Huawei Quidway S9300 Configuration Manual

Quidway S9300 Terabit Routing Switch
V100R001C03
Configuration Guide - Security
Issue
01
Date
2009-07-28
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.

Summary of Contents for Huawei Quidway S9300

  • Page 2 Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service. For any assistance, please contact our local office or company headquarters. Huawei Technologies Co., Ltd. Address: Huawei Industrial Base Bantian, Longgang Shenzhen 518129 People's Republic of China Website: http://www.huawei.com...
  • Page 3: Table Of Contents

    Contents
    About This Document ........ 1
    1 AAA and User Management Configuration ........ 1-1
    1.1 Introduction to AAA and User Management ........ 1-2
    1.2 AAA and User Management Features Supported by the S9300 ........ 1-2
    1.3 Configuring Local User Management ........ 1-3
    1.3.1 Establishing the Configuration Task ........ 1-4...
  • Page 4
    1.6.3 Configuring an HWTACACS Authentication Server ........ 1-23
    1.6.4 Configuring an HWTACACS Authorization Server ........ 1-23
    1.6.5 (Optional) Configuring the Source IP Address of the HWTACACS Server ........ 1-24
    1.6.6 (Optional) Setting the Shared Key of an HWTACACS Server ........ 1-24
    1.6.7 (Optional) Setting the User Name Format for an HWTACACS Server ........ 1-25...
  • Page 5
    2.5.6 Checking the Configuration ........ 2-14
    2.6 Limiting the Rate of Sending DHCP Messages ........ 2-16
    2.6.1 Establishing the Configuration Task ........ 2-16
    2.6.2 Enabling DHCP Snooping ........ 2-16
    2.6.3 Limiting the Rate of Sending DHCP Messages ........ 2-17
    2.6.4 Checking the Configuration ........ 2-18
    2.7 Configuring the Packet Discarding Alarm Function ........ 2-18...
  • Page 6
    4.3.3 Configuring Interface-based ARP Entry Limitation ........ 4-6
    4.3.4 Checking the Configuration ........ 4-6
    4.4 Configuring ARP Anti-Attack ........ 4-7
    4.4.1 Establishing the Configuration Task ........ 4-7
    4.4.2 Preventing the ARP Address Spoofing Attack ........ 4-8
    4.4.3 Preventing the ARP Gateway Duplicate Attack ........ 4-9
    4.4.4 Preventing the Man-in-the-Middle Attack ........ 4-9...
  • Page 7
    6.4 Maintaining IP Source Trail ........ 6-4
    6.4.1 Displaying the Statistics on IP Source Trail ........ 6-4
    6.4.2 Clearing the Statistics on IP Source Trail ........ 6-4
    6.5 Configuration Examples ........ 6-5
    6.5.1 Example for Configuring IP Source Trail ........ 6-5
    7 URPF Configuration ........ 7-1...
  • Page 8
    8.6.4 Example for Configuring the Blacklist and Whitelist ........ 8-22
  • Page 9
    Figures
    Figure 1-1 Networking diagram for using RADIUS to authenticate users ........ 1-33
    Figure 1-2 Networking diagram for using HWTACACS to authenticate and authorize users ........ 1-37
    Figure 2-1 Networking diagram for applying DHCP snooping on the S9300 on a Layer 2 network ........ 2-3
    Figure 2-2 Networking diagram for applying DHCP snooping on the S9300 that functions as the DHCP relay agent ........ 2-3...
  • Page 11
    Tables
    Table 2-1 Matching table between type of attacks and DHCP snooping operation modes ........ 2-4
    Table 2-2 Relation between the type of attacks and the type of discarded packets ........ 2-19...
  • Page 13: About This Document

    About This Document. Purpose: This document describes the security features of the S9300, including AAA and user management, DHCP snooping, IP source guard, ARP security, traffic suppression, IP source trail, URPF and ACL. For each feature it covers the function introduction, configuration methods, maintenance and configuration examples.
  • Page 14: Symbol Conventions

    Chapter 2, DHCP Snooping Configuration: describes basic concepts of DHCP snooping, and provides configuration methods and configuration examples. Chapter 3, IP Source Guard Configuration: describes basic concepts of IP source guard, and provides configuration methods and configuration examples.
  • Page 15: General Conventions

    General Conventions. The general conventions that may be found in this document are defined as follows. Convention / Description: Times New Roman: normal paragraphs are in Times New Roman.
  • Page 16
    Convention / Description: ">": multi-level menus are in boldface and separated by the ">" sign. For example, choose File > Create > Folder. Keyboard Operations: the keyboard operations that may be found in this document are defined as follows.
  • Page 17: Aaa And User Management Configuration

    This chapter describes the principle and configuration of Authentication, Authorization, and Accounting (AAA), local user management, Remote Authentication Dial in User Service (RADIUS), HUAWEI Terminal Access Controller Access Control System (HWTACACS), and domain. 1.1 Introduction to AAA and User Management This section describes the knowledge of AAA and user management.
  • Page 18: Introduction To Aaa And User Management

    1.1 Introduction to AAA and User Management. This section describes the basics of AAA and user management. AAA provides the following types of services: Authentication: determines which users are allowed to access the network.
  • Page 19: Configuring Local User Management

    All the users of the S9300 belong to a domain. The domain that a user belongs to is determined by the character string that follows the "@" in the user name. For example, the user "user@huawei" belongs to the domain "huawei". If there is no "@" in the user name, the user belongs to the domain default.
  • Page 20: Establishing The Configuration Task

    1.3.1 Establishing the Configuration Task; 1.3.2 Creating a Local User; 1.3.3 (Optional) Setting the Access Type of the Local User; 1.3.4 (Optional) Configuring the FTP Directory That a Local User Can Access; 1.3.5 (Optional) Setting the Status of a Local User...
  • Page 21: (Optional) Setting The Access Type Of The Local User

    Procedure. Step 1 Run: system-view. The system view is displayed. Step 2 Run: aaa. The AAA view is displayed. Step 3 Run: local-user user-name password { simple | cipher } password. A local user is created. With simple, the password is saved in plain text in the configuration file; with cipher, it is saved in cipher text.
  • Page 22: (Optional) Setting The Status Of A Local User

    Context. NOTE: If the access type of a local user is set to FTP, you must configure the FTP directory that the local user can access;...
  • Page 23: (Optional) Enabling The Idle-Cut Function For A Local User

    If a user level is not set, the user level is 0. NOTE: You can run the user-interface command in the system view to enter the user interface view. For details on the user-interface command, see "Basic Configuration Commands" in the Quidway S9300 Terabit Routing Switch Command Reference. ----End 1.3.7 (Optional) Enabling the Idle-cut Function for a Local User...
  • Page 24: (Optional) Forcibly Cutting A User Off

    The idle-cut function is enabled for a local user. By default, the idle-cut function is disabled for a local user. NOTE: By default, the idle-cut duration set in a domain does not take effect for a local user. After you enable the idle-cut function for a local user, the idle-cut duration of the domain applies to that user.
  • Page 25: Configuring Aaa Schemes

    <Quidway> display local-user
    ----------------------------------------------------------------------
    Username        State   Type  Access-limit  Online
    ----------------------------------------------------------------------
    crystal         Active  F
                    Active  T
    ----------------------------------------------------------------------
    Total 2,2 printed
    Run the display local-user [ username user-name ] command to view detailed information about a specified user.
  • Page 26: Configuring An Authentication Scheme

    Pre-configuration Tasks: None. Data Preparation: To configure AAA schemes, you need the following data: name of the authentication scheme and authentication mode; name of the authorization scheme,...
  • Page 27: Configuring An Authorization Scheme

    By default, there is an authentication scheme named default on the S9300. This scheme can be modified but cannot be deleted. Step 4 Run: authentication-mode { hwtacacs | radius | local }...
  • Page 28
    The system view is displayed. Step 2 Run: aaa. The AAA view is displayed. Step 3 Run: authorization-scheme authorization-scheme-name. An authorization scheme is created and the authorization scheme view is displayed.
  • Page 29: (Optional) Configuring A Recording Scheme

    When the HWTACACS server fails, the command-line-based authorization mode falls back to local authorization. Authorization then fails if the level of the entered command is higher than the user level set on the local end.
  • Page 30: Checking The Configuration

    Step 7 Run: outbound recording-scheme recording-scheme-name. Information about outbound connections is recorded. By default, information about connections is not recorded. Step 8 Run: system recording-scheme recording-scheme-name. System events are recorded.
  • Page 31: Configuring A Radius Server Template

    Authentication-method : Local authentication
    Authentication-super method : Super authentication-super
    --------------------------------------------------------------------
    You can run the display authorization-scheme [ authorization-scheme-name ] command to view the configuration of the authorization scheme.
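    Section 1.4 lets an authentication scheme list several modes in order (for instance hwtacacs then local) and describes command-line authorization falling back to local authorization when the HWTACACS server fails. The following Python model is an added example, not code from the guide or from Huawei. It assumes the semantics the guide implies: a mode whose server does not respond is skipped and the next mode is tried, an explicit reject from a server is final, and the local fallback permits a command only when the command level does not exceed the user level. User names, passwords and levels are constructed sample data.

```python
# Added example (not from the Huawei guide): how an ordered AAA method list
# and the local-authorization fallback of section 1.4 behave.
# Assumed semantics: a method whose server does not respond is skipped and
# the next one is tried; an explicit reject is final; when the HWTACACS
# authorizer is unreachable a command is permitted locally only if its
# level is not above the user's level.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ACCEPT, REJECT, UNREACHABLE = "accept", "reject", "unreachable"
# A backend answers (verdict, user_level); user_level is None unless accepted.
Backend = Callable[[str, str], Tuple[str, Optional[int]]]


@dataclass
class AuthScheme:
    name: str
    methods: List[str]          # order matters, e.g. ["hwtacacs", "local"]


# Constructed local user database: user -> (password, level).
LOCAL_USERS: Dict[str, Tuple[str, int]] = {"crystal": ("s3cret", 3)}


def local_backend(user: str, password: str) -> Tuple[str, Optional[int]]:
    entry = LOCAL_USERS.get(user)
    if entry and entry[0] == password:
        return ACCEPT, entry[1]
    return REJECT, None


def make_remote_backend(reachable: bool, verdict: str, level: int = 0) -> Backend:
    """Stand-in for a RADIUS/HWTACACS server: unreachable, or a fixed answer."""
    def backend(user: str, password: str) -> Tuple[str, Optional[int]]:
        if not reachable:
            return UNREACHABLE, None
        return verdict, (level if verdict == ACCEPT else None)
    return backend


def authenticate(scheme: AuthScheme, user: str, password: str,
                 backends: Dict[str, Backend]) -> Tuple[str, Optional[int]]:
    """Walk the method list; skip unreachable methods, stop at the first answer."""
    for method in scheme.methods:
        verdict, level = backends[method](user, password)
        if verdict == UNREACHABLE:
            continue                    # fall through to the next method
        return verdict, level           # accept or reject is final
    return REJECT, None                 # nobody answered: login fails


def authorize_command(cmd_level: int, user_level: int,
                      hwtacacs_reachable: bool, hwtacacs_permits: bool) -> bool:
    """Command-line authorization with the local fallback described in 1.4."""
    if hwtacacs_reachable:
        return hwtacacs_permits
    # Local fallback: the command level must not exceed the user's level.
    return cmd_level <= user_level


if __name__ == "__main__":
    scheme1 = AuthScheme("scheme1", ["hwtacacs", "local"])
    down = {"hwtacacs": make_remote_backend(False, REJECT), "local": local_backend}
    print(authenticate(scheme1, "crystal", "s3cret", down))       # ('accept', 3)
    up_reject = {"hwtacacs": make_remote_backend(True, REJECT), "local": local_backend}
    print(authenticate(scheme1, "crystal", "s3cret", up_reject))  # ('reject', None)
    print(authorize_command(15, 3, False, True))                  # False
```

    The point for a deployment is the second case: once the server is reachable, a local account does not rescue a login the server rejected, so local accounts only help while the server is down, and the local user level then bounds what can be run.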
  • Page 32: Establishing The Configuration Task

    1.5.2 Creating a RADIUS Server Template; 1.5.3 Configuring a RADIUS Authentication Server; 1.5.4 (Optional) Configuring the Protocol Version of the RADIUS Server; 1.5.5 (Optional) Setting a Shared Key for a RADIUS Server; 1.5.6 (Optional) Setting the User Name Format Supported by a RADIUS Server...
  • Page 33: Creating A Radius Server Template

    Data: (Optional) Timeout interval for waiting for a response from a RADIUS server, and the number of times a request is retransmitted to the RADIUS server. 1.5.2 Creating a RADIUS Server Template...
  • Page 34: (Optional) Configuring The Protocol Version Of The Radius Server

    By default, the IP address of the secondary RADIUS authentication server is 0.0.0.0 and the port number is 0. ----End 1.5.4 (Optional) Configuring the Protocol Version of the RADIUS...
  • Page 35: (Optional) Setting The User Name Format Supported By A Radius Server

    By default, the shared key of a RADIUS server is huawei. Because this default is publicly documented, set a site-specific key in every template used in production. ----End 1.5.6 (Optional) Setting the User Name Format Supported by a RADIUS Server. Context. NOTE: A user name is in the user name@domain name format, and the characters after @ refer to the domain name.
  • Page 36: (Optional) Setting Retransmission Parameters On A Radius Server

    The traffic unit is set for a RADIUS server. By default, traffic is expressed in bytes on the S9300. ----End 1.5.8 (Optional) Setting Retransmission Parameters on a RADIUS...
  • Page 37: Configuring An Hwtacacs Server Template

    Example: After completing the configuration of the RADIUS server template, you can run the display radius-server configuration command to check the configuration of all templates.
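    Section 1.5 leaves the shared key at its default of huawei unless it is changed, and lets the user name be sent to the server with or without its domain. The following Python example is added here and is not the guide's or Huawei's code. It builds a RADIUS Access-Request the way RFC 2865 specifies, hiding User-Password with the shared key, and then shows that anyone who captured the packet and knows the default key recovers the password, which is why the shared key matters. The user name, password, NAS address and packet identifier are constructed sample values.

```python
# Added example (not from the Huawei guide): what the RADIUS shared key and
# the user name format of section 1.5 do on the wire. Packet layout and the
# User-Password hiding follow RFC 2865. The key b"huawei" is the default the
# guide documents; user, password and NAS address are constructed data.
import hashlib
import secrets
import struct
from typing import List, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def radius_user_name(login_name: str, with_domain: bool) -> str:
    """with-domain keeps user@domain; without-domain strips the @domain part."""
    return login_name if with_domain else login_name.split("@", 1)[0]


def _xor_chain(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 section 5.2: 16-byte blocks XORed with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, mask))
        out += result
        prev = block if decrypt else result   # the chain always runs over ciphertext
    return out


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # Pad with NULs to a multiple of 16; an empty password still occupies one block.
    padded = password + b"\x00" * ((-len(password) % 16) or (16 if not password else 0))
    return _xor_chain(padded, secret, authenticator, decrypt=False)


def decode_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _xor_chain(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")


def _attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(ident: int, user_name: str, password: str,
                         secret: bytes, nas_ip: str, authenticator: bytes) -> bytes:
    attrs = (_attr(ATTR_USER_NAME, user_name.encode())
             + _attr(ATTR_USER_PASSWORD, encode_user_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    # Code, Identifier, Length, 16-byte Request Authenticator, attributes.
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(packet: bytes) -> List[Tuple[int, bytes]]:
    out, i = [], 20
    while i < len(packet):
        kind, length = packet[i], packet[i + 1]
        out.append((kind, packet[i + 2:i + length]))
        i += length
    return out


def recover_password(packet: bytes, secret: bytes) -> bytes:
    """What a sniffer holding the shared key can do with a captured request."""
    authenticator = packet[4:20]
    hidden = dict(parse_attrs(packet))[ATTR_USER_PASSWORD]
    return decode_user_password(hidden, secret, authenticator)


if __name__ == "__main__":
    auth = secrets.token_bytes(16)
    pkt = build_access_request(7, radius_user_name("crystal@huawei", False),
                               "s3cret", b"huawei", "10.1.1.100", auth)
    print(recover_password(pkt, b"huawei"))                              # b's3cret'
    print(recover_password(pkt, b"long-site-specific-key") == b"s3cret")  # False
```

    The password hiding is reversible by design, so its strength is entirely the strength and secrecy of the shared key; a key left at the documented default gives no protection to anyone who can see the UDP traffic between the S9300 and the server.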
  • Page 38: Creating An Hwtacacs Server Template

    Applicable Environment: In remote authentication or authorization mode, you need to configure a server template as required. You need to configure an HWTACACS server template if HWTACACS is used in an authentication or an authorization scheme.
  • Page 39: Configuring An Hwtacacs Authentication Server

    Step 2 Run: hwtacacs-server template template-name. An HWTACACS server template is created and the HWTACACS server template view is displayed. ----End 1.6.3 Configuring an HWTACACS Authentication Server...
  • Page 40: (Optional) Configuring The Source Ip Address Of The Hwtacacs Server

    By default, the IP address of the primary HWTACACS authorization server is 0.0.0.0 and the port number is 0. Step 4 (Optional) Run: hwtacacs-server authorization ip-address [ port ] secondary. The IP address of the secondary HWTACACS authorization server is configured.
  • Page 41: (Optional) Setting The User Name Format For An Hwtacacs Server

    The system view is displayed. Step 2 Run: hwtacacs-server template template-name. The HWTACACS server template view is displayed. Step 3 Run: hwtacacs-server shared-key key-string. The shared key is set for the HWTACACS server.
  • Page 42: (Optional) Setting Hwtacacs Timers

    Procedure. Step 1 Run: system-view. The system view is displayed. Step 2 Run: hwtacacs-server template template-name. The HWTACACS server template view is displayed. Step 3 Run: hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }. The traffic unit is set for an HWTACACS server.
  • Page 43: Configuring A Domain

    Prerequisite: The configuration of the HWTACACS server template is complete. Procedure: Run the display hwtacacs-server template [ template-name ] command to check the configuration of the HWTACACS server template.
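    Section 1.6 sets a shared key on the HWTACACS server template without saying what the key protects. The following Python example is added here and is not the guide's or Huawei's code. HWTACACS is Huawei's implementation of TACACS+, so the packet header and body obfuscation shown are those of the TACACS+ protocol (RFC 8907); that they apply unchanged to HWTACACS is an assumption. It builds an authentication START packet, hides the body with the key, and shows that without a key the user name travels in the clear. Session id, user, port and address are constructed sample data.

```python
# Added example (not from the Huawei guide): what the HWTACACS shared key of
# section 1.6 protects. The header layout and MD5-based body obfuscation are
# those of TACACS+ (RFC 8907); applying them to HWTACACS is an assumption.
# Session id, user, port and remote address are constructed sample data.
import hashlib
import struct
from typing import Tuple

TAC_PLUS_MAJOR_VER, TAC_PLUS_MINOR_VER_DEFAULT = 0xC, 0x0
TAC_PLUS_AUTHEN = 0x01                      # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01, 0x01, 0x01
HEADER_LEN = 12


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5 chain over session_id, key, version, seq_no."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR is its own inverse, so this both hides and reveals a body."""
    if not key:
        return body                         # no key: the body travels in the clear
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: str, port: str, rem_addr: str, priv_lvl: int = 1) -> bytes:
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    return (struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d))
            + u + p + r + d)


def parse_authen_start(body: bytes) -> Tuple[str, str, str]:
    user_len, port_len, rem_len = body[4], body[5], body[6]
    i = 8
    user = body[i:i + user_len]; i += user_len
    port = body[i:i + port_len]; i += port_len
    rem = body[i:i + rem_len]
    return user.decode(), port.decode(), rem.decode()


def build_packet(session_id: int, seq_no: int, body: bytes, key: bytes) -> bytes:
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + obfuscate_body(body, session_id, key, version, seq_no)


def read_packet(packet: bytes, key: bytes) -> bytes:
    """Return the cleartext body; a wrong key yields garbage, not an error."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate_body(body, session_id, key, version, seq_no)


if __name__ == "__main__":
    start = build_authen_start("crystal", "vty0", "10.1.1.100")
    pkt = build_packet(0x5A17C0DE, 1, start, b"site-key")
    print(parse_authen_start(read_packet(pkt, b"site-key")))    # ('crystal', 'vty0', '10.1.1.100')
    print(b"crystal" in pkt)                                    # False: hidden by the key
    print(b"crystal" in build_packet(0x5A17C0DE, 1, start, b""))  # True: no key, cleartext
```

    Two practical consequences follow: the obfuscation is an MD5 keystream rather than authenticated encryption, so the shared key must be long and private and the path to the server should still be a management network; and because a wrong key produces garbage instead of an error, a mismatched key on the S9300 and the server shows up as authentication failures, which the debugging hwtacacs commands of section 1.8 help to tell apart from a real reject.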
  • Page 44: Creating A Domain

    Applicable Environment: To perform authentication and authorization for a user logging in to the S9300, you need to configure a domain. NOTE: A modification to a domain takes effect the next time a user logs in.
  • Page 45: Configuring Authentication And Authorization Schemes For A Domain

    By default, a domain named default exists on the S9300. This domain can be modified but cannot be deleted. ----End 1.7.3 Configuring Authentication and Authorization Schemes for a...
  • Page 46: Configuring An Hwtacacs Server Template For A Domain

    Step 2 Run: aaa. The AAA view is displayed. Step 3 Run: domain domain-name. The domain view is displayed. Step 4 Run: radius-server template-name. A RADIUS server template is configured for the domain.
  • Page 47: Checking The Configuration

    Procedure. Step 1 Run: system-view. The system view is displayed. Step 2 Run: aaa. The AAA view is displayed. Step 3 Run: domain domain-name. The domain view is displayed.
  • Page 48: Maintaining Aaa And User Management

    Domain-state : Active
    Authentication-scheme-name : scheme1
    Accounting-scheme-name : default
    Authorization-scheme-name : scheme1
    Web-IP-address
    Primary-DNS-IP-address
    Second-DNS-IP-address
    Primary-NBNS-IP-address
    Second-NBNS-IP-address
    Idle-data-attribute (time,flow) : 60, 1500
    User-access-limit : 300...
  • Page 49: Configuration Examples

    When a running fault occurs on the RADIUS or HWTACACS server, run the debugging commands in the user view to locate the fault. Procedure: Run the debugging radius packet command to debug RADIUS packets.
  • Page 50
    Apply the RADIUS server template and authentication scheme to the domain. Data Preparation: To complete the configuration, you need the following data: name of the domain that the user belongs to: huawei; IP address and port number of the primary RADIUS authentication server: 10.1.1.1/24 and 1812; IP address and port number of the secondary RADIUS authentication server: 10.1.1.2/24 and 1812...
  • Page 51
    [Quidway] aaa
    [Quidway-aaa] domain huawei
    # Configure an authentication scheme for the domain.
    [Quidway-aaa-domain-huawei] authentication-scheme scheme1
    # Configure a RADIUS server template for the domain.
  • Page 52: Example For Using Hwtacacs To Authenticate And Authorize Users

    radius-server template rrr
    radius-server shared-key hello
    radius-server authentication 10.1.1.1 1812
    radius-server authentication 10.1.1.2 1812 secondary
    radius-server retransmit 2
    authentication-scheme default
    authentication-scheme scheme1
    authentication-mode radius
    authorization-scheme default...
  • Page 53: Figure 1-2 Networking Diagram For Using Hwtacacs To Authenticate And Authorize Users

    Data Preparation: To complete the configuration, you need the following data: name of the domain that the user belongs to: huawei; IP address of the primary HWTACACS server: 10.1.1.1/24, authentication port number 49, authorization port number 49; IP address of the secondary HWTACACS server: 10.1.1.2/24, authentication port...
  • Page 54
    [Quidway-aaa] authentication-scheme scheme1
    # Set an authentication mode for the authentication scheme.
    [Quidway-aaa-authen-scheme1] authentication-mode local hwtacacs
    [Quidway-aaa-authen-scheme1] quit
    Step 2 Configure an authorization scheme. # Create an authorization scheme named scheme1.
  • Page 55
    [Quidway] display hwtacacs-server template hhh
    -----------------------------------------------------------------------
    HWTACACS-server template name : hhh
    Primary-authentication-server : 10.1.1.1:49
    Primary-authorization-server : 10.1.1.1:49
    Primary-accounting-server : 0.0.0.0:0
    Secondary-authentication-server : 10.1.1.2:49
    Secondary-authorization-server : 10.1.1.2:49
    Secondary-accounting-server : 0.0.0.0:0...
  • Page 56
    authorization-scheme scheme1
    hwtacacs-server hhh
    user-interface vty 0 4
    authentication-mode aaa
    return
  • Page 57: Dhcp Snooping Configuration

    2 DHCP Snooping Configuration. About This Chapter: This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP) snooping on the S9300 to defend against DHCP attacks. 2.1 Introduction to DHCP Snooping: This section describes the principle of DHCP snooping.
  • Page 58: Introduction To Dhcp Snooping

    2.1 Introduction to DHCP Snooping. This section describes the principle of DHCP snooping. DHCP snooping intercepts and analyzes the DHCP messages exchanged between DHCP clients and a DHCP server. From them it creates and maintains a DHCP snooping binding table, and it filters untrusted DHCP messages according to that table.
  • Page 59: Figure 2-2 Networking Diagram For Applying Dhcp Snooping On The S9300 That Functions As The Dhcp Relay Agent

    [Figure 2-1 Networking diagram for applying DHCP snooping on the S9300 on a Layer 2 network. Diagram labels: L3 network, DHCP server, DHCP relay, Trusted, S9300, Untrusted, L2 network...]
  • Page 60: Preventing The Bogus Dhcp Server Attack

    NOTE: DHCP snooping can be enabled when the S9300 is deployed on a Layer 2 network or functions as the DHCP relay agent. The S9300 can then defend against the attacks listed in Table 2-1.
  • Page 61: Enabling Dhcp Snooping

    To prevent a bogus DHCP server attack, configure DHCP snooping on the S9300, configure the network-side interface as trusted and the user-side interface as untrusted, and discard DHCP Reply messages received on untrusted interfaces.
  • Page 62: Configuring An Interface As A Trusted Interface

    DHCP snooping is enabled on the interface. DHCP snooping must be enabled on all the network-side interfaces and user-side interfaces of the S9300. Otherwise, configurations related to DHCP snooping do not take effect on those interfaces.
  • Page 63: Checking The Configuration

    Procedure. Step 1 Run: system-view. The system view is displayed. Step 2 Run: dhcp server detect. Detection of bogus DHCP servers is enabled. By default, detection of bogus DHCP servers is disabled on the S9300.
  • Page 64: Preventing The Dos Attack By Changing The Chaddr Field

    [Quidway] display this
    sysname Quidway
    dhcp snooping enable
    dhcp server detect
    2.4 Preventing the DoS Attack by Changing the CHADDR Field. This section describes how to prevent attackers from attacking the DHCP server by modifying the CHADDR field.
  • Page 65: Enabling Dhcp Snooping

    2.4.2 Enabling DHCP Snooping. Context: You need to enable DHCP snooping globally before enabling DHCP snooping on an interface. By default, DHCP snooping is disabled globally and on each interface.
  • Page 66: Checking The Configuration

    The interface is the user-side interface. Step 3 Run: dhcp snooping check mac-address enable. The interface is configured to check the CHADDR field of DHCP Request messages against the source MAC address of the frame.
  • Page 67: Establishing The Configuration Task

    2.5.4 Enabling the Checking of DHCP Request Messages; 2.5.5 (Optional) Configuring the Option 82 Function; 2.5.6 Checking the Configuration. 2.5.1 Establishing the Configuration Task. Applicable Environment: An attacker pretends to be a valid user and continuously sends DHCP Request messages intending to extend the IP address lease.
  • Page 68: Enabling Dhcp Snooping

    2.5.2 Enabling DHCP Snooping. Context: You need to enable DHCP snooping globally before enabling DHCP snooping on an interface. By default, DHCP snooping is disabled globally and on each interface.
  • Page 69: Enabling The Checking Of Dhcp Request Messages

    ip-address and vlan are mandatory; mac-address and interface are optional and can be omitted when they are not needed. ----End 2.5.4 Enabling the Checking of DHCP Request Messages...
  • Page 70: Checking The Configuration

    Procedure. Step 1 Run: system-view. The system view is displayed. Step 2 Run: interface interface-type interface-number. The interface view is displayed. The interface is the user-side interface.
  • Page 71
    Procedure: Run the display dhcp snooping global command to check information about global DHCP snooping. Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface.
  • Page 72: Limiting The Rate Of Sending Dhcp Messages

    <Quidway> display dhcp option82 interface gigabitethernet 1/0/0
    dhcp option82 insert enable
    2.6 Limiting the Rate of Sending DHCP Messages. This section describes how to prevent attackers from sending a large number of DHCP Request messages to attack the S9300.
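    Section 2.5.5 enables Option 82 insertion without showing what changes in the message. The following Python example is added here and is not the guide's or Huawei's code. It builds a minimal DHCP Discover, inserts the Relay Agent Information option (RFC 3046) with Circuit-ID and Remote-ID sub-options as a snooping device forwarding a client message towards the server would, and strips the option from a reply heading back to the client. The page does not describe the Circuit-ID and Remote-ID encoding the S9300 uses, so the encoding below is an assumption, and the MAC addresses, slot, port and VLAN are constructed data.

```python
# Added example (not from the Huawei guide): what the Option 82 function of
# section 2.5.5 does to a DHCP message. Option layout follows RFC 2132 and
# RFC 3046. The Circuit-ID/Remote-ID encoding is an assumption for the
# example, not the S9300's; MACs, slot, port and VLAN are constructed data.
import struct
from typing import Dict, List, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MESSAGE_TYPE, OPT_RELAY_AGENT_INFO, OPT_END = 0, 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
BOOTREQUEST, DHCPDISCOVER = 1, 1
FIXED_LEN = 236 + len(MAGIC_COOKIE)          # BOOTP header plus magic cookie


def parse_options(opts: bytes) -> List[Tuple[int, bytes]]:
    """Walk TLV options until END; PAD bytes carry no length."""
    out, i = [], 0
    while i < len(opts):
        code = opts[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = opts[i + 1]
        out.append((code, opts[i + 2:i + 2 + length]))
        i += 2 + length
    return out


def serialize_options(items: List[Tuple[int, bytes]]) -> bytes:
    return b"".join(bytes([code, len(value)]) + value for code, value in items) + bytes([OPT_END])


def build_discover(xid: int, client_mac: bytes) -> bytes:
    # op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", BOOTREQUEST, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + serialize_options([(OPT_MESSAGE_TYPE, bytes([DHCPDISCOVER]))])


def circuit_id(vlan: int, slot: int, port: int) -> bytes:
    """Assumed encoding: VLAN id and the receiving slot/port, big-endian."""
    return struct.pack("!HBB", vlan, slot, port)


def insert_option82(packet: bytes, circuit: bytes, remote: bytes) -> bytes:
    """What the snooping device does to a client message before forwarding it upstream."""
    options = [o for o in parse_options(packet[FIXED_LEN:]) if o[0] != OPT_RELAY_AGENT_INFO]
    sub = bytes([SUB_CIRCUIT_ID, len(circuit)]) + circuit + bytes([SUB_REMOTE_ID, len(remote)]) + remote
    options.append((OPT_RELAY_AGENT_INFO, sub))
    return packet[:FIXED_LEN] + serialize_options(options)


def strip_option82(packet: bytes) -> bytes:
    """What it does to a server reply before handing it to the client."""
    options = [o for o in parse_options(packet[FIXED_LEN:]) if o[0] != OPT_RELAY_AGENT_INFO]
    return packet[:FIXED_LEN] + serialize_options(options)


def relay_agent_info(packet: bytes) -> Dict[int, bytes]:
    """Decode the Option 82 sub-options of a packet; empty dict if absent."""
    for code, value in parse_options(packet[FIXED_LEN:]):
        if code == OPT_RELAY_AGENT_INFO:
            return dict(parse_options(value + bytes([OPT_END])))
    return {}


if __name__ == "__main__":
    client_mac = bytes.fromhex("001122334401")
    switch_mac = bytes.fromhex("00e0fc000001")       # Remote-ID: the snooping device (assumed)
    disc = build_discover(0x3903F326, client_mac)
    tagged = insert_option82(disc, circuit_id(10, 2, 0), switch_mac)
    print(relay_agent_info(tagged))      # {1: b'\x00\n\x02\x00', 2: b'\x00\xe0\xfc\x00\x00\x01'}
    print(strip_option82(tagged) == disc)  # True
```

    Any Option 82 already present in a client message is replaced rather than trusted, which is the behaviour a practitioner should expect from the untrusted side: a client must not be able to choose the circuit the server believes it is attached to.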
  • Page 73: Limiting The Rate Of Sending Dhcp Messages

    Context: You need to enable DHCP snooping globally before enabling DHCP snooping on an interface. By default, DHCP snooping is disabled globally and on each interface. Procedure...
  • Page 74: Checking The Configuration

    Step 4 Run: dhcp snooping check dhcp-rate alarm enable. The alarm function is enabled for DHCP packets discarded because they exceed the transmission rate. Step 5 (Optional) Run:...
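    Section 2.6 limits the rate of DHCP messages an interface accepts and raises an alarm for messages discarded over that rate. The following Python model is an added example, not code from the guide or from Huawei: a per-interface packets-per-second budget with a discard counter and an alarm that fires once the number of discarded messages reaches a configured threshold. The one-second fixed-window accounting and the threshold semantics are assumptions made for the model; the interface name, rate and arrival times are constructed data.

```python
# Added example (not from the Huawei guide): a model of the DHCP message rate
# limit and discard alarm of section 2.6. The fixed one-second window and the
# "alarm when discards reach the threshold" rule are assumptions for the
# model; interface name, rate, threshold and timestamps are constructed data.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class DhcpRateLimiter:
    interface: str
    rate_pps: int                               # messages admitted per second
    alarm_threshold: int                        # discards that trigger the alarm
    window_start: float = 0.0
    seen_in_window: int = 0
    discarded: int = 0
    alarms: List[str] = field(default_factory=list)

    def accept(self, now: float) -> bool:
        """Admit a DHCP message arriving at time `now` (seconds); False means discarded."""
        if now - self.window_start >= 1.0:      # start a new one-second window
            self.window_start = now
            self.seen_in_window = 0
        if self.seen_in_window < self.rate_pps:
            self.seen_in_window += 1
            return True
        self.discarded += 1
        if self.discarded == self.alarm_threshold:   # fire once, when the threshold is hit
            self.alarms.append(f"{self.interface}: dhcp-rate discards reached {self.discarded}")
        return False


def replay(limiter: DhcpRateLimiter, timestamps: List[float]) -> Tuple[int, int]:
    """Feed a list of arrival times; return (forwarded, discarded)."""
    forwarded = sum(1 for t in timestamps if limiter.accept(t))
    return forwarded, len(timestamps) - forwarded


def flood(start: float, count: int, duration: float) -> List[float]:
    """Constructed burst: `count` messages evenly spread over `duration` seconds."""
    return [start + i * duration / count for i in range(count)]


if __name__ == "__main__":
    lim = DhcpRateLimiter("GE2/0/0", rate_pps=100, alarm_threshold=120)
    print(replay(lim, flood(0.0, 150, 1.0)))    # (100, 50): 50 over budget in the first second
    print(replay(lim, flood(1.0, 200, 1.0)))    # (100, 100): the threshold of 120 is crossed
    print(lim.alarms)                           # one alarm for GE2/0/0
```

    The limiter protects the S9300's own DHCP processing, not the server; a flood that stays under the configured rate is still forwarded, so the rate should be set from the real client population on the interface rather than left generous.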
  • Page 75: Enabling Dhcp Snooping

    Applicable Environment: With DHCP snooping configured, the S9300 discards packets sent from an attacker. Table 2-2 shows the relation between the type of attacks and the type of discarded packets.
  • Page 76: Enabling The Checking Of Dhcp Messages

    Context: You need to enable DHCP snooping globally before enabling DHCP snooping on an interface. By default, DHCP snooping is disabled globally and on each interface. Procedure...
  • Page 77: Configuring The Packet Discarding Alarm Function

    the message. If the source MAC address is different from the value of the CHADDR field, the DHCP Request message is discarded. After you run the user-bind command, the S9300 checks whether the DHCP Request or Release message matches the binding table;...
  • Page 78: Checking The Configuration

    mac-address: if the source MAC address in the frame header is different from the MAC address carried in the DHCP message, the message is discarded.
    user-bind: if the DHCP message does not match the binding table, the message...
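    Sections 2.3 to 2.5 and 2.7 describe four decisions the S9300 makes per DHCP message: drop replies on untrusted interfaces, drop Request messages whose CHADDR does not match the frame source, drop Request or Release messages that do not match the binding table, and count each kind of discard for the alarm. The following Python model is an added example, not code from the guide or from Huawei. The message model is simplified, and the binding-table check is applied only to messages that claim an already assigned address (a renewing Request or a Release), which is an assumption about where the guide's check applies. All MAC addresses, IP addresses and interface names are constructed sample data.

```python
# Added example (not from the Huawei guide): a model of the DHCP snooping
# checks of sections 2.3 to 2.5 and 2.7 and of the per-reason discard
# counters behind "display dhcp snooping interface". Simplified message
# model; applying the binding check only to messages that claim an existing
# address is an assumption. MACs, IPs and interface names are constructed.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

REPLY_KINDS = {"OFFER", "ACK", "NAK"}
REQUEST_KINDS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}


@dataclass(frozen=True)
class Binding:                      # one DHCP snooping binding-table entry
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass
class Interface:
    name: str
    trusted: bool = False           # dhcp snooping trusted
    check_mac: bool = False         # dhcp snooping check mac-address enable
    check_bind: bool = False        # binding-table check (user-bind)
    drops: Dict[str, int] = field(default_factory=lambda: {
        "untrust-reply": 0, "mac-address": 0, "user-bind": 0})


@dataclass(frozen=True)
class DhcpMsg:
    kind: str                       # DISCOVER, REQUEST, RELEASE, OFFER, ACK, ...
    src_mac: str                    # source MAC of the Ethernet frame
    chaddr: str                     # client hardware address field of the DHCP message
    vlan: int
    claimed_ip: str = "0.0.0.0"     # ciaddr: the address the client says it already holds
    yiaddr: str = "0.0.0.0"         # the address assigned in an ACK


class DhcpSnooping:
    def __init__(self) -> None:
        self.bindings: Dict[Tuple[str, int], Binding] = {}

    def learn(self, msg: DhcpMsg, client_ifname: str) -> None:
        """A server ACK seen on a trusted interface populates the binding table."""
        if msg.kind == "ACK":
            self.bindings[(msg.chaddr, msg.vlan)] = Binding(msg.chaddr, msg.yiaddr, msg.vlan, client_ifname)

    def check(self, msg: DhcpMsg, iface: Interface) -> Tuple[bool, Optional[str]]:
        """Return (forwarded, drop_reason) and count drops per reason on the interface."""
        reason = None
        if msg.kind in REPLY_KINDS and not iface.trusted:
            reason = "untrust-reply"            # bogus DHCP server on the user side
        elif msg.kind in REQUEST_KINDS and iface.check_mac and msg.src_mac != msg.chaddr:
            reason = "mac-address"              # CHADDR does not match the frame source
        elif (iface.check_bind and msg.kind in {"REQUEST", "RELEASE"}
              and msg.claimed_ip != "0.0.0.0"):
            b = self.bindings.get((msg.chaddr, msg.vlan))
            if b is None or b.ip != msg.claimed_ip or b.interface != iface.name:
                reason = "user-bind"            # renewal or release the table does not know
        if reason:
            iface.drops[reason] += 1
            return False, reason
        return True, None


if __name__ == "__main__":
    snoop = DhcpSnooping()
    user = Interface("GE2/0/0", check_mac=True, check_bind=True)
    victim, attacker = "00:11:22:33:44:01", "00:11:22:33:44:99"
    # Legitimate lease: the server's ACK arrives on the trusted uplink and is learned.
    snoop.learn(DhcpMsg("ACK", "00:aa:bb:cc:dd:ee", victim, 10, yiaddr="10.0.0.5"), user.name)
    print(snoop.check(DhcpMsg("OFFER", attacker, attacker, 10), user))                 # (False, 'untrust-reply')
    print(snoop.check(DhcpMsg("DISCOVER", attacker, "00:11:22:33:44:77", 10), user))  # (False, 'mac-address')
    print(snoop.check(DhcpMsg("RELEASE", victim, victim, 10, claimed_ip="10.0.0.5"),
                      Interface("GE3/0/0", check_bind=True)))                          # (False, 'user-bind')
    print(snoop.check(DhcpMsg("REQUEST", victim, victim, 10, claimed_ip="10.0.0.5"), user))  # (True, None)
    print(user.drops)
```

    The ordering matters for the alarm counters the guide shows: a Release that spoofs both the frame source and CHADDR of a victim is caught by the binding-table check on interface and address, while one that spoofs only CHADDR is already counted under mac-address, so the two counters together tell an operator which kind of attacker is on the port.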
  • Page 79: Maintaining Dhcp Snooping

    mac-address&src mac total
    untrust-reply total
    2.8 Maintaining DHCP Snooping. This section describes how to maintain DHCP snooping. 2.8.1 Clearing DHCP Snooping Statistics; 2.8.2 Resetting the DHCP Snooping Binding Table; 2.8.3 Backing Up the DHCP Snooping Binding Table...
  • Page 80: Debugging Dhcp Snooping

    Procedure: Run the dhcp snooping user-bind autosave file-name command to back up the DHCP snooping binding table. If the binding table is backed up, the system automatically backs up the binding table...
  • Page 81: Figure 2-3 Networking Diagram For Preventing The Bogus Dhcp Server Attack

    Networking Requirements: As shown in Figure 2-3, the S9300 is deployed between the user network and the Layer 2 network of the ISP. To prevent the bogus DHCP server attack, DHCP snooping must be configured on the S9300, the user-side interface configured as untrusted, the network-side interface configured as trusted, and the packet discarding alarm function configured.
  • Page 82
    Procedure. Step 1 Enable DHCP snooping.
    # Enable DHCP snooping globally.
    <Quidway> system-view
    [Quidway] dhcp snooping enable
    # Enable DHCP snooping on the interface. You can perform other DHCP snooping configurations only after DHCP snooping is enabled on the interfaces at the DHCP server side and the user side.
  • Page 83: Example for Preventing the DoS Attack by Changing the CHADDR Field

    mac-address&src mac total untrust-reply total ----End Configuration Files sysname Quidway dhcp snooping enable interface GigabitEthernet1/0/0 dhcp snooping enable dhcp snooping trusted interface GigabitEthernet2/0/0 dhcp snooping enable dhcp snooping alarm untrust-reply enable...
  • Page 84 Configuration Roadmap The configuration roadmap is as follows: Enable DHCP snooping globally and on the interface. Enable the checking of the CHADDR field of DHCP Request messages on the user-side interface.
  • Page 85: Example for Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases

    <Quidway> display dhcp snooping interface gigabitethernet 2/0/0 dhcp snooping enable dhcp snooping check mac-address enable dhcp snooping alarm mac-address enable dhcp snooping alarm mac-address threshold 120 user-bind total mac-address&src mac total...
  • Page 86: Figure 2-5 Networking Diagram for Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases

    Figure 2-5 Networking diagram for preventing the attacker from sending bogus DHCP messages for extending IP address leases (diagram labels: ISP network, L3 network, DHCP relay, L2 network, GE1/0/0...)
  • Page 87 <Quidway> system-view [Quidway] dhcp snooping enable # Enable DHCP snooping on the interface. You can perform other DHCP snooping configurations only after DHCP snooping is enabled on the interfaces at the DHCP server side and user side.
  • Page 88: Example for Limiting the Rate of Sending DHCP Messages

    ifname p/cvlan tp lease mac-address ip-address vpn-instance ------------------------------------------------------------------------------- GE2/0/0 0001/0000 S 0000-005e-008a 010.001.001.003 GE2/0/0 0333/0000 D 090320-1109 0016-21f1-56b6 070.070.116.062 ------------------------------------------------------------------------------- total count : 2 Run the display dhcp option82 interface command, and you can find that the function of inserting the Option 82 field into packets is enabled on the interface.
  • Page 89: Figure 2-6 Networking Diagram for Limiting the Rate for Sending DHCP Messages

    Figure 2-6 Networking diagram for limiting the rate for sending DHCP messages (diagram labels: Attacker, L2 network, GE1/0/1, L3 network, L2 network, GE2/0/1, GE1/0/2, DHCP client, DHCP relay, S9300...)
  • Page 90: Example for Applying DHCP Snooping on a Layer 2 Network

    [Quidway] interface gigabitethernet 1/0/1 [Quidway-GigabitEthernet1/0/1] dhcp snooping enable [Quidway-GigabitEthernet1/0/1] quit Step 2 Limit the rate for sending DHCP messages. # Enable the checking of the rate of sending DHCP Request messages.
  • Page 91: Figure 2-7 Networking Diagram for Configuring DHCP Snooping

    IP address. DHCP snooping must be configured on user-side interfaces GE 1/0/0 and GE 1/0/1 of the S9300 to prevent the following types of attacks:...
  • Page 92 VLAN that the interface belongs to being 10 GE 1/0/0 and GE 1/0/1 configured as untrusted and GE 2/0/0 configured as trusted Static IP address from which packets are forwarded being 10.1.1.1/24 and corresponding...
  • Page 93 [Quidway] interface gigabitethernet 1/0/0 [Quidway-GigabitEthernet1/0/0] dhcp snooping check mac-address enable [Quidway-GigabitEthernet1/0/0] quit Step 4 Configure the DHCP snooping binding table. # If static IP addresses are used, DHCP snooping static entries must be configured.
  • Page 94 dhcp snooping enable dhcp snooping alarm untrust-reply enable dhcp snooping alarm untrust-reply threshold 120 dhcp snooping check mac-address enable dhcp snooping alarm mac-address enable dhcp snooping alarm mac-address threshold 120...
  • Page 95: Example for Enabling DHCP Snooping on the DHCP Relay Agent

    dhcp snooping alarm untrust-reply enable dhcp snooping alarm untrust-reply threshold 120 dhcp snooping check mac-address enable dhcp snooping alarm mac-address enable dhcp snooping alarm mac-address threshold 120...
  • Page 96 Configuration Roadmap The configuration roadmap is as follows: Enable DHCP snooping globally and in the interface view. Configure interfaces as trusted or untrusted to prevent bogus DHCP server attacks.
  • Page 97 [Quidway-GigabitEthernet2/0/0] dhcp snooping enable [Quidway-GigabitEthernet2/0/0] quit Step 2 Configure the interface as trusted. # Configure the interface connecting to the DHCP server as trusted and enable DHCP snooping on the interfaces connecting to the DHCP client.
  • Page 98 # Enable the alarm function for checking the rate of sending packets and set the alarm threshold for checking the rate of sending packets. [Quidway] dhcp snooping check dhcp-rate alarm enable [Quidway] dhcp snooping check dhcp-rate alarm threshold 80 Step 8 Associate ARP with DHCP snooping.
  • Page 99 [Quidway] display dhcp option82 interface gigabitethernet 1/0/0 dhcp option82 insert enable ----End Configuration Files sysname Quidway vlan batch 10 dhcp snooping enable dhcp snooping check dhcp-rate enable...
  • Page 101: IP Source Guard Configuration

    IP Source Guard Configuration About This Chapter This chapter describes the principle and configuration of IP source guard. 3.1 Introduction to IP Source Guard This section describes the principle of IP source guard.
  • Page 102: Introduction to IP Source Guard

    3.1 Introduction to IP Source Guard This section describes the principle of IP source guard. IP source guard filters IP packets on interfaces so that invalid packets cannot pass through them, improving interface security.
  • Page 103: Configuring IP Source Guard

    After the DHCP snooping function is enabled for DHCP users, the binding table is dynamically generated for the DHCP users. When users are configured with static IP addresses, you need to configure the binding table by running commands.
  • Page 104: Enabling IP Source Guard

    Context For an IP address statically assigned to a user, the S9300 cannot automatically learn the MAC address of the user or generate the binding table. You need to create the binding table manually.
  • Page 105: Checking the Configuration

    Context After the function of checking IP packets is enabled, the S9300 checks received IP packets against the binding table. The check items include the source IP address, source MAC address, VLAN ID, and interface number.
  • Page 106: Configuration Examples

    Example After the configuration, run the display user-bind user-type static command to view information about the static binding table. <Quidway> display user-bind user-type static...
  • Page 107 Configuration Roadmap Assume that the user is configured with a static IP address. The configuration roadmap is as follows: Enable the IP source guard function on the interfaces connected to Host A and Host B.
  • Page 108 The preceding information indicates that Host A exists in the static binding table, whereas Host B does not. ----End Configuration Files sysname Quidway user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface...
  • Page 109: ARP Security Configuration

    ARP Security Configuration About This Chapter This chapter describes the principle and configuration of ARP security features. 4.1 Introduction to ARP Security This section describes the principle of ARP security.
  • Page 110: Introduction to ARP Security

    4.1 Introduction to ARP Security This section describes the principle of ARP security. ARP Attack On a network, ARP entries are easily attacked. Attackers send a large number of ARP Request and Response packets to attack network devices.
  • Page 111 The S9300 can prevent ARP spoofing by using the following methods: Fixed MAC address: After learning an ARP entry, the S9300 does not allow the MAC address in that entry to be modified through ARP entry learning until the entry ages.
  • Page 112: Limiting ARP Entry Learning

    and the triggered rate exceeds the set threshold, the S9300 considers that an attack occurs. In this case, the S9300 delivers ACL rules to discard the IP packets sent from this address for a period (the default value is 50 seconds).
  • Page 113: Enabling Strict ARP Entry Learning

    Data Preparation To configure the limitation on ARP entry learning, you need the following data. Data Type and number of the interface where you need to configure the limitation on ARP entry learning 4.3.2 Enabling Strict ARP Entry Learning...
  • Page 114: Configuring Interface-Based ARP Entry Limitation

    By default, the configuration of strict ARP entry learning on an interface is the same as the global configuration. ----End 4.3.3 Configuring Interface-based ARP Entry Limitation Context If attackers occupy a large number of ARP entries, the S9300 cannot learn the ARP entries of authorized users.
  • Page 115: Configuring ARP Anti-Attack

    Example Run the display arp learning strict command to view the configuration of strict ARP entry learning. <Quidway> display arp learning strict The global configuration:arp learning strict...
  • Page 116: Preventing the ARP Address Spoofing Attack

    Applicable Environment On an Ethernet Metropolitan Area Network (MAN), ARP entries are easily attacked; therefore, the ARP anti-attack function should be configured on the access layer or convergence layer to ensure network security.
  • Page 117: Preventing the ARP Gateway Duplicate Attack

    4.4.3 Preventing the ARP Gateway Duplicate Attack Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: arp anti-attack gateway-duplicate enable The ARP anti-attack function for preventing ARP packets with the bogus gateway address is enabled.
  • Page 118: (Optional) Configuring the S9300 to Discard Gratuitous ARP Packets

    By default, the interfaces are not enabled with the IP source guard function. Step 4 Run: arp anti-attack check user-bind check-item { ip-address | mac-address | vlan } The check items of ARP packets are configured.
  • Page 119: Configuring DHCP to Trigger ARP Learning

    The system view is displayed. Run: arp anti-attack gratuitous-arp drop The S9300 is enabled to discard gratuitous ARP packets. By default, the S9300 does not discard gratuitous ARP packets.
  • Page 120: Enabling Log and Alarm Functions for Potential Attacks

    By default, the S9300 does not learn ARP entries when receiving DHCP ACK messages. When traffic passes, ARP learning is triggered. NOTE To use the arp learning dhcp-trigger command, ensure that the DHCP relay function is enabled on the VLANIF interface.
  • Page 121: Suppressing Transmission Rate of ARP Packets

    ARP gateway-duplicate anti-attack function: enabled ARP anti-attack log-trap-timer: 30seconds (The log and trap timer of speed-limit, default is 0 and means disabled.) Run the display arp anti-attack gateway-duplicate item command to view information about bogus gateway address attacks on the network.
  • Page 122: Configuring Source-Based ARP Suppression

    packets are sent to the security module, the security module will be impacted. In this case, you can suppress the transmission rate of ARP packets; packets that exceed the configured rate are discarded.
  • Page 123: Configuring Source-Based ARP Miss Suppression

    The suppression rate of ARP packets is set. Step 3 (Optional) Run: arp speed-limit source-ip ip-address maximum maximum The suppression rate of ARP packets with a specified source IP address is set.
  • Page 124: Suppressing Transmission Rate of ARP Packets

    Context After the VLANIF interface receives unreachable IP unicast packets, the packets are sent to the CPU of the main control board because the ARP entries corresponding to the packets are not found in the forwarding table.
  • Page 125: Checking the Configuration

    By default, ARP suppression is disabled globally. Step 3 Run: arp anti-attack rate-limit limit The threshold for the transmission rate of ARP packets is set. After the threshold is set, packets exceeding it are discarded. By default, the threshold for the transmission rate of ARP packets is 100 pps.
  • Page 126: Maintaining ARP Security

    Others ------------------------------------------------------------------------ 4 specified IP addresses are configured, spec is 1024 items. ARP miss speed-limit for source-IP configuration: IP-address suppress-rate(pps)(rate=0 means function disabled) ------------------------------------------------------------------------ 10.0.0.1 10.0.0.2 10.0.0.8 2.1.1.10...
  • Page 127: Clearing the Statistics on Discarded ARP Packets

    Run the following command in the user view to clear the statistics. Procedure Run the reset arp packet statistics [ slot slot-id ] command to clear the statistics on ARP packets.
  • Page 128: Configuration Examples

    Run the debugging arp process [ slot slot-id | interface interface-type interface-number ] command to debug the processing of ARP packets. ----End 4.7 Configuration Examples This section provides several configuration examples of ARP security.
  • Page 129 Configuration Roadmap The configuration roadmap is as follows: Enable strict ARP learning. Enable interface-based ARP entry restriction. Enable the ARP anti-spoofing function. Enable the ARP anti-attack function for preventing ARP packets with the bogus gateway address.
  • Page 130 # Enable the ARP anti-attack function for preventing ARP packets with the bogus gateway address to prevent User 1 from sending ARP packets with the bogus gateway address.
  • Page 131 ARP speed-limit for source-IP configuration: IP-address suppress-rate(pps)(rate=0 means function disabled) ------------------------------------------------------------------------ 2.2.4.2 Others ------------------------------------------------------------------------ 1 specified IP addresses are configured, spec is 1024 items. ARP miss speed-limit for source-IP configuration:...
  • Page 132: Example for Configuring ARP Anti-Attack to Prevent Man-in-the-Middle Attacks

    4.7.2 Example for Configuring ARP Anti-Attack to Prevent Man-in-the-Middle Attacks Networking Requirements As shown in Figure 4-2, two users are connected to the S9300 through GE 1/0/1 and GE 1/0/2 respectively.
  • Page 133 Procedure Step 1 Configure the IP source guard function. # Enable the IP source guard function on GE 1/0/1 connected to the client. [Quidway] interface gigabitethernet 1/0/1...
  • Page 134 vlan batch 10 arp anti-attack check user-bind alarm threshold 80 user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface gigabitethernet 1/0/1 vlan 10 interface gigabitethernet 1/0/1 arp anti-attack check user-bind enable...
  • Page 135: Traffic Suppression Configuration

    Traffic Suppression Configuration About This Chapter This chapter describes the principle and configuration of traffic suppression. 5.1 Introduction to Traffic Suppression This section describes the principle of traffic suppression.
  • Page 136: Introduction to Traffic Suppression

    5.1 Introduction to Traffic Suppression This section describes the principle of traffic suppression. Broadcast packets entering the S9300 are forwarded on all the interfaces in a VLAN, and multicast packets are forwarded on the interfaces of the multicast group.
  • Page 137: Configuring Traffic Suppression on an Interface

    Data Type and number of the interface where traffic suppression needs to be configured Type of traffic (broadcast, multicast, or unknown unicast traffic) that needs to be...
  • Page 138: Checking the Configuration

    NOTE Suppression based on bandwidth percentage is equivalent to suppression based on packet rate. Assume the bandwidth of an interface is bandwidth (kbit/s). The percent-value parameter equals the packets keyword.
  • Page 139: Figure 5-1 Networking Diagram for Configuring Traffic Suppression

    Networking Requirements As shown in Figure 5-1, the S9300 is connected to a Layer 2 network and a Layer 3 router. To limit the number of broadcast, multicast, or unknown unicast packets forwarded on the Layer 2 network, you can configure traffic suppression on GE 1/0/2.
  • Page 140 ------------------------------------------------------------------------------- unknown-unicast cir: 100(kbit/s), cbs: 18800(byte) multicast percent percent: 80% broadcast cir: 100(kbit/s), cbs: 18800(byte) ------------------------------------------------------------------------------- ----End Configuration Files sysname Quidway interface gigabitethernet 1/0/2 unicast-suppression cir 100 cbs 18800...
  • Page 141: IP Source Trail Configuration

    IP Source Trail Configuration About This Chapter This chapter describes the principle of IP source trail and provides configuration methods and examples of IP source trail.
  • Page 142: Introduction to IP Source Trail

    6.1 Introduction to IP Source Trail This section describes the principle of IP source trail. IP source trail is a policy for preventing Denial of Service (DoS) attacks. It is mainly used to trace the attack source and to take defense measures once the attack source is confirmed.
  • Page 143: Configuring IP Source Trail

    6.3 Configuring IP Source Trail This section describes how to configure IP source trail. 6.3.1 Establishing the Configuration Task 6.3.2 Configuring IP Source Trail Based on the Destination IP Address 6.3.3 Checking the Configuration...
  • Page 144: Checking the Configuration

    6.3.3 Checking the Configuration Prerequisite The configurations of IP source trail are complete. Procedure Run the display ip source-trail [ ip-address ip-address ] command to check the statistics on IP source trail.
  • Page 145: Configuration Examples

    Context After the reset command is run to clear the statistics on IP source trail, all statistical entries on IP source trail are null when queried.
  • Page 146 Procedure Step 1 Configure IP source trail based on the destination IP address. <Quidway> system-view [Quidway] ip source-trail ip-address 10.0.0.3 Step 2 Verify the configuration. Run the display ip source-trail ip-address ip-address command to view the trace result for 10.0.0.3.
  • Page 147: URPF Configuration

    URPF Configuration About This Chapter This chapter describes the principle of Unicast Reverse Path Forwarding (URPF) and provides configuration methods and examples of URPF. 7.1 Introduction to URPF This section describes the principle of URPF.
  • Page 148: Introduction to URPF

    7.1 Introduction to URPF This section describes the principle of URPF. URPF is mainly used to prevent network attacks based on source address spoofing. As shown in Figure 7-1, S9300-A sends a packet to S9300-B using the spoofed source IP address 2.1.1.1.
  • Page 149: Configuring URPF

    7.3 Configuring URPF This section describes how to configure URPF. 7.3.1 Establishing the Configuration Task 7.3.2 Enabling URPF 7.3.3 Setting the URPF Check Mode on an Interface 7.3.4 (Optional) Disabling URPF for the Specified Traffic 7.3.5 Checking the Configuration...
  • Page 150: Setting the URPF Check Mode on an Interface

    Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: urpf slot slot-number URPF is enabled on an LPU. By default, URPF is disabled on an LPU.
  • Page 151: (Optional) Disabling URPF for the Specified Traffic

    VLAN, the S9300 does not perform the URPF check on traffic that matches the traffic classifier rules. For the configuration procedures of traffic classifiers and traffic policies, see Class-based QoS Configuration in the Quidway S9300 Terabit Routing Switch Configuration Guide - QoS. ----End 7.3.5 Checking the Configuration...
  • Page 152: Configuration Examples

    Prerequisite The configurations of URPF are complete. Procedure Run the display this command in the interface view to check whether URPF is enabled on the current interface. ----End Example Run the display this command to check whether URPF is enabled on GE 1/0/0.
  • Page 153 Data Preparation To complete the configuration, you need the following data: URPF strict check mode NOTE As shown in Figure 7-2, the networking uses symmetric routes. URPF strict check is recommended in the case of symmetric routes.
  • Page 155: ACL Configuration

    ACL Configuration About This Chapter This chapter describes how to configure the Access Control List (ACL). 8.1 Introduction to the ACL This section describes the basic concepts and parameters of an ACL.
  • Page 156: Introduction to the ACL

    When the ACL is imported by the upper-layer software, the packets matching the ACL are processed by the S9300 according to the action deny or permit defined in the ACL. For details on login user control, see the Quidway S9300 Terabit Routing Switch Configuration Guide - Basic Configurations.
  • Page 157: Configuring an ACL

    NOTE When the ACL is sent to the hardware and is imported by QoS to classify packets, the S9300 does not process packets according to the action defined in the traffic behavior if the packets do not match the ACL rule.
  • Page 158: Creating an ACL

    Data Name of the time range when the ACL takes effect, start time, and end time Number of the ACL Number of the ACL rule and the rule that identifies the type of packets, including...
  • Page 159: (Optional) Configuring the Description of an ACL

    Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] } A time range is set.
  • Page 160: Configuring an Advanced ACL

    Context Do as follows on the S9300. Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: acl [ number ] acl-number [ match-order { auto | config } ] A basic ACL is created.
  • Page 161: Configuring a Frame Header-Based ACL

    rule [ rule-id ] { deny | permit } { tcp | udp } [ destination { destination-address destination-wildcard | any } | destination-port eq port | dscp dscp |...
  • Page 162: (Optional) Setting the Step of an ACL

    8.3.8 (Optional) Setting the Step of an ACL Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: acl [ number ] acl-number The ACL view is displayed.
  • Page 163: Applying the ACL to the S9300

    Quidway S9300 Terabit Routing Switch Configuration Guide - Basic Configuration. An ACL can also be applied to the traffic classification function. For the application of an ACL in the traffic classification function, see the Quidway S9300 Terabit Routing Switch Configuration Guide - QoS.
  • Page 164: Configuring the Whitelist

    Context When the S9300 detects attacks from certain IP addresses or MAC addresses, it uses the blacklist to prevent the attacks. NOTE The blacklist has the highest level among ACLs. Before configuring a blacklist, you must confirm the characteristics of the attack packets.
  • Page 165: Checking the Configuration

    After the whitelist is configured, packets matching the rules defined in the whitelist are sent first after reaching the S9300. These packets are not affected by the blacklist.
  • Page 166: Monitoring the Running Status of an ACL

    Context CAUTION Statistics cannot be restored after being cleared, so confirm the action before you run the command. Procedure Run the reset blacklist command in the user view or system view to clear the statistics about a blacklist.
  • Page 167: Figure 8-1 Networking Diagram for Disabling URPF for the Specified Traffic

    strict URPF check on GE 1/0/1 and GE 2/0/1. In addition, the S9300 is required to trust the packets from user A, whose IP address is 10.0.0.2/24. In this case, you also need to disable the URPF check for packets sent by user A.
  • Page 168 # Configure the URPF mode on the interface. [Quidway] interface gigabitethernet 1/0/1 [Quidway-GigabitEthernet1/0/1] urpf strict [Quidway-GigabitEthernet1/0/1] quit [Quidway] interface gigabitethernet 2/0/1 [Quidway-GigabitEthernet2/0/1] urpf strict [Quidway-GigabitEthernet2/0/1] quit Step 2 Configure the traffic classifier based on the ACL rules.
  • Page 169: Example For Configuring An Advanced Acl

    Classifier: default-class
    Behavior: be
    -none-
    Classifier: tc1
    Behavior: tb1
    statistic: enable
    urpf switch: off
    ----End
    Configuration Files
    sysname Quidway
    urpf slot 1
    urpf slot 2
    acl number 2000
    rule 5 permit source 10.0.0.0 0.0.0.255...
  • Page 170: Figure 8-2 Networking Diagram For Configuring Ipv4 Acls

    Figure 8-2 Networking diagram for configuring IPv4 ACLs (figure labels: Salary query server 10.164.9.9; interfaces GE2/0/1, GE1/0/2, GE1/0/1, GE1/0/3; Marketing department and President's office, 10.164.2.0/24 and 10.164.1.0/24; R&D department 10.164.3.0/24)
    Configuration Roadmap: The configuration roadmap is as follows: Assign IP addresses to interfaces.
  • Page 171

    Procedure: Step 1 Assign IP addresses to interfaces.
    # Add interfaces to the VLAN and assign IP addresses to the VLANIF interfaces. Add GE 1/0/1, GE 2/0/1, and GE 3/0/1 to VLAN 10, VLAN 20, and VLAN 30 respectively, and add GE 2/0/1 to VLAN 100.
  • Page 172

    [Quidway] traffic behavior b_rd
    [Quidway-behavior-b_rd] deny
    [Quidway-behavior-b_rd] quit
    Step 6 Configure traffic policies.
    # Configure the traffic policy p_market and associate the traffic classifier c_market and the traffic behavior b_market with the traffic policy.
  • Page 173

    Policy: p_market
    Classifier: default-class
    Behavior: be
    -none-
    Classifier: c_market
    Behavior: b_market
    Deny
    Policy: p_rd
    Classifier: default-class
    Behavior: be
    -none-
    Classifier: c_rd
    Behavior: b_rd
    Deny
    ----End
    Configuration Files
    sysname Quidway...
  • Page 174: Example For Configuring A Frame Header-Based Acl

    port default vlan 20
    traffic-policy p_rd inbound
    interface GigabitEthernet1/0/3
    port link-type access
    port default vlan 30
    traffic-policy p_rd inbound
    interface GigabitEthernet2/0/1
    port link-type access
    port default vlan 100
    return
    8.6.3 Example for Configuring a Frame Header-based ACL...
  • Page 175

    Name of the traffic policy, and the traffic classifier and traffic behavior associated with the traffic policy. Interface that the traffic policy is applied to.
    Procedure: Step 1 Configure an ACL.
  • Page 176: Figure 8-4 Networking Diagram For Configuring The Blacklist And Whitelist

    <Quidway> display traffic policy user-defined tp1
    User Defined Traffic Policy Information:
    Policy: tp1
    Classifier: default-class
    Behavior: be
    -none-
    Classifier: tc1
    Behavior: tb1
    Deny
    ----End
    Configuration Files
    sysname Quidway...
  • Page 177

    Configuration Roadmap: The configuration roadmap is as follows: Configure the ACL and its rules. Configure the blacklist. Configure the whitelist.
    Data Preparation: To complete the configuration, you need the following data:...
  • Page 178

    [Quidway] display blacklist
    Blacklist, used:1
    Slot: 1 2
    --------------------------------------------------------------
    Summary: 27.125K packets
    --------------------------------------------------------------
    Acl 3001 Rule 27.125K packets
    # Check the statistics on the whitelist.
    [Quidway] display whitelist...
