Huawei Quidway S3700 Series Configuration Manual


Quidway S3700 Series Ethernet Switches
V100R006C00
Configuration Guide - Security
Issue 01
Date 2011-07-15
HUAWEI TECHNOLOGIES CO., LTD.


Summary of Contents for Huawei Quidway S3700 Series

  • Page 2 All other trademarks and trade names mentioned in this document are the property of their respective holders. Notice The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope.
  • Page 3: About This Document

    Quidway S3700 Series Ethernet Switches Configuration Guide - Security About This Document About This Document Intended Audience This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the security feature supported by the S3700.
  • Page 4: Command Conventions

    Command Conventions. The command conventions that may be found in this document are defined as follows. Convention: Boldface. Description: The keywords of a command line are in boldface.
  • Page 5: Table of Contents

    Contents: About This Document (ii); 1 AAA and User Management Configuration (1); 1.1 Introduction to AAA and User Management (2); 1.2 AAA and User Management Features Supported by the S3700 (2); 1.3 Configuring AAA Schemes (4); 1.3.1 Establishing the Configuration Task (4)...
  • Page 6 Contents: 1.5.10 (Optional) Setting HWTACACS Timers (23); 1.5.11 (Optional) Configuring Retransmission of Accounting-Stop Packet (23); 1.5.12 Checking the Configuration (24); 1.6 Configuring a Service Scheme (24); 1.6.1 Establishing the Configuration Task (25); 1.6.2 Creating a Service Scheme (25); 1.6.3 Setting the Administrator Level (26)...
  • Page 7 Contents: 2.3 Configuring Web Authentication (50); 2.3.1 Establishing the Configuration Task (50); 2.3.2 Configuring the Web Authentication Server (51); 2.3.3 Binding a Web Authentication Server to an Interface (52); 2.3.4 (Optional) Configuring the Free Rule for Web Authentication (52); 2.3.5 (Optional) Configuring the Web Authentication Policy (53)...
  • Page 8 Contents: 2.7.2 Example for Configuring 802.1x Authentication (78); 2.7.3 Example for Configuring MAC Address Authentication (81); 2.7.4 Example for Configuring the RADIUS Server to Deliver Authorization ACL (83); 3 DHCP Snooping Configuration (87); 3.1 Introduction to DHCP Snooping (89); 3.2 DHCP Snooping Features Supported by the S3700 (89)...
  • Page 9 Contents: 3.9 Maintaining DHCP Snooping (117); 3.9.1 Clearing DHCP Snooping Statistics (117); 3.9.2 Resetting the DHCP Snooping Binding Table (118); 3.10 Configuration Examples (118); 3.10.1 Example for Preventing Bogus DHCP Server Attacks (118); 3.10.2 Example for Preventing DoS Attacks by Changing the CHADDR Field (121); 3.10.3 Example for Preventing Attackers from Sending Bogus DHCP Messages for Extending IP Address...
  • Page 10 Contents: 5 Source IP Attack Defense Configuration (168); 5.1 Overview of IP Source Guard (169); 5.2 IP Source Guard Features Supported by the S3700 (169); 5.3 Configuring IP Source Guard (170); 5.3.1 Establishing the Configuration Task (170); 5.3.2 (Optional) Configuring a Static User Binding Entry (171)...
  • Page 11 Contents: 7.1 PPPoE+ Overview (195); 7.2 PPPoE+ Features Supported by the S3700 (195); 7.3 Configuring PPPoE+ (195); 7.3.1 Establishing the Configuration Task (195); 7.3.2 Enabling PPPoE+ Globally (196); 7.3.3 Configuring the Format and Contents of Fields to Be Added to PPPoE Packets (196); 7.3.4 Configuring the Action for Processing Original Fields in PPPoE Packets (196)...
  • Page 12 Contents: 9.5.2 Example for Configuring the Storm Control Function (221); 10 ACL Configuration (223); 10.1 Introduction to the ACL (224); 10.2 Classification of ACLs Supported by the S3700 (224); 10.3 Configuring an ACL (225); 10.3.1 Establishing the Configuration Task (225); 10.3.2 Creating an ACL (226)...
  • Page 13 Contents: 11.5.1 Example for Configuring ND Snooping on a Layer 2 Network (259). Issue 01 (2011-07-15) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.
  • Page 14: AAA and User Management Configuration

    This chapter describes the principle and configuration of Authentication, Authorization, and Accounting (AAA), local user management, Remote Authentication Dial in User Service (RADIUS), HUAWEI Terminal Access Controller Access Control System (HWTACACS), and domain. 1.1 Introduction to AAA and User Management This section describes the knowledge of AAA and user management.
  • Page 15: Introduction to AAA and User Management

    1.1 Introduction to AAA and User Management This section describes the knowledge of AAA and user management. AAA provides the following types of services: Authentication: determines whether a user is allowed to access the network.
  • Page 16: Local User Management

    The domain name delimiter can be @, |, or %. For example, the user "user@huawei" belongs to the domain "huawei". If there is no "@" in the user name, the user belongs to the domain default.
  • Page 17: Configuring AAA Schemes

    The S3700 supports up to 32 domains, including the two default domains. The priority of authorization configured in a domain is lower than the priority configured on an AAA server.
  • Page 18: Configuring an Authentication Scheme

    Data: name of the authentication scheme and authentication mode; name of the authorization scheme, authorization mode, (optional) user level in command-line-based authorization mode on the HWTACACS server, and (optional)
  • Page 19: Configuring an Authorization Scheme

    authentication-mode { hwtacacs | radius | local } [ none ] The authentication mode is set. none indicates the non-authentication mode. By default, the local authentication mode is used.
  • Page 20: Configuring an Accounting Scheme

    By default, an authorization scheme named default exists on the S3700. This scheme can be modified but cannot be deleted. Step 4 Run: authorization-mode [ hwtacacs ] { if-authenticated | local | none } The authorization mode is set.
  • Page 21: (Optional) Configuring a Recording Scheme

    The accounting mode is set. By default, the accounting mode is none. If the accounting mode is set to RADIUS or HWTACACS, you must configure the RADIUS or HWTACACS server template and apply the template to the corresponding user domain.
  • Page 22: Checking the Configuration

    Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: hwtacacs-server template The HWTACACS server template is created. Step 3 Run: aaa The AAA view is displayed.
  • Page 23: Configuring a RADIUS Server Template

    Prerequisite The configurations of AAA schemes are complete. Procedure Run the display aaa configuration command to check the summary of AAA. Run the display authentication-scheme [ authentication-scheme-name ] command to check the configuration of the authentication scheme.
  • Page 24: Creating a RADIUS Server Template

    Data: IP address of the RADIUS authentication server; IP address of the RADIUS accounting server; (Optional) shared key of the RADIUS server; (Optional) user name format supported by...
  • Page 25: Configuring the RADIUS Accounting Server

    radius-server authentication ip-address port [ source loopback interface-number ] The primary RADIUS authentication server is configured. By default, the IP address of the primary RADIUS authentication server is 0.0.0.0 and the port number is 0.
  • Page 26: (Optional) Setting a Shared Key for a RADIUS Server

    Step 3 Run: radius-server shared-key [ cipher | simple ] key-string The shared key is set for a RADIUS server. By default, the shared key of a RADIUS server is huawei. ----End 1.4.7 (Optional) Setting the User Name Format Supported by a...
  • Page 27: (Optional) Setting the Traffic Unit for a RADIUS Server

    Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: radius-server template template-name The RADIUS server template view is displayed. Step 3 Run: radius-server user-name domain-included The user name format supported by a RADIUS server is set.
  • Page 28: (Optional) Setting the NAS Port Format of a RADIUS Server

    1.4.10 (Optional) Setting the NAS Port Format of a RADIUS Server Context The NAS port format and the NAS port ID format are developed by Huawei and are used to maintain connectivity and service cooperation among Huawei devices. The NAS port format and NAS port ID format each have a new and an old form.
  • Page 29: Checking the Configuration

    NAS port format: slot number (4 bits) + subslot number (2 bits) + port number (2 bits) + VPI (8 bits) + VCI (16 bits).
  • Page 30: Configuring an HWTACACS Server Template

    Example After completing the configurations of the RADIUS server template, you can run the display radius-server configuration command to check the configuration of all templates.
  • Page 31: Establishing the Configuration Task

    1.5.1 Establishing the Configuration Task Applicable Environment In remote authentication or authorization mode, you need to configure a server template as required. You need to configure an HWTACACS server template if HWTACACS is used in an authentication or an authorization scheme.
  • Page 32: Configuring an HWTACACS Authentication Server

    The system view is displayed. Step 2 Run: hwtacacs-server template template-name An HWTACACS server template is created and the HWTACACS server template view is displayed.
  • Page 33: Configuring the HWTACACS Accounting Server

    Step 3 Run: hwtacacs-server authorization ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] The IP address of the primary HWTACACS authorization server is configured.
  • Page 34: (Optional) Setting the Shared Key of an HWTACACS Server

    Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: hwtacacs-server template template-name The HWTACACS server template view is displayed. Step 3 Run: hwtacacs-server source-ip ip-address The source IP address of HWTACACS packets is configured.
  • Page 35: (Optional) Setting the User Name Format for an HWTACACS Server

    1.5.8 (Optional) Setting the User Name Format for an HWTACACS Server Context NOTE A user name is in the user name@domain name format and the character string after "@" refers to the domain name.
  • Page 36: (Optional) Setting HWTACACS Timers

    By default, the traffic is expressed in bytes on the S3700. ----End 1.5.10 (Optional) Setting HWTACACS Timers Procedure Step 1 Run: system-view The system view is displayed.
  • Page 37: Checking the Configuration

    The system view is displayed. Step 2 Run: hwtacacs-server accounting-stop-packet resend { disable | enable number } The function of retransmitting the Accounting-Stop packet is configured.
  • Page 38: Establishing the Configuration Task

    1.6.1 Establishing the Configuration Task Applicable Environment Access users must acquire authorization information before getting online. Authorization information about users can be managed through the service scheme.
  • Page 39: Setting the Administrator Level

    Step 3 Run: service-scheme service-scheme-name A service scheme is created. service-scheme-name is a string of 1 to 32 characters, excluding / \ : * ? " < > | @ ' %.
  • Page 40: Checking the Configuration

    The service scheme view is displayed. Step 4 Run: dns ip-address The IP address of the primary DNS server is configured. Step 5 (Optional) Run: dns ip-address secondary The IP address of the secondary DNS server is configured.
  • Page 41: Creating a Domain

    NOTE The modification of a domain takes effect the next time a user logs in. Pre-configuration Tasks Before configuring a domain, complete the following tasks: Configuring authentication and authorization schemes...
  • Page 42: Configuring Authentication, Authorization, and Accounting Schemes for a Domain

    The S3700 supports up to 32 domains, including the two default domains. ----End Follow-up Procedure After creating a domain, you can run the domain domain-name [ admin ] command in the system view to configure the domain as the global default domain.
  • Page 43: Configuring a RADIUS Server Template for a Domain

    1.7.4 Configuring a RADIUS Server Template for a Domain Context If a remote RADIUS authentication scheme is used in a domain, you must apply a RADIUS server template to the domain.
  • Page 44: (Optional) Configuring a Service Scheme for a Domain

    The domain view is displayed. Step 4 Run: hwtacacs-server template-name An HWTACACS server template is configured for the domain. By default, no HWTACACS server template is configured for a domain.
  • Page 45: (Optional) Configuring the Domain Name Delimiter

    Step 2 Run: aaa The AAA view is displayed. Step 3 Run: domain domain-name The domain view is displayed. Step 4 Run: state { active | block } The status of the domain is set.
  • Page 46: Configuring Local User Management

    Procedure Run the display domain [ name domain-name ] command to check the configuration of the domain. ----End Example After the configuration, you can run the display domain command to view the summary of all domains.
  • Page 47: Creating a Local User

    Data: user name and password; access type of the local user; name of the FTP directory that the local user can access; status of the local user...
  • Page 48: (Optional) Configuring the FTP Directory That a Local User Can Access

    The system view is displayed. Step 2 Run: aaa The AAA view is displayed. Step 3 Run: local-user user-name service-type { 8021x | bind | ftp | http | ppp | ssh | telnet | terminal | web | x25-pad } The access type of the local user is set.
  • Page 49: (Optional) Setting the Level of a Local User

    The system view is displayed. Step 2 Run: aaa The AAA view is displayed. Step 3 Run: local-user user-name state { active | block } The status of a local user is set.
  • Page 50: Checking the Configuration

    Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: aaa The AAA view is displayed. Step 3 Run: local-user user-name access-limit max-number The maximum number of online local users is set.
  • Page 51: Maintaining AAA and User Management

    1.9 Maintaining AAA and User Management This section describes how to maintain AAA and user management. 1.9.1 Clearing the Statistics Context CAUTION Statistics cannot be restored after you clear them. So, confirm the action before you use the command.
  • Page 52: Configuration Examples

    As shown in Figure 1-1, users access the network through Switch A and are located in the domain huawei. Switch B acts as the network access server of the destination network. The access request of the user needs to pass through the networks of Switch A and Switch B to reach the authentication server.
  • Page 53 Figure 1-1 Networking diagram of RADIUS authentication and accounting (figure labels: Domain Huawei, Switch A, Switch B, 129.7.66.66/24, 129.7.66.67/24, Network, Destination Network). Configuration Roadmap The configuration roadmap is as follows: Configure a RADIUS server template.
  • Page 54 [Quidway-aaa] accounting-scheme 1 Info: Create a new accounting scheme [Quidway-aaa-accounting-1] accounting-mode radius [Quidway-aaa-accounting-1] quit Step 3 Configure the domain huawei and apply authentication scheme1, accounting scheme1, and RADIUS template shiva to the domain. [Quidway-aaa] domain huawei [Quidway-aaa-domain-huawei] authentication-scheme 1 [Quidway-aaa-domain-huawei] accounting-scheme 1 [Quidway-aaa-domain-huawei] radius-server shiva Step 4 Verify the configuration.
  • Page 55: Example for Configuring HWTACACS Authentication, Accounting, and Authorization

    Configuration Files sysname Quidway radius-server template shiva radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!! radius-server authentication 129.7.66.66 1812 radius-server authentication 129.7.66.67 1812 secondary radius-server accounting 129.7.66.66 1813 radius-server accounting 129.7.66.67 1813 secondary...
  • Page 56 Figure 1-2 Networking diagram of HWTACACS authentication, accounting, and authorization (figure labels: Domain Huawei, Switch A, Switch B, 129.7.66.66/24, 129.7.66.67/24, Network, Destination Network). Configuration Roadmap The configuration roadmap is as follows: Configure an HWTACACS server template.
  • Page 57 # Set the interval of interim accounting to 3 minutes. [Quidway-aaa-accounting-hwtacacs] accounting realtime 3 [Quidway-aaa-accounting-hwtacacs] quit Step 3 Create a domain Huawei and apply the authentication scheme 1-h, the HWTACACS authentication scheme, the HWTACACS accounting scheme, and the HWTACACS template of ht to the domain.
  • Page 58 Run the display hwtacacs-server template command on Switch B, and you can see that the configuration of the HWTACACS server template meets the requirements. <Quidway> display hwtacacs-server template ht...
  • Page 59 domain huawei authentication-scheme l-h accounting-scheme hwtacacs authorization-scheme hwtacacs hwtacacs-server ht return
  • Page 60: NAC Configuration

    NAC Configuration About This Chapter This chapter describes the working principle and configuration of network access control (NAC). 2.1 Introduction to NAC This section describes the working principle of NAC.
  • Page 61: Introduction to NAC

    2.1 Introduction to NAC This section describes the working principle of NAC. Traditional network security technologies focus on the threat brought by external computers, rather than the threat brought by internal computers. In addition, the current network devices cannot prevent the attacks initiated by the internal devices on the network.
  • Page 62: Authentication

    The Portal protocol enables Web servers to communicate with other devices. The Portal protocol is based on the client/server model and uses the User Datagram Protocol (UDP) as the transport protocol.
  • Page 63: NAC Features Supported by the S3700

    2.2 NAC Features Supported by the S3700 This section describes the NAC features supported by the S3700. Functioning as the network access device (NAD), the S3700 supports the following NAC features: Interface-based 802.1x authentication...
  • Page 64: Configuring the Web Authentication Server

    Pre-configuration Tasks Web authentication is only an implementation scheme to authenticate the user identity. To complete the user identity authentication, you need to select the RADIUS or local authentication method.
  • Page 65: Binding a Web Authentication Server to an Interface

    The Uniform Resource Locator (URL) is configured for the Web authentication server. Step 5 Run: port port-number [ all ] The interface of the Web authentication server to which the S3700 sends notification messages is configured.
  • Page 66: (Optional) Configuring the Web Authentication Policy

    Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: portal free-rule rule-id { destination { any | ip { ip-address mask { mask-length | ip-mask } | any } } | source { any | { interface interface-type interface-number | ip { ip-address mask { mask-length | ip-mask } | any } | vlan vlan-id } The free rule is configured.
  • Page 67: (Optional) Setting the Version of the Portal Protocol Packets

    Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: web-auth-server listening-port port-number The number of the port that listens for Portal packets is configured.
  • Page 68: Configuring 802.1x Authentication

    <Quidway> display web-auth-server configuration Listening port : 2000 Portal : version 1, version 2 Include reply message : enabled ------------------------------------------------------------------------ Web-auth-server Name : hw1 IP-address : 192.168.1.100 Shared-key...
  • Page 69: Enabling 802.1x Authentication on an Interface

    Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: dot1x enable 802.1x authentication is globally enabled. Running this command is equivalent to enabling 802.1x authentication globally. Related configurations of 802.1x authentication take effect only after 802.1x authentication is enabled.
  • Page 70: (Optional) Enabling MAC Bypass Authentication

    interface interface-type interface-number The interface view is displayed. Run: dot1x enable 802.1x authentication is enabled on the interface. If there are online users who logged in through 802.1x authentication, disabling 802.1x authentication is prohibited.
  • Page 71: Setting the Authentication Method for the 802.1x User

    After you run the dot1x mac-bypass command, the commands of enabling 802.1x authentication on the interface are overwritten. The details are as follows: – If 802.1x authentication is disabled on the interface, 802.1x authentication is enabled after you run the dot1x mac-bypass command.
  • Page 72: (Optional) Configuring the Interface Access Mode

    CAUTION EAP authentication can be used for 802.1x users only if RADIUS authentication is adopted. ----End 2.4.6 (Optional) Configuring the Interface Access Mode Context The 802.1x protocol can work in the following modes:...
  • Page 73: (Optional) Configuring the Authorization Status of an Interface

    CAUTION When 802.1x users are online, you cannot use this command to change the access mode of an interface. ----End 2.4.7 (Optional) Configuring the Authorization Status of an...
  • Page 74: (Optional) Setting the Maximum Number of Concurrent Access Users

    – authorized-force: An interface is always in the authorized state and allows users to access network resources without authentication. – unauthorized-force: An interface is always in the unauthorized state and does not allow users to access network resources.
  • Page 75: (Optional) Enabling DHCP Packets to Trigger Authentication

    NOTE When users are online on the S3700, you can use this command. The command is invalid for existing online users, but takes effect for users who undergo authentication after the command is run.
  • Page 76: (Optional) Configuring the Quiet Timer Function

    Step 2 Run: dot1x timer { client-timeout client-timeout-value | handshake-period handshake-period-value | quiet-period quiet-period-value | reauthenticate-period reauthenticate-period-value | server-timeout server-timeout-value | tx-period tx-period-value } The timers of 802.1x authentication are set.
  • Page 77: (Optional) Configuring 802.1x Re-authentication

    Step 3 Run: dot1x quiet-times fail-times The number of authentication failures within 60 seconds before the 802.1x user enters the silent state is set. By default, the number of authentication failures within 60 seconds before the 802.1x user enters the silent state is 3.
  • Page 78: (Optional) Configuring the Guest VLAN for 802.1x Authentication

    2.4.13 (Optional) Configuring the Guest VLAN for 802.1x Authentication Context When the user access mode is mac and guest VLAN is enabled, the S3700 broadcasts authentication request packets to all the 802.1x-enabled interfaces. If an interface does not respond when the maximum number of re-authentications is reached, the S3700 adds this interface to the guest VLAN.
  • Page 79: (Optional) Enabling the S3700 to Send Handshake Packets to Online Users

    Context The S3700 can send handshake packets to a Huawei client to detect whether the user is online. If the client does not support the handshake function, the S3700 will not receive handshake response packets within the handshake interval. In this case, you need to disable the user handshake function to prevent the S3700 from disconnecting users by mistake.
  • Page 80: Checking the Configuration

    The retransmission count of the authentication request is set. By default, the S3700 retransmits an authentication request to an access user twice. ----End 2.4.16 Checking the Configuration Prerequisite The configurations of 802.1x authentication are complete.
  • Page 81: Configuring MAC Address Authentication

    ------------------------------------------------------------------------------- Total matching items on slot 0 displayed = 64 View information about the MAC address added to the guest VLAN. <Quidway> display mac-address guest MAC address table of slot 0:...
  • Page 82: Enabling MAC Address Authentication on an Interface

    Context Before configuring MAC address authentication on an interface, enable MAC address authentication globally. Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: mac-authen MAC address authentication is enabled globally.
  • Page 83: Configuring a User Name for MAC Address Authentication

    In the interface view: Run: system-view The system view is displayed. Run: interface interface-type interface-number The interface view is displayed. Run: mac-authen MAC address authentication is enabled on the interface.
  • Page 84: (Optional) Setting the Timers of MAC Address Authentication

    Context If a user is authenticated by MAC address, or uses a fixed user name that does not contain a domain name, and no authentication domain is configured, the default authentication domain is used.
  • Page 85: (Optional) Configuring the Guest VLAN for MAC Address Authentication

    2.5.7 (Optional) Configuring the Guest VLAN for MAC Address Authentication Context If MAC address authentication fails after the guest VLAN function is enabled, the S3700 adds the user to the guest VLAN. Users in the guest VLAN can then access resources in the guest VLAN without MAC address authentication.
  • Page 86: (Optional) Re-Authenticating a User with the Specified MAC Address

    Context When the number of access users on an interface reaches the limit, the S3700 does not trigger authentication for users that connect to the interface later; therefore, these users cannot access the network.
  • Page 87: Checking The Configuration

    Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: mac-authen reauthenticate mac-address mac-address A specified user who has passed MAC address authentication is re-authenticated.
  • Page 88: Clearing Statistics About MAC Address Authentication

    Context CAUTION Statistics cannot be restored after being cleared. Confirm the action before you run the following commands. After confirming that the statistics should be reset, run the following commands in the user view.
  • Page 89 The user can access only the Web authentication server before authentication. After passing Web authentication, the user can access the external network. Figure 2-2 Network diagram for configuring Web authentication...
  • Page 90 Procedure Step 1 Set the IP address of the Layer 3 interface connected to the user. <Quidway> system-view [Quidway] vlan 10 [Quidway-vlan10] quit [Quidway] interface gigabitethernet 0/0/3 [Quidway-GigabitEthernet0/0/3] port link-type access...
  • Page 91: Example For Configuring 802.1X Authentication

    <Quidway> display web-auth-server configuration Listening port : 2000 Portal : version 1, version 2 Include reply message : enabled ------------------------------------------------------------------------ Web-auth-server Name : isp1 IP-address : 192.168.1.20 Shared-key...
  • Page 92 Figure 2-3 Networking diagram for configuring 802.1x authentication (labels: RADIUS Server 192.168.2.30, User, VLANIF 20 192.168.2.10, GE0/0/1, GE0/0/2, GE0/0/3, Switch, Printer, Internet) Configuration Roadmap The configuration roadmap is as follows: Configure a RADIUS server template.
  • Page 93 [Quidway-radius-rd1] radius-server authentication 192.168.2.30 1812 # Set the key and retransmission count of the RADIUS server. [Quidway-radius-rd1] radius-server shared-key cipher hello [Quidway-radius-rd1] radius-server retransmit 2 [Quidway-radius-rd1] quit Step 2 Create an authentication scheme web1 and set the authentication method to RADIUS authentication.
  • Page 94: Example for Configuring MAC Address Authentication

    sysname Quidway dot1x enable radius-server template rd1 radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!! radius-server authentication 192.168.2.30 1812 radius-server retransmit 2 authentication-scheme web1 authentication-mode radius domain isp1 authentication-scheme web1 radius-server rd1...
  • Page 95 Configure a RADIUS server template. Configure an AAA authentication template. Configure the domain of the users that use MAC address authentication. Configure MAC address authentication. Data Preparation...
  • Page 96: Example for Configuring the RADIUS Server to Deliver an Authorization ACL

    [Quidway-GigabitEthernet0/0/1] mac-authen max-user 100 [Quidway-GigabitEthernet0/0/1] quit # Specify domain isp1 as the domain of the users that use MAC address authentication. [Quidway] mac-authen domain isp1 Step 5 Verify the configuration.
  • Page 97: RADIUS Server

    Figure 2-5 Networking diagram for configuring 802.1x authentication (labels: RADIUS Server 100.1.1.1, HTTP Server 100.1.1.2, 192.168.1.1/24, 192.168.1.2/24, 192.168.1.10, Switch, Internet 101.0.0.2) Configuration Roadmap The configuration roadmap is as follows: Configure the RADIUS authentication server to deliver the authorization ACL.
  • Page 98 # Configure the IP address and port number of the primary RADIUS authentication server. [Quidway-radius-rd1] radius-server authentication 100.1.1.1 1812 # Configure the shared key of the RADIUS server.
  • Page 99 acl number 3000 rule 0 deny ip destination 101.0.0.2 0 authentication-scheme web1 authentication-mode radius domain isp1 authentication-scheme web1 accounting-scheme web1 radius-server rd1 return Issue 01 (2011-07-15) Huawei Proprietary and Confidential...
  • Page 100: DHCP Snooping Configuration

    Quidway S3700 Series Ethernet Switches Configuration Guide - Security 3 DHCP Snooping Configuration About This Chapter This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP) snooping on the S3700 to defend against DHCP attacks. 3.1 Introduction to DHCP Snooping This section describes the principle of DHCP snooping.
  • Page 101 3.10 Configuration Examples This section provides several configuration examples of DHCP snooping.
  • Page 102: Introduction to DHCP Snooping

    3.1 Introduction to DHCP Snooping This section describes the principle of DHCP snooping. DHCP snooping intercepts and analyzes the DHCP messages exchanged between DHCP clients and a DHCP server. From them it creates and maintains a DHCP snooping binding table, and it filters untrusted DHCP messages according to that table.
  • Page 103: DHCP Server

    Figure 3-1 Networking diagram for applying DHCP snooping on the S3700 on a Layer 2 network (labels: L3 network, DHCP relay, Switch with trusted and untrusted interfaces, DHCP server, L2 network)...
  • Page 104 Figure 3-2 Networking diagram for applying DHCP snooping on the S3700 that functions as the DHCP relay agent (labels: L3 network, Switch acting as DHCP relay with trusted and untrusted interfaces, DHCP network)...
  • Page 105: Preventing the Bogus DHCP Server Attack

    Table (columns: Type of Attack, DHCP Snooping Operation Mode). Attack by sending bogus messages to extend IP address leases: checking whether DHCP Request messages match entries in the DHCP snooping binding...
  • Page 106: Enabling DHCP Snooping

    3.3.2 Enabling DHCP Snooping After DHCP snooping is enabled globally, it must also be enabled on an interface or in a VLAN. Otherwise, DHCP snooping does not take effect.
  • Page 107: Configuring An Interface As A Trusted Interface

    system-view The system view is displayed. Run: dhcp enable DHCP is enabled globally. Run: dhcp snooping enable DHCP snooping is enabled globally. Run: interface interface-type interface-number The interface view is displayed.
  • Page 108: (Optional) Enabling Detection of Bogus DHCP Servers

    The dhcp snooping trusted command takes effect on an interface only after the interface has been added to the VLAN. ----End 3.3.4 (Optional) Enabling Detection of Bogus DHCP Servers Before enabling detection of bogus DHCP servers, ensure that DHCP snooping is enabled globally and on the interface.
  • Page 109: Preventing the DoS Attack by Changing the CHADDR Field

    3.4 Preventing the DoS Attack by Changing the CHADDR Field This section describes how to prevent attackers from attacking the DHCP server by modifying the CHADDR field.
  • Page 110 Enable DHCP snooping globally. Enable DHCP snooping on an interface or in a VLAN. Procedure Enabling DHCP snooping in the VLAN view Run: system-view The system view is displayed.
  • Page 111: Checking the CHADDR Field in DHCP Request Messages

    DHCP snooping is enabled globally. Run: interface interface-type interface-number The interface view is displayed. Run: dhcp snooping enable DHCP snooping is enabled on the interface. ----End 3.4.3 Checking the CHADDR Field in DHCP Request Messages If the CHADDR field in a DHCP Request message matches the source MAC address in the Ethernet frame header, the message is forwarded; otherwise it is discarded.
  • Page 112: Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases

    3.5 Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases This section describes how to prevent attackers from attacking the DHCP server by forging DHCP messages that extend IP address leases.
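Sections 3.1 to 3.5 describe four checks that all hang off the same binding table: server replies are accepted only on trusted interfaces, the CHADDR field must equal the Ethernet source MAC, renew and release messages must match an existing binding, and client messages are rate-limited per interface. The following Python is an added example, not the switch's code, that models those checks together so the interaction is visible. Everything in it is constructed: the interface names, MAC and IP addresses, the traffic, and the rate-limit window; the 100 pps figure is the interface default this chapter states later, and the drop-counter names mirror the display output shown in this chapter's examples.

```python
from dataclasses import dataclass, field

# Added example (not Huawei code): a minimal model of the DHCP snooping checks
# configured in this chapter. Interfaces, addresses and frames are constructed.

DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_TO_CLIENT = {OFFER, ACK, NAK}
NO_IP = "0.0.0.0"


@dataclass
class Frame:
    in_port: str              # interface the frame arrived on
    vlan: int
    src_mac: str              # Ethernet source address
    chaddr: str               # DHCP client hardware address field
    msg_type: int             # DHCP option 53
    ciaddr: str = NO_IP       # client's current address (set when renewing/releasing)
    yiaddr: str = NO_IP       # address assigned by the server (OFFER/ACK)
    t: float = 0.0            # arrival time in seconds, used by the rate limiter


@dataclass
class Snooper:
    trusted: set                                  # ports facing the DHCP server/relay
    max_rate: int = 100                           # client messages per second per port
    bindings: dict = field(default_factory=dict)  # (mac, vlan) -> (ip, port): the binding table
    pending: dict = field(default_factory=dict)   # (mac, vlan) -> port, waiting for the server's ACK
    drops: dict = field(default_factory=lambda: {
        "untrust-reply": 0, "dhcp-chaddr": 0, "dhcp-request": 0, "rate-limit": 0})
    _rate: dict = field(default_factory=dict)     # port -> [second, count]

    def _drop(self, reason: str) -> str:
        self.drops[reason] += 1
        return "drop: " + reason

    def process(self, f: Frame) -> str:
        key = (f.chaddr, f.vlan)
        if f.msg_type in SERVER_TO_CLIENT:
            # Bogus-server defence: OFFER/ACK/NAK are accepted only on trusted ports.
            if f.in_port not in self.trusted:
                return self._drop("untrust-reply")
            if f.msg_type == ACK and key in self.pending:
                # The lease is real: learn (IP, MAC, VLAN, port) into the binding table.
                self.bindings[key] = (f.yiaddr, self.pending.pop(key))
            elif f.msg_type == NAK:
                self.pending.pop(key, None)
            return "forward"
        if f.in_port in self.trusted:
            return "forward"            # client messages from the server side are not policed
        # Rate limit: a DISCOVER flood must not exhaust the server or the CPU.
        window = self._rate.setdefault(f.in_port, [int(f.t), 0])
        if window[0] != int(f.t):
            window[0], window[1] = int(f.t), 0
        window[1] += 1
        if window[1] > self.max_rate:
            return self._drop("rate-limit")
        # CHADDR check: a forged CHADDR behind a genuine source MAC is how an
        # attacker drains the address pool while evading per-MAC limits.
        if f.chaddr != f.src_mac:
            return self._drop("dhcp-chaddr")
        if f.msg_type in (REQUEST, RELEASE) and f.ciaddr != NO_IP:
            # Renew or release of an existing lease must match the binding
            # table, otherwise it is a bogus lease-extension or release message.
            if self.bindings.get(key) != (f.ciaddr, f.in_port):
                return self._drop("dhcp-request")
            if f.msg_type == RELEASE:
                del self.bindings[key]
        elif f.msg_type in (DISCOVER, REQUEST):
            self.pending[key] = f.in_port    # remember which port this client is on
        return "forward"


def run_scenario() -> tuple:
    """Constructed traffic: a legitimate client on Eth0/0/1, a rogue server and a
    spoofing attacker on Eth0/0/2, and a DISCOVER flood on Eth0/0/3."""
    s = Snooper(trusted={"GE0/0/1"})
    client, rogue, server = "00:e0:fc:00:00:01", "00:e0:fc:ba:d0:01", "00:e0:fc:00:00:aa"
    steps = [
        Frame("Eth0/0/1", 10, client, client, DISCOVER),
        Frame("Eth0/0/2", 10, rogue, client, OFFER, yiaddr="10.1.1.200"),   # rogue DHCP server
        Frame("GE0/0/1", 10, server, client, OFFER, yiaddr="10.1.1.5"),
        Frame("Eth0/0/1", 10, client, client, REQUEST),
        Frame("GE0/0/1", 10, server, client, ACK, yiaddr="10.1.1.5"),
        Frame("Eth0/0/2", 10, rogue, client, REQUEST),                      # forged CHADDR
        Frame("Eth0/0/2", 10, client, client, RELEASE, ciaddr="10.1.1.5"),  # spoofed MAC, wrong port
        Frame("Eth0/0/1", 10, client, client, REQUEST, ciaddr="10.1.1.5"),  # genuine renew
    ]
    verdicts = [s.process(f) for f in steps]
    flood = [s.process(Frame("Eth0/0/3", 10, "00:e0:fc:00:01:%02x" % i,
                             "00:e0:fc:00:01:%02x" % i, DISCOVER, t=5.0)) for i in range(150)]
    return verdicts, flood.count("drop: rate-limit"), dict(s.drops), dict(s.bindings)


if __name__ == "__main__":
    for item in run_scenario():
        print(item)
```

Two simplifications worth knowing before reading the model against the real device: the renew check keys on ciaddr, so an INIT-REBOOT request (ciaddr zero, address in option 50) is treated as a fresh request, and the rate window is a one-second bucket rather than whatever the switch's policer implements. The ordering, however, is the important part: a forged-CHADDR or bogus-release message from a user port is dropped before it can touch the binding table, while the same release from the client's own port is honoured.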
  • Page 113: Enabling DHCP Snooping

    Data Preparation To prevent the attacker from sending bogus DHCP messages for extending IP address leases, you need the following data. Data: type and number of the interface enabled with detection of bogus DHCP servers. 3.5.2 Enabling DHCP Snooping...
  • Page 114: Enabling Checking of DHCP Request Messages

    interface interface-type interface-number The interface view is displayed. (Optional) Run: dhcp snooping disable DHCP snooping is disabled on the specified interface in the VLAN. To disable DHCP snooping on a specified interface in a VLAN, perform steps 6 and...
  • Page 115: (Optional) Configuring the Option 82 Function

    The interface is a user-side interface. Step 3 Run: dhcp snooping check dhcp-request enable [ alarm dhcp-request { enable [ threshold threshold-value ] | threshold threshold-value } ] The interface is enabled to check DHCP Request messages.
  • Page 116: (Optional) Setting the Format of the Option 82 Field

    system-view The system view is displayed. Run: vlan vlan-id The VLAN view is displayed. Run: dhcp option82 insert enable interface { interface-name | interface-type interface-number } [ to interface-number ] Option 82 is appended to DHCP messages.
  • Page 117: (Optional) Appending the Option 18 Field or the Option 37 Field to DHCPv6 Request Messages

    NOTE If the customized format of the Option 82 field is used (that is, user-defined is specified), it is recommended that you specify the interface type, slot ID, and interface number in text.
  • Page 118: Checking The Configuration

    3.5.7 Checking the Configuration Checking the configuration of preventing the attacker from sending bogus DHCP messages for extending IP address leases. Prerequisite The configurations of preventing the attacker from sending bogus DHCP messages for extending IP address leases are complete.
  • Page 119: Enabling DHCP Snooping

    Enabling DHCP snooping globally Enabling check of the DHCP snooping binding table Data Preparation To set the maximum number of DHCP snooping users, you need the following data.
  • Page 120: Setting the Maximum Number of DHCP Snooping Users

    Return to the system view. (Optional) Run: interface interface-type interface-number The interface view is displayed. (Optional) Run: dhcp snooping disable DHCP snooping is disabled on the specified interface in the VLAN.
  • Page 121: (Optional) Configuring MAC Address Security on an Interface

    Or, run: vlan vlan-id The VLAN view is displayed. Step 4 Run: dhcp snooping max-user-number max-user-number The maximum number of DHCP snooping users allowed on an interface or in a VLAN is set.
  • Page 122: Checking The Configuration

    MAC addresses of static users in the static binding table cannot be converted to static MAC addresses. You need to configure static MAC addresses for the static users so that their packets are forwarded normally.
  • Page 123: Enabling DHCP Snooping

    Pre-configuration Tasks Before limiting the rate of sending packets, complete the following tasks: Configuring the DHCP server Configuring the DHCP relay agent Data Preparation To limit the rate of sending packets, you need the following data.
  • Page 124: Setting the Maximum Rate of Sending DHCP Messages

    DHCP snooping is enabled in a VLAN. Run: quit Return to the system view. (Optional) Run: interface interface-type interface-number The interface view is displayed. (Optional) Run: dhcp snooping disable DHCP snooping is disabled on the specified interface in the VLAN.
  • Page 125 The function of checking the rate of sending DHCP messages is enabled. By default, the function of checking the rate of sending DHCP messages is disabled globally.
  • Page 126: Checking The Configuration

    – The alarm threshold for discarded DHCP messages is set. By default, the function of checking the rate of sending DHCP messages to the DHCP stack is disabled on an interface; the rate limit of sending DHCP messages to the DHCP stack is 100 pps;...
  • Page 127: Enabling DHCP Snooping

    After the packet discarding alarm function is enabled, an alarm is generated when the number of discarded packets on the S3700 reaches the alarm threshold. Pre-configuration Tasks...
  • Page 128: Configuring The Packet Discarding Alarm Function

    DHCP snooping is enabled globally. Run: vlan vlan-id The VLAN view is displayed. Run: dhcp snooping enable DHCP snooping is enabled in a VLAN. Run: quit Return to the system view.
  • Page 129 The packet discarding alarm function configured globally takes effect for all interfaces. The packet discarding alarm function configured on an interface takes effect for that interface only. If the packet discarding alarm function is not configured on an interface, the global configuration is used.
  • Page 130: Checking The Configuration

    By default, the packet discarding alarm is disabled, and the threshold that triggers the alarm on discarded packets is 100. After the dhcp snooping alarm command is configured, the S3700 discards the following types of packets: –...
  • Page 131: Resetting the DHCP Snooping Binding Table

    Run the reset dhcp snooping statistics vlan vlan-id command to clear the statistics on discarded packets in the VLAN. ----End 3.9.2 Resetting the DHCP Snooping Binding Table After DHCP snooping is enabled, multiple binding entries are generated when DHCP users go online.
  • Page 132 Figure 3-3 Networking diagram for preventing bogus DHCP server attacks (labels: ISP network, L3 network, DHCP relay, L2 network, Switch, GE0/0/1 toward the DHCP server, GE0/0/2 toward the user network) Configuration Roadmap The configuration roadmap is as follows: (Assume that the DHCP server has been configured.)
  • Page 133 # Enable bogus DHCP server detection. [Quidway] dhcp server detect # Enable DHCP snooping on the user-side interface. [Quidway] interface gigabitethernet 0/0/2 [Quidway-GigabitEthernet0/0/2] dhcp snooping enable [Quidway-GigabitEthernet0/0/2] quit Step 2 Configure the interface as the trusted interface or an untrusted interface.
  • Page 134: Example for Preventing DoS Attacks by Changing the CHADDR Field

    Configuration Files dhcp enable dhcp snooping enable dhcp server detect interface GigabitEthernet0/0/1 dhcp snooping trusted interface GigabitEthernet0/0/2 dhcp snooping enable dhcp snooping alarm dhcp-reply enable threshold 120 return 3.10.2 Example for Preventing DoS Attacks by Changing the...
  • Page 135 Configuration Roadmap The configuration roadmap is as follows: Enable DHCP snooping globally and on the interface. Configure the interface connected to the DHCP server as the trusted interface.
  • Page 136: Example for Preventing Attackers from Sending Bogus DHCP Messages for Extending IP Address Leases

    Dhcp snooping enable is configured at interface : GigabitEthernet0/0/2 Dhcp snooping trusted is configured at interface : GigabitEthernet0/0/1 Dhcp option82 insert is configured at interface :NULL Dhcp option82 rebuild is configured at interface :NULL...
  • Page 137 Figure 3-5 Networking diagram for preventing attackers from sending bogus DHCP messages for extending IP address leases (labels: ISP network, L3 network, DHCP relay, L2 network, GE0/0/1, DHCP...)
  • Page 138 <Quidway> system-view [Quidway] dhcp enable [Quidway] dhcp snooping enable # Enable DHCP snooping on the user-side interface. [Quidway] interface gigabitethernet 0/0/2 [Quidway-GigabitEthernet0/0/2] dhcp snooping enable [Quidway-GigabitEthernet0/0/2] quit Step 2 Configure the interface as the trusted interface or an untrusted interface.
  • Page 139: Example for Limiting the Rate of Sending DHCP Messages

    dhcp packet dropped by dhcp-request checking = 45 dhcp packet dropped by untrust-reply checking = 0 ----End Configuration Files dhcp enable dhcp snooping enable interface GigabitEthernet0/0/1 dhcp snooping trusted...
  • Page 140 Enable DHCP snooping globally and in the interface view. Configure the interface connected to the DHCP server as the trusted interface. Set the rate of sending DHCP Request messages to the protocol stack on interfaces.
  • Page 141 Run the display dhcp snooping global command on the Switch to verify that DHCP snooping is enabled globally and in the interface view. [Quidway] display dhcp snooping global...
  • Page 142: Example for Applying DHCP Snooping on a Layer 2 Network

    3.10.5 Example for Applying DHCP Snooping on a Layer 2 Network This section describes the configuration of DHCP snooping on a Layer 2 network, including the configuration of the trusted interface, the function of checking DHCP messages, the function of limiting the rate of sending DHCP messages, and the Option 82 function.
  • Page 143 Set the rate of sending DHCP Request messages to the protocol stack to prevent attackers from sending a large number of DHCP Request messages. Configure the Option 82 function.
  • Page 144 [Quidway] interface ethernet 0/0/1 [Quidway-Ethernet0/0/1] dhcp snooping check dhcp-request enable alarm dhcp-request enable threshold 120 # Enable the checking of the CHADDR field and alarm function on the interfaces on the DHCP client side to prevent attackers from changing the CHADDR field in DHCP Request messages.
  • Page 145 Dhcp snooping enable is configured at these interface : Ethernet0/0/1 Ethernet0/0/2 Dhcp snooping trusted is configured at these interface : GigabitEthernet0/0/1 Dhcp option82 insert is configured at these interface :...
  • Page 146 dhcp option82 insert enable interface Ethernet0/0/2 dhcp snooping enable dhcp snooping alarm dhcp-reply enable threshold 120 dhcp snooping check dhcp-chaddr enable alarm dhcp-chaddr enable threshold 120 dhcp snooping check dhcp-request enable alarm dhcp-request enable threshold 120...
  • Page 147: ARP Security Configuration

    Quidway S3700 Series Ethernet Switches Configuration Guide - Security 4 ARP Security Configuration About This Chapter The ARP security technology ensures the security and robustness of network devices by filtering out untrusted ARP packets and performing timestamp suppression for some ARP packets.
  • Page 148: ARP Security Overview

    4.1 ARP Security Overview ARP attacks are common and have a great impact on networks. The S3700 defends against ARP attacks on the interface that is nearest to the attack source.
  • Page 149: ARP Security Supported by the S3700

    ARP Attack Defense Policy An attack defense policy should be deployed on the node nearest to the attack source to minimize the attack impact and improve attack defense efficiency.
  • Page 150 ARP Anti-Spoofing ARP spoofing means that attackers use ARP packets sent by other users to construct bogus ARP packets and modify ARP entries on the gateway. As a result, authorized users are disconnected from the network.
  • Page 151: Checking Source MAC Addresses of ARP Packets

    Suppression of ARP Miss Packets Based on the Source Address When a host attacks the device by sending a large number of IP packets whose destination IP addresses cannot be resolved, the S3700 suppresses the ARP Miss packets with the specified source IP address.
  • Page 152: Configuring Defense Against ARP DoS Attacks

    by the ARP protocol. After the arp anti-attack packet-check sender-mac command is used, the S3700 compares the source MAC address in the ARP packet header with the source MAC address in the Ethernet frame header, and discards packets in which the two differ.
  • Page 153 Table 4-1 ARP DoS attack defense scenarios and methods (columns: Packet Type, Scenario, Measures Taken by S3700). ARP request packet: An attacker sends a lot of ARP request packets to the S3700. The general idea is to suppress the...
  • Page 154: Configuring Source MAC Address-Based ARP Packet Suppression

    Data Source address and rate limit for ARP packet suppression (Optional) Alarm threshold of ARP packets discarded when the rate of ARP packets exceeds the limit Source address and rate limit for ARP Miss packet suppression...
  • Page 155: Configuring Source-Based ARP Miss Suppression

    The system view is displayed. Step 2 Run: arp speed-limit source-ip maximum maximum The suppression rate of ARP packets based on the source IP address is set.
  • Page 156: Configuring Rate Limit of ARP Miss Packets

    If the rate of ARP Miss packets from the specified IP address on this interface reaches the limit, the S3700 delivers an ACL rule to discard the IP packets that trigger ARP Miss. The ACL rule is cancelled after 50 seconds.
  • Page 157 Run: system-view The system view is displayed. Run: vlan vlan-id The VLAN view is displayed. Run: arp-miss anti-attack rate-limit enable Rate limit of ARP Miss packets is enabled.
  • Page 158: Configuring Rate Limit of ARP Packets

    The rate limit duration and the maximum rate of ARP Miss packets are set. After they are set, ARP Miss packets whose rate exceeds the maximum rate within the rate limit duration are discarded.
  • Page 159 By default, the alarm function is disabled when the rate of ARP packets exceeds the maximum rate. (Optional) Run: arp anti-attack rate-limit alarm threshold threshold The alarm threshold for the number of ARP packets discarded when the rate of ARP packets exceeds the maximum rate is set.
  • Page 160: Configuring the S3700 to Send Gratuitous ARP Packets

    The interface view is displayed. Run: arp anti-attack rate-limit enable Rate limit of ARP packets is enabled. By default, rate limit of ARP packets is disabled. Run: arp anti-attack rate-limit packet-number [ interval-value ] The rate limit duration and the maximum rate of ARP packets are set.
  • Page 161: Checking The Configuration

    The system view is displayed. Step 2 (Optional) Run: interface vlanif vlan-id The VLANIF interface view is displayed. Step 3 Run: arp gratuitous-arp send enable The function of sending gratuitous ARP packets is enabled.
  • Page 162: Configuring ARP Anti-Spoofing

    Interface configuration: Vlan configuration: ------------------------------------------------------------------------------- ARP miss rate-limit configuration: ------------------------------------------------------------------------------- Global configuration: Interface configuration: Vlan configuration: ------------------------------------------------------------------------------- ARP speed-limit for source-MAC configuration: MAC-address suppress-rate(pps)(rate=0 means function disabled)
  • Page 163 Applicable Environment As shown in Table 4-2, the S3700 provides various methods to prevent ARP spoofing attacks. Table 4-2 ARP anti-spoofing scenarios and methods Scenario Description Measures Taken by S3700...
  • Page 164: Enabling Strict ARP Entry Learning

    Quidway S3700 Series Ethernet Switches Configuration Guide - Security 4 ARP Security Configuration Scenario Description Measures Taken by S3700 Man-in-the- The attacker modifies information The S3700 generates a binding table middle attack about both host and gateway: to check ARP packets against binding...
  • Page 165: Configuring Interface-Based Arp Entry Restriction

    Quidway S3700 Series Ethernet Switches Configuration Guide - Security 4 ARP Security Configuration Procedure Configuring strict ARP entry learning globally Run: system-view The system view is displayed. Run: arp learning strict Strict ARP learning is enabled. By default, strict ARP learning is enabled on the S3700.
  • Page 166: Preventing The Arp Address Spoofing Attack

    Quidway S3700 Series Ethernet Switches Configuration Guide - Security 4 ARP Security Configuration interface interface-type interface-number The interface view is displayed. On the non-VLANIF interface, run: arp-limit [ vlan vlan-id1 [ to vlan-id2 ]] maximum maximum Interface-based ARP entry restriction is configured on the interface.
  • Page 167: Preventing The Man-In-The-Middle Attack

    Quidway S3700 Series Ethernet Switches Configuration Guide - Security 4 ARP Security Configuration in a period (the default value is three minutes). This can prevent ARP packets with the bogus gateway address from being broadcast on a VLAN. ----End 4.5.6 Preventing the Man-in-the-Middle Attack Context To prevent man-in-the-middle attacks, you can configure the S3700 to check ARP packets.
  • Page 168: Optional) Configuring The Function Of Discarding Ip Packets With The Same Source And Destination Ip Addresses

    Quidway S3700 Series Ethernet Switches Configuration Guide - Security 4 ARP Security Configuration By default, the check items consist of IP address, MAC address, VLAN, and interface. The packets that do not match the binding table are discarded. NOTE The mode of checking ARP packets takes no effect for the user host configured with the static binding table.
  • Page 169: Checking The Configuration

    Quidway S3700 Series Ethernet Switches Configuration Guide - Security 4 ARP Security Configuration Context This task is performed to enable DHCP-triggered ARP learning. When the DHCP server assigns an IP address to the user, the S3700 obtains the MAC address of the user and generates the ARP entry corresponding to the IP address after responding to DHCP ACK messages.
  • Page 170 Quidway S3700 Series Ethernet Switches Configuration Guide - Security 4 ARP Security Configuration Example Run the display arp anti-attack configuration all command, and you can view the configuration of ARP anti-attack. <Quidway> display arp anti-attack configuration all ARP anti-attack packet-check function: disable...
  • Page 171: Maintaining Arp Security

    Quidway S3700 Series Ethernet Switches Configuration Guide - Security 4 ARP Security Configuration 4.6 Maintaining ARP Security This section describes how to maintain ARP security. 4.6.1 Displaying the Statistics About ARP Packets You can use the display command to view the Statistics on ARP Packets.
  • Page 172: Debugging Arp Packets

    Quidway S3700 Series Ethernet Switches Configuration Guide - Security 4 ARP Security Configuration Context CAUTION Statistics cannot be restored after being cleared. So, confirm the action before you run the command. To clear the statistics on discarded ARP packets, run the following commands in the user view.
  • Page 173: Configuration Examples

    Quidway S3700 Series Ethernet Switches Configuration Guide - Security 4 ARP Security Configuration The interval for sending an ARP alarm an log is set for potential attacks. The log and alarm functions for potential attacks take effect for all the ARP packets.
  • Page 174 Quidway S3700 Series Ethernet Switches Configuration Guide - Security 4 ARP Security Configuration Figure 4-1 Networking diagram for configuring ARP security functions Switch Ethernet0/0/3 Ethernet0/0/1 Ethernet0/0/2 Server VLAN10 VLAN20 User4 User1 User2 User3 Configuration Roadmap The configuration roadmap is as follows: Enable strict ARP learning.
  • Page 175 Quidway S3700 Series Ethernet Switches Configuration Guide - Security 4 ARP Security Configuration Procedure Step 1 Enable strict ARP learning. <Quidway> system-view [Quidway] arp learning strict Step 2 Configure interface-based ARP entry restriction. # The number of limited ARP entries on each interface is 20. The following lists the configuration of Ethernet 0/0/1, and the configurations of other interfaces are the same as the configuration of Ethernet 0/0/1.
  • Page 176 Quidway S3700 Series Ethernet Switches Configuration Guide - Security 4 ARP Security Configuration interface LearningStrictState ------------------------------------------------------------ ------------------------------------------------------------ Total:0 force-enable:0 force-disable:0 You can use the display arp-limit command to check the maximum number of ARP entries learned by the interface. <Quidway> display arp-limit interface ethernet 0/0/1...
  • Page 177: Example For Configuring Arp Anti-Attack To Prevent Man-In-The-Middle Attacks

    Quidway S3700 Series Ethernet Switches Configuration Guide - Security 4 ARP Security Configuration ARP Pkt Discard For SpeedLimit: ARP Pkt Discard For Other: <Quidway> display arp anti-attack gateway-duplicate item interface IP address MAC address VLANID aging time ------------------------------------------------------------------------------- GigabitEthernet0/0/1 2.1.1.1...
  • Page 178 Quidway S3700 Series Ethernet Switches Configuration Guide - Security 4 ARP Security Configuration Figure 4-2 Networking diagram for prevent man-in-the-middle attacks Attacker Switch Ethernet0/0/2 Ethernet0/0/1 Server IP:10.0.0.1/24 MAC:1-1-1 VLAN ID:10 Client Configuration Roadmap The configuration roadmap is as follows: Enable the IP source guard function.
  • Page 179 Quidway S3700 Series Ethernet Switches Configuration Guide - Security 4 ARP Security Configuration Step 2 Configure the alarm function for discarded packets. # Set the alarm threshold of the ARP packets discarded because they do not match the binding table on Ethernet 0/0/1 connected to the client.
  • Page 180 Quidway S3700 Series Ethernet Switches Configuration Guide - Security 4 ARP Security Configuration return Issue 01 (2011-07-15) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.
  • Page 181: Source IP Attack Defense Configuration

    5 Source IP Attack Defense Configuration. About This Chapter: This chapter describes the principle and configuration of defense against source IP address attacks. 5.1 Overview of IP Source Guard: This section describes the principle of IP Source Guard.
  • Page 182: Overview Of IP Source Guard

    5.1 Overview of IP Source Guard This section describes the principle of IP Source Guard. Source IP address spoofing is a common network attack: for example, the attacker impersonates a valid user and sends IP packets to the server, or forges the source IP address of users for communication.
  • Page 183: Configuring IP Source Guard

    IP Source Guard: The IP Source Guard feature checks IP packets against the binding table, which includes the source IP address, source MAC address, interface, and VLAN. For example, in...
  • Page 184: (Optional) Configuring A Static User Binding Entry

    Data (Optional) User information in a static binding entry, including the IPv4 or IPv6 address, MAC address, VLAN ID, and interface number of the user...
  • Page 185: Configuring The Check Items Of IP Packets

    Or, run: vlan vlan-id The VLAN view is displayed. Step 3 Run: ip source check user-bind enable The IP source guard function is enabled on the interface.
  • Page 186: (Optional) Configuring The Alarm Function Of IP Source Guard

    NOTE This command is valid only for dynamic binding entries. ----End 5.3.5 (Optional) Configuring the Alarm Function of IP Source Guard When the alarm function of IP source guard is enabled, the S3700 counts the number of received IP packets whose rate exceeds the threshold.
  • Page 187: Checking The Configuration

    The system view is displayed. Step 2 Run: ip anti-attack source-ip equals destination-ip drop The function of discarding IP packets with the same source and destination IP addresses is enabled.
  • Page 188 Figure 5-2 Networking diagram for configuring IP source guard (Server; Switch with Ethernet0/0/1 and Ethernet0/0/2; Host A: IP 10.0.0.1/24, MAC 1-1-1; Host B (Attacker): IP 10.0.0.2/24, MAC 2-2-2; packets sent with SIP 10.0.0.1/24 and SMAC 2-2-2). Configuration Roadmap Assume that the user obtains an IP address through DHCP.
  • Page 189 # Enable the IP source guard function on Ethernet 0/0/2 connected to Host B. [Quidway] interface ethernet 0/0/2 [Quidway-Ethernet0/0/2] ip source check user-bind enable [Quidway-Ethernet0/0/2] quit # Enable the alarm function for checking the received IP packets on Ethernet 0/0/2 connected to Host B.
  • Page 190: Local Attack Defense Configuration

    6 Local Attack Defense Configuration. About This Chapter: This chapter describes the principle and configuration of local attack defense. 6.1 Overview of Local Attack Defense: This section describes the principle of local attack defense.
  • Page 191: Overview Of Local Attack Defense

    6.1 Overview of Local Attack Defense This section describes the principle of local attack defense. As networks develop and are more widely used, users place higher requirements on the security of the network and network devices.
  • Page 192: Creating An Attack Defense Policy

    Pre-configuration Tasks Before configuring an attack defense policy, complete the following task: connecting interfaces and setting the physical parameters of each interface to ensure that the physical layer is in the Up state. Data Preparation To configure an attack defense policy, you need the following data.
  • Page 193: (Optional) Configuring The Rule For Sending Packets To The CPU

    Context You can create a blacklist and add users matching bound ACL rules to the blacklist. The packets sent from the users in the blacklist are discarded by default. The S3700 supports the flexible setting of the blacklist through ACLs.
  • Page 194: (Optional) Setting The Queue Number For Protocol Packets Sent To The CPU

    Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: cpu-defend policy policy-name The attack defense policy view is displayed. Step 3 Run: linkup-car packet-type { bgp | ftp | ospf } cir cir-value [ cbs cbs-value ] The rate limit for BGP, FTP, or OSPF packets is set.
  • Page 195: Applying The Attack Defense Policy

    Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: cpu-defend policy policy-name The attack defense policy view is displayed. Step 3 Run: queue packet-type packet-type queue-value The queue number for protocol packets sent to the CPU is set.
  • Page 196 Run the display cpu-defend configuration [ packet-type packet-type ] { all | slot slot-id } command to view the CAR configuration of packets sent to the CPU.
  • Page 197: Configuring Attack Source Tracing

    Enabled 10000 telnet Enabled 10000 ttl-expired Enabled 10000 vrrp Disabled 10000 vrrp6 Disabled 10000 ---------------------------------------------------------------------- Linkup Information: ---------------------------------------------------------------------------- Packet Name Cir(Kbps)/Cbs(Byte) SIP(SMAC) DIP(DMAC) Port(C/S) ---------------------------------------------------------------------------- 512/64000 6.6.6.6...
  • Page 198: Configuring Attack Source Tracing

    Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: cpu-defend policy policy-name An attack defense policy is created and the attack defense policy view is displayed.
  • Page 199: (Optional) Setting The Attack Source Tracing Mode

    By default, the alarm function of attack source tracing is disabled. Step 6 Run: auto-defend alarm threshold threshold The alarm threshold for attack source tracing is set.
  • Page 200: (Optional) Specifying Protocol Types Supporting Source Tracing

    The system view is displayed. Step 2 Run: cpu-defend policy policy-name The attack defense policy view is displayed. Step 3 Run: auto-defend enable Automatic attack source tracing is enabled.
  • Page 201: (Optional) Configuring Auto-Defend Function For Source Tracing

    auto-defend protocol { { arp | icmp | dhcp | igmp | ttl-expired | tcp | telnet } * | all } The protocol types supporting source tracing are specified.
  • Page 202: Applying The Attack Defense Policy

    Step 2 Run: cpu-defend policy policy-name The attack defense policy view is displayed. Step 3 Run: auto-defend enable Automatic attack source tracing is enabled. By default, automatic attack source tracing is disabled.
  • Page 203: Maintaining The Attack Defense Policy

    Run the display auto-defend attack-source [ detail ] command to view the list of attack sources configured globally. ----End Example Run the display cpu-defend policy command, and you can view information about the attack defense policy.
  • Page 204: Configuration Examples

    Procedure Step 1 Run: system-view The system view is displayed. Step 2 On the S3700EI and S3700SI, run: reset auto-defend attack-source The statistics about the attack source are cleared.
  • Page 205 Configuration Roadmap The configuration roadmap is as follows: Configure the ACL and define rules for filtering the packets to be sent to the CPU. Create an attack defense policy and configure the whitelist, blacklist, and user-defined flow.
  • Page 206 Configuration : Blacklist 1 ACL number : 2001 Car packet-type arp-request : CIR(128) CBS(24064) Car all-packets pps : 500 (default) # View information about CAR. <Quidway> display cpu-defend arp-request configuration all Car Configurations On Slot 0.
  • Page 207: PPPoE+ Configuration

    7 PPPoE+ Configuration. About This Chapter: This chapter describes how to configure PPPoE+. 7.1 PPPoE+ Overview: This section describes the principle of PPPoE+. 7.2 PPPoE+ Features Supported by the S3700: This section describes the PPPoE+ features supported by the S3700.
  • Page 208: PPPoE+ Overview

    7.1 PPPoE+ Overview This section describes the principle of PPPoE+. Currently, PPPoE provides good authentication and security mechanisms but still has certain disadvantages, for example, account theft. In common PPPoE dial-up mode, when users dial up through PPPoE from different interfaces of devices, they can access the network as long as their accounts are authenticated successfully on the same RADIUS server.
  • Page 209: Enabling PPPoE+ Globally

    7.3.2 Enabling PPPoE+ Globally Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: pppoe intermediate-agent information enable PPPoE+ is enabled globally. After the pppoe intermediate-agent information enable command is run in the system view, PPPoE+ is enabled on all the interfaces.
  • Page 210: Configuring The PPPoE Trusted Interface

    adopt a different action on an interface, run the pppoe intermediate-agent information policy command in the interface view. In this case, the action for processing packets on the interface depends on the configuration of the interface.
  • Page 211: Checking The Configuration

    Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: interface interface-type interface-number The Ethernet interface view is displayed. Step 3 Run: pppoe uplink-port trusted The interface is configured as the trusted interface.
  • Page 212 Figure 7-1 Networking diagram for configuring PPPoE+ (IP network; PPPoE server; PPPoE+ Switch with GE0/0/1, Ethernet 0/0/1, and Ethernet 0/0/2; two PPPoE clients). Configuration Roadmap The configuration roadmap is as follows: Enable PPPoE+ globally.
  • Page 213 Step 3 Configure the action for processing original fields in PPPoE packets. Configure all the interfaces to replace original fields in PPPoE packets with the circuit ID of the Switch.
  • Page 214: MFF Configuration

    8 MFF Configuration. About This Chapter: This chapter describes the principle and configuration of the MAC-Forced Forwarding (MFF) function. 8.1 MFF Overview: This section describes the principle of the MFF function.
  • Page 215: MFF Overview

    8.1 MFF Overview This section describes the principle of the MFF function. Background In traditional Ethernet solutions, VLANs are usually configured on switches to implement Layer 2 isolation and Layer 3 interconnection between clients. When many users need to be isolated on Layer 2, a large number of VLANs are required.
  • Page 216: MFF Features Supported By The S3700

    8.2 MFF Features Supported by the S3700 This section describes the MFF features supported by the S3700. Static Gateway The static gateway is applicable to the scenario where the IP addresses are set statically. When users are assigned IP addresses statically, the users cannot obtain the gateway information through the DHCP packets.
  • Page 217: Configuring MFF

    Transparently Transmitting User Status Detection Packets If the gateway provides the accounting function, it needs to detect whether users are online. The MFF-enabled S3700 can transparently transmit user status detection packets so that the gateway is aware of user status changes immediately.
  • Page 218: Configuring The MFF Network Interface

    Context You can perform other MFF configurations only after enabling the global MFF. Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: mac-forced-forwarding enable The global MFF is enabled.
  • Page 219: (Optional) Configuring The Static Gateway Address

    Context If an MFF-enabled network has multiple S3700s, at least one Network-to-Network Interface (NNI) must reside in the VLAN configured with MFF. Procedure Step 1 Run: system-view The system view is displayed.
  • Page 220: (Optional) Setting The Server Address

    Step 2 Run: vlan vlan-id The VLAN view is displayed. Step 3 Run: mac-forced-forwarding gateway-detect The timed gateway address detection is enabled. After the timed gateway address detection is enabled, the S3700 sends ARP packets periodically to detect the gateway.
  • Page 221: (Optional) Discarding IPv6 Packets Sent From Users

    The gateway is allowed to detect online users by sending ARP request packets. ----End 8.3.9 (Optional) Discarding IPv6 Packets Sent from Users Procedure Step 1 Run: system-view The system view is displayed.
  • Page 222: Configuration Examples

    192.168.1.3 -------------------------------------------------------------------- User IP User MAC Gateway IP Gateway MAC -------------------------------------------------------------------- 192.168.1.10 00-01-00-01-00-01 192.168.1.254 00-02-00-02-00-01 192.168.1.11 00-01-00-01-00-02 192.168.1.254 00-02-00-02-00-01 192.168.1.12 00-01-00-01-00-03 192.168.1.252 00-02-00-02-00-03 -------------------------------------------------------------------- [Vlan 100] MFF host total count = 3 8.4 Configuration Examples...
  • Page 223 Enable global MFF. Configure the MFF network interfaces. Enable MFF for the VLAN. (Optional) Enable the function of timed gateway address detection. (Optional) Configure the server. Data Preparation...
  • Page 224 # Enable global MFF on Switch A. [SwitchA] mac-forced-forwarding enable # Enable global MFF on Switch B. [SwitchB] mac-forced-forwarding enable Step 3 Configure the MFF network interfaces. # Configure GE 0/0/1 of Switch A as the network interface.
  • Page 225 vlan 10 mac-forced-forwarding enable mac-forced-forwarding gateway-detect mac-forced-forwarding server 10.10.10.1 interface GigabitEthernet0/0/1 port link-type access port default vlan 10 dhcp snooping enable dhcp snooping trusted mac-forced-forwarding network-port interface GigabitEthernet0/0/2...
  • Page 226: Traffic Suppression Configuration

    9 Traffic Suppression Configuration. About This Chapter: This chapter describes the principle and configuration of traffic suppression. 9.1 Introduction to Traffic Suppression: This section describes the principle of traffic suppression.
  • Page 227: Introduction To Traffic Suppression

    9.1 Introduction to Traffic Suppression This section describes the principle of traffic suppression. Broadcast, multicast, and unknown unicast packets entering the S3700 are forwarded on all interfaces in a VLAN. These three types of packets consume a great deal of bandwidth, reduce the available bandwidth of the system, and affect normal forwarding and processing capabilities.
  • Page 228: Configuring Traffic Suppression On An Interface

    Data: type of traffic (broadcast, multicast, or unknown unicast traffic) that needs to be suppressed; mode in which traffic is suppressed (packet rate, or rate percentage on a physical interface); limited rate, including packet rate and bandwidth percentage.
  • Page 229: (Optional) Configuring Broadcast Suppression In A VLAN

    The outgoing packets on the interface are blocked. ----End 9.3.3 (Optional) Configuring Broadcast Suppression in a VLAN Procedure Step 1 Run: system-view The system view is displayed.
  • Page 230: Checking The Configuration

    Step 3 Run: icmp rate-limit { total | interface interface-type interface-number [ to interface-number ] } threshold threshold-value The rate threshold of ICMP packets is set on an interface.
  • Page 231: Configuring The Storm Control Function

    Pre-configuration Tasks Before configuring the storm control function, complete the following tasks: setting link layer parameters of interfaces; setting physical parameters of interfaces. Data Preparation To configure the storm control function, you need the following data.
  • Page 232: Checking The Configuration

    The function of recording logs or reporting traps is enabled during storm control. By default, the functions of recording logs and reporting traps are disabled. Step 6 (Optional) Run: storm-control interval interval-value The interval for detecting storms is set.
  • Page 233 Figure 9-1 Networking diagram for configuring traffic suppression (Switch with GE0/0/1 and GE0/0/2, between an L2 network and an L3 network). Configuration Roadmap Configure traffic suppression in the interface view of GE 0/0/1.
  • Page 234: Example For Configuring The Storm Control Function

    Configuration Files sysname Quidway interface gigabitethernet0/0/1 unicast-suppression 80 multicast-suppression 80 broadcast-suppression 80 return 9.5.2 Example for Configuring the Storm Control Function Networking Requirements As shown in Figure...
  • Page 235 Procedure Step 1 Enter the interface view. <Quidway> system-view [Quidway] interface gigabitethernet 0/0/1 Step 2 Configure storm control for broadcast packets. [Quidway-GigabitEthernet0/0/1] storm-control broadcast min-rate 1000 max-rate 2000 Step 3 Configure storm control for multicast packets.
  • Page 236: Acl Configuration

    Quidway S3700 Series Ethernet Switches Configuration Guide - Security 10 ACL Configuration ACL Configuration About This Chapter The ACL classifies packets according to the rules. After these rules are applied to the interfaces on the S3700, the S3700 can determine packets that are received and rejected.
  • Page 237: Introduction To The Acl

    Quidway S3700 Series Ethernet Switches Configuration Guide - Security 10 ACL Configuration 10.1 Introduction to the ACL This section describes the basic concepts and parameters of an ACL. To filter packets, a set of rules needs to be configured on the S3700 to determine the data packets that can pass through.
  • Page 238: Configuring An Acl

    Quidway S3700 Series Ethernet Switches Configuration Guide - Security 10 ACL Configuration traffic behavior, see the Quidway S3700 Series Ethernet Switches Configuration Guide - QoS. Software-based application: When the ACL is imported by the upper-layer software, for example, the ACL is imported when the control function is configured for login users, you can use the ACL to control FTP, Telnet and SSH users.
  • Page 239: Creating An Acl

    Quidway S3700 Series Ethernet Switches Configuration Guide - Security 10 ACL Configuration Data Number of ACL rule and the rule that identifies the type of packets, including protocol, source address, source port, destination address, destination port, the type and code of Internet Control Message Protocol (ICMP), IP precedence, and Type of...
  • Page 240: Optional) Setting The Time Range When An Acl Takes Effect

    Quidway S3700 Series Ethernet Switches Configuration Guide - Security 10 ACL Configuration An ACL with the specified name is created. If the number of a named ACL is not specified, the S3700 automatically allocates a number to the named ACL. The following situations are involved: –...
  • Page 241: Configuring A Basic Acl

    Quidway S3700 Series Ethernet Switches Configuration Guide - Security 10 ACL Configuration Or, run: acl name acl-name The ACL view is displayed. Step 3 Run: description description The description of the ACL is configured. The description of an ACL is a string of up to 127 characters, describing the usage of the ACL.
  • Page 242: Configuring A Layer 2 Acl

    Quidway S3700 Series Ethernet Switches Configuration Guide - Security 10 ACL Configuration Step 2 Run: acl [ number ] acl-number An advanced ACL is created based on the number. Or, run: acl name acl-name [ advance | acl-number ] An advanced ACL is created based on the name.
  • Page 243: Creating A User-Defined Acl

    Quidway S3700 Series Ethernet Switches Configuration Guide - Security 10 ACL Configuration Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: acl [ number ] acl-number A layer 2 ACL is created based on the number.
  • Page 244: Optional) Setting The Step Between Acl Rules

    Quidway S3700 Series Ethernet Switches Configuration Guide - Security 10 ACL Configuration A user-defined ACL is configured. ----End 10.3.9 (Optional) Setting the Step Between ACL Rules The S3700 can automatically allocates numbers to ACLs according to the step between ACL rules.
  • Page 245: Configuring Acl6

    Quidway S3700 Series Ethernet Switches Configuration Guide - Security 10 ACL Configuration Example # Run the display acl command, and you can view the ACL number, rule IDs, and step, and rule contents. <Quidway> display acl 3000 Advanced ACL 3000, 1 rule Acl's step is 5 rule 5 deny ip source 10.1.1.1 0...
  • Page 246: Establishing The Configuration Task

    10.4.1 Establishing the Configuration Task Establishing the Configuration Task of ACL6. Applicable Environment An ACL6 can be applied to the following tasks: Configuring the packet filtering policy Configuring policy-based routing...
  • Page 247: (Optional) Creating The Time Range Of The ACL6

    – The value of a basic ACL6 ranges from 2000 to 2999. – The value of an advanced ACL6 ranges from 3000 to 3999. Creating an ACL6 based on the name...
  • Page 248: Configuring A Basic ACL6

    10.4.4 Configuring a Basic ACL6 Basic ACL6s can classify data packets based on the source IP address. Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: acl ipv6 [ number ] acl6-number A basic ACL6 is created based on the number.
  • Page 249: Checking The Configuration

    You can configure the advanced ACL6 on the S3700 according to the type of the protocol carried by IP. The parameters vary according to the protocol type. – When protocol is TCP, run:...
  • Page 250: Configuration Examples

    Example # Run the display acl ipv6 command, and you can view the ACL6 number, rule IDs, and rule contents. <Quidway> display acl ipv6 2002 Basic IPv6 ACL 2002, 2 rules...
  • Page 251 Configuration Roadmap The configuration roadmap is as follows: Configure the ACL. Configure the traffic classifier. Configure the traffic behavior. Configure the traffic policy. Apply the traffic policy to an interface.
  • Page 252: Example For Configuring An Advanced ACL

    Acl's step is 5 rule 5 permit source 10.0.0.0 0.0.0.255 # Check the configuration of the traffic classifier. <Quidway> display traffic classifier user-defined User Defined Classifier Information: Classifier: tc1...
  • Page 253 Figure 10-2 Networking diagram for configuring IPv4 ACLs (Switch with interfaces Ethernet 0/0/1, Ethernet 0/0/2, Ethernet 0/0/3 and Ethernet 0/0/4; Salary query server 10.164.9.9; President's office 10.164.1.0/24; Marketing department 10.164.2.0/24; R&D department 10.164.3.0/24)...
  • Page 254 Procedure Step 1 Assign IP addresses to interfaces. # Add interfaces to the VLAN and assign IP addresses to the VLANIF interfaces. Add Ethernet 0/0/1, Ethernet 0/0/2, and Ethernet 0/0/3 to VLAN 10, VLAN 20, and VLAN 30 respectively, and add Ethernet 0/0/4 to VLAN 100.
  • Page 255 # Configure the traffic behavior b_rd to reject packets. [Quidway] traffic behavior b_rd [Quidway-behavior-b_rd] deny [Quidway-behavior-b_rd] quit Step 6 Configure traffic policies. # Configure the traffic policy p_market and associate the traffic classifier c_market and the traffic behavior b_market with the traffic policy.
  • Page 256 Policy: p_market Classifier: c_market Operator: AND Behavior: b_market Deny Policy: p_rd Classifier: c_rd Operator: AND Behavior: b_rd Deny ----End Configuration Files sysname Quidway vlan batch 10 20 30 40 100...
  • Page 257: Example For Configuring A Layer 2 ACL

    port link-type access port default vlan 30 traffic-policy p_rd inbound interface Ethernet0/0/4 port link-type access port default vlan 100 return 10.5.3 Example for Configuring a Layer 2 ACL...
  • Page 258 Procedure Step 1 Configure an ACL. # Configure the required Layer 2 ACL. [Quidway] acl 4000 [Quidway-acl-L2-4000] rule deny source-mac 00e0-f201-0101 ffff-ffff-ffff destination-mac 0260-e207-0002 ffff-ffff-ffff [Quidway-acl-L2-4000] quit Step 2 Configure the traffic classifier that is based on the ACL.
  • Page 259: Example For Configuring A Customized ACL

    Behavior: tb1 Deny ----End Configuration Files sysname Quidway acl number 4000 rule 5 deny destination-mac 0260-e207-0002 source-mac 00e0-f201-0101 traffic classifier tc1 operator and if-match acl 4000 traffic behavior tb1...
  • Page 260 Configure an ACL. Configure a traffic classifier. Configure a traffic behavior. Configure a traffic policy. Apply the traffic policy to an interface. Data Preparation To complete the configuration, you need the following data:...
  • Page 261: Example For Configuring An ACL6 To Control FTP User Access

    <Quidway> display acl 5000 User ACL 5000, 1 rule Acl's step is 5 rule 5 permit 0x0180c200 0xffffffff 14 # Check the configuration of the traffic classifier. <Quidway> display traffic classifier user-defined...
  • Page 262 Figure 10-5 Networking diagram for configuring an ACL6 to control FTP users (VLAN 10: SwitchA GE0/0/1 3001::1/64, SwitchB GE0/0/1 3001::2/64, Loopback2 3002::2/64) Configuration Roadmap The configuration roadmap is as follows: Perform basic configurations on the FTP server.
  • Page 263 Info:ACL6 was denied by remote host! Connection closed by remote host. ----End Configuration Files acl ipv6 number 2001 rule 0 deny source 3001::2/128 ftp ipv6 acl 2001 return...
  • Page 264: ND Snooping Configuration

    Quidway S3700 Series Ethernet Switches Configuration Guide - Security 11 ND Snooping Configuration ND Snooping Configuration About This Chapter This chapter describes the principle and configuration method of neighbor discovery (ND) snooping and provides configuration examples. 11.1 ND Snooping Overview This section describes the principle of ND snooping.
  • Page 265: ND Snooping Overview

    11.1 ND Snooping Overview This section describes the principle of ND snooping. Neighbor discovery (ND) is a group of messages and processes that identify relationships between neighboring nodes. IPv6 ND corresponds to a combination of the Address Resolution Protocol (ARP), ICMP router discovery, and ICMP Redirect of IPv4.
  • Page 266: Configuring ND Snooping

    Figure 11-1 ND snooping enabled on the S3700 of the Layer 2 network (trusted network with the Router acting as ND server, the Switch, and the untrusted user network) 11.3 Configuring ND Snooping This section describes the basic concepts of ND snooping and the procedure for configuring ND snooping, and provides configuration examples of ND snooping.
  • Page 267: Enabling ND Snooping

    NS messages. The ND dynamic binding table saves information about IPv6 addresses, MAC addresses, and VLAN IDs of clients. The S3700 delivers the ND dynamic binding entries to the ACL that is automatically generated.
  • Page 268: Configuring An Interface As The Trusted Interface

    Run: nd snooping enable ND snooping is enabled on the interface. Configuring ND snooping in a VLAN Run: system-view The system view is displayed. Run: dhcp enable DHCP is enabled globally.
  • Page 269: (Optional) Configuring The Aging Function Of The ND Dynamic Binding Table

    The interface view is displayed. Run: nd snooping trusted The interface is configured as the trusted interface. Configuring ND snooping in a VLAN Run: system-view The system view is displayed.
  • Page 270: Checking The Configuration

    By default, the aging function of the ND dynamic binding table is disabled. Step 3 Run: nd user-bind detect retransmit retransmit-times interval retransmit-interval The detection interval and the number of detection times for aging ND dynamic binding entries are set.
  • Page 271: Maintaining ND Snooping

    3001::E58C:A2E7:AA4C:8E59 00e0-4c7c-af8f 2011.05.06-20:09 -------------------------------------------------------------------------------- print count: total count: Run the display this command in the system view, and you can view the configuration of ND snooping. [Quidway] display this...
  • Page 272: Configuration Examples

    NOTE After the networking environment changes, ND dynamic binding entries do not age immediately. However, the following information in ND dynamic binding entries may change, causing packet forwarding failure:...
  • Page 273 Configuration Roadmap The configuration roadmap is as follows (assume that the ND server is configured): Enable ND snooping in the system view and interface view. Configure the interface connected to the ND server as the trusted interface.
  • Page 274 Run the display nd snooping prefix command, and you can view the prefix management table of ND users. <Quidway> display nd snooping prefix prefix-table: Prefix Length Valid-Time...
