
Quidway S2300 Series Ethernet Switches V100R006C00

Configuration Guide - Security


Issue 01
Date 2011-05-20

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2011. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

The Huawei logo and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com

Issue 01 (2011-05-20)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

About This Document


Intended Audience
This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the security features supported by the S2300. This document describes how to configure the security features. This document is intended for:
- Data configuration engineers
- Commissioning engineers
- Network monitoring engineers
- System maintenance engineers

Symbol Conventions
The symbols that may be found in this document are defined as follows.

DANGER: Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
WARNING: Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.
CAUTION: Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
TIP: Indicates a tip that may help you solve a problem or save time.
NOTE: Provides additional information to emphasize or supplement important points of the main text.


Command Conventions
The command conventions that may be found in this document are defined as follows.

Boldface: The keywords of a command line are in boldface.
Italic: Command arguments are in italics.
[ ]: Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }: Alternative items are grouped in braces and separated by vertical bars. Exactly one item is selected.
[ x | y | ... ]: Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*: Alternative items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*: Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>: The parameter before the & sign can be repeated 1 to n times.
#: A line starting with the # sign is a comment.

Change History
Changes between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.

Changes in Issue 01 (2011-05-20)


Initial commercial release.

Contents
About This Document  iii

1 AAA and User Management Configuration  1-1
1.1 Introduction to AAA and User Management  1-2
1.2 AAA and User Management Features Supported by the S2300  1-2
1.3 Configuring AAA Schemes  1-4
1.3.1 Establishing the Configuration Task  1-4
1.3.2 Configuring an Authentication Scheme  1-5
1.3.3 Configuring an Authorization Scheme  1-6
1.3.4 Configuring an Accounting Scheme  1-7
1.3.5 (Optional) Configuring a Recording Scheme  1-8
1.3.6 Checking the Configuration  1-10
1.4 Configuring a RADIUS Server Template  1-10
1.4.1 Establishing the Configuration Task  1-11
1.4.2 Creating a RADIUS Server Template  1-11
1.4.3 Configuring a RADIUS Authentication Server  1-12
1.4.4 Configuring the RADIUS Accounting Server  1-12
1.4.5 Configuring a RADIUS Authorization Server  1-13
1.4.6 (Optional) Setting a Shared Key for a RADIUS Server  1-13
1.4.7 (Optional) Setting the User Name Format Supported by a RADIUS Server  1-14
1.4.8 (Optional) Setting the Traffic Unit for a RADIUS Server  1-14
1.4.9 (Optional) Setting Retransmission Parameters on a RADIUS Server  1-15
1.4.10 (Optional) Setting the NAS Port Format of a RADIUS Server  1-15
1.4.11 Checking the Configuration  1-17
1.5 Configuring an HWTACACS Server Template  1-18
1.5.1 Establishing the Configuration Task  1-18
1.5.2 Creating an HWTACACS Server Template  1-19
1.5.3 Configuring an HWTACACS Authentication Server  1-19
1.5.4 Configuring an HWTACACS Authorization Server  1-20
1.5.5 Configuring the HWTACACS Accounting Server  1-21
1.5.6 (Optional) Configuring the Source IP Address of HWTACACS Packets  1-21
1.5.7 (Optional) Setting the Shared Key of an HWTACACS Server  1-22
1.5.8 (Optional) Setting the User Name Format for an HWTACACS Server  1-22
1.5.9 (Optional) Setting the Traffic Unit for an HWTACACS Server  1-23
1.5.10 (Optional) Setting HWTACACS Timers  1-23
1.5.11 (Optional) Configuring Retransmission of Accounting-Stop Packets  1-24
1.5.12 Checking the Configuration  1-24
1.6 Configuring a Service Scheme  1-25
1.6.1 Establishing the Configuration Task  1-25
1.6.2 Creating a Service Scheme  1-26
1.6.3 Setting the Administrator Level  1-27
1.6.4 Configuring a DHCP Server Group  1-27
1.6.5 Configuring an Address Pool  1-28
1.6.6 Configuring Primary and Secondary DNS Servers  1-28
1.6.7 Checking the Configuration  1-29
1.7 Configuring a Domain  1-29
1.7.1 Establishing the Configuration Task  1-30
1.7.2 Creating a Domain  1-30
1.7.3 Configuring Authentication, Authorization and Accounting Schemes for a Domain  1-31
1.7.4 Configuring a RADIUS Server Template for a Domain  1-32
1.7.5 Configuring an HWTACACS Server Template for a Domain  1-32
1.7.6 (Optional) Configuring a Service Scheme for a Domain  1-33
1.7.7 (Optional) Setting the Status of a Domain  1-34
1.7.8 (Optional) Configuring the Domain Name Delimiter  1-34
1.7.9 Checking the Configuration  1-35
1.8 Configuring Local User Management  1-35
1.8.1 Establishing the Configuration Task  1-36
1.8.2 Creating a Local User  1-36
1.8.3 (Optional) Setting the Access Type of the Local User  1-37
1.8.4 (Optional) Configuring the FTP Directory That a Local User Can Access  1-37
1.8.5 (Optional) Setting the Status of a Local User  1-38
1.8.6 (Optional) Setting the Level of a Local User  1-38
1.8.7 (Optional) Setting the Access Limit for a Local User  1-39
1.8.8 Checking the Configuration  1-39
1.9 Maintaining AAA and User Management  1-40
1.9.1 Clearing the Statistics  1-40
1.9.2 Monitoring the Running Status of AAA  1-41
1.9.3 Debugging  1-41
1.10 Configuration Examples  1-42
1.10.1 Example for Configuring RADIUS Authentication and Accounting  1-42
1.10.2 Example for Configuring HWTACACS Authentication, Accounting, and Authorization  1-45

2 NAC Configuration  2-1
2.1 Introduction to NAC  2-2
2.1.1 802.1x Authentication  2-2
2.1.2 MAC Address Authentication  2-3
2.1.3 MAC Address Bypass Authentication  2-3
2.2 NAC Features Supported by the S2300  2-3
2.3 Configuring 802.1x Authentication  2-4
2.3.1 Establishing the Configuration Task  2-5
2.3.2 Enabling Global 802.1x Authentication  2-5
2.3.3 Enabling 802.1x Authentication on an Interface  2-6
2.3.4 (Optional) Enabling MAC Bypass Authentication  2-6
2.3.5 Setting the Authentication Method for the 802.1x User  2-7
2.3.6 (Optional) Configuring the Interface Access Mode  2-8
2.3.7 (Optional) Configuring the Authorization Status of an Interface  2-9
2.3.8 (Optional) Setting the Maximum Number of Concurrent Access Users  2-10
2.3.9 (Optional) Enabling DHCP Packets to Trigger Authentication  2-11
2.3.10 (Optional) Configuring 802.1x Timers  2-12
2.3.11 (Optional) Configuring the Quiet Timer Function  2-13
2.3.12 (Optional) Configuring 802.1x Re-authentication  2-13
2.3.13 (Optional) Configuring the Guest VLAN for 802.1x Authentication  2-14
2.3.14 (Optional) Enabling the S2300 to Send Handshake Packets to Online Users  2-15
2.3.15 (Optional) Setting the Retransmission Count of the Authentication Request  2-16
2.3.16 Checking the Configuration  2-16
2.4 Configuring MAC Address Authentication  2-17
2.4.1 Establishing the Configuration Task  2-18
2.4.2 Enabling Global MAC Address Authentication  2-18
2.4.3 Enabling MAC Address Authentication on an Interface  2-19
2.4.4 Configuring a User Name for MAC Address Authentication  2-20
2.4.5 (Optional) Configuring the Domain for MAC Address Authentication  2-20
2.4.6 (Optional) Setting the Timers of MAC Address Authentication  2-21
2.4.7 (Optional) Configuring the Guest VLAN for MAC Address Authentication  2-22
2.4.8 (Optional) Setting the Maximum Number of Access Users Who Adopt MAC Address Authentication  2-22
2.4.9 (Optional) Re-Authenticating a User with the Specified MAC Address  2-23
2.4.10 Checking the Configuration  2-24
2.5 Maintaining NAC  2-24
2.5.1 Clearing the Statistics About 802.1x Authentication  2-25
2.5.2 Clearing the Statistics About MAC Address Authentication  2-25
2.6 Configuration Examples  2-25
2.6.1 Example for Configuring the RADIUS Server to Deliver an Authorization ACL  2-25

3 DHCP Snooping Configuration  3-1
3.1 Introduction to DHCP Snooping  3-3
3.2 DHCP Snooping Features Supported by the S2300  3-3
3.3 Preventing the Bogus DHCP Server Attack  3-5
3.3.1 Establishing the Configuration Task  3-5
3.3.2 Enabling DHCP Snooping  3-6
3.3.3 Configuring an Interface as a Trusted Interface  3-7
3.3.4 (Optional) Enabling Detection of Bogus DHCP Servers  3-8
3.3.5 Checking the Configuration  3-8
3.4 Preventing the DoS Attack by Changing the CHADDR Field  3-9
3.4.1 Establishing the Configuration Task  3-9
3.4.2 Enabling DHCP Snooping  3-10
3.4.3 Checking the CHADDR Field in DHCP Request Messages  3-11
3.4.4 Checking the Configuration  3-12
3.5 Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases  3-12
3.5.1 Establishing the Configuration Task  3-13
3.5.2 Enabling DHCP Snooping  3-14
3.5.3 Enabling Checking of DHCP Request Messages  3-15
3.5.4 (Optional) Configuring the Option 82 Function  3-16
3.5.5 (Optional) Setting the Format of the Option 82 Field  3-17
3.5.6 (Optional) Appending the Option 18 Field or the Option 37 Field to DHCPv6 Request Messages  3-18
3.5.7 Checking the Configuration  3-18
3.6 Setting the Maximum Number of DHCP Snooping Users  3-19
3.6.1 Establishing the Configuration Task  3-19
3.6.2 Enabling DHCP Snooping  3-20
3.6.3 Setting the Maximum Number of DHCP Snooping Users  3-21
3.6.4 (Optional) Configuring MAC Address Security on an Interface  3-22
3.6.5 Checking the Configuration  3-23
3.7 Limiting the Rate of Sending DHCP Messages  3-24
3.7.1 Establishing the Configuration Task  3-24
3.7.2 Enabling DHCP Snooping  3-25
3.7.3 Setting the Maximum Rate of Sending DHCP Messages  3-26
3.7.4 Checking the Configuration  3-27
3.8 Configuring the Packet Discarding Alarm Function  3-28
3.8.1 Establishing the Configuration Task  3-28
3.8.2 Enabling DHCP Snooping  3-29
3.8.3 Configuring the Packet Discarding Alarm Function  3-30
3.8.4 Checking the Configuration  3-32
3.9 Maintaining DHCP Snooping  3-32
3.9.1 Clearing DHCP Snooping Statistics  3-32
3.9.2 Resetting the DHCP Snooping Binding Table  3-33
3.10 Configuration Examples  3-33
3.10.1 Example for Preventing Bogus DHCP Server Attacks  3-34
3.10.2 Example for Preventing DoS Attacks by Changing the CHADDR Field  3-36
3.10.3 Example for Preventing Attackers from Sending Bogus DHCP Messages for Extending IP Address Leases  3-39
3.10.4 Example for Limiting the Rate of Sending DHCP Messages  3-41
3.10.5 Example for Applying DHCP Snooping on a Layer 2 Network  3-44

4 Source IP Attack Defense Configuration  4-1
4.1 Overview of IP Source Guard  4-2
4.2 IP Source Guard Features Supported by the S2300  4-2
4.3 Configuring IP Source Guard  4-3
4.3.1 Establishing the Configuration Task  4-3
4.3.2 (Optional) Configuring a Static User Binding Entry  4-4
4.3.3 Enabling IP Source Guard  4-5
4.3.4 Configuring the Check Items of IP Packets  4-5
4.3.5 (Optional) Configuring the Alarm Function of IP Source Guard  4-6
4.3.6 (Optional) Configuring the Function of Discarding IP Packets with the Same Source and Destination IP Addresses  4-7
4.3.7 Checking the Configuration  4-7
4.4 Configuration Examples  4-7
4.4.1 Example for Configuring IP Source Guard  4-8

5 Local Attack Defense Configuration  5-1
5.1 Configuring the Attack Defense Policy  5-2
5.1.1 Establishing the Configuration Task  5-2
5.1.2 (Optional) Configuring the Rule for Sending Packets to the CPU  5-2

6 PPPoE+ Configuration  6-1
6.1 PPPoE+ Overview  6-2
6.2 PPPoE+ Features Supported by the S2300  6-2
6.3 Configuring PPPoE+  6-2
6.3.1 Establishing the Configuration Task  6-2
6.3.2 Enabling PPPoE+ Globally  6-3
6.3.3 Configuring the Format and Contents of Fields to Be Added to PPPoE Packets  6-3
6.3.4 Configuring the Action for Processing Original Fields in PPPoE Packets  6-4
6.3.5 Configuring the PPPoE Trusted Interface  6-4
6.3.6 Checking the Configuration  6-5
6.4 Configuration Examples  6-5
6.4.1 Example for Configuring PPPoE+  6-5

7 MFF Configuration....................................................................................................................7-1
7.1 MFF Overview................................................................................................................................................7-2 7.2 MFF Features Supported by the S2300...........................................................................................................7-3 7.3 Configuring MFF............................................................................................................................................ 7-4 7.3.1 Establishing the Configuration Task......................................................................................................7-4 7.3.2 Enabling Global MFF.............................................................................................................................7-5 7.3.3 Configuring the MFF Network Interface...............................................................................................7-5 7.3.4 Enabling MFF in a VLAN..................................................................................................................... 7-6 7.3.5 (Optional) Configuring the Static Gateway Address............................................................................. 7-6 7.3.6 (Optional) Enabling Timed Gateway Address Detection.......................................................................7-7 7.3.7 (Optional) Setting the Server Address................................................................................................... 7-7 7.3.8 (Optional) Transparently Transmitting User Status Detection Packets................................................. 7-7 7.3.9 (Optional) Discarding IPv6 Packets Sent from Users............................................................................7-8 Issue 01 (2011-05-20) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. ix


7.3.10 Checking the Configuration ... 7-8

7.4 Configuration Examples ... 7-9
7.4.1 Example for Configuring MFF ... 7-9

8 Traffic Suppression Configuration ... 8-1


8.1 Introduction to Traffic Suppression ... 8-2
8.2 Traffic Suppression Features Supported by the S2300 ... 8-2
8.3 Configuring Traffic Suppression ... 8-2
8.3.1 Establishing the Configuration Task ... 8-2
8.3.2 Configuring Traffic Suppression on an Interface ... 8-3
8.3.3 Checking the Configuration ... 8-3
8.4 Configuration Examples ... 8-4
8.4.1 Example for Configuring Traffic Suppression ... 8-4

9 ACL Configuration ... 9-1
9.1 Introduction to the ACL ... 9-2
9.2 Classification of ACLs Supported by the S2300 ... 9-2
9.3 Configuring an ACL ... 9-3
9.3.1 Establishing the Configuration Task ... 9-4
9.3.2 Creating an ACL ... 9-4
9.3.3 (Optional) Setting the Time Range When an ACL Takes Effect ... 9-5
9.3.4 (Optional) Configuring the Description of an ACL ... 9-6
9.3.5 Configuring a Basic ACL ... 9-6
9.3.6 Configuring an Advanced ACL ... 9-7
9.3.7 Configuring a Layer 2 ACL ... 9-8
9.3.8 (Optional) Setting the Step Between ACL Rules ... 9-8
9.3.9 Checking the Configuration ... 9-9
9.4 Configuring ACL6 ... 9-10
9.4.1 Establishing the Configuration Task ... 9-10
9.4.2 Creating an ACL6 ... 9-11
9.4.3 (Optional) Creating the Time Range of the ACL6 ... 9-12
9.4.4 Configuring a Basic ACL6 ... 9-12
9.4.5 Configuring an Advanced ACL6 ... 9-13
9.4.6 Checking the Configuration ... 9-14
9.5 Configuration Examples ... 9-15
9.5.1 Example for Configuring a Basic ACL ... 9-15
9.5.2 Example for Configuring an Advanced ACL ... 9-17
9.5.3 Example for Configuring a Layer 2 ACL ... 9-21
9.5.4 Example for Configuring an ACL6 to Control FTP User Access ... 9-24

10 ND Snooping Configuration ... 10-1
10.1 ND Snooping Overview ... 10-2
10.2 ND Snooping Features Supported by the S2300 ... 10-2
10.3 Configuring ND Snooping ... 10-3


10.3.1 Establishing the Configuration Task ... 10-3
10.3.2 Enabling ND Snooping ... 10-4
10.3.3 Configuring an Interface as the Trusted Interface ... 10-5
10.3.4 (Optional) Configuring the Aging Function of the ND Dynamic Binding Table ... 10-6
10.3.5 Checking the Configuration ... 10-7
10.4 Maintaining ND Snooping ... 10-8
10.4.1 Clearing the Prefix Management Table ... 10-8
10.4.2 Resetting the ND Dynamic Binding Table ... 10-9
10.5 Configuration Examples ... 10-9
10.5.1 Example for Configuring ND Snooping on a Layer 2 Network ... 10-9



Figures
Figure 1-1 Networking diagram of RADIUS authentication and accounting ... 1-42
Figure 1-2 Networking diagram of HWTACACS authentication, accounting, and authorization ... 1-45
Figure 2-1 Typical networking of NAC ... 2-2
Figure 2-2 Networking diagram for configuring 802.1x authentication ... 2-26
Figure 3-1 Networking diagram for applying DHCP snooping on the S2300 on a Layer 2 network ... 3-4
Figure 3-2 Networking diagram for preventing bogus DHCP server attacks ... 3-34
Figure 3-3 Networking diagram for preventing DoS attacks by changing the CHADDR field ... 3-37
Figure 3-4 Networking diagram for preventing attackers from sending bogus DHCP messages for extending IP address leases ... 3-39
Figure 3-5 Networking diagram for limiting the rate of sending DHCP messages ... 3-42
Figure 3-6 Networking diagram for configuring DHCP snooping ... 3-45
Figure 4-1 Diagram of IP/MAC spoofing attack ... 4-2
Figure 4-2 Networking diagram for configuring IP source guard ... 4-8
Figure 6-1 Networking diagram for configuring PPPoE+ ... 6-6
Figure 7-1 Networking diagram for configuring MFF ... 7-10
Figure 8-1 Networking diagram for configuring traffic suppression ... 8-4
Figure 9-1 Networking diagram for configuring a basic ACL ... 9-15
Figure 9-2 Networking diagram for configuring IPv4 ACLs ... 9-17
Figure 9-3 Networking diagram for configuring layer 2 ACLs ... 9-22
Figure 9-4 Networking diagram for configuring an ACL6 to control FTP users ... 9-24
Figure 10-1 ND snooping enabled on the S2300 of the Layer 2 network ... 10-3
Figure 10-2 Networking diagram for configuring ND snooping on a Layer 2 network ... 10-10



Tables
Table 3-1 Matching table between type of attacks and DHCP snooping operation modes ... 3-4
Table 3-2 Relation between the type of attacks and the type of discarded packets ... 3-28


1 AAA and User Management Configuration

About This Chapter


This chapter describes the principle and configuration of Authentication, Authorization, and Accounting (AAA), local user management, Remote Authentication Dial In User Service (RADIUS), HUAWEI Terminal Access Controller Access Control System (HWTACACS), and domains.

1.1 Introduction to AAA and User Management
This section describes the knowledge of AAA and user management.

1.2 AAA and User Management Features Supported by the S2300
This section describes the AAA and user management features supported by the S2300.

1.3 Configuring AAA Schemes
This section describes how to configure an authentication scheme, an authorization scheme, and a recording scheme on the S2300.

1.4 Configuring a RADIUS Server Template
This section describes how to configure a RADIUS server template on the S2300.

1.5 Configuring an HWTACACS Server Template
This section describes how to configure an HWTACACS server template on the S2300.

1.6 Configuring a Service Scheme
This section describes how to configure a service scheme on the S2300 to store authorization information about users.

1.7 Configuring a Domain
This section describes how to configure a domain on the S2300.

1.8 Configuring Local User Management
This section describes how to configure local user management on the S2300.

1.9 Maintaining AAA and User Management
This section describes how to maintain AAA and user management.

1.10 Configuration Examples
This section provides several configuration examples of AAA and user management.


1.1 Introduction to AAA and User Management


This section describes the knowledge of AAA and user management.

AAA
AAA provides the following types of services:
- Authentication: determines whether a user is allowed to access the network.
- Authorization: authorizes the user to use certain services.
- Accounting: records the network resource usage of the user.

AAA adopts the client/server model, which features good extensibility and facilitates concentrated management over user information.

Domain-based User Management


User authentication, authorization, and accounting are performed in the domain view, so users are managed on a per-domain basis. You can configure authentication, authorization, and accounting schemes, and create RADIUS or HWTACACS server templates, in the domain.

Local User Management


To perform local user management, you need to set up the local user database, maintain user information, and manage users on the local S2300.

1.2 AAA and User Management Features Supported by the S2300


This section describes the AAA and user management features supported by the S2300.

AAA
The S2300 provides authentication schemes in the following modes:
- Non-authentication: In this mode, the S2300 does not authenticate user validity. It is used only when users are trusted and is not adopted in other scenarios.
- Local authentication: In this mode, user information such as user names, passwords, and other attributes is configured on the S2300, and the S2300 authenticates users against that information. Local authentication is fast, but the amount of user information that can be stored is limited by the hardware.
- Remote authentication: In this mode, user information such as user names, passwords, and other attributes is configured on an authentication server. The S2300 functions as the client and communicates with the authentication server through the RADIUS or HWTACACS protocol.
NOTE

If both HWTACACS authentication and non-authentication are configured, HWTACACS authentication is preferred.


The S2300 provides authorization schemes in the following modes:
- Non-authorization: completely trusts users and directly authorizes them.
- Local authorization: authorizes users according to the configured attributes of local user accounts on the S2300.
- Remote authorization: the S2300 functions as the client to communicate with the authorization server through HWTACACS.
- If-authenticated authorization: authorizes users after the users pass authentication in local or remote authentication mode.

The S2300 provides the following accounting modes:
- None: Users are not charged.
- RADIUS accounting: The S2300 sends the accounting packets to the RADIUS server. Then the RADIUS server performs accounting.
- HWTACACS accounting: The S2300 sends the accounting packets to the HWTACACS server. Then the HWTACACS server performs accounting.

In the RADIUS and HWTACACS accounting modes, the S2300 generates accounting packets when a user goes online or offline and sends them to the RADIUS or HWTACACS server. The server then performs accounting based on the information in the packets, such as login time and logout time. The S2300 also supports real-time accounting: while a user is online, the S2300 generates accounting packets periodically and sends them to the accounting server. This minimizes the period of inaccurate accounting if communication between the S2300 and the accounting server is interrupted.

Local User Management


To perform local user management, you need to set up the local user database, maintain user information, and manage users on the S2300. In local authentication or local authorization mode, you need to perform the task of 1.8 Configuring Local User Management.

Domain-based User Management


The S2300 manages users based on domains. You can configure authentication, authorization, or accounting schemes in a domain; the specified schemes are then used to authenticate and authorize the users that belong to the domain. All users of the S2300 belong to a domain. The domain that a user belongs to is determined by the character string that follows the domain name delimiter, which can be @, |, or %. For example, the user "user@huawei" belongs to the domain "huawei". If there is no "@" in the user name, the user belongs to the domain default. By default, the S2300 has two domains named default and default_admin, which cannot be deleted but can be modified. If the domain of an access user cannot be obtained, the default domain is used.
- Domain default is used for common access users. By default, local authentication is performed for the users in domain default.
- Domain default_admin is used for administrators. By default, local authentication is performed for the users in domain default_admin.

The S2300 supports up to 32 domains, including the two default domains. The priority of authorization configured in a domain is lower than the priority configured on an AAA server. That is, the authorization attribute sent by the AAA server is used preferentially. The authorization attribute in the domain takes effect only when the AAA server does not have or provide this authorization. In this manner, you can add services flexibly based on the domain management, regardless of the attributes provided by the AAA server.
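The domain rules described in this section (delimiter lookup, the two built-in domains, the 32-domain limit, and the precedence of server-supplied authorization attributes over domain attributes) are easier to reason about in executable form. The following Python model is an added illustration and not Huawei code: the attribute names "user-level" and "acl" are constructed for the example, and the handling of a delimiter followed by a domain name that is not configured is an assumption, because the guide does not state it.

```python
"""Model of the S2300 domain rules in this section (added illustration, not
Huawei code): how a login name maps to a domain, the two built-in domains,
the 32-domain limit, and the precedence of AAA-server authorization
attributes over attributes configured in the domain."""

DELIMITERS = "@|%"            # domain name delimiters listed in the guide
DEFAULT_DOMAIN = "default"
BUILTIN_DOMAINS = ("default", "default_admin")
MAX_DOMAINS = 32              # limit stated in the guide, built-ins included


def split_login(login):
    """Return (user_name, domain_name) for a login string.

    The domain is the string after the delimiter, so "user@huawei" belongs
    to "huawei". A login without a delimiter belongs to "default". An empty
    string after the delimiter is treated as "domain cannot be obtained",
    which the guide also maps to the default domain.
    """
    for pos, ch in enumerate(login):
        if ch in DELIMITERS:
            return login[:pos], (login[pos + 1:] or DEFAULT_DOMAIN)
    return login, DEFAULT_DOMAIN


class DomainTable:
    """Configured domains and the attributes set in each of them."""

    def __init__(self):
        # Both built-in domains exist from the start; by default each
        # performs local authentication.
        self._domains = {name: {"authentication": "local"}
                         for name in BUILTIN_DOMAINS}

    def add(self, name, **attrs):
        """Create or modify a domain; False when the 32-domain limit is hit."""
        if name not in self._domains and len(self._domains) >= MAX_DOMAINS:
            return False
        self._domains.setdefault(name, {}).update(attrs)
        return True

    def delete(self, name):
        """Remove a domain; built-in domains can be modified but not deleted."""
        if name in BUILTIN_DOMAINS or name not in self._domains:
            return False
        del self._domains[name]
        return True

    def lookup(self, login):
        """Resolve a login to (user, domain_name, domain_attrs).

        Assumption not stated in the guide: a delimiter followed by a domain
        name that is not configured yields None instead of silently landing
        the user in "default", so an explicit domain is never reinterpreted.
        """
        user, domain = split_login(login)
        if domain not in self._domains:
            return None
        return user, domain, dict(self._domains[domain])


def effective_authorization(server_attrs, domain_attrs):
    """Merge authorization as the guide describes: an attribute delivered by
    the AAA server is used preferentially; a domain attribute applies only
    when the server did not provide that attribute."""
    merged = dict(domain_attrs)
    merged.update(server_attrs)
    return merged
```

The merge in effective_authorization is the point to remember when auditing a domain: a user-level or ACL set in the domain is a fallback, not a ceiling, so it does not constrain what the AAA server hands out.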

RADIUS and HWTACACS Server Templates


When RADIUS or HWTACACS is specified in an authentication or an authorization scheme for communication between the client and the server, you must configure a RADIUS or an HWTACACS server template in a domain.
- In a RADIUS server template, you can set the attributes such as the IP addresses, port number, and key of the authentication server and accounting server.
- In an HWTACACS server template, you can set the attributes such as the IP addresses, port number, and key of the authentication server, accounting server, and authorization server.
NOTE

Authentication and authorization are used together in RADIUS; therefore, you cannot use RADIUS alone to perform authorization.

1.3 Configuring AAA Schemes


This section describes how to configure an authentication scheme, an authorization scheme, and a recording scheme on the S2300.
1.3.1 Establishing the Configuration Task
1.3.2 Configuring an Authentication Scheme
1.3.3 Configuring an Authorization Scheme
1.3.4 Configuring an Accounting Scheme
1.3.5 (Optional) Configuring a Recording Scheme
1.3.6 Checking the Configuration

1.3.1 Establishing the Configuration Task


Applicable Environment
AAA schemes of the S2300 consist of the authentication scheme, authorization scheme, accounting scheme, and recording scheme. According to the AAA schemes, the S2300 determines the authentication, authorization, accounting, and recording modes (local processing, remote processing, or no processing) and the relevant parameters for users. After AAA schemes are configured, you can apply them to a domain. The S2300 then uses the schemes to perform authentication, authorization, and accounting for users in the domain. You can configure different recording schemes for different transactions in the AAA view.

Pre-configuration Tasks
None

Data Preparation
To configure AAA schemes, you need the following data.

No. Data
1 Name of the authentication scheme and authentication mode
2 Name of the authorization scheme, authorization mode, (optional) user level in command-line-based authorization mode on the HWTACACS server, and (optional) timeout interval for command-line-based authorization
3 Name of the accounting scheme and accounting mode
4 (Optional) Name of the recording scheme, name of the HWTACACS server template associated with the recording scheme, and recording policy used to record events

1.3.2 Configuring an Authentication Scheme


Context
NOTE

By default, the local authentication mode is used. If users are not to be authenticated, you must create an authentication scheme, or modify the default authentication scheme, with the authentication mode set to none, and then apply this authentication scheme to the domain that the users belong to. The authentication modes for users logging in to the S2300 and for users upgrading their user levels are set separately.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.



Step 3 Run:
authentication-scheme authentication-scheme-name

An authentication scheme is created and the authentication scheme view is displayed. By default, there is an authentication scheme named default on the S2300. This scheme can be modified but cannot be deleted.

Step 4 Run:
authentication-mode { hwtacacs | radius | local }* [ none ]

The authentication mode is set. none indicates the non-authentication mode. By default, the local authentication mode is used. If multiple authentication modes are used in an authentication scheme, the non-authentication mode must be used as the last authentication mode. If the authentication mode is set to RADIUS or HWTACACS, you must configure a RADIUS or an HWTACACS server template and apply the template in the view of the domain that the user belongs to.
NOTE

If multiple authentication modes are used in an authentication scheme, the authentication modes take effect in their configuration sequence. The S2300 adopts the next authentication mode only when the current authentication mode is invalid. The S2300 does not adopt any other authentication mode when users fail authentication in the current authentication mode.

Step 5 Run:
authentication-super { hwtacacs | super }* [ none ]

Or,
authentication-super none

The authentication mode for upgrading user levels is set. The none parameter indicates that the non-authentication mode is used, that is, users change their user levels without being authenticated. By default, the local authentication mode is used for upgrading user levels. When the local authentication mode is used for upgrading user levels, you need to run the super password command in the system view to set the password for upgrading user levels.

----End

1.3.3 Configuring an Authorization Scheme


Context
NOTE

You can configure command-line-based authorization only when HWTACACS is adopted.

Procedure
Step 1 Run:
system-view


The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
authorization-scheme authorization-scheme-name

An authorization scheme is created and the authorization scheme view is displayed. By default, an authorization scheme named default exists on the S2300. This scheme can be modified but cannot be deleted.

Step 4 Run:
authorization-mode [ hwtacacs ] { if-authenticated | local | none }

The authorization mode is set. By default, the local authorization mode is used. If multiple authorization modes are used in an authorization scheme, the if-authenticated mode or non-authorization mode must be used as the last authorization mode. When using the HWTACACS authorization mode, you must create an HWTACACS server template and apply the template to the domain that the user belongs to.
NOTE

If multiple authorization modes are used in an authorization scheme, the authorization modes take effect in their configuration sequence. The S2300 adopts the next authorization mode only when the current authorization mode is invalid. The S2300 does not adopt any other authorization mode when users are not authorized in the current authorization mode.

Step 5 (Optional) Run:
authorization-cmd privilege-level hwtacacs [ local ]

The command-line-based authorization function is configured for users at a level. By default, the command-line-based authorization function is not configured for users at levels 0 to 15. If command-line authorization is enabled, you must create an HWTACACS server template and apply the template in the view of the domain that the user belongs to.

----End
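The NOTEs in 1.3.2 and 1.3.3 state the rule that decides whether a multi-mode scheme fails closed or fails open: the next mode is consulted only when the current one is invalid, never when the current one has rejected the user. The Python model below is an added illustration, not Huawei code. It walks an authentication or authorization scheme under that rule and enforces the ordering constraints given in the two sections (none last in an authentication scheme; if-authenticated or none last in an authorization scheme; a server template required in the domain for hwtacacs or radius). Backend outcomes are constructed callables, and reading "invalid" as "the mode could not be consulted" is this model's interpretation of the guide's wording.

```python
"""Model of how an S2300 scheme walks its configured mode list (added
illustration, not Huawei code). A backend returns ACCEPT, REJECT or
INVALID; INVALID stands for "this mode could not be consulted", which is
how this model reads the guide's "current mode is invalid"."""

ACCEPT, REJECT, INVALID = "accept", "reject", "invalid"

SERVER_MODES = ("hwtacacs", "radius")   # need a server template in the domain


def validate_scheme(modes, kind):
    """Reject mode lists the command syntax in the guide does not allow."""
    modes = list(modes)
    if not modes:
        raise ValueError("scheme has no mode")
    if kind == "authentication":
        # authentication-mode { hwtacacs | radius | local }* [ none ]
        body = modes[:-1] if modes[-1] == "none" else modes
        if any(m not in ("hwtacacs", "radius", "local") for m in body):
            raise ValueError("expected { hwtacacs | radius | local }* [ none ]")
    elif kind == "authorization":
        # authorization-mode [ hwtacacs ] { if-authenticated | local | none }
        body = modes[1:] if modes[0] == "hwtacacs" else modes
        if len(body) != 1 or body[0] not in ("if-authenticated", "local", "none"):
            raise ValueError("expected [ hwtacacs ] { if-authenticated | local | none }")
    else:
        raise ValueError("unknown scheme kind %r" % kind)


def is_valid_scheme(modes, kind):
    """Boolean form of validate_scheme for callers that only want yes/no."""
    try:
        validate_scheme(modes, kind)
        return True
    except ValueError:
        return False


def run_scheme(modes, backends, kind, authenticated=False, templates=()):
    """Return (outcome, mode_that_decided) for one user.

    modes      ordered mode names, e.g. ["radius", "none"]
    backends   mode name -> callable returning ACCEPT, REJECT or INVALID
    templates  server-template modes bound to the user's domain

    Rule from the NOTEs in 1.3.2 and 1.3.3: move to the next mode only on
    INVALID; a REJECT is final. So "radius none" does not fall open when
    RADIUS rejects the user, only when RADIUS could not be consulted.
    """
    validate_scheme(modes, kind)
    for mode in modes:
        if mode in SERVER_MODES and mode not in templates:
            raise ValueError("%s requires a server template in the domain" % mode)
        if mode == "none":
            return ACCEPT, mode
        if mode == "if-authenticated":
            return (ACCEPT if authenticated else REJECT), mode
        outcome = backends[mode]()
        if outcome != INVALID:
            return outcome, mode
    # Every configured mode was unavailable and no terminal mode caught it:
    # the user is not let through.
    return REJECT, None
```

The two "radius none" cases in the checks are the ones worth remembering when reviewing a scheme: appending none does not turn a server's rejection into an accept, but it does let users in whenever the server is unreachable, which is the trade-off the guide's ordering constraint makes explicit.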

1.3.4 Configuring an Accounting Scheme


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa


The AAA view is displayed.

Step 3 Run:
accounting-scheme accounting-scheme-name

An accounting scheme is created and the accounting scheme view is displayed. By default, the S2300 provides an accounting scheme named default. This scheme can be modified but cannot be deleted.

Step 4 Run:
accounting-mode { hwtacacs | radius | none }

The accounting mode is set. By default, the accounting mode is none. If the accounting mode is set to RADIUS or HWTACACS, you must configure the RADIUS or HWTACACS server template and apply the template to the corresponding user domain.

Step 5 (Optional) Run:
accounting realtime interval

Interim accounting is enabled and the accounting interval is set. By default, interim accounting is disabled. The accounting interval depends on network conditions. A short interval increases the traffic on the network and the load on the device that receives interim accounting packets. A long interval increases the accounting error when the communication between the accounting server and the S2300 fails.

Step 6 (Optional) Run:
accounting start-fail { online | offline }

The policy for remote accounting-start failure is set. If accounting start fails when a user logs in, the S2300 processes the user according to this policy. By default, the S2300 forbids a user to get online when accounting start fails.

Step 7 (Optional) Run:
accounting interim-fail [ max-times times ] { online | offline }

The policy for remote interim accounting failure is set. If interim accounting fails after a user goes online, the S2300 processes the user according to this policy. By default, the policy for remote interim accounting failure is disabled.

----End

1.3.5 (Optional) Configuring a Recording Scheme


Context
To monitor the device and locate faults, you can configure a recording scheme to record the following:

- Commands that are run on the S2300
- Information about connections
- System events
NOTE

You can configure the recording function only when HWTACACS is adopted.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template

The HWTACACS server template is created.

Step 3 Run:
aaa

The AAA view is displayed.

Step 4 Run:
recording-scheme recording-scheme-name

A recording scheme is created and the recording scheme view is displayed. By default, no recording scheme exists on the S2300.

Step 5 Run:
recording-mode hwtacacs template-name

An HWTACACS server template that is associated with the recording scheme is configured. By default, a recording scheme is not associated with an HWTACACS server template.

Step 6 Run:
quit

Return to the AAA view.

Step 7 Run:
cmd recording-scheme recording-scheme-name

The commands that are used on the S2300 are recorded. By default, the commands that are used on the S2300 are not recorded.

Step 8 Run:
outbound recording-scheme recording-scheme-name

The information about connections is recorded. By default, information about connections is not recorded.

Step 9 Run:
system recording-scheme recording-scheme-name

System events are recorded.


Issue 01 (2011-05-20) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. 1-9

1 AAA and User Management Configuration

Quidway S2300 Series Ethernet Switches Configuration Guide - Security

By default, system events are not recorded.

----End

1.3.6 Checking the Configuration


Prerequisite
The configurations of AAA schemes are complete.

Procedure
- Run the display aaa configuration command to check the summary of AAA.
- Run the display authentication-scheme [ authentication-scheme-name ] command to check the configuration of the authentication scheme.
- Run the display authorization-scheme [ authorization-scheme-name ] command to check the configuration of the authorization scheme.
- Run the display accounting-scheme [ accounting-scheme-name ] command to check the configuration of the accounting scheme.
- Run the display recording-scheme [ recording-scheme-name ] command to check the configuration of the recording scheme.
- Run the display access-user [ domain domain-name | ip-address ip-address [ vpn-instance instance-name ] | mac-address mac-address | slot slot-id | interface interface-type interface-number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | user-id user-number ] command to check the summary of all online users.

----End

1.4 Configuring a RADIUS Server Template


This section describes how to configure a RADIUS server template on the S2300.
1.4.1 Establishing the Configuration Task
1.4.2 Creating a RADIUS Server Template
1.4.3 Configuring a RADIUS Authentication Server
1.4.4 Configuring the RADIUS Accounting Server
1.4.5 Configuring a RADIUS Authorization Server
1.4.6 (Optional) Setting a Shared Key for a RADIUS Server
1.4.7 (Optional) Setting the User Name Format Supported by a RADIUS Server
1.4.8 (Optional) Setting the Traffic Unit for a RADIUS Server
1.4.9 (Optional) Setting Retransmission Parameters on a RADIUS Server
1.4.10 (Optional) Setting the NAS Port Format of a RADIUS Server
1.4.11 Checking the Configuration

1.4.1 Establishing the Configuration Task


Applicable Environment
In remote authentication or authorization mode, you need to configure a server template as required. You need to configure a RADIUS server template if RADIUS is used in the authentication scheme.
NOTE

A RADIUS server template has default parameters, which you can change to suit the network. You can modify the RADIUS configuration only when the RADIUS server template is not in use.

Pre-configuration Tasks
None

Data Preparation
To configure a RADIUS server template, you need the following data.

No. Data
1 IP address of the RADIUS authentication server
2 IP address of the RADIUS accounting server
3 (Optional) Shared key of the RADIUS server
4 (Optional) User name format supported by the RADIUS server
5 (Optional) Traffic unit of the RADIUS server
6 (Optional) Timeout interval for a RADIUS server to send response packets and number of times for retransmitting request packets on a RADIUS server
7 (Optional) Format of the NAS port attribute of the RADIUS server

1.4.2 Creating a RADIUS Server Template


Procedure
Step 1 Run:
system-view

The system view is displayed.



Step 2 Run:
radius-server template template-name

A RADIUS server template is created and the RADIUS server template view is displayed.

----End

1.4.3 Configuring a RADIUS Authentication Server


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server template template-name

The RADIUS server template view is displayed.

Step 3 Run:
radius-server authentication ip-address port [ source loopback interface-number ]

The primary RADIUS authentication server is configured. By default, the IP address of the primary RADIUS authentication server is 0.0.0.0 and the port number is 0.

Step 4 (Optional) Run:
radius-server authentication ip-address port [ source loopback interface-number ] secondary

The secondary RADIUS authentication server is configured. By default, the IP address of the secondary RADIUS authentication server is 0.0.0.0 and the port number is 0.

----End

1.4.4 Configuring the RADIUS Accounting Server


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server template template-name

The RADIUS server template view is displayed.

Step 3 Run:
radius-server accounting ip-address port [ source loopback interface-number ]

The primary RADIUS accounting server is configured.



By default, the IP address of the primary RADIUS accounting server is 0.0.0.0 and the port number is 0.

Step 4 (Optional) Run:
radius-server accounting ip-address port [ source loopback interface-number ] secondary

The secondary RADIUS accounting server is configured. By default, the IP address of the secondary RADIUS accounting server is 0.0.0.0 and the port number is 0.

----End

1.4.5 Configuring a RADIUS Authorization Server


Context
The RADIUS authorization server is mainly used to dynamically authorize users during service selection.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server authorization ip-address { server-group group-name | shared-key { cipher | simple } key-string } * [ ack-reserved-interval interval ]

The RADIUS authorization server is configured. By default, no RADIUS authorization server is configured on the S2300.

----End

1.4.6 (Optional) Setting a Shared Key for a RADIUS Server


Context
When exchanging authentication packets, the S2300 and the RADIUS server encrypt important information such as the password by using the Message Digest 5 (MD5) algorithm, so that this information is not sent in clear text over the network. So that each side can verify the other, the shared keys configured on the S2300 and on the RADIUS server must be the same.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server template template-name

The RADIUS server template view is displayed.

Step 3 Run:
radius-server shared-key [ cipher | simple ] key-string

The shared key is set for a RADIUS server. By default, the shared key of a RADIUS server is huawei.

----End
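The MD5 exchange the context above refers to is the User-Password hiding and Response Authenticator mechanism of RFC 2865. The following Python script is an added illustration, not code from this guide or from the S2300: it implements both steps and shows why a key mismatch makes the server reject the request and makes the switch reject the server's reply. The key values are constructed for the example (the page's default huawei and an arbitrary mismatched key), as is the fixed Request Authenticator used in the demo.

```python
import hashlib
import hmac
import os

# Constructed values for this example: the page's default shared key and a
# deliberately mismatched key for the negative case.
PAGE_DEFAULT_KEY = b"huawei"
WRONG_KEY = b"some-other-key"


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding.

    The password is zero-padded to a multiple of 16 bytes; chunk i is XORed with
    MD5(secret + previous_output_chunk), where the 'previous chunk' for the first
    round is the 16-byte Request Authenticator carried in the packet header.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        key_block = hashlib.md5(secret + prev).digest()
        cipher_block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key_block))
        out += cipher_block
        prev = cipher_block          # chaining: next key block depends on this output
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password. The server rebuilds the same MD5 key stream from
    its own copy of the shared key; with a mismatched key the result is an
    unrelated byte string and the Access-Request is simply rejected."""
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        cipher_block = hidden[i:i + 16]
        key_block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher_block, key_block))
        prev = cipher_block
    return bytes(out).rstrip(b"\x00")   # strip the RFC padding (passwords here never end in NUL)


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    This is how the client side checks that an Access-Accept/Reject really came
    from a server holding the same shared key."""
    length = 20 + len(attributes)            # 20-byte header plus attributes
    header = bytes([code, identifier]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def verify_response(code: int, identifier: int, attributes: bytes,
                    request_authenticator: bytes, received: bytes, secret: bytes) -> bool:
    expected = response_authenticator(code, identifier, attributes, request_authenticator, secret)
    return hmac.compare_digest(expected, received)   # constant-time comparison


def new_request_authenticator() -> bytes:
    """The client picks a fresh, unpredictable 16-byte value for every request."""
    return os.urandom(16)


if __name__ == "__main__":
    ra = new_request_authenticator()
    hidden = hide_password(b"s3cret-pw", PAGE_DEFAULT_KEY, ra)
    print("round trip with matching key:", unhide_password(hidden, PAGE_DEFAULT_KEY, ra))
    print("with mismatched key:", unhide_password(hidden, WRONG_KEY, ra))
    auth = response_authenticator(2, 7, b"", ra, PAGE_DEFAULT_KEY)   # code 2 = Access-Accept
    print("server reply accepted:", verify_response(2, 7, b"", ra, auth, PAGE_DEFAULT_KEY))
    print("reply checked with wrong key accepted:", verify_response(2, 7, b"", ra, auth, WRONG_KEY))
```

The two negative cases are the practical reason behind the rule in the context paragraph: a wrong key on either side does not produce an error message, it produces rejected logins, so a key mismatch is best diagnosed by comparing the configured keys rather than by reading packet captures.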

1.4.7 (Optional) Setting the User Name Format Supported by a RADIUS Server
Context
NOTE

A user name is in the user name@domain name format and the characters after @ refer to the domain name. In the user name, @ is the domain name delimiter. The domain name delimiter can also be any of the following symbols: \ / : < > | ' %

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server template template-name

The RADIUS server template view is displayed.

Step 3 Run:
radius-server user-name domain-included

The user name format supported by a RADIUS server is set. By default, a user name supported by a RADIUS server contains the domain name. That is, the S2300 sends the user name, domain name, and domain name delimiter to the RADIUS server for authentication.

When the RADIUS server does not accept user names that contain the domain name, run the undo radius-server user-name domain-included command so that the S2300 removes the domain name before sending the user name to the RADIUS server.

----End

1.4.8 (Optional) Setting the Traffic Unit for a RADIUS Server


Procedure
Step 1 Run:
system-view


The system view is displayed.

Step 2 Run:
radius-server template template-name

The RADIUS server template view is displayed.

Step 3 Run:
radius-server traffic-unit { byte | kbyte | mbyte | gbyte }

The traffic unit is set for a RADIUS server. By default, the traffic is expressed in bytes on the S2300.

----End

1.4.9 (Optional) Setting Retransmission Parameters on a RADIUS Server


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server template template-name

The RADIUS server template view is displayed.

Step 3 Run:
radius-server timeout timeout

The timeout interval for a RADIUS server to send response packets is set. By default, the timeout interval is five seconds. To check whether a RADIUS server is available, the S2300 periodically sends request packets to the RADIUS server. If no response is received from the RADIUS server within the timeout interval, the S2300 retransmits the request packets.

Step 4 Run:
radius-server retransmit retry-times

The number of times for retransmitting request packets to a RADIUS server is set. By default, the number of retransmissions is 3. After retransmitting request packets to a RADIUS server for the set number of times without receiving a response, the S2300 considers the RADIUS server unavailable.

----End

1.4.10 (Optional) Setting the NAS Port Format of a RADIUS Server



Context
The NAS port format and the NAS port ID format are developed by Huawei and are used to maintain connectivity and service cooperation among Huawei devices. Each of the NAS port format and the NAS port ID format has a new form and an old form. The ID format of the physical port that access users belong to depends on the format of the NAS port attribute.

For Ethernet access users:

- NAS port
  New NAS port format: slot number (8 bits) + subslot number (4 bits) + port number (8 bits) + VLAN ID (12 bits).
  Old NAS port format: slot number (12 bits) + port number (8 bits) + VLAN ID (12 bits).
- NAS port ID
  New format of NAS port ID: slot=xx; subslot=xx; port=xxx; VLAN ID=xxxx, where slot ranges from 0 to 15, subslot from 0 to 15, port from 0 to 255, and VLAN ID from 1 to 4094.
  Old format of NAS port ID: slot number (2 characters) + subslot number (2 bytes) + card number (3 bytes) + VLAN ID (9 characters).

For ADSL access users:

- NAS port format: slot number (4 bits) + subslot number (2 bits) + port number (2 bits) + VPI (8 bits) + VCI (16 bits).
- NAS port ID
  New format of NAS port ID: slot=xx; subslot=x; VPI=xxx; VCI=xxxxx, in which slot ranges from 0 to 15, subslot from 0 to 9, port from 0 to 9, VPI from 0 to 255, and VCI from 0 to 65535.
  Old format of NAS port ID: slot number (2 characters) + subslot number (2 bytes) + card number (3 bytes) + VPI (8 characters) + VCI (16 characters).

The fields are prefixed with 0s if they contain fewer bytes than specified.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server template template-name

The RADIUS server template view is displayed.

Step 3 Run:
radius-server nas-port-format { new | old }

The format of the NAS port used by the RADIUS server is specified. By default, the new NAS port format is used.

Step 4 Run:
radius-server nas-port-id-format { new | old }

The format of the NAS port ID used by the RADIUS server is specified. By default, the new NAS port ID format is used.

----End
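As an added example (not code from this guide or from the S2300), the Python code below packs and unpacks the Ethernet NAS port layouts described in the context above and builds the two NAS port ID strings, so that a RADIUS server or a log parser receiving the attribute can recover the physical port a user came in on. The field separators, the zero-padding widths and the literal "VLAN ID" label in the new NAS port ID are taken from the page's description as written and are an assumption of this example; the value ranges are the ones the page gives for the new NAS port ID format.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class EthernetAccessPort:
    slot: int
    subslot: int
    port: int
    vlan_id: int


# Ranges as the page gives them for the new NAS port ID format; they also fit
# the bit widths of both integer NAS port forms.
_RANGES = (("slot", 0, 15), ("subslot", 0, 15), ("port", 0, 255), ("vlan_id", 1, 4094))


def is_valid_port(p: EthernetAccessPort) -> bool:
    return all(lo <= getattr(p, name) <= hi for name, lo, hi in _RANGES)


def _validate(p: EthernetAccessPort) -> None:
    for name, lo, hi in _RANGES:
        value = getattr(p, name)
        if not lo <= value <= hi:
            raise ValueError(f"{name}={value} is outside {lo}..{hi}")


def nas_port_new(p: EthernetAccessPort) -> int:
    """New NAS port format: slot (8 bits) + subslot (4) + port (8) + VLAN ID (12) = 32 bits."""
    _validate(p)
    return (p.slot << 24) | (p.subslot << 20) | (p.port << 12) | p.vlan_id


def nas_port_old(p: EthernetAccessPort) -> int:
    """Old NAS port format: slot (12 bits) + port (8) + VLAN ID (12); there is no subslot field."""
    _validate(p)
    return (p.slot << 20) | (p.port << 12) | p.vlan_id


def decode_nas_port(value: int, new_format: bool = True) -> EthernetAccessPort:
    """Inverse mapping for the receiving side. The old format carries no subslot,
    so it is reported as 0."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("NAS port is a 32-bit value")
    if new_format:
        return EthernetAccessPort((value >> 24) & 0xFF, (value >> 20) & 0xF,
                                  (value >> 12) & 0xFF, value & 0xFFF)
    return EthernetAccessPort((value >> 20) & 0xFFF, 0, (value >> 12) & 0xFF, value & 0xFFF)


def nas_port_id_new(p: EthernetAccessPort) -> str:
    """New NAS port ID: slot=xx; subslot=xx; port=xxx; VLAN ID=xxxx. Padding widths
    follow the x counts on the page; separators and label are an assumption."""
    _validate(p)
    return f"slot={p.slot:02d};subslot={p.subslot:02d};port={p.port:03d};VLAN ID={p.vlan_id:04d}"


def nas_port_id_old(p: EthernetAccessPort) -> str:
    """Old NAS port ID: slot (2 chars) + subslot (2) + port (3) + VLAN ID (9),
    each field left-padded with 0s as the page states."""
    _validate(p)
    return f"{p.slot:02d}{p.subslot:02d}{p.port:03d}{p.vlan_id:09d}"


if __name__ == "__main__":
    # Constructed sample: slot 1, subslot 2, port 3, VLAN 100.
    sample = EthernetAccessPort(1, 2, 3, 100)
    print("new NAS port   :", nas_port_new(sample), "->", decode_nas_port(nas_port_new(sample)))
    print("old NAS port   :", nas_port_old(sample), "->", decode_nas_port(nas_port_old(sample), False))
    print("new NAS port ID:", nas_port_id_new(sample))
    print("old NAS port ID:", nas_port_id_old(sample))
```

The point worth noticing for accounting and audit is that the old integer format discards the subslot, so two ports that differ only in subslot produce the same old-format NAS port value; if the RADIUS server keys its logs on that attribute, the new format (or the NAS port ID string) is the one that identifies the port unambiguously.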

1.4.11 Checking the Configuration


Prerequisite
The configurations of the RADIUS server template are complete.

Procedure
- Run the display radius-server configuration [ template template-name ] command to check the configuration of the RADIUS server template.
- Run the display radius-attribute [ template template-name ] disable command to view the disabled RADIUS attributes.
- Run the display radius-attribute [ template template-name ] translate command to check the RADIUS attribute translation configuration.

----End

Example
After completing the configurations of the RADIUS server template, you can run the display radius-server configuration command to check the configuration of all templates.
<Quidway> display radius-server configuration
-------------------------------------------------------------------
Server-template-name : rrr
Protocol-version : standard
Traffic-unit : B
Shared-secret-key : huawei
Timeout-interval(in second) : 5
Primary-authentication-server : 0.0.0.0; 0; LoopBack:NULL
Primary-accounting-server : 100.1.1.1; 90; LoopBack:20
Secondary-authentication-server : 0.0.0.0; 0; LoopBack:NULL
Secondary-accounting-server : 0.0.0.0; 0; LoopBack:NULL
Retransmission : 3
Domain-included : YES
Calling-station-id MAC-format : XX.XX.XX.XX.XX.XX
-------------------------------------------------------------------
-------------------------------------------------------------------
Server-template-name : tr1
Protocol-version : standard
Traffic-unit : B
Shared-secret-key : huawei
Timeout-interval(in second) : 5
Primary-authentication-server : 0.0.0.0; 0; LoopBack:NULL
Primary-accounting-server : 0.0.0.0; 0; LoopBack:NULL
Secondary-authentication-server : 0.0.0.0; 0; LoopBack:NULL
Secondary-accounting-server : 0.0.0.0; 0; LoopBack:NULL
Retransmission : 3
Domain-included : YES
Calling-station-id MAC-format : XX.XX.XX.XX.XX.XX
-------------------------------------------------------------------
Total of radius template :2
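A defender usually wants to check every template on every switch, not read one screen at a time. The following Python script is an added example, not part of this guide or of the S2300 software: it parses the display radius-server configuration output into one record per template and flags the settings that this guide lists as defaults (the shared key huawei from 1.4.6 and the 0.0.0.0 server addresses from 1.4.3 and 1.4.4). The sample text it carries is constructed from the example output above.

```python
from typing import Dict, List, Tuple

# Constructed sample, modelled on the page's example output: two templates,
# both still on the default shared key, one with an accounting server set.
SAMPLE_OUTPUT = """\
<Quidway> display radius-server configuration
-------------------------------------------------------------------
Server-template-name : rrr
Protocol-version : standard
Traffic-unit : B
Shared-secret-key : huawei
Timeout-interval(in second) : 5
Primary-authentication-server : 0.0.0.0; 0; LoopBack:NULL
Primary-accounting-server : 100.1.1.1; 90; LoopBack:20
Secondary-authentication-server : 0.0.0.0; 0; LoopBack:NULL
Secondary-accounting-server : 0.0.0.0; 0; LoopBack:NULL
Retransmission : 3
Domain-included : YES
Calling-station-id MAC-format : XX.XX.XX.XX.XX.XX
-------------------------------------------------------------------
-------------------------------------------------------------------
Server-template-name : tr1
Protocol-version : standard
Traffic-unit : B
Shared-secret-key : huawei
Timeout-interval(in second) : 5
Primary-authentication-server : 0.0.0.0; 0; LoopBack:NULL
Primary-accounting-server : 0.0.0.0; 0; LoopBack:NULL
Secondary-authentication-server : 0.0.0.0; 0; LoopBack:NULL
Secondary-accounting-server : 0.0.0.0; 0; LoopBack:NULL
Retransmission : 3
Domain-included : YES
Calling-station-id MAC-format : XX.XX.XX.XX.XX.XX
-------------------------------------------------------------------
Total of radius template :2
"""

PAGE_DEFAULT_KEY = "huawei"   # default shared key stated in 1.4.6
UNSET_SERVER = "0.0.0.0"      # "no server" address stated in 1.4.3 and 1.4.4


def parse_templates(text: str) -> Dict[str, Dict[str, str]]:
    """Turn the 'Key : value' lines into one dict per Server-template-name."""
    templates: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("-") or line.startswith("Total") or ":" not in line:
            continue                      # rulers, the trailer and the echoed command
        key, _, value = line.partition(":")   # first colon only: values may contain "LoopBack:20"
        key, value = key.strip(), value.strip()
        if key == "Server-template-name":
            current = templates.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return templates


def parse_server(value: str) -> Tuple[str, int, str]:
    """'ip; port; LoopBack:name' -> (ip, port, loopback name)."""
    ip, port, loopback = (part.strip() for part in value.split(";"))
    return ip, int(port), loopback.partition(":")[2]


def audit_template(name: str, fields: Dict[str, str]) -> List[str]:
    """Findings a reviewer would raise against one template."""
    findings: List[str] = []
    if fields.get("Shared-secret-key") == PAGE_DEFAULT_KEY:
        findings.append(f"{name}: shared key is still the factory default")
    auth_ip, auth_port, _ = parse_server(fields["Primary-authentication-server"])
    if auth_ip == UNSET_SERVER or auth_port == 0:
        findings.append(f"{name}: no primary authentication server configured")
    if parse_server(fields["Secondary-authentication-server"])[0] == UNSET_SERVER:
        findings.append(f"{name}: no secondary authentication server (no failover)")
    if parse_server(fields["Primary-accounting-server"])[0] == UNSET_SERVER:
        findings.append(f"{name}: no accounting server configured")
    return findings


def audit(text: str) -> Dict[str, List[str]]:
    return {name: audit_template(name, fields) for name, fields in parse_templates(text).items()}


if __name__ == "__main__":
    for template, findings in audit(SAMPLE_OUTPUT).items():
        print(template, "->", findings or ["ok"])
```

The parser deliberately splits on the first colon only, because the server fields embed a second colon in LoopBack:NULL; a naive split on ":" would silently drop the loopback name.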

Run the display radius-attribute [ template template-name ] disable command to view the disabled RADIUS attributes.

<Quidway> display radius-attribute disable
Server-templet-name: rs
--------------------------------------------------------------------------------
Source-attr Dest-attr Direct
--------------------------------------------------------------------------------
NAS-IP-Address Disable send
--------------------------------------------------------------------------------

Run the display radius-attribute [ template template-name ] translate command to view the RADIUS attribute translation configuration.

<Quidway> display radius-attribute translate
Server-templet-name: rs
--------------------------------------------------------------------------------
Source-attr Dest-attr Direct
--------------------------------------------------------------------------------
NAS-Identifier NAS-Port-Id send
--------------------------------------------------------------------------------

1.5 Configuring an HWTACACS Server Template


This section describes how to configure an HWTACACS server template on the S2300.

1.5.1 Establishing the Configuration Task
1.5.2 Creating an HWTACACS Server Template
1.5.3 Configuring an HWTACACS Authentication Server
1.5.4 Configuring an HWTACACS Authorization Server
1.5.5 Configuring the HWTACACS Accounting Server
1.5.6 (Optional) Configuring the Source IP Address of HWTACACS Packets
1.5.7 (Optional) Setting the Shared Key of an HWTACACS Server
1.5.8 (Optional) Setting the User Name Format for an HWTACACS Server
1.5.9 (Optional) Setting the Traffic Unit for an HWTACACS Server
1.5.10 (Optional) Setting HWTACACS Timers
1.5.11 (Optional) Configuring Retransmission of Accounting-Stop Packet
1.5.12 Checking the Configuration

1.5.1 Establishing the Configuration Task


Applicable Environment
In remote authentication or authorization mode, you need to configure a server template as required. You need to configure an HWTACACS server template if HWTACACS is used in an authentication or an authorization scheme.
NOTE

When you modify attributes of an HWTACACS server, the S2300 does not check whether the HWTACACS server template is in use; the only exception is deleting the configuration of the server.


Pre-configuration Tasks
None

Data Preparation
To configure an HWTACACS server template, you need the following data.

No. Data
1 Name of the HWTACACS server template
2 IP addresses of the HWTACACS authentication, authorization, and accounting servers
3 (Optional) Source IP address of the HWTACACS server
4 (Optional) Shared key of the HWTACACS server
5 (Optional) User name format supported by the HWTACACS server
6 (Optional) Traffic unit of the HWTACACS server
7 (Optional) Timeout interval for the HWTACACS server to send response packets and time when the primary HWTACACS server is restored to the active state

1.5.2 Creating an HWTACACS Server Template


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

An HWTACACS server template is created and the HWTACACS server template view is displayed.

----End

1.5.3 Configuring an HWTACACS Authentication Server



Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run:
hwtacacs-server authentication ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ]

The IP address of the primary HWTACACS authentication server is configured. By default, the IP address of the primary HWTACACS authentication server is 0.0.0.0, the port number is 0, and no VPN instance is bound to the server.

Step 4 (Optional) Run:
hwtacacs-server authentication ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] secondary

The IP address of the secondary HWTACACS authentication server is configured. By default, the IP address of the secondary HWTACACS authentication server is 0.0.0.0, the port number is 0, and no VPN instance is bound to the server.

----End

1.5.4 Configuring an HWTACACS Authorization Server


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run:
hwtacacs-server authorization ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ]

The IP address of the primary HWTACACS authorization server is configured. By default, the IP address of the primary HWTACACS authorization server is 0.0.0.0, the port number is 0, and no VPN instance is bound to the server.

Step 4 (Optional) Run:
hwtacacs-server authorization ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] secondary

The IP address of the secondary HWTACACS authorization server is configured. By default, the IP address of the secondary HWTACACS authorization server is 0.0.0.0, the port number is 0, and no VPN instance is bound to the server.

----End

1.5.5 Configuring the HWTACACS Accounting Server


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run:
hwtacacs-server accounting ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ]

The primary HWTACACS accounting server is configured. By default, the IP address of the primary HWTACACS accounting server is 0.0.0.0, the port number is 0, and no VPN instance is bound to the server.

Step 4 Run:
hwtacacs-server accounting ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] secondary

The secondary HWTACACS accounting server is configured. By default, the IP address of the secondary HWTACACS accounting server is 0.0.0.0, the port number is 0, and no VPN instance is bound to the server.

----End

1.5.6 (Optional) Configuring the Source IP Address of HWTACACS Packets


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run:
hwtacacs-server source-ip ip-address

The source IP address of HWTACACS packets is configured. By default, the source IP address of HWTACACS packets is 0.0.0.0, and the S2300 uses the IP address of the outgoing VLANIF interface as the source IP address. After you specify a source IP address, the S2300 uses that address for all communication with the HWTACACS server, and the HWTACACS server uses it to reach the S2300.

----End

1.5.7 (Optional) Setting the Shared Key of an HWTACACS Server


Context
Setting a shared key protects the communication between the S2300 and an HWTACACS server. So that each side can verify the other, the shared keys set on the S2300 and on the HWTACACS server must be the same.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run:
hwtacacs-server shared-key [ cipher | simple ] key-string

The shared key is set for the HWTACACS server. By default, no shared key is set for the HWTACACS server.

----End

1.5.8 (Optional) Setting the User Name Format for an HWTACACS Server
Context
NOTE

A user name is in the user name@domain name format and the character string after "@" refers to the domain name. In the user name, @ is the domain name delimiter. The domain name delimiter can also be any of the following symbols: \ / : < > | ' %

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run:
hwtacacs-server user-name domain-included

The user name format is set for an HWTACACS server. By default, a user name supported by an HWTACACS server contains the domain name. That is, the S2300 sends the user name, domain name, and domain name delimiter to the HWTACACS server for authentication.

If an HWTACACS server does not accept user names that contain the domain name, run the undo hwtacacs-server user-name domain-included command so that the S2300 removes the domain name before sending the user name to the HWTACACS server.

----End

1.5.9 (Optional) Setting the Traffic Unit for an HWTACACS Server


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run:
hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }

The traffic unit is set for an HWTACACS server. By default, the traffic is expressed in bytes on the S2300.

----End

1.5.10 (Optional) Setting HWTACACS Timers


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run:
hwtacacs-server timer response-timeout value

The timeout interval for an HWTACACS server to send response packets is set. By default, the timeout interval is five seconds. If the S2300 receives no response from an HWTACACS server within the timeout interval, it considers the HWTACACS server unavailable. In this case, the S2300 performs authentication or authorization in other modes.

Step 4 Run:
hwtacacs-server timer quiet value

The time taken for an HWTACACS server to be restored to the active state is set. By default, the primary HWTACACS server is restored to the active state after five minutes.

----End
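The timers in this section and the RADIUS retransmission parameters in 1.4.9 decide how long a login attempt hangs before the S2300 gives up on a server, and when a server that was set aside is tried again. As an added example (not code from this guide or from the S2300), the Python model below walks through both behaviours: the timeout-and-retransmit cycle of 1.4.9 for a RADIUS server, and primary/secondary selection with the response timeout and quiet timer of 1.5.10 for HWTACACS. The server addresses are constructed for the example; whether the retransmit count includes the first request is an assumption of this model and is stated in the code.

```python
from typing import Dict, Optional, Tuple


def send_with_retransmit(responds_on_attempt: Optional[int], timeout_s: float = 5.0,
                         retransmit: int = 3) -> Tuple[bool, int, float]:
    """Model of the 1.4.9 behaviour: send, wait timeout_s, resend up to `retransmit`
    times, then declare the server unavailable.

    responds_on_attempt is the 1-based attempt that gets an answer, or None for a
    server that never answers. Returns (reachable, attempts_made, seconds_waited).
    Assumption of this example: the retransmit count excludes the initial request,
    so a dead server costs (1 + retransmit) * timeout_s before it is declared down
    (20 s with the page's defaults of 5 s and 3 retransmissions).
    """
    max_attempts = 1 + retransmit
    waited = 0.0
    for attempt in range(1, max_attempts + 1):
        if responds_on_attempt is not None and attempt == responds_on_attempt:
            return True, attempt, waited
        waited += timeout_s          # no response within the timeout interval
    return False, max_attempts, waited


class HwtacacsServerSet:
    """Primary/secondary selection with the 1.5.10 timers: a server that does not
    answer within response_timeout_s is set aside for quiet_minutes, after which
    it is restored to the active state and tried again (primary first)."""

    def __init__(self, primary: str, secondary: str,
                 response_timeout_s: float = 5.0, quiet_minutes: float = 5.0):
        self.primary, self.secondary = primary, secondary
        self.response_timeout_s = response_timeout_s
        self.quiet_s = quiet_minutes * 60
        self.quiet_until: Dict[str, float] = {}   # server -> time it becomes active again

    def is_active(self, server: str, now: float) -> bool:
        return now >= self.quiet_until.get(server, 0.0)

    def pick(self, now: float) -> Optional[str]:
        """Server to send the next request to; None when both are quiet, which is
        the case where the S2300 falls back to other authentication modes."""
        for server in (self.primary, self.secondary):
            if self.is_active(server, now):
                return server
        return None

    def report_timeout(self, server: str, now: float) -> None:
        """Called when no reply arrived within response_timeout_s."""
        self.quiet_until[server] = now + self.quiet_s


if __name__ == "__main__":
    print("dead RADIUS server:", send_with_retransmit(None))
    print("answers on 2nd try :", send_with_retransmit(2))
    # Constructed addresses for the example.
    servers = HwtacacsServerSet("10.0.0.1", "10.0.0.2")
    servers.report_timeout(servers.pick(0.0), 0.0)     # primary times out at t=0
    for t in (10.0, 299.0, 300.0):
        print(f"t={t:5.0f}s ->", servers.pick(t))
```

Two operational consequences follow from the defaults: with RADIUS a dead server holds each login for 20 seconds before the next scheme is tried, so the retransmit and timeout values are worth tuning together with the login timeout of the client; with HWTACACS a primary that timed out once is skipped for the whole quiet interval, so a brief outage of the primary keeps all logins on the secondary for five minutes.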

1.5.11 (Optional) Configuring Retransmission of Accounting-Stop Packet


Context
If the HWTACACS accounting mode is used, the S2300 sends an Accounting-Stop packet to the HWTACACS server after a user goes offline. If network connectivity is unreliable, you can enable retransmission of the Accounting-Stop packet to prevent the loss of accounting information.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server accounting-stop-packet resend { disable | enable number }

The function of retransmitting the Accounting-Stop packet is configured. You can enable retransmission and set the retransmission count, or disable it. By default, retransmission is enabled and the retransmission count is 100.

----End

1.5.12 Checking the Configuration



Prerequisite
The configurations of the HWTACACS server template are complete.

Procedure
- Run the display hwtacacs-server template [ template-name ] command to check the configuration of the HWTACACS server template.

----End

Example
After completing the configurations of the HWTACACS server template, you can run the display hwtacacs-server template [ template-name ] command to view the configuration of the template.
<Quidway> display hwtacacs-server template huawei
---------------------------------------------------------------------------
HWTACACS-server template name : huawei
Primary-authentication-server : 0.0.0.0:0:
Primary-authorization-server : 0.0.0.0:0:
Primary-accounting-server : 0.0.0.0:0:
Secondary-authentication-server : 0.0.0.0:0:
Secondary-authorization-server : 0.0.0.0:0:
Secondary-accounting-server : 0.0.0.0:0:
Current-authentication-server : 0.0.0.0:0:
Current-authorization-server : 0.0.0.0:0:
Current-accounting-server : 0.0.0.0:0:
Source-IP-address : 0.0.0.0
Shared-key :
Quiet-interval(min) : 5
Response-timeout-Interval(sec) : 5
Domain-included : Yes
Traffic-unit : B
---------------------------------------------------------------------------

1.6 Configuring a Service Scheme


This section describes how to configure a service scheme in the S2300 to store authorization information about users.

1.6.1 Establishing the Configuration Task
1.6.2 Creating a Service Scheme
1.6.3 Setting the Administrator Level
1.6.4 Configuring a DHCP Server Group
1.6.5 Configuring an Address Pool
1.6.6 Configure Primary and Secondary DNS Servers
1.6.7 Checking the Configuration

1.6.1 Establishing the Configuration Task



Applicable Environment
Access users must acquire authorization information before getting online. Authorization information about users can be managed through the service scheme.

Pre-configuration Tasks
Before configuring a service scheme, complete the following tasks:

- Creating a DHCP server group
- Creating an IP address pool

Data Preparation
To configure a service scheme, you need the following data.

No. Data
1 Service scheme
2 Administrator level
3 User priority
4 Name of the DHCP server group
5 Name and position of the address pool
6 IP addresses of the primary and secondary DNS servers

1.6.2 Creating a Service Scheme


Context
The service scheme is the aggregation of authorization information about users. After a service scheme is created, you can set attributes of users in the service scheme view.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
service-scheme service-scheme-name

A service scheme is created. service-scheme-name is a string of 1 to 32 characters, excluding / \ : * ? " < > | @ ' %. By default, no service scheme is configured on the S2300.

----End

1.6.3 Setting the Administrator Level


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
service-scheme service-scheme-name

The service scheme view is displayed.

Step 4 Run:
admin-user privilege level level

The administrator is enabled to log in to the S2300 and the administrator level is set. The value of level ranges from 0 to 15. If this command is not run, the administrator level is displayed as 16, which is invalid.

----End
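The character set that 1.6.2 excludes from service-scheme-name contains every domain name delimiter listed in 1.4.7 and 1.5.8, so a scheme name can never be mistaken for a user@domain string, and the administrator level in this section has the sentinel value 16 for "never set". The Python code below is an added example, not S2300 code, that applies both rules as input validation before a scheme definition is pushed to a switch; the ServiceScheme class and its method names are this example's own.

```python
from dataclasses import dataclass
from typing import Optional

# Characters the page excludes from service-scheme-name (1.6.2). The set covers
# all domain name delimiters the guide lists (@ \ / : < > | ' %) plus * ? and ".
FORBIDDEN_CHARS = frozenset('/\\:*?"<>|@\'%')
INVALID_ADMIN_LEVEL = 16   # value displayed when admin-user privilege level was never run


def is_valid_service_scheme_name(name: str) -> bool:
    return 1 <= len(name) <= 32 and not (set(name) & FORBIDDEN_CHARS)


def validate_service_scheme_name(name: str) -> str:
    if not 1 <= len(name) <= 32:
        raise ValueError("service-scheme-name must be 1 to 32 characters")
    bad = sorted(set(name) & FORBIDDEN_CHARS)
    if bad:
        raise ValueError(f"service-scheme-name contains forbidden characters: {''.join(bad)}")
    return name


def is_valid_admin_level(level: int) -> bool:
    return 0 <= level <= 15


@dataclass
class ServiceScheme:
    """Hypothetical in-memory form of a scheme before it is rendered to CLI lines."""
    name: str
    admin_level: Optional[int] = None   # None models "admin-user privilege level not run"

    def __post_init__(self) -> None:
        validate_service_scheme_name(self.name)
        if self.admin_level is not None and not is_valid_admin_level(self.admin_level):
            raise ValueError("admin-user privilege level must be 0..15")

    def displayed_admin_level(self) -> int:
        """What display service-scheme shows: 16 (invalid) until a level is set."""
        return INVALID_ADMIN_LEVEL if self.admin_level is None else self.admin_level

    def grants_admin_login(self) -> bool:
        return self.admin_level is not None


if __name__ == "__main__":
    scheme = ServiceScheme("svcscheme1")
    print(scheme.name, "admin level shown as", scheme.displayed_admin_level())
    for candidate in ("huwei1", "ops@corp", "a" * 33):
        print(repr(candidate), "valid:", is_valid_service_scheme_name(candidate))
```

Checking the sentinel in audits is the useful part: a scheme whose displayed level is 16 has never had an administrator level assigned, which is the state the display service-scheme example in 1.6.7 shows.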

1.6.4 Configuring a DHCP Server Group


Prerequisite
A DHCP server group is configured. For the procedure for configuring the DHCP server group, see the Configuration Guide - IP Services-DHCP Configuration.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
service-scheme service-scheme-name

The service scheme view is displayed.

Step 4 Run:
dhcp-server group group-name

A DHCP server group is configured.

----End

1.6.5 Configuring an Address Pool


Prerequisite
An IP address pool is configured. For the procedure for configuring the DHCP server group, see the Configuration Guide - IP Services-DHCP Configuration.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
service-scheme service-scheme-name

The service scheme view is displayed.

Step 4 Run:
ip-pool pool-name [ move-to new-position ]

An IP address pool is configured or the position of a configured address pool is moved.

----End

1.6.6 Configure Primary and Secondary DNS Servers


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
service-scheme service-scheme-name

The service scheme view is displayed.

Step 4 Run:
dns ip-address

The IP address of the primary DNS server is configured.

Step 5 (Optional) Run:
dns ip-address secondary

The IP address of the secondary DNS server is configured.

----End

1.6.7 Checking the Configuration


Procedure
Step 1 Run the display service-scheme [ name name ] command to view the configuration of a service scheme.

----End

Example
Run the display service-scheme command to view all the information about the service scheme.
<Quidway> display service-scheme
-------------------------------------------------------------------
service-scheme-name scheme-index
-------------------------------------------------------------------
huwei1 0
-------------------------------------------------------------------
Total of service scheme: 1

Run the display service-scheme name name command to view the configuration of service scheme svcscheme1.
<Quidway> display service-scheme name svcscheme1
service-scheme-name : svcscheme1
service-scheme-primary-dns :
service-scheme-secondry-dns :
service-scheme-adminlevel : 16

1.7 Configuring a Domain


This section describes how to configure a domain on the S2300.

1.7.1 Establishing the Configuration Task
1.7.2 Creating a Domain
1.7.3 Configuring Authentication, Authorization, and Accounting Schemes for a Domain
1.7.4 Configuring a RADIUS Server Template for a Domain
1.7.5 Configuring an HWTACACS Server Template for a Domain
1.7.6 (Optional) Configuring a Service Scheme for a Domain
1.7.7 (Optional) Setting the Status of a Domain
1.7.8 (Optional) Configuring the Domain Name Delimiter
1.7.9 Checking the Configuration

1.7.1 Establishing the Configuration Task


Applicable Environment
To perform authentication and authorization for a user logging in to the S2300, you need to configure a domain.
NOTE

The modification of a domain takes effect next time a user logs in.

Pre-configuration Tasks
Before configuring a domain, complete the following tasks:

- Configuring authentication and authorization schemes
- Configuring a RADIUS server template if RADIUS is used in an authentication scheme
- Configuring an HWTACACS server template if HWTACACS is used in an authentication or an authorization scheme
- Configuring local user management in local authentication or authorization mode

Data Preparation
To configure a domain, you need the following data. No. 1 2 3 Data Name of the domain Names of authentication and authorization schemes of the domain (Optional) Name of the RADIUS server template or the HWTACACS server template of the domain (Optional) Status of the domain

1.7.2 Creating a Domain


Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
aaa
The AAA view is displayed.
Step 3 Run:
domain domain-name
A domain is created and the domain view is displayed.
The S2300 has two default domains: default and default_admin. Domain default is used for common access users, and domain default_admin is used for administrators. The S2300 supports up to 32 domains, including the two default domains.
----End

Follow-up Procedure
After creating a domain, you can run the domain domain-name [ admin ] command in the system view to configure the domain as the global default domain. Access users whose domain names cannot be obtained are added to this domain. If you do not run the domain domain-name [ admin ] command, the S2300 adds the common users and administrators whose domain names cannot be obtained to domains default and default_admin respectively.

1.7.3 Configuring Authentication, Authorization and Accounting Schemes for a Domain


Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
aaa
The AAA view is displayed.
Step 3 Run:
domain domain-name
The domain view is displayed.
Step 4 Run:
authentication-scheme authentication-scheme-name
An authentication scheme is configured for the domain. By default, the authentication scheme named default is used for a domain.
Step 5 Run:
authorization-scheme authorization-scheme-name
An authorization scheme is configured for the domain. By default, no authorization scheme is bound to a domain.
Step 6 Run:
accounting-scheme accounting-scheme-name
An accounting scheme is configured for the domain. By default, the accounting scheme named default is used for a domain.
----End

1.7.4 Configuring a RADIUS Server Template for a Domain


Context
If a remote RADIUS authentication scheme is used in a domain, you must apply a RADIUS server template to the domain.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
aaa
The AAA view is displayed.
Step 3 Run:
domain domain-name
The domain view is displayed.
Step 4 Run:
radius-server template-name
A RADIUS server template is configured for the domain. By default, no RADIUS server template is configured for a domain.
----End

1.7.5 Configuring an HWTACACS Server Template for a Domain


Context
If the remote HWTACACS authentication or authorization mode is used in a domain, you need to apply an HWTACACS server template to the domain.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
aaa
The AAA view is displayed.
Step 3 Run:
domain domain-name
The domain view is displayed.
Step 4 Run:
hwtacacs-server template-name
An HWTACACS server template is configured for the domain. By default, no HWTACACS server template is configured for a domain.
----End

1.7.6 (Optional) Configuring a Service Scheme for a Domain


Context
Configuring a service scheme for a domain is to bind a service scheme to a domain. Users in the domain obtain service information, such as the IP address and DNS server, from the service scheme.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
aaa
The AAA view is displayed.
Step 3 Run:
domain domain-name
The domain view is displayed.
Step 4 Run:
service-scheme service-scheme-name
A service scheme is bound to the domain. By default, no service scheme is bound to the domain. Before binding a service scheme to a domain, you must create the service scheme.
----End

1.7.7 (Optional) Setting the Status of a Domain


Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
aaa
The AAA view is displayed.
Step 3 Run:
domain domain-name
The domain view is displayed.
Step 4 Run:
state { active | block }
The status of the domain is set. When a domain is in blocking state, users that belong to this domain cannot log in. By default, the domain is in active state after being created.
----End

1.7.8 (Optional) Configuring the Domain Name Delimiter


Context
A user account on the S2300 consists of a user name and a domain name. The user name and domain name are separated by the domain name delimiter. For example, if the defined domain name delimiter is @, the user account of user1 in domain dom1 is user1@dom1.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
aaa
The AAA view is displayed.
Step 3 Run:
domain-name-delimiter delimiter
The domain name delimiter is configured. delimiter can be set to any one of \, /, :, <, >, |, @, ', and %. By default, the domain name delimiter is @.
----End

1.7.9 Checking the Configuration


Prerequisite
The configurations of the domain are complete.

Procedure
- Run the display domain [ name domain-name ] command to check the configuration of the domain.
----End

Example
After the configuration, you can run the display domain command to view the summary of all domains.
<Quidway> display domain
-------------------------------------------------------------------------
DomainName                      index
-------------------------------------------------------------------------
default                         0
default_admin                   1
huawei                          2
-------------------------------------------------------------------------
Total: 3

Run the display domain [ name domain-name ] command, and you can view the configuration of a specified domain.
<Quidway> display domain name huawei
Domain-name                : huawei
Domain-state               : Active
Authentication-scheme-name : scheme0
Accounting-scheme-name     : default
Authorization-scheme-name  : -
Service-scheme-name        : -
RADIUS-server-template     : -
HWTACACS-server-template   : -

1.8 Configuring Local User Management


This section describes how to configure local user management on the S2300.
1.8.1 Establishing the Configuration Task
1.8.2 Creating a Local User
1.8.3 (Optional) Setting the Access Type of the Local User
1.8.4 (Optional) Configuring the FTP Directory That a Local User Can Access
1.8.5 (Optional) Setting the Status of a Local User
1.8.6 (Optional) Setting the Level of a Local User
1.8.7 (Optional) Setting the Access Limit for a Local User
1.8.8 Checking the Configuration

1.8.1 Establishing the Configuration Task


Applicable Environment
You can create a local user on the S2300, configure attributes of the local user, and perform authentication and authorization for users logging in to the S2300 according to information about the local user.

Pre-configuration Tasks
None

Data Preparation
To configure local user management, you need the following data.
No.  Data
1    User name and password
2    Access type of the local user
3    Name of the FTP directory that the local user can access
4    Status of the local user
5    Level of the local user
6    Maximum number of local access users

1.8.2 Creating a Local User


Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
aaa
The AAA view is displayed.
Step 3 Run:
local-user user-name { password { simple | cipher } password | access-limit max-number | ftp-directory directory | privilege level level | state { block | active } } *
A local user is created and parameters of the user are set.
If the user name contains the domain name delimiter (such as @, |, or %), the character string before the delimiter is the user name and the character string after it is the domain name. If the user name does not contain a domain name delimiter, the entire character string is the user name and the user is authenticated in the default domain.
You can use the local-user command to create a local user and set parameters of the local user. To modify parameters of a local user, use the local-user access-limit, local-user ftp-directory, local-user service-type, local-user privilege level, or local-user state command.
----End

1.8.3 (Optional) Setting the Access Type of the Local User


Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
aaa
The AAA view is displayed.
Step 3 Run:
local-user user-name service-type { 8021x | bind | ftp | http | ppp | ssh | telnet | terminal | web | x25-pad } *
The access type of the local user is set. By default, a local user can use all access types. A user can successfully log in only when its access type matches the specified access type.
----End

1.8.4 (Optional) Configuring the FTP Directory That a Local User Can Access
Context
NOTE
If a local user logs in to the device in FTP mode, configure the FTP directory; otherwise, the user cannot log in.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
aaa
The AAA view is displayed.
Step 3 Run:
local-user user-name ftp-directory directory
The FTP directory that a local user can access is configured. By default, the FTP directory that a local user can access is null.
----End

1.8.5 (Optional) Setting the Status of a Local User


Procedure
Step 1 Run:
system-view

The system view is displayed. Step 2 Run:


aaa

The AAA view is displayed. Step 3 Run:


local-user user-name state { active | block }

The status of a local user is set. By default, a local user is in active state. The S2300 processes a local user in active or blocking state as follows: l If the local user is in active state, the S2300 receives the authentication request of this user for further processing. l If the local user is in blocking state, the S2300 rejects the authentication request of this user. ----End

1.8.6 (Optional) Setting the Level of a Local User


Context
After the level of a local user is set, the login user can run a command only when the user level is equal to or higher than the command level.
Similar to the command levels, users are classified into 16 levels numbered 0 to 15. The greater the number, the higher the user level.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
aaa
The AAA view is displayed.
Step 3 Run:
local-user user-name privilege level level
The level of a local user is set. By default, the level of a local user is determined by the management module. For example, there is a user level in the user interface view. If a user level is not set, the user level is 0.
----End

1.8.7 (Optional) Setting the Access Limit for a Local User


Procedure
Step 1 Run:
system-view

The system view is displayed. Step 2 Run:


aaa

The AAA view is displayed. Step 3 Run:


local-user user-name access-limit max-number

The maximum number of online local users is set. By default, the number of access users with the same user name is not restricted on the S2300. ----End
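The following model, added here as an illustration and not taken from Huawei software, ties together the checks described in sections 1.7.2, 1.7.7, 1.7.8 and 1.8.2 to 1.8.7: the account string is split at the configured domain name delimiter, an account without a delimiter falls back to domain default (or default_admin for administrators), a blocked domain or blocked user is refused, the access type must match the user's service-type list, and the access-limit counter caps concurrent sessions. The class and function names (Domain, LocalUser, split_account, local_login) are invented for this example, and the order of the checks is an assumption; the switch's own implementation may differ in detail.

```python
"""Hypothetical model of the S2300 account parsing and local-user checks.
Added illustration for this page; not Huawei code."""
import hmac
from dataclasses import dataclass
from typing import Optional

# Delimiters the domain-name-delimiter command accepts (section 1.7.8).
ALLOWED_DELIMITERS = set("\\/:<>|@'%")


@dataclass
class Domain:
    name: str
    state: str = "active"                  # "active" or "block" (section 1.7.7)


@dataclass
class LocalUser:
    name: str
    password: str
    state: str = "active"                  # section 1.8.5
    service_types: Optional[set] = None    # None: all access types allowed (1.8.3)
    privilege_level: int = 0               # section 1.8.6; 0 when not set
    access_limit: Optional[int] = None     # None: not restricted (1.8.7)
    online: int = 0                        # sessions currently using this user name


def split_account(account, delimiter="@", is_admin=False):
    """Return (user_name, domain_name).  Without a delimiter the account is
    placed in the default domain: 'default' for common access users and
    'default_admin' for administrators (section 1.7.2)."""
    if len(delimiter) != 1 or delimiter not in ALLOWED_DELIMITERS:
        raise ValueError("delimiter must be one of \\ / : < > | @ ' %")
    if delimiter in account:
        user_name, domain_name = account.split(delimiter, 1)
    else:
        user_name = account
        domain_name = "default_admin" if is_admin else "default"
    return user_name, domain_name


def can_run_command(user_level, command_level):
    """Section 1.8.6: a command runs only if the user level is at least the command level."""
    return user_level >= command_level


def local_login(account, password, service_type, domains, users,
                delimiter="@", is_admin=False):
    """Evaluate one login attempt against local user data.
    Returns (accepted, reason, privilege_level)."""
    user_name, domain_name = split_account(account, delimiter, is_admin)
    domain = domains.get(domain_name)
    if domain is None:
        return False, "unknown domain " + domain_name, None
    if domain.state != "active":            # blocked domain: nobody in it logs in
        return False, "domain " + domain_name + " is blocked", None
    user = users.get(user_name)
    # Constant-time compare; same answer for unknown user and wrong password.
    if user is None or not hmac.compare_digest(user.password.encode(), password.encode()):
        return False, "bad user name or password", None
    if user.state != "active":              # blocked user: request rejected
        return False, "user is blocked", None
    if user.service_types is not None and service_type not in user.service_types:
        return False, "access type " + service_type + " not permitted", None
    if user.access_limit is not None and user.online >= user.access_limit:
        return False, "access limit reached", None
    user.online += 1
    return True, "ok", user.privilege_level
```

A practitioner can drive this with a few constructed Domain and LocalUser records to see, for instance, that "user1" and "user1@default" resolve to the same account while a login from an unlisted access type or into a blocked domain is refused before the password is ever examined.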

1.8.8 Checking the Configuration


Prerequisite
The configurations of the local user are complete.

Procedure
- Run the display local-user [ username user-name ] command to check the attributes of the local user.
----End

Example
After completing the configuration of local user management, you can run the display local-user command to view brief information about the attributes of the local user.
<Quidway> display local-user
----------------------------------------------------------------------------
User-name              State      AuthMask      AdminLevel
----------------------------------------------------------------------------
lsj                    A          A
----------------------------------------------------------------------------
Total 1 user(s)

Run the display local-user [ username user-name ] command, and you can view detailed information about a specified user.
<Quidway> display local-user username user-a
The contents of local user(s):
Password          : admin
State             : active
Service-type-mask : H
Privilege level   :
Ftp-directory     :
Access-limit      :
Accessed-num      : 0

1.9 Maintaining AAA and User Management


This section describes how to maintain AAA and user management.
1.9.1 Clearing the Statistics
1.9.2 Monitoring the Running Status of AAA
1.9.3 Debugging

1.9.1 Clearing the Statistics


Context

CAUTION
Statistics cannot be restored after you clear them. So, confirm the action before you use the command.
Run the following commands in the user view to clear the statistics.

Procedure
- Run the reset hwtacacs-server statistics { all | accounting | authentication | authorization } command to clear the statistics on the HWTACACS server.
- Run the reset hwtacacs-server accounting-stop-packet { all | ip ip-address } command to clear the statistics about Accounting Stop packets.

----End

1.9.2 Monitoring the Running Status of AAA


Procedure
Step 1 Run the display aaa configuration command to view AAA running information.
----End

Example
Run the display aaa configuration command to view AAA running information.
<Quidway> display aaa configuration
Domain Name Delimiter      : @
Domainname parse direction : Left to right
Domainname location        : After-delimiter
Domain                     : total: 32  used: 5
Authentication-scheme      : total: 16  used: 1
Accounting-scheme          : total: 16  used: 3
Authorization-scheme       : total: 16  used: 1
Service-scheme             : total: 16  used: 0

1.9.3 Debugging
Context

CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging all command to disable it immediately.
When a running fault occurs on the RADIUS or HWTACACS server, run the debugging commands in the user view to locate the fault.

Procedure
- Run the debugging radius packet command to debug RADIUS packets.
- Run the debugging hwtacacs { all | error | event | message | receive-packet | send-packet } command to debug HWTACACS.

----End

1.10 Configuration Examples


This section provides several configuration examples of AAA and user management.
1.10.1 Example for Configuring RADIUS Authentication and Accounting
1.10.2 Example for Configuring HWTACACS Authentication, Accounting, and Authorization

1.10.1 Example for Configuring RADIUS Authentication and Accounting


Networking Requirements
As shown in Figure 1-1, users access the network through Switch A and are located in the domain huawei. Switch B acts as the network access server of the destination network. The access request of the user needs to pass through the network of Switch A and Switch B to reach the authentication server. The user can access the destination network through Switch B after passing the remote authentication. The remote authentication mode on Switch B is as follows:
- The RADIUS server performs authentication and accounting for access users.
- The RADIUS server 129.7.66.66/24 functions as the primary authentication and accounting server. The RADIUS server 129.7.66.67/24 functions as the secondary authentication and accounting server. The default authentication port and accounting port are 1812 and 1813 respectively.

Figure 1-1 Networking diagram of RADIUS authentication and accounting (diagram: domain huawei, Switch A, network, Switch B, RADIUS servers 129.7.66.66/24 and 129.7.66.67/24, destination network)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a RADIUS server template.
2. Configure the authentication and accounting schemes.
3. Apply the RADIUS server template and the authentication and accounting schemes to the domain.

Data Preparation
To complete the configuration, you need the following data:
- Name of the domain that a user belongs to
- Name of the RADIUS server template
- Name of the authentication scheme, authentication mode, name of the accounting scheme, and accounting mode
- IP addresses, authentication and accounting port numbers of the primary and secondary RADIUS servers
- Key and retransmission times of the RADIUS server
NOTE

The following configurations are performed on Switch B.

Procedure
Step 1 Configure a RADIUS server template.
# Configure the RADIUS server template named shiva.
<Quidway> system-view
[Quidway] radius-server template shiva

# Configure the IP addresses and port numbers of the primary RADIUS authentication and accounting servers.
[Quidway-radius-shiva] radius-server authentication 129.7.66.66 1812
[Quidway-radius-shiva] radius-server accounting 129.7.66.66 1813

# Set the IP addresses and port numbers of the secondary RADIUS authentication and accounting servers.
[Quidway-radius-shiva] radius-server authentication 129.7.66.67 1812 secondary
[Quidway-radius-shiva] radius-server accounting 129.7.66.67 1813 secondary

# Set the key and retransmission count for the RADIUS server.
[Quidway-radius-shiva] radius-server shared-key cipher hello
[Quidway-radius-shiva] radius-server retransmit 2
[Quidway-radius-shiva] quit

Step 2 Configure the authentication and accounting schemes.
# Configure authentication scheme 1, with the authentication mode being RADIUS.
[Quidway] aaa
[Quidway-aaa] authentication-scheme 1
Info: Create a new authentication scheme
[Quidway-aaa-authen-1] authentication-mode radius
[Quidway-aaa-authen-1] quit

# Configure accounting scheme 1, with the accounting mode being RADIUS.
[Quidway-aaa] accounting-scheme 1
Info: Create a new accounting scheme
[Quidway-aaa-accounting-1] accounting-mode radius
[Quidway-aaa-accounting-1] quit

Step 3 Configure the domain huawei and apply authentication scheme 1, accounting scheme 1, and the RADIUS server template shiva to the domain.
[Quidway-aaa] domain huawei
[Quidway-aaa-domain-huawei] authentication-scheme 1
[Quidway-aaa-domain-huawei] accounting-scheme 1
[Quidway-aaa-domain-huawei] radius-server shiva

Step 4 Verify the configuration.
After running the display radius-server configuration template command on Switch B, you can see that the configuration of the RADIUS server template meets the requirements.
<Quidway> display radius-server configuration template shiva
-------------------------------------------------------------------
Server-template-name            : shiva
Protocol-version                : standard
Traffic-unit                    : B
Shared-secret-key               : 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
Timeout-interval(in second)     : 5
Primary-authentication-server   : 129.7.66.66 :1812 LoopBack:NULL
Primary-accounting-server       : 129.7.66.66 :1813 LoopBack:NULL
Secondary-authentication-server : 129.7.66.67 :1812 LoopBack:NULL
Secondary-accounting-server     : 129.7.66.67 :1813 LoopBack:NULL
Retransmission                  : 2
Domain-included                 : YES
Calling-station-id MAC-format   : XX.XX.XX.XX.XX.XX
-------------------------------------------------------------------
----End

Configuration Files
#
 sysname Quidway
#
radius-server template shiva
 radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 radius-server authentication 129.7.66.66 1812
 radius-server authentication 129.7.66.67 1812 secondary
 radius-server accounting 129.7.66.66 1813
 radius-server accounting 129.7.66.67 1813 secondary
 radius-server retransmit 2
#
aaa
 authentication-scheme default
 authentication-scheme 1
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 accounting-scheme 1
  accounting-mode radius
 domain default
 domain default_admin
 domain huawei
  authentication-scheme 1
  accounting-scheme 1
  radius-server shiva
#
return
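The shared key configured with radius-server shared-key cipher is what the example above relies on, in two places: it hides the User-Password attribute in the Access-Request that Switch B sends to 129.7.66.66:1812, and it keys the Response Authenticator with which Switch B decides whether an Access-Accept really came from a server holding the key. The following code, added here as a worked example of RFC 2865 and not part of the Huawei guide, builds such an Access-Request for a PAP login, recovers the password the way the server does, and verifies a reply. The user name carries the domain, as Domain-included : YES in the template output implies. The key hello, the user name, the NAS address and the fixed Request Authenticator used in the test are constructed sample values; a real NAS takes the authenticator from a strong random source, as the default os.urandom call does.

```python
"""Added RADIUS (RFC 2865) example; not Huawei code.  Shows what the
shared key protects: the User-Password attribute and the Response
Authenticator of the server's reply."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def attr(atype, value):
    """One attribute: Type (1 byte), Length (1 byte, header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(packet):
    """Attributes after the 20-byte header as a list of (type, value)."""
    attrs, pos = [], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR block i with
    MD5(secret + previous ciphertext block); block 0 uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def unhide_password(hidden, secret, req_auth):
    """Inverse of hide_password, as the server applies it."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, user_name, password, secret, nas_ip, req_auth=None):
    """Code(1) | Identifier | Length | Request Authenticator (16 random bytes) | attributes."""
    req_auth = req_auth if req_auth is not None else os.urandom(16)
    attrs = (attr(USER_NAME, user_name)
             + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs


def build_response(code, ident, attrs, req_auth, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, req_auth, secret):
    """NAS side: a reply whose Response Authenticator does not match the
    outstanding request and the shared key must be silently discarded."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)
```

Two points the code makes concrete for the configuration above: the password is only as protected as the key (MD5 of key plus a value visible on the wire), which is why the guide stores it in cipher form and a weak key like hello should not survive into production; and verify_response is the check that stops an Access-Accept injected by a host without the key from admitting a user, so the retransmit count and secondary server never bypass it.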


1.10.2 Example for Configuring HWTACACS Authentication, Accounting, and Authorization


Networking Requirements
As shown in Figure 1-2:
- The HWTACACS server is adopted to authenticate access users. If HWTACACS server authentication fails, access users are authenticated locally.
- HWTACACS authentication is required before the level of access users is promoted. If the HWTACACS authentication is not responded to, local authentication is performed.
- HWTACACS authorization is performed for access users.
- All access users need to be charged. Interim accounting is performed every 3 minutes.
- The primary HWTACACS server is 129.7.66.66/24, and the IP address of the secondary HWTACACS server is 129.7.66.67/24.
- The port number of the server for authentication, accounting, and authorization is 49.

Figure 1-2 Networking diagram of HWTACACS authentication, accounting, and authorization (diagram: domain huawei, Switch A, network, Switch B, HWTACACS servers 129.7.66.66/24 and 129.7.66.67/24, destination network)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an HWTACACS server template.
2. Configure the authentication, authorization, and accounting schemes.
3. Apply the HWTACACS server template and the authentication, authorization, and accounting schemes to the domain.

Data Preparation
To complete the configuration, you need the following data:
- Name of the domain that the user belongs to
- Name of the HWTACACS server template
- Name of the authentication scheme, authentication mode, name of the authorization scheme, authorization mode, name of the accounting scheme, and accounting mode
- IP addresses, authentication port numbers, authorization port numbers, and accounting port numbers of the primary and secondary HWTACACS servers
- Key of the HWTACACS server
NOTE

The following configurations are performed on Switch B.

Procedure
Step 1 Configure an HWTACACS server template.
# Configure an HWTACACS server template named ht.
<Quidway> system-view
[Quidway] hwtacacs-server template ht

# Configure the IP address and port number of the primary HWTACACS server for authentication, authorization, and accounting.
[Quidway-hwtacacs-ht] hwtacacs-server authentication 129.7.66.66 49
[Quidway-hwtacacs-ht] hwtacacs-server authorization 129.7.66.66 49
[Quidway-hwtacacs-ht] hwtacacs-server accounting 129.7.66.66 49

# Configure the IP address and port number of the secondary HWTACACS server for authentication, authorization, and accounting.
[Quidway-hwtacacs-ht] hwtacacs-server authentication 129.7.66.67 49 secondary
[Quidway-hwtacacs-ht] hwtacacs-server authorization 129.7.66.67 49 secondary
[Quidway-hwtacacs-ht] hwtacacs-server accounting 129.7.66.67 49 secondary

# Configure the key of the HWTACACS server.
[Quidway-hwtacacs-ht] hwtacacs-server shared-key cipher hello
[Quidway-hwtacacs-ht] quit

Step 2 Configure the authentication, authorization, and accounting schemes.
# Create an authentication scheme l-h and set the authentication mode to hwtacacs local, that is, the system performs HWTACACS authentication first and then local authentication. The HWTACACS authentication supersedes the local authentication when the level of a user is promoted.
[Quidway] aaa
[Quidway-aaa] authentication-scheme l-h
[Quidway-aaa-authen-l-h] authentication-mode hwtacacs local
[Quidway-aaa-authen-l-h] authentication-super hwtacacs super
[Quidway-aaa-authen-l-h] quit

# Create an authorization scheme hwtacacs, and set the authorization mode to HWTACACS.
[Quidway-aaa] authorization-scheme hwtacacs
[Quidway-aaa-author-hwtacacs] authorization-mode hwtacacs
[Quidway-aaa-author-hwtacacs] quit

# Create an accounting scheme hwtacacs, and set the accounting mode to HWTACACS.
[Quidway-aaa] accounting-scheme hwtacacs
[Quidway-aaa-accounting-hwtacacs] accounting-mode hwtacacs
[Quidway-aaa-accounting-hwtacacs] accounting start-fail online

# Set the interval of interim accounting to 3 minutes.
[Quidway-aaa-accounting-hwtacacs] accounting realtime 3
[Quidway-aaa-accounting-hwtacacs] quit

Step 3 Create the domain huawei and apply the authentication scheme l-h, the authorization scheme hwtacacs, the accounting scheme hwtacacs, and the HWTACACS server template ht to the domain.
[Quidway-aaa] domain huawei
[Quidway-aaa-domain-huawei] authentication-scheme l-h
[Quidway-aaa-domain-huawei] authorization-scheme hwtacacs
[Quidway-aaa-domain-huawei] accounting-scheme hwtacacs
[Quidway-aaa-domain-huawei] hwtacacs-server ht
[Quidway-aaa-domain-huawei] quit
[Quidway-aaa] quit

Step 4 Verify the configuration.
Run the display hwtacacs-server template command on Switch B, and you can see that the configuration of the HWTACACS server template meets the requirements.
<Quidway> display hwtacacs-server template ht
---------------------------------------------------------------------------
HWTACACS-server template name   : ht
Primary-authentication-server   : 129.7.66.66:49:
Primary-authorization-server    : 129.7.66.66:49:
Primary-accounting-server       : 129.7.66.66:49:
Secondary-authentication-server : 129.7.66.67:49:
Secondary-authorization-server  : 129.7.66.67:49:
Secondary-accounting-server     : 129.7.66.67:49:
Current-authentication-server   : 129.7.66.66:49:
Current-authorization-server    : 129.7.66.66:49:
Current-accounting-server       : 129.7.66.66:49:
Source-IP-address               : 0.0.0.0
Shared-key                      : ****************
Quiet-interval(min)             : 5
Response-timeout-Interval(sec)  : 5
Domain-included                 : Yes
Traffic-unit                    : B
---------------------------------------------------------------------------

Run the display domain command on Switch B, and you can see that the configuration of the domain meets the requirements.
<Quidway> display domain name huawei
Domain-name                : huawei
Domain-state               : Active
Authentication-scheme-name : l-h
Accounting-scheme-name     : hwtacacs
Authorization-scheme-name  : hwtacacs
Service-scheme-name        :
RADIUS-server-group        :
HWTACACS-server-template   : ht

----End

Configuration Files
#
 sysname Quidway
#
hwtacacs-server template ht
 hwtacacs-server authentication 129.7.66.66
 hwtacacs-server authentication 129.7.66.67 secondary
 hwtacacs-server authorization 129.7.66.66
 hwtacacs-server authorization 129.7.66.67 secondary
 hwtacacs-server accounting 129.7.66.66
 hwtacacs-server accounting 129.7.66.67 secondary
 hwtacacs-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
#
aaa
 authentication-scheme default
 authentication-scheme l-h
  authentication-mode hwtacacs local
  authentication-super hwtacacs super
 authorization-scheme default
 authorization-scheme hwtacacs
  authorization-mode hwtacacs
 accounting-scheme default
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
  accounting start-fail online
  accounting realtime 3
 domain default
 domain default_admin
 domain huawei
  authentication-scheme l-h
  accounting-scheme hwtacacs
  authorization-scheme hwtacacs
  hwtacacs-server ht
#
return
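Unlike RADIUS, which hides only the password, TACACS+ obfuscates the whole packet body with a keystream derived from the shared key, the session id and the sequence number, so the authorization attributes and accounting records exchanged on port 49 in the example above are unreadable without the key configured by hwtacacs-server shared-key. The code below is an added example of that mechanism as specified for TACACS+ (RFC 8907, section 4.5); it is not Huawei code, and it assumes that HWTACACS keeps the standard TACACS+ header and body obfuscation. The session id, the key hello and the body text are constructed values.

```python
"""Added TACACS+ (RFC 8907) header and body obfuscation example; not
Huawei code.  Assumes HWTACACS uses the standard TACACS+ framing."""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC           # version byte = major << 4 | minor
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 1, 2, 3
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # body sent in clear when no key is set
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pad_stream(session_id, key, version, seq_no, length):
    """pad_1 = MD5(session_id, key, version, seq_no)
    pad_n = MD5(session_id, key, version, seq_no, pad_{n-1}), concatenated
    until at least `length` bytes exist.  Everything but the key is in the
    clear-text header, so the key is the only secret in the keystream."""
    head = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(head + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pad; the same call reverses it."""
    pad = pad_stream(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key, minor=0):
    """Serialise one packet.  With an empty key the unencrypted flag is set
    and the body goes out readable, which is the condition to alert on."""
    version = (TAC_PLUS_MAJOR_VER << 4) | minor
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, session_id, key, version, seq_no) if key else body
    return HEADER.pack(version, ptype, seq_no, flags, session_id, len(body)) + payload


def parse_packet(packet, key):
    """Parse the 12-byte header, check the declared length, and de-obfuscate
    the body unless the sender flagged it as clear text."""
    if len(packet) < HEADER.size:
        raise ValueError("short packet")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}
```

Because the pad is a pure function of header fields plus the key, there is no integrity check in the protocol: a peer with the wrong key gets a well-formed packet with a garbage body rather than an error, and the only protection against tampering is that an attacker without the key cannot produce a body that decodes to valid fields. Monitoring for the unencrypted flag on port 49 traffic is a cheap way to catch a template whose key was never set.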

2 NAC Configuration

About This Chapter
This chapter describes the working principle and configuration of network access control (NAC).
NOTE
S2300SI does not support NAC.

2.1 Introduction to NAC
This section describes the working principle of NAC.
2.2 NAC Features Supported by the S2300
This section describes the NAC features supported by the S2300.
2.3 Configuring 802.1x Authentication
This section describes how to configure the 802.1x authentication function.
2.4 Configuring MAC Address Authentication
This section describes how to configure the MAC address authentication function.
2.5 Maintaining NAC
This section describes how to clear statistics about NAC and debug NAC.
2.6 Configuration Examples
This section provides several configuration examples of NAC.


2.1 Introduction to NAC


This section describes the working principle of NAC. Traditional network security technologies focus on the threat brought by external computers, rather than the threat brought by internal computers. In addition, the current network devices cannot prevent the attacks initiated by the internal devices on the network. Network Admission Control (NAC) is an architecture of secure access, with the end-to-end security concept. NAC considers the internal network security from the perspective of user terminals, rather than network devices. Figure 2-1 Typical networking of NAC
User NAD ACS Remediation server AAA server

Directory server Switch PVS & Aduit server

As shown in Figure 2-1, NAC, as a controlling scheme for network security access, includes the following parts: l l User: Access users who need to be authenticated. If 802.1x is adopted for user authentication, users need to install client software. NAD: Network access devices, including routers and switches (hereinafter referred to as the S2300), which are used to authenticate and authorize users. The NAD needs to work with the AAA server to prevent unauthorized terminals from accessing the network, minimize the threat brought by insecure terminals, prevent unauthorized access requests from authorized terminals, and thus protect core resources. ACS: Access control server that is used to check terminal security and health, manage policies and user behaviors, audit rule violations, strengthen behavior audit, and prevent malicious damages from terminals.

2.1.1 802.1x Authentication
2.1.2 MAC Address Authentication
2.1.3 MAC address bypass authentication

2.1.1 802.1x Authentication


The IEEE 802.1x standard (hereinafter referred to as 802.1x) is an interface-based network access control protocol. Interface-based network access control is used to authenticate and control access devices on an interface of a LAN access control device. User devices connected to the interface can access the resources on the LAN only after they pass the authentication.
802.1x focuses on the status of the access interface only. When an authorized user accesses the network by sending the user name and password, the interface is open. When an unauthorized user or no user accesses the network, the interface is closed. The authentication result is reflected by the status of the interface. The IP address negotiation and allocation that are considered in common authentication technologies are not involved. Therefore, 802.1x authentication is the simplest implementation scheme among the authentication technologies.
802.1x supports authentication modes based on the access interface and on the MAC address:
- Authentication mode based on the access interface: Other users can access network resources without authentication when the first user under the interface is successfully authenticated, but the other users are disconnected when the first user goes offline.
- Authentication mode based on the MAC address: Every access user under the interface needs to be authenticated.
802.1x supports the following authentication modes:
- EAP termination mode: The network access device terminates EAP packets, obtains the user name and password from the packets, encrypts the password, and sends the user name and password to the RADIUS server for authentication.
- EAP transparent transmission authentication (also called EAP relay authentication): The network access device directly encapsulates the authentication information of 802.1x users and the EAP packets into the attribute field of RADIUS packets and sends them to the RADIUS server. Therefore, the EAP packets do not need to be converted into RADIUS packets before they are sent to the RADIUS server.

2.1.2 MAC Address Authentication


MAC address authentication is an authentication method that controls the network access authority of a user based on the interface and MAC address. No client software needs to be installed. The user name and password are the MAC address of the user device. After detecting the MAC address of a user for the first time, the device starts authenticating the user.

2.1.3 MAC address bypass authentication


MAC address bypass authentication: The S2300 triggers 802.1X authentication for a user. If the user does not respond within 30 seconds, the S2300 sends the MAC address of the user to the RADIUS server, and then the RADIUS server uses the MAC address as the user name and password to authenticate the user.

2.2 NAC Features Supported by the S2300


This section describes the NAC features supported by the S2300.
Functioning as the network access device (NAD), the S2300 supports the following NAC features:
- Interface-based 802.1x authentication
- MAC address-based 802.1x authentication
- EAPOL termination authentication
- EAPOL transparent transmission authentication
- MAC address authentication
- MAC address bypass authentication
The S2300 automatically specifies the VLAN for users after they pass 802.1x authentication, MAC address authentication, or MAC address bypass authentication. When a user passes 802.1x authentication, MAC address authentication, or MAC address bypass authentication, the system delivers a VLAN to the user according to the VLAN information carried in the response packets of the authentication server, in either of the following modes:
- If the VLAN ID carried in the response packets of the authentication server is an integer ranging from 1 to 4094, the system delivers the VLAN according to the VLAN ID.
- If the VLAN ID carried in the response packets of the authentication server is not an integer ranging from 1 to 4094, the system delivers the VLAN according to the VLAN description.

After users pass 802.1x authentication, MAC address authentication, or MAC address bypass authentication, the S2300 automatically delivers ACLs to the users; by default, these ACLs allow user packets to pass through.
- Authorization ACL dynamically delivered by the RADIUS server: If a RADIUS server is configured to deliver an authorization ACL and a RADIUS scheme is configured on the related interface of the S2300, the S2300 controls the access permission of the user according to the authorization ACL delivered by the RADIUS server. The network administrator can modify the access permission of a user by changing the authorization ACL configuration on the RADIUS server or the ACL rules on the S2300.

2.3 Configuring 802.1x Authentication


This section describes how to configure the 802.1x authentication function.
2.3.1 Establishing the Configuration Task
2.3.2 Enabling Global 802.1x Authentication
2.3.3 Enabling 802.1x Authentication on an Interface
2.3.4 (Optional) Enabling MAC Bypass Authentication
2.3.5 Setting the Authentication Method for the 802.1x User
2.3.6 (Optional) Configuring the Interface Access Mode
2.3.7 (Optional) Configuring the Authorization Status of an Interface
2.3.8 (Optional) Setting the Maximum Number of Concurrent Access Users
2.3.9 (Optional) Enabling DHCP Packets to Trigger Authentication
2.3.10 (Optional) Configuring 802.1x Timers
2.3.11 (Optional) Configuring the Quiet Timer Function
2.3.12 (Optional) Configuring 802.1x Re-authentication
2.3.13 (Optional) Configuring the Guest VLAN for 802.1x Authentication
2.3.14 (Optional) Enabling the S2300 to Send Handshake Packets to Online Users
2.3.15 (Optional) Setting the Retransmission Count of the Authentication Request
2.3.16 Checking the Configuration

2.3.1 Establishing the Configuration Task


Applicable Environment
You can configure 802.1x to implement port-based network access control, that is, to authenticate and control access devices on an interface of a LAN access control device.

Pre-configuration Tasks
802.1x authentication is only an implementation scheme to authenticate the user identity. To complete the user identity authentication, you need to select the RADIUS or local authentication method. Before configuring 802.1x authentication, complete the following tasks:
- Configuring the ISP authentication domain and AAA schemes, that is, RADIUS or local authentication schemes, for the 802.1x user
- Configuring the user name and password on the RADIUS server if RADIUS authentication is used
- Adding the user name and password manually on the S2300 if local authentication is used

Data Preparation
To configure 802.1x, you need the following data.
No.  Data
1    Number of the interface on which 802.1x authentication is enabled

2.3.2 Enabling Global 802.1x Authentication


Context
Before the configuration of 802.1x authentication, 802.1x needs to be globally enabled first.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
dot1x enable

802.1x authentication is globally enabled. Related configurations of 802.1x authentication take effect only after 802.1x authentication is globally enabled. By default, 802.1x authentication is disabled.
----End

2.3.3 Enabling 802.1x Authentication on an Interface


Context

CAUTION
If 802.1x authentication is enabled on an interface, MAC address authentication cannot be enabled on the interface. If MAC address authentication is enabled on an interface, 802.1x authentication cannot be enabled on the interface. You can enable 802.1x authentication on an interface in the following ways.

Procedure
- In the system view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dot1x enable interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     802.1x authentication is enabled on the interfaces. You can enable 802.1x authentication on interfaces in batches by specifying the interface list in the dot1x enable command in the system view.
- In the interface view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     dot1x enable
     802.1x authentication is enabled on the interface.
If there are online users who logged in through 802.1x authentication, disabling 802.1x authentication is prohibited.
----End

2.3.4 (Optional) Enabling MAC Bypass Authentication



Context
The 802.1x client software cannot be installed or used on some special terminals, such as printers. In this case, MAC bypass authentication can be adopted. If 802.1x authentication of the terminal fails, the access device sends the user name and password, namely the MAC address of the terminal, to the RADIUS server for authentication. This process is MAC address bypass authentication. You can configure MAC address bypass authentication in the following ways.

Procedure
- In the system view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dot1x mac-bypass interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     MAC bypass authentication is enabled on the interfaces. You can configure MAC address bypass authentication on interfaces in batches by specifying the interface list in the dot1x mac-bypass command in the system view.
- In the interface view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     dot1x mac-bypass
     MAC address bypass authentication is enabled on the interface.
After you run the dot1x mac-bypass command, the commands that enable 802.1x authentication on the interface are overwritten:
- If 802.1x authentication is disabled on the interface, 802.1x authentication is enabled after you run the dot1x mac-bypass command.
- If 802.1x authentication has been enabled, the authentication mode on the interface is changed from 802.1x authentication to MAC address bypass authentication after you run the dot1x mac-bypass command.
To disable MAC address bypass authentication, run the undo dot1x enable command. Note that this also disables the 802.1x functions on the interface.
----End

2.3.5 Setting the Authentication Method for the 802.1x User



Context
The authentication method for the 802.1x user can be set according to the actual networking environment and security requirement.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
dot1x authentication-method { chap | eap | pap }

The authentication method is set for the 802.1x user. By default, CHAP authentication is used for an 802.1x user. If you run the dot1x authentication-method command repeatedly, the latest configuration takes effect.
- The Password Authentication Protocol (PAP) uses a two-way handshake and sends the password in plain text.
- The Challenge Handshake Authentication Protocol (CHAP) uses a three-way handshake. It transmits only the user name, not the password, on the network; therefore, compared with PAP authentication, CHAP authentication is more secure and reliable and protects user privacy better.
- In Extensible Authentication Protocol (EAP) authentication, the S2300 sends the authentication information of an 802.1x user to the RADIUS server through EAP packets without converting the EAP packets into RADIUS packets. To use PEAP, EAP-TLS, EAP-TTLS, or EAP-MD5 authentication, you only need to enable EAP authentication.
PAP authentication and CHAP authentication are termination authentication methods; EAP authentication is a relay authentication method.

CAUTION
EAP authentication can be used for 802.1x users only if RADIUS authentication is adopted.
----End

2.3.6 (Optional) Configuring the Interface Access Mode


Context
The 802.1x protocol can work in the following modes:
- Interface mode: If the MAC address of a device connected to an interface passes authentication, all the other devices connected to the interface can access the network without authentication.
- MAC mode: The MAC address of each device connected to the interface must pass authentication before that device can access the network.

You can configure the access mode of an interface in the following ways.

Procedure
- In the system view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dot1x port-method { mac | port } interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     The access mode of the interfaces is configured. You can configure the access mode of interfaces in batches by specifying the interface list in the dot1x port-method command in the system view.
- In the interface view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     dot1x port-method { mac | port }
     The access mode of the interface is configured. By default, the access mode of an interface is MAC mode.

CAUTION
When 802.1x users are online, you cannot use this command to change the access mode of an interface.
----End

2.3.7 (Optional) Configuring the Authorization Status of an Interface


Context
Do as follows to authorize users and control their access scope after users pass authentication. You can configure the authorization status of an interface in the following ways.

Procedure
- In the system view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dot1x port-control { auto | authorized-force | unauthorized-force } interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     The authorization status of the interfaces is set. You can configure the authorization status of interfaces in batches by specifying the interface list in the dot1x port-control command in the system view.
- In the interface view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     dot1x port-control { auto | authorized-force | unauthorized-force }
     The authorization status of the interface is configured. By default, the authorization status of an interface is auto.
- auto: The interface is initially in the unauthorized state and sends and receives only EAPoL packets, so users cannot access network resources. After a user passes the authentication, the interface enters the authorized state and allows users to access network resources.
- authorized-force: The interface is always in the authorized state and allows users to access network resources without authentication.
- unauthorized-force: The interface is always in the unauthorized state and does not allow users to access network resources.
----End

2.3.8 (Optional) Setting the Maximum Number of Concurrent Access Users


Context
When the number of access users on interfaces reaches the maximum value, the S2300 does not trigger authentication for subsequent access users. These subsequent access users thus cannot access the network. You can set the maximum number of access users on interfaces in the following ways.

Procedure
- In the system view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dot1x max-user user-number interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     The maximum number of concurrent access users is set on the interfaces. You can set the maximum number of concurrent access users on interfaces in batches by specifying the interface list in the dot1x max-user command in the system view.
- In the interface view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     dot1x max-user user-number
     The maximum number of concurrent access users is set on the interface. By default, each interface allows up to 8 concurrent access users.
This command takes effect only on interfaces where users are authenticated based on MAC addresses. If users are authenticated based on the interface, the maximum number of access users is automatically set to 1: only one user needs to be authenticated successfully on the interface, and other users can access the network after the first user passes authentication.
NOTE
You can use this command while users are online on the S2300. The command does not affect existing online users but takes effect for users who are authenticated after the command is run.
The maximum number of NAC users allowed by the S2300 is 8.
----End

2.3.9 (Optional) Enabling DHCP Packets to Trigger Authentication


Context
After DHCP packets are enabled to trigger authentication, 802.1x allows the S2300 to trigger user identity authentication when the access user runs DHCP to apply for an IP address. In this case, an 802.1x user is authenticated without having to initiate authentication from the client software. This speeds up network deployment.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
dot1x dhcp-trigger

Dynamic Host Configuration Protocol (DHCP) packets are enabled to trigger user authentication. By default, DHCP packets do not trigger authentication. After you run the dot1x dhcp-trigger command, users cannot obtain IP addresses through DHCP if they do not pass the authentication.
----End

2.3.10 (Optional) Configuring 802.1x Timers


Context
When enabled, 802.1x starts several timers to ensure orderly exchanges between the supplicants, the authenticator, and the authentication server. To adjust the exchange process, you can change the values of some of these timers by running commands; other timers cannot be adjusted. Adjusting the timers may be necessary in certain cases or in a poor network environment. Normally, it is recommended that you retain the default settings of the timers.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
dot1x timer { client-timeout client-timeout-value | handshake-period handshake-period-value | quiet-period quiet-period-value | reauthenticate-period reauthenticate-period-value | server-timeout server-timeout-value | tx-period tx-period-value }

The timers of 802.1x authentication are set.
- client-timeout: Authentication timeout timer of the client. By default, the timeout timer is 30s.
- handshake-period: Interval at which the S2300 sends handshake packets to the 802.1x client. By default, the handshake interval is 15s.
- quiet-period: Period of the quiet timer. By default, the quiet timer is 60s.
- reauthenticate-period: Re-authentication interval. By default, the re-authentication interval is 3600s.
- server-timeout: Timeout timer of the authentication server. By default, the timeout timer of the authentication server is 30s.
- tx-period: Interval for sending authentication requests. By default, the interval for sending authentication request packets is 30s.
The dot1x timer command only sets the values of the timers; you need to enable the corresponding timers by running the related commands or by adopting the default settings.
----End

2.3.11 (Optional) Configuring the Quiet Timer Function


Context
If a user fails to pass 802.1x authentication after the quiet timer function is enabled, the S2300 considers the user quiet for a period and does not process authentication requests from the user during this period. In this manner, the impact of frequent authentication attempts is prevented. When the quiet timer function is enabled, to prevent an 802.1x user from entering the silent state after the first authentication failure, you can set the number of authentication failures after which the 802.1x user enters the silent state to a value greater than 1 on the S2300.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
dot1x quiet-period

The quiet timer function is enabled. By default, the quiet timer function is disabled. During the quiet period, the S2300 discards the 802.1x authentication request packets from the user. You can run the dot1x timer command to set the quiet period. For details, see 2.3.10 (Optional) Configuring 802.1x Timers.
Step 3 Run:
dot1x quiet-times fail-times

The number of authentication failures within 60 seconds after which the 802.1x user enters the silent state is set. By default, the 802.1x user enters the silent state after 3 authentication failures within 60 seconds.
----End

2.3.12 (Optional) Configuring 802.1x Re-authentication


Context
The S2300 re-authenticates users who pass 802.1x authentication after a period of time to ensure the validity of users. You can configure 802.1x re-authentication in the following ways.

Procedure
- In the system view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dot1x reauthenticate interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     Re-authentication is enabled on the interfaces. You can configure 802.1x re-authentication on interfaces in batches by specifying the interface list in the dot1x reauthenticate command in the system view.
- In the interface view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     dot1x reauthenticate
     Re-authentication is enabled on the interface. By default, 802.1x re-authentication is disabled on an interface.
You can run the dot1x timer command to set the re-authentication interval. For details, see 2.3.10 (Optional) Configuring 802.1x Timers.
----End

2.3.13 (Optional) Configuring the Guest VLAN for 802.1x Authentication


Context
When the user access mode is mac and the guest VLAN is enabled, the S2300 broadcasts authentication request packets to all the 802.1x-enabled interfaces. If an interface does not respond when the maximum number of re-authentications is reached, the S2300 adds this interface to the guest VLAN. Users in the guest VLAN can access resources in the guest VLAN without authentication, but must be authenticated when they access external resources. The users who fail to pass authentication are still allowed to access resources within the specified range.
When the user access mode is port and the interface access control mode is auto, the S2300 adds the interface to the guest VLAN if 802.1x has been enabled in the system view and the interface view. The users connected to this interface are allowed to access resources in the guest VLAN without authentication.
NOTE
The configured guest VLAN cannot be the default VLAN of the interface.

You can configure the guest VLAN in the following ways.

Procedure
- In the system view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dot1x guest-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     The guest VLAN is configured on the interfaces. You can configure the guest VLAN on interfaces in batches by specifying the interface list in the dot1x guest-vlan command in the system view.
- In the interface view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     dot1x guest-vlan vlan-id
     The guest VLAN is configured on the interface. By default, no guest VLAN is configured on an interface.
----End

2.3.14 (Optional) Enabling the S2300 to Send Handshake Packets to Online Users
Context
The S2300 can send handshake packets to a Huawei client to detect whether the user is online. If the client does not support the handshake function, the S2300 will not receive handshake response packets within the handshake interval. In this case, you need to disable the user handshake function to prevent the S2300 from disconnecting users by mistake.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
dot1x handshake

The handshake with 802.1x users is enabled. By default, the S2300 does not send handshake packets to online users. You can run the dot1x timer command to set the handshake interval. For details, see 2.3.10 (Optional) Configuring 802.1x Timers.
Step 3 (Optional) Run:
dot1x handshake packet-type { request-identity | srp-sha1-part2 }

The type of 802.1x authentication handshake packets is set. By default, the type of 802.1x authentication handshake packets is request-identity.
----End

2.3.15 (Optional) Setting the Retransmission Count of the Authentication Request


Context
If the S2300 does not receive a response after sending an authentication request to a user, the S2300 retransmits the authentication request to the user. If no response is received after the authentication request has been sent the maximum number of times, the S2300 stops retransmitting the authentication request to the user.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
dot1x retry max-retry-value

The retransmission count of the authentication request is set. By default, the S2300 retransmits an authentication request to an access user twice.
----End

2.3.16 Checking the Configuration


Prerequisite
The configurations of 802.1x authentication are complete.

Procedure
- Run the display dot1x [ statistics ] [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to check the configuration of 802.1x authentication.
- Run the display mac-address { authen | guest } [ vlan vlan-id ] command to check the configuration of 802.1x authentication and MAC address authentication, or information about the MAC addresses added to the guest VLAN.

----End

Example
View information about 802.1x authentication on GE 0/0/1.
<Quidway> display dot1x interface gigabitethernet 0/0/1
GigabitEthernet0/0/1 status: UP
  802.1x protocol is Enabled[macbypass]
  Port control type is Auto
  Authentication method is MAC-based
  Reauthentication is disabled
  Maximum users: 8
  Current users: 2
  Authentication Success: 1      Failure: 11
  EAPOL Packets: TX : 24         RX : 4
  Sent EAPOL Request/Identity Packets   : 11
       EAPOL Request/Challenge Packets  : 1
       Multicast Trigger Packets        : 0
       DHCP Trigger Packets             : 0
       EAPOL Success Packets            : 1
       EAPOL Failure Packets            : 11
  Received EAPOL Start Packets          : 2
       EAPOL LogOff Packets             : 0
       EAPOL Response/Identity Packets  : 1
       EAPOL Response/Challenge Packets : 1

View information about the MAC address used in 802.1x authentication or MAC address authentication.
<Quidway> display mac-address authen
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address    VLAN/   PEVLAN  CEVLAN  Port     Type    LSP/LSR-ID
               VSI/SI                                   MAC-Tunnel
-------------------------------------------------------------------------------
0000-0000-0100 3000                    GE0/0/1  authen
0000-0000-0200 3000                    GE0/0/1  authen
0000-0000-0600 3000                    GE0/0/1  authen
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 64

View information about the MAC address added to the guest VLAN.
<Quidway> display mac-address guest
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address    VLAN/   PEVLAN  CEVLAN  Port     Type    LSP/LSR-ID
               VSI/SI                                   MAC-Tunnel
-------------------------------------------------------------------------------
0000-0000-0404 3010                    GE0/0/1  guest
0000-0000-0407 3010                    GE0/0/1  guest
0000-0000-0410 3010                    GE0/0/1  guest
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 67
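The steps in 2.3.2 to 2.3.16 are brought together below as one complete 802.1x configuration for a single S2300. This is an added example, not configuration taken from the guide or a Huawei reference configuration, and it uses only commands documented in this section. It assumes that the RADIUS scheme and ISP domain listed as pre-configuration tasks in 2.3.1 are already in place (not shown), that GigabitEthernet0/0/1 (user PCs), GigabitEthernet0/0/2 (a printer without an 802.1x client) and guest VLAN 100 are constructed values, that VLAN 100 is not the default VLAN of either interface, and that quit returns from the interface view to the system view. Lines beginning with # are annotations, not commands.

```text
# Added example (not from the guide). Assumes the RADIUS scheme and ISP
# domain of 2.3.1 already exist; interface numbers and VLAN 100 are
# constructed values.
<Quidway> system-view
[Quidway] dot1x enable
# EAP relay: the switch forwards EAP to RADIUS instead of terminating it
# (requires RADIUS authentication, see the CAUTION in 2.3.5).
[Quidway] dot1x authentication-method eap
# Let DHCP requests start authentication (2.3.9); hosts get no lease
# until they have passed.
[Quidway] dot1x dhcp-trigger
# Quiet a user after 3 failures within 60 s, for 120 s (2.3.10, 2.3.11).
[Quidway] dot1x quiet-period
[Quidway] dot1x quiet-times 3
[Quidway] dot1x timer quiet-period 120
# Re-authenticate online users every 30 minutes instead of the 3600 s default.
[Quidway] dot1x timer reauthenticate-period 1800
# Detect silently departed clients (Huawei client required, 2.3.14).
[Quidway] dot1x handshake
[Quidway] dot1x retry 2
# Port for user PCs: one authentication per MAC address, at most 8 users,
# periodic re-authentication, unauthenticated hosts parked in VLAN 100.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] dot1x enable
[Quidway-GigabitEthernet0/0/1] dot1x port-method mac
[Quidway-GigabitEthernet0/0/1] dot1x port-control auto
[Quidway-GigabitEthernet0/0/1] dot1x max-user 8
[Quidway-GigabitEthernet0/0/1] dot1x reauthenticate
[Quidway-GigabitEthernet0/0/1] dot1x guest-vlan 100
[Quidway-GigabitEthernet0/0/1] quit
# Printer port: no 802.1x client, so fall back to MAC bypass. dot1x mac-bypass
# also enables 802.1x on the interface (2.3.4); undo dot1x enable removes both.
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] dot1x mac-bypass
[Quidway-GigabitEthernet0/0/2] dot1x port-method mac
[Quidway-GigabitEthernet0/0/2] dot1x max-user 1
[Quidway-GigabitEthernet0/0/2] quit
# Verify (2.3.16): expect "802.1x protocol is Enabled" on both ports, with
# [macbypass] only on GE0/0/2, "Port control type is Auto" and
# "Reauthentication is enabled" on GE0/0/1.
[Quidway] display dot1x interface gigabitethernet 0/0/1 to 0/0/2
[Quidway] display mac-address authen
[Quidway] display mac-address guest vlan 100
```

The PC port keeps port-control auto with per-MAC authentication and periodic re-authentication, so a host whose credentials are revoked is cut off at the next re-authentication instead of staying online for the rest of the session; authorized-force would skip authentication altogether and is not used. The printer port uses MAC bypass with max-user 1 because a MAC address is a weak credential: limiting the port to one user, and comparing the output of display mac-address authen against the expected printer address, keeps that exposure small and visible.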

2.4 Configuring MAC Address Authentication


This section describes how to configure the MAC address authentication function.

2.4.1 Establishing the Configuration Task
2.4.2 Enabling Global MAC Address Authentication
2.4.3 Enabling MAC Address Authentication on an Interface
2.4.4 Configuring a User Name for MAC Address Authentication
A fixed user name or a MAC address can be used for MAC address authentication.
2.4.5 (Optional) Configuring the Domain for MAC Address Authentication
2.4.6 (Optional) Setting the Timers of MAC Address Authentication
2.4.7 (Optional) Configuring the Guest VLAN for MAC Address Authentication
2.4.8 (Optional) Setting the Maximum Number of Access Users Who Adopt MAC Address Authentication
2.4.9 (Optional) Re-Authenticating a User with the Specified MAC Address
2.4.10 Checking the Configuration

2.4.1 Establishing the Configuration Task


Applicable Environment
MAC address authentication can be configured to authenticate terminals on which client software cannot be installed, such as faxes and printers.

Pre-configuration Tasks
MAC address authentication is only an implementation scheme to authenticate the user identity. To complete the user identity authentication, you need to select the RADIUS or local authentication method. Before configuring MAC address authentication, complete the following tasks:
- Configuring the ISP authentication domain and AAA schemes, that is, RADIUS or local authentication schemes, for the 802.1x user
- Configuring the user name and password on the RADIUS server if RADIUS authentication is used
- Adding the user name and password manually on the S2300 if local authentication is used

Data Preparation
To configure MAC address authentication, you need the following data.

No.  Data
1    Number of the interface on which MAC address authentication is enabled

2.4.2 Enabling Global MAC Address Authentication



Context
Before the configuration of MAC address authentication, enable MAC address authentication globally.

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  mac-authen
MAC address authentication is enabled globally. Related configurations of MAC address authentication take effect only after MAC address authentication is enabled globally. By default, MAC address authentication is disabled globally.

----End

2.4.3 Enabling MAC Address Authentication on an Interface


Context

CAUTION
If MAC address authentication is enabled on an interface, 802.1x authentication cannot be enabled on that interface, and vice versa.

You can enable MAC address authentication on an interface in the following ways.

Procedure
- In the system view:
  1. Run:
       system-view
     The system view is displayed.
  2. Run:
       mac-authen interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     MAC address authentication is enabled on the interfaces. If users who logged in through MAC address authentication are online, MAC address authentication cannot be disabled.

- In the interface view:
  1. Run:
       system-view
     The system view is displayed.
  2. Run:
       interface interface-type interface-number
     The interface view is displayed.
  3. Run:
       mac-authen
     MAC address authentication is enabled on the interface. Ensure that no user is online before disabling MAC address authentication with the undo mac-authen command.
----End

2.4.4 Configuring a User Name for MAC Address Authentication


A fixed user name or a MAC address can be used for MAC address authentication.

Context
When a fixed user name is used for MAC address authentication, setting a password is optional. When the MAC address is used as the user name, the MAC address is also used as the authentication password.

Procedure
- Setting the user name format in the system view
  1. Run:
       system-view
     The system view is displayed.
  2. Run:
       mac-authen username { fixed username [ password { cipher | simple } password ] | macaddress [ format { with-hyphen | without-hyphen } ] }
     The user name format for MAC address authentication is set. A MAC address used as the user name has two formats: with hyphens (such as 0010-8300-0011) and without hyphens (such as 001083000011). By default, the MAC address without hyphens is used as the user name for MAC address authentication.
----End

2.4.5 (Optional) Configuring the Domain for MAC Address Authentication



Context
If the user name is a MAC address, or a fixed user name that does not contain a domain name, and no authentication domain is configured with this command, the default authentication domain is used. If the fixed user name contains a domain name, that domain is used for the user.
NOTE

Before configuring the authentication domain for the user who uses MAC address authentication, you need to confirm that a domain is available. Otherwise, the system displays an error message during the configuration.

Procedure
- In the system view:
  1. Run:
       system-view
     The system view is displayed.
  2. Run:
       mac-authen domain isp-name [ mac-address mac-address mask mask ]
     The authentication domain is configured for users who use MAC address authentication.
----End

2.4.6 (Optional) Setting the Timers of MAC Address Authentication


Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  mac-authen timer { guest-vlan reauthenticate-period interval | offline-detect offline-detect-value | quiet-period quiet-value | reauthenticate-period interval | server-timeout server-timeout-value }
The timers for MAC address authentication are set.
- guest-vlan reauthenticate-period: interval for re-authenticating users in a guest VLAN. By default, the re-authentication interval is 60s.
- offline-detect: offline-detect timer, the interval at which the S2300 checks whether a user has gone offline. By default, the offline-detect timer is 300s.
- quiet-period: quiet timer. After a user fails authentication, the S2300 waits for this period before processing further authentication requests from the user; requests received during the quiet period are not processed. By default, the quiet timer is 60s.
- server-timeout: server timeout timer. If the connection between the S2300 and the RADIUS server times out during authentication, the authentication fails. By default, the server timeout is 30s.

----End

2.4.7 (Optional) Configuring the Guest VLAN for MAC Address Authentication
Context
If MAC address authentication fails after the guest VLAN function is enabled, the S2300 adds the user to the guest VLAN. Users in the guest VLAN can then access resources in the guest VLAN without MAC address authentication, but must be authenticated before they can access external resources. Thus certain resources are available to users who have not been authenticated.
NOTE

The VLAN to be configured as the guest VLAN must exist in the system and cannot be the default VLAN of the interface.

You can configure the guest VLAN in the following ways.

Procedure
- In the system view:
  1. Run:
       system-view
     The system view is displayed.
  2. Run:
       mac-authen guest-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     The guest VLAN of the interfaces is configured. You can configure the guest VLAN of interfaces in batches by specifying the interface list in the mac-authen guest-vlan command in the system view.
- In the interface view:
  1. Run:
       system-view
     The system view is displayed.
  2. Run:
       interface interface-type interface-number
     The interface view is displayed.
  3. Run:
       mac-authen guest-vlan vlan-id
     The guest VLAN of the interface is configured. By default, no guest VLAN is configured on an interface.
----End

2.4.8 (Optional) Setting the Maximum Number of Access Users Who Adopt MAC Address Authentication

Context
When the number of access users on an interface reaches the limit, the S2300 does not trigger the authentication for the users connecting to the interface later; therefore, these users cannot access the network. You can configure the maximum number of access users who adopt MAC address authentication in the following ways.

Procedure
- In the system view:
  1. Run:
       system-view
     The system view is displayed.
  2. Run:
       mac-authen max-user user-number interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     The maximum number of access users who adopt MAC address authentication is set on the interfaces. You can set this limit on interfaces in batches by specifying the interface list in the mac-authen max-user command in the system view.
- In the interface view:
  1. Run:
       system-view
     The system view is displayed.
  2. Run:
       interface interface-type interface-number
     The interface view is displayed.
  3. Run:
       mac-authen max-user user-number
     The maximum number of access users who adopt MAC address authentication on the interface is set. By default, the maximum number of access users who adopt MAC address authentication on an interface of the S2300 is 8. The maximum number of NAC access users is 128.
----End

2.4.9 (Optional) Re-Authenticating a User with the Specified MAC Address


Context
The system can re-authenticate a user who has passed MAC address authentication. If the user passes re-authentication, the user needs to be re-authorized; otherwise, the user goes offline.

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  mac-authen reauthenticate mac-address mac-address
The specified user who has passed MAC address authentication is re-authenticated. A user who has not passed MAC address authentication is not re-authenticated.

Step 3 Run:
  mac-authen reauthenticate interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
MAC address re-authentication is enabled on the specified interfaces.

Step 4 Run:
  interface interface-type interface-number
The interface view is displayed.

Step 5 Run:
  mac-authen reauthenticate
MAC address re-authentication is enabled on the interface.

----End
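The behaviour that sections 2.4.4 to 2.4.9 describe (user-name format, quiet timer, guest VLAN, per-interface user limit and re-authentication), as an added Python model for reasoning about how an access interface treats an unknown MAC address; this is example code, not Huawei's implementation. The local user table, interface names and MAC addresses are constructed, and guest-VLAN users are assumed not to count toward max-user.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict


def mac_username(mac, fmt="without-hyphen", fixed=None):
    """Credential (user name, password) the switch presents to the AAA scheme.

    fixed=(name, password) models 'mac-authen username fixed'; otherwise the MAC
    address is both user name and password ('mac-authen username macaddress'), in
    the with-hyphen (0010-8300-0011) or without-hyphen (001083000011) format.
    """
    if fixed is not None:
        return fixed
    raw = mac.replace("-", "").replace(":", "").lower()
    if len(raw) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    if fmt == "with-hyphen":
        name = "-".join(raw[i:i + 4] for i in range(0, 12, 4))
    else:
        name = raw                      # default format on the S2300
    return name, name


@dataclass
class MacAuthPort:
    """One interface with mac-authen enabled (simplified model, not the S2300 code)."""
    name: str
    authenticate: Callable[[str, str], bool]   # RADIUS or local check of (user, password)
    max_user: int = 8                          # default per-interface limit (2.4.8)
    quiet_period: int = 60                     # default quiet timer in seconds (2.4.6)
    guest_vlan: int = 0                        # 0 = no guest VLAN configured (2.4.7)
    username_format: str = "without-hyphen"    # default format (2.4.4)
    online: Dict[str, str] = field(default_factory=dict)       # mac -> "authorized" / "guest-vlan N"
    quiet_until: Dict[str, int] = field(default_factory=dict)  # mac -> end of quiet period

    def _authorized_count(self):
        # Assumption: guest-VLAN users do not count toward max-user.
        return sum(1 for state in self.online.values() if state == "authorized")

    def on_frame(self, mac, now):
        """First frame from a MAC triggers authentication; returns the user's state."""
        if mac in self.online:
            return self.online[mac]
        if self.quiet_until.get(mac, 0) > now:
            return "quiet: request not processed"       # quiet timer still running
        if self._authorized_count() >= self.max_user:
            return "denied: max-user reached"            # authentication is not triggered
        user, password = mac_username(mac, self.username_format)
        if self.authenticate(user, password):
            self.online[mac] = "authorized"
        elif self.guest_vlan:
            self.online[mac] = f"guest-vlan {self.guest_vlan}"   # limited access only
        else:
            self.quiet_until[mac] = now + self.quiet_period
            return "denied: authentication failed"
        return self.online[mac]

    def reauthenticate(self, mac):
        """mac-authen reauthenticate: re-authorize on success, take the user offline otherwise."""
        if mac not in self.online:
            return "not online: nothing to re-authenticate"
        user, password = mac_username(mac, self.username_format)
        if self.authenticate(user, password):
            self.online[mac] = "authorized"
            return "authorized"
        del self.online[mac]
        return "offline"


def demo():
    # Constructed local user table: for MAC users the account name is the MAC itself.
    local_users = {"001083000011": "001083000011", "001083000022": "001083000022"}
    aaa = lambda user, password: local_users.get(user) == password

    events = []
    # Interface with a guest VLAN: devices that fail get limited access instead of none.
    p1 = MacAuthPort("GE0/0/1", aaa, guest_vlan=3010)
    events.append(p1.on_frame("0010-8300-0011", now=0))    # known printer
    events.append(p1.on_frame("0010-8300-0033", now=1))    # unknown device -> guest VLAN
    local_users["001083000033"] = "001083000033"           # operator adds the account
    events.append(p1.reauthenticate("0010-8300-0033"))     # 2.4.9: re-authorized
    # Interface without guest VLAN and max-user 1: quiet timer and user limit show.
    p2 = MacAuthPort("GE0/0/2", aaa, max_user=1)
    events.append(p2.on_frame("0010-8300-0044", now=0))    # unknown device fails
    events.append(p2.on_frame("0010-8300-0044", now=30))   # inside the quiet period
    events.append(p2.on_frame("0010-8300-0022", now=31))   # known device is authorized
    events.append(p2.on_frame("0010-8300-0044", now=61))   # quiet over, but port is full
    return events


if __name__ == "__main__":
    for event in demo():
        print(event)
```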

2.4.10 Checking the Configuration


Prerequisite
The configurations of MAC address authentication are complete.

Procedure
- Run the display mac-authen [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to view the configuration of MAC address authentication.
- Run the display mac-address { authen | guest } [ vlan vlan-id ] command to check information about 802.1x authentication and MAC address authentication, or about the MAC addresses added to the guest VLAN.

----End

2.5 Maintaining NAC


This section describes how to clear statistics about NAC and debug NAC.
2.5.1 Clearing the Statistics About 802.1x Authentication
2.5.2 Clearing Statistics About MAC Address Authentication

2.5.1 Clearing the Statistics About 802.1x Authentication


Context

CAUTION
Statistics cannot be restored after being cleared, so confirm the action before running the following command. After confirming, proceed as follows in the user view.

Procedure
l Run the reset dot1x statistics [ interface { interface-type interface-number1 [ to interfacenumber2 ] } ] command to clear the statistics about 802.1x authentication.

----End

2.5.2 Clearing Statistics About MAC Address Authentication


Context

CAUTION
Statistics cannot be restored after being cleared, so confirm the action before running the following command. After confirming, proceed as follows in the user view.

Procedure
l Run the reset mac-authen statistics [ interface { interface-type interface-number1 [ to interface-number2 ] } ] command to clear the statistics about MAC address authentication.

----End

2.6 Configuration Examples


This section provides several configuration examples of NAC.
2.6.1 Example for Configuring the RADIUS Server to Deliver Authorization ACL

2.6.1 Example for Configuring the RADIUS Server to Deliver Authorization ACL

Networking Requirements
As shown in Figure 2-2, the PC accesses the network using 802.1x authentication. The authentication server is a RADIUS server, and an HTTP server is located on the Internet. After the user goes online, the RADIUS server is required to deliver an ACL so that the user is allowed to connect to the Internet but cannot access the HTTP server.

Figure 2-2 Networking diagram for configuring 802.1x authentication
(Diagram not reproduced. Labels in the figure: PC 192.168.1.10; Switch; Radius Server 100.1.1.1 and 100.1.1.2; HTTP Server 101.0.0.2; Internet; 192.168.1.1/24 and 192.168.1.2/24.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the RADIUS authentication server to deliver the authorization ACL.
2. Configure a RADIUS server template.
3. Configure an AAA authentication scheme.
4. Configure a domain.
5. Configure an ACL on the Switch with the same number as the ACL on the RADIUS server, and configure the ACL rules.
6. Configure 802.1x authentication.

Data Preparation
To complete the configuration, you need the following data:
- IP address of the RADIUS authentication server: 100.1.1.1; authentication port number: 1812
- RADIUS server template: rd1
- Shared key of the RADIUS server: hello
- AAA authentication scheme: web1
- Domain: isp1
- ACL number: 3000
NOTE

In this example, only the configuration of the Switch is provided; the configuration of the RADIUS server is not described.


Procedure
Step 1 Configure a RADIUS server template.
# Configure a RADIUS server template rd1.
[Quidway] radius-server template rd1
# Configure the IP address and port number of the primary RADIUS authentication server.
[Quidway-radius-rd1] radius-server authentication 100.1.1.1 1812
# Configure the shared key of the RADIUS server.
[Quidway-radius-rd1] radius-server shared-key cipher hello
[Quidway-radius-rd1] quit

Step 2 Create an authentication scheme web1 and set the authentication method to RADIUS authentication.
[Quidway] aaa
[Quidway-aaa] authentication-scheme web1
[Quidway-aaa-authen-1] authentication-mode radius
[Quidway-aaa-authen-1] quit

Step 3 Create a domain isp1 and bind the authentication scheme and RADIUS server template to the domain.
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme web1
[Quidway-aaa-domain-isp1] accounting-scheme web1
[Quidway-aaa-domain-isp1] radius-server rd1
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit

Step 4 Configure ACL 3000 to reject the packets with the destination address 101.0.0.2.
[Quidway] acl 3000
[Quidway-acl-adv-3000] rule 0 deny ip destination 101.0.0.2 0
[Quidway-acl-adv-3000] quit

Step 5 Configure 802.1x authentication.
# Enable 802.1x authentication globally.
[Quidway] dot1x enable

Step 6 Verify the configuration.
After the user goes online successfully, ping the HTTP server from the PC to check whether ACL 3000 takes effect.
[Quidway] ping 101.0.0.2
  PING 101.0.0.2: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 10.0.0.1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

----End

Configuration Files
#
 sysname Quidway
#
 dot1x enable
#
radius-server template rd1
 radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 radius-server authentication 10.1.1.1 1812
 radius-server accounting 100.1.1.2 1813
#
acl number 3000
 rule 0 deny ip destination 101.0.0.2 0
#
aaa
 authentication-scheme web1
  authentication-mode radius
 domain isp1
  authentication-scheme web1
  accounting-scheme web1
  radius-server rd1
#
return


3 DHCP Snooping Configuration

About This Chapter

This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP) snooping on the S2300 to defend against DHCP attacks.

NOTE
S2300SI does not support DHCP Snooping.

3.1 Introduction to DHCP Snooping
  This section describes the principle of DHCP snooping.
3.2 DHCP Snooping Features Supported by the S2300
  This section describes the DHCP snooping features supported by the S2300.
3.3 Preventing the Bogus DHCP Server Attack
  To prevent the attack from a bogus DHCP server, use the trusted/untrusted working mode of DHCP snooping.
3.4 Preventing the DoS Attack by Changing the CHADDR Field
  This section describes how to prevent attackers from attacking the DHCP server by modifying the CHADDR field.
3.5 Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases
  This section describes how to prevent attackers from attacking the DHCP server by forging DHCP messages that extend IP address leases.
3.6 Setting the Maximum Number of DHCP Snooping Users
  This section describes how to set the maximum number of DHCP snooping users, so that an attacker who applies for IP addresses continuously cannot prevent authorized users from accessing the network.
3.7 Limiting the Rate of Sending DHCP Messages
  This section describes how to prevent attackers from sending a large number of DHCP Request messages to attack the S2300.
3.8 Configuring the Packet Discarding Alarm Function
  An alarm is generated when the number of discarded packets exceeds the threshold.
3.9 Maintaining DHCP Snooping
  This section describes how to maintain DHCP snooping.
3.10 Configuration Examples
  This section provides several configuration examples of DHCP snooping.


3.1 Introduction to DHCP Snooping


This section describes the principle of DHCP snooping.

DHCP snooping intercepts and analyzes DHCP messages transmitted between DHCP clients and a DHCP server. From these messages it creates and maintains a DHCP snooping binding table, and filters untrusted DHCP messages according to the table. The binding table contains the MAC address, IP address, lease, binding type, VLAN ID, and interface information.

By recording the mapping between the IP addresses and MAC addresses of clients, DHCP snooping ensures that authorized users can access the network, and acts as a firewall between DHCP clients and the DHCP server. DHCP snooping prevents attacks including DHCP Denial of Service (DoS) attacks, bogus DHCP server attacks, and bogus DHCP messages for extending IP address leases.
NOTE

In this manual, DHCP snooping includes DHCPv4 snooping and DHCPv6 snooping.

3.2 DHCP Snooping Features Supported by the S2300


This section describes the DHCP snooping features supported by the S2300. The S2300 supports security features such as the trusted interface, the DHCP snooping binding table, binding of the IP address, MAC address, interface, and VLAN ID, and Option 82. These features secure a device on which DHCP is enabled.

Applying DHCP Snooping on the S2300 on a Layer 2 Network


When being deployed on a Layer 2 network, the S2300 is located between the DHCP relay and the Layer 2 user network. Figure 3-1 shows the DHCP snooping application on the S2300 where DHCP snooping is enabled.


Figure 3-1 Networking diagram for applying DHCP snooping on the S2300 on a Layer 2 network
(Diagram not reproduced. Labels in the figure: L3 network, DHCP server, DHCP relay, Switch, Trusted, Untrusted, L2 network, User network.)

DHCPv6 Snooping
The S2300 supports DHCPv6 snooping. That is, after DHCP snooping is enabled, binding entries are also created for the users using IPv6 addresses. A DHCPv6 snooping binding entry consists of the IPv6 address, MAC address, interface number, and VLAN ID of a user.

Type of Attacks Defended Against by DHCP Snooping


DHCP snooping provides different operation modes according to the type of attack, as shown in Table 3-1.

Table 3-1 Matching table between type of attacks and DHCP snooping operation modes

Type of Attack                                                DHCP Snooping Operation Mode
Bogus DHCP server attack                                      Setting an interface to trusted or untrusted
DoS attack by changing the value of the CHADDR field          Checking the CHADDR field in DHCP messages
Attack by sending bogus messages to extend IP address leases  Checking whether DHCP Request messages match entries in the DHCP snooping binding table
DHCP flooding attack                                          Limiting the rate of sending DHCP messages


3.3 Preventing the Bogus DHCP Server Attack


To prevent the attack from a bogus DHCP server, use the trusted/untrusted working mode of DHCP snooping.
3.3.1 Establishing the Configuration Task
  Establishing the configuration task of preventing the bogus DHCP server attack.
3.3.2 Enabling DHCP Snooping
  After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN. Otherwise, DHCP snooping does not take effect.
3.3.3 Configuring an Interface as a Trusted Interface
  Generally, the interface connected to the DHCP server is configured as trusted and other interfaces are configured as untrusted.
3.3.4 (Optional) Enabling Detection of Bogus DHCP Servers
  Before enabling detection of bogus DHCP servers, ensure that DHCP snooping is enabled globally and on the interface. Otherwise, the detection function does not take effect.
3.3.5 Checking the Configuration
  Checking the configuration of preventing the bogus DHCP server attack.

3.3.1 Establishing the Configuration Task


Establishing the Configuration Task of Preventing the Bogus DHCP Server Attack.

Applicable Environment
When a bogus DHCP server exists on a network, it replies to DHCP clients with incorrect information, such as an incorrect gateway address, an incorrect DNS server address, or an incorrect IP address. As a result, the DHCP client cannot access the network, or cannot reach the correct destination network. To prevent a bogus DHCP server attack, configure DHCP snooping on the S2300, configure the network-side interface as trusted and the user-side interfaces as untrusted, and discard DHCP Reply messages received from untrusted interfaces. To locate a bogus DHCP server, configure detection of bogus DHCP servers on the S2300. The S2300 then obtains information about DHCP servers by checking DHCP Reply messages and records it in the log, which facilitates network maintenance.

Pre-configuration Tasks
Before preventing the bogus DHCP server attack, complete the following task:
- Configuring the DHCP server

Data Preparation
To prevent the bogus DHCP server attack, you need the following data.

No.  Data
1    Type and number of the interface that needs to be set to trusted

3.3.2 Enabling DHCP Snooping


After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN. Otherwise, DHCP snooping does not take effect.

Context
To enable DHCP snooping, you need to comply with the following sequence:
- Enable DHCP globally.
- Enable DHCP snooping globally.
- Enable DHCP snooping on an interface or in a VLAN.

Procedure
- Enabling DHCP snooping in the VLAN view
  1. Run:
       system-view
     The system view is displayed.
  2. Run:
       dhcp enable
     DHCP is enabled globally.
  3. Run:
       dhcp snooping enable
     DHCP snooping is enabled globally.
  4. Run:
       vlan vlan-id
     The VLAN view is displayed.
  5. Run:
       dhcp snooping enable
     DHCP snooping is enabled in the VLAN.
  6. Run:
       quit
     Return to the system view.
  7. (Optional) Run:
       interface interface-type interface-number
     The interface view is displayed.
  8. (Optional) Run:
       dhcp snooping disable
     DHCP snooping is disabled on the specified interface in the VLAN. To disable DHCP snooping on a specified interface in a VLAN, perform steps 6 and 7.
- Enabling DHCP snooping in the interface view
  1. Run:
       system-view
     The system view is displayed.
  2. Run:
       dhcp enable
     DHCP is enabled globally.
  3. Run:
       dhcp snooping enable
     DHCP snooping is enabled globally.
  4. Run:
       interface interface-type interface-number
     The interface view is displayed.
  5. Run:
       dhcp snooping enable
     DHCP snooping is enabled on the interface.
----End

3.3.3 Configuring an Interface as a Trusted Interface


Generally, the interface connected to the DHCP server is configured as trusted and other interfaces are configured as untrusted.

Context
After DHCP snooping is enabled on an interface, the interface is an untrusted interface by default.

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  interface interface-type interface-number
The interface view is displayed. The interface is the network-side interface connected to the DHCP server.
Or, run:
  vlan vlan-id
The VLAN view is displayed.

Step 3 In the interface view, run:
  dhcp snooping trusted
Or, in the VLAN view, run:
  dhcp snooping trusted interface interface-type interface-number
The interface is configured as a trusted interface. DHCP Reply messages received from an untrusted interface are discarded. The dhcp snooping trusted interface command takes effect only if the interface has been added to the VLAN.

----End

3.3.4 (Optional) Enabling Detection of Bogus DHCP Servers


Before enabling detection of bogus DHCP servers, ensure that DHCP snooping is enabled globally and on the interface. Otherwise, the detection function does not take effect.

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  dhcp server detect
Detection of bogus DHCP servers is enabled. By default, detection of bogus DHCP servers is disabled on the S2300.

----End

3.3.5 Checking the Configuration


Checking the Configuration of Preventing the Bogus DHCP Server Attack.

Prerequisite
The configurations of preventing the bogus DHCP server attack are complete.

Procedure
- Run the display dhcp snooping global command to check information about global DHCP snooping.
- Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface.
- Run the display dhcp { snooping | static } user-bind { dai-status | interface interface-type interface-number | ip-address ip-address | ipsg-status | mac-address mac-address | vlan vlan-id [ interface interface-type interface-number ] | all [ verbose ] } command to check information about the DHCP binding table.
- Run the display dhcpv6 { snooping | static } user-bind { interface interface-type interface-number | ip-address ip-address | ipsg-status | mac-address mac-address | vlan vlan-id [ interface interface-type interface-number ] | all [ verbose ] } command to check information about the DHCPv6 binding table.

----End

3.4 Preventing the DoS Attack by Changing the CHADDR Field


This section describes how to prevent attackers from attacking the DHCP server by modifying the CHADDR field.
3.4.1 Establishing the Configuration Task
  Establishing the configuration task of preventing the DoS attack by changing the CHADDR field.
3.4.2 Enabling DHCP Snooping
  After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN. Otherwise, DHCP snooping does not take effect.
3.4.3 Checking the CHADDR Field in DHCP Request Messages
  If the CHADDR field in DHCP Request messages matches the source MAC address in the Ethernet frame header, the messages are forwarded. Otherwise, the messages are discarded.
3.4.4 Checking the Configuration
  Checking the configuration of preventing the DoS attack by changing the CHADDR field.

3.4.1 Establishing the Configuration Task


Establishing the Configuration Task of Preventing the DoS Attack by Changing the CHADDR Field.

Applicable Environment
An attacker may change the client hardware address (CHADDR) carried in DHCP messages, rather than the source MAC address in the frame header, to apply for IP addresses continuously. Because the S2300 validates packets only by the source MAC address in the frame header, such attack packets are forwarded normally and the MAC address limit does not take effect. To prevent this, configure DHCP snooping on the S2300 to check the CHADDR field carried in DHCP Request messages: if the CHADDR field matches the source MAC address in the frame header, the message is forwarded; otherwise, it is discarded.

Pre-configuration Tasks
Before preventing the DoS attack by changing the CHADDR field, complete the following task:
- Configuring the DHCP server

Data Preparation
To prevent the DoS attack by changing the CHADDR field, you need the following data.

No.  Data
1    Type and number of the interface enabled with the check function

3.4.2 Enabling DHCP Snooping


After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN. Otherwise, DHCP snooping does not take effect.

Context
To enable DHCP snooping, you need to comply with the following sequence:
- Enable DHCP globally.
- Enable DHCP snooping globally.
- Enable DHCP snooping on an interface or in a VLAN.

Procedure
- Enabling DHCP snooping in the VLAN view
  1. Run:
       system-view
     The system view is displayed.
  2. Run:
       dhcp enable
     DHCP is enabled globally.
  3. Run:
       dhcp snooping enable
     DHCP snooping is enabled globally.
  4. Run:
       vlan vlan-id
     The VLAN view is displayed.
  5. Run:
       dhcp snooping enable
     DHCP snooping is enabled in the VLAN.
  6. Run:
       quit
     Return to the system view.
  7. (Optional) Run:
       interface interface-type interface-number
     The interface view is displayed.
  8. (Optional) Run:
       dhcp snooping disable
     DHCP snooping is disabled on the specified interface in the VLAN. To disable DHCP snooping on a specified interface in a VLAN, perform steps 6 and 7.
- Enabling DHCP snooping in the interface view
  1. Run:
       system-view
     The system view is displayed.
  2. Run:
       dhcp enable
     DHCP is enabled globally.
  3. Run:
       dhcp snooping enable
     DHCP snooping is enabled globally.
  4. Run:
       interface interface-type interface-number
     The interface view is displayed.
  5. Run:
       dhcp snooping enable
     DHCP snooping is enabled on the interface.
----End

3.4.3 Checking the CHADDR Field in DHCP Request Messages


If the CHADDR field in DHCP Request messages matches the source MAC address in the Ethernet frame header, the messages are forwarded. Otherwise, the messages are discarded.

Procedure
Step 1 Run:
  system-view
  The system view is displayed.
Step 2 Run:
  interface interface-type interface-number
  The interface view is displayed. The interface is the user-side interface.
Step 3 Run:
  dhcp snooping check dhcp-chaddr enable [ alarm dhcp-chaddr { enable [ threshold threshold-value ] | threshold threshold-value } ]
  The interface is configured to check whether the CHADDR field in DHCP Request messages matches the source MAC address in the Ethernet frame header. By default, an interface does not check the CHADDR field in DHCP Request messages, and the alarm threshold for the rate of discarding DHCP Request messages is set to 100.
----End


3.4.4 Checking the Configuration


Checking the Configuration of Preventing the DoS Attack by Changing the CHADDR Field.

Prerequisite
The configurations of preventing the DoS attack by changing the CHADDR field are complete.

Procedure
- Run the display dhcp snooping global command to check information about global DHCP snooping.
- Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface.

----End

3.5 Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases
This section describes how to prevent attackers from attacking the DHCP server by forging DHCP messages for extending IP address leases.

3.5.1 Establishing the Configuration Task
Establishing the Configuration Task of Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases.

3.5.2 Enabling DHCP Snooping
After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN. Otherwise, DHCP snooping does not take effect.

3.5.3 Enabling Checking of DHCP Request Messages
To prevent unauthorized users from sending DHCP Request messages to request IP address renewal, the S2300 matches the received DHCP Request messages against the binding table to determine whether to forward them.

3.5.4 (Optional) Configuring the Option 82 Function
After the Option 82 function is enabled, the S2300 can generate binding entries for users on different interfaces according to the Option 82 field in DHCP messages, which prevents a bogus DHCP server from replying with incorrect messages.

3.5.5 (Optional) Setting the Format of the Option 82 Field
You can set the format of the Option 82 field globally or on an interface. If the format of the Option 82 field is set on an interface, the format set on the interface takes effect. If the format of the Option 82 field is not set on an interface, the globally configured format takes effect.

3.5.6 (Optional) Appending the Option 18 Field or the Option 37 Field to DHCPv6 Request Messages
If the DHCPv6 server needs to obtain information about the interface or MAC address of the client, the S2300 can append the Option 18 or Option 37 field to DHCPv6 Request messages sent from a client to the DHCPv6 server.

3.5.7 Checking the Configuration
Checking the Configuration of Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases.

3.5.1 Establishing the Configuration Task


Establishing the Configuration Task of Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases.

Applicable Environment
The attacker pretends to be a valid user and continuously sends DHCP Request messages intending to extend the IP address lease. As a result, certain expired IP addresses cannot be reused. To prevent the attacker from sending bogus DHCP messages to extend IP address leases, you can create the DHCP snooping binding table on the S2300 to check DHCP Request messages. If the source IP address, source MAC address, VLAN, and interface of the DHCP Request messages match entries in the binding table, the DHCP Request messages are then forwarded. Otherwise, the DHCP Request messages are discarded.
NOTE

IP addresses are classified into IPv4 addresses and IPv6 addresses. The S2300 checks the source IP addresses of DHCP Request messages, including both IPv4 addresses and IPv6 addresses.

The S2300 checks DHCP Request messages as follows:
1. Checks whether the destination MAC address is all-f. If the destination MAC address is all-f, the S2300 considers the DHCP Request message to be a broadcast message sent by a user going online for the first time and does not check the message against the binding table. Otherwise, the S2300 considers that the user is sending the DHCP Request message to renew the lease of its IP address and checks the message against the binding table.
2. Checks whether the CHADDR field in the DHCP Request message matches an entry in the binding table. If not, the user is going online for the first time and the S2300 forwards the message directly. If yes, the S2300 checks whether the VLAN ID, IP address, and interface information of the message match the binding table entry. If all these fields match, the S2300 forwards the message; otherwise, the S2300 discards the message.
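The CHADDR check of 3.4 and the binding-table check just described, modelled together as an added example; this is not Huawei's code, and the message fields, the binding table contents and the interface names are constructed for illustration:

```python
# Added example (not Huawei code): a model of the two DHCP snooping checks
# described in 3.4 (CHADDR check) and 3.5.1 (binding-table check of DHCP
# Request messages). Field and function names are assumed for illustration.
from dataclasses import dataclass
from typing import Dict, Tuple

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"   # the "all-f" destination MAC address


@dataclass(frozen=True)
class DhcpRequest:
    src_mac: str    # source MAC address in the Ethernet frame header
    dst_mac: str    # destination MAC address in the frame header
    chaddr: str     # client hardware address carried in the DHCP payload
    src_ip: str     # source IP address (IPv4 or IPv6, as text)
    vlan: int       # VLAN the frame was received in
    interface: str  # user-side interface the frame arrived on


@dataclass(frozen=True)
class Binding:
    ip: str
    vlan: int
    interface: str


# DHCP snooping binding table keyed by client MAC address (the CHADDR).
BindingTable = Dict[str, Binding]


def chaddr_matches_frame(req: DhcpRequest) -> bool:
    """3.4: the message passes only if CHADDR equals the frame's source MAC."""
    return req.chaddr.lower() == req.src_mac.lower()


def request_matches_binding(req: DhcpRequest, table: BindingTable) -> Tuple[bool, str]:
    """3.5.1: decide whether a DHCP Request may be forwarded.

    1. All-f destination MAC -> first-time broadcast; the table is not consulted.
    2. CHADDR not in the table -> first-time user; forward.
       CHADDR in the table -> IP address, VLAN and interface must all match.
    """
    if req.dst_mac.lower() == BROADCAST_MAC:
        return True, "broadcast request: binding table not consulted"
    entry = table.get(req.chaddr.lower())
    if entry is None:
        return True, "CHADDR not bound yet: treated as a first-time user"
    if (entry.ip == req.src_ip and entry.vlan == req.vlan
            and entry.interface == req.interface):
        return True, "renewal matches the binding entry"
    return False, "renewal does not match the binding entry"


def snoop(req: DhcpRequest, table: BindingTable,
          check_chaddr: bool = True, check_request: bool = True) -> Tuple[str, str]:
    """Apply both checks, as a user-side interface with both enabled would."""
    if check_chaddr and not chaddr_matches_frame(req):
        return "discard", "CHADDR differs from the frame source MAC"
    if check_request:
        ok, why = request_matches_binding(req, table)
        return ("forward" if ok else "discard"), why
    return "forward", "no checks enabled"


# Constructed sample data: one bound user on Ethernet0/0/1 in VLAN 10.
SAMPLE_TABLE: BindingTable = {
    "00:11:22:33:44:55": Binding(ip="192.0.2.10", vlan=10, interface="Ethernet0/0/1"),
}

SAMPLE_REQUESTS = {
    # Legitimate first-time request: broadcast, CHADDR equals the source MAC.
    "first_time": DhcpRequest("00:11:22:33:44:66", BROADCAST_MAC,
                              "00:11:22:33:44:66", "0.0.0.0", 10, "Ethernet0/0/2"),
    # Legitimate unicast renewal from the bound user.
    "valid_renewal": DhcpRequest("00:11:22:33:44:55", "00:aa:bb:cc:dd:ee",
                                 "00:11:22:33:44:55", "192.0.2.10", 10, "Ethernet0/0/1"),
    # Renewal for the bound MAC arriving on a different interface: discarded.
    "wrong_interface": DhcpRequest("00:11:22:33:44:55", "00:aa:bb:cc:dd:ee",
                                   "00:11:22:33:44:55", "192.0.2.10", 10, "Ethernet0/0/3"),
    # CHADDR differs from the frame source MAC: discarded by the 3.4 check.
    "chaddr_mismatch": DhcpRequest("00:11:22:33:44:66", BROADCAST_MAC,
                                   "00:11:22:33:44:77", "0.0.0.0", 10, "Ethernet0/0/2"),
}


def run_samples() -> Dict[str, str]:
    """Return the forward/discard decision for every constructed request."""
    return {name: snoop(req, SAMPLE_TABLE)[0] for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:16s} -> {snoop(req, SAMPLE_TABLE)}")
```

Note that the last sample only fails because the CHADDR check is enabled; with only the binding-table check, a broadcast request is never compared against the table.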

Pre-configuration Tasks
Before preventing the attacker from sending bogus DHCP messages for extending IP address leases, complete the following tasks:
- Configuring the DHCP server

Data Preparation
To prevent the attacker from sending bogus DHCP messages for extending IP address leases, you need the following data.

No.   Data
1     Type and number of the interface enabled with detection of bogus DHCP servers


3.5.2 Enabling DHCP Snooping


After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN. Otherwise, DHCP snooping does not take effect.

Context
To enable DHCP snooping, you need to comply with the following sequence:
- Enable DHCP globally.
- Enable DHCP snooping globally.
- Enable DHCP snooping on an interface or in a VLAN.

Procedure
- Enabling DHCP snooping in the VLAN view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dhcp enable
     DHCP is enabled globally.
  3. Run:
     dhcp snooping enable
     DHCP snooping is enabled globally.
  4. Run:
     vlan vlan-id
     The VLAN view is displayed.
  5. Run:
     dhcp snooping enable
     DHCP snooping is enabled in a VLAN.
  6. Run:
     quit
     Return to the system view.
  7. (Optional) Run:
     interface interface-type interface-number
     The interface view is displayed.
  8. (Optional) Run:
     dhcp snooping disable
     DHCP snooping is disabled on the specified interface in the VLAN. To disable DHCP snooping on a specified interface in a VLAN, perform steps 6 and 7.
- Enabling DHCP snooping in the interface view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dhcp enable
     DHCP is enabled globally.
  3. Run:
     dhcp snooping enable
     DHCP snooping is enabled globally.
  4. Run:
     interface interface-type interface-number
     The interface view is displayed.
  5. Run:
     dhcp snooping enable
     DHCP snooping is enabled on the interface.
----End

3.5.3 Enabling Checking of DHCP Request Messages


To prevent unauthorized users from sending DHCP Request messages to request IP address renewal, the S2300 matches the received DHCP Request messages to determine whether to forward the DHCP Request messages.

Context
Binding entries of DHCP users are created automatically after DHCP snooping is enabled. If a user uses a static IP address, you need to configure the binding entry of the user manually.

Procedure
Step 1 Run:
  system-view
  The system view is displayed.
Step 2 Run:
  interface interface-type interface-number
  The interface view is displayed. The interface is a user-side interface.
Step 3 Run:
  dhcp snooping check dhcp-request enable [ alarm dhcp-request { enable [ threshold threshold-value ] | threshold threshold-value } ]
  The interface is enabled to check DHCP Request messages. By default, an interface does not check DHCP Request messages, and the alarm threshold for the rate of discarding DHCP Request messages is set to 100.
----End


3.5.4 (Optional) Configuring the Option 82 Function


After the Option 82 function is enabled, the S2300 can generate binding entries for users on different interfaces according to the Option 82 field in DHCP messages, which prevents a bogus DHCP server from replying with incorrect messages.

Procedure
- In the interface view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed. The interface is the user-side interface.
  3. Run:
     dhcp option82 insert enable
     The Option 82 field is appended to DHCP messages.
     Or, run:
     dhcp option82 rebuild enable
     The Option 82 field is forcibly appended to DHCP messages.
     After the dhcp option82 insert enable command is used, the Option 82 field is appended to DHCP messages if the original DHCP messages do not carry the Option 82 field. If a DHCP message already contains an Option 82 field, the S2300 checks whether the Option 82 field contains the Remote-id. If it does, the S2300 retains the original Option 82 field; if not, the S2300 inserts the Remote-id into the Option 82 field. By default, the Remote-id is the MAC address of the S2300.
     After the dhcp option82 rebuild enable command is used, the Option 82 field is appended to DHCP messages if the original DHCP messages do not carry the Option 82 field; if the original DHCP messages carry the Option 82 field, the original field is removed and a new one is appended.
- In the VLAN view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     vlan vlan-id
     The VLAN view is displayed.
  3. Run:
     dhcp option82 insert enable interface { interface-name | interface-type interface-number } [ to interface-number ]
     The Option 82 field is appended to DHCP messages.
     Or, run:
     dhcp option82 rebuild enable interface { interface-name | interface-type interface-number } [ to interface-number ]
     The Option 82 field is forcibly appended to DHCP messages.
     The preceding commands take effect only if the specified interfaces have been added to the VLAN entered in step 2.
     After the dhcp option82 insert enable interface { interface-name | interface-type interface-number } [ to interface-number ] command is used, the Option 82 field is appended to DHCP messages if the original DHCP messages do not carry the Option 82 field. If a DHCP message already contains an Option 82 field, the S2300 checks whether the Option 82 field contains the Remote-id. If it does, the S2300 retains the original Option 82 field; if not, the S2300 inserts the Remote-id into the Option 82 field. By default, the Remote-id is the MAC address of the S2300.
     After the dhcp option82 rebuild enable interface { interface-name | interface-type interface-number } [ to interface-number ] command is used, the Option 82 field is appended to DHCP messages if the original DHCP messages do not carry the Option 82 field; if the original DHCP messages carry the Option 82 field, the original field is removed and a new one is appended.
----End

3.5.5 (Optional) Setting the Format of the Option 82 Field


You can set the format of the Option 82 field globally or on an interface. If the format of the Option 82 field is set on an interface, the format of the Option 82 field on the interface takes effect. If the format of the Option 82 field is not set on an interface, the globally configured format of the Option 82 field takes effect.

Procedure
- Setting the format of the Option 82 field in the system view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dhcp option82 [ circuit-id | remote-id ] format { default | common | extend | user-defined text }
     The format of the Option 82 field is set.
     NOTE
     If the customized format of the Option 82 field is used (that is, user-defined is specified), it is recommended that you specify the interface type, slot ID, and interface number in text.
- Setting the format of the Option 82 field in the interface view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     dhcp option82 [ vlan vlan-id ] [ circuit-id | remote-id ] format { default | common | extend | user-defined text }
     The format of the Option 82 field is set.
     NOTE
     If the customized format of the Option 82 field is used (that is, user-defined is specified), it is recommended that you specify the interface type, slot ID, and interface number in text.
----End

3.5.6 (Optional) Appending the Option 18 Field or the Option 37 Field to DHCPv6 Request Messages
If the DHCPv6 server needs to obtain information about the interface or MAC address of the client, the S2300 can append the Option 18 or Option 37 field to DHCPv6 Request messages sent from a client to the DHCPv6 server.

Procedure
Step 1 Run:
  system-view
  The system view is displayed.
Step 2 Run:
  interface interface-type interface-number
  The interface view is displayed.
Step 3 Run:
  dhcpv6 { option18 | option37 } insert enable
  The S2300 is configured to append the Option 18 field or the Option 37 field to DHCPv6 Request messages. The Option 18 field contains information about the interface of the client, and the Option 37 field contains information about the MAC address of the client.
----End

3.5.7 Checking the Configuration


Checking the Configuration of Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases.

Prerequisite
The configurations of preventing the attacker from sending bogus DHCP messages for extending IP address leases are complete.

Procedure
- Run the display dhcp snooping global command to check information about global DHCP snooping.
- Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface.
- Run the display dhcp { snooping | static } user-bind { dai-status | interface interface-type interface-number | ip-address ip-address | ipsg-status | mac-address mac-address | vlan vlan-id [ interface interface-type interface-number ] | all [ verbose ] } command to check information about the DHCP binding table.
- Run the display dhcpv6 { snooping | static } user-bind { interface interface-type interface-number | ipv6-address ipv6-address | ipsg-status | mac-address mac-address | vlan vlan-id [ interface interface-type interface-number ] | all [ verbose ] } command to check information about the DHCPv6 binding table.
- Run the display dhcp option82 { interface interface-type interface-number | vlan vlan-id } command to check the status of the Option 82 field.

----End

3.6 Setting the Maximum Number of DHCP Snooping Users


This section describes how to set the maximum number of DHCP snooping users, so that authorized users can still access the network when an attacker applies for IP addresses continuously.

3.6.1 Establishing the Configuration Task
This section describes how to establish the configuration task of preventing attackers from sending bogus DHCP messages for extending IP address leases.

3.6.2 Enabling DHCP Snooping
After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN. Otherwise, DHCP snooping does not take effect.

3.6.3 Setting the Maximum Number of DHCP Snooping Users
If an unauthorized user applies for IP addresses maliciously, authorized users cannot access the network. To address this problem, you can set the maximum number of access users.

3.6.4 (Optional) Configuring MAC Address Security on an Interface
MAC addresses of DHCP users in the dynamic binding table can be converted to static MAC addresses, and packets of these users can be forwarded. MAC addresses of static users in the static binding table cannot be converted to static MAC addresses. Therefore, you need to configure static MAC addresses for the static users so that their packets are forwarded normally.

3.6.5 Checking the Configuration
This section describes how to check the configuration of the maximum number of DHCP snooping users.

3.6.1 Establishing the Configuration Task


This section describes how to establish the configuration task of preventing attackers from sending bogus DHCP messages for extending IP address leases.


Applicable Environment
To prevent malicious users from applying for IP addresses, you can set the maximum number of DHCP snooping users. When the number of DHCP snooping users reaches the maximum value, further users cannot successfully apply for IP addresses.

Pre-configuration Tasks
Before setting the maximum number of DHCP snooping users, complete the following tasks:
- Enabling DHCP snooping globally
- Enabling check of the DHCP snooping binding table

Data Preparation
To set the maximum number of DHCP snooping users, you need the following data.

No.   Data
1     Type and number of the interface, VLAN ID, and maximum number of DHCP snooping users

3.6.2 Enabling DHCP Snooping


After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN. Otherwise, DHCP snooping does not take effect.

Context
To enable DHCP snooping, you need to comply with the following sequence:
- Enable DHCP globally.
- Enable DHCP snooping globally.
- Enable DHCP snooping on an interface or in a VLAN.

Procedure
- Enabling DHCP snooping in the VLAN view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dhcp enable
     DHCP is enabled globally.
  3. Run:
     dhcp snooping enable
     DHCP snooping is enabled globally.
  4. Run:
     vlan vlan-id
     The VLAN view is displayed.
  5. Run:
     dhcp snooping enable
     DHCP snooping is enabled in a VLAN.
  6. Run:
     quit
     Return to the system view.
  7. (Optional) Run:
     interface interface-type interface-number
     The interface view is displayed.
  8. (Optional) Run:
     dhcp snooping disable
     DHCP snooping is disabled on the specified interface in the VLAN. To disable DHCP snooping on a specified interface in a VLAN, perform steps 6 and 7.
- Enabling DHCP snooping in the interface view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dhcp enable
     DHCP is enabled globally.
  3. Run:
     dhcp snooping enable
     DHCP snooping is enabled globally.
  4. Run:
     interface interface-type interface-number
     The interface view is displayed.
  5. Run:
     dhcp snooping enable
     DHCP snooping is enabled on the interface.
----End

3.6.3 Setting the Maximum Number of DHCP Snooping Users


If an unauthorized user applies for IP addresses maliciously, authorized users cannot access the network. To address this problem, you can set the maximum number of access users.

Procedure
Step 1 Run:
  system-view
  The system view is displayed.
Step 2 Run:
  dhcp snooping global max-user-number max-user-number
  The maximum number of access users allowed in the system view is set. By default, the maximum number of access users allowed by all the interfaces of the S2300 is 256.
Step 3 Run:
  interface interface-type interface-number
  The interface view is displayed.
  Or, run:
  vlan vlan-id
  The VLAN view is displayed.
Step 4 Run:
  dhcp snooping max-user-number max-user-number
  The maximum number of DHCP snooping users allowed on an interface or in a VLAN is set. By default, a maximum of 256 users can access an interface of the S2300 or a VLAN. If the maximum number of access users is set on an interface, in a VLAN, or in the system, all the configurations take effect.
----End

3.6.4 (Optional) Configuring MAC Address Security on an Interface


MAC addresses of DHCP users in the dynamic binding table can be converted to static MAC addresses, and packets of these users can be forwarded. MAC addresses of static users in the static binding table cannot be converted to static MAC addresses. Therefore, you need to configure static MAC addresses for the static users to have the packets forwarded normally.

Context
NOTE

The S2300SI does not support configuring MAC address security on an interface.

Procedure
Step 1 Run:
  system-view
  The system view is displayed.
Step 2 Run:
  interface interface-type interface-number
  The interface view is displayed. The interface is a user-side interface.
Step 3 Run:
  dhcp snooping sticky-mac
  MAC address security of DHCP snooping is enabled on the interface. By default, MAC address security of DHCP snooping is disabled on the S2300.
  The dhcp snooping sticky-mac command takes effect only after DHCP snooping is enabled globally.
  If the dhcp snooping sticky-mac command is run, the interface neither learns the MAC address of a received IP packet nor forwards or sends the received IP packet. The DHCP messages received by the interface are sent to the CPU of the main control board, and a dynamic binding table is generated. After the dynamic binding table is generated, static MAC addresses are sent to the corresponding interface; that is, dynamic MAC addresses are converted to static MAC addresses. The static MAC address entry includes the MAC address and VLAN ID of the user. Subsequently, only packets whose source MAC address matches the static MAC address can pass through the interface; other packets are discarded.
  MAC addresses of static users in the static binding table cannot be converted to static MAC addresses. You need to configure static MAC addresses for the static users so that their packets are forwarded normally.
Step 4 (Optional) Run:
  undo mac-address snooping [ interface-type interface-number [ vlan vlan-id ] | vlan vlan-id [ interface-type interface-number ] ]
  The static MAC entries converted from dynamic binding entries by the dhcp snooping sticky-mac command are deleted.
----End

3.6.5 Checking the Configuration


This section describes how to check the configuration of the maximum number of DHCP snooping users.

Prerequisite
The configurations of setting the maximum number of users are complete.

Procedure
- Run the display dhcp snooping global command to check information about global DHCP snooping.
- Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on an interface.
- Run the display mac-address snooping [ interface-type interface-number [ vlan vlan-id ] | vlan vlan-id [ interface-type interface-number ] ] [ verbose ] command to view the static MAC address entries converted from dynamic MAC address entries by the dhcp snooping sticky-mac command.

----End

3.7 Limiting the Rate of Sending DHCP Messages


This section describes how to prevent attackers from sending a large number of DHCP Request messages to attack the S2300.

3.7.1 Establishing the Configuration Task
Establishing the Configuration Task of Limiting the Rate of Sending DHCP Messages.

3.7.2 Enabling DHCP Snooping
After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN. Otherwise, DHCP snooping does not take effect.

3.7.3 Setting the Maximum Rate of Sending DHCP Messages
You can set the maximum rate of sending DHCP messages globally, in a VLAN, or on an interface. If the maximum rate of sending DHCP messages is set globally, in a VLAN, and on an interface simultaneously, the settings take effect on the interface, in the VLAN, and globally, in descending order of precedence.

3.7.4 Checking the Configuration
Checking the Configuration of Limiting the Rate of Sending DHCP Messages.

3.7.1 Establishing the Configuration Task


Establishing the Configuration Task of Limiting the Rate of Sending DHCP Messages.

Applicable Environment
If an attacker sends DHCP messages continuously on a network, the DHCP protocol stack of the S2300 is affected. To prevent an attacker from sending a large number of DHCP messages, you can configure DHCP snooping on the S2300 to check DHCP messages and limit the rate of sending DHCP messages. Only a certain number of DHCP messages can be sent to the protocol stack during a certain period. Excessive DHCP messages are discarded.

Pre-configuration Tasks
Before limiting the rate of sending packets, complete the following tasks:
- Configuring the DHCP server

Data Preparation
To limit the rate of sending packets, you need the following data.

No.   Data
1     Rate at which DHCP messages are sent to the protocol stack


3.7.2 Enabling DHCP Snooping


After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN. Otherwise, DHCP snooping does not take effect.

Context
To enable DHCP snooping, you need to comply with the following sequence:
- Enable DHCP globally.
- Enable DHCP snooping globally.
- Enable DHCP snooping on an interface or in a VLAN.

Procedure
- Enabling DHCP snooping in the VLAN view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dhcp enable
     DHCP is enabled globally.
  3. Run:
     dhcp snooping enable
     DHCP snooping is enabled globally.
  4. Run:
     vlan vlan-id
     The VLAN view is displayed.
  5. Run:
     dhcp snooping enable
     DHCP snooping is enabled in a VLAN.
  6. Run:
     quit
     Return to the system view.
  7. (Optional) Run:
     interface interface-type interface-number
     The interface view is displayed.
  8. (Optional) Run:
     dhcp snooping disable
     DHCP snooping is disabled on the specified interface in the VLAN. To disable DHCP snooping on a specified interface in a VLAN, perform steps 6 and 7.
- Enabling DHCP snooping in the interface view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dhcp enable
     DHCP is enabled globally.
  3. Run:
     dhcp snooping enable
     DHCP snooping is enabled globally.
  4. Run:
     interface interface-type interface-number
     The interface view is displayed.
  5. Run:
     dhcp snooping enable
     DHCP snooping is enabled on the interface.
----End

3.7.3 Setting the Maximum Rate of Sending DHCP Messages


You can set the maximum rate of sending DHCP messages globally, in a VLAN, or on an interface. If the maximum rate of sending DHCP messages is set globally, in a VLAN, and on an interface simultaneously, the maximum rate of sending DHCP messages takes effect on an interface, in a VLAN, and globally in descending order.

Procedure
- Setting the maximum rate of sending DHCP messages in the system view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dhcp snooping check dhcp-rate enable
     The function of checking the rate of sending DHCP messages is enabled. By default, the function of checking the rate of sending DHCP messages is disabled globally.
  3. Run:
     dhcp snooping check dhcp-rate rate
     The rate of sending DHCP messages is set. By default, the maximum rate of sending DHCP messages is 100 pps. DHCP messages exceeding the rate are discarded.
- Setting the maximum rate of sending DHCP messages in the VLAN view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     vlan vlan-id
     The VLAN view is displayed.
  3. Run:
     dhcp snooping check dhcp-rate enable
     The function of checking the rate of sending DHCP messages is enabled in the VLAN view. By default, the function of checking the rate of sending DHCP messages is disabled in the VLAN view.
  4. Run:
     dhcp snooping check dhcp-rate rate
     The rate of sending DHCP messages is set. By default, the maximum rate of sending DHCP messages is 100 pps. DHCP messages exceeding the rate are discarded.
- Setting the maximum rate of sending DHCP messages in the interface view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     dhcp snooping check dhcp-rate { enable | enable rate | rate } [ alarm dhcp-rate [ enable ] [ threshold threshold-value ] ]
     The following functions are configured on an interface:
     - The function of checking the rate of sending DHCP messages to the DHCP stack is enabled.
     - The rate limit of sending DHCP messages to the DHCP stack is set.
     - The DHCP message discard alarm is enabled.
     - The alarm threshold for discarded DHCP messages is set.
     By default, the function of checking the rate of sending DHCP messages to the DHCP stack is disabled on an interface; the rate limit of sending DHCP messages to the DHCP stack is 100 pps; the DHCP message discard alarm is disabled; and the alarm threshold for discarded DHCP messages is 100.
----End
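The interface, VLAN and global precedence of the rate limit and the discard alarm threshold of this section, modelled as an added example that is not Huawei's code; the one-second counting window, counting discards per window and skipping scopes where the check is not enabled are assumptions of the model, and the traffic figures are constructed:

```python
# Added example (not Huawei code): a model of the DHCP message rate limit of
# 3.7.3 and of the discard alarm threshold used with it. The interface > VLAN
# > global precedence, the 100 pps default and the default alarm threshold of
# 100 are taken from the guide; the one-second window, per-window discard
# counting and "skip scopes that are not enabled" are assumptions of this model.
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_RATE_PPS = 100          # default for "dhcp snooping check dhcp-rate rate"
DEFAULT_ALARM_THRESHOLD = 100   # default for "alarm dhcp-rate threshold"


@dataclass(frozen=True)
class RateCheck:
    """One "dhcp snooping check dhcp-rate" configuration at a given scope."""
    enabled: bool = False
    rate: int = DEFAULT_RATE_PPS


def effective_check(interface_cfg: Optional[RateCheck],
                    vlan_cfg: Optional[RateCheck],
                    global_cfg: Optional[RateCheck]) -> Optional[RateCheck]:
    """Return the configuration that takes effect for a message.

    Per 3.7.3 the interface setting wins over the VLAN setting, which wins over
    the global setting. Scopes where the check is not enabled are skipped
    (assumption); None means no scope enables the check.
    """
    for cfg in (interface_cfg, vlan_cfg, global_cfg):
        if cfg is not None and cfg.enabled:
            return cfg
    return None


@dataclass
class DhcpRateLimiter:
    """Counts DHCP messages per one-second window on one interface."""
    check: Optional[RateCheck]
    alarm_enabled: bool = False
    alarm_threshold: int = DEFAULT_ALARM_THRESHOLD
    alarms: List[int] = field(default_factory=list)  # windows in which an alarm fired
    _passed: Dict[int, int] = field(default_factory=lambda: defaultdict(int))
    _discarded: Dict[int, int] = field(default_factory=lambda: defaultdict(int))

    def receive(self, t_seconds: float) -> bool:
        """Return True if the message goes to the DHCP stack, False if discarded."""
        window = int(t_seconds)
        if self.check is None or self._passed[window] < self.check.rate:
            self._passed[window] += 1
            return True
        self._discarded[window] += 1
        # One alarm per window, raised when the discard count reaches the threshold.
        if self.alarm_enabled and self._discarded[window] == self.alarm_threshold:
            self.alarms.append(window)
        return False

    def totals(self) -> Dict[str, int]:
        return {"passed": sum(self._passed.values()),
                "discarded": sum(self._discarded.values()),
                "alarms": len(self.alarms)}


def simulate_flood(limiter: DhcpRateLimiter, pps: int, seconds: int) -> Dict[str, int]:
    """Feed `pps` evenly spaced DHCP messages per second for `seconds` seconds."""
    for s in range(seconds):
        for i in range(pps):
            limiter.receive(s + i / pps)
    return limiter.totals()


if __name__ == "__main__":
    # Constructed scenario: no interface setting, the VLAN limits to 50 pps,
    # and the global check is enabled with its 100 pps default.
    cfg = effective_check(None, RateCheck(True, 50), RateCheck(True))
    limiter = DhcpRateLimiter(cfg, alarm_enabled=True, alarm_threshold=100)
    print(simulate_flood(limiter, pps=300, seconds=2))
```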

3.7.4 Checking the Configuration


Checking the Configuration of Limiting the Rate of Sending DHCP Messages.

Prerequisite
The configurations of limiting the rate of sending DHCP messages are complete.

Procedure
- Run the display dhcp snooping global command to check information about global DHCP snooping.

----End

3.8 Configuring the Packet Discarding Alarm Function


An alarm is generated when the number of discarded packets exceeds the threshold.
- 3.8.1 Establishing the Configuration Task: Establishing the Configuration Task of Packet Discarding Alarm Function.
- 3.8.2 Enabling DHCP Snooping: After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN. Otherwise, DHCP snooping does not take effect.
- 3.8.3 Configuring the Packet Discarding Alarm Function: After the alarm function is enabled, alarm messages are displayed if DHCP attacks occur.
- 3.8.4 Checking the Configuration: Checking the Configuration of Packet Discarding Alarm Function.

3.8.1 Establishing the Configuration Task


Establishing the Configuration Task of Packet Discarding Alarm Function.

Applicable Environment
With DHCP snooping configured, the S2300 discards packets sent from an attacker. Table 3-2 shows the relation between the type of attacks and the type of discarded packets.

Table 3-2 Relation between the type of attacks and the type of discarded packets

Type of Attacks                                                            | Type of Discarded Packets
-------------------------------------------------------------------------- | -----------------------------------------------------------------------------------------------------
Bogus DHCP server attack                                                   | DHCP Reply messages received from untrusted interfaces
DoS attack by changing the CHADDR field                                    | DHCP Request messages whose CHADDR field does not match the source MAC address in the frame header
Attack by sending bogus messages to extend IP address leases              | DHCP Request messages that do not match entries in the binding table
Attack by sending a large number of DHCP Request messages and ARP packets | Messages exceeding the rate limit

After the packet discarding alarm function is enabled, an alarm is generated when the number of discarded packets on the S2300 reaches the alarm threshold.

Pre-configuration Tasks
Before configuring the packet discarding alarm function, complete the following tasks:
- Configuring the DHCP server
- Configuring the S2300 to discard DHCP Reply messages on the untrusted interface at the user side
- Configuring the checking of DHCP messages
- Configuring the checking of the CHADDR field in DHCP Request messages
- Configuring the checking of the rate of sending DHCP messages

Data Preparation
To configure the packet discarding alarm function, you need the following data.

No. | Data
--- | ---------------------------------------------------
1   | Alarm threshold for the number of discarded packets

3.8.2 Enabling DHCP Snooping


After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN. Otherwise, DHCP snooping does not take effect.

Context
To enable DHCP snooping, you need to comply with the following sequence:
- Enable DHCP globally.
- Enable DHCP snooping globally.
- Enable DHCP snooping on an interface or in a VLAN.

Procedure
- Enabling DHCP snooping in the VLAN view
1. Run:
   system-view
   The system view is displayed.
2. Run:
   dhcp enable
   DHCP is enabled globally.
3. Run:
   dhcp snooping enable
   DHCP snooping is enabled globally.
4. Run:
   vlan vlan-id
   The VLAN view is displayed.
5. Run:
   dhcp snooping enable
   DHCP snooping is enabled in the VLAN.
6. Run:
   quit
   Return to the system view.
7. (Optional) Run:
   interface interface-type interface-number
   The interface view is displayed.
8. (Optional) Run:
   dhcp snooping disable
   DHCP snooping is disabled on the specified interface in the VLAN. To disable DHCP snooping on a specified interface in a VLAN, perform steps 6 and 7.

- Enabling DHCP snooping in the interface view
1. Run:
   system-view
   The system view is displayed.
2. Run:
   dhcp enable
   DHCP is enabled globally.
3. Run:
   dhcp snooping enable
   DHCP snooping is enabled globally.
4. Run:
   interface interface-type interface-number
   The interface view is displayed.
5. Run:
   dhcp snooping enable
   DHCP snooping is enabled on the interface.
----End

3.8.3 Configuring the Packet Discarding Alarm Function


After the alarm function is enabled, alarm messages are displayed if DHCP attacks occur.

Context
The packet discarding alarm function can be configured globally and on an interface.
- The packet discarding alarm function configured globally takes effect for all interfaces.
- The packet discarding alarm function configured on an interface takes effect for that interface only. If the packet discarding alarm function is not configured on an interface, the global configuration is used.

Procedure
- Configuring the packet discarding alarm function globally
1. Run:
   system-view
   The system view is displayed.
2. Run:
   dhcp snooping alarm threshold threshold
   The global alarm threshold for the number of discarded packets is set. By default, the global alarm threshold for the number of discarded DHCP messages is 100 pps.

- Configuring the packet discarding alarm function on an interface
1. Run:
   system-view
   The system view is displayed.
2. Run:
   interface interface-type interface-number
   The interface view is displayed.
3. Run:
   dhcp snooping check dhcp-chaddr enable [ alarm dhcp-chaddr [ enable [ threshold threshold-value ] | threshold threshold-value ] ]
   The function of checking the CHADDR field of DHCP Request messages and the alarm for discarded DHCP Request messages are enabled on the interface, and the threshold that triggers the alarm is set. By default, the S2300 neither checks the CHADDR field of DHCP Request messages nor generates alarms for discarded packets. The alarm threshold for the rate of discarded DHCP Request messages is 100 pps.
4. Run:
   dhcp snooping check dhcp-request enable [ alarm dhcp-request [ enable [ threshold threshold-value ] | threshold threshold-value ] ]
   The function of checking DHCP Request messages and the alarm for discarded DHCP Request messages are enabled on the interface, and the threshold that triggers the alarm is set. By default, the S2300 neither checks DHCP Request messages nor generates alarms for discarded packets. The alarm threshold for the rate of discarded DHCP Request messages is 100 pps.
5. (Optional) Run:
   dhcp snooping alarm { dhcp-chaddr | dhcp-reply | dhcp-request } { enable [ threshold threshold ] | threshold threshold }
   The alarm function is enabled for the discarding of DHCP messages received from untrusted interfaces, and the alarm threshold is set. By default, the packet discarding alarm is disabled, and the threshold that triggers the alarm on discarded packets is 100. After the dhcp snooping alarm command is configured, an alarm is generated when the S2300 discards the following types of packets:
   - DHCP Request messages that do not match entries in the DHCP snooping binding table
   - DHCP Reply messages received by untrusted interfaces
   - DHCP Request messages whose source MAC address does not match the CHADDR field
----End
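The four checks of Table 3-2 together with the per-interface alarm threshold and rate limit configured in this section, modelled in Python as an added example that is not Huawei's code; the interface names, packet fields, the one-second rate window and the (ip, mac, vlan, port) binding tuple are assumptions, and the traffic in demo() and rate_demo() is constructed.

```python
# Added example (not Huawei code): a model of the DHCP snooping checks in
# Table 3-2 and the packet-discarding alarm threshold; names are constructed.
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

# Drop reasons named after the counters in the display dhcp snooping output.
DROP_REASONS = ("untrust-reply", "dhcp-chaddr", "dhcp-request", "dhcp-rate")


@dataclass
class DhcpPacket:
    kind: str                 # "request" or "reply"
    port: str                 # ingress interface (constructed names below)
    src_mac: str              # source MAC address in the frame header
    chaddr: str               # CHADDR field inside the DHCP message
    ip: Optional[str] = None  # address a Request refers to (lease renewal)
    vlan: int = 1
    ts: float = 0.0           # arrival time in seconds


@dataclass
class PortConfig:
    trusted: bool = False
    check_chaddr: bool = False
    check_request: bool = False
    rate_limit: Optional[int] = None  # pps; None means rate checking is off
    alarm_threshold: int = 100        # default stated in the guide
    drops: dict = field(default_factory=lambda: dict.fromkeys(DROP_REASONS, 0))
    window: deque = field(default_factory=deque)  # arrivals in the last second


class DhcpSnooping:
    def __init__(self):
        self.ports = {}
        self.bindings = set()  # (ip, mac, vlan, port) binding-table entries
        self.alarms = []       # (port, reason, drop count) when threshold reached

    def add_port(self, name, **cfg):
        self.ports[name] = PortConfig(**cfg)

    def add_binding(self, ip, mac, vlan, port):
        self.bindings.add((ip, mac, vlan, port))

    def _drop(self, pkt, reason):
        cfg = self.ports[pkt.port]
        cfg.drops[reason] += 1
        # An alarm is generated when the discard count reaches the threshold.
        if cfg.drops[reason] == cfg.alarm_threshold:
            self.alarms.append((pkt.port, reason, cfg.drops[reason]))
        return reason

    def _over_rate(self, pkt, cfg):
        # Messages beyond rate_limit within one second are discarded.
        while cfg.window and pkt.ts - cfg.window[0] >= 1.0:
            cfg.window.popleft()
        if len(cfg.window) >= cfg.rate_limit:
            return True
        cfg.window.append(pkt.ts)
        return False

    def inspect(self, pkt):
        """Return "forward" or the reason the packet was discarded."""
        cfg = self.ports[pkt.port]
        if cfg.rate_limit is not None and self._over_rate(pkt, cfg):
            return self._drop(pkt, "dhcp-rate")
        if cfg.trusted:            # server-side port: replies are legitimate
            return "forward"
        if pkt.kind == "reply":    # bogus DHCP server on an untrusted port
            return self._drop(pkt, "untrust-reply")
        if cfg.check_chaddr and pkt.chaddr.lower() != pkt.src_mac.lower():
            return self._drop(pkt, "dhcp-chaddr")
        if (cfg.check_request and pkt.ip is not None
                and (pkt.ip, pkt.src_mac, pkt.vlan, pkt.port) not in self.bindings):
            return self._drop(pkt, "dhcp-request")
        return "forward"


def demo():
    """Constructed traffic on GE0/0/1 (trusted) and GE0/0/2 (user side)."""
    sw = DhcpSnooping()
    sw.add_port("GE0/0/1", trusted=True)
    # Threshold lowered to 2 so the alarm fires within the demo.
    sw.add_port("GE0/0/2", check_chaddr=True, check_request=True, alarm_threshold=2)
    sw.add_binding("10.1.1.3", "0000-005e-008a", 3, "GE0/0/2")
    c, x = "0000-005e-008a", "0000-005e-0bad"
    pkts = [
        DhcpPacket("reply", "GE0/0/1", "0000-005e-0001", c),            # real server
        DhcpPacket("reply", "GE0/0/2", "0000-005e-00ff", c),            # bogus server
        DhcpPacket("request", "GE0/0/2", c, c),                         # new lease
        DhcpPacket("request", "GE0/0/2", c, "0000-005e-1111"),          # forged CHADDR
        DhcpPacket("request", "GE0/0/2", c, c, ip="10.1.1.3", vlan=3),  # valid renew
        DhcpPacket("request", "GE0/0/2", x, x, ip="10.1.1.3", vlan=3),  # bogus renew
        DhcpPacket("request", "GE0/0/2", x, x, ip="10.1.1.4", vlan=3),  # bogus renew, alarm
    ]
    return [sw.inspect(p) for p in pkts], sw


def rate_demo():
    """Four Requests on a port limited to 2 pps; the third in one second is dropped."""
    sw = DhcpSnooping()
    sw.add_port("Ethernet0/0/1", rate_limit=2)
    c = "0000-005e-00aa"
    return [sw.inspect(DhcpPacket("request", "Ethernet0/0/1", c, c, ts=t))
            for t in (0.0, 0.1, 0.2, 1.5)]
```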

3.8.4 Checking the Configuration


Checking the Configuration of Packet Discarding Alarm Function.

Prerequisite
The configurations of the packet discarding alarm function are complete.

Procedure
- Run the display dhcp snooping global command to check information about global DHCP snooping.
- Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface.

----End

3.9 Maintaining DHCP Snooping


This section describes how to maintain DHCP snooping.
- 3.9.1 Clearing DHCP Snooping Statistics: The statistics on globally discarded packets and the statistics on discarded packets on the interface are cleared.
- 3.9.2 Resetting the DHCP Snooping Binding Table: After DHCP snooping is enabled, multiple binding entries are generated when DHCP users go online. DHCP users can delete dynamic binding entries in batches according to the VLAN ID, interface, or IP address of the VPLS.

3.9.1 Clearing DHCP Snooping Statistics


The statistics on globally discarded packets and the statistics on discarded packets on the interface are cleared.

Context
To clear the statistics on DHCP snooping discarded packets, run the following commands in the user view.

Procedure
- Run the reset dhcp snooping statistics global command to clear the statistics on globally discarded packets.

- Run the reset dhcp snooping statistics interface interface-type interface-number command to clear the statistics on discarded packets on the interface.
- Run the reset dhcp snooping statistics vlan vlan-id command to clear the statistics on discarded packets in the VLAN.

----End

3.9.2 Resetting the DHCP Snooping Binding Table


After DHCP snooping is enabled, multiple binding entries are generated when DHCP users go online. DHCP users can delete dynamic binding entries in batches according to the VLAN ID, interface, or IP address of the VPLS.

Context
NOTE

After the networking environment changes, DHCP snooping binding entries do not age immediately. However, the following information in DHCP snooping binding entries may change, causing packet forwarding failure:
- VLAN ID in packets
- Interface information

Before changing the networking environment, clear all DHCP snooping binding entries manually so that a device generates a new DHCP snooping binding table according to the new networking environment.

To clear entries in the DHCP snooping binding table, run the following command in the user view or system view.

Procedure
- Run the reset dhcp snooping user-bind [ [ vlan vlan-id | interface interface-type interface-number ]* | ip-address ip-address | ipv6-address ipv6-address ] command to reset the DHCP snooping binding table.

----End

3.10 Configuration Examples


This section provides several configuration examples of DHCP snooping.
- 3.10.1 Example for Preventing Bogus DHCP Server Attacks: This section describes the configuration of preventing bogus DHCP server attacks, including the configuration of the trusted interface and the alarm function for discarded DHCP Reply packets.
- 3.10.2 Example for Preventing DoS Attacks by Changing the CHADDR Field: This section describes the configuration of preventing DoS attacks by changing the CHADDR field, including the configuration of the function of checking the CHADDR field of DHCP Request messages on the user-side interface and the alarm function for discarded packets.
- 3.10.3 Example for Preventing Attackers from Sending Bogus DHCP Messages for Extending IP Address Leases: This section describes the configuration of preventing attackers from sending bogus DHCP messages for extending IP address leases, including the configuration of the function of checking the DHCP Request messages on the user-side interface and the alarm function for discarded packets.
- 3.10.4 Example for Limiting the Rate of Sending DHCP Messages: This section describes the configuration of limiting the rate of sending DHCP messages, including the configuration of the rate of sending DHCP messages to the protocol stack and the alarm function for discarded packets.
- 3.10.5 Example for Applying DHCP Snooping on a Layer 2 Network: This section describes the configuration of DHCP snooping on a Layer 2 network, including the configuration of the trusted interface, the function of checking DHCP messages, the function of limiting the rate of sending DHCP messages, and the Option 82 function.

3.10.1 Example for Preventing Bogus DHCP Server Attacks


This section describes the configuration of preventing bogus DHCP server attacks, including the configuration of the trusted interface and the alarm function for discarded DHCP Reply packets.

Networking Requirements
As shown in Figure 3-2, the Switch is deployed between the user network and the Layer 2 network of the ISP. To prevent bogus DHCP server attacks, it is required that DHCP snooping be configured on the Switch, the user-side interface be configured as an untrusted interface, the network-side interface be configured as the trusted interface, and the alarm function for discarded DHCP Reply packets be configured.

Figure 3-2 Networking diagram for preventing bogus DHCP server attacks
[Figure: DHCP server -- DHCP relay -- ISP network (L3 network) -- L2 network -- GE0/0/1 Switch GE0/0/2 -- User network]


Configuration Roadmap
The configuration roadmap is as follows (assume that the DHCP server has been configured):
1. Enable DHCP snooping globally and on the interface.
2. Enable bogus DHCP server detection.
3. Configure the interface connected to the DHCP server as the trusted interface.
4. Configure the alarm function for discarded DHCP Reply packets.

Data Preparation
To complete the configuration, you need the following data:
- GE 0/0/1 being the trusted interface and GE 0/0/2 being the untrusted interface
- Alarm threshold being 120
NOTE

This configuration example provides only the commands related to the DHCP snooping configuration.

Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable

# Enable bogus DHCP server detection.


[Quidway] dhcp server detect

# Enable DHCP snooping on the user-side interface.


[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] dhcp snooping enable
[Quidway-GigabitEthernet0/0/2] quit

Step 2 Configure the interface as the trusted interface or an untrusted interface.
# Configure the interface on the DHCP server side as the trusted interface.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] dhcp snooping trusted
[Quidway-GigabitEthernet0/0/1] quit

# Configure the user-side interface as an untrusted interface. After DHCP snooping is enabled on GE 0/0/2, GE 0/0/2 is an untrusted interface by default.

Step 3 Configure the alarm function for discarded DHCP Reply packets.
# Configure the Switch to discard the Reply messages received by untrusted interfaces, and set the alarm threshold.
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-reply enable threshold 120
[Quidway-GigabitEthernet0/0/2] quit

Step 4 Verify the configuration.



Run the display dhcp snooping global command on the Switch, and you can view that DHCP snooping is enabled globally and in the interface view.
<Quidway> display dhcp snooping global
 dhcp snooping enable
 Dhcp snooping enable is configured at vlan :NULL
 Dhcp snooping enable is configured at interface : GigabitEthernet0/0/2
 Dhcp snooping trusted is configured at interface : GigabitEthernet0/0/1
 Dhcp option82 insert is configured at interface :NULL
 Dhcp option82 rebuild is configured at interface :NULL
 Dhcp option82 insert is configured at vlan :NULL
 Dhcp option82 rebuild is configured at vlan :NULL
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 60
<Quidway> display dhcp snooping interface gigabitethernet 0/0/1
 dhcp snooping trusted
 dhcp packet dropped by untrust-reply checking = 0
<Quidway> display dhcp snooping interface gigabitethernet 0/0/2
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 dhcp packet dropped by untrust-reply checking = 10

----End

Configuration Files
#
 dhcp enable
 dhcp snooping enable
 dhcp server detect
#
interface GigabitEthernet0/0/1
 dhcp snooping trusted
#
interface GigabitEthernet0/0/2
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
#
return
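A Python check over text in the shape of the display dhcp snooping interface output shown in Step 4 above, as an added example that is not Huawei tooling: it reads the per-interface alarm thresholds and discard counters and flags any interface whose counter has reached its threshold. The sample output is constructed, and the mapping of the dhcp-reply alarm to the untrust-reply counter is taken from the output in this section.

```python
# Added example (not Huawei code): parse display dhcp snooping interface
# output and flag counters that have reached their alarm threshold.
import re

# Constructed sample modelled on the output in 3.10.1 and 3.10.2.
SAMPLE_OUTPUT = """\
<Quidway> display dhcp snooping interface gigabitethernet 0/0/1
 dhcp snooping trusted
 dhcp packet dropped by untrust-reply checking = 0
<Quidway> display dhcp snooping interface gigabitethernet 0/0/2
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 dhcp snooping check dhcp-chaddr enable alarm dhcp-chaddr enable threshold 120
 dhcp packet dropped by untrust-reply checking = 10
 dhcp packet dropped by dhcp-chaddr checking = 125
"""

CMD_RE = re.compile(r"^<\S+> display dhcp snooping interface (.+?)\s*$")
# Matches both "alarm X enable threshold N" and "check X enable alarm X threshold N".
ALARM_RE = re.compile(
    r"^\s*dhcp snooping (?:check \S+ enable )?alarm (\S+) (?:enable )?threshold (\d+)\s*$")
DROP_RE = re.compile(r"^\s*dhcp packet dropped by (\S+) checking = (\d+)\s*$")

# The dhcp-reply alarm refers to the untrust-reply drop counter; the other
# alarm keywords share the counter name.
ALARM_TO_COUNTER = {"dhcp-reply": "untrust-reply"}


def parse_snooping_interfaces(text):
    """Return {interface: {"trusted": bool, "thresholds": {...}, "drops": {...}}}."""
    result = {}
    cur = None
    for line in text.splitlines():
        m = CMD_RE.match(line)
        if m:   # a new display command starts the next interface's block
            cur = result.setdefault(
                m.group(1), {"trusted": False, "thresholds": {}, "drops": {}})
            continue
        if cur is None:
            continue
        if line.strip() == "dhcp snooping trusted":
            cur["trusted"] = True
            continue
        m = ALARM_RE.match(line)
        if m:
            cur["thresholds"][m.group(1)] = int(m.group(2))
            continue
        m = DROP_RE.match(line)
        if m:
            cur["drops"][m.group(1)] = int(m.group(2))
    return result


def threshold_findings(parsed):
    """(interface, alarm, drops, threshold) for each counter at or over its threshold."""
    out = []
    for ifname, info in sorted(parsed.items()):
        for alarm, threshold in info["thresholds"].items():
            drops = info["drops"].get(ALARM_TO_COUNTER.get(alarm, alarm), 0)
            if drops >= threshold:
                out.append((ifname, alarm, drops, threshold))
    return out
```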

3.10.2 Example for Preventing DoS Attacks by Changing the CHADDR Field
This section describes the configuration of preventing DoS attacks by changing the CHADDR field, including the configuration of the function of checking the CHADDR field of DHCP Request messages on the user-side interface and the alarm function for discarded packets.

Networking Requirements
As shown in Figure 3-3, the Switch is deployed between the user network and the ISP Layer 2 network. To prevent DoS attacks by changing the CHADDR field, it is required that DHCP snooping be configured on the Switch. The CHADDR field of DHCP Request messages is checked. If the CHADDR field of DHCP Request messages matches the source MAC address in the frame header, the messages are forwarded. Otherwise, the messages are discarded. The alarm function for discarded packets is configured.

Figure 3-3 Networking diagram for preventing DoS attacks by changing the CHADDR field
[Figure: DHCP server -- DHCP relay -- ISP network (L3 network) -- L2 network -- GE0/0/1 Switch GE0/0/2 -- User network]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and on the interface.
2. Configure the interface connected to the DHCP server as the trusted interface.
3. Enable the function of checking the CHADDR field of DHCP Request messages on the user-side interface.
4. Configure the alarm function for discarded packets.

Data Preparation
To complete the configuration, you need the following data:
- Alarm threshold
NOTE

This configuration example provides only the commands related to the DHCP snooping configuration.

Procedure
Step 1 Enable DHCP snooping.

# Enable DHCP snooping globally.


<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable

# Enable DHCP snooping on the user-side interface.


[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] dhcp snooping enable
[Quidway-GigabitEthernet0/0/2] quit

Step 2 Configure the interface as the trusted interface or an untrusted interface.
# Configure the interface on the DHCP server side as the trusted interface.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] dhcp snooping trusted
[Quidway-GigabitEthernet0/0/1] quit

# Configure the user-side interface as an untrusted interface. After DHCP snooping is enabled on GE 0/0/2, GE 0/0/2 is an untrusted interface by default.

Step 3 Enable the function of checking the CHADDR field of DHCP Request messages on the user-side interface, and configure the alarm function and threshold for discarded packets.
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] dhcp snooping check dhcp-chaddr enable alarm dhcp-chaddr enable threshold 120

Step 4 Verify the configuration.
Run the display dhcp snooping command on the Switch, and you can view that DHCP snooping is enabled globally and in the interface view.
<Quidway> display dhcp snooping global
 dhcp snooping enable
 Dhcp snooping enable is configured at vlan :NULL
 Dhcp snooping enable is configured at interface : GigabitEthernet0/0/2
 Dhcp snooping trusted is configured at interface : GigabitEthernet0/0/1
 Dhcp option82 insert is configured at interface :NULL
 Dhcp option82 rebuild is configured at interface :NULL
 Dhcp option82 insert is configured at vlan :NULL
 Dhcp option82 rebuild is configured at vlan :NULL
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 25
<Quidway> display dhcp snooping interface gigabitethernet 0/0/1
 dhcp snooping trusted
 dhcp packet dropped by untrust-reply checking = 0
<Quidway> display dhcp snooping interface gigabitethernet 0/0/2
 dhcp snooping enable
 dhcp snooping check dhcp-chaddr enable alarm dhcp-chaddr enable threshold 120
 dhcp packet dropped by dhcp-chaddr checking = 25
 dhcp packet dropped by untrust-reply checking = 0

----End

Configuration Files
#
 dhcp enable
 dhcp snooping enable
#
interface GigabitEthernet0/0/1
 dhcp snooping trusted
#
interface GigabitEthernet0/0/2
 dhcp snooping enable
 dhcp snooping check dhcp-chaddr enable alarm dhcp-chaddr enable threshold 120
#
return

3.10.3 Example for Preventing Attackers from Sending Bogus DHCP Messages for Extending IP Address Leases
This section describes the configuration of preventing attackers from sending bogus DHCP messages for extending IP address leases, including the configuration of the function of checking the DHCP Request messages on the user-side interface and the alarm function for discarded packets.

Networking Requirements
As shown in Figure 3-4, the Switch is deployed between the user network and the ISP Layer 2 network. To prevent attackers from sending bogus DHCP messages for extending IP address leases, it is required that DHCP snooping be configured on the Switch and the DHCP snooping binding table be created. If the received DHCP Request messages match entries in the binding table, they are forwarded; otherwise, they are discarded. The alarm function for discarded packets is configured.

Figure 3-4 Networking diagram for preventing attackers from sending bogus DHCP messages for extending IP address leases
[Figure: DHCP server -- DHCP relay -- ISP network (L3 network) -- L2 network -- GE0/0/1 Switch GE0/0/2 -- User network]


Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and on the interface.
2. Configure the interface connected to the DHCP server as the trusted interface.
3. Use the DHCP snooping binding table to check DHCP Request messages.
4. Configure the alarm function for discarded packets.

Data Preparation
To complete the configuration, you need the following data:
- ID of the VLAN that each interface belongs to
- Static IP addresses from which packets are forwarded
- Alarm threshold
NOTE

This configuration example provides only the commands related to the DHCP snooping configuration.

Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable

# Enable DHCP snooping on the user-side interface.


[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] dhcp snooping enable
[Quidway-GigabitEthernet0/0/2] quit

Step 2 Configure the interface as the trusted interface or an untrusted interface.
# Configure the interface on the DHCP server side as the trusted interface.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] dhcp snooping trusted
[Quidway-GigabitEthernet0/0/1] quit

# Configure the user-side interface as an untrusted interface. After DHCP snooping is enabled on GE 0/0/2, GE 0/0/2 is an untrusted interface by default.

Step 3 Configure the function of checking DHCP Request messages and the alarm function for discarded packets.
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] dhcp snooping check dhcp-request enable alarm dhcp-request enable threshold 120
[Quidway-GigabitEthernet0/0/2] quit

Step 4 Check the DHCP snooping binding entries.



Run the display dhcp snooping user-bind all command, and you can view all the DHCP snooping binding entries of users.
<Quidway> display dhcp snooping user-bind all
DHCP Dynamic Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - map vlan
IP Address       MAC Address     VSI/VLAN(O/I/P)  Interface       Lease
--------------------------------------------------------------------------------
10.1.1.3         0000-005e-008a  3   /--  /--     Ethernet0/0/2   2010.08.14-12:58
--------------------------------------------------------------------------------
print count:           1          total count:           1

Step 5 Verify the configuration.
Run the display dhcp snooping global command on the Switch, and you can view that DHCP snooping is enabled globally and on the interface.
<Quidway> display dhcp snooping global
 dhcp snooping enable
 Dhcp snooping enable is configured at vlan :NULL
 Dhcp snooping enable is configured at interface : GigabitEthernet0/0/2
 Dhcp snooping trusted is configured at interface :NULL GigabitEthernet0/0/1
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 45
<Quidway> display dhcp snooping interface gigabitethernet 0/0/1
 dhcp snooping trusted
 dhcp packet dropped by untrust-reply checking = 0
<Quidway> display dhcp snooping interface gigabitethernet 0/0/2
 dhcp snooping enable
 dhcp snooping check dhcp-request enable alarm dhcp-request threshold 120
 dhcp packet dropped by dhcp-request checking = 45
 dhcp packet dropped by untrust-reply checking = 0

----End

Configuration Files
#
 dhcp enable
 dhcp snooping enable
#
interface GigabitEthernet0/0/1
 dhcp snooping trusted
#
interface GigabitEthernet 0/0/2
 dhcp snooping enable
 dhcp snooping check dhcp-request enable alarm dhcp-request threshold 120
#
return

3.10.4 Example for Limiting the Rate of Sending DHCP Messages


This section describes the configuration of limiting the rate of sending DHCP messages, including the configuration of the rate of sending DHCP messages to the protocol stack and the alarm function for discarded packets.

Networking Requirements
As shown in Figure 3-5, to prevent an attacker from sending a large number of DHCP Request messages, it is required that DHCP snooping be enabled on the Switch to control the rate of sending DHCP Request messages to the protocol stack. At the same time, the alarm function for discarded packets needs to be enabled.

Figure 3-5 Networking diagram for limiting the rate of sending DHCP messages
[Figure: Attacker -- L2 network -- Ethernet 0/0/1 Switch; DHCP client -- L2 network -- Ethernet 0/0/2 Switch; Switch GE0/0/1 -- DHCP relay -- L3 network -- DHCP server]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and in the interface view.
2. Configure the interface connected to the DHCP server as the trusted interface.
3. Set the rate of sending DHCP Request messages to the protocol stack on the interfaces.
4. Configure the alarm function for discarded packets on the interfaces.

Data Preparation
To complete the configuration, you need the following data:
- Rate of sending DHCP Request messages
- Alarm threshold
NOTE

This configuration example provides only the commands related to the DHCP snooping configuration.

Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable


# Enable DHCP snooping on the user-side interface. The configuration procedures of Ethernet 0/0/2 and GE0/0/1 are similar to the configuration procedure of Ethernet 0/0/1, and are not described here.
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] dhcp snooping enable
[Quidway-Ethernet0/0/1] quit

Step 2 Configure the interface as the trusted interface or an untrusted interface.
# Configure the interface on the DHCP server side as the trusted interface.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] dhcp snooping trusted
[Quidway-GigabitEthernet0/0/1] quit

# Configure the user-side interfaces as untrusted interfaces. After DHCP snooping is enabled on Ethernet 0/0/1 and Ethernet 0/0/2, Ethernet 0/0/1 and Ethernet 0/0/2 are untrusted interfaces by default.

Step 3 Configure the rate of sending DHCP messages to the DHCP protocol stack and the alarm function for discarded packets.
# Configure the rate of sending DHCP messages to the DHCP protocol stack and the alarm function for discarded packets on the interfaces. The configuration procedures of Ethernet 0/0/2 and GE0/0/1 are similar to the configuration procedure of Ethernet 0/0/1, and are not described here.
[Quidway-Ethernet0/0/1] dhcp snooping check dhcp-rate enable 50 alarm dhcp-rate enable threshold 50
[Quidway-Ethernet0/0/1] quit

Step 4 Verify the configuration.
Run the display dhcp snooping global command on the Switch, and you can view that DHCP snooping is enabled globally and in the interface view.
[Quidway] display dhcp snooping global
 dhcp snooping enable
 Dhcp snooping enable is configured at these vlan :NULL
 Dhcp snooping enable is configured at these interface : Ethernet0/0/1 Ethernet0/0/2 GigabitEthernet0/0/1
 Dhcp snooping trusted is configured at these interface : GigabitEthernet0/0/1
 Dhcp option82 insert is configured at these interface :NULL
 Dhcp option82 rebuild is configured at these interface :NULL
 Dhcp option82 insert is configured at these vlan :NULL
 Dhcp option82 rebuild is configured at these vlan :NULL
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 0

Run the display dhcp snooping interface command on the Switch, and you can view the configuration of DHCP snooping in interface view.
[Quidway] display dhcp snooping interface gigabitethernet0/0/1
 dhcp snooping trusted
 dhcp snooping check dhcp-rate enable 50 alarm dhcp-rate enable threshold 50
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 0
 dhcp packet dropped by untrust-reply checking = 0
[Quidway] display dhcp snooping interface ethernet 0/0/1
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable 50 alarm dhcp-rate enable threshold 50
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 0
 dhcp packet dropped by untrust-reply checking = 0
[Quidway] display dhcp snooping interface Ethernet 0/0/2
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable 50 alarm dhcp-rate enable threshold 50
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 0
 dhcp packet dropped by untrust-reply checking = 0

----End

Configuration Files
#
 dhcp enable
 dhcp snooping enable
#
interface ethernet0/0/1
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable 50 alarm dhcp-rate enable threshold 50
#
interface ethernet0/0/2
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable 50 alarm dhcp-rate enable threshold 50
#
interface GigabitEthernet0/0/1
 dhcp snooping enable
 dhcp snooping trusted
 dhcp snooping check dhcp-rate enable 50 alarm dhcp-rate enable threshold 50
#
return

3.10.5 Example for Applying DHCP Snooping on a Layer 2 Network


This section describes the configuration of DHCP snooping on a Layer 2 network, including the configuration of the trusted interface, the function of checking DHCP messages, the function of limiting the rate of sending DHCP messages, and the Option 82 function.

Networking Requirements
As shown in Figure 3-6, DHCP clients are connected to the Switch through VLAN 10. DHCP client1 uses a dynamically allocated IP address and DHCP client2 uses a statically configured IP address. It is required that DHCP snooping be configured on user-side interfaces Ethernet 0/0/1 and Ethernet 0/0/2 of the Switch to prevent the following types of attacks:
- Bogus DHCP server attacks
- DoS attacks by changing the value of the CHADDR field
- Attacks by sending bogus messages to extend IP address leases
- Attacks by sending a large number of DHCP Request messages

Figure 3-6 Networking diagram for configuring DHCP snooping
(DHCP server reached through a DHCP relay on GE0/0/1 of the Switch; DHCP client1 on Ethernet 0/0/1; DHCP client2 on Ethernet 0/0/2 with IP:10.1.1.1/24 MAC:0001-0002-0003)

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and in the interface view.
2. Configure interfaces to be trusted or untrusted to prevent bogus DHCP server attacks.
3. Configure the DHCP snooping binding table and check DHCP Request messages by matching them with entries in the binding table to prevent attackers from sending bogus DHCP messages for extending IP address leases.
4. Configure the function of checking the CHADDR field in DHCP Request messages to prevent attackers from changing the CHADDR field in DHCP Request messages.
5. Set the rate of sending DHCP Request messages to the protocol stack to prevent attackers from sending a large number of DHCP Request messages.
6. Configure the Option 82 function.
7. Configure the alarm function for discarded packets.

Data Preparation
To complete the configuration, you need the following data:
- VLAN that the interfaces belong to: VLAN 10
- Ethernet 0/0/1 and Ethernet 0/0/2 as untrusted interfaces and GE 0/0/1 as the trusted interface
- Static IP address from which packets are forwarded: 10.1.1.1/24, with the corresponding MAC address 0001-0002-0003
- Rate of sending DHCP messages to the protocol stack: 90
- Mode of the Option 82 function: insert
- Alarm threshold for the number of discarded packets: 120

NOTE

This configuration example provides only the commands related to the DHCP snooping configuration.

Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable

# Enable DHCP snooping on the interfaces at the user side. The configuration procedure of Ethernet 0/0/2 is the same as that of Ethernet 0/0/1 and is not repeated here.
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] dhcp snooping enable
[Quidway-Ethernet0/0/1] quit

Step 2 Configure the interface as trusted.
# Configure the interface connecting to the DHCP server as the trusted interface. The interfaces connecting to DHCP clients, on which DHCP snooping is enabled, stay untrusted, which is the default mode of an interface after DHCP snooping is enabled on it. DHCP Reply messages received on untrusted interfaces are discarded, which prevents bogus DHCP server attacks.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] dhcp snooping trusted
[Quidway-GigabitEthernet0/0/1] quit

Step 3 Configure the checking of certain types of packets and the alarm function.
# Enable the checking of DHCP Request messages and the alarm function on the interfaces on the DHCP client side to prevent attackers from sending bogus DHCP messages for extending IP address leases. The configuration of Ethernet 0/0/2 is the same as that of Ethernet 0/0/1 and is not repeated here.
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] dhcp snooping check dhcp-request enable alarm dhcp-request enable threshold 120

# Enable the checking of the CHADDR field and the alarm function on the interfaces on the DHCP client side to prevent attackers from changing the CHADDR field in DHCP Request messages. The configuration of Ethernet 0/0/2 is the same as that of Ethernet 0/0/1 and is not repeated here.
[Quidway-Ethernet0/0/1] dhcp snooping check dhcp-chaddr enable alarm dhcp-chaddr enable threshold 120
[Quidway-Ethernet0/0/1] quit

Step 4 Configure the binding entry of DHCP client2 and check the DHCP snooping binding entries.
# DHCP client2 uses a statically configured IP address, so no entry is learned for it dynamically; configure a static binding entry for it.
[Quidway] user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface Ethernet 0/0/2 vlan 10

# Run the display dhcp snooping user-bind all command, and you can view the DHCP snooping binding entries of users.
<Quidway> display dhcp snooping user-bind all
DHCP Dynamic Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - map vlan
IP Address       MAC Address     VSI/VLAN(O/I/P)  Interface         Lease
--------------------------------------------------------------------------------
10.1.1.1         0001-0002-0003  10 /-- /--       Ethernet0/0/2     2010.08.14-12:58
--------------------------------------------------------------------------------
print count:           1          total count:           1

Step 5 Limit the rate of sending DHCP messages.
# Limit the rate at which DHCP messages are sent to the protocol stack, to prevent attackers from flooding the Switch with DHCP Request messages.
[Quidway] dhcp snooping check dhcp-rate enable
[Quidway] dhcp snooping check dhcp-rate 90

Step 6 Configure the Option 82 function.
# Configure the user-side interface to append the Option 82 field to DHCP messages. The configuration of Ethernet 0/0/2 is the same as that of Ethernet 0/0/1 and is not repeated here.
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] dhcp option82 insert enable
[Quidway-Ethernet0/0/1] quit

Step 7 Configure the alarm function for discarded packets.
# Enable the alarm function for discarded DHCP Reply packets, and set the alarm threshold for the number of discarded packets. The configuration of Ethernet 0/0/2 is the same as that of Ethernet 0/0/1 and is not repeated here.
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] dhcp snooping alarm dhcp-reply enable threshold 120
[Quidway-Ethernet0/0/1] quit

Step 8 Verify the configuration.
Run the display dhcp snooping global command on the Switch, and you can view that DHCP snooping is enabled globally. You can also view the statistics on alarms.
[Quidway] display dhcp snooping global
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable
 dhcp snooping check dhcp-rate 90
 Dhcp snooping enable is configured at these vlan :NULL
 Dhcp snooping enable is configured at these interface :
   Ethernet0/0/1
   Ethernet0/0/2
 Dhcp snooping trusted is configured at these interface :
   GigabitEthernet0/0/1
 Dhcp option82 insert is configured at these interface :
   Ethernet0/0/1
   Ethernet0/0/2
 Dhcp option82 rebuild is configured at these interface :NULL
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 0

Run the display dhcp snooping interface command, and you can view information about DHCP snooping on the interface.
[Quidway] display dhcp snooping interface Ethernet 0/0/1
 dhcp snooping enable
 dhcp option82 insert enable
 dhcp snooping check dhcp-request enable
 alarm dhcp-request threshold 120
 dhcp packet dropped by dhcp-request checking = 0
 dhcp snooping check dhcp-chaddr enable
 alarm dhcp-chaddr enable threshold 120
 dhcp packet dropped by dhcp-chaddr checking = 0
 dhcp snooping alarm dhcp-reply enable threshold 120
 dhcp packet dropped by untrust-reply checking = 0
[Quidway] display dhcp snooping interface gigabitethernet 0/0/1
 dhcp snooping trusted
 dhcp packet dropped by untrust-reply checking = 0

Run the display dhcp static user-bind all command, and you can view all the DHCP static binding entries of users.
<Quidway> display dhcp static user-bind all
DHCP static Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - map vlan
IP Address       MAC Address     VSI/VLAN(O/I/P)  Interface         Lease
--------------------------------------------------------------------------------
10.1.1.1         0001-0002-0003  10 /-- /--       Ethernet0/0/2     2010.08.14-12:58
--------------------------------------------------------------------------------
print count:           1          total count:           1

Run the display dhcp option82 interface command, and you can view the configuration of Option 82 on the interface.
[Quidway] display dhcp option82 interface Ethernet 0/0/1
 dhcp option82 insert enable

----End

Configuration Files
#
 dhcp enable
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable
 dhcp snooping check dhcp-rate 90
#
 user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface Ethernet 0/0/2 vlan 10
#
interface Ethernet0/0/1
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 dhcp snooping check dhcp-chaddr enable alarm dhcp-chaddr enable threshold 120
 dhcp snooping check dhcp-request enable alarm dhcp-request enable threshold 120
 dhcp option82 insert enable
#
interface Ethernet0/0/2
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 dhcp snooping check dhcp-chaddr enable alarm dhcp-chaddr enable threshold 120
 dhcp snooping check dhcp-request enable alarm dhcp-request enable threshold 120
 dhcp option82 insert enable
#
interface GigabitEthernet0/0/1
 dhcp snooping trusted
#
return
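The four attacks listed in the networking requirements map onto four separate checks, and it helps to see exactly which packet each one stops. The following Python model is an added example written for this guide, not code from the Huawei documentation or from the switch itself. Interface names, MAC addresses, the packet sequence and the single counting interval used for the rate limit are constructed for the demo, and the per-check alarm counters are a simplification of the switch's behaviour.

```python
# Added example, not from the Huawei guide: a Python model of the four DHCP
# snooping checks configured above (trusted port, CHADDR check, Request check
# against the binding table, rate limit with alarm). Interface names, thresholds,
# MAC addresses and the packet sequence are constructed for the demo; the
# simplifications (one counting interval, per-check alarm counters) are the
# author's, not the switch's exact behaviour.
from collections import defaultdict
from dataclasses import dataclass, field

# DHCP message types from RFC 2132 option 53.
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = range(1, 8)
SERVER_MSGS = {OFFER, ACK, NAK}                     # may only arrive on trusted ports
CHECKED_CLIENT_MSGS = {REQUEST, DECLINE, RELEASE}   # what "check dhcp-request" inspects


@dataclass
class Dhcp:
    port: str                 # ingress interface
    vlan: int
    src_mac: str              # Ethernet source address
    chaddr: str               # DHCP client hardware address field
    mtype: int
    ciaddr: str = "0.0.0.0"   # client's current address (renew/release/decline)
    yiaddr: str = "0.0.0.0"   # address the server assigns in OFFER/ACK


@dataclass
class Snooping:
    trusted: set
    rate_limit: int           # "dhcp snooping check dhcp-rate <n>" per interface
    alarm_threshold: int      # "alarm ... threshold <n>"
    bindings: dict = field(default_factory=dict)   # ip -> (ip, mac, vlan, port)
    drops: dict = field(default_factory=lambda: defaultdict(int))
    traps: list = field(default_factory=list)
    _seen: dict = field(default_factory=lambda: defaultdict(int))
    _client_port: dict = field(default_factory=dict)   # chaddr -> (port, vlan)

    def _drop(self, reason):
        self.drops[reason] += 1
        if self.drops[reason] == self.alarm_threshold:
            self.traps.append(reason)   # one trap when a check reaches its threshold
        return reason

    def process(self, p):
        """Return 'forward' or the name of the check that discarded the packet."""
        # 1. Rate limit: DHCP packets per interface in the current interval.
        self._seen[p.port] += 1
        if self._seen[p.port] > self.rate_limit:
            return self._drop("dhcp-rate")
        # 2. Bogus server: server messages are accepted only on trusted ports.
        if p.mtype in SERVER_MSGS:
            if p.port not in self.trusted:
                return self._drop("untrust-reply")
            if p.mtype == ACK and p.yiaddr != "0.0.0.0":
                port, vlan = self._client_port.get(p.chaddr, (None, p.vlan))
                self.bindings[p.yiaddr] = (p.yiaddr, p.chaddr, vlan, port)
            return "forward"
        # 3. CHADDR must equal the Ethernet source MAC (address-pool exhaustion).
        if p.chaddr != p.src_mac:
            return self._drop("dhcp-chaddr")
        # 4. Request/Release/Decline naming an address must match its binding,
        #    which stops lease extension or release on someone else's behalf.
        if p.mtype in CHECKED_CLIENT_MSGS and p.ciaddr != "0.0.0.0":
            if self.bindings.get(p.ciaddr) != (p.ciaddr, p.chaddr, p.vlan, p.port):
                return self._drop("dhcp-request")
        self._client_port[p.chaddr] = (p.port, p.vlan)
        return "forward"


def demo():
    sw = Snooping(trusted={"GE0/0/1"}, rate_limit=90, alarm_threshold=2)
    c1 = dict(port="Eth0/0/1", vlan=10, src_mac="0001-0002-0003", chaddr="0001-0002-0003")
    atk = dict(port="Eth0/0/2", vlan=10, src_mac="0a0a-0a0a-0a0a", chaddr="0a0a-0a0a-0a0a")
    srv = dict(port="GE0/0/1", vlan=10, src_mac="00ff-00ff-00ff", chaddr="0001-0002-0003")
    r = {}
    # Normal four-way exchange for client1; the ACK creates the binding entry.
    r["discover"] = sw.process(Dhcp(**c1, mtype=DISCOVER))
    r["offer"] = sw.process(Dhcp(**srv, mtype=OFFER, yiaddr="10.1.1.2"))
    r["request"] = sw.process(Dhcp(**c1, mtype=REQUEST))
    r["ack"] = sw.process(Dhcp(**srv, mtype=ACK, yiaddr="10.1.1.2"))
    # Bogus DHCP server answering from a user port.
    r["bogus_offer"] = sw.process(Dhcp(**atk, mtype=OFFER, yiaddr="10.1.1.99"))
    # CHADDR attack: random CHADDR behind the attacker's real source MAC.
    r["bad_chaddr"] = sw.process(Dhcp(**{**atk, "chaddr": "dead-beef-0001"}, mtype=DISCOVER))
    # Forged RELEASE of client1's lease, sent with client1's MAC from the attacker's port.
    spoof = {**atk, "src_mac": "0001-0002-0003", "chaddr": "0001-0002-0003"}
    r["bogus_release"] = sw.process(Dhcp(**spoof, mtype=RELEASE, ciaddr="10.1.1.2"))
    # Legitimate renewal by client1 on its own port passes the same check.
    r["renew"] = sw.process(Dhcp(**c1, mtype=REQUEST, ciaddr="10.1.1.2"))
    # Flood of 100 DISCOVERs in one interval from the attacker's port.
    flood = [sw.process(Dhcp(**atk, mtype=DISCOVER)) for _ in range(100)]
    r["flood_dropped"] = flood.count("dhcp-rate")
    r["traps"] = list(sw.traps)
    r["bindings"] = dict(sw.bindings)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:15} {v}")
```

Running the script prints one verdict per packet: the bogus OFFER on Ethernet 0/0/2 is dropped by the untrusted-reply check, the DISCOVER whose CHADDR differs from its source MAC by the CHADDR check, the RELEASE that names client1's lease from the wrong port by the Request check, and 13 of the 100 flooded DISCOVERs by the 90-packet rate limit, which is also the only check that reaches the deliberately low alarm threshold and raises a trap. The legitimate renewal from client1's own port passes because every field of the binding matches.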

4 Source IP Attack Defense Configuration

About This Chapter

This chapter describes the principle and configuration of defense against source IP address attacks.

NOTE

The source IP attack defense function cannot be used on the S2300SI.

4.1 Overview of IP Source Guard
This section describes the principle of IP source guard.
4.2 IP Source Guard Features Supported by the S2300
This section describes how the IP Source Guard feature is supported in the S2300.
4.3 Configuring IP Source Guard
This section describes how to configure IP source guard.
4.4 Configuration Examples
This section provides a configuration example of IP source guard.


4.1 Overview of IP Source Guard


This section describes the principle of IP source guard. Source IP address spoofing is a common attack on the network: for example, the attacker impersonates a valid user and sends IP packets to the server, or forges the source IP addresses of users for communication. As a result, valid users cannot obtain normal network services. To defend against such attacks, the S2300 provides the IP source guard function.

IP Source Guard
IP source guard is a measure to filter the IP packets received on interfaces, so that invalid packets cannot pass through the interfaces and the security of the interfaces is improved. In an IP/MAC spoofing attack, the attacker sends packets carrying the IP address and MAC address of an authorized user to the server. The server takes the attacker for the authorized user and learns the spoofed IP address and MAC address, so the actual user can no longer obtain service from the server. Figure 4-1 shows the IP/MAC spoofing attack.

Figure 4-1 Diagram of IP/MAC spoofing attack
(DHCP server IP:1.1.1.1/24 MAC:1-1-1; Switch; DHCP client IP:1.1.1.3/24 MAC:3-3-3; Attacker IP:1.1.1.2/24 MAC:2-2-2 sending packets with the client's source IP:1.1.1.3/24 and MAC:3-3-3)

To prevent the IP/MAC spoofing attack, you can configure the IP source guard function on the S2300. Then the S2300 matches the IP packets reaching an interface with the entries in the binding table. If the packets match entries in the binding table, the packets can pass through the interface; otherwise, the packets are discarded.

4.2 IP Source Guard Features Supported by the S2300


This section describes how the IP Source Guard feature is supported in the S2300.


IP Source Guard
The IP Source Guard feature checks IP packets against the binding table, whose entries consist of the source IP address, source MAC address, interface, and VLAN. For example, in the interface view you can configure the IP packet check based on:
- IP+MAC
- IP+VLAN
- IP+MAC+VLAN
- ...

In the VLAN view you can configure the IP packet check based on:
- IP+MAC
- IP+Interface
- IP+MAC+Interface

The S2300 provides two binding mechanisms:
- After the DHCP snooping function is enabled for DHCP users, the binding table is dynamically generated for the DHCP users.
- When users use static IP addresses, you need to configure the binding table by running commands.
NOTE

For the configurations of DHCP snooping, see 3 DHCP Snooping Configuration.

4.3 Configuring IP Source Guard


This section describes how to configure IP source guard.
4.3.1 Establishing the Configuration Task
4.3.2 (Optional) Configuring a Static User Binding Entry
4.3.3 Enabling IP Source Guard
4.3.4 Configuring the Check Items of IP Packets
4.3.5 (Optional) Configuring the Alarm Function of IP Source Guard
When the alarm function of IP source guard is enabled, the S2300 counts the IP packets that are discarded because they do not match the binding table. If this number exceeds the alarm threshold, the S2300 sends a trap message to the NMS.
4.3.6 (Optional) Configuring the Function of Discarding IP Packets with the Same Source and Destination IP Addresses
4.3.7 Checking the Configuration

4.3.1 Establishing the Configuration Task



Applicable Environment
After the IP source guard function is configured on the S2300, the S2300 checks the IP packets according to the binding table. Only the IP packets that match the content of the binding table can be forwarded; the other IP packets are discarded.

Pre-configuration Tasks
Before configuring IP source guard, complete the following task:
- 3.3.2 Enabling DHCP Snooping, if there are DHCP users

Data Preparation
To configure IP source guard, you need the following data.
No. | Data
1   | (Optional) User information in a static binding entry, including the IPv4 or IPv6 address, MAC address, VLAN ID, and interface number of the user
2   | Type and number of the interface enabled with the IP source guard function
3   | Alarm threshold for checking the received IP packets

4.3.2 (Optional) Configuring a Static User Binding Entry


Context
For users with statically configured IP addresses, the S2300 cannot automatically learn the MAC addresses of the users or generate binding entries for them before forwarding their data. You need to create the binding entries manually.

Procedure
Step 1 Run:
system-view

The system view is displayed. Step 2 Run:


user-bind static { { ip-address ip-address | ipv6-address ipv6-address } | mac-address mac-address } * [ interface interface-type interface-number ] [ vlan vlan-id [ ce-vlan ce-vlan-id ] ]

A static user binding entry is configured. ----End



4.3.3 Enabling IP Source Guard


Procedure
Step 1 Run:
system-view

The system view is displayed. Step 2 Run:


interface interface-type interface-number

The interface view is displayed. This is a user-side interface. Or, run:


vlan vlan-id

The VLAN view is displayed. Step 3 Run:


ip source check user-bind enable

The IP source guard function is enabled on the interface or in the VLAN. By default, the IP source guard function is not enabled on the S2300.
----End

4.3.4 Configuring the Check Items of IP Packets


Context
After the function of checking IP packets is enabled, the S2300 checks the received IP packets against the binding table. The check items include the source IPv4 address, source IPv6 address, source MAC address, VLAN ID, and interface number.

Procedure
Step 1 Run:
system-view

The system view is displayed. Step 2 Run:


interface interface-type interface-number

The interface view is displayed. This is a user-side interface. Or, run:


vlan vlan-id


The VLAN view is displayed. Step 3 In the interface view, run:


ip source check user-bind check-item { ip-address | mac-address | vlan }*

Or in the VLAN view, run:


ip source check user-bind check-item { ip-address | mac-address | interface }*

The check items of IP packets are configured. When receiving an IP packet, the interface checks the packet against the binding table on the configured check items: the source IPv4 address, the source MAC address, the VLAN (or the interface, in the VLAN view), or any combination of them. If the packet matches a binding entry on those items, it is forwarded; otherwise, it is discarded. By default, all check items are used, that is, the IPv4 address, IPv6 address, MAC address, VLAN ID, and interface number.
NOTE

This command is valid only for dynamic binding entries.

----End

4.3.5 (Optional) Configuring the Alarm Function of IP Source Guard


When the alarm function of IP source guard is enabled, the S2300 counts the IP packets that are discarded on the interface because they do not match the binding table. If this number exceeds the alarm threshold, the S2300 sends a trap message to the NMS.

Procedure
Step 1 Run:
system-view

The system view is displayed. Step 2 Run:


interface interface-type interface-number

The interface view is displayed. Step 3 Run:


ip source check user-bind alarm enable

The alarm function of IP source guard is enabled. By default, the alarm function of IP source guard is disabled.

CAUTION
Do not enable the IP packet check function in both the VLAN view and the interface view for the same traffic; otherwise, the IP packet check alarm does not take effect.


Step 4 Run:
ip source check user-bind alarm threshold threshold

The alarm threshold of IP source guard is set. By default, the alarm threshold of IP source guard is 100. ----End

4.3.6 (Optional) Configuring the Function of Discarding IP Packets with the Same Source and Destination IP Addresses
Procedure
Step 1 Run:
system-view

The system view is displayed. Step 2 Run:


ip anti-attack source-ip equals destination-ip drop

The function of discarding IP packets with the same source and destination IP addresses is enabled. By default, IP packets with the same source and destination IP addresses are not discarded. ----End

4.3.7 Checking the Configuration


Prerequisite
The configurations of IP source guard are complete.

Procedure
Step 1 Run the display dhcp static user-bind { interface interface-type interface-number | ip-address ip-address | ipsg-status | mac-address mac-address | vlan vlan-id [ interface interface-type interface-number ] | all [ verbose ] } command to view information about the static binding table.
Step 2 Run the display ip source check user-bind interface interface-type interface-number command to view the configuration of the IP source guard function on the interface.
----End

4.4 Configuration Examples


This section provides a configuration example of IP source guard. 4.4.1 Example for Configuring IP Source Guard

4.4.1 Example for Configuring IP Source Guard


Networking Requirements
As shown in Figure 4-2, Host A is connected to the Switch through Ethernet 0/0/1 and Host B is connected to the Switch through Ethernet 0/0/2. You need to configure the IP source guard function on the Switch so that Host B cannot forge the IP address and MAC address of Host A, while IP packets from Host A can still be sent to the server.

Figure 4-2 Networking diagram for configuring IP source guard
(Server; Switch with Ethernet0/0/1 to Host A and Ethernet0/0/2 to Host B; Host A IP:10.0.0.1/24 MAC:1-1-1; Host B (Attacker) IP:10.0.0.2/24 MAC:2-2-2, sending packets with SIP:10.0.0.1/24 SMAC:2-2-2)

Configuration Roadmap
Assume that the user obtains an IP address through DHCP. The configuration roadmap is as follows:
1. Enable the IP source guard function on the interfaces connected to Host A and Host B.
2. Configure a static binding table.

Data Preparation
To complete the configuration, you need the following data:
- Interface connected to Host A: Ethernet 0/0/1; interface connected to Host B: Ethernet 0/0/2
- IP address of Host A: 10.0.0.1/24; MAC address of Host A: 1-1-1
- VLAN where Host A resides: VLAN 10
NOTE

This configuration example provides only the commands related to the IP Source Guard configuration.


Procedure
Step 1 Enable the IP source guard function.
# Enable the IP source guard function on Ethernet 0/0/1 connected to Host A.
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] ip source check user-bind enable

# Enable the alarm function for checking the received IP packets on Ethernet 0/0/1 connected to Host A.
[Quidway-Ethernet0/0/1] ip source check user-bind alarm enable
[Quidway-Ethernet0/0/1] ip source check user-bind alarm threshold 200
[Quidway-Ethernet0/0/1] quit

# Enable the IP source guard function on Ethernet 0/0/2 connected to Host B.
[Quidway] interface ethernet 0/0/2
[Quidway-Ethernet0/0/2] ip source check user-bind enable

# Enable the alarm function for checking the received IP packets on Ethernet 0/0/2 connected to Host B.
[Quidway-Ethernet0/0/2] ip source check user-bind alarm enable
[Quidway-Ethernet0/0/2] ip source check user-bind alarm threshold 200
[Quidway-Ethernet0/0/2] quit

Step 2 Configure the static binding entry for Host A.
After user A goes online, the system allocates IP address 10.0.0.1/24 to the user and the user adopts MAC address 1-1-1. Bind this address pair to VLAN 10 on Ethernet 0/0/1.
[Quidway] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface Ethernet 0/0/1 vlan 10

Step 3 Verify the configuration.
Run the display dhcp snooping user-bind all command on the Switch to view information about the binding table.
<Quidway> display dhcp snooping user-bind all
DHCP static Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - map vlan
IP Address       MAC Address     VSI/VLAN(O/I/P)  Interface
--------------------------------------------------------------------------------
10.0.0.1         0001-0001-0001  10 /-- /--       Eth0/0/1
--------------------------------------------------------------------------------
print count:           1          total count:           1

The preceding information indicates that Host A exists in the binding table, whereas Host B does not. Packets that carry Host A's IP address or MAC address but arrive on Ethernet 0/0/2 therefore match no entry and are discarded, which defeats the spoofing. Note that the check applies to every IP packet received on Ethernet 0/0/2: because Host B has no binding entry of its own, its legitimate traffic is discarded as well until a dynamic or static entry exists for it.
----End

Configuration Files
#
 user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface Ethernet 0/0/1 vlan 10
#
interface Ethernet 0/0/1
 ip source check user-bind enable
 ip source check user-bind alarm enable
 ip source check user-bind alarm threshold 200
#
interface Ethernet 0/0/2
 ip source check user-bind enable
 ip source check user-bind alarm enable
 ip source check user-bind alarm threshold 200
#
return
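To see what the binding-table check of 4.3.3 to 4.3.6 does with the packets of this example, here is an added Python model; it is not the switch's code and not from the Huawei guide. Hosts, addresses and thresholds are taken from the example above. The scoping rule (an interface-view check considers only bindings on that interface, a VLAN-view check only bindings in that VLAN, and then compares the selected check items), the server address and the uplink name are assumptions made for the demo.

```python
# Added example, not from the Huawei guide: a Python model of the IP source guard
# check from 4.3.3 to 4.3.6, run against the Host A / Host B scenario of 4.4.1.
# Hosts, addresses, thresholds and the check-item semantics (bindings are scoped
# to the interface or VLAN the function is enabled on, then compared on the
# selected items) are the author's assumptions for the demo.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:            # one user-bind entry, static or learned by DHCP snooping
    ip: str
    mac: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class Packet:
    interface: str        # ingress port
    vlan: int
    src_mac: str
    src_ip: str
    dst_ip: str


class IpSourceGuard:
    # Check items each view accepts, as listed by the commands in 4.3.4.
    INTERFACE_ITEMS = frozenset({"ip-address", "mac-address", "vlan"})
    VLAN_ITEMS = frozenset({"ip-address", "mac-address", "interface"})

    def __init__(self, bindings, alarm_threshold=100, drop_sip_eq_dip=False):
        self.bindings = list(bindings)
        self.alarm_threshold = alarm_threshold      # default 100, see 4.3.5
        self.drop_sip_eq_dip = drop_sip_eq_dip      # the 4.3.6 function
        self.guarded_if = {}                        # interface -> check items
        self.guarded_vlan = {}                      # vlan -> check items
        self.drops = defaultdict(int)               # per-interface discard counter
        self.traps = []

    def enable_interface(self, interface, items=None):
        items = frozenset(items) if items else self.INTERFACE_ITEMS
        if not items <= self.INTERFACE_ITEMS:
            raise ValueError("invalid interface-view check item")
        self.guarded_if[interface] = items

    def enable_vlan(self, vlan, items=None):
        items = frozenset(items) if items else self.VLAN_ITEMS
        if not items <= self.VLAN_ITEMS:
            raise ValueError("invalid VLAN-view check item")
        self.guarded_vlan[vlan] = items

    @staticmethod
    def _matches(b, p, items):
        checks = {"ip-address": b.ip == p.src_ip, "mac-address": b.mac == p.src_mac,
                  "vlan": b.vlan == p.vlan, "interface": b.interface == p.interface}
        return all(checks[i] for i in items)

    def _drop(self, p, reason):
        self.drops[p.interface] += 1
        if self.drops[p.interface] == self.alarm_threshold:
            self.traps.append((p.interface, reason))   # trap to the NMS
        return "drop:" + reason

    def forward(self, p):
        """Return 'forward' or 'drop:<reason>' for one received IP packet."""
        if self.drop_sip_eq_dip and p.src_ip == p.dst_ip:
            return self._drop(p, "sip-equals-dip")
        scopes = []
        if p.interface in self.guarded_if:      # interface view: this port's bindings
            scopes.append(([b for b in self.bindings if b.interface == p.interface],
                           self.guarded_if[p.interface]))
        if p.vlan in self.guarded_vlan:         # VLAN view: this VLAN's bindings
            scopes.append(([b for b in self.bindings if b.vlan == p.vlan],
                           self.guarded_vlan[p.vlan]))
        if not scopes:
            return "forward"                    # IP source guard not enabled here
        for candidates, items in scopes:
            if not any(self._matches(b, p, items) for b in candidates):
                return self._drop(p, "no-binding")
        return "forward"


def demo():
    host_a = Binding("10.0.0.1", "0001-0001-0001", 10, "Eth0/0/1")
    srv = "10.0.0.100"                                               # assumed server address
    g = IpSourceGuard([host_a], alarm_threshold=2, drop_sip_eq_dip=True)
    g.enable_interface("Eth0/0/1")                                   # default: all items
    g.enable_interface("Eth0/0/2", {"ip-address", "mac-address"})    # Host B's port
    r = {}
    r["host_a"] = g.forward(Packet("Eth0/0/1", 10, "0001-0001-0001", "10.0.0.1", srv))
    # Host B forges both Host A's IP and MAC but can only send on Eth0/0/2.
    r["host_b_spoof"] = g.forward(Packet("Eth0/0/2", 10, "0001-0001-0001", "10.0.0.1", srv))
    # Host B's own addresses have no binding entry either, so its traffic is dropped too.
    r["host_b_own"] = g.forward(Packet("Eth0/0/2", 10, "0002-0002-0002", "10.0.0.2", srv))
    # Host A's addresses from another VLAN fail the default vlan check item.
    r["host_a_wrong_vlan"] = g.forward(Packet("Eth0/0/1", 20, "0001-0001-0001", "10.0.0.1", srv))
    # Packet with source IP equal to destination IP, discarded by the 4.3.6 function.
    r["sip_eq_dip"] = g.forward(Packet("Eth0/0/1", 10, "0001-0001-0001", "10.0.0.1", "10.0.0.1"))
    # Uplink with no IP source guard: nothing is checked.
    r["uplink"] = g.forward(Packet("GE0/0/1", 10, "00ff-00ff-00ff", srv, "10.0.0.1"))
    # Same spoof against a VLAN-view configuration checking IP plus interface.
    v = IpSourceGuard([host_a])
    v.enable_vlan(10, {"ip-address", "interface"})
    r["vlan_view_spoof"] = v.forward(Packet("Eth0/0/2", 10, "0001-0001-0001", "10.0.0.1", srv))
    r["traps"] = list(g.traps)
    return r


if __name__ == "__main__":
    for k, val in demo().items():
        print(f"{k:18} {val}")
```

The output shows the two points the example is built around. First, even an attacker that copies both of Host A's addresses is stopped, because the binding also names the interface (or, in the VLAN view, because `interface` is a check item). Second, with the low alarm threshold used here, the second discard on each port raises a trap, and the discards on Ethernet 0/0/2 include Host B's own, unspoofed traffic: an interface with IP source guard enabled and no binding entry for its user forwards nothing.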

5 Local Attack Defense Configuration

About This Chapter

This chapter describes the principle and configuration of local attack defense.
5.1 Configuring the Attack Defense Policy
This section describes how to configure the attack defense policy.


5.1 Configuring the Attack Defense Policy


This section describes how to configure the attack defense policy.
5.1.1 Establishing the Configuration Task
This section describes how to establish the configuration task of an attack defense policy.
5.1.2 (Optional) Configuring the Rule for Sending Packets to the CPU
The rule for sending packets to the CPU can be car or deny.

5.1.1 Establishing the Configuration Task


This section describes how to establish the configuration task of an attack defense policy.

Applicable Environment
When a large number of users access the S2300, the CPU of the S2300 may be attacked by the packets sent by attackers or the CPU needs to process a large number of packets.

Pre-configuration Tasks
Before configuring an attack defense policy, complete the following task:
- Connecting interfaces and setting the physical parameters of each interface to ensure that the physical layer is in Up state

5.1.2 (Optional) Configuring the Rule for Sending Packets to the CPU
The rule for sending packets to the CPU can be car or deny.

Context
NOTE

The rule applied to the same packet sent to the CPU can be car or deny. If both car and deny are set, the rule that was configured later takes effect. You are advised to use the default CAR value on the S2300. The rate limit for packets in queues takes precedence over the rate limit for all the packets on an interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:

cp-car { total | queue queue-index } speed speed-value

The maximum rate of packets sent to the CPU is set. (S2300EI)

Or run:

cp-car total speed speed-value

The maximum rate of packets sent to the CPU is set. (S2300SI)

NOTE

The maximum rate of packets in a queue sent to the CPU cannot be set on the S2300SI.

CAUTION

The cp-car command changes the maximum rate of packets sent to the CPU. A value below the rate of legitimate protocol traffic causes control packets to be dropped, so exercise caution when you run the cp-car command.

----End

6 PPPoE+ Configuration

About This Chapter

This chapter describes how to configure PPPoE+.

NOTE

The S2300SI does not support PPPoE+.

6.1 PPPoE+ Overview
This section describes the principle of PPPoE+.
6.2 PPPoE+ Features Supported by the S2300
This section describes the PPPoE+ features supported by the S2300.
6.3 Configuring PPPoE+
This section describes how to configure PPPoE+.
6.4 Configuration Examples
This section provides several configuration examples of PPPoE+.


6.1 PPPoE+ Overview


This section describes the principle of PPPoE+. PPPoE provides a good authentication and security mechanism, but it still has shortcomings, for example, account theft. In common PPPoE dial-up mode, users who dial up through PPPoE from different interfaces of the device can all access the network as long as their accounts are authenticated successfully on the same RADIUS server, so a stolen account works from any port. After PPPoE+ is enabled, the user still enters the user name and password for authentication, but the authentication packet also carries information such as the interface the user is connected to. If the interface identified by the RADIUS server differs from the one configured for that account, the authentication fails. In this manner, unauthorized users cannot use the stolen accounts of authorized users (typically a company's accounts) to access the Internet.

6.2 PPPoE+ Features Supported by the S2300


This section describes the PPPoE+ features supported by the S2300. The S2300 can add the device type and interface number to the received PPPoE packets. In this manner, the PPPoE server can perform policy control flexibly for the client according to the information in the received PPPoE packets, for example, IP address allocation control and flexible accounting.

6.3 Configuring PPPoE+


This section describes how to configure PPPoE+.
6.3.1 Establishing the Configuration Task
6.3.2 Enabling PPPoE+ Globally
6.3.3 Configuring the Format and Contents of Fields to Be Added To PPPoE Packets
6.3.4 Configuring the Action for Processing Original Fields in PPPoE Packets
6.3.5 Configuring the PPPoE Trusted Interface
6.3.6 Checking the Configuration

6.3.1 Establishing the Configuration Task


Applicable Environment
To prevent the access of unauthorized users during PPPoE authentication, you need to configure PPPoE+ on the S2300. In this case, interface information is added to the PPPoE packets. The security of the network is thus ensured.

Pre-configuration Tasks
None.

Data Preparation
To configure PPPoE+, you need the following data.
No. | Data
1   | Interface number related to PPPoE authentication
2   | Format and contents of the fields to be added to PPPoE packets

6.3.2 Enabling PPPoE+ Globally


Procedure
Step 1 Run:
system-view

The system view is displayed. Step 2 Run:


pppoe intermediate-agent information enable

PPPoE+ is enabled globally. After the pppoe intermediate-agent information enable command is run in the system view, PPPoE+ is enabled on all the interfaces. By default, PPPoE+ is disabled globally. ----End

6.3.3 Configuring the Format and Contents of Fields to Be Added To PPPoE Packets
Context
After PPPoE+ is enabled globally, the user-side interface on the S2300 adds information in common format to the received PPPoE packets. You can modify the format of the field to be appended through this task.

Procedure
Step 1 Run:
system-view

The system view is displayed. Step 2 Run:


pppoe intermediate-agent information format { circuit-id | remote-id } { common | extend | user-defined text }

The format and contents of fields to be added to PPPoE packets are set.

After the pppoe intermediate-agent information format command is run in the system view, all the interfaces add fields in specified format to the received PPPoE packets. ----End

6.3.4 Configuring the Action for Processing Original Fields in PPPoE Packets
Context
You can configure the action for processing original fields in PPPoE packets in the system view and in the interface view. The configuration in the system view is valid for all the interfaces. To adopt a different action on an interface, run the pppoe intermediate-agent information policy command in the interface view. In this case, the action for processing packets on the interface depends on the configuration of the interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
pppoe intermediate-agent information policy { drop | keep | replace }

The action for all the interfaces to process original fields in PPPoE packets is configured.
- drop: removes the original fields from PPPoE packets.
- keep: retains the contents and format of the original fields in PPPoE packets.
- replace: replaces the original fields in PPPoE packets according to the set field format, regardless of whether the packets already carry the fields.
By default, after PPPoE+ is enabled globally, the user-side interface on the S2300 replaces the original fields in the received PPPoE packets.
Step 3 (Optional) Run:
interface interface-type interface-number

The Ethernet interface view is displayed. Then run:
pppoe intermediate-agent information policy { drop | keep | replace }

The action for this interface to process original fields in PPPoE packets is configured; it overrides the global setting on this interface only. By default, the interface on the S2300 replaces the original information fields in PPPoE packets.
----End

6.3.5 Configuring the PPPoE Trusted Interface


Context
To prevent bogus PPPoE servers and the security risk caused by PPPoE packets forwarded to non-PPPoE service interfaces, you can configure the interface connecting the S2300 and the PPPoE server as the trusted interface. After the trusted interface is configured, PPPoE packets sent from the PPPoE client to the PPPoE server are forwarded through the trusted interface only. In addition, only the PPPoE packets received from the trusted interface are forwarded to the PPPoE client.
NOTE
The trusted interface only controls protocol packets in the PPPoE discovery stage; it does not control service packets in the PPPoE session stage.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
interface interface-type interface-number

The Ethernet interface view is displayed.
Step 3 Run:
pppoe uplink-port trusted

The interface is configured as the trusted interface.
----End
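The following Python model is added here as an illustration of what 6.3.3 to 6.3.5 configure; it is not code from the S2300 or from Huawei. It shows how the drop, keep and replace policies act on the access-loop fields of one PPPoE discovery packet, and how the trusted-interface rule rejects server-originated PADO/PADS packets that arrive on a user-side port (a bogus PPPoE server). The encoding of the fields as a Vendor-Specific tag (0x0105) with ADSL Forum vendor id 3561 and sub-options 0x01 circuit-id / 0x02 remote-id follows DSL Forum TR-101 / RFC 4679 and is an assumption, since the page does not name the encoding; the client PADI, the circuit-id value Ethernet0/0/1:100 and the treatment of a tagless packet under keep are constructed assumptions as well.

```python
import struct

# PPPoE discovery-stage codes and tag types (RFC 2516).
PADI, PADO, PADR, PADS, PADT = 0x09, 0x07, 0x19, 0x65, 0xA7
TAG_END_OF_LIST, TAG_SERVICE_NAME = 0x0000, 0x0101
TAG_HOST_UNIQ, TAG_VENDOR_SPECIFIC = 0x0103, 0x0105
# Assumption: access-loop fields use the TR-101 / RFC 4679 encoding, i.e. a
# Vendor-Specific tag with vendor id 3561 (ADSL Forum) and sub-options
# 0x01 (Agent-Circuit-Id) and 0x02 (Agent-Remote-Id).
VENDOR_ID_ADSL_FORUM = 3561
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 0x01, 0x02


def parse_tags(tag_bytes):
    """Split a PPPoE discovery tag area into (type, value) pairs; reject truncation."""
    tags, off = [], 0
    while off + 4 <= len(tag_bytes):
        ttype, tlen = struct.unpack_from("!HH", tag_bytes, off)
        off += 4
        if off + tlen > len(tag_bytes):
            raise ValueError("truncated PPPoE tag")
        tags.append((ttype, tag_bytes[off:off + tlen]))
        off += tlen
    return tags


def build_tags(tags):
    return b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)


def build_payload(code, tags, session=0):
    """PPPoE header (ver/type 0x11, code, session id, length) followed by the tags."""
    body = build_tags(tags)
    return struct.pack("!BBHH", 0x11, code, session, len(body)) + body


def build_vendor_tag(circuit_id, remote_id=None):
    """Encode the switch's own access-loop information as one Vendor-Specific tag value."""
    body = struct.pack("!I", VENDOR_ID_ADSL_FORUM)
    body += bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if remote_id is not None:
        body += bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id
    return body


def parse_vendor_tag(value):
    """Return {sub_type: bytes} for an ADSL Forum vendor tag, None for other vendors."""
    if len(value) < 4 or struct.unpack_from("!I", value)[0] != VENDOR_ID_ADSL_FORUM:
        return None
    subs, off = {}, 4
    while off + 2 <= len(value):
        st, sl = value[off], value[off + 1]
        subs[st] = value[off + 2:off + 2 + sl]
        off += 2 + sl
    return subs


def apply_policy(payload, policy, circuit_id, remote_id=None):
    """Apply the 6.3.4 policy (drop | keep | replace) to one PPPoE discovery payload,
    which is the Ethernet frame without its 14-byte Ethernet header."""
    ver_type, code, session, length = struct.unpack_from("!BBHH", payload, 0)
    tags = parse_tags(payload[6:6 + length])
    end = [t for t in tags if t[0] == TAG_END_OF_LIST]
    original = [t for t in tags if t[0] == TAG_VENDOR_SPECIFIC]
    others = [t for t in tags if t[0] not in (TAG_END_OF_LIST, TAG_VENDOR_SPECIFIC)]
    own = (TAG_VENDOR_SPECIFIC, build_vendor_tag(circuit_id, remote_id))

    if policy == "drop":        # remove the original fields, add nothing
        new_tags = others
    elif policy == "keep":      # retain original fields as received; a packet carrying
        new_tags = others + (original or [own])   # none gets the switch's tag (assumption)
    elif policy == "replace":   # the packet leaves with exactly the switch's own fields
        new_tags = others + [own]
    else:
        raise ValueError("unknown policy: %r" % (policy,))
    body = build_tags(new_tags + end)
    return struct.pack("!BBHH", ver_type, code, session, len(body)) + body


def accept_on_ingress(code, ingress_is_trusted):
    """6.3.5 trusted-interface rule for the discovery stage: server-originated PADO and
    PADS are accepted only from the trusted (PPPoE server) interface."""
    return ingress_is_trusted if code in (PADO, PADS) else True


def circuit_id_of(payload):
    """Extract the Agent-Circuit-Id carried by a payload, or None if it carries none."""
    length = struct.unpack_from("!H", payload, 4)[0]
    for ttype, value in parse_tags(payload[6:6 + length]):
        if ttype == TAG_VENDOR_SPECIFIC:
            subs = parse_vendor_tag(value)
            if subs is not None:
                return subs.get(SUB_CIRCUIT_ID)
    return None


# Constructed sample: a client PADI that already carries a forged circuit-id ("fake"),
# which the switch must not pass on unchanged under the default replace policy.
CLIENT_PADI = build_payload(PADI, [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, b"\x12\x34"),
                                   (TAG_VENDOR_SPECIFIC, build_vendor_tag(b"fake"))])
SWITCH_CIRCUIT_ID = b"Ethernet0/0/1:100"   # constructed value for the receiving interface

if __name__ == "__main__":
    for pol in ("drop", "keep", "replace"):
        print(pol, circuit_id_of(apply_policy(CLIENT_PADI, pol, SWITCH_CIRCUIT_ID)))
    print("PADO on user port accepted:", accept_on_ingress(PADO, False))
```

With the default replace policy the forged circuit-id never reaches the BRAS; with keep it would, which is why keep is only appropriate when the downstream device that inserted the field is itself trusted.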

6.3.6 Checking the Configuration


Procedure
- Run the display pppoe intermediate-agent information format command to check information about the circuit ID and remote ID that are globally set.
- Run the display pppoe intermediate-agent information policy command to check the globally set action for processing original fields in PPPoE packets.
----End

6.4 Configuration Examples


This section provides several configuration examples of PPPoE+.

6.4.1 Example for Configuring PPPoE+


Networking Requirements
As shown in Figure 6-1, the Switch is connected to the upstream device BRAS and the downstream device PC; the PPPoE server is configured on the BRAS device. PPPoE+ is enabled on the Switch to control and monitor dialup users.
Figure 6-1 Networking diagram for configuring PPPoE+
[Figure: the BRAS (PPPoE server) on the IP network connects to GE0/0/1 of the Switch, on which PPPoE+ is enabled; PPPoE clients connect to Ethernet 0/0/1 and Ethernet 0/0/2 of the Switch.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable PPPoE+ globally.
NOTE
After PPPoE+ is enabled globally, PPPoE+ is enabled on all the interfaces.
2. Configure the contents and format of fields to be added to PPPoE packets on the Switch.
3. Configure the action for the Switch to process PPPoE packets.
4. Configure the interface connecting the Switch and the PPPoE server as the trusted interface.

Data Preparation
None.

Procedure
Step 1 Enable PPPoE+.
<Quidway> system-view
[Quidway] pppoe intermediate-agent information enable

Step 2 Configure the format of information fields. Configure the Switch to add the circuit ID in extend format to PPPoE packets, that is, the format in hexadecimal notation is used.
[Quidway] pppoe intermediate-agent information format circuit-id extend

Step 3 Configure the action for processing original fields in PPPoE packets. Configure all the interfaces to replace original fields in PPPoE packets with the circuit ID of the Switch.
[Quidway] pppoe intermediate-agent information policy replace

Step 4 Configure the trusted interface. Configure GE 0/0/1 as the trusted interface.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] pppoe uplink-port trusted
[Quidway-GigabitEthernet0/0/1] quit

----End

Configuration Files
#
 sysname Quidway
#
 pppoe intermediate-agent information enable
 pppoe intermediate-agent information format circuit-id extend
#
interface GigabitEthernet0/0/1
 pppoe uplink-port trusted
#
return

7 MFF Configuration

About This Chapter
This section describes the principle and configuration of the MAC-Forced Forwarding (MFF) function.
NOTE
S2300SI does not support the MFF function.

7.1 MFF Overview
This section describes the principle of the MFF function.
7.2 MFF Features Supported by the S2300
This section describes the MFF features supported by the S2300.
7.3 Configuring MFF
The MFF function isolates users at Layer 2 and forwards traffic through the gateway.
7.4 Configuration Examples
This section provides a configuration example of MFF.


7.1 MFF Overview


This section describes the principle of the MFF function.

Background
In traditional Ethernet solutions, VLANs are usually configured on switches to implement Layer 2 isolation and Layer 3 interconnection between clients. When many users need to be isolated at Layer 2, a large number of VLANs are required. In addition, to enable the clients to communicate at Layer 3, each VLAN must be assigned an IP network segment and each VLANIF interface needs an IP address, which wastes IP addresses. Such a network is also vulnerable to attack, and malicious attacks launched by users on the network cannot be prevented. The MFF function solves this problem by implementing Layer 2 isolation and Layer 3 interconnection between the clients in a single broadcast domain. MFF intercepts the ARP requests from users and, acting as an ARP proxy, answers them with ARP replies that carry the MAC address of the gateway. In this manner, MFF forces users to send all traffic, including traffic destined for the same subnet, to the gateway, so that the gateway can monitor the data traffic. This prevents malicious attacks and improves network security.

MFF Interface Role
Two types of interfaces are involved in the MFF function: network interface and user interface.
- User interface
  A user interface refers to an interface connected to a network terminal. The user interface processes different packets as follows:
  - Sends ARP and DHCP packets to the CPU.
  - Allows ARP, DHCP, IGMP, and EAPOL packets to pass through.
  - Allows unicast packets whose destination MAC address is the MAC address of the gateway to pass through and discards other packets if the interface has learned the MAC address of the gateway; discards all packets if the interface has not learned the MAC address of the gateway.
  - Rejects multicast packets and broadcast packets.
- Network interface
  A network interface is an interface connected to another network device, for example, an access switch, an aggregation switch, or a gateway. MFF processes packets on a network interface as follows:
  - Allows multicast and DHCP packets to pass through.
  - Sends ARP packets to the CPU.
  - Forwards packets directly without processing.
NOTE
- The interfaces receiving packets sent from the gateway must be configured as network-side interfaces.
- The interface role is irrelevant to the position of the interface on a network.
- On a VLAN where MFF is enabled, an interface must be either a network interface or a user interface.


7.2 MFF Features Supported by the S2300


This section describes the MFF features supported by the S2300.

Static Gateway
The static gateway is applicable to the scenario where the IP addresses are set statically. When users are assigned IP addresses statically, the users cannot obtain the gateway information through the DHCP packets. In this case, a static gateway address needs to be configured for each VLAN. If the static gateway address is not configured, all the users cannot communicate with each other except for the DHCP users.

Gateway Address Detection and Maintenance


If the function of timed gateway address detection is enabled, MFF sends detection packets periodically to check whether the gateway address needs to be updated. The detection packet is a forged ARP packet whose source IP address and MAC address are the addresses of the first user in the MFF user list. If the first user entry is deleted, the MFF selects another user entry to forge the ARP packet. If the gateway does not have any matching user information after the user entry is deleted, the MFF deletes the probe information.

ARP Proxy
The Layer 3 communication between users is implemented through the ARP proxy. The ARP proxy reduces the number of broadcast packets at the user side. MFF processes ARP packets as follows:
- Responds to the ARP requests of users. MFF substitutes for the gateway to respond to the ARP requests of users. Therefore, all the packets of users are forwarded at Layer 3 by the gateway. The ARP request of a user may be for the gateway address or for the IP address of another user.
- Responds to ARP request packets with the user IP address and MAC address.
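The following Python model is added here to show, in executable form, the user-interface rules of 7.1 ("MFF Interface Role"), the ARP proxy and timed gateway detection of 7.2, and the IPv6 isolation option; it is not code from the S2300 or from Huawei. The MffVlan and Frame classes, the user_port_action and proxy_arp_reply functions and the sample VLAN (which reuses the addresses from the display output in 7.3.10) are constructed for this illustration; the page does not describe how the switch represents this state internally.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

ETH_IPV4, ETH_ARP, ETH_IPV6, ETH_EAPOL = 0x0800, 0x0806, 0x86DD, 0x888E
IP_PROTO_IGMP, IP_PROTO_UDP = 2, 17


@dataclass
class MffVlan:
    """Per-VLAN MFF state (constructed model): the gateway, static or learned, the user
    list populated from DHCP snooping, and whether IPv6 isolation (7.3.9) is on."""
    gateway_ip: str
    gateway_mac: Optional[str] = None                     # None until learned
    users: Dict[str, str] = field(default_factory=dict)   # user IP -> user MAC
    ipv6_isolate: bool = False


@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    ethertype: int
    ip_proto: Optional[int] = None
    udp_dport: Optional[int] = None


def is_group_address(mac):
    """True for broadcast and multicast destinations (I/G bit of the first octet)."""
    return int(mac[:2], 16) & 1 == 1


def is_dhcp(f):
    return f.ethertype == ETH_IPV4 and f.ip_proto == IP_PROTO_UDP and f.udp_dport in (67, 68)


def user_port_action(f, vlan):
    """What an MFF user interface does with one ingress frame, applying the rules of
    7.1 ('User interface') and 7.3.9. Returns 'cpu', 'forward' or 'drop'."""
    if f.ethertype == ETH_ARP or is_dhcp(f):
        return "cpu"                                   # ARP and DHCP go to the CPU
    if f.ethertype == ETH_EAPOL or (f.ethertype == ETH_IPV4 and f.ip_proto == IP_PROTO_IGMP):
        return "forward"                               # IGMP and EAPOL pass through
    if f.ethertype == ETH_IPV6:
        # Without ipv6-isolate the page says IPv6 is flooded in the VLAN and users can
        # learn each other's MAC; with it, IPv6 from users is discarded.
        return "drop" if vlan.ipv6_isolate else "forward"
    if is_group_address(f.dst_mac):
        return "drop"                                  # no broadcast/multicast from users
    if vlan.gateway_mac is None:
        return "drop"                                  # gateway MAC not learned: drop all
    # Only unicast addressed to the gateway leaves a user port; a frame addressed to
    # another user's MAC is dropped, which is the Layer 2 isolation MFF provides.
    return "forward" if f.dst_mac.lower() == vlan.gateway_mac.lower() else "drop"


def proxy_arp_reply(target_ip, vlan, ingress_is_user):
    """The ARP proxy of 7.2. On a user interface every request, whether for the gateway
    or for another user's IP, is answered with the gateway MAC, so even same-subnet
    traffic is sent to the gateway. On a network interface a request for a known user
    IP is answered with that user's real MAC. Returns (ip, mac) or None (no reply)."""
    if ingress_is_user:
        if vlan.gateway_mac is None:
            return None
        return (target_ip, vlan.gateway_mac)
    mac = vlan.users.get(target_ip)
    return (target_ip, mac) if mac else None


def gateway_probe(vlan):
    """Timed gateway detection (7.2, 7.3.6): the probe is an ARP request built with the
    IP and MAC of the first user in the MFF user list; with no users there is no probe."""
    if not vlan.users:
        return None
    sender_ip, sender_mac = next(iter(vlan.users.items()))
    return {"sender_ip": sender_ip, "sender_mac": sender_mac, "target_ip": vlan.gateway_ip}


# Constructed sample VLAN using the addresses from the display output in 7.3.10.
VLAN100 = MffVlan(
    gateway_ip="192.168.1.254",
    gateway_mac="00-02-00-02-00-01",
    users={"192.168.1.10": "00-01-00-01-00-01", "192.168.1.11": "00-01-00-01-00-02"},
    ipv6_isolate=True,
)

if __name__ == "__main__":
    u10 = "00-01-00-01-00-01"
    print(user_port_action(Frame("00-01-00-01-00-02", u10, ETH_IPV4, 6), VLAN100))  # drop
    print(user_port_action(Frame(VLAN100.gateway_mac, u10, ETH_IPV4, 6), VLAN100))  # forward
    print(proxy_arp_reply("192.168.1.11", VLAN100, True))   # answered with the gateway MAC
```

The model makes the security property explicit: a user-side frame addressed directly to another user's MAC is dropped even though both hosts share the subnet, and the ARP proxy never hands a user another user's MAC, so the gateway sees and can police every flow.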

Server Deployment on the Network


The IP address of the server can be the IP address of the DHCP server, the IP address of another server, or the virtual IP address of the VRRP group. If a network interface receives an ARP request whose source IP address is the IP address of the server, the interface responds to the ARP request as a gateway. That is, the packets sent from users are forwarded to the gateway, and then sent to the server. The packets sent by the server, however, are not forwarded to the gateway.

Discarding IPv6 Packets


The user-side interface of the MFF device S2300 can discard the IPv6 packets from users to prevent IPv6 packets from being broadcast on the VLAN. If the S2300 does not discard IPv6 packets, users can learn the MAC addresses of each other, and the MFF user isolation function will be invalid.
Transparently Transmitting User Status Detection Packets


If the gateway provides an accounting function, it needs to detect whether users are online. The MFF-enabled S2300 can transparently transmit user status detection packets so that the gateway becomes aware of user status changes immediately.

7.3 Configuring MFF


The MFF function isolates users at Layer 2 and forwards traffic through the gateway.
7.3.1 Establishing the Configuration Task
7.3.2 Enabling Global MFF
7.3.3 Configuring the MFF Network Interface
7.3.4 Enabling MFF in a VLAN
7.3.5 (Optional) Configuring the Static Gateway Address
7.3.6 (Optional) Enabling Timed Gateway Address Detection
7.3.7 (Optional) Setting the Server Address
7.3.8 (Optional) Transparently Transmitting User Status Detection Packets
7.3.9 (Optional) Discarding IPv6 Packets Sent from Users
7.3.10 Checking the Configuration

7.3.1 Establishing the Configuration Task


Applicable Environment
At the access layer of the Metro Ethernet, you can configure the MFF function to implement Layer 2 isolation between access users. The traffic between users is forwarded by the gateway at Layer 3. In this way, you can filter the user traffic, perform traffic scheduling based on policies, and charge users.

Pre-configuration Tasks
Before configuring basic MFF functions, complete the following tasks. If DHCP users exist, you need to perform the following operations:
- Enabling DHCP snooping
- Configuring the trusted interface of DHCP snooping

Data Preparation
To configure the MFF function, you need the following data.

1. VLAN ID of the MFF device
2. Type and number of the network interface to be configured
3. (Optional) IP address of the static gateway to be configured
4. (Optional) IP address of the server to be configured

7.3.2 Enabling Global MFF


Context
You can perform other MFF configurations only after enabling the global MFF.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
mac-forced-forwarding enable

The global MFF is enabled. By default, the global MFF is disabled.
----End

7.3.3 Configuring the MFF Network Interface


Context
The MFF function of a VLAN takes effect after you configure at least one network interface on the VLAN.
NOTE

This task can be performed before the global MFF is enabled; however, it takes effect only after the global MFF is enabled.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
interface interface-type interface-number

The interface view is displayed.
Step 3 Run:
mac-forced-forwarding network-port

The interface is configured as a network interface. By default, the interface is a user interface.
----End

7.3.4 Enabling MFF in a VLAN


Context
If an MFF-enabled network has multiple S2300s, at least one Network-to-Network Interface (NNI) must reside in the VLAN configured with MFF.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
vlan vlan-id

The VLAN view is displayed.
Step 3 Run:
mac-forced-forwarding enable

The MFF function is enabled for the VLAN. By default, the MFF function is disabled in a VLAN.
----End

7.3.5 (Optional) Configuring the Static Gateway Address


Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
vlan vlan-id

The VLAN view is displayed.
Step 3 Run:
mac-forced-forwarding static-gateway ip-address

The IP address of the static gateway is set.
----End

7.3.6 (Optional) Enabling Timed Gateway Address Detection


Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
vlan vlan-id

The VLAN view is displayed.
Step 3 Run:
mac-forced-forwarding gateway-detect

The timed gateway address detection is enabled. After the timed gateway address detection is enabled, the S2300 sends ARP packets periodically to detect the gateway. By default, the timed gateway address detection is disabled.
----End

7.3.7 (Optional) Setting the Server Address


Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
vlan vlan-id

The VLAN view is displayed.
Step 3 Run:
mac-forced-forwarding server server-ip &<1-10>

The IP address of the server deployed on the network is set.
----End

7.3.8 (Optional) Transparently Transmitting User Status Detection Packets


Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
vlan vlan-id

The VLAN view is displayed.
Step 3 Run:
mac-forced-forwarding user-detect_transparent

The gateway is allowed to detect online users by sending ARP request packets.
----End

7.3.9 (Optional) Discarding IPv6 Packets Sent from Users


Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
vlan vlan-id

The VLAN view is displayed.
Step 3 Run:
mac-forced-forwarding ipv6-isolate

The inbound interface of the MFF device is configured to discard the IPv6 packets from users. This prevents IPv6 packets from being broadcast on the VLAN.
----End

7.3.10 Checking the Configuration


Procedure
- Run the display mac-forced-forwarding network-port command to view the MFF network interface.
- Run the display mac-forced-forwarding vlan vlan-id command to view information about MFF users and the gateway on the VLAN.
----End

Example
Run the display mac-forced-forwarding network-port command, and you can see information about the network-side interface matching the MFF VLAN.
<Quidway> display mac-forced-forwarding network-port
--------------------------------------------------------------------------------
VLAN ID        Network-ports
--------------------------------------------------------------------------------
VLAN 10        Ethernet0/0/1  Ethernet0/0/2  Ethernet0/0/3
VLAN 100       Ethernet0/0/4  Ethernet0/0/5

Run the display mac-forced-forwarding vlan vlan-id command, and you can see information about MFF users and the gateway on the VLAN.
<Quidway> display mac-forced-forwarding vlan 100
Servers: 192.168.1.2  192.168.1.3
--------------------------------------------------------------------
User IP          User MAC             Gateway IP       Gateway MAC
--------------------------------------------------------------------
192.168.1.10     00-01-00-01-00-01    192.168.1.254    00-02-00-02-00-01
192.168.1.11     00-01-00-01-00-02    192.168.1.254    00-02-00-02-00-01
192.168.1.12     00-01-00-01-00-03    192.168.1.252    00-02-00-02-00-03
--------------------------------------------------------------------
[Vlan 100] MFF host total count = 3

7.4 Configuration Examples


This section provides a configuration example of MFF.

7.4.1 Example for Configuring MFF


Networking Requirements
As shown in Figure 7-1, all the user hosts obtain IP addresses through the DHCP server and all the devices are located in VLAN 10. To implement Layer 2 isolation and Layer 3 interconnection between the hosts, you need to configure the MFF function on Switch A and Switch B.

Figure 7-1 Networking diagram for configuring MFF
[Figure: DHCP server 10.10.10.1/24; Switch C; Switch B (GE0/0/1, GE0/0/2); Switch A (GE0/0/1, GE0/0/2, GE0/0/3, GE0/0/4); all devices are in VLAN 10.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure DHCP snooping.
2. Enable global MFF.
3. Configure the MFF network interfaces.
4. Enable MFF for the VLAN.
5. (Optional) Enable the function of timed gateway address detection.
6. (Optional) Configure the server.

Data Preparation
To complete the configuration, you need the following data:
- VLAN ID of the MFF device
- Type and number of the network interface to be configured
- (Optional) IP address of the server to be configured

Procedure
Step 1 Configure DHCP snooping.
# Enable global DHCP snooping on Switch A.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] dhcp enable
[SwitchA] dhcp snooping enable

# Enable DHCP snooping on the interfaces of the Switch A. Take the configuration on GE 0/0/1 as an example. The configurations on GE 0/0/2, GE 0/0/3, and GE 0/0/4 are similar to the configuration on GE 0/0/1 and are not mentioned here.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] dhcp snooping enable
[SwitchA-GigabitEthernet0/0/1] quit

# Set the status of interface GE 0/0/1 on Switch A to Trusted.


[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] dhcp snooping trusted
[SwitchA-GigabitEthernet0/0/1] quit

# Enable global DHCP snooping on Switch B.


<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] dhcp enable
[SwitchB] dhcp snooping enable

# Enable DHCP snooping on the interfaces of Switch B. Take the configuration on GE 0/0/1 as an example. The configuration on GE 0/0/2 is similar to the configuration on GE 0/0/1 and is not mentioned here.
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] dhcp snooping enable
[SwitchB-GigabitEthernet0/0/1] quit

# Set the status of interface GE 0/0/1 on Switch B to Trusted.


[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] dhcp snooping trusted
[SwitchB-GigabitEthernet0/0/1] quit

Step 2 Enable global MFF.
# Enable global MFF on Switch A.
[SwitchA] mac-forced-forwarding enable

# Enable global MFF on Switch B.
[SwitchB] mac-forced-forwarding enable

Step 3 Configure the MFF network interfaces.
# Configure GE 0/0/1 of Switch A as the network interface.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] mac-forced-forwarding network-port
[SwitchA-GigabitEthernet0/0/1] quit

# Configure GE 0/0/2 of Switch B as the network interface.
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] mac-forced-forwarding network-port
[SwitchB-GigabitEthernet0/0/2] quit

Step 4 Enable MFF for the VLAN.
# Enable MFF for VLAN 10 on Switch A.
[SwitchA] vlan 10
[SwitchA-vlan10] mac-forced-forwarding enable

# Enable MFF for VLAN 10 on Switch B.
[SwitchB] vlan 10
[SwitchB-vlan10] mac-forced-forwarding enable

Step 5 (Optional) Enable the function of timed gateway address detection.
# Enable the function of timed gateway address detection on Switch A.
[SwitchA-vlan10] mac-forced-forwarding gateway-detect

# Enable the function of timed gateway address detection on Switch B.
[SwitchB-vlan10] mac-forced-forwarding gateway-detect

Step 6 (Optional) Configure the server.
# Configure the server on Switch A.
[SwitchA-vlan10] mac-forced-forwarding server 10.10.10.1

# Configure the server on Switch B.
[SwitchB-vlan10] mac-forced-forwarding server 10.10.10.1

----End

Configuration Files
- Configuration file of Switch A
#
 sysname SwitchA
#
vlan 10
#
 dhcp enable
 dhcp snooping enable
 mac-forced-forwarding enable
#
vlan 10
 mac-forced-forwarding enable
 mac-forced-forwarding gateway-detect
 mac-forced-forwarding server 10.10.10.1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
 dhcp snooping enable
 dhcp snooping trusted
 mac-forced-forwarding network-port
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
 dhcp snooping enable
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 10
 dhcp snooping enable
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 10
 dhcp snooping enable
#
return

- Configuration file of Switch B
#
 sysname SwitchB
#
vlan 10
#
 dhcp enable
 dhcp snooping enable
 mac-forced-forwarding enable
#
vlan 10
 mac-forced-forwarding enable
 mac-forced-forwarding gateway-detect
 mac-forced-forwarding server 10.10.10.1
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
 dhcp snooping enable
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
 dhcp snooping enable
 mac-forced-forwarding network-port
#
return

8 Traffic Suppression Configuration

About This Chapter
This chapter describes the principle and configuration of traffic suppression.
8.1 Introduction to Traffic Suppression
This section describes the principle of traffic suppression.
8.2 Traffic Suppression Features Supported by the S2300
This section describes the traffic suppression features supported by the S2300.
8.3 Configuring Traffic Suppression
This section describes how to configure traffic suppression on a specified interface.
8.4 Configuration Examples
This section provides several configuration examples of traffic suppression.


8.1 Introduction to Traffic Suppression


This section describes the principle of traffic suppression.
Broadcast packets, multicast packets, and unknown unicast packets entering the S2300 are forwarded to all the interfaces in a VLAN. These three types of packets consume a large amount of bandwidth, reduce the bandwidth available to the system, and degrade normal forwarding and processing capabilities. The traffic suppression function limits the rate of such traffic entering an interface and protects the S2300 against these three types of traffic. It also preserves the available bandwidth and processing capabilities of the S2300 when traffic is abnormal.

8.2 Traffic Suppression Features Supported by the S2300


This section describes the traffic suppression features supported by the S2300.
The traffic suppression function can be configured on Ethernet interfaces of the S2300. The S2300 can suppress broadcast, multicast, and unknown unicast traffic.

8.3 Configuring Traffic Suppression


This section describes how to configure traffic suppression on a specified interface.
8.3.1 Establishing the Configuration Task
8.3.2 Configuring Traffic Suppression on an Interface
8.3.3 Checking the Configuration

8.3.1 Establishing the Configuration Task


Applicable Environment
To limit the rate of incoming broadcast, multicast, and unknown unicast packets on an interface and protect the device against traffic attacks, you can configure traffic suppression on the interface.

Pre-configuration Tasks
None

Data Preparation
To configure traffic suppression, you need the following data.

1. Type and number of the interface where traffic suppression needs to be configured
2. Type of traffic (broadcast, multicast, or unknown unicast traffic) that needs to be suppressed
3. Mode in which traffic is suppressed (rate percentage on a physical interface)
4. Limited rate, expressed as a bandwidth percentage

8.3.2 Configuring Traffic Suppression on an Interface


Context
Do as follows on the S2300 where traffic suppression needs to be configured.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
interface interface-type interface-number

The interface view is displayed.
Step 3 Run:
{ broadcast-suppression | multicast-suppression | unicast-suppression } percent-value

Traffic suppression is configured.
- To configure traffic suppression based on the bandwidth percentage, you must specify the percent-value parameter.
NOTE
- S2300SI does not support unicast-suppression. On the S2300SI, multicast-suppression suppresses both unknown unicast and multicast packets.
- If traffic suppression has been configured for a type of traffic on an interface and is configured again for the same type of traffic at a different rate, the latest configuration overrides the previous one.
----End
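The following Python model is added to show what the percent-value configured in Step 3 means for the frames an interface admits; it is not code from the S2300 or from Huawei, and the page does not document the hardware's measurement interval or burst allowance. The model classifies each frame by destination MAC (broadcast, multicast, unknown unicast, or known unicast, the last of which is never suppressed), meters the three suppressed classes with one token bucket each at percent-value of the interface rate, and reproduces the S2300SI note, where multicast-suppression also covers unknown unicast. The 10 ms bucket depth, the 100 Mbit/s link, the MAC table and the 70-frame burst are constructed assumptions.

```python
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def classify(dst_mac, mac_table):
    """Storm-control class of a frame from its destination MAC: broadcast, multicast,
    unknown-unicast (no MAC-table entry, so the switch would flood it in the VLAN) or
    known-unicast, which traffic suppression never touches."""
    mac = dst_mac.lower()
    if mac == BROADCAST_MAC:
        return "broadcast"
    if int(mac[:2], 16) & 1:
        return "multicast"
    return "known-unicast" if mac in mac_table else "unknown-unicast"


class TrafficSuppressor:
    """Per-class token buckets for one interface (constructed model). Each bucket's
    rate is percent-value of the interface rate, as the { broadcast-suppression |
    multicast-suppression | unicast-suppression } percent-value commands express it.
    A bucket depth of BURST_US worth of traffic is an assumption of this model."""
    BURST_US = 10_000   # 10 ms of traffic at the suppressed rate

    def __init__(self, link_bps, percents, si_model=False):
        # percents: {"broadcast": 80, "multicast": 80, "unknown-unicast": 80}
        if si_model and "unknown-unicast" in percents:
            raise ValueError("S2300SI does not support unicast-suppression")
        self.si_model = si_model
        self.rate_bits_per_us = {}
        self.tokens, self.last_us, self.dropped = {}, {}, {}
        for cls, pct in percents.items():
            rate = link_bps * pct // 100 // 1_000_000      # integer bits per microsecond
            self.rate_bits_per_us[cls] = rate
            self.tokens[cls] = rate * self.BURST_US         # start with a full bucket
            self.last_us[cls] = 0
            self.dropped[cls] = 0

    def admit(self, dst_mac, frame_bytes, now_us, mac_table):
        """Return True if the frame is forwarded, False if suppression drops it."""
        cls = classify(dst_mac, mac_table)
        if cls == "known-unicast":
            return True
        if cls == "unknown-unicast" and self.si_model:
            cls = "multicast"   # S2300SI: multicast-suppression also covers unknown unicast
        if cls not in self.rate_bits_per_us:
            return True         # no suppression configured for this class
        # Refill the bucket for the time elapsed, capped at the burst depth.
        elapsed = max(0, now_us - self.last_us[cls])
        depth = self.rate_bits_per_us[cls] * self.BURST_US
        self.tokens[cls] = min(depth, self.tokens[cls] + elapsed * self.rate_bits_per_us[cls])
        self.last_us[cls] = now_us
        bits = frame_bytes * 8
        if self.tokens[cls] >= bits:
            self.tokens[cls] -= bits
            return True
        self.dropped[cls] += 1
        return False


def offer(suppressor, frames, mac_table):
    """Feed (dst_mac, length_bytes, time_us) tuples, in order, through the suppressor
    and return (admitted, dropped) counts."""
    admitted = sum(1 for dst, n, t in frames if suppressor.admit(dst, n, t, mac_table))
    return admitted, len(frames) - admitted


# Constructed scenario: a 100 Mbit/s port configured like the 8.4.1 example (80% for
# all three classes) receives 70 maximum-size broadcast frames in one burst at t=0.
LINK_BPS = 100_000_000
PERCENTS = {"broadcast": 80, "multicast": 80, "unknown-unicast": 80}
MAC_TABLE = {"00:11:22:33:44:55"}   # constructed: one learned host on the VLAN
BROADCAST_BURST = [(BROADCAST_MAC, 1500, 0)] * 70

if __name__ == "__main__":
    s = TrafficSuppressor(LINK_BPS, PERCENTS)
    print("burst admitted/dropped:", offer(s, BROADCAST_BURST, MAC_TABLE))
    print("known unicast never suppressed:", s.admit("00:11:22:33:44:55", 1500, 0, MAC_TABLE))
```

Offering broadcast frames back to back at the full 100 Mbit/s line rate to this model admits roughly 80% of them once the initial burst allowance is used up, while a stream paced at exactly 80 Mbit/s passes untouched; that is the behaviour the 80 percent-value in 8.4.1 is meant to give.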

8.3.3 Checking the Configuration


Prerequisite
The configurations of traffic suppression are complete.

Procedure
- Run the display flow-suppression interface interface-type interface-number command to check the configuration of traffic suppression.

----End

Example
Run the display flow-suppression interface interface-type interface-number command, and you can view the configuration of traffic suppression on a specified interface.
<Quidway> display flow-suppression interface gigabitethernet 0/0/1
 storm type        rate mode     set rate value
-------------------------------------------------------------------------------
 unknown-unicast   percent       percent: 80%
 multicast         percent       percent: 80%
 broadcast         percent       percent: 80%
-------------------------------------------------------------------------------

8.4 Configuration Examples


This section provides several configuration examples of traffic suppression.

8.4.1 Example for Configuring Traffic Suppression


Networking Requirements
As shown in Figure 8-1, the Switch is connected to the Layer 2 network and the Layer 3 router. To limit the number of broadcast, multicast, or unknown unicast packets forwarded on the Layer 2 network, you can configure traffic suppression on GE 0/0/1.
Figure 8-1 Networking diagram for configuring traffic suppression
[Figure: L2 network -- GE0/0/1 -- Switch -- GE0/0/2 -- L3 network]

Configuration Roadmap
Configure traffic suppression in the interface view of GE 0/0/1.
Data Preparation
To complete the configuration, you need the following data:
- GE 0/0/1, where traffic suppression is configured
- Traffic suppression for broadcast, unknown unicast, and multicast packets based on the rate percentage
- Maximum rate of broadcast, unknown unicast, and multicast packets being 80 percent of the interface rate after traffic suppression is configured

Procedure
Step 1 Enter the interface view.
<Quidway> system-view
[Quidway] interface gigabitethernet 0/0/1

Step 2 Configure traffic suppression for broadcast packets.


[Quidway-GigabitEthernet0/0/1] broadcast-suppression 80

Step 3 Configure traffic suppression for multicast packets.


[Quidway-GigabitEthernet0/0/1] multicast-suppression 80

Step 4 Configure traffic suppression for unknown unicast packets.


[Quidway-GigabitEthernet0/0/1] unicast-suppression 80
NOTE

S2300SI does not support this command.

Step 5 Verify the configuration.
Run the display flow-suppression interface command, and you can view the configuration of traffic suppression on GE 0/0/1.
<Quidway> display flow-suppression interface gigabitethernet 0/0/1
storm type        rate mode       set rate value
-------------------------------------------------------------------------------
unknown-unicast   percent         percent: 80%
multicast         percent         percent: 80%
broadcast         percent         percent: 80%
-------------------------------------------------------------------------------

----End

Configuration Files
#
 sysname Quidway
#
interface gigabitethernet0/0/1
 unicast-suppression 80
 multicast-suppression 80
 broadcast-suppression 80
#
return


9 ACL Configuration

About This Chapter

The ACL classifies packets according to the rules. After these rules are applied to the interfaces on the S2300, the S2300 can determine which packets are accepted and which are rejected.
9.1 Introduction to the ACL
This section describes the basic concepts and parameters of an ACL.
9.2 Classification of ACLs Supported by the S2300
This section describes the classification of ACLs supported by the S2300.
9.3 Configuring an ACL
This section describes how to create an ACL, set the time range, configure the description of an ACL, and set the step of an ACL.
9.4 Configuring ACL6
This section describes how to configure basic ACL6 and advanced ACL6.
9.5 Configuration Examples
This section provides configuration examples of the ACL.


9.1 Introduction to the ACL


This section describes the basic concepts and parameters of an ACL.
To filter packets, a set of rules needs to be configured on the S2300 to determine which data packets can pass through. These rules are defined in an ACL. An ACL is an ordered series of rules composed of permit and deny clauses. The clauses match on the source address, destination address, port number, and other fields of a packet. The ACL classifies packets according to the rules. After these rules are applied to the S2300, the S2300 can determine which packets are accepted and which are rejected.

9.2 Classification of ACLs Supported by the S2300


This section describes the classification of ACLs supported by the S2300.
NOTE

In this manual, the ACL refers to the access control list that is used to filter IPv4 packets, and the ACL6 refers to the access control list that is used to filter IPv6 packets.

Classification of ACLs
The S2300 supports basic ACLs, advanced ACLs, and Layer 2 ACLs for IPv4 packets.
l Basic ACLs: classify and define data packets according to their source addresses, fragmentation flag, and effective time range.
l Advanced ACLs: classify and define data packets in more detail according to the source address, destination address, source port number, destination port number, protocol type, precedence, and effective time range.
l Layer 2 ACLs: classify and define data packets according to the source MAC address, destination MAC address, and protocol type.

The S2300 supports basic ACL6s and advanced ACL6s for IPv6 packets.
l A basic ACL6 can use the source IP address, fragmentation flag, and effective time range as the elements of rules.
l An advanced ACL6 can use the source IP address and destination IP address of data packets, the protocol type supported by IP, and features of the protocol such as the source port number and destination port number as the elements of rules.

Application of ACLs
ACLs defined on the S2300 can be applied in the following scenarios:
l Hardware-based application: The ACL is sent to the hardware. For example, when QoS is configured, the ACL is imported to classify packets. Note that when the ACL is imported by QoS, the packets matching an ACL rule in deny mode are discarded. If the action in the ACL is set to permit mode, the packets matching the ACL are processed by the S2300 according to the action defined by the traffic behavior in QoS. For details on the traffic behavior, see the Quidway S2300 Series Ethernet Switches Configuration Guide - QoS.
NOTE
The S2300SI does not support hardware-based ACL applications.
l Software-based application: The ACL is imported by the upper-layer software. For example, when the control function is configured for login users, the ACL is imported so that you can use it to control FTP, Telnet, and SSH users. When the S2300 functions as a TFTP client, you can configure an ACL to specify the TFTP servers that the S2300 can access through TFTP. When the ACL is imported by the upper-layer software, the packets matching the ACL are processed by the S2300 according to the deny or permit action defined in the ACL. For details on login user control, see the Quidway S2300 Series Ethernet Switches Configuration Guide - Basic Configurations.
NOTE

l When the ACL is sent to the hardware and is imported by QoS to classify packets, the S2300 does not process packets according to the action defined in the traffic behavior if the packets do not match the ACL rule.
l When the ACL is imported by the upper-layer software and is used to control FTP, Telnet, or SSH login users, the S2300 discards the packets if the packets do not match the ACL rule.

9.3 Configuring an ACL


This section describes how to create an ACL, set the time range, configure the description of an ACL, and set the step of an ACL.
9.3.1 Establishing the Configuration Task
Establishing the Configuration Task of ACL.
9.3.2 Creating an ACL
You can create an ACL based on the number or name.
9.3.3 (Optional) Setting the Time Range When an ACL Takes Effect
When a time range is specified for an ACL, the ACL takes effect only in this time range. If no time range is specified for the ACL, the ACL is always effective until it is deleted or the rules of the ACL are deleted.
9.3.4 (Optional) Configuring the Description of an ACL
You can configure the description of an ACL to describe the function of an ACL.
9.3.5 Configuring a Basic ACL
Basic ACLs can classify data packets based on the source IP address.
9.3.6 Configuring an Advanced ACL
Advanced ACLs can classify data packets based on the source IP address, destination IP address, source port number, destination port number, and protocol type.
9.3.7 Configuring a Layer 2 ACL
Layer 2 ACLs can classify data packets according to the link layer information including the source MAC address, source VLAN ID, Layer 2 protocol type, and destination MAC address.
9.3.8 (Optional) Setting the Step Between ACL Rules
The S2300 can automatically allocate numbers to ACL rules according to the step between ACL rules.
9.3.9 Checking the Configuration
Checking the Configuration of ACL.

9.3.1 Establishing the Configuration Task


Establishing the Configuration Task of ACL.

Applicable Environment
ACLs can be used in multiple services, such as routing policies and packet filtering, to distinguish the types of packets and process them accordingly.

Pre-configuration Tasks
None.

Data Preparation
To configure an ACL, you need the following data.
No.  Data
1    Number or name of the ACL
2    Name of the time range when the ACL takes effect, start time, and end time
3    Description of the ACL
4    Number of the ACL rule and the rule that identifies the type of packets, including protocol, source address, source port, destination address, destination port, the type and code of Internet Control Message Protocol (ICMP), IP precedence, and Type of Service (ToS) value
5    Step of the ACL

9.3.2 Creating an ACL


You can create an ACL based on the number or name.

Context
An ACL is composed of multiple lists of rules containing permit or deny clauses. Before creating an ACL rule, you need to create an ACL. To create an ACL, you need to specify the following parameters:
l When creating an ACL based on the number, you need to specify the ACL number. The ACL number specifies the type of an ACL. For example, an ACL with a number in the range 2000 to 2999 is a basic ACL, and an ACL with a number in the range 3000 to 3999 is an advanced ACL.
l When creating an ACL based on the name, you need to specify the ACL name. You can specify the number or type for a named ACL. If the number of a named ACL is not specified, the system automatically allocates a number to the named ACL.

Procedure
l Creating an ACL based on the number
1. Run:
system-view
The system view is displayed.
2. Run:
acl [ number ] acl-number
An ACL with the specified number is created. The number of a basic ACL ranges from 2000 to 2999. The number of an advanced ACL ranges from 3000 to 3999. The number of a Layer 2 ACL ranges from 4000 to 4999.
l Creating an ACL based on the name
1. Run:
system-view
The system view is displayed.
2. Run:
acl name acl-name [ advance | basic | link | acl-number ]
An ACL with the specified name is created. If the number of a named ACL is not specified, the S2300 automatically allocates a number to the named ACL. The following situations are involved:
l If the type of a named ACL is specified, the number the S2300 allocates to the named ACL is the maximum number of that type's range.
l If neither the number nor the type of a named ACL is specified, the S2300 treats the named ACL as an advanced ACL and allocates 3999 to it.
The S2300 does not allocate the same number to more than one named ACL.
----End

9.3.3 (Optional) Setting the Time Range When an ACL Takes Effect
When a time range is specified for an ACL, the ACL takes effect only in this time range. If no time range is specified for the ACL, the ACL is always effective until it is deleted or the rules of the ACL are deleted.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
time-range time-range-name { starting-time to ending-time days | from time1 date1 [ to time2 date2 ] }
A time range is set.



You can set the same name for multiple time ranges to describe a special period. For example, three time ranges are set with the same name test:
l Time range 1: 2009-01-01 00:00 to 2009-12-31 23:59, a definite time range
l Time range 2: 8:00-18:00 on Monday to Friday, a periodic time range
l Time range 3: 14:00-18:00 on Saturday and Sunday, a periodic time range
The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in the year 2009.
----End

9.3.4 (Optional) Configuring the Description of an ACL


You can configure the description of an ACL to describe the function of an ACL.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl acl-number
Or, run:
acl name acl-name
The ACL view is displayed.
Step 3 Run:
description description
The description of the ACL is configured. The description of an ACL is a string of up to 127 characters, describing the usage of the ACL. By default, no description is configured for an ACL.
----End

9.3.5 Configuring a Basic ACL


Basic ACLs can classify data packets based on the source IP address.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl [ number ] acl-number
A basic ACL is created based on the number. Or, run:
acl name acl-name [ basic | acl-number ]
A basic ACL is created based on the name. The number of a basic ACL ranges from 2000 to 2999.
Step 3 Run:
rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | time-range time-name ]*
An ACL rule is created.
----End

9.3.6 Configuring an Advanced ACL


Advanced ACLs can classify data packets based on the source IP address, destination IP address, source port number, destination port number, and protocol type.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl [ number ] acl-number
An advanced ACL is created based on the number. Or, run:
acl name acl-name [ advance | acl-number ]
An advanced ACL is created based on the name. The number of an advanced ACL ranges from 3000 to 3999.
Step 3 Run the following command as required:
l When protocol is specified as the Transmission Control Protocol (TCP), run:
rule [ rule-id ] { deny | permit } tcp [ destination { destination-address destination-wildcard | any } | destination-port { eq | gt | lt | range } port | dscp dscp | precedence precedence | source { source-address source-wildcard | any } | source-port { eq | gt | lt | range } port | tcp-flag { tcp-value | ack | fin | psh | rst | syn | urg }* | time-range time-name | tos tos ]*
An ACL rule is created.
l When protocol is specified as the User Datagram Protocol (UDP), run:
rule [ rule-id ] { deny | permit } udp [ destination { destination-address destination-wildcard | any } | destination-port { eq | gt | lt | range } port | dscp dscp | precedence precedence | source { source-address source-wildcard | any } | source-port { eq | gt | lt | range } port | time-range time-name | tos tos ]*
An ACL rule is created.
l When protocol is specified as ICMP, run:
rule [ rule-id ] { deny | permit } icmp [ destination { destination-address destination-wildcard | any } | dscp dscp | precedence precedence | source { source-address source-wildcard | any } | time-range time-name | tos tos ]*
An ACL rule is created.
l When protocol is specified as a protocol other than TCP, UDP, or ICMP, run:
rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | dscp dscp | precedence precedence | source { source-address source-wildcard | any } | time-range time-name | tos tos ]*
An ACL rule is created.
You can configure different advanced ACLs on the S2300 according to the protocol carried by IP. Different parameter combinations are available for different protocol types.
NOTE
dscp dscp and precedence precedence cannot be specified at the same time.
----End

9.3.7 Configuring a Layer 2 ACL


Layer 2 ACLs can classify data packets according to the link layer information including the source MAC address, source VLAN ID, Layer 2 protocol type, and destination MAC address.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl [ number ] acl-number
A Layer 2 ACL is created based on the number. Or, run:
acl name acl-name [ link | acl-number ]
A Layer 2 ACL is created based on the name. The number of a Layer 2 ACL ranges from 4000 to 4999.
Step 3 Run:
rule [ rule-id ] { permit | deny } [ { ether-ii | 802.3 | snap } | l2-protocol type-value [ type-mask ] | destination-mac dest-mac-address [ dest-mac-mask ] | source-mac source-mac-address [ source-mac-mask ] | vlan-id vlan-id [ vlan-id-mask ] | 8021p 802.1p-value ] * [ time-range time-range-name ]
An ACL rule is created.
----End

9.3.8 (Optional) Setting the Step Between ACL Rules


The S2300 can automatically allocate numbers to ACL rules according to the step between ACL rules.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl acl-number
Or, run:
acl name acl-name
The ACL view is displayed.
Step 3 Run:
step step-value
The step between ACL rules is set. When changing ACL configurations, pay attention to the following points:
l The undo step command restores the default step of an ACL and re-arranges the numbers of ACL rules.
l By default, the value of step-value is 5.
----End
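As an added example (not code from this guide or from Huawei), the following Python models the behaviour described in 9.3.5, 9.3.6 and 9.3.8 and the numbering of named ACLs in 9.3.2: wildcard matching of the source and destination operands, allocation of rule IDs from the step, first-match evaluation in rule-ID order, and the highest-number-first allocation for a named ACL created without a number. The packet dictionary layout, the Rule and Acl classes, the treatment of protocol "ip" as "any IP protocol", and the count-down order of named-ACL numbers are this example's own assumptions. One point worth checking against the example in 9.5.1: because the wildcard 0.0.0.255 marks the last octet as "don't care", rule permit source 10.0.0.2 0.0.0.255 matches every host in 10.0.0.0/24, which is exactly what the display acl output there shows (rule 5 permit source 10.0.0.0 0.0.0.255).

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional

# Number ranges that identify the ACL type (section 9.3.2).
RANGES = {"basic": (2000, 2999), "advanced": (3000, 3999), "link": (4000, 4999)}


def _addr_int(text: str) -> int:
    # The CLI prints an all-zero wildcard as a bare "0" (see display acl in 9.3.9).
    return int(text) if text.isdigit() else int(IPv4Address(text))


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """True when addr equals rule_addr on every bit the wildcard leaves as 0."""
    care = ~_addr_int(wildcard) & 0xFFFFFFFF
    return (_addr_int(addr) & care) == (_addr_int(rule_addr) & care)


def allocate_named_number(used: set, acl_type: Optional[str] = None) -> int:
    """Number for a named ACL created without one: top of the type's range,
    default type advanced (so 3999 first); assumed to count down when taken."""
    low, high = RANGES[acl_type or "advanced"]
    for number in range(high, low - 1, -1):
        if number not in used:
            used.add(number)
            return number
    raise RuntimeError("no free ACL number of that type")


@dataclass
class Rule:
    rule_id: int
    action: str                                            # "permit" or "deny"
    protocol: Optional[str] = None                         # None: basic ACL rule
    source: tuple = ("0.0.0.0", "255.255.255.255")         # "any"
    destination: tuple = ("0.0.0.0", "255.255.255.255")    # "any"
    destination_port: Optional[int] = None                 # destination-port eq port

    def matches(self, pkt: dict) -> bool:
        # Protocol "ip" is taken to mean any IP protocol, as in "rule 5 deny ip ...".
        return ((self.protocol in (None, "ip") or pkt.get("protocol") == self.protocol)
                and wildcard_match(pkt["src"], *self.source)
                and wildcard_match(pkt.get("dst", "0.0.0.0"), *self.destination)
                and (self.destination_port is None
                     or pkt.get("dport") == self.destination_port))


@dataclass
class Acl:
    number: int
    step: int = 5                      # default step (section 9.3.8)
    rules: list = field(default_factory=list)

    def kind(self) -> str:
        for name, (low, high) in RANGES.items():
            if low <= self.number <= high:
                return name
        raise ValueError(f"ACL number {self.number} is outside 2000-4999")

    def add_rule(self, action: str, rule_id: Optional[int] = None, **fields) -> Rule:
        if self.kind() == "basic" and set(fields) - {"source"}:
            raise ValueError("a basic ACL rule matches on the source address only")
        if rule_id is None:  # next multiple of the step above the highest rule ID
            top = max((r.rule_id for r in self.rules), default=0)
            rule_id = (top // self.step + 1) * self.step
        rule = Rule(rule_id, action, **fields)
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.rule_id)
        return rule

    def evaluate(self, pkt: dict) -> Optional[str]:
        """Action of the first matching rule in rule-ID order, or None when no rule matches."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return None

    def undo_step(self) -> None:
        """Like 'undo step': back to step 5 and renumber the rules 5, 10, 15, ..."""
        self.step = 5
        for position, rule in enumerate(self.rules, start=1):
            rule.rule_id = position * self.step
```

A packet that matches no rule yields None rather than an action; what the switch does with it then depends on the application, as the NOTE under 9.2 describes (QoS applies no traffic behavior, login-user control discards the packet).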

9.3.9 Checking the Configuration


Checking the Configuration of ACL.

Prerequisite
The configurations of the ACL are complete.

Procedure
l Run the display acl { acl-number | all } command to check the ACL rule based on the number.
l Run the display acl name acl-name command to check the ACL rule based on the name.
l Run the display time-range { all | time-name } command to check the time range.

----End

Example
# Run the display acl command, and you can view the ACL number, rule IDs, step, and rule contents.
<Quidway> display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 5
 rule 5 deny ip source 10.1.1.1 0

# Run the display acl name command, and you can view the ACL name, ACL number, rule quantity, step, and rule contents.
<Quidway> display acl name test
Advanced ACL test 3999, 1 rule
Acl's step is 5
 rule 5 permit tcp

# Run the display time-range command, and you can view the configuration and status of the current time range.
<Quidway> display time-range all
Current time is 14:19:16 12-4-2008 Tuesday

Time-range : time1 ( Inactive )
 10:00 to 12:00 daily
 from 09:09 2008/9/9 to 23:59 2099/12/31

9.4 Configuring ACL6


This section describes how to configure basic ACL6 and advanced ACL6.
9.4.1 Establishing the Configuration Task
Establishing the Configuration Task of ACL6.
9.4.2 Creating an ACL6
You can create an ACL6 based on the number or name.
9.4.3 (Optional) Creating the Time Range of the ACL6
When a time range is specified for the ACL6, the ACL6 takes effect only in this time range. If no time range is specified for the ACL6, the ACL6 is always effective until it is deleted or the rules of the ACL6 are deleted.
9.4.4 Configuring a Basic ACL6
Basic ACL6s can classify data packets based on the source IP address.
9.4.5 Configuring an Advanced ACL6
Advanced ACL6s can classify data packets based on the source IP address, destination IP address, source port number, destination port number, and protocol type.
9.4.6 Checking the Configuration
Checking the configuration of the ACL6s.

9.4.1 Establishing the Configuration Task


Establishing the Configuration Task of ACL6.

Applicable Environment
An ACL6 can be applied to the following tasks:
l Configuring the packet filtering policy
l Configuring policy-based routing
l Configuring a routing policy

Pre-configuration Tasks
None


Data Preparation
To configure an ACL6, you need the following data.
No.  Data
1    Number or name of the ACL6
2    (Optional) Name of the time range during which the ACL6 is valid and the start time and end time of the time range
3    Number of the ACL6 and the rule of identifying the packet type, including protocol type, source address and source interface, destination address and destination interface, ICMPv6 type and code, precedence, and ToS

9.4.2 Creating an ACL6


You can create an ACL6 based on the number or name.

Context
To create an ACL6, you need to specify a number that identifies the ACL6 type. For example, an ACL6 with a number in the range 2000 to 2999 is a basic ACL6, and an ACL6 with a number in the range 3000 to 3999 is an advanced ACL6.

Procedure
l Creating an ACL6 based on the number
1. Run:
system-view
The system view is displayed.
2. Run:
acl ipv6 [ number ] acl6-number
An ACL6 is created based on the number. The number of a basic ACL6 ranges from 2000 to 2999. The number of an advanced ACL6 ranges from 3000 to 3999.
l Creating an ACL6 based on the name
1. Run:
system-view
The system view is displayed.
2. Run:
acl ipv6 name acl6-name [ advance | basic | acl6-number ]
An ACL6 is created based on the name. If the number of a named ACL6 is not specified, the S2300 automatically allocates a number to the named ACL6. The following situations are involved:
l If the type of a named ACL6 is specified, the number the S2300 allocates to the named ACL6 is the maximum number of that type's range.
l If neither the number nor the type of a named ACL6 is specified, the S2300 treats the named ACL6 as an advanced ACL6 and allocates 3999 to it.
The S2300 does not allocate the same number to more than one named ACL6.
----End

9.4.3 (Optional) Creating the Time Range of the ACL6


When a time range is specified for the ACL6, the ACL6 takes effect only in this time range. If no time range is specified for the ACL6, the ACL6 is always effective until it is deleted or the rules of the ACL6 are deleted.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }
The time range is created.
You can set the same name for multiple time ranges to describe a special period. For example, three time ranges are set with the same name, that is, test.
l Time range 1: 2009-01-01 00:00 to 2009-12-31 23:59
l Time range 2: 8:00-18:00 on Monday to Friday
l Time range 3: 14:00-18:00 on Saturday and Sunday
The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in the year 2009.
----End
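The way same-named entries combine, as stated in 9.3.3 and in this section, is easy to get wrong when an ACL is meant to close a window rather than open one, so here is an added Python model of it (not code from this guide or from Huawei). It assumes that a named time range is active only when the current time lies inside at least one of its absolute entries (if any are configured) and inside at least one of its periodic entries (if any are configured); the day keywords it understands (working-day, off-day, daily, Mon to Sun), the default end of an open-ended absolute entry, and the "YYYY-MM-DD HH:MM:SS" form taken by status() are this example's own assumptions. It reproduces the "test" example above and the Inactive verdicts shown by display time-range in 9.3.9 and 9.4.6.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Day keywords modelled here (an assumption about the CLI's vocabulary).
_DAY_KEYWORDS = {
    "working-day": range(0, 5), "off-day": range(5, 7), "daily": range(0, 7),
    "mon": [0], "tue": [1], "wed": [2], "thu": [3], "fri": [4], "sat": [5], "sun": [6],
}


def _parse_days(days: str) -> frozenset:
    result = set()
    for word in days.split():
        result.update(_DAY_KEYWORDS[word.lower()])
    return frozenset(result)


@dataclass
class Absolute:              # from time1 date1 [ to time2 date2 ]
    start: datetime
    end: datetime

    def contains(self, now: datetime) -> bool:
        return self.start <= now <= self.end


@dataclass
class Periodic:              # starting-time to ending-time days
    start: time
    end: time
    days: frozenset          # weekday numbers, Monday == 0

    def contains(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start <= now.time() <= self.end


class TimeRange:
    """All entries configured under one time-range name."""

    def __init__(self, name: str):
        self.name = name
        self.absolute = []
        self.periodic = []

    def add_absolute(self, start: str, end: str = "23:59 2099/12/31") -> None:
        # Operands in CLI form, e.g. "09:09 2008/9/9". The default end is assumed
        # from the display output in 9.3.9, where a range runs to 23:59 2099/12/31.
        fmt = "%H:%M %Y/%m/%d"
        self.absolute.append(Absolute(datetime.strptime(start, fmt), datetime.strptime(end, fmt)))

    def add_periodic(self, start: str, end: str, days: str) -> None:
        fmt = "%H:%M"
        self.periodic.append(Periodic(datetime.strptime(start, fmt).time(),
                                      datetime.strptime(end, fmt).time(), _parse_days(days)))

    def is_active(self, now: datetime) -> bool:
        # Active only if inside some absolute entry (when any are configured)
        # and inside some periodic entry (when any are configured).
        absolute_ok = not self.absolute or any(a.contains(now) for a in self.absolute)
        periodic_ok = not self.periodic or any(p.contains(now) for p in self.periodic)
        return absolute_ok and periodic_ok

    def status(self, stamp: str) -> str:
        """'Active' or 'Inactive', as display time-range words it, for 'YYYY-MM-DD HH:MM:SS'."""
        now = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        return "Active" if self.is_active(now) else "Inactive"


def build_test_range() -> TimeRange:
    """The three same-named entries this section uses as its example."""
    test = TimeRange("test")
    test.add_absolute("00:00 2009/01/01", "23:59 2009/12/31")
    test.add_periodic("8:00", "18:00", "working-day")   # Monday to Friday
    test.add_periodic("14:00", "18:00", "off-day")      # Saturday and Sunday
    return test
```

The practical consequence for a rule such as the salary-server restriction in 9.5.2: a deny rule bound to a time range stops applying the moment the range goes Inactive, so the absolute and periodic parts must be checked together, which is what display time-range reports.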

9.4.4 Configuring a Basic ACL6


Basic ACL6s can classify data packets based on the source IP address.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl ipv6 [ number ] acl6-number
A basic ACL6 is created based on the number. Or, run:
acl ipv6 name acl6-name [ advance | basic | acl6-number ]
A basic ACL6 is created based on the name. The number of a basic ACL6 ranges from 2000 to 2999.
Step 3 Run:
rule [ rule-id ] { deny | permit } [ source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name ] *
The rule of the ACL6 is configured.
----End

9.4.5 Configuring an Advanced ACL6


Advanced ACL6s can classify data packets based on the source IP address, destination IP address, source port number, destination port number, and protocol type.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl ipv6 [ number ] acl6-number
An advanced ACL6 is created based on the number. Or, run:
acl ipv6 name acl6-name [ advance | basic | acl6-number ]
An advanced ACL6 is created based on the name. The number of an advanced ACL6 ranges from 3000 to 3999.
Step 3 Perform the following steps as required to configure rules for the ACL6:
You can configure the advanced ACL6 on the S2300 according to the type of the protocol carried by IP. The parameters vary according to the protocol type.
l When protocol is TCP, run:
rule [ rule-id ] { deny | permit } { tcp | protocol } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | destination-port { eq | gt | lt | range } port | dscp dscp | fragment | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | source-port { eq | gt | lt | range } port | tcp-flag { tcp-value | ack | fin | psh | rst | syn | urg } * | time-range time-name | tos tos ]*
l When protocol is UDP, run:
rule [ rule-id ] { deny | permit } { udp | protocol } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | destination-port { eq | gt | lt | range } port | dscp dscp | fragment | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | source-port { eq | gt | lt | range } port | time-range time-name | tos tos ]*
l When protocol is ICMPv6, run:
rule [ rule-id ] { deny | permit } { icmpv6 | protocol } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | dscp dscp | fragment | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | tos tos ]*
l When protocol is not TCP, UDP, or ICMPv6, run:
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | dscp dscp | fragment | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | tos tos ]*
----End
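The three address forms that the rule syntax in 9.4.4 and 9.4.5 accepts for source and destination ("address prefix-length", "address/prefix-length" and "address postfix postfix-length", plus "any") are modelled below as an added Python example (not code from this guide or from Huawei). The two prefix forms are plain longest-prefix containment; the postfix form is modelled as comparing the trailing postfix-length bits of the address, which is this editor's reading of the keyword and should be checked against the command reference before relying on it. The tuple layout of the rules, first-match evaluation in ascending rule-ID order, and the constructed sample rule set are this example's own assumptions.

```python
from ipaddress import IPv6Address, IPv6Network
from typing import Callable, Optional


def address_matcher(spec: str) -> Callable[[str], bool]:
    """Build a predicate from the textual operand of source or destination."""
    parts = spec.split()
    if parts == ["any"]:
        return lambda _addr: True
    if len(parts) == 1 and "/" in parts[0]:                 # addr/prefix-length
        network = IPv6Network(parts[0], strict=False)
        return lambda addr: IPv6Address(addr) in network
    if len(parts) == 2:                                      # addr prefix-length
        network = IPv6Network(f"{parts[0]}/{parts[1]}", strict=False)
        return lambda addr: IPv6Address(addr) in network
    if len(parts) == 3 and parts[1] == "postfix":            # addr postfix postfix-length
        # Assumed semantics: only the low postfix-length bits are compared, so the
        # same interface identifier matches whatever /64 it currently sits in.
        low_bits = (1 << int(parts[2])) - 1
        wanted = int(IPv6Address(parts[0])) & low_bits
        return lambda addr: (int(IPv6Address(addr)) & low_bits) == wanted
    raise ValueError(f"unrecognised address operand: {spec!r}")


def compile_rules(rules: list) -> list:
    """rules: (rule_id, action, protocol, source_spec, destination_spec) tuples.
    protocol None means the rule applies to every protocol."""
    compiled = []
    for rule_id, action, protocol, src, dst in sorted(rules, key=lambda r: r[0]):
        compiled.append((rule_id, action, protocol, address_matcher(src), address_matcher(dst)))
    return compiled


def evaluate(compiled: list, pkt: dict) -> Optional[str]:
    """Action of the first matching rule in rule-ID order, or None when nothing matches."""
    for _rule_id, action, protocol, src_ok, dst_ok in compiled:
        if protocol not in (None, pkt.get("protocol")):
            continue
        if src_ok(pkt["src"]) and dst_ok(pkt["dst"]):
            return action
    return None


# Constructed sample rule set: keep one department's /64 away from one server over
# TCP, let the rest through. Rule 5 is listed second to show that the ID, not the
# configuration order, decides precedence.
SAMPLE_RULES = compile_rules([
    (10, "permit", "tcp", "any", "any"),
    (5, "deny", "tcp", "2001:db8:3::/64", "2001:db8::9 128"),
])
```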

9.4.6 Checking the Configuration


Checking the configuration of the ACL6s.

Prerequisite
The configurations of the ACL6 are complete.

Procedure
l Run the display acl ipv6 { acl6-number | all } command to check the ACL6 rule based on the number.
l Run the display acl ipv6 name acl6-name command to check the ACL6 rule based on the name.
l Run the display time-range { all | time-name } command to view information about the time range.

----End

Example
# Run the display acl ipv6 command, and you can view the ACL6 number, rule IDs, and rule contents.
<Quidway> display acl ipv6 2002
Basic IPv6 ACL 2002, 2 rules
 rule 0 permit time-range time1
 rule 1 permit

# Run the display acl ipv6 name command, and you can view the ACL6 name, ACL6 number, rule quantity, and rule contents.
<Quidway> display acl ipv6 name test
Advanced IPv6 ACL 3999 name test, 1 rule
 rule 0 permit udp

# Run the display time-range command, and you can see the configuration and status of the current time range.
<Quidway> display time-range all
Current time is 09:33:31 5-21-2009 Thursday

Time-range : time1 ( Inactive )
 12:00 to 23:00 working-day

9.5 Configuration Examples


This section provides configuration examples of the ACL.
9.5.1 Example for Configuring a Basic ACL
9.5.2 Example for Configuring an Advanced ACL
9.5.3 Example for Configuring a Layer 2 ACL
9.5.4 Example for Configuring an ACL6 to Control FTP User Access

9.5.1 Example for Configuring a Basic ACL


Networking Requirements
As shown in Figure 9-1, GE 0/0/1 of the Switch is connected to the user, and GE 0/0/2 is connected to the upstream router. It is required that the Switch does not trust the packets from user A whose IP address is 10.0.0.2/24.

Figure 9-1 Networking diagram for configuring a basic ACL
[Figure 9-1: PC A (IP: 10.0.0.2/24) -- GE0/0/1 -- Switch -- GE0/0/2 -- PC B]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the ACL.
2. Configure the traffic classifier.
3. Configure the traffic behavior.
4. Configure the traffic policy.
5. Apply the traffic policy to an interface.

Data Preparation
To complete the configuration, you need the following data:
l ACL number
l IP address of user A
l Names of traffic classifier, traffic behavior, and traffic policy
l Interface where the traffic policy is applied

Procedure
Step 1 Configure the traffic classifier that is based on the ACL rules.
# Define the ACL rules.
[Quidway] acl 2000
[Quidway-acl-basic-2000] rule permit source 10.0.0.2 0.0.0.255
[Quidway-acl-basic-2000] quit

# Configure the traffic classifier and define the ACL rules.


[Quidway] traffic classifier tc1
[Quidway-classifier-tc1] if-match acl 2000
[Quidway-classifier-tc1] quit

Step 2 Configure the traffic behavior.


[Quidway] traffic behavior tb1
[Quidway-behavior-tb1] deny
[Quidway-behavior-tb1] quit

Step 3 Configure the traffic policy. # Define the traffic policy and associate the traffic classifier and traffic behavior with the traffic policy.
[Quidway] traffic policy tp1
[Quidway-trafficpolicy-tp1] classifier tc1 behavior tb1
[Quidway-trafficpolicy-tp1] quit

# Apply the traffic policy to GE 0/0/1.


[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] traffic-policy tp1 inbound
[Quidway-GigabitEthernet0/0/1] quit

Step 4 Verify the configuration. # Check the configuration of the ACL rules.
<Quidway> display acl 2000
Basic ACL 2000, 1 rule
Acl's step is 5
 rule 5 permit source 10.0.0.0 0.0.0.255

# Check the configuration of the traffic classifier.


<Quidway> display traffic classifier user-defined
User Defined Classifier Information:
 Classifier: tc1
  Operator: AND
  Rule(s) : if-match acl 2000

# Check the configuration of the traffic policy.


<Quidway> display traffic policy user-defined tp1
User Defined Traffic Policy Information:
 Policy: tp1
  Classifier: tc1
   Operator: AND
   Behavior: tb1
    Deny

----End

Configuration Files
#
acl number 2000
 rule 5 permit source 10.0.0.0 0.0.0.255
#
traffic classifier tc1 operator and
 if-match acl 2000
#
traffic behavior tb1
 deny
#
traffic policy tp1
 classifier tc1 behavior tb1
#
interface GigabitEthernet0/0/1
 traffic-policy tp1 inbound
#
return

9.5.2 Example for Configuring an Advanced ACL


Networking Requirements
As shown in Figure 9-2, the departments of the company are connected through the Switches. It is required that the IPv4 ACL be configured correctly. The personnel of the R&D department and marketing department cannot access the salary query server at 10.164.9.9 from 8:00 to 17:30, whereas the personnel of the president's office can access the server at any time.

Figure 9-2 Networking diagram for configuring IPv4 ACLs
[Figure 9-2: Switch; Ethernet 0/0/4 to the salary query server 10.164.9.9; Ethernet 0/0/1 to the president's office 10.164.1.0/24; Ethernet 0/0/2 to the marketing department 10.164.2.0/24; Ethernet 0/0/3 to the R&D department 10.164.3.0/24]

Configuration Roadmap
The configuration roadmap is as follows:
1. Assign IP addresses to interfaces.
2. Configure the time range.
3. Configure the ACL.
4. Configure the traffic classifier.
5. Configure the traffic behavior.
6. Configure the traffic policy.
7. Apply the traffic policy to an interface.

Data Preparation
To complete the configuration, you need the following data:
- VLAN that the interface belongs to
- Name of the time range
- ACL ID and rules
- Name of the traffic classifier and classification rules
- Name of the traffic behavior and actions
- Name of the traffic policy, and traffic classifier and traffic behavior associated with the traffic policy
- Interface that a traffic policy is applied to

Procedure
Step 1 Assign IP addresses to interfaces.

# Add interfaces to the VLAN and assign IP addresses to the VLANIF interfaces. Add Ethernet 0/0/1, Ethernet 0/0/2, and Ethernet 0/0/3 to VLAN 10, VLAN 20, and VLAN 30 respectively, and add Ethernet 0/0/4 to VLAN 100. The first IP address of the network segment is taken as the address of the VLANIF interface. Take Ethernet 0/0/1 as an example. The configurations of the other interfaces are similar to that of Ethernet 0/0/1 and are not shown here.

<Quidway> system-view
[Quidway] vlan batch 10 20 30 100
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] port link-type access
[Quidway-Ethernet0/0/1] port default vlan 10
[Quidway-Ethernet0/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.164.1.1 255.255.255.0
[Quidway-Vlanif10] quit

Step 2 Configure the time range.

# Configure the time range from 8:00 to 17:30.

<Quidway> system-view
[Quidway] time-range satime 8:00 to 17:30 working-day


Step 3 Configure ACLs.

# Configure the ACL that controls access from the marketing department to the salary query server.

[Quidway] acl 3002
[Quidway-acl-adv-3002] rule deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime
[Quidway-acl-adv-3002] quit

# Configure the ACL that controls access from the R&D department to the salary query server.

[Quidway] acl 3003
[Quidway-acl-adv-3003] rule deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime
[Quidway-acl-adv-3003] quit

Step 4 Configure ACL-based traffic classifiers.

# Configure the traffic classifier c_market to classify the packets that match ACL 3002.

[Quidway] traffic classifier c_market
[Quidway-classifier-c_market] if-match acl 3002
[Quidway-classifier-c_market] quit

# Configure the traffic classifier c_rd to classify the packets that match ACL 3003.

[Quidway] traffic classifier c_rd
[Quidway-classifier-c_rd] if-match acl 3003
[Quidway-classifier-c_rd] quit

Step 5 Configure traffic behaviors.

# Configure the traffic behavior b_market to reject packets.

[Quidway] traffic behavior b_market
[Quidway-behavior-b_market] deny
[Quidway-behavior-b_market] quit

# Configure the traffic behavior b_rd to reject packets.

[Quidway] traffic behavior b_rd
[Quidway-behavior-b_rd] deny
[Quidway-behavior-b_rd] quit

Step 6 Configure traffic policies.

# Configure the traffic policy p_market and associate the traffic classifier c_market and the traffic behavior b_market with the traffic policy.

[Quidway] traffic policy p_market
[Quidway-trafficpolicy-p_market] classifier c_market behavior b_market
[Quidway-trafficpolicy-p_market] quit

# Configure the traffic policy p_rd and associate the traffic classifier c_rd and the traffic behavior b_rd with the traffic policy.

[Quidway] traffic policy p_rd
[Quidway-trafficpolicy-p_rd] classifier c_rd behavior b_rd
[Quidway-trafficpolicy-p_rd] quit

Step 7 Apply the traffic policy.

# Apply the traffic policy p_market to Ethernet 0/0/2.

[Quidway] interface ethernet 0/0/2
[Quidway-Ethernet0/0/2] traffic-policy p_market inbound
[Quidway-Ethernet0/0/2] quit

# Apply the traffic policy p_rd to Ethernet 0/0/3.

[Quidway] interface ethernet 0/0/3
[Quidway-Ethernet0/0/3] traffic-policy p_rd inbound
[Quidway-Ethernet0/0/3] quit

Step 8 Verify the configuration.

# Check the configuration of ACL rules.

<Quidway> display acl all
 Total nonempty ACL number is 2

Advanced ACL 3002, 1 rule
Acl's step is 5
 rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime (Inactive)

Advanced ACL 3003, 1 rule
Acl's step is 5
 rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime (Inactive)

# Check the configuration of the traffic classifier.

<Quidway> display traffic classifier user-defined
User Defined Classifier Information:
 Classifier: c_market
  Operator: AND
  Rule(s) : if-match acl 3002
 Classifier: c_rd
  Operator: AND
  Rule(s) : if-match acl 3003

# Check the configuration of the traffic policy.

<Quidway> display traffic policy user-defined
User Defined Traffic Policy Information:
 Policy: p_market
  Classifier: c_market
   Operator: AND
   Behavior: b_market
    Deny
 Policy: p_rd
  Classifier: c_rd
   Operator: AND
   Behavior: b_rd
    Deny

----End

Configuration Files
#
 sysname Quidway
#
vlan batch 10 20 30 40 100
#
time-range satime 08:00 to 17:30 working-day
#
acl number 3002
 rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
#
acl number 3003
 rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
#
traffic classifier c_market operator or
 if-match acl 3002
traffic classifier c_rd operator or
 if-match acl 3003
#
traffic behavior b_market
 deny
traffic behavior b_rd
 deny
#
traffic policy p_market
 classifier c_market behavior b_market
traffic policy p_rd
 classifier c_rd behavior b_rd
#
interface Vlanif10
 ip address 10.164.1.1 255.255.255.0
#
interface Vlanif20
 ip address 10.164.2.1 255.255.255.0
#
interface Vlanif30
 ip address 10.164.3.1 255.255.255.0
#
interface Vlanif100
 ip address 10.164.9.1 255.255.255.0
#
interface Ethernet0/0/1
 port link-type access
 port default vlan 10
#
interface Ethernet0/0/2
 port link-type access
 port default vlan 20
 traffic-policy p_market inbound
#
interface Ethernet0/0/3
 port link-type access
 port default vlan 30
 traffic-policy p_rd inbound
#
interface Ethernet0/0/4
 port link-type access
 port default vlan 100
#
return

9.5.3 Example for Configuring a Layer 2 ACL


Networking Requirements
As shown in Figure 9-3, the Switch that functions as the gateway is connected to the PC. It is required that an ACL be configured to prevent packets with the source MAC address 00e0-f201-0101 and the destination MAC address 0260-e207-0002 from passing through.

Figure 9-3 Networking diagram for configuring layer 2 ACLs (figure: Switch with GE0/0/1 on the PC side, MAC address 00e0-f201-0101, and GE0/0/2 toward the IP network)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the ACL.
2. Configure the traffic classifier.
3. Configure the traffic behavior.
4. Configure the traffic policy.
5. Apply the traffic policy to an interface.

Data Preparation
To complete the configuration, you need the following data:
- ACL ID and rules
- Name of the traffic classifier and classification rules
- Name of the traffic behavior and actions
- Name of the traffic policy, and traffic classifier and traffic behavior associated with the traffic policy
- Interface that a traffic policy is applied to

Procedure
Step 1 Configure an ACL.

# Configure the required layer 2 ACL.

[Quidway] acl 4000
[Quidway-acl-L2-4000] rule deny source-mac 00e0-f201-0101 ffff-ffff-ffff destination-mac 0260-e207-0002 ffff-ffff-ffff
[Quidway-acl-L2-4000] quit

Step 2 Configure the traffic classifier that is based on the ACL.

# Configure the traffic classifier tc1 to classify packets that match ACL 4000.

[Quidway] traffic classifier tc1
[Quidway-classifier-tc1] if-match acl 4000
[Quidway-classifier-tc1] quit

Step 3 Configure the traffic behavior.

# Configure the traffic behavior tb1 to reject packets.

[Quidway] traffic behavior tb1
[Quidway-behavior-tb1] deny
[Quidway-behavior-tb1] quit

Step 4 Configure the traffic policy.

# Configure the traffic policy tp1 and associate tc1 and tb1 with the traffic policy.

[Quidway] traffic policy tp1
[Quidway-trafficpolicy-tp1] classifier tc1 behavior tb1
[Quidway-trafficpolicy-tp1] quit

Step 5 Apply the traffic policy.

# Apply the traffic policy tp1 to GE 0/0/1.

[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] traffic-policy tp1 inbound
[Quidway-GigabitEthernet0/0/1] quit

Step 6 Verify the configuration.

# Check the configuration of ACL rules.

<Quidway> display acl 4000
L2 ACL 4000, 1 rule
Acl's step is 5
 rule 5 deny destination-mac 0260-e207-0002 source-mac 00e0-f201-0101

# Check the configuration of the traffic classifier.

<Quidway> display traffic classifier user-defined
User Defined Classifier Information:
 Classifier: tc1
  Operator: AND
  Rule(s) : if-match acl 4000

# Check the configuration of the traffic policy.

<Quidway> display traffic policy user-defined tp1
User Defined Traffic Policy Information:
 Policy: tp1
  Classifier: tc1
   Operator: AND
   Behavior: tb1
    Deny

----End

Configuration Files
#
 sysname Quidway
#
acl number 4000
 rule 5 deny destination-mac 0260-e207-0002 source-mac 00e0-f201-0101
#
traffic classifier tc1 operator and
 if-match acl 4000
#
traffic behavior tb1
 deny
#
traffic policy tp1
 classifier tc1 behavior tb1
#
interface GigabitEthernet0/0/1
 traffic-policy tp1 inbound
#
return

9.5.4 Example for Configuring an ACL6 to Control FTP User Access


Networking Requirements
As shown in Figure 9-4, the IP address of the switch that functions as the FTP server is 3002::1/64. The routes between PC1, PC2, and the FTP server are reachable. It is required that an ACL6 be configured on the FTP server to prohibit PC2 with IP address 3001::2/64 from downloading and uploading files through FTP.

Figure 9-4 Networking diagram for configuring an ACL6 to control FTP users (figure labels: VLAN 10, SwitchA, GE0/0/1, GE0/0/1, 3001::1/64, 3001::2/64, SwitchB, Loopback2 3002::2/64)

Configuration Roadmap
The configuration roadmap is as follows:
1. Perform basic configurations on the FTP server.
2. Configure a basic ACL6.
3. Bind the basic ACL6 to the FTP server.

Data Preparation
To complete the configuration, you need the following data:
- FTP user name and password configured on the FTP server
- Basic ACL6 number

Procedure
Step 1 Configure basic FTP functions.

See Example for Configuring the FTP Server.

Step 2 Configure a basic ACL6.

<Quidway> system-view
[Quidway] acl ipv6 number 2001
[Quidway-acl-basic-2001] rule deny source 3001::2/128
[Quidway-acl-basic-2001] quit


Step 3 Bind the basic ACL6 to the FTP server.

[Quidway] ftp ipv6 acl 2001

Step 4 Verify the configuration.

# Connect PC1 to the FTP server.

c:\ ftp 3002::1
Connected to 3002::1
220 FTP service ready.
User (3003::5:(none)):u1
331 Password required for u1
Password:
230 User logged in.
ftp>

# Connect PC2 to the FTP server.

c:\ ftp 3002::1
Connected to 3002::1
Info:ACL6 was denied by remote host!
Connection closed by remote host.

----End

Configuration Files
#
acl ipv6 number 2001
 rule 0 deny source 3001::2/128
#
 ftp ipv6 acl 2001
#
return
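The four ACL examples in 9.5 rely on three different address-match conventions: the IPv4 wildcard (9.5.1 and 9.5.2, where 0.0.0.255 covers a /24 and 0 selects one host), the Layer 2 MAC mask (9.5.3, where ffff-ffff-ffff selects one host, the opposite convention), and the IPv6 prefix length (9.5.4), plus the time-range that makes ACL 3002 and 3003 show as "(Inactive)" outside working hours. The Python model below is an added illustration written for this guide, not Huawei code; it reproduces those semantics and the page's rules, and assumes that working-day means Monday to Friday and that an inactive rule is skipped. The sample packets and timestamps are constructed.

```python
"""Model of the address-match and time-range semantics used by the ACL examples
in 9.5.1/9.5.2 (IPv4 wildcard + time-range), 9.5.3 (MAC mask) and 9.5.4 (IPv6 prefix).
Added illustration, not Huawei code."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, List, Optional

WORKING_DAYS = frozenset({0, 1, 2, 3, 4})  # Monday..Friday; assumed meaning of 'working-day'


@dataclass(frozen=True)
class TimeRange:
    """time-range satime 8:00 to 17:30 working-day"""
    start: time
    end: time
    weekdays: frozenset = WORKING_DAYS

    def active(self, now: datetime) -> bool:
        return now.weekday() in self.weekdays and self.start <= now.time() <= self.end


def ipv4_wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """IPv4 wildcard: a 1 bit means 'do not compare'. 0.0.0.255 covers a /24 and
    0 (0.0.0.0) selects exactly one host, as in 'destination 10.164.9.9 0'."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    w = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
    return ((a ^ r) & ~w & 0xFFFFFFFF) == 0


def ipv6_prefix_match(addr: str, rule_prefix: str) -> bool:
    """ACL6 rules carry a prefix length: 3001::2/128 selects a single host."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(rule_prefix, strict=False)


def _mac_int(mac: str) -> int:
    return int(mac.replace("-", ""), 16)


def mac_mask_match(mac: str, rule_mac: str, mask: str) -> bool:
    """Layer 2 ACL: the second value is a mask, a 1 bit means 'must compare'.
    ffff-ffff-ffff therefore selects exactly one MAC, the opposite convention
    to the IPv4 wildcard, which is why 'display acl 4000' omits the full mask."""
    return ((_mac_int(mac) ^ _mac_int(rule_mac)) & _mac_int(mask)) == 0


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    matches: Callable[[dict], bool]  # packet fields -> bool
    time_range: Optional[TimeRange] = None


def evaluate_acl(rules: List[Rule], packet: dict, when: str) -> Optional[str]:
    """First active matching rule wins. None means no rule matched, so this ACL
    does not classify the packet. A rule whose time-range is not active is
    skipped (display acl shows it as '(Inactive)')."""
    now = datetime.fromisoformat(when)
    for rule in rules:
        if rule.time_range is not None and not rule.time_range.active(now):
            continue
        if rule.matches(packet):
            return rule.action
    return None


# Replicas of the page's rules, built from the values in the configuration files.
SATIME = TimeRange(time(8, 0), time(17, 30))
ACL_3002 = [Rule("deny",
                 lambda p: ipv4_wildcard_match(p["src"], "10.164.2.0", "0.0.0.255")
                 and ipv4_wildcard_match(p["dst"], "10.164.9.9", "0"),
                 SATIME)]
ACL_4000 = [Rule("deny",
                 lambda p: mac_mask_match(p["src_mac"], "00e0-f201-0101", "ffff-ffff-ffff")
                 and mac_mask_match(p["dst_mac"], "0260-e207-0002", "ffff-ffff-ffff"))]
ACL6_2001 = [Rule("deny", lambda p: ipv6_prefix_match(p["src"], "3001::2/128"))]

if __name__ == "__main__":
    marketing = {"src": "10.164.2.57", "dst": "10.164.9.9"}   # constructed sample packet
    print(evaluate_acl(ACL_3002, marketing, "2011-05-20 10:00:00"))  # deny (Friday, in range)
    print(evaluate_acl(ACL_3002, marketing, "2011-05-21 10:00:00"))  # None (Saturday)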


10 ND Snooping Configuration

About This Chapter

Context
This chapter describes the principle and configuration method of neighbor discovery (ND) snooping and provides configuration examples.

NOTE
S2300SI does not support ND Snooping.

10.1 ND Snooping Overview
This section describes the principle of ND snooping.

10.2 ND Snooping Features Supported by the S2300
This section describes ND snooping features supported by the S2300.

10.3 Configuring ND Snooping
This section describes the basic concepts of ND snooping and the procedure for configuring ND snooping, and provides configuration examples of ND snooping.

10.4 Maintaining ND Snooping
This section describes how to reset the prefix management table and ND dynamic binding table.

10.5 Configuration Examples
This section provides a configuration example of ND snooping.


10.1 ND Snooping Overview


This section describes the principle of ND snooping.

Neighbor discovery (ND) is a group of messages and processes that identify relationships between neighboring nodes. IPv6 ND corresponds to a combination of the Address Resolution Protocol (ARP), ICMP router discovery, and ICMP Redirect of IPv4. ND snooping provides the following functions:
- Detecting address conflicts
- Resolving the neighboring node address
- Determining neighbor reachability
- Configuring the host address

ND uses the following types of messages:
- Router Solicitation (RS): After startup, a host sends an RS message to a device, and waits for the device to respond with a Router Advertisement (RA) message.
- Router Advertisement (RA): A device periodically advertises RA messages that contain prefixes and flag bits.
- Neighbor Solicitation (NS): Through NS messages, an IPv6 node obtains the link-layer address of its neighbor, checks whether the neighbor is reachable, and performs duplicate address detection.
- Neighbor Advertisement (NA): After receiving an NS message, an IPv6 node responds with an NA message. In addition, the IPv6 node sends unsolicited NA messages when its link-layer address changes.
- Redirect: When finding that the inbound interface and outbound interface of a packet are the same, a device can send Redirect messages to instruct the host that sends the packet to choose a better next hop.

The ND snooping technology is a security feature of ND. By capturing and analyzing the preceding types of messages, it filters out untrusted messages, and establishes and maintains the prefix management table and ND dynamic binding table. The prefix management table contains information about the prefix and the prefix lease. The ND dynamic binding table contains information about IPv6 addresses, MAC addresses, interfaces, and VLAN IDs. By maintaining the prefix management table and ND dynamic binding table, the device enabled with ND snooping allows authorized users to access the network and prevents unauthorized users from attacking network devices and authorized users.

10.2 ND Snooping Features Supported by the S2300


This section describes ND snooping features supported by the S2300. When being deployed on a Layer 2 network, the S2300 is located between the ND server (usually a router) and the user network. To prevent unauthorized users from forging the ND server, you can configure interfaces as trusted or untrusted interfaces on the S2300. By maintaining the prefix management table and ND dynamic binding table, the S2300 enabled with ND snooping allows authorized users to access the network and prevents unauthorized users from attacking network devices and authorized users. Figure 10-1 shows ND snooping applied to the S2300.


Figure 10-1 ND snooping enabled on the S2300 of the Layer 2 network (figure: Router (ND Server) in the L3 network connected to the trusted interface of the Switch; the untrusted interface of the Switch faces the user network across the L2 network)

10.3 Configuring ND Snooping


This section describes the basic concepts of ND snooping and the procedure for configuring ND snooping, and provides configuration examples of ND snooping.

10.3.1 Establishing the Configuration Task
Before configuring ND snooping, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.

10.3.2 Enabling ND Snooping
After ND snooping is enabled globally, you must enable ND snooping on an interface or in a VLAN. Otherwise, ND snooping does not take effect.

10.3.3 Configuring an Interface as the Trusted Interface
Generally, the network-side interface of the S2300 is configured as the trusted interface and user-side interfaces of the S2300 are configured as untrusted interfaces.

10.3.4 (Optional) Configuring the Aging Function of the ND Dynamic Binding Table
Through the aging function, the S2300 can automatically manage the ND dynamic binding table.

10.3.5 Checking the Configuration
After configuring ND snooping to improve the security of an IPv6 network, you can view the statistics about ND snooping.

10.3.1 Establishing the Configuration Task


Before configuring ND snooping, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.

Applicable Environment
When a bogus ND server exists on the network, it sends incorrect information such as an incorrect gateway address, DNS server, and IP address to ND clients. As a result, ND clients cannot access the destination network.

To protect the S2300 against attacks from a bogus ND server, you can configure ND snooping on the S2300, configure the network-side interface as the trusted interface, and configure user-side interfaces as untrusted interfaces. The RA messages received from untrusted interfaces are discarded. Based on the RA messages received from the trusted interface, the S2300 establishes the prefix management table. The prefix management table saves information about prefixes allocated by the ND server to the S2300, and is used by the S2300 to manage client addresses.

According to the prefixes in the ND snooping prefix management table, clients automatically generate IPv6 addresses and send NS messages to detect whether the IPv6 addresses conflict. In this process, the S2300 generates the ND dynamic binding table based on the NS messages. The ND dynamic binding table saves information about IPv6 addresses, MAC addresses, and VLAN IDs of clients. The S2300 delivers the ND dynamic binding entries to the ACL that is automatically generated. Packets matching the entries in the ACL are permitted by default.

Pre-configuration Tasks
Before configuring ND snooping, complete the following task:
- Configuring the ND server

Data Preparation
To configure ND snooping, you need the following data.

No.  Data
1    Type and number of the interface that needs to be configured as the trusted interface
2    (Optional) Number of detection times for aging ND dynamic binding entries
3    (Optional) Detection interval for aging ND dynamic binding entries

10.3.2 Enabling ND Snooping


After ND snooping is enabled globally, you must enable ND snooping on an interface or in a VLAN. Otherwise, ND snooping does not take effect.

Context
Before enabling ND snooping on an interface or in a VLAN, you must enable ND snooping globally. By default, ND snooping is disabled globally, on interfaces, and in VLANs.


Procedure
- Configuring ND snooping on an interface
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dhcp enable
     DHCP is enabled globally.
  3. Run:
     nd snooping enable
     ND snooping is enabled globally.
  4. Run:
     interface interface-type interface-number
     The interface view is displayed.
  5. Run:
     nd snooping enable
     ND snooping is enabled on the interface.
- Configuring ND snooping in a VLAN
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dhcp enable
     DHCP is enabled globally.
  3. Run:
     nd snooping enable
     ND snooping is enabled globally.
  4. Run:
     vlan vlan-id
     The VLAN view is displayed.
  5. Run:
     nd snooping enable
     ND snooping is enabled in the VLAN.

----End

10.3.3 Configuring an Interface as the Trusted Interface


Generally, the network-side interface of the S2300 is configured as the trusted interface and user-side interfaces of the S2300 are configured as untrusted interfaces.

Context
When RA messages sent from the ND server pass through the trusted interface of the S2300, the S2300 establishes the prefix management table according to the RA messages. The prefix management table saves information about prefixes allocated to the S2300 in the RA messages. The S2300 discards the RA messages received from untrusted interfaces.

Generally, the interface connected to the ND server is configured as the trusted interface and other interfaces are configured as untrusted interfaces. After ND snooping is enabled on an interface, the interface is an untrusted interface by default.

Procedure
- Configuring the trusted interface in the interface view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     nd snooping trusted
     The interface is configured as the trusted interface.
- Configuring the trusted interface in a VLAN
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     vlan vlan-id
     The VLAN view is displayed.
  3. Run:
     nd snooping trusted interface interface-type interface-number
     The interface in the VLAN is configured as the trusted interface.

NOTE
When you run the nd snooping trusted command in the VLAN view, the specified interface must belong to the VLAN. Compared with the nd snooping trusted command run in the interface view, the nd snooping trusted command run in the VLAN view is more precise, because a specified interface in a specified VLAN can be configured as a trusted interface.

----End

10.3.4 (Optional) Configuring the Aging Function of the ND Dynamic Binding Table
Through the aging function, the S2300 can automatically manage the ND dynamic binding table.

Context
After ND snooping is enabled, the S2300 establishes the ND dynamic binding table based on the user information.

When the lease of an ND dynamic binding entry expires and the aging function of the ND dynamic binding table is configured, the S2300 sends NS messages according to the configured number of detection times and detection interval. If the user does not respond with an NA message after the specified number of detection times, the S2300 considers that the user is offline, deletes the ND dynamic binding entry of the user, and no longer forwards messages to the user.

Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
nd user-bind detect enable
The aging function of the ND dynamic binding table is enabled.
By default, the aging function of the ND dynamic binding table is disabled.

Step 3 Run:
nd user-bind detect retransmit retransmit-times interval retransmit-interval
The detection interval and the number of detection times for aging ND dynamic binding entries are set.
By default, the detection interval for aging ND dynamic binding entries is 1000 ms and the number of detection times is 2.

----End
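The three mechanisms described in 10.3.1, 10.3.3 and 10.3.4 (RA messages accepted only on the trusted interface, forwarding permitted only for packets that match an ND dynamic binding entry, and the NS probing that ages an expired entry after retransmit-times unanswered probes, interval ms apart) are simulated below in Python. This is an added illustration written for this guide, not Huawei code. The interface names, the 2001::/64 prefix and all timings are constructed; the two bindings reuse the addresses from the display nd snooping user-bind output in this chapter. Two things are assumed because the page does not state them: a client that answers a probe keeps its entry with a refreshed lease, and the defaults of 2 probes at 1000 ms apply when nothing else is configured.

```python
"""Simulation of the ND snooping behaviour described in 10.3.1 to 10.3.4.
Added illustration, not Huawei code. All clock values are in milliseconds."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Binding:
    """One ND dynamic binding entry: IPv6 address, MAC, interface, VLAN, lease."""
    ipv6: str
    mac: str
    interface: str
    vlan: int
    lease_end: int


@dataclass
class NdSnooping:
    trusted: set = field(default_factory=set)   # interfaces with 'nd snooping trusted'
    retransmit_times: int = 2                    # page default for 'nd user-bind detect retransmit'
    interval_ms: int = 1000                      # page default for '... interval'
    prefix_table: Dict[str, int] = field(default_factory=dict)   # prefix -> valid until
    bindings: Dict[str, Binding] = field(default_factory=dict)   # ipv6 -> Binding
    dropped_ra: int = 0
    probes: List[Tuple[str, int]] = field(default_factory=list)  # (ipv6, time) of each NS probe

    def on_ra(self, interface: str, prefix: str, valid_time: int, now: int) -> bool:
        """An RA from an untrusted interface is discarded; one from the trusted
        interface fills the prefix management table."""
        if interface not in self.trusted:
            self.dropped_ra += 1
            return False
        self.prefix_table[prefix] = now + valid_time
        return True

    def on_ns(self, interface: str, vlan: int, ipv6: str, mac: str,
              now: int, lease: int) -> Binding:
        """A client's NS (duplicate address detection) creates or refreshes its binding."""
        self.bindings[ipv6] = Binding(ipv6, mac, interface, vlan, now + lease)
        return self.bindings[ipv6]

    def permits(self, interface: str, vlan: int, ipv6: str, mac: str) -> bool:
        """The automatically generated ACL permits a packet only when every
        field of the binding matches; a spoofed MAC or a moved port fails."""
        b = self.bindings.get(ipv6)
        return b is not None and (b.mac, b.interface, b.vlan) == (mac, interface, vlan)

    def age(self, now: int, answers_na: Callable[[str], bool], lease: int) -> List[str]:
        """Probe every expired binding with NS, retransmit_times times and
        interval_ms apart, and delete it if no NA comes back. answers_na(ipv6)
        stands in for the client's reply. Returns the deleted addresses."""
        deleted = []
        for ipv6, b in list(self.bindings.items()):
            if b.lease_end > now:
                continue
            alive = False
            for attempt in range(self.retransmit_times):
                self.probes.append((ipv6, now + attempt * self.interval_ms))
                if answers_na(ipv6):
                    alive = True
                    break
            if alive:
                b.lease_end = now + lease    # assumption: an NA refreshes the lease
            else:
                del self.bindings[ipv6]
                deleted.append(ipv6)
        return deleted


def run_scenario() -> dict:
    """Replays the Layer 2 scenario of 10.5.1 with constructed timings; the two
    bindings reuse the addresses from the display nd snooping user-bind output."""
    sw = NdSnooping(trusted={"GE0/0/1"}, retransmit_times=5, interval_ms=600)
    ra_bogus = sw.on_ra("GE0/0/2", "2001::/64", 600_000, now=0)   # user side: dropped
    ra_real = sw.on_ra("GE0/0/1", "2001::/64", 600_000, now=0)    # ND server side: learned
    sw.on_ns("GE0/0/2", 30, "3001::E58C:A2E7:AA4C:8E59", "00e0-4c7c-af8f", now=0, lease=300_000)
    sw.on_ns("GE0/0/2", 30, "3001::E58C:A2E7:AA4C:8D54", "00e0-4c7c-afae", now=0, lease=300_000)
    genuine = sw.permits("GE0/0/2", 30, "3001::E58C:A2E7:AA4C:8E59", "00e0-4c7c-af8f")
    spoofed_mac = sw.permits("GE0/0/2", 30, "3001::E58C:A2E7:AA4C:8E59", "00e0-4c7c-afae")
    moved_port = sw.permits("GE0/0/3", 30, "3001::E58C:A2E7:AA4C:8E59", "00e0-4c7c-af8f")
    # Both leases expire at t=300 s; only the first client still answers NS probes.
    deleted = sw.age(now=300_000, answers_na=lambda ip: ip.endswith("8E59"), lease=300_000)
    return {
        "ra_bogus_accepted": ra_bogus,
        "ra_real_accepted": ra_real,
        "dropped_ra": sw.dropped_ra,
        "genuine": genuine,
        "spoofed_mac": spoofed_mac,
        "moved_port": moved_port,
        "deleted": deleted,
        "remaining": sorted(sw.bindings),
        "probes_to_silent_client": [t for ip, t in sw.probes if ip.endswith("8D54")],
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the scenario shows the user-side RA being dropped, the genuine client's packets permitted while the same address with another MAC or on another port is not, and the silent client probed five times 600 ms apart before its entry is removed, which is exactly what the retransmit 5 interval 600 setting in 10.5.1 asks for.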

10.3.5 Checking the Configuration


After configuring ND snooping to improve the security of an IPv6 network, you can view the statistics about ND snooping.

Prerequisite
The configurations of ND snooping are complete.

Procedure
- Run the display nd snooping prefix command to check prefix management entries of ND users.
- Run the display nd snooping user-bind { all | ipv6-address ipv6-address | mac-address mac-address | interface interface-type interface-number | vlan vlan-id | vlan vlan-id interface interface-type interface-number } command to check ND dynamic binding entries.
- Run the display this command in the system view to check the configuration of ND snooping. The output shows whether ND snooping is enabled and the settings of the aging function of the ND dynamic binding table.

----End

Example
After the configuration is successful, you can run the display nd snooping prefix command to view the prefix management table of ND users.
<Quidway> display nd snooping prefix
prefix-table:
Prefix                                   Length   Valid-Time   Preferred-Time
--------------------------------------------------------------------------------
3001::                                   64       100000       100000
--------------------------------------------------------------------------------
Prefix table total count: 1

Run the display nd snooping user-bind all command, and you can view information about the ND dynamic binding table.
<Quidway> display nd snooping user-bind all
ND Dynamic Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - map vlan
IP Address                               MAC Address    VSI/VLAN(O/I/P)  Lease
--------------------------------------------------------------------------------
3001::E58C:A2E7:AA4C:8E59                00e0-4c7c-af8f 30  /--  /--     2011.05.06-20:09
--------------------------------------------------------------------------------
print count: 1                           total count: 1

Run the display this command in the system view, and you can view the configuration of ND snooping.
[Quidway] display this
nd snooping enable
nd user-bind detect enable
nd user-bind detect retransmit 10 interval 1000

10.4 Maintaining ND Snooping


This section describes how to reset the prefix management table and ND dynamic binding table.

10.4.1 Clearing the Prefix Management Table
You can manually delete prefix management entries on the S2300.

10.4.2 Resetting the ND Dynamic Binding Table
You can manually delete ND dynamic binding entries on the S2300.

10.4.1 Clearing the Prefix Management Table


You can manually delete prefix management entries on the S2300.

Context
The ND server sends RA messages periodically to request clients to update prefixes. As the access device of the client, the S2300 maintains the prefix information and updates and ages the prefix information. Generally, you are advised not to manually delete prefix management entries. You need to manually delete prefix management entries if the following conditions are met:
- The user address lease does not expire; therefore, prefix management entries cannot age automatically.
- It is confirmed that the user does not connect to the network through the S2300.

To manually delete prefix management entries, run the following command in the user view or in the system view.

Procedure
l Run the reset nd snooping prefix [ ipv6-address/prefix-length ] command to reset the prefix management table.

----End

10.4.2 Resetting the ND Dynamic Binding Table


You can manually delete ND dynamic binding entries on the S2300.

Context
You need to manually delete ND dynamic binding entries if the following conditions are met:
- The ND dynamic binding table does not reach the aging time; therefore, ND dynamic binding entries cannot age automatically.
- It is confirmed that the user does not connect to the network through the S2300.
- The user VLAN or interface information changes.
NOTE

After the networking environment changes, ND dynamic binding entries do not age immediately. However, the following information in ND dynamic binding entries may change, causing packet forwarding failure:
- VLAN ID in packets
- Interface information

Before changing the networking environment, clear all ND dynamic binding entries manually so that a device generates a new ND dynamic binding table according to the new networking environment.

To manually delete ND dynamic binding entries, run the following command in the user view or in the system view.

Procedure
- Run the reset nd snooping user-bind [ interface interface-type interface-number | ipv6-address ipv6-address | mac-address mac-address | vlan vlan-id ] command to reset the ND dynamic binding table.

----End

10.5 Configuration Examples


This section provides a configuration example of ND snooping.

10.5.1 Example for Configuring ND Snooping on a Layer 2 Network
This section describes the procedure for configuring ND snooping, including the configuration of the trusted interface and the ND dynamic binding table.

10.5.1 Example for Configuring ND Snooping on a Layer 2 Network


This section describes the procedure for configuring ND snooping, including the configuration of the trusted interface and the ND dynamic binding table.

Networking Requirements
As shown in Figure 10-2, the Switch is deployed in the layer 2 network between the user network and the ND server. To protect the Switch against the attacks of a bogus ND server, it is required that ND snooping be configured on the Switch and the network-side interface of the carrier be configured as the trusted interface. By maintaining the prefix management table and ND dynamic binding table, the Switch ensures that authorized users access the network and prevents unauthorized users from attacking network devices and authorized users.

Figure 10-2 Networking diagram for configuring ND snooping on a Layer 2 network (figure: Router (ND Server) in the L3 network connected to GE0/0/1 of the Switch; GE0/0/2 of the Switch faces the user network across the L2 network)

Configuration Roadmap
The configuration roadmap is as follows (assume that the ND server is configured):
1. Enable ND snooping in the system view and interface view.
2. Configure the interface connected to the ND server as the trusted interface.
3. Configure the aging function of the ND dynamic binding table.

Data Preparation
To complete the configuration, you need the following data:
- Interfaces in trusted or untrusted mode: GE 0/0/1 in trusted mode and GE 0/0/2 in untrusted mode
- Detection interval for aging ND dynamic binding entries
- Number of detection times for aging ND dynamic binding entries

Procedure
Step 1 Configure ND snooping.
# Enable ND snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] nd snooping enable

# Enable ND snooping on the interface.
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] nd snooping enable
[Quidway-GigabitEthernet0/0/2] quit

Step 2 Configure GE 0/0/1 as the trusted interface.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] nd snooping trusted
[Quidway-GigabitEthernet0/0/1] quit

After ND snooping is enabled on GE 0/0/2, the interface is an untrusted interface by default.
Step 3 Configure the aging function of the ND dynamic binding table.
# Set the detection interval and the number of detection times for aging ND dynamic binding entries.
[Quidway] nd user-bind detect enable
[Quidway] nd user-bind detect retransmit 5 interval 600

Step 4 Verify the configuration.
Run the display this command in the system view; the output shows that ND snooping is enabled globally and on the interface.
[Quidway] display this
nd snooping enable
nd user-bind detect enable
nd user-bind detect retransmit 5 interval 600

Run the display nd snooping prefix command to view the prefix management table of ND users.
<Quidway> display nd snooping prefix
prefix-table:
Prefix                                   Length  Valid-Time  Preferred-Time
-------------------------------------------------------------------------------
2001::                                   64      600         600
Info: Prefix table total count:1

Run the display nd snooping user-bind all command to view the ND dynamic binding table.
<Quidway> display nd snooping user-bind all
ND Dynamic Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - map vlan
IP Address                                MAC Address    VSI/VLAN(O/I/P)  Lease
--------------------------------------------------------------------------------
3001::E58C:A2E7:AA4C:8E59                 00e0-4c7c-af8f 30  /--  /--      2011.05.06-20:09
3001::E58C:A2E7:AA4C:8D54                 00e0-4c7c-afae 30  /--  /--      2011.05.06-20:09
--------------------------------------------------------------------------------
Dynamic binditem count: 2
Dynamic binditem total count: 2

----End
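The binding table shown in Step 4 is what an operator polls to see which IPv6 addresses ND snooping has bound to which MAC address and VLAN. The following Python script is an added example, not Huawei code: it parses the display nd snooping user-bind all output, checks the number of rows against the count the device reports, and flags any address that appears bound to two different MAC addresses in the same VLAN (the kind of inconsistency worth alerting on when snapshots of the table are compared over time). The sample text is copied from the output above; the function names are this example's own.

```python
"""Parse and sanity-check 'display nd snooping user-bind all' output.

Added example (not Huawei code). SAMPLE_OUTPUT is copied from the page;
the parsing and checking functions are this example's own.
"""
import ipaddress
import re
from collections import defaultdict

# Binding table output reproduced from the page (two hosts in VLAN 30).
SAMPLE_OUTPUT = """\
ND Dynamic Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - map vlan
IP Address                                MAC Address    VSI/VLAN(O/I/P)  Lease
--------------------------------------------------------------------------------
3001::E58C:A2E7:AA4C:8E59                 00e0-4c7c-af8f 30  /--  /--      2011.05.06-20:09
3001::E58C:A2E7:AA4C:8D54                 00e0-4c7c-afae 30  /--  /--      2011.05.06-20:09
--------------------------------------------------------------------------------
Dynamic binditem count: 2
Dynamic binditem total count: 2
"""

# One binding row: IPv6 address, Huawei-style MAC (xxxx-xxxx-xxxx),
# outer/inner/map VLAN fields ("--" when unused) and the lease timestamp.
ROW_RE = re.compile(
    r"^(?P<ip>[0-9A-Fa-f:]+)\s+(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?P<outer>\S+)\s+/(?P<inner>\S+)\s+/(?P<map>\S+)\s+(?P<lease>\S+)$"
)
COUNT_RE = re.compile(r"^Dynamic binditem count:\s*(\d+)$")


def parse_bindings(text):
    """Return (entries, reported_count).

    Each entry holds the parsed IPv6 address object (a malformed address
    raises ValueError), the MAC string, the outer VLAN and the lease text.
    """
    entries, reported = [], None
    for line in text.splitlines():
        line = line.strip()
        m = ROW_RE.match(line)
        if m:
            entries.append({
                "ip": ipaddress.IPv6Address(m["ip"]),
                "mac": m["mac"],
                "vlan": m["outer"],
                "lease": m["lease"],
            })
            continue
        c = COUNT_RE.match(line)
        if c:
            reported = int(c.group(1))
    return entries, reported


def check_table(entries, reported):
    """Return a list of findings; an empty list means the table is consistent."""
    findings = []
    if reported is not None and reported != len(entries):
        findings.append(f"parsed {len(entries)} rows but device reports {reported}")
    seen = {}
    for e in entries:
        key = (e["ip"], e["vlan"])
        if key in seen and seen[key] != e["mac"]:
            findings.append(
                f"{e['ip']} in VLAN {e['vlan']} bound to both {seen[key]} and {e['mac']}"
            )
        seen.setdefault(key, e["mac"])
    return findings


def macs_per_vlan(entries):
    """Group bound MAC addresses by VLAN, e.g. for a per-VLAN host inventory."""
    by_vlan = defaultdict(set)
    for e in entries:
        by_vlan[e["vlan"]].add(e["mac"])
    return {vlan: sorted(macs) for vlan, macs in by_vlan.items()}


if __name__ == "__main__":
    rows, count = parse_bindings(SAMPLE_OUTPUT)
    print(f"{len(rows)} bindings parsed, device reports {count}")
    print("findings:", check_table(rows, count) or "none")
    print("per VLAN:", macs_per_vlan(rows))
```

The regular expression is anchored on the Huawei MAC format, so the header, separator and count lines never match a binding row, and the ipaddress module rejects any address the device could not have bound.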

Configuration Files
#
dhcp enable
#
nd snooping enable
#
nd user-bind detect enable
#
nd user-bind detect retransmit 5 interval 600
#

interface GigabitEthernet0/0/1
 nd snooping enable
 nd snooping trusted
#
interface GigabitEthernet0/0/2
 nd snooping enable
#
return
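The configuration file above is the artifact an auditor checks against the configuration roadmap: ND snooping enabled globally and on every interface, binding-table aging detection on, and only the network-side interface (GE 0/0/1 here) marked trusted, since a trusted mark on a user-facing interface would leave that interface outside the protection this section sets up. The following Python script is an added example, not Huawei tooling: it parses a configuration file in this format and reports any deviation. The config text is copied from this section; the function names and the expected_trusted argument are this example's assumptions.

```python
"""Audit an ND snooping configuration against the roadmap of this section.

Added example (not Huawei tooling). PAGE_CONFIG is the configuration file
from the page; parse_config/audit_nd_snooping are this example's own.
"""
import re

# Configuration file reproduced from the page.
PAGE_CONFIG = """\
#
dhcp enable
#
nd snooping enable
#
nd user-bind detect enable
#
nd user-bind detect retransmit 5 interval 600
#
interface GigabitEthernet0/0/1
 nd snooping enable
 nd snooping trusted
#
interface GigabitEthernet0/0/2
 nd snooping enable
#
return
"""


def parse_config(text):
    """Split a config in the page's format into global commands and
    per-interface command lists. Lines after 'interface X' belong to X
    until the next '#' separator; 'return' ends the file."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#" or line == "return":
            current = None
            continue
        m = re.match(r"^interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            interfaces.setdefault(current, [])
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_cmds.append(line)
    return global_cmds, interfaces


def audit_nd_snooping(text, expected_trusted):
    """Return findings as strings; an empty list means the config matches
    the roadmap. expected_trusted is the set of network-side interface
    names (exactly these, and no others, must carry 'nd snooping trusted')."""
    global_cmds, interfaces = parse_config(text)
    findings = []
    if "nd snooping enable" not in global_cmds:
        findings.append("ND snooping is not enabled globally")
    if "nd user-bind detect enable" not in global_cmds:
        findings.append("binding-table aging detection is not enabled")
    trusted = {name for name, cmds in interfaces.items() if "nd snooping trusted" in cmds}
    for name, cmds in interfaces.items():
        if "nd snooping enable" not in cmds:
            findings.append(f"{name}: ND snooping is not enabled on the interface")
    for name in sorted(trusted - set(expected_trusted)):
        findings.append(f"{name}: trusted but not in the expected network-side set")
    for name in sorted(set(expected_trusted) - trusted):
        findings.append(f"{name}: network-side interface is not trusted")
    return findings


if __name__ == "__main__":
    result = audit_nd_snooping(PAGE_CONFIG, {"GigabitEthernet0/0/1"})
    print("findings:", result or "none")
```

Run it against a saved display current-configuration dump with the set of uplink interfaces as expected_trusted; a non-empty list is the cue to compare the device against this section's procedure before trusting its binding table.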
