Copyright Huawei Technologies Co., Ltd. 2012. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.
Issue 02 (2012-03-30)
Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol    Description
DANGER    Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
WARNING   Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.
CAUTION   Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
TIP       Indicates a tip that may help you solve a problem or save time.
NOTE      Provides additional information to emphasize or supplement important points of the main text.
Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention          Description
Boldface            The keywords of a command line are in boldface.
Italic              Command arguments are in italics.
[ ]                 Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }     Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]     Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*    Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*    Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>              The parameter before the & sign can be repeated 1 to n times.
#                   A line starting with the # sign is a comment.
Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.
Contents
Contents
About This Document.....................................................................................................................ii 1 AAA Configuration.......................................................................................................................1
1.1 AAA Overview...................................................................................................................................................2 1.2 AAA Features Supported by the AR200-S.........................................................................................................2 1.3 Configuring Local Authentication and Authorization........................................................................................5 1.3.1 Establishing the Configuration Task.........................................................................................................6 1.3.2 Configuring a Local User..........................................................................................................................6 1.3.3 Configuring authentication and authorization Schemes............................................................................8 1.3.4 Configuring a Domain...............................................................................................................................9 1.3.5 Checking the Configuration.....................................................................................................................10 1.4 Configuring RADIUS AAA.............................................................................................................................11 1.4.1 Establishing the Configuration Task.......................................................................................................11 1.4.2 Configuring AAA Schemes.....................................................................................................................12 1.4.3 Configuring a RADIUS Server Template...............................................................................................14 1.4.4 Configuring a Domain.............................................................................................................................16 1.4.5 Checking the 
Configuration.....................................................................................................................18 1.5 Configuring HWTACACS AAA......................................................................................................................18 1.5.1 Establishing the Configuration Task.......................................................................................................18 1.5.2 Configuring AAA Schemes.....................................................................................................................20 1.5.3 Configuring an HWTACACS Server Template......................................................................................22 1.5.4 Configuring a Domain.............................................................................................................................25 1.5.5 Checking the Configuration.....................................................................................................................26 1.6 Maintaining AAA.............................................................................................................................................27 1.6.1 Clearing the Statistics..............................................................................................................................27 1.7 Configuration Examples...................................................................................................................................28 1.7.1 Example for Configuring RADIUS Authentication, Authorization, and Accounting.............................28 1.7.2 Example for Configuring HWTACACS Authentication, Authorization, and Accounting.....................31
2 HTTPS Configuration.................................................................................................................35
2.1 HTTPS Overview.............................................................................................................................................36 2.2 HTTPS Features Supported by the AR200-S...................................................................................................36 2.3 Configuring the AR200-S as an HTTPS Server...............................................................................................36 2.4 Configuration Examples...................................................................................................................................38 Issue 02 (2012-03-30) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. v
Contents
3 Firewall Configuration...............................................................................................................42
3.1 Firewall Overview............................................................................................................................................44 3.2 Firewall Features Supported by the AR200-S..................................................................................................44 3.3 Configuring Zones............................................................................................................................................50 3.3.1 Establishing the Configuration Task.......................................................................................................50 3.3.2 Creating a Zone.......................................................................................................................................51 3.3.3 Adding an Interface to the Zone..............................................................................................................51 3.3.4 Creating an Interzone...............................................................................................................................52 3.3.5 Enabling Firewall in the Interzone..........................................................................................................52 3.3.6 Checking the Configuration.....................................................................................................................53 3.4 Configuring the Packet Filtering Firewall........................................................................................................53 3.4.1 Establishing the Configuration Task.......................................................................................................53 3.4.2 Configuring ACL-based Packet Filtering in an Interzone.......................................................................54 3.4.3 Checking the Configuration.....................................................................................................................55 3.5 Configuring the 
Blacklist..................................................................................................................................55 3.5.1 Establishing the Configuration Task.......................................................................................................55 3.5.2 Enabling the Blacklist Function..............................................................................................................56 3.5.3 Adding IP Addresses to the Blacklist Manually......................................................................................56 3.5.4 Configuring Blacklist and Whitelist Using the Configuration File.........................................................57 3.5.5 Checking the Configuration.....................................................................................................................58 3.6 Configuring the Whitelist.................................................................................................................................58 3.6.1 Establishing the Configuration Task.......................................................................................................58 3.6.2 Adding Entries to the Whitelist Manually...............................................................................................59 3.6.3 Configuring Blacklist and Whitelist Using the Configuration File.........................................................60 3.6.4 Checking the Configuration.....................................................................................................................61 3.7 Configuring ASPF............................................................................................................................................61 3.7.1 Establishing the Configuration Task.......................................................................................................61 3.7.2 Configuring ASPF 
Detection...................................................................................................................62 3.7.3 Checking the Configuration.....................................................................................................................62 3.8 Configuring Port Mapping................................................................................................................................63 3.8.1 Establishing the Configuration Task.......................................................................................................63 3.8.2 Configuring Port Mapping.......................................................................................................................64 3.8.3 Checking the Configuration.....................................................................................................................64 3.9 Configuring the Aging Time of the Firewall Session Table............................................................................65 3.9.1 Establishing the Configuration Task.......................................................................................................65 3.9.2 Configuring the Aging Time of the Firewall Session Table...................................................................65 3.9.3 Checking the Configuration.....................................................................................................................66 3.10 Configuring the Attack Defense Function......................................................................................................67 3.10.1 Establishing the Configuration Task.....................................................................................................67 3.10.2 Enabling the Attack Defense Function..................................................................................................67 3.10.3 Setting the Parameters for Flood Attack 
Defense..................................................................................70 Issue 02 (2012-03-30) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. vi
Contents
3.10.4 Configuring Large ICMP Packet Attack Defense.................................................................................70 3.10.5 Setting Parameters for Scanning Attack Defense..................................................................................71 3.10.6 Checking the Configuration...................................................................................................................72 3.11 Configuring Traffic Statistics and Monitoring...............................................................................................72 3.11.1 Establishing the Configuration Task.....................................................................................................73 3.11.2 Enabling Traffic Statistics and Monitoring...........................................................................................74 3.11.3 Setting the Session Thresholds..............................................................................................................74 3.11.4 Checking the Configuration...................................................................................................................76 3.12 Configuring the Log Function........................................................................................................................76 3.12.1 Establishing the Configuration Task.....................................................................................................77 3.12.2 Enabling the Log Function on the Firewall...........................................................................................77 3.12.3 Setting the Log Parameters....................................................................................................................78 3.12.4 Checking the Configuration...................................................................................................................79 3.13 Maintaining the 
Firewall................................................................................................................................79 3.13.1 Displaying the Firewall Configuration..................................................................................................79 3.13.2 Clearing the Firewall Statistics..............................................................................................................80 3.14 Configuration Examples.................................................................................................................................81 3.14.1 Example for Configuring the ACL-based Packet Filtering Firewall.....................................................81 3.14.2 Example for Configuring ASPF and Port Mapping..............................................................................83 3.14.3 Example for Configuring the Blacklist..................................................................................................86
5 NAC Configuration.....................................................................................................................95
5.1 NAC Overview.................................................................................................................................................96 5.2 NAC Features Supported by the AR200-S.......................................................................................................96 5.3 Configuring 802.1x Authentication..................................................................................................................97 5.3.1 Establishing the Configuration Task.......................................................................................................97 5.3.2 Enabling Global 802.1x Authentication..................................................................................................98 5.3.3 Enabling 802.1x Authentication on an Interface.....................................................................................98 5.3.4 (Optional) Setting the 802.1x Authentication Mode...............................................................................99 5.3.5 (Optional) Setting the Access Method on an Interface..........................................................................100 5.3.6 (Optional) Configuring the Authorization Status of an Interface..........................................................101 5.3.7 (Optional) Setting the Maximum Number of Concurrent Access Users on an Interface......................102 5.3.8 (Optional) Enabling 802.1x Authentication Triggered by DHCP Messages........................................103 5.3.9 (Optional) Setting Values of Timers Used in 802.1x Authentication...................................................103 Issue 02 (2012-03-30) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. vii
Contents
5.3.10 (Optional) Configuring the Quiet Timer Function..............................................................................104 5.3.11 (Optional) Configuring 802.1x Re-authentication...............................................................................104 5.3.12 (Optional) Configuring a Guest VLAN for 802.1x Authentication....................................................106 5.3.13 (Optional) Configuring a Restrict VLAN for 802.1x Authentication.................................................107 5.3.14 (Optional) Enabling the Handshake Function.....................................................................................108 5.3.15 (Optional) Setting the Maximum Number of Times the AR200-S Sends Authentication Requests ........................................................................................................................................................................108 5.3.16 Checking the Configuration.................................................................................................................109 5.4 Maintaining NAC...........................................................................................................................................109 5.4.1 Clearing the Statistics on 802.1x Authentication..................................................................................109 5.4.2 Clearing the Statistics on MAC Address Authentication......................................................................110 5.5 Configuration Examples.................................................................................................................................110 5.5.1 Example for Configuring 802.1x Authentication..................................................................................110
Contents
6.7 Configuration Examples.................................................................................................................................133 6.7.1 Example for Configuring ARP Security Functions...............................................................................133
Contents
10 ACL Configuration..................................................................................................................173
10.1 ACL Overview.............................................................................................................................................174 10.2 ACL Features Supported by the AR200-S...................................................................................................174 10.3 Configuring a Basic ACL.............................................................................................................................177 10.3.1 Establishing the Configuration Task...................................................................................................177 10.3.2 (Optional) Creating a Time Range for a Basic ACL...........................................................................178 10.3.3 Creating a Basic ACL..........................................................................................................................178 10.3.4 Configuring a Basic ACL Rule...........................................................................................................180 10.3.5 Applying a Basic ACL........................................................................................................................181 10.3.6 Checking the Configuration.................................................................................................................183 10.4 Configuring an Advanced ACL....................................................................................................................183 10.4.1 Establishing the Configuration Task...................................................................................................184 10.4.2 (Optional) Creating a Time Range for an Advanced ACL..................................................................185 10.4.3 Creating an Advanced ACL................................................................................................................186 10.4.4 Configuring an Advanced ACL 
Rule..................................................................................................187 10.4.5 Applying an Advanced ACL...............................................................................................................189 10.4.6 Checking the Configuration.................................................................................................................190 10.5 Configuring a Layer 2 ACL..........................................................................................................................191 10.5.1 Establishing the Configuration Task...................................................................................................191 10.5.2 (Optional) Creating a Time Range for a Layer 2 ACL........................................................................192 10.5.3 Creating a Layer 2 ACL......................................................................................................................193 10.5.4 Configuring a Layer 2 ACL Rule........................................................................................................194 10.5.5 Applying a Layer 2 ACL.....................................................................................................................195 10.5.6 Checking the Configuration.................................................................................................................196 10.6 Configuration Examples...............................................................................................................................197 10.6.1 Example for Configuring a Basic ACL to Limit Access to the FTP Server........................................197 10.6.2 Example for Using Advanced ACLs to Configure the Firewall Function..........................................199 10.6.3 Example for Using a Layer 2 ACL to Configure Traffic Classification.............................................203
11 SSL Configuration...................................................................................................................206
11.1 SSL Overview...............................................................................................................................................207 11.2 SSL Features Supported by the AR200-S....................................................................................................209 11.3 Configuring a Server SSL Policy.................................................................................................................209 11.4 Configuring a Client SSL Policy..................................................................................................................211 11.5 Configuration Examples...............................................................................................................................213 11.5.1 Example for Configuring a Server SSL Policy...................................................................................213 11.5.2 Example for Configuring a Client SSL Policy....................................................................................216
12 PKI Configuration...................................................................................................................222
12.1 PKI Overview...............................................................................................................................................223 12.2 PKI Features Supported by the AR200-S.....................................................................................................224 12.3 Configuring a PKI Entity..............................................................................................................................226 Issue 02 (2012-03-30) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. x
Contents
12.3.1 Establishing the Configuration Task...................................................................................................226 12.3.2 Configuring a PKI Entity Identifier.....................................................................................................227 12.3.3 (Optional) Configuring PKI Entity Attributes.....................................................................................227 12.3.4 Checking the Configuration.................................................................................................................228 12.4 Configuring a PKI Domain...........................................................................................................................229 12.4.1 Establishing the Configuration Task...................................................................................................229 12.4.2 Creating a PKI Domain.......................................................................................................................229 12.4.3 Configuring a PKI Entity Name..........................................................................................................230 12.4.4 Configuring the Trusted CA Name and Enrollment URL...................................................................230 12.4.5 (Optional) Configuring CA Certificate Fingerprint.............................................................................231 12.4.6 (Optional) Configuring a Certificate Revocation Password................................................................232 12.4.7 (Optional) Configuring the RSA Key Length of Certificates..............................................................232 12.4.8 (Optional) Configuring a Source IP Address for TCP Connection Setup...........................................233 12.4.9 Checking the Configuration.................................................................................................................233 12.5 Configuring 
Certificate Enrollment..............................................................................................................234 12.5.1 Establishing the Configuration Task...................................................................................................234 12.5.2 Configuring Manual Certificate Enrollment........................................................................................234 12.5.3 Configuring Automatic Certificate Enrollment and Update................................................................235 12.5.4 Creating a Self-signed Certificate or Local Certificate.......................................................................236 12.5.5 Checking the Configuration.................................................................................................................236 12.6 Configuring Certificate Authentication........................................................................................................236 12.6.1 Establishing the Configuration Task...................................................................................................236 12.6.2 Configuring the Certificate Check Mode............................................................................................237 12.6.3 Checking Certificate Validity..............................................................................................................238 12.6.4 Checking the Configuration.................................................................................................................239 12.7 Managing Certificates...................................................................................................................................239 12.7.1 Deleting a Certificate...........................................................................................................................239 12.7.2 Importing a 
Certificate.........................................................................................................................239 12.7.3 Exporting a Certificate.........................................................................................................................240 12.7.4 Configuring the Default Path Where Certificates Are Stored.............................................................240 12.8 Configuration Examples...............................................................................................................................240 12.8.1 Example for Configuring Manual Certificate Enrollment...................................................................240 12.8.2 Example for Configuring PKI in IPSec...............................................................................................243
13 Keychain Configuration.........................................................................................................252
13.1 Introduction to Keychain..............................................................................................................................253 13.2 Keychain Features Supported by the AR200-S............................................................................................253 13.3 Configuring Basic Keychain Functions........................................................................................................254 13.3.1 Establishing the Configuration Task...................................................................................................254 13.3.2 Creating a Keychain............................................................................................................................255 13.3.3 Configuring Receive Tolerance of a Keychain...................................................................................255 13.3.4 Configuring a key-id in a Keychain....................................................................................................256 13.3.5 Configuring key-string of a key-id......................................................................................................256 Issue 02 (2012-03-30) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. xi
13.3.6 Configuring Authentication Algorithm of a key-id ... 257
13.3.7 Configuring a key-id as the Default send-key-id ... 257
13.3.8 Configuring send-time of a key-id ... 258
13.3.9 Configuring receive-time of a key-id ... 260
13.3.10 Checking the Configuration ... 262
13.4 Configuring TCP Authentication parameters ... 263
13.4.1 Establishing the Configuration Task ... 263
13.4.2 Configuring TCP Kind of a Keychain ... 264
13.4.3 Configuring TCP Algorithm-id in a Keychain ... 264
13.4.4 Checking the Configuration ... 264
13.5 Configuration Examples ... 266
13.5.1 Example for Configuring Keychain Authentication for Non-TCP Application ... 266
1 AAA Configuration
About This Chapter
The AAA-capable AR200-S checks the validity of users and delivers rights to authorized users to ensure network security.
1.1 AAA Overview
Authentication, Authorization, and Accounting (AAA) is a security technology.
1.2 AAA Features Supported by the AR200-S
The AR200-S supports RADIUS and HWTACACS authentication, authorization, and accounting (AAA), and also local authentication and authorization.
1.3 Configuring Local Authentication and Authorization
After local authentication and authorization are configured, the AR200-S authenticates and authorizes access users based on user information.
1.4 Configuring RADIUS AAA
RADIUS is often used to implement authentication, authorization, and accounting (AAA). RADIUS uses the client/server model and protects a network from unauthorized access. It is often used in network environments that require high security and control of remote user access.
1.5 Configuring HWTACACS AAA
Similar to RADIUS, HWTACACS uses the client/server model to communicate with the HWTACACS server, implementing authentication, authorization, and accounting (AAA) for access users. Compared with RADIUS, HWTACACS is more reliable in transmission and encryption and is therefore more suitable for security control.
1.6 Maintaining AAA
Clearing the Statistics
1.7 Configuration Examples
This section provides several AAA configuration examples. The configuration examples explain networking requirements, configuration notes, and configuration roadmap.
A user can use one or more security services. For example, if a company only needs to authenticate employees that access certain network resources, only an authentication server is needed. If the company also needs to record operations performed by employees, an additional accounting server is needed.
AAA Architecture
AAA uses the client/server model, as shown in Figure 1-1. This model features good extensibility and is convenient for centralized management of user information.
Figure 1-1 AAA architecture (figure not reproduced; it shows the access user, the Router, and the server)
The Router authenticates a user that wants to access the network through the Router. The Router delivers authentication, authorization, and accounting information to an AAA server (a RADIUS server or an HWTACACS server).
In RADIUS authentication for an administrator, the AR200-S checks whether the access type of the administrator is the same as that specified in the Access-Accept packet sent from the RADIUS server. If not, the administrator fails to be authenticated.
Figure 1-2 shows packets exchanged between a user, the AR200-S, and the RADIUS server.
Figure 1-2 RADIUS authentication, authorization, and accounting (figure not reproduced; it shows the access user, the Router, and the RADIUS server exchanging these messages: user enters user name and password, authentication request packet, Access-Accept/Reject packet, accounting request packet, accounting response packet, user accesses network resources)
1. A user sends a request packet containing the user name and password to the AR200-S.
2. The AR200-S sends an authentication request packet containing the user name and password to the RADIUS server.
3. The RADIUS server authenticates the user name and password. If authentication succeeds, the RADIUS server sends a RADIUS Access-Accept packet to the AR200-S. If authentication fails, the RADIUS server sends a RADIUS Access-Reject packet to the AR200-S. The RADIUS Access-Accept packet contains authorization information.
4. The AR200-S permits or rejects the user according to the authentication result. If the user is permitted, the AR200-S sends an Accounting-Start packet to the RADIUS server.
5. The RADIUS server sends a response packet to the AR200-S and starts accounting.
6. The user starts to access network resources.
7. The user requests to disconnect from the network. The AR200-S sends an Accounting-Stop packet to the RADIUS server.
8. The RADIUS server sends a response packet to the AR200-S and stops accounting.
(Figure not reproduced; it shows the access user, the Router, and the HWTACACS server exchanging these messages: user logs in, authentication request and response packets requesting the user name, the user enters the user name, authentication request and response packets requesting the password, the user enters the password, authentication request and response packets, authorization request and response packets, accounting request packet, user accesses network resources.)
1. A Telnet user sends a request packet to the AR200-S.
2. The AR200-S sends an authentication request packet to the HWTACACS server after receiving the request packet.
3. The HWTACACS server sends an authentication response packet to request the user name.
4. The AR200-S sends a packet to request the user name after receiving the authentication response packet.
5. The user enters the user name.
6. The AR200-S sends an authentication packet containing the user name to the HWTACACS server.
7. The HWTACACS server sends an authentication response packet to request the password.
8. The AR200-S sends a packet to request the password after receiving the authentication response packet.
9. The user enters the password.
10. The AR200-S sends an authentication packet containing the password to the HWTACACS server.
11. The HWTACACS server sends an authentication response packet, indicating that the user has been authenticated.
12. The AR200-S sends an authorization request packet to the HWTACACS server.
13. The HWTACACS server sends an authorization response packet, indicating that the user is authorized.
14. The AR200-S receives the authorization response packet.
15. The AR200-S sends an Accounting-Start packet to the HWTACACS server.
16. The HWTACACS server sends an accounting response packet and starts accounting.
17. The user starts to access network resources.
18. The user requests to disconnect from the network. The AR200-S sends an Accounting-Stop packet to the HWTACACS server.
19. The HWTACACS server sends an Accounting-Stop response packet and stops accounting.
Applicable Environment
If users need to be authenticated or authorized but no RADIUS server or HWTACACS server is deployed on the network, use local authentication or authorization. Local authentication and authorization feature fast processing and low operation cost, whereas the amount of information that can be stored is limited by the hardware capacity of the device. Local authentication and authorization are often used for administrators. Local authentication is a backup of RADIUS authentication and HWTACACS authentication; local authorization is a backup of HWTACACS authorization.
Pre-configuration Tasks
Before configuring local authentication and authorization, complete the following task:
- Configuring physical attributes for interfaces to ensure that the physical layer status of the interfaces is Up
Data Preparation
To configure local authentication and authorization, you need the following data.
No.  Data
1    User name and password
2    (Optional) Local user level
3    (Optional) Access type of the local user
4    (Optional) Name of the FTP directory that the local user can access
5    (Optional) Local user status
6    (Optional) Maximum number of local users
7    Name of an authentication scheme
8    Name of an authorization scheme
9    Name of a domain
Procedure
Step 1 Run:
system-view
The AAA view is displayed.
Step 3 Run:
local-user user-name password { simple password | cipher password }
A local user is created and the password is configured.
NOTE
If the user name contains a domain name delimiter such as @, |, or %, the character string before the domain name delimiter is the user name and the character string after the domain name delimiter is the domain name. If the user name does not contain a domain name delimiter, the entire character string is the user name and the domain name is default.
The level of the local user is set. By default, the level of a local user is determined by the management module. If the level of a local user is not set in the user interface view, the user level is 0.
Step 5 (Optional) Run:
local-user user-name idle-timeout minutes [ seconds ]
The idle timeout interval of the local user is set.
Step 6 (Optional) Run:
local-user user-name service-type { 8021x | bind | ftp | http | l2tp | ppp | ssh | telnet | terminal | web | x25-pad } *
The access type of the local user is set. By default, a local user can use any access type.
Step 7 (Optional) Run:
local-user user-name ftp-directory directory
The FTP directory that the local user can access is configured. By default, the FTP directory of a local user is empty. When the AR200-S functions as an FTP server, you must configure the FTP directory that FTP users can access. Otherwise, FTP users cannot access the AR200-S.
Step 8 (Optional) Run:
local-user user-name state { active | block }
The status of the local user is set. By default, a local user is in active state. The AR200-S processes requests from users in different states as follows:
- If a local user is in active state, the AR200-S accepts and processes the authentication request from the user.
- If a local user is in blocking state, the AR200-S rejects the authentication request from the user.
Step 9 (Optional) Run:
local-user user-name access-limit max-number
The maximum number of connections established by the local user is set. By default, the number of connections established by a user is not limited.
----End
Context
By default, the AR200-S performs local authentication and authorization for access users.
NOTE
Procedure
- Configuring an authentication scheme
1. Run:
system-view
An authentication scheme is created and the authentication scheme view is displayed. By default, the default authentication scheme is used. The default authentication scheme can be modified, but it cannot be deleted.
4. Run:
authentication-mode local [ none ]
6. (Optional) Run:
quit
The direction in which the user name and domain name are parsed is configured.
- Configuring an authorization scheme
1. Run:
system-view
An authorization scheme is created and the authorization scheme view is displayed. By default, the default authorization scheme is used. The default authorization scheme can be modified, but it cannot be deleted.
4. Run:
authorization-mode local [ none ]
Context
Before configuring a domain, ensure that the authentication and authorization schemes have been created. When local authentication and authorization are used, non-accounting is used by default.
Procedure
Step 1 Run:
system-view
Step 3 Run:
domain domain-name
A domain is created and the domain view is displayed. The AR200-S has two default domains: default and default_admin. The default domain is used by common access users and the default_admin domain is used by administrators.
Step 4 Run:
authentication-scheme authentication-scheme-name
An authentication scheme is applied to the domain. By default, the default authentication scheme is applied to a domain.
Step 5 Run:
authorization-scheme authorization-scheme-name
An authorization scheme is applied to the domain. By default, no authorization scheme is applied to a domain.
Step 6 (Optional) Run:
state { active | block }
The domain status is configured. When a domain is in blocking state, users in this domain cannot log in. By default, a domain is in active state after being created.
Step 7 Run:
quit
The domain name delimiter is configured. The domain name delimiter can be any of the following: \ / : < > | @ ' %. By default, the domain name delimiter is @.
----End
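The delimiter rule from the NOTE under the local-user step (text before the delimiter is the user name, text after it is the domain name, no delimiter means the default domain) and the domain state configured above decide which domain's schemes a login is checked against before any password is looked at. The Python below is an added example of that lookup; it is not code from the guide or from Huawei. The function names, the sample domain table, the decision to split at the first delimiter occurrence, and the rejection of logins that name a domain that is not configured are assumptions made for the illustration.

```python
# Added example (not AR200-S or Huawei code): splitting a login string into
# user name and domain name, then checking the domain state. Names, the sample
# domain table and the first-occurrence split are assumptions.

# Delimiters the guide lists as configurable; "@" is the default.
ALLOWED_DELIMITERS = frozenset("\\/:<>|@'%")
DEFAULT_DOMAIN = "default"


def split_login(login, delimiter="@"):
    """Return (user_name, domain_name) for a login string.

    Text before the delimiter is the user name, text after it is the domain.
    Without a delimiter the whole string is the user name and the domain is
    "default". Assumption: with several delimiters the split happens at the
    first one, so the domain part keeps any later delimiter characters.
    """
    if len(delimiter) != 1 or delimiter not in ALLOWED_DELIMITERS:
        raise ValueError("unsupported domain name delimiter: %r" % delimiter)
    if delimiter not in login:
        return login, DEFAULT_DOMAIN
    user, _, domain = login.partition(delimiter)
    if not user or not domain:
        # "@corp" or "alice@" carry no usable pair; refuse rather than guess.
        raise ValueError("user name or domain name missing in %r" % login)
    return user, domain


def resolve_domain(login, domains, delimiter="@"):
    """Look the login's domain up in the constructed domain table.

    domains maps a domain name to {"state": "active" | "block",
    "authentication-scheme": ..., "authorization-scheme": ...}.
    Returns (user_name, domain_record). Raises PermissionError when the domain
    is in blocking state (users in a blocked domain cannot log in) or, by
    assumption, when the domain is not configured at all.
    """
    user, domain = split_login(login, delimiter)
    record = domains.get(domain)
    if record is None:
        raise PermissionError("domain %r does not exist" % domain)
    if record["state"] != "active":
        raise PermissionError("domain %r is blocked" % domain)
    return user, record


# Constructed sample table: the two default domains plus one blocked domain.
SAMPLE_DOMAINS = {
    "default": {"state": "active", "authentication-scheme": "default",
                "authorization-scheme": None},
    "default_admin": {"state": "active", "authentication-scheme": "default",
                      "authorization-scheme": None},
    "contractors": {"state": "block", "authentication-scheme": "default",
                    "authorization-scheme": None},
}


if __name__ == "__main__":
    for login in ("alice", "bob@default_admin", "eve@contractors"):
        try:
            user, record = resolve_domain(login, SAMPLE_DOMAINS)
            print(login, "->", user, "uses scheme", record["authentication-scheme"])
        except PermissionError as exc:
            print(login, "->", exc)
```

Blocking a domain is a coarse but useful control: it turns away every user whose login resolves to that domain before any authentication traffic is generated, which is the behaviour the `state { active | block }` step describes.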
Procedure
- Run the display aaa configuration command to check the AAA summary.
- Run the display authentication-scheme [ authentication-scheme-name ] command to check the authentication scheme configuration.
- Run the display authorization-scheme [ authorization-scheme-name ] command to check the authorization scheme configuration.
- Run the display access-user [ domain domain-name | interface interface-type interface-number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-address [ vpn-instance instance-name ] | mac-address mac-address | slot slot-id | ssid ssid-name | user-id user-number ] command to check the summary of all online users.
- Run the display domain [ name domain-name ] command to check the domain configuration.
----End
Applicable Environment
To prevent unauthorized users from attacking a network, configure AAA:
- Authentication: checks whether a user is allowed to access a network. Only authenticated users can access the network.
- Authorization: authorizes a user to use specific services.
- Accounting: records all the operations performed by a user and the service type, start time, and data traffic.
RADIUS protects a network from unauthorized access. It is often used on networks that require high security and control remote user access.
Pre-configuration Tasks
Before configuring RADIUS authentication, authorization, and accounting, complete the following task:
- Configuring physical attributes for interfaces to ensure that the physical layer status of the interfaces is Up
Data Preparation
To configure RADIUS authentication, authorization, and accounting, you need the following data.
No.  Data
1    Name of an authentication scheme
2    Name of an accounting scheme
3    Name of a RADIUS server template
4    IP addresses and port numbers of the primary RADIUS authentication servers
5    IP addresses and port numbers of the primary RADIUS accounting servers
6    (Optional) IP address of the RADIUS authorization server
7    (Optional) IP addresses and port numbers of the secondary RADIUS authentication servers
8    (Optional) IP addresses and port numbers of the secondary RADIUS accounting servers
9    (Optional) Shared key in RADIUS packets
10   (Optional) Number of times RADIUS request packets are retransmitted and timeout interval
Context
If RADIUS authentication is configured, you can also configure local authentication or non-authentication as a backup. This allows local authentication or non-authentication to be implemented if RADIUS authentication fails. If RADIUS accounting is configured, you can also configure non-accounting as a backup.
Procedure
- Configuring an authentication scheme
1. Run:
system-view
By default, the default authentication scheme is used. The default authentication scheme can be modified, but it cannot be deleted.
4. Run:
authentication-mode radius [ none ]
RADIUS authentication is configured. By default, local authentication is used. To use local authentication as the backup authentication method, run the authentication-mode radius local command to configure local authentication.
NOTE
If multiple authentication modes are configured in an authentication scheme, authentication modes are used according to the sequence in which they were configured. The AR200-S uses the authentication mode that was configured later only after the current authentication mode fails. The AR200-S stops the authentication if the user fails to pass the authentication.
5. (Optional) Run:
authentication-super { hwtacacs | super } * [ none ]
The authentication mode used to upgrade user levels is configured.
6. (Optional) Run:
quit
The direction in which the user name and domain name are parsed is configured.
- Configuring an accounting scheme
1. Run:
system-view
An accounting scheme is created and the accounting scheme view is displayed. By default, the default accounting scheme is used. The default accounting scheme can be modified, but it cannot be deleted.
4. Run:
accounting-mode radius
If multiple accounting modes are configured in an accounting scheme, accounting modes are used according to the sequence in which they were configured. The AR200-S uses the accounting mode that was configured later only after the current accounting mode fails.
5. (Optional) Run:
accounting start-fail { online | offline }
The policy for accounting-start failures is configured. By default, users cannot go online if accounting-start fails.
6. (Optional) Run:
accounting realtime interval
Real-time accounting is enabled and the interval for real-time accounting is set. By default, real-time accounting is disabled.
7. (Optional) Run:
accounting interim-fail [ max-times times ] { online | offline }
The maximum number of real-time accounting failures is set and a policy used after a real-time accounting failure is configured. After real-time accounting is enabled, the maximum number of real-time accounting failures is 3 and the AR200-S keeps paid users online after a real-time accounting failure by default.
----End
Context
The settings of a RADIUS server template such as the RADIUS user name format and shared key on the RADIUS client must be the same as those on the RADIUS server.
Procedure
Step 1 Run:
system-view
A RADIUS authorization server is configured. By default, no RADIUS authorization server is configured.
Step 3 Run:
radius-server template template-name
The primary RADIUS authentication server is configured. By default, the IP address of the primary RADIUS authentication server is 0.0.0.0 and the port number is 0.
Step 5 (Optional) Run:
radius-server authentication ip-address port [ source { loopback interface-number | ip-address ip-address } ] secondary
The secondary RADIUS authentication server is configured. By default, the IP address of the secondary RADIUS authentication server is 0.0.0.0 and the port number is 0.
Step 6 Run:
radius-server accounting ip-address port [ source { loopback interface-number | ip-address ip-address } ]
The primary RADIUS accounting server is configured. By default, the IP address of the primary RADIUS accounting server is 0.0.0.0 and the port number is 0.
Step 7 (Optional) Run:
radius-server accounting ip-address port [ source { loopback interface-number | ip-address ip-address } ] secondary
The secondary RADIUS accounting server is configured. By default, the IP address of the secondary RADIUS accounting server is 0.0.0.0 and the port number is 0.
Step 8 (Optional) Run:
radius-server shared-key { cipher | simple } key-string
The shared key is configured. By default, the shared key of a RADIUS server is huawei.
Step 9 (Optional) Run:
radius-server user-name domain-included
The AR200-S is configured to encapsulate the domain name in the user name in RADIUS packets to be sent to a RADIUS server. By default, the AR200-S encapsulates the domain name in the user name when sending RADIUS packets to a RADIUS server. If the RADIUS server does not accept the user name with the domain name, run the undo radius-server user-name domain-included command to delete the domain name from the user name.
Step 10 (Optional) Run:
radius-server traffic-unit { byte | kbyte | mbyte | gbyte }
By default, the traffic unit is byte on the AR200-S.
Step 11 (Optional) Run:
radius-server { retransmit retry-times | timeout time-value }*
The number of times RADIUS request packets are retransmitted and the timeout interval are set. By default, the number of transmission times is 3 and the timeout interval is 5s.
Step 12 (Optional) Run:
radius-server nas-port-format { new | old }
The format of the Network Access Server (NAS) port attribute is set. By default, the new format of the NAS port attribute is used.
Step 13 (Optional) Run:
radius-server nas-port-id-format { new | old }
The format of the NAS port ID attribute is set. By default, the new format of the NAS port ID attribute is used.
Step 14 (Optional) Run:
radius-attribute nas-ip
You can test whether a user can be authenticated using RADIUS authentication.
----End
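The shared key of Step 8 is what binds the Access-Request/Access-Accept exchange of Figure 1-2 to this server template: per RFC 2865 the client hides the User-Password attribute with it and the server derives the Response Authenticator of its Access-Accept or Access-Reject from it, so a reply computed with a different key (or with the default key after the template has been changed) fails the client's check. The Python below is an added illustration of both uses of the key; it is not AR200-S code or Huawei code. The function names, the sample user table, the constructed secret and the fixed Request Authenticator (fixed only so the run is reproducible) are assumptions.

```python
# Added example (not AR200-S or Huawei code): the two places RFC 2865 uses the
# RADIUS shared key. Names, the sample user table, the secret and the fixed
# Request Authenticator are constructed for this illustration.
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2           # attribute type numbers
HEADER = struct.Struct("!BBH")             # Code, Identifier, Length


def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_attributes(data):
    """Return {type: value}; refuse truncated or zero-length attributes."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def xor_stream(data, request_authenticator, secret, reveal):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block), the first block with MD5(secret + Request Authenticator)."""
    out, prev = b"", request_authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(chunk, pad))
        out += block
        prev = chunk if reveal else block   # always chain on the ciphertext
    return out


def hide_password(password, request_authenticator, secret):
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    return xor_stream(padded, request_authenticator, secret, reveal=False)


def reveal_password(hidden, request_authenticator, secret):
    return xor_stream(hidden, request_authenticator, secret, reveal=True).rstrip(b"\x00")


def build_packet(code, identifier, authenticator, attributes):
    return HEADER.pack(code, identifier, 20 + len(attributes)) + authenticator + attributes


def response_authenticator(code, identifier, attributes, request_authenticator, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def make_access_request(identifier, user, password, secret, request_authenticator):
    """Client side: User-Name plus the hidden User-Password."""
    attrs = attribute(USER_NAME, user) + attribute(
        USER_PASSWORD, hide_password(password, request_authenticator, secret))
    return build_packet(ACCESS_REQUEST, identifier, request_authenticator, attrs)


def server_reply(request, secret, users):
    """Constructed server side: recover the password, answer Accept or Reject."""
    code, identifier, length = HEADER.unpack(request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    req_auth = request[4:20]
    attrs = parse_attributes(request[20:])
    user = attrs.get(USER_NAME, b"")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), req_auth, secret)
    ok = user in users and hmac.compare_digest(users[user], password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply_code, identifier, b"", req_auth, secret)
    return build_packet(reply_code, identifier, auth, b"")


def verify_reply(reply, request_authenticator, secret, expected_identifier):
    """Client side: accept only a reply whose authenticator matches our request."""
    if len(reply) < 20:
        return False
    code, identifier, length = HEADER.unpack(reply[:4])
    if length != len(reply) or identifier != expected_identifier:
        return False
    expected = response_authenticator(code, identifier, reply[20:], request_authenticator, secret)
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    secret = b"constructed-secret"          # constructed; never keep the default key
    req_auth = bytes(range(16))             # fixed for reproducibility; use os.urandom(16) in practice
    request = make_access_request(7, b"alice", b"correct horse", secret, req_auth)
    reply = server_reply(request, secret, {b"alice": b"correct horse"})
    print("Access-Accept" if reply[0] == ACCESS_ACCEPT else "Access-Reject",
          "authenticator valid:", verify_reply(reply, req_auth, secret, 7))
```

The check in `verify_reply` is why the guide's template settings must match the server: a reply built with any other key, or one whose Identifier does not match an outstanding request, is discarded rather than treated as an Access-Accept.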
Context
Before configuring a domain, ensure that the authentication scheme, accounting scheme, and RADIUS server template have been created.
Procedure
Step 1 Run:
system-view
A domain is created and the domain view is displayed. The AR200-S has two default domains: default and default_admin. The default domain is used by common access users and the default_admin domain is used by administrators.
Step 4 Run:
authentication-scheme authentication-scheme-name
An authentication scheme is applied to the domain. By default, the default authentication scheme is applied to a domain.
Step 5 (Optional) Run:
accounting-scheme accounting-scheme-name
An accounting scheme is applied to a domain. By default, the default accounting scheme is applied to a domain. In the default accounting scheme, non-accounting is used and the real-time accounting function is disabled.
Step 6 (Optional) Run:
service-scheme service-scheme-name
A service scheme is applied to a domain. By default, no service scheme is applied to a domain.
Step 7 Run:
radius-server template-name
A RADIUS server template is applied to a domain. By default, no RADIUS server template is applied to a domain.
Step 8 (Optional) Run:
state { active | block }
The domain status is configured. When a domain is in blocking state, users in this domain cannot log in. By default, a domain is in active state after being created.
Step 9 Run:
quit
The domain name delimiter is configured. The domain name delimiter can be any of the following: \ / : < > | @ ' %. By default, the domain name delimiter is @.
----End
Procedure
- Run the display aaa configuration command to check the AAA summary.
- Run the display authentication-scheme [ authentication-scheme-name ] command to check the authentication scheme configuration.
- Run the display accounting-scheme [ accounting-scheme-name ] command to check the accounting scheme configuration.
- Run the display service-scheme [ name name ] command to check the service scheme configuration.
- Run the display radius-server configuration [ template template-name ] command to check the RADIUS server template configuration.
- Run the display radius-attribute [ template template-name ] disable command to check the disabled RADIUS attributes.
- Run the display radius-attribute [ template template-name ] translate command to check the RADIUS attribute translation configuration.
- Run the display domain [ name domain-name ] command to check the domain configuration.
----End
Applicable Environment
To prevent unauthorized users from attacking a network, configure AAA:
- Authentication: checks whether a user is allowed to access a network. Only authenticated users can access the network.
- Authorization: authorizes a user to use specific services.
- Accounting: records all the operations performed by a user and the service type, start time, and data traffic.
HWTACACS prevents unauthorized users from attacking a network and provides command line authorization. Compared with RADIUS, HWTACACS is more suitable for security control.
Pre-configuration Tasks
Before configuring HWTACACS authentication, authorization, and accounting, complete the following task:
- Configuring physical attributes for interfaces to ensure that the physical layer status of the interfaces is Up
Data Preparation
To configure HWTACACS authentication, authorization, and accounting, you need the following data.
No.  Data
1    Name of an authentication scheme
2    Name of an authorization scheme
3    Name of an accounting scheme
4    Name of an HWTACACS server template
5    IP addresses and port numbers of primary and secondary HWTACACS authentication servers
6    IP addresses and port numbers of primary and secondary HWTACACS authorization servers
7    (Optional) IP addresses and port numbers of primary and secondary HWTACACS accounting servers
8    (Optional) Shared key in HWTACACS packets
9    (Optional) Response timeout interval of an HWTACACS server
10   (Optional) Time for the primary HWTACACS server to return to the active state
11   (Optional) Retransmission interval of accounting-stop packets
Context
Local authentication or non-authentication can be configured as a backup for HWTACACS authentication in an authentication scheme. This allows local authentication or non-authentication to be implemented if HWTACACS authentication fails. When HWTACACS authorization is used, you can configure local authorization or non-authorization as a backup. When HWTACACS accounting is used, you can configure non-accounting as a backup.
Procedure
- Configuring an authentication scheme
1. Run:
system-view
An authentication scheme is created and the authentication scheme view is displayed. By default, the default authentication scheme is used. The default authentication scheme can be modified, but it cannot be deleted.
4. Run:
authentication-mode hwtacacs [ none ]
HWTACACS authentication is configured. By default, local authentication is used. To configure local authentication as a backup, see 1.3 Configuring Local Authentication and Authorization.
NOTE
If multiple authentication modes are configured in an authentication scheme, authentication modes are used according to the sequence in which they were configured. The AR200-S uses the authentication mode that was configured later only after the current authentication mode fails. The AR200-S stops the authentication if the user fails to pass the authentication.
5. (Optional) Run:
authentication-super { hwtacacs | super } * [ none ]
The authentication mode used to upgrade user levels is configured.
6. (Optional) Run:
quit
7. (Optional) Run:
domainname-parse-direction { left-to-right | right-to-left }
The direction in which the user name and domain name are parsed is configured.
- Configuring an authorization scheme
1. Run:
system-view
An authorization scheme is created and the authorization scheme view is displayed. By default, the default authorization scheme is used. The default authorization scheme can be modified, but it cannot be deleted.
4. Run:
authorization-mode { hwtacacs | local }* [ none ]
The authorization mode is configured. By default, local authorization is used. If HWTACACS authorization is configured, you must configure an HWTACACS server template and apply the template to the corresponding user domain.
NOTE
If multiple authorization modes are configured in an authorization scheme, authorization modes are used in the sequence in which they were configured. The AR200-S uses the authorization mode that was configured later only after the current authorization mode fails. The AR200-S stops the authorization if the user fails to pass the authorization.
5. (Optional) Run:
authorization-cmd privilege-level hwtacacs [ local ]
Command line authorization is enabled for users at a certain level. By default, command line authorization is disabled for users at levels 0 to 15. If command line authorization is enabled, you must configure an HWTACACS server template and apply the template to the corresponding user domain.
- Configuring an accounting scheme
1. Run:
system-view
An accounting scheme is created and the accounting scheme view is displayed. By default, the default accounting scheme is used. The default accounting scheme can be modified, but it cannot be deleted.
4. Run:
accounting-mode hwtacacs
If multiple accounting modes are configured in an accounting scheme, accounting modes are used according to the sequence in which they were configured. The AR200-S uses the accounting mode that was configured later only after the current accounting mode fails.
5. (Optional) Run:
accounting start-fail { online | offline }
The policy for accounting-start failures is configured. By default, users cannot go online if accounting-start fails.
6. (Optional) Run:
accounting realtime interval
Real-time accounting is enabled and the interval for real-time accounting is set. By default, real-time accounting is disabled.
7. (Optional) Run:
accounting interim-fail [ max-times times ] { online | offline }
The maximum number of real-time accounting failures is set and a policy used after a real-time accounting failure is configured. After real-time accounting is enabled, the maximum number of real-time accounting failures is 3 and the AR200-S keeps paid users online after a real-time accounting failure by default.
----End
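The NOTE under the authentication-mode step, which appears in the same words in the RADIUS scheme procedure and in the HWTACACS scheme procedure above, draws a distinction that matters for security: the mode configured later is used only when the current mode fails (for example, the server does not answer), not when the current mode rejects the user, and a rejected user is not retried against the next mode. The Python below is an added model of that rule, not AR200-S or Huawei code; the Result names, the constructed local-user table and the stand-in server methods are assumptions made for the illustration.

```python
# Added example (not AR200-S or Huawei code): a model of how configured
# authentication modes are tried in order. Names, the constructed local-user
# table and the stand-in RADIUS/HWTACACS methods are assumptions.
import hmac
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"   # the mode verified the user
    REJECT = "reject"   # the mode answered and the user failed
    FAIL = "fail"       # the mode itself did not work (server unreachable, timeout)


def authenticate(modes, methods, user, password):
    """Try the modes in the order they were configured.

    Returns (Result, mode_name). Only Result.FAIL moves on to the next mode;
    ACCEPT or REJECT ends authentication, as the guide's NOTE describes. The
    "none" mode accepts unconditionally. If every mode fails and no "none"
    mode is configured, the user is denied: (Result.FAIL, None).
    """
    for mode in modes:
        if mode == "none":
            return Result.ACCEPT, mode
        outcome = methods[mode](user, password)
        if outcome is Result.FAIL:
            continue
        return outcome, mode
    return Result.FAIL, None


def local_method(users):
    """Local authentication against a constructed table of local-user records.
    A user in blocking state is rejected, as is a wrong password."""
    def local(user, password):
        record = users.get(user)
        if record is None or record["state"] == "block":
            return Result.REJECT
        if not hmac.compare_digest(record["password"], password):
            return Result.REJECT
        return Result.ACCEPT
    return local


def server_method(reachable, accepted):
    """Stand-in for a RADIUS or HWTACACS server: unreachable gives FAIL,
    otherwise ACCEPT for the listed credential pairs and REJECT for all others."""
    def remote(user, password):
        if not reachable:
            return Result.FAIL
        return Result.ACCEPT if accepted.get(user) == password else Result.REJECT
    return remote


LOCAL_USERS = {   # constructed local-user records
    "admin": {"password": "constructed-pw", "state": "active"},
    "ops": {"password": "constructed-pw", "state": "active"},
    "guest": {"password": "constructed-pw", "state": "block"},
}


def demo(radius_reachable):
    """Scheme 'authentication-mode radius local' for the admin user."""
    methods = {
        "radius": server_method(radius_reachable, {"admin": "constructed-pw"}),
        "local": local_method(LOCAL_USERS),
    }
    return authenticate(["radius", "local"], methods, "admin", "constructed-pw")


if __name__ == "__main__":
    print("RADIUS reachable:  ", demo(True))
    print("RADIUS unreachable:", demo(False))
```

The model makes the consequence of the optional `none` mode visible: with `radius none`, an unreachable server lets every login through, which is why the fallback the guide recommends for administrators is local authentication rather than non-authentication.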
Context
The settings of an HWTACACS server template such as the HWTACACS user name format and shared key on the HWTACACS client must be the same as those on the HWTACACS server.
Procedure
Step 1 Run:
system-view
An HWTACACS server template is created and the HWTACACS server template view is displayed.
Step 4 Run:
hwtacacs-server authentication ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ]
The IP address of the primary HWTACACS authentication server is specified. By default, the IP address of the primary HWTACACS authentication server is 0.0.0.0 and its port number is 0, and the primary HWTACACS authentication server is not bound to any VPN instance.
Step 5 (Optional) Run:
hwtacacs-server authentication ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] secondary
The IP address of the secondary HWTACACS authentication server is specified. By default, the IP address of the secondary HWTACACS authentication server is 0.0.0.0 and its port number is 0, and the secondary HWTACACS authentication server is not bound to any VPN instance.
Step 6 Run:
hwtacacs-server authorization ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ]
The IP address of the primary HWTACACS authorization server is specified. By default, the IP address of the primary HWTACACS authorization server is 0.0.0.0 and its port number is 0, and the primary HWTACACS authorization server is not bound to any VPN instance.
Step 7 (Optional) Run:
hwtacacs-server authorization ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] secondary
The IP address of the secondary HWTACACS authorization server is specified. By default, the IP address of the secondary HWTACACS authorization server is 0.0.0.0 and its port number is 0, and the secondary HWTACACS authorization server is not bound to any VPN instance.
Step 8 Run:
hwtacacs-server accounting ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ]
The IP address of the primary HWTACACS accounting server is specified. By default, the IP address of the primary HWTACACS accounting server is 0.0.0.0 and its port number is 0, and the primary HWTACACS accounting server is not bound to any VPN instance.
Issue 02 (2012-03-30) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. 23
1 AAA Configuration
The IP address of the secondary HWTACACS accounting server is specified. By default, the IP address of the secondary HWTACACS accounting server is 0.0.0.0 and its port number is 0, and the secondary HWTACACS accounting server is not bound to any VPN instance. Step 10 (Optional) Run:
hwtacacs-server source-ip ip-address
The AR200-S is configured to encapsulate the source IP address in HWTACACS packets to be sent to an HWTACACS server. By default, the source IP address in HWTACACS packets is 0.0.0.0. The AR200-S uses the IP address of the actual outbound VLANIF interface as the source IP address in HWTACACS packets. After you specify the source IP address in HWTACACS packets, the AR200-S uses this IP address to communicate with the HWTACACS server.
Step 11 (Optional) Run:
hwtacacs-server shared-key [ cipher | simple ] key-string
The shared key is configured. By default, no shared key is configured.
Step 12 (Optional) Run:
hwtacacs-server user-name domain-included
The AR200-S is configured to encapsulate the domain name in the user name in HWTACACS packets to be sent to an HWTACACS server. By default, the AR200-S encapsulates the domain name in the user name when sending HWTACACS packets to an HWTACACS server.
Step 13 (Optional) Run:
hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }
The traffic unit used by an HWTACACS server is configured. By default, the traffic unit is byte on the AR200-S.
Step 14 (Optional) Run:
hwtacacs-server timer response-timeout value
The response timeout interval for an HWTACACS server is set. By default, the response timeout interval for an HWTACACS server is 5s. If the AR200-S does not receive any response from the HWTACACS server within the timeout interval, it considers that the HWTACACS server is faulty. The AR200-S then tries to perform authentication and authorization by using other methods.
Step 15 (Optional) Run:
hwtacacs-server timer quiet value
The time for the primary HWTACACS server to return to the active state is set. By default, the time for the primary HWTACACS server to return to the active state is 5 minutes.
Step 16 (Optional) Run:
quit
Retransmission of accounting-stop packets is configured. You can enable retransmission of accounting-stop packets and set the retransmission count, or disable the function. By default, the retransmission function is enabled and the retransmission count is 100.
Step 18 (Optional) Run:
return
Context
Before configuring a domain, ensure that the authentication scheme, authorization scheme, accounting scheme, and HWTACACS server template have been created.
Procedure
Step 1 Run:
system-view
A domain is created and the domain view is displayed. The AR200-S has two default domains: default and default_admin. The default domain is used by common access users and the default_admin domain is used by administrators.
Step 4 Run:
An authentication scheme is applied to the domain. By default, the default authentication scheme is applied to a domain.
Step 5 (Optional) Run:
authorization-scheme authorization-scheme-name
An authorization scheme is applied to the domain. By default, no authorization scheme is applied to a domain.
Step 6 (Optional) Run:
accounting-scheme accounting-scheme-name
An accounting scheme is applied to a domain. By default, the default accounting scheme is applied to a domain. In the default accounting scheme, non-accounting is used and the real-time accounting function is disabled.
Step 7 (Optional) Run:
service-scheme service-scheme-name
A service scheme is applied to a domain. By default, no service scheme is applied to a domain.
Step 8 Run:
hwtacacs-server template-name
The HWTACACS server template is applied to a domain. By default, no HWTACACS server template is applied to a domain.
Step 9 (Optional) Run:
state { active | block }
The domain status is configured. When a domain is in blocking state, users in this domain cannot log in. By default, a domain is in active state after being created.
Step 10 Run:
quit
The domain name delimiter is configured. The domain name delimiter can be any of the following: \ / : < > | @ ' %. By default, the domain name delimiter is @.
----End
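The following Python model is an added example, not Huawei code, of how the domain procedure above and the user-name domain-included setting of the HWTACACS template fit together: a login name is split at the configured delimiter (one of the characters listed above, @ by default), a name without a delimiter falls into the default domain (default_admin for administrators), a blocked domain refuses the login, and the user name placed in HWTACACS packets either keeps or drops the domain part. Two details are assumptions, since the page does not state them: the name is split at the last occurrence of the delimiter, and the administrator flag is what selects default_admin.

```python
# Added example (not Huawei code): resolve the domain a login name belongs to
# with the configurable delimiter, apply the domain's state, and build the
# user name sent to an HWTACACS server under "user-name domain-included".
# Assumptions not stated on the page: the name is split at the LAST delimiter,
# and administrators without a domain fall into default_admin.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ALLOWED_DELIMITERS = set("\\/:<>|@'%")   # values the domain-name-delimiter command accepts
DEFAULT_DOMAIN = "default"               # for common access users
DEFAULT_ADMIN_DOMAIN = "default_admin"   # for administrators


@dataclass
class Domain:
    name: str
    state: str = "active"                    # "active" or "block", as in the state command
    authentication_scheme: str = "default"   # default authentication scheme applied
    accounting_scheme: str = "default"       # default accounting scheme applied
    authorization_scheme: Optional[str] = None   # none applied by default
    hwtacacs_template: Optional[str] = None      # none applied by default


@dataclass
class AaaConfig:
    delimiter: str = "@"
    domain_included: bool = True             # hwtacacs-server user-name domain-included (default on)
    domains: Dict[str, Domain] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.delimiter not in ALLOWED_DELIMITERS:
            raise ValueError(f"delimiter {self.delimiter!r} is not permitted")
        for name in (DEFAULT_DOMAIN, DEFAULT_ADMIN_DOMAIN):   # built-in domains always exist
            self.domains.setdefault(name, Domain(name))


def split_login(login: str, cfg: AaaConfig, is_admin: bool = False) -> Tuple[str, str]:
    """Return (user, domain name); a name without a delimiter falls into a default domain."""
    user, sep, domain = login.rpartition(cfg.delimiter)
    if sep and user and domain:
        return user, domain
    return login, DEFAULT_ADMIN_DOMAIN if is_admin else DEFAULT_DOMAIN


def resolve_domain(login: str, cfg: AaaConfig, is_admin: bool = False) -> Domain:
    """Look the domain up; an unknown or blocked domain refuses the login."""
    _, name = split_login(login, cfg, is_admin)
    domain = cfg.domains.get(name)
    if domain is None:
        raise LookupError(f"domain {name!r} does not exist")
    if domain.state != "active":
        raise PermissionError(f"domain {name!r} is blocked; users in it cannot log in")
    return domain


def login_allowed(login: str, cfg: AaaConfig, is_admin: bool = False) -> bool:
    """True when the login resolves to an existing, active domain."""
    try:
        resolve_domain(login, cfg, is_admin)
        return True
    except (LookupError, PermissionError):
        return False


def hwtacacs_user_name(login: str, cfg: AaaConfig, is_admin: bool = False) -> str:
    """User name placed in HWTACACS packets: the name as typed when domain-included
    is on (the default), only the user part when it has been switched off."""
    user, _ = split_login(login, cfg, is_admin)
    return login if cfg.domain_included else user
```

The practical point of the model is the last function: if domain-included is switched off, the HWTACACS server sees the same bare user name for alice@huawei and alice@default, so per-domain authorization on the server side depends on leaving the default on or on keeping user names unique across domains.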
Prerequisites
The HWTACACS AAA configurations are complete.
Procedure
- Run the display aaa configuration command to check the AAA summary.
- Run the display authentication-scheme [ authentication-scheme-name ] command to check the authentication scheme configuration.
- Run the display authorization-scheme [ authorization-scheme-name ] command to check the authorization scheme configuration.
- Run the display accounting-scheme [ accounting-scheme-name ] command to check the accounting scheme configuration.
- Run the display service-scheme [ name name ] command to check the service scheme configuration.
- Run the display hwtacacs-server template [ template-name ] command to check the HWTACACS server template configuration.
- Run the display domain [ name domain-name ] command to check the domain configuration.
----End
CAUTION
Statistics cannot be restored after being cleared. Exercise caution when you run this command. Run the following commands in the user view to clear the statistics.
Procedure
- Run the reset hwtacacs-server statistics { all | accounting | authentication | authorization } command to clear the HWTACACS statistics.
- Run the reset hwtacacs-server accounting-stop-packet { all | ip ip-address } command to clear the statistics on accounting-stop packets.
----End
Figure: networking diagram (domain Huawei; Router A; network; Router B 129.7.66.66/24)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a RADIUS server template.
2. Configure an authentication scheme and an accounting scheme.
3. Apply the RADIUS server template, authentication scheme, and accounting scheme to the domain.
Data Preparation
To complete the configuration, you need the following data:
- Name of the domain that users belong to
- Name of the RADIUS server template
- Names of the authentication scheme and accounting scheme, and authentication and accounting modes
- IP addresses and authentication and accounting port numbers of the primary and secondary RADIUS servers
- Shared key and retransmission count
Procedure
Step 1 Configure interface IP addresses and routes to enable users and the RADIUS server to communicate.
Step 2 Configure a RADIUS server template.
# Configure a RADIUS template shiva.
<Huawei> system-view
[Huawei] radius-server template shiva
# Configure the IP address and port numbers of the primary RADIUS authentication and accounting server.
[Huawei-radius-shiva] radius-server authentication 129.7.66.66 1812
[Huawei-radius-shiva] radius-server accounting 129.7.66.66 1813
# Configure the IP address and port numbers of the secondary RADIUS authentication and accounting server.
[Huawei-radius-shiva] radius-server authentication 129.7.66.67 1812 secondary
[Huawei-radius-shiva] radius-server accounting 129.7.66.67 1813 secondary
# Configure the shared key and retransmission count of the RADIUS server.
[Huawei-radius-shiva] radius-server shared-key cipher hello
[Huawei-radius-shiva] radius-server retransmit 2
[Huawei-radius-shiva] quit
Step 3 Configure authentication and accounting schemes.
# Configure authentication scheme 1 and set the authentication method to RADIUS authentication.
# Configure accounting scheme 1 and set the accounting method to RADIUS accounting.
[Huawei-aaa] accounting-scheme 1
[Huawei-aaa-accounting-1] accounting-mode radius
[Huawei-aaa-accounting-1] quit
Step 4 Configure a domain huawei and apply authentication scheme 1, accounting scheme 1, and RADIUS server template shiva to the domain.
[Huawei-aaa] domain huawei
[Huawei-aaa-domain-huawei] authentication-scheme 1
[Huawei-aaa-domain-huawei] accounting-scheme 1
[Huawei-aaa-domain-huawei] radius-server shiva
Step 5 Verify the configuration. Run the display radius-server configuration template command on RouterB. The command output shows that the configuration of the RADIUS server template meets the requirements.
<Huawei> display radius-server configuration template shiva
------------------------------------------------------------------
Server-template-name             : shiva
Protocol-version                 : standard
Traffic-unit                     : B
Shared-secret-key                : 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
Timeout-interval(in second)      : 5
Primary-authentication-server    : 129.7.66.66   :1812  :LoopBack:NULL Source-IP:0.0.0.0
Primary-accounting-server        : 129.7.66.66   :1813  :LoopBack:NULL Source-IP:0.0.0.0
Secondary-authentication-server  : 129.7.66.67   :1812  :LoopBack:NULL Source-IP:0.0.0.0
Secondary-accounting-server      : 129.7.66.67   :1813  :LoopBack:NULL Source-IP:0.0.0.0
Retransmission                   : 2
Domain-included                  : YES
NAS-IP-Address                   : 0.0.0.0
------------------------------------------------------------------
----End
Configuration Files
#
sysname Huawei
#
radius-server template shiva
radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
radius-server authentication 129.7.66.66 1812
radius-server authentication 129.7.66.67 1812 secondary
radius-server accounting 129.7.66.66 1813
radius-server accounting 129.7.66.67 1813 secondary
radius-server retransmit 2
#
aaa
authentication-scheme default
authentication-scheme 1
authentication-mode radius
authorization-scheme default
accounting-scheme default
accounting-scheme 1
Figure: networking diagram (domain Huawei; Router A; network; Router B 129.7.66.66/24)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an HWTACACS server template.
2. Configure authentication, authorization, and accounting schemes.
3. Apply the HWTACACS server template, authentication, authorization, and accounting schemes to the domain.
Data Preparation
To complete the configuration, you need the following data:
- Name of the domain that users belong to
- Name of the HWTACACS server template
- Names of the authentication scheme, authorization scheme, and accounting scheme, and authentication, authorization, and accounting modes
- IP addresses, authentication port numbers, authorization port numbers, and accounting port numbers of the primary and secondary HWTACACS servers
- Shared key of the HWTACACS server
Procedure
Step 1 Configure an HWTACACS server template.
# Configure an HWTACACS server template ht.
<Huawei> system-view
[Huawei] hwtacacs-server template ht
# Configure IP addresses and port numbers of the primary HWTACACS authentication, authorization, and accounting servers.
[Huawei-hwtacacs-ht] hwtacacs-server authentication 129.7.66.66 49
[Huawei-hwtacacs-ht] hwtacacs-server authorization 129.7.66.66 49
[Huawei-hwtacacs-ht] hwtacacs-server accounting 129.7.66.66 49
# Configure the IP addresses and port numbers of the secondary HWTACACS authentication, authorization, and accounting servers.
[Huawei-hwtacacs-ht] hwtacacs-server authentication 129.7.66.67 49 secondary
[Huawei-hwtacacs-ht] hwtacacs-server authorization 129.7.66.67 49 secondary
[Huawei-hwtacacs-ht] hwtacacs-server accounting 129.7.66.67 49 secondary
Step 2 Configure the authentication scheme, authorization scheme, and accounting scheme.
# Create an authentication scheme l-h. In the authentication scheme, the system performs HWTACACS authentication first, and performs local authentication if HWTACACS authentication fails. HWTACACS authentication is also used first when a user's level is upgraded.
Step 3 Configure a domain huawei, and apply the authentication scheme l-h, authorization scheme hwtacacs, accounting scheme hwtacacs, and the HWTACACS server template ht to the domain.
[Huawei-aaa] domain huawei
[Huawei-aaa-domain-huawei] authentication-scheme l-h
[Huawei-aaa-domain-huawei] authorization-scheme hwtacacs
[Huawei-aaa-domain-huawei] accounting-scheme hwtacacs
[Huawei-aaa-domain-huawei] hwtacacs-server ht
[Huawei-aaa-domain-huawei] quit
[Huawei-aaa] quit
Step 4 Verify the configuration. Run the display hwtacacs-server template command on RouterB. You can see that the configuration of the HWTACACS server template is correct.
<Huawei> display hwtacacs-server template ht
---------------------------------------------------------------------------
HWTACACS-server template name     : ht
Primary-authentication-server     : 129.7.66.66:49:
Primary-authorization-server      : 129.7.66.66:49:
Primary-accounting-server         : 129.7.66.66:49:
Secondary-authentication-server   : 129.7.66.67:49:
Secondary-authorization-server    : 129.7.66.67:49:
Secondary-accounting-server       : 129.7.66.67:49:
Current-authentication-server     : 129.7.66.66:49:
Current-authorization-server      : 129.7.66.66:49:
Current-accounting-server         : 129.7.66.66:49:
Source-IP-address                 : 0.0.0.0
Shared-key                        : ****************
Quiet-interval(min)               : 5
Response-timeout-Interval(sec)    : 5
Domain-included                   : Yes
Traffic-unit                      : B
---------------------------------------------------------------------------
Run the display domain command on RouterB. You can see that the domain configuration is correct.
<Huawei> display domain name huawei
Domain-name                 : huawei
Domain-state                : Active
Authentication-scheme-name  : l-h
Accounting-scheme-name      : hwtacacs
Authorization-scheme-name   : hwtacacs
----End
Configuration Files
#
hwtacacs-server template ht
hwtacacs-server authentication 129.7.66.66
hwtacacs-server authentication 129.7.66.67 secondary
hwtacacs-server authorization 129.7.66.66
hwtacacs-server authorization 129.7.66.67 secondary
hwtacacs-server accounting 129.7.66.66
hwtacacs-server accounting 129.7.66.67 secondary
hwtacacs-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
#
aaa
authentication-scheme default
authentication-scheme l-h
authentication-mode hwtacacs local
authentication-super hwtacacs super
authorization-scheme default
authorization-scheme hwtacacs
authorization-mode hwtacacs
accounting-scheme default
accounting-scheme hwtacacs
accounting-mode hwtacacs
accounting realtime 3
domain default
domain default_admin
domain huawei
authentication-scheme l-h
accounting-scheme hwtacacs
authorization-scheme hwtacacs
hwtacacs-server ht
#
return
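The following Python audit is an added example, not Huawei code. It reads a configuration file of the shape shown above and reports the settings a reviewer of the HWTACACS template procedure and of this configuration example would check: a template whose shared key is absent or stored with simple rather than cipher, a template with no primary server (the 0.0.0.0 default) or no secondary server, a domain that references a scheme that does not exist, and a domain whose scheme uses HWTACACS while no template is bound to it. It assumes that scheme definitions come before the domain entries inside the aaa section, as they do in the files on this page; the sample configuration is reconstructed from the example above with indentation added for readability.

```python
# Added example (not Huawei code): audit an AR200-S AAA configuration file for
# the HWTACACS weaknesses the template and domain procedures above let you avoid.
# Assumption: inside "aaa", scheme definitions precede "domain" entries, as in
# the configuration files on this page; indentation is ignored.
from typing import Dict, List, Tuple

# Constructed sample, reconstructed from the HWTACACS configuration example above.
SAMPLE_CONFIG = """\
hwtacacs-server template ht
 hwtacacs-server authentication 129.7.66.66
 hwtacacs-server authentication 129.7.66.67 secondary
 hwtacacs-server authorization 129.7.66.66
 hwtacacs-server authorization 129.7.66.67 secondary
 hwtacacs-server accounting 129.7.66.66
 hwtacacs-server accounting 129.7.66.67 secondary
 hwtacacs-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
#
aaa
 authentication-scheme default
 authentication-scheme l-h
  authentication-mode hwtacacs local
 authorization-scheme default
 authorization-scheme hwtacacs
  authorization-mode hwtacacs
 accounting-scheme default
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
 domain default
 domain default_admin
 domain huawei
  authentication-scheme l-h
  accounting-scheme hwtacacs
  authorization-scheme hwtacacs
  hwtacacs-server ht
#
"""

KINDS = ("authentication", "authorization", "accounting")


def parse_config(text: str):
    templates: Dict[str, dict] = {}                     # name -> servers and shared-key form
    schemes: Dict[str, Dict[str, List[str]]] = {k: {"default": []} for k in KINDS}
    domains: Dict[str, dict] = {}                       # name -> bound schemes and template
    section = template = scheme = domain = None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words == ["#"]:                              # end of a configuration block
            section = template = scheme = domain = None
        elif words[:2] == ["hwtacacs-server", "template"]:
            section, template = "template", words[2]
            templates[template] = {"servers": {}, "shared_key": None}
        elif words == ["aaa"]:
            section = "aaa"
        elif section == "template" and words[1] in KINDS:
            role = "secondary" if words[-1] == "secondary" else "primary"
            templates[template]["servers"][(words[1], role)] = words[2]
        elif section == "template" and words[1] == "shared-key":
            templates[template]["shared_key"] = words[2]   # "cipher" or "simple"
        elif section == "aaa" and words[0] == "domain":
            domain, scheme = words[1], None
            domains[domain] = {"authentication": "default", "accounting": "default"}
        elif section == "aaa" and words[0].endswith("-scheme") and words[0][:-7] in KINDS:
            kind = words[0][:-7]
            if domain is None:                          # scheme definition
                scheme = (kind, words[1])
                schemes[kind].setdefault(words[1], [])
            else:                                       # reference from inside a domain
                domains[domain][kind] = words[1]
        elif section == "aaa" and domain is not None and words[0] == "hwtacacs-server":
            domains[domain]["template"] = words[1]
        elif section == "aaa" and scheme is not None and words[0].endswith("-mode"):
            schemes[scheme[0]][scheme[1]].extend(words[1:])
    return templates, schemes, domains


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; an empty list means nothing was flagged."""
    templates, schemes, domains = parse_config(text)
    findings: List[Tuple[str, str]] = []
    for name, t in templates.items():
        if t["shared_key"] is None:
            findings.append(("error", f"template {name}: no shared key configured"))
        elif t["shared_key"] == "simple":
            findings.append(("error", f"template {name}: shared key stored in plain text; use cipher"))
        for kind in KINDS:
            if (kind, "primary") not in t["servers"]:
                findings.append(("error", f"template {name}: no primary {kind} server (default 0.0.0.0)"))
            if (kind, "secondary") not in t["servers"]:
                findings.append(("warning", f"template {name}: no secondary {kind} server, no failover"))
    for name, d in domains.items():
        for kind in KINDS:
            ref = d.get(kind)
            if ref is not None and ref not in schemes[kind]:
                findings.append(("error", f"domain {name}: {kind} scheme {ref!r} does not exist"))
        tmpl = d.get("template")
        if tmpl is None and any("hwtacacs" in schemes[k].get(d.get(k), []) for k in KINDS):
            findings.append(("error", f"domain {name}: a scheme uses hwtacacs but no template is bound"))
    return findings
```

Run against the reconstructed sample the audit returns nothing; changing cipher to simple, or dropping the hwtacacs-server ht line from the domain, produces one error each, and removing the secondary servers produces a warning per server type.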
2 HTTPS Configuration
About This Chapter
The Hypertext Transfer Protocol Secure (HTTPS) protocol provides secure web access using security mechanisms provided by the Secure Sockets Layer (SSL) protocol, including data encryption, identity authentication, and message integrity check.
2.1 HTTPS Overview
HTTPS is a combination of the Hypertext Transfer Protocol (HTTP) and the Secure Sockets Layer (SSL) protocol.
2.2 HTTPS Features Supported by the AR200-S
The AR200-S supports the HTTPS server function.
2.3 Configuring the AR200-S as an HTTPS Server
The HTTPS server function allows users to securely access the AR200-S on web pages.
2.4 Configuration Examples
This section provides an HTTPS configuration example.
The HTTPS function requires a license. To use the HTTPS function, apply for and purchase the following license from the Huawei local office:
- AR150&200 Value-Added Security Package
Applicable Environment
When users access a remote AR200-S functioning as an HTTP server, the following problems exist:
- Users cannot authenticate the AR200-S.
- Privacy of data transmitted between users and the AR200-S cannot be protected.
- Integrity of data transmitted between users and the AR200-S cannot be ensured, and the data may be modified by unauthorized users.
To solve the preceding problems, configure the AR200-S as an HTTPS server. The AR200-S uses the SSL protocol's data encryption, identity authentication, and message integrity check mechanisms to protect security of data transmitted between users and the AR200-S. These mechanisms ensure that users securely access a remote AR200-S on web pages.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Configure a server SSL policy. For details, see 11.3 Configuring a Server SSL Policy.
Step 3 Run:
http secure-server ssl-policy ssl-policy
An SSL policy is applied to the HTTPS service. By default, no SSL policy is applied to the HTTPS service on the AR200-S.
Step 4 (Optional) Run:
http secure-server port port
The port number is set for the HTTPS service. By default, the port number of the HTTPS service is 443.
Step 5 Run:
http secure-server enable
The HTTPS server function is enabled on the AR200-S. By default, the HTTPS server function is disabled on the AR200-S.
----End
Example
# Run the display current-configuration command to check the configuration of the HTTPS server.
<Huawei> display current-configuration | include http secure-server
http secure-server port 1026
http secure-server ssl-policy user
http secure-server enable
Networking Environment
As shown in Figure 2-2, the administrator of enterprise A works in a different city than the R&D department. The administrator needs to securely log in to the gateway of the R&D department to manage the gateway. To meet the preceding requirement, configure the HTTPS server function on the Router (the gateway) so that:
- The administrator establishes an HTTPS connection with the Router (the gateway) from a host named Admin and manages the Router on web pages.
- The administrator uses the SSL protocol's security mechanisms to authenticate the Router, improving remote access security.
NOTE
To implement certificate authentication, you also need to configure a Certificate Authority (CA) server. The CA server configuration is not mentioned here.
Figure 2-2: networking diagram (enterprise A; host Admin; Internet; CA; R&D department PC; Router interface Eth1/0/0 2.1.1.1/24)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a public key infrastructure (PKI) entity and a PKI domain.
2. Configure a server SSL policy.
3. Configure the Router as an HTTPS server.
Data Preparation
To complete the configuration, you need the following data:
- Router's interface connected to the Internet: Ethernet1/0/0
- IP address of Ethernet1/0/0: 2.1.1.1/24
- IP address of the CA: 3.1.1.1/24
- PKI parameters, as shown in the following table
Item         Data
PKI entity   PKI entity name: admin
             - PKI common name: hello
             - Country code: CN
PKI domain   PKI domain name: admin
             - Trusted CA: ca_root
             - Certificate's enrollment URL: http://3.1.1.1:8080/certsrv/mscep/mscep.dll
             - Bound PKI entity: admin
             - CA's fingerprint algorithm: secure hash algorithm (SHA)
               Fingerprint: 17A34D94624B1C1BCBF6D763C4A67035D5B578EAF
- SSL parameters, as shown in the following table
Policy Name   Maximum Number of Sessions   Session Timeout Period
adminserver   40                           7200 seconds
Before starting the configuration, ensure that routes between the Router, user hosts, and CA are reachable.
Procedure
Step 1 Configure a PKI entity and a PKI domain.
# Configure a PKI entity.
<Huawei> system-view
[Huawei] sysname Router
[Router] pki entity admin
[Router-pki-entity-admin] common-name hello
[Router-pki-entity-admin] country CN
[Router-pki-entity-admin] quit
You will be prompted to enter the password during certificate enrollment. If you do not have a password, press Enter.
Step 2 Configure a server SSL policy.
# Create a server SSL policy and specify PKI domain admin in the policy. This allows the Router to obtain a digital certificate from the CA specified in the PKI domain.
[Router] ssl policy adminserver type server
[Router-ssl-policy-adminserver] pki-realm admin
# Set the maximum number of sessions that can be saved and the timeout period of a saved session.
[Router-ssl-policy-adminserver] session cachesize 40 timeout 7200
[Router-ssl-policy-adminserver] quit
Step 3 Configure the Router as an HTTPS server.
# Apply the SSL policy adminserver to the HTTPS service.
[Router] http secure-server ssl-policy adminserver
Step 4 Verify the configuration.
# Run the display ssl policy policy-name command to view the configuration of the SSL policy adminserver.
<Router> display ssl policy adminserver
------------------------------------------------------------------------------
Policy name                      : adminserver
Policy ID                        : 1
Policy type                      : Server
Cache number                     : 40
Time out(second)                 : 7200
Server certificate load status   : loaded
Bind number                      : 1
SSL connection number            : 1
------------------------------------------------------------------------------
# Start the web browser on the host Admin and enter https://2.1.1.1:1278 in the address box. The web management system of the Router is displayed, and the administrator can securely access and manage the Router on web pages.
----End
Configuration Files
Configuration file of the Router
#
sysname Router
#
interface Ethernet 1/0/0
ip address 2.1.1.1 255.255.255.0
#
pki entity admin
common-name hello
country CN
#
pki realm admin
entity admin
ca id ca_root
enrollment-url http://3.1.1.1:8080/certsrv/mscep/mscep.dll ra
fingerprint sha1 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF
#
ssl policy adminserver type server
pki-realm admin
session cachesize 40 timeout 7200
#
http secure-server ssl-policy adminserver
http secure-server enable
http secure-server port 1278
#
return
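The fingerprint in the PKI domain deserves a closer look, because the enrollment URL above is plain http://: nothing on that channel authenticates the CA certificate the Router downloads except the comparison of its digest against the configured fingerprint. The Python below is an added example, not Huawei code, of that comparison, with the normalization and length checks a careful implementation needs; the same computation verifies any certificate obtained out of band, and the last function shows how to retrieve the certificate an HTTPS server presents (it is not run here). The DER bytes in the sample are constructed, not a real certificate.

```python
# Added example (not Huawei code): verify a certificate against the fingerprint
# recorded in a PKI domain. The enrollment URL is plain HTTP, so this digest is
# what authenticates the CA certificate the Router retrieves.
import hashlib
import hmac
import ssl

# Value from the configuration file above ("fingerprint sha1 ...").
EXPECTED_CA_FINGERPRINT = "7A34D94624B1C1BCBF6D763C4A67035D5B578EAF"
DIGEST_HEX_LENGTH = {"sha1": 40, "md5": 32}   # the algorithms fingerprints use


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD', 'ab cd' or 'ABCD' spellings; return bare upper-case hex."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Fingerprint as a PKI domain stores it: digest of the DER-encoded certificate."""
    if algorithm not in DIGEST_HEX_LENGTH:
        raise ValueError(f"unsupported fingerprint algorithm {algorithm!r}")
    return hashlib.new(algorithm, der).hexdigest().upper()


def fingerprint_matches(der: bytes, expected: str, algorithm: str = "sha1") -> bool:
    """True only when the configured value is a complete digest equal to the cert's."""
    got = fingerprint(der, algorithm)
    want = normalize_fingerprint(expected)
    if len(want) != DIGEST_HEX_LENGTH[algorithm]:
        return False          # a truncated or over-long value never matches
    return hmac.compare_digest(got, want)   # constant-time comparison


def server_certificate_der(host: str, port: int) -> bytes:
    """Fetch the certificate an HTTPS server presents (network access needed;
    the certificate is only retrieved here, not validated)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    # Constructed bytes standing in for a DER certificate; not a real certificate.
    der = b"constructed DER bytes, not a certificate"
    print(fingerprint(der), fingerprint_matches(der, EXPECTED_CA_FINGERPRINT))
```

The length check is not pedantry: a SHA-1 fingerprint is 40 hex digits, which the configuration file's value has, while the spelling in the data preparation table above has 41; a comparison that silently accepted a prefix or ignored the extra digit would defeat the purpose of pinning.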
3 Firewall Configuration
About This Chapter
The attack defense system protects an internal network against attacks from external networks; therefore, firewalls are generally deployed between the internal and external networks to prevent attacks.
3.1 Firewall Overview
A firewall discards unwanted packets and protects the systems and key resources on the internal network.
3.2 Firewall Features Supported by the AR200-S
The firewall features supported by the AR200-S include ACL-based packet filtering, blacklist, whitelist, application specific packet filter (ASPF), port mapping, virtual firewall, attack defense, traffic statistics and monitoring, and logs.
3.3 Configuring Zones
All the security policies of the firewall are enforced based on zones.
3.4 Configuring the Packet Filtering Firewall
The packet filtering firewall filters packets by using an ACL.
3.5 Configuring the Blacklist
You can manually add entries to the blacklist or configure a dynamic blacklist. If you choose the dynamic blacklist, enable IP address scanning and port scanning defense on the attack defense module of the AR200-S. When the AR200-S detects that the connection rate of an IP address or a port exceeds the threshold, the AR200-S considers that a scanning attack occurs, and adds the source IP address to the blacklist. All the packets from this source IP address are then filtered out.
3.6 Configuring the Whitelist
Whitelists are applicable to networks where devices send valid service packets that resemble IP address or port scanning attack packets. Whitelists prevent these devices from being added to the blacklist.
3.7 Configuring ASPF
The ASPF function can detect sessions that attempt to traverse the application layer and deny the undesired packets. In addition, ASPF enables application protocols that cannot traverse firewalls to function properly.
3.8 Configuring Port Mapping
Port mapping defines new port numbers for different application-layer protocols, protecting the server against service-specific attacks.
3.9 Configuring the Aging Time of the Firewall Session Table
3.10 Configuring the Attack Defense Function
The AR200-S attack defense function prevents attacks to the CPU. It ensures that the server operates normally even when it is attacked.
3.11 Configuring Traffic Statistics and Monitoring
The AR200-S supports traffic statistics and monitoring at the system level, zone level, and IP address level.
3.12 Configuring the Log Function
The firewall logs include session logs, statistics logs, attack defense logs, and blacklist logs.
3.13 Maintaining the Firewall
3.14 Configuration Examples
This section provides several configuration examples of the firewall.
Security Zone
The security zone, also referred to as a zone, is the basis of a firewall. All the security policies are enforced based on zones. A zone is an interface or a group of multiple interfaces. The users in a zone have the same security attributes. Each zone has a unique security priority. That is, the priorities of any two zones are different.
The AR200-S considers that the data transmission within a zone is reliable; therefore, it does not enforce any security policy on the intra-zone data transmission. The AR200-S verifies the data and enforces the security policies only when the data flows from one zone to another.
Interzone
Any two zones form an interzone. Each interzone has an independent interzone view. Most firewall configurations are performed in the interzone views. Assume that there are zone1 and zone2. In the interzone view, ACL-based packet filtering can be configured. The configured filtering policy is then enforced on the data transmission between zone1 and zone2.
Direction
In an interzone, data is transmitted in the inbound or outbound direction.
- Inbound: indicates that data flows from a zone with lower priority to a zone with higher priority.
- Outbound: indicates that data flows from a zone with higher priority to a zone with lower priority.
ASPF
ASPF is applied at the application layer, that is, ASPF is status-based packet filtering. ASPF detects the application-layer sessions that attempt to pass the firewall, and discards undesired packets. The AR200-S performs ASPF for the File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP) packets.
Blacklist
A blacklist filters packets based on source IP addresses. Compared with the ACL, the blacklist uses simpler matching fields to implement high-speed packet filtering. Packets from certain IP addresses can be filtered out. The firewall dynamically adds IP addresses to the blacklist. The firewall uses packet behavior to detect an attack from an IP address. If an attack is detected, the firewall adds the IP address of the attacker to the blacklist so that all packets from the attacker will be discarded.
Whitelist
The whitelist prevents specified IP addresses from being added to the blacklist. The IP addresses in the whitelist will not be added to the static or dynamic blacklist. An entry in the whitelist is represented by the source VPN and IP address. The whitelist applies to the network where some devices send valid service packets that resemble IP address scanning attack packets or port scanning attack packets. The whitelist prevents these devices from being added to the blacklist. The whitelist entries on the AR200-S can only be manually added.
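To show how the dynamic blacklist of the previous section and the whitelist described here interact, the following Python model is an added example, not Huawei code. A source that touches more distinct hosts (IP address scanning) or more distinct ports (port scanning) than the threshold within the window is added to the blacklist and every later packet from it is dropped, unless its (VPN, IP address) pair is on the manually maintained whitelist; each addition is recorded as the blacklist log would record it. The traffic is constructed. The page gives neither the device's exact counters nor its thresholds, so the rate model, the one-second window, and dropping the packet that triggers the detection are assumptions.

```python
# Added example (not Huawei code): a dynamic blacklist fed by IP address
# scanning and port scanning detection, with whitelist exemption, run over
# constructed traffic. Assumption: "connection rate" is modelled as the number
# of distinct destinations a source touches within a one-second window; the
# AR200-S's real counters and thresholds are not given on this page.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    t: float      # arrival time in seconds
    vpn: str      # VPN instance name, "public" for the public network
    src: str
    dst: str
    dport: int


class ScanDefense:
    def __init__(self, max_rate: int = 10, window: float = 1.0):
        self.max_rate = max_rate      # distinct targets per window before blacklisting
        self.window = window
        self.whitelist: Set[Tuple[str, str]] = set()   # (vpn, ip): manual entries only
        self.static_blacklist: Set[str] = set()        # manually added source IPs
        self.dynamic_blacklist: Dict[str, str] = {}    # source IP -> detected attack
        self.blacklist_log: List[str] = []             # what the blacklist log would carry
        self._seen: Dict[str, List[Tuple[float, str, int]]] = defaultdict(list)

    def add_whitelist(self, vpn: str, ip: str) -> None:
        self.whitelist.add((vpn, ip))

    def add_blacklist(self, ip: str) -> None:
        self.static_blacklist.add(ip)

    def handle(self, pkt: Packet) -> str:
        """Return 'drop' or 'forward'; blacklist the source when a scan is detected."""
        if pkt.src in self.static_blacklist or pkt.src in self.dynamic_blacklist:
            return "drop"                       # every packet from a listed source is filtered
        events = [e for e in self._seen[pkt.src] if pkt.t - e[0] <= self.window]
        events.append((pkt.t, pkt.dst, pkt.dport))
        self._seen[pkt.src] = events            # keep only the current window
        hosts = {dst for _, dst, _ in events}
        ports = {port for _, _, port in events}
        attack = None
        if len(hosts) > self.max_rate:
            attack = "ip-address-scan"
        elif len(ports) > self.max_rate:
            attack = "port-scan"
        if attack is None:
            return "forward"
        if (pkt.vpn, pkt.src) in self.whitelist:
            return "forward"                    # whitelisted sources are never blacklisted
        self.dynamic_blacklist[pkt.src] = attack
        self.blacklist_log.append(f"t={pkt.t:.2f} {attack} from {pkt.src}: added to blacklist")
        return "drop"


# Constructed traffic: a scanner sweeping 12 hosts in half a second, a
# whitelisted monitoring host doing the same sweep, an ordinary client, and
# the scanner returning later.
SAMPLE_TRAFFIC: List[Packet] = (
    [Packet(0.1 + i * 0.04, "public", "10.0.0.9", f"192.168.1.{i + 1}", 80) for i in range(12)]
    + [Packet(0.1 + i * 0.04, "public", "10.0.0.5", f"192.168.1.{i + 1}", 80) for i in range(12)]
    + [Packet(2.0 + i, "public", "10.0.0.7", "192.168.1.1", p) for i, p in enumerate((80, 443, 22))]
    + [Packet(5.0, "public", "10.0.0.9", "192.168.1.50", 443)]
)


def run_sample() -> Tuple[ScanDefense, List[str]]:
    fw = ScanDefense(max_rate=10)
    fw.add_whitelist("public", "10.0.0.5")     # the monitoring host
    verdicts = [fw.handle(p) for p in SAMPLE_TRAFFIC]
    return fw, verdicts


if __name__ == "__main__":
    fw, verdicts = run_sample()
    print(verdicts.count("drop"), "dropped;", fw.dynamic_blacklist, fw.blacklist_log)
```

On the sample the scanner is listed at its eleventh connection and its later return is dropped without being counted again, while the monitoring host triggers the same detection but stays off the list; this is exactly why the whitelist is worth a manual entry for hosts whose legitimate behaviour looks like a sweep.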
Port Mapping
Application-layer protocols use well-known ports for communication. Port mapping defines new port numbers for different application-layer protocols, which protects the server against service-specific attacks. Port mapping applies to service-sensitive features such as ASPF and Network Address Translation (NAT). For example, the FTP server 10.10.10.10 on an enterprise intranet provides the FTP service through port 2121. When accessing the FTP server through a NAT server, users must use port 2121. By default, the NAT server identifies FTP packets only by port 21, so it cannot identify the FTP packets that use port 2121. In this case, you need to map port 2121 to the FTP protocol. After port mapping, the NAT server can identify the FTP packets that use port 2121 and send the FTP packets to the FTP server. This enables users to access the FTP server.
Virtual Firewall
Recently, more small-scale private networks have been established. Most of these private networks belong to small-scale enterprises. Such enterprises have the following requirements:
- High security
- Not enough budget to afford a dedicated security device
Logically, the AR200-S can be divided into multiple virtual firewalls to serve multiple small-scale private networks. By using the virtual firewall function, an ISP can lease network security services to the enterprises. A virtual firewall integrates a VPN instance and a security instance. The virtual firewall provides a private routing plane and security service for the virtual firewall users. The VPN instance and the security instance provide the following functions:
- VPN instance: provides independent VPN routes for the users under each virtual firewall. These VPN routes are used to forward the packets received by each virtual firewall.
- Security instance: provides independent security services for the users under each virtual firewall. The security instance contains private interfaces, zones, interzones, ACL rules, and NAT rules. In addition, it provides security services such as address binding, blacklist, address translation, packet filtering, traffic statistics and monitoring, attack defense, ASPF, and NAT for the users under the virtual firewalls.
Firewall Log
The firewall records the behaviors and status of the firewall in real time. For example, the attack defense measures and the detection of malicious attacks are recorded in the firewall log. The firewall logs are categorized into the following types:
- Session log: sent to the log server in real time.
- Blacklist log: sent to the information center in real time.
- Attack log and statistics log: sent to the information center periodically.
These logs help you find out security risks, detect attempts to violate security policies, and learn the type of a network attack. The real-time log is also used to detect an intrusion that is underway.
Figure: networking diagram (Router; Ethernet; internal network; Internet; TCP connection; Web server 129.9.0.1)
Attack Defense
With the attack defense feature, the AR200-S can detect and protect against various network attacks. Network attacks are classified into three types: DoS attacks, scanning and snooping attacks, and malformed packet attacks.
- DoS attack
A denial of service (DoS) attack floods a system with a large number of data packets. This prevents the system from receiving requests from authorized users or suspends the host. DoS attacks include SYN Flood attack and Fraggle attack. DoS attacks are different from other attacks because DoS attackers do not search for the ingress of a network but prevent authorized users from accessing resources or routers.
- Scanning and snooping attack
Scanning and snooping attacks identify the existing systems on the network through ping scanning (including ICMP and TCP scanning), and then discover potential targets. Through TCP scanning, the attackers can learn the operating system and the monitored services. By scanning and snooping, an attacker can generally know the service type and security vulnerability of the system and plan further intrusion to the system.
- Malformed packet attack
Malformed packet attacks send malformed IP packets to the system. Under such an attack, the system crashes when processing the malformed IP packets. Malformed packet attacks include Ping of Death and Teardrop.
Land Attack
A Land attack sets the source and destination addresses of a TCP SYN packet to the IP address of the attacked target. The target then sends the SYN-ACK message to its own IP address, and an ACK message is sent back to the target. This forms a null session. Every null session exists until it times out. The responses to the Land attack vary according to the targets. For instance, many UNIX hosts crash while Windows NT hosts slow down.
Smurf Attack
A simple Smurf attack is used to attack a network. The attacker sends an ICMP request to the broadcast address of the network. All the hosts on the network then respond to the request and the network is congested. The traffic caused by a Smurf attack is one or two orders of magnitude higher than the traffic caused by ping of large packets. An advanced Smurf attack targets hosts. The attacker changes the source address of an ICMP request to the IP address of the target host. The host becomes overwhelmed with ICMP replies, then crashes. This attack is more effective when a large volume of ICMP request packets is generated and when there are a large number of hosts on the network.
WinNuke Attack
A WinNuke attack sends an out-of-band (OOB) data packet to the NetBIOS port (139) of the target host running the Windows operating system. The NetBIOS fragment then overlaps and the host crashes. An Internet Group Management Protocol (IGMP) fragment packet can also damage the target host because the IGMP packet is not fragmented. An attack occurs when a host receives an IGMP packet.
Teardrop Attack
The More Fragment (MF) bit, offset field, and length field in an IP packet indicate the segment of the original packet contained in this fragment. Some systems running TCP/IP may stop running when receiving a forged fragment containing an overlap offset. The Teardrop attack uses the flaw of some systems that do not check the validity of fragment information.
Fraggle Attack
After receiving UDP packets, port 7 (ECHO) and port 19 (Chargen) can return responses. Port 7 responds to the received packets with ICMP Echo Reply, whereas port 19 responds with a generated character string. Similar to the ICMP packet attack, the two UDP ports generate many invalid response packets, which occupy the network bandwidth. The attacker can send a UDP packet to the destination network. The source address of the UDP packet is the IP address of the host to be attacked, and its destination address is the broadcast address or network address of the host's subnet. The destination port number of the packet is 7 or 19. Then, all the systems enabled with this function return packets to the target host. In this case, the high traffic volume blocks the network or the host stops responding. In addition, the systems without this function generate ICMP-unreachable packets, which also consume bandwidth. If the source port is changed to Chargen and the destination port is changed to ECHO, the systems generate response packets continuously and cause serious damage.
IP-Fragment Attack
In an IP packet, some fields are relevant to flag bits and fragments, including Fragment Offset, Length, Don't Fragment (DF), and MF. If these fields conflict and are not processed correctly, the equipment may stop running. The fields conflict in the following cases:
l The DF bit is set and, at the same time, the MF bit is set or the fragment offset is not 0.
l The value of DF is 0, but the sum of Fragment Offset and Length is larger than 65535.
In addition, the device must directly discard the fragment packet with the destination as itself. This is because more fragments result in heavy load due to packet caching and assembling.
Tracert Attack
A Tracert attack discovers the packet transmission path through the ICMP timeout packets that are returned when the Time To Live (TTL) value reaches 0, or through the returned ICMP port-unreachable packets.
Applicable Environment
Before configuring a firewall, you need to configure zones. Then you can configure the firewall based on zones or interzones.
Pre-configuration Tasks
Before configuring a zone, complete the following task:
l Configuring the interfaces that you want to add to the zone
Data Preparation
To configure the zone, you need the following data.
No. Data
1
2 Priority of the zone
3 Interfaces that you want to add to the zone
Procedure
Step 1 Run:
system-view
A zone is created. The AR200-S can be configured with up to 255 zones, and no default zone is provided.
Step 3 Run:
priority security-priority
The priority of the zone is set. You must configure a priority for a zone before making other configurations. The priority cannot be changed. The priorities of the zones cannot be the same. A greater value indicates a higher priority.
----End
Prerequisites
The zone has been created through the firewall zone command.
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
An interzone is created. The zones specified for an interzone must have been created on the device.
----End
Procedure
Step 1 Run:
system-view
The interzone view is displayed. The zones zone-name1 and zone-name2 have been created through the firewall zone command.
Step 3 Run:
firewall enable
The firewall is enabled. By default, the firewall function is disabled in an interzone.
----End
Procedure
l Run the display firewall zone [ zone-name ] [ interface | priority ] command to view information about the zones.
l Run the display firewall interzone [ zone-name1 zone-name2 ] command to view information about the interzone.
----End
Applicable Environment
When data is transmitted between two zones, the ACL-based packet filtering firewall enforces the packet filtering policies according to the ACL rules. The ACLs used for packet filtering include basic ACLs and advanced ACLs.
Pre-configuration Tasks
Before configuring ACL-based packet filtering, complete the following tasks:
l Configuring zones and adding interfaces to the zones
l Configuring the interzone and enabling the firewall function in the interzone
l Creating the basic ACL and advanced ACL and configuring ACL rules
Data Preparation
To configure ACL-based packet filtering, you need the following data.
No. Data
1 Zone names
2 ACL number
3 Packet direction to which the ACL is applied
Procedure
Step 1 Run:
system-view
The ACL-based packet filtering is configured. You can configure ACL-based packet filtering in the interzone for incoming or outgoing packets.
Step 7 (Optional) Run:
packet-filter default { deny | permit } { inbound | outbound }
The default processing mode for unmatched packets is configured. In the default settings of the system, the outbound unmatched packets are allowed, and the inbound unmatched packets are denied. If an ACL is applied to the inbound or outbound packets of an interzone, the packets are filtered according to the ACL rules. If packets do not match the ACL, the default processing mode is used.
NOTE
During the modification of interzone filtering rules, some sessions may not be filtered properly according to the rules. Therefore, after the modification is complete, use the reset firewall session all command to delete all existing firewall session entries.
----End
Procedure
l Run the display firewall interzone [ zone-name1 zone-name2 ] command to view information about packet filtering.
l Run the display acl acl-number command to view the ACL configuration.
----End
Applicable Environment
The blacklist can filter out packets sent from a specified IP address to a zone. An IP address can be added to the blacklist manually or automatically. When the attack defense module of the firewall detects an attack through the packet behavior, the firewall adds the source IP address of the packet to the blacklist. All the packets from this IP address are then filtered out.
Pre-configuration Tasks
Before configuring the blacklist, complete the following tasks:
l Configuring zones and adding interfaces to the zones
l Configuring the interzone and enabling the firewall function in the interzone
l Enabling IP address scanning attack defense or port scanning attack defense if a dynamic blacklist is used
Data Preparation
To configure the blacklist, you need the following data.
No. Data
1 IP address that you want to add to the blacklist
2 (Optional) Aging time of blacklist entries
Procedure
Step 1 Run:
system-view
The blacklist function is enabled. By default, the blacklist function is disabled.
----End
Procedure
Step 1 Run:
system-view
An entry is added to the blacklist. When adding an entry to the blacklist, you can set the IP address, aging time, and VPN instance. The aging time refers to the period in which the IP address is effective after it is added to the blacklist. When the IP address expires, it is released from the blacklist. If the aging time is not specified, the IP address is always valid in the blacklist. An IP address can be added to the blacklist regardless of whether the blacklist is enabled or not. That is, even though the blacklist is not enabled, you can add entries, but the entries do not take effect until the blacklist is enabled. You can add up to 32 entries to a blacklist.
The blacklist entries without the aging time are added to the configuration file. The entries configured with the aging time are not added to the configuration file, but you can view them by using the display firewall blacklist command.
----End
Follow-up Procedure
Run the firewall black-white-list save command to save the blacklist and whitelist to the specified configuration file.
Prerequisites
The configuration file for storing the blacklist and whitelist is available.
Context
The configuration file must be in txt format, and the contents are as follows:
[FirewallBlacklist]    # A blacklist entry
IPAddress =            # An IP address in the blacklist, in dotted decimal notation
VPNName =              # (Optional) VPN instance of the blacklist
[FirewallWhitelist]    # A whitelist entry
IPAddress =            # An IP address in the whitelist, in dotted decimal notation
VPNName =              # (Optional) VPN instance of the whitelist, in dotted decimal notation
A configuration file can contain multiple entries, but each entry must be edited separately. Blank lines are allowed between lines.
[FirewallBlacklist]
IPAddress = 210.10.10.1
VPNName = vpna

[FirewallBlacklist]
IPAddress = 220.10.10.2
VPNName =

[FirewallWhitelist]
IPAddress = 10.10.10.1
VPNName = vpnb

[FirewallWhitelist]
IPAddress =20.20.20.1
VPNName =
NOTE
Procedure
Step 1 Run:
system-view
Step 2 Run:
firewall black-white-list load configuration-file configuration-file-name
The blacklist and whitelist configuration file is loaded. The configured blacklist takes effect only after you run the firewall blacklist enable command to enable the blacklist. The entries in the whitelist take effect directly and you do not need to enable the whitelist function. A blacklist supports up to 32 entries, and a whitelist supports up to 32 entries.
----End
Follow-up Procedure
Run the firewall black-white-list save command to save the blacklist and whitelist to the specified configuration file to load next time.
Procedure
l Run the display firewall blacklist command to view information about the blacklist.
----End
Example
Run the display firewall blacklist command to view information about the blacklist.
<Huawei> display firewall blacklist all
Firewall blacklist items :
-----------------------------------------------------------------------
IP-Address          Reason     Expire-Time(m)    VPN-Instance
-----------------------------------------------------------------------
10.1.1.1            Manual     100
-----------------------------------------------------------------------
Total number is : 1
Applicable Environment
Whitelists are applicable to networks where some devices send valid service packets that resemble IP address scanning attack or port scanning attack. Whitelists prevent these devices from being added to the blacklist. If you add the VPN and IP address of a host to the whitelist, the firewall does not check the packets sent by the host that look like IP address scanning or port scanning attack, or add the IP address to the blacklist.
Pre-configuration Tasks
Before configuring the whitelist, complete the following tasks:
l Configuring zones and adding interfaces to the zones
l Configuring the interzone and enabling the firewall function in the interzone
Data Preparation
To configure the whitelist, you need the following data.
No. Data
1 IP address that you want to add to the whitelist
2 (Optional) Aging time of whitelist entries
Procedure
Step 1 Run:
system-view
An entry is added to the whitelist. By running this command, you can add an entry to the whitelist manually. You can specify the IP address, VPN instance, and aging time when adding the entry. The aging time refers to the period in which the IP address is effective after it is added to the whitelist. When the IP address expires, it is released from the whitelist. If the aging time is not specified, the IP address is always valid in the whitelist. You can create up to 32 entries in the whitelist.
----End
Follow-up Procedure
Run the firewall black-white-list save command to save the blacklist and whitelist to the specified configuration file to load next time.
Prerequisites
The configuration file for storing the blacklist and whitelist is available.
Context
The configuration file must be in txt format, and the contents are as follows:
[FirewallBlacklist]    # A blacklist entry
IPAddress =            # An IP address in the blacklist, in dotted decimal notation
VPNName =              # (Optional) VPN instance of the blacklist
[FirewallWhitelist]    # A whitelist entry
IPAddress =            # An IP address in the whitelist, in dotted decimal notation
VPNName =              # (Optional) VPN instance of the whitelist, in dotted decimal notation
A configuration file can contain multiple entries, but each entry must be edited separately. Blank lines are allowed between lines.
[FirewallBlacklist]
IPAddress = 210.10.10.1
VPNName = vpna

[FirewallBlacklist]
IPAddress = 220.10.10.2
VPNName =

[FirewallWhitelist]
IPAddress = 10.10.10.1
VPNName = vpnb

[FirewallWhitelist]
IPAddress =20.20.20.1
VPNName =
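As an added example (not Huawei's code and not part of this manual), the following Python parser validates a blacklist and whitelist configuration file in the format shown above and in the blacklist section before it is loaded with firewall black-white-list load: it checks the section headers and keys, that every IPAddress is a dotted-decimal IPv4 address, and that neither list exceeds 32 entries. It assumes that text after '#' is a comment, as in the template.

```python
"""Parser/validator for the AR200-S blacklist and whitelist configuration file.

Added example, not Huawei's code. Format as the manual shows it: a
[FirewallBlacklist] or [FirewallWhitelist] header opens an entry, 'IPAddress ='
and an optional 'VPNName =' line follow, blank lines may appear anywhere, each
list holds at most 32 entries. Assumptions: '#' starts a comment; IPv4 only.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_ENTRIES = 32  # per-list limit stated in the manual
SECTIONS = {"[FirewallBlacklist]": "blacklist", "[FirewallWhitelist]": "whitelist"}


@dataclass
class Entry:
    ip: str
    vpn: Optional[str] = None  # None: empty VPNName, i.e. no VPN instance


@dataclass
class ParseResult:
    lists: Dict[str, List[Entry]] = field(
        default_factory=lambda: {"blacklist": [], "whitelist": []})
    errors: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def parse_black_white_list(text: str) -> ParseResult:
    """Parse the whole file, collecting every problem instead of stopping at the first."""
    result = ParseResult()
    current: Optional[str] = None  # list that the open entry belongs to
    entry: Optional[dict] = None   # fields of the open entry

    def close_entry() -> None:
        nonlocal entry
        if entry is not None and "ip" not in entry:
            result.errors.append(f"line {entry['line']}: entry has no IPAddress")
        elif entry is not None:
            result.lists[current].append(Entry(entry["ip"], entry.get("vpn")))
        entry = None

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue  # blank lines are allowed between lines
        if line in SECTIONS:
            close_entry()  # every header starts a new entry
            current, entry = SECTIONS[line], {"line": lineno}
            continue
        if entry is None:
            result.errors.append(f"line {lineno}: data before any section header")
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            result.errors.append(f"line {lineno}: expected 'key = value'")
        elif key == "IPAddress":
            try:
                entry["ip"] = str(ipaddress.IPv4Address(value))  # dotted decimal only
            except ValueError:
                result.errors.append(f"line {lineno}: bad IPv4 address {value!r}")
        elif key == "VPNName":
            entry["vpn"] = value or None  # 'VPNName =' with nothing after it is allowed
        else:
            result.errors.append(f"line {lineno}: unknown key {key!r}")
    close_entry()
    for name, entries in result.lists.items():
        if len(entries) > MAX_ENTRIES:
            result.errors.append(f"{name} has {len(entries)} entries, limit is {MAX_ENTRIES}")
    return result


# Constructed sample: the manual's example file, reproduced as test input.
SAMPLE_FILE = """[FirewallBlacklist]
IPAddress = 210.10.10.1
VPNName = vpna

[FirewallBlacklist]
IPAddress = 220.10.10.2
VPNName =

[FirewallWhitelist]
IPAddress = 10.10.10.1
VPNName = vpnb

[FirewallWhitelist]
IPAddress =20.20.20.1
VPNName =
"""
# Constructed: the same file plus an entry the device could not load.
BAD_FILE = SAMPLE_FILE + "[FirewallWhitelist]\nIPAddress = 300.1.1.1\n"

if __name__ == "__main__":
    res = parse_black_white_list(SAMPLE_FILE)
    print({n: [(e.ip, e.vpn) for e in es] for n, es in res.lists.items()})
    print("errors in bad file:", parse_black_white_list(BAD_FILE).errors)
```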
NOTE
Procedure
Step 1 Run:
system-view
The blacklist and whitelist configuration file is loaded. The configured blacklist takes effect only after you run the firewall blacklist enable command to enable the blacklist.
The entries in the whitelist take effect directly and you do not need to enable the whitelist function. A blacklist supports up to 32 entries, and a whitelist supports up to 32 entries.
----End
Follow-up Procedure
Run the firewall black-white-list save command to save the blacklist and whitelist to the specified configuration file to load next time.
Procedure
l Run the display firewall whitelist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name } command to view information about the whitelist.
----End
Example
Run the display firewall whitelist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name } command to view information about the whitelist.
<Huawei> display firewall whitelist all
Firewall whitelist items :
-----------------------------------------------------------------------
IP-Address          Expire-Time(m)    Vpn-Instance
-----------------------------------------------------------------------
1.1.1.1             3                 vpn1
1.1.1.2             Permanent         vpn2
1.1.1.3             6
-----------------------------------------------------------------------
Total number is : 3
Applicable Environment
When data is transmitted between two zones, ASPF checks the packets at the application layer and discards the unmatched packets.
Pre-configuration Tasks
Before configuring ASPF, complete the following tasks:
l Configuring zones and adding interfaces to the zones
l Configuring the interzone and enabling the firewall function in the interzone
Data Preparation
To configure ASPF, you need the following data.
No. Data
1 Names of the two zones
2 Type of the application protocol
3 (Optional) Aging time of the session table for each application layer protocol
Procedure
Step 1 Run:
system-view
ASPF is configured. Generally, the application-layer protocol packets are exchanged between the two parties in communication, so the direction does not need to be configured. The AR200-S automatically checks the packets in both directions. By default, ASPF is not configured in the interzone.
----End
Procedure
l Run the display firewall interzone [ zone-name1 zone-name2 ] command to view ASPF information of the interzone.
----End
Example
Run the display firewall interzone [ zone-name1 zone-name2 ] command to view the ASPF information of the interzone.
<Huawei> display firewall interzone
interzone zone2 zone1
 firewall enable
 packet-filter default permit outbound
 packet-filter default permit inbound
 session-log 2006 inbound
 detect aspf ftp
 detect aspf sip
 detect aspf rtsp
 detect aspf http
 detect aspf http java-blocking
 detect aspf http activex-blocking
total number is : 1
Applicable Environment
Through port mapping, the firewall can identify packets of the application-layer protocols that use the non-well-known ports. The port mapping function can be applied to features sensitive to application-layer protocols, such as ASPF. Port mapping is applicable to the application-layer protocols such as FTP, DNS, HTTP, SIP, and RTSP. Port mapping is implemented based on the ACL. Only the packets matching an ACL rule are mapped. Port mapping employs the basic ACL (2000 to 2999). In the ACL-based packet filtering, the AR200-S matches the destination IP address of the packet with the IP address configured in the basic ACL rule.
NOTE
Port mapping is applied only to the data within the interzone; therefore, when configuring port mapping, you must configure the zones and interzone.
Pre-configuration Tasks
Before configuring port mapping, complete the following tasks:
l Configuring zones and adding interfaces to the zones
l Configuring the interzone and enabling the firewall function in the interzone
l Creating the basic ACL and configuring ACL rules
Data Preparation
To configure port mapping, you need the following data.
No. Data
1 Type of application-layer protocol
2 User-defined port to be mapped
3 Number of the basic ACL
Procedure
Step 1 Run:
system-view
Port mapping is configured. You can map multiple ports to a protocol, or map a port to multiple protocols. The mappings, however, must be distinguished by the ACL. That is, packets matching different ACL rules use different mapping entries.
NOTE
Port mapping identifies the protocol type of the packets destined for an IP address (such as the IP address of a WWW server); therefore, when configuring the basic ACL rules, you need to match the destination IP addresses of the packets with the source IP addresses defined in ACL rules.
----End
Procedure
l Run the display port-mapping [ dns | ftp | http | rtsp | sip | port port-number ] command to view information about port mapping.
----End
Example
Run the display port-mapping [ dns | ftp | http | rtsp | sip | port port-number ] command to view information about port mapping.
<Huawei> display port-mapping dns
------------------------------------------------
Service      Port      Acl      Type
------------------------------------------------
dns          53                 system defined
------------------------------------------------
Total number is : 1
Applicable Environment
The AR200-S creates a session table for data flows of each protocol, such as TCP, UDP, and ICMP, to record the connection status of the protocol. The aging time is set for the session table of the firewall. If a record in the session table does not match any packet within the aging time, the system deletes the record. To change the aging time of protocol sessions, set the aging time of the firewall session table.
Data Preparation
To set the aging time of the firewall session table, you need the following data.
No. Data
1 Aging time of the session table of each application-layer protocol
Procedure
Step 1 Run:
system-view
Step 2 Run:
firewall-nat session { dns | ftp | ftp-data | http | icmp | tcp | tcp-proxy | udp | sip | sip-media | rtsp | rtsp-media } aging-time time-value
The aging time of the firewall session table is set. By default, the aging time of each protocol is as follows:
l DNS: 120 seconds
l FTP: 120 seconds
l FTP-data: 120 seconds
l HTTP: 120 seconds
l ICMP: 20 seconds
l TCP: 600 seconds
l TCP-proxy: 10 seconds
l UDP: 40 seconds
l SIP: 1800 seconds
l SIP-media: 120 seconds
l RTSP: 60 seconds
l RTSP-media: 120 seconds
NOTE
In general, you do not need to change the aging time of a session table.
----End
Procedure
l Run the display firewall-nat session aging-time command to view the aging time of the firewall session table.
----End
Example
Run the display firewall-nat session aging-time command to view the aging time of the firewall session table.
<Huawei> display firewall-nat session aging-time
---------------------------------------------
tcp protocol timeout        : 60 (s)
tcp-proxy timeout           : 60 (s)
udp protocol timeout        : 40 (s)
icmp protocol timeout       : 20 (s)
dns protocol timeout        : 120 (s)
http protocol timeout       : 120 (s)
ftp protocol timeout        : 120 (s)
ftp-data protocol timeout   : 120 (s)
rtsp protocol timeout       : 60 (s)
rtsp-media protocol timeout : 120 (s)
sip protocol timeout        : 1800 (s)
Applicable Environment
On the AR200-S, you can enable the attack defense function for the protected area. The protected area may be zones or IP addresses.
Pre-configuration Tasks
Before configuring the attack defense function, complete the following tasks:
l Configuring zones and adding interfaces to the zones
l Configuring the interzone and enabling the firewall function in the interzone
Data Preparation
To configure the attack defense function, you need the following data.
No. Data
1 Attack type, a specified type or all types
3 Status of the TCP proxy that prevents SYN Flood attacks, including always enabled, always disabled, or auto enabled (automatically enabled when the session rate exceeds the threshold)
4 Timeout of blacklist and maximum session rate to prevent scanning attacks (IP address sweeping and port scanning)
5 Maximum packet length to prevent a large ICMP packet attack
Procedure
Step 1 Run:
system-view
The ICMP Flood attack defense is enabled. After the parameters for ICMP Flood attack defense are set, you must enable the ICMP Flood attack defense function; otherwise, the AR200-S does not detect the attack packets or take attack defense measures.
Step 5 Run:
firewall defend icmp-redirect enable
The IP address sweeping attack defense is enabled. After the parameters for IP address sweeping attack defense are set, you must enable the IP address sweeping attack defense function; otherwise, the AR200-S does not detect the attack packets or take attack defense measures.
Step 9 Run:
firewall defend land enable
After the maximum length of ICMP packets is set, you must enable the large ICMP packet attack defense function; otherwise, the AR200-S does not detect the attack packets or take attack defense measures.
Step 11 Run:
firewall defend ping-of-death enable
The port scanning attack defense is enabled. After the parameters for port scanning attack defense are set, you must enable the port scanning attack defense function; otherwise, the AR200-S does not detect the attack packets or take attack defense measures.
Step 13 Run:
firewall defend smurf enable
The SYN Flood attack defense is enabled. After the parameters for SYN Flood attack defense are set, you must enable the SYN Flood attack defense function; otherwise, the AR200-S does not detect the attack packets or take attack defense measures.
Step 15 Run:
firewall defend tcp-flag enable
The UDP Flood attack defense is enabled. After the parameters for UDP Flood attack defense are set, you must enable the UDP Flood attack defense function; otherwise, the AR200-S does not detect the attack packets or take attack defense measures.
Step 19 Run:
firewall defend winnuke enable
Procedure
Step 1 Run:
system-view
The parameters for ICMP Flood attack defense are set.
Step 3 Run:
firewall defend syn-flood { ip ip-address [ vpn-instance vpn-instance-name ] | zone zone-name } [ max-rate rate-value ] | [ tcp-proxy { auto | off | on } ]
The parameters for SYN Flood attack defense are set.
Step 4 Run:
firewall defend udp-flood { ip ip-address [ vpn-instance vpn-instance-name ] | zone zone-name } [ max-rate rate-value ]
The parameters for UDP Flood attack defense are set. To prevent Flood attacks, you need to specify the zones or IP addresses to be protected; otherwise, the attack defense parameters are invalid. You can also specify the maximum session rate. When the session rate exceeds the limit, the AR200-S considers that an attack occurs and takes measures. For Flood attack defense, the priority of IP addresses is higher than the priority of zones. If Flood attack defense is enabled for both a specified IP address and the zone where the IP address resides, then the attack defense for the IP address takes effect. If you cancel the attack defense for the IP address, the attack defense for the zone takes effect. By default, the maximum session rate for Flood attacks is 1000 pps, and the TCP proxy is enabled for the SYN Flood attack defense. For Flood attack defense, you can specify up to 32 IP addresses to protect.
----End
Procedure
Step 1 Run:
system-view
The parameter for large ICMP packet attack defense is set. For large ICMP packet attack defense, only one parameter needs to be set, namely, the maximum packet length. When the length of an ICMP packet exceeds the limit, the AR200-S considers that an attack occurs and discards the packet. By default, the maximum length of an ICMP packet is 4000 bytes.
----End
Procedure
Step 1 Run:
system-view
The parameters for IP address sweep attack defense are set.
Step 3 Run:
firewall defend port-scan { blacklist-expire-time interval | max-rate rate-value }
The parameters for port scanning attack defense are set. For scanning attack defense, the following two parameters need to be set:
l Maximum session rate: When the session rate of an IP address or a port exceeds the limit, the AR200-S considers that a scanning attack occurs, and then adds the IP address to the blacklist and denies new sessions from the IP address or port.
l Blacklist timeout: When the duration of an IP address in the blacklist exceeds the limit, the AR200-S deletes the IP address from the blacklist and allows new sessions from the IP address or port.
By default, the maximum session rate for IP address sweeping and port scanning attack defense is 4000 pps, and the blacklist timeout is 20 minutes.
----End
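The rate-based detection and blacklist ageing described in the Flood and scanning defense procedures above, modelled in Python as an added example (not Huawei's code): a source whose new-session rate exceeds max-rate is blacklisted for blacklist-expire-time minutes and its new sessions are denied until the entry expires, whitelisted hosts are never checked, and the Flood defense limit for a target is the IP-specific max-rate when one is configured, otherwise the zone's. The one-second measurement window and the traffic fed in are assumptions made for the example.

```python
"""Rate-based scanning-attack detection with a dynamic blacklist, as an added example.

This is not Huawei's code. It models the behaviour the manual describes for
IP address sweeping / port scanning defense (max-rate, blacklist-expire-time,
whitelist bypass) and the IP-over-zone precedence of Flood defense parameters,
over constructed session events. Assumption: the session rate is measured per
source address over a sliding one-second window.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

DEFAULT_SCAN_MAX_RATE = 4000       # sessions per second (manual default)
DEFAULT_BLACKLIST_EXPIRE_MIN = 20  # minutes (manual default)


@dataclass
class NewSession:
    t: float    # seconds since start of capture
    src: str    # source IP address
    dst: str    # destination IP address
    dport: int  # destination port


@dataclass
class ScanDefense:
    max_rate: int = DEFAULT_SCAN_MAX_RATE
    blacklist_expire_min: int = DEFAULT_BLACKLIST_EXPIRE_MIN
    whitelist: Set[str] = field(default_factory=set)
    blacklist: Dict[str, float] = field(default_factory=dict)  # src -> expiry time (s)
    window: Dict[str, List[float]] = field(default_factory=lambda: defaultdict(list))
    log: List[str] = field(default_factory=list)

    def _release_expired(self, now: float) -> None:
        """Blacklist timeout: drop entries whose duration has exceeded the limit."""
        for src, until in list(self.blacklist.items()):
            if now >= until:
                del self.blacklist[src]
                self.log.append(f"{now:.1f}s {src} released from blacklist")

    def handle(self, s: NewSession) -> str:
        """Return 'permit' or 'deny' for one new session and update the state."""
        self._release_expired(s.t)
        if s.src in self.whitelist:
            return "permit"       # whitelisted hosts are neither checked nor blacklisted
        if s.src in self.blacklist:
            return "deny"         # no new sessions while the source is blacklisted
        times = self.window[s.src]
        times.append(s.t)
        while times and times[0] <= s.t - 1.0:   # keep only the last second
            times.pop(0)
        if len(times) > self.max_rate:           # rate limit exceeded: scanning attack
            self.blacklist[s.src] = s.t + self.blacklist_expire_min * 60
            self.log.append(f"{s.t:.2f}s {s.src} exceeded {self.max_rate} sessions/s; blacklisted")
            times.clear()
            return "deny"
        return "permit"


@dataclass
class FloodConfig:
    """Flood defense targets: per-zone and per-IP max-rate values (sessions/s)."""
    zone_rate: Dict[str, int] = field(default_factory=dict)
    ip_rate: Dict[str, int] = field(default_factory=dict)

    def effective_rate(self, dst_ip: str, zone: str) -> Optional[int]:
        """IP-level defense overrides the zone's; None means the target is unprotected."""
        if dst_ip in self.ip_rate:
            return self.ip_rate[dst_ip]
        return self.zone_rate.get(zone)


def simulate(defense: ScanDefense, events: List[NewSession]) -> Dict[str, Dict[str, int]]:
    """Feed events in time order and count verdicts per source address."""
    verdicts: Dict[str, Dict[str, int]] = defaultdict(lambda: {"permit": 0, "deny": 0})
    for ev in sorted(events, key=lambda e: e.t):
        verdicts[ev.src][defense.handle(ev)] += 1
    return dict(verdicts)


def demo() -> Dict[str, object]:
    """Constructed traffic: a scanner, a whitelisted monitoring host and a normal client."""
    defense = ScanDefense(max_rate=20, whitelist={"10.1.1.50"})  # low max-rate for the demo
    events: List[NewSession] = []
    for i in range(30):  # 30 sessions to 30 ports within 0.3 s, from two sources
        events.append(NewSession(i * 0.01, "203.0.113.9", "10.1.1.1", 1 + i))  # scanner
        events.append(NewSession(i * 0.01, "10.1.1.50", "10.1.1.1", 1 + i))    # whitelisted
    events.append(NewSession(5.0, "10.1.1.20", "10.1.1.1", 80))       # ordinary client
    events.append(NewSession(1300.0, "203.0.113.9", "10.1.1.1", 22))  # scanner after 20 min
    return {"verdicts": simulate(defense, events), "log": defense.log}


if __name__ == "__main__":
    out = demo()
    print(out["verdicts"])
    print("\n".join(out["log"]))
```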
Procedure
l Run the display firewall defend { flag | { icmp-flood | syn-flood | udp-flood } [ ip [ ipaddress [ vpn-instance vpn-instance-name ] ] | zone [ zone-name ] ] | other-attack-type } command to view information about attack defense.
----End
Example
Run the display firewall defend { flag | { icmp-flood | syn-flood | udp-flood } [ ip [ ipaddress [ vpn-instance vpn-instance-name ] ] | zone [ zone-name ] ] | other-attack-type } command to view information about attack defense.
# View the status of each attack defense function.
<Huawei> display firewall defend flag
--------------------------------
Type               Flag
--------------------------------
land             : disable
smurf            : disable
fraggle          : disable
winnuke          : disable
syn-flood        : disable
udp-flood        : disable
icmp-flood       : disable
icmp-redirect    : disable
icmp-unreachable : disable
ip-sweep         : disable
port-scan        : disable
tracert          : disable
ping-of-death    : disable
teardrop         : disable
tcp-flag         : disable
ip-fragment      : disable
large-icmp       : disable
--------------------------------
Applicable Environment
System-level traffic statistics and monitoring take effect on all the data flows in interzones that are enabled with the firewall feature. That is, the AR200-S collects statistics on packets of ICMP, TCP, TCP proxy, and UDP sessions in the interzones. When the number of sessions exceeds the threshold, the AR200-S restricts the sessions until the number of sessions is less than the threshold.
The zone-based traffic statistics and monitoring take effect on the data flows between zones. That is, the AR200-S counts the total number of TCP and UDP sessions between the local zone and other zones. When the number of sessions exceeds the threshold, the AR200-S restricts the sessions until the number of sessions is less than the threshold. The zone-based traffic statistics and monitoring can be configured in the inbound or outbound direction. The inbound direction means that the AR200-S counts and monitors the sessions initiated by the local zone. The outbound direction means that the AR200-S counts and monitors the sessions destined for this zone.
The IP address-based traffic statistics and monitoring count and monitor the TCP and UDP sessions set up by an IP address in the zone. When the number of sessions set up by an IP address exceeds the threshold, the AR200-S restricts the sessions until the number of sessions is less than the threshold. The IP address-based traffic statistics and monitoring can be configured in the inbound or outbound direction. The inbound direction means that the AR200-S counts and monitors the sessions initiated by the IP address in the local zone. The outbound direction means that the AR200-S counts and monitors the sessions destined for this IP address.
Pre-configuration Tasks
Before configuring traffic statistics and monitoring, complete the following tasks:
- Configuring zones and adding interfaces to the zones
- Configuring the interzone and enabling the firewall function in the interzone
Data Preparation
To configure traffic statistics and monitoring, you need the following data.

No.  Data
1    Type of sessions to be monitored, including TCP and UDP
2    Session threshold
3    Direction of traffic statistics and monitoring
Procedure
- Enabling system-level traffic statistics and monitoring
  1. Run:
     system-view
  The system-level traffic statistics and monitoring is enabled. By default, the system-level traffic statistics and monitoring is disabled.
- Enabling zone-level traffic statistics and monitoring
  1. Run:
     system-view
  The zone-level traffic statistics and monitoring is enabled. By default, the zone-level traffic statistics and monitoring is disabled.
- Enabling IP address-level traffic statistics and monitoring
  1. Run:
     system-view
  The IP address-level traffic statistics and monitoring is enabled. By default, the IP address-level traffic statistics and monitoring is disabled.
----End
Procedure
- Setting the session thresholds for system-level traffic statistics and monitoring
  1. Run:
     system-view
  The system-level traffic statistics and monitoring are enabled. By default, the system-level traffic statistics and monitoring is disabled.
  3. Run:
     firewall statistics system connect-number { frag | icmp | tcp | tcp-proxy | udp } high high-threshold low low-threshold
  The session thresholds for the system-level traffic statistics and monitoring are set. For the system-level traffic statistics, you can set the threshold for each type of session. For example, you can set the upper threshold for TCP sessions to 15000 and the lower threshold to 12000. When the number of TCP sessions in all interzones exceeds 15000, the AR200-S denies all new TCP sessions in the interzones and reports an alarm to the information center. When the number of sessions falls below the lower threshold of 12000, the AR200-S generates a recovery log and sends it to the information center. By default, the upper threshold and lower threshold for each type of protocol packets are 16384 and 12288 respectively.
- Setting the session thresholds for zone-level traffic statistics and monitoring
  1. Run:
     system-view
  The zone-level traffic statistics and monitoring are enabled. By default, the zone-level traffic statistics and monitoring is disabled.
  4. Run:
     statistics connect-number zone { inzone | outzone } { icmp | tcp | udp } high high-threshold low low-threshold
  The session thresholds for the zone-level traffic statistics and monitoring are set. You can set the thresholds for TCP and UDP sessions in the inbound and outbound directions. For example, you can set the upper threshold of inbound TCP sessions to 15000. When the number of TCP sessions initiated by this zone exceeds 15000, the AR200-S denies new TCP sessions from this zone. By default, the upper threshold and lower threshold for each type of protocol packets are 16384 and 12288 respectively.
- Setting the session thresholds for IP address-level traffic statistics and monitoring
  1. Run:
     system-view
  The IP address-level traffic statistics and monitoring are enabled. By default, the IP address-level traffic statistics and monitoring is disabled.
  4. Run:
     statistics connect-number ip { inzone | outzone } { icmp | tcp | udp } high high-threshold low low-threshold
  The session thresholds for the IP address-level traffic statistics and monitoring are set. You can set the thresholds for TCP and UDP sessions in the inbound and outbound directions. For example, you can set the upper threshold for inbound TCP sessions to 10000. When the number of TCP sessions initiated from an IP address in the local zone exceeds 10000, the AR200-S denies new TCP sessions from this IP address. By default, the upper threshold and lower threshold for each type of protocol packets are 16384 and 12288 respectively.
----End
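The upper/lower threshold pair described above (deny new sessions and alarm when the count exceeds the upper threshold, recover only once it drops below the lower one) is a hysteresis band. The following is an added example, not AR200-S code, that models that behaviour with the 15000/12000 TCP values used in the text; the session-count series and log wording are constructed.

```python
"""Session-threshold monitor with high/low hysteresis.

Added example (not AR200-S code): models the firewall statistics
behaviour described above. Session counts and log wording are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class ThresholdMonitor:
    """Tracks one protocol's session count against an upper and a lower threshold."""
    proto: str
    high: int = 16384            # default upper threshold given on the page
    low: int = 12288             # default lower threshold given on the page
    restricted: bool = False     # True while new sessions are being denied
    events: list = field(default_factory=list)

    def __post_init__(self):
        if self.low >= self.high:
            raise ValueError("low threshold must be below high threshold")

    def observe(self, sessions: int) -> bool:
        """Feed the current session count; return True if new sessions are denied."""
        if not self.restricted and sessions > self.high:
            # Crossing the upper threshold: deny new sessions and raise an alarm.
            self.restricted = True
            self.events.append(f"ALARM {self.proto}: {sessions} sessions > high {self.high}")
        elif self.restricted and sessions < self.low:
            # Recovery only once the count falls below the *lower* threshold,
            # so counts hovering between low and high do not flap the alarm.
            self.restricted = False
            self.events.append(f"RECOVERY {self.proto}: {sessions} sessions < low {self.low}")
        return self.restricted


def run_sample() -> tuple:
    """Replay a constructed TCP session-count series through 15000/12000 thresholds."""
    mon = ThresholdMonitor("tcp", high=15000, low=12000)
    series = [9000, 14000, 15001, 13000, 12500, 11999, 14900]
    decisions = [mon.observe(n) for n in series]
    return decisions, mon.events
```

Note that 13000 and 12500 keep the restriction in place although both are below the upper threshold; only 11999 clears it.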
Procedure
- Run the display firewall statistics system command to view information about the system-level traffic statistics and monitoring.
- Run the system-view command to enter the system view, and then run the display firewall statistics zone zone-name { inzone | outzone } all command to view information about the zone-level traffic statistics and monitoring.
- Run the display firewall statistics zone-ip zone-name command to view information about the IP address-level traffic statistics and monitoring.
----End
Applicable Environment
The logs record the behaviors and status of the firewall to help you find security risks, analyze attempts to violate security policies, and detect network attacks.
Pre-configuration Tasks
Before configuring the logs, complete the following tasks:
- Configuring zones and adding interfaces to the zones
- Configuring the interzone and enabling the firewall function in the interzone
- Creating a basic ACL or an advanced ACL and configuring ACL rules
Data Preparation
To configure the log function, you need the following data.

No.  Data
1    Type of the log
2    IP address and port number of the session log host, and the source IP address and source port number that the AR200-S uses to communicate with the session log host
3    Conditions for recording session logs, including the ACL number and the direction
4    (Optional) Interval for exporting the attack defense logs or statistics logs
The log function is enabled on the firewall. The log function can be enabled according to log types or enabled for all types of logs by using the all parameter.
The NAT session log is enabled. Before running the firewall log session nat enable command, you must run the firewall log session enable command. By default, the NAT session log is disabled.
----End
Context
The session logs are exported to a log host in real time; therefore, you need to configure the log host first. To configure the log host, you need to configure the IP address and port number of the log host and the IP address and port number that the AR200-S uses to communicate with the log host. An ACL is referenced in the interzone view to determine the sessions to be recorded in the logs. The ACLs can be configured for incoming and outgoing traffic.
Procedure
Step 1 Run:
system-view
The session log host is configured. By default, no session log host is configured.
Step 3 (Optional) Run:
firewall log { blacklist | defend | session | statistics } log-interval time
The interval for exporting logs is set. By default, logs are exported every 30 seconds.
Step 4 Run:
firewall interzone zone-name1 zone-name2
Procedure
l Run the display firewall log configuration command to view information about the logs on the firewall.
----End
Example
Run the display firewall log configuration command to view information about the logs on the firewall.
<Huawei> display firewall log configuration
defend log :
  status        : enabled
  log-interval  : 30 s
statistics log :
  status        : enabled
  log-interval  : 30 s
blacklist log :
  status        : enabled
  log-interval  : 30 s
session log :
  status        : enabled
  log-interval  : 30 s
  nat-session   : disabled
binary-log host :
  host        source
  ----:-----:--
- Run the display firewall whitelist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name } command to view the whitelist entries.
- Run the display firewall statistics system command to view the system-level traffic statistics.
- Run the display firewall statistics zone zone-name { inzone | outzone } all command to view the zone-level traffic statistics and traffic monitoring information.
- Run the display firewall statistics zone-ip zone-name command to view the status of the traffic monitoring function and the session thresholds for each protocol.
- Run the display firewall-nat session aging-time command to view the timeout of entries in the session table.
- Run the display port-mapping [ dns | ftp | http | rtsp | sip | port port-number ] command to view the mappings between application-layer protocols and ports.
- Run the display firewall defend { flag | { icmp-flood | syn-flood | udp-flood } [ ip [ ip-address [ vpn-instance vpn-instance-name ] ] | zone [ zone-name ] ] | other-attack-type } command to view the status and configuration of the attack defense functions.
- Run the display firewall log configuration command to view the global configuration of the log function.
- Run the display firewall session command to view the session table of the firewall.
----End
Procedure
Step 1 Run:
system-view
Networking Requirements
As shown in Figure 3-2, Ethernet0/0/0 of the Router is connected to a highly secure internal network, and Ethernet0/0/8 is connected to the insecure external network. The Router must filter the packets between the internal network and the external network. The following requirements must be met:
- A host (202.39.2.3) on the external network is allowed to access the servers in the internal network.
- Other hosts are not allowed to access the servers on the internal network.

Figure 3-2 Network diagram (Router: Eth0/0/0 to the internal network, Eth0/0/8 to the external network; external host 202.39.2.3)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure zones and an interzone.
2. Add interfaces to the zones.
3. Configure an ACL.
4. Configure ACL-based packet filtering in the interzone.
Procedure
Step 1 Configure zones and an interzone on the Router.
<Huawei> system-view
[Huawei] firewall zone trust
[Huawei-zone-trust] priority 15
[Huawei-zone-trust] quit
[Huawei] firewall zone untrust
[Huawei-zone-untrust] priority 1
[Huawei-zone-untrust] quit
[Huawei] firewall interzone trust untrust
[Huawei-interzone-trust-untrust] firewall enable
[Huawei-interzone-trust-untrust] quit
Step 5 Verify the configuration.
After the configuration, only the specified host (202.39.2.3) can access the servers on the internal network. Run the display firewall interzone [ zone-name1 zone-name2 ] command on the Router, and the result is as follows:
[Huawei] display firewall interzone trust untrust
interzone trust untrust
 firewall enable
 packet-filter default deny inbound
 packet-filter default permit outbound
 packet-filter 3102 inbound
----End
Configuration Files
#
vlan 100
#
acl number 3102
 rule 5 permit tcp source 202.39.2.3 0 destination 129.38.1.2 0
 rule 10 permit tcp source 202.39.2.3 0 destination 129.38.1.3 0
 rule 15 permit tcp source 202.39.2.3 0 destination 129.38.1.4 0
 rule 20 deny ip
#
interface Vlanif100
 ip address 129.38.1.1 255.255.255.0
 zone trust
#
firewall zone trust
 priority 15
#
firewall zone untrust
 priority 1
#
firewall interzone trust untrust
 firewall enable
 packet-filter 3102 inbound
#
interface Ethernet0/0/0
 port link-type access
 port default vlan 100
#
interface Ethernet0/0/8
 ip address 202.39.2.1 255.255.255.0
 zone untrust
#
return
Networking Requirements
As shown in Figure 3-3, Ethernet0/0/0 of the Router is connected to a highly secure internal network, and Ethernet0/0/8 is connected to the insecure external network. The Router must filter the packets and perform ASPF check between the internal network and the external network. The following requirements must be met:
- A host (202.39.2.3) on the external network is allowed to access the servers in the internal network.
- Other hosts are not allowed to access the servers on the internal network.
- The Router checks the FTP status of the connections and filters the undesired packets.
- The packets from the external host are sent to the FTP servers through port 2121, which is used as the port of the FTP protocol.

Figure 3-3 Network diagram for configuring ASPF and port mapping (Router: Eth0/0/0 to the internal network, Eth0/0/8 to the external network; external host 202.39.2.3)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure zones and an interzone.
2. Add interfaces to the zones.
3. Configure an ACL.
4. Configure ACL-based packet filtering in the interzone.
5. Configure ASPF in the interzone.
6. Map port 2121 to the FTP protocol.
Procedure
Step 1 Configure zones and an interzone on the Router.
<Huawei> system-view
[Huawei] firewall zone trust
[Huawei-zone-trust] priority 15
[Huawei-zone-trust] quit
[Huawei] firewall zone untrust
[Huawei-zone-untrust] priority 1
[Huawei-zone-untrust] quit
[Huawei] firewall interzone trust untrust
[Huawei-interzone-trust-untrust] firewall enable
[Huawei-interzone-trust-untrust] quit
Step 7 Verify the configuration.
Run the display firewall interzone zone-name1 zone-name2 command on the Router, and the result is as follows:
[Huawei] display firewall interzone trust untrust
interzone trust untrust
 firewall enable
 packet-filter default deny inbound
 packet-filter default permit outbound
 packet-filter 3102 inbound
 detect aspf ftp
Run the display port-mapping ftp command on the Router, and the result is as follows:
[Huawei] display port-mapping ftp
------------------------------------------------
Service      Port      Acl       Type
------------------------------------------------
ftp          21                  system defined
ftp          2121      2102      user defined
------------------------------------------------
Total number is : 2
----End
Configuration Files
#
vlan 100
#
acl number 2102
 rule 5 permit source 129.38.1.2 0
#
acl number 3102
 rule 5 permit tcp source 202.39.2.3 0 destination 129.38.1.2 0
 rule 10 permit tcp source 202.39.2.3 0 destination 129.38.1.3 0
 rule 15 permit tcp source 202.39.2.3 0 destination 129.38.1.4 0
 rule 20 deny ip
#
port-mapping ftp port 2121 acl 2102
#
interface Vlanif100
 ip address 129.38.1.1 255.255.255.0
 zone trust
#
firewall zone trust
 priority 15
#
firewall zone untrust
 priority 1
#
firewall interzone trust untrust
 firewall enable
 packet-filter 3102 inbound
 detect aspf ftp
#
interface Ethernet0/0/0
 port link-type access
 port default vlan 100
#
interface Ethernet0/0/8
 ip address 202.39.2.1 255.255.255.0
 zone untrust
#
return
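The two configuration files above (the packet-filter example and the ASPF/port-mapping example) both rest on the same matching logic: rules of acl 3102 tried in ascending rule-number order with wildcard masks (0 = exact match), the interzone default of deny inbound, and acl 2102 selecting the servers for which port 2121 is treated as FTP. The following added example, which is not AR200-S code, re-implements that logic so the rules can be checked against constructed packets offline. It assumes first-match semantics and that the basic ACL referenced by port-mapping is matched against the packet's destination address.

```python
"""Huawei-style ACL and port-mapping evaluation.

Added example (not AR200-S code). Assumptions: rules are tried in ascending
rule-number order and the first match wins; the basic ACL referenced by
port-mapping is matched against the destination address of the packet.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard mask semantics: 0 bits must match exactly, 1 bits are ignored.
    A wildcard of '0' means an exact host match."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    w = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (r & care)


@dataclass
class Rule:
    number: int
    action: str                    # "permit" or "deny"
    proto: str = "ip"              # "ip" matches any protocol
    src: Optional[tuple] = None    # (address, wildcard) or None for any
    dst: Optional[tuple] = None

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if self.src and not wildcard_match(pkt["src"], *self.src):
            return False
        if self.dst and not wildcard_match(pkt["dst"], *self.dst):
            return False
        return True


def evaluate(acl: list, pkt: dict, default: str = "deny") -> str:
    """Return the action of the first matching rule, else the interzone default."""
    for rule in sorted(acl, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action
    return default


# acl number 3102 from the configuration file above
ACL_3102 = [
    Rule(5, "permit", "tcp", ("202.39.2.3", "0"), ("129.38.1.2", "0")),
    Rule(10, "permit", "tcp", ("202.39.2.3", "0"), ("129.38.1.3", "0")),
    Rule(15, "permit", "tcp", ("202.39.2.3", "0"), ("129.38.1.4", "0")),
    Rule(20, "deny", "ip"),
]

# acl number 2102 (basic ACL: one address field) referenced by port-mapping
ACL_2102 = [Rule(5, "permit", "ip", ("129.38.1.2", "0"))]


def mapped_service(pkt: dict) -> Optional[str]:
    """Which application-layer inspection (ASPF) applies to a TCP packet.
    Port 21 is system defined; 2121 is user defined, but only for servers
    selected by acl 2102 (matched here on the destination address)."""
    if pkt["proto"] != "tcp":
        return None
    if pkt["dport"] == 21:
        return "ftp"
    if pkt["dport"] == 2121:
        # A basic ACL has a single address field, so feed it the destination.
        probe = {"proto": "ip", "src": pkt["dst"], "dst": pkt["dst"]}
        if evaluate(ACL_2102, probe) == "permit":
            return "ftp"
    return None


def inbound_decision(pkt: dict) -> tuple:
    """(packet-filter action, ASPF service) for an untrust -> trust packet."""
    return evaluate(ACL_3102, pkt, default="deny"), mapped_service(pkt)
```

A packet from 202.39.2.3 to 129.38.1.3 on port 2121 is permitted by acl 3102 but is not inspected as FTP, because acl 2102 only names 129.38.1.2; that is the kind of gap a review of the two ACLs together should catch.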
Networking Requirements
As shown in Figure 3-4, Ethernet0/0/0 of the Router is connected to a highly secure internal network, and Ethernet0/0/8 is connected to the insecure external network. The Router needs to apply IP address sweeping defense and blacklist policies to the packets sent from the Internet to the enterprise intranet. If the Router detects that an IP address attacks the enterprise intranet by using IP address sweeping, it adds the IP address to the blacklist. The maximum session rate is 5000 pps, and the blacklist timeout is 30 minutes. If an IP address, for example, 202.39.1.2, attempts to attack the enterprise intranet multiple times, you can add the IP address to the blacklist manually. An IP address added manually remains in the blacklist permanently.

Figure 3-4 Network diagram (Router: Eth0/0/0 to the enterprise network and its server, Eth0/0/8 to the Internet)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure zones and an interzone.
2. Add interfaces to the zones.
3. Enable the blacklist function.
4. Add an entry to the blacklist.
5. Enable the defense against IP address sweeping or port scanning.
6. Configure the maximum session rate and blacklist timeout for the defense against IP address sweeping or port scanning.
Procedure
Step 1 Configure zones and an interzone on the Router.
[Huawei] firewall zone trust
[Huawei-zone-trust] priority 15
[Huawei-zone-trust] quit
[Huawei] firewall zone untrust
[Huawei-zone-untrust] priority 1
[Huawei-zone-untrust] quit
[Huawei] firewall interzone trust untrust
[Huawei-interzone-trust-untrust] firewall enable
[Huawei-interzone-trust-untrust] quit
Step 5 Enable the defense against IP address sweeping and port scanning.
[Huawei] firewall defend ip-sweep enable
[Huawei] firewall defend port-scan enable
Step 6 Configure the maximum session rate and blacklist timeout for the defense against IP address sweeping or port scanning.
[Huawei] firewall defend ip-sweep max-rate 5000
[Huawei] firewall defend ip-sweep blacklist-expire-time 30
[Huawei] firewall defend port-scan max-rate 5000
[Huawei] firewall defend port-scan blacklist-expire-time 30
Step 7 Verify the configuration.
Run the display firewall interzone [ zone-name1 zone-name2 ] command on the Router, and the result is as follows:
[Huawei] display firewall interzone trust untrust
interzone trust untrust
 firewall enable
 packet-filter default deny inbound
 packet-filter default permit outbound
Run the display firewall blacklist all command on the Router, and the result is as follows:
[Huawei] display firewall blacklist all
Firewall Blacklist Items :
-----------------------------------------------------------------------
IP-Address        Reason      Expire-Time(m)     VPN-Instance
-----------------------------------------------------------------------
202.39.1.2        Manual      Permanent
-----------------------------------------------------------------------
total number is : 1
Run the display firewall defend command on the Router, and the result is as follows:
[Huawei] display firewall defend port-scan
defend-flag            : enable
max-rate               : 5000 (pps)
blacklist-expire-time  : 30 (m)
[Huawei] display firewall defend ip-sweep
defend-flag            : enable
max-rate               : 5000 (pps)
blacklist-expire-time  : 30 (m)
----End
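The defense configured above combines a per-source rate check (max-rate 5000 pps) with a blacklist whose automatic entries age out after blacklist-expire-time (30 minutes) while manual entries stay permanent. The following is an added example, not AR200-S code, that models that interplay from the detection side; the source addresses, timestamps and burst sizes are constructed.

```python
"""Rate-based sweep detection feeding a blacklist with expiry.

Added example (not AR200-S code): models max-rate 5000 pps per source, a
30-minute blacklist entry for sources that exceed it, and permanent manual
entries. Addresses, timestamps and packet counts are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class BlacklistEntry:
    ip: str
    reason: str                  # "Manual" or "Sweep"
    expire_at: Optional[float]   # None means Permanent


class Blacklist:
    def __init__(self):
        self.entries: dict = {}

    def add_manual(self, ip: str) -> None:
        # Manually added entries never expire (the page's "Permanent").
        self.entries[ip] = BlacklistEntry(ip, "Manual", None)

    def add_auto(self, ip: str, now: float, expire_minutes: int) -> None:
        # Never downgrade a permanent manual entry to a timed one.
        if ip in self.entries and self.entries[ip].expire_at is None:
            return
        self.entries[ip] = BlacklistEntry(ip, "Sweep", now + expire_minutes * 60)

    def is_blocked(self, ip: str, now: float) -> bool:
        e = self.entries.get(ip)
        if e is None:
            return False
        if e.expire_at is not None and now >= e.expire_at:
            del self.entries[ip]         # timed out: drop the entry, allow again
            return False
        return True

    def remaining_minutes(self, ip: str, now: float) -> str:
        e = self.entries[ip]
        return "Permanent" if e.expire_at is None else str(int((e.expire_at - now) // 60))


class SweepDetector:
    """Counts new sessions per source per one-second window; above max_rate
    the source is blacklisted for expire_minutes."""
    def __init__(self, blacklist: Blacklist, max_rate: int = 5000, expire_minutes: int = 30):
        self.bl, self.max_rate, self.expire_minutes = blacklist, max_rate, expire_minutes
        self.window: dict = defaultdict(int)   # (src, whole second) -> session count

    def on_session(self, src: str, now: float) -> bool:
        """Return True if the session is allowed, False if dropped."""
        if self.bl.is_blocked(src, now):
            return False
        key = (src, int(now))
        self.window[key] += 1
        if self.window[key] > self.max_rate:
            self.bl.add_auto(src, now, self.expire_minutes)
            return False
        return True


def run_sample() -> dict:
    bl = Blacklist()
    bl.add_manual("202.39.1.2")                  # the page's manual entry
    det = SweepDetector(bl, max_rate=5000, expire_minutes=30)
    t0 = 1_000_000.0
    # Constructed burst: one source opens 5001 sessions within a single second.
    allowed = sum(det.on_session("203.0.113.7", t0 + i / 6000) for i in range(5001))
    return {
        "allowed_in_burst": allowed,
        "blocked_after": not det.on_session("203.0.113.7", t0 + 5),
        "still_blocked_at_29min": bl.is_blocked("203.0.113.7", t0 + 29 * 60),
        "released_at_31min": not bl.is_blocked("203.0.113.7", t0 + 31 * 60),
        "manual_permanent": bl.remaining_minutes("202.39.1.2", t0 + 10 ** 9),
        "manual_blocked": det.on_session("202.39.1.2", t0) is False,
    }
```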
Configuration Files
# firewall defend ip-sweep enable
Applicable Environment
When receiving unknown unicast packets, multicast packets, or broadcast packets, the AR200-S forwards the packets to all the interfaces except the receive interface, because the AR200-S cannot determine the outbound interface according to the destination MAC address of the packets. In this case, broadcast storms may occur on the network and the forwarding performance of the AR200-S deteriorates. To prevent the AR200-S from being attacked by heavy traffic and ensure that the AR200-S can forward packets in unicast mode, configure traffic suppression on an interface to limit the rate of incoming broadcast packets, multicast packets, or unknown unicast packets.
Pre-configuration Tasks
Before configuring traffic suppression, complete the following task:
- Connecting interfaces and setting the physical parameters of interfaces so that the physical layer is in Up state
Data Preparation
To configure traffic suppression, you need the following data.

No.  Data
1    Type and number of the interface where traffic suppression needs to be configured
2    Type of the traffic to be suppressed (broadcast, multicast, or unknown unicast traffic)
3    Rate limit mode (in bit/s)
4    Rate limit value in bit/s (CIR value)
Procedure
Step 1 Run:
system-view
The interface view is displayed.
Step 3 Set the CIR value for traffic suppression.
- Run the broadcast-suppression cir cir-value command to set the CIR value for broadcast traffic.
- Run the multicast-suppression cir cir-value command to set the CIR value for multicast traffic.
- Run the unicast-suppression cir cir-value command to set the CIR value for unknown unicast traffic.
----End
Prerequisites
The traffic suppression configurations are complete.
Procedure
l Run the display flow-suppression interface interface-type interface-number command to check the traffic suppression configuration.
----End
Example
Run the display flow-suppression interface interface-type interface-number command to check the traffic suppression configuration on the specified interface.
<AR200-S> display flow-suppression interface ethernet 2/0/1
storm type         rate mode    set rate value
-------------------------------------------------------------------------------
unknown-unicast    pps          packets: 1260(packets per second)
multicast          pps          packets: 2520(packets per second)
broadcast          pps          packets: 1260(packets per second)
-------------------------------------------------------------------------------
4.4.1 Example for Setting the CIR Value for Traffic Suppression
This section describes how to set the CIR value for traffic suppression.
Networking Requirements
As shown in Figure 4-1, RouterA is connected to a Layer 2 network and a Layer 3 router. To limit the number of broadcast, multicast, or unknown unicast packets forwarded on the Layer 2 network, you can set the rate limit in bit/s on Ethernet 0/0/0.
NOTE
As shown in Figure 4-1, RouterA is the AR200-S and RouterB is an aggregation router. The CIR value for traffic suppression can be set only on LAN-side Ethernet interfaces of the SRU on the AR200-S.
Figure 4-1 Network diagram of setting the CIR value for traffic suppression (L2 network connected to Ethernet 0/0/0 of RouterA; RouterA connected to RouterB on the L3 network)
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
- Name of the interface where traffic suppression needs to be configured: Ethernet 0/0/0
- CIR value for broadcast and unknown unicast packets: 100 kbit/s; CIR value for multicast packets: 200 kbit/s
Procedure
Step 1 Enter the interface view.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface ethernet 0/0/0
Step 5 Verify the configuration.
Run the display flow-suppression interface command to view the traffic suppression configuration on Ethernet 0/0/0.
[RouterA] display flow-suppression interface Ethernet 0/0/0
storm type         rate mode    set rate value
-------------------------------------------------------------------------------
unknown-unicast    bps          cir: 100(kbit/s)
multicast          bps          cir: 200(kbit/s)
broadcast          bps          cir: 100(kbit/s)
-------------------------------------------------------------------------------
----End
Configuration Files
#
 sysname RouterA
#
interface Ethernet 0/0/0
 unicast-suppression cir 100
 multicast-suppression cir 200
 broadcast-suppression cir 100
#
return
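Traffic suppression, as described in the Applicable Environment above and configured here with 100/200/100 kbit/s, is a per-class rate limit on frames the device would otherwise flood. The following added example, not AR200-S code, models it as one token bucket per storm type (broadcast, multicast, unknown unicast) on Ethernet 0/0/0; frame sizes, MAC addresses, the MAC table and a bucket depth of one second of CIR are constructed assumptions.

```python
"""Per-class CIR suppression for broadcast, multicast and unknown unicast frames.

Added example (not AR200-S code). One token bucket per storm type; frames,
MAC table and bucket depth (one second of CIR) are constructed assumptions.
"""


def classify(dst_mac: str, mac_table: set) -> str:
    """Storm type of an incoming frame, or 'known-unicast' if the MAC is learned."""
    if dst_mac.lower() == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    if int(dst_mac.split(":")[0], 16) & 0x01:      # group bit set: multicast
        return "multicast"
    return "known-unicast" if dst_mac.lower() in mac_table else "unknown-unicast"


class TokenBucket:
    """Tokens are bits credited at the CIR. Time is kept in integer milliseconds
    so 100 kbit/s is exactly 100 bits per millisecond and the arithmetic is exact."""
    def __init__(self, cir_kbps: int, burst_bits: int = None):
        self.bits_per_ms = cir_kbps
        self.capacity = burst_bits if burst_bits is not None else cir_kbps * 1000
        self.tokens = self.capacity
        self.last_ms = 0

    def allow(self, frame_bits: int, now_ms: int) -> bool:
        self.tokens = min(self.capacity,
                          self.tokens + (now_ms - self.last_ms) * self.bits_per_ms)
        self.last_ms = now_ms
        if frame_bits <= self.tokens:
            self.tokens -= frame_bits
            return True
        return False                               # exceeds the CIR: dropped


class Suppressor:
    def __init__(self, cir_kbps: dict, mac_table: set):
        self.buckets = {kind: TokenBucket(rate) for kind, rate in cir_kbps.items()}
        self.mac_table = mac_table
        self.dropped = {kind: 0 for kind in cir_kbps}

    def ingress(self, dst_mac: str, frame_bytes: int, now_ms: int) -> bool:
        kind = classify(dst_mac, self.mac_table)
        if kind == "known-unicast":
            return True                            # not subject to suppression
        ok = self.buckets[kind].allow(frame_bytes * 8, now_ms)
        if not ok:
            self.dropped[kind] += 1
        return ok


def run_sample() -> dict:
    # Ethernet 0/0/0 on RouterA with the page's CIR values (kbit/s).
    s = Suppressor({"broadcast": 100, "multicast": 200, "unknown-unicast": 100},
                   mac_table={"00:11:22:33:44:55"})
    # Constructed storm: 200 broadcast frames of 1500 bytes in one second
    # (2.4 Mbit/s offered against a 100 kbit/s CIR), one frame every 5 ms.
    passed = sum(s.ingress("ff:ff:ff:ff:ff:ff", 1500, i * 5) for i in range(200))
    known = s.ingress("00:11:22:33:44:55", 1500, 500)
    return {"broadcast_passed": passed,
            "broadcast_dropped": s.dropped["broadcast"],
            "known_unicast_passed": known}
```

With a 100 000-bit bucket and 12 000-bit frames, the first eight frames drain the initial credit and afterwards only one frame in about 24 gets through, so 16 of 200 pass; known unicast to a learned MAC is untouched.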
5 NAC Configuration

About This Chapter

This chapter describes the NAC system architecture, principles, and authentication methods.

5.1 NAC Overview
Network access control (NAC) is an end-to-end access security framework and includes Web authentication, 802.1x authentication, and MAC address authentication.

5.2 NAC Features Supported by the AR200-S
The AR200-S supports multiple authentication and control methods to control user authorities and access areas.

5.3 Configuring 802.1x Authentication
You can configure 802.1x authentication on an interface to authenticate access devices connected to an interface of an access control device on a LAN.

5.4 Maintaining NAC
This section describes how to maintain NAC.

5.5 Configuration Examples
This section provides several NAC configuration examples.
Figure 5-1 NAC architecture (User, NAD, ACS, Remediation server)

As shown in Figure 5-1, NAC is a control scheme for network access security, and involves the following entities:
- User: Access user who must be authenticated. If 802.1x authentication is used, users must install the client software.
- NAD: Network access device. An NAD authenticates and authorizes access users. The NAD works with an AAA server to prevent unauthorized terminals from accessing the network, minimize the threats brought by insecure terminals, prevent unauthorized access requests from authorized terminals, and protect core resources.
- ACS: Access control server. An ACS checks terminal security, manages policies, manages user behaviors, audits rule violations, and prevents malicious attacks from terminals.
802.1x Authentication
The Institute of Electrical and Electronics Engineers (IEEE) 802.1x standard, 802.1x for short, is an interface-based network access control protocol. 802.1x authentication authenticates and controls access devices connected to an interface of an access control device on a LAN. User devices connected to the interface can access resources on the LAN only after being authenticated. 802.1x authentication is classified into:
- Interface-based authentication: As long as the first user on an interface is authenticated, all other access users on that interface can use network resources without being authenticated. After the first user goes offline, the other users can no longer use network resources.
- MAC address-based authentication: All access users on an interface need to be authenticated.
Authentication mode
- Extensible Authentication Protocol (EAP) termination authentication: The AR200-S terminates EAP packets from users, parses user names and passwords, encrypts the passwords, and then sends them to the AAA server for authentication. EAP termination authentication includes Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). PAP is a two-way handshake authentication protocol and transmits passwords in plain text. It has low security. CHAP is a three-way handshake authentication protocol and transmits passwords in cipher text. It has higher security than PAP.
- EAP relay authentication: The AR200-S encapsulates authentication information about 802.1x users and EAP packets in the attribute fields in RADIUS packets or HWTACACS packets and sends the packets to the AAA server.

Guest VLAN
If a user that fails to be authenticated wants to access some network resources, for example, to download the 802.1x client program and update the virus library, add the user to a guest VLAN so that the user can access resources in the guest VLAN.
NAC Applications
LAN-side Ethernet interfaces on the AR200-S support only 802.1x authentication.
Applicable Environment
The 802.1x protocol is applied to the Ethernet as an access control mechanism on LAN interfaces to authenticate access users and ensure security on the Ethernet.
Pre-configuration Tasks
None.
Data Preparation
To configure 802.1x authentication, you need the following data.

No.  Data
1    Interface that will be enabled with 802.1x authentication
2    (Optional) Maximum number of concurrent access users on an interface
3    (Optional) Maximum number of times an authentication request can be retransmitted
Procedure
Step 1 Run:
system-view
Global 802.1x authentication is enabled. By default, global 802.1x authentication is disabled.
----End
Context
802.1x authentication cannot be used together with MAC address authentication on the same interface. 802.1x authentication can be enabled on an interface in the system view or interface view.
Procedure
- Enabling 802.1x authentication on an interface in the system view
  1. Run:
     system-view
  802.1x authentication is enabled on an interface. By default, 802.1x authentication is disabled on an interface.
- Enabling 802.1x authentication on an interface in the interface view
  1. Run:
     system-view
  802.1x authentication is enabled on the interface. By default, 802.1x authentication is disabled on an interface.
----End
Context
PAP is a two-way handshake authentication protocol and transmits passwords in plain text. It has low security. CHAP is a three-way handshake authentication protocol and transmits passwords in cipher text. It has higher security than PAP. EAP supports multiple authentication mechanisms. The AR200-S transparently transmits EAP Request packets and Response packets to the authentication server. The AR200-S determines whether to allow user access based on the authentication result from the authentication server only.
CAUTION
If local authentication is used, EAP cannot be configured.
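The Context above contrasts PAP (password crosses the wire in plain text) with CHAP (a challenge and a hash derived from it cross the wire). The following added example, not AR200-S code, shows both exchanges as an EAP-terminating authenticator and its AAA server would see them, using the CHAP response definition from RFC 1994 (MD5 over identifier, secret and challenge); the user name, secret and challenge bytes are constructed.

```python
"""PAP versus CHAP as seen by an authenticator that terminates EAP.

Added example (not AR200-S code). CHAP response per RFC 1994:
MD5(Identifier || secret || Challenge). Credentials are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class PapRequest:
    username: str
    password: str        # travels in plain text: readable by anyone on the path


@dataclass
class ChapRequest:
    username: str
    identifier: int      # one byte, echoes the identifier of the challenge
    challenge: bytes     # random, chosen by the authenticator side
    response: bytes      # 16-byte MD5 digest; the secret itself never travels


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 section 2.2: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


def client_answer_chap(username: str, secret: str, identifier: int, challenge: bytes) -> ChapRequest:
    """What the 802.1x client computes from the challenge it received."""
    return ChapRequest(username, identifier, challenge, chap_response(identifier, secret, challenge))


class AaaServer:
    """Holds the user database and verifies either request type."""
    def __init__(self, users: dict):
        self.users = users            # username -> secret (constructed)
        self.issued: dict = {}        # identifier -> challenge still outstanding

    def new_challenge(self) -> tuple:
        identifier = secrets.randbelow(256)
        challenge = secrets.token_bytes(16)
        self.issued[identifier] = challenge
        return identifier, challenge

    def verify_pap(self, req: PapRequest) -> bool:
        secret = self.users.get(req.username)
        return secret is not None and hmac.compare_digest(secret, req.password)

    def verify_chap(self, req: ChapRequest) -> bool:
        secret = self.users.get(req.username)
        # The challenge must be one we issued and not yet consumed (replay defence).
        if secret is None or self.issued.pop(req.identifier, None) != req.challenge:
            return False
        expected = chap_response(req.identifier, secret, req.challenge)
        return hmac.compare_digest(expected, req.response)


def demo() -> dict:
    server = AaaServer({"alice": "correct-horse"})       # constructed credentials
    identifier, challenge = server.new_challenge()
    good = client_answer_chap("alice", "correct-horse", identifier, challenge)
    ok = server.verify_chap(good)
    replayed = server.verify_chap(good)                  # same response presented again
    identifier2, challenge2 = server.new_challenge()
    wrong = client_answer_chap("alice", "wrong-password", identifier2, challenge2)
    pap = PapRequest("alice", "correct-horse")
    return {
        "chap_ok": ok,
        "chap_replay_rejected": not replayed,
        "chap_wrong_secret_rejected": not server.verify_chap(wrong),
        "pap_ok": server.verify_pap(pap),
        "secret_visible_in_pap": pap.password == "correct-horse",
        "secret_visible_in_chap": b"correct-horse" in good.response,
    }
```

Both modes require the AAA server to hold the secret in recoverable form, which is why the page's CAUTION about local authentication and EAP matters when choosing where passwords are stored.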
Procedure
Step 1 Run:
system-view
The authentication mode is configured for 802.1x users. By default, the AR200-S uses CHAP to authenticate 802.1x users.
----End
Context
- MAC address-based access method: 802.1x users on an interface are authenticated independently.
- Interface-based access method: All the other users on an interface can use network resources after the first user is authenticated. After the first user goes offline, other users cannot use network resources.
The access method can be configured in the system view or interface view.
CAUTION
If there are online 802.1x users on an interface, you cannot change the access method of the interface.
Procedure
- Setting the access method on an interface in the system view
  1. Run:
     system-view
  The access method is configured on an interface. By default, an interface uses the MAC address-based access method.
- Setting the access method on an interface in the interface view
  1. Run:
     system-view
  The access method is configured on the interface. By default, an interface uses the MAC address-based access method.
----End
Context
- auto: An interface is initially in unauthorized state and sends and receives only EAPoL packets. Therefore, users cannot access network resources. After a user is authenticated on the interface, the interface enters the authorized state and allows users to access network resources.
- authorized-force: An interface is always in authorized state and allows users to access network resources without authentication.
- unauthorized-force: An interface is always in unauthorized state and does not allow users to access network resources.
The authorization status of an interface can be configured in the system view or interface view.
Procedure
- Setting the authorization status of an interface in the system view
  1. Run:
     system-view
  The authorization status of an interface is configured. By default, the authorization status of an interface is auto.
- Setting the authorization status of an interface in the interface view
  1. Run:
     system-view
  The authorization status of the interface is configured. By default, the authorization status of an interface is auto.
----End
5.3.7 (Optional) Setting the Maximum Number of Concurrent Access Users on an Interface
After the maximum number of concurrent access users is set on an interface, if the number of access users on the interface reaches the maximum, the AR200-S does not authenticate subsequent access users and these users cannot access networks.
Context
The AR200-S allows a maximum of 128 concurrent access users.
NOTE
If the number of current online users on an interface has exceeded the maximum number that you set, online users are not affected but new access users cannot access networks.
You can set the maximum number of concurrent access users in the system view or interface view.
Procedure
- Setting the maximum number of concurrent access users in the system view
  1. Run:
     system-view
  The maximum number of concurrent access users is set on an interface. By default, each interface allows a maximum of 128 concurrent access users.
- Setting the maximum number of concurrent access users in the interface view
  1. Run:
     system-view
  By default, each interface allows a maximum of 128 concurrent access users.
----End
Procedure
Step 1 Run:
system-view
802.1x authentication triggered by DHCP messages is enabled. By default, 802.1x authentication triggered by DHCP messages is disabled.
----End
Context
Before setting the value of a timer used in 802.1x authentication, ensure that the timer function is enabled. It is recommended that you retain default settings of the timers.
Procedure
Step 1 Run:
system-view
The values of timers used in 802.1x authentication are set. The timers are described as follows:
- client-timeout: specifies the value of the timeout timer of a client. The default value is 30s.
- handshake-period: specifies the handshake interval between the AR200-S and the 802.1x client. The default value is 60s.
- quiet-period: specifies the value of the quiet timer. The default value is 60s.
- reauthenticate-period: specifies the re-authentication interval. The default value is 3600s.
- server-timeout: specifies the value of the timeout timer of the authentication server. The default value is 30s.
- tx-period: specifies the interval for sending authentication requests. The default value is 30s.
The dot1x timer command only sets the values of the timers; you need to enable the corresponding timers by running commands or adopting the default settings.
----End
Procedure
Step 1 Run:
system-view
The quiet timer function is enabled. By default, the quiet timer function is disabled.
Step 3 (Optional) Run:
dot1x timer quiet-period quiet-period-value
The value of the quiet timer is set. After the quiet timer function is enabled, the default value of the quiet timer is 60s.
Step 4 (Optional) Run:
dot1x quiet-times fail-times
The number of authentication failures within 60 seconds before an 802.1x user enters the quiet state is set. By default, an 802.1x user enters the quiet state after three authentication failures within 60 seconds.
----End
Context
802.1x re-authentication can be enabled in the system view or interface view.
Procedure
- Enabling 802.1x re-authentication in the system view
  1. Run:
     system-view
     802.1x re-authentication is enabled on an interface. By default, 802.1x re-authentication is disabled on an interface.
  3. (Optional) Run:
     dot1x timer reauthenticate-period reauthenticate-period-value
     The re-authentication interval is set. After 802.1x re-authentication is enabled on an interface, the default re-authentication interval is 3600s.
- Enabling 802.1x re-authentication in the interface view
  1. Run:
     system-view
     The re-authentication interval is set. After 802.1x re-authentication is enabled on an interface, the default re-authentication interval is 3600s.
  3. Run:
     interface interface-type interface-number
     Re-authentication is enabled on the interface. By default, 802.1x re-authentication is disabled on an interface.
----End
The configured guest VLAN cannot be the default VLAN of the interface. A super VLAN cannot be configured as a guest VLAN. If an interface is configured with the guest VLAN, the interface cannot be added to the guest VLAN and the VLAN configured as the guest VLAN cannot be deleted. Users in the guest VLAN can communicate with each other.
You can configure a guest VLAN in the system view and in the interface view.
Procedure
- Configuring a guest VLAN in the system view
  1. Run:
     system-view
     A guest VLAN is configured on an interface. By default, no guest VLAN is configured on an interface.
- Configuring a guest VLAN in the interface view
  1. Run:
     system-view
     A guest VLAN is configured on the interface. By default, no guest VLAN is configured on an interface.
----End
Context
If a user fails to be authenticated after the restrict VLAN function is enabled, the AR200-S adds the access interface of the user to the restrict VLAN. Users in the restrict VLAN can access resources in the restrict VLAN without authentication but must be authenticated when they access external resources.
NOTE
The configured restrict VLAN cannot be the default VLAN of the interface. A super VLAN cannot be configured as a restrict VLAN. If an interface is configured with the restrict VLAN, the interface cannot be added to the restrict VLAN and the VLAN configured as the restrict VLAN cannot be deleted. Users in the VLAN that is the same as the restrict VLAN can communicate with users in the restrict VLAN.
A restrict VLAN can be configured in the system view and in the interface view.
Procedure
- Configuring a restrict VLAN in the system view
  1. Run:
     system-view
     The maximum number of authentication failures is set. By default, the maximum number of authentication failures is 3.
  3. Run:
     dot1x restrict-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     A restrict VLAN is configured on an interface. By default, no restrict VLAN is configured on an interface.
- Configuring a restrict VLAN in the interface view
  1. Run:
     system-view
     The maximum number of authentication failures is set. By default, the maximum number of authentication failures is 3.
  3. Run:
     interface interface-type interface-number
     A restrict VLAN is configured on the interface. By default, no restrict VLAN is configured on an interface.
----End
Context
If a client does not support the handshake function, the AR200-S will not receive handshake response packets within the handshake interval and considers that the user is offline. Therefore, if the client does not support the handshake function, disable the handshake function on the AR200-S.
Procedure
Step 1 Run:
system-view
The AR200-S is enabled to send handshake packets to online users. By default, the AR200-S sends handshake packets to online users.
Step 3 (Optional) Run:
dot1x timer handshake-period handshake-period-value
The handshake interval between the AR200-S and the 802.1x client is set. By default, the handshake interval between the AR200-S and the 802.1x client is 60s.
----End
5.3.15 (Optional) Setting the Maximum Number of Times the AR200-S Sends Authentication Requests
Users may not respond to authentication requests if packets are discarded because of an unstable network. To solve the problem, set the maximum number of times authentication requests are sent.
Context
If the AR200-S does not receive a response after sending an authentication request to a user, it retransmits the authentication request to the user. If the AR200-S still fails to receive the response when the maximum number of times for sending authentication requests is reached, it does not send the authentication request to the user any more.
Procedure
Step 1 Run:
system-view
The maximum number of times the AR200-S sends authentication requests is set. By default, the AR200-S retransmits an authentication request to an access user twice.
----End
Context
CAUTION
Statistics cannot be restored after being cleared. Exercise caution when you run the following command.
Run the following command in the user view to clear 802.1x authentication statistics.
Procedure
- Run the reset dot1x statistics [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to clear 802.1x authentication statistics.
----End
Context
CAUTION
Statistics cannot be restored after being cleared. Exercise caution when you run the following command.
Run the following command in the user view to clear the statistics on MAC address authentication.
Procedure
- Run the reset mac-authen statistics [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to clear the statistics on MAC address authentication.
----End
Networking Requirements
As shown in Figure 5-2, users access the Internet using the Router. To ensure network security, users must be authenticated before accessing the Internet. Users that are authenticated can access the Internet, but users that fail to be authenticated can access only resources in VLAN 10.
Figure 5-2 Networking diagram (figure not reproduced; labels: Internet, Router, Printer)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure AAA authentication. User names and passwords are sent to the RADIUS server for authentication.
2. Configure 802.1x authentication to authenticate users on 0/0/0.
3. Configure a guest VLAN so that users that fail to be authenticated can access resources in VLAN 10.
Data Preparation
To complete the configuration, you need the following data:
- IP address 192.168.2.30 and port number 1812 of the RADIUS authentication server
- RADIUS server key dot1x-isp and retransmission count 2
- AAA authentication scheme scheme1
- RADIUS server template temp1
- Domain isp1
NOTE
In this example, only the Router configuration is provided, and the RADIUS server configuration is not mentioned here.
Procedure
Step 1 Configure a RADIUS server template. # Configure a RADIUS server template temp1.
[Huawei] radius-server template temp1
# Configure the IP address and port number of the primary RADIUS authentication server.
[Huawei-radius-temp1] radius-server authentication 192.168.2.30 1812
Step 2 Create an authentication scheme scheme1 and set the authentication mode to RADIUS authentication.
[Huawei] aaa
[Huawei-aaa] authentication-scheme scheme1
[Huawei-aaa-scheme1] authentication-mode radius
[Huawei-aaa-scheme1] quit
Step 3 Create a domain isp1 and bind the authentication scheme and RADIUS server template to the domain.
[Huawei-aaa] domain isp1
[Huawei-aaa-domain-isp1] authentication-scheme scheme1
[Huawei-aaa-domain-isp1] radius-server temp1
[Huawei-aaa-domain-isp1] quit
[Huawei-aaa] quit
Step 4 Configure 802.1x authentication. # Enable 802.1x authentication globally and on an interface.
[Huawei] dot1x enable
[Huawei] interface ethernet 0/0/0
[Huawei-Ethernet0/0/0] dot1x enable
[Huawei-Ethernet0/0/0] quit
Step 5 Verify the configuration. Run the display dot1x interface command on the Router to view the 802.1x authentication configuration and statistics.
<Huawei> display dot1x interface ethernet 0/0/0
Ethernet0/0/0 status: UP
802.1x protocol is enabled.
Port control type is auto.
Authentication method is MAC-based.
Reauthentication is disabled.
Maximum users: 128
Current users: 1
Port PVID : 1
Port configured PVID : 1
Guest VLAN : 10
Restrict VLAN : 0
Authentication success: 4
Authentication failure: 0
EAPOL Packets: TX : 10 RX : 0
Sent EAPOL Request/Identity Packets : 4
     EAPOL Request/Challenge Packets : 4
     Multicast Trigger Packets : 0
     EAPOL Success Packets : 4
     EAPOL Failure Packets : 0
Received EAPOL Start Packets : 4
     EAPOL LogOff Packets : 3
----End
Configuration Files
#
 vlan batch 10 20
#
 dot1x enable
#
radius-server template temp1
 radius-server shared-key cipher #%I/SW5&ABHRID9_LGZK@1!!
 radius-server authentication 192.168.2.30 1812
 radius-server retransmit 2
#
aaa
 authentication-scheme scheme1
  authentication-mode radius
 domain isp1
  authentication-scheme scheme1
  radius-server temp1
#
interface Ethernet0/0/0
 dot1x enable
 dot1x guest-vlan 10
#
interface 0/0/8
 ip address 192.168.2.10 255.255.255.0
#
return
6
About This Chapter
ARP security ensures security and robustness of network devices by filtering out untrusted ARP packets, checking the binding table of ARP packets, and defending against ARP gateway conflicts.
6.1 ARP Security Overview
This section describes the principle of ARP security.
6.2 ARP Security Supported by the AR200-S
The ARP security features supported by the AR200-S include limitation of ARP entry learning, ARP anti-spoofing, defense against ARP gateway attacks, source address-based ARP packet suppression, source address-based ARP Miss packet suppression and ARP packet rate limit.
6.3 Configuring ARP Entry Limiting
This section describes how to configure ARP Entry Limiting.
6.4 Configuring ARP Anti-attack
The ARP anti-attack function defends against attacks from bogus hosts and gateways and man-in-the-middle attacks.
6.5 Configuring ARP Suppression
If the AR200-S receives a lot of ARP attack packets, the ARP table overflows or the CPU usage is high. The AR200-S prevents ARP attacks by discarding attack packets and limiting the rate of attack packets.
6.6 Maintaining ARP Security
This section describes how to maintain ARP security.
6.7 Configuration Examples
This section provides ARP security configuration examples.
ARP Attacks
ARP-oriented attacks include ARP spoofing attacks and ARP flood attacks.
- ARP spoofing attack: An attacker sends a large number of bogus ARP packets to modify ARP entries of network devices. As a result, packet forwarding is affected. Attackers initiate ARP spoofing attacks by using either of the following methods:
  - Forging user host IP addresses
  - Forging gateway addresses
- ARP flood attack: An attacker sends a large number of bogus ARP Request packets or gratuitous ARP packets. The AR200-S is busy with ARP processing for a long period and cannot process other services. The rate of ARP packets may exceed the limit and ARP entries may overflow. As a result, ARP entries of valid users cannot be buffered and packet forwarding is affected. ARP flood attacks are classified into the following types:
  - ARP Denial of Service (DoS) attacks
  - ARP buffer overflow attacks
  - ARP-based network scanning attacks
ARP Security
ARP security ensures security and robustness of network devices by filtering out untrusted ARP packets, checking the binding table of ARP packets, and defending against ARP gateway conflicts.
ARP Anti-spoofing
ARP spoofing means that attackers use ARP packets sent by authorized users to construct bogus ARP packets and modify ARP entries on the gateway. As a result, the authorized users are disconnected from the network. The AR200-S can prevent ARP spoofing by using the following methods:
- Fixed MAC address: After learning an ARP entry, the AR200-S does not allow the modification of the MAC address that is performed through ARP entry learning until this ARP entry ages. The AR200-S prevents ARP entries of authorized users from being modified without permission. The fixed MAC address method has two modes: fixed-mac and fixed-all. In fixed-mac mode, MAC addresses cannot be modified, but VLANs and interfaces can be modified. In fixed-all mode, MAC addresses, VLANs, and interfaces cannot be modified.
- send-ack: The AR200-S does not modify an ARP entry immediately when it receives an ARP packet requesting modification of a MAC address. Instead, the AR200-S sends a unicast packet for acknowledgement to the user matching this MAC address in the original ARP table.
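The following Python model is added here to show how fixed-mac and fixed-all differ when a received ARP packet tries to change an existing entry; it is not code from the Huawei document. The 1200 s aging time, the fake clock, the rule that a refresh does not restart aging, and the host addresses are assumptions of the example.

```python
import time
from dataclasses import dataclass


@dataclass
class ArpEntry:
    mac: str
    vlan: int
    interface: str
    learned_at: float


class ProtectedArpTable:
    """Gateway ARP table with the fixed MAC address protection described above.

    mode is None (no protection), "fixed-mac" (the MAC may not change until
    the entry ages; VLAN and interface may) or "fixed-all" (MAC, VLAN and
    interface may not change until the entry ages). Aging time and the fact
    that a refresh does not restart it are assumptions of this model.
    """

    def __init__(self, mode=None, aging_time=1200.0, clock=time.monotonic):
        self.mode = mode
        self.aging_time = aging_time
        self.clock = clock
        self.entries = {}
        self.refused = []      # (ip, attempted mac, reason): what an operator would log

    def _age_out(self, ip):
        entry = self.entries.get(ip)
        if entry is not None and self.clock() - entry.learned_at >= self.aging_time:
            del self.entries[ip]

    def learn(self, ip, mac, vlan, interface):
        """Apply the binding carried by a received ARP packet.

        Returns True if the entry was created or updated, False if the
        change was refused by the protection mode.
        """
        self._age_out(ip)
        now = self.clock()
        cur = self.entries.get(ip)
        if cur is None:
            self.entries[ip] = ArpEntry(mac, vlan, interface, now)
            return True
        if self.mode in ("fixed-mac", "fixed-all") and mac != cur.mac:
            self.refused.append((ip, mac, "MAC change refused before aging"))
            return False
        if self.mode == "fixed-all" and (vlan != cur.vlan or interface != cur.interface):
            self.refused.append((ip, mac, "VLAN/interface change refused before aging"))
            return False
        cur.mac, cur.vlan, cur.interface = mac, vlan, interface
        return True


def scenario(mode):
    """Constructed sequence: a host is learned; a packet then claims the same
    IP with another MAC; the real host then moves to another VLAN/port; the
    entry finally ages out. Returns the three verdicts and the final MAC."""
    t = [0.0]                                    # fake clock, seconds
    table = ProtectedArpTable(mode=mode, aging_time=1200.0, clock=lambda: t[0])
    table.learn("10.1.1.20", "0011-2233-4455", 10, "Ethernet0/0/1")
    other_mac = table.learn("10.1.1.20", "00aa-bbcc-ddee", 10, "Ethernet0/0/1")
    moved = table.learn("10.1.1.20", "0011-2233-4455", 20, "Ethernet0/0/2")
    t[0] = 1300.0                                # past the aging time
    after_aging = table.learn("10.1.1.20", "00aa-bbcc-ddee", 10, "Ethernet0/0/1")
    return other_mac, moved, after_aging, table.entries["10.1.1.20"].mac


if __name__ == "__main__":
    for mode in (None, "fixed-mac", "fixed-all"):
        print(mode, scenario(mode))
```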
In the preceding situations, the AR200-S generates ARP anti-attack entries and discards the packets in a period (the default value is three minutes). This can prevent ARP packets with the bogus gateway address from being broadcast in a VLAN. To ensure that packets sent by hosts on the internal network are forwarded to the gateway or to prevent malicious users from intercepting these packets, the AR200-S sends gratuitous ARP packets at a specified interval to update the gateway address in ARP entries of the hosts.
statistics on the ARP Miss packets. If a source IP address triggers the ARP Miss packets continuously in a period and the triggering rate exceeds the threshold, the AR200-S considers that an attack occurs. When the AR200-S detects an attack, configure the rate limit for ARP Miss packets to limit the rate of ARP Miss packets so that the CPU is protected and other services can be processed by the CPU.
Applicable Environment
After strict ARP learning is enabled, the AR200-S learns only the ARP Reply packets corresponding to the ARP Request packets that it sends. You can configure interface-based ARP entry limiting to limit the number of ARP entries dynamically learned by the interfaces.
Pre-configuration Tasks
Before configuring ARP entry limiting, complete the following task:
- Setting link layer protocol parameters and the interface IP address so that the link layer protocol is Up
Data Preparation
To configure ARP entry limiting, you need the following data.
No.  Data
1    Type and number of the interface where ARP entry limiting will be configured
Procedure
- Configuring strict ARP learning globally
  1. Run:
     system-view
     Strict ARP learning is enabled. By default, strict ARP learning is disabled on the AR200-S.
- Configuring strict ARP learning on an interface
  1. Run:
     system-view
     The interface view is displayed. On the AR200-S, strict ARP learning can be enabled on Layer 3 Ethernet interfaces and their sub-interfaces, Layer 3 Eth-Trunk interfaces and their sub-interfaces, and VLANIF interfaces.
  3. Run:
     arp learning strict { force-enable | force-disable | trust }
     The strict ARP entry learning function is enabled on the interface.
     - force-enable: enables strict ARP entry learning on an interface.
     - force-disable: disables strict ARP entry learning on an interface.
     - trust: indicates that the configuration of strict ARP entry learning on an interface is the same as that configured globally.
     By default, the configuration of strict ARP entry learning on an interface is the same as that configured globally.
----End
Procedure
- Configuring interface-based ARP entry limiting
  1. Run:
     system-view
     Interface-based ARP entry limiting is configured. The vlan parameter can only be specified in the Layer 2 interface view.
- Configuring sub-interface-based ARP entry limiting
  1. Run:
     system-view
     The sub-interface view is displayed. On the AR200-S, sub-interface-based ARP entry limiting can be enabled on Ethernet sub-interfaces and Eth-Trunk sub-interfaces.
  3. Run:
     arp-limit maximum maximum
Procedure
- Run the display arp learning strict command to view the configuration of strict ARP learning.
- Run the display arp-limit [ interface interface-type interface-number ] [ vlan vlan-id ] command to view the maximum number of ARP entries that can be learned on an interface or in a VLAN.
----End
Example
Run the display arp learning strict command to view the configuration of strict ARP learning.
<Huawei> display arp learning strict The global configuration:arp learning strict
# Display the maximum number of ARP entries that can be learned on the entire device.
<Huawei> display arp-limit
interface        LimitNum   VlanID   LearnedNum(Mainboard)
---------------------------------------------------------------------------
Ethernet1/0/0    10         0        0
Ethernet0/0/0    10         10       0
---------------------------------------------------------------------------
Total:2
Applicable Environment
On an enterprise network, ARP entries are easily attacked; therefore, you can configure the following ARP anti-attack functions at the access layer to ensure network security:
- To prevent attackers from forging ARP packets of authorized users and modifying the ARP entries on the gateway, configure the ARP address anti-spoofing function.
- To prevent attackers from sending gratuitous ARP packets with the source IP addresses as the forged gateway address on a LAN, configure the ARP gateway anti-collision function and configure the AR200-S to send gratuitous ARP packets.
- To prevent unauthorized users from accessing external networks by sending ARP packets to the AR200-S, configure the ARP packet checking function.
Prerequisites
Before configuring defense against ARP attacks, complete the following task:
- Setting link layer protocol parameters and assigning IP addresses to interfaces to ensure that the status of the link layer protocol of the interfaces is Up
Data Preparation
To configure defense against ARP attacks, you need the following data.
- Check item in ARP packets
- (Optional) Alarm threshold for discarded ARP packets because they do not match the binding table
- (Optional) Interval at which gratuitous ARP packets are sent
Procedure
Step 1 Run:
system-view
ARP anti-spoofing is enabled. You can use only one ARP anti-spoofing mode at one time. If you run the arp anti-attack entry-check command multiple times, only the latest configuration takes effect. By default, ARP anti-spoofing is disabled on the AR200-S.
----End
6.4.3 Configuring the AR200-S to Check Source MAC Address Consistency in ARP Packets
The AR200-S checks validity of ARP packets and discards invalid ARP packets to defend against ARP attacks.
Context
By default, the AR200-S checks the following items of ARP packets:
- Packet length
- Validity of source and destination MAC addresses in the Ethernet header
- VLAN tag
- Packet type (The type field value must be 1 or 2.)
- Hardware address length
- IP address length
- Whether the ARP packet is encapsulated in an Ethernet frame
By default, the AR200-S checks the source and destination MAC addresses of all ARP packets. If an ARP packet has an all-0 source or destination MAC address, the AR200-S discards the ARP packet. Generally, the Ethernet header and ARP header of an ARP packet contain the same source MAC address. If the two headers contain different source MAC addresses, the ARP packet may be an attack packet. To protect the AR200-S from ARP attacks, configure the AR200-S to check consistency of source MAC addresses in Ethernet and ARP headers of ARP packets.
Procedure
Step 1 Run:
system-view
The AR200-S is configured to check consistency of MAC addresses in Ethernet and ARP headers of ARP packets. By default, the AR200-S does not check consistency of source MAC addresses in Ethernet and ARP headers of ARP packets.
----End
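As an added illustration, not code from the Huawei document, the following Python applies the default ARP check items listed above together with the optional source MAC consistency check to constructed untagged Ethernet/ARP frames. The VLAN tag check is omitted; the frame builder, MAC and IP addresses are constructed for the example.

```python
import socket
import struct

ETH_HDR_LEN = 14
ARP_BODY_LEN = 28            # Ethernet/IPv4 ARP body
ETHERTYPE_ARP = 0x0806
ZERO_MAC = b"\x00" * 6
BROADCAST_MAC = b"\xff" * 6


def mac_str(raw):
    """Render 6 raw bytes in the xxxx-xxxx-xxxx form used by the device."""
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def check_arp_frame(frame, check_src_mac_consistency=False):
    """Validate an untagged Ethernet/ARP frame; returns (ok, reason).

    The checks follow the default item list; comparing the Ethernet and
    ARP source MACs is the optional check the procedure above enables.
    """
    # Packet length: Ethernet header plus a complete IPv4 ARP body.
    if len(frame) < ETH_HDR_LEN + ARP_BODY_LEN:
        return False, "packet too short"
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    # Whether the ARP packet is encapsulated in an Ethernet frame.
    if ethertype != ETHERTYPE_ARP:
        return False, f"ethertype 0x{ethertype:04x} is not ARP"
    # Validity of source and destination MAC addresses in the Ethernet header.
    if src_mac == ZERO_MAC or dst_mac == ZERO_MAC:
        return False, "all-zero MAC address in Ethernet header"
    body = frame[ETH_HDR_LEN:ETH_HDR_LEN + ARP_BODY_LEN]
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", body)
    # Packet type: the operation field must be 1 (Request) or 2 (Reply).
    if oper not in (1, 2):
        return False, f"invalid ARP operation {oper}"
    # Hardware address length and IP address length for Ethernet/IPv4.
    if hlen != 6:
        return False, f"invalid hardware address length {hlen}"
    if plen != 4:
        return False, f"invalid IP address length {plen}"
    # Optional: the sender MAC inside ARP must match the Ethernet source MAC.
    if check_src_mac_consistency and sha != src_mac:
        return False, (f"source MAC mismatch: Ethernet {mac_str(src_mac)}, "
                       f"ARP {mac_str(sha)}")
    return True, "ok"


def build_arp_frame(eth_src, eth_dst, oper, sha, spa, tha, tpa, hlen=6, plen=4):
    """Assemble a constructed frame; hlen/plen are parameters so that
    malformed samples can be built for the checks above."""
    eth = struct.pack("!6s6sH", eth_dst, eth_src, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, hlen, plen, oper,
                      sha, socket.inet_aton(spa), tha, socket.inet_aton(tpa))
    return eth + arp


HOST_A = bytes.fromhex("001122334455")   # constructed sample MACs
HOST_B = bytes.fromhex("00aabbccddee")

# Constructed samples: one normal request and one per rejected condition.
SAMPLE_FRAMES = {
    "normal_request": build_arp_frame(HOST_A, BROADCAST_MAC, 1, HOST_A,
                                      "192.0.2.10", ZERO_MAC, "192.0.2.1"),
    "src_mac_mismatch": build_arp_frame(HOST_A, BROADCAST_MAC, 1, HOST_B,
                                        "192.0.2.10", ZERO_MAC, "192.0.2.1"),
    "zero_eth_src": build_arp_frame(ZERO_MAC, BROADCAST_MAC, 1, HOST_A,
                                    "192.0.2.10", ZERO_MAC, "192.0.2.1"),
    "bad_operation": build_arp_frame(HOST_A, BROADCAST_MAC, 3, HOST_A,
                                     "192.0.2.10", ZERO_MAC, "192.0.2.1"),
    "bad_hlen": build_arp_frame(HOST_A, BROADCAST_MAC, 1, HOST_A,
                                "192.0.2.10", ZERO_MAC, "192.0.2.1", hlen=8),
    "truncated": build_arp_frame(HOST_A, BROADCAST_MAC, 1, HOST_A,
                                 "192.0.2.10", ZERO_MAC, "192.0.2.1")[:30],
}


def classify(check_src_mac_consistency):
    """Map each sample to whether it is accepted under the given setting."""
    return {name: check_arp_frame(f, check_src_mac_consistency)[0]
            for name, f in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for setting in (False, True):
        print(f"source MAC consistency check = {setting}")
        for name, frame in SAMPLE_FRAMES.items():
            print(f"  {name:18s} {check_arp_frame(frame, setting)}")
```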
Procedure
Step 1 Run:
system-view
ARP gateway anti-collision is enabled. After ARP gateway anti-collision is enabled, the AR200-S generates ARP anti-collision entries and discards packets with the same source MAC address in the Ethernet header in a period of time. This can prevent ARP packets with a bogus gateway address from being broadcast in a VLAN.
----End
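Added example, not from the Huawei document: a Python model of gateway anti-collision that records a conflict entry when an ARP packet carries a gateway IP address with a foreign source MAC and drops that MAC's packets until the entry ages. The 180 s default follows the three-minute period stated earlier; the gateway-to-MAC mapping, interface names and addresses are constructed.

```python
GATEWAY_CONFLICT_AGING = 180.0   # three minutes, the default period stated on the page


class GatewayAntiCollision:
    """Model of ARP gateway anti-collision.

    gateways maps (vlan, gateway IP) to the gateway's real MAC, assumed to be
    known to the device. An ARP packet whose sender IP is a gateway address
    but whose Ethernet source MAC is not the gateway's creates a conflict
    entry; every further packet with that source MAC is dropped until the
    entry ages out.
    """

    def __init__(self, gateways, aging=GATEWAY_CONFLICT_AGING):
        self.gateways = dict(gateways)
        self.aging = aging
        self.table = {}      # (interface, ip, mac, vlan) -> expiry time
        self.blocked = {}    # source MAC -> expiry time

    def _sweep(self, now):
        for key, expiry in list(self.table.items()):
            if expiry <= now:
                del self.table[key]
        for mac, expiry in list(self.blocked.items()):
            if expiry <= now:
                del self.blocked[mac]

    def process(self, now, interface, vlan, src_mac, sender_ip):
        """Decide 'forward' or 'drop' for one received ARP packet."""
        self._sweep(now)
        if src_mac in self.blocked:
            return "drop"
        real_mac = self.gateways.get((vlan, sender_ip))
        if real_mac is not None and src_mac != real_mac:
            self.table[(interface, sender_ip, src_mac, vlan)] = now + self.aging
            self.blocked[src_mac] = now + self.aging
            return "drop"
        return "forward"

    def items(self, now):
        """Rows shaped like 'display arp anti-attack gateway-duplicate item':
        (interface, IP address, MAC address, VLAN ID, remaining aging time)."""
        self._sweep(now)
        return [(i, ip, mac, vlan, int(expiry - now))
                for (i, ip, mac, vlan), expiry in self.table.items()]


def demo():
    """Constructed traffic on Ethernet1/0/0 in VLAN 2, where the gateway
    2.1.1.1 really has MAC 0000-0000-0001."""
    guard = GatewayAntiCollision({(2, "2.1.1.1"): "0000-0000-0001"})
    d1 = guard.process(0.0, "Ethernet1/0/0", 2, "0000-0000-0001", "2.1.1.1")   # real gateway
    d2 = guard.process(0.0, "Ethernet1/0/0", 2, "0000-0000-0002", "2.1.1.1")   # foreign MAC claims gateway IP
    d3 = guard.process(30.0, "Ethernet1/0/0", 2, "0000-0000-0002", "2.1.1.9")  # same MAC, still blocked
    d4 = guard.process(30.0, "Ethernet1/0/0", 2, "0000-0000-0003", "2.1.1.3")  # unrelated host
    rows_at_30 = guard.items(30.0)                                             # 150 s of aging left
    d5 = guard.process(200.0, "Ethernet1/0/0", 2, "0000-0000-0002", "2.1.1.9") # entry aged out
    return [d1, d2, d3, d4, d5], rows_at_30


if __name__ == "__main__":
    decisions, rows = demo()
    print("decisions:", decisions)
    print("conflict table at t=30:", rows)
```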
Context
The AR200-S periodically sends ARP Request packets with the destination IP address as the gateway address to update the gateway MAC address in ARP entries on the network. By doing this, the AR200-S sends user packets to the correct gateway and prevents attackers from intercepting these packets. When the AR200-S functions as a gateway, enable gratuitous ARP packet sending globally or on an interface. If this function is enabled globally and on an interface simultaneously, the function enabled on the interface takes effect.
Procedure
- Configuring the AR200-S to send gratuitous ARP packets
  1. Run:
     system-view
     Gratuitous ARP packet sending is enabled. By default, gratuitous ARP packet sending is disabled.
  3. (Optional) Run:
     arp gratuitous-arp send interval interval-time
     The interval for sending gratuitous ARP packets is set. By default, the interval for sending gratuitous ARP packets is 90s.
- Configuring the AR200-S to send gratuitous ARP packets on an interface
  1. Run:
     system-view
     Gratuitous ARP packet sending is enabled. By default, gratuitous ARP packet sending is disabled.
  4. (Optional) Run:
     arp gratuitous-arp send interval interval-time
     The interval for sending gratuitous ARP packets is set. By default, the interval for sending gratuitous ARP packets is 90s.
----End
Procedure
- Run the display arp anti-attack configuration { arp-rate-limit | arpmiss-rate-limit | arp-speed-limit | arpmiss-speed-limit | entry-check | gateway-duplicate | log-traptimer | all } command to check the ARP anti-attack configuration.
- Run the display arp anti-attack gateway-duplicate item command to check information about bogus gateway address attacks.
----End
Example
Run the display arp anti-attack configuration all command to view the ARP anti-attack configuration.
<Huawei> display arp anti-attack configuration all
ARP anti-attack packet-check function: enable
ARP anti-attack entry-check mode: disabled
ARP gateway-duplicate anti-attack function: disabled
ARP rate-limit configuration:
-------------------------------------------------------------------------------
Global configuration:
 arp anti-attack rate-limit enable
 arp packet drop count = 0
Interface configuration:
-------------------------------------------------------------------------------
ARP miss rate-limit configuration:
-------------------------------------------------------------------------------
Global configuration:
 arp-miss anti-attack rate-limit enable
-------------------------------------------------------------------------------
ARP speed-limit for source-MAC configuration:
MAC-address        suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
0000-0000-0001     200
Others             100
-------------------------------------------------------------------------------
1 specified MAC addresses are configured, spec is 256 items.
ARP speed-limit for source-IP configuration:
IP-address         suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
10.0.0.1           512
Others             126
-------------------------------------------------------------------------------
1 specified IP addresses are configured, spec is 128 items.
ARP miss speed-limit for source-IP configuration:
IP-address         suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
10.134.23.6        400
Others             500
-------------------------------------------------------------------------------
1 specified IP addresses are configured, spec is 128 items.
Run the display arp anti-attack gateway-duplicate item command to view information about bogus gateway address attacks.
<Huawei> display arp anti-attack gateway-duplicate item
interface        IP address     MAC address      VLANID   aging time
-------------------------------------------------------------------------------
Ethernet1/0/0    2.1.1.1        0000-0000-0002   2        150
-------------------------------------------------------------------------------
There are 1 records in gateway conflict table
Applicable Environment
On intranets, ARP entries are often used to initiate attacks; therefore, it is required to configure ARP anti-attack on the access layer to ensure network security.
- To prevent excess ARP packets from occupying the CPU and prevent excess ARP entries, configure the rate limit for ARP packets to limit the number of ARP packets sent to the SRU.
- To prevent a host from sending excess IP packets with destination IP addresses that cannot be resolved, configure the rate limit for ARP Miss packets. The AR200-S discards these IP packets.
- After IP source guard is enabled on an interface, all the ARP packets passing through the interface are forwarded to the security module for checking. If excess ARP packets are sent to the security module, performance of the security module deteriorates. To solve this problem, configure the rate limit for ARP packets so that the packets that exceed the rate limit are discarded.
Pre-configuration Tasks
Before configuring ARP suppression, complete the following task:
- Setting link layer protocol parameters and the interface IP address and enabling the link layer protocol
Data Preparation
To configure ARP suppression, you need the following data.
- Rate limit for ARP packets with a specified source IP address
- Rate limit for ARP Miss packets with a specified source IP address
- Rate limit duration and rate limit for sending ARP packets; (Optional) Alarm threshold for the number of discarded ARP packets that exceed the rate limit
- Rate limit duration and rate limit for sending ARP Miss packets; (Optional) Alarm threshold for the number of discarded ARP packets that exceed the rate limit
- Rate limit of broadcasting ARP Request packets on the VLANIF interface of the super-VLAN
Procedure
Step 1 Run:
system-view
The rate limit of ARP packets with a specified source IP address is set. After the preceding configurations are complete, the rate limit of ARP packets with a specified source IP address is limited to the value specified by maximum in step 3, and the rate limit of ARP packets with other source IP addresses is limited to the value specified by maximum in step 2.
----End
Procedure
- Configuring the rate limit of ARP packets in the system view
  1. Run:
     system-view
     Rate limiting of ARP packets is enabled. By default, rate limiting of ARP packets is disabled globally.
  3. Run:
     arp anti-attack rate-limit packet-number [ interval-value ]
     The rate limit duration and the rate limit of ARP packets are set. After they are set, ARP packets whose rate exceeds the rate limit in the rate limit duration are discarded. By default, the rate limit of ARP packets is 100 and the rate limit duration of ARP packets is 1s.
  4. (Optional) Run:
     arp anti-attack rate-limit alarm enable
     The alarm function for ARP packets that are discarded when the rate of ARP packets exceeds the rate limit is enabled. By default, this alarm function is disabled.
  5. (Optional) Run:
     arp anti-attack rate-limit alarm threshold threshold
     The alarm threshold for the number of ARP packets discarded when the rate of ARP packets exceeds the rate limit is set. By default, the alarm threshold for the number of ARP packets discarded is 100.
- Configuring the rate limit of ARP packets in the interface view
  1. Run:
     system-view
     The interface view is displayed. The interface type can be Ethernet or Eth-Trunk.
  3. Run:
     arp anti-attack rate-limit enable
     The rate limit duration and the rate limit of ARP packets are set. After they are set, ARP packets whose rate exceeds the rate limit in the rate limit duration are discarded. By default, the rate limit of ARP packets is 100 and the rate limit duration of ARP packets is 1s.
  5. (Optional) Run:
     arp anti-attack rate-limit alarm enable
     The alarm function for ARP packets that are discarded when the rate of ARP packets exceeds the rate limit is enabled. By default, this alarm function is disabled.
  6. (Optional) Run:
     arp anti-attack rate-limit alarm threshold threshold
     The alarm threshold for the number of ARP packets discarded when the rate of ARP packets exceeds the rate limit is set. By default, the alarm threshold for the number of ARP packets discarded is 100.
----End
Procedure
Step 1 Run:
system-view
The rate limit of ARP Miss packets is set.
Step 3 (Optional) Run:
arp-miss speed-limit source-ip ip-address maximum maximum
The rate limit of ARP Miss packets with a specified source IP address is set. After the preceding configurations are complete, the rate limit of ARP Miss packets with a specified source IP address is specified by maximum in step 3, and the rate limit of ARP Miss packets with other source IP addresses is specified by maximum in step 2. If the rate limit of ARP packets is 0, ARP Miss packets are not suppressed. By default, the rate limit of ARP Miss packets is 5 pps.
----End
Context
If many ARP Miss packets are triggered, the system is busy in broadcasting ARP request packets and its performance deteriorates. After ARP Miss suppression is configured, the system counts ARP Miss packets generated within a specified period and discards excess ARP Miss packets.
Procedure
Step 1 Run:
system-view
Rate limiting of ARP Miss packets is enabled globally. By default, rate limiting of ARP Miss packets is disabled globally. Step 3 Run:
arp-miss anti-attack rate-limit packet-number [ interval-value ]
The rate limit duration and the rate limit of ARP Miss packets are set. After the rate limit duration and the rate limit of ARP Miss packets are set, ARP Miss packets that exceed the rate limit in the rate limit duration are discarded. By default, the rate limit of ARP Miss packets is 100 packets per second.
Step 4 (Optional) Run:
arp-miss anti-attack rate-limit alarm enable
The alarm function for the discarded ARP Miss packets that exceed the rate limit is enabled. By default, the alarm function is disabled.
Step 5 (Optional) Run:
arp-miss anti-attack rate-limit alarm threshold threshold
The alarm threshold for the discarded ARP Miss packets that exceed the rate limit is set. By default, the alarm threshold is 100.
----End
Procedure
Step 1 Run:
The rate limit of ARP packets with a specified source MAC address is set. After the preceding configurations are complete, the rate limit of ARP packets with the specified source MAC address is the maximum set in step 3, and the rate limit of ARP packets with other source MAC addresses is the maximum set in step 2.
----End
Context
After the aging time of fake ARP entries is set, the same ARP Miss packet is sent only once within the aging time. When the aging time expires, the fake ARP entries are deleted. If the packets forwarded by the device still match no ARP entry, ARP Miss packets are generated and reported again, and the device creates fake ARP entries again. This cycle of creating and deleting fake ARP entries repeats until the device learns correct ARP entries.
Procedure
Step 1 Run:
system-view
The interface view is displayed. The interface type can be Ethernet, Eth-Trunk, or VLANIF.
Step 3 Run:
arp-fake expire-time expire-time
The aging time of fake ARP entries is set. By default, the aging time of fake ARP entries is 1s.
----End
6.5.8 (Optional) Setting the Rate Limit of Broadcasting ARP Packets on the VLANIF Interface of a Super-VLAN
After the rate limit of broadcasting ARP Request packets on the VLANIF interface in a super VLAN is set, the system discards ARP Request packets that exceed the rate limit to reduce the CPU burden.
Context
The VLANIF interface in a super VLAN is triggered to learn ARP entries in the following situations:
• The VLANIF interface receives unknown unicast packets.
• ARP proxy is enabled on the VLANIF interface and the VLANIF interface receives ARP Request packets.
The VLANIF interface in the super-VLAN replicates ARP Request packets in each sub-VLAN when learning ARP entries. If a large number of sub-VLANs are configured for the super-VLAN, the AR200-S generates a large number of ARP Request packets. As a result, the CPU is busy in processing ARP Request packets and cannot process other services in a timely manner.
Procedure
Step 1 Run:
system-view
The rate limit of broadcasting ARP Request packets on all the VLANIF interfaces of the super VLAN is set. By default, the rate limit of broadcasting ARP Request packets on all the VLANIF interfaces in a super VLAN is 1000 pps.
----End
Procedure
• Run the display arp anti-attack configuration { arp-rate-limit | arpmiss-rate-limit } command to view the ARP rate limit configuration.
• Run the display arp anti-attack configuration { arp-speed-limit | arpmiss-speed-limit } command to view the ARP suppression configuration.
• Run the display arp flood statistics command to view the statistics on sent ARP Request packets of VLANIF interfaces in all super-VLANs.
----End
Example
# Run the display arp anti-attack configuration command to view the rate limit for ARP packets.
<Huawei> display arp anti-attack configuration arp-speed-limit
ARP speed-limit for source-MAC configuration:
MAC-address       suppress-rate(pps)(rate=0 means function disabled)
------------------------------------------------------------------------------
0000-0000-0001    150
Others            200
------------------------------------------------------------------------------
1 specified MAC addresses are configured, spec is 256 items.

ARP speed-limit for source-IP configuration:
IP-address        suppress-rate(pps)(rate=0 means function disabled)
------------------------------------------------------------------------------
10.0.0.20         50
Others            100
------------------------------------------------------------------------------
1 specified IP addresses are configured, spec is 512 items.
# Run the display arp flood statistics command to view the statistics on sent ARP Request packets of VLANIF interfaces in all super-VLANs.
<Huawei> display arp flood statistics
ARP request packets statistics on supervlan:
Total ARP request packets number  : 5100
Sent ARP request packets number   : 4000
Dropped ARP request packets number: 1100
Procedure
• Run the display arp packet statistics command to view the statistics on ARP packets.
----End
Example
Run the display arp packet statistics command to view the statistics on ARP packets.
<Huawei> display arp packet statistics
ARP Pkt Received:                   sum 199992
ARP Learnt Count:                   sum 4
ARP Pkt Discard For Limit:          sum 0
ARP Pkt Discard For SpeedLimit:     sum 0
ARP Pkt Discard For Proxy Suppress: sum 0
ARP Pkt Discard For Other:          sum 18220
Context
CAUTION
Statistics cannot be restored after being cleared. Exercise caution when you run this command. Run the following command in the user view to clear the statistics.
Procedure
• Run the reset arp packet statistics command to clear the statistics on ARP packets.
• Run the reset arp flood statistics command to clear the statistics on ARP Request packets of all the VLANIF interfaces in a super-VLAN.
----End
Context
CAUTION
Statistics cannot be restored after being cleared. Exercise caution when you run this command. To clear the statistics on discarded ARP packets, run the following commands in the user view.
Procedure
• Run the reset arp anti-attack statistics rate-limit { global | interface interface-type interface-number } command to clear the statistics on the ARP packets discarded because the transmission rate exceeds the limit.
----End
Networking Requirements
As shown in Figure 6-1, the Router is connected to a server through Ethernet0/0/3, which is added to VLAN 30, and is connected to users in VLAN 10 and VLAN 20 through Ethernet0/0/1 and Ethernet0/0/2. The following ARP attacks occur on the network:
• The server may send several packets with an unreachable destination IP address, and the number of these packets is larger than the number of packets from common users.
• After virus attacks occur on user 1, a large number of ARP packets are sent. Among these packets, the source IP address of certain ARP packets changes on the local network segment and the source IP address of certain ARP packets is the same as the IP address of the gateway.
• User 3 constructs a large number of ARP packets with a fixed IP address to attack the network.
• User 4 constructs a large number of ARP packets with an unreachable destination IP address to attack the network.
ARP security functions are required to be configured on the Router to prevent the preceding attacks. The rate limit of ARP Miss packets on the server should be greater than the rate limit of other users.
Figure 6-1 Network diagram for configuring ARP security functions
[Figure 6-1 not reproduced. Labels in the diagram: Router; Server on Ethernet0/0/3; Ethernet0/0/1 to VLAN10; Ethernet0/0/2 to VLAN20; User1, User2, User3, User4]
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable strict ARP learning.
2. Enable interface-based ARP entry limiting.
3. Enable the ARP anti-spoofing function.
4. Enable the ARP anti-attack function for preventing attacks by sending ARP packets with a bogus gateway address.
5. Configure the rate limit for ARP packets with the specified source IP address.
6. Configure the rate limit for ARP Miss packets.
7. Enable log and alarm functions for potential attacks.
Data Preparation
To complete the configuration, you need the following data:
• Number of limited ARP entries on the interface: 20
• Anti-spoofing mode used to prevent attacks that are initiated by user 1: fixed-mac
• IP addresses of VLANIF10, VLANIF20 and VLANIF30: 2.2.1.10/24, 2.2.4.10/24 and 2.2.2.10/24
• IP address of the server: 2.2.2.2/24
• IP address of user 4 that sends a large number of ARP packets: 2.2.4.2/24
• Rate limit for ARP packets of user 4 and rate limit for ARP packets of other users: 10 pps and 15 pps
• Rate limit for ARP Miss packets of common users: 20 pps; rate limit for ARP Miss packets on the server: 50 pps
• Interval for writing an ARP log and sending an alarm: 300s
Procedure
Step 1 Create a VLAN, add an interface to the VLAN, and assign an IP address to the VLANIF interface. The configuration procedure is not mentioned here.
Step 2 Enable strict ARP learning.
<Huawei> system-view
[Huawei] sysname Router
[Router] arp learning strict
Step 3 Configure interface-based ARP entry limiting.
# The number of limited ARP entries on Ethernet0/0/1, Ethernet0/0/2 and Ethernet0/0/3 is 20. The following lists the configuration of Ethernet0/0/1.
[Router] interface ethernet 0/0/1
[Router-Ethernet0/0/1] arp-limit vlan 10 maximum 20
[Router-Ethernet0/0/1] quit
Step 4 Enable the ARP anti-spoofing function.
# Set the ARP anti-spoofing mode to fixed-mac to prevent ARP spoofing attacks initiated by user 1.
[Router] arp anti-attack entry-check fixed-mac enable
Step 5 Enable the ARP anti-attack function to prevent attacks by sending ARP packets with a bogus gateway address.
# Enable the ARP anti-attack function for preventing user 1 from sending ARP packets with a bogus gateway address.
[Router] arp anti-attack gateway-duplicate enable
Step 6 Configure the rate limit for ARP packets with the specified source IP address.
# Set the rate limit for ARP packets sent by user 4 to 10 pps. To prevent any user from sending a large number of ARP packets, set the system-wide rate limit for ARP packets to 15 pps.
[Router] arp speed-limit source-ip maximum 15
[Router] arp speed-limit source-ip 2.2.4.2 maximum 10
Step 7 Configure the rate limit for ARP Miss packets.
# Set the rate limit for ARP Miss packets of the system to 20 pps to prevent users from sending a large number of IP packets with an unreachable destination IP address.
[Router] arp-miss speed-limit source-ip maximum 20
# Set the rate limit for ARP Miss packets on the server to 50 pps. This prevents the server from sending a large number of IP packets with an unreachable destination IP address, and keeps communication on the network from being affected when the server sends such packets at an abnormal rate.
[Router] arp-miss speed-limit source-ip 2.2.2.2 maximum 50
Step 8 Verify the configuration.
After the configuration, run the display arp learning strict command to view information about strict ARP learning.
<Router> display arp learning strict
 The global configuration:arp learning strict
 interface                    LearningStrictState
 --------------------------------------------------------------------------
 Total:0   force-enable:0   force-disable:0
You can use the display arp-limit command to check the maximum number of ARP entries learned by the interface. Take the display on Ethernet0/0/1 as an example.
<Router> display arp-limit interface ethernet Ethernet0/0/1
 interface        LimitNum   VlanID   LearnedNum(Mainboard)
 --------------------------------------------------------------------------
 Ethernet0/0/1    20         10       0
 --------------------------------------------------------------------------
 Total:1
You can use the display arp anti-attack configuration all command to check the ARP anti-attack configuration.
<Router> display arp anti-attack configuration all
ARP anti-attack packet-check function: disabled
ARP anti-attack entry-check mode: fixed-MAC
ARP gateway-duplicate anti-attack function: enabled

ARP rate-limit configuration:
------------------------------------------------------------------------------
Global configuration:
Interface configuration:
------------------------------------------------------------------------------

ARP miss rate-limit configuration:
------------------------------------------------------------------------------
Global configuration:
------------------------------------------------------------------------------

ARP speed-limit for source-MAC configuration:
MAC-address       suppress-rate(pps)(rate=0 means function disabled)
------------------------------------------------------------------------------
All               0
------------------------------------------------------------------------------
0 specified MAC addresses are configured, spec is 256 items.

ARP speed-limit for source-IP configuration:
IP-address        suppress-rate(pps)(rate=0 means function disabled)
------------------------------------------------------------------------
2.2.4.2           10
Others            15
------------------------------------------------------------------------
1 specified IP addresses are configured, spec is 128 items.

ARP miss speed-limit for source-IP configuration:
IP-address        suppress-rate(pps)(rate=0 means function disabled)
------------------------------------------------------------------------
2.2.2.2           50
Others            20
------------------------------------------------------------------------
1 specified IP addresses are configured, spec is 128 items.
You can use the display arp packet statistics command to view the number of discarded ARP packets and the number of learned ARP entries.
<Router> display arp packet statistics
ARP Pkt Received:                   sum 167
ARP Learnt Count:                   sum 8
ARP Pkt Discard For Limit:          sum 5
ARP Pkt Discard For SpeedLimit:     sum 0
ARP Pkt Discard For Proxy Suppress: sum 0
ARP Pkt Discard For Other:          sum 3
In addition, you can also use the display arp anti-attack gateway-duplicate item command to view information about attacks from packets with a forged gateway address on the current network.
<Router> display arp anti-attack gateway-duplicate item
interface        IP address    MAC address       VLANID   aging time
------------------------------------------------------------------------------
Ethernet0/0/1    2.2.1.10      0000-0000-0002    10       153
Ethernet0/0/2    2.2.4.10      0000-0000-0004    20       179
------------------------------------------------------------------------------
There are 2 records in gateway conflict table
----End
Configuration Files
#
 sysname Router
#
vlan batch 10 20 30
#
 arp speed-limit source-ip maximum 15
 arp-miss speed-limit source-ip maximum 20
 arp learning strict
#
 arp anti-attack entry-check fixed-mac enable
 arp anti-attack gateway-duplicate enable
 arp-miss speed-limit source-ip 2.2.2.2 maximum 50
 arp speed-limit source-ip 2.2.4.2 maximum 10
#
interface Ethernet0/0/1
 port hybrid pvid vlan 10
7
About This Chapter
This section describes configuration procedures for ICMP security and provides configuration examples.
7.1 ICMP Security Overview
This section describes ICMP security principles.
7.2 ICMP Security Features Supported by the AR200-S
The AR200-S can limit the rate at which ICMP packets are received, check the validity of ICMP packets, discard invalid and specified ICMP packets, and ignore destination-unreachable packets.
7.3 Limiting the Rate of ICMP Packets
This section describes how to limit the rate at which ICMP packets are received.
7.4 Configuring the AR200-S to Discard Specified ICMP Packets
This section describes how to configure the AR200-S to discard specified ICMP packets.
7.5 Disabling the AR200-S from Sending Destination-Unreachable Packets
This section describes how to disable the AR200-S from sending destination-unreachable packets.
7.6 Maintaining ICMP Security
This section describes how to monitor the ICMP running status.
7.7 Configuration Examples
This section provides ICMP security configuration examples.
Checking Validity of ICMP Packets and Discarding Invalid and Specified ICMP Packets
By default, the AR200-S discards invalid ICMP packets, such as ICMP packets with a TTL value of 0 or of type 15, 16 or 17, to protect CPU resources. The AR200-S can also be configured to discard seldom-used ICMP packets, including ICMP packets with a TTL value of 1, with options, or with unreachable destinations. This helps reduce the burden on the AR200-S and protect CPU resources.
Applicable Environment
The AR200-S receives a large number of ICMP packets from the network, and these packets consume a lot of CPU resources. Limiting the rate at which ICMP packets are received can help reduce the burden of the CPU, ensuring nonstop service transmission. After this function is configured, the AR200-S discards excess packets.
NOTE
After rate limiting of ICMP packets is configured, the AR200-S may fail to respond to ping packets.
Procedure
• Configuring the global rate limit for ICMP packets
1. Run:
system-view
The global ICMP packet rate limiting function is enabled. By default, the global ICMP packet rate limiting function is disabled on an AR200-S.
3. (Optional) Run:
icmp rate-limit threshold threshold-value
The global rate limit for ICMP packets is set. By default, the global rate limit for ICMP packets is 100 pps.
• Configuring the rate limit for ICMP packets on a specified interface
1. Run:
system-view
The interface view is displayed. The AR200-S can limit the rate at which ICMP packets are received on Ethernet interfaces and Eth-Trunk interfaces.
3. Run:
icmp rate-limit enable
The ICMP packet rate limiting function is enabled on the interface. By default, the ICMP packet rate limiting function is disabled on an AR200-S.
4. (Optional) Run:
icmp rate-limit threshold threshold-value
The highest rate at which ICMP packets are received on the interface is set. By default, the rate limit for ICMP packets on an interface is 100 pps. To configure rate limits for ICMP packets on multiple interfaces, repeat this step.
----End
Applicable Environment
The AR200-S receives a large number of ICMP packets from the network, and these packets consume a lot of CPU resources. The AR200-S can be configured to discard seldom-used ICMP packets, including the ICMP packets with the TTL values of 1, with options, and with unreachable destinations. This helps reduce the burden of processing ICMP packets that are received on the AR200-S, protecting CPU resources.
Pre-configuration Tasks
Before configuring the AR200-S to discard specified ICMP packets, complete the following task:
• Setting parameters for the link layer protocols on the interfaces to ensure that the link layer protocols are Up
Data Preparation
None.
7.4.2 Configuring the AR200-S to Discard the ICMP Packets with TTL Value of 1
This section describes how to configure the AR200-S to discard the ICMP packets with the TTL value of 1.
Context
The AR200-S receives a large number of ICMP packets from the network, and these packets consume a lot of CPU resources. The AR200-S can be configured to discard the ICMP packets with the TTL value of 1. This helps reduce the burden on the AR200-S and protect CPU resources.
Procedure
Step 1 Run:
system-view
The AR200-S is enabled to discard ICMP packets with the TTL value of 1. By default, the AR200-S does not discard ICMP packets with the TTL value of 1.
----End
7.4.3 Configuring the AR200-S to Discard the ICMP Packets with Options
This section describes how to configure the AR200-S to discard the ICMP packets with options.
Context
Processing the tasks defined in the options of the IP header of ICMP packets (for example, calculating the hop count) keeps the AR200-S busy, so normal services are not processed immediately. The AR200-S receives a large number of ICMP packets from the network, and these packets consume a lot of CPU resources. The AR200-S can be configured to discard the ICMP packets with options. This helps reduce the burden on the AR200-S and protect CPU resources.
Procedure
Step 1 Run:
system-view
The AR200-S is enabled to discard ICMP packets with options. By default, the AR200-S does not discard ICMP packets with options.
----End
Context
The AR200-S receives a large number of ICMP packets from the network, and these packets consume a lot of CPU resources. The AR200-S can be configured to discard the ICMP destination-unreachable packets. This helps reduce the burden on the AR200-S and protect CPU resources.
Procedure
Step 1 Run:
system-view
The AR200-S is enabled to discard ICMP destination-unreachable packets. By default, the AR200-S does not discard ICMP destination-unreachable packets.
----End
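The three discard settings from sections 7.4.2 to 7.4.4, together with the default validity checks listed in the feature overview (TTL 0 and ICMP types 15, 16 and 17), as one packet-classification routine in Python. This is an added example and not AR200-S code: the IPv4/ICMP parsing, the packet builder and the rule order are constructed for illustration, and checksums are not verified.

```python
import struct

# ICMP types named in this chapter (values from RFC 792)
ICMP_DEST_UNREACHABLE = 3
ICMP_ECHO_REQUEST = 8
ICMP_INFO_REQUEST, ICMP_INFO_REPLY, ICMP_MASK_REQUEST = 15, 16, 17


def build_icmp_packet(ttl, icmp_type, options=b""):
    """Build a minimal IPv4 datagram carrying an ICMP header (constructed test
    input; checksums are left as zero because the filter does not verify them)."""
    options += b"\x00" * (-len(options) % 4)        # options are padded to 32-bit words
    ihl = 5 + len(options) // 4                      # header length in 32-bit words
    icmp = struct.pack("!BBHI", icmp_type, 0, 0, 0)  # type, code, checksum, rest of header
    total_len = ihl * 4 + len(icmp)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len, 0, 0, ttl, 1, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip_hdr + options + icmp


def parse_ipv4_icmp(pkt):
    """Return (ttl, has_options, icmp_type) for an IPv4/ICMP datagram,
    None if the datagram is not ICMP; raise ValueError if it is malformed."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 version or header length")
    ttl, proto = pkt[8], pkt[9]
    if proto != 1:                      # protocol 1 = ICMP
        return None
    if len(pkt) < ihl + 8:
        raise ValueError("truncated ICMP header")
    return ttl, ihl > 20, pkt[ihl]      # options present when the header exceeds 20 bytes


def icmp_drop_reason(pkt, ttl_exceeded_drop=False, with_options_drop=False,
                     unreachable_drop=False):
    """Apply the checks this chapter describes and return the reason a packet
    would be discarded, or None if it is passed on.
    The three keyword flags stand for the "icmp ttl-exceeded drop",
    "icmp with-options drop" and "icmp unreachable drop" settings; the TTL 0
    and type 15/16/17 checks model the always-on default behaviour."""
    parsed = parse_ipv4_icmp(pkt)
    if parsed is None:
        return None
    ttl, has_options, icmp_type = parsed
    if ttl == 0:
        return "invalid: TTL 0"
    if icmp_type in (ICMP_INFO_REQUEST, ICMP_INFO_REPLY, ICMP_MASK_REQUEST):
        return "invalid: ICMP type %d" % icmp_type
    if ttl_exceeded_drop and ttl == 1:
        return "icmp ttl-exceeded drop"
    if with_options_drop and has_options:
        return "icmp with-options drop"
    if unreachable_drop and icmp_type == ICMP_DEST_UNREACHABLE:
        return "icmp unreachable drop"
    return None


if __name__ == "__main__":
    # Echo request with all three settings on: TTL 64, no options, so it passes.
    print(icmp_drop_reason(build_icmp_packet(64, ICMP_ECHO_REQUEST), True, True, True))
    # Same settings, TTL 1: discarded by "icmp ttl-exceeded drop".
    print(icmp_drop_reason(build_icmp_packet(1, ICMP_ECHO_REQUEST), True, True, True))
```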
Procedure
• Run the display current-configuration command to check whether the AR200-S is configured to discard specified ICMP packets.
----End
Example
# Run the display current-configuration | include icmp command to check whether the AR200-S is configured to discard specified ICMP packets.
<Huawei> display current-configuration | include icmp
 icmp unreachable drop
 icmp ttl-exceeded drop
 icmp with-options drop
Applicable Environment
The AR200-S can be disabled from sending destination-unreachable packets, including host-unreachable packets and port-unreachable packets. If an attacker sends a large number of destination-unreachable packets to attack the AR200-S, the AR200-S does not respond to these packets and discards them directly to protect CPU resources.
Procedure
Step 1 Run:
system-view
The AR200-S is disabled from sending ICMP port-unreachable packets. By default, the AR200-S is enabled to send ICMP port-unreachable packets.
Step 3 Run:
interface interface-type interface-number
The interface view is displayed. The AR200-S cannot be configured to send the ICMP host-unreachable packets on a Layer 2 interface.
Step 4 Run:
undo icmp host-unreachable send
The interface is disabled from sending the ICMP host-unreachable packets. By default, the AR200-S is enabled to send ICMP host-unreachable packets.
----End
Procedure
• Run the display icmp statistics command to check statistics about ICMP traffic.
----End
Example
# Run the display icmp statistics command to view statistics about ICMP traffic.
<Huawei> display icmp statistics
  Input: bad formats              0
         echo                     0
         source quench            0
         echo reply               0
         timestamp                0
         bad checksum             0
         destination unreachable  0
         redirects                0
         parameter problem        0
         information request      0
         Mping reply
         destination unreachable
         redirects
         parameter problem
         information reply
         mask replies
         Mping reply
7.7.1 Example for Disabling the AR200-S from Sending Host-Unreachable Packets
This section provides an example to illustrate how to disable the AR200-S from sending host-unreachable packets.
Networking Requirements
As shown in Figure 7-1, RouterA, RouterB and RouterC are connected through their Layer 3 interfaces to test whether the AR200-S can send ICMP host-unreachable packets.
NOTE
[Figure 7-1 not reproduced. Labels in the diagram: RouterA, Eth1/0/0 1.1.1.1/24; Eth1/0/0 1.1.1.2/24, RouterB; Eth2/0/0 3.3.3.1/24; RouterC, Eth1/0/0 2.2.2.2/24; Internet]
Configuration Roadmap
The configuration roadmap is as follows:
1. Assign IP addresses to corresponding interfaces on each device.
2. Configure static routes from RouterA to RouterC.
3. By default, an interface is enabled to send ICMP host-unreachable packets. If this function is enabled, skip this step.
4. Disable Eth1/0/0 on RouterB from sending ICMP host-unreachable packets so that RouterB will not respond to the incoming host-unreachable packets on Eth1/0/0.
Data Preparation
To complete the configuration, you need the following data:
• Static routes from RouterA to RouterC
• IP address of each interface
Procedure
Step 1 Configure RouterA.
# Configure static routes on RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ip route-static 2.2.2.0 255.255.255.0 1.1.1.2
Step 3 Configure RouterB.
# Disable Eth1/0/0 from sending ICMP host-unreachable packets and assign an IP address to Eth1/0/0.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] interface ethernet 1/0/0
[RouterB-Ethernet1/0/0] undo icmp host-unreachable send
[RouterB-Ethernet1/0/0] ip address 1.1.1.2 24
[RouterB-Ethernet1/0/0] quit
[RouterB] quit
# Run ping 2.2.2.2 on RouterA. If RouterB does not send ICMP host-unreachable packets, the configuration succeeds.
There is no reachable route from RouterB to RouterC; therefore RouterB should respond to ping packets received from RouterA with ICMP host-unreachable packets. Because Eth1/0/0 of RouterB is disabled from sending ICMP host-unreachable packets, RouterB does not respond to ping packets received from RouterA.
----End
Configuration Files
• Configuration file of RouterA
#
 sysname RouterA
#
interface Ethernet 1/0/0
 ip address 1.1.1.1 255.255.255.0
#
ip route-static 2.2.2.0 255.255.255.0 1.1.1.2
#
return
7.7.2 Example for Optimizing System Performance by Discarding Certain ICMP Packets
This section describes how to optimize system performance by discarding specified ICMP packets.
Networking Requirements
As shown in Figure 7-2, RouterA functions as the access device that connects the enterprise, an individual user, and a user network (attached through an LSW) to the Internet. RouterA is connected to RouterB. RouterA needs to discard ICMP packets with the TTL value of 1, with options, or with unreachable destinations to protect CPU resources.
[Figure 7-2 not reproduced. Labels in the diagram: RouterA; RouterB; Internet]
Configuration Roadmap
The configuration roadmap is as follows:
• Configure RouterA to discard ICMP packets with the TTL value of 1.
• Configure RouterA to discard ICMP packets with options.
• Configure RouterA to discard ICMP destination-unreachable packets.
Data Preparation
None.
Procedure
Step 1 Configure RouterA to discard specified ICMP packets.
# Configure RouterA to discard ICMP packets with the TTL value of 1.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] icmp ttl-exceeded drop
Step 2 Verify the configuration.
# Run the display current-configuration command in the user view. You can view the ICMP security configuration.
<RouterA> display current-configuration | include icmp
 icmp unreachable drop
 icmp ttl-exceeded drop
 icmp with-options drop
----End
Configuration Files
#
 sysname RouterA
#
 icmp unreachable drop
 icmp ttl-exceeded drop
 icmp with-options drop
#
return
URPF
When the AR200-S receives a packet, it searches for the route to the destination address of the packet. If the route is found, the AR200-S forwards the packet. Otherwise, the AR200-S discards the packet.
After URPF is configured, the AR200-S obtains the source address and inbound interface of the packet. The AR200-S takes the source address as the destination address to retrieve the corresponding outbound interface in the FIB and compares the retrieved interface with the inbound interface. If they do not match, the AR200-S considers the source address as a spoofing address and discards the packet.
URPF can effectively protect the AR200-S against malicious attacks by blocking packets from bogus source addresses. As shown in Figure 8-1, RouterA sends bogus packets carrying the source address 2.1.1.1 of RouterC to RouterB. RouterB sends response packets to the real source address 2.1.1.1. RouterB and RouterC are attacked by the bogus packets. If URPF is enabled on an interface of RouterB, when RouterB receives bogus packets, it detects that the packets should not come from RouterA's interface and discards these bogus packets.
Figure 8-1 URPF
[Figure 8-1 not reproduced. Labels in the diagram: RouterA; RouterB; RouterC; 2.1.1.1/24]
URPF
URPF takes effect only on Layer 3 inbound interfaces of the AR200-S. If URPF is enabled on an interface, the URPF check is conducted on packets received by the interface.
The AR200-S supports the following types of URPF check modes:
• Strict check: Packets can pass the check only when the FIB table of the AR200-S has a corresponding routing entry with the destination address being the source address of the packet and the inbound interface of the packets matches the outbound interface in the routing entry. Unmatched packets are discarded.
• Loose check: A packet can pass the check as long as the FIB table of the AR200-S has a routing entry with the destination address being the source address of the packet.
Applicable Environment
Users on an enterprise network are often attacked by unauthorized users on other network segments when they use applications demanding IP address-based authentication. An attacker sends bogus packets with the IP address of an authorized user to a server to access the server. As a result, the authorized user cannot access the server or the authorized user information is intercepted. To prevent such an attack, configure URPF on the AR200-S.
As shown in Figure 8-2, Network 1 and VLAN 10 are connected to Eth0/0/8 and Vlanif 10 of RouterA. URPF strict check is configured on Eth0/0/8 and Vlanif 10. PC A on Network 1 sends a bogus packet with the source IP address 2.2.2.2 to the server on Network 3. After RouterA receives this packet, it checks the inbound interface. Packets with the source address 2.2.2.2 must reach Network 3 through Vlanif 10, not Eth0/0/8. Therefore, RouterA considers the packet as a bogus packet and discards it. This protects PC B on VLAN 10 against IP address spoofing attacks initiated from PC A. Packets sent from VLAN 10 to the server pass the URPF check and are forwarded normally.
Figure 8-2 URPF application
[Figure 8-2 not reproduced. Labels in the diagram: Network1, PC A 1.1.1.1/24; Eth0/0/8 (URPF enabled); RouterA; VLAN 10, PC B 2.2.2.2/24, Vlanif 10; Eth0/0/1; RouterB; 3.3.3.3/24; Network3, Server]
Procedure
Step 1 Run:
system-view
The interface view is displayed. URPF cannot be configured on Layer 2 interfaces of the AR200-S.
Step 3 Configure URPF check for packets on the interface.
• Configure URPF check for IPv4 packets on the interface. Run the urpf { loose | strict } [ allow-default-route ] command to configure the URPF check for IPv4 packets on the interface.
• Configure URPF check for IPv6 packets on the interface. Run the ipv6 urpf { loose | strict } [ allow-default-route ] command to configure the URPF check for IPv6 packets on the interface.
NOTE
To configure URPF check for IPv6 packets on an interface, enable the IPv6 function on the interface first. Run the ipv6 command in the system view, and then the ipv6 enable command in the interface view.
----End
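The URPF decision described in this chapter (the strict and loose checks from the overview, and the allow-default-route option from the procedure above), replayed against the Figure 8-2 scenario in Python. This is an added example and not AR200-S code: the Route and Fib classes, the urpf_check function, the FIB contents and the reading of allow-default-route are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_iface: str


class Fib:
    """Minimal longest-prefix-match forwarding table (constructed for the example)."""

    def __init__(self, routes):
        # Longest prefix first, so the first hit in lookup() is the best match.
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr):
        ip = ipaddress.IPv4Address(addr)
        for route in self.routes:
            if ip in route.prefix:
                return route
        return None


def urpf_check(fib, src_ip, in_iface, mode="strict", allow_default_route=False):
    """Decide whether a packet passes the URPF check, following the strict and
    loose definitions in this chapter.
    strict: a route whose destination covers the source address must exist AND
            its outbound interface must equal the inbound interface of the packet.
    loose:  such a route only needs to exist.
    Assumption: without allow-default-route, a source that matches only the
    default route is treated as unrouted; with it, the default route counts
    like any other route in both modes."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    route = fib.lookup(src_ip)
    if route is None:
        return False                      # no route back to the source
    if route.prefix.prefixlen == 0 and not allow_default_route:
        return False                      # only the default route matched
    if mode == "loose":
        return True
    return route.out_iface == in_iface    # strict: reverse path must match


# FIB of RouterA in Figure 8-2 (constructed; the 3.3.3.0/24 and default-route
# entries are assumptions, the first two entries follow the figure).
ROUTER_A_FIB = Fib([
    Route(ipaddress.IPv4Network("1.1.1.0/24"), "Eth0/0/8"),   # Network 1, PC A
    Route(ipaddress.IPv4Network("2.2.2.0/24"), "Vlanif10"),   # VLAN 10, PC B
    Route(ipaddress.IPv4Network("3.3.3.0/24"), "Eth0/0/1"),   # towards RouterB
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "Eth0/0/1"),    # default route
])


def spoof_scenario():
    """PC A (1.1.1.1 behind Eth0/0/8) forges source 2.2.2.2, which belongs to
    VLAN 10; return the verdict for each mode and for the genuine PC B packet."""
    return {
        "strict": urpf_check(ROUTER_A_FIB, "2.2.2.2", "Eth0/0/8", "strict"),
        "loose": urpf_check(ROUTER_A_FIB, "2.2.2.2", "Eth0/0/8", "loose"),
        "genuine_pc_b": urpf_check(ROUTER_A_FIB, "2.2.2.2", "Vlanif10", "strict"),
    }


if __name__ == "__main__":
    print(spoof_scenario())   # {'strict': False, 'loose': True, 'genuine_pc_b': True}
```

The loose verdict shows why the example in section 8.3 chooses strict mode: a forged source that merely exists in the FIB passes a loose check.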
Networking Requirements
As shown in Figure 8-3, the R&D department of an enterprise connects to Eth0/0/1 of RouterA, and the marketing department connects to Eth0/0/2. RouterA has a reachable route to an external server, and users in the R&D and marketing departments are allowed to connect to the server through RouterA. RouterA is required to prevent staff in other departments from accessing the server without permission.
In Figure 8-3, RouterA is an access router of the enterprise, and RouterB is an aggregation router.
Figure 8-3 (diagram): PC A (10.10.1.1/24, marketing) and PC B (10.10.2.1/24, R&D) connect to Eth0/0/1 and Eth0/0/2 of RouterA; RouterA reaches the server (10.2.2.10/24) through RouterB. The figure annotates a packet with source 10.10.2.1 and destination 10.2.2.10.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure VLAN 10 and VLAN 20 and add Eth0/0/1 and Eth0/0/2 to VLAN 10 and VLAN 20 respectively.
2. Configure URPF on VLANIF 10 and VLANIF 20 and allow special processing for the default route.
Data Preparation
l URPF check mode: strict check
NOTE
URPF strict check is used because packets are transmitted between RouterA and the server through the same path.
l Network segment on which the R&D department is located: 10.10.2.0/24
l Network segment on which the marketing department is located: 10.10.1.0/24
l Server IP address: 10.2.2.10/24
Procedure
Step 1 Configure VLANs and add interfaces to VLANs.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] vlan 10
[RouterA-vlan10] quit
[RouterA] vlan 20
[RouterA-vlan20] quit
[RouterA] interface ethernet 0/0/1
[RouterA-Ethernet0/0/1] port link-type trunk
[RouterA-Ethernet0/0/1] port trunk allow-pass vlan 10
[RouterA-Ethernet0/0/1] quit
[RouterA] interface ethernet 0/0/2
[RouterA-Ethernet0/0/2] port link-type trunk
[RouterA-Ethernet0/0/2] port trunk allow-pass vlan 20
[RouterA-Ethernet0/0/2] quit
Step 2 Configure URPF strict check on VLANIF 10 and VLANIF 20 and allow special processing for the default route.
[RouterA] interface vlanif 10
[RouterA-vlanif 10] urpf strict allow-default-route
[RouterA-vlanif 10] quit
[RouterA] interface vlanif 20
[RouterA-vlanif 20] urpf strict allow-default-route
[RouterA-vlanif 20] quit
Step 3 Verify the configuration. Run the display this command on VLANIF10 to view the URPF configuration.
[RouterA-vlanif 10] display this
#
interface Vlanif10
 urpf strict allow-default-route
#
return
Run the display this command on VLANIF20 to view the URPF configuration.
[RouterA-vlanif 20] display this
#
interface Vlanif20
 urpf strict allow-default-route
#
return
----End
Configuration Files
#
 sysname RouterA
#
vlan batch 10 20
#
interface Vlanif10
 urpf strict allow-default-route
#
interface Vlanif20
 urpf strict allow-default-route
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface Ethernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
#
return
l Blacklist: A blacklist is a group of unauthorized users. To defend against malicious attacks, the AR200-S adds users with a specific characteristic to a blacklist by using ACL rules and discards the packets sent from the users in the blacklist.
l Rate limit: The rate limit function limits the rate of packets sent to the CPU. The AR200-S sets different rate limits for packets of different types, or discards packets of a certain type, to protect the CPU.
l Priority for packets of a specified protocol: The AR200-S schedules packets sent to the CPU based on the priorities of protocol packets, so that packets with higher protocol priorities are processed first.
l Rate limit for all packets: The AR200-S can limit the rate of all packets sent to the CPU to protect the CPU.
l ALP: Active link protection (ALP) protects session-based application layer data, such as HTTP and FTP sessions, and ensures that these services continue to be transmitted when attacks occur. When the AR200-S detects the setup of an HTTP or FTP session, ALP protects the session: packets matching the characteristics of the session are sent to the CPU at a higher rate, which keeps session-related services reliable and stable.
Applicable Environment
A large number of attack packets may be sent to the CPUs of network devices. Attack source tracing examines attack packets sent to the CPU and notifies the administrator through logs or alarms so that the administrator can take measures against the attack.
Procedure
Step 1 Run:
system-view
The system view is displayed. Step 2 Run:
cpu-defend policy policy-name
An attack defense policy is created and the attack defense policy view is displayed. The AR200-S supports a maximum of 19 attack defense policies, including the default attack defense policy. The default attack defense policy is generated automatically by the system and is applied to all boards. The default attack defense policy cannot be deleted or modified. The other 18 policies can be created and deleted. Step 3 (Optional) Run:
description text
The description of the attack defense policy is configured. Step 4 Run:
auto-defend enable
Automatic attack source tracing is enabled. By default, attack source tracing is disabled. Step 5 (Optional) Run:
auto-defend protocol { all | { arp | dhcp | icmp | igmp | tcp | telnet | ttl-expired } * }
The types of traced packets are specified. By default, the AR200-S traces sources of ARP, DHCP, ICMP, IGMP, TCP, Telnet, and TTL-expired packets after attack source tracing is enabled. Step 6 (Optional) Run:
auto-defend trace-type { source-ip | source-mac | source-portvlan } *
The attack source tracing modes are specified. By default, the AR200-S traces attack sources based on the source IP address, source MAC address, and source interface plus VLAN. Step 7 (Optional) Run:
auto-defend threshold threshold
The threshold for attack source tracing is set. By default, the threshold for attack source tracing is 128 pps. Step 8 (Optional) Run:
auto-defend action deny [ timer time-length ]
The AR200-S is configured to drop packets sent from attack sources. By default, the AR200-S does not drop packets sent from attack sources. Step 9 (Optional) Configure the alarm function for attack source tracing. 1. Run:
auto-defend alarm enable
The alarm function for attack source tracing is enabled. By default, the alarm function for attack source tracing is disabled. 2. (Optional) Run:
auto-defend alarm threshold threshold
The alarm threshold for attack source tracing is set. By default, the alarm threshold for attack source tracing is 128 pps. Step 10 In the system view, run:
cpu-defend-policy policy-name [ global | slot slot-id ]
The attack defense policy is applied. If the attack defense policy is applied to an LPU or SRU, it takes effect for only the packets sent to the CPU of the LPU or SRU.
If global or slot is not specified, the attack defense policy is applied to the SRU. If global is specified, the attack defense policy is applied to all LPUs. If slot is specified, the attack defense policy is applied to an LPU in a specified slot.
NOTE
Attack source tracing configured in an attack defense policy takes effect only when the attack defense policy is applied to the SRU.
----End
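The following is an added example, not code from the Huawei guide: a Python model of attack source tracing as the procedure above describes it (trace types, traced protocols, threshold, alarm threshold, and the deny action with a timer). The defaults follow the values listed in the steps; the one-second counting window, the alarm-on-crossing behaviour, and the packet format are assumptions of the model, and the traffic is constructed.

```python
from collections import Counter

# Added example (not from the Huawei guide). Defaults follow the procedure above; the
# one-second counting window and the alarm-on-crossing behaviour are modelling assumptions.
DEFAULT_PROTOCOLS = frozenset({"arp", "dhcp", "icmp", "igmp", "tcp", "telnet", "ttl-expired"})
DEFAULT_TRACE_TYPES = ("source-mac", "source-ip", "source-portvlan")


class AutoDefend:
    def __init__(self, threshold=128, alarm_threshold=128, protocols=DEFAULT_PROTOCOLS,
                 trace_types=DEFAULT_TRACE_TYPES, deny=False, deny_timer=300):
        self.threshold, self.alarm_threshold = threshold, alarm_threshold
        self.protocols, self.trace_types = protocols, trace_types
        self.deny, self.deny_timer = deny, deny_timer
        self.window = {}           # second -> Counter of packets per traced source key
        self.attack_sources = {}   # source key -> peak pps observed above the threshold
        self.alarms = []           # (second, source key) when the alarm threshold is crossed
        self.blocked_until = {}    # source key -> time until which its packets are dropped
        self.dropped = 0

    def _keys(self, pkt):
        """The identities a packet is traced by, one per enabled trace type."""
        table = {"source-mac": pkt["smac"], "source-ip": pkt["sip"],
                 "source-portvlan": (pkt["port"], pkt["vlan"])}
        return [(t, table[t]) for t in self.trace_types]

    def process(self, pkt):
        """Feed one packet punted to the CPU; returns 'pass' or 'drop'."""
        keys = self._keys(pkt)
        if self.deny and any(self.blocked_until.get(k, -1.0) > pkt["t"] for k in keys):
            self.dropped += 1
            return "drop"
        if pkt["proto"] not in self.protocols:
            return "pass"            # only traced protocols are counted
        counts = self.window.setdefault(int(pkt["t"]), Counter())
        for k in keys:
            counts[k] += 1
            if counts[k] > self.threshold:
                self.attack_sources[k] = max(self.attack_sources.get(k, 0), counts[k])
                if self.deny:        # auto-defend action deny [ timer ]
                    self.blocked_until[k] = pkt["t"] + self.deny_timer
            if counts[k] == self.alarm_threshold + 1:
                self.alarms.append((int(pkt["t"]), k))
        return "pass"


def constructed_traffic():
    """Constructed: one second with an ARP flood from one host plus a quiet legitimate host."""
    pkts = [{"t": i / 200, "proto": "arp", "smac": "0001-c0a8-0102", "sip": "10.1.1.50",
             "port": "Ethernet0/0/1", "vlan": 0} for i in range(200)]
    pkts += [{"t": i / 20, "proto": "arp", "smac": "0001-c0a8-0201", "sip": "10.1.1.60",
              "port": "Ethernet0/0/2", "vlan": 0} for i in range(20)]
    return sorted(pkts, key=lambda p: p["t"])


def replay(deny):
    """Replay the constructed traffic with the 50 pps threshold used in this chapter's example."""
    ad = AutoDefend(threshold=50, alarm_threshold=50, deny=deny)
    for pkt in constructed_traffic():
        ad.process(pkt)
    return ad


if __name__ == "__main__":
    for deny in (False, True):
        ad = replay(deny)
        print("deny" if deny else "trace only", "sources:", ad.attack_sources, "dropped:", ad.dropped)
```

Note that tracing by source-portvlan identifies a whole port-plus-VLAN pair, so with the deny action enabled every host behind that port is cut off together with the attacker; the constructed traffic puts the legitimate host on a different port to keep the two apart.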
Applicable Environment
When a large number of users connect to the AR200-S, the AR200-S may be attacked by packets sent to the CPU or may need to process a large number of such packets. The AR200-S can limit the rate of all packets sent to the CPU to protect the CPU. CPU attack defense provides hierarchical device protection:
l Level 1: The AR200-S uses blacklists to filter invalid packets sent to the CPU.
l Level 2: The AR200-S limits the rate of packets sent to the CPU based on the protocol type to prevent excess packets of a particular protocol from being sent to the CPU.
l Level 3: The AR200-S schedules packets sent to the CPU based on the protocol priority to ensure that packets with higher protocol priorities are processed first.
l Level 4: The AR200-S uniformly limits the rate of packets sent to the CPU and randomly discards the excess packets to ensure CPU security.
Active link protection (ALP) protects session-based application layer data, including data of HTTP Sessions, FTP sessions. It ensures non-stop transmission of these services when attacks occur.
Pre-configuration Tasks
Before configuring an attack defense policy, complete the following task:
Connecting interfaces and setting the physical parameters of interfaces so that the physical layer is Up
Data Preparation
To configure an attack defense policy, you need the following data.
1. Name of an attack defense policy
2. (Optional) Description of an attack defense policy
3. (Optional) ACL rule and number in the blacklist
4. (Optional) Rate limit for packets sent to the CPU
5. (Optional) Priority of protocol packets
6. (Optional) Rate limit for all the packets sent to the CPU
7. (Optional) ALP rate limit
8. Number of the LPU to which the attack defense policy is applied
Procedure
Step 1 Run:
system-view
The system view is displayed. Step 2 Run:
cpu-defend policy policy-name
An attack defense policy is created and the attack defense policy view is displayed. The AR200-S supports a maximum of 19 attack defense policies, including the default attack defense policy. The default attack defense policy is generated automatically by the system and is applied to all boards. The default attack defense policy cannot be deleted or modified. The other 18 policies can be created and deleted. Step 3 (Optional) Run:
description text
Context
To defend against malicious attacks, the AR200-S adds users with a specific characteristic to a blacklist by using ACL rules and discards the packets sent from the users in the blacklist.
Procedure
Step 1 Run:
system-view
The system view is displayed. Step 2 Run:
cpu-defend policy policy-name
The attack defense policy view is displayed. Step 3 Run:
blacklist blacklist-id acl acl-number
A blacklist is created. A maximum of eight blacklists can be configured on the AR200-S. The ACL referenced by the blacklist can be a basic ACL, an advanced ACL, or a Layer 2 ACL. By default, no blacklist is configured on the AR200-S. ----End
9.4.4 (Optional) Configuring the Rate Limit for Packets Sent to the CPU
The AR200-S sets different rate limits for packets of different types or discards packets of a certain type to protect the CPU.
Procedure
Step 1 Run:
system-view
The system view is displayed. Step 2 Run:
cpu-defend policy policy-name
The attack defense policy view is displayed. Step 3 Configure the rate limit. l Run:
packet-type packet-type rate-limit rate-value
The rate limit for packets sent to the CPU is set. Excess packets are discarded. l Run:
deny packet-type packet-type
The AR200-S is configured to discard packets of a specified type sent to the CPU. That is, the rate limit for packets of the specified type to be sent to the CPU is 0. By default, the AR200-S applies the rate limit defined in the default attack defense policy to the packets sent to the CPU. ----End
Procedure
Step 1 Run:
system-view
The system view is displayed. Step 2 Run:
cpu-defend policy policy-name
The attack defense policy view is displayed. Step 3 Run:
packet-type packet-type priority priority-level
The priority of protocol packets sent to the CPU is set. By default, the priority defined in the default attack defense policy is used for protocol packets sent to the CPU. ----End
9.4.6 (Optional) Configuring the Rate Limit for All Packets Sent to the CPU
After an attack defense policy is created, set the rate limit for all packets sent to the CPU in the attack defense policy. The AR200-S then randomly discards the packets that exceed the rate limit to protect the CPU.
Procedure
Step 1 Run:
system-view
The system view is displayed. Step 2 Run:
cpu-defend policy policy-name
The attack defense policy view is displayed. Step 3 Run:
rate-limit all-packets pps pps-value
The rate limit for all packets sent to the CPU is set. The AR200-S then randomly discards the packets that exceed the rate limit to protect the CPU. ----End
9.4.7 (Optional) Configuring the Rate Limit for Packets After ALP Is Enabled
You can set the rate limit for packets in the attack defense policy after ALP is enabled.
Context
Active link protection (ALP) protects session-based application layer data, including data of HTTP Sessions, FTP sessions. It ensures non-stop transmission of these services when attacks occur.
Procedure
Step 1 Run:
system-view
The system view is displayed. Step 2 Run:
cpu-defend policy policy-name
The attack defense policy view is displayed. Step 3 Run:
application-apperceive packet-type packet-type rate-limit rate-value
The rate limit for packets of an ALP-protected session is set. During setup of an HTTP or FTP connection, if the application-apperceive command has not been used to specify a rate, the default rate limit applies: 1024 pps for FTP packets and 512 pps for HTTP packets in a session protected by ALP.
----End
Prerequisites
To protect session-based application layer data, such as HTTP and FTP sessions, and ensure non-stop transmission of these services when attacks occur, enable active link protection (ALP) before you create an attack defense policy.
Context
An attack defense policy can be applied to the SRU, all the LAN-side LPUs, or to the specified LAN-side LPU in the system view.
NOTE
If the attack defense policy is applied to an LAN-side LPU or SRU, it takes effect for only the packets sent to the CPU of the LAN-side LPU or SRU.
Procedure
Step 1 Run:
system-view
The system view is displayed. Step 2 Run the cpu-defend application-apperceive command for the application to be protected (for example, cpu-defend application-apperceive ftp enable).
ALP is enabled for that application.
Step 3 Run:
cpu-defend-policy policy-name [ global ]
The attack defense policy is applied. If global is not specified, the attack defense policy is applied to the SRU. If global is specified, the attack defense policy is applied to all LAN-side LPUs. ----End
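The following is an added example, not code from the Huawei guide: a Python model of the four-level CPU attack defense hierarchy configured by the procedures above (blacklist, per-type rate limit and deny, protocol priority, overall rate limit). The per-type defaults are a subset copied from the display cpu-defend configuration sru output later in this chapter; the blacklist matching on source MAC or IP, the packet format, the traffic burst, and the way the overall limit chooses which excess packets to discard are simplifications of ours.

```python
import random
from collections import Counter

# Added example (not from the Huawei guide). Per-type defaults are a subset of the
# display cpu-defend configuration sru output in this chapter: type -> (pps limit, priority).
DEFAULT_LIMITS = {
    "arp-request": (128, 2), "arp-reply": (128, 2), "dhcp-client": (128, 3),
    "ospf": (256, 3), "telnet-server": (128, 4), "icmp": (256, 2), "ftp-server": (256, 2),
}


def blacklisted(rules, pkt):
    """Level 1: does a blacklist ACL rule (source MAC or source IP, constructed subset) match?"""
    for rule in rules:
        if "source-mac" in rule and rule["source-mac"] == pkt["smac"]:
            return True
        if "source-ip" in rule and rule["source-ip"] == pkt["sip"]:
            return True
    return False


def cpu_defend(policy, packets, seed=0):
    """Run one second of packets punted to the CPU through levels 1-4.

    Returns a Counter keyed by (packet type, outcome); outcome is 'pass',
    'drop-blacklist', 'drop-deny', 'drop-rate' or 'drop-all'.
    """
    stats, seen, admitted = Counter(), Counter(), []
    for pkt in packets:
        ptype = pkt["type"]
        if blacklisted(policy.get("blacklist", []), pkt):                  # level 1
            stats[(ptype, "drop-blacklist")] += 1
            continue
        if ptype in policy.get("deny", ()):                                  # level 2: deny packet-type
            stats[(ptype, "drop-deny")] += 1
            continue
        default_limit, default_prio = DEFAULT_LIMITS.get(ptype, (256, 1))
        seen[ptype] += 1
        if seen[ptype] > policy.get("rate-limit", {}).get(ptype, default_limit):  # level 2: rate-limit
            stats[(ptype, "drop-rate")] += 1
            continue
        admitted.append((policy.get("priority", {}).get(ptype, default_prio), pkt))  # level 3
    # Level 4: the guide says excess over the overall limit is discarded randomly. The model
    # schedules higher priorities first and randomises only among the lowest-priority excess.
    rng = random.Random(seed)
    rng.shuffle(admitted)
    admitted.sort(key=lambda entry: -entry[0])   # stable sort keeps shuffled order per priority
    limit = policy.get("all-packets-pps", 2000)
    for i, (_prio, pkt) in enumerate(admitted):
        stats[(pkt["type"], "pass" if i < limit else "drop-all")] += 1
    return stats


def passed(stats, ptype=None):
    """Number of packets that reached the CPU, for one packet type or overall."""
    return sum(n for (t, outcome), n in stats.items() if outcome == "pass" and ptype in (None, t))


def constructed_burst():
    """Constructed second of traffic: ARP flood (one blacklisted host), DHCP, Telnet, OSPF."""
    pkts = [{"type": "arp-request", "smac": "0001-c0a8-0102", "sip": "10.1.1.50"} for _ in range(100)]
    pkts += [{"type": "arp-request", "smac": f"0001-c0a8-02{i % 9:02x}", "sip": f"10.1.1.{i % 9}"}
             for i in range(900)]
    pkts += [{"type": "dhcp-client", "smac": "0001-c0a8-0300", "sip": "0.0.0.0"} for _ in range(300)]
    pkts += [{"type": "telnet-server", "smac": "0001-c0a8-0400", "sip": "10.1.1.70"} for _ in range(100)]
    pkts += [{"type": "ospf", "smac": "0001-c0a8-0500", "sip": "10.1.1.1"} for _ in range(50)]
    return pkts


# Policy mirroring the devicesafety example in this chapter; Telnet is modelled as a deny
# packet-type here, where the example instead disables the Telnet server.
DEVICESAFETY = {
    "blacklist": [{"source-mac": "0001-c0a8-0102"}],
    "rate-limit": {"arp-request": 64},
    "priority": {"dhcp-client": 3},
    "deny": {"telnet-server"},
    "all-packets-pps": 2000,
}

if __name__ == "__main__":
    for key, n in sorted(cpu_defend(DEVICESAFETY, constructed_burst()).items()):
        print(key, n)
```

Lowering all-packets-pps below the sum of the per-type survivors shows why the priority step matters: when the overall limit bites, the lower-priority ARP requests are the first to go while DHCP Client and OSPF packets keep reaching the CPU.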
Procedure
l Run the display cpu-defend policy [ policy-name ] command to check the attack defense policy.
l Run the display cpu-defend statistics [ packet-type packet-type ] command to check the statistics on packets sent to the CPU.
l Run the display cpu-defend configuration [ packet-type packet-type ] { all | sru } command to check the rate limit configuration for protocol packets sent to the CPU.
----End
Procedure
l Run the reset cpu-defend statistics [ packet-type packet-type ] command to clear statistics on packets sent to the CPU.
----End
Procedure
l Run the reset auto-defend attack-source command to clear attack source information. ----End
Networking Requirements
As shown in Figure 9-1, users on different LANs access the Internet through RouterA. To locate attacks on RouterA, attack source tracing needs to be configured. The problems in this scenario are as follows:
l A user on the network segment Net1 often attacks RouterA.
l Attackers send a large number of ARP Request packets, degrading CPU performance.
l The administrator needs to upload files to RouterA using FTP, so an FTP connection between the administrator's host and RouterA must be set up.
l Most LAN users obtain IP addresses using DHCP, but RouterA does not currently process DHCP Client packets sent to the CPU ahead of other packets.
l The Telnet server is not enabled on RouterA, yet RouterA often receives a large number of Telnet packets.
Figure 9-1 (diagram): RouterA connects the LAN segments Net1, Net2 (2.2.2.0/24), and Net3 (3.3.3.0/24) to the Internet through RouterB; the figure also carries an Ethernet0/0/3 interface label.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a blacklist and add attackers on the network segment Net1 to the blacklist to prevent users on Net1 from accessing the network.
2. Configure the rate limit for ARP Request packets sent to the CPU.
3. Configure active link protection (ALP) for FTP so that file data can be transmitted between the administrator's host and RouterA.
4. Configure a high priority for DHCP Client packets so that RouterA first processes DHCP Client packets sent to the CPU.
5. Configure application layer association for Telnet so that RouterA discards the received Telnet packets.
Data Preparation
To complete the configuration, you need the following data:
l Name of the attack defense policy: devicesafety
l Threshold for attack source tracing: 50 pps
l MAC address of the attacker: 0001-c0a8-0102
l ACL number: 4001
l Blacklist ID: 1
l Rate limit for ARP Request packets sent to the CPU: 64 pps
l Rate limit for FTP packets after ALP is enabled: 2000 pps
l Priority of DHCP Client packets: 3
NOTE
This section provides only the configuration procedure for the local attack defense function supported by the AR200-S. For details about the routing configuration, see the Huawei AR200-S Series Enterprise Routers Configuration Guide - IP Routing.
Procedure
Step 1 Configure an ACL to be referenced by the blacklist.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] acl number 4001
[RouterA-acl-L2-4001] rule 5 permit source-mac 0001-c0a8-0102
[RouterA-acl-L2-4001] quit
Step 2 Create an attack defense policy.
[RouterA] cpu-defend policy devicesafety
Step 3 Configure a blacklist that references the ACL.
[RouterA-cpu-defend-policy-devicesafety] blacklist 1 acl 4001
Step 4 Configure attack source tracing.
[RouterA-cpu-defend-policy-devicesafety] auto-defend enable
[RouterA-cpu-defend-policy-devicesafety] auto-defend threshold 50
[RouterA-cpu-defend-policy-devicesafety] auto-defend trace-type source-mac source-ip source-portvlan
[RouterA-cpu-defend-policy-devicesafety] auto-defend protocol all
Step 5 Configure the rate limit for ARP Request packets sent to the CPU.
[RouterA-cpu-defend-policy-devicesafety] packet-type arp-request rate-limit 64
Step 6 Configure the rate limit for FTP packets after ALP is enabled.
[RouterA-cpu-defend-policy-devicesafety] application-apperceive packet-type ftp rate-limit 2000
Step 7 Configure a high priority for DHCP Client packets.
[RouterA-cpu-defend-policy-devicesafety] packet-type dhcp-client priority 3
[RouterA-cpu-defend-policy-devicesafety] quit
Step 8 Apply the attack defense policy.
# Enable ALP for FTP.
[RouterA] cpu-defend application-apperceive ftp enable
# Apply the policy.
[RouterA] cpu-defend-policy devicesafety
Step 9 Configure application layer association for Telnet by disabling the Telnet server, so that RouterA discards received Telnet packets.
[RouterA] undo telnet server enable
Step 10 Verify the configuration. # View information about the configured attack defense policy.
[RouterA] display cpu-defend policy devicesafety
 Related slot : <0>
 BlackList Status :
   Slot<0> : Success
 Configuration :
   Blacklist 1 ACL number : 4001
   Packet-type arp-request rate-limit : 64(pps)
   Packet-type dhcp-client priority : 3
   Rate-limit all-packets : 2000(pps) (default)
   Application-apperceive packet-type ftp : 2000(pps)
   Application-apperceive packet-type tftp : 2000(pps)
# View the rate limit configuration on the SRU. You can see that application layer association for Telnet, the rate limit for ARP Request packets sent to the CPU, and the priority for DHCP client packets are configured successfully.
<Huawei> display cpu-defend configuration sru
Rate configurations on main board.
----------------------------------------------------------------
Packet-type          Status     Rate-limit(PPS)   Priority
----------------------------------------------------------------
8021X                Disabled   128               2
arp-miss             Enabled    64                2
arp-reply            Enabled    128               2
arp-request          Enabled    64                2
bfd                  Disabled   256               4
bgp                  Enabled    256               3
bgp4plus             Enabled    256               3
dhcp-client          Enabled    128               3
dhcp-server          Enabled    128               2
dhcpv6-reply         Enabled    128               2
dhcpv6-request       Enabled    128               2
dns                  Enabled    256               2
fib-hit              Enabled    256               2
fr                   Enabled    128               3
ftp-client           Disabled   256               2
ftp-server           Enabled    256               2
fw-dns               Enabled    128               2
fw-ftp               Enabled    128               2
fw-http              Enabled    128               2
fw-rtsp              Enabled    128               2
fw-sip               Enabled    128               2
gre-keepalive        Enabled    128               3
gvrp                 Enabled    48                3
hdlc                 Enabled    128               3
http-client          Enabled    256               4
http-server          Enabled    256               4
hw-tacacs            Enabled    128               2
icmp                 Enabled    256               2
icmpv6               Enabled    256               2
igmp                 Enabled    256               2
ip-option            Enabled    256               2
ipsec-ike            Enabled    128               2
ipsec-isa            Enabled    128               2
ipsec-osa            Enabled    128               2
isis                 Enabled    128               3
isisv6               Enabled    128               3
l2tp                 Enabled    128               2
lacp                 Enabled    320               3
lldp                 Enabled    48                3
nd                   Enabled    128               5
nd-miss              Enabled    64                5
nhrp                 Enabled    256               3
ntp                  Enabled    128               4
ospf                 Enabled    256               3
ospfv3               Enabled    256               3
pim                  Disabled   256               3
ppp                  Enabled    256               2
pppoe                Enabled    256               2
radius               Enabled    128               2
rip                  Enabled    128               3
ripng                Enabled    256               3
snmp                 Enabled    256               4
ssh-client           Enabled    128               4
ssh-server           Enabled    128               4
sslvpn               Enabled    4096              3
stp                  Enabled    96                3
tcp                  Enabled    128               2
telnet-client        Enabled    128               4
telnet-server        Enabled    128               4
ttl-expired          Enabled    256               1
udp-helper           Disabled   16                2
unknown-multicast    Enabled    128               1
unknown-packet       Enabled    256               1
voice                Enabled    256               4
vrrp                 Disabled   256               3
----------------------------------------------------------------
# The log for attack source tracing of Net1 indicates that attack source tracing has taken effect.
Dec 18 2010 09:55:50-05:13 AR200-S %%01SECE/4/USER_ATTACK(l)[0]:User attack occurred.(Slot=MPU, SourceAttackInterface=Ethernet0/0/1, OuterVlan/ InnerVlan=0/0, UserMacAddress=0001-c0a8-0102, AttackPackets=48 packets per second)
# View the statistics on packets sent to the SRU. The discarded packets indicate that the rate limit is set for ARP Request packets.
<Huawei> display cpu-defend statistics
----------------------------------------------------------------------
Packet Type              Pass Packets          Drop Packets
----------------------------------------------------------------------
8021X                    0                     0
arp-miss                 5                     0
arp-reply                8090                  0
arp-request              1446576               127773
bfd                      0                     0
bgp                      0                     0
bgp4plus                 0                     0
dhcp-client              879                   0
dhcp-server              0                     0
dhcpv6-reply             0                     0
dhcpv6-request           0                     0
dlsw                     0                     0
dns                      4                     0
fib-hit                  0                     0
fr                       0                     0
ftp-client               0                     0
ftp-server               0                     0
fw-dns                   0                     0
fw-ftp                   0                     0
fw-http                  0                     0
fw-rtsp                  0                     0
fw-sip                   0                     0
gre-keepalive            0                     0
gvrp                     0                     0
hdlc                     0                     0
http-client              0                     0
http-server              0                     0
hw-tacacs                0                     0
icmp                     59                    0
icmpv6                   224                   0
igmp                     539                   0
ip-option                0                     0
ipsec-ike                0                     0
ipsec-isa                0                     0
ipsec-osa                0                     0
isis                     70252                 0
isisv6                   0                     0
l2tp                     0                     0
lacp                     0                     0
lldp                     0                     0
nd                       358                   0
nd-miss                  0                     0
nhrp                     0                     0
ntp                      0                     0
ospf                     0                     0
ospfv3                   0                     0
pim                      0                     0
ppp                      0                     0
pppoe                    0                     0
radius                   0                     0
rip                      11306                 0
ripng                    7385                  0
snmp                     0                     0
ssh-client               0                     0
ssh-server               0                     0
sslvpn                   0                     0
stp                      0                     0
tcp                      15                    0
telnet-client            81476                 0
telnet-server            0                     0
ttl-expired              0                     0
udp-helper               0                     0
unknown-multicast        0                     0
unknown-packet           66146                 0
voice                    0                     0
vrrp                     0                     0
---------------------------------------------------------------------
----End
Configuration Files
#
 sysname RouterA
#
acl number 4001
 rule 5 permit source-mac 0001-c0a8-0102
#
cpu-defend policy devicesafety
 blacklist 1 acl 4001
 packet-type arp-request rate-limit 64
 packet-type dhcp-client priority 3
 application-apperceive packet-type ftp rate-limit 2000
 auto-defend enable
 auto-defend threshold 50
 auto-defend trace-type source-mac source-ip source-portvlan
 auto-defend protocol all
#
 cpu-defend-policy devicesafety
#
 undo telnet server enable
#
return
10 ACL Configuration
About This Chapter
This chapter explains how to filter data packets on an AR200-S by defining an Access Control List (ACL) to determine allowed packet types.
10.1 ACL Overview
This section describes the basic concept of ACLs.
10.2 ACL Features Supported by the AR200-S
10.3 Configuring a Basic ACL
A basic ACL classifies IPv4 packets based on information such as source IP addresses, fragment flags, and time ranges.
10.4 Configuring an Advanced ACL
An advanced ACL classifies IPv4 packets based on information such as source and destination IP addresses, source and destination port numbers, packet priorities, and time ranges.
10.5 Configuring a Layer 2 ACL
A Layer 2 ACL classifies Layer 2 packets with the Ethernet protocol type of Ethernet_II based on information such as the source and destination MAC addresses, and Layer 2 protocol type.
10.6 Configuration Examples
This section provides several configuration examples of ACLs.
An ACL is only a set of rules and cannot filter packets directly. The ACL can identify packets of a certain type and the packets of this type are processed by the function that references the ACL.
l Advanced ACL
l Layer 2 ACL
l Numbered ACL: A numbered ACL is identified by a number, which can be specified to reference the ACL.
l Named ACL: A named ACL is identified by a character string name, which can be specified to reference the ACL. Named ACLs are easy to identify and remember. The AR200-S supports flexible ACL naming modes. You can also specify a number for a named ACL. If no ACL number is specified for a named ACL, the system allocates an ACL number to the named ACL.
Table 10-2 shows the information that basic ACLs, advanced ACLs, and Layer 2 ACLs can use to define rules. Advanced ACLs can define rules based on the IP version and on the type of protocol carried over IP, such as Generic Routing Encapsulation (GRE), Internet Group Management Protocol (IGMP), IPinIP, Open Shortest Path First (OSPF), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).

Table 10-2 Information that can be used by different types of ACLs to define rules

Information Defined in an ACL     Basic ACL   Advanced ACL                            Layer 2 ACL
                                  (IP)        GRE, IGMP,     TCP    UDP    ICMP
                                              IPinIP, OSPF
Layer 3 information
  Source IP address               Yes         Yes            Yes    Yes    Yes       No
  Destination IP address          No          Yes            Yes    Yes    Yes       No
  DiffServ Codepoint (DSCP)       No          Yes            Yes    Yes    Yes       No
  Priority                        No          Yes            Yes    Yes    Yes       No
  Fragment flag                   Yes         Yes            Yes    Yes    Yes       No
  Type of Service (ToS)           No          Yes            Yes    Yes    Yes       No
  ICMP packet type and code       No          No             No     No     Yes       No
Layer 4 information
  Source port number              No          No             Yes    Yes    No        No
  Destination port number         No          No             Yes    Yes    No        No
  SYN flag type                   No          No             Yes    No     No        No
Layer 2 information
  Source MAC address              No          No             No     No     No        Yes
  Destination MAC address         No          No             No     No     No        Yes
  Layer 2 protocol type           No          No             No     No     No        Yes
  VLAN ID                         No          No             No     No     No        No
  802.1p priority                 No          No             No     No     No        No
Other information
  Time range                      Yes         Yes            Yes    Yes    Yes       Yes
Some services or functions that reference ACLs need to be started during a specified period of time, for example, QoS needs to be started during peak hours. You can create a time range and reference it in an ACL so that the ACL takes effect only within that time range. The service or function that references the ACL is then also started only in the specified time range.
NOTE
The ACLs configured on fixed LAN-side interfaces do not take effect for Layer 2 traffic transmitted between LANs.
Applicable Environment
Basic ACLs can be referenced by many services and functions such as the routing policy and traffic classifier. The AR200-S processes different types of packets based on basic ACL rules. Basic ACLs are applied to all the IPv4 packets at the network layer and upper layers. Basic ACLs classify packets based on source IP addresses, fragment flags, and time ranges in the packets.
Pre-configuration Tasks
Before configuring a basic ACL, complete the following task: l Setting link layer protocol parameters for interfaces to ensure that the link layer protocol status on the interfaces is Up
Data Preparation
To configure a basic ACL, you need the following data.
1. (Optional) Name of a time range during which ACL rules take effect
2. Number or name of a basic ACL
3. Source IP address, fragment flag
4. (Optional) Description of a basic ACL
5. (Optional) Description of a basic ACL rule
6. (Optional) Step between ACL rule IDs
Context
Some services or functions that reference basic ACLs need to be started during a specified period of time, for example, QoS needs to be started during peak hours. You can create a time range and reference the time range in a basic ACL so that the basic ACL takes effect in the time range. The service or function that references the basic ACL is also started in the specified time range.
Procedure
Step 1 Run:
system-view
The system view is displayed. Step 2 Run the time-range command, specifying time-name and the absolute or periodic time.
A time range is created. To configure multiple time ranges with the same name on the AR200-S, run the command with the same value of time-name multiple times.
NOTE
You can configure the same name for multiple time ranges to describe a special period. Assume that the same name test is configured for the following time ranges:
l Time range 1: 2010-01-01 00:00 to 2010-12-31 23:59 (absolute time range)
l Time range 2: 8:00 to 18:00 from Monday to Friday (periodic time range)
l Time range 3: 14:00 to 18:00 on Saturday and Sunday (periodic time range)
The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in 2010.
----End
Follow-up Procedure
Reference the time range in a basic ACL rule.
Prerequisites
The display acl all command has been executed to view all the configured ACLs. This prevents duplicate basic ACLs from being configured.
Procedure
l Creating a numbered basic ACL 1. Run:
system-view
The system view is displayed. 2. Run:
acl [ number ] acl-number [ match-order { auto | config } ]
A basic ACL with the specified number is created and the basic ACL view is displayed. acl-number specifies the number of a basic ACL. The value ranges from 2000 to 2999. match-order specifies the matching order of basic ACL rules: auto: ACL rules are matched in depth-first order, that is, the rule with the smaller (more specific) wildcard is checked first. config: ACL rules are matched in the order in which they were configured, that is, by ascending rule ID. 3. (Optional) Run:
description text
The description of the basic ACL is configured. The description of an ACL describes the function or usage of the ACL. It is used to differentiate ACLs. By default, no description is configured for an ACL. l Creating a named basic ACL 1. Run:
system-view
The system view is displayed. 2. Run the acl name command, specifying acl-name and, optionally, acl-number and match-order.
A basic ACL with the specified name is created and the basic ACL view is displayed. acl-name specifies the name of the basic ACL. acl-number optionally specifies the number of the basic ACL, in the range 2000 to 2999; if it is omitted, the system allocates a number. match-order specifies the matching order of basic ACL rules: auto: ACL rules are matched in depth-first order, that is, the rule with the smaller (more specific) wildcard is checked first. config: ACL rules are matched in the order in which they were configured, that is, by ascending rule ID. 3. (Optional) Run:
description text
The description of the basic ACL is configured. The description of an ACL describes the function or usage of the ACL. It is used to differentiate ACLs. By default, no description is configured for an ACL. ----End
Follow-up Procedure
Configure rules in the basic ACL.
Prerequisites
A basic ACL has been created and the basic ACL view is displayed. Before creating a new rule, run the display acl { acl-number | name acl-name } command to view all the configured ACL rules to prevent the new rule from overriding existing rules.
Context
A basic ACL classifies packets by matching packet information with the ACL rules. After a basic ACL is created, configure rules in the basic ACL.
Procedure
Step 1 (Optional) Run:
step step-value
The step value between ACL rule IDs is set. By default, the step value is 5. Step 2 Run:
rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name | [ fragment | none-first-fragment ] ] *
A basic ACL rule is configured. To configure multiple rules, repeat this step.
NOTE
If the rule ID is not specified, the step value is used as the first rule ID and subsequent IDs are allocated in multiples of the step. When rules overlap, choose the matching order (config or auto) deliberately, because it determines which rule a packet hits.
Step 3 (Optional) Configure a description for the rule.
The description of the basic ACL rule is configured. The description of an ACL rule describes the function or usage of the ACL rule. It is used to differentiate ACL rules. ----End
Follow-up Procedure
After a basic ACL rule is configured, perform the following operations as required:
l Run the step command to change the step value.
l Run the rule command with rule-id specified to add a new rule between existing rules when the configuration order is used.
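The following is an added example, not code from the Huawei guide: a Python model of a numbered basic ACL with rule IDs allocated by step, source-address wildcard matching, and the two matching orders (config and auto) described in the procedures above. The display output format follows the display acl examples later in this chapter; how rules of equal depth are ordered in auto mode is an assumption of the model.

```python
import ipaddress

# Added example (not from the Huawei guide). Models a numbered basic ACL (2000-2999) with
# step-allocated rule IDs, wildcard masks (bit set = don't care) and config/auto match order.
# Tie-breaking by rule ID among equally specific rules in auto mode is our assumption.


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


class BasicAcl:
    def __init__(self, number, match_order="config", step=5):
        if not 2000 <= number <= 2999:
            raise ValueError("basic ACL numbers range from 2000 to 2999")
        if match_order not in ("config", "auto"):
            raise ValueError(match_order)
        self.number, self.match_order, self.step = number, match_order, step
        self.rules = {}  # rule id -> (action, source, wildcard) as ints

    def rule(self, action, source="any", rule_id=None):
        """Add a rule; source is 'any' or 'address wildcard' as printed by display acl."""
        if action not in ("permit", "deny"):
            raise ValueError(action)
        if rule_id is None:  # next multiple of the step above the highest existing ID
            rule_id = (max(self.rules, default=0) // self.step + 1) * self.step
        if source == "any":
            src, wild = 0, 0xFFFFFFFF
        else:
            addr, _, wildcard = source.partition(" ")
            src = _ip(addr)
            wild = 0 if wildcard in ("", "0") else _ip(wildcard)
        self.rules[rule_id] = (action, src & ~wild & 0xFFFFFFFF, wild)
        return rule_id

    def _ordered(self):
        if self.match_order == "config":
            return sorted(self.rules)
        # auto (depth first): fewer wildcard bits = more specific = checked first
        return sorted(self.rules, key=lambda rid: (bin(self.rules[rid][2]).count("1"), rid))

    def match(self, address):
        """Action of the first matching rule, or None when no rule matches."""
        a = _ip(address)
        for rid in self._ordered():
            action, src, wild = self.rules[rid]
            if (a ^ src) & ~wild & 0xFFFFFFFF == 0:
                return action
        return None

    def display(self):
        """Lines in the style of the display acl output shown in this chapter."""
        n = len(self.rules)
        lines = [f"Basic ACL {self.number}, {n} rule{'s' if n != 1 else ''}",
                 f"Acl's step is {self.step}"]
        for rid in sorted(self.rules):
            action, src, wild = self.rules[rid]
            if wild == 0xFFFFFFFF:
                lines.append(f"rule {rid} {action}")
            else:
                w = "0" if wild == 0 else str(ipaddress.IPv4Address(wild))
                lines.append(f"rule {rid} {action} source {ipaddress.IPv4Address(src)} {w}")
        return lines


if __name__ == "__main__":
    for order in ("config", "auto"):
        acl = BasicAcl(2001, match_order=order)
        acl.rule("deny", "10.1.1.0 0.0.0.255")
        acl.rule("permit", "10.1.1.1 0")
        print(order, "10.1.1.1 ->", acl.match("10.1.1.1"))
```

With the same two rules, 10.1.1.1 is denied under config order (rule 5 is checked first) but permitted under auto order (the host rule is more specific), which is the matching-order caveat from the note above; a match of None is left to the referencing function to decide, since an ACL on its own filters nothing.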
Prerequisites
A basic ACL has been created and rules have been configured in the basic ACL.
Context
A basic ACL can be applied to the following services and functions:
l Traffic classifier
l Blacklist for local attack defense
l Route filtering
l OSPF LSA filtering
l IP multicast
l Limiting access to an FTP or TFTP server
l Firewall
l NAT
l Packet filtering on an interface
Procedure
l Apply a basic ACL to a traffic classifier. To provide differentiated services based on packet information, configure traffic classifiers. Basic ACLs can be referenced by traffic classifiers to define rules for classifying traffic. For details, see Configuring a Traffic Classifier.
l Apply a basic ACL to add specified users to the blacklist for local attack defense. A blacklist is a set of unauthorized users. The AR200-S uses basic ACLs to add users with a specific characteristic to a blacklist and discards the packets from the users in the blacklist. For details, see 9.4.3 (Optional) Configuring a Blacklist.
l Apply a basic ACL to route filtering. You can configure route filtering for the Routing Information Protocol (RIP), Open Shortest Path First (OSPF), Intermediate System-to-Intermediate System (IS-IS), and Multiprotocol Border Gateway Protocol (MBGP), and set conditions for filtering routes of these protocols. Routes that do not meet the conditions are not added to the routing table or advertised. The AR200-S uses basic ACLs to set the filtering conditions. For details, see Configuration Guide - IP Routing.
l Apply a basic ACL to OSPF LSA filtering. In special network environments, OSPF features need to be configured and the performance of the OSPF network needs to be improved. When multiple links exist between two routers, you can filter outgoing LSAs on the local router. This reduces unnecessary retransmission of LSAs on certain links and saves bandwidth. The AR200-S can use basic ACLs to filter outgoing LSAs. For details, see Optimizing an OSPF Network.
l Apply a basic ACL to IP multicast. Certain functions of the Internet Group Management Protocol (IGMP), Protocol Independent Multicast-Dense Mode (PIM-DM), and Protocol Independent Multicast-Sparse Mode (PIM-SM) need to reference basic ACLs. For details, see Configuration Guide - Multicast.
l Apply a basic ACL to control the users that can connect to an FTP or TFTP server. When the AR200-S functions as an FTP or TFTP server, you can configure a basic ACL to allow only the clients that meet certain conditions to access the server. For details, see (Optional) Configuring an FTP ACL.
l Apply a basic ACL to a firewall. The attack defense system protects an internal network against attacks from external networks. Generally, firewalls are deployed between the internal and external networks to defend against attacks. A packet filtering firewall filters packets by using an ACL. The AR200-S uses a basic ACL to configure the packet filtering firewall. For details, see 3.4 Configuring the Packet Filtering Firewall.
l Apply a basic ACL to NAT. Network Address Translation (NAT) enables hosts on a private network to access the public network. A NAT address pool is a set of public IP addresses. When a packet from a private network reaches the public network by using address translation, one IP address in the NAT address pool is selected as the source address after translation. The AR200-S uses a basic ACL to classify IP addresses in the NAT address pool so that the source addresses of data packets matching the basic ACL are translated. For details, see Associating an ACL with an Address Pool.
l Apply a basic ACL to an interface to filter packets on the interface. The AR200-S can filter packets on an interface using an ACL. If the action in an ACL rule is deny, the AR200-S discards all packets matching the rule. If the action in an ACL rule is permit, the AR200-S forwards all packets matching the rule. Perform the following steps to apply a basic ACL to an interface: 1. Run:
system-view
Prerequisites
The basic ACL configurations are complete.
Procedure
- Run the display acl acl-number command to view the basic ACL with the specified number.
- Run the display acl name acl-name command to view the basic ACL with the specified name.
- Run the display time-range { all | time-name } command to view information about the time range.
----End
Example
# Run the display acl acl-number command to view the basic ACL number, the number of rules, the step value, and the content of the rules.
<Huawei> display acl 2009
Basic ACL 2009, 1 rule
Acl's step is 5
 rule 5 deny source 10.1.1.1 0
# Run the display acl name acl-name command to view the basic ACL name and number, the number of rules, the step value, and the content of the rules.
<Huawei> display acl name qos1
Basic ACL qos1 2999, 1 rule
Acl's step is 5
 rule 5 permit source 202.114.24.56 0.0.0.255
# Run the display time-range all command to view the configuration and status of the current time range.
<Huawei> display time-range all
Current time is 09:13:37 12-27-2010 Thursday

Time-range : test1 ( Inactive )
 13:00 to 18:00 working-day
 13:00 to 18:00 off-day
Applicable Environment
Advanced ACLs are applied to multiple services and functions, for example, traffic classifiers and multicast. The AR200-S processes different types of packets based on advanced ACL rules. Advanced ACLs can be applied to:
- All the IPv4 packets at the network layer and upper layers.
  Advanced ACLs classify IPv4 packets based on information such as source and destination IP addresses, packet priorities, fragment flags, time ranges, and VPN instances in the packets.
NOTE
An advanced ACL is similar to a basic ACL, but defines more information than a basic ACL.
- Specified types of packets, including GRE packets, ICMP packets, IPinIP packets, OSPF packets, IGMP packets, UDP packets, and TCP packets.
  Advanced ACLs classify these packet types based on different types of information:
  - GRE packets, IGMP packets, IPinIP packets, and OSPF packets are classified based on information such as source and destination IP addresses, packet priorities, fragment flags, time ranges, and VPN instances in the packets.
  - ICMP packets are classified based on information such as source and destination IP addresses, packet priorities, fragment flags, ICMP packet types and codes, time ranges, and VPN instances in the packets.
  - UDP packets are classified based on information such as source and destination IP addresses, source and destination port numbers, packet priorities, fragment flags, time ranges, and VPN instances in the packets.
  - TCP packets are classified based on information such as source and destination IP addresses, source and destination port numbers, SYN flag types, packet priorities, fragment flags, time ranges, and VPN instances in the packets.
Pre-configuration Tasks
Before configuring an advanced ACL, complete the following task:
- Setting link layer protocol parameters for interfaces to ensure that the link layer protocol status on the interfaces is Up
Data Preparation
To configure an advanced ACL, you need the following data.

No.  Data
1    (Optional) Name of a time range during which ACL rules take effect
2    Number or name of an advanced ACL
3    Protocol type
4    Source IP address and port number, destination IP address and port number, fragment flag, ICMP packet type and code, packet priority, ToS value, and time range
5    (Optional) Description of an advanced ACL
6    (Optional) Description of an advanced ACL rule
7    (Optional) Step value between advanced ACL rule IDs
Context
Some services or functions that reference advanced ACLs need to be started during a specified period of time, for example, QoS needs to be started during peak hours. You can create a time range and reference the time range in an advanced ACL so that the advanced ACL takes effect in the time range. The service or function that references the advanced ACL is also started in the specified time range.
Procedure
Step 1 Run:
system-view
A time range is created. To configure multiple time ranges with the same name on the AR200-S, run the preceding command with the same value of time-name multiple times.
NOTE
You can configure the same name for multiple time ranges to describe a special period. Assume that the same name test is configured for the following time ranges:
- Time range 1: 2010-01-01 00:00 to 2010-12-31 23:59 (absolute time range)
- Time range 2: 8:00 to 18:00 from Monday to Friday (periodic time range)
- Time range 3: 14:00 to 18:00 on Saturday and Sunday (periodic time range)
The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in 2010.
----End
Follow-up Procedure
Reference the time range in an advanced ACL rule.
Prerequisites
The display acl all command has been executed to view all the configured ACLs. This prevents duplicate advanced ACLs from being configured.
Procedure
- Creating a numbered advanced ACL
  1. Run:
     system-view
     An advanced ACL with the specified number is created and the advanced ACL view is displayed.
     - acl-number specifies the number of an advanced ACL. The value ranges from 3000 to 3999.
     - match-order specifies the matching order of advanced ACL rules:
       - auto: indicates that ACL rules are matched based on the depth first principle.
       - config: indicates that ACL rules are matched based on the sequence in which they were configured.
  3. (Optional) Run:
description text
     The description of the advanced ACL is configured. The description of an ACL describes the function or usage of the ACL. It is used to differentiate ACLs. By default, no description is configured for an ACL.
- Creating an advanced ACL based on the name
  1. Run:
system-view
     An advanced ACL with the specified name is created and the advanced ACL view is displayed.
     - acl-number specifies the number of an advanced ACL. The value ranges from 3000 to 3999.
     - match-order specifies the matching order of advanced ACL rules:
       - auto: indicates that ACL rules are matched based on the depth first principle.
       - config: indicates that ACL rules are matched based on the sequence in which they were configured.
  3. (Optional) Run:
description text
     The description of the advanced ACL is configured. The description of an ACL describes the function or usage of the ACL. It is used to differentiate ACLs. By default, no description is configured for an ACL.
----End
Follow-up Procedure
Configure rules in the advanced ACL.
Prerequisites
An advanced ACL has been created and the advanced ACL view is displayed. Before creating a new rule, run the display acl { acl-number | name acl-name } command to view all the configured ACL rules to prevent the new rule from overriding existing rules.
Context
An advanced ACL classifies packets by matching packet information with its rules. After an advanced ACL is created, configure rules in the advanced ACL.
Procedure
Step 1 (Optional) Run:
step step-value
The step value between ACL rule IDs is set. By default, the step value is 5.
Step 2 Configure an advanced ACL rule based on the IP protocol version or the type of the protocol over IP.
- When IPv4 is used, run:
  rule { deny | permit } ip [ destination { destination-address destination-wildcard | any } | source { source-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | [ fragment | none-first-fragment ] ] *
- Configure an advanced ACL rule based on the protocol over IP.
  When the Internet Control Message Protocol (ICMP) is used, run:
  rule { deny | permit } { protocol-number | icmp } [ destination { destination-address destination-wildcard | any } | icmp-type { icmp-name | icmp-type icmp-code } | source { source-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | [ fragment | none-first-fragment ] ] *
  When the Transmission Control Protocol (TCP) is used, run:
  rule { deny | permit } { protocol-number | tcp } [ destination { destination-address destination-wildcard | any } | destination-port { eq | gt | lt | range } port | source { source-address source-wildcard | any } | source-port { eq | gt | lt | range } port | tcp-flag { ack | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | [ fragment | none-first-fragment ] ] *
  When the User Datagram Protocol (UDP) is used, run:
  rule { deny | permit } { protocol-number | udp } [ destination { destination-address destination-wildcard | any } | destination-port { eq | gt | lt | range } port | source { source-address source-wildcard | any } | source-port { eq | gt | lt | range } port | time-range time-name | vpn-instance vpn-instance-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | [ fragment | none-first-fragment ] ] *
  When the Generic Routing Encapsulation (GRE), Internet Group Management Protocol (IGMP), IPinIP, or Open Shortest Path First (OSPF) is used, run:
  rule { deny | permit } { protocol-number | gre | igmp | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | source { source-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | [ fragment | none-first-fragment ] ] *
To configure multiple rules, repeat this step.
NOTE
If the rule ID is not specified, the step value is used as the start rule ID. If different rules are ANDed or ORed, configure a correct matching order to prevent incorrect configurations.
The description of the advanced ACL rule is configured. The description of an ACL rule describes the function or usage of the ACL rule. It is used to differentiate ACL rules.
----End
Follow-up Procedure
After an advanced ACL rule is configured, perform the following operations as required:
- Run the rule command with rule-id specified to add a new rule between existing rules when the configuration order is used.
Prerequisites
An advanced ACL has been created and rules have been configured in the advanced ACL.
Context
An advanced ACL can be applied to the following services and functions:
- Traffic classifier
- Blacklist for local attack defense
- IP multicast
- IPSec
- Firewall
- NAT
- Packet filtering on an interface
Procedure
- Apply an advanced ACL to a traffic classifier.
  To provide differentiated services based on packet information, configure traffic classifiers. Advanced ACLs can be referenced by traffic classifiers to define rules for classifying traffic. For details, see Configuring a Traffic Classifier.
- Apply an advanced ACL to add specified users to the blacklist for local attack defense.
  A blacklist is a set of unauthorized users. The AR200-S uses advanced ACLs to add users with a specific characteristic to a blacklist and discards the packets from the users in the blacklist. For details, see 9.4.3 (Optional) Configuring a Blacklist.
- Apply an advanced ACL to IP multicast.
  Certain functions of the Internet Group Management Protocol (IGMP), Protocol Independent Multicast-Dense Mode (PIM-DM) and Protocol Independent Multicast-Sparse Mode (PIM-SM) need to reference advanced ACLs. For details, see Configuration Guide - Multicast.
- Apply an advanced ACL to IPSec.
  The IP Security (IPSec) protocol family is a series of protocols defined by the Internet Engineering Task Force (IETF). This protocol family provides high quality, interoperable, and cryptography-based security for IP packets. IPSec peers can use various security protection measures (authentication, encryption, or both) on different data flows. The AR200-S can use advanced ACLs to define data flows. For details, see IPSec Configuration.
- Apply an advanced ACL to a firewall.
  The attack defense system protects an internal network against attacks from external networks. Generally, firewalls are deployed between the internal and external networks to defend against attacks. A packet filtering firewall filters packets by using an ACL. The AR200-S uses an advanced ACL to configure the packet filtering firewall. For details, see 3.4 Configuring the Packet Filtering Firewall.
- Apply an advanced ACL to NAT.
  Network Address Translation (NAT) enables hosts on a private network to access the public network. A NAT address pool is a set of public IP addresses. When a packet from a private network reaches the public network by using address translation, one IP address in the NAT address pool is selected as the source address after translation. The AR200-S uses an advanced ACL to classify IP addresses in the NAT address pool so that source addresses of data packets matching the advanced ACL are translated. For details, see Associating an ACL with an Address Pool.
- Apply an advanced ACL to an interface to filter packets on the interface.
  The AR200-S can filter packets on an interface using an ACL. If the action in an ACL rule is deny, the AR200-S discards all packets matching the rule. If the action in an ACL rule is permit, the AR200-S forwards all packets matching the rule. Perform the following steps to apply an ACL to an interface:
  1. Run:
system-view
Prerequisites
The advanced ACL configurations are complete.
Procedure
- Run the display acl acl-number command to view the advanced ACL with the specified number.
- Run the display acl name acl-name command to view the advanced ACL with the specified name.
- Run the display time-range { all | time-name } command to view information about the time range.
----End
Example
# Run the display acl acl-number command to view the advanced ACL number, the number of rules, the step value, and the content of the rules.
<Huawei> display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 5
 rule 5 deny ip source 10.1.1.1 0
# Run the display acl name acl-name command to view the advanced ACL name and number, the number of rules, the step value, and the content of the rules.
<Huawei> display acl name qos1
Advanced ACL qos1 3999, 1 rule
Acl's step is 5
 rule 5 permit tcp
# Run the display time-range all command to view the configuration and status of the current time range.
<Huawei> display time-range all
Current time is 09:13:37 12-27-2010 Thursday

Time-range : test1 ( Inactive )
 13:00 to 18:00 working-day
 13:00 to 18:00 off-day
Applicable Environment
Layer 2 ACLs can be applied to multiple services, for example, traffic classifiers. The AR200-S processes different types of packets based on Layer 2 ACL rules. Layer 2 ACLs are applied to Layer 2 packets with the Ethernet protocol type of Ethernet_II. Layer 2 ACLs classify Layer 2 packets based on information such as source and destination MAC addresses, Layer 2 protocol types, VLAN IDs or 802.1p priorities, and time ranges in the packets.
Pre-configuration Tasks
Before configuring a Layer 2 ACL, complete the following task:
- Connecting interfaces and setting physical parameters for the interfaces to ensure that the physical status of the interfaces is Up
Data Preparation
To configure a Layer 2 ACL, you need the following data.

No.  Data
1    (Optional) Name of a time range during which ACL rules take effect
2    Number or name of a Layer 2 ACL
3    Source MAC address, destination MAC address, Layer 2 protocol type, and VLAN ID or 802.1p priority
4    (Optional) Description of a Layer 2 ACL
5    (Optional) Description of a Layer 2 ACL rule
6    (Optional) Step value between Layer 2 ACL rule IDs
Context
Some services or functions that reference Layer 2 ACLs need to be started during a specified period of time, for example, QoS needs to be started during peak hours. You can create a time range and reference the time range in a Layer 2 ACL so that the Layer 2 ACL takes effect in the time range. The service or function that references the Layer 2 ACL is also started in the specified time range.
Procedure
Step 1 Run:
system-view
A time range is created. To configure multiple time ranges with the same name on the AR200-S, run the preceding command with the same value of time-name multiple times.
You can configure the same name for multiple time ranges to describe a special period. Assume that the same name test is configured for the following time ranges:
- Time range 1: 2010-01-01 00:00 to 2010-12-31 23:59 (absolute time range)
- Time range 2: 8:00 to 18:00 from Monday to Friday (periodic time range)
- Time range 3: 14:00 to 18:00 on Saturday and Sunday (periodic time range)
The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in 2010.
----End
Follow-up Procedure
Reference the time range in a Layer 2 ACL rule.
Prerequisites
The display acl all command has been executed to view all the configured ACLs. This prevents duplicate Layer 2 ACLs from being configured.
Procedure
- Creating a numbered Layer 2 ACL
  1. Run:
     system-view
     A Layer 2 ACL with the specified number is created and the Layer 2 ACL view is displayed.
     - acl-number specifies the number of a Layer 2 ACL. The value ranges from 4000 to 4999.
     - match-order specifies the matching order of Layer 2 ACL rules:
       - auto: indicates that ACL rules are matched based on the depth first principle.
       - config: indicates that ACL rules are matched based on the sequence in which they were configured.
  3. (Optional) Run:
description text
The description of the Layer 2 ACL is configured. The description of an ACL describes the function or usage of the ACL. It is used to differentiate ACLs. By default, no description is configured for an ACL.
     A Layer 2 ACL with the specified name is created and the Layer 2 ACL view is displayed.
     - acl-number specifies the number of a Layer 2 ACL. The value ranges from 4000 to 4999.
     - match-order specifies the matching order of Layer 2 ACL rules:
       - auto: indicates that ACL rules are matched based on the depth first principle.
       - config: indicates that ACL rules are matched based on the sequence in which they were configured.
  3. (Optional) Run:
description text
     The description of the Layer 2 ACL is configured. The description of an ACL describes the function or usage of the ACL. It is used to differentiate ACLs. By default, no description is configured for an ACL.
----End
Follow-up Procedure
Configure rules in the Layer 2 ACL.
Prerequisites
A Layer 2 ACL has been created and the Layer 2 ACL view is displayed. Before creating a new rule, run the display acl { acl-number | name acl-name } command to view all the configured ACL rules to prevent the new rule from overriding existing rules.
Context
A Layer 2 ACL classifies packets by matching packet information with the ACL rules. After a Layer 2 ACL is created, configure rules in the Layer 2 ACL.
Procedure
Step 1 (Optional) Run:
step step-value
The step value between ACL rule IDs is set. By default, the step value is 5.
Step 2 Run:
rule { permit | deny } [ l2-protocol type-value [ type-mask ] | destination-mac dest-mac-address [ dest-mac-mask ] | source-mac source-mac-address [ source-mac-mask ] | vlan-id vlan-id [ vlan-id-mask ] | 8021p 802.1p-value | [ time-range time-range-name ] ] *
If the rule ID is not specified, the step value is used as the start rule ID. If different rules are ANDed or ORed, configure a correct matching order to prevent incorrect configurations.
The description of the Layer 2 ACL rule is configured. The description of an ACL rule describes the function or usage of the ACL rule. It is used to differentiate ACL rules. ----End
Follow-up Procedure
After a Layer 2 ACL rule is configured, perform the following operations as required:
- Run the step command to change the step value.
- Run the rule command with rule-id specified to add a new rule between existing rules when the configuration order is used.
Prerequisites
A Layer 2 ACL has been created and rules have been configured in the Layer 2 ACL.
Context
A Layer 2 ACL can be applied to the following services and functions:
- Traffic classifier
- Blacklist for local attack defense feature
- Packet filtering on an interface
Procedure
- Apply a Layer 2 ACL to a traffic classifier.
  To provide differentiated services based on packet information, configure traffic classifiers. Layer 2 ACLs can be referenced by traffic classifiers to define rules for classifying traffic. For details, see Configuring a Traffic Classifier.
- Apply a Layer 2 ACL to add users to the blacklist for local attack defense.
  A blacklist is a set of unauthorized users. The AR200-S uses Layer 2 ACLs to add users with a specific characteristic to a blacklist and discards the packets from the users in the blacklist. For details, see 9.4.3 (Optional) Configuring a Blacklist.
- Apply a Layer 2 ACL to an interface to filter packets on the interface.
  The AR200-S can filter packets on an interface using an ACL. If the action in an ACL rule is deny, the AR200-S discards all packets matching the rule. If the action in an ACL rule is permit, the AR200-S forwards all packets matching the rule. Perform the following steps to apply a Layer 2 ACL to an interface:
  1. Run:
system-view
Prerequisites
The Layer 2 ACL configurations are complete.
Procedure
- Run the display acl acl-number command to view the Layer 2 ACL with the specified number.
- Run the display acl name acl-name command to view the Layer 2 ACL with the specified name.
- Run the display time-range { all | time-name } command to view information about the time range.
----End
Example
# Run the display acl acl-number command to view the Layer 2 ACL number, the number of rules, the step value, and the content of the rules.
<Huawei> display acl 4001
L2 ACL 4001, 1 rule
Acl's step is 5
 rule 5 permit l2-protocol ip destination-mac 0000-0000-0001 source-mac 0000-0000-0002
# Run the display acl name acl-name command to view the Layer 2 ACL name and number, the number of rules, the step value, and the content of the rules.
<Huawei> display acl name test
L2 ACL test 4999, 1 rule
Acl's step is 5
 rule 5 deny destination-mac 00e0-fc01-0304
# Run the display time-range all command to view the configuration and status of the current time range.
<Huawei> display time-range all
Current time is 09:13:37 12-27-2010 Thursday

Time-range : test1 ( Inactive )
 13:00 to 18:00 working-day
 13:00 to 18:00 off-day
10.6.1 Example for Configuring a Basic ACL to Limit Access to the FTP Server
In this example, a basic ACL is used to limit access to the FTP server.
Networking Requirements
As shown in Figure 10-1, the Router functions as an FTP server (172.16.104.110/24). The requirements are as follows:
- All the users on subnet 1 (172.16.105.0/23) are allowed to access the FTP server at any time.
- All the users on subnet 2 (172.16.107.0/23) are allowed to access the FTP server only at the specified period of time.
- Other users are not allowed to access the FTP server.
The routes between the Router and subnets are reachable. You need to configure the Router to limit user access.
Figure 10-1 Configuring a basic ACL to limit user access to the FTP server
[Figure: PC A (172.16.105.111), PC B (172.16.107.111) and PC C (10.10.10.1) connected to the Router, which acts as the FTP server]
Configuration Roadmap
The configuration roadmap is as follows:
- Create a basic ACL on the Router and configure rules in the basic ACL to classify users.
- Configure basic FTP functions on the Router.
- Apply a basic ACL to the Router to limit user access.
Data Preparation
To complete the configuration, you need the following data:
- Number of a basic ACL: 2001
- Name of a time range during which users in subnet 2 access the FTP server: ftp-access
- Time range: 14:00-18:00 on Saturday and Sunday from 2009 to 2011
Procedure
Step 1 Configure a time range.
<Huawei> system-view
[Huawei] sysname Router
[Router] time-range ftp-access from 0:0 2009/1/1 to 23:59 2011/12/31
[Router] time-range ftp-access 14:00 to 18:00 off-day
Step 3 Configure basic FTP functions.
The configuration details are not mentioned here.
Step 4 Configure access permissions on the FTP server.
[Router] ftp acl 2001
Step 5 Verify the configuration.
Run the ftp 172.16.104.110 command on PC A (172.16.105.111/24) in subnet 1. PC A can connect to the FTP server.
Run the ftp 172.16.104.110 command on PC B (172.16.107.111/24) in subnet 2 on Monday in 2010. PC B cannot connect to the FTP server.
Run the ftp 172.16.104.110 command on PC B (172.16.107.111/24) in subnet 2 at 15:00 on Saturday in 2010. PC B can connect to the FTP server.
Run the ftp 172.16.104.110 command on PC C (10.10.10.1/24). PC C cannot connect to the FTP server.
----End
Configuration Files
# Configuration file of the Router
#
 sysname Router
#
 ftp server enable
 ftp acl 2001
#
time-range ftp-access from 0:0 2009/1/1 to 23:59 2011/12/31
time-range ftp-access 14:00 to 18:00 off-day
#
acl number 2001
 rule 5 permit source 172.16.104.0 0.0.1.255
 rule 10 permit source 172.16.106.0 0.0.1.255 time-range ftp-access
#
return
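As an added example (not code from the Huawei guide), the Python script below models ACL 2001 and the time range ftp-access from the configuration file above: it parses the rule and time-range lines, applies the wildcard mask 0.0.1.255 and the absolute-plus-periodic time range, and reproduces the four checks of the verification step. It assumes that a client matching no rule is denied (what the verification step shows for PC C) and that daily and the weekday names are valid day keywords alongside working-day and off-day.

```python
"""Added example, not taken from the Huawei guide: a small Python model of the
FTP-server example, built from the rule and time-range lines of its
configuration file. Rules are matched in config order (first match wins); a
client matching no rule is treated as denied, which is what the verification
step shows for PC C (an assumption of this model, not a statement of the guide)."""
from dataclasses import dataclass, field
from datetime import datetime
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Lines copied from the example's configuration file (acl number 2001).
CONFIG = [
    "time-range ftp-access from 0:0 2009/1/1 to 23:59 2011/12/31",
    "time-range ftp-access 14:00 to 18:00 off-day",
    "rule 5 permit source 172.16.104.0 0.0.1.255",
    "rule 10 permit source 172.16.106.0 0.0.1.255 time-range ftp-access",
]

# Day keywords of the time-range command (Monday = 0). working-day and
# off-day appear on the page; daily and the weekday names are assumed.
DAY_KEYWORDS: Dict[str, Set[int]] = {
    "working-day": {0, 1, 2, 3, 4}, "off-day": {5, 6}, "daily": set(range(7)),
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}

@dataclass
class TimeRange:
    name: str
    absolute: List[Tuple[datetime, datetime]] = field(default_factory=list)
    periodic: List[Tuple[int, int, Set[int]]] = field(default_factory=list)

    def is_active(self, now: datetime) -> bool:
        # As the guide's NOTE describes: ranges sharing a name combine as
        # (inside any absolute range) AND (inside any periodic range).
        abs_ok = not self.absolute or any(s <= now <= e for s, e in self.absolute)
        minute = now.hour * 60 + now.minute
        per_ok = not self.periodic or any(
            now.weekday() in days and s <= minute <= e for s, e, days in self.periodic)
        return abs_ok and per_ok

@dataclass
class Rule:
    rule_id: int
    action: str                        # permit or deny
    source: Optional[Tuple[str, str]]  # (address, wildcard); None means any
    time_range: Optional[str]

def _hhmm(text: str) -> int:
    hours, minutes = text.split(":")
    return int(hours) * 60 + int(minutes)

def parse_config(lines: List[str]) -> Tuple[Dict[str, TimeRange], List[Rule]]:
    ranges: Dict[str, TimeRange] = {}
    rules: List[Rule] = []
    for line in lines:
        tok = line.split()
        if tok[0] == "time-range":
            tr = ranges.setdefault(tok[1], TimeRange(tok[1]))
            if tok[2] == "from":   # absolute: from H:M Y/M/D to H:M Y/M/D
                fmt = "%H:%M %Y/%m/%d"
                tr.absolute.append((datetime.strptime(f"{tok[3]} {tok[4]}", fmt),
                                    datetime.strptime(f"{tok[6]} {tok[7]}", fmt)))
            else:                  # periodic: H:M to H:M day-keyword ...
                days = set().union(*(DAY_KEYWORDS[d] for d in tok[5:]))
                tr.periodic.append((_hhmm(tok[2]), _hhmm(tok[4]), days))
        elif tok[0] == "rule":
            source = time_range = None
            if "source" in tok:
                i = tok.index("source")
                source = None if tok[i + 1] == "any" else (tok[i + 1], tok[i + 2])
            if "time-range" in tok:
                time_range = tok[tok.index("time-range") + 1]
            rules.append(Rule(int(tok[1]), tok[2], source, time_range))
    return ranges, rules

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard mask is the inverse of a subnet mask: 1 bits are ignored,
    so 0.0.1.255 covers the two /24s that make up a /23."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr)) & care
    b = int(ipaddress.IPv4Address(base)) & care
    return a == b

def ftp_access(client_ip: str, when: str, lines: List[str] = CONFIG) -> str:
    """Return 'permit' or 'deny' for a client at time 'YYYY-MM-DD HH:MM'."""
    now = datetime.fromisoformat(when)
    ranges, rules = parse_config(lines)
    for rule in rules:                 # config order, first match wins
        if rule.time_range and not ranges[rule.time_range].is_active(now):
            continue                   # rule not in effect at this time
        if rule.source is None or wildcard_match(client_ip, *rule.source):
            return rule.action
    return "deny"                      # no rule matched (see docstring)

if __name__ == "__main__":
    # The checks of the verification step; 2010-03-01 is a Monday, 2010-01-02 a Saturday.
    print(ftp_access("172.16.105.111", "2010-03-01 15:00"))  # permit: PC A, subnet 1
    print(ftp_access("172.16.107.111", "2010-03-01 15:00"))  # deny: PC B on a Monday
    print(ftp_access("172.16.107.111", "2010-01-02 15:00"))  # permit: PC B, Saturday 15:00
    print(ftp_access("10.10.10.1", "2010-01-02 15:00"))      # deny: PC C
```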
10.6.2 Example for Using Advanced ACLs to Configure the Firewall Function
In this example, advanced ACLs are used to configure the packet filtering firewall between the internal network and the external network.
Networking Requirements
As shown in Figure 10-2, an enterprise that provides Web, FTP, and Telnet services accesses an external network through Ethernet0/0/8 of the Router and joins a VLAN through Ethernet0/0/0 of the Router. The enterprise is located on the network segment 202.169.10.0 and the IP addresses of the Web server, FTP server, and Telnet server of the enterprise are 202.169.10.5/24, 202.169.10.6/24, and 202.169.10.7/24. To ensure security, the enterprise requires the Router to be configured with the firewall function. By doing this, only specified users are allowed to access internal servers of the enterprise and only internal servers of the enterprise are allowed to access the external network.
[Figure 10-2: the Router connects to the Internet through Eth0/0/8; the external user that may access the internal servers is 202.39.2.3]
Configuration Roadmap
The configuration roadmap is as follows:
- Configure zones on the internal and external networks.
- Configure an interzone and enable the firewall function in the interzone.
- Configure advanced ACLs to classify external users and internal servers.
- Configure ACL-based packet filtering in the interzone.
Data Preparation
To complete the configuration, you need the following data:
- Name of the zone on the internal network: company
- Priority of the zone company: 12
- Name of the zone on the external network: external
- Priority of the zone external: 5
- VLAN that the enterprise joins: VLAN 100
- IP address of VLANIF 100: 202.169.10.1/24
- IP address of Ethernet0/0/8: 129.39.10.8/24
- IP address of the user that can access internal servers: 202.39.2.3/24
- Number of the advanced ACL that classifies specified users: ACL 3001
- Number of the advanced ACL that classifies internal servers: ACL 3002
Procedure
Step 1 Configure zones.
# Configure a zone on the internal network.
<Huawei> system-view
[Huawei] sysname Router
[Router] firewall zone company
# Configure a rule in ACL 3001 to allow specified users to access internal servers.
[Router-acl-adv-3001] rule permit tcp source 202.39.2.3 0.0.0.0 destination 202.169.10.5 0.0.0.0
[Router-acl-adv-3001] rule permit tcp source 202.39.2.3 0.0.0.0 destination 202.169.10.6 0.0.0.0
[Router-acl-adv-3001] rule permit tcp source 202.39.2.3 0.0.0.0 destination 202.169.10.7 0.0.0.0
# Configure a rule in ACL 3001 to prevent other users from accessing any host of the enterprise.
[Router-acl-adv-3001] rule deny ip
[Router-acl-adv-3001] quit
# Configure a rule in ACL 3002 to allow internal servers to access the external network.
[Router-acl-adv-3002] rule permit ip source 202.169.10.5 0.0.0.0
[Router-acl-adv-3002] rule permit ip source 202.169.10.6 0.0.0.0
[Router-acl-adv-3002] rule permit ip source 202.169.10.7 0.0.0.0
# Configure a rule in ACL 3002 to prevent other users of the enterprise from accessing the external network.
[Router-acl-adv-3002] rule deny ip
[Router-acl-adv-3002] quit
Step 6 Verify the configuration.
After the configuration is complete, only the host at 202.39.2.3 can access internal servers and only internal servers can access the external network. Run the display firewall interzone [ zone-name1 zone-name2 ] command on the Router, and the result is as follows:
[Router] display firewall interzone company external
 interzone company external
  firewall enable
  packet-filter default deny inbound
  packet-filter default permit outbound
  packet-filter 3001 inbound
  packet-filter 3002 outbound
----End
Configuration Files
# Configuration file of the Router
#
 sysname Router
#
vlan batch 100
#
acl number 3001
 rule 5 permit tcp source 202.39.2.3 0.0.0.0 destination 202.169.10.5 0.0.0.0
 rule 10 permit tcp source 202.39.2.3 0.0.0.0 destination 202.169.10.6 0.0.0.0
 rule 15 permit tcp source 202.39.2.3 0.0.0.0 destination 202.169.10.7 0.0.0.0
 rule 20 deny ip
#
acl number 3002
 rule 5 permit ip source 202.169.10.5 0.0.0.0
 rule 10 permit ip source 202.169.10.6 0.0.0.0
 rule 15 permit ip source 202.169.10.7 0.0.0.0
 rule 20 deny ip
#
interface Vlanif100
 ip address 202.169.10.1 255.255.255.0
 zone company
#
firewall zone company
 priority 12
#
firewall zone external
 priority 5
#
firewall interzone company external
 firewall enable
 packet-filter 3001 inbound
 packet-filter 3002 outbound
#
interface Ethernet0/0/0
 port link-type access
 port default vlan 100
#
interface Ethernet0/0/8
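As an added example (not from the Huawei guide), the Python script below models the interzone packet filter of this example using the rule lines of ACL 3001 and ACL 3002 and the default actions shown by display firewall interzone; it also works through the protocol keyword of the advanced ACL rule syntax from the procedure above, showing that the tcp-only permit rules in ACL 3001 leave UDP and ICMP from the permitted host to rule 20 deny ip. It assumes inbound means external zone to company zone, models only the source, destination and protocol parts of a rule, and uses 203.0.113.9 as a constructed external address.

```python
"""Added example, not taken from the Huawei guide: a Python model of the
interzone packet filter from the firewall example, ACL 3001 inbound and
ACL 3002 outbound. Inbound is taken to mean external zone to company zone,
as the example uses it (an assumption of this model)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# From the example's display firewall interzone output: the ACL applied and
# the default action in each direction.
INTERZONE: Dict[str, Tuple[str, str]] = {
    "inbound": ("3001", "deny"),
    "outbound": ("3002", "permit"),
}

# Rule lines copied from the example's configuration file.
ACL_CONFIG: Dict[str, List[str]] = {
    "3001": [
        "rule 5 permit tcp source 202.39.2.3 0.0.0.0 destination 202.169.10.5 0.0.0.0",
        "rule 10 permit tcp source 202.39.2.3 0.0.0.0 destination 202.169.10.6 0.0.0.0",
        "rule 15 permit tcp source 202.39.2.3 0.0.0.0 destination 202.169.10.7 0.0.0.0",
        "rule 20 deny ip",
    ],
    "3002": [
        "rule 5 permit ip source 202.169.10.5 0.0.0.0",
        "rule 10 permit ip source 202.169.10.6 0.0.0.0",
        "rule 15 permit ip source 202.169.10.7 0.0.0.0",
        "rule 20 deny ip",
    ],
}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    # 1 bits in the wildcard are ignored; 0.0.0.0 therefore means an exact host match.
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def parse_rule(line: str) -> dict:
    """Parse 'rule ID ACTION PROTO [source A W | any] [destination A W | any]'.
    Other keywords of the rule syntax (ports, dscp, fragment, ...) are not modelled."""
    tok = line.split()
    rule = {"id": int(tok[1]), "action": tok[2], "protocol": tok[3],
            "source": None, "destination": None}
    i = 4
    while i < len(tok):
        if tok[i] in ("source", "destination"):
            if tok[i + 1] == "any":          # 'any' carries no wildcard
                i += 2
            else:
                rule[tok[i]] = (tok[i + 1], tok[i + 2])
                i += 3
        else:
            i += 1
    return rule


def rule_matches(rule: dict, proto: str, src: str, dst: str) -> bool:
    # 'ip' matches any IPv4 packet; a named protocol matches only that protocol.
    if rule["protocol"] != "ip" and rule["protocol"] != proto:
        return False
    if rule["source"] and not wildcard_match(src, *rule["source"]):
        return False
    if rule["destination"] and not wildcard_match(dst, *rule["destination"]):
        return False
    return True


def filter_packet(direction: str, proto: str, src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, rule id) for a packet crossing the interzone; the rule id
    is None when no rule matched and the interzone default action applied."""
    acl_number, default_action = INTERZONE[direction]
    for rule in map(parse_rule, ACL_CONFIG[acl_number]):   # config order, first match wins
        if rule_matches(rule, proto, src, dst):
            return rule["action"], rule["id"]
    return default_action, None


if __name__ == "__main__":
    # 203.0.113.9 is a constructed external address, not one from the example.
    print(filter_packet("inbound", "tcp", "202.39.2.3", "202.169.10.6"))     # ('permit', 10)
    print(filter_packet("inbound", "udp", "202.39.2.3", "202.169.10.6"))     # ('deny', 20)
    print(filter_packet("inbound", "tcp", "203.0.113.9", "202.169.10.5"))    # ('deny', 20)
    print(filter_packet("outbound", "tcp", "202.169.10.7", "203.0.113.9"))   # ('permit', 15)
    print(filter_packet("outbound", "tcp", "202.169.10.20", "203.0.113.9"))  # ('deny', 20)
```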
Networking Requirements
As shown in Figure 10-3, the MAC address of PC1 is 0000-0000-0003 and PC1 is connected to Ethernet0/0/0 of the Router through the switch. The Router is required to collect statistics on packets with the source MAC address 0000-0000-0003.
Figure 10-3 Using a Layer 2 ACL to configure traffic classification
[Figure: PC1 connected through the switch to Ethernet0/0/0 of the Router, which connects to the Internet]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a Layer 2 ACL to match packets with the source MAC address 0000-0000-0003.
2. Configure traffic classification based on the Layer 2 ACL.
3. Configure a traffic behavior to collect statistics on the classified packets.
4. Configure a traffic policy and bind the traffic classifier and traffic behavior to the traffic policy.
Data Preparation
To complete the configuration, you need the following data:
- VLAN that the interface connecting the Router and the switch belongs to: VLAN 20
- Layer 2 ACL name: layer2
- Traffic classifier name: c1
- Traffic behavior name: b1
- Traffic policy name: p1
Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. 203
Procedure
Step 1 Create a VLAN and configure each interface. # Create VLAN 20.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 20
[Router-vlan20] quit
Configure the interface of the switch connecting to the Router as a trunk interface and add it to VLAN 20. The configuration details are not mentioned here. Configure the interface of the switch connecting to PC1 as an access interface and add it to VLAN 20. The configuration details are not mentioned here.
Step 2 Configure an ACL. # Create a Layer 2 ACL named layer2 on the Router to match packets with the source MAC address 0000-0000-0003.
[Router] acl name layer2 link
[Router-acl-L2-layer2] rule permit source-mac 0000-0000-0003 ffff-ffff-ffff
[Router-acl-L2-layer2] quit
Step 3 Configure a traffic classifier. # Create a traffic classifier c1 on the Router to match ACL layer2.
[Router] traffic classifier c1
[Router-classifier-c1] if-match acl layer2
[Router-classifier-c1] quit
Step 4 Configure a traffic behavior. # Create a traffic behavior b1 on the Router and configure the traffic statistics action in the traffic behavior.
[Router] traffic behavior b1
[Router-behavior-b1] statistic enable
[Router-behavior-b1] quit
Step 5 Configure a traffic policy and apply the traffic policy to an interface. # Create a traffic policy p1 on the Router and bind the traffic policy to the traffic classifier and traffic behavior.
[Router] traffic policy p1
[Router-trafficpolicy-p1] classifier c1 behavior b1
[Router-trafficpolicy-p1] quit
----End
Configuration Files
• Configuration file of the Router
#
 sysname Router
#
vlan batch 20
#
acl name layer2 4999
 rule 5 permit source-mac 0000-0000-0003
#
traffic classifier c1 operator or
 if-match acl layer2
#
traffic behavior b1
 statistic enable
#
traffic policy p1
 classifier c1 behavior b1
#
interface Ethernet0/0/0
 port link-type trunk
 port trunk allow-pass vlan 20
 traffic-policy p1 inbound
#
return
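Both ACL types on these pages are evaluated the same way: the rules are tried in rule-number order, the first match decides, and a packet that matches nothing gets the packet-filter default (deny inbound, permit outbound in the interzone example). The Python below is an added example written for this page, not Huawei code. It models that first-match evaluation for the advanced ACLs 3001 and 3002 of the preceding interzone example and for the Layer 2 ACL layer2 of this one, and makes the two mask conventions explicit: an IPv4 wildcard of 0.0.0.0 means every bit must match, whereas a MAC mask of ffff-ffff-ffff means the same thing with the bit sense inverted. The packet dictionaries, function names and sample packets are assumptions, not from the page.

```python
"""First-match ACL evaluation, modelled on the ACLs in this chapter.
Added example, not Huawei code; packet dicts and helper names are assumptions."""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, str]
Rule = Tuple[int, str, Callable[[Packet], bool]]   # (rule number, action, matcher)
ANY = ("0.0.0.0", "255.255.255.255")               # address/wildcard pair meaning "any host"
EXACT = "0.0.0.0"                                  # wildcard meaning "compare every bit"


def ipv4_matches(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Advanced-ACL convention: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == r & care


def mac_matches(mac: str, rule_mac: str, mask: str) -> bool:
    """Layer 2 ACL convention is the opposite: a 1 bit in the mask must match."""
    def as_int(m: str) -> int:
        return int(m.replace("-", "").replace(":", ""), 16)
    return as_int(mac) & as_int(mask) == as_int(rule_mac) & as_int(mask)


def ip_rule(number: int, action: str, proto: str,
            src: Tuple[str, str] = ANY, dst: Tuple[str, str] = ANY) -> Rule:
    """'permit tcp source A 0.0.0.0 destination B 0.0.0.0'; proto 'ip' matches any protocol."""
    def match(pkt: Packet) -> bool:
        return ((proto == "ip" or pkt["proto"] == proto)
                and ipv4_matches(pkt["src"], *src)
                and ipv4_matches(pkt["dst"], *dst))
    return number, action, match


def l2_rule(number: int, action: str, src_mac: str, mask: str = "ffff-ffff-ffff") -> Rule:
    """'rule permit source-mac 0000-0000-0003 ffff-ffff-ffff'."""
    return number, action, lambda pkt: mac_matches(pkt["src_mac"], src_mac, mask)


def evaluate(acl: List[Rule], pkt: Packet, default: str) -> Tuple[str, Optional[int]]:
    """Try rules in rule-number order; the first hit wins. No hit: the configured default."""
    for number, action, match in sorted(acl, key=lambda r: r[0]):
        if match(pkt):
            return action, number
    return default, None


# The three protected servers and the management host from the interzone example.
SERVERS = ["202.169.10.5", "202.169.10.6", "202.169.10.7"]
MGMT_HOST = "202.39.2.3"

# acl number 3001: only TCP from the management host to the three servers, then deny ip.
ACL_3001 = [ip_rule(5 * i, "permit", "tcp", (MGMT_HOST, EXACT), (server, EXACT))
            for i, server in enumerate(SERVERS, start=1)] + [ip_rule(20, "deny", "ip")]
# acl number 3002: anything sourced by the three servers, then deny ip.
ACL_3002 = [ip_rule(5 * i, "permit", "ip", (server, EXACT))
            for i, server in enumerate(SERVERS, start=1)] + [ip_rule(20, "deny", "ip")]
# acl name layer2: frames from PC1's MAC address (used for statistics, not filtering).
ACL_LAYER2 = [l2_rule(5, "permit", "0000-0000-0003")]


def inbound(pkt: Packet) -> Tuple[str, Optional[int]]:
    """packet-filter 3001 inbound, packet-filter default deny inbound."""
    return evaluate(ACL_3001, pkt, default="deny")


def outbound(pkt: Packet) -> Tuple[str, Optional[int]]:
    """packet-filter 3002 outbound, packet-filter default permit outbound."""
    return evaluate(ACL_3002, pkt, default="permit")


def counted(pkt: Packet) -> bool:
    """Traffic classifier c1: does the frame hit ACL layer2 (and so get counted by b1)?"""
    return evaluate(ACL_LAYER2, pkt, default="deny")[0] == "permit"


if __name__ == "__main__":
    # Constructed sample packets (not captured from a real network).
    samples = [
        {"proto": "tcp", "src": MGMT_HOST, "dst": "202.169.10.6"},      # permit by rule 10
        {"proto": "udp", "src": MGMT_HOST, "dst": "202.169.10.6"},      # deny by rule 20: not TCP
        {"proto": "tcp", "src": "202.39.2.4", "dst": "202.169.10.6"},   # deny: wrong source host
    ]
    for pkt in samples:
        print("inbound", pkt, "->", inbound(pkt))
    print("outbound from .7 ->", outbound({"proto": "udp", "src": "202.169.10.7", "dst": "203.0.113.9"}))
    print("PC1 frame counted:", counted({"src_mac": "0000-0000-0003"}))
```

evaluate() sorts by rule number because, in the default config match order, that rather than the order of entry is what the device uses: a rule added later with a lower number is matched earlier. The deny ip at rule 20 means the packet-filter default is never reached for these two ACLs; the default matters when an ACL has no catch-all rule.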
11 SSL Configuration
About This Chapter
The Secure Sockets Layer (SSL) protocol protects information privacy on the Internet.
11.1 SSL Overview
The Secure Sockets Layer (SSL) protocol uses data encryption, identity authentication, and message integrity checks to secure TCP-based application layer protocols.
11.2 SSL Features Supported by the AR200-S
The AR200-S supports server SSL policies and client SSL policies.
11.3 Configuring a Server SSL Policy
A server SSL policy defines the parameters that an SSL server uses in SSL handshakes: the PKI domain name, the maximum number of sessions that can be saved, the timeout period of a saved session, and the cipher suite. The PKI domain name is mandatory; the others are optional.
11.4 Configuring a Client SSL Policy
A client SSL policy defines the parameters that an SSL client uses in SSL handshakes: the PKI domain name, the SSL protocol version, and the cipher suite.
11.5 Configuration Examples
This section provides several SSL configuration examples.
Introduction to SSL
SSL is a cryptographic protocol that provides communication security over the Internet. It allows a client and a server to communicate in a way designed to prevent eavesdropping and tampering. The client authenticates the server before application data is exchanged, and the server can optionally authenticate the client. SSL is widely used in e-commerce and online banking. It has the following advantages:
• High security: SSL secures data transmission by combining data encryption, identity authentication, and message integrity checks.
• Support for various application layer protocols: SSL was originally designed to secure World Wide Web traffic, but because it sits between the application layer and the transport layer it can protect any TCP-based application.
• Easy to deploy: SSL has become a worldwide standard used to authenticate websites (and, optionally, web users) and to encrypt data between browsers and web servers.
SSL improves device security with the following functions:
• With client authentication, allows only authorized users to connect to servers.
• Encrypts data transmitted between a client and a server, and computes a message authentication code over it so that tampering is detected.
• Defines an access control policy on a device based on certificate attributes to control the access rights of clients, which keeps unauthorized users from attacking the device.
Terms
• Certificate Authority (CA)
A CA is an entity that issues, manages, and revokes digital certificates. A CA checks the identity of each certificate applicant, signs the certificates it issues so that they cannot be forged or altered without detection, and manages certificates and keys. A CA at the top of a trust hierarchy is called a root CA. The root CA can authorize other CAs as subordinate CAs. The identities of the CAs that are trusted are held in a trusted-CA file.
In the certificate issuing process, CA1 functions as the root CA and issues a certificate for CA2, and CA2 issues a certificate for CA3. The process repeats until CAn issues the final server certificate. In the certificate authentication process, the client verifies the chain from the server certificate upward. If CA3 issued the server certificate, the client uses the CA3 certificate to verify the server certificate, then the CA2 certificate to verify the CA3 certificate, and then the CA1 certificate to verify the CA2 certificate. The client considers the server certificate valid only when every link has been verified up to CA1, the root CA whose certificate the client already trusts. Figure 11-1 shows the certificate issuing and authentication processes.
Figure 11-1 Certificate issuing and certificate verification (figure; only the panel title "Certificate verification" survives extraction)
• Digital certificate
A digital certificate is an electronic document issued by a CA to bind a public key to a certificate subject (the applicant that obtained the certificate). Information in a digital certificate includes the subject name, the public key, the validity period, and the digital signature of the issuing CA. A digital certificate lets two communicating parties verify each other's identities. To verify data signed by a sender, a user needs the sender's public key certificate; to verify that the certificate itself is genuine, the user also needs the certificate of the CA that issued it.
• Certificate Revocation List (CRL)
A CRL is issued by a CA to list the certificates that the CA has revoked. Each certificate has a validity period; a CA issues a CRL to revoke certificates before their validity periods expire, so a certificate listed in the CRL is invalid from its revocation date onward. Once a certificate is revoked, the public key bound in it must no longer be trusted. After a revoked certificate reaches the end of its original validity period, it is removed from the CRL to keep the CRL short. Information in a CRL includes the issuer, the serial number and revocation date of each revoked certificate, the issuing date of the CRL, and the time when the next CRL will be issued. Clients use CRLs to check the validity of certificates: when verifying a server's digital certificate, a client checks the CRL, and if the certificate is listed, the client considers it invalid. A CRL whose next-update time has passed is stale and should not be relied on.
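The chain walk and CRL check described under the two terms above, as an added example that is not Huawei code. Certificates are plain dictionaries, and the signatures use a deliberately tiny textbook RSA (64-bit modulus, no padding) so that the example runs offline; that toy is insecure and only stands in for real RSA, and the hierarchy CA1 -> CA2 -> CA3 -> server, the CRLs and the timestamps are constructed. It goes one step beyond the text by also refusing a CRL whose next-update time has passed, which is the fail-closed behaviour a verifier should have.

```python
"""Certificate chain verification as described above: server certificate -> CA3
-> CA2 -> CA1 (trusted root), with validity-period and CRL checks at each link.
Added example, not Huawei code. Signatures use a deliberately tiny textbook RSA
(64-bit modulus, no padding): insecure, for illustration only."""
import hashlib
import json
from typing import Dict, List, Tuple


def _is_prime(k: int) -> bool:
    if k < 2 or k % 2 == 0:
        return k == 2
    f = 3
    while f * f <= k:
        if k % f == 0:
            return False
        f += 2
    return True


def _prime_from(start: int, e: int = 65537) -> int:
    """Next prime at or after start with (p - 1) not divisible by e, so e is invertible."""
    k = start
    while not _is_prime(k) or (k - 1) % e == 0:
        k += 1
    return k


def toy_keypair(seed: int) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Deterministic toy RSA key per seed: ((n, e) public, (n, d) private)."""
    p = _prime_from((1 << 32) + 7919 * seed)
    q = _prime_from((1 << 32) + 104729 * seed + 1000)
    n, e = p * q, 65537
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))


def _digest(tbs: dict, n: int) -> int:
    """Hash of the to-be-signed fields, reduced into the toy modulus."""
    data = json.dumps(tbs, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def toy_sign(priv: Tuple[int, int], tbs: dict) -> int:
    n, d = priv
    return pow(_digest(tbs, n), d, n)


def toy_verify(pub: Tuple[int, int], tbs: dict, signature: int) -> bool:
    n, e = pub
    return pow(signature, e, n) == _digest(tbs, n)


def make_cert(subject: str, issuer: str, issuer_priv: Tuple[int, int], subject_pub: Tuple[int, int],
              serial: int, not_before: int, not_after: int) -> dict:
    """Bind subject_pub to subject; the issuer signs every field except the signature."""
    tbs = {"subject": subject, "issuer": issuer, "serial": serial,
           "public_key": list(subject_pub), "not_before": not_before, "not_after": not_after}
    return {**tbs, "signature": toy_sign(issuer_priv, tbs)}


def _tbs(cert: dict) -> dict:
    return {k: v for k, v in cert.items() if k != "signature"}


def verify_chain(leaf: dict, pool: List[dict], anchors: List[dict],
                 crls: Dict[str, dict], now: int) -> Tuple[bool, str]:
    """Walk from the server certificate towards a trusted CA. At each link check the
    validity period, revocation against a fresh CRL from the issuer, and the issuer's
    signature. Anchors (the trusted-CA file) are trusted by configuration, so the walk
    stops as soon as a certificate verifies under an anchor's key."""
    by_subject = {c["subject"]: c for c in pool}
    anchor_by_subject = {c["subject"]: c for c in anchors}
    cert, hops = leaf, 0
    while hops <= len(pool):
        name, issuer_name = cert["subject"], cert["issuer"]
        if not cert["not_before"] <= now <= cert["not_after"]:
            return False, f"{name}: outside validity period"
        crl = crls.get(issuer_name)
        if crl is None or crl["next_update"] < now:
            return False, f"{name}: no fresh CRL from {issuer_name}"   # stale CRL: fail closed
        if cert["serial"] in crl["revoked"]:
            return False, f"{name}: revoked by {issuer_name}"
        issuer = anchor_by_subject.get(issuer_name) or by_subject.get(issuer_name)
        if issuer is None:
            return False, f"{name}: issuer {issuer_name} unknown"
        if not toy_verify(tuple(issuer["public_key"]), _tbs(cert), cert["signature"]):
            return False, f"{name}: signature does not verify under {issuer_name}"
        if issuer_name in anchor_by_subject:
            return True, f"chain verified up to trusted CA {issuer_name}"
        cert, hops = issuer, hops + 1
    return False, "chain too long"


def build_demo(now: int = 1000):
    """Constructed hierarchy CA1 (root) -> CA2 -> CA3 -> www, plus one fresh CRL per CA."""
    keys = {name: toy_keypair(i) for i, name in enumerate(["CA1", "CA2", "CA3", "www"], 1)}
    ca1 = make_cert("CA1", "CA1", keys["CA1"][1], keys["CA1"][0], 1, 0, 5000)
    ca2 = make_cert("CA2", "CA1", keys["CA1"][1], keys["CA2"][0], 2, 0, 4000)
    ca3 = make_cert("CA3", "CA2", keys["CA2"][1], keys["CA3"][0], 3, 0, 3000)
    www = make_cert("www", "CA3", keys["CA3"][1], keys["www"][0], 4, 500, 2000)
    crls = {ca: {"next_update": now + 100, "revoked": set()} for ca in ("CA1", "CA2", "CA3")}
    return www, [ca2, ca3], [ca1], crls


if __name__ == "__main__":
    www, pool, anchors, crls = build_demo()
    print(verify_chain(www, pool, anchors, crls, now=1000))
    crls["CA2"]["revoked"].add(3)          # CA2 revokes CA3's certificate
    print(verify_chain(www, pool, anchors, crls, now=1000))
```

Note that the root's own self-signature is never checked: CA1 is accepted because it is configured as a trust anchor, which is exactly why the trusted-CA file must be protected and kept current.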
Security Mechanisms
SSL provides the following security mechanisms:
• Connection privacy: SSL uses symmetric cryptography to encrypt application data. It uses the Rivest-Shamir-Adleman (RSA) algorithm (an asymmetric algorithm) to encrypt the key material from which the symmetric session key is derived, so that only the server holding the matching private key can recover it.
• Identity authentication: Digital certificates are used to authenticate a server and a client that need to communicate with each other. The SSL server and client use the mechanism provided by the public key infrastructure (PKI) to apply to a CA for a certificate.
• Message integrity: A keyed message authentication code (MAC) is used to verify message integrity during transmission. A MAC algorithm takes a key and a message of arbitrary length and produces a MAC of a fixed length.
A message sender uses a MAC algorithm and the shared key to compute a MAC over the message, appends it to the message, and sends both to the receiver. The receiver computes a MAC over the received message with the same key and algorithm and compares it with the received MAC. If the two MACs are the same, the message was not tampered with in transit; if they differ, the message was tampered with (or the two sides do not share the same key), and the receiver discards it.
Prerequisites
The PKI domain has been configured.
Applicable Environment
The SSL protocol uses data encryption, identity authentication, and message integrity checks to secure TCP-based application layer protocols. To use an AR200-S as an SSL server, configure a server SSL policy on the AR200-S. A server SSL policy can be applied to application layer protocols such as HTTP to provide secure connections.
Figure 11-2 AR200-S functions as an SSL server (figure: SSL client, AR200-S as SSL server)
As shown in Figure 11-2, the AR200-S functions as an SSL server and has a server SSL policy configured. During an SSL handshake, the AR200-S uses the SSL parameters in the server SSL policy to negotiate session parameters with an SSL client. After the handshake is complete, the AR200-S establishes a session with the client. The AR200-S is authenticated by the SSL client, but it cannot authenticate the client.
NOTE
When functioning as an SSL server, the AR200-S can communicate with SSL clients running SSL 3.0, TLS 1.0, or TLS 1.1. The AR200-S determines the SSL protocol version used for the connection and announces it to the client in the Server Hello message. SSL 3.0 has since been deprecated (RFC 7568), and the server SSL policy has no version setting, so configure the clients to offer TLS.
Procedure
Step 1 Run:
system-view
A PKI domain is specified for the server SSL policy. By default, no PKI domain is specified for a server SSL policy on the AR200-S.
NOTE
The AR200-S obtains a digital certificate from a CA in the specified PKI domain. Clients can then authenticate the AR200-S by checking the digital certificate.
The maximum number of sessions that can be saved and the timeout period of a saved session are set.
By default, a maximum of 32 sessions can be saved, and the timeout period of a saved session is 3600s.
Step 5 (Optional) Run:
ciphersuite { rsa_aes_128_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha } *
A cipher suite is specified. By default, a server SSL policy supports all four cipher suites: rsa_aes_128_cbc_sha, rsa_des_cbc_sha, rsa_rc4_128_md5, and rsa_rc4_128_sha. Only rsa_aes_128_cbc_sha meets current expectations: single DES uses a 56-bit key, and RC4 is prohibited for TLS (RFC 7465). Where the clients support AES, configure ciphersuite rsa_aes_128_cbc_sha alone so that the weaker suites cannot be negotiated.
----End
Example
# Run the display ssl policy policy-name command to view the configuration of the SSL policy server-users.
<Huawei> display ssl policy server-users
------------------------------------------------------------------------------
Policy name : server-users
Policy ID : 1
Policy type : Server
Cache number : 32
Time out(second) : 3600
Server certificate load status : loaded
Bind number : 1
SSL connection number : 1
------------------------------------------------------------------------------
Prerequisites
The PKI domain has been configured.
Applicable Environment
The SSL protocol uses data encryption, identity authentication, and message integrity checks to secure TCP-based application layer protocols. To use an AR200-S as an SSL client, configure a client SSL policy on the AR200-S. A client SSL policy can be applied to application layer protocols such as the CPE WAN Management Protocol (CWMP) to provide secure connections.
Figure 11-3 AR200-S functions as an SSL client (figure: AR200-S as SSL client, SSL server)
As shown in Figure 11-3, the AR200-S functions as an SSL client and has a client SSL policy configured. During an SSL handshake, the AR200-S uses the SSL parameters in the client SSL policy to negotiate session parameters with the SSL server. After the handshake is complete, the AR200-S establishes a session with the server. When functioning as an SSL client, the AR200-S does not present a certificate of its own, so SSL servers cannot authenticate it, but it can authenticate SSL servers. Enable server authentication in the client SSL policy: without it the server certificate is not checked, and anyone able to redirect the traffic can stand in for the server.
Procedure
Step 1 Run:
system-view
SSL server authentication is enabled. By default, SSL server authentication is disabled in a client SSL policy.
Step 4 Run:
pki-realm realm-name
A PKI domain is specified for the client SSL policy. By default, no PKI domain is specified for a client SSL policy on the AR200-S.
NOTE
The AR200-S obtains a CA certificate chain from CAs in the specified PKI domain. The AR200-S authenticates an SSL server by checking the server certificate and CA certificates against the CA certificate chain.
The SSL protocol version is specified. By default, a client SSL policy uses Transport Layer Security (TLS) version 1.0.
NOTE
Ensure that the specified SSL protocol version is supported by the SSL server. Before performing this step, check the SSL protocol versions that the SSL server supports.
A cipher suite is specified. By default, a client SSL policy uses all the cipher suites: rsa_aes_128_cbc_sha, rsa_des_cbc_sha, rsa_rc4_128_md5, and rsa_rc4_128_sha.
Ensure that the specified cipher suite is supported by the SSL server. Before performing this step, check the cipher suites that the SSL server supports.
----End
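The version and cipher suite choices described for the server policy (Server Hello) and the client policy above, as an added example that is not Huawei code. It models the server picking the newest version it supports that is not newer than the client's offer and the first suite in its own ciphersuite order that the client also lists, then audits the default policy. The IANA suite names and the RFC references are standard TLS facts; the Policy class, the assumption that ciphersuite order is preference order, and the inclusion of tls1.2 as a possible client offer are mine. On this platform the server policy has no version keyword, so for the server only the ciphersuite line is actionable.

```python
"""Server-side choice of protocol version and cipher suite for the policies in this
chapter, plus an audit of what the defaults allow. Added example, not Huawei code."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Oldest to newest. tls1.2 is included only so a newer client can be negotiated down.
VERSIONS = ["ssl3.0", "tls1.0", "tls1.1", "tls1.2"]
AR200S_SERVER_VERSIONS = ["ssl3.0", "tls1.0", "tls1.1"]    # from the NOTE above

# Huawei keyword -> (IANA suite name, bulk cipher, MAC hash)
SUITES = {
    "rsa_aes_128_cbc_sha": ("TLS_RSA_WITH_AES_128_CBC_SHA", "aes-128-cbc", "sha1"),
    "rsa_des_cbc_sha":     ("TLS_RSA_WITH_DES_CBC_SHA",     "des-cbc",     "sha1"),
    "rsa_rc4_128_md5":     ("TLS_RSA_WITH_RC4_128_MD5",     "rc4",         "md5"),
    "rsa_rc4_128_sha":     ("TLS_RSA_WITH_RC4_128_SHA",     "rc4",         "sha1"),
}


@dataclass
class Policy:
    name: str
    versions: List[str]                                   # server: accepted; client: offered
    ciphersuites: List[str] = field(default_factory=lambda: list(SUITES))  # default: all four


def negotiate(server: Policy, client: Policy) -> Tuple[Optional[str], Optional[str]]:
    """What the Server Hello would carry: (version, suite), None where nothing fits."""
    client_max = max(VERSIONS.index(v) for v in client.versions)
    usable = [v for v in server.versions if VERSIONS.index(v) <= client_max]
    version = max(usable, key=VERSIONS.index) if usable else None
    suite = next((s for s in server.ciphersuites if s in client.ciphersuites), None)
    return version, suite


def audit(policy: Policy) -> List[str]:
    """Findings a reviewer would raise against the policy as configured."""
    findings = []
    if "ssl3.0" in policy.versions:
        findings.append("ssl3.0: SSL 3.0 is deprecated (RFC 7568)")
    for keyword in policy.ciphersuites:
        iana, cipher, mac = SUITES[keyword]
        if cipher == "rc4":
            findings.append(f"{keyword} ({iana}): RC4 is prohibited in TLS (RFC 7465)")
        if cipher == "des-cbc":
            findings.append(f"{keyword} ({iana}): single DES has a 56-bit key")
        if mac == "md5":
            findings.append(f"{keyword} ({iana}): HMAC-MD5 record MAC")
    return findings


def hardened(policy: Policy) -> Policy:
    """The same policy with every version or suite that audit() flags removed."""
    versions = [v for v in policy.versions if v != "ssl3.0"]
    suites = [s for s in policy.ciphersuites if not audit(Policy("probe", [], [s]))]
    return Policy(policy.name, versions, suites)


def ciphersuite_command(policy: Policy) -> str:
    """The 'ciphersuite' line that restricts a policy to what it should offer."""
    return "ciphersuite " + " ".join(policy.ciphersuites)


if __name__ == "__main__":
    server = Policy("sslserver", AR200S_SERVER_VERSIONS)      # defaults: all four suites
    client = Policy("sslclient", ["tls1.0"])                  # client default version
    print("negotiated with default policies:", negotiate(server, client))
    for finding in audit(server):
        print("finding:", finding)
    tight = hardened(server)
    print("hardened:", tight.versions, ciphersuite_command(tight))
    print("negotiated after hardening:", negotiate(tight, client))
```

With the defaults on both sides the result is already TLS 1.0 with AES, because rsa_aes_128_cbc_sha comes first; the audit findings matter for the case where a client offers only RC4 or DES, which the default server policy would accept rather than refuse.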
Example
# Run the display ssl policy policy-name command to view the configuration of the SSL policy client-users.
<Huawei> display ssl policy client-users
------------------------------------------------------------------------------
Policy name : client-users
Policy ID : 3
Policy type : Client
Server verify : 1
CA certificate load status : loaded
CA certificate num : 1
Bind number : 1
SSL connection number : 1
------------------------------------------------------------------------------
Networking Environment
As shown in Figure 11-4, enterprise users use a web browser to connect to the Router. To prevent eavesdropping and tampering during data transmission, the network administrator requires users to use HTTPS to access the Router. To meet this requirement, configure the Router as an HTTPS server and configure a server SSL policy on the Router.
Figure 11-4 Networking diagram of the server SSL policy configuration (figure: Enterprise users, Internet, Router Eth1/0/0 11.1.1.1/24, CA 11.137.145.158/24)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a PKI entity and a PKI domain.
2. Configure a server SSL policy.
3. Configure the Router as an HTTPS server.
Data Preparation
To complete the configuration, you need the following data:
• Router's interface connected to the Internet: Ethernet1/0/0
• IP address of Ethernet1/0/0: 11.1.1.1/24
• IP address of the CA: 11.137.145.158/24
• PKI parameters, as shown in the following table.
Item: PKI entity
  PKI entity name: users
  Entity's common name: hello
  Entity's country code: CN
  Entity's province name: jiangsu
  Entity's organization name: huawei
  Entity's department name: info
Item: PKI domain
  PKI domain name: users
  Trusted CA: ca_root
  Certificate enrollment URL: http://11.137.145.158:8080/certsrv/mscep/mscep.dll ra
  Bound PKI entity: users
  CA fingerprint algorithm: SHA-1
  Fingerprint: 7bb05ada0482273388ed4ec228d79f77309ea3f4
• SSL parameters, as shown in the following table.
  Policy name: sslserver
  Maximum number of sessions: 40
  Session timeout period: 7200s
Before starting the configuration, ensure that routes between the Router, user hosts, and CA are reachable. Enrollment runs over plain HTTP, so the CA fingerprint configured in the PKI domain is what authenticates the CA certificate the Router receives: obtain the fingerprint out of band from the CA operator, not from the enrollment response itself.
Procedure
Step 1 Configure a PKI entity and a PKI domain. # Configure a PKI entity.
<Huawei> system-view
[Huawei] sysname Router
[Router] pki entity users
[Router-pki-entity-users] common-name hello
[Router-pki-entity-users] country CN
[Router-pki-entity-users] state jiangsu
[Router-pki-entity-users] organization huawei
[Router-pki-entity-users] organization-unit info
[Router-pki-entity-users] quit
NOTE
If the entity's common name (the certificate subject) is not the address that users type into the browser, here the Router's IP address 11.1.1.1, the browser warns that the certificate is invalid when the client opens the web page. The HTTPS connection still works, but the warning means the browser cannot confirm from the certificate that it is talking to the Router, so set the common name to the address that users connect to.
# Configure a PKI domain, and enable the automatic certificate enrollment and update function.
[Router] pki realm users
[Router-pki-realm-users] entity users
[Router-pki-realm-users] ca id ca_root
[Router-pki-realm-users] enrollment-url http://11.137.145.158:8080/certsrv/mscep/mscep.dll ra
[Router-pki-realm-users] fingerprint sha1 7bb05ada0482273388ed4ec228d79f77309ea3f4
[Router-pki-realm-users] auto-enroll regenerate
[Router-pki-realm-users] quit
Step 2 Configure a server SSL policy sslserver. # Create a server SSL policy and specify PKI domain users in the policy. This allows the Router to obtain a digital certificate from the CA specified in the PKI domain.
[Router] ssl policy sslserver type server
[Router-ssl-policy-sslserver] pki-realm users
# Set the maximum number of sessions that can be saved and the timeout period of a session.
[Router-ssl-policy-sslserver] session cachesize 40 timeout 7200
[Router-ssl-policy-sslserver] quit
Step 3 Configure the Router as an HTTPS server. # Apply the SSL policy sslserver to the HTTPS service.
[Router] http secure-server ssl-policy sslserver
Step 4 Verify the configuration. # Run the display ssl policy command to view the configuration of the SSL policy sslserver.
<Router> display ssl policy sslserver
------------------------------------------------------------------------------
Policy name : sslserver
Policy ID : 1
Policy type : Server
Cache number : 40
Time out(second) : 7200
Server certificate load status : loaded
Bind number : 1
SSL connection number : 1
------------------------------------------------------------------------------
# Start the web browser on a PC, and enter https://11.1.1.1:1278 in the address box (the HTTPS service listens on port 1278 in the configuration file that follows). The web management system of the Router is displayed, and you can manage the Router on the web pages.
----End
Example
Configuration file of the Router
#
 sysname Router
#
interface Ethernet 1/0/0
 ip address 11.1.1.1 255.255.255.0
#
pki entity users
 country CN
 state jiangsu
 organization huawei
 organization-unit info
 common-name hello
#
pki realm users
 ca id ca_root
 enrollment-url http://11.137.145.158:8080/certsrv/mscep/mscep.dll ra
 entity users
 auto-enroll regenerate
 fingerprint sha1 7bb05ada0482273388ed4ec228d79f77309ea3f4
#
ssl policy sslserver type server
 pki-realm users
 session cachesize 40 timeout 7200
#
 http secure-server ssl-policy sslserver
 http secure-server enable
 http secure-server port 1278
#
return
Networking Environment
As shown in Figure 11-5, the Router functions as a CPE that connects phones, fax machines, and switches. An ACS uses CWMP to manage and control the Router. The ACS functions as an SSL server and has obtained a digital certificate from the CA. You need to configure the Router as an SSL client to authenticate the ACS. This ensures privacy and integrity of data exchanged between the Router and the ACS.
Figure 11-5 Networking diagram of the client SSL policy configuration (figure: analog phone, IP phone, fax and PC behind an LSW; Router Eth1/0/0 11.1.1.1/24; Internet; ACS 11.2.2.58/24 managed over CWMP; CA 11.137.145.158/24)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a PKI entity and a PKI domain.
2. Configure a client SSL policy on the Router and enable SSL server authentication in the policy.
3. Apply the client SSL policy to the CWMP service so that the Router authenticates the ACS, ensuring data privacy and integrity.
4. Enable the Router to automatically initiate connections to the ACS and set the CWMP parameters, so that the ACS can manage and control the Router using CWMP.
Data Preparation
To complete the configuration, you need the following data:
• PKI domain name: cwmp0
• Client SSL policy name: sslclient
• IP address of the CA: 11.137.145.158/24
• URL of the ACS: https://www.acs.com:80/acs
• PKI parameters, as shown in the following table.
Item: PKI entity
  PKI entity name: cwmp0
  Entity's common name: hello
  Entity's country code: CN
  Entity's province name: jiangsu
  Entity's organization name: huawei
  Entity's department name: info
Item: PKI domain
  PKI domain name: cwmp0
  Trusted CA: ca_root
  Certificate enrollment URL: http://11.137.145.158:8080/certsrv/mscep/mscep.dll ra
  Bound PKI entity: cwmp0
  CA fingerprint algorithm: SHA-1
  Fingerprint: 7bb05ada0482273388ed4ec228d79f77309ea3f4
NOTE
Before starting the configuration, ensure that routes between the Router, ACS, and CA are reachable.
Procedure
Step 1 Configure a PKI entity and a PKI domain. # Configure a PKI entity.
<Huawei> system-view
[Huawei] sysname Router
[Router] pki entity cwmp0
[Router-pki-entity-cwmp0] common-name hello
[Router-pki-entity-cwmp0] country CN
[Router-pki-entity-cwmp0] state jiangsu
[Router-pki-entity-cwmp0] organization huawei
[Router-pki-entity-cwmp0] organization-unit info
[Router-pki-entity-cwmp0] quit
# Configure a PKI domain, and enable the automatic certificate enrollment and update function.
[Router] pki realm cwmp0
[Router-pki-realm-cwmp0] entity cwmp0
[Router-pki-realm-cwmp0] ca id ca_root
[Router-pki-realm-cwmp0] enrollment-url http://11.137.145.158:8080/certsrv/mscep/mscep.dll ra
[Router-pki-realm-cwmp0] fingerprint sha1 7bb05ada0482273388ed4ec228d79f77309ea3f4
[Router-pki-realm-cwmp0] auto-enroll regenerate
[Router-pki-realm-cwmp0] quit
For security reasons your password will not be saved in the configuration. Please make a note of it.
Choice no password, please enter the enter-key.
Please enter Password:
Start certificate enrollment ...
Certificate enrolling now, it will take a few minutes or more. Please wait...
[Router]
The certificate enroll successful.
NOTE
You will be prompted to enter the password during certificate enrollment. If you do not have a password, press Enter.
Step 5 Configure the Router to automatically initiate connections to the ACS. # Configure the URL used by the Router to connect to the ACS.
[Router-cwmp] cwmp acs url https://www.acs.com:80/acs
# Set the interval at which the Router sends Inform messages to 1000 seconds.
[Router-cwmp] cwmp cpe inform interval 1000
Step 6 Set CWMP parameters on the Router. # Configure the interface that the Router uses to connect to the ACS.
[Router-cwmp] cwmp cpe connect interface Ethernet 1/0/0
# Set the user name and password that the Router uses for authentication by the ACS.
[Router-cwmp] cwmp acs username newacsname [Router-cwmp] cwmp acs password newacspsw
# Configure the user name and password that the Router uses to authenticate the ACS.
[Router-cwmp] cwmp cpe username newcpename [Router-cwmp] cwmp cpe password newcpepsw
# Set the close-wait timer of the Router to 100 seconds. If no data is transmitted within 100 seconds, the connection is torn down.
[Router-cwmp] cwmp cpe wait timeout 100
Step 7 Verify the configuration. # Run the display current-configuration command. The command output shows that SSL has been successfully configured for CWMP.
<Router> display current-configuration
...
cwmp
 cwmp cpe inform interval enable
 cwmp acs url https://www.acs.com:80/acs
 cwmp acs username newacsname
 cwmp acs password newacspsw
 cwmp cpe username newcpename
 cwmp cpe password newcpepsw
 cwmp cpe inform interval 1000
 cwmp cpe connect retry 5
 cwmp cpe wait timeout 100
 cwmp cpe connect interface Ethernet 1/0/0
 cwmp ssl-client ssl-policy sslclient
...
# Run the display cwmp configuration command. The command output shows that CWMP is enabled, and the Router is configured to send Inform packets at intervals.
<Router> display cwmp configuration
CWMP is enabled
ACS URL:
ACS username:
ACS password:
Inform enable status:
Inform interval:
Inform time:
Wait timeout:
Reconnection times:
# Run the display cwmp status command. The command output shows that CWMP is enabled, and the CWMP connection status is connected.
<Router> display cwmp status
CWMP is enabled
ACS URL:
Acs information is set by:
ACS username:
ACS password:
Connection status:
Time of last successful connection:
----End
Example
Configuration file of the Router
#
 sysname Router
#
interface Ethernet 1/0/0
 ip address 11.1.1.1 255.255.255.0
#
cwmp
 cwmp cpe inform interval enable
 cwmp acs url https://www.acs.com:80/acs
 cwmp acs username newacsname
 cwmp acs password newacspsw
 cwmp cpe username newcpename
 cwmp cpe password newcpepsw
 cwmp cpe inform interval 1000
 cwmp cpe connect retry 5
 cwmp cpe wait timeout 100
 cwmp cpe connect interface Ethernet 1/0/0
 cwmp ssl-client ssl-policy sslclient
#
pki entity cwmp0
 country CN
 state jiangsu
 organization huawei
 organization-unit info
 common-name hello
#
pki realm cwmp0
 ca id ca_root
 enrollment-url http://11.137.145.158:8080/certsrv/mscep/mscep.dll ra
 entity cwmp0
 auto-enroll regenerate
 fingerprint sha1 7bb05ada0482273388ed4ec228d79f77309ea3f4
#
ssl policy sslclient type client
 server-verify enable
 pki-realm cwmp0
#
return
12 PKI Configuration
About This Chapter
12.1 PKI Overview
The Public Key Infrastructure (PKI) is a system that generates public keys and digital certificates and verifies the identities of certificate subjects to ensure information security. PKI provides a certificate management mechanism for the IP Security (IPSec) protocol and the Secure Sockets Layer (SSL) protocol.
12.2 PKI Features Supported by the AR200-S
On the AR200-S, you can configure PKI entities and PKI domains, enroll certificates manually or automatically, authenticate certificate validity, manage certificates, import or export certificates, and delete expired certificates.
12.3 Configuring a PKI Entity
A certificate binds a public key to a set of information that uniquely identifies a PKI entity. A PKI entity identifies a certificate applicant.
12.4 Configuring a PKI Domain
Before an entity applies for a PKI certificate, registration information needs to be configured for the entity. That set of registration information is the PKI domain of the entity.
12.5 Configuring Certificate Enrollment
Certificate enrollment is the process in which an entity registers with a CA and obtains a certificate from it. During this process, the entity provides the identity information and public key that will be placed in the certificate issued to it.
12.6 Configuring Certificate Authentication
Before a certificate is used, it must be authenticated.
12.7 Managing Certificates
Managing certificates includes deleting, importing, and exporting certificates, and configuring the default path where certificates are stored.
12.8 Configuration Examples
Definition
The public key infrastructure (PKI) is a system that generates public keys and digital certificates and verifies the identities of certificate subjects to ensure information security. PKI issues digital certificates that bind public keys to user identities through a certificate authority (CA). PKI lets users request, download, and revoke digital certificates. Beyond issuing certificates, PKI provides services such as revocation lists (blacklisting) to support confidentiality, integrity, non-repudiation, and authentication of data.
• Confidentiality: Data cannot be read by unauthorized users during transmission.
• Integrity: Data cannot be tampered with by unauthorized users during transmission without detection.
• Non-repudiation: A data sender cannot deny having sent a message or digital signature.
• Authentication: Communicating entities can be identified.
PKI provides information security on insecure networks and private networks. It can also securely transmit keys between users.
Digital Certificate
A digital certificate is a file signed by a certificate authority (CA) that binds a public key to a user identity. The CA's signature vouches for the validity and authority of the certificate. Digital certificates follow the ITU-T X.509 standard; X.509 v3 certificates are the ones in common use today. A certificate contains multiple fields, including the issuer name, the entity's public key, the signature of the issuing CA, and the validity period. Three types of digital certificate are described in this section:
• Local certificate: issued by a CA to an end entity such as the device itself.
• CA certificate: used to verify a CA's identity. If multiple CAs exist in the PKI system, they form a CA hierarchy. At the top of the hierarchy is a root CA, which has a self-signed certificate.
• Self-signed certificate: issued by a PKI device to itself. In a self-signed certificate, the issuer and the subject are the same.
If a CRL contains many revoked certificates, the CRL becomes large and costly to download and process. To avoid this problem, a CA publishes multiple CRLs and uses CRL distribution points (CDPs) to indicate where each CRL can be fetched.
Figure: PKI components (figure; labels surviving extraction: CA, certificate/CRL repository, CDP, "Issue CRL", "Certificate", "Operational interaction")
The public key infrastructure (PKI) system consists of the following components:
• PKI entity
A PKI entity is an end entity or a PKI management entity. An end entity is a certificate applicant or user. A PKI management entity is an authority that issues or manages certificates: certificate authorities (CAs), registration authorities (RAs), and certificate revocation list (CRL) issuers are PKI management entities. Sometimes an attribute authority (AA) functions as a CRL issuer.
• PKI repository
The PKI repository stores certificates and CRLs for PKI entities to query and manage.
• PKI protocol suite
The PKI protocol suite consists of the Public-Key Infrastructure (X.509) standards (PKIX) and the Public-Key Cryptography Standards (PKCS). PKIX is a series of IETF standards, produced by the IETF PKIX working group, that profile the ITU-T X.509 certificate and CRL formats for use on the Internet and define the protocols used between PKI entities and between a PKI entity and a PKI repository. These standards cover operation rules, certificate formats and content, CRL formats and content, cryptographic and signature algorithms, PKI policies, repository access protocols, and certificate management protocols. PKCS was developed by RSA Laboratories together with other security-system developers so that public-key cryptography systems can interoperate. It defines key and data formats, algorithms, application programming interfaces, abstract syntax, and encoding rules. The data formats and algorithms defined in PKCS are the basis of PKI implementations. The Rivest-Shamir-Adleman (RSA) algorithm is one of the most commonly used public-key algorithms. PKCS#1 defines the RSA cryptography specification, including the format of RSA public keys, the computation of digital signatures, the formats of signatures and of the data to be signed, and the syntax of public and private keys.
Other protocols Some protocols do not belong to the PKCS family, but PKCS uses encoding rules in these protocols to describe objects. These protocols include Abstract Syntax Notation One (ASN. 1), Distinguished Encoding Rules (DER), Basic Encoding Rules (BER), and Base64. ASN.1 (also called X.208) defines rules for describing the structure of objects and data structures in representing, encoding, transmitting, and decoding data.
License Support
The PKI function requires a license. To use the PKI function, apply for and purchase the following license from the Huawei local office:
- AR150&200 Value-Added Security Package
Applicable Environment
A certificate binds a public key to a set of information that uniquely identifies a PKI entity. A distinguished name (DN) of an entity is the identity information of the entity. The identity information provided by an entity uniquely identifies a certificate applicant.
Pre-configuration Tasks
None
Data Preparation
To configure a PKI entity, you need the following data.
No. 1: PKI entity's common name, fully qualified domain name (FQDN), or both (either one uniquely identifies a PKI entity)
No. 2: (Optional) PKI entity's country code, state name, organization name, department name, and IP address
Procedure
Step 1 Run:
system-view
Step 2 Run:
pki entity entity-name
A PKI entity is created and the PKI entity view is displayed. By default, no PKI entity is configured on the AR200-S.
Step 3 Run the following commands to configure the PKI entity identifiers:
- Run the common-name common-name command to configure the common name for the PKI entity. By default, no common name is configured on the AR200-S.
- Run the fqdn fqdn-name command to configure the FQDN for the PKI entity. By default, no FQDN is configured on the AR200-S.
Either the common name or the FQDN identifies a PKI entity, so configure at least one of them. The CA places this name in the subject of the issued certificate, so it must be the name the CA and the peers expect to see.
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
pki entity entity-name
The PKI entity view is displayed.
Step 3 Run:
country country-code
A country code is configured for the PKI entity. By default, no country code is configured for a PKI entity. Step 4 Run:
state state-name
A state name or province name is configured for the PKI entity. By default, no state name or province name is configured for a PKI entity. Step 5 Run:
organization organization-name
An organization name is configured for the PKI entity. By default, no organization name is configured for a PKI entity. Step 6 Run:
organization-unit organization-unit-name
A department name is configured for the PKI entity. By default, no department name is configured for a PKI entity. Step 7 Run:
ip-address ip-address
An IP address is configured for the PKI entity. By default, no IP address is configured for a PKI entity. ----End
Procedure
- Run the display pki entity [ entity-name ] command to check the PKI entity configuration.
----End
Applicable Environment
A PKI domain is the set of identity information a PKI entity needs in order to enroll a certificate. A PKI domain lets other applications, such as Internet Key Exchange (IKE) and Secure Sockets Layer (SSL), reference the PKI configuration by name. A PKI domain is local to the device on which it is configured; it is not visible to the CA or to other devices. Each PKI domain has its own parameters.
Pre-configuration Tasks
Before creating a PKI domain, complete the following task:
- Creating a PKI entity
Data Preparation
To configure a PKI domain, you need the following data.
No. 1: PKI domain name
No. 2: Bound PKI entity name
No. 3: Trusted CA name and enrollment URL
No. 4: (Optional) CA root certificate fingerprint
No. 5: (Optional) Certificate revocation password, Rivest-Shamir-Adleman (RSA) key length, and source IP address used for TCP connection setup
Procedure
Step 1 Run:
system-view
Step 2 Run:
pki realm realm-name
A PKI domain is created and the PKI domain view is displayed. By default, no PKI domain is configured on the AR200-S.
----End
Context
When a PKI entity sends a certificate request to a CA, the PKI entity must specify the used entity name to show its identity information to the CA.
Procedure
Step 1 Run:
system-view
Step 2 Run:
pki realm realm-name
The PKI domain view is displayed. By default, no PKI domain is configured on the AR200-S. Step 3 Run:
entity entity-name
A PKI entity is specified. By default, no PKI entity is specified on the AR200-S. ----End
Context
A registration authority (RA) receives registration requests from users, checks the users' certificate credentials, and decides whether the CA may issue digital certificates to them. An RA does not issue certificates; it only checks credentials. Sometimes the CA performs the registration function itself, so no independent RA is required.
Before an entity requests a certificate, an enrollment URL must be specified. The entity requests the certificate from the server at the enrollment URL using the Simple Certificate Enrollment Protocol (SCEP); specify the ra keyword when that server is an RA rather than the CA itself. SCEP is the protocol entities use to communicate with CAs. The enrollment URLs in this document's examples are plain http://, so the transport does not authenticate the server; the CA certificate fingerprint configured in the PKI domain is what protects the device against a substituted CA certificate.
Procedure
Step 1 Run:
system-view
Step 2 Run:
pki realm realm-name
The PKI domain view is displayed. By default, no PKI domain is configured on the AR200-S. Step 3 Run:
ca id ca-name
A trusted CA name is configured. By default, no trusted CA is configured on the AR200-S. Step 4 Run:
enrollment-url url [ interval minutes ] [ times count ] [ ra ]
An enrollment URL is configured. By default, no enrollment URL is configured on the AR200-S. ----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
pki realm realm-name
The PKI domain view is displayed. By default, no PKI domain is configured on the AR200-S.
Step 3 Run:
fingerprint { md5 | sha1 } fingerprint
The fingerprint used to authenticate the CA certificate is configured. The CA operator normally delivers the CA certificate fingerprint out of band, for example by email, and the device compares the fingerprint of the CA certificate it downloads through SCEP against this value. Because SCEP runs over unauthenticated HTTP, this comparison is the only thing that stops an attacker on the path to the enrollment URL from supplying a rogue CA certificate. Prefer sha1 over md5, and verify the fingerprint with the CA operator through a channel separate from the enrollment URL. By default, no CA certificate fingerprint is configured on the AR200-S.
----End
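The comparison the fingerprint step performs, written out as an added example (not Huawei code, and not the device's implementation). The CA certificate bytes are a constructed stand-in for a DER-encoded X.509 certificate; the fingerprint of a real certificate is the hash of its DER encoding, which is what a CA operator reads from the CA's own tooling. The function names and the hex-normalisation rules are this example's own assumptions.

```python
"""Out-of-band CA certificate fingerprint check, as done by
`fingerprint { md5 | sha1 }` before a CA certificate fetched over SCEP is trusted.

Added example, not Huawei code.  CA_CERT_DER is a constructed stand-in for a
DER-encoded X.509 CA certificate (the bytes are NOT a real certificate).
"""
import hashlib
import hmac

# Constructed stand-in for the DER-encoded CA certificate returned by SCEP GetCACert.
CA_CERT_DER = bytes.fromhex("308201a23082010b") + b"example-ca-certificate-body" * 8


def fingerprint(cert_der: bytes, algorithm: str) -> str:
    """Hex fingerprint of the DER encoding.  sha1 is preferred; md5 is kept only
    because the command accepts it, and MD5 collisions make it the weaker choice."""
    if algorithm not in ("md5", "sha1"):
        raise ValueError("fingerprint algorithm must be md5 or sha1")
    return hashlib.new(algorithm, cert_der).hexdigest()


def normalize(fp: str) -> str:
    """Accept the forms an operator is likely to paste: upper or lower case,
    colon- or space-separated byte groups."""
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")


def ca_certificate_trusted(cert_der: bytes, configured_fp: str, algorithm: str) -> bool:
    """Return True only if the downloaded CA certificate matches the configured
    fingerprint.  Without this check, an attacker on the path to the plain-HTTP
    enrollment URL could substitute a rogue CA certificate and later issue a
    certificate the device would accept as coming from its trusted CA."""
    expected = normalize(configured_fp)
    digest_len = {"md5": 32, "sha1": 40}[algorithm]
    if len(expected) != digest_len:
        return False  # a truncated or mistyped fingerprint fails closed; no prefix matching
    actual = fingerprint(cert_der, algorithm)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    fp = fingerprint(CA_CERT_DER, "sha1")
    print("sha1 fingerprint:", fp)
    print("genuine CA certificate accepted:", ca_certificate_trusted(CA_CERT_DER, fp.upper(), "sha1"))
    tampered = CA_CERT_DER[:-1] + bytes([CA_CERT_DER[-1] ^ 0x01])
    print("substituted CA certificate accepted:", ca_certificate_trusted(tampered, fp, "sha1"))
```

A fingerprint that is shorter than the digest is rejected outright rather than matched as a prefix, and the comparison is constant-time; both are cheap habits that matter more when the same code is reused for comparing other secrets.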
Procedure
Step 1 Run:
system-view
Step 2 Run:
pki realm realm-name
The PKI domain view is displayed. By default, no PKI domain is configured on the AR200-S. Step 3 Run:
password [ cipher ] password
A certificate revocation password is configured. This is the SCEP challenge password sent to the CA with the certificate request; the CA administrator asks for it before revoking the certificate, so record it somewhere safe. Use the cipher keyword so that the password is not stored in clear text in the configuration. By default, no certificate revocation password is configured on the AR200-S.
----End
Context
An RSA key pair consists of a public key and a private key. When host A requests a certificate, the certificate request carries host A's public key, and the issued certificate binds that public key to host A's identity. Host B then uses host A's public key to encrypt data sent to host A or to verify host A's signatures. Host A keeps the private key and uses it to decrypt data received from host B or to sign data sent to host B; the private key never leaves host A.
Procedure
Step 1 Run:
system-view
Step 2 Run:
pki realm realm-name
A PKI domain is configured. By default, no PKI domain is configured on the AR200-S. Step 3 Run:
rsa-key-size size
The RSA key length of certificates is set. By default, the RSA key length of certificates is 1024 bits on the AR200-S. A 1024-bit RSA key is no longer considered adequate; use 2048 bits or longer wherever the CA and the peers support it.
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
pki realm realm-name
The PKI domain view is displayed. By default, no PKI domain is configured on the AR200-S. Step 3 Run:
source interface interface-name
The source interface is specified. The AR200-S uses the IP address of this interface to set up a TCP connection. By default, the AR200-S uses an outbound interface's IP address as the source IP address for TCP connection setup. ----End
Procedure
l Run the display pki realm [ pki-realm-name ] command to check the PKI domain configuration.
----End
Applicable Environment
Certificates can be enrolled using the following methods:
- Manual certificate enrollment: The PKI device is configured to enroll a certificate with a CA when the administrator runs the enrollment command.
- Automatic certificate enrollment: The PKI device uses the Simple Certificate Enrollment Protocol (SCEP) to request a certificate from a CA as soon as the configuration required for enrollment is complete and no local certificate is available.
- Self-signed certificate enrollment: The PKI device issues a certificate to itself. A self-signed certificate is not vouched for by any CA, so a peer can only trust it by having its fingerprint or the certificate itself installed out of band.
Pre-configuration Tasks
Before configuring certificate enrollment, complete the following tasks:
- Creating a PKI entity
- Creating a PKI domain
Data Preparation
To configure certificate enrollment, you need the following data.
No. 1: PKI domain name and (optional) certificate request information in PKCS#10 format
No. 2: (Optional) Percentage of the certificate's validity period
No. 3: Self-signed certificate file name
Prerequisites
A PKI domain has been created and configured. For details, see 12.4 Configuring a PKI Domain.
Procedure
Step 1 Run:
system-view
Step 2 Run:
pki enroll-certificate pki-realm-name [ pkcs10 ]
Manual certificate enrollment is configured. If pkcs10 is specified, the entity applies to the CA for a certificate offline: it saves the certificate request in a PKCS#10 file, which is delivered to the CA out of band. If pkcs10 is not specified, the entity applies to the CA for a certificate online through SCEP. Step 3 (Optional) Run:
pki get-certificate { ca | local } pki-realm-name
A certificate is obtained. When a certificate is enrolled manually, the CA certificate and local certificate are downloaded and saved in the default path automatically. If the CA certificate or local certificate is deleted unexpectedly, run the pki get-certificate command to obtain the CA certificate or device certificate again. ----End
Prerequisites
A PKI domain has been created and configured. For details, see 12.4 Configuring a PKI Domain.
Procedure
Step 1 Run:
system-view
The automatic certificate enrollment and update function is enabled. After it is enabled, users do not need to enroll certificates manually: when an application needs a CA certificate or local certificate that is missing, or when the configured percentage of the validity period has elapsed, the system requests the certificate from the CA itself. ----End
Procedure
- Run the display pki certificate { local | ca } pki-realm-name [ verbose ] command to check certificate information.
- Run the display pki certificate enroll-status pki-realm-name command to view the certificate enrollment status.
----End
Applicable Environment
Before a certificate is used, it must be validated. The validation covers the certificate's validity period, its issuer, and its signature chain back to the trusted CA. A valid certificate must be within its validity period and must not have been revoked. A PKI entity uses one of the following methods to check the revocation status of the peer certificate:
- Certificate revocation list (CRL)
- Online Certificate Status Protocol (OCSP)
- None: The PKI entity does not check the peer certificate's revocation status, so a certificate the CA has revoked is still accepted until it expires.
Pre-configuration Tasks
Before configuring certificate authentication, complete the following task:
- Obtaining and enrolling a certificate
Data Preparation
To configure certificate authentication, you need the following data.
No. 1: PKI domain name
No. 2: (Optional) CDP URL and the interval at which the PKI entity downloads the CRL from the CRL storage server
No. 3: (Optional) OCSP server URL
Procedure
Step 1 Run:
system-view
Step 2 Run:
pki realm realm-name
The PKI domain view is displayed. By default, no PKI domain is configured on the AR200-S. Step 3 Run:
certificate-check { crl | none | ocsp }
The certificate check mode is configured. By default, the AR200-S checks certificates using CRLs. Use none only in a lab or when the CA publishes neither a CRL nor an OCSP responder: with none, revoking a compromised peer certificate at the CA has no effect on this device.
If CRL is used for certificate check, the CRL is downloaded from the CA's distribution point during certificate check unless a cached copy is in use. To use CRLs, perform the following operations as the network requires:
- Run:
cdp-url cdp-url
A CRL distribution point (CDP) URL used to obtain the CRL issued by the CA is configured. Certificates issued by the CA normally carry CDP information that specifies how and where to obtain the CRL, and the PKI entity uses that information to download it. If a CDP URL is configured in the PKI domain, the PKI entity obtains the CRL from the configured URL instead.
- Run:
crl cache
The AR200-S is configured to use the cached CRL for certificate check instead of downloading the CRL from the CA on every check. A cached CRL is only as current as its last download, so pair it with an update period.
- Run:
crl update-period hours
The interval at which the PKI entity downloads a fresh CRL from the CRL storage server is configured.
- Run:
quit
Return to the system view. If the cached CRL may be out of date, run:
pki get-crl pki-realm-name
The AR200-S downloads the latest CRL from the CA immediately.
To use OCSP for certificate check, perform the following operation:
- Run:
ocsp-url ocsp-url
The OCSP server's URL is configured. This URL overrides the OCSP responder address carried in the certificate.
----End
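The decision logic described in this section, as an added example that is not Huawei code and not the AR200-S implementation: validity period first, then revocation status according to the configured mode, with a cached CRL that is refreshed after the update period or when it reaches its nextUpdate time. Certificates and CRLs are small constructed records rather than parsed X.509 objects; the class and function names, and the rule that an unusable CRL yields "unknown" rather than "valid", are this example's own choices.

```python
"""Peer certificate status check modelled on certificate-check { crl | none | ocsp },
with a cached CRL (crl cache) and an update period (crl update-period).

Added example, not Huawei code.  Certificates and CRLs are constructed
dataclasses; a real implementation reads the serial, validity and CDP from
the DER certificate and downloads the CRL from the CDP URL.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Optional, Set


@dataclass
class Certificate:
    serial: int
    issuer: str
    not_before: datetime
    not_after: datetime


@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: Set[int] = field(default_factory=set)


class CertificateChecker:
    def __init__(self, mode: str,
                 fetch_crl: Callable[[], Optional[CRL]] = lambda: None,
                 ocsp_query: Callable[[int], Optional[str]] = lambda serial: None,
                 update_period: timedelta = timedelta(hours=24)):
        if mode not in ("crl", "ocsp", "none"):
            raise ValueError("certificate-check mode must be crl, none or ocsp")
        self.mode = mode
        self.fetch_crl = fetch_crl          # download from the CDP URL; None if unreachable
        self.ocsp_query = ocsp_query        # OCSP responder answer: "good", "revoked" or None
        self.update_period = update_period  # crl update-period hours
        self.cached: Optional[CRL] = None   # crl cache
        self.cached_at: Optional[datetime] = None

    def _usable_crl(self, now: datetime) -> Optional[CRL]:
        """Use the cached CRL until it reaches nextUpdate or the update period
        elapses, then try to refresh it (pki get-crl forces the same refresh)."""
        stale = (self.cached is None
                 or self.cached.next_update <= now
                 or now - self.cached_at >= self.update_period)
        if stale:
            fresh = self.fetch_crl()
            if fresh is not None:
                self.cached, self.cached_at = fresh, now
        crl = self.cached
        if crl is None or crl.next_update <= now:
            return None         # an expired CRL says nothing about today's revocations
        return crl

    def check(self, cert: Certificate, now: datetime) -> str:
        """Return 'valid', 'not-yet-valid', 'expired', 'revoked' or 'unknown'."""
        if now < cert.not_before:
            return "not-yet-valid"
        if now > cert.not_after:
            return "expired"
        if self.mode == "none":
            return "valid"      # revocation never consulted: a revoked peer still passes
        if self.mode == "ocsp":
            status = self.ocsp_query(cert.serial)
            return {"good": "valid", "revoked": "revoked"}.get(status, "unknown")
        crl = self._usable_crl(now)
        if crl is None or crl.issuer != cert.issuer:
            return "unknown"    # no usable CRL for this issuer: fail closed, not open
        return "revoked" if cert.serial in crl.revoked else "valid"


# Constructed sample data; the CA name follows the configuration example (ca_root).
CA_DN = "C=CN, O=huawei, CN=ca_root"
NOW = datetime(2012, 3, 30, 12, 0)


def later(days: int = 0, hours: int = 0) -> datetime:
    return NOW + timedelta(days=days, hours=hours)


def sample_cert(serial: int) -> Certificate:
    return Certificate(serial, CA_DN, later(days=-30), later(days=335))


def sample_crl(revoked: Set[int]) -> CRL:
    return CRL(CA_DN, later(hours=-1), later(hours=23), revoked)


if __name__ == "__main__":
    crl = sample_crl({0x2BA})
    checker = CertificateChecker("crl", fetch_crl=lambda: crl)
    print(checker.check(sample_cert(7), NOW))                 # valid
    print(checker.check(sample_cert(0x2BA), NOW))             # revoked
    print(checker.check(sample_cert(7), later(days=2)))       # unknown: CRL past nextUpdate
    print(CertificateChecker("none").check(sample_cert(0x2BA), NOW))  # valid: check disabled
```

The "unknown" result is deliberate: when the CDP is unreachable and the cached CRL has passed its nextUpdate, the checker refuses to report "valid", which is the behaviour to want from a device that authenticates IKE peers by certificate.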
Procedure
- Run the display pki certificate enroll-status pki-realm-name command to check the certificate enrollment status.
- Run the display pki crl pki-realm-name command to check CRL information.
----End
Procedure
Step 1 Run:
system-view
The default path and directory where the CA certificate, local certificate, and private key are stored are configured. By default, the CA certificate, local certificate, and private key are stored in flash:/. ----End
[Figure: networking for manual certificate enrollment. The AR200-S (PKI entity) requests its certificate from the CA.]
Table 12-1 Data plan
Item: PKI entity
- PKI entity name: user01
- Entity's common name: hello
- Entity's country code: CN
- Entity's province name: jiangsu
- Entity's organization name: huawei
- Entity's department name: info
Item: PKI domain
- PKI domain name: test
- Trusted CA name: ca_root
- Certificate's enrollment URL: http://10.137.145.158:8080/certsrv/mscep/mscep.dll
- Bound PKI entity name: user01
- CA's fingerprint algorithm: SHA-1
- Fingerprint: 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF
Configuration Roadmap
1. Configure a PKI entity to identify a certificate applicant.
2. Configure a PKI domain and specify the identity information required for certificate enrollment, including the trusted CA name, bound entity name, enrollment URL, and root certificate fingerprint.
3. Obtain a local certificate manually.
Procedure
Step 1 Configure interface IP addresses and routes to enable the PKI entity and the CA to communicate.
Step 2 Configure a PKI entity to identify a certificate applicant.
# Configure the PKI entity user01.
<Huawei> system-view
[Huawei] pki entity user01
[Huawei-pki-entity-user01] common-name hello
[Huawei-pki-entity-user01] country cn
[Huawei-pki-entity-user01] state jiangsu
[Huawei-pki-entity-user01] organization huawei
[Huawei-pki-entity-user01] organization-unit info
[Huawei-pki-entity-user01] quit
Step 3 Configure a PKI domain and specify the identity information required for certificate enrollment in the PKI domain.
# Configure the trusted CA, bound entity, enrollment URL, and root certificate fingerprint.
[Huawei] pki realm test
[Huawei-pki-realm-test] ca id ca_root
[Huawei-pki-realm-test] entity user01
[Huawei-pki-realm-test] enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
[Huawei-pki-realm-test] fingerprint sha1 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF
[Huawei-pki-realm-test] quit
Step 4 Request a local certificate manually.
[Huawei] pki enroll-certificate test
You will be prompted for the challenge password during certificate enrollment. If you do not have a password, press Enter.
Step 5 Verify the configuration. After the preceding configurations are complete, the CA issues a certificate to the PKI entity. In the certificate information, the subject CN (the "issued to" field) is the entity common name hello. Run the display pki certificate { local | ca } pki-realm-name [ verbose ] command on the PKI entity to view the certificate.
<Huawei> display pki certificate local test
Certificate Status : Available
Version: 3
Serial Number: 19 36 41 af 00 00 00 00 02 ba
Subject:
  C=CN
  ST=jiangsu
  O=huawei
  OU=info
  CN=hello
Associated Pki Realm : test
Total Number: 1
----End
Configuration Files
#
pki entity user01
 country CN
 state jiangsu
 organization huawei
 organization-unit info
 common-name hello
#
pki realm test
 ca id ca_root
 enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
 entity user01
[Figure: networking for IPSec with certificate authentication. RouterA (1.1.1.1, Group 1 subnet 10.1.1.0/24, host 10.1.1.2/24) and RouterB (2.2.2.1, Group 2 subnet 11.1.1.0/24, host 11.1.1.2/24) are connected over the Internet by an IPSec tunnel; both routers enroll with the CA.]
Table 12-2 Data plan of RouterA
Item: PKI entity
- PKI entity name: routera
- Entity's common name: helloa
- Entity's country code: CN
- Entity's province name: jiangsu
- Entity's organization name: huawei
- Entity's department name: info
Item: PKI domain
- PKI domain name: testa
- Trusted CA name: ca_root
- Certificate's enrollment URL: http://10.137.145.158:8080/certsrv/mscep/mscep.dll
- Bound entity name: routera
- CA's fingerprint algorithm: SHA-1
- Fingerprint: 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF
Item: IKE proposal
- Encryption algorithm: 3DES-CBC
- Authentication algorithm: SHA1
- Authentication method: Rivest-Shamir-Adleman (RSA) signature
Item: IKE peer
- IKE peer name: routera
- Local peer's ID type: IP address
- Local IP address: 1.1.1.1
- Remote IP address: 2.2.2.1
- Negotiation mode: main
Item: IPSec proposal
- Transport protocol: ESP
- Authentication algorithm: SHA1
- Encryption algorithm: 3DES
- Encapsulation mode: tunnel
Item: IPSec policy
- Security association (SA) triggering mode: automatic
Table 12-3 Data plan of RouterB
Item: PKI entity
- PKI entity name: routerb
- Entity's common name: hellob
- Entity's country code: CN
- Entity's province name: jiangsu
- Entity's organization name: huawei
- Entity's department name: marketing
Item: PKI domain
- PKI domain name: testb
- Trusted CA name: ca_root
- Certificate's enrollment URL: http://10.137.145.158:8080/certsrv/mscep/mscep.dll
- Bound entity name: routerb
- CA's fingerprint algorithm: SHA-1
- Fingerprint: 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF
Item: IKE proposal
- Encryption algorithm: 3DES-CBC
- Authentication method: RSA signature
- Authentication algorithm: SHA1
Item: IKE peer
- IKE peer name: routerb
- Negotiation mode: main
- Local peer's ID type: IP address
- Local IP address: 2.2.2.1
- Remote IP address: 1.1.1.1
Item: IPSec proposal
- Transport protocol: ESP
- Authentication algorithm: SHA1
- Encryption algorithm: 3DES
- Encapsulation mode: tunnel
Item: IPSec policy
- SA triggering mode: automatic
Configuration Roadmap
1. Configure a PKI entity to identify a certificate applicant.
2. Configure a PKI domain and specify the identity information required for certificate enrollment in the PKI domain.
3. Configure IKE to use a digital signature for identity authentication.
4. Configure IPSec to protect data flows between the two subnets.
5. Request a certificate and download it for IKE negotiation.
Procedure
Step 1 Configure interface IP addresses and routes to enable the IPSec peers and the CA to communicate.
Step 2 Configure a PKI entity.
# Configure RouterA.
<Huawei> system-view
[Huawei] pki entity routera
[Huawei-pki-entity-routera] common-name helloa
[Huawei-pki-entity-routera] country cn
[Huawei-pki-entity-routera] state jiangsu
[Huawei-pki-entity-routera] organization huawei
[Huawei-pki-entity-routera] organization-unit info
[Huawei-pki-entity-routera] quit
# Configure RouterB.
<Huawei> system-view
[Huawei] pki entity routerb
[Huawei-pki-entity-routerb] common-name hellob
[Huawei-pki-entity-routerb] country cn
[Huawei-pki-entity-routerb] state jiangsu
[Huawei-pki-entity-routerb] organization huawei
[Huawei-pki-entity-routerb] organization-unit marketing
[Huawei-pki-entity-routerb] quit
Step 3 Configure a PKI domain and specify the identity information required for certificate enrollment.
# Configure RouterA.
[Huawei] pki realm testa
[Huawei-pki-realm-testa] ca id ca_root
[Huawei-pki-realm-testa] entity routera
[Huawei-pki-realm-testa] enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
[Huawei-pki-realm-testa] fingerprint sha1 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF
[Huawei-pki-realm-testa] certificate-check none
[Huawei-pki-realm-testa] quit
# Configure RouterB.
[Huawei] pki realm testb
[Huawei-pki-realm-testb] ca id ca_root
[Huawei-pki-realm-testb] entity routerb
[Huawei-pki-realm-testb] enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
[Huawei-pki-realm-testb] fingerprint sha1 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF
[Huawei-pki-realm-testb] certificate-check none
[Huawei-pki-realm-testb] quit
certificate-check none disables revocation checking on both routers: a peer whose certificate the CA has revoked still passes IKE authentication. It keeps this example independent of a reachable CDP or OCSP server; in production, configure certificate-check crl with a cdp-url, or certificate-check ocsp with an ocsp-url, instead.
Step 4 Configure IKE to use a digital signature for identity authentication.
# Configure RouterA.
[Huawei] ike proposal 1
[Huawei-ike-proposal-1] encryption-algorithm 3des-cbc
[Huawei-ike-proposal-1] authentication-method rsa-signature
[Huawei-ike-proposal-1] authentication-algorithm sha1
[Huawei-ike-proposal-1] quit
[Huawei] ike peer routera v2
[Huawei-ike-peer-routera] ike-proposal 1
[Huawei-ike-peer-routera] local-address 1.1.1.1
[Huawei-ike-peer-routera] remote-address 2.2.2.1
[Huawei-ike-peer-routera] pki realm testa
[Huawei-ike-peer-routera] quit
# Configure RouterB.
[Huawei] ike proposal 1
[Huawei-ike-proposal-1] encryption-algorithm 3des-cbc
[Huawei-ike-proposal-1] authentication-method rsa-signature
[Huawei-ike-proposal-1] authentication-algorithm sha1
[Huawei-ike-proposal-1] quit
[Huawei] ike peer routerb v2
[Huawei-ike-peer-routerb] ike-proposal 1
[Huawei-ike-peer-routerb] local-address 2.2.2.1
[Huawei-ike-peer-routerb] remote-address 1.1.1.1
[Huawei-ike-peer-routerb] pki realm testb
[Huawei-ike-peer-routerb] quit
The pki realm bound to the IKE peer is the PKI domain whose local certificate and private key the router uses for the RSA signature, and whose trusted CA is used to verify the peer's certificate. 3DES-CBC and SHA1 are the algorithms in this example's data plan; where both peers support them, AES and SHA-2 are the stronger choice.
Step 5 Configure access control lists (ACLs) and define the data flows to be protected in the ACLs. # Configure RouterA.
[Huawei] acl 3000
[Huawei-acl-adv-3000] rule 5 permit ip source 1.1.1.1 0 destination 2.2.2.1 0
[Huawei-acl-adv-3000] rule 15 permit ip source 10.1.1.1 0 destination 11.1.1.1 0
[Huawei-acl-adv-3000] quit
# Configure RouterB.
[Huawei] acl 3000
[Huawei-acl-adv-3000] rule 5 permit ip source 2.2.2.1 0 destination 1.1.1.1 0
[Huawei-acl-adv-3000] rule 10 permit ip source 11.1.1.1 0 destination 10.1.1.1 0
[Huawei-acl-adv-3000] quit
Step 6 Configure IPSec to protect data flows between two subnets. # Configure RouterA.
[Huawei] ipsec proposal routera
[Huawei-ipsec-proposal-routera] transform esp
[Huawei-ipsec-proposal-routera] esp authentication-algorithm sha1
[Huawei-ipsec-proposal-routera] esp encryption-algorithm 3des
[Huawei-ipsec-proposal-routera] quit
[Huawei] ipsec policy routera 1 isakmp
[Huawei-ipsec-policy-isakmp-routera-1] security acl 3000
[Huawei-ipsec-policy-isakmp-routera-1] ike-peer routera
[Huawei-ipsec-policy-isakmp-routera-1] proposal routera
[Huawei-ipsec-policy-isakmp-routera-1] quit
# Configure RouterB.
[Huawei] ipsec proposal routerb
[Huawei-ipsec-proposal-routerb] transform esp
[Huawei-ipsec-proposal-routerb] esp authentication-algorithm sha1
[Huawei-ipsec-proposal-routerb] esp encryption-algorithm 3des
[Huawei-ipsec-proposal-routerb] quit
[Huawei] ipsec policy routerb 1 isakmp
[Huawei-ipsec-policy-isakmp-routerb-1] security acl 3000
[Huawei-ipsec-policy-isakmp-routerb-1] ike-peer routerb
[Huawei-ipsec-policy-isakmp-routerb-1] proposal routerb
[Huawei-ipsec-policy-isakmp-routerb-1] quit
Step 7 Apply the IPSec policy to the interface facing the peer.
# Configure RouterA.
[Huawei] interface Ethernet0/0/8
[Huawei-Ethernet0/0/8] ipsec policy routera
[Huawei-Ethernet0/0/8] quit
# Configure RouterB.
Apply the IPSec policy routerb in the same way to the interface with the IP address 2.2.2.1.
Step 8 Configure devices to request a certificate and download it for IKE negotiation. # Configure RouterA.
[Huawei] pki enroll-certificate testa
Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Choice no password ,please enter the enter-key.
Please enter Password:
Start certificate enrollment ...
Certificate is enrolling now,It will take a few minutes or more. Please waiting...
The certificate enroll successful.
# Configure RouterB.
[Huawei] pki enroll-certificate testb
Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Choice no password ,please enter the enter-key.
Please enter Password:
Start certificate enrollment ...
Certificate is enrolling now,It will take a few minutes or more. Please waiting...
The certificate enroll successful.
Step 9 Verify the configuration. Run the display ike sa v2 command on RouterA and RouterB to view IKE SA information. The command output shows that RouterA and RouterB have established an IKE SA and can ping each other successfully. The display on RouterA is as follows.
[Huawei] display ike sa v2
    Conn-ID  Peer            VPN   Flag(s)                Phase
  ---------------------------------------------------------------
    898      2.2.2.1         0     RD|ST                  2
    895      2.2.2.1         0     RD|ST                  1

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
[Huawei]
[Output placeholder: ping from RouterA to RouterB, five replies with round-trip times in ms, showing that the tunnel forwards traffic.]
If RouterA or RouterB has not obtained both the CA certificate and its own local certificate before IKE negotiation starts, the RSA-signature authentication fails and no IKE SA is established.
----End
Configuration Files
Configuration file of RouterA
#
 router id 1.1.1.1
#
acl number 3000
 rule 5 permit ip source 1.1.1.1 0 destination 2.2.2.1 0
 rule 15 permit ip source 10.1.1.1 0 destination 11.1.1.1 0
#
ipsec proposal routera
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-method rsa-signature
#
ike peer routera v2
 ike-proposal 1
 local-address 1.1.1.1
 remote-address 2.2.2.1
 pki realm testa
#
ipsec policy routera 1 isakmp
 security acl 3000
 ike-peer routera
 proposal routera
#
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface Ethernet0/0/8
 ip address 1.1.1.1 255.255.255.0
 ipsec policy routera
#
ospf 1
 area 0.0.0.0
#
pki entity routera
 country CN
 state jiangsu
 organization huawei
 organization-unit info
 common-name helloa
#
pki realm testa
 ca id ca_root
 enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
 entity routera
 fingerprint sha1 7a34d94624b1c1bcbf6d763c4a67035d5b578eaf
 certificate-check none
#
return
Configuration file of RouterB (PKI part)
#
pki realm testb
 ca id ca_root
 enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
 entity routerb
 fingerprint sha1 7a34d94624b1c1bcbf6d763c4a67035d5b578eaf
 certificate-check none
#
return
13 Keychain Configuration
About This Chapter
This chapter describes the keychain fundamentals. It also provides keychain configuration steps for the different parameters, along with a typical example.
13.1 Introduction to Keychain
13.2 Keychain Features Supported by the AR200-S
13.3 Configuring Basic Keychain Functions
This section describes how to configure the basic functions of the keychain module.
13.4 Configuring TCP Authentication Parameters
This section describes how to configure the TCP authentication parameters of the keychain module.
13.5 Configuration Examples
This section provides configuration examples of the keychain module.
send-key-id. There can be only one default send-key-id in a keychain. When any key-id becomes active, the application uses the newly active key-id instead of the default send-key-id. Similarly, when the active key-id becomes inactive and no other key-id is active, the application falls back to the default send-key-id.
- TCP kind and TCP algorithm-id configuration
TCP-based applications can communicate with other vendors' nodes over an authenticated TCP connection. For authenticated communication, TCP uses the TCP Enhanced Authentication Option. Different vendors currently use different kind values to represent this option type, so the kind value must be configurable and set to match the vendor of the peer. Similarly, the TCP Enhanced Authentication Option has an algorithm-id field that identifies the authentication algorithm. Because these algorithm-ids are not assigned by IANA, different vendors use different algorithm-ids for the same algorithm. To interoperate with another vendor's node, configure in the keychain the TCP algorithm-id that the peer uses for each algorithm. If either value differs between the two ends, the receiver cannot match the option to a key and the connection is not authenticated, so confirm both values against the peer's configuration.
Pre-configuration Tasks
Before configuring the keychain on the peer Routers, configure the Network Time Protocol (NTP) so that the time is consistent on the two Routers.
Data Preparation
To configure basic keychain features, you need the following data.
No. 1: Keychain name and timing mode
No. 2: Key-id of each key
No. 3: Key-string for each key-id
No. 4: Authentication algorithm for each key-id
No. 5: Send and receive time for each key-id
No. 6: Receive tolerance, if required
When creating a keychain, timing mode is mandatory. Once a keychain is created, to enter the keychain view timing mode need not be specified.
----End
Receive tolerance can be configured in the following two ways:
- Specifying a receive tolerance value in minutes, up to a maximum of 10 days (14400 minutes).
- Specifying an infinite receive tolerance using the infinite keyword.
----End
To configure a key-id in a keychain, a unique id within the keychain is required. This id should be an integer and the value ranges from 0 to 63.
----End
The key-string is the authentication string used when sending and receiving packets. A plain-text key-string is displayed unencrypted in the configuration; a cipher-text key-string is displayed in encrypted form. Both are case sensitive. Use the cipher form so that the shared secret is not exposed in display current-configuration output or in backed-up configuration files.
----End
Step 4 Run:
default send-key-id
The key-id is set as the default send-key-id of the keychain. It is used for sending whenever no key-id's send-time is active. Only one default send-key-id can exist in a keychain.
----End
The steps are the same in every timing mode; only the keychain mode keyword and the form of the send-time differ.
1. Run:
system-view
2. Run one of the following commands, depending on the timing mode:
keychain keychain-name mode absolute
keychain keychain-name mode periodic daily
keychain keychain-name mode periodic weekly
keychain keychain-name mode periodic monthly
keychain keychain-name mode periodic yearly
The keychain is created in the chosen timing mode and the keychain view is entered.
3. Run:
key-id key-id
The key-id view is entered.
4. Run the send-time command, giving the start and end time in the form the timing mode requires (an absolute date and time, or a daily, weekly, monthly, or yearly period).
The send-time for the key-id is configured.
The send-time of a key-id is interpreted according to the timing mode defined for the keychain. Only one send key-id in a keychain can be active at a time, so the send-times of different key-ids in a keychain must not overlap. To re-configure a send-time, first undo the send-time that is currently configured.
----End
The steps are the same in every timing mode; only the keychain mode keyword and the form of the receive-time differ.
1. Run:
system-view
2. Run one of the following commands, depending on the timing mode:
keychain keychain-name mode absolute
keychain keychain-name mode periodic daily
keychain keychain-name mode periodic weekly
keychain keychain-name mode periodic monthly
keychain keychain-name mode periodic yearly
The keychain is created in the chosen timing mode and the keychain view is entered.
3. Run:
key-id key-id
The key-id view is entered.
4. Run the receive-time command, giving the start and end time in the form the timing mode requires.
The receive-time for the key-id is configured.
The receive-time of a key-id is interpreted according to the timing mode defined for the keychain: absolute, daily periodic, weekly periodic, monthly periodic, or yearly periodic. The receive-time is widened by the receive tolerance of the keychain, which is what lets the peers roll from one key to the next without dropping packets while their clocks differ slightly. To re-configure a receive-time, first undo the receive-time that is currently configured.
----End
Pre-configuration Tasks
Before configuring the Keychain feature on the peer Routers, configure the Network Time Protocol (NTP) so that the time is consistent on the two Routers.
Data Preparation
To configure basic keychain features, you need the following data.
No.  Data
1    Keychain name
2    TCP kind value
3    TCP algorithm ID for each authentication algorithm
The TCP kind value for the keychain is configured. The range of the kind-value can be <28-255>.
NOTE
TCP uses the TCP Enhanced Authentication Option for authenticated communication. The kind value that identifies the TCP Enhanced Authentication Option type for a keychain can be configured.
----End
The algorithm-id that identifies the authentication algorithm type in the TCP Enhanced Authentication Option for a keychain can be configured.
----End
Prerequisites
The configurations of the keychain are complete.
Procedure
- Run the display keychain keychain-name command to view the current configuration of a keychain.
- Run the display keychain keychain-name key-id key-id command to view the current configuration of a key-id inside a keychain.
----End
Example
After the keychain configuration is complete, run the display keychain keychain-name command to view the current configuration of a keychain, for example:
<Huawei> display keychain earth
Keychain Information:
--------------------
Keychain Name          : earth
Timer Mode             : Absolute
Receive Tolerance(min) : 0
TCP Kind               : 254
TCP Algorithm IDs      :
  HMAC-MD5             : 5
  HMAC-SHA1-12         : 2
  HMAC-SHA1-20         : 6
  MD5                  : 3
  SHA1                 : 4
Number of Key IDs      : 0
Active Send Key ID     : None
Active Receive Key IDs : None
Default send Key ID    : Not configured
After the keychain configuration is complete, run the display keychain keychain-name key-id key-id command to view the current configuration of a key-id inside a keychain, for example:
<Huawei> display keychain earth key-id 1
Keychain Information:
--------------------
Keychain Name          : earth
Timer Mode             : Absolute
Receive Tolerance(min) : 100
TCP Kind               : 182
TCP Algorithm IDs      :
  HMAC-MD5             : 5
  HMAC-SHA1-12         : 2
  HMAC-SHA1-20         : 6
  MD5                  : 17
  SHA1                 : 4
Key ID Information:
------------------
Key ID                 :
Key string             :
Algorithm              :
SEND TIMER
  Start time           :
  End time             :
  Status               :
RECEIVE TIMER
[Figure: RouterA (Eth0/0/8, 192.168.1.1/24) connected to RouterB (Eth0/0/8, 192.168.1.2/24)]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure keychain basic functions.
2. Configure the application RIP on both Routers to use the keychain.
Data Preparation
To complete the configuration, you need the following data:
- keychain name
- key-id
- algorithm and key-string
- send and receive time
- receive tolerance
Procedure
Step 1 Configure RouterA.
# Configure keychain authentication.
<RouterA> system-view
[RouterA] keychain huawei mode absolute
[RouterA-keychain] receive-tolerance 100
[RouterA-keychain] key-id 1
[RouterA-keychain-keyid-1] algorithm md5
[RouterA-keychain-keyid-1] key-string plain hello
[RouterA-keychain-keyid-1] send-time utc 14:40 2008-10-10 to 14:50 2008-10-10
[RouterA-keychain-keyid-1] receive-time utc 14:30 2008-10-10 to 14:50 2008-10-10
[RouterA-keychain-keyid-1] quit
----End
Configuration File
- Configuration file of RouterA
#
 sysname RouterA
#
interface Ethernet0/0/8
 ip address 192.168.1.1 255.255.255.0
 rip authentication-mode md5 nonstandard keychain huawei
#
keychain huawei mode absolute
 receive-tolerance 100
 key-id 1
  algorithm md5
  key-string plain hello
  send-time utc 14:40 2008-10-10 to 14:50 2008-10-10
  receive-time utc 14:30 2008-10-10 to 14:50 2008-10-10
#
return
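The key-id rules stated earlier in this chapter (one active send key-id, non-overlapping send-times and receive-times, a receive-tolerance that widens the receive window) applied to the RouterA keychain in the configuration file above, as an added Python example that is not Huawei code. The class and function names are mine, and so is the assumption that the tolerance is applied at both ends of the receive window.

```python
from datetime import datetime, timedelta

# Added example (not Huawei code): a model of key-id selection for a keychain in
# absolute timing mode, applying the rules stated in this chapter: only one send
# key-id is active at a time, send-times and receive-times of different key-ids
# must not overlap, and receive-tolerance widens the receive window.
# Assumption not stated on the page: the tolerance is applied at both ends.
# Class, function and parameter names are my own.

FMT = "%H:%M %Y-%m-%d"   # the 'HH:MM YYYY-MM-DD' order used by send-time/receive-time


def when(text):
    """Parse a UTC timestamp written the way the CLI commands write it."""
    return datetime.strptime(text, FMT)


def window(start, end):
    """Build a half-open [start, end) window from two CLI timestamps."""
    s, e = when(start), when(end)
    if e <= s:
        raise ValueError("end time must be after start time")
    return s, e


def overlaps(a, b):
    """True when two half-open windows share any instant."""
    return a[0] < b[1] and b[0] < a[1]


class Keychain:
    def __init__(self, name, receive_tolerance_min=0):
        self.name = name
        self.tolerance = timedelta(minutes=receive_tolerance_min)
        self.keys = {}   # key-id -> {"algorithm", "send", "receive"}

    def add_key(self, key_id, algorithm, send, receive):
        """Reject a key-id whose timers overlap an existing key-id."""
        for other, k in self.keys.items():
            if overlaps(send, k["send"]):
                raise ValueError(f"send-time overlaps key-id {other}")
            if overlaps(receive, k["receive"]):
                raise ValueError(f"receive-time overlaps key-id {other}")
        self.keys[key_id] = {"algorithm": algorithm, "send": send, "receive": receive}

    def active_send_key(self, now):
        """The single key-id whose send-time covers now, or None."""
        for key_id, k in self.keys.items():
            if k["send"][0] <= now < k["send"][1]:
                return key_id
        return None

    def active_receive_keys(self, now):
        """Key-ids accepted on receipt, with receive-tolerance applied."""
        return [key_id for key_id, k in self.keys.items()
                if k["receive"][0] - self.tolerance <= now
                < k["receive"][1] + self.tolerance]


def router_a_keychain():
    """The keychain 'huawei' from the RouterA configuration file above."""
    kc = Keychain("huawei", receive_tolerance_min=100)
    kc.add_key(1, "md5",
               window("14:40 2008-10-10", "14:50 2008-10-10"),
               window("14:30 2008-10-10", "14:50 2008-10-10"))
    return kc


if __name__ == "__main__":
    kc = router_a_keychain()
    print(kc.active_send_key(when("14:45 2008-10-10")))      # 1
    print(kc.active_receive_keys(when("13:00 2008-10-10")))  # [1]
```

With the 100-minute tolerance, key-id 1 is accepted on receipt from 12:50 to 16:30 although it is sent only between 14:40 and 14:50, which is why NTP consistency between the peers matters for this feature.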
port) of the Router, the Router sends the packets directly to the CPU. As a result, Router CPU and system resources are wasted, which is the aim of a DoS attack. To prevent such attacks, a switch controls each of these services and protocols: if the protocol is enabled, its packets are sent; if it is disabled, its packets are discarded. In this way protocol packets are controlled and application layer association is implemented. Some protocols support a whitelist: the application layer association module inspects the protocol packets being sent and allows them larger bandwidth and a higher rate when they match the whitelist.
determines whether the total length of the offset is larger than 65515. If so, the packets are discarded.
A repeated fragmented packet attack sends the same packet fragments many times, either resending identical fragments or sending fragments that carry the same offset but different contents. As a result, the system fails to reassemble the packet fragments and CPU usage becomes excessively high. To defend against repeated fragmented packet attacks, the AR200-S restricts the rate at which packet fragments are sent on the interface board, which keeps the CPU from being attacked; the rate is a configurable Committed Access Rate (CAR).
- Defense against flood attacks
  Flood attacks include TCP SYN flood attacks, UDP flood attacks (including fraggle attacks and UDP diagnosis port attacks), and ICMP flood attacks. The AR200-S defends against TCP SYN flood attacks and ICMP flood attacks by restricting their rate so that CPU resources are not exhausted. To defend against UDP flood attacks, the AR200-S discards UDP packets with port numbers 7, 13, and 19.
NOTE
Attack defense configurations take effect only on the main control board.
The application layer association module supports SNMP, HW-TACACS, NTP, SSH, DHCP, 802.1x, and PIM protocols and supports HTTP server, Telnet server, STelnet server, FTP server, SFTP server, BFD, UDP helper, and VRRP services.
NOTE
You can configure application layer association for different protocols and services.
Applicable Environment
Different types of attacks on a network overload network devices and can even cause them to fail, affecting network services.
To prevent the network devices from being attacked and to ensure normal network services, defense against abnormal packet attacks must be configured.
Pre-configuration Tasks
Before configuring defense against abnormal packet attacks, complete the following tasks:
- Set the link layer protocol parameters (and the IP address) of the interface so that the link protocol status is Up.
Data Preparation
None.
Context
Do as follows on the router:
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the anti-attack abnormal enable command to enable defense against abnormal packet attacks.
Defense against abnormal packet attacks is enabled by default. If it has been disabled, run the command to enable it.
----End
Prerequisites
The configurations of the abnormal packet attack defense are complete.
Procedure
Step 1 Run the display anti-attack statistics abnormal command to check the statistics of defense against abnormal packet attacks on the interface board.
----End
Example
After the configuration is complete, run the display anti-attack statistics abnormal command to check the statistics of defense against abnormal packet attacks on the interface board.
<Huawei> display anti-attack statistics abnormal
Packets Statistic Information:
-------------------------------------------------------------------------------
AntiAtkType      TotalPacketNum      DropPacketNum      PassPacketNum
                   (H)     (L)        (H)     (L)        (H)     (L)
-------------------------------------------------------------------------------
Abnormal             0       0          0       0          0       0
-------------------------------------------------------------------------------
Applicable Environment
Different types of attacks on a network overload network devices and can even cause them to fail, affecting network services. To prevent the network devices from being attacked and to ensure normal network services, defense against packet fragment attacks must be configured.
Pre-configuration Tasks
Before configuring defense against packet fragment attacks, complete the following tasks:
- Set the link layer protocol parameters (and the IP address) of the interface so that the link protocol status is Up.
Data Preparation
To configure defense against packet fragment attacks, you need the following data:
No.  Data
1    Restricted rate of packet fragments
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Step 2 Defense against packet fragment attacks is enabled.
Defense against packet fragment attacks is enabled by default, so you need to configure only the restricted rate. If it has been disabled, run the command to enable it.
Step 3 Run:
anti-attack fragment car cir cir
Prerequisites
The configurations of the fragmented packet attack defense are complete.
Procedure
Step 1 Run the display anti-attack statistics fragment command to check the statistics of defense against packet fragment attacks on the interface board.
----End
Example
After the configuration is complete, run the display anti-attack statistics fragment command to check the statistics of defense against packet fragment attacks on the interface board.
<Huawei> display anti-attack statistics fragment
Packets Statistic Information:
-------------------------------------------------------------------------------
AntiAtkType      TotalPacketNum      DropPacketNum      PassPacketNum
                   (H)     (L)        (H)     (L)        (H)     (L)
-------------------------------------------------------------------------------
Fragment             0       0          0       0          0       0
-------------------------------------------------------------------------------
Applicable Environment
Different types of attacks on a network overload network devices and can even cause them to fail, affecting network services. To prevent the network devices from being attacked and to ensure normal network services, defense against flood attacks must be configured.
Pre-configuration Tasks
Before configuring defense against flood attacks, complete the following tasks:
- Set the link layer protocol parameters (and the IP address) of the interface so that the link protocol status is Up.
Data Preparation
To configure defense against flood attacks, you need the following data:
No.  Data
1    Restricted rate for TCP SYN packets and restricted rate for ICMP flood packets
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Step 2 Defense against SYN flood attacks is enabled.
Defense against SYN flood attacks is enabled by default, so you need to configure only the restricted rate. If it has been disabled, run the command to enable it.
Step 3 Run:
anti-attack tcp-syn car cir cir
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Step 2 Defense against UDP flood attacks is enabled.
Defense against UDP flood attacks is enabled by default. If it has been disabled, run the command to enable it.
----End
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Step 2 Defense against ICMP flood attacks is enabled.
Defense against ICMP flood attacks is enabled by default, so you need to configure only the restricted rate. If it has been disabled, run the command to enable it.
Step 3 Run:
anti-attack icmp-flood car cir cir
Prerequisites
The configurations of the flood attack defense are complete.
Procedure
Step 1 Run the display anti-attack statistics [ tcp-syn | udp-flood | icmp-flood ] command to check the statistics of defense against flood attacks on the interface board.
----End
Example
After the configuration is complete, run the display anti-attack statistics [ tcp-syn | udp-flood | icmp-flood ] command to check the statistics of defense against flood attacks on the interface board.
<Huawei> display anti-attack statistics tcp-syn
Packets Statistic Information:
-------------------------------------------------------------------------------
AntiAtkType      TotalPacketNum      DropPacketNum      PassPacketNum
                   (H)     (L)        (H)     (L)        (H)     (L)
-------------------------------------------------------------------------------
Tcp-syn              0       0          0       0          0       0
-------------------------------------------------------------------------------
<Huawei> display anti-attack statistics udp-flood
Packets Statistic Information:
-------------------------------------------------------------------------------
AntiAtkType      TotalPacketNum      DropPacketNum      PassPacketNum
                   (H)     (L)        (H)     (L)        (H)     (L)
-------------------------------------------------------------------------------
Udp-flood            0       0          0       0          0       0
-------------------------------------------------------------------------------
<Huawei> display anti-attack statistics icmp-flood
Packets Statistic Information:
-------------------------------------------------------------------------------
AntiAtkType      TotalPacketNum      DropPacketNum      PassPacketNum
                   (H)     (L)        (H)     (L)        (H)     (L)
-------------------------------------------------------------------------------
Icmp-flood           0       0          0       0          0       0
-------------------------------------------------------------------------------
Applicable Environment
To prevent network devices from being attacked by the packets of idle protocols, and to prevent a busy network, excessively high CPU usage, and DoS attacks, application layer association is required and the idle protocol modules must be disabled. The packets of those protocols are then discarded without being sent to the CPU, so the CPU works normally.
Pre-configuration Tasks
Before configuring application layer association, complete the following tasks:
- Set the link layer protocol parameters (and the IP address) of the interface so that the link protocol status is Up.
Data Preparation
To configure application layer association, you need the following data.
No.  Data
1    Protocols to be enabled or disabled
2    Policy for packets that do not match the application layer association module
Context
The application layer association module uses a switch to control whether application layer association is enabled for each protocol. If the protocol is enabled, its packets are sent; if it is disabled, its packets are discarded directly. To prevent attacks through the packets of idle protocols, disable those protocol modules. If a protocol must stay enabled, and therefore cannot filter invalid packets, use the rate restriction function to limit the rate at which its packets are sent and protect the CPU from attack.
Do as follows on the router:
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 For all the protocols and functions covered by application layer association, enable the necessary protocols and disable the idle protocols to prevent attacks on the CPU.
Step 3 (Optional) Run the application-apperceive default drop command to discard packets for which no application layer association policy is found.
----End
Context
CAUTION
The statistics cannot be recovered if cleared. Perform the action with caution.
Procedure
Step 1 Run the reset anti-attack statistics [ abnormal | fragment | tcp-syn | udp-flood | icmp-flood ] command to clear the statistics of defense against packet attacks.
----End
Networking Requirements
As shown in Figure 14-1, Router B as a client is connected to Router A on the public network. To prevent Router A from being attacked by TCP/IP attack packets sent by a hacker on the LAN, the following attack defense measures must be used on Router A.
- Enable defense against packet fragment attacks and restrict the rate for sending packet fragments to 15000 bit/s, to prevent packet fragments from attacking the CPU and using excessive CPU and system resources.
- Enable defense against flood attacks as follows:
  - Enable defense against SYN flood attacks and restrict the rate for sending TCP SYN packets to 15000 bit/s, to prevent TCP SYN packets from using excessive CPU resources.
  - Enable defense against UDP flood attacks to discard the UDP packets sent on specified ports.
  - Enable defense against ICMP flood attacks and restrict the rate for sending ICMP flood packets to 15000 bit/s, to prevent ICMP flood packets from using excessive CPU resources.
[Figure 14-1 Networking diagram: Internet; Router A, Eth0/0/7 100.111.1.1/24; Router B, Eth0/0/7 100.111.1.2/24, VLAN300; VLAN100 and VLAN200 with a hacker and users]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the IP addresses and routes of each interface to guarantee internetworking.
2. Enable defense against abnormal packet attacks on Router A.
3. Enable defense against packet fragment attacks on Router A.
4. Enable defense against flood attacks on Router A.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure the IP addresses and routes of each interface to guarantee internetworking (omitted).
Step 2 Enable defense against abnormal packet attacks on Router A.
<RouterA> system-view
[RouterA] anti-attack abnormal enable
Step 3 Enable defense against packet fragment attacks on Router A and restrict the rate for sending packet fragments to 15000 bit/s.
[RouterA] anti-attack fragment enable
[RouterA] anti-attack fragment car cir 15000
Step 4 Enable defense against flood attacks on Router A.
# Enable defense against SYN flood attacks on Router A and restrict the rate for sending TCP SYN packets to 15000 bit/s.
[RouterA] anti-attack tcp-syn enable
[RouterA] anti-attack tcp-syn car cir 15000
# Enable defense against UDP flood attacks on Router A to discard the UDP packets sent on specified ports.
[RouterA] anti-attack udp-flood enable
# Enable defense against ICMP flood attacks on Router A and restrict the rate for sending ICMP flood packets to 15000 bit/s.
[RouterA] anti-attack icmp-flood enable
[RouterA] anti-attack icmp-flood car cir 15000
Step 5 Verify the configuration.
After the configuration is complete, run the display anti-attack statistics [ abnormal | fragment | tcp-syn | udp-flood | icmp-flood ] command to check the statistics of packet attack defense.
<RouterA> display anti-attack statistics
Packets Statistic Information:
-------------------------------------------------------------------------------
AntiAtkType      TotalPacketNum      DropPacketNum      PassPacketNum
                   (H)     (L)        (H)     (L)        (H)     (L)
-------------------------------------------------------------------------------
URPF                 0       0          0       0          0       0
Abnormal             0       0          0       0          0       0
Fragment             0       0          0       0          0       0
Tcp-syn              0      30          0       0          0      30
Udp-flood            0       0          0       0          0       0
Icmp-flood           0      40          0       0          0      40
-------------------------------------------------------------------------------
----End
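An added example, not from the manual, that parses the display anti-attack statistics table shown in Step 5 and flags defense types that are dropping packets, the check an operator would run after this configuration. The sample output is constructed (the page's own sample shows no drops), and treating the (H)/(L) columns as the high and low 32-bit halves of a 64-bit counter is my assumption.

```python
import re

# Added example (not Huawei code): parse the "display anti-attack statistics"
# table and report defense types that drop packets. Assumption: the (H) and (L)
# columns are the high and low 32-bit halves of each 64-bit counter.

# Constructed sample output modelled on the table in this chapter; the
# Fragment and Udp-flood rows were edited to show non-zero drop counters.
SAMPLE = """\
<RouterA> display anti-attack statistics
Packets Statistic Information:
-------------------------------------------------------------------------------
AntiAtkType      TotalPacketNum      DropPacketNum      PassPacketNum
                   (H)     (L)        (H)     (L)        (H)     (L)
-------------------------------------------------------------------------------
URPF                 0       0          0       0          0       0
Abnormal             0       0          0       0          0       0
Fragment             0     120          0      80          0      40
Tcp-syn              0      30          0       0          0      30
Udp-flood            1       5          1       5          0       0
Icmp-flood           0      40          0       0          0      40
-------------------------------------------------------------------------------
"""

# A data row: a type name followed by exactly six integers (H/L pairs).
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")


def parse_anti_attack_statistics(text):
    """Map each AntiAtkType to its 64-bit total, drop and pass counters."""
    counters = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue            # prompt, headings and separators are skipped
        name, *halves = m.groups()
        h = [int(x) for x in halves]
        counters[name] = {
            "total": (h[0] << 32) | h[1],
            "drop": (h[2] << 32) | h[3],
            "pass": (h[4] << 32) | h[5],
        }
    return counters


def dropping_types(counters, min_drop_ratio=0.0):
    """(name, drop, total) for types whose drop share exceeds min_drop_ratio."""
    hits = []
    for name, c in counters.items():
        if c["total"] and c["drop"] / c["total"] > min_drop_ratio:
            hits.append((name, c["drop"], c["total"]))
    return hits


def drop_increase(before, after):
    """Growth of the drop counter per type between two polls of the command."""
    return {name: after[name]["drop"] - before[name]["drop"]
            for name in after if name in before}


if __name__ == "__main__":
    stats = parse_anti_attack_statistics(SAMPLE)
    for name, drop, total in dropping_types(stats):
        print(f"{name}: dropped {drop} of {total}")
```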
Configuration Files
- Configuration file of Router A
#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 ip address 100.111.1.1 255.255.255.252
#
 anti-attack fragment car cir 15000
 anti-attack tcp-syn car cir 15000
 anti-attack icmp-flood car cir 15000
#
return