Copyright Huawei Technologies Co., Ltd. 2011. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.
Issue 01 (2011-05-20)
Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol    Description
DANGER    Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
WARNING   Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.
CAUTION   Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
TIP       Indicates a tip that may help you solve a problem or save time.
NOTE      Provides additional information to emphasize or supplement important points of the main text.
Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention          Description
Boldface            The keywords of a command line are in boldface.
Italic              Command arguments are in italics.
[ ]                 Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }     Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]     Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*    Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*    Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>              The parameter before the & sign can be repeated 1 to n times.
#                   A line starting with the # sign is a comment.
Change History
Changes between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.
Quidway S2300 Series Ethernet Switches Configuration Guide - Security

Contents

About This Document ..... iii

1 AAA and User Management Configuration ..... 1-1
  1.1 Introduction to AAA and User Management ..... 1-2
  1.2 AAA and User Management Features Supported by the S2300 ..... 1-2
  1.3 Configuring AAA Schemes ..... 1-4
    1.3.1 Establishing the Configuration Task ..... 1-4
    1.3.2 Configuring an Authentication Scheme ..... 1-5
    1.3.3 Configuring an Authorization Scheme ..... 1-6
    1.3.4 Configuring an Accounting Scheme ..... 1-7
    1.3.5 (Optional) Configuring a Recording Scheme ..... 1-8
    1.3.6 Checking the Configuration ..... 1-10
  1.4 Configuring a RADIUS Server Template ..... 1-10
    1.4.1 Establishing the Configuration Task ..... 1-11
    1.4.2 Creating a RADIUS Server Template ..... 1-11
    1.4.3 Configuring a RADIUS Authentication Server ..... 1-12
    1.4.4 Configuring the RADIUS Accounting Server ..... 1-12
    1.4.5 Configuring a RADIUS Authorization Server ..... 1-13
    1.4.6 (Optional) Setting a Shared Key for a RADIUS Server ..... 1-13
    1.4.7 (Optional) Setting the User Name Format Supported by a RADIUS Server ..... 1-14
    1.4.8 (Optional) Setting the Traffic Unit for a RADIUS Server ..... 1-14
    1.4.9 (Optional) Setting Retransmission Parameters on a RADIUS Server ..... 1-15
    1.4.10 (Optional) Setting the NAS Port Format of a RADIUS Server ..... 1-15
    1.4.11 Checking the Configuration ..... 1-17
  1.5 Configuring an HWTACACS Server Template ..... 1-18
    1.5.1 Establishing the Configuration Task ..... 1-18
    1.5.2 Creating an HWTACACS Server Template ..... 1-19
    1.5.3 Configuring an HWTACACS Authentication Server ..... 1-19
    1.5.4 Configuring an HWTACACS Authorization Server ..... 1-20
    1.5.5 Configuring the HWTACACS Accounting Server ..... 1-21
    1.5.6 (Optional) Configuring the Source IP Address of HWTACACS Packets ..... 1-21
    1.5.7 (Optional) Setting the Shared Key of an HWTACACS Server ..... 1-22
    1.5.8 (Optional) Setting the User Name Format for an HWTACACS Server ..... 1-22
    1.5.9 (Optional) Setting the Traffic Unit for an HWTACACS Server ..... 1-23
    1.5.10 (Optional) Setting HWTACACS Timers ..... 1-23
    1.5.11 (Optional) Configuring Retransmission of Accounting-Stop Packet ..... 1-24
    1.5.12 Checking the Configuration ..... 1-24
  1.6 Configuring a Service Scheme ..... 1-25
    1.6.1 Establishing the Configuration Task ..... 1-25
    1.6.2 Creating a Service Scheme ..... 1-26
    1.6.3 Setting the Administrator Level ..... 1-27
    1.6.4 Configuring a DHCP Server Group ..... 1-27
    1.6.5 Configuring an Address Pool ..... 1-28
    1.6.6 Configuring Primary and Secondary DNS Servers ..... 1-28
    1.6.7 Checking the Configuration ..... 1-29
  1.7 Configuring a Domain ..... 1-29
    1.7.1 Establishing the Configuration Task ..... 1-30
    1.7.2 Creating a Domain ..... 1-30
    1.7.3 Configuring Authentication, Authorization and Accounting Schemes for a Domain ..... 1-31
    1.7.4 Configuring a RADIUS Server Template for a Domain ..... 1-32
    1.7.5 Configuring an HWTACACS Server Template for a Domain ..... 1-32
    1.7.6 (Optional) Configuring a Service Scheme for a Domain ..... 1-33
    1.7.7 (Optional) Setting the Status of a Domain ..... 1-34
    1.7.8 (Optional) Configuring the Domain Name Delimiter ..... 1-34
    1.7.9 Checking the Configuration ..... 1-35
  1.8 Configuring Local User Management ..... 1-35
    1.8.1 Establishing the Configuration Task ..... 1-36
    1.8.2 Creating a Local User ..... 1-36
    1.8.3 (Optional) Setting the Access Type of the Local User ..... 1-37
    1.8.4 (Optional) Configuring the FTP Directory That a Local User Can Access ..... 1-37
    1.8.5 (Optional) Setting the Status of a Local User ..... 1-38
    1.8.6 (Optional) Setting the Level of a Local User ..... 1-38
    1.8.7 (Optional) Setting the Access Limit for a Local User ..... 1-39
    1.8.8 Checking the Configuration ..... 1-39
  1.9 Maintaining AAA and User Management ..... 1-40
    1.9.1 Clearing the Statistics ..... 1-40
    1.9.2 Monitoring the Running Status of AAA ..... 1-41
    1.9.3 Debugging ..... 1-41
  1.10 Configuration Examples ..... 1-42
    1.10.1 Example for Configuring RADIUS Authentication and Accounting ..... 1-42
    1.10.2 Example for Configuring HWTACACS Authentication, Accounting, and Authorization ..... 1-45
2 NAC Configuration ..... 2-1
  2.1 Introduction to NAC ..... 2-2
    2.1.1 802.1x Authentication ..... 2-2
    2.1.2 MAC Address Authentication ..... 2-3
    2.1.3 MAC Address Bypass Authentication ..... 2-3
  2.2 NAC Features Supported by the S2300 ..... 2-3
  2.3 Configuring 802.1x Authentication ..... 2-4
    2.3.1 Establishing the Configuration Task ..... 2-5
    2.3.2 Enabling Global 802.1x Authentication ..... 2-5
    2.3.3 Enabling 802.1x Authentication on an Interface ..... 2-6
    2.3.4 (Optional) Enabling MAC Bypass Authentication ..... 2-6
    2.3.5 Setting the Authentication Method for the 802.1x User ..... 2-7
    2.3.6 (Optional) Configuring the Interface Access Mode ..... 2-8
    2.3.7 (Optional) Configuring the Authorization Status of an Interface ..... 2-9
    2.3.8 (Optional) Setting the Maximum Number of Concurrent Access Users ..... 2-10
    2.3.9 (Optional) Enabling DHCP Packets to Trigger Authentication ..... 2-11
    2.3.10 (Optional) Configuring 802.1x Timers ..... 2-12
    2.3.11 (Optional) Configuring the Quiet Timer Function ..... 2-13
    2.3.12 (Optional) Configuring 802.1x Re-authentication ..... 2-13
    2.3.13 (Optional) Configuring the Guest VLAN for 802.1x Authentication ..... 2-14
    2.3.14 (Optional) Enabling the S2300 to Send Handshake Packets to Online Users ..... 2-15
    2.3.15 (Optional) Setting the Retransmission Count of the Authentication Request ..... 2-16
    2.3.16 Checking the Configuration ..... 2-16
  2.4 Configuring MAC Address Authentication ..... 2-17
    2.4.1 Establishing the Configuration Task ..... 2-18
    2.4.2 Enabling Global MAC Address Authentication ..... 2-18
    2.4.3 Enabling MAC Address Authentication on an Interface ..... 2-19
    2.4.4 Configuring a User Name for MAC Address Authentication ..... 2-20
    2.4.5 (Optional) Configuring the Domain for MAC Address Authentication ..... 2-20
    2.4.6 (Optional) Setting the Timers of MAC Address Authentication ..... 2-21
    2.4.7 (Optional) Configuring the Guest VLAN for MAC Address Authentication ..... 2-22
    2.4.8 (Optional) Setting the Maximum Number of Access Users Who Adopt MAC Address Authentication ..... 2-22
    2.4.9 (Optional) Re-Authenticating a User with the Specified MAC Address ..... 2-23
    2.4.10 Checking the Configuration ..... 2-24
  2.5 Maintaining NAC ..... 2-24
    2.5.1 Clearing the Statistics About 802.1x Authentication ..... 2-25
    2.5.2 Clearing Statistics About MAC Address Authentication ..... 2-25
  2.6 Configuration Examples ..... 2-25
    2.6.1 Example for Configuring the RADIUS Server to Deliver Authorization ACL ..... 2-25

    3.3.4 (Optional) Enabling Detection of Bogus DHCP Servers ..... 3-8
    3.3.5 Checking the Configuration ..... 3-8
  3.4 Preventing the DoS Attack by Changing the CHADDR Field ..... 3-9
    3.4.1 Establishing the Configuration Task ..... 3-9
    3.4.2 Enabling DHCP Snooping ..... 3-10
    3.4.3 Checking the CHADDR Field in DHCP Request Messages ..... 3-11
    3.4.4 Checking the Configuration ..... 3-12
  3.5 Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases ..... 3-12
    3.5.1 Establishing the Configuration Task ..... 3-13
    3.5.2 Enabling DHCP Snooping ..... 3-14
    3.5.3 Enabling Checking of DHCP Request Messages ..... 3-15
    3.5.4 (Optional) Configuring the Option 82 Function ..... 3-16
    3.5.5 (Optional) Setting the Format of the Option 82 Field ..... 3-17
    3.5.6 (Optional) Appending the Option 18 Field or the Option 37 Field to DHCPv6 Request Messages ..... 3-18
    3.5.7 Checking the Configuration ..... 3-18
  3.6 Setting the Maximum Number of DHCP Snooping Users ..... 3-19
    3.6.1 Establishing the Configuration Task ..... 3-19
    3.6.2 Enabling DHCP Snooping ..... 3-20
    3.6.3 Setting the Maximum Number of DHCP Snooping Users ..... 3-21
    3.6.4 (Optional) Configuring MAC Address Security on an Interface ..... 3-22
    3.6.5 Checking the Configuration ..... 3-23
  3.7 Limiting the Rate of Sending DHCP Messages ..... 3-24
    3.7.1 Establishing the Configuration Task ..... 3-24
    3.7.2 Enabling DHCP Snooping ..... 3-25
    3.7.3 Setting the Maximum Rate of Sending DHCP Messages ..... 3-26
    3.7.4 Checking the Configuration ..... 3-27
  3.8 Configuring the Packet Discarding Alarm Function ..... 3-28
    3.8.1 Establishing the Configuration Task ..... 3-28
    3.8.2 Enabling DHCP Snooping ..... 3-29
    3.8.3 Configuring the Packet Discarding Alarm Function ..... 3-30
    3.8.4 Checking the Configuration ..... 3-32
  3.9 Maintaining DHCP Snooping ..... 3-32
    3.9.1 Clearing DHCP Snooping Statistics ..... 3-32
    3.9.2 Resetting the DHCP Snooping Binding Table ..... 3-33
  3.10 Configuration Examples ..... 3-33
    3.10.1 Example for Preventing Bogus DHCP Server Attacks ..... 3-34
    3.10.2 Example for Preventing DoS Attacks by Changing the CHADDR Field ..... 3-36
    3.10.3 Example for Preventing Attackers from Sending Bogus DHCP Messages for Extending IP Address Leases ..... 3-39
    3.10.4 Example for Limiting the Rate of Sending DHCP Messages ..... 3-41
    3.10.5 Example for Applying DHCP Snooping on a Layer 2 Network ..... 3-44

  4.1 Overview of IP Source Guard ..... 4-2
  4.2 IP Source Guard Features Supported by the S2300 ..... 4-2
  4.3 Configuring IP Source Guard ..... 4-3
    4.3.1 Establishing the Configuration Task ..... 4-3
    4.3.2 (Optional) Configuring a Static User Binding Entry ..... 4-4
    4.3.3 Enabling IP Source Guard ..... 4-5
    4.3.4 Configuring the Check Items of IP Packets ..... 4-5
    4.3.5 (Optional) Configuring the Alarm Function of IP Source Guard ..... 4-6
    4.3.6 (Optional) Configuring the Function of Discarding IP Packets with the Same Source and Destination IP Addresses ..... 4-7
    4.3.7 Checking the Configuration ..... 4-7
  4.4 Configuration Examples ..... 4-7
    4.4.1 Example for Configuring IP Source Guard ..... 4-8

6 PPPoE+ Configuration ..... 6-1
  6.1 PPPoE+ Overview ..... 6-2
  6.2 PPPoE+ Features Supported by the S2300 ..... 6-2
  6.3 Configuring PPPoE+ ..... 6-2
    6.3.1 Establishing the Configuration Task ..... 6-2
    6.3.2 Enabling PPPoE+ Globally ..... 6-3
    6.3.3 Configuring the Format and Contents of Fields to Be Added to PPPoE Packets ..... 6-3
    6.3.4 Configuring the Action for Processing Original Fields in PPPoE Packets ..... 6-4
    6.3.5 Configuring the PPPoE Trusted Interface ..... 6-4
    6.3.6 Checking the Configuration ..... 6-5
  6.4 Configuration Examples ..... 6-5
    6.4.1 Example for Configuring PPPoE+ ..... 6-5

7 MFF Configuration ..... 7-1
  7.1 MFF Overview ..... 7-2
  7.2 MFF Features Supported by the S2300 ..... 7-3
  7.3 Configuring MFF ..... 7-4
    7.3.1 Establishing the Configuration Task ..... 7-4
    7.3.2 Enabling Global MFF ..... 7-5
    7.3.3 Configuring the MFF Network Interface ..... 7-5
    7.3.4 Enabling MFF in a VLAN ..... 7-6
    7.3.5 (Optional) Configuring the Static Gateway Address ..... 7-6
    7.3.6 (Optional) Enabling Timed Gateway Address Detection ..... 7-7
    7.3.7 (Optional) Setting the Server Address ..... 7-7
    7.3.8 (Optional) Transparently Transmitting User Status Detection Packets ..... 7-7
    7.3.9 (Optional) Discarding IPv6 Packets Sent from Users ..... 7-8
    7.3.10 Checking the Configuration ..... 7-8

9 ACL Configuration ..... 9-1
  9.1 Introduction to the ACL ..... 9-2
  9.2 Classification of ACLs Supported by the S2300 ..... 9-2
  9.3 Configuring an ACL ..... 9-3
    9.3.1 Establishing the Configuration Task ..... 9-4
    9.3.2 Creating an ACL ..... 9-4
    9.3.3 (Optional) Setting the Time Range When an ACL Takes Effect ..... 9-5
    9.3.4 (Optional) Configuring the Description of an ACL ..... 9-6
    9.3.5 Configuring a Basic ACL ..... 9-6
    9.3.6 Configuring an Advanced ACL ..... 9-7
    9.3.7 Configuring a Layer 2 ACL ..... 9-8
    9.3.8 (Optional) Setting the Step Between ACL Rules ..... 9-8
    9.3.9 Checking the Configuration ..... 9-9
  9.4 Configuring ACL6 ..... 9-10
    9.4.1 Establishing the Configuration Task ..... 9-10
    9.4.2 Creating an ACL6 ..... 9-11
    9.4.3 (Optional) Creating the Time Range of the ACL6 ..... 9-12
    9.4.4 Configuring a Basic ACL6 ..... 9-12
    9.4.5 Configuring an Advanced ACL6 ..... 9-13
    9.4.6 Checking the Configuration ..... 9-14
  9.5 Configuration Examples ..... 9-15
    9.5.1 Example for Configuring a Basic ACL ..... 9-15
    9.5.2 Example for Configuring an Advanced ACL ..... 9-17
    9.5.3 Example for Configuring a Layer 2 ACL ..... 9-21
    9.5.4 Example for Configuring an ACL6 to Control FTP User Access ..... 9-24

10 ND Snooping Configuration ..... 10-1
  10.1 ND Snooping Overview ..... 10-2
  10.2 ND Snooping Features Supported by the S2300 ..... 10-2
  10.3 Configuring ND Snooping ..... 10-3
Contents
10.3.1 Establishing the Configuration Task..................................................................................................10-3 10.3.2 Enabling ND Snooping......................................................................................................................10-4 10.3.3 Configuring an Interface as the Trusted Interface..............................................................................10-5 10.3.4 (Optional) Configuring the Aging Function of the ND Dynamic Binding Table..............................10-6 10.3.5 Checking the Configuration...............................................................................................................10-7 10.4 Maintaining ND Snooping..........................................................................................................................10-8 10.4.1 Clearing the Prefix Management Table..............................................................................................10-8 10.4.2 Resetting the ND Dynamic Binding Table........................................................................................10-9 10.5 Configuration Examples..............................................................................................................................10-9 10.5.1 Example for Configuring ND Snooping on a Layer 2 Network........................................................10-9
Figures
Figure 1-1 Networking diagram of RADIUS authentication and accounting 1-42
Figure 1-2 Networking diagram of HWTACACS authentication, accounting, and authorization 1-45
Figure 2-1 Typical networking of NAC 2-2
Figure 2-2 Networking diagram for configuring 802.1x authentication 2-26
Figure 3-1 Networking diagram for applying DHCP snooping on the S2300 on a Layer 2 network 3-4
Figure 3-2 Networking diagram for preventing bogus DHCP server attacks 3-34
Figure 3-3 Networking diagram for preventing DoS attacks by changing the CHADDR field 3-37
Figure 3-4 Networking diagram for preventing attackers from sending bogus DHCP messages for extending IP address leases 3-39
Figure 3-5 Networking diagram for limiting the rate of sending DHCP messages 3-42
Figure 3-6 Networking diagram for configuring DHCP snooping 3-45
Figure 4-1 Diagram of IP/MAC spoofing attack 4-2
Figure 4-2 Networking diagram for configuring IP source guard 4-8
Figure 6-1 Networking diagram for configuring PPPoE+ 6-6
Figure 7-1 Networking diagram for configuring MFF 7-10
Figure 8-1 Networking diagram for configuring traffic suppression 8-4
Figure 9-1 Networking diagram for configuring a basic ACL 9-15
Figure 9-2 Networking diagram for configuring IPv4 ACLs 9-17
Figure 9-3 Networking diagram for configuring layer 2 ACLs 9-22
Figure 9-4 Networking diagram for configuring an ACL6 to control FTP users 9-24
Figure 10-1 ND snooping enabled on the S2300 of the Layer 2 network 10-3
Figure 10-2 Networking diagram for configuring ND snooping on a Layer 2 network 10-10
Tables
Table 3-1 Matching table between type of attacks and DHCP snooping operation modes 3-4
Table 3-2 Relation between the type of attacks and the type of discarded packets 3-28
AAA
AAA provides the following types of services:
- Authentication: determines whether users can access the network.
- Authorization: authorizes the user to use certain services.
- Accounting: records network resource usage of the user.
AAA adopts the client/server model, which features good extensibility and facilitates concentrated management over user information.
The S2300 provides authentication schemes in the following modes:
- Non-authentication: In this mode, the S2300 does not authenticate user validity. It is used only when users are trusted and is not adopted in other scenarios.
- Local authentication: In this mode, user information such as user names, passwords, and other attributes is configured on the S2300, and the S2300 authenticates users according to this information. Local authentication is fast, but the amount of user information that can be stored is limited by the hardware.
- Remote authentication: In this mode, user information such as user names, passwords, and other attributes is configured on an authentication server. The S2300 functions as the client and communicates with the authentication server through the RADIUS or HWTACACS protocol.
NOTE
If both HWTACACS authentication and non-authentication are configured, HWTACACS authentication is preferred.
The S2300 provides authorization schemes in the following modes:
- Non-authorization: completely trusts users and authorizes them directly.
- Local authorization: authorizes users according to the attributes configured for local user accounts on the S2300.
- Remote authorization: the S2300 functions as the client and communicates with the authorization server through HWTACACS.
- If-authenticated authorization: authorizes users after they pass authentication in local or remote authentication mode.
The S2300 provides accounting schemes in the following modes:
- None: users are not charged.
- RADIUS accounting: the S2300 sends accounting packets to the RADIUS server, which then performs accounting.
- HWTACACS accounting: the S2300 sends accounting packets to the HWTACACS server, which then performs accounting.
In the RADIUS and HWTACACS accounting modes, the S2300 generates accounting packets when a user goes online or offline and sends them to the RADIUS or HWTACACS server. The server then performs accounting based on the information in the packets, such as login time and logout time. The S2300 also supports real-time accounting: while a user is online, the S2300 generates accounting packets periodically and sends them to the accounting server. In this way, the period for which accounting is inaccurate is minimized when communication between the S2300 and the accounting server is interrupted.
The S2300 supports up to 32 domains, including the two default domains. The priority of authorization configured in a domain is lower than the priority configured on an AAA server. That is, the authorization attribute sent by the AAA server is used preferentially. The authorization attribute in the domain takes effect only when the AAA server does not have or provide this authorization. In this manner, you can add services flexibly based on the domain management, regardless of the attributes provided by the AAA server.
Authentication and authorization are used together in RADIUS; therefore, you cannot use RADIUS alone to perform authorization.
Pre-configuration Tasks
None
Data Preparation
To configure AAA schemes, you need the following data.
1. Name of the authentication scheme and authentication mode
2. Name of the authorization scheme, authorization mode, (optional) user level in command-line-based authorization mode on the HWTACACS server, and (optional) timeout interval for command-line-based authorization
3. Name of the accounting scheme and accounting mode
4. (Optional) Name of the recording scheme, name of the HWTACACS server template associated with the recording scheme, and recording policy used to record events
By default, the local authentication mode is used. If users are not to be authenticated, you must create an authentication scheme, or modify the default authentication scheme, and set its authentication mode to none. Then apply this authentication scheme to the domain that the users belong to. The authentication modes for logging in to the S2300 and for upgrading user levels are set separately.
Procedure
Step 1 Run:
system-view
Step 3 Run:
authentication-scheme authentication-scheme-name
An authentication scheme is created and the authentication scheme view is displayed. By default, there is an authentication scheme named default on the S2300. This scheme can be modified but cannot be deleted.
Step 4 Run:
authentication-mode { hwtacacs | radius | local }*[ none ]
The authentication mode is set. none indicates the non-authentication mode. By default, the local authentication mode is used. If multiple authentication modes are used in an authentication scheme, the non-authentication mode must be the last one. If the authentication mode is set to RADIUS or HWTACACS, you must configure a RADIUS or HWTACACS server template and apply the template in the view of the domain that the user belongs to.
NOTE
If multiple authentication modes are used in an authentication scheme, they take effect in their configuration sequence. The S2300 adopts the next authentication mode only when the current authentication mode is invalid. The S2300 does not adopt any other authentication mode when users fail authentication in the current authentication mode.
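The fallback rule in this note is easy to misread, so here is a small model of it. This is an added example written for this page, not Huawei code; the backends, the account table and the scheme contents are constructed for the demonstration. "Invalid" is modelled as a server that cannot be reached, and "fail" as a server that answers with a rejection.

```python
"""Model of how a multi-mode authentication scheme is evaluated.

Added illustration, not Huawei's own code. It encodes the ordering rule from
this section: modes are tried in their configured order, the next mode is used
only when the current mode is invalid (its server cannot be reached), and a
rejection by the current mode ends the attempt. Backends and accounts below
are constructed for the demonstration.
"""
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"    # the mode authenticated the user
    REJECT = "reject"    # the mode answered and refused the user
    INVALID = "invalid"  # the mode could not answer (for example, server unreachable)


def validate_scheme(modes):
    """Enforce the rule that non-authentication ('none'), if used, is the last mode."""
    if "none" in modes[:-1]:
        raise ValueError("non-authentication mode must be the last mode in the scheme")
    if len(set(modes)) != len(modes):
        raise ValueError("each mode may appear only once in a scheme")
    return True


def authenticate(modes, user, password, backends):
    """Walk the scheme's modes in order; return (Result, mode that decided).

    `backends` maps a mode name ('radius', 'hwtacacs', ...) to a callable
    (user, password) -> Result. 'none' needs no backend: it always accepts.
    """
    validate_scheme(modes)
    for mode in modes:
        if mode == "none":
            return Result.ACCEPT, mode
        result = backends[mode](user, password)
        if result is Result.INVALID:
            continue             # only an invalid mode hands over to the next one
        return result, mode      # ACCEPT or REJECT is final; later modes are not consulted
    return Result.INVALID, None  # every configured mode was unavailable


def remote_backend(reachable, accounts):
    """Build a constructed RADIUS/HWTACACS-style backend for the example.

    An unreachable server yields INVALID; a reachable one accepts or rejects
    by comparing against its (constructed) account table.
    """
    def backend(user, password):
        if not reachable:
            return Result.INVALID
        return Result.ACCEPT if accounts.get(user) == password else Result.REJECT
    return backend


def demo():
    """Scenarios worth checking before trusting a fallback chain."""
    accounts = {"alice": "S3cret!"}           # constructed account table
    scheme = ["hwtacacs", "radius", "none"]
    # Scenario 1: HWTACACS server down, RADIUS up -> RADIUS decides.
    # Scenario 2: same servers, wrong password -> RADIUS rejects, 'none' is NOT reached.
    up_down = {"hwtacacs": remote_backend(False, accounts),
               "radius": remote_backend(True, accounts)}
    # Scenario 3: both servers down -> the chain falls through to non-authentication.
    # Scenario 4: both down but no 'none' in the scheme -> nothing can decide.
    all_down = {"hwtacacs": remote_backend(False, accounts),
                "radius": remote_backend(False, accounts)}
    return {
        "fallback_to_radius": authenticate(scheme, "alice", "S3cret!", up_down),
        "reject_is_final": authenticate(scheme, "alice", "wrong", up_down),
        "all_down_open": authenticate(scheme, "alice", "anything", all_down),
        "all_down_closed": authenticate(["hwtacacs", "radius"], "alice", "anything", all_down),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The third scenario is why the guide requires none to be last and why it deserves thought before it is configured at all: with every server unreachable, the scheme accepts any credential. A scheme without none fails closed instead (fourth scenario), which is the safer choice for management access.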
Step 5 Run:
authentication-super { hwtacacs | super }* [ none ]
Or,
authentication-super none
The authentication mode for upgrading user levels is set. The none parameter indicates that the non-authentication mode is used, that is, users change their own user levels. By default, the local authentication mode is used for upgrading user levels. When the local authentication mode is used for upgrading user levels, you need to run the super password command in the system view to set the password for upgrading user levels.
----End
Procedure
Step 1 Run:
system-view
An authorization scheme is created and the authorization scheme view is displayed. By default, an authorization scheme named default exists on the S2300. This scheme can be modified but cannot be deleted.
Step 4 Run:
authorization-mode [ hwtacacs ] { if-authenticated | local | none }
The authorization mode is set. By default, the local authorization mode is used. If multiple authorization modes are used in an authorization scheme, the if-authenticated mode or non-authorization mode must be used as the last authorization mode. When using the HWTACACS authorization mode, you must create an HWTACACS server template and apply the template to the domain that the user belongs to.
NOTE
If multiple authorization modes are used in an authorization scheme, they take effect in their configuration sequence. The S2300 adopts the next authorization mode only when the current authorization mode is invalid. The S2300 does not adopt any other authorization mode when users are not authorized in the current authorization mode.
The command-line-based authorization function is configured for users at a level. By default, the command-line-based authorization function is not configured for users at levels 0 to 15. If command-line authorization is enabled, you must create an HWTACACS server template and apply the template in the view of the domain that the user belongs to.
----End
An accounting scheme is created and the accounting scheme view is displayed. By default, the S2300 provides an accounting scheme named default. This scheme can be modified but cannot be deleted.
Step 4 Run:
accounting-mode { hwtacacs | radius | none }
The accounting mode is set. By default, the accounting mode is none. If the accounting mode is set to RADIUS or HWTACACS, you must configure the RADIUS or HWTACACS server template and apply the template to the corresponding user domain.
Step 5 (Optional) Run:
accounting realtime interval
Interim accounting is enabled and the accounting interval is set. By default, interim accounting is disabled. The accounting interval depends on network conditions. A short interval increases traffic on the network and burdens the device that receives interim accounting packets. A long interval increases the accounting error when communication between the accounting server and the S2300 fails.
Step 6 (Optional) Run:
accounting start-fail { online | offline }
The policy for remote accounting-start failure is set. If accounting start fails when a user logs in, the S2300 processes the user according to this policy. By default, the S2300 forbids a user to get online when accounting start fails.
Step 7 (Optional) Run:
accounting interim-fail [ max-times times ] { online | offline }
The policy for remote interim accounting failure is set. If interim accounting fails after a user goes online, the S2300 processes the user according to this policy. By default, the policy for remote interim accounting failure is disabled.
----End
The recording function can record the following:
- Commands that are run on the S2300
- Information about connections
- System events
NOTE
You can configure the recording function only when HWTACACS is adopted.
Procedure
Step 1 Run:
system-view
A recording scheme is created and the recording scheme view is displayed. By default, no recording scheme exists on the S2300.
Step 5 Run:
recording-mode hwtacacs template-name
An HWTACACS server template is associated with the recording scheme. By default, a recording scheme is not associated with an HWTACACS server template.
Step 6 Run:
quit
The commands that are used on the S2300 are recorded. By default, the commands that are used on the S2300 are not recorded.
Step 8 Run:
outbound recording-scheme recording-scheme-name
The information about connections is recorded. By default, information about connections is not recorded.
Step 9 Run:
system recording-scheme recording-scheme-name
Procedure
- Run the display aaa configuration command to check the summary of AAA.
- Run the display authentication-scheme [ authentication-scheme-name ] command to check the configuration of the authentication scheme.
- Run the display authorization-scheme [ authorization-scheme-name ] command to check the configuration of the authorization scheme.
- Run the display accounting-scheme [ accounting-scheme-name ] command to check the configuration of the accounting scheme.
- Run the display recording-scheme [ recording-scheme-name ] command to check the configuration of the recording scheme.
- Run the display access-user [ domain domain-name | ip-address ip-address [ vpn-instance instance-name ] | mac-address mac-address | slot slot-id | interface interface-type interface-number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | user-id user-number ] command to check the summary of all online users.
----End
There are default parameters of a RADIUS server template, and the default parameters can be changed according to the networking. You can modify the RADIUS configuration only when the RADIUS server template is not in use.
Pre-configuration Tasks
None
Data Preparation
To configure a RADIUS server template, you need the following data.
1. IP address of the RADIUS authentication server
2. IP address of the RADIUS accounting server
3. (Optional) Shared key of the RADIUS server
4. (Optional) User name format supported by the RADIUS server
5. (Optional) Traffic unit of the RADIUS server
6. (Optional) Timeout interval for a RADIUS server to send response packets and number of times for retransmitting request packets to a RADIUS server
7. (Optional) Format of the NAS port attribute of the RADIUS server
Step 2 Run:
radius-server template template-name
A RADIUS server template is created and the RADIUS server template view is displayed.
----End
The primary RADIUS authentication server is configured. By default, the IP address of the primary RADIUS authentication server is 0.0.0.0 and the port number is 0.
Step 4 (Optional) Run:
radius-server authentication ip-address port [ source loopback interface-number ] secondary
The secondary RADIUS authentication server is configured. By default, the IP address of the secondary RADIUS authentication server is 0.0.0.0 and the port number is 0.
----End
By default, the IP address of the primary RADIUS accounting server is 0.0.0.0 and the port number is 0.
Step 4 (Optional) Run:
radius-server accounting ip-address port [ source loopback interface-number ] secondary
The secondary RADIUS accounting server is configured. By default, the IP address of the secondary RADIUS accounting server is 0.0.0.0 and the port number is 0.
----End
Procedure
Step 1 Run:
system-view
The RADIUS authorization server is configured. By default, no RADIUS authorization server is configured on the S2300.
----End
Procedure
Step 1 Run:
system-view
The shared key is set for a RADIUS server. By default, the shared key of a RADIUS server is huawei.
----End
1.4.7 (Optional) Setting the User Name Format Supported by a RADIUS Server
Context
NOTE
A user name is in the user name@domain name format and the characters after @ refer to the domain name. In the user name, @ is the domain name delimiter. The domain name delimiter can also be any of the following symbols: \ / : < > | ' %
Procedure
Step 1 Run:
system-view
The user name format supported by a RADIUS server is set. By default, a user name supported by a RADIUS server contains the domain name. That is, the S2300 sends the user name, domain name, and domain name delimiter to the RADIUS server for authentication. When the RADIUS server does not accept a user name that contains the domain name, you can run the undo radius-server user-name domain-included command to delete the domain name before sending it to the RADIUS server.
----End
The traffic unit is set for a RADIUS server. By default, the traffic is expressed in bytes on the S2300.
----End
The timeout interval for a RADIUS server to send response packets is set. By default, the timeout interval for a RADIUS server to send response packets is five seconds. To check whether a RADIUS server is available, the S2300 periodically sends request packets to the RADIUS server. If no response is received from the RADIUS server within the timeout interval, the S2300 retransmits the request packets.
Step 4 Run:
radius-server retransmit retry-times
The number of times for retransmitting request packets to a RADIUS server is set. By default, the number of times for retransmitting request packets to a RADIUS server is 3. After retransmitting request packets to a RADIUS server for the set number of times, the S2300 considers that the RADIUS server is unavailable.
----End
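To see what the two values in this procedure mean for a login attempt, the following model (added for this page, not Huawei code; the reply timings are constructed) sends one request, retransmits each time the timer expires, and reports when the server would be declared unavailable and how long that took. Whether a reply arriving after the timer has expired is discarded is an assumption of this model.

```python
"""Request and retransmission timing for a RADIUS server template.

Added illustration, not Huawei's own code. It applies the two values from this
section (response timeout, default 5 s; retransmission count, default 3) to
work out when the S2300 would consider a server unavailable and how long a
request waits in the worst case. Reply timings are constructed.
"""


def probe_server(reply_delays, timeout=5, retransmit=3):
    """Send one request plus up to `retransmit` retransmissions.

    `reply_delays[i]` is the number of seconds until the reply to attempt i
    arrives, or None when that request gets no reply at all. A reply that
    arrives after the timeout is treated as lost (assumption of this model:
    the timer for that request has already expired).

    Returns (available, attempts_made, seconds_waited).
    """
    waited = 0
    for attempt in range(1 + retransmit):
        delay = reply_delays[attempt] if attempt < len(reply_delays) else None
        if delay is not None and delay <= timeout:
            return True, attempt + 1, waited + delay   # answered in time
        waited += timeout                              # timer expired: retransmit or give up
    return False, 1 + retransmit, waited               # server declared unavailable


def worst_case_wait(timeout=5, retransmit=3):
    """Longest time before the device gives up on a server: every attempt times out."""
    available, attempts, waited = probe_server([None] * (1 + retransmit), timeout, retransmit)
    assert not available and attempts == 1 + retransmit
    return waited


if __name__ == "__main__":
    print("silent server:", probe_server([None, None, None, None]))
    print("answers on 3rd attempt after 2 s:", probe_server([None, None, 2]))
    print("first reply too late (7 s), second in time:", probe_server([7, 1]))
    print("worst case with defaults:", worst_case_wait(), "s")
```

With the defaults the device waits 20 seconds (four attempts of 5 s each) before it gives up on a server, and that is also the delay before the next authentication mode in the scheme is consulted. The timeout and retransmission count are therefore best chosen together with the scheme's fallback order and the server's real response time.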
Context
The NAS port format and the NAS port ID format are developed by Huawei and are used to maintain connectivity and service cooperation among Huawei devices. Each format has a new and an old form. The ID format of the physical port that access users belong to depends on the format of the NAS port attribute.
For Ethernet access users:
- NAS port
  New NAS port format: slot number (8 bits) + subslot number (4 bits) + port number (8 bits) + VLAN ID (12 bits).
  Old NAS port format: slot number (12 bits) + port number (8 bits) + VLAN ID (12 bits).
- NAS port ID
  New format: slot=xx; subslot=xx; port=xxx; VLAN ID=xxxx, where slot ranges from 0 to 15, subslot from 0 to 15, port from 0 to 255, and VLAN ID from 1 to 4094.
  Old format: slot number (2 characters) + subslot number (2 bytes) + card number (3 bytes) + VLAN ID (9 characters).
For ADSL access users:
- NAS port format: slot number (4 bits) + subslot number (2 bits) + port number (2 bits) + VPI (8 bits) + VCI (16 bits).
- NAS port ID
  New format: slot=xx; subslot=x; VPI=xxx; VCI=xxxxx, where slot ranges from 0 to 15, subslot from 0 to 9, port from 0 to 9, VPI from 0 to 255, and VCI from 0 to 65535.
  Old format: slot number (2 characters) + subslot number (2 bytes) + card number (3 bytes) + VPI (8 characters) + VCI (16 characters).
The fields are prefixed with 0s if they contain fewer bytes than specified.
Procedure
Step 1 Run:
system-view
The format of the NAS port used by the RADIUS server is specified. By default, the new format of the NAS port is used.
Step 4 Run:
radius-server nas-port-id-format { new | old }
The format of the NAS port ID used by the RADIUS server is specified.
Procedure
- Run the display radius-server configuration [ template template-name ] command to check the configuration of the RADIUS server template.
- Run the display radius-attribute [ template template-name ] disable command to view the disabled RADIUS attributes.
- Run the display radius-attribute [ template template-name ] translate command to check the RADIUS attribute translation configuration.
----End
Example
After completing the configurations of the RADIUS server template, you can run the display radius-server configuration command to check the configuration of all templates.
<Quidway> display radius-server configuration
------------------------------------------------------------------
Server-template-name             : rrr
Protocol-version                 : standard
Traffic-unit                     : B
Shared-secret-key                : huawei
Timeout-interval(in second)      : 5
Primary-authentication-server    : 0.0.0.0; 0; LoopBack:NULL
Primary-accounting-server        : 100.1.1.1; 90; LoopBack:20
Secondary-authentication-server  : 0.0.0.0; 0; LoopBack:NULL
Secondary-accounting-server      : 0.0.0.0; 0; LoopBack:NULL
Retransmission                   : 3
Domain-included                  : YES
Calling-station-id MAC-format    : XX.XX.XX.XX.XX.XX
------------------------------------------------------------------
------------------------------------------------------------------
Server-template-name             : tr1
Protocol-version                 : standard
Traffic-unit                     : B
Shared-secret-key                : huawei
Timeout-interval(in second)      : 5
Primary-authentication-server    : 0.0.0.0; 0; LoopBack:NULL
Primary-accounting-server        : 0.0.0.0; 0; LoopBack:NULL
Secondary-authentication-server  : 0.0.0.0; 0; LoopBack:NULL
Secondary-accounting-server      : 0.0.0.0; 0; LoopBack:NULL
Retransmission                   : 3
Domain-included                  : YES
Calling-station-id MAC-format    : XX.XX.XX.XX.XX.XX
------------------------------------------------------------------
Total of radius template :2
Run the display radius-attribute [ template template-name ] disable command to view the disabled RADIUS attributes.
<Quidway> display radius-attribute disable
Server-templet-name: rs
--------------------------------------------------------------------------------
Source-attr                     Dest-attr                       Direct
--------------------------------------------------------------------------------
NAS-IP-Address                  Disable                         send
--------------------------------------------------------------------------------
Run the display radius-attribute [ template template-name ] translate command to view the RADIUS attribute translation configuration.
<Quidway> display radius-attribute translate
Server-templet-name: rs
--------------------------------------------------------------------------------
Source-attr                     Dest-attr                       Direct
--------------------------------------------------------------------------------
NAS-Identifier                  NAS-Port-Id                     send
--------------------------------------------------------------------------------
The S2300 does not check whether the HWTACACS template is in use when you modify attributes of the HWTACACS server except for deleting the configuration of the server.
Pre-configuration Tasks
None
Data Preparation
To configure an HWTACACS server template, you need the following data.
1. Name of the HWTACACS server template
2. IP addresses of the HWTACACS authentication, authorization, and accounting servers
3. (Optional) Source IP address of the HWTACACS server
4. (Optional) Shared key of the HWTACACS server
5. (Optional) User name format supported by the HWTACACS server
6. (Optional) Traffic unit of the HWTACACS server
7. (Optional) Timeout interval for the HWTACACS server to send response packets and time after which the primary HWTACACS server is restored to the active state
An HWTACACS server template is created and the HWTACACS server template view is displayed.
----End
Procedure
Step 1 Run:
system-view
The IP address of the primary HWTACACS authentication server is configured. By default, the IP address of the primary HWTACACS authentication server is 0.0.0.0, the port number is 0, and no VPN instance is bound to the server.
Step 4 (Optional) Run:
hwtacacs-server authentication ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] secondary
The IP address of the secondary HWTACACS authentication server is configured. By default, the IP address of the secondary HWTACACS authentication server is 0.0.0.0, the port number is 0, and no VPN instance is bound to the server.
----End
The IP address of the primary HWTACACS authorization server is configured. By default, the IP address of the primary HWTACACS authorization server is 0.0.0.0, the port number is 0, and no VPN instance is bound to the server.
Step 4 (Optional) Run:
hwtacacs-server authorization ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] secondary
The IP address of the secondary HWTACACS authorization server is configured. By default, the IP address of the secondary HWTACACS authorization server is 0.0.0.0, the port number is 0, and no VPN instance is bound to the server.
----End
The primary HWTACACS accounting server is configured. By default, the IP address of the primary HWTACACS accounting server is 0.0.0.0, the port number is 0, and no VPN instance is bound to the server.
Step 4 Run:
hwtacacs-server accounting ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] secondary
The secondary HWTACACS accounting server is configured. By default, the IP address of the secondary HWTACACS accounting server is 0.0.0.0, the port number is 0, and no VPN instance is bound to the server.
----End
The source IP address of HWTACACS packets is configured. By default, the source IP address of an HWTACACS packet is 0.0.0.0. In this case, the S2300 uses the IP address of the outgoing VLANIF interface as the source IP address of the HWTACACS packet. After you specify the source IP address of HWTACACS packets, the specified address is used for communication between the S2300 and the HWTACACS server, and the HWTACACS server uses the specified IP address to communicate with the S2300.
----End
Procedure
Step 1 Run:
system-view
The shared key is set for the HWTACACS server. By default, no shared key is set for the HWTACACS server.
----End
1.5.8 (Optional) Setting the User Name Format for an HWTACACS Server
Context
NOTE
A user name is in the user name@domain name format and the character string after "@" refers to the domain name. In the user name, @ is the domain name delimiter. The domain name delimiter can also be any of the following symbols: \ / : < > | ' %
Procedure
Step 1 Run:
system-view
The user name format is set for an HWTACACS server. By default, a user name supported by an HWTACACS server contains the domain name. That is, the S2300 sends the user name, domain name, and domain name delimiter to the HWTACACS server for authentication. If an HWTACACS server does not accept a user name that contains the domain name, you can use the undo hwtacacs-server user-name domain-included command to delete the domain name before sending it to the HWTACACS server.
----End
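The user name handling described here and in the RADIUS counterpart (1.4.7) is the same parsing problem, so one example covers both. It is added for this page and is not Huawei code: it splits a name of the form user name@domain name at the delimiter, accepting any of the listed symbols (\ / : < > | ' %) as the delimiter, and builds the value that would be sent with and without domain-included. That the first delimiter character in the string is the one that separates user from domain is an assumption of this example, as are the sample names.

```python
"""Splitting user names at the domain delimiter and building the name sent to a server.

Added illustration, not Huawei's own code. It serves the user-name-format
sections for both RADIUS and HWTACACS: a user name has the form
user name@domain name, '@' is the delimiter, and any of \\ / : < > | ' % may
serve as the delimiter instead. Assumption of this example: the first
delimiter character found in the string separates user from domain.
"""

DOMAIN_DELIMITERS = "@\\/:<>|'%"   # '@' plus the alternative symbols listed in the guide


def split_user_name(full_name):
    """Return (user, domain); domain is None when the name carries no delimiter."""
    for index, char in enumerate(full_name):
        if char in DOMAIN_DELIMITERS:
            return full_name[:index], full_name[index + 1:]
    return full_name, None


def user_name_for_server(full_name, domain_included=True):
    """Name the S2300 would put in the request to the AAA server.

    domain_included=True mirrors the default (user, delimiter and domain are
    sent as typed); False mirrors `undo ... user-name domain-included`, where
    only the part before the delimiter is sent.
    """
    if domain_included:
        return full_name
    user, _domain = split_user_name(full_name)
    return user


def collisions(full_names):
    """Names that become identical on the server once the domain is stripped.

    Useful before turning domain-included off: two accounts that differ only
    in their domain would be indistinguishable to the server afterwards.
    """
    seen = {}
    for name in full_names:
        seen.setdefault(user_name_for_server(name, domain_included=False), []).append(name)
    return {user: names for user, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    samples = ["alice@corp", "alice@lab", "bob|ops", "carol"]   # constructed names
    for name in samples:
        print(name, "->", split_user_name(name), "sent:", user_name_for_server(name, False))
    print("would collide without the domain:", collisions(samples))
```

The collisions check is the caveat that matters when the server "does not accept the user name that contains the domain name": stripping the domain merges every account that differs only by domain, so that must be ruled out before the undo command is applied.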
The traffic unit is set for an HWTACACS server. By default, the traffic is expressed in bytes on the S2300.
----End
The timeout interval for an HWTACACS server to send response packets is set. By default, the timeout interval for an HWTACACS server to send response packets is five seconds. If the S2300 receives no response from an HWTACACS server within the timeout interval, it considers the HWTACACS server unavailable. In this case, the S2300 performs authentication or authorization in other modes.
Step 4 Run:
hwtacacs-server timer quiet value
The time after which an HWTACACS server is restored to the active state is set. By default, the primary HWTACACS server is restored to the active state after five minutes.
----End
Procedure
Step 1 Run:
system-view
The function of retransmitting the Accounting-Stop packet is configured. You can enable the function of retransmitting the Accounting-Stop packet and set the retransmission count, or disable the function. By default, the retransmission function is enabled and the retransmission count is 100.
----End
Prerequisite
The configurations of the HWTACACS server template are complete.
Procedure
l Run the display hwtacacs-server template [ template-name ] command to check the configuration of the HWTACACS server template.
----End
Example
After completing the configurations of the HWTACACS server template, you can run the display hwtacacs-server template [ template-name ] command to view the configuration of the template.
<Quidway> display hwtacacs-server template huawei
---------------------------------------------------------------------------
HWTACACS-server template name   : huawei
Primary-authentication-server   : 0.0.0.0:0:
Primary-authorization-server    : 0.0.0.0:0:
Primary-accounting-server       : 0.0.0.0:0:
Secondary-authentication-server : 0.0.0.0:0:
Secondary-authorization-server  : 0.0.0.0:0:
Secondary-accounting-server     : 0.0.0.0:0:
Current-authentication-server   : 0.0.0.0:0:
Current-authorization-server    : 0.0.0.0:0:
Current-accounting-server       : 0.0.0.0:0:
Source-IP-address               : 0.0.0.0
Shared-key                      :
Quiet-interval(min)             : 5
Response-timeout-Interval(sec)  : 5
Domain-included                 : Yes
Traffic-unit                    : B
---------------------------------------------------------------------------
Applicable Environment
Access users must acquire authorization information before getting online. Authorization information about users can be managed through the service scheme.
Pre-configuration Tasks
Before configuring a service scheme, complete the following tasks:
- Creating a DHCP server group
- Creating an IP address pool
Data Preparation
To configure a service scheme, you need the following data.
No. Data
1 Service scheme
2 Administrator level
3 User priority
4 Name of the DHCP server group
5 Name and position of the address pool
6 IP address of the primary and secondary DNS servers
Procedure
Step 1 Run:
system-view
service-scheme-name is a string of 1 to 32 characters, excluding / \ : * ? " < > | @ ' %. By default, no service scheme is configured in the S2300.
----End
The administrator is enabled to log in to the S2300 and the administrator level is set. The value of level ranges from 0 to 15. If this command is not run, the administrator level is displayed as 16, which is invalid.
----End
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
An IP address pool is configured or the position of a configured address pool is moved.
----End
Example
Run the display service-scheme command to view all the information about the service scheme.
<Quidway> display service-scheme
------------------------------------------------------------------
service-scheme-name                 scheme-index
------------------------------------------------------------------
huwei1                              0
------------------------------------------------------------------
Total of service scheme: 1
Run the display service-scheme name name command to view the configuration of service scheme svcscheme1.
<Quidway> display service-scheme name svcscheme1
service-scheme-name         : svcscheme1
service-scheme-primary-dns  :
service-scheme-secondry-dns :
service-scheme-adminlevel   : 16
1.7.6 (Optional) Configuring a Service Scheme for a Domain
1.7.7 (Optional) Setting the Status of a Domain
1.7.8 (Optional) Configuring the Domain Name Delimiter
1.7.9 Checking the Configuration
The modification of a domain takes effect next time a user logs in.
Pre-configuration Tasks
Before configuring a domain, complete the following tasks:
- Configuring authentication and authorization schemes
- Configuring a RADIUS server template if RADIUS is used in an authentication scheme
- Configuring an HWTACACS server template if HWTACACS is used in an authentication or an authorization scheme
- Configuring local user management in local authentication or authorization mode
Data Preparation
To configure a domain, you need the following data.
No. Data
1 Name of the domain
2 Names of authentication and authorization schemes of the domain
3 (Optional) Name of the RADIUS server template or the HWTACACS server template of the domain
(Optional) Status of the domain
A domain is created and the domain view is displayed. The S2300 has two default domains: default and default_admin. Domain default is used for common access users, and domain default_admin is used for administrators. The S2300 supports up to 32 domains, including the two default domains.
----End
Follow-up Procedure
After creating a domain, you can run the domain domain-name [ admin ] command in the system view to configure the domain as the global default domain. The access users whose domain names cannot be obtained are added to this domain. If you do not run the domain domain-name [ admin ] command, the S2300 adds the common users and administrators whose domain names cannot be obtained to domains default and default_admin respectively.
An authentication scheme is configured for the domain. By default, the authentication scheme named default is used for a domain.
Step 5 Run:
authorization-scheme authorization-scheme-name
An authorization scheme is configured for the domain. By default, no authorization scheme is bound to a domain.
Step 6 Run:
accounting-scheme accounting-scheme-name
An accounting scheme is configured for the domain. By default, the accounting scheme named default is used for a domain.
----End
Procedure
Step 1 Run:
system-view
A RADIUS server template is configured for the domain. By default, no RADIUS server template is configured for a domain.
----End
Procedure
Step 1 Run:
system-view
An HWTACACS server template is configured for the domain. By default, no HWTACACS server template is configured for a domain.
----End
Procedure
Step 1 Run:
system-view
A service scheme is bound to the domain. By default, no service scheme is bound to the domain.
Before binding a service scheme to a domain, you must create the service scheme.
----End
The status of the domain is set. When a domain is in blocking state, users that belong to this domain cannot log in. By default, the domain is in active state after being created.
----End
Procedure
Step 1 Run:
system-view
delimiter can be set to any one of \, /, :, <, >, |, @, ', and %. By default, the domain name delimiter is @.
----End
Procedure
l Run the display domain [ name domain-name ] command to check the configuration of the domain.
----End
Example
After the configuration, you can run the display domain command to view the summary of all domains.
<Quidway> display domain
-------------------------------------------------------------------------
DomainName                          index
-------------------------------------------------------------------------
default                             0
default_admin                       1
huawei                              2
-------------------------------------------------------------------------
Total: 3
Run the display domain [ name domain-name ] command, and you can view the configuration of a specified domain.
<Quidway> display domain name huawei
Domain-name                : huawei
Domain-state               : Active
Authentication-scheme-name : scheme0
Accounting-scheme-name     : default
Authorization-scheme-name  :
Service-scheme-name        :
RADIUS-server-template     :
HWTACACS-server-template   : -
1.8.5 (Optional) Setting the Status of a Local User
1.8.6 (Optional) Setting the Level of a Local User
1.8.7 (Optional) Setting the Access Limit for a Local User
1.8.8 Checking the Configuration
Pre-configuration Tasks
None
Data Preparation
To configure local user management, you need the following data.
No. Data
1 User name and password
2 Access type of the local user
3 Name of the FTP directory that the local user can access
4 Status of the local user
5 Level of the local user
6 Maximum number of local access users
Step 3 Run:
local-user user-name { password { simple | cipher } password | access-limit max-number | ftp-directory directory | privilege level level | state { block | active } } *
A local user is created and parameters of the user are set. If the user name contains the domain name delimiter, such as @, |, or %, the character string before the delimiter refers to the user name and the character string after it refers to the domain name. If the user name does not contain a domain name delimiter, the entire character string represents the user name and the user is authenticated in the default domain. You can use the local-user command to create a local user and set parameters of the local user. To modify parameters of a local user, use the local-user access-limit, local-user ftp-directory, local-user service-type, local-user privilege level, or local-user state command.
----End
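How a login string is split into user name and domain, as described here and in the domain name delimiter section, written out in Python as an added example (this is not Huawei code). The delimiter set, the default delimiter @, the default-domain rule and the default/default_admin fallback come from this document; the split_login function, its parse-direction and domain-location switches, and the sample logins are assumptions of the example.

```python
"""Splitting a login string into user name and domain as the text describes.

Added example for this page, not Huawei code. From the page: the delimiter
set, '@' as the default delimiter, a name with no delimiter belonging to
the default domain, and the default / default_admin fallback unless a
global default domain is configured. The direction and location switches
mirror the 'Domainname parse direction' and 'Domainname location' fields
shown by 'display aaa configuration'; how their non-default values behave
is an assumption of this example.
"""
from typing import Optional, Tuple

# delimiters the page lists: \ / : < > | @ ' %
DELIMITERS = frozenset("\\/:<>|@'%")


def split_login(login: str, delimiter: str = "@",
                direction: str = "left-to-right",
                location: str = "after-delimiter",
                is_admin: bool = False,
                global_default: Optional[str] = None) -> Tuple[str, str]:
    """Return (user_name, domain_name) for a login string."""
    if delimiter not in DELIMITERS:
        raise ValueError(f"unsupported domain name delimiter {delimiter!r}")
    # which occurrence of the delimiter splits the string
    if direction == "left-to-right":
        idx = login.find(delimiter)
    else:
        idx = login.rfind(delimiter)
    if idx < 0:
        # no delimiter: the whole string is the user name and the user is
        # authenticated in the global default domain if one is configured,
        # otherwise in default (common users) or default_admin (administrators)
        domain = global_default or ("default_admin" if is_admin else "default")
        return login, domain
    before, after = login[:idx], login[idx + 1:]
    if location == "after-delimiter":
        user, domain = before, after      # user@domain (the page's default layout)
    else:
        user, domain = after, before      # domain<delimiter>user (assumed non-default layout)
    if not user:
        raise ValueError("empty user name")
    return user, domain


if __name__ == "__main__":
    # constructed sample logins
    for login in ("alice@huawei", "bob"):
        print(login, "->", split_login(login))
```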
The access type of the local user is set. By default, a local user can use all access types. A user can successfully log in only when its access type matches the specified access type.
----End
1.8.4 (Optional) Configuring the FTP Directory That a Local User Can Access
Context
NOTE
If a local user logs in to the device in FTP mode, configure the FTP directory; otherwise, the user cannot log in.
Procedure
Step 1 Run:
system-view
The FTP directory that a local user can access is configured. By default, the FTP directory that a local user can access is null.
----End
The status of a local user is set. By default, a local user is in active state. The S2300 processes a local user in active or blocking state as follows:
- If the local user is in active state, the S2300 receives the authentication request of this user for further processing.
- If the local user is in blocking state, the S2300 rejects the authentication request of this user.
----End
Similar to the command levels, users are classified into 16 levels numbered 0 to 15. The greater the number, the higher the user level.
Procedure
Step 1 Run:
system-view
The level of a local user is set. By default, the level of a local user is determined by the management module. For example, there is a user level in the user interface view. If a user level is not set, the user level is 0.
----End
The maximum number of online local users is set. By default, the number of access users with the same user name is not restricted on the S2300.
----End
Procedure
l Run the display local-user [ username user-name ] command to check the attributes of the local user.
----End
Example
After completing the configuration of local user management, you can run the display localuser command to view brief information about attributes of the local user.
<Quidway> display local-user
----------------------------------------------------------------------------
User-name        State    AuthMask    AdminLevel
----------------------------------------------------------------------------
lsj              A        A
----------------------------------------------------------------------------
Total 1 user(s)
Run the display local-user [ username user-name ] command, and you can view detailed information about a specified user.
<Quidway> display local-user username user-a
The contents of local user(s):
Password          : admin
State             : active
Service-type-mask : H
Privilege level   :
Ftp-directory     :
Access-limit      :
Accessed-num      : 0
CAUTION
Statistics cannot be restored after you clear them. So, confirm the action before you use the command. Run the following command in the user view to clear the statistics.
Procedure
- Run the reset hwtacacs-server statistics { all | accounting | authentication | authorization } command to clear the statistics on the HWTACACS server.
- Run the reset hwtacacs-server accounting-stop-packet { all | ip ip-address } command to clear the statistics about Accounting Stop packets.
----End
Example
Run the display aaa configuration command to view AAA running information.
<Quidway> display aaa configuration
Domain Name Delimiter      : @
Domainname parse direction : Left to right
Domainname location        : After-delimiter
Domain                     : total: 32  used: 5
Authentication-scheme      : total: 16  used: 1
Accounting-scheme          : total: 16  used: 3
Authorization-scheme       : total: 16  used: 1
Service-scheme             : total: 16  used: 0
1.9.3 Debugging
Context
CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging all command to disable it immediately. When a running fault occurs on the RADIUS or HWTACACS server, run the debugging commands in the user view to locate the fault.
Procedure
- Run the debugging radius packet command to debug RADIUS packets.
- Run the debugging hwtacacs { all | error | event | message | receive-packet | send-packet } command to debug HWTACACS.
----End
[Figure 1-1 Networking diagram of RADIUS authentication and accounting: Domain Huawei, SwitchA, Network, SwitchB, 129.7.66.66/24]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a RADIUS server template.
2. Configure the authentication and accounting schemes.
3. Apply the RADIUS server template, the authentication and accounting schemes to the domain.
Data Preparation
To complete the configuration, you need the following data:
- Name of the domain that a user belongs to
- Name of the RADIUS server template
- Name of the authentication scheme, authentication mode, name of the accounting scheme, and accounting mode
- IP addresses, authentication and accounting port numbers of the primary and secondary RADIUS servers
- Key and retransmission times of the RADIUS server
NOTE
Procedure
Step 1 Configure a RADIUS server template. # Configure the RADIUS template named shiva.
<Quidway> system-view
[Quidway] radius-server template shiva
# Configure the IP addresses and port numbers of the primary RADIUS authentication and accounting servers.
[Quidway-radius-shiva] radius-server authentication 129.7.66.66 1812
[Quidway-radius-shiva] radius-server accounting 129.7.66.66 1813
# Set the IP addresses and port numbers of the secondary RADIUS authentication and accounting servers.
[Quidway-radius-shiva] radius-server authentication 129.7.66.67 1812 secondary
[Quidway-radius-shiva] radius-server accounting 129.7.66.67 1813 secondary
# Set the key and retransmission count for the RADIUS server.
[Quidway-radius-shiva] radius-server shared-key cipher hello
[Quidway-radius-shiva] radius-server retransmit 2
[Quidway-radius-shiva] quit
Step 2 Configure the authentication and accounting schemes. # Configure authentication scheme1, with the authentication mode being RADIUS.
[Quidway] aaa
[Quidway-aaa] authentication-scheme 1
Info: Create a new authentication scheme
[Quidway-aaa-authen-1] authentication-mode radius
[Quidway-aaa-authen-1] quit
# Configure the accounting scheme1, with the accounting mode being RADIUS.
[Quidway-aaa] accounting-scheme 1
Info: Create a new accounting scheme
[Quidway-aaa-accounting-1] accounting-mode radius
[Quidway-aaa-accounting-1] quit
Step 3 Configure the domain huawei and apply authentication scheme1, accounting scheme1, and RADIUS template shiva to the domain.
[Quidway-aaa] domain huawei
[Quidway-aaa-domain-huawei] authentication-scheme 1
[Quidway-aaa-domain-huawei] accounting-scheme 1
[Quidway-aaa-domain-huawei] radius-server shiva
Step 4 Verify the configuration. After running the display radius-server configuration template command on Switch B, you can view that the configuration of the RADIUS server template meets the requirements.
<Quidway> display radius-server configuration template shiva
------------------------------------------------------------------
Server-template-name            : shiva
Protocol-version                : standard
Traffic-unit                    : B
Shared-secret-key               : 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
Timeout-interval(in second)     : 5
Primary-authentication-server   : 129.7.66.66 :1812 LoopBack:NULL
Primary-accounting-server       : 129.7.66.66 :1813 LoopBack:NULL
Secondary-authentication-server : 129.7.66.67 :1812 LoopBack:NULL
Secondary-accounting-server     : 129.7.66.67 :1813 LoopBack:NULL
Retransmission                  : 2
Domain-included                 : YES
Calling-station-id MAC-format   : XX.XX.XX.XX.XX.XX
-------------------------------------------------------------------
----End
Configuration Files
#
 sysname Quidway
#
radius-server template shiva
 radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 radius-server authentication 129.7.66.66 1812
 radius-server authentication 129.7.66.67 1812 secondary
 radius-server accounting 129.7.66.66 1813
 radius-server accounting 129.7.66.67 1813 secondary
 radius-server retransmit 2
#
aaa
 authentication-scheme default
 authentication-scheme 1
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 accounting-scheme 1
  accounting-mode radius
 domain default
 domain default_admin
 domain huawei
  authentication-scheme 1
  accounting-scheme 1
  radius-server shiva
#
return
[Figure 1-2 Networking diagram of HWTACACS authentication, accounting, and authorization: Domain Huawei, SwitchA, Network, SwitchB, 129.7.66.66/24]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an HWTACACS server template.
2. Configure the authentication, authorization, and accounting schemes.
3. Apply the HWTACACS server template, authentication, authorization, and accounting schemes to the domain.
Data Preparation
To complete the configuration, you need the following data:
- Name of the domain that the user belongs to
- Name of the HWTACACS server template
- Name of the authentication scheme, authentication mode, name of the authorization scheme, authorization mode, name of the accounting scheme, and accounting mode
- IP addresses, authentication port numbers, authorization port numbers, and accounting port numbers of the primary and secondary HWTACACS servers
- Key of the HWTACACS server
NOTE
Procedure
Step 1 Configure an HWTACACS server template. # Configure an HWTACACS server template named ht.
<Quidway> system-view
[Quidway] hwtacacs-server template ht
# Configure the IP address and port number of the primary HWTACACS server for authentication, authorization, and accounting.
[Quidway-hwtacacs-ht] hwtacacs-server authentication 129.7.66.66 49
[Quidway-hwtacacs-ht] hwtacacs-server authorization 129.7.66.66 49
[Quidway-hwtacacs-ht] hwtacacs-server accounting 129.7.66.66 49
# Configure the IP address and port number of the secondary HWTACACS server for authentication, authorization, and accounting.
[Quidway-hwtacacs-ht] hwtacacs-server authentication 129.7.66.67 49 secondary
[Quidway-hwtacacs-ht] hwtacacs-server authorization 129.7.66.67 49 secondary
[Quidway-hwtacacs-ht] hwtacacs-server accounting 129.7.66.67 49 secondary
Step 2 Configure the authentication, authorization, and accounting schemes. # Create an authentication scheme 1-h and set the authentication mode to local-HWTACACS, that is, the system performs the local authentication first and then the HWTACACS authentication. The HWTACACS authentication supersedes the local authentication when the level of a user is promoted.
[Quidway] aaa
[Quidway-aaa] authentication-scheme l-h
[Quidway-aaa-authen-l-h] authentication-mode hwtacacs local
[Quidway-aaa-authen-l-h] authentication-super hwtacacs super
[Quidway-aaa-authen-l-h] quit
# Create an authorization scheme hwtacacs, and set the authorization mode to HWTACACS.
# Create an accounting scheme hwtacacs, and set the accounting mode to HWTACACS.
[Quidway-aaa] accounting-scheme hwtacacs
[Quidway-aaa-accounting-hwtacacs] accounting-mode hwtacacs
[Quidway-aaa-accounting-hwtacacs] accounting start-fail online
Step 3 Create a domain Huawei and apply the authentication scheme 1-h, the HWTACACS authentication scheme, the HWTACACS accounting scheme, and the HWTACACS template of ht to the domain.
[Quidway-aaa] domain huawei
[Quidway-aaa-domain-huawei] authentication-scheme l-h
[Quidway-aaa-domain-huawei] authorization-scheme hwtacacs
[Quidway-aaa-domain-huawei] accounting-scheme hwtacacs
[Quidway-aaa-domain-huawei] hwtacacs-server ht
[Quidway-aaa-domain-huawei] quit
[Quidway-aaa] quit
Step 4 Verify the configuration. Run the display hwtacacs-server template command on Switch B, and you can see that the configuration of the HWTACACS server template meets the requirements.
<Quidway> display hwtacacs-server template ht
---------------------------------------------------------------------------
HWTACACS-server template name   : ht
Primary-authentication-server   : 129.7.66.66:49:
Primary-authorization-server    : 129.7.66.66:49:
Primary-accounting-server       : 129.7.66.66:49:
Secondary-authentication-server : 129.7.66.67:49:
Secondary-authorization-server  : 129.7.66.67:49:
Secondary-accounting-server     : 129.7.66.67:49:
Current-authentication-server   : 129.7.66.66:49:
Current-authorization-server    : 129.7.66.66:49:
Current-accounting-server       : 129.7.66.66:49:
Source-IP-address               : 0.0.0.0
Shared-key                      : ****************
Quiet-interval(min)             : 5
Response-timeout-Interval(sec)  : 5
Domain-included                 : Yes
Traffic-unit                    : B
---------------------------------------------------------------------------
Run the display domain command on Switch B, and you can see that the configuration of the domain meets the requirements.
<Quidway> display domain name huawei
Domain-name                : huawei
Domain-state               : Active
Authentication-scheme-name : l-h
Accounting-scheme-name     : hwtacacs
Authorization-scheme-name  : hwtacacs
Service-scheme-name        :
RADIUS-server-group        :
HWTACACS-server-template   : ht
----End
Configuration Files
#
 sysname Quidway
#
hwtacacs-server template ht
 hwtacacs-server authentication 129.7.66.66
 hwtacacs-server authentication 129.7.66.67 secondary
 hwtacacs-server authorization 129.7.66.66
 hwtacacs-server authorization 129.7.66.67 secondary
 hwtacacs-server accounting 129.7.66.66
 hwtacacs-server accounting 129.7.66.67 secondary
 hwtacacs-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
#
aaa
 authentication-scheme default
 authentication-scheme l-h
  authentication-mode hwtacacs local
  authentication-super hwtacacs super
 authorization-scheme default
 authorization-scheme hwtacacs
  authorization-mode hwtacacs
 accounting-scheme default
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
  accounting start-fail online
  accounting realtime 3
 domain default
 domain default_admin
 domain huawei
  authentication-scheme l-h
  accounting-scheme hwtacacs
  authorization-scheme hwtacacs
  hwtacacs-server ht
#
return
2 NAC Configuration
About This Chapter
This chapter describes the working principle and configuration of network access control (NAC).
2.1 Introduction to NAC
This section describes the working principle of NAC.
2.2 NAC Features Supported by the S2300
This section describes the NAC features supported by the S2300.
2.3 Configuring 802.1x Authentication
This section describes how to configure the 802.1x authentication function.
2.4 Configuring MAC Address Authentication
This section describes how to configure the MAC address authentication function.
2.5 Maintaining NAC
This section describes how to clear statistics about NAC and debug NAC.
2.6 Configuration Examples
This section provides several configuration examples of NAC.
As shown in Figure 2-1, NAC, as a controlling scheme for network security access, includes the following parts:
- User: Access users who need to be authenticated. If 802.1x is adopted for user authentication, users need to install client software.
- NAD: Network access devices, including routers and switches (hereinafter referred to as the S2300), which are used to authenticate and authorize users. The NAD needs to work with the AAA server to prevent unauthorized terminals from accessing the network, minimize the threat brought by insecure terminals, prevent unauthorized access requests from authorized terminals, and thus protect core resources.
- ACS: Access control server that is used to check terminal security and health, manage policies and user behaviors, audit rule violations, strengthen behavior audit, and prevent malicious damages from terminals.
2.1.1 802.1x Authentication
2.1.2 MAC Address Authentication
2.1.3 MAC address bypass authentication
control access devices on an interface of a LAN access control device. User devices connected to the interface can access the sources on the LAN only after they pass the authentication.
802.1x focuses on the status of the access interface only. When an authorized user accesses the network by sending the user name and password, the interface is open. When an unauthorized user or no user accesses the network, the interface is closed. The authentication result is reflected by the status of the interface. The IP address negotiation and allocation that are considered in common authentication technologies are not involved. Therefore, 802.1x authentication is the simplest implementation scheme among the authentication technologies.
802.1x supports the authentication mode based on the access interface and the MAC address.
- Authentication mode based on the access interface: Other users can access network resources without authentication when the first user under the interface is successfully authenticated. But other users are disconnected when the first user goes offline.
- Authentication mode based on the MAC address: Access users under this interface need to be authenticated.
- EAP termination mode: The network access device terminates EAP packets, obtains the user name and password from the packets, encrypts the password, and sends the user name and password to the RADIUS server for authentication.
- EAP transparent transmission authentication: Also called EAP relay authentication. The network access device directly encapsulates authentication information about 802.1x users and EAP packets into the attribute field of RADIUS packets and sends them to the RADIUS server. Therefore, the EAP packets do not need to be converted to the RADIUS packets before they are sent to the RADIUS server.
- Interface-based 802.1x authentication
- MAC address-based 802.1x authentication
- EAPOL termination authentication
- EAPOL transparent transmission authentication
- MAC address authentication
- MAC address bypass authentication
The S2300 automatically specifies the VLAN for users after users pass 802.1x authentication, MAC address authentication, or MAC address bypass authentication. When passing 802.1x authentication, MAC address authentication, or MAC bypass authentication, the system delivers a VLAN to the user according to the VLAN information carried in response packets of the authentication server in either of the following modes:
- If the VLAN ID carried in response packets of the authentication server is an integer ranging from 1 to 4094, the system delivers the VLAN according to the VLAN ID.
- If the VLAN ID carried in response packets of the authentication server is not an integer ranging from 1 to 4094, the system delivers the VLAN according to the VLAN description.
After users pass 802.1x authentication, MAC address authentication, or MAC address bypass authentication, the S2300 automatically delivers ACLs to users to allow user packets to pass through by default.
Authorization ACL dynamically delivered by RADIUS server
If a RADIUS server is configured to deliver authorization ACL and RADIUS scheme is configured on the related interface of the S2300, then the S2300 controls user access permission according to the authorization ACL delivered by the RADIUS server. The network administrator can modify the access permission of a user by changing the authorization ACL configuration on the RADIUS server or the ACL rules on the S2300.
2.3.15 (Optional) Setting the Retransmission Count of the Authentication Request
2.3.16 Checking the Configuration
Pre-configuration Tasks
802.1x authentication is only an implementation scheme to authenticate the user identity. To complete the user identity authentication, you need to select the RADIUS or local authentication method. Before configuring 802.1x authentication, complete the following tasks:
- Configuring the ISP authentication domain and AAA schemes, that is, RADIUS or local authentication schemes, for the 1x user
- Configuring the user name and password on the RADIUS server if RADIUS authentication is used
- Adding the user name and password manually on the S2300 if local authentication is used
Data Preparation
To configure 802.1x, you need the following data.
No. Data
1 Number of the interface on which 802.1x authentication is enabled
Procedure
Step 1 Run:
system-view
802.1x authentication is globally enabled. Running this command is equivalent to enabling 802.1x authentication globally. Related configurations of 802.1x authentication take effect only after 802.1x authentication is enabled.
CAUTION
If 802.1x authentication is enabled on an interface, MAC address authentication cannot be enabled on the interface. If MAC address authentication is enabled on an interface, 802.1x authentication cannot be enabled on the interface. You can enable 802.1x authentication on an interface in the following ways.
Procedure
- In the system view:
  1. Run:
system-view
802.1x authentication is enabled on interfaces. You can enable 802.1x authentication on interfaces in batches by specifying the interface list in the dot1x enable command in the system view.
- In the interface view:
  1. Run:
system-view
802.1x authentication is enabled on the interface. If there are online users who log in through 802.1x authentication, disabling 802.1x authentication is prohibited.
----End
Context
The 802.1x client software cannot be installed or used on some special terminals, such as printers. In this case, the MAC bypass authentication can be adopted. If 802.1x authentication on the terminal fails, the access device sends the user name and password, namely, the MAC address of the terminal, to the RADIUS server for authentication. This process is MAC address bypass authentication. You can configure MAC address bypass authentication in the following ways.
Procedure
- In the system view:
  1. Run:
system-view
MAC bypass authentication is enabled on interfaces. You can configure MAC address bypass authentication on interfaces in batches by specifying the interface list in the dot1x mac-bypass command in the system view.
- In the interface view:
  1. Run:
system-view
MAC address bypass authentication is enabled on the interface. After you run the dot1x mac-bypass command, the commands of enabling 802.1x authentication on the interface are overwritten. The details are as follows:
- If 802.1x authentication is disabled on the interface, 802.1x authentication is enabled after you run the dot1x mac-bypass command.
- If 802.1x authentication has been enabled, the authentication mode is changed from 802.1x authentication to MAC address bypass authentication on the interface after you run the dot1x mac-bypass command.
To disable MAC address bypass authentication, run the undo dot1x enable command. Note that 802.1x functions are disabled.
----End
Context
The authentication method for the 802.1x user can be set according to the actual networking environment and security requirement.
Procedure
Step 1 Run:
system-view
The authentication method is set for the 802.1x user. By default, CHAP authentication is used for an 802.1x user. If you run the dot1x authentication-method command repeatedly, the latest configuration takes effect.
- The Password Authentication Protocol (PAP) uses the two-way handshake mechanism and sends the password in plain text.
- The Challenge Handshake Authentication Protocol (CHAP) uses the three-way handshake mechanism. It transmits only the user name but not the password on the network; therefore, compared with PAP authentication, CHAP authentication is more secure and reliable and protects user privacy better.
- In Extensible Authentication Protocol (EAP) authentication, the S2300 sends the authentication information of an 802.1x user to the RADIUS server through EAP packets without converting EAP packets into RADIUS packets. To use PEAP, EAP-TLS, EAP-TTLS, or EAP-MD5 authentication, you only need to enable EAP authentication.
PAP authentication and CHAP authentication are two kinds of termination authentication methods and EAP authentication is a kind of relay authentication method.
CAUTION
EAP authentication can be used for 802.1x users only if RADIUS authentication is adopted. ----End
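As an added illustration that is not part of the Huawei manual, the following Python model contrasts what a passive observer of the access link captures under PAP and under CHAP (RFC 1994 challenge/response). The user name, secret and challenge values are constructed for the example.

```python
# Added example, not code from the Huawei manual: what crosses the access link
# under PAP (clear-text password) versus CHAP (RFC 1994 challenge/response).
import hashlib
import hmac
import os
from typing import List, Optional, Tuple


def pap_authenticate_request(username: str, password: str) -> bytes:
    """PAP Authenticate-Request body: Peer-ID and Password, both in clear text."""
    user, pwd = username.encode(), password.encode()
    return bytes([len(user)]) + user + bytes([len(pwd)]) + pwd


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """Supplicant side: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_verify(identifier: int, stored_secret: str, challenge: bytes,
                response: bytes) -> bool:
    """Authenticator side: recompute with the stored secret and compare in constant time.
    The authenticator therefore has to hold the clear-text secret (or a reversible form),
    and a captured challenge/response pair still allows offline guessing of weak secrets."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(username: str, supplicant_secret: str, stored_secret: str,
                  identifier: int = 1,
                  challenge: Optional[bytes] = None) -> Tuple[bool, List[bytes]]:
    """Three-way CHAP: Challenge -> Response -> Success/Failure.
    Returns (authenticated, list of wire payloads an eavesdropper would capture)."""
    if challenge is None:
        challenge = os.urandom(16)   # fresh per attempt, so a Response cannot be replayed
    wire = [bytes([identifier, len(challenge)]) + challenge]                # Challenge
    resp = chap_response(identifier, supplicant_secret, challenge)
    wire.append(bytes([identifier, len(resp)]) + resp + username.encode())  # Response
    ok = chap_verify(identifier, stored_secret, challenge, resp)
    wire.append(b"Success" if ok else b"Failure")
    return ok, wire


def secret_visible_on_wire(payloads: List[bytes], secret: str) -> bool:
    """Does any captured payload carry the secret verbatim?"""
    return any(secret.encode() in p for p in payloads)
```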
You can configure the access mode of an interface in the following ways.
Procedure
- In the system view: 1. Run:
system-view
The access mode of interfaces is configured. You can configure the access mode of interfaces in batches by specifying the interface list in the dot1x port-method command in the system view.
- In the interface view: 1. Run:
system-view
The access mode of the interface is configured. By default, the access mode of an interface is MAC mode.
CAUTION
When 802.1x users are online, you cannot use this command to change the access mode of an interface. ----End
Procedure
- In the system view: 1. Run:
system-view
The authorization status of interfaces is set. You can configure the authorization status of interfaces in batches by specifying the interface list in the dot1x port-control command in the system view.
- In the interface view: 1. Run:
system-view
The authorization status of the interface is configured. By default, the authorization status of an interface is auto.
- auto: The interface is initially in the unauthorized state and sends and receives only EAPoL packets, so users cannot access network resources. After a user passes authentication, the interface enters the authorized state and allows users to access network resources.
- authorized-force: The interface is always in the authorized state and allows users to access network resources without authentication.
- unauthorized-force: The interface is always in the unauthorized state and does not allow users to access network resources. ----End
Procedure
- In the system view: 1. Run:
system-view
The maximum number of concurrent access users is set on the interfaces. You can set the maximum number of concurrent access users on interfaces in batches by specifying the interface list in the dot1x max-user command in the system view.
- In the interface view: 1. Run:
system-view
The maximum number of concurrent access users is set on the interface. By default, each interface allows up to 8 concurrent access users. This command takes effect only on an interface where users are authenticated based on MAC addresses. If users are authenticated based on the interface, the maximum number of access users is automatically set to 1; therefore, only one user needs to be authenticated successfully on the interface, and other users can access the network after the first user passes authentication.
NOTE
You can run this command while users are online on the S2300. It does not affect existing online users but takes effect for users who are authenticated after the command is run.
Procedure
Step 1 Run:
system-view
Dynamic Host Configuration Protocol (DHCP) packets are enabled to trigger user authentication. By default, DHCP packets do not trigger authentication. After you run the dot1x dhcp-trigger command, users cannot obtain IP addresses through DHCP if they do not pass the authentication. ----End
Procedure
Step 1 Run:
system-view
The timers of 802.1x authentication are set.
- client-timeout: Authentication timeout timer of the client. By default, the timeout timer is 30s.
- handshake-period: Interval of handshake packets from the S2300 to the 802.1X client. By default, the handshake interval is 15s.
- quiet-period: Period of the quiet timer. By default, the quiet timer is 60s.
- reauthenticate-period: Re-authentication interval. By default, the re-authentication interval is 3600s.
- server-timeout: Timeout timer of the authentication server. By default, the timeout timer of the authentication server is 30s.
- tx-period: Interval for sending authentication requests. By default, the interval for sending the authentication request packets is 30s.
The dot1x timer command only sets the values of the timers, and you need to enable the corresponding timers by running commands or adopting the default settings. ----End
Procedure
Step 1 Run:
system-view
The quiet timer function is enabled. By default, the quiet timer function is disabled. During the quiet period, the S2300 discards the 802.1x authentication request packets from the user. You can run the dot1x timer command to set the quiet period. For details, see 2.3.10 (Optional) Configuring 802.1x Timers.
Step 3 Run:
dot1x quiet-times fail-times
The number of authentication failures within 60 seconds before the 802.1x user enters the silent state is set. By default, the number of authentication failures within 60 seconds before the 802.1x user enters the silent state is 3. ----End
Procedure
- In the system view: 1. Run:
system-view
Re-authentication is enabled on interfaces. You can configure 802.1x re-authentication on interfaces in batches by specifying the interface list in the dot1x reauthenticate command in the system view.
- In the interface view: 1. Run:
system-view
Re-authentication is enabled on the interface. By default, 802.1x re-authentication is disabled on an interface. You can run the dot1x timer command to set the timeout interval of re-authentication. For details, see 2.3.10 (Optional) Configuring 802.1x Timers. ----End
The configured guest VLAN cannot be the default VLAN of the interface.
Procedure
- In the system view: 1. Run:
system-view
The guest VLAN is configured on interfaces. You can configure the guest VLAN on interfaces in batches by specifying the interface list in the dot1x guest-vlan command in the system view.
- In the interface view: 1. Run:
system-view
The guest VLAN is configured on the interface. By default, no guest VLAN is configured on an interface. ----End
2.3.14 (Optional) Enabling the S2300 to Send Handshake Packets to Online Users
Context
The S2300 can send handshake packets to a Huawei client to detect whether the user is online. If the client does not support the handshake function, the S2300 will not receive handshake response packets within the handshake interval. In this case, you need to disable the user handshake function to prevent the S2300 from disconnecting users by mistake.
Procedure
Step 1 Run:
system-view
dot1x handshake
The handshake with 802.1x users is enabled. By default, the S2300 does not send handshake packets to online users. You can run the dot1x timer command to set the handshake interval. For details, see 2.3.10 (Optional) Configuring 802.1x Timers.
Step 3 (Optional) Run:
dot1x handshake packet-type { request-identity | srp-sha1-part2 }
The type of 802.1x authentication handshake packets is set. By default, the type of 802.1x authentication handshake packets is request-identity. ----End
Procedure
Step 1 Run:
system-view
The retransmission count of the authentication request is set. By default, the S2300 retransmits an authentication request to an access user twice. ----End
Procedure
- Run the display dot1x [ statistics ] [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to check the configuration of 802.1x authentication.
- Run the display mac-address { authen | guest } [ vlan vlan-id ] command to check the configuration of 802.1x authentication and MAC address authentication or information about the MAC address added to the guest VLAN.
----End
Example
View information about 802.1x authentication on GE 0/0/1.
<Quidway> display dot1x interface gigabitethernet 0/0/1
GigabitEthernet0/0/1 status: UP
802.1x protocol is Enabled[macbypass]
Port control type is Auto
Authentication method is MAC-based
Reauthentication is disabled
Maximum users: 8
Current users: 2
Authentication Success: 1 Failure: 11
EAPOL Packets: TX : 24 RX : 4
Sent EAPOL Request/Identity Packets : 11
EAPOL Request/Challenge Packets : 1
Multicast Trigger Packets : 0
DHCP Trigger Packets : 0
EAPOL Success Packets : 1
EAPOL Failure Packets : 11
Received EAPOL Start Packets : 2
EAPOL LogOff Packets : 0
EAPOL Response/Identity Packets : 1
EAPOL Response/Challenge Packets: 1
View information about the MAC address used in 802.1x authentication or MAC address authentication.
<Quidway> display mac-address authen
MAC address table of slot 0:
------------------------------------------------------------------------------
MAC Address VLAN/ PEVLAN CEVLAN Port Type LSP/LSR-ID
            VSI/SI                        MAC-Tunnel
------------------------------------------------------------------------------
0000-0000-0100 3000 GE0/0/1 authen
0000-0000-0200 3000 GE0/0/1 authen
0000-0000-0600 3000 GE0/0/1 authen
------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 64
View information about the MAC address added to the guest VLAN.
<Quidway> display mac-address guest
MAC address table of slot 0:
------------------------------------------------------------------------------
MAC Address VLAN/ PEVLAN CEVLAN Port Type LSP/LSR-ID
            VSI/SI                        MAC-Tunnel
------------------------------------------------------------------------------
0000-0000-0404 3010 GE0/0/1 guest
0000-0000-0407 3010 GE0/0/1 guest
0000-0000-0410 3010 GE0/0/1 guest
------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 67
2.4.1 Establishing the Configuration Task
2.4.2 Enabling Global MAC Address Authentication
2.4.3 Enabling MAC Address Authentication on an Interface
2.4.4 Configuring a User Name for MAC Address Authentication
A fixed user name or a MAC address can be used for MAC address authentication.
2.4.5 (Optional) Configuring the Domain for MAC Address Authentication
2.4.6 (Optional) Setting the Timers of MAC Address Authentication
2.4.7 (Optional) Configuring the Guest VLAN for MAC Address Authentication
2.4.8 (Optional) Setting the Maximum Number of Access Users Who Adopt MAC Address Authentication
2.4.9 (Optional) Re-Authenticating a User with the Specified MAC Address
2.4.10 Checking the Configuration
Pre-configuration Tasks
MAC address authentication is only an implementation scheme to authenticate the user identity. To complete the user identity authentication, you need to select the RADIUS or local authentication method. Before configuring MAC address authentication, complete the following tasks:
- Configuring the ISP authentication domain and AAA schemes, that is, RADIUS or local authentication schemes, for the 802.1x user.
- Configuring the user name and password on the RADIUS server if RADIUS authentication is used.
- Adding the user name and password manually on the S2300 if local authentication is used.
Data Preparation
To configure MAC address authentication, you need the following data.
No. Data
1 Number of the interface on which MAC address authentication is enabled
Context
Before the configuration of MAC address authentication, enable MAC address authentication globally.
Procedure
Step 1 Run:
system-view
MAC address authentication is enabled globally. Running this command is equivalent to enabling global MAC address authentication. Related configurations of MAC address authentication take effect only after MAC address authentication is enabled. By default, MAC address authentication is disabled globally. ----End
CAUTION
If MAC address authentication is enabled on an interface, 802.1x authentication cannot be enabled on the interface. If 802.1x authentication is enabled on an interface, MAC address authentication cannot be enabled on the interface.
You can enable MAC address authentication on an interface in the following ways.
Procedure
- In the system view: 1. Run:
system-view
MAC address authentication is enabled on the interfaces. If there are online users who log in through MAC address authentication, disabling MAC address authentication is prohibited.
MAC address authentication is enabled on the interface. Ensure that no online user exists before disabling MAC address authentication by using the undo mac-authen command. ----End
Context
When the fixed user name is used for MAC address authentication, you can set the password or not. When the MAC address is used as a user name for MAC address authentication, the MAC address is used as the authentication password.
Procedure
- Setting the user name format in the system view: 1. Run:
system-view
The user name format is set for MAC address authentication. There are two formats for a MAC address used as the user name, that is, the MAC address with hyphens (such as 0010-8300-0011) and the MAC address without hyphens (such as 001083000011). By default, a MAC address without hyphens is used as a user name for MAC address authentication. ----End
Context
If the user name used for MAC address authentication is the MAC address, or a fixed user name that does not contain a domain name, the default authentication domain is used when no authentication domain is configured. If a fixed-format user name specifies the authentication domain, that domain is used for the user.
NOTE
Before configuring the authentication domain for the user who uses MAC address authentication, you need to confirm that a domain is available. Otherwise, the system displays an error message during the configuration.
Procedure
- In the system view: 1. Run:
system-view
A domain name is configured for a user who uses MAC address authentication. ----End
Parameters of timers for MAC address authentication are set.
- guest-vlan reauthenticate-period: Interval for re-authenticating users in a guest VLAN. By default, the re-authentication interval is 60s.
- offline-detect: Offline-detect timer used to set the interval at which the S2300 checks whether a user goes offline. By default, the offline timer is 300s.
- quiet-period: Quiet timer. After the user authentication fails, the S2300 waits for a certain period before processing authentication requests of the user. During the quiet period, the S2300 does not process authentication requests from the user. By default, the quiet timer is 60s.
- server-timeout: Server timeout timer. In the user authentication process, if the connection between the S2300 and the RADIUS server times out, the authentication fails. By default, the time interval of the authentication server is 30s. ----End
2.4.7 (Optional) Configuring the Guest VLAN for MAC Address Authentication
Context
If the MAC authentication fails after the guest VLAN function is enabled, the S2300 adds the user to the guest VLAN. Then users in the guest VLAN can access resources in the guest VLAN without MAC address authentication. Authentication, however, is required when such users access external resources. Thus certain resources are available for users without authentication.
NOTE
The VLAN to be configured as the guest VLAN must exist in the system and cannot be the default VLAN of the interface.
Procedure
- In the system view: 1. Run:
system-view
The guest VLAN of interfaces is configured. You can configure the guest VLAN of interfaces in batches by specifying the interface list in the mac-authen guest-vlan command in the system view.
- In the interface view: 1. Run:
system-view
The guest VLAN of the interface is configured. By default, no guest VLAN is configured on an interface. ----End
2.4.8 (Optional) Setting the Maximum Number of Access Users Who Adopt MAC Address Authentication
Context
When the number of access users on an interface reaches the limit, the S2300 does not trigger the authentication for the users connecting to the interface later; therefore, these users cannot access the network. You can configure the maximum number of access users who adopt MAC address authentication in the following ways.
Procedure
- In the system view: 1. Run:
system-view
The maximum number of access users who adopt MAC address authentication is set on interfaces. You can configure the maximum number of access users of interfaces in batches by specifying the interface list in the mac-authen max-user command in the system view.
- In the interface view: 1. Run:
system-view
The maximum number of access users who adopt MAC address authentication on the interface is set. By default, the maximum number of access users who adopt MAC address authentication on an interface of the S2300 is 8. The maximum number of NAC access users is 128. ----End
Procedure
Step 1 Run:
system-view
A specified user who has passed MAC address authentication is re-authenticated. If the user does not pass MAC address authentication, the user is not re-authenticated. Step 3 Run:
mac-authen reauthenticate interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
Procedure
- Run the display mac-authen [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to view the configuration of MAC address authentication.
- Run the display mac-address { authen | guest } [ vlan vlan-id ] command to check the configuration of 802.1x authentication and MAC address authentication or information about the MAC address added to the guest VLAN.
----End
CAUTION
Statistics cannot be restored after being cleared. Therefore, confirm the action before you run the following commands. After confirming that the statistics are to be reset, do as follows in the user view.
Procedure
- Run the reset dot1x statistics [ interface { interface-type interface-number1 [ to interface-number2 ] } ] command to clear the statistics about 802.1x authentication.
----End
CAUTION
Statistics cannot be restored after being cleared. Therefore, confirm the action before you run the following commands. After confirming that the statistics are to be reset, do as follows in the user view.
Procedure
- Run the reset mac-authen statistics [ interface { interface-type interface-number1 [ to interface-number2 ] } ] command to clear the statistics about MAC address authentication.
----End
2.6.1 Example for Configuring the RADIUS Server to Deliver Authorization ACL
Networking Requirements
As shown in Figure 2-2, the PC accesses the network using 802.1x authentication. The authentication server is a RADIUS server. An HTTP server is located on the Internet. After the user goes online, the RADIUS server is required to deliver an ACL. The user is then allowed to connect to the Internet, but cannot access the HTTP server.
Figure 2-2 Networking diagram for configuring 802.1x authentication
[Figure: Radius Server, Switch and PC; addresses labelled in the diagram: 100.1.1.1, 100.1.1.2, 192.168.1.1/24, 192.168.1.2/24, 192.168.1.10, 101.0.0.2]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the RADIUS authentication server to deliver the authorization ACL.
2. Configure a RADIUS server template.
3. Configure an AAA authentication template.
4. Configure a domain.
5. Configure an ACL on the Switch that is the same as the ACL on the RADIUS server, and configure the ACL rules.
6. Configure 802.1x authentication.
Data Preparation
To complete the configuration, you need the following data:
- IP address of the RADIUS authentication server: 100.1.1.1; authentication port number: 1812
- RADIUS server template: rd1
- Shared key of the RADIUS server: hello
- AAA authentication scheme: web1
- Domain: isp1
- ACL number: 3000
NOTE
In this example, only the configuration of the Switch is provided; the configuration of the RADIUS server is not described.
Procedure
Step 1 Configure a RADIUS server template.
# Configure a RADIUS server template rd1.
[Quidway] radius-server template rd1
# Configure the IP address and port number of the primary RADIUS authentication server.
[Quidway-radius-rd1] radius-server authentication 100.1.1.1 1812
Step 2 Create an authentication scheme web1 and set the authentication method to RADIUS authentication.
[Quidway] aaa
[Quidway-aaa] authentication-scheme web1
[Quidway-aaa-authen-1] authentication-mode radius
[Quidway-aaa-authen-1] quit
Step 3 Create a domain isp1 and bind the authentication scheme and RADIUS server template to the domain.
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme web1
[Quidway-aaa-domain-isp1] accounting-scheme web1
[Quidway-aaa-domain-isp1] radius-server rd1
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit
Step 4 Configure ACL 3000 to reject the packets with the destination address 101.0.0.2.
[Quidway] acl 3000
[Quidway-acl-adv-3000] rule 0 deny ip destination 101.0.0.2 0
[Quidway-acl-adv-3000] quit
Step 5 Configure the 802.1x authentication.
# Enable the 802.1x authentication globally.
[Quidway] dot1x enable
Step 6 Verify the configuration. After the user goes online successfully, ping the HTTP server from the PC to check whether ACL 3000 takes effect.
[Quidway] ping 101.0.0.2
PING 101.0.0.2: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.0.0.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
----End
Configuration Files
#
sysname Quidway
#
dot1x enable
#
radius-server template rd1
 radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 radius-server authentication 10.1.1.1 1812
 radius-server accounting 100.1.1.2 1813
#
acl number 3000
 rule 0 deny ip destination 101.0.0.2 0
#
aaa
 authentication-scheme web1
  authentication-mode radius
 domain isp1
  authentication-scheme web1
  accounting-scheme web1
  radius-server rd1
#
return
3
About This Chapter
Context
NOTE
This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP) snooping on the S2300 to defend against DHCP attacks.
3.1 Introduction to DHCP Snooping
This section describes the principle of DHCP snooping.
3.2 DHCP Snooping Features Supported by the S2300
This section describes the DHCP snooping features supported by the S2300.
3.3 Preventing the Bogus DHCP Server Attack
To prevent the attack from the pseudo DHCP server, use the trusted/untrusted working mode of DHCP snooping.
3.4 Preventing the DoS Attack by Changing the CHADDR Field
This section describes how to prevent the attackers from attacking the DHCP server by modifying the CHADDR.
3.5 Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases
This section describes how to prevent the attackers from attacking the DHCP server by forging the DHCP messages for extending IP address leases.
3.6 Setting the Maximum Number of DHCP Snooping Users
This section describes how to set the maximum number of DHCP snooping users. This is because authorized users cannot access the network when an attacker applies for IP addresses continuously.
3.7 Limiting the Rate of Sending DHCP Messages
This section describes how to prevent attackers from sending a large number of DHCP Request messages to attack the S2300.
3.8 Configuring the Packet Discarding Alarm Function
An alarm is generated when the number of discarded packets exceeds the threshold.
3.9 Maintaining DHCP Snooping
This section describes how to maintain DHCP snooping.
3.10 Configuration Examples
This section provides several configuration examples of DHCP snooping.
In this manual, DHCP snooping includes DHCPv4 snooping and DHCPv6 snooping.
Figure 3-1 Networking diagram for applying DHCP snooping on the S2300 on a Layer 2 network
[Figure: labels shown are Untrusted, L2 network, DHCP server, User network]
DHCPv6 Snooping
The S2300 supports DHCPv6 snooping. That is, after DHCP snooping is enabled, binding entries are also created for the users using IPv6 addresses. A DHCPv6 snooping binding entry consists of the IPv6 address, MAC address, interface number, and VLAN ID of a user.
Applicable Environment
When a bogus DHCP server exists on a network, the bogus DHCP server on the network replies with incorrect messages such as the incorrect IP address of the gateway, incorrect domain name server (DNS) server, and incorrect IP address to the DHCP client. As a result, the DHCP client cannot access the network or cannot access the correct destination network. To prevent a bogus DHCP server attack, you can configure DHCP snooping on the S2300, configure the network-side interface to be trusted and the user-side interface to be untrusted, and discard DHCP Reply messages received from untrusted interfaces. To locate a bogus DHCP server, you can configure detection of bogus DHCP servers on the S2300. In this case, the S2300 obtains related information about DHCP servers by checking DHCP Reply messages, and records the information in the log. This facilitates network maintenance.
Pre-configuration Tasks
Before preventing the bogus DHCP server attack, complete the following tasks:
- Configuring the DHCP server
Data Preparation
To prevent the bogus DHCP server attack, you need the following data.
No. Data
1 Type and number of the interface that needs to be set to be trusted
Context
To enable DHCP snooping, you need to comply with the following sequence:
- Enable DHCP globally.
- Enable DHCP snooping globally.
- Enable DHCP snooping on an interface or in a VLAN.
Procedure
- Enabling DHCP snooping in the VLAN view: 1. Run:
system-view
DHCP snooping is disabled on the specified interface in the VLAN. To disable DHCP snooping on a specified interface in a VLAN, perform steps 6 and 7.
- Enabling DHCP snooping in the interface view: 1. Run:
system-view
The interface view is displayed.
5. Run:
dhcp snooping enable
DHCP snooping is enabled on the interface. ----End
Context
After DHCP snooping is enabled on an interface, the interface is an untrusted interface by default.
Procedure
Step 1 Run:
system-view
The interface view is displayed. The interface is the network-side interface connected to the DHCP server. Or, run:
vlan vlan-id
Or, in the VLAN view, run:
dhcp snooping trusted interface interface-type interface-number
The interface is configured as a trusted interface. DHCP Reply messages sent from an untrusted interface are discarded. The dhcp snooping trusted interface command takes effect only after the interface has been added to the VLAN. ----End
Procedure
Step 1 Run:
system-view
Detection of bogus DHCP servers is enabled. By default, detection of bogus DHCP servers is disabled on the S2300. ----End
Prerequisite
The configurations of preventing the bogus DHCP server attack are complete.
Procedure
- Run the display dhcp snooping global command to check information about global DHCP snooping.
- Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface.
- Run the display dhcp { snooping | static } user-bind { dai-status | interface interface-type interface-number | ip-address ip-address | ipsg-status | mac-address mac-address | vlan vlan-id [ interface interface-type interface-number ] | all [ verbose ] } command to check the DHCP binding table.
- Run the display dhcpv6 { snooping | static } user-bind { interface interface-type interface-number | ip-address ip-address | ipsg-status | mac-address mac-address | vlan vlan-id [ interface interface-type interface-number ] | all [ verbose ] } command to check the DHCPv6 binding table.
----End
Applicable Environment
The attacker may change the client hardware address (CHADDR) carried in DHCP messages instead of the source MAC address in the frame header to apply for IP addresses continuously. The S2300, however, only checks the validity of packets based on the source MAC address in the frame header. The attack packets can still be forwarded normally. The MAC address limit cannot take effect in this manner. To prevent the attacker from changing the CHADDR field, you can configure DHCP snooping on the S2300 to check the CHADDR field carried in DHCP Request messages. If the CHADDR field matches the source MAC address in the frame header, the message is forwarded. Otherwise, the message is discarded.
Pre-configuration Tasks
Before preventing the DoS attack by changing the CHADDR field, complete the following tasks:
- Configuring the DHCP server
Data Preparation
To prevent the DoS attack by changing the CHADDR field, you need the following data.
No. Data
1 Type and number of the interface enabled with the check function
Context
To enable DHCP snooping, you need to comply with the following sequence:
- Enable DHCP globally.
- Enable DHCP snooping globally.
- Enable DHCP snooping on an interface or in a VLAN.
Procedure
- Enabling DHCP snooping in the VLAN view: 1. Run:
system-view
DHCP snooping is disabled on the specified interface in the VLAN. To disable DHCP snooping on a specified interface in a VLAN, perform steps 6 and 7.
- Enabling DHCP snooping in the interface view: 1. Run:
system-view
The interface view is displayed.
5. Run:
dhcp snooping enable
DHCP snooping is enabled on the interface. ----End
Procedure
Step 1 Run:
system-view
The interface view is displayed. The interface is the user-side interface. Step 3 Run:
dhcp snooping check dhcp-chaddr enable [ alarm dhcp-chaddr { enable [ threshold threshold-value ] | threshold threshold-value } ]
The interface is configured to check whether the CHADDR field in DHCP Request messages matches the source MAC address in the Ethernet frame header. By default, an interface does not check the CHADDR field in DHCP Request messages, and the alarm threshold for the rate of discarding DHCP Request messages is 100. ----End
Prerequisite
The configurations of preventing the DoS attack by changing the CHADDR field are complete.
Procedure
- Run the display dhcp snooping global command to check information about global DHCP snooping.
- Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface.
----End
3.5 Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases
This section describes how to prevent the attackers from attacking the DHCP server by forging the DHCP messages for extending IP address leases.
3.5.1 Establishing the Configuration Task
Establishing the Configuration Task of Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases.
3.5.2 Enabling DHCP Snooping
After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN. Otherwise, DHCP snooping does not take effect.
3.5.3 Enabling Checking of DHCP Request Messages
To prevent unauthorized users from sending DHCP Request messages to request IP address renewal, the S2300 matches the received DHCP Request messages to determine whether to forward them.
3.5.4 (Optional) Configuring the Option 82 Function
After the Option 82 function is enabled, the S2300 can generate binding entries for users on different interfaces according to the Option 82 field in DHCP messages, which prevents a bogus DHCP server from replying with incorrect messages.
3.5.5 (Optional) Setting the Format of the Option 82 Field
You can set the format of the Option 82 field globally or on an interface. If the format of the Option 82 field is set on an interface, the format configured on the interface takes effect. If the format of the Option 82 field is not set on an interface, the globally configured format takes effect.
3.5.6 (Optional) Appending the Option 18 Field or the Option 37 Field to DHCPv6 Request Messages
If the DHCPv6 server needs to obtain information about the interface or MAC address of the client, the S2300 can append the Option 18 or Option 37 field to DHCPv6 Request messages sent from a client to the DHCPv6 server.
3.5.7 Checking the Configuration
Checking the Configuration of Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases.
Applicable Environment
The attacker pretends to be a valid user and continuously sends DHCP Request messages intending to extend the IP address lease. As a result, certain expired IP addresses cannot be reused. To prevent the attacker from sending bogus DHCP messages to extend IP address leases, you can create the DHCP snooping binding table on the S2300 to check DHCP Request messages. If the source IP address, source MAC address, VLAN, and interface of the DHCP Request messages match entries in the binding table, the DHCP Request messages are then forwarded. Otherwise, the DHCP Request messages are discarded.
NOTE
IP addresses are classified into IPv4 addresses and IPv6 addresses. The S2300 checks the source IP addresses of DHCP Request messages, including both IPv4 addresses and IPv6 addresses.
The S2300 checks DHCP Request messages as follows:
1. Checks whether the destination MAC address is all-f. If the destination MAC address is all-f, the S2300 considers the DHCP Request message to be a broadcast message sent by a user going online for the first time and does not check it against the binding table. Otherwise, the S2300 considers the DHCP Request message to be a request to renew the lease of the IP address and checks it against the binding table.
2. Checks whether the CHADDR field in the DHCP Request message matches an entry in the binding table. If not, the user is going online for the first time and the S2300 forwards the message directly. If yes, the S2300 checks whether the VLAN ID, IP address, and interface information of the message match the binding entry. If all these fields match, the S2300 forwards the message; otherwise, the S2300 discards the message.
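The two-step check above, as an added example that is not code from the Huawei guide: a small Python model of the decision run over a constructed binding table. The class and function names and every sample MAC, IP, VLAN and interface value are assumptions made for this illustration.

```python
"""Added example, not part of the Huawei guide: a model of the two-step
DHCP Request check described above, run over a constructed binding table.
Names (Binding, DhcpRequest, check_dhcp_request) and all sample values
are assumptions made for this illustration."""
from dataclasses import dataclass
from typing import Dict, List

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"  # the "all-f" destination MAC in the text


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding entry (MAC, IP, VLAN, interface)."""
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class DhcpRequest:
    """The fields of a received DHCP Request that the check looks at."""
    dst_mac: str      # destination MAC of the Ethernet frame
    chaddr: str       # CHADDR (client hardware address) field of the message
    ciaddr: str       # IP address the client is asking to renew
    vlan: int         # VLAN the frame arrived on
    interface: str    # interface the frame arrived on


def check_dhcp_request(req: DhcpRequest, table: Dict[str, Binding]) -> str:
    """Return 'forward' or 'discard' following the rule in the text.

    Step 1: a Request sent to the broadcast MAC is a first-time login and is
    not checked against the binding table.
    Step 2: a unicast Request is treated as a lease renewal. If its CHADDR is
    unknown, the user is new and the message is forwarded directly; if the
    CHADDR is bound, VLAN, IP address and interface must all match the entry.
    """
    if req.dst_mac.lower() == BROADCAST_MAC:
        return "forward"
    entry = table.get(req.chaddr.lower())
    if entry is None:
        return "forward"
    if (entry.vlan, entry.ip, entry.interface) == (req.vlan, req.ciaddr, req.interface):
        return "forward"
    return "discard"


# Constructed sample data (values invented for this example).
SERVER_MAC = "00:00:5e:00:53:01"          # a unicast renewal is addressed to the server
SAMPLE_TABLE = {
    "00:00:5e:00:53:10": Binding("00:00:5e:00:53:10", "10.1.1.3", 3, "Ethernet0/0/2"),
}
SAMPLE_REQUESTS: List[DhcpRequest] = [
    # broadcast Request from a host going online for the first time: not checked
    DhcpRequest(BROADCAST_MAC, "00:00:5e:00:53:11", "0.0.0.0", 3, "Ethernet0/0/2"),
    # unicast renewal whose CHADDR, IP, VLAN and interface all match the binding
    DhcpRequest(SERVER_MAC, "00:00:5e:00:53:10", "10.1.1.3", 3, "Ethernet0/0/2"),
    # renewal claiming a bound CHADDR and IP but arriving on a different interface
    DhcpRequest(SERVER_MAC, "00:00:5e:00:53:10", "10.1.1.3", 3, "Ethernet0/0/5"),
    # renewal claiming a bound CHADDR with an IP that is not in the entry
    DhcpRequest(SERVER_MAC, "00:00:5e:00:53:10", "10.1.1.9", 3, "Ethernet0/0/2"),
    # unicast renewal with a CHADDR the table has never seen: forwarded as a new user
    DhcpRequest(SERVER_MAC, "00:00:5e:00:53:12", "10.1.1.9", 3, "Ethernet0/0/2"),
]


def run_sample() -> List[str]:
    """Apply the check to every sample request in order."""
    return [check_dhcp_request(r, SAMPLE_TABLE) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, run_sample()):
        print(f"{req.chaddr} {req.ciaddr:>9} on {req.interface}: {verdict}")
```

The last sample shows the limit of this check: a unicast Request whose CHADDR is not yet bound is forwarded as a new user, so the binding-table check only protects addresses already in the table and is meant to be combined with the CHADDR check and the rate limit described later in this chapter.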
Pre-configuration Tasks
Before preventing the attacker from sending bogus DHCP messages for extending IP address leases, complete the following tasks:
- Configuring the DHCP server
Data Preparation
To prevent the attacker from sending bogus DHCP messages for extending IP address leases, you need the following data.
No.  Data
1    Type and number of the interface enabled with detection of bogus DHCP servers
Context
To enable DHCP snooping, you need to comply with the following sequence:
- Enable DHCP globally.
- Enable DHCP snooping globally.
- Enable DHCP snooping on an interface or in a VLAN.
Procedure
- Enabling DHCP snooping in the VLAN view
  1. Run:
     system-view
  DHCP snooping is disabled on the specified interface in the VLAN. To disable DHCP snooping on a specified interface in a VLAN, perform steps 6 and 7.
- Enabling DHCP snooping in the interface view
  1. Run:
  The interface view is displayed.
  5. Run:
     dhcp snooping enable
  DHCP snooping is enabled on an interface.
----End
Context
Binding entries of DHCP users are created automatically after DHCP snooping is enabled. If a user uses a static IP address, you need to configure the binding entry of the user manually.
Procedure
Step 1 Run:
  system-view
The interface view is displayed. The interface is a user-side interface.
Step 3 Run:
  dhcp snooping check dhcp-request enable [ alarm dhcp-request { enable [ threshold threshold-value ] | threshold threshold-value } ]
The interface is enabled to check DHCP Request messages. By default, an interface is disabled from checking DHCP Request messages, and the alarm threshold for the rate of discarding DHCP Request messages is set to 100.
----End
Procedure
- In the interface view:
  1. Run:
     system-view
  The interface view is displayed. The interface is the user-side interface.
  3. Run:
     dhcp option82 insert enable
  The Option 82 field is forcibly appended to DHCP messages.
  After the dhcp option82 insert enable command is used, the Option 82 field is appended to DHCP messages that do not carry it. If a DHCP message already contains an Option 82 field, the S2300 checks whether the field contains the Remote-id. If it does, the S2300 retains the original Option 82 field; if not, the S2300 inserts the Remote-id into the Option 82 field. By default, the Remote-id is the MAC address of the S2300.
  After the dhcp option82 rebuild enable command is used, the Option 82 field is appended to DHCP messages that do not carry it; if a DHCP message already carries an Option 82 field, the original field is removed and a new one is appended.
- In the VLAN view:
  1. Run:
     system-view
  Or, run:
     dhcp option82 rebuild enable interface { interface-name | interface-type interface-number } [ to interface-number ]
  The Option 82 field is forcibly appended to DHCP messages. These commands take effect only if the interfaces have been added to the VLAN in step 2.
  After the dhcp option82 insert enable interface { interface-name | interface-type interface-number } [ to interface-number ] command is used, the Option 82 field is appended to DHCP messages that do not carry it. If a DHCP message already contains an Option 82 field, the S2300 checks whether the field contains the Remote-id. If it does, the S2300 retains the original Option 82 field; if not, the S2300 inserts the Remote-id into the Option 82 field. By default, the Remote-id is the MAC address of the S2300.
  After the dhcp option82 rebuild enable interface { interface-name | interface-type interface-number } [ to interface-number ] command is used, the Option 82 field is appended to DHCP messages that do not carry it; if a DHCP message already carries an Option 82 field, the original field is removed and a new one is appended.
----End
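The difference between insert and rebuild above, as an added example that is not code from the Huawei guide: a byte-level Python model of the Option 82 handling. The function names, the switch MAC, the Circuit-id text and the sample option bytes are assumptions made for this illustration; the Option 82 sub-option layout follows RFC 3046 (sub-option 1 Circuit-id, sub-option 2 Remote-id).

```python
"""Added example, not code from the Huawei guide: a byte-level model of the
difference between dhcp option82 insert enable and dhcp option82 rebuild
enable. Function names and all sample values are assumptions made for
this illustration."""
from typing import Dict, List, Tuple

OPTION_PAD = 0
OPTION_END = 255
OPTION_RELAY_AGENT = 82      # DHCP Relay Agent Information option
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2

Tlv = List[Tuple[int, bytes]]


def parse_tlv(data: bytes) -> Tlv:
    """Parse code/length/value items; stops at the End option (255)."""
    items: Tlv = []
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPTION_END:
            break
        if code == OPTION_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        items.append((code, bytes(value)))
        i += 2 + length
    return items


def build_tlv(items: Tlv, end: bool) -> bytes:
    """Serialise items back to code/length/value; append End if requested."""
    out = bytearray()
    for code, value in items:
        if len(value) > 255:
            raise ValueError("option value too long")
        out += bytes([code, len(value)]) + value
    if end:
        out.append(OPTION_END)
    return bytes(out)


def apply_option82(options: bytes, circuit_id: bytes, remote_id: bytes, mode: str) -> bytes:
    """Return the DHCP options field after the switch has processed Option 82.

    mode == "insert": add Option 82 if absent; if present, keep it unchanged
    when it already carries a Remote-id, otherwise add only the Remote-id.
    mode == "rebuild": add Option 82 if absent; if present, drop the original
    field and append a freshly built one.
    """
    if mode not in ("insert", "rebuild"):
        raise ValueError("mode must be 'insert' or 'rebuild'")
    fresh = build_tlv([(SUBOPT_CIRCUIT_ID, circuit_id), (SUBOPT_REMOTE_ID, remote_id)], end=False)
    out: Tlv = []
    seen = False
    for code, value in parse_tlv(options):
        if code != OPTION_RELAY_AGENT:
            out.append((code, value))
            continue
        seen = True
        if mode == "rebuild":
            out.append((OPTION_RELAY_AGENT, fresh))
            continue
        subs = parse_tlv(value)
        if any(sub == SUBOPT_REMOTE_ID for sub, _ in subs):
            out.append((OPTION_RELAY_AGENT, value))          # retain the original field
        else:
            subs.append((SUBOPT_REMOTE_ID, remote_id))      # insert only the Remote-id
            out.append((OPTION_RELAY_AGENT, build_tlv(subs, end=False)))
    if not seen:
        out.append((OPTION_RELAY_AGENT, fresh))
    return build_tlv(out, end=True)


def option82_suboptions(options: bytes) -> Dict[int, bytes]:
    """Map sub-option code -> value for the first Option 82 found (empty if none)."""
    for code, value in parse_tlv(options):
        if code == OPTION_RELAY_AGENT:
            return dict(parse_tlv(value))
    return {}


# Constructed sample values (not from the guide).
SWITCH_MAC = bytes.fromhex("00005e005301")     # default Remote-id is the switch MAC
CIRCUIT = b"GigabitEthernet0/0/2"              # Circuit-id the switch would generate
DHCP_REQUEST = b"\x03"                         # option 53 value for DHCPREQUEST
# A Request with no Option 82 at all.
NO_82 = build_tlv([(53, DHCP_REQUEST)], end=True)
# A Request that already carries an Option 82 with a Circuit-id only.
FOREIGN_82 = build_tlv([(53, DHCP_REQUEST),
                        (OPTION_RELAY_AGENT, build_tlv([(SUBOPT_CIRCUIT_ID, b"port7")], end=False))],
                       end=True)

if __name__ == "__main__":
    for label, pkt in (("no option 82", NO_82), ("foreign option 82", FOREIGN_82)):
        for mode in ("insert", "rebuild"):
            print(label, mode, option82_suboptions(apply_option82(pkt, CIRCUIT, SWITCH_MAC, mode)))
```

With rebuild the DHCP server only ever sees the Circuit-id and Remote-id generated by the switch, whereas insert preserves whatever Circuit-id the message arrived with.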
Procedure
- Setting the format of the Option 82 field in the system view
  1. Run:
     system-view
  If the customized format of the Option 82 field is used (that is, user-defined is specified), it is recommended that you specify the interface type, slot ID, and interface number in text.
- Setting the format of the Option 82 field in the interface view
  1. Run:
     system-view
  Run:
  If the customized format of the Option 82 field is used (that is, user-defined is specified), it is recommended that you specify the interface type, slot ID, and interface number in text.
----End
3.5.6 (Optional) Appending the Option 18 Field or the Option 37 Field to DHCPv6 Request Messages
If the DHCPv6 server needs to obtain information about the interface or MAC address of the client, the S2300 can append the Option 18 or Option 37 field to DHCPv6 Request messages sent from a client to the DHCPv6 server.
Procedure
Step 1 Run:
  system-view
The S2300 is configured to append the Option 18 field or the Option 37 field to DHCPv6 Request messages. The Option 18 field contains information about the interface of the client and the Option 37 field contains information about the MAC address of the client.
----End
Prerequisite
The configurations of preventing the attacker from sending bogus DHCP messages for extending IP address leases are complete.
Procedure
- Run the display dhcp snooping global command to check information about global DHCP snooping.
- Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface.
- Run the display dhcp { snooping | static } user-bind { dai-status | interface interface-type interface-number | ip-address ip-address | ipsg-status | mac-address mac-address | vlan vlan-id [ interface interface-type interface-number ] | all [ verbose ] } command to check the information about the DHCP binding table.
- Run the display dhcpv6 { snooping | static } user-bind { interface interface-type interface-number | ipv6-address ipv6-address | ipsg-status | mac-address mac-address | vlan vlan-id [ interface interface-type interface-number ] | all [ verbose ] } command to check the information about the DHCPv6 binding table.
- Run the display dhcp option82 { interface interface-type interface-number | vlan vlan-id } command to check the status of the Option 82 field.
----End
Applicable Environment
To prevent malicious users from applying for IP addresses, you can set the maximum number of DHCP snooping users. When the number of DHCP snooping users reaches the maximum value, further users cannot successfully apply for IP addresses.
Pre-configuration Tasks
Before setting the maximum number of DHCP snooping users, complete the following tasks:
- Enabling DHCP snooping globally
- Enabling check of the DHCP snooping binding table
Data Preparation
To set the maximum number of DHCP snooping users, you need the following data.
No.  Data
1    Type and number of the interface, VLAN ID, and maximum number of DHCP snooping users
Context
To enable DHCP snooping, you need to comply with the following sequence:
- Enable DHCP globally.
- Enable DHCP snooping globally.
- Enable DHCP snooping on an interface or in a VLAN.
Procedure
- Enabling DHCP snooping in the VLAN view
  1. Run:
     system-view
  DHCP snooping is disabled on the specified interface in the VLAN. To disable DHCP snooping on a specified interface in a VLAN, perform steps 6 and 7.
- Enabling DHCP snooping in the interface view
  1. Run:
     system-view
  The interface view is displayed.
  5. Run:
     dhcp snooping enable
  DHCP snooping is enabled on an interface.
----End
Procedure
Step 1 Run:
  system-view
The system view is displayed.
Step 2 Run:
  dhcp snooping global max-user-number max-user-number
The maximum number of access users allowed in the system view is set. By default, the maximum number of access users allowed by all the interfaces of the S2300 is 256.
Step 3 Run:
  interface interface-type interface-number
The maximum number of DHCP snooping users allowed on an interface or in a VLAN is set. By default, a maximum of 256 users can access an interface of the S2300 or a VLAN. If the maximum number of access users is set on an interface, in a VLAN, or in the system, all the configurations take effect.
----End
Context
NOTE
The S2300SI does not support configuring MAC address security on an interface.
Procedure
Step 1 Run:
  system-view
MAC address security of DHCP snooping is enabled on the interface. By default, MAC address security of DHCP snooping is disabled on the S2300. The dhcp snooping sticky-mac command takes effect only after DHCP snooping is enabled globally.
If the dhcp snooping sticky-mac command is run, the interface neither learns the MAC address of the received IP packet nor forwards or sends the received IP packet. The DHCP messages received by the interface are sent to the CPU of the main control board, and then a dynamic binding table is generated. After the dynamic binding table is generated, static MAC addresses are sent to the corresponding interface. That is, dynamic MAC addresses are converted to static MAC addresses. The static MAC address entry includes information about the MAC address and VLAN ID of the user. Subsequently, only the packets whose source MAC address matches the static MAC address can pass through the interface; otherwise, the packets are discarded.
MAC addresses of static users in the static binding table cannot be converted to static MAC addresses. You need to configure static MAC addresses for the static users to have their packets forwarded normally.
Step 4 (Optional) Run:
  undo mac-address snooping [ interface-type interface-number [ vlan vlan-id ] | vlan vlan-id [ interface-type interface-number ] ]
The static MAC entries converted from dynamic binding entries by the dhcp snooping sticky-mac command are deleted.
----End
Prerequisite
The configurations of setting the maximum number of users are complete.
Procedure
- Run the display dhcp snooping global command to check information about global DHCP snooping.
- Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on an interface.
- Run the display mac-address snooping [ interface-type interface-number [ vlan vlan-id ] | vlan vlan-id [ interface-type interface-number ] ] [ verbose ] command to view static MAC address entries converted from dynamic MAC address entries by the dhcp snooping sticky-mac command.
----End
Applicable Environment
If an attacker sends DHCP messages continuously on a network, the DHCP protocol stack of the S2300 is affected. To prevent an attacker from sending a large number of DHCP messages, you can configure DHCP snooping on the S2300 to check DHCP messages and limit the rate of sending DHCP messages. Only a certain number of DHCP messages can be sent to the protocol stack during a certain period. Excessive DHCP messages are discarded.
Pre-configuration Tasks
Before limiting the rate of sending packets, complete the following tasks:
- Configuring the DHCP server
Data Preparation
To limit the rate of sending packets, you need the following data.
No.  Data
1    Rate at which DHCP messages are sent to the protocol stack
Context
To enable DHCP snooping, you need to comply with the following sequence:
- Enable DHCP globally.
- Enable DHCP snooping globally.
- Enable DHCP snooping on an interface or in a VLAN.
Procedure
- Enabling DHCP snooping in the VLAN view
  1. Run:
     system-view
  DHCP snooping is disabled on the specified interface in the VLAN. To disable DHCP snooping on a specified interface in a VLAN, perform steps 6 and 7.
- Enabling DHCP snooping in the interface view
  1. Run:
  The interface view is displayed.
  5. Run:
     dhcp snooping enable
  DHCP snooping is enabled on an interface.
----End
Procedure
- Setting the maximum rate of sending DHCP messages in the system view
  1. Run:
     system-view
  The function of checking the rate of sending DHCP messages is enabled. By default, the function of checking the rate of sending DHCP messages is disabled globally.
  3. Run:
     dhcp snooping check dhcp-rate rate
  The rate of sending DHCP messages is set. By default, the maximum rate of sending DHCP messages is 100 pps. The DHCP messages exceeding the rate are discarded.
- Setting the maximum rate of sending DHCP messages in the VLAN view
  1. Run:
     system-view
  The function of checking the rate of sending DHCP messages is enabled in the VLAN view. By default, the function of checking the rate of sending DHCP messages is disabled in the VLAN view.
  4. Run:
     dhcp snooping check dhcp-rate rate
  The rate of sending DHCP messages is set. By default, the maximum rate of sending DHCP messages is 100 pps. The DHCP messages exceeding the rate are discarded.
- Setting the maximum rate of sending DHCP messages in the interface view
  1. Run:
     system-view
  The following functions are configured on an interface:
  - The function of checking the rate of sending DHCP messages to the DHCP stack is enabled.
  - The rate limit of sending DHCP messages to the DHCP stack is set.
  - The DHCP message discard alarm is enabled.
  - The alarm threshold for discarded DHCP messages is set.
  By default, the function of checking the rate of sending DHCP messages to the DHCP stack is disabled on an interface; the rate limit of sending DHCP messages to the DHCP stack is 100 pps; the DHCP message discard alarm is disabled; the alarm threshold for discarded DHCP messages is 100.
----End
Prerequisite
The configurations of limiting the rate of sending DHCP messages are complete.
Procedure
- Run the display dhcp snooping global command to check information about global DHCP snooping.
----End
Applicable Environment
With DHCP snooping configured, the S2300 discards packets sent from an attacker. Table 3-2 shows the relation between the type of attacks and the type of discarded packets.
Table 3-2 Relation between the type of attacks and the type of discarded packets
Type of Attacks                                                              | Type of Discarded Packets
Bogus attack                                                                 | DHCP Reply messages received from untrusted interfaces
DoS attack by changing the CHADDR field                                      | DHCP Request messages whose CHADDR field does not match the source MAC address in the frame header
Attack by sending bogus messages to extend IP address leases                 | DHCP Request messages that do not match entries in the binding table
Attack by sending a large number of DHCP Request messages and ARP packets    | Messages exceeding the rate limit
After the packet discarding alarm function is enabled, an alarm is generated when the number of discarded packets on the S2300 reaches the alarm threshold.
Pre-configuration Tasks
Before configuring the packet discarding alarm function, complete the following tasks:
- Configuring the DHCP server
- Configuring the S2300 to discard DHCP Reply messages on the untrusted interface at the user side
- Configuring the checking of DHCP messages
- Configuring the checking of the CHADDR field in DHCP Request messages
- Configuring the checking of the rate of sending DHCP messages
Data Preparation
To configure the packet discarding alarm function, you need the following data.
No.  Data
1    Alarm threshold for the number of discarded packets
Context
To enable DHCP snooping, you need to comply with the following sequence:
- Enable DHCP globally.
- Enable DHCP snooping globally.
- Enable DHCP snooping on an interface or in a VLAN.
Procedure
- Enabling DHCP snooping in the VLAN view
  1. Run:
     system-view
  DHCP snooping is disabled on the specified interface in the VLAN. To disable DHCP snooping on a specified interface in a VLAN, perform steps 6 and 7.
- Enabling DHCP snooping in the interface view
  1. Run:
     system-view
  The interface view is displayed.
  5. Run:
     dhcp snooping enable
  DHCP snooping is enabled on an interface.
----End
Context
The packet discarding alarm function can be configured globally and on the interface.
- The packet discarding alarm function configured globally takes effect for all interfaces.
- The packet discarding alarm function configured on an interface takes effect for a specified interface. If the packet discarding alarm function is not configured on an interface, the global configuration is used.
Procedure
- Configuring the packet discarding alarm function globally
  1. Run:
     system-view
  The alarm threshold of the number of globally discarded packets is set. By default, the global alarm threshold of the number of discarded DHCP messages is 100 pps.
- Configuring the packet discarding alarm function on an interface
  1. Run:
     system-view
  The function of checking the CHADDR field of DHCP Request messages and the alarm for discarded DHCP Request packets are enabled on the interface, and the threshold that triggers the alarm is set. By default, the S2300 neither checks the CHADDR field of DHCP Request messages nor generates alarms for discarded packets. The alarm threshold for the rate of discarded DHCP Request messages is 100 pps.
  4. Run:
     dhcp snooping check dhcp-request enable [ alarm dhcp-request [ enable [ threshold threshold-value ] | threshold threshold-value ] ]
  The function of checking DHCP Request messages and the alarm for discarded DHCP Request packets are enabled on the interface, and the threshold that triggers the alarm is set. By default, the S2300 neither checks DHCP Request messages nor generates alarms for discarded packets. The alarm threshold for the rate of discarded DHCP Request messages is 100 pps.
  5. (Optional) Run:
     dhcp snooping alarm { dhcp-chaddr | dhcp-reply | dhcp-request } { enable [ threshold threshold ] | threshold threshold }
  The alarm function is enabled for discarding of DHCP messages received from untrusted interfaces, and the alarm threshold is set. By default, the packet discarding alarm is disabled, and the threshold that triggers the alarm on discarded packets is 100. After the dhcp snooping alarm command is configured, the S2300 discards the following types of packets:
  - DHCP Request messages that do not match entries in the DHCP snooping binding table
  - DHCP Reply messages received by untrusted interfaces
  - DHCP Request messages whose source MAC address does not match the CHADDR field
----End
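How the three discard checks, the rate limit from the previous section and the per-reason alarm thresholds interact on one untrusted interface, as an added example that is not code from the Huawei guide. The class and function names, the order in which the checks run, the assumption that a reason's counter restarts after its alarm fires, and all sample traffic are assumptions made for this illustration; the binding-table outcome is supplied as an input rather than recomputed.

```python
"""Added example, not code from the Huawei guide: a model of how the
discard checks and the packet discarding alarm interact on one untrusted
interface. Names, check order, the counter reset after an alarm and all
sample traffic are assumptions made for this illustration."""
from collections import Counter, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

DROP_REASONS = ("dhcp-rate", "dhcp-reply", "dhcp-chaddr", "dhcp-request")


@dataclass(frozen=True)
class DhcpMessage:
    t: float           # arrival time in seconds
    kind: str          # "request" or "reply"
    src_mac: str       # source MAC in the Ethernet frame header
    chaddr: str        # CHADDR field (requests only)
    binding_ok: bool   # outcome of the binding-table check, supplied as input


@dataclass
class SnoopingInterface:
    trusted: bool = False
    rate_limit_pps: int = 100                     # guide default: 100 pps
    thresholds: Dict[str, int] = field(default_factory=lambda: {r: 100 for r in DROP_REASONS})
    in_range: Counter = field(default_factory=Counter)     # drops since the last alarm
    total_drops: int = 0
    alarms: List[Tuple[float, str, int]] = field(default_factory=list)
    _window: Deque[float] = field(default_factory=deque)   # arrivals in the last second

    def _drop(self, reason: str, when: float) -> str:
        self.in_range[reason] += 1
        self.total_drops += 1
        if self.in_range[reason] >= self.thresholds[reason]:
            self.alarms.append((when, reason, self.in_range[reason]))
            self.in_range[reason] = 0   # assumption: counter restarts after an alarm
        return "discard"

    def handle(self, m: DhcpMessage) -> str:
        # Rate limit: only rate_limit_pps messages per second reach the stack.
        while self._window and m.t - self._window[0] >= 1.0:
            self._window.popleft()
        if len(self._window) >= self.rate_limit_pps:
            return self._drop("dhcp-rate", m.t)
        self._window.append(m.t)
        # Reply received on an untrusted interface: bogus-server protection.
        if m.kind == "reply":
            return "forward" if self.trusted else self._drop("dhcp-reply", m.t)
        # CHADDR must match the frame's source MAC (CHADDR DoS protection).
        if m.chaddr != m.src_mac:
            return self._drop("dhcp-chaddr", m.t)
        # Request must match the binding table (bogus lease-extension protection).
        if not m.binding_ok:
            return self._drop("dhcp-request", m.t)
        return "forward"


def run_sample() -> Tuple[List[str], int, List[Tuple[float, str, int]]]:
    """Feed constructed traffic through an untrusted port with small limits."""
    port = SnoopingInterface(trusted=False, rate_limit_pps=3)
    port.thresholds["dhcp-chaddr"] = 2        # low threshold so the alarm fires
    mac_a = "00:00:5e:00:53:0a"
    traffic = [
        DhcpMessage(0.0, "request", mac_a, mac_a, True),                  # normal request
        DhcpMessage(0.1, "reply", "00:00:5e:00:53:bb", "", True),         # reply on untrusted port
        DhcpMessage(0.2, "request", mac_a, "00:00:5e:00:53:0b", True),    # CHADDR differs from source MAC
        DhcpMessage(0.3, "request", mac_a, mac_a, True),                  # 4th message in 1 s: over rate
        DhcpMessage(1.5, "request", mac_a, "00:00:5e:00:53:0c", True),    # CHADDR differs again: alarm
        DhcpMessage(1.6, "request", mac_a, mac_a, False),                 # no matching binding entry
        DhcpMessage(1.7, "request", mac_a, mac_a, True),                  # normal request
    ]
    verdicts = [port.handle(m) for m in traffic]
    return verdicts, port.total_drops, port.alarms


if __name__ == "__main__":
    verdicts, total, alarms = run_sample()
    print(verdicts)
    print("total drops:", total, "alarms:", alarms)
```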
Prerequisite
The configurations of the packet discarding alarm function are complete.
Procedure
- Run the display dhcp snooping global command to check information about global DHCP snooping.
- Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface.
----End
Context
To clear the statistics on DHCP snooping discarded packets, run the following commands in the user view.
Procedure
- Run the reset dhcp snooping statistics global command to clear the statistics on globally discarded packets.
- Run the reset dhcp snooping statistics interface interface-type interface-number command to clear the statistics on discarded packets on the interface.
- Run the reset dhcp snooping statistics vlan vlan-id command to clear the statistics on discarded packets in the VLAN.
----End
Context
NOTE
After the networking environment changes, DHCP snooping binding entries do not age immediately. However, the following information in DHCP snooping binding entries may change, causing packet forwarding failure:
- VLAN ID in packets
- Interface information
Before changing the networking environment, clear all DHCP snooping binding entries manually so that a device generates a new DHCP snooping binding table according to the new networking environment.
To clear entries in the DHCP snooping binding table, run the following command in the user view or system view.
Procedure
- Run the reset dhcp snooping user-bind [ [ vlan vlan-id | interface interface-type interface-number ]* | ip-address ip-address | ipv6-address ipv6-address ] command to reset the DHCP snooping binding table.
----End
the DHCP Request messages on the user-side interface and the alarm function for discarded packets.
3.10.4 Example for Limiting the Rate of Sending DHCP Messages
This section describes the configuration of limiting the rate of sending DHCP messages, including the configuration of the rate of sending DHCP messages to the protocol stack and the alarm function for discarded packets.
3.10.5 Example for Applying DHCP Snooping on a Layer 2 Network
This section describes the configuration of DHCP snooping on a Layer 2 network, including the configuration of the trusted interface, the function of checking DHCP messages, the function of limiting the rate of sending DHCP messages, and the Option 82 function.
Networking Requirements
As shown in Figure 3-2, the Switch is deployed between the user network and the Layer 2 network of the ISP. To prevent bogus DHCP server attacks, it is required that DHCP snooping be configured on the Switch, the user-side interface be configured as an untrusted interface, the network-side interface be configured as the trusted interface, and the alarm function for discarded DHCP Reply packets be configured.
Figure 3-2 Networking diagram for preventing bogus DHCP server attacks (diagram labels: DHCP relay, DHCP server)
Configuration Roadmap
The configuration roadmap is as follows: (Assume that the DHCP server has been configured.)
1. Enable DHCP snooping globally and on the interface.
2. Enable bogus DHCP server detection.
3. Configure the interface connected to the DHCP server as the trusted interface.
4. Configure the alarm function for discarded DHCP Reply packets.
Data Preparation
To complete the configuration, you need the following data:
- GE 0/0/1 being the trusted interface and GE 0/0/2 being the untrusted interface
- Alarm threshold being 120
NOTE
This configuration example provides only the commands related to the DHCP snooping configuration.
Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.
  <Quidway> system-view
  [Quidway] dhcp enable
  [Quidway] dhcp snooping enable
Step 2 Configure the interface as the trusted interface or an untrusted interface.
# Configure the interface on the DHCP server side as the trusted interface.
  [Quidway] interface gigabitethernet 0/0/1
  [Quidway-GigabitEthernet0/0/1] dhcp snooping trusted
  [Quidway-GigabitEthernet0/0/1] quit
# Configure the user-side interface as an untrusted interface. After DHCP snooping is enabled on GE 0/0/2, GE 0/0/2 is an untrusted interface by default.
Step 3 Configure the alarm function for discarded DHCP Reply packets.
# Configure the Switch to discard the Reply messages received by untrusted interfaces, and set the alarm threshold.
  [Quidway] interface gigabitethernet 0/0/2
  [Quidway-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-reply enable threshold 120
  [Quidway-GigabitEthernet0/0/2] quit
Run the display dhcp snooping global command on the Switch, and you can view that DHCP snooping is enabled globally and in the interface view.
  <Quidway> display dhcp snooping global
   dhcp snooping enable
   Dhcp snooping enable is configured at vlan :NULL
   Dhcp snooping enable is configured at interface : GigabitEthernet0/0/2
   Dhcp snooping trusted is configured at interface : GigabitEthernet0/0/1
   Dhcp option82 insert is configured at interface :NULL
   Dhcp option82 rebuild is configured at interface :NULL
   Dhcp option82 insert is configured at vlan :NULL
   Dhcp option82 rebuild is configured at vlan :NULL
   dhcp packet drop count within alarm range : 0
   dhcp packet drop count total : 60
  <Quidway> display dhcp snooping interface gigabitethernet 0/0/1
   dhcp snooping trusted
   dhcp packet dropped by untrust-reply checking = 0
  <Quidway> display dhcp snooping interface gigabitethernet 0/0/2
   dhcp snooping enable
   dhcp snooping alarm dhcp-reply enable threshold 120
   dhcp packet dropped by untrust-reply checking = 10
----End
Configuration Files
#
 dhcp enable
 dhcp snooping enable
 dhcp server detect
#
interface GigabitEthernet0/0/1
 dhcp snooping trusted
#
interface GigabitEthernet0/0/2
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
#
return
3.10.2 Example for Preventing DoS Attacks by Changing the CHADDR Field
This section describes the configuration of preventing DoS attacks by changing the CHADDR field, including the configuration of the function of checking the CHADDR field of DHCP Request messages on the user-side interface and the alarm function for discarded packets.
Networking Requirements
As shown in Figure 3-3, the Switch is deployed between the user network and the ISP Layer 2 network. To prevent DoS attacks by changing the CHADDR field, it is required that DHCP snooping be configured on the Switch. The CHADDR field of DHCP Request messages is checked. If the CHADDR field of DHCP Request messages matches the source MAC address in the frame header, the messages are forwarded. Otherwise, the messages are discarded. The alarm function for discarded packets is configured.
Figure 3-3 Networking diagram for preventing DoS attacks by changing the CHADDR field (diagram labels: ISP network, L3 network, DHCP relay, DHCP server)
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and on the interface.
2. Configure the interface connected to the DHCP server as the trusted interface.
3. Enable the function of checking the CHADDR field of DHCP Request messages on the user-side interface.
4. Configure the alarm function for discarded packets.
Data Preparation
To complete the configuration, you need the following data:
- Alarm threshold
NOTE
This configuration example provides only the commands related to the DHCP snooping configuration.
Procedure
Step 1 Enable DHCP snooping.
Step 2 Configure the interface as the trusted interface or an untrusted interface.
# Configure the interface on the DHCP server side as the trusted interface.
  [Quidway] interface gigabitethernet 0/0/1
  [Quidway-GigabitEthernet0/0/1] dhcp snooping trusted
  [Quidway-GigabitEthernet0/0/1] quit
# Configure the user-side interface as an untrusted interface. After DHCP snooping is enabled on GE 0/0/2, GE 0/0/2 is an untrusted interface by default.
Step 3 Enable the function of checking the CHADDR field of DHCP Request messages on the user-side interface, and configure the alarm function and threshold for discarded packets.
  [Quidway] interface gigabitethernet 0/0/2
  [Quidway-GigabitEthernet0/0/2] dhcp snooping check dhcp-chaddr enable alarm dhcp-chaddr enable threshold 120
Step 4 Verify the configuration.
Run the display dhcp snooping command on the Switch, and you can view that DHCP snooping is enabled globally and in the interface view.
  <Quidway> display dhcp snooping global
   dhcp snooping enable
   Dhcp snooping enable is configured at vlan :NULL
   Dhcp snooping enable is configured at interface : GigabitEthernet0/0/2
   Dhcp snooping trusted is configured at interface : GigabitEthernet0/0/1
   Dhcp option82 insert is configured at interface :NULL
   Dhcp option82 rebuild is configured at interface :NULL
   Dhcp option82 insert is configured at vlan :NULL
   Dhcp option82 rebuild is configured at vlan :NULL
   dhcp packet drop count within alarm range : 0
   dhcp packet drop count total : 25
  <Quidway> display dhcp snooping interface gigabitethernet 0/0/1
   dhcp snooping trusted
   dhcp packet dropped by untrust-reply checking = 0
  <Quidway> display dhcp snooping interface gigabitethernet 0/0/2
   dhcp snooping enable
   dhcp snooping check dhcp-chaddr enable alarm dhcp-chaddr enable threshold 120
   dhcp packet dropped by dhcp-chaddr checking = 25
   dhcp packet dropped by untrust-reply checking = 0
----End
Configuration Files
#
 dhcp enable
 dhcp snooping enable
#
interface GigabitEthernet0/0/1
 dhcp snooping trusted
#
interface GigabitEthernet0/0/2
 dhcp snooping enable
 dhcp snooping check dhcp-chaddr enable alarm dhcp-chaddr enable threshold 120
#
return
3.10.3 Example for Preventing Attackers from Sending Bogus DHCP Messages for Extending IP Address Leases
This section describes the configuration of preventing attackers from sending bogus DHCP messages for extending IP address leases, including the configuration of the function of checking the DHCP Request messages on the user-side interface and the alarm function for discarded packets.
Networking Requirements
As shown in Figure 3-4, the Switch is deployed between the user network and the ISP Layer 2 network. To prevent attackers from sending bogus DHCP messages to extend IP address leases, DHCP snooping must be configured on the Switch and the DHCP snooping binding table must be created. DHCP Request messages that match entries in the binding table are forwarded; all others are discarded. The alarm function for discarded packets is also configured.

Figure 3-4 Networking diagram for preventing attackers from sending bogus DHCP messages for extending IP address leases (diagram: user network, Switch, DHCP relay, DHCP server)
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and on the interface.
2. Configure the interface connected to the DHCP server as the trusted interface.
3. Use the operation mode of the DHCP snooping binding table to check DHCP Request messages.
4. Configure the alarm function for discarded packets.
Data Preparation
To complete the configuration, you need the following data:
l ID of the VLAN that each interface belongs to
l Static IP addresses from which packets are forwarded
l Alarm threshold
NOTE
This configuration example provides only the commands related to the DHCP snooping configuration.
Procedure
Step 1 Enable DHCP snooping. # Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable
Step 2 Configure the interface as the trusted interface or an untrusted interface. # Configure the interface on the DHCP server side as the trusted interface.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] dhcp snooping trusted
[Quidway-GigabitEthernet0/0/1] quit
# Configure the user-side interface as an untrusted interface. After DHCP snooping is enabled on GE 0/0/2, GE 0/0/2 is an untrusted interface by default.
Step 3 Configure the function of checking DHCP Request messages and the alarm function for discarded packets.
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] dhcp snooping check dhcp-request enable alarm dhcp-request enable threshold 120
[Quidway-GigabitEthernet0/0/2] quit
Step 4 Check the DHCP snooping binding entries. Run the display dhcp snooping user-bind all command to view all the DHCP snooping binding entries of users.
<Quidway> display dhcp snooping user-bind all
DHCP Dynamic Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - map vlan
IP Address       MAC Address     VSI/VLAN(O/I/P)  Interface        Lease
--------------------------------------------------------------------------------
10.1.1.3         0000-005e-008a  3   /--  /--     Ethernet0/0/2    2010.08.14-12:58
--------------------------------------------------------------------------------
print count:           1          total count:           1
Step 5 Verify the configuration. Run the display dhcp snooping global command on the Switch, and you can view that DHCP snooping is enabled globally and on the interface.
<Quidway> display dhcp snooping global
 dhcp snooping enable
 Dhcp snooping enable is configured at vlan :NULL
 Dhcp snooping enable is configured at interface : GigabitEthernet0/0/2
 Dhcp snooping trusted is configured at interface : GigabitEthernet0/0/1
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 45
<Quidway> display dhcp snooping interface gigabitethernet 0/0/1
 dhcp snooping trusted
 dhcp packet dropped by untrust-reply checking = 0
<Quidway> display dhcp snooping interface gigabitethernet 0/0/2
 dhcp snooping enable
 dhcp snooping check dhcp-request enable alarm dhcp-request threshold 120
 dhcp packet dropped by dhcp-request checking = 45
 dhcp packet dropped by untrust-reply checking = 0
----End
Configuration Files
#
 dhcp enable
 dhcp snooping enable
#
interface GigabitEthernet0/0/1
 dhcp snooping trusted
#
interface GigabitEthernet0/0/2
 dhcp snooping enable
 dhcp snooping check dhcp-request enable alarm dhcp-request threshold 120
#
return
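The two user-side checks configured in the preceding examples (the CHADDR check of 3.10.2 and the binding-table check of DHCP Request messages of 3.10.3), together with the untrusted-reply check, are simulated below in Python. This is an added example written for this page, not Huawei code and not a description of the S2300 implementation; the DHCP packet layout follows RFC 2131, the DHCP messages are constructed test data, and the alarm model (one alarm when the per-check drop counter reaches the threshold) is a simplification of the "drop count within alarm range" counters shown above.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Set

DHCP_MAGIC = b"\x63\x82\x53\x63"                   # RFC 2131 options magic cookie
OPT_MSG_TYPE, OPT_REQUESTED_IP, OPT_END = 53, 50, 255
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPREQUEST, DHCPDECLINE, DHCPACK, DHCPRELEASE = 3, 4, 5, 7   # RFC 2132 values
CHECKED_TYPES = {DHCPREQUEST, DHCPDECLINE, DHCPRELEASE}        # matched against the binding table


@dataclass(frozen=True)
class Binding:            # one DHCP snooping binding entry
    ip: str
    mac: str
    vlan: int
    interface: str


def parse_dhcp(payload: bytes) -> dict:
    """Return op, message type, CHADDR (Huawei xxxx-xxxx-xxxx notation), ciaddr and requested IP."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    hlen = payload[2]
    raw = payload[28:28 + hlen].hex()
    msg = {"op": payload[0], "type": None, "ciaddr": ".".join(map(str, payload[12:16])),
           "chaddr": "-".join(raw[i:i + 4] for i in range(0, len(raw), 4)), "requested_ip": None}
    i = 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0:                       # pad option has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == OPT_MSG_TYPE:
            msg["type"] = value[0]
        elif code == OPT_REQUESTED_IP:
            msg["requested_ip"] = ".".join(map(str, value))
        i += 2 + length
    if msg["type"] is None:
        raise ValueError("DHCP message type option missing")
    return msg


def build_dhcp(op, msg_type, mac, ciaddr="0.0.0.0", requested_ip=None):
    """Construct a minimal DHCP message (test data, not a captured packet)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234, 0, 0)
    hdr += bytes(int(x) for x in ciaddr.split(".")) + b"\x00" * 12   # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes.fromhex(mac.replace("-", "")) + b"\x00" * 10         # chaddr (16 bytes)
    hdr += b"\x00" * 192                                              # sname + file
    opts = DHCP_MAGIC + bytes([OPT_MSG_TYPE, 1, msg_type])
    if requested_ip:
        opts += bytes([OPT_REQUESTED_IP, 4]) + bytes(int(x) for x in requested_ip.split("."))
    return hdr + opts + bytes([OPT_END])


@dataclass
class SnoopingInterface:
    name: str
    vlan: int
    trusted: bool = False
    check_chaddr: bool = False
    check_request: bool = False
    alarm_threshold: int = 100
    drops: Dict[str, int] = field(default_factory=lambda: {"dhcp-chaddr": 0, "dhcp-request": 0, "untrust-reply": 0})
    alarms: List[str] = field(default_factory=list)

    def _drop(self, reason: str) -> bool:
        self.drops[reason] += 1
        if self.drops[reason] == self.alarm_threshold:   # simplified alarm model (assumption)
            self.alarms.append(f"{self.name}: {reason} drops reached {self.alarm_threshold}")
        return False

    def handle(self, src_mac: str, payload: bytes, bindings: Set[Binding]) -> bool:
        """Return True when the message is forwarded, False when it is discarded."""
        msg = parse_dhcp(payload)
        if msg["op"] == BOOTREPLY and not self.trusted:       # server reply on an untrusted port
            return self._drop("untrust-reply")
        if self.check_chaddr and msg["chaddr"] != src_mac:    # CHADDR must equal the frame source MAC
            return self._drop("dhcp-chaddr")
        if self.check_request and msg["type"] in CHECKED_TYPES:
            ip = msg["ciaddr"] if msg["ciaddr"] != "0.0.0.0" else msg["requested_ip"]
            if Binding(ip, msg["chaddr"], self.vlan, self.name) not in bindings:
                return self._drop("dhcp-request")
        return True


def demo():
    bindings = {Binding("10.1.1.3", "0000-005e-008a", 3, "GigabitEthernet0/0/2")}
    ge2 = SnoopingInterface("GigabitEthernet0/0/2", vlan=3, check_chaddr=True,
                            check_request=True, alarm_threshold=120)
    legit = build_dhcp(BOOTREQUEST, DHCPREQUEST, "0000-005e-008a", ciaddr="10.1.1.3")
    # attacker renews the victim's lease: CHADDR copied from the victim, frame sent from its own MAC
    chaddr_spoof = build_dhcp(BOOTREQUEST, DHCPREQUEST, "0000-005e-008a", ciaddr="10.1.1.3")
    # attacker releases the victim's address from its own MAC: no binding entry matches
    bogus_release = build_dhcp(BOOTREQUEST, DHCPRELEASE, "0000-005e-00ff", ciaddr="10.1.1.3")
    rogue_ack = build_dhcp(BOOTREPLY, DHCPACK, "0000-005e-008a")   # DHCPACK from a bogus server
    results = [ge2.handle("0000-005e-008a", legit, bindings),
               ge2.handle("0000-005e-00ff", chaddr_spoof, bindings),
               ge2.handle("0000-005e-00ff", bogus_release, bindings),
               ge2.handle("0000-005e-0001", rogue_ack, bindings)]
    return results, dict(ge2.drops)
```

Note that the CHADDR check alone does not stop an attacker who also forges the Ethernet source MAC; the binding-table check is what then rejects the Request or Release, because the (IP, MAC, VLAN, interface) tuple still has to match an entry learned on that very port.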
Networking Requirements
As shown in Figure 3-5, to prevent the attacker from sending a large number of DHCP Request messages, DHCP snooping must be enabled on the Switch to limit the rate at which DHCP Request messages are sent to the protocol stack. At the same time, the alarm function for discarded packets needs to be enabled.

Figure 3-5 Networking diagram for limiting the rate of sending DHCP messages (diagram: the attacker and the DHCP client sit on Layer 2 networks attached to Ethernet 0/0/1 and Ethernet 0/0/2 of the Switch; GE0/0/1 leads through the DHCP relay and the Layer 3 network to the DHCP server)
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and in the interface view.
2. Configure the interface connected to the DHCP server as the trusted interface.
3. Set the rate of sending DHCP Request messages to the protocol stack on interfaces.
4. Configure the alarm function for discarded packets on interfaces.
Data Preparation
To complete the configuration, you need the following data:
l Rate of sending DHCP Request messages
l Alarm threshold
NOTE
This configuration example provides only the commands related to the DHCP snooping configuration.
Procedure
Step 1 Enable DHCP snooping. # Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable
# Enable DHCP snooping on the user-side interface. The configuration procedures of Ethernet 0/0/2 and GE0/0/1 are similar to that of Ethernet 0/0/1 and are not described here.
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] dhcp snooping enable
[Quidway-Ethernet0/0/1] quit
Step 2 Configure the interface as the trusted interface or an untrusted interface. # Configure the interface on the DHCP server side as the trusted interface.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] dhcp snooping trusted
[Quidway-GigabitEthernet0/0/1] quit
# Configure the user-side interfaces as untrusted interfaces. After DHCP snooping is enabled on Ethernet 0/0/1 and Ethernet 0/0/2, they are untrusted interfaces by default.
Step 3 Configure the rate of sending DHCP messages to the DHCP protocol stack and the alarm function for discarded packets.
# Configure the rate of sending DHCP messages to the DHCP protocol stack and the alarm function for discarded packets on the interfaces. The configuration procedures of Ethernet 0/0/2 and GE0/0/1 are similar to that of Ethernet 0/0/1 and are not described here.
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] dhcp snooping check dhcp-rate enable 50 alarm dhcp-rate enable threshold 50
[Quidway-Ethernet0/0/1] quit
Step 4 Verify the configuration. Run the display dhcp snooping global command on the Switch to check that DHCP snooping is enabled globally and on the interfaces.
[Quidway] display dhcp snooping global
 dhcp snooping enable
 Dhcp snooping enable is configured at these vlan :NULL
 Dhcp snooping enable is configured at these interface : Ethernet0/0/1 Ethernet0/0/2 GigabitEthernet0/0/1
 Dhcp snooping trusted is configured at these interface : GigabitEthernet0/0/1
 Dhcp option82 insert is configured at these interface :NULL
 Dhcp option82 rebuild is configured at these interface :NULL
 Dhcp option82 insert is configured at these vlan :NULL
 Dhcp option82 rebuild is configured at these vlan :NULL
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 0
Run the display dhcp snooping interface command on the Switch, and you can view the configuration of DHCP snooping in interface view.
[Quidway] display dhcp snooping interface gigabitethernet0/0/1
 dhcp snooping trusted
 dhcp snooping check dhcp-rate enable 50 alarm dhcp-rate enable threshold 50
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 0
 dhcp packet dropped by untrust-reply checking = 0
[Quidway] display dhcp snooping interface ethernet 0/0/1
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable 50 alarm dhcp-rate enable threshold 50
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 0
 dhcp packet dropped by untrust-reply checking = 0
[Quidway] display dhcp snooping interface Ethernet 0/0/2
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable 50 alarm dhcp-rate enable threshold 50
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 0
 dhcp packet dropped by untrust-reply checking = 0
----End
Configuration Files
#
 dhcp enable
 dhcp snooping enable
#
interface Ethernet0/0/1
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable 50 alarm dhcp-rate enable threshold 50
#
interface Ethernet0/0/2
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable 50 alarm dhcp-rate enable threshold 50
#
interface GigabitEthernet0/0/1
 dhcp snooping enable
 dhcp snooping trusted
 dhcp snooping check dhcp-rate enable 50 alarm dhcp-rate enable threshold 50
#
return
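The rate limit and alarm of this example can be reasoned about with the following added Python model (written for this page; not Huawei code and not the S2300 implementation). It interprets dhcp snooping check dhcp-rate enable 50 as "at most 50 DHCP messages per one-second window are handed to the protocol stack" and alarm dhcp-rate enable threshold 50 as "raise an alarm every time 50 messages have been discarded"; both readings, the one-second window and the counter restarting after each alarm, are assumptions. Timestamps are supplied by the caller so the run is deterministic, and the traffic is constructed.

```python
from collections import deque


class DhcpRateLimiter:
    """Per-interface limit on DHCP messages sent to the protocol stack (sliding one-second window)."""

    def __init__(self, interface, rate_pps, alarm_threshold, window=1.0):
        self.interface = interface
        self.rate = rate_pps                  # messages per window allowed through
        self.alarm_threshold = alarm_threshold
        self.window = window                  # assumption: a one-second window
        self._accepted = deque()              # arrival times of messages passed to the stack
        self.dropped_total = 0                # "dhcp packet drop count total"
        self.dropped_in_alarm_range = 0       # "dhcp packet drop count within alarm range"
        self.alarms = []

    def offer(self, now):
        """Return True if a DHCP message arriving at time `now` is passed to the stack."""
        while self._accepted and now - self._accepted[0] >= self.window:
            self._accepted.popleft()          # forget messages that left the window
        if len(self._accepted) < self.rate:
            self._accepted.append(now)
            return True
        self.dropped_total += 1
        self.dropped_in_alarm_range += 1
        if self.dropped_in_alarm_range >= self.alarm_threshold:
            self.alarms.append(f"{self.interface}: dropped {self.dropped_in_alarm_range} "
                               f"DHCP messages (limit {self.rate} pps)")
            self.dropped_in_alarm_range = 0   # assumption: the in-range counter restarts after an alarm
        return False


def flood(limiter, start, count, interval):
    """Feed `count` messages spaced `interval` seconds apart; return (passed, dropped)."""
    passed = sum(limiter.offer(start + i * interval) for i in range(count))
    return passed, count - passed


def demo():
    eth1 = DhcpRateLimiter("Ethernet0/0/1", rate_pps=50, alarm_threshold=50)
    normal = flood(eth1, 0.0, 10, 0.1)        # a real client: 10 messages in one second
    attack = flood(eth1, 10.0, 200, 0.001)    # an attacker: 200 DHCP messages within 0.2 s
    return normal, attack, eth1.dropped_total, len(eth1.alarms)
```

The limiter protects the switch CPU, not the DHCP server's address pool: the first 50 messages of the burst still reach the stack, which is why the CHADDR and binding-table checks of the previous examples are configured alongside it.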
Networking Requirements
As shown in Figure 3-6, DHCP clients are connected to the Switch through VLAN 10. DHCP client1 uses a dynamically allocated IP address and DHCP client2 uses a statically configured IP address. DHCP snooping must be configured on user-side interfaces Ethernet 0/0/1 and Ethernet 0/0/2 of the Switch to prevent the following types of attacks:
l Bogus DHCP server attacks
l DoS attacks by changing the value of the CHADDR field
l Attacks by sending bogus messages to extend IP address leases
l Attacks by sending a large number of DHCP Request messages
Figure 3-6 (diagram: DHCP server, Switch, DHCP client1 and DHCP client2; only the labels DHCP server and DHCP client1 were recovered)
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and in the interface view.
2. Configure interfaces to be trusted or untrusted to prevent bogus DHCP server attacks.
3. Configure the DHCP snooping binding table and check DHCP Request messages by matching them with entries in the binding table to prevent attackers from sending bogus DHCP messages for extending IP address leases.
4. Configure the function of checking the CHADDR field in DHCP Request messages to prevent attackers from changing the CHADDR field in DHCP Request messages.
5. Set the rate of sending DHCP Request messages to the protocol stack to prevent attackers from sending a large number of DHCP Request messages.
6. Configure the Option 82 function.
7. Configure the alarm function for discarded packets.
Data Preparation
To complete the configuration, you need the following data:
l VLAN that the interface belongs to: VLAN 10
l Ethernet 0/0/1 and Ethernet 0/0/2 being untrusted interfaces and GE 0/0/1 being the trusted interface
l Static IP address from which packets are forwarded: 10.1.1.1/24, with corresponding MAC address 0001-0002-0003
l Rate of sending DHCP messages to the protocol stack: 90
l Mode of the Option 82 function: insert
l Alarm threshold of the number of discarded packets: 120
NOTE
This configuration example provides only the commands related to the DHCP snooping configuration.
Procedure
Step 1 Enable DHCP snooping. # Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable
# Enable DHCP snooping on the user-side interfaces. The configuration procedure of Ethernet 0/0/2 is the same as that of Ethernet 0/0/1 and is not described here.
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] dhcp snooping enable
[Quidway-Ethernet0/0/1] quit
Step 2 Configure the interface as trusted. # Configure the interface connecting to the DHCP server as the trusted interface and enable DHCP snooping on all the interfaces connecting to the DHCP client. If the interface on the client side is not configured as trusted, the default mode of the interface is untrusted after DHCP snooping is enabled on the interface. This prevents bogus DHCP server attacks.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] dhcp snooping trusted
[Quidway-GigabitEthernet0/0/1] quit
Step 3 Configure the checking for certain types of packets and alarm function. # Enable the checking of DHCP Request messages and alarm function on the interfaces on the DHCP client side to prevent attackers from sending bogus DHCP messages for extending IP address leases. The configuration of Ethernet 0/0/2 is the same as the configuration of Ethernet 0/0/1, and is not mentioned here.
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] dhcp snooping check dhcp-request enable alarm dhcp-request enable threshold 120
# Enable the checking of the CHADDR field and alarm function on the interfaces on the DHCP client side to prevent attackers from changing the CHADDR field in DHCP Request messages. The configuration of Ethernet 0/0/2 is the same as the configuration of Ethernet 0/0/1, and is not mentioned here.
[Quidway-Ethernet0/0/1] dhcp snooping check dhcp-chaddr enable alarm dhcp-chaddr enable threshold 120
[Quidway-Ethernet0/0/1] quit
Step 4 Configure and check the DHCP snooping binding entries.
# Configure a static binding entry for DHCP client2, which uses a static IP address (this is the user-bind static entry that appears in the configuration file at the end of this example).
[Quidway] user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface ethernet 0/0/2 vlan 10
# Run the display dhcp snooping user-bind all command to view the DHCP snooping binding entries of users.
<Quidway> display dhcp snooping user-bind all
DHCP Dynamic Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - map vlan
IP Address       MAC Address     VSI/VLAN(O/I/P)  Interface        Lease
--------------------------------------------------------------------------------
10.1.1.1         0001-0002-0003  10  /--  /--     Ethernet0/0/2    2010.08.14-12:58
Step 5 Limit the rate of sending DHCP messages. # Limit the rate of sending DHCP messages to the protocol stack to prevent attackers from flooding the Switch with DHCP Request messages.
[Quidway] dhcp snooping check dhcp-rate enable
[Quidway] dhcp snooping check dhcp-rate 90
Step 6 Configure the Option 82 function. # Configure the user-side interface to append the Option 82 field to DHCP messages. The configuration of Ethernet 0/0/2 is the same as the configuration of Ethernet 0/0/1, and is not mentioned here.
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] dhcp option82 insert enable
[Quidway-Ethernet0/0/1] quit
Step 7 Configure the alarm function for discarded packets. # Enable the alarm function for discarded DHCP Reply packets, and set the alarm threshold of the number of discarded packets. The configuration of Ethernet 0/0/2 is similar to the configuration of Ethernet 0/0/1, and is not mentioned here.
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] dhcp snooping alarm dhcp-reply enable threshold 120
[Quidway-Ethernet0/0/1] quit
Step 8 Verify the configuration. Run the display dhcp snooping global command on the Switch, and you can view that DHCP snooping is enabled globally. You can also view the statistics on alarms.
[Quidway] display dhcp snooping global
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable
 dhcp snooping check dhcp-rate 90
 Dhcp snooping enable is configured at these vlan :NULL
 Dhcp snooping enable is configured at these interface : Ethernet0/0/1 Ethernet0/0/2
 Dhcp snooping trusted is configured at these interface : GigabitEthernet0/0/1
 Dhcp option82 insert is configured at these interface : Ethernet0/0/1 Ethernet0/0/2
 Dhcp option82 rebuild is configured at these interface :NULL
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 0
Run the display dhcp snooping interface command, and you can view information about DHCP snooping on the interface.
[Quidway] display dhcp snooping interface Ethernet 0/0/1
 dhcp snooping enable
 dhcp option82 insert enable
 dhcp snooping check dhcp-request enable alarm dhcp-request threshold 120
 dhcp packet dropped by dhcp-request checking = 0
 dhcp snooping check dhcp-chaddr enable alarm dhcp-chaddr enable threshold 120
 dhcp packet dropped by dhcp-chaddr checking = 0
 dhcp snooping alarm dhcp-reply enable threshold 120
 dhcp packet dropped by untrust-reply checking = 0
[Quidway] display dhcp snooping interface gigabitethernet 0/0/1
 dhcp snooping trusted
 dhcp packet dropped by untrust-reply checking = 0
Run the display dhcp static user-bind all command, and you can view all the DHCP static binding entries of users.
<Quidway> display dhcp static user-bind all
DHCP static Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - map vlan
IP Address       MAC Address     VSI/VLAN(O/I/P)  Interface        Lease
--------------------------------------------------------------------------------
10.1.1.1         0001-0002-0003  10  /--  /--     Ethernet0/0/2    2010.08.14-12:58
--------------------------------------------------------------------------------
print count:           1          total count:           1
Run the display dhcp option82 interface command, and you can view the configuration of Option 82 on the interface.
[Quidway] display dhcp option82 interface Ethernet 0/0/1
 dhcp option82 insert enable
----End
Configuration Files
#
 dhcp enable
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable
 dhcp snooping check dhcp-rate 90
#
 user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface Ethernet 0/0/2 vlan 10
#
interface Ethernet0/0/1
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 dhcp snooping check dhcp-chaddr enable alarm dhcp-chaddr enable threshold 120
 dhcp snooping check dhcp-request enable alarm dhcp-request enable threshold 120
 dhcp option82 insert enable
#
interface Ethernet0/0/2
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 dhcp snooping check dhcp-chaddr enable alarm dhcp-chaddr enable threshold 120
 dhcp snooping check dhcp-request enable alarm dhcp-request enable threshold 120
 dhcp option82 insert enable
#
interface GigabitEthernet0/0/1
 dhcp snooping trusted
#
return
4 IP Source Guard Configuration

About This Chapter

4.1 Overview of IP Source Guard
This section describes the principle of IP source guard.
4.2 IP Source Guard Features Supported by the S2300
This section describes how the IP source guard feature is supported on the S2300.
4.3 Configuring IP Source Guard
This section describes how to configure IP source guard.
4.4 Configuration Examples
This section provides a configuration example of IP source guard.
4.1 Overview of IP Source Guard
IP source guard filters the IP packets received on interfaces so that invalid packets cannot pass through the interfaces, which improves interface security. In an IP/MAC spoofing attack, the attacker sends packets carrying the IP address and MAC address of an authorized user to the server. The server takes the attacker for the authorized user and learns the IP address and MAC address, and the real user can no longer obtain service from the server. Figure 4-1 shows the IP/MAC spoofing attack.

Figure 4-1 Diagram of IP/MAC spoofing attack (diagram: DHCP server; a host with IP 1.1.1.1/24 and MAC 1-1-1; a host with IP 1.1.1.3/24 and MAC 3-3-3; Switch)
To prevent the IP/MAC spoofing attack, you can configure the IP source guard function on the S2300. Then the S2300 matches the IP packets reaching an interface with the entries in the binding table. If the packets match entries in the binding table, the packets can pass through the interface; otherwise, the packets are discarded.
4.2 IP Source Guard Features Supported by the S2300
The IP source guard feature checks IP packets against the binding table, whose entries consist of source IP address, source MAC address, interface, and VLAN. For example, in the interface view you can configure the IP packet check based on:
l IP+MAC
l IP+VLAN
l IP+MAC+VLAN
l ...
In the VLAN view you can configure the IP packet check based on:
l IP+MAC
l IP+Interface
l IP+MAC+Interface
The S2300 provides two binding mechanisms:
l After the DHCP snooping function is enabled for DHCP users, the binding table is generated dynamically for the DHCP users.
l When users use static IP addresses, you configure the binding table by running commands.
Applicable Environment
After the IP source guard function is configured on the S2300, the S2300 checks the IP packets according to the binding table. Only the IP packets that match the content of the binding table can be forwarded; the other IP packets are discarded.
Pre-configuration Tasks
Before configuring IP source guard, complete the following tasks:
l 3.3.2 Enabling DHCP Snooping, if there are DHCP users
Data Preparation
To configure IP source guard, you need the following data.
1. (Optional) User information in a static binding entry, including the IPv4 or IPv6 address, MAC address, VLAN ID, and interface number of the user
2. Type and number of the interface enabled with the IP source guard function
3. Alarm threshold for checking the received IP packets
Procedure
Step 1 Run:
system-view
The IP source guard function is enabled on the interface. By default, the IP source guard function is disabled on the S2300. ----End
Procedure
Step 1 Run:
system-view
The check items of IP packets are configured. When receiving an IP packet, the interface checks the IP packet according to the check items, including the source IPv4 address, source MAC address, VLAN, or the combination of these three items. If the IP packet matches the binding table according to the check items, the packet is forwarded; otherwise, the packet is discarded. By default, the check items consist of the IPv4 address, IPv6 address, MAC address, VLAN ID, and interface number.
----End
Procedure
Step 1 Run:
system-view
The alarm function of IP source guard is enabled. By default, the alarm function of IP source guard is disabled.
CAUTION
The IP packet check function cannot be configured in both the VLAN view and the interface view; otherwise, the IP packet check alarm does not take effect.
Step 4 Run:
ip source check user-bind alarm threshold threshold
The alarm threshold of IP source guard is set. By default, the alarm threshold of IP source guard is 100. ----End
4.3.6 (Optional) Configuring the Function of Discarding IP Packets with the Same Source and Destination IP Addresses
Procedure
Step 1 Run:
system-view
The function of discarding IP packets with the same source and destination IP addresses is enabled. By default, IP packets with the same source and destination IP addresses are not discarded. ----End
Procedure
Step 1 Run the display dhcp static user-bind { interface interface-type interface-number | ip-address ip-address | ipsg-status | mac-address mac-address | vlan vlan-id [ interface interface-type interface-number ] | all [ verbose ] } command to view information about the static binding table.
Step 2 Run the display ip source check user-bind interface interface-type interface-number command to view the configuration of the IP source guard function on the interface. ----End
[Figure, networking for the IP source guard example: Host A (IP 10.0.0.1/24, MAC 1-1-1) is connected to Ethernet0/0/1 of the Switch; Host B, the attacker (IP 10.0.0.2/24, MAC 2-2-2), is connected to Ethernet0/0/2 and sends packets with source IP 10.0.0.1/24 and source MAC 2-2-2]
Configuration Roadmap
Assume that the user obtains an IP address through DHCP. The configuration roadmap is as follows:
1. Enable the IP source guard function on the interfaces connected to Host A and Host B.
2. Configure a static binding table.
Data Preparation
To complete the configuration, you need the following data:
l Interface connected to Host A: Ethernet 0/0/1; interface connected to Host B: Ethernet 0/0/2
l IP address of Host A: 10.0.0.1/24; MAC address of Host A: 1-1-1
l VLAN where Host A resides: VLAN 10
NOTE
This configuration example provides only the commands related to the IP Source Guard configuration.
Procedure
Step 1 Enable the IP source guard function. # Enable the IP source guard function on Ethernet 0/0/1 connected to Host A.
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] ip source check user-bind enable
# Enable the alarm function for checking the received IP packets on Ethernet 0/0/1 connected to Host A.
[Quidway-Ethernet0/0/1] ip source check user-bind alarm enable
[Quidway-Ethernet0/0/1] ip source check user-bind alarm threshold 200
[Quidway-Ethernet0/0/1] quit
# Enable the IP source guard function and the alarm function for checking the received IP packets on Ethernet 0/0/2 connected to Host B (the interface must be entered and the check enabled first, as in the configuration file at the end of this example).
[Quidway] interface ethernet 0/0/2
[Quidway-Ethernet0/0/2] ip source check user-bind enable
[Quidway-Ethernet0/0/2] ip source check user-bind alarm enable
[Quidway-Ethernet0/0/2] ip source check user-bind alarm threshold 200
[Quidway-Ethernet0/0/2] quit
Step 2 Configure a static binding entry. After Host A goes online, the system allocates IP address 10.0.0.1/24 to it and it uses MAC address 1-1-1. Bind this address pair to Ethernet 0/0/1 in VLAN 10 (this is the user-bind static entry shown in the configuration file at the end of this example).
[Quidway] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface ethernet 0/0/1 vlan 10
Step 3 Verify the configuration. Run the display dhcp snooping user-bind all command on the Switch to view the binding table.
<Quidway> display dhcp snooping user-bind all
DHCP static Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - map vlan
IP Address       MAC Address     VSI/VLAN(O/I/P)  Interface
--------------------------------------------------------------------------------
10.0.0.1         0001-0001-0001  10  /--  /--     Eth0/0/1
--------------------------------------------------------------------------------
print count:           1          total count:           1
The preceding information indicates that Host A exists in the static binding table, whereas Host B does not exist. ----End
Configuration Files
#
 user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface Ethernet 0/0/1 vlan 10
#
interface Ethernet0/0/1
 ip source check user-bind enable
 ip source check user-bind alarm enable
 ip source check user-bind alarm threshold 200
#
interface Ethernet0/0/2
 ip source check user-bind enable
 ip source check user-bind alarm enable
 ip source check user-bind alarm threshold 200
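The filtering decision that IP source guard makes (sections 4.2 and 4.3, and the Host A / Host B scenario of this example) is modelled below in Python. This is an added example written for this page, not Huawei code and not the S2300 implementation. It matches each IP packet against the binding table on the configured check items (IP plus any of MAC, VLAN and interface), counts discards per interface towards the alarm threshold, and includes the optional check of section 4.3.6 (same source and destination IP address). The binding entry and the packets reproduce the example's data and are constructed; the name of the drop reasons and the alarm model are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Binding:                # one entry of the (static or DHCP snooping) binding table
    ip: str
    mac: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class IpPacket:
    in_interface: str
    vlan: int
    src_mac: str
    src_ip: str
    dst_ip: str


ALL_ITEMS = {"ip", "mac", "vlan", "interface"}   # default check items (section 4.3)


@dataclass
class IpSourceGuard:
    bindings: Set[Binding]
    enabled_interfaces: Set[str]                        # interfaces with "ip source check user-bind enable"
    check_items: Dict[str, Set[str]] = field(default_factory=dict)   # per-interface check items
    drop_same_src_dst: bool = False                     # section 4.3.6
    alarm_threshold: int = 100                          # default alarm threshold
    drops: Dict[str, int] = field(default_factory=dict)
    alarms: List[str] = field(default_factory=list)

    def _matches(self, pkt: IpPacket, items: Set[str]) -> bool:
        for b in self.bindings:
            if b.ip != pkt.src_ip:                      # the source IP is always compared
                continue
            if "mac" in items and b.mac != pkt.src_mac:
                continue
            if "vlan" in items and b.vlan != pkt.vlan:
                continue
            if "interface" in items and b.interface != pkt.in_interface:
                continue
            return True
        return False

    def _drop(self, pkt: IpPacket, reason: str) -> str:
        n = self.drops.get(pkt.in_interface, 0) + 1
        self.drops[pkt.in_interface] = n
        if n == self.alarm_threshold:                   # simplified alarm model (assumption)
            self.alarms.append(f"{pkt.in_interface}: {n} IP packets discarded by IP source guard")
        return f"drop: {reason}"

    def forward(self, pkt: IpPacket) -> str:
        """Return 'forward' or 'drop: <reason>' for one received IP packet."""
        if self.drop_same_src_dst and pkt.src_ip == pkt.dst_ip:
            return self._drop(pkt, "same source and destination IP")
        if pkt.in_interface not in self.enabled_interfaces:
            return "forward"                            # check not enabled on this interface
        items = self.check_items.get(pkt.in_interface, ALL_ITEMS)
        if self._matches(pkt, items):
            return "forward"
        return self._drop(pkt, "no matching binding entry")


def demo():
    guard = IpSourceGuard(bindings={Binding("10.0.0.1", "0001-0001-0001", 10, "Ethernet0/0/1")},
                          enabled_interfaces={"Ethernet0/0/1", "Ethernet0/0/2"},
                          drop_same_src_dst=True, alarm_threshold=200)
    host_a = IpPacket("Ethernet0/0/1", 10, "0001-0001-0001", "10.0.0.1", "10.0.0.254")
    # Host B (attacker) spoofs Host A's IP address but sends from its own MAC on Ethernet0/0/2
    host_b_spoof = IpPacket("Ethernet0/0/2", 10, "0002-0002-0002", "10.0.0.1", "10.0.0.254")
    host_b_own = IpPacket("Ethernet0/0/2", 10, "0002-0002-0002", "10.0.0.2", "10.0.0.254")  # no binding
    land = IpPacket("Ethernet0/0/2", 10, "0002-0002-0002", "10.0.0.254", "10.0.0.254")     # src == dst
    results = [guard.forward(p) for p in (host_a, host_b_spoof, host_b_own, land)]
    return results, dict(guard.drops)


def weak_check():
    """Caveat: with check items IP+VLAN only, Host B's spoofed packet is forwarded."""
    guard = IpSourceGuard(bindings={Binding("10.0.0.1", "0001-0001-0001", 10, "Ethernet0/0/1")},
                          enabled_interfaces={"Ethernet0/0/2"},
                          check_items={"Ethernet0/0/2": {"ip", "vlan"}})
    return guard.forward(IpPacket("Ethernet0/0/2", 10, "0002-0002-0002", "10.0.0.1", "10.0.0.254"))
```

The weak_check function shows why the choice of check items matters: an IP+VLAN check only asks whether 10.0.0.1 is bound somewhere in VLAN 10, so a MAC-spoofing attacker on another port passes. Keeping MAC and interface in the check items, as the default does, is what ties the address to the port where Host A actually lives.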
Applicable Environment
When a large number of users access the S2300, the CPU of the S2300 may be attacked with packets sent by attackers, or it may simply have to process a large number of packets.
Pre-configuration Tasks
Before configuring an attack defense policy, complete the following tasks:
l Connecting interfaces and setting the physical parameters of each interface to ensure that the physical layer is in Up state
5.1.2 (Optional) Configuring the Rule for Sending Packets to the CPU
The rule for sending packets to the CPU can be car or deny.
Context
NOTE
The rule applied to the same packet sent to the CPU can be car or deny. If both car and deny are set, the rule that was configured later takes effect. You are advised to use the default CAR value on the S2300. The rate limit for packets in queues takes precedence over the rate limit for all the packets on an interface.
Procedure
Step 1 Run:
system-view
Step 3 Run:
cp-car { total | queue queue-index } speed speed-value (S2300EI)
or
cp-car total speed speed-value (S2300SI)
The maximum rate of packets sent to the CPU is set. The maximum rate of packets in a queue sent to the CPU cannot be set on the S2300SI.
CAUTION
After the cp-car command is used, the maximum rate of packets sent to the CPU is affected. Exercise caution when you run the cp-car command. ----End
6 PPPoE+ Configuration

About This Chapter
6.1 PPPoE+ Overview This section describes the principle of PPPoE+. 6.2 PPPoE+ Features Supported by the S2300 This section describes the PPPoE+ features supported by the S2300. 6.3 Configuring PPPoE+ This section describes how to configure PPPoE+. 6.4 Configuration Examples This section provides several configuration examples of PPPoE+.
Pre-configuration Tasks
None.
Data Preparation
To configure PPPoE+, you need the following data.
1. Interface number related to PPPoE authentication
2. Format and contents of the fields to be added to PPPoE packets
PPPoE+ is enabled globally. After the pppoe intermediate-agent information enable command is run in the system view, PPPoE+ is enabled on all the interfaces. By default, PPPoE+ is disabled globally. ----End
6.3.3 Configuring the Format and Contents of Fields to Be Added To PPPoE Packets
Context
After PPPoE+ is enabled globally, the user-side interface on the S2300 adds information in common format to the received PPPoE packets. You can modify the format of the field to be appended through this task.
Procedure
Step 1 Run:
system-view
The format and contents of fields to be added to PPPoE packets are set.
After the pppoe intermediate-agent information format command is run in the system view, all the interfaces add fields in specified format to the received PPPoE packets. ----End
6.3.4 Configuring the Action for Processing Original Fields in PPPoE Packets
Context
You can configure the action for processing original fields in PPPoE packets in the system view and in the interface view. The configuration in the system view is valid for all the interfaces. To adopt a different action on an interface, run the pppoe intermediate-agent information policy command in the interface view. In this case, the action for processing packets on the interface depends on the configuration of the interface.
Procedure
Step 1 Run:
system-view
The action for all the interfaces to process original fields in PPPoE packets is configured. l drop: removes the original fields from PPPoE packets. l keep: reserves the contents and format of original fields in PPPoE packets. l replace: replaces the original fields in PPPoE packets according to the set field format regardless of whether the packets carry the fields. By default, the user-side interface on the S2300 replaces the original fields in the received PPPoE packets after PPPoE+ is enabled globally. Step 3 (Optional) Run:
interface interface-type interface-number
The action for this interface to process original fields in PPPoE packets is configured; it overrides the system-view setting on this interface only. By default, the interface on the S2300 replaces the original information fields in PPPoE packets. ----End
PPPoE server as the trusted interface. After the trusted interface is configured, PPPoE packets sent from the PPPoE client to the PPPoE server are forwarded through the trusted interface only. In addition, only the PPPoE packets received from the trusted interface are forwarded to the PPPoE client.
NOTE
The trusted interface only controls protocol packets in PPPoE discovery period, and does not control service packets in PPPoE session period.
Procedure
Step 1 Run:
system-view
----End
[Figure, networking for the PPPoE+ example: two PPPoE clients are connected to Ethernet 0/0/1 and Ethernet 0/0/2 of the Switch, on which PPPoE+ is enabled; GE0/0/1 connects the Switch to the BRAS (PPPoE server) in the IP network]
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable PPPoE+ globally.
2. Configure the contents and format of fields to be added to PPPoE packets on the Switch.
3. Configure the action for the Switch to process PPPoE packets.
4. Configure the interface connecting the Switch and the PPPoE server as the trusted interface.
Data Preparation
None.
Procedure
Step 1 Enable PPPoE+.
<Quidway> system-view
[Quidway] pppoe intermediate-agent information enable
Step 2 Configure the format of information fields. Configure the Switch to add the circuit ID in extend format to PPPoE packets, that is, the format in hexadecimal notation is used.
[Quidway] pppoe intermediate-agent information format circuit-id extend
Step 3 Configure the action for processing original fields in PPPoE packets. Configure all the interfaces to replace original fields in PPPoE packets with the circuit ID of the Switch.
[Quidway] pppoe intermediate-agent information policy replace
Step 4 Configure the trusted interface. Configure GE 0/0/1 as the trusted interface.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] pppoe uplink-port trusted
[Quidway-GigabitEthernet0/0/1] quit
----End
Configuration Files
#
 sysname Quidway
#
 pppoe intermediate-agent information enable
 pppoe intermediate-agent information format circuit-id extend
#
interface GigabitEthernet0/0/1
 pppoe uplink-port trusted
#
return
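What the PPPoE+ function of this chapter does to a discovery packet is shown below in Python: a PADI or PADR received on a user-side interface gets a Vendor-Specific tag carrying an Agent-Circuit-Id, the policy drop, keep or replace decides what happens to such a tag if the client already sent one (6.3.4), and PADO/PADS are accepted only from the trusted uplink (6.3.5). This is an added example written for this page, not Huawei code and not the S2300 implementation. The tag layout (tag type 0x0105, vendor ID 3561, sub-tag 0x01 for Agent-Circuit-Id) is the TR-101 layout also described in RFC 4679; the circuit-id text "sysname port:vlan" is an assumption and is not the S2300 common or extend format, the behaviour of the drop policy (strip the client's tag, then insert the switch's own) is an assumption, and the packets are constructed.

```python
import struct

TAG_SERVICE_NAME, TAG_AC_NAME, TAG_VENDOR_SPECIFIC = 0x0101, 0x0102, 0x0105
VENDOR_ID_ADSL_FORUM = 3561                 # 0x00000DE9, TR-101 / RFC 4679
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 0x01, 0x02
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65
CLIENT_CODES, SERVER_CODES = {PADI, PADR}, {PADO, PADS}


def parse_pppoe(frame: bytes):
    """Return (code, session_id, [(tag_type, value), ...]) of a PPPoE discovery payload."""
    ver_type, code, session, length = struct.unpack("!BBHH", frame[:6])
    if ver_type != 0x11:
        raise ValueError("unsupported PPPoE version/type")
    tags, i, end = [], 6, 6 + length
    while i + 4 <= end:
        ttype, tlen = struct.unpack("!HH", frame[i:i + 4])
        if ttype == 0:                      # End-Of-List tag
            break
        tags.append((ttype, frame[i + 4:i + 4 + tlen]))
        i += 4 + tlen
    return code, session, tags


def build_pppoe(code: int, session: int, tags) -> bytes:
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, session, len(body)) + body


def circuit_id_tag(circuit_id: bytes):
    """Vendor-Specific tag (0x0105) carrying an Agent-Circuit-Id sub-tag."""
    sub = bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    return (TAG_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_ID_ADSL_FORUM) + sub)


class PppoePlusSwitch:
    def __init__(self, sysname: str, trusted_port: str, policy: str = "replace"):
        assert policy in ("drop", "keep", "replace")
        self.sysname, self.trusted_port, self.policy = sysname, trusted_port, policy

    def circuit_id(self, port: str, vlan: int) -> bytes:
        return f"{self.sysname} {port}:{vlan}".encode()   # assumed format, not the S2300 one

    def process(self, in_port: str, vlan: int, frame: bytes):
        """Return the frame to forward, or None when it must be dropped."""
        code, session, tags = parse_pppoe(frame)
        if code in SERVER_CODES:
            # PADO/PADS are forwarded to clients only when received on the trusted interface
            return frame if in_port == self.trusted_port else None
        if code not in CLIENT_CODES or in_port == self.trusted_port:
            return frame
        own = circuit_id_tag(self.circuit_id(in_port, vlan))
        has_vendor = any(t == TAG_VENDOR_SPECIFIC for t, _ in tags)
        others = [tv for tv in tags if tv[0] != TAG_VENDOR_SPECIFIC]
        if self.policy == "keep" and has_vendor:
            return frame                                  # leave the client's field untouched
        # "replace" always tags with our own circuit ID; "drop" strips the original field first
        # (and, as an assumption, also appends our own); with no original field all policies insert
        return build_pppoe(code, session, others + [own])


def demo():
    sw = PppoePlusSwitch("Quidway", trusted_port="GigabitEthernet0/0/1", policy="replace")
    # a client PADI that already carries a forged circuit ID (constructed)
    forged = build_pppoe(PADI, 0, [(TAG_SERVICE_NAME, b""), circuit_id_tag(b"forged-line-99")])
    _, _, tags = parse_pppoe(sw.process("Ethernet0/0/1", 1, forged))
    vendor = [v for t, v in tags if t == TAG_VENDOR_SPECIFIC]
    # a PADO from a rogue PPPoE server on a user port versus the same PADO from the uplink
    rogue_pado = build_pppoe(PADO, 0, [(TAG_SERVICE_NAME, b""), (TAG_AC_NAME, b"rogue")])
    from_user = sw.process("Ethernet0/0/2", 1, rogue_pado)
    from_uplink = sw.process("GigabitEthernet0/0/1", 1, rogue_pado)
    return vendor, from_user, from_uplink is not None
```

With policy replace the BRAS never sees the forged line identifier, which is the point of PPPoE+: the circuit ID the BRAS uses for authentication and accounting is written by the access switch, not by the subscriber.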
7 MFF Configuration

About This Chapter

This chapter describes the principle and configuration of the MAC-Forced Forwarding (MFF) function.

7.1 MFF Overview
This section describes the principle of the MFF function.
7.2 MFF Features Supported by the S2300
This section describes the MFF features supported by the S2300.
7.3 Configuring MFF
The MFF function isolates users at Layer 2 and forwards traffic through the gateway.
7.4 Configuration Examples
This section provides a configuration example of MFF.
Background
In traditional Ethernet solutions, VLANs are usually configured on switches to implement Layer 2 isolation and Layer 3 interconnection between clients. When many users need to be isolated at Layer 2, a large number of VLANs are required. In addition, to enable the clients to communicate at Layer 3, each VLAN must be assigned an IP network segment and each VLANIF interface needs an IP address, which wastes IP addresses. Such a network is also easy to attack, and malicious attacks from users on the network cannot be prevented.

The MFF function solves this problem by implementing Layer 2 isolation and Layer 3 interconnection between the clients in a broadcast domain. MFF intercepts the ARP requests from users and, acting as an ARP proxy, replies with ARP responses containing the MAC address of the gateway. In this manner, MFF forces users to send all traffic, including traffic destined for the same subnet, to the gateway so that the gateway can monitor data traffic. This prevents malicious attacks and improves network security.
- The interfaces receiving packets sent from the gateway must be configured as network-side interfaces.
- The interface role is irrelevant to the position of the interface on a network.
- On a VLAN where MFF is enabled, an interface must be a network interface or a user interface.
Static Gateway
The static gateway is applicable to the scenario where IP addresses are assigned statically. When users are assigned IP addresses statically, they cannot obtain the gateway information through DHCP packets. In this case, a static gateway address needs to be configured for each VLAN. If no static gateway address is configured, no users other than DHCP users can communicate with each other.
ARP Proxy
The Layer 3 communication between users is implemented through the ARP proxy. The ARP proxy reduces the number of broadcast packets on the user side. MFF processes ARP packets as follows:
- Responds to the ARP requests of users. MFF responds to the ARP requests of users on behalf of the gateway, so all packets of users are forwarded at Layer 3 by the gateway. The ARP request of a user may be for the gateway address or for the IP address of another user.
- Responds to ARP request packets with the user IP address and MAC address.
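The following Python model is added here as an illustration and is not part of Huawei's documentation or software. It shows the ARP handling just described: a user-side ARP request, whether for the gateway or for another user on the subnet, is answered with the gateway MAC; a request arriving on a network-side interface (for example the gateway detecting online users) is forwarded rather than proxied; and when no gateway is known, because neither DHCP nor a static gateway supplied one, nothing is answered. The interface names, the addresses (borrowed from the display output later in this chapter) and the forward/drop actions are assumptions of the model.

```python
"""Model of ARP handling on an MFF-enabled VLAN (added example, not Huawei code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ArpRequest:
    in_port: str        # interface the request arrived on
    sender_ip: str
    sender_mac: str
    target_ip: str


@dataclass
class MffVlan:
    vlan_id: int
    network_ports: set                          # interfaces facing the gateway
    gateway_ip: Optional[str] = None            # learned from DHCP or set statically
    gateway_mac: Optional[str] = None
    users: dict = field(default_factory=dict)   # user IP -> user MAC, learned from ARP

    def handle_arp(self, req: ArpRequest) -> dict:
        """Return the switch's decision for one ARP request.

        {"action": "reply", ...}   the switch answers on the gateway's behalf
        {"action": "forward", ...} the request is passed on unchanged (assumed)
        {"action": "drop", ...}    no gateway is known, so users cannot talk
        """
        if req.in_port in self.network_ports:
            # Gateway-side request, e.g. the gateway detecting online users:
            # not proxied; the model forwards it towards the addressed user.
            return {"action": "forward", "to_mac": self.users.get(req.target_ip)}
        if self.gateway_mac is None:
            # No DHCP-learned gateway and no static gateway configured.
            return {"action": "drop", "reason": "gateway unknown"}
        # Remember the requesting user so the gateway's packets can reach it.
        self.users[req.sender_ip] = req.sender_mac
        # Whether the target is the gateway itself or another user on the same
        # subnet, the reply carries the gateway MAC, so no user-to-user traffic
        # ever flows host-to-host at Layer 2; the gateway forwards and inspects it.
        return {"action": "reply", "ip": req.target_ip, "mac": self.gateway_mac}


def demo() -> MffVlan:
    """Constructed VLAN 100 mirroring the 'display mac-forced-forwarding vlan' layout."""
    vlan = MffVlan(vlan_id=100, network_ports={"GigabitEthernet0/0/1"},
                   gateway_ip="192.168.1.254", gateway_mac="00-02-00-02-00-01")
    vlan.handle_arp(ArpRequest("GigabitEthernet0/0/2", "192.168.1.10",
                               "00-01-00-01-00-01", "192.168.1.254"))   # asks for gateway
    vlan.handle_arp(ArpRequest("GigabitEthernet0/0/3", "192.168.1.11",
                               "00-01-00-01-00-02", "192.168.1.10"))    # asks for another user
    return vlan


if __name__ == "__main__":
    v = demo()
    print("User IP          User MAC            Gateway IP       Gateway MAC")
    for ip, mac in v.users.items():
        print(f"{ip:<17}{mac:<20}{v.gateway_ip:<17}{v.gateway_mac}")
```

Both requests in `demo()` receive the gateway MAC, which is exactly the point of MFF: the second user never learns the first user's real MAC address, so same-subnet traffic cannot bypass the gateway.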
Pre-configuration Tasks
Before configuring basic MFF functions, complete the following tasks. If DHCP users exist, you need to perform the following operations:
- Enabling DHCP snooping
- Configuring the trusted interface of DHCP snooping
Data Preparation
To configure the MFF function, you need the following data.
No. Data
1 VLAN ID of the MFF device
2 Type and number of the network interface to be configured
3 (Optional) IP address of the static gateway to be configured
4 (Optional) IP address of the server to be configured
Procedure
Step 1 Run:
system-view
The global MFF is enabled. By default, the global MFF is disabled.
----End
This task can be performed before the global MFF is enabled; however, it takes effect only after the global MFF is enabled.
Procedure
Step 1 Run:
system-view
The interface is configured as a network interface. By default, the interface is a user interface.
----End
Procedure
Step 1 Run:
system-view
The MFF function is enabled for the VLAN. By default, the MFF function is disabled in a VLAN.
----End
The timed gateway address detection is enabled. After the timed gateway address detection is enabled, the S2300 sends ARP packets periodically to detect the gateway. By default, the timed gateway address detection is disabled.
----End
Procedure
Step 1 Run:
system-view
The gateway is allowed to detect online users by sending ARP request packets.
----End
The inbound interface of the MFF device is configured to discard the IPv6 packets from users. This prevents IPv6 packets from being broadcast on the VLAN.
----End
----End
Example
Run the display mac-forced-forwarding network-port command, and you can see information about the network-side interface matching the MFF VLAN.
<Quidway> display mac-forced-forwarding network-port
--------------------------------------------------------------------------------
VLAN ID      Network-ports
--------------------------------------------------------------------------------
VLAN 10      Ethernet0/0/1 Ethernet0/0/2 Ethernet0/0/3
VLAN 100     Ethernet0/0/4 Ethernet0/0/5
Run the display mac-forced-forwarding vlan vlan-id command, and you can see information about MFF users and gateway on the VLAN.
<Quidway> display mac-forced-forwarding vlan 100
Servers: 192.168.1.2 192.168.1.3
--------------------------------------------------------------------
User IP          User MAC            Gateway IP       Gateway MAC
--------------------------------------------------------------------
192.168.1.10     00-01-00-01-00-01   192.168.1.254    00-02-00-02-00-01
192.168.1.11     00-01-00-01-00-02   192.168.1.254    00-02-00-02-00-01
192.168.1.12     00-01-00-01-00-03   192.168.1.252    00-02-00-02-00-03
--------------------------------------------------------------------
[Vlan 100] MFF host total count = 3
Figure: networking diagram (DHCP server SwitchC 10.10.10.1/24; SwitchB GE0/0/1, GE0/0/2, GE0/0/3; SwitchA GE0/0/1, GE0/0/2, GE0/0/3, GE0/0/4)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure DHCP snooping.
2. Enable global MFF.
3. Configure the MFF network interfaces.
4. Enable MFF for the VLAN.
5. (Optional) Enable the function of timed gateway address detection.
6. (Optional) Configure the server.
Data Preparation
To complete the configuration, you need the following data:
- VLAN ID of the MFF device
- Type and number of the network interface to be configured
- (Optional) IP address of the server to be configured
Procedure
Step 1 Configure DHCP snooping. # Enable global DHCP snooping on Switch A.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] dhcp enable
[SwitchA] dhcp snooping enable
# Enable DHCP snooping on the interfaces of the Switch A. Take the configuration on GE 0/0/1 as an example. The configurations on GE 0/0/2, GE 0/0/3, and GE 0/0/4 are similar to the configuration on GE 0/0/1 and are not mentioned here.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] dhcp snooping enable
[SwitchA-GigabitEthernet0/0/1] quit
# Enable DHCP snooping on the interfaces of Switch B. Take the configuration on GE 0/0/1 as an example. The configuration on GE 0/0/2 is similar to the configuration on GE 0/0/1 and is not mentioned here.
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] dhcp snooping enable
[SwitchB-GigabitEthernet0/0/1] quit
Step 3 Configure the MFF network interfaces. # Configure GE 0/0/1 of Switch A as the network interface.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] mac-forced-forwarding network-port
[SwitchA-GigabitEthernet0/0/1] quit
Step 4 Enable MFF for the VLAN. # Enable MFF for VLAN 10 on Switch A.
[SwitchA] vlan 10
[SwitchA-vlan10] mac-forced-forwarding enable
[SwitchB] vlan 10
[SwitchB-vlan10] mac-forced-forwarding enable
Step 5 (Optional) Enable the function of timed gateway address detection. # Enable the function of timed gateway address detection on Switch A.
[SwitchA-vlan10] mac-forced-forwarding gateway-detect
----End
Configuration Files
- Configuration file of Switch A
#
 sysname SwitchA
#
vlan 10
#
 dhcp enable
 dhcp snooping enable
 mac-forced-forwarding enable
#
vlan 10
 mac-forced-forwarding enable
 mac-forced-forwarding gateway-detect
 mac-forced-forwarding server 10.10.10.1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
 dhcp snooping enable
 dhcp snooping trusted
 mac-forced-forwarding network-port
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
 dhcp snooping enable
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 10
 dhcp snooping enable
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 10
 dhcp snooping enable
#
return
- Configuration file of Switch B
#
 sysname SwitchB
Pre-configuration Tasks
None
Data Preparation
To configure traffic suppression, you need the following data.
No. Data
1 Type and number of the interface where traffic suppression needs to be configured
2 Type of traffic (broadcast, multicast, or unknown unicast traffic) that needs to be suppressed
3 Mode in which traffic is suppressed (rate percentage on a physical interface)
4 Limited rate, including bandwidth percentage
Procedure
Step 1 Run:
system-view
Traffic suppression is configured.
- To configure traffic suppression based on the bandwidth percentage, you must select the percent-value parameter.
NOTE
- The S2300SI does not support unicast-suppression. On the S2300SI, multicast-suppression suppresses both unknown unicast and multicast packets.
- If traffic suppression is already configured for a type of traffic on an interface and a different rate is then configured for the same type of traffic, the latest configuration overrides the previous one.
----End
Prerequisite
The configurations of traffic suppression are complete.
Procedure
l Run the display flow-suppression interface interface-type interface-number command to check the configuration of traffic suppression.
----End
Example
Run the display flow-suppression interface interface-type interface-number command, and you can view the configuration of traffic suppression on a specified interface.
<Quidway> display flow-suppression interface gigabitethernet 0/0/1
storm type        rate mode     set rate value
-------------------------------------------------------------------------------
unknown-unicast   percent       percent: 80%
multicast         percent       percent: 80%
broadcast         percent       percent: 80%
-------------------------------------------------------------------------------
Figure: networking diagram (L2 network - GE0/0/1 - Switch - GE0/0/2 - L3 network)
Configuration Roadmap
Configure traffic suppression in the interface view of GE 0/0/1.
Data Preparation
To complete the configuration, you need the following data:
- GE 0/0/1 where traffic suppression is configured
- Traffic suppression for broadcast, unknown unicast and multicast packets based on the rate percentage
- Maximum rate of broadcast, unknown unicast and multicast packets being 80 percent of the interface rate after traffic suppression is configured
Procedure
Step 1 Enter the interface view.
<Quidway> system-view
[Quidway] interface gigabitethernet 0/0/1
Step 5 Verify the configuration. Run the display flow-suppression interface command, and you can view the configuration of traffic suppression on GE 0/0/1.
<Quidway> display flow-suppression interface gigabitethernet 0/0/1
storm type        rate mode     set rate value
-------------------------------------------------------------------------------
unknown-unicast   percent       percent: 80%
multicast         percent       percent: 80%
broadcast         percent       percent: 80%
-------------------------------------------------------------------------------
----End
Configuration Files
#
 sysname Quidway
#
interface gigabitethernet0/0/1
 unicast-suppression 80
 multicast-suppression 80
 broadcast-suppression 80
#
return
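The Python model below is an added illustration, not Huawei's code, of what the traffic suppression chapter describes: a frame is classified as broadcast, multicast or unknown unicast from its destination MAC and the MAC table; a percent-value becomes a rate limit relative to the physical interface rate; a later setting for the same traffic type overrides the earlier one; and on the S2300SI there is no unicast-suppression while multicast-suppression also covers unknown unicast. The link rate, MAC addresses and observed rates are constructed for the demonstration, and the S2300SI behaviour is modelled only as far as the NOTE above states it.

```python
"""Model of interface traffic suppression by rate percentage (added example, not Huawei code)."""
from dataclasses import dataclass, field
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
KINDS = ("unknown-unicast", "multicast", "broadcast")


def classify(dst_mac: str, mac_table: set) -> str:
    """Classify a frame by destination MAC the way suppression does."""
    mac = dst_mac.lower()
    if mac == BROADCAST:
        return "broadcast"
    if int(mac.split(":")[0], 16) & 0x01:        # I/G bit set: group address
        return "multicast"
    return "known-unicast" if mac in mac_table else "unknown-unicast"


@dataclass
class Suppression:
    interface_bps: int                            # physical link rate, e.g. 1 Gbit/s
    si_model: bool = False                        # True to apply the S2300SI restrictions
    percent: dict = field(default_factory=dict)   # traffic kind -> configured percent

    def configure(self, kind: str, percent: int) -> None:
        """Equivalent of unicast-/multicast-/broadcast-suppression <percent-value>."""
        if kind not in KINDS or not 0 <= percent <= 100:
            raise ValueError(f"bad suppression setting: {kind} {percent}")
        if self.si_model and kind == "unknown-unicast":
            raise ValueError("S2300SI does not support unicast-suppression")
        self.percent[kind] = percent              # the latest setting overrides the previous one

    def limit_bps(self, kind: str) -> Optional[int]:
        """Rate above which frames of this kind are dropped; None if not suppressed."""
        if self.si_model and kind == "unknown-unicast":
            kind = "multicast"                    # S2300SI: one threshold covers both kinds
        pct = self.percent.get(kind)
        return None if pct is None else self.interface_bps * pct // 100

    def exceeds(self, kind: str, observed_bps: int) -> bool:
        limit = self.limit_bps(kind)
        return limit is not None and observed_bps > limit

    def display(self) -> dict:
        """The same information 'display flow-suppression interface' shows."""
        return {k: (f"percent: {self.percent[k]}%" if k in self.percent else "unset")
                for k in KINDS}


def demo() -> Suppression:
    """Constructed GE interface with the page's 80 percent setting for all three kinds."""
    s = Suppression(interface_bps=1_000_000_000)
    for kind in KINDS:
        s.configure(kind, 80)
    return s


if __name__ == "__main__":
    s = demo()
    table = {"00:11:22:33:44:55"}                 # constructed MAC table
    for dst in ("ff:ff:ff:ff:ff:ff", "01:00:5e:00:00:01",
                "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"):
        print(f"{dst}  {classify(dst, table)}")
    for kind, value in s.display().items():
        print(f"{kind:<17}{value}")
```

The classification is the part worth keeping in mind operationally: a unicast frame only counts as "unknown unicast" while its destination is absent from the MAC table, so a flood of unicast frames to never-learned addresses is what the unicast-suppression threshold actually limits.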
9 ACL Configuration

About This Chapter

An ACL classifies packets according to its rules. After these rules are applied to the interfaces on the S2300, the S2300 can determine which packets to accept and which to reject.

9.1 Introduction to the ACL
This section describes the basic concepts and parameters of an ACL.
9.2 Classification of ACLs Supported by the S2300
This section describes the classification of ACLs supported by the S2300.
9.3 Configuring an ACL
This section describes how to create an ACL, set the time range, configure the description of an ACL, and set the step of an ACL.
9.4 Configuring ACL6
This section describes how to configure basic ACL6 and advanced ACL6.
9.5 Configuration Examples
This section provides configuration examples of the ACL.
In this manual, the ACL refers to the access control list used to filter IPv4 packets, and the ACL6 refers to the access control list used to filter IPv6 packets.
Classification of ACLs
The S2300 supports basic ACLs, advanced ACLs, and Layer 2 ACLs for IPv4 packets.
- Basic ACLs: classify and define data packets according to their source addresses, fragmentation flag, and effective time range.
- Advanced ACLs: classify and define data packets in finer detail according to the source address, destination address, source port number, destination port number, protocol type, precedence, and effective time range.
- Layer 2 ACLs: classify and define data packets according to the source MAC address, destination MAC address, and protocol type.

The S2300 supports basic ACL6s and advanced ACL6s for IPv6 packets.
- A basic ACL6 can use the source IP address, fragmentation flag, and effective time range as the elements of rules.
- An advanced ACL6 can use the source IP address and destination IP address of data packets, the protocol type carried by IP, and features of that protocol such as the source port number and destination port number as the elements of rules.
Application of ACLs
ACLs defined on the S2300 can be applied in the following scenarios:
- Hardware-based application: The ACL is sent to the hardware. For example, when QoS is configured, the ACL is imported to classify packets. Note that when the ACL is imported by QoS, the packets matching the ACL rule in deny mode are discarded. If the action in the ACL is set to permit mode, the packets matching the ACL are processed by the S2300 according to the action defined by the traffic behavior in QoS. For details on the traffic behavior, see the Quidway S2300 Series Ethernet Switches Configuration Guide - QoS.
- Software-based application: The ACL is imported by the upper-layer software. For example, when the control function is configured for login users, you can use the ACL to control FTP, Telnet and SSH users. When the S2300 functions as a TFTP client, you can configure an ACL to specify the TFTP servers that the S2300 can access through TFTP. When the ACL is imported by the upper-layer software, the packets matching the ACL are processed by the S2300 according to the action, deny or permit, defined in the ACL. For details on login user control, see the Quidway S2300 Series Ethernet Switches Configuration Guide - Basic Configurations.
NOTE
- When the ACL is sent to the hardware and imported by QoS to classify packets, the S2300 does not process packets that do not match the ACL rule according to the action defined in the traffic behavior.
- When the ACL is imported by the upper-layer software and used to control FTP, Telnet or SSH login users, the S2300 discards packets that do not match the ACL rule.
Applicable Environment
ACLs can be used in multiple services, such as routing policies and packet filtering, to distinguish the types of packets and process them accordingly.
Pre-configuration Tasks
None.
Data Preparation
To configure an ACL, you need the following data.
No. Data
1 Number or name of the ACL
2 Name of the time range when the ACL takes effect, start time, and end time
3 Description of the ACL
4 Number of the ACL rule and the rule that identifies the type of packets, including protocol, source address, source port, destination address, destination port, the type and code of Internet Control Message Protocol (ICMP), IP precedence, and Type of Service (ToS) value
5 Step of the ACL
Context
An ACL is composed of multiple lists of rules containing permit or deny clauses. Before creating an ACL rule, you need to create an ACL. To create an ACL, you need to specify the following parameters:
- When creating an ACL based on the number, you need to specify the ACL number. The ACL number specifies the type of an ACL. For example, an ACL with a number from 2000 to 2999 is a basic ACL, and an ACL with a number from 3000 to 3999 is an advanced ACL.
- When creating an ACL based on the name, you need to specify the ACL name. You can also specify the number or type for a named ACL. If the number of a named ACL is not specified, the system automatically allocates a number to the named ACL.
Procedure
- Creating an ACL based on the number
  1. Run:
system-view
  An ACL with the specified number is created. The number of a basic ACL ranges from 2000 to 2999, the number of an advanced ACL from 3000 to 3999, and the number of a Layer 2 ACL from 4000 to 4999.
- Creating an ACL based on the name
  1. Run:
system-view
  An ACL with the specified name is created. If the number of a named ACL is not specified, the S2300 automatically allocates a number to the named ACL as follows:
  - If the type of a named ACL is specified, the number allocated by the S2300 is the maximum number of that ACL type.
  - If neither the number nor the type of a named ACL is specified, the S2300 treats the named ACL as an advanced ACL and allocates 3999 to it.
  - The S2300 never allocates the same number to two named ACLs.
----End
9.3.3 (Optional) Setting the Time Range When an ACL Takes Effect
When a time range is specified for an ACL, the ACL takes effect only in this time range. If no time range is specified for the ACL, the ACL is always effective until it is deleted or the rules of the ACL are deleted.
Procedure
Step 1 Run:
system-view
You can set the same name for multiple time ranges to describe a special period. For example, three time ranges are set with the same name test:
- Time range 1: 2009-01-01 00:00 to 2009-12-31 23:59, a definite time range
- Time range 2: 8:00-18:00 on Monday to Friday, a periodic time range
- Time range 3: 14:00-18:00 on Saturday and Sunday, a periodic time range
The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in the year 2009.
----End
Procedure
Step 1 Run:
system-view
Or, run:
acl name acl-name
The description of the ACL is configured. The description of an ACL is a string of up to 127 characters, describing the usage of the ACL. By default, no description is configured for an ACL.
----End
Procedure
Step 1 Run:
system-view
A basic ACL is created based on the name. The number of a basic ACL ranges from 2000 to 2999.
Step 3 Run:
rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | time-range time-name ]*
Procedure
Step 1 Run:
system-view
An advanced ACL is created based on the name. The number of an advanced ACL ranges from 3000 to 3999.
Step 3 Run the following command as required:
- When protocol is specified as the Transmission Control Protocol (TCP), run:
rule [ rule-id ] { deny | permit } tcp [ destination { destination-address destination-wildcard | any } | destination-port { eq | gt | lt | range } port | dscp dscp | precedence precedence | source { source-address source-wildcard | any } | source-port { eq | gt | lt | range } port | tcp-flag { tcp-value | ack | fin | psh | rst | syn | urg }* | time-range time-name | tos tos ]*
An ACL rule is created.
- When protocol is specified as the User Datagram Protocol (UDP), run:
rule [ rule-id ] { deny | permit } udp [ destination { destination-address destination-wildcard | any } | destination-port { eq | gt | lt | range } port | dscp dscp | precedence precedence | source { source-address source-wildcard | any } | source-port { eq | gt | lt | range } port | time-range time-name | tos tos ]*
An ACL rule is created.
- When protocol is specified as a protocol other than TCP, UDP, or ICMP, run:
rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | dscp dscp | precedence precedence | source { source-address source-wildcard | any } | time-range time-name | tos tos ]*
An ACL rule is created. You can configure different advanced ACLs on the S2300 according to the protocol carried by IP. Different parameter combinations are available for different protocol types.
NOTE
dscp dscp and precedence precedence cannot be specified at the same time.
----End
Procedure
Step 1 Run:
system-view
A Layer 2 ACL is created based on the name. The number of a Layer 2 ACL ranges from 4000 to 4999.
Step 3 Run:
rule [ rule-id ] { permit | deny } [ { ether-ii | 802.3 | snap } | l2-protocol type-value [ type-mask ] | destination-mac dest-mac-address [ dest-mac-mask ] | source-mac source-mac-address [ source-mac-mask ] | vlan-id vlan-id [ vlan-id-mask ] | 8021p 802.1p-value ] * [ time-range time-range-name ]
Procedure
Step 1 Run:
system-view
Or, run:
acl name acl-name
The step between ACL rules is set. When changing ACL configurations, pay attention to the following points:
- The undo step command sets the default step of an ACL and re-arranges the numbers of ACL rules.
- By default, the value of step-value is 5.
----End
Prerequisite
The configurations of the ACL are complete.
Procedure
- Run the display acl { acl-number | all } command to check the ACL rule based on the number.
- Run the display acl name acl-name command to check the ACL rule based on the name.
- Run the display time-range { all | time-name } command to check the time range.
----End
Example
# Run the display acl command, and you can view the ACL number, rule IDs, step, and rule contents.
<Quidway> display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 5
 rule 5 deny ip source 10.1.1.1 0
# Run the display acl name command, and you can view the ACL name, ACL number, rule quantity, step, and rule contents.
<Quidway> display acl name test
Advanced ACL test 3999, 1 rule
Acl's step is 5
 rule 5 permit tcp
# Run the display time-range command, and you can view the configuration and status of the current time range.
<Quidway> display time-range all
Current time is 14:19:16 12-4-2008 Tuesday

Time-range : time1 ( Inactive )
 10:00 to 12:00 daily
 from 09:09 2008/9/9 to 23:59 2099/12/31
Applicable Environment
An ACL6 can be applied to the following tasks:
- Configuring the packet filtering policy
- Configuring policy-based routing
- Configuring a routing policy
Pre-configuration Tasks
None
Data Preparation
To configure an ACL6, you need the following data.
No. Data
1 Number or name of the ACL6
2 (Optional) Name of the time range during which the ACL6 is valid, and the start time and end time of the time range
3 Number of the ACL6 rule and the rule identifying the packet type, including protocol type, source address and source interface, destination address and destination interface, ICMPv6 type and code, precedence, and ToS
Context
To create an ACL6, you need to specify a number that identifies the ACL6 type. For example, an ACL6 with a number from 2000 to 2999 is a basic ACL6, and an ACL6 with a number from 3000 to 3999 is an advanced ACL6.
Procedure
- Creating an ACL6 based on the number
  1. Run:
system-view
  An ACL6 is created based on the number. The number of a basic ACL6 ranges from 2000 to 2999. The number of an advanced ACL6 ranges from 3000 to 3999.
- Creating an ACL6 based on the name
  1. Run:
system-view
  An ACL6 is created based on the name. If the number of a named ACL6 is not specified, the S2300 automatically allocates a number to the named ACL6 as follows:
  - If the type of a named ACL6 is specified, the number allocated by the S2300 is the maximum number of that ACL6 type.
  - If neither the number nor the type of a named ACL6 is specified, the S2300 treats the named ACL6 as an advanced ACL6 and allocates 3999 to it.
  - The S2300 never allocates the same number to two named ACL6s.
----End
Procedure
Step 1 Run:
system-view
The time range is created. You can set the same name for multiple time ranges to describe a special period. For example, three time ranges are set with the same name, test:
- Time range 1: 2009-01-01 00:00 to 2009-12-31 23:59
- Time range 2: 8:00-18:00 on Monday to Friday
- Time range 3: 14:00-18:00 on Saturday and Sunday
The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in the year 2009.
----End
Procedure
Step 1 Run:
system-view
A basic ACL6 is created based on the name. The value of a basic ACL6 ranges from 2000 to 2999. Step 3 Run:
rule [ rule-id ] { deny | permit } [ source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name ] *
Procedure
Step 1 Run:
system-view
An advanced ACL6 is created based on the name. The number of an advanced ACL6 ranges from 3000 to 3999.
Step 3 Perform the following steps as required to configure rules for the ACL6. You can configure the advanced ACL6 on the S2300 according to the type of the protocol carried by IP. The parameters vary according to the protocol type.
- When protocol is TCP, run:
rule [ rule-id ] { deny | permit } { tcp | protocol } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | destination-port { eq | gt | lt | range } port | dscp dscp | fragment | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | source-port { eq | gt | lt | range } port | tcp-flag { tcp-value | ack | fin | psh | rst | syn | urg } * | time-range time-name | tos tos ]*
----End
Prerequisite
The configurations of the ACL6 are complete.
Procedure
- Run the display acl ipv6 { acl6-number | all } command to check the ACL6 rule based on the number.
- Run the display acl ipv6 name acl6-name command to check the ACL6 rule based on the name.
- Run the display time-range { all | time-name } command to view information about the time range.
----End
Example
# Run the display acl ipv6 command, and you can view the ACL6 number, rule IDs, and rule contents.
<Quidway> display acl ipv6 2002
Basic IPv6 ACL 2002, 2 rules
 rule 0 permit time-range time1
 rule 1 permit
# Run the display acl ipv6 name command, and you can view the ACL6 name, ACL6 number, rule quantity, and rule contents.
<Quidway> display acl ipv6 name test
Advanced IPv6 ACL 3999 name test, 1 rule
 rule 0 permit udp
# Run the display time-range command, and you can see the configuration and status of the current time range.
<Quidway> display time-range all
Current time is 09:33:31 5-21-2009 Thursday
Figure: networking diagram (PC A, IP 10.0.0.2/24 - GE0/0/1 - Switch - GE0/0/2 - PC B)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the ACL.
2. Configure the traffic classifier.
3. Configure the traffic behavior.
4. Configure the traffic policy.
5. Apply the traffic policy to an interface.
Data Preparation
To complete the configuration, you need the following data:
- ACL number
- IP address of user A
- Names of the traffic classifier, traffic behavior, and traffic policy
- Interface where the traffic policy is applied
Procedure
Step 1 Configure the traffic classifier that is based on the ACL rules. # Define the ACL rules.
[Quidway] acl 2000
[Quidway-acl-basic-2000] rule permit source 10.0.0.2 0.0.0.255
[Quidway-acl-basic-2000] quit
Step 3 Configure the traffic policy. # Define the traffic policy and associate the traffic classifier and traffic behavior with the traffic policy.
[Quidway] traffic policy tp1
[Quidway-trafficpolicy-tp1] classifier tc1 behavior tb1
[Quidway-trafficpolicy-tp1] quit
Step 4 Verify the configuration. # Check the configuration of the ACL rules.
<Quidway> display acl 2000
Basic ACL 2000, 1 rule
Acl's step is 5
 rule 5 permit source 10.0.0.0 0.0.0.255
----End
Configuration Files
#
acl number 2000
 rule 5 permit source 10.0.0.0 0.0.0.255
#
traffic classifier tc1 operator and
 if-match acl 2000
#
traffic behavior tb1
 deny
#
traffic policy tp1
 classifier tc1 behavior tb1
#
interface GigabitEthernet0/0/1
 traffic-policy tp1 inbound
#
return
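The following Python model is added as an illustration and is not Huawei's code. It ties together three things the ACL sections state: the number decides the ACL type (2000-2999 basic, 3000-3999 advanced, 4000-4999 Layer 2); rule IDs are allocated in multiples of the step, 5 by default, and undo step restores the default and renumbers the rules; and a source entered as 10.0.0.2 0.0.0.255 is stored as 10.0.0.0 0.0.0.255 because the wildcard's 1 bits are don't-care bits, which is why the display acl 2000 output above differs from the rule as typed. The rendering imitates that display output. Allocating the next free multiple of the step, matching rules in ascending rule-ID order and the class and method names are assumptions of the model, not vendor behaviour quoted from the page.

```python
"""Model of number-based ACL creation, step numbering and wildcard matching
(added example, not Huawei code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ACL_RANGES = ((2000, 2999, "Basic"), (3000, 3999, "Advanced"), (4000, 4999, "Layer 2"))
DEFAULT_STEP = 5


def acl_type(number: int) -> str:
    """The ACL number alone decides the ACL type."""
    for low, high, name in ACL_RANGES:
        if low <= number <= high:
            return name
    raise ValueError(f"ACL number {number} is outside every supported range")


def _int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def normalize(address: str, wildcard: str) -> str:
    """Clear the address bits the wildcard marks as don't-care (its 1 bits)."""
    return str(ipaddress.IPv4Address(_int(address) & ~_int(wildcard) & 0xFFFFFFFF))


def wildcard_match(packet_ip: str, rule_ip: str, wildcard: str) -> bool:
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(packet_ip) & care) == (_int(rule_ip) & care)


@dataclass
class Rule:
    rule_id: int
    action: str      # "permit" or "deny"
    source: str      # normalized address
    wildcard: str

    def text(self) -> str:
        wc = "0" if self.wildcard == "0.0.0.0" else self.wildcard   # a host is printed as "0"
        return f"rule {self.rule_id} {self.action} source {self.source} {wc}"


class BasicAcl:
    def __init__(self, number: int):
        self.number = number
        self.type = acl_type(number)
        self.step = DEFAULT_STEP
        self.rules: List[Rule] = []

    def add_rule(self, action: str, source: str, wildcard: str = "0",
                 rule_id: Optional[int] = None) -> Rule:
        if wildcard == "0":
            wildcard = "0.0.0.0"
        if rule_id is None:
            used = max((r.rule_id for r in self.rules), default=0)
            rule_id = (used // self.step + 1) * self.step   # next free multiple of the step
        rule = Rule(rule_id, action, normalize(source, wildcard), wildcard)
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.rule_id)
        return rule

    def undo_step(self) -> None:
        """'undo step': restore the default step and renumber existing rules in order."""
        self.step = DEFAULT_STEP
        for i, rule in enumerate(self.rules, start=1):
            rule.rule_id = i * self.step

    def first_match(self, src_ip: str) -> Optional[Rule]:
        """Rules are checked in ascending rule-ID order (model assumption); first match wins."""
        for rule in self.rules:
            if wildcard_match(src_ip, rule.source, rule.wildcard):
                return rule
        return None

    def display(self) -> List[str]:
        """Lines in the shape of the 'display acl' output on the page."""
        n = len(self.rules)
        return [f"{self.type} ACL {self.number}, {n} rule{'s' if n != 1 else ''}",
                f"Acl's step is {self.step}"] + [r.text() for r in self.rules]


if __name__ == "__main__":
    acl = BasicAcl(2000)
    acl.add_rule("permit", "10.0.0.2", "0.0.0.255")   # as typed in the example above
    print("\n".join(acl.display()))
```

Running the block prints the rule as `rule 5 permit source 10.0.0.0 0.0.0.255`: the intent in the example was to match user A alone, but with wildcard 0.0.0.255 the rule matches the whole 10.0.0.0/24 segment. A host match needs wildcard 0 (0.0.0.0), as in the `rule 5 deny ip source 10.1.1.1 0` output shown in 9.3.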
Figure: networking diagram (Salary query server 10.164.9.9 on Ethernet 0/0/4; Ethernet 0/0/1 - President's office 10.164.1.0/24; Ethernet 0/0/3)
Configuration Roadmap
The configuration roadmap is as follows:
1. Assign IP addresses to interfaces.
2. Configure the time range.
3. Configure the ACL.
4. Configure the traffic classifier.
5. Configure the traffic behavior.
6. Configure the traffic policy.
7. Apply the traffic policy to an interface.
Data Preparation
To complete the configuration, you need the following data:
- VLAN that the interface belongs to
- Name of the time range
- ACL ID and rules
- Name of the traffic classifier and classification rules
- Name of the traffic behavior and actions
- Name of the traffic policy, and the traffic classifier and traffic behavior associated with the traffic policy
- Interface that a traffic policy is applied to
Procedure
Step 1 Assign IP addresses to interfaces. # Add interfaces to the VLAN and assign IP addresses to the VLANIF interfaces. Add Ethernet 0/0/1, Ethernet 0/0/2, and Ethernet 0/0/3 to VLAN 10, VLAN 20, and VLAN 30 respectively, and add Ethernet 0/0/4 to VLAN 100. The first IP address of the network segment is taken as the address of the VLANIF interface. Take Ethernet 0/0/1 as an example. The configurations of other interfaces are similar to the configuration of Ethernet 0/0/1, and are not mentioned here.
<Quidway> system-view
[Quidway] vlan batch 10 20 30 100
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] port link-type access
[Quidway-Ethernet0/0/1] port default vlan 10
[Quidway-Ethernet0/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.164.1.1 255.255.255.0
[Quidway-Vlanif10] quit
Step 2 Configure the time range. # Configure the time range from 8:00 to 17:30.
Step 3 Configure ACLs. # Configure the ACL for the personnel of the marketing department to access the salary query server.
[Quidway] acl 3002
[Quidway-acl-adv-3002] rule deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime
[Quidway-acl-adv-3002] quit
# Configure the ACL for the personnel of the R&D department to access the salary query server.
[Quidway] acl 3003
[Quidway-acl-adv-3003] rule deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime
[Quidway-acl-adv-3003] quit
Step 4 Configure ACL-based traffic classifiers. # Configure the traffic classifier c_market to classify the packets that match ACL 3002.
[Quidway] traffic classifier c_market
[Quidway-classifier-c_market] if-match acl 3002
[Quidway-classifier-c_market] quit
# Configure the traffic classifier c_rd to classify the packets that match ACL 3003.
[Quidway] traffic classifier c_rd
[Quidway-classifier-c_rd] if-match acl 3003
[Quidway-classifier-c_rd] quit
Step 5 Configure traffic behaviors.
# Configure the traffic behavior b_market to reject packets.
[Quidway] traffic behavior b_market
[Quidway-behavior-b_market] deny
[Quidway-behavior-b_market] quit
Step 6 Configure traffic policies.
# Configure the traffic policy p_market and associate the traffic classifier c_market and the traffic behavior b_market with the traffic policy.
[Quidway] traffic policy p_market
[Quidway-trafficpolicy-p_market] classifier c_market behavior b_market
[Quidway-trafficpolicy-p_market] quit
# Configure the traffic policy p_rd and associate the traffic classifier c_rd and the traffic behavior b_rd with the traffic policy.
[Quidway] traffic policy p_rd
[Quidway-trafficpolicy-p_rd] classifier c_rd behavior b_rd
[Quidway-trafficpolicy-p_rd] quit
Step 7 Apply the traffic policy.
# Apply the traffic policy p_market to Ethernet 0/0/2.
[Quidway] interface ethernet 0/0/2
[Quidway-Ethernet0/0/2] traffic-policy p_market inbound
[Quidway-Ethernet0/0/2] quit
----End
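The following evaluator is an added example and is not part of the Huawei manual or the S2300 software. It applies the time range satime and the rules of ACL 3002 and ACL 3003 from the procedure above to constructed sample packets, so the wildcard-mask semantics (a 0 bit in the wildcard must match, a 1 bit is ignored) and the time-range check can be verified offline. Assumptions, labelled in the code: "working-day" is modelled as Monday to Friday, and a packet that matches no rule is treated as permitted.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei wildcard mask: a 0 bit must match the base address, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


@dataclass
class TimeRange:
    name: str
    start: time
    end: time
    working_day: bool   # "working-day" modelled as Monday to Friday (assumption)

    def active(self, when: datetime) -> bool:
        if self.working_day and when.weekday() > 4:
            return False
        return self.start <= when.time() <= self.end


@dataclass
class Rule:
    action: str         # "deny" or "permit"
    src: str
    src_wildcard: str
    dst: str
    dst_wildcard: str
    time_range: Optional[TimeRange] = None

    def matches(self, src: str, dst: str, when: datetime) -> bool:
        # A rule bound to a time range only matches while that range is active.
        if self.time_range is not None and not self.time_range.active(when):
            return False
        return (wildcard_match(src, self.src, self.src_wildcard)
                and wildcard_match(dst, self.dst, self.dst_wildcard))


def acl_action(rules: List[Rule], src: str, dst: str, when_iso: str) -> str:
    """First matching rule wins; with no match the packet is treated as 'permit' (assumption)."""
    when = datetime.fromisoformat(when_iso)
    for rule in rules:
        if rule.matches(src, dst, when):
            return rule.action
    return "permit"


# Time range and ACLs as configured in the procedure above.
SATIME = TimeRange("satime", time(8, 0), time(17, 30), working_day=True)
ACL_3002 = [Rule("deny", "10.164.2.0", "0.0.0.255", "10.164.9.9", "0.0.0.0", SATIME)]  # marketing
ACL_3003 = [Rule("deny", "10.164.3.0", "0.0.0.255", "10.164.9.9", "0.0.0.0", SATIME)]  # R&D

if __name__ == "__main__":
    # Constructed sample packets: 2011-05-18 is a Wednesday, 2011-05-21 a Saturday.
    print(acl_action(ACL_3002, "10.164.2.37", "10.164.9.9", "2011-05-18 10:00"))  # deny
    print(acl_action(ACL_3002, "10.164.2.37", "10.164.9.9", "2011-05-21 10:00"))  # permit
```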
Configuration Files
#
sysname Quidway
#
vlan batch 10 20 30 40 100
#
time-range satime 08:00 to 17:30 working-day
#
acl number 3002
 rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
#
acl number 3003
 rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
#
traffic classifier c_market operator or
 if-match acl 3002
traffic classifier c_rd operator or
 if-match acl 3003
#
traffic behavior b_market
 deny
traffic behavior b_rd
 deny
#
traffic policy p_market
 classifier c_market behavior b_market
traffic policy p_rd
 classifier c_rd behavior b_rd
#
interface Vlanif10
 ip address 10.164.1.1 255.255.255.0
#
interface Vlanif20
 ip address 10.164.2.1 255.255.255.0
#
interface Vlanif30
 ip address 10.164.3.1 255.255.255.0
#
interface Vlanif100
 ip address 10.164.9.1 255.255.255.0
#
interface Ethernet0/0/1
 port link-type access
 port default vlan 10
#
interface Ethernet0/0/2
 port link-type access
 port default vlan 20
 traffic-policy p_market inbound
#
interface Ethernet0/0/3
 port link-type access
 port default vlan 30
 traffic-policy p_rd inbound
#
interface Ethernet0/0/4
 port link-type access
 port default vlan 100
#
return
[Figure (image not included): Switch with GE0/0/1 and GE0/0/2 connected to the IP network; host MAC address 00e0-f201-0101]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the ACL.
2. Configure the traffic classifier.
3. Configure the traffic behavior.
4. Configure the traffic policy.
5. Apply the traffic policy to an interface.
Data Preparation
To complete the configuration, you need the following data:
- ACL ID and rules
- Name of the traffic classifier and classification rules
- Name of the traffic behavior and actions
- Name of the traffic policy, and traffic classifier and traffic behavior associated with the traffic policy
- Interface that a traffic policy is applied to
Procedure
Step 1 Configure an ACL.
# Configure the required Layer 2 ACL.
[Quidway] acl 4000
[Quidway-acl-L2-4000] rule deny source-mac 00e0-f201-0101 ffff-ffff-ffff destination-mac 0260-e207-0002 ffff-ffff-ffff
[Quidway-acl-L2-4000] quit
Step 2 Configure the traffic classifier that is based on the ACL.
# Configure the traffic classifier tc1 to classify packets that match ACL 4000.
[Quidway] traffic classifier tc1
[Quidway-classifier-tc1] if-match acl 4000
[Quidway-classifier-tc1] quit
Step 4 Configure the traffic policy.
# Configure the traffic policy tp1 and associate tc1 and tb1 with the traffic policy.
[Quidway] traffic policy tp1
[Quidway-trafficpolicy-tp1] classifier tc1 behavior tb1
[Quidway-trafficpolicy-tp1] quit
Step 5 Apply the traffic policy.
# Apply the traffic policy tp1 to GE 0/0/1.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] traffic-policy tp1 inbound
[Quidway-GigabitEthernet0/0/1] quit
----End
Configuration Files
#
sysname Quidway
#
acl number 4000
 rule 5 deny destination-mac 0260-e207-0002 source-mac 00e0-f201-0101
#
traffic classifier tc1 operator and
 if-match acl 4000
#
traffic behavior tb1
 deny
#
traffic policy tp1
 classifier tc1 behavior tb1
#
interface GigabitEthernet0/0/1
 traffic-policy tp1 inbound
#
return
Configuration Roadmap
The configuration roadmap is as follows:
1. Perform basic configurations on the FTP server.
2. Configure a basic ACL6.
3. Bind the basic ACL6 to the FTP server.
Data Preparation
To complete the configuration, you need the following data:
- FTP user name and password configured on the FTP server
- Basic ACL6 number
Procedure
Step 1 Configure basic FTP functions. See Example for Configuring the FTP Server.
Step 2 Configure a basic ACL6.
<Quidway> system-view
[Quidway] acl ipv6 number 2001
[Quidway-acl-basic-2001] rule deny source 3001::2/128
[Quidway-acl-basic-2001] quit
----End
Configuration Files
#
acl ipv6 number 2001
 rule 0 deny source 3001::2/128
#
ftp ipv6 acl 2001
#
return
10 ND Snooping Configuration
About This Chapter
This chapter describes the principle and configuration method of neighbor discovery (ND) snooping and provides configuration examples.
10.1 ND Snooping Overview
This section describes the principle of ND snooping.
10.2 ND Snooping Features Supported by the S2300
This section describes ND snooping features supported by the S2300.
10.3 Configuring ND Snooping
This section describes the basic concepts of ND snooping and the procedure for configuring ND snooping, and provides configuration examples of ND snooping.
10.4 Maintaining ND Snooping
This section describes how to reset the prefix management table and ND dynamic binding table.
10.5 Configuration Examples
This section provides a configuration example of ND snooping.
The ND snooping technology is a security feature of ND. By capturing and analyzing the preceding types of messages, it filters out untrusted messages, and establishes and maintains the prefix management table and ND dynamic binding table. The prefix management table contains information about the prefix and the prefix lease. The ND dynamic binding table contains information about IPv6 addresses, MAC addresses, interfaces, and VLAN IDs. By maintaining the prefix management table and ND dynamic binding table, the device enabled with ND snooping allows authorized users to access the network and prevents unauthorized users from attacking network devices and authorized users.
[Figure (image not included): ND snooping networking, with the L3 network on one side of the switch and the User network on the other]
Applicable Environment
When a bogus ND server exists on the network, it sends incorrect information, such as an incorrect gateway address, DNS server, or IP address, to ND clients. As a result, ND clients cannot access the destination network. To protect the S2300 against attacks by a bogus ND server, configure ND snooping on the S2300, configure the network-side interface as the trusted interface, and configure user-side interfaces as untrusted interfaces. RA messages received on untrusted interfaces are discarded.
Based on the RA messages received on the trusted interface, the S2300 establishes the prefix management table. The prefix management table saves information about the prefixes allocated by the ND server to the S2300, and the S2300 uses it to manage client addresses. According to the prefixes in the ND snooping prefix management table, clients automatically generate IPv6 addresses and send NS messages to detect whether the addresses conflict. In this process, the S2300 generates the ND dynamic binding table from the NS messages. The ND dynamic binding table saves the IPv6 addresses, MAC addresses, and VLAN IDs of clients. The S2300 delivers the ND dynamic binding entries to an automatically generated ACL, and packets matching the entries in that ACL are permitted by default.
Pre-configuration Tasks
Before configuring ND snooping, complete the following task:
- Configuring the ND server
Data Preparation
To configure ND snooping, you need the following data.
1. Type and number of the interface that needs to be configured as the trusted interface
2. (Optional) Number of detection times for aging ND dynamic binding entries
3. (Optional) Detection interval for aging ND dynamic binding entries
Context
Before enabling ND snooping on an interface or in a VLAN, you must enable ND snooping globally. By default, ND snooping is disabled globally, on interfaces, and in VLANs.
Procedure
- Configuring ND snooping on an interface
  1. Run:
     system-view
Context
When RA messages sent from the ND server pass through the trusted interface of the S2300, the S2300 establishes the prefix management table according to the RA messages. The prefix management table saves information about prefixes allocated to the S2300 in the RA messages. The S2300 discards the RA messages received from untrusted interfaces. Generally, the interface connected to the ND server is configured as the trusted interface and other interfaces are configured as untrusted interfaces. After ND snooping is enabled on an interface, the interface is an untrusted interface by default.
Procedure
- Configuring ND snooping on an interface
  1. Run:
     system-view
  The interface is configured as the trusted interface.
- Configuring ND snooping in a VLAN
  1. Run:
     system-view
When you run the nd snooping trusted command in the VLAN view, the specified interface must belong to the VLAN. Compared with the nd snooping trusted command run in the interface view, the command run in the VLAN view is more precise, because a specified interface in a specified VLAN can be configured as a trusted interface.
----End
10.3.4 (Optional) Configuring the Aging Function of the ND Dynamic Binding Table
Through the aging function, the S2300 can automatically manage the ND dynamic binding table.
Context
After ND snooping is enabled, the S2300 establishes the ND dynamic binding table based on the user information.
When the lease of an ND dynamic binding entry expires and the aging function of the ND dynamic binding table is configured, the S2300 sends NS messages according to the configured number of detection times and detection interval. If the user does not reply with NA messages after the specified number of detection times, the S2300 considers the user offline, deletes the user's ND dynamic binding entry, and no longer forwards messages to the user.
Procedure
Step 1 Run:
system-view
The aging function of the ND dynamic binding table is enabled. By default, the aging function of the ND dynamic binding table is disabled.
Step 3 Run:
nd user-bind detect retransmit retransmit-times interval retransmit-interval
The detection interval and the number of detection times for aging ND dynamic binding entries are set. By default, the detection interval for aging ND dynamic binding entries is 1000 ms and the number of detection times is 2.
----End
Prerequisite
The configurations of ND snooping are complete.
Procedure
- Run the display nd snooping prefix command to check prefix management entries of ND users.
- Run the display nd snooping user-bind { all | ipv6-address ipv6-address | mac-address mac-address | interface interface-type interface-number | vlan vlan-id | vlan vlan-id interface interface-type interface-number } command to check ND dynamic binding entries.
- Run the display this command in the system view to check the configuration of ND snooping. The output shows whether ND snooping is enabled and the settings of the aging function of the ND dynamic binding table.
----End
Example
After the configuration is successful, you can run the display nd snooping prefix command to view the prefix management table of ND users.
<Quidway> display nd snooping prefix
prefix-table:
Prefix                                    Length    Valid-Time    Preferred-Time
--------------------------------------------------------------------------------
3001::                                    64        100000        100000
--------------------------------------------------------------------------------
Prefix table total count: 1
Run the display nd snooping user-bind all command, and you can view information about the ND dynamic binding table.
<Quidway> display nd snooping user-bind all
ND Dynamic Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - map vlan
IP Address                                MAC Address     VSI/VLAN(O/I/P)  Lease
--------------------------------------------------------------------------------
3001::E58C:A2E7:AA4C:8E59                 00e0-4c7c-af8f  30 /-- /-        2011.05.06-20:09
--------------------------------------------------------------------------------
print count: 1 total count: 1
Run the display this command in the system view, and you can view the configuration of ND snooping.
[Quidway] display this
nd snooping enable
nd user-bind detect enable
nd user-bind detect retransmit 10 interval 1000
Context
The ND server sends RA messages periodically to request clients to update prefixes. As the access device of the client, the S2300 maintains the prefix information and updates and ages the prefix information. Generally, you are advised not to manually delete prefix management entries. You need to manually delete prefix management entries if the following conditions are met:
- The user address lease does not expire; therefore, prefix management entries cannot age automatically.
- It is confirmed that the user does not connect to the network through the S2300.
To manually delete prefix management entries, run the following command in the user view or in the system view.
Procedure
l Run the reset nd snooping prefix [ ipv6-address/prefix-length ] command to reset the prefix management table.
----End
Context
You need to manually delete ND dynamic binding entries if the following conditions are met:
- The ND dynamic binding table does not reach the aging time; therefore, ND dynamic binding entries cannot age automatically.
- It is confirmed that the user does not connect to the network through the S2300.
- The user VLAN or interface information changes.
NOTE
After the networking environment changes, ND dynamic binding entries do not age immediately. However, the following information in ND dynamic binding entries may change, causing packet forwarding failure:
- VLAN ID in packets
- Interface information
Before changing the networking environment, clear all ND dynamic binding entries manually so that a device generates a new ND dynamic binding table according to the new networking environment.
To manually delete ND dynamic binding entries, run the following command in the user view or in the system view.
Procedure
- Run the reset nd snooping user-bind [ interface interface-type interface-number | ipv6-address ipv6-address | mac-address mac-address | vlan vlan-id ] command to reset the ND dynamic binding table.
----End
Networking Requirements
As shown in Figure 10-2, the Switch is deployed in the Layer 2 network between the user network and the ND server. To protect the Switch against the attacks of a bogus ND server, it is required that ND snooping be configured on the Switch and the network-side interface of the carrier be configured as the trusted interface. By maintaining the prefix management table and ND dynamic binding table, the Switch ensures that authorized users access the network and prevents unauthorized users from attacking network devices and authorized users.
Figure 10-2 Networking diagram for configuring ND snooping on a Layer 2 network
[Figure 10-2 (image not included): L3 network, Switch, User network]
Configuration Roadmap
The configuration roadmap is as follows (assume that the ND server is configured):
1. Enable ND snooping in the system view and interface view.
2. Configure the interface connected to the ND server as the trusted interface.
3. Configure the aging function of the ND dynamic binding table.
Data Preparation
To complete the configuration, you need the following data:
- Interfaces in trusted or untrusted mode: GE 0/0/1 in trusted mode and GE 0/0/2 in untrusted mode
- Detection interval for aging ND dynamic binding entries
- Number of detection times for aging ND dynamic binding entries
Procedure
Step 1 Configure ND snooping.
# Enable ND snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] nd snooping enable
After ND snooping is enabled on GE 0/0/2, the interface is the untrusted interface by default.
Step 3 Configure the aging function of the ND dynamic binding table.
# Set the detection interval and the number of detection times for aging ND dynamic binding entries.
[Quidway] nd user-bind detect enable
[Quidway] nd user-bind detect retransmit 5 interval 600
Step 4 Verify the configuration.
Run the display this command in the system view, and you can view that ND snooping is enabled globally and on the interface.
[Quidway] display this
nd snooping enable
nd user-bind detect enable
nd user-bind detect retransmit 5 interval 600
Run the display nd snooping prefix command, and you can view the prefix management table of ND users.
<Quidway> display nd snooping prefix
prefix-table:
Prefix                                    Length    Valid-Time    Preferred-Time
-------------------------------------------------------------------------------
2001::                                    64        600           600
Info: Prefix table total count:1
Run the display nd snooping user-bind all command, and you can view information about the ND dynamic binding table.
<Quidway> display nd snooping user-bind all
ND Dynamic Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - map vlan
IP Address                                MAC Address     VSI/VLAN(O/I/P)  Lease
--------------------------------------------------------------------------------
3001::E58C:A2E7:AA4C:8E59                 00e0-4c7c-af8f  30 /-- /-        2011.05.06-20:09
3001::E58C:A2E7:AA4C:8D54                 00e0-4c7c-afae  30 /-- /-        2011.05.06-20:09
--------------------------------------------------------------------------------
Dynamic binditem count: 2 Dynamic binditem total count: 2
----End
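The following model is an added example and is not part of the Huawei manual or the S2300 software. It replays the behaviour described in the Applicable Environment section and in 10.3.4 with the values of the configuration example above: RA messages are accepted only on the trusted interface GE 0/0/1 (prefix management table), binding entries are learned from clients' NS messages (ND dynamic binding table), the automatically generated ACL permits only packets matching a binding, and expired entries are probed "retransmit 5 interval 600" before being deleted. The interface names, the client address, the lease values and the NA-reply callback are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple
import ipaddress


@dataclass
class NdSnooping:
    trusted: Set[str] = field(default_factory=set)   # trusted interfaces, e.g. {"GE0/0/1"}
    # prefix -> (prefix length, valid-time); learned from RA on the trusted interface only
    prefixes: Dict[str, Tuple[int, int]] = field(default_factory=dict)
    # ipv6 -> (mac, interface, vlan, lease_end); lease_end is a constructed time counter
    bindings: Dict[str, Tuple[str, str, int, int]] = field(default_factory=dict)
    detect_enable: bool = False
    retransmit: int = 2        # page default: 2 detection times
    interval_ms: int = 1000    # page default: 1000 ms

    def on_ra(self, intf: str, prefix: str, length: int, valid_time: int) -> bool:
        """RA on an untrusted interface is discarded; on a trusted one it fills the prefix table."""
        if intf not in self.trusted:
            return False
        self.prefixes[prefix] = (length, valid_time)
        return True

    def on_ns(self, intf: str, vlan: int, mac: str, ipv6: str, lease_end: int) -> bool:
        """A client's NS (duplicate address detection) creates a binding only for a learned prefix."""
        addr = ipaddress.IPv6Address(ipv6)
        if not any(addr in ipaddress.IPv6Network(f"{p}/{n}") for p, (n, _) in self.prefixes.items()):
            return False
        self.bindings[ipv6] = (mac, intf, vlan, lease_end)
        return True

    def permits(self, ipv6: str, mac: str, intf: str, vlan: int) -> bool:
        """The automatically generated ACL permits a packet only if it matches a binding entry."""
        entry = self.bindings.get(ipv6)
        return entry is not None and entry[:3] == (mac, intf, vlan)

    def max_detect_ms(self) -> int:
        """Longest time an expired entry is kept while being probed: retransmit times x interval."""
        return self.retransmit * self.interval_ms

    def age(self, now: int, answers_na: Callable[[str], bool]) -> List[str]:
        """Probe expired bindings with NS up to `retransmit` times; delete users that never answer."""
        removed: List[str] = []
        if not self.detect_enable:
            return removed
        for ipv6, (_, _, _, lease_end) in list(self.bindings.items()):
            if lease_end > now:
                continue
            # any() stops at the first NA, like the switch stopping its probes
            if not any(answers_na(ipv6) for _ in range(self.retransmit)):
                del self.bindings[ipv6]
                removed.append(ipv6)
        return removed


def demo() -> NdSnooping:
    """Replays the example: GE0/0/1 trusted, GE0/0/2 untrusted, retransmit 5 interval 600."""
    sw = NdSnooping(trusted={"GE0/0/1"}, detect_enable=True, retransmit=5, interval_ms=600)
    sw.on_ra("GE0/0/2", "2001::", 64, 600)   # RA from the user side (bogus server): discarded
    sw.on_ra("GE0/0/1", "2001::", 64, 600)   # RA from the ND server: prefix 2001::/64 learned
    # Constructed client inside the learned prefix; its lease ends at t=600
    sw.on_ns("GE0/0/2", 30, "00e0-4c7c-af8f", "2001::e58c:a2e7:aa4c:8e59", lease_end=600)
    return sw
```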
Configuration Files
#
dhcp enable
#
nd snooping enable
#
nd user-bind detect enable
#
nd user-bind detect retransmit 5 interval 600
#
interface GigabitEthernet0/0/1
 nd snooping enable
 nd snooping trusted
#
interface GigabitEthernet0/0/2
 nd snooping enable
#
return