Quidway S5300 Configuration Guide - Security (V100R003 - 02) PDF


Quidway S5300 Series Ethernet Switches V100R003

Configuration Guide - Security

Issue: 02
Date: 2009-08-14

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service. For any assistance, please contact our local office or company headquarters.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: [email protected]

Copyright Huawei Technologies Co., Ltd. 2009. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions


and other Huawei trademarks are the property of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but the statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.


Contents

About This Document 1
1 Security Protection on Interfaces 1-1
1.1 Overview of Security Protection on Interfaces 1-2
1.1.1 Introduction to Security Protection on Interfaces 1-2
1.1.2 Security Protection on Interfaces Supported by the S-switch 1-2
1.2 Configuring Security Protection on an Interface 1-2
1.2.1 Establishing the Configuration Task 1-3
1.2.2 Configuring the Limit on the Number of MAC Addresses Learnt by an Interface 1-3
1.2.3 Enabling Security Protection on an Interface 1-4
1.2.4 (Optional) Configuring the Security Protection Action for an Interface 1-4
1.2.5 (Optional) Configuring an Interface to Convert Secure Dynamic MAC Addresses to Static MAC Addresses 1-5
1.2.6 Checking the Configuration 1-5
1.3 Configuration Examples 1-5
1.3.1 Example for Configuring Security Protection on an Interface 1-6

2 MFF Configuration 2-1
2.1 Introduction to MFF 2-2
2.1.1 MFF Overview 2-2
2.1.2 MFF Functions Supported by the S-switch 2-3
2.1.3 Update History 2-4
2.2 Configuring MFF 2-4
2.2.1 Establishing the Configuration Task 2-4
2.2.2 Enabling MFF Globally 2-5
2.2.3 Configuring an MFF Network Interface 2-5
2.2.4 Enabling MFF in a VLAN 2-6
2.2.5 (Optional) Assigning an IP Address to the Static Gateway 2-6
2.2.6 (Optional) Enabling Timing Detection of the MAC Address of the Gateway 2-6
2.2.7 (Optional) Assigning an IP Address to the Server 2-7
2.2.8 Checking the Configuration 2-7
2.3 Configuration Examples 2-8
2.3.1 Example for Configuring MFF 2-8

3 Attack Defense Configuration 3-1



3.1 Overview of Attack Defense 3-2
3.1.1 Introduction to Attack Defense 3-2
3.1.2 Attack Defense Supported by the S-switch 3-2
3.1.3 Logical Relationships Between Configuration Tasks 3-2
3.2 Configuring the Defense Against IP Spoofing Attacks 3-2
3.2.1 Establishing the Configuration Task 3-3
3.2.2 Configuring the Defense Against IP Spoofing Attacks 3-3
3.2.3 Checking the Configuration 3-4
3.3 Configuring the Defense Against Land Attacks 3-4
3.3.1 Establishing the Configuration Task 3-5
3.3.2 Configuring the Defense Against Land Attacks 3-5
3.3.3 Checking the Configuration 3-6
3.4 Configuring the Defense Against Smurf Attacks 3-6
3.4.1 Establishing the Configuration Task 3-7
3.4.2 Configuring the Defense Against Smurf Attacks 3-7
3.4.3 Checking the Configuration 3-8
3.5 Configuring the Defense Against SYN Flood Attacks 3-8
3.5.1 Establishing the Configuration Task 3-8
3.5.2 Example for Configuring the Defense Against SYN Flood Attacks 3-9
3.5.3 Checking the Configuration 3-10
3.6 Configuring the Defense Against ICMP Flood Attacks 3-10
3.6.1 Establishing the Configuration Task 3-10
3.6.2 Configuring the Defense Against ICMP Flood Attacks 3-11
3.6.3 Checking the Configuration 3-12
3.7 Configuring the Defense Against Ping of Death Attacks 3-12
3.7.1 Establishing the Configuration Task 3-12
3.7.2 Configuring the Defense Against Ping of Death Attacks 3-12
3.7.3 Checking the Configuration 3-13
3.8 Configuring the Defense Against Teardrop Attacks 3-14
3.8.1 Establishing the Configuration Task 3-14
3.8.2 Configuring the Defense Against Teardrop Attacks 3-14
3.8.3 Checking the Configuration 3-15
3.9 Debugging Attack Defense 3-16
3.10 Configuration Examples 3-16
3.10.1 Example for Configuring the Defense Against Land Attacks 3-16
3.10.2 Example for Configuring the Defense Against SYN Flood Attacks 3-18

4 DHCP Snooping Configuration 4-1


4.1 Overview of DHCP Snooping 4-2
4.1.1 Introduction to DHCP Snooping 4-2
4.1.2 DHCP Snooping Supported by the S-switch 4-2
4.1.3 Logical Relationships Between Configuration Tasks 4-4
4.2 Preventing the Bogus DHCP Server Attack 4-4


4.2.1 Establishing the Configuration Task 4-4
4.2.2 Enabling Global DHCP Snooping 4-5
4.2.3 Enabling Local DHCP Snooping 4-6
4.2.4 Configuring Trusted Interfaces 4-6
4.2.5 Checking the Configuration 4-7
4.3 Preventing the Middleman Attack and IP/MAC Spoofing Attack 4-7
4.3.1 Establishing the Configuration Task 4-8
4.3.2 Enabling Global DHCP Snooping 4-10
4.3.3 Enabling Local DHCP Snooping 4-10
4.3.4 Enabling Packet Check 4-10
4.3.5 Configuring the DHCP Snooping Binding Table 4-11
4.3.6 Configuring Option 82 4-12
4.3.7 Configuring Security Protection on an Interface 4-13
4.3.8 Checking the Configuration 4-13
4.4 Preventing the DoS Attack by Changing the CHADDR Field 4-14
4.4.1 Establishing the Configuration Task 4-14
4.4.2 Enabling Global DHCP Snooping 4-16
4.4.3 Enabling Local DHCP Snooping 4-16
4.4.4 Checking the CHADDR Field in DHCP Request Messages 4-17
4.4.5 Checking the Configuration 4-17
4.5 Preventing the Attacker from Sending Bogus Messages for Extending IP Address Leases 4-18
4.5.1 Establishing the Configuration Task 4-18
4.5.2 Enabling Global DHCP Snooping 4-19
4.5.3 Enabling Local DHCP Snooping 4-20
4.5.4 Enabling the Checking of DHCP Request Messages 4-20
4.5.5 Configuring Option 82 4-21
4.5.6 Checking the Configuration 4-21
4.6 Configuring the Packet Discarding Alarm 4-22
4.6.1 Establishing the Configuration Task 4-22
4.6.2 Configuring the Packet Discarding Alarm 4-23
4.6.3 Checking the Configuration 4-24
4.7 Configuring the DHCP Option 82 String 4-25
4.7.1 Configuring the Storage Format of the Option 82 Field 4-25
4.7.2 Configuring the Circuit ID in the Option 82 Field in the System View 4-25
4.7.3 Configuring the Circuit ID of the Option 82 Field in the Interface View 4-26
4.7.4 Configuring the Remote ID in the Option 82 Field in the System View 4-26
4.7.5 Configuring the Remote ID of the Option 82 Field in the Interface View 4-27
4.7.6 Checking the Configuration 4-27
4.8 Maintaining DHCP Snooping 4-27
4.8.1 Backing Up the DHCP Snooping Binding Table 4-28
4.8.2 Debugging DHCP Snooping 4-28
4.9 Configuration Examples 4-28

4.9.1 Example for Configuring DHCP Snooping to Prevent Attacks Against the Network 4-28

5 AAA Configuration 5-1
5.1 Overview of AAA 5-2
5.1.1 Introduction to AAA 5-2
5.1.2 RADIUS 5-3
5.1.3 HWTACACS 5-5
5.1.4 Domain-based User Management 5-6
5.1.5 Local User Management 5-6
5.1.6 References 5-6
5.1.7 Logical Relationships Between Configuration Tasks 5-7
5.2 Configuring AAA 5-7
5.2.1 Establishing the Configuration Task 5-7
5.2.2 Configuring the Authentication Scheme 5-8
5.2.3 (Optional) Configuring the Authorization Scheme 5-9
5.2.4 Configuring the Accounting Scheme 5-9
5.2.5 (Optional) Configuring the Recording Scheme 5-10
5.2.6 Checking the Configuration 5-11
5.3 Configuring the RADIUS Server 5-11
5.3.1 Establishing the Configuration Task 5-12
5.3.2 Creating a RADIUS Server Template 5-13
5.3.3 Configuring the RADIUS Authentication Server 5-13
5.3.4 Configuring the RADIUS Accounting Server 5-14
5.3.5 (Optional) Configuring the Protocol Version for the RADIUS Server 5-14
5.3.6 (Optional) Configuring the Shared Key for the RADIUS Server 5-15
5.3.7 (Optional) Configuring the User Name Format for the RADIUS Server 5-15
5.3.8 (Optional) Setting the Traffic Unit for the RADIUS Server 5-16
5.3.9 (Optional) Configuring the Retransmission Parameters for the RADIUS Server 5-16
5.3.10 (Optional) Configuring the NAS Interface for the RADIUS Server 5-17
5.3.11 Checking the Configuration 5-17
5.4 Configuring the HWTACACS Server 5-17
5.4.1 Establishing the Configuration Task 5-18
5.4.2 Creating a HWTACACS Server Template 5-19
5.4.3 Configuring the HWTACACS Authentication Server 5-19
5.4.4 Configuring the HWTACACS Authorization Server 5-20
5.4.5 Configuring the HWTACACS Accounting Server 5-20
5.4.6 (Optional) Configuring the Source IP Address of the HWTACACS Server 5-21
5.4.7 (Optional) Configuring the Shared Key for the HWTACACS Server 5-21
5.4.8 (Optional) Configuring the User Name Format for the HWTACACS Server 5-22
5.4.9 (Optional) Setting the Traffic Unit for the HWTACACS Server 5-22
5.4.10 (Optional) Setting the Timer of the HWTACACS Server 5-23
5.4.11 Checking the Configuration 5-23
5.5 Configuring a Domain 5-24


5.5.1 Establishing the Configuration Task 5-24
5.5.2 Creating a Domain 5-24
5.5.3 Configuring Authentication, Authorization, and Accounting Schemes for the Domain 5-25
5.5.4 (Optional) Configuring the RADIUS Server Template for the Domain 5-26
5.5.5 (Optional) Configuring the HWTACACS Server Template for the Domain 5-26
5.5.6 (Optional) Configuring the Status of the Domain 5-27
5.5.7 (Optional) Setting the Maximum Number of Access Users for the Domain 5-27
5.5.8 Checking the Configuration 5-28
5.6 Configuring Local User Management 5-28
5.6.1 Establishing the Configuration Task 5-28
5.6.2 Creating Local User Accounts 5-29
5.6.3 (Optional) Configuring the Service Type for Local Users 5-29
5.6.4 (Optional) Configuring the Authority of Accessing the FTP Directory for Local Users 5-30
5.6.5 (Optional) Configuring the Status of Local Users 5-30
5.6.6 (Optional) Setting the Priority of Local Users 5-31
5.6.7 (Optional) Setting the Access Limit for Local Users 5-31
5.6.8 Checking the Configuration 5-32
5.7 Maintaining AAA 5-32
5.7.1 Clearing HWTACACS Statistics 5-32
5.7.2 Debugging AAA 5-32
5.8 Configuration Examples 5-33

6 MAC Address Authentication Configuration 6-1


6.1 Overview of MAC Address Authentication 6-2
6.1.1 Introduction to MAC Address Authentication 6-2
6.1.2 MAC Address Authentication Features Supported by the S-switch 6-3
6.1.3 Update History 6-3
6.2 Configuring MAC Address Authentication 6-3
6.2.1 Establishing the Configuration Task 6-4
6.2.2 Configuring Global MAC Address Authentication 6-4
6.2.3 Configuring MAC Address Authentication on an Interface 6-5
6.2.4 Configuring a MAC Address as a Username for MAC Address Authentication 6-5
6.2.5 Configuring a Fixed Username for a MAC Address Authentication User 6-5
6.2.6 (Optional) Configuring a Domain Name for a MAC Address Authentication User 6-6
6.2.7 (Optional) Configuring Timers for MAC Address Authentication 6-6
6.2.8 Checking the Configuration 6-7
6.3 Configuring Enhanced MAC Address Authentication 6-7
6.3.1 Establishing the Configuration Task 6-7
6.3.2 Configuring a Guest VLAN 6-8
6.3.3 Configuring the Maximum Number of MAC Address Authentication Users on an Interface 6-9
6.3.4 Checking the Configuration 6-9
6.4 Maintaining MAC Address Authentication 6-10
6.4.1 Resetting Statistics of MAC Address Authentication 6-10


6.5 Configuration Examples 6-10
6.5.1 Example for Configuring MAC Address Authentication 6-10

7 802.1X Configuration 7-1
7.1 Overview of 802.1X 7-2
7.1.1 Introduction to 802.1X 7-2
7.1.2 802.1X Authentication System 7-2
7.1.3 802.1X Authentication Process 7-3
7.1.4 Implementation of 802.1X on the S-switch 7-6
7.1.5 Logical Relationships Between Configuration Tasks 7-7
7.1.6 Update History 7-7
7.2 Configuring 802.1X 7-7
7.2.1 Establishing the Configuration Task 7-7
7.2.2 Enabling 802.1X Globally and on the Interface 7-8
7.2.3 (Optional) Setting the Port Access Control Mode 7-8
7.2.4 (Optional) Setting the Port Access Control Method 7-9
7.2.5 (Optional) Setting the Maximum Number of Concurrent Access Users 7-9
7.2.6 (Optional) Enabling DHCP Trigger 7-9
7.2.7 (Optional) Setting the Authentication Method for the 802.1X User 7-10
7.2.8 (Optional) Configuring the Guest VLAN 7-10
7.2.9 (Optional) Setting the Maximum Number of Times for Sending an Authentication Request 7-11
7.2.10 (Optional) Setting the Timer Parameters 7-11
7.2.11 (Optional) Enabling the Quiet-Period Timer 7-11
7.2.12 (Optional) Enabling the Handshake-Period Timer 7-12
7.2.13 Checking the Configuration 7-12
7.3 Configuration Examples 7-13
7.3.1 Example for Configuring 802.1X 7-13

8 NAC Configuration  8-1
8.1 Access Mode of NAC  8-2
8.2 Configuring the NAC Access Based on Web Authentication  8-4
8.2.1 Establishing the Configuration Task  8-5
8.2.2 Configuring the Web Authentication Server  8-5
8.2.3 Configuring the Portal Protocol  8-6
8.2.4 Configuring Mandatory Web Authentication  8-7
8.2.5 Configuring a Non-authentication Rule  8-7
8.2.6 Checking the Configuration  8-8
8.3 Configuring the NAC Access Based on 802.1X Authentication  8-9
8.4 Configuring the NAC Access Based on MAC Address Authentication  8-9
8.5 Configuring the NAC Access Based on MAC Bypass Authentication  8-9
8.5.1 Establishing the Configuration Task  8-9
8.5.2 Enabling 802.1X Globally  8-10
8.5.3 Enabling MAC Bypass Authentication on an Interface  8-10
8.5.4 (Optional) Setting the Port Access Control Mode  8-11
8.5.5 (Optional) Setting the Port Access Control Method  8-11
8.5.6 (Optional) Setting the Maximum Number of Concurrent Access Users  8-12
8.5.7 (Optional) Setting the Authentication Method for the 802.1X User  8-12
8.5.8 (Optional) Configuring the Guest VLAN  8-12
8.5.9 (Optional) Setting the Maximum Number of Times for Sending an Authentication Request  8-13
8.5.10 (Optional) Setting the Timer Parameters  8-13
8.5.11 (Optional) Enabling the Quiet-Period Timer  8-14
8.5.12 (Optional) Enabling the Handshake-Period Timer  8-14
8.5.13 Checking the Configuration  8-14
8.6 Configuration Examples  8-15
8.6.1 Example for Configuring the NAC Access Based on Web Authentication  8-15

9 PPPoE+ Configuration  9-1
9.1 PPPoE+ Overview  9-2
9.2 PPPoE+ Supported by the S-switch  9-2
9.3 Configuring PPPoE+  9-2
9.3.1 Establishing the Configuration Task  9-2
9.3.2 Enabling PPPoE+ Globally  9-3
9.3.3 Configuring Actions for an Interface to Process the Original Fields in PPPoE Packets  9-3
9.3.4 Configuring the Format and Contents of the Fields to be Inserted into PPPoE Packets  9-4
9.3.5 Configuring an Interface to be Trusted  9-4
9.3.6 Checking the Configuration  9-4
9.4 Configuration Examples  9-5
9.4.1 Example for Configuring PPPoE+  9-5


Figures

Figure 1-1 Networking diagram of configuring security protection on an interface  1-6
Figure 2-1 Networking diagram of configuring dynamic MFF  2-8
Figure 3-1 Networking for configuring the defense against Land attacks  3-16
Figure 3-2 Networking for configuring the defense against SYN flood attacks  3-18
Figure 4-1 Networking for the DHCP snooping application on the S-switch  4-3
Figure 4-2 Diagram of preventing the bogus DHCP server attack  4-5
Figure 4-3 Diagram of preventing the middleman attack and IP/MAC spoofing attack  4-8
Figure 4-4 Diagram of preventing the middleman attack and IP/MAC spoofing attack  4-9
Figure 4-5 Networking diagram of preventing the DoS attack by changing the CHADDR field  4-15
Figure 4-6 Networking diagram of preventing the attacker from sending bogus messages for extending IP address leases  4-18
Figure 4-7 Networking for configuring DHCP snooping to prevent attacks against the network  4-29
Figure 5-1 Message exchange between the RADIUS client and the RADIUS server  5-4
Figure 5-2 Message structure defined by RADIUS  5-4
Figure 5-3 Networking diagram of AAA  5-33
Figure 6-1 Networking diagram for configuring local authentication with a fixed username  6-10
Figure 7-1 802.1X authentication system  7-3
Figure 7-2 802.1X authentication process in EAP-MD5 relay mode  7-4
Figure 7-3 802.1X authentication process in EAP termination mode  7-6
Figure 7-4 Authentication through 802.1X and RADIUS  7-13
Figure 8-1 Typical networking of Web authentication  8-2
Figure 8-2 Typical networking of 802.1x authentication  8-3
Figure 8-3 Example for Configuring Web Authentication  8-16
Figure 9-1 Networking diagram of PPPoE+ configurations  9-5


Tables

Table 4-1 Attack types and DHCP snooping working modes  4-3
Table 4-2 Relationship between the type of attacks and the type of discarded packets  4-22
Table 5-1 Comparisons between HWTACACS and RADIUS  5-5


About This Document


Purpose

This document describes procedures and provides examples for configuring the security features of the S-switch. It covers the following topics:

- Feature description
- Data preparation
- Pre-configuration tasks
- Configuration procedures
- Checking the configuration
- Configuration examples

This document guides you through the configuration of the security features of the S-switch and the environments in which they apply.

Related Versions

The following table lists the product versions related to this document.

Product Name    Version
S5300           V100R003

Intended Audience

This document is intended for:

- Commissioning engineers
- Data configuration engineers
- Network monitoring engineers
- System maintenance engineers

Organization

This document is organized as follows.

Chapter 1, Security Protection on Interfaces: describes the basics and configuration of security protection on interfaces.
Chapter 2, MFF Configuration: describes the basics of MAC Forced Forwarding (MFF) and the procedures and examples for configuring MFF.
Chapter 3, Attack Defense Configuration: describes how to implement and configure attack defense on the S-switch.
Chapter 4, DHCP Snooping Configuration: describes the implementation and configuration procedures of DHCP Snooping on the S-switch.
Chapter 5, AAA Configuration: describes the basic concepts and configuration procedures of Authentication, Authorization, and Accounting (AAA), Remote Authentication Dial In User Service (RADIUS), Huawei Terminal Access Controller Access Control System (HWTACACS), domains, and local users.
Chapter 6, MAC Address Authentication Configuration: describes the basic concepts of MAC address authentication, the procedure for configuring it, and configuration examples.
Chapter 7, 802.1X Configuration: describes the basics, methods, and configuration example of 802.1X.
Chapter 8, NAC Configuration: describes the basics, methods, and configuration example of NAC.
Chapter 9, PPPoE+ Configuration: describes the basics, methods, and configuration example of PPPoE Plus.

Conventions

Symbol Conventions

The symbols that may be found in this document are defined as follows.

Symbol      Description
(graphic)   Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
(graphic)   Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injuries.
(graphic)   Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
(graphic)   Indicates a tip that may help you address a problem or save time.
(graphic)   Provides additional information to emphasize or supplement important points of the main text.

General Conventions

Convention         Description
Times New Roman    Normal paragraphs are in Times New Roman.
Boldface           Names of files, directories, folders, and users are in boldface. For example, log in as user root.
Italic             Book titles are in italics.
Courier New        Terminal display is in Courier New. Messages that users input on terminals are displayed in boldface.

Command Conventions

Convention         Description
Boldface           The keywords of a command line are in boldface.
Italic             Command arguments are in italics.
[ ]                Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }    Alternative items are grouped in braces and separated by vertical bars. Exactly one item is selected.
[ x | y | ... ]    Optional items are grouped in brackets and separated by vertical bars. One item or no item is selected.
{ x | y | ... }*   Alternative items are grouped in braces and separated by vertical bars. A minimum of one item and a maximum of all items can be selected.
[ x | y | ... ]*   Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>             The parameter before the & sign can be repeated 1 to n times.
#                  A line starting with the # sign is a comment.

GUI Conventions

Convention   Description
Boldface     Buttons, menus, parameters, tabs, window, and dialog titles are in boldface. For example, click OK.
>            Multi-level menus are in boldface and separated by the ">" sign. For example, choose File > Create > Folder.

Keyboard Operations

Format          Description
Key             Press the key. For example, press Enter and press Tab.
Key 1+Key 2     Press the keys concurrently. For example, pressing Ctrl+Alt+A means the three keys should be pressed concurrently.
Key 1, Key 2    Press the keys in turn. For example, pressing Alt, A means the two keys should be pressed in turn.

Mouse Operation

Action         Description
Click          Select and release the primary mouse button without moving the pointer.
Double-click   Press the primary mouse button twice continuously and quickly without moving the pointer.
Drag           Press and hold the primary mouse button and move the pointer to a certain position.


Update History

Updates between document versions are cumulative. Therefore, the latest document version contains all updates made to previous versions.

Updates in Issue 02 (2009-08-14)

Second commercial release. The document is updated as follows:

- Bugs are fixed.
- The manual version is updated.

Updates in Issue 01 (2009-06-30)

This is the first release.


1 Security Protection on Interfaces

About This Chapter

This chapter describes the basics and configuration of security protection on interfaces.

1.1 Overview of Security Protection on Interfaces
This section describes security protection on interfaces.

1.2 Configuring Security Protection on an Interface
This section describes how to configure security protection on an interface.

1.3 Configuration Examples
This section provides examples of security protection on interfaces.


1.1 Overview of Security Protection on Interfaces

This section describes security protection on interfaces.

1.1.1 Introduction to Security Protection on Interfaces
1.1.2 Security Protection on Interfaces Supported by the S-switch

1.1.1 Introduction to Security Protection on Interfaces

Security protection on interfaces is a network access control mechanism that protects an interface by checking whether the source MAC address of each received frame is valid. A frame whose source MAC address is not valid is treated as an invalid packet, and the protection action configured on the interface is taken.

1.1.2 Security Protection on Interfaces Supported by the S-switch

GigabitEthernet and 10GE interfaces on the S-switch support security protection. After security protection is enabled on an interface, the S-switch considers the following source MAC addresses valid:

- Static MAC addresses that are manually configured
- Dynamic or static MAC addresses in the Dynamic Host Configuration Protocol (DHCP) snooping binding table
- Dynamic MAC addresses learnt before the number of MAC addresses on the interface reaches the configured upper limit

Any other source MAC address is considered invalid. When an interface receives packets with invalid source MAC addresses, the security protection action takes effect on the interface. At present, the S-switch supports the following security protection actions on an interface:

- restrict: The interface neither learns the invalid source MAC address nor forwards the packet. The packet is discarded and a trap is sent to the Network Management System (NMS).
- shutdown: The interface is shut down automatically as soon as it receives a packet with an invalid source MAC address. The interface stays down until you restore it manually.
- protect: The interface neither learns the invalid source MAC address nor forwards the packet. The packet is discarded silently; no trap is sent.

Because a dynamic MAC address learnt before the limit was reached remains valid, hosts that are already learnt keep forwarding when a later, unknown host triggers the restrict or protect action. With the shutdown action, all hosts on the interface lose connectivity until the interface is restored, so choose it only where an interface is expected to carry a fixed, known set of hosts.
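The following is an added example and is not code from the Huawei guide or from the switch firmware. It is a small Python model of the decision logic described in this section: which source MAC addresses count as valid, and what each protect-action does to a frame that fails the check. Names such as SecurePort and run_scenario, the sample MAC addresses, and the assumption that the learning limit counts only dynamically learnt addresses (not static or DHCP snooping entries) are this example's own.

```python
"""Decision logic of security protection on an interface (section 1.1.2).

Added, constructed model; not Huawei code. It implements the documented
rules only: which source MAC addresses count as valid, and what the
restrict, shutdown and protect actions do to a frame with an invalid
source MAC. Assumption: the learning limit counts dynamically learnt
addresses only, not static or DHCP-snooping entries.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class SecurePort:
    """One interface with port-security enable configured."""
    name: str
    limit: int                                  # mac-table limit <limit-number>
    action: str = "restrict"                    # default per section 1.2.4
    static_macs: Set[str] = field(default_factory=set)    # manually configured
    snooping_macs: Set[str] = field(default_factory=set)  # DHCP snooping binding table
    dynamic_macs: Set[str] = field(default_factory=set)   # learnt below the limit
    is_up: bool = True
    traps: List[str] = field(default_factory=list)
    forwarded: int = 0
    discarded: int = 0

    def source_is_valid(self, src_mac: str) -> bool:
        """Apply the three 'valid MAC' rules; learn the MAC if allowed."""
        if src_mac in self.static_macs or src_mac in self.snooping_macs:
            return True
        if src_mac in self.dynamic_macs:
            return True                         # learnt before the limit was hit
        if len(self.dynamic_macs) < self.limit:
            self.dynamic_macs.add(src_mac)      # still room: learn and accept
            return True
        return False                            # over the limit: invalid

    def receive(self, src_mac: str) -> str:
        """Process one inbound frame and report what happened to it."""
        if not self.is_up:
            return "dropped: interface shut down"
        if self.source_is_valid(src_mac):
            self.forwarded += 1
            return "forwarded"
        # Invalid source MAC: no action learns the MAC or forwards the frame.
        self.discarded += 1
        if self.action == "protect":
            return "discarded"
        if self.action == "restrict":
            self.traps.append(f"{self.name}: invalid source MAC {src_mac}")
            return "discarded, trap sent"
        if self.action == "shutdown":
            self.is_up = False                  # stays down until restored manually
            return "discarded, interface shut down"
        raise ValueError(f"unknown protect-action {self.action!r}")

    def restore(self) -> None:
        """Manual recovery after the shutdown action has fired."""
        self.is_up = True


def run_scenario(action: str) -> Dict[str, object]:
    """Constructed traffic on GigabitEthernet0/0/1 with mac-table limit 2.

    One static entry, two hosts learnt dynamically, then a fourth MAC that
    exceeds the limit, then a frame from an already-learnt host.
    """
    port = SecurePort("GigabitEthernet0/0/1", limit=2, action=action,
                      static_macs={"00e0-fc00-0001"})
    frames = [
        "00e0-fc00-0001",   # static entry: always valid
        "00e0-fc00-0010",   # learnt dynamically (1 of 2)
        "00e0-fc00-0011",   # learnt dynamically (2 of 2)
        "00e0-fc00-0099",   # limit reached: invalid, action fires
        "00e0-fc00-0010",   # known host after the violation
    ]
    results = [port.receive(mac) for mac in frames]
    return {"results": results, "up": port.is_up,
            "traps": len(port.traps), "forwarded": port.forwarded}


if __name__ == "__main__":
    for act in ("protect", "restrict", "shutdown"):
        print(act, run_scenario(act))
```

Running the same five frames under each action makes the operational difference visible: protect and restrict drop only the offending frame (restrict also raises a trap) and the already-learnt host keeps working, whereas shutdown takes the whole interface down and the legitimate host's next frame is lost until restore() is called.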

1.2 Configuring Security Protection on an Interface

This section describes how to configure security protection on an interface.

1.2.3 Enabling Security Protection on an Interface is the prerequisite for 1.2.4 (Optional) Configuring the Security Protection Action for an Interface. That is, you can configure the protection action for an interface only after security protection has been enabled on that interface.

1.2.1 Establishing the Configuration Task
1.2.2 Configuring the Limit on the Number of MAC Addresses Learnt by an Interface
1.2.3 Enabling Security Protection on an Interface
1.2.4 (Optional) Configuring the Security Protection Action for an Interface
1.2.5 (Optional) Configuring an Interface to Convert Secure Dynamic MAC Addresses to Static MAC Addresses
1.2.6 Checking the Configuration

1.2.1 Establishing the Configuration Task

Applicable Environment

After security protection is enabled on an interface, the device protects the interface by controlling packets with invalid source MAC addresses.

Pre-configuration Tasks

None.

Data Preparation

Before configuring security protection on an interface, you need the following data.

No.   Data
1     Number of the interface
2     Maximum number of MAC addresses that can be learnt on the interface, and the number of static MAC addresses on the interface

1.2.2 Configuring the Limit on the Number of MAC Addresses Learnt by an Interface

Context

Do as follows on the device on which the limit on the number of MAC addresses learnt by an interface is to be configured.

Procedure

Step 1 Run:
    system-view

The system view is displayed.

Step 2 Run:
    mac-address restrict

MAC address learning restriction and forwarding restriction are enabled on the interfaces of the device.

Step 3 Run:
    mac-table limit interface-type interface-number limit-number

The limit on the number of MAC addresses that the interface can learn is configured.

By default, MAC address learning restriction and forwarding restriction are disabled on the interfaces of the device; that is, there is no limit on the number of MAC addresses an interface can learn.

----End

1.2.3 Enabling Security Protection on an Interface

Context

Do as follows on the device on which security protection on an interface is to be enabled.

Procedure

Step 1 Run:
    system-view

The system view is displayed.

Step 2 Run:
    interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
    port-security enable

Security protection is enabled on the interface.

By default, security protection is disabled on the interfaces of the device.

----End

1.2.4 (Optional) Configuring the Security Protection Action for an Interface

Context

Do as follows on the device on which the security protection action for an interface is to be configured.

Procedure

Step 1 Run:
    system-view

The system view is displayed.

Step 2 Run:
    interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
    port-security protect-action { protect | restrict | shutdown }

The security protection action is configured for the interface.

By default, the security protection action on an interface is restrict.

----End

1.2.5 (Optional) Configuring an Interface to Convert Secure Dynamic MAC Addresses to Static MAC Addresses

Context

Do as follows on the device on which the secure dynamic MAC addresses of an interface are to be converted to static MAC addresses.

Procedure

Step 1 Run:
    system-view

The system view is displayed.

Step 2 Run:
    interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
    port-security dynamic-to-static mac-address { all | mac-address vlan vlan-id }

The secure dynamic MAC addresses on the interface, either all of them or the specified MAC address in the specified VLAN, are converted into static MAC addresses.

----End

1.2.6 Checking the Configuration

Run the following command to check the previous configuration.

Action: Check the configuration on interfaces.
Command:
    display current-configuration [ configuration [ configuration-type ] | controller | interface interface-type [ interface-number ] ] [ | { begin | exclude | include } regular-expression ]

1.3 Configuration Examples

This section provides examples of security protection on interfaces.

1.3.1 Example for Configuring Security Protection on an Interface
1.3.1 Example for Configuring Security Protection on an Interface

Networking Requirements

In the network shown in Figure 1-1, security protection must be enabled on GigabitEthernet 0/0/1 of the S-switch to protect the interface, and the security protection action on the interface must be set to shutdown.

Figure 1-1 Networking diagram of configuring security protection on an interface

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure the limit on the number of MAC addresses learnt by the interface.
2. Enable security protection on the interface.
3. Configure the security protection action for the interface.

Data Preparation

To complete the configuration, you need the following data:

- Number of the interface
- Maximum number of MAC addresses learnt by the interface, which is set to 100

Configuration Procedure

1. Configure the limit on the number of MAC addresses learnt by the interface.

    <Quidway> system-view
    [Quidway] mac-address restrict
    [Quidway] interface GigabitEthernet 0/0/1
    [Quidway-GigabitEthernet0/0/1] mac-table limit 100

2. Enable security protection on the interface.

    [Quidway-GigabitEthernet0/0/1] port-security enable

3. Set the security protection action on the interface to shutdown.

    [Quidway-GigabitEthernet0/0/1] port-security protect-action shutdown

4. Verify the configuration.

# Run the display current-configuration command, or display this in the interface view, to check the configuration of security protection on the interface.

    [Quidway-GigabitEthernet0/0/1] display this
    #
    interface GigabitEthernet0/0/1
     mac-table limit 100
     port-security enable
     port-security protect-action shutdown
    #
    return

Configuration Files

Configuration file of the S-switch

    #
     sysname Quidway
    #
     mac-address restrict
    #
    interface GigabitEthernet0/0/1
     mac-table limit 100
     port-security enable
     port-security protect-action shutdown


2 MFF Configuration

About This Chapter

This chapter describes the basics of MAC Forced Forwarding (MFF) and the procedures and examples for configuring MFF.

2.1 Introduction to MFF
This section describes the definition, principle, and specification of MFF.

2.2 Configuring MFF
In an access network, configuring MFF implements Layer 2 isolation between user hosts and forces the traffic between user hosts to be forwarded through the access routers (ARs).

2.3 Configuration Examples
This section provides several configuration examples of MFF.


2.1 Introduction to MFF

This section describes the definition, principle, and specification of MFF.

2.1.1 MFF Overview
2.1.2 MFF Functions Supported by the S-switch
2.1.3 Update History

2.1.1 MFF Overview

In traditional Ethernet networking, Virtual Local Area Networks (VLANs) are used on the switch to implement Layer 2 isolation and Layer 3 interconnection between clients. If a large number of users need to be isolated at Layer 2, a large number of VLANs are consumed, and to interconnect the clients at Layer 3 you must plan a separate IP network segment for each VLAN and assign an IP address to each VLANIF interface. Dividing the network into many VLANs therefore wastes IP address space.

MFF solves these problems by implementing Layer 2 isolation and Layer 3 interconnection between clients in the same broadcast domain. MFF intercepts Address Resolution Protocol (ARP) requests and answers them through proxy ARP with the MAC address of the gateway. In this manner, all traffic, including traffic between hosts in the same subnet, is forced through the gateway, where it can be monitored. This prevents malicious attacks between user hosts and improves the security of the network deployment.

MFF involves two interface roles: the user interface and the network interface.

1. User interface

The MFF user interface is the interface connected to network terminal users. The user interface processes packets as follows:

- Permits protocol packets to pass through.
- Sends ARP packets and Dynamic Host Configuration Protocol (DHCP) packets to the CPU for processing.
- If the MAC address of the gateway has been learnt, permits only the unicast packets whose destination MAC address is the MAC address of the gateway to pass through, and discards all other packets.
- If the MAC address of the gateway has not been learnt, discards unicast packets destined for the gateway as well.
- Discards multicast and broadcast packets.

2. Network interface

The MFF network interface is the interface connected to another network device, such as an access switch, a convergence switch, or the gateway. The network interface processes packets as follows:

- Permits multicast packets and DHCP packets to pass through.
- Sends ARP packets to the CPU for processing.
- Discards other broadcast packets.
NOTE

The interfaces that connect to upstream devices and the gateway, the interfaces connected to other downstream MFF devices in a cascaded network where multiple MFF devices are connected, and the interfaces connecting devices in a ring network should all be configured as network interfaces. The network interface is a role assigned to an interface and is independent of the position of the interface in the network. In a VLAN where MFF is enabled, every interface is either a network interface or a user interface.
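The added example below is not code from the Huawei guide; it is a Python model of the per-role packet handling listed in section 2.1.1, written so the two rule lists can be compared on the same sample frames. The Frame and policy_table names, the sample MAC addresses, and the 'kind' field (standing in for the switch's EtherType/UDP-port classification) are this example's own. The text does not say what a network interface does with unicast data; the model forwards it and marks that as an assumption.

```python
"""Per-role packet handling of an MFF-enabled VLAN (section 2.1.1).

Added, constructed model; not Huawei code. Each branch corresponds to
one rule in the user-interface and network-interface lists above. The
frame 'kind' field stands in for the classification the switch does on
EtherType/UDP port; 'protocol' means a control-protocol packet. What a
network interface does with unicast data is not stated in the text, so
this model forwards it (assumption).
"""
from dataclasses import dataclass
from typing import Dict, Optional

BROADCAST = "ffff-ffff-ffff"


@dataclass(frozen=True)
class Frame:
    dst_mac: str   # Huawei notation, e.g. 00e0-fc12-3456
    kind: str      # "arp", "dhcp", "protocol" or "data"


def is_group_address(mac: str) -> bool:
    """Multicast (and broadcast): the I/G bit of the first octet is set."""
    return int(mac[:2], 16) & 0x01 == 0x01


def user_interface(frame: Frame, gateway_mac: Optional[str]) -> str:
    """Action on a frame received from a user host."""
    if frame.kind == "protocol":
        return "forward"                        # protocol packets pass through
    if frame.kind in ("arp", "dhcp"):
        return "to-cpu"                         # ARP/DHCP handled by MFF itself
    if frame.dst_mac == BROADCAST or is_group_address(frame.dst_mac):
        return "discard"                        # no multicast/broadcast between users
    if gateway_mac is not None and frame.dst_mac == gateway_mac:
        return "forward"                        # unicast to the learnt gateway only
    return "discard"                            # any other unicast, or gateway unknown


def network_interface(frame: Frame) -> str:
    """Action on a frame received from the network side (gateway, other switches)."""
    if frame.kind == "arp":
        return "to-cpu"                         # needed for gateway MAC learning / proxy
    if frame.kind == "dhcp":
        return "forward"                        # DHCP passes towards the users
    if frame.dst_mac == BROADCAST:
        return "discard"                        # other broadcasts are not forwarded
    if is_group_address(frame.dst_mac):
        return "forward"                        # multicast passes
    return "forward"                            # unicast data (assumption, see docstring)


def policy_table(gateway_mac: Optional[str]) -> Dict[str, Dict[str, str]]:
    """Constructed sample frames run through both roles, for comparison."""
    gw = gateway_mac or "00e0-fc00-0001"
    samples = {
        "unicast to gateway": Frame(gw, "data"),
        "unicast to other host": Frame("00e0-fc00-0020", "data"),
        "broadcast data": Frame(BROADCAST, "data"),
        "multicast data": Frame("0100-5e00-0001", "data"),
        "ARP request": Frame(BROADCAST, "arp"),
        "DHCP discover": Frame(BROADCAST, "dhcp"),
        "control protocol": Frame("0180-c200-0000", "protocol"),
    }
    return {name: {"user": user_interface(f, gateway_mac),
                   "network": network_interface(f)}
            for name, f in samples.items()}


if __name__ == "__main__":
    for name, actions in policy_table("00e0-fc00-0001").items():
        print(f"{name:24} user={actions['user']:8} network={actions['network']}")
```

The table printed by policy_table shows the security property of the scheme in one place: on a user interface nothing reaches another user directly (unicast to a peer, broadcast and multicast are all discarded), and until the gateway MAC is known even unicast towards the gateway is dropped, which is why gateway detection (section 2.1.2) matters operationally.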

2.1.2 MFF Functions Supported by the S-switch


Static Gateway
The static gateway is applied in a scenario where the IP address is configured statically because the information about the gateway cannot be obtained through DHCP packets. When configuring the IP address statically, you need to maintain an IP address of the static gateway in a VLAN. If the IP address of the static gateway is not configured, user hosts except for valid user hosts dynamically allocated by DHCP cannot communicate normally.

Detection and Maintenance of the MAC Address of the Gateway


If timing detection of the gateway is configured, the gateway is detected periodically. Bogus ARP packets are used for the detection; their source IP address and source MAC address are taken from the user list recorded by MFF. Generally, the IP address and MAC address of the first user recorded by MFF are selected. If the entry of this user is deleted, the user information used in the bogus ARP packets is re-selected. If no user host corresponds to the gateway after the user entry is deleted, the detection information about the gateway is cleared.

Proxy ARP
Proxy ARP ensures Layer 3 interconnection between user hosts. In addition, proxy ARP reduces the number of broadcast packets at the network side and at the user side. MFF processes ARP packets as follows:
- Responds to ARP requests from user hosts. MFF replies to the user host on behalf of the gateway so that packets between users are forwarded at Layer 3 through the gateway. ARP requests from user hosts include ARP requests for the gateway and ARP requests for the IP addresses of other users.
- Responds to ARP requests from the gateway. MFF replies to the gateway on behalf of the user host. If the entry requested by the gateway exists on the MFF device, the response is sent according to the entry; if the entry does not exist, the request is forwarded. In this manner, broadcast packets are reduced.
- Monitors ARP packets in the network and updates the mapping table between the IP address and the MAC address of the gateway.
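The user-interface and network-interface rules, the proxy-ARP behaviour and the gateway probe from the passages above, modelled as an added example (not the S-switch implementation): the frame fields, the verdict names, and the rule that a user's ARP request is forwarded unchanged while the gateway MAC is still unknown are constructed assumptions.

```python
"""Model of MFF interface roles, proxy ARP and gateway probing (added illustration)."""
from dataclasses import dataclass, field

BCAST = "ffff-ffff-ffff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    kind: str                 # "arp-request", "arp-reply", "dhcp", "protocol" or "ip"
    arp_sender_ip: str = ""   # ARP payload fields, only meaningful for ARP kinds
    arp_target_ip: str = ""
    multicast: bool = False   # group or broadcast destination MAC


@dataclass
class MffVlan:
    gateway_ip: str
    gateway_mac: str = ""                       # learnt from ARP or static-gateway detection
    users: dict = field(default_factory=dict)   # user IP -> user MAC, fed by DHCP snooping

    def user_port(self, f):
        """Verdict for a frame received on a user interface."""
        if f.kind == "protocol":
            return "forward"
        if f.kind in ("arp-request", "arp-reply", "dhcp"):
            return "to-cpu"
        if f.multicast:
            return "drop"                       # no multicast/broadcast from users
        if self.gateway_mac and f.dst_mac == self.gateway_mac:
            return "forward"                    # only traffic bound for the learnt gateway
        return "drop"                           # includes direct user-to-user unicast

    def network_port(self, f):
        """Verdict for a frame received on a network interface."""
        if f.kind in ("arp-request", "arp-reply"):
            return "to-cpu"
        if f.kind == "dhcp":
            return "forward"
        if f.multicast:
            return "drop" if f.dst_mac == BCAST else "forward"   # multicast yes, broadcast no
        return "forward"                        # unicast toward a user (assumption)

    def handle_arp(self, f, from_user_side):
        """Proxy-ARP decision for a frame the CPU received: ("reply", mac) or ("forward", None)."""
        if f.kind == "arp-reply":
            if f.arp_sender_ip == self.gateway_ip:
                self.gateway_mac = f.src_mac    # keep the gateway IP->MAC mapping current
            return ("forward", None)
        if f.kind != "arp-request":
            raise ValueError("handle_arp expects an ARP frame")
        if from_user_side:
            # A user asking for the gateway or for another user gets the gateway
            # MAC either way, so user-to-user traffic is forced through the gateway.
            if not self.gateway_mac:
                return ("forward", None)        # assumption: gateway unknown, let it through
            return ("reply", self.gateway_mac)
        mac = self.users.get(f.arp_target_ip)   # the gateway asking for a user
        return ("reply", mac) if mac else ("forward", None)

    def gateway_probe(self):
        """Timing detection: ARP request for the gateway using the first recorded user."""
        if not self.users:
            return None                         # no user left: detection state is cleared
        ip, mac = next(iter(self.users.items()))
        return Frame(mac, BCAST, "arp-request", arp_sender_ip=ip, arp_target_ip=self.gateway_ip)
```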

Deploying the Server in a Network


The IP address of the server can be the IP address of the DHCP server, the IP address of the server bearing other services, or the virtual IP address of the Virtual Router Redundancy Protocol (VRRP). If ARP requests with the source IP address as the IP address of the server are received at the network side, MFF responds to these ARP requests of the server as follows:
- MFF forwards the packets sent from the user host to the server through the gateway.
- MFF forwards the packets sent from the server to the user host without using the gateway.

2.1.3 Update History


Version: V200R002C01B010
Revision: This is the first release.

2.2 Configuring MFF


In an access network, configuring MFF implements Layer 2 isolation between user hosts and forces the traffic between user hosts to be forwarded through ARs.

2.2.1 Establishing the Configuration Task
2.2.2 Enabling MFF Globally
2.2.3 Configuring an MFF Network Interface
2.2.4 Enabling MFF in a VLAN
2.2.5 (Optional) Assigning an IP Address to the Static Gateway
2.2.6 (Optional) Enabling Timing Detection of the MAC Address of the Gateway
2.2.7 (Optional) Assigning an IP Address to the Server
2.2.8 Checking the Configuration

2.2.1 Establishing the Configuration Task


Applicable Environment
In the Metro Ethernet network at the access layer, you can configure MFF to implement the following functions:
- Isolate multiple access users at Layer 2.
- Forward the traffic between user hosts through ARs at Layer 3 so that user traffic can be filtered, scheduled, and charged.

Pre-configuration Tasks
Before configuring basic MFF functions, complete the following tasks: If there are user hosts whose IP addresses are allocated dynamically, you need to:
- Enable DHCP snooping.
- Set the trusted interface of DHCP snooping.

Data Preparation
To configure basic MFF functions, you need the following data.
No.  Data
1    ID of the VLAN where MFF needs to be configured
2    Number of the network interface
3    IP address of the static gateway
4    IP address of the server

2.2.2 Enabling MFF Globally


Context
Do as follows on the AN.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
mac-forced-forwarding enable

MFF is enabled globally.

----End

2.2.3 Configuring an MFF Network Interface


Context
Do as follows on the AN.

Procedure
Step 1 Run:
interface interface-type interface-number

The interface view is displayed.

Step 2 Run:
mac-forced-forwarding network-port

The interface is configured as the MFF network interface.


NOTE

This configuration can be performed before MFF is enabled, but takes effect only after MFF is enabled.

----End
2.2.4 Enabling MFF in a VLAN


Context
Do as follows on the AN.

Procedure
Step 1 Run:
vlan vlan-id

The VLAN view is displayed.

Step 2 Run:
mac-forced-forwarding enable

MFF is enabled in the VLAN.


NOTE

If the device does not have enough free entries, the MFF configuration fails.

----End

2.2.5 (Optional) Assigning an IP Address to the Static Gateway


Context
Do as follows on the AN.

Procedure
Step 1 Run:
vlan vlan-id

The VLAN view is displayed.

Step 2 Run:
mac-forced-forwarding static-gateway ip-address

An IP address is assigned to the static gateway.

----End

2.2.6 (Optional) Enabling Timing Detection of the MAC Address of the Gateway
Context
Do as follows on the AN.
Procedure
Step 1 Run:
vlan vlan-id

The VLAN view is displayed.

Step 2 Run:
mac-forced-forwarding gateway-detect

Detection of the MAC address of the gateway is enabled in the VLAN.

----End

2.2.7 (Optional) Assigning an IP Address to the Server


Context
Do as follows on the AN.

Procedure
Step 1 Run:
vlan vlan-id

The VLAN view is displayed.

Step 2 Run:
mac-forced-forwarding server ip-address &<1-10>

An IP address is assigned to the server deployed in the network.

----End

2.2.8 Checking the Configuration


Run the following commands to check the previous configuration.

Action                                                        Command
Check information about the MFF network interface.            display mac-forced-forwarding network-port
Check information about the MFF user and gateway in a VLAN.   display mac-forced-forwarding vlan vlan-id

Run the display mac-forced-forwarding network-port command, and you can view information about the network interface in a VLAN where MFF is enabled. For example:
[Quidway] display mac-forced-forwarding network-port
-------------------------------------------------------------------------------
VLAN ID          Network-ports
-------------------------------------------------------------------------------
VLAN 111         GigabitEthernet0/0/4


Run the display mac-forced-forwarding vlan vlan-id command, and you can view information about the MFF user and gateway in a specified VLAN. For example:
[Quidway] display mac-forced-forwarding vlan 111
---------------------------------------------------------------------------
Servers  (none)
---------------------------------------------------------------------------
User IP          User MAC          Gateway IP        Gateway MAC
---------------------------------------------------------------------------
10.1.1.1         0000-0001-0101    10.1.1.100        0000-0001-0200
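A parser for the display mac-forced-forwarding vlan output above, with a check that every user's recorded gateway matches the one the VLAN should use, added here as an example (not Huawei code); the column spacing in SAMPLE and the second user row are constructed.

```python
"""Parse and audit 'display mac-forced-forwarding vlan' output (added illustration)."""
import re

# Constructed sample in the layout of the example above (second row added).
SAMPLE = """\
[Quidway] display mac-forced-forwarding vlan 111
---------------------------------------------------------------------------
Servers  (none)
---------------------------------------------------------------------------
User IP          User MAC          Gateway IP        Gateway MAC
---------------------------------------------------------------------------
10.1.1.1         0000-0001-0101    10.1.1.100        0000-0001-0200
10.1.1.2         0000-0001-0102    10.1.1.100        0000-0001-0200
"""

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
_MAC = r"[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}"
_ROW = re.compile(rf"^\s*({_IP})\s+({_MAC})\s+({_IP})\s+({_MAC})\s*$")
_SERVERS = re.compile(r"^\s*Servers\s+(.*?)\s*$")


def parse_mff_vlan(text):
    """Return {'servers': [...], 'users': [{'user_ip', 'user_mac', 'gw_ip', 'gw_mac'}, ...]}."""
    result = {"servers": [], "users": []}
    for line in text.splitlines():
        m = _SERVERS.match(line)
        if m:
            value = m.group(1)
            result["servers"] = [] if value == "(none)" else value.split()
            continue
        m = _ROW.match(line)
        if m:
            user_ip, user_mac, gw_ip, gw_mac = m.groups()
            result["users"].append({"user_ip": user_ip, "user_mac": user_mac.lower(),
                                    "gw_ip": gw_ip, "gw_mac": gw_mac.lower()})
    return result


def audit(parsed, expected_gw_ip, expected_gw_mac=None):
    """Flag user bindings that disagree with the gateway the VLAN is meant to use.
    Every user's traffic is forced toward the MAC recorded here, so a gateway MAC
    that differs between users, or from the known one, deserves a look."""
    findings = []
    macs = {u["gw_mac"] for u in parsed["users"]}
    if len(macs) > 1:
        findings.append(f"inconsistent gateway MACs: {sorted(macs)}")
    for u in parsed["users"]:
        if u["gw_ip"] != expected_gw_ip:
            findings.append(f"{u['user_ip']}: gateway IP {u['gw_ip']} != {expected_gw_ip}")
        if expected_gw_mac and u["gw_mac"] != expected_gw_mac.lower():
            findings.append(f"{u['user_ip']}: gateway MAC {u['gw_mac']} != {expected_gw_mac.lower()}")
    return findings
```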

2.3 Configuration Examples


This section provides several configuration examples of MFF.

2.3.1 Example for Configuring MFF

2.3.1 Example for Configuring MFF


Networking Requirements
As shown in Figure 2-1, all user hosts obtain IP addresses dynamically through the DHCP server. It is required that all user hosts should be interconnected through the AR.

Figure 2-1 Networking diagram of configuring dynamic MFF

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure DHCP snooping.
2. Enable MFF globally.
3. Configure MFF network interfaces.
4. Enable MFF in a VLAN.
5. (Optional) Configure timing detection of the gateway.
6. (Optional) Configure the server.

Data Preparation
To complete the configuration, you need the following data:
- ID of the VLAN where MFF needs to be configured
- Number of the network interface
- IP address of the static gateway
- (Optional) IP address of the server

Configuration Procedure
1. Configure DHCP snooping.
# Configure DHCP snooping globally on S-switch-A.
[S-switch-A] dhcp snooping enable

# Configure DHCP snooping in a VLAN on S-switch-A.
[S-switch-A] vlan 2
[S-switch-A-vlan2] dhcp snooping enable

# Configure GigabitEthernet 0/0/4 as the trusted interface on S-switch-A.
[S-switch-A-vlan2] dhcp snooping trusted interface gigabitethernet0/0/4
[S-switch-A-vlan2] quit

# Configure DHCP snooping globally on S-switch-B.
[S-switch-B] dhcp snooping enable

# Configure DHCP snooping in a VLAN on S-switch-B.
[S-switch-B] vlan 2
[S-switch-B-vlan2] dhcp snooping enable

# Configure GigabitEthernet 0/0/1 as the trusted interface on S-switch-B.
[S-switch-B-vlan2] dhcp snooping trusted interface gigabitethernet0/0/1
[S-switch-B-vlan2] quit

2. Enable MFF globally.
# Enable MFF globally on S-switch-A.


[S-switch-A] mac-forced-forwarding enable

# Enable MFF globally on S-switch-B.


[S-switch-B] mac-forced-forwarding enable

3. Configure MFF network interfaces.
# Configure GigabitEthernet 0/0/4 as the MFF network interface on S-switch-A.
[S-switch-A] interface gigabitethernet0/0/4
[S-switch-A-GigabitEthernet0/0/4] mac-forced-forwarding network-port
[S-switch-A-GigabitEthernet0/0/4] quit

# Configure GigabitEthernet 0/0/1 and GigabitEthernet 0/0/2 as MFF network interfaces on S-switch-B.
[S-switch-B] interface gigabitethernet0/0/1
[S-switch-B-GigabitEthernet0/0/1] mac-forced-forwarding network-port
[S-switch-B-GigabitEthernet0/0/1] quit
[S-switch-B] interface gigabitethernet0/0/2
[S-switch-B-GigabitEthernet0/0/2] mac-forced-forwarding network-port
[S-switch-B-GigabitEthernet0/0/2] quit

4. Enable MFF in a VLAN.
# Enable MFF in VLAN 2 on S-switch-A.
[S-switch-A] vlan 2
[S-switch-A-vlan2] mac-forced-forwarding enable

# Enable MFF in VLAN 2 on S-switch-B.
[S-switch-B] vlan 2
[S-switch-B-vlan2] mac-forced-forwarding enable

5. (Optional) Configure timing detection of the gateway.
# Configure timing detection of the gateway on S-switch-A.
[S-switch-A-vlan2] mac-forced-forwarding gateway-detect

# Configure timing detection of the gateway on S-switch-B.


[S-switch-B-vlan2] mac-forced-forwarding gateway-detect

6. (Optional) Configure the server.
# Configure the server on S-switch-A.


[S-switch-A-vlan2] mac-forced-forwarding server 10.10.0.1

# Configure the server on S-switch-B.


[S-switch-B-vlan2] mac-forced-forwarding server 10.10.0.1

Configuration Files

- Configuration file of S-switch-A

#
 sysname S-switch-A
#
vlan batch 2
#
dhcp snooping enable
mac-forced-forwarding enable
#
vlan 2
 dhcp snooping enable
 dhcp snooping trusted interface GigabitEthernet0/0/4
 mac-forced-forwarding enable
 mac-forced-forwarding gateway-detect
 mac-forced-forwarding server 10.10.0.1
#
interface GigabitEthernet0/0/1
 port default vlan 2
#
interface GigabitEthernet0/0/2
 port default vlan 2
#
interface GigabitEthernet0/0/3
 port default vlan 2
#
interface GigabitEthernet0/0/4
 port trunk allow-pass vlan 2
 mac-forced-forwarding network-port
#
return

- Configuration file of S-switch-B

#
 sysname S-switch-B
#
vlan batch 2
#
dhcp snooping enable
mac-forced-forwarding enable
#
vlan 2
 dhcp snooping enable
 dhcp snooping trusted interface GigabitEthernet0/0/1
 mac-forced-forwarding enable
 mac-forced-forwarding gateway-detect
 mac-forced-forwarding server 10.10.0.1
#
interface GigabitEthernet0/0/1
 port trunk allow-pass vlan 2
 mac-forced-forwarding network-port
#
interface GigabitEthernet0/0/2
 port trunk allow-pass vlan 2
 mac-forced-forwarding network-port
#
interface GigabitEthernet0/0/3
 port default vlan 2
#
return

3 Attack Defense Configuration

About This Chapter

This chapter describes how to implement and configure attack defense on the S-switch.

3.1 Overview of Attack Defense
This section describes the concepts and types of attack defense.

3.2 Configuring the Defense Against IP Spoofing Attacks
This section describes how to configure the defense against IP spoofing attacks.

3.3 Configuring the Defense Against Land Attacks
This section describes how to configure the defense against Land attacks.

3.4 Configuring the Defense Against Smurf Attacks
This section describes how to configure the defense against Smurf attacks.

3.5 Configuring the Defense Against SYN Flood Attacks
This section describes how to configure the defense against SYN flood attacks.

3.6 Configuring the Defense Against ICMP Flood Attacks
This section describes how to configure the defense against ICMP flood attacks.

3.7 Configuring the Defense Against Ping of Death Attacks
This section describes how to configure the defense against Ping of Death attacks.

3.8 Configuring the Defense Against Teardrop Attacks
This section describes how to configure the defense against Teardrop attacks.

3.9 Debugging Attack Defense
This section describes how to debug attack defense.

3.10 Configuration Examples
This section provides several configuration examples of attack defense.


3.1 Overview of Attack Defense


This section describes the concepts and types of attack defense.

3.1.1 Introduction to Attack Defense
3.1.2 Attack Defense Supported by the S-switch
3.1.3 Logical Relationships Between Configuration Tasks

3.1.1 Introduction to Attack Defense


Network attacks are generally launched in the following ways:

- The attacker intrudes into or damages a network server (a host) to steal sensitive data or to interrupt the server's service.
- The attacker directly damages network devices, which causes network services to become abnormal or even to be interrupted.

With the attack defense function, the S-switch can identify the types of network attacks and protect the Intranet against malicious attacks to ensure normal running of the system.

3.1.2 Attack Defense Supported by the S-switch


The S-switch defends the system against the following attacks:
- Denial of Service (DoS) attack: The attacker consumes a large quantity of system resources by sending numerous unsolicited packets or forged connection packets to the S-switch. As a result, the S-switch reboots or crashes, interrupting normal services.
- Malformed packet attack: The attacker sends a defective IP packet to the S-switch, causing the system to crash while processing the packet.

3.1.3 Logical Relationships Between Configuration Tasks


To protect the S-switch against attacks, you can configure the following attack defense functions. The configuration tasks are not listed in any particular sequence; configure them as required.

- 3.2 Configuring the Defense Against IP Spoofing Attacks
- 3.3 Configuring the Defense Against Land Attacks
- 3.7 Configuring the Defense Against Ping of Death Attacks
- 3.8 Configuring the Defense Against Teardrop Attacks
- 3.6 Configuring the Defense Against ICMP Flood Attacks

To protect an Intranet connected to the S-switch against attacks, you can configure the following attack defense functions. The configuration tasks are not listed in any particular sequence; configure them as required.

- 3.4 Configuring the Defense Against Smurf Attacks
- 3.5 Configuring the Defense Against SYN Flood Attacks
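The packet checks behind the attack types this chapter covers (IP spoofing, Land, Smurf, SYN flood, ICMP flood, Ping of Death and Teardrop), written as an added example for this guide rather than S-switch code; the Intranet prefix, the Extranet VLANIF name, the broadcast addresses and the per-IP max-rate values are constructed, and classifying an Intranet source address that arrives from the Extranet side as spoofing is an assumption about how the defense works.

```python
"""Packet-level checks behind the attack defense features (added illustration)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology: Intranet prefix behind the S-switch, Extranet-facing VLANIF.
INTRANET = ip_network("10.1.0.0/16")
EXTRANET_IF = "Vlanif20"
BROADCASTS = {ip_address("10.1.255.255"), ip_address("255.255.255.255")}
MAX_DATAGRAM = 65535          # largest legal IP datagram

@dataclass
class Pkt:
    """Just the header fields the checks look at (constructed model)."""
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    iface: str                # VLANIF the packet arrived on
    ts: float                 # arrival time, seconds
    length: int = 0           # bytes after the IP header
    tcp_flags: frozenset = frozenset()
    icmp_type: int = -1
    ident: int = 0            # IP identification field
    frag_off: int = 0         # fragment offset in 8-byte units, as on the wire
    more_frags: bool = False

def is_ip_spoofing(p):
    # Assumption: an Intranet source address arriving from the Extranet is forged.
    return p.iface == EXTRANET_IF and ip_address(p.src) in INTRANET

def is_land(p):
    return p.src == p.dst     # Land: source and destination are the same host

def is_smurf(p):
    # ICMP echo request (type 8) aimed at a broadcast address
    return p.proto == "icmp" and p.icmp_type == 8 and ip_address(p.dst) in BROADCASTS

class FragmentTracker:
    """Per-datagram fragment bookkeeping that spots Teardrop overlap and
    Ping of Death oversize before any reassembly buffer is filled."""
    def __init__(self):
        self.ranges = defaultdict(list)   # (src, dst, ident) -> [(start, end), ...]

    def check(self, p):
        if p.frag_off == 0 and not p.more_frags:
            return None                   # not fragmented
        start = p.frag_off * 8
        end = start + p.length
        if end > MAX_DATAGRAM:
            return "ping-of-death" if p.proto == "icmp" else "oversize-fragment"
        key = (p.src, p.dst, p.ident)
        for s, e in self.ranges[key]:
            if start < e and s < end:     # byte ranges intersect
                return "teardrop"
        self.ranges[key].append((start, end))
        return None

class FloodMeter:
    """Packets per second toward each destination over a 1 s sliding window;
    per_ip mirrors the 'ip ip-address max-rate rate-number' knob."""
    def __init__(self, default_max, per_ip=None):
        self.default_max = default_max
        self.per_ip = per_ip or {}
        self.win = defaultdict(deque)

    def exceeds(self, dst, ts):
        q = self.win[dst]
        q.append(ts)
        while ts - q[0] >= 1.0:
            q.popleft()
        return len(q) > self.per_ip.get(dst, self.default_max)

class Detector:
    def __init__(self, syn_max=100, icmp_max=100, syn_per_ip=None, icmp_per_ip=None):
        self.frags = FragmentTracker()
        self.syn = FloodMeter(syn_max, syn_per_ip)
        self.icmp = FloodMeter(icmp_max, icmp_per_ip)

    def classify(self, p):
        """Name of the first matching attack, or None for a packet that passes."""
        if is_ip_spoofing(p):
            return "ip-spoofing"
        if is_land(p):
            return "land"
        if is_smurf(p):
            return "smurf"
        verdict = self.frags.check(p)
        if verdict:
            return verdict
        if p.proto == "tcp" and p.tcp_flags == {"SYN"} and self.syn.exceeds(p.dst, p.ts):
            return "syn-flood"            # bare SYNs (no ACK) above the allowed rate
        if p.proto == "icmp" and self.icmp.exceeds(p.dst, p.ts):
            return "icmp-flood"
        return None
```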

3.2 Configuring the Defense Against IP Spoofing Attacks


This section describes how to configure the defense against IP spoofing attacks.
3.2.1 Establishing the Configuration Task
3.2.2 Configuring the Defense Against IP Spoofing Attacks
3.2.3 Checking the Configuration

3.2.1 Establishing the Configuration Task


Applicable Environment
In the IP spoofing attack, an attacker forges a packet carrying a valid source IP address to access a targeted system, or even control it. To defend the S-switch against IP spoofing attacks, you need to configure the defense against IP spoofing attacks on the S-switch.

Pre-configuration Tasks
Before configuring the defense against IP spoofing attacks, complete the following tasks:

- Create a VLAN and the corresponding VLANIF interface.
- Add the interface connecting the Extranet to the VLAN and assign an IP address to the VLANIF interface.

Data Preparation
To configure the defense against IP spoofing attacks, you need the following data.

No.  Data
1    ID of the VLAN that the interface joins

3.2.2 Configuring the Defense Against IP Spoofing Attacks


Context
Do as follows on the S-switch to be configured with the defense against IP spoofing attacks.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
vlan vlan-id

A VLAN is created and the view of the VLAN is displayed.

Step 3 Run:
quit

You return to the system view.

Step 4 Run:
firewall enable

The firewall is enabled.

Step 5 Run:
interface vlanif vlan-id

The VLANIF interface view is displayed.

Step 6 Run:
firewall defend enable

Attack defense is enabled.

Step 7 Run:
quit

You return to the system view.

Step 8 Run:
firewall defend ip-spoofing enable

The defense against IP spoofing attacks is enabled. By default, the defense against IP spoofing attacks is disabled.

After the defense against IP spoofing attacks is enabled on the S-switch, attack information is recorded when the S-switch suffers IP spoofing attacks and a log is output. The log displays the records maintained by the system within the last 30 seconds. The records include the source IP addresses of the attack packets, the start time of the attacks, the end time of the attacks, and the total number of attack packets. A maximum of 12 different IP addresses can be displayed; when there are more than 12 attack sources, "" is displayed.

----End
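The attack record log described above (per-source records for the last 30 seconds, at most 12 sources listed), as an added example rather than S-switch code; the timestamps, the rule that a record expires 30 s after its last packet, and the truncated flag that stands in for the elided overflow marker are assumptions.

```python
"""Rolling attack record log with the 30 s / 12-source limits (added illustration)."""

WINDOW_SECONDS = 30   # records kept for the last 30 seconds
MAX_SOURCES = 12      # at most 12 distinct source IP addresses displayed


class AttackLog:
    def __init__(self):
        self.records = {}  # source IP -> {"start": t, "end": t, "count": n}

    def record(self, src_ip, ts):
        """Account one attack packet from src_ip seen at time ts (seconds)."""
        rec = self.records.get(src_ip)
        if rec is None:
            self.records[src_ip] = {"start": ts, "end": ts, "count": 1}
        else:
            rec["end"] = max(rec["end"], ts)
            rec["count"] += 1

    def expire(self, now):
        """Drop sources whose last packet is older than the window (assumed policy)."""
        stale = [ip for ip, r in self.records.items() if now - r["end"] > WINDOW_SECONDS]
        for ip in stale:
            del self.records[ip]
        return len(stale)

    def report(self, now):
        """Snapshot for the log: oldest attacks first, capped at MAX_SOURCES;
        'truncated' is True when more sources exist than can be listed."""
        self.expire(now)
        ordered = sorted(self.records.items(), key=lambda kv: (kv[1]["start"], kv[0]))
        shown = [dict(src=ip, **r) for ip, r in ordered[:MAX_SOURCES]]
        return {"sources": shown,
                "truncated": len(ordered) > MAX_SOURCES,
                "total_packets": sum(r["count"] for _, r in ordered)}
```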

3.2.3 Checking the Configuration


Run the following command to check the previous configuration.

Action                                                       Command
Check the configuration of attack defense on the S-switch.   display firewall defend flag

Run the display firewall defend flag command on the S-switch. If ip-spoofing is displayed, it means that the defense against IP spoofing attacks is enabled.
<Quidway> display firewall defend flag
The attack defend flag is: ip-spoofing

3.3 Configuring the Defense Against Land Attacks


This section describes how to configure the defense against Land attacks.
3.3.1 Establishing the Configuration Task
3.3.2 Configuring the Defense Against Land Attacks
3.3.3 Checking the Configuration

3.3.1 Establishing the Configuration Task


Applicable Environment
To protect the S-switch against Land attacks, you need to configure the defense against Land attacks on the S-switch.

Pre-configuration Tasks
Before configuring the defense against Land attacks, complete the following tasks:

- Create a VLAN and the corresponding VLANIF interface.
- Add the interface to the VLAN and assign an IP address to the VLANIF interface.

Data Preparation
To configure the defense against Land attacks, you need the following data.

No.  Data
1    ID of the VLAN to which the interface belongs

3.3.2 Configuring the Defense Against Land Attacks


Context
Do as follows on the S-switch to be configured with the defense against Land attacks.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
vlan vlan-id

A VLAN is created and the view of the VLAN is displayed.

Step 3 Run:
quit

You return to the system view.


Step 4 Run:
firewall enable

The firewall is enabled.

Step 5 Run:
interface vlanif vlan-id

The VLANIF interface view is displayed.

Step 6 Run:
firewall defend enable

Attack defense is enabled.

Step 7 Run:
quit

You return to the system view.

Step 8 Run:
firewall defend land enable

The defense against Land attacks is enabled. By default, the defense against Land attacks is disabled.

----End

3.3.3 Checking the Configuration


Run the following command to check the previous configuration.

Action                                                       Command
Check the configuration of attack defense on the S-switch.   display firewall defend flag

Run the display firewall defend flag command on the S-switch. If land is displayed, it means that the defense against Land attacks is enabled.
<Quidway> display firewall defend flag
The attack defend flag is: land

3.4 Configuring the Defense Against Smurf Attacks


This section describes how to configure the defense against Smurf attacks.

3.4.1 Establishing the Configuration Task
3.4.2 Configuring the Defense Against Smurf Attacks
3.4.3 Checking the Configuration
3.4.1 Establishing the Configuration Task


Applicable Environment
To protect the S-switch against Smurf attacks, you need to configure the defense against Smurf attacks on the S-switch.

Pre-configuration Tasks
Before configuring the defense against Smurf attacks, complete the following tasks:

- Create a VLAN and the corresponding VLANIF interface.
- Add the interface to the VLAN and assign an IP address to the VLANIF interface.

Data Preparation
To configure the defense against Smurf attacks, you need the following data.

No.  Data
1    ID of the VLAN to which the interface belongs

3.4.2 Configuring the Defense Against Smurf Attacks


Context
Do as follows on the S-switch to be configured with the defense against Smurf attacks.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
vlan vlan-id

A VLAN is created and the view of the VLAN is displayed.

Step 3 Run:
quit

You return to the system view.

Step 4 Run:
firewall enable

The firewall is enabled.

Step 5 Run:
interface vlanif vlan-id

The VLANIF interface view is displayed.

Step 6 Run:
firewall defend enable

Attack defense is enabled.

Step 7 Run:
quit

You return to the system view.

Step 8 Run:
firewall defend smurf enable

The defense against Smurf attacks is enabled. By default, the defense against Smurf attacks is disabled.

----End

3.4.3 Checking the Configuration


Run the following command to check the previous configuration.

Action                                                       Command
Check the configuration of attack defense on the S-switch.   display firewall defend flag

Run the display firewall defend flag command on the S-switch. If smurf is displayed, it means that the defense against Smurf attacks is enabled.
<Quidway> display firewall defend flag
The attack defend flag is: smurf

3.5 Configuring the Defense Against SYN Flood Attacks


This section describes how to configure the defense against SYN flood attacks.

3.5.1 Establishing the Configuration Task
3.5.2 Example for Configuring the Defense Against SYN Flood Attacks
3.5.3 Checking the Configuration

3.5.1 Establishing the Configuration Task


Applicable Environment
To protect the S-switch against SYN flood attacks, you need to configure the defense against SYN flood attacks on the S-switch.
Pre-configuration Tasks
Before configuring the defense against SYN flood attacks, complete the following tasks:

- Create a VLAN and the corresponding VLANIF interface.
- Add the interface to the VLAN and assign an IP address to the VLANIF interface.

Data Preparation
To configure the defense against SYN flood attacks, you need the following data.

No.  Data
1    ID of the VLAN to which the interface belongs
2    IP address of a device to be protected
3    (Optional) Maximum rate of SYN packets

3.5.2 Example for Configuring the Defense Against SYN Flood Attacks
Context
Do as follows on the S-switch to be configured with the defense against SYN flood attacks.

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the vlan vlan-id command to create a VLAN and enter the view of the VLAN.
Step 3 Run the quit command to return to the system view.
Step 4 Run the firewall enable command to enable the firewall.
Step 5 Run the firewall defend syn-flood enable command to enable the defense against SYN flood attacks. By default, the defense against SYN flood attacks is disabled.
Step 6 Run the interface vlanif vlan-id command to enter the VLANIF interface view.
Step 7 Run the firewall defend enable command to enable attack defense.
Step 8 Run the quit command to return to the system view.
Step 9 (Optional) Run the firewall defend syn-flood ip ip-address [ max-rate rate-number ] command to specify the IP address of a device to be protected from SYN flood attacks and the relevant parameters.

----End
3.5.3 Checking the Configuration


Run the following command to check the previous configuration.

Action                                                       Command
Check the configuration of attack defense on the S-switch.   display firewall defend flag

Run the display firewall defend flag command on the S-switch. If syn-flood is displayed, it means that the defense against SYN flood attacks is enabled.
<Quidway> display firewall defend flag
The attack defend flag is: syn-flood

3.6 Configuring the Defense Against ICMP Flood Attacks


This section describes how to configure the defense against ICMP flood attacks.

3.6.1 Establishing the Configuration Task
3.6.2 Configuring the Defense Against ICMP Flood Attacks
3.6.3 Checking the Configuration

3.6.1 Establishing the Configuration Task


Applicable Environment
To protect the S-switch against ICMP flood attacks, you need to configure the defense against ICMP flood attacks on the S-switch.

Pre-configuration Tasks
Before configuring the defense against ICMP flood attacks, complete the following tasks:

- Create a VLAN and the corresponding VLANIF interface.
- Add the interface to the VLAN and assign an IP address to the VLANIF interface.

Data Preparation
To configure the defense against ICMP flood attacks, you need the following data.

No.  Data
1    ID of the VLAN to which the interface belongs
2    IP address of a device to be protected
3    (Optional) Maximum rate of ICMP packets

3.6.2 Configuring the Defense Against ICMP Flood Attacks


Context
Do as follows on the S-switch to be configured with the defense against ICMP flood attacks.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
vlan vlan-id

A VLAN is created and the view of the VLAN is displayed.

Step 3 Run:
quit

You return to the system view.

Step 4 Run:
firewall enable

The firewall is enabled.

Step 5 Run:
interface vlanif vlan-id

The VLANIF interface view is displayed.

Step 6 Run:
firewall defend enable

Attack defense is enabled.

Step 7 Run:
quit

You return to the system view.

Step 8 Run:
firewall defend icmp-flood enable

The global defense against ICMP flood attacks is enabled. By default, the defense against ICMP flood attacks is disabled.

Step 9 (Optional) Run:
firewall defend icmp-flood ip ip-address [ max-rate rate-number ]

The relevant parameters are specified for the device with the specified IP address to be protected from ICMP flood attacks.

----End
3.6.3 Checking the Configuration


Run the following command to check the previous configuration.

Action                                                       Command
Check the configuration of attack defense on the S-switch.   display firewall defend flag

Run the display firewall defend flag command on the S-switch. If icmp-flood is displayed, it means that the defense against ICMP flood attacks is enabled.
<Quidway> display firewall defend flag
The attack defend flag is: icmp-flood

3.7 Configuring the Defense Against Ping of Death Attacks


This section describes how to configure the defense against Ping of Death attacks.

3.7.1 Establishing the Configuration Task
3.7.2 Configuring the Defense Against Ping of Death Attacks
3.7.3 Checking the Configuration

3.7.1 Establishing the Configuration Task


Applicable Environment
To protect the S-switch against attacks of oversized ICMP packets, you need to configure the defense against Ping of Death attacks on the S-switch.

Pre-configuration Tasks
Before configuring the defense against Ping of Death attacks, complete the following tasks:

- Create a VLAN and the corresponding VLANIF interface.
- Add the interface to the VLAN and assign an IP address to the VLANIF interface.

Data Preparation
To configure the defense against Ping of Death attacks, you need the following data.

No.  Data
1    ID of the VLAN to which the interface belongs

3.7.2 Configuring the Defense Against Ping of Death Attacks


Context
Do as follows on the S-switch to be configured with the defense against Ping of Death attacks.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
vlan vlan-id

A VLAN is created and the view of the VLAN is displayed.

Step 3 Run:
quit

You return to the system view.

Step 4 Run:
firewall enable

The firewall is enabled.

Step 5 Run:
interface vlanif vlan-id

The VLANIF interface view is displayed.

Step 6 Run:
firewall defend enable

Attack defense is enabled.

Step 7 Run:
quit

You return to the system view.

Step 8 Run:
firewall defend ping-of-death enable

The defense against Ping of Death attacks is enabled. By default, the defense against Ping of Death attacks is disabled.

----End

3.7.3 Checking the Configuration


Run the following command to check the previous configuration.

Action: Check the configuration of attack defense on the S-switch.
Command: display firewall defend flag


Run the display firewall defend flag command on the S-switch. If ping-of-death is displayed, it means that the defense against Ping of Death attacks is enabled.
<Quidway> display firewall defend flag
The attack defend flag is: ping-of-death

3.8 Configuring the Defense Against Teardrop Attacks


This section describes how to configure the defense against Teardrop attacks.

3.8.1 Establishing the Configuration Task
3.8.2 Configuring the Defense Against Teardrop Attacks
3.8.3 Checking the Configuration

3.8.1 Establishing the Configuration Task


Applicable Environment
To protect the S-switch against attacks of forged fragmented IP packets, you need to configure the defense against Teardrop attacks on the S-switch.

Pre-configuration Tasks
Before configuring the defense against Teardrop attacks, complete the following tasks:
- Create a VLAN and the corresponding VLANIF interface.
- Add the interface to the VLAN and assign an IP address to the VLANIF interface.

Data Preparation
To configure the defense against Teardrop attacks, you need the following data.

No.  Data
1    ID of the VLAN to which the interface belongs

3.8.2 Configuring the Defense Against Teardrop Attacks


Context
Do as follows on the S-switch to be configured with the defense against Teardrop attacks.

Procedure
Step 1 Run:
system-view


The system view is displayed.

Step 2 Run:
vlan vlan-id

A VLAN is created and the VLAN view is displayed.

Step 3 Run:
quit

The system view is displayed again.

Step 4 Run:
firewall enable

The firewall is enabled.

Step 5 Run:
interface vlanif vlan-id

The VLANIF interface view is displayed.

Step 6 Run:
firewall defend enable

Attack defense is enabled on the VLANIF interface.

Step 7 Run:
quit

The system view is displayed again.

Step 8 Run:
firewall defend teardrop enable

The defense against Teardrop attacks is enabled. By default, the defense against Teardrop attacks is disabled.

----End
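The two defenses configured in 3.7 and 3.8 both act on IP fragments: the Ping of Death defense drops fragments whose reassembled datagram would exceed 65535 bytes, and the Teardrop defense drops fragments whose byte ranges overlap fragments already seen for the same datagram. The following Python is added here as an illustration of that check; it is not Huawei code and not taken from this guide. The Fragment and FragmentGuard names and the sample fragments are constructed for the example, and the 20-byte header allowance is an assumption.

```python
# Added example: fragment sanity checks of the kind the Ping of Death and
# Teardrop defenses perform. Not Huawei code; Fragment/FragmentGuard are
# names chosen for this illustration.
from dataclasses import dataclass
from typing import Dict, List, Tuple

IPV4_MAX_LEN = 65535     # largest datagram the 16-bit total length field allows
IPV4_HEADER_LEN = 20     # minimum IPv4 header, assumed for the reassembled datagram


@dataclass(frozen=True)
class Fragment:
    ident: int        # IP identification field, shared by all fragments of one datagram
    offset: int       # fragment offset in 8-byte units, as carried in the header
    more: bool        # MF (more fragments) flag
    payload_len: int  # payload bytes carried by this fragment


def is_ping_of_death(frag: Fragment) -> bool:
    """Oversized datagram: header + offset*8 + payload exceeds 65535 bytes."""
    return IPV4_HEADER_LEN + frag.offset * 8 + frag.payload_len > IPV4_MAX_LEN


def overlaps(seen: List[Tuple[int, int]], start: int, end: int) -> bool:
    """Teardrop: the new byte range [start, end) intersects a fragment already seen."""
    return any(start < s_end and s_start < end for s_start, s_end in seen)


class FragmentGuard:
    """Tracks the byte ranges seen per datagram id and rejects malformed fragments."""

    def __init__(self) -> None:
        self._seen: Dict[int, List[Tuple[int, int]]] = {}

    def accept(self, frag: Fragment) -> Tuple[bool, str]:
        """Return (forward?, reason). Reasons mirror the defend flag names."""
        if is_ping_of_death(frag):
            return False, "ping-of-death"
        start = frag.offset * 8
        end = start + frag.payload_len
        ranges = self._seen.setdefault(frag.ident, [])
        if overlaps(ranges, start, end):
            return False, "teardrop"
        ranges.append((start, end))
        # A real reassembler also ages out incomplete datagrams; omitted here.
        return True, "ok"


def run_samples() -> dict:
    """Constructed fragments (not captured traffic) exercising each verdict."""
    guard = FragmentGuard()
    # Two well-formed fragments of a 2000-byte payload: offsets 0 and 185 (1480/8).
    normal = [Fragment(1, 0, True, 1480), Fragment(1, 185, False, 520)]
    # Offset 8189*8 = 65512 plus 1500 bytes of payload overruns the 65535 limit.
    oversized = Fragment(2, 8189, False, 1500)
    # Second fragment starts at byte 800, inside the first fragment's 0..1480 range.
    teardrop = [Fragment(3, 0, True, 1480), Fragment(3, 100, False, 1480)]
    return {
        "normal": [guard.accept(f) for f in normal],
        "ping_of_death": guard.accept(oversized),
        "teardrop": [guard.accept(f) for f in teardrop],
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
```

The offset arithmetic is the whole point: a fragment is judged on where it would land in the reassembled datagram, not on its own size, which is why a 1500-byte fragment can still be an oversized-datagram attack and a small one can still overlap.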

3.8.3 Checking the Configuration


Run the following command to check the previous configuration.

Action: Check the configuration of attack defense on the S-switch.
Command: display firewall defend flag

Run the display firewall defend flag command on the S-switch. If teardrop is displayed, it means that the defense against Teardrop attacks is enabled.
<Quidway> display firewall defend flag
The attack defend flag is: teardrop


3.9 Debugging Attack Defense


This section describes how to debug attack defense.

CAUTION
Enabling the debugging affects the system performance. So, after debugging, run the undo debugging all command to disable it at once.

When a fault occurs, run the following debugging command in the user view to locate the fault.

Action: Enable the debugging of attack defense.
Command: debugging firewall defend { all | ip-spoofing | land | smurf | syn-flood | icmp-flood | ping-of-death | tear-drop }

3.10 Configuration Examples


This section provides several configuration examples of attack defense.

3.10.1 Example for Configuring the Defense Against Land Attacks
3.10.2 Example for Configuring the Defense Against SYN Flood Attacks

3.10.1 Example for Configuring the Defense Against Land Attacks


Networking Requirements
As shown in Figure 3-1, on the S-switch, GigabitEthernet0/0/1 is connected to an Intranet and GigabitEthernet0/0/2 is connected to the Internet. It is required that GigabitEthernet0/0/2 be enabled with the defense against Land attacks.

Figure 3-1 Networking for configuring the defense against Land attacks


Configuration Roadmap
The configuration roadmap is as follows:
1. Add GigabitEthernet0/0/2 to a VLAN and assign an IP address to the VLANIF interface.
2. Enable the defense against Land attacks on the S-switch.

Data Preparation
To complete the configuration, you need the following data:
- Numbers of the interfaces on the S-switch
- ID of the VLAN to which GigabitEthernet0/0/2 is added and the IP address of the VLANIF interface

Configuration Procedure
1. Enable the global attack defense on the S-switch.

<Quidway> system-view
[Quidway] firewall enable
[Quidway] vlan 2
[Quidway-vlan2] port gigabitethernet 0/0/2
[Quidway-vlan2] quit
[Quidway] interface vlanif 2
[Quidway-Vlanif2] ip address 192.168.0.1 24
[Quidway-Vlanif2] firewall defend enable
[Quidway-Vlanif2] quit

2. Enable the defense against Land attacks on the S-switch.

[Quidway] firewall defend land enable

3. Verify the configuration. Run the display firewall defend flag command on the S-switch, and you can view that the defense against Land attacks is enabled.

[Quidway] display firewall defend flag
The attack defend flag is: land

Configuration Files

- The following lists the configuration file of the S-switch.

sysname Quidway
#
firewall enable
#
vlan batch 1 2
#
firewall defend land enable
#
interface Vlanif2
 ip address 192.168.0.1 255.255.255.0
 firewall defend enable
#
interface GigabitEthernet0/0/2
 port default vlan 2
.........
#
return


3.10.2 Example for Configuring the Defense Against SYN Flood Attacks

Networking Requirements
As shown in Figure 3-2, on the S-switch, GE 0/0/1 is connected to an Intranet and GE 0/0/2 is connected to the Internet. It is required that the defense against SYN flood attacks be enabled on the S-switch to protect the device at 192.168.1.3.

Figure 3-2 Networking for configuring the defense against SYN flood attacks

Configuration Roadmap
The configuration roadmap is as follows:
1. Add GE 0/0/1 and GE 0/0/2 to VLANs respectively and assign an IP address to each VLANIF interface.
2. Enable the defense function on the VLANIF interfaces corresponding to GigabitEthernet 0/0/1 and GigabitEthernet 0/0/2 respectively.
3. Configure the defense against SYN flood attacks on the S-switch to protect the device at 192.168.1.3.

Data Preparation
To complete the configuration, you need the following data:
- Numbers of the interfaces on the S-switch
- IDs of the VLANs to which GE 0/0/1 and GE 0/0/2 are respectively added and the IP addresses of the VLANIF interfaces
- IP address of the device to be protected
- Maximum rate of SYN packets
- Maximum number of half-open connections

Configuration Procedure
1. Add GE 0/0/1 to VLAN 30 and assign an IP address to VLANIF 30.

<Quidway> system-view
[Quidway] firewall enable
[Quidway] vlan 30
[Quidway-vlan30] port gigabitethernet 0/0/1
[Quidway-vlan30] quit
[Quidway] interface vlanif 30
[Quidway-Vlanif30] ip address 192.168.1.0 24
[Quidway-Vlanif30] firewall defend enable
[Quidway-Vlanif30] quit

2. Add GE 0/0/2 to VLAN 40 and assign an IP address to VLANIF 40.

[Quidway] vlan 40
[Quidway-vlan40] port gigabitethernet 0/0/2
[Quidway-vlan40] quit
[Quidway] interface vlanif 40
[Quidway-Vlanif40] ip address 202.1.0.0 16
[Quidway-Vlanif40] firewall defend enable
[Quidway-Vlanif40] quit

3. Enable the global defense against SYN flood attacks.

[Quidway] firewall defend syn-flood enable

4. Configure the defense against SYN flood attacks. Set the maximum rate of SYN packets to 500 packets per second.

[Quidway] firewall defend syn-flood ip 192.168.1.3 max-rate 500

5. Verify the configuration. Run the display firewall defend flag command on the S-switch, and you can view that the defense against SYN flood attacks is enabled.

<Quidway> display firewall defend flag
The attack defend flag is: syn-flood

Configuration Files

- The following lists the configuration file of the S-switch.

sysname Quidway
#
firewall enable
#
vlan batch 1 30 40
#
firewall defend syn-flood enable
firewall defend syn-flood ip 192.168.1.3 max-rate 500
#
interface Vlanif30
 ip address 192.168.1.0 255.255.255.0
 firewall defend enable
#
interface Vlanif40
 ip address 202.1.0.0 255.255.0.0
 firewall defend enable
#
interface GigabitEthernet0/0/1
 port default vlan 30
#
interface GigabitEthernet0/0/2
 port default vlan 40
......
#
return
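The following Python is an added illustration, not part of this guide or of Huawei's implementation, of how the two flags configured in 3.10.1 and 3.10.2 act on traffic: the Land check drops a packet whose source and destination addresses are equal, and the SYN flood limit counts SYN segments addressed to a protected host over a sliding one-second window and drops whatever exceeds max-rate. The DefendFlags class, its method names and the packet dictionaries are assumptions constructed here; the protected address 192.168.1.3 and the rate of 500 packets per second come from the example above.

```python
# Added example: Land and SYN flood checks modelled on the firewall defend
# flags configured in 3.10.1 and 3.10.2. Not Huawei code; DefendFlags and the
# packet dictionaries are constructed for this illustration.
from collections import defaultdict, deque
from typing import Deque, Dict


class DefendFlags:
    """Per-packet verdicts for the land and syn-flood defenses."""

    def __init__(self, land: bool = False, syn_flood: bool = False) -> None:
        self.land = land
        self.syn_flood = syn_flood
        self.syn_limits: Dict[str, int] = {}                           # protected IP -> max SYN/s
        self._syn_times: Dict[str, Deque[float]] = defaultdict(deque)  # protected IP -> recent SYN times

    def protect(self, ip: str, max_rate: int) -> None:
        """Counterpart of 'firewall defend syn-flood ip <ip> max-rate <n>'."""
        self.syn_limits[ip] = max_rate

    def check(self, pkt: dict, now: float) -> str:
        """Return 'forward' or the name of the defense that dropped the packet."""
        # Land: source and destination address are identical.
        if self.land and pkt["src"] == pkt["dst"]:
            return "land"
        # SYN flood: too many SYNs to a protected address within the last second.
        if self.syn_flood and pkt.get("proto") == "tcp" and pkt.get("flags") == "SYN":
            limit = self.syn_limits.get(pkt["dst"])
            if limit is not None:
                window = self._syn_times[pkt["dst"]]
                while window and now - window[0] >= 1.0:
                    window.popleft()          # slide the one-second window
                if len(window) >= limit:
                    return "syn-flood"
                window.append(now)
        return "forward"


def run_samples() -> dict:
    """Constructed packets (not captured traffic) against the example's settings."""
    fw = DefendFlags(land=True, syn_flood=True)
    fw.protect("192.168.1.3", max_rate=500)
    land_pkt = {"src": "192.168.1.3", "dst": "192.168.1.3", "proto": "tcp", "flags": "SYN"}
    syn = {"src": "202.1.0.9", "dst": "192.168.1.3", "proto": "tcp", "flags": "SYN"}
    other = {"src": "202.1.0.9", "dst": "192.168.1.4", "proto": "tcp", "flags": "SYN"}
    out = {"land": fw.check(land_pkt, 0.0)}
    # 600 SYNs to the protected host within 0.6 s: 500 pass, 100 are dropped.
    verdicts = [fw.check(syn, i / 1000.0) for i in range(600)]
    out["syn_forwarded"] = verdicts.count("forward")
    out["syn_dropped"] = verdicts.count("syn-flood")
    out["unprotected_host"] = fw.check(other, 0.5)      # no limit configured for .4
    out["after_window"] = fw.check(syn, 2.0)            # window drained, SYNs accepted again
    return out


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
```

Note that the limit is keyed on the protected destination only, as the command syntax above is; hosts without a configured limit are not rate-limited, which is why the data preparation list asks for the address of the device to be protected.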


4 DHCP Snooping Configuration

About This Chapter

This chapter describes the implementation and configuration procedures of DHCP snooping on the S-switch.

4.1 Overview of DHCP snooping
This section describes the concept and types of DHCP snooping.

4.2 Preventing the Bogus DHCP Server Attack
This section describes how to prevent the bogus DHCP server attack through the S-switch.

4.3 Preventing the Middleman Attack and IP/MAC Spoofing Attack
This section describes how to prevent the middleman attack and IP/MAC spoofing attack through the S-switch.

4.4 Preventing the DoS Attack by Changing the CHADDR Field
This section describes how to prevent the DoS attack by changing the CHADDR field.

4.5 Preventing the Attacker from Sending Bogus Messages for Extending IP Address Leases
This section describes how to prevent the attacker from sending bogus messages for extending IP address leases.

4.6 Configuring the Packet Discarding Alarm
This section describes how to configure the packet discarding alarm.

4.7 Configuring the DHCP Option 82 String
This section describes how to configure the DHCP Option 82 string.

4.8 Maintaining DHCP Snooping
This section describes how to maintain DHCP snooping.

4.9 Configuration Examples
This section provides several examples for configuring DHCP snooping.


4.1 Overview of DHCP snooping


This section describes the concept and types of DHCP snooping.

4.1.1 Introduction to DHCP Snooping
4.1.2 DHCP Snooping Supported by the S-switch
4.1.3 Logical Relationships Between Configuration Tasks

4.1.1 Introduction to DHCP Snooping


Dynamic Host Configuration Protocol (DHCP) snooping intercepts and analyzes DHCP messages transmitted between the DHCP client and the DHCP server or relay agent. In this manner, DHCP snooping creates and maintains a DHCP snooping binding table, and filters untrusted DHCP messages according to the table. The binding table contains the MAC address, IP address, lease, binding type, VLAN ID, and interface information.

DHCP snooping acts as a firewall between DHCP clients and a DHCP server. DHCP snooping prevents DHCP Denial of Service (DoS) attacks, bogus DHCP server attacks, and middleman and IP/MAC spoofing attacks when DHCP is enabled on the device.

The S-switch supports security features such as the MAC address limit, the DHCP snooping binding table, binding of the IP address and MAC address, and Option 82. In this manner, the security of the device enabled with DHCP is ensured.

4.1.2 DHCP Snooping Supported by the S-switch


The S-switch supports the following DHCP snooping features:
- MAC address limit
- Configuring the trusted/untrusted interfaces
- Checking the CHADDR field in DHCP messages
- DHCP snooping binding table

Figure 4-1 shows the DHCP snooping application on the S-switch where DHCP snooping is enabled.


Figure 4-1 Networking for the DHCP snooping application on the S-switch

As shown in Figure 4-1, the S-switch enabled with DHCP snooping is deployed between the DHCP client and the DHCP relay agent. The S-switch forwards DHCP reply messages received from a trusted interface but discards DHCP reply messages received from an untrusted interface. The DHCP snooping binding table is then generated on the basis of the DHCP reply messages received from the trusted interface. IP packets and ARP packets received from the untrusted interface are forwarded only when there are matching entries in the binding table; otherwise, they are discarded.

When DHCP snooping is configured for a VLAN of the S-switch, the S-switch checks packets coming from the VLAN. The working mode of DHCP snooping varies according to the type of attack, as shown in Table 4-1.

Table 4-1 Attack types and DHCP snooping working modes

Type of Attacks                                               DHCP Snooping Working Mode
DHCP exhaustion attack                                        MAC address limit
Bogus DHCP server attack                                      Configuring an interface as trusted or untrusted
Middleman attack and IP/MAC spoofing attack                   Checking whether the IP packets or ARP packets have matching entries in the DHCP snooping binding table
DoS attack by changing the value of the CHADDR field          Checking the CHADDR field in DHCP messages
Attack of sending bogus messages to extend IP address leases  Checking whether the DHCP request messages have matching entries in the DHCP snooping binding table
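As an added illustration, not Huawei code, the following Python models the first three rows of Table 4-1 on a single switch: DHCP replies are accepted only from a trusted port, a binding entry is built from each accepted reply, IP and ARP frames from untrusted ports are forwarded only when they match an entry, and each untrusted port may learn at most a configured number of MAC addresses. The DhcpSnooping and Binding classes, the frame dictionaries and the port names are constructed for the example. It also records the client's inbound port from its request so that the binding carries interface information; how the S-switch learns that field is not described in this section, so that part is an assumption.

```python
# Added example: a minimal model of DHCP snooping state on an access switch,
# covering the first three rows of Table 4-1 (MAC address limit, trusted and
# untrusted interfaces, binding-table check of IP/ARP traffic). Not Huawei code;
# DhcpSnooping, Binding and the frame dictionaries are constructed here.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: Optional[str]   # inbound port of the client, learned from its request (assumption)
    lease: int


class DhcpSnooping:
    def __init__(self, mac_limit: int) -> None:
        self.mac_limit = mac_limit
        self.trusted: Set[str] = set()                       # ports facing the DHCP server/relay
        self.learned: Dict[str, Set[str]] = {}               # untrusted port -> source MACs seen
        self.pending: Dict[Tuple[int, str], str] = {}        # (vlan, client MAC) -> port of last request
        self.bindings: Dict[Tuple[int, str], Binding] = {}   # (vlan, IP) -> binding entry

    def trust(self, port: str) -> None:
        """Counterpart of 'dhcp snooping trusted interface ...' in the VLAN view."""
        self.trusted.add(port)

    def _mac_limit_ok(self, port: str, mac: str) -> bool:
        """MAC address limit: an untrusted port may learn at most mac_limit addresses."""
        macs = self.learned.setdefault(port, set())
        if mac in macs:
            return True
        if len(macs) >= self.mac_limit:
            return False
        macs.add(mac)
        return True

    def handle(self, frame: dict) -> str:
        port, vlan, kind = frame["port"], frame["vlan"], frame["kind"]
        trusted = port in self.trusted
        if not trusted and not self._mac_limit_ok(port, frame["src_mac"]):
            return "drop:mac-limit"
        if kind == "dhcp-request":
            # Remember where the client asked from so the reply can be bound to that port.
            self.pending[(vlan, frame["client_mac"])] = port
            return "forward"
        if kind == "dhcp-reply":
            if not trusted:
                return "drop:bogus-server"   # replies are accepted from trusted ports only
            client_port = self.pending.get((vlan, frame["client_mac"]))
            self.bindings[(vlan, frame["yiaddr"])] = Binding(
                frame["client_mac"], frame["yiaddr"], vlan, client_port, frame["lease"])
            return "forward"
        if kind in ("ip", "arp"):
            if trusted:
                return "forward"
            b = self.bindings.get((vlan, frame["src_ip"]))
            if b and b.mac == frame["src_mac"] and b.port == port:
                return "forward"
            return "drop:no-binding"
        return "drop:unknown"


def run_samples() -> dict:
    """Constructed frames (not captured traffic): GE0/0/2 is the trusted uplink."""
    sw = DhcpSnooping(mac_limit=2)
    sw.trust("GE0/0/2")
    client = "0011-2233-4455"
    rogue = "00de-adbe-ef00"
    out = {}
    out["request"] = sw.handle({"port": "GE0/0/1", "vlan": 10, "kind": "dhcp-request",
                                "src_mac": client, "client_mac": client})
    out["reply_trusted"] = sw.handle({"port": "GE0/0/2", "vlan": 10, "kind": "dhcp-reply",
                                      "src_mac": "00aa-bbcc-dd01", "client_mac": client,
                                      "yiaddr": "10.1.1.5", "lease": 3600})
    out["reply_untrusted"] = sw.handle({"port": "GE0/0/3", "vlan": 10, "kind": "dhcp-reply",
                                        "src_mac": rogue, "client_mac": client,
                                        "yiaddr": "10.9.9.9", "lease": 3600})
    out["ip_bound"] = sw.handle({"port": "GE0/0/1", "vlan": 10, "kind": "ip",
                                 "src_mac": client, "src_ip": "10.1.1.5"})
    out["arp_spoofed"] = sw.handle({"port": "GE0/0/3", "vlan": 10, "kind": "arp",
                                    "src_mac": rogue, "src_ip": "10.1.1.5"})
    # GE0/0/3 has learned one MAC; a second is allowed, a third exceeds the limit of 2.
    out["mac_limit"] = [sw.handle({"port": "GE0/0/3", "vlan": 10, "kind": "dhcp-request",
                                   "src_mac": m, "client_mac": m})
                        for m in ("00de-adbe-ef01", "00de-adbe-ef02")]
    out["binding_port"] = sw.bindings[(10, "10.1.1.5")].port
    return out
```

The binding check compares VLAN, IP address, MAC address and inbound port together, which is the set of fields the binding table carries; a frame that matches on IP alone but arrives with another MAC or on another port is dropped.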

4.1.3 Logical Relationships Between Configuration Tasks


The configuration tasks in this chapter are not listed in a required sequence. You can configure them as required.

4.2 Preventing the Bogus DHCP Server Attack


This section describes how to prevent the bogus DHCP server attack through the S-switch.

4.2.1 Establishing the Configuration Task
4.2.2 Enabling Global DHCP Snooping
4.2.3 Enabling Local DHCP Snooping
4.2.4 Configuring Trusted Interfaces
4.2.5 Checking the Configuration

4.2.1 Establishing the Configuration Task


Applicable Environment
As shown in Figure 4-2, a bogus DHCP server on the user network replies to the DHCP client with incorrect information, such as an incorrect gateway IP address, an incorrect DNS server, or an incorrect IP address for the client, so that the DHCP client cannot access the network.


Figure 4-2 Diagram of preventing the bogus DHCP server attack

To prevent the bogus DHCP server attack, you can configure DHCP snooping on the S-switch, and set the interface at the user side to be untrusted and the interface at the network side to be trusted. In this manner, DHCP reply messages received from the untrusted interface are discarded. Only DHCP reply messages received from the trusted interface are forwarded.

Pre-configuration Tasks
Before preventing the bogus DHCP server attack through the S-switch, complete the following tasks:
- Configuring the DHCP server
- Configuring the DHCP relay agent


NOTE
The DHCP server and the DHCP relay agent are configured on the upstream router or server of the S-switch.

Data Preparation
To prevent the bogus DHCP server attack through the S-switch, you need the following data.

No.  Data
1    Name of the interface to be added to a VLAN
2    ID of the VLAN to which the interfaces belong
3    Name of the interface to be configured as trusted

4.2.2 Enabling Global DHCP Snooping


Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp snooping enable

Global DHCP snooping is enabled. By default, DHCP snooping is disabled.

----End

4.2.3 Enabling Local DHCP Snooping


Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
vlan vlan-id

The VLAN view is displayed.

Step 3 Run:
dhcp snooping enable

DHCP snooping is enabled in the VLAN. By default, DHCP snooping is disabled.

----End

4.2.4 Configuring Trusted Interfaces


Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
vlan vlan-id

The VLAN view is displayed. The VLAN should be the one to which the interface connected to the DHCP server belongs.

Step 3 Run:
dhcp snooping trusted interface interface-type interface-number

The specified interface is configured as trusted in the VLAN.

----End

4.2.5 Checking the Configuration


Run the following commands to check the previous configuration.

Action: Check information about global DHCP snooping.
Command: display dhcp snooping global

Action: Check information about trusted interfaces.
Command: display this

Run the display dhcp snooping global command. You can view that global DHCP snooping is enabled.
<Quidway> display dhcp snooping global
dhcp snooping enable

Run the display this command in the VLAN view. You can check the information about trusted interfaces.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] display this
#
vlan 10
 dhcp snooping enable
 dhcp snooping trusted interface GigabitEthernet0/0/2
#
return

4.3 Preventing the Middleman Attack and IP/MAC Spoofing Attack


This section describes how to prevent the middleman attack and IP/MAC spoofing attack through the S-switch.

4.3.1 Establishing the Configuration Task
4.3.2 Enabling Global DHCP Snooping
4.3.3 Enabling Local DHCP Snooping
4.3.4 Enabling Packet Check
4.3.5 Configuring the DHCP Snooping Binding Table
4.3.6 Configuring Option 82
4.3.7 Configuring Security Protection on an Interface
4.3.8 Checking the Configuration

4.3.1 Establishing the Configuration Task


Applicable Environment
When a middleman attack or an IP/MAC spoofing attack occurs, the attacker pretends to be the DHCP server or the DHCP client to exchange data with the actual DHCP server and DHCP client.

As shown in Figure 4-3 and Figure 4-4, the middleman sends IP or ARP packets to the DHCP server. Thus, the DHCP server learns the IP address 10.1.1.3 of the DHCP client together with the MAC address 0000-005e-008b of the middleman. The DHCP server considers that all the packets are coming from or sent to the DHCP client. In fact, all the packets are processed by the middleman.

The middleman then sends IP or ARP packets to the DHCP client. Thus, the DHCP client learns the IP address 10.2.1.1 of the DHCP server together with the MAC address 0000-005e-008b of the middleman. In the same manner, the DHCP client considers that all the packets are coming from or sent to the DHCP server. In fact, all the packets are processed by the middleman.

As a result, the middleman can pretend to be the DHCP server or the DHCP client and obtain data exchanged between the DHCP server and the DHCP client.

Figure 4-3 Diagram of preventing the middleman attack and IP/MAC spoofing attack


Figure 4-4 Diagram of preventing the middleman attack and IP/MAC spoofing attack

To prevent the middleman attack and the IP/MAC spoofing attack, configure DHCP snooping on the S-switch and use the DHCP snooping binding table. Received packets are forwarded only when they match entries in the binding table; otherwise, the packets are discarded.

Pre-configuration Tasks
Before preventing the middleman attack and the IP/MAC spoofing attack through the S-switch, complete the following tasks:
- Configuring the DHCP server
- Configuring the DHCP relay agent


NOTE
The DHCP server and the DHCP relay agent are configured on the upstream router or server of the S-switch.

Data Preparation
To prevent the middleman attack and the IP/MAC spoofing attack through the S-switch, you need the following data.

No.  Data
1    Name of the interface to be added to a VLAN
2    ID of the VLAN to which the interfaces belong
3    Static IP addresses from which packets are forwarded


4.3.2 Enabling Global DHCP Snooping


Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp snooping enable

Global DHCP snooping is enabled. By default, DHCP snooping is disabled.

----End

4.3.3 Enabling Local DHCP Snooping


Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
vlan vlan-id

The VLAN view is displayed.

Step 3 Run:
dhcp snooping enable

DHCP snooping is enabled in the VLAN. By default, DHCP snooping is disabled.

----End

4.3.4 Enabling Packet Check


Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The GigabitEthernet interface view or Eth-Trunk interface view is displayed. The interface should be at the user side.

Step 3 Run:
dhcp snooping check arp enable alarm arp enable threshold

ARP packet check is enabled on the interface.

Step 4 Run:
dhcp snooping check ip enable alarm ip enable threshold

IP packet check is enabled on the interface.

Step 5 Run:
dhcp snooping check dhcp-chaddr enable alarm dhcp-chaddr enable threshold

Checking of the CHADDR field in DHCP messages is enabled on the interface.

Step 6 Run:
dhcp snooping check dhcp-request enable alarm dhcp-request enable threshold

Checking of DHCP request messages against the DHCP snooping binding table is enabled on the interface.

Step 7 Run:
dhcp snooping check dhcp-rate enable rate rate-value alarm dhcp-rate enable threshold

Checking the rate at which DHCP packets are sent to the DHCP protocol stack is enabled on the S-switch, and the rate is set. By default, the S-switch does not check the rate of sending DHCP packets to the DHCP protocol stack, and the default rate is 100 DHCP packets per second.

----End

4.3.5 Configuring the DHCP Snooping Binding Table


Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
vlan vlan-id

The VLAN view is displayed. The VLAN should be the one to which the interface at the user side belongs.

Step 3 Run:
dhcp snooping bind-table static ip-address ip-address mac-address mac-address interface interface-type interface-number

A static entry binding the IP address and MAC address is configured in the DHCP snooping table. The static binding table contains the MAC address, IP address, VLAN ID, and interface information. If users access the network through static IP addresses, user packets can be forwarded by the S-switch only after the MAC address, IP address, VLAN ID, and inbound interface of the packets match entries in the static binding table. Otherwise, user packets are discarded.

If users are assigned static IP addresses, you can configure static binding entries for these static IP addresses. If static entries are not configured in the DHCP snooping binding table, packets from all users with static IP addresses are discarded. All static users thus cannot access the DHCP server.

The dynamic entries in the DHCP snooping binding table require no configuration. They are automatically generated when DHCP snooping is enabled. The static entries, however, need to be configured through commands.

----End

4.3.6 Configuring Option 82


Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
vlan vlan-id

The VLAN view is displayed. The VLAN should be the one to which the interface at the user side belongs.

Step 3 Run:
dhcp option82 rebuild enable interface interface-type interface-number1 [ to interface-number2 ]

The Option 82 field is forcibly appended to the DHCP messages on a specified interface in the VLAN. By default, the Option 82 field is not forcibly appended.

The DHCP reply messages are broadcast packets. Thus, the S-switch cannot determine to which interface the packets are sent. As a result, dynamic binding entries do not include interfaces. To protect the S-switch against attacks with a forged Option 82 field, you can enable the S-switch to forcibly append the Option 82 field to DHCP messages. The Option 82 field is appended to DHCP discovery messages if the original DHCP discovery messages do not carry the Option 82 field. If the original DHCP discovery messages already carry an Option 82 field, the original Option 82 field is removed and a new one is appended.

----End

4.3.7 Configuring Security Protection on an Interface


Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
mac-address restrict

The S-switch is enabled to restrict MAC address learning and packet forwarding.

Step 3 Run:
mac-table limit interface-type interface-number limit-number

The limit on the number of MAC addresses that can be learnt by an interface is configured.

Step 4 Run:
interface interface-type interface-number

The interface view is displayed.

Step 5 Run:
port-security enable

Security protection is enabled on the interface. By default, the S-switch is disabled from restricting MAC address learning and packet forwarding. If the S-switch is not enabled to restrict MAC address learning and packet forwarding, you cannot enable security protection on interfaces.

----End

4.3.8 Checking the Configuration


Run the following commands to check the previous configuration.

Action: Check information about global DHCP snooping.
Command: display dhcp snooping global

Action: Check information about the DHCP snooping binding table.
Command: display dhcp snooping bind-table { all | dynamic | ip-address ip-address | mac-address mac-address | static | vlan vlan-id | interface interface-type interface-number }

Action: Check the Option 82 status.
Command: display dhcp option82 vlan vlan-id [ interface interface-type interface-number ]

Run the display dhcp snooping global command. You can view that global DHCP snooping is enabled.
<Quidway> display dhcp snooping global
dhcp snooping enable

Run the display dhcp snooping bind-table command. You can view the static entries generated in the DHCP snooping binding table.
<Quidway> display dhcp snooping bind-table ip-address 10.1.1.1
bind-table:
ifname    vrf  vsi  p/cvlan         mac-address      ip-address       tp  lease
-------------------------------------------------------------------------------
GE0/0/1             0000-0020/0000  003e-0001-0001   010.001.001.001  S   0
-------------------------------------------------------------------------------
binditem count: 1        binditem total count: 1

Run the display dhcp option82 command. You can view the Option 82 status.
<Quidway> display dhcp option82 vlan 20 interface gigabitethernet 0/0/1
dhcp option82 rebuild enable interface GigabitEthernet0/0/1

4.4 Preventing the DoS Attack by Changing the CHADDR Field


This section describes how to prevent the DoS attack by changing the CHADDR field.

4.4.1 Establishing the Configuration Task
4.4.2 Enabling Global DHCP Snooping
4.4.3 Enabling Local DHCP Snooping
4.4.4 Checking the CHADDR Field in DHCP Request Messages
4.4.5 Checking the Configuration

4.4.1 Establishing the Configuration Task


Applicable Environment
As shown in Figure 4-5, the attacker continuously applies for IP addresses in a DHCP domain through various MAC addresses until all IP addresses are exhausted. Thus, legal users cannot obtain IP addresses. To prevent the DHCP exhaustion attack, you can apply the MAC address limit, that is, limit the number of MAC addresses learned on interfaces. This protects the S-switch against attacks of sending a large number of DHCP request messages through various MAC addresses.

Figure 4-5 Networking diagram of preventing the DoS attack by changing the CHADDR field

The attacker may change the CHADDR field carried in a DHCP message instead of the source MAC address in the frame header to apply for IP addresses continuously. If the S-switch checks the validity of packets based only on the source MAC address in the frame header, such attack packets are still forwarded normally, and the MAC address limit does not take effect. To prevent the attacker from changing the CHADDR field, you can configure DHCP snooping on the S-switch to check the CHADDR field carried in DHCP request messages. If the CHADDR field matches the source MAC address in the frame header, the messages are forwarded. Otherwise, the messages are discarded.
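The CHADDR check described here and the Option 82 rebuild of 4.3.6 both operate on the DHCP payload rather than on the frame header. The following Python is an added illustration, not Huawei code: it builds DHCPDISCOVER messages in the RFC 2131 layout, compares the CHADDR field with the source MAC of the frame that carried the message, and replaces any client-supplied Option 82 with one the switch composes. The message builder, the circuit-id string and the sample MAC addresses are constructed for the example; the circuit-id does not follow the S-switch's own Option 82 format.

```python
# Added example: parsing a DHCP message to apply the CHADDR check of 4.4 and the
# Option 82 rebuild of 4.3.6. Not Huawei code; the message builder, the circuit-id
# format and the sample MAC addresses are constructed for this illustration.
import struct
from typing import List, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"   # options-field magic cookie (RFC 2132)
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
OPTIONS_START = 240                 # 236-byte fixed header + 4-byte cookie
CHADDR_OFFSET = 28                  # chaddr follows op..giaddr (RFC 2131 layout)


def build_discover(chaddr: bytes, extra_options: bytes = b"") -> bytes:
    """Constructed DHCPDISCOVER: BOOTREQUEST, Ethernet, hlen 6, broadcast flag set."""
    fixed = struct.pack("!BBBB4sHH4s4s4s4s", 1, 1, 6, 0, b"\x00\x00\x12\x34", 0, 0x8000,
                        bytes(4), bytes(4), bytes(4), bytes(4))
    msg_type = bytes([OPT_MSG_TYPE, 1, 1])            # DHCP message type = DISCOVER
    return (fixed + chaddr.ljust(16, b"\x00") + bytes(64) + bytes(128)
            + DHCP_MAGIC + msg_type + extra_options + bytes([OPT_END]))


def chaddr_of(msg: bytes) -> bytes:
    hlen = msg[2]
    return msg[CHADDR_OFFSET:CHADDR_OFFSET + hlen]


def chaddr_matches_frame(msg: bytes, frame_src_mac: bytes) -> bool:
    """CHADDR check: the client hardware address in the DHCP payload must equal
    the Ethernet source MAC of the frame that carried it."""
    return chaddr_of(msg) == frame_src_mac


def parse_options(msg: bytes) -> List[Tuple[int, bytes]]:
    if msg[OPTIONS_START - 4:OPTIONS_START] != DHCP_MAGIC:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = [], OPTIONS_START
    while i < len(msg):
        code = msg[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = msg[i + 1]
        opts.append((code, msg[i + 2:i + 2 + length]))
        i += 2 + length
    return opts


def serialize_options(opts: List[Tuple[int, bytes]]) -> bytes:
    return b"".join(bytes([code, len(val)]) + val for code, val in opts) + bytes([OPT_END])


def rebuild_option82(msg: bytes, circuit_id: bytes, remote_id: bytes) -> bytes:
    """Option 82 rebuild: discard any relay-agent option the client supplied and
    append the switch's own (sub-option 1 circuit-id, sub-option 2 remote-id)."""
    kept = [(c, v) for c, v in parse_options(msg) if c != OPT_RELAY_AGENT]
    sub = bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id
    kept.append((OPT_RELAY_AGENT, sub))
    return msg[:OPTIONS_START] + serialize_options(kept)


def run_samples() -> dict:
    """Constructed messages: an honest client and one whose CHADDR and Option 82 do not belong to it."""
    client_mac = bytes.fromhex("001122334455")
    honest = build_discover(client_mac)
    # CHADDR differs from the frame's source MAC and a client-supplied Option 82 is present.
    forged = build_discover(bytes.fromhex("66778899aabb"),
                            extra_options=bytes([OPT_RELAY_AGENT, 4, 1, 2, 0xDE, 0xAD]))
    circuit_id = b"GE0/0/1:vlan20"   # constructed circuit-id, not the S-switch's Option 82 format
    rebuilt = rebuild_option82(forged, circuit_id, client_mac)
    rebuilt_opts = parse_options(rebuilt)
    return {
        "honest_chaddr_ok": chaddr_matches_frame(honest, client_mac),
        "forged_chaddr_ok": chaddr_matches_frame(forged, client_mac),
        "option82_count": [c for c, _ in rebuilt_opts].count(OPT_RELAY_AGENT),
        "option82_is_switch": dict(rebuilt_opts)[OPT_RELAY_AGENT][2:2 + len(circuit_id)] == circuit_id,
        "message_type_kept": dict(rebuilt_opts)[OPT_MSG_TYPE] == b"\x01",
    }
```

Both checks need the payload to be parsed: the CHADDR comparison reads hlen and the 16-byte chaddr field at fixed offsets, while the Option 82 rebuild has to walk the variable-length option list so that the client's option is removed rather than merely shadowed by a second copy.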

Pre-configuration Tasks
Before preventing the DoS attack by changing the CHADDR field, complete the following tasks:
- Configuring the DHCP server
- Configuring the DHCP relay agent


NOTE
The DHCP server and the DHCP relay agent are configured on the upstream router or server of the S-switch.

Data Preparation
To prevent the DoS attack by changing the CHADDR field, you need the following data.

No.  Data
1    Name of the interface to be added to a VLAN
2    ID of the VLAN to which the interfaces belong

4.4.2 Enabling Global DHCP Snooping


Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp snooping enable

Global DHCP snooping is enabled. By default, DHCP snooping is disabled. All the other DHCP snooping configurations can be performed only after global DHCP snooping is enabled.

----End

4.4.3 Enabling Local DHCP Snooping


Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
vlan vlan-id

The VLAN view is displayed.

Step 3 Run:
dhcp snooping enable

DHCP snooping is enabled in the VLAN. By default, DHCP snooping is disabled.

----End

4.4.4 Checking the CHADDR Field in DHCP Request Messages


Context
Do as follows on the S-switch.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the interface interface-type interface-number command to enter the GigabitEthernet interface view, 10GE interface view, or Eth-Trunk interface view. The interface should be at the user side.

Step 3 Run the dhcp snooping check dhcp-chaddr enable alarm dhcp-chaddr enable threshold command to enable the interface to check the CHADDR field in DHCP request messages. By default, checking the CHADDR field is disabled.

----End

4.4.5 Checking the Configuration


Run the following commands to check the previous configuration.

Action                                                    Command
Check information about global DHCP snooping.             display dhcp snooping global
Check information about DHCP snooping on an interface.    display dhcp snooping interface interface-type interface-number

Run the display dhcp snooping global command. You can view that global DHCP snooping is enabled.
<Quidway> display dhcp snooping global
dhcp snooping enable

Run the display dhcp snooping interface command. You can view the DHCP snooping configuration on the interface.
<Quidway> display dhcp snooping interface gigabitethernet 0/0/1
dhcp snooping check dhcp-chaddr enable
arp total 0
ip total 0
dhcp-rate-drop total 0
dhcp-request total 0
chaddr&src mac total 0
dhcp-reply total 0


4.5 Preventing the Attacker from Sending Bogus Messages for Extending IP Address Leases

This section describes how to prevent the attacker from sending bogus messages for extending IP address leases.
4.5.1 Establishing the Configuration Task
4.5.2 Enabling Global DHCP Snooping
4.5.3 Enabling Local DHCP Snooping
4.5.4 Enabling the Checking of DHCP Request Messages
4.5.5 Configuring Option 82
4.5.6 Checking the Configuration

4.5.1 Establishing the Configuration Task


Applicable Environment
As shown in Figure 4-6, the attacker pretends to be a legal user and continuously sends DHCP request messages intending to extend the IP address lease. This prevents certain expired IP addresses from being reused, which is not the purpose of a legal user.

Figure 4-6 Networking diagram of preventing the attacker from sending bogus messages for extending IP address leases

To prevent the attacker from sending bogus messages to extend IP address leases, you can configure DHCP snooping on the S-switch to check the source IP address and source MAC address of DHCP request messages.
l If there are no entries that match the source IP address in the DHCP snooping binding table, the DHCP request messages are forwarded.
l If there are entries that match the source IP address but do not match the source MAC address, the DHCP request messages are discarded.
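The two request checks described on this page (the CHADDR-versus-source-MAC check of 4.4.1 and the binding-table check of 4.5.1), modelled as an added Python example that is not part of the guide or the S-switch software. The frame builder, the per-reason drop counters with an alarm threshold (the behaviour 4.6 configures), the port name and the verdict strings are assumptions of the example; the binding entries are the static ones from the 4.9.1 example.

```python
"""Model of the two DHCP request checks described in 4.4.1 and 4.5.1.

Constructed example, not S-switch code. Frames are untagged Ethernet /
IPv4 / UDP / BOOTP built inline; the binding table holds the static
entries from the 4.9.1 example.
"""
import struct

ETH_LEN, IP_LEN, UDP_LEN = 14, 20, 8
CHADDR_OFF = 28  # offset of chaddr within the BOOTP header


def mac_str(raw):
    """Render 6 bytes in the xxxx-xxxx-xxxx notation the guide uses."""
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def parse_dhcp_request(frame):
    """Return (src_mac, src_ip, chaddr) for a client-to-server DHCP frame
    (UDP 68 -> 67), or None for anything else."""
    if len(frame) < ETH_LEN + IP_LEN + UDP_LEN:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:  # not IPv4
        return None
    if frame[ETH_LEN + 9] != 17:  # not UDP
        return None
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    src_ip = ".".join(str(b) for b in frame[ETH_LEN + 12:ETH_LEN + 16])
    udp = ETH_LEN + ihl
    bootp = udp + UDP_LEN
    if len(frame) < bootp + CHADDR_OFF + 6:
        return None
    if struct.unpack_from("!HH", frame, udp) != (68, 67):
        return None
    chaddr = frame[bootp + CHADDR_OFF:bootp + CHADDR_OFF + 6]
    return mac_str(frame[6:12]), src_ip, mac_str(chaddr)


class SnoopingInterface:
    """Check state of one user-side port: enabled checks, drop counters per
    reason, and the alarm threshold per reason (the 4.6 alarm behaviour)."""

    def __init__(self, name, check_chaddr=True, check_request=True, thresholds=None):
        self.name = name
        self.check_chaddr = check_chaddr
        self.check_request = check_request
        self.thresholds = thresholds or {}  # assumed shape: {reason: count}
        self.dropped = {"dhcp-chaddr": 0, "dhcp-request": 0}
        self.alarms = []

    def _drop(self, reason):
        self.dropped[reason] += 1
        thr = self.thresholds.get(reason)
        if thr is not None and self.dropped[reason] == thr:
            self.alarms.append(f"{self.name}: {reason} drops reached threshold {thr}")
        return "discard"

    def filter(self, frame, bind_table):
        parsed = parse_dhcp_request(frame)
        if parsed is None:
            return "not-dhcp-request"
        src_mac, src_ip, chaddr = parsed
        # 4.4.1: CHADDR must equal the source MAC in the frame header.
        if self.check_chaddr and chaddr != src_mac:
            return self._drop("dhcp-chaddr")
        # 4.5.1: an IP that has a binding entry under another MAC is discarded;
        # an IP with no entry at all is forwarded.
        bound_mac = bind_table.get(src_ip)
        if self.check_request and bound_mac is not None and bound_mac != src_mac:
            return self._drop("dhcp-request")
        return "forward"


def build_request(src_mac, src_ip, chaddr):
    """Construct a minimal DHCP request frame (test input, not captured data)."""
    mac = bytes.fromhex(src_mac.replace("-", ""))
    ip = bytes(int(x) for x in src_ip.split("."))
    bootp = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x3903F326, 0, 0,
                        ip, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    # chaddr (16 bytes incl. padding) + sname (64) + file (128) + magic cookie
    bootp += bytes.fromhex(chaddr.replace("-", "")) + b"\0" * 202 + b"\x63\x82\x53\x63"
    udp = struct.pack("!HHHH", 68, 67, UDP_LEN + len(bootp), 0)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN + len(udp) + len(bootp),
                       0, 0, 64, 17, 0, ip, b"\xff" * 4)
    return b"\xff" * 6 + mac + b"\x08\x00" + ipv4 + udp + bootp


BIND_TABLE = {"10.1.1.2": "0000-005e-008b", "10.1.1.3": "0000-005e-008a"}


def run_demo():
    port = SnoopingInterface("GE0/0/1", thresholds={"dhcp-chaddr": 2})
    frames = [
        build_request("0000-005e-008b", "10.1.1.2", "0000-005e-008b"),  # legal renewal
        build_request("0000-005e-008b", "10.1.1.2", "0000-005e-00aa"),  # CHADDR != src MAC
        build_request("0000-005e-008b", "10.1.1.2", "0000-005e-00ab"),  # again: alarm fires
        build_request("0000-005e-00cc", "10.1.1.3", "0000-005e-00cc"),  # IP bound to other MAC
        build_request("0000-005e-00dd", "10.1.1.9", "0000-005e-00dd"),  # no entry: forwarded
    ]
    verdicts = [port.filter(f, BIND_TABLE) for f in frames]
    return verdicts, dict(port.dropped), list(port.alarms)
```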

Pre-configuration Tasks
Before preventing the attacker from sending bogus messages for extending IP address leases through the S-switch, complete the following tasks:
l Configuring the DHCP server
l Configuring the DHCP relay agent

NOTE

The DHCP server and the DHCP relay agent are configured on the upstream router or server of the S-switch.

Data Preparation
To prevent the attacker from sending bogus messages for extending IP address leases through the S-switch, you need the following data.

No.  Data
1    Name of the interface to be added to a VLAN
2    ID of the VLAN to which the interfaces belong
3    Static IP addresses from which packets are forwarded

4.5.2 Enabling Global DHCP Snooping


Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp snooping enable

Global DHCP snooping is enabled. By default, DHCP snooping is disabled. All the other DHCP snooping configurations can be performed only after global DHCP snooping is enabled.

----End

4.5.3 Enabling Local DHCP Snooping


Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
vlan vlan-id

The VLAN view is displayed.

Step 3 Run:
dhcp snooping enable

DHCP snooping is enabled in the VLAN. By default, DHCP snooping is disabled.

----End

4.5.4 Enabling the Checking of DHCP Request Messages


Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view (GigabitEthernet, 10GE, or Eth-Trunk interface view) is displayed. The interface should be at the user side.

Step 3 Run:
dhcp snooping check dhcp-request enable alarm dhcp-request enable threshold

The checking of DHCP request messages is enabled on the interface. By default, checking DHCP request messages is disabled.

----End

4.5.5 Configuring Option 82


Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
vlan vlan-id

The VLAN view is displayed. The VLAN should be the one to which the interface at the user side belongs.

Step 3 Run:
dhcp option82 rebuild enable interface interface-type interface-number1 [ to interface-number2 ]

The Option 82 field is forcibly appended to the DHCP messages on a specified interface in the VLAN. By default, the Option 82 field cannot be forcibly appended.

The DHCP reply messages are broadcast packets. Thus, the S-switch cannot determine to which interface the packets are sent. As a result, the related dynamic binding entries cannot be generated. To protect the S-switch against attacks with the forged Option 82 field, you can enable the S-switch to forcibly append the Option 82 field to DHCP messages. The Option 82 field is appended to DHCP discovery messages if the original DHCP discovery messages do not carry the Option 82 field. If the original DHCP discovery messages already carry the Option 82 field, the original Option 82 field is removed and a new one is appended.

----End

4.5.6 Checking the Configuration


Run the following commands to check the previous configuration.

Action                                                    Command
Check information about global DHCP snooping.             display dhcp snooping global
Check information about DHCP snooping on an interface.    display dhcp snooping interface interface-type interface-number
Check the Option 82 status.                               display dhcp option82 vlan vlan-id [ interface interface-type interface-number ]


Run the display dhcp snooping global command. You can view that global DHCP snooping is enabled.
<Quidway> display dhcp snooping global
dhcp snooping enable

Run the display dhcp snooping interface command. You can view the DHCP snooping configuration on the interface.
<Quidway> display dhcp snooping interface gigabitethernet 0/0/1
dhcp snooping check dhcp-request enable
arp total 0
ip total 0
dhcp-rate-drop total 0
dhcp-request total 0
chaddr&src mac total 0
dhcp-reply total 0

Run the display dhcp option82 command. You can view the Option 82 status.
<Quidway> display dhcp option82 vlan 20 interface gigabitethernet 0/0/1
dhcp option82 rebuild enable interface GigabitEthernet0/0/1

4.6 Configuring the Packet Discarding Alarm

This section describes how to configure the packet discarding alarm.
4.6.1 Establishing the Configuration Task
4.6.2 Configuring the Packet Discarding Alarm
4.6.3 Checking the Configuration

4.6.1 Establishing the Configuration Task


Applicable Environment
With DHCP snooping configured, the S-switch can discard packets sent from the attacker. Table 4-2 shows the relationship between the type of attacks and the type of discarded packets.

Table 4-2 Relationship between the type of attacks and the type of discarded packets

Type of Attacks                                               Type of Discarded Packets
Bogus attack                                                  DHCP reply messages received from untrusted interfaces
Middleman and IP/MAC spoofing attack                          IP packets or ARP packets that do not match entries in the DHCP snooping binding table
DoS attack by changing the CHADDR field                       DHCP request messages whose CHADDR field does not match the source MAC address in the frame header
Attack of sending bogus messages to extend IP address leases  DHCP request messages that do not match entries in the DHCP snooping binding table
Attack of sending DHCP request messages                       Messages exceeding the rate limit


After the packet discarding alarm is enabled, an alarm is generated when the number of discarded packets on the S-switch reaches the threshold.

Pre-configuration Tasks
Before configuring the packet discarding alarm, complete the following tasks:
l Configuring the DHCP server
l Configuring the DHCP relay agent
l Configuring the discarding of DHCP reply messages from the untrusted interface at the user side
l Configuring the checking of ARP packets, IP packets, and DHCP request messages
l Configuring the checking of the CHADDR field in DHCP request messages
l Configuring the checking of the rate of sending DHCP messages

NOTE

The DHCP server and the DHCP relay agent are configured on the upstream router or server of the S-switch.

Data Preparation
To configure the packet discarding alarm, you need the following data.

No.  Data
1    Alarm threshold for the number of discarded ARP packets
2    Alarm threshold for the number of discarded IP packets
3    Alarm threshold for the number of discarded DHCP CHADDR packets
4    Alarm threshold for the number of discarded DHCP reply messages
5    Alarm threshold for the number of discarded DHCP request messages

4.6.2 Configuring the Packet Discarding Alarm


Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number


The interface view is displayed.

Step 3 Run:
dhcp snooping check arp enable alarm arp enable threshold

The ARP packet discarding alarm is enabled on the interface, and the threshold that triggers the alarm is set.

Step 4 Run:
dhcp snooping check dhcp-chaddr enable alarm dhcp-chaddr enable threshold

The DHCP CHADDR packet discarding alarm is enabled on the interface, and the threshold that triggers the alarm is set.

Step 5 Run:
dhcp snooping alarm dhcp-reply enable threshold

The DHCP Reply packet discarding alarm is enabled on the interface, and the threshold that triggers the alarm is set.

Step 6 Run:
dhcp snooping check dhcp-request enable alarm dhcp-request enable threshold

The DHCP Request packet discarding alarm is enabled on the interface, and the threshold that triggers the alarm is set.

Step 7 Run:
dhcp snooping check ip enable alarm ip enable threshold

The IP packet discarding alarm is enabled on the interface, and the threshold that triggers the alarm is set.

Step 8 Run:
dhcp snooping check dhcp-rate enable rate alarm dhcp-rate enable threshold

The alarm is enabled for the rate of sending DHCP messages to the protocol stack, and the threshold that triggers the alarm is set.

----End

4.6.3 Checking the Configuration


Run the following commands to check the previous configuration.

Action                                                    Command
Check information about global DHCP snooping.             display dhcp snooping global
Check information about DHCP snooping on an interface.    display dhcp snooping interface interface-type interface-number

Run the display dhcp snooping global command. You can view that global DHCP snooping is enabled.
<Quidway> display dhcp snooping global
dhcp snooping enable


Run the display dhcp snooping interface command. You can view the DHCP snooping configuration on the interface.
<Quidway> display dhcp snooping interface gigabitethernet 0/0/1
dhcp snooping check arp enable
dhcp snooping alarm arp enable
dhcp snooping alarm arp threshold 50
arp total 0
ip total 0
dhcp-rate-drop total 0
dhcp-request total 0
chaddr&src mac total 0
dhcp-reply total 0

4.7 Configuring the DHCP Option 82 String

This section describes how to configure the DHCP Option 82 string.
4.7.1 Configuring the Storage Format of the Option 82 Field
4.7.2 Configuring the Circuit ID in the Option 82 Field in the System View
4.7.3 Configuring the Circuit ID of the Option 82 Field in the Interface View
4.7.4 Configuring the Remote ID in the Option 82 Field in the System View
4.7.5 Configuring the Remote ID of the Option 82 Field in the Interface View
4.7.6 Checking the Configuration

4.7.1 Configuring the Storage Format of the Option 82 Field


Context
Do as follows on the S-switch.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the dhcp snooping enable command to enable DHCP snooping on the S-switch. By default, DHCP snooping is disabled.

Step 3 Run the dhcp snooping information format { hex | ascii } command to configure the storage format of the Option 82 field. By default, the storage format for the Option 82 field is hex.

----End

4.7.2 Configuring the Circuit ID in the Option 82 Field in the System View
Context
Do as follows on the S-switch.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the dhcp snooping information circuit-id string string command to configure the circuit ID in the Option 82 field. By default, the circuit ID in the Option 82 field is the ID of the VLAN to which the interface receiving the DHCP client's request belongs.

----End

4.7.3 Configuring the Circuit ID of the Option 82 Field in the Interface View
Context
Do as follows on the S-switch.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the interface interface-type interface-number command to enter the GigabitEthernet interface view.

Step 3 Run the dhcp snooping information [ vlan vlan-id ] circuit-id string string command to configure the circuit ID in the Option 82 field. By default, the circuit ID in the Option 82 field is the bridge MAC address of the DHCP snooping device that receives the DHCP client's request.
NOTE

With vlan vlan-id specified, the customized circuit ID applies only to the DHCP packets from the specified VLAN. With no vlan vlan-id specified, the customized circuit ID applies to all DHCP packets that pass through the current interface.

----End

4.7.4 Configuring the Remote ID in the Option 82 Field in the System View
Context
Do as follows on the S-switch.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the dhcp snooping information remote-id { sysname | string string } command to configure the remote ID in the Option 82 field. By default, the remote ID in the Option 82 field is the bridge MAC address of the DHCP snooping device that receives the DHCP client's request.

NOTE

If you have configured the remote ID both in the interface view and in the system view, the remote ID configured in the interface view is applied. If no remote ID is configured in the interface view, the remote ID configured in the system view is applied.

----End

4.7.5 Configuring the Remote ID of the Option 82 Field in the Interface View
Context
Do as follows on the S-switch.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the interface interface-type interface-number command to enter the GigabitEthernet interface view.

Step 3 Run the dhcp snooping information [ vlan vlan-id ] remote-id string string command to configure the remote ID in the Option 82 field. By default, the remote ID in the Option 82 field is the bridge MAC address of the DHCP snooping device that receives the DHCP client's request.
NOTE

With vlan vlan-id specified, the customized remote ID applies only to the DHCP packets from the specified VLAN. With no vlan vlan-id specified, the customized remote ID applies to all DHCP packets that pass through the current interface.

----End
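The Option 82 rebuild of 4.5.5 (strip any Option 82 the client supplied, append the switch's own) together with the circuit-ID and remote-ID defaults and the hex/ascii storage formats of 4.7, as an added Python example that is not the guide's or the S-switch's code. The DHCP message body is constructed inline; the exact byte layout chosen for the hex and ascii formats and for the default VLAN-ID circuit ID is an assumption of the example, not a documented S-switch encoding.

```python
"""Option 82 handling modelled on 4.5.5 (rebuild) and 4.7 (circuit-id,
remote-id, hex/ascii storage). Constructed example, not S-switch code;
it operates on the DHCP message body (236-byte BOOTP header + options)."""
import struct

MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END, OPT_RELAY_AGENT = 0, 255, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def parse_options(body):
    """Return the option field as (code, value) pairs; PAD skipped, END stops."""
    if body[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = [], 240
    while i < len(body):
        code = body[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = body[i + 1]
        opts.append((code, body[i + 2:i + 2 + length]))
        i += 2 + length
    return opts


def encode_options(opts):
    return b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([OPT_END])


def option82_value(circuit_id, remote_id):
    """Two sub-options: 1 = circuit-id, 2 = remote-id."""
    return (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)


def default_ids(vlan_id, bridge_mac, fmt="hex"):
    """4.7 defaults: circuit-id is the VLAN the request arrived on, remote-id
    is the bridge MAC of the snooping device. The byte layout per format is
    an assumption of this example: hex = raw bytes, ascii = printable text."""
    if fmt == "hex":
        return struct.pack("!H", vlan_id), bytes.fromhex(bridge_mac.replace("-", ""))
    if fmt == "ascii":
        return str(vlan_id).encode(), bridge_mac.encode()
    raise ValueError(f"unknown format {fmt!r}")


def rebuild_option82(body, circuit_id, remote_id):
    """Drop any Option 82 the client supplied and append the switch's own,
    the behaviour 4.5.5 describes for 'dhcp option82 rebuild enable'."""
    opts = [(c, v) for c, v in parse_options(body) if c != OPT_RELAY_AGENT]
    opts.append((OPT_RELAY_AGENT, option82_value(circuit_id, remote_id)))
    return body[:240] + encode_options(opts)


def get_option82(body):
    """Return {sub-option: value} for Option 82, or None if it is absent."""
    for code, value in parse_options(body):
        if code == OPT_RELAY_AGENT:
            subs, i = {}, 0
            while i < len(value):
                sub, length = value[i], value[i + 1]
                subs[sub] = value[i + 2:i + 2 + length]
                i += 2 + length
            return subs
    return None


def run_demo(fmt="hex"):
    """Constructed DHCP Discover that already carries a client-supplied Option 82."""
    header = b"\x01\x01\x06" + b"\x00" * 233  # op=BOOTREQUEST, htype=1, hlen=6
    body = header + MAGIC + encode_options(
        [(53, b"\x01"), (OPT_RELAY_AGENT, option82_value(b"client-cid", b"client-rid"))])
    cid, rid = default_ids(100, "0000-005e-0001", fmt)  # VLAN 100, constructed bridge MAC
    rebuilt = rebuild_option82(body, cid, rid)
    return get_option82(body), get_option82(rebuilt), [c for c, _ in parse_options(rebuilt)]
```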

4.7.6 Checking the Configuration


Run the following commands in the user view to check the previous configuration.

Action                                                    Command
Check information about global DHCP snooping.             display dhcp snooping global
Check information about DHCP snooping on an interface.    display dhcp snooping interface

4.8 Maintaining DHCP Snooping

This section describes how to maintain DHCP snooping.
4.8.1 Backing Up the DHCP Snooping Binding Table
4.8.2 Debugging DHCP Snooping

4.8.1 Backing Up the DHCP Snooping Binding Table


To back up the DHCP snooping binding table, run the following command in the system view.

Action                                      Command
Back up the DHCP snooping binding table.    dhcp snooping bind-table autosave file-name

If the backup of the binding table is configured, the system automatically backs up the binding table to the specified path every 24 hours. If no backup of the binding table exists, the DHCP snooping dynamic binding table is lost after the S-switch reboots. As a result, users cannot obtain IP addresses dynamically from the DHCP server and so cannot communicate normally.

4.8.2 Debugging DHCP Snooping

CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging all command to disable it immediately.

When an operation fault occurs, run the following debugging command in the user view to display the debugging information and locate the fault.

Action                            Command
Enable DHCP snooping debugging.   debugging dhcp snooping

4.9 Configuration Examples

This section provides several examples for configuring DHCP snooping.
4.9.1 Example for Configuring DHCP Snooping to Prevent Attacks Against the Network

4.9.1 Example for Configuring DHCP Snooping to Prevent Attacks Against the Network
Networking Requirements
You can configure DHCP snooping to prevent the following network attacks:
l Bogus DHCP server attack


Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. Issue 02 (2009-08-14)

4-28

Quidway S5300 Series Ethernet Switches Configuration Guide - Security


l l l

4 DHCP Snooping Configuration

l Middleman and IP/MAC spoofing attack
l DoS attack by changing the value of the CHADDR field
l Attack of sending bogus messages to extend IP address leases

As shown in Figure 4-7, to prevent attacks against the network, you need to configure trusted/untrusted interfaces, enable packet check, set up a static binding table, and enable the sending of alarms to the NMS on the S-switch. Two DHCP clients access the network through the static IP addresses 10.1.1.2 and 10.1.1.3 respectively. It is required that a static DHCP snooping binding table be configured to ensure the forwarding of packets from the DHCP clients.

Figure 4-7 Networking for configuring DHCP snooping to prevent attacks against the network

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and in the VLAN view.
2. Set the interface at the network side to be trusted.

3. Enable packet check.
4. Configure a static binding table.
5. Configure Option 82 and create a binding table covering accurate interface information.
6. Configure the sending of alarms to the NMS.

Data Preparation
To complete the configuration, you need the following data:
l IDs of VLANs to which the interfaces belong
l Static IP addresses and MAC addresses assigned to users
l Threshold for sending alarms to the NMS

Configuration Procedure
The following describes how to configure the S-switch. For the configuration procedures for the other devices shown in Figure 4-7, refer to the related configuration guides.

1. Configure DHCP snooping on the S-switch.

# Enable global DHCP snooping.
[Quidway] dhcp snooping enable

# Configure the VLAN to which the interfaces at the user side belong.
[Quidway] vlan 100
[Quidway-vlan100] quit
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Quidway-GigabitEthernet0/0/2] quit

# Configure the VLAN to which the interface at the network side belong.
[Quidway] interface gigabitethernet 0/0/3
[Quidway-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Quidway-GigabitEthernet0/0/3] quit

# Enable DHCP snooping for VLAN 100.


[Quidway] vlan 100
[Quidway-vlan100] dhcp snooping enable

2. Configure the interface at the network side as trusted.
[Quidway-vlan100] dhcp snooping trusted interface gigabitethernet 0/0/3
[Quidway-vlan100] quit

3. Enable packet check on the interfaces at the user side.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] dhcp snooping check arp enable
[Quidway-GigabitEthernet0/0/1] dhcp snooping check ip enable
[Quidway-GigabitEthernet0/0/1] dhcp snooping check dhcp-chaddr enable
[Quidway-GigabitEthernet0/0/1] dhcp snooping check dhcp-request enable
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] dhcp snooping check arp enable
[Quidway-GigabitEthernet0/0/2] dhcp snooping check ip enable
[Quidway-GigabitEthernet0/0/2] dhcp snooping check dhcp-chaddr enable
[Quidway-GigabitEthernet0/0/2] dhcp snooping check dhcp-request enable
[Quidway-GigabitEthernet0/0/2] quit

4. Configure static binding entries.
[Quidway] vlan 100
[Quidway-vlan100] dhcp snooping bind-table static ip-address 10.1.1.3 mac-address 0000-005e-008a interface gigabitethernet 0/0/2
[Quidway-vlan100] dhcp snooping bind-table static ip-address 10.1.1.2 mac-address 0000-005e-008b interface gigabitethernet 0/0/1

5. Forcibly append the Option 82 field to DHCP messages.
[Quidway-vlan100] dhcp option82 rebuild enable interface gigabitethernet 0/0/1
[Quidway-vlan100] dhcp option82 rebuild enable interface gigabitethernet 0/0/2
[Quidway-vlan100] dhcp option82 rebuild enable interface gigabitethernet 0/0/3
[Quidway-vlan100] quit

6. Configure the sending of alarms to the NMS.

# Enable the sending of alarms to the NMS.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] dhcp snooping alarm arp enable
[Quidway-GigabitEthernet0/0/1] dhcp snooping alarm ip enable
[Quidway-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-chaddr enable
[Quidway-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-request enable
[Quidway-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-reply enable
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] dhcp snooping alarm arp enable
[Quidway-GigabitEthernet0/0/2] dhcp snooping alarm ip enable
[Quidway-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-chaddr enable
[Quidway-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-request enable
[Quidway-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-reply enable
[Quidway-GigabitEthernet0/0/2] quit

# Set the threshold for sending alarms.


[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] dhcp snooping alarm arp threshold 10
[Quidway-GigabitEthernet0/0/1] dhcp snooping alarm ip threshold 10
[Quidway-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-chaddr threshold 10
[Quidway-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-request threshold 10
[Quidway-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-reply threshold 10
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] dhcp snooping alarm arp threshold 10
[Quidway-GigabitEthernet0/0/2] dhcp snooping alarm ip threshold 10
[Quidway-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-chaddr threshold 10
[Quidway-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-request threshold 10
[Quidway-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-reply threshold 10
[Quidway-GigabitEthernet0/0/2] quit

7. Verify the configuration.

Run the display dhcp snooping bind-table command and the display dhcp option82 command. You can view that DHCP snooping is enabled in the system view. You can also view the configurations of sending alarms to the NMS and the statistics on the discarded packets.

# Check DHCP snooping configurations in the system view.
[Quidway] display dhcp snooping global
dhcp snooping enable

# Check static entries in the DHCP snooping binding table.


[Quidway] display dhcp snooping bind-table static
bind-table:
ifname        vrf    vsi    p/cvlan    mac-address     ip-address       tp  lease
------------------------------------------------------------------------------
GE0/0/1              0000   0100/0000  0000-005e-008b  010.001.001.002  S   0
GE0/0/2              0000   0100/0000  0000-005e-008a  010.001.001.003  S   0
------------------------------------------------------------------------------
binditem count: 2          binditem total count: 2

# Check whether Option 82 is enabled on GigabitEthernet 0/0/1.


[Quidway] display dhcp option82 vlan 100 interface gigabitethernet 0/0/1
dhcp option82 rebuilt enable interface gigabitethernet 0/0/1

Configuration Files
The following lists configuration files of the S-switch.
#
 sysname Quidway
#
vlan batch 100
#
dhcp snooping enable
#
vlan 100
 dhcp snooping enable
 dhcp snooping trusted interface GigabitEthernet0/0/3
 dhcp option82 rebuild enable interface GigabitEthernet0/0/1
 dhcp option82 rebuild enable interface GigabitEthernet0/0/2
 dhcp option82 rebuild enable interface GigabitEthernet0/0/3
 dhcp snooping bind-table static ip-address 10.1.1.3 mac-address 0000-005e-008a interface GigabitEthernet0/0/2
 dhcp snooping bind-table static ip-address 10.1.1.2 mac-address 0000-005e-008b interface GigabitEthernet 0/0/1
#
interface GigabitEthernet0/0/1
 port trunk allow-pass vlan 100
 dhcp snooping check arp enable
 dhcp snooping alarm arp enable
 dhcp snooping alarm arp threshold 10
 dhcp snooping check ip enable
 dhcp snooping alarm ip enable
 dhcp snooping alarm ip threshold 10
 dhcp snooping check dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr threshold 10
 dhcp snooping alarm dhcp-reply enable
 dhcp snooping alarm dhcp-reply threshold 10
 dhcp snooping check dhcp-request enable
 dhcp snooping alarm dhcp-request enable
 dhcp snooping alarm dhcp-request threshold 10
#
interface GigabitEthernet0/0/2
 port trunk allow-pass vlan 100
 dhcp snooping check arp enable
 dhcp snooping alarm arp enable
 dhcp snooping alarm arp threshold 10
 dhcp snooping check ip enable
 dhcp snooping alarm ip enable
 dhcp snooping alarm ip threshold 10
 dhcp snooping check dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr threshold 10
 dhcp snooping alarm dhcp-reply enable
 dhcp snooping alarm dhcp-reply threshold 10
 dhcp snooping check dhcp-request enable
 dhcp snooping alarm dhcp-request enable
 dhcp snooping alarm dhcp-request threshold 10
#
interface GigabitEthernet0/0/3
 port trunk allow-pass vlan 100
#
return
#

5 AAA Configuration

About This Chapter

This chapter describes the basic concepts and configuration procedures of Authentication, Authorization, and Accounting (AAA), Remote Authentication Dial In User Service (RADIUS), Huawei Terminal Access Controller Access Control System (HWTACACS), domains, and local users.

5.1 Overview of AAA
This section describes the basic principle and concepts of AAA and user management.
5.2 Configuring AAA
This section describes how to configure AAA.
5.3 Configuring the RADIUS Server
This section describes how to configure the RADIUS server.
5.4 Configuring the HWTACACS Server
This section describes how to configure the HWTACACS server.
5.5 Configuring a Domain
This section describes how to configure a domain.
5.6 Configuring Local User Management
This section describes how to configure local user management.
5.7 Maintaining AAA
This section describes how to clear or debug AAA.
5.8 Configuration Examples
This section provides an example for configuring AAA.


5.1 Overview of AAA


This section describes the basic principle and concepts of AAA and user management.
5.1.1 Introduction to AAA
5.1.2 RADIUS
5.1.3 HWTACACS
5.1.4 Domain-based User Management
5.1.5 Local User Management
5.1.6 References
5.1.7 Logical Relationships Between Configuration Tasks

5.1.1 Introduction to AAA


AAA provides the following security functions for users:
l Authentication: It determines the users that can access the network.
l Authorization: It authorizes users to use certain services.
l Accounting: It records the network resource usage of users.

Generally, AAA adopts the client/server model. In this model, the client runs on the resource side that is managed through AAA, whereas the server collects and keeps all user information. This model is highly extensible and allows user information to be managed centrally.

Authentication

AAA, implemented on the S-switch, provides the following authentication modes:

- Non-authentication: users are completely trusted and there is no check on their validity. This authentication mode is not recommended.
- Local authentication: user information, including the user name, password, and attributes, is configured on the S-switch. This authentication mode features high processing speed and low operation cost; however, the capacity of information storage is restricted by the hardware of the device.
- Remote authentication: users are remotely authenticated through the RADIUS protocol or the HWTACACS protocol. In this process, the S-switch serves as the client to communicate with the RADIUS or HWTACACS authentication server. The RADIUS protocol can be either a standard RADIUS protocol or an extended RADIUS protocol of Huawei, which is used on the iTELLIN or the Comprehensive Access Management Server (CAMS) to complete the authentication.

Authorization

AAA, implemented on the S-switch, provides the following authorization modes:

- Non-authorization: users are completely trusted and directly authorized.
- Local authorization: local users are authorized based on their attributes configured on the S-switch.
- HWTACACS authorization: users are authorized by the HWTACACS server.
- If-authenticated authorization: users are authorized if they pass the authentication and the authentication mode is not non-authentication.
- RADIUS authorization: RADIUS authentication and RADIUS authorization are bound together, so RADIUS authorization cannot be performed separately. The RADIUS server authorizes users immediately after they pass the RADIUS authentication.

Accounting

AAA, implemented on the S-switch, provides the following accounting modes:

- Non-accounting: free services are provided.
- Remote accounting: supports remote accounting through the RADIUS server or the HWTACACS server.

5.1.2 RADIUS
AAA can be implemented through many protocols, of which RADIUS is the most commonly used. RADIUS was initially used for managing a large number of scattered users who accessed the network through serial interfaces and modems. Later, it was widely applied to the network access server (NAS) system.

RADIUS prescribes how user information and accounting information are transmitted between the NAS and the RADIUS server. The authentication information between the NAS and the RADIUS server is transmitted with a key, which protects the user password from theft on an insecure network.

To obtain the right to access certain networks or to use some network resources, a user needs to set up a connection with the NAS through a network. The NAS is in charge of authenticating the user or the connection. After this authentication, the NAS sends the AAA information about the user to the RADIUS server. The RADIUS server receives connection requests from users, authenticates users, and then sends the required configuration information back to the NAS.

Message Exchange Defined by RADIUS

The RADIUS protocol prescribes the message exchange between the client and the server, and the structure of the exchanged messages. The server where the RADIUS protocol is applied is called a RADIUS server. Figure 5-1 shows the simple message exchange defined by RADIUS.

Figure 5-1 Message exchange between the RADIUS client and the RADIUS server

To log in to the S-switch, a user first sends its user name and password to the S-switch. On receiving them, the RADIUS client on the S-switch sends an authentication request to the RADIUS server. If the request is valid, the RADIUS server completes the authentication and returns the required user authentication information to the S-switch. Authentication information is transmitted between the S-switch and the RADIUS server with a key, that is, it is transmitted on the network only after being encrypted, which protects user information against theft on an insecure network. Accounting information is exchanged in the same way as authentication and authorization information.

Message Structure Defined by RADIUS

Figure 5-2 shows the message structure defined by RADIUS.

Figure 5-2 Message structure defined by RADIUS

- Code: indicates the message type, such as the access request, access permission, and accounting request.
- Identifier: is a string of ascending numbers for matching the request and response packets.
- Length: indicates the total length of all fields.
- Authenticator: is a value for checking the validity of a RADIUS message.
- Attribute: is the main body of a message, providing the attributes of the user.


Features of RADIUS

Using the User Datagram Protocol (UDP) as the transmission protocol, RADIUS features good real-time performance. In addition, RADIUS features high reliability by providing retransmission and standby server mechanisms. RADIUS is easy to implement and is applicable to the multithreading structure of the server for a large number of users. Owing to these features, RADIUS is widely applied.

As the RADIUS client, the S-switch provides the following functions:

- Functions defined in the standard and extended RADIUS protocols, including RFC 2865 and RFC 2866
- Functions defined in Huawei extended RADIUS+v1.1
- Active detection of the RADIUS server: after receiving an AAA authentication or accounting message, the RADIUS client enables server detection if the status of the current server is Down. The RADIUS client then transforms the message into a packet that functions as the server-probe packet and sends it to the server. If the client receives a response packet from the RADIUS server, the client considers the server available.
- Caching Accounting Stop packets locally and retransmitting them: if the number of retransmission failures exceeds the set value, the Accounting Stop packets are stored in the buffer queue. The system periodically scans the queue, extracts the packets, and sends them to the specified server. After sending, the system starts a timer. If the transmission fails or no response packet comes from the server within the timeout period, the packets are placed back into the buffer queue.
- Automatic switchover of the RADIUS server: when the timer expires, packets can be sent to another server in the configured server group if the current server does not work or the number of transmissions exceeds the maximum number.
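The retransmission, switchover and Accounting Stop caching behaviour listed above is modelled in the following added example, which is illustrative code and not Huawei's implementation. The timeout and retry count correspond to the radius-server timeout and radius-server retransmit parameters configured later in this chapter; the transport stub, server addresses (from the 192.0.2.0/24 documentation range) and packet contents are constructed.

```python
from collections import deque
from typing import Callable, Deque, List, Optional, Tuple

# Transport stub: (server, packet, timeout seconds) -> reply bytes, or None on timeout.
Transport = Callable[[str, bytes, int], Optional[bytes]]


class RadiusClient:
    def __init__(self, servers: List[str], transport: Transport,
                 timeout: int = 5, retransmit: int = 3):
        self.servers = list(servers)        # primary first, then secondary
        self.transport = transport
        self.timeout = timeout              # response timeout per attempt
        self.retransmit = retransmit        # attempts per server before switchover
        self.stop_queue: Deque[bytes] = deque()       # locally cached Accounting Stop packets
        self.attempts: List[Tuple[str, int]] = []    # audit trail: (server, try number)

    def send(self, packet: bytes) -> Optional[Tuple[str, bytes]]:
        """Return (server, reply) from the first server that answers within its
        retry budget, or None once every server in the group is exhausted."""
        for server in self.servers:
            for attempt in range(1, self.retransmit + 1):
                self.attempts.append((server, attempt))
                reply = self.transport(server, packet, self.timeout)
                if reply is not None:
                    return server, reply
            # retry budget exceeded: automatic switchover to the next server
        return None

    def send_accounting_stop(self, packet: bytes) -> bool:
        """Accounting Stop must not be lost: cache it locally if delivery fails."""
        if self.send(packet) is not None:
            return True
        self.stop_queue.append(packet)
        return False

    def flush_stop_queue(self) -> int:
        """Periodic scan: resend cached packets; unanswered ones go back in the queue."""
        delivered = 0
        for _ in range(len(self.stop_queue)):
            packet = self.stop_queue.popleft()
            if self.send(packet) is not None:
                delivered += 1
            else:
                self.stop_queue.append(packet)
        return delivered


def make_transport(reachable: set) -> Transport:
    """Constructed transport: servers in `reachable` acknowledge, all others time out."""
    return lambda server, packet, timeout: (b"ACK:" + packet) if server in reachable else None


if __name__ == "__main__":
    client = RadiusClient(["192.0.2.10", "192.0.2.11"], make_transport({"192.0.2.11"}), retransmit=2)
    print(client.send(b"Access-Request"), client.attempts)
```

The attempts list is the detail worth watching in a real deployment: with a timeout of 5 seconds and 3 retransmissions, a user whose primary server is down waits at least 15 seconds before the secondary is tried, and an unanswered Accounting Stop is the only record that the session ended, which is why it is cached rather than dropped.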

5.1.3 HWTACACS
HWTACACS is an access control protocol based on TACACS (RFC1492). Like RADIUS, HWTACACS carries out several AAA services in server/client mode. Compared with RADIUS, HWTACACS provides more reliable transmission and encrypts the packets. Table 5-1 shows the comparisons between HWTACACS and RADIUS.

Table 5-1 Comparisons between HWTACACS and RADIUS

HWTACACS | RADIUS
Uses the Transmission Control Protocol (TCP) to provide reliable transmission. | Uses UDP.
Encrypts the main structure of the authentication packet except the standard HWTACACS header. | Encrypts only the password field in the authentication packet.
Separates authentication from authorization. | Performs authentication together with authorization.
Is suitable for security control. | Is suitable for accounting.
Authorizes users to use the commands for configuring the device. | None.

5.1.4 Domain-based User Management


The NAS manages users in the following ways: one is based on the domain, in which you can configure default authorization, the RADIUS or HWTACACS server template, and the authentication and accounting schemes of the domain; the other is based on the user account.

In the current AAA implementation, users are categorized into different domains. The domain to which a user belongs depends on the character string that follows the "@" in the user name. For example, the user "user@huawei" belongs to the domain "huawei". If there is no "@" in the user name, the user belongs to the domain "default".

To perform AAA for access users, you need to configure authentication, authorization, and accounting modes respectively in the AAA view, and then apply the authentication, authorization, and accounting schemes in the domain view. AAA, by default, adopts local authentication, local authorization, and non-accounting respectively. If a domain is created but no scheme is applied in it, AAA adopts the default schemes for this domain. In addition, to use the RADIUS or HWTACACS schemes for a user, the RADIUS or HWTACACS server template must be pre-configured in the system view and then applied in the view of the domain to which the user belongs. For details about the configuration procedures, see the examples in the following sections.

When a domain and users in the domain are configured with the same attribute at the same time, the user-based configuration takes precedence over the domain-based configuration. The authorization precedence configured within a domain is lower than that configured on an AAA server; in other words, the authorization attribute of the AAA server is used preferentially. The domain authorization attribute is valid only when the AAA server lacks this authorization or does not support it. In this way, you can add services flexibly through domains regardless of the attribute limitations of the AAA server.

On the S-switch, you can configure multiple domains. Packets are transmitted according to their domain names. Functioning as a NAS, the S-switch determines the Internet service provider (ISP) to which a user belongs according to the domain name of the user, and then transmits the packets of the user to this ISP network.

5.1.5 Local User Management


To perform local user management, you need to set up the local user database, maintain user information, and manage users on the local S-switch. In addition to creating local user accounts, you can also implement functions such as local authentication and authorization.

5.1.6 References

For more information about AAA and RADIUS, refer to the following documents:

- RFC2865: Remote Authentication Dial In User Service (RADIUS)
- RFC2866: RADIUS Accounting
- RFC2867: RADIUS Accounting Modifications for Tunnel Protocol Support
- RFC2869: RADIUS Extensions
- RFC2903: Generic AAA Architecture
- RFC2904: AAA Authorization Framework
- RFC2906: AAA Authorization Requirements

5.1.7 Logical Relationships Between Configuration Tasks

1. Categorize users as required.
2. Create authentication, authorization, and accounting schemes.
3. Configure the RADIUS or HWTACACS server to implement RADIUS or HWTACACS authentication, authorization, or accounting.
4. Create a domain.
5. Apply the authentication, authorization, and accounting schemes configured in Step 2 in the domain.
6. Apply the RADIUS or HWTACACS server configured in Step 5 in the domain.
7. Configure local users.

5.2 Configuring AAA

This section describes how to configure AAA.

5.2.1 Establishing the Configuration Task
5.2.2 Configuring the Authentication Scheme
5.2.3 (Optional) Configuring the Authorization Scheme
5.2.4 Configuring the Accounting Scheme
5.2.5 (Optional) Configuring the Recording Scheme
5.2.6 Checking the Configuration

5.2.1 Establishing the Configuration Task


Applicable Environment

You can configure AAA to provide network access services for legal users in the following scenarios:

- The network devices need to be protected.
- Illegal access needs to be denied.
- The credibility of legal users is low.

NOTE
AAA is always enabled on the S-switch.


Pre-configuration Tasks
None.

Data Preparation

To configure AAA, you need the following data.

1. Name of the authentication scheme and authentication mode
2. (Optional) Name of the authorization scheme and authorization mode
3. Name of the accounting scheme, accounting mode, and interval for real-time accounting
4. (Optional) Policy for accounting start failures, policy for real-time accounting failures, and maximum number of real-time accounting failures
5. (Optional) Name of the recording scheme, name of the HWTACACS server template related to the recording mode, and events to be recorded
6. Types and numbers of the interfaces at the server side and the client side

5.2.2 Configuring the Authentication Scheme


Context
Do as follows on the S-switch.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
authentication-scheme authentication-scheme-name

An authentication scheme is created and the authentication scheme view is displayed.

Step 4 Run:
authentication-mode { hwtacacs | radius | local }*[ none ]

or

authentication-mode none

The authentication mode is set.

In this step, more than one authentication mode can be chosen, with the none mode as the last choice. During the actual authentication, the modes take effect in the order in which the commands were entered. The next mode takes effect only after the preceding one becomes invalid.

----End
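The domain lookup of section 5.1.4 and the ordered fallback of Step 4 above combine into the following added example, which is a model written for this page and not Huawei's code. It maps a user name to its domain, takes the authentication scheme applied in that domain (or the AAA defaults when none is applied), and walks the configured modes: a later mode is tried only when the preceding one is unavailable, while an explicit reject ends the chain, and none accepts without a check. It also models the authorization precedence rule, where a server-returned attribute wins over the domain's. The domain table, backend results, account and password are constructed; the rule that an unknown domain is rejected is an assumption of the model.

```python
from typing import Callable, Dict, List, Tuple

DEFAULT_DOMAIN = "default"
# Defaults the guide gives for a domain that has no scheme applied.
DEFAULT_SCHEME = {"authentication": ["local"], "authorization": ["local"], "accounting": ["none"]}

ACCEPT, REJECT, UNAVAILABLE = "accept", "reject", "unavailable"
Backend = Callable[[str, str], str]  # (user name, password) -> ACCEPT / REJECT / UNAVAILABLE


def split_domain(user_name: str) -> Tuple[str, str]:
    """'user@huawei' belongs to domain 'huawei'; a name without '@' is in 'default'."""
    name, sep, domain = user_name.partition("@")
    return (name, domain) if sep else (user_name, DEFAULT_DOMAIN)


def scheme_for(domains: Dict[str, Dict[str, List[str]]], domain: str) -> Dict[str, List[str]]:
    """Schemes applied in the domain view, with the AAA defaults filling any gap."""
    applied = domains[domain]
    return {kind: applied.get(kind, default) for kind, default in DEFAULT_SCHEME.items()}


def authenticate(modes: List[str], backends: Dict[str, Backend],
                 name: str, password: str) -> Tuple[str, str]:
    """Try the modes in configured order. The next mode is used only when the
    preceding one becomes invalid (backend unavailable); an explicit reject ends
    the chain; 'none' trusts the user without any check."""
    for mode in modes:
        if mode == "none":
            return ACCEPT, "none"
        result = backends[mode](name, password)
        if result != UNAVAILABLE:
            return result, mode
    return REJECT, "no authentication mode available"


def login(user_name: str, password: str, domains, backends) -> Tuple[str, str]:
    name, domain = split_domain(user_name)
    if domain not in domains:  # model assumption: a user in an unknown domain is rejected
        return REJECT, "unknown domain"
    return authenticate(scheme_for(domains, domain)["authentication"], backends, name, password)


def merge_authorization(server_attrs: dict, domain_attrs: dict) -> dict:
    """Attributes returned by the AAA server take precedence; a domain
    authorization attribute applies only where the server supplies none."""
    merged = dict(domain_attrs)
    merged.update(server_attrs)
    return merged


# Constructed domain table: 'huawei' falls back to local only while RADIUS is
# unreachable; 'weak' ends its chain with none, so a RADIUS outage admits anyone.
SAMPLE_DOMAINS = {
    "huawei": {"authentication": ["radius", "local"]},
    "weak": {"authentication": ["radius", "none"]},
    "default": {},
}


def sample_backends(radius_result: str) -> Dict[str, Backend]:
    """Constructed backends: RADIUS returns a fixed result, local knows one account."""
    return {
        "radius": lambda name, pw: radius_result,
        "local": lambda name, pw: ACCEPT if (name, pw) == ("admin", "constructed-pw") else REJECT,
    }


if __name__ == "__main__":
    for user in ("admin@huawei", "guest@weak", "admin"):
        print(user, login(user, "constructed-pw", SAMPLE_DOMAINS, sample_backends(UNAVAILABLE)))
```

The "weak" domain illustrates the operational meaning of putting none last: it is a deliberate decision that a server outage should admit users unauthenticated, so it belongs only in a domain where that trade-off has been accepted and is visible in display authentication-scheme output during an audit.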

5.2.3 (Optional) Configuring the Authorization Scheme


Context
Do as follows on the S-switch.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
authorization-scheme authorization-scheme-name

An authorization scheme is created and the authorization scheme view is displayed.

Step 4 Run:
authorization-mode { hwtacacs | if-authenticated | local }*[ none ]

or

authorization-mode none

The authorization mode is set.

In this step, more than one authorization mode can be chosen, with the none mode as the last choice. During the actual authorization, the modes take effect in the order in which the commands were entered. The next mode takes effect only after the preceding one becomes invalid.

----End

5.2.4 Configuring the Accounting Scheme


Context
Do as follows on the S-switch.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
accounting-scheme accounting-scheme-name

An accounting scheme is created and the accounting scheme view is displayed.

Step 4 Run:
accounting-mode { hwtacacs | none | radius }

The accounting mode is set.

Step 5 (Optional) Run:
accounting realtime interval

Real-time accounting is enabled and the accounting interval is set. By default, the value of interval is 5, in minutes.

Step 6 (Optional) Run:
accounting interim-fail [ max-times times ] [ offline | online ]

The policy for real-time accounting failures is configured. By default, the value of times is 3.

Step 7 (Optional) Run:
accounting start-fail [ offline | online ]

The policy for accounting start failures is configured. By default, the policy for accounting start failures is offline.

----End

5.2.5 (Optional) Configuring the Recording Scheme


Context
NOTE

You can configure the recording scheme only when HWTACACS has been enabled and the HWTACACS server template has been set.

Do as follows on the S-switch.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
recording-scheme recording-scheme-name

A recording scheme is created and the recording scheme view is displayed.

Step 4 Run:
recording-mode hwtacacs template-name

The recording mode is set.

Step 5 Run:
quit

The recording scheme view is exited and the AAA view is displayed.

Step 6 Run:
cmd recording-scheme recording-scheme-name

The commands that are used by the user are recorded on the device.

Step 7 Run:
outbound recording-scheme recording-scheme-name

The operations that are implemented on the device are recorded for the client.

Step 6 and Step 7 can be performed in either order.

----End

5.2.6 Checking the Configuration


Run the following commands to check the previous configuration.

Action: Check the summary of AAA.
Command: display aaa configuration

Action: Check the accounting scheme.
Command: display accounting-scheme [ accounting-scheme-name ]

Action: Check the authentication scheme.
Command: display authentication-scheme [ authentication-scheme-name ]

Action: Check the authorization scheme.
Command: display authorization-scheme [ authorization-scheme-name ]

Action: Check the recording scheme.
Command: display recording-scheme [ recording-scheme-name ]

5.3 Configuring the RADIUS Server


This section describes how to configure the RADIUS server.

5.3.1 Establishing the Configuration Task
5.3.2 Creating a RADIUS Server Template
5.3.3 Configuring the RADIUS Authentication Server
5.3.4 Configuring the RADIUS Accounting Server
5.3.5 (Optional) Configuring the Protocol Version for the RADIUS Server
5.3.6 (Optional) Configuring the Shared Key for the RADIUS Server
5.3.7 (Optional) Configuring the User Name Format for the RADIUS Server
5.3.8 (Optional) Setting the Traffic Unit for the RADIUS Server
5.3.9 (Optional) Configuring the Retransmission Parameters for the RADIUS Server
5.3.10 (Optional) Configuring the NAS Interface for the RADIUS Server
5.3.11 Checking the Configuration

5.3.1 Establishing the Configuration Task


Applicable Environment
When the RADIUS protocol is adopted for AAA, you need to configure the RADIUS server.
NOTE

Although most RADIUS parameters have default values, you can modify them as required. The parameters, however, can be modified only when the RADIUS server template is not in use.

Pre-configuration Tasks
None.

Data Preparation

To configure the RADIUS server, you need the following data.

1. Name of the RADIUS server template
2. IP address, interface number, and source interface number of the primary RADIUS server for authentication and accounting
3. (Optional) IP address, interface number, and source interface number of the secondary RADIUS server for authentication and accounting
4. (Optional) Retransmission times or prohibited retransmission of Accounting Stop packets
5. (Optional) Protocol version of the RADIUS server
6. (Optional) Shared key of the RADIUS server
7. (Optional) User name format (with or without the domain name) of the RADIUS server
8. (Optional) Traffic unit of the RADIUS server
9. (Optional) Response timeout period and retransmission times of the RADIUS server
10. (Optional) NAS interface format and its ID format of the RADIUS server

5.3.2 Creating a RADIUS Server Template


Context
Do as follows on the S-switch.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server template template-name

A RADIUS server template is created and the RADIUS view is displayed.

----End

5.3.3 Configuring the RADIUS Authentication Server


Context
Do as follows on the S-switch.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server template template-name

The RADIUS view is displayed.

Step 3 Run:
radius-server authentication ip-address port [ source loopback interface-number ]

The primary RADIUS authentication server is configured.

Step 4 Run:
radius-server authentication ip-address port [ source loopback interface-number ] secondary

The secondary RADIUS authentication server is configured.

----End

5.3.4 Configuring the RADIUS Accounting Server


Context
Do as follows on the S-switch.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server template template-name

The RADIUS view is displayed.

Step 3 Run:
radius-server accounting ip-address port [ source loopback interface-number ]

The primary RADIUS accounting server is configured.

Step 4 Run:
radius-server accounting ip-address port [ source loopback interface-number ] secondary

The secondary RADIUS accounting server is configured.

----End

5.3.5 (Optional) Configuring the Protocol Version for the RADIUS Server
Context
Do as follows on the S-switch.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server template template-name

The RADIUS view is displayed.

Step 3 Run:
radius-server type { portal | standard }

The protocol version is configured for the RADIUS server.

----End

5.3.6 (Optional) Configuring the Shared Key for the RADIUS Server
Context
Do as follows on the S-switch.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server template template-name

The RADIUS view is displayed.

Step 3 Run:
radius-server shared-key key-string

The shared key is configured for the RADIUS server.

----End

5.3.7 (Optional) Configuring the User Name Format for the RADIUS Server
Context
Do as follows on the S-switch.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server template template-name

The RADIUS view is displayed.

Step 3 Run:
radius-server user-name domain-included

The user name format is configured for the RADIUS server.

----End

5.3.8 (Optional) Setting the Traffic Unit for the RADIUS Server
Context
Do as follows on the S-switch.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server template template-name

The RADIUS view is displayed.

Step 3 Run:
radius-server traffic-unit { byte | kbyte | mbyte | gbyte }

The traffic unit is set for the RADIUS server.

----End

5.3.9 (Optional) Configuring the Retransmission Parameters for the RADIUS Server
Context
Do as follows on the S-switch.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server template template-name

The RADIUS view is displayed.

Step 3 Run:
radius-server timeout seconds

The response timeout period is set for the RADIUS server.

Step 4 Run:
radius-server retransmit retry-times

The retransmission times are set for the RADIUS server.

Step 3 and Step 4 can be performed in either order.

----End

5.3.10 (Optional) Configuring the NAS Interface for the RADIUS Server
Context
Do as follows on the S-switch.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server template template-name

The RADIUS view is displayed.

Step 3 Run:
radius-server nas-port-format { new | old }

The NAS interface format is configured for the RADIUS server.

Step 4 Run:
radius-server nas-port-id-format { new | old }

The ID format of the NAS interface is configured for the RADIUS server.

Step 3 and Step 4 can be performed in either order.

----End

5.3.11 Checking the Configuration


Run the following command to check the previous configuration.

Action: Check the configuration of the RADIUS server.
Command: display radius-server configuration [ template template-name ]

5.4 Configuring the HWTACACS Server


This section describes how to configure the HWTACACS server.

5.4.1 Establishing the Configuration Task
5.4.2 Creating a HWTACACS Server Template
5.4.3 Configuring the HWTACACS Authentication Server
5.4.4 Configuring the HWTACACS Authorization Server
5.4.5 Configuring the HWTACACS Accounting Server
5.4.6 (Optional) Configuring the Source IP Address of the HWTACACS Server
5.4.7 (Optional) Configuring the Shared Key for the HWTACACS Server
5.4.8 (Optional) Configuring the User Name Format for the HWTACACS Server
5.4.9 (Optional) Setting the Traffic Unit for the HWTACACS Server
5.4.10 (Optional) Setting the Timer of the HWTACACS Server
5.4.11 Checking the Configuration

5.4.1 Establishing the Configuration Task


Applicable Environment

When the HWTACACS protocol is adopted for AAA, you need to configure the HWTACACS server.

NOTE
The configuration of the HWTACACS server differs from that of the RADIUS server as follows:

- The S-switch does not check whether the HWTACACS template is in use when you modify attributes of the HWTACACS server, except when deleting the configuration of the server.
- By default, no authentication key is configured for the HWTACACS server.
- HWTACACS can process Accounting Stop packets on both integrated devices and distributed devices.

Pre-configuration Tasks
None.

Data Preparation

To configure AAA, you need the following data.

1. Name of the HWTACACS server template
2. IP address and interface number of the primary HWTACACS server for authentication, authorization, and accounting
3. (Optional) IP address and interface number of the secondary HWTACACS server for authentication, authorization, and accounting
4. (Optional) Retransmission times or prohibited retransmission of Accounting Stop packets
5. (Optional) Source IP address of the HWTACACS server
6. (Optional) Shared key of the HWTACACS server
7. (Optional) User name format (with or without the domain name) of the HWTACACS server
8. (Optional) Traffic unit of the HWTACACS server
9. (Optional) Response timeout period of the HWTACACS server and the time for restoring the primary HWTACACS server to be active

5.4.2 Creating a HWTACACS Server Template


Context
Do as follows on the S-switch.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

A HWTACACS server template is created and the HWTACACS view is displayed.

----End

5.4.3 Configuring the HWTACACS Authentication Server


Context
Do as follows on the S-switch.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS view is displayed.

Step 3 Run:
hwtacacs-server authentication ip-address [ port ]

The primary HWTACACS authentication server is configured.

Step 4 Run:
hwtacacs-server authentication ip-address [ port ] secondary

The secondary HWTACACS authentication server is configured.

----End

5.4.4 Configuring the HWTACACS Authorization Server


Context
Do as follows on the S-switch.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS view is displayed.

Step 3 Run:
hwtacacs-server authorization ip-address [ port ]

The primary HWTACACS authorization server is configured.

Step 4 Run:
hwtacacs-server authorization ip-address [ port ] secondary

The secondary HWTACACS authorization server is configured.

----End

5.4.5 Configuring the HWTACACS Accounting Server


Context
Do as follows on the S-switch.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS view is displayed.

Step 3 Run:
hwtacacs-server accounting ip-address [ port ]

The primary HWTACACS accounting server is configured.

Step 4 Run:
hwtacacs-server accounting ip-address [ port ] secondary

The secondary HWTACACS accounting server is configured.

Step 5 Run:
quit

The HWTACACS view is exited.

Step 6 Run:
hwtacacs-server accounting-stop-packet resend { disable | enable number }

The retransmission of Accounting Stop packets is configured.

----End

5.4.6 (Optional) Configuring the Source IP Address of the HWTACACS Server


Context
Do as follows on the S-switch.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS view is displayed.

Step 3 Run:
hwtacacs-server source-ip ip-address

The source IP address of the HWTACACS server is configured.

----End

5.4.7 (Optional) Configuring the Shared Key for the HWTACACS Server
Context
Do as follows on the S-switch.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS view is displayed.

Step 3 Run:
hwtacacs-server shared-key key-string

The shared key is configured for the HWTACACS server.

----End

5.4.8 (Optional) Configuring the User Name Format for the HWTACACS Server
Context
Do as follows on the S-switch.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS view is displayed.

Step 3 Run:
hwtacacs-server user-name domain-included

The user name format is configured for the HWTACACS server.

----End

5.4.9 (Optional) Setting the Traffic Unit for the HWTACACS Server
Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS view is displayed.

Step 3 Run:
hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }

The traffic unit is set for the HWTACACS server.

----End

5.4.10 (Optional) Setting the Timer of the HWTACACS Server


Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS view is displayed.

Step 3 Run:
hwtacacs-server timer response-timeout timeout

The response timeout period is set for the HWTACACS server.

Step 4 Run:
hwtacacs-server timer quiet time

The restoration period is set for the HWTACACS server.

----End

5.4.11 Checking the Configuration


Run the following commands to check the previous configuration.

Action: Check the HWTACACS server.
Command: display hwtacacs-server template [ template-name [ verbose ] ]

Action: Check Accounting Stop packets on the HWTACACS server.
Command: display hwtacacs-server accounting-stop-packet { all | number | ip ip-address }

5.5 Configuring a Domain


This section describes how to configure a domain.

5.5.1 Establishing the Configuration Task
5.5.2 Creating a Domain
5.5.3 Configuring Authentication, Authorization, and Accounting Schemes for the Domain
5.5.4 (Optional) Configuring the RADIUS Server Template for the Domain
5.5.5 (Optional) Configuring the HWTACACS Server Template for the Domain
5.5.6 (Optional) Configuring the Status of the Domain
5.5.7 (Optional) Setting the Maximum Number of Access Users for the Domain
5.5.8 Checking the Configuration

5.5.1 Establishing the Configuration Task


Applicable Environment
You can configure a domain to implement AAA management on users who access the S-switch through the domain.

Pre-configuration Tasks
Configure the RADIUS or HWTACACS server template if the remote authentication, authorization, and accounting schemes are adopted.

Data Preparation
To configure a domain, you need the following data.

No.  Data
1    Domain name
2    Names of the authentication, authorization, and accounting schemes to be used for the domain
3    (Optional) Name of the RADIUS or HWTACACS template to be used for the domain
4    (Optional) Maximum number of access users allowed in the domain

5.5.2 Creating a Domain


Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

A domain is created and the domain view is displayed.

----End

5.5.3 Configuring Authentication, Authorization, and Accounting Schemes for the Domain
Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
authentication-scheme authentication-scheme-name

The authentication scheme is configured for the domain.

Step 5 Run:
authorization-scheme authorization-scheme-name

The authorization scheme is configured for the domain.


Step 6 Run:
accounting-scheme accounting-scheme-name

The accounting scheme is configured for the domain.

----End

5.5.4 (Optional) Configuring the RADIUS Server Template for the Domain
Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
radius-server template-name

The RADIUS server template is configured for the domain.

----End

5.5.5 (Optional) Configuring the HWTACACS Server Template for the Domain
Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa


The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
hwtacacs-server template-name

The HWTACACS server template is configured for the domain.

----End

5.5.6 (Optional) Configuring the Status of the Domain


Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
state { active | block }

The status of the domain is configured.

----End

5.5.7 (Optional) Setting the Maximum Number of Access Users for the Domain
Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view


The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
access-limit max-number

The maximum number of access users is set for the domain.

----End

5.5.8 Checking the Configuration


Run the following command to check the previous configuration.

Action: Check the domain.
Command: display domain [ domain-name ]

5.6 Configuring Local User Management


This section describes how to configure local user management.

5.6.1 Establishing the Configuration Task
5.6.2 Creating Local User Accounts
5.6.3 (Optional) Configuring the Service Type for Local Users
5.6.4 (Optional) Configuring the Authority of Accessing the FTP Directory for Local Users
5.6.5 (Optional) Configuring the Status of Local Users
5.6.6 (Optional) Setting the Priority of Local Users
5.6.7 (Optional) Setting the Access Limit for Local Users
5.6.8 Checking the Configuration

5.6.1 Establishing the Configuration Task


Applicable Environment
You can create local users and manage them on the S-switch.

Pre-configuration Tasks
None.

Data Preparation
To configure AAA, you need the following data.

No.  Data
1    User names and passwords
2    (Optional) Service type of local users
3    (Optional) Name of the FTP directory for local users
4    (Optional) Status of local users
5    (Optional) Priority of local users
6    (Optional) Maximum number of local access users

5.6.2 Creating Local User Accounts


Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name password { simple | cipher } password

Local user accounts are created.

----End

5.6.3 (Optional) Configuring the Service Type for Local Users


Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view


The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name service-type { ftp | ppp | ssh | telnet | terminal } *

The service type is configured for local users.

NOTE
Through this configuration procedure, user management based on the service type is implemented.

----End

5.6.4 (Optional) Configuring the Authority of Accessing the FTP Directory for Local Users
Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name ftp-directory directory

The authority of accessing the FTP directory is configured for local users.

----End

5.6.5 (Optional) Configuring the Status of Local Users


Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view


The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name state { active | block }

The status of local users is configured.

----End

5.6.6 (Optional) Setting the Priority of Local Users


Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name level level

The priority of local users is set.

----End

5.6.7 (Optional) Setting the Access Limit for Local Users


Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa


The AAA view is displayed.

Step 3 Run:
local-user user-name access-limit access-limit

The access limit is set for local users.

----End

5.6.8 Checking the Configuration


Run the following command to check the previous configuration.

Action: Check the attributes of local users.
Command: display local-user [ domain domain-name | username user-name ]

5.7 Maintaining AAA


This section describes how to clear or debug AAA.

5.7.1 Clearing HWTACACS Statistics
5.7.2 Debugging AAA

5.7.1 Clearing HWTACACS Statistics

CAUTION
HWTACACS statistics cannot be restored after you clear them. So, confirm the action before you use the commands.

Action: Clear statistics about the HWTACACS server.
Command: reset hwtacacs-server statistics { all | accounting | authentication | authorization }

Action: Clear statistics about Accounting Stop packets on the HWTACACS server.
Command: reset hwtacacs-server accounting-stop-packet { all | ip ip-address }

5.7.2 Debugging AAA



CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging all command to disable it at once.

When an AAA fault occurs, run the following debugging commands in the user view to locate the fault. For details about debugging, see Chapter 6 "Debugging and Diagnosis."

Action: Debug RADIUS packets.
Command: debugging radius packet

Action: Debug the HWTACACS server.
Command: debugging hwtacacs { all | error | event | message | receive-packet | send-packet }

5.8 Configuration Examples


This section provides an example for configuring AAA.

Networking Requirements
It is required that Telnet users be authenticated through the RADIUS protocol. A maximum of five Telnet users can log in to the S-switch. Telnet users are first authenticated by the RADIUS authentication server. If the RADIUS authentication server does not respond, the non-authentication mode is adopted. The IP address of the RADIUS authentication server is 1.1.1.1. There is no secondary authentication server. By default, the port number is 1812.

Networking diagram
See Figure 5-3.

Figure 5-3 Networking diagram of AAA


Configuration Procedure
# Configure the mode in which users access the S-switch to only Telnet and set the AAA authentication for users.
[S-switch-A] user-interface vty 0 4
[S-switch-A-ui-vty0-4] protocol inbound telnet
[S-switch-A-ui-vty0-4] authentication-mode aaa
[S-switch-A-ui-vty0-4] quit

# Configure the RADIUS server template.
[S-switch-A] radius-server template shiva

# Configure the IP address and port of the RADIUS authentication server.
[S-switch-A-radius-shiva] radius-server authentication 1.1.1.1 1812

# Set the shared key and retransmission times for the RADIUS server.
[S-switch-A-radius-shiva] radius-server shared-key it-is-my-secret
[S-switch-A-radius-shiva] radius-server retransmit 2
[S-switch-A-radius-shiva] quit

# Enter the AAA view.
[S-switch-A] aaa

# Configure the authentication scheme r-n and set the authentication modes to radius and none in sequence, that is, if the RADIUS authentication server does not respond, non-authentication is adopted.
[S-switch-A-aaa] authentication-scheme r-n
[S-switch-A-aaa-authen-r-n] authentication-mode radius none
[S-switch-A-aaa-authen-r-n] quit

# Configure the default domain. Adopt the authentication scheme r-n, the default accounting scheme (non-accounting), and the RADIUS template shiva in the domain view.
[S-switch-A-aaa] domain default
[S-switch-A-aaa-domain-default] authentication-scheme r-n
[S-switch-A-aaa-domain-default] radius-server shiva

Configuration Files
#
 sysname S-switch-A
#
radius-server template shiva
 radius-server shared-key it-is-my-secret
 radius-server authentication 1.1.1.1 1812
 radius-server retransmit 2
#
aaa
 authentication-scheme default
 authentication-scheme r-n
  authentication-mode radius none
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
  authentication-scheme r-n
  radius-server shiva

 #
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 authentication-mode aaa
#
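The scheme r-n above falls through to none only when the RADIUS server is silent, so a server outage admits Telnet users without any credential check, while an explicit reject stays a reject. The following added example (not Huawei code) models that decision for the domain exactly as the configuration above sets it up; the server functions, the retry loop and the module layout are constructed for the example.

```python
"""Model of how an authentication scheme such as 'authentication-mode radius
none' decides access for a user in domain 'default' (constructed example).

Semantics follow the configuration example: the next mode in the list is
tried only when the RADIUS server does not respond; ACCEPT and REJECT are
final.  The server is a plain function so the reachable, rejecting and
unreachable cases can be exercised offline.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Outcomes of one RADIUS authentication attempt.
ACCEPT, REJECT, NO_RESPONSE = "accept", "reject", "no-response"


@dataclass
class RadiusTemplate:
    """Fields set in the 'radius-server template shiva' block."""
    name: str
    server: str              # radius-server authentication <ip> <port>
    port: int = 1812
    retransmit: int = 3      # radius-server retransmit <n>
    shared_key: str = ""     # radius-server shared-key (never logged)


@dataclass
class AuthenticationScheme:
    """'authentication-scheme <name>' with its ordered authentication modes."""
    name: str
    modes: List[str]         # e.g. ["radius", "none"]


@dataclass
class Domain:
    name: str
    authentication_scheme: AuthenticationScheme
    radius_template: Optional[RadiusTemplate] = None


# Hypothetical stand-in for the network: (user, password, template) -> outcome.
ServerFn = Callable[[str, str, RadiusTemplate], str]


def radius_authenticate(user: str, password: str, tpl: RadiusTemplate,
                        server: ServerFn, log: List[str]) -> str:
    """One Access-Request plus up to `retransmit` retries while no reply arrives."""
    for attempt in range(1, tpl.retransmit + 2):
        outcome = server(user, password, tpl)
        log.append(f"radius {tpl.server}:{tpl.port} attempt {attempt}: {outcome}")
        if outcome != NO_RESPONSE:
            return outcome
    return NO_RESPONSE


def authenticate(domain: Domain, user: str, password: str,
                 server: ServerFn, log: Optional[List[str]] = None) -> str:
    """Walk the scheme's mode list; fall through to the next mode only on NO_RESPONSE."""
    log = log if log is not None else []
    for mode in domain.authentication_scheme.modes:
        if mode == "none":
            # Non-authentication: the user is admitted without any check.
            log.append("mode none: access granted without authentication")
            return ACCEPT
        if mode == "radius":
            if domain.radius_template is None:
                log.append("mode radius: no RADIUS template bound to the domain")
                return REJECT
            outcome = radius_authenticate(user, password, domain.radius_template,
                                          server, log)
            if outcome != NO_RESPONSE:
                return outcome
            log.append("mode radius: server silent, trying next mode")
            continue
        raise ValueError(f"unsupported authentication mode {mode!r}")
    log.append("no mode produced a decision")
    return REJECT


# Constructed server behaviours for the demonstration.
def server_up(user: str, password: str, tpl: RadiusTemplate) -> str:
    """Reachable server that knows exactly one account."""
    return ACCEPT if (user, password) == ("alice", "correct") else REJECT


def server_down(user: str, password: str, tpl: RadiusTemplate) -> str:
    """Unreachable server: every request times out."""
    return NO_RESPONSE


def build_domain_from_page() -> Domain:
    """Domain 'default' as the configuration example above defines it."""
    shiva = RadiusTemplate("shiva", "1.1.1.1", 1812, retransmit=2,
                           shared_key="it-is-my-secret")
    r_n = AuthenticationScheme("r-n", ["radius", "none"])
    return Domain("default", r_n, shiva)


if __name__ == "__main__":
    d = build_domain_from_page()
    for srv, label in ((server_up, "server reachable"), (server_down, "server unreachable")):
        trail: List[str] = []
        print(f"{label}: bob/wrong -> {authenticate(d, 'bob', 'wrong', srv, trail)}")
        for line in trail:
            print("   ", line)
```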


6 MAC Address Authentication Configuration


About This Chapter


This chapter describes the basic concepts of MAC address authentication and the procedure for configuring MAC address authentication, and provides examples for configuring MAC address authentication.

6.1 Overview of MAC Address Authentication
This section describes the basic principle and concepts of MAC address authentication.

6.2 Configuring MAC Address Authentication
This section describes how to configure MAC address authentication.

6.3 Configuring Enhanced MAC Address Authentication
This section describes how to configure a guest VLAN and the maximum number of MAC address authentication users attached to an interface of an S-switch.

6.4 Maintaining MAC Address Authentication
Run the reset command in the user view to reset the statistics of MAC address authentication.

6.5 Configuration Examples
This section provides a configuration example for MAC address authentication.


6.1 Overview of MAC Address Authentication


This section describes the basic principle and concepts of MAC address authentication.

6.1.1 Introduction to MAC Address Authentication
6.1.2 MAC Address Authentication Features Supported by the S-switch
6.1.3 Update History

6.1.1 Introduction to MAC Address Authentication


The S-switch adopts MAC address authentication in the following modes:
- Remote Authentication Dial-In User Service (RADIUS) server authentication
- Local authentication

After confirming the authentication mode, you can select one of the following types of authentication usernames:
- MAC-address username: The MAC address of a user is used as the username for authentication.
- Fixed username: All users that use the same MAC address use the username and password pre-configured on an S-switch; therefore, whether users can pass the authentication depends on the correctness of the username and password, and on the maximum number of users allowed to use the username.

MAC Address Authentication in RADIUS Server Authentication Mode


When MAC address authentication adopts the RADIUS server authentication mode, an S-switch functioning as a RADIUS client cooperates with the RADIUS server to implement MAC address authentication.
- When the MAC-address username type is adopted, the S-switch takes the MAC address of a detected user as the username and password of the user, and sends it to the RADIUS server.
- When the fixed username type is adopted, the S-switch takes the locally configured username and password as the username and password of a user to be authenticated, and sends them to the RADIUS server.

Users that pass the authentication on the RADIUS server can access the network.

MAC Address Authentication in Local Authentication Mode


When MAC address authentication adopts the local authentication mode, users are authenticated on the local S-switch. You need to configure the local username and password on the S-switch.
- When the MAC-address username type is adopted, the MAC address of an access user is configured as the local username and the password for the authentication. Whether the local username contains the delimiter - must be consistent with the format of the username configured on the device; otherwise, MAC address authentication fails.

- When the fixed username type is adopted, the MAC addresses of all the users match the configured local username and password automatically.

6.1.2 MAC Address Authentication Features Supported by the S-switch


Timers for MAC Address Authentication
MAC address authentication is controlled by the following timers:
- Offline-detect timer: specifies the interval at which the S-switch checks whether a user has gone offline. When a user goes offline, the S-switch immediately notifies the RADIUS server to stop charging the user.
- Quiet timer: specifies the period the S-switch waits before re-authenticating a user that has failed authentication. During this period, the S-switch does not process authentication requests from the user.
- Server-timeout timer: specifies the timeout period of the connection between the S-switch and the RADIUS server. During the authentication process, if the connection between the S-switch and the RADIUS server times out, the authentication fails.

Silent MAC Address


After the authentication of a MAC address fails, the MAC address becomes a silent MAC address. During the timeout period of the quiet timer, the S-switch directly discards data packets received from users of this MAC address. The silent MAC address is configured to prevent invalid MAC addresses from being authenticated repeatedly in a short time.

Guest VLAN
When the authentication of a user connected to an interface fails, the interface is added to a guest VLAN if the conditions for validating a guest VLAN are met. The user connected to the interface can access network resources of the guest VLAN. This is an authorization method of enabling users that fail in the authentication to access limited resource of specific VLANs.
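To make the interaction of the three timers and the silent-MAC rule concrete, here is an added example (not Huawei code) that models them with the defaults 6.2.7 lists (offline-detect 300 s, quiet 60 s, server-timeout 30 s). The RADIUS server is a constructed function, and treating the quiet period as starting when the server-timeout expires is an assumption of the model.

```python
"""Constructed model of the MAC address authentication timers and the
silent-MAC behaviour described in 6.1.2.  Times are integer seconds."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Hypothetical stand-in for the RADIUS server: True = accept, False = reject,
# None = no reply before the server-timeout timer expires.
ServerFn = Callable[[str], Optional[bool]]


@dataclass
class MacAuthenticator:
    """Per-switch MAC address authentication state."""
    server: ServerFn
    offline_detect: int = 300      # mac-authen timer offline-detect (default 300 s)
    quiet_period: int = 60         # mac-authen timer quiet-period   (default 60 s)
    server_timeout: int = 30       # mac-authen timer server-timeout (default 30 s)
    silent_until: Dict[str, int] = field(default_factory=dict)  # mac -> end of quiet
    online: Dict[str, int] = field(default_factory=dict)        # mac -> last seen
    events: List[str] = field(default_factory=list)

    def handle_frame(self, mac: str, now: int) -> str:
        """Decide what happens to a frame from `mac` at time `now`:
        returns 'forward' or 'discard'."""
        if mac in self.online:
            self.online[mac] = now       # refresh for offline detection
            return "forward"
        until = self.silent_until.get(mac)
        if until is not None and now < until:
            # Silent MAC: dropped during the quiet period without any request
            # to the server, which is what the quiet timer is for.
            return "discard"
        self.silent_until.pop(mac, None)
        outcome = self.server(mac)
        if outcome is None:
            # No reply: the attempt fails once server-timeout expires, and the
            # quiet period is counted from that moment (model assumption).
            self._fail(mac, now + self.server_timeout, "server timeout")
            return "discard"
        if outcome is False:
            self._fail(mac, now, "rejected")
            return "discard"
        self.online[mac] = now
        self.events.append(f"{now}s {mac} authenticated, online")
        return "forward"

    def _fail(self, mac: str, at: int, why: str) -> None:
        self.silent_until[mac] = at + self.quiet_period
        self.events.append(f"{at}s {mac} {why}, silent until {at + self.quiet_period}s")

    def offline_check(self, now: int) -> List[str]:
        """Offline-detect timer: users idle for offline_detect seconds are removed
        and an Accounting-Stop would be sent.  Returns the MACs taken offline."""
        gone = [m for m, last in self.online.items() if now - last >= self.offline_detect]
        for m in gone:
            del self.online[m]
            self.events.append(f"{now}s {m} offline, Accounting-Stop sent")
        return gone


def demo_server(mac: str) -> Optional[bool]:
    """Constructed server: one valid MAC, one that never gets a reply, rest rejected."""
    if mac == "00e0fc000001":
        return True
    if mac == "00e0fc0000ff":
        return None
    return False


if __name__ == "__main__":
    sw = MacAuthenticator(demo_server)
    for t, mac in [(0, "00e0fc000001"), (0, "00e0fc000002"), (30, "00e0fc000002"),
                   (60, "00e0fc000002"), (5, "00e0fc0000ff")]:
        print(f"t={t:>3}s {mac}: {sw.handle_frame(mac, t)}")
    print("offline at t=300s:", sw.offline_check(300))
    print("\n".join(sw.events))
```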

6.1.3 Update History


Version       Revision
V200R002C02   This is the first release.

6.2 Configuring MAC Address Authentication


This section describes how to configure MAC address authentication.

6.2.1 Establishing the Configuration Task
6.2.2 Configuring Global MAC Address Authentication
6.2.3 Configuring MAC Address Authentication on an Interface
6.2.4 Configuring a MAC Address as a Username for MAC Address Authentication

6.2.5 Configuring a Fixed Username for a MAC Address Authentication User
6.2.6 (Optional) Configuring a Domain Name for a MAC Address Authentication User
6.2.7 (Optional) Configuring Timers for MAC Address Authentication
6.2.8 Checking the Configuration

6.2.1 Establishing the Configuration Task


Applicable Environment
MAC address authentication can be configured on an interface before global MAC address authentication is enabled, but MAC address authentication does not take effect on the interface. After global MAC address authentication is enabled, MAC address authentication enabled on the interface takes effect immediately.
NOTE
- If MAC address authentication is enabled on an interface, 802.1x cannot be enabled on the interface; if 802.1x is enabled on an interface, MAC address authentication cannot be enabled on the interface.
- If MAC address authentication is enabled on an interface, VLAN mapping cannot be enabled on the interface; if VLAN mapping is enabled on an interface, MAC address authentication cannot be enabled on the interface.

Pre-configuration Tasks
Before configuring MAC address authentication, complete the following tasks:
- Connecting interfaces and configuring physical parameters for the interfaces to ensure that the physical layer status of the interfaces is Up
- Configuring parameters of the link layer protocol for interfaces and ensuring that the status of the link layer protocol on the interfaces is Up

Data Preparation
To configure MAC address authentication, you need the following data.

No.  Data
1    Number of an interface to be authenticated

6.2.2 Configuring Global MAC Address Authentication


Context
Do as follows on the S-switch.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the mac-authen command to enable global MAC address authentication.

----End

6.2.3 Configuring MAC Address Authentication on an Interface


Context
Do as follows on the S-switch in the system view and in the interface view respectively.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the mac-authen interface { interface-type interface-number1 [ to interface-number2 ] } command to enable MAC address authentication on a specified interface.
NOTE

In addition, you can run the mac-authen command in the interface view to enable MAC address authentication on the interface.

----End

6.2.4 Configuring a MAC Address as a Username for MAC Address Authentication


Context
Do as follows on the S-switch.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the mac-authen username macaddress command to configure a MAC address as a username for MAC address authentication. By default, a MAC address without delimiter - is used as a username for MAC address authentication.

Step 3 (Optional) Run the mac-authen username macaddress format with-hyphen command to configure a MAC address with delimiter - as a username for MAC address authentication.

----End

6.2.5 Configuring a Fixed Username for a MAC Address Authentication User


Context
To configure a fixed username for a MAC address authentication user, do as follows on the S-switch.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the mac-authen username fixed command to configure a fixed username for a MAC address authentication user.

Step 3 Run the mac-authen username username command to configure a username for MAC address authentication.

Step 4 Run the mac-authen password password command to configure a password for MAC address authentication.

----End

6.2.6 (Optional) Configuring a Domain Name for a MAC Address Authentication User


Context
When a user adopts MAC address authentication, you must configure an authentication domain for the user. To configure a domain name for a MAC address authentication user, do as follows on the S-switch. The configuration is invalid for a user with a fixed username. By default, MAC address authentication without a domain is used, and a username does not contain a domain name.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the mac-authen domain isp-name command to configure a domain name for a MAC address authentication user.
NOTE

Configure an authentication domain for a MAC address authentication user. Check whether there is an available domain before configuring the domain; otherwise, the system prompts that an error occurs.

----End
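Sections 6.1.1 and 6.2.4 to 6.2.6 together determine which username and password the S-switch submits for a client. The following added example (not Huawei code) derives those credentials from the settings; it assumes that a MAC address "without delimiter" is the 12 lowercase hex digits, that "with-hyphen" is the xx-xx-xx-xx-xx-xx form, and that a configured domain is appended as @domain (the page's own fixed username huawei@default uses that separator), none of which the page states explicitly.

```python
"""Constructed model of credential derivation for MAC address authentication.
The hyphen grouping and the '@domain' suffix are assumptions, not taken
from the configuration guide."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Accept 00e0-fc12-3456, 00:e0:fc:12:34:56, 00-E0-FC-12-34-56 or bare hex
    and return the 12 lowercase hex digits; raise ValueError otherwise."""
    digits = re.sub(r"[-:.]", "", raw.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


@dataclass
class MacAuthenConfig:
    """System-view settings from 6.2.4 to 6.2.6 (defaults as the page states them)."""
    username_type: str = "macaddress"      # mac-authen username { macaddress | fixed }
    with_hyphen: bool = False              # mac-authen username macaddress format with-hyphen
    fixed_username: Optional[str] = None   # mac-authen username <username>
    fixed_password: Optional[str] = None   # mac-authen password <password>
    domain: Optional[str] = None           # mac-authen domain <isp-name>


def credentials(cfg: MacAuthenConfig, client_mac: str) -> Tuple[str, str]:
    """Return the (username, password) pair the S-switch would submit for client_mac."""
    if cfg.username_type == "fixed":
        if not cfg.fixed_username or cfg.fixed_password is None:
            raise ValueError("fixed username type needs both a username and a password")
        # 6.2.6: the domain setting is not applied to a fixed username.
        return cfg.fixed_username, cfg.fixed_password
    if cfg.username_type != "macaddress":
        raise ValueError(f"unknown username type {cfg.username_type!r}")
    digits = normalize_mac(client_mac)
    if cfg.with_hyphen:
        mac_user = "-".join(digits[i:i + 2] for i in range(0, 12, 2))   # assumed grouping
    else:
        mac_user = digits
    # 6.1.1: with the MAC-address username type the MAC is both username and password.
    username = f"{mac_user}@{cfg.domain}" if cfg.domain else mac_user   # assumed separator
    return username, mac_user


def local_user_entry(cfg: MacAuthenConfig, client_mac: str) -> str:
    """The 'local-user' line a local-authentication deployment (6.1.1) needs for this
    client; its hyphen form must match the configured format or authentication fails."""
    user, pw = credentials(cfg, client_mac)
    return f"local-user {user} password simple {pw}"


if __name__ == "__main__":
    # Constructed sample client MAC address.
    for cfg in (MacAuthenConfig(), MacAuthenConfig(with_hyphen=True, domain="isp1"),
                MacAuthenConfig("fixed", fixed_username="huawei@default",
                                fixed_password="huawei")):
        print(cfg, "->", credentials(cfg, "00E0-FC12-3456"))
```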

6.2.7 (Optional) Configuring Timers for MAC Address Authentication


Context
Do as follows on the S-switch.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the mac-authen timer offline-detect offline-detect-value command to configure the value of the offline-detect timer. The default value is 300 seconds.

Step 3 Run the mac-authen timer quiet-period quiet-value command to configure the value of the quiet timer. The default value is 60 seconds.

Step 4 Run the mac-authen timer server-timeout server-timeout-value command to configure the value of the server timeout timer. The default value is 30 seconds.

----End

6.2.8 Checking the Configuration


Prerequisite
All configurations of MAC address authentication are complete.

Procedure
Step 1 Run the display mac-authen command to view the status of MAC address authentication. ----End

Example
Run the display mac-authen command to check the configuration results of MAC address authentication. For example:
<Quidway> display mac-authen
 Mac address authentication is Enabled.
 Fixed username: test
 Fixed Password: test123
 Offline detect period is 60s
 Quiet period is 65s
 Server response timeout value is 66s
 Guest VLAN reauthenticate period is 30s
 Max online user is 1024
 Current online user is 0
 Current domain: not configured

6.3 Configuring Enhanced MAC Address Authentication


This section describes how to configure a guest VLAN and the maximum number of MAC address authentication users attached to an interface of an S-switch.

6.3.1 Establishing the Configuration Task
6.3.2 Configuring a Guest VLAN
6.3.3 Configuring the Maximum Number of MAC Address Authentication Users on an Interface
6.3.4 Checking the Configuration

6.3.1 Establishing the Configuration Task



Applicable Environment
After the authentication of a user connected to an interface fails, the interface is added to a guest VLAN. The MAC address of the user is added to the MAC address table of the guest VLAN. Thus, the user can access network resources of the guest VLAN.

By configuring the maximum number of MAC address authentication users, you can control the users accessing an interface. When the number of users accessing an interface of an S-switch reaches the limit, the S-switch does not trigger MAC address authentication for subsequent users accessing the interface. Therefore, these users cannot access the network normally.

Pre-configuration Tasks
Before configuring enhanced MAC address authentication, complete the following tasks:
- Enabling MAC address authentication
- Creating a VLAN to be configured as a guest VLAN
- Configuring the maximum number of MAC address authentication users to one.

Data Preparation
To configure enhanced MAC address authentication, you need the following data.

No.  Data
1    Number of an interface on an S-switch that performs MAC address authentication
2    ID of a guest VLAN

6.3.2 Configuring a Guest VLAN


Context
Do as follows on the S-switch.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the interface interface-type interface-number command to enter the GigabitEthernet interface view.

Step 3 Run the mac-authen guest-vlan vlan-id command to configure a guest VLAN on the interface.

Step 4 (Optional) Run the mac-authen timer guest-vlan reauthenticate-period interval command to configure the interval at which the S-switch re-authenticates users in the guest VLAN.

Step 5 Run the quit command to return to the system view.

----End

6.3.3 Configuring the Maximum Number of MAC Address Authentication Users on an Interface
Context
To set the maximum number of online users on an interface of an S-switch, do as follows on the S-switch.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the interface interface-type interface-number command to enter the GigabitEthernet interface view.

Step 3 Run the mac-authen max-user user-number command to set the maximum number of MAC address authentication users on the interface.

Step 4 Run the quit command to return to the system view.

----End

6.3.4 Checking the Configuration


Prerequisite
All configurations of enhanced MAC address authentication are complete.

Procedure
Step 1 Run the display mac-authen command to check the configuration of enhanced MAC address authentication.

----End

Example
Run the display mac-authen command to check the configuration results of enhanced MAC address authentication. For example:
<Quidway> display mac-authen
 Mac address authentication is Enabled.
 Fixed username:
 Fixed Password: test123
 Offline detect period is 60s
 Quiet period is 65s
 Server response timeout value is 66s
 Guest VLAN reauthenticate period is 30s
 Max online user is 1024
 Current online user is 0
 Current domain: not configured


6.4 Maintaining MAC Address Authentication


Run the reset command in the user view to reset the statistics of MAC address authentication.

6.4.1 Resetting Statistics of MAC Address Authentication

6.4.1 Resetting Statistics of MAC Address Authentication


Context

CAUTION
Statistics of MAC address authentication cannot be restored after you clear them. So, confirm the action before you use the command.

Procedure
Step 1 After confirming the action of resetting the statistics of MAC address authentication, run the reset mac-authentication statistics [ interface { interface-type interface-number1 [ to interface-number2 ] } ] command in the user view to clear them.

----End

6.5 Configuration Examples


This section provides a configuration example for MAC address authentication.

6.5.1 Example for Configuring MAC Address Authentication

6.5.1 Example for Configuring MAC Address Authentication


Networking Requirements
- The administrator of the S-switch wants to perform MAC address authentication on users accessing GigabitEthernet 0/0/1 to control users' access to the Internet.
- Local authentication with a fixed username is adopted; the fixed username is set to huawei@default; the fixed password is set to huawei. Only users that pass the authentication can access the Internet.

Figure 6-1 Networking diagram for configuring local authentication with a fixed username


Configuration Roadmap
The configuration roadmap is as follows:
- Add a local access user and configure the username and password for the user.
- Configure MAC address authentication on GigabitEthernet 0/0/1 and configure the default VLAN.
- Adopt a fixed username for MAC address authentication.
- Enable global MAC address authentication.

NOTE
Configure global MAC address authentication after setting all related parameters. Otherwise, authorized users may fail to access the Internet.

Data Preparation
To complete this configuration, you need the following data:
- Interface for authentication
- Username for authentication
- Password for authentication
- Authentication type

Procedure
Step 1 Add a local access user to an S-switch, and configure the username and password for the user.
<Quidway> system-view
[Quidway] aaa
[Quidway-aaa] local-user huawei@default password simple huawei
[Quidway-aaa] local-user huawei@default service-type ppp
[Quidway-aaa] authorization-scheme default
[Quidway-aaa-author-default] authorization-mode none
[Quidway-aaa-author-default] quit
[Quidway-aaa] quit

Step 2 Configure MAC address authentication on GigabitEthernet 0/0/1 and configure default VLAN.
[Quidway] vlan batch 10
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port default vlan 10
[Quidway-GigabitEthernet0/0/1] mac-authen
[Quidway-GigabitEthernet0/0/1] quit

Step 3 Adopt a fixed username for MAC address authentication.


[Quidway] mac-authen username fixed
[Quidway] mac-authen username huawei@default
[Quidway] mac-authen password huawei

Step 4 Enable global MAC address authentication.


[Quidway] mac-authen
[Quidway] quit

----End

Configuration Files
Configuration file of the S-switch
#
 sysname Quidway
#
vlan batch 10
#
mac-authen
mac-authen username fixed
mac-authen username huawei@default
mac-authen password huawei
#
interface GigabitEthernet0/0/1
 port default vlan 10
 mac-authen
#
aaa
 local-user huawei@default password simple huawei
 local-user huawei@default service-type ppp
 authentication-scheme default
 #
 authorization-scheme default
  authorization-mode none
 #
 accounting-scheme default
 #
 domain default
#
return


7 802.1X Configuration

About This Chapter

This chapter describes the basics, methods, and configuration example of 802.1X.

7.1 Overview of 802.1X
This section describes the basic concepts of 802.1X and the 802.1X functions supported by the S-switch.

7.2 Configuring 802.1X
This section describes the scenario, procedures, and precautions for configuring 802.1X.

7.3 Configuration Examples
This section describes a configuration example of 802.1X.


7.1 Overview of 802.1X


This section describes the basic concepts of 802.1X and the 802.1X functions supported by the S-switch.

7.1.1 Introduction to 802.1X
7.1.2 802.1X Authentication System
7.1.3 802.1X Authentication Process
7.1.4 Implementation of 802.1X on the S-switch
7.1.5 Logical Relationships Between Configuration Tasks
7.1.6 Update History

7.1.1 Introduction to 802.1X


The IEEE 802.1X standard, 802.1X for short, is a port-based network access control protocol. It was originally proposed on the basis of the IEEE 802.11 standard to solve the authentication problem for wireless local area network (WLAN) access. Later, 802.1X was applied to the Ethernet as a common access control mechanism on local area network (LAN) interfaces to solve authentication and security problems on the Ethernet. "Port-based network access control" means the authentication and control implemented for access devices on an interface of a LAN access control device. A user device can access LAN resources only after it passes the authentication.

7.1.2 802.1X Authentication System


As shown in Figure 7-1, 802.1X authentication adopts the typical client/server model and involves three entities, that is, the supplicant, authenticator, and the authentication server.
- The supplicant is usually a user terminal installed with the 802.1X client software provided by Huawei or the Windows XP operating system. The supplicant initiates the 802.1X authentication by running the 802.1X client software. The supplicant must support the Extensible Authentication Protocol over LAN (EAPoL).
- The authenticator is usually a network device supporting the 802.1X protocol. The authenticator provides the interface, either physical or logical, for LAN access of the supplicant.
- The authentication server is usually a Remote Authentication Dial-In User Service (RADIUS) server for implementing authentication, authorization, and accounting (AAA). The authentication server stores information such as the user name, password, user VLAN, committed access rate (CAR) parameters, priority, and user access control list (ACL).

The information exchange between the three entities is as follows:

- The authenticator and the authentication server exchange information through the Extensible Authentication Protocol (EAP).
- The supplicant and the authenticator exchange information through EAPoL defined in the IEEE 802.1X standard.

The authenticator encapsulates authentication data in an EAP packet and then encapsulates the EAP packet in an upper-layer AAA protocol packet such as the RADIUS protocol packet. In this manner, the authentication data can travel through the complex network to reach the authentication server.

Figure 7-1 802.1X authentication system

The three authentication entities involve the following basic concepts:

1. PAE
   The Port Access Entity (PAE) performs the algorithm and implements the protocol.

2. Controlled or uncontrolled interface
   - In authorized mode, a controlled interface can transmit packets in both directions; in unauthorized mode, a controlled interface cannot receive packets from the supplicant.
   - An uncontrolled interface can bidirectionally transmit EAPoL protocol packets in either mode to ensure that the supplicant sends and receives packets at any time.

3. Controlled direction
   In unauthorized mode, you can set an interface to be unidirectionally controlled or bidirectionally controlled. If an interface is unidirectionally controlled, it can send packets to the supplicant but cannot receive packets from the supplicant.

NOTE
Currently, the S-switch supports only unidirectionally controlled interfaces.

7.1.3 802.1X Authentication Process


The 802.1X authentication can be initiated by either the authenticator or the supplicant.
- 802.1X authentication initiated by the supplicant
  The supplicant sends an EAPoL-Start packet to the authenticator through the client software and initiates the authentication.
- 802.1X authentication initiated by the authenticator
  On detecting an unauthenticated user accessing the network, the authenticator sends an EAP-Request/Identity packet to the user and initiates the authentication.

The 802.1X authentication system supports the EAP relay mode and the EAP termination mode to exchange information for user authentication. Take the 802.1X authentication initiated by the supplicant as an example. The authentication processes in preceding modes are as follows:

EAP Relay Mode


The EAP relay mode is defined in the IEEE 802.1X standard. The EAP protocol is borne by an upper-layer AAA protocol, for example EAP over RADIUS, to travel through the complex network and reach the authentication server. In EAP relay mode, the RADIUS server must support the EAP attributes EAP-Message and Message-Authenticator. Currently, the S-switch supports the EAP-Message Digest 5 (MD5) relay mode. In EAP-MD5 relay mode, the RADIUS server sends an MD5 encryption word in an EAP-Request/MD5 Challenge packet to the supplicant. The supplicant encrypts the password with the MD5 encryption word. Figure 7-2 shows the authentication process in EAP-MD5 relay mode.

Figure 7-2 802.1X authentication process in EAP-MD5 relay mode

The authentication process is as follows:

1. The user runs the 802.1X client program, enters the assigned and registered user name and password, and sends an EAPoL-Start packet to the authenticator.

2. After receiving the EAPoL-Start packet, the authenticator returns an EAP-Request/Identity packet, requiring the supplicant to send the entered user name.

3. The supplicant responds with an EAP-Response/Identity packet, carrying the user name to the authenticator. The authenticator receives the EAP-Response/Identity packet, encapsulates the packet into a RADIUS Access-Request packet, and sends it to the authentication server.

4. After receiving the user name from the authenticator, the authentication server searches for the password corresponding to the user name, encrypts the password through a randomly generated encryption word, and at the same time sends the encryption word in a RADIUS Access-Challenge packet to the authenticator.

5. After receiving the encryption word in the EAP-Request/MD5 Challenge packet from the authenticator, the supplicant encrypts the password with the encryption word and then sends it in an EAP-Response/MD5 Challenge packet to the authentication server through the authenticator.

6. The authentication server compares the password in the RADIUS Access-Request packet from the authenticator with the local password generated through the MD5 algorithm. If the two passwords are the same, the authentication server responds with RADIUS Access-Accept and EAP-Success packets. After the authenticator receives the packets, the interface becomes authorized and the user can access the network through this interface.

7. After the interface becomes authorized, the authenticator periodically sends handshake packets to the supplicant to monitor the online user. By default, the authenticator disconnects a user after sending two handshake packets but receiving no response. In this manner, network resource waste caused by the authenticator's unawareness of abnormal user disconnection is prevented.

EAP Termination Mode


In EAP termination mode, EAP packets are terminated on the authenticator and mapped to RADIUS packets to complete the authentication, authorization, and accounting through the standard RADIUS protocol. In EAP termination mode, the authenticator and the RADIUS server exchange information through the Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP). Figure 7-3 takes authentication through CHAP as an example and shows the authentication process in EAP termination mode.


Figure 7-3 802.1X authentication process in EAP termination mode

The difference between the EAP termination mode and the EAP relay mode is: In EAP termination mode, the authenticator randomly generates an encryption word for user password encryption, and then sends the user name, random encryption word, and password encrypted on the supplicant to the RADIUS server for authentication.
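The EAP-MD5 relay process (steps 4 to 6 above) and the CHAP termination exchange just described, modelled end to end as an added example; this is not code from the guide or from Huawei. The user name, password and shared key are constructed values, and RADIUS framing is reduced to attribute TLVs so the two modes can be compared side by side.

```python
"""Model of 802.1X EAP-MD5 relay vs. EAP termination (CHAP) as described in 7.1.3."""
import hashlib
import hmac
import os
import struct

PASSWORD = b"localpass"          # constructed supplicant password (server knows it too)
USERNAME = b"localuser@test"     # constructed user name
SHARED_SECRET = b"3300"          # constructed authenticator <-> RADIUS shared key

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_MD5 = 1, 2, 4
# RADIUS attribute types (RFC 2865 / RFC 3579)
USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE, EAP_MESSAGE, MSG_AUTH = 1, 3, 60, 79, 80


def md5_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5-Challenge value shared by CHAP (RFC 1994) and EAP-MD5 (RFC 3748):
    MD5(Identifier || secret || challenge). The guide's 'encryption word' is the challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def eap_md5(code: int, ident: int, value: bytes, name: bytes = b"") -> bytes:
    """Encode EAP Code/Identifier/Length, then Type=4, Value-Size, Value, Name."""
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap_md5(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or pkt[4] != EAP_TYPE_MD5:
        raise ValueError("malformed EAP-MD5 packet")
    size = pkt[5]
    return code, ident, pkt[6:6 + size], pkt[6 + size:]


def avp(kind: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type, Length (including the 2-byte header), Value."""
    return bytes([kind, 2 + len(value)]) + value


def parse_avps(blob: bytes) -> dict:
    out, i = {}, 0
    while i < len(blob):
        kind, length = blob[i], blob[i + 1]
        out[kind] = blob[i + 2:i + length]
        i += length
    return out


def sign(attrs: bytes) -> bytes:
    """Append Message-Authenticator: HMAC-MD5 keyed with the shared secret, computed with the
    attribute's own value zeroed (the real computation also covers the RADIUS header)."""
    placeholder = attrs + avp(MSG_AUTH, bytes(16))
    return attrs + avp(MSG_AUTH, hmac.new(SHARED_SECRET, placeholder, hashlib.md5).digest())


def verify_signature(signed: bytes) -> bool:
    attrs, mac = signed[:-18], signed[-16:]
    expect = hmac.new(SHARED_SECRET, attrs + avp(MSG_AUTH, bytes(16)), hashlib.md5).digest()
    return hmac.compare_digest(mac, expect)


def supplicant_answer(request: bytes, password: bytes) -> bytes:
    """Supplicant side: hash the password with the challenge, answer EAP-Response/MD5-Challenge."""
    _, ident, challenge, _ = parse_eap_md5(request)
    return eap_md5(EAP_RESPONSE, ident, md5_response(ident, password, challenge), USERNAME)


def relay_mode(password: bytes) -> bool:
    """Relay mode: the RADIUS server owns the challenge; the authenticator only re-encapsulates
    the EAP packet in EAP-Message and must add Message-Authenticator."""
    ident, challenge = 1, os.urandom(16)               # generated on the server
    request = eap_md5(EAP_REQUEST, ident, challenge)   # relayed unchanged to the supplicant
    response = supplicant_answer(request, password)
    access_request = sign(avp(USER_NAME, USERNAME) + avp(EAP_MESSAGE, response))
    if not verify_signature(access_request):           # server drops an unauthenticated EAP-Message
        return False
    _, rid, value, _ = parse_eap_md5(parse_avps(access_request)[EAP_MESSAGE])
    return hmac.compare_digest(value, md5_response(rid, PASSWORD, challenge))


def termination_mode(password: bytes) -> bool:
    """Termination mode: the authenticator generates the challenge, terminates EAP and sends
    User-Name, CHAP-Challenge and CHAP-Password (ident || hash) to the server."""
    ident, challenge = 7, os.urandom(16)               # generated on the authenticator
    response = supplicant_answer(eap_md5(EAP_REQUEST, ident, challenge), password)
    _, rid, value, name = parse_eap_md5(response)
    attrs = parse_avps(avp(USER_NAME, name) + avp(CHAP_CHALLENGE, challenge)
                       + avp(CHAP_PASSWORD, bytes([rid]) + value))
    cid, chash = attrs[CHAP_PASSWORD][0], attrs[CHAP_PASSWORD][1:]
    return hmac.compare_digest(chash, md5_response(cid, PASSWORD, attrs[CHAP_CHALLENGE]))


if __name__ == "__main__":
    print("relay ok:", relay_mode(PASSWORD), "relay wrong password:", relay_mode(b"wrong"))
    print("termination ok:", termination_mode(PASSWORD), "wrong password:", termination_mode(b"x"))
```

In both modes the server never sees the password on the wire, only MD5(id || password || challenge); what differs is which device generated the challenge and therefore which one the server must trust.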

7.1.4 Implementation of 802.1X on the S-switch


The S-switch supports port-based access authentication defined in the 802.1X protocol, and extends and optimizes this feature in the following ways to enhance the security and manageability of the system.
- Supporting a physical interface connected to multiple users
- Supporting MAC-based and port-based access control methods


7.1.5 Logical Relationships Between Configuration Tasks


Enabling 802.1X globally and on the interface is a required configuration task; other configuration tasks are optional. There is no strict logical relation between the configuration tasks. You can configure them as required.

7.1.6 Update History


Version        Revision
V100R002C02    This is the first release.

7.2 Configuring 802.1X


This section describes the scenario, procedures, and precautions for configuring 802.1X.

7.2.1 Establishing the Configuration Task
7.2.2 Enabling 802.1X Globally and on the Interface
7.2.3 (Optional) Setting the Port Access Control Mode
7.2.4 (Optional) Setting the Port Access Control Method
7.2.5 (Optional) Setting the Maximum Number of Concurrent Access Users
7.2.6 (Optional) Enabling DHCP Trigger
7.2.7 (Optional) Setting the Authentication Method for the 802.1X User
7.2.8 (Optional) Configuring the Guest VLAN
7.2.9 (Optional) Setting the Maximum Number of Times for Sending an Authentication Request
7.2.10 (Optional) Setting the Timer Parameters
7.2.11 (Optional) Enabling the Quiet-Period Timer
7.2.12 (Optional) Enabling the Handshake-Period Timer
7.2.13 Checking the Configuration

7.2.1 Establishing the Configuration Task


Applicable Environment
You can configure 802.1X to implement port-based network access control, that is, to authenticate and control access devices on an interface of a LAN access control device.

Pre-configuration Tasks
The 802.1X protocol provides only an implementation scheme for user identity authentication. To complete the user identity authentication, you need to select the RADIUS or local authentication method. Before configuring 802.1X, complete the following tasks:

- Configuring the Internet Service Provider (ISP) authentication domain and AAA scheme, that is, the RADIUS or local authentication scheme, for the 802.1X user
- Configuring the user name and password on the RADIUS server if RADIUS authentication is selected
- Adding the user name and password manually on the S-switch if local authentication is selected

Data Preparation
None.

7.2.2 Enabling 802.1X Globally and on the Interface


Context
Do as follows on the S-switch.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the dot1x command to enable 802.1X globally.
By default, 802.1X is disabled globally and on an interface.

NOTE
To add the interface to the dynamic VLAN delivered by the server, you also need to run the port hybrid untagged vlan command in the interface view. In this manner, frames from the VLAN can pass through the interface in untagged mode.

Step 3 Run the dot1x interface interface-type interface-number1 [ to interface-number2 ] command to enable 802.1X on the specified interface. Or run the interface interface-type interface-number command to enter the interface view and then run the dot1x command to enable 802.1X on the interface.

----End

7.2.3 (Optional) Setting the Port Access Control Mode


Context
Do as follows on the S-switch.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the dot1x port-control { auto | authorized-force | unauthorized-force } [ interface interface-type interface-number1 [ to interface-number2 ] ] command to set the port access control mode.
By default, the port access control mode is auto.

----End

7.2.4 (Optional) Setting the Port Access Control Method


Context
Do as follows on the S-switch.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the dot1x port-method { mac | port } [ interface { interface-type interface-number1 [ to interface-number2 ] } ] command to set the port access control method.
By default, the port access control method is mac.

----End

7.2.5 (Optional) Setting the Maximum Number of Concurrent Access Users


Context
Do as follows on the S-switch.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the dot1x max-user user-number [ interface { interface-type interface-number1 [ to interface-number2 ] } ] command to set the maximum number of concurrent access users on the interface.
By default, an interface allows up to eight concurrent access users. By default, an interface allows up to 256 concurrent access users.

----End

7.2.6 (Optional) Enabling DHCP Trigger


Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dot1x dhcp-trigger

Dynamic Host Configuration Protocol (DHCP) trigger is enabled for user authentication.
By default, DHCP trigger is disabled.

----End

7.2.7 (Optional) Setting the Authentication Method for the 802.1X User
Context
Do as follows on the S-switch.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the dot1x authentication-method { chap | eap | pap } command to set the authentication method for the 802.1X user.
By default, the authentication method of an 802.1X user is chap.

----End

7.2.8 (Optional) Configuring the Guest VLAN


Context
Before configuring the guest VLAN, complete the following tasks:
- Enabling 802.1X
- Setting the maximum number of concurrent access users to 1 on the interface
- Setting the port access control mode to auto on the interface
- Creating a VLAN to be configured as the guest VLAN

After the preceding configurations, do as follows on the S-switch.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the dot1x guest-vlan vlan-id [ interface { interface-type interface-number1 [ to interface-number2 ] } ] command to configure the guest VLAN on the interface. Or run the interface interface-type interface-number command to enter the interface view and then run the dot1x guest-vlan vlan-id command to configure the guest VLAN on the interface.
By default, no guest VLAN is configured on an interface.
NOTE

The configured guest VLAN takes effect only when the maximum number of concurrent access users on the interface is 1. If the maximum number of concurrent access users on the interface is not 1, you can still configure the guest VLAN, but the configured guest VLAN does not take effect. Assign different VLAN IDs to the voice VLAN, default VLAN, and 802.1X guest VLAN on the interface to ensure normal services.

----End

7.2.9 (Optional) Setting the Maximum Number of Times for Sending an Authentication Request
Context
Do as follows on the S-switch.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the dot1x retry max-retry-value command to set the maximum number of times for sending an authentication request to the access user.
By default, the S-switch can send an authentication request to an access user twice.

----End

7.2.10 (Optional) Setting the Timer Parameters


Context
Do as follows on the S-switch.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the dot1x timer { client-timeout client-timeout-value | handshake-period handshake-period-value | quiet-period quiet-period-value | reauthenticate-period reauthenticate-period-value | server-timeout server-timeout-value | tx-period tx-period-value } command to set the timer parameters.
By default, the settings of the timers are as follows:

- The timeout period of the response from the client is 30s.
- The interval for sending handshake packets is 15s.
- The quiet period of a user failing the authentication is 60s.
- The authentication interval is 3600s.
- The timeout period of the response from the server is 30s.
- The interval for sending authentication requests is 30s.

----End

7.2.11 (Optional) Enabling the Quiet-Period Timer


Context
Do as follows on the S-switch.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the dot1x quiet-period command to enable the quiet-period timer.
By default, the quiet-period timer is disabled.

----End

7.2.12 (Optional) Enabling the Handshake-Period Timer


Context
Do as follows on the S-switch.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the dot1x handshake command to enable the handshake-period timer.
By default, the handshake-period timer is enabled.

----End

7.2.13 Checking the Configuration


Procedure
- Using the display dot1x command, you can view information about the sessions and statistics about 802.1X.

----End

Example
Run the display dot1x command to view that 802.1X is enabled globally and on the interface.
[Quidway] display dot1x
 Global 802.1x is Enabled
 CHAP authentication is Enabled
 DHCP-trigger is Disabled
 Handshake is Enabled
 Quiet function is disabled
 Configuration: Handshake Period    15s    Reauthen Period   3600s
                Client Timeout      30s    Server Timeout    30s
                Quiet Period        60s
 Total maximum 802.1x user resource number is 1024
 Total current used 802.1x resource number is 3

 GigabitEthernet0/0/1 current state : UP
  802.1x protocol is Enabled
  Port control type is Auto
  Authentication method is MAC-based
  Reauthentication is enabled
  Max online user is 256
  Current online user is 1
  Guest VLAN is disabled
  Authentication Success: 0      Failure: 0
  EAPOL Packets:  TX : 0         RX : 0

7.3 Configuration Examples


This section describes a configuration example of 802.1X.

7.3.1 Example for Configuring 802.1X

7.3.1 Example for Configuring 802.1X


Networking Requirements
- The user must be authenticated on an interface of the S-switch before accessing the Internet; the MAC-based access control method is adopted.
- RADIUS authentication is performed for the user. If the RADIUS server does not respond, local authentication is performed for the user.
- The user name of the local 802.1X access user is localuser@test and the password is localpass.
- Configure the S-switch to remove the domain name from the user name before sending it to the RADIUS server.

Figure 7-4 Authentication through 802.1X and RADIUS

Configuration Roadmap
The configuration roadmap is as follows:
- Create a VLANIF interface and assign an IP address to it, and add all the interfaces to the corresponding VLANs.
- Create a local access user and configure the user name and password for the user.
- Configure the domain for local authentication.
- Configure the domain for RADIUS authentication.
- Create a RADIUS scheme.
- Enable 802.1X authentication on the specified interface, and set the maximum number of users on the interface to 1.
- Enable 802.1X authentication globally.

NOTE
Perform this step after setting all related parameters. Otherwise, authorized users may fail to access the Internet.

Data Preparation
To configure 802.1X, you need the following data.
- IP address of the VLANIF interface
- IP address of the RADIUS server
- Interface for authentication
- User name for authentication
- Domain for authentication
- Password for authentication
- Service type

Procedure
Step 1 Create a VLANIF interface and assign an IP address to it on the S-switch.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] port gigabitethernet 0/0/1
[Quidway-vlan10] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.10.1.1 255.255.255.0
[Quidway-Vlanif10] quit
[Quidway] vlan 100
[Quidway-vlan100] port gigabitethernet 0/0/2
[Quidway-vlan100] port gigabitethernet 0/0/3
[Quidway-vlan100] quit
[Quidway] interface vlanif 100
[Quidway-Vlanif100] ip address 192.168.0.1 255.255.255.0
[Quidway-Vlanif100] quit

Step 2 Create a local access user, and configure the user name and password for the user.
<Quidway> system-view
[Quidway] aaa
[Quidway-aaa] local-user localuser@test password simple localpass
[Quidway-aaa] local-user localuser@test service-type ppp

Step 3 Configure the domain for local authentication.


[Quidway-aaa] authentication-scheme test
[Quidway-aaa-authen-test] authentication-mode local
[Quidway-aaa-authen-test] quit
[Quidway-aaa] authorization-scheme test
[Quidway-aaa-author-test] authorization-mode none
[Quidway-aaa-author-test] quit
[Quidway-aaa] domain test
[Quidway-aaa-domain-test] authentication-scheme test
[Quidway-aaa-domain-test] authorization-scheme test
[Quidway-aaa-domain-test] quit


Step 4 Configure the domain for RADIUS authentication.


<Quidway> system-view
[Quidway] radius-server template account
[Quidway-radius-account] radius-server authentication 192.168.0.10 1000
[Quidway-radius-account] radius-server accounting 192.168.0.10 1001
[Quidway-radius-account] radius-server shared-key 3300

Step 5 Create a RADIUS scheme.


[Quidway-aaa] authentication-scheme server
[Quidway-aaa-authen-server] authentication-mode radius
[Quidway-aaa-authen-server] quit
[Quidway-aaa] accounting-scheme account
[Quidway-aaa-accounting-account] accounting-mode radius
[Quidway-aaa-accounting-account] quit
[Quidway-aaa] domain remote
[Quidway-aaa-domain-remote] authentication-scheme server
[Quidway-aaa-domain-remote] accounting-scheme account
[Quidway-aaa-domain-remote] radius-server account

Step 6 Enable 802.1X authentication on GigabitEthernet 0/0/1.


[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] dot1x max-user 1
[Quidway-GigabitEthernet0/0/1] dot1x
[Quidway-GigabitEthernet0/0/1] quit

Step 7 Enable 802.1X authentication globally.


[Quidway] dot1x

Step 8 Check the configuration.


[Quidway] display dot1x interface gigabitethernet 0/0/1
 GigabitEthernet0/0/1 current state : UP
  802.1x protocol is Enabled
  The port is an authenticator
  Port control type is Auto
  Authentication method is MAC-based
  Reauthentication is disabled
  Max online user is 1
  Current online user is 1
  Guest VLAN is disabled
  Dynamic VLAN: 4000 Alias: VLAN 4000
  Authentication Success: 2      Failure: 0
  EAPOL Packets:  TX : 45        RX : 26
  Sent EAPOL Request/Identity Packets   : 21
       EAPOL Request/Challenge Packets  : 2
       Multicast Trigger Packets        : 0
       DHCP Trigger Packets             : 0
       EAPOL Success Packets            : 21
       EAPOL Failure Packets            : 1
  Received EAPOL Start Packets          : 2
       EAPOL LogOff Packets             : 1
       EAPOL Response/Identity Packets  : 21
       EAPOL Response/Challenge Packets : 2

  UserName          Index   MAC/VLAN               UserOnlineTime
  localuser@test    12      0001-0001-0002/4000    2008-01-01 08:20:35
  Controlled User(s) amount to 1

----End

Configuration Files
Configuration files of the S-switch
#
 sysname Quidway
#
vlan batch 10 100
#
dot1x
#
radius-server template account
 radius-server shared-key 3300
 radius-server authentication 192.168.0.10 1000
 radius-server accounting 192.168.0.10 1001
#
interface Vlanif10
 ip address 10.10.1.1 255.255.255.0
#
interface Vlanif100
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port default vlan 10
 dot1x
 dot1x max-user 1
#
interface GigabitEthernet0/0/2
 port default vlan 100
#
interface GigabitEthernet0/0/3
 port default vlan 100
#
aaa
 local-user localuser@test password simple localpass
 local-user localuser@test service-type ppp
 authentication-scheme default
 authentication-scheme test
 authentication-scheme server
  authentication-mode radius
 #
 authorization-scheme default
 authorization-scheme test
  authorization-mode none
 #
 accounting-scheme default
 accounting-scheme account
  accounting-mode radius
 #
 domain default
 domain test
  authentication-scheme test
  authorization-scheme test
 domain remote
  authentication-scheme server
  accounting-scheme account
  radius-server account
#
#
return
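A configuration audit, added here as an example that is not part of the guide or of any Huawei tool, that reads a configuration file in the format shown above and checks for the pitfalls this chapter names: 802.1X or MAC authentication enabled on an interface but not globally (7.2.2 and 6.5.1), a guest VLAN configured on an interface whose dot1x max-user is not 1 or whose default VLAN equals the guest VLAN (7.2.8 NOTE), and local-user passwords stored with password simple. SAMPLE_CONFIG is a constructed file that deliberately contains each problem; the VRP cipher form mentioned in the finding text is assumed to be available on the target release.

```python
"""Audit a Quidway-style configuration file for 802.1X / MAC authentication pitfalls."""
import re

# Constructed sample in the layout of the guide's "Configuration Files" sections.
SAMPLE_CONFIG = """\
#
 sysname Quidway
#
vlan batch 10 20 100
#
dot1x
#
interface GigabitEthernet0/0/1
 port default vlan 10
 dot1x
 dot1x max-user 1
 dot1x guest-vlan 20
#
interface GigabitEthernet0/0/2
 port default vlan 10
 dot1x
 dot1x max-user 8
 dot1x guest-vlan 20
#
interface GigabitEthernet0/0/3
 port default vlan 100
 mac-authen
#
aaa
 local-user localuser@test password simple localpass
 local-user localuser@test service-type ppp
 #
 domain default
#
return
"""


def parse_blocks(text: str) -> list:
    """Split on '#' separator lines. Each block is a list of lines; a block whose first
    line is unindented is a top-level command or view (dot1x, mac-authen, interface, aaa)."""
    blocks, current = [], []
    for raw in text.splitlines():
        if raw.strip() in ("#", "return", ""):
            if current:
                blocks.append(current)
            current = []
        else:
            current.append(raw.rstrip())
    if current:
        blocks.append(current)
    return blocks


def _value(subs: list, prefix: str):
    """Last word of the first sub-line starting with prefix, or None if absent."""
    return next((s.split()[-1] for s in subs if s.startswith(prefix)), None)


def audit(text: str) -> list:
    blocks = parse_blocks(text)
    top_level = {b[0] for b in blocks if not b[0].startswith(" ")}
    findings = []
    for block in blocks:
        head, subs = block[0].strip(), [s.strip() for s in block[1:]]
        if head.startswith("interface "):
            name = head.split(None, 1)[1]
            # 7.2.2 / 6.5.1: the feature must be enabled globally as well as on the interface.
            for feature in ("dot1x", "mac-authen"):
                if feature in subs and feature not in top_level:
                    findings.append(f"{name}: {feature} enabled on the interface but not "
                                    f"globally; authentication is not in effect")
            guest = _value(subs, "dot1x guest-vlan ")
            max_user = _value(subs, "dot1x max-user ")
            default_vlan = _value(subs, "port default vlan ")
            if guest is not None:
                # 7.2.8: the guest VLAN takes effect only when max-user is 1.
                if max_user != "1":
                    findings.append(f"{name}: guest VLAN {guest} configured but dot1x max-user "
                                    f"is {max_user or 'default'}; the guest VLAN will not take effect")
                # 7.2.8 NOTE: guest VLAN and default VLAN must be different VLAN IDs.
                if guest == default_vlan:
                    findings.append(f"{name}: guest VLAN equals the default VLAN {default_vlan}")
        elif head == "aaa":
            # A 'simple' password is readable by anyone who can display the configuration.
            for s in subs:
                m = re.match(r"local-user (\S+) password simple ", s)
                if m:
                    findings.append(f"aaa: local-user {m.group(1)} password stored in cleartext "
                                    f"(simple); prefer the cipher form")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```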


8 NAC Configuration

About This Chapter

This chapter describes the basics, configuration methods, and configuration examples of NAC.

8.1 Access Mode of NAC
This section describes access modes of NAC.

8.2 Configuring the NAC Access Based on Web Authentication
This section describes how to configure the NAC access based on Web authentication.

8.3 Configuring the NAC Access Based on 802.1X Authentication
The procedure for configuring the NAC access based on 802.1X authentication is the same as that for configuring 802.1X authentication. For more details, see 802.1X authentication.

8.4 Configuring the NAC Access Based on MAC Address Authentication
For the procedure for configuring the NAC access based on MAC address authentication, see MAC address authentication.

8.5 Configuring the NAC Access Based on MAC Bypass Authentication
This section describes how to configure the NAC access based on MAC bypass authentication.

8.6 Configuration Examples
This section provides an example for configuring the NAC access based on Web authentication.


8.1 Access Mode of NAC


This section describes access modes of NAC.

Basics
Network Admission Control (NAC) is a technology for controlling which users may access a network and for isolating users that do not pass its checks.

Access Based on Web Authentication

NAC supports Web authentication. In Web authentication, a user who tries to reach a network segment that is not yet permitted is redirected to the login page of Web authentication. The Web authentication server communicates with the S-switch through the Portal protocol, in which the S-switch functions as the client. After extracting the user name and password that the user enters on the authentication page, the Web authentication server forwards them to the S-switch through the Portal protocol. The typical networking of access based on Web authentication is shown in Figure 8-1.

Figure 8-1 Typical networking of Web authentication

NAC proceeds as follows:

- The PC does not need terminal software. The S-switch forcibly redirects the user to the Web authentication page. After the user enters the user name and password, the S-switch forwards them to the RADIUS server for authentication. At this stage the user can access the isolation area only.
- The Access Control Server (ACS), functioning as the RADIUS server, replies that the user passes the authentication. An HTTP link is then established between the PC and the ACS, and the ACS checks whether the PC passes its security check. If it does, the user can access the common information area or the core information area according to the user's authority.

Access Based on 802.1x Authentication

802.1x is an interface-based network access control protocol: it authenticates and controls access devices on the interface that connects them to the LAN. A user device connected to the interface can access resources in the LAN only after passing the authentication. 802.1x authentication operates in two modes:
- Interface-based mode: once one device connected to an interface passes 802.1x authentication, other devices connected to the same interface are allowed to access the S-switch without authenticating.
- MAC address-based mode: each device must be authenticated before it can access the S-switch.

The typical networking of access based on 802.1x authentication is shown in Figure 8-2.

Figure 8-2 Typical networking of 802.1x authentication

NAC proceeds as follows:

- When the S-switch detects that a user goes online, it sends an EAP authentication request. If the user does not respond after several requests, the S-switch concludes that the user has no terminal software installed and expands the user's authority to the isolation area. The S-switch can also redirect the user to a URL from which the terminal software can be downloaded.
- After a specified period, the S-switch performs 802.1X authentication on the user if it detects that the terminal software is installed. After the user passes 802.1X authentication, an HTTP link is established between the PC and the ACS, and the ACS checks whether the PC passes its security check. If it does, the ACL is updated and the PC can access the working area.
- If the user has no terminal software installed but MAC bypass authentication is configured, the MAC address of the user is used as the user name and password for MAC address authentication. If MAC address authentication fails, the user goes offline, and the S-switch performs no MAC address authentication or detection for a period of time. After that period, the S-switch detects the user again and, if MAC address authentication is not configured, determines that the user fails the authentication.
- If the ACS detects that the PC is infected with a virus, the S-switch delivers an ACL that allows the user to access the isolation area only, and redirects the user to a URL to update the virus library or install the corresponding patch. After the user updates the virus library, the ACS detects that the user is secure, and the S-switch updates the ACL through the Change of Authorization (COA) interface of the RADIUS server. The user is then allowed to access the working area.

Access Based on MAC Address Authentication

When access based on MAC address authentication is adopted, a NAC user must pass MAC address authentication, and the S-switch performs real-time detection on online users. When a NAC user accesses the S-switch, the S-switch creates a MAC authentication user from the source MAC address it obtains. The NAC procedure for access based on MAC address authentication is similar to that for access based on 802.1X authentication; for details, see the NAC procedure of the access based on 802.1X authentication.

Access Based on MAC Bypass Authentication

MAC bypass authentication means that MAC address authentication is performed automatically if 802.1X authentication fails. The S-switch sends the MAC address of the user to the RADIUS server as both the user name and the password, and creates an ARP entry for the user. When the ACS detects that the user is infected with a virus, it instructs the authentication server to deliver an ACL that isolates the user, so that malicious traffic is contained. Certain special terminals, such as printers, cannot run or be installed with 802.1X terminal software; MAC bypass authentication is adopted for them. Because the only credential is the MAC address, which any host on the segment can observe and set on its own interface, a MAC bypass account should be granted no more authority than such a terminal needs. The NAC procedure for access based on MAC bypass authentication is similar to that for access based on 802.1X authentication; for details, see the NAC procedure of the access based on 802.1X authentication.

8.2 Configuring the NAC Access Based on Web Authentication

This section describes how to configure NAC access based on Web authentication.

8.2.1 Establishing the Configuration Task
8.2.2 Configuring the Web Authentication Server
8.2.3 Configuring the Portal Protocol
8.2.4 Configuring Mandatory Web Authentication
8.2.5 Configuring a Non-authentication Rule
8.2.6 Checking the Configuration

8.2.1 Establishing the Configuration Task


Applicable Environment
You need to configure the Web authentication server for Web authentication users.

Pre-configuration Tasks
None.

Data Preparation
To configure Web authentication, you need the following data.

No.  Data
1    Name, IP address, port number, shared key, and Uniform Resource Locator (URL) of the Web authentication server
2    Version of the Portal protocol, listening port number of the S-switch, and source interface
3    Whether to transparently transmit the RADIUS authentication result to the Web authentication server
4    (Optional) Whether to use mandatory Web authentication

8.2.2 Configuring the Web Authentication Server


Prerequisite
To configure the Web authentication server, you need the following data:
- IP address and name of the Web authentication server
- Port number of the Web authentication server
- Shared key of the Web authentication server
- URL of the Web authentication server

Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
web-auth-server server-name ip-address [ port port-number [ all ] | key key-string | url url-string ] *

The Web authentication server is configured.

NOTE
If all is specified when the port number of the Web authentication server is configured, the configured port number is used as the destination port of all packets sent from the S-switch to the Web authentication server, and the S-switch uses, as the source port of those packets, the destination port of the packets it receives from the Web authentication server.

----End

8.2.3 Configuring the Portal Protocol


Prerequisite
The configurations of the Portal protocol, which are valid for all Web authentication servers, include the following items:
- Version of the Portal protocol. The Portal protocol has two versions, V1 and V2, and the S-switch supports both.
- Listening port number. This is the port on which the S-switch listens for messages from the Web authentication server. By default, the S-switch listens on port 2000.
- Whether to transparently transmit RADIUS messages. Transparent transmission means that after receiving the authentication result from the RADIUS server, the S-switch forwards the result directly to the Web authentication server without any processing.

Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 (Optional) Run:
web-auth-server version v2 [ v1 ]

The version of the Portal protocol is configured.

Or run:
web-auth-server listening-port port

The listening port number of the S-switch is configured.

Or run:
web-auth-server reply-message

The S-switch is configured to transparently transmit RADIUS messages. By default, the S-switch transparently transmits RADIUS messages to the Web authentication server.

----End

8.2.4 Configuring Mandatory Web Authentication


Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface vlanif vlan-id

The VLANIF interface view is displayed.

Step 3 Run:
web-auth-server server-name

The mandatory Web authentication server is configured. The URL to which the Web authentication server redirects a user is in the format http://www.isp.com/index.htm.

----End

8.2.5 Configuring a Non-authentication Rule


Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
portal free-rule rule-number { destination ip { ip-address mask { mask-length | ip-mask } | any } | source { interface { interface-type interface-number | interface-name } | ip { ip-address mask { mask-length | ip-mask } | any } | any | vlan vlan-id } } *

A non-authentication rule is configured for Portal users. Traffic that matches the rule is forwarded without Web authentication, so the rule should cover only the destinations that users must reach before they log in (for example, the Web authentication server itself); a rule whose mask is wider than the server address exempts every host in that range.

----End
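As an added illustration (not part of the original guide), the following Python evaluates portal free-rule commands in the syntax above against a flow's source and destination addresses. It parses only the destination ip and source ip forms (interface and vlan sources are not modelled), and shows why the mask matters: a host address with a 24-bit mask exempts the whole subnet from Web authentication, whereas a 32-bit mask exempts the single server. The rule strings and addresses are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class FreeRule:
    """One 'portal free-rule' entry; None stands for 'any' or an absent clause."""
    number: int
    dst: Optional[ipaddress.IPv4Network]
    src: Optional[ipaddress.IPv4Network]


_RULE = re.compile(r"^\s*portal\s+free-rule\s+(\d+)\s+(.*)$")
_DST = re.compile(r"destination\s+ip\s+(?:(\S+)\s+mask\s+(\S+)|any)")
_SRC = re.compile(r"source\s+ip\s+(?:(\S+)\s+mask\s+(\S+)|any)")


def _network(addr: str, mask: str) -> ipaddress.IPv4Network:
    # mask is a prefix length ("32") or a dotted mask ("255.255.255.0"), i.e. the
    # { mask-length | ip-mask } alternatives of the command. strict=False means a
    # host address with a short mask denotes that host's whole subnet.
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_free_rule(line: str) -> FreeRule:
    """Parse the destination ip / source ip forms of the command (the interface
    and vlan source forms are not modelled in this example)."""
    m = _RULE.match(line)
    if not m:
        raise ValueError(f"not a portal free-rule command: {line!r}")
    number, rest = int(m.group(1)), m.group(2)
    dst = src = None
    d = _DST.search(rest)
    if d and d.group(1):
        dst = _network(d.group(1), d.group(2))
    s = _SRC.search(rest)
    if s and s.group(1):
        src = _network(s.group(1), s.group(2))
    return FreeRule(number, dst, src)


def exempt_from_portal(rules: List[FreeRule], src_ip: str, dst_ip: str) -> Optional[int]:
    """Number of the first rule that lets this flow bypass Web authentication,
    or None if the user must log in first."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for rule in rules:
        if (rule.dst is None or d in rule.dst) and (rule.src is None or s in rule.src):
            return rule.number
    return None


if __name__ == "__main__":
    # Constructed inputs: the rule used in the configuration example of this
    # chapter and a host-only variant of it.
    subnet_rule = parse_free_rule("portal free-rule 1 destination ip 10.1.1.1 mask 255.255.255.0")
    host_rule = parse_free_rule("portal free-rule 1 destination ip 10.1.1.1 mask 32")
    for rule in (subnet_rule, host_rule):
        print(rule.dst, exempt_from_portal([rule], "10.1.1.2", "10.1.1.200"))
```

Run as a script, the first line shows that 10.1.1.0/24 lets an unauthenticated user reach 10.1.1.200, while the host rule does not.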

8.2.6 Checking the Configuration


Procedure
- Run the display this command in the VLANIF interface view to check whether Web authentication is correctly configured on the S-switch.
- Run the display this command in the AAA view to check the current AAA configuration of the S-switch.

----End

Example
Run the display this command in the VLANIF interface view; the output shows that Web authentication is bound to the interface.
[S-switch-Vlanif2] display this
#
interface Vlanif2
 ip address 10.1.1.1 255.255.255.0
 web-auth-server webserver
#

Run the display this command in the AAA view; the output shows the current AAA configuration of the S-switch.
[Quidway-aaa] display this
#
aaa
 authentication-scheme nac
  authentication-mode none
 domain nac
  authentication-scheme nac
 local-user huawei@nac password simple 888
 local-user huawei@nac service-type web
#
return


8.3 Configuring the NAC Access Based on 802.1X Authentication


The procedure for configuring the NAC access based on 802.1X authentication is the same as that for configuring 802.1X authentication. For more details, see 802.1X authentication.

8.4 Configuring the NAC Access Based on MAC Address Authentication


For the procedure for configuring NAC access based on MAC address authentication, see MAC address authentication.

8.5 Configuring the NAC Access Based on MAC Bypass Authentication


This section describes how to configure NAC access based on MAC bypass authentication.

8.5.1 Establishing the Configuration Task
8.5.2 Enabling 802.1X Globally
8.5.3 Enabling MAC Bypass Authentication on an Interface
8.5.4 (Optional) Setting the Port Access Control Mode
8.5.5 (Optional) Setting the Port Access Control Method
8.5.6 (Optional) Setting the Maximum Number of Concurrent Access Users
8.5.7 (Optional) Setting the Authentication Method for the 802.1X User
8.5.8 (Optional) Configuring the Guest VLAN
8.5.9 (Optional) Setting the Maximum Number of Times for Sending an Authentication Request
8.5.10 (Optional) Setting the Timer Parameters
8.5.11 (Optional) Enabling the Quiet-Period Timer
8.5.12 (Optional) Enabling the Handshake-Period Timer
8.5.13 Checking the Configuration

8.5.1 Establishing the Configuration Task


Applicable Environment
You can configure 802.1X to implement port-based network access control, that is, to authenticate and control access devices on an interface of a LAN access control device.

Pre-configuration Tasks
The 802.1X protocol provides only a framework for user identity authentication. To complete the authentication, you must select RADIUS or local authentication. Before configuring 802.1X, complete the following tasks:
- Configure the Internet Service Provider (ISP) authentication domain and the AAA scheme (RADIUS or local authentication) for the 802.1X user.
- Configure the user name and password on the RADIUS server if RADIUS authentication is selected, or add them manually on the S-switch if local authentication is selected.

Data Preparation
None.

8.5.2 Enabling 802.1X Globally


Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dot1x

802.1X is enabled globally. By default, 802.1X is disabled globally.

----End

8.5.3 Enabling MAC Bypass Authentication on an Interface


Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The GE interface view is displayed.

Step 3 Run:
dot1x mac-bypass

MAC bypass authentication is enabled on the interface. After MAC bypass authentication is enabled, MAC address authentication is performed automatically if 802.1X authentication fails for a long period of time: the MAC address of the user is sent to the RADIUS server as both the user name and the password. By default, MAC bypass authentication is disabled on an interface.

----End
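To make concrete what the S-switch sends when it falls back to MAC bypass, here is an added Python example (not code from this guide or from Huawei) of the RADIUS exchange as RFC 2865 defines it: the client MAC becomes both User-Name and User-Password, the password is hidden with MD5 of the shared key and the Request Authenticator, and the NAS verifies the Response Authenticator on the reply. The shared key 3300 is the one from the 802.1X configuration file earlier in this guide; the MAC formatting (12 lower-case hex digits), the fixed authenticator and the allow list are assumptions made for the example. The point to take away is that the password adds no secret beyond the MAC itself, so a MAC bypass identity is only as strong as the RADIUS allow list and the authority granted to it.

```python
import hashlib
import os
import struct

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Shared key taken from the 802.1X configuration file earlier in this guide
# ("radius-server shared-key 3300"); everything else here is constructed.
SHARED_KEY = b"3300"


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the server needs only the shared key to do it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, pad)), block
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(payload: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(payload):
        attr_type, length = payload[i], payload[i + 1]
        attrs[attr_type] = payload[i + 2:i + length]
        i += length
    return attrs


def build_mac_bypass_request(mac: str, identifier: int, authenticator: bytes,
                             secret: bytes = SHARED_KEY) -> bytes:
    """Access-Request in which the client MAC is both User-Name and User-Password.
    Assumption: the MAC is sent as 12 lower-case hex digits."""
    ident = mac.lower().replace(":", "").replace("-", "").encode()
    attrs = _attr(ATTR_USER_NAME, ident) + _attr(
        ATTR_USER_PASSWORD, hide_password(ident, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def server_decision(request: bytes, allowed_macs: set, secret: bytes = SHARED_KEY) -> int:
    """What the RADIUS server can check for a MAC bypass user: nothing but whether
    the self-asserted MAC is on an allow list."""
    authenticator = request[4:20]
    attrs = parse_attrs(request[20:])
    user = attrs[ATTR_USER_NAME].decode()
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator).decode()
    return ACCESS_ACCEPT if user == password and user in allowed_macs else ACCESS_REJECT


def build_response(code: int, request: bytes, secret: bytes = SHARED_KEY) -> bytes:
    """Access-Accept/Reject with the RFC 2865 section 3 Response Authenticator."""
    header = struct.pack("!BBH", code, request[1], 20)
    resp_auth = hashlib.md5(header + request[4:20] + secret).digest()
    return header + resp_auth


def verify_response(response: bytes, request: bytes, secret: bytes = SHARED_KEY) -> bool:
    """NAS side: accept a reply only if it was computed with the shared key over
    our Request Authenticator; otherwise anyone could inject an Access-Accept."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return response[4:20] == expected and response[1] == request[1]


if __name__ == "__main__":
    req = build_mac_bypass_request("00:1A:2B:3C:4D:5E", 7, os.urandom(16))
    resp = build_response(server_decision(req, {"001a2b3c4d5e"}), req)
    print("accepted" if resp[0] == ACCESS_ACCEPT else "rejected",
          "authentic" if verify_response(resp, req) else "forged")
```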

8.5.4 (Optional) Setting the Port Access Control Mode


Context
Do as follows on the S-switch.

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dot1x port-control { auto | authorized-force | unauthorized-force } [ interface interface-type interface-number1 [ to interface-number2 ] ] command to set the port access control mode.
By default, the port access control mode is auto, in which access depends on the authentication result. authorized-force allows all devices on the interface without authentication, and unauthorized-force denies all of them.
----End

8.5.5 (Optional) Setting the Port Access Control Method


Context
Do as follows on the S-switch.

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dot1x port-method { mac | port } [ interface { interface-type interface-number1 [ to interface-number2 ] } ] command to set the port access control method.
By default, the port access control method is mac, that is, each device is authenticated separately; with port, the interface is opened to all connected devices once one of them passes.
----End


8.5.6 (Optional) Setting the Maximum Number of Concurrent Access Users


Context
Do as follows on the S-switch.

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dot1x max-user user-number [ interface { interface-type interface-number1 [ to interface-number2 ] } ] command to set the maximum number of concurrent access users on the interface.
By default, an interface allows up to 256 concurrent access users (the value shown as "Max online user" in the display dot1x output in 8.5.13).
----End

8.5.7 (Optional) Setting the Authentication Method for the 802.1X User
Context
Do as follows on the S-switch.

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dot1x authentication-method { chap | eap | pap } command to set the authentication method for the 802.1X user.
By default, the authentication method of an 802.1X user is chap. With pap, the user's password itself is carried to the RADIUS server, protected only by the RADIUS shared key; chap is challenge-response, so the password is not transmitted.
----End

8.5.8 (Optional) Configuring the Guest VLAN


Context
Before configuring the guest VLAN, complete the following tasks:
- Enabling 802.1X
- Setting the maximum number of concurrent access users to 1 on the interface
- Setting the port access control mode to auto on the interface
- Creating the VLAN to be used as the guest VLAN

After the preceding configurations, do as follows on the S-switch.

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dot1x guest-vlan vlan-id [ interface { interface-type interface-number1 [ to interface-number2 ] } ] command to configure the guest VLAN on the interface.
Or run the interface interface-type interface-number command to enter the interface view and then run the dot1x guest-vlan vlan-id command to configure the guest VLAN on the interface.
By default, no guest VLAN is configured on an interface.

NOTE
The configured guest VLAN takes effect only when the maximum number of concurrent access users on the interface is 1. If that number is not 1, the guest VLAN can be configured but does not take effect. Assign different VLAN IDs to the voice VLAN, the default VLAN, and the 802.1X guest VLAN on the interface to ensure normal services.

----End

8.5.9 (Optional) Setting the Maximum Number of Times for Sending an Authentication Request
Context
Do as follows on the S-switch.

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dot1x retry max-retry-value command to set the maximum number of times an authentication request is sent to the access user.
By default, the S-switch sends an authentication request to an access user twice.
----End

8.5.10 (Optional) Setting the Timer Parameters


Context
Do as follows on the S-switch.

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dot1x timer { client-timeout client-timeout-value | handshake-period handshake-period-value | quiet-period quiet-period-value | reauthenticate-period reauthenticate-period-value | server-timeout server-timeout-value | tx-period tx-period-value } command to set the timer parameters.
By default, the timers are set as follows:
- client-timeout (timeout of the response from the client): 30s
- handshake-period (interval for sending handshake packets): 15s
- quiet-period (quiet period for a user that failed authentication): 60s
- reauthenticate-period (re-authentication interval): 3600s
- server-timeout (timeout of the response from the server): 30s
- tx-period (interval for sending authentication requests): 30s

----End

8.5.11 (Optional) Enabling the Quiet-Period Timer


Context
Do as follows on the S-switch.

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dot1x quiet-period command to enable the quiet-period timer.
By default, the quiet-period timer is disabled.
----End

8.5.12 (Optional) Enabling the Handshake-Period Timer


Context
Do as follows on the S-switch.

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dot1x handshake command to enable the handshake-period timer.
By default, the handshake-period timer is enabled.
----End

8.5.13 Checking the Configuration


Procedure
- Run the display dot1x command to check information about 802.1X sessions and the 802.1X statistics.

----End

Example
Run the display dot1x command; the output shows that 802.1X authentication is enabled globally and on GigabitEthernet 0/0/1.
[Quidway] display dot1x
 Global 802.1x is Enabled
 CHAP authentication is Enabled
 DHCP-trigger is Disabled
 Handshake is Enabled
 Quiet function is disabled
 Configuration: Handshake Period    15s
                Client Timeout      30s
                Quiet Period        60s
                Reauthen Period     3600s
                Server Timeout      30s
 Total maximum 802.1x user resource number is 1024
 Total current used 802.1x resource number is 3

 GigabitEthernet0/0/1 current state : UP
   802.1x protocol is Enabled
   Port control type is Auto
   Authentication method is MAC-based
   Reauthentication is enabled
   Max online user is 256
   Current online user is 1
   Guest VLAN is disabled
   Authentication Success: 0    Failure: 0
   EAPOL Packets: TX : 0        RX : 0

8.6 Configuration Examples

This section provides an example for configuring NAC access based on Web authentication.
8.6.1 Example for Configuring the NAC Access Based on Web Authentication

8.6.1 Example for Configuring the NAC Access Based on Web Authentication
Networking Requirements
As shown in Figure 8-3, the user accesses the Web authentication server through the S-switch for identity authentication. After the user enters the user name and password, the S-switch forwards them to the RADIUS server for authentication. The user can access the Internet only after passing the authentication.
- The IP address of the Web authentication server is 10.1.1.1; the port number of the Web authentication server is 50100; the listening port number is 2000; and the shared key is HuaweiTech.
- The user name and password of the Web authentication user are huawei and 888 respectively; the IP address of the Web authentication user is 10.1.1.2. The access type of the Web authentication user is Web.


Figure 8-3 Example for Configuring Web Authentication

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the user name and password of the Web authentication user.
2. Set the access type of the Web authentication user to Web.
3. Configure the Web authentication server.
4. Configure a non-authentication rule for the Web authentication user.
5. Create and enter the VLANIF interface view.
6. Bind the Web authentication server in the VLANIF interface view to redirect all HTTP request packets to the Web authentication server.

Data Preparation
To complete the configuration, you need the following data:
- User name and password of the Web authentication user
- Access type of the Web authentication user
- IP address, name, port number, and shared key of the Web authentication server
- URL of the Web authentication server, http://www.isp.com/index.htm
- VLAN ID and IP address of the VLANIF interface, 2 and 10.1.1.1 respectively

Note that this example gives the VLANIF interface the same address, 10.1.1.1, as the Web authentication server; in a real deployment the server must have its own address on the segment.

Configuration Procedure
1. Configure the user name and password of the Web authentication user as huawei and 888 respectively.
<S-switch> system-view
[S-switch] aaa
[S-switch-aaa] authentication-scheme nac
[S-switch-aaa-authen-nac] authentication-mode none
[S-switch-aaa-authen-nac] quit
[S-switch-aaa] domain nac
[S-switch-aaa-domain-nac] authentication-scheme nac
[S-switch-aaa-domain-nac] quit
[S-switch-aaa] local-user huawei@nac password simple 888

2. Set the access type of the Web authentication user to Web.
[S-switch-aaa] local-user huawei@nac service-type web
[S-switch-aaa] quit

3. Configure the IP address of the Web authentication server as 10.1.1.1, the port number of the Web authentication server as 50100, the listening port number as 2000 (the default, see 8.2.3), and the key as HuaweiTech.
[S-switch] web-auth-server webserver 10.1.1.1 port 50100 key HuaweiTech url http://www.isp.com/index.htm

4. Configure a non-authentication rule for the IP address of the Web authentication server, 10.1.1.1, so that users can reach the login page before they are authenticated.
[S-switch] portal free-rule 1 destination ip 10.1.1.1 mask 255.255.255.0
Note that the 255.255.255.0 mask exempts the whole 10.1.1.0/24 segment from Web authentication, not only the server; to exempt the server alone, use a 32-bit mask (mask 32).

5. Assign IP address 10.1.1.1 to the VLANIF interface.
[S-switch] vlan 2
[S-switch-vlan2] quit
[S-switch] interface vlanif 2
[S-switch-Vlanif2] ip address 10.1.1.1 255.255.255.0

6. Configure mandatory Web authentication in the VLANIF interface view.
[S-switch-Vlanif2] web-auth-server webserver

7. Verify the configuration.
Run the display this command in the VLANIF interface view to check whether the S-switch is correctly configured.
[S-switch-Vlanif2] display this
#
interface Vlanif2
 ip address 10.1.1.1 255.255.255.0
 web-auth-server webserver
#

Run the display this command in the AAA view to check whether the S-switch is correctly configured.
[S-switch-aaa] display this
#
aaa
 authentication-scheme nac
  authentication-mode none
 domain nac
  authentication-scheme nac
 local-user huawei@nac password simple 888
 local-user huawei@nac service-type web
#
return

8. Check whether the PC functioning as the client is correctly configured.
On the PC, open the IE browser and enter the address of the Web authentication server, http://10.1.1.1/, or any other address. The authentication page of the Web authentication server is displayed. After the user enters the correct user name and password, the user can access the Internet.

Configuration Files
#
 sysname S-switch
#
vlan batch 2
#
web-auth-server webserver 10.1.1.1 port 50100 key HuaweiTech
portal free-rule 1 destination ip 10.1.1.1 mask 255.255.255.0
#
interface Vlanif2
 ip address 10.1.1.1 255.255.255.0
 web-auth-server webserver
#
aaa
 authentication-scheme nac
  authentication-mode none
 domain nac
  authentication-scheme nac
 local-user huawei@nac password simple 888
 local-user huawei@nac service-type web
#
return


9 PPPoE+ Configuration

About This Chapter

This chapter describes the basics, configuration procedures, and configuration examples of PPPoE+.

9.1 PPPoE+ Overview
9.2 PPPoE+ Supported by the S-switch
9.3 Configuring PPPoE+
This section describes how to configure PPPoE+.
9.4 Configuration Examples
This section provides a configuration example of PPPoE+.


9.1 PPPoE+ Overview


PPPoE has a reasonably good authentication and security mechanism, but weaknesses such as account theft remain. With ordinary PPPoE dial-up, an account that passes RADIUS authentication can access the Internet from any access interface. PPPoE+ adds information about the access interface to the authentication packets alongside the user name and password; if the interface identified by the RADIUS server does not match the one configured for the account, the authentication fails. In this way, stolen accounts (mostly company-owned ones) cannot be used from other interfaces to access the Internet.

9.2 PPPoE+ Supported by the S-switch


The S-switch inserts information such as the device type and interface number into received PPPoE packets. The PPPoE server can then apply control policies such as IP address assignment and flexible accounting to the client according to this information.

9.3 Configuring PPPoE+


This section describes how to configure PPPoE+.

9.3.1 Establishing the Configuration Task
9.3.2 Enabling PPPoE+ Globally
9.3.3 Configuring Actions for an Interface to Process the Original Fields in PPPoE Packets
9.3.4 Configuring the Format and Contents of the Fields to be Inserted into PPPoE Packets
9.3.5 Configuring an Interface to be Trusted
9.3.6 Checking the Configuration

9.3.1 Establishing the Configuration Task


Applicable Environment
To prevent users from illegally accessing the Internet during the PPPoE authentication, you need to configure PPPoE+ on the S-switch. PPPoE+ inserts information about access interfaces to PPPoE packets to ensure the network security.

Pre-configuration Tasks
None.

Data Preparation
To configure PPPoE+, you need the following data.

No.  Data
1    Numbers of the interfaces related to PPPoE authentication
2    Format and contents of the fields to be inserted into PPPoE packets

9.3.2 Enabling PPPoE+ Globally


Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pppoe intermediate-agent information enable

PPPoE+ is enabled globally. By default, PPPoE+ is disabled globally.

----End

9.3.3 Configuring Actions for an Interface to Process the Original Fields in PPPoE Packets
Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pppoe intermediate-agent information policy { drop | replace | keep }

The action for processing the original fields in PPPoE packets is configured globally.

Step 3 (Optional) Run:
interface interface-type interface-number

The Ethernet interface view is displayed. Then run:
pppoe intermediate-agent information policy { drop | replace | keep }

The action for processing the original fields in PPPoE packets is configured for the interface.

----End

9.3.4 Configuring the Format and Contents of the Fields to be Inserted into PPPoE Packets
Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pppoe intermediate-agent information format { circuit-id | remote-id } { common | extend | user-defined text }

The format and contents of the fields to be added to PPPoE packets are configured.

----End

9.3.5 Configuring an Interface to be Trusted


Context
Do as follows on the S-switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The Ethernet interface view is displayed.

Step 3 Run:
pppoe uplink-port trusted

The interface is configured to be trusted.

----End

9.3.6 Checking the Configuration


Run the following commands to check the previous configuration.

Action: Check information about the globally configured circuit-id and remote-id parameters.
Command: display pppoe intermediate-agent information format

Action: Check the actions configured on the device to process the original fields in PPPoE packets.
Command: display pppoe intermediate-agent information policy

9.4 Configuration Examples


This section provides a configuration example of PPPoE+.

9.4.1 Example for Configuring PPPoE+

9.4.1 Example for Configuring PPPoE+


Networking Requirements
As shown in Figure 9-1, the S-switch is connected to an upstream BAS and downstream PCs. The BAS functions as the PPPoE server. PPPoE+ is enabled on the S-switch to control and monitor users accessing the Internet through dial-up.

Figure 9-1 Networking diagram of PPPoE+ configurations


Configuration Roadmap
The configuration roadmap is as follows:
1. Enable PPPoE+ globally or on specified interfaces of the S-switch.
   NOTE
   If PPPoE+ is enabled globally, it is enabled on all interfaces.
2. Configure actions for the S-switch to process PPPoE packets.
3. Configure the format and contents of the fields to be inserted by the S-switch into PPPoE packets.
4. Configure the interfaces connecting the S-switch to the PPPoE server to be trusted.

Data Preparation
None.

Configuration Procedure
1. Enable PPPoE+ on the S-switch.
<Quidway> system-view
[Quidway] pppoe intermediate-agent information enable

2. Configure all interfaces to replace the original fields in PPPoE packets with the circuit-id fields configured on the local S-switch.
[Quidway] pppoe intermediate-agent information policy replace

3. Configure the S-switch to add circuit-id fields in the extended format to PPPoE packets, that is, circuit-id fields filled in hexadecimal format.
[Quidway] pppoe intermediate-agent information format circuit-id extend

4. Configure GigabitEthernet 0/0/3 to be trusted.
[Quidway] interface gigabitethernet 0/0/3
[Quidway-GigabitEthernet0/0/3] pppoe uplink-port trusted
[Quidway-GigabitEthernet0/0/3] quit

Configuration Files
Configuration file of the S-switch
#
 sysname Quidway
#
 pppoe intermediate-agent information enable
 pppoe intermediate-agent information format circuit-id extend
#
interface GigabitEthernet0/0/3
 pppoe uplink-port trusted
#
return
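The tag handling that sections 9.3.3 to 9.3.5 configure and that the example above applies (policy replace, a trusted uplink port), modelled as an added Python example that is not part of this guide or of the S-switch software. It assumes the TR-101 vendor-specific PPPoE tag layout (tag type 0x0105, Broadband Forum enterprise number 3561, sub-tag 1 for circuit-id, sub-tag 2 for remote-id); the PADI frame and circuit-id values are constructed, and treating the keep policy as "forward the original tag unchanged" is an assumption.

```python
import struct

VENDOR_SPECIFIC = 0x0105   # PPPoE Vendor-Specific tag type (RFC 2516)
END_OF_LIST = 0x0000
BBF_VENDOR_ID = struct.pack("!I", 3561)   # Broadband Forum enterprise number used by TR-101 agents

def parse_tags(payload):
    """Split a PPPoE discovery payload into (tag_type, value) pairs."""
    tags, i = [], 0
    while i + 4 <= len(payload):
        ttype, tlen = struct.unpack_from("!HH", payload, i)
        tags.append((ttype, payload[i + 4:i + 4 + tlen]))
        i += 4 + tlen
    return tags

def build_frame(code, tags, session=0):
    """PPPoE v1/type 1 discovery frame: 6-byte header followed by the TLV tags."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, session, len(payload)) + payload

def is_agent_tag(tag):
    return tag[0] == VENDOR_SPECIFIC and tag[1][:4] == BBF_VENDOR_ID

def agent_tag(circuit_id, remote_id=b""):
    """Vendor-specific tag carrying circuit-id (sub-tag 1) and optional remote-id (sub-tag 2)."""
    body = BBF_VENDOR_ID + bytes([0x01, len(circuit_id)]) + circuit_id
    if remote_id:
        body += bytes([0x02, len(remote_id)]) + remote_id
    return (VENDOR_SPECIFIC, body)

def process_discovery(frame, policy, circuit_id, trusted=False):
    """Model of the PPPoE+ policy for one discovery frame; returns the frame to forward or None."""
    if trusted:
        return frame   # frames from the trusted uplink (PADO/PADS from the BAS) pass untouched
    _, code, session, length = struct.unpack_from("!BBHH", frame)
    tags = parse_tags(frame[6:6 + length])
    if any(is_agent_tag(t) for t in tags):   # the user already supplied an agent tag
        if policy == "drop":
            return None
        if policy == "keep":       # assumed semantics: original tag retained, nothing inserted
            return frame
        tags = [t for t in tags if not is_agent_tag(t)]   # replace: strip the user's tag
    # insert the switch's own tag, keeping an End-Of-List tag (if present) last
    eol = [t for t in tags if t[0] == END_OF_LIST]
    tags = [t for t in tags if t[0] != END_OF_LIST] + [agent_tag(circuit_id)] + eol
    return build_frame(code, tags, session)

# Constructed PADI (code 0x09): empty Service-Name tag plus a forged agent tag claiming another port
PADI = build_frame(0x09, [(0x0101, b""), agent_tag(b"0/0/9")])
```

With policy replace the forged tag is removed and the switch's own circuit-id is inserted, so the BAS only ever sees the port the user is physically connected to.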
