packets
(including response packets) that match the session entry can pass through the firewall.

Figure 5-18 Networking diagram of firewalls in HSB mode
(Diagram: PC1 in the Trust zone and PC2 in the Untrust zone, plus a DMZ, are connected through
Firewall A (master) and Firewall B (backup) over LAN links; session entries are synchronized from
Firewall A to Firewall B.)


As shown in Figure 5-18, Firewall A functions as the master firewall that traffic must pass
through. Firewall B is in backup state and no traffic passes through it.
If Firewall A or its links fail, traffic is switched to Firewall B. If session entries were not
backed up on Firewall B before the master/backup switchover, the sessions that previously passed
through Firewall A match no entry on Firewall B and are interrupted.
To ensure that the backup firewall takes over smoothly when the master firewall fails, session
entries and status information must be backed up between the master and backup firewalls in real
time. Currently, this backup is performed using HSB.

Interface Status Requirement

Figure 5-19 Packet forwarding paths
(Diagram: the topology of Figure 5-18 with physical links and a numbered packet path (1) to (9):
(1) > (2) > (3) > (4) carries PC1's request through Firewall A to PC2, (5) > (6) > (7) > (8)
carries PC2's response back through Firewall A, and (5) > (9) shows the response reaching
Firewall B instead.)

On a firewall, interfaces that connect to security zones must be in the same state, that is, all
interfaces are in master or backup state at the same time.
As shown in Figure 5-19:
l Assume that all interfaces on Firewall A are in master state, and all interfaces on Firewall
B are in backup state. PC1 in the Trust zone connects to PC2 in the Untrust zone. Packets are
forwarded along (1) > (2) > (3) > (4). When forwarding the access packet, Firewall A
dynamically generates a session entry. The response packet sent from PC2 is forwarded
along (5) > (6) > (7) > (8). When it reaches Firewall A, the response packet matches the
session entry and passes through Firewall A. Communication between PC1 and PC2 is successful.
l Assume that the interfaces on Firewall B that connect to the Trust zone are in backup state,
but the interfaces that connect to the Untrust zone are in master state. When a packet sent
from PC1 passes through Firewall A and reaches PC2, Firewall A dynamically generates a session
entry. The response packet sent from PC2 is forwarded along (5) > (9) and reaches Firewall B.
No matching session entry exists on Firewall B. Unless another rule allows the response packet,
Firewall B discards it, and communication is interrupted.
Smart Link ensures the stability of links connected to switches. A directly connected link is
deployed between the master and backup firewalls to ensure that traffic is forwarded to the peer
firewall when a link is faulty.

NOTE

l Data configured by users are not backed up on the master and backup firewalls. Users must perform
the same configuration on the master and backup firewalls.
l Firewalls that back up each other must be of the same model, have the same memory, CPU, and
configurations.
l Firewalls that back up each other must use the same software version.
l Backup interfaces cannot be service interfaces on the firewall and must be dedicated interfaces. Backup
interfaces do not forward data.
l Firewall HSB with asymmetric routing is not supported. Both directions of a session must pass
through the same firewall.
l Statistics data synchronization is not supported. Only TCP/UDP sessions are synchronized.

5.3 Applications
This section describes the applicable scenario of firewall.

5.3.1 Firewall Between the Internal and External Networks


As shown in Figure 5-20, a firewall is deployed between the internal and external networks to
prevent the external network from attacking the internal network. On an internal network that
uses private addresses, the firewall can be used together with NAT and application level gateway
(ALG) to improve network security.

Figure 5-20 Firewall between the internal and external networks
(Diagram: the firewall sits between the external network and the internal network, which contains
Department A, Department B, and the data center.)

5.3.2 Firewall on an Internal Network


As shown in Figure 5-21, a firewall is deployed on an internal network to prevent internal attacks
and ensure data security. The data center stores important information of a company. Therefore,
the firewall must enforce strict policy to protect the data center.


Figure 5-21 Firewall on an internal network
(Diagram: the firewall sits inside the internal network between Department A, Department B, and the
data center.)

5.4 Default Configuration


This section describes the firewall default configuration. You can change the configuration based
on the site requirements.

Table 5-1 shows the firewall default configuration.

Table 5-1 Firewall default configuration

Parameter                                                    Default Setting

Aging time of the firewall session table                     The value varies according to the protocol.
                                                             l DNS: 120 seconds
                                                             l FTP: 120 seconds
                                                             l FTP-DATA: 120 seconds
                                                             l HTTP: 120 seconds
                                                             l ICMP: 20 seconds
                                                             l TCP: 600 seconds
                                                             l TCP-PROXY: 10 seconds
                                                             l UDP: 120 seconds
                                                             l SIP: 1800 seconds
                                                             l SIP-MEDIA: 120 seconds
                                                             l RTSP: 60 seconds
                                                             l RTSP-MEDIA: 120 seconds

Default packet filtering mode                                Allows outbound packets and denies inbound
                                                             packets.

Maximum session rate for Flood attacks                       1000 pps

Maximum length of an ICMP packet                             4000 bytes

Maximum session rate for IP address sweeping                 4000 pps

Blacklist timeout in IP address sweeping                     20 minutes

Maximum session rate for port scanning                       4000 pps

Blacklist timeout in port scanning                           20 minutes

Thresholds for system traffic statistics and monitoring      Upper and lower thresholds for protocol
                                                             connections are supported. To view them, run
                                                             the display firewall statistics system
                                                             command.

Thresholds for zone-based traffic statistics and monitoring  Upper and lower thresholds for protocol
                                                             connections are supported. To view them, run
                                                             the display firewall statistics zone-ip
                                                             command.

Thresholds for IP address-based traffic statistics and       Upper and lower thresholds for protocol
monitoring                                                   connections are supported. To view them, run
                                                             the display firewall statistics zone-ip
                                                             command.

5.5 Configuring firewall


This section describes the firewall configuration procedure.

5.5.1 Configuring Basic Functions of the Firewall


After basic functions of the firewall are configured, users in a high-priority zone can access a
low-priority zone, but users in a low-priority zone cannot access a high-priority zone.

5.5.1.1 Creating a Zone and Adding Interfaces to the Zone

Context
To configure firewall functions, create zones. Then you can deploy security services according
to the priorities of the zones. The device considers that data transmission within a zone is reliable
and does not enforce any security policy on intra-zone data transmission. The device verifies
data and enforces security policies only when the data is transmitted from one zone to another.
You must configure a priority for a zone before making other configurations. The priority cannot
be changed. Each zone must have a different priority. A larger priority value indicates a higher
priority.
The firewall takes effect only after interfaces are added to zones.


The device automatically creates a zone named Local. The Local zone has the highest priority
and cannot be deleted. In addition, the priority of this zone cannot be changed, and no interface
can be added to this zone. To apply the firewall function to the control packets that need to be
processed by the device, use the Local zone.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall zone zone-name

A zone is created.

By default, no zone is created on the Router.

Step 3 Run:
priority security-priority

A priority is set for the zone.

Step 4 Run:
quit

Return to the system view.

Step 5 Run:
interface interface-type interface-number

The interface view is displayed.

Step 6 Run:
zone zone-name

The interface is added to the zone.

A zone can contain multiple interfaces, but an interface can be added to only one zone.

----End

5.5.1.2 Creating an Interzone

Context
Any two zones form an interzone. Each interzone has an independent interzone view. Most
firewall configurations are performed in the interzone views. After the firewall function is
configured, the device checks data transmitted between zones.

In an interzone, data is transmitted in the inbound or outbound direction.


l Inbound: Data flows from a zone with lower priority to a zone with higher priority.
l Outbound: Data flows from a zone with higher priority to a zone with lower priority.


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall interzone zone-name1 zone-name2

An interzone is created.

The zones specified for an interzone must have been created on the device.

----End

5.5.1.3 Enabling Firewall in an Interzone

Context
The configured firewall functions take effect only after you enable firewall in an interzone.

To make the firewall function take effect in an interzone that contains the Local zone, run the
ip soft-forward enhance enable command in the system view to enable the enhanced IP
forwarding function.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall interzone zone-name1 zone-name2

The interzone view is displayed.

The zones zone-name1 and zone-name2 must have been created using the firewall zone
command.

Step 3 Run:
firewall enable

The firewall is enabled.

By default, the firewall function is disabled in an interzone.

----End

5.5.1.4 (Optional) Configuring the Aging Time of the Firewall Session Table

Context
The Router creates a session table for data flows of each protocol, such as TCP, UDP, and ICMP,
to record the connection status of the protocol. An aging time is set for the session table. If a


record in the session table does not match any packet within the aging time, the system deletes
the record.

To change the aging time of protocol sessions, set the aging time of the firewall session table.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall-nat session { dns | ftp | ftp-data | http | icmp | tcp | tcp-proxy | udp
| sip | sip-media | rtsp | rtsp-media } aging-time time-value

The aging time of the firewall session table is set.

By default, the aging time of each protocol is as follows:


l DNS: 120 seconds
l FTP: 120 seconds
l FTP-data: 120 seconds
l HTTP: 120 seconds
l ICMP: 20 seconds
l TCP: 600 seconds
l TCP-proxy: 10 seconds
l UDP: 120 seconds
l SIP: 1800 seconds
l SIP-media: 120 seconds
l RTSP: 60 seconds
l RTSP-media: 120 seconds

NOTE

The default aging time is recommended.

----End

5.5.1.5 Checking the Configuration

Procedure
l Run the display firewall zone [ zone-name ] [ interface | priority ] command to check
information about a zone.
l Run the display firewall interzone [ zone-name1 zone-name2 ] command to check
information about an interzone.
l Run the display firewall-nat session aging-time command to check the aging time of the
firewall session table.

----End


5.5.2 Configuring the Packet Filtering Firewall


The packet filtering firewall filters packets by using an ACL.

5.5.2.1 (Optional) Configuring the Default Processing Mode for Unmatched Packets

Context
By default, a firewall allows all the outbound packets and denies all the inbound packets.

If an ACL is applied to the inbound or outbound packets in an interzone, the firewall filters
packets according to the ACL rules. If packets do not match the ACL, the firewall uses the default
processing mode for the packets.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall interzone zone-name1 zone-name2

The interzone view is displayed.

Step 3 Run:
packet-filter default { deny | permit } { inbound | outbound }

The default processing mode for unmatched packets is configured.

----End

5.5.2.2 Configuring ACL-based Packet Filtering in an Interzone

Context
When data is transmitted between two zones, the ACL-based packet filtering firewall enforces
the packet filtering policies according to the ACL rules.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl [ number ] acl-number [ match-order { config | auto }]

An ACL is created, and the ACL view is displayed.


NOTE

The ACLs used for packet filtering include basic ACLs and advanced ACLs.

Step 3 Run:
rule

An ACL rule is configured.

Step 4 Run:
quit

Return to the system view.

Step 5 Run:
firewall interzone zone-name1 zone-name2

The interzone view is displayed.

Step 6 Run:
packet-filter acl-number { inbound | outbound }

The ACL-based packet filtering is configured.

You can configure ACL-based packet filtering in the interzone for inbound or outbound packets.

NOTE

1. When permit is used in the ACL rule:


l When the ACL is applied to the inbound traffic, the system forwards the packets matching the
ACL rule sent from the low-priority zone to the high-priority zone.
l When the ACL is applied to the outbound traffic, the system forwards the packets matching the
ACL rule sent from the high-priority zone to the low-priority zone.
2. When deny is used in the ACL rule:
l When the ACL is applied to the inbound traffic, the system discards the packets matching the ACL
rule sent from the low-priority zone to the high-priority zone.
l When the ACL is applied to the outbound traffic, the system discards the packets matching the
ACL rule sent from the high-priority zone to the low-priority zone.
3. When an ACL does not contain rules:
l When the ACL is applied to the inbound traffic, no packet matches it and the default processing
mode applies; with the default setting (inbound deny), the system discards all packets sent from
the low-priority zone to the high-priority zone.
l When the ACL is applied to the outbound traffic, no packet matches it and the default processing
mode applies; with the default setting (outbound permit), the system forwards all packets sent
from the high-priority zone to the low-priority zone.

----End
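The zone, interzone and packet-filter rules of 5.5.1 and 5.5.2 together decide whether a packet is forwarded. The Python below is an added example, not Huawei software or a VRP emulator: it models that decision (direction derived from zone priorities, firewall enable, ACL rules tried in configuration order, an unmatched or empty ACL falling back to the default processing mode, intra-zone traffic left unfiltered). The zone names trust and untrust, their priorities 85 and 5, the client addresses and the ACL contents are assumptions; the web server 129.1.9.1 is taken from Figure 5-17.

```python
"""Model of the zone, interzone and ACL packet-filter rules described in 5.5.1
and 5.5.2. Added example, not Huawei software: it replays the decisions the
text states. Zone names, priorities, addresses and ports are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Rule:
    """One advanced-ACL-style rule: action plus source/destination prefix and an
    optional destination port (None matches any port)."""
    action: str                      # "permit" or "deny"
    source: str = "0.0.0.0/0"
    destination: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.source)
                and ip_address(dst) in ip_network(self.destination)
                and (self.dport is None or self.dport == dport))


@dataclass
class Interzone:
    priorities: Dict[str, int]                    # zone -> priority; larger value = higher
    enabled: bool = False                         # "firewall enable" in the interzone view
    default: Dict[str, str] = field(              # "packet-filter default": page defaults
        default_factory=lambda: {"inbound": "deny", "outbound": "permit"})
    acls: Dict[str, List[Rule]] = field(default_factory=dict)  # "packet-filter <acl> <dir>"

    def direction(self, from_zone: str, to_zone: str) -> str:
        """Inbound: lower-priority zone to higher-priority zone. Outbound: the reverse."""
        return "inbound" if self.priorities[from_zone] < self.priorities[to_zone] else "outbound"

    def decide(self, from_zone: str, to_zone: str, src: str, dst: str, dport: int) -> str:
        if from_zone == to_zone:
            return "permit"            # intra-zone traffic is trusted; no policy applied
        if not self.enabled:
            return "permit"            # nothing is filtered until firewall enable is run
        direction = self.direction(from_zone, to_zone)
        for rule in self.acls.get(direction, []):   # config order; an empty ACL never matches
            if rule.matches(src, dst, dport):
                return rule.action
        return self.default[direction]              # unmatched: default processing mode


def example_firewall() -> Interzone:
    """Assumed topology: trust (priority 85) holds web server 129.1.9.1 from
    Figure 5-17; untrust (priority 5) is the Internet. Only HTTP to the web
    server is opened inbound; outbound relies on the default permit."""
    fw = Interzone(priorities={"trust": 85, "untrust": 5}, enabled=True)
    fw.acls["inbound"] = [
        Rule("permit", destination="129.1.9.1/32", dport=80),
        Rule("deny", source="203.0.113.0/24"),   # ordered after the permit, so port 80 still passes
    ]
    return fw


if __name__ == "__main__":
    fw = example_firewall()
    for case in [("untrust", "trust", "203.0.113.7", "129.1.9.1", 80),
                 ("untrust", "trust", "203.0.113.7", "129.1.9.1", 22),
                 ("trust", "untrust", "10.1.1.5", "203.0.113.7", 443)]:
        print(case, "->", fw.decide(*case))
```

Setting `enabled=False` shows why the page insists on `firewall enable`: without it the ACL and default mode are inert. Emptying `fw.acls["outbound"]` shows the empty-ACL case falling through to the default processing mode rather than to a deny.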

5.5.2.3 Checking the Configuration

Procedure
l Run the display firewall interzone [ zone-name1 zone-name2 ] command to check
information about packet filtering.
l Run the display acl acl-number command to check the ACL configuration.

----End


5.5.3 Configuring Stateful Firewall (ASPF)


ASPF can detect and filter FTP, HTTP, SIP, and RTSP packets at the application layer.

Context
Application specific packet filter (ASPF) is status-based packet filtering. ASPF detects the
application-layer sessions that attempt to pass the firewall, and discards undesired packets.

After ActiveX blocking is configured, ASPF blocks ActiveX controls transmitted by HTTP,
preventing insecure and malicious controls. After Java blocking is configured, ASPF blocks the
requests to obtain Java Applet programs on web pages.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall interzone zone-name1 zone-name2

The interzone view is displayed.

Step 3 Run:
detect aspf { all | ftp | http [ activex-blocking | java-blocking ] | rtsp | sip }

ASPF is configured.

Generally, application-layer protocol packets are transmitted bidirectionally, so the direction
does not need to be specified. The firewall automatically checks the packets in both directions.

By default, ASPF is not configured in an interzone.

----End

Checking the Configuration


l Run the display firewall interzone [ zone-name1 zone-name2 ] command to check ASPF
information in the interzone.

5.5.4 Configuring the Blacklist


Entries can be added to the blacklist manually or dynamically. After IP address scanning and
port scanning defense is enabled on the attack defense module, the firewall can dynamically
create blacklist entries. When the connection rate of an IP address or a port exceeds the threshold,
the firewall considers that a scanning attack occurs and adds the source IP address to the blacklist.
All the packets from this source IP address are then filtered out.


5.5.4.1 Enabling the Blacklist Function

Context
A blacklist filters packets based on source IP addresses. Compared with ACLs, the blacklist uses
simpler matching fields and therefore filters packets at a higher speed. Packets from certain IP
addresses can be filtered out.

The firewall can dynamically add IP addresses to the blacklist. When detecting an attack from
an IP address, the firewall adds the IP address to the blacklist to filter out all packets from this
IP address. To enable the firewall to dynamically create blacklist entries, enable IP address
scanning attack defense and port scanning attack defense.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 (Optional) Run:
firewall defend ip-sweep enable

The IP address sweeping attack defense is enabled.

Step 3 (Optional) Run:
firewall defend ip-sweep { blacklist-expire-time interval | max-rate rate-value }

The parameters for IP address sweeping attack defense are set.

Step 4 (Optional) Run:
firewall defend port-scan enable

The port scanning attack defense is enabled.

Step 5 (Optional) Run:
firewall defend port-scan { blacklist-expire-time interval | max-rate rate-value }

The parameters for port scanning attack defense are set.

For scanning attack defense, the following two parameters need to be set:

- Maximum session rate: When the session rate of an IP address or a port exceeds the limit,
the firewall considers that a scanning attack occurs. Then the firewall adds the IP address or
port to the blacklist to reject new sessions from the IP address or port.
- Blacklist timeout: After an IP address or a port stays in the blacklist for a specified period,
it is deleted from the blacklist. Then new connections can be initiated from this IP address
or port.

By default, the maximum session rate for IP address sweeping and port scanning attack defense
is 4000 pps, and the blacklist timeout is 20 minutes.

Step 6 Run:
firewall blacklist enable

The blacklist function is enabled.


By default, the blacklist function is disabled.

----End

5.5.4.2 Configuring a Blacklist Entry

Context
After an IP address is added to the blacklist, the firewall denies packets from this IP address
until this entry expires.

When adding an entry to the blacklist, you can specify the IP address, aging time, and VPN
instance. The aging time refers to the amount of time the IP address is effective in the blacklist.
When the aging time expires, the IP address is released from the blacklist. If the aging time is
not specified, the IP address is always valid in the blacklist.

An IP address can be added to the blacklist regardless of whether the blacklist is enabled or not.
You can add entries to the blacklist when the blacklist is disabled, but the entries do not take
effect until the blacklist is enabled.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall blacklist ip-address [ vpn-instance vpn-instance-name ] [ expire-time
minutes ]

An entry is added to the blacklist.

NOTE

The blacklist entries without an aging time are saved in the configuration file. The entries configured with
an aging time are not saved to the configuration file, but you can view them by using the display firewall
blacklist command.

Step 3 (Optional) Run:
firewall black-white-list save configuration-file configuration-file-name

The blacklist and whitelist are saved to the specified configuration file. You can use the blacklist
and whitelist later by loading this configuration file.

----End

5.5.4.3 Configuring Blacklist or Whitelist Entries in Batches

Context
You can configure blacklist and whitelist entries in a batch by loading a configuration file. The
configuration file for storing the blacklist and whitelist must be available.

The entries in the whitelist take effect immediately, and you do not need to enable the whitelist
function.


The configuration file must be in txt format and contain the following fields:
[FirewallBlacklist]   # A blacklist entry
IPAddress =           # An IP address in the blacklist, in dotted decimal notation
VPNName =             # (Optional) VPN instance of the blacklist entry
[FirewallWhitelist]   # A whitelist entry
IPAddress =           # An IP address in the whitelist, in dotted decimal notation
VPNName =             # (Optional) VPN instance of the whitelist entry

A configuration file can contain multiple entries, but each entry must be edited separately. Blank
lines are allowed between lines.
[FirewallBlacklist]
IPAddress = 210.10.10.1
VPNName = vpna
[FirewallBlacklist]
IPAddress = 220.10.10.2
VPNName =

[FirewallWhitelist]
IPAddress = 10.10.10.1
VPNName = vpnb
[FirewallWhitelist]
IPAddress =20.20.20.1
VPNName =

NOTE
A configuration file can contain up to 50000 lines.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall black-white-list load configuration-file configuration-file-name

A blacklist and whitelist configuration file is loaded.

Step 3 Run:
firewall blacklist enable

The blacklist function is enabled.

Step 4 (Optional) Run:
firewall black-white-list save configuration-file configuration-file-name

The blacklist and whitelist are saved to the specified configuration file.

----End

5.5.4.4 Checking the Configuration

Procedure
- Run the display firewall blacklist { all | ip-address [ vpn-instance vpn-instance-name ] |
dynamic | static | vpn-instance vpn-instance-name } command to check information about
the blacklist.


- Run the display firewall blacklist configuration command to check the status of the
blacklist function.

----End

5.5.5 Configuring the Whitelist


The whitelist is applicable to networks where packets sent from some devices are valid service
packets similar to IP address sweeping or port scanning attack packets. The whitelist prevents
these devices from being added to the blacklist.

5.5.5.1 Configuring a Whitelist Entry

Context
The whitelist prevents specified IP addresses from being added to the blacklist. The IP addresses
in the whitelist will not be added to the blacklist statically or dynamically. An entry in the
whitelist is identified by a source VPN and a source IP address.

You can specify the IP address, aging time, and VPN instance when adding an entry to the
whitelist. The aging time refers to amount of time the IP address is effective in the whitelist.
When the aging time expires, the IP address is released from the whitelist. If the aging time is
not specified, the IP address is always valid in the whitelist.

Entries in the whitelist take effect directly and you do not need to enable the whitelist function.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall whitelist ip-address [ vpn-instance vpn-instance-name ] [ expire-time
minutes ]

An entry is added to the whitelist.

Step 3 (Optional) Run:
firewall black-white-list save configuration-file configuration-file-name

The blacklist and whitelist are saved to the specified configuration file. You can use the blacklist
and whitelist later by loading this configuration file.

----End

5.5.5.2 Configuring Blacklist or Whitelist Entries in Batches

Context
You can configure blacklist and whitelist entries in a batch by loading a configuration file. The
configuration file for storing the blacklist and whitelist must be available.


The entries in the whitelist take effect immediately, and you do not need to enable the whitelist
function.

The configuration file must be in txt format and contain the following fields:
[FirewallBlacklist]   # A blacklist entry
IPAddress =           # An IP address in the blacklist, in dotted decimal notation
VPNName =             # (Optional) VPN instance of the blacklist entry
[FirewallWhitelist]   # A whitelist entry
IPAddress =           # An IP address in the whitelist, in dotted decimal notation
VPNName =             # (Optional) VPN instance of the whitelist entry

A configuration file can contain multiple entries, but each entry must be edited separately. Blank
lines are allowed between lines.
[FirewallBlacklist]
IPAddress = 210.10.10.1
VPNName = vpna
[FirewallBlacklist]
IPAddress = 220.10.10.2
VPNName =

[FirewallWhitelist]
IPAddress = 10.10.10.1
VPNName = vpnb
[FirewallWhitelist]
IPAddress =20.20.20.1
VPNName =

NOTE
A configuration file can contain up to 50000 lines.
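The following parser is an added example, not Huawei code; it checks a batch file in the format described here and in 5.5.4.3 (section headers, IPAddress in dotted-decimal notation, optional VPNName, blank lines, the 50000-line limit) and renders each entry as the equivalent single-entry command. It assumes that text after '#' is a comment, as in the field description above, and that an empty VPNName means the public network.

```python
"""Parser for the firewall black-white-list batch file. Added example, not
Huawei code. Assumes text after '#' is a comment, as in the field description."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MAX_LINES = 50000  # limit stated in the NOTE
SECTIONS = {"[FirewallBlacklist]": "blacklist", "[FirewallWhitelist]": "whitelist"}

class BatchFileError(ValueError):
    """Raised for a file the router could not load."""

@dataclass
class Entry:
    kind: str            # "blacklist" or "whitelist"
    ip: str              # dotted-decimal IPv4 address
    vpn: Optional[str]   # VPN instance name, None for the public network
    line: int            # line of the section header, for error reports

def parse_black_white_list(text: str) -> List[Entry]:
    """Parse the file into entries, raising BatchFileError on the first defect."""
    lines = text.splitlines()
    if len(lines) > MAX_LINES:
        raise BatchFileError(f"file has {len(lines)} lines, limit is {MAX_LINES}")
    entries: List[Entry] = []
    kind: Optional[str] = None      # section being assembled
    ip: Optional[str] = None
    vpn: Optional[str] = None
    start = 0

    def close_entry() -> None:      # at every section header and at end of file
        if kind is None:
            return
        if ip is None:
            raise BatchFileError(f"line {start}: {kind} entry has no IPAddress")
        entries.append(Entry(kind, ip, vpn, start))

    for num, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0].strip()   # drop comment and surrounding blanks
        if not line:
            continue                          # blank lines are allowed
        if line in SECTIONS:
            close_entry()
            kind, ip, vpn, start = SECTIONS[line], None, None, num
            continue
        if kind is None:
            raise BatchFileError(f"line {num}: field outside a section")
        key, sep, value = line.partition("=")
        if not sep:
            raise BatchFileError(f"line {num}: expected 'key = value'")
        key, value = key.strip(), value.strip()
        if key == "IPAddress":
            try:
                ip = str(ipaddress.IPv4Address(value))  # "IPAddress =20.20.20.1" is fine
            except ipaddress.AddressValueError:
                raise BatchFileError(
                    f"line {num}: {value!r} is not a dotted-decimal address") from None
        elif key == "VPNName":
            vpn = value or None                 # "VPNName =" with nothing after it
        else:
            raise BatchFileError(f"line {num}: unknown field {key!r}")
    close_entry()
    return entries

def validate(text: str) -> Optional[str]:
    """None if the file would load, otherwise the first problem found."""
    try:
        parse_black_white_list(text)
    except BatchFileError as exc:
        return str(exc)
    return None

def to_commands(entries: List[Entry]) -> List[str]:
    """Render each entry as the single-entry command of 5.5.4.2 / 5.5.5.1."""
    cmds = []
    for e in entries:
        cmd = f"firewall {e.kind} {e.ip}"
        if e.vpn:
            cmd += f" vpn-instance {e.vpn}"
        cmds.append(cmd)
    return cmds

# Sample file, copied from the format example above.
SAMPLE = """[FirewallBlacklist]
IPAddress = 210.10.10.1
VPNName = vpna
[FirewallBlacklist]
IPAddress = 220.10.10.2
VPNName =

[FirewallWhitelist]
IPAddress = 10.10.10.1
VPNName = vpnb
[FirewallWhitelist]
IPAddress =20.20.20.1
VPNName =
"""
```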

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall black-white-list load configuration-file configuration-file-name

A blacklist and whitelist configuration file is loaded.

Step 3 Run:
firewall blacklist enable

The blacklist function is enabled.

Step 4 (Optional) Run:
firewall black-white-list save configuration-file configuration-file-name

The blacklist and whitelist are saved to the specified configuration file.

----End


5.5.5.3 Checking the Configuration

Procedure
- Run the display firewall whitelist { all | ip-address [ vpn-instance vpn-instance-name ] |
vpn-instance vpn-instance-name } command to check information about the whitelist.
- Run the display firewall blacklist { all | ip-address [ vpn-instance vpn-instance-name ] |
dynamic | static | vpn-instance vpn-instance-name } command to check information about
the blacklist.

----End

5.5.6 Configuring Port Mapping


Port mapping maps protocols to ports based on a basic ACL. Port mapping applies to the
application-layer protocols such as FTP, DNS, HTTP, SIP and RTSP.

Context
Application-layer protocols use well-known ports for communication. Port mapping enables
you to define new port numbers for application-layer protocols, which protects servers against
service-specific attacks. Port mapping applies to service-sensitive features such as application
specific packet filter (ASPF) and Network Address Translation (NAT).

Port mapping is implemented based on basic ACLs (2000 to 2999). The firewall matches
destination IP addresses of packets with the IP addresses configured in basic ACL rules and
performs port mapping only for the packets matching the ACL rules.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
port-mapping { dns | ftp | http | sip | rtsp } port port-number acl acl-number

Port mapping is configured.

You can map multiple ports to a protocol, or map a port to multiple protocols. The mappings,
however, must be distinguished by ACLs. That is, packets matching different ACL rules use
different mapping entries.

NOTE

Port mapping identifies the protocol type of the packets destined for an IP address (such as the IP address
of a WWW server). A basic ACL rule specifies only a source address, so when configuring the basic ACL rules,
enter the destination IP addresses of the packets to be mapped in the source address field of the ACL rules.

----End
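An added model of the lookup this section describes (example code, not Huawei's implementation): basic ACL rules are kept as source address/wildcard pairs, a packet's destination address is matched against that source field as the NOTE requires, and a port may carry different protocols for different ACLs. The well-known-port fallback and first-match rule evaluation are assumptions.

```python
"""Port-mapping lookup modelled on 5.5.6. Added example, not Huawei code.
Assumptions: well-known ports apply when no mapping matches; the first
matching ACL rule decides and an unmatched address is denied."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ports assumed when no port-mapping entry applies (protocols the command accepts).
WELL_KNOWN = {21: "ftp", 53: "dns", 80: "http", 554: "rtsp", 5060: "sip"}
PROTOCOLS = set(WELL_KNOWN.values())

@dataclass
class Rule:
    permit: bool
    address: str      # rule source address, e.g. "10.1.1.10"
    wildcard: str     # wildcard mask, 1 bits = don't care, e.g. "0.0.0.255"

    def matches(self, ip: str) -> bool:
        a = int(ipaddress.IPv4Address(ip))
        r = int(ipaddress.IPv4Address(self.address))
        w = int(ipaddress.IPv4Address(self.wildcard))
        return (a & ~w) == (r & ~w)

class PortMapper:
    def __init__(self) -> None:
        self.acls: Dict[int, List[Rule]] = {}
        self.mappings: List[Tuple[str, int, int]] = []   # (protocol, port, acl)

    def acl_rule(self, acl: int, permit: bool, address: str,
                 wildcard: str = "0.0.0.0") -> None:
        """Add a basic ACL rule; port mapping only accepts ACLs 2000 to 2999."""
        if not 2000 <= acl <= 2999:
            raise ValueError("port mapping requires a basic ACL (2000-2999)")
        self.acls.setdefault(acl, []).append(Rule(permit, address, wildcard))

    def port_mapping(self, protocol: str, port: int, acl: int) -> None:
        """Equivalent of: port-mapping <protocol> port <port> acl <acl>."""
        if protocol not in PROTOCOLS:
            raise ValueError(f"unsupported protocol {protocol!r}")
        if acl not in self.acls:
            raise ValueError(f"acl {acl} has no rules")
        for p, pt, a in self.mappings:   # mappings must be distinguished by ACL
            if pt == port and a == acl and p != protocol:
                raise ValueError("same port and ACL already mapped to another protocol")
        self.mappings.append((protocol, port, acl))

    def _permitted(self, acl: int, dst_ip: str) -> bool:
        # The packet's *destination* is matched against the rule's source field.
        for rule in self.acls.get(acl, []):
            if rule.matches(dst_ip):
                return rule.permit
        return False

    def identify(self, dst_ip: str, dst_port: int) -> Optional[str]:
        """Protocol that ASPF/NAT will treat a packet to dst_ip:dst_port as."""
        for protocol, port, acl in self.mappings:
            if port == dst_port and self._permitted(acl, dst_ip):
                return protocol
        return WELL_KNOWN.get(dst_port)

def demo_mapper() -> PortMapper:
    """Constructed sample: one web server and a SIP proxy subnet, both on 8080."""
    m = PortMapper()
    m.acl_rule(2000, True, "10.1.1.10")               # web server, host rule
    m.acl_rule(2001, True, "10.1.2.0", "0.0.0.255")   # SIP proxies in 10.1.2.0/24
    m.port_mapping("http", 8080, 2000)
    m.port_mapping("sip", 8080, 2001)
    return m
```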


Checking the Configuration

- Run the display port-mapping [ dns | ftp | http | rtsp | sip | port port-number ] command
to check information about port mapping.

5.5.7 Configuring Attack Defense


The attack defense function protects the CPU of a server against attacks to ensure that the server
operates normally when it is attacked.

5.5.7.1 Enabling the Attack Defense Function

Context
You enable different types of attack defense as required.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Enable attack defense.

- firewall defend all enable

All the attack defense functions are enabled.

- firewall defend fraggle enable

The Fraggle attack defense is enabled.

- firewall defend icmp-flood enable

The ICMP Flood attack defense is enabled.

- firewall defend icmp-redirect enable

The ICMP Redirect attack defense is enabled.

- firewall defend icmp-unreachable enable

The ICMP Unreachable attack defense is enabled.

- firewall defend ip-fragment enable

The IP-Fragment attack defense is enabled.

- firewall defend ip-sweep enable

The IP address sweeping attack defense is enabled.

- firewall defend land enable

The Land attack defense is enabled.

- firewall defend large-icmp enable

The large ICMP packet attack defense is enabled.

- firewall defend ping-of-death enable

The Ping of Death attack defense is enabled.

- firewall defend port-scan enable

The port scanning attack defense is enabled.

- firewall defend smurf enable

The Smurf attack defense is enabled.

- firewall defend syn-flood enable

The SYN Flood attack defense is enabled.

- firewall defend tcp-flag enable

The TCP flag attack defense is enabled.

- firewall defend teardrop enable

The Teardrop attack defense is enabled.

- firewall defend tracert enable

The Tracert attack defense is enabled.

- firewall defend udp-flood enable

The UDP Flood attack defense is enabled.

- firewall defend winnuke enable

The WinNuke attack defense is enabled.

By default, no attack defense function is enabled.

----End

5.5.7.2 (Optional) Setting the Parameters for Flood Attack Defense

Context
When configuring Flood attack defense, specify the zones or IP addresses to be protected;
otherwise, the attack defense parameters are invalid. You can also specify the maximum session
rate. When the session rate exceeds the limit, the firewall considers that an attack occurs and
takes measures.

Flood attack defense parameters configured for an IP address take precedence over those
configured for a zone. If Flood attack defense is configured for both a specified IP address and
the zone where the IP address resides, the configuration for the IP address takes effect. If you
delete the attack defense configuration for the IP address, the attack defense configuration for
the zone takes effect.

Steps 2-4 are optional and can be performed in any sequence. You can perform any of these
steps as required.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall defend icmp-flood { ip ip-address [ vpn-instance vpn-instance-name ] |
zone zone-name } [ max-rate rate-value ]


The parameters for ICMP Flood attack defense are set.

Step 3 Run:
firewall defend syn-flood { ip ip-address [ vpn-instance vpn-instance-name ] |
zone zone-name } [ max-rate rate-value ] [ tcp-proxy { auto | off | on } ]

The parameters for SYN Flood attack defense are set.

Step 4 Run:
firewall defend udp-flood { ip ip-address [ vpn-instance vpn-instance-name ] |
zone zone-name } [ max-rate rate-value ]

The parameters for UDP Flood attack defense are set.

By default, the maximum session rate for Flood attacks is 1000 pps, and TCP proxy is enabled
for the SYN Flood attack defense.

----End

5.5.7.3 Configuring Large ICMP Packet Attack Defense

Context
For large ICMP packet attack defense, you only need to set the maximum packet length. When the
length of an ICMP packet exceeds the limit, the firewall considers the packet an attack packet
and discards it.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall defend large-icmp max-length length

The maximum length of an ICMP packet is set.

By default, the maximum length of an ICMP packet is 4000 bytes.

----End

5.5.7.4 Setting Parameters for Scanning Attack Defense

Context
For scanning attack defense, the following two parameters need to be set:

- Maximum session rate: When an IP address accesses another IP address or port at a rate
higher than this value, the firewall considers that a scanning attack occurs. Then the firewall
adds the IP address or port to the blacklist to reject new sessions from the IP address or
port.
- Blacklist timeout: After an IP address or port stays in the blacklist for a specified period,
the firewall deletes the IP address or port from the blacklist and allows new sessions from
the IP address or port.

Step 2 and step 3 are optional and can be performed in any sequence. You can perform the steps
as required.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall defend ip-sweep { blacklist-expire-time interval | max-rate rate-value }

The parameters for IP address sweeping attack defense are set.

Step 3 Run:
firewall defend port-scan { blacklist-expire-time interval | max-rate rate-value }

The parameters for port scanning attack defense are set.

By default, the maximum session rate for IP address sweeping and port scanning attack defense
is 4000 pps, and the blacklist timeout is 20 minutes.

----End
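An added simulation (not Huawei code) of how these two parameters interact with the blacklist of 5.5.4 and the whitelist of 5.5.5: a source whose session rate exceeds max-rate is listed for blacklist-expire-time, whitelisted sources are never listed, entries only take effect once the blacklist is enabled, and only entries without an aging time appear in the configuration. Measuring the rate per source in one-second windows is an assumption; the router's own measurement interval is not stated.

```python
"""Scan-defense blacklist simulation. Added example, not Huawei code.
Assumption: the session rate is measured per source in one-second windows."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

DEFAULT_MAX_RATE = 4000        # pps, default max-rate for ip-sweep and port-scan
DEFAULT_EXPIRE_MINUTES = 20    # default blacklist-expire-time

Key = Tuple[Optional[str], str]   # (vpn-instance or None, IP address)

@dataclass
class BlacklistEntry:
    expires_at: Optional[float]   # seconds; None = no aging time, never released
    dynamic: bool                 # created by scanning attack defense

class ScanDefense:
    def __init__(self, max_rate: int = DEFAULT_MAX_RATE,
                 expire_minutes: int = DEFAULT_EXPIRE_MINUTES) -> None:
        self.max_rate = max_rate
        self.expire = expire_minutes * 60
        self.blacklist_enabled = False     # until "firewall blacklist enable" is run
        self.blacklist: Dict[Key, BlacklistEntry] = {}
        self.whitelist: Set[Key] = set()
        self._window: Dict[Key, Tuple[int, int]] = {}   # key -> (second, sessions)

    def enable_blacklist(self) -> None:
        self.blacklist_enabled = True

    def add_whitelist(self, ip: str, vpn: Optional[str] = None) -> None:
        self.whitelist.add((vpn, ip))

    def add_blacklist(self, ip: str, vpn: Optional[str] = None,
                      expire_minutes: Optional[int] = None, now: float = 0.0) -> bool:
        """firewall blacklist ip [vpn-instance] [expire-time]; False if whitelisted."""
        key = (vpn, ip)
        if key in self.whitelist:          # whitelisted addresses are never listed
            return False
        exp = None if expire_minutes is None else now + expire_minutes * 60
        self.blacklist[key] = BlacklistEntry(exp, dynamic=False)
        return True

    def is_blocked(self, ip: str, vpn: Optional[str] = None, now: float = 0.0) -> bool:
        """True if packets from ip are filtered out at time now."""
        key = (vpn, ip)
        entry = self.blacklist.get(key)
        if entry is None:
            return False
        if entry.expires_at is not None and now >= entry.expires_at:
            del self.blacklist[key]        # aged out: new sessions allowed again
            return False
        return self.blacklist_enabled      # entries do not take effect until enabled

    def new_session(self, src_ip: str, vpn: Optional[str] = None,
                    now: float = 0.0) -> str:
        """Handle one new session from src_ip; returns 'allow' or 'drop'."""
        key = (vpn, src_ip)
        if self.is_blocked(src_ip, vpn, now):
            return "drop"
        second, count = self._window.get(key, (int(now), 0))
        if second != int(now):             # new one-second window
            second, count = int(now), 0
        count += 1
        self._window[key] = (second, count)
        if count > self.max_rate and key not in self.whitelist:
            # Rate limit exceeded: treat as a scanning attack and list the source.
            self.blacklist[key] = BlacklistEntry(now + self.expire, dynamic=True)
            return "drop" if self.blacklist_enabled else "allow"
        return "allow"

    def running_config(self) -> List[str]:
        """Only entries without an aging time appear in the configuration file."""
        lines = ["firewall blacklist enable"] if self.blacklist_enabled else []
        for (vpn, ip), entry in sorted(self.blacklist.items(), key=lambda kv: kv[0][1]):
            if entry.expires_at is None:
                lines.append(f"firewall blacklist {ip}"
                             + (f" vpn-instance {vpn}" if vpn else ""))
        return lines
```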

5.5.7.5 Checking the Configuration

Procedure
- Run the display firewall defend { flag | { icmp-flood | syn-flood | udp-flood } [ ip [ ip-
address [ vpn-instance vpn-instance-name ] ] | zone [ zone-name ] ] | other-attack-type }
command to check information about attack defense.

----End

5.5.8 Configuring Traffic Statistics and Monitoring


The Router supports traffic statistics and monitoring at the system level, zone level, and IP
address level.

5.5.8.1 Setting the Session Thresholds for System-Level Traffic Statistics and
Monitoring

Context
System-level traffic statistics and monitoring take effect on all the data flows in interzones that
are enabled with the firewall feature. That is, the Router collects statistics about the ICMP, TCP,
and UDP sessions in the interzones. When the number of sessions exceeds the threshold, the
Router restricts the sessions until the number of sessions is less than the threshold.


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall statistics system enable

The system-level traffic statistics and monitoring are enabled.

By default, the system-level traffic statistics and monitoring are disabled.

Step 3 (Optional) Run:
firewall statistics system connect-number { frag | icmp | tcp | tcp-proxy | udp }
high high-threshold low low-threshold

The session thresholds for the system-level traffic statistics and monitoring are set.

For the system-level traffic statistics, you can set the thresholds for each type of session. For
example, you can set the upper threshold for TCP sessions to 15000 and lower threshold to
12000. When the number of TCP sessions in all interzones exceeds 15000, the Router denies all
new TCP sessions in the interzone and reports an alarm to the information center. If the number
of TCP sessions falls below 12000, the Router generates a recovery log and sends the log to the
information center.

----End

5.5.8.2 Setting the Session Thresholds for Zone-Level Traffic Statistics and
Monitoring

Context
The zone-level traffic statistics and monitoring take effect on the data flows between zones. That
is, the Router counts the total number of TCP and UDP sessions between the local zone and
other zones. When the number of connections between the local zone and all the other zones or
the number of connections in a certain direction exceeds the threshold, the Router forbids new
sessions until the number of sessions is smaller than the threshold.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall zone zone-name

The zone view is displayed.

Step 3 Run:
statistics zone enable { inzone | outzone }

The zone-level traffic statistics and monitoring are enabled.


By default, the zone-level traffic statistics and monitoring are disabled.

Step 4 (Optional) Run:
statistics connect-number zone { inzone | outzone } { icmp | tcp | udp } high high-
threshold low low-threshold

The session thresholds for the zone-level traffic statistics and monitoring are set.

You can set the thresholds for TCP and UDP sessions in the inbound and outbound directions.
For example, you can set the threshold for inbound TCP sessions to 15000. When the number
of TCP sessions initiated by this zone exceeds 15000, the Router denies new TCP sessions from
this zone.

----End

5.5.8.3 Setting the Session Thresholds for IP Address-Level Traffic Statistics and
Monitoring

Context
The IP address-level traffic statistics and monitoring counts and monitors the TCP and UDP
sessions set up on an IP address in a zone. The Router determines whether to restrict the
connections in a certain direction by checking whether the number of TCP or UDP connection
requests sent from a source IP address (or received by a destination address) exceeds the
threshold. This function prevents DoS caused by malicious attacks or overloaded systems.

When the number of TCP and UDP sessions falls below the threshold, the source IP address can
initiate sessions and the destination address can receive sessions.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall zone zone-name

The zone view is displayed.

Step 3 Run:
statistics ip enable { inzone | outzone }

The IP address-level traffic statistics and monitoring are enabled.

By default, the IP address-level traffic statistics and monitoring are disabled.

Step 4 (Optional) Run:
statistics connect-number ip [ range beginip endip ] { inzone | outzone } { icmp |
tcp | udp } high high-threshold low low-threshold

The session thresholds for the IP address-level traffic statistics and monitoring are set.

You can set the thresholds for TCP and UDP sessions in the inbound and outbound directions.
For example, you can set the threshold for inbound TCP sessions to 10000. When the number
of TCP sessions initiated from an IP address in the local zone exceeds 10000, the Router denies
new TCP sessions from this IP address.

----End
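An added model (not Huawei code) of the high/low session thresholds used at the system, zone and IP address levels in 5.5.8.1 to 5.5.8.3: once the count of one session type exceeds the high threshold, new sessions of that type are denied and one alarm is raised; the restriction is lifted, with a recovery log, only when the count falls below the low threshold. That hysteresis reading of the text, and the log wording, are assumptions.

```python
"""Session-threshold monitor with high/low hysteresis. Added example, not
Huawei code; the assumption is that a restriction lasts until the session
count drops below the low threshold, as the 15000/12000 example suggests."""
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Threshold:
    high: int
    low: int

    def __post_init__(self) -> None:
        if not 0 < self.low < self.high:
            raise ValueError("need 0 < low < high")

@dataclass
class SessionMonitor:
    """One monitored scope: the system, one zone direction, or one IP address."""
    thresholds: Dict[str, Threshold] = field(default_factory=dict)  # per session type
    counts: Dict[str, int] = field(default_factory=dict)
    restricted: Dict[str, bool] = field(default_factory=dict)
    logs: List[str] = field(default_factory=list)   # sent to the information center

    def set_threshold(self, kind: str, high: int, low: int) -> None:
        """connect-number <kind> high <high> low <low>."""
        self.thresholds[kind] = Threshold(high, low)

    def open_session(self, kind: str) -> bool:
        """Return True if the new session of this type is admitted."""
        t = self.thresholds.get(kind)
        n = self.counts.get(kind, 0)
        if t is not None and (self.restricted.get(kind) or n >= t.high):
            if not self.restricted.get(kind):
                self.restricted[kind] = True      # one alarm per excursion
                self.logs.append(f"ALARM {kind}: sessions exceed {t.high}")
            return False
        self.counts[kind] = n + 1
        return True

    def close_session(self, kind: str) -> None:
        """A session of this type ended; lift the restriction below the low threshold."""
        self.counts[kind] = max(0, self.counts.get(kind, 0) - 1)
        t = self.thresholds.get(kind)
        if t is not None and self.restricted.get(kind) and self.counts[kind] < t.low:
            self.restricted[kind] = False
            self.logs.append(f"RECOVERY {kind}: sessions below {t.low}")
```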

5.5.8.4 Checking the Configuration

Procedure
- Run the display firewall statistics system command to check information about system-
level traffic statistics and monitoring.
- Run the display firewall statistics zone zone-name { inzone | outzone } all command to
check information about zone-level traffic statistics and monitoring.
- Run the display firewall statistics zone-ip zone-name command to check information
about IP address-level traffic statistics and monitoring.

----End

5.5.9 Configuring the Firewall Log Function


Firewall logs include session logs, statistics logs, attack defense logs, packet filtering logs and
blacklist logs.

Context
The session logs are exported to a log host in real time; therefore, you need to configure the log
host first. To configure the log host, configure the IP address and port number of the log host as
well as the source IP address and source port number that the Router uses to communicate with
the log host.

An ACL is referenced in the interzone view to determine the sessions to be recorded in the logs.
The ACLs can be configured for incoming and outgoing traffic.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall log binary-log host host-ip-address host-port source source-ip-address
source-port [ vpn-instance vpn-instance-name ]

A session log host is configured.

By default, no session log host is configured.

Step 3 (Optional) Run:
firewall log { blacklist | defend | session | statistics } log-interval time

The interval for exporting logs is set.

By default, logs are exported every 30 seconds.


Step 4 Run:
firewall log { all | blacklist | defend | session | statistics | packet-filter }
enable

The log function is enabled on the firewall.

By default, the log function is disabled on a firewall.

NOTE

To improve configuration efficiency, run the firewall log all enable command to enable the firewall log function.
After the command is executed, the traffic statistics, attack, and blacklist log functions take effect on the firewall.
To enable the packet filtering log function, you also need to perform Configuring packet filtering log in the
interzone; to enable the flow log function, you also need to perform Configuring flow log in the interzone.

- Configuring packet filtering log in the interzone

1. Run:
firewall interzone zone-name1 zone-name2

The interzone view is displayed.

2. Run:
packet-filter logging

The packet filtering log is enabled in the interzone.

By default, the packet filtering log is disabled in the interzone.

3. Run:
quit

Return to the system view.

- Configuring flow log in the interzone

1. Run:
firewall interzone zone-name1 zone-name2

The interzone view is displayed.

2. Run:
session-log acl-number { inbound | outbound }

The conditions of recording flow logs are configured.

By default, no condition is configured in an interzone for recording flow logs.

3. Run:
quit

Return to the system view.

----End

Checking the Configuration

- Run the display firewall log configuration command to check logs on the firewall.

5.5.10 Configuring Virtual Firewalls


You can configure a VPN instance on the device to divide the firewall into multiple virtual
firewalls. These virtual firewalls provide security for small-sized private networks.


5.5.10.1 Configuring a VPN Instance to Identify a Virtual Firewall

Context
You can configure VPN instances to identify virtual firewalls. A VPN instance corresponds to
a virtual firewall. Before configuring a virtual firewall, create a VPN instance and bind interfaces
to the VPN instance. The interfaces bound to a VPN instance belong to the same firewall and
can be configured with independent security policies.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip vpn-instance vpn-instance-name

A VPN instance is created, and the VPN instance view is displayed.

Step 3 (Optional) Run:
description description-information

The description of the VPN instance is configured.

Step 4 Run:
route-distinguisher route-distinguisher

The RD of the VPN instance is configured.

After a VPN instance is created, you must specify the RD for the VPN instance. Otherwise, you
cannot perform subsequent operations.

Step 5 Run:
interface interface-type interface-number

The interface view is displayed.

Step 6 Run:
ip binding vpn-instance vpn-instance-name

The interface is bound to the VPN instance.

Bind the interface to the VPN instance before configuring an IP address for the interface. If the
interface IP address is configured before the interface is bound to the VPN instance, the interface
IP address is deleted. You need to reconfigure the IP address for the interface.

Step 7 Run:
ip address ip-address { mask | mask-length }

An IP address is configured for the interface.

----End

5.5.10.2 Configuring Security Functions for a Virtual Firewall


Context
The procedure for configuring security functions on a virtual firewall is similar to the procedure
for configuring security functions on a firewall. You must configure security functions on each
virtual firewall independently to meet different service requirements. You can configure the
following security functions:
- Packet filtering firewall
- ASPF
- Port mapping
- Aging time of the firewall session table
- Attack defense

When configuring the following functions on a virtual firewall, you must specify a VPN instance:
- Configuring a blacklist on the virtual firewall
- Configuring a whitelist on the virtual firewall
- Configuring defense against ICMP Flood attacks
- Configuring defense against SYN Flood attacks
- Configuring defense against UDP Flood attacks

Procedure
- Configuring a blacklist on the virtual firewall
1. Run:
system-view

The system view is displayed.


2. Run:
firewall blacklist enable

The blacklist function is enabled.


3. Run:
firewall blacklist ip-address [ vpn-instance vpn-instance-name ] [ expire-
time minutes ]

An entry is added to the blacklist.


- Configuring a whitelist on the virtual firewall
1. Run:
system-view

The system view is displayed.


2. Run:
firewall whitelist ip-address [ vpn-instance vpn-instance-name ] [ expire-
time minutes ]

An entry is added to the whitelist.


- Configuring defense against ICMP Flood attacks
1. Run:
system-view

The system view is displayed.


2. Run:
firewall defend icmp-flood enable

The ICMP Flood attack defense function is enabled.


3. Run:
firewall defend icmp-flood { ip ip-address [ vpn-instance vpn-instance-
name ] | zone zone-name } [ max-rate rate-value ]

The parameters of ICMP Flood attack defense are set.


- Configuring defense against SYN Flood attacks
1. Run:
system-view

The system view is displayed.


2. Run:
firewall defend syn-flood enable

The SYN Flood attack defense function is enabled.


3. Run:
firewall defend syn-flood { ip ip-address [ vpn-instance vpn-instance-
name ] | zone zone-name } [ max-rate rate-value ] [ tcp-proxy { auto |
off | on } ]

The parameters of SYN Flood attack defense are set.


- Configuring defense against UDP Flood attacks
1. Run:
system-view

The system view is displayed.


2. Run:
firewall defend udp-flood enable

The UDP Flood attack defense function is enabled.


3. Run:
firewall defend udp-flood { ip ip-address [ vpn-instance vpn-instance-
name ] | zone zone-name } [ max-rate rate-value ]

The parameters of UDP Flood attack defense are set.

----End

5.5.10.3 Checking the Configuration

Procedure
- Run the display firewall zone [ zone-name ] [ interface | priority ] command to check
information about a zone.
- Run the display firewall interzone [ zone-name1 zone-name2 ] command to check
information about an interzone.


l Run the display firewall blacklist { all | ip-address [ vpn-instance vpn-instance-name ] | dynamic | static | vpn-instance vpn-instance-name } command to check information about the blacklist.
l Run the display firewall whitelist { all | ip-address [ vpn-instance vpn-instance-name ] |
vpn-instance vpn-instance-name } command to check information about the whitelist.
l Run the display firewall defend { flag | { icmp-flood | syn-flood | udp-flood } [ ip [ ip-address [ vpn-instance vpn-instance-name ] ] | zone [ zone-name ] ] | other-attack-type } command to check information about attack defense.

----End

5.5.11 Configuring Firewalls in HSB Mode


A firewall is a node that traffic must pass through on a network. If the firewall is faulty, traffic
is interrupted. To solve this problem, deploy two firewalls in hot standby (HSB) mode.

5.5.11.1 Creating an HSB Service

Context
An HSB service establishes an HSB channel for transmitting packets of other services and
maintains the link status by notifying the HSB group of the faulty link.

An HSB service provides the following functions:


l Establishing an HSB channel: A TCP channel is established for sending HSB packets by
setting the IP addresses and port numbers of the local and peer devices. The HSB service
provides packet sending and receiving for other services and notifies link status changes.
l Maintaining the link status of the HSB channel: HSB packets are sent periodically and retransmitted so that a broken TCP channel is noticed even when the protocol stack itself would not report it for a long time. If a device receives no HSB packet from the peer within the dead interval (retransmission interval x retransmission times), the local device is notified of the exception and re-establishes the channel to the peer.

After the HSB service configuration is complete, you cannot modify the HSB channel
parameters. The channel parameters take effect only after the HSB function is enabled.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hsb-service service-index

An HSB service is created and the HSB service view is displayed.

Step 3 Run:
service-ip-port local-ip local-ip-address peer-ip peer-ip-address local-data-port local-port peer-data-port peer-port


An HSB channel is established.

The channel parameters must be set on both the local device and the peer device, and they must mirror each other: the peer IP address and peer data port configured on the local device must be the local IP address and local data port configured on the peer device, and vice versa.

Step 4 (Optional) Run:
service-keep-alive detect retransmit retransmit-times interval interval-value

The retransmission times and interval of HSB packets are set.

NOTE

l By default, the HSB packet retransmission interval is 3 seconds and the retransmission count is 5.
l The HSB packet parameters, including retransmission interval and retransmission times, must be set
the same on both ends.

----End
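The dead-timer logic described in the context above (no HSB packet within retransmission interval x retransmission times, then the local end re-establishes the channel) and the requirement that both ends mirror each other's IP/port and timers are shown in the following Python model. It is an added example for this guide, not Huawei's implementation: the port numbers are constructed, the once-per-second check and the "re-establish" counter are assumptions, and the timeline of received packets is made up for the demonstration.

```python
DEFAULT_RETRANSMIT = 5   # retransmit-times default from the NOTE above
DEFAULT_INTERVAL = 3     # interval-value default in seconds from the NOTE above


class HsbChannel:
    """One end of the HSB channel created by 'service-ip-port ...' and timed by
    'service-keep-alive detect retransmit ... interval ...'."""

    def __init__(self, local_ip, local_port, peer_ip, peer_port,
                 retransmit=DEFAULT_RETRANSMIT, interval=DEFAULT_INTERVAL):
        self.local = (local_ip, local_port)
        self.peer = (peer_ip, peer_port)
        self.retransmit = retransmit
        self.interval = interval
        self.state = "down"
        self.last_rx = None
        self.reestablished = 0      # how often the channel was torn down and rebuilt (assumed counter)

    @property
    def dead_time(self):
        """Silence after which the peer is considered gone: retransmit x interval."""
        return self.retransmit * self.interval

    def consistent_with(self, other):
        """Both ends must mirror each other's IP/port and use the same timers."""
        return (self.local == other.peer and self.peer == other.local
                and self.retransmit == other.retransmit
                and self.interval == other.interval)

    def on_hsb_packet(self, now):
        self.last_rx = now
        self.state = "up"

    def tick(self, now):
        """Periodic check; returns the channel state after applying the dead timer."""
        if self.state == "up" and now - self.last_rx >= self.dead_time:
            self.state = "down"         # exception reported to the HSB group ...
            self.reestablished += 1     # ... and the local end re-establishes the channel
        return self.state


def simulate(channel, packet_times, end_time):
    """Feed HSB packets received at `packet_times` (constructed timeline) and return
    the times at which the channel was declared down, checking once per second."""
    downs = []
    pending = sorted(packet_times)
    for now in range(int(end_time) + 1):
        while pending and pending[0] <= now:
            channel.on_hsb_packet(pending.pop(0))
        was_up = channel.state == "up"
        if channel.tick(now) == "down" and was_up:
            downs.append(now)
    return downs


if __name__ == "__main__":
    ch = HsbChannel("192.168.1.1", 10241, "192.168.1.2", 10241)   # ports are constructed
    print(ch.dead_time)                                 # 15 seconds with the defaults
    print(simulate(ch, [0, 3, 6, 9, 30], 50))           # [24, 45]
```

With the defaults the peer is declared dead only 15 seconds after its last packet, so service state on the backup can be that stale when a switchover starts; shortening interval or retransmit shortens that window at the cost of more false failovers on a congested HSB link. Because the channel is plain TCP between the two devices, the HSB link should be a dedicated, directly connected interface rather than a path shared with user traffic.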

5.5.11.2 Configuring an HSB Group

Context
An HSB group instructs service modules to perform batch backup, real-time backup, and status
synchronization. The backup of services depends on the status negotiation and event notification
mechanisms provided by the HSB group, synchronizing services on the master and backup
devices.

An HSB group synchronizes backup information and responds to link status changes through
the HSB channel established by the HSB service. To make the HSB group work properly, bind
an HSB service to the HSB group. In addition, the HSB group must be bound to a VRRP group
to negotiate the service status based on the VRRP status. By monitoring the changes in the bound
channel status and VRRP status, the HSB group instructs service modules to perform batch
backup, real-time backup, and status synchronization.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hsb-group group-index

An HSB group is created and the HSB group view is displayed.

Step 3 Run:
bind-service service-index

An HSB service is configured for binding to the HSB group.

Step 4 Run:
track vrrp vrid virtual-router-id interface interface-type interface-number

A VRRP group is configured for binding to the HSB group.


Step 5 Run:
quit

The system view is displayed.

Step 6 (Optional) Run:
hsb-service-type firewall hsb-group group-index

The firewall service is bound to the HSB group.

NOTE

STP, VRRP, and MTU cannot be configured on the HSB link.

Bind the firewall service to the HSB group before enabling the HSB group.

----End

5.5.11.3 Enabling an HSB Group

Context
An HSB group takes effect and notifies the service modules of status changes only after the HSB
group is enabled.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hsb-group group-index

The HSB group view is displayed.

Step 3 Run:
hsb enable

The HSB group is enabled.

----End

5.5.11.4 Checking the Configuration

Procedure
l Run the display hsb-group group-index command to view information about the HSB
group.
l Run the display hsb-service service-index command to view information about the HSB
service.

----End


5.6 Maintaining the Firewall


Firewall maintenance consists of displaying the firewall configuration and clearing the firewall statistics.

5.6.1 Displaying the Firewall Configuration

Procedure
l Run the display firewall zone [ zone-name ] [ interface | priority ] command to view the
configurations of all zones or a specified zone.
l Run the display firewall interzone [ zone-name1 zone-name2 ] command to view the
configurations of an interzone.
l Run the display firewall blacklist configuration command to view the status of the
blacklist function.
l Run the display firewall blacklist { all | ip-address [ vpn-instance vpn-instance-name ] |
dynamic | static | vpn-instance vpn-instance-name } command to view the blacklist
entries.
l Run the display firewall whitelist { all | ip-address [ vpn-instance vpn-instance-name ] |
vpn-instance vpn-instance-name } command to view the whitelist entries.
l Run the display firewall statistics system [ normal all | defend ] command to view the
system-level traffic statistics.
l Run the display firewall statistics zone zone-name { inzone | outzone } all command to
view the zone-level traffic statistics and traffic monitoring information.
l Run the display firewall statistics zone-ip zone-name command to view the status of traffic
monitoring function and session thresholds for each protocol.
l Run the display firewall-nat session aging-time command to view the timeout of entries
in the session table.
l Run the display port-mapping [ dns | ftp | http | rtsp | sip | port port-number ] command
to view the mappings between application-layer protocols and ports.
l Run the display firewall defend { flag | { icmp-flood | syn-flood | udp-flood } [ ip [ ip-address [ vpn-instance vpn-instance-name ] ] | zone [ zone-name ] ] | other-attack-type } command to view the status and configuration of the attack defense functions.
l Run the display firewall log configuration command to view the global configuration of the log function.
l Run the display firewall session { all [ verbose ] | number } or display firewall session protocol { protocol-number | protocol-name } [ source source-address [ source-port ] ] [ destination destination-address [ destination-port ] ] [ verbose ] command to view the session table of the firewall.

----End

5.6.2 Clearing the Firewall Statistics


Context
To view the communication packets of a device within a specified period, clear the previous
packet statistics first.

Procedure
l Run the clear firewall statistics system normal command in the system view to clear the
statistics about normal packets in the system.
l Run the clear firewall statistics zone zone-name command in the system view to clear the
statistics about normal packets in a zone.

----End

5.7 Configuration Examples


This section provides several firewall configuration examples.

5.7.1 Example for Configuring the ACL-based Packet Filtering Firewall

Networking Requirements
As shown in Figure 5-22, Eth2/0/0 of the Router is connected to a highly secure internal network,
and GE3/0/0 is connected to an insecure external network. The Router must filter the packets
between the internal network and the external network. The following requirements must be
met:
l A host (202.39.2.3) on the external network is allowed to access the servers in the internal
network.
l Other hosts are not allowed to access servers on the internal network.

Figure 5-22 Network diagram for configuring ACL-based packet filtering: the internal network (FTP server 129.38.1.2, Telnet server 129.38.1.3, WWW server 129.38.1.4) connects to Eth2/0/0 of the Router; the external host 202.39.2.3 is reached through GE3/0/0.


Configuration Roadmap
The configuration roadmap is as follows:

1. Configure zones and an interzone.
2. Add interfaces to the zones.
3. Configure an ACL.
4. Configure ACL-based packet filtering in the interzone.

Procedure
Step 1 Configure zones and an interzone on the Router.
<Huawei> system-view
[Huawei] firewall zone trust
[Huawei-zone-trust] priority 14
[Huawei-zone-trust] quit
[Huawei] firewall zone untrust
[Huawei-zone-untrust] priority 1
[Huawei-zone-untrust] quit
[Huawei] firewall interzone trust untrust
[Huawei-interzone-trust-untrust] firewall enable
[Huawei-interzone-trust-untrust] quit

Step 2 Add Router interfaces to zones.
[Huawei] vlan 100
[Huawei-vlan100] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] ip address 129.38.1.1 24
[Huawei-Vlanif100] quit
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] port link-type access
[Huawei-Ethernet2/0/0] port default vlan 100
[Huawei-Ethernet2/0/0] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] zone trust
[Huawei-Vlanif100] quit
[Huawei] interface gigabitethernet 3/0/0
[Huawei-GigabitEthernet3/0/0] ip address 202.39.2.1 24
[Huawei-GigabitEthernet3/0/0] zone untrust
[Huawei-GigabitEthernet3/0/0] quit

Step 3 Configure an ACL on the Router.
[Huawei] acl 3102
[Huawei-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.2 0.0.0.0
[Huawei-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.3 0.0.0.0
[Huawei-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.4 0.0.0.0
[Huawei-acl-adv-3102] rule deny ip
[Huawei-acl-adv-3102] quit

Step 4 Configure packet filtering on the Router.
[Huawei] firewall interzone trust untrust
[Huawei-interzone-trust-untrust] packet-filter 3102 inbound
[Huawei-interzone-trust-untrust] quit

Step 5 Verify the configuration.

After the configuration is complete, only the specified host (202.39.2.3) can access servers on
the internal network.


Run the display firewall interzone [ zone-name1 zone-name2 ] command on the Router; the result is as follows:
[Huawei] display firewall interzone trust untrust
interzone trust untrust
firewall enable
packet-filter default deny inbound
packet-filter default permit outbound
packet-filter 3102 inbound

----End

Configuration Files
#
vlan batch 100
#
acl number 3102
rule 5 permit tcp source 202.39.2.3 0 destination 129.38.1.2 0
rule 10 permit tcp source 202.39.2.3 0 destination 129.38.1.3 0
rule 15 permit tcp source 202.39.2.3 0 destination 129.38.1.4 0
rule 20 deny ip
#
interface Vlanif100
ip address 129.38.1.1 255.255.255.0
zone trust
#
firewall zone trust
priority 14
#
firewall zone untrust
priority 1
#
firewall interzone trust untrust
firewall enable
packet-filter 3102 inbound
#
interface Ethernet2/0/0
port link-type access
port default vlan 100
#
interface GigabitEthernet3/0/0
ip address 202.39.2.1 255.255.255.0
zone untrust
#
return
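To make the semantics of this example explicit, the following Python model evaluates packets the way the configuration above says the Router does: zone priorities fix the direction (inbound is from the lower-priority zone into the higher-priority one), the interzone defaults are deny inbound and permit outbound as shown by display firewall interzone, ACL 3102 is applied inbound only and is evaluated first match wins, and an ACL wildcard bit set to 1 means "do not care". It is an added example for this guide, not Huawei code; the fallback of unmatched traffic to the interzone default and the packet dictionary shape are assumptions of the model, and the sample packets are constructed.

```python
import ipaddress

ZONE_PRIORITY = {"trust": 14, "untrust": 1}     # from 'firewall zone ... priority'
ANY = ("0.0.0.0", "255.255.255.255")             # all address bits ignored


def wildcard_match(addr, base, wildcard):
    """Huawei ACL wildcard mask: a 1 bit is ignored, so 0.0.0.0 is an exact host match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


class Rule:
    def __init__(self, action, proto, src=ANY, dst=ANY):
        self.action, self.proto, self.src, self.dst = action, proto, src, dst

    def matches(self, pkt):
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        return (wildcard_match(pkt["src"], *self.src)
                and wildcard_match(pkt["dst"], *self.dst))


# ACL 3102 exactly as configured in Step 3; rules are tried in rule-number order.
ACL_3102 = [
    Rule("permit", "tcp", ("202.39.2.3", "0.0.0.0"), ("129.38.1.2", "0.0.0.0")),
    Rule("permit", "tcp", ("202.39.2.3", "0.0.0.0"), ("129.38.1.3", "0.0.0.0")),
    Rule("permit", "tcp", ("202.39.2.3", "0.0.0.0"), ("129.38.1.4", "0.0.0.0")),
    Rule("deny", "ip"),
]

# Interzone trust-untrust: 'packet-filter 3102 inbound', nothing applied outbound.
INTERZONE_ACL = {"inbound": ACL_3102, "outbound": None}
INTERZONE_DEFAULT = {"inbound": "deny", "outbound": "permit"}   # from the display output


def direction(src_zone, dst_zone):
    """Inbound means from the lower-priority zone into the higher-priority zone."""
    return "inbound" if ZONE_PRIORITY[src_zone] < ZONE_PRIORITY[dst_zone] else "outbound"


def acl_lookup(rules, pkt):
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return None     # no rule matched


def filter_packet(pkt, src_zone, dst_zone):
    """Return 'permit' or 'deny' for a packet crossing the trust-untrust interzone."""
    d = direction(src_zone, dst_zone)
    rules = INTERZONE_ACL[d]
    if rules is not None:
        action = acl_lookup(rules, pkt)
        if action is not None:
            return action
    return INTERZONE_DEFAULT[d]     # assumption: unmatched traffic falls back to the default


if __name__ == "__main__":
    # Constructed sample packets: the permitted host, another host, and a reply going out.
    for pkt, s, d in [({"proto": "tcp", "src": "202.39.2.3", "dst": "129.38.1.2"}, "untrust", "trust"),
                      ({"proto": "tcp", "src": "202.39.2.4", "dst": "129.38.1.2"}, "untrust", "trust"),
                      ({"proto": "tcp", "src": "129.38.1.2", "dst": "202.39.2.9"}, "trust", "untrust")]:
        print(pkt["src"], "->", pkt["dst"], filter_packet(pkt, s, d))
```

Two observations about the policy follow from running the model. ACL 3102 permits every TCP port from 202.39.2.3 to each server, not just the FTP, Telnet and HTTP services those hosts offer; limiting each rule to the destination port the server actually serves would be the least-privilege version. The final rule deny ip is redundant with the inbound default of deny, but it makes the intent visible in the configuration file and protects the policy if someone later changes the interzone default.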

5.7.2 Example for Configuring ASPF and Port Mapping

Networking Requirements
As shown in Figure 5-23, Eth2/0/0 of the Router is connected to a highly secure internal network,
and GE3/0/0 is connected to an insecure external network. The Router must filter the packets
and perform ASPF check between the internal network and the external network. The following
requirements must be met:
l A host (202.39.2.3) on the external network is allowed to access the servers in the internal
network.
l Other hosts are not allowed to access servers on the internal network.
l The Router checks the FTP status of the connections and filters out undesired packets.


l The FTP server listens on port 2121 rather than the standard port 21, so the Router must treat TCP port 2121 on the FTP server as FTP for ASPF to inspect it.

Figure 5-23 Network diagram of ASPF and port mapping: the internal network (FTP server 129.38.1.2, Telnet server 129.38.1.3, WWW server 129.38.1.4) connects to Eth2/0/0 of the Router; the external host 202.39.2.3 is reached through GE3/0/0.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure zones and an interzone.
2. Add interfaces to the zones.
3. Configure ACLs.
4. Configure ACL-based packet filtering in the interzone.
5. Configure ASPF in the interzone.
6. Map port 2121 to the FTP protocol.

Procedure
Step 1 Configure zones and an interzone on the Router.
<Huawei> system-view
[Huawei] firewall zone trust
[Huawei-zone-trust] priority 14
[Huawei-zone-trust] quit
[Huawei] firewall zone untrust
[Huawei-zone-untrust] priority 1
[Huawei-zone-untrust] quit
[Huawei] firewall interzone trust untrust
[Huawei-interzone-trust-untrust] firewall enable
[Huawei-interzone-trust-untrust] quit

Step 2 Add the interfaces of the Router to zones.
[Huawei] vlan 100
[Huawei-vlan100] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] ip address 129.38.1.1 24
[Huawei-Vlanif100] quit
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] port link-type access
[Huawei-Ethernet2/0/0] port default vlan 100


[Huawei-Ethernet2/0/0] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] zone trust
[Huawei-Vlanif100] quit
[Huawei] interface gigabitethernet 3/0/0
[Huawei-GigabitEthernet3/0/0] ip address 202.39.2.1 24
[Huawei-GigabitEthernet3/0/0] zone untrust
[Huawei-GigabitEthernet3/0/0] quit

Step 3 Configure ACLs on the Router.
[Huawei] acl 2102
[Huawei-acl-basic-2102] rule permit source 129.38.1.2 0.0.0.0
[Huawei-acl-basic-2102] quit
[Huawei] acl 3102
[Huawei-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.2 0.0.0.0
[Huawei-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.3 0.0.0.0
[Huawei-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.4 0.0.0.0
[Huawei-acl-adv-3102] rule deny ip
[Huawei-acl-adv-3102] quit

Step 4 Configure packet filtering on the Router.
[Huawei] firewall interzone trust untrust
[Huawei-interzone-trust-untrust] packet-filter 3102 inbound

Step 5 Configure ASPF on the Router.
[Huawei-interzone-trust-untrust] detect aspf ftp
[Huawei-interzone-trust-untrust] quit

Step 6 Configure port mapping on the Router.
[Huawei] port-mapping ftp port 2121 acl 2102

Step 7 Verify the configuration.

Run the display firewall interzone zone-name1 zone-name2 command on the Router; the command output is as follows:
[Huawei] display firewall interzone trust untrust
interzone trust untrust
firewall enable
packet-filter default deny inbound
packet-filter default permit outbound
packet-filter 3102 inbound
detect aspf ftp

Run the display port-mapping ftp command on the Router; the command output is as follows:
[Huawei] display port-mapping ftp
-------------------------------------------------
Service Port Acl Type
-------------------------------------------------
ftp 21 system defined
ftp 2121 2102 user defined
-------------------------------------------------
Total number is : 2

----End

Configuration Files
#
vlan batch 100


#
acl number 2102
rule 5 permit source 129.38.1.2 0
#
acl number 3102
rule 5 permit tcp source 202.39.2.3 0 destination 129.38.1.2 0
rule 10 permit tcp source 202.39.2.3 0 destination 129.38.1.3 0
rule 15 permit tcp source 202.39.2.3 0 destination 129.38.1.4 0
rule 20 deny ip
#
port-mapping ftp port 2121 acl 2102
#
interface Vlanif100
ip address 129.38.1.1 255.255.255.0
zone trust
#
firewall zone trust
priority 14
#
firewall zone untrust
priority 1
#
firewall interzone trust untrust
firewall enable
packet-filter 3102 inbound
detect aspf ftp
#
interface Ethernet2/0/0
port link-type access
port default vlan 100
#
interface GigabitEthernet3/0/0
ip address 202.39.2.1 255.255.255.0
zone untrust
#
return
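The following Python example shows what detect aspf ftp and port-mapping ftp port 2121 acl 2102 achieve together in this example: a connection to port 2121 is classified as FTP only when the server is permitted by ACL 2102 (here 129.38.1.2), while port 21 is FTP for every host, and the FTP control channel is parsed so that the data connection negotiated by PASV or PORT is admitted through a temporary pinhole instead of a standing inbound permit. It is an added example for this guide, not Huawei code; the pinhole tuple, the rejection of privileged data ports and the check that an announced address belongs to the session's own endpoints (the classic defence against FTP bounce) are this example's choices, and the FTP lines are constructed.

```python
import re

# Port mapping table from Step 6: port 21 is system defined for every host; port 2121 is
# user defined and applies only to servers matched by ACL 2102 (129.38.1.2).
SYSTEM_DEFINED = {21: "ftp"}
USER_DEFINED = [(2121, "ftp", frozenset({"129.38.1.2"}))]   # (port, app, hosts permitted by the ACL)


def identify_app(server_ip, server_port):
    """Which application-layer protocol ASPF should parse on this server socket."""
    if server_port in SYSTEM_DEFINED:
        return SYSTEM_DEFINED[server_port]
    for port, app, hosts in USER_DEFINED:
        if server_port == port and server_ip in hosts:
            return app
    return None


# PASV reply (server) and PORT command (client) both carry h1,h2,h3,h4,p1,p2; port = p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def parse_data_endpoint(line):
    """Return (ip, port) announced on the control channel, or None if the line is malformed."""
    m = PASV_RE.match(line) or PORT_RE.match(line)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    return ip, octets[4] * 256 + octets[5]


class AspfFtp:
    """Tracks FTP control sessions and opens pinholes for the negotiated data connection."""

    def __init__(self):
        self.pinholes = set()          # (src_ip, dst_ip, dst_port) admitted without an ACL match

    def inspect(self, client_ip, server_ip, server_port, line):
        """Inspect one control-channel line; return the pinhole opened, or None."""
        if identify_app(server_ip, server_port) != "ftp":
            return None                # not FTP according to the port mapping: nothing to parse
        ep = parse_data_endpoint(line)
        if ep is None:
            return None
        ip, port = ep
        if port < 1024:
            return None                # refuse privileged data ports (bounce/abuse check)
        if line.startswith("PORT"):
            if ip != client_ip:        # active mode: the client may only name its own address
                return None
            pinhole = (server_ip, client_ip, port)   # server connects back to the client
        else:
            if ip != server_ip:        # passive mode: the server may only name its own address
                return None
            pinhole = (client_ip, server_ip, port)   # client connects to the server's data port
        self.pinholes.add(pinhole)
        return pinhole

    def allows(self, src_ip, dst_ip, dst_port):
        return (src_ip, dst_ip, dst_port) in self.pinholes


if __name__ == "__main__":
    aspf = AspfFtp()
    # Constructed PASV reply from the FTP server on its mapped port 2121.
    print(aspf.inspect("202.39.2.3", "129.38.1.2", 2121, "227 Entering Passive Mode (129,38,1,2,19,137)."))
    print(aspf.allows("202.39.2.3", "129.38.1.2", 5001))
```

Without the port mapping, the session to port 2121 would be a plain TCP session as far as ASPF is concerned, the PASV reply would never be parsed, and the client's data connection to port 5001 would fall to the inbound default and be denied; without ASPF, the only alternative would be a wide static permit to the server's ephemeral port range. The address check on the announced endpoint matters because an FTP server or client can otherwise be coaxed into announcing a third host and turning the pinhole into an open door.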

5.7.3 Example for Configuring the Blacklist

Networking Requirements
As shown in Figure 5-24, Eth2/0/0 of the Router is connected to a highly secure internal network,
and GE3/0/0 is connected to the insecure external network.

The Router needs to apply IP address sweeping defense and the blacklist function to packets sent from the Internet to the enterprise intranet. If the Router detects an IP address sweeping attack from a source IP address, it adds that address to the blacklist. The maximum session rate is 5000 pps, and the blacklist timeout is 30 minutes.

If an IP address, for example 202.39.1.2, attacks the enterprise intranet repeatedly, you can add it to the blacklist manually. A manually added entry is permanent and never expires.


Figure 5-24 Network diagram of blacklist configuration: the enterprise network and its server connect to Eth2/0/0 of the Router; GE3/0/0 faces the external network.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure zones and an interzone.
2. Add interfaces to the zones.
3. Enable the blacklist function.
4. Add an entry to the blacklist.
5. Enable the defense against IP address sweeping and port scanning.
6. Configure the maximum session rate and blacklist timeout for the defense against IP address sweeping and port scanning.

Procedure
Step 1 Configure zones and an interzone on the Router.
[Huawei] firewall zone trust
[Huawei-zone-trust] priority 14
[Huawei-zone-trust] quit
[Huawei] firewall zone untrust
[Huawei-zone-untrust] priority 1
[Huawei-zone-untrust] quit
[Huawei] firewall interzone trust untrust
[Huawei-interzone-trust-untrust] firewall enable
[Huawei-interzone-trust-untrust] quit

Step 2 Add Router interfaces to zones.
[Huawei] vlan 100
[Huawei-vlan100] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] ip address 129.38.1.1 24
[Huawei-Vlanif100] quit
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] port link-type access
[Huawei-Ethernet2/0/0] port default vlan 100
[Huawei-Ethernet2/0/0] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] zone trust
[Huawei-Vlanif100] quit


[Huawei] interface gigabitethernet 3/0/0
[Huawei-GigabitEthernet3/0/0] ip address 202.39.2.1 24
[Huawei-GigabitEthernet3/0/0] zone untrust
[Huawei-GigabitEthernet3/0/0] quit

Step 3 Enable the blacklist function.
[Huawei] firewall blacklist enable

Step 4 Add an entry to the blacklist.
[Huawei] firewall blacklist 202.39.1.2

Step 5 Enable the defense against IP address sweeping and port scanning.
[Huawei] firewall defend ip-sweep enable
[Huawei] firewall defend port-scan enable

Step 6 Configure the maximum session rate and blacklist timeout for the defense against IP address
sweeping and port scanning.
[Huawei] firewall defend ip-sweep max-rate 5000
[Huawei] firewall defend ip-sweep blacklist-expire-time 30
[Huawei] firewall defend port-scan max-rate 5000
[Huawei] firewall defend port-scan blacklist-expire-time 30

Step 7 Verify the configuration.

Run the display firewall interzone [ zone-name1 zone-name2 ] command on the Router; the command output is as follows:
[Huawei] display firewall interzone trust untrust
interzone trust untrust
firewall enable
packet-filter default deny inbound
packet-filter default permit outbound

Run the display firewall blacklist all command on the Router; the command output is as follows:
[Huawei] display firewall blacklist all
Firewall Blacklist Items :
------------------------------------------------------------------------
IP-Address Reason Expire-Time(m) VPN-Instance
------------------------------------------------------------------------
202.39.1.2 Manual Permanent
------------------------------------------------------------------------
total number is : 1

Run the display firewall defend command on the Router; the command output is as follows:
[Huawei] display firewall defend port-scan
defend-flag : enable
max-rate : 5000 (pps)
blacklist-expire-time : 30 (m)

[Huawei] display firewall defend ip-sweep
defend-flag : enable
max-rate : 5000 (pps)
blacklist-expire-time : 30 (m)

----End

Configuration Files
#
firewall defend ip-sweep enable
firewall defend port-scan enable
firewall defend ip-sweep max-rate 5000
firewall defend ip-sweep blacklist-expire-time 30
firewall defend port-scan max-rate 5000
firewall defend port-scan blacklist-expire-time 30
#
firewall blacklist enable
firewall blacklist 202.39.1.2
#
vlan batch 100
#
interface Vlanif100
ip address 129.38.1.1 255.255.255.0
zone trust
#
firewall zone trust
priority 14
#
firewall zone untrust
priority 1
#
firewall interzone trust untrust
firewall enable
#
interface Ethernet2/0/0
port link-type access
port default vlan 100
#
interface GigabitEthernet3/0/0
ip address 202.39.2.1 255.255.255.0
zone untrust
#
return

5.7.4 Example for Configuring Blacklists on Virtual Firewalls

Networking Requirements
On the Router, virtual firewalls can be independently deployed on VPN instances.

As shown in Figure 5-25, virtual firewalls are configured for VPN instances on the Router to
isolate department A and department B. Firewall policies are deployed independently and zones
are configured for each VPN. Department A detects attack packets from 10.3.1.2 on VPN1. A
blacklist needs to be configured on VPN1 to discard packets with source IP address 10.3.1.2.


Figure 5-25 Networking diagram of blacklist configuration on virtual firewalls: Department A (VPN1) has PC1 10.1.1.2/24 behind GE1/0/0 10.1.1.1/24 (zone trust_a) and PC3 10.3.1.2/24 behind GE3/0/0 10.3.1.1/24 (zone untrust_a); Department B (VPN2) has PC2 10.2.1.2/24 behind GE2/0/0 10.2.1.1/24 (zone trust_b) and PC4 10.4.1.2/24 behind GE4/0/0 10.4.1.1/24 (zone untrust_b).

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure VPN instances on the Router to isolate department A from department B.
2. Configure zones on the Router.
3. Configure a blacklist for VPN1 on the Router to filter out packets with source IP address 10.3.1.2.

Procedure
Step 1 Configure VPN instances on the Router.

# Configure VPN instances vpn1 and vpn2 for department A and department B.
<Huawei> system-view
[Huawei] sysname Router
[Router] ip vpn-instance vpn1
[Router-vpn-instance-vpn1] ipv4-family
[Router-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[Router-vpn-instance-vpn1-af-ipv4] quit
[Router-vpn-instance-vpn1] quit
[Router] ip vpn-instance vpn2
[Router-vpn-instance-vpn2] ipv4-family
[Router-vpn-instance-vpn2-af-ipv4] route-distinguisher 200:1
[Router-vpn-instance-vpn2-af-ipv4] quit
[Router-vpn-instance-vpn2] quit


# Bind VPN instances to private interfaces and configure private IP addresses as gateway
addresses.
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip binding vpn-instance vpn1
[Router-GigabitEthernet1/0/0] ip address 10.1.1.1 255.255.255.0
[Router-GigabitEthernet1/0/0] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] ip binding vpn-instance vpn2
[Router-GigabitEthernet2/0/0] ip address 10.2.1.1 255.255.255.0
[Router-GigabitEthernet2/0/0] quit
[Router] interface gigabitethernet 3/0/0
[Router-GigabitEthernet3/0/0] ip binding vpn-instance vpn1
[Router-GigabitEthernet3/0/0] ip address 10.3.1.1 255.255.255.0
[Router-GigabitEthernet3/0/0] quit
[Router] interface gigabitethernet 4/0/0
[Router-GigabitEthernet4/0/0] ip binding vpn-instance vpn2
[Router-GigabitEthernet4/0/0] ip address 10.4.1.1 255.255.255.0
[Router-GigabitEthernet4/0/0] quit

Step 2 Configure zones on the Router.

# Configure zones and an interzone for vpn1 on the Router.
[Router] firewall zone trust_a
[Router-zone-trust_a] priority 15
[Router-zone-trust_a] quit
[Router] firewall zone untrust_a
[Router-zone-untrust_a] priority 1
[Router-zone-untrust_a] quit
[Router] firewall interzone trust_a untrust_a
[Router-interzone-trust_a-untrust_a] firewall enable
[Router-interzone-trust_a-untrust_a] quit

# Configure zones and an interzone for vpn2 on the Router.
[Router-zone-trust_b] priority 30
[Router-zone-trust_b] quit
[Router] firewall zone untrust_b
[Router-zone-untrust_b] priority 5
[Router-zone-untrust_b] quit
[Router] firewall interzone trust_b untrust_b
[Router-interzone-trust_b-untrust_b] firewall enable
[Router-interzone-trust_b-untrust_b] quit

# On the Router, add interfaces to zones.
[Router-GigabitEthernet1/0/0] zone trust_a
[Router-GigabitEthernet1/0/0] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] zone trust_b
[Router-GigabitEthernet2/0/0] quit
[Router] interface gigabitethernet 3/0/0
[Router-GigabitEthernet3/0/0] zone untrust_a
[Router-GigabitEthernet3/0/0] quit
[Router] interface gigabitethernet 4/0/0
[Router-GigabitEthernet4/0/0] zone untrust_b
[Router-GigabitEthernet4/0/0] quit

Step 3 Configure the blacklist for vpn1 on the Router.

# Enable the blacklist function.
[Router] firewall blacklist enable

# Add a blacklist entry in vpn1.


[Router] firewall blacklist 10.3.1.2 vpn-instance vpn1

Step 4 Verify the configuration.

# After the configuration is complete, run the display firewall interzone command on the Router to view interzone policies.
[Router] display firewall interzone
interzone trust_a untrust_a
firewall enable
packet-filter default deny inbound
packet-filter default permit outbound

interzone trust_b untrust_b
firewall enable
packet-filter default deny inbound
packet-filter default permit outbound

total number is : 2

# Run the display firewall blacklist all command on the Router to view blacklist information.
[Router] display firewall blacklist all
Firewall blacklist items :
------------------------------------------------------------------------------
IP-Address Reason Expire-Time(m) VPN-Instance
------------------------------------------------------------------------------
10.3.1.2 Manual Permanent vpn1
------------------------------------------------------------------------------
Total number is : 1

# Packets from PC3 (10.3.1.2) are now discarded by the virtual firewall of vpn1, while department B on vpn2 is unaffected.

----End

Configuration Files
l Configuration file of the Router
#
sysname Router
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
#
ip vpn-instance vpn2
ipv4-family
route-distinguisher 200:1
#
firewall zone trust_a
priority 15
#
firewall zone trust_b
priority 30
#
firewall zone untrust_a
priority 1
#
firewall zone untrust_b
priority 5
#
firewall interzone trust_a untrust_a
firewall enable
#
firewall interzone trust_b untrust_b
firewall enable


#
firewall blacklist enable
firewall blacklist 10.3.1.2 vpn-instance vpn1
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1
ip address 10.1.1.1 255.255.255.0
zone trust_a
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn2
ip address 10.2.1.1 255.255.255.0
zone trust_b
#
interface GigabitEthernet3/0/0
ip binding vpn-instance vpn1
ip address 10.3.1.1 255.255.255.0
zone untrust_a
#
interface GigabitEthernet4/0/0
ip binding vpn-instance vpn2
ip address 10.4.1.1 255.255.255.0
zone untrust_b
#
return
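The behaviour configured in 5.7.3 and 5.7.4 is modelled by the following Python example, added for this guide and not Huawei code: a sweep detector with a max-rate threshold that puts the offending source on the blacklist for blacklist-expire-time minutes, manual entries that are permanent, and entries keyed by VPN instance so that the entry for 10.3.1.2 in vpn1 has no effect on the same address in vpn2 or in the public instance. Counting distinct destination addresses per source within one second as the sweep metric, the reason string for dynamic entries, and the packet stream are assumptions of this example; the display rows follow the column layout of display firewall blacklist all.

```python
class Blacklist:
    """Entries keyed by (ip, vpn-instance); vpn None is the public instance."""

    def __init__(self):
        self._entries = {}      # (ip, vpn) -> (reason, expiry time or None for permanent)

    def add(self, ip, vpn=None, expire_minutes=None, reason="Manual", now=0.0):
        expiry = None if expire_minutes is None else now + expire_minutes * 60
        self._entries[(ip, vpn)] = (reason, expiry)

    def is_blocked(self, ip, vpn=None, now=0.0):
        entry = self._entries.get((ip, vpn))
        if entry is None:
            return False
        reason, expiry = entry
        if expiry is not None and now >= expiry:
            del self._entries[(ip, vpn)]    # aged out, like a dynamic entry after expire-time
            return False
        return True

    def display(self, now=0.0):
        """Rows in the shape of 'display firewall blacklist all':
        (IP-Address, Reason, Expire-Time(m), VPN-Instance)."""
        rows = []
        for (ip, vpn), (reason, expiry) in sorted(self._entries.items(),
                                                   key=lambda kv: (kv[0][1] or "", kv[0][0])):
            left = "Permanent" if expiry is None else str(max(0, -(-int(expiry - now) // 60)))
            rows.append((ip, reason, left, vpn or ""))
        return rows


class IpSweepDefender:
    """Models 'firewall defend ip-sweep max-rate N' with 'blacklist-expire-time M':
    a source that touches more than N distinct destination addresses within one
    second is blacklisted for M minutes (the per-second distinct-destination metric
    is this example's assumption)."""

    def __init__(self, blacklist, max_rate, blacklist_expire_minutes):
        self.blacklist = blacklist
        self.max_rate = max_rate
        self.expire = blacklist_expire_minutes
        self._seen = {}          # (src, vpn) -> (second, set of destinations seen in it)

    def on_packet(self, src, dst, vpn=None, now=0.0):
        """Return 'drop' or 'pass' for one packet from src to dst inside `vpn`."""
        if self.blacklist.is_blocked(src, vpn, now):
            return "drop"
        sec = int(now)
        prev_sec, dsts = self._seen.get((src, vpn), (sec, set()))
        if prev_sec != sec:
            dsts = set()
        dsts.add(dst)
        self._seen[(src, vpn)] = (sec, dsts)
        if len(dsts) > self.max_rate:
            self.blacklist.add(src, vpn, self.expire, reason="IpSweep", now=now)
            return "drop"
        return "pass"


if __name__ == "__main__":
    bl = Blacklist()
    bl.add("202.39.1.2")                      # manual permanent entry, as in 5.7.3
    bl.add("10.3.1.2", vpn="vpn1")            # manual entry bound to vpn1, as in 5.7.4
    d = IpSweepDefender(bl, max_rate=3, blacklist_expire_minutes=30)
    # Constructed sweep: one external source probing five intranet addresses in one second.
    print([d.on_packet("203.0.113.9", f"129.38.1.{i}", now=10.0) for i in range(1, 6)])
    for row in bl.display(now=10.0):
        print("%-16s %-10s %-14s %s" % row)
```

Two consequences are visible in the model. A dynamic entry disappears on its own after blacklist-expire-time, so a persistent attacker is blocked again only after a fresh detection, which is the reason the example adds 202.39.1.2 by hand as a permanent entry. Keying on the VPN instance means a blacklist entry on one virtual firewall never silently affects another department's traffic, but it also means the same attacker must be listed in each instance it can reach.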

5.7.5 Example for Configuring Firewall HSB

Networking Requirements
To ensure enterprise intranet security, Enterprise A deploys a firewall between the intranet and
extranet. All traffic must pass through the firewall device; therefore, the firewall device failure
leads to interruption of all traffic. To enhance network reliability, Enterprise A deploys two
firewall devices in HSB mode to ensure uninterrupted network upon the failure of a firewall
device, as shown in Figure 5-26.


Figure 5-26 Networking diagram for configuring firewall HSB: RouterA (master) and RouterB (backup) each connect to RouterC and the Internet through GE3/0/0 (192.168.2.1/24 and 192.168.2.2/24), directly to each other through GE1/0/0 (192.168.1.1/24 and 192.168.1.2/24), and to the Switch through GE2/0/0 (10.1.1.1/24 and 10.1.1.2/24) running VRRP with virtual IP 10.10.1.111/24; Switch ports GE0/0/1 and GE0/0/2 are in VLAN 100 and serve Enterprise A.

Configuration Roadmap
In normal cases, hosts in Enterprise A use RouterA as the default gateway to access the Internet.
When RouterA becomes faulty, RouterB takes over services on RouterA. The configuration
roadmap is as follows:
1. Assign an IP address to each interface of devices and configure a routing protocol on each
device to ensure network connectivity.
2. Configure the firewall function on RouterA and RouterB to implement security isolation
between the enterprise intranet and extranet.
3. Configure VRRP groups on RouterA and RouterB. Configure a high priority for RouterA
as the master device to forward traffic, and a low priority for RouterB as the backup device.
4. Configure the HSB function for RouterA and RouterB so that service information on
RouterA is backed up to RouterB in batches in real time, ensuring smooth service
switchover from the master device to the backup device.
5. Enable the firewall HSB function on RouterA and RouterB so that the backup firewall
device RouterB starts the firewall function upon RouterA failure, ensuring non-stop
network running.

Procedure
Step 1 Configure devices to ensure network connectivity.
# Assign an IP address to each interface on RouterA. The configuration on RouterB is similar
to that on RouterA.
<Huawei> system-view
[Huawei] sysname RouterA

[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 192.168.1.1 24
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ip address 10.1.1.1 24
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] interface gigabitethernet 3/0/0
[RouterA-GigabitEthernet3/0/0] ip address 192.168.2.1 24
[RouterA-GigabitEthernet3/0/0] quit

# Configure Layer 2 transparent transmission on Switch.
<Huawei> system-view
[Huawei] sysname Switch
[Switch] vlan 100
[Switch-vlan100] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port hybrid pvid vlan 100
[Switch-GigabitEthernet0/0/1] port hybrid untagged vlan 100
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port hybrid pvid vlan 100
[Switch-GigabitEthernet0/0/2] port hybrid untagged vlan 100
[Switch-GigabitEthernet0/0/2] quit

Step 2 Configure the firewall function.

# Configure the firewall function for RouterA. The configuration on RouterB is similar to that
on RouterA.
[RouterA] firewall zone trust
[RouterA-zone-trust] priority 15
[RouterA-zone-trust] quit
[RouterA] firewall zone untrust
[RouterA-zone-untrust] priority 1
[RouterA-zone-untrust] quit
[RouterA] firewall interzone trust untrust
[RouterA-interzone-trust-untrust] firewall enable
[RouterA-interzone-trust-untrust] quit

# Add an interface on RouterA to the security zone. The configuration on RouterB is similar to
that on RouterA.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] zone untrust
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] zone trust
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] interface gigabitethernet 3/0/0
[RouterA-GigabitEthernet3/0/0] zone untrust
[RouterA-GigabitEthernet3/0/0] quit

Step 3 Configure VRRP groups.

# Create VRRP group 1 on RouterA and set the VRRP priority to 120.
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] vrrp vrid 1 virtual-ip 10.1.1.111
[RouterA-GigabitEthernet2/0/0] vrrp vrid 1 priority 120
[RouterA-GigabitEthernet2/0/0] quit

# Create VRRP group 1 on RouterB and set the VRRP priority to 100.
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] vrrp vrid 1 virtual-ip 10.1.1.111
[RouterB-GigabitEthernet2/0/0] quit

Step 4 Configure the HSB function and enable HSB for the firewall devices.

# Create HSB service 0 on RouterA and configure the IP addresses and port numbers for the
local and peer devices.
[RouterA] hsb-service 0
[RouterA-hsb-service-0] service-ip-port local-ip 192.168.1.1 peer-ip 192.168.1.2
local-data-port 10241 peer-data-port 10241
[RouterA-hsb-service-0] quit

# Create HSB service 0 on RouterB and configure the IP addresses and port numbers for the
local and peer devices.
[RouterB] hsb-service 0
[RouterB-hsb-service-0] service-ip-port local-ip 192.168.1.2 peer-ip 192.168.1.1
local-data-port 10241 peer-data-port 10241
[RouterB-hsb-service-0] quit

# Create HSB group 0 on RouterA, and bind HSB group 0 to VRRP group 1. The configuration
on RouterB is similar to that on RouterA.
[RouterA] hsb-group 0
[RouterA-hsb-group-0] bind-service 0
[RouterA-hsb-group-0] track vrrp vrid 1 interface gigabitethernet 2/0/0
[RouterA-hsb-group-0] quit

# Enable the firewall function for RouterA. The configuration on RouterB is similar to that on
RouterA.
[RouterA] hsb-service-type firewall hsb-group 0

# Enable HSB group 0 on RouterA to make it take effect. The configuration on RouterB is similar
to that on RouterA.
[RouterA] hsb-group 0
[RouterA-hsb-group-0] hsb enable
[RouterA-hsb-group-0] quit

Step 5 Verify the configuration.

# Run the display hsb-group group-index command on RouterA and RouterB to check the HSB
group running status. The command output on RouterA and RouterB is as follows:
<RouterA> display hsb-group 0
Hot Standby Group Configuration:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 2
Vrrp Interface : GigabitEthernet2/0/0
Service Index : 0
Group Vrrp Status : Master
Group Status : Active
Backup Service Type : Firewall
Firewall Backup Process :
----------------------------------------------------------
<RouterB> display hsb-group 0
Hot Standby Group Configuration:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 2
Vrrp Interface : GigabitEthernet2/0/0
Service Index : 0
Group Vrrp Status : Backup
Group Status : Active
Backup Service Type : Firewall
Firewall Backup Process :
----------------------------------------------------------

# Run the shutdown command on interface GE2/0/0 of RouterA to simulate a fault on RouterA.
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] shutdown
[RouterA-GigabitEthernet2/0/0] quit

# Run the display hsb-group group-index command on RouterB to check the HSB group status.
The command output shows that RouterB is Master.
<RouterB> display hsb-group 0
Hot Standby Group Configuration:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 2
Vrrp Interface : GigabitEthernet2/0/0
Service Index : 0
Group Vrrp Status : Master
Group Status : Active
Backup Service Type : Firewall
Firewall Backup Process :
----------------------------------------------------------

----End

Configuration Files
l Configuration file of RouterA
#
sysname RouterA
#
hsb-service-type firewall hsb-group 0
#
interface GigabitEthernet1/0/0
ip address 192.168.1.1 255.255.255.0
zone untrust
#
interface GigabitEthernet2/0/0
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
vrrp vrid 1 priority 120
zone trust
#
interface GigabitEthernet3/0/0
ip address 192.168.2.1 255.255.255.0
zone untrust
#
hsb-service 0
service-ip-port local-ip 192.168.1.1 peer-ip 192.168.1.2 local-data-port 10241 peer-data-port 10241
#
firewall zone trust
priority 15
#
firewall zone untrust
priority 1
#
firewall interzone trust untrust
firewall enable
#
hsb-group 0
track vrrp vrid 1 interface GigabitEthernet2/0/0
bind-service 0
hsb enable
#
return

l Configuration file of RouterB
#
sysname RouterB
#
hsb-service-type firewall hsb-group 0
#
interface GigabitEthernet1/0/0
ip address 192.168.1.2 255.255.255.0
zone untrust
#
interface GigabitEthernet2/0/0
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
zone trust
#
interface GigabitEthernet3/0/0
ip address 192.168.2.2 255.255.255.0
zone untrust
#
firewall zone trust
priority 15
#
firewall zone untrust
priority 1
#
firewall interzone trust untrust
firewall enable
#
hsb-service 0
service-ip-port local-ip 192.168.1.2 peer-ip 192.168.1.1 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface GigabitEthernet2/0/0
bind-service 0
hsb enable
#
return

l Configuration file of Switch
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
return

5.8 FAQ
The FAQs on Firewall are listed.

5.8.1 How Do I Delete and View the Firewall and NAT Flow Table?
Run the reset session all command in the system view to clear the firewall and NAT flow table.

Run the display session command in any view to check the firewall and NAT flow table.

5.8.2 How Can I View the ACL Hit Count Configured on the Packet
Filtering Firewall?
1. In the system view, run the traffic classifier classifier-name command to create a traffic
classifier and access the traffic classifier view. Run the if-match acl { acl-number | acl-name }
command to configure ACL rules for traffic classification.
2. In the system view, run the traffic behavior behavior-name command to create a traffic
behavior and access the traffic behavior view. Run the statistic enable command to enable
the traffic statistics function.
3. In the system view, run the traffic policy policy-name command to create a traffic policy
and access the traffic policy view. Run the classifier classifier-name behavior behavior-name
command to associate a traffic classifier and a traffic behavior with the traffic policy.
4. In the interface view, run the traffic-policy policy-name inbound command to apply the
traffic policy to the interface.
5. Run the display traffic policy statistics interface interface-type interface-number
inbound verbose rule-base command to view the ACL hit count configured on the packet
filtering firewall.
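The five steps above combined into one command sequence, as an added example that is not part of the original guide. It assumes that advanced ACL 3000 has already been created as described in 4 ACL Configuration and is the ACL whose hits you want to count; the classifier name c_fw, behavior name b_stat, policy name p_hits, the ACL number and the interface GigabitEthernet1/0/0 are assumptions chosen for illustration, and the prompts follow the convention used in this guide.

```vrp
# Assumed prerequisite from 4 ACL Configuration: advanced ACL 3000 already exists.
<Huawei> system-view
# Step 1: classifier c_fw (assumed name) matches packets that hit ACL 3000
[Huawei] traffic classifier c_fw
[Huawei-classifier-c_fw] if-match acl 3000
[Huawei-classifier-c_fw] quit
# Step 2: behavior b_stat (assumed name) only counts matching packets; it does not drop or remark them
[Huawei] traffic behavior b_stat
[Huawei-behavior-b_stat] statistic enable
[Huawei-behavior-b_stat] quit
# Step 3: policy p_hits (assumed name) binds the classifier to the behavior
[Huawei] traffic policy p_hits
[Huawei-trafficpolicy-p_hits] classifier c_fw behavior b_stat
[Huawei-trafficpolicy-p_hits] quit
# Step 4: apply the policy inbound on the interface where the packet filtering firewall sees the traffic (assumed GE1/0/0)
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] traffic-policy p_hits inbound
[Huawei-GigabitEthernet1/0/0] quit
# Step 5: read the per-rule hit counters for that interface
[Huawei] display traffic policy statistics interface gigabitethernet 1/0/0 inbound verbose rule-base
```

Because the behavior only enables statistics, the policy is a read-only probe: it changes nothing about which packets the firewall permits or denies, so it can be left in place for ongoing monitoring of which ACL rules are actually being exercised.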

5.8.3 Which Protocols Does the AR Firewall ASPF Support?

The following protocols are supported:
l File Transfer Protocol (FTP)
l Hypertext Transfer Protocol (HTTP)
l Session Initiation Protocol (SIP)
l Real-Time Streaming Protocol (RTSP)

5.8.4 What Are the Types of Blacklists? (Firewall)

There are two types of blacklists:
l Static blacklists, which are configured manually.
l Dynamic blacklists, which the system generates when it detects scanning attacks.

5.9 References
This section provides the firewall-related RFC recommendations.

The following table lists the references for this feature.

Document   Description
RFC 791    Internet Protocol
RFC 792    Internet Control Message Protocol
RFC 793    Transmission Control Protocol

6 Local Attack Defense Configuration

About This Chapter

Local attack defense limits the rate of packets sent to the CPU, ensuring device security and
uninterrupted services when attacks occur.

6.1 Local Attack Defense Overview


Local attack defense prevents the CPU from being attacked by a large number of packets or
malicious packets.

6.2 Default Configuration


This section provides the default configuration of local attack defense. You can change the
configuration as required.

6.3 Configuring Local Attack Defense


This section describes the procedures for configuring local attack defense.

6.4 Maintaining Local Attack Defense


This section describes how to maintain local attack defense, including clearing attack source
information and statistics on packets sent to the CPU. This helps locate the attack source or check
whether the attack is eliminated.

6.5 Configuration Examples


This topic provides several configuration examples of local attack defense, including networking
requirements and configuration roadmaps.

6.6 Common Configuration Errors


This section describes common faults caused by incorrect local attack defense configurations
and provides the troubleshooting procedure.

6.7 FAQ

6.1 Local Attack Defense Overview


Local attack defense prevents the CPU from being attacked by a large number of packets or
malicious packets.

Definition
A large number of packets including malicious attack packets are sent to the Central Processing
Unit (CPU) on a network. If malicious attack packets are sent to the CPU, the CPU is busy with
processing these attack packets for a long period. Services are interrupted and even the system
fails. If a large number of packets are sent to the CPU, the CPU usage becomes high and CPU
performance deteriorates. In this case, services cannot be processed in a timely manner.

To protect the CPU and ensure that the CPU can process services, the device provides local
attack defense. Local attack defense protects the device against attacks. When an attack occurs,
this function ensures uninterrupted services and minimizes the impact on network services.

Basic Principles
The device supports two types of local attack defense: CPU attack defense and attack source
tracing.

l The device can limit the rate of all packets sent to the CPU to protect the CPU.
1. The device provides hierarchical device protection:
Level 1: The device filters invalid packets sent to the CPU using blacklists.
Level 2: The device limits the rate of packets sent to the CPU based on the protocol
type to prevent excess packets of a protocol from being sent to the CPU.
Level 3: The device schedules packets sent to the CPU based on priorities of
protocol packets to ensure that packets with higher protocol priorities are processed
first.
Level 4: The device uniformly limits the rate of packets with the same priority sent
to the CPU and randomly discards the excess packets to protect the CPU.
2. When the device detects setup of an HTTP session, an FTP session, or a BGP
session, ALP is enabled to protect the session. The packets matching characteristics
of the session are sent at a high rate; therefore, reliability and stability of session-
related services are ensured.
l The attack source tracing function protects the CPU against Denial of Service (DoS) attacks.
The device enabled with attack source tracing analyzes packets sent to the CPU, collects
statistics on the packets, and applies a threshold to the packets. The device considers excess
packets as attack packets. The device finds the source user address or source interface of
the attack by analyzing the attack packets and generates logs or alarms. Accordingly, the
network administrator can take measures to defend against the attacks, for example,
discarding packets from the attack source.
As shown in Figure 6-1, attack source tracing involves the following processes: packet parsing,
traffic analysis, attack source identification, and generation of logs or alarms to alert the
network administrator.

Figure 6-1 Attack source tracing processes

(Figure not reproduced.) Packets handed up from chip forwarding pass through the stages packet
parsing, traffic analysis and attack source identification, after which the device generates logs
and alarms and applies attack source punishment.

The device locates the attack source, and the network administrator limits the rate of packets
sent from the attack source by configuring ACLs or blacklists to protect the CPU.

6.2 Default Configuration


This section provides the default configuration of local attack defense. You can change the
configuration as required.

Table 6-1 and Table 6-2 list the default configuration of local attack defense.

Table 6-1 Default configuration of CPU attack defense

Parameter                          Default Setting
CPU attack defense policy          CPU attack defense policy named default
Blacklist                          None
Rate limit and protocol priority   The CPU attack defense policy limits the rate of different
                                   types of packets sent to the CPU, and the default rate and
                                   priority are the same as those in the default policy. To view
                                   the default rate and priority settings, run the display
                                   cpu-defend configuration command.
Rate limit                         l AR150&200 series: 1000 pps
                                   l AR1200 series, AR2201-48FE, AR2202-48FE, and AR2204: 1000 pps
                                   l AR2220 and AR2240: 1500 pps
                                   l AR3200 series: 2000 pps
Rate limit after ALP is enabled    During setup of an HTTP connection, an FTP connection, or a
                                   BGP connection, if the application-apperceive command is not
                                   used, the default rate limit specified by
                                   application-apperceive is applied to HTTP, BGP, or FTP packets.
                                   l HTTP: 512 pps
                                   l FTP: 1024 pps
                                   l BGP: 512 pps

Table 6-2 Default configuration of attack source tracing

Parameter                                   Default Setting
Attack defense policy                       Attack defense policy named default
Automatic attack source tracing             Disabled
Threshold for attack source tracing         128 pps
Attack source tracing mode                  Attack source tracing based on source MAC addresses,
                                            source IP addresses, or source ports+VLANs
Types of traced packets                     ARP, DHCP, ICMP, IGMP, Telnet, TCP, and TTL-expired
                                            packets
Alarm function for attack source tracing    Disabled
Alarm threshold for attack source tracing   128 pps
Punishment for attack source tracing        Disabled

6.3 Configuring Local Attack Defense


This section describes the procedures for configuring local attack defense.

6.3.1 Configuring CPU Attack Defense


With the CPU attack defense function, the device limits the rate of packets sent to the CPU to
protect the CPU.

Pre-configuration Tasks
Before configuring CPU attack defense, complete the following tasks:

l Connecting interfaces and setting physical parameters for the interfaces to ensure that the
physical status of the interfaces is Up
l Configuring an ACL for blacklist if necessary

Configuration Process
Before configuring CPU attack defense, create an attack defense policy first. The other tasks are
performed in any sequence and can be selected as required. An attack defense policy takes effect
only after it is applied to an object. There is no limitation on when the attack defense policy is
applied.

6.3.1.1 Creating an Attack Defense Policy

Context
Before configuring local attack defense in an attack defense policy, you must create an attack
defense policy.

NOTE

The attack defense policy does not take effect for protocol packets sent from 3G cellular interfaces to the
CPU of the MPU.
The attack defense policy does not take effect for Layer 3 protocol packets sent from LAN-side interface
cards to the CPU of the MPU on the AR1200.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-name

An attack defense policy is created and the attack defense policy view is displayed.

The device supports a maximum of 19 attack defense policies, including the default attack
defense policy. The default attack defense policy is generated in the system by default and is
applied to all boards. The default attack defense policy cannot be deleted or modified. The other
18 policies can be created, modified and deleted.

Step 3 (Optional) Run:
description text

The description of the attack defense policy is configured.

By default, no description is configured for an attack defense policy.

----End

6.3.1.2 Configuring a Blacklist

Context
A blacklist is a group of unauthorized users. You can apply an ACL to a blacklist to add users
with the specific characteristics to the blacklist. The device discards packets from users in the
blacklist.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
cpu-defend policy policy-name

The attack defense policy view is displayed.


Step 3 Run:
blacklist blacklist-id acl acl-number

A blacklist is created.
A maximum of eight blacklists can be configured on the device.
The ACL applied to a blacklist can be a basic ACL, an advanced ACL, or a Layer 2 ACL. For
details on how to create an ACL, see 4 ACL Configuration.
By default, no blacklist is configured on the device.

----End

6.3.1.3 Configuring the Rate Limit for Packets Sent to the CPU

Context
The device applies different rate limits to packets of different types or discards packets of a
specified type to protect the CPU.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
cpu-defend policy policy-name

The attack defense policy view is displayed.


Step 3 Configure a rate limit for packets sent to the CPU.
l Run:
packet-type packet-type rate-limit rate-value

The rate limit for packets sent to the CPU is set. Excess packets are discarded.
l Run:
deny packet-type packet-type

The device is configured to discard packets of a specified type sent to the CPU. That is, the
rate limit for packets sent to the CPU is 0.

By default, the device applies the rate limit defined in the default attack defense policy to limit
the packets sent to the CPU.

----End

6.3.1.4 Setting the Priority for Packets of a Specified Protocol

Context
After an attack defense policy is created, set priorities of protocol packets in the attack defense
policy so that packets with higher priorities are processed first.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-name

The attack defense policy view is displayed.

Step 3 Run:
packet-type packet-type priority priority-level

The priority for packets of a specified protocol sent to the CPU is set.

By default, the priority defined in the default attack defense policy is used for packets of a
specified protocol sent to the CPU.

----End

6.3.1.5 Configuring ALP

Context
Active link protection (ALP) protects session-based application layer data, including data of
HTTP sessions, BGP session, and FTP sessions to ensure uninterrupted services when attacks
occur.

The rate limit for packets after ALP is enabled can be set in the local attack defense view and
applied to the LPU or MPU with local attack defense. The cpu-defend application-apperceive
command enables the ALP function.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-name

The attack defense policy view is displayed.

Step 3 Run:
application-apperceive packet-type { bgp | ftp | http } rate-limit rate-value

The rate limit for HTTP packets, BGP packets, or FTP packets is set.

By default, the rate limit for HTTP packets is 512 pps, the rate limit for BGP packets is 512
pps, and the rate limit for FTP packets is 1024 pps.

NOTE

During setup of an HTTP, a BGP, or an FTP connection, if the application-apperceive command is not
used, the default rate limit specified by application-apperceive is applied to HTTP, BGP, or FTP packets.
After ALP is configured for FTP packets, it also takes effect for TFTP packets.

Step 4 Run:
quit

Return to the system view.

Step 5 Run:
cpu-defend application-apperceive [ bgp | ftp | http ] enable

ALP is enabled.

By default, ALP is enabled for FTP and TFTP and disabled for BGP.

----End

6.3.1.6 Configuring the Rate Limit for All Packets Sent to the CPU

Context
After an attack defense policy is created, set the rate limit for all packets sent to the CPU in the
attack defense policy. The device uniformly limits the rate of packets with the same priority sent
to the CPU and randomly discards the excess packets to protect the CPU.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-name

The attack defense policy view is displayed.

Step 3 Run:
rate-limit all-packets pps pps-value

The rate limit for all packets sent to the CPU is set.

By default, the rate limit is as follows:
l AR150&200 series: 1000 pps
l AR1200 series, AR2201-48FE, AR2202-48FE, and AR2204: 1000 pps
l AR2220 and AR2240: 1500 pps
l AR3200 series: 2000 pps

----End

6.3.1.7 Applying an Attack Defense Policy

Context
After an attack defense policy is created, you must apply the attack defense policy to the SRU
or all LAN-side interface cards in the system view, or specified LAN-side interface cards.
Otherwise, the attack defense policy does not take effect.

NOTE

If the attack defense policy is applied to a LAN-side interface card or SRU, the policy takes effect for only
the packets sent to the CPU of the LAN-side interface card or SRU.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend-policy policy-name [ global | slot slot-id ]

The attack defense policy is applied.

----End

6.3.1.8 Checking the Configuration

Procedure
l Run the display cpu-defend policy [ policy-name ] command to check the attack defense
policy.
l Run the display cpu-defend statistics [ packet-type packet-type ] command to check
statistics on packets sent to the CPU.
l Run the display cpu-defend configuration [ packet-type packet-type ] { all | slot slot-id | sru }
command to check the rate limits for protocol packets sent to the CPU.

----End
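The tasks in 6.3.1.1 through 6.3.1.8 brought together into one CPU attack defense policy, as an added example that is not part of the original guide. The policy name policy1, the blacklist ACL 2001 (a basic ACL assumed to have been created as in 4 ACL Configuration), the packet-type keywords arp and icmp, the priority level 2 and all rate values are assumptions chosen for illustration; the packet types and their default rates and priorities that a given model actually accepts are shown by the display cpu-defend configuration command, so check those before copying values. Prompts follow the convention used in this guide.

```vrp
<Huawei> system-view
# 6.3.1.1: create the policy (policy1 is an assumed name; at most 18 user-defined policies exist)
[Huawei] cpu-defend policy policy1
[Huawei-cpu-defend-policy-policy1] description Protect control plane of the edge router
# 6.3.1.2: level 1, drop packets from hosts matched by basic ACL 2001 (assumed to exist)
[Huawei-cpu-defend-policy-policy1] blacklist 1 acl 2001
# 6.3.1.3: level 2, per-protocol ceilings in pps (arp and icmp are assumed packet-type keywords)
[Huawei-cpu-defend-policy-policy1] packet-type arp rate-limit 128
[Huawei-cpu-defend-policy-policy1] packet-type icmp rate-limit 64
# 6.3.1.4: level 3, schedule ARP ahead of lower-priority types (level 2 is an assumed value)
[Huawei-cpu-defend-policy-policy1] packet-type arp priority 2
# 6.3.1.5: ALP rate for HTTP session packets, tightened below the 512 pps default
[Huawei-cpu-defend-policy-policy1] application-apperceive packet-type http rate-limit 256
# 6.3.1.6: level 4, aggregate ceiling for everything sent to the CPU, below the 1000 pps default
[Huawei-cpu-defend-policy-policy1] rate-limit all-packets pps 800
[Huawei-cpu-defend-policy-policy1] quit
# 6.3.1.5: enable ALP for HTTP (by default ALP is on for FTP/TFTP and off for BGP)
[Huawei] cpu-defend application-apperceive http enable
# 6.3.1.7: nothing above takes effect until the policy is applied
[Huawei] cpu-defend-policy policy1 global
# 6.3.1.8: confirm the policy and watch the per-type counters for drops
[Huawei] display cpu-defend policy policy1
[Huawei] display cpu-defend statistics packet-type icmp
```

The order of the four levels matters when reading the counters: a packet dropped by the blacklist never reaches the per-protocol limit, and a packet dropped by the all-packets limit was already within its protocol's own ceiling, so a rising icmp drop count under display cpu-defend statistics points at the level whose limit is actually binding.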

6.3.2 Configuring Attack Source Tracing


Attack source tracing enables the device to check attack packets sent to the CPU and notify the
administrator by sending logs or alarms so that the administrator can take measures to defend
against attacks.

Pre-configuration Tasks
Before configuring attack source tracing, complete the following task:

l Connecting interfaces and setting physical parameters for the interfaces to ensure that the
physical status of the interfaces is Up

Configuration Process
To configure attack source tracing, you must create an attack defense policy. All other
configuration tasks are optional and can be performed in any sequence as required. An attack
defense policy takes effect only after it is applied; it can be applied at any time after it is
created.

6.3.2.1 Creating an Attack Defense Policy

Context
Before configuring local attack defense in an attack defense policy, you must create an attack
defense policy.

NOTE

The attack defense policy does not take effect for protocol packets sent from 3G cellular interfaces to the
CPU of the MPU.
The attack defense policy does not take effect for Layer 3 protocol packets sent from LAN-side interface
cards to the CPU of the MPU on the AR1200.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-name

An attack defense policy is created and the attack defense policy view is displayed.

The device supports a maximum of 19 attack defense policies, including the default attack
defense policy. The default attack defense policy is generated in the system by default and is
applied to all boards. The default attack defense policy cannot be deleted or modified. The other
18 policies can be created, modified and deleted.

Step 3 (Optional) Run:
description text

The description of the attack defense policy is configured.

By default, no description is configured for an attack defense policy.

----End

6.3.2.2 Configuring the Threshold for Attack Source Tracing

Context
A large number of attack packets may attack the CPUs of network devices. You can configure
attack source tracing and set the alarm threshold for attack source tracing so that the device can
analyze packets sent to the CPU. If the number of protocol packets sent from an attack source
in a specified period exceeds the alarm threshold, the device sends logs or alarms to notify the
administrator so that the administrator can take measures to defend against the attacks.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-name

The attack defense policy view is displayed.

Step 3 Run:
auto-defend enable

Automatic attack source tracing is enabled.

By default, automatic attack source tracing is disabled.

Step 4 Run:
auto-defend threshold threshold-value

The checking threshold for attack source tracing is set.

By default, the checking threshold for attack source tracing is 128 pps.

----End

6.3.2.3 Configuring an Attack Source Tracing Mode

Context
After attack source tracing is enabled, the device uses a specified mode to trace attack sources.
The device supports the following attack source tracing modes:

l Source IP address-based tracing: defends against Layer 3 attack packets.
l Source MAC address-based tracing: defends against Layer 2 attack packets with a fixed
source MAC address.
l Source port+VLAN based tracing: defends against Layer 2 attack packets with different
source MAC addresses.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-name

The attack defense policy view is displayed.

Step 3 Run:
auto-defend enable

Automatic attack source tracing is enabled.

By default, automatic attack source tracing is disabled.

Step 4 Run:
auto-defend trace-type { source-ip | source-mac | source-portvlan } *

The attack source tracing mode is specified.

By default, the device traces attack sources based on source MAC addresses, source IP addresses,
and source ports+VLANs.

----End

6.3.2.4 Configuring the Types of Traced Packets

Context
When an attack occurs, the device traces packets of different types. Therefore, the administrator
cannot identify the type of attack packets. You can flexibly specify the types of traced packets.
The device traces the source of the specified packets.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-name

The attack defense policy view is displayed.

Step 3 Run:
auto-defend enable

Automatic attack source tracing is enabled.

By default, automatic attack source tracing is disabled.

Step 4 Run:
auto-defend protocol { all | { arp | dhcp | icmp | igmp | tcp | telnet | ttl-
expired } * }

The type of traced packets is specified.

By default, the device traces sources of Address Resolution Protocol (ARP), Dynamic Host
Configuration Protocol (DHCP), Internet Control Message Protocol (ICMP), Internet Group
Management Protocol (IGMP), Telnet, Transmission Control Protocol (TCP), and Time To
Live-expired (TTL-expired) packets in attack source tracing.

----End

6.3.2.5 Configuring the Alarm Function for Attack Source Tracing

Context
An attack source may send packets of a specified type to the device. After you enable the alarm
function of attack source tracing and configure an alarm threshold, the device generates alarms
when the number of packets sent in a specified period exceeds the threshold. This prevents the
device from attacks.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-name

The attack defense policy view is displayed.

Step 3 Run:
auto-defend enable

Automatic attack source tracing is enabled.

By default, automatic attack source tracing is disabled.

Step 4 Configure the alarm function for attack source tracing.


1. Run:
auto-defend alarm enable

The alarm function for attack source tracing is enabled.

By default, the alarm function for attack source tracing is disabled.


2. Run:

auto-defend alarm threshold threshold

The alarm threshold for attack source tracing is set.

By default, the alarm threshold for attack source tracing is 128 pps.

----End

6.3.2.6 Configuring Attack Source Punishment

Context
After you configure attack source punishment, the device discards the packets that an identified
attack source sends to it instead of only recording the source. If the timer is specified, the
punishment is lifted when the timer expires.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-name

The attack defense policy view is displayed.

Step 3 Run:
auto-defend enable

Attack source tracing is enabled.

By default, attack source tracing is disabled.

Step 4 Run:
auto-defend action deny [ timer time-length ]

Attack source punishment is enabled.

By default, attack source punishment is disabled.

----End
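The following is an added example, not part of this guide or of the router's software: a Python model of how the settings in 6.3.2.2 to 6.3.2.6 combine. It counts CPU-bound packets per second under each tracing mode, records sources above the checking threshold, raises an alarm when the alarm threshold is also crossed, and drops a punished source's packets for the deny timer. The packet records, the AutoDefendPolicy class and every name in it are constructed for the example; the 50 pps threshold is the one used in 6.5.1.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class CpuPacket:
    """One packet that was sent to the CPU. Constructed test record, not router output."""
    second: int     # arrival time in whole seconds
    protocol: str   # arp, dhcp, icmp, igmp, tcp, telnet, ttl-expired, or an untraced type
    src_ip: str
    src_mac: str
    port: str       # ingress interface
    vlan: int


# Defaults stated in 6.3.2.2 to 6.3.2.4: 128 pps, all three tracing modes, seven packet types.
DEFAULT_THRESHOLD = 128
DEFAULT_TRACE_TYPES = ("source-ip", "source-mac", "source-portvlan")
DEFAULT_PROTOCOLS = frozenset({"arp", "dhcp", "icmp", "igmp", "tcp", "telnet", "ttl-expired"})

Ident = Tuple[str, str]  # (trace type, traced identity)


def trace_key(pkt: CpuPacket, trace_type: str) -> str:
    """Identity under which packets are aggregated for one auto-defend trace-type."""
    if trace_type == "source-ip":
        return pkt.src_ip
    if trace_type == "source-mac":
        return pkt.src_mac
    if trace_type == "source-portvlan":
        return f"{pkt.port}/vlan{pkt.vlan}"
    raise ValueError(f"unknown trace type {trace_type}")


class AutoDefendPolicy:
    """Simplified model of the auto-defend settings (hypothetical, not the router's code)."""

    def __init__(self, threshold=DEFAULT_THRESHOLD, trace_types=DEFAULT_TRACE_TYPES,
                 protocols=DEFAULT_PROTOCOLS, alarm_threshold=None, deny_seconds=None):
        self.threshold = threshold              # auto-defend threshold (pps)
        self.trace_types = tuple(trace_types)   # auto-defend trace-type
        self.protocols = frozenset(protocols)   # auto-defend protocol
        self.alarm_threshold = alarm_threshold  # auto-defend alarm threshold; None = alarm disabled
        self.deny_seconds = deny_seconds        # auto-defend action deny timer; None = no punishment
        self.attack_sources: Dict[Ident, int] = {}   # identity -> peak pps observed
        self.alarms: List[str] = []
        self.deny_until: Dict[Ident, int] = {}       # identity -> last second it stays denied
        self.dropped = 0

    def _denied(self, pkt: CpuPacket, now: int) -> bool:
        """A source punished under any tracing mode has all its CPU-bound packets discarded."""
        return any(self.deny_until.get((t, trace_key(pkt, t)), -1) >= now
                   for t in self.trace_types)

    def run(self, packets: Iterable[CpuPacket]) -> None:
        by_second = defaultdict(list)
        for pkt in packets:
            by_second[pkt.second].append(pkt)
        for now in sorted(by_second):
            counts: Counter = Counter()
            for pkt in by_second[now]:
                if self._denied(pkt, now):
                    self.dropped += 1
                    continue
                if pkt.protocol not in self.protocols:
                    continue  # packet types not listed in auto-defend protocol are not traced
                for t in self.trace_types:
                    counts[(t, trace_key(pkt, t))] += 1
            for ident, pps in counts.items():
                if pps <= self.threshold:
                    continue
                self.attack_sources[ident] = max(pps, self.attack_sources.get(ident, 0))
                if self.alarm_threshold is not None and pps > self.alarm_threshold:
                    self.alarms.append(f"second={now} {ident[0]}={ident[1]} AttackPackets={pps} pps")
                if self.deny_seconds is not None:
                    # punishment starts with the next second and lasts deny_seconds
                    self.deny_until[ident] = now + self.deny_seconds


def build_sample() -> List[CpuPacket]:
    """Constructed traffic: an ARP flood at 200 pps, a quiet ICMP host, and an untraced OSPF burst."""
    pkts: List[CpuPacket] = []
    for sec in range(3):
        pkts += [CpuPacket(sec, "arp", "1.1.1.100", "0001-c0a8-0102", "Ethernet2/0/1", 10)] * 200
        pkts += [CpuPacket(sec, "icmp", "2.2.2.7", "0001-c0a8-0207", "Ethernet2/0/3", 20)] * 10
        pkts += [CpuPacket(sec, "ospf", "3.3.3.3", "0001-c0a8-0303", "Ethernet2/0/3", 30)] * 300
    return pkts


def run_demo() -> AutoDefendPolicy:
    """Threshold 50 pps as in 6.5.1, alarm at 128 pps, deny for 1 s after each detection."""
    policy = AutoDefendPolicy(threshold=50, alarm_threshold=128, deny_seconds=1)
    policy.run(build_sample())
    return policy


if __name__ == "__main__":
    p = run_demo()
    for ident, peak in sorted(p.attack_sources.items()):
        print(f"attack source {ident[0]}={ident[1]} peak={peak} pps")
    print(f"alarms={len(p.alarms)} dropped={p.dropped}")
```

With these settings the ARP flooder is recorded under all three tracing modes, the OSPF burst is never counted because ospf is not a traced packet type, and the deny timer suppresses the flooder's packets for one second after each detection, after which it is detected again.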

6.3.2.7 Applying an Attack Defense Policy

Context
After you create an attack defense policy, you must apply it in the system view, either globally
(to the SRU and all LAN-side interface cards) or to a specified LAN-side interface card by slot
ID. Otherwise, the attack defense policy does not take effect.

NOTE

If the attack defense policy is applied to a LAN-side interface card or SRU, the policy takes effect for only
the packets sent to the CPU of the LAN-side interface card or SRU.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend-policy policy-name [ global | slot slot-id ]

The attack defense policy is applied.

----End

6.3.2.8 Checking the Configuration

Procedure
l Run the display auto-defend attack-source [ detail ] command to check attack sources
on the SRU.
l Run the display auto-defend configuration [ cpu-defend policy policy-name ] command
to check the configuration of attack source tracing in an attack defense policy.
l Run the display cpu-defend policy [ policy-name ] command to check the attack defense
policy.

----End

6.4 Maintaining Local Attack Defense


This section describes how to maintain local attack defense, including clearing attack source
information and statistics on packets sent to the CPU. This helps locate the attack source or check
whether the attack is eliminated.

6.4.1 Clearing Attack Source Information

Context
To clear the recorded attack source information, run the following command in the user view.

NOTICE
The cleared attack source information cannot be restored. Exercise caution when you use the
command.

Procedure
Step 1 Run the reset auto-defend attack-source command to clear information about the attack
sources on the main control board.

----End

6.4.2 Clearing Statistics About Packets Sent to the CPU

Context
Before recollecting statistics on packets sent to the CPU, run the following command in the user
view to clear the existing statistics.

NOTICE
The cleared statistics cannot be restored. Exercise caution when you use the command.

Procedure
Step 1 Run the reset cpu-defend statistics [ packet-type packet-type ] command to clear statistics
about packets sent to the CPU.

----End

6.5 Configuration Examples


This topic provides several configuration examples of local attack defense, including networking
requirements and configuration roadmaps.

6.5.1 Example for Configuring Local Attack Defense

Networking Requirements
As shown in Figure 6-2, users on different LANs access the Internet through RouterA. To locate
attacks on RouterA, attack source tracing needs to be configured. The following problems are
observed:

l A user on Net1 frequently attacks RouterA.
l The attacker sends a large number of ARP Request packets, degrading CPU performance.
l The administrator needs to upload files to RouterA using FTP, so an FTP connection between
the administrator's host and RouterA must remain possible.
l Most LAN users obtain IP addresses using DHCP, but RouterA does not process dhcp-client
packets sent to the CPU with any priority.
l The Telnet server is not enabled on RouterA, yet RouterA often receives a large number of
Telnet packets.

Configurations need to be performed on RouterA to solve the preceding problems.

Figure 6-2 Networking diagram for configuring local attack defense

[Figure: RouterA's Ethernet2/0/1 faces Net1 (1.1.1.0/24) and Ethernet2/0/3 faces Net2
(2.2.2.0/24); Ethernet2/0/2 connects RouterA to RouterB and the Internet. Net3 (3.3.3.0/24)
also attaches to RouterA.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a blacklist and add attackers on Net1 to the blacklist to prevent users on Net1
from accessing the network.
2. Configure the rate limit for ARP Request packets sent to the CPU to ensure that the CPU
can process normal services.
3. Configure active link protection (ALP) for FTP so that file data can be transmitted between
the administrator's host and RouterA.
4. Configure a high priority for dhcp-client packets so that RouterA first processes dhcp-client
packets sent to the CPU.
5. Disable the Telnet server on RouterA so that RouterA discards all received Telnet
packets.

Procedure
Step 1 Configure an ACL to be referenced by the blacklist.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] acl number 4001
[RouterA-acl-L2-4001] rule 5 permit source-mac 0001-c0a8-0102
[RouterA-acl-L2-4001] quit

Step 2 Create an attack defense policy.


[RouterA] cpu-defend policy devicesafety

Step 3 Enable attack source tracing and set the checking threshold.


[RouterA-cpu-defend-policy-devicesafety] auto-defend enable
[RouterA-cpu-defend-policy-devicesafety] auto-defend threshold 50

Step 4 Configure a blacklist.


[RouterA-cpu-defend-policy-devicesafety] blacklist 1 acl 4001

Step 5 Configure the rate limit for ARP Request packets sent to the CPU.
[RouterA-cpu-defend-policy-devicesafety] packet-type arp-request rate-limit 64

Step 6 Configure the rate limit for FTP packets after ALP is enabled.
[RouterA-cpu-defend-policy-devicesafety] application-apperceive packet-type ftp
rate-limit 2000

Step 7 Set the priority of dhcp-client packets.


[RouterA-cpu-defend-policy-devicesafety] packet-type dhcp-client priority 3
[RouterA-cpu-defend-policy-devicesafety] quit

Step 8 Apply the attack defense policy.

# Enable ALP for FTP.


[RouterA] cpu-defend application-apperceive ftp enable

# Apply the attack defense policy to the main control board.


[RouterA] cpu-defend-policy devicesafety

Step 9 Disable the Telnet server.


[RouterA] undo telnet server enable

NOTE

You do not need to disable application layer association. The Router discards all received Telnet packets
after the Telnet server is disabled on the Router.

Step 10 Verify the configuration.

# View information about the configured attack defense policy.


[RouterA] display cpu-defend policy devicesafety
Related slot : <0>
BlackList Status :
Slot<0> : Success
Configuration :
Blacklist 1 ACL number : 4001
Packet-type arp-request rate-limit : 64(pps)
Packet-type dhcp-client priority : 3
Rate-limit all-packets : 2000(pps)
(default)
Application-apperceive packet-type ftp : 2000(pps)
Application-apperceive packet-type tftp : 2000(pps)

# View the rate limit configuration on the main control board. The telnet-server packet type
shows Disabled, and the rate limit for ARP Request packets sent to the CPU (64 pps) and the
priority for dhcp-client packets (3) are set as configured.
<Huawei> display cpu-defend configuration sru
Rate configurations on main board.
-----------------------------------------------------------------
Packet-type Status Rate-limit(PPS) Priority
-----------------------------------------------------------------
8021X Disabled 160 2
arp-miss Enabled 64 2
arp-reply Enabled 128 2
arp-request Enabled 64 2
bfd Disabled 512 4
bgp Enabled 256 3
bgp4plus Enabled 256 3

dhcp-client Enabled 128 3


......
telnet-server Disabled 128 4
ttl-expired Enabled 256 1
udp-helper Disabled 32 2
unknown-multicast Enabled 128 1
unknown-packet Enabled 256 1
voice Enabled 256 4
vrrp Disabled 256 3
-----------------------------------------------------------------

# The log about attack source tracing of Net1 indicates that attack source tracing has taken effect.
Dec 18 2010 09:55:50-05:13 device %%01SECE/4/USER_ATTACK(l)[0]:User attack
occurred.(Slot=MPU, SourceAttackInterface=Ethernet2/0/1, OuterVlan/
InnerVlan=0/0, UserMacAddress=0001-c0a8-0102, AttackPackets=48 packets per
second)

# View the statistics on packets sent to the SRU. The Drop Packets count for arp-request shows
that the rate limit on ARP Request packets is taking effect.
<Huawei> display cpu-defend statistics
-----------------------------------------------------------------------
Packet Type Pass Packets Drop Packets
-----------------------------------------------------------------------
8021X 0 0
arp-miss 5 0
arp-reply 8090 0
arp-request 1446576 127773
bfd 0 0
bgp 0 0
bgp4plus 0 0
dhcp-client 879 0
dhcp-server 0 0
dhcpv6-reply 0 0
dhcpv6-request 0 0
dns 4 0
fib-hit 0 0
fr 0 0
ftp-client 0 0
ftp-server 0 0
fw-dns 0 0
fw-ftp 0 0
fw-http 0 0
fw-rtsp 0 0
fw-sip 0 0
gre-keepalive 0 0
gvrp 0 0
hdlc 0 0
http-client 0 0
http-server 0 0
hw-tacacs 0 0
icmp 59 0
icmpv6 224 0
igmp 539 0
ip-option 0 0
ipsec-ike 0 0
ipsec-isa 0 0
ipsec-osa 0 0
isis 70252 0
isisv6 0 0
l2tp 0 0
lacp 0 0
lldp 0 0
nd 358 0
nd-miss 0 0
nhrp 0 0

ntp 0 0
ospf 0 0
ospfv3 0 0
pim 0 0
ppp 0 0
pppoe 0 0
radius 0 0
rip 11306 0
ripng 7385 0
snmp 0 0
ssh-client 0 0
ssh-server 0 0
sslvpn 0 0
stp 0 0
tcp 15 0
telnet-client 81476 0
telnet-server 0 0
ttl-expired 0 0
udp-helper 0 0
unknown-multicast 0 0
unknown-packet 66146 0
voice 0 0
vrrp 0 0
---------------------------------------------------------------------

----End

Configuration Files
#
sysname RouterA
#
acl number 4001
rule 5 permit source-mac 0001-c0a8-0102
#
cpu-defend policy devicesafety
blacklist 1 acl 4001
packet-type arp-request rate-limit 64
packet-type dhcp-client priority 3
application-apperceive packet-type ftp rate-limit 2000
auto-defend enable
auto-defend threshold 50
#
cpu-defend-policy devicesafety
#
undo telnet server enable
#
return

6.6 Common Configuration Errors


This section describes common faults caused by incorrect local attack defense configurations
and provides the troubleshooting procedure.

6.6.1 Attack Source Tracing Does Not Take Effect

Fault Description
Attack source tracing does not take effect after attack source tracing is configured.

Common Causes
Possible causes are as follows:
l The attack defense policy is not applied to the SRU or interface card that is under attack.
l The checking threshold for attack source tracing is too large.

Procedure
Step 1 Determine the attacked object.
1. Run the display cpu-usage slot slot-id command to check the CPU usage of the SRU and
determine whether the SRU is under attack.
2. If the SRU is under attack, go to the next step.

Step 2 Determine whether the attack defense policy configured with attack source tracing is applied to
the attacked LPU or main control board.
1. Run the display this command in the system view to check whether the cpu-defend-
policy command is configured.
2. Or run the display auto-defend configuration command to check the name of the attack
defense policy and the slot ID that the policy is applied to.
3. If the policy is not configured, run the cpu-defend-policy command in the system view to
configure the policy. If the policy is configured, go to the next step.

Step 3 Check whether the checking threshold for attack source tracing is too large.

Run the display auto-defend configuration command to check the value in the auto-defend
threshold field. If the value is higher than the rate at which the attack packets arrive, tracing
never triggers; run the auto-defend threshold command in the attack defense policy view to
reduce the value.

----End

6.6.2 The Blacklist Does Not Take Effect

Fault Description
The Blacklist does not take effect after the Blacklist is configured.

Common Causes
Possible causes are as follows:
l Rules in the blacklist do not match the packets.
l ACL resources are insufficient.

Procedure
Step 1 Run the display cpu-defend policy policy-name command to check the attack defense policy.

Step 2 Check the ACL of the blacklist in the displayed attack defense policy information, and run the
display acl acl-number command to check whether service packets match the ACL rule.

Step 3 If service packets do not match the ACL rule, run the rule command in the ACL view to modify
the ACL rule. If service packets match the ACL rule, the blacklist may fail to be applied because
ACL resources are insufficient.

----End

6.7 FAQ

6.7.1 What Can I Do with Excess ACL Rules Used by a Blacklist in Local Attack Defense?
Excess ACL rules referenced by a blacklist do not take effect; no action is required.

6.7.2 How Do I Configure CPCAR?


Perform the following operations to configure Control Plane Committed Access Rate (CPCAR):
l Run the cpu-defend policy policy-name command to create an attack defense policy.
l Run the packet-type packet-type rate-limit rate-value command to set the rate limit for
packets sent to the CPU.
l Run the cpu-defend-policy policy-name [ global | slot slot-id ] command to apply the attack
defense policy.

6.7.3 Why Does the CPCAR Rate Limit Configuration Not Take
Effect?
The CPU committed access rate (CPCAR) is configured in the attack defense policy view. The
CPCAR takes effect only when the attack defense policy is applied on the main control board
or interface board on the local area network (LAN) side.

7 Attack Defense Configuration

About This Chapter

Attack defense is a network security feature. Attack defense allows the device to identify various
types of network attacks and protect itself and the connected network against malicious attacks
to ensure device and network operation.

7.1 Overview
This section describes the definition and functions of Attack defense.

7.2 Principles
This section describes the implementation of Attack defense.

7.3 Applications
This section describes the applicable scenario of Attack defense.

7.4 Default Configuration


This section provides default settings of attack defense.

7.5 Configuring Attack Defense


This section describes the procedures for configuring attack defense.

7.6 Maintaining Attack Defense


This section describes how to maintain attack defense, including clearing attack defense
statistics.

7.7 Configuration Examples


This section provides a configuration example of attack defense, including networking
requirements, configuration roadmaps, and configuration procedure.

7.8 References
This section lists references of Attack defense.

7.1 Overview
This section describes the definition and functions of Attack defense.

Definition
Attack defense is a network security feature. This feature enables the device to analyze the
content and behavior of packets sent to the CPU for processing, check whether packets are attack
packets, and take measures for attack packets.

Attack defense is classified into malformed packet attack defense, packet fragment attack
defense, and flood attack defense.

Purpose
Defects in communications protocols and problems in network deployment leave networks exposed
to a growing number of attacks. Attacks on a network device in particular can bring the device or
the whole network down.

The attack defense feature enables the device to discard or limit the rate of different types of
attack packets sent to the CPU, protecting the device and ensuring normal services.

7.2 Principles
This section describes the implementation of Attack defense.

7.2.1 Defense Against Malformed Packet Attacks


A malformed packet attack sends deliberately malformed IP packets to the system; a system that
does not validate them may break down while processing them. Defense against malformed packet
attacks allows the device to detect malformed packets in real time and discard them to protect
the device.

Malformed packet attacks are classified into the following types.

Flood Attacks From IP Null Payload Packets


An IP packet that consists of nothing but a 20-byte IP header is an IP null payload packet. An
attacker often constructs IP packets with the IP header only and no upper-layer data; when the
device processes these packets, errors may occur or the device may break down.

After defense against malformed packet attacks is enabled, the device directly discards the
received IP packets without payloads.

Attacks from IGMP Null Payload Packets


An IGMP packet consists of a 20-byte IP header and an 8-byte IGMP body. The device treats
IGMP packets shorter than 28 bytes as IGMP null payload packets. When the device processes
IGMP null payload packets, errors may occur or the device may break down.

After defense against malformed packet attacks is enabled, the device directly discards the
received IGMP null payload packets.

LAND Attacks
A LAND attacker exploits the TCP three-way handshake by sending SYN packets whose source IP
address and port are the same as the destination IP address and port, both being those of the
target host. On receiving such a SYN packet, the target host tries to open a TCP connection to
itself, with its own address as both source and destination. The connection stays half-open until
it times out. Many such null connections waste resources or bring the device down.

After defense against malformed packet attacks is enabled, the device checks source and
destination addresses in TCP SYN packets to prevent LAND attacks. The device considers TCP
SYN packets with the same source and destination addresses as malformed packets and discards
them.

Smurf Attack
An attacker sends ICMP Echo Request packets whose source address is the target host's address and
whose destination address is the broadcast address of the target network. Every host on the target
network that receives the request sends an ICMP Echo Reply to the target host. The target host is
flooded with replies and consumes many resources, causing it to break down or congesting the
network.

After defense against malformed packet attacks is enabled, the device checks whether the
destination address in ICMP Request packets is the broadcast address or subnet broadcast address
to prevent Smurf attacks. When detecting the ICMP Request packets with the destination address
as the broadcast address or subnet broadcast address, the device directly discards them.

Attacks from Packets with Invalid TCP Flag Bits


A TCP packet carries six flag bits: URG, ACK, PSH, RST, SYN, and FIN. Different systems
respond differently to combinations of these flags, which attackers use for probing:

l If all six flag bits are set (a Christmas tree packet), the device may break down when
processing it.
l If both SYN and FIN are set and the destination port is closed, the receiver replies with
RST | ACK; if the port is open, it replies with SYN | ACK. This lets the attacker detect
whether the host is online and whether the port is open.
l If all six flag bits are clear (a null packet):
If the port is closed, the receiver replies with RST | ACK, which reveals whether the host
is online.
If the port is open, Linux and UNIX operating systems do not respond but the Windows
operating system replies with RST | ACK, which reveals the type of the operating system
(Windows, Linux, or UNIX).

After defense against malformed packet attacks is enabled, the device checks the flag bits of
each TCP packet to prevent attacks from packets with invalid TCP flag bits. If any of the
following conditions is met, the device discards the TCP packet:

l The six flag bits are all 1s.
l The SYN and FIN bits are both 1.
l The six flag bits are all 0s.
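As an added example (not code from this guide or from the router), the following Python checker applies the malformed-packet rules of this section to raw IPv4 packets: IP null payload, IGMP null payload, LAND, Smurf, and the three invalid TCP flag combinations. The packets, the helper builders, and the LOCAL_NETS subnet list used for the subnet-broadcast test are constructed for the example.

```python
import struct
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, Optional

# TCP flag bits in the low six bits of the flags byte (RFC 793 order: URG ACK PSH RST SYN FIN)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_SIX = URG | ACK | PSH | RST | SYN | FIN

IP_HDR = "!BBHHHBBH4s4s"  # version/IHL, TOS, total length, ID, flags/offset, TTL, proto, csum, src, dst
PROTO_ICMP, PROTO_IGMP, PROTO_TCP = 1, 2, 6
# Directly connected networks used for the subnet-broadcast test (constructed for this example)
LOCAL_NETS = (IPv4Network("10.0.0.0/24"),)


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (checksum left zero; the checks below never look at it)."""
    header = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + payload


def tcp(sport: int, dport: int, flags: int) -> bytes:
    """Build a 20-byte TCP header carrying the given flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def icmp_echo_request() -> bytes:
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # type 8 (Echo Request), code 0


def classify(packet: bytes, local_nets: Iterable[IPv4Network] = LOCAL_NETS) -> Optional[str]:
    """Return the malformed-packet class the device would discard, or None if the packet passes."""
    if len(packet) < 20:
        return "truncated"
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IP_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    payload = packet[ihl:total_len]
    if not payload:
        return "ip-null-payload"  # IP header only, no upper-layer data
    if proto == PROTO_IGMP and total_len < 28:
        return "igmp-null-payload"  # shorter than 20-byte IP header + 8-byte IGMP body
    if proto == PROTO_TCP and len(payload) >= 20:
        sport, dport = struct.unpack("!HH", payload[:4])
        flags = payload[13] & ALL_SIX
        if flags & SYN and src == dst and sport == dport:
            return "land"
        if flags == ALL_SIX:
            return "tcp-flags-all-set"  # Christmas tree packet
        if flags & SYN and flags & FIN:
            return "tcp-syn-fin"
        if flags == 0:
            return "tcp-flags-none-set"  # null packet
    if proto == PROTO_ICMP and payload[0] == 8:
        d = IPv4Address(dst)
        if d == IPv4Address("255.255.255.255") or any(d == n.broadcast_address for n in local_nets):
            return "smurf"  # Echo Request aimed at a broadcast or subnet broadcast address
    return None


def demo_results() -> dict:
    """Constructed packets, one per check, plus two well-formed ones that must pass."""
    return {
        "null-ip": classify(ipv4("10.0.0.1", "10.0.0.2", PROTO_TCP, b"")),
        "short-igmp": classify(ipv4("10.0.0.1", "224.0.0.1", PROTO_IGMP, b"\x11\x00\x00\x00")),
        "land": classify(ipv4("10.0.0.2", "10.0.0.2", PROTO_TCP, tcp(80, 80, SYN))),
        "xmas": classify(ipv4("10.0.0.1", "10.0.0.2", PROTO_TCP, tcp(1025, 80, ALL_SIX))),
        "syn-fin": classify(ipv4("10.0.0.1", "10.0.0.2", PROTO_TCP, tcp(1025, 80, SYN | FIN))),
        "null-tcp": classify(ipv4("10.0.0.1", "10.0.0.2", PROTO_TCP, tcp(1025, 80, 0))),
        "smurf": classify(ipv4("10.0.0.2", "10.0.0.255", PROTO_ICMP, icmp_echo_request())),
        "good-syn": classify(ipv4("10.0.0.1", "10.0.0.2", PROTO_TCP, tcp(1025, 80, SYN))),
        "good-ping": classify(ipv4("10.0.0.1", "10.0.0.2", PROTO_ICMP, icmp_echo_request())),
    }


if __name__ == "__main__":
    for name, verdict in demo_results().items():
        print(f"{name:10s} -> {verdict}")
```

The LAND test is deliberately evaluated before the flag-combination tests, because a LAND packet carries an otherwise valid SYN; the Smurf test needs the list of locally attached subnets, since a subnet broadcast address is only recognizable relative to a prefix.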

7.2.2 Defense Against Packet Fragment Attacks


If an attacker sends malformed packet fragments to the device, the device may consume a large
amount of CPU resources, restart, or even break down, affecting normal services. Defense against
packet fragment attacks allows the device to detect malicious fragments in real time and discard
them or limit their rate to protect the device.

Attacks of packet fragments are classified into the following types.

Excess-Fragment Attacks
The IP fragment offset is expressed in units of 8 bytes. Normally, an IP header is 20 bytes and
the maximum IP payload is 65515 bytes (65535 minus the header), so an IP packet can be split into
at most 8189 fragments. Reassembling a packet that arrives in more than 8189 fragments consumes
a large amount of CPU resources.

After defense against packet fragment attacks is enabled, the device considers a packet with more
than 8189 fragments malicious and discards all the fragments of the packet.

Excess-Offset Attacks
An attacker sends the target host a fragment with an excessively large offset value. The target
host allocates enough memory to hold all fragments up to that offset, consuming a large amount of
resources.

The offset field counts 8-byte units, so its largest encodable value corresponds to 65528 bytes. In
legitimate traffic the offset value does not exceed 8189: with an offset of 8189 (65512 bytes) and
a 20-byte IP header, the last fragment can carry only 3 bytes of IP payload before the 65535-byte
total length limit is reached. The device therefore considers fragments with an offset value
larger than 8190 malicious and discards them.

After defense against packet fragment attacks is enabled, the device checks whether the offset
value multiplied by 8 is greater than 65528. If it is, the device considers the fragment malicious
and discards it.

Repeated Packet Fragment Attacks


An attacker sends repeated fragments to the target host multiple times:

l The attacker sends the same fragment to the target host many times, causing abnormal CPU and
memory usage on the target host.
l The attacker sends different fragments with the same offset to the target host. The target host
cannot determine which fragment to use, and its CPU and memory usage becomes abnormal.

After defense against packet fragment attacks is enabled, the device applies a committed access
rate (CAR) limit to packet fragments, keeps the first copy of each fragment, and discards the
repeated copies to protect the device CPU.

Tear Drop Attack


The Tear Drop attack is the most frequently used IP fragment attack. The IP packet is fragmented
incorrectly so that the second fragment falls inside the first: the offset of the second fragment
lies within the data of the first fragment, and its offset plus the length of its Data field does
not extend beyond the end of the first fragment.

As shown in Figure 7-1:

l In the first fragment, the IP payload is 36 bytes, the total length of the IP packet is 56 bytes,
the protocol is UDP, and the UDP checksum is 0 (that is, no checksum).
l In the second fragment, the IP payload is 4 bytes, the total length of the IP packet is 24
bytes, the protocol is UDP, and the offset is 24 (incorrect; the correct offset is 36).

Figure 7-1 Tear Drop attack

[Figure: byte positions along the Seq axis, with the IP header drawn at -20 to 0. First fragment:
IP header followed by UDP data from 0 to 36. Second fragment: IP header followed by 4 bytes of
data placed at 24 to 28, inside the first fragment. Axis ticks: -20, 0, 4, 24, 28, 36.]

Tear Drop attacks cause system breakdown or restart. After defense against packet fragment
attacks is enabled, the device discards all the fragments of Tear Drop attacks.

Syndrop Attack
The Syndrop attack is similar to the Tear Drop attack, except that it uses TCP packets that have
the SYN flag set and carry an IP payload.

As shown in Figure 7-2:

l In the first fragment, the IP payload is 28 bytes, and the IP header is 20 bytes.
l In the second fragment, the IP payload is 4 bytes, the IP header is 20 bytes, and the offset
is 24 (this is incorrectly calculated and the correct offset is 28).

Figure 7-2 Syndrop attack

[Figure: first fragment IP header followed by TCP SYN data from 0 to 28; second fragment IP
header followed by 4 bytes of data at 24 to 28. Axis ticks: -20, 0, 4, 24, 28.]

Syndrop attacks cause system breakdown or restart. After defense against packet fragment
attacks is enabled, the device discards all the fragments of Syndrop attacks.

Newtear Attack
The NewTear attack is another attack that uses incorrect fragments. As shown in Figure 7-3, the
protocol is UDP.
l The IP payload of the first fragment is 28 bytes including the UDP header. The UDP
checksum is 0.
l The IP payload of the second fragment is 4 bytes. The offset is 24, which is incorrect; the
correct offset is 28.

Figure 7-3 NewTear attack

[Figure: first fragment IP header followed by UDP data from 0 to 28; second fragment IP header
followed by 4 bytes of data at 24 to 28. Axis ticks: -20, 0, 4, 24, 28.]

NewTear attacks cause system breakdown or restart. After defense against packet fragment
attacks is enabled, the device discards all the fragments of NewTear attacks.

Bonk Attack
The Bonk attack is another attack that uses incorrect fragments. As shown in Figure 7-4, the
protocol is UDP.

l The IP payload of the first fragment is 36 bytes including the UDP header. The UDP
checksum is 0.
l The IP payload of the second fragment is 4 bytes. The offset is 32, which is incorrectly
calculated. The correct offset is 36.

Figure 7-4 Bonk attack

[Figure: first fragment IP header followed by UDP data from 0 to 36; second fragment IP header
followed by 4 bytes of data at 32 to 36. Axis ticks: -20, 0, 12, 32, 36.]

Bonk attacks cause system breakdown or restart. After defense against packet fragment attacks
is enabled, the device discards all the fragments of Bonk attacks.

Nesta Attack
The Nesta attack is another attack that uses incorrect fragments. As shown in Figure 7-5:
l In the first fragment, the IP payload is 18 bytes, the protocol is UDP, and the UDP
checksum is 0.
l In the second fragment, the offset is 48 and the IP payload is 116 bytes.
l In the third fragment, the offset is 0, the MF (more fragments) flag is 1, the IP options
(all EOL) occupy 40 bytes, and the IP payload is 224 bytes.

Figure 7-5 Nesta attack

[Figure: frag1 (IP header + UDP), frag2, and frag3 (IP header with EOL options) laid out along
the Seq axis. Axis ticks: -20, 0, 18, 28, 40, 48, 164.]

Nesta attacks cause system breakdown or restart. After defense against packet fragment attacks
is enabled, the device discards all the fragments of Nesta attacks.

Rose Attack
The protocol used can be UDP or TCP.

As shown in Figure 7-6:

If Rose attacks use TCP:

l In the first fragment, the IP payload is 48 bytes (including the TCP header) and the length
of the IP header is 20 bytes.
l In the second fragment, the IP payload is 32 bytes, the offset is 65408, and the more
frag is 0 (last fragment).

If Rose attacks use UDP:

l In the first fragment, the IP payload is 40 bytes (including the UDP header, with UDP
checksum 0), and the IP header is 20 bytes.
l In the second fragment, the IP payload is 32 bytes, the offset is 65408, and the more
frag is 0 (last fragment).

Figure 7-6 Rose attack (figure: layout of the two IP/UDP fragments along the Length axis)

Rose attacks cause system breakdown or restart. After defense against packet fragment attacks
is enabled, the device discards all the fragments of Rose attacks.

Fawx Attack
A Fawx attack uses erroneous fragments of IGMP packets. As shown in Figure 7-7, two fragments of
an IGMP packet are sent. In the first fragment, the IP payload is 9 bytes. In the second fragment,
the offset is 8, and the IP payload is 16 bytes.


Figure 7-7 Fawx attack (figure: layout of the two IP/IGMP fragments along the Length axis)

Fawx attacks cause system breakdown or restart. After defense against packet fragment attacks
is enabled, the device discards all the fragments of Fawx attacks.

Ping of Death Attack


An attacker sends ICMP packets with the Data field longer than 65507 bytes to attack the device.
If the device incorrectly processes ICMP packets with the Data field longer than 65507 bytes,
the protocol stack may crash.
After defense against packet fragment attacks is enabled, the device discards ICMP packets with
the Data field longer than 65507 bytes.

Jolt Attack
An attacker sends packets longer than 65535 bytes to attack the device. Jolt attack uses 173
packet fragments. The IP payload of each packet fragment is 380 bytes. The total length is 65760
(173 x 380 + 20) bytes, which is greater than 65535. If the device incorrectly processes such
packets, the device may stop responding, crash, or restart.
After defense against packet fragment attacks is enabled, the device discards Jolt attack packets.
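The checks below, added here as an example and not Huawei code, reproduce the fragment sanity tests implied by the attacks above: overlapping fragments (NewTear, Bonk, Nesta, Fawx), a last fragment that leaves holes (Rose), and a reassembled datagram longer than 65535 bytes (Jolt) or ICMP data longer than 65507 bytes (Ping of Death). Offsets are taken as byte offsets exactly as the figures give them, the NewTear first-fragment length of 28 bytes is inferred from Figure 7-3, and every fragment set is constructed from the numbers in this section.

```python
# Added example (not Huawei code): sanity checks over a fragment set, using the
# numbers given for each attack above. Offsets are byte offsets as the figures
# give them (on the wire the IP header carries them in 8-byte units).
from dataclasses import dataclass
from typing import List, Set, Tuple

IP_HEADER = 20                                             # bytes, no options
MAX_IP_LENGTH = 65535                                      # largest IP total length
ICMP_HEADER = 8
MAX_ICMP_DATA = MAX_IP_LENGTH - IP_HEADER - ICMP_HEADER    # 65507, as stated above


@dataclass(frozen=True)
class Fragment:
    offset: int          # start of this fragment's payload within the datagram
    length: int          # IP payload bytes carried by this fragment
    more: bool           # "more fragments" flag
    proto: str = "udp"   # udp, tcp, icmp or igmp


def check_fragments(frags: List[Fragment]) -> List[Tuple[str, str]]:
    """Return (category, detail) findings; an empty list means the set looks sane."""
    findings: List[Tuple[str, str]] = []
    holes: List[str] = []
    reach = 0  # end of the data covered so far
    for f in sorted(frags, key=lambda x: (x.offset, x.length)):
        if f.offset < reach:
            findings.append(("overlap", f"fragment at {f.offset} overlaps data ending at {reach}"))
        elif f.offset > reach:
            holes.append(f"gap between {reach} and {f.offset}")
        reach = max(reach, f.offset + f.length)
    last = [f for f in frags if not f.more]
    if len(last) > 1:
        findings.append(("overlap", "more than one fragment claims to be the last"))
    # A gap is only a fault once the last fragment has arrived; before that the
    # datagram is merely incomplete and a reassembler would keep waiting.
    findings.extend(("hole" if last else "incomplete", h) for h in holes)
    if IP_HEADER + reach > MAX_IP_LENGTH:
        findings.append(("oversize", f"reassembled length {IP_HEADER + reach} > {MAX_IP_LENGTH}"))
    if frags and frags[0].proto == "icmp" and reach - ICMP_HEADER > MAX_ICMP_DATA:
        findings.append(("ping-of-death", f"ICMP data {reach - ICMP_HEADER} > {MAX_ICMP_DATA}"))
    return findings


def categories(frags: List[Fragment]) -> Set[str]:
    return {cat for cat, _ in check_fragments(frags)}


def chunks(total: int, size: int, proto: str = "udp") -> List[Fragment]:
    """Split a payload of `total` bytes into well-formed, contiguous fragments."""
    out, off = [], 0
    while off < total:
        n = min(size, total - off)
        out.append(Fragment(off, n, off + n < total, proto))
        off += n
    return out


# Constructed fragment sets taken from the figures above.
NEWTEAR = [Fragment(0, 28, True), Fragment(24, 4, False)]        # 2nd should start at 28
BONK = [Fragment(0, 36, True), Fragment(32, 4, False)]           # 2nd should start at 36
NESTA = [Fragment(0, 18, True), Fragment(48, 116, False), Fragment(0, 224, True)]
ROSE_UDP = [Fragment(0, 40, True), Fragment(65408, 32, False)]
FAWX = [Fragment(0, 9, True, "igmp"), Fragment(8, 16, False, "igmp")]
PING_OF_DEATH = chunks(ICMP_HEADER + 65508, 1480, "icmp")         # data one byte too long
JOLT = chunks(173 * 380, 380)                                     # 173 x 380 + 20 = 65760
NORMAL = chunks(3000, 1480)                                       # ordinary 3020-byte datagram

if __name__ == "__main__":
    for name, fs in [("NewTear", NEWTEAR), ("Bonk", BONK), ("Nesta", NESTA),
                     ("Rose", ROSE_UDP), ("Fawx", FAWX), ("PingOfDeath", PING_OF_DEATH),
                     ("Jolt", JOLT), ("normal", NORMAL)]:
        print(f"{name:12s} {check_fragments(fs) or 'ok'}")
```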

7.2.3 Defense Against Flood Attacks


If an attacker sends a large number of bogus packets to the target host, the target host is busy
with these bogus packets and cannot process normal services.
Defense against flood attacks allows the device to detect flood packets in real time and discard
them or limit the rate of the packets to protect the device.
Flood attacks include TCP SYN flood attacks, UDP flood attacks, and ICMP flood attacks.

TCP SYN Flood Attack


A TCP SYN flood attack exploits the TCP three-way handshake. During the three-way
handshake, when the receiver gets the first SYN message from a sender, it replies with a SYN
+ACK message. While the receiver waits for the final ACK from the sender, the connection is
half-open. If the receiver does not receive the ACK, it retransmits the SYN+ACK. If no ACK
arrives after many attempts, the receiver tears down the session and updates the session state in
memory. The period from sending the first SYN+ACK to tearing down the session is about 30s.
During this period, an attacker may send thousands of SYN messages to the receiver's listening
ports and never respond to the SYN+ACK messages. The memory of the receiver is exhausted
and the receiver cannot accept new connection requests; eventually the receiver disconnects all
existing connections.
After defense against TCP SYN flood attacks is enabled, the device limits the rate of TCP SYN
packets so that system resources are not exhausted during an attack.

UDP Flood Attack


If an attacker sends a large number of UDP packets to the target host, the target host is busy with
these UDP packets. As a result, the target host is overloaded and cannot process normal services.
UDP flood attacks are classified into two types:
l Fraggle attack
An attacker sends UDP packets of which the source address is the target host address, the
destination address is the broadcast address of the target network, and the destination port
number is port 7. If multiple hosts use UDP echo services on the broadcast network, the
target host receives excess response packets. As a result, the system becomes busy.
The device considers packets from UDP port 7 as attack packets and directly discards them.
l UDP diagnosis port attack
An attacker sends many packets to the UDP diagnosis ports (7 echo, 13 daytime, and 19
chargen) simultaneously; the flood of packets prevents network devices from working properly.
The device considers packets from UDP ports 7, 13, and 19 as attack packets and directly
discards them.

ICMP Flood Attack


Generally, a network administrator monitors a network and rectifies network faults with the ping
tool as follows:
l The source host sends an ICMP Echo message to the destination host.
l When receiving the ICMP Echo message, the destination host sends an ICMP Echo Reply
message to the source host.
If an attacker sends many ICMP Echo messages to the target host, the target host is busy with
these Echo messages and cannot process other data packets. Therefore, normal services are
affected.
The device applies the committed access rate (CAR) limit to packets of ICMP flood attacks to
protect the CPU and ensure that the network can work properly.
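A software model of the flood-defense behaviour described in this section, added here as an example and not Huawei code: UDP packets on ports 7, 13 and 19 are dropped outright, while TCP SYN and ICMP echo-request packets pass through a committed-access-rate (CAR) token bucket whose cir is given in bit/s as on the device. The cir of 15000 bit/s is the value used in the configuration example later in this chapter; the bucket depth, the packet classes and the packet trace are assumptions made for this example.

```python
# Added example (not Huawei code): a software model of the flood-defense behaviour
# described above. UDP packets on ports 7, 13 and 19 are dropped outright; TCP SYN
# and ICMP echo-request packets pass through a committed-access-rate (CAR) token
# bucket whose cir is given in bit/s as on the device. The bucket depth, packet
# classes and trace are assumptions made for this example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CIR_BPS = 15000            # cir used in the configuration example of this chapter
BURST_BYTES = 400          # assumed bucket depth; the device command takes only cir
DIAG_PORTS = {7, 13, 19}   # UDP echo, daytime and chargen


@dataclass
class Packet:
    ts: float              # arrival time in seconds
    proto: str             # "tcp", "udp" or "icmp"
    size: int              # bytes on the wire
    syn: bool = False      # TCP SYN flag
    ack: bool = False      # TCP ACK flag
    sport: int = 0         # UDP source port
    dport: int = 0         # UDP destination port
    icmp_type: int = 0     # 8 = echo request, 0 = echo reply


class TokenBucket:
    """CAR limiter: tokens are bytes, refilled at cir/8 bytes per second."""

    def __init__(self, cir_bps: int, depth: int) -> None:
        self.rate = cir_bps / 8.0
        self.depth = float(depth)
        self.tokens = float(depth)
        self.last: Optional[float] = None

    def allow(self, ts: float, size: int) -> bool:
        if self.last is not None:
            self.tokens = min(self.depth, self.tokens + max(0.0, ts - self.last) * self.rate)
        self.last = ts
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class FloodDefense:
    KINDS = ("Tcp-syn", "Udp-flood", "Icmp-flood")   # rows of display anti-attack statistics

    def __init__(self, cir_bps: int = CIR_BPS, depth: int = BURST_BYTES) -> None:
        self.car = {"Tcp-syn": TokenBucket(cir_bps, depth),
                    "Icmp-flood": TokenBucket(cir_bps, depth)}
        self.stats: Dict[str, List[int]] = {k: [0, 0, 0] for k in self.KINDS}  # total, drop, pass

    @staticmethod
    def classify(p: Packet) -> Optional[str]:
        if p.proto == "tcp" and p.syn and not p.ack:
            return "Tcp-syn"
        if p.proto == "udp" and (p.sport in DIAG_PORTS or p.dport in DIAG_PORTS):
            return "Udp-flood"
        if p.proto == "icmp" and p.icmp_type == 8:
            return "Icmp-flood"
        return None

    def process(self, p: Packet) -> bool:
        """Return True if the packet is forwarded, False if discarded."""
        kind = self.classify(p)
        if kind is None:
            return True                       # not an attack class; left untouched
        row = self.stats[kind]
        row[0] += 1
        # Diagnosis-port UDP is discarded unconditionally; the other two classes are
        # rate-limited rather than blocked, so a modest ping rate still gets through.
        passed = kind != "Udp-flood" and self.car[kind].allow(p.ts, p.size)
        row[2 if passed else 1] += 1
        return passed


def run_trace(trace: List[Packet], cir_bps: int = CIR_BPS,
              depth: int = BURST_BYTES) -> Dict[str, Tuple[int, ...]]:
    d = FloodDefense(cir_bps, depth)
    for p in trace:
        d.process(p)
    return {k: tuple(v) for k, v in d.stats.items()}


def sample_trace() -> List[Packet]:
    """Constructed trace: a 34-packet SYN burst, 3 UDP echo probes, a DNS query, two pings."""
    t = [Packet(0.0, "tcp", 64, syn=True) for _ in range(34)]
    t += [Packet(0.0, "udp", 60, sport=40000, dport=7) for _ in range(3)]
    t += [Packet(0.0, "udp", 80, sport=40001, dport=53)]
    t += [Packet(0.0, "icmp", 84, icmp_type=8), Packet(0.5, "icmp", 84, icmp_type=8)]
    t += [Packet(0.6, "icmp", 84, icmp_type=0)]
    return t


if __name__ == "__main__":
    for kind, (total, drop, passed) in run_trace(sample_trace()).items():
        print(f"{kind:12s} total={total:4d} drop={drop:4d} pass={passed:4d}")
```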

7.3 Applications
This section describes the applicable scenario of attack defense.
As shown in Figure 7-8, RouterA is prone to various types of network attacks, causing high
CPU usage and affecting network services. To provide secure network services, the following
attack defense functions are configured on RouterA:

l Defense against malformed packet attacks
l Defense against packet fragment attacks and rate limit for packet fragments, preventing
fragments from affecting the CPU and protecting CPU and device resources
l Defense against flood attacks:
  Defense against TCP SYN flood attacks and rate limit for TCP SYN packets, protecting
  the CPU
  Defense against UDP flood attacks, used to discard UDP packets sent from specified
  ports
  Defense against ICMP flood attacks and rate limit for ICMP packets, protecting the
  CPU

Figure 7-8 Networking diagram of attack defense (figure: a hacker on the Internet sends attacks towards RouterA, which defends the campus network and its users)

7.4 Default Configuration


This section provides default settings of attack defense.

Table 7-1 describes the default settings of attack defense.

Table 7-1 Default settings of attack defense

Parameter                                        Default Setting
Defense against malformed packet attacks         Enabled
Defense against packet fragment attacks          Enabled
Rate at which packet fragments are sent          155000000 bit/s
Defense against TCP SYN flood attacks            Enabled
Rate at which TCP SYN flood packets are sent     155000000 bit/s
Defense against UDP flood attacks                Enabled
Defense against ICMP flood attacks               Enabled
Rate at which ICMP flood packets are sent        155000000 bit/s

7.5 Configuring Attack Defense


This section describes the procedures for configuring attack defense.

7.5.1 Configuring Defense Against Malformed Packet Attacks


Malformed packet attacks include flood attacks without IP payloads, attacks from IGMP null
payload packets, LAND attacks, Smurf attacks, and attacks from packets with invalid TCP flag
bits.

Context
The malformed packet attack is to send malformed IP packets to the system. If such an attack
occurs, the system may break down when processing the malformed IP packets.

To prevent the system from breaking down and to ensure normal network services, enable
defense against malformed packet attacks. After detecting malformed packets, the device
directly discards them.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
anti-attack abnormal enable

Defense against malformed packet attacks is enabled.

By default, defense against malformed packet attacks is enabled.

NOTE
You can also run the anti-attack enable command in the system view to enable attack defense against all attack
packets including malformed packets.

----End

Checking the Configuration


l Run the display anti-attack statistics abnormal command to check statistics on defense
against malformed packet attacks on the interface board.


7.5.2 Configuring Defense Against Packet Fragment Attacks


Packet fragment attacks include attacks from many fragments, attacks from many packets with
offsets, attacks from repeated packet fragments, Tear Drop attacks, Syndrop attacks, NewTear
attacks, Bonk attacks, Nesta attacks, Rose attacks, Fawx attacks, Ping of Death attacks, and Jolt
attacks.

Context
If an attacker sends error packet fragments to attack the device, the device consumes a large
number of resources to process the error packet fragments, affecting normal services.

To prevent the system from breaking down and to ensure normal network services, enable
defense against packet fragment attacks. The device limits the rate of fragment packets to ensure
that the CPU runs properly when the device is being attacked by many packet fragments.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
anti-attack fragment enable

Defense against packet fragment attacks is enabled.

By default, defense against packet fragment attacks is enabled.

NOTE
You can also run the anti-attack enable command in the system view to enable attack defense against all attack
packets including packet fragments.

Step 3 Run:
anti-attack fragment car cir cir

The rate limit of packet fragments is set.

By default, the rate limit of packet fragments is 155000000 bit/s.

----End

Checking the Configuration


l Run the display anti-attack statistics fragment command to check statistics on defense
against packet fragment attacks on the interface board.

7.5.3 Configuring Defense Against Flood Attacks


Flood attacks include TCP SYN flood attacks, UDP flood attacks, and ICMP flood attacks.

7.5.3.1 Configuring Defense Against TCP SYN Flood Attacks


Context
An attacker sends a SYN packet to the target host to initiate a TCP connection but does not
respond to the SYN+ACK sent from the target host. Because the target host receives no ACK
packet from the attacker, it keeps waiting for the ACK packet, and a half-open connection is
formed. The attacker keeps sending SYN packets, so many half-open connections are set up on
the target host. This wastes a large number of resources.

To prevent TCP SYN flood attacks, enable defense against TCP SYN flood attacks and set the
rate limit of TCP SYN flood attack packets.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
anti-attack tcp-syn enable

Defense against TCP SYN flood attacks is enabled.

By default, defense against TCP SYN flood attacks is enabled.

NOTE
You can also run the anti-attack enable command in the system view to enable attack defense against all attack
packets including TCP SYN flood attack packets.

Step 3 Run:
anti-attack tcp-syn car cir cir

The rate limit at which TCP SYN packets are received is set.

By default, the rate limit at which TCP SYN packets are received is 155000000 bit/s.

----End

7.5.3.2 Configuring Defense Against UDP Flood Attacks

Context
If an attacker sends a large number of UDP packets with specified destination port numbers to
the target host in a short time, the target host is busy with these UDP packets. As a result, the
target host is overloaded and cannot process normal services. To prevent UDP flood
attacks, enable defense against UDP flood attacks.

The device enabled with defense against UDP flood attacks directly discards UDP packets with
port numbers 7, 13, and 19.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
anti-attack udp-flood enable

Defense against UDP flood attacks is enabled.

By default, defense against UDP flood attacks is enabled.

NOTE
You can also run the anti-attack enable command in the system view to enable attack defense against all attack
packets including UDP flood attack packets.

----End

7.5.3.3 Configuring Defense Against ICMP Flood Attacks

Context
If an attacker sends a large number of ICMP request packets to the target host in a short time,
the target host is busy with these ICMP request packets. As a result, the target host is overloaded
and cannot process normal services. To prevent ICMP flood attacks, enable defense against
ICMP flood attacks.

After defense against ICMP flood attacks is enabled, set the rate limit of ICMP flood attack
packets.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
anti-attack icmp-flood enable

Defense against ICMP flood attacks is enabled.

By default, defense against ICMP flood attacks is enabled.

NOTE
You can also run the anti-attack enable command in the system view to enable attack defense against all attack
packets including ICMP flood attack packets.

Step 3 Run:
anti-attack icmp-flood car cir cir

The rate limit of ICMP flood attack packets is set.

By default, the rate limit of ICMP flood attack packets is 155000000 bit/s.

----End


7.5.3.4 Checking the Configuration

Procedure
l Run the display anti-attack statistics [ tcp-syn | udp-flood | icmp-flood ] command to
check statistics on defense against flood attacks.

----End

7.6 Maintaining Attack Defense


This section describes how to maintain attack defense, including clearing attack defense
statistics.

7.6.1 Clearing Attack Defense Statistics

Context

NOTICE
Statistics cannot be restored after being cleared. Exercise caution when you run the reset
command.

To clear attack defense statistics, run the following command.

Procedure
l Run the reset anti-attack statistics [ abnormal | fragment | tcp-syn | udp-flood | icmp-
flood ] command to clear attack defense statistics.

----End

7.7 Configuration Examples


This section provides a configuration example of attack defense, including networking
requirements, configuration roadmaps, and configuration procedure.

7.7.1 Example for Configuring Attack Defense

Networking Requirements
As shown in Figure 7-9, if a hacker on the LAN initiates malformed packet attacks, packet
fragment attacks, and flood attacks to RouterA, RouterA may break down. The administrator
requires that attack defense measures be deployed on RouterA to provide a secure network
environment and ensure normal services.


Figure 7-9 Networking of attack defense (figure: a hacker on the Internet sends attacks towards RouterA, which defends the campus network and its users)

Configuration Roadmap
The configuration roadmap is as follows:

1. Enable defense against malformed packet attacks so that RouterA can defend against such
attacks.
2. Enable defense against packet fragment attacks so that RouterA can defend against such
attacks.
3. Enable defense against packet flood attacks so that RouterA can defend against such attacks.

Procedure
Step 1 Enable defense against malformed packet attacks.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] anti-attack abnormal enable

Step 2 Enable defense against packet fragment attacks and set the rate limit at which packet fragments
are received to 15000 bit/s.
[RouterA] anti-attack fragment enable
[RouterA] anti-attack fragment car cir 15000

Step 3 Enable defense against flood attacks.

# Enable defense against TCP SYN flood attacks and set the rate limit at which TCP SYN flood
packets are received to 15000 bit/s.
[RouterA] anti-attack tcp-syn enable
[RouterA] anti-attack tcp-syn car cir 15000

# Enable defense against UDP flood attacks to discard UDP packets sent from specified ports.
[RouterA] anti-attack udp-flood enable

# Enable defense against ICMP flood attacks and set the rate limit at which ICMP flood packets
are received to 15000 bit/s.
[RouterA] anti-attack icmp-flood enable
[RouterA] anti-attack icmp-flood car cir 15000

Step 4 Verify the configuration.

# After the configuration is complete, run the display anti-attack statistics command to view
attack defense statistics.

<RouterA> display anti-attack statistics


Packets Statistic Information:
-------------------------------------------------------------------------------
AntiAtkType TotalPacketNum DropPacketNum PassPacketNum
(H) (L) (H) (L) (H) (L)
-------------------------------------------------------------------------------
Abnormal 0 0 0 0 0 0
Fragment 0 0 0 0 0 0
Tcp-syn 0 34 0 28 0 6
Udp-flood 0 0 0 0 0 0
Icmp-flood 0 0 0 0 0 0
-------------------------------------------------------------------------------

On RouterA, there are statistics on discarded TCP SYN packets, indicating that the attack defense
function takes effect.

----End

Configuration Files
Configuration file of RouterA

#
sysname RouterA
#
anti-attack fragment car cir 15000
anti-attack tcp-syn car cir 15000
anti-attack icmp-flood car cir 15000
#
return

7.8 References
This section lists references of attack defense.

None.


8 Traffic Suppression Configuration

About This Chapter

This chapter describes basic concepts, configuration procedures and examples, and common
configuration errors.

8.1 Overview
This section describes the definition and functions of traffic suppression.

8.2 Principles
This section describes the implementation of traffic suppression.

8.3 Applications
This section describes the applicable scenario of traffic suppression.

8.4 Default Configuration


This section describes the default configuration of traffic suppression of the device.

8.5 Configuring Traffic Suppression


Traffic suppression prevents broadcast storms and ensures device forwarding performance.

8.6 Example for Configuring Traffic Suppression and Storm Control


This section provides traffic suppression and storm control examples.

8.7 Common Configuration Errors


This section describes common configuration errors and troubleshooting roadmap of traffic
suppression and storm control.

8.8 FAQ

8.9 References
This section lists references of traffic suppression.


8.1 Overview
This section describes the definition and functions of traffic suppression.

Definition
Traffic suppression is a security technology that controls broadcast packets, multicast packets, and
unknown unicast packets to prevent broadcast storms caused by these packets.

Traffic suppression limits the traffic by setting a threshold.

NOTE
Unknown unicast packets refer to unicast packets whose destination MAC addresses are not learned by the
device.

Purpose
When receiving broadcast packets, multicast packets, and unknown unicast packets, the device
forwards the packets to other Layer 2 Ethernet interfaces in the same VLAN if the device cannot
determine the outbound interface based on destination MAC addresses of packets. In this case,
broadcast storms may occur on the network and forwarding performance of the device
deteriorates.

Traffic suppression can control these packets and prevent broadcast storms.

8.2 Principles
This section describes the implementation of traffic suppression.

8.2.1 Traffic Suppression

Traffic suppression prevents broadcast storms caused by broadcast packets, multicast packets,
and unknown unicast packets in the following modes:

l In the interface view, the device performs traffic suppression for these packets on the
inbound interface, with the threshold expressed in packets per second or bits per second.
The device measures the rate of these packets on the interface and compares it with the
threshold. When the inbound traffic reaches the threshold, the system discards excess
traffic.
l In the interface view, the device can block outgoing broadcast packets, multicast packets,
and unknown unicast packets on the outbound interface.

8.3 Applications
This section describes the applicable scenario of traffic suppression.


8.3.1 Traffic Suppression

Figure 8-1 Networking diagram (figure: Router sits between the L2 network and the Gateway/L3 network, with interfaces Eth2/0/0 and Eth2/0/1)

As shown in Figure 8-1:
l Router is connected to a Layer 2 network and to a router. To limit the number of broadcast,
multicast, and unknown unicast packets forwarded on the Layer 2 network, you can
configure traffic suppression on the Layer 2 Ethernet interface Eth2/0/0 of Router.
l Outbound broadcast packets, multicast packets, and unknown unicast packets are blocked
on Eth2/0/0 to ensure security of users and other network devices on the Layer 2 network.

8.4 Default Configuration


This section describes the default configuration of traffic suppression of the device.

Table 8-1 lists default parameter settings of traffic suppression and storm control.

Table 8-1 Traffic suppression

Parameter                                                                  Default Value
Traffic suppression on an interface                                        Disabled
Traffic suppression for Internet Control Message Protocol (ICMP) packets   Disabled
Traffic suppression threshold for ICMP packets                             100 pps

8.5 Configuring Traffic Suppression


Traffic suppression prevents broadcast storms and ensures device forwarding performance.

8.5.1 Configuring Traffic Suppression on an Interface


Context
To limit the rate of incoming and outgoing packets and prevent broadcast storms, configure
traffic suppression on an interface.

Pre-configuration Tasks
Before configuring traffic suppression on an interface, complete the following task:
l Configuring link layer protocol parameters for interfaces to ensure that the link layer
protocol status on the interfaces is Up

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
{ broadcast-suppression | multicast-suppression | unicast-suppression } { cir cir-
value | packets packets-per-second }

Traffic suppression is configured.


NOTE

Different types of interfaces support different modes for traffic suppression:


l The CIR value for traffic suppression can be set on the LAN-side Ethernet interfaces of the main control
board.
l The rate limit in pps can be set on the LAN-side GE interfaces and Ethernet interfaces of the LPU.
l The 4GE-2S board does not support traffic suppression on interfaces.

Traffic Suppression Mode    CIR Rate Limit    PPS Rate Limit
AR150&200 series            Supported         Not supported
AR1200 series               Supported         Supported
AR2200 series               Not supported     Supported
AR3200 series               Not supported     Supported

----End

8.5.2 Limiting the Rate of ICMP Packets


Applicable Environment
The device receives a large number of ICMP packets from the network, and these packets
consume a lot of CPU resources. Limiting the rate at which ICMP packets are received can help
reduce the burden on the CPU, ensuring nonstop service transmission. After this function is
configured, the device discards excess packets.

NOTE

After rate limiting of ICMP packets is configured, the device may fail to respond to ping packets. To make
suppression of ICMP packets take effect, disable the fast ICMP reply function.

Procedure
l Configuring the global rate limit for ICMP packets
1. Run:
system-view

The system view is displayed.


2. Run:
icmp rate-limit enable

The global ICMP packet rate limiting function is enabled.


By default, the global ICMP packet rate limiting function is disabled on a device.
3. (Optional) Run:
icmp rate-limit threshold threshold-value

The global rate limit for ICMP packets is set.


By default, the global rate limit for ICMP packets is 100 pps.
l Configuring the rate limit for ICMP packets on a specified interface
1. Run:
system-view

The system view is displayed.


2. Run:
interface interface-type interface-number

The interface view is displayed.


The Router can limit the rate at which ICMP packets are received on GE interfaces,
Ethernet interfaces and Eth-Trunk interfaces.
3. Run:
icmp rate-limit enable

The ICMP packet rate limiting function is enabled on the interface.


By default, the ICMP packet rate limiting function is disabled on a device.
4. (Optional) Run:
icmp rate-limit threshold threshold-value

The highest rate at which ICMP packets are received on the interface is set.
By default, the rate limit for ICMP packets on an interface is 100 pps.
----End

8.5.3 Checking the Configuration


Procedure
l Run the display flow-suppression interface interface-type interface-number command to
check the traffic suppression configuration.

----End

8.6 Example for Configuring Traffic Suppression and Storm Control
This section provides traffic suppression and storm control examples.

8.6.1 Example for Setting the Rate Limit in pps for Traffic Suppression

Networking Requirements
As shown in Figure 8-2, RouterA is connected to a Layer 2 network and a Layer 3 RouterB. To
limit the number of broadcast, multicast, or unknown unicast packets forwarded on the Layer 2
network, you can set the rate limit in pps on Ethernet 2/0/0.

NOTE

As shown in Figure 8-2, RouterA is an enterprise router and RouterB is an aggregation router.

Figure 8-2 Network diagram of setting the rate limit in pps for traffic suppression (figure: RouterA faces the L2 network on Eth2/0/0 and connects to RouterB on the L3 network)

Configuration Roadmap
The configuration roadmap is as follows:

l Set the rate limit in pps for traffic suppression on Ethernet 2/0/0.

Procedure
Step 1 Enter the interface view.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface ethernet 2/0/0

Step 2 Set the rate limit in pps for broadcast packets.


[RouterA-Ethernet2/0/0] broadcast-suppression packets 12600


Step 3 Set the rate limit in pps for multicast packets.


[RouterA-Ethernet2/0/0] multicast-suppression packets 25200

Step 4 Set the rate limit in pps for unknown unicast packets.
[RouterA-Ethernet2/0/0] unicast-suppression packets 12600
[RouterA-Ethernet2/0/0] quit

Step 5 Verify the configuration.

Run the display flow-suppression interface command, and you can view the traffic suppression
configuration on Ethernet 2/0/0.
[RouterA] display flow-suppression interface Ethernet 2/0/0
storm type rate mode set rate value
-------------------------------------------------------------------------------
unknown-unicast pps pps: 12600(packet/s)
multicast pps pps: 25200(packet/s)
broadcast pps pps: 12600(packet/s)
-------------------------------------------------------------------------------

----End

Configuration Files
#
sysname RouterA
#
interface Ethernet2/0/0
unicast-suppression packets 12600
multicast-suppression packets 25200
broadcast-suppression packets 12600
#
return

8.7 Common Configuration Errors


This section describes common configuration errors and troubleshooting roadmap of traffic
suppression and storm control.

8.7.1 Broadcast Traffic Suppression Does Not Take Effect

Fault Description
After traffic suppression for broadcast packets is configured on an interface, a broadcast storm
caused by broadcast packets still occurs and traffic is interrupted.

Common Causes
This fault is commonly caused by one of the following:
l Broadcast suppression is not configured on interfaces, or the broadcast suppression
threshold is set too high.
l Broadcast packets are not discarded on the inbound interface.


NOTE

l Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
l Troubleshooting for traffic suppression of multicast packets and unknown unicast packets is similar to
that of broadcast packets.

Procedure
Step 1 Check that traffic suppression is correctly configured on the related interface.

Run the display flow-suppression interface interface-type interface-number command in the
user view to check whether the values of rate mode and set rate value in the broadcast field
are proper.

l If these values are proper, go to step 2.

Step 2 Check whether broadcast packets are discarded in the inbound direction of the interface.

You can check whether broadcast packets are discarded in the inbound direction of the interface
by using the following methods:

l Run the display interface interface-type interface-number command in the user view to
check whether the value of Input bandwidth utilization changes greatly after traffic
suppression is configured. Normally, after traffic suppression is configured, the interface
bandwidth usage decreases if the interface discards excess packets. If the value of Input
bandwidth utilization does not change or changes a little, go to step 3.
l Configure another interface (interface B), and add it and the interface configured with traffic
suppression (interface A) to the same VLAN. Then check whether the volume of the outgoing
traffic on interface B is the same as the volume of the traffic on interface A. If they are
different, no packet is discarded in the inbound direction of interface A. Go to step 3.

Step 3 Please collect the following information and contact Huawei technical support personnel.
l Results of the preceding troubleshooting procedure
l Configuration file, logs, and alarms of the member switch

----End

8.8 FAQ

8.8.1 Why Is the Actual Suppression Value Different from the Configured Traffic Suppression Value?
The traffic suppression supported by AR series routers is a type of granularity-based suppression.

l The AR1200 series use the committed information rate (CIR) mode.
If the traffic suppression value is between 64 kbit/s and 1000 kbit/s, the granularity is
64 kbit/s. For example, if the traffic suppression value is set to 65 kbit/s, the effective
traffic suppression value is 64 kbit/s. If the traffic suppression value is set to 200 kbit/s,
the effective traffic suppression value is 128 kbit/s, and so on.


If the traffic suppression value is between 1000 kbit/s and 100,000 kbit/s, the granularity
is 1000 kbit/s. For example, if the traffic suppression value is set to 1001 kbit/s, the
effective traffic suppression value is 1000 kbit/s. If the traffic suppression value is set
to 2999 kbit/s, the effective traffic suppression value is 2000 kbit/s, and so on.
l The AR2200 and AR3200 series use the packet mode. The granularity is 125 packets per
second (pps). If the traffic suppression value is set to 10 pps, the effective traffic suppression
value is 0 pps. If the traffic suppression value is set to 126 pps, the effective traffic
suppression value is 125 pps, and so on.

Therefore, if the traffic suppression value is not set to a multiple of the granularity, the actual
suppression value is different from the traffic suppression value that is set. Any configured value
within the supported range is accepted, but only multiples of the granularity take effect exactly
as configured.

8.9 References
This section lists references of traffic suppression.

Document: IEEE 802.1d
Description: Media Access Control (MAC) Bridges. Specifies an architecture and protocol for the
interconnection of IEEE 802 LANs below the MAC service boundary.
Remarks: -


9 ARP Security Configuration

About This Chapter

This chapter describes the principle and configuration methods of ARP security and provides
configuration examples.

9.1 Overview
This section describes the definition and functions of ARP Security.

9.2 Principles
This section describes the implementation of ARP Security.

9.3 Applications
This section describes the applicable scenario of ARP Security.

9.4 Default Configuration
This section describes the ARP security default configuration. You can change the configuration
based on the site requirements.

9.5 Configuring ARP Security
This section describes the procedures for configuring ARP security.

9.6 ARP Security Maintenance
This section describes ARP security maintenance, including monitoring the ARP running status,
clearing statistics on ARP packets, clearing statistics on discarded ARP packets, and configuring
the alarm and log functions for potential ARP attacks.

9.7 Configuration Examples
This section describes configuration examples of ARP security, including networking
requirements, configuration roadmap, and configuration procedure.

9.8 FAQ

9.9 References
This section lists references of ARP Security.


9.1 Overview
This section describes the definition and functions of ARP Security.

Definition
Address Resolution Protocol (ARP) security prevents ARP attacks and ARP-based network
scanning attacks using a series of methods such as strict ARP learning, dynamic ARP inspection
(DAI), ARP anti-spoofing, and rate limit on ARP packets.

Purpose
ARP is easy to use but has no security mechanisms. Attackers often use ARP to attack network
devices. The following ARP attack modes are commonly used on networks:

l ARP flood attack: ARP flood attacks, also called denial of service (DoS) attacks, occur in
the following scenarios:
System resources are consumed when the device processes ARP packets and maintains
ARP entries. To ensure that ARP entries can be queried efficiently, a maximum number
of ARP entries is set on the device. Attackers send a large number of bogus ARP packets
with variable source IP addresses to the device. In this case, ARP entries on the device
are exhausted and the device cannot generate ARP entries for ARP packets from
authorized users. Consequently, communication is interrupted.
When attackers scan hosts on the local network segment or other network segments, the
attackers send many IP packets with unresolvable destination IP addresses to attack the
device. As a result, the device triggers many ARP Miss messages, generates a large
number of temporary ARP entries, and broadcasts ARP Request packets to resolve the
destination IP addresses, leading to Central Processing Unit (CPU) overload.
l ARP spoofing attack: An attacker sends bogus ARP packets to network devices. The
devices then modify ARP entries, causing communication failures.

ARP attacks cause the following problems:

l Network connections are unstable and communication is interrupted, leading to economic
loss.
l Attackers initiate ARP spoofing attacks to intercept user packets to obtain accounts and
passwords of systems such as game, online banking, and file servers, leading to losses.

To avoid the preceding problems, the device provides multiple techniques to defend against ARP
attacks.

Table 9-1 and Table 9-2 describe the ARP security techniques for defending against the
different ARP attacks.


Table 9-1 ARP security techniques for defending against ARP flood attack

Attack Defense Function: Rate limit on ARP packets
Description: This function limits the rate of ARP packets, ensuring that the device has
sufficient CPU resources to process other services when processing a large number of ARP
packets.
Deployment: You are advised to enable this function on the gateway.

Attack Defense Function: Rate limit on ARP Miss messages
Description: This function limits the rate of ARP Miss messages to defend against attacks from
a large number of IP packets with unresolvable destination IP addresses.
Deployment: You are advised to enable this function on the gateway.

Attack Defense Function: Strict ARP learning
Description: This function allows the device to learn only ARP entries for ARP Reply packets
in response to ARP Request packets sent by itself. This prevents ARP entries from being
exhausted for invalid ARP packets.
Deployment: You are advised to enable this function on the gateway.

Attack Defense Function: ARP entry limiting
Description: This function enables a device interface to dynamically learn a maximum number
of ARP entries, preventing ARP entries from being exhausted when a host connected to the
interface attacks the device.
Deployment: You are advised to enable this function on the gateway.

Table 9-2 ARP security techniques for defending against ARP spoofing attack

Attack Defense Function: ARP entry fixing
Description: After the device with this function enabled learns an ARP entry for the first
time, it does not change the ARP entry, only updates part of the entry, or sends a unicast ARP
Request packet to check validity of the ARP packet for updating the entry. The device supports
three ARP entry fixing modes: fixed-all, fixed-mac, and send-ack.
Deployment: You are advised to enable this function on the gateway.


Attack Defense Function: DAI
Description: Dynamic ARP inspection (DAI) allows the device to compare the source IP address,
source MAC address, interface number, and VLAN ID of an ARP packet with a binding entry. If an
entry is matched, the device considers the ARP packet valid and allows the packet to pass
through. If no entry is matched, the device considers the ARP packet invalid and discards the
packet. This function is available only for DHCP snooping scenarios.
Deployment: You are advised to enable this function on an access device.

Attack Defense Function: ARP gateway anti-collision
Description: ARP gateway anti-collision prevents gateway ARP entries on hosts from being
modified by attackers using bogus gateway IP addresses.
Deployment: You are advised to enable this function on the gateway.

Attack Defense Function: Gratuitous ARP packet sending
Description: This function allows the device used as the gateway to periodically send ARP
Request packets with its IP address as the destination IP address to update the gateway MAC
address in ARP entries. This function ensures that packets of authorized users are forwarded to
the gateway and prevents hackers from intercepting these packets.
Deployment: You are advised to enable this function on the gateway.

Attack Defense Function: MAC address consistency check in an ARP packet
Description: This function defends against attacks from bogus ARP packets in which the source
and destination MAC addresses are different from those in the Ethernet frame header.
Deployment: You are advised to enable this function on the gateway.

Attack Defense Function: ARP packet validity check
Description: This function allows the device to filter out packets in which the source MAC
addresses are different from those in the Ethernet frame header.
Deployment: You are advised to enable this function on the gateway or an access device.

Attack Defense Function: Strict ARP learning
Description: This function allows the device to learn only ARP entries for ARP Reply packets
in response to ARP Request packets sent by itself. This prevents the device from incorrectly
updating ARP entries for the received bogus ARP packets.
Deployment: You are advised to enable this function on the gateway.


Benefits
l Reduces maintenance costs for network operating and security.
l Provides users with stable services on a secure network.

9.2 Principles
This section describes the implementation of ARP Security.

9.2.1 Rate Limit on ARP Packets

The device does not have sufficient CPU resources to process other services while it is
processing a large number of ARP packets. To protect the CPU resources of the device, limit the
rate of ARP packets.

The device provides the following mechanisms for limiting the rate of ARP packets:

l Limiting the rate of ARP packets based on the source MAC address or source IP address
When detecting that a host sends a large number of ARP packets in a short period, the
device limits the rate of ARP packets sent from this host based on the source MAC address
or source IP address. If the number of ARP packets received within 1 second exceeds the
threshold, the device discards the excess ARP packets.
Limiting the rate of ARP packets based on the source MAC address: If a MAC address
is specified, the device applies the rate limit to ARP packets from this source MAC
address; otherwise, the device applies the rate limit to all ARP packets.
Limiting the rate of ARP packets based on the source IP address: If an IP address is
specified, the device applies the rate limit to ARP packets from this source IP address;
otherwise, the device applies the rate limit to all ARP packets.
l Limiting the rate of ARP packets on a VLANIF interface of a super-VLAN
A VLANIF interface of a super-VLAN is triggered to learn ARP entries in the following
scenarios:
The VLANIF interface receives IP packets triggering ARP Miss messages. For details
about ARP Miss messages, see 9.2.2 Rate Limit on ARP Miss Messages.
The VLANIF interface enabled with ARP proxy receives ARP packets with the
destination IP address matching proxy conditions but matching no ARP entry.
The VLANIF interface replicates ARP Request packets in each sub-VLAN when learning
ARP entries. If a large number of sub-VLANs are configured for the super-VLAN, the
device generates a large number of ARP Request packets. As a result, the CPU is busy
processing ARP Request packets, and other services are affected. To prevent this problem,
limit the rate of ARP packets on the VLANIF interface of a super-VLAN.
l Limiting the rate of ARP packets globally or on an interface
The maximum rate and rate limit duration of ARP packets can be set globally or on an
interface. When both are configured, the configuration on an interface takes precedence over
the global configuration.
Limiting the rate of ARP packets globally: limits the number of ARP packets to be
processed by the system. When an ARP attack occurs, the device limits the rate of ARP
packets globally.


Limiting the rate of ARP packets on an interface: limits the number of ARP packets to
be processed on an interface. The configuration on an interface does not affect ARP
entry learning on other interfaces.

9.2.2 Rate Limit on ARP Miss Messages

If a host sends a large number of IP packets with unresolvable destination IP addresses to attack
a device, that is, if the device has a route to the destination IP address of a packet but has no
ARP entry matching the next hop of the route, the device triggers a large number of ARP Miss
messages. IP packets triggering ARP Miss messages are sent to the master control board for
processing. The device generates a large number of temporary ARP entries and sends many ARP
Request packets to the network, consuming a large number of CPU and bandwidth resources.

To avoid the preceding problems, the device provides multiple techniques to limit the rate on
ARP Miss messages.

l Limiting the rate of ARP Miss messages based on the source IP address
If the number of ARP Miss messages triggered by IP packets from a source IP address in
1 second exceeds the limit, the device considers that an attack is initiated from the source
IP address.
If a source IP address is specified, the rate of ARP Miss messages triggered by IP packets
from the source IP address is limited. If no source IP address is specified, the rate of ARP
Miss messages triggered by IP packets from each source IP address is limited.
l Limiting the rate of ARP Miss messages globally
The device can limit the number of ARP Miss messages processed by the system.
l Limiting the rate of ARP Miss messages by setting the aging time of temporary ARP entries
When IP packets trigger ARP Miss messages, the device generates temporary ARP entries
and sends ARP Request packets to the destination network.
In the aging time of temporary ARP entries:
An IP packet that is received before the ARP Reply packet and matches a temporary
ARP entry is discarded and triggers no ARP Miss message.
After receiving the ARP Reply packet, the device generates a correct ARP entry to
replace the temporary entry.
When temporary ARP entries age out, the device clears them. If no ARP entry matches
the IP packets forwarded by the device, ARP Miss messages are triggered again and
temporary ARP entries are regenerated. This process continues.
When ARP Miss attacks occur on the device, you can extend the aging time of temporary
ARP entries and reduce the frequency of triggering ARP Miss messages to minimize the
impact on the device.
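The two rate-limit mechanisms above (per-source ARP packet limiting in 9.2.1 and ARP Miss limiting with temporary entries in 9.2.2) can be modelled together. The following is an added example written for this guide, not Huawei code and not the router's implementation: class and function names (PerSourceLimiter, ArpMissGuard, arp_requests_for_flow), the 1-second window bookkeeping, and the reading that "no source specified" means every source is limited individually are the author's assumptions; the packet stream is constructed inline.

```python
class PerSourceLimiter:
    """Counts events per source key inside 1-second windows and reports
    whether the current event is still within the configured threshold.

    Assumption (not stated in the guide): when a specific source is
    configured, only that source is limited; when none is configured, every
    source is limited individually against the same threshold.
    """

    def __init__(self, threshold, only_source=None):
        self.threshold = threshold
        self.only_source = only_source
        self._window = {}  # key -> (window_start_second, count)

    def allow(self, key, now):
        if self.only_source is not None and key != self.only_source:
            return True
        second = int(now)
        start, count = self._window.get(key, (second, 0))
        if start != second:          # a new 1-second window: reset the counter
            start, count = second, 0
        count += 1
        self._window[key] = (start, count)
        return count <= self.threshold


def filter_arp_packets(packets, threshold, key="src_mac", only_source=None):
    """Applies a source-MAC or source-IP ARP rate limit to a packet stream.
    packets: dicts with 'time', 'src_mac' and 'src_ip'. Returns (accepted, dropped)."""
    limiter = PerSourceLimiter(threshold, only_source)
    accepted = dropped = 0
    for pkt in packets:
        if limiter.allow(pkt[key], pkt["time"]):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


def sample_burst():
    """Constructed sample: one host sends 10 ARP packets within one second,
    a second host sends 3 in the same second."""
    burst = [{"time": i / 10, "src_mac": "00-00-00-0a-0a-0a", "src_ip": "10.1.1.10"}
             for i in range(10)]
    normal = [{"time": 0.05 + i / 10, "src_mac": "00-00-00-0b-0b-0b", "src_ip": "10.1.1.11"}
              for i in range(3)]
    return sorted(burst + normal, key=lambda p: p["time"])


class ArpMissGuard:
    """Models ARP Miss handling: a per-source-IP ARP Miss rate limit plus
    temporary ARP entries that absorb further packets to the same unresolved
    address until the entry ages out."""

    def __init__(self, miss_threshold, temp_aging):
        self.limiter = PerSourceLimiter(miss_threshold)
        self.temp_aging = temp_aging        # lifetime of a temporary entry, seconds
        self.temp_entries = {}              # dst_ip -> expiry time
        self.arp_requests_sent = 0
        self.dropped_by_limit = 0
        self.dropped_by_temp_entry = 0

    def forward(self, src_ip, dst_ip, now):
        """Handles one IP packet whose next hop has no ARP entry yet."""
        expiry = self.temp_entries.get(dst_ip)
        if expiry is not None and now < expiry:
            # Inside the aging time: the packet matches the temporary entry,
            # is discarded, and triggers no new ARP Miss message.
            self.dropped_by_temp_entry += 1
            return "temp-entry-drop"
        if not self.limiter.allow(src_ip, now):
            self.dropped_by_limit += 1
            return "miss-rate-limited"
        # ARP Miss: create a temporary entry and send one ARP Request.
        self.temp_entries[dst_ip] = now + self.temp_aging
        self.arp_requests_sent += 1
        return "arp-miss"


def arp_requests_for_flow(rate_pps, duration_s, temp_aging, miss_threshold=1000):
    """One host sends rate_pps packets/s to one unresolvable address for
    duration_s seconds; returns how many ARP Requests the gateway emits.
    Shows why a longer temporary-entry aging time lowers the ARP Miss load."""
    guard = ArpMissGuard(miss_threshold, temp_aging)
    for i in range(rate_pps * duration_s):
        guard.forward("10.1.1.9", "10.1.2.200", i / rate_pps)
    return guard.arp_requests_sent
```

With a 1-second aging time the gateway sends one ARP Request per second for a 100 pps flow to an unresolvable address; with a 5-second aging time it sends one every 5 seconds, which is the effect described in the last paragraph above.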

9.2.3 Strict ARP Learning

If many users send a large number of ARP packets to a device at the same time, or attackers
send bogus ARP packets to the device, the following problems occur:

l Many CPU resources are consumed to process a large number of ARP packets. The device
learns many invalid ARP entries, which exhaust ARP entry resources and prevent the device


from learning ARP entries for ARP packets from authorized users. Consequently,
communication of authorized users is interrupted.
l After receiving bogus ARP packets, the device incorrectly modifies the ARP entries. As a
result, authorized users cannot communicate with each other.

To avoid the preceding problems, deploy the strict ARP learning function on the gateway.

After the strict ARP learning function is enabled, the device learns only ARP entries for ARP
Reply packets in response to ARP Request packets sent by itself. In this way, the device can
defend against most ARP attacks.

Figure 9-1 Strict ARP learning

[Figure: UserA, UserB, and UserC connect to the Gateway, which connects to the Internet.
Callouts: "The gateway responds to ARP Request packets from User A but does not learn the
packets" and "The gateway learns only the ARP Reply packets in response to the ARP Request
packets sent by itself".]

As shown in Figure 9-1, after receiving an ARP Request packet from UserA, the gateway sends
an ARP Reply packet to UserA and adds or updates an ARP entry matching UserA. After the
strict ARP learning function is enabled on the gateway:
l When receiving an ARP Request packet from UserA, the gateway adds or updates no ARP
entry matching UserA. If the ARP Request packet requests the MAC address of the
gateway, the gateway sends an ARP Reply packet to UserA.
l If the gateway sends an ARP Request packet to UserB, the gateway adds or updates an
ARP entry matching UserB after receiving the ARP Reply packet.

9.2.4 ARP Entry Limiting

The ARP entry limiting function controls the number of ARP entries that a gateway interface
can learn. By default, the number of ARP entries that an interface can dynamically learn is the
same as the default number of ARP entries supported by the device. After the ARP entry limiting
function is deployed, if the number of ARP entries that a specified interface dynamically learned
reaches the maximum, the interface cannot learn any ARP entry. This prevents ARP entries from
being exhausted when a host connecting to this interface initiates ARP attacks.
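The strict learning rule of 9.2.3 and the per-interface entry limit of 9.2.4 both act on the same gateway ARP table, so one model covers both. This is an added example, not code from the guide or from Huawei: the GatewayArpTable class, its pending-request set, the result strings, and the replay of Figure 9-1 are the author's constructions; interface names and MAC addresses are made up.

```python
class GatewayArpTable:
    """Gateway ARP table with optional strict learning (9.2.3) and a
    per-interface dynamic entry limit (9.2.4)."""

    def __init__(self, gateway_ip, strict_learning=False, per_interface_limit=None):
        self.gateway_ip = gateway_ip
        self.strict_learning = strict_learning
        self.per_interface_limit = per_interface_limit   # None: no limit in this model
        self.entries = {}          # ip -> (mac, interface)
        self.pending = set()       # IPs the gateway itself has sent a Request for
        self.replies_sent = []     # IPs the gateway answered with an ARP Reply

    def _learn(self, ip, mac, iface):
        """Adds or updates a dynamic entry; refuses a new entry once the
        interface has reached its limit (updates of existing entries are free)."""
        if ip not in self.entries and self.per_interface_limit is not None:
            on_iface = sum(1 for _, i in self.entries.values() if i == iface)
            if on_iface >= self.per_interface_limit:
                return "limit-reached"
        self.entries[ip] = (mac, iface)
        return "learned"

    def send_request(self, target_ip):
        """The gateway resolves target_ip itself; a Reply is now expected."""
        self.pending.add(target_ip)

    def receive(self, pkt):
        """pkt: dict with op ('request'|'reply'), sender_ip, sender_mac,
        target_ip and iface. Returns the learning result."""
        if pkt["op"] == "request":
            if pkt["target_ip"] == self.gateway_ip:
                self.replies_sent.append(pkt["sender_ip"])   # still answered
            if self.strict_learning:
                return "not-learned"    # strict: Requests never create entries
            return self._learn(pkt["sender_ip"], pkt["sender_mac"], pkt["iface"])
        if pkt["op"] == "reply":
            if self.strict_learning and pkt["sender_ip"] not in self.pending:
                return "not-learned"    # unsolicited Reply: ignored
            self.pending.discard(pkt["sender_ip"])
            return self._learn(pkt["sender_ip"], pkt["sender_mac"], pkt["iface"])
        return "not-learned"


def request(sender_ip, sender_mac, target_ip, iface="GE0/0/1"):
    return {"op": "request", "sender_ip": sender_ip, "sender_mac": sender_mac,
            "target_ip": target_ip, "iface": iface}


def reply(sender_ip, sender_mac, target_ip, iface="GE0/0/1"):
    return {"op": "reply", "sender_ip": sender_ip, "sender_mac": sender_mac,
            "target_ip": target_ip, "iface": iface}


def strict_learning_scenario():
    """Constructed replay of Figure 9-1 with strict learning enabled.
    Returns the list of results and the final table."""
    gw = GatewayArpTable("10.1.1.1", strict_learning=True)
    results = []
    # UserA asks for the gateway MAC: answered, but not learned.
    results.append(gw.receive(request("10.1.1.2", "00-00-00-02-02-02", "10.1.1.1")))
    # The gateway resolves UserB itself; UserB's Reply is learned.
    gw.send_request("10.1.1.3")
    results.append(gw.receive(reply("10.1.1.3", "00-00-00-03-03-03", "10.1.1.1")))
    # An unsolicited Reply (bogus or part of a flood) is ignored.
    results.append(gw.receive(reply("10.1.1.50", "00-00-00-05-05-05", "10.1.1.1")))
    return results, gw


def entry_limit_scenario(limit=2):
    """Constructed: three hosts on one interface and one on another, with a
    per-interface limit; the last packet only updates an existing entry."""
    gw = GatewayArpTable("10.1.1.1", per_interface_limit=limit)
    results = [gw.receive(request("10.1.1.%d" % n, "00-00-00-00-00-%02x" % n, "10.1.1.1"))
               for n in (10, 11, 12)]
    results.append(gw.receive(request("10.1.1.20", "00-00-00-00-00-14", "10.1.1.1",
                                      iface="GE0/0/2")))
    results.append(gw.receive(request("10.1.1.10", "00-00-00-00-00-0a", "10.1.1.1")))
    return results, gw
```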

9.2.5 ARP Entry Fixing


As shown in Figure 9-2, an attacker simulates UserA to send a bogus ARP packet to the gateway.
The gateway then records an incorrect ARP entry for UserA. As a result, UserA cannot
communicate with the gateway.

Figure 9-2 ARP gateway spoofing attack

[Figure: UserA (IP 10.1.1.2, MAC 2-2-2) connects through a Switch to the Gateway (IP 10.1.1.1,
MAC 1-1-1), which connects to the Internet. The Attacker (IP 10.1.1.3, MAC 3-3-3) sends bogus
ARP packets claiming "The MAC address of UserA is 5-5-5". ARP entry of the gateway: 10.1.1.2 /
MAC 2-2-2 / Dynamic is updated to 10.1.1.2 / MAC 5-5-5 / Dynamic. Callouts: "Bogus ARP packets
sent by an attacker who forges the gateway address", "Data sent to UserA through the gateway
from the Internet", "Communication is blocked".]

To defend against ARP gateway spoofing attacks, deploy the ARP entry fixing function on the
gateway. After the gateway with this function enabled learns an ARP entry for the first time, it
does not change the ARP entry, only updates part of the entry, or sends a unicast ARP Request
packet to check validity of the ARP packet for updating the entry.

The device supports three ARP entry fixing modes, as described in Table 9-3.

Table 9-3 ARP entry fixing modes

Mode: fixed-all
Description: When receiving an ARP packet, the device discards the packet if the MAC address,
interface number, or VLAN ID matches no ARP entry. This mode applies to networks where user MAC
addresses and user access locations are fixed.


Mode: fixed-mac
Description: When receiving an ARP packet, the device discards the packet if the MAC address
does not match the MAC address in the corresponding ARP entry. If the MAC address in the ARP
packet matches that in the corresponding ARP entry while the interface number or VLAN ID does
not match that in the ARP entry, the device updates the interface number or VLAN ID in the ARP
entry. This mode applies to networks where user MAC addresses are unchanged but user access
locations often change.

Mode: send-ack
Description: When the device receives ARP packet A with a changed MAC address, interface
number, or VLAN ID, it does not immediately update the corresponding ARP entry. Instead, the
device sends a unicast ARP Request packet to the user with the IP address mapped to the original
MAC address in the ARP entry, and then determines whether to change the MAC address, VLAN ID,
or interface number in the ARP entry depending on the response from the user.
l If the device receives ARP Reply packet B within 3 seconds, and the IP address, MAC address,
interface number, and VLAN ID of the ARP entry are the same as those in ARP Reply packet B,
the device considers ARP packet A as an attack packet and does not update the ARP entry.
l If the device receives no ARP Reply packet within 3 seconds or the IP address, MAC address,
interface number, and VLAN ID of the ARP entry are different from those in ARP Reply packet
B, the device sends a unicast ARP Request packet to the user with the IP address mapped to the
original MAC address again.
  If the device receives ARP Reply packet C within 3 seconds, and the IP address, MAC address,
  interface number, and VLAN ID of ARP packet A are the same as those in ARP Reply packet C,
  the device considers ARP packet A as a valid packet and updates the ARP entry based on ARP
  packet A.
  If the device receives no ARP Reply packet within 3 seconds or the IP address, MAC address,
  interface number, and VLAN ID of ARP packet A are different from those in ARP Reply packet
  C, the device considers ARP packet A as an attack packet and does not update the ARP entry.
This mode applies to networks where user MAC addresses and user access locations often change.
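The three fixing modes in Table 9-3 differ only in what they do when a received packet disagrees with the stored entry. The following added example (the author's own model, not Huawei code) expresses each mode as a decision function over an (IP, MAC, interface, VLAN) tuple. The ArpInfo type, the result strings, and scripted_probe, which stands in for the unicast ARP Request and its 3-second wait, are the author's assumptions; the entries replay Figure 9-2 with constructed MAC addresses.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpInfo:
    """IP/MAC/interface/VLAN tuple, used both for a stored ARP entry and for
    the sender fields of a received ARP packet."""
    ip: str
    mac: str
    iface: str
    vlan: int


def fixed_all(entry, pkt):
    """Discard when the MAC address, interface number, or VLAN ID differs."""
    if (pkt.mac, pkt.iface, pkt.vlan) != (entry.mac, entry.iface, entry.vlan):
        return "discard", entry
    return "accept", entry


def fixed_mac(entry, pkt):
    """Discard on a MAC change; a changed interface/VLAN with the same MAC
    only updates the location fields of the entry."""
    if pkt.mac != entry.mac:
        return "discard", entry
    if (pkt.iface, pkt.vlan) != (entry.iface, entry.vlan):
        return "update-location", ArpInfo(entry.ip, entry.mac, pkt.iface, pkt.vlan)
    return "accept", entry


def send_ack(entry, pkt_a, probe):
    """probe(entry) stands in for the unicast ARP Request sent to the user at
    the ORIGINAL MAC address in the entry. It returns the ArpInfo seen in the
    Reply, or None when no Reply arrives within 3 seconds (the timer lives
    inside probe() in this model). At most two probes are sent, as in Table 9-3."""
    if (pkt_a.mac, pkt_a.iface, pkt_a.vlan) == (entry.mac, entry.iface, entry.vlan):
        return "accept", entry            # nothing changed, no check needed
    reply_b = probe(entry)
    if reply_b == entry:
        return "discard", entry           # original owner still answers: A is an attack
    reply_c = probe(entry)                # ask once more
    if reply_c is not None and reply_c == pkt_a:
        return "update", pkt_a            # the user really changed: A is valid
    return "discard", entry


def apply_fixing(mode, entry, pkt, probe=None):
    """Dispatches on the configured ARP entry fixing mode; returns (verdict, entry)."""
    if mode == "fixed-all":
        return fixed_all(entry, pkt)
    if mode == "fixed-mac":
        return fixed_mac(entry, pkt)
    if mode == "send-ack":
        return send_ack(entry, pkt, probe)
    raise ValueError("unknown fixing mode: %s" % mode)


def scripted_probe(replies):
    """Builds a probe that returns the scripted Replies in order (constructed
    stand-in for the real unicast check; None means no Reply in 3 seconds)."""
    queue = list(replies)

    def probe(_entry):
        return queue.pop(0) if queue else None
    return probe


# Constructed entries matching Figure 9-2: UserA is 10.1.1.2 / 2-2-2; the
# attacker tries to rewrite it to 5-5-5; MOVED_A is UserA on another port.
USER_A = ArpInfo("10.1.1.2", "00-00-00-02-02-02", "GE0/0/1", 10)
ATTACK_A = ArpInfo("10.1.1.2", "00-00-00-05-05-05", "GE0/0/1", 10)
MOVED_A = ArpInfo("10.1.1.2", "00-00-00-02-02-02", "GE0/0/2", 10)
```

fixed-all rejects both the spoofed MAC and a genuine port move, fixed-mac rejects only the spoofed MAC, and send-ack is the only mode that lets a MAC change through, and only when the original owner no longer answers and a second check confirms the new binding.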

9.2.6 DAI

A man-in-the-middle (MITM) attack is a common ARP spoofing attack.

Figure 9-3 shows an MITM attack scenario. An attacker simulates UserB to send a bogus ARP
packet to UserA. UserA then records an incorrect ARP entry for UserB. The attacker easily


obtains information exchanged between UserA and UserB. Information security between UserA
and UserB is not protected.

Figure 9-3 Man-in-the-middle attack

[Figure: UserA (IP 10.1.1.1, MAC 1-1-1), the Attacker (IP 10.1.1.2, MAC 2-2-2), and UserB
(IP 10.1.1.3, MAC 3-3-3) connect to the Router, which connects to the Internet. Callouts:
"Bogus ARP packets sent to UserA by an attacker who simulates UserB" and "Bogus ARP packets
sent to UserB by an attacker who simulates UserA". ARP entry of UserA: 10.1.1.3 / MAC 3-3-3 /
Dynamic is updated to 10.1.1.3 / MAC 2-2-2 / Dynamic. ARP entry of UserB: 10.1.1.1 / MAC 1-1-1 /
Dynamic is updated to 10.1.1.1 / MAC 2-2-2 / Dynamic.]

To defend against MITM attacks, deploy Dynamic ARP Inspection (DAI) on the Router.

DAI defends against MITM attacks using DHCP snooping. When a device receives an ARP
packet, it compares the source IP address, source MAC address, interface number, and VLAN
ID of the ARP packet with binding entries. If the ARP packet matches a binding entry, the device
considers the ARP packet valid and allows the packet to pass through. If the ARP packet matches
no binding entry, the device considers the ARP packet invalid and discards the packet.

NOTE

This function is available only when DHCP snooping is configured. The device enabled with DHCP snooping
generates DHCP snooping binding entries when DHCP users go online. If a user uses a static IP address, you
need to manually configure a static binding entry for the user. For details about DHCP snooping, see description
in 10.2.1 Basic Principles.

When an attacker connects to the Router enabled with DAI and sends bogus ARP packets, the
Router detects the attacks based on the binding entries and discards the bogus ARP packets.
When both the DAI and packet discarding alarm functions are enabled on the Router, the
Router generates alarms when the number of discarded ARP packets matching no binding entry
exceeds the alarm threshold.
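The DAI check and the discard alarm described above, as an added example written for this guide (not Huawei code and not the router's implementation). On a real device the binding table is filled by DHCP snooping; here it is constructed inline, a static binding is added for a fixed-IP host, and the alarm is raised on the first discard beyond the threshold, which is the author's reading of "exceeds". Class and function names, MAC addresses and interface names are made up.

```python
class DynamicArpInspection:
    """DAI check against a binding table plus the packet-discard alarm."""

    def __init__(self, bindings, alarm_threshold):
        self.bindings = set(bindings)       # (ip, mac, iface, vlan) tuples
        self.alarm_threshold = alarm_threshold
        self.discarded = 0
        self.alarms = []

    def add_static_binding(self, ip, mac, iface, vlan):
        """For a host with a static IP address that never goes through DHCP."""
        self.bindings.add((ip, mac, iface, vlan))

    def inspect(self, pkt):
        key = (pkt["src_ip"], pkt["src_mac"], pkt["iface"], pkt["vlan"])
        if key in self.bindings:
            return "pass"
        self.discarded += 1
        # Alarm once the number of discarded packets exceeds the threshold
        # (raised on the first packet beyond the threshold in this model).
        if self.discarded == self.alarm_threshold + 1:
            self.alarms.append("ARP packets discarded by DAI exceeded %d"
                               % self.alarm_threshold)
        return "discard"


def constructed_bindings():
    """DHCP snooping bindings for the three hosts of Figure 9-3."""
    return {
        ("10.1.1.1", "00-00-00-01-01-01", "GE0/0/1", 10),
        ("10.1.1.2", "00-00-00-02-02-02", "GE0/0/2", 10),
        ("10.1.1.3", "00-00-00-03-03-03", "GE0/0/3", 10),
    }


def constructed_traffic():
    """Two genuine ARP packets, then the host on GE0/0/2 claims UserB's and
    UserA's IP addresses with its own MAC (the MITM pattern), and finally a
    static-IP host that has no DHCP binding."""
    def pkt(ip, mac, iface):
        return {"src_ip": ip, "src_mac": mac, "iface": iface, "vlan": 10}
    return [
        pkt("10.1.1.1", "00-00-00-01-01-01", "GE0/0/1"),
        pkt("10.1.1.3", "00-00-00-03-03-03", "GE0/0/3"),
        pkt("10.1.1.3", "00-00-00-02-02-02", "GE0/0/2"),   # claims UserB
        pkt("10.1.1.1", "00-00-00-02-02-02", "GE0/0/2"),   # claims UserA
        pkt("10.1.1.3", "00-00-00-02-02-02", "GE0/0/2"),   # claims UserB again
        pkt("10.1.1.7", "00-00-00-07-07-07", "GE0/0/4"),   # static-IP host
    ]


def run_dai(packets, bindings, alarm_threshold, static=()):
    """Returns (verdict per packet, total discarded, number of alarms)."""
    dai = DynamicArpInspection(bindings, alarm_threshold)
    for binding in static:
        dai.add_static_binding(*binding)
    verdicts = [dai.inspect(p) for p in packets]
    return verdicts, dai.discarded, len(dai.alarms)
```

Without a static binding the legitimate fixed-IP host is discarded together with the spoofed packets, which is the point of the NOTE above: DAI only knows what DHCP snooping (or a manual binding) has told it.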


9.2.7 ARP Gateway Anti-Collision


As shown in Figure 9-4, UserA and UserB connect to the gateway. An attacker forges the
gateway address to send bogus ARP packets to UserA and UserB. UserA and UserB record
incorrect ARP entries for the gateway. As a result, all traffic from UserA and UserB to the
gateway is sent to the attacker and the attacker intercepts user information.

Figure 9-4 ARP gateway collision

[Figure: UserA and UserB connect to the Gateway, which connects to the Internet. Callout:
"Bogus ARP packets sent to other users by an attacker who forges the gateway address".]

To prevent bogus gateway attacks, enable ARP gateway anti-collision on the gateway. The
gateway considers that a gateway collision occurs when a received ARP packet meets either of
the following conditions:

l The source IP address in the ARP packet is the same as the IP address of the VLANIF
interface matching the physical inbound interface of the packet.
l The source IP address in the ARP packet is the virtual IP address of the inbound interface
but the source MAC address in the ARP packet is not the virtual MAC address of the Virtual
Router Redundancy Protocol (VRRP) group.
NOTE

A VRRP group, also called a virtual router, serves as the default gateway for hosts on a LAN. A
virtual router has a virtual MAC address that is generated based on the virtual router ID. The virtual
MAC address is in the format of 00-00-5E-00-01-{VRID}(VRRP). The virtual router sends ARP
Reply packets using the virtual MAC address instead of the interface MAC address.
For details about VRRP, see Basic Concepts of VRRP in the Feature Description Reliability.

The device generates an ARP anti-collision entry and discards the received packets with the
same source MAC address and VLAN ID in a specified period. This function prevents ARP
packets with the bogus gateway address from being broadcast in a VLAN.

In addition, you can enable gratuitous ARP packet sending on the device to send correct
gratuitous ARP packets. The gratuitous ARP packet is broadcast to all users so that incorrect
ARP entries are corrected.
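The two collision conditions and the timed anti-collision entry described above, as an added example written for this guide (not Huawei code). The virtual MAC format 00-00-5E-00-01-{VRID} comes from the NOTE; the GatewayAntiCollision class, its result strings, the interface table and the blocking period are the author's constructions, and the replay of Figure 9-4 uses made-up addresses.

```python
def vrrp_virtual_mac(vrid):
    """Virtual MAC of a VRRP group: 00-00-5E-00-01-{VRID}."""
    return "00-00-5e-00-01-%02x" % vrid


class GatewayAntiCollision:
    """ARP gateway anti-collision: detects ARP packets that claim the gateway's
    own address and blocks the offending (source MAC, VLAN) for a period."""

    def __init__(self, interfaces, block_seconds):
        # interfaces: iface -> {"vlanif_ip": ..., optional "vrrp_vip": ..., "vrid": ...}
        self.interfaces = interfaces
        self.block_seconds = block_seconds
        self.anti_collision = {}    # (src_mac, vlan) -> expiry time
        self.events = []

    def is_collision(self, pkt):
        cfg = self.interfaces[pkt["iface"]]
        # Condition 1: the source IP equals the IP of the VLANIF interface
        # matching the physical inbound interface.
        if pkt["src_ip"] == cfg["vlanif_ip"]:
            return True
        # Condition 2: the source IP is the VRRP virtual IP, but the source
        # MAC is not the group's virtual MAC.
        vip = cfg.get("vrrp_vip")
        if vip is not None and pkt["src_ip"] == vip:
            return pkt["src_mac"].lower() != vrrp_virtual_mac(cfg["vrid"])
        return False

    def handle(self, pkt, now):
        key = (pkt["src_mac"].lower(), pkt["vlan"])
        expiry = self.anti_collision.get(key)
        if expiry is not None and now < expiry:
            return "discard-by-entry"     # still within the blocking period
        if self.is_collision(pkt):
            self.anti_collision[key] = now + self.block_seconds
            self.events.append((now, key, pkt["src_ip"]))
            return "collision"
        return "pass"


# Constructed interface data: VLANIF 10 is 10.1.1.1 and also runs VRRP group 1
# with virtual IP 10.1.1.254.
INTERFACES = {"GE0/0/1": {"vlanif_ip": "10.1.1.1", "vrrp_vip": "10.1.1.254", "vrid": 1}}


def arp(src_ip, src_mac, iface="GE0/0/1", vlan=10):
    return {"src_ip": src_ip, "src_mac": src_mac, "iface": iface, "vlan": vlan}


def anti_collision_scenario(block_seconds=60):
    """Replays Figure 9-4: an attacker at 3-3-3 forges the gateway address."""
    guard = GatewayAntiCollision(INTERFACES, block_seconds)
    return [
        guard.handle(arp("10.1.1.2", "00-00-00-02-02-02"), 0),                  # UserA, genuine
        guard.handle(arp("10.1.1.1", "00-00-00-03-03-03"), 1),                  # attacker forges gateway IP
        guard.handle(arp("10.1.1.3", "00-00-00-03-03-03"), 2),                  # attacker, own IP, still blocked
        guard.handle(arp("10.1.1.254", vrrp_virtual_mac(1)), 3),                # VRRP master, legitimate
        guard.handle(arp("10.1.1.254", "00-00-00-04-04-04"), 4),                # bogus VRRP master
        guard.handle(arp("10.1.1.3", "00-00-00-03-03-03"), 1 + block_seconds),  # block expired
    ]
```

Note that the anti-collision entry is keyed on source MAC and VLAN rather than on the forged IP, so the attacker's later, well-formed packets are also dropped until the period expires.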

9.2.8 Gratuitous ARP Packet Sending


As shown in Figure 9-5, an attacker forges the gateway address to send a bogus ARP packet to
UserA. UserA then records an incorrect ARP entry for the gateway. As a result, the gateway
cannot receive packets from UserA.

Figure 9-5 Bogus gateway attack

[Figure: UserA (IP 10.1.1.2, MAC 2-2-2) connects through a Switch to the Gateway (IP 10.1.1.1,
MAC 1-1-1), which connects to the Internet. The Attacker (IP 10.1.1.3, MAC 3-3-3) sends bogus
ARP packets claiming "The MAC address of the gateway is 3-3-3". ARP entry of UserA: 10.1.1.1 /
MAC 1-1-1 / Dynamic is updated to 10.1.1.1 / MAC 3-3-3 / Dynamic. Callouts: "Bogus ARP packets
sent by an attacker who forges the gateway address", "Data sent from UserA to the gateway",
"Communication is blocked".]

To avoid the preceding problem, deploy gratuitous ARP packet sending on the gateway. Then
the gateway sends gratuitous ARP packets at intervals to update the ARP entries of authorized
users so that the ARP entries contain the correct MAC address of the gateway.

9.2.9 MAC Address Consistency Check in an ARP Packet

This function defends against attacks from bogus ARP packets in which the source and
destination MAC addresses are different from those in the Ethernet frame header.

This function enables the gateway to check the MAC address consistency in an ARP packet
before ARP learning. If the source and destination MAC addresses in an ARP packet are different
from those in the Ethernet frame header, the device discards the packet as an attack. If the source
and destination MAC addresses in an ARP packet are the same as those in the Ethernet frame
header, the device performs ARP learning.

9.2.10 ARP Packet Validity Check

After receiving an ARP packet, the device checks validity of the ARP packet, including:


l Packet length
l Validity of the source and destination MAC addresses in the ARP packet
l ARP Request type and ARP Reply type
l MAC address length
l IP address length
l Whether the ARP packet is an Ethernet frame
The preceding check items are used to determine whether an ARP packet is valid. A packet whose
source MAC address in the ARP packet differs from the source MAC address in the Ethernet frame
header is permitted by the ARP protocol but is possibly an attack packet.

After ARP packet validity check is enabled on the gateway or an access device, the device checks
the source MAC addresses in the ARP packet and Ethernet frame header, and discards the packets
with inconsistent source MAC addresses.
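Both the MAC address consistency check (9.2.9) and the validity check (9.2.10) operate on the raw Ethernet frame and the ARP packet it carries, so one parser serves both. The following is an added example written for this guide, not Huawei code: the frame builder, parser and check functions are the author's own, the treatment of an ARP Request's target MAC (not compared, since it is unused and the frame is broadcast) and the zero/multicast sender-MAC test are the author's assumptions about what "validity of the source and destination MAC addresses" covers, and the sample frames reuse the Figure 9-5 addresses with constructed MACs.

```python
import struct

ETHERTYPE_ARP = 0x0806
ETH_HDR_LEN = 14
ARP_LEN = 28          # hlen 6 + plen 4 layout
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(text):
    """'00-00-00-01-01-01' -> 6 bytes"""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def ip(text):
    return bytes(int(octet) for octet in text.split("."))


def build_arp_frame(eth_dst, eth_src, op, sha, spa, tha, tpa,
                    hlen=6, plen=4, ethertype=ETHERTYPE_ARP):
    """Constructs an Ethernet II frame carrying an ARP packet. The ARP-level
    MACs may deliberately differ from the Ethernet header, which is the shape
    both checks look for."""
    eth = mac(eth_dst) + mac(eth_src) + struct.pack("!H", ethertype)
    arp = (struct.pack("!HHBBH", 1, 0x0800, hlen, plen, op)
           + mac(sha) + ip(spa) + mac(tha) + ip(tpa))
    return eth + arp


def parse_arp_frame(frame):
    """Returns the header fields, or None if the frame is too short."""
    if len(frame) < ETH_HDR_LEN + ARP_LEN:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    return {
        "eth_dst": frame[0:6], "eth_src": frame[6:12],
        "ethertype": struct.unpack("!H", frame[12:14])[0],
        "htype": htype, "ptype": ptype, "hlen": hlen, "plen": plen, "op": op,
        "sha": frame[22:28], "spa": frame[28:32],
        "tha": frame[32:38], "tpa": frame[38:42],
    }


def mac_consistency_check(frame):
    """9.2.9: the sender MAC inside ARP must equal the Ethernet source MAC and,
    for a Reply, the target MAC must equal the Ethernet destination MAC."""
    f = parse_arp_frame(frame)
    if f is None:
        return "discard", "too short to be an ARP packet"
    if f["sha"] != f["eth_src"]:
        return "discard", "sender MAC differs from Ethernet source MAC"
    if f["op"] == ARP_REPLY and f["tha"] != f["eth_dst"]:
        return "discard", "target MAC differs from Ethernet destination MAC"
    return "learn", "consistent"


def arp_validity_check(frame):
    """9.2.10: length, frame type, Request/Reply type, address lengths, MAC
    validity, then the source-MAC comparison with the Ethernet header."""
    f = parse_arp_frame(frame)
    if f is None:
        return "discard", "packet length"
    if f["ethertype"] != ETHERTYPE_ARP:
        return "discard", "not an ARP Ethernet frame"
    if f["op"] not in (ARP_REQUEST, ARP_REPLY):
        return "discard", "ARP type is neither Request nor Reply"
    if f["hlen"] != 6:
        return "discard", "MAC address length"
    if f["plen"] != 4:
        return "discard", "IP address length"
    if f["sha"] == bytes(6) or f["sha"][0] & 1:
        return "discard", "sender MAC is zero or multicast"
    if f["sha"] != f["eth_src"]:
        return "discard", "source MAC differs from Ethernet frame header"
    return "valid", "ok"


# Constructed frames for the Figure 9-5 topology (gateway 10.1.1.1 / 1-1-1,
# UserA 10.1.1.2 / 2-2-2, attacker 10.1.1.3 / 3-3-3).
BCAST = "ff-ff-ff-ff-ff-ff"
GENUINE_REQUEST = build_arp_frame(BCAST, "00-00-00-02-02-02", ARP_REQUEST,
                                  "00-00-00-02-02-02", "10.1.1.2",
                                  "00-00-00-00-00-00", "10.1.1.1")
# The attacker's NIC sends the frame (3-3-3) but the ARP payload claims 1-1-1
# for the gateway IP: the header and payload disagree.
SPOOFED_REPLY = build_arp_frame("00-00-00-02-02-02", "00-00-00-03-03-03", ARP_REPLY,
                                "00-00-00-01-01-01", "10.1.1.1",
                                "00-00-00-02-02-02", "10.1.1.2")
```

The validity check returns the first failing item, so the reason string tells an operator which of the listed check items rejected the packet.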

9.3 Applications
This section describes the applicable scenario of ARP Security.

9.3.1 Defense Against ARP Flood Attacks


As shown in Figure 9-6, hosts connect to the gateway to access the Internet using SwitchA and
SwitchB. If a large number of ARP packets are broadcast on the network, the device cannot
process other services due to CPU overload. An ARP flood occupies high bandwidth and leads
to network congestion, affecting network communication.


Figure 9-6 Defending against ARP flood attacks

[Figure: The Gateway connects to the Internet; SwitchA and SwitchB connect to the Gateway;
UserA, UserB, UserC, UserD, and the Attacker connect to the switches.]

To avoid the preceding problems, deploy ARP flood defense functions on the gateway, including
rate limit on ARP packets, rate limit on ARP Miss messages, strict ARP learning, and ARP entry
limit.

l After rate limit on ARP packets is deployed, the gateway collects statistics on received
ARP packets. If the number of ARP packets received within a specified period exceeds the
threshold (the maximum number of ARP packets), the gateway discards the excess ARP
packets to prevent CPU overload.
l After rate limit on ARP Miss messages is deployed, the gateway collects statistics on
ARP Miss messages. If the number of ARP Miss messages generated within a specified
period exceeds the threshold (the maximum number of ARP Miss messages), the gateway
discards the IP packets triggering the excess ARP Miss messages. This prevents CPU
overload when the gateway processes a large number of IP packets with unresolvable IP
addresses.
l After strict ARP learning is deployed, the gateway learns only the ARP Reply packets in
response to the ARP Request packets sent by itself. This prevents ARP entries on the
gateway from being exhausted when the gateway processes many ARP packets.
l After ARP entry limit is deployed, the gateway limits the number of ARP entries
dynamically learned by each interface. When the number of the ARP entries dynamically
learned by an interface reaches the maximum number, no dynamic entry can be added. This
prevents ARP entries from being exhausted when a host connected to the interface attacks
the gateway.


9.3.2 Defense Against ARP Spoofing Attacks


As shown in Figure 9-7, UserA, UserB, and UserC use Switch to connect to the gateway to
access the Internet.

Generally, when UserA, UserB, and UserC go online and exchange ARP packets, ARP entries
are created on UserA, UserB, UserC, and the gateway. At the same time, an attacker can send
bogus ARP packets to UserA, UserB, UserC, or the gateway in the broadcast domain to modify
ARP entries, intercept information, and interrupt communication.

Figure 9-7 Defending against ARP spoofing attacks

[Figure 9-7: UserA, UserB, UserC and an Attacker connect through Switch to the Gateway, which connects to the Internet.]

To avoid the preceding problems, deploy ARP spoofing defense functions on the gateway,
including ARP entry fixing, strict ARP learning, and gratuitous ARP packet sending.

l After ARP entry fixing is deployed and the gateway learns an ARP entry for the first time,
the gateway does not change the ARP entry, only updates part of the entry, or sends a unicast
ARP Request packet to check validity of the ARP packet for updating the entry. This
function prevents ARP entries from being modified by bogus ARP packets.
l After strict ARP learning is deployed, the gateway learns only the ARP Reply packets in
response to the ARP Request packets sent by itself. This prevents ARP entries from being
modified by bogus ARP packets.
l After gratuitous ARP packet sending is deployed, the gateway periodically sends ARP
Request packets with its IP address as the destination IP address to update the gateway
MAC address in ARP entries. This function ensures that packets of authorized users are
forwarded to the gateway and prevents hackers from intercepting these packets.


9.4 Default Configuration


This section describes the ARP security default configuration. You can change the configuration
based on the site requirements.

Table 9-4 describes the default ARP security configuration.

Table 9-4 Default ARP security configuration

Parameter | Default Setting
Rate limit on ARP packets based on the source MAC address | If the rate of ARP packets from each source MAC address is set to 0, the rate of ARP packets is not limited based on the source MAC address.
Rate limit on ARP packets based on the source IP address | The device allows a maximum of 5 ARP packets from the same source IP address to pass through in 1 second.
Rate limit on ARP packets globally or on an interface | Disabled
Maximum rate and rate limit duration of ARP packets globally or on an interface | The device allows a maximum of 100 ARP packets to pass through in 1 second.
Alarm of ARP packets discarded when the rate limit is exceeded globally or on an interface | Disabled
Alarm threshold of ARP packets discarded when the rate limit is exceeded globally or on an interface | 100
Maximum rate of broadcasting ARP Request packets on the VLANIF interface of the super-VLAN | 1000 pps
Rate limit on ARP Miss messages based on the source IP address | The device can process a maximum of 5 ARP Miss messages triggered by IP packets from the same source IP address.
Rate limit on ARP Miss messages globally | Disabled
Maximum rate and rate limit duration of ARP Miss messages globally | The device can process a maximum of 100 ARP Miss messages in 1 second.
Alarm of ARP Miss messages discarded when the rate limit is exceeded globally | Disabled
Alarm threshold of ARP Miss messages discarded when the rate limit is exceeded globally | 100


Aging time of temporary ARP entries | 1 second
Strict ARP learning | Disabled
Interface-based ARP entry limit | The maximum number of ARP entries that an interface can dynamically learn is the same as the number of ARP entries supported by the device.
ARP entry fixing | Disabled
DAI | Disabled
ARP gateway anti-collision | Disabled
Gratuitous ARP packet sending | Disabled
Interval for sending gratuitous ARP packets | 90 seconds
MAC address consistency check in an ARP packet | Disabled
ARP packet validity check | Disabled

9.5 Configuring ARP Security


This section describes the procedures for configuring ARP security.

9.5.1 Configuring Defense Against ARP Flood Attacks


Configuring defense against ARP flood attacks prevents ARP entry exhaustion and CPU overload,
and ensures user communication.

Pre-configuration Tasks
Before configuring defense against ARP flood attacks, complete the following task:

l Connecting interfaces and setting physical parameters for the interfaces to ensure that the
physical status of the interfaces is Up

Configuration Process
Operations in the configuration process can be performed in any sequence as required.

NOTE

When rate limit on ARP packets is configured globally or on an interface and rate limit on ARP packets based
on the source MAC address or source IP address is also configured, the smallest rate is used.
When rate limit on ARP Miss messages is configured globally or on an interface and rate limit on ARP Miss
messages based on the source MAC address or source IP address is also configured, the smallest rate is used.


9.5.1.1 Configuring Rate Limit on ARP Packets based on the Source MAC Address

Context
When processing a large number of ARP packets with fixed source MAC addresses but variable
IP addresses, the CPU is overloaded and ARP entries are exhausted.

To prevent this problem, limit the rate of ARP packets based on the source MAC address. The
device collects statistics on ARP packets from a specified source MAC address. If the number
of ARP packets from the specified source MAC address in 1 second exceeds the threshold, the
device discards the excess ARP packets.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Configuring rate limit on ARP packets based on the source MAC address
l Run:
arp speed-limit source-mac maximum maximum

The maximum rate of ARP packets from a source MAC address is set.
l Run:
arp speed-limit source-mac mac-address maximum maximum

The maximum rate of ARP packets from a specified source MAC address is set.

When the preceding configurations are both performed, the maximum rate set using the arp
speed-limit source-mac mac-address maximum maximum command takes effect on ARP
packets from the specified source MAC address, and the maximum rate set using the arp speed-
limit source-mac maximum maximum command takes effect on ARP packets from other source
MAC addresses.

By default, the maximum rate of ARP packets from each source MAC address is set to 0, that
is, the rate of ARP packets is not limited based on the source MAC address.

----End

9.5.1.2 Configuring Rate Limit on ARP Packets based on the Source IP Address

Context
When processing a large number of ARP packets with fixed IP addresses, the CPU is overloaded
and cannot process other services.

To prevent this problem, limit the rate of ARP packets based on the source IP address. The device
collects statistics on ARP packets from a specified source IP address. If the number of ARP
packets from the specified source IP address in 1 second exceeds the threshold, the device
discards the excess ARP packets.


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Configuring rate limit on ARP packets based on the source IP address
l Run:
arp speed-limit source-ip maximum maximum

The maximum rate of ARP packets from a source IP address is set.


l Run:
arp speed-limit source-ip ip-address maximum maximum

The maximum rate of ARP packets from a specified source IP address is set.

When the preceding configurations are both performed, the maximum rate set using the arp
speed-limit source-ip ip-address maximum maximum command takes effect on ARP packets
from the specified source IP address, and the maximum rate set using the arp speed-limit
source-ip maximum maximum command takes effect on ARP packets from other source IP
addresses.

By default, the device allows a maximum of 5 ARP packets from the same source IP address to
pass through in 1 second.

----End

9.5.1.3 Configuring Rate Limit on ARP Packets Globally or on an Interface

Context
The device does not have sufficient CPU resources to process other services while processing a large
number of ARP packets. To protect the CPU resources of the device, limit the rate of ARP packets.

After rate limit on ARP packets is enabled, set the maximum rate and rate limit duration of ARP
packets globally or on an interface. In the rate limit duration, if the number of received ARP
packets exceeds the limit, the device discards the excess ARP packets.
l Limiting the rate of ARP packets globally: limits the number of ARP packets to be
processed by the system. When an ARP attack occurs, the device limits the rate of ARP
packets globally.
l Limiting the rate of ARP packets on an interface: limits the number of ARP packets to be
processed on an interface. The configuration on an interface does not affect ARP entry
learning on other interfaces.

If the maximum rate and rate limit duration are set both globally and on an interface, the
configuration on the interface takes precedence over the global configuration.

To have the device generate alarms that notify the network administrator of a large number of
discarded excess ARP packets, enable the alarm function. When the number of discarded ARP
packets exceeds the alarm threshold, the device generates an alarm.


NOTE

If the alarm function is enabled, you need to run the arp anti-attack log-trap-timer time command to set the
interval for sending alarms.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 (Optional) Run:
interface interface-type interface-number

The interface view is displayed.

NOTE

If you configure rate limit on ARP packets in the system view, skip this step.

Step 3 Run:
arp anti-attack rate-limit enable

Rate limit on ARP packets is enabled.

By default, rate limit on ARP packets is disabled.

Step 4 Run:
arp anti-attack rate-limit packet-number [ interval-value ]

The maximum rate and rate limit duration of ARP packets are set.

By default, a maximum of 100 ARP packets are allowed to pass in 1 second.

Step 5 (Optional) Run:
arp anti-attack rate-limit alarm enable

The alarm function for ARP packets discarded when the rate of ARP packets exceeds the limit
is enabled.

By default, the alarm function for ARP packets discarded when the rate of ARP packets exceeds
the limit is disabled.

Step 6 (Optional) Run:
arp anti-attack rate-limit alarm threshold threshold

The alarm threshold of ARP packets discarded when the rate of ARP packets exceeds the limit
is set.

By default, the alarm threshold of ARP packets discarded when the rate of ARP packets exceeds
the limit is 100.

----End

9.5.1.4 Configuring Rate Limit on ARP Packets on the VLANIF Interface of a Super-VLAN


Context
A VLANIF interface in a super-VLAN is triggered to learn ARP entries in the following
scenarios:

l The VLANIF interface receives IP packets triggering ARP Miss messages.
l The VLANIF interface is enabled with ARP proxy and receives ARP packets whose
destination IP addresses meet the proxy requirements and match no ARP entry.

The VLANIF interface replicates ARP Request packets in each sub-VLAN when learning ARP
entries. If a large number of sub-VLANs are configured for the super-VLAN, the device
generates a large number of ARP Request packets. As a result, the CPU is busy processing ARP
Request packets, and other services are affected. To prevent this problem, limit the rate of ARP
packets on the VLANIF interface of a super-VLAN.

When the CPU is busy processing packets, set the maximum rate of broadcasting ARP Request
packets to a small value. When the CPU is idle, set the maximum rate of broadcasting ARP
Request packets to a large value to broadcast packets efficiently. You can set the maximum rate
of broadcasting ARP Request packets based on the actual network environment.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
arp speed-limit flood-rate rate

The maximum rate of broadcasting ARP Request packets on VLANIF interfaces of all super-
VLANs is set.

By default, the maximum rate of broadcasting ARP Request packets on VLANIF interfaces in
all super-VLANs is 1000 pps.

----End

9.5.1.5 Configuring Rate Limit on ARP Miss Messages based on the Source IP Address

Context
If the number of ARP Miss messages triggered by IP packets from a source IP address in 1
second exceeds the limit, the device considers that an attack is initiated from the source IP
address.

The administrator can set the maximum number of ARP Miss messages that the device can
process within a specified duration based on the actual network environment, protecting the
system resources and ensuring proper running of other services.


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Configuring rate limit on ARP Miss messages based on the source IP address
l Run:
arp-miss speed-limit source-ip maximum maximum

The maximum rate of ARP Miss messages triggered by IP packets from a source IP address is set.
l Run:
arp-miss speed-limit source-ip ip-address maximum maximum

The maximum rate of ARP Miss messages triggered by IP packets from a specified source
IP address is set.

When the preceding configurations are both performed, the maximum rate set using the arp-
miss speed-limit source-ip ip-address maximum maximum command takes effect on ARP
Miss messages triggered by IP packets from the specified source IP address, and the maximum rate
set using the arp-miss speed-limit source-ip maximum maximum command takes effect on
ARP Miss messages triggered by IP packets from other source IP addresses.

If the maximum rate of ARP Miss messages is set to 0, the rate of ARP Miss messages is not
limited based on the source IP address. By default, the device processes a maximum of 5 ARP
Miss messages triggered by IP packets from the same source IP address in 1 second.

----End

9.5.1.6 Configuring Rate Limit on ARP Miss Messages Globally

Context
If a host sends a large number of IP packets with unresolvable destination IP addresses to attack
a device, that is, if the device has a route to the destination IP address of a packet but has no
ARP entry matching the next hop of the route, the device triggers a large number of ARP Miss
messages. IP packets triggering ARP Miss messages are sent to the master control board for
processing. The device generates a large number of temporary ARP entries and sends many ARP
Request packets to the network, consuming a large number of CPU and bandwidth resources.
To avoid the preceding problems, configure rate limit on ARP Miss messages.
To have the device generate alarms that notify the network administrator of a large number of
discarded excess ARP Miss messages, enable the alarm function. When the number of discarded
ARP Miss messages exceeds the alarm threshold, the device generates an alarm.

NOTE

If the alarm function is enabled, you need to run the arp anti-attack log-trap-timer time command to set the
interval for sending alarms.

Procedure
Step 1 Run:
system-view


The system view is displayed.

Step 2 Run:
arp-miss anti-attack rate-limit enable

Rate limit on ARP Miss messages is enabled.

By default, rate limit on ARP Miss messages is disabled.

Step 3 Run:
arp-miss anti-attack rate-limit packet-number [ interval-value ]

The maximum rate and rate limit duration of ARP Miss messages are set.

By default, the device can process a maximum of 100 ARP Miss messages in 1 second.

Step 4 (Optional) Run:
arp-miss anti-attack rate-limit alarm enable

The alarm function for ARP Miss messages discarded when the rate of ARP Miss messages
exceeds the limit is enabled.

By default, the alarm function is disabled.

Step 5 (Optional) Run:
arp-miss anti-attack rate-limit alarm threshold threshold

The alarm threshold for ARP Miss messages discarded when the rate of ARP Miss messages
exceeds the limit is set.

By default, the alarm threshold is 100.

----End

9.5.1.7 Configuring the Aging Time of Temporary ARP Entries

Context
When IP packets trigger ARP Miss messages, the device generates temporary ARP entries and
sends ARP Request packets to the destination network.
l In the aging time of temporary ARP entries:
  - An IP packet that is received before the ARP Reply packet and matches a temporary
    ARP entry is discarded and triggers no ARP Miss message.
  - After receiving the ARP Reply packet, the device generates a correct ARP entry to
    replace the temporary entry.
l When temporary ARP entries age out, the device clears them. If no ARP entry matches the
IP packets forwarded by the device, ARP Miss messages are triggered again and temporary
ARP entries are regenerated. This process continues.

You can limit the rate of ARP Miss messages by setting the aging time of temporary ARP entries.
When ARP Miss attacks occur on the device, you can extend the aging time of temporary ARP
entries to reduce the frequency of triggering ARP Miss messages so that the impact on the device
is minimized.
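An added simulation (not Huawei's code) of this aging behaviour for next hops that never answer ARP, with the default per-source-IP ARP Miss limit of 5 per second applied as well; the load pattern, addresses and millisecond time base are constructed for the example. Running it with a 1-second and a 5-second aging time shows how a longer aging time lowers the number of ARP Miss messages the same traffic triggers.

```python
from collections import defaultdict


class ArpMissSimulator:
    """Models the 9.5.1.7 behaviour for next hops that never answer ARP.

    An IP packet whose next hop has no ARP entry triggers an ARP Miss message,
    creates a temporary ARP entry that lives for expire_ms milliseconds and
    sends an ARP Request.  A packet that matches a live temporary entry is
    discarded without a new ARP Miss.  ARP Miss messages per source IP are
    also capped per second, as "arp-miss speed-limit source-ip" does
    (default 5).  Time is integer milliseconds so the arithmetic is exact.
    """

    def __init__(self, expire_ms: int, source_ip_limit: int = 5):
        self.expire_ms = expire_ms
        self.source_ip_limit = source_ip_limit
        self.temp_entries = {}                        # next_hop -> expiry (ms)
        self.misses_per_second = defaultdict(int)     # (src_ip, second) -> count
        self.stats = {"arp_miss": 0, "dropped_temp_entry": 0, "dropped_rate_limit": 0}

    def forward(self, now_ms: int, src_ip: str, next_hop: str) -> str:
        expiry = self.temp_entries.get(next_hop)
        if expiry is not None and now_ms < expiry:
            # temporary entry still valid: drop silently, no new ARP Miss
            self.stats["dropped_temp_entry"] += 1
            return "dropped: matches temporary ARP entry"
        bucket = (src_ip, now_ms // 1000)
        if self.misses_per_second[bucket] >= self.source_ip_limit:
            # per-source-IP ARP Miss limit already reached in this second
            self.stats["dropped_rate_limit"] += 1
            return "dropped: ARP Miss rate limit for source IP"
        self.misses_per_second[bucket] += 1
        self.stats["arp_miss"] += 1
        self.temp_entries[next_hop] = now_ms + self.expire_ms
        return "ARP Miss: temporary entry created, ARP Request sent"


def run_scenario(expire_ms: int, seconds: int = 10, pps: int = 20,
                 next_hops: int = 10, src_ip: str = "10.1.1.100") -> dict:
    """Constructed load: one host sends pps packets per second, cycling through
    next_hops unresolvable next hops, for the given number of seconds."""
    sim = ArpMissSimulator(expire_ms)
    for i in range(seconds * pps):
        sim.forward(i * 1000 // pps, src_ip, f"10.2.2.{i % next_hops + 1}")
    return dict(sim.stats)


if __name__ == "__main__":
    # Default aging time (1 second) versus a longer aging time (5 seconds).
    for expire in (1000, 5000):
        print(f"expire-time {expire // 1000}s: {run_scenario(expire)}")
```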


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

The interface type can be Ethernet, GE, Eth-Trunk, or VLANIF.

Step 3 Run:
arp-fake expire-time expire-time

The aging time of temporary ARP entries is set.

By default, the aging time of temporary ARP entries is 1 second.

----End

9.5.1.8 Configuring Strict ARP Learning

Context
If many users send a large number of ARP packets to a device at the same time, or attackers
send bogus ARP packets to the device, the following problems occur:
l Many CPU resources are consumed to process a large number of ARP packets. The device
learns many invalid ARP entries, which exhaust ARP entry resources and prevent the device
from learning ARP entries for ARP packets from authorized users. Consequently,
communication of authorized users is interrupted.
l After receiving bogus ARP packets, the device incorrectly modifies the ARP entries. As a
result, authorized users cannot communicate with each other.

To avoid the preceding problems, configure the strict ARP learning function on the gateway.
With this function, the device learns only ARP entries for ARP Reply packets in response to
ARP Request packets sent by itself. In this way, the device can defend against most ARP attacks.

Strict ARP learning can be configured globally or in the interface view.

l If strict ARP learning is enabled globally, all interfaces on the device learn ARP entries
strictly.
l If strict ARP learning is enabled in the interface view, only the interface learns ARP entries
strictly.

When strict ARP learning is enabled globally and in the interface view simultaneously, the
configuration on the interface takes precedence over the global configuration.


NOTE

When strict ARP learning is enabled globally:
l If you run the arp learning strict force-disable command on a specified interface, strict ARP
learning is forced to be disabled on the interface.
l If you run the arp learning strict trust command on a specified interface, strict ARP learning
configured globally takes effect on the interface.

Procedure
l Configuring strict ARP learning globally
1. Run:
system-view

The system view is displayed.


2. Run:
arp learning strict

Strict ARP learning is enabled globally.


By default, strict ARP learning is disabled.
l Configuring strict ARP learning on the interface
1. Run:
system-view

The system view is displayed.


2. Run:
interface interface-type interface-number

The interface view is displayed.


3. Run:
arp learning strict { force-enable | force-disable | trust }

Strict ARP learning on the interface is configured (force-enable, force-disable, or trust).


By default, strict ARP learning is disabled on the interface.
----End

9.5.1.9 Configuring Interface-based ARP Entry Limit

Context
To prevent ARP entries from being exhausted by ARP attacks from a host connecting to an
interface on the device, set the maximum number of ARP entries that the interface can
dynamically learn. When the number of the ARP entries learned by a specified interface reaches
the maximum number, no dynamic ARP entry can be added.

Procedure
l Configuring ARP entry limiting on the Ethernet interface
1. Run:
system-view


The system view is displayed.


2. Run:
interface interface-type interface-number

The interface view is displayed.


3. Run:
arp-limit vlan vlan-id1 [ to vlan-id2 ] maximum maximum

ARP entry limit on the Ethernet interface is configured.


The interface type can be Ethernet, GE, VE, or Eth-Trunk. These interfaces can work
at Layer 3 or Layer 2. When they work at Layer 3, you cannot configure the VLAN
ID. When they work at Layer 2, you must configure the VLAN ID.
l Configuring ARP entry limit on the VLANIF interface
1. Run:
system-view

The system view is displayed.


2. Run:
interface vlanif interface-number

The VLANIF interface view is displayed.


3. Run:
arp-limit maximum maximum

ARP entry limit on the VLANIF interface is configured.


l Configuring ARP entry limit on the sub-interface
1. Run:
system-view

The system view is displayed.


2. Run:
interface interface-type interface-number [ .subnumber ]

The sub-interface view is displayed.


3. Run:
arp-limit vlan vlan-id1 [ to vlan-id2 ] maximum maximum

ARP entry limit on the sub-interface is configured.


The interface type can be Ethernet, GE, VE, or Eth-Trunk. These interfaces can work
at Layer 3 or Layer 2. When they work at Layer 3, you cannot configure the VLAN
ID. When they work at Layer 2, you must configure the VLAN ID.
----End

9.5.1.10 Checking the Configuration

Procedure
l Run the display arp anti-attack configuration { arp-rate-limit | arpmiss-rate-limit |
arp-speed-limit | arpmiss-speed-limit | entry-check | gateway-duplicate | packet-
check | all } command to check the ARP anti-attack configuration.


l Run the display arp-limit [ interface interface-type interface-number ] [ vlan vlan-id ]
command to check the maximum number of ARP entries that an interface can learn.
l Run the display arp learning strict command to check strict ARP learning globally and
on all interfaces.
----End

9.5.2 Configuring Defense Against ARP Spoofing Attacks


An attacker sends bogus ARP packets to the device or hosts on a network. The device or hosts
then modify their ARP entries, leading to packet forwarding failures.

Pre-configuration Tasks
Before configuring defense against ARP spoofing attacks, complete the following task:
l Connecting interfaces and setting physical parameters for the interfaces to ensure that the
physical status of the interfaces is Up

Configuration Process
Operations in the configuration process can be performed in any sequence as required.

9.5.2.1 Configuring ARP Entry Fixing

Context
To defend against ARP spoofing attacks, configure ARP entry fixing. The fixed-mac,
fixed-all, and send-ack modes are applicable to different scenarios and are mutually exclusive:
l fixed-mac mode: When receiving an ARP packet, the device discards the packet if the
MAC address does not match that in the corresponding ARP entry. If the MAC address in
the ARP packet matches that in the corresponding ARP entry while the interface number
or VLAN ID does not match that in the ARP entry, the device updates the interface number
or VLAN ID in the ARP entry. This mode applies to networks where user MAC addresses
are unchanged but user access locations often change. When a user connects to a different
interface on the device, the device updates interface information in the ARP entry of the
user timely.
l fixed-all mode: When the MAC address, interface number, and VLAN ID of an ARP packet
match those in the corresponding ARP entry, the device updates other information about
the ARP entry. This mode applies to networks where user MAC addresses and user access
locations are fixed.
l send-ack mode: When the device receives an ARP packet with a changed MAC address,
interface number, or VLAN ID, it does not immediately update the corresponding ARP
entry. Instead, the device sends a unicast ARP Request packet to the user with the IP address
mapped to the original MAC address in the ARP entry, and then determines whether to
change the MAC address, VLAN ID, or interface number in the ARP entry depending on
the response from the user. This mode applies to networks where user MAC addresses and
user access locations often change.
You can configure ARP entry fixing globally. If ARP entry fixing is enabled globally, all
interfaces have this function enabled by default.
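The three modes written out as decision logic, added here as an example (not the device's implementation). The hosts, MACs, interface names and the probe function that stands in for the unicast ARP Request of send-ack mode are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class ArpEntry:
    mac: str
    interface: str
    vlan: int


class FixedArpTable:
    """ARP table applying one of the three entry-fixing modes of 9.5.2.1.

    probe(ip, old_mac) models the unicast ARP Request that send-ack mode sends
    to the host currently owning the entry: it returns True when that host still
    answers from old_mac, in which case the entry is kept.
    """

    MODES = ("fixed-mac", "fixed-all", "send-ack")

    def __init__(self, mode: str, probe: Callable[[str, str], bool]):
        if mode not in self.MODES:
            raise ValueError(f"unknown entry-check mode {mode!r}")
        self.mode = mode
        self.probe = probe
        self.entries: Dict[str, ArpEntry] = {}

    def learn(self, ip: str, mac: str, interface: str, vlan: int) -> str:
        """Apply a received ARP packet to the table and return what happened."""
        new = ArpEntry(mac, interface, vlan)
        old = self.entries.get(ip)
        if old is None:
            self.entries[ip] = new            # first learning is always allowed
            return "learned"
        if old == new:
            return "refreshed"                # same binding: aging refresh only
        if self.mode == "fixed-mac":
            if mac != old.mac:
                return "discarded: MAC differs from fixed entry"
            self.entries[ip] = new            # same MAC, user moved port or VLAN
            return "updated interface/VLAN"
        if self.mode == "fixed-all":
            return "discarded: MAC, interface or VLAN differs from fixed entry"
        # send-ack: ask the current owner before trusting the change
        if self.probe(ip, old.mac):
            return "kept: original host answered unicast ARP Request"
        self.entries[ip] = new
        return "updated: original host did not answer"


# Constructed sample network (not from the document): hosts that are alive,
# keyed by IP with the MAC they answer from.
ALIVE_HOSTS = {"192.168.1.10": "0000-bb00-0002"}


def sample_probe(ip: str, mac: str) -> bool:
    return ALIVE_HOSTS.get(ip) == mac


def demo(mode: str) -> list:
    """Feed the same packet sequence through a table in the given mode."""
    table = FixedArpTable(mode, sample_probe)
    packets = [
        ("192.168.1.10", "0000-bb00-0002", "GE0/0/1", 10),   # genuine first learning
        ("192.168.1.10", "0000-cc00-0003", "GE0/0/1", 10),   # bogus packet, other MAC
        ("192.168.1.10", "0000-bb00-0002", "GE0/0/2", 10),   # same MAC, new access port
    ]
    return [table.learn(*p) for p in packets]


if __name__ == "__main__":
    for mode in FixedArpTable.MODES:
        print(mode, demo(mode))
```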


Procedure
Step 1 Configure ARP entry fixing globally
1. Run:
system-view

The system view is displayed.


2. Run:
arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable

ARP entry fixing is enabled.

By default, ARP entry fixing is disabled.

----End

9.5.2.2 Configuring DAI

Context
To prevent man-in-the-middle (MITM) attacks and theft of authorized user information, enable DAI. When a device
receives an ARP packet, it compares the source IP address, source MAC address, VLAN ID,
and interface number of the ARP packet with binding entries. If the ARP packet matches a
binding entry, the device considers the ARP packet valid and allows the packet to pass through.
If the ARP packet matches no binding entry, the device considers the ARP packet invalid and
discards the packet.

You can enable DAI in the interface view or the VLAN view. When DAI is enabled in an
interface view, the device checks all ARP packets received on the interface against binding
entries. When DAI is enabled in the VLAN view, the device checks the ARP packets received
on all interfaces belonging to the VLAN against binding entries.

If you want to receive an alarm when a large number of ARP packets are generated, enable the
alarm function for the ARP packets discarded by DAI. After the alarm function is enabled, the
device will generate an alarm when the number of discarded ARP packets exceeds a specified
threshold.

NOTE

The AR150&200 series does not support DAI.
The AR1200 series does not support DAI.
The 4GE-2S board does not support DAI.
This function is available only for DHCP snooping scenarios. The device enabled with DHCP snooping
generates DHCP snooping binding entries when DHCP users go online. If a user uses a static IP address,
you need to manually configure a static binding entry for the user. For details about the DHCP snooping
configuration, see 10 DHCP Snooping Configuration. For details on how to configure a static binding
entry, see 11.4.1 Configuring a Binding Table.

Procedure
Step 1 Run:
system-view


The system view is displayed.

Step 2 Run:
interface interface-type interface-number
or
vlan vlan-id

The interface view or VLAN view is displayed.

Step 3 Run:
arp anti-attack check user-bind enable

DAI is enabled.

By default, DAI is disabled.

Step 4 (Optional) In the interface view, run:
arp anti-attack check user-bind check-item { ip-address | mac-address | vlan }*

Or in the VLAN view, run:
arp anti-attack check user-bind check-item { ip-address | mac-address | interface }*

Check items for checking of ARP packets based on binding entries are configured.

By default, the check items consist of IP address, MAC address, VLAN ID, and interface number.

To allow some special ARP packets that match only one or two items in binding entries to pass
through, configure the device to check ARP packets according to one or two specified items in
binding entries.

NOTE

Check items configured for ARP packet check based on binding entries do not take effect on hosts that are
configured with static binding entries. These hosts check ARP packets based on all items in static binding
entries.

Step 5 (Optional) In the interface view, run:


arp anti-attack check user-bind alarm enable

The alarm function for ARP packets discarded by DAI is enabled.

By default, the alarm function for ARP packets discarded by DAI is disabled.

NOTICE
This type of alarm is generated for the ARP packets discarded by DAI on interfaces. Therefore,
do not run the arp anti-attack check user-bind enable command in a VLAN and the arp anti-attack
check user-bind alarm enable command on an interface in this VLAN at the same time;
otherwise, the number of ARP packets actually discarded in the VLAN differs from the number
of discarded packets counted on the interface.
Since the default interval for sending ARP alarms is 0 (that is, no ARP alarm is sent), you must
run the arp anti-attack log-trap-timer time command to set a non-zero alarm sending interval
after enabling the alarm for packets discarded by DAI.


Step 6 (Optional) In the interface view, run:


arp anti-attack check user-bind alarm threshold threshold

The alarm threshold of ARP packets discarded by DAI is set.


By default, the threshold on an interface is the same as the threshold set by the arp anti-attack
check user-bind alarm threshold threshold command in the system view. If the alarm
threshold is not set in the system view, the default threshold on the interface is 100.

----End
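The check described in Steps 3 to 6, as an added Python example that is not Huawei's code and not part of this guide: a model of DAI that compares a received ARP packet with a binding table on the configured check items, always compares hosts that have static entries on all four items, counts drops per interface, and raises an alarm only once the drop count exceeds the threshold and a non-zero alarm interval has been set (mirroring the log-trap-timer notice above). The binding entries, interface names, addresses and threshold values are constructed for the example.

```python
"""DAI-style ARP inspection against a binding table (added example, not Huawei's code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

ALL_ITEMS: FrozenSet[str] = frozenset({"ip-address", "mac-address", "vlan", "interface"})
# check-item keyword -> field compared between binding entry and packet
FIELD_OF = {"ip-address": "ip", "mac-address": "mac", "vlan": "vlan", "interface": "interface"}


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping (dynamic) entry or one user-bind static entry."""
    ip: str
    mac: str
    vlan: int
    interface: str
    static: bool = False


@dataclass(frozen=True)
class ArpPacket:
    """The fields DAI compares, already extracted from a received ARP packet."""
    ip: str          # sender IP address in the ARP payload
    mac: str         # sender MAC address in the ARP payload
    vlan: int        # VLAN of the receiving interface
    interface: str   # physical inbound interface


class DaiChecker:
    def __init__(self, bindings: Iterable[Binding], check_items: Iterable[str] = ALL_ITEMS,
                 alarm_threshold: int = 100, alarm_interval: float = 0.0) -> None:
        self.bindings = list(bindings)
        self.check_items = frozenset(check_items)
        if not self.check_items <= ALL_ITEMS:
            raise ValueError(f"unknown check item in {sorted(self.check_items)}")
        self.alarm_threshold = alarm_threshold   # page default on an interface: 100
        self.alarm_interval = alarm_interval     # arp anti-attack log-trap-timer; 0 = no alarms
        self.drop_count: Dict[str, int] = {}     # discarded packets per interface
        self.last_alarm: Dict[str, float] = {}
        self.alarms: List[Tuple[str, int, float]] = []   # (interface, drop count, time)

    @staticmethod
    def _matches(binding: Binding, pkt: ArpPacket, items: FrozenSet[str]) -> bool:
        return all(getattr(binding, FIELD_OF[i]) == getattr(pkt, FIELD_OF[i]) for i in items)

    def permitted(self, pkt: ArpPacket) -> bool:
        """A packet passes if it matches some entry on the items that apply to that entry."""
        for b in self.bindings:
            # static entries are always compared on all four items (NOTE under Step 4)
            items = ALL_ITEMS if b.static else self.check_items
            if self._matches(b, pkt, items):
                return True
        return False

    def inspect(self, pkt: ArpPacket, now: float = 0.0) -> bool:
        """Return True to forward the packet; otherwise count the drop and maybe alarm."""
        if self.permitted(pkt):
            return True
        n = self.drop_count[pkt.interface] = self.drop_count.get(pkt.interface, 0) + 1
        # alarm once the count exceeds the threshold, at most once per alarm interval
        if self.alarm_interval > 0 and n > self.alarm_threshold:
            last = self.last_alarm.get(pkt.interface)
            if last is None or now - last >= self.alarm_interval:
                self.alarms.append((pkt.interface, n, now))
                self.last_alarm[pkt.interface] = now
        return False


if __name__ == "__main__":
    # constructed sample: one dynamic (DHCP snooping) entry and one static entry
    table = [Binding("10.0.0.3", "0002-0002-0002", 10, "Eth2/0/1"),
             Binding("10.0.0.2", "0001-0001-0001", 10, "Eth2/0/3", static=True)]
    dai = DaiChecker(table, alarm_threshold=2, alarm_interval=60)
    for t in range(4):   # an attacker claiming the static host's IP from its own port
        dai.inspect(ArpPacket("10.0.0.2", "000a-000a-000a", 10, "Eth2/0/2"), now=t)
    print(dai.drop_count, dai.alarms)
```

With the default check items a spoofed packet fails on MAC and interface; with only ip-address configured the same packet passes for a dynamic host but still fails for the static host, which is exactly the behaviour the NOTE under Step 4 describes.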

9.5.2.3 Configuring ARP Gateway Anti-Collision

Context
If an attacker sends ARP packets whose source IP address is the IP address of the gateway on
the LAN, hosts in the LAN record the attacker's MAC address as the gateway address in their
ARP entries. As a result, all traffic from the hosts to the gateway is sent to the attacker, who can
intercept user information, and communication of the users is interrupted.
To prevent bogus gateway attacks, enable ARP gateway anti-collision on the gateway. The
gateway considers that a gateway collision occurs when a received ARP packet meets either of
the following conditions:
l The source IP address in the ARP packet is the same as the IP address of the VLANIF
interface matching the physical inbound interface of the packet.
l The source IP address in the ARP packet is the virtual IP address of the inbound interface
but the source MAC address in the ARP packet is not the virtual MAC address of the VRRP
group.
The device generates an ARP anti-collision entry and discards the received packets with the
same source MAC address and VLAN ID in a specified period. This function prevents ARP
packets with the bogus gateway address from being broadcast in a VLAN.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
arp anti-attack gateway-duplicate enable

ARP gateway anti-collision is enabled.


By default, ARP gateway anti-collision is disabled.

----End
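The two collision conditions and the anti-collision entry described above, as an added Python example that is not Huawei's code. The VLANIF addresses, the VRRP virtual MAC 0000-5e00-0101 (the standard VRRP virtual MAC for VRID 1) and the 180-second blocking period (the three minutes stated in FAQ 9.8.1) are assumptions for the example; the packet fields are constructed.

```python
"""ARP gateway anti-collision model (added example, not Huawei's code)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

BLOCK_SECONDS = 180.0  # FAQ 9.8.1: the offending source MAC is blocked for three minutes


@dataclass
class Vlanif:
    vlan: int
    ip: str
    mac: str
    # VRRP groups on this VLANIF: virtual IP -> virtual MAC (assumed 0000-5e00-01xx, xx = VRID)
    vrrp_virtual: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class ArpPacket:
    vlan: int          # VLAN of the physical inbound interface
    sender_ip: str     # source IP address in the ARP payload
    sender_mac: str    # source MAC address in the ARP payload


class GatewayAntiCollision:
    def __init__(self, vlanifs: Iterable[Vlanif], enabled: bool = True) -> None:
        self.vlanifs = {v.vlan: v for v in vlanifs}
        self.enabled = enabled   # arp anti-attack gateway-duplicate enable
        # anti-collision entries: (source MAC, VLAN) -> time at which the block expires
        self.entries: Dict[Tuple[str, int], float] = {}
        self.dropped = 0

    def is_collision(self, pkt: ArpPacket) -> bool:
        vif = self.vlanifs.get(pkt.vlan)
        if vif is None:
            return False   # no VLANIF matches the inbound interface: nothing to collide with
        # condition 1: sender IP equals the address of the VLANIF matching the inbound interface
        if pkt.sender_ip == vif.ip:
            return True
        # condition 2: sender IP is a VRRP virtual IP but the sender MAC is not the virtual MAC
        vmac = vif.vrrp_virtual.get(pkt.sender_ip)
        return vmac is not None and pkt.sender_mac.lower() != vmac.lower()

    def process(self, pkt: ArpPacket, now: float) -> str:
        """Return 'forward', 'drop-collision' (entry created) or 'drop-blocked' (entry hit)."""
        if not self.enabled:
            return "forward"
        key = (pkt.sender_mac.lower(), pkt.vlan)
        expiry = self.entries.get(key)
        if expiry is not None:
            if now < expiry:
                self.dropped += 1
                return "drop-blocked"     # same source MAC and VLAN within the block period
            del self.entries[key]         # block period over
        if self.is_collision(pkt):
            self.entries[key] = now + BLOCK_SECONDS
            self.dropped += 1
            return "drop-collision"
        return "forward"

    def active_entries(self, now: float) -> List[Tuple[str, int, float]]:
        """Roughly what display arp anti-attack gateway-duplicate item lists: MAC, VLAN, seconds left."""
        return [(mac, vlan, exp - now) for (mac, vlan), exp in self.entries.items() if exp > now]


if __name__ == "__main__":
    gw = GatewayAntiCollision([Vlanif(10, "10.0.0.1", "0001-0001-0001",
                                      {"10.0.0.254": "0000-5e00-0101"})])
    print(gw.process(ArpPacket(10, "10.0.0.1", "000a-000a-000a"), now=0.0))
    print(gw.active_entries(now=10.0))
```

Note that the check is scoped to the VLANIF of the inbound VLAN: a packet claiming 10.0.0.1 that arrives in a VLAN with no such VLANIF is not a collision under the conditions listed above.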

9.5.2.4 Configuring Gratuitous ARP Packet Sending

Context
If an attacker forges the gateway address to send ARP packets to other hosts, ARP entries on
the hosts record the incorrect gateway address. As a result, the gateway cannot receive data sent


from the hosts. You can enable gratuitous ARP packet sending on the gateway. Then the gateway
sends gratuitous ARP packets at intervals to update the ARP entries of authorized users so that
the ARP entries contain the correct MAC address of the gateway.

You can configure gratuitous ARP packet sending globally or on a VLANIF interface.
l If gratuitous ARP packet sending is enabled globally, all interfaces have this function
enabled by default.
l If gratuitous ARP packet sending is enabled globally and on a VLANIF interface
simultaneously, the configuration on the VLANIF interface takes precedence over the
global configuration.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 (Optional) Run:
interface vlanif interface-number

The VLANIF interface view is displayed.

NOTE

If you configure gratuitous ARP packet sending in the system view, skip this step.

Step 3 Run:
arp gratuitous-arp send enable

Gratuitous ARP packet sending is enabled.

By default, gratuitous ARP packet sending is disabled.

Step 4 (Optional) Run:
arp gratuitous-arp send interval interval-time

The interval for sending gratuitous ARP packets is set.

By default, the interval for sending gratuitous ARP packets is 90 seconds.

----End

9.5.2.5 Configuring MAC Address Consistency Check in an ARP Packet

Context
This function defends against attacks from bogus ARP packets in which the source and
destination MAC addresses are different from those in the Ethernet frame header.

This function enables the gateway to check the MAC address consistency in an ARP packet
before ARP learning. If the source and destination MAC addresses in an ARP packet are different
from those in the Ethernet frame header, the device discards the packet as an attack. If the source
and destination MAC addresses in an ARP packet are the same as those in the Ethernet frame
header, the device performs ARP learning.


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
arp validate { source-mac | destination-mac }*

MAC address consistency check in an ARP packet is enabled. This function compares the source
and destination MAC addresses in ARP packets with those in the Ethernet frame header.

By default, MAC address consistency check in an ARP packet is disabled.

NOTE

Sub-interfaces do not support the arp validate { source-mac | destination-mac }* command. When receiving
ARP packets, a sub-interface checks MAC address consistency based on the rule configured on the primary
interface.
VLANIF interfaces do not support the arp validate { source-mac | destination-mac }* command. When
receiving ARP packets, a VLANIF interface checks MAC address consistency based on the rule configured on
the member interface.

----End

9.5.2.6 Configuring ARP Packet Validity Check

Context
After receiving an ARP packet, the device checks validity of the ARP packet, including:
l Packet length
l Validity of the source and destination MAC addresses in the ARP packet
l ARP Request type and ARP Reply type
l MAC address length
l IP address length
l Whether the ARP packet is an Ethernet frame
The preceding check items determine whether an ARP packet is valid. A packet whose sender
MAC address in the ARP payload differs from the source MAC address in the Ethernet frame
header is allowed by the ARP protocol but is likely an attack packet.

After ARP packet validity check is enabled, the device checks the source MAC addresses in the
ARP packet and Ethernet frame header, and discards the packets with inconsistent source MAC
addresses.

Procedure
Step 1 Run:


system-view

The system view is displayed.

Step 2 Run:
arp anti-attack packet-check sender-mac

ARP packet validity check is enabled.

By default, ARP packet validity check is disabled.

----End
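One added Python example (not Huawei's code) serving 9.5.2.4, 9.5.2.5 and 9.5.2.6 together: it builds an Ethernet/ARP frame, including the gratuitous ARP announcement a gateway sends, parses it, and runs the validity checks listed above followed by the sender-MAC and target-MAC consistency checks against the Ethernet header. Assumptions: the gratuitous announcement is built as an ARP Request, the destination-MAC check is applied to unicast frames only (a broadcast Request carries no meaningful target MAC), and all addresses are constructed for the example.

```python
"""Build, parse and validate Ethernet/ARP frames (added example, not Huawei's code)."""
import socket
import struct
from dataclasses import dataclass
from typing import Tuple

ETH_P_ARP = 0x0806
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST_MAC = "ffff-ffff-ffff"
ZERO_MAC = "0000-0000-0000"
ETH_HDR_LEN, ARP_LEN = 14, 28


def mac_bytes(mac: str) -> bytes:
    """Accept Huawei 'aabb-ccdd-eeff' or 'aa:bb:cc:dd:ee:ff' notation."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC {mac!r}")
    return raw


def mac_str(raw: bytes) -> str:
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


@dataclass(frozen=True)
class ArpFrame:
    eth_dst: str
    eth_src: str
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def build_arp_frame(eth_src: str, eth_dst: str, op: int, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp


def build_gratuitous_arp(gw_mac: str, gw_ip: str) -> bytes:
    """9.5.2.4: the gateway announces its own IP-to-MAC mapping to the whole VLAN.
    Sender and target IP are both the gateway's address and the frame is broadcast.
    Assumption: sent as an ARP Request (the page does not say Request or Reply)."""
    return build_arp_frame(gw_mac, BROADCAST_MAC, OP_REQUEST, gw_mac, gw_ip, ZERO_MAC, gw_ip)


def parse_arp_frame(frame: bytes) -> ArpFrame:
    if len(frame) < ETH_HDR_LEN + ARP_LEN:
        raise ValueError("short frame")
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not ARP")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("bad ARP header")
    return ArpFrame(mac_str(frame[0:6]), mac_str(frame[6:12]), op,
                    mac_str(frame[22:28]), socket.inet_ntoa(frame[28:32]),
                    mac_str(frame[32:38]), socket.inet_ntoa(frame[38:42]))


def validate_arp_frame(frame: bytes, check_source_mac: bool = True,
                       check_destination_mac: bool = True) -> Tuple[bool, str]:
    """9.5.2.6 validity checks, then the 9.5.2.5 consistency checks against the Ethernet header."""
    if len(frame) < ETH_HDR_LEN + ARP_LEN:
        return False, "packet too short"
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return False, "not an ARP Ethernet frame"
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if htype != HTYPE_ETHERNET or ptype != PTYPE_IPV4:
        return False, "not Ethernet/IPv4 ARP"
    if hlen != 6:
        return False, "bad MAC address length"
    if plen != 4:
        return False, "bad IP address length"
    if op not in (OP_REQUEST, OP_REPLY):
        return False, "not an ARP Request or Reply"
    p = parse_arp_frame(frame)
    # a sender must be a real unicast station: no all-zero and no group (multicast/broadcast) MAC
    for label, mac in (("Ethernet source", p.eth_src), ("ARP sender", p.sender_mac)):
        if mac == ZERO_MAC or mac_bytes(mac)[0] & 1:
            return False, f"invalid {label} MAC {mac}"
    if check_source_mac and p.sender_mac != p.eth_src:
        return False, f"ARP sender MAC {p.sender_mac} != Ethernet source MAC {p.eth_src}"
    # assumption: the destination check applies to unicast frames only; a broadcast Request
    # (including gratuitous ARP) carries no meaningful target MAC
    if check_destination_mac and p.eth_dst != BROADCAST_MAC and p.target_mac != p.eth_dst:
        return False, f"ARP target MAC {p.target_mac} != Ethernet destination MAC {p.eth_dst}"
    return True, "ok"


if __name__ == "__main__":
    announce = build_gratuitous_arp("0001-0001-0001", "8.8.8.4")   # constructed gateway
    print(parse_arp_frame(announce), validate_arp_frame(announce))
```

A frame whose Ethernet source is the attacker's NIC but whose ARP sender MAC is the gateway's is the case the text singles out: it is syntactically valid ARP and passes every validity check, and only the sender-MAC consistency check rejects it.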

9.5.2.7 Configuring Strict ARP Learning

Context
If many users send a large number of ARP packets to a device at the same time, or attackers
send bogus ARP packets to the device, the following problems occur:
l Many CPU resources are consumed to process a large number of ARP packets. The device
learns many invalid ARP entries, which exhaust ARP entry resources and prevent the device
from learning ARP entries for ARP packets from authorized users. Consequently,
communication of authorized users is interrupted.
l After receiving bogus ARP packets, the device incorrectly modifies the ARP entries. As a
result, authorized users cannot communicate with each other.

To avoid the preceding problems, configure the strict ARP learning function on the gateway.
This function indicates that the device learns only ARP entries for ARP Reply packets in
response to ARP Request packets sent by itself. In this way, the device can defend against most
ARP attacks.

Strict ARP learning can be configured globally or in the interface view.

l If strict ARP learning is enabled globally, all interfaces on the device learn ARP entries
strictly.
l If strict ARP learning is enabled in the interface view, only the interface learns ARP entries
strictly.

When strict ARP learning is enabled globally and in the interface view simultaneously, the
configuration on the interface takes precedence over the global configuration.

NOTE

When strict ARP learning is enabled globally:
l If you run the arp learning strict force-disable command on a specified interface, strict ARP
learning is forced to be disabled on the interface.
l If you run the arp learning strict trust command on a specified interface, strict ARP learning
configured globally takes effect on the interface.

Procedure
l Configuring strict ARP learning globally
1. Run:
system-view


The system view is displayed.


2. Run:
arp learning strict

Strict ARP learning is enabled globally.

By default, strict ARP learning is disabled.


l Configuring strict ARP learning on the interface
1. Run:
system-view

The system view is displayed.


2. Run:
interface interface-type interface-number

The interface view is displayed.


3. Run:
arp learning strict { force-enable | force-disable | trust }

Strict ARP learning is configured on the interface: force-enable enables it on the interface
regardless of the global setting, force-disable disables it on the interface regardless of the
global setting, and trust makes the interface follow the global configuration.

By default, strict ARP learning is disabled on the interface.

----End
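Strict ARP learning and the force-enable / force-disable / trust precedence, as an added Python example that is not Huawei's code. It records the ARP Requests the device itself sends and, on a strict interface, accepts only a Reply that answers one of them; the non-strict branch is a simplified model of ordinary ARP learning and is an assumption, as are the addresses, interface names and the choice of trust as the mode of an unconfigured interface.

```python
"""Strict ARP learning model (added example, not Huawei's code)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

OP_REQUEST, OP_REPLY = 1, 2
MODES = ("force-enable", "force-disable", "trust")   # arp learning strict { ... } on an interface


@dataclass(frozen=True)
class ArpPdu:
    op: int
    sender_ip: str
    sender_mac: str
    target_ip: str
    interface: str   # interface the packet arrived on


class ArpLearner:
    def __init__(self, global_strict: bool = False, own_ips: Iterable[str] = ()) -> None:
        self.global_strict = global_strict           # arp learning strict (system view)
        self.own_ips: Set[str] = set(own_ips)
        self.iface_mode: Dict[str, str] = {}
        self.pending: Set[Tuple[str, str]] = set()   # (interface, target IP) of Requests we sent
        self.table: Dict[str, Tuple[str, str]] = {}  # IP -> (MAC, interface)
        self.rejected = 0

    def set_interface_mode(self, interface: str, mode: str) -> None:
        if mode not in MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.iface_mode[interface] = mode

    def strict_on(self, interface: str) -> bool:
        """The interface setting wins; trust follows the global setting.
        Assumption: an interface with no setting behaves like trust."""
        mode = self.iface_mode.get(interface, "trust")
        if mode == "force-enable":
            return True
        if mode == "force-disable":
            return False
        return self.global_strict

    def send_request(self, interface: str, target_ip: str) -> None:
        """Record an ARP Request this device sends so the matching Reply can be recognised."""
        self.pending.add((interface, target_ip))

    def receive(self, pdu: ArpPdu) -> bool:
        """Return True if the packet created or updated an ARP entry."""
        if self.strict_on(pdu.interface):
            # strict: only a Reply that answers a Request this device sent is learned
            key = (pdu.interface, pdu.sender_ip)
            if pdu.op != OP_REPLY or key not in self.pending:
                self.rejected += 1     # unsolicited Reply, gratuitous ARP or any Request
                return False
            self.pending.discard(key)
        else:
            # simplified non-strict learning (assumption): any Reply, plus Requests that are
            # addressed to one of our own IPs or are gratuitous (sender IP == target IP)
            addressed_to_us = pdu.target_ip in self.own_ips or pdu.target_ip == pdu.sender_ip
            if pdu.op == OP_REQUEST and not addressed_to_us:
                return False
        self.table[pdu.sender_ip] = (pdu.sender_mac, pdu.interface)
        return True


if __name__ == "__main__":
    gw = ArpLearner(global_strict=True, own_ips={"8.8.8.4"})      # constructed gateway
    poison = ArpPdu(OP_REPLY, "8.8.8.2", "000a-000a-000a", "8.8.8.4", "Eth2/0/1")
    print(gw.receive(poison), gw.table)          # unsolicited Reply: not learned
    gw.send_request("Eth2/0/1", "8.8.8.2")
    print(gw.receive(ArpPdu(OP_REPLY, "8.8.8.2", "0001-0001-0001", "8.8.8.4", "Eth2/0/1")),
          gw.table)
```

The poisoning attempt in the demo is exactly the second problem the Context describes: an unsolicited Reply that would otherwise overwrite a valid entry. With strict learning it is discarded, while an interface set to force-disable keeps ordinary learning so that, for example, gratuitous ARP from a server segment is still accepted.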

9.5.2.8 Checking the Configuration

Procedure
l Run the display arp anti-attack configuration { arp-rate-limit | arpmiss-rate-limit |
arp-speed-limit | arpmiss-speed-limit | entry-check | gateway-duplicate | packet-check | all }
command to check the ARP anti-attack configuration.
l Run the display arp anti-attack check user-bind interface interface-type interface-number
command to check the configuration of the ARP packet check on an interface.
l Run the display arp learning strict command to check strict ARP learning globally and
on all interfaces.
l Run the display arp anti-attack gateway-duplicate item command to check the anti-
collision entries.

----End

9.6 ARP Security Maintenance


The section describes the ARP security maintenance, including monitoring ARP running status,
clearing statistics on ARP packets, clearing statistics on discarded ARP packets, and configuring
the alarm and log functions for potential ARP attacks.


9.6.1 Monitoring ARP Running Status

Procedure
l Run:
display arp packet statistics

Statistics on ARP packets are displayed.

l Run:
display arp flood statistics

Statistics on ARP Request packets on VLANIF interfaces of all super-VLANs are displayed.

----End

9.6.2 Clearing ARP Security Statistics

Context

NOTICE
ARP security statistics cannot be restored after being cleared. Confirm the action before you use
the command.

To clear ARP security statistics, run the following commands in the user view:

Procedure
l Run:
reset arp packet statistics

Statistics on ARP packets are cleared.

l Run:
reset arp flood statistics

Statistics on ARP Request packets on VLANIF interfaces of all super-VLANs are cleared.

l Run:
reset arp anti-attack statistics check user-bind interface interface-type interface-number

Statistics on ARP packets discarded because they do not match binding entries are cleared.

l Run:
reset arp anti-attack statistics rate-limit { global | interface interface-type interface-number }

Statistics on ARP packets discarded because the number of ARP packets exceeded the rate limit
are cleared.

----End


9.6.3 Configuring the Alarm Function for Potential ARP Attacks

Context
To allow the administrator to learn the ARP running status in real time, identify potential attacks,
and take measures, the device provides the alarm function for potential ARP attacks. This
function records exceptions in ARP operation in real time. To avoid excessive alarms during an
ARP attack, limit the number of alarms by setting a proper interval for sending them.

NOTE
The configuration takes effect only on the following alarms:
l SECE_1.3.6.1.4.1.2011.5.25.165.2.2.2.4 hwARPSDaiDropALarm
l SECE_1.3.6.1.4.1.2011.5.25.165.2.2.2.5 hwARPGlobleSpeedLimitALarm
l SECE_1.3.6.1.4.1.2011.5.25.165.2.2.2.8 hwARPMissGlobleSpeedLimitALarm
l SECE_1.3.6.1.4.1.2011.5.25.165.2.2.2.3 hwARPSPacketCheck
l SECE_1.3.6.1.4.1.2011.5.25.165.2.2.2.1 hwARPSGatewayConflict
l SECE_1.3.6.1.4.1.2011.5.25.165.2.2.2.2 hwARPSEntryCheck

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
arp anti-attack log-trap-timer time

The interval for sending ARP alarms is set.

The default interval for sending alarms is 0, indicating that the device does not send ARP alarms.

----End

9.7 Configuration Examples


This chapter describes configuration examples of ARP security including networking
requirements, configuration roadmap, and configuration procedure.

9.7.1 Example for Configuring ARP Security Functions

Networking Requirements
As shown in Figure 9-8, Router connects to a server using Eth2/0/3 and connects to four users
in VLAN 10 and VLAN 20 using Eth2/0/1 and Eth2/0/2. The following ARP threats exist on
the network:
l Attackers send bogus ARP packets or bogus gratuitous ARP packets to Router. ARP entries
on Router are modified, leading to packet sending and receiving failures.


l Attackers send a large number of IP packets with unresolvable destination IP addresses to
Router, leading to CPU overload.
l User1 sends a large number of ARP packets with fixed MAC addresses but variable source
IP addresses to Router. As a result, ARP entries on Router are exhausted and the CPU is
insufficient to process other services.
l User3 sends a large number of ARP packets with fixed source IP addresses to Router. As
a result, the CPU of Router is insufficient to process other services.
The administrator wants to prevent the preceding ARP flood attacks and provide users with
stable services on a secure network.

Figure 9-8 Networking for configuring ARP security functions
[Figure: Router has three VLANIF interfaces. VLANIF 30 (10.10.10.3/24) on Eth2/0/3 connects to the
Server (10.10.10.2/24) in VLAN 30. VLANIF 10 (8.8.8.4/24) on Eth2/0/1 connects to VLAN 10 with
User1 (8.8.8.2/24, MAC 1-1-1) and User2 (8.8.8.3/24, MAC 2-2-2). VLANIF 20 (9.9.9.4/24) on Eth2/0/2
connects to VLAN 20 with User3 (9.9.9.2/24, MAC 3-3-3) and User4 (9.9.9.3/24, MAC 4-4-4).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure strict ARP learning and ARP entry fixing to prevent ARP entries from being
modified by bogus ARP packets.
2. Configure rate limit on ARP Miss messages based on the source IP address. This function
defends against attacks from ARP Miss messages triggered by a large number of IP packets
with unresolvable IP addresses. At the same time, Router must have the capability to process
a large number of ARP Miss packets from the server to ensure network communication.
3. Configure ARP entry limit and rate limit on ARP packets based on the source MAC address.
These functions defend against ARP flood attacks caused by a large number of ARP packets
with fixed MAC addresses but variable IP addresses and prevent ARP entries from being
exhausted and CPU overload.


4. Configure rate limit on ARP packets based on the source IP address. This function defends
against ARP flood attacks from User3 with a fixed IP address and prevents CPU overload.

Procedure
Step 1 Create VLANs, add interfaces to the VLANs, and configure VLANIF interfaces.

# Create VLAN 10, VLAN 20, and VLAN 30, add Eth2/0/1 to VLAN 10, Eth2/0/2 to VLAN
20, and Eth2/0/3 to VLAN 30.
<Huawei> system-view
[Huawei] vlan batch 10 20 30
[Huawei] interface ethernet 2/0/1
[Huawei-Ethernet2/0/1] port link-type trunk
[Huawei-Ethernet2/0/1] port trunk allow-pass vlan 10
[Huawei-Ethernet2/0/1] quit
[Huawei] interface ethernet 2/0/2
[Huawei-Ethernet2/0/2] port link-type trunk
[Huawei-Ethernet2/0/2] port trunk allow-pass vlan 20
[Huawei-Ethernet2/0/2] quit
[Huawei] interface ethernet 2/0/3
[Huawei-Ethernet2/0/3] port link-type trunk
[Huawei-Ethernet2/0/3] port trunk allow-pass vlan 30
[Huawei-Ethernet2/0/3] quit

# Create VLANIF 10, VLANIF 20, and VLANIF 30, and assign IP addresses to them.
[Huawei] interface vlanif 10
[Huawei-Vlanif10] ip address 8.8.8.4 24
[Huawei-Vlanif10] quit
[Huawei] interface vlanif 20
[Huawei-Vlanif20] ip address 9.9.9.4 24
[Huawei-Vlanif20] quit
[Huawei] interface vlanif 30
[Huawei-Vlanif30] ip address 10.10.10.3 24
[Huawei-Vlanif30] quit

Step 2 Configure strict ARP learning.


[Huawei] arp learning strict

Step 3 Configure ARP entry fixing.

# Set the ARP entry fixing mode to fixed-mac.


[Huawei] arp anti-attack entry-check fixed-mac enable

Step 4 Configure rate limit on ARP Miss messages based on the source IP address.

# Set the maximum rate of ARP Miss messages triggered by the server with the IP address
10.10.10.2 to 40 pps, and set the maximum rate of ARP Miss messages triggered by other hosts
to 20 pps.
[Huawei] arp-miss speed-limit source-ip maximum 20
[Huawei] arp-miss speed-limit source-ip 10.10.10.2 maximum 40

Step 5 Configure interface-based ARP entry limit.

# Configure that Eth2/0/1 can learn a maximum of 20 dynamic ARP entries.


[Huawei] interface ethernet 2/0/1
[Huawei-Ethernet2/0/1] arp-limit vlan 10 maximum 20
[Huawei-Ethernet2/0/1] quit

Step 6 Configure rate limit on ARP packets based on the source MAC address.


# Set the maximum rate of ARP packets from User1 with the source MAC address
0001-0001-0001 to 10 pps.
[Huawei] arp speed-limit source-mac 0001-0001-0001 maximum 10

Step 7 Configure rate limit on ARP packets based on the source IP address.

# Set the maximum rate of ARP packets from User3 with the source IP address 9.9.9.2 to 10
pps.
[Huawei] arp speed-limit source-ip 9.9.9.2 maximum 10

Step 8 Verify the configuration.

# Run the display arp learning strict command to check the global configuration of strict ARP
entry learning.
[Huawei] display arp learning strict
The global configuration:arp learning strict
Interface LearningStrictState
------------------------------------------------------------
------------------------------------------------------------
Total:0
Force-enable:0
Force-disable:0

# Run the display arp-limit command to check the maximum number of ARP entries that the
interface can dynamically learn.
[Huawei] display arp-limit interface ethernet 2/0/1
Interface LimitNum VlanID LearnedNum(Mainboard)
---------------------------------------------------------------------------
Ethernet2/0/1 20 10 0
---------------------------------------------------------------------------
Total:1

# Run the display arp anti-attack configuration all command to check the configuration of
ARP anti-attack.
[Huawei] display arp anti-attack configuration all

ARP anti-attack packet-check function: disable

ARP anti-attack entry-check mode: fixed-mac

ARP gateway-duplicate anti-attack function: disabled

ARP rate-limit configuration:


-------------------------------------------------------------------------------
Global configuration:
Interface configuration:
-------------------------------------------------------------------------------

ARP miss rate-limit configuration:


-------------------------------------------------------------------------------
Global configuration:
-------------------------------------------------------------------------------

ARP speed-limit for source-MAC configuration:


MAC-address suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
0001-0001-0001 10
Others 0
-------------------------------------------------------------------------------
1 specified MAC addresses are configured, spec is 256 items.


ARP speed-limit for source-IP configuration:


IP-address suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
9.9.9.2 10
Others 5
-------------------------------------------------------------------------------
1 specified IP addresses are configured, spec is 256 items.

ARP miss speed-limit for source-IP configuration:


IP-address suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
10.10.10.2 40
Others 20
-------------------------------------------------------------------------------
1 specified IP addresses are configured, spec is 256 items.

# Run the display arp packet statistics command to check statistics on ARP-based packets.
[Huawei] display arp packet statistics
ARP Pkt Received: sum 8678904
ARP Learnt Count: sum 37
ARP Pkt Discard For Limit: sum 146
ARP Pkt Discard For SpeedLimit: sum 40529
ARP Pkt Discard For Proxy Suppress: sum 0
ARP Pkt Discard For Other: sum 8367601

In the preceding command output, the number of ARP packets discarded by Router is displayed,
indicating that the ARP security functions have taken effect.

----End

Configuration File
#
vlan batch 10 20 30
#
arp-miss speed-limit source-ip maximum 20
#
arp learning strict
#
arp-miss speed-limit source-ip 10.10.10.2 maximum 40
arp speed-limit source-ip 9.9.9.2 maximum 10
arp speed-limit source-mac 0001-0001-0001 maximum 10
arp anti-attack entry-check fixed-mac enable
#
interface Vlanif10
ip address 8.8.8.4 255.255.255.0
#
interface Vlanif20
ip address 9.9.9.4 255.255.255.0
#
interface Vlanif30
ip address 10.10.10.3 255.255.255.0
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10
arp-limit vlan 10 maximum 20
#
interface Ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface Ethernet2/0/3


port link-type trunk
port trunk allow-pass vlan 30
#
return

9.7.2 Example for Configuring Defense Against ARP MITM Attacks

Networking Requirements
As shown in Figure 9-9, the users of a department access the Internet through RouterA. Among
the users connected to RouterA, some users obtain IP addresses through DHCP and some users
are allocated static IP addresses. All users are in the same VLAN as the DHCP server. If attackers
initiate MITM attacks, the data of authorized users will leak; therefore, the administrator requires
that RouterA can prevent MITM attacks and record the frequency and range of MITM attacks.

Figure 9-9 Networking diagram for defending against ARP MITM attacks
[Figure: RouterA connects to the Internet and to the DHCP server through Eth2/0/4 in VLAN 10.
UserA (DHCP client) is on Eth2/0/1, UserB (DHCP client, shown as the attacker) is on Eth2/0/2, and
UserC (static address IP 10.0.0.2/24, MAC 1-1-1, VLAN ID 10) is on Eth2/0/3; all users are in VLAN 10.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure DHCP snooping so that RouterA generates address and port binding entries for
dynamic users; binding entries for static users are configured manually. These binding entries
are used for ARP packet validity check.
2. Enable DAI so that RouterA compares the source IP address, source MAC address, VLAN
ID, and interface number of each ARP packet with the binding entries and filters out invalid
packets. This prevents ARP MITM attacks.


3. Enable the alarm function for the ARP packets discarded by DAI so that RouterA collects
statistics on ARP packets matching no binding entry and generates alarms when the number
of discarded ARP packets exceeds the alarm threshold. The administrator learns the
frequency and range of the current ARP MITM attacks based on the alarms and the number
of discarded ARP packets.

Procedure
Step 1 Create a VLAN and add interfaces to the VLAN.

# Create VLAN 10, and add Eth2/0/1, Eth2/0/2, Eth2/0/3, and Eth2/0/4 to VLAN 10.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] vlan batch 10
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] port link-type access
[RouterA-Ethernet2/0/1] port default vlan 10
[RouterA-Ethernet2/0/1] quit
[RouterA] interface ethernet 2/0/2
[RouterA-Ethernet2/0/2] port link-type access
[RouterA-Ethernet2/0/2] port default vlan 10
[RouterA-Ethernet2/0/2] quit
[RouterA] interface ethernet 2/0/3
[RouterA-Ethernet2/0/3] port link-type access
[RouterA-Ethernet2/0/3] port default vlan 10
[RouterA-Ethernet2/0/3] quit
[RouterA] interface ethernet 2/0/4
[RouterA-Ethernet2/0/4] port link-type trunk
[RouterA-Ethernet2/0/4] port trunk allow-pass vlan 10
[RouterA-Ethernet2/0/4] quit

Step 2 Configure DHCP snooping.

# Enable DHCP snooping globally.


[RouterA] dhcp enable
[RouterA] dhcp snooping enable

# Enable DHCP snooping in VLAN 10.


[RouterA] vlan 10
[RouterA-vlan10] dhcp snooping enable
[RouterA-vlan10] quit

# Configure Eth2/0/4 as a trusted interface.


[RouterA] interface ethernet 2/0/4
[RouterA-Ethernet2/0/4] dhcp snooping trusted
[RouterA-Ethernet2/0/4] quit

Step 3 Configure a static binding table.


[RouterA] user-bind static ip-address 10.0.0.2 mac-address 0001-0001-0001
interface ethernet 2/0/3 vlan 10

Step 4 Enable DAI and the packet discarding alarm function.

# Enable DAI and packet discarding alarm function on Eth2/0/1, Eth2/0/2, and Eth2/0/3.
Eth2/0/1 is used as an example. Configurations of other interfaces are similar to the configuration
of Eth2/0/1, and are not mentioned here.
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] arp anti-attack check user-bind enable


[RouterA-Ethernet2/0/1] arp anti-attack check user-bind alarm enable
[RouterA-Ethernet2/0/1] quit

Step 5 Verify the configuration.

# Run the display arp anti-attack check user-bind interface command to check the DAI
configuration on each interface. Eth2/0/1 is used as an example.
[RouterA] display arp anti-attack check user-bind interface ethernet 2/0/1
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
ARP packet drop count = 966

In the preceding command output, the number of discarded ARP packets on Eth2/0/1 is
displayed, indicating that the defense against ARP MITM attacks has taken effect.

By running the display arp anti-attack check user-bind interface command several times on
each interface, the administrator can learn the frequency and range of ARP MITM attacks from
the change in the ARP packet drop count value.

----End

Configuration File
Configuration file of RouterA
#
sysname RouterA
#
vlan batch 10
#
dhcp enable
#
dhcp snooping enable
user-bind static ip-address 10.0.0.2 mac-address 0001-0001-0001 interface Ethernet2/0/3 vlan 10
#
vlan 10
dhcp snooping enable
#
interface Ethernet2/0/1
port link-type access
port default vlan 10
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
#
interface Ethernet2/0/2
port link-type access
port default vlan 10
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
#
interface Ethernet2/0/3
port link-type access
port default vlan 10
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
#
interface Ethernet2/0/4
port link-type trunk
port trunk allow-pass vlan 10
dhcp snooping trusted
#
return


9.8 FAQ

9.8.1 After I Enable ARP Gateway Anti-Collision and Send Gateway Collision ARP Packets from a
MAC Address, Why Can the MAC Address Not Forward Traffic?
After the Address Resolution Protocol (ARP) anti-collision function detects gateway collision
ARP packets, the system prohibits the source media access control (MAC) address from
forwarding packets for three minutes.

9.8.2 After I Send ARP Request Packets with the Same Source IP
Address, Why Do I Sometimes Receive Response Packets Only at
the Rate of 5 Packets Per Second?
By default, AR series routers limit the rate of Address Resolution Protocol (ARP) packets with
the same source IP address to prevent ARP attacks. The default rate limit is 5 packets per second.

9.8.3 How Do I Take Measures to Prevent Internal Network Attacks?
Internal network attacks are attacks launched with Layer 2 protocol packets, and ARP is the
protocol most often used to attack network devices. The following ARP attack defense measures
are commonly used:
l Strict ARP learning: The device learns only the ARP Reply packets in response to the ARP
Request packets sent by itself. Run the arp learning strict command to enable strict ARP
learning.
l ARP gateway anti-collision: If an attacker sends an ARP packet with the source IP address
as the gateway address, ARP entries are modified incorrectly. ARP gateway anti-collision
can solve this problem. Run the arp anti-attack gateway-duplicate enable command to
enable the ARP gateway anti-collision function.
l Sending gratuitous ARP packets: To ensure that packets sent by hosts on the internal
network are forwarded to the gateway or prevent malicious users from intercepting these
packets, the device sends gratuitous ARP packets at intervals to update the gateway address
in ARP entries of the hosts. Run the arp gratuitous-arp send enable command to enable
the device to send gratuitous ARP packets. By default, the device sends gratuitous ARP
packets every 90s.
NOTE

If too many security measures are used, device performance may deteriorate.

9.9 References
This section lists references of ARP Security.

The following table lists the references of this document.


Document    Description                                                            Remarks

RFC826      Ethernet Address Resolution Protocol                                   -

RFC903      Reverse Address Resolution Protocol                                    -

RFC1027     Using ARP to Implement Transparent Subnet Gateways                     -

RFC1042     Standard for the Transmission of IP Datagrams over IEEE 802 Networks   -


10 DHCP Snooping Configuration

About This Chapter

This chapter describes the principle and configuration method of DHCP snooping and provides
configuration examples.

NOTE

The 4GE-2S card does not support DHCP snooping.


The AR150&200 series products do not support DHCP snooping.
The AR1200 series products do not support DHCP snooping.

10.1 Overview
This section describes the definition, background, and functions of DHCP snooping.

10.2 Principles
This section describes the implementation of DHCP snooping.

10.3 Application
This section describes typical applications of DHCP snooping.

10.4 Default Configuration


This section describes the default DHCP snooping configuration, which can be changed
according to network requirements.

10.5 Configuring DHCP Snooping
This section describes DHCP snooping configuration methods.

10.6 Maintaining DHCP Snooping


You can clear DHCP snooping statistics and dynamic binding table or back up the DHCP
snooping binding table.

10.7 Configuration Examples


This section provides several DHCP snooping configuration examples, including network
requirements, configuration roadmap, and configuration procedure.

10.8 Common Configuration Errors


This section describes common faults caused by incorrect DHCP snooping configurations and
provides the troubleshooting procedure.


10.9 FAQ

10.10 References


10.1 Overview
This section describes the definition, background, and functions of DHCP snooping.

Definition
The Dynamic Host Configuration Protocol (DHCP) snooping feature ensures that DHCP clients
obtain IP addresses from authorized DHCP servers and records mappings between IP addresses
and MAC addresses of DHCP clients, preventing DHCP attacks on the network.

Purpose
Some attacks are launched on DHCP (RFC 2131). These attacks include the bogus DHCP server
attack, DHCP server DoS attack, and bogus DHCP message attack.

DHCP snooping acts as a firewall between DHCP clients and the DHCP server to prevent DHCP
attacks on the network, ensuring security for communication services.

Benefits
l The device can defend against DHCP attacks on the network. The DHCP attack defense
capability enhances device reliability and ensures stable network operation.
l Users are provided with more stable services on a more secure network.

10.2 Principles
This section describes the implementation of DHCP snooping.

10.2.1 Basic Principles


DHCP snooping provides the trusted interface and listening functions.

Trusted Interface
DHCP snooping supports the trusted interface and untrusted interfaces to ensure that DHCP
clients obtain IP (Internet Protocol) addresses from an authorized DHCP server.

If a private DHCP server exists on a network, a DHCP client may obtain an incorrect IP address
and network configuration parameters from it, leading to communication failure. The trusted
interface controls the source of DHCP Reply messages to prevent bogus or unauthorized DHCP
servers from assigning IP addresses and other configurations to other DHCP clients.

The trusted interface and untrusted interfaces process DHCP messages as follows:
l The device forwards DHCP Reply messages on the trusted interface.
l The device discards DHCP ACK messages, NAK messages, and Offer messages on
untrusted interfaces.


NOTE

The administrator configures the interface directly or indirectly connected to an authorized DHCP server
as the trusted interface, and other interfaces as untrusted interfaces. This ensures that DHCP clients obtain
IP addresses from authorized DHCP servers.

Listening
DHCP snooping supports the listening function to record mappings between IP addresses and
MAC (Media Access Control) addresses of DHCP clients.

After DHCP snooping is enabled, the device generates a DHCP snooping binding table by
listening to DHCP Request messages and Reply messages. A binding entry contains the MAC
address, IP address, interface number, and VLAN (Virtual Local Area Network) ID of the DHCP
client.

The DHCP snooping binding entries are aged out when the DHCP lease expires, or deleted when
users send DHCP Release packets to release their IP addresses.

The administrator needs to record IP addresses of DHCP clients and identify the mappings
between the IP addresses and MAC addresses of the DHCP clients. The DHCP snooping binding
table helps the administrator conveniently record the mappings.

NOTE

To ensure that the device obtains parameters such as MAC addresses for generating a DHCP snooping
binding table, apply DHCP snooping to Layer 2 access devices or the first DHCP relay agent from the
device to the DHCP server.
The DHCP snooping binding table records the mapping between IP addresses and MAC addresses of DHCP
clients. The device can check DHCP messages against the DHCP snooping binding table to prevent bogus
DHCP message attacks.

10.2.2 Option 82 Supported by DHCP Snooping

Overview
During the traditional dynamic IP address allocation, a DHCP server cannot detect the DHCP
client location based on the received DHCP Request message. As a result, DHCP clients in the
same VLAN have the same right to access network resources. The network administrator cannot
control network access of clients in the same VLAN, which brings challenges to security control.

RFC 3046 defines DHCP Relay Agent Information Option, that is, the Option 82 field, which
records the location of a DHCP client. A DHCP snooping-enabled device or a DHCP relay agent
inserts the Option 82 field to a DHCP Request message to notify the DHCP server of the DHCP
client location. The DHCP server can properly assign an IP address and other configurations to
the DHCP client, ensuring DHCP client security.

The Option 82 field contains two commonly used suboptions: circuit ID and remote ID. The
circuit ID distinguishes VLAN ID and interface number of a client, and the remote ID
distinguishes the MAC address of the client.


NOTE

l As a DHCP relay agent, the device supports the Option 82 field no matter whether DHCP snooping is
enabled on the device. However, as an access device on a Layer 2 network, the device supports the
Option 82 field only after DHCP snooping is enabled.
l The Option 82 field records the location of a DHCP client and is encapsulated in a DHCP Request
message sent to the DHCP server. To deploy different IP addresses or security policies for different
clients, the DHCP server must support the Option 82 field and be configured with IP address assignment
or security policies.
l The Option 82 field is different from parameters recorded in a DHCP snooping binding table. The
device adds the Option 82 field to the DHCP Request message when the DHCP client requests an IP
address. At this time, the client does not have an IP address. A DHCP snooping binding table is
generated based on the DHCP ACK messages replied by the DHCP server. At this time, the client
obtains an IP address.

Implementation
As a DHCP relay agent or an access device on the Layer 2 network, the device supports the
Option 82 field after DHCP snooping is enabled. The device inserts the Option 82 field to a
DHCP Request message in two modes:
l Insert mode: Upon receiving a DHCP Request message without the Option 82 field, the
device inserts the Option 82 field. If the DHCP Request message contains the Option 82
field, the device checks whether the Option 82 field contains the remote ID. If so, the device
retains the Option 82 field; if not, the device inserts the remote ID.
l Rebuild mode: Upon receiving a DHCP Request message without the Option 82 field, the
device inserts the Option 82 field. If the DHCP Request message contains the Option 82
field, the device deletes the original Option 82 field and inserts the Option 82 field set by
the administrator.

The device handles the reply packets from the DHCP server in the same way no matter whether
the Insert or Rebuild method is used.

l The DHCP reply packets contain the Option 82 field:
  - If the DHCP request packets received by the device do not contain the Option 82 field, the
    device deletes the Option 82 field from the DHCP reply packets and forwards the packets
    to the DHCP client.
  - If the DHCP request packets contain the Option 82 field, the device changes the Option 82
    format in the DHCP reply packets into the Option 82 format in the DHCP request
    packets, and then forwards the packets to the DHCP client.
l If the DHCP reply packets do not contain the Option 82 field, the device directly forwards the
  packets.
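The Insert and Rebuild modes and the reply handling described above, as an added Python example. It is not part of this guide or of the router software: it models how a snooping device edits the options area of a DHCP message (the bytes after the magic cookie) and how it strips or restores Option 82 on the reply path. The sub-option codes (circuit ID 1, remote ID 2) follow RFC 3046; the circuit ID and remote ID values, the client identifier, and the exact way the Option 82 value is laid out are constructed assumptions, not the router's byte format.

```python
# Added example: Option 82 (Relay Agent Information, RFC 3046) handling by a
# DHCP snooping device, modelled in Python. Not Huawei code. Works on the DHCP
# options area only (code, length, value ... End), not on a complete frame.
from __future__ import annotations

OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE = 53
OPT_RELAY_AGENT = 82            # Relay Agent Information
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def parse_options(data: bytes) -> list[tuple[int, bytes]]:
    """Decode a DHCP options area into (code, value) pairs; stop at End (255)."""
    opts, i = [], 0
    while i < len(data) and data[i] != OPT_END:
        if data[i] == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts.append((code, value))
        i += 2 + length
    return opts


def build_options(opts: list[tuple[int, bytes]]) -> bytes:
    """Encode (code, value) pairs back to TLV form and terminate with End."""
    out = bytearray()
    for code, value in opts:
        if len(value) > 255:
            raise ValueError("option value too long")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Option 82 value: circuit ID (VLAN/interface) then remote ID (client MAC)."""
    return (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)


def has_remote_id(option82: bytes) -> bool:
    """Walk the sub-options of an Option 82 value looking for the remote ID."""
    i = 0
    while i + 1 < len(option82):
        if option82[i] == SUB_REMOTE_ID:
            return True
        i += 2 + option82[i + 1]
    return False


def insert_mode(request: bytes, circuit_id: bytes, remote_id: bytes) -> bytes:
    """Insert mode: add Option 82 if absent; if present, keep it and add only a
    missing remote ID."""
    opts, seen = [], False
    for code, value in parse_options(request):
        if code == OPT_RELAY_AGENT:
            seen = True
            if not has_remote_id(value):
                value += bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id
        opts.append((code, value))
    if not seen:
        opts.append((OPT_RELAY_AGENT, build_option82(circuit_id, remote_id)))
    return build_options(opts)


def rebuild_mode(request: bytes, circuit_id: bytes, remote_id: bytes) -> bytes:
    """Rebuild mode: drop any client-supplied Option 82 and insert the
    administrator-defined one."""
    opts = [(c, v) for c, v in parse_options(request) if c != OPT_RELAY_AGENT]
    opts.append((OPT_RELAY_AGENT, build_option82(circuit_id, remote_id)))
    return build_options(opts)


def process_reply(reply: bytes, original_request: bytes) -> bytes:
    """Reply handling, identical for both modes: strip Option 82 when the client
    never sent one, otherwise put the client's own Option 82 back; a reply
    without Option 82 is forwarded unchanged."""
    reply_opts = parse_options(reply)
    if all(code != OPT_RELAY_AGENT for code, _ in reply_opts):
        return reply
    client_opt82 = dict(parse_options(original_request)).get(OPT_RELAY_AGENT)
    out = []
    for code, value in reply_opts:
        if code == OPT_RELAY_AGENT:
            if client_opt82 is None:
                continue            # client never sent Option 82: remove it
            value = client_opt82    # restore the client's own Option 82
        out.append((code, value))
    return build_options(out)


# Constructed sample values: a VLAN/port circuit ID and a client-MAC remote ID.
CIRCUIT_ID = b"vlan10:eth2/0/1"
REMOTE_ID = bytes.fromhex("0011223344aa")
# Constructed DHCPREQUEST options: message type 3 plus a client identifier.
REQUEST_PLAIN = build_options([(OPT_MSG_TYPE, b"\x03"), (61, b"\x01" + REMOTE_ID)])
# The same request already carrying a foreign Option 82 with both sub-options.
REQUEST_FOREIGN82 = build_options([(OPT_MSG_TYPE, b"\x03"),
                                   (OPT_RELAY_AGENT, build_option82(b"x", b"y"))])
```

Running `insert_mode` and `rebuild_mode` on `REQUEST_FOREIGN82` shows the difference the text describes: Insert mode leaves the foreign sub-options untouched because a remote ID is already present, while Rebuild mode replaces them with `CIRCUIT_ID` and `REMOTE_ID`.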

10.2.3 Option 18 and Option 37 Fields Supported by DHCPv6 Snooping
The function of the Option 18 and Option 37 fields is similar to that of the Option 82 field. The
device inserts the Option 82 field to a DHCPv4 message, and the Option 18 and Option 37 fields
to a DHCPv6 message to record the DHCPv6 client location.

NOTE

The device supports the Option 18 and Option 37 fields only after DHCPv6 snooping is enabled.


10.3 Application
This section describes typical applications of DHCP snooping.

10.3.1 Defense Against Bogus DHCP Server Attacks


Mechanism
Because DHCP servers and DHCP clients do not authenticate each other, any DHCP server newly
connected to a network can assign IP addresses and other network parameters to DHCP clients. If
the assigned IP addresses and other network parameters are incorrect, errors may occur on the
network.
In Figure 10-1, authorized and unauthorized DHCP servers can receive DHCP Discover
messages broadcast by DHCP clients.

Figure 10-1 DHCP client sending DHCP Discover messages (diagram: the DHCP Discover broadcast from
the DHCP client reaches both the DHCP server behind the Router and the DHCP pseudo server)

If a bogus DHCP server sends a bogus DHCP Reply message with the incorrect gateway address,
Domain Name System (DNS) server address, and IP address to a DHCP client, as shown in
Figure 10-2, the DHCP client cannot obtain the correct IP address and required information.
The authorized user then fails to access the network and user information security is affected.

Figure 10-2 Bogus DHCP server attack (diagram: the DHCP client receives a DHCP reply from the DHCP
pseudo server as well as the DHCP reply from the DHCP server behind the Router)


Solution

To prevent attacks from a bogus DHCP server, configure the trusted interface and untrusted
interfaces on the device.

You can configure the interface directly or indirectly connected to the authorized DHCP server
as the trusted interface and other interfaces as untrusted interfaces. The device then discards
DHCP Reply messages received on untrusted interfaces, preventing bogus DHCP server attacks,
as shown in Figure 10-3.

Figure 10-3 Trusted interface and untrusted interfaces (diagram: DHCP snooping is enabled on the
Router; the interface toward the DHCP server is trusted, the interfaces toward the DHCP pseudo
server and the DHCP client are untrusted; the DHCP Reply from the DHCP pseudo server is discarded
and the DHCP Reply from the DHCP server is forwarded)

10.3.2 Defense Against Bogus DHCP Message Attacks


Mechanism

An authorized DHCP client that has obtained an IP address sends a DHCP Request message or
Release message to extend the lease or to release the IP address. If attackers continuously send
DHCP Request messages to the DHCP server to extend the lease, the IP addresses cannot be
reclaimed or obtained by authorized users. If attackers forge DHCP Release messages of
authorized users to the DHCP server, the authorized users may be disconnected.

Solution

To prevent bogus DHCP message attacks, you can use the DHCP snooping binding table. The
device checks DHCP Request messages and Release messages against binding entries to
determine whether the messages are valid. If a message matches a binding entry, the device
forwards the message; if a message matches no binding entry, the device discards the message.

10.3.3 Defense Against DHCP Server DoS Attacks


Mechanism

In Figure 10-4, if a large number of attackers request IP addresses on Interface1, IP addresses
in the IP address pool are exhausted, which leaves no IP addresses for authorized users.

A DHCP server identifies the MAC address of a client based on the client hardware address
(CHADDR) field in the DHCP Request message. If an attacker continuously applies for IP
addresses by changing the CHADDR field, IP addresses in the address pool on the DHCP server
may be exhausted. As a result, authorized users cannot obtain IP addresses.


Figure 10-4 Defense against DHCP server DoS attacks (diagram: an Attacker and a DHCP Client are
connected to interface1 of the Router, which acts as DHCP Relay toward the DHCP Server)

Solution

To prevent the DHCP server DoS attack, you can set the maximum number of DHCP clients allowed
to access through the device or an interface after enabling DHCP snooping on the device. When
the number of DHCP clients reaches the maximum value, no further DHCP client can obtain an IP
address through the device or interface.

You can enable the device to check whether the MAC address in the Ethernet frame header
matches the CHADDR field in the DHCP message. If the two values match, the message is
forwarded; otherwise, the message is discarded.
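The defences of 10.3.1 to 10.3.3 (trusted interface, binding table check of Request and Release messages, CHADDR check and per-interface client limit), together with the GIADDR check and the discarded-message alarm threshold that the configuration sections of this chapter describe, as one added Python model. It is not Huawei code and does not parse packets: each message is an already-decoded summary, the interface names, VLAN, MAC and IP addresses are constructed, and resetting the alarm counter after a trap is a simplification of behaviour this page does not detail.

```python
# Added example: per-message decisions of a DHCP snooping device, modelled in
# Python. Not Huawei code. Field names follow the DHCP header (chaddr, ciaddr,
# yiaddr, giaddr); interface names and addresses below are constructed.
from __future__ import annotations
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # legitimate only from the trusted interface
ZERO_IP = "0.0.0.0"


@dataclass(frozen=True)
class Msg:
    kind: str               # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE
    ingress: str            # interface the frame arrived on
    vlan: int
    src_mac: str            # Ethernet frame source address
    chaddr: str             # client hardware address inside the DHCP header
    ciaddr: str = ZERO_IP   # client's current address (set when renewing/releasing)
    yiaddr: str = ZERO_IP   # address the server assigns (OFFER/ACK)
    giaddr: str = ZERO_IP   # relay agent address; 0 if no relay touched the message


@dataclass
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str


@dataclass
class Snooper:
    trusted: set[str]                                   # trusted interfaces
    max_clients: dict[str, int] = field(default_factory=dict)  # per-interface cap
    check_chaddr: bool = True        # CHADDR must equal the frame's source MAC
    check_giaddr: bool = True        # GIADDR must be 0 on an access device
    check_user_bind: bool = True     # renew/release must match a binding entry
    alarm_threshold: int = 2         # trap after this many binding-check drops
    bindings: dict[str, Binding] = field(default_factory=dict)   # keyed by MAC
    pending: dict[str, tuple[str, int]] = field(default_factory=dict)
    dropped: int = 0
    user_bind_drops: int = 0
    alarms: int = 0

    def handle(self, m: Msg) -> str:
        """Return "FORWARD" or "DROP:<reason>" and update the snooping state."""
        return self._from_server(m) if m.kind in SERVER_MSGS else self._from_client(m)

    def _drop(self, reason: str) -> str:
        self.dropped += 1
        return f"DROP:{reason}"

    def _from_server(self, m: Msg) -> str:
        # Bogus server defence: Offer/ACK/NAK only from the trusted interface.
        if m.ingress not in self.trusted:
            return self._drop("untrusted-server")
        # Learn the binding from the ACK, using interface/VLAN seen on the request.
        if m.kind == "ACK" and m.yiaddr != ZERO_IP and m.chaddr in self.pending:
            iface, vlan = self.pending.pop(m.chaddr)
            self.bindings[m.chaddr] = Binding(m.yiaddr, m.chaddr, vlan, iface)
        return "FORWARD"

    def _from_client(self, m: Msg) -> str:
        if self.check_chaddr and m.src_mac.lower() != m.chaddr.lower():
            return self._drop("chaddr-mismatch")   # address-pool exhaustion defence
        if self.check_giaddr and m.giaddr != ZERO_IP:
            return self._drop("giaddr-nonzero")    # relayed message on an access port
        bound = self.bindings.get(m.chaddr)
        renewing = m.kind == "REQUEST" and m.ciaddr != ZERO_IP
        if renewing or m.kind == "RELEASE":
            # Bogus message defence: lease extension/release must match a binding.
            if self.check_user_bind and not self._matches(bound, m):
                self.user_bind_drops += 1
                if self.user_bind_drops >= self.alarm_threshold:
                    self.alarms += 1            # trap sent; counter reset (simplified)
                    self.user_bind_drops = 0
                return self._drop("no-binding")
            if m.kind == "RELEASE":
                self.bindings.pop(m.chaddr, None)
                return "FORWARD"
        if bound is None and m.kind in ("DISCOVER", "REQUEST"):
            # Server DoS defence: cap the number of clients per interface.
            limit = self.max_clients.get(m.ingress)
            on_port = sum(1 for b in self.bindings.values() if b.interface == m.ingress)
            if limit is not None and on_port >= limit:
                return self._drop("max-clients")
        if m.kind in ("DISCOVER", "REQUEST"):
            self.pending[m.chaddr] = (m.ingress, m.vlan)
        return "FORWARD"

    @staticmethod
    def _matches(b: Binding | None, m: Msg) -> bool:
        return (b is not None and b.ip == m.ciaddr
                and b.vlan == m.vlan and b.interface == m.ingress)


def run_scenario() -> tuple[list[str], Snooper]:
    """Constructed traffic: eth4 faces the real server, eth1/eth2 face clients."""
    s = Snooper(trusted={"eth4"}, max_clients={"eth1": 1})
    srv = "00:50:00:00:00:01"
    a, b, c, d = ("00:11:22:33:44:aa", "00:11:22:33:44:bb",
                  "00:11:22:33:44:cc", "00:11:22:33:44:dd")
    flow = [
        Msg("DISCOVER", "eth1", 10, a, a),
        Msg("OFFER", "eth4", 10, srv, a, yiaddr="10.0.0.5"),
        Msg("OFFER", "eth2", 10, b, a, yiaddr="10.0.0.99"),     # rogue server
        Msg("REQUEST", "eth1", 10, a, a),
        Msg("ACK", "eth4", 10, srv, a, yiaddr="10.0.0.5"),      # binding learned
        Msg("RELEASE", "eth2", 10, b, a, ciaddr="10.0.0.5"),    # forged CHADDR
        Msg("RELEASE", "eth2", 10, a, a, ciaddr="10.0.0.5"),    # wrong interface
        Msg("REQUEST", "eth1", 10, a, a, ciaddr="10.0.0.77"),   # wrong address
        Msg("REQUEST", "eth1", 10, c, c, giaddr="192.0.2.1"),   # non-zero GIADDR
        Msg("DISCOVER", "eth1", 10, d, d),                      # over the cap
        Msg("RELEASE", "eth1", 10, a, a, ciaddr="10.0.0.5"),    # genuine release
    ]
    return [s.handle(m) for m in flow], s
```

`run_scenario()` returns one decision per message; the two `no-binding` drops reach the (deliberately low) threshold of 2 and produce one alarm, and the genuine Release at the end removes the binding that the ACK created.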

10.3.4 Typical Application of the Option 82 Field


The DHCP Relay Agent Information Option (Option 82) field records the location of a DHCP
client. A DHCP snooping-enabled device or a DHCP relay agent inserts the Option 82 field to
a DHCP Request message to notify the DHCP server of the DHCP client location. Based on the
Option 82 field, the DHCP server can properly assign an IP address and other configurations to
the DHCP client, ensuring DHCP client security.


Option 82 Networking

Figure 10-5 Networking diagram of the Option 82 field (diagram: DHCP client1 is connected to
Interface1 in VLAN10 of RouterA, which runs DHCP snooping; DHCP client2 also connects to RouterA
and DHCP client3 to RouterB; RouterC acts as DHCP relay toward the DHCP server)

In Figure 10-5, the clients obtain IP addresses using DHCP. To improve network security, the
administrator configures the device to control network access of clients connected to Interface1.

The DHCP server cannot detect the DHCP client location only based on the DHCP Request
message. As a result, users in the same VLAN have the same right to access network resources.

To address this problem, the administrator can enable the Option 82 field after DHCP snooping
is enabled on RouterA. Upon receiving a DHCP Request message to apply for an IP address,
RouterA inserts the Option 82 field to the message to notify the DHCP server of the DHCP client
location, including the MAC address, VLAN ID, and interface number of the client. The DHCP
server can properly assign an IP address and other configurations to the client based on the IP
address assignment or security policies on the server.
NOTE

The Option 82 field records the location of a DHCP client and is encapsulated in a DHCP Request message
sent to the DHCP server. To deploy different IP addresses or security policies for different clients, the
DHCP server must support the Option 82 field and be configured with IP address assignment or security
policies.

10.4 Default Configuration


This section describes the default DHCP snooping configuration, which can be changed
according to network requirements.

Table 10-1 lists the default DHCP snooping configuration.

Table 10-1 Default DHCP snooping configuration

Parameter                                                                 Default Setting

DHCP snooping globally and on an interface                                Disabled

Interface status                                                          Untrusted

Location transition for DHCP snooping users                               Enabled

Association between DHCP snooping and ARP                                 Disabled

Option 82                                                                 Disabled

Checking DHCP messages against the DHCP snooping binding table            Disabled

Checking whether the CHADDR field matches the source MAC address in the
header of a DHCP Request message                                          Disabled

Checking whether the GIADDR field in a DHCP Request message is 0          Disabled

10.5 Configuring DHCP Snooping


This section describes DHCP snooping configuration methods.
NOTE

The AR150&200 series and AR1200 series do not support the following functions:
l DHCPv6 Snooping
l Configuring an interface as the trusted interface
l Clearing MAC address entries after users go offline
l Detecting user locations through LDRA
l Adding Option 18 or Option 37 field to DHCPv6 packets
l Backing Up DHCP Snooping Binding Entries

10.5.1 Configuring Basic Functions of DHCP Snooping


DHCP snooping enables DHCP clients to obtain IP addresses from authorized servers and
records mappings between IP addresses and MAC addresses of DHCP clients to generate the
binding table.
NOTE

DHCPv6 snooping also supports the first two of the following topics.

10.5.1.1 Enabling DHCP Snooping

Context
Before configuring DHCP snooping security functions, you need to enable DHCP snooping.
You must enable DHCP snooping in the system view, and then on an interface or in a VLAN
(Virtual Local Area Network).


NOTE

Enable DHCP globally using the dhcp enable command before enabling DHCP snooping.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp snooping enable

DHCP snooping is globally enabled.

By default, DHCP snooping is globally disabled on the device.

Step 3 Enable DHCP snooping on an interface or in a VLAN.


1. Run:
vlan vlan-id

The VLAN view is displayed.

Or run:
interface interface-type interface-number

The interface view is displayed.


2. Run:
dhcp snooping enable

DHCP snooping is enabled on the interface or in a VLAN.

If you run this command in the VLAN view, the command takes effect on all the DHCP
messages in the specified VLAN received by all the interfaces on the device.

By default, DHCP snooping is disabled on the device.

NOTE

Running the dhcp snooping enable vlan { vlan-id1 [ to vlan-id2 ] }&<1-10> command in the system
view is equivalent to running the dhcp snooping enable command in the VLAN view.
If a single VLAN ID for dot1q encapsulation on a sub-interface is configured using the dot1q
termination vid command, DHCP snooping cannot be enabled in the specified VLAN.

----End

10.5.1.2 Configuring an Interface as the Trusted Interface

Context
To enable DHCP clients to obtain IP addresses from authorized DHCP servers, you need to
configure the interface directly or indirectly connected to a DHCP server trusted by the
administrator as the trusted interface, and other interfaces as untrusted interfaces.
l DHCP Reply messages are forwarded on the trusted interface.


l The device discards DHCP ACK messages, NAK messages, and Offer messages on
untrusted interfaces.
This prevents bogus DHCP servers from assigning IP addresses to DHCP clients.

After enabling DHCP snooping on the interface or in the VLAN connected to the users, configure
the interface connected to the DHCP server as the trusted interface, so that the dynamic DHCP
snooping binding table can be generated.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Configure the interface as the trusted interface in the interface view or VLAN view.
l In the interface view:
1. Run:
interface interface-type interface-number

The interface view is displayed.


2. Run:
dhcp snooping trusted

The interface is configured as the trusted interface.

By default, an interface is an untrusted interface.


l In the VLAN view:
1. Run:
vlan vlan-id

The VLAN view is displayed.


2. Run:
dhcp snooping trusted interface interface-type interface-number

The interface is configured as the trusted interface.

By default, an interface is an untrusted interface.

NOTE

If you run this command in the VLAN view, the command takes effect only on DHCP messages in
this VLAN received from interfaces that belong to this VLAN.

----End

10.5.1.3 (Optional) Enabling Location Transition for a DHCP Snooping User

Context
In mobile applications, if a user goes online from interfaceA and then switches to interfaceB,
you need to enable location transition for DHCP snooping users.


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp snooping user-transfer enable

Location transition is enabled for DHCP snooping users.

By default, location transition is enabled for DHCP snooping users.

----End

10.5.1.4 (Optional) Configuring Association Between ARP and DHCP Snooping

Context
When a DHCP snooping-enabled device receives a DHCP Release message sent from a DHCP
client, the device deletes the binding entry of the DHCP client. However, if a client is
disconnected without sending a DHCP Release message, the device cannot immediately delete
the binding entry of the DHCP client.

After association between ARP and DHCP snooping is enabled, when the ARP entry mapping
an IP address ages, the DHCP snooping-enabled device detects the IP address by performing
ARP probe. If the DHCP client is not detected after a specified number of probes, the device
deletes the ARP entry. The device then detects the IP address again by performing ARP probe.
If the DHCP client still cannot be detected after a specified number of probes, the device deletes
the binding entry of the DHCP client.

NOTE

The device supports association between ARP and DHCP snooping only when the device functions as a DHCP
relay agent.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
arp dhcp-snooping-detect enable

Association between ARP and DHCP snooping is enabled.

By default, association between ARP and DHCP snooping is disabled.

----End


10.5.1.5 (Optional) Configuring the Device to Clear the MAC Address Entry
Immediately When the User Is Disconnected

Context
If a DHCP client is disconnected but its MAC address entry is not aged, the device forwards the
message whose destination address is the IP address of the DHCP client based on the dynamic
MAC address entries. This deteriorates device performance.
The DHCP client sends a DHCP Release message when it is disconnected. Upon receiving the
message, the device immediately deletes the DHCP snooping binding entry of the DHCP client.
You can enable the device to delete the mapping MAC address entry when a dynamic DHCP
snooping binding entry is deleted.

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dhcp snooping user-offline remove mac-address command to enable the device to
delete the MAC address entry of a DHCP client when the dynamic binding entry is deleted.
By default, the device does not delete the MAC address entry of a DHCP client when the dynamic
binding entry is deleted.

----End

10.5.1.6 (Optional) Configuring the Device to Discard DHCP Request Messages with Non-0 GIADDR Field

Context
The GIADDR field in a DHCP Request message records the IP address of the first DHCP relay
agent that the DHCP Request message passes through. If the DHCP server and client are on
different network segments, the first DHCP relay agent fills its own IP address in the GIADDR
field before forwarding the DHCP Request message. The DHCP server then locates the DHCP
client and selects an appropriate address pool to assign an IP address to the client.
To ensure that the device obtains parameters such as MAC addresses for generating a binding
table, apply DHCP snooping to Layer 2 access devices or the first DHCP relay agent. Therefore,
the GIADDR field in the DHCP Request messages received by the DHCP snooping-enabled
device is 0. If the GIADDR field is not 0, the message is unauthorized and then discarded.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Enable the device to check whether the GIADDR field in the DHCP Request message is 0 in
the VLAN view or interface view.
1. Run:
vlan vlan-id


The VLAN view is displayed.

Or run:
interface interface-type interface-number

The interface view is displayed.


2. Run:
dhcp snooping check dhcp-giaddr enable

The device is enabled to check whether the GIADDR field in a DHCP Request message is
0.

By default, the device does not check whether the GIADDR field in a DHCP Request
message is 0.

NOTE

If you run this command in the VLAN view, the command takes effect on all the DHCP messages
in the specified VLAN received by all the interfaces on the device. If you run this command in the
interface view, the command takes effect on all the DHCP messages received by the specified
interface.

----End

10.5.1.7 Checking the Configuration

Context
You can check the DHCP snooping configuration after the configuration is complete.

Procedure
l Run the display dhcp snooping [ interface interface-type interface-number | vlan vlan-
id ] command to view DHCP snooping running information.
l Run the display dhcp snooping configuration [ vlan vlan-id | interface interface-type
interface-number ] command to view the DHCP snooping configuration.
l Run the display dhcp snooping user-bind { { interface interface-type interface-number
| ip-address ip-address | mac-address mac-address | vlan vlan-id } * | all } [ verbose ]
command to check the DHCP snooping binding table.
l Run the display dhcpv6 snooping user-bind { { interface interface-type interface-
number | ipv6-address ipv6-address | mac-address mac-address | vlan vlan-id }* | all }
[ verbose ] command to check the DHCPv6 snooping binding table.

----End

10.5.2 Configuring DHCP Snooping Attack Defense


After basic DHCP snooping functions are configured, DHCP clients can obtain IP addresses
from the authorized DHCP server, preventing bogus DHCP server attacks on the network.
However, many other DHCP attacks exist on the network. The administrator can configure
DHCP snooping attack defense on the device as required.


NOTE

In this chapter, the function in Configuring Defense Against Bogus DHCP Message Attacks and the
function in step 2 of Configuring Defense Against DHCP Server DoS Attacks are also applicable to
DHCPv6 snooping.

Prerequisites
Basic DHCP snooping functions have been completely configured.

10.5.2.1 Configuring Defense Against Bogus DHCP Server Attacks

Context
After DHCP snooping is enabled and an interface is configured as the trusted interface, the device
enables DHCP clients to obtain IP addresses from the authorized DHCP server, preventing bogus
DHCP server attacks. However, the location of the bogus DHCP server cannot be detected,
which brings security risks on the network.

After detection of DHCP servers is enabled, the DHCP snooping-enabled device checks and
records information about the DHCP server, such as the IP address and port number, in the
DHCP Reply messages in the log. The network administrator identifies whether bogus DHCP
servers exist on the network based on logs.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp server detect

Detection of DHCP servers is enabled.

By default, detection of DHCP servers is disabled.

----End

10.5.2.2 Configuring Defense Against Bogus DHCP Message Attacks

Context
If an attacker sends a bogus DHCP Request message to the DHCP server to extend the lease,
the IP address cannot be released after the lease expires and authorized users cannot use the IP
address. If the attacker forges a DHCP Release message of an authorized user and sends it to
the DHCP server, the authorized user may be disconnected.

After a DHCP snooping binding table is generated, the device checks DHCP Request and Release
messages against the binding table. Only DHCP messages that match entries are forwarded. This
prevents unauthorized users from sending bogus DHCP Request messages or Release messages
to extend the lease or to release IP addresses.


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 You can enable the device to check the DHCP messages against the binding table in the VLAN
view or interface view.
1. Run:
vlan vlan-id

The VLAN view is displayed.

Or run:
interface interface-type interface-number

The interface view is displayed.


2. Run:
dhcp snooping check user-bind enable

The device is enabled to check DHCP messages against the DHCP snooping binding table.

By default, the device does not check DHCP messages against the DHCP snooping binding
table.

NOTE

If you run this command in the VLAN view, the command takes effect on all the DHCP messages
in the specified VLAN received by all the interfaces on the device.
3. Run:
quit

Return to the system view.

Step 3 Enable the trap function for DHCP snooping in the interface view.
1. Run:
interface interface-type interface-number

The interface view is displayed.


2. Run:
dhcp snooping alarm user-bind enable

An alarm is generated when the number of DHCP messages discarded because they do not
match DHCP snooping binding entries reaches the threshold.

By default, the trap function for discarded DHCP messages is disabled.


3. Run:
quit

Return to the system view.

Step 4 (Optional) Set the alarm threshold for the number of messages discarded by DHCP snooping in
the system view or interface view.
l In the system view:

1. Run:
dhcp snooping alarm threshold threshold

The alarm threshold for the number of discarded messages by DHCP snooping is set.

If you run this command in the system view, the command takes effect on all the interfaces
of the device.

By default, the alarm threshold for the number of messages discarded by DHCP snooping
is 100.
l In the interface view:
1. Run:
interface interface-type interface-number

The interface view is displayed.


2. Run:
dhcp snooping alarm user-bind threshold threshold

The alarm threshold for the number of messages discarded because they do not match the
DHCP snooping binding entries is set.

By default, an alarm is generated in the system when at least 100 DHCP snooping messages
are discarded, and the alarm threshold on an interface is set using the dhcp snooping alarm
threshold command in the system view.

NOTE

If the alarm threshold is set in the system view and interface view, the smaller value takes effect.

----End

10.5.2.3 Configuring Defense Against DHCP Server DoS Attacks

Context
Malicious use of IP addresses exhausts IP addresses in the IP address pool, which leaves no IP
address for authorized users. The DHCP server generally identifies the MAC address of a DHCP
client based on the CHADDR (client hardware address) field in the DHCP Request message. If
attackers continuously apply for IP addresses by changing the CHADDR field, IP addresses in
the address pool on the DHCP server may be exhausted. As a result, authorized users cannot
obtain IP addresses.

To prevent malicious IP address application, you can set the maximum number of DHCP
snooping binding entries to be learned on an interface. When the number of DHCP snooping
binding entries reaches the maximum value, no DHCP client can obtain an IP address through
the interface. To prevent attackers from continuously changing the CHADDR field in the DHCP
Request message, you can enable the device to check whether the MAC address in the Ethernet
frame header matches the CHADDR field in the DHCP message. If the two values match, the
message is forwarded; if the two values do not match, the message is discarded.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Set the maximum number of DHCP snooping binding entries to be learned by an interface in
the VLAN view, or interface view.
1. Run:
vlan vlan-id

The VLAN view is displayed.

Or run:
interface interface-type interface-number

The interface view is displayed.


2. Run:
dhcp snooping max-user-number max-number

The maximum number of DHCP snooping binding entries is set on the interface.

If you run this command in the VLAN view, the command takes effect for all the interfaces
in the VLAN.

By default, a maximum of 1024 DHCP snooping binding entries can be learned on an
interface.

Step 3 Enable the device to check the CHADDR field in the message in the VLAN view or interface
view.
1. Run:
vlan vlan-id

The VLAN view is displayed.

Or run:
interface interface-type interface-number

The interface view is displayed.


2. Run:
dhcp snooping check mac-address enable

The device is enabled to check whether the MAC address in the Ethernet frame header
matches the CHADDR field in the DHCP message.

By default, the device does not check whether the MAC address in the Ethernet frame
header matches the CHADDR field in the DHCP message.

NOTE

If you run this command in the VLAN view, the command takes effect on all the DHCP messages
in the specified VLAN received by all the interfaces on the device.
3. Run:
quit

Return to the system view.

Step 4 (Optional) Set the alarm threshold for the number of messages discarded by DHCP snooping in
the system view or interface view.

l In the system view:
1. Run:
dhcp snooping alarm threshold threshold

The global alarm threshold for the number of discarded messages by DHCP snooping is
set.

If you run this command in the system view, the command takes effect for all the interfaces
on the device.

By default, the global alarm threshold for the number of messages discarded by DHCP
snooping is 100.
l In the interface view:
1. Run:
interface interface-type interface-number

The interface view is displayed.


2. Run:
dhcp snooping alarm mac-address threshold threshold

The alarm threshold for the number of DHCP messages discarded because the CHADDR
field in the DHCP messages does not match the source MAC address in the Ethernet frame
header is set.

By default, an alarm is generated in the system when at least 100 DHCP snooping messages
are discarded, and the alarm threshold on an interface is set using the dhcp snooping alarm
threshold command in the system view.

NOTE

If the alarm threshold is set in the system view and interface view, the smaller value takes effect.

----End
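
The checks described in 10.5.2.2 and 10.5.2.3 (binding-table check of Request and Release
messages, the CHADDR check, the max-user-number limit, and the discard alarm threshold with
its system/interface precedence), modelled in Python as an added example. This is not Huawei
code: the interface names, MAC and IP addresses, binding entries, and the rule that only Request
messages carrying a client IP address are checked against the binding table are assumptions made
for the example.

```python
"""Model of the DHCP snooping attack-defense checks from 10.5.2.2 and 10.5.2.3.

Added example, not Huawei code: it simulates how a DHCP snooping device
decides whether to forward or discard a DHCP message received on an
untrusted interface.  Message fields, binding entries and interface names
are constructed for the example; a real device works on raw frames.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding entry (MAC, IP, VLAN, interface)."""
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass
class DhcpMessage:
    kind: str        # "DISCOVER", "REQUEST" or "RELEASE"
    eth_src: str     # source MAC address in the Ethernet frame header
    chaddr: str      # CHADDR field inside the DHCP message
    ciaddr: str      # client IP address; "0.0.0.0" for a first-time request
    vlan: int
    interface: str


class SnoopingDevice:
    def __init__(self, system_threshold=100):
        self.bindings = set()
        self.check_user_bind = set()   # interfaces with "dhcp snooping check user-bind enable"
        self.check_mac = set()         # interfaces with "dhcp snooping check mac-address enable"
        self.max_user = {}             # "dhcp snooping max-user-number" per interface
        self.iface_threshold = {}      # "dhcp snooping alarm ... threshold" per interface
        self.system_threshold = system_threshold  # "dhcp snooping alarm threshold" (default 100)
        self.discarded = {}            # discarded-message counter per interface
        self.alarms = []

    def threshold(self, interface):
        """System and interface thresholds both set: the smaller value takes effect."""
        t = self.iface_threshold.get(interface)
        return self.system_threshold if t is None else min(t, self.system_threshold)

    def _discard(self, msg, reason):
        n = self.discarded.get(msg.interface, 0) + 1
        self.discarded[msg.interface] = n
        if n == self.threshold(msg.interface):
            self.alarms.append("%s: %d DHCP messages discarded" % (msg.interface, n))
        return (False, reason)

    def process(self, msg):
        """Return (forwarded?, reason) for one message from an untrusted interface."""
        # CHADDR check: the Ethernet source MAC must equal the CHADDR field.
        if msg.interface in self.check_mac and msg.eth_src.lower() != msg.chaddr.lower():
            return self._discard(msg, "chaddr does not match source MAC")
        # Binding-table check for Request (lease renewal) and Release messages.
        # Assumption: only messages carrying a client IP are checked; a first-time
        # Request has no binding entry yet.
        if (msg.interface in self.check_user_bind
                and msg.kind in ("REQUEST", "RELEASE") and msg.ciaddr != "0.0.0.0"):
            wanted = Binding(msg.chaddr.lower(), msg.ciaddr, msg.vlan, msg.interface)
            if wanted not in self.bindings:
                return self._discard(msg, "no matching binding entry")
        # max-user-number: once the interface holds that many entries, no new
        # client can obtain an address through it (default limit 1024).
        if msg.kind == "DISCOVER":
            limit = self.max_user.get(msg.interface, 1024)
            current = sum(1 for b in self.bindings if b.interface == msg.interface)
            if current >= limit:
                return self._discard(msg, "max-user-number reached")
        return (True, "forwarded")


def demo():
    """Constructed scenario: one bound client on Eth2/0/0 with all checks on."""
    dev = SnoopingDevice(system_threshold=100)
    dev.check_user_bind.add("Eth2/0/0")
    dev.check_mac.add("Eth2/0/0")
    dev.max_user["Eth2/0/0"] = 1
    dev.iface_threshold["Eth2/0/0"] = 2
    client = "00:01:00:02:00:03"
    dev.bindings.add(Binding(client, "10.1.1.5", 10, "Eth2/0/0"))
    results = [
        # Authorized client releases its own lease: matches the binding entry.
        dev.process(DhcpMessage("RELEASE", client, client, "10.1.1.5", 10, "Eth2/0/0")),
        # Forged Release for 10.1.1.5 from another MAC: no binding entry.
        dev.process(DhcpMessage("RELEASE", "00:aa:00:aa:00:aa", "00:aa:00:aa:00:aa",
                                "10.1.1.5", 10, "Eth2/0/0")),
        # CHADDR rotated while the frame keeps its real source MAC.
        dev.process(DhcpMessage("DISCOVER", "00:aa:00:aa:00:aa", "00:bb:00:bb:00:bb",
                                "0.0.0.0", 10, "Eth2/0/0")),
        # Consistent new client, but the interface is at max-user-number.
        dev.process(DhcpMessage("DISCOVER", "00:cc:00:cc:00:cc", "00:cc:00:cc:00:cc",
                                "0.0.0.0", 10, "Eth2/0/0")),
        # Same forged Release on an interface with no checks enabled.
        dev.process(DhcpMessage("RELEASE", "00:aa:00:aa:00:aa", "00:aa:00:aa:00:aa",
                                "10.1.1.5", 10, "Eth2/0/1")),
    ]
    return dev, results
```

Running demo() forwards only the first and last messages; the interface threshold of 2 raises
one alarm at the second discard, while the interface with no checks forwards the forged Release,
which is why the checks must be enabled on every user-side interface.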

10.5.2.4 Checking the Configuration

Context
After DHCP snooping attack defense is completely configured, you can check configured
parameters.

Procedure
l Run the display dhcp snooping [ interface interface-type interface-number | vlan vlan-id ]
command to view DHCP snooping running information.
l Run the display dhcp snooping configuration [ vlan vlan-id | interface interface-type
interface-number ] command to view the DHCP snooping configuration.

----End

10.5.3 Inserting the Option 82 Field to a DHCP Message


You can configure a device to insert the Option 82 field to a DHCP message to notify the DHCP
server of the DHCP client location.

Context
The Option 82 field records the location of a DHCP client. A device inserts the Option 82 field
to a DHCP Request message to notify the DHCP server of the DHCP client location. The DHCP
server can assign an IP address and other configurations to the DHCP client, ensuring DHCP
client security.

NOTE

DHCP Option 82 must be configured on the user side of a device; otherwise, the DHCP message sent to the
DHCP server will not carry Option 82.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 You can configure the device to insert the Option 82 field to a DHCP message in the interface
view or VLAN view. If the configuration is performed in the VLAN view, it takes effect for all
the DHCP messages from this VLAN received by the interface. If the configuration is performed
in the interface view, it takes effect only for the specified interface.

VLAN view:
1. Run the vlan vlan-id command to enter the VLAN view.
2. Run the dhcp option82 { insert | rebuild } enable command to enable the device to
insert the Option 82 field to a DHCP message. By default, the device is disabled from
inserting the Option 82 field to a DHCP message.
3. Run the quit command to return to the system view.

Interface view:
1. Run the interface interface-type interface-number command to enter the interface view.
2. Run the dhcp option82 { insert | rebuild } enable command to enable the device to
insert the Option 82 field to a DHCP message. By default, the device is disabled from
inserting the Option 82 field to a DHCP message.
3. Run the quit command to return to the system view.

Step 3 (Optional) You can configure the format of the Option 82 field in the system view or interface
view. If the configuration is performed in the system view, the configuration takes effect for all
interfaces on the device. If the configuration is performed in the interface view, the configuration
takes effect only for the specified interface.

System view:
1. Run the dhcp option82 [ circuit-id | remote-id ] format { default | common | extend |
user-defined text } command to configure the format of the Option 82 field in a DHCP
message. By default, the format of the Option 82 field in a DHCP message is default.

Interface view:
1. Run the interface interface-type interface-number command to enter the interface view.
2. Run the dhcp option82 [ vlan vlanid ] [ circuit-id | remote-id ] format { default |
common | extend | user-defined text } command to configure the format of the Option 82
field in a DHCP message. By default, the format of the Option 82 field in a DHCP message
is default.

----End

Checking the Configuration


l Run the display dhcp option82 configuration [ vlan vlan-id | interface interface-type
interface-number ] command to view the DHCP Option 82 configuration.
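
How a relay or snooping device builds and inserts the Option 82 field (10.5.3), and how a DHCP
Reply can be logged for DHCP server detection (10.5.2.1), shown in Python as an added example
rather than Huawei code. It follows the option layouts of RFC 2132 and RFC 3046 (both listed in
10.10); the circuit-id and remote-id strings, the authorized-server set, the sample messages, and
the insert/rebuild semantics spelled out in the code comment are assumptions, and the device's
default, common and extend formats are not reproduced.

```python
"""DHCPv4 option handling for Option 82 insertion (10.5.3) and DHCP server
detection (10.5.2.1), as an added Python example; this is not Huawei code.

Option values are RFC 2132 TLVs; Option 82 carries RFC 3046 sub-options
(1 = circuit-id, 2 = remote-id).  The circuit-id and remote-id strings, the
authorized-server set and the sample messages are constructed for the
example; the device's real "default", "common" and "extend" formats are not
reproduced here.
"""

OPT_MSG_TYPE, OPT_SERVER_ID, OPT_RELAY_AGENT, OPT_END = 53, 54, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
REPLY_TYPES = {2, 5, 6}   # DHCPOFFER, DHCPACK, DHCPNAK


def parse_options(data):
    """Decode a DHCP options field into an ordered list of (code, value)."""
    opts, i = [], 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == 0:                       # pad octet, no length field
            i += 1
            continue
        length = data[i + 1]
        opts.append((code, bytes(data[i + 2:i + 2 + length])))
        i += 2 + length
    return opts


def encode_options(opts):
    """Encode (code, value) pairs as TLVs and terminate with the End option."""
    out = bytearray()
    for code, value in opts:
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def build_option82(circuit_id, remote_id):
    """RFC 3046 payload: circuit-id and remote-id sub-option TLVs."""
    return (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)


def parse_option82(value):
    """Split an Option 82 value into {sub-option code: bytes}."""
    subs, i = {}, 0
    while i < len(value):
        code, length = value[i], value[i + 1]
        subs[code] = value[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def relay_insert(options, circuit_id, remote_id, mode="insert"):
    """Apply the 'insert' or 'rebuild' keyword to a client Request's options.

    Assumed semantics (the page does not define the keywords): 'insert' keeps
    an Option 82 already present in the message, 'rebuild' replaces it with
    the device's own; both add it when it is absent.
    """
    opts = parse_options(options)
    if mode == "insert" and any(code == OPT_RELAY_AGENT for code, _ in opts):
        return bytes(options)
    opts = [(c, v) for c, v in opts if c != OPT_RELAY_AGENT]
    opts.append((OPT_RELAY_AGENT, build_option82(circuit_id, remote_id)))
    return encode_options(opts)


def detect_server(reply_options, src_ip, src_port, authorized):
    """Log entry for a DHCP Reply seen by the snooping device, or None.

    Records the server identifier (option 54) together with the IP/UDP
    source the reply arrived from.  Comparing against an authorized set is
    an addition for the example; the device only records, and the
    administrator reads the logs.
    """
    opts = dict(parse_options(reply_options))
    if opts.get(OPT_MSG_TYPE, b"\x00")[0] not in REPLY_TYPES:
        return None                          # not a server-to-client message
    sid = opts.get(OPT_SERVER_ID)
    server_ip = ".".join(str(b) for b in sid) if sid else src_ip
    return {"server": server_ip, "src_ip": src_ip, "port": src_port,
            "bogus": server_ip not in authorized}
```

A DHCP Reply whose option 54 names a server outside the authorized set is the event the
administrator is looking for in the logs described in 10.5.2.1; the UDP source port is recorded
with it because the page lists the port number among the logged fields.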

10.5.4 Inserting the Option 18 or Option 37 Field to a DHCPv6 Message
You can configure a device to insert the Option 18 or Option 37 field to a DHCPv6 message to
notify the DHCP server of the DHCPv6 client location.

Context
The function of the Option 18 and Option 37 fields in a DHCPv6 message is similar to that of
the Option 82 field in a DHCPv4 message. The Option 18 field contains the port number of a
client and the Option 37 field contains the MAC address of the client. A device inserts the Option
18 or Option 37 field to a DHCPv6 Request message to notify the DHCP server of the DHCPv6
client location. The DHCP server can assign an IP address and other configurations to the
DHCPv6 client, ensuring DHCP client security.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
dhcpv6 { option18 | option37 } { insert | rebuild } enable

The device is enabled to insert the Option 18 or Option 37 field to a DHCPv6 Request message.

By default, the device is disabled from inserting the Option 18 or Option 37 field to a DHCPv6
message.

----End

10.6 Maintaining DHCP Snooping


You can clear DHCP snooping statistics and the dynamic binding table, or back up the DHCP
snooping binding table.

10.6.1 Clearing DHCP Snooping Statistics

Context

NOTICE
The cleared statistics cannot be restored. Exercise caution when you run the command.

Procedure
l Run the reset dhcp snooping statistics global command in the user view to clear statistics
on globally discarded DHCP messages.
l Run the reset dhcp snooping statistics interface interface-type interface-number
[ vlan vlan-id ] command in the user view to clear statistics on discarded DHCP messages on
an interface.
l Run the reset dhcp snooping statistics vlan vlan-id [ interface interface-type
interface-number ] command in the user view to clear statistics on discarded DHCP messages
in a VLAN.

----End

10.6.2 Clearing Dynamic DHCP Snooping Binding Entries

Context
After the networking environment changes, DHCP snooping binding entries do not age
immediately. The following information in DHCP snooping binding entries may change, causing
packet forwarding failure:
l VLAN to which a DHCP client belongs
l Interface to which a DHCP client is connected
Before changing the networking environment, clear all DHCP snooping binding entries
manually so that the device generates a new DHCP snooping binding table according to the new
networking environment.

NOTICE
After dynamic DHCP snooping binding entries are cleared, all the DHCP users connected to the
device need to re-log in. Exercise caution when you run the command.

Procedure
l Run the reset dhcp snooping user-bind [ [ vlan vlan-id | interface interface-type
interface-number ] * | ip-address ip-address | ipv6-address ipv6-address ] command in the
user view to clear dynamic DHCP snooping binding entries.

----End

10.6.3 Backing Up DHCP Snooping Binding Entries


Context
If binding entries are not backed up, the binding entries will be lost after the device restarts.
DHCP users must log in again so that the device can generate DHCP snooping binding entries
for DHCP users to communicate. After DHCP snooping binding entries are backed up, DHCP
snooping binding entries can be restored after the device restarts.
After the device is enabled to back up dynamic DHCP snooping binding entries, the system
backs up dynamic DHCP binding entries every two days.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp snooping user-bind autosave file-name

The device is enabled to back up dynamic DHCP snooping binding entries.


By default, local automatic backup of the DHCP snooping binding table is disabled.

----End

10.7 Configuration Examples


This section provides several DHCP snooping configuration examples, including network
requirements, configuration roadmap, and configuration procedure.

10.7.1 Example for Configuring DHCP Snooping Attack Defense


Networking Requirements
In Figure 10-6, RouterA and RouterB are access devices, and RouterC is a DHCP relay agent.
Client1 and Client2 are connected to RouterA through Eth2/0/0 and Eth2/0/1 respectively.
Client3 is connected to RouterB through Eth2/0/0. Client1 and Client3 obtain IP addresses using
DHCP, while Client2 uses the static IP address. Attacks from unauthorized users prevent
authorized users from obtaining IP addresses. The administrator needs to enable the device to
defend against DHCP attacks on the network and provide better services to DHCP clients.

Figure 10-6 Networking diagram for configuring DHCP snooping attack defense
[Diagram not reproduced. Labels in the figure: DHCP Client1; Client2 (static, IP:10.1.1.1/24,
MAC:0001-0002-0003); RouterA; RouterB; RouterC (DHCP Relay); DHCP Server; interfaces
Eth2/0/0, Eth2/0/1 and Eth2/0/2 on each router, connected as described in the text.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping.
2. Configure an interface as the trusted interface to ensure that DHCP clients obtain IP
addresses from the authorized server.
3. Enable association between ARP and DHCP snooping to enable the device to update the
binding entries when a DHCP user is disconnected.
4. Enable the device to check DHCP messages against the binding table to prevent bogus
DHCP message attacks.
5. Set the maximum number of access DHCP clients and enable the device to check whether
the MAC address in the Ethernet frame header matches the CHADDR field in the DHCP
message to prevent DHCP server DoS attacks.

Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.
<Huawei> system-view
[Huawei] sysname RouterC
[RouterC] dhcp enable
[RouterC] dhcp snooping enable

# Enable DHCP snooping on the user-side interface. Eth2/0/0 is used as an example. The
configuration on Eth2/0/1 is the same as the configuration on Eth2/0/0 and is not mentioned
here.

[RouterC] interface ethernet 2/0/0
[RouterC-Ethernet2/0/0] dhcp snooping enable
[RouterC-Ethernet2/0/0] quit

Step 2 Configure the interface connected to the DHCP server as the trusted interface.
[RouterC] interface ethernet 2/0/2
[RouterC-Ethernet2/0/2] dhcp snooping trusted
[RouterC-Ethernet2/0/2] quit

Step 3 Enable association between ARP and DHCP snooping.
[RouterC] arp dhcp-snooping-detect enable

Step 4 Enable the device to check DHCP messages against the DHCP snooping binding table.

# Configure the user-side interface. Eth2/0/0 is used as an example. The configuration on
Eth2/0/1 is the same as the configuration on Eth2/0/0 and is not mentioned here.
[RouterC] interface ethernet 2/0/0
[RouterC-Ethernet2/0/0] dhcp snooping check user-bind enable
[RouterC-Ethernet2/0/0] quit

Step 5 Enable the device to check whether the GIADDR field in a DHCP Request message is 0.

# Configure the user-side interface. Eth2/0/0 is used as an example. The configuration on
Eth2/0/1 is the same as the configuration on Eth2/0/0 and is not mentioned here.
[RouterC] interface ethernet 2/0/0
[RouterC-Ethernet2/0/0] dhcp snooping check dhcp-giaddr enable
[RouterC-Ethernet2/0/0] quit

Step 6 Set the maximum number of access users allowed on the interface and enable the device to check
the CHADDR field.

# Configure the user-side interface. Eth2/0/0 is used as an example. The configuration on
Eth2/0/1 is the same as the configuration on Eth2/0/0 and is not mentioned here.
[RouterC] interface ethernet 2/0/0
[RouterC-Ethernet2/0/0] dhcp snooping max-user-number 20
[RouterC-Ethernet2/0/0] dhcp snooping check mac-address enable
[RouterC-Ethernet2/0/0] quit

Step 7 Configure the trap function for the number of discarded messages and the rate limit.

# Enable the trap function for discarding messages and set the alarm threshold. Eth2/0/0 is used
as an example. The configuration on Eth2/0/1 is the same as the configuration on Eth2/0/0 and
is not mentioned here.
[RouterC] interface ethernet 2/0/0
[RouterC-Ethernet2/0/0] dhcp snooping alarm mac-address enable
[RouterC-Ethernet2/0/0] dhcp snooping alarm user-bind enable
[RouterC-Ethernet2/0/0] dhcp snooping alarm untrust-reply enable
[RouterC-Ethernet2/0/0] dhcp snooping alarm mac-address threshold 120
[RouterC-Ethernet2/0/0] dhcp snooping alarm user-bind threshold 120
[RouterC-Ethernet2/0/0] dhcp snooping alarm untrust-reply threshold 120
[RouterC-Ethernet2/0/0] quit

Step 8 Verify the configuration.

# Run the display dhcp snooping configuration command to view the DHCP snooping
configuration.
[RouterC] display dhcp snooping configuration
#
dhcp snooping enable
arp dhcp-snooping-detect enable
#
interface Ethernet2/0/0
dhcp snooping enable
dhcp snooping check dhcp-giaddr enable
dhcp snooping check user-bind enable
dhcp snooping alarm user-bind enable
dhcp snooping alarm user-bind threshold 120
dhcp snooping check mac-address enable
dhcp snooping alarm mac-address enable
dhcp snooping alarm mac-address threshold 120
dhcp snooping alarm untrust-reply enable
dhcp snooping alarm untrust-reply threshold 120
dhcp snooping max-user-number 20
#
interface Ethernet2/0/1
dhcp snooping enable
dhcp snooping check dhcp-giaddr enable
dhcp snooping check user-bind enable
dhcp snooping alarm user-bind enable
dhcp snooping alarm user-bind threshold 120
dhcp snooping check mac-address enable
dhcp snooping alarm mac-address enable
dhcp snooping alarm mac-address threshold 120
dhcp snooping alarm untrust-reply enable
dhcp snooping alarm untrust-reply threshold 120
dhcp snooping max-user-number 20
#
interface Ethernet2/0/2
dhcp snooping trusted
#

# Run the display dhcp snooping interface command to view DHCP snooping information on
an interface.

[RouterC] display dhcp snooping interface ethernet 2/0/0
DHCP snooping running information for interface Ethernet2/0/0 :
DHCP snooping : Enable
Trusted interface : No
Dhcp user max number : 20
Current dhcp user number : 0
Check dhcp-giaddr : Enable
Check dhcp-chaddr : Enable
Alarm dhcp-chaddr : Enable
Alarm dhcp-chaddr threshold : 120
Discarded dhcp packets for check chaddr : 0
Check dhcp-request : Enable
Alarm dhcp-request : Enable
Alarm dhcp-request threshold : 120
Discarded dhcp packets for check request : 0
Alarm dhcp-reply : Enable
Alarm dhcp-reply threshold : 120
Discarded dhcp packets for check reply : 0
[RouterC] display dhcp snooping interface ethernet 2/0/2
DHCP snooping running information for interface Ethernet2/0/2 :
DHCP snooping : Disable (default)
Trusted interface : Yes
Dhcp user max number : 512 (default)
Current dhcp user number : 0
Check dhcp-giaddr : Disable (default)
Check dhcp-chaddr : Disable (default)
Alarm dhcp-chaddr : Disable (default)
Check dhcp-request : Disable (default)
Alarm dhcp-request : Disable (default)
Alarm dhcp-reply : Disable (default)

----End

Configuration Files
# Configuration file of RouterC

#
sysname RouterC
#
dhcp enable
#
dhcp snooping enable
arp dhcp-snooping-detect enable
#
interface Ethernet2/0/0
dhcp snooping enable
dhcp snooping check dhcp-giaddr enable
dhcp snooping check user-bind enable
dhcp snooping alarm user-bind enable
dhcp snooping alarm user-bind threshold 120
dhcp snooping check mac-address enable
dhcp snooping alarm mac-address enable
dhcp snooping alarm mac-address threshold 120
dhcp snooping alarm untrust-reply enable
dhcp snooping alarm untrust-reply threshold 120
dhcp snooping max-user-number 20
#
interface Ethernet2/0/1
dhcp snooping enable
dhcp snooping check user-bind enable
dhcp snooping alarm user-bind enable
dhcp snooping alarm user-bind threshold 120
dhcp snooping check mac-address enable
dhcp snooping alarm mac-address enable
dhcp snooping alarm mac-address threshold 120
dhcp snooping alarm untrust-reply enable
dhcp snooping alarm untrust-reply threshold 120
dhcp snooping max-user-number 20
#
interface Ethernet2/0/2
dhcp snooping trusted
#
return

10.8 Common Configuration Errors


This section describes common faults caused by incorrect DHCP snooping configurations and
provides the troubleshooting procedure.

10.8.1 DHCP Clients Cannot Go Online Due to DHCP Snooping

Fault Description
The possible causes are as follows:
l The network-side interface connected to the DHCP server is not configured as the trusted
interface.
l The number of DHCP clients connected to the user-side interface reaches the maximum
value.

Procedure
Step 1 Check whether the trusted interface is correctly configured.
1. Run the display dhcp snooping configuration command to check in which VLANs and
on which interfaces DHCP snooping is enabled and whether "dhcp snooping trusted" is
displayed on the network-side interface.
NOTE

After DHCP snooping is enabled on an interface, the interface is an untrusted interface by default.
When receiving messages from the network-side interfaces, the device processes only the DHCP
Reply messages received on the trusted interface and discards those on untrusted interfaces. When
receiving messages from user-side interfaces, the device forwards the messages only to the trusted
interface.
2. Check whether the network-side interface connected to the DHCP server is the trusted
interface. If it is not, run the dhcp snooping trusted command in the VLAN view or
interface view to configure the interface as the trusted interface.
Step 2 If the interface is correctly configured, check whether the number of access DHCP clients reaches
the threshold.
1. Run the display dhcp snooping configuration command to check whether "DHCP user
max number: XX" is displayed globally, in the VLAN or on the user-side interface.
NOTE

If "DHCP user max number: XX" is not displayed, the default maximum number of DHCP clients
is 512. The configured value takes preference.
If you set the maximum value in the system view, VLAN view, and the interface view, the smallest
value takes effect.
2. Run the display dhcp snooping user-bind all command to view the number of dynamic
DHCP snooping entries on the DHCP snooping-enabled interface. If the number of entries
on the interface reaches the maximum value, new DHCP clients cannot access the network.

----End

10.9 FAQ

10.9.1 Can a Router Provide DHCP Snooping Function Without Using a LAN Card?
No. The DHCP snooping function can only be provided by a LAN card.
To restrict source MAC addresses without a LAN card installed, the router can use a Layer 2 ACL.
However, a Layer 2 ACL is not a replacement for DHCP snooping.

10.10 References
For more information about DHCP snooping, see the following documents.

Document No.   Description
RFC 3046       DHCP Relay Agent Information Option
RFC 2132       DHCP Options and BOOTP Vendor Extensions

11 IPSG Configuration

About This Chapter

You can configure IPSG to enable an interface to filter and control forwarded packets, preventing
invalid packets.

NOTE

The AR150&200 series products do not support IPSG.
The AR1200 series products do not support IPSG.

11.1 Overview
This section describes the definition, background, and functions of IPSG.

11.2 Configuration Notes


This section describes the precautions for IP source guard configuration.

11.3 Default Configuration


This section describes the IPSG default configuration, which can be changed according to
network requirements.

11.4 Configuring IPSG


IPSG enables the device to check the received IP packets against the binding entries, preventing
network attacks based on source IP address spoofing.

11.5 Configuration Examples


This section provides several IPSG configuration examples, including networking requirements
and configuration roadmap.

11.1 Overview
This section describes the definition, background, and functions of IPSG.

Definition
IP Source Guard (IPSG) defends against source address spoofing attacks.

Some network attacks use spoofed source IP addresses to access and use network resources,
steal users' information, or block authorized users from accessing the network. IPSG can
prevent such source address spoofing attacks.

Purpose
IPSG enables the device to check IP packets against dynamic and static DHCP entries. Before
the device forwards an IP packet, it compares the source IP address, source MAC address,
interface, and VLAN information in the IP packet with entries in the binding table. If an entry
is matched, the device treats the IP packet as valid and forwards it. Otherwise, the device
treats the IP packet as an attack packet and discards it.

As shown in Figure 11-1, an attacker sends bogus packets to modify the outbound interface in
the MAC address table on the Router. Then replies are sent from the server to the attacker.

Figure 11-1 IP/MAC address spoofing attack
[Diagram not reproduced. Labels in the figure: DHCP server (IP:1.1.1.1/24, MAC:1-1-1); Router;
DHCP client (IP:1.1.1.3/24, MAC:3-3-3); Attacker (IP:1.1.1.2/24, MAC:2-2-2) sending packets
toward the Router that carry the client's IP:1.1.1.3/24 and MAC:3-3-3.]

To prevent these attacks, you can configure IPSG on the Router to check incoming IP packets
against the binding entries. IP packets that match the binding entries are forwarded, and IP
packets that do not match the binding entries are discarded.

11.2 Configuration Notes


This section describes the precautions for IP source guard configuration.

NOTE

AR150&200 series does not support IPSG.
AR1200 series does not support IPSG.
The 4GE-2S board does not support IPSG.

IPSG enables the device to check IP packets against the binding entries. The check items are
the source IP address, source MAC address, VLAN ID, and interface number. The device
supports IPSG checks on the following combinations of items:

In the interface view:


l Interface and IP address
l Interface and MAC address
l Interface, IP address, and MAC address
l Interface, IP address, and VLAN ID
l Interface, MAC address, and VLAN ID
l Interface, IP address, MAC address, and VLAN ID

NOTE

An IPSG-enabled device checks only IP packets against the binding table. The device does not check other
types of packets, such as Point-to-Point Protocol over Ethernet (PPPoE) packets.

In the VLAN view:


l VLAN ID and IP address
l VLAN ID and MAC address
l VLAN ID, IP address, and MAC address
l VLAN ID, IP address, and interface
l VLAN ID, MAC address, and interface
l VLAN ID, IP address, MAC address, and interface
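
The IPSG packet check of 11.1 and the check-item combinations of 11.2, modelled in Python as an
added example (not Huawei code). The binding entry, VLAN ID and interface names are constructed;
the IP and MAC values follow Figure 11-1. The example also shows the consequence of leaving the
interface out of the check items in the VLAN view, a combination the lists above allow: a packet
that forges both the client's IP and MAC address then matches the entry from another port.

```python
"""IPSG packet check against a binding table, as an added Python example
(not Huawei code).  It models 11.1 and 11.2: an incoming IP packet is
compared with the binding entries on the configured check items, and a
packet that matches no entry is discarded.  Addresses, VLAN IDs and
interface names below are constructed; the IP/MAC values follow Figure 11-1.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    vlan: int
    interface: str
    is_ip: bool = True   # IPSG checks only IP packets (PPPoE etc. pass untouched)


# Default check items from Table 11-1; the view's own key (interface or VLAN)
# is always part of the match, as every combination in 11.2 includes it.
DEFAULT_ITEMS = {"interface": ("ip", "mac", "vlan"),
                 "vlan": ("ip", "mac", "interface")}
ALL_ITEMS = {"ip", "mac", "vlan", "interface"}
FIELDS = {"ip": ("src_ip", "ip"), "mac": ("src_mac", "mac"),
          "vlan": ("vlan", "vlan"), "interface": ("interface", "interface")}


def ipsg_check(packet, bindings, view, items=None):
    """Return True if the packet is forwarded, False if IPSG discards it."""
    if not packet.is_ip:
        return True                      # non-IP traffic is not checked
    if view not in DEFAULT_ITEMS:
        raise ValueError("view must be 'interface' or 'vlan'")
    items = set(DEFAULT_ITEMS[view] if items is None else items) | {view}
    if not items <= ALL_ITEMS or len(items) < 2:
        raise ValueError("unsupported check-item combination")
    for entry in bindings:
        if all(getattr(packet, FIELDS[i][0]) == getattr(entry, FIELDS[i][1])
               for i in items):
            return True                  # matches a binding entry: forward
    return False                         # no entry matches: discard


def demo():
    """Scenario of Figure 11-1: the attacker forges the client's IP and MAC."""
    bindings = {Binding("1.1.1.3", "3-3-3", 10, "Eth2/0/1")}   # DHCP client's entry
    legit = Packet("1.1.1.3", "3-3-3", 10, "Eth2/0/1")
    spoof_ip = Packet("1.1.1.3", "2-2-2", 10, "Eth2/0/2")       # attacker keeps own MAC
    spoof_both = Packet("1.1.1.3", "3-3-3", 10, "Eth2/0/2")     # attacker forges IP and MAC
    pppoe = Packet("0.0.0.0", "2-2-2", 10, "Eth2/0/2", is_ip=False)
    return {
        "legit": ipsg_check(legit, bindings, "interface"),
        "spoof_ip": ipsg_check(spoof_ip, bindings, "interface"),
        "spoof_both_iface": ipsg_check(spoof_both, bindings, "interface"),
        # VLAN view with only IP and MAC as items: the forged packet matches,
        # which is why the interface should stay among the check items.
        "spoof_both_vlan_ip_mac": ipsg_check(spoof_both, bindings, "vlan", ("ip", "mac")),
        "spoof_both_vlan_default": ipsg_check(spoof_both, bindings, "vlan"),
        "pppoe": ipsg_check(pppoe, bindings, "interface"),
    }
```

With the default check items of Table 11-1 the forged packet is discarded in both views because
the attacker's port differs from the bound one; dropping the interface from the VLAN-view items
lets it through, so the reduced combinations should be used only where the port is already
constrained by other means.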

11.3 Default Configuration


This section describes the IPSG default configuration, which can be changed according to
network requirements.

Table 11-1 describes IPSG default configurations.

Table 11-1 IPSG default configuration

Parameter                                    Default Value
IP packet check in the VLAN view             Disabled
IP packet check in the interface view        Disabled
IP packet check items in the VLAN view       Source IP address, source MAC address, and interface
IP packet check items in the interface view  Source IP address, source MAC address, and VLAN ID

11.4 Configuring IPSG


IPSG enables the device to check the received IP packets against the binding entries, preventing
network attacks based on source IP address spoofing.

Pre-configuration Tasks
Before configuring IPSG, complete the following task:
l Configuring an IP address for the interface to ensure that the link protocol is in the Up state.

Configuration Procedure
To configure IPSG, you must configure a binding table and enable IP packet check. All other
configuration tasks are optional and are not listed in sequence. You can configure them as
required.

11.4.1 Configuring a Binding Table

Context
IPSG enables the device to check IP packets against the binding table, including dynamic and
static entries.

If user IP addresses are dynamically allocated by DHCP, a dynamic binding table is generated
after DHCP snooping is enabled. If user IP addresses are configured statically, static binding
entries are configured manually.

Procedure
l For users dynamically obtaining IP addresses through DHCP:
1. Run:
system-view

The system view is displayed.


2. Run:
dhcp enable

DHCP is enabled globally.


By default, DHCP is disabled globally.


3. Run:
dhcp snooping enable

DHCP snooping is globally enabled.


By default, DHCP snooping is disabled globally.
4. Enter the VLAN or interface view.
Run:
vlan vlan-id

The VLAN view is displayed.


Run:
interface interface-type interface-number

The interface view is displayed.


5. Run:
dhcp snooping enable

DHCP snooping is enabled in a VLAN or on an interface.


By default, DHCP snooping is disabled in a VLAN or on an interface.
6. Configure the trusted interface.
Run:
dhcp snooping trusted interface interface-type interface-number

The interface in the VLAN is configured as the trusted interface.


Run:
dhcp snooping trusted

The interface is configured as the trusted interface.


By default, interfaces are untrusted after DHCP snooping is enabled.
NOTE

The interface directly or indirectly connected to the server is generally configured as the trusted
interface. After DHCP snooping is enabled and the trusted interface is configured, the interface
on the user side generates dynamic binding entries based on DHCP Reply messages.
l For users using manually configured IP addresses:
1. Run:
system-view

The system view is displayed.


2. Run:
user-bind static { { ip-address | ipv6-address } start-ip [ to end-ip ] &<1-10> | mac-address mac-address } * [ interface interface-type interface-number ] [ vlan vlan-id [ ce-vlan ce-vlan-id ] ]

A static binding entry is configured.


By default, no static binding table is configured.

11.4.2 Configuring IP Packet Check

Context
IPSG enables the device to check IP packets in the VLAN and on the interface.


Procedure
l In the VLAN:
1. Run:
system-view

The system view is displayed.


2. Run:
vlan vlan-id

The VLAN view is displayed.


3. Run:
ip source check user-bind enable

IP packet check is enabled.


By default, IP packet check is disabled in the VLAN.
4. Run:
ip source check user-bind check-item { ip-address | mac-address | interface }*

IP packet check items are configured.


By default, the device checks the source IP address, source MAC address, and interface
number in IP packets in the VLAN view.
NOTE
This command is valid only for dynamic binding entries. IPSG enables the device to check all
the static binding entries.
l On the interface:
1. Run:
system-view

The system view is displayed.


2. Run:
interface interface-type interface-number

The interface view is displayed.


3. Run:
ip source check user-bind enable

IP packet check is enabled.


By default, IP packet check is disabled on the interface.
4. Run:
ip source check user-bind check-item { ip-address | mac-address | vlan }*

IP packet check items are configured.


By default, the device checks the source IP address, source MAC address, and VLAN
ID in IP packets in the interface view.
NOTE
This command is valid only for dynamic binding entries. IPSG enables the device to check all
the static binding entries.
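The binding-table check described in 11.2 (which items can be combined in each view) and in 11.4.2 (check items configured with ip source check user-bind check-item apply to dynamic entries only) can be modelled in a few lines. The following Python is an added example, not Huawei code: the Binding and Packet classes, ipsg_permits, and the sample hosts (laid out after Figure 11-2) are this example's own constructions. The model's treatment of the view's own key (the VLAN ID in the VLAN view, the interface in the interface view) as always part of the comparison, and its reading of the NOTE above as "static entries are compared on every field", are assumptions of the example, not statements from the page.

```python
"""Model of the IPSG binding-table check described in 11.2 and 11.4.2.

Added example, not Huawei code: it models the check on a per-VLAN or
per-interface basis with entries of the form (IP, MAC, VLAN, interface).
"""
from dataclasses import dataclass
from typing import Iterable, Set


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str
    static: bool = False   # True for entries made with "user-bind static"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    vlan: int
    interface: str


# All fields a binding entry carries; "ip source check user-bind check-item"
# selects a subset of them for dynamic entries.
ALL_ITEMS = {"ip-address", "mac-address", "vlan", "interface"}


def _matches(pkt: Packet, entry: Binding, items: Set[str]) -> bool:
    """True if pkt agrees with entry on every selected item."""
    checks = {
        "ip-address": pkt.src_ip == entry.ip,
        "mac-address": pkt.src_mac == entry.mac,
        "vlan": pkt.vlan == entry.vlan,
        "interface": pkt.interface == entry.interface,
    }
    return all(checks[item] for item in items)


def ipsg_permits(pkt: Packet, table: Iterable[Binding],
                 check_items: Set[str], view: str) -> bool:
    """Decide whether an IPSG-enabled device forwards pkt.

    view is "vlan" or "interface", the view in which IPSG was enabled.
    Assumption of this model: the view's own key (VLAN ID in the VLAN view,
    interface in the interface view) is always compared, which is why the
    command offers only the remaining items in each view. Configured check
    items apply to dynamic entries only; this model compares static entries
    on all fields (its reading of the NOTE in 11.4.2).
    """
    implied = "vlan" if view == "vlan" else "interface"
    dynamic_items = set(check_items) | {implied}
    for entry in table:
        if _matches(pkt, entry, ALL_ITEMS if entry.static else dynamic_items):
            return True
    return False   # no entry matches: the IP packet is dropped


# Constructed sample data following Figure 11-2: host A on Ethernet2/0/0,
# host B on Ethernet2/0/1, both in VLAN 10 with DHCP snooping entries.
HOST_A = Binding("1.1.1.3", "0000-0000-0003", 10, "Ethernet2/0/0")
HOST_B = Binding("1.1.1.2", "0000-0000-0002", 10, "Ethernet2/0/1")
SAMPLE_TABLE = [HOST_A, HOST_B]
DEFAULT_VLAN_ITEMS = {"ip-address", "mac-address", "interface"}

# Host B sending with host A's IP and MAC from its own interface.
SPOOFED = Packet("1.1.1.3", "0000-0000-0003", 10, "Ethernet2/0/1")
LEGITIMATE = Packet("1.1.1.3", "0000-0000-0003", 10, "Ethernet2/0/0")


def demo() -> dict:
    """Run the sample through the check with the default and a weakened item set."""
    return {
        "spoofed_default_items": ipsg_permits(SPOOFED, SAMPLE_TABLE, DEFAULT_VLAN_ITEMS, "vlan"),
        "spoofed_ip_only": ipsg_permits(SPOOFED, SAMPLE_TABLE, {"ip-address"}, "vlan"),
        "legitimate_default_items": ipsg_permits(LEGITIMATE, SAMPLE_TABLE, DEFAULT_VLAN_ITEMS, "vlan"),
    }


if __name__ == "__main__":
    for name, permitted in demo().items():
        print(f"{name}: {'forwarded' if permitted else 'dropped'}")
```

The point the demo makes is that the default item set (source IP, source MAC, and interface) drops host B's spoofed packet because the interface differs, whereas a check-item list reduced to ip-address alone lets the same packet through: the binding entry for host A matches on IP and VLAN. Reducing the check items is therefore a weakening of the protection, not just a performance tweak.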

11.4.3 Checking the Configuration


Procedure
Step 1 Run the display dhcp static user-bind { { interface interface-type interface-number | ip-address ip-address | mac-address mac-address | vlan vlan-id } * | all } [ verbose ] command to view static binding entries.

Step 2 Run the display ip source check user-bind { vlan vlan-id | interface interface-type interface-number } command to view IPSG configurations in the VLAN and on the interface.

Step 3 Run the display dhcp snooping user-bind { { interface interface-type interface-number | ip-address ip-address | mac-address mac-address | vlan vlan-id } * | all } [ verbose ] command to view dynamic DHCP snooping binding entries.

----End

11.5 Configuration Examples


This section provides several IPSG configuration examples, including networking requirements
and configuration roadmap.

11.5.1 Example for Configuring IPSG to Check Interface + IP + MAC Binding Entries

Networking Requirements
As shown in Figure 11-2, host A and host B belong to the same department and RouterA is
directly connected to both hosts. Host A and host B are dynamically allocated IP addresses by
DHCP and are added to the same VLAN through different interfaces of RouterA. Host B
communicates with a server on the Internet using the IP address and MAC address of host A.
As a result, host A cannot use services provided by the server. RouterA is required to defend
against the attack packets sent from host B so that host A can use services provided by the
server.


Figure 11-2 Networking diagram of configuring IPSG

(Figure: RouterA has host B, the attacker, at IP 1.1.1.2/24 and MAC 0000-0000-0002 on
Ethernet2/0/1 and host A at IP 1.1.1.3/24 and MAC 0000-0000-0003 on Ethernet2/0/0, both in
VLAN 10. RouterA connects through RouterB and the Internet to the server at IP 2.1.1.1/24 and
MAC 0000-0000-0001. Host B sends packets carrying host A's address 1.1.1.3/24 and MAC
0000-0000-0003.)

Configuration Roadmap
The configuration roadmap is as follows:
l Enable DHCP snooping on RouterA so that a dynamic binding table is generated.
NOTE

Before configuring IPSG, ensure that DHCP snooping is enabled. For details on how to enable DHCP
snooping, see 10.5.1 Configure Basic Functions of DHCP Snooping.
l Configure IP packet check in the VLAN view to check the source IP address, source MAC
address and interface number against the binding table. In this way, the device discards
attack packets from HostB.

Procedure
Step 1 Globally enable DHCP snooping.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] dhcp enable
[RouterA] dhcp snooping enable

Step 2 Configure IP packet check in VLAN 10.
[RouterA] vlan 10
[RouterA-vlan10] dhcp snooping enable
[RouterA-vlan10] ip source check user-bind enable
[RouterA-vlan10] quit

Step 3 Verify the configuration.

# Run the display ip source check user-bind command to view the configuration of IP packet
check.
[RouterA] display ip source check user-bind vlan 10
ip source check user-bind enable

----End

Configuration Files
#
sysname RouterA
#
vlan batch 10
#
dhcp enable
dhcp snooping enable
#
vlan 10
dhcp snooping enable
ip source check user-bind enable
#
return


12 URPF Configuration

About This Chapter

URPF can prevent network attacks based on source IP address spoofing.

12.1 Overview
This section describes the definition, background, and functions of URPF.

12.2 Principles
This section describes the implementation of URPF.

12.3 Applications
This section describes the applicable scenario of URPF.

12.4 Default Configuration


This section describes the URPF default configuration, which can be changed according to
network requirements.

12.5 Configuring URPF


This section describes how to configure URPF.

12.6 Configuration Examples


This section provides several URPF configuration examples, including networking requirements
and configuration roadmap.


12.1 Overview
This section describes the definition, background, and functions of URPF.

Definition
Unicast Reverse Path Forwarding (URPF) prevents network attacks based on source IP address
spoofing.

Purpose
A Denial of Service (DoS) attack prevents users from connecting to the server. DoS attacks aim
to occupy excess resources by sending a large number of connection requests. As a result,
authorized users cannot receive responses from the server.

URPF looks up the source IP address of a packet in the FIB table to find the outbound interface
towards that address, and checks whether this outbound interface matches the interface on which
the packet was received. If they do not match, the packet is discarded. This prevents IP spoofing
attacks, especially DoS attacks with bogus source IP addresses.

Benefits
l URPF prevents source IP address spoofing attacks and reduces maintenance costs.
l URPF improves network security and stability and defends against malicious attacks.

12.2 Principles
This section describes the implementation of URPF.

Working Mode
On a complex network, the routes recorded on the local end and remote end may be different.
A URPF-enabled device on this network may discard the packets transmitted along the correct
path, but forward the invalid packets.

The device provides the following URPF modes to solve the preceding problem:

l Strict check
In strict mode, a packet passes the check only when the source IP address of the packet
exists in the FIB table and the outbound interface of the matching route is the inbound
interface of the packet.
If route symmetry is ensured, you are advised to use the URPF strict check. For example,
if there is only one path between two network edge devices, URPF strict check can be used
to ensure network security.
l Loose check
In loose mode, a packet passes the check as long as the source IP address of the packet
matches an entry in the FIB table.
If route symmetry is not ensured, you are advised to use the URPF loose check. For example,
if there are multiple paths between two network edge devices, URPF loose check can be
used to ensure network security.

Principles
URPF enables the device to look up the source IP address of a received packet in the FIB table
and obtain the interface through which that address is reached. If this interface differs from the
interface on which the packet was received, the device treats the source address as spoofed and
discards the packet. In this manner, URPF effectively protects the device against attacks that
modify the source IP addresses of packets.

Figure 12-1 Principle

(Figure: RouterA, RouterB, and RouterC connected in a row. RouterA, at 1.1.1.1, sends a packet
with source address 2.1.1.1 to RouterB; the real 2.1.1.1 is RouterC.)

As shown in Figure 12-1, a bogus packet with source IP address 2.1.1.1 is sent from RouterA
to RouterB. After receiving the bogus packet, RouterB sends a response packet to the actual
destination device RouterC at 2.1.1.1. RouterB and RouterC are attacked by the bogus packets.

When RouterB with URPF strict check enabled receives the bogus packet with source IP address
2.1.1.1, URPF discards the packet because the inbound interface of the source IP address is not
the interface that receives the packet.

12.3 Applications
This section describes the applicable scenario of URPF.

URPF Strict Check


As shown in Figure 12-2, AS1, AS2, and AS3 are unidirectionally connected. URPF is enabled
on Interface1 and Interface2 of SwitchC to protect AS3 from source address spoofing attacks
from AS1 and AS2.

Assume that PC A in AS1 generates a packet with the bogus source IP address 2.2.2.2 and sends
the packet to the server in AS3. After receiving the packet, RouterC checks the inbound interface
of the packet and finds that packets destined for 2.2.2.2 are forwarded through Interface2, so a
packet from 2.2.2.2 should have arrived through Interface2 rather than Interface1. RouterC
considers the packet a bogus packet and discards it.

The packet sent from AS2 to the server is forwarded after passing URPF check.


Figure 12-2 URPF strict check application

(Figure: In AS1, PC A at 1.1.1.1/24 behind RouterA sends a packet with source 2.2.2.2 and
destination 3.3.3.3 that reaches Interface1 of RouterC. In AS2, PC B at 2.2.2.2/24 behind
RouterB sends a packet with the same source and destination that reaches Interface2 of RouterC.
URPF is enabled on RouterC, which connects to the server at 3.3.3.3/24 in AS3.)

URPF Loose Check


URPF loose check is often used when multiple connections are set up between two network edge devices.

l Single-homed client connected to one ISP

Figure 12-3 URPF enabled on single-homed client connected to one ISP

(Figure: the enterprise router has two links into the ISP, one to RouterA and one to RouterB.
URPF is enabled on the enterprise router and on RouterA and RouterB.)

As shown in Figure 12-3, two connections are set up between the enterprise and the ISP
device to ensure reliability. In this case, route symmetry between the enterprise and the ISP
device cannot be ensured. Therefore, URPF loose check is used.


l Multi-homed client connected to several ISPs

Figure 12-4 URPF enabled on multi-homed client connected to several ISPs

(Figure: the enterprise router connects to RouterA of ISP A and to RouterB of ISP B, both of
which lead to the Internet. URPF is enabled on the enterprise router and on RouterA and
RouterB.)

As shown in Figure 12-4, the enterprise is connected to several ISPs. Route symmetry
between the enterprise and the two ISP devices cannot be ensured. Therefore, URPF loose
check is used.
URPF enabled on a multi-homed client connected to several ISPs can be applied in the
following situations:
l If specified packets must pass the URPF check in any situation, you can create an ACL to
permit packets with specified source IP addresses to pass through.
l The devices connected to users may have only a default route to the ISP. Therefore,
matching the default routing entry needs to be supported.

12.4 Default Configuration


This section describes the URPF default configuration, which can be changed according to
network requirements.
Table 12-1 lists the default URPF configurations.

Table 12-1 URPF default configuration

Parameter | Default Value
URPF check | Disabled

12.5 Configuring URPF


This section describes how to configure URPF.

Pre-configuration Tasks
Before configuring URPF, complete the following task:
l Configuring link layer protocol parameters for interfaces to ensure that the link layer
protocol status on the interfaces is Up

12.5.1 Configuring the URPF Check Mode on an Interface

Context
On a complex network, the routes recorded on the local end and remote end may be different.
A URPF-enabled device on this network may discard the packets transmitted along the correct
path, but forward the invalid packets.

The device provides the following URPF modes to solve the preceding problem:

l Strict check
In strict mode, a packet can pass the check only when the source IP address of the packet
exists in the Forwarding Information Base (FIB) table and the outbound interface of the
matching FIB entry is the inbound interface of the packet.
If route symmetry is ensured, you are advised to use the URPF strict check. For example,
if there is only one path between two network edge devices, URPF strict check can be used
to ensure network security.
l Loose check
In loose mode, a packet can pass the check as long as the source IP address of the packet
exists in the FIB table.
If route symmetry is not ensured, you are advised to use the URPF loose check. For example,
if there are multiple paths between two network edge devices, URPF loose check can be
used to ensure network security.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Configure URPF check for packets on the interface.

l Configure the URPF check mode for IPv4 packets on the interface.
Run:
urpf { loose | strict } [ allow-default-route ]

The URPF check mode for IPv4 packets is configured on the interface.
l Configure the URPF check mode for IPv6 packets on the interface.
Run:
ipv6 urpf { loose | strict } [ allow-default-route ]

The URPF check mode for IPv6 packets is configured on the interface.


NOTE

To configure URPF check for IPv6 packets on an interface, enable the IPv6 function on the interface
first. Run the ipv6 command in the system view, and run the ipv6 enable command in the interface
view.

----End
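The decision that the urpf { loose | strict } [ allow-default-route ] command configures, as described in 12.2 Principles and in the strict and loose check descriptions above, can be traced with a small model. The following Python is an added example, not Huawei code: the FIB, fib_lookup, urpf_permits, and the uplink interface GigabitEthernet3/0/0 are constructed for this example (the two department subnets follow the 12.6.1 configuration files). The semantics assumed for allow-default-route, namely that a source reachable only through the default route fails the check unless the keyword is given and that strict mode then still requires the default route's outbound interface to be the inbound one, are this example's reading of the command, not a statement from the page.

```python
"""Model of the URPF check configured with "urpf { loose | strict } [ allow-default-route ]".

Added example, not Huawei code. It assumes a FIB given as (prefix, outbound
interface) pairs with longest-prefix matching, and the usual semantics of
allow-default-route: a source that matches only the default route fails the
check unless the keyword is given.
"""
import ipaddress
from typing import List, Optional, Tuple

FibEntry = Tuple[str, str]   # (destination prefix, outbound interface)


def fib_lookup(fib: List[FibEntry], address: str) -> Optional[FibEntry]:
    """Longest-prefix match of address in fib; None if nothing matches."""
    addr = ipaddress.ip_address(address)
    best, best_len = None, -1
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, iface), net.prefixlen
    return best


def urpf_permits(fib: List[FibEntry], src_ip: str, in_iface: str,
                 mode: str = "strict", allow_default_route: bool = False) -> bool:
    """Return True if a URPF-enabled interface would forward the packet."""
    entry = fib_lookup(fib, src_ip)
    if entry is None:
        return False                       # source unknown to the FIB: both modes drop
    prefix, out_iface = entry
    if ipaddress.ip_network(prefix).prefixlen == 0 and not allow_default_route:
        return False                       # only the default route matched
    if mode == "loose":
        return True                        # loose: any FIB match is enough
    return out_iface == in_iface           # strict: reverse path must be the inbound interface


# Constructed FIB modelled on the 12.6.1 configuration files: the two
# department subnets plus an assumed default route towards RouterB on a
# hypothetical uplink interface GigabitEthernet3/0/0.
SAMPLE_FIB: List[FibEntry] = [
    ("10.10.1.0/24", "GigabitEthernet1/0/0"),
    ("10.10.2.0/24", "GigabitEthernet2/0/0"),
    ("0.0.0.0/0", "GigabitEthernet3/0/0"),
]


def demo() -> dict:
    """Spoofed and legitimate sources under the modes the command offers."""
    return {
        # 10.10.2.1 belongs behind GE2/0/0 but arrives on GE1/0/0
        "spoofed_strict": urpf_permits(SAMPLE_FIB, "10.10.2.1", "GigabitEthernet1/0/0"),
        "spoofed_loose": urpf_permits(SAMPLE_FIB, "10.10.2.1", "GigabitEthernet1/0/0", mode="loose"),
        "legit_strict": urpf_permits(SAMPLE_FIB, "10.10.1.1", "GigabitEthernet1/0/0"),
        # Internet source on the uplink: known only through the default route
        "uplink_strict_no_default": urpf_permits(SAMPLE_FIB, "203.0.113.5", "GigabitEthernet3/0/0"),
        "uplink_strict_allow_default": urpf_permits(SAMPLE_FIB, "203.0.113.5", "GigabitEthernet3/0/0",
                                                    allow_default_route=True),
        # same source arriving on a department port: strict still drops it
        "dept_strict_allow_default": urpf_permits(SAMPLE_FIB, "203.0.113.5", "GigabitEthernet1/0/0",
                                                  allow_default_route=True),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'forwarded' if ok else 'dropped'}")
```

Two results are worth noting. Loose mode forwards the spoofed 10.10.2.1 packet that arrives on the wrong department port, which is exactly why the page recommends strict mode when route symmetry is guaranteed. And without allow-default-route, every source that the router knows only through its default route is dropped, so on an access router whose only path to the Internet is a default route the keyword is what keeps legitimate return traffic flowing.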

12.5.2 Checking the Configuration

Procedure
Step 1 Run the display this command in the interface view to check whether URPF is enabled on the
interface.

----End

12.6 Configuration Examples


This section provides several URPF configuration examples, including networking requirements
and configuration roadmap.

12.6.1 Example for Configuring URPF

Networking Requirements
As shown in Figure 12-5, the R&D department of an enterprise connects to GE1/0/0 of
RouterA, and the marketing department connects to GE2/0/0. RouterA has a reachable route to
an external server, and users in the R&D and marketing departments are allowed to connect to
the server through RouterA. RouterA is required to prevent staff in other departments from
accessing the server without permission by using source IP address spoofing.

NOTE

RouterA is an access router of the enterprise, and RouterB is an aggregation router.


Figure 12-5 Networking diagram of URPF configuration

(Figure: PC A at 10.10.1.1/24 in the marketing department connects to GE2/0/0 of RouterA, and
PC B at 10.10.2.1/24 in the R&D department connects to GE1/0/0. RouterA connects through
RouterB and the Internet to the server at 10.2.2.10/24. PC A sends packets with source
10.10.2.1 and destination 10.10.2.10.)

Configuration Roadmap
The configuration roadmap is as follows:

Configure URPF on GE1/0/0 and GE2/0/0, and allow special processing for the default route.

Procedure
Step 1 Configure URPF on the interface.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] urpf strict allow-default-route
[RouterA-GigabitEthernet1/0/0] ip address 10.10.1.5 24
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ip address 10.10.2.5 24
[RouterA-GigabitEthernet2/0/0] urpf strict allow-default-route

Step 2 Verify the configuration.

Run the display this command on GE1/0/0 to check the URPF configuration.
[RouterA-gigabitethernet1/0/0] display this
#
interface GigabitEthernet1/0/0
ip address 10.10.1.5 255.255.255.0
urpf strict allow-default-route
#
return

Run the display this command on GE2/0/0 to check the URPF configuration.
[RouterA-gigabitethernet2/0/0] display this
#
interface GigabitEthernet2/0/0
ip address 10.10.2.5 255.255.255.0
urpf strict allow-default-route
#
return

----End

Configuration Files
#
sysname RouterA
#
interface GigabitEthernet1/0/0
ip address 10.10.1.5 255.255.255.0
urpf strict allow-default-route
#
interface GigabitEthernet2/0/0
ip address 10.10.2.5 255.255.255.0
urpf strict allow-default-route
#
return


13 PKI Configuration

About This Chapter

Using the PKI function, the device can obtain a digital certificate, which is used to verify the
identities of the two communicating parties.

13.1 Overview
This section describes the definition, background, and functions of PKI.

13.2 Principles
This section describes the implementation of PKI.

13.3 Applications
This section describes the applicable scenario of PKI.

13.4 Default Configuration


This topic describes the default configuration for the PKI. The configuration can be modified
based on the site requirements.

13.5 Configuration Task Summary


After the PKI configurations are complete, the device can obtain the digital certificates for
identity verification, data encryption, and data signing.

13.6 Configuring PKI


This section describes the PKI configuration procedure.

13.7 Configuration Examples


This section provides PKI configuration examples.


13.1 Overview
This section describes the definition, background, and functions of PKI.

Definition
The public key infrastructure (PKI) is a key management platform. It provides encryption and
digital certificate services, together with the key and certificate management system they
require, for all network applications. That is, PKI provides information security services based
on public key theory and technology. PKI is the core of information security technologies and
e-commerce.

Usage Scenarios
The PKI provides network communication and trade (especially e-government and e-commerce)
with a set of transparent security services, including identity authentication, confidentiality, and
data consistency and non-repudiation.

The PKI technology develops fast and is widely used. The following are common application
scenarios of PKI:

1. Virtual private network
A virtual private network (VPN) is built on a public communications infrastructure. On a
VPN, PKI's encryption and digital signature functions can work with network layer security
protocols such as Internet Protocol Security (IPSec) to help protect data confidentiality.
2. Email security
PKI also helps ensure confidentiality, integrity, non-repudiation, and authentication of
emails. It is the basis of secure email protocols, such as Secure/Multipurpose Internet Mail
Extensions (S/MIME) that allows users to send encrypted emails with signatures.
3. Web security
Before two entities start to exchange data in a server/browser model, they establish a Secure
Sockets Layer (SSL) connection. The SSL protocol uses the PKI technology to encrypt
data exchanged between the browser and server. The server and browser use digital
certificates to authenticate each other. This process is transparent to application layer
protocols.

Benefits
l Benefits to users
The certificate authentication technology allows users to authenticate network devices
to which they connect, ensuring that users connect to secure and legal networks.
The encryption technology protects data against tampering and eavesdropping so that
data is transmitted securely on networks.
The digital signature technology ensures that data is accessible to only authorized
devices and users, protecting data privacy.
l Benefits to enterprises
PKI prevents unauthorized users from connecting to enterprise networks.


PKI establishes secure connections between enterprise branches to ensure data security.

13.2 Principles
This section describes the implementation of PKI.

13.2.1 PKI Basics

Public Key Encryption Algorithm


Public key encryption algorithm is also called asymmetric encryption algorithm or double-key
encryption algorithm. It uses two keys to encrypt and decrypt data respectively.

Public key encryption algorithm uses a pair of keys, namely, a public key and a private key. The
public key can be distributed to any user, and the private key is kept secret by the intended data
receiver. Data encrypted using one key can be decrypted only by the other key in the key pair.

RSA Key Pair


The digital certificate system depends on the public key system. The RSA encryption system is
most widely used in the PKI.

The RSA uses a pair of asymmetric RSA keys, namely, an RSA public key and an RSA private
key. When an entity applies for a digital certificate, the request must contain the RSA public
key.

The RSA key length (in bits) equals the modulus of the RSA key. A larger modulus provides
stronger key security but it takes a longer time to generate keys, and encrypt or decrypt data
using the key pair.

Digital Fingerprint
A digital fingerprint is a digit sequence of a fixed length computed by an algorithm. This digit
sequence is also called an information digest and is usually obtained from the original data using
a one-way hash algorithm.

Digital Signature
Digital signature is the data that the data sender generates by encrypting the digital fingerprint
of the original data using the private key.

The data receiver decrypts the digital signature attached to the original data using the sender's
public key to obtain the digital fingerprint. The receiver then compares this digital fingerprint
with the one obtained out of band and determines from the result whether the original data has
been tampered with.

Digital Certificate
A digital certificate is a file that is signed by a CA and contains the public key and identity of
an entity. A digital certificate associates the identity of an entity with the public key of the entity,
providing the basis for implementing secure communication. A certificate is signed by a CA to
ensure its legality and authority.

A certificate contains multiple fields, including the name of a certificate issuer, public key of an
entity, digital signature of a CA, and certificate validity period.

NOTE

This document involves two types of digital certificates: local certificates and CA certificates. A local
certificate is issued by a CA to an entity. A CA certificate is issued to a CA itself. If multiple CAs exist in
the PKI system, a CA hierarchy is formed. At the top of the hierarchy is a root CA, which has a self-signed
certificate.

Certificate Revocation List


When an entity name is changed, a private key is disclosed, or a service ceases, there must be
a method to revoke the certificate of the entity, that is, to unbind the public key from the identity
of the entity. In the PKI, a certificate revocation list (CRL) is used to revoke certificates.

After a certificate is revoked, the CA must issue a CRL to declare that the certificate is invalid.
The CRL lists the serial numbers of all revoked certificates. The CRL provides a method to
verify certificate validity.

If a CRL lists many revoked certificates, the CRL size is large, which deteriorates the
performance of network resources. To avoid this, a CA issues multiple CRLs and uses CRL
distribution points (CDPs) to indicate the location of these CRLs.

CRL Distribution Point


A CRL distribution point (CDP) is a location from which a CRL is obtained. It is specified in a
digital certificate. A CDP is a uniform resource locator (URL) in the Hypertext Transfer Protocol
(HTTP) or Lightweight Directory Access Protocol (LDAP) format, an LDAP directory, or a
URL of another type.

13.2.2 PKI System

PKI System Architecture


The PKI system consists of the entity, CA, RA, and Certificate/CRL repository, as shown in
Figure 13-1.


Figure 13-1 PKI system architecture

(Figure: the PKI end entity has operational interaction with the Certificate/CRL repository and
management interaction with the RA; the RA has management interaction with the CA; the CA
issues certificates and CRLs to the repository and CDP. Outband certificate loading to the end
entity and outband issuing by the CA are also shown. Multiple CAs appear in the hierarchy.)

l End entity
An entity is an end user of PKI products or services. An entity can be an individual, an
organization, a device (for example, a router or a switch), or a computer process.
l CA
The CA is the trust basis of the PKI and the trusted entity used to issue and manage digital
certificates. A CA is used to issue certificates, specify certificate validity periods, and
release CRLs.
l RA
The registration authority (RA) is an extension of the CA. The RA can be an independent
agent or a part of the CA. The RA authenticates individual identities, manages CRLs, and
generates and backs up key pairs. The international PKI standard recommends using an
independent RA to manage registrations, which improves the security of application
systems.
l Certificate/CRL repository
The certificate or CRL repository stores certificates and CRLs for PKI entities to query and
manage.

CA
l CA hierarchy
The PKI system uses a multi-layer CA hierarchy, in which the CA on the top is the root
CA and the other CAs are subordinate CAs. Upper-layer CAs issue and manage certificates
for lower-layer CAs, and the CAs at the lowest layer issue certificates to end entities.


Certificates issued by CAs at different layers form a certificate chain, in which each
certificate is signed by the subsequent certificate. The end of a certificate chain is the root
CA, which has a self-signed certificate.
The root CA is the first CA (trustpoint) in the PKI system. It issues certificates to
subordinate CAs, PCs, users, and servers. In most certificate-based applications, users
can find the root CA in certificate chains.
A subordinate CA must obtain a certificate from the root CA or another subordinate CA
that has been authorized by the root CA to issue CA certificates.
In a CA hierarchy, a subordinate CA obtains its CA certificate from the upper-layer CA,
and the root CA creates a self-signed certificate.
l CA types
CAs are classified into the following types:
Self-signed CA: uses a self-signed certificate. The public key in the certificate is the
same as the public key used to certify the digital signature.
Subordinate CA: uses a certificate issued by an upper-layer CA. The public key in the
certificate is different from the public key used to certify the digital signature.
Root CA: is on the top of the CA hierarchy and trusted unconditionally by users. The
root CA is the end of all certificate chains and signs its own certificate.
l CA functions
The main function of CAs is to issue and manage certificates. A CA is responsible for the
following:
Receiving and verifying certificate applications from users
Determining whether to accept certificate applications from users
Issuing certificates to users or rejecting certificate applications
Receiving and processing certificate renewal requests
Responding to user requests to query or revoke certificates
Creating and issuing CRLs
Archiving certificates
Backing up and recovering keys
Archiving historical data

RA
An RA helps CAs issue and manage certificates. It verifies user identities when receiving
certificate enrollment and revocation requests, and determines whether to submit the requests
to the corresponding CA.
An RA is usually integrated with a CA. Independent RAs can also be used to reduce CA
workloads and enhance CA system security.

13.2.3 PKI Implementation


Working Process
On a PKI network, PKI is configured to apply to a CA for a local certificate for a specified entity
and verify certificate validity. The PKI working process is as follows:


1. An entity applies to an RA for a certificate.


2. The RA authenticates the entity's identity and sends the entity's identity information and
public key as a digital signature to a CA.
3. The CA authenticates the digital signature and issues a certificate to the RA.
4. The RA receives the certificate and notifies the entity that the certificate is issued.
5. The entity obtains the certificate and uses it to securely communicate with other entities in
encryption and digital signature modes.
6. The entity sends a revocation request to the CA to revoke a certificate. The CA approves
the entity's revocation request and updates the CRL.

Working Principle
PKI uses public key theories and technologies to provide secure services for various network
applications.
Because public keys are transmitted over a network, a public key encryption system must solve
the problem of public key management. The digital certificate mechanism of PKI is the established
solution to this problem. The core PKI technologies cover digital certificate application, issuing,
usage, and revocation.
Certificate Enrollment
Certificate enrollment is a process in which an entity registers with a CA and obtains a certificate
from the CA. During this process, the subject provides the identity information and public key,
which will be added to the certificate issued to the subject.
A subject can apply to a CA for a certificate online or offline. In offline enrollment mode, the
subject provides the identity information and public key in outband mode (for example, through
a phone call, disk, or email). In online enrollment mode, an enrollment request can be initiated
manually or automatically. The following enrollment modes are often used:
l PKCS#10 mode (offline certificate enrollment)
If a PKI entity cannot use SCEP to request a certificate online, it can save the certificate
request information in PKCS#10 format to a file, and then send the file to the CA in outband
mode.
l Simple Certificate Enrollment Protocol (SCEP) mode (online certificate enrollment and
downloading)
A PKI entity uses the Hypertext Transfer Protocol (HTTP) to communicate with a CA or
a registration authority (RA). It sends an SCEP certificate enrollment request to apply for
a local certificate or sends a certificate download request to download the CA/RA certificate
or local certificate. This mode is most commonly used.
l Self-signed certificate
A PKI entity issues a self-signed certificate, in which the certificate issuer and subject are
the same.
Certificate Renewal
The device supports the certificate renewal function. It applies for a shadow certificate before
the current certificate expires. When the current certificate expires, the shadow certificate takes
effect.
The device completes a certificate enrollment process to obtain the shadow certificate.


The certificate renewal function can be used only when the CA server supports this function.

Certificate Downloading

An end entity can use the SCEP protocol to query and download issued certificates from a CA
server. It can also use the CDP mechanism to download certificates from the specified CDP
URL. Entities can download their own certificates, CA certificates, or certificates of other
entities.

Certificate Revocation

Certificate revocation unbinds the public key of a subject from the subject's identity. A certificate
subject needs to revoke its certificate when the subject's identity, information, or public key
changes or the service for the subject ceases. A CA issues a CRL to revoke certificates, and an
end entity submits a certificate revocation request to the CA server administrator in outband
mode.

The administrator requires the end entity to provide the challenge password. The challenge
password was sent to the CA with the PKCS#10 certificate enrollment request during
certificate enrollment. If the challenge password provided by the end entity is the same as that
saved on the CA server, the CA issues a CRL to revoke the certificate of the end entity.

CRL Downloading

CAs and RAs send CRLs to end entities only when they receive CRL query requests from end
entities. Entities download CRLs from CAs or RAs in CDP or SCEP mode.

If a CA supports CDPs, it encodes a CDP URL and encapsulates the URL in the certificate issued
to an end entity. The end entity then downloads the CRL from the URL.

If the certificate of an end entity does not contain the CDP information and no CDP URL is
configured on the end entity, the end entity sends an SCEP message to request the CRL from
the CA server. The SCEP message contains the certificate issuer name and certificate serial
number.

Certificate Status Checking

When an end entity verifies a peer certificate, it checks the status of the peer certificate. For
example, the end entity checks whether the peer certificate expires and whether the certificate
is in a CRL. An end entity uses any of the following methods to check the peer certificate status:

l CRL
If a CA supports CRL distribution points (CDPs), a certificate that the CA issues to an end
entity contains the CDP information, specifying how and where to obtain the CRL for the
certificate. The end entity then uses the specified method to find the CRL from the specified
location and download the CRL.
If a CDP URL is configured in a PKI domain, the end entity bound to the PKI domain
obtains the CRL from the CDP URL.
l OCSP
If a certificate does not specify any CDP and no CDP URL is configured in the PKI domain,
an end entity can use the Online Certificate Status Protocol (OCSP) to check the certificate
status.
l None


This mode is used when no CRL or OCSP server is available to an end entity or the end
entity does not need to check the peer certificate status. In this mode, an end entity does
not check whether a certificate has been revoked.

Certificate Legality Verification

When an end entity needs to authenticate a peer, it checks the validity of the peer certificate. For
example, when an end entity needs to set up a secure tunnel or connection with a peer, it verifies
the peer certificate and issuer's certificate. If the certificate of a CA is invalid or has expired, all
certificates issued by this CA are invalid. This invalidation seldom occurs because a device
usually renews the CA/RA certificate before the certificate expires.

During certificate authentication, the local device must obtain the peer certificate and the
following information: trusted CA certificate, CRL, local certificate and private key in the local
certificate, and certificate authentication configuration.

The local device authenticates a certificate as follows:

1. Uses the public key of the CA to verify the CA's digital signature on the certificate.
2. Checks whether the certificate has expired.
3. Checks whether the certificate has been revoked in CRL, OCSP, or None mode.

Certificate Chain Authentication

A user must obtain the public key of the certificate issuer before verifying the signature that the
issuer's private key produced on the certificate. Each CA certificate is certified by an upper-layer
CA, and the certificate authentication process is performed along a certificate chain. A certificate
chain ends at a trustpoint, which is the root CA holding a self-signed certificate or a trusted
intermediate CA.

A certificate chain is a series of trusted certificates, which starts at an end entity's certificate and
ends at a root certificate. Entities that have the same root CA or subordinate CA and have obtained
CA certificates can authenticate each other's certificates (peer certificates). Authentication of a
peer certificate chain ends at the first trusted certificate or CA.

In brief, certificate chain authentication starts at an entity certificate and ends at a trustpoint
certificate.

13.3 Applications
This section describes the applicable scenario of PKI.

13.3.1 PKI in IPSec VPN Networking


Figure 13-2 shows an example of the IPSec VPN networking.


Figure 13-2 Networking of an IPSec VPN application


[Figure 13-2 labels: CA/RA server, SCEP server, OCSP server; Router A and RouterB perform IKE negotiation across the Internet and establish an IPSec tunnel between Subnet A and Subnet B]

Subnet A and Subnet B communicate through the Internet. The devices function as the egress
gateways for the subnets. To transmit data securely on the insecure Internet, the devices establish
an IPSec tunnel with each other.

To establish an IPSec tunnel, the devices use a security association (SA) that is established
manually or negotiated using the Internet Key Exchange (IKE) protocol. The IKE protocol
provides key negotiation, SA establishment, and SA maintenance to simplify IPSec use and
management.

The devices use IKE to authenticate each other. They exchange certificates and authenticate
each other's certificate. After completing certificate authentication, the devices (RouterA and
RouterB) establish an IPSec SA. In this way, private keys can be transmitted securely on a
network without robust security.

In IPSec VPN applications, PKI implements certificate application, certificate renewal, and
certificate authentication. IKE peers authenticate each other's certificate during IKE negotiation.

13.3.2 PKI in SSL Networking


Figure 13-3 shows an example of Secure Sockets Layer (SSL) networking.


Figure 13-3 Networking of an SSL application


[Figure 13-3 labels: CA/RA server, SCEP server, OCSP server; an HTTPS client and an HTTPS server perform SSL negotiation across the Internet and establish an SSL connection]

The SSL protocol provides secure connections for application layer protocols based on the
Transmission Control Protocol (TCP). For example, SSL is combined with the Hypertext
Transfer Protocol (HTTP) in the Hypertext Transfer Protocol Secure (HTTPS) application. SSL
provides secure communication for ecommerce and online banking services.

To establish a secure connection, an HTTPS client authenticates an HTTPS server. The HTTPS
server can also authenticate the HTTPS client. When authenticating each other, the HTTPS client
and server exchange and verify each other's certificate. PKI implements certificate application,
certificate renewal, and certificate authentication.

13.3.3 PKI in WAPI Networking


Figure 13-4 shows an example of WLAN authentication and privacy infrastructure (WAPI)
networking.

Figure 13-4 Networking of a WAPI application

[Figure 13-4 labels: STAs, FIT APs, Switch, Router, ASU, CA, Internet; key negotiation between an STA and a FIT AP]


As shown in Figure 13-4, WLAN stations (STAs) use the WAPI certificate authentication mode
(WAPI-CERT) to connect to the Internet. The authentication service unit (ASU) authenticates
STAs and access points (APs). The CA server issues certificates. Generally, the ASU and CA
server are deployed on the same device.

During WAPI-CERT authentication, both STAs and APs must be authenticated. Before
authentication, STAs and APs must obtain their certificates. The ASU checks their certificates
to authenticate them.

An AP does not check an STA's certificate. Instead, it sends its own certificate and the STA's
certificate to the ASU for authentication.

In WAPI applications, the PKI module reads a certificate file from a device's storage device and
loads the certificate to the memory.

13.4 Default Configuration


This topic describes the default configuration for the PKI. The configuration can be modified
based on the site requirements.

Table 13-1 lists the PKI default configuration.

Table 13-1 PKI default configuration

Parameter                        Default Value
PKI Entity                       Unspecified
PKI Domain                       default
Length of the RSA key            1024
Certificate status check mode    CRL mode

13.5 Configuration Task Summary


After the PKI configurations are complete, the device can obtain the digital certificates for
identity verification, data encryption, and data signing.

Table 13-2 lists the PKI configuration tasks. The device obtains certificates in one of the
following ways. The certificates include CA certificates and device certificate. The device uses
the device certificate to show its own identity, and uses the CA certificates to verify the validity
of the device certificate.


Table 13-2 Configuration task summary

Scenario: Applying for certificates
Description: An entity submits the identity information to the CA server and obtains the
certificates. In this process, the entity submits the identity information and public key to the
CA server. The CA server adds the identity information and public key into the certificate
issued to the entity. Depending on whether there is a reachable route between the device and
CA server, two ways to apply for certificates are available:
l Online: When a reachable route exists between the device and CA server, the device
communicates with the CA server through SCEP to obtain certificates.
l Offline: When no reachable route exists between the device and CA server, the user needs to
manually generate a certificate request file on the device and send the file to the CA server
through disk or email.
Task:
1. 13.6.1 Configuring a PKI Entity
2. 13.6.2 Configuring a PKI Domain
3. 13.6.3 Configuring Certificate Registration and Obtaining
4. 13.6.4 Configuring Certificate Authentication

Scenario: Importing certificates
Description: The user uploads the certificate files to the storage device on the device through
FTP or TFTP, and imports the files to the memory. This mode is applicable when the user has
bought certificates from the IAOPC or has obtained certificates from the CA server.
Task: 13.6.5.2 Importing a Certificate

Scenario: Self-signed certificate
Description: A self-signed certificate is issued by the device. That is, the certificate requester
and issuer are the same. This mode is applicable when the user requires a temporary certificate
or has low data security requirements.
Task: 13.6.3.3 Creating a Self-signed Certificate or Local Certificate


13.6 Configuring PKI


This section describes the PKI configuration procedure.

13.6.1 Configuring a PKI Entity


A certificate binds a public key to a set of information that uniquely identifies a PKI entity. A
PKI entity identifies a certificate applicant.

13.6.1.1 Configuring a PKI Entity Identifier

Context
You can configure a common name to uniquely identify a PKI entity.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki entity entity-name

A PKI entity is created and the PKI entity view is displayed.

By default, no PKI entity is configured on the device.

Step 3 Run:
common-name common-name

A common name is configured on the device.

By default, no common name is configured on the device.

----End

13.6.1.2 (Optional) Configuring PKI Entity Attributes

Context
In addition to the common name, you can configure the fully qualified domain name (FQDN),
country code, geographic area, state or province name, organization name, department name,
and IP address of a PKI entity to identify it more precisely.

Procedure
Step 1 Run:
system-view


The system view is displayed.

Step 2 Run:
pki entity entity-name

The PKI entity view is displayed.

Step 3 Run:
fqdn fqdn-name

An FQDN is configured for the PKI entity.

By default, no FQDN is configured on the device.

Step 4 Run:
country country-code

A country code is configured for the PKI entity.

By default, no country code is configured for a PKI entity.

Step 5 Run:
locality locality-name

A geographic area is configured for the PKI entity.

By default, no geographic area is configured for a PKI entity on the device.

Step 6 Run:
state state-name

A state name or province name is configured for the PKI entity.

By default, no state name or province name is configured for a PKI entity.

Step 7 Run:
organization organization-name

An organization name is configured for the PKI entity.

By default, no organization name is configured for a PKI entity.

Step 8 Run:
organization-unit organization-unit-name

A department name is configured for the PKI entity.

By default, no department name is configured for a PKI entity.

Step 9 Run:
ip-address ip-address

An IP address is configured for the PKI entity.

By default, no IP address is configured for a PKI entity.

----End


13.6.1.3 Checking the Configuration

Context
After a PKI entity is configured, you can view the PKI entity configuration.

Procedure
l Run the display pki entity [ entity-name ] command to check the PKI entity configuration.

----End

13.6.2 Configuring a PKI Domain


Before an entity applies for a PKI certificate, registration information needs to be configured
for the entity. A set of the registration information is the PKI domain of the entity.

13.6.2.1 Creating a PKI Domain

Context
A PKI domain is a set of identity information required when a PKI entity enrolls a certificate.
A PKI domain allows other applications, such as Internet Key Exchange (IKE) and Secure
Sockets Layer (SSL), to reference the PKI configuration easily.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki realm realm-name

A PKI domain is created.

By default, the PKI domain default exists on the device.

Step 3 (Optional) Run:
enrollment self-signed

Self-signed certificate obtaining is configured for the PKI domain.

By default, the certificate in a PKI domain, except the default PKI domain, is obtained in SCEP
mode.

NOTE

The default certificate obtaining method for the PKI domain default is self-signed.

----End


13.6.2.2 Configuring a PKI Entity Name

Context
In a PKI domain, configure a name for the PKI entity applying for a certificate. A PKI entity
name binds to only one PKI entity.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki realm realm-name

The PKI domain view is displayed.

Step 3 Run:
entity entity-name

A PKI entity is specified.

By default, no PKI entity is specified on the device.

----End

13.6.2.3 Configuring the Trusted CA Name and Enrollment URL

Context
A trusted authentication authority enrolls and issues certificates to entities. Therefore, a trusted
CA name and enrollment URL must be configured.

A registration authority (RA) receives registration requests from users, checks users' certificate
credentials, and decides whether a CA can issue digital certificates to the users. An RA does not
issue certificates to users and it only checks users' certificate credentials. Sometimes, a CA
implements the registration management function and therefore no independent RA is required.

Before an entity requests a certificate, an enrollment URL must be specified. The entity requests
a certificate using the Simple Certificate Enrollment Protocol (SCEP) with the server specified
by the enrollment URL. SCEP is used by entities to communicate with CAs.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki realm realm-name

The PKI domain view is displayed.


Step 3 Run:
ca id ca-name

A trusted CA name is configured.

By default, no trusted CA is configured on the device.

Step 4 Run:
enrollment-url url [ interval minutes ] [ times count ] [ ra ]

An enrollment URL is configured.

By default, no enrollment URL is configured on the device.

----End

13.6.2.4 Configuring CA Certificate Fingerprint

Context
Before the device obtains a CA certificate, it checks the CA certificate fingerprint to ensure
that the content of the certificate has not been tampered with by unauthorized users. The CA
certificate fingerprint is unique to each certificate. If the fingerprint of the received CA
certificate differs from the fingerprint configured in the specified PKI domain, the device
rejects the issued certificate.

NOTE

A CA certificate fingerprint is usually sent to the device in outband mode (for example, through phone
call, disk, or email).
If a certificate is applied for in automatic mode, the CA certificate fingerprint must be configured. If a
certificate is applied for in manual mode, the configuration of the CA certificate fingerprint is optional. If
the CA certificate fingerprint is not configured, users must authenticate the CA certificate fingerprint by
themselves.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki realm realm-name

The PKI domain view is displayed.

Step 3 Run:
fingerprint { md5 | sha1 } fingerprint

The CA certificate fingerprint used in CA certificate authentication is configured.

By default, no CA certificate fingerprint is configured on the device.

----End


13.6.2.5 (Optional) Configuring the RSA Key Length of Certificates

Context
The digital certificate system depends on the public key system. The device supports the RSA
public key system. The RSA uses a pair of asymmetric RSA keys, namely, an RSA public key
and an RSA private key. When an entity applies for a digital certificate, the request must contain
the RSA public key.

The length of the RSA key is the length of the RSA modulus. A longer modulus provides
stronger key security but takes longer to generate keys and to encrypt or decrypt data
with the key pair.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki realm realm-name

The PKI domain view is displayed.

Step 3 Run:
rsa-key-size size

The RSA key length of certificates is set.

By default, the RSA key length of certificates is 1024 on the device.

----End

13.6.2.6 (Optional) Configuring a Certificate Revocation Password

Context
Configuring a certificate revocation password prevents users from incorrectly revoking
certificates. This improves operation security.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki realm realm-name

The PKI domain view is displayed.

Step 3 Run:
password { cipher | simple } password


A certificate revocation password is configured.

By default, no certificate revocation password is configured on the device.

----End

13.6.2.7 (Optional) Configuring a Source Interface for TCP Connection Setup

Context
The device uses the IP address of a specified source interface to establish a TCP connection with
the Simple Certificate Enrollment Protocol (SCEP) server or Online Certificate Status Protocol
(OCSP) server.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki realm realm-name

The PKI domain view is displayed.

Step 3 Run:
source interface interface-type interface-number

The source interface is specified.

By default, the device uses the outbound interface as the source interface for TCP connection
setup.

----End

13.6.2.8 Checking the Configuration

Context
After a PKI domain is configured, you can check the PKI domain configuration.

Procedure
l Run the display pki realm [ pki-realm-name ] command to check the PKI domain
configuration.

----End

13.6.3 Configuring Certificate Registration and Obtaining


The device supports manual and automatic certificate enrollment and manual certificate
obtaining.


13.6.3.1 Configuring Manual Certificate Enrollment

Prerequisites
A PKI domain has been created and configured. For details, see 13.6.2 Configuring a PKI
Domain.

Context
An entity can apply to a CA for a certificate online or offline. In offline enrollment mode, the
entity provides the identity information and public key in outband mode.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
pki enroll-certificate pki-realm-name [ pkcs10 [ filename filename ] ]

Manual certificate enrollment is configured.


l If pkcs10 is specified, an entity applies to a CA for a certificate in offline mode. The entity
saves the certificate request information in a file in PKCS#10 format and sends the file to
the CA in outband mode.
l If pkcs10 is not specified, an entity applies to a CA for a certificate in online mode.
NOTE

When a certificate is enrolled manually, the CA certificate and local certificate are downloaded and saved
in the default path automatically. Refer to 13.6.5.4 Configuring the Default Path Where Certificates
Are Stored to configure the default path.

----End

13.6.3.2 Configuring Automatic Certificate Enrollment

Prerequisites
A PKI domain has been created and configured. For details, see 13.6.2 Configuring a PKI
Domain.

Context
Automatic certificate enrollment: A PKI device uses the Simple Certificate Enrollment
Protocol (SCEP) to request a certificate from a CA when the configuration required for certificate
enrollment is complete but no local certificate is available. When the certificates are unavailable,
are about to expire, or have expired, the entity automatically requests a new certificate or renews
the existing certificate using SCEP.
After the automatic certificate enrollment and update function is enabled, users do not need to
manually download certificates. When an external application requires a CA or local certificate,
it instructs the system to download a CA or local certificate.


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki realm realm-name

The PKI domain view is displayed.

Step 3 Run:
auto-enroll [ percent ] [ regenerate ]

The automatic certificate enrollment and update function is enabled.

By default, the automatic certificate enrollment and update function is disabled on the device.

----End

13.6.3.3 Creating a Self-signed Certificate or Local Certificate

Context
A PKI device can generate a self-signed certificate or local certificate and issue the certificate
to a user.

NOTICE
The device does not provide lifecycle management for self-signed certificates. For example,
self-signed certificates cannot be updated or revoked on the device. To ensure the security of the
device and its certificates, it is recommended that a certificate issued by a CA be used instead.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki create-certificate [ self-signed ] filename file-name

A self-signed certificate or local certificate is created.

----End

13.6.3.4 Configuring Certificate Obtaining


Context
Certificate obtaining is configured so that an entity can query and download an issued certificate
from a CA server. Entities can download their own certificates, CA certificates, or certificates
of other entities.
The purposes of obtaining a certificate are as follows:
l Stores certificates locally to improve certificate query efficiency and reduce the number of
queries sent to the PKI certificate repository.
l Prepares for certificate authentication.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
pki get-certificate { ca | local } pki-realm-name

A CA or local certificate is obtained.

----End

13.6.3.5 Checking the Configuration

Context
After a certificate is obtained from a CA, or a self-signed certificate or local certificate is created,
you can view certificate information.

Procedure
l Run the display pki certificate { local | ca } pki-realm-name [ verbose ] command to view
information about the CA certificate or local certificate.
l Run the display pki certificate enroll-status pki-realm-name command to view the
certificate enrollment status.
----End

13.6.4 Configuring Certificate Authentication


Before a certificate is used, it must be authenticated.

13.6.4.1 Configuring the Certificate Check Mode

Context
When an end entity verifies a peer certificate, it checks the status of the peer certificate. For
example, the end entity checks whether the peer certificate expires and whether the certificate
is in a CRL. An end entity uses any of the following methods to check the peer certificate status:


l CRL
If a CA supports CRL distribution points (CDPs), a certificate that the CA issues to an end
entity contains the CDP information, specifying how and where to obtain the CRL for the
certificate. The end entity then uses the specified method to find the CRL from the specified
location and download the CRL.
If a CDP URL is configured in a PKI domain, the end entity bound to the PKI domain
obtains the CRL from the CDP URL.
l OCSP
If a certificate does not specify any CDP and no CDP URL is configured in the PKI domain,
an end entity can use the Online Certificate Status Protocol (OCSP) to check the certificate
status.
l None
This mode is used when no CRL or OCSP server is available to an end entity or the end
entity does not need to check the peer certificate status. In this mode, an end entity does
not check whether a certificate has been revoked.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki realm realm-name

The PKI domain view is displayed.

Step 3 Run:
certificate-check { crl | none | ocsp }

The certificate check mode is configured.

By default, the device checks certificates using CRLs.

l When the CRL mode is used:
1. Run the cdp-url cdp-url command to configure the CDP URL.

By default, the CDP URL is not configured.
2. Run the crl update-period hours command to configure the interval at which a PKI entity
downloads CRLs from a CRL server.

By default, the CRLs are updated at the next update time that is specified in the certificate.
3. (Optional) Run the crl cache command to permit PKI domains to use cached CRLs.

By default, the PKI domain is permitted to use the cached CRLs.
4. Run the quit command to go back to the system view.
5. (Optional) Run the pki get-crl pki-realm-name command to configure the device to
download CRLs from CA servers.

NOTE

When suspecting that the local CRLs are outdated, users can run this command to download the latest
CRLs from CA servers.
l When the OCSP mode is used:
1. Run the ocsp-url ocsp-url command to configure the URL of the OCSP server.

This URL overrides the OCSP server's address in the certificate.

----End

13.6.4.2 Checking Certificate Validity

Context
When an end entity needs to authenticate a peer, it checks the validity of the peer certificate. For
example, when an end entity needs to set up a secure tunnel or connection with a peer, it verifies
the peer certificate and issuer's certificate. If the certificate of a CA is invalid or has expired, all
certificates issued by this CA are invalid. This invalidation seldom occurs because a device
usually renews the CA/RA certificate before the certificate expires.

During certificate authentication, the local device must obtain the peer certificate and the
following information: trusted CA certificate, CRL, local certificate and private key in the local
certificate, and certificate authentication configuration.

The local device authenticates a certificate as follows:

1. Uses the public key of the CA to verify the CA's digital signature on the certificate.
2. Checks whether the certificate has expired.
3. Checks whether the certificate has been revoked, according to the configured check mode (CRL, OCSP, or None).

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki validate-certificate { ca | local } pki-realm-name

The CA certificate validity or local certificate validity is checked.

----End

13.6.4.3 Checking the Configuration

Context
After the certificate authentication mode is configured, you can view certificate information.


Procedure
l Run the display pki certificate enroll-status pki-realm-name command to check the
certificate enrollment status.
l Run the display pki crl pki-realm-name command to check CRL information.

----End

13.6.5 Managing Certificates


Managing certificates includes deleting, importing, and exporting certificates, and configuring
the default path where certificates are stored.

13.6.5.1 Deleting a Certificate

Context
When a certificate expires or a user wants to request a new certificate, you can delete the existing
certificate.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki delete-certificate { ca | local | ocsp } pki-realm-name

The certificate is deleted.

----End

13.6.5.2 Importing a Certificate

Context
To use an external certificate, copy it to the device's storage medium out of band and then import it
on the device.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki import-certificate { ca | local | ocsp } pki-realm-name { der | pkcs12 | pem }


The external certificate is imported to the device.

----End

13.6.5.3 Exporting a Certificate

Context
To provide a certificate for another device, export the certificate.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki export-certificate { ca | local | ocsp } pki-realm-name { der | pkcs12 | pem }

The certificate is exported and saved in a file.

----End

13.6.5.4 Configuring the Default Path Where Certificates Are Stored

Context
You can configure the default path where certificate files are stored.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki credential-storage local-dir

The default path and directory where the CA certificate, local certificate, and private key are
stored are configured.

By default, the CA certificate, local certificate, and private key are stored in flash:/.

----End

13.7 Configuration Examples


This section provides PKI configuration examples.


13.7.1 Example for Configuring Manual Certificate Enrollment

Networking Requirements
Configure the PKI entity Router to apply for a certificate from a CA, as shown in Figure 13-5.

Figure 13-5 Configuring a PKI entity to request a certificate from a CA
(Figure: the PKI entity Router reaches the CA Server across the Internet.)

Configuration Roadmap
1. Configure a PKI entity to identify a certificate applicant.
2. Configure a PKI domain and specify identity information required for certificate
enrollment, including the trusted CA name, bound entity name, enrollment URL, and CA
certificate fingerprint.
3. Enroll the certificate manually.

Procedure
Step 1 Configure a PKI entity to identify a certificate applicant.

# Configure a PKI entity user01.


<Huawei> system-view
[Huawei] pki entity user01
[Huawei-pki-entity-user01] common-name hello
[Huawei-pki-entity-user01] country cn
[Huawei-pki-entity-user01] state jiangsu
[Huawei-pki-entity-user01] organization huawei
[Huawei-pki-entity-user01] organization-unit info
[Huawei-pki-entity-user01] quit

Step 2 Configure a PKI domain and specify the identity information required for certificate enrollment
in the PKI domain.

# Configure the trusted CA, bound entity, enrollment URL, and CA certificate fingerprint.
[Huawei] pki realm abc
[Huawei-pki-realm-abc] ca id ca_root
[Huawei-pki-realm-abc] entity user01
[Huawei-pki-realm-abc] enrollment-url http://10.137.145.158:8080/certsrv/mscep/
mscep.dll ra
[Huawei-pki-realm-abc] fingerprint sha1 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF
[Huawei-pki-realm-abc] quit

Step 3 Enroll the certificate manually.


[Huawei] pki enroll-certificate abc
Create a challenge password. You will need to verbally provide this password to
the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration. Plea
se make a note of it.
Choice no password ,please enter the enter-key.
Please enter Password:
Start certificate enrollment ...
Certificate is enrolling now,It will take a few minutes or more.
Please waiting...
The certificate enroll successful.

You will be prompted to enter the password during certificate enrollment. If you do not have a
password, press Enter.
Step 4 Verify the configuration.
After the preceding configurations are complete, the CA issues a certificate to the PKI entity.
In the certificate information, the issued to field value is the entity common name hello.
Run the display pki certificate local command on the PKI entity to view the certificate.
[Huawei] display pki certificate local abc
Certificate
Status : Available
Version: 3
Serial Number:
19 36 41 af 00 00 00 00 02 ba
Subject:
C=CN
ST=jiangsu
O=huawei
OU=info
CN=hello

Associated Pki Realm : abc

Total Number: 1

----End

Configuration Files
#
pki entity user01
country CN
state jiangsu
organization huawei
organization-unit info
common-name hello
#
pki realm abc
ca id ca_root
enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
entity user01
fingerprint sha1 7a34d94624b1c1bcbf6d763c4a67035d5b578eaf
#
return

13.7.2 Example for Configuring PKI in IPSec

Networking Requirements
Users in Group 1 communicate with users in Group 2 over a public network, as shown in
Figure 13-6. RouterA and RouterB are the outgoing gateways of Group 1 and Group 2
respectively. The public network is not secure, so the communication between Group 1
and Group 2 is not secure either; for example, the traffic may be intercepted.

Figure 13-6 Configuring PKI in IPSec
(Figure: RouterA and RouterB connect to the Internet and to the CA Server; an IPSec tunnel runs between them.)
RouterA: Eth2/0/0 1.1.1.1/24 (Internet side), Eth2/0/1 10.1.1.1/24 (Group 1, 10.1.1.0/24)
RouterB: Eth2/0/0 2.2.2.1/24 (Internet side), Eth2/0/1 11.1.1.1/24 (Group 2, 11.1.1.0/24)

Configuration Roadmap
To ensure security of data, the administrator can establish an IPSec tunnel between the two
gateways to protect the security of data flows transmitted between Group 1 and Group 2. The
administrator can also establish a security tunnel between the two gateways using Internet Key
Exchange (IKE) negotiation. During IKE negotiation, PKI certificates are used for identity
authentication.
The configuration roadmap is as follows:
1. Configure a PKI entity to identify a certificate applicant.
2. Configure a PKI domain and specify the identity information required for certificate
enrollment in the PKI domain.
3. Configure IKE to use a digital signature for identity authentication.
4. Configure IPSec to protect data flows between two subnets.
5. Request a certificate and download it for IKE negotiation.

Procedure
Step 1 Configure a PKI entity.
# Configure RouterA.
<Huawei> system-view
[Huawei] pki entity routera
[Huawei-pki-entity-routera] common-name helloa
[Huawei-pki-entity-routera] country cn
[Huawei-pki-entity-routera] state jiangsu
[Huawei-pki-entity-routera] organization huawei
[Huawei-pki-entity-routera] organization-unit info
[Huawei-pki-entity-routera] quit

# Configure RouterB.
<Huawei> system-view
[Huawei] pki entity routerb
[Huawei-pki-entity-routerb] common-name hellob
[Huawei-pki-entity-routerb] country cn
[Huawei-pki-entity-routerb] state jiangsu
[Huawei-pki-entity-routerb] organization huawei
[Huawei-pki-entity-routerb] organization-unit marketing
[Huawei-pki-entity-routerb] quit

Step 2 Configure a PKI domain.

# Configure RouterA.
[Huawei] pki realm abca
[Huawei-pki-realm-abca] ca id ca_root
[Huawei-pki-realm-abca] entity routera
[Huawei-pki-realm-abca] enrollment-url http://10.137.145.158:8080/certsrv/mscep/
mscep.dll ra
[Huawei-pki-realm-abca] fingerprint sha1 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF
[Huawei-pki-realm-abca] certificate-check none
[Huawei-pki-realm-abca] quit

#Configure RouterB.
[Huawei] pki realm abcb
[Huawei-pki-realm-abcb] ca id ca_root
[Huawei-pki-realm-abcb] entity routerb
[Huawei-pki-realm-abcb] enrollment-url http://10.137.145.158:8080/certsrv/mscep/
mscep.dll ra
[Huawei-pki-realm-abcb] fingerprint sha1 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF
[Huawei-pki-realm-abcb] certificate-check none
[Huawei-pki-realm-abcb] quit

Step 3 Configure IKE to use a digital signature for identity authentication.

# Configure RouterA.
[Huawei] ike proposal 1
[Huawei-ike-proposal-1] encryption-algorithm 3des-cbc
[Huawei-ike-proposal-1] authentication-method rsa-signature
[Huawei-ike-proposal-1] authentication-algorithm sha1
[Huawei-ike-proposal-1] quit
[Huawei] ike peer routera v2
[Huawei-ike-peer-routera] ike-proposal 1
[Huawei-ike-peer-routera] local-address 1.1.1.1
[Huawei-ike-peer-routera] remote-address 2.2.2.1
[Huawei-ike-peer-routera] pki realm abca

# Configure RouterB.
[Huawei] ike proposal 1
[Huawei-ike-proposal-1] encryption-algorithm 3des-cbc
[Huawei-ike-proposal-1] authentication-method rsa-signature
[Huawei-ike-proposal-1] authentication-algorithm sha1
[Huawei-ike-proposal-1] quit
[Huawei] ike peer routerb v2
[Huawei-ike-peer-routerb] ike-proposal 1
[Huawei-ike-peer-routerb] local-address 2.2.2.1
[Huawei-ike-peer-routerb] remote-address 1.1.1.1
[Huawei-ike-peer-routerb] pki realm abcb


Step 4 Configure access control lists (ACLs) and define the data flows to be protected in the ACLs.

# Configure RouterA.
[Huawei] acl 3000
[Huawei-acl-adv-3000] rule 5 permit ip source 1.1.1.1 0 destination 2.2.2.1 0
[Huawei-acl-adv-3000] rule 15 permit ip source 10.1.1.1 0 destination 11.1.1.1 0
[Huawei-acl-adv-3000] quit

# Configure RouterB.
[Huawei] acl 3000
[Huawei-acl-adv-3000] rule 5 permit ip source 2.2.2.1 0 destination 1.1.1.1 0
[Huawei-acl-adv-3000] rule 10 permit ip source 11.1.1.1 0 destination 10.1.1.1 0
[Huawei-acl-adv-3000] quit

Step 5 Configure IPSec to protect data flows between two subnets.

# Configure RouterA.
[Huawei] ipsec proposal routera
[Huawei-ipsec-proposal-routera] transform esp
[Huawei-ipsec-proposal-routera] esp authentication-algorithm sha1
[Huawei-ipsec-proposal-routera] esp encryption-algorithm 3des
[Huawei-ipsec-proposal-routera] quit
[Huawei] ipsec policy routera 1 isakmp
[Huawei-ipsec-policy-isakmp-routera-1] security acl 3000
[Huawei-ipsec-policy-isakmp-routera-1] ike-peer routera
[Huawei-ipsec-policy-isakmp-routera-1] proposal routera
[Huawei-ipsec-policy-isakmp-routera-1] quit

# Configure RouterB.
[Huawei] ipsec proposal routerb
[Huawei-ipsec-proposal-routerb] transform esp
[Huawei-ipsec-proposal-routerb] esp authentication-algorithm sha1
[Huawei-ipsec-proposal-routerb] esp encryption-algorithm 3des
[Huawei-ipsec-proposal-routerb] quit
[Huawei] ipsec policy routerb 1 isakmp
[Huawei-ipsec-policy-isakmp-routerb-1] security acl 3000
[Huawei-ipsec-policy-isakmp-routerb-1] ike-peer routerb
[Huawei-ipsec-policy-isakmp-routerb-1] proposal routerb
[Huawei-ipsec-policy-isakmp-routerb-1] quit

Step 6 Bind IPSec policies to interfaces.

# Configure RouterA.
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] ipsec policy routera
[Huawei-Ethernet2/0/0] quit

# Configure RouterB.
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] ipsec policy routerb
[Huawei-Ethernet2/0/0] quit

Step 7 Configure devices to request a certificate and download it for IKE negotiation.

# Configure RouterA.
[Huawei] pki enroll-certificate abca
Create a challenge password. You will need to verbally provide this password to
the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration. Plea
se make a note of it.
Choice no password ,please enter the enter-key.
Please enter Password:
Start certificate enrollment ...
Certificate is enrolling now,It will take a few minutes or more.
Please waiting...
The certificate enroll successful.

# Configure RouterB.
[Huawei] pki enroll-certificate abcb
Create a challenge password. You will need to verbally provide this password to
the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration. Plea
se make a note of it.
Choice no password ,please enter the enter-key.
Please enter Password:
Start certificate enrollment ...
Certificate is enrolling now,It will take a few minutes or more.
Please waiting...
The certificate enroll successful.

Step 8 Verify the configuration.

Run the display ike sa v2 command on RouterA and RouterB to view IKE SA information. The
command output shows that RouterA and RouterB have established an IKE SA and can ping
each other successfully.

The display on RouterA is as follows.


[Huawei] display ike sa v2
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
898 2.2.2.1 0 RD|ST 2
895 2.2.2.1 0 RD|ST 1

Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP

The display on RouterB is as follows.


[Huawei] display ike sa v2
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
874 1.1.1.1 0 RD 2
873 1.1.1.1 0 RD 1

Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP

Ping RouterB from RouterA. RouterA can ping RouterB successfully.


[Huawei] ping 2.2.2.1
PING 2.2.2.1: 56 data bytes, press CTRL_C to break
Reply from 2.2.2.1: bytes=56 Sequence=1 ttl=255 time=3 ms
Reply from 2.2.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 2.2.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 2.2.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 2.2.2.1: bytes=56 Sequence=5 ttl=255 time=2 ms

--- 2.2.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/3 ms

NOTE

During IKE negotiation, if RouterA and RouterB do not obtain CA certificates or local certificates, IKE
negotiation fails.

----End

Configuration Files
Configuration file of RouterA

#
acl number 3000
rule 5 permit ip source 1.1.1.1 0 destination 2.2.2.1 0
rule 15 permit ip source 10.1.1.1 0 destination 11.1.1.1 0
#
ipsec proposal routera
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ike proposal 1
encryption-algorithm 3des-cbc
authentication-method rsa-signature
#
ike peer routera v2
ike-proposal 1
local-address 1.1.1.1
remote-address 2.2.2.1
pki realm abca
#
ipsec policy routera 1 isakmp
security acl 3000
ike-peer routera
proposal routera
#
interface Ethernet2/0/0
ipsec policy routera
#
pki entity routera
country CN
state jiangsu
organization huawei
organization-unit info
common-name helloa
#
pki realm abca
ca id ca_root
enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
entity routera
fingerprint sha1 7a34d94624b1c1bcbf6d763c4a67035d5b578eaf
certificate-check none
#
return

Configuration file of RouterB

#
acl number 3000
rule 5 permit ip source 2.2.2.1 0 destination 1.1.1.1 0
rule 10 permit ip source 11.1.1.1 0 destination 10.1.1.1 0
#
ipsec proposal routerb
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ike proposal 1
encryption-algorithm 3des-cbc
authentication-method rsa-signature
#
ike peer routerb v2
ike-proposal 1
local-address 2.2.2.1
remote-address 1.1.1.1
pki realm abcb
#
ipsec policy routerb 1 isakmp
security acl 3000
ike-peer routerb
proposal routerb
#
interface Ethernet2/0/0
ipsec policy routerb
#
pki entity routerb
country CN
state jiangsu
organization huawei
organization-unit marketing
common-name hellob
#
pki realm abcb
ca id ca_root
enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
entity routerb
fingerprint sha1 7a34d94624b1c1bcbf6d763c4a67035d5b578eaf
certificate-check none
#
return

13.7.3 Example for Importing Certificates Manually

Networking Requirements
An enterprise has bought the following certificates from a branch of the International Association
of Professional Certification (IAOPC):
l localcert.pem: local certificate, which can be used as the identity information of a device
to ensure device security.
l privatekey.pem: private key file of the local certificate, using abcd@huawei20091201 as
the password.
l middlecert.pem: CA certificate (level-3 CA certificate) issued by the subordinate CA
server, which verifies the validity of the device certificate.
l crosscert.pem: CA certificate (level-2 CA certificate) issued by the root CA server, through
which the CA server verifies the validity of the level-3 CA certificate.

As shown in Figure 13-7, the administrator needs to import the certificates to the device so that
the applications such as SSL can reference the certificates.


Figure 13-7 Importing certificates manually
(Figure: the Admin host is connected to the Router.)

Configuration Roadmap
1. Create a PKI domain so that the applications such as SSL can reference the PKI
configurations.
2. Import the local certificate to the device so that the device can encrypt and sign data
and communicate securely with other devices.
3. Import the CA certificates to the device to verify the validity of the local certificate.
NOTE

Ensure that the crosscert.pem, localcert.pem, middlecert.pem, and privatekey.pem files have been
loaded to the device through FTP or SFTP.

Procedure
Step 1 Create a PKI domain.
<Huawei> system-view
[Huawei] pki realm abc
[Huawei-pki-realm-abc] quit

Step 2 Import the local certificate.

# Import the local certificate localcert.pem and private key privatekey.pem.


[Huawei] pki import-certificate local abc pem
Please enter the name of certificate file <length 1-127>: localcert.pem
You are importing a local certificate,
You can directly enter "Enter" only the local certificate getting by pkcs10
message in security realm
Please enter the name of private key file <length 1-127>: privatekey.pem
Please enter the type of private key file(pem , p12 , der): pem
The current password is required, please enter your password <length 1-31>:
*******************
Successfully imported the certificate.

Step 3 Import the CA certificates.

# Import the CA certificate middlecert.pem issued by the subordinate CA server.


[Huawei] pki import-certificate ca abc pem
Please enter the name of certificate file <length 1-127>:
middlecert.pem
The CA's Subject is C=US,O=GeoTrust Inc.,OU=Domain Validated SSL,CN=GeoTrust DV
SSL CA
The CA's fingerprint is:
MD5 fingerprint: f4858289 ead55c53 b36d4b55 3f267837
SHA1 fingerprint: bae30b15 dbb1544c f194d076 b75b7bb9 e3d6b760
Is the fingerprint correct? [Y/N]: y
Successfully imported the certificate.

# Import the CA certificate crosscert.pem issued by the root CA server.

[Huawei] pki import-certificate ca abc pem
Please enter the name of certificate file <length 1-127>: crosscert.pem
The CA's Subject is C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA
The CA's fingerprint is:
MD5 fingerprint: 2e7db2a3 1d0e3da4 b25f49b9 542a2e1a
SHA1 fingerprint: 7359755c 6df9a0ab c3060bce 369564c8 ec4542a3
Is the fingerprint correct? [Y/N]: y
Successfully imported the certificate.

Step 4 Verify the configuration.

After the configurations are complete, run the display pki certificate local and display pki
certificate ca command on the device to view the imported local certificate and CA certificates.
[Huawei] display pki certificate local abc
Certificate
Status : Available
Version: 3
Serial Number:
07 1e 39
Subject:
OU=GT51268791
CN=securelogin.huawei.com

Associated Pki Realm : abc

Total Number: 1
[Huawei] display pki certificate ca abc
CA certificate
Status : Available
Version: 3
Serial Number:
12 bb e6
Subject:
C=US
O=GeoTrust Inc.
CN=GeoTrust Global CA

Associated Pki Realm : abc

CA certificate
Status : Available
Version: 3
Serial Number:
02 36 d2
Subject:
C=US
O=GeoTrust Inc.
OU=Domain Validated SSL
CN=GeoTrust DV SSL CA

Associated Pki Realm : abc

Total Number: 2

----End

Configuration Files
Configuration file of the Router
#
pki realm abc
#
return
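The enrollment examples above pin the trusted CA with fingerprint sha1 ..., and the manual import in 13.7.3 prints the CA's MD5/SHA1 fingerprint and asks the administrator to confirm it. The following Python script is an added example, not part of this guide or of Huawei's software; it shows what that check amounts to: the PEM file is decoded to DER, the DER bytes are hashed, and the result is compared with the fingerprint obtained out of band from the CA. The sample certificate bytes are constructed (not a real certificate); the configured fingerprint is the one used in the examples above.

```python
import base64
import hashlib
import hmac
import re

# Fingerprint algorithms the guide's "fingerprint" command and import prompt use.
ALGORITHMS = {"md5": hashlib.md5, "sha1": hashlib.sha1}

# Fingerprint configured in the PKI domain in the examples above (13.7.1 / 13.7.2):
#   [Huawei-pki-realm-abc] fingerprint sha1 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF
CONFIGURED_SHA1 = "7A34D94624B1C1BCBF6D763C4A67035D5B578EAF"

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body to DER bytes.

    The fingerprint is always computed over the DER encoding, so a PEM file
    and a DER file of the same certificate yield the same fingerprint.
    """
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = "".join(m.group(1).split())  # drop line breaks inside the base64 body
    return base64.b64decode(body, validate=True)


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def fingerprint(der: bytes, algorithm: str) -> str:
    """Return the lowercase hex fingerprint of a DER-encoded certificate."""
    try:
        digest = ALGORITHMS[algorithm.lower()]
    except KeyError:
        raise ValueError(f"unsupported fingerprint algorithm: {algorithm}") from None
    return digest(der).hexdigest()


def display_format(hexstr: str) -> str:
    """Group a hex fingerprint into 8-character blocks, the way the import
    prompt prints it ("SHA1 fingerprint: bae30b15 dbb1544c ...")."""
    return " ".join(hexstr[i:i + 8] for i in range(0, len(hexstr), 8))


def check_ca_fingerprint(pem: str, configured: str, algorithm: str) -> bool:
    """Compare the certificate's fingerprint with the value obtained out of band.

    Case and spacing are ignored because the CLI accepts the fingerprint in
    upper case but stores it in lower case in the configuration file, and the
    import prompt displays it in spaced 8-character groups. Only a full-length,
    exact match is accepted; a prefix match or a wrong algorithm is a failure.
    """
    expected = re.sub(r"\s+", "", configured).lower()
    actual = fingerprint(pem_to_der(pem), algorithm)
    if len(expected) != len(actual):
        return False
    return hmac.compare_digest(expected, actual)


# Constructed sample: not a real X.509 certificate, just bytes standing in for
# a DER-encoded CA certificate that was copied to the device before import.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = der_to_pem(SAMPLE_DER)


def verify_report(pem: str, configured: str, algorithm: str) -> str:
    """Render a one-line result in the style of the import dialogue."""
    fp = display_format(fingerprint(pem_to_der(pem), algorithm))
    ok = check_ca_fingerprint(pem, configured, algorithm)
    verdict = "matches the configured fingerprint" if ok else "does NOT match; do not trust this CA"
    return f"{algorithm.upper()} fingerprint: {fp} -> {verdict}"


if __name__ == "__main__":
    # The constructed sample cannot match the guide's fingerprint, so the first
    # line shows the mismatch path; the second uses a fingerprint taken from the
    # sample itself and therefore matches.
    print(verify_report(SAMPLE_PEM, CONFIGURED_SHA1, "sha1"))
    print(verify_report(SAMPLE_PEM, fingerprint(SAMPLE_DER, "md5"), "md5"))
```

The same comparison is what the device performs when it downloads the CA certificate during enrollment; answering "y" at the import prompt without checking the printed value against the CA's published fingerprint removes that protection.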


14 SSL Configuration

About This Chapter

The Secure Sockets Layer (SSL) protocol protects information privacy on the Internet.

14.1 SSL Overview


The Secure Sockets Layer (SSL) protocol uses data encryption, identity authentication, and
message integrity check to ensure security of TCP-based application layer protocols.

14.2 Default Configuration


This section provides the default SSL configuration. You can change the configuration as
needed.

14.3 Configuring a Server SSL Policy


A server SSL policy defines parameters that an SSL server uses in SSL handshakes, including
the PKI domain name, maximum number of sessions that can be saved, timeout period of a saved
session, and cipher suite. Among these parameters, the PKI domain name is mandatory, and the
others are optional.

14.4 Configuring a Client SSL Policy


A client SSL policy defines the parameters that an SSL client uses in SSL handshakes, including
the PKI domain name, SSL protocol version, and cipher suite.

14.5 Configuration Examples


This section provides several SSL configuration examples.


14.1 SSL Overview


The Secure Sockets Layer (SSL) protocol uses data encryption, identity authentication, and
message integrity check to ensure security of TCP-based application layer protocols.

Introduction to SSL
SSL is a cryptographic protocol that provides communication security over the Internet. It allows
a client and a server to communicate in a way designed to prevent eavesdropping. The server
must be authenticated by the client before they start to communicate, and the client can also be
authenticated by the server. SSL is widely used in e-commerce and online banking. It has the
following advantages:
l High security: SSL ensures secure data transmission by using data encryption, identity
authentication, and message integrity check.
l Support for various application layer protocols: SSL was originally designed to secure
World Wide Web traffic. SSL functions between the application layer and the transport
layer, so it can provide security for any TCP-based application.
l Easy to deploy: SSL has become a world-wide communications standard used to
authenticate websites and web users, and to encrypt data transmitted between browser users
and web servers.
SSL improves device security using the following functions:
l Allows only authorized users to connect to servers.
l Encrypts data transmitted between a client and a server to secure data transmission and
computes a digest to ensure data integrity.
l Defines an access control policy on a device based on certificate attributes to control access
rights of clients. This access control policy prevents unauthorized users from attacking the
device.

Terms
l Certificate Authority (CA)
A CA is an entity that issues, manages, and revokes digital certificates. A CA checks the
validity of digital certificate owners, signs digital certificates to prevent eavesdropping and
tampering, and manages certificates and keys. A world-wide trusted CA is called a root
CA. The root CA can authorize other CAs as subordinate CAs. The CA identities are
described in a trusted-CA file.
In the certificate issuing process, CA1 functions as the root CA and issues a certificate for
CA2, and CA2 issues a certificate for CA3. The process repeats until CAn issues the final
server certificate.
In the certificate authentication process, the client first authenticates the server's certificate.
If CA3 issued the server certificate, the client uses the CA3 certificate to authenticate the server
certificate. If the server certificate is authenticated, the client uses the CA2 certificate to
authenticate the CA3 certificate. After the CA2 certificate is authenticated, the client uses the CA1
certificate to authenticate the CA2 certificate. The client considers the server certificate valid
only when the CA2 certificate has been authenticated.
Figure 14-1 shows the certificate issuing and authentication processes.


Figure 14-1 Certificate issuing and authentication
(Figure: certificate issuing runs CA1 -> CA2 -> ... -> CAn -> server certificate; certificate verification runs in the reverse direction.)

l Digital certificate
A digital certificate is an electronic document issued by a CA to bind a public key with a
certificate subject (an applicant that has obtained a certificate). Information in a digital
certificate includes the applicant name, public key, digital signature of the CA that issues
the digital certificate, and validity period of the digital certificate. A digital certificate
verifies the identities of two communicating parties, improving communication reliability.
A user must obtain the public key certificate of the information sender to decrypt and
authenticate information in the certificate. The user also needs the CA certificate of the
information sender to verify the identity of the information sender.
l Certificate Revocation List (CRL)
A CRL is issued by a CA to specify certificates that have been revoked.
Each certificate has a validity period. A CA can issue a CRL to revoke certificates before
their validity periods expire. The validity period of a certificate specified in the CRL is
shorter than the original validity period of the certificate. If a CA revokes a digital
certificate, the key pair defined in the certificate cannot be used. After a certificate in a
CRL expires, the certificate is deleted from the CRL to shorten the CRL.
Information in a CRL includes the issuer and serial number of each certificate, the issuing
date of the CRL, certificate revocation date, and time when the next CRL will be issued.
Clients use CRLs to check validity of certificates. When verifying a server's digital
certificate, a client checks the CRL. If the certificate is in the CRL, the client considers the
certificate invalid.
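The chain walk and CRL check described above, as an added example that is not Huawei code: a toy PKI (CA1 as root, then CA2, CA3, and a server certificate, as in Figure 14-1) is built and then verified from the server certificate upward. Signatures use a deliberately tiny textbook RSA so that the issuer signs with a private key and the verifier checks with the public key only; the key sizes, names, serials, dates, and the rule that a missing or stale CRL fails verification are this example's assumptions, not the Router's behaviour.

```python
import hashlib
from dataclasses import dataclass, replace
from datetime import datetime

E = 17  # public exponent shared by all toy keys

def toy_keypair(p, q):
    """Return ((e, n), (d, n)) from two small primes. Toy RSA, not secure."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime
    pub: tuple  # subject's public key (e, n)
    sig: int    # issuer's signature over tbs()

    def tbs(self):
        """To-be-signed bytes: every field except the signature."""
        return (f"{self.subject}|{self.issuer}|{self.serial}|{self.not_before}"
                f"|{self.not_after}|{self.pub}").encode()

@dataclass(frozen=True)
class CRL:
    issuer: str
    revoked: dict  # serial -> revocation date
    this_update: datetime
    next_update: datetime

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(issuer, issuer_priv, subject, serial, nb, na, subject_pub):
    """The issuing CA signs the certificate body with its private key."""
    d, n = issuer_priv
    body = Cert(subject, issuer, serial, nb, na, subject_pub, 0)
    return replace(body, sig=pow(_digest(body.tbs(), n), d, n))

def sig_ok(cert, issuer_pub):
    """The verifier needs only the issuer's public key."""
    e, n = issuer_pub
    return pow(cert.sig, e, n) == _digest(cert.tbs(), n)

def verify_chain(leaf, intermediates, roots, crls, now):
    """Walk from the server certificate up to a trusted root CA, checking
    the validity period, the issuer's CRL and the issuer's signature at
    each step. A missing or stale CRL counts as a failure (this example's
    policy). Returns (ok, list of problems)."""
    problems, cert, visited = [], leaf, set()
    while True:
        if not cert.not_before <= now <= cert.not_after:
            problems.append(f"{cert.subject}: outside validity period")
        crl = crls.get(cert.issuer)
        if crl is None or now > crl.next_update:
            problems.append(f"{cert.subject}: no current CRL from {cert.issuer}")
        elif cert.serial in crl.revoked:
            problems.append(f"{cert.subject}: serial {cert.serial} revoked")
        issuer = roots.get(cert.issuer) or intermediates.get(cert.issuer)
        if issuer is None:
            problems.append(f"{cert.subject}: issuer {cert.issuer} unknown")
            break
        if not sig_ok(cert, issuer.pub):
            problems.append(f"{cert.subject}: signature by {cert.issuer} invalid")
        if cert.issuer in roots or cert.issuer in visited:
            break  # reached the trust anchor (or a loop in the chain)
        visited.add(cert.subject)
        cert = issuer
    return not problems, problems

def build_demo():
    """CA1 (root) -> CA2 -> CA3 -> server, as in Figure 14-1; all constructed."""
    nb, na = datetime(2014, 1, 1), datetime(2015, 1, 1)
    primes = {"CA1": (1051, 1061), "CA2": (1039, 1049),
              "CA3": (1031, 1033), "server": (1009, 1013)}
    keys = {name: toy_keypair(p, q) for name, (p, q) in primes.items()}
    ca1 = issue("CA1", keys["CA1"][1], "CA1", 1, nb, na, keys["CA1"][0])
    ca2 = issue("CA1", keys["CA1"][1], "CA2", 2, nb, na, keys["CA2"][0])
    ca3 = issue("CA2", keys["CA2"][1], "CA3", 3, nb, na, keys["CA3"][0])
    srv = issue("CA3", keys["CA3"][1], "server", 4, nb, na, keys["server"][0])
    crls = {name: CRL(name, {}, nb, na) for name in ("CA1", "CA2", "CA3")}
    return srv, {"CA2": ca2, "CA3": ca3}, {"CA1": ca1}, crls

if __name__ == "__main__":
    srv, mids, roots, crls = build_demo()
    now = datetime(2014, 6, 1)
    print(verify_chain(srv, mids, roots, crls, now))  # (True, [])
    crls["CA3"] = replace(crls["CA3"], revoked={4: now})  # CA3 revokes the server cert
    print(verify_chain(srv, mids, roots, crls, now))
    print(verify_chain(replace(srv, subject="other"), mids, roots, crls, now))
```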

Security Mechanisms
SSL provides the following security mechanisms:
l Connection privacy
SSL uses symmetric cryptography to encrypt data. It uses the Rivest-Shamir-Adleman
(RSA) algorithm (an asymmetric algorithm) to encrypt the key used by the symmetric
cryptography.
l Identity authentication
Digital certificates are used to authenticate a server and a client that need to communicate
with each other. The SSL server and client use the mechanism provided by the public key
infrastructure (PKI) to apply to a CA for a certificate.
l Message integrity
A keyed message authentication code (MAC) is used to verify message integrity during
transmission.
A MAC algorithm takes a key and data of arbitrary length as input and produces a MAC of a
fixed length.


A message sender uses a MAC algorithm and a key to compute a MAC, appends it to
a message, and sends the message to a receiver.
The receiver uses the same key and MAC algorithm to compute a MAC and compares
it with the MAC in the received message.
If the two MACs are the same, the message has not been tampered with during transmission. If
the two MACs are different, the message has been tampered with, and the receiver discards the
message.
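The sender/receiver exchange described above, as an added example that is not Huawei code: HMAC-SHA256 stands in for the keyed MAC algorithm, the receiver recomputes and compares in constant time, and the key and messages are constructed.

```python
import hashlib
import hmac

MAC_LEN = hashlib.sha256().digest_size  # fixed-length MAC whatever the message size

def protect(key: bytes, message: bytes) -> bytes:
    """Sender side: compute the MAC over the message and append it."""
    return message + hmac.new(key, message, hashlib.sha256).digest()

def receive(key: bytes, frame: bytes):
    """Receiver side: recompute the MAC with the same key and compare.
    Returns the message, or None when the frame must be discarded.
    compare_digest avoids leaking the mismatch position through timing."""
    if len(frame) < MAC_LEN:
        return None
    message, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return message if hmac.compare_digest(tag, expected) else None

def flip_bit(frame: bytes, index: int) -> bytes:
    """Simulate in-transit corruption or tampering of one byte."""
    b = bytearray(frame)
    b[index] ^= 0x01
    return bytes(b)

if __name__ == "__main__":
    key = b"constructed-shared-key"
    frame = protect(key, b"session cachesize 40 timeout 7200")
    print(receive(key, frame))                            # original message accepted
    print(receive(key, flip_bit(frame, 0)))               # None: message altered
    print(receive(key, flip_bit(frame, len(frame) - 1)))  # None: MAC altered
    print(receive(b"other-key", frame))                   # None: wrong key
```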

14.2 Default Configuration


This section provides the default SSL configuration. You can change the configuration as
needed.

Table 14-1 describes the default SSL configuration.

Table 14-1 Default SSL configuration (parameter: default setting)

l SSL protocol version in a client SSL policy: TLS1.0
l Cipher suite in a client SSL policy: rsa_aes_128_cbc_sha, rsa_des_cbc_sha, rsa_rc4_128_md5, and
rsa_rc4_128_sha
l Cipher suite in a server SSL policy: rsa_aes_128_cbc_sha, rsa_des_cbc_sha, rsa_rc4_128_md5, and
rsa_rc4_128_sha
l Maximum number of sessions that can be saved and timeout period of a saved session: by default,
a maximum of 3600 sessions can be saved, and the timeout period of a saved session is as follows:
AR150&160 series: 16; AR200 series: 32; AR1200 series: 128; AR2200 series: 128; AR3200 series: 256

14.3 Configuring a Server SSL Policy


A server SSL policy defines parameters that an SSL server uses in SSL handshakes, including
the PKI domain name, maximum number of sessions that can be saved, timeout period of a saved
session, and cipher suite. Among these parameters, the PKI domain name is mandatory, and the
others are optional.

Prerequisites
The PKI domain has been configured.


Context
The SSL protocol uses data encryption, identity authentication, and message integrity check to
ensure the security of TCP-based application layer protocols. To use a Router as an SSL server,
configure a server SSL policy on the Router. A server SSL policy can be applied to application
layer protocols such as HTTP to provide secure connections.

Figure 14-2 Router functions as an SSL server (figure not reproduced: SSL client - Internet - SSL server)

As shown in Figure 14-2, the Router functions as an SSL server and has a server SSL policy
configured. During an SSL handshake, the Router uses the SSL parameters in the server SSL
policy to negotiate session parameters with an SSL client. After the handshake is complete, the
Router establishes a session with the client.

The Router is authenticated by the SSL client, but it cannot authenticate the client.

NOTE

When functioning as an SSL server, the Router can communicate with SSL clients running SSL3.0, TLS1.0, or
TLS1.1. The Router determines the SSL protocol version used for this communication and sends a Server Hello
message to notify the client.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ssl policy policy-name type server

A server SSL policy is created, and the server SSL policy view is displayed.

Step 3 Run:
pki-realm realm-name

A PKI domain is specified for the server SSL policy.

By default, no PKI domain is specified for a server SSL policy on the Router.

NOTE

The Router obtains a digital certificate from a CA in the specified PKI domain. SSL clients can then authenticate
the Router by checking the digital certificate.

Step 4 (Optional) Run:


session { cachesize size | timeout time } *

The maximum number of sessions that can be saved and the timeout period of a saved session
are set.


By default, a maximum of 3600 sessions can be saved, and the timeout period of a saved session
is as follows:
l AR150&160 series: 16
l AR200 series: 32
l AR1200 series: 128
l AR2200 series: 128
l AR3200 series: 256

Step 5 (Optional) Run:


ciphersuite { rsa_aes_128_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 |
rsa_rc4_128_sha } *

A cipher suite is specified.

By default, a server SSL policy supports all the cipher suites: rsa_aes_128_cbc_sha,
rsa_des_cbc_sha, rsa_rc4_128_md5, and rsa_rc4_128_sha.

----End

Checking the Configuration


Run the display ssl policy policy-name command to view the configuration of the SSL policy.

14.4 Configuring a Client SSL Policy


A client SSL policy defines the parameters that an SSL client uses in SSL handshakes, including
the PKI domain name, SSL protocol version, and cipher suite.

Prerequisites
The PKI domain has been configured.

Context
The SSL protocol uses data encryption, identity authentication, and message integrity check to
ensure the security of TCP-based application layer protocols. To use a Router as an SSL client,
configure a client SSL policy on the Router. A client SSL policy can be applied to application
layer protocols such as the CPE WAN Management Protocol (CWMP) to provide secure
connections.

Figure 14-3 Router functions as an SSL client (figure not reproduced: SSL client - Internet - SSL server)

As shown in Figure 14-3, the Router functions as an SSL client and has a client SSL policy
configured. During an SSL handshake, the Router uses the SSL parameters in the client SSL
policy to negotiate session parameters with the SSL server. After the handshake is complete, the
Router establishes a session with the server.

When functioning as an SSL client, the Router does not allow SSL servers to authenticate it, but
it can authenticate SSL servers. When the Router functions as an SSL client, enable it to
authenticate servers to ensure secure communication.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ssl policy policy-name type client

A client SSL policy is created, and the client SSL policy view is displayed.

Step 3 Run:
server-verify enable

SSL server authentication is enabled.

By default, SSL server authentication is disabled in a client SSL policy.

Step 4 Run:
pki-realm realm-name

A PKI domain is specified for the client SSL policy.

By default, no PKI domain is specified for a client SSL policy on the Router.

NOTE

The Router obtains a CA certificate chain from CAs in the specified PKI domain. The Router authenticates an
SSL server by checking the server certificate and CA certificates against the CA certificate chain.

Step 5 (Optional) Run:


version { ssl3.0 | tls1.0 | tls1.1 }

The SSL protocol version is specified.

By default, a client SSL policy uses Transport Layer Security (TLS) version 1.0.

NOTE

Ensure that the specified SSL protocol version is supported by the SSL server. Before performing this step,
check the SSL protocol versions that the SSL server supports.

Step 6 (Optional) Run:


prefer-ciphersuite { rsa_aes_128_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 |
rsa_rc4_128_sha }

A cipher suite is specified.

By default, a client SSL policy uses all the cipher suites: rsa_aes_128_cbc_sha,
rsa_des_cbc_sha, rsa_rc4_128_md5, and rsa_rc4_128_sha.


NOTE

Ensure that the specified cipher suite is supported by the SSL server. Before performing this step, check the
cipher suites that the SSL server supports.

----End

Checking the Configuration


Run the display ssl policy policy-name command to view the configuration of the SSL policy.

14.5 Configuration Examples


This section provides several SSL configuration examples.

14.5.1 Example for Configuring a Server SSL Policy

Networking Environment
As shown in Figure 14-4, enterprise users use a web browser to connect to the Router. To prevent
eavesdropping and tampering during data transmission, a network administrator requires users
to use HTTPS to access the Router securely.

To meet this requirement, configure the Router as an HTTPS server and associate the HTTPS
server with a server SSL policy so that users can securely access and manage the device through
web pages.

Figure 14-4 Networking diagram of the server SSL policy configuration (figure not reproduced:
CA Server 11.137.145.158/24; Router with GE1/0/0 11.1.1.1/24; headquarters and branch PCs;
connected over the Internet)

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a PKI entity and a PKI domain.


2. Configure a server SSL policy.
3. Configure the Router as an HTTPS server.


Procedure
Step 1 Configure a PKI entity and a PKI domain.

# Configure a PKI entity.


<Huawei> system-view
[Huawei] sysname Router
[Router] pki entity users
[Router-pki-entity-users] common-name hello
[Router-pki-entity-users] country cn
[Router-pki-entity-users] state jiangsu
[Router-pki-entity-users] organization huawei
[Router-pki-entity-users] organization-unit info
[Router-pki-entity-users] quit

NOTE
If the entity name and entity common name are not set to the Router's IP address 11.1.1.1, the system will
display a message indicating that the certificate is invalid when the client opens a website. This does not
affect HTTPS application.

# Configure a PKI domain, and enable the automatic certificate enrollment and update function.
[Router] pki realm users
[Router-pki-realm-users] entity users
[Router-pki-realm-users] ca id ca_root
[Router-pki-realm-users] enrollment-url http://11.137.145.158:8080/certsrv/mscep/mscep.dll ra
[Router-pki-realm-users] fingerprint sha1 7bb05ada0482273388ed4ec228d79f77309ea3f4
[Router-pki-realm-users] auto-enroll regenerate
[Router-pki-realm-users] quit

Step 2 Configure a server SSL policy sslserver.

# Create a server SSL policy and specify PKI domain users in the policy. This allows the
Router to obtain a digital certificate from the CA specified in the PKI domain.
[Router] ssl policy sslserver type server
[Router-ssl-policy-sslserver] pki-realm users

# Set the maximum number of sessions that can be saved and the timeout period of a session.
[Router-ssl-policy-sslserver] session cachesize 40 timeout 7200
[Router-ssl-policy-sslserver] quit

Step 3 Configure the Router as an HTTPS server.

# Apply the SSL policy sslserver to the HTTPS service.


[Router] http secure-server ssl-policy sslserver

# Enable the HTTPS server function on the Router.


[Router] http secure-server enable

# Configure the port number of the HTTPS service.


[Router] http secure-server port 1278

Step 4 Verify the configuration.

# Run the display ssl policy command to view the configuration of the SSL policy sslserver.
[Router] display ssl policy sslserver
------------------------------------------------------------------------------
Policy name : sslserver
Policy ID : 1
Policy type : Server
Cache number : 40
Time out(second) : 7200
Server certificate load status : loaded
Bind number : 1
SSL connection number : 1
------------------------------------------------------------------------------

# Start the web browser on a PC, and enter https://11.1.1.1:1278 in the address box. The web
management system of the Router is displayed, and you can manage the Router on the web
pages.

----End

Example
Configuration file of the Router
#
sysname Router
#
pki entity users
country CN
state jiangsu
organization huawei
organization-unit info
common-name hello
#
pki realm users
ca id ca_root
enrollment-url http://11.137.145.158:8080/certsrv/mscep/mscep.dll ra
entity users
auto-enroll regenerate
fingerprint sha1 7bb05ada0482273388ed4ec228d79f77309ea3f4
#
ssl policy sslserver type server
pki-realm users
session cachesize 40 timeout 7200
#
http secure-server port 1278
http secure-server ssl-policy sslserver
http secure-server enable
#
return

14.5.2 Example for Configuring a Client SSL Policy


Networking Environment
As shown in Figure 14-5, the Router functions as a CPE to connect to phones and fax machines.
An ACS uses CWMP to manage and control the Router.
The ACS functions as an SSL server and has obtained a digital certificate from the CA. You
need to configure the Router as an SSL client to authenticate the ACS. This ensures privacy and
integrity of data exchanged between the Router and the ACS.


Figure 14-5 Networking diagram of the client SSL policy configuration (figure not reproduced:
CA Server 11.137.145.158/24; Router with GE1/0/0 11.1.1.1/24 connected to a fax machine and an
IP phone; ACS 11.2.2.58/24 reached over the Internet using CWMP)

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a PKI entity and a PKI domain.


2. Configure a client SSL policy on the Router and enable SSL server authentication in the
policy.
3. Apply the client SSL policy to the CWMP service so that the Router authenticates the ACS
to ensure data privacy and integrity.
4. Enable the Router to automatically initiate connections to the ACS and set the CWMP
parameters. This enables the ACS to manage and control the Router using CWMP.

Procedure
Step 1 Configure an IP address for the GE1/0/0 interface.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 11.1.1.1 24
[Router-GigabitEthernet1/0/0] quit

Step 2 Configure a PKI entity and a PKI domain.

# Configure a PKI entity.


[Router] pki entity cwmp0
[Router-pki-entity-cwmp0] common-name hello
[Router-pki-entity-cwmp0] country CN
[Router-pki-entity-cwmp0] state jiangsu
[Router-pki-entity-cwmp0] organization huawei
[Router-pki-entity-cwmp0] organization-unit info
[Router-pki-entity-cwmp0] quit

# Configure a PKI domain, and enable the automatic certificate enrollment and update function.

[Router] pki realm cwmp0


[Router-pki-realm-cwmp0] entity cwmp0
[Router-pki-realm-cwmp0] ca id ca_root
[Router-pki-realm-cwmp0] enrollment-url http://11.137.145.158:8080/certsrv/mscep/mscep.dll ra
[Router-pki-realm-cwmp0] fingerprint sha1 7bb05ada0482273388ed4ec228d79f77309ea3f4


[Router-pki-realm-cwmp0] auto-enroll regenerate
[Router-pki-realm-cwmp0] quit

Step 3 Configure a client SSL policy.

# Enable SSL server authentication.

[Router] ssl policy sslclient type client


[Router-ssl-policy-sslclient] server-verify enable

# Specify the PKI domain cwmp0 in the client SSL policy.


[Router-ssl-policy-sslclient] pki-realm cwmp0
[Router-ssl-policy-sslclient] quit

Step 4 Enable the CWMP function on the Router.

[Router] cwmp
[Router-cwmp] cwmp enable

Step 5 Apply the SSL policy to CWMP.

[Router-cwmp] cwmp ssl-client ssl-policy sslclient

Step 6 Configure the Router to automatically initiate connections to the ACS.

# Configure the URL used by the Router to connect to the ACS.


[Router-cwmp] cwmp acs url https://www.acs.com:80/acs

# Enable the Router to send Inform messages.


[Router-cwmp] cwmp cpe inform interval enable

# Set the interval at which the Router sends Inform messages to 1000 seconds.
[Router-cwmp] cwmp cpe inform interval 1000

# Configure the Router to send an Inform message at 2011-01-01 20:00:00.


[Router-cwmp] cwmp cpe inform time 2011-01-01T20:00:00

Step 7 Set CWMP parameters on the Router.

# Configure the interface that the Router uses to connect to the ACS.
[Router-cwmp] cwmp cpe connect interface gigabitethernet 1/0/0

# Set the user name and password that the Router uses for authentication by the ACS.
[Router-cwmp] cwmp acs username newacsname
[Router-cwmp] cwmp acs password cipher newacspsw

# Configure the user name and password that the Router uses to authenticate the ACS.
[Router-cwmp] cwmp cpe username newcpename
[Router-cwmp] cwmp cpe password cipher newcpepsw

# Set the maximum number of connection attempts to 5.


[Router-cwmp] cwmp cpe connect retry 5

# Set the close-wait timer of the Router to 100 seconds. If no data is transmitted within 100
seconds, the connection is torn down.


[Router-cwmp] cwmp cpe wait timeout 100

Step 8 Verify the configuration.


# Run the display current-configuration command. The command output shows that SSL has
been successfully configured for CWMP.

<Router> display current-configuration


...
cwmp
cwmp cpe inform interval enable
cwmp acs url https://www.acs.com:80/acs
cwmp acs username newacsname
cwmp acs password cipher %$%$"\~.1[)4MGN=d\4zy`$,"ne\%$%$
cwmp cpe username newcpename
cwmp cpe password cipher %$%$"\~.1[)4MGN=d\4zy`$,"ne\%$%$
cwmp cpe inform interval 1000
cwmp cpe connect retry 5
cwmp cpe wait timeout 100
cwmp cpe connect interface GigabitEthernet 1/0/0
cwmp ssl-client ssl-policy sslclient
...

# Run the display cwmp configuration command. The command output shows that CWMP is
enabled, and the Router is configured to send Inform packets at intervals.

<Router> display cwmp configuration


CWMP is enabled
ACS URL: https://www.acs.com:80/acs
ACS username: newacsname
ACS password: %$%$"\~.1[)4MGN=d\4zy`$,"ne\%$%$
Inform enable status: enabled
Inform interval: 1000s
Inform time: 2011-01-01T20:00:00
Wait timeout: 100s
Reconnection times: 5

# Run the display cwmp status command. The command output shows that CWMP is enabled,
and the CWMP connection status is connected.

<Router> display cwmp status


CWMP is enabled
ACS URL: https://www.acs.com:80/acs
Acs information is set by: user
ACS username: newacsname
ACS password: %$%$.h(P;/FO7%q"9H6D1]/O"90'%$%$
Connection status: connected
Time of last successful connection: 2010-12-01T20:00:00

----End

Example
Configuration file of the Router

#
sysname Router
#
interface GigabitEthernet 1/0/0
ip address 11.1.1.1 255.255.255.0


#
cwmp
cwmp cpe inform interval enable
cwmp acs url https://www.acs.com:80/acs
cwmp acs username newacsname
cwmp acs password cipher %$%$"\~.1[)4MGN=d\4zy`$,"ne\%$%$
cwmp cpe username newcpename
cwmp cpe password cipher %$%$"\~.1[)4MGN=d\4zy`$,"ne\%$%$
cwmp cpe inform interval 1000
cwmp cpe connect retry 5
cwmp cpe wait timeout 100
cwmp cpe connect interface GigabitEthernet 1/0/0
cwmp ssl-client ssl-policy sslclient
#
pki entity cwmp0
country CN
state jiangsu
organization huawei
organization-unit info
common-name hello
#
pki realm cwmp0
ca id ca_root
enrollment-url http://11.137.145.158:8080/certsrv/mscep/mscep.dll ra
entity cwmp0
auto-enroll regenerate
fingerprint sha1 7bb05ada0482273388ed4ec228d79f77309ea3f4
#
ssl policy sslclient type client
server-verify enable
pki-realm cwmp0
#
return


15 HTTPS Configuration

About This Chapter

The Hypertext Transfer Protocol Secure (HTTPS) protocol provides secure web access using
security mechanisms provided by the Secure Sockets Layer (SSL) protocol, including data
encryption, identity authentication, and message integrity check.

15.1 HTTPS Overview


Secure HTTP (HTTPS) effectively improves device security.

15.2 Configuring the Device as an HTTPS Server


The HTTPS server function allows users to securely access the device on web pages.

15.3 Configuration Examples


This section provides an HTTPS configuration example.


15.1 HTTPS Overview


Secure HTTP (HTTPS) effectively improves device security.

HTTPS supports the Secure Sockets Layer (SSL).

HTTPS improves device security using SSL:


l Allows authorized clients to access the device securely and rejects unauthorized clients.
l Encrypts data exchanged between clients and the device to ensure data transmission
security and integrity and implement secure management.
l Defines access control policies based on certificate attributes and controls the access rights of
clients to defend against attacks from unauthorized clients.

As shown in Figure 15-1, an SSL policy is configured on the device (an HTTP server). After
the HTTPS server function is enabled on the device, users can use a web browser to log in to
the device (an HTTPS server) and manage the device on web pages.

Figure 15-1 Logging in to an HTTPS server through the web browser (figure not reproduced: PC - Network - HTTPS Server)

15.2 Configuring the Device as an HTTPS Server


The HTTPS server function allows users to securely access the device on web pages.

Prerequisites
A server SSL policy has been configured. For details on how to configure a server SSL policy,
see 14.3 Configuring a Server SSL Policy.

Context
When users access a remote device functioning as an HTTP server, the following problems exist:

l Users cannot authenticate the device.


l Privacy and integrity of data transmitted between users and the device cannot be ensured.

To solve the preceding problems, configure the device as an HTTPS server. The device uses the
SSL protocol's data encryption, identity authentication, and message integrity check mechanisms
to protect security of data transmitted between users and the device. These mechanisms ensure
that users securely access a remote device on web pages.


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
http secure-server ssl-policy ssl-policy

An SSL policy is applied to the HTTPS service.

By default, no SSL policy is applied to the HTTPS service on the device.

Step 3 (Optional) Run:


http secure-server port port-number

The port number is set for the HTTPS service.

By default, the port number of the HTTPS service is 443.

Step 4 Run:
http secure-server enable

The HTTPS server function is enabled on the device.

By default, the HTTPS server function is disabled on the device.

----End

Checking the Configuration


# Run the display current-configuration command to check the configuration of the HTTPS
server.
<Huawei> display current-configuration | include http secure-server
http secure-server port 1026
http secure-server ssl-policy user
http secure-server enable
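An added example, not Huawei code, that reads a saved configuration in the layout of the configuration files shown in 14.5 and checks the points made in 14.3, 14.4 and 15.2: the mandatory pki-realm, server-verify (disabled by default in a client policy), the cipher suites in use (the DES-, RC4- and MD5-based suites in the default set are weak by current standards) and whether the HTTPS service is bound to an existing server policy. The sample configuration, the weak-suite list and all function names are this example's own assumptions.

```python
import re

WEAK_SUITES = {"rsa_des_cbc_sha", "rsa_rc4_128_md5", "rsa_rc4_128_sha"}  # DES, RC4, MD5
DEFAULT_SUITES = WEAK_SUITES | {"rsa_aes_128_cbc_sha"}  # all four, the stated default

def parse_ssl_policies(config):
    """Return {name: {"type": "server"|"client", "lines": [...]}} for each
    'ssl policy' block; a block ends at the next '#' line."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            current = None
            continue
        m = re.fullmatch(r"ssl policy (\S+) type (server|client)", line)
        if m:
            current = {"type": m.group(2), "lines": []}
            policies[m.group(1)] = current
        elif current is not None and line:
            current["lines"].append(line)
    return policies

def audit(config):
    """Return a list of findings (empty when nothing needs attention)."""
    findings, policies = [], parse_ssl_policies(config)
    for name, pol in policies.items():
        lines = pol["lines"]
        if not any(l.startswith("pki-realm ") for l in lines):
            findings.append(f"{name}: no pki-realm (mandatory)")
        if pol["type"] == "client":
            if "server-verify enable" not in lines:
                findings.append(f"{name}: server-verify not enabled, "
                                "the server certificate will not be checked")
            if "version ssl3.0" in lines:
                findings.append(f"{name}: SSL 3.0 selected")
        # server policies use 'ciphersuite', client policies 'prefer-ciphersuite'
        keyword = "ciphersuite " if pol["type"] == "server" else "prefer-ciphersuite "
        chosen = [l[len(keyword):].split() for l in lines if l.startswith(keyword)]
        suites = set(chosen[0]) if chosen else DEFAULT_SUITES
        for s in sorted(suites & WEAK_SUITES):
            findings.append(f"{name}: weak cipher suite {s}"
                            + ("" if chosen else " (default)"))
    flat = [l.strip() for l in config.splitlines()]
    if "http secure-server enable" in flat:
        bound = [l.split()[-1] for l in flat
                 if l.startswith("http secure-server ssl-policy ")]
        if not bound:
            findings.append("http secure-server enabled without an SSL policy")
        elif policies.get(bound[0], {}).get("type") != "server":
            findings.append(f"http secure-server bound to missing or "
                            f"non-server policy {bound[0]}")
    return findings

# Constructed sample in the layout of the configuration files shown in this chapter.
SAMPLE = """\
#
ssl policy sslserver type server
 pki-realm users
 session cachesize 40 timeout 7200
#
ssl policy sslclient type client
 pki-realm cwmp0
 prefer-ciphersuite rsa_aes_128_cbc_sha
#
http secure-server ssl-policy sslserver
http secure-server enable
#
return
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```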

15.3 Configuration Examples


This section provides an HTTPS configuration example.

15.3.1 Example for Configuring the Device as an HTTPS Server

Networking Environment
As shown in Figure 15-2, users access the gateway Router through the web.

To prevent data intercepting and tampering during data transmission, a network administrator
requires that users use HTTPS to access the Router securely.


Figure 15-2 Networking diagram of HTTPS server configuration (figure not reproduced: Router, Eth2/0/0 in VLAN 11, User)

Configuration Roadmap
The configuration roadmap is as follows:

1. Create a VLAN and a VLANIF interface, and configure the interface to allow enterprise
users to access the router.
2. Configure a server SSL policy and apply the default PKI domain to the server SSL policy.
The CA server is not required.
3. Configure an HTTPS server to ensure confidentiality and integrity of data transmission
between users and the Router.

Procedure
Step 1 Create a VLAN and configure the interface.

# Create VLAN 11 on the Router.


<Huawei> system-view
[Huawei] vlan batch 11

# Add Eth2/0/0 connecting to users to VLAN 11.


[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] port link-type access
[Huawei-Ethernet2/0/0] port default vlan 11
[Huawei-Ethernet2/0/0] quit

# Create VLANIF 11 and assign IP address 192.168.2.29/24 to VLANIF 11.


[Huawei] interface vlanif11
[Huawei-Vlanif11] ip address 12.1.1.1 24
[Huawei-Vlanif11] quit

Step 2 Configure a server SSL policy.

# Apply the default PKI domain default to the server SSL policy.
[Huawei] ssl policy userserver type server
[Huawei-ssl-policy-userserver] pki-realm default

# Set the maximum number of sessions that can be saved and the timeout period of a saved
session.
[Huawei-ssl-policy-userserver] session cachesize 20 timeout 7200
[Huawei-ssl-policy-userserver] quit

Step 3 Configure the HTTPS server.

# Bind the SSL policy userserver to the HTTPS server.


[Huawei] http secure-server ssl-policy userserver

# Configure the port number of the HTTPS service.


[Huawei] http secure-server port 1278

# Enable the HTTPS server function on the Router.


[Huawei] http secure-server enable
Warning: The HTTP server has not configured with SSL policy. Continue starting HTTP secure server? [Y/N]: y
This operation will take several minutes, please wait.........................................................
Info: Succeeded in starting the HTTPS server
[Huawei] quit

Step 4 Verify the configuration.

# Run the display ssl policy policy-name command to view the configuration of the SSL policy
userserver.

<Huawei> display ssl policy userserver


------------------------------------------------------------------------------
Policy name : userserver
Policy ID : 0
Policy type : Server
Cache number : 20
Time out(second) : 7200
Server certificate load status : loaded
Bind number : 1
SSL connection number : 0
-----------------------------------------------------------------------------

# Start the web browser on a computer, and enter https://12.1.1.1:1278 in the address box. The
web management system is displayed, and you can manage the Router on the web pages.

----End

Configuration File
Configuration file of the Router
#
ssl policy adminserver type server
pki-realm admin
session cachesize 20 timeout 7200
#
http secure-server ssl-policy userserver
http secure-server enable
http secure-server port 1278
#
vlan batch 11
#
interface Vlanif11
ip address 12.1.1.1 255.255.255.0
#
interface Ethernet2/0/0
port link-type access
port default vlan 11
#
return


16 Keychain Configuration

About This Chapter

A keychain is a widely used application that controls authentication algorithms and key strings
in a centralized way.

16.1 Overview
This section describes the definition and functions of Keychain.

16.2 Principles
This section describes the implementation of Keychain.

16.3 Applications
This section describes the applicable scenario of Keychain.

16.4 Configuration Notes


This section describes the precautions for keychain configuration.

16.5 Configuring a Keychain


You can configure the keychain to periodically change authentication keys and algorithms to
ensure data transmission security.

16.6 Example for Configuring a Keychain


This section describes a configuration example of Keychain including networking requirements,
configuration roadmap, and configuration procedure.

16.7 References
This section lists references of Keychain.


16.1 Overview
This section describes the definition and functions of Keychain.

Definition
A keychain is a set of encryption rules, called keys. It authenticates applications and dynamically
changes algorithms and keys during authentication. The keychain periodically changes
authentication keys and algorithms to improve transmission security.

Purpose
When two applications communicate, some unauthorized users may try to modify data packets
or forge authorized users on the network, which may cause security problems. To identify
modified packets and forged users, applications authenticate information by defining
authentication rules. An application may use independent authentication rules.

However, an authentication rule may be cracked by unauthorized users if it is used for a long
time, and having administrators modify authentication rules by hand is complicated and error-prone.
In addition, if each application keeps its own authentication rule, many applications end up using
the same authentication mode, duplicating data and configuration.

Therefore, the keychain is used to manage all the authentication algorithms and keys. The
keychain can control the authentication and dynamically change algorithms and key strings
during authentication, which improves communication security.

16.2 Principles
This section describes the implementation of Keychain.

16.2.1 Basic Concepts

A keychain is a set of encryption rules, called keys. A key includes an algorithm, a key string,
and the send/receive time. The algorithm and key string are used to encrypt and decrypt packets.
The send time and receive time define the period during which packets are sent and received
using that algorithm and key string.

Key
A key includes an algorithm, a key string, and the send/receive time. The keychain supports
algorithms such as MD5, SHA-1, SHA-256, HMAC-MD5, HMAC-SHA1-12, and HMAC-SHA1-20.
An application must support the algorithm configured in the keychain if the keychain is applied
to the application. The key string is a string configured by users.

The active time includes the active send time and the active receive time. The device dynamically
changes keys by setting the send and receive time. Keys are classified into the following types:


- Active send key: When the system time is within the send time range, the key is the active
send key. When the application sends a packet, the algorithm and key configured by the
key generate a Message Authentication Code (MAC) on the sending end.
- Active receive key: When the system time is within the receive time range, the key is the
active receive key. When the application receives a packet, the algorithm and key
configured by the key generate a MAC on the receiving end.

Message Authentication Code

A MAC is a character string calculated from the packet data and the key string using the
configured algorithm.

Keychain Time Mode

Keychain time has an absolute time mode and a periodic time mode. A keychain can have only
one time mode, and you must specify it when you create the keychain. The send-active and
receive-active times of each key-id are then configured according to the time mode of the
keychain.

Absolute time mode uses the Coordinated Universal Time (UTC) format.

Periodic time mode sets a specific time period during which a key takes effect. Periodic time
mode includes the following types:
- Daily: The key in a keychain takes effect at a specified time each day.
- Weekly: The key in a keychain takes effect on a specified day or days each week.
- Monthly: The key in a keychain takes effect on a specified day or days each month.
- Yearly: The key in a keychain takes effect in a specified month or months each year.

Default Send Key


If no key is configured in a period, no send key is active in that period. Therefore, applications
do not send authentication packets to each other. A default send key can be configured to prevent
this situation. When no other send keys are active, the default send key takes effect.

Receive Tolerance Time


When the send key on the sending device changes, the receive key on the receiving end must
change accordingly. Because the clocks of the two ends may not be synchronized, the key change
may be delayed on one end, and packets may be lost during this period. To prevent this, the
receive key change needs a smooth transition. The smooth transition time is called the receive
tolerance time.

The receive tolerance time only takes effect on the receive key and can be configured on each
keychain. As shown in Figure 16-1, when the receive tolerance time is configured, the start
receive time is advanced and the end receive time is delayed.


Figure 16-1 Valid Time Range of Tolerance Time

[Figure: the validity period of a receive key is its active receive time extended by the
tolerance time before its start and after its end.]

TCP kind-value and TCP algorithm-id

TCP applications are connected using TCP authentication. TCP uses enhanced TCP
authentication options to send TCP authentication packets.

- Vendors use different kind values to represent the enhanced TCP authentication option and
different IDs to represent different algorithms. To enable devices of different vendors to
communicate with each other, the kind value can be configured based on the TCP kind value
of the peer device.
- The enhanced TCP authentication option has an algorithm-id field that indicates the type of
the algorithm. The algorithm-id is not defined by the Internet Assigned Numbers Authority
(IANA), so different vendors use different algorithm-ids to represent algorithms. The mapping
between the algorithm-id and the algorithm can be configured to enable devices of different
vendors to communicate with each other.

16.2.2 Principles of Applying Keychain to a Non-TCP Application


The keychain provides authentication for application-layer protocols. A keychain only takes
effect after it is applied to applications. Based on processing procedures, the keychain can be
applied to non-TCP applications and TCP applications.

A Non-TCP Application Sends Packets Using the Keychain


A non-TCP application sends packets using the keychain in the procedure shown in Figure 16-2.

1. The application requests the ID of the active send key and the algorithm of the keychain.
2. If an active send key exists, the keychain module provides the ID and algorithm of the
active send key. If no active send key exists, the application sends the packet without
encryption.
3. After receiving the ID and algorithm of the active send key, the application converts the
algorithm into the algorithm ID in a protocol and encapsulates the algorithm ID and the
key ID in the packet.
4. The application provides data for MAC calculation.
5. The keychain module calculates the MAC using the algorithm and key defined by the active
send key and returns the MAC to the application.
6. The application generates a packet carrying authentication information and sends the
packet.


Figure 16-2 A non-TCP application sends packets using the keychain

[Figure: message sequence between the non-TCP application and the keychain module for
steps 1 to 6 above: the application requests the ID and algorithm of the active send key, the
keychain returns them, the application converts the algorithm into the protocol's algorithm ID,
updates the packet with the algorithm ID and key ID and provides data for MAC calculation,
the keychain returns the MAC, and the application sends the packet carrying authentication
information.]

A Non-TCP Application Receives Packets Using the Keychain


A non-TCP application receives packets using the keychain in the procedure shown in Figure 16-3.
1. The receiving end receives a packet carrying authentication information.
2. The application on the receiving end converts the received algorithm ID into the keychain
algorithm.
3. The application on the receiving end provides the packet data, key ID, algorithm, and the
MAC to be verified.
4. The keychain module checks whether the receive key with the same key ID as the received
packet is active. If the receive key is not active, the keychain sends a Reject packet.
5. If the receive key is active, the keychain module uses the algorithm and key string
configured on the key to recalculate the MAC and checks whether the new MAC and the
received MAC are the same.
6. A message indicating authentication success or failure is returned.
7. The application receives or discards the packet based on the authentication result.


Figure 16-3 A non-TCP application receives packets using the keychain

[Figure: message sequence between the non-TCP application and the keychain module for
steps 1 to 7 above: the application receives the packet, converts the received algorithm ID into
the keychain algorithm and provides the data, key ID, algorithm and MAC to be verified; the
keychain checks whether the receive key is active, recalculates the MAC and compares it with
the received MAC, and returns success or failure; the application receives or discards the
packet.]

NOTE
IS-IS uses keychain authentication, but IS-IS packets do not carry the key ID. When the receiving
end receives an IS-IS packet carrying authentication information, the device checks all active
receive keys to find a receive key with the same algorithm and uses that key for verification.
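The following Python model is an added example and is not code from Huawei or from this guide. It puts together the behaviour described in 16.2.1 and 16.2.2: one active send key per keychain with the default send key as fallback, receive windows widened by the receive tolerance time, MAC generation on the sending end, verification by key ID on the receiving end, and the IS-IS variant that tries every active receive key with the matching algorithm. The exact MAC construction for each algorithm name (a plain hash over the data followed by the key string, HMAC with the key string as HMAC key, HMAC-SHA1-12 truncated to 12 bytes) is an assumption for this example, not something the guide states. The two-key chain, the payload and the 60-minute clock skew are constructed sample values that extend the single-key absolute-mode RIP example in 16.6 to a key rollover.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def utc(year, month, day, hour, minute) -> datetime:
    """Absolute time mode uses UTC, so every timer is a UTC datetime."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def compute_mac(algorithm: str, key_string: bytes, data: bytes) -> bytes:
    """Assumed constructions (the guide only says the MAC is computed from the packet and
    key string): hash over data || key-string, HMAC keyed with the key string, hmac-sha1-12
    = first 12 bytes of HMAC-SHA1."""
    plain = {"md5": "md5", "sha-1": "sha1", "sha-256": "sha256"}
    keyed = {"hmac-md5": "md5", "hmac-sha1-12": "sha1",
             "hmac-sha1-20": "sha1", "hmac-sha-256": "sha256"}
    if algorithm in plain:
        return hashlib.new(plain[algorithm], data + key_string).digest()
    if algorithm in keyed:
        tag = hmac.new(key_string, data, keyed[algorithm]).digest()
        return tag[:12] if algorithm == "hmac-sha1-12" else tag
    raise ValueError(f"unsupported algorithm: {algorithm}")


@dataclass
class Key:
    key_id: int
    algorithm: str
    key_string: bytes
    send: tuple  # (start, end) of the active send time
    recv: tuple  # (start, end) of the active receive time


class Keychain:
    def __init__(self, receive_tolerance_min: int = 0,
                 default_send_key_id: Optional[int] = None):
        self.keys = {}  # key-id -> Key; a key ID is unique within one keychain
        self.tolerance = timedelta(minutes=receive_tolerance_min)
        self.default_send_key_id = default_send_key_id

    def active_send_key(self, now: datetime) -> Optional[Key]:
        # Exactly one send key may be active; otherwise fall back to the default send key.
        active = [k for k in self.keys.values() if k.send[0] <= now <= k.send[1]]
        if len(active) > 1:
            raise RuntimeError("send windows overlap: only one send key may be active")
        return active[0] if active else self.keys.get(self.default_send_key_id)

    def receive_active(self, key: Key, now: datetime) -> bool:
        # Tolerance advances the start and delays the end of the receive window.
        return key.recv[0] - self.tolerance <= now <= key.recv[1] + self.tolerance

    def sign(self, now: datetime, data: bytes):
        # Sending end: (key-id, algorithm, MAC); None means the packet goes out unauthenticated.
        key = self.active_send_key(now)
        if key is None:
            return None
        return key.key_id, key.algorithm, compute_mac(key.algorithm, key.key_string, data)

    def verify(self, now: datetime, data: bytes, key_id: int,
               algorithm: str, mac: bytes) -> bool:
        # Receiving end: the key ID must name an active receive key using the advertised
        # algorithm, and the recomputed MAC must match (constant-time comparison).
        key = self.keys.get(key_id)
        if key is None or key.algorithm != algorithm or not self.receive_active(key, now):
            return False
        return hmac.compare_digest(compute_mac(algorithm, key.key_string, data), mac)

    def verify_without_key_id(self, now: datetime, data: bytes,
                              algorithm: str, mac: bytes) -> bool:
        # IS-IS case: the packet carries no key ID, so every active receive key with the
        # same algorithm is tried.
        return any(hmac.compare_digest(compute_mac(algorithm, k.key_string, data), mac)
                   for k in self.keys.values()
                   if k.algorithm == algorithm and self.receive_active(k, now))


def build_rollover_chain(tolerance_min: int, default_send_key_id=None) -> Keychain:
    """Constructed sample: key 1 valid on 2012-03-12 and key 2 on 2012-03-13, the RIP
    example's absolute-mode dates extended to a two-key rollover."""
    day12 = (utc(2012, 3, 12, 0, 0), utc(2012, 3, 12, 23, 59))
    day13 = (utc(2012, 3, 13, 0, 0), utc(2012, 3, 13, 23, 59))
    kc = Keychain(tolerance_min, default_send_key_id)
    kc.keys[1] = Key(1, "md5", b"hello", day12, day12)
    kc.keys[2] = Key(2, "hmac-sha-256", b"world", day13, day13)
    return kc


def rollover_demo(tolerance_min: int) -> dict:
    """Sender already on key 2 at 00:30 on the 13th; the receiver's clock lags 60 minutes
    (constructed skew), so only the receive tolerance keeps the packet."""
    sender, receiver = build_rollover_chain(tolerance_min), build_rollover_chain(tolerance_min)
    data = b"constructed routing update payload"
    key_id, algorithm, mac = sender.sign(utc(2012, 3, 13, 0, 30), data)
    receiver_now = utc(2012, 3, 12, 23, 30)
    return {"key_id": key_id,
            "accepted": receiver.verify(receiver_now, data, key_id, algorithm, mac),
            "tampered": receiver.verify(receiver_now, data + b"!", key_id, algorithm, mac),
            "no_key_id": receiver.verify_without_key_id(receiver_now, data, algorithm, mac)}
```

Running rollover_demo(100) reproduces the receive-tolerance 100 setting of the configuration examples: the key-2 packet is accepted even though the receiver's clock still reads the 12th, while rollover_demo(0) rejects it, which is the packet loss the tolerance time is meant to prevent. A tampered payload fails in both cases.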

16.2.3 Principles of Applying Keychain to TCP Applications

TCP Applications Send Packets Using the Keychain


In the Bonica draft, TCP uses enhanced TCP authentication options to carry TCP authentication
data. Figure 16-4 shows the format of the enhanced authentication option:

Figure 16-4 Format of enhanced TCP authentication option

Kind | Length | T | K | Alg-id | Res | Key-id | Authentication Data

The Bonica draft has not been standardized, and IANA has not defined the kind value and
algorithm ID. Vendors use different kind values and algorithm IDs. To enable devices of
different vendors to communicate with each other, you can configure the TCP kind value and
the mapping between the TCP algorithm and algorithm ID.

A TCP application sends packets using the keychain in the procedure shown in Figure 16-5.
1. The application requests the ID, TCP kind value, and TCP algorithm ID of the active send
key.
2. If the active send key exists, the keychain provides the requested information.
1. The application requests the ID, TCP kind value, and TCP algorithm ID of the active send
key.
2. If the active send key exists, the keychain provides information about the request.


3. The application fills the specified TCP kind value, TCP algorithm ID, and key ID entries
in the enhanced TCP authentication options.
4. The application provides data for MAC calculation.
5. The keychain module calculates the MAC based on the algorithm and key string configured
for the active send key and returns the MAC.
6. The application fills the MAC entry in the enhanced TCP authentication options and sends
the packet.

Figure 16-5 A TCP application sends packets using the keychain

[Figure: message sequence between the TCP application and the keychain module for steps 1
to 6 above: the application requests the ID, TCP kind value and TCP algorithm ID of the active
send key, the keychain returns them, the application fills them into the enhanced TCP
authentication option and provides data for MAC calculation, the keychain returns the MAC,
and the application sends the packet carrying authentication information.]

A TCP Application Receives Packets Using the Keychain


A TCP application receives packets using the keychain in the procedure shown in Figure 16-6.

1. The receiving end receives a TCP packet carrying authentication information.
2. The receiving end provides the packet data, key ID, TCP algorithm ID, TCP kind value, and
the MAC to be verified to the keychain.
3. The keychain checks whether the TCP kind value and algorithm ID in the received packet
are the same as those configured on the local end. If not, the keychain sends a Reject packet.
4. The keychain module checks whether the receive key with the same key ID as the received
packet is active. If the receive key is not active, the keychain sends a Reject packet.
5. If the receive key is active, the keychain module uses the algorithm and key string
configured on the key to recalculate the MAC and checks whether the new MAC and the
received MAC are the same.
6. A message indicating authentication success or failure is returned.
7. The application receives or discards the packet based on the authentication result.


Figure 16-6 A TCP application receives packets using the keychain

[Figure: message sequence between the TCP application and the keychain module for steps 1
to 7 above: the application receives the packet and provides the data, key ID, TCP algorithm-id,
TCP kind and the MAC to be verified; the keychain checks that the TCP kind and algorithm-id
match the local configuration, checks whether the receive key is active, recalculates the MAC
and compares it with the received MAC, and returns success or failure; the application receives
or discards the packet.]
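The following Python snippet is an added example, not Huawei code, that encodes and decodes the enhanced TCP authentication option drawn in Figure 16-4 and performs step 3 of the receive procedure: the peer's kind value and algorithm-id are compared with the local keychain settings before any receive key or MAC is examined. The field names come from the figure; the bit widths assumed for the 16 bits that follow Length (T 1 bit, K 1 bit, Alg-id 6 bits, Res 2 bits, Key-id 6 bits) are an assumption for this example and are not stated in this guide. The default kind value 254 and the default algorithm-id table are taken from the display keychain output in 16.6, and the tcp-kind 182 / tcp-algorithm-id md5 17 settings mirror the BGP example; the MAC carried in the option is a 16-byte placeholder.

```python
import struct
from typing import Optional

# Assumed layout of the 16 bits after Kind and Length (not stated in the guide):
# T (1 bit) | K (1 bit) | Alg-id (6 bits) | Res (2 bits) | Key-id (6 bits)
ALG_ID_MAX = (1 << 6) - 1
KEY_ID_MAX = (1 << 6) - 1
FIXED_HEADER_LEN = 4  # Kind, Length and the 16-bit flag/ID word

# Default TCP kind value and algorithm-id table as shown by 'display keychain' in the
# RIP example; tcp-kind and tcp-algorithm-id override them per keychain.
DEFAULT_TCP_KIND = 254
DEFAULT_TCP_ALG_IDS = {"hmac-md5": 5, "hmac-sha1-12": 2, "hmac-sha1-20": 6,
                       "hmac-sha-256": 7, "sha-256": 8, "md5": 3, "sha-1": 4}


def build_tcp_auth_option(kind: int, alg_id: int, key_id: int, auth_data: bytes,
                          t: int = 0, k: int = 0, res: int = 0) -> bytes:
    """Sending end (steps 3 and 6): fill kind, algorithm-id, key-id and the MAC."""
    if not (0 <= alg_id <= ALG_ID_MAX and 0 <= key_id <= KEY_ID_MAX):
        raise ValueError("alg-id or key-id does not fit its 6-bit field")
    if len(auth_data) > 255 - FIXED_HEADER_LEN:
        raise ValueError("authentication data too long for the 8-bit Length field")
    word = (t & 1) << 15 | (k & 1) << 14 | alg_id << 8 | (res & 3) << 6 | key_id
    return struct.pack("!BBH", kind, FIXED_HEADER_LEN + len(auth_data), word) + auth_data


def parse_tcp_auth_option(option: bytes) -> dict:
    """Split a received option into its fields, refusing truncated or inconsistent ones."""
    if len(option) < FIXED_HEADER_LEN:
        raise ValueError("option shorter than its fixed header")
    kind, length, word = struct.unpack("!BBH", option[:FIXED_HEADER_LEN])
    if length != len(option):
        raise ValueError(f"Length field {length} does not match option size {len(option)}")
    return {"kind": kind, "t": word >> 15 & 1, "k": word >> 14 & 1,
            "alg_id": word >> 8 & ALG_ID_MAX, "res": word >> 6 & 3,
            "key_id": word & KEY_ID_MAX, "auth_data": option[FIXED_HEADER_LEN:]}


class TcpKeychainSettings:
    """Per-keychain TCP settings: the tcp-kind value and the tcp-algorithm-id mapping
    that must agree with the peer for the two ends to interoperate."""

    def __init__(self, tcp_kind: int = DEFAULT_TCP_KIND,
                 alg_id_overrides: Optional[dict] = None):
        self.tcp_kind = tcp_kind
        self.alg_ids = dict(DEFAULT_TCP_ALG_IDS)
        self.alg_ids.update(alg_id_overrides or {})

    def algorithm_for_id(self, alg_id: int) -> Optional[str]:
        for name, configured in self.alg_ids.items():
            if configured == alg_id:
                return name
        return None

    def check_received_option(self, option: bytes) -> tuple:
        """Step 3 of the TCP receive procedure: the peer's kind value and algorithm-id
        must match the local configuration, otherwise Reject before the receive key
        and the MAC are even examined."""
        f = parse_tcp_auth_option(option)
        if f["kind"] != self.tcp_kind:
            return ("reject", f"kind {f['kind']} differs from local kind {self.tcp_kind}")
        algorithm = self.algorithm_for_id(f["alg_id"])
        if algorithm is None:
            return ("reject", f"algorithm-id {f['alg_id']} is not mapped locally")
        return ("accept", algorithm, f["key_id"], f["auth_data"])


def interop_demo() -> dict:
    """Constructed scenario: the local router uses the BGP example's settings (tcp-kind 182,
    tcp-algorithm-id md5 17); the MAC is a 16-byte placeholder, not a real digest."""
    local = TcpKeychainSettings(tcp_kind=182, alg_id_overrides={"md5": 17})
    mac = bytes(16)
    matching_peer = build_tcp_auth_option(kind=182, alg_id=17, key_id=1, auth_data=mac)
    default_peer = build_tcp_auth_option(kind=254, alg_id=3, key_id=1, auth_data=mac)
    unmapped_alg = build_tcp_auth_option(kind=182, alg_id=3, key_id=1, auth_data=mac)
    return {"matching": local.check_received_option(matching_peer),
            "default_kind": local.check_received_option(default_peer),
            "unmapped_alg": local.check_received_option(unmapped_alg)}
```

interop_demo() shows the interoperability point of the section: a peer that still sends the default kind value 254, or the default MD5 algorithm-id 3, is rejected by a router configured with tcp-kind 182 and tcp-algorithm-id md5 17 even though both sides use MD5 and the same key string, so the two settings must be aligned with the peer before the keychain can authenticate anything.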

16.3 Applications
This section describes the scenarios in which the keychain is applied.

The keychain provides authentication for applications. The following application protocols
support keychain authentication: Routing Information Protocol (RIP), Intermediate System to
Intermediate System (IS-IS), Open Shortest Path First (OSPF), Border Gateway Protocol (BGP),
Label Distribution Protocol (LDP), Resource Reservation Protocol (RSVP), and Multicast
Source Discovery Protocol (MSDP). All applications use the same keychain authentication
procedure: create a keychain, and then apply it to the application for authentication.

IS-IS Using Keychain for Authentication


IS-IS is a commonly used routing protocol, so IS-IS security is needed. You can configure a
fixed authentication algorithm and key to authenticate IS-IS packets, but a fixed authentication
algorithm and key may be cracked over time. Using a keychain to authenticate IS-IS packets
makes IS-IS more secure.

As shown in Figure 16-7, Router A, Router B, Router C, Router D, and Router E use IS-IS to
communicate. Router A, Router B, and Router C belong to area 10; Router D and Router E
belong to area 20. Router A and Router B are Level-1 devices; Router D and Router E are Level-2
devices; Router C is a Level-1-2 device. Create a Keychain on each device to authenticate the
IS-IS packets. Configure area and domain authentication in the IS-IS process, and configure
interface authentication on the interface as well.


Figure 16-7 IS-IS using Keychain for authentication

[Figure: Area 10 contains RouterA (L1), RouterB (L1) and RouterC (L1/2); Area 20 contains
RouterD (L2) and RouterE (L2).]

16.4 Configuration Notes


This section describes the precautions for keychain configuration.

The keychain only manages authentication algorithms and keys and takes effect only after it is
applied to an application.

The keychain supports the following protocols:
- RIP
- OSPF
- IS-IS
- MSDP
- MPLS
- BGP and BGP4+

16.5 Configuring a Keychain


You can configure the keychain to periodically change authentication keys and algorithms to
ensure data transmission security.

Pre-configuration Tasks
Before configuring the keychain, complete the following task:

- Powering on all the devices and performing self-check

16.5.1 Creating a Keychain

Context
A keychain must be created before applications are authenticated and encrypted. Deleting the
keychain in use may interrupt communication. Exercise caution when you delete the keychain.

Transmission Control Protocol (TCP) applications are connected using TCP authentication. TCP
uses enhanced TCP authentication options to send TCP authentication packets. Vendors use
different kind values to represent the enhanced TCP authentication option and different IDs to


represent different algorithms. When a keychain is applied to a TCP application, you must
configure the kind value and the mapping between the TCP algorithm and algorithm ID based
on the peer configuration so that devices of different vendors can communicate.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
keychain keychain-name mode { absolute | periodic { daily | weekly | monthly |
yearly } }

A keychain is created and the keychain view is displayed.

Step 3 (Optional) Configure parameters in TCP authentication.

1. Run:
tcp-kind kind-value

The TCP kind value of the keychain is configured.

2. Run:
tcp-algorithm-id { hmac-md5 | hmac-sha-256 | hmac-sha1-12 | hmac-sha1-20 | md5 | sha-1 | sha-256 } algorithm-id

The mapping between the TCP algorithm and algorithm ID is configured.

Step 4 (Optional) Run:
receive-tolerance { value | infinite }

The receive tolerance time is configured.

NOTE

You are advised to set the receive tolerance time to advance the start receive time and delay the end receive
time so that packets are not lost due to time asynchronization on the network.

----End

16.5.2 Configuring a Key

Context
A key is the authentication rule of a keychain. A key includes an algorithm, a key string, active
send time, active receive time, and the key status. A keychain supports a maximum of 64 keys.

A key ID is unique within a keychain; keys in different keychains may use the same key ID.
Only one send key can be active in a keychain at any time; otherwise applications cannot
determine which send key is used to encrypt packets. However, multiple receive keys may be
active in a keychain. The receive key with the same key ID as the received packet is used for
decryption.

If the key on the sending end changes, the key on the receiving end also needs to be changed.
A delay may occur when the receiving end and the sending end change keys due to time
asynchronization on the network. Packets may be lost during the delay. The receive tolerance
time can be configured to prevent packet loss during the key change. The receive tolerance time


only takes effect on keys on the receiving end. The receive tolerance time advances the start
receive time and delays the end receive time.

If no key is configured in a period, no send key is active in that period. Therefore, applications
do not send authentication packets to each other. A default send key can be configured to prevent
this situation. All keys can be specified as the default send key. A keychain has only one default
send key. When no other send keys are active, the default send key takes effect.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
keychain keychain-name

The keychain view is displayed.

Step 3 Run:
key-id key-id

A key-id is configured and the key-id view is displayed to configure a key.

Step 4 Run:
algorithm { hmac-md5 | hmac-sha-256 | hmac-sha1-12 | hmac-sha1-20 | md5 | sha-1 |
sha-256 | simple }

An algorithm is configured.

NOTE

Different protocols support different algorithms.


RIP supports MD5 and simple. BGP and BGP4+ support MD5. IS-IS supports MD5 and simple. OSPF
supports MD5, simple and hmac-md5. MSDP supports MD5. MPLS LDP supports MD5. MPLS TE
supports HMAC-MD5.

Step 5 Run:
key-string { plain plain-text | [ cipher ] cipher-text }

A key string is configured.

Step 6 Configure the send time. Different time modes use different commands to configure the send
time. Table 16-1 shows commands to configure the send time based on different time modes.

Table 16-1 Configuring the send time

Time Mode          Command to Configure the Send Time
absolute           send-time utc start-time start-date { duration { duration-value | infinite } | { to end-time end-date } }
periodic daily     send-time daily start-time to end-time
periodic weekly    send-time day { start-day-name to end-day-name | day-name &<1-7> }
periodic monthly   send-time date { start-date-value to end-date-value | date-value &<1-31> }
periodic yearly    send-time month { start-month-name to end-month-name | month-name &<1-12> }

NOTE
You are advised to enable the Network Time Protocol (NTP) to keep the system time consistent.

Step 7 Configure the receive time. Different time modes use different commands to configure the
receive time. Table 16-2 shows commands to configure the receive time based on different time
modes.

Table 16-2 Configuring the receive time

Time Mode          Command to Configure the Receive Time
absolute           receive-time utc start-time start-date { duration { duration-value | infinite } | { to end-time end-date } }
periodic daily     receive-time daily start-time to end-time
periodic weekly    receive-time day { start-day-name to end-day-name | day-name &<1-7> }
periodic monthly   receive-time date { start-date-value to end-date-value | date-value &<1-31> }
periodic yearly    receive-time month { start-month-name to end-month-name | month-name &<1-12> }

Step 8 (Optional) Run:
default send-key-id

The key is configured as the default key for sending packets.

----End

16.5.3 Applying the Keychain

Context
The keychain only takes effect after it is applied to an application.

This section uses RIP as an example to describe how to apply the keychain to applications.
Different applications may use different commands to apply the Keychain. Table 16-3 lists the
commands used by different applications.


Table 16-3 Protocols that support the keychain authentication

Protocol       Command
RIP            rip authentication-mode
MSDP           peer keychain (MSDP)
OSPF           authentication-mode (OSPF)
IS-IS          isis authentication-mode
BGP/BGP4+      peer keychain (BGP)
MPLS LDP       authentication key-chain
MPLS RSVP      mpls rsvp-te_authentication

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
rip authentication-mode md5 nonstandard { keychain keychain-name | { plain plain-text | [ cipher ] password-key } key-id }

The keychain used by RIP is configured.

----End

16.5.4 Checking the Configuration

Procedure
- Run the display keychain keychain-name command to check the keychain configuration.
- Run the display keychain keychain-name key-id key-id command to check the key-id
configuration.

----End

16.6 Example for Configuring a Keychain


This section provides keychain configuration examples, including networking requirements,
configuration roadmap, and configuration procedure.


16.6.1 Example for Applying the Keychain to RIP

Networking Requirements
As shown in Figure 16-8, RouterA and RouterB are connected using RIP-2.

The RIP connection needs to be retained during data transmission.

Figure 16-8 Networking diagram of applying the keychain to RIP

[Figure: RouterA GE1/0/0 (192.168.1.1/24) is connected to RouterB GE1/0/0 (192.168.1.2/24).]

Configuration Roadmap
To ensure stable RIP connections, RIP protocol packets must be transmitted correctly. You are
advised to authenticate and encrypt the packets to ensure transmission security. In addition, to
prevent unauthorized users from forging the algorithms and key strings used in authentication
and encryption, you are advised to change algorithms and key strings dynamically. Therefore,
the keychain is used to ensure the stability of RIP connections.

The configuration roadmap is as follows:

1. Configure basic RIP functions.
2. Configure a keychain.
3. Apply the keychain to RIP.

Procedure
Step 1 Configure basic RIP functions.

# Configure Router A.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] rip 1
[RouterA-rip-1] version 2
[RouterA-rip-1] network 192.168.1.0
[RouterA-rip-1] quit

# Configure Router B.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] rip 1
[RouterB-rip-1] version 2
[RouterB-rip-1] network 192.168.1.0
[RouterB-rip-1] quit

Step 2 Configure a keychain.

# Configure Router A.
[RouterA] keychain huawei mode absolute


[RouterA-keychain] receive-tolerance 100
[RouterA-keychain] key-id 1
[RouterA-keychain-keyid-1] algorithm md5
[RouterA-keychain-keyid-1] key-string plain hello
[RouterA-keychain-keyid-1] send-time utc 0:00 2012-3-12 to 23:59 2012-3-12
[RouterA-keychain-keyid-1] receive-time utc 0:00 2012-3-12 to 23:59 2012-3-12
[RouterA-keychain-keyid-1] quit
[RouterA-keychain] quit

# Configure Router B.
[RouterB] keychain huawei mode absolute
[RouterB-keychain] receive-tolerance 100
[RouterB-keychain] key-id 1
[RouterB-keychain-keyid-1] algorithm md5
[RouterB-keychain-keyid-1] key-string plain hello
[RouterB-keychain-keyid-1] send-time utc 0:00 2012-3-12 to 23:59 2012-3-12
[RouterB-keychain-keyid-1] receive-time utc 0:00 2012-3-12 to 23:59 2012-3-12
[RouterB-keychain-keyid-1] quit
[RouterB-keychain] quit

Step 3 Apply the keychain to RIP.


# Configure Router A.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 192.168.1.1 24
[RouterA-GigabitEthernet1/0/0] rip authentication-mode md5 nonstandard keychain
huawei
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] quit

# Configure Router B.
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 192.168.1.2 24
[RouterB-GigabitEthernet1/0/0] rip authentication-mode md5 nonstandard keychain
huawei
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] quit

Step 4 Verify the configuration.


Run the display keychain keychain-name command to check the key-id status of the keychain.
<RouterA> display keychain huawei
Keychain Information:
----------------------
Keychain Name : huawei
Timer Mode : Absolute
Receive Tolerance(min) : 100
TCP Kind : 254
TCP Algorithm IDs :
HMAC-MD5 : 5
HMAC-SHA1-12 : 2
HMAC-SHA1-20 : 6
HMAC-SHA-256 : 7
SHA-256 : 8
MD5 : 3
SHA1 : 4
Number of Key IDs : 1
Active Send Key ID : 1
Active Receive Key IDs : 01
Default send Key ID : Not configured

Key ID Information:
----------------------
Key ID : 1


Key string : hello (plain)
Algorithm : MD5
SEND TIMER :
Start time : 2012-03-12 00:00
End time : 2012-03-12 23:59
Status : Active
RECEIVE TIMER :
Start time : 2012-03-12 00:00
End time : 2012-03-12 23:59
Status : Active

After the keychain is applied to RIP, run the display rip process-id interface verbose command
to check the authentication mode of RIP packets. The display on Router A is used as an example.
<RouterA> display rip 1 interface verbose
GigabitEthernet1/0/0(192.168.1.1)
State : UP MTU : 500
Metricin : 0
Metricout : 1
Input : Enabled Output : Enabled
Protocol : RIPv2 Multicast
Send version : RIPv2 Multicast Packets
Receive version : RIPv2 Multicast and Broadcast Packets
Poison-reverse : Disabled
Split-Horizon : Enabled
Authentication type : MD5 (Non-standard - Keychain: huawei)
Last Sequence Number Sent : 0x0
Replay Protection : Disabled

----End

Configuration Files
- Configuration file of Router A
#
sysname RouterA
#
keychain huawei mode absolute
receive-tolerance 100
key-id 1
algorithm md5
key-string plain hello
send-time utc 00:00 2012-03-12 to 23:59 2012-03-12
receive-time utc 00:00 2012-03-12 to 23:59 2012-03-12
#
interface GigabitEthernet1/0/0
ip address 192.168.1.1 255.255.255.0
rip authentication-mode md5 nonstandard keychain huawei
#
rip 1
version 2
network 192.168.1.0
#
return

- Configuration file of Router B
#
sysname RouterB
#
keychain huawei mode absolute
receive-tolerance 100
key-id 1
algorithm md5
key-string plain hello
send-time utc 00:00 2012-03-12 to 23:59 2012-03-12


receive-time utc 00:00 2012-03-12 to 23:59 2012-03-12
#
interface GigabitEthernet1/0/0
ip address 192.168.1.2 255.255.255.0
rip authentication-mode md5 nonstandard keychain huawei
#
rip 1
version 2
network 192.168.1.0
#
return

16.6.2 Example for Applying the Keychain to BGP


Networking Requirements
As shown in Figure 16-9, RouterA and RouterB are connected using BGP.
The BGP connection needs to be retained during data transmission.

Figure 16-9 Networking diagram of applying the keychain to BGP


[Figure: RouterA GE1/0/0 (192.168.1.1/24) is connected to RouterB GE1/0/0 (192.168.1.2/24).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a keychain.
2. Apply the keychain to BGP on each router for authentication.

Procedure
Step 1 Configure a keychain.
# Configure Router A.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] keychain huawei mode periodic weekly
[RouterA-keychain] tcp-kind 182
[RouterA-keychain] tcp-algorithm-id md5 17
[RouterA-keychain] receive-tolerance 100
[RouterA-keychain] key-id 1
[RouterA-keychain-keyid-1] algorithm md5
[RouterA-keychain-keyid-1] key-string plain hello
[RouterA-keychain-keyid-1] send-time day fri sat
[RouterA-keychain-keyid-1] receive-time day fri sat
[RouterA-keychain-keyid-1] quit
[RouterA-keychain] quit

# Configure Router B.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] keychain huawei mode periodic weekly
[RouterB-keychain] tcp-kind 182


[RouterB-keychain] tcp-algorithm-id md5 17
[RouterB-keychain] receive-tolerance 100
[RouterB-keychain] key-id 1
[RouterB-keychain-keyid-1] algorithm md5
[RouterB-keychain-keyid-1] key-string plain hello
[RouterB-keychain-keyid-1] send-time day fri sat
[RouterB-keychain-keyid-1] receive-time day fri sat
[RouterB-keychain-keyid-1] quit
[RouterB-keychain] quit

Step 2 Apply the keychain to BGP for authentication and encryption.


# Configure Router A.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 192.168.1.1 24
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] bgp 1
[RouterA-bgp] router-id 1.1.1.1
[RouterA-bgp] peer 192.168.1.2 as-number 1
[RouterA-bgp] peer 192.168.1.2 keychain huawei
[RouterA-bgp] quit
[RouterA] quit

# Configure Router B.
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 192.168.1.2 24
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] bgp 1
[RouterB-bgp] router-id 2.2.2.2
[RouterB-bgp] peer 192.168.1.1 as-number 1
[RouterB-bgp] peer 192.168.1.1 keychain huawei
[RouterB-bgp] quit
[RouterB] quit

Step 3 Verify the configuration.


Run the display keychain keychain-name command to check the key-id status of the keychain.
<RouterA> display keychain huawei
Keychain Information:
---------------------
Keychain Name : huawei
Timer Mode : Weekly periodic
Receive Tolerance(min) : 100
TCP Kind : 182
TCP Algorithm IDs :
HMAC-MD5 : 5
HMAC-SHA1-12 : 2
HMAC-SHA1-20 : 6
HMAC-SHA-256 : 7
SHA-256 : 8
MD5 : 17
SHA1 : 4
Number of Key IDs : 1
Active Send Key ID : 1
Active Receive Key IDs : 01
Default send Key ID : Not configured

Key ID Information:
-------------------
Key ID : 1
Key string : hello (plain)
Algorithm : MD5
SEND TIMER :
Day(s) : Fri Sat

Status : Active
RECEIVE TIMER :
Day(s) : Fri Sat
Status : Active

After the keychain is applied to BGP, run the display bgp peer ipv4-address verbose command
to check authentication information about the BGP peer. The display on Router A is used as an
example.
<RouterA> display bgp peer 192.168.1.2 verbose

BGP Peer is 192.168.1.2, remote AS 1


Type: IBGP link
BGP version 4, Remote router ID 2.2.2.2
Update-group ID: 1
BGP current state: Established, Up for 00h43m34s
BGP current event: RecvKeepalive
BGP last state: OpenConfirm
BGP Peer Up count: 1
Received total routes: 0
Received active routes total: 0
Advertised total routes: 0
Port: Local - 179 Remote - 55828
Configured: Active Hold Time: 180 sec Keepalive Time:60 sec
Received : Active Hold Time: 180 sec
Negotiated: Active Hold Time: 180 sec Keepalive Time:60 sec
Peer optional capabilities:
Peer supports bgp multi-protocol extension
Peer supports bgp route refresh capability
Peer supports bgp 4-byte-as capability
Address family IPv4 Unicast: advertised and received
Received: Total 45 messages
Update messages 0
Open messages 1
KeepAlive messages 44
Notification messages 0
Refresh messages 0
Sent: Total 48 messages
Update messages 0
Open messages 2
KeepAlive messages 46
Notification messages 0
Refresh messages 0
Authentication type configured: Keychain(huawei)
Last keepalive received: 2012/04/20 11:37:27
Last keepalive sent : 2012/04/20 11:37:27
Minimum route advertisement interval is 15 seconds
Optional capabilities:
Route refresh capability has been enabled
4-byte-as capability has been enabled
Peer Preferred Value: 0
Routing policy configured:
No routing policy is configured

----End
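The procedure above configures a weekly periodic keychain (one key-id, MD5, send and receive on Friday and Saturday, receive-tolerance 100 minutes) and applies it to the BGP peer on both routers. The following Python model, added here as an example and not part of the Huawei documentation or product code, shows what the router is doing when the display output reports "Active Send Key ID : 1" and "Active Receive Key IDs : 01": which key-id is valid for sending and receiving at a given time, how the tolerance keeps a key acceptable around the edge of its receive window, and what happens when the key strings on the two peers differ. Three points are assumptions rather than facts from the page: the tolerance widens the receive window by that many minutes on both sides, the lowest active key-id is chosen for sending, and the tag is a simplified RFC 2385-style MD5 over the segment bytes followed by the key string (the exact field coverage of the tcp-kind 182 option is not modelled). The segment payload and the instants are constructed for the example.

```python
"""Keychain key-id scheduling and tag check for TCP-based BGP authentication.
Added example (not Huawei code). Assumptions: receive-tolerance widens the
receive window on both sides; lowest active key-id is used to send; tag is
RFC 2385-style MD5(segment || key string), a simplification."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

DAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}


@dataclass
class KeyId:
    key_id: int
    key_string: str
    algorithm: str
    send_days: Set[int]     # weekdays from "send-time day ..."
    receive_days: Set[int]  # weekdays from "receive-time day ..."


@dataclass
class Keychain:
    name: str
    receive_tolerance_min: int
    keys: List[KeyId] = field(default_factory=list)

    def key_by_id(self, key_id: int) -> Optional[KeyId]:
        return next((k for k in self.keys if k.key_id == key_id), None)

    def active_send_key(self, now: datetime) -> Optional[int]:
        # Weekly periodic mode: a key may send on its configured weekdays.
        candidates = [k.key_id for k in self.keys if now.weekday() in k.send_days]
        return min(candidates) if candidates else None  # assumption: lowest id wins

    def active_receive_keys(self, now: datetime) -> Set[int]:
        # Receive window = configured weekdays, widened by the tolerance on both
        # sides. Testing now-tol, now and now+tol suffices: a tolerance of a few
        # hours cannot contain a whole day that none of the three instants hits.
        tol = timedelta(minutes=self.receive_tolerance_min)
        instants = (now - tol, now, now + tol)
        return {k.key_id for k in self.keys
                if any(t.weekday() in k.receive_days for t in instants)}


def md5_tag(segment: bytes, key_string: str) -> bytes:
    """Simplified RFC 2385-style tag: MD5 over the segment, then the key."""
    return hashlib.md5(segment + key_string.encode()).digest()


def sign_segment(chain: Keychain, now: datetime, segment: bytes) -> Optional[Tuple[int, bytes]]:
    """Sender: pick the active send key-id and compute the tag."""
    kid = chain.active_send_key(now)
    if kid is None:
        return None
    return kid, md5_tag(segment, chain.key_by_id(kid).key_string)


def verify_segment(chain: Keychain, now: datetime, segment: bytes,
                   kid: int, tag: bytes) -> Tuple[bool, str]:
    """Receiver: key-id must be active for receive and the tag must match."""
    if kid not in chain.active_receive_keys(now):
        return False, f"key-id {kid} not active for receive"
    key = chain.key_by_id(kid)
    if key is None:
        return False, f"key-id {kid} not configured"
    if not hmac.compare_digest(md5_tag(segment, key.key_string), tag):
        return False, "digest mismatch (key string differs)"
    return True, f"key-id {kid} accepted"


def page_keychain(key_string: str = "hello") -> Keychain:
    """The 'huawei' keychain as configured on Router A and Router B above."""
    fri_sat = {DAYS["fri"], DAYS["sat"]}
    return Keychain("huawei", 100, [KeyId(1, key_string, "md5", set(fri_sat), set(fri_sat))])


def exchange(sender: Keychain, receiver: Keychain, now: datetime,
             segment: bytes = b"constructed BGP KEEPALIVE") -> Tuple[bool, str]:
    """One signed segment from sender to receiver at time `now`."""
    signed = sign_segment(sender, now, segment)
    if signed is None:
        return False, "sender has no active send key"
    kid, tag = signed
    return verify_segment(receiver, now, segment, kid, tag)


def at(iso: str) -> datetime:
    return datetime.fromisoformat(iso)


if __name__ == "__main__":
    a, b = page_keychain(), page_keychain()
    friday = at("2012-04-20T11:37:27")  # the Friday shown in display bgp peer
    print("Fri:", exchange(a, b, friday))
    print("Thu 23:00:", exchange(a, b, at("2012-04-19T23:00:00")))
    print("Peer with other key string:", exchange(a, page_keychain("wrong"), friday))
```

On the Friday shown in the display output both peers accept key-id 1. On Thursday at 23:00 Router A has no active send key yet, but key-id 1 is already in Router B's active receive set because of the 100-minute tolerance, which is what lets a session survive a schedule boundary when the peers' clocks are not perfectly aligned. A peer configured with a different key string fails the digest comparison even though its key-id and schedule match, so the key string, algorithm, tcp-kind and tcp-algorithm-id must be identical on both routers, as in the configuration files.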

Configuration Files
# Configuration file of Router A
#
sysname RouterA
#
keychain huawei mode periodic weekly
receive-tolerance 100
tcp-kind 182
tcp-algorithm-id md5 17

key-id 1
algorithm md5
key-string plain hello
send-time day fri sat
receive-time day fri sat
#
interface GigabitEthernet1/0/0
ip address 192.168.1.1 255.255.255.0
#
bgp 1
router-id 1.1.1.1
peer 192.168.1.2 as-number 1
peer 192.168.1.2 keychain huawei
#
ipv4-family unicast
undo synchronization
peer 192.168.1.2 enable
#
return

# Configuration file of Router B
#
sysname RouterB
#
keychain huawei mode periodic weekly
receive-tolerance 100
tcp-kind 182
tcp-algorithm-id md5 17
key-id 1
algorithm md5
key-string plain hello
send-time day fri sat
receive-time day fri sat
#
interface GigabitEthernet1/0/0
ip address 192.168.1.2 255.255.255.0
#
bgp 1
router-id 2.2.2.2
peer 192.168.1.1 as-number 1
peer 192.168.1.1 keychain huawei
#
ipv4-family unicast
undo synchronization
peer 192.168.1.1 enable
#
return

16.7 References
This section lists references of Keychain.

The following table lists the references.

Document                      Description                                                        Remarks
draft-bonica-tcp-auth-06.txt  "Authentication for TCP-based Routing and Management Protocols",   -
                              B. Weis, S. Viswanathan, A. Lange, O. Wheeler.
