
Huawei AR200-S Series Enterprise Routers V200R002C00

Configuration Guide - Security


Issue 02
Date 2012-03-30

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2012. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions


The Huawei logo and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com

Issue 02 (2012-03-30)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

Huawei AR200-S Series Enterprise Routers Configuration Guide - Security


About This Document


Purpose
This document describes the basic concepts, configuration procedures, and configuration examples for the security features supported by the AR200-S in different application scenarios.

Intended Audience
This document is intended for:
- Data configuration engineers
- Commissioning engineers
- Network monitoring engineers
- System maintenance engineers

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol: Description
DANGER: Indicates a hazard with a high level of risk which, if not avoided, will result in death or serious injury.
WARNING: Indicates a hazard with a medium or low level of risk which, if not avoided, could result in minor or moderate injury.
CAUTION: Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
TIP: Indicates a tip that may help you solve a problem or save time.
NOTE: Provides additional information to emphasize or supplement important points of the main text.


Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention: Description
Boldface: The keywords of a command line are in boldface.
Italic: Command arguments are in italics.
[ ]: Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }: Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]: Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*: Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*: Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>: The parameter before the & sign can be repeated 1 to n times.
#: A line starting with the # sign is a comment.

Interface Numbering Conventions


Interface numbers used in this manual are examples. In device configuration, use the existing interface numbers on devices.

Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.

Changes in Issue 02 (2012-03-30)


Based on issue 01 (2011-12-30), the document is updated as follows. The following information is modified:
- 2.2 HTTPS Features Supported by the AR200-S
- 13.3.5 Configuring key-string of a key-id


Changes in Issue 01 (2011-12-30)


Initial commercial release.


Contents
About This Document ..... ii

1 AAA Configuration ..... 1
  1.1 AAA Overview ..... 2
  1.2 AAA Features Supported by the AR200-S ..... 2
  1.3 Configuring Local Authentication and Authorization ..... 5
    1.3.1 Establishing the Configuration Task ..... 6
    1.3.2 Configuring a Local User ..... 6
    1.3.3 Configuring Authentication and Authorization Schemes ..... 8
    1.3.4 Configuring a Domain ..... 9
    1.3.5 Checking the Configuration ..... 10
  1.4 Configuring RADIUS AAA ..... 11
    1.4.1 Establishing the Configuration Task ..... 11
    1.4.2 Configuring AAA Schemes ..... 12
    1.4.3 Configuring a RADIUS Server Template ..... 14
    1.4.4 Configuring a Domain ..... 16
    1.4.5 Checking the Configuration ..... 18
  1.5 Configuring HWTACACS AAA ..... 18
    1.5.1 Establishing the Configuration Task ..... 18
    1.5.2 Configuring AAA Schemes ..... 20
    1.5.3 Configuring an HWTACACS Server Template ..... 22
    1.5.4 Configuring a Domain ..... 25
    1.5.5 Checking the Configuration ..... 26
  1.6 Maintaining AAA ..... 27
    1.6.1 Clearing the Statistics ..... 27
  1.7 Configuration Examples ..... 28
    1.7.1 Example for Configuring RADIUS Authentication, Authorization, and Accounting ..... 28
    1.7.2 Example for Configuring HWTACACS Authentication, Authorization, and Accounting ..... 31

2 HTTPS Configuration ..... 35
  2.1 HTTPS Overview ..... 36
  2.2 HTTPS Features Supported by the AR200-S ..... 36
  2.3 Configuring the AR200-S as an HTTPS Server ..... 36
  2.4 Configuration Examples ..... 38
    2.4.1 Example for Configuring the Router as an HTTPS Server ..... 38

3 Firewall Configuration ..... 42
  3.1 Firewall Overview ..... 44
  3.2 Firewall Features Supported by the AR200-S ..... 44
  3.3 Configuring Zones ..... 50
    3.3.1 Establishing the Configuration Task ..... 50
    3.3.2 Creating a Zone ..... 51
    3.3.3 Adding an Interface to the Zone ..... 51
    3.3.4 Creating an Interzone ..... 52
    3.3.5 Enabling Firewall in the Interzone ..... 52
    3.3.6 Checking the Configuration ..... 53
  3.4 Configuring the Packet Filtering Firewall ..... 53
    3.4.1 Establishing the Configuration Task ..... 53
    3.4.2 Configuring ACL-based Packet Filtering in an Interzone ..... 54
    3.4.3 Checking the Configuration ..... 55
  3.5 Configuring the Blacklist ..... 55
    3.5.1 Establishing the Configuration Task ..... 55
    3.5.2 Enabling the Blacklist Function ..... 56
    3.5.3 Adding IP Addresses to the Blacklist Manually ..... 56
    3.5.4 Configuring Blacklist and Whitelist Using the Configuration File ..... 57
    3.5.5 Checking the Configuration ..... 58
  3.6 Configuring the Whitelist ..... 58
    3.6.1 Establishing the Configuration Task ..... 58
    3.6.2 Adding Entries to the Whitelist Manually ..... 59
    3.6.3 Configuring Blacklist and Whitelist Using the Configuration File ..... 60
    3.6.4 Checking the Configuration ..... 61
  3.7 Configuring ASPF ..... 61
    3.7.1 Establishing the Configuration Task ..... 61
    3.7.2 Configuring ASPF Detection ..... 62
    3.7.3 Checking the Configuration ..... 62
  3.8 Configuring Port Mapping ..... 63
    3.8.1 Establishing the Configuration Task ..... 63
    3.8.2 Configuring Port Mapping ..... 64
    3.8.3 Checking the Configuration ..... 64
  3.9 Configuring the Aging Time of the Firewall Session Table ..... 65
    3.9.1 Establishing the Configuration Task ..... 65
    3.9.2 Configuring the Aging Time of the Firewall Session Table ..... 65
    3.9.3 Checking the Configuration ..... 66
  3.10 Configuring the Attack Defense Function ..... 67
    3.10.1 Establishing the Configuration Task ..... 67
    3.10.2 Enabling the Attack Defense Function ..... 67
    3.10.3 Setting the Parameters for Flood Attack Defense ..... 70
    3.10.4 Configuring Large ICMP Packet Attack Defense ..... 70
    3.10.5 Setting Parameters for Scanning Attack Defense ..... 71
    3.10.6 Checking the Configuration ..... 72
  3.11 Configuring Traffic Statistics and Monitoring ..... 72
    3.11.1 Establishing the Configuration Task ..... 73
    3.11.2 Enabling Traffic Statistics and Monitoring ..... 74
    3.11.3 Setting the Session Thresholds ..... 74
    3.11.4 Checking the Configuration ..... 76
  3.12 Configuring the Log Function ..... 76
    3.12.1 Establishing the Configuration Task ..... 77
    3.12.2 Enabling the Log Function on the Firewall ..... 77
    3.12.3 Setting the Log Parameters ..... 78
    3.12.4 Checking the Configuration ..... 79
  3.13 Maintaining the Firewall ..... 79
    3.13.1 Displaying the Firewall Configuration ..... 79
    3.13.2 Clearing the Firewall Statistics ..... 80
  3.14 Configuration Examples ..... 81
    3.14.1 Example for Configuring the ACL-based Packet Filtering Firewall ..... 81
    3.14.2 Example for Configuring ASPF and Port Mapping ..... 83
    3.14.3 Example for Configuring the Blacklist ..... 86

4 Traffic Suppression Configuration ..... 90
  4.1 Traffic Suppression Overview ..... 91
  4.2 Traffic Suppression Features Supported by the AR200-S ..... 91
  4.3 Configuring Traffic Suppression ..... 91
    4.3.1 Establishing the Configuration Task ..... 91
    4.3.2 Configuring Traffic Suppression on an Interface ..... 92
    4.3.3 Checking the Configuration ..... 92
  4.4 Configuration Examples ..... 93
    4.4.1 Example for Setting the CIR Value for Traffic Suppression ..... 93

5 NAC Configuration ..... 95
  5.1 NAC Overview ..... 96
  5.2 NAC Features Supported by the AR200-S ..... 96
  5.3 Configuring 802.1x Authentication ..... 97
    5.3.1 Establishing the Configuration Task ..... 97
    5.3.2 Enabling Global 802.1x Authentication ..... 98
    5.3.3 Enabling 802.1x Authentication on an Interface ..... 98
    5.3.4 (Optional) Setting the 802.1x Authentication Mode ..... 99
    5.3.5 (Optional) Setting the Access Method on an Interface ..... 100
    5.3.6 (Optional) Configuring the Authorization Status of an Interface ..... 101
    5.3.7 (Optional) Setting the Maximum Number of Concurrent Access Users on an Interface ..... 102
    5.3.8 (Optional) Enabling 802.1x Authentication Triggered by DHCP Messages ..... 103
    5.3.9 (Optional) Setting Values of Timers Used in 802.1x Authentication ..... 103
    5.3.10 (Optional) Configuring the Quiet Timer Function ..... 104
    5.3.11 (Optional) Configuring 802.1x Re-authentication ..... 104
    5.3.12 (Optional) Configuring a Guest VLAN for 802.1x Authentication ..... 106
    5.3.13 (Optional) Configuring a Restrict VLAN for 802.1x Authentication ..... 107
    5.3.14 (Optional) Enabling the Handshake Function ..... 108
    5.3.15 (Optional) Setting the Maximum Number of Times the AR200-S Sends Authentication Requests ..... 108
    5.3.16 Checking the Configuration ..... 109
  5.4 Maintaining NAC ..... 109
    5.4.1 Clearing the Statistics on 802.1x Authentication ..... 109
    5.4.2 Clearing the Statistics on MAC Address Authentication ..... 110
  5.5 Configuration Examples ..... 110
    5.5.1 Example for Configuring 802.1x Authentication ..... 110

6 ARP Security Configuration ..... 114
  6.1 ARP Security Overview ..... 115
  6.2 ARP Security Supported by the AR200-S ..... 115
  6.3 Configuring ARP Entry Limiting ..... 117
    6.3.1 Establishing the Configuration Task ..... 117
    6.3.2 Enabling Strict ARP Learning ..... 118
    6.3.3 Configuring Interface-based ARP Entry Limiting ..... 118
    6.3.4 Checking the Configuration ..... 119
  6.4 Configuring ARP Anti-attack ..... 120
    6.4.1 Establishing the Configuration Task ..... 120
    6.4.2 Configuring ARP Anti-spoofing ..... 121
    6.4.3 Configuring the AR200-S to Check Source MAC Address Consistency in ARP Packets ..... 121
    6.4.4 Configuring ARP Gateway Anti-collision ..... 122
    6.4.5 Configuring the AR200-S to Send Gratuitous ARP Packets ..... 122
    6.4.6 Checking the Configuration ..... 124
  6.5 Configuring ARP Suppression ..... 125
    6.5.1 Establishing the Configuration Task ..... 125
    6.5.2 Configuring Source IP Address-based ARP Packet Suppression ..... 126
    6.5.3 Configuring Rate Limit of ARP Packets ..... 127
    6.5.4 Configuring Source IP Address-based ARP Miss Packet Suppression ..... 128
    6.5.5 Configuring Rate Limiting of ARP Miss Packets ..... 129
    6.5.6 Configuring Source MAC Address-based ARP Packet Suppression ..... 129
    6.5.7 Setting the Aging Time of Fake ARP Entries ..... 130
    6.5.8 (Optional) Setting the Rate Limit of Broadcasting ARP Packets on the VLANIF Interface of a Super-VLAN ..... 131
    6.5.9 Checking the Configuration ..... 131
  6.6 Maintaining ARP Security ..... 132
    6.6.1 Displaying the Statistics on ARP Packets ..... 132
    6.6.2 Clearing the Statistics on ARP Packets ..... 132
    6.6.3 Clearing the Statistics on Discarded ARP Packets ..... 133
  6.7 Configuration Examples ..... 133
    6.7.1 Example for Configuring ARP Security Functions ..... 133

7 ICMP Security Configuration ..... 139
  7.1 ICMP Security Overview ..... 140
  7.2 ICMP Security Features Supported by the AR200-S ..... 140
  7.3 Limiting the Rate of ICMP Packets ..... 140
  7.4 Configuring the AR200-S to Discard Specified ICMP Packets ..... 142
    7.4.1 Establishing the Configuration Task ..... 142
    7.4.2 Configuring the AR200-S to Discard the ICMP Packets with TTL Value of 1 ..... 142
    7.4.3 Configuring the AR200-S to Discard the ICMP Packets with Options ..... 143
    7.4.4 Configuring the AR200-S to Discard ICMP Destination-Unreachable Packets ..... 143
    7.4.5 Checking the Configuration ..... 144
  7.5 Disabling the AR200-S from Sending Destination-Unreachable Packets ..... 144
  7.6 Maintaining ICMP Security ..... 145
  7.7 Configuration Examples ..... 146
    7.7.1 Example for Disabling the AR200-S from Sending Host-Unreachable Packets ..... 146
    7.7.2 Example for Optimizing System Performance by Discarding Certain ICMP Packets ..... 148

8 IP Address Anti-spoofing Configuration ..... 151
  8.1 IP Address Anti-spoofing Overview ..... 152
  8.2 IP Source Address-based Attack Defense Features Supported by the AR200-S ..... 152
  8.3 Configuring URPF ..... 153
  8.4 Configuration Examples ..... 154
    8.4.1 Example for Configuring URPF ..... 154

9 Local Attack Defense Configuration ..... 157
  9.1 Local Attack Defense Overview ..... 158
  9.2 Local Attack Defense Features Supported by the AR200-S ..... 158
  9.3 Configuring Attack Source Tracing ..... 159
  9.4 Configuring CPU Attack Defense ..... 161
    9.4.1 Establishing the Configuration Task ..... 161
    9.4.2 Creating an Attack Defense Policy ..... 162
    9.4.3 (Optional) Configuring a Blacklist ..... 163
    9.4.4 (Optional) Configuring the Rate Limit for Packets Sent to the CPU ..... 163
    9.4.5 (Optional) Setting the Priority of Protocol Packets ..... 164
    9.4.6 (Optional) Configuring the Rate Limit for All Packets Sent to the CPU ..... 164
    9.4.7 (Optional) Configuring the Rate Limit for Packets After ALP Is Enabled ..... 165
    9.4.8 Applying the Attack Defense Policy ..... 165
    9.4.9 Checking the Configuration ..... 166
  9.5 Maintaining the Attack Defense Policy ..... 166
9.5.1 Clearing Statistics on Packets Sent to the CPU.....................................................................................167 9.5.2 Clearing Attack Source Information......................................................................................................167 9.6 Configuration Examples.................................................................................................................................167 Issue 02 (2012-03-30) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. ix

Huawei AR200-S Series Enterprise Routers Configuration Guide - Security

Contents

9.6.1 Example for Configuring an Attack Defense Policy.............................................................................167

10 ACL Configuration..................................................................................................................173
10.1 ACL Overview.............................................................................................................................................174 10.2 ACL Features Supported by the AR200-S...................................................................................................174 10.3 Configuring a Basic ACL.............................................................................................................................177 10.3.1 Establishing the Configuration Task...................................................................................................177 10.3.2 (Optional) Creating a Time Range for a Basic ACL...........................................................................178 10.3.3 Creating a Basic ACL..........................................................................................................................178 10.3.4 Configuring a Basic ACL Rule...........................................................................................................180 10.3.5 Applying a Basic ACL........................................................................................................................181 10.3.6 Checking the Configuration.................................................................................................................183 10.4 Configuring an Advanced ACL....................................................................................................................183 10.4.1 Establishing the Configuration Task...................................................................................................184 10.4.2 (Optional) Creating a Time Range for an Advanced ACL..................................................................185 10.4.3 Creating an Advanced ACL................................................................................................................186 10.4.4 Configuring an Advanced ACL 
Rule..................................................................................................187 10.4.5 Applying an Advanced ACL...............................................................................................................189 10.4.6 Checking the Configuration.................................................................................................................190 10.5 Configuring a Layer 2 ACL..........................................................................................................................191 10.5.1 Establishing the Configuration Task...................................................................................................191 10.5.2 (Optional) Creating a Time Range for a Layer 2 ACL........................................................................192 10.5.3 Creating a Layer 2 ACL......................................................................................................................193 10.5.4 Configuring a Layer 2 ACL Rule........................................................................................................194 10.5.5 Applying a Layer 2 ACL.....................................................................................................................195 10.5.6 Checking the Configuration.................................................................................................................196 10.6 Configuration Examples...............................................................................................................................197 10.6.1 Example for Configuring a Basic ACL to Limit Access to the FTP Server........................................197 10.6.2 Example for Using Advanced ACLs to Configure the Firewall Function..........................................199 10.6.3 Example for Using a Layer 2 ACL to Configure Traffic Classification.............................................203

11 SSL Configuration...................................................................................................................206
11.1 SSL Overview...............................................................................................................................................207 11.2 SSL Features Supported by the AR200-S....................................................................................................209 11.3 Configuring a Server SSL Policy.................................................................................................................209 11.4 Configuring a Client SSL Policy..................................................................................................................211 11.5 Configuration Examples...............................................................................................................................213 11.5.1 Example for Configuring a Server SSL Policy...................................................................................213 11.5.2 Example for Configuring a Client SSL Policy....................................................................................216

12 PKI Configuration...................................................................................................................222
12.1 PKI Overview...............................................................................................................................................223 12.2 PKI Features Supported by the AR200-S.....................................................................................................224 12.3 Configuring a PKI Entity..............................................................................................................................226 Issue 02 (2012-03-30) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. x
12.3.1 Establishing the Configuration Task ... 226
12.3.2 Configuring a PKI Entity Identifier ... 227
12.3.3 (Optional) Configuring PKI Entity Attributes ... 227
12.3.4 Checking the Configuration ... 228
12.4 Configuring a PKI Domain ... 229
12.4.1 Establishing the Configuration Task ... 229
12.4.2 Creating a PKI Domain ... 229
12.4.3 Configuring a PKI Entity Name ... 230
12.4.4 Configuring the Trusted CA Name and Enrollment URL ... 230
12.4.5 (Optional) Configuring CA Certificate Fingerprint ... 231
12.4.6 (Optional) Configuring a Certificate Revocation Password ... 232
12.4.7 (Optional) Configuring the RSA Key Length of Certificates ... 232
12.4.8 (Optional) Configuring a Source IP Address for TCP Connection Setup ... 233
12.4.9 Checking the Configuration ... 233
12.5 Configuring Certificate Enrollment ... 234
12.5.1 Establishing the Configuration Task ... 234
12.5.2 Configuring Manual Certificate Enrollment ... 234
12.5.3 Configuring Automatic Certificate Enrollment and Update ... 235
12.5.4 Creating a Self-signed Certificate or Local Certificate ... 236
12.5.5 Checking the Configuration ... 236
12.6 Configuring Certificate Authentication ... 236
12.6.1 Establishing the Configuration Task ... 236
12.6.2 Configuring the Certificate Check Mode ... 237
12.6.3 Checking Certificate Validity ... 238
12.6.4 Checking the Configuration ... 239
12.7 Managing Certificates ... 239
12.7.1 Deleting a Certificate ... 239
12.7.2 Importing a Certificate ... 239
12.7.3 Exporting a Certificate ... 240
12.7.4 Configuring the Default Path Where Certificates Are Stored ... 240
12.8 Configuration Examples ... 240
12.8.1 Example for Configuring Manual Certificate Enrollment ... 240
12.8.2 Example for Configuring PKI in IPSec ... 243

13 Keychain Configuration ... 252

13.1 Introduction to Keychain ... 253
13.2 Keychain Features Supported by the AR200-S ... 253
13.3 Configuring Basic Keychain Functions ... 254
13.3.1 Establishing the Configuration Task ... 254
13.3.2 Creating a Keychain ... 255
13.3.3 Configuring Receive Tolerance of a Keychain ... 255
13.3.4 Configuring a key-id in a Keychain ... 256
13.3.5 Configuring key-string of a key-id ... 256
13.3.6 Configuring Authentication Algorithm of a key-id ... 257
13.3.7 Configuring a key-id as the Default send-key-id ... 257
13.3.8 Configuring send-time of a key-id ... 258
13.3.9 Configuring receive-time of a key-id ... 260
13.3.10 Checking the Configuration ... 262
13.4 Configuring TCP Authentication Parameters ... 263
13.4.1 Establishing the Configuration Task ... 263
13.4.2 Configuring TCP Kind of a Keychain ... 264
13.4.3 Configuring TCP Algorithm-id in a Keychain ... 264
13.4.4 Checking the Configuration ... 264
13.5 Configuration Examples ... 266
13.5.1 Example for Configuring Keychain Authentication for Non-TCP Application ... 266

14 Configuration of Attack Defense and Application Layer Association ... 269

14.1 Overview to Attack Defense and Application Layer Association ... 270
14.1.1 Overview of Attack Defense and Application Layer Association ... 270
14.1.2 Attack Defense and Application Layer Association Supported by AR200-S ... 271
14.2 Configuring Abnormal Packet Attack Defense ... 272
14.2.1 Establishing the Configuration Task ... 272
14.2.2 Enabling Defense Against Abnormal Packet Attacks ... 273
14.2.3 Checking the Configuration ... 273
14.3 Configuring Fragmented Packet Attack Defense ... 274
14.3.1 Establishing the Configuration Task ... 274
14.3.2 Configuring Defense Against Packet Fragment Attacks ... 274
14.3.3 Checking the Configuration ... 275
14.4 Configuring Flood Attack Defense ... 275
14.4.1 Establishing the Configuration Task ... 276
14.4.2 Configuring Defense Against SYN Flood Attacks ... 276
14.4.3 Configuring Defense Against UDP Flood Attacks ... 277
14.4.4 Configuring Defense Against ICMP Flood Attacks ... 277
14.4.5 Checking the Configuration ... 278
14.5 Configuring Application Layer Association ... 278
14.5.1 Establishing the Configuration Task ... 278
14.5.2 Configuring Application Layer Association ... 279
14.6 Maintenance Attack Defense and Application Layer Association ... 280
14.6.1 Clearing Statistics of Attack Defense and Application Layer Association ... 280
14.7 Configuration Example ... 280
14.7.1 Example of Configuring Attack Defense ... 280


1 AAA Configuration

About This Chapter

The AAA-capable AR200-S checks validity of users and delivers rights to authorized users to ensure network security.

1.1 AAA Overview
Authentication, Authorization, and Accounting (AAA) is a security technology.

1.2 AAA Features Supported by the AR200-S
The AR200-S supports RADIUS and HWTACACS authentication, authorization, and accounting (AAA), and also local authentication and authorization.

1.3 Configuring Local Authentication and Authorization
After local authentication and authorization are configured, the AR200-S authenticates and authorizes access users based on user information.

1.4 Configuring RADIUS AAA
RADIUS is often used to implement authentication, authorization, and accounting (AAA). RADIUS uses the client/server model and protects a network from unauthorized access. It is often used in network environments that require high security and control of remote user access.

1.5 Configuring HWTACACS AAA
Similar to RADIUS, HWTACACS uses the client/server model to communicate with the HWTACACS server, implementing authentication, authorization, and accounting (AAA) for access users. Compared with RADIUS, HWTACACS is more reliable in transmission and encryption and is therefore more suitable for security control.

1.6 Maintaining AAA
Clearing the Statistics

1.7 Configuration Examples
This section provides several AAA configuration examples. The configuration examples explain networking requirements, configuration notes, and configuration roadmap.


1.1 AAA Overview


Authentication, Authorization, and Accounting (AAA) is a security technology.

Security Functions Provided by AAA


AAA provides the following security functions:
- Authentication: checks whether a user is allowed to access a network.
- Authorization: authorizes a user to use specific services.
- Accounting: records all the operations performed by a user and the service type, start time, and data traffic.

A user can use one or more security services. For example, if a company only needs to authenticate employees that access certain network resources, only an authentication server is needed. If the company also needs to record operations performed by employees, an additional accounting server is needed.

AAA Architecture
AAA uses the client/server model, as shown in Figure 1-1. This model features good extensibility and is convenient for centralized management of user information.

Figure 1-1 AAA architecture (Access user -- Router -- Server)

The Router authenticates a user that wants to access the network through the Router. The Router delivers authentication, authorization, and accounting information to an AAA server (a RADIUS server or an HWTACACS server).

1.2 AAA Features Supported by the AR200-S


The AR200-S supports RADIUS and HWTACACS authentication, authorization, and accounting (AAA), and also local authentication and authorization.

RADIUS Authentication, Authorization, and Accounting


RADIUS uses the client/server model and protects a network from unauthorized access. It is often used on networks that require high security and control of remote user access.

RADIUS messages are encapsulated in User Datagram Protocol (UDP) packets. RADIUS ensures reliability of information exchanged between the RADIUS server and client by using a timer, a retransmission mechanism, and a secondary server.

RADIUS integrates authentication and authorization: RADIUS authentication response packets carry authorization information.
NOTE

In RADIUS authentication for an administrator, the AR200-S checks whether the access type of the administrator is the same as that specified in the Access-Accept packet sent from the RADIUS server. If not, the administrator fails to be authenticated.

Figure 1-2 shows packets exchanged between a user, the AR200-S, and the RADIUS server.

Figure 1-2 RADIUS authentication, authorization, and accounting (message flow between the access user, the Router, and the RADIUS server: user enters user name and password; authentication request packet; Access-Accept/Reject packet; accounting request packet; accounting response packet; user accesses network resources; user exits; Accounting-stop request packet; Accounting-stop response packet)

1. A user sends a request packet containing the user name and password to the AR200-S.
2. The AR200-S sends an authentication request packet containing the user name and password to the RADIUS server.
3. The RADIUS server authenticates the user name and password. If authentication succeeds, the RADIUS server sends a RADIUS Access-Accept packet to the AR200-S. If authentication fails, the RADIUS server sends a RADIUS Access-Reject packet to the AR200-S. The RADIUS Access-Accept packet contains authorization information.
4. The AR200-S permits or rejects the user according to the authentication result. If the user is permitted, the AR200-S sends an Accounting-Start packet to the RADIUS server.
5. The RADIUS server sends a response packet to the AR200-S and starts accounting.
6. The user starts to access network resources.
7. The user requests to disconnect from the network. The AR200-S sends an Accounting-Stop packet to the RADIUS server.
8. The RADIUS server sends a response packet to the AR200-S and stops accounting.
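The Access-Request/Access-Accept part of the exchange described above, as an added Python example that is not part of the Huawei guide: it builds RFC 2865 packets, hides the User-Password under the shared secret with a fresh Request Authenticator, and has the router side verify the Response Authenticator before trusting an Accept, which is what lets it drop a Reject whose code was flipped to Accept in transit. The shared secret, user database, NAS address and the Service-Type attribute standing in for the authorization information are constructed for the example.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_SERVICE_TYPE = 1, 2, 4, 6
SERVICE_ADMINISTRATIVE = struct.pack("!I", 6)  # Service-Type value Administrative-User

def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block), first keyed by req_auth."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], _md5(secret, prev)))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-zero multiple of 16 bytes")
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, _md5(secret, prev))), block
    return out.rstrip(b"\x00")  # inverse of hide_password; NUL padding stripped

def encode_attrs(attrs) -> bytes:
    out = b""
    for t, v in attrs:  # Type(1) Length(1, header included) Value
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        if len(data) - i < 2 or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, req_auth, attrs, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return _md5(struct.pack("!BBH", code, ident, 20 + len(attrs)), req_auth, attrs, secret)

def build_access_request(ident, username, password, secret, nas_ip=bytes([192, 168, 1, 1])):
    """Router side; a fresh random Request Authenticator per request keeps the hidden password from repeating."""
    req_auth = os.urandom(16)
    attrs = encode_attrs([(ATTR_USER_NAME, username),
                          (ATTR_USER_PASSWORD, hide_password(password, secret, req_auth)),
                          (ATTR_NAS_IP, nas_ip)])
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Constructed server: check the user database, answer Accept (with Service-Type) or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length < 20 or length > len(request):
        raise ValueError("malformed Access-Request")
    req_auth, attrs = request[4:20], decode_attrs(request[20:length])
    name = attrs.get(ATTR_USER_NAME, b"")
    pw = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = name in users and hmac.compare_digest(users[name], pw)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    resp_attrs = encode_attrs([(ATTR_SERVICE_TYPE, SERVICE_ADMINISTRATIVE)]) if ok else b""
    auth = response_authenticator(code, ident, req_auth, resp_attrs, secret)
    return build_packet(code, ident, auth, resp_attrs)

def client_verify(response: bytes, ident: int, req_auth: bytes, secret: bytes):
    """Router side: trust a reply only if its Identifier and Response Authenticator check out."""
    if len(response) < 20:
        raise ValueError("short response")
    code, rid, length = struct.unpack("!BBH", response[:4])
    if rid != ident or length < 20 or length > len(response):
        raise ValueError("identifier or length mismatch")
    attrs = response[20:length]
    if not hmac.compare_digest(response[4:20], response_authenticator(code, rid, req_auth, attrs, secret)):
        raise ValueError("bad Response Authenticator")
    return code, decode_attrs(attrs)

def run_exchange(secret: bytes = b"example-shared-secret"):
    """Returns (accept code, admin Service-Type granted, reject code, forged Accept dropped)."""
    users = {b"admin": b"Huawei@123"}  # constructed user database
    req, ra = build_access_request(7, b"admin", b"Huawei@123", secret)
    good_code, good_attrs = client_verify(server_handle(req, secret, users), 7, ra, secret)
    req, ra = build_access_request(8, b"admin", b"wrong", secret)
    reject = server_handle(req, secret, users)
    bad_code, _ = client_verify(reject, 8, ra, secret)
    try:  # a Reject with its Code byte flipped to Accept in transit must fail the check
        client_verify(bytes([ACCESS_ACCEPT]) + reject[1:], 8, ra, secret)
        forgery_dropped = False
    except ValueError:
        forgery_dropped = True
    return good_code, good_attrs.get(ATTR_SERVICE_TYPE) == SERVICE_ADMINISTRATIVE, bad_code, forgery_dropped
```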


HWTACACS Authentication, Authorization, and Accounting


HWTACACS is an extension of TACACS. Similar to RADIUS, HWTACACS uses the client/server model to communicate with the HWTACACS server, implementing AAA for access users. Compared with RADIUS, HWTACACS is more reliable in transmission and encryption, and is more suitable for security control.

Figure 1-3 shows messages exchanged between a Telnet user, the AR200-S, and the HWTACACS server.

Figure 1-3 HWTACACS authentication, authorization, and accounting (message flow between the access user, the Router, and the HWTACACS server: user logs in; authentication request packet; authentication response packet; request the user name; enter the user name; authentication request packet; authentication response packet; request the password; enter the password; authentication request packet; authentication response packet; authorization request packet; authorization response packet; accounting request packet; user accesses network resources; user exits; Accounting-stop packet; Accounting-stop response packet)


1. A Telnet user sends a request packet to the AR200-S.
2. The AR200-S sends an authentication request packet to the HWTACACS server after receiving the request packet.
3. The HWTACACS server sends an authentication response packet to request the user name.
4. The AR200-S sends a packet to request the user name after receiving the authentication response packet.
5. The user enters the user name.
6. The AR200-S sends an authentication packet containing the user name to the HWTACACS server.
7. The HWTACACS server sends an authentication response packet to request the password.
8. The AR200-S sends a packet to request the password after receiving the authentication response packet.
9. The user enters the password.
10. The AR200-S sends an authentication packet containing the password to the HWTACACS server.
11. The HWTACACS server sends an authentication response packet, indicating that the user has been authenticated.
12. The AR200-S sends an authorization request packet to the HWTACACS server.
13. The HWTACACS server sends an authorization response packet, indicating that the user is authorized.
14. The AR200-S receives the authorization response packet.
15. The AR200-S sends an Accounting-Start packet to the HWTACACS server.
16. The HWTACACS server sends an accounting response packet and starts accounting.
17. The user starts to access network resources.
18. The user requests to disconnect from the network. The AR200-S sends an Accounting-Stop packet to the HWTACACS server.
19. The HWTACACS server sends an Accounting-Stop response packet and stops accounting.

Local Authentication and Authorization


In local authentication and authorization, the user information including the local user name, password, and attributes is configured on the AR200-S. Local authentication and authorization feature fast processing and low operation cost, whereas the amount of information that can be stored is limited by the hardware capacity of the device. Local authentication and authorization are often used for administrators. Local authentication is a backup of RADIUS authentication and HWTACACS authentication. Local authorization is a backup of HWTACACS authorization.

1.3 Configuring Local Authentication and Authorization


After local authentication and authorization are configured, the AR200-S authenticates and authorizes access users based on user information.


1.3.1 Establishing the Configuration Task


Before configuring local authentication and authorization, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
If users need to be authenticated or authorized but no RADIUS server or HWTACACS server is deployed on the network, use local authentication or authorization. Local authentication and authorization feature fast processing and low operation cost, whereas the amount of information that can be stored is limited by the hardware capacity of the device. Local authentication and authorization are often used for administrators. Local authentication is a backup of RADIUS authentication and HWTACACS authentication; local authorization is a backup of HWTACACS authorization.

Pre-configuration Tasks
Before configuring local authentication and authorization, complete the following task:
- Configuring physical attributes for interfaces to ensure that the physical layer status of the interfaces is Up

Data Preparation
To configure local authentication and authorization, you need the following data.

No.  Data
1    User name and password
2    (Optional) Local user level
3    (Optional) Access type of the local user
4    (Optional) Name of the FTP directory that the local user can access
5    (Optional) Local user status
6    (Optional) Maximum number of local users
7    Name of an authentication scheme
8    Name of an authorization scheme
9    Name of a domain

1.3.2 Configuring a Local User


To configure local authentication and authorization, configure the authentication and authorization information on the AR200-S, including the user name, password, and user level.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name password { simple password | cipher password }

A local user is created and the password is configured.
NOTE

If the user name contains a domain name delimiter such as @, |, and %, the character string before the domain name delimiter is the user name and the character string behind the domain name delimiter is the domain name. If the user name does not contain a domain name delimiter, the entire character string is the user name and the domain name is default.

Step 4 (Optional) Run:
local-user user-name privilege level level

The level of the local user is set. By default, the level of a local user is determined by the management module. If the level of a local user is not set in the user interface view, the user level is 0.

Step 5 (Optional) Run:
local-user user-name idle-timeout minutes [ seconds ]

The idle timeout interval of the local user is set.

Step 6 (Optional) Run:
local-user user-name service-type { 8021x | bind | ftp | http | l2tp | ppp | ssh | telnet | terminal | web | x25-pad } *

The access type of the local user is set. By default, a local user can use any access type.

Step 7 (Optional) Run:
local-user user-name ftp-directory directory

The FTP directory that the local user can access is configured. By default, the FTP directory of a local user is empty. When the AR200-S functions as an FTP server, you must configure the FTP directory that FTP users can access. Otherwise, FTP users cannot access the AR200-S.

Step 8 (Optional) Run:
local-user user-name state { active | block }

The status of the local user is set. By default, a local user is in active state. The AR200-S processes requests from users in different states as follows:

- If a local user is in active state, the AR200-S accepts and processes the authentication request from the user.
- If a local user is in blocking state, the AR200-S rejects the authentication request from the user.

Step 9 (Optional) Run:
local-user user-name access-limit max-number

The maximum number of connections established by the local user is set. By default, the number of connections established by a user is not limited.

----End

1.3.3 Configuring Authentication and Authorization Schemes


To use local authentication and authorization, set the authentication mode in an authentication scheme to local authentication and the authorization mode in an authorization scheme to local authorization.

Context
By default, the AR200-S performs local authentication and authorization for access users.
NOTE

The AR200-S does not support local accounting.

Procedure
- Configuring an authentication scheme
1. Run:
system-view

The system view is displayed.

2. Run:
aaa

The AAA view is displayed.

3. Run:
authentication-scheme authentication-scheme-name

An authentication scheme is created and the authentication scheme view is displayed. By default, the default authentication scheme is used. The default authentication scheme can be modified, but it cannot be deleted.

4. Run:
authentication-mode local

Local authentication is configured.

5. (Optional) Run:
authentication-super { hwtacacs | super } * [ none ]

The authentication mode used to upgrade user levels is configured.



6. (Optional) Run:
quit

Return to the AAA view.

7. (Optional) Run:
domainname-parse-direction { left-to-right | right-to-left }

The direction in which the user name and domain name are parsed is configured.

- Configuring an authorization scheme
1. Run:
system-view

The system view is displayed.

2. Run:
aaa

The AAA view is displayed.

3. Run:
authorization-scheme authorization-scheme-name

An authorization scheme is created and the authorization scheme view is displayed. By default, the default authorization scheme is used. The default authorization scheme can be modified, but it cannot be deleted.

4. Run:
authorization-mode local [ none ]

The authorization mode is configured.

----End

1.3.4 Configuring a Domain


The created authentication and authorization schemes take effect only after being applied to a domain.

Context
Before configuring a domain, ensure that the authentication and authorization schemes have been created. When local authentication and authorization are used, non-accounting is used by default.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.



Step 3 Run:
domain domain-name

A domain is created and the domain view is displayed. The AR200-S has two default domains: default and default_admin. The default domain is used by common access users and the default_admin domain is used by administrators.

Step 4 Run:
authentication-scheme authentication-scheme-name

An authentication scheme is applied to the domain. By default, the default authentication scheme is applied to a domain.

Step 5 Run:
authorization-scheme authorization-scheme-name

An authorization scheme is applied to the domain. By default, no authorization scheme is applied to a domain.

Step 6 (Optional) Run:
state { active | block }

The domain status is configured. When a domain is in blocking state, users in this domain cannot log in. By default, a domain is in active state after being created.

Step 7 Run:
quit

Return to the domain view.

Step 8 (Optional) Run:
domain-name-delimiter delimiter

The domain name delimiter is configured. The domain name delimiter can be any of the following: \ / : < > | @ ' %. By default, the domain name delimiter is @.

----End
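The delimiter rule in the NOTE of 1.3.2, the domainname-parse-direction command in 1.3.3 and the domain-name-delimiter and state commands above together decide which domain a login is routed to, and therefore which authentication and authorization schemes apply and whether a blocked domain turns the login away. The following Python model is an added example, not AR200-S code: it splits a login string into user name and domain using the configurable delimiter and parse direction, falls back to the default domain when no delimiter is present, and then applies the domain state check. The right-to-left interpretation (the text after the delimiter is the user name) and the choice of which delimiter wins when the string contains several are assumptions of this model, not statements from the guide; the domain table is constructed for the example.

```python
"""Model of AR200-S style user-name/domain parsing (added example, not product code).

Assumptions not stated by the guide: with left-to-right parsing the string is
split at the first delimiter from the left and the left part is the user name;
with right-to-left parsing it is split at the first delimiter from the right
and the right part is the user name.
"""

# The delimiter characters the guide lists for domain-name-delimiter.
ALLOWED_DELIMITERS = set("\\/:<>|@'%")
DEFAULT_DOMAIN = "default"


def parse_user_name(login, delimiter="@", direction="left-to-right"):
    """Return (user_name, domain_name) for a login string.

    A login without the delimiter belongs to the default domain, as the NOTE
    in 1.3.2 states. An empty domain part is also treated as the default domain
    (assumption).
    """
    if delimiter not in ALLOWED_DELIMITERS:
        raise ValueError("unsupported domain name delimiter: %r" % delimiter)
    if direction not in ("left-to-right", "right-to-left"):
        raise ValueError("unknown parse direction: %r" % direction)

    if delimiter not in login:
        user, domain = login, DEFAULT_DOMAIN
    elif direction == "left-to-right":
        # user@domain: the text before the first delimiter is the user name
        user, _, domain = login.partition(delimiter)
    else:
        # domain\user: the text after the last delimiter is the user name (assumption)
        domain, _, user = login.rpartition(delimiter)

    if not user:
        raise ValueError("empty user name in login %r" % login)
    return user, domain or DEFAULT_DOMAIN


def check_domain_access(login, domains, delimiter="@", direction="left-to-right"):
    """Resolve the domain for a login and apply the domain state check.

    `domains` maps a domain name to its state ("active" or "block"), as set
    with `state { active | block }` in the domain view. A login into a domain
    that does not exist or is blocked is refused. Returns (allowed, domain, reason).
    """
    user, domain = parse_user_name(login, delimiter, direction)
    state = domains.get(domain)
    if state is None:
        return False, domain, "domain %r does not exist" % domain
    if state == "block":
        return False, domain, "domain %r is in blocking state" % domain
    return True, domain, "user %r accepted into domain %r" % (user, domain)


if __name__ == "__main__":
    # Constructed sample domain table: the two default domains plus a blocked one.
    sample_domains = {"default": "active", "default_admin": "active", "lab": "block"}
    for login in ("alice", "alice@default_admin", "bob@lab", "carol@nowhere"):
        print(login, "->", check_domain_access(login, sample_domains))
```

Because a login with no delimiter silently lands in the default domain, the state and schemes of the default domain deserve the same scrutiny as those of any domain created explicitly.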

1.3.5 Checking the Configuration


Prerequisites
The configurations of local authentication and authorization are complete.

Procedure
- Run the display aaa configuration command to check the AAA summary.
- Run the display authentication-scheme [ authentication-scheme-name ] command to check the authentication scheme configuration.

- Run the display authorization-scheme [ authorization-scheme-name ] command to check the authorization scheme configuration.
- Run the display access-user [ domain domain-name | interface interface-type interface-number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-address [ vpn-instance instance-name ] | mac-address mac-address | slot slot-id | ssid ssid-name | user-id user-number ] command to check the summary of all online users.
- Run the display domain [ name domain-name ] command to check the domain configuration.

----End

1.4 Configuring RADIUS AAA


RADIUS is often used to implement authentication, authorization, and accounting (AAA). RADIUS uses the client/server model and protects a network from unauthorized access. It is often used in network environments that require high security and control of remote user access.

1.4.1 Establishing the Configuration Task


Before configuring RADIUS authentication, authorization, and accounting, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
To prevent unauthorized users from attacking a network, configure AAA:
- Authentication: checks whether a user is allowed to access a network. Only authenticated users can access the network.
- Authorization: authorizes a user to use specific services.
- Accounting: records all the operations performed by a user and the service type, start time, and data traffic.

RADIUS protects a network from unauthorized access. It is often used on networks that require high security and control of remote user access.

Pre-configuration Tasks
Before configuring RADIUS authentication, authorization, and accounting, complete the following task:
- Configuring physical attributes for interfaces to ensure that the physical layer status of the interfaces is Up

Data Preparation
To configure RADIUS authentication, authorization, and accounting, you need the following data.

No. Data
1 Name of an authentication scheme
2 Name of an accounting scheme
3 Name of a RADIUS server template
4 IP addresses and port numbers of the primary RADIUS authentication servers
5 IP addresses and port numbers of the primary RADIUS accounting servers
6 (Optional) IP address of the RADIUS authorization server
7 (Optional) IP addresses and port numbers of the secondary RADIUS authentication servers
8 (Optional) IP addresses and port numbers of the secondary RADIUS accounting servers
9 (Optional) Shared key in RADIUS packets
10 (Optional) Number of times RADIUS request packets are retransmitted and timeout interval

1.4.2 Configuring AAA Schemes


To use RADIUS AAA, set the authentication mode in an authentication scheme to RADIUS and the accounting mode in an accounting scheme to RADIUS.

Context
If RADIUS authentication is configured, you can also configure local authentication or non-authentication as a backup. This allows local authentication or non-authentication to be implemented if RADIUS authentication fails. If RADIUS accounting is configured, you can also configure non-accounting as a backup.

Procedure
- Configuring an authentication scheme
1. Run:
system-view

The system view is displayed.

2. Run:
aaa

The AAA view is displayed.

3. Run:
authentication-scheme authentication-scheme-name

An authentication scheme is created and the authentication scheme view is displayed.



By default, the default authentication scheme is used. The default authentication scheme can be modified, but it cannot be deleted.

4. Run:
authentication-mode radius [ none ]

RADIUS authentication is configured. By default, local authentication is used. To use local authentication as the backup authentication method, run the authentication-mode radius local command to configure local authentication.
NOTE

If multiple authentication modes are configured in an authentication scheme, authentication modes are used according to the sequence in which they were configured. The AR200-S uses the authentication mode that was configured later only after the current authentication mode fails. The AR200-S stops the authentication if the user fails to pass the authentication.

5. (Optional) Run:
authentication-super { hwtacacs | super } * [ none ]

The authentication mode used to upgrade user levels is configured.

6. (Optional) Run:
quit

Return to the AAA view.

7. (Optional) Run:
domainname-parse-direction { left-to-right | right-to-left }

The direction in which the user name and domain name are parsed is configured.

- Configuring an accounting scheme
1. Run:
system-view

The system view is displayed.

2. Run:
aaa

The AAA view is displayed.

3. Run:
accounting-scheme accounting-scheme-name

An accounting scheme is created and the accounting scheme view is displayed. By default, the default accounting scheme is used. The default accounting scheme can be modified, but it cannot be deleted.

4. Run:
accounting-mode radius

The accounting mode is set. By default, non-accounting is used.

NOTE

If multiple accounting modes are configured in an accounting scheme, accounting modes are used according to the sequence in which they were configured. The AR200-S uses the accounting mode that was configured later only after the current accounting mode fails.

5. (Optional) Run:
accounting start-fail { online | offline }

The policy for accounting-start failures is configured. By default, users cannot go online if accounting-start fails.

6. (Optional) Run:
accounting realtime interval

Real-time accounting is enabled and the interval for real-time accounting is set. By default, real-time accounting is disabled.

7. (Optional) Run:
accounting interim-fail [ max-times times ] { online | offline }

The maximum number of real-time accounting failures is set and a policy used after a real-time accounting failure is configured. After real-time accounting is enabled, the maximum number of real-time accounting failures is 3 and the AR200-S keeps paid users online after a real-time accounting failure by default.

----End
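The NOTE under step 4 of the authentication scheme (modes are tried in the configured order, a mode that fails is skipped, a user who fails to pass is rejected outright) and steps 5 to 7 of the accounting scheme (accounting-start and real-time accounting failure policies) describe decision rules whose combined effect is easy to misjudge, especially when none is appended as a backup mode. The following Python model is an added example, not AR200-S code, that encodes those rules so the effect of a given scheme can be checked offline. The three-valued backend result, the backend callables and the sample user tables are constructed for the example; the AR200-S exposes no such interface.

```python
"""Model of AAA scheme fallback rules (added example, not AR200-S code)."""
import enum


class Result(enum.Enum):
    ACCEPT = "accept"              # the user passed this mode
    REJECT = "reject"              # the user failed to pass this mode (stop here)
    UNAVAILABLE = "unavailable"    # the mode itself failed, e.g. no server reply


def authenticate(modes, backends, user, password):
    """Apply an authentication scheme's modes in configured order.

    `modes` is the ordered list from authentication-mode, e.g. ["radius", "local"];
    `backends` maps a mode name to a callable (user, password) -> Result.
    "none" is non-authentication and always accepts, so placing it after a
    server-based mode means any user gets in whenever that server is unreachable.
    Returns (Result, mode_that_decided).
    """
    for mode in modes:
        if mode == "none":
            return Result.ACCEPT, "none"
        outcome = backends[mode](user, password)
        if outcome is Result.UNAVAILABLE:
            continue  # this mode failed: fall through to the next configured mode
        return outcome, mode  # ACCEPT, or REJECT, which stops authentication
    return Result.REJECT, None  # every configured mode was unavailable


def accounting_allows_online(start_ok, interim_failures,
                             start_fail="offline", interim_fail="online",
                             max_times=3):
    """Decide whether a session may stay online under the accounting policies.

    Defaults follow the guide: users cannot go online if accounting-start
    fails, interim-fail keeps users online, and max-times is 3.
    """
    if not start_ok:
        return start_fail == "online"
    if interim_failures >= max_times:
        return interim_fail == "online"
    return True


# Constructed backends standing in for a RADIUS server and the local user table.
def make_radius(reachable, valid_users):
    def backend(user, password):
        if not reachable:
            return Result.UNAVAILABLE
        return Result.ACCEPT if valid_users.get(user) == password else Result.REJECT
    return backend


def make_local(valid_users):
    def backend(user, password):
        return Result.ACCEPT if valid_users.get(user) == password else Result.REJECT
    return backend


if __name__ == "__main__":
    backends = {"radius": make_radius(False, {"admin": "radius-pw"}),
                "local": make_local({"admin": "local-pw"})}
    print(authenticate(["radius", "local"], backends, "admin", "local-pw"))
    print(authenticate(["radius", "none"], backends, "anyone", "anything"))
```

The second call in the usage block shows why the none backup deserves attention: with the RADIUS server unreachable, authentication-mode radius none admits any credentials, whereas authentication-mode radius local still checks the local user table.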

1.4.3 Configuring a RADIUS Server Template


In a RADIUS server template, you must specify the IP address, port number, and shared key of a specified RADIUS server. Other settings such as the RADIUS user name format, traffic unit, and number of times RADIUS request packets are retransmitted have default values and can be changed according to network requirements.

Context
The settings of a RADIUS server template such as the RADIUS user name format and shared key on the RADIUS client must be the same as those on the RADIUS server.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server authorization ip-address { server-group group-name | shared-key { cipher | simple } key-string } * [ ack-reserved-interval interval ]

A RADIUS authorization server is configured. By default, no RADIUS authorization server is configured.

Step 3 Run:
radius-server template template-name


The RADIUS server template view is displayed.

Step 4 Run:
radius-server authentication ip-address port [ source { loopback interface-number | ip-address ip-address } ]

The primary RADIUS authentication server is configured. By default, the IP address of the primary RADIUS authentication server is 0.0.0.0 and the port number is 0.

Step 5 (Optional) Run:
radius-server authentication ip-address port [ source { loopback interface-number | ip-address ip-address } ] secondary

The secondary RADIUS authentication server is configured. By default, the IP address of the secondary RADIUS authentication server is 0.0.0.0 and the port number is 0.

Step 6 Run:
radius-server accounting ip-address port [ source { loopback interface-number | ip-address ip-address } ]

The primary RADIUS accounting server is configured. By default, the IP address of the primary RADIUS accounting server is 0.0.0.0 and the port number is 0.

Step 7 (Optional) Run:
radius-server accounting ip-address port [ source { loopback interface-number | ip-address ip-address } ] secondary

The secondary RADIUS accounting server is configured. By default, the IP address of the secondary RADIUS accounting server is 0.0.0.0 and the port number is 0.

Step 8 (Optional) Run:
radius-server shared-key { cipher | simple } key-string

The shared key is configured. By default, the shared key of a RADIUS server is huawei.

Step 9 (Optional) Run:
radius-server user-name domain-included

The AR200-S is configured to encapsulate the domain name in the user name in RADIUS packets to be sent to a RADIUS server. By default, the AR200-S encapsulates the domain name in the user name when sending RADIUS packets to a RADIUS server. If the RADIUS server does not accept the user name with the domain name, run the undo radius-server user-name domain-included command to delete the domain name from the user name.

Step 10 (Optional) Run:
radius-server traffic-unit { byte | kbyte | mbyte | gbyte }

The traffic unit used by a RADIUS server is configured.



By default, the traffic unit is byte on the AR200-S.

Step 11 (Optional) Run:
radius-server { retransmit retry-times | timeout time-value } *

The number of times RADIUS request packets are retransmitted and the timeout interval are set. By default, the number of transmission times is 3 and the timeout interval is 5s.

Step 12 (Optional) Run:
radius-server nas-port-format { new | old }

The format of the Network Access Server (NAS) port attribute is set. By default, the new format of the NAS port attribute is used.

Step 13 (Optional) Run:
radius-server nas-port-id-format { new | old }

The format of the NAS port ID attribute is set. By default, the new format of the NAS port ID attribute is used.

Step 14 (Optional) Run:
radius-attribute nas-ip

The RADIUS NAS-IP-Address attribute is set.

Step 15 (Optional) Run:
return

Return to the user view.

Step 16 (Optional) Run:
test-aaa user-name user-password radius-template template-name [ chap | pap ]

You can test whether a user can be authenticated using RADIUS authentication.

----End

1.4.4 Configuring a Domain


The created authentication scheme, accounting scheme, and RADIUS server template take effect only after being applied to a domain.

Context
Before configuring a domain, ensure that the authentication scheme, accounting scheme, and RADIUS server template have been created.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa


The AAA view is displayed.

Step 3 (Optional) Run:
domain domain-name

A domain is created and the domain view is displayed. The AR200-S has two default domains: default and default_admin. The default domain is used by common access users and the default_admin domain is used by administrators.

Step 4 Run:
authentication-scheme authentication-scheme-name

An authentication scheme is applied to the domain. By default, the default authentication scheme is applied to a domain.

Step 5 (Optional) Run:
accounting-scheme accounting-scheme-name

An accounting scheme is applied to a domain. By default, the default accounting scheme is applied to a domain. In the default accounting scheme, non-accounting is used and the real-time accounting function is disabled.

Step 6 (Optional) Run:
service-scheme service-scheme-name

A service scheme is applied to a domain. By default, no service scheme is applied to a domain.

Step 7 Run:
radius-server template-name

A RADIUS server template is applied to a domain. By default, no RADIUS server template is applied to a domain.

Step 8 (Optional) Run:
state { active | block }

The domain status is configured. When a domain is in blocking state, users in this domain cannot log in. By default, a domain is in active state after being created.

Step 9 Run:
quit

Return to the domain view.

Step 10 (Optional) Run:
domain-name-delimiter delimiter

The domain name delimiter is configured. The domain name delimiter can be any of the following: \ / : < > | @ ' %. By default, the domain name delimiter is @.

----End

1.4.5 Checking the Configuration


Prerequisites
The RADIUS AAA configurations are complete.

Procedure
- Run the display aaa configuration command to check the AAA summary.
- Run the display authentication-scheme [ authentication-scheme-name ] command to check the authentication scheme configuration.
- Run the display accounting-scheme [ accounting-scheme-name ] command to check the accounting scheme configuration.
- Run the display service-scheme [ name name ] command to check the service scheme configuration.
- Run the display radius-server configuration [ template template-name ] command to check the RADIUS server template configuration.
- Run the display radius-attribute [ template template-name ] disable command to check the disabled RADIUS attributes.
- Run the display radius-attribute [ template template-name ] translate command to check the RADIUS attribute translation configuration.
- Run the display domain [ name domain-name ] command to check the domain configuration.

----End

1.5 Configuring HWTACACS AAA


Similar to RADIUS, HWTACACS uses the client/server model to communicate with the HWTACACS server, implementing authentication, authorization, and accounting (AAA) for access users. Compared with RADIUS, HWTACACS is more reliable in transmission and encryption and is therefore more suitable for security control.

1.5.1 Establishing the Configuration Task


Before configuring HWTACACS authentication, authorization, and accounting, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
To prevent unauthorized users from attacking a network, configure AAA:
- Authentication: checks whether a user is allowed to access a network. Only authenticated users can access the network.
- Authorization: authorizes a user to use specific services.
- Accounting: records all the operations performed by a user and the service type, start time, and data traffic.

HWTACACS prevents unauthorized users from attacking a network and provides command line authorization. Compared with RADIUS, HWTACACS is more suitable for security control.

Pre-configuration Tasks
Before configuring HWTACACS authentication, authorization, and accounting, complete the following task:
- Configuring physical attributes for interfaces to ensure that the physical layer status of the interfaces is Up

Data Preparation
To configure HWTACACS authentication, authorization, and accounting, you need the following data.

No. Data
1 Name of an authentication scheme
2 Name of an authorization scheme
3 Name of an accounting scheme
4 Name of an HWTACACS server template
5 IP addresses and port numbers of primary and secondary HWTACACS authentication servers
6 IP addresses and port numbers of primary and secondary HWTACACS authorization servers
7 (Optional) IP addresses and port numbers of primary and secondary HWTACACS accounting servers
8 (Optional) Shared key in HWTACACS packets
9 (Optional) Response timeout interval of an HWTACACS server
10 (Optional) Time for the primary HWTACACS server to return to the active state
11 (Optional) Retransmission interval of accounting-stop packets


1.5.2 Configuring AAA Schemes


To use HWTACACS AAA, set the authentication mode in an authentication scheme to HWTACACS, the authorization mode in an authorization scheme to HWTACACS, and the accounting mode in an accounting scheme to HWTACACS.

Context
Local authentication or non-authentication can be configured as a backup for HWTACACS authentication in an authentication scheme. This allows local authentication or non-authentication to be implemented if HWTACACS authentication fails. When HWTACACS authorization is used, you can configure local authorization or non-authorization as a backup. When HWTACACS accounting is used, you can configure non-accounting as a backup.

Procedure
- Configuring an authentication scheme
1. Run:
system-view

The system view is displayed.

2. Run:
aaa

The AAA view is displayed.

3. Run:
authentication-scheme authentication-scheme-name

An authentication scheme is created and the authentication scheme view is displayed. By default, the default authentication scheme is used. The default authentication scheme can be modified, but it cannot be deleted.

4. Run:
authentication-mode hwtacacs [ none ]

HWTACACS authentication is configured. By default, local authentication is used. To configure local authentication as a backup, see 1.3 Configuring Local Authentication and Authorization.
NOTE

If multiple authentication modes are configured in an authentication scheme, authentication modes are used according to the sequence in which they were configured. The AR200-S uses the authentication mode that was configured later only after the current authentication mode fails. The AR200-S stops the authentication if the user fails to pass the authentication.

5. (Optional) Run:
authentication-super { hwtacacs | super } * [ none ]

The authentication mode used to upgrade user levels is configured.

6. (Optional) Run:
quit

Return to the AAA view.



7. (Optional) Run:
domainname-parse-direction { left-to-right | right-to-left }

The direction in which the user name and domain name are parsed is configured.

- Configuring an authorization scheme
1. Run:
system-view

The system view is displayed.

2. Run:
aaa

The AAA view is displayed.

3. Run:
authorization-scheme authorization-scheme-name

An authorization scheme is created and the authorization scheme view is displayed. By default, the default authorization scheme is used. The default authorization scheme can be modified, but it cannot be deleted.

4. Run:
authorization-mode { hwtacacs | local } * [ none ]

The authorization mode is configured. By default, local authorization is used. If HWTACACS authorization is configured, you must configure an HWTACACS server template and apply the template to the corresponding user domain.

NOTE

If multiple authorization modes are configured in an authorization scheme, authorization modes are used in the sequence in which they were configured. The AR200-S uses the authorization mode that was configured later only after the current authorization mode fails. The AR200-S stops the authorization if the user fails to pass the authorization.

5. (Optional) Run:
authorization-cmd privilege-level hwtacacs [ local ]

Command line authorization is enabled for users at a certain level. By default, command line authorization is disabled for users at levels 0 to 15. If command line authorization is enabled, you must configure an HWTACACS server template and apply the template to the corresponding user domain.

- Configuring an accounting scheme
1. Run:
system-view

The system view is displayed.

2. Run:
aaa

The AAA view is displayed.

3. Run:
accounting-scheme accounting-scheme-name


An accounting scheme is created and the accounting scheme view is displayed. By default, the default accounting scheme is used. The default accounting scheme can be modified, but it cannot be deleted.

4. Run:
accounting-mode hwtacacs

The accounting mode is set. By default, non-accounting is used.

NOTE

If multiple accounting modes are configured in an accounting scheme, accounting modes are used according to the sequence in which they were configured. The AR200-S uses the accounting mode that was configured later only after the current accounting mode fails.

5. (Optional) Run:
accounting start-fail { online | offline }

The policy for accounting-start failures is configured. By default, users cannot go online if accounting-start fails.

6. (Optional) Run:
accounting realtime interval

Real-time accounting is enabled and the interval for real-time accounting is set. By default, real-time accounting is disabled.

7. (Optional) Run:
accounting interim-fail [ max-times times ] { online | offline }

The maximum number of real-time accounting failures is set and a policy used after a real-time accounting failure is configured. After real-time accounting is enabled, the maximum number of real-time accounting failures is 3 and the AR200-S keeps paid users online after a real-time accounting failure by default.

----End
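Step 5 of the authorization scheme procedure above (authorization-cmd privilege-level hwtacacs [ local ]) enables per-command authorization for users at one privilege level, with local authorization as an optional backup; the guide also notes that command line authorization is disabled for levels 0 to 15 by default. The following Python model is an added example, not AR200-S code, of how such a check can be evaluated: each command typed by a user at an enabled level is submitted to an HWTACACS decision function, and only when that server gives no answer and local is configured does the local rule apply. The local rule used here (a command is permitted when the user's level is at least the level the command requires), the fail-closed outcome when the server is unreachable and no local backup is configured, and the sample command table are assumptions constructed for the example, not statements from the guide.

```python
"""Model of per-level command line authorization (added example, not AR200-S code)."""

SERVER_UNREACHABLE = None  # returned by the HWTACACS decision function on timeout


class CommandAuthorizer:
    """Holds per-level authorization-cmd settings and evaluates typed commands."""

    def __init__(self, hwtacacs_decide, local_cmd_levels):
        # hwtacacs_decide(user, command) -> True / False, or SERVER_UNREACHABLE
        self.hwtacacs_decide = hwtacacs_decide
        # command -> level required for local authorization (assumption)
        self.local_cmd_levels = local_cmd_levels
        # level -> {"local": bool}; a level that is absent has no per-command check
        self.enabled_levels = {}

    def authorization_cmd(self, privilege_level, local=False):
        """Mirror `authorization-cmd privilege-level hwtacacs [ local ]`."""
        if not 0 <= privilege_level <= 15:
            raise ValueError("privilege level must be 0 to 15")
        self.enabled_levels[privilege_level] = {"local": local}

    def local_decision(self, user_level, command):
        """Local backup rule (assumption): user level must reach the command's level."""
        required = self.local_cmd_levels.get(command)
        return required is not None and user_level >= required

    def authorize(self, user, user_level, command):
        """Return (allowed, source) for one command typed by the user."""
        settings = self.enabled_levels.get(user_level)
        if settings is None:
            # Command line authorization is disabled for this level (the guide's
            # default for levels 0 to 15), so no per-command check is made here.
            return True, "not-authorized-per-command"
        verdict = self.hwtacacs_decide(user, command)
        if verdict is not SERVER_UNREACHABLE:
            return bool(verdict), "hwtacacs"  # the server's answer is final
        if settings["local"]:
            return self.local_decision(user_level, command), "local"
        return False, "hwtacacs-unreachable"  # fail closed (assumption)


# Constructed decision function standing in for an HWTACACS server.
def make_hwtacacs(reachable, allowed):
    """`allowed` maps a user name to the set of commands the server permits."""
    def decide(user, command):
        if not reachable:
            return SERVER_UNREACHABLE
        return command in allowed.get(user, ())
    return decide


if __name__ == "__main__":
    levels = {"display current-configuration": 3, "reboot": 15}
    auth = CommandAuthorizer(make_hwtacacs(True, {"ops": {"display current-configuration"}}),
                             levels)
    auth.authorization_cmd(3, local=True)
    print(auth.authorize("ops", 3, "display current-configuration"))
    print(auth.authorize("ops", 3, "reboot"))
```

The model makes the security effect of the optional local keyword visible: with it, losing the HWTACACS server degrades to the local rule; without it, users at the enabled level can run no authorized command until the server answers again, which is the safer failure mode when the server is the only intended policy source.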

1.5.3 Configuring an HWTACACS Server Template


In an HWTACACS server template, you must specify the IP address, port number, and shared key of a specified HWTACACS server. Other settings such as the HWTACACS user name format and traffic unit have default values and can be changed according to network requirements.

Context
The settings of an HWTACACS server template such as the HWTACACS user name format and shared key on the HWTACACS client must be the same as those on the HWTACACS server.

Procedure
Step 1 Run:
system-view


The system view is displayed.

Step 2 (Optional) Run:
hwtacacs enable

HWTACACS is enabled.

Step 3 Run:
hwtacacs-server template template-name

An HWTACACS server template is created and the HWTACACS server template view is displayed.

Step 4 Run:
hwtacacs-server authentication ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ]

The IP address of the primary HWTACACS authentication server is specified. By default, the IP address of the primary HWTACACS authentication server is 0.0.0.0 and its port number is 0, and the primary HWTACACS authentication server is not bound to any VPN instance.

Step 5 (Optional) Run:
hwtacacs-server authentication ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] secondary

The IP address of the secondary HWTACACS authentication server is specified. By default, the IP address of the secondary HWTACACS authentication server is 0.0.0.0 and its port number is 0, and the secondary HWTACACS authentication server is not bound to any VPN instance.

Step 6 Run:
hwtacacs-server authorization ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ]

The IP address of the primary HWTACACS authorization server is specified. By default, the IP address of the primary HWTACACS authorization server is 0.0.0.0 and its port number is 0, and the primary HWTACACS authorization server is not bound to any VPN instance.

Step 7 (Optional) Run:
hwtacacs-server authorization ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] secondary

The IP address of the secondary HWTACACS authorization server is specified. By default, the IP address of the secondary HWTACACS authorization server is 0.0.0.0 and its port number is 0, and the secondary HWTACACS authorization server is not bound to any VPN instance.

Step 8 Run:
hwtacacs-server accounting ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ]

The IP address of the primary HWTACACS accounting server is specified. By default, the IP address of the primary HWTACACS accounting server is 0.0.0.0 and its port number is 0, and the primary HWTACACS accounting server is not bound to any VPN instance.
Step 9 (Optional) Run:


hwtacacs-server accounting ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] secondary

The IP address of the secondary HWTACACS accounting server is specified. By default, the IP address of the secondary HWTACACS accounting server is 0.0.0.0 and its port number is 0, and the secondary HWTACACS accounting server is not bound to any VPN instance.

Step 10 (Optional) Run:
hwtacacs-server source-ip ip-address

The source IP address of HWTACACS packets sent to an HWTACACS server is specified. By default, the source IP address is 0.0.0.0, which means the AR200-S uses the IP address of the actual outbound VLANIF interface as the source IP address. After you specify a source IP address, the AR200-S uses it to communicate with the HWTACACS server. This is the address the HWTACACS server sees as the client, so it should be a stable address that the server has been configured to accept rather than one that changes with the outbound interface.

Step 11 (Optional) Run:
hwtacacs-server shared-key [ cipher | simple ] key-string

The shared key is configured. By default, no shared key is configured. The key must be the same as the one configured for this client on the HWTACACS server. With cipher the key is saved in the configuration file in encrypted form; with simple it is saved in plain text and can be read by anyone who can view the configuration.

Step 12 (Optional) Run:
hwtacacs-server user-name domain-included

The AR200-S is configured to include the domain name in the user name in HWTACACS packets sent to an HWTACACS server. By default, the AR200-S includes the domain name in the user name when sending HWTACACS packets to an HWTACACS server.

Step 13 (Optional) Run:
hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }

The traffic unit used by an HWTACACS server is configured. By default, the traffic unit is byte on the AR200-S.

Step 14 (Optional) Run:
hwtacacs-server timer response-timeout value

The response timeout interval for an HWTACACS server is set. By default, the response timeout interval is 5s. If the AR200-S does not receive any response from the HWTACACS server within the timeout interval, it considers that the HWTACACS server is faulty and tries to perform authentication and authorization by using the next method configured in the scheme (for example, local authentication when the authentication mode is hwtacacs local).

Step 15 (Optional) Run:
hwtacacs-server timer quiet value

The time for the primary HWTACACS server to return to the active state is set. After the primary server fails to respond, the AR200-S treats it as down and sends requests to the secondary server if one is configured; when this timer expires, the primary server returns to the active state and is tried again. By default, the time for the primary HWTACACS server to return to the active state is 5 minutes.

Step 16 (Optional) Run:
quit

Return to the system view.

Step 17 (Optional) Run:


hwtacacs-server accounting-stop-packet resend { disable | enable number }

Retransmission of accounting-stop packets is configured. You can enable retransmission of accounting-stop packets and set the retransmission count, or disable the function. By default, the retransmission function is enabled and the retransmission count is 100.

Step 18 (Optional) Run:
return

Return to the user view.

Step 19 (Optional) Run:


hwtacacs-user change-password hwtacacs-server template-name

The password saved on the HWTACACS server is changed.

----End

1.5.4 Configuring a Domain


The created authentication scheme, authorization scheme, accounting scheme, and HWTACACS server template take effect only after being applied to a domain.

Context
Before configuring a domain, ensure that the authentication scheme, authorization scheme, accounting scheme, and HWTACACS server template have been created.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

A domain is created and the domain view is displayed. The AR200-S has two default domains: default and default_admin. The default domain is used by common access users and the default_admin domain is used by administrators.

Step 4 Run:
authentication-scheme authentication-scheme-name

An authentication scheme is applied to the domain. By default, the default authentication scheme is applied to a domain; the default authentication scheme uses local authentication, so a domain whose users must be authenticated by the HWTACACS server needs a scheme with authentication-mode hwtacacs applied here.

Step 5 (Optional) Run:
authorization-scheme authorization-scheme-name

An authorization scheme is applied to the domain. By default, no authorization scheme is applied to a domain.

Step 6 (Optional) Run:
accounting-scheme accounting-scheme-name

An accounting scheme is applied to the domain. By default, the default accounting scheme is applied to a domain. In the default accounting scheme, non-accounting is used and the real-time accounting function is disabled.

Step 7 (Optional) Run:
service-scheme service-scheme-name

A service scheme is applied to the domain. By default, no service scheme is applied to a domain.

Step 8 Run:
hwtacacs-server template-name

The HWTACACS server template is applied to the domain. By default, no HWTACACS server template is applied to a domain.

Step 9 (Optional) Run:
state { active | block }

The domain status is configured. When a domain is in blocking state, users in this domain cannot log in. By default, a domain is in active state after being created.

Step 10 Run:
quit

Return to the AAA view.

Step 11 (Optional) Run:
domain-name-delimiter delimiter

The domain name delimiter is configured. The domain name delimiter can be any of the following: \ / : < > | @ ' %. By default, the domain name delimiter is @. The part of the user name after the delimiter is the domain name; a user name with no delimiter is placed in the default domain (default for common access users, default_admin for administrators).

----End
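The domain lookup that steps 3, 9 and 11 above describe, together with the hwtacacs-server user-name domain-included option from 1.5.3, worked through in Python as an added example (not code from this guide or from the AR200-S). The Domain and AaaConfig classes are an illustrative model of the relevant settings; splitting the user name at the last delimiter, and forwarding the name exactly as typed when domain-included is on, are assumptions, since the guide does not say how a name containing several delimiters is parsed.

```python
"""Map a login name to an AAA domain the way the domain rules above
describe: the text after the domain-name delimiter (default @) names the
domain, a name without a delimiter goes to the built-in default domain
(default for access users, default_admin for administrators), a blocked
domain refuses the login, and the name forwarded to the HWTACACS server
keeps or drops the domain part according to domain-included.  Added
example, not Huawei code; Domain/AaaConfig are an illustrative model and
splitting at the last delimiter is an assumption."""
from dataclasses import dataclass, field
from typing import Dict, Optional

DOMAIN_DELIMITERS = set("\\/:<>|@'%")   # the delimiters domain-name-delimiter accepts


@dataclass
class Domain:
    name: str
    state: str = "active"                      # state { active | block }
    hwtacacs_template: Optional[str] = None    # hwtacacs-server template-name


@dataclass
class AaaConfig:
    delimiter: str = "@"              # domain-name-delimiter
    domain_included: bool = True      # hwtacacs-server user-name domain-included (default on)
    domains: Dict[str, Domain] = field(default_factory=dict)

    def __post_init__(self):
        if len(self.delimiter) != 1 or self.delimiter not in DOMAIN_DELIMITERS:
            raise ValueError(f"delimiter {self.delimiter!r} is not one of \\ / : < > | @ ' %")
        for built_in in ("default", "default_admin"):   # the two domains that always exist
            self.domains.setdefault(built_in, Domain(built_in))


def split_user_name(login, delimiter, is_admin=False):
    """Return (user, domain-name).  Assumption: the last delimiter in the
    name separates the domain; a name without one goes to a default domain."""
    if delimiter in login:
        user, _, domain = login.rpartition(delimiter)
        return user, domain
    return login, ("default_admin" if is_admin else "default")


def resolve(cfg, login, is_admin=False):
    """Decide whether the login may proceed, in which domain, and under what
    name the HWTACACS server of that domain's template would see it."""
    user, domain_name = split_user_name(login, cfg.delimiter, is_admin)
    domain = cfg.domains.get(domain_name)
    if domain is None:
        return {"accepted": False, "reason": f"domain {domain_name} does not exist"}
    if domain.state == "block":
        return {"accepted": False, "reason": f"domain {domain_name} is blocked"}
    # Assumption: with domain-included the name is forwarded as typed,
    # otherwise only the user part is forwarded.
    sent = login if cfg.domain_included else user
    return {"accepted": True, "domain": domain_name,
            "template": domain.hwtacacs_template,
            # No template applied (step 8) means no HWTACACS server is reachable
            # from this domain, so there is no name to forward.
            "server_user_name": sent if domain.hwtacacs_template else None}


if __name__ == "__main__":
    cfg = AaaConfig(domains={"huawei": Domain("huawei", hwtacacs_template="ht")})
    for login in ("alice@huawei", "bob", "carol@nosuch"):
        print(login, "->", resolve(cfg, login))
```

Note that a user name without a delimiter never reaches the HWTACACS server unless the built-in default domain itself has a template applied, which is exactly what step 8 controls.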

1.5.5 Checking the Configuration


Prerequisites
The HWTACACS AAA configurations are complete.

Procedure
l Run the display aaa configuration command to check the AAA summary.
l Run the display authentication-scheme [ authentication-scheme-name ] command to check the authentication scheme configuration.
l Run the display authorization-scheme [ authorization-scheme-name ] command to check the authorization scheme configuration.
l Run the display accounting-scheme [ accounting-scheme-name ] command to check the accounting scheme configuration.
l Run the display service-scheme [ name name ] command to check the service scheme configuration.
l Run the display hwtacacs-server template [ template-name ] command to check the HWTACACS server template configuration.
l Run the display domain [ name domain-name ] command to check the domain configuration.

----End

1.6 Maintaining AAA


Clearing the Statistics

1.6.1 Clearing the Statistics


Context

CAUTION
Statistics cannot be restored after being cleared. Exercise caution when you run this command.

Run the following commands in the user view to clear the statistics.

Procedure
l Run the reset hwtacacs-server statistics { all | accounting | authentication | authorization } command to clear the HWTACACS statistics.
l Run the reset hwtacacs-server accounting-stop-packet { all | ip ip-address } command to clear the statistics on accounting-stop packets.

----End
1.7 Configuration Examples


This section provides several AAA configuration examples. The configuration examples explain networking requirements, configuration notes, and configuration roadmap.

1.7.1 Example for Configuring RADIUS Authentication, Authorization, and Accounting


Networking Requirements
As shown in Figure 1-4, users access the network through RouterA and belong to the domain huawei. RouterB functions as the network access server of the destination network. Request packets from users need to traverse the network where RouterA and RouterB are located to reach the authentication server. Users can access the destination network through RouterB after being authenticated. The remote authentication configuration on RouterB is as follows:
l The RADIUS server performs authentication and accounting for access users.
l The RADIUS server at 129.7.66.66/24 functions as the primary authentication and accounting server. The RADIUS server at 129.7.66.67/24 functions as the secondary authentication and accounting server. The default authentication port and accounting port are 1812 and 1813.

Figure 1-4 Networking diagram of RADIUS authentication and accounting

(Figure 1-4 shows domain huawei behind RouterA, the intermediate network, RouterB, the RADIUS servers 129.7.66.66/24 and 129.7.66.67/24, and the destination network.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a RADIUS server template.
2. Configure an authentication scheme and an accounting scheme.
3. Apply the RADIUS server template, authentication scheme, and accounting scheme to the domain.

Data Preparation
To complete the configuration, you need the following data:
l Name of the domain that users belong to
l Name of the RADIUS server template
l Names of the authentication scheme and accounting scheme, and authentication and accounting modes
l IP addresses and authentication and accounting port numbers of the primary and secondary RADIUS servers
l Shared key and retransmission count
NOTE

The following configurations are performed on RouterB.

Procedure
Step 1 Configure interface IP addresses and routes to enable users and the RADIUS server to communicate.

Step 2 Configure a RADIUS server template.

# Configure a RADIUS template shiva.
<Huawei> system-view
[Huawei] radius-server template shiva

# Configure the IP address and port numbers of the primary RADIUS authentication and accounting server.
[Huawei-radius-shiva] radius-server authentication 129.7.66.66 1812
[Huawei-radius-shiva] radius-server accounting 129.7.66.66 1813

# Configure the IP address and port numbers of the secondary RADIUS authentication and accounting server.
[Huawei-radius-shiva] radius-server authentication 129.7.66.67 1812 secondary
[Huawei-radius-shiva] radius-server accounting 129.7.66.67 1813 secondary

# Configure the shared key and retransmission count of the RADIUS server.
[Huawei-radius-shiva] radius-server shared-key cipher hello
[Huawei-radius-shiva] radius-server retransmit 2
[Huawei-radius-shiva] quit

Step 3 Configure authentication and accounting schemes.

# Configure authentication scheme 1 and set the authentication method to RADIUS authentication. With authentication-mode radius alone there is no local fallback: if neither RADIUS server responds, users in this domain cannot log in. Example 1.7.2 shows the hwtacacs local form, which falls back to local authentication when the servers do not respond.
[Huawei] aaa
[Huawei-aaa] authentication-scheme 1
[Huawei-aaa-authen-1] authentication-mode radius
[Huawei-aaa-authen-1] quit

# Configure accounting scheme 1 and set the accounting method to RADIUS accounting.
[Huawei-aaa] accounting-scheme 1
[Huawei-aaa-accounting-1] accounting-mode radius
[Huawei-aaa-accounting-1] quit

Step 4 Configure a domain huawei and apply authentication scheme 1, accounting scheme 1, and RADIUS server template shiva to the domain.
[Huawei-aaa] domain huawei
[Huawei-aaa-domain-huawei] authentication-scheme 1
[Huawei-aaa-domain-huawei] accounting-scheme 1
[Huawei-aaa-domain-huawei] radius-server shiva

Step 5 Verify the configuration.

Run the display radius-server configuration template command on RouterB. The command output shows that the configuration of the RADIUS server template meets the requirements.
<Huawei> display radius-server configuration template shiva
-------------------------------------------------------------------
  Server-template-name             : shiva
  Protocol-version                 : standard
  Traffic-unit                     : B
  Shared-secret-key                : 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
  Timeout-interval(in second)      : 5
  Primary-authentication-server    : 129.7.66.66 :1812 :LoopBack:NULL Source-IP:0.0.0.0
  Primary-accounting-server        : 129.7.66.66 :1813 :LoopBack:NULL Source-IP:0.0.0.0
  Secondary-authentication-server  : 129.7.66.67 :1812 :LoopBack:NULL Source-IP:0.0.0.0
  Secondary-accounting-server      : 129.7.66.67 :1813 :LoopBack:NULL Source-IP:0.0.0.0
  Retransmission                   : 2
  Domain-included                  : YES
  NAS-IP-Address                   : 0.0.0.0
-------------------------------------------------------------------

----End

Configuration Files
#
 sysname Huawei
#
radius-server template shiva
 radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 radius-server authentication 129.7.66.66 1812
 radius-server authentication 129.7.66.67 1812 secondary
 radius-server accounting 129.7.66.66 1813
 radius-server accounting 129.7.66.67 1813 secondary
 radius-server retransmit 2
#
aaa
 authentication-scheme default
 authentication-scheme 1
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 accounting-scheme 1
  accounting-mode radius
 domain default
 domain default_admin
 domain huawei
  authentication-scheme 1
  accounting-scheme 1
  radius-server shiva
#
return

1.7.2 Example for Configuring HWTACACS Authentication, Authorization, and Accounting


Networking Requirements
As shown in Figure 1-5:
l The HWTACACS server authenticates access users first. If the HWTACACS servers do not respond, local authentication is used. A user that the HWTACACS server rejects is not retried locally; the fallback covers unreachable servers, not failed credentials.
l HWTACACS authentication is required before the level of access users is upgraded. If the HWTACACS servers do not respond, local authentication is performed.
l HWTACACS authorization is performed.
l HWTACACS accounting is performed.
l Real-time accounting is performed every 3 minutes.
l The IP addresses of the primary and secondary HWTACACS servers are 129.7.66.66/24 and 129.7.66.67/24. The port number for authentication, authorization, and accounting is 49.

Figure 1-5 Networking diagram of HWTACACS authentication, authorization, and accounting

(Figure 1-5 shows domain huawei behind RouterA, the intermediate network, RouterB, the HWTACACS servers 129.7.66.66/24 and 129.7.66.67/24, and the destination network.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an HWTACACS server template.
2. Configure authentication, authorization, and accounting schemes.
3. Apply the HWTACACS server template, authentication, authorization, and accounting schemes to the domain.

Data Preparation
To complete the configuration, you need the following data:
l Name of the domain that users belong to
l Name of the HWTACACS server template
l Names of the authentication scheme, authorization scheme, and accounting scheme, and authentication, authorization, and accounting modes
l IP addresses, authentication port numbers, authorization port numbers, and accounting port numbers of the primary and secondary HWTACACS servers
l Shared key of the HWTACACS server
NOTE

The following configurations are performed on RouterB.

Procedure
Step 1 Configure an HWTACACS server template.

# Configure an HWTACACS server template ht.
<Huawei> system-view
[Huawei] hwtacacs-server template ht

# Configure IP addresses and port numbers of the primary HWTACACS authentication, authorization, and accounting servers.
[Huawei-hwtacacs-ht] hwtacacs-server authentication 129.7.66.66 49
[Huawei-hwtacacs-ht] hwtacacs-server authorization 129.7.66.66 49
[Huawei-hwtacacs-ht] hwtacacs-server accounting 129.7.66.66 49

# Configure the IP addresses and port numbers of the secondary HWTACACS authentication, authorization, and accounting servers.
[Huawei-hwtacacs-ht] hwtacacs-server authentication 129.7.66.67 49 secondary
[Huawei-hwtacacs-ht] hwtacacs-server authorization 129.7.66.67 49 secondary
[Huawei-hwtacacs-ht] hwtacacs-server accounting 129.7.66.67 49 secondary

# Configure the shared key of the HWTACACS server.
[Huawei-hwtacacs-ht] hwtacacs-server shared-key cipher hello
[Huawei-hwtacacs-ht] quit

Step 2 Configure the authentication scheme, authorization scheme, and accounting scheme.

# Create an authentication scheme l-h. In the authentication scheme, the system performs HWTACACS authentication first, and performs local authentication if the HWTACACS servers do not respond. For user level upgrade, HWTACACS authentication is used first and the super password is used if the servers do not respond.
[Huawei] aaa
[Huawei-aaa] authentication-scheme l-h
[Huawei-aaa-authen-l-h] authentication-mode hwtacacs local
[Huawei-aaa-authen-l-h] authentication-super hwtacacs super
[Huawei-aaa-authen-l-h] quit

# Create an authorization scheme hwtacacs and set HWTACACS authorization.
[Huawei-aaa] authorization-scheme hwtacacs
[Huawei-aaa-author-hwtacacs] authorization-mode hwtacacs
[Huawei-aaa-author-hwtacacs] quit

# Create an accounting scheme hwtacacs and set HWTACACS accounting.
[Huawei-aaa] accounting-scheme hwtacacs
[Huawei-aaa-accounting-hwtacacs] accounting-mode hwtacacs

# Set the interval of real-time accounting to 3 minutes.
[Huawei-aaa-accounting-hwtacacs] accounting realtime 3
[Huawei-aaa-accounting-hwtacacs] quit

Step 3 Configure a domain huawei, and apply the authentication scheme l-h, authorization scheme hwtacacs, accounting scheme hwtacacs, and the HWTACACS server template ht to the domain.
[Huawei-aaa] domain huawei
[Huawei-aaa-domain-huawei] authentication-scheme l-h
[Huawei-aaa-domain-huawei] authorization-scheme hwtacacs
[Huawei-aaa-domain-huawei] accounting-scheme hwtacacs
[Huawei-aaa-domain-huawei] hwtacacs-server ht
[Huawei-aaa-domain-huawei] quit
[Huawei-aaa] quit

Step 4 Verify the configuration.

Run the display hwtacacs-server template command on RouterB. You can see that the configuration of the HWTACACS server template is correct.
<Huawei> display hwtacacs-server template ht
---------------------------------------------------------------------------
  HWTACACS-server template name    : ht
  Primary-authentication-server    : 129.7.66.66:49:
  Primary-authorization-server     : 129.7.66.66:49:
  Primary-accounting-server        : 129.7.66.66:49:
  Secondary-authentication-server  : 129.7.66.67:49:
  Secondary-authorization-server   : 129.7.66.67:49:
  Secondary-accounting-server      : 129.7.66.67:49:
  Current-authentication-server    : 129.7.66.66:49:
  Current-authorization-server     : 129.7.66.66:49:
  Current-accounting-server        : 129.7.66.66:49:
  Source-IP-address                : 0.0.0.0
  Shared-key                       : ****************
  Quiet-interval(min)              : 5
  Response-timeout-Interval(sec)   : 5
  Domain-included                  : Yes
  Traffic-unit                     : B
---------------------------------------------------------------------------

Run the display domain command on RouterB. You can see that the domain configuration is correct.
<Huawei> display domain name huawei
  Domain-name                  : huawei
  Domain-state                 : Active
  Authentication-scheme-name   : l-h
  Accounting-scheme-name       : hwtacacs
  Authorization-scheme-name    : hwtacacs
  Service-scheme-name          :
  RADIUS-server-group          :
  HWTACACS-server-template     : ht

----End

Configuration Files
#
hwtacacs-server template ht
 hwtacacs-server authentication 129.7.66.66
 hwtacacs-server authentication 129.7.66.67 secondary
 hwtacacs-server authorization 129.7.66.66
 hwtacacs-server authorization 129.7.66.67 secondary
 hwtacacs-server accounting 129.7.66.66
 hwtacacs-server accounting 129.7.66.67 secondary
 hwtacacs-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
#
aaa
 authentication-scheme default
 authentication-scheme l-h
  authentication-mode hwtacacs local
  authentication-super hwtacacs super
 authorization-scheme default
 authorization-scheme hwtacacs
  authorization-mode hwtacacs
 accounting-scheme default
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
  accounting realtime 3
 domain default
 domain default_admin
 domain huawei
  authentication-scheme l-h
  accounting-scheme hwtacacs
  authorization-scheme hwtacacs
  hwtacacs-server ht
#
return
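The configuration files of 1.7.1 and 1.7.2 are also what a reviewer reads to confirm that the procedures in 1.5.3 and 1.5.4 were followed: every scheme and template a domain applies must exist, a domain whose scheme uses hwtacacs or radius must have a template of that protocol applied, a template needs a shared key (stored with cipher) and a secondary server for each role, and a remote-only authentication scheme leaves no local fallback when the servers do not respond. The following Python script, an added example and not a Huawei tool, parses a configuration in the form shown above and reports those conditions. The parser, the check names and the severities are the author's own; CONSTRUCTED_BAD is a made-up configuration that trips every check and is not from this guide.

```python
"""Review the AAA section of an AR200-S configuration for the mistakes the
procedures in 1.5.3 and 1.5.4 guard against.  Added example, not Huawei
tooling: parser, check names and severities are the author's own, and
CONSTRUCTED_BAD is a made-up configuration that trips every check."""
import re

SCHEME_KINDS = {"authentication-scheme": "auth",
                "authorization-scheme": "author",
                "accounting-scheme": "acct"}


def parse_aaa(text):
    """Collect server templates, schemes and domains.  Blocks are tracked by
    keyword, not indentation, and a line holding only '#' closes a block."""
    model = {"templates": {}, "auth": {}, "author": {}, "acct": {}, "domains": {}}
    block, in_aaa = None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line == "#":
            block, in_aaa = None, False
            continue
        words = line.split()
        tmpl = re.fullmatch(r"(radius|hwtacacs)-server template (\S+)", line)
        if tmpl:
            in_aaa, block = False, ("templates", tmpl.group(2))
            model["templates"][block[1]] = {"proto": tmpl.group(1), "lines": []}
        elif line == "aaa":
            in_aaa, block = True, None
        elif in_aaa and words[0] == "domain":
            block = ("domains", words[1])
            model["domains"][block[1]] = {"lines": []}
        elif (in_aaa and (block is None or block[0] != "domains")
              and len(words) == 2 and words[0] in SCHEME_KINDS):
            block = (SCHEME_KINDS[words[0]], words[1])    # scheme created in AAA view
            model[block[0]][block[1]] = {"lines": []}
        elif block is not None:                           # command inside current block
            model[block[0]][block[1]]["lines"].append(line)
    return model


def review_config(text):
    """Return a list of (level, message) findings for one configuration."""
    model, out = parse_aaa(text), []
    for name, t in model["templates"].items():
        keys = [l.split() for l in t["lines"] if "shared-key" in l]
        if not keys:
            out.append(("ERROR", f"template {name}: no shared key configured"))
        elif "cipher" not in keys[0]:
            out.append(("WARN", f"template {name}: shared key stored in plaintext; use cipher"))
        roles = {}                       # role -> set of "is this line a secondary server"
        for l in t["lines"]:
            m = re.match(r"\S+-server (authentication|authorization|accounting) ", l)
            if m:
                roles.setdefault(m.group(1), set()).add(l.split()[-1] == "secondary")
        for role, seen in roles.items():
            if True not in seen:
                out.append(("WARN", f"template {name}: no secondary {role} server"))
    methods = {}                         # authentication scheme -> list of methods
    for name, s in model["auth"].items():
        mode = [l.split()[1:] for l in s["lines"] if l.startswith("authentication-mode ")]
        methods[name] = mode[0] if mode else ["local"]   # a scheme without a mode is local
        if "none" in methods[name]:
            out.append(("ERROR", f"authentication scheme {name}: mode none skips authentication"))
        elif {"radius", "hwtacacs"} & set(methods[name]) and "local" not in methods[name]:
            out.append(("WARN", f"authentication scheme {name}: remote only, no local fallback "
                                "if the servers do not respond"))
    for name, d in model["domains"].items():
        applied, templates = {}, set()
        for l in d["lines"]:
            w = l.split()
            if w[0] in SCHEME_KINDS:
                kind = SCHEME_KINDS[w[0]]
                if w[1] in model[kind] or w[1] == "default":
                    applied[kind] = w[1]
                else:
                    out.append(("ERROR", f"domain {name}: {w[0]} {w[1]} does not exist"))
            elif w[0] in ("radius-server", "hwtacacs-server"):
                proto = w[0].split("-")[0]
                if model["templates"].get(w[1], {}).get("proto") == proto:
                    templates.add(proto)
                else:
                    out.append(("ERROR", f"domain {name}: {proto} template {w[1]} does not exist"))
        for proto in ("radius", "hwtacacs"):
            if proto in methods.get(applied.get("auth", "default"), []) and proto not in templates:
                out.append(("ERROR", f"domain {name}: authentication uses {proto} but no "
                                     f"{proto} template is applied"))
    return out


CONSTRUCTED_BAD = """
hwtacacs-server template weak
 hwtacacs-server authentication 10.0.0.1
 hwtacacs-server shared-key simple hello
#
aaa
 authentication-scheme remote-only
  authentication-mode hwtacacs
 domain corp
  authentication-scheme remote-only
  hwtacacs-server missing
#
"""

if __name__ == "__main__":
    for level, message in review_config(CONSTRUCTED_BAD):
        print(level, message)
```

Run against the two configuration files in this section, the script reports one WARN for the RADIUS example (authentication scheme 1 uses radius with no local fallback) and nothing for the HWTACACS example, whose scheme l-h has the local fallback and whose template has a secondary server for every role.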

2 HTTPS Configuration

About This Chapter

The Hypertext Transfer Protocol Secure (HTTPS) protocol provides secure web access using security mechanisms provided by the Secure Sockets Layer (SSL) protocol, including data encryption, identity authentication, and message integrity check.

2.1 HTTPS Overview
HTTPS is a combination of the Hypertext Transfer Protocol (HTTP) and the Secure Sockets Layer (SSL) protocol.

2.2 HTTPS Features Supported by the AR200-S
The AR200-S supports the HTTPS server function.

2.3 Configuring the AR200-S as an HTTPS Server
The HTTPS server function allows users to securely access the AR200-S on web pages.

2.4 Configuration Examples
This section provides an HTTPS configuration example.


2.1 HTTPS Overview


HTTPS is a combination of the Hypertext Transfer Protocol (HTTP) and the Secure Sockets Layer (SSL) protocol. HTTPS uses SSL to authenticate clients and servers and encrypt transmitted data for secure communication.

HTTP enables a device supporting the web management system to function as a web server. Users can log in to this device using HTTP and manage the device on web pages. HTTP cannot authenticate web servers or encrypt data, so it cannot protect data privacy or security. Therefore, HTTPS is used on devices to provide encrypted communication and secure identification of web servers.

As shown in Figure 2-1, an SSL policy is configured on the device (an HTTP server). After the HTTPS server function is enabled on the device, users can use a web browser to log in to the device (an HTTPS server) and manage the device on web pages.

Figure 2-1 Logging in to an HTTPS server through the web browser
(Figure 2-1 shows a PC reaching the HTTPS server across the network.)

2.2 HTTPS Features Supported by the AR200-S


The AR200-S supports the HTTPS server function. An AR200-S functions as an HTTPS server after the HTTPS server function is configured. The AR200-S uses the SSL protocol's data encryption, identity authentication, and message integrity check mechanisms to protect security of data transmitted between users and the AR200-S. These mechanisms ensure that users securely access a remote AR200-S on web pages. Before configuring services including the web management system and SSL VPN service, ensure that the HTTPS server function has been configured on the AR200-S.
NOTE

The HTTPS function is used with a license. To use the HTTPS function, apply for and purchase the following license from the Huawei local office:
l AR150&200 Value-Added Security Package

2.3 Configuring the AR200-S as an HTTPS Server


The HTTPS server function allows users to securely access the AR200-S on web pages.


Applicable Environment
When users access a remote AR200-S functioning as an HTTP server, the following problems exist:
l Users cannot authenticate the AR200-S.
l Privacy of data transmitted between users and the AR200-S cannot be protected.
l Integrity of data transmitted between users and the AR200-S cannot be ensured, and the data may be modified by unauthorized users.

To solve the preceding problems, configure the AR200-S as an HTTPS server. The AR200-S uses the SSL protocol's data encryption, identity authentication, and message integrity check mechanisms to protect security of data transmitted between users and the AR200-S. These mechanisms ensure that users securely access a remote AR200-S on web pages.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Configure a server SSL policy. For details, see 11.3 Configuring a Server SSL Policy.

Step 3 Run:
http secure-server ssl-policy ssl-policy

An SSL policy is applied to the HTTPS service. By default, no SSL policy is applied to the HTTPS service on the AR200-S.

Step 4 (Optional) Run:
http secure-server port port

The port number is set for the HTTPS service. By default, the port number of the HTTPS service is 443.

Step 5 Run:
http secure-server enable

The HTTPS server function is enabled on the AR200-S. By default, the HTTPS server function is disabled on the AR200-S.

----End

Example
# Run the display current-configuration command to check the configuration of the HTTPS server.
<Huawei> display current-configuration | include http secure-server
 http secure-server port 1026
 http secure-server ssl-policy user
 http secure-server enable


2.4 Configuration Examples


This section provides an HTTPS configuration example.

2.4.1 Example for Configuring the Router as an HTTPS Server


This section describes how to configure an HTTPS server to allow the administrator of an enterprise to remotely log in to a gateway.

Networking Environment
As shown in Figure 2-2, the administrator of enterprise A works in a different city than the R&D department. The administrator needs to securely log in to the gateway of the R&D department to manage the gateway. To meet the preceding requirement, configure the HTTPS server function on the Router (the gateway) so that:
l The administrator establishes an HTTPS connection with the Router (the gateway) from a host named Admin and manages the Router on web pages.
l The administrator uses the SSL protocol's security mechanisms to authenticate the Router, improving remote access security.
NOTE

To implement certificate authentication, you also need to configure a Certificate Authority (CA) server. The CA server configuration is not mentioned here.

Figure 2-2 Networking diagram of HTTPS server configuration


(Figure 2-2 shows the R&D department PC of enterprise A behind the Router, whose interface Eth1/0/0 at 2.1.1.1/24 faces the Internet; the CA at 3.1.1.1/24 and the host Admin are reached across the Internet. The address 1.1.1.1/24 also appears in the figure.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a public key infrastructure (PKI) entity and a PKI domain.
2. Configure a server SSL policy.
3. Configure the Router as an HTTPS server.

Data Preparation
To complete the configuration, you need the following data:

l Router's interface connected to the Internet: Ethernet1/0/0
l IP address of Ethernet1/0/0: 2.1.1.1/24
l IP address of the CA: 3.1.1.1/24
l PKI parameters, as shown in the following table

Item        Data
PKI entity  PKI entity name: admin
            l PKI common name: hello
            l Country code: CN
PKI domain  PKI domain name: admin
            l Trusted CA: ca_root
            l Certificate enrollment URL: http://3.1.1.1:8080/certsrv/mscep/mscep.dll
            l Bound PKI entity: admin
            l CA fingerprint algorithm: secure hash algorithm (SHA-1)
              Fingerprint: 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF (40 hexadecimal digits; it must be the value obtained from the CA administrator, since it is the only check on the CA's identity)

l SSL parameters, as shown in the following table

Policy Name   Maximum Number of Sessions   Session Timeout Period
adminserver   40                           7200 seconds

l HTTPS service port number: 1278


NOTE

Before starting the configuration, ensure that routes between the Router, user hosts, and CA are reachable.

Procedure
Step 1 Configure a PKI entity and a PKI domain. # Configure a PKI entity.
<Huawei> system-view
[Huawei] sysname Router
[Router] pki entity admin
[Router-pki-entity-admin] common-name hello
[Router-pki-entity-admin] country CN
[Router-pki-entity-admin] quit

# Configure a PKI domain. The enrollment URL is plain HTTP, so the fingerprint configured here is what the Router uses to verify that the CA certificate it receives is the genuine one. Obtain the fingerprint from the CA administrator out of band and compare it before enrolling.
[Router] pki realm admin
[Router-pki-realm-admin] entity admin
[Router-pki-realm-admin] ca id ca_root
[Router-pki-realm-admin] enrollment-url http://3.1.1.1:8080/certsrv/mscep/mscep.dll ra
[Router-pki-realm-admin] fingerprint sha1 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF
[Router-pki-realm-admin] quit

# Enroll the certificate manually.


[Router] pki enroll-certificate admin
Info: Start certificate enrollment ...
Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it.
Choice no password ,please enter the enter-key.
Please enter Password:
Start certificate enrollment ...
Cert enrolling now,It will take a few minutes or more. Please waiting...
[Router]
The certificate enroll successful.
NOTE

You will be prompted to enter the password during certificate enrollment. If you do not have a password, press Enter.

Step 2 Configure a server SSL policy.

# Create a server SSL policy and specify PKI domain admin in the policy. This allows the Router to obtain a digital certificate from the CA specified in the PKI domain.
[Router] ssl policy adminserver type server
[Router-ssl-policy-adminserver] pki-realm admin

# Set the maximum number of sessions that can be saved and the timeout period of a saved session.
[Router-ssl-policy-adminserver] session cachesize 40 timeout 7200
[Router-ssl-policy-adminserver] quit

Step 3 Configure the Router as an HTTPS server.

# Apply the SSL policy adminserver to the HTTPS service.
[Router] http secure-server ssl-policy adminserver

# Configure the port number of the HTTPS service.
[Router] http secure-server port 1278

# Enable the HTTPS server function on the Router.
[Router] http secure-server enable

Step 4 Verify the configuration.

# Run the display ssl policy policy-name command to view the configuration of the SSL policy adminserver.
<Router> display ssl policy adminserver
------------------------------------------------------------------------------
  Policy name                    : adminserver
  Policy ID                      : 1
  Policy type                    : Server
  Cache number                   : 40
  Time out(second)               : 7200
  Server certificate load status : loaded
  Bind number                    : 1
  SSL connection number          : 1
------------------------------------------------------------------------------

# Start the web browser on the host Admin and enter https://2.1.1.1:1278 in the address box. The web management system of the Router is displayed, and the administrator can securely access and manage the Router on web pages. The browser can verify the Router's certificate only if it trusts the CA ca_root that issued it, so install that CA certificate on the host Admin first; clicking through a certificate warning instead discards the server authentication this configuration exists to provide.

----End

Configuration Files
Configuration file of the Router
#
 sysname Router
#
interface Ethernet1/0/0
 ip address 2.1.1.1 255.255.255.0
#
pki entity admin
 common-name hello
 country CN
#
pki realm admin
 entity admin
 ca id ca_root
 enrollment-url http://3.1.1.1:8080/certsrv/mscep/mscep.dll ra
 fingerprint sha1 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF
#
ssl policy adminserver type server
 pki-realm admin
 session cachesize 40 timeout 7200
#
http secure-server ssl-policy adminserver
http secure-server enable
http secure-server port 1278
#
return
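The PKI realm in step 1 fetches the CA certificate over plain HTTP, so the fingerprint sha1 value is the only thing that lets the Router distinguish the CA at 3.1.1.1 from an impostor answering at that address; the check the fingerprint command performs is SHA-1 over the DER encoding of the CA certificate compared with the configured digits. The following Python code, an added example rather than code from this guide or from the Router, shows that comparison together with a lint for the realm block above (an http:// enrollment URL with no fingerprint, or a fingerprint that is not 40 hexadecimal digits). CONSTRUCTED_CA_DER is placeholder bytes standing in for a certificate, not a real one, and the function names are the author's own.

```python
"""Check the CA trust anchor that the PKI realm above depends on.  With a
plain http:// enrollment URL, the configured 'fingerprint sha1' value is
the only check on the CA's identity: it must equal SHA-1 over the DER
encoding of the CA certificate.  Added example, not Huawei code;
CONSTRUCTED_CA_DER is placeholder bytes, not a real certificate."""
import hashlib
import re
from urllib.parse import urlparse

CONSTRUCTED_CA_DER = b"constructed placeholder, not a real DER certificate"


def normalize_fingerprint(text):
    """Accept a fingerprint as it is usually pasted (either case, spaces,
    colons or a line break inside it) and return 40 upper-case hex digits.
    Anything that is not exactly 40 digits is rejected instead of being
    truncated, so a stray character cannot silently produce a value that
    never matches the real CA."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text).upper()
    if len(digits) != 40:
        raise ValueError(f"SHA-1 fingerprint needs 40 hex digits, got {len(digits)}")
    return digits


def sha1_fingerprint(ca_der):
    """Fingerprint of a DER certificate in the form the command expects."""
    return hashlib.sha1(ca_der).hexdigest().upper()


def ca_fingerprint_matches(ca_der, configured):
    """True only when the certificate the CA actually served hashes to the
    value the administrator obtained out of band."""
    return sha1_fingerprint(ca_der) == normalize_fingerprint(configured)


def review_pki_realm(realm_lines):
    """Lint the lines of one pki realm block: enrollment over http:// with
    no fingerprint means the first certificate received is trusted blindly,
    and a malformed fingerprint means enrollment can never succeed."""
    url, fingerprint, findings = None, None, []
    for line in realm_lines:
        words = line.split()
        if words[:1] == ["enrollment-url"] and len(words) >= 2:
            url = words[1]
        elif words[:1] == ["fingerprint"] and len(words) >= 3:
            fingerprint = (words[1], words[2])
    if url and urlparse(url).scheme == "http" and fingerprint is None:
        findings.append("enrollment over plain HTTP with no CA fingerprint configured")
    if fingerprint:
        try:
            normalize_fingerprint(fingerprint[1])
        except ValueError as err:
            findings.append(f"fingerprint {fingerprint[0]}: {err}")
    return findings


if __name__ == "__main__":
    print("constructed CA fingerprint:", sha1_fingerprint(CONSTRUCTED_CA_DER))
    print(review_pki_realm(["enrollment-url http://3.1.1.1:8080/certsrv/mscep/mscep.dll ra"]))
```

A fingerprint copied with one extra digit, as can happen when it is transcribed from a table, is reported as malformed rather than being accepted and then never matching; the real CA certificate's DER bytes would replace CONSTRUCTED_CA_DER in practice.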

Issue 02 (2012-03-30)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

41

Huawei AR200-S Series Enterprise Routers Configuration Guide - Security

3 Firewall Configuration

About This Chapter

The attack defense system protects an internal network against attacks from external networks; therefore, firewalls are generally deployed between the internal and external networks to prevent attacks.

3.1 Firewall Overview
A firewall discards unwanted packets and protects the systems and key resources on the internal network.

3.2 Firewall Features Supported by the AR200-S
The firewall features supported by the AR200-S include ACL-based packet filtering, blacklist, whitelist, application specific packet filter (ASPF), port mapping, virtual firewall, attack defense, traffic statistics and monitoring, and logs.

3.3 Configuring Zones
All the security policies of the firewall are enforced based on zones.

3.4 Configuring the Packet Filtering Firewall
The packet filtering firewall filters packets by using an ACL.

3.5 Configuring the Blacklist
You can manually add entries to the blacklist or configure a dynamic blacklist. If you choose the dynamic blacklist, enable IP address scanning and port scanning defense on the attack defense module of the AR200-S. When the AR200-S detects that the connection rate of an IP address or a port exceeds the threshold, the AR200-S considers that a scanning attack occurs, and adds the source IP address to the blacklist. All the packets from this source IP address are then filtered out.

3.6 Configuring the Whitelist
Whitelists are applicable to networks where devices send valid service packets that resemble IP address or port scanning attack packets. Whitelists prevent these devices from being added to the blacklist.

3.7 Configuring ASPF
The ASPF function can detect sessions that attempt to traverse the application layer and deny the undesired packets. In addition, ASPF enables application protocols that cannot traverse firewalls to function properly.

3.8 Configuring Port Mapping
Port mapping defines new port numbers for different application-layer protocols, protecting the server against service-specific attacks.

3.9 Configuring the Aging Time of the Firewall Session Table

3.10 Configuring the Attack Defense Function
The AR200-S attack defense function prevents attacks to the CPU. It ensures that the server operates normally even when it is attacked.

3.11 Configuring Traffic Statistics and Monitoring
The AR200-S supports traffic statistics and monitoring at the system level, zone level, and IP address level.

3.12 Configuring the Log Function
The firewall logs include session logs, statistics logs, attack defense logs, and blacklist logs.

3.13 Maintaining the Firewall

3.14 Configuration Examples
This section provides several configuration examples of the firewall.


3.1 Firewall Overview


A firewall discards unwanted packets and protects the systems and key resources on the internal network.

In a building, a firewall is designed to prevent the spread of fire from one place to other places. Similarly, a firewall on the network prevents hazards on the Internet from spreading to the internal network. Located at the network boundary, a firewall prevents unauthorized access to the protected network and allows the internal users' secure access to the web service across the Internet. Both the packets from the Internet to the internal network and the packets from the internal network to the Internet pass through the firewall; therefore, the firewall is a guard that can discard the undesired packets.

A firewall can also be used to protect systems and key resources such as data on the internal network. A firewall filters the access to the protected data, even the internal access to the data. A firewall also serves as an authority control gateway to restrict the access to the Internet. For example, it allows the specified internal users to access the Internet. Firewalls also provide other functions, such as identity authentication and security processing (packet encryption).

The AR200-S has the following functions:
- ACL-based packet filtering: filters packets through an ACL.
- ASPF: filters packets at the application layer.
- Blacklist: filters packets based on source IP addresses.
- Whitelist: prevents the specified IP addresses from being added to the blacklist and filters packets based on source IP addresses.
- Port mapping: defines new port numbers for different application-layer protocols, protecting the server against service-specific attacks.
- Attack defense: detects various network attacks and takes measures to protect the internal network against attacks.
- Traffic statistics and monitoring: monitors traffic volume, detects the connections between internal and external networks, and carries out calculation and analysis.

3.2 Firewall Features Supported by the AR200-S


The firewall features supported by the AR200-S include ACL-based packet filtering, blacklist, whitelist, application specific packet filter (ASPF), port mapping, virtual firewall, attack defense, traffic statistics and monitoring, and logs.

Security Zone
The security zone, also referred to as a zone, is the basis of a firewall. All the security policies are enforced based on zones. A zone is an interface or a group of multiple interfaces. The users in a zone have the same security attributes. Each zone has a unique security priority. That is, the priorities of any two zones are different.

The AR200-S considers that the data transmission within a zone is reliable; therefore, it does not enforce any security policy on the intra-zone data transmission. The AR200-S verifies the data and enforces the security policies only when the data flows from one zone to another.

Interzone
Any two zones form an interzone. Each interzone has an independent interzone view. Most firewall configurations are performed in the interzone views. Assume that there are zone1 and zone2. In the interzone view, ACL-based packet filtering can be configured. The configured filtering policy is then enforced on the data transmission between zone1 and zone2.

Direction
In an interzone, data is transmitted in the inbound or outbound direction.
- Inbound: indicates that data flows from a zone with lower priority to a zone with higher priority.
- Outbound: indicates that data flows from a zone with higher priority to a zone with lower priority.

ACL-based Packet Filtering


ACL-based packet filtering analyzes the information in the packets to be forwarded, including source/destination IP addresses, source/destination port numbers, and IP protocol number. The AR200-S compares the packet information with the ACL rules and determines whether to forward or discard the packets. In addition, the AR200-S can filter fragmented IP packets to prevent a non-initial fragment attack.

ASPF
ASPF is applied to the application layer, that is, ASPF is status-based packet filtering. ASPF detects the application-layer sessions that attempt to pass the firewall, and discards undesired packets. The AR200-S performs ASPF for the File Transfer Protocol (FTP) and Hypertext Transport Protocol (HTTP) packets.

Blacklist
A blacklist filters packets based on source IP addresses. Compared with the ACL, the blacklist uses simpler matching fields to implement high-speed packet filtering. Packets from certain IP addresses can be filtered out. The firewall dynamically adds IP addresses to the blacklist. The firewall uses packet behavior to detect an attack from an IP address. If an attack is detected, the firewall adds the IP address of the attacker to the blacklist so that all packets from the attacker will be discarded.


Whitelist
The whitelist prevents specified IP addresses from being added to the blacklist. The IP addresses in the whitelist will not be added to the static or dynamic blacklist. An entry in the whitelist is represented by the source VPN and IP address. The whitelist applies to the network where some devices send valid service packets that resemble IP address scanning attack packets or port scanning attack packets. The whitelist prevents these devices from being added to the blacklist. The whitelist entries on the AR200-S can only be manually added.

Port Mapping
Application-layer protocols use well-known ports for communication. Port mapping defines new port numbers for different application-layer protocols, which protects the server against service-specific attacks. Port mapping applies to service-sensitive features such as ASPF and Network Address Translation (NAT). For example, the FTP server 10.10.10.10 on an enterprise intranet provides the FTP service through port 2121. When accessing the FTP server through a NAT server, users must use port 2121. By default, port 21 is used for FTP packets, so the NAT server cannot identify FTP packets that use port 2121. In this case, you need to map port 2121 to the FTP protocol. After port mapping, the NAT server can identify the FTP packets that use port 2121 and send the FTP packets to the FTP server. This enables users to access the FTP server.

Virtual Firewall
Recently, more small-scale private networks have been established. Most of these private networks belong to small-scale enterprises. Such enterprises have the following requirements:
- High security
- Low cost: they cannot afford a dedicated security device

Logically, the AR200-S can be divided into multiple virtual firewalls to serve multiple small-scale private networks. By using the virtual firewall function, an ISP can lease the network security services to the enterprises. A virtual firewall integrates a VPN instance and a security instance. The virtual firewall provides a private routing plane and security service for the virtual firewall users. The VPN instance and the security instance provide the following functions:
- VPN instance: provides independent VPN routes for the users under each virtual firewall. These VPN routes are used to forward the packets received by each virtual firewall.
- Security instance: provides independent security services for the users under each virtual firewall. The security instance contains private interfaces, zones, interzones, ACL rules, and NAT rules. In addition, it provides the security services such as address binding, blacklist, address translation, packet filtering, traffic statistics and monitoring, attack defense, ASPF, and NAT for the users under the virtual firewalls.

Firewall Log
The firewall records the behaviors and status of the firewall in real time. For example, the attack defense measures and the detection of malicious attacks are recorded in the firewall log. The firewall logs are categorized into the following types:
- Session log: sent to the log server in real time.
- Blacklist log: sent to the information center in real time.
- Attack log and statistics log: sent to the information center periodically.

These logs help you find out security risks, detect attempts to violate security policies, and learn the type of a network attack. The real-time log is also used to detect an intrusion that is underway.

Traffic Statistics and Monitoring


A firewall monitors data traffic and detects connection setup between internal and external networks, generates statistics, and analyzes data. The firewall can analyze the logs by using special software after events occur. The firewall also has analysis functions that enable it to analyze data in real time.

By checking whether the number of TCP/UDP sessions initiated from external networks to the internal network exceeds the threshold, the firewall determines whether to restrict new sessions from external networks to the internal network or restrict new sessions from an IP address in the internal network. If the firewall finds that the number of sessions in the system exceeds the threshold, it speeds up the aging of sessions. This ensures that new sessions are set up. In this way, a DoS attack can be prevented if the system is too busy.

Figure 3-1 shows an application of the firewall. The IP address-based statistics function is enabled for the packets from external networks to the internal network. If the number of TCP sessions initiated by external networks to Web server 129.9.0.1 exceeds the threshold, the AR200-S forbids external networks to initiate new sessions until the number of sessions is smaller than the threshold.

Figure 3-1 Limiting the number of sessions initiated by external server
(Figure: the Router connects the internal network, which hosts Web server 129.9.0.1 on Ethernet, to the Internet; TCP connections from the Internet to the Web server cross the Router.)

Attack Defense
With the attack defense feature, the AR200-S can detect and protect against various network attacks. Network attacks are classified into three types: DoS attacks, scanning and snooping attacks, and malformed packet attacks.

- DoS attack
  A denial of service (DoS) attack attacks a system with a large number of data packets. This prevents the system from receiving requests from authorized users or suspends the host. DoS attacks include the SYN Flood attack and the Fraggle attack. DoS attacks are different from other attacks because DoS attackers do not search for the ingress of a network but prevent authorized users from accessing resources or routers.
- Scanning and snooping attack
  Scanning and snooping attacks identify the existing systems on the network through ping scanning (including ICMP and TCP scanning), and then discover potential targets. Through TCP scanning, the attackers can learn the operating system and the monitored services. By scanning and snooping, an attacker can generally know the service type and security vulnerability of the system and plan further intrusion to the system.
- Malformed packet attack
  Malformed packet attacks send malformed IP packets to the system. Under such an attack, the system crashes when processing the malformed IP packets. Malformed packet attacks include Ping of Death and Teardrop.

Land Attack
A Land attack sets the source and destination addresses of a TCP SYN packet to the IP address of the attacked target. The target then sends the SYN-ACK message to its own IP address, and an ACK message is sent back to the target. This forms a null session. Every null session exists until it times out. The responses to the Land attack vary according to the targets. For instance, many UNIX hosts crash while Windows NT hosts slow down.

Smurf Attack
A simple Smurf attack is used to attack a network. The attacker sends an ICMP request to the broadcast address of the network. All the hosts on the network then respond to the request and the network is congested. The traffic caused by a Smurf attack is one or two orders of magnitude higher than the traffic caused by a ping of large packets. An advanced Smurf attack targets hosts. The attacker changes the source address of an ICMP request to the IP address of the target host. The host becomes overwhelmed with ICMP replies, then crashes. This attack is more effective when a large volume of ICMP request packets is generated and when there are a large number of hosts on the network.

WinNuke Attack
A WinNuke attack sends an out-of-band (OOB) data packet to the NetBIOS port (139) of the target host running the Windows operating system. The NetBIOS fragment then overlaps and the host crashes. An Internet Group Management Protocol (IGMP) fragment packet can also damage the target host because the IGMP packet is not fragmented. An attack occurs when a host receives an IGMP packet.

SYN Flood Attack


The TCP/IP protocol stack only permits a limited number of TCP connections due to resource restriction. SYN Flood attacks utilize this TCP/IP characteristic. The attacker forges a SYN packet whose source address is forged or nonexistent and originates a connection to the server. Upon receipt of this packet, the server replies with SYN-ACK. Because there is no receiver of the SYN-ACK packet, a half-connection is created. If the attacker sends a large number of these packets, a lot of half-connections are produced on the attacked host and the host's resources will be exhausted. Common users cannot access the host till the half-connections expire. If the connections can be created without restriction, SYN Flood will consume the system resources such as memory.

ICMP and UDP Flood Attack


ICMP and UDP Flood attacks send a large number of ICMP packets (such as ping packets) and UDP packets to the target host in a short time and request responses. The host is then overloaded and cannot process valid tasks.

IP Sweeping and Port Scanning Attack


IP address sweeping and port scanning attacks detect the IP addresses and ports of the target hosts by using scanning tools. The attacker then determines the hosts that exist on the target network according to the response. The attacker can then find the ports that provide services.

Ping of Death Attack


The Ping of Death attacks a system by sending oversized ICMP packets. The length field of an IP packet is 16 bits, indicating that the maximum length of an IP packet is 65535. If the data field of an ICMP Echo Request packet is longer than 65507, the length of the ICMP Echo Request packet (ICMP data + 20-byte IP header + 8-byte ICMP header) is greater than 65535. Upon receiving the packet, routers or systems will crash, stop responding, or restart due to improper processing of the packet.

ICMP-Redirect and ICMP-Unreachable Attack


A network device sends an ICMP-redirect packet to hosts on the same subnet, requesting the hosts to change a route. However, some malicious attackers cross a network segment and send a fraudulent ICMP-redirect packet to the hosts of another network. In this way, the attackers change the routing table of the hosts, interfering with normal IP packet forwarding of the hosts. Another type of attack sends an ICMP-unreachable packet. After receiving the ICMP-unreachable packets of a network (code is 0) or a host (code is 1), some systems consider the subsequent packets sent to this destination as unreachable. The systems then disconnect the destination from the host.

Teardrop Attack
The More Fragment (MF) bit, offset field, and length field in an IP packet indicate the segment of the original packet contained in this fragment. Some systems running TCP/IP may stop running when receiving a forged fragment containing an overlap offset. The Teardrop attack uses the flaw of some systems that do not check the validity of fragment information.

Fraggle Attack
After receiving UDP packets, port 7 (ECHO) and port 19 (Chargen) can return responses. Port 7 responds to the received packets with ICMP Echo Reply, whereas port 19 responds with a generated character string. Similar to the ICMP packet attack, the two UDP ports generate many invalid response packets, which occupy the network bandwidth. The attacker can send a UDP packet to the destination network. The source address of the UDP packet is the IP address of the host to be attacked and its destination address is the broadcast address or network address of the host's subnet. The destination port number of the packet is 7 or 19. Then, all the systems enabled with this function return packets to the target host. In this case, the high traffic volume blocks the network or the host stops responding. In addition, the systems without this function generate ICMP-unreachable packets, which also consume bandwidth. If the source port is changed to Chargen and the destination port is changed to ECHO, the systems generate response packets continuously and cause serious damage.

IP-Fragment Attack
In an IP packet, some fields are relevant to flag bits and fragments, including Fragment Offset, Length, Don't Fragment (DF), and MF. If these fields conflict and are not processed correctly, the equipment may stop running. The fields conflict in the following cases:
- The DF bit and MF bit are set at the same time, or the DF bit is set while the fragment offset is not 0.
- The value of DF is 0, but the sum of Fragment Offset and Length is larger than 65535.

In addition, the device must directly discard the fragment packet with the destination as itself. This is because more fragments result in heavy load due to packet caching and assembling.

Tracert Attack
A Tracert attack discovers the packet transmission path through the ICMP timeout packets that are returned when the Time To Live (TTL) value reaches 0, or through the returned ICMP port-unreachable packets.

3.3 Configuring Zones


All the security policies of the firewall are enforced based on zones.

3.3.1 Establishing the Configuration Task


Before configuring a zone, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
Before configuring a firewall, you need to configure zones. Then you can configure the firewall based on zones or interzones.

Pre-configuration Tasks
Before configuring a zone, complete the following task:
- Configuring the interfaces that you want to add to the zone

Data Preparation
To configure the zone, you need the following data.

No.   Data
1     Name of the zone
2     Priority of the zone
3     Interfaces that you want to add to the zone

3.3.2 Creating a Zone


Before configuring a firewall, you need to create the related zones. Then you can deploy security services according to the security priorities of the zones.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall zone zone-name

A zone is created. The AR200-S can be configured with up to 255 zones, and no default zone is provided.

Step 3 Run:
priority security-priority

The priority of the zone is set. You must configure a priority for a zone before making other configurations. The priority cannot be changed. The priorities of the zones cannot be the same. A greater value indicates a higher priority.

----End

3.3.3 Adding an Interface to the Zone


You can add interfaces to the specified zone.

Prerequisites
The zone has been created through the firewall zone command.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
zone zone-name

The interface is added to the zone.

----End

3.3.4 Creating an Interzone


Create the interzone so you can enable the firewall to filter packets or application-layer services in the specified interzone.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall interzone zone-name1 zone-name2

An interzone is created. The zones specified for an interzone must have been created on the device.

----End

3.3.5 Enabling Firewall in the Interzone


The configured firewall functions take effect only after you enable firewall in the interzone.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall interzone zone-name1 zone-name2

The interzone view is displayed. The zones zone-name1 and zone-name2 have been created through the firewall zone command.

Step 3 Run:
firewall enable

The firewall is enabled. By default, the firewall function is disabled in an interzone.

----End

3.3.6 Checking the Configuration


After configuring the zones and interzone, you can view information about the zones and interzone.

Procedure
- Run the display firewall zone [ zone-name ] [ interface | priority ] command to view information about the zones.
- Run the display firewall interzone [ zone-name1 zone-name2 ] command to view information about the interzone.

----End

3.4 Configuring the Packet Filtering Firewall


The packet filtering firewall filters packets by using an ACL.

3.4.1 Establishing the Configuration Task


Before configuring the ACL-based packet filtering firewall, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
When data is transmitted between two zones, the ACL-based packet filtering firewall enforces the packet filtering policies according to the ACL rules. The ACLs for filtering packet include basic ACLs and advanced ACLs.

Pre-configuration Tasks
Before configuring ACL-based packet filtering, complete the following tasks:
- Configuring zones and adding interfaces to the zones
- Configuring the interzone and enabling the firewall function in the interzone
- Creating the basic ACL and advanced ACL and configuring ACL rules

Data Preparation
To configure ACL-based packet filtering, you need the following data.

No.   Data
1     Zone names
2     ACL number
3     Packet direction to which the ACL is applied


3.4.2 Configuring ACL-based Packet Filtering in an Interzone


The packet filtering firewall filters packets through ACLs.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl [ number ] acl-number [ match-order { config | auto }]

An ACL is created and the ACL view is displayed.

Step 3 Run:
rule

An ACL rule is configured.

Step 4 Run:
quit

Return to the system view.

Step 5 Run:
firewall interzone zone-name1 zone-name2

The interzone view is displayed.

Step 6 Run:
packet-filter acl-number { inbound | outbound }

The ACL-based packet filtering is configured. You can configure ACL-based packet filtering in the interzone for incoming or outgoing packets.

Step 7 (Optional) Run:
packet-filter default { deny | permit } { inbound | outbound }

The default processing mode for unmatched packets is configured. In the default settings of the system, the outbound unmatched packets are allowed, and the inbound unmatched packets are denied. If an ACL is applied to the inbound or outbound packets of an interzone, the packets are filtered according to the ACL rules. If packets do not match the ACL, the default processing mode is used.
NOTE

During the modification of interzone filtering rules, some sessions may not be filtered properly according to the rules. Therefore, after the modification is complete, use the reset firewall session all command to delete all existing firewall session entries.

----End
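The zone, interzone and packet-filter commands above (3.2 Direction, 3.3 and 3.4.2) fit together in a way that is easy to get wrong in practice, so here is a small executable model of their semantics. This is an added illustration, not AR200-S code. Taken from the guide: traffic inside one zone is not policed; inbound means lower-priority zone to higher-priority zone and outbound the reverse; nothing is enforced until firewall enable is run in the interzone; unmatched inbound packets are denied and unmatched outbound packets are permitted unless packet-filter default changes that. Assumed here: rules are evaluated in configuration order (match-order config), the Zone/Rule/Interzone names, the rule fields, and the dict used to represent a packet.

```python
"""Model of AR200-S zones, interzones and ACL-based packet filtering.

Added illustration, not device code. Class names, rule fields and the packet
representation are assumptions; the policy semantics follow the guide.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Zone:
    name: str
    priority: int   # unique per device; a greater value is a higher priority


@dataclass
class Rule:
    """One ACL rule. A field left as None matches anything (wildcard)."""
    action: str                     # "permit" or "deny"
    src: Optional[str] = None       # source prefix, e.g. "203.0.113.0/24"
    dst: Optional[str] = None       # destination prefix
    proto: Optional[str] = None     # "tcp", "udp" or "icmp"
    dport: Optional[int] = None     # destination port (tcp/udp)

    def matches(self, pkt: Dict) -> bool:
        if self.src and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.dst and ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


class Interzone:
    """'firewall interzone zone-name1 zone-name2' and the commands in its view."""

    def __init__(self, zone_a: Zone, zone_b: Zone):
        if zone_a.priority == zone_b.priority:
            raise ValueError("zone priorities must differ")
        self.zones = {zone_a, zone_b}
        self.enabled = False                          # 'firewall enable'
        self.acl: Dict[str, List[Rule]] = {}          # direction -> rules
        self.default = {"inbound": "deny", "outbound": "permit"}   # system defaults

    def enable(self) -> None:
        self.enabled = True

    def packet_filter(self, rules: List[Rule], direction: str) -> None:
        """'packet-filter acl-number { inbound | outbound }'."""
        self.acl[direction] = list(rules)

    def packet_filter_default(self, action: str, direction: str) -> None:
        """'packet-filter default { deny | permit } { inbound | outbound }'."""
        self.default[direction] = action

    @staticmethod
    def direction(from_zone: Zone, to_zone: Zone) -> str:
        # inbound: lower priority -> higher priority; outbound: the reverse
        return "inbound" if from_zone.priority < to_zone.priority else "outbound"

    def decide(self, pkt: Dict, from_zone: Zone, to_zone: Zone) -> str:
        if from_zone == to_zone:
            return "permit"                 # intra-zone traffic is not policed
        if {from_zone, to_zone} != self.zones:
            raise ValueError("packet does not cross this interzone")
        if not self.enabled:
            return "permit"                 # nothing enforced until 'firewall enable'
        direction = self.direction(from_zone, to_zone)
        for rule in self.acl.get(direction, []):   # first match wins (config order)
            if rule.matches(pkt):
                return rule.action
        return self.default[direction]      # unmatched: per-direction default


if __name__ == "__main__":
    trust, untrust = Zone("trust", 85), Zone("untrust", 5)
    iz = Interzone(trust, untrust)
    iz.enable()
    # Only HTTPS to the web server may enter from the untrusted side.
    iz.packet_filter([Rule("permit", dst="10.1.1.10/32", proto="tcp", dport=443)], "inbound")
    web = {"src": "203.0.113.5", "dst": "10.1.1.10", "proto": "tcp", "dport": 443}
    ssh = dict(web, dport=22)
    print("inbound 443:", iz.decide(web, untrust, trust))
    print("inbound 22: ", iz.decide(ssh, untrust, trust))
```

The point the model makes visible: an ACL only decides the packets it matches; everything else falls through to the direction's default, and the direction is a function of the two zone priorities, not of which interface the packet arrived on.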

3.4.3 Checking the Configuration


After the ACL-based packet filtering firewall is configured, you can view information about ACL-based packet filtering.

Procedure
- Run the display firewall interzone [ zone-name1 zone-name2 ] command to view information about packet filtering.
- Run the display acl acl-number command to view the ACL configuration.

----End

3.5 Configuring the Blacklist


You can manually add entries to the blacklist or configure a dynamic blacklist. If you choose the dynamic blacklist, enable IP address scanning and port scanning defense on the attack defense module of the AR200-S. When the AR200-S detects that the connection rate of an IP address or a port exceeds the threshold, the AR200-S considers that a scanning attack occurs, and adds the source IP address to the blacklist. All the packets from this source IP address are then filtered out.

3.5.1 Establishing the Configuration Task


Before configuring the blacklist, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
The blacklist can filter out packets sent from a specified IP address to a zone. An IP address can be added to the blacklist manually or automatically. When the attack defense module of the firewall detects an attack through the packet behavior, the firewall adds the source IP address of the packet to the blacklist. All the packets from this IP address are then filtered out.

Pre-configuration Tasks
Before configuring the blacklist, complete the following tasks:
- Configuring zones and adding interfaces to the zones
- Configuring the interzone and enabling the firewall function in the interzone
- Enabling IP address scanning attack defense or port scanning attack defense if a dynamic blacklist is used

Data Preparation
To configure the blacklist, you need the following data.

No.   Data
1     IP address that you want to add to the blacklist
2     (Optional) Aging time of blacklist entries

3.5.2 Enabling the Blacklist Function


To make the entries added to the blacklist manually or dynamically effective, you must first enable the blacklist function.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall blacklist enable

The blacklist function is enabled. By default, the blacklist function is disabled.

----End

3.5.3 Adding IP Addresses to the Blacklist Manually


After an IP address is added to the blacklist, the firewall denies the packets from this IP address until this entry expires.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall blacklist ip-address [ vpn-instance vpn-instance-name ] [ expire-time minutes ]

An entry is added to the blacklist. When adding an entry to the blacklist, you can set the IP address, aging time, and VPN instance. The aging time refers to the period in which the IP address is effective after it is added to the blacklist. When the IP address expires, it is released from the blacklist. If the aging time is not specified, the IP address is always valid in the blacklist. An IP address can be added to the blacklist regardless of whether the blacklist is enabled or not. That is, even though the blacklist is not enabled, you can add entries, but the entries do not take effect until the blacklist is enabled. You can add up to 32 entries to a blacklist.
Issue 02 (2012-03-30) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. 56

Huawei AR200-S Series Enterprise Routers Configuration Guide - Security


NOTE

3 Firewall Configuration

The blacklist entries without the aging time are added to the configuration file. The entries configured with the aging time are not added to the configuration file, but you can view them by using the display firewall blacklist command.

----End

Follow-up Procedure
Run the firewall black-white-list save command to save the blacklist and whitelist to the specified configuration file.

3.5.4 Configuring Blacklist and Whitelist Using the Configuration File


You can configure blacklist and whitelist entries in a batch by loading the configuration file.

Prerequisites
The configuration file for storing the blacklist and whitelist is available.

Context
The configuration file must be in txt format, and the contents are as follows:

[FirewallBlacklist]   # A blacklist entry
IPAddress =           # An IP address in the blacklist, in dotted decimal notation
VPNName =             # (Optional) VPN instance of the blacklist
[FirewallWhitelist]   # A whitelist entry
IPAddress =           # An IP address in the whitelist, in dotted decimal notation
VPNName =             # (Optional) VPN instance of the whitelist, in dotted decimal notation

A configuration file can contain multiple entries, but each entry must be edited separately. Blank lines are allowed between lines.

[FirewallBlacklist]
IPAddress = 210.10.10.1
VPNName = vpna
[FirewallBlacklist]
IPAddress = 220.10.10.2
VPNName =
[FirewallWhitelist]
IPAddress = 10.10.10.1
VPNName = vpnb
[FirewallWhitelist]
IPAddress =20.20.20.1
VPNName =

NOTE
A configuration file can contain up to 50000 lines.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
firewall black-white-list load configuration-file configuration-file-name

The blacklist and whitelist configuration file is loaded. The configured blacklist takes effect only after you run the firewall blacklist enable command to enable the blacklist. The entries in the whitelist take effect directly and you do not need to enable the whitelist function. A blacklist supports up to 32 entries, and a whitelist supports up to 32 entries.
----End

Follow-up Procedure
Run the firewall black-white-list save command to save the blacklist and whitelist to the specified configuration file to load next time.

3.5.5 Checking the Configuration


After the blacklist is configured, you can view information about the blacklist.

Procedure
l Run the display firewall blacklist command to view information about the blacklist.

----End

Example
Run the display firewall blacklist command to view information about the blacklist.
<Huawei> display firewall blacklist all
Firewall blacklist items :
-----------------------------------------------------------------------
IP-Address          Reason        Expire-Time(m)      VPN-Instance
-----------------------------------------------------------------------
10.1.1.1            Manual        100
-----------------------------------------------------------------------
Total number is : 1

3.6 Configuring the Whitelist


Whitelists are applicable to networks where devices send valid service packets that resemble IP address or port scanning attack packets. Whitelists prevent these devices from being added to the blacklist.

3.6.1 Establishing the Configuration Task


Before configuring the whitelist, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
Whitelists are applicable to networks where some devices send valid service packets that resemble IP address scanning or port scanning attack packets. Whitelists prevent these devices from being added to the blacklist. If you add the VPN and IP address of a host to the whitelist, the firewall does not check packets from that host that look like IP address scanning or port scanning attack packets, and does not add the IP address to the blacklist.

Pre-configuration Tasks
Before configuring the whitelist, complete the following tasks:
l Configuring zones and adding interfaces to the zones
l Configuring the interzone and enabling the firewall function in the interzone

Data Preparation
To configure the whitelist, you need the following data.

No.  Data
1    IP address that you want to add to the whitelist
2    (Optional) Aging time of whitelist entries

3.6.2 Adding Entries to the Whitelist Manually


The entries in the whitelist take effect directly and you do not need to enable the whitelist function.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
firewall whitelist ip-address [ vpn-instance vpn-instance-name ] [ expire-time minutes ]

An entry is added to the whitelist. By running this command, you can add an entry to the whitelist manually. You can specify the IP address, VPN instance, and aging time when adding the entry. The aging time refers to the period in which the IP address is effective after it is added to the whitelist. When the IP address expires, it is released from the whitelist. If the aging time is not specified, the IP address is always valid in the whitelist. You can create up to 32 entries in the whitelist.
----End

Follow-up Procedure
Run the firewall black-white-list save command to save the blacklist and whitelist to the specified configuration file to load next time.

3.6.3 Configuring Blacklist and Whitelist Using the Configuration File


You can configure blacklist and whitelist entries in a batch by loading the configuration file.

Prerequisites
The configuration file for storing the blacklist and whitelist is available.

Context
The configuration file must be in txt format, and the contents are as follows:

[FirewallBlacklist]   # A blacklist entry
IPAddress =           # An IP address in the blacklist, in dotted decimal notation
VPNName =             # (Optional) VPN instance of the blacklist
[FirewallWhitelist]   # A whitelist entry
IPAddress =           # An IP address in the whitelist, in dotted decimal notation
VPNName =             # (Optional) VPN instance of the whitelist, in dotted decimal notation

A configuration file can contain multiple entries, but each entry must be edited separately. Blank lines are allowed between lines.

[FirewallBlacklist]
IPAddress = 210.10.10.1
VPNName = vpna
[FirewallBlacklist]
IPAddress = 220.10.10.2
VPNName =
[FirewallWhitelist]
IPAddress = 10.10.10.1
VPNName = vpnb
[FirewallWhitelist]
IPAddress =20.20.20.1
VPNName =

NOTE
A configuration file can contain up to 50000 lines.
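The following parser checks a blacklist/whitelist file against the format and limits given in sections 3.5.4 and 3.6.3 before it is loaded. It is an added example, not Huawei code; treating "#" as a comment delimiter in data files is an assumption taken from the template above, and the sample file is a constructed copy of the one in the guide.

```python
"""Parser and validator for the AR200-S blacklist/whitelist configuration
file (sections 3.5.4 / 3.6.3). Added example, not Huawei code. It enforces
the documented limits: dotted-decimal IPAddress, optional VPNName, at most
32 entries per list and at most 50000 lines per file. Treating '#' as a
comment delimiter is an assumption taken from the guide's template."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

MAX_ENTRIES_PER_LIST = 32    # documented limit per blacklist / whitelist
MAX_FILE_LINES = 50000       # documented limit for the whole file

SECTION_TO_LIST = {
    "[FirewallBlacklist]": "blacklist",
    "[FirewallWhitelist]": "whitelist",
}
KNOWN_KEYS = ("IPAddress", "VPNName")


@dataclass(frozen=True)
class ListEntry:
    ip: str
    vpn: Optional[str]    # None when "VPNName =" is left empty


def _finish_entry(result: Dict[str, List[ListEntry]],
                  list_name: Optional[str], fields: Dict[str, str]) -> None:
    """Validate the entry collected since the last section header."""
    if list_name is None:
        return
    ip = fields.get("IPAddress", "")
    try:
        ipaddress.IPv4Address(ip)          # dotted decimal notation only
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"{list_name}: invalid IPAddress {ip!r}") from exc
    entries = result[list_name]
    if len(entries) >= MAX_ENTRIES_PER_LIST:
        raise ValueError(f"{list_name} has more than {MAX_ENTRIES_PER_LIST} entries")
    entries.append(ListEntry(ip, fields.get("VPNName") or None))


def parse_black_white_list(text: str) -> Dict[str, List[ListEntry]]:
    """Return {"blacklist": [...], "whitelist": [...]} or raise ValueError."""
    lines = text.splitlines()
    if len(lines) > MAX_FILE_LINES:
        raise ValueError(f"{len(lines)} lines, limit is {MAX_FILE_LINES}")
    result: Dict[str, List[ListEntry]] = {"blacklist": [], "whitelist": []}
    list_name: Optional[str] = None
    fields: Dict[str, str] = {}
    for lineno, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0].strip()    # assumption: '#' starts a comment
        if not line:
            continue                           # blank lines are allowed
        if line in SECTION_TO_LIST:            # a header starts a new entry
            _finish_entry(result, list_name, fields)
            list_name, fields = SECTION_TO_LIST[line], {}
            continue
        if list_name is None:
            raise ValueError(f"line {lineno}: data before a section header")
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or key not in KNOWN_KEYS:
            raise ValueError(f"line {lineno}: unexpected line {raw!r}")
        if key in fields:
            raise ValueError(f"line {lineno}: duplicate {key} in one entry")
        fields[key] = value.strip()
    _finish_entry(result, list_name, fields)
    return result


def conflicting_entries(result: Dict[str, List[ListEntry]]) -> Set[Tuple[str, Optional[str]]]:
    """Addresses present in both lists: worth reviewing before loading."""
    black = {(e.ip, e.vpn) for e in result["blacklist"]}
    white = {(e.ip, e.vpn) for e in result["whitelist"]}
    return black & white


# Constructed copy of the guide's sample file (blank line deliberately included).
SAMPLE = """\
[FirewallBlacklist]
IPAddress = 210.10.10.1
VPNName = vpna

[FirewallBlacklist]
IPAddress = 220.10.10.2
VPNName =
[FirewallWhitelist]
IPAddress = 10.10.10.1
VPNName = vpnb
[FirewallWhitelist]
IPAddress =20.20.20.1
VPNName =
"""

if __name__ == "__main__":
    parsed = parse_black_white_list(SAMPLE)
    for name, entries in parsed.items():
        print(name, entries)
    print("conflicts:", conflicting_entries(parsed))
```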

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
firewall black-white-list load configuration-file configuration-file-name

The blacklist and whitelist configuration file is loaded. The configured blacklist takes effect only after you run the firewall blacklist enable command to enable the blacklist. The entries in the whitelist take effect directly and you do not need to enable the whitelist function. A blacklist supports up to 32 entries, and a whitelist supports up to 32 entries.
----End

Follow-up Procedure
Run the firewall black-white-list save command to save the blacklist and whitelist to the specified configuration file to load next time.

3.6.4 Checking the Configuration


After the whitelist is configured, you can view information about the whitelist.

Procedure
l Run the display firewall whitelist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name } command to view information about the whitelist.

----End

Example
Run the display firewall whitelist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name } command to view information about the whitelist.

<Huawei> display firewall whitelist all
Firewall whitelist items :
-----------------------------------------------------------------------
IP-Address          Expire-Time(m)      Vpn-Instance
-----------------------------------------------------------------------
1.1.1.1             3                   vpn1
1.1.1.2             Permanent           vpn2
1.1.1.3             6
-----------------------------------------------------------------------
Total number is : 3

3.7 Configuring ASPF


The ASPF function inspects sessions at the application layer and denies undesired packets. In addition, ASPF enables application protocols that otherwise cannot traverse firewalls to function properly.

3.7.1 Establishing the Configuration Task


Before configuring ASPF, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
When data is transmitted between two zones, ASPF checks the packets at the application layer and discards the unmatched packets.

Pre-configuration Tasks
Before configuring ASPF, complete the following tasks:
l Configuring zones and adding interfaces to the zones
l Configuring the interzone and enabling the firewall function in the interzone

Data Preparation
To configure ASPF, you need the following data.

No.  Data
1    Names of the two zones
2    Type of the application protocol
3    (Optional) Aging time of the session table for each application layer protocol

3.7.2 Configuring ASPF Detection


ASPF can detect and filter FTP, HTTP, SIP, and RTSP packets at the application layer.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
firewall interzone zone-name1 zone-name2

The interzone view is displayed.
Step 3 Run:
detect aspf { all | ftp | http [ activex-blocking | java-blocking ] | rtsp | sip }

ASPF is configured. Generally, the application-layer protocol packets are exchanged between the two parties in communication, so the direction does not need to be configured. The AR200-S automatically checks the packets in both directions. By default, ASPF is not configured in the interzone.
----End

3.7.3 Checking the Configuration


After ASPF is configured, you can view information about ASPF.

Procedure
l Run the display firewall interzone [ zone-name1 zone-name2 ] command to view ASPF information of the interzone.

----End

Example
Run the display firewall interzone [ zone-name1 zone-name2 ] command to view the ASPF information of the interzone.
<Huawei> display firewall interzone
 interzone zone2 zone1
  firewall enable
  packet-filter default permit outbound
  packet-filter default permit inbound
  session-log 2006 inbound
  detect aspf ftp
  detect aspf sip
  detect aspf rtsp
  detect aspf http
  detect aspf http java-blocking
  detect aspf http activex-blocking
 total number is : 1

3.8 Configuring Port Mapping


Port mapping defines new port numbers for different application-layer protocols, protecting the server against the service specific attacks.

3.8.1 Establishing the Configuration Task


Before configuring port mapping, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
Through port mapping, the firewall can identify packets of the application-layer protocols that use the non-well-known ports. The port mapping function can be applied to features sensitive to application-layer protocols, such as ASPF. Port mapping is applicable to the application-layer protocols such as FTP, DNS, HTTP, SIP, and RTSP. Port mapping is implemented based on the ACL. Only the packets matching an ACL rule are mapped. Port mapping employs the basic ACL (2000 to 2999). In the ACL-based packet filtering, the AR200-S matches the destination IP address of the packet with the IP address configured in the basic ACL rule.
NOTE

Port mapping is applied only to the data within the interzone; therefore, when configuring port mapping, you must configure the zones and interzone.

Pre-configuration Tasks
Before configuring port mapping, complete the following tasks:
l Configuring zones and adding interfaces to the zones
l Configuring the interzone and enabling the firewall function in the interzone
l Creating the basic ACL and configuring ACL rules

Data Preparation
To configure port mapping, you need the following data.

No.  Data
1    Type of application-layer protocol
2    User-defined port to be mapped
3    Number of the basic ACL

3.8.2 Configuring Port Mapping


Port mapping maps protocols to ports based on a basic ACL.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
port-mapping { dns | ftp | http | sip | rtsp } port port-number acl acl-number

Port mapping is configured. You can map multiple ports to a protocol, or map a port to multiple protocols. The mappings, however, must be distinguished by the ACL. That is, packets matching different ACL rules use different mapping entries.

NOTE
Port mapping identifies the protocol type of the packets destined for an IP address (such as the IP address of a WWW server); therefore, when configuring the basic ACL rules, you need to match the destination IP addresses of the packets with the source IP addresses defined in ACL rules.

----End
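The lookup described in this section, modelled as an added example (not Huawei code): one port mapped to two protocols, told apart by their ACLs, and the NOTE's point that the packet's destination address is what gets compared with the source address in the basic ACL rule. The ACL rule shape (permit/deny, source address, wildcard mask) and the well-known ports other than dns/53 are assumptions; the addresses are constructed.

```python
"""Model of the AR200-S port mapping lookup (section 3.8). Added example,
not Huawei code. A mapping binds a protocol to a user-defined port and a
basic ACL (2000-2999); the packet's DESTINATION address is matched against
the SOURCE address of the ACL rule. Rule shape and ports other than dns/53
are assumptions of this example."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# "system defined" mappings: only dns/53 is shown in the guide's output,
# the other values are the IANA well-known ports (assumed).
SYSTEM_DEFINED = {"dns": 53, "ftp": 21, "http": 80, "sip": 5060, "rtsp": 554}


def _addr(a: str) -> int:
    return int(ipaddress.IPv4Address(a))


@dataclass(frozen=True)
class AclRule:
    action: str      # "permit" or "deny"
    address: int     # source address of the rule
    wildcard: int    # 1 bits are "don't care", as in a wildcard mask

    def matches(self, ip: int) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (ip & care) == (self.address & care)


def rule(action: str, address: str, wildcard: str = "0.0.0.0") -> AclRule:
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action {action!r}")
    return AclRule(action, _addr(address), _addr(wildcard))


@dataclass(frozen=True)
class PortMapping:
    protocol: str    # port-mapping { dns | ftp | http | sip | rtsp }
    port: int        # user-defined port
    acl: int         # basic ACL number

    def __post_init__(self) -> None:
        if self.protocol not in SYSTEM_DEFINED:
            raise ValueError(f"unsupported protocol {self.protocol!r}")
        if not 2000 <= self.acl <= 2999:
            raise ValueError("port mapping requires a basic ACL (2000-2999)")
        if not 1 <= self.port <= 65535:
            raise ValueError(f"bad port {self.port}")


def acl_permits(rules: List[AclRule], ip: int) -> bool:
    """First matching rule decides; no match means the packet is not mapped."""
    for r in rules:
        if r.matches(ip):
            return r.action == "permit"
    return False


def resolve_protocol(dst_ip: str, dst_port: int,
                     mappings: List[PortMapping],
                     acls: Dict[int, List[AclRule]]) -> Optional[str]:
    """Protocol the firewall would assign to a packet sent to dst_ip:dst_port,
    or None. User mappings are consulted first, distinguished by their ACL,
    which is evaluated against the packet's DESTINATION address."""
    dst = _addr(dst_ip)
    for m in mappings:
        if m.port == dst_port and acl_permits(acls.get(m.acl, []), dst):
            return m.protocol
    for proto, port in SYSTEM_DEFINED.items():
        if port == dst_port:
            return proto
    return None


# Constructed scenario: a WWW server on 10.1.1.10 and an RTSP server on
# 10.1.1.20 both listen on 8080; the ACLs tell the two mappings apart.
ACLS = {
    2000: [rule("permit", "10.1.1.10")],                  # packets TO the WWW server
    2001: [rule("permit", "10.1.1.20")],                  # packets TO the RTSP server
    2002: [rule("permit", "192.168.1.0", "0.0.0.255")],   # client subnet: the wrong way round
}
MAPPINGS = [PortMapping("http", 8080, 2000), PortMapping("rtsp", 8080, 2001)]

if __name__ == "__main__":
    for ip, port in [("10.1.1.10", 8080), ("10.1.1.20", 8080), ("10.1.1.30", 8080), ("10.1.1.30", 53)]:
        print(ip, port, "->", resolve_protocol(ip, port, MAPPINGS, ACLS))
```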

3.8.3 Checking the Configuration


After port mapping is configured, you can view information about port mapping.

Procedure
l Run the display port-mapping [ dns | ftp | http | rtsp | sip | port port-number ] command to view information about port mapping.

----End

Example
Run the display port-mapping [ dns | ftp | http | rtsp | sip | port port-number ] command to view information about port mapping.
<Huawei> display port-mapping dns
------------------------------------------------
Service        Port        Acl        Type
------------------------------------------------
dns            53                     system defined
------------------------------------------------
Total number is : 1

3.9 Configuring the Aging Time of the Firewall Session Table


3.9.1 Establishing the Configuration Task
Before configuring the aging time of the firewall session table, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
The AR200-S creates a session table for data flows of each protocol, such as TCP, UDP, and ICMP, to record the connection status of the protocol. The aging time is set for the session table of the firewall. If a record in the session table does not match any packet within the aging time, the system deletes the record. To change the aging time of protocol sessions, set the aging time of the firewall session table.

Data Preparation
To set the aging time of the firewall session table, you need the following data.

No.  Data
1    Aging time of the session table of each application-layer protocol

3.9.2 Configuring the Aging Time of the Firewall Session Table


If a session entry is not used within the specified period, the session becomes invalid.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
firewall-nat session { dns | ftp | ftp-data | http | icmp | tcp | tcp-proxy | udp | sip | sip-media | rtsp | rtsp-media } aging-time time-value

The aging time of the firewall session table is set. By default, the aging time of each protocol is as follows:
l DNS: 120 seconds
l FTP: 120 seconds
l FTP-data: 120 seconds
l HTTP: 120 seconds
l ICMP: 20 seconds
l TCP: 600 seconds
l TCP-proxy: 10 seconds
l UDP: 40 seconds
l SIP: 1800 seconds
l SIP-media: 120 seconds
l RTSP: 60 seconds
l RTSP-media: 120 seconds
NOTE

In general, you do not need to change the aging time of a session table.

----End

3.9.3 Checking the Configuration


After the aging time of the firewall session table is set, you can view the aging time.

Procedure
l Run the display firewall-nat session aging-time command to view the aging time of the firewall session table.

----End

Example
Run the display firewall-nat session aging-time command to view the aging time of the firewall session table.
<Huawei> display firewall-nat session aging-time
---------------------------------------------
tcp protocol timeout        : 60 (s)
tcp-proxy timeout           : 60 (s)
udp protocol timeout        : 40 (s)
icmp protocol timeout       : 20 (s)
dns protocol timeout        : 120 (s)
http protocol timeout       : 120 (s)
ftp protocol timeout        : 120 (s)
ftp-data protocol timeout   : 120 (s)
rtsp protocol timeout       : 60 (s)
rtsp-media protocol timeout : 120 (s)
sip protocol timeout        : 1800 (s)
sip-media protocol timeout  : 120 (s)
---------------------------------------------

3.10 Configuring the Attack Defense Function


The AR200-S attack defense function prevents attacks to the CPU. It ensures that the server operates normally even when it is attacked.

3.10.1 Establishing the Configuration Task


Before configuring the attack defense function, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
On the AR200-S, you can enable the attack defense function for the protected area. The protected area may be zones or IP addresses.

Pre-configuration Tasks
Before configuring the attack defense function, complete the following tasks:
l Configuring zones and adding interfaces to the zones
l Configuring the interzone and enabling the firewall function in the interzone

Data Preparation
To configure the attack defense function, you need the following data.

No.  Data
1    Attack type, a specified type or all types
3    Status of the TCP proxy that prevents SYN Flood attacks, including always enabled, always disabled, or auto enabled (automatically enabled when the session rate exceeds the threshold)
4    Timeout of blacklist and maximum session rate to prevent scanning attacks (IP address sweeping and port scanning)
5    Maximum packet length to prevent a large ICMP packet attack

3.10.2 Enabling the Attack Defense Function


Context
Steps 2-19 are optional and can be performed in any sequence. You can select these steps to defend against different types of attacks.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
firewall defend all enable

All the attack defense functions are enabled.
Step 3 Run:
firewall defend fraggle enable

The Fraggle attack defense is enabled.
Step 4 Run:
firewall defend icmp-flood enable

The ICMP Flood attack defense is enabled. After the parameters for ICMP Flood attack defense are set, you must enable the ICMP Flood attack defense function; otherwise, the AR200-S does not detect the attack packets or take attack defense measures.
Step 5 Run:
firewall defend icmp-redirect enable

The ICMP Redirect attack defense is enabled.
Step 6 Run:
firewall defend icmp-unreachable enable

The ICMP Unreachable attack defense is enabled.
Step 7 Run:
firewall defend ip-fragment enable

The IP-Fragment attack defense is enabled.
Step 8 Run:
firewall defend ip-sweep enable

The IP address sweeping attack defense is enabled. After the parameters for IP address sweeping attack defense are set, you must enable the IP address sweeping attack defense function; otherwise, the AR200-S does not detect the attack packets or take attack defense measures.
Step 9 Run:
firewall defend land enable

The Land attack defense is enabled.
Step 10 Run:
firewall defend large-icmp enable

The large ICMP packet attack defense is enabled. After the maximum length of ICMP packets is set, you must enable the large ICMP packet attack defense function; otherwise, the AR200-S does not detect the attack packets or take attack defense measures.
Step 11 Run:
firewall defend ping-of-death enable

The Ping of Death attack defense is enabled.
Step 12 Run:
firewall defend port-scan enable

The port scanning attack defense is enabled. After the parameters for port scanning attack defense are set, you must enable the port scanning attack defense function; otherwise, the AR200-S does not detect the attack packets or take attack defense measures.
Step 13 Run:
firewall defend smurf enable

The Smurf attack defense is enabled.
Step 14 Run:
firewall defend syn-flood enable

The SYN Flood attack defense is enabled. After the parameters for SYN Flood attack defense are set, you must enable the SYN Flood attack defense function; otherwise, the AR200-S does not detect the attack packets or take attack defense measures.
Step 15 Run:
firewall defend tcp-flag enable

The TCP flag attack defense is enabled.
Step 16 Run:
firewall defend teardrop enable

The Teardrop attack defense is enabled.
Step 17 Run:
firewall defend tracert enable

The Tracert attack defense is enabled.
Step 18 Run:
firewall defend udp-flood enable

The UDP Flood attack defense is enabled. After the parameters for UDP Flood attack defense are set, you must enable the UDP Flood attack defense function; otherwise, the AR200-S does not detect the attack packets or take attack defense measures.
Step 19 Run:
firewall defend winnuke enable

The WinNuke attack defense is enabled.

By default, no attack defense function is enabled.
----End

3.10.3 Setting the Parameters for Flood Attack Defense


Context
Steps 2-4 are optional and can be performed in any sequence. You can select these steps to defend against different types of Flood attacks.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
firewall defend icmp-flood { ip ip-address [ vpn-instance vpn-instance-name ] | zone zone-name } [ max-rate rate-value ]

The parameters for ICMP Flood attack defense are set.
Step 3 Run:
firewall defend syn-flood { ip ip-address [ vpn-instance vpn-instance-name ] | zone zone-name } [ max-rate rate-value ] | [ tcp-proxy { auto | off | on } ]

The parameters for SYN Flood attack defense are set.
Step 4 Run:
firewall defend udp-flood { ip ip-address [ vpn-instance vpn-instance-name ] | zone zone-name } [ max-rate rate-value ]

The parameters for UDP Flood attack defense are set.

To prevent Flood attacks, you need to specify the zones or IP addresses to be protected; otherwise, the attack defense parameters are invalid. You can also specify the maximum session rate. When the session rate exceeds the limit, the AR200-S considers that an attack occurs and takes measures.

For Flood attack defense, the priority of IP addresses is higher than the priority of zones. If Flood attack defense is enabled for both a specified IP address and the zone where the IP address resides, then the attack defense for the IP address takes effect. If you cancel the attack defense for the IP address, the attack defense for the zone takes effect.

By default, the maximum session rate for Flood attacks is 1000 pps, and the TCP proxy is enabled for the SYN Flood attack defense. For Flood attack defense, you can specify up to 32 IP addresses to protect.
----End

3.10.4 Configuring Large ICMP Packet Attack Defense



Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
firewall defend large-icmp max-length length

The parameter for large ICMP packet attack defense is set. For large ICMP packet attack defense, only one parameter needs to be set, namely, the maximum packet length. When the length of an ICMP packet exceeds the limit, the AR200-S considers that an attack occurs and discards the packet. By default, the maximum length of an ICMP packet is 4000 bytes.
----End

3.10.5 Setting Parameters for Scanning Attack Defense


Context
Step 2 and step 3 are optional and can be performed in any sequence. You can select these steps to defend against different types of scanning attacks.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
firewall defend ip-sweep { blacklist-expire-time interval | max-rate rate-value }

The parameters for IP address sweep attack defense are set.
Step 3 Run:
firewall defend port-scan { blacklist-expire-time interval | max-rate rate-value }

The parameters for port scanning attack defense are set.

For scanning attack defense, the following two parameters need to be set:
l Maximum session rate: When the session rate of an IP address or a port exceeds the limit, the AR200-S considers that a scanning attack occurs, and then adds the IP address to the blacklist and denies new sessions from the IP address or port.
l Blacklist timeout: When the duration of an IP address in the blacklist exceeds the limit, the AR200-S deletes the IP address from the blacklist and allows new sessions from the IP address or port.

By default, the maximum session rate for IP address sweeping and port scanning attack defense is 4000 pps, and the blacklist timeout is 20 minutes.
----End
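A simulation of how the two scanning-defense parameters interact with the blacklist (3.5) and whitelist (3.6), added here as an example that is not Huawei code: per-source session rate above max-rate creates a dynamic blacklist entry with the configured timeout, whitelisted hosts are exempt, and entries only deny traffic once the blacklist function is enabled. The "Scan" reason label and the TEST-NET addresses are constructed for the example.

```python
"""Simulation of AR200-S scanning attack defense (section 3.10.5) with the
blacklist (3.5) and whitelist (3.6). Added example, not Huawei code: it
models the documented behaviour, not the device. The reason label "Scan"
for dynamic entries and the addresses used are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DEFAULT_MAX_RATE = 4000        # pps, documented default for ip-sweep/port-scan
DEFAULT_EXPIRE_MIN = 20        # minutes, documented default blacklist timeout
MAX_ENTRIES = 32               # documented size of each list

Key = Tuple[str, str]          # (ip-address, vpn-instance name or "")


@dataclass
class ScanDefense:
    max_rate: int = DEFAULT_MAX_RATE
    blacklist_expire_min: int = DEFAULT_EXPIRE_MIN
    defend_enabled: bool = False     # firewall defend ip-sweep / port-scan enable
    blacklist_enabled: bool = False  # firewall blacklist enable
    # key -> expiry time in seconds (None = permanent entry)
    whitelist: Dict[Key, Optional[float]] = field(default_factory=dict)
    # key -> (reason shown by display firewall blacklist, expiry or None)
    blacklist: Dict[Key, Tuple[str, Optional[float]]] = field(default_factory=dict)
    # key -> (second bucket, new sessions counted in that second)
    _rate: Dict[Key, Tuple[int, int]] = field(default_factory=dict)

    def whitelist_add(self, ip: str, vpn: str = "",
                      expire_min: Optional[int] = None, now: float = 0.0) -> None:
        """firewall whitelist ip-address [ vpn-instance ] [ expire-time ]."""
        if (ip, vpn) not in self.whitelist and len(self.whitelist) >= MAX_ENTRIES:
            raise ValueError("whitelist full (32 entries)")
        self.whitelist[(ip, vpn)] = None if expire_min is None else now + expire_min * 60

    def blacklist_add(self, ip: str, vpn: str = "", expire_min: Optional[int] = None,
                      now: float = 0.0, reason: str = "Manual") -> None:
        """firewall blacklist ip-address [ vpn-instance ] [ expire-time ].
        Entries may be added while the blacklist function is disabled; they
        only deny traffic once blacklist_enabled is True."""
        if (ip, vpn) not in self.blacklist and len(self.blacklist) >= MAX_ENTRIES:
            raise ValueError("blacklist full (32 entries)")
        self.blacklist[(ip, vpn)] = (reason, None if expire_min is None else now + expire_min * 60)

    def _expire(self, now: float) -> None:
        """Release entries whose aging time has elapsed."""
        for key, exp in list(self.whitelist.items()):
            if exp is not None and exp <= now:
                del self.whitelist[key]
        for key, (_, exp) in list(self.blacklist.items()):
            if exp is not None and exp <= now:
                del self.blacklist[key]

    def new_session(self, src_ip: str, now: float, vpn: str = "") -> bool:
        """Handle one new session from src_ip at time `now` (seconds).
        Returns True when the session is allowed."""
        self._expire(now)
        key = (src_ip, vpn)
        if self.blacklist_enabled and key in self.blacklist:
            return False                      # effective blacklist entry
        if not self.defend_enabled or key in self.whitelist:
            return True                       # whitelisted hosts are not rate-checked
        second = int(now)
        sec, count = self._rate.get(key, (second, 0))
        count = count + 1 if sec == second else 1
        self._rate[key] = (second, count)
        if count > self.max_rate:
            # Treated as a scanning attack: dynamic entry with the configured
            # timeout. It denies traffic only if the blacklist function is on.
            if key in self.blacklist or len(self.blacklist) < MAX_ENTRIES:
                self.blacklist[key] = ("Scan", now + self.blacklist_expire_min * 60)
            return not self.blacklist_enabled
        return True

    def display_blacklist(self, now: float) -> List[Tuple[str, str, str, str]]:
        """Rows in the order of `display firewall blacklist all`:
        IP-Address, Reason, Expire-Time(m) or Permanent, VPN-Instance."""
        self._expire(now)
        rows = []
        for (ip, vpn), (reason, exp) in self.blacklist.items():
            remaining = "Permanent" if exp is None else str(int(round((exp - now) / 60)))
            rows.append((ip, reason, remaining, vpn))
        return rows


if __name__ == "__main__":
    fw = ScanDefense(max_rate=5, defend_enabled=True, blacklist_enabled=True)
    verdicts = [fw.new_session("203.0.113.5", 0.0) for _ in range(6)]
    print("verdicts:", verdicts)            # five allowed, sixth denied
    print("blacklist:", fw.display_blacklist(0.0))
```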

3.10.6 Checking the Configuration


After the attack defense is configured, you can view information about attack defense.

Procedure
l Run the display firewall defend { flag | { icmp-flood | syn-flood | udp-flood } [ ip [ ip-address [ vpn-instance vpn-instance-name ] ] | zone [ zone-name ] ] | other-attack-type } command to view information about attack defense.

----End

Example
Run the display firewall defend { flag | { icmp-flood | syn-flood | udp-flood } [ ip [ ip-address [ vpn-instance vpn-instance-name ] ] | zone [ zone-name ] ] | other-attack-type } command to view information about attack defense.

# View the status of each attack defense function.

<Huawei> display firewall defend flag
--------------------------------
Type                Flag
--------------------------------
land              : disable
smurf             : disable
fraggle           : disable
winnuke           : disable
syn-flood         : disable
udp-flood         : disable
icmp-flood        : disable
icmp-redirect     : disable
icmp-unreachable  : disable
ip-sweep          : disable
port-scan         : disable
tracert           : disable
ping-of-death     : disable
teardrop          : disable
tcp-flag          : disable
ip-fragment       : disable
large-icmp        : disable
--------------------------------

# View the configuration of IP address sweep attack defense.

<Huawei> display firewall defend ip-sweep
defend-flag           : disable
max-rate              : 4000 (pps)
blacklist-expire-time : 20 (m)

3.11 Configuring Traffic Statistics and Monitoring


The AR200-S supports traffic statistics and monitoring at the system level, zone level, and IP address level.


3.11.1 Establishing the Configuration Task


Before configuring traffic statistics and monitoring, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
System-level traffic statistics and monitoring take effect on all the data flows in interzones that are enabled with the firewall feature. That is, the AR200-S collects statistics on packets of ICMP, TCP, TCP proxy, and UDP sessions in the interzones. When the number of sessions exceeds the threshold, the AR200-S restricts the sessions until the number of sessions is less than the threshold.

The zone-based traffic statistics and monitoring take effect on the data flows between zones. That is, the AR200-S counts the total number of TCP and UDP sessions between the local zone and other zones. When the number of sessions exceeds the threshold, the AR200-S restricts the sessions until the number of sessions is less than the threshold. The zone-based traffic statistics and monitoring can be configured in the inbound or outbound direction. The inbound direction means that the AR200-S counts and monitors the sessions initiated by the local zone. The outbound direction means that the AR200-S counts and monitors the sessions destined for this zone.

The IP address-based traffic statistics and monitoring count and monitor the TCP and UDP sessions set up by an IP address in the zone. When the number of sessions set up by an IP address exceeds the threshold, the AR200-S restricts the sessions until the number of sessions is less than the threshold. The IP address-based traffic statistics and monitoring can be configured in the inbound or outbound direction. The inbound direction means that the AR200-S counts and monitors the sessions initiated by the IP address in the local zone. The outbound direction means that the AR200-S counts and monitors the sessions destined for this IP address.

Pre-configuration Tasks
Before configuring traffic statistics and monitoring, complete the following tasks:
l Configuring zones and adding interfaces to the zones
l Configuring the interzone and enabling the firewall function in the interzone

Data Preparation
To configure traffic statistics and monitoring, you need the following data.

No.  Data
1    Type of sessions to be monitored, including TCP and UDP
2    Session threshold
3    Direction of traffic statistics and monitoring


3.11.2 Enabling Traffic Statistics and Monitoring


You can enable traffic statistics and monitoring at the system level, zone level, or IP address level as needed.

Procedure
- Enabling system-level traffic statistics and monitoring
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     firewall statistics system enable
     The system-level traffic statistics and monitoring is enabled. By default, the system-level traffic statistics and monitoring is disabled.
- Enabling zone-level traffic statistics and monitoring
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     firewall zone zone-name
     The zone view is displayed.
  3. Run:
     statistics zone enable { inzone | outzone }
     The zone-level traffic statistics and monitoring is enabled. By default, the zone-level traffic statistics and monitoring is disabled.
- Enabling IP address-level traffic statistics and monitoring
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     firewall zone zone-name
     The zone view is displayed.
  3. Run:
     statistics ip enable { inzone | outzone }
     The IP address-level traffic statistics and monitoring is enabled. By default, the IP address-level traffic statistics and monitoring is disabled.
----End

3.11.3 Setting the Session Thresholds


You can set the session thresholds for the system-level, zone-level, or IP address-level traffic statistics and monitoring as needed.
Procedure
- Setting the session thresholds for system-level traffic statistics and monitoring
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     firewall statistics system enable
     The system-level traffic statistics and monitoring is enabled. By default, the system-level traffic statistics and monitoring is disabled.
  3. Run:
     firewall statistics system connect-number { frag | icmp | tcp | tcp-proxy | udp } high high-threshold low low-threshold
     The session thresholds for the system-level traffic statistics and monitoring are set. For the system-level traffic statistics, you can set the thresholds for each type of session. For example, you can set the upper threshold for TCP sessions to 15000 and the lower threshold to 12000. When the number of TCP sessions in all interzones exceeds 15000, the AR200-S denies all new TCP sessions in the interzones and reports an alarm to the information center. When the number of TCP sessions falls below the lower threshold of 12000, the AR200-S generates a recovery log and sends it to the information center. By default, the upper threshold and lower threshold for each type of protocol packet are 16384 and 12288.
- Setting the session thresholds for zone-level traffic statistics and monitoring
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     firewall zone zone-name
     The zone view is displayed.
  3. Run:
     statistics zone enable { inzone | outzone }
     The zone-level traffic statistics and monitoring is enabled. By default, the zone-level traffic statistics and monitoring is disabled.
  4. Run:
     statistics connect-number zone { inzone | outzone } { icmp | tcp | udp } high high-threshold low low-threshold
     The session thresholds for the zone-level traffic statistics and monitoring are set. You can set the thresholds for TCP and UDP sessions in the inbound and outbound directions. For example, you can set the threshold for inbound TCP sessions to 15000. When the number of TCP sessions initiated by this zone exceeds 15000, the AR200-S denies new TCP sessions from this zone. By default, the upper threshold and lower threshold for each type of protocol packet are 16384 and 12288.
- Setting the session thresholds for IP address-level traffic statistics and monitoring
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     firewall zone zone-name
     The zone view is displayed.
  3. Run:
     statistics ip enable { inzone | outzone }
     The IP address-level traffic statistics and monitoring is enabled. By default, the IP address-level traffic statistics and monitoring is disabled.
  4. Run:
     statistics connect-number ip { inzone | outzone } { icmp | tcp | udp } high high-threshold low low-threshold
     The session thresholds for the IP address-level traffic statistics and monitoring are set. You can set the thresholds for TCP and UDP sessions in the inbound and outbound directions. For example, you can set the threshold for inbound TCP sessions to 10000. When the number of TCP sessions initiated from an IP address in the local zone exceeds 10000, the AR200-S denies new TCP sessions from this IP address. By default, the upper threshold and lower threshold for each type of protocol packet are 16384 and 12288.
----End
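The high/low threshold behaviour described in the steps above (new sessions denied and an alarm raised once the count exceeds the upper threshold, recovery only once it falls below the lower one) modelled in Python. This is an added illustration, not AR200-S code; the defaults 16384/12288 and the 15000/12000 TCP example are from the text, while the class, method and event names are hypothetical.

```python
"""Model of the session-threshold monitoring described above.

Once the session count of a protocol exceeds the high threshold, new sessions
are denied and an alarm is logged; the restriction is lifted (with a recovery
log) only after the count falls below the low threshold.  Added illustration,
not AR200-S code; class, method and event names are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DEFAULT_HIGH = 16384   # default upper threshold from the guide
DEFAULT_LOW = 12288    # default lower threshold from the guide


@dataclass
class ProtocolMonitor:
    """Threshold state for one session type (frag, icmp, tcp, tcp-proxy, udp)."""
    high: int = DEFAULT_HIGH
    low: int = DEFAULT_LOW
    restricted: bool = False                       # True while new sessions are denied
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 0 < self.low < self.high:
            raise ValueError("need 0 < low < high, otherwise the hysteresis is lost")

    def observe(self, count: int) -> Optional[str]:
        """Feed the current session count; return the event logged, if any."""
        if not self.restricted and count > self.high:
            self.restricted = True                 # deny new sessions and alarm
            self.events.append("alarm")
            return "alarm"
        if self.restricted and count < self.low:
            self.restricted = False                # back to normal, recovery log
            self.events.append("recovery")
            return "recovery"
        return None                                # between thresholds: state unchanged

    def admit_new_session(self) -> bool:
        return not self.restricted


class SystemStatistics:
    """System-level monitoring: one ProtocolMonitor per session type."""
    SESSION_TYPES = ("frag", "icmp", "tcp", "tcp-proxy", "udp")

    def __init__(self) -> None:
        self.enabled = False                       # 'firewall statistics system enable'
        self.monitors: Dict[str, ProtocolMonitor] = {
            t: ProtocolMonitor() for t in self.SESSION_TYPES}

    def connect_number(self, session_type: str, high: int, low: int) -> None:
        """Counterpart of 'firewall statistics system connect-number <type> high H low L'."""
        if session_type not in self.monitors:
            raise ValueError(f"unknown session type: {session_type}")
        self.monitors[session_type] = ProtocolMonitor(high=high, low=low)

    def observe(self, session_type: str, count: int) -> Optional[str]:
        if not self.enabled:
            return None                            # nothing is counted or restricted
        return self.monitors[session_type].observe(count)

    def admit(self, session_type: str) -> bool:
        return not self.enabled or self.monitors[session_type].admit_new_session()


def run_tcp_scenario(counts: List[int]) -> List[Tuple[int, bool, Optional[str]]]:
    """Apply the 15000/12000 TCP example from the text to a series of counts.

    Returns one (count, new sessions admitted?, event) tuple per sample.
    """
    stats = SystemStatistics()
    stats.enabled = True
    stats.connect_number("tcp", high=15000, low=12000)
    timeline = []
    for count in counts:
        event = stats.observe("tcp", count)
        timeline.append((count, stats.admit("tcp"), event))
    return timeline


if __name__ == "__main__":
    # Constructed sample: the count climbs past 15000, then drifts back down.
    for count, admitted, event in run_tcp_scenario(
            [14000, 15000, 15001, 13000, 12000, 11999]):
        print(f"{count:>6} sessions  new sessions admitted={admitted!s:<5} event={event}")
```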

3.11.4 Checking the Configuration


After the traffic statistics and monitoring are configured, you can view information about traffic statistics and monitoring.

Procedure
- Run the display firewall statistics system command to view information about the system-level traffic statistics and monitoring.
- Run the system-view command to enter the system view, and then run the display firewall statistics zone zone-name { inzone | outzone } all command to view information about the zone-level traffic statistics and monitoring.
- Run the display firewall statistics zone-ip zone-name command to view information about the IP address-level traffic statistics and monitoring.

----End

3.12 Configuring the Log Function


The firewall logs include session logs, statistics logs, attack defense logs, and blacklist logs.

3.12.1 Establishing the Configuration Task


Before configuring the log function, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
The logs record the behaviors and status of the firewall to help you find security risks, analyze attempts to violate security policies, and detect network attacks.

Pre-configuration Tasks
Before configuring the logs, complete the following tasks:
- Configuring zones and adding interfaces to the zones
- Configuring the interzone and enabling the firewall function in the interzone
- Creating a basic ACL or an advanced ACL and configuring ACL rules

Data Preparation
To configure the log function, you need the following data.
No.  Data
1    Type of the log
2    IP address and port number of the session log host, and the source IP address and source port number that the AR200-S uses to communicate with the session log host
3    Conditions for recording session logs, including the ACL number and the direction
4    (Optional) Interval for exporting the attack defense logs or statistics logs

3.12.2 Enabling the Log Function on the Firewall


Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall log { all | blacklist | defend | session | statistics } enable
The log function is enabled on the firewall. The log function can be enabled according to log types or enabled for all types of logs by using the all parameter.
By default, the log function is disabled on a firewall.
Step 3 Run:
firewall log session nat enable
The NAT session log is enabled. Before running the firewall log session nat enable command, you must run the firewall log session enable command. By default, the NAT session log is disabled.
----End

3.12.3 Setting the Log Parameters


The log parameters include the session log host, conditions for recording session logs, and interval for exporting logs.

Context
The session logs are exported to a log host in real time; therefore, you need to configure the log host first. To configure the log host, you need to configure the IP address and port number of the log host and the IP address and port number that the AR200-S uses to communicate with the log host. An ACL is referenced in the interzone view to determine the sessions to be recorded in the logs. The ACLs can be configured for incoming and outgoing traffic.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall log binary-log host host-ip-address host-port source source-ip-address source-port [ vpn-instance vpn-instance-name ]
The session log host is configured. By default, no session log host is configured.
Step 3 (Optional) Run:
firewall log { blacklist | defend | session | statistics } log-interval time
The interval for exporting logs is set. By default, logs are exported every 30 seconds.
Step 4 Run:
firewall interzone zone-name1 zone-name2
The interzone view is displayed.
Step 5 Run:
session-log acl-number { inbound | outbound }
The conditions for recording session logs are configured.


By default, no condition is configured in an interzone for recording session logs.
----End

3.12.4 Checking the Configuration


After the log function is configured on the firewall, you can view information about the logs.

Procedure
- Run the display firewall log configuration command to view information about the logs on the firewall.

----End

Example
Run the display firewall log configuration command to view information about the logs on the firewall.
<Huawei> display firewall log configuration
 defend log :
   status        : enabled
   log-interval  : 30 s
 statistics log :
   status        : enabled
   log-interval  : 30 s
 blacklist log :
   status        : enabled
   log-interval  : 30 s
 session log :
   status        : enabled
   log-interval  : 30 s
   nat-session   : disabled
 binary-log host :
   host            source          VPN instance-name
   ----:-----      -----:--        ---

3.13 Maintaining the Firewall


3.13.1 Displaying the Firewall Configuration
Procedure
- Run the display firewall zone [ zone-name ] | [ interface | priority ] command to view the configurations of all zones or the specified zone.
- Run the display firewall interzone [ zone-name1 zone-name2 ] command to view the configurations of the interzone.
- Run the display firewall blacklist configuration command to view the status of the blacklist function.
- Run the display firewall blacklist { all | ip-address [ vpn-instance vpn-instance-name ] | dynamic | static | vpn-instance vpn-instance-name } command to view the blacklist entries.
- Run the display firewall whitelist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name } command to view the whitelist entries.
- Run the display firewall statistics system command to view the system-level traffic statistics.
- Run the display firewall statistics zone zone-name { inzone | outzone } all command to view the zone-level traffic statistics and traffic monitoring information.
- Run the display firewall statistics zone-ip zone-name command to view the status of the traffic monitoring function and the session thresholds for each protocol.
- Run the display firewall-nat session aging-time command to view the timeout of entries in the session table.
- Run the display port-mapping [ dns | ftp | http | rtsp | sip | port port-number ] command to view the mappings between application-layer protocols and ports.
- Run the display firewall defend { flag | { icmp-flood | syn-flood | udp-flood } [ ip [ ip-address [ vpn-instance vpn-instance-name ] ] | zone [ zone-name ] ] | other-attack-type } command to view the status and configuration of the attack defense functions.
- Run the display firewall log configuration command to view the global configuration of the log function.
- Run the display firewall session command to view the session table of the firewall.

----End

3.13.2 Clearing the Firewall Statistics


Context
To view the communication packets of a device within a specified period, you can clear the previous packet statistics on the device first. Step 2 and step 3 are optional and can be performed in any sequence. You can select these steps to clear different types of packet statistics.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
clear firewall statistics system normal
The communication packet statistics are cleared.
Step 3 Run:
clear firewall statistics zone zone-name
The communication packet statistics in the zone are cleared.
----End


3.14 Configuration Examples


This section provides several configuration examples of the firewall.

3.14.1 Example for Configuring the ACL-based Packet Filtering Firewall


This example shows the configuration of the ACL-based packet filtering firewall on a network. The firewall improves data flow security by filtering packets based on source/destination IP addresses, source/destination port numbers, and IP protocol numbers.

Networking Requirements
As shown in Figure 3-2, Ethernet0/0/0 of the Router is connected to a highly secure internal network, and Ethernet0/0/8 is connected to the insecure external network. The Router must filter the packets between the internal network and the external network. The following requirements must be met:
- A host (202.39.2.3) on the external network is allowed to access the servers in the internal network.
- Other hosts are not allowed to access the servers on the internal network.

Figure 3-2 Network diagram for configuring ACL-based packet filtering (internal network with FTP server 129.38.1.2, Telnet server 129.38.1.3 and Web server 129.38.1.4 behind Eth0/0/0 of the Router; external host 202.39.2.3 reached through Eth0/0/8)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure zones and an interzone.
2. Add interfaces to the zones.
3. Configure an ACL.
4. Configure ACL-based packet filtering in the interzone.

Procedure
Step 1 Configure zones and an interzone on the Router.
<Huawei> system-view
[Huawei] firewall zone trust
[Huawei-zone-trust] priority 15
[Huawei-zone-trust] quit
[Huawei] firewall zone untrust
[Huawei-zone-untrust] priority 1
[Huawei-zone-untrust] quit
[Huawei] firewall interzone trust untrust
[Huawei-interzone-trust-untrust] firewall enable
[Huawei-interzone-trust-untrust] quit

Step 2 Add Router interfaces to zones.
[Huawei] vlan 100
[Huawei-vlan100] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] ip address 129.38.1.1 24
[Huawei-Vlanif100] quit
[Huawei] interface Ethernet 0/0/0
[Huawei-Ethernet0/0/0] port link-type access
[Huawei-Ethernet0/0/0] port default vlan 100
[Huawei-Ethernet0/0/0] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] zone trust
[Huawei-Vlanif100] quit
[Huawei] interface Ethernet 0/0/8
[Huawei-Ethernet0/0/8] ip address 202.39.2.1 24
[Huawei-Ethernet0/0/8] zone untrust
[Huawei-Ethernet0/0/8] quit

Step 3 Configure the ACL on the Router.
[Huawei] acl 3102
[Huawei-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.2 0.0.0.0
[Huawei-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.3 0.0.0.0
[Huawei-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.4 0.0.0.0
[Huawei-acl-adv-3102] rule deny ip
[Huawei-acl-adv-3102] quit

Step 4 Configure packet filtering on the Router.
[Huawei] firewall interzone trust untrust
[Huawei-interzone-trust-untrust] packet-filter 3102 inbound
[Huawei-interzone-trust-untrust] quit

Step 5 Verify the configuration.
After the configuration, only the specified host (202.39.2.3) can access the servers on the internal network. Run the display firewall interzone [ zone-name1 zone-name2 ] command on the Router, and the result is as follows:
[Huawei] display firewall interzone trust untrust
 interzone trust untrust
  firewall enable
  packet-filter default deny inbound
  packet-filter default permit outbound
  packet-filter 3102 inbound

----End
Configuration Files
#
vlan 100
#
acl number 3102
 rule 5 permit tcp source 202.39.2.3 0 destination 129.38.1.2 0
 rule 10 permit tcp source 202.39.2.3 0 destination 129.38.1.3 0
 rule 15 permit tcp source 202.39.2.3 0 destination 129.38.1.4 0
 rule 20 deny ip
#
interface Vlanif100
 ip address 129.38.1.1 255.255.255.0
 zone trust
#
firewall zone trust
 priority 15
#
firewall zone untrust
 priority 1
#
firewall interzone trust untrust
 firewall enable
 packet-filter 3102 inbound
#
interface Ethernet0/0/0
 port link-type access
 port default vlan 100
#
interface Ethernet0/0/8
 ip address 202.39.2.1 255.255.255.0
 zone untrust
#
return
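The packet-filtering decision of this example modelled in Python: the rules of acl number 3102 are parsed from the configuration file above, matched against a packet's protocol and addresses with Huawei wildcard-mask semantics (a wildcard of 0 means an exact host match, set bits are "don't care"), and the interzone default (deny inbound) applies when no rule matches. This is an added illustration, not AR200-S code; the function names and the packet representation are hypothetical, and the rules and addresses are the ones used in the example.

```python
"""Model of the ACL-based packet filtering configured in this example.

Added illustration, not AR200-S code.  Function names and the packet
representation are hypothetical; the ACL text is a copy of the one in the
configuration file above.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copy of 'acl number 3102' from the configuration file above.
ACL_3102 = """\
acl number 3102
 rule 5 permit tcp source 202.39.2.3 0 destination 129.38.1.2 0
 rule 10 permit tcp source 202.39.2.3 0 destination 129.38.1.3 0
 rule 15 permit tcp source 202.39.2.3 0 destination 129.38.1.4 0
 rule 20 deny ip
"""

Match = Optional[Tuple[int, int]]   # (address, wildcard) or None = any address


@dataclass
class Rule:
    number: int
    action: str          # "permit" or "deny"
    protocol: str        # "ip" (any), "tcp", "udp", "icmp"
    src: Match
    dst: Match


def _parse_match(tokens: List[str], key: str) -> Match:
    """Return (address, wildcard) following 'source' or 'destination', if present.

    A bare '0' wildcard, as written in the configuration file, is shorthand
    for 0.0.0.0, i.e. every bit of the address must match.
    """
    if key not in tokens:
        return None
    i = tokens.index(key)
    addr = int(ipaddress.IPv4Address(tokens[i + 1]))
    wc_tok = tokens[i + 2]
    wildcard = 0 if wc_tok == "0" else int(ipaddress.IPv4Address(wc_tok))
    return addr, wildcard


def parse_acl(text: str) -> List[Rule]:
    """Parse 'rule N permit|deny PROTO [source A W] [destination A W]' lines."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "rule":
            continue                               # 'acl number ...' and blank lines
        rules.append(Rule(number=int(tokens[1]), action=tokens[2],
                          protocol=tokens[3],
                          src=_parse_match(tokens, "source"),
                          dst=_parse_match(tokens, "destination")))
    return sorted(rules, key=lambda r: r.number)   # lower rule number is checked first


def _addr_matches(match: Match, addr: int) -> bool:
    if match is None:
        return True
    rule_addr, wildcard = match
    # Wildcard bits set to 1 are ignored; the remaining bits must be equal.
    return ((addr ^ rule_addr) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(rules: List[Rule], proto: str, src_ip: str, dst_ip: str,
             default: str) -> str:
    """First matching rule wins; otherwise the interzone default action applies."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for r in rules:
        if r.protocol != "ip" and r.protocol != proto:
            continue
        if _addr_matches(r.src, s) and _addr_matches(r.dst, d):
            return r.action
    return default


def filter_inbound(proto: str, src_ip: str, dst_ip: str) -> str:
    """Inbound (untrust -> trust) decision: 'packet-filter 3102 inbound' with the
    interzone default 'packet-filter default deny inbound'."""
    return evaluate(parse_acl(ACL_3102), proto, src_ip, dst_ip, default="deny")


if __name__ == "__main__":
    # Constructed sample packets from the external network towards the servers.
    for pkt in [("tcp", "202.39.2.3", "129.38.1.2"),   # allowed host -> FTP server
                ("tcp", "202.39.2.4", "129.38.1.2"),   # any other host
                ("udp", "202.39.2.3", "129.38.1.3")]:  # allowed host but not TCP
        print(pkt, "->", filter_inbound(*pkt))
```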

3.14.2 Example for Configuring ASPF and Port Mapping


This example shows how to configure ASPF and port mapping on a network. The Router can detect the packets of the specified application-layer protocols and discard the undesired packets.

Networking Requirements
As shown in Figure 3-3, Ethernet0/0/0 of the Router is connected to a highly secure internal network, and Ethernet0/0/8 is connected to the insecure external network. The Router must filter the packets and perform ASPF check between the internal network and the external network. The following requirements must be met:
- A host (202.39.2.3) on the external network is allowed to access the servers in the internal network.
- Other hosts are not allowed to access the servers on the internal network.
- The Router checks the FTP status of the connections and filters the undesired packets.
- The packets from the external host are sent to the FTP servers through port 2121, which is used as the port of the FTP protocol.

Figure 3-3 Network diagram for configuring ASPF and port mapping (internal network with FTP server 129.38.1.2, Telnet server 129.38.1.3 and Web server 129.38.1.4 behind Eth0/0/0 of the Router; external host 202.39.2.3 reached through Eth0/0/8)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure zones and an interzone.
2. Add interfaces to the zones.
3. Configure an ACL.
4. Configure ACL-based packet filtering in the interzone.
5. Configure ASPF in the interzone.
6. Map port 2121 to the FTP protocol.

Procedure
Step 1 Configure zones and an interzone on the Router.
<Huawei> system-view
[Huawei] firewall zone trust
[Huawei-zone-trust] priority 15
[Huawei-zone-trust] quit
[Huawei] firewall zone untrust
[Huawei-zone-untrust] priority 1
[Huawei-zone-untrust] quit
[Huawei] firewall interzone trust untrust
[Huawei-interzone-trust-untrust] firewall enable
[Huawei-interzone-trust-untrust] quit

Step 2 Add the interfaces of the Router to zones.
[Huawei] vlan 100
[Huawei-vlan100] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] ip address 129.38.1.1 24
[Huawei-Vlanif100] quit
[Huawei] interface Ethernet 0/0/0
[Huawei-Ethernet0/0/0] port link-type access
[Huawei-Ethernet0/0/0] port default vlan 100
[Huawei-Ethernet0/0/0] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] zone trust
[Huawei-Vlanif100] quit
[Huawei] interface Ethernet 0/0/8
[Huawei-Ethernet0/0/8] ip address 202.39.2.1 24
[Huawei-Ethernet0/0/8] zone untrust
[Huawei-Ethernet0/0/8] quit

Step 3 Configure the ACL on the Router.
[Huawei] acl 2102
[Huawei-acl-basic-2102] rule permit source 129.38.1.2 0.0.0.0
[Huawei-acl-basic-2102] quit
[Huawei] acl 3102
[Huawei-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.2 0.0.0.0
[Huawei-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.3 0.0.0.0
[Huawei-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.4 0.0.0.0
[Huawei-acl-adv-3102] rule deny ip
[Huawei-acl-adv-3102] quit

Step 4 Configure packet filtering on the Router.
[Huawei] firewall interzone trust untrust
[Huawei-interzone-trust-untrust] packet-filter 3102 inbound
[Huawei-interzone-trust-untrust] quit

Step 5 Configure ASPF on the Router.
[Huawei] firewall interzone trust untrust
[Huawei-interzone-trust-untrust] detect aspf ftp
[Huawei-interzone-trust-untrust] quit

Step 6 Configure port mapping on the Router.
[Huawei] port-mapping ftp port 2121 acl 2102

Step 7 Verify the configuration.
Run the display firewall interzone zone-name1 zone-name2 command on the Router, and the result is as follows:
[Huawei] display firewall interzone trust untrust
 interzone trust untrust
  firewall enable
  packet-filter default deny inbound
  packet-filter default permit outbound
  packet-filter 3102 inbound
  detect aspf ftp

Run the display port-mapping ftp command on the Router, and the result is as follows:
[Huawei] display port-mapping ftp
------------------------------------------------
Service      Port     Acl      Type
------------------------------------------------
ftp          21                system defined
ftp          2121     2102     user defined
------------------------------------------------
Total number is : 2

----End

Configuration Files
#
vlan 100
#
acl number 2102
 rule 5 permit source 129.38.1.2 0
#
acl number 3102
 rule 5 permit tcp source 202.39.2.3 0 destination 129.38.1.2 0
 rule 10 permit tcp source 202.39.2.3 0 destination 129.38.1.3 0
 rule 15 permit tcp source 202.39.2.3 0 destination 129.38.1.4 0
 rule 20 deny ip
#
port-mapping ftp port 2121 acl 2102
#
interface Vlanif100
 ip address 129.38.1.1 255.255.255.0
 zone trust
#
firewall zone trust
 priority 15
#
firewall zone untrust
 priority 1
#
firewall interzone trust untrust
 firewall enable
 packet-filter 3102 inbound
 detect aspf ftp
#
interface Ethernet0/0/0
 port link-type access
 port default vlan 100
#
interface Ethernet0/0/8
 ip address 202.39.2.1 255.255.255.0
 zone untrust
#
return

3.14.3 Example for Configuring the Blacklist


This example shows the blacklist configuration on a network. By using a blacklist, the Router can prevent attacks initiated from certain IP addresses.

Networking Requirements
As shown in Figure 3-4, Ethernet0/0/0 of the Router is connected to a highly secure internal network, and Ethernet0/0/8 is connected to the insecure external network. The Router needs to apply IP address sweeping defense and blacklist policies to the packets sent from the Internet to the enterprise intranet. If the Router detects that an IP address attacks the enterprise intranet by using IP address sweeping, it adds the IP address to the blacklist. The maximum session rate is 5000 pps, and the blacklist timeout is 30 minutes. If an IP address, for example, 202.39.1.2, attempts to attack the enterprise intranet multiple times, you can add the IP address to the blacklist manually. An IP address added manually always remains in the blacklist.

Figure 3-4 Network diagram for configuring the blacklist (server on the enterprise network behind Eth0/0/0 of the Router; external network reached through Eth0/0/8)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure zones and an interzone.
2. Add interfaces to the zones.
3. Enable the blacklist function.
4. Add an entry to the blacklist.
5. Enable the defense against IP address sweeping or port scanning.
6. Configure the maximum session rate and blacklist timeout for the defense against IP address sweeping or port scanning.

Procedure
Step 1 Configure zones and an interzone on the Router.
[Huawei] firewall zone trust
[Huawei-zone-trust] priority 15
[Huawei-zone-trust] quit
[Huawei] firewall zone untrust
[Huawei-zone-untrust] priority 1
[Huawei-zone-untrust] quit
[Huawei] firewall interzone trust untrust
[Huawei-interzone-trust-untrust] firewall enable
[Huawei-interzone-trust-untrust] quit

Step 2 Add Router interfaces to zones.
[Huawei] vlan 100
[Huawei-vlan100] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] ip address 129.38.1.1 24
[Huawei-Vlanif100] quit
[Huawei] interface Ethernet 0/0/0
[Huawei-Ethernet0/0/0] port link-type access
[Huawei-Ethernet0/0/0] port default vlan 100
[Huawei-Ethernet0/0/0] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] zone trust
[Huawei-Vlanif100] quit
[Huawei] interface Ethernet0/0/8
[Huawei-Ethernet0/0/8] ip address 202.39.2.1 24
[Huawei-Ethernet0/0/8] zone untrust
[Huawei-Ethernet0/0/8] quit

Step 3 Enable the blacklist function.


[Huawei] firewall blacklist enable

Step 4 Add an entry to the blacklist.


[Huawei] firewall blacklist 202.39.1.2

Step 5 Enable the defense against IP address sweeping and port scanning.
[Huawei] firewall defend ip-sweep enable
[Huawei] firewall defend port-scan enable

Step 6 Configure the maximum session rate and blacklist timeout for the defense against IP address sweeping or port scanning.
[Huawei] firewall defend ip-sweep max-rate 5000
[Huawei] firewall defend ip-sweep blacklist-expire-time 30
[Huawei] firewall defend port-scan max-rate 5000
[Huawei] firewall defend port-scan blacklist-expire-time 30

Step 7 Verify the configuration.
Run the display firewall interzone [ zone-name1 zone-name2 ] command on the Router, and the result is as follows:
[Huawei] display firewall interzone trust untrust
 interzone trust untrust
  firewall enable
  packet-filter default deny inbound
  packet-filter default permit outbound

Run the display firewall blacklist all command on the Router, and the result is as follows:
[Huawei] display firewall blacklist all
Firewall Blacklist Items :
-----------------------------------------------------------------------
IP-Address          Reason      Expire-Time(m)    VPN-Instance
-----------------------------------------------------------------------
202.39.1.2          Manual      Permanent
-----------------------------------------------------------------------
total number is : 1

Run the display firewall defend command on the Router, and the result is as follows:
[Huawei] display firewall defend port-scan
 defend-flag : enable
 max-rate : 5000 (pps)
 blacklist-expire-time : 30 (m)
[Huawei] display firewall defend ip-sweep
 defend-flag : enable
 max-rate : 5000 (pps)
 blacklist-expire-time : 30 (m)

----End

Configuration Files
#
 firewall defend ip-sweep enable
 firewall defend port-scan enable
 firewall defend ip-sweep max-rate 5000
 firewall defend ip-sweep blacklist-expire-time 30
 firewall defend port-scan max-rate 5000
 firewall defend port-scan blacklist-expire-time 30
#
 firewall blacklist enable
 firewall blacklist 202.39.1.2
#
vlan 100
#
interface Vlanif100
 ip address 129.38.1.1 255.255.255.0
 zone trust
#
firewall zone trust
 priority 15
#
firewall zone untrust
 priority 1
#
firewall interzone trust untrust
 firewall enable
#
interface Ethernet0/0/0
 port link-type access
 port default vlan 100
#
interface Ethernet0/0/8
 ip address 202.39.2.1 255.255.255.0
 zone untrust
#
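The blacklist behaviour of this example modelled in Python: a manual entry (202.39.1.2) is permanent, while a source whose packet rate exceeds max-rate (5000 pps) is added dynamically and expires after blacklist-expire-time (30 minutes), as the Expire-Time(m) column of display firewall blacklist shows. This is an added illustration, not AR200-S code; it folds the ip-sweep and port-scan checks into one per-source rate check, the class and method names are hypothetical, and the traffic in simulate_burst() is constructed.

```python
"""Model of the blacklist behaviour configured in this example.

Manually added entries are permanent; a source whose packet rate exceeds
max-rate is blacklisted dynamically for blacklist-expire-time.  Added
illustration, not AR200-S code: ip-sweep and port-scan detection are folded
into one per-source rate check, and all names are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Entry:
    ip: str
    reason: str                    # "Manual" or "Dynamic", as in the display output
    expires_at: Optional[float]    # absolute time in seconds; None = Permanent


class Blacklist:
    def __init__(self, max_rate_pps: int = 5000, expire_minutes: int = 30) -> None:
        self.enabled = False                          # 'firewall blacklist enable'
        self.max_rate_pps = max_rate_pps              # 'firewall defend ... max-rate'
        self.expire_seconds = expire_minutes * 60     # '... blacklist-expire-time'
        self.entries: Dict[str, Entry] = {}
        self._window: Dict[str, List[float]] = {}     # per-source timestamps, last 1 s

    def add_manual(self, ip: str) -> None:
        """'firewall blacklist <ip>': a permanent entry."""
        self.entries[ip] = Entry(ip, "Manual", None)

    def _expire(self, now: float) -> None:
        for ip, entry in list(self.entries.items()):
            if entry.expires_at is not None and now >= entry.expires_at:
                del self.entries[ip]                  # dynamic entry timed out

    def is_blocked(self, ip: str, now: float) -> bool:
        self._expire(now)
        return self.enabled and ip in self.entries

    def observe_packet(self, ip: str, now: float) -> bool:
        """Account one packet from ip at time now (seconds).

        Returns True when the packet is dropped because its source is blacklisted.
        """
        if self.is_blocked(ip, now):
            return True
        stamps = self._window.setdefault(ip, [])
        stamps.append(now)
        while stamps and now - stamps[0] >= 1.0:      # one-second sliding window
            stamps.pop(0)
        if len(stamps) > self.max_rate_pps:           # sweep/scan rate exceeded
            self.entries[ip] = Entry(ip, "Dynamic", now + self.expire_seconds)
            del self._window[ip]
            return True
        return False

    def remaining_minutes(self, ip: str, now: float) -> Optional[str]:
        """Expire-Time(m) column of 'display firewall blacklist': None if absent,
        'Permanent' for manual entries, otherwise whole minutes left."""
        self._expire(now)
        entry = self.entries.get(ip)
        if entry is None:
            return None
        if entry.expires_at is None:
            return "Permanent"
        return str(int((entry.expires_at - now) // 60))


def simulate_burst(bl: Blacklist, ip: str, packets: int, start: float) -> int:
    """Constructed traffic: send `packets` packets from ip evenly over one second
    starting at `start`; return how many of them were dropped."""
    return sum(bl.observe_packet(ip, start + i / packets) for i in range(packets))


if __name__ == "__main__":
    bl = Blacklist(max_rate_pps=5000, expire_minutes=30)
    bl.enabled = True
    bl.add_manual("202.39.1.2")                       # the manual entry of the example
    print("manual entry:", bl.remaining_minutes("202.39.1.2", 0.0))
    dropped = simulate_burst(bl, "10.0.0.9", 6000, 0.0)   # constructed sweeping source
    print("dropped during 6000 pps burst:", dropped)
    print("minutes left at t=100 s:", bl.remaining_minutes("10.0.0.9", 100.0))
    print("still blocked after 31 min:", bl.is_blocked("10.0.0.9", 31 * 60.0))
```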

4 Traffic Suppression Configuration

About This Chapter


This section describes configuration procedures for traffic suppression and provides configuration examples.
4.1 Traffic Suppression Overview
This section describes the traffic suppression function.
4.2 Traffic Suppression Features Supported by the AR200-S
This section describes traffic suppression features supported by the AR200-S.
4.3 Configuring Traffic Suppression
This section describes how to configure traffic suppression.
4.4 Configuration Examples
This section provides traffic suppression configuration examples.

4.1 Traffic Suppression Overview


This section describes the traffic suppression function. The AR200-S forwards broadcast packets, multicast packets, and unknown unicast packets to all interfaces in the same VLAN. The preceding types of packets occupy a large number of system resources and waste bandwidth; therefore, the system forwarding capability and processing capability deteriorate. The traffic suppression function can limit the rate of the preceding types of packets to protect the AR200-S against attacks of these packets. In addition, the function ensures available bandwidth and processing capability of the AR200-S when the network traffic is heavy.

4.2 Traffic Suppression Features Supported by the AR200-S


This section describes traffic suppression features supported by the AR200-S. Traffic suppression can be configured on Ethernet interfaces of the AR200-S. You can set the rate limit in bit/s for broadcast packets, multicast packets, or unknown unicast packets on an interface.

4.3 Configuring Traffic Suppression


This section describes how to configure traffic suppression.

4.3.1 Establishing the Configuration Task


Before configuring traffic suppression, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This will help you complete the configuration task quickly and accurately.

Applicable Environment
When receiving unknown unicast packets, multicast packets, or broadcast packets, the AR200-S forwards the packets to all the interfaces except the receive interface because the AR200-S cannot determine the outbound interface according to the destination MAC address of the packets. In this case, broadcast storms may occur on the network and the forwarding performance of the AR200-S deteriorates. To prevent the AR200-S from being attacked by heavy traffic and ensure that the AR200-S can forward packets in unicast mode, configure traffic suppression on an interface to limit the rate of incoming broadcast packets, multicast packets, or unknown unicast packets.

Pre-configuration Tasks
Before configuring traffic suppression, complete the following task:
- Connecting interfaces and setting the physical parameters of interfaces so that the physical layer is in Up state
Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. 91

Issue 02 (2012-03-30)

Huawei AR200-S Series Enterprise Routers Configuration Guide - Security

4 Traffic Suppression Configuration

Data Preparation
To configure traffic suppression, you need the following data.
1. Type and number of the interface where traffic suppression needs to be configured
2. Type of the traffic to be suppressed (broadcast, multicast, or unknown unicast traffic)
3. Rate limit mode (in bit/s)
4. Rate limit value in bit/s (CIR value)

4.3.2 Configuring Traffic Suppression on an Interface


This section describes how to configure traffic suppression on an interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
interface interface-type interface-number

The interface view is displayed.
Step 3 Set the CIR value for traffic suppression.
- Run the broadcast-suppression cir cir-value command to set the CIR value for broadcast traffic.
- Run the multicast-suppression cir cir-value command to set the CIR value for multicast traffic.
- Run the unicast-suppression cir cir-value command to set the CIR value for unknown unicast traffic.
----End

4.3.3 Checking the Configuration


This section describes how to check the configuration of traffic suppression.

Prerequisites
The traffic suppression configurations are complete.


Procedure
- Run the display flow-suppression interface interface-type interface-number command to check the traffic suppression configuration.

----End

Example
Run the display flow-suppression interface interface-type interface-number command to check the traffic suppression configuration on the specified interface.
<AR200-S> display flow-suppression interface ethernet 2/0/1
 storm type        rate mode    set rate value
 -------------------------------------------------------------------------------
 unknown-unicast   pps          packets: 1260(packets per second)
 multicast         pps          packets: 2520(packets per second)
 broadcast         pps          packets: 1260(packets per second)
 -------------------------------------------------------------------------------

4.4 Configuration Examples


This section provides traffic suppression configuration examples.

4.4.1 Example for Setting the CIR Value for Traffic Suppression
This section describes how to set the CIR value for traffic suppression.

Networking Requirements
As shown in Figure 4-1, RouterA is connected to a Layer 2 network and a Layer 3 router. To limit the number of broadcast, multicast, or unknown unicast packets forwarded on the Layer 2 network, you can set the rate limit in bit/s on Ethernet 0/0/0.
NOTE

As shown in Figure 4-1, RouterA is the AR200-S and RouterB is an aggregation router. The CIR value for traffic suppression can be set only on LAN-side Ethernet interfaces of the SRU on the AR200-S.

Figure 4-1 Network diagram of setting the CIR value for traffic suppression (figure not reproduced; labels: L2 network, Ethernet 0/0/0, RouterA, RouterB, L3 network)

Configuration Roadmap
The configuration roadmap is as follows:
- Set the CIR value for traffic suppression on Ethernet 0/0/0.



Data Preparation
To complete the configuration, you need the following data:
- Name of the interface where traffic suppression needs to be configured: Ethernet 0/0/0
- CIR value for broadcast and unknown unicast packets: 100 kbit/s; CIR value for multicast packets: 200 kbit/s

Procedure
Step 1 Enter the interface view.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface ethernet 0/0/0

Step 2 Set the CIR value for broadcast packets.


[RouterA-Ethernet0/0/0] broadcast-suppression cir 100

Step 3 Set the CIR value for multicast packets.


[RouterA-Ethernet0/0/0] multicast-suppression cir 200

Step 4 Set the CIR value for unknown unicast packets.


[RouterA-Ethernet0/0/0] unicast-suppression cir 100

Step 5 Verify the configuration.
Run the display flow-suppression interface command to view the traffic suppression configuration on Ethernet 0/0/0.
[RouterA] display flow-suppression interface Ethernet 0/0/0
 storm type        rate mode    set rate value
 -------------------------------------------------------------------------------
 unknown-unicast   bps          cir: 100(kbit/s)
 multicast         bps          cir: 200(kbit/s)
 broadcast         bps          cir: 100(kbit/s)
 -------------------------------------------------------------------------------

----End

Configuration Files
#
 sysname RouterA
#
interface Ethernet 0/0/0
 unicast-suppression cir 100
 multicast-suppression cir 200
 broadcast-suppression cir 100
#
return
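The display output shown in 4.3.3 (pps mode) and in the example above (bps mode) is what an operator or monitoring job actually has to read. The following Python is an added example, not AR200-S code and not part of this guide: it parses both forms of the display flow-suppression output and compares them with a baseline policy so that an interface with suppression missing, in the wrong rate mode, or set looser than the baseline is reported. The two sample outputs are constructed copies of the two display examples in this chapter, and the policy ceilings (100 kbit/s for broadcast and unknown unicast, 200 kbit/s for multicast, taken from the example's data preparation) are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample outputs, modelled on the two display examples in this chapter.
SAMPLE_PPS = """\
<AR200-S> display flow-suppression interface ethernet 2/0/1
 storm type        rate mode    set rate value
 -------------------------------------------------------------------------------
 unknown-unicast   pps          packets: 1260(packets per second)
 multicast         pps          packets: 2520(packets per second)
 broadcast         pps          packets: 1260(packets per second)
 -------------------------------------------------------------------------------
"""

SAMPLE_BPS = """\
[RouterA] display flow-suppression interface Ethernet 0/0/0
 storm type        rate mode    set rate value
 -------------------------------------------------------------------------------
 unknown-unicast   bps          cir: 100(kbit/s)
 multicast         bps          cir: 200(kbit/s)
 broadcast         bps          cir: 100(kbit/s)
 -------------------------------------------------------------------------------
"""

# Assumed baseline: storm type -> (required rate mode, maximum allowed limit).
# Values are kbit/s for bps mode and packets per second for pps mode.
LAN_EDGE_POLICY: Dict[str, Tuple[str, int]] = {
    "broadcast": ("bps", 100),
    "multicast": ("bps", 200),
    "unknown-unicast": ("bps", 100),
}


@dataclass(frozen=True)
class Suppression:
    storm_type: str   # unknown-unicast, multicast or broadcast
    mode: str         # "pps" or "bps"
    value: int        # packets per second (pps) or kbit/s (bps)


# One table row: storm type, rate mode, then "packets: N(packets per second)" or "cir: N(kbit/s)".
ROW_RE = re.compile(
    r"^\s*(unknown-unicast|multicast|broadcast)\s+(pps|bps)\s+"
    r"(?:packets|cir):\s*(\d+)\((?:packets per second|kbit/s)\)\s*$"
)


def parse_flow_suppression(output: str) -> Dict[str, Suppression]:
    """Parse the display output for one interface into a dict keyed by storm type.
    Header, separator and prompt lines do not match ROW_RE and are skipped."""
    rows: Dict[str, Suppression] = {}
    for line in output.splitlines():
        match = ROW_RE.match(line)
        if match:
            storm, mode, value = match.group(1), match.group(2), int(match.group(3))
            rows[storm] = Suppression(storm, mode, value)
    return rows


def check_policy(rows: Dict[str, Suppression],
                 policy: Dict[str, Tuple[str, int]]) -> List[str]:
    """Return one finding per storm type whose suppression is absent, uses a different
    rate mode than the policy, or is set above the policy ceiling. Empty list = compliant."""
    findings: List[str] = []
    for storm, (mode, ceiling) in policy.items():
        row = rows.get(storm)
        if row is None:
            findings.append(f"{storm}: no suppression configured")
        elif row.mode != mode:
            findings.append(f"{storm}: rate mode {row.mode}, policy requires {mode}")
        elif row.value > ceiling:
            findings.append(f"{storm}: limit {row.value} exceeds policy ceiling {ceiling}")
    return findings


if __name__ == "__main__":
    for label, text in (("pps example", SAMPLE_PPS), ("bps example", SAMPLE_BPS)):
        result = check_policy(parse_flow_suppression(text), LAN_EDGE_POLICY)
        print(label, "->", result or "compliant")
```

Feeding the bps-mode output through the check returns no findings, while the pps-mode output produces one finding per storm type because the mode differs from the baseline; an empty output (no suppression rows at all) is reported as three missing entries rather than silently passing.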


5 NAC Configuration

About This Chapter

This chapter describes the NAC system architecture, principles, and authentication methods.

5.1 NAC Overview
Network access control (NAC) is an end-to-end access security framework and includes Web authentication, 802.1x authentication, and MAC address authentication.

5.2 NAC Features Supported by the AR200-S
The AR200-S supports multiple authentication and control methods to control user authorities and access areas.

5.3 Configuring 802.1x Authentication
You can configure 802.1x authentication on an interface to authenticate access devices connected to an interface of an access control device on a LAN.

5.4 Maintaining NAC
This section describes how to maintain NAC.

5.5 Configuration Examples
This section provides several NAC configuration examples.


5.1 NAC Overview


Network access control (NAC) is an end-to-end access security framework and includes Web authentication, 802.1x authentication, and MAC address authentication. Traditional network security technologies focus on threats from external computers but not threats from internal computers. Current network devices cannot prevent attacks initiated by devices on internal networks. NAC protects terminal security, thus providing end-to-end network security.

Figure 5-1 Typical NAC networking (figure not reproduced; entities shown: User, NAD, ACS, Remediation server, AAA server, Directory server, PVS & AUDIT server)

As shown in Figure 5-1, NAC is a control scheme for network access security, and involves the following entities:
- User: Access user who must be authenticated. If 802.1x authentication is used, users must install the client software.
- NAD: Network access device (NAD). An NAD authenticates and authorizes access users. The NAD works with an AAA server to prevent unauthorized terminals from accessing the network, minimize the threats brought by insecure terminals, prevent unauthorized access requests from authorized terminals, and protect core resources.
- ACS: Access control server (ACS). An ACS checks terminal security and manages policies, manages user behaviors and audits rule violations, and prevents malicious attacks from terminals.

5.2 NAC Features Supported by the AR200-S


The AR200-S supports multiple authentication and control methods to control user authorities and access areas. The AR200-S functions as a network access device (NAD) and supports 802.1x authentication, MAC address authentication, and Web authentication.

802.1x Authentication
The Institute of Electrical and Electronics Engineers (IEEE) 802.1x standard, 802.1x for short, is an interface-based network access control protocol. 802.1x authentication authenticates and controls access devices connected to an interface of an access control device on a LAN. User devices connected to the interface can access resources on the LAN only after being authenticated. 802.1x authentication is classified into:
- Interface-based authentication: All the other access users can use network resources and do not need to be authenticated, as long as the first user on an interface is authenticated. After the first user gets offline, other users cannot use network resources.
- MAC address-based authentication: All access users on an interface need to be authenticated.

Authentication mode
- Extensible Authentication Protocol (EAP) termination authentication: The AR200-S terminates EAP packets from users, parses user names and passwords, encrypts the passwords, and then sends them to the AAA server for authentication. EAP termination authentication includes Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). PAP is a two-way handshake authentication protocol and transmits passwords in plain text. It has low security. CHAP is a three-way handshake authentication protocol and transmits passwords in cipher text. It has higher security than PAP.
- EAP relay authentication: The AR200-S encapsulates authentication information about 802.1x users and EAP packets in the attribute fields in RADIUS packets or HWTACACS packets and sends the packets to the AAA server.

Guest VLAN
If a user that fails to be authenticated wants to access some network resources, for example, the user wants to download the 802.1x client program and update the virus library, add the user to a guest VLAN so that the user can access resources in the guest VLAN.

MAC Address Authentication


MAC address authentication controls network access permissions of a user based on the access interface and MAC address of the user. The user does not need to install any client software. The user name and password are the MAC address of the user device. After detecting the MAC address of a user for the first time, the AR200-S starts authenticating the user.

NAC Applications
LAN-side Ethernet interfaces on the AR200-S support only 802.1x authentication.

5.3 Configuring 802.1x Authentication


You can configure 802.1x authentication on an interface to authenticate access devices connected to an interface of an access control device on a LAN.

5.3.1 Establishing the Configuration Task


Before configuring 802.1x authentication, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
The 802.1x protocol is applied to the Ethernet as an access control mechanism on LAN interfaces to authenticate access users and ensure security on the Ethernet.

Pre-configuration Tasks
None.

Data Preparation
To configure 802.1x authentication, you need the following data.
1. Interface that will be enabled with 802.1x authentication
2. (Optional) Maximum number of concurrent access users on an interface
3. (Optional) Maximum number of times an authentication request can be retransmitted

5.3.2 Enabling Global 802.1x Authentication


The 802.1x authentication configurations take effect only after global 802.1x authentication is enabled.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
dot1x enable

Global 802.1x authentication is enabled. By default, global 802.1x authentication is disabled.
----End

5.3.3 Enabling 802.1x Authentication on an Interface


To perform 802.1x authentication for a user, enable 802.1x authentication on the interface connected to the user.

Context
802.1x authentication cannot be used together with MAC address authentication on the same interface. 802.1x authentication can be enabled on an interface in the system view or interface view.

Procedure
- Enabling 802.1x authentication on an interface in the system view
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  dot1x enable interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

  802.1x authentication is enabled on an interface. By default, 802.1x authentication is disabled on an interface.
- Enabling 802.1x authentication on an interface in the interface view
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  interface interface-type interface-number

  The interface view is displayed.
  3. Run:
  dot1x enable

  802.1x authentication is enabled on the interface. By default, 802.1x authentication is disabled on an interface.
----End

5.3.4 (Optional) Setting the 802.1x Authentication Mode


The AR200-S supports CHAP authentication, PAP authentication, and EAP relay authentication.

Context
PAP is a two-way handshake authentication protocol and transmits passwords in plain text. It has low security. CHAP is a three-way handshake authentication protocol and transmits passwords in cipher text. It has higher security than PAP. EAP supports multiple authentication mechanisms. The AR200-S transparently transmits EAP Request packets and Response packets to the authentication server. The AR200-S determines whether to allow user access based on the authentication result from the authentication server only.

CAUTION
If local authentication is used, EAP cannot be configured.


Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
dot1x authentication-method { chap | eap | pap }

The authentication mode is configured for 802.1x users. By default, the AR200-S uses CHAP to authenticate 802.1x users.
----End
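The Context above and the "Authentication mode" description in 5.2 both rank CHAP above PAP because of what each puts on the wire. The following Python is an added example, not Huawei code and not part of this guide: it carries out the CHAP three-way handshake with the standard RFC 1994 MD5 computation (Challenge, Response, Success/Failure) and builds the simplified RFC 1334 PAP Authenticate-Request payload, so the difference can be inspected byte for byte. The user name, password and shared secret are constructed values.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# CHAP (RFC 1994, MD5 algorithm): the authenticator sends a random Challenge, the peer
# answers with MD5(Identifier || secret || Challenge), and the authenticator recomputes
# the same value locally. The secret itself never crosses the link.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: compute the CHAP Response value for one Challenge."""
    if not 0 <= identifier <= 255:
        raise ValueError("the CHAP Identifier field is a single octet")
    if not challenge:
        raise ValueError("an empty challenge would make every response replayable")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the expected Response and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(secret: bytes, identifier: int = 1,
                  challenge: Optional[bytes] = None) -> Tuple[bytes, bytes, bool]:
    """Run the three-way handshake: Challenge -> Response -> Success/Failure.
    Returns (challenge, response, accepted). A fresh random Challenge is drawn unless
    one is supplied, for example to make a test reproducible."""
    challenge = challenge if challenge is not None else os.urandom(16)
    response = chap_response(identifier, secret, challenge)          # sent by the peer
    accepted = chap_verify(identifier, secret, challenge, response)  # decided by the authenticator
    return challenge, response, accepted


def pap_request(username: str, password: str) -> bytes:
    """PAP (RFC 1334) Authenticate-Request payload after the code/identifier/length header:
    Peer-ID-Length, Peer-ID, Passwd-Length, Password. Two-way handshake, password in the clear."""
    user, pw = username.encode(), password.encode()
    if len(user) > 255 or len(pw) > 255:
        raise ValueError("PAP length fields are one octet")
    return bytes([len(user)]) + user + bytes([len(pw)]) + pw


if __name__ == "__main__":
    secret = b"example-secret"                      # constructed, not a real credential
    chal, resp, ok = chap_exchange(secret)
    print("CHAP challenge:", chal.hex())
    print("CHAP response: ", resp.hex(), "accepted:", ok)
    print("PAP payload:   ", pap_request("alice", "example-pw"))
```

The CHAP response is a 16-byte digest that changes with every challenge, so capturing one exchange does not yield the secret or a reusable response; the PAP payload contains the password literally, which is the "plain text" the guide refers to. Note that MD5-CHAP still allows an offline guess of a weak secret from a captured challenge/response pair, which is one reason EAP relay to a RADIUS server is offered as the third option.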

5.3.5 (Optional) Setting the Access Method on an Interface


The AR200-S provides interface-based access method and MAC address-based access method.

Context
- MAC address-based access method: 802.1x users on an interface are authenticated independently.
- Interface-based access method: All the other users on an interface can use network resources after the first user is authenticated. After the first user goes offline, other users cannot use network resources.
The access method can be configured in the system view or interface view.

CAUTION
If there are online 802.1x users on an interface, you cannot change the access method of the interface.

Procedure
- Setting the access method on an interface in the system view
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  dot1x port-method { mac | port } interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

  The access method is configured on an interface. By default, an interface uses the MAC address-based access method.
- Setting the access method on an interface in the interface view
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  interface interface-type interface-number

  The interface view is displayed.
  3. Run:
  dot1x port-method { mac | port }

  The access method is configured on the interface. By default, an interface uses the MAC address-based access method.
----End

5.3.6 (Optional) Configuring the Authorization Status of an Interface


The AR200-S supports the auto, authorized-force, and unauthorized-force modes.

Context
- auto: An interface is initially in unauthorized state and sends and receives only EAPoL packets. Therefore, users cannot access network resources. After a user is authenticated on the interface, the interface enters the authorized state and allows users to access network resources.
- authorized-force: An interface is always in authorized state and allows users to access network resources without authentication.
- unauthorized-force: An interface is always in unauthorized state and does not allow users to access network resources.
The authorization status of an interface can be configured in the system view or interface view.

Procedure
- Setting the authorization status of an interface in the system view
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  dot1x port-control { auto | authorized-force | unauthorized-force } interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

  The authorization status of an interface is configured. By default, the authorization status of an interface is auto.
- Setting the authorization status of an interface in the interface view
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  interface interface-type interface-number

  The interface view is displayed.
  3. Run:
  dot1x port-control { auto | authorized-force | unauthorized-force }

  The authorization status of the interface is configured. By default, the authorization status of an interface is auto.
----End

5.3.7 (Optional) Setting the Maximum Number of Concurrent Access Users on an Interface
After the maximum number of concurrent access users is set on an interface, if the number of access users on the interface reaches the maximum, the AR200-S does not authenticate subsequent access users and these users cannot access networks.

Context
The AR200-S allows a maximum of 128 concurrent access users.
NOTE

If the number of current online users on an interface has exceeded the maximum number that you set, online users are not affected but new access users cannot access networks.

You can set the maximum number of concurrent access users in the system view or interface view.

Procedure
- Setting the maximum number of concurrent access users in the system view
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  dot1x max-user user-number interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

  The maximum number of concurrent access users is set on an interface. By default, each interface allows a maximum number of 128 concurrent access users.
- Setting the maximum number of concurrent access users in the interface view
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  interface interface-type interface-number

  The interface view is displayed.
  3. Run:
  dot1x max-user user-number

  The maximum number of concurrent access users is set on the interface. By default, each interface allows a maximum number of 128 concurrent access users.
----End
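Sections 5.3.5 to 5.3.7 describe three settings that together decide whether a station on an interface may use the network: the access method (port-method), the authorization status (port-control) and the concurrent-user limit (max-user). The following Python is an added example, not AR200-S code and not part of this guide; it models those decisions for one interface so their interaction (for example, the first user in interface-based mode opening the port for everyone, or lowering max-user without disconnecting online users) can be exercised. The lower bound of 1 for max-user and the MAC address strings are assumptions; the 128 ceiling and the defaults come from the chapter.

```python
from dataclasses import dataclass, field
from typing import Set

PORT_CONTROL = ("auto", "authorized-force", "unauthorized-force")   # dot1x port-control values
PORT_METHOD = ("mac", "port")                                        # dot1x port-method values
MAX_USER_LIMIT = 128                                                 # chapter: at most 128 per interface


@dataclass
class Dot1xPort:
    """Access decision model for one 802.1x-enabled interface (added example, not device code).
    Defaults mirror the chapter: port-control auto, port-method mac, max-user 128."""
    name: str
    port_control: str = "auto"
    port_method: str = "mac"
    max_user: int = MAX_USER_LIMIT
    online: Set[str] = field(default_factory=set)   # MACs that passed authentication

    def __post_init__(self) -> None:
        if self.port_control not in PORT_CONTROL:
            raise ValueError(f"port-control must be one of {PORT_CONTROL}")
        if self.port_method not in PORT_METHOD:
            raise ValueError(f"port-method must be one of {PORT_METHOD}")
        self._check_max_user(self.max_user)

    @staticmethod
    def _check_max_user(n: int) -> None:
        # The lower bound of 1 is an assumption; the chapter only states the 128 ceiling.
        if not 1 <= n <= MAX_USER_LIMIT:
            raise ValueError(f"max-user must be between 1 and {MAX_USER_LIMIT}")

    def allows(self, mac: str) -> bool:
        """Can frames from `mac` reach network resources through this interface right now?"""
        if self.port_control == "authorized-force":
            return True                      # always authorized, nobody is authenticated
        if self.port_control == "unauthorized-force":
            return False                     # always unauthorized, only EAPoL would pass
        if self.port_method == "port":
            return bool(self.online)         # first authenticated user opens the port for all
        return mac in self.online            # mac mode: every station authenticated on its own

    def admit(self, mac: str, credentials_ok: bool) -> str:
        """Process an authentication attempt from `mac`; returns the outcome as text."""
        if self.port_control != "auto":
            return f"not authenticated: port-control is {self.port_control}"
        if mac in self.online:
            return "already online"
        if self.port_method == "port" and self.online:
            return "not authenticated: interface already authorized by the first user"
        if len(self.online) >= self.max_user:
            return "rejected: max-user reached, request not authenticated"
        if not credentials_ok:
            return "rejected: authentication failed"
        self.online.add(mac)
        return "authorized"

    def logoff(self, mac: str) -> None:
        """User goes offline; in interface-based mode this re-locks the port for everyone."""
        self.online.discard(mac)

    def set_max_user(self, n: int) -> None:
        """dot1x max-user: lowering the limit below the current count leaves online users
        untouched; only new users are refused (the NOTE in 5.3.7)."""
        self._check_max_user(n)
        self.max_user = n


if __name__ == "__main__":
    port = Dot1xPort("Ethernet0/0/1", port_method="port")
    print(port.admit("00e0-fc00-0001", credentials_ok=True))   # constructed MAC
    print("second station allowed without auth:", port.allows("00e0-fc00-0002"))
    port.logoff("00e0-fc00-0001")
    print("after first user logs off:", port.allows("00e0-fc00-0002"))
```

From a security point of view the model makes the trade-off in 5.3.5 explicit: interface-based mode is convenient for a hub or unmanaged switch behind the port, but any station behind it rides on the first user's authentication, whereas MAC address-based mode keeps every station individually accountable.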

5.3.8 (Optional) Enabling 802.1x Authentication Triggered by DHCP Messages


After 802.1x authentication triggered by DHCP messages is enabled, the AR200-S authenticates users when they send DHCP messages to apply for IP addresses.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
dot1x dhcp-trigger

802.1x authentication triggered by DHCP messages is enabled. By default, 802.1x authentication triggered by DHCP messages is disabled.
----End

5.3.9 (Optional) Setting Values of Timers Used in 802.1x Authentication


On the AR200-S, you can set the client authentication timeout timers, handshake interval between the AR200-S and the 802.1x client, quiet timer value, re-authentication interval, and interval for sending authentication requests.

Context
Before setting the value of a timer used in 802.1x authentication, ensure that the timer function is enabled. It is recommended that you retain default settings of the timers.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
dot1x timer { client-timeout client-timeout-value | handshake-period handshake-period-value | quiet-period quiet-period-value | reauthenticate-period reauthenticate-period-value | server-timeout server-timeout-value | tx-period tx-period-value }

The values of timers used in 802.1x authentication are set. The timers are described as follows:
- client-timeout: specifies the value of the timeout timer of a client. The default value is 30s.
- handshake-period: specifies the handshake interval between the AR200-S and the 802.1x client. The default value is 60s.
- quiet-period: specifies the value of the quiet timer. The default value is 60s.
- reauthenticate-period: specifies the re-authentication interval. The default value is 3600s.
- server-timeout: specifies the value of the timeout timer of the authentication server. The default value is 30s.
- tx-period: specifies the interval for sending authentication requests. The default value is 30s.
The dot1x timer command only sets the values of the timers, and you need to enable the corresponding timers by running commands or adopting the default settings.
----End

5.3.10 (Optional) Configuring the Quiet Timer Function


If the quiet timer function is enabled and a user fails to be authenticated, the AR200-S does not process authentication requests from that user for the duration of the quiet period. This prevents a user from repeatedly triggering authentication on the system.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
dot1x quiet-period

The quiet timer function is enabled. By default, the quiet timer function is disabled.
Step 3 (Optional) Run:
dot1x timer quiet-period quiet-period-value

The value of the quiet timer is set. After the quiet timer function is enabled, the default value of the quiet timer is 60s.
Step 4 (Optional) Run:
dot1x quiet-times fail-times

The number of authentication failures within 60 seconds before an 802.1x user enters the quiet state is set. By default, an 802.1x user enters the quiet state after three authentication failures within 60 seconds.
----End

5.3.11 (Optional) Configuring 802.1x Re-authentication


The AR200-S re-authenticates users who have been authenticated after a period of time to ensure validity of users.

Context
802.1x re-authentication can be enabled in the system view or interface view.

Procedure
- Enabling 802.1x re-authentication in the system view
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  dot1x reauthenticate interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

  802.1x re-authentication is enabled on an interface. By default, 802.1x re-authentication is disabled on an interface.
  3. (Optional) Run:
  dot1x timer reauthenticate-period reauthenticate-period-value

  The re-authentication interval is set. After 802.1x re-authentication is enabled on an interface, the default re-authentication interval is 3600s.
- Enabling 802.1x re-authentication in the interface view
  1. Run:
  system-view

  The system view is displayed.
  2. (Optional) Run:
  dot1x timer reauthenticate-period reauthenticate-period-value

  The re-authentication interval is set. After 802.1x re-authentication is enabled on an interface, the default re-authentication interval is 3600s.
  3. Run:
  interface interface-type interface-number

  The interface view is displayed.
  4. (Optional) Run:
  dot1x reauthenticate

  Re-authentication is enabled on the interface. By default, 802.1x re-authentication is disabled on an interface.
----End


5.3.12 (Optional) Configuring a Guest VLAN for 802.1x Authentication


Context
When the guest VLAN is enabled, the AR200-S broadcasts authentication request packets to all the interfaces enabled with 802.1x authentication. If an interface does not return a response when the maximum number of re-authentication times is reached, the AR200-S adds the interface to the guest VLAN. Users in the guest VLAN can access resources in the guest VLAN without authentication but must be authenticated when they access external resources.
NOTE

The configured guest VLAN cannot be the default VLAN of the interface. A super VLAN cannot be configured as a guest VLAN. If an interface is configured with the guest VLAN, the interface cannot be added to the guest VLAN and the VLAN configured as the guest VLAN cannot be deleted. Users in the guest VLAN can communicate with each other.

You can configure a guest VLAN in the system view and in the interface view.

Procedure
- Configuring a guest VLAN in the system view
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  dot1x guest-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

  A guest VLAN is configured on an interface. By default, no guest VLAN is configured on an interface.
- Configuring a guest VLAN in the interface view
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  interface interface-type interface-number

  The interface view is displayed.
  3. Run:
  dot1x guest-vlan vlan-id

  A guest VLAN is configured on the interface. By default, no guest VLAN is configured on an interface.
----End

5.3.13 (Optional) Configuring a Restrict VLAN for 802.1x Authentication


If a user that fails to be authenticated wants to access some network resources, for example, download the 802.1x client program and update the virus library, add the user to a restrict VLAN so that the user can access resources in the restrict VLAN.

Context
If a user fails to be authenticated after the restrict VLAN function is enabled, the AR200-S adds the access interface of the user to the restrict VLAN. Users in the restrict VLAN can access resources in the restrict VLAN without authentication but must be authenticated when they access external resources.
NOTE

The configured restrict VLAN cannot be the default VLAN of the interface. A super VLAN cannot be configured as a restrict VLAN. If an interface is configured with the restrict VLAN, the interface cannot be added to the restrict VLAN and the VLAN configured as the restrict VLAN cannot be deleted. Users in the VLAN that is the same as the restrict VLAN can communicate with users in the restrict VLAN.

A restrict VLAN can be configured in the system view and in the interface view.

Procedure
- Configuring a restrict VLAN in the system view
  1. Run:
  system-view

  The system view is displayed.
  2. (Optional) Run:
  dot1x restrict-vlan fail-times fail-times

  The maximum number of authentication failures is set. By default, the maximum number of authentication failures is 3.
  3. Run:
  dot1x restrict-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

  A restrict VLAN is configured on an interface. By default, no restrict VLAN is configured on an interface.
- Configuring a restrict VLAN in the interface view
  1. Run:
  system-view

  The system view is displayed.
  2. (Optional) Run:
  dot1x restrict-vlan fail-times fail-times

  The maximum number of authentication failures is set. By default, the maximum number of authentication failures is 3.
  3. Run:
  interface interface-type interface-number

  The interface view is displayed.
  4. Run:
  dot1x restrict-vlan vlan-id

  A restrict VLAN is configured on the interface. By default, no restrict VLAN is configured on an interface.
----End

5.3.14 (Optional) Enabling the Handshake Function


After the handshake function is enabled, the AR200-S sends handshake packets periodically to detect whether users are online.

Context
If a client does not support the handshake function, the AR200-S will not receive handshake response packets within the handshake interval and considers that the user is offline. Therefore, if the client does not support the handshake function, disable the handshake function on the AR200-S.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
dot1x handshake

The AR200-S is enabled to send handshake packets to online users. By default, the AR200-S sends handshake packets to online users.
Step 3 (Optional) Run:
dot1x timer handshake-period handshake-period-value

The handshake interval between the AR200-S and the 802.1x client is set. By default, the handshake interval between the AR200-S and the 802.1x client is 60s.
----End

5.3.15 (Optional) Setting the Maximum Number of Times the AR200-S Sends Authentication Requests
Users may not respond to authentication requests if packets are discarded because of an unstable network. To solve the problem, set the maximum number of times authentication requests are sent.

Context
If the AR200-S does not receive a response after sending an authentication request to a user, it retransmits the authentication request to the user. If the AR200-S still fails to receive the response when the maximum number of times for sending authentication requests is reached, it does not send the authentication request to the user any more.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
dot1x retry max-retry-value

The maximum number of times the AR200-S sends authentication requests is set. By default, the AR200-S retransmits an authentication request to an access user twice.
----End
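Two of the optional settings in this section bound how much work a single misbehaving or unreachable station can cause the device: the quiet timer in 5.3.10 (a user who fails authentication fail-times times within 60 seconds is ignored for quiet-period seconds) and the retry limit above (an unanswered request is retransmitted at most max-retry-value times). The following Python is an added example, not AR200-S code and not part of this guide; it models both behaviours with the chapter's defaults (3 failures, 60 s window, 60 s quiet period, 2 retransmissions, 30 s tx-period). Treating the retransmissions as spaced by tx-period, and the quiet-period function as disabled by default, are modelling assumptions stated in the code.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List


class QuietPeriodGuard:
    """Models dot1x quiet-period, dot1x quiet-times and dot1x timer quiet-period
    (added example, not device code). Defaults follow the chapter: after 3 failed
    authentications within 60 s, the user's requests are ignored for 60 s."""

    def __init__(self, fail_times: int = 3, quiet_period: int = 60,
                 window: int = 60, enabled: bool = False) -> None:
        self.fail_times = fail_times
        self.quiet_period = quiet_period
        self.window = window            # the 60 s failure-counting window from 5.3.10
        self.enabled = enabled          # off by default, as for dot1x quiet-period on the device
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._quiet_until: Dict[str, float] = {}

    def accepts_request(self, user: str, now: float) -> bool:
        """True if an authentication request from `user` would be processed at time `now`."""
        until = self._quiet_until.get(user)
        if until is None:
            return True
        if now < until:
            return False                # still in the quiet state: request is dropped
        del self._quiet_until[user]     # quiet period over, start counting afresh
        self._failures[user].clear()
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed authentication at `now`.
        Returns True if this failure moves the user into the quiet state."""
        if not self.enabled:
            return False
        recent = self._failures[user]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.fail_times:
            self._quiet_until[user] = now + self.quiet_period
            recent.clear()
            return True
        return False


def request_schedule(start: float, tx_period: int = 30, max_retry: int = 2) -> List[float]:
    """Times at which the device sends an authentication request to a user that never
    answers: the initial request plus `max_retry` retransmissions (dot1x retry, default 2)
    spaced tx-period apart (default 30 s), after which the device stops trying. Spacing the
    retransmissions by tx-period is a modelling assumption, not a statement in the guide."""
    if max_retry < 0 or tx_period <= 0:
        raise ValueError("retry count must be >= 0 and tx-period must be positive")
    return [start + i * tx_period for i in range(max_retry + 1)]


if __name__ == "__main__":
    guard = QuietPeriodGuard(enabled=True)
    for t in (0.0, 10.0, 20.0):                          # constructed failure timestamps
        print(f"failure at t={t:>4}: quiet state entered ->", guard.record_failure("user-a", t))
    print("request at t=50 accepted:", guard.accepts_request("user-a", 50.0))
    print("request at t=80 accepted:", guard.accepts_request("user-a", 80.0))
    print("requests sent to a silent user:", request_schedule(0.0))
```

With the defaults, a station that fails three times in quick succession is silenced for a minute, while three failures spread over more than sixty seconds never trip the guard; and a station that never answers costs the device exactly three requests before it gives up. Both limits are what keep a flood of bad credentials or of unanswered requests from tying up the authenticator.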

5.3.16 Checking the Configuration


Procedure
- Run the display dot1x [ statistics ] [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] or display dot1x global command to check the 802.1x authentication configuration.
- Run the display mac-address authen [ vlan vlan-id ] command to check MAC address entries of the authen type.

----End

5.4 Maintaining NAC


This section describes how to maintain NAC.

5.4.1 Clearing the Statistics on 802.1x Authentication


Before collecting 802.1x authentication statistics, run the reset command to clear the existing statistics.

Context

CAUTION
Statistics cannot be restored after being cleared. Exercise caution when you run the following command.


Run the following command in the user view to clear 802.1x authentication statistics.

Procedure
- Run the reset dot1x statistics [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to clear 802.1x authentication statistics.

----End

5.4.2 Clearing the Statistics on MAC Address Authentication


Before collecting statistics on MAC address authentication, run the reset command to clear the existing statistics.

Context

CAUTION
Statistics cannot be restored after being cleared. Exercise caution when you run the following command.

Run the following command in the user view to clear the statistics on MAC address authentication.

Procedure
- Run the reset mac-authen statistics [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to clear the statistics on MAC address authentication.

----End

5.5 Configuration Examples


This section provides several NAC configuration examples.

5.5.1 Example for Configuring 802.1x Authentication


After 802.1x authentication is configured, a user that is not authenticated can access limited network resources. This ensures network security.

Networking Requirements
As shown in Figure 5-2, users access the Internet using the Router. To ensure network security, users must be authenticated before accessing the Internet. Users that are authenticated can access the Internet, but users that fail to be authenticated can access only resources in VLAN 10.


Figure 5-2 Networking diagram of 802.1x authentication (diagram not reproduced: a PC and a Printer connect to the Router on Eth 0/0/0 and Eth 0/0/1; the Router connects through Eth 0/0/8, 192.168.2.10/24, to the Internet and to the RADIUS server at 192.168.2.30/24)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure AAA authentication. User names and passwords are sent to the RADIUS server for authentication.
2. Configure 802.1x authentication to authenticate users on 0/0/0.
3. Configure a guest VLAN so that users that fail to be authenticated can access resources in VLAN 10.

Data Preparation
To complete the configuration, you need the following data:
- IP address 192.168.2.30 and port number 1812 of the RADIUS authentication server
- RADIUS server key dot1x-isp and retransmission count 2
- AAA authentication scheme scheme1
- RADIUS server template temp1
- Domain isp1

NOTE
In this example, only the Router configuration is provided; the RADIUS server configuration is not covered here.

Procedure
Step 1 Configure a RADIUS server template.

# Configure a RADIUS server template temp1.
[Huawei] radius-server template temp1


# Configure the IP address and port number of the primary RADIUS authentication server.
[Huawei-radius-temp1] radius-server authentication 192.168.2.30 1812

# Configure the key and retransmission count of the RADIUS server.
[Huawei-radius-temp1] radius-server shared-key cipher dot1x-isp
[Huawei-radius-temp1] radius-server retransmit 2
[Huawei-radius-temp1] quit

Step 2 Create an authentication scheme scheme1 and set the authentication mode to RADIUS authentication.
[Huawei] aaa
[Huawei-aaa] authentication-scheme scheme1
[Huawei-aaa-scheme1] authentication-mode radius
[Huawei-aaa-scheme1] quit

Step 3 Create a domain isp1 and bind the authentication scheme and RADIUS server template to the domain.
[Huawei-aaa] domain isp1
[Huawei-aaa-domain-isp1] authentication-scheme scheme1
[Huawei-aaa-domain-isp1] radius-server temp1
[Huawei-aaa-domain-isp1] quit
[Huawei-aaa] quit

Step 4 Configure 802.1x authentication.

# Enable 802.1x authentication globally and on an interface.
[Huawei] dot1x enable
[Huawei] interface ethernet 0/0/0
[Huawei-Ethernet0/0/0] dot1x enable
[Huawei-Ethernet0/0/0] quit

# Configure a guest VLAN.
[Huawei] vlan batch 10
[Huawei] interface ethernet 0/0/0
[Huawei-Ethernet0/0/0] dot1x guest-vlan 10
[Huawei-Ethernet0/0/0] quit

Step 5 Verify the configuration.

Run the display dot1x interface command on the Router to view the 802.1x authentication configuration and statistics.
<Huawei> display dot1x interface ethernet 0/0/0
Ethernet0/0/0 status: UP
 802.1x protocol is enabled.
 Port control type is auto.
 Authentication method is MAC-based.
 Reauthentication is disabled.
 Maximum users: 128
 Current users: 1
 Port PVID : 1
 Port configured PVID : 1
 Guest VLAN : 10
 Restrict VLAN : 0
 Authentication success: 4
 Authentication failure: 0
 EAPOL Packets: TX : 10    RX : 0
 Sent EAPOL Request/Identity Packets     : 4
 EAPOL Request/Challenge Packets         : 4
 Multicast Trigger Packets               : 0
 EAPOL Success Packets                   : 4
 EAPOL Failure Packets                   : 0
 Received EAPOL Start Packets            : 4
 EAPOL LogOff Packets                    : 3
 EAPOL Response/Identity Packets         : 4
 EAPOL Response/Challenge Packets        : 4

----End

Configuration Files
#
 vlan batch 10 20
#
 dot1x enable
#
radius-server template temp1
 radius-server shared-key cipher #%I/SW5&ABHRID9_LGZK@1!!
 radius-server authentication 192.168.2.30 1812
 radius-server retransmit 2
#
aaa
 authentication-scheme scheme1
  authentication-mode radius
 domain isp1
  authentication-scheme scheme1
  radius-server temp1
#
interface Ethernet0/0/0
 dot1x enable
 dot1x guest-vlan 10
#
interface Ethernet0/0/8
 ip address 192.168.2.10 255.255.255.0
#
return


6 ARP Security Configuration

About This Chapter

ARP security ensures security and robustness of network devices by filtering out untrusted ARP packets, checking the binding table of ARP packets, and defending against ARP gateway conflicts.

6.1 ARP Security Overview
This section describes the principle of ARP security.

6.2 ARP Security Supported by the AR200-S
The ARP security features supported by the AR200-S include limitation of ARP entry learning, ARP anti-spoofing, defense against ARP gateway attacks, source address-based ARP packet suppression, source address-based ARP Miss packet suppression and ARP packet rate limit.

6.3 Configuring ARP Entry Limiting
This section describes how to configure ARP Entry Limiting.

6.4 Configuring ARP Anti-attack
The ARP anti-attack function defends against attacks from bogus hosts and gateways and man-in-the-middle attacks.

6.5 Configuring ARP Suppression
If the AR200-S receives a lot of ARP attack packets, the ARP table overflows or the CPU usage is high. The AR200-S prevents ARP attacks by discarding attack packets and limiting the rate of attack packets.

6.6 Maintaining ARP Security
This section describes how to maintain ARP security.

6.7 Configuration Examples
This section provides ARP security configuration examples.


6.1 ARP Security Overview


This section describes the principle of ARP security.

ARP Attacks
ARP-oriented attacks include ARP spoofing attacks and ARP flood attacks.
- ARP spoofing attack: An attacker sends a large number of bogus ARP packets to modify ARP entries of network devices. As a result, packet forwarding is affected. Attackers initiate ARP spoofing attacks by using either of the following methods:
  - Forging user host IP addresses
  - Forging gateway addresses
- ARP flood attack: An attacker sends a large number of bogus ARP Request packets or gratuitous ARP packets. The AR200-S is busy with ARP processing for a long period and cannot process other services. The rate of ARP packets may exceed the limit and ARP entries may overflow. As a result, ARP entries of valid users cannot be buffered and packet forwarding is affected. ARP flood attacks are classified into the following types:
  - ARP Denial of Service (DoS) attacks
  - ARP buffer overflow attacks
  - ARP-based network scanning attacks

ARP Security
ARP security ensures security and robustness of network devices by filtering out untrusted ARP packets, checking the binding table of ARP packets, and defending against ARP gateway conflicts.

6.2 ARP Security Supported by the AR200-S


The ARP security features supported by the AR200-S include limitation of ARP entry learning, ARP anti-spoofing, defense against ARP gateway attacks, source address-based ARP packet suppression, source address-based ARP Miss packet suppression and ARP packet rate limit.

ARP Entry Limiting


You can configure strict ARP learning so that the AR200-S can learn only the response messages of the ARP requests sent locally. You can set the maximum number of ARP entries that can be dynamically learned by an interface. This prevents malicious use of ARP entries and ensures that the AR200-S can learn the ARP entries of authorized users.

ARP Anti-spoofing
ARP spoofing means that attackers use ARP packets sent by authorized users to construct bogus ARP packets and modify ARP entries on the gateway. As a result, the authorized users are disconnected from the network. The AR200-S can prevent ARP spoofing by using the following methods:

- Fixed MAC address: After learning an ARP entry, the AR200-S does not allow the MAC address to be modified through ARP entry learning until the entry ages. This prevents ARP entries of authorized users from being modified without permission. The fixed MAC address method has two modes: fixed-mac and fixed-all. In fixed-mac mode, MAC addresses cannot be modified, but VLANs and interfaces can be modified. In fixed-all mode, MAC addresses, VLANs, and interfaces cannot be modified.
- send-ack: The AR200-S does not modify an ARP entry immediately when it receives an ARP packet requesting a MAC address change. Instead, the AR200-S sends a unicast packet for acknowledgement to the user matching the MAC address currently held in the ARP table.
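The three entry-check modes above can be modelled as a small ARP table that decides whether an incoming packet may change an existing entry. This is an added Python example, not Huawei code; the aging time, the interface and MAC values, and the rule that an answered send-ack probe keeps the original entry are assumptions.

```python
"""Model of the fixed-mac, fixed-all and send-ack ARP anti-spoofing modes (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

AGING_TIME = 1200.0  # assumption: ARP entry aging time in seconds


@dataclass
class ArpEntry:
    mac: str
    vlan: int
    interface: str
    learned_at: float


@dataclass
class ArpPacket:
    sender_ip: str
    sender_mac: str
    vlan: int          # VLAN the packet arrived in
    interface: str     # interface the packet arrived on


class ArpTable:
    """ARP table whose update policy follows the configured entry-check mode."""

    MODES = ("none", "fixed-mac", "fixed-all", "send-ack")

    def __init__(self, mode: str = "none",
                 ack_probe: Optional[Callable[[ArpEntry], bool]] = None):
        if mode not in self.MODES:
            raise ValueError(f"unknown entry-check mode {mode!r}")
        self.mode = mode
        # send-ack: callback standing in for the unicast acknowledgement sent to the
        # MAC currently in the table. True means that host answered; the assumption
        # here is that an answer keeps the original entry and silence admits the new MAC.
        self.ack_probe = ack_probe
        self.entries: Dict[str, ArpEntry] = {}
        self.rejected = 0

    def process(self, pkt: ArpPacket, now: float) -> str:
        """Apply one ARP packet; returns learned / unchanged / updated / rejected."""
        cur = self.entries.get(pkt.sender_ip)
        if cur is None or now - cur.learned_at >= AGING_TIME:
            # No entry, or the old one has aged out: learn freely
            self.entries[pkt.sender_ip] = ArpEntry(pkt.sender_mac, pkt.vlan, pkt.interface, now)
            return "learned"
        mac_change = pkt.sender_mac != cur.mac
        loc_change = (pkt.vlan, pkt.interface) != (cur.vlan, cur.interface)
        if not mac_change and not loc_change:
            return "unchanged"
        if self.mode == "fixed-mac" and mac_change:
            return self._reject()            # MAC locked; VLAN/interface may still move
        if self.mode == "fixed-all" and (mac_change or loc_change):
            return self._reject()            # MAC, VLAN and interface all locked
        if self.mode == "send-ack" and mac_change:
            if self.ack_probe is not None and self.ack_probe(cur):
                return self._reject()        # original host still answers: keep it
        # Accepted change; the aging timer restarts (modelling assumption)
        self.entries[pkt.sender_ip] = ArpEntry(pkt.sender_mac, pkt.vlan, pkt.interface, now)
        return "updated"

    def _reject(self) -> str:
        self.rejected += 1
        return "rejected"


def spoof_outcome(mode: str, original_answers: bool = True) -> str:
    """Constructed scenario: a host is learned, then another MAC claims the same IP."""
    table = ArpTable(mode, ack_probe=lambda entry: original_answers)
    table.process(ArpPacket("10.1.1.5", "0011-2233-4401", 10, "Ethernet0/0/1"), 0.0)
    return table.process(ArpPacket("10.1.1.5", "0022-4466-8802", 10, "Ethernet0/0/1"), 5.0)


if __name__ == "__main__":
    for mode in ArpTable.MODES:
        print(f"{mode:10s} -> {spoof_outcome(mode)}")
```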

Defense Against ARP Gateway Attacks


An ARP gateway attack means that an attacker sends gratuitous ARP packets with the source IP address as the bogus gateway address on a local area network (LAN). After receiving these packets, the host replaces its gateway address with the address of the attacker. As a result, none of the hosts on a LAN can access the network. When the AR200-S receives ARP packets with the bogus gateway address, the following situations can occur:
- The source IP address in the ARP packets is the same as the IP address of the interface that receives the packets.
- The source IP address in the ARP packets is the virtual IP address of the inbound interface but the source MAC address of ARP packets is not the virtual MAC address of the Virtual Router Redundancy Protocol (VRRP) group when the VRRP group is in virtual MAC address mode.

In the preceding situations, the AR200-S generates ARP anti-attack entries and discards the packets in a period (the default value is three minutes). This can prevent ARP packets with the bogus gateway address from being broadcast in a VLAN. To ensure that packets sent by hosts on the internal network are forwarded to the gateway or to prevent malicious users from intercepting these packets, the AR200-S sends gratuitous ARP packets at a specified interval to update the gateway address in ARP entries of the hosts.

Source Address-based ARP Packet Suppression


When a large number of packets are sent from a source IP address, the CPU resources of the AR200-S and the bandwidth reserved for sending ARP packets are occupied. The AR200-S can limit the rate of ARP packets with a specified source IP address. If the number of ARP packets with a specified source IP address received by the AR200-S within a specified period exceeds the threshold, the AR200-S does not process the excessive ARP request packets.

Source Address-based ARP Miss Packet Suppression


When a host sends a large number of IP packets with unreachable destination IP addresses to attack the device, the AR200-S suppresses the ARP Miss packets with the specified source IP address. If a large number of IP packets whose destination IP address cannot be resolved are sent to the AR200-S from a source IP address, ARP Miss packets are triggered. The AR200-S collects statistics on the ARP Miss packets. If a source IP address triggers ARP Miss packets continuously in a period and the triggering rate exceeds the threshold, the AR200-S considers that an attack is in progress. When the AR200-S detects such an attack, configure the rate limit for ARP Miss packets so that the CPU is protected and can continue to process other services.

Rate Limiting on ARP Packets and ARP Miss Packets


The AR200-S limits the rate of sending ARP packets globally, based on the interface, or based on the VLAN ID and the rate of sending ARP Miss packets globally. This prevents a large number of ARP packets or ARP Miss packets from being sent to the security module. System performance does not deteriorate.

6.3 Configuring ARP Entry Limiting


This section describes how to configure ARP Entry Limiting.

6.3.1 Establishing the Configuration Task


Before configuring ARP entry limiting, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
After strict ARP learning is enabled, the AR200-S learns only the ARP Reply packets corresponding to the ARP Request packets that it sends. You can configure interface-based ARP entry limiting to limit the number of ARP entries dynamically learned by the interfaces.

Pre-configuration Tasks
Before configuring ARP entry limiting, complete the following task:
- Setting link layer protocol parameters and the interface IP address so that the link layer protocol is Up

Data Preparation
To configure ARP entry limiting, you need the following data.

No.  Data
1    Type and number of the interface where ARP entry limiting will be configured


6.3.2 Enabling Strict ARP Learning


Strict ARP learning prevents attackers from sending packets with the bogus gateway address to attack the AR200-S.

Procedure
- Configuring strict ARP learning globally
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  arp learning strict

  Strict ARP learning is enabled. By default, strict ARP learning is disabled on the AR200-S.
- Configuring strict ARP learning on an interface
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  interface interface-type interface-number

  The interface view is displayed. On the AR200-S, strict ARP learning can be enabled on Layer 3 Ethernet interfaces and their sub-interfaces, Layer 3 Eth-Trunk interfaces and their sub-interfaces, and VLANIF interfaces.
  3. Run:
  arp learning strict { force-enable | force-disable | trust }

  The strict ARP entry learning function is enabled on the interface.
  force-enable: enables strict ARP entry learning on an interface.
  force-disable: disables strict ARP entry learning on an interface.
  trust: indicates that the configuration of strict ARP entry learning on an interface is the same as that configured globally.
  By default, the configuration of strict ARP entry learning on an interface is the same as that configured globally.

----End

6.3.3 Configuring Interface-based ARP Entry Limiting


If attackers occupy a large number of ARP entries, the AR200-S cannot learn ARP entries of authorized users. To prevent such attacks, set the maximum number of ARP entries that can be dynamically learned by an interface.

Procedure
- Configuring interface-based ARP entry limiting
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  interface interface-type interface-number

  The interface view is displayed.
  3. Run:
  arp-limit [ vlan vlan-id1 [ to vlan-id2 ] ] maximum maximum

  Interface-based ARP entry limiting is configured. The vlan parameter can only be specified in the Layer 2 interface view.
- Configuring sub-interface-based ARP entry limiting
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  interface interface-type interface-number.subnumber

  The sub-interface view is displayed. On the AR200-S, sub-interface-based ARP entry limiting can be enabled on Ethernet sub-interfaces and Eth-Trunk sub-interfaces.
  3. Run:
  arp-limit maximum maximum

  Sub-interface-based ARP entry limiting is configured.

----End

6.3.4 Checking the Configuration


The configurations of ARP entry limiting are complete.

Procedure
- Run the display arp learning strict command to view the configuration of strict ARP learning.
- Run the display arp-limit [ interface interface-type interface-number ] [ vlan vlan-id ] command to view the maximum number of ARP entries that can be learned on an interface or in a VLAN.

----End

Example
Run the display arp learning strict command to view the configuration of strict ARP learning.
<Huawei> display arp learning strict
The global configuration:arp learning strict
Interface                LearningStrictState
------------------------------------------------------------
Ethernet1/0/0            force-enable
Vlanif1                  force-enable
------------------------------------------------------------
Total:2        Force-enable:2        Force-disable:0

# Display the maximum number of ARP entries that can be learned on the entire device.
<Huawei> display arp-limit
interface            LimitNum    VlanID    LearnedNum(Mainboard)
---------------------------------------------------------------------------
Ethernet1/0/0        10          0         0
Ethernet0/0/0        10          10        0
---------------------------------------------------------------------------
Total:2

6.4 Configuring ARP Anti-attack


The ARP anti-attack function defends against attacks from bogus hosts and gateways and man-in-the-middle attacks.

6.4.1 Establishing the Configuration Task


Before configuring defense against ARP attacks, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
On an enterprise network, ARP entries are easily attacked; therefore, you can configure the following ARP anti-attack functions at the access layer to ensure network security:
- To prevent attackers from forging ARP packets of authorized users and modifying the ARP entries on the gateway, configure the ARP address anti-spoofing function.
- To prevent attackers from sending gratuitous ARP packets with the source IP addresses as the forged gateway address on a LAN, configure the ARP gateway anti-collision function and configure the AR200-S to send gratuitous ARP packets.
- To prevent unauthorized users from accessing external networks by sending ARP packets to the AR200-S, configure the ARP packet checking function.

Prerequisites
Before configuring defense against ARP attacks, complete the following task:
- Setting link layer protocol parameters and assigning IP addresses to interfaces to ensure that the status of the link layer protocol of the interfaces is Up

Data Preparation
To configure defense against ARP attacks, you need the following data.

No.  Data
1    Check item in ARP packets
2    (Optional) Alarm threshold for ARP packets discarded because they do not match the binding table
3    (Optional) Interval at which gratuitous ARP packets are sent

6.4.2 Configuring ARP Anti-spoofing


This section describes how to configure ARP anti-spoofing.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable

ARP anti-spoofing is enabled. You can use only one ARP anti-spoofing mode at a time. If you run the arp anti-attack entry-check command multiple times, only the latest configuration takes effect. By default, ARP anti-spoofing is disabled on the AR200-S.

----End

6.4.3 Configuring the AR200-S to Check Source MAC Address Consistency in ARP Packets
The AR200-S checks validity of ARP packets and discards invalid ARP packets to defend against ARP attacks.

Context
By default, the AR200-S checks the following items of ARP packets:
- Packet length
- Validity of source and destination MAC addresses in the Ethernet header
- VLAN tag
- Packet type (The type field value must be 1 or 2.)
- Hardware address length
- IP address length
- Whether the ARP packet is encapsulated in an Ethernet frame

By default, the AR200-S checks the source and destination MAC addresses of all ARP packets. If an ARP packet has an all-0 source or destination MAC address, the AR200-S discards the ARP packet. Generally, the Ethernet header and ARP header of an ARP packet contain the same source MAC address. If the two headers contain different source MAC addresses, the ARP packet may be an attack packet. To protect the AR200-S from ARP attacks, configure the AR200-S to check consistency of source MAC addresses in Ethernet and ARP headers of ARP packets.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
arp anti-attack packet-check sender-mac

The AR200-S is configured to check consistency of source MAC addresses in Ethernet and ARP headers of ARP packets. By default, the AR200-S does not check consistency of source MAC addresses in Ethernet and ARP headers of ARP packets.

----End
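The checks listed in this section, applied to raw frames, as an added Python example (not Huawei code): it parses an Ethernet/ARP frame, runs the default checks, and applies the sender-MAC consistency check only when enabled, as arp anti-attack packet-check sender-mac does. The sample frames, the MAC and IP values, and the treatment of VLAN ID 4095 as invalid are constructed assumptions.

```python
"""ARP frame validity checks from the Context above (added example, not Huawei code)."""
import struct
from typing import Dict, Optional

ETH_HDR_LEN = 14
VLAN_TAG_LEN = 4
ARP_LEN = 28            # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100
HTYPE_ETHERNET = 1
ZERO_MAC = b"\x00" * 6


def mac(text: str) -> bytes:
    """'0011-2233-4401' or '00:11:22:33:44:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def ip4(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def check_arp_frame(frame: bytes, sender_mac_check: bool = False) -> Optional[str]:
    """Return None if the frame passes every check, else the name of the first failed check.

    The default checks follow the list in the Context; the sender-MAC consistency
    check runs only when sender_mac_check is True (arp anti-attack packet-check sender-mac).
    """
    if len(frame) < ETH_HDR_LEN + ARP_LEN:
        return "packet length"
    eth_dst, eth_src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if eth_dst == ZERO_MAC or eth_src == ZERO_MAC:
        return "ethernet mac"                 # all-0 source or destination MAC
    offset = ETH_HDR_LEN
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < ETH_HDR_LEN + VLAN_TAG_LEN + ARP_LEN:
            return "packet length"
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        if (tci & 0x0FFF) == 0x0FFF:          # assumption: reserved VID 4095 is never valid
            return "vlan tag"
        offset += VLAN_TAG_LEN
    if ethertype != ETHERTYPE_ARP:
        return "not arp over ethernet"
    htype, _ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[offset:offset + 8])
    if htype != HTYPE_ETHERNET:
        return "not arp over ethernet"
    if hlen != 6:
        return "hardware address length"
    if plen != 4:
        return "ip address length"
    if oper not in (1, 2):                    # 1 = request, 2 = reply
        return "packet type"
    sender_mac = frame[offset + 8:offset + 14]
    if sender_mac_check and sender_mac != eth_src:
        return "sender mac mismatch"          # Ethernet header and ARP header disagree
    return None


def build_arp(eth_src: bytes, eth_dst: bytes, sha: bytes, spa: bytes, tha: bytes, tpa: bytes,
              oper: int = 1, vlan: Optional[int] = None, hlen: int = 6, plen: int = 4) -> bytes:
    """Assemble an Ethernet/ARP frame; hlen/plen are parameters so bad values can be tested."""
    header = eth_dst + eth_src
    if vlan is not None:
        header += struct.pack("!HHH", ETHERTYPE_VLAN, vlan, ETHERTYPE_ARP)
    else:
        header += struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, 0x0800, hlen, plen, oper) + sha + spa + tha + tpa
    return header + arp


# Constructed sample traffic: one host (HOST) talking to its gateway, plus malformed frames
HOST = mac("0011-2233-4401")
GATEWAY = mac("0011-2233-44ff")
OTHER = mac("0022-4466-8802")
BCAST = b"\xff" * 6
SPA, TPA = ip4("10.1.1.5"), ip4("10.1.1.1")

SAMPLE_FRAMES: Dict[str, bytes] = {
    "normal request": build_arp(HOST, BCAST, HOST, SPA, ZERO_MAC, TPA),
    "tagged reply": build_arp(HOST, GATEWAY, HOST, SPA, GATEWAY, TPA, oper=2, vlan=10),
    "sender mac differs": build_arp(OTHER, BCAST, HOST, SPA, ZERO_MAC, TPA),
    "zero source mac": build_arp(ZERO_MAC, BCAST, HOST, SPA, ZERO_MAC, TPA),
    "bad opcode": build_arp(HOST, BCAST, HOST, SPA, ZERO_MAC, TPA, oper=3),
    "bad hlen": build_arp(HOST, BCAST, HOST, SPA, ZERO_MAC, TPA, hlen=8),
    "truncated": build_arp(HOST, BCAST, HOST, SPA, ZERO_MAC, TPA)[:30],
}


def audit(frames: Dict[str, bytes], sender_mac_check: bool) -> Dict[str, Optional[str]]:
    """Run every sample frame through the checker; None means the frame would be accepted."""
    return {name: check_arp_frame(frame, sender_mac_check) for name, frame in frames.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_FRAMES, sender_mac_check=True).items():
        print(f"{name:20s} -> {verdict or 'accepted'}")
```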

6.4.4 Configuring ARP Gateway Anti-collision


If an attacker sends an ARP packet with the source IP address as the gateway address, ARP entries in a VLAN are modified incorrectly. ARP gateway anti-collision can solve this problem.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
arp anti-attack gateway-duplicate enable

ARP gateway anti-collision is enabled. After ARP gateway anti-collision is enabled, the AR200-S generates ARP anti-collision entries and discards packets with the same source MAC address in the Ethernet header for a period of time. This prevents ARP packets with a bogus gateway address from being broadcast in a VLAN.

----End

6.4.5 Configuring the AR200-S to Send Gratuitous ARP Packets


By configuring the AR200-S to send gratuitous ARP packets, the AR200-S can send user packets to the correct gateway and prevent malicious attackers from intercepting these packets.

Context
The AR200-S periodically sends ARP Request packets with the destination IP address as the gateway address to update the gateway MAC address in ARP entries on the network. By doing this, the AR200-S sends user packets to the correct gateway and prevents attackers from intercepting these packets. When the AR200-S functions as a gateway, enable gratuitous ARP packet sending globally or on an interface. If this function is enabled globally and on an interface simultaneously, the function enabled on the interface takes effect.

Procedure
- Configuring the AR200-S to send gratuitous ARP packets
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  arp gratuitous-arp send enable

  Gratuitous ARP packet sending is enabled. By default, gratuitous ARP packet sending is disabled.
  3. (Optional) Run:
  arp gratuitous-arp send interval interval-time

  The interval for sending gratuitous ARP packets is set. By default, the interval for sending gratuitous ARP packets is 90s.
- Configuring the AR200-S to send gratuitous ARP packets on an interface
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  interface vlanif vlan-id

  The VLANIF interface view is displayed.
  3. Run:
  arp gratuitous-arp send enable

  Gratuitous ARP packet sending is enabled. By default, gratuitous ARP packet sending is disabled.
  4. (Optional) Run:
  arp gratuitous-arp send interval interval-time

  The interval for sending gratuitous ARP packets is set. By default, the interval for sending gratuitous ARP packets is 90s.

----End

6.4.6 Checking the Configuration


This section describes how to check the ARP anti-attack configuration.

Procedure
- Run the display arp anti-attack configuration { arp-rate-limit | arpmiss-rate-limit | arp-speed-limit | arpmiss-speed-limit | entry-check | gateway-duplicate | log-trap-timer | all } command to check the ARP anti-attack configuration.
- Run the display arp anti-attack gateway-duplicate item command to check information about bogus gateway address attacks.

----End

Example
Run the display arp anti-attack configuration all command to view the ARP anti-attack configuration.
<Huawei> display arp anti-attack configuration all
ARP anti-attack packet-check function: enable
ARP anti-attack entry-check mode: disabled

ARP gateway-duplicate anti-attack function: disabled
ARP rate-limit configuration:
-------------------------------------------------------------------------------
Global configuration:
 arp anti-attack rate-limit enable
 arp packet drop count = 0
Interface configuration:
-------------------------------------------------------------------------------
ARP miss rate-limit configuration:
-------------------------------------------------------------------------------
Global configuration:
 arp-miss anti-attack rate-limit enable
-------------------------------------------------------------------------------
ARP speed-limit for source-MAC configuration:
MAC-address         suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
0000-0000-0001      200
Others              100
-------------------------------------------------------------------------------
1 specified MAC addresses are configured, spec is 256 items.

ARP speed-limit for source-IP configuration:
IP-address          suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
10.0.0.1            512
Others              126
-------------------------------------------------------------------------------
1 specified IP addresses are configured, spec is 128 items.

ARP miss speed-limit for source-IP configuration:
IP-address          suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
10.134.23.6         400
Others              500
-------------------------------------------------------------------------------
1 specified IP addresses are configured, spec is 128 items.


Run the display arp anti-attack gateway-duplicate item command to view information about bogus gateway address attacks.
<Huawei> display arp anti-attack gateway-duplicate item
interface        IP address       MAC address       VLANID    aging time
-------------------------------------------------------------------------------
Ethernet1/0/0    2.1.1.1          0000-0000-0002    2         150
-------------------------------------------------------------------------------
There are 1 records in gateway conflict table

6.5 Configuring ARP Suppression


If the AR200-S receives a lot of ARP attack packets, the ARP table overflows or the CPU usage is high. The AR200-S prevents ARP attacks by discarding attack packets and limiting the rate of attack packets.

6.5.1 Establishing the Configuration Task


Before configuring ARP suppression, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
On intranets, ARP entries are often used to initiate attacks; therefore, it is required to configure ARP anti-attack on the access layer to ensure network security.
- To prevent excess ARP packets from occupying the CPU and prevent excess ARP entries, configure the rate limit for ARP packets to limit the number of ARP packets sent to the SRU.
- To prevent a host from sending excess IP packets with destination IP addresses that cannot be resolved, configure the rate limit for ARP Miss packets. The AR200-S discards these IP packets.
- After IP source guard is enabled on an interface, all the ARP packets passing through the interface are forwarded to the security module for checking. If excess ARP packets are sent to the security module, performance of the security module deteriorates. To solve this problem, configure the rate limit for ARP packets so that the packets that exceed the rate limit are discarded.

Pre-configuration Tasks
Before configuring ARP suppression, complete the following task:
- Setting link layer protocol parameters and the interface IP address and enabling the link layer protocol

Data Preparation
To configure ARP suppression, you need the following data.

No.  Data
1    Rate limit for ARP packets with a specified source IP address
2    Rate limit for ARP Miss packets with a specified source IP address
3    Rate limit duration and rate limit for sending ARP packets. (Optional) Alarm threshold for the number of discarded ARP packets that exceed the rate limit.
4    Rate limit duration and rate limit for sending ARP Miss packets. (Optional) Alarm threshold for the number of discarded ARP packets that exceed the rate limit.
5    Rate limit of broadcasting ARP Request packets on the VLANIF interface of the super-VLAN

6.5.2 Configuring Source IP Address-based ARP Packet Suppression


This section describes how to configure source IP address-based ARP packet suppression.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
arp speed-limit source-ip maximum maximum

The rate limit of ARP packets is set.

Step 3 (Optional) Run:
arp speed-limit source-ip ip-address maximum maximum

The rate limit of ARP packets with a specified source IP address is set. After the preceding configurations are complete, ARP packets from the specified source IP address are limited to the value given by maximum in Step 3, and ARP packets from all other source IP addresses are limited to the value given by maximum in Step 2.

----End
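Steps 2 and 3 together define a per-source-IP limit with a default that applies to every other address. The following added Python example (not Huawei code) models that behaviour over a one-second window and reuses the "rate=0 means function disabled" convention shown in the display output of 6.4.6; the window length and the sample traffic are assumptions.

```python
"""Source IP address-based ARP packet suppression (added example, not Huawei code)."""
from collections import defaultdict
from typing import Dict, List, Tuple


class SourceIpArpLimiter:
    """Counts ARP packets per source IP in fixed windows and drops the excess.

    default_max plays the role of 'arp speed-limit source-ip maximum' (Step 2);
    set_limit() plays the role of the per-address form (Step 3).
    """

    def __init__(self, default_max: int, window: float = 1.0):
        self.default_max = default_max
        self.window = window                        # assumption: 1 s measurement window
        self.per_ip_max: Dict[str, int] = {}
        self._win_start: Dict[str, float] = {}
        self._count: Dict[str, int] = defaultdict(int)
        self.dropped: Dict[str, int] = defaultdict(int)

    def set_limit(self, ip: str, maximum: int) -> None:
        self.per_ip_max[ip] = maximum

    def limit_for(self, ip: str) -> int:
        """Specified address wins; everyone else gets the 'Others' value."""
        return self.per_ip_max.get(ip, self.default_max)

    def accept(self, src_ip: str, now: float) -> bool:
        """Return True if the ARP packet is processed, False if it is suppressed."""
        start = self._win_start.get(src_ip)
        if start is None or now - start >= self.window:
            self._win_start[src_ip] = now           # open a fresh window for this source
            self._count[src_ip] = 0
        limit = self.limit_for(src_ip)
        if limit == 0:                              # rate=0 means the function is disabled
            return True
        self._count[src_ip] += 1
        if self._count[src_ip] > limit:
            self.dropped[src_ip] += 1
            return False
        return True


def run_trace(limiter: SourceIpArpLimiter,
              trace: List[Tuple[float, str]]) -> Dict[str, Tuple[int, int]]:
    """Feed (timestamp, source_ip) events; return {ip: (accepted, dropped)}."""
    accepted: Dict[str, int] = defaultdict(int)
    for ts, ip in trace:
        if limiter.accept(ip, ts):
            accepted[ip] += 1
    return {ip: (accepted[ip], limiter.dropped[ip]) for ip in sorted({ip for _, ip in trace})}


def sample_trace() -> List[Tuple[float, str]]:
    """Constructed traffic: a permitted heavy talker and an ordinary host that bursts."""
    trace = [(i * 0.001, "10.0.0.1") for i in range(300)]           # 300 pkts in 0.3 s
    trace += [(i * 0.002, "10.0.0.9") for i in range(200)]          # 200 pkts in 0.4 s
    trace += [(1.2 + i * 0.001, "10.0.0.9") for i in range(50)]     # 50 more after 1.2 s
    return sorted(trace)


if __name__ == "__main__":
    lim = SourceIpArpLimiter(default_max=126)   # 'Others' value from the display output
    lim.set_limit("10.0.0.1", 512)              # specified address from the display output
    for ip, (ok, drop) in run_trace(lim, sample_trace()).items():
        print(f"{ip:12s} limit={lim.limit_for(ip):4d} accepted={ok:4d} dropped={drop:4d}")
```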

6.5.3 Configuring Rate Limit of ARP Packets


This section describes how to configure the rate limit for ARP packets.

Procedure
- Configuring the rate limit of ARP packets in the system view
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  arp anti-attack rate-limit enable

  Rate limiting of ARP packets is enabled. By default, rate limiting of ARP packets is disabled globally.
  3. Run:
  arp anti-attack rate-limit packet-number [ interval-value ]

  The rate limit duration and the rate limit of ARP packets are set. After they are set, ARP packets that exceed the rate limit within the rate limit duration are discarded. By default, the rate limit of ARP packets is 100 packets and the rate limit duration is 1s.
  4. (Optional) Run:
  arp anti-attack rate-limit alarm enable

  The alarm function for ARP packets discarded because the rate exceeds the limit is enabled. By default, this alarm function is disabled.
  5. (Optional) Run:
  arp anti-attack rate-limit alarm threshold threshold

  The alarm threshold for the number of ARP packets discarded because the rate exceeds the limit is set. By default, the alarm threshold is 100.
- Configuring the rate limit of ARP packets in the interface view
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  interface interface-type interface-number

  The interface view is displayed. The interface type can be Ethernet or Eth-Trunk.
  3. Run:
  arp anti-attack rate-limit enable

  Rate limiting of ARP packets is enabled on the interface. By default, rate limiting of ARP packets is disabled.
  4. Run:
  arp anti-attack rate-limit packet-number [ interval-value ]

  The rate limit duration and the rate limit of ARP packets are set. After they are set, ARP packets that exceed the rate limit within the rate limit duration are discarded. By default, the rate limit of ARP packets is 100 packets and the rate limit duration is 1s.
  5. (Optional) Run:
  arp anti-attack rate-limit alarm enable

  The alarm function for ARP packets discarded because the rate exceeds the limit is enabled. By default, this alarm function is disabled.
  6. (Optional) Run:
  arp anti-attack rate-limit alarm threshold threshold

  The alarm threshold for the number of ARP packets discarded because the rate exceeds the limit is set. By default, the alarm threshold is 100.
----End

6.5.4 Configuring Source IP Address-based ARP Miss Packet Suppression


This section describes how to configure source IP address-based ARP Miss packet suppression.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
arp-miss speed-limit source-ip maximum maximum

The rate limit of ARP Miss packets is set for all source IP addresses that have no specific limit.
Step 3 (Optional) Run:
arp-miss speed-limit source-ip ip-address maximum maximum

The rate limit of ARP Miss packets with a specified source IP address is set.
After the preceding configurations are complete, ARP Miss packets with the specified source IP address are limited to the value of maximum in Step 3, and ARP Miss packets with other source IP addresses are limited to the value of maximum in Step 2. If the rate limit of ARP Miss packets is set to 0, ARP Miss packets from that source are not suppressed. By default, the rate limit of ARP Miss packets is 5 pps.
----End

6.5.5 Configuring Rate Limiting of ARP Miss Packets


This section describes how to configure rate limiting for ARP Miss packets.

Context
If many ARP Miss packets are triggered, the system is busy broadcasting ARP Request packets and its performance deteriorates. After ARP Miss rate limiting is configured, the system counts the ARP Miss packets generated within the rate limit duration and discards the excess ones.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
arp-miss anti-attack rate-limit enable

Rate limiting of ARP Miss packets is enabled globally. By default, rate limiting of ARP Miss packets is disabled globally.
Step 3 Run:
arp-miss anti-attack rate-limit packet-number [ interval-value ]

The rate limit duration and the rate limit of ARP Miss packets are set. After they are set, ARP Miss packets that exceed the rate limit within the rate limit duration are discarded. By default, the rate limit of ARP Miss packets is 100 packets per second.
Step 4 (Optional) Run:
arp-miss anti-attack rate-limit alarm enable

The alarm function for ARP Miss packets discarded because they exceed the rate limit is enabled. By default, the alarm function is disabled.
Step 5 (Optional) Run:
arp-miss anti-attack rate-limit alarm threshold threshold

The alarm threshold for the number of ARP Miss packets discarded because they exceed the rate limit is set. By default, the alarm threshold is 100.
----End

6.5.6 Configuring Source MAC Address-based ARP Packet Suppression


This section describes how to configure source MAC address-based ARP packet suppression.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
arp speed-limit source-mac maximum maximum

The rate limit of ARP packets is set for all source MAC addresses that have no specific limit.
Step 3 (Optional) Run:
arp speed-limit source-mac mac-address maximum maximum

The rate limit of ARP packets with a specified source MAC address is set.
After the preceding configurations are complete, ARP packets with the specified source MAC address are limited to the value of maximum in Step 3, and ARP packets with other source MAC addresses are limited to the value of maximum in Step 2.
----End
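The following Python model is an added example, not Huawei documentation or device code. It reproduces the two rate-limiting mechanisms described in 6.5.2 through 6.5.6 on constructed traffic so that the effect of the parameters can be seen before they are applied to a router: per-source suppression (arp speed-limit source-ip, arp speed-limit source-mac and arp-miss speed-limit source-ip, with the "Others" default and 0 meaning disabled) and the aggregate arp anti-attack rate-limit cap of packet-number packets per interval-value seconds with its alarm threshold on discards. Two details are modeling assumptions rather than documented behaviour: per-source suppression is applied before the aggregate cap, and the alarm fires once per interval when the discard count reaches the threshold. The addresses and packet counts in demo() are constructed from the limits used in the configuration example in 6.7.1.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SpeedLimiter:
    """Per-source suppression: arp speed-limit source-ip | source-mac,
    arp-miss speed-limit source-ip. One counter per (source, second)."""
    default_max: int                                   # the "Others" rate in pps; 0 disables
    per_key: dict = field(default_factory=dict)        # explicit per-source rates in pps
    _seen: dict = field(default_factory=lambda: defaultdict(int))

    def accept(self, key: str, second: int) -> bool:
        limit = self.per_key.get(key, self.default_max)
        if limit == 0:                                 # "rate=0 means function disabled"
            return True
        self._seen[(key, second)] += 1
        return self._seen[(key, second)] <= limit


@dataclass
class RateLimiter:
    """Aggregate cap: arp anti-attack rate-limit packet-number [interval-value]
    with the optional alarm on the number of discards."""
    packet_number: int = 100                           # documented default
    interval: int = 1                                  # seconds, documented default
    alarm_threshold: int = 100                         # documented default
    alarms: list = field(default_factory=list)         # windows in which an alarm fired
    _accepted: dict = field(default_factory=lambda: defaultdict(int))
    _dropped: dict = field(default_factory=lambda: defaultdict(int))

    def accept(self, second: int) -> bool:
        window = second // self.interval
        if self._accepted[window] < self.packet_number:
            self._accepted[window] += 1
            return True
        self._dropped[window] += 1
        # Modeling assumption: one alarm per window, raised when discards reach the threshold.
        if self._dropped[window] == self.alarm_threshold:
            self.alarms.append(window)
        return False


def process(packets, speed: SpeedLimiter, rate: RateLimiter) -> dict:
    """Run (arrival_second, source) records through both stages.
    Modeling assumption: per-source suppression is applied before the aggregate cap."""
    stats = {"accepted": 0, "discard_speedlimit": 0, "discard_ratelimit": 0}
    for second, src in packets:
        if not speed.accept(src, second):
            stats["discard_speedlimit"] += 1
        elif not rate.accept(second):
            stats["discard_ratelimit"] += 1
        else:
            stats["accepted"] += 1
    stats["alarms"] = len(rate.alarms)
    return stats


def demo() -> dict:
    """Constructed one-second burst: user 4 (2.2.4.2, capped at 10 pps as in 6.7.1)
    floods, one host exceeds the 15 pps default, one host behaves."""
    packets = [(0, "2.2.4.2")] * 60 + [(0, "2.2.1.2")] * 20 + [(0, "2.2.1.3")] * 5
    speed = SpeedLimiter(default_max=15, per_key={"2.2.4.2": 10})
    rate = RateLimiter(packet_number=20, interval=1, alarm_threshold=5)
    return process(packets, speed, rate)


if __name__ == "__main__":
    print(demo())
```

The point the model makes visible is that per-source suppression protects the well-behaved host (2.2.1.3 loses nothing to the flooder at the speed-limit stage), whereas a tight aggregate rate-limit discards packets regardless of source once the window is full, which is why the alarm on discards matters: it is the only signal that legitimate ARP traffic is being dropped.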

6.5.7 Setting the Aging Time of Fake ARP Entries


By setting the aging time of fake ARP entries, you can control how often ARP Miss packets are sent to the upper-layer software, which reduces the exposure of the system to ARP Miss floods.

Context
After the aging time of fake ARP entries is set, the same ARP Miss packet is sent only once within the aging time. When the aging time is reached, the fake ARP entry is deleted. If packets forwarded by the device still match no ARP entry, an ARP Miss packet is generated and reported again and a new fake ARP entry is created. This cycle repeats until the device learns a correct ARP entry.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
interface interface-type interface-number

The interface view is displayed. The interface type can be Ethernet, Eth-Trunk, or VLANIF.
Step 3 Run:
arp-fake expire-time expire-time

The aging time of fake ARP entries is set. By default, the aging time of fake ARP entries is 1s.
----End

6.5.8 (Optional) Setting the Rate Limit of Broadcasting ARP Packets on the VLANIF Interface of a Super-VLAN
After the rate limit of broadcasting ARP Request packets on the VLANIF interface of a super-VLAN is set, the system discards ARP Request packets that exceed the rate limit to reduce the CPU load.

Context
The VLANIF interface of a super-VLAN is triggered to learn ARP entries in the following situations:
- The VLANIF interface receives unknown unicast packets.
- ARP proxy is enabled on the VLANIF interface and the VLANIF interface receives ARP Request packets.

When learning ARP entries, the VLANIF interface of the super-VLAN replicates the ARP Request packet into each sub-VLAN. If a large number of sub-VLANs are configured for the super-VLAN, the AR200-S generates a large number of ARP Request packets. As a result, the CPU is busy processing ARP Request packets and cannot process other services in a timely manner.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
arp speed-limit flood-rate rate

The rate limit of broadcasting ARP Request packets on all VLANIF interfaces of super-VLANs is set. By default, the rate limit is 1000 pps.
----End

6.5.9 Checking the Configuration


This section describes how to check the ARP suppression configuration.

Procedure
- Run the display arp anti-attack configuration { arp-rate-limit | arpmiss-rate-limit } command to view the ARP rate limit configuration.
- Run the display arp anti-attack configuration { arp-speed-limit | arpmiss-speed-limit } command to view the ARP suppression configuration.
- Run the display arp flood statistics command to view the statistics on ARP Request packets sent by VLANIF interfaces of all super-VLANs.

----End

Example
# Run the display arp anti-attack configuration arp-speed-limit command to view the rate limit for ARP packets.
<Huawei> display arp anti-attack configuration arp-speed-limit
ARP speed-limit for source-MAC configuration:
MAC-address                    suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
0000-0000-0001                 150
Others                         200
-------------------------------------------------------------------------------
1 specified MAC addresses are configured, spec is 256 items.
ARP speed-limit for source-IP configuration:
IP-address                     suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
10.0.0.20                      50
Others                         100
-------------------------------------------------------------------------------
1 specified IP addresses are configured, spec is 512 items.

# Run the display arp flood statistics command to view the statistics on ARP Request packets sent by VLANIF interfaces of all super-VLANs.
<Huawei> display arp flood statistics
ARP request packets statistics on supervlan:
Total ARP request packets number  : 5100
Sent ARP request packets number   : 4000
Dropped ARP request packets number: 1100

6.6 Maintaining ARP Security


This section describes how to maintain ARP security.

6.6.1 Displaying the Statistics on ARP Packets


This section describes how to view statistics on ARP packets.

Procedure
- Run the display arp packet statistics command to view the statistics on ARP packets.
----End

Example
Run the display arp packet statistics command to view the statistics on ARP packets.
<Huawei> display arp packet statistics
ARP Pkt Received:                   sum 199992
ARP Learnt Count:                   sum 4
ARP Pkt Discard For Limit:          sum 0
ARP Pkt Discard For SpeedLimit:     sum 0
ARP Pkt Discard For Proxy Suppress: sum 0
ARP Pkt Discard For Other:          sum 18220

6.6.2 Clearing the Statistics on ARP Packets


This section describes how to clear statistics on ARP packets.

Context

CAUTION
Statistics cannot be restored after being cleared. Exercise caution when you run these commands.
Run the following commands in the user view to clear the statistics.

Procedure
- Run the reset arp packet statistics command to clear the statistics on ARP packets.
- Run the reset arp flood statistics command to clear the statistics on ARP Request packets of all VLANIF interfaces in a super-VLAN.

----End

6.6.3 Clearing the Statistics on Discarded ARP Packets


This section describes how to clear the statistics on discarded ARP packets.

Context

CAUTION
Statistics cannot be restored after being cleared. Exercise caution when you run this command.
To clear the statistics on discarded ARP packets, run the following command in the user view.

Procedure
- Run the reset arp anti-attack statistics rate-limit { global | interface interface-type interface-number } command to clear the statistics on ARP packets discarded because the transmission rate exceeded the limit.

----End

6.7 Configuration Examples


This section provides ARP security configuration examples.

6.7.1 Example for Configuring ARP Security Functions


This section provides an example for configuring ARP security functions.


Networking Requirements
As shown in Figure 6-1, the Router is connected to a server through Ethernet0/0/3, which is added to VLAN 30, and to users in VLAN 10 and VLAN 20 through Ethernet0/0/1 and Ethernet0/0/2. The following ARP attacks occur on the network:
- The server may send packets with unreachable destination IP addresses, and it sends more such packets than common users do.
- After user 1 is infected by a virus, it sends a large number of ARP packets. The source IP address of some of these packets changes within the local network segment, and the source IP address of others is the same as the IP address of the gateway.
- User 3 constructs a large number of ARP packets with a fixed IP address to attack the network.
- User 4 constructs a large number of ARP packets with an unreachable destination IP address to attack the network.

ARP security functions must be configured on the Router to prevent the preceding attacks. The rate limit for ARP Miss packets from the server should be higher than the rate limit for other users.

Figure 6-1 Network diagram for configuring ARP security functions
(Figure: the Router connects through Ethernet0/0/1 to VLAN10 (User1, User2), through Ethernet0/0/2 to VLAN20 (User3, User4), and through Ethernet0/0/3 to the Server.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable strict ARP learning.
2. Enable interface-based ARP entry limiting.
3. Enable the ARP anti-spoofing function.
4. Enable the ARP anti-attack function for preventing attacks by ARP packets with a bogus gateway address.
5. Configure the rate limit for ARP packets with the specified source IP address.
6. Configure the rate limit for ARP Miss packets.
7. Enable log and alarm functions for potential attacks.

Data Preparation
To complete the configuration, you need the following data:
- Maximum number of ARP entries on each interface: 20
- Anti-spoofing mode used to prevent the attacks initiated by user 1: fixed-mac
- IP addresses of VLANIF10, VLANIF20 and VLANIF30: 2.2.1.10/24, 2.2.4.10/24 and 2.2.2.10/24
- IP address of the server: 2.2.2.2/24
- IP address of user 4, which sends a large number of ARP packets: 2.2.4.2/24
- Rate limit for ARP packets from user 4 and rate limit for ARP packets from other users: 10 pps and 15 pps
- Rate limit for ARP Miss packets from common users: 20 pps; rate limit for ARP Miss packets from the server: 50 pps
- Interval for writing an ARP log and sending an alarm: 300s

Procedure
Step 1 Create the VLANs, add the interfaces to the VLANs, and assign IP addresses to the VLANIF interfaces. The configuration procedure is not described here.
Step 2 Enable strict ARP learning.
<Huawei> system-view
[Huawei] sysname Router
[Router] arp learning strict

Step 3 Configure interface-based ARP entry limiting.
# Limit the number of ARP entries on Ethernet0/0/1, Ethernet0/0/2 and Ethernet0/0/3 to 20. The configuration of Ethernet0/0/1 is shown here.
[Router] interface ethernet 0/0/1
[Router-Ethernet0/0/1] arp-limit vlan 10 maximum 20
[Router-Ethernet0/0/1] quit

Step 4 Enable the ARP anti-spoofing function.
# Set the ARP anti-spoofing mode to fixed-mac to prevent the ARP spoofing attacks initiated by user 1.
[Router] arp anti-attack entry-check fixed-mac enable

Step 5 Enable the ARP anti-attack function that prevents attacks by ARP packets carrying a bogus gateway address.
# Prevent user 1 from sending ARP packets with a bogus gateway address.
[Router] arp anti-attack gateway-duplicate enable

Step 6 Configure the rate limit for ARP packets with the specified source IP address.
# Set the rate limit for ARP packets sent by user 4 to 10 pps. To stop any user from sending a large number of ARP packets, set the rate limit for ARP packets from all other source IP addresses to 15 pps.
[Router] arp speed-limit source-ip maximum 15
[Router] arp speed-limit source-ip 2.2.4.2 maximum 10

Step 7 Configure the rate limit for ARP Miss packets.
# Set the rate limit for ARP Miss packets from all users to 20 pps to prevent users from sending a large number of IP packets with unreachable destination IP addresses.
[Router] arp-miss speed-limit source-ip maximum 20

# Set the rate limit for ARP Miss packets from the server to 50 pps. This still limits the server if it sends a large number of IP packets with unreachable destination IP addresses, but allows for the server's legitimately higher rate so that its normal communication is not interrupted.
[Router] arp-miss speed-limit source-ip 2.2.2.2 maximum 50

Step 8 Verify the configuration.
After the configuration, run the display arp learning strict command to view information about strict ARP learning.
<Router> display arp learning strict
The global configuration:arp learning strict
interface                     LearningStrictState
-------------------------------------------------
-------------------------------------------------
Total:0      force-enable:0      force-disable:0

Run the display arp-limit command to check the maximum number of ARP entries that an interface can learn. Ethernet0/0/1 is used as an example.
<Router> display arp-limit interface ethernet 0/0/1
interface        LimitNum   VlanID   LearnedNum(Mainboard)
--------------------------------------------------------------------------
Ethernet0/0/1    20         10       0
--------------------------------------------------------------------------
Total:1

Run the display arp anti-attack configuration all command to check the ARP anti-attack configuration.
<Router> display arp anti-attack configuration all
ARP anti-attack packet-check function: disabled
ARP anti-attack entry-check mode: fixed-MAC
ARP gateway-duplicate anti-attack function: enabled
ARP rate-limit configuration:
-------------------------------------------------------------------------------
Global configuration:
Interface configuration:
-------------------------------------------------------------------------------
ARP miss rate-limit configuration:
-------------------------------------------------------------------------------
Global configuration:
-------------------------------------------------------------------------------
ARP speed-limit for source-MAC configuration:
MAC-address                    suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
All                            0
-------------------------------------------------------------------------------
0 specified MAC addresses are configured, spec is 256 items.
ARP speed-limit for source-IP configuration:
IP-address                     suppress-rate(pps)(rate=0 means function disabled)
-----------------------------------------------------------------------
2.2.4.2                        10
Others                         15
-----------------------------------------------------------------------
1 specified IP addresses are configured, spec is 128 items.
ARP miss speed-limit for source-IP configuration:
IP-address                     suppress-rate(pps)(rate=0 means function disabled)
-----------------------------------------------------------------------
2.2.2.2                        50
Others                         20
-----------------------------------------------------------------------
1 specified IP addresses are configured, spec is 128 items.

Run the display arp packet statistics command to view the number of discarded ARP packets and the number of learned ARP entries.
<Router> display arp packet statistics
ARP Pkt Received:                   sum 167
ARP Learnt Count:                   sum 8
ARP Pkt Discard For Limit:          sum 5
ARP Pkt Discard For SpeedLimit:     sum 0
ARP Pkt Discard For Proxy Suppress: sum 0
ARP Pkt Discard For Other:          sum 3

Run the display arp anti-attack gateway-duplicate item command to view information about attacks from packets with a forged gateway address on the current network.
<Router> display arp anti-attack gateway-duplicate item
interface        IP address    MAC address      VLANID   aging time
-------------------------------------------------------------------------------
Ethernet0/0/1    2.2.1.10      0000-0000-0002   10       153
Ethernet0/0/2    2.2.4.10      0000-0000-0004   20       179
-------------------------------------------------------------------------------
There are 2 records in gateway conflict table

----End
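The following Python script is an added example, not part of the Huawei documentation, that turns the verification step above into an automated check: it parses the speed-limit tables from the display arp anti-attack configuration all output and compares them with the limits planned in the Data Preparation section. The sample output is constructed from the page's own tables, re-typed one row per line; the dictionary keys used for the tables ("arp source-ip", "arp-miss source-ip", "arp source-mac") are this script's own names, not device terminology.

```python
import re

# Constructed sample: the speed-limit part of the display output from Step 8,
# re-typed as separate lines (the original page shows it run together).
SAMPLE_OUTPUT = """\
ARP anti-attack packet-check function: disabled
ARP anti-attack entry-check mode: fixed-MAC
ARP gateway-duplicate anti-attack function: enabled
ARP speed-limit for source-MAC configuration:
MAC-address                    suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
All                            0
-------------------------------------------------------------------------------
0 specified MAC addresses are configured, spec is 256 items.
ARP speed-limit for source-IP configuration:
IP-address                     suppress-rate(pps)(rate=0 means function disabled)
-----------------------------------------------------------------------
2.2.4.2                        10
Others                         15
-----------------------------------------------------------------------
1 specified IP addresses are configured, spec is 128 items.
ARP miss speed-limit for source-IP configuration:
IP-address                     suppress-rate(pps)(rate=0 means function disabled)
-----------------------------------------------------------------------
2.2.2.2                        50
Others                         20
-----------------------------------------------------------------------
1 specified IP addresses are configured, spec is 128 items.
"""

SECTION_RE = re.compile(r"^ARP (miss )?speed-limit for source-(MAC|IP) configuration:$")
ROW_RE = re.compile(r"^(\S+)\s+(\d+)$")

# Intended design from the Data Preparation section (table keys are this script's own names).
EXPECTED = {
    "arp source-ip": {"2.2.4.2": 10, "Others": 15},
    "arp-miss source-ip": {"2.2.2.2": 50, "Others": 20},
}


def parse_speed_limits(text: str) -> dict:
    """Return {table: {source: pps}}; "Others"/"All" is the default bucket."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = ("arp-miss " if m.group(1) else "arp ") + "source-" + m.group(2).lower()
            tables[current] = {}
            continue
        if current is None or line.startswith("-") or "suppress-rate" in line:
            continue                     # outside a table, a separator, or the column header
        row = ROW_RE.match(line)
        if row:                          # the "N specified ... items." footer does not match
            tables[current][row.group(1)] = int(row.group(2))
    return tables


def audit(tables: dict, expected: dict) -> list:
    """Compare parsed limits with the design; an empty list means compliant."""
    findings = []
    for table, want in expected.items():
        got = tables.get(table)
        if got is None:
            findings.append(f"{table}: table not present in output")
            continue
        for source, pps in want.items():
            if source not in got:
                findings.append(f"{table}: no entry for {source}")
            elif got[source] != pps:
                findings.append(f"{table}: {source} is {got[source]} pps, expected {pps}")
        if got.get("Others", got.get("All")) == 0:
            findings.append(f"{table}: default rate is 0, unlisted sources are not suppressed")
    return findings


if __name__ == "__main__":
    parsed = parse_speed_limits(SAMPLE_OUTPUT)
    print(parsed)
    print(audit(parsed, EXPECTED) or "compliant")
```

The check on the default bucket is the one most worth keeping: a per-host entry is only meaningful if the "Others" rate is non-zero, because a default of 0 leaves every unlisted source unsuppressed, which the display output flags only in its column header.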

Configuration Files
#
 sysname Router
#
vlan batch 10 20 30
#
arp speed-limit source-ip maximum 15
arp-miss speed-limit source-ip maximum 20
arp learning strict
#
arp anti-attack entry-check fixed-mac enable
arp anti-attack gateway-duplicate enable
arp-miss speed-limit source-ip 2.2.2.2 maximum 50
arp speed-limit source-ip 2.2.4.2 maximum 10
#
interface Ethernet0/0/1
 port hybrid pvid vlan 10
 port hybrid tagged vlan 10
 arp-limit vlan 10 maximum 20
#
interface Ethernet0/0/2
 port hybrid pvid vlan 20
 port hybrid tagged vlan 20
 arp-limit vlan 20 maximum 20
#
interface Ethernet0/0/3
 port hybrid pvid vlan 30
 port hybrid tagged vlan 30
 arp-limit vlan 30 maximum 20
#
interface Vlanif 10
 ip address 2.2.1.10 255.255.255.0
#
interface Vlanif 20
 ip address 2.2.4.10 255.255.255.0
#
interface Vlanif 30
 ip address 2.2.2.10 255.255.255.0
#
return


7 ICMP Security Configuration

About This Chapter

This chapter describes configuration procedures for ICMP security and provides configuration examples.

7.1 ICMP Security Overview
This section describes ICMP security principles.
7.2 ICMP Security Features Supported by the AR200-S
The AR200-S can limit the rate at which ICMP packets are received, check the validity of ICMP packets, discard invalid and specified ICMP packets, and ignore destination-unreachable packets.
7.3 Limiting the Rate of ICMP Packets
This section describes how to limit the rate at which ICMP packets are received.
7.4 Configuring the AR200-S to Discard Specified ICMP Packets
This section describes how to configure the AR200-S to discard specified ICMP packets.
7.5 Disabling the AR200-S from Sending Destination-Unreachable Packets
This section describes how to disable the AR200-S from sending destination-unreachable packets.
7.6 Maintaining ICMP Security
This section describes how to monitor the ICMP running status.
7.7 Configuration Examples
This section provides ICMP security configuration examples.


7.1 ICMP Security Overview


This section describes ICMP security principles. The Internet Control Message Protocol (ICMP) is a sub-protocol of the TCP/IP protocol suite, and is used to transfer control messages between IP hosts and routers. A control message conveys information about network connectivity, host reachability and route availability. The AR200-S receives a large number of ICMP packets from the network, and these packets consume a lot of CPU resources. Therefore, the AR200-S needs to check the validity of ICMP packets, discard specified ICMP packets, and limit the rate at which ICMP packets are received.

7.2 ICMP Security Features Supported by the AR200-S


The AR200-S can limit the rate at which ICMP packets are received, check the validity of ICMP packets, discard invalid and specified ICMP packets, and ignore destination-unreachable packets.

ICMP Packet Rate Limiting


The AR200-S receives a large number of ICMP packets from the network, and these packets consume a lot of CPU resources. Limiting the rate at which ICMP packets are received on the AR200-S can help reduce the burden of the CPU, ensuring operation of services. The rate limit for ICMP packets can be configured globally or on an interface.

Checking Validity of ICMP Packets and Discarding Invalid and Specified ICMP Packets
By default, the AR200-S discards invalid ICMP packets, such as ICMP packets with the TTL value of 0 or type 15, 16 or 17 to protect CPU resources. The AR200-S can be configured to discard seldom-used ICMP packets, including ICMP packets with the TTL value of 1, with options, or with unreachable destinations. This helps reduce the burden on the AR200-S and protect CPU resources.

Ignoring Destination-Unreachable Packets


The AR200-S can be configured to ignore destination-unreachable conditions, that is, not to send host-unreachable and port-unreachable packets. If an attacker floods the AR200-S with packets that would each elicit a destination-unreachable response (for example, packets to closed ports), the AR200-S discards them directly instead of generating replies, which protects CPU resources.

7.3 Limiting the Rate of ICMP Packets


This section describes how to limit the rate at which ICMP packets are received.

Applicable Environment
The AR200-S receives a large number of ICMP packets from the network, and these packets consume a lot of CPU resources. Limiting the rate at which ICMP packets are received helps reduce the CPU load and ensures nonstop service transmission. After this function is configured, the AR200-S discards the packets that exceed the rate limit.

NOTE
After rate limiting of ICMP packets is configured, the AR200-S may fail to respond to some ping packets, because ICMP Echo Requests that exceed the limit are discarded like any other ICMP packets.

Procedure
- Configuring the global rate limit for ICMP packets
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  icmp rate-limit enable

  The global ICMP packet rate limiting function is enabled. By default, the global ICMP packet rate limiting function is disabled on the AR200-S.
  3. (Optional) Run:
  icmp rate-limit threshold threshold-value

  The global rate limit for ICMP packets is set. By default, the global rate limit for ICMP packets is 100 pps.
- Configuring the rate limit for ICMP packets on a specified interface
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  interface interface-type interface-number

  The interface view is displayed. The AR200-S can limit the rate at which ICMP packets are received on Ethernet interfaces and Eth-Trunk interfaces.
  3. Run:
  icmp rate-limit enable

  The ICMP packet rate limiting function is enabled on the interface. By default, the ICMP packet rate limiting function is disabled on an interface.
  4. (Optional) Run:
  icmp rate-limit threshold threshold-value

  The maximum rate at which ICMP packets are received on the interface is set. By default, the rate limit for ICMP packets on an interface is 100 pps.
  To configure rate limits for ICMP packets on multiple interfaces, repeat these steps.
----End

Checking the Configuration


# Run the display current-configuration | include icmp command to check the configured maximum rate at which ICMP packets are received.
<Huawei> display current-configuration | include icmp
icmp rate-limit enable
icmp rate-limit threshold 120

7.4 Configuring the AR200-S to Discard Specified ICMP Packets


This section describes how to configure the AR200-S to discard specified ICMP packets.

7.4.1 Establishing the Configuration Task


Before configuring the AR200-S to discard specified ICMP packets, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
The AR200-S receives a large number of ICMP packets from the network, and these packets consume a lot of CPU resources. The AR200-S can be configured to discard seldom-used ICMP packets, including the ICMP packets with the TTL values of 1, with options, and with unreachable destinations. This helps reduce the burden of processing ICMP packets that are received on the AR200-S, protecting CPU resources.

Pre-configuration Tasks
Before configuring the AR200-S to discard specified ICMP packets, complete the following task: l Setting parameters for the link layer protocols on the interfaces to ensure that the link layer protocols are Up

Data Preparation
None.

7.4.2 Configuring the AR200-S to Discard the ICMP Packets with TTL Value of 1
This section describes how to configure the AR200-S to discard the ICMP packets with the TTL value of 1.

Context
The AR200-S receives a large number of ICMP packets from the network, and these packets consume a lot of CPU resources. The AR200-S can be configured to discard the ICMP packets with the TTL value of 1. This helps reduce the burden on the AR200-S and protect CPU resources.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
icmp ttl-exceeded drop

The AR200-S is enabled to discard ICMP packets with the TTL value of 1. By default, the AR200-S does not discard ICMP packets with the TTL value of 1.
----End

7.4.3 Configuring the AR200-S to Discard the ICMP Packets with Options
This section describes how to configure the AR200-S to discard the ICMP packets with options.

Context
Processing the options in the IP header of ICMP packets (for example, recording the route or counting hops) occupies the CPU, so normal services are not processed immediately. The AR200-S receives a large number of ICMP packets from the network, and these packets consume a lot of CPU resources. The AR200-S can be configured to discard ICMP packets with options. This helps reduce the burden on the AR200-S and protect CPU resources.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
icmp with-options drop

The AR200-S is enabled to discard ICMP packets with options. By default, the AR200-S does not discard ICMP packets with options.

----End

7.4.4 Configuring the AR200-S to Discard ICMP Destination-Unreachable Packets

This section describes how to configure the AR200-S to discard ICMP destination-unreachable packets.

Context
The AR200-S receives a large number of ICMP packets from the network, and these packets consume a lot of CPU resources. The AR200-S can be configured to discard the ICMP destination-unreachable packets. This helps reduce the burden on the AR200-S and protect CPU resources.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
icmp unreachable drop

The AR200-S is enabled to discard ICMP destination-unreachable packets. By default, the AR200-S does not discard ICMP destination-unreachable packets.

----End

7.4.5 Checking the Configuration


After configuring the AR200-S to discard specified ICMP packets, you can use the following commands to verify the configuration.

Procedure
- Run the display current-configuration command to check whether the AR200-S is configured to discard specified ICMP packets.

----End

Example
# Run the display current-configuration | include icmp command to check whether the AR200-S is configured to discard specified ICMP packets.
<Huawei> display current-configuration | include icmp
 icmp unreachable drop
 icmp ttl-exceeded drop
 icmp with-options drop

7.5 Disabling the AR200-S from Sending Destination-Unreachable Packets


This section describes how to disable the AR200-S from sending destination-unreachable packets.

Applicable Environment
The AR200-S can be disabled from sending destination-unreachable packets, including host-unreachable packets and port-unreachable packets. If an attacker sends a large number of destination-unreachable packets to attack the AR200-S, the AR200-S does not respond to these packets and discards them directly to protect CPU resources.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
undo icmp port-unreachable send

The AR200-S is disabled from sending ICMP port-unreachable packets. By default, the AR200-S is enabled to send ICMP port-unreachable packets.

Step 3 Run:
interface interface-type interface-number

The interface view is displayed. The AR200-S cannot be configured to send the ICMP host-unreachable packets on a Layer 2 interface.

Step 4 Run:
undo icmp host-unreachable send

The interface is disabled from sending the ICMP host-unreachable packets. By default, the AR200-S is enabled to send ICMP host-unreachable packets.

----End

Checking the Configuration


# Run the display current-configuration | include icmp command to check whether the AR200-S is enabled to send ICMP destination-unreachable packets.
<Huawei> display current-configuration | include icmp
 undo icmp port-unreachable send
 undo icmp host-unreachable send

7.6 Maintaining ICMP Security


This section describes how to monitor the ICMP running status.

Procedure
- Run the display icmp statistics command to check statistics about ICMP traffic.

----End

Example
# Run the display icmp statistics command to view statistics about ICMP traffic.
<Huawei> display icmp statistics
  Input: bad formats         0     bad checksum             0
         echo                0     destination unreachable  0
         source quench       0     redirects                0
         echo reply          0     parameter problem        0
         timestamp           0     information request      0
         mask requests       0     mask replies             0
         time exceeded       0     Mping reply              0
         Mping request       0
  Output:echo                0     destination unreachable  0
         source quench       0     redirects                0
         echo reply          0     parameter problem        0
         timestamp           0     information reply        0
         mask requests       0     mask replies             0
         time exceeded       0     Mping reply              0
         Mping request       0

7.7 Configuration Examples


This section provides ICMP security configuration examples.

7.7.1 Example for Disabling the AR200-S from Sending Host-Unreachable Packets
This section provides an example to illustrate how to disable the AR200-S from sending host-unreachable packets.

Networking Requirements
As shown in Figure 7-1, RouterA, RouterB and RouterC are connected through their layer 3 interfaces to test whether the AR200-S can send ICMP host-unreachable packets.
NOTE
The AR200-S enterprise router is RouterA or RouterC.

Figure 7-1 Disabling the AR200-S from sending host-unreachable packets
[Figure: RouterA (Eth1/0/0, 1.1.1.1/24) -- RouterB (Eth1/0/0, 1.1.1.2/24; Eth2/0/0, 3.3.3.1/24) -- Internet -- RouterC (Eth1/0/0, 2.2.2.2/24)]

Configuration Roadmap
The configuration roadmap is as follows:
1. Assign IP addresses to corresponding interfaces on each device.
2. Configure static routes from RouterA to RouterC.
3. Enable RouterA and RouterC to send ICMP host-unreachable packets.
NOTE
By default, an interface is enabled to send ICMP host-unreachable packets. If this function is enabled, skip this step.
4. Disable Eth1/0/0 on RouterB from sending ICMP host-unreachable packets so that RouterB does not answer packets arriving on Eth1/0/0 with host-unreachable packets.

Data Preparation
To complete the configuration, you need the following data:
- Static routes from RouterA to RouterC
- IP address of each interface

Procedure
Step 1 Configure RouterA.
# Configure static routes on RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ip route-static 2.2.2.0 255.255.255.0 1.1.1.2

# Assign an IP address to Eth1/0/0.
[RouterA] interface ethernet 1/0/0
[RouterA-Ethernet1/0/0] ip address 1.1.1.1 24
[RouterA-Ethernet1/0/0] quit

Step 2 Configure RouterC.
# Assign an IP address to Eth1/0/0.
<Huawei> system-view
[Huawei] sysname RouterC
[RouterC] interface ethernet 1/0/0
[RouterC-Ethernet1/0/0] ip address 2.2.2.2 24
[RouterC-Ethernet1/0/0] quit

Step 3 Configure RouterB.
# Disable Eth1/0/0 from sending ICMP host-unreachable packets and assign an IP address to Eth1/0/0.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] interface ethernet 1/0/0
[RouterB-Ethernet1/0/0] undo icmp host-unreachable send
[RouterB-Ethernet1/0/0] ip address 1.1.1.2 24
[RouterB-Ethernet1/0/0] quit
[RouterB] quit

Step 4 Verify the configuration.
# Enable ICMP packet debugging on RouterB.
<RouterB> debugging ip icmp
<RouterB> terminal monitor
<RouterB> terminal debugging

# Run ping 2.2.2.2 on RouterA. If the debugging output on RouterB shows that it does not send ICMP host-unreachable packets, the configuration succeeds.

There is no reachable route from RouterB to RouterC; therefore RouterB would normally respond to ping packets received from RouterA with ICMP host-unreachable packets. Because Eth1/0/0 of RouterB is disabled from sending ICMP host-unreachable packets, RouterB does not respond to ping packets received from RouterA.

----End

Configuration Files
- Configuration file of RouterA
#
 sysname RouterA
#
interface Ethernet 1/0/0
 ip address 1.1.1.1 255.255.255.0
#
ip route-static 2.2.2.0 255.255.255.0 1.1.1.2
#
return

- Configuration file of RouterB
#
 sysname RouterB
#
interface Ethernet 1/0/0
 ip address 1.1.1.2 255.255.255.0
 undo icmp host-unreachable send
#
return

- Configuration file of RouterC
#
 sysname RouterC
#
interface Ethernet 1/0/0
 ip address 2.2.2.2 255.255.255.0
#
return

7.7.2 Example for Optimizing System Performance by Discarding Certain ICMP Packets
This section describes how to optimize system performance by discarding specified ICMP packets.

Networking Requirements
As shown in Figure 7-2, RouterA functions as the access device through which the enterprise, the individual user, and the user network, all attached to an LSW, reach the Internet. RouterA is connected to RouterB. RouterA needs to discard ICMP packets with the TTL value of 1, with options, or with unreachable destinations to protect CPU resources.

Figure 7-2 Networking diagram of ICMP security configurations
[Figure: Internet -- RouterB -- RouterA -- LSW -- user network, enterprise, individual user]

Configuration Roadmap
The configuration roadmap is as follows:
- Configure RouterA to discard ICMP packets with the TTL value of 1.
- Configure RouterA to discard ICMP packets with options.
- Configure RouterA to discard ICMP destination-unreachable packets.

Data Preparation
None.

Procedure
Step 1 Configure RouterA to discard specified ICMP packets.
# Configure RouterA to discard ICMP packets with the TTL value of 1.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] icmp ttl-exceeded drop

# Configure RouterA to discard ICMP packets with options.
[RouterA] icmp with-options drop

# Configure RouterA to discard ICMP destination-unreachable packets.
[RouterA] icmp unreachable drop

Step 2 Verify the configuration.
# Run the display current-configuration command in the user view. You can view the ICMP security configuration.
<RouterA> display current-configuration | include icmp
 icmp unreachable drop
 icmp ttl-exceeded drop
 icmp with-options drop

----End

Configuration Files
#
 sysname RouterA
#
icmp unreachable drop
icmp ttl-exceeded drop
icmp with-options drop
#
return

8 IP Address Anti-spoofing Configuration


About This Chapter

To protect authorized users from source IP address spoofing attacks, configure URPF.

8.1 IP Address Anti-spoofing Overview
This function defends against source address spoofing attacks.

8.2 IP Source Address-based Attack Defense Features Supported by the AR200-S
This section describes the IP source address-based attack defense features supported by the AR200-S.

8.3 Configuring URPF
This section describes how to configure URPF.

8.4 Configuration Examples
This topic provides IP address anti-spoofing configuration examples.


8.1 IP Address Anti-spoofing Overview


This function defends against source address spoofing attacks. Source IP address spoofing attacks often occur on the Internet. An attacker sends a packet carrying the IP address of an authorized user to a server to access the server. As a result, the authorized user cannot use network services or the authorized user information is intercepted. To defend against such an attack, the AR200-S provides Unicast Reverse Path Forwarding (URPF).

URPF
When the AR200-S receives a packet, it searches for the route to the destination address of the packet. If the route is found, the AR200-S forwards the packet. Otherwise, the AR200-S discards the packet.

After URPF is configured, the AR200-S obtains the source address and inbound interface of the packet. The AR200-S takes the source address as the destination address to retrieve the corresponding outbound interface in the FIB and compares the retrieved interface with the inbound interface. If they do not match, the AR200-S considers the source address as a spoofing address and discards the packet. URPF can effectively protect the AR200-S against malicious attacks by blocking packets from bogus source addresses.

As shown in Figure 8-1, RouterA sends bogus packets carrying the source address 2.1.1.1 of RouterC to RouterB. RouterB sends response packets to the real source address 2.1.1.1. RouterB and RouterC are attacked by the bogus packets. If URPF is enabled on an interface of RouterB, when RouterB receives bogus packets, it detects that the packets should not come from RouterA's interface and discards these bogus packets.

Figure 8-1 URPF
[Figure: RouterA (1.1.1.1/24, sending packets with source address 2.1.1.1/24) -- RouterB -- RouterC (2.1.1.1/24)]

8.2 IP Source Address-based Attack Defense Features Supported by the AR200-S


This section describes the IP source address-based attack defense features supported by the AR200-S.

URPF
URPF takes effect only on Layer 3 inbound interfaces of the AR200-S. If URPF is enabled on an interface, the URPF check is conducted on packets received by the interface.
The AR200-S supports the following URPF check modes:
- Strict check: Packets can pass the check only when the FIB table of the AR200-S has a corresponding routing entry with the destination address being the source address of the packet and the inbound interface of the packets matches the outbound interface in the routing entry. Unmatched packets are discarded.
- Loose check: A packet can pass the check as long as the FIB table of the AR200-S has a routing entry with the destination address being the source address of the packet.
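The strict and loose checks described above, worked through in code. This is an added illustration written for this guide, not AR200-S software: the FIB is a constructed table modelled on Figure 8-2, and the treatment of the allow-default-route keyword (a source covered only by the default route passes only when the keyword is set) is an assumption, since the page does not define the keyword.

```python
import ipaddress

# Constructed FIB modelled on Figure 8-2 (not taken from the AR200-S): Network 1
# sits behind Eth0/0/8, VLAN 10 behind Vlanif 10, and the server side is reached
# through Eth0/0/1 toward RouterB. Only the outbound interface matters for URPF,
# so next hops are omitted.
FIB = [
    (ipaddress.ip_network("1.1.1.0/24"), "Eth0/0/8"),
    (ipaddress.ip_network("2.2.2.0/24"), "Vlanif10"),
    (ipaddress.ip_network("3.3.3.0/24"), "Eth0/0/1"),
    (ipaddress.ip_network("0.0.0.0/0"), "Eth0/0/1"),  # default route
]


def fib_lookup(fib, address):
    """Longest-prefix match; returns the (prefix, out_iface) entry or None."""
    address = ipaddress.ip_address(address)
    matches = [entry for entry in fib if address in entry[0]]
    if not matches:
        return None
    return max(matches, key=lambda entry: entry[0].prefixlen)


def urpf_check(fib, src, in_iface, mode="strict", allow_default_route=False):
    """Apply the URPF check of section 8.2 to one packet; returns (passed, reason).

    The source address is looked up as if it were a destination. Loose mode
    passes when any FIB entry covers it; strict mode additionally requires
    the entry's outbound interface to be the interface the packet arrived on.
    A match on the default route (/0) counts only when allow_default_route is
    set; this models the allow-default-route keyword and is an assumption,
    since the page does not spell out the keyword's semantics.
    """
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    entry = fib_lookup(fib, src)
    if entry is None:
        return False, "no FIB entry covers source %s" % src
    prefix, out_iface = entry
    if prefix.prefixlen == 0 and not allow_default_route:
        return False, "source %s is covered only by the default route" % src
    if mode == "loose":
        return True, "loose: %s is reachable via %s" % (src, out_iface)
    if out_iface != in_iface:
        return False, "strict: %s belongs on %s but arrived on %s" % (src, out_iface, in_iface)
    return True, "strict: %s arrived on its FIB interface %s" % (src, in_iface)


def demo():
    """Replay the Figure 8-2 scenario: PC A on Eth0/0/8 spoofs PC B's address."""
    spoofed = urpf_check(FIB, "2.2.2.2", "Eth0/0/8")   # PC A forging 2.2.2.2
    genuine = urpf_check(FIB, "2.2.2.2", "Vlanif10")   # PC B's own traffic
    return spoofed, genuine
```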

8.3 Configuring URPF


This section describes how to configure URPF.

Applicable Environment
Users on an enterprise network are often attacked by unauthorized users on other network segments when they use applications demanding IP address-based authentication. An attacker sends bogus packets with the IP address of an authorized user to a server to access the server. As a result, the authorized user cannot access the server or the authorized user information is intercepted. To prevent such an attack, configure URPF on the AR200-S.

As shown in Figure 8-2, Network 1 and VLAN 10 are connected to Eth0/0/8 and Vlanif 10 of RouterA. URPF strict check is configured on Eth0/0/8 and Vlanif 10. PC A on Network 1 sends a bogus packet with the source IP address 2.2.2.2 to the server on Network 3. After RouterA receives this packet, it checks the inbound interface. Packets with the source address 2.2.2.2 must reach Network 3 through Vlanif 10, not Eth0/0/8. Therefore, RouterA considers the packet a bogus packet and discards it. This protects PC B on VLAN 10 against IP address spoofing attacks initiated from PC A. Packets sent from VLAN 10 to the server pass the URPF check and are forwarded normally.

Figure 8-2 URPF application
[Figure: PC A (1.1.1.1/24) on Network 1 -- Eth0/0/8 (URPF enabled) of RouterA; PC B (2.2.2.2/24) on VLAN 10 -- Eth0/0/1 / Vlanif 10 of RouterA; RouterA -- RouterB -- Server (3.3.3.3/24) on Network 3]


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed. URPF cannot be configured on Layer 2 interfaces of the AR200-S.

Step 3 Configure URPF check for packets on the interface.
- Configure URPF check for IPv4 packets on the interface. Run the urpf { loose | strict } [ allow-default-route ] command to configure the URPF check for IPv4 packets on the interface.
- Configure URPF check for IPv6 packets on the interface. Run the ipv6 urpf { loose | strict } [ allow-default-route ] command to configure the URPF check for IPv6 packets on the interface.

NOTE
To configure URPF check for IPv6 packets on an interface, enable the IPv6 function on the interface first. Run the ipv6 command in the system view, and then the ipv6 enable command in the interface view.

----End

Checking the Configuration


After the configuration, run the display this command in the interface view to view the URPF configuration on the interface.
[Huawei-Ethernet0/0/8] display this
#
interface Ethernet 0/0/8
 urpf strict allow-default-route
#
return

8.4 Configuration Examples


This topic provides IP address anti-spoofing configuration examples.

8.4.1 Example for Configuring URPF


This example illustrates how to configure the URPF function.

Networking Requirements
As shown in Figure 8-3, the R&D department of an enterprise connects to Eth0/0/1 of RouterA, and the marketing department connects to Eth0/0/2. RouterA has a reachable route to an external server, and users in the R&D and marketing departments are allowed to connect to the server through RouterA. RouterA is required to prevent staff in other departments from accessing the server without permission.

NOTE
In Figure 8-3, RouterA is an access router of the enterprise, and RouterB is an aggregation router.

Figure 8-3 Networking diagram of URPF configuration
[Figure: PC A (10.10.1.1/24, Marketing) and PC B (10.10.2.1/24, R&D) -- Eth0/0/1, Eth0/0/2 of RouterA; RouterA -- RouterB -- Internet -- Server (10.2.2.10/24); sample packet: source 10.10.2.1, destination 10.2.2.10]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure VLAN 10 and VLAN 20 and add Eth0/0/1 and Eth0/0/2 to VLAN 10 and VLAN 20 respectively.
2. Configure URPF in VLANIF 10 and VLANIF 20 and allow special processing for the default route.

Data Preparation
- URPF check mode: strict check
NOTE
URPF strict check is used because packets are transmitted between RouterA and the server through the same path.
- Network segment on which the R&D department is located: 10.10.2.0/24
- Network segment on which the marketing department is located: 10.10.1.0/24
- Server IP address: 10.2.2.10/24

Procedure
Step 1 Configure VLANs and add interfaces to VLANs.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] vlan 10
[RouterA-vlan10] quit
[RouterA] vlan 20
[RouterA-vlan20] quit
[RouterA] interface ethernet 0/0/1
[RouterA-Ethernet0/0/1] port link-type trunk
[RouterA-Ethernet0/0/1] port trunk allow-pass vlan 10
[RouterA-Ethernet0/0/1] quit
[RouterA] interface ethernet 0/0/2
[RouterA-Ethernet0/0/2] port link-type trunk
[RouterA-Ethernet0/0/2] port trunk allow-pass vlan 20
[RouterA-Ethernet0/0/2] quit

Step 2 Configure strict URPF on the VLANIF interfaces.
[RouterA] interface vlanif 10
[RouterA-Vlanif10] urpf strict allow-default-route
[RouterA-Vlanif10] quit
[RouterA] interface vlanif 20
[RouterA-Vlanif20] urpf strict allow-default-route

Step 3 Verify the configuration.
Run the display this command on VLANIF10 to view the URPF configuration.
[RouterA-vlanif 10] display this
#
interface Vlanif10
 urpf strict allow-default-route
#
return

Run the display this command on VLANIF20 to view the URPF configuration.
[RouterA-vlanif 20] display this
#
interface Vlanif20
 urpf strict allow-default-route
#
return

----End

Configuration Files
#
 sysname RouterA
#
vlan batch 10 20
#
interface Vlanif10
 urpf strict allow-default-route
#
interface Vlanif20
 urpf strict allow-default-route
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface Ethernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
#
return

9 Local Attack Defense Configuration


About This Chapter

This section describes configuration procedures for local attack defense and provides configuration examples.

9.1 Local Attack Defense Overview
This section describes the background and functions of local attack defense.

9.2 Local Attack Defense Features Supported by the AR200-S
This section describes local attack defense features supported by the AR200-S.

9.3 Configuring Attack Source Tracing
The attack source tracing function checks for attack packets sent to the CPU and notifies users by sending logs or alarms.

9.4 Configuring CPU Attack Defense
CPU attack defense limits the rate of packets sent to the CPU to protect the CPU.

9.5 Maintaining the Attack Defense Policy
This section describes how to maintain the attack defense policy.

9.6 Configuration Examples
This section provides attack defense policy configuration examples.


9.1 Local Attack Defense Overview


This section describes the background and functions of local attack defense. On a network, a large number of packets including valid packets and malicious attack packets need to be delivered to the CPU. The malicious attack packets will affect other services or even interrupt the system. When the AR200-S processes excess valid packets, the CPU usage becomes high. As a result, the CPU performance deteriorates and services are interrupted. To protect the CPU and ensure that it can process services, the AR200-S provides the local attack defense function. The local attack defense functions protect the AR200-S against attacks, ensure service transmission in the case of attacks, and minimize the impact on the services in the case of attacks by limiting the rate of packets sent to the CPU.

9.2 Local Attack Defense Features Supported by the AR200-S


This section describes local attack defense features supported by the AR200-S.

Attack Defense Policies Supported by the AR200-S


The AR200-S supports the default attack defense policy. The default attack defense policy defines the rate limit and priority for protocol packets, and defines the rate limit for all the packets sent to the CPU. It is applied to all the boards by default, and cannot be modified or deleted. Attack defense policies can be created on the AR200-S. The configuration in a user-defined attack defense policy overrides the configuration in the default attack defense policy. If no parameter is configured in the user-defined attack defense policy, the configuration in the default attack defense policy is used.

Attack Defense Functions Supported by the AR200-S


Attack source tracing and CPU attack defense can be configured in the same attack defense policy on the AR200-S.

Attack source tracing checks attack packets sent to the CPU and notifies the administrator by sending logs or alarms so that the administrator can take measures to defend against attacks. For example, the administrator can add the possible attack source to a blacklist. Attack source tracing provides the following functions:
- Attack source check
  After attack source tracing is enabled, you can set the threshold for attack source tracing. When the number of protocol packets sent from an attack source in a given period exceeds the threshold, the AR200-S traces and logs the attack source to notify the administrator.
- Alarm function for attack source tracing
  After the alarm function for attack source tracing is enabled, you can set the alarm threshold for attack source tracing. If the number of protocol packets sent from an attack source in a given period exceeds the alarm threshold, an alarm is generated to notify the administrator.

CPU attack defense limits the rate of all the packets sent to the CPU to protect the CPU. CPU attack defense provides the following functions:
- Blacklist
  A blacklist refers to a group of unauthorized users. To defend against malicious attacks, the AR200-S adds users with a specific characteristic to a blacklist by using ACL rules and discards the packets sent from the users in the blacklist.
- Rate limit
  The rate limit function limits the rate of packets sent to the CPU. The AR200-S sets different rate limits for packets of different types or discards packets of a certain type to protect the CPU.
- Priority for packets of a specified protocol
  The AR200-S schedules packets sent to the CPU based on priorities of protocol packets to ensure that packets with higher protocol priorities are processed first.
- Rate limit
  The AR200-S can limit the rate of all the packets sent to the CPU to protect the CPU.
- ALP
  Active link protection (ALP) protects session-based application layer data, including data of HTTP sessions and FTP sessions. It ensures non-stop transmission of these services when attacks occur. When the AR200-S detects the setup of an HTTP or FTP session, ALP is enabled to protect the session. The packets matching the characteristics of the session are sent at a high rate; therefore, the reliability and stability of session-related services are ensured.

9.3 Configuring Attack Source Tracing


The attack source tracing function checks for attack packets sent to the CPU and notifies users by sending logs or alarms.

Applicable Environment
A large number of attack packets may attack the CPUs of network devices. Attack source tracing checks attack packets sent to the CPU and notifies the administrator by sending logs or alarms so that the administrator can take measures to defend against attacks.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-name

An attack defense policy is created and the attack defense policy view is displayed. The AR200-S supports a maximum of 19 attack defense policies, including the default attack defense policy. The default attack defense policy is automatically generated in the system by default and is applied to all boards. The default attack defense policy cannot be deleted or modified. The other 18 policies can be created and deleted.

Step 3 (Optional) Run:
description text


The description of the attack defense policy is configured.

Step 4 Run:
auto-defend enable

Automatic attack source tracing is enabled. By default, attack source tracing is disabled.

Step 5 (Optional) Run:
auto-defend protocol { all | { arp | dhcp | icmp | igmp | tcp | telnet | ttl-expired } * }

The types of traced packets are specified. By default, the AR200-S traces sources of ARP, DHCP, ICMP, IGMP, TCP, Telnet, and TTL-expired packets after attack source tracing is enabled.

Step 6 (Optional) Run:
auto-defend trace-type { source-ip | source-mac | source-portvlan } *

The attack source tracing modes are specified. By default, the AR200-S traces attack sources based on the source IP address, source MAC address, and source interface plus VLAN.

Step 7 (Optional) Run:
auto-defend threshold threshold

The threshold for attack source tracing is set. By default, the threshold for attack source tracing is 128 pps.

Step 8 (Optional) Run:
auto-defend action deny [ timer time-length ]

The AR200-S is configured to drop packets sent from attack sources. By default, the AR200-S does not drop packets sent from attack sources.

Step 9 (Optional) Configure the alarm function for attack source tracing.
1. Run:
auto-defend alarm enable

The alarm function for attack source tracing is enabled. By default, the alarm function for attack source tracing is disabled.

2. (Optional) Run:
auto-defend alarm threshold threshold

The alarm threshold for attack source tracing is set. By default, the alarm threshold for attack source tracing is 128 pps.

Step 10 In the system view, run:
cpu-defend-policy policy-name [ global | slot slot-id ]

The attack defense policy is applied. If the attack defense policy is applied to an LPU or SRU, it takes effect for only the packets sent to the CPU of the LPU or SRU. If global or slot is not specified, the attack defense policy is applied to the SRU. If global is specified, the attack defense policy is applied to all LPUs. If slot is specified, the attack defense policy is applied to an LPU in a specified slot.
NOTE

Attack source tracing configured in an attack defense policy takes effect only when the attack defense policy is applied to the SRU.

----End
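A model of the threshold, alarm and deny-timer behaviour of the procedure above, added here as an illustration rather than code from the AR200-S or its documentation. Only the 128 pps defaults and the list of traced protocols come from the page; the per-second counting window, the one-notification-per-window rule, the deny timer starting at the moment the threshold is crossed, and the sample traffic are constructed assumptions.

```python
from collections import defaultdict

# Defaults quoted from the page: both thresholds are 128 pps, and these seven
# protocol types are traced once auto-defend is enabled.
DEFAULT_THRESHOLD_PPS = 128
DEFAULT_ALARM_THRESHOLD_PPS = 128
TRACED_PROTOCOLS = frozenset(
    {"arp", "dhcp", "icmp", "igmp", "tcp", "telnet", "ttl-expired"})


class AttackSourceTracer:
    """Hypothetical per-second model of auto-defend attack source tracing.

    Packets are tuples (timestamp_seconds, source_ip, protocol). Traced-protocol
    packets are counted per (1-second window, source); when a count first
    exceeds the threshold the source is logged (and alarmed, if enabled), and
    if deny_timer is set (auto-defend action deny [timer]) the source's traffic
    is dropped for deny_timer seconds from the moment the threshold was crossed.
    """

    def __init__(self, threshold=DEFAULT_THRESHOLD_PPS, alarm_enabled=False,
                 alarm_threshold=DEFAULT_ALARM_THRESHOLD_PPS, deny_timer=None):
        self.threshold = threshold
        self.alarm_enabled = alarm_enabled
        self.alarm_threshold = alarm_threshold
        self.deny_timer = deny_timer
        self.counts = defaultdict(int)   # (window, src) -> packets this second
        self.deny_until = {}             # src -> time at which the deny expires
        self.events = []                 # ("log" | "alarm", window, src, count)
        self.stats = {"forwarded": 0, "dropped": 0}

    def process(self, ts, src, proto):
        """Return "forward" or "drop" for one packet and record notifications."""
        if proto not in TRACED_PROTOCOLS:
            self.stats["forwarded"] += 1
            return "forward"
        window = int(ts)
        self.counts[(window, src)] += 1
        n = self.counts[(window, src)]
        # Each notification fires once per window, on the first excess packet.
        if n == self.threshold + 1:
            self.events.append(("log", window, src, n))
            if self.deny_timer is not None:
                self.deny_until[src] = ts + self.deny_timer
        if self.alarm_enabled and n == self.alarm_threshold + 1:
            self.events.append(("alarm", window, src, n))
        if src in self.deny_until and ts < self.deny_until[src]:
            self.stats["dropped"] += 1
            return "drop"
        self.stats["forwarded"] += 1
        return "forward"


def constructed_stream():
    """Constructed sample traffic (not from the page): one flooding host and
    one host sending a normal rate, followed by two probes from the flooder."""
    pkts = [(i / 1000, "10.0.0.9", "icmp") for i in range(200)]   # 200 pps burst
    pkts += [(i / 100, "10.0.0.5", "icmp") for i in range(10)]    # 10 pps, benign
    pkts += [(2.0, "10.0.0.9", "icmp"), (6.0, "10.0.0.9", "icmp")]
    return sorted(pkts)   # in timestamp order, as the device would see them


def run_demo(deny_timer=5):
    """Run the stream through a tracer with alarms on and an optional deny timer."""
    tracer = AttackSourceTracer(alarm_enabled=True, deny_timer=deny_timer)
    verdicts = [(ts, src, tracer.process(ts, src, proto))
                for ts, src, proto in constructed_stream()]
    return tracer, verdicts
```

With the 5-second deny timer the flooder's packets are dropped from the 129th packet of its burst until just after t = 5.128, so its probe at t = 2.0 is dropped and the one at t = 6.0 is forwarded again.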

Checking the Configuration


# Run the display auto-defend attack-source command to view the attack source list on the SRU.
# Run the display auto-defend configuration command to view the configuration of attack source tracing.
# Run the display cpu-defend policy command to check the attack defense policy.

9.4 Configuring CPU Attack Defense


CPU attack defense limits the rate of packets sent to the CPU to protect the CPU.

9.4.1 Establishing the Configuration Task


Before configuring an attack defense policy, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
When a large number of users connect to the AR200-S, the AR200-S may be attacked by the packets sent to the CPU or needs to process a large number of these packets. The AR200-S can limit the rate of all the packets sent to the CPU to protect the CPU. CPU attack defense provides hierarchical device protection:
- Level 1: The AR200-S uses blacklists to filter invalid packets sent to the CPU.
- Level 2: The AR200-S limits the rate of packets sent to the CPU based on the protocol type to prevent excess packets of a particular protocol from being sent to the CPU.
- Level 3: The AR200-S schedules packets sent to the CPU based on the protocol priority to ensure that packets with higher protocol priorities are processed first.
- Level 4: The AR200-S uniformly limits the rate of packets sent to the CPU and randomly discards the excess packets to ensure CPU security.

Active link protection (ALP) protects session-based application layer data, including data of HTTP sessions and FTP sessions. It ensures non-stop transmission of these services when attacks occur.

Pre-configuration Tasks
Before configuring an attack defense policy, complete the following task:
- Connecting interfaces and setting the physical parameters of interfaces so that the physical layer is Up

Data Preparation
To configure an attack defense policy, you need the following data.
1. Name of an attack defense policy
2. (Optional) Description of an attack defense policy
3. (Optional) ACL rule and number in the blacklist
4. (Optional) Rate limit for packets sent to the CPU
5. (Optional) Priority of protocol packets
6. (Optional) Rate limit for all the packets sent to the CPU
7. (Optional) ALP rate limit
8. Number of the LPU to which the attack defense policy is applied

9.4.2 Creating an Attack Defense Policy


This section describes how to create an attack defense policy.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
cpu-defend policy policy-name

An attack defense policy is created and the attack defense policy view is displayed.
The AR200-S supports a maximum of 19 attack defense policies, including the default attack defense policy. The default attack defense policy is generated automatically by the system and is applied to all boards. It cannot be deleted or modified. The other 18 policies can be created and deleted.
Step 3 (Optional) Run:
description text

The description of the attack defense policy is configured.
----End


9.4.3 (Optional) Configuring a Blacklist


A blacklist is a set of unauthorized users. The packets that match ACL rules bound to the blacklist are discarded.

Context
To defend against malicious attacks, the AR200-S adds users with a specific characteristic to a blacklist by using ACL rules and discards the packets sent from the users in the blacklist.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
cpu-defend policy policy-name

The attack defense policy view is displayed.
Step 3 Run:
blacklist blacklist-id acl acl-number

A blacklist is created. A maximum of eight blacklists can be configured on the AR200-S. The ACL referenced by the blacklist can be a basic ACL, an advanced ACL, or a Layer 2 ACL.
By default, no blacklist is configured on the AR200-S.
----End

9.4.4 (Optional) Configuring the Rate Limit for Packets Sent to the CPU
The AR200-S sets different rate limits for packets of different types or discards packets of a certain type to protect the CPU.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
cpu-defend policy policy-name

The attack defense policy view is displayed.
Step 3 Configure the rate limit.
- Run:
packet-type packet-type rate-limit rate-value

The rate limit for packets sent to the CPU is set. Excess packets are discarded.
- Run:
deny packet-type packet-type

The AR200-S is configured to discard packets of a specified type sent to the CPU. That is, the rate limit for packets of the specified type is 0.
By default, the AR200-S applies the rate limit defined in the default attack defense policy to the packets sent to the CPU.
----End

9.4.5 (Optional) Setting the Priority of Protocol Packets


After an attack defense policy is created, set the priorities of protocol packets in the attack defense policy so that packets with higher priorities are processed first.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
cpu-defend policy policy-name

The attack defense policy view is displayed.
Step 3 Run:
packet-type packet-type priority priority-level

The priority of protocol packets sent to the CPU is set.
By default, the priority defined in the default attack defense policy is used for protocol packets sent to the CPU.
----End

9.4.6 (Optional) Configuring the Rate Limit for All Packets Sent to the CPU
After an attack defense policy is created, set the rate limit for all packets sent to the CPU in the attack defense policy. The AR200-S then randomly discards the packets that exceed the rate limit to protect the CPU.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
cpu-defend policy policy-name

The attack defense policy view is displayed.
Step 3 Run:
rate-limit all-packets pps pps-value

The rate limit for all packets sent to the CPU is set. The AR200-S then randomly discards the packets that exceed the rate limit to protect the CPU.
----End

9.4.7 (Optional) Configuring the Rate Limit for Packets After ALP Is Enabled
You can set the rate limit for packets in the attack defense policy after ALP is enabled.

Context
Active link protection (ALP) protects session-based application layer data, including HTTP and FTP session data. It ensures non-stop transmission of these services when attacks occur.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
cpu-defend policy policy-name

The attack defense policy view is displayed.
Step 3 Run:
application-apperceive packet-type { ftp | http } rate-limit rate-value

The rate limit for HTTP or FTP packets is set.

NOTE

During setup of an HTTP or FTP connection, if the application-apperceive command is not used to specify a rate, the default rate limit of application-apperceive is applied to HTTP and FTP packets. By default, when the session is enabled with ALP, the rate limit for FTP packets is 1024 pps and the rate limit for HTTP packets is 512 pps.

----End

9.4.8 Applying the Attack Defense Policy


An attack defense policy takes effect only when it is applied to a board.

Prerequisites
To protect session-based application layer data, including HTTP and FTP session data, and to ensure non-stop transmission of these services when attacks occur, enable active link protection (ALP) before you create an attack defense policy.

Context
An attack defense policy can be applied to the SRU, to all LAN-side LPUs, or to a specified LAN-side LPU in the system view.
NOTE

If the attack defense policy is applied to a LAN-side LPU or the SRU, it takes effect only for the packets sent to the CPU of that LAN-side LPU or SRU.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 (Optional) Run:
cpu-defend application-apperceive [ ftp | http ] enable

ALP is enabled.
NOTE

By default, ALP is enabled for FTP and HTTP.

Step 3 Run:
cpu-defend-policy policy-name [ global ]

The attack defense policy is applied. If global is not specified, the attack defense policy is applied to the SRU. If global is specified, the attack defense policy is applied to all LAN-side LPUs.
----End

9.4.9 Checking the Configuration


This section describes how to check the CPU attack defense configuration.

Procedure
- Run the display cpu-defend policy [ policy-name ] command to check the attack defense policy.
- Run the display cpu-defend statistics [ packet-type packet-type ] command to check the statistics on packets sent to the CPU.
- Run the display cpu-defend configuration [ packet-type packet-type ] { all | sru } command to check the rate limit configuration for protocol packets sent to the CPU.

----End

9.5 Maintaining the Attack Defense Policy


This section describes how to maintain the attack defense policy.


9.5.1 Clearing Statistics on Packets Sent to the CPU


This section describes how to clear statistics on packets sent to the CPU.

Procedure
- Run the reset cpu-defend statistics [ packet-type packet-type ] command to clear statistics on packets sent to the CPU.

----End

9.5.2 Clearing Attack Source Information


This section describes how to clear attack source information.

Procedure
- Run the reset auto-defend attack-source command to clear attack source information.

----End

9.6 Configuration Examples


This section provides attack defense policy configuration examples.

9.6.1 Example for Configuring an Attack Defense Policy


This section provides an example for configuring an attack defense policy.

Networking Requirements
As shown in Figure 9-1, users on different LANs access the Internet through RouterA. To locate attacks on RouterA, attack source tracing needs to be configured. The problems in this scenario are as follows:
- A user on the network segment Net1 often attacks RouterA.
- Attackers send a large number of ARP Request packets, resulting in CPU performance deterioration.
- The administrator needs to upload files to RouterA using FTP, so an FTP connection between the administrator's host and RouterA needs to be set up.
- Most LAN users obtain IP addresses using DHCP, whereas RouterA does not process DHCP Client packets sent to the CPU first.
- The Telnet server is not enabled on RouterA, whereas RouterA often receives a large number of Telnet packets.

Configurations should be performed on RouterA to solve the preceding problems.


Figure 9-1 Networking diagram of attack defense policy configurations
[Figure: RouterA connects three LANs, Net1 (1.1.1.0/24), Net2 (2.2.2.0/24) and Net3 (3.3.3.0/24), on Ethernet0/0/1, Ethernet0/0/2 and Ethernet0/0/3, and reaches the Internet through RouterB.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a blacklist and add attackers on the network segment Net1 to the blacklist to prevent users on Net1 from accessing the network.
2. Configure the rate limit for ARP Request packets sent to the CPU.
3. Configure active link protection (ALP) for FTP so that file data can be transmitted between the administrator's host and RouterA.
4. Configure a high priority for DHCP Client packets so that RouterA first processes DHCP Client packets sent to the CPU.
5. Configure application layer association for Telnet so that RouterA discards the received Telnet packets.

Data Preparation
To complete the configuration, you need the following data:
- Name of the attack defense policy: devicesafety
- Threshold for attack source tracing: 50 pps
- MAC address of the attacker: 0001-c0a8-0102
- ACL number: 4001
- Blacklist ID: 1
- Rate limit for ARP Request packets sent to the CPU: 64 pps
- Rate limit for FTP packets after ALP is enabled: 2000 pps
- Priority of DHCP Client packets: 3
NOTE

This section provides only the configuration procedure for the local attack defense function supported by the AR200-S. For details about the routing configuration, see the Huawei AR200-S Series Enterprise Routers Configuration Guide - IP Routing.


Procedure
Step 1 Configure an ACL to be referenced by the blacklist.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] acl number 4001
[RouterA-acl-L2-4001] rule 5 permit source-mac 0001-c0a8-0102
[RouterA-acl-L2-4001] quit

Step 2 Create an attack defense policy.


[RouterA] cpu-defend policy devicesafety

Step 3 Configure the threshold for attack source tracing.


[RouterA-cpu-defend-policy-devicesafety] auto-defend enable
[RouterA-cpu-defend-policy-devicesafety] auto-defend threshold 50

Step 4 Configure a blacklist.


[RouterA-cpu-defend-policy-devicesafety] blacklist 1 acl 4001

Step 5 Configure the rate limit for ARP Request packets sent to the CPU.
[RouterA-cpu-defend-policy-devicesafety] packet-type arp-request rate-limit 64

Step 6 Configure the rate limit for FTP packets after ALP is enabled.
[RouterA-cpu-defend-policy-devicesafety] application-apperceive packet-type ftp rate-limit 2000

Step 7 Set the priority of DHCP Client packets.


[RouterA-cpu-defend-policy-devicesafety] packet-type dhcp-client priority 3
[RouterA-cpu-defend-policy-devicesafety] quit

Step 8 Apply the attack defense policy.
# Enable ALP for FTP.
[RouterA] cpu-defend application-apperceive ftp enable

# Apply the attack defense policy to the SRU.


[RouterA] cpu-defend-policy devicesafety

Step 9 Configure application layer association for Telnet.


[RouterA] undo telnet server enable

Step 10 Verify the configuration.
# View information about the configured attack defense policy.
[RouterA] display cpu-defend policy devicesafety
 Related slot : <0>
 BlackList Status :
  Slot<0> : Success
 Configuration :
  Blacklist 1 ACL number : 4001
  Packet-type arp-request rate-limit : 64(pps)
  Packet-type dhcp-client priority : 3
  Rate-limit all-packets : 2000(pps) (default)
  Application-apperceive packet-type ftp : 2000(pps)
  Application-apperceive packet-type tftp : 2000(pps)

# View the rate limit configuration on the SRU. You can see that application layer association for Telnet, the rate limit for ARP Request packets sent to the CPU, and the priority for DHCP client packets are configured successfully.
<Huawei> display cpu-defend configuration sru
Rate configurations on main board.
----------------------------------------------------------------
Packet-type             Status      Rate-limit(PPS)   Priority
----------------------------------------------------------------
8021X                   Disabled    128               2
arp-miss                Enabled     64                2
arp-reply               Enabled     128               2
arp-request             Enabled     64                2
bfd                     Disabled    256               4
bgp                     Enabled     256               3
bgp4plus                Enabled     256               3
dhcp-client             Enabled     128               3
dhcp-server             Enabled     128               2
dhcpv6-reply            Enabled     128               2
dhcpv6-request          Enabled     128               2
dns                     Enabled     256               2
fib-hit                 Enabled     256               2
fr                      Enabled     128               3
ftp-client              Disabled    256               2
ftp-server              Enabled     256               2
fw-dns                  Enabled     128               2
fw-ftp                  Enabled     128               2
fw-http                 Enabled     128               2
fw-rtsp                 Enabled     128               2
fw-sip                  Enabled     128               2
gre-keepalive           Enabled     128               3
gvrp                    Enabled     48                3
hdlc                    Enabled     128               3
http-client             Enabled     256               4
http-server             Enabled     256               4
hw-tacacs               Enabled     128               2
icmp                    Enabled     256               2
icmpv6                  Enabled     256               2
igmp                    Enabled     256               2
ip-option               Enabled     256               2
ipsec-ike               Enabled     128               2
ipsec-isa               Enabled     128               2
ipsec-osa               Enabled     128               2
isis                    Enabled     128               3
isisv6                  Enabled     128               3
l2tp                    Enabled     128               2
lacp                    Enabled     320               3
lldp                    Enabled     48                3
nd                      Enabled     128               5
nd-miss                 Enabled     64                5
nhrp                    Enabled     256               3
ntp                     Enabled     128               4
ospf                    Enabled     256               3
ospfv3                  Enabled     256               3
pim                     Disabled    256               3
ppp                     Enabled     256               2
pppoe                   Enabled     256               2
radius                  Enabled     128               2
rip                     Enabled     128               3
ripng                   Enabled     256               3
snmp                    Enabled     256               4
ssh-client              Enabled     128               4
ssh-server              Enabled     128               4
sslvpn                  Enabled     4096              3
stp                     Enabled     96                3
tcp                     Enabled     128               2
telnet-client           Enabled     128               4
telnet-server           Enabled     128               4
ttl-expired             Enabled     256               1
udp-helper              Disabled    16                2
unknown-multicast       Enabled     128               1
unknown-packet          Enabled     256               1
voice                   Enabled     256               4
vrrp                    Disabled    256               3
----------------------------------------------------------------


# The log for attack source tracing of Net1 indicates that attack source tracing has taken effect.
Dec 18 2010 09:55:50-05:13 AR200-S %%01SECE/4/USER_ATTACK(l)[0]:User attack occurred.(Slot=MPU, SourceAttackInterface=Ethernet0/0/1, OuterVlan/InnerVlan=0/0, UserMacAddress=0001-c0a8-0102, AttackPackets=48 packets per second)

# View the statistics on packets sent to the SRU. The discarded packets indicate that the rate limit is set for ARP Request packets.
<Huawei> display cpu-defend statistics
----------------------------------------------------------------------
Packet Type              Pass Packets           Drop Packets
----------------------------------------------------------------------
8021X                    0                      0
arp-miss                 5                      0
arp-reply                8090                   0
arp-request              1446576                127773
bfd                      0                      0
bgp                      0                      0
bgp4plus                 0                      0
dhcp-client              879                    0
dhcp-server              0                      0
dhcpv6-reply             0                      0
dhcpv6-request           0                      0
dlsw                     0                      0
dns                      4                      0
fib-hit                  0                      0
fr                       0                      0
ftp-client               0                      0
ftp-server               0                      0
fw-dns                   0                      0
fw-ftp                   0                      0
fw-http                  0                      0
fw-rtsp                  0                      0
fw-sip                   0                      0
gre-keepalive            0                      0
gvrp                     0                      0
hdlc                     0                      0
http-client              0                      0
http-server              0                      0
hw-tacacs                0                      0
icmp                     59                     0
icmpv6                   224                    0
igmp                     539                    0
ip-option                0                      0
ipsec-ike                0                      0
ipsec-isa                0                      0
ipsec-osa                0                      0
isis                     70252                  0
isisv6                   0                      0
l2tp                     0                      0
lacp                     0                      0
lldp                     0                      0
nd                       358                    0
nd-miss                  0                      0
nhrp                     0                      0
ntp                      0                      0
ospf                     0                      0
ospfv3                   0                      0
pim                      0                      0
ppp                      0                      0
pppoe                    0                      0
radius                   0                      0
rip                      11306                  0
ripng                    7385                   0
snmp                     0                      0
ssh-client               0                      0
ssh-server               0                      0
sslvpn                   0                      0
stp                      0                      0
tcp                      15                     0
telnet-client            81476                  0
telnet-server            0                      0
ttl-expired              0                      0
udp-helper               0                      0
unknown-multicast        0                      0
unknown-packet           66146                  0
voice                    0                      0
vrrp                     0                      0
----------------------------------------------------------------------

----End
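As an added example that is not part of this guide, the following Python script parses the two verification outputs used in Step 10, the display cpu-defend statistics table and the SECE/4/USER_ATTACK log line, and reports which packet types the applied rate limits are actually discarding and which source tripped attack source tracing. The sample text is a constructed, abridged copy of the output shown above.

```python
import re

# Constructed, abridged copy of the 'display cpu-defend statistics' output shown above.
SAMPLE_STATS = """\
<Huawei> display cpu-defend statistics
----------------------------------------------------------------------
Packet Type              Pass Packets           Drop Packets
----------------------------------------------------------------------
arp-miss                 5                      0
arp-reply                8090                   0
arp-request              1446576                127773
dhcp-client              879                    0
telnet-client            81476                  0
unknown-packet           66146                  0
----------------------------------------------------------------------
"""

# Constructed copy of the attack source tracing log shown above.
SAMPLE_LOG = (
    "Dec 18 2010 09:55:50-05:13 AR200-S %%01SECE/4/USER_ATTACK(l)[0]:User attack "
    "occurred.(Slot=MPU, SourceAttackInterface=Ethernet0/0/1, OuterVlan/InnerVlan=0/0, "
    "UserMacAddress=0001-c0a8-0102, AttackPackets=48 packets per second)"
)

# One statistics row: packet type, pass counter, drop counter. Header and separator
# lines do not match because their second and third fields are not integers.
STATS_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")
# The parenthesised field list that follows "User attack occurred."
USER_ATTACK = re.compile(r"SECE/4/USER_ATTACK\b.*?occurred\.\((?P<body>[^)]*)\)")
# Key=value pairs inside it; a key may contain one slash (OuterVlan/InnerVlan).
KV = re.compile(r"(\w+(?:/\w+)?)=([^,]+)")


def parse_statistics(text):
    """Return {packet_type: (pass_packets, drop_packets)} from the statistics table."""
    stats = {}
    for line in text.splitlines():
        m = STATS_ROW.match(line.strip())
        if m:
            stats[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return stats


def dropped_types(stats, min_drop=1):
    """Packet types whose drop counter is at least min_drop, as
    (type, dropped, drop_ratio) tuples sorted by dropped count, highest first.

    A non-zero drop counter is the sign that a rate limit in the applied policy
    (here: packet-type arp-request rate-limit 64) is actually discarding traffic."""
    rows = []
    for ptype, (passed, dropped) in stats.items():
        total = passed + dropped
        if dropped >= min_drop and total:
            rows.append((ptype, dropped, round(dropped / total, 4)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


def parse_user_attack(line):
    """Return the fields of a SECE/4/USER_ATTACK log line as a dict, or None for
    any other log line. AttackPackets is reduced to its integer pps value."""
    m = USER_ATTACK.search(line)
    if not m:
        return None
    fields = dict(KV.findall(m.group("body")))
    pps = re.match(r"\d+", fields.get("AttackPackets", ""))
    fields["AttackPackets"] = int(pps.group()) if pps else None
    return fields


if __name__ == "__main__":
    for ptype, dropped, ratio in dropped_types(parse_statistics(SAMPLE_STATS)):
        print(f"{ptype}: {dropped} dropped ({ratio:.1%} of packets sent to the CPU)")
    attack = parse_user_attack(SAMPLE_LOG)
    print(f"attack source {attack['UserMacAddress']} on {attack['SourceAttackInterface']}"
          f" at {attack['AttackPackets']} pps")
```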

Configuration Files
#
 sysname RouterA
#
acl number 4001
 rule 5 permit source-mac 0001-c0a8-0102
#
cpu-defend policy devicesafety
 blacklist 1 acl 4001
 packet-type arp-request rate-limit 64
 packet-type dhcp-client priority 3
 application-apperceive packet-type ftp rate-limit 2000
 auto-defend enable
 auto-defend threshold 50
 auto-defend trace-type source-mac source-ip source-portvlan
 auto-defend protocol all
#
cpu-defend-policy devicesafety
#
undo telnet server enable
#
return


10 ACL Configuration

About This Chapter

This chapter explains how to filter data packets on an AR200-S by defining an Access Control List (ACL) to determine allowed packet types.

10.1 ACL Overview
This section describes the basic concept of ACLs.

10.2 ACL Features Supported by the AR200-S

10.3 Configuring a Basic ACL
A basic ACL classifies IPv4 packets based on information such as source IP addresses, fragment flags, and time ranges.

10.4 Configuring an Advanced ACL
An advanced ACL classifies IPv4 packets based on information such as source and destination IP addresses, source and destination port numbers, packet priorities, and time ranges.

10.5 Configuring a Layer 2 ACL
A Layer 2 ACL classifies Layer 2 packets with the Ethernet protocol type of Ethernet_II based on information such as the source and destination MAC addresses, and Layer 2 protocol type.

10.6 Configuration Examples
This section provides several configuration examples of ACLs.


10.1 ACL Overview


This section describes the basic concept of ACLs.

An ACL is composed of a list of rules. Each rule contains a permit or deny clause. The rules use information in packets to classify the packets. After these rules are applied to the AR200-S, the AR200-S determines which packets to receive and which to reject. ACLs can be applied to some services and functions on the AR200-S, for example, the routing policy, traffic classifier, firewall, and IPSec.
NOTE

An ACL is only a set of rules and cannot filter packets directly. The ACL can identify packets of a certain type and the packets of this type are processed by the function that references the ACL.

10.2 ACL Features Supported by the AR200-S


ACLs Supported by the AR200-S
The AR200-S supports different types of ACLs, as shown in Table 10-1.

Table 10-1 Classification of ACLs
Classification rule: information defined in an ACL
- Basic ACL: matches packets based on information such as source IP addresses, fragment flags, and time ranges. The number of a basic ACL ranges from 2000 to 2999.
- Advanced ACL: matches packets based on information such as source and destination IP addresses, source and destination port numbers, packet priorities, and time ranges. The number of an advanced ACL ranges from 3000 to 3999.
- Layer 2 ACL: matches packets based on Layer 2 information in packets, such as source and destination MAC addresses, and Layer 2 protocol types. The number of a Layer 2 ACL ranges from 4000 to 4999.
Classification rule: naming mode
- Numbered ACL: identified by a number, which can be specified to reference the ACL.
- Named ACL: identified by a character string name, which can be specified to reference the ACL. Named ACLs are easy to identify and remember. The AR200-S supports flexible ACL naming modes. You can also specify a number for a named ACL. If no ACL number is specified for a named ACL, the system allocates an ACL number to the named ACL.

Table 10-2 shows the information that basic ACLs, advanced ACLs, and Layer 2 ACLs can use to define rules. Advanced ACLs can define rules based on IP version information and the type of the protocol over IP, such as Generic Routing Encapsulation (GRE), Internet Group Management Protocol (IGMP), IPinIP, Open Shortest Path First (OSPF), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).

Table 10-2 Information that can be used by different types of ACLs to define rules
Columns: Basic ACL (IP); Advanced ACL by protocol over IP: IP, GRE/IGMP/IPinIP/OSPF (shown as GRE+), TCP, UDP, ICMP; Layer 2 ACL (L2).

Information defined in an ACL      Basic  IP   GRE+  TCP  UDP  ICMP  L2
Layer 3 information
  Source IP address                Yes    Yes  Yes   Yes  Yes  Yes   No
  Destination IP address           No     Yes  Yes   Yes  Yes  Yes   No
  DiffServ Codepoint (DSCP)        No     Yes  Yes   Yes  Yes  Yes   No
  Priority                         No     Yes  Yes   Yes  Yes  Yes   No
  Fragment flag                    Yes    Yes  Yes   Yes  Yes  Yes   No
  Type of Service (ToS)            No     Yes  Yes   Yes  Yes  Yes   No
  ICMP packet type and code        No     No   No    No   No   Yes   No
Layer 4 information
  Source port number               No     No   No    Yes  Yes  No    No
  Destination port number          No     No   No    Yes  Yes  No    No
  SYN flag type                    No     No   No    Yes  No   No    No
Layer 2 information
  Source MAC address               No     No   No    No   No   No    Yes
  Destination MAC address          No     No   No    No   No   No    Yes
  Layer 2 protocol type            No     No   No    No   No   No    Yes
  VLAN ID                          No     No   No    No   No   No    Yes
  802.1p priority                  No     No   No    No   No   No    Yes
Other information
  Time range                       Yes    Yes  Yes   Yes  Yes  Yes   Yes

Other ACL Features Supported by the AR200-S


The AR200-S supports the following ACL features:
- Step: The step value makes it possible to add a new rule between existing rules and to control the matching order of rules.
- Description of an ACL: The description of an ACL describes the function or usage of the ACL. It is used to differentiate ACLs.
- Description of an ACL rule: The description of an ACL rule describes the function or usage of the ACL rule. It is used to differentiate ACL rules.
- Time range: A time range defines the period during which ACL rules take effect. Some services or functions that reference ACLs need to be started during a specified period of time, for example, QoS needs to be started during peak hours. You can create a time range and reference the time range in an ACL so that the ACL takes effect in the time range. The service or function that references the ACL is also started in the specified time range.
NOTE

The ACLs configured on fixed LAN-side interfaces do not take effect for Layer 2 traffic transmitted between LANs.

10.3 Configuring a Basic ACL


A basic ACL classifies IPv4 packets based on information such as source IP addresses, fragment flags, and time ranges.

10.3.1 Establishing the Configuration Task


Before configuring a basic ACL, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
Basic ACLs can be referenced by many services and functions such as the routing policy and traffic classifier. The AR200-S processes different types of packets based on basic ACL rules. Basic ACLs are applied to all the IPv4 packets at the network layer and upper layers. Basic ACLs classify packets based on source IP addresses, fragment flags, and time ranges in the packets.

Pre-configuration Tasks
Before configuring a basic ACL, complete the following task:
- Setting link layer protocol parameters for interfaces to ensure that the link layer protocol status on the interfaces is Up

Data Preparation
To configure a basic ACL, you need the following data.
1. (Optional) Name of a time range during which ACL rules take effect
2. Number or name of a basic ACL
3. Source IP address, fragment flag
4. (Optional) Description of a basic ACL
5. (Optional) Description of a basic ACL rule
6. (Optional) Step between ACL rule IDs


10.3.2 (Optional) Creating a Time Range for a Basic ACL


To make a basic ACL take effect during a specified period of time, create a time range and reference the time range in the basic ACL. If no time range is specified for the ACL, the ACL remains effective until it is deleted or the rules of the ACL are deleted.

Context
Some services or functions that reference basic ACLs need to be started during a specified period of time, for example, QoS needs to be started during peak hours. You can create a time range and reference the time range in a basic ACL so that the basic ACL takes effect in the time range. The service or function that references the basic ACL is also started in the specified time range.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }

A time range is created. To configure multiple time ranges with the same name on the AR200-S, run the preceding command with the same value of time-name multiple times.
NOTE

You can configure the same name for multiple time ranges to describe a special period. Assume that the same name test is configured for the following time ranges:
- Time range 1: 2010-01-01 00:00 to 2010-12-31 23:59 (absolute time range)
- Time range 2: 8:00 to 18:00 from Monday to Friday (periodic time range)
- Time range 3: 14:00 to 18:00 on Saturday and Sunday (periodic time range)
The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in 2010.

----End

Follow-up Procedure
Reference the time range in a basic ACL rule.
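As an added example (not the guide's code), the following Python model evaluates a named time range built from several time-range entries the way the note above describes: periodic entries under the same name are alternatives, and the absolute entry bounds them. Representing days as weekday names, and treating a name with no absolute entry as unbounded, are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

WEEKDAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")


@dataclass(frozen=True)
class Periodic:
    """time-range time-name start-time to end-time days"""
    start: time
    end: time
    days: frozenset      # lower-case weekday names (assumed representation of 'days')

    def contains(self, when):
        return WEEKDAYS[when.weekday()] in self.days and self.start <= when.time() <= self.end


@dataclass(frozen=True)
class Absolute:
    """time-range time-name from time1 date1 [ to time2 date2 ]"""
    start: datetime
    end: Optional[datetime]   # None when the optional 'to' part is omitted

    def contains(self, when):
        return self.start <= when and (self.end is None or when <= self.end)


class TimeRange:
    """Every time-range entry configured under one time-name."""

    def __init__(self, name):
        self.name = name
        self.periodic = []
        self.absolute = []

    def add_periodic(self, start, end, days):
        self.periodic.append(Periodic(start, end, frozenset(d.lower() for d in days)))

    def add_absolute(self, start, end=None):
        self.absolute.append(Absolute(start, end))

    def is_active(self, when):
        """Periodic entries of the same name are alternatives (OR); the absolute
        entries bound them (AND). A kind with no entries places no restriction."""
        in_periodic = not self.periodic or any(p.contains(when) for p in self.periodic)
        in_absolute = not self.absolute or any(a.contains(when) for a in self.absolute)
        return in_periodic and in_absolute


def build_test_range():
    """The note's time range 'test': all of 2010, Mon-Fri 08:00-18:00, Sat-Sun 14:00-18:00."""
    tr = TimeRange("test")
    tr.add_absolute(datetime(2010, 1, 1, 0, 0), datetime(2010, 12, 31, 23, 59))
    tr.add_periodic(time(8, 0), time(18, 0), WEEKDAYS[:5])
    tr.add_periodic(time(14, 0), time(18, 0), WEEKDAYS[5:])
    return tr


# Constructed instants to evaluate against the 'test' range.
SAMPLE_INSTANTS = {
    "2010-06-15 10:00 Tue": datetime(2010, 6, 15, 10, 0),   # weekday window
    "2010-06-19 10:00 Sat": datetime(2010, 6, 19, 10, 0),   # weekend, before 14:00
    "2010-06-19 15:00 Sat": datetime(2010, 6, 19, 15, 0),   # weekend window
    "2010-06-15 18:01 Tue": datetime(2010, 6, 15, 18, 1),   # just after the window
    "2011-06-14 10:00 Tue": datetime(2011, 6, 14, 10, 0),   # outside the absolute range
}


def evaluate(tr, instants=SAMPLE_INSTANTS):
    """Map each labelled instant to whether the time range is active then."""
    return {label: tr.is_active(when) for label, when in instants.items()}


if __name__ == "__main__":
    for label, active in evaluate(build_test_range()).items():
        print(label, "active" if active else "inactive")
```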

10.3.3 Creating a Basic ACL


Before using a basic ACL, ensure that the basic ACL has been created. You can create a named or numbered basic ACL.

Prerequisites
The display acl all command has been executed to view all the configured ACLs. This prevents duplicate basic ACLs from being configured.

Procedure
- Creating a numbered basic ACL
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  acl [ number ] acl-number [ match-order { auto | config } ]

  A basic ACL with the specified number is created and the basic ACL view is displayed.
  acl-number specifies the number of a basic ACL. The value ranges from 2000 to 2999.
  match-order specifies the matching order of basic ACL rules:
  - auto: ACL rules are matched based on the depth-first principle.
  - config: ACL rules are matched in the sequence in which they were configured.
  3. (Optional) Run:
  description text

  The description of the basic ACL is configured. The description of an ACL describes the function or usage of the ACL and is used to differentiate ACLs. By default, no description is configured for an ACL.
- Creating a named basic ACL
  1. Run:
  system-view

  The system view is displayed.
  2. Run:
  acl name acl-name { basic | acl-number } [ match-order { auto | config } ]

  A basic ACL with the specified name is created and the basic ACL view is displayed.
  acl-number specifies the number of a basic ACL. The value ranges from 2000 to 2999.
  match-order specifies the matching order of basic ACL rules:
  - auto: ACL rules are matched based on the depth-first principle.
  - config: ACL rules are matched in the sequence in which they were configured.
  3. (Optional) Run:
  description text

  The description of the basic ACL is configured. The description of an ACL describes the function or usage of the ACL and is used to differentiate ACLs. By default, no description is configured for an ACL.
----End

Follow-up Procedure
Configure rules in the basic ACL.

10.3.4 Configuring a Basic ACL Rule


A basic ACL is composed of a list of rules. The ACL classifies packets by matching packet information with the ACL rules.

Prerequisites
A basic ACL has been created and the basic ACL view is displayed. Before creating a new rule, run the display acl { acl-number | name acl-name } command to view all the configured ACL rules to prevent the new rule from overriding existing rules.

Context
A basic ACL classifies packets by matching packet information with the ACL rules. After a basic ACL is created, configure rules in the basic ACL.

Procedure
Step 1 (Optional) Run:
step step-value

The step value between ACL rule IDs is set. By default, the step value is 5.
Step 2 Run:
rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name | [ fragment | none-first-fragment ] ] *

A basic ACL rule is configured. To configure multiple rules, repeat this step.
NOTE

If the rule ID is not specified, the step value is used as the start rule ID. If different rules are ANDed or ORed, configure a correct matching order to prevent incorrect configurations.

Step 3 (Optional) Run:
rule rule-id description text

The description of the basic ACL rule is configured. The description of an ACL rule describes the function or usage of the ACL rule and is used to differentiate ACL rules.
----End

Follow-up Procedure
After a basic ACL rule is configured, perform the following operations as required:
- Run the step command to change the step value.
- Run the rule command with rule-id specified to add a new rule between existing rules when the configuration order is used.
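As an added worked example (not code from the guide or from the AR200-S itself), the following Python models a basic ACL as described in 10.3.3 and 10.3.4: wildcard matching of the source address, rule IDs derived from the step value, inserting a rule with an explicit rule-id, and config versus auto matching order. The depth-first ordering, the permit-by-default result for packets matching no rule, and the time-range skipping are simplified assumptions, not statements taken from this page.

```python
"""Added model of an AR200-S basic ACL: wildcard matching, step-based rule IDs, match order."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Source = Optional[Tuple[int, int]]  # (address, wildcard) as integers; None means "any"


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _wildcard(text: str) -> int:
    # The guide's display output writes an all-zero wildcard as a plain "0"
    return 0 if text == "0" else _to_int(text)


@dataclass
class Rule:
    rule_id: int
    action: str          # "permit" or "deny"
    source: Source
    time_range: Optional[str] = None

    def matches(self, src_ip: str) -> bool:
        if self.source is None:
            return True
        addr, wild = self.source
        # Wildcard semantics: a 0 bit must equal the address bit, a 1 bit is ignored
        care = ~wild & 0xFFFFFFFF
        return (_to_int(src_ip) & care) == (addr & care)

    def depth(self) -> int:
        """Number of address bits the rule cares about; higher means more specific."""
        return 0 if self.source is None else bin(~self.source[1] & 0xFFFFFFFF).count("1")

    def text(self) -> str:
        if self.source is None:
            body = f"rule {self.rule_id} {self.action} source any"
        else:
            addr, wild = self.source
            wild_s = "0" if wild == 0 else str(ipaddress.IPv4Address(wild))
            body = f"rule {self.rule_id} {self.action} source {ipaddress.IPv4Address(addr)} {wild_s}"
        return body + (f" time-range {self.time_range}" if self.time_range else "")


class BasicAcl:
    def __init__(self, number: int, match_order: str = "config") -> None:
        if not 2000 <= number <= 2999:
            raise ValueError("basic ACL numbers range from 2000 to 2999")
        self.number = number
        self.match_order = match_order  # "config" or "auto" (depth first)
        self.step = 5                   # default step value stated in the guide
        self.rules: Dict[int, Rule] = {}

    def add_rule(self, action: str, source: str = "any",
                 rule_id: Optional[int] = None, time_range: Optional[str] = None) -> int:
        if rule_id is None:
            # No ID given: next multiple of the step above the highest existing ID,
            # so the first rule receives the step value itself (5 by default)
            rule_id = (max(self.rules, default=0) // self.step + 1) * self.step
        src: Source = None
        if source != "any":
            addr, wild = source.split()
            src = (_to_int(addr), _wildcard(wild))
        # A rule whose ID already exists replaces the old one, which is why the guide
        # says to run display acl before adding a rule
        self.rules[rule_id] = Rule(rule_id, action, src, time_range)
        return rule_id

    def ordered(self) -> List[Rule]:
        if self.match_order == "config":
            return sorted(self.rules.values(), key=lambda r: r.rule_id)
        # Simplified depth-first interpretation (assumption): the most specific
        # source first, ties broken by rule ID
        return sorted(self.rules.values(), key=lambda r: (-r.depth(), r.rule_id))

    def evaluate(self, src_ip: str, active_time_ranges=frozenset(),
                 default: str = "permit") -> Tuple[str, Optional[int]]:
        """First matching rule wins. Rules bound to an inactive time range are skipped;
        `default` (an assumption, not from the guide) applies when nothing matches."""
        for rule in self.ordered():
            if rule.time_range and rule.time_range not in active_time_ranges:
                continue
            if rule.matches(src_ip):
                return rule.action, rule.rule_id
        return default, None

    def display(self) -> str:
        """Render the ACL the way `display acl acl-number` does on this page."""
        n = len(self.rules)
        head = f"Basic ACL {self.number}, {n} rule{'' if n == 1 else 's'}\nAcl's step is {self.step}"
        body = "".join("\n " + r.text() for r in sorted(self.rules.values(), key=lambda r: r.rule_id))
        return head + body


if __name__ == "__main__":
    acl = BasicAcl(2009)
    acl.add_rule("deny", "10.1.1.1 0")
    print(acl.display())  # same three lines as the guide's display acl 2009 output
```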

10.3.5 Applying a Basic ACL


A basic ACL can be applied to some services and functions to classify packets.

Prerequisites
A basic ACL has been created and rules have been configured in the basic ACL.

Context
A basic ACL can be applied to the following services and functions:
- Traffic classifier
- Blacklist for local attack defense
- Route filtering
- OSPF LSA filtering
- IP multicast
- Limiting access to an FTP or TFTP server
- Firewall
- NAT
- Packet filtering on an interface

Procedure
- Apply a basic ACL to a traffic classifier.
  To provide differentiated services based on packet information, configure traffic classifiers. Basic ACLs can be referenced by traffic classifiers to define rules for classifying traffic. For details, see Configuring a Traffic Classifier.
- Apply a basic ACL to add specified users to the blacklist for local attack defense.
  A blacklist is a set of unauthorized users. The AR200-S uses basic ACLs to add users with a specific characteristic to a blacklist and discards the packets from the users in the blacklist. For details, see 9.4.3 (Optional) Configuring a Blacklist.
- Apply a basic ACL to route filtering.
  You can configure route filtering for the Routing Information Protocol (RIP), Open Shortest Path First (OSPF), Intermediate System-to-Intermediate System (IS-IS), and Multiprotocol Border Gateway Protocol (MBGP), and set conditions for filtering routes of these protocols. The routes that do not meet the conditions are not added to the routing table or advertised. The AR200-S uses basic ACLs to set the filtering conditions. For details, see Configuration Guide - IP Routing.
- Apply a basic ACL to OSPF LSA filtering.
  In special network environments, OSPF features need to be configured and the performance of the OSPF network needs to be improved. When multiple links exist between two routers, you can filter outgoing LSAs on the local router. This reduces unnecessary retransmission of LSAs on certain links and saves bandwidth. The AR200-S can use basic ACLs to filter outgoing LSAs. For details, see Optimizing an OSPF Network.
- Apply a basic ACL to IP multicast.
  Certain functions of the Internet Group Management Protocol (IGMP), Protocol Independent Multicast-Dense Mode (PIM-DM), and Protocol Independent Multicast-Sparse Mode (PIM-SM) need to reference basic ACLs. For details, see Configuration Guide - Multicast.
- Apply a basic ACL to control users that can connect to an FTP or TFTP server.
  When the AR200-S functions as an FTP or TFTP server, you can configure a basic ACL to allow only the clients that meet certain conditions to access the server. For details, see (Optional) Configuring an FTP ACL.
- Apply a basic ACL to a firewall.
  The attack defense system protects an internal network against attacks from external networks. Generally, firewalls are deployed between the internal and external networks to defend against attacks. A packet filtering firewall filters packets by using an ACL. The AR200-S uses a basic ACL to configure the packet filtering firewall. For details, see 3.4 Configuring the Packet Filtering Firewall.
- Apply a basic ACL to NAT.
  Network Address Translation (NAT) enables hosts on a private network to access the public network. A NAT address pool is a set of public IP addresses. When a packet from a private network reaches the public network by using address translation, one IP address in the NAT address pool is selected as the source address after translation. The AR200-S uses a basic ACL to classify IP addresses in the NAT address pool so that source addresses of data packets matching the basic ACL are translated. For details, see Associating an ACL with an Address Pool.
- Apply a basic ACL to an interface to filter packets on the interface.
  The AR200-S can filter packets on an interface using an ACL. If the action in an ACL rule is deny, the AR200-S discards all packets matching the rule. If the action in an ACL rule is permit, the AR200-S forwards all packets matching the rule. Perform the following steps to apply a basic ACL to an interface:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     traffic-filter { inbound | outbound } acl { acl-number | name acl-name }
     A basic ACL is applied to the interface.
----End


10.3.6 Checking the Configuration


After a basic ACL is configured, you can view information about the basic ACL and time range.

Prerequisites
The basic ACL configurations are complete.

Procedure
- Run the display acl acl-number command to view the basic ACL with the specified number.
- Run the display acl name acl-name command to view the basic ACL with the specified name.
- Run the display time-range { all | time-name } command to view information about the time range.

----End

Example
# Run the display acl acl-number command to view the basic ACL number, the number of rules, the step value, and the content of the rules.
<Huawei> display acl 2009
Basic ACL 2009, 1 rule
Acl's step is 5
 rule 5 deny source 10.1.1.1 0

# Run the display acl name acl-name command to view the basic ACL name and number, the number of rules, the step value, and the content of the rules.
<Huawei> display acl name qos1
Basic ACL qos1 2999, 1 rule
Acl's step is 5
 rule 5 permit source 202.114.24.56 0.0.0.255

# Run the display time-range all command to view the configuration and status of the current time range.
<Huawei> display time-range all
Current time is 09:13:37 12-27-2010 Thursday

Time-range : test1 ( Inactive )
 13:00 to 18:00 working-day
 13:00 to 18:00 off-day

10.4 Configuring an Advanced ACL


An advanced ACL classifies IPv4 packets based on information such as source and destination IP addresses, source and destination port numbers, packet priorities, and time ranges.

10.4.1 Establishing the Configuration Task


Before configuring an advanced ACL, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
Advanced ACLs are applied to multiple services and functions, for example, traffic classifiers and multicast. The AR200-S processes different types of packets based on advanced ACL rules. Advanced ACLs can be applied to:
- All the IPv4 packets at the network layer and upper layers. Advanced ACLs classify IPv4 packets based on information such as source and destination IP addresses, packet priorities, fragment flags, time ranges, and VPN instances in the packets.
NOTE
An advanced ACL is similar to a basic ACL, but defines more information than a basic ACL.
- Specified types of packets, including GRE packets, IGMP packets, IPinIP packets, OSPF packets, ICMP packets, UDP packets, and TCP packets. Advanced ACLs classify these packet types based on different types of information:
  - GRE packets, IGMP packets, IPinIP packets, and OSPF packets are classified based on information such as source and destination IP addresses, packet priorities, fragment flags, time ranges, and VPN instances in the packets.
  - ICMP packets are classified based on information such as source and destination IP addresses, packet priorities, fragment flags, ICMP packet types and codes, time ranges, and VPN instances in the packets.
  - UDP packets are classified based on information such as source and destination IP addresses, source and destination port numbers, packet priorities, fragment flags, time ranges, and VPN instances in the packets.
  - TCP packets are classified based on information such as source and destination IP addresses, source and destination port numbers, TCP flags, packet priorities, fragment flags, time ranges, and VPN instances in the packets.

Pre-configuration Tasks
Before configuring an advanced ACL, complete the following task:
- Setting link layer protocol parameters for interfaces to ensure that the link layer protocol status on the interfaces is Up

Data Preparation
To configure an advanced ACL, you need the following data.
No. Data
1 (Optional) Name of a time range during which ACL rules take effect
2 Number or name of an advanced ACL
3 Protocol type
4 Source IP address and port number, destination IP address and port number, fragment flag, ICMP packet type and code, packet priority, ToS value, and time range
5 (Optional) Description of an advanced ACL
6 (Optional) Description of an advanced ACL rule
7 (Optional) Step value between advanced ACL rule IDs

10.4.2 (Optional) Creating a Time Range for an Advanced ACL


To make an advanced ACL take effect during a specified period of time, create a time range and reference the time range in the advanced ACL. If no time range is specified for the ACL, the ACL remains effective until it is deleted or the rules of the ACL are deleted.

Context
Some services or functions that reference advanced ACLs need to be started during a specified period of time, for example, QoS needs to be started during peak hours. You can create a time range and reference the time range in an advanced ACL so that the advanced ACL takes effect in the time range. The service or function that references the advanced ACL is also started in the specified time range.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }
A time range is created. To configure multiple time ranges with the same name on the AR200-S, run the preceding command with the same value of time-name multiple times.
NOTE
You can configure the same name for multiple time ranges to describe a special period. Assume that the same name test is configured for the following time ranges:
- Time range 1: 2010-01-01 00:00 to 2010-12-31 23:59 (absolute time range)
- Time range 2: 8:00 to 18:00 from Monday to Friday (periodic time range)
- Time range 3: 14:00 to 18:00 on Saturday and Sunday (periodic time range)
The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in 2010.

----End
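As an added worked example (not code from the guide), the following Python evaluates a time range built from several time-range commands with the same name, as the note above describes: absolute ranges are intersected with the union of the periodic ranges. It reproduces the guide's `test` range and the `test1` range shown by display time-range all in the Checking the Configuration sections. The YYYY/MM/DD date format, the open-ended handling of an absolute range without `to`, and the support for only the daily, working-day and off-day keywords are assumptions.

```python
"""Added model of AR200-S time ranges: absolute windows AND the union of periodic windows."""
from dataclasses import dataclass, field
from datetime import datetime, time

# Day keywords mapped to datetime.weekday() values (Monday == 0). Only the keywords
# the guide shows are supported here; individual weekday names are not (assumption).
DAY_KEYWORDS = {
    "daily": set(range(7)),
    "working-day": {0, 1, 2, 3, 4},
    "off-day": {5, 6},
}


@dataclass
class Periodic:
    start: time
    end: time
    days: set


@dataclass
class Absolute:
    start: datetime
    end: datetime


def _parse_hm(text: str) -> time:
    hour, minute = text.split(":")
    return time(int(hour), int(minute))


def _parse_dt(hm: str, ymd: str) -> datetime:
    # Date format YYYY/MM/DD is an assumption; the page shows only the command skeleton
    year, month, day = (int(x) for x in ymd.split("/"))
    t = _parse_hm(hm)
    return datetime(year, month, day, t.hour, t.minute)


@dataclass
class TimeRange:
    name: str
    periodic: list = field(default_factory=list)
    absolute: list = field(default_factory=list)

    def add(self, args: str) -> None:
        """Parse the arguments of `time-range <name> ...` as given in the guide:
        `start-time to end-time days` or `from time1 date1 [ to time2 date2 ]`."""
        tokens = args.split()
        if tokens[0] == "from":
            start = _parse_dt(tokens[1], tokens[2])
            # Without "to" the absolute range is treated as open-ended (assumption)
            end = _parse_dt(tokens[4], tokens[5]) if len(tokens) > 3 else datetime.max
            self.absolute.append(Absolute(start, end))
        else:
            start, end = _parse_hm(tokens[0]), _parse_hm(tokens[2])
            days = set()
            for word in tokens[3:]:
                days |= DAY_KEYWORDS[word]
            self.periodic.append(Periodic(start, end, days))

    def is_active(self, now: datetime) -> bool:
        """Active when inside any absolute window (if any are configured) AND inside
        any periodic window (if any are configured): windows of the same kind form a
        union, and the two kinds are intersected, which is how the guide's `test`
        note arrives at 'Mon-Fri 8:00-18:00 and Sat-Sun 14:00-18:00 in 2010'."""
        abs_ok = not self.absolute or any(a.start <= now <= a.end for a in self.absolute)
        per_ok = not self.periodic or any(
            now.weekday() in p.days and p.start <= now.time() <= p.end for p in self.periodic
        )
        return abs_ok and per_ok


def build_test_range() -> TimeRange:
    """The three ranges the guide's note configures under the single name `test`."""
    tr = TimeRange("test")
    tr.add("from 00:00 2010/01/01 to 23:59 2010/12/31")  # absolute, whole of 2010
    tr.add("8:00 to 18:00 working-day")                    # periodic
    tr.add("14:00 to 18:00 off-day")                       # periodic
    return tr


def build_test1_range() -> TimeRange:
    """`test1` as listed by display time-range all on this page (periodic only)."""
    tr = TimeRange("test1")
    tr.add("13:00 to 18:00 working-day")
    tr.add("13:00 to 18:00 off-day")
    return tr


if __name__ == "__main__":
    # 09:13:37 on 2010-12-27 is before 13:00, so test1 is reported Inactive as on the page
    print("test1 active:", build_test1_range().is_active(datetime(2010, 12, 27, 9, 13, 37)))
```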
Follow-up Procedure
Reference the time range in an advanced ACL rule.

10.4.3 Creating an Advanced ACL


Before using an advanced ACL, ensure that the advanced ACL has been created. You can create a named or numbered advanced ACL.

Prerequisites
The display acl all command has been executed to view all the configured ACLs. This prevents duplicate advanced ACLs from being configured.

Procedure
- Creating a numbered advanced ACL
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     acl [ number ] acl-number [ match-order { auto | config } ]
     An advanced ACL with the specified number is created and the advanced ACL view is displayed.
     acl-number specifies the number of an advanced ACL. The value ranges from 3000 to 3999.
     match-order specifies the matching order of advanced ACL rules:
     - auto: indicates that ACL rules are matched based on the depth first principle.
     - config: indicates that ACL rules are matched based on the sequence in which they were configured.
  3. (Optional) Run:
     description text
     The description of the advanced ACL is configured. The description of an ACL describes the function or usage of the ACL. It is used to differentiate ACLs. By default, no description is configured for an ACL.
- Creating a named advanced ACL
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     acl name acl-name [ advance | acl-number ] [ match-order { auto | config } ]
     An advanced ACL with the specified name is created and the advanced ACL view is displayed.
     acl-number specifies the number of an advanced ACL. The value ranges from 3000 to 3999.
     match-order specifies the matching order of advanced ACL rules:
     - auto: indicates that ACL rules are matched based on the depth first principle.
     - config: indicates that ACL rules are matched based on the sequence in which they were configured.
  3. (Optional) Run:
     description text
     The description of the advanced ACL is configured. The description of an ACL describes the function or usage of the ACL. It is used to differentiate ACLs. By default, no description is configured for an ACL.
----End

Follow-up Procedure
Configure rules in the advanced ACL.

10.4.4 Configuring an Advanced ACL Rule


An advanced ACL is composed of a list of rules. The ACL classifies packets by matching packet information with the ACL rules.

Prerequisites
An advanced ACL has been created and the advanced ACL view is displayed. Before creating a new rule, run the display acl { acl-number | name acl-name } command to view all the configured ACL rules to prevent the new rule from overriding existing rules.

Context
An advanced ACL classifies packets by matching packet information with its rules. After an advanced ACL is created, configure rules in the advanced ACL.

Procedure
Step 1 (Optional) Run:
step step-value
The step value between ACL rule IDs is set. By default, the step value is 5.
Step 2 Configure an advanced ACL rule based on the IP protocol version or the type of the protocol over IP.
- When IPv4 is used, run:
  rule { deny | permit } ip [ destination { destination-address destination-wildcard | any } | source { source-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | [ fragment | none-first-fragment ] ] *
- Configure an advanced ACL rule based on the protocol over IP.
  When the Internet Control Message Protocol (ICMP) is used, run:
  rule { deny | permit } { protocol-number | icmp } [ destination { destination-address destination-wildcard | any } | icmp-type { icmp-name | icmp-type icmp-code } | source { source-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | [ fragment | none-first-fragment ] ] *
  When the Transmission Control Protocol (TCP) is used, run:
  rule { deny | permit } { protocol-number | tcp } [ destination { destination-address destination-wildcard | any } | destination-port { eq | gt | lt | range } port | source { source-address source-wildcard | any } | source-port { eq | gt | lt | range } port | tcp-flag { ack | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | [ fragment | none-first-fragment ] ] *
  When the User Datagram Protocol (UDP) is used, run:
  rule { deny | permit } { protocol-number | udp } [ destination { destination-address destination-wildcard | any } | destination-port { eq | gt | lt | range } port | source { source-address source-wildcard | any } | source-port { eq | gt | lt | range } port | time-range time-name | vpn-instance vpn-instance-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | [ fragment | none-first-fragment ] ] *
  When Generic Routing Encapsulation (GRE), the Internet Group Management Protocol (IGMP), IPinIP, or Open Shortest Path First (OSPF) is used, run:
  rule { deny | permit } { protocol-number | gre | igmp | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | source { source-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | [ fragment | none-first-fragment ] ] *
To configure multiple rules, repeat this step.
NOTE

If the rule ID is not specified, the step value is used as the start rule ID. If different rules are ANDed or ORed, configure a correct matching order to prevent incorrect configurations.

Step 3 (Optional) Run:


rule rule-id description text

The description of the advanced ACL rule is configured. The description of an ACL rule describes the function or usage of the ACL rule. It is used to differentiate ACL rules.
----End

Follow-up Procedure
After an advanced ACL rule is configured, perform the following operations as required:
- Run the step command to change the step value.
- Run the rule command with rule-id specified to add a new rule between existing rules when the configuration order is used.

10.4.5 Applying an Advanced ACL


An advanced ACL can be applied to some services and functions to classify packets.

Prerequisites
An advanced ACL has been created and rules have been configured in the advanced ACL.

Context
An advanced ACL can be applied to the following services and functions:
- Traffic classifier
- Blacklist for local attack defense
- IP multicast
- IPSec
- Firewall
- NAT
- Packet filtering on an interface

Procedure
- Apply an advanced ACL to a traffic classifier.
  To provide differentiated services based on packet information, configure traffic classifiers. Advanced ACLs can be referenced by traffic classifiers to define rules for classifying traffic. For details, see Configuring a Traffic Classifier.
- Apply an advanced ACL to add specified users to the blacklist for local attack defense.
  A blacklist is a set of unauthorized users. The AR200-S uses advanced ACLs to add users with a specific characteristic to a blacklist and discards the packets from the users in the blacklist. For details, see 9.4.3 (Optional) Configuring a Blacklist.
- Apply an advanced ACL to IP multicast.
  Certain functions of the Internet Group Management Protocol (IGMP), Protocol Independent Multicast-Dense Mode (PIM-DM), and Protocol Independent Multicast-Sparse Mode (PIM-SM) need to reference advanced ACLs. For details, see Configuration Guide - Multicast.
- Apply an advanced ACL to IPSec.
  The IP Security (IPSec) protocol family is a series of protocols defined by the Internet Engineering Task Force (IETF). This protocol family provides high quality, interoperable, and cryptography-based security for IP packets. IPSec peers can use various security protection measures (authentication, encryption, or both) on different data flows. The AR200-S can use advanced ACLs to define data flows. For details, see IPSec Configuration.
- Apply an advanced ACL to a firewall.
  The attack defense system protects an internal network against attacks from external networks. Generally, firewalls are deployed between the internal and external networks to defend against attacks. A packet filtering firewall filters packets by using an ACL. The AR200-S uses an advanced ACL to configure the packet filtering firewall. For details, see 3.4 Configuring the Packet Filtering Firewall.
- Apply an advanced ACL to NAT.
  Network Address Translation (NAT) enables hosts on a private network to access the public network. A NAT address pool is a set of public IP addresses. When a packet from a private network reaches the public network by using address translation, one IP address in the NAT address pool is selected as the source address after translation. The AR200-S uses an advanced ACL to classify IP addresses in the NAT address pool so that source addresses of data packets matching the advanced ACL are translated. For details, see Associating an ACL with an Address Pool.
- Apply an advanced ACL to an interface to filter packets on the interface.
  The AR200-S can filter packets on an interface using an ACL. If the action in an ACL rule is deny, the AR200-S discards all packets matching the rule. If the action in an ACL rule is permit, the AR200-S forwards all packets matching the rule. Perform the following steps to apply an ACL to an interface:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     traffic-filter { inbound | outbound } acl { acl-number | name acl-name }
     An ACL is configured to filter packets.
----End

10.4.6 Checking the Configuration


After an advanced ACL is configured, you can view information about the advanced ACL and time range.

Prerequisites
The advanced ACL configurations are complete.

Procedure
- Run the display acl acl-number command to view the advanced ACL with the specified number.
- Run the display acl name acl-name command to view the advanced ACL with the specified name.
- Run the display time-range { all | time-name } command to view information about the time range.

----End

Example
# Run the display acl acl-number command to view the advanced ACL number, the number of rules, the step value, and the content of the rules.
<Huawei> display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 5
 rule 5 deny ip source 10.1.1.1 0

# Run the display acl name acl-name command to view the advanced ACL name and number, the number of rules, the step value, and the content of the rules.
<Huawei> display acl name qos1
Advanced ACL qos1 3999, 1 rule
Acl's step is 5
 rule 5 permit tcp

# Run the display time-range all command to view the configuration and status of the current time range.
<Huawei> display time-range all
Current time is 09:13:37 12-27-2010 Thursday

Time-range : test1 ( Inactive )
 13:00 to 18:00 working-day
 13:00 to 18:00 off-day

10.5 Configuring a Layer 2 ACL


A Layer 2 ACL classifies Layer 2 packets with the Ethernet protocol type of Ethernet_II based on information such as the source and destination MAC addresses, and Layer 2 protocol type.

10.5.1 Establishing the Configuration Task


Before configuring a Layer 2 ACL, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
Layer 2 ACLs can be applied to multiple services, for example, traffic classifiers. The AR200-S processes different types of packets based on Layer 2 ACL rules. Layer 2 ACLs are applied to Layer 2 packets with the Ethernet protocol type of Ethernet_II. Layer 2 ACLs classify Layer 2 packets based on information such as source and destination MAC addresses, Layer 2 protocol types, VLAN IDs or 802.1p priorities, and time ranges in the packets.
Pre-configuration Tasks
Before configuring a Layer 2 ACL, complete the following task:
- Connecting interfaces and setting physical parameters for the interfaces to ensure that the physical status of the interfaces is Up

Data Preparation
To configure a Layer 2 ACL, you need the following data.
No. Data
1 (Optional) Name of a time range during which ACL rules take effect
2 Number or name of a Layer 2 ACL
3 Source MAC address, destination MAC address, Layer 2 protocol type, and VLAN ID or 802.1p priority
4 (Optional) Description of a Layer 2 ACL
5 (Optional) Description of a Layer 2 ACL rule
6 (Optional) Step value between Layer 2 ACL rule IDs

10.5.2 (Optional) Creating a Time Range for a Layer 2 ACL


To make a Layer 2 ACL take effect during a specified period of time, create a time range and reference the time range in the Layer 2 ACL. If no time range is specified for the ACL, the ACL remains effective until it is deleted or the rules of the ACL are deleted.

Context
Some services or functions that reference Layer 2 ACLs need to be started during a specified period of time, for example, QoS needs to be started during peak hours. You can create a time range and reference the time range in a Layer 2 ACL so that the Layer 2 ACL takes effect in the time range. The service or function that references the Layer 2 ACL is also started in the specified time range.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }
A time range is created. To configure multiple time ranges with the same name on the AR200-S, run the preceding command with the same value of time-name multiple times.
NOTE
You can configure the same name for multiple time ranges to describe a special period. Assume that the same name test is configured for the following time ranges:
- Time range 1: 2010-01-01 00:00 to 2010-12-31 23:59 (absolute time range)
- Time range 2: 8:00 to 18:00 from Monday to Friday (periodic time range)
- Time range 3: 14:00 to 18:00 on Saturday and Sunday (periodic time range)
The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in 2010.

----End

Follow-up Procedure
Reference the time range in a Layer 2 ACL rule.

10.5.3 Creating a Layer 2 ACL


Before using a Layer 2 ACL, ensure that the Layer 2 ACL has been created. You can create a named or numbered Layer 2 ACL.

Prerequisites
The display acl all command has been executed to view all the configured ACLs. This prevents duplicate Layer 2 ACLs from being configured.

Procedure
- Creating a numbered Layer 2 ACL
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     acl [ number ] acl-number [ match-order { auto | config } ]
     A Layer 2 ACL with the specified number is created and the Layer 2 ACL view is displayed.
     acl-number specifies the number of a Layer 2 ACL. The value ranges from 4000 to 4999.
     match-order specifies the matching order of Layer 2 ACL rules:
     - auto: indicates that ACL rules are matched based on the depth first principle.
     - config: indicates that ACL rules are matched based on the sequence in which they were configured.
  3. (Optional) Run:
     description text
     The description of the Layer 2 ACL is configured. The description of an ACL describes the function or usage of the ACL. It is used to differentiate ACLs. By default, no description is configured for an ACL.
- Creating a named Layer 2 ACL
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     acl name acl-name { link | acl-number } [ match-order { auto | config } ]
     A Layer 2 ACL with the specified name is created and the Layer 2 ACL view is displayed.
     acl-number specifies the number of a Layer 2 ACL. The value ranges from 4000 to 4999.
     match-order specifies the matching order of Layer 2 ACL rules:
     - auto: indicates that ACL rules are matched based on the depth first principle.
     - config: indicates that ACL rules are matched based on the sequence in which they were configured.
  3. (Optional) Run:
     description text
     The description of the Layer 2 ACL is configured. The description of an ACL describes the function or usage of the ACL. It is used to differentiate ACLs. By default, no description is configured for an ACL.
----End

Follow-up Procedure
Configure rules in the Layer 2 ACL.

10.5.4 Configuring a Layer 2 ACL Rule


A Layer 2 ACL is composed of a list of rules. The ACL classifies packets by matching packet information with the ACL rules.

Prerequisites
A Layer 2 ACL has been created and the Layer 2 ACL view is displayed. Before creating a new rule, run the display acl { acl-number | name acl-name } command to view all the configured ACL rules to prevent the new rule from overriding existing rules.

Context
A Layer 2 ACL classifies packets by matching packet information with the ACL rules. After a Layer 2 ACL is created, configure rules in the Layer 2 ACL.

Procedure
Step 1 (Optional) Run:
step step-value
The step value between ACL rule IDs is set. By default, the step value is 5.
Step 2 Run:
rule { permit | deny } [ l2-protocol type-value [ type-mask ] | destination-mac dest-mac-address [ dest-mac-mask ] | source-mac source-mac-address [ source-mac-mask ] | vlan-id vlan-id [ vlan-id-mask ] | 8021p 802.1p-value | [ time-range time-range-name ] ] *

A Layer 2 ACL rule is configured. To configure multiple rules, repeat this step.


NOTE

If the rule ID is not specified, the step value is used as the start rule ID. If different rules are ANDed or ORed, configure a correct matching order to prevent incorrect configurations.

Step 3 (Optional) Run:


rule rule-id description text

The description of the Layer 2 ACL rule is configured. The description of an ACL rule describes the function or usage of the ACL rule. It is used to differentiate ACL rules.
----End

Follow-up Procedure
After a Layer 2 ACL rule is configured, perform the following operations as required:
- Run the step command to change the step value.
- Run the rule command with rule-id specified to add a new rule between existing rules when the configuration order is used.

10.5.5 Applying a Layer 2 ACL


A Layer 2 ACL can be applied to some services and functions to classify packets.

Prerequisites
A Layer 2 ACL has been created and rules have been configured in the Layer 2 ACL.

Context
A Layer 2 ACL can be applied to the following services and functions:
- Traffic classifier
- Blacklist for local attack defense
- Packet filtering on an interface

Procedure
- Apply a Layer 2 ACL to a traffic classifier.
  To provide differentiated services based on packet information, configure traffic classifiers. Layer 2 ACLs can be referenced by traffic classifiers to define rules for classifying traffic. For details, see Configuring a Traffic Classifier.
- Apply a Layer 2 ACL to add users to the blacklist for local attack defense.
  A blacklist is a set of unauthorized users. The AR200-S uses Layer 2 ACLs to add users with a specific characteristic to a blacklist and discards the packets from the users in the blacklist. For details, see 9.4.3 (Optional) Configuring a Blacklist.
- Apply a Layer 2 ACL to an interface to filter packets on the interface.
  The AR200-S can filter packets on an interface using an ACL. If the action in an ACL rule is deny, the AR200-S discards all packets matching the rule. If the action in an ACL rule is permit, the AR200-S forwards all packets matching the rule. Perform the following steps to apply a Layer 2 ACL to an interface:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     traffic-filter { inbound | outbound } acl { acl-number | name acl-name }
     A Layer 2 ACL is applied to the interface.
----End

10.5.6 Checking the Configuration


After a Layer 2 ACL is configured, you can view information about the Layer 2 ACL and time range.

Prerequisites
The Layer 2 ACL configurations are complete.

Procedure
- Run the display acl acl-number command to view the Layer 2 ACL with the specified number.
- Run the display acl name acl-name command to view the Layer 2 ACL with the specified name.
- Run the display time-range { all | time-name } command to view information about the time range.

----End

Example
# Run the display acl acl-number command to view the Layer 2 ACL number, the number of rules, the step value, and the content of the rules.
<Huawei> display acl 4001
 L2 ACL 4001, 1 rule
 Acl's step is 5
  rule 5 permit l2-protocol ip destination-mac 0000-0000-0001 source-mac 0000-0000-0002

# Run the display acl name acl-name command to view the Layer 2 ACL name and number, the number of rules, the step value, and the content of the rules.
<Huawei> display acl name test
 L2 ACL test 4999, 1 rule
 Acl's step is 5
  rule 5 deny destination-mac 00e0-fc01-0304

# Run the display time-range command to view the configuration and status of the current time range.
<Huawei> display time-range all
Current time is 09:13:37 12-27-2010 Thursday

Time-range : test1 ( Inactive )
 13:00 to 18:00 working-day
 13:00 to 18:00 off-day

10.6 Configuration Examples


This section provides several configuration examples of ACLs.

10.6.1 Example for Configuring a Basic ACL to Limit Access to the FTP Server
In this example, a basic ACL is used to limit access to the FTP server.

Networking Requirements
As shown in Figure 10-1, the Router functions as an FTP server (172.16.104.110/24). The requirements are as follows:
- All the users on subnet 1 (172.16.105.0/23) are allowed to access the FTP server at any time.
- All the users on subnet 2 (172.16.107.0/23) are allowed to access the FTP server only at the specified period of time.
- Other users are not allowed to access the FTP server.

The routes between the Router and subnets are reachable. You need to configure the Router to limit user access.


Figure 10-1 Configuring a basic ACL to limit user access to the FTP server
[Figure: PC A (172.16.105.111), PC B (172.16.107.111) and PC C (10.10.10.1) reach the Router, which acts as the FTP server (172.16.104.110), through the network.]

Configuration Roadmap
The configuration roadmap is as follows:
- Create a basic ACL on the Router and configure rules in the basic ACL to classify users.
- Configure basic FTP functions on the Router.
- Apply a basic ACL to the Router to limit user access.

Data Preparation
To complete the configuration, you need the following data:
- Number of a basic ACL: 2001
- Name of a time range during which users in subnet 2 access the FTP server: ftp-access
- Time range: 14:00-18:00 on Saturday and Sunday from 2009 to 2011

Procedure
Step 1 Configure a time range.
<Huawei> system-view
[Huawei] sysname Router
[Router] time-range ftp-access from 0:0 2009/1/1 to 23:59 2011/12/31
[Router] time-range ftp-access 14:00 to 18:00 off-day

Step 2 Configure a basic ACL.


[Router] acl number 2001
[Router-acl-basic-2001] rule permit source 172.16.105.0 0.0.1.255
[Router-acl-basic-2001] rule permit source 172.16.107.0 0.0.1.255 time-range ftp-access
[Router-acl-basic-2001] quit

Step 3 Configure basic FTP functions.
The configuration details are not mentioned here.
Step 4 Configure access permissions on the FTP server.
[Router] ftp acl 2001

Step 5 Verify the configuration.
Run the ftp 172.16.104.110 command on PC A (172.16.105.111/24) in subnet 1. PC A can connect to the FTP server.
Run the ftp 172.16.104.110 command on PC B (172.16.107.111/24) in subnet 2 on Monday in 2010. PC B cannot connect to the FTP server.
Run the ftp 172.16.104.110 command on PC B (172.16.107.111/24) in subnet 2 at 15:00 on Saturday in 2010. PC B can connect to the FTP server.
Run the ftp 172.16.104.110 command on PC C (10.10.10.1/24). PC C cannot connect to the FTP server.
----End

Configuration Files
# Configuration file of the Router
#
 sysname Router
#
 ftp server enable
 ftp acl 2001
#
time-range ftp-access from 0:0 2009/1/1 to 23:59 2011/12/31
time-range ftp-access 14:00 to 18:00 off-day
#
acl number 2001
 rule 5 permit source 172.16.104.0 0.0.1.255
 rule 10 permit source 172.16.106.0 0.0.1.255 time-range ftp-access
#
return
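The following Python script is an added example and is not part of the Huawei guide. It models the lookup the FTP service performs against ACL 2001 and the ftp-access time range for the four checks in Step 5, and it shows why the configuration file records the rules as 172.16.104.0 and 172.16.106.0 although 172.16.105.0 and 172.16.107.0 were entered: the wildcard 0.0.1.255 clears the lowest bit of the third octet, so 172.16.105.0 0.0.1.255 covers 172.16.104.0/23. The rule data, the sample dates and the assumption that a time range is active only when both its absolute and its periodic statement match are mine, not the device's.

```python
"""Added example, not Huawei's code: evaluates the basic ACL and the time range
from section 10.6.1 the way the Router's FTP service would, for the hosts and
times used in the verification step."""
import ipaddress
from datetime import datetime

# Constructed rule list mirroring ACL 2001 as entered in Step 2 (first match wins).
ACL_2001 = [
    {"action": "permit", "source": "172.16.105.0", "wildcard": "0.0.1.255", "time_range": None},
    {"action": "permit", "source": "172.16.107.0", "wildcard": "0.0.1.255", "time_range": "ftp-access"},
]

# Constructed time range mirroring Step 1: an absolute window (2009-2011) and a
# periodic window 14:00-18:00 on off-days (Saturday and Sunday). Assumption:
# both the absolute and the periodic statement must match for the range to be active.
TIME_RANGES = {
    "ftp-access": {
        "absolute": (datetime(2009, 1, 1, 0, 0), datetime(2011, 12, 31, 23, 59)),
        "periodic": {"weekdays": {5, 6}, "start": (14, 0), "end": (18, 0)},  # Mon=0 ... Sun=6
    }
}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask comparison: a bit set to 1 in the wildcard is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def covered_network(base: str, wildcard: str) -> str:
    """The block a base/wildcard pair really covers, which is what the device
    writes back into its configuration file (172.16.105.0 0.0.1.255 is stored
    as 172.16.104.0). Assumes a contiguous wildcard such as 0.0.1.255."""
    w = int(ipaddress.IPv4Address(wildcard))
    net = int(ipaddress.IPv4Address(base)) & ~w & 0xFFFFFFFF
    return str(ipaddress.IPv4Network((net, 32 - w.bit_length())))


def time_range_active(name: str, when: datetime) -> bool:
    """Active when inside the absolute window and inside a periodic window."""
    tr = TIME_RANGES[name]
    start, end = tr["absolute"]
    if not start <= when <= end:
        return False
    p = tr["periodic"]
    if when.weekday() not in p["weekdays"]:
        return False
    return p["start"] <= (when.hour, when.minute) <= p["end"]


def ftp_access(src: str, when: datetime) -> str:
    """Look up ACL 2001 for one connection attempt. A rule bound to an inactive
    time range is skipped; with no matching rule the FTP service denies access."""
    for rule in ACL_2001:
        if not wildcard_match(src, rule["source"], rule["wildcard"]):
            continue
        if rule["time_range"] and not time_range_active(rule["time_range"], when):
            continue
        return rule["action"]
    return "deny"


def verify_section_10_6_1() -> dict:
    """The four checks of Step 5, with constructed dates
    (Monday 2010-03-01 and Saturday 2010-03-06)."""
    return {
        "PC A, Monday": ftp_access("172.16.105.111", datetime(2010, 3, 1, 10, 0)),
        "PC B, Monday": ftp_access("172.16.107.111", datetime(2010, 3, 1, 15, 0)),
        "PC B, Saturday 15:00": ftp_access("172.16.107.111", datetime(2010, 3, 6, 15, 0)),
        "PC C": ftp_access("10.10.10.1", datetime(2010, 3, 6, 15, 0)),
    }


if __name__ == "__main__":
    for host, verdict in verify_section_10_6_1().items():
        print(f"{host}: {verdict}")
    print(covered_network("172.16.105.0", "0.0.1.255"))  # 172.16.104.0/23
```

Because the wildcard is applied to the entered address, the rule permits 172.16.104.0 to 172.16.105.255, not a block starting at 172.16.105.0; check the normalized address in the configuration file when an ACL admits more hosts than intended.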

10.6.2 Example for Using Advanced ACLs to Configure the Firewall Function
In this example, advanced ACLs are used to configure the packet filtering firewall between the internal network and the external network.

Networking Requirements
As shown in Figure 10-2, an enterprise that provides Web, FTP, and Telnet services accesses an external network through Ethernet0/0/8 of the Router and joins a VLAN through Ethernet0/0/0 of the Router. The enterprise is located on the network segment 202.169.10.0 and the IP addresses of the Web server, FTP server, and Telnet server of the enterprise are 202.169.10.5/24, 202.169.10.6/24, and 202.169.10.7/24. To ensure security, the enterprise requires the Router to be configured with the firewall function. By doing this, only specified users are allowed to access internal servers of the enterprise and only internal servers of the enterprise are allowed to access the external network.


Figure 10-2 Using advanced ACLs to configure the firewall function
[Figure: the internal network (FTP server 202.169.10.6, WWW server 202.169.10.5, Telnet server 202.169.10.7) connects to Eth0/0/0 of the Router; Eth0/0/8 of the Router connects to the Internet, where the host 202.39.2.3 is located.]

Configuration Roadmap
The configuration roadmap is as follows:
- Configure zones on the internal and external networks.
- Configure an interzone and enable the firewall function in the interzone.
- Configure advanced ACLs to classify external users and internal servers.
- Configure ACL-based packet filtering in the interzone.

Data Preparation
To complete the configuration, you need the following data:
- Name of the zone on the internal network: company
- Priority of the zone company: 12
- Name of the zone on the external network: external
- Priority of the zone external: 5
- VLAN that the enterprise joins: VLAN 100
- IP address of VLANIF 100: 202.169.10.1/24
- IP address of Ethernet0/0/8: 129.39.10.8/24
- IP address of the user that can access internal servers: 202.39.2.3/24
- Number of the advanced ACL that classifies specified users: ACL 3001
- Number of the advanced ACL that classifies internal servers: ACL 3002

Procedure
Step 1 Configure zones. # Configure a zone on the internal network.
<Huawei> system-view
[Huawei] sysname Router
[Router] firewall zone company
[Router-zone-company] priority 12
[Router-zone-company] quit

# Add VLANIF 100 to the zone company.


[Router] interface vlanif 100
[Router-Vlanif100] zone company
[Router-Vlanif100] quit

# Configure a zone on the external network.


[Router] firewall zone external
[Router-zone-external] priority 5
[Router-zone-external] quit

# Add Ethernet0/0/8 to the zone external.


[Router] interface ethernet 0/0/8
[Router-Ethernet0/0/8] zone external
[Router-Ethernet0/0/8] quit

Step 2 Configure an interzone.


[Router] firewall interzone company external
[Router-interzone-company-external] firewall enable
[Router-interzone-company-external] quit

Step 3 Configure ACL 3001.
# Create ACL 3001.


[Router] acl 3001

# Configure a rule in ACL 3001 to allow specified users to access internal servers.
[Router-acl-adv-3001] rule permit tcp source 202.39.2.3 0.0.0.0 destination 202.169.10.5 0.0.0.0
[Router-acl-adv-3001] rule permit tcp source 202.39.2.3 0.0.0.0 destination 202.169.10.6 0.0.0.0
[Router-acl-adv-3001] rule permit tcp source 202.39.2.3 0.0.0.0 destination 202.169.10.7 0.0.0.0

# Configure a rule in ACL 3001 to prevent other users from accessing any host of the enterprise.
[Router-acl-adv-3001] rule deny ip
[Router-acl-adv-3001] quit

Step 4 Configure ACL 3002.
# Create ACL 3002.


[Router] acl 3002

# Configure a rule in ACL 3002 to allow internal servers to access the external network.
[Router-acl-adv-3002] rule permit ip source 202.169.10.5 0.0.0.0
[Router-acl-adv-3002] rule permit ip source 202.169.10.6 0.0.0.0
[Router-acl-adv-3002] rule permit ip source 202.169.10.7 0.0.0.0

# Configure a rule in ACL 3002 to prevent other users of the enterprise from accessing the external network.
[Router-acl-adv-3002] rule deny ip
[Router-acl-adv-3002] quit

Step 5 Configure ACL-based packet filtering in the interzone.


[Router] firewall interzone company external
[Router-interzone-company-external] packet-filter 3001 inbound
[Router-interzone-company-external] packet-filter 3002 outbound
[Router-interzone-company-external] quit

Step 6 Verify the configuration.
After the configuration is complete, only the host at 202.39.2.3 can access internal servers and only internal servers can access the external network.
Run the display firewall interzone [ zone-name1 zone-name2 ] command on the Router, and the result is as follows:
[Router] display firewall interzone company external
interzone company external
 firewall enable
 packet-filter default deny inbound
 packet-filter default permit outbound
 packet-filter 3001 inbound
 packet-filter 3002 outbound

----End

Configuration Files
# Configuration file of the Router
#
 sysname Router
#
vlan batch 100
#
acl number 3001
 rule 5 permit tcp source 202.39.2.3 0.0.0.0 destination 202.169.10.5 0.0.0.0
 rule 10 permit tcp source 202.39.2.3 0.0.0.0 destination 202.169.10.6 0.0.0.0
 rule 15 permit tcp source 202.39.2.3 0.0.0.0 destination 202.169.10.7 0.0.0.0
 rule 20 deny ip
#
acl number 3002
 rule 5 permit ip source 202.169.10.5 0.0.0.0
 rule 10 permit ip source 202.169.10.6 0.0.0.0
 rule 15 permit ip source 202.169.10.7 0.0.0.0
 rule 20 deny ip
#
interface Vlanif100
 ip address 202.169.10.1 255.255.255.0
 zone company
#
firewall zone company
 priority 12
#
firewall zone external
 priority 5
#
firewall interzone company external
 firewall enable
 packet-filter 3001 inbound
 packet-filter 3002 outbound
#
interface Ethernet0/0/0
 port link-type access
 port default vlan 100
#
interface Ethernet0/0/8
 ip address 129.39.10.8 255.255.255.0
 zone external
#
return
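As an added example that is not part of the Huawei guide, the Python model below replays ACL 3001 and ACL 3002 as entered in Steps 3 and 4 on constructed flows, applying the default inbound and outbound actions reported by display firewall interzone only when no rule matches. It makes one consequence of the rules explicit: ACL 3001 permits only TCP from 202.39.2.3, so a UDP or ICMP packet from the same host is dropped by rule 20, as is a TCP connection from that host to any internal address other than the three servers. The host 202.39.2.9, the internal PC 202.169.10.20 and the external address 198.51.100.7 are constructed for the example.

```python
"""Added example, not Huawei's code: a model of the interzone packet filter
from section 10.6.2 (ACL 3001 inbound, ACL 3002 outbound) showing which
constructed flows the rules as entered permit."""
import ipaddress

WEB, FTP, TELNET = "202.169.10.5", "202.169.10.6", "202.169.10.7"
ALLOWED_USER = "202.39.2.3"

# Constructed rule lists mirroring Steps 3 and 4; an absent address means "any".
ACL_3001 = [  # inbound: external zone -> company zone
    {"action": "permit", "proto": "tcp", "src": (ALLOWED_USER, "0.0.0.0"), "dst": (s, "0.0.0.0")}
    for s in (WEB, FTP, TELNET)
] + [{"action": "deny", "proto": "ip", "src": None, "dst": None}]

ACL_3002 = [  # outbound: company zone -> external zone
    {"action": "permit", "proto": "ip", "src": (s, "0.0.0.0"), "dst": None}
    for s in (WEB, FTP, TELNET)
] + [{"action": "deny", "proto": "ip", "src": None, "dst": None}]

# Default actions shown by "display firewall interzone"; they apply only when no
# rule matches, which never happens here because both ACLs end with "rule deny ip".
DEFAULT_ACTION = {"inbound": "deny", "outbound": "permit"}
INTERZONE = {"inbound": ACL_3001, "outbound": ACL_3002}


def wildcard_match(addr, spec):
    """spec is (base, wildcard) or None for "any"; wildcard bits set to 1 are ignored."""
    if spec is None:
        return True
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, spec[0], spec[1]))
    return (a & ~w) == (b & ~w)


def proto_match(pkt_proto, rule_proto):
    """'ip' in a rule matches every IP protocol; any other value must match exactly."""
    return rule_proto == "ip" or rule_proto == pkt_proto


def filter_packet(direction, proto, src, dst):
    """First-match lookup of the ACL applied in that direction of the interzone."""
    for rule in INTERZONE[direction]:
        if (proto_match(proto, rule["proto"])
                and wildcard_match(src, rule["src"])
                and wildcard_match(dst, rule["dst"])):
            return rule["action"]
    return DEFAULT_ACTION[direction]


def verify_section_10_6_2():
    """Constructed flows: the permitted user, another external host, a non-TCP
    probe from the permitted user, a server replying out, and an internal PC."""
    return {
        "user->web tcp": filter_packet("inbound", "tcp", ALLOWED_USER, WEB),
        "other->web tcp": filter_packet("inbound", "tcp", "202.39.2.9", WEB),
        "user->web udp": filter_packet("inbound", "udp", ALLOWED_USER, WEB),
        "user->internal pc tcp": filter_packet("inbound", "tcp", ALLOWED_USER, "202.169.10.20"),
        "ftp->user tcp": filter_packet("outbound", "tcp", FTP, ALLOWED_USER),
        "internal pc->internet tcp": filter_packet("outbound", "tcp", "202.169.10.20", "198.51.100.7"),
    }


if __name__ == "__main__":
    for flow, verdict in verify_section_10_6_2().items():
        print(f"{flow}: {verdict}")
```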

10.6.3 Example for Using a Layer 2 ACL to Configure Traffic Classification


A Layer 2 ACL is used to configure traffic classification to collect statistics on packets with the specified source MAC address.

Networking Requirements
As shown in Figure 10-3, the MAC address of PC1 is 0000-0000-0003 and PC1 is connected to Ethernet0/0/0 of the Router through the switch. The Router is required to collect statistics on packets with the source MAC address 0000-0000-0003.
Figure 10-3 Using a Layer 2 ACL to configure traffic classification
[Figure: PC1 (MAC 0000-0000-0003) connects to the switch, which connects over VLAN 20 to Ethernet0/0/0 of the Router; the Router connects to the Internet.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a Layer 2 ACL to match packets with the source MAC address 0000-0000-0003.
2. Configure traffic classification based on the Layer 2 ACL.
3. Configure a traffic behavior to collect statistics on the classified packets.
4. Configure a traffic policy and bind the traffic classifier and traffic behavior to the traffic policy.

Data Preparation
To complete the configuration, you need the following data:
- VLAN that the interface connecting the Router and the switch belongs to: VLAN 20
- Layer 2 ACL name: layer2
- Traffic classifier name: c1
- Traffic behavior name: b1
- Traffic policy name: p1

Procedure
Step 1 Create a VLAN and configure each interface.
# Create VLAN 20.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 20
[Router-vlan20] quit

# Configure Ethernet0/0/0 as a trunk interface and add Ethernet0/0/0 to VLAN 20.


[Router] interface ethernet 0/0/0
[Router-Ethernet0/0/0] port link-type trunk
[Router-Ethernet0/0/0] port trunk allow-pass vlan 20
[Router-Ethernet0/0/0] quit
NOTE

Configure the interface of the switch connecting to the Router as a trunk interface and add it to VLAN 20. The configuration details are not mentioned here. Configure the interface of the switch connecting to PC1 as an access interface and add it to VLAN 20. The configuration details are not mentioned here.

Step 2 Configure an ACL.
# Create a Layer 2 ACL named layer2 on the Router to match packets with the source MAC address 0000-0000-0003.
[Router] acl name layer2 link
[Router-acl-L2-layer2] rule permit source-mac 0000-0000-0003 ffff-ffff-ffff
[Router-acl-L2-layer2] quit

Step 3 Configure a traffic classifier.
# Create a traffic classifier c1 on the Router to match ACL layer2.
[Router] traffic classifier c1
[Router-classifier-c1] if-match acl layer2
[Router-classifier-c1] quit

Step 4 Configure a traffic behavior.
# Create a traffic behavior b1 on the Router and configure the traffic statistics action in the traffic behavior.
[Router] traffic behavior b1
[Router-behavior-b1] statistic enable
[Router-behavior-b1] quit

Step 5 Configure a traffic policy and apply the traffic policy to an interface.
# Create a traffic policy p1 on the Router and bind the traffic policy to the traffic classifier and traffic behavior.
[Router] traffic policy p1
[Router-trafficpolicy-p1] classifier c1 behavior b1
[Router-trafficpolicy-p1] quit

# Apply the traffic policy p1 to Ethernet0/0/0.


[Router] interface ethernet 0/0/0
[Router-Ethernet0/0/0] traffic-policy p1 inbound
[Router-Ethernet0/0/0] quit
[Router] quit


Step 6 Verify the configuration.
# View the ACL configuration.


<Router> display acl name layer2
 L2 ACL layer2 4999, 1 rule
 Acl's step is 5
  rule 5 permit source-mac 0000-0000-0003

# View the traffic classifier configuration.


<Router> display traffic classifier user-defined
  User Defined Classifier Information:
   Classifier: c1
    Operator: OR
    Rule(s) : if-match acl name layer2

# View the traffic policy configuration.


<Router> display traffic policy user-defined p1
  User Defined Traffic Policy Information:
  Policy: p1
   Classifier: c1
    Operator: OR
     Behavior: b1
      statistic: enable

----End

Configuration Files
# Configuration file of the Router
#
 sysname Router
#
vlan batch 20
#
acl name layer2 4999
 rule 5 permit source-mac 0000-0000-0003
#
traffic classifier c1 operator or
 if-match acl layer2
#
traffic behavior b1
 statistic enable
#
traffic policy p1
 classifier c1 behavior b1
#
interface Ethernet0/0/0
 port link-type trunk
 port trunk allow-pass vlan 20
 traffic-policy p1 inbound
#
return
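Added example in Python, not Huawei's code, showing what the Layer 2 ACL rule in Step 2 matches: the source MAC of each frame is compared under a MAC mask in which the 1 bits are significant (ffff-ffff-ffff means an exact match, the opposite sense of an IPv4 wildcard), and the statistic action in behavior b1 amounts to counting the inbound frames that match. It goes beyond the example by also matching under a partial mask, which is how one rule would cover a whole OUI; the frames are constructed.

```python
"""Added example, not Huawei's code: Layer 2 ACL matching on source MAC with
a MAC mask, used to count frames as the statistic action in section 10.6.3
would (generalized to partial masks as well)."""


def mac_to_int(mac: str) -> int:
    """Accepts the Huawei notation 0000-0000-0003 as well as colon notation."""
    return int(mac.replace("-", "").replace(":", ""), 16)


def l2_match(frame_src: str, rule_mac: str, rule_mask: str = "ffff-ffff-ffff") -> bool:
    """Mask bits set to 1 are compared; bits set to 0 are ignored."""
    m = mac_to_int(rule_mask)
    return mac_to_int(frame_src) & m == mac_to_int(rule_mac) & m


# Constructed frames arriving inbound on Ethernet0/0/0 (VLAN 20).
FRAMES = [
    {"src": "0000-0000-0003", "dst": "00e0-fc01-0304"},
    {"src": "0000-0000-0003", "dst": "ffff-ffff-ffff"},
    {"src": "0000-0000-0004", "dst": "00e0-fc01-0304"},
    {"src": "0000-0000-0013", "dst": "00e0-fc01-0304"},
    {"src": "00e0-fc01-0304", "dst": "0000-0000-0003"},
]


def count_matching(frames, rule_mac: str, rule_mask: str = "ffff-ffff-ffff") -> int:
    """Behaves like classifier c1 plus behavior b1 (statistic enable): counts
    the inbound frames whose source MAC matches the Layer 2 ACL rule."""
    return sum(1 for f in frames if l2_match(f["src"], rule_mac, rule_mask))


if __name__ == "__main__":
    # exact match, as in ACL layer2
    print(count_matching(FRAMES, "0000-0000-0003"))
    # partial mask: every source whose first 44 bits are zero (ignores the last nibble)
    print(count_matching(FRAMES, "0000-0000-0000", "ffff-ffff-fff0"))
    # OUI-style mask: every source from the 00e0-fc block
    print(count_matching(FRAMES, "00e0-fc00-0000", "ffff-ff00-0000"))
```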

11 SSL Configuration

About This Chapter

The Secure Sockets Layer (SSL) protocol protects information privacy on the Internet.

11.1 SSL Overview
The Secure Sockets Layer (SSL) protocol uses data encryption, identity authentication, and message integrity check to ensure security of TCP-based application layer protocols.

11.2 SSL Features Supported by the AR200-S
The AR200-S supports server SSL policies and client SSL policies.

11.3 Configuring a Server SSL Policy
A server SSL policy defines parameters that an SSL server uses in SSL handshakes, including the PKI domain name, maximum number of sessions that can be saved, timeout period of a saved session, and cipher suite. Among these parameters, the PKI domain name is mandatory, and the others are optional.

11.4 Configuring a Client SSL Policy
A client SSL policy defines the parameters that an SSL client uses in SSL handshakes, including the PKI domain name, SSL protocol version, and cipher suite.

11.5 Configuration Examples
This section provides several SSL configuration examples.


11.1 SSL Overview


The Secure Sockets Layer (SSL) protocol uses data encryption, identity authentication, and message integrity check to ensure security of TCP-based application layer protocols.

Introduction to SSL
SSL is a cryptographic protocol that provides communication security over the Internet. It allows a client and a server to communicate in a way designed to prevent eavesdropping. The server must be authenticated by the client before they start to communicate, and the client can also be authenticated by the server. SSL is widely used in ecommerce and online banking. It has the following advantages:
- High security: SSL ensures secure data transmission by using data encryption, identity authentication, and message integrity check.
- Support for various application layer protocols: SSL was originally designed to secure World Wide Web traffic. SSL functions between the application layer and the transport layer, so it can provide security for any TCP-based application.
- Easy to deploy: SSL has become a world-wide communications standard used to authenticate websites and web users, and to encrypt data transmitted between browser users and web servers.

SSL improves device security using the following functions:
- Allows only authorized users to connect to servers.
- Encrypts data transmitted between a client and a server to secure data transmission and computes a digest to ensure data integrity.
- Defines an access control policy on a device based on certificate attributes to control access rights of clients. This access control policy prevents unauthorized users from attacking the device.

Terms
- Certificate Authority (CA)
  A CA is an entity that issues, manages, and abolishes digital certificates. A CA checks validity of digital certificate owners, signs digital certificates to prevent eavesdropping and tampering, and manages certificates and keys. A world-wide trusted CA is called a root CA. The root CA can authorize other CAs as subordinate CAs. The CA identities are described in a trusted-CA file.
  In the certificate issuing process, CA1 functions as the root CA and issues a certificate for CA2, and CA2 issues a certificate for CA3. The process repeats until CAn issues the final server certificate.
  In the certificate authentication process, the client first authenticates the server's certificate. If CA3 issues the server certificate, the client uses the CA3 certificate to authenticate the server certificate. If the server certificate is authenticated, the client uses the CA2 certificate to authenticate the CA3 certificate. After the CA2 certificate is authenticated, the client uses the CA1 certificate to authenticate the CA2 certificate. The client considers the server certificate valid only when the CA2 certificate has been authenticated. Figure 11-1 shows the certificate issuing and authentication processes.
Figure 11-1 Certificate issuing and authentication
[Figure: certificate issuing runs from CA1 through CA2 ... CAn to the server certificate; certificate verification runs the same chain in the opposite direction.]
- Digital certificate
  A digital certificate is an electronic document issued by a CA to bind a public key with a certificate subject (an applicant that has obtained a certificate). Information in a digital certificate includes the applicant name, public key, digital signature of the CA that issues the digital certificate, and validity period of the digital certificate. A digital certificate verifies the identities of two communicating parties, improving communication reliability. A user must obtain the public key certificate of the information sender to decrypt and authenticate information in the certificate. The user also needs the CA certificate of the information sender to verify the identity of the information sender.
- Certificate Revocation List (CRL)
  A CRL is issued by a CA to specify certificates that have been revoked. Each certificate has a validity period. A CA can issue a CRL to revoke certificates before their validity periods expire. The validity period of a certificate specified in the CRL is shorter than the original validity period of the certificate. If a CA revokes a digital certificate, the key pair defined in the certificate cannot be used. After a certificate in a CRL expires, the certificate is deleted from the CRL to shorten the CRL. Information in a CRL includes the issuer and serial number of each certificate, the issuing date of the CRL, certificate revocation date, and time when the next CRL will be issued. Clients use CRLs to check validity of certificates. When verifying a server's digital certificate, a client checks the CRL. If the certificate is in the CRL, the client considers the certificate invalid.

Security Mechanisms
SSL provides the following security mechanisms:
- Connection privacy
  SSL uses symmetric cryptography to encrypt data. It uses the Rivest-Shamir-Adleman (RSA) algorithm (an asymmetric algorithm) to encrypt the key used by the symmetric cryptography.
- Identity authentication
  Digital certificates are used to authenticate a server and a client that need to communicate with each other. The SSL server and client use the mechanism provided by the public key infrastructure (PKI) to apply to a CA for a certificate.
- Message integrity
  A keyed message authentication code (MAC) is used to verify message integrity during transmission. A MAC algorithm computes a key and data of an arbitrary length to generate a MAC of a fixed length.
A message sender uses a MAC algorithm and a key to compute a MAC, appends it to a message, and sends the message to a receiver. The receiver uses the same key and MAC algorithm to compute a MAC and compares it with the MAC in the received message. If the two MACs are the same, the message has not been tampered with during transmission. If the two MACs are different, the message has been tampered with, and the receiver discards this message.
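The sender and receiver procedure just described, as an added example that is not from the Huawei guide: HMAC-SHA256 from the Python standard library stands in for the keyed MAC that an SSL session negotiates, the shared key is a constructed constant, and the receiver recomputes the MAC, compares it with the received one in constant time and discards the message when they differ.

```python
"""Added example, not Huawei's code: the keyed-MAC integrity check from the
Security Mechanisms section, implemented with HMAC-SHA256 from the Python
standard library (SSL/TLS applies the MAC per record with a key from the
handshake; the sender/receiver logic is the same)."""
import hashlib
import hmac

DEMO_KEY = b"constructed-demo-key-shared-by-both-sides"  # constructed; a real key comes from the handshake
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def protect(key: bytes, message: bytes) -> bytes:
    """Sender: compute the MAC over the message with the shared key and append it."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def verify_and_strip(key: bytes, received: bytes):
    """Receiver: recompute the MAC over the message part and compare it with the
    received MAC in constant time. Returns the message, or None if it is discarded."""
    if len(received) < MAC_LEN:
        return None  # too short to carry a MAC at all
    message, mac = received[:-MAC_LEN], received[-MAC_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # message or MAC modified in transit: discard
    return message


def flip_one_bit(data: bytes, index: int = 0) -> bytes:
    """Simulates corruption or tampering of one byte in transit."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)


def demo() -> dict:
    """Intact delivery passes; a flipped bit in the message, a flipped bit in
    the MAC, and a receiver holding a different key all fail."""
    sent = protect(DEMO_KEY, b"transfer 100 to account 42")
    return {
        "intact": verify_and_strip(DEMO_KEY, sent),
        "tampered_message": verify_and_strip(DEMO_KEY, flip_one_bit(sent, 9)),
        "tampered_mac": verify_and_strip(DEMO_KEY, flip_one_bit(sent, len(sent) - 1)),
        "wrong_key": verify_and_strip(b"some-other-key", sent),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'accepted' if result is not None else 'discarded'}")
```

The constant-time comparison matters because the receiver's verdict is observable to the sender; a byte-by-byte comparison that stops at the first mismatch would leak how many leading MAC bytes were correct.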

11.2 SSL Features Supported by the AR200-S


The AR200-S supports server SSL policies and client SSL policies.

Server SSL Policy


A server SSL policy defines the parameters that an SSL server uses in SSL handshakes, including the public key infrastructure (PKI) domain name, maximum number of sessions that can be saved, timeout period of a saved session, and cipher suite. To use an AR200-S as an SSL server, configure a server SSL policy on the AR200-S. During an SSL handshake, the AR200-S uses the SSL parameters in the server SSL policy to negotiate session parameters with an SSL client. After the handshake is complete, the AR200-S establishes a session with the client. A server SSL policy can be applied to application layer protocols such as the Hypertext Transfer Protocol (HTTP) to provide secure connections. The AR200-S can use a server SSL policy to ensure security of Hypertext Transfer Protocol Secure (HTTPS).

Client SSL Policy


A client SSL policy defines the parameters that an SSL client uses in SSL handshakes, including the PKI domain name, SSL protocol version, and cipher suite. To use an AR200-S as an SSL client, configure a client SSL policy on the AR200-S. During an SSL handshake, the AR200-S uses the SSL parameters in the client SSL policy to negotiate session parameters with the SSL server. After the handshake is complete, the AR200-S establishes a session with the server. A client SSL policy can be applied to application layer protocols such as the CPE WAN Management Protocol (CWMP) to provide secure connections. The AR200-S can use a client SSL policy to ensure security of the CWMP service.

11.3 Configuring a Server SSL Policy


A server SSL policy defines parameters that an SSL server uses in SSL handshakes, including the PKI domain name, maximum number of sessions that can be saved, timeout period of a saved session, and cipher suite. Among these parameters, the PKI domain name is mandatory, and the others are optional.

Prerequisites
The PKI domain has been configured.
Applicable Environment
The SSL protocol uses data encryption, identity authentication, and message integrity check to ensure security of TCP-based application layer protocols. To use an AR200-S as an SSL server, configure a server SSL policy on the AR200-S. A server SSL policy can be applied to application layer protocols such as HTTP to provide secure connections.
Figure 11-2 AR200-S functions as an SSL server
[Figure: an SSL client reaches the SSL server (the AR200-S) across the Internet.]

As shown in Figure 11-2, the AR200-S functions as an SSL server and has a server SSL policy configured. During an SSL handshake, the AR200-S uses the SSL parameters in the server SSL policy to negotiate session parameters with an SSL client. After the handshake is complete, the AR200-S establishes a session with the client. The AR200-S is authenticated by the SSL client, but it cannot authenticate the client.
NOTE

When functioning as an SSL server, the AR200-S can communicate with SSL clients running SSL3.0, TLS1.0, or TLS 1.1. The AR200-S determines the SSL protocol version used for this communication and sends a Server Hello message to notify the client.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
ssl policy policy-name type server

A server SSL policy is created.
Step 3 Run:
pki-realm realm-name

A PKI domain is specified for the server SSL policy. By default, no PKI domain is specified for a server SSL policy on the AR200-S.
NOTE
The AR200-S obtains a digital certificate from a CA in the specified PKI domain. Clients can then authenticate the AR200-S by checking the digital certificate.

Step 4 (Optional) Run:
session { cachesize size | timeout time } *

The maximum number of sessions that can be saved and the timeout period of a saved session are set. By default, a maximum of 32 sessions can be saved, and the timeout period of a saved session is 3600s.
Step 5 (Optional) Run:
ciphersuite { rsa_aes_128_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha } *

A cipher suite is specified. By default, a server SSL policy supports all the cipher suites: rsa_aes_128_cbc_sha, rsa_des_cbc_sha, rsa_rc4_128_md5, and rsa_rc4_128_sha.
----End

Example
# Run the display ssl policy policy-name command to view the configuration of the SSL policy server-users.
<Huawei> display ssl policy server-users
------------------------------------------------------------------------------
 Policy name                    : serverusers
 Policy ID                      : 1
 Policy type                    : Server
 Cache number                   : 32
 Time out(second)               : 3600
 Server certificate load status : loaded
 Bind number                    : 1
 SSL connection number          : 1
------------------------------------------------------------------------------

11.4 Configuring a Client SSL Policy


A client SSL policy defines the parameters that an SSL client uses in SSL handshakes, including the PKI domain name, SSL protocol version, and cipher suite.

Prerequisites
The PKI domain has been configured.

Applicable Environment
The SSL protocol uses data encryption, identity authentication, and message integrity check to ensure security of TCP-based application layer protocols. To use an AR200-S as an SSL client, configure a client SSL policy on the AR200-S. A client SSL policy can be applied to application layer protocols such as the CPE WAN Management Protocol (CWMP) to provide secure connections.
Figure 11-3 AR200-S functions as an SSL client
[Figure: the SSL client (the AR200-S) reaches the SSL server across the Internet.]


As shown in Figure 11-3, the AR200-S functions as an SSL client and has a client SSL policy configured. During an SSL handshake, the AR200-S uses the SSL parameters in the client SSL policy to negotiate session parameters with the SSL server. After the handshake is complete, the AR200-S establishes a session with the server. When functioning as an SSL client, the AR200-S does not allow SSL servers to authenticate it, but it can authenticate SSL servers. When the AR200-S functions as an SSL client, enable it to authenticate servers to ensure secure communication.

Procedure
Step 1 Run:
system-view

The system view is displayed. Step 2 Run:


ssl policy policy-name type client

A client SSL policy is created. Step 3 Run:


server-verify enable

SSL server authentication is enabled. By default, SSL server authentication is disabled in a client SSL policy. Step 4 Run:
pki-realm realm-name

A PKI domain is specified for the client SSL policy. By default, no PKI domain is specified for a client SSL policy on the AR200-S.
NOTE

The AR200-S obtains a CA certificate chain from CAs in the specified PKI domain. The AR200-S authenticates an SSL server by checking the server certificate and CA certificates against the CA certificate chain.

Step 5 (Optional) Run:


version { ssl3.0 | tls1.0 | tls1.1 }

The SSL protocol version is specified. By default, a client SSL policy uses Transport Layer Security (TLS) version 1.0.
NOTE

Ensure that the specified SSL protocol version is supported by the SSL server. Before performing this step, check the SSL protocol versions that the SSL server supports.

Step 6 (Optional) Run:


prefer-ciphersuite { rsa_aes_128_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }

A cipher suite is specified. By default, a client SSL policy uses all the cipher suites: rsa_aes_128_cbc_sha, rsa_des_cbc_sha, rsa_rc4_128_md5, and rsa_rc4_128_sha.
Issue 02 (2012-03-30) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. 212

NOTE

Ensure that the specified cipher suite is supported by the SSL server. Before performing this step, check the cipher suites that the SSL server supports.

----End
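The version and cipher suite chosen in Steps 5 and 6 decide what the AR200-S offers in the first handshake message. The following Python script is an added example, not Huawei code and not the router's implementation: it serializes a minimal TLS ClientHello carrying a chosen version and suite list, parses it back the way the SSL server sees it, and reports the choices a security reviewer would reject. The version numbers and the mapping of the policy's suite names to IANA cipher suite code points are standard TLS values; the record carries no extensions, which matches a client of this era.

```python
"""Added example: what a client SSL policy's `version` and `prefer-ciphersuite`
settings put on the wire. Builds a minimal TLS ClientHello, decodes it the way
a server would, and flags policy choices a reviewer should reject. Stdlib only."""
import os
import struct

# Protocol versions selectable with `version { ssl3.0 | tls1.0 | tls1.1 }`
VERSIONS = {"ssl3.0": 0x0300, "tls1.0": 0x0301, "tls1.1": 0x0302}

# Policy suite names mapped to their IANA cipher suite code points
SUITES = {
    "rsa_aes_128_cbc_sha": 0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    "rsa_des_cbc_sha": 0x0009,      # TLS_RSA_WITH_DES_CBC_SHA
    "rsa_rc4_128_md5": 0x0004,      # TLS_RSA_WITH_RC4_128_MD5
    "rsa_rc4_128_sha": 0x0005,      # TLS_RSA_WITH_RC4_128_SHA
}
# Single DES (56-bit key) and RC4 are broken; no current server should accept them
WEAK_SUITES = {"rsa_des_cbc_sha", "rsa_rc4_128_md5", "rsa_rc4_128_sha"}


def build_client_hello(version="tls1.0", suites=None, client_random=None):
    """Serialize a ClientHello record with no extensions: the policy's version and
    suite list (default: all four, as the policy does by default) in the order given."""
    suites = list(suites) if suites else list(SUITES)
    ver = VERSIONS[version]
    rnd = client_random if client_random is not None else os.urandom(32)
    if len(rnd) != 32:
        raise ValueError("client_random must be 32 bytes")
    suite_bytes = b"".join(struct.pack("!H", SUITES[s]) for s in suites)
    body = (
        struct.pack("!H", ver) + rnd
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    # Record header: ContentType handshake (0x16), record version, fragment length
    return b"\x16" + struct.pack("!H", ver) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Decode a record back into (version name, [suite names]) as the server sees it."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    ver = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                     # skip client_random
    pos += 1 + body[pos]                             # skip session_id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    codes = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    name_of_suite = {code: name for name, code in SUITES.items()}
    name_of_ver = {code: name for name, code in VERSIONS.items()}
    return (name_of_ver.get(ver, f"0x{ver:04x}"),
            [name_of_suite.get(c, f"unknown_0x{c:04x}") for c in codes])


def policy_findings(version, suites):
    """Review a (version, suites) choice; an empty list means nothing to object to."""
    findings = []
    if version == "ssl3.0":
        findings.append("ssl3.0 is obsolete; use tls1.1, the newest version this policy offers")
    for s in suites:
        if s in WEAK_SUITES:
            findings.append(f"{s} is broken; restrict prefer-ciphersuite to rsa_aes_128_cbc_sha")
    return findings


if __name__ == "__main__":
    hello = build_client_hello("tls1.1", ["rsa_aes_128_cbc_sha"])
    print(hello.hex())
    print(parse_client_hello(hello))
    print(policy_findings(*parse_client_hello(build_client_hello())))  # the default policy
```

Run as a script it prints the hex of a tls1.1 / rsa_aes_128_cbc_sha hello, its decoded form, and the findings for the default policy (four offered suites, three of them weak). On the router itself the equivalent check is to capture the handshake toward the server and confirm that the offered version and suite list are what the policy intends.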

Example
# Run the display ssl policy policy-name command to view the configuration of the SSL policy client-users.
<Huawei> display ssl policy client-users
------------------------------------------------------------------------------
Policy name                 : client-users
Policy ID                   : 3
Policy type                 : Client
Server verify               : 1
CA certificate load status  : loaded
CA certificate num          : 1
Bind number                 : 1
SSL connection number       : 1
------------------------------------------------------------------------------

11.5 Configuration Examples


This section provides several SSL configuration examples.

11.5.1 Example for Configuring a Server SSL Policy


This example shows how to configure a server SSL policy on an AR200-S functioning as an HTTPS server. After the configuration is complete, users can use a web browser to log in to and manage the Router.

Networking Environment
As shown in Figure 11-4, enterprise users use a web browser to connect to the Router. To prevent eavesdropping and tampering during data transmission, a network administrator requires users to use HTTPS to access the Router securely. To meet this requirement, configure the Router as an HTTPS server, and configure a server SSL policy on the Router.

Figure 11-4 Networking diagram of the server SSL policy configuration
(Figure: the Router's Eth1/0/0 11.1.1.1/24 faces the Internet; the CA at 11.137.145.158/24 and the enterprise users reach the Router across it.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a PKI entity and a PKI domain.
2. Configure a server SSL policy.
3. Configure the Router as an HTTPS server.

Data Preparation
To complete the configuration, you need the following data:
- Router's interface connected to the Internet: Ethernet1/0/0
- IP address of Ethernet1/0/0: 11.1.1.1/24
- IP address of the CA: 11.137.145.158/24
- PKI parameters, as shown in the following table.

Item         Data
PKI entity   PKI entity name: users
             - Entity's common name: hello
             - Entity's country code: CN
             - Entity's province name: jiangsu
             - Entity's organization name: huawei
             - Entity's department name: info
PKI domain   PKI domain name: users
             - Trusted CA: ca_root
             - Certificate's enrollment URL: http://11.137.145.158:8080/certsrv/mscep/mscep.dll ra
             - Bound PKI entity: users
             - CA's fingerprint algorithm: secure hash algorithm (SHA); fingerprint: 7bb05ada0482273388ed4ec228d79f77309ea3f4
               (Obtain the fingerprint from the CA administrator out of band. The Router uses it to verify the CA certificate it obtains during enrollment; without it a forged CA certificate served at the enrollment URL would be trusted.)

- SSL parameters, as shown in the following table.

Policy Name   Maximum Number of Sessions   Session Timeout Period
sslserver     40                           7200s

- HTTPS service port number: 1278

NOTE

Before starting the configuration, ensure that routes between the Router, user hosts, and CA are reachable.


Procedure
Step 1 Configure a PKI entity and a PKI domain.
# Configure a PKI entity.
<Huawei> system-view
[Huawei] sysname Router
[Router] pki entity users
[Router-pki-entity-users] common-name hello
[Router-pki-entity-users] country cn
[Router-pki-entity-users] state jiangsu
[Router-pki-entity-users] organization huawei
[Router-pki-entity-users] organization-unit info
[Router-pki-entity-users] quit

NOTE

If the entity's common name is not set to the Router's IP address 11.1.1.1 (the address users type into the browser), the browser displays a message indicating that the certificate is invalid when the client opens the website, because the certificate's subject does not match the address. The HTTPS session is still encrypted, but users have to click through a warning, which is exactly what they would see during a real man-in-the-middle attack; set the common name to the address users will use.

# Configure a PKI domain, and enable the automatic certificate enrollment and update function.
[Router] pki realm users
[Router-pki-realm-users] entity users
[Router-pki-realm-users] ca id ca_root
[Router-pki-realm-users] enrollment-url http://11.137.145.158:8080/certsrv/mscep/mscep.dll ra
[Router-pki-realm-users] fingerprint sha1 7bb05ada0482273388ed4ec228d79f77309ea3f4
[Router-pki-realm-users] auto-enroll regenerate
[Router-pki-realm-users] quit

Step 2 Configure a server SSL policy sslserver.
# Create a server SSL policy and specify PKI domain users in the policy. This allows the Router to obtain a digital certificate from the CA specified in the PKI domain.
[Router] ssl policy sslserver type server
[Router-ssl-policy-sslserver] pki-realm users

# Set the maximum number of sessions that can be saved and the timeout period of a session.
[Router-ssl-policy-sslserver] session cachesize 40 timeout 7200
[Router-ssl-policy-sslserver] quit

Step 3 Configure the Router as an HTTPS server. # Apply the SSL policy sslserver to the HTTPS service.
[Router] http secure-server ssl-policy sslserver

# Enable the HTTPS server function on the Router.


[Router] http secure-server enable

# Configure the port number of the HTTPS service.


[Router] http secure-server port 1278

Step 4 Verify the configuration.
# Run the display ssl policy command to view the configuration of the SSL policy sslserver.
<Router> display ssl policy sslserver
------------------------------------------------------------------------------
Policy name                     : sslserver
Policy ID                       : 1
Policy type                     : Server
Cache number                    : 40
Time out(second)                : 7200
Server certificate load status  : loaded
Bind number                     : 1
SSL connection number           : 1
------------------------------------------------------------------------------

# Start the web browser on a PC, and enter https://11.1.1.1:1278 in the address box. The web management system of the Router is displayed, and you can manage the Router on the web pages.
----End

Example
Configuration file of the Router
#
 sysname Router
#
interface Ethernet 1/0/0
 ip address 11.1.1.1 255.255.255.0
#
pki entity users
 country CN
 state jiangsu
 organization huawei
 organization-unit info
 common-name hello
#
pki realm users
 ca id ca_root
 enrollment-url http://11.137.145.158:8080/certsrv/mscep/mscep.dll ra
 entity users
 auto-enroll regenerate
 fingerprint sha1 7bb05ada0482273388ed4ec228d79f77309ea3f4
#
ssl policy sslserver type server
 pki-realm users
 session cachesize 40 timeout 7200
#
 http secure-server ssl-policy sslserver
 http secure-server enable
 http secure-server port 1278
#
return

11.5.2 Example for Configuring a Client SSL Policy


This example shows how to configure a client SSL policy on the AR200-S functioning as the customer premises equipment (CPE). After the configuration is complete, the AR200-S can authenticate the auto-configuration server (ACS) and communicate with the ACS securely.

Networking Environment
As shown in Figure 11-5, the Router functions as a CPE to connect to phones, fax machines, and switches. An ACS uses CWMP to manage and control the Router.
The ACS functions as an SSL server and has obtained a digital certificate from the CA. You need to configure the Router as an SSL client to authenticate the ACS. This ensures privacy and integrity of data exchanged between the Router and the ACS.

Figure 11-5 Networking diagram of the client SSL policy configuration
(Figure: the Router's Eth1/0/0 11.1.1.1/24 faces the Internet, across which it reaches the CA at 11.137.145.158/24 and, over CWMP, the ACS at 11.2.2.58/24; on the LAN side an LSW connects an analog phone, an IP phone, a PC, and a fax.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a PKI entity and a PKI domain.
2. Configure a client SSL policy on the Router and enable SSL server authentication in the policy.
3. Apply the client SSL policy to the CWMP service so that the Router authenticates the ACS to ensure data privacy and integrity.
4. Enable the Router to automatically initiate connections to the ACS and set the CWMP parameters. This enables the ACS to manage and control the Router using CWMP.

Data Preparation
To complete the configuration, you need the following data:
- PKI domain name: cwmp0
- Client SSL policy name: sslclient
- IP address of the CA: 11.137.145.158/24
- URL of the ACS: https://www.acs.com:80/acs
- PKI parameters, as shown in the following table.

Item         Data
PKI entity   PKI entity name: cwmp0
             - Entity's common name: hello
             - Entity's country code: CN
             - Entity's province name: jiangsu
             - Entity's organization name: huawei
             - Entity's department name: info
PKI domain   PKI domain name: cwmp0
             - Trusted CA: ca_root
             - Certificate's enrollment URL: http://11.137.145.158:8080/certsrv/mscep/mscep.dll ra
             - Bound PKI entity: cwmp0
             - CA's fingerprint algorithm: secure hash algorithm (SHA); fingerprint: 7bb05ada0482273388ed4ec228d79f77309ea3f4

NOTE

Before starting the configuration, ensure that routes between the Router, ACS, and CA are reachable.

Procedure
Step 1 Configure a PKI entity and a PKI domain.
# Configure a PKI entity.
<Huawei> system-view
[Huawei] sysname Router
[Router] pki entity cwmp0
[Router-pki-entity-cwmp0] common-name hello
[Router-pki-entity-cwmp0] country CN
[Router-pki-entity-cwmp0] state jiangsu
[Router-pki-entity-cwmp0] organization huawei
[Router-pki-entity-cwmp0] organization-unit info
[Router-pki-entity-cwmp0] quit

# Configure a PKI domain, and enable the automatic certificate enrollment and update function.
[Router] pki realm cwmp0
[Router-pki-realm-cwmp0] entity cwmp0
[Router-pki-realm-cwmp0] ca id ca_root
[Router-pki-realm-cwmp0] enrollment-url http://11.137.145.158:8080/certsrv/mscep/mscep.dll ra
[Router-pki-realm-cwmp0] fingerprint sha1 7bb05ada0482273388ed4ec228d79f77309ea3f4
[Router-pki-realm-cwmp0] auto-enroll regenerate
[Router-pki-realm-cwmp0] quit

# Manually enroll the certificate.
[Router] pki enroll-certificate cwmp0
Info: Start certificate enrollment ...
Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration. Please make a note of it.
Choice no password ,please enter the enter-key.
Please enter Password:
Start certificate enrollment ...
Certificate enrolling now,It will take a few minutes or more. Please waiting...
[Router]
The certificate enroll successful.

NOTE

You will be prompted to enter the password during certificate enrollment. If you do not have a password, press Enter.

Step 2 Configure a client SSL policy.
# Enable SSL server authentication.
[Router] ssl policy sslclient type client
[Router-ssl-policy-sslclient] server-verify enable

# Specify the PKI domain cwmp0 in the client SSL policy.
[Router-ssl-policy-sslclient] pki-realm cwmp0
[Router-ssl-policy-sslclient] quit

Step 3 Enable the CWMP function on the Router.
[Router] cwmp
[Router-cwmp] cwmp enable

Step 4 Apply the SSL policy to CWMP.
[Router-cwmp] cwmp ssl-client ssl-policy sslclient

Step 5 Configure the Router to automatically initiate connections to the ACS.
# Configure the URL used by the Router to connect to the ACS.
[Router-cwmp] cwmp acs url https://www.acs.com:80/acs

# Enable the Router to send Inform messages.
[Router-cwmp] cwmp cpe inform interval enable

# Set the interval at which the Router sends Inform messages to 1000 seconds.
[Router-cwmp] cwmp cpe inform interval 1000

# Configure the Router to send an Inform message at 2011-01-01 20:00:00.
[Router-cwmp] cwmp cpe inform time 2011-01-01T20:00:00

Step 6 Set CWMP parameters on the Router.
# Configure the interface that the Router uses to connect to the ACS.
[Router-cwmp] cwmp cpe connect interface Ethernet 1/0/0

# Set the user name and password that the Router presents when the ACS authenticates it.
[Router-cwmp] cwmp acs username newacsname
[Router-cwmp] cwmp acs password newacspsw

# Set the user name and password that the ACS must present when the Router authenticates it.
[Router-cwmp] cwmp cpe username newcpename
[Router-cwmp] cwmp cpe password newcpepsw


# Set the maximum number of connection attempts to 5.
[Router-cwmp] cwmp cpe connect retry 5

# Set the close-wait timer of the Router to 100 seconds. If no data is transmitted within 100 seconds, the connection is torn down.
[Router-cwmp] cwmp cpe wait timeout 100

Step 7 Verify the configuration.
# Run the display current-configuration command. The command output shows that SSL has been successfully configured for CWMP.
<Router> display current-configuration
...
cwmp
 cwmp cpe inform interval enable
 cwmp acs url https://www.acs.com:80/acs
 cwmp acs username newacsname
 cwmp acs password newacspsw
 cwmp cpe username newcpename
 cwmp cpe password newcpepsw
 cwmp cpe inform interval 1000
 cwmp cpe connect retry 5
 cwmp cpe wait timeout 100
 cwmp cpe connect interface Ethernet 1/0/0
 cwmp ssl-client ssl-policy sslclient
...

# Run the display cwmp configuration command. The command output shows that CWMP is enabled, and the Router is configured to send Inform packets at intervals.
<Router> display cwmp configuration
CWMP is enabled
ACS URL:               https://www.acs.com:80/acs
ACS username:          newacsname
ACS password:          newacspsw
Inform enable status:  enabled
Inform interval:       1000s
Inform time:           2011-01-01T20:00:00
Wait timeout:          100s
Reconnection times:    5

# Run the display cwmp status command. The command output shows that CWMP is enabled, and the CWMP connection status is connected.
<Router> display cwmp status
CWMP is enabled
ACS URL:                             https://www.acs.com:80/acs
Acs information is set by:           user
ACS username:                        newacsname
ACS password:                        newacspsw
Connection status:                   connected
Time of last successful connection:  2010-12-01T20:00:00

The ACS and CPE passwords appear in clear text in these outputs and in the configuration file, so restrict who can read the configuration and run these display commands.
----End

Example
Configuration file of the Router
#
 sysname Router
#
interface Ethernet 1/0/0
 ip address 11.1.1.1 255.255.255.0
#
cwmp
 cwmp cpe inform interval enable
 cwmp acs url https://www.acs.com:80/acs
 cwmp acs username newacsname
 cwmp acs password newacspsw
 cwmp cpe username newcpename
 cwmp cpe password newcpepsw
 cwmp cpe inform interval 1000
 cwmp cpe connect retry 5
 cwmp cpe wait timeout 100
 cwmp cpe connect interface Ethernet 1/0/0
 cwmp ssl-client ssl-policy sslclient
#
pki entity cwmp0
 country CN
 state jiangsu
 organization huawei
 organization-unit info
 common-name hello
#
pki realm cwmp0
 ca id ca_root
 enrollment-url http://11.137.145.158:8080/certsrv/mscep/mscep.dll ra
 entity cwmp0
 auto-enroll regenerate
 fingerprint sha1 7bb05ada0482273388ed4ec228d79f77309ea3f4
#
ssl policy sslclient type client
 server-verify enable
 pki-realm cwmp0
#
return

12 PKI Configuration

About This Chapter

12.1 PKI Overview
The Public Key Infrastructure (PKI) is a system that generates public keys and digital certificates, and verifies identities of certificate subjects to ensure information security. PKI provides a certificate management mechanism for the IP Security (IPSec) protocol and Secure Sockets Layer (SSL) protocol.

12.2 PKI Features Supported by the AR200-S
On the AR200-S, you can configure PKI entities, PKI domains, manually or automatically enroll certificates, authenticate certificate validity, manage certificates, import or export certificates, and delete expired certificates.

12.3 Configuring a PKI Entity
A certificate binds a public key to a set of information that uniquely identifies a PKI entity. A PKI entity identifies a certificate applicant.

12.4 Configuring a PKI Domain
Before an entity applies for a PKI certificate, registration information needs to be configured for the entity. A set of the registration information is the PKI domain of the entity.

12.5 Configuring Certificate Enrollment
Certificate enrollment is a process in which an entity registers with a CA and obtains a certificate from the CA. During this process, the entity provides the identity information and public key, which will be added to the certificate issued to the entity.

12.6 Configuring Certificate Authentication
Before a certificate is used, it must be authenticated.

12.7 Managing Certificates
Managing certificates includes deleting, importing, and exporting certificates, and configuring the default path where certificates are stored.

12.8 Configuration Examples

12.1 PKI Overview


The Public Key Infrastructure (PKI) is a system that generates public keys and digital certificates, and verifies identities of certificate subjects to ensure information security. PKI provides a certificate management mechanism for the IP Security (IPSec) protocol and Secure Sockets Layer (SSL) protocol.

Definition
The public key infrastructure (PKI) is a system that generates public keys and digital certificates, and verifies identities of certificate subjects to ensure information security. PKI issues digital certificates that bind public keys to respective user identities by means of a certificate authority (CA). PKI allows users to easily request, download, and revoke digital certificates. In addition to issuing digital certificates, the PKI provides other services such as revocation lists (blacklisting) to ensure confidentiality, integrity, non-repudiation, and authentication of data.
- Confidentiality: Data cannot be read by unauthorized users even if it is intercepted during transmission.
- Integrity: Data cannot be tampered with by unauthorized users during transmission without the tampering being detected.
- Non-repudiation: A data sender cannot deny having sent a message or digital signature.
- Authentication: Communication entities can be identified.

PKI provides information security on insecure networks and private networks. It can also securely transmit keys between users.

Digital Certificate
A digital certificate is a file that is signed by a certificate authority (CA) and binds a public key to a user identity. The signature of the CA ensures the validity and authority of the digital certificate. A digital certificate must comply with the ITU-T X.509 standard. Currently, X.509 v3 digital certificates are mostly used. A digital certificate contains multiple fields, including the certificate issuer name, entity public key, signature of the issuing CA, and certificate validity period. Three types of digital certificates are described in this section: local certificates, CA certificates, and self-signed certificates.
- Local certificate: is signed by a CA and issued to a user.
- CA certificate: is used to verify a CA's identity. If multiple CAs exist in the PKI system, a CA hierarchy is formed. At the top of the hierarchy is a root CA, which has a self-signed certificate.
- Self-signed certificate: is issued by a PKI device to itself. In a self-signed certificate, the certificate issuer and subject are the same.

Certificate Revocation List


When a user name is changed, a private key is compromised, or services cease, the certificate of the user must be revoked to unbind the public key from the user identity. In the PKI, a certificate revocation list (CRL) is used to revoke certificates. After a certificate is revoked, the CA that issued it publishes a CRL to declare that the certificate is invalid. The CRL contains the serial numbers of revoked certificates, so a relying party can check a certificate's validity by looking up its serial number in the issuer's current CRL. A CRL that is past its nextUpdate time says nothing about certificates revoked since it was issued, so a relying party must fetch a fresh copy rather than keep trusting a stale one.

If a CRL contains many revoked certificates, the CRL size is large, deteriorating performance of network resources. To avoid this problem, a CA publishes multiple CRLs and uses CRL distribution points (CDPs) to indicate the location of these CRLs.

12.2 PKI Features Supported by the AR200-S


On the AR200-S, you can configure PKI entities, PKI domains, manually or automatically enroll certificates, authenticate certificate validity, manage certificates, import or export certificates, and delete expired certificates.

PKI System Architecture


Figure 12-1 shows the PKI system architecture.

Figure 12-1 PKI system architecture
(Figure: the end entity and the PKI management entity exchange operational and management interactions; the RA passes requests to the CA, which issues certificates and CRLs into the certificate/CRL repository and publishes CRLs through the CDP; certificates can also be loaded out of band.)

The public key infrastructure (PKI) system consists of the following components:
- PKI entity
  A PKI entity refers to an end entity or a PKI management entity. An end entity is a certificate applicant or user. A PKI management entity is an authority that issues or manages certificates. Certificate authorities (CAs), registration authorities (RAs), and certificate revocation list (CRL) issuers are PKI management entities. Sometimes an attribute authority (AA) functions as a CRL issuer.
- PKI repository
  The PKI repository stores certificates and CRLs for PKI entities to query and manage.
- PKI protocol suite
  The PKI protocol suite consists of the Public Key Infrastructure using X.509 (PKIX) standards and the Public-Key Cryptography Standards (PKCS). PKIX was developed by the IETF PKIX Working Group. PKIX defines a series of standards and protocols used for communication between PKI entities or between a PKI entity and a PKI repository. These standards define operation rules, certificate formats and content, CRL formats and content, cryptography and signature algorithms, PKI policies, PKI repository protocols, and certificate management protocols.
  PKCS was jointly developed by RSA Laboratories and other secure systems developers to implement cooperation between public-key cryptography systems. It defines various key and data formats, algorithms and application programming interfaces, abstract syntax notation, and basic encoding rules. The data formats and algorithms defined in PKCS are the basis of PKI implementation. The Rivest-Shamir-Adleman (RSA) algorithm is one of the most commonly used public-key algorithms. PKCS#1 defines the RSA cryptography specifications, including formats for RSA public keys, calculation methods for digital signatures, formats for digital signatures and data to be signed, and syntax for public and private keys.
- Other protocols
  Some protocols do not belong to the PKCS family, but PKCS uses encoding rules in these protocols to describe objects. These protocols include Abstract Syntax Notation One (ASN.1), Distinguished Encoding Rules (DER), Basic Encoding Rules (BER), and Base64. ASN.1 (originally published as ITU-T X.208) defines rules for describing the structure of objects and data structures in representing, encoding, transmitting, and decoding data.
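The CRL section above says a CRL lists the serial numbers of revoked certificates, and the protocol notes say PKI objects are described in ASN.1 and encoded in DER. The following Python script is an added example, not code from this guide or from the AR200-S: it constructs a small CertificateList in DER (RFC 5280 layout; the issuer label ca_root is borrowed from the chapter's examples and the serial numbers are invented), parses it back with a minimal DER TLV walker, and answers whether a given serial is revoked while refusing to decide on a CRL that is past its nextUpdate. The CA signature over the CRL is deliberately not verified, which is the one step a real relying party must add before trusting any field it parses.

```python
"""Added example (not Huawei code): build a constructed X.509 CRL in DER, parse it
back, and answer "is serial N revoked?" with the nextUpdate freshness check a
relying party must apply. Stdlib only; the CA signature is NOT verified here."""
from datetime import datetime, timezone

UTC = timezone.utc

def at(y, m, d):
    """UTC timestamp helper used by the constructed sample and its checks."""
    return datetime(y, m, d, tzinfo=UTC)

# ---- DER encoding: only needed to construct the sample CRL ----
def der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:                                  # long form: 0x80 | count, then big-endian count bytes
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_integer(value):                    # non-negative INTEGER, minimal two's-complement
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def der_utctime(dt):                       # UTCTime YYMMDDHHMMSSZ
    return der_tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def der_seq(*items):
    return der_tlv(0x30, b"".join(items))

SHA256_WITH_RSA = der_seq(bytes.fromhex("06092a864886f70d01010b"), b"\x05\x00")  # AlgorithmIdentifier
ID_AT_COMMON_NAME = bytes.fromhex("0603550403")                                      # OID 2.5.4.3

def der_name_cn(cn):                       # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    return der_seq(der_tlv(0x31, der_seq(ID_AT_COMMON_NAME, der_tlv(0x0C, cn.encode()))))

def build_crl(issuer_cn, this_update, next_update, revoked):
    """CertificateList per RFC 5280 with a placeholder (unsigned) signatureValue."""
    entries = b"".join(der_seq(der_integer(s), der_utctime(d)) for s, d in revoked)
    tbs = der_seq(SHA256_WITH_RSA, der_name_cn(issuer_cn), der_utctime(this_update),
                  der_utctime(next_update), der_seq(entries))
    return der_seq(tbs, SHA256_WITH_RSA, der_tlv(0x03, bytes(9)))  # BIT STRING, 0 unused bits

# ---- DER decoding ----
def parse_tlv(data, pos=0):
    """Return (tag, content, end) for the TLV at pos; rejects non-DER length forms."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated TLV")
    return tag, data[pos:end], end

def children(content):
    """Split a constructed value into its (tag, content) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = parse_tlv(content, pos)
        out.append((tag, body))
    return out

def parse_time(tag, body):
    text = body.decode("ascii")
    if tag == 0x17:                        # UTCTime: RFC 5280 says YY >= 50 means 19YY
        yy = int(text[:2])
        text = f"{yy + (1900 if yy >= 50 else 2000)}{text[2:]}"
    elif tag != 0x18:                      # GeneralizedTime already carries YYYY
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def parse_crl(der):
    """Extract issuer CN, validity window and {serial: revocationDate} from a DER CRL.
    A real verifier checks the CA's signature over tbsCertList before trusting any of this."""
    tag, body, end = parse_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tbs, _sig_alg, _sig_value = children(body)
    fields = children(tbs[1])
    if fields[0][0] == 0x02:               # optional version field (v2 CRLs)
        fields = fields[1:]
    _sig, issuer, this_update, *rest = fields
    next_update = None
    if rest and rest[0][0] in (0x17, 0x18):
        next_update, rest = parse_time(*rest[0]), rest[1:]
    revoked = {}
    if rest and rest[0][0] == 0x30:
        for _t, entry in children(rest[0][1]):
            (_, serial), (ttag, tbody) = children(entry)[:2]
            revoked[int.from_bytes(serial, "big")] = parse_time(ttag, tbody)
    first_atv = children(children(children(issuer[1])[0][1])[0][1])  # first RDN, first attribute
    return {"issuer": first_atv[1][1].decode(), "this_update": parse_time(*this_update),
            "next_update": next_update, "revoked": revoked}

def check_serial(crl, serial, now):
    """'revoked', 'good', or 'crl-expired' (past nextUpdate: fetch a fresh CRL from the CDP)."""
    if crl["next_update"] is not None and now > crl["next_update"]:
        return "crl-expired"
    return "revoked" if serial in crl["revoked"] else "good"

# Constructed sample: issuer label matches the chapter's trusted CA "ca_root"; serials are invented
SAMPLE_CRL = build_crl("ca_root", at(2012, 3, 30), at(2012, 4, 6),
                       [(0x1001, at(2012, 3, 15)), (0x1002, at(2012, 3, 20))])
```

The sample is 140 bytes, so its outer SEQUENCE uses the long-form length (0x81 0x89), which is the case a hand-written parser most often gets wrong. Calling parse_crl(SAMPLE_CRL) and then check_serial(crl, 0x1001, at(2012, 4, 1)) returns "revoked"; the same query dated after nextUpdate returns "crl-expired" instead of a misleading "good".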

PKI Working Process


On a PKI network, PKI is configured on the AR200-S to allow the AR200-S to obtain a local certificate from a CA and verify certificate validity. The PKI working process is as follows:
1. An entity applies for a certificate from a registration authority (RA).
2. The RA authenticates the entity's identity and forwards the entity's identity information and public key, under the RA's own digital signature, to a certificate authority (CA).
3. The CA verifies the RA's signature, issues a certificate if it approves the entity's request, and sends it to the RA.
4. The RA receives the certificate and notifies the entity that its certificate has been issued.
5. The entity obtains the certificate and uses it to securely communicate with other entities by means of encrypted data or digital signatures.
6. The entity sends a revocation request to the CA if it needs to revoke its certificate. The CA approves the entity's revocation request and updates its CRL.

PKI Configuration Roadmap


Figure 12-2 shows the PKI configuration roadmap.

Figure 12-2 PKI configuration roadmap
1. Configure a PKI entity: configure a PKI entity identifier; (optional) configure PKI entity attributes.
2. Configure a PKI domain: create a PKI domain; configure the trusted CA name and enrollment URL; (optional) configure the CA certificate fingerprint; (optional) configure other attributes in the PKI domain.
3. Configure certificate enrollment: configure manual certificate enrollment, configure automatic certificate enrollment and update, or configure a self-signed or local certificate.
4. (Optional) Configure certificate authentication: configure the certificate check mode; check certificate validity.
5. (Optional) Manage certificates: delete a CA certificate or local certificate; import a certificate; export a certificate.

License Support
The PKI function is used with a license. To use the PKI function, apply for and purchase the following license from the Huawei local office:
- AR150&200 Value-Added Security Package

12.3 Configuring a PKI Entity


A certificate binds a public key to a set of information that uniquely identifies a PKI entity. A PKI entity identifies a certificate applicant.

12.3.1 Establishing the Configuration Task


Before configuring a PKI entity, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
A certificate binds a public key to a set of information that uniquely identifies a PKI entity. A distinguished name (DN) of an entity is the identity information of the entity. The identity information provided by an entity uniquely identifies a certificate applicant.

Pre-configuration Tasks
None

Data Preparation
To configure a PKI entity, you need the following data.
1. PKI entity's common name, fully qualified domain name (FQDN), or both (each of the two uniquely identifies a PKI entity)
2. (Optional) PKI entity's country code, state name, organization name, department name, and IP address

12.3.2 Configuring a PKI Entity Identifier


You can configure a common name, a fully qualified domain name (FQDN), or both to uniquely identify a PKI entity.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki entity entity-name

The PKI entity view is displayed. By default, no PKI entity is configured on the AR200-S.

Step 3 Run the following commands to configure the PKI entity identifiers:
- Run the common-name common-name command to configure the common name for the PKI entity. By default, no common name is configured for a PKI entity on the AR200-S.
- Run the fqdn fqdn-name command to configure the FQDN for the PKI entity. By default, no FQDN is configured on the AR200-S.
Either common-name or fqdn-name can identify a PKI entity. To identify a PKI entity, specify at least one of them.
----End

12.3.3 (Optional) Configuring PKI Entity Attributes


In addition to configuring a common name or an FQDN for a PKI entity, you can configure the country code, state or province name, organization name, department name, and IP address for the PKI entity. These attributes become part of the entity's distinguished name in the certificate request.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki entity entity-name

The PKI entity view is displayed.

Step 3 Run:
country country-code

A country code is configured for the PKI entity. By default, no country code is configured for a PKI entity.

Step 4 Run:
state state-name

A state name or province name is configured for the PKI entity. By default, no state name or province name is configured for a PKI entity.

Step 5 Run:
organization organization-name

An organization name is configured for the PKI entity. By default, no organization name is configured for a PKI entity.

Step 6 Run:
organization-unit organization-unit-name

A department name is configured for the PKI entity. By default, no department name is configured for a PKI entity.

Step 7 Run:
ip-address ip-address

An IP address is configured for the PKI entity. By default, no IP address is configured for a PKI entity.
----End

12.3.4 Checking the Configuration


After a PKI entity is configured, you can view the PKI entity configuration.

Procedure
- Run the display pki entity [ entity-name ] command to check the PKI entity configuration.
----End

12.4 Configuring a PKI Domain


Before an entity applies for a PKI certificate, registration information needs to be configured for the entity. A set of the registration information is the PKI domain of the entity.

12.4.1 Establishing the Configuration Task


Before configuring a PKI domain, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
A PKI domain is a set of identity information required when a PKI entity enrolls a certificate. A PKI domain allows other applications, such as Internet Key Exchange (IKE) and Secure Sockets Layer (SSL), to reference the PKI configuration easily. A PKI domain configured on a device is unavailable to CAs or other devices. Each PKI domain has its own domain parameters.

Pre-configuration Tasks
Before creating a PKI domain, complete the following task:
- Creating a PKI entity

Data Preparation
To configure a PKI domain, you need the following data.
1. PKI domain name
2. Bound PKI entity name
3. Trusted CA name and enrollment URL
4. (Optional) CA root certificate fingerprint
5. (Optional) Certificate revocation password, Rivest-Shamir-Adleman (RSA) key length, source IP address used in TCP connection setup

12.4.2 Creating a PKI Domain


A PKI domain is a set of identity information required when a PKI entity enrolls a certificate. A PKI domain allows other applications, such as Internet Key Exchange (IKE) and Secure Sockets Layer (SSL), to reference the PKI configuration easily.


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki realm realm-name

A PKI domain is created. By default, no PKI domain is configured on the AR200-S.

----End

12.4.3 Configuring a PKI Entity Name


In a PKI domain, configure a name for the PKI entity applying for a certificate. A PKI entity name binds to only one PKI entity.

Context
When a PKI entity sends a certificate request to a CA, the PKI entity must specify the used entity name to show its identity information to the CA.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki realm realm-name

A PKI domain is configured. By default, no PKI domain is configured on the AR200-S.

Step 3 Run:
entity entity-name

A PKI entity is specified. By default, no PKI entity is specified on the AR200-S.

----End

12.4.4 Configuring the Trusted CA Name and Enrollment URL


A trusted certificate authority (CA) enrolls entities and issues certificates to them. Therefore, a trusted CA name and an enrollment URL must be configured.

Context
A registration authority (RA) receives registration requests from users, checks users' certificate credentials, and decides whether a CA can issue digital certificates to the users. An RA does not issue certificates to users; it only checks users' certificate credentials. Sometimes a CA implements the registration management function itself, in which case no independent RA is required.

Before an entity requests a certificate, an enrollment URL must be specified. The entity requests a certificate using the Simple Certificate Enrollment Protocol (SCEP) from the server specified by the enrollment URL. SCEP is the protocol entities use to communicate with CAs.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki realm realm-name

A PKI domain is configured. By default, no PKI domain is configured on the AR200-S.

Step 3 Run:
ca id ca-name

A trusted CA name is configured. By default, no trusted CA is configured on the AR200-S.

Step 4 Run:
enrollment-url url [ interval minutes ] [ times count ] [ ra ]

An enrollment URL is configured. By default, no enrollment URL is configured on the AR200-S.

----End

12.4.5 (Optional) Configuring CA Certificate Fingerprint


Before the AR200-S obtains a root certificate from a CA, the AR200-S needs to check the CA root certificate fingerprint. The CA root certificate fingerprint is the hash value of the root certificate and is unique to each certificate. If the CA root certificate fingerprint is different from the fingerprint configured in a specified PKI domain, the AR200-S refuses the issued root certificate.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki realm realm-name

A PKI domain is configured. By default, no PKI domain is configured on the AR200-S.

Step 3 Run:
fingerprint { md5 | sha1 } fingerprint

The CA certificate fingerprint used in CA certificate authentication is configured. The CA usually delivers its certificate fingerprint to the administrator by email. By default, no CA certificate fingerprint is configured on the AR200-S.

----End
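The fingerprint comparison described above, written out as an added Python example (this is not AR200-S code, and the device's own implementation is not shown in this guide): the hash is taken over the DER encoding of the root certificate, the configured value is normalised before comparison because the CLI accepts upper-case digits while the saved configuration stores lower case (compare the command and the configuration file in 12.8.1), and a mismatch refuses the certificate. The sample DER bytes and all function names are constructed for the example.

```python
import base64
import hashlib
import re

# Constructed stand-in for a DER-encoded CA root certificate (not a real
# certificate: any byte string shows how the fingerprint is taken).
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour, the text form a CA often mails out."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armour and base64-decode the body.  A fingerprint is the
    hash of the DER bytes, never of the PEM text, so a certificate received
    as PEM must be converted before it is hashed."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text)
    return base64.b64decode("".join(body.split()))


def fingerprint(der: bytes, algorithm: str) -> str:
    """Hex fingerprint of a DER certificate, 'md5' or 'sha1' as offered by the
    fingerprint { md5 | sha1 } command."""
    if algorithm not in ("md5", "sha1"):
        raise ValueError("unsupported fingerprint algorithm: " + algorithm)
    return hashlib.new(algorithm, der).hexdigest()


def normalize(fp: str) -> str:
    """Operators type fingerprints in upper case, sometimes with colon or
    space separators, while the saved configuration stores lower case.
    Comparing the normalised form avoids a spurious mismatch."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def accept_root_certificate(der: bytes, algorithm: str, configured_fp: str) -> bool:
    """True only when the downloaded certificate's fingerprint equals the one
    configured in the PKI domain; anything else is refused, which is what
    protects the first download from a substituted CA certificate."""
    expected = normalize(configured_fp)
    if len(expected) != 2 * hashlib.new(algorithm).digest_size:
        # A fingerprint of the wrong length can never match: treat it as a
        # configuration error instead of silently failing every check.
        raise ValueError("configured fingerprint has the wrong length for " + algorithm)
    return fingerprint(der, algorithm) == expected
```

The length check matters in practice: a fingerprint copied from an email with a digit missing would otherwise fail every authentication attempt with no hint that the configured value, not the CA, is at fault.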

12.4.6 (Optional) Configuring a Certificate Revocation Password


Configuring a certificate revocation password prevents users from incorrectly revoking certificates. This improves operation security.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki realm realm-name

A PKI domain is configured. By default, no PKI domain is configured on the AR200-S.

Step 3 Run:
password [ cipher ] password

A certificate revocation password is configured. By default, no certificate revocation password is configured on the AR200-S.

----End

12.4.7 (Optional) Configuring the RSA Key Length of Certificates


After the RSA key length of certificates is set, the AR200-S generates the RSA key of the specified length when requesting a certificate.

Context
An RSA key pair contains a public key and a private key. When host A requests a certificate, the certificate request must contain the public key. After a certificate is granted to host A, host B uses the public key of host A to encrypt data sent to host A. Host A keeps the private key and uses it to decrypt data sent from host B or to generate a digital signature for data sent to host B.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki realm realm-name

A PKI domain is configured. By default, no PKI domain is configured on the AR200-S.

Step 3 Run:
rsa-key-size size

The RSA key length of certificates is set. By default, the RSA key length of certificates is 1024 on the AR200-S.

----End

12.4.8 (Optional) Configuring a Source IP Address for TCP Connection Setup


The AR200-S uses a specified source IP address to establish a TCP connection with the Simple Certificate Enrollment Protocol (SCEP) server or Online Certificate Status Protocol (OCSP) server.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki realm realm-name

A PKI domain is configured. By default, no PKI domain is configured on the AR200-S.

Step 3 Run:
source interface interface-name

The source interface is specified. The AR200-S uses the IP address of this interface to set up a TCP connection. By default, the AR200-S uses the outbound interface's IP address as the source IP address for TCP connection setup.

----End

12.4.9 Checking the Configuration


After a PKI domain is configured, you can check the PKI domain configuration.

Procedure
- Run the display pki realm [ pki-realm-name ] command to check the PKI domain configuration.

----End

12.5 Configuring Certificate Enrollment


Certificate enrollment is a process in which an entity registers with a CA and obtains a certificate from the CA. During this process, the entity provides the identity information and public key, which will be added to the certificate issued to the entity.

12.5.1 Establishing the Configuration Task


Before configuring certificate enrollment, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
Certificates can be enrolled using the following methods:
- Manual certificate enrollment: A PKI device is configured to enroll a certificate with a CA.
- Automatic certificate enrollment: A PKI device uses the Simple Certificate Enrollment Protocol (SCEP) to request a certificate from a CA when the configuration required for certificate enrollment is complete but no local certificate is available.
- Self-signed certificate enrollment: A PKI device issues a self-signed certificate to itself.

Pre-configuration Tasks
Before configuring certificate enrollment, complete the following tasks:
- Creating a PKI entity
- Creating a PKI domain

Data Preparation
To configure certificate enrollment, you need the following data.

No.  Data
1    PKI domain name and (optional) certificate request information in PKCS#10 format
2    (Optional) Percentage of the certificate's validity period
3    Self-signed certificate file name

12.5.2 Configuring Manual Certificate Enrollment


An entity can apply to a CA for a certificate online or offline. In offline enrollment mode, the entity provides the identity information and public key out of band, for example by phoning or emailing the CA.

Prerequisites
A PKI domain has been created and configured. For details, see 12.4 Configuring a PKI Domain.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki enroll-certificate pki-realm-name [ pkcs10 [ filename filename ] ]

Manual certificate enrollment is configured. If pkcs10 is specified, the entity applies to a CA for a certificate offline: it saves the certificate request in a file in PKCS#10 format and sends the file to the CA out of band. If pkcs10 is not specified, the entity applies to a CA for a certificate online.

Step 3 (Optional) Run:
pki get-certificate { ca | local } pki-realm-name

A certificate is obtained. When a certificate is enrolled manually, the CA certificate and local certificate are downloaded and saved in the default path automatically. If the CA certificate or local certificate is deleted unexpectedly, run the pki get-certificate command to obtain the CA certificate or local certificate again.

----End

12.5.3 Configuring Automatic Certificate Enrollment and Update


When certificates are unavailable, are about to expire, or have expired, an entity automatically requests a new certificate or renews the existing certificate using the Simple Certificate Enrollment Protocol (SCEP).

Prerequisites
A PKI domain has been created and configured. For details, see 12.4 Configuring a PKI Domain.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki realm realm-name

A PKI domain is configured. By default, no PKI domain is configured on the AR200-S.

Step 3 Run:
auto-enroll [ percent ] [ regenerate ]

The automatic certificate enrollment and update function is enabled. Once it is enabled, users do not need to enroll certificates manually. When an external application requires a CA or local certificate, it instructs the system to register a CA or local certificate.

----End

12.5.4 Creating a Self-signed Certificate or Local Certificate


A PKI device can generate a self-signed certificate or local certificate and issue the certificate to a user.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki create-certificate [ self-signed ] { filename file-name }

A self-signed certificate or local certificate is created.

----End

12.5.5 Checking the Configuration


After a certificate is obtained from a CA, or a self-signed certificate or local certificate is created, you can view certificate information.

Procedure
- Run the display pki certificate { local | ca } pki-realm-name [ verbose ] command to check certificate information.
- Run the display pki certificate enroll-status pki-realm-name command to view the certificate enrollment status.

----End

12.6 Configuring Certificate Authentication


Before a certificate is used, it must be authenticated.

12.6.1 Establishing the Configuration Task


Before configuring certificate authentication, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
Before a certificate is used, it must be authenticated. In a certificate, the issuing date, issuer information, and certificate validity need to be authenticated. A valid certificate must be within its validity period and must not have been revoked. A PKI entity uses any of the following methods to check the peer certificate status:
- Certificate revocation list (CRL)
- Online Certificate Status Protocol (OCSP)
- None: The PKI entity does not check the peer certificate status.

Pre-configuration Tasks
Before configuring certificate authentication, complete the following task:
- Obtaining and enrolling a certificate

Data Preparation
To configure certificate authentication, you need the following data.

No.  Data
1    PKI domain name
2    (Optional) CDP URL and interval at which a PKI entity downloads a CRL from the CRL storage server
3    (Optional) OCSP server URL

12.6.2 Configuring the Certificate Check Mode


There are three certificate check modes: CRL, OCSP, and none.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki realm realm-name

A PKI domain is configured. By default, no PKI domain is configured on the AR200-S.

Step 3 Run:
certificate-check { crl | none | ocsp }

The certificate check mode is configured. By default, the AR200-S checks certificates using CRLs.

If CRL is used for certificate check, CRLs are automatically downloaded from a CA server during each certificate check.

- To use CRL to check a certificate, perform the following operations according to networking requirements:

  Run:
  cdp-url cdp-url

  A CRL distribution point (CDP) URL used to obtain the CRL issued by a CA is configured. Certificates issued by the CA contain the CDP information, specifying how and where to obtain the CRL. A PKI entity uses the method specified in the CDP information to download the CRL. If the CDP URL is configured in the PKI domain, the PKI entity obtains the CRL from the specified URL.

  Run:
  crl cache

  The AR200-S is configured to use the buffered CRL for certificate check, without having to download the CRL from the CA.

  Run:
  crl update-period hours

  The interval at which a PKI entity downloads a CRL from a CRL storage server is configured.

  Run:
  quit

  Return to the system view. If the PKI entity suspects that the CRL has expired, run:
  pki get-crl pki-realm-name

  The AR200-S downloads the latest CRL from the CA.

- To use OCSP for certificate check, perform the following operation:

  Run:
  ocsp-url ocsp-url

  The OCSP server's URL is configured. This URL overrides the OCSP server's address in the certificate.

----End
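The decision the three check modes make, as an added Python model (not the AR200-S implementation; the Certificate, CRL and PkiRealm records, the sample data and the function names are the example's own constructions, and no X.509 parsing is done). It shows the order of checks the text describes: validity period first, then revocation by CRL or OCSP unless the mode is none; with crl cache a stored CRL is reused until the update period has elapsed or the CRL's nextUpdate has passed, which is the situation pki get-crl is for.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional, Set, Tuple


@dataclass
class Certificate:
    """The fields of a certificate that the check in 12.6 looks at."""
    serial: int
    issuer: str
    not_before: datetime
    not_after: datetime


@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime     # after this time the CRL is stale
    revoked: Set[int]         # serial numbers listed as revoked


@dataclass
class PkiRealm:
    """The PKI domain settings from 12.6.2 that drive the decision."""
    certificate_check: str = "crl"                       # crl | ocsp | none; crl is the default
    crl_cache: bool = False                              # 'crl cache': reuse the stored CRL
    crl_update_period: timedelta = timedelta(hours=24)   # 'crl update-period hours'
    cached_crl: Optional[CRL] = None
    cached_at: Optional[datetime] = None


def get_crl(realm: PkiRealm, now: datetime, download: Callable[[], CRL]) -> CRL:
    """With crl cache on, reuse the stored CRL until the update period has
    passed or the CRL's own nextUpdate is behind us; otherwise download
    (the manual pki get-crl command forces the same download)."""
    crl = realm.cached_crl
    if realm.crl_cache and crl is not None and realm.cached_at is not None:
        within_period = now - realm.cached_at < realm.crl_update_period
        if within_period and now <= crl.next_update:
            return crl
    crl = download()
    realm.cached_crl, realm.cached_at = crl, now
    return crl


def validate_certificate(cert: Certificate, realm: PkiRealm, now: datetime,
                         download_crl: Optional[Callable[[], CRL]] = None,
                         ocsp_query: Optional[Callable[[str, int], str]] = None) -> Tuple[bool, str]:
    """Decide as pki validate-certificate would: validity period first, then
    revocation status according to the configured check mode."""
    if not cert.not_before <= now <= cert.not_after:
        return False, "outside validity period"
    mode = realm.certificate_check
    if mode == "none":
        return True, "validity period ok; revocation not checked"
    if mode == "crl":
        if download_crl is None:
            return False, "no CRL source (cdp-url) available"
        crl = get_crl(realm, now, download_crl)
        if crl.issuer != cert.issuer:
            return False, "CRL issuer does not match certificate issuer"
        if now > crl.next_update:
            return False, "CRL is stale; a fresh one must be downloaded"
        if cert.serial in crl.revoked:
            return False, "certificate revoked"
        return True, "not listed in a current CRL"
    if mode == "ocsp":
        if ocsp_query is None:
            return False, "no OCSP responder (ocsp-url) available"
        status = ocsp_query(cert.issuer, cert.serial)
        # 'unknown' fails closed just like 'revoked'.
        return (status == "good"), "OCSP status " + status
    raise ValueError("unknown certificate-check mode: " + mode)


# Constructed sample data (not real certificates or CRLs).
NOW = datetime(2012, 3, 30, 12, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(hours=25)          # past a 24-hour update period
GOOD_CERT = Certificate(0x1936, "ca_root", NOW - timedelta(days=30), NOW + timedelta(days=335))
REVOKED_CERT = Certificate(0x1937, "ca_root", NOW - timedelta(days=30), NOW + timedelta(days=335))
EXPIRED_CERT = Certificate(0x1938, "ca_root", NOW - timedelta(days=400), NOW - timedelta(days=1))
CURRENT_CRL = CRL("ca_root", NOW - timedelta(hours=1), NOW + timedelta(days=7), {0x1937})
STALE_CRL = CRL("ca_root", NOW - timedelta(days=30), NOW - timedelta(days=1), {0x1937})
```

Note the two ways the none mode differs from the others: an expired certificate is still rejected, because the validity period is checked regardless of mode, but a revoked certificate passes, which is why none is only appropriate where the peer's revocation status is established some other way.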

12.6.3 Checking Certificate Validity


After the certificate validity check mode is configured, you can check certificate validity.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki validate-certificate { ca | local } pki-realm-name

The validity of the CA certificate or local certificate is checked.

----End



12.6.4 Checking the Configuration


After the certificate authentication mode is configured, you can view certificate information.

Procedure
- Run the display pki certificate enroll-status pki-realm-name command to check the certificate enrollment status.
- Run the display pki crl pki-realm-name command to check CRL information.

----End

12.7 Managing Certificates


Managing certificates includes deleting, importing, and exporting certificates, and configuring the default path where certificates are stored.

12.7.1 Deleting a Certificate


When a certificate expires or a user wants to request a new certificate, you can delete the existing certificate.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki delete-certificate { ca | local | ocsp } pki-realm-name

The certificate is deleted.

----End

12.7.2 Importing a Certificate


To use an external certificate, copy it to a storage device out of band and import it to the AR200-S.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki import-certificate { ca | local | ocsp } pki-realm-name { der | pkcs12 | pem }

The external certificate is imported to the AR200-S.

----End



12.7.3 Exporting a Certificate


To provide a certificate for another device, export the certificate.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki export-certificate { ca | local | ocsp } pki-realm-name { der | pkcs12 | pem }

The certificate is exported and saved in a file.

----End

12.7.4 Configuring the Default Path Where Certificates Are Stored


You can configure the default path where certificate files are stored.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki credential-storage local-dir

The default path and directory where the CA certificate, local certificate, and private key are stored are configured. By default, the CA certificate, local certificate, and private key are stored in flash:/.

----End

12.8 Configuration Examples


12.8.1 Example for Configuring Manual Certificate Enrollment
Networking Requirements
This section describes how to configure a PKI entity (a router) to request a local certificate from a CA.

Figure 12-3 Configuring a PKI entity to request a certificate from a CA (topology recovered from the figure: PKI entity (Router) -- Internet -- CA)

Table 12-1 Data plan

Item         Data
PKI entity   PKI entity name: user01
             - Entity's common name: hello
             - Entity's country code: CN
             - Entity's province name: jiangsu
             - Entity's organization name: huawei
             - Entity's department name: info
PKI domain   PKI domain name: test
             - Trusted CA name: ca_root
             - Certificate's enrollment URL: http://10.137.145.158:8080/certsrv/mscep/mscep.dll
             - Bound PKI entity name: user01
             - CA's fingerprint algorithm: secure hash algorithm (SHA)
             - Fingerprint: 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF

Configuration Roadmap
1. Configure a PKI entity to identify a certificate applicant.
2. Configure a PKI domain and specify the identity information required for certificate enrollment, including the trusted CA name, bound entity name, enrollment URL, and root certificate fingerprint.
3. Obtain a local certificate manually.

Procedure
Step 1 Configure interface IP addresses and routes to enable the PKI entity and CA to communicate.

Step 2 Configure a PKI entity to identify a certificate applicant.

# Configure a PKI entity user01.
<Huawei> system-view
[Huawei] pki entity user01
[Huawei-pki-entity-user01] common-name hello
[Huawei-pki-entity-user01] country cn
[Huawei-pki-entity-user01] state jiangsu
[Huawei-pki-entity-user01] organization huawei
[Huawei-pki-entity-user01] organization-unit info
[Huawei-pki-entity-user01] quit

Step 3 Configure a PKI domain and specify the identity information required for certificate enrollment in the PKI domain.

# Configure the trusted CA, bound entity, enrollment URL, and root certificate fingerprint.
[Huawei] pki realm test
[Huawei-pki-realm-test] ca id ca_root
[Huawei-pki-realm-test] entity user01
[Huawei-pki-realm-test] enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
[Huawei-pki-realm-test] fingerprint sha1 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF
[Huawei-pki-realm-test] quit

Step 4 Enroll the certificate manually.
[Huawei] pki enroll-certificate test
Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Choice no password ,please enter the enter-key.
Please enter Password:
Start certificate enrollment ...
Certificate is enrolling now,It will take a few minutes or more. Please waiting...
The certificate enroll successful.

You will be prompted to enter the password during certificate enrollment. If you do not have a password, press Enter.

Step 5 Verify the configuration.

After the preceding configurations are complete, the CA issues a certificate to the PKI entity. In the certificate information, the "issued to" field value is the entity common name hello. Run the display pki certificate { local | ca } pki-realm-name [ verbose ] command on the PKI entity to view the certificate.
<Huawei> display pki certificate local test
  Certificate Status : Available
  Version: 3
  Serial Number: 19 36 41 af 00 00 00 00 02 ba
  Subject:
    C=CN
    ST=jiangsu
    O=huawei
    OU=info
    CN=hello
  Associated Pki Realm : test
  Total Number: 1

----End

Configuration Files
#
 pki entity user01
  country CN
  state jiangsu
  organization huawei
  organization-unit info
  common-name hello
#
 pki realm test
  ca id ca_root
  enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
  entity user01
  fingerprint sha1 7a34d94624b1c1bcbf6d763c4a67035d5b578eaf
#
return

12.8.2 Example for Configuring PKI in IPSec


Networking Requirements
As shown in Figure 12-4, devices in two subnets communicate with the Internet through their respective gateways and need an IPSec tunnel to transmit data flows. To meet this requirement, perform the following operations:
- Establish an IPSec tunnel between the two gateways to protect the data flows transmitted between subnet 1 at 10.1.1.0/24 and subnet 2 at 11.1.1.0/24.
- Establish the security tunnel between the two gateways using Internet Key Exchange (IKE) negotiation. During IKE negotiation, PKI certificates are used for identity authentication.

Figure 12-4 Configuring PKI in IPSec (topology recovered from the figure: a CA reachable over the Internet; RouterA connects Group 1 (10.1.1.2/24) through Eth0/0/1 on VLANIF 10 (10.1.1.1/24) and uplinks through Eth0/0/8 (1.1.1.1/24); RouterB connects Group 2 (11.1.1.2/24) through Eth0/0/1 on VLANIF 20 (11.1.1.1/24) and uplinks through Eth0/0/8 (2.2.2.1/24); the IPSec tunnel runs between the two Eth0/0/8 interfaces across the Internet)

Table 12-2 Data plan of RouterA

Item            Data
PKI entity      PKI entity name: routera
                - Entity's common name: helloa
                - Entity's country code: CN
                - Entity's province name: jiangsu
                - Entity's organization name: huawei
                - Entity's department name: info
PKI domain      PKI domain name: test
                - Trusted CA name: ca_root
                - Certificate's enrollment URL: http://10.137.145.158:8080/certsrv/mscep/mscep.dll
                - Bound entity name: routera
                - CA's fingerprint algorithm: secure hash algorithm (SHA)
                - Fingerprint: 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF
IKE proposal    - Encryption algorithm: 3DES-CBC
                - Authentication algorithm: SHA1
                - Authentication mode: Rivest, Shamir, and Adelman (RSA) signature
IKE peer        - IKE peer name: routera
                - Local peer's ID type: IP address
                - Local IP address: 1.1.1.1
                - Remote IP address: 2.2.2.1
                - Negotiation mode: main
IPSec proposal  - Transport protocol: ESP
                - Authentication algorithm: SHA1
                - Encryption algorithm: 3DES
                - Encapsulation mode: tunnel
IPSec policy    Security association (SA) triggering mode: automatic


Table 12-3 Data plan of RouterB

Item            Data
PKI entity      PKI entity name: routerb
                - Entity's common name: hellob
                - Entity's country code: CN
                - Entity's province name: jiangsu
                - Entity's organization name: huawei
                - Entity's department name: marketing
PKI domain      PKI domain name: testb
                - Trusted CA name: ca_root
                - Certificate's enrollment URL: http://10.137.145.158:8080/certsrv/mscep/mscep.dll
                - Bound entity name: routerb
                - CA's fingerprint algorithm: secure hash algorithm (SHA)
                - Fingerprint: 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF
IKE proposal    - Encryption algorithm: 3DES-CBC
                - Authentication mode: RSA signature
                - Authentication algorithm: SHA1
IKE peer        - IKE peer name: routerb
                - Negotiation mode: main
                - Local peer's ID type: IP address
                - Local IP address: 2.2.2.1
                - Remote IP address: 1.1.1.1
IPSec proposal  - Transport protocol: ESP
                - Authentication algorithm: SHA1
                - Encryption algorithm: 3DES
                - Encapsulation mode: tunnel
IPSec policy    SA triggering mode: automatic

Configuration Roadmap
1. Configure a PKI entity to identify a certificate applicant.
2. Configure a PKI domain and specify the identity information required for certificate enrollment in the PKI domain.
3. Configure IKE to use a digital signature for identity authentication.
4. Configure IPSec to protect data flows between the two subnets.
5. Request a certificate and download it for IKE negotiation.

Procedure
Step 1 Configure interface IP addresses and routes to enable the IPSec peers and the CA to communicate.

Step 2 Configure a PKI entity.

# Configure RouterA.
<Huawei> system-view
[Huawei] pki entity routera
[Huawei-pki-entity-routera] common-name helloa
[Huawei-pki-entity-routera] country cn
[Huawei-pki-entity-routera] state jiangsu
[Huawei-pki-entity-routera] organization huawei
[Huawei-pki-entity-routera] organization-unit info
[Huawei-pki-entity-routera] quit

# Configure RouterB.
<Huawei> system-view
[Huawei] pki entity routerb
[Huawei-pki-entity-routerb] common-name hellob
[Huawei-pki-entity-routerb] country cn
[Huawei-pki-entity-routerb] state jiangsu
[Huawei-pki-entity-routerb] organization huawei
[Huawei-pki-entity-routerb] organization-unit marketing
[Huawei-pki-entity-routerb] quit

Step 3 Configure a PKI domain.

# Configure RouterA.
[Huawei] pki realm testa
[Huawei-pki-realm-testa] ca id ca_root
[Huawei-pki-realm-testa] entity routera
[Huawei-pki-realm-testa] enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
[Huawei-pki-realm-testa] fingerprint sha1 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF
[Huawei-pki-realm-testa] certificate-check none
[Huawei-pki-realm-testa] quit

# Configure RouterB.
[Huawei] pki realm testb
[Huawei-pki-realm-testb] ca id ca_root
[Huawei-pki-realm-testb] entity routerb
[Huawei-pki-realm-testb] enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
[Huawei-pki-realm-testb] fingerprint sha1 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF
[Huawei-pki-realm-testb] certificate-check none
[Huawei-pki-realm-testb] quit

Step 4 Configure IKE to use a digital signature for identity authentication.

# Configure RouterA.
[Huawei] ike proposal 1
[Huawei-ike-proposal-1] encryption-algorithm 3des-cbc
[Huawei-ike-proposal-1] authentication-method rsa-signature
[Huawei-ike-proposal-1] authentication-algorithm sha1
[Huawei-ike-proposal-1] quit
[Huawei] ike peer routera v2
[Huawei-ike-peer-routera] ike-proposal 1
[Huawei-ike-peer-routera] local-address 1.1.1.1
[Huawei-ike-peer-routera] remote-address 2.2.2.1
[Huawei-ike-peer-routera] pki realm testa

# Configure RouterB.
[Huawei] ike proposal 1
[Huawei-ike-proposal-1] encryption-algorithm 3des-cbc
[Huawei-ike-proposal-1] authentication-method rsa-signature
[Huawei-ike-proposal-1] authentication-algorithm sha1
[Huawei-ike-proposal-1] quit
[Huawei] ike peer routerb v2
[Huawei-ike-peer-routerb] ike-proposal 1
[Huawei-ike-peer-routerb] local-address 2.2.2.1
[Huawei-ike-peer-routerb] remote-address 1.1.1.1
[Huawei-ike-peer-routerb] pki realm testb

Step 5 Configure access control lists (ACLs) and define the data flows to be protected in the ACLs.

# Configure RouterA.
[Huawei] acl 3000
[Huawei-acl-adv-3000] rule 5 permit ip source 1.1.1.1 0 destination 2.2.2.1 0
[Huawei-acl-adv-3000] rule 15 permit ip source 10.1.1.1 0 destination 11.1.1.1 0
[Huawei-acl-adv-3000] quit

# Configure RouterB.
[Huawei] acl 3000
[Huawei-acl-adv-3000] rule 5 permit ip source 2.2.2.1 0 destination 1.1.1.1 0
[Huawei-acl-adv-3000] rule 10 permit ip source 11.1.1.1 0 destination 10.1.1.1 0
[Huawei-acl-adv-3000] quit

Step 6 Configure IPSec to protect data flows between the two subnets.

# Configure RouterA.
[Huawei] ipsec proposal routera
[Huawei-ipsec-proposal-routera] transform esp
[Huawei-ipsec-proposal-routera] esp authentication-algorithm sha1
[Huawei-ipsec-proposal-routera] esp encryption-algorithm 3des
[Huawei-ipsec-proposal-routera] quit
[Huawei] ipsec policy routera 1 isakmp
[Huawei-ipsec-policy-isakmp-routera-1] security acl 3000
[Huawei-ipsec-policy-isakmp-routera-1] ike-peer routera
[Huawei-ipsec-policy-isakmp-routera-1] proposal routera
[Huawei-ipsec-policy-isakmp-routera-1] quit

# Configure RouterB.
[Huawei] ipsec proposal routerb
[Huawei-ipsec-proposal-routerb] transform esp
[Huawei-ipsec-proposal-routerb] esp authentication-algorithm sha1
[Huawei-ipsec-proposal-routerb] esp encryption-algorithm 3des
[Huawei-ipsec-proposal-routerb] quit
[Huawei] ipsec policy routerb 1 isakmp
[Huawei-ipsec-policy-isakmp-routerb-1] security acl 3000
[Huawei-ipsec-policy-isakmp-routerb-1] ike-peer routerb
[Huawei-ipsec-policy-isakmp-routerb-1] proposal routerb
[Huawei-ipsec-policy-isakmp-routerb-1] quit

Step 7 Bind IPSec policies to interfaces.

# Configure RouterA.
[Huawei] interface ethernet 0/0/8
[Huawei-Ethernet0/0/8] ipsec policy routera
[Huawei-Ethernet0/0/8] quit

# Configure RouterB.
[Huawei] interface ethernet 0/0/8
[Huawei-Ethernet0/0/8] ipsec policy routerb
[Huawei-Ethernet0/0/8] quit

Step 8 Configure the devices to request a certificate and download it for IKE negotiation.

# Configure RouterA.
[Huawei] pki enroll-certificate testa
Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Choice no password ,please enter the enter-key.
Please enter Password:
Start certificate enrollment ...
Certificate is enrolling now,It will take a few minutes or more. Please waiting...
The certificate enroll successful.

# Configure RouterB.
[Huawei] pki enroll-certificate testb
Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Choice no password ,please enter the enter-key.
Please enter Password:
Start certificate enrollment ...
Certificate is enrolling now,It will take a few minutes or more. Please waiting...
The certificate enroll successful.

Step 9 Verify the configuration.

Run the display ike sa v2 command on RouterA and RouterB to view IKE SA information. The command output shows that RouterA and RouterB have established an IKE SA and can ping each other successfully. The display on RouterA is as follows.

[Huawei] display ike sa v2
Conn-ID    Peer        VPN    Flag(s)    Phase
---------------------------------------------------------------
898        2.2.2.1     0      RD|ST      2
895        2.2.2.1     0      RD|ST      1

Flag Description:
RD--READY  ST--STAYALIVE  RL--REPLACED  FD--FADING  TO--TIMEOUT
HRT--HEARTBEAT  LKG--LAST KNOWN GOOD SEQ NO.  BCK--BACKED UP
[Huawei]

The display on RouterB is as follows.


[Huawei] display ike sa v2
Conn-ID    Peer        VPN    Flag(s)    Phase
---------------------------------------------------------------
874        1.1.1.1     0      RD         2
873        1.1.1.1     0      RD         1

Flag Description:
RD--READY  ST--STAYALIVE  RL--REPLACED  FD--FADING  TO--TIMEOUT
HRT--HEARTBEAT  LKG--LAST KNOWN GOOD SEQ NO.  BCK--BACKED UP

Ping RouterB from RouterA. RouterA can ping RouterB successfully.


[Huawei] ping 2.2.2.1
PING 2.2.2.1: 56 data bytes, press CTRL_C to break
Reply from 2.2.2.1: bytes=56 Sequence=1 ttl=255 time=3 ms
Reply from 2.2.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 2.2.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 2.2.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 2.2.2.1: bytes=56 Sequence=5 ttl=255 time=2 ms
--- 2.2.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/3 ms

NOTE

During IKE negotiation, if RouterA and RouterB do not obtain CA certificates or local certificates, IKE negotiation fails.

----End
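As an added check (example code, not Huawei's and not part of this guide), the following Python parses the table that display ike sa v2 prints and reports whether both the phase 1 and the phase 2 SA to a given peer are READY (RD) and not fading, replaced or timed out. The sample input is a constructed copy of RouterA's output above, with the CLI prompt lines left out:

```python
"""Parse 'display ike sa v2' output and decide whether the IKE SA to a peer is
fully established (phase 1 and phase 2 both READY).  Added example, not Huawei
code; the parser follows the column layout shown in this guide."""
import re
from typing import Dict, List, Set

# Constructed copy of RouterA's output from the verification step above.
SAMPLE_ROUTERA = """\
Conn-ID    Peer        VPN    Flag(s)    Phase
---------------------------------------------------------------
898        2.2.2.1     0      RD|ST      2
895        2.2.2.1     0      RD|ST      1

Flag Description:
RD--READY  ST--STAYALIVE  RL--REPLACED  FD--FADING  TO--TIMEOUT
HRT--HEARTBEAT  LKG--LAST KNOWN GOOD SEQ NO.  BCK--BACKED UP
"""

# One SA row: numeric Conn-ID, peer address, numeric VPN, '|'-joined flags, phase digit.
SA_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d)\s*$")

# Flags that mean the SA is on its way out even if RD is also shown.
NOT_HEALTHY: Set[str] = {"FD", "RL", "TO"}


def parse_ike_sa(output: str) -> List[Dict[str, object]]:
    """Return one dict per SA row; header, separator and flag legend are skipped."""
    sas: List[Dict[str, object]] = []
    for line in output.splitlines():
        m = SA_ROW.match(line)
        if not m:
            continue
        conn_id, peer, vpn, flags, phase = m.groups()
        sas.append({
            "conn_id": int(conn_id),
            "peer": peer,
            "vpn": int(vpn),
            "flags": set(flags.split("|")),
            "phase": int(phase),
        })
    return sas


def ike_sa_established(output: str, peer: str) -> bool:
    """True only if phase 1 and phase 2 SAs to `peer` are READY and not FD/RL/TO."""
    ready_phases: Set[int] = set()
    for sa in parse_ike_sa(output):
        if sa["peer"] != peer:
            continue
        flags = sa["flags"]
        if "RD" in flags and not flags & NOT_HEALTHY:
            ready_phases.add(sa["phase"])
    return {1, 2} <= ready_phases


if __name__ == "__main__":
    for sa in parse_ike_sa(SAMPLE_ROUTERA):
        print(sa)
    print("established:", ike_sa_established(SAMPLE_ROUTERA, "2.2.2.1"))
```

A phase 2 row that shows only FD (fading) or a table with only the phase 1 row makes the check fail, which is the condition the NOTE above describes: without a CA certificate and a local certificate on both routers, the negotiation never reaches READY.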

Configuration Files
Configuration file of RouterA
#
 router id 1.1.1.1
#
acl number 3000
 rule 5 permit ip source 1.1.1.1 0 destination 2.2.2.1 0
 rule 15 permit ip source 10.1.1.1 0 destination 11.1.1.1 0
#
ipsec proposal routera
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-method rsa-signature
#
ike peer routera v2
 ike-proposal 1
 local-address 1.1.1.1
 remote-address 2.2.2.1
 pki realm testa
#
ipsec policy routera 1 isakmp
 security acl 3000
 ike-peer routera
 proposal routera
#
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface Ethernet0/0/8
 ip address 1.1.1.1 255.255.255.0
 ipsec policy routera
#
ospf 1
 area 0.0.0.0
  network 1.1.1.0 0.0.0.255
  network 10.1.1.0 0.0.0.255
#
pki entity routera
 country CN
 state jiangsu
 organization huawei
 organization-unit info
 common-name helloa
#
pki realm testa
 ca id ca_root
 enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
 entity routera
 fingerprint sha1 7a34d94624b1c1bcbf6d763c4a67035d5b578eaf
 certificate-check none
#
return

Configuration file of RouterB


#
 router id 3.3.3.3
#
acl number 3000
 rule 5 permit ip source 2.2.2.1 0 destination 1.1.1.1 0
 rule 10 permit ip source 11.1.1.1 0 destination 10.1.1.1 0
#
ipsec proposal routerb
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-method rsa-signature
#
ike peer routerb v2
 ike-proposal 1
 local-address 2.2.2.1
 remote-address 1.1.1.1
 pki realm testb
#
ipsec policy routerb 1 isakmp
 security acl 3000
 ike-peer routerb
 proposal routerb
#
interface Vlanif20
 ip address 11.1.1.1 255.255.255.0
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface Ethernet0/0/8
 ip address 2.2.2.1 255.255.255.0
 ipsec policy routerb
#
ospf 1
 area 0.0.0.0
  network 2.2.2.0 0.0.0.255
  network 11.1.1.0 0.0.0.255
#
pki entity routerb
 country CN
 state jiangsu
 organization huawei
 organization-unit marketing
 common-name hellob
#
pki realm testb
 ca id ca_root
 enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
 entity routerb
 fingerprint sha1 7a34d94624b1c1bcbf6d763c4a67035d5b578eaf
 certificate-check none
#
return

13 Keychain Configuration

About This Chapter

This chapter describes the keychain fundamentals. It also provides keychain configuration steps based on different parameters, along with a typical example.

13.1 Introduction to Keychain
13.2 Keychain Features Supported by the AR200-S
13.3 Configuring Basic Keychain Functions
This section describes how to configure the basic functions of the keychain module.
13.4 Configuring TCP Authentication Parameters
This section describes how to configure the TCP authentication parameters of the keychain module.
13.5 Configuration Examples
This section provides configuration examples of the keychain module.

13.1 Introduction to Keychain


The keychain module provides an authentication function to all applications. It also allows authentication keys to be changed dynamically without any packet drops.

Applications exchange authenticated packets over networks for security reasons. An authentication algorithm together with a shared secret key is used to determine whether a message sent over an insecure channel has been tampered with. This type of authentication requires that the sender and the receiver share the secret key and the authentication algorithm used to authenticate the packet; the secret key itself must never be sent over the network.

If each application maintains its own set of authentication rules (authentication algorithm and shared secret key), the same set of rules is configured many times over, which duplicates data and reprocesses the authentication information. In addition, each application uses a constant authentication key unless the network administrator changes the key manually. Changing keys manually is a cumbersome procedure, and packets can be dropped during the change because it is very difficult to change the keys on all the Routers at the same instant.

The system therefore needs a mechanism that centralizes all authentication processing and changes authentication algorithms and keys dynamically with little human intervention. The keychain module provides this functionality.

13.2 Keychain Features Supported by the AR200-S


The AR200-S supports the following keychain features:

- Authentication for applications
  An application that requires authentication support has to reference a keychain. A keychain can have one or more key-ids. A key-id comprises an authentication algorithm and a key string (the shared secret key). Each key-id is associated with a send lifetime and a receive lifetime, which determine whether it is send-active, receive-active, or both at a given instant. A key-id that is send-active at one end should be receive-active at the other end. The administrator has to configure the key-ids under the keychain in such a way that both sides can communicate without any packet loss.

- Receive tolerance
  When the send key-id on a Router changes, the corresponding receive key-id on the peer Router should change at the same instant. Because the clocks are not synchronized exactly, there can be a time lag between the key-id changes on the two Routers, and packets can be dropped during this period because the key-ids are used inconsistently. To prevent this and to allow a smooth transition from one key-id to the next, a grace period is allowed during which both keys are used. This grace period is called the receive tolerance period, and it applies only to receive keys: the receive time period is extended by the receive tolerance at both the start time and the end time of a receive key.

- Default send-key-id
  When the administrator has not configured a key-id for some interval of time, there may be no active key-id, and during that period the application cannot communicate with authentication. To avoid this situation there should be a default send-key-id that is always active. Any key-id in a keychain can be marked as the default send-key-id, and there can be only one default send-key-id in a keychain. When any key-id becomes active, the application uses the newly active key-id instead of the default send-key-id; when the active key-id becomes inactive and no other key-id is active, the application uses the default send-key-id again.

- TCP kind and TCP algorithm-id configuration
  TCP-based applications can communicate with nodes of other vendors over an authenticated TCP connection. For authenticated communication, TCP uses the TCP Enhanced Authentication Option. Currently, different vendors use different kind values to represent the TCP Enhanced Authentication Option type, so the kind value is made configurable and can be changed according to the vendor of the connected peer. Similarly, the TCP Enhanced Authentication Option has a field named algorithm-id that represents the authentication algorithm type. Because algorithm-ids are not defined by IANA, different vendors currently use different algorithm-ids for the same algorithm. To communicate with other vendors, the user has to configure the TCP algorithm-id in the keychain for each algorithm, depending on the peer node type.
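As an added example (Python written for this section, not Huawei code and not part of this guide), the following model implements the behaviour described above: key-ids with send and receive lifetimes, a receive tolerance that widens both ends of the receive window, the single default send-key-id fallback, and a sign/verify pair that accepts a digest only when the named key-id is receive-active. The keychain name, key-id, key-string, tolerance and absolute-mode times are those of the 13.5.1 example later in this chapter; the mapping of the page's algorithm keywords to hash constructions is an assumption stated in the code, and how a peer accepts a default send-key-id on the receive side is not described on the page, so the model applies only receive-time windows there.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


def keyed_digest(algorithm: str, key: bytes, message: bytes) -> bytes:
    """Assumption: "md5" is hash(message || key), as in RFC 2082-style routing
    authentication; the hmac-* keywords are HMAC, hmac-sha1-12 truncated to 12 bytes."""
    if algorithm == "md5":
        return hashlib.md5(message + key).digest()
    if algorithm == "hmac-md5":
        return hmac.new(key, message, hashlib.md5).digest()
    if algorithm == "hmac-sha1-20":
        return hmac.new(key, message, hashlib.sha1).digest()
    if algorithm == "hmac-sha1-12":
        return hmac.new(key, message, hashlib.sha1).digest()[:12]
    raise ValueError("unsupported algorithm: " + algorithm)


@dataclass
class KeyId:
    """One key-id (0..63); it stays inactive until algorithm and key-string are set."""
    key_id: int
    algorithm: Optional[str] = None
    key_string: Optional[bytes] = None
    send_start: Optional[datetime] = None    # absolute-mode send-time window
    send_end: Optional[datetime] = None
    recv_start: Optional[datetime] = None    # absolute-mode receive-time window
    recv_end: Optional[datetime] = None

    def configured(self) -> bool:
        return self.algorithm is not None and self.key_string is not None

    def send_active(self, now: datetime) -> bool:
        if not self.configured() or self.send_start is None or self.send_end is None:
            return False
        return self.send_start <= now <= self.send_end

    def receive_active(self, now: datetime, tolerance: timedelta) -> bool:
        # Receive tolerance extends BOTH the start and the end of the receive window.
        if not self.configured() or self.recv_start is None or self.recv_end is None:
            return False
        return self.recv_start - tolerance <= now <= self.recv_end + tolerance


class Keychain:
    def __init__(self, name: str, receive_tolerance_min: int = 0) -> None:
        self.name = name
        self.tolerance = timedelta(minutes=receive_tolerance_min)
        self.keys: Dict[int, KeyId] = {}
        self.default_send_key_id: Optional[int] = None

    def add(self, key: KeyId) -> None:
        if not 0 <= key.key_id <= 63:
            raise ValueError("key-id must be an integer from 0 to 63")
        self.keys[key.key_id] = key

    def set_default_send_key_id(self, key_id: int) -> None:
        if self.default_send_key_id not in (None, key_id):
            raise ValueError("only one default send-key-id per keychain")
        self.default_send_key_id = key_id

    def active_send_key(self, now: datetime) -> Optional[KeyId]:
        active = [k for k in self.keys.values() if k.send_active(now)]
        if len(active) > 1:
            raise RuntimeError("send-times of key-ids must not overlap")
        if active:
            return active[0]                  # an active key-id beats the default
        if self.default_send_key_id is not None:
            return self.keys[self.default_send_key_id]
        return None                           # no usable key: cannot authenticate

    def active_receive_keys(self, now: datetime) -> List[KeyId]:
        return [k for k in self.keys.values() if k.receive_active(now, self.tolerance)]

    def sign(self, message: bytes, now: datetime) -> Optional[Tuple[int, bytes]]:
        key = self.active_send_key(now)
        if key is None:
            return None
        return key.key_id, keyed_digest(key.algorithm, key.key_string, message)

    def verify(self, message: bytes, key_id: int, digest: bytes, now: datetime) -> bool:
        """Accept only a digest made with a key-id that is receive-active now."""
        for key in self.active_receive_keys(now):
            if key.key_id == key_id:
                expected = keyed_digest(key.algorithm, key.key_string, message)
                return hmac.compare_digest(expected, digest)
        return False


def example_time(hour: int, minute: int) -> datetime:
    """A clock reading on 2008-10-10, the date used in the 13.5.1 example."""
    return datetime(2008, 10, 10, hour, minute)


def example_keychain() -> Keychain:
    """Keychain 'huawei' with the values of the 13.5.1 example (constructed here)."""
    kc = Keychain("huawei", receive_tolerance_min=100)
    kc.add(KeyId(1, "md5", b"hello",
                 send_start=example_time(14, 40), send_end=example_time(14, 50),
                 recv_start=example_time(14, 30), recv_end=example_time(14, 50)))
    return kc
```

With these values, key-id 1 signs at 14:45, and a peer with the same keychain still accepts key-id 1 from 12:50 to 16:30 because the 100-minute tolerance is added at both ends of the 14:30 to 14:50 receive window. At 14:39 nothing is send-active, so sign() returns None until key-id 1 is marked as the default send-key-id; a key-id without an algorithm or key-string never becomes active, matching the NOTEs in 13.3.5 and 13.3.6.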

13.3 Configuring Basic Keychain Functions


This section describes how to configure the basic functions of the keychain module.

13.3.1 Establishing the Configuration Task


Applicable Environment
A keychain is used to provide authentication support to applications. A keychain can have one or more key-ids. A key-id comprises an authentication algorithm and a key-string (the shared secret key). Each key-id is associated with a send lifetime and a receive lifetime; based on these, a key-id is send-active, receive-active, or both. When a key-id is send-active or receive-active, it is used for authenticated communication: a send-active key-id is used to send authenticated packets, and on the receiver side that key-id must be receive-active to process the authenticated packets. The administrator has to configure the key-ids under the keychain in such a way that both sides can communicate without any packet loss.

Pre-configuration Tasks
Before configuring the keychain on the peer Routers, configure the Network Time Protocol (NTP) so that the time is consistent on the two Routers.

Data Preparation
To configure basic keychain features, you need the following data.

No.   Data
1     Keychain name
2     Key-ids for the keychain
3     Key-string for each key-id
4     Authentication algorithm for each key-id
5     Send and receive time for each key-id
6     Receive tolerance, if required

13.3.2 Creating a Keychain


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
keychain keychain-name [ mode { absolute | periodic { daily | weekly | monthly | yearly } } ]

The keychain is created and the keychain view is entered.


NOTE

When creating a keychain, the timing mode is mandatory. Once a keychain has been created, the timing mode need not be specified to enter the keychain view.

----End

13.3.3 Configuring Receive Tolerance of a Keychain


Procedure
Step 1 Run:
system-view

The system view is entered.

Step 2 Run:
keychain keychain-name

The keychain view is entered.

Step 3 Run:
receive-tolerance { value | infinite }

The receive tolerance period for the keychain is configured.

NOTE

Receive tolerance can be configured in either of two ways:
- Specifying a receive tolerance value in minutes, up to a maximum of 10 days (14400 minutes).
- Specifying an infinite receive tolerance using the infinite keyword.

----End

13.3.4 Configuring a key-id in a Keychain


Procedure
Step 1 Run:
system-view

The system view is entered.

Step 2 Run:
keychain keychain-name

The keychain view is entered.

Step 3 Run:
key-id key-id

The key-id is created and the key-id view is entered.


NOTE

To configure a key-id in a keychain, a unique id within the keychain is required. This id should be an integer and the value ranges from 0 to 63.

----End

13.3.5 Configuring key-string of a key-id


Procedure
Step 1 Run:
system-view

The system view is entered.

Step 2 Run:
keychain keychain-name

The keychain view is entered.

Step 3 Run:
key-id key-id

The key-id is created and the key-id view is entered.

Step 4 Run:
key-string { [ plain ] plain-text | cipher cipher-text }

The key-string for the key-id is configured.


The key-string is the authentication string used while sending and receiving packets. In the case of plain text, the password string is displayed as unencrypted text. In the case of cipher text, the password string is displayed in encrypted form. Both are case sensitive.
NOTE

Key-id will be inactive if the key-string is not configured.

----End

13.3.6 Configuring Authentication Algorithm of a key-id


Procedure
Step 1 Run:
system-view

The system view is entered.

Step 2 Run:
keychain keychain-name

The keychain view is entered.

Step 3 Run:
key-id key-id

The key-id is created and the key-id view is entered.

Step 4 Run:
algorithm { hmac-md5 | hmac-sha1-12 | hmac-sha1-20 | md5 | sha-1 | simple }

The authentication algorithm for the key-id is configured.


NOTE

Key-id will be inactive if the authentication algorithm is not configured.

----End

13.3.7 Configuring a key-id as the Default send-key-id


Procedure
Step 1 Run:
system-view

The system view is entered.

Step 2 Run:
keychain keychain-name

The keychain view is entered.

Step 3 Run:
key-id key-id

The key-id is created and the key-id view is entered.

Step 4 Run:
default send-key-id

The key-id is set as the default send-key-id.


NOTE

Only one key-id in a keychain can be configured as the default send-key-id.

----End

13.3.8 Configuring send-time of a key-id


Procedure
- Absolute Timing Mode
  1. Run:
     system-view

     The system view is entered.
  2. Run:
     keychain keychain-name mode absolute

     The keychain is created in absolute timing mode and the keychain view is entered.
  3. Run:
     key-id key-id

     The key-id is created and the key-id view is entered.
  4. Run:
     send-time utc start-time start-date { duration { duration-value | infinite } | { to end-time end-date } }

     The send-time for the key-id is configured.

- Daily Periodic Timing Mode
  1. Run:
     system-view

     The system view is entered.
  2. Run:
     keychain keychain-name mode periodic daily

     The keychain is created in daily periodic timing mode and the keychain view is entered.
  3. Run:
     key-id key-id

     The key-id is created and the key-id view is entered.
  4. Run:
     send-time daily start-time to end-time

     The send-time for the key-id is configured.

- Weekly Periodic Timing Mode
  1. Run:
     system-view

     The system view is entered.
  2. Run:
     keychain keychain-name mode periodic weekly

     The keychain is created in weekly periodic timing mode and the keychain view is entered.
  3. Run:
     key-id key-id

     The key-id is created and the key-id view is entered.
  4. Run:
     send-time day { { start-day-name } &<1-7> } [ to end-day-name ]

     The send-time for the key-id is configured.

- Monthly Periodic Timing Mode
  1. Run:
     system-view

     The system view is entered.
  2. Run:
     keychain keychain-name mode periodic monthly

     The keychain is created in monthly periodic timing mode and the keychain view is entered.
  3. Run:
     key-id key-id

     The key-id is created and the key-id view is entered.
  4. Run:
     send-time date { { start-date-value } &<1-31> } [ to end-date-value ]

     The send-time for the key-id is configured.

- Yearly Periodic Timing Mode
  1. Run:
     system-view

     The system view is entered.
  2. Run:
     keychain keychain-name mode periodic yearly

     The keychain is created in yearly periodic timing mode and the keychain view is entered.
  3. Run:
     key-id key-id

     The key-id is created and the key-id view is entered.
  4. Run:
     send-time month { { start-month-name } &<1-12> } [ to end-month-name ]

     The send-time for the key-id is configured.

NOTE

The send-time for a key-id is configured according to the timing mode defined for the keychain. Only one send key-id in a keychain can be active at a time. The send-times of different key-ids in a keychain must not overlap. To reconfigure the send-time, you must first undo the send-time that is currently configured.

----End

13.3.9 Configuring receive-time of a key-id


Procedure
- Absolute Timing Mode
  1. Run:
     system-view

     The system view is entered.
  2. Run:
     keychain keychain-name mode absolute

     The keychain is created in absolute timing mode and the keychain view is entered.
  3. Run:
     key-id key-id

     The key-id is created and the key-id view is entered.
  4. Run:
     receive-time utc start-time start-date { duration { duration-value | infinite } | { to end-time end-date } }

     The receive-time for the key-id is configured.

- Daily Periodic Timing Mode
  1. Run:
     system-view

     The system view is entered.
  2. Run:
     keychain keychain-name mode periodic daily

     The keychain is created in daily periodic timing mode and the keychain view is entered.
  3. Run:
     key-id key-id

     The key-id is created and the key-id view is entered.
  4. Run:
     receive-time daily start-time to end-time

     The receive-time for the key-id is configured.

- Weekly Periodic Timing Mode
  1. Run:
     system-view

     The system view is entered.
  2. Run:
     keychain keychain-name mode periodic weekly

     The keychain is created in weekly periodic timing mode and the keychain view is entered.
  3. Run:
     key-id key-id

     The key-id is created and the key-id view is entered.
  4. Run:
     receive-time day { { start-day-name } &<1-7> } [ to end-day-name ]

     The receive-time for the key-id is configured.

- Monthly Periodic Timing Mode
  1. Run:
     system-view

     The system view is entered.
  2. Run:
     keychain keychain-name mode periodic monthly

     The keychain is created in monthly periodic timing mode and the keychain view is entered.
  3. Run:
     key-id key-id

     The key-id is created and the key-id view is entered.
  4. Run:
     receive-time date { { start-date-value } &<1-31> } [ to end-date-value ]

     The receive-time for the key-id is configured.

- Yearly Periodic Timing Mode
  1. Run:
     system-view

     The system view is entered.
  2. Run:
     keychain keychain-name mode periodic yearly

     The keychain is created in yearly periodic timing mode and the keychain view is entered.
  3. Run:
     key-id key-id

     The key-id is created and the key-id view is entered.
  4. Run:
     receive-time month { { start-month-name } &<1-12> } [ to end-month-name ]

     The receive-time for the key-id is configured.


NOTE

The receive-time for a key-id is configured in accordance with the timing mode defined for the keychain. The receive-time for a key-id can be configured in five different ways, namely absolute, daily periodic, weekly periodic, monthly periodic and yearly periodic, depending on the timing mode. More than one receive key-id cannot be active at the same time. To reconfigure the receive-time, you must first undo the receive-time that is currently configured.

----End
Issue 02 (2012-03-30) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. 261

Huawei AR200-S Series Enterprise Routers Configuration Guide - Security

13 Keychain Configuration

13.3.10 Checking the Configuration


Prerequisites
The configurations of the keychain are complete.

Procedure
- Run the display keychain keychain-name command to view the current configuration of a keychain.
- Run the display keychain keychain-name key-id key-id command to view the current configuration of a key-id inside a keychain.

----End

Example
After the keychain configuration is complete, run the display keychain keychain-name command to view the current configuration of a keychain, for example:

<Huawei> display keychain earth
Keychain Information:
---------------------
  Keychain Name          : earth
  Timer Mode             : Absolute
  Receive Tolerance(min) : 0
  TCP Kind               : 254
  TCP Algorithm IDs      :
    HMAC-MD5             : 5
    HMAC-SHA1-12         : 2
    HMAC-SHA1-20         : 6
    MD5                  : 3
    SHA1                 : 4
  Number of Key IDs      : 0
  Active Send Key ID     : None
  Active Receive Key IDs : None
  Default send Key ID    : Not configured

After the keychain configuration is complete, run the display keychain keychain-name key-id key-id command to view the current configuration of a key-id inside a keychain, for example:

<Huawei> display keychain earth key-id 1
Keychain Information:
---------------------
  Keychain Name          : earth
  Timer Mode             : Absolute
  Receive Tolerance(min) : 100
  TCP Kind               : 182
  TCP Algorithm IDs      :
    HMAC-MD5             : 5
    HMAC-SHA1-12         : 2
    HMAC-SHA1-20         : 6
    MD5                  : 17
    SHA1                 : 4
Key ID Information:
-------------------
  Key ID                 : 1
  Key string             : hello (plain)
  Algorithm              : MD5
  SEND TIMER             :
    Start time           : 2012-03-14 00:00
    End time             : 2012-08-08 23:59
    Status               : Active
  RECEIVE TIMER          :
    Start time           : 2012-03-14 00:00
    End time             : 2012-08-08 23:59
    Status               : Active
  DEFAULT SEND KEY ID INFORMATION
    Default              : Not configured

13.4 Configuring TCP Authentication parameters


This section describes how to configure the TCP authentication parameters of the keychain module.

13.4.1 Establishing the Configuration Task


Applicable Environment
A keychain is needed to provide authentication support to all the applications that require it. Authenticated TCP communication is required between two peers. TCP-based applications can communicate with nodes of other vendors over an authenticated TCP connection. For authenticated communication, TCP uses the TCP Enhanced Authentication Option. Currently, different vendors use different kind values to represent the TCP Enhanced Authentication Option type, so the kind value is made configurable according to the vendor of the connected peer. Similarly, the TCP Enhanced Authentication Option has a field named algorithm ID that represents the authentication algorithm type. Because algorithm IDs are not defined by IANA (Internet Assigned Numbers Authority), different vendors currently use different algorithm IDs for the same algorithm. To communicate with other vendors, the user has to configure the TCP algorithm ID in the keychain for each algorithm, depending on the peer node type.

Pre-configuration Tasks
Before configuring the keychain feature on the peer Routers, configure the Network Time Protocol (NTP) so that the time is consistent on the two Routers.

Data Preparation
To configure the TCP authentication parameters of a keychain, you need the following data.

No.   Data
1     Keychain name
2     TCP kind value
3     TCP algorithm ID for each authentication algorithm

13.4.2 Configuring TCP Kind of a Keychain


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
keychain keychain-name

The keychain view is entered.

Step 3 Run:
tcp-kind kind-value

The TCP kind value for the keychain is configured. The kind-value ranges from 28 to 255.
NOTE

TCP uses TCP Enhanced Authentication Option for authenticated communication. The kind value used to represent the TCP Enhanced Authentication Option type for a keychain can be configured.

----End

13.4.3 Configuring TCP Algorithm-id in a Keychain


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
keychain keychain-name

The keychain view is entered.

Step 3 Run:
tcp-algorithm-id { md5 | sha-1 | hmac-md5 | hmac-sha1-12 | hmac-sha1-20 } algorithm-id

The TCP algorithm-id for the given algorithm is configured. The algorithm-id ranges from 1 to 63.


NOTE

The algorithm-id used to represent authentication algorithm type in TCP Enhanced Authentication Option for a keychain can be configured.

----End

13.4.4 Checking the Configuration


Prerequisites
The configurations of the keychain are complete.

Procedure
- Run the display keychain keychain-name command to view the current configuration of a keychain.
- Run the display keychain keychain-name key-id key-id command to view the current configuration of a key-id inside a keychain.

----End

Example
After the keychain configuration is complete, run the display keychain keychain-name command to view the current configuration of a keychain, for example:

<Huawei> display keychain earth
Keychain Information:
---------------------
  Keychain Name          : earth
  Timer Mode             : Absolute
  Receive Tolerance(min) : 0
  TCP Kind               : 254
  TCP Algorithm IDs      :
    HMAC-MD5             : 5
    HMAC-SHA1-12         : 2
    HMAC-SHA1-20         : 6
    MD5                  : 3
    SHA1                 : 4
  Number of Key IDs      : 0
  Active Send Key ID     : None
  Active Receive Key IDs : None
  Default send Key ID    : Not configured

After the keychain configuration is complete, run the display keychain keychain-name key-id key-id command to view the current configuration of a key-id inside a keychain, for example:

<Huawei> display keychain earth key-id 1
Keychain Information:
---------------------
  Keychain Name          : earth
  Timer Mode             : Absolute
  Receive Tolerance(min) : 100
  TCP Kind               : 182
  TCP Algorithm IDs      :
    HMAC-MD5             : 5
    HMAC-SHA1-12         : 2
    HMAC-SHA1-20         : 6
    MD5                  : 17
    SHA1                 : 4
Key ID Information:
-------------------
  Key ID                 : 1
  Key string             : hello (plain)
  Algorithm              : MD5
  SEND TIMER             :
    Start time           : 2012-03-14 00:00
    End time             : 2012-08-08 23:59
    Status               : Active
  RECEIVE TIMER          :
    Start time           : 2012-03-14 00:00
    End time             : 2012-08-08 23:59
    Status               : Active
  DEFAULT SEND KEY ID INFORMATION
    Default              : Not configured


13.5 Configuration Examples


This section provides configuration examples of the keychain module.

13.5.1 Example for Configuring Keychain Authentication for a Non-TCP Application


Networking Requirements
As shown in Figure 13-1, RIP and keychain authentication must be enabled on all interfaces of RouterA and RouterB. The Routers interconnect with each other using RIP-2.

Figure 13-1 Networking diagram of keychain

RouterA Eth0/0/8 (192.168.1.1/24) ---- Eth0/0/8 (192.168.1.2/24) RouterB

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure keychain basic functions.
2. Configure the application RIP on both Routers to use the keychain.

Data Preparation
To complete the configuration, you need the following data:
- keychain name
- key-id
- algorithm and key-string
- send and receive time
- receive tolerance

Procedure
Step 1 Configure RouterA.

# Configure keychain authentication.
<RouterA> system-view
[RouterA] keychain huawei mode absolute
[RouterA-keychain] receive-tolerance 100
[RouterA-keychain] key-id 1
[RouterA-keychain-keyid-1] algorithm md5
[RouterA-keychain-keyid-1] key-string plain hello
[RouterA-keychain-keyid-1] send-time utc 14:40 2008-10-10 to 14:50 2008-10-10
[RouterA-keychain-keyid-1] receive-time utc 14:30 2008-10-10 to 14:50 2008-10-10
[RouterA-keychain-keyid-1] quit

# Configure the basic functions of RIP.
<RouterA> system-view
[RouterA] interface ethernet 0/0/8
[RouterA-Ethernet0/0/8] ip address 192.168.1.1 24
[RouterA-Ethernet0/0/8] rip authentication-mode md5 nonstandard keychain huawei
[RouterA-Ethernet0/0/8] quit

Step 2 Configure RouterB.

# Configure keychain authentication.
[RouterB] keychain huawei mode absolute
[RouterB-keychain] receive-tolerance 100
[RouterB-keychain] key-id 1
[RouterB-keychain-keyid-1] algorithm md5
[RouterB-keychain-keyid-1] key-string plain hello
[RouterB-keychain-keyid-1] send-time utc 14:40 2008-10-10 to 14:50 2008-10-10
[RouterB-keychain-keyid-1] receive-time utc 14:30 2008-10-10 to 14:50 2008-10-10
[RouterB-keychain-keyid-1] quit

# Configure the basic functions of RIP.
[RouterB] interface ethernet 0/0/8
[RouterB-Ethernet0/0/8] ip address 192.168.1.2 24
[RouterB-Ethernet0/0/8] rip authentication-mode md5 nonstandard keychain huawei
[RouterB-Ethernet0/0/8] quit

----End

Configuration File
- Configuration file of RouterA

#
 sysname RouterA
#
interface Ethernet0/0/8
 ip address 192.168.1.1 255.255.255.0
 rip authentication-mode md5 nonstandard keychain huawei
#
keychain huawei mode absolute
 receive-tolerance 100
 key-id 1
  algorithm md5
  key-string plain hello
  send-time utc 14:40 2008-10-10 to 14:50 2008-10-10
  receive-time utc 14:30 2008-10-10 to 14:50 2008-10-10
#
return

- Configuration file of RouterB

#
 sysname RouterB
#
interface Ethernet0/0/8
 ip address 192.168.1.2 255.255.255.0
 rip authentication-mode md5 nonstandard keychain huawei
#
keychain huawei mode absolute
 receive-tolerance 100
 key-id 1
  algorithm md5
  key-string plain hello
  send-time utc 14:40 2008-10-10 to 14:50 2008-10-10
  receive-time utc 14:30 2008-10-10 to 14:50 2008-10-10
#
return


14 Configuration of Attack Defense and Application Layer Association

About This Chapter

Attack defense and application layer association prevent packet attacks on the CPU, which ensures that the device runs normally while it is being attacked.

14.1 Overview to Attack Defense and Application Layer Association
Attacks on TCP/IP networks increase steadily. Attacks on network devices may cause the network to be disabled or unavailable.
14.2 Configuring Abnormal Packet Attack Defense
Malformed packet attacks are classified into flood attacks without IP payload, IGMP null packet attacks, LAND attacks, Smurf attacks, and TCP flag-bit invalid attacks.
14.3 Configuring Fragmented Packet Attack Defense
Fragmented packet attacks can be classified into attacks of a huge number of fragments, Tear Drop, syndrop, nesta, fawx, bonk, NewTear, Bonk, Rose, huge-offset, Ping of death, Jolt, and duplicated fragmentation.
14.4 Configuring Flood Attack Defense
Flood attacks include SYN flood attacks, UDP flood attacks, and ICMP flood attacks.
14.5 Configuring Application Layer Association
Application layer association controls the forwarding and discarding of protocol packets by enabling or disabling application layer protocols. In this manner, application layer association can defend against attacks.
14.6 Maintenance Attack Defense and Application Layer Association
This section describes how to clear statistics about attack defense.
14.7 Configuration Example
This section provides an example for improving network security through attack defense. Familiarize yourself with the configuration procedures against the networking diagram. Each configuration example consists of the networking requirements, configuration precautions, configuration roadmap, configuration procedures, and configuration files.


14.1 Overview to Attack Defense and Application Layer Association


Attacks on TCP/IP networks increase steadily. Attacks on network devices may cause the network to be disabled or unavailable.

14.1.1 Overview of Attack Defense and Application Layer Association


Improving the capability of the device to defend against DoS attacks, scan and probe attacks, and malformed packet attacks enhances system security and meets the demands of service deployment.

TCP/IP Attack Defense


The attacks on the TCP/IP network keep increasing because the TCP/IP protocols have design defects and loose implementations. As a result, the impact on the TCP/IP network grows, and attacks on network devices in particular may lead to network failure. The attacks on the TCP/IP network are classified into three types: denial of service (DoS) attacks, scanning attacks, and abnormal packet attacks.
l DoS attack
DoS attackers send so many packets to the system that it cannot process normal requests or its resources are exhausted. DoS attackers use SYN flood or fraggle methods to attack the system. DoS attacks differ from other attacks in that the attacker does not search for an entry point into the network but prevents valid users from accessing resources or the router.
l Scanning attack
Scanning attacks identify the systems running on the network through ping scanning (ICMP and TCP) and thus accurately locate potential victims. TCP and UDP port scanning can be used to detect the type of operating system and the services offered. Through scanning, the attacker learns the service types provided by the target system and its latent security loopholes, and is thus ready to attack the system.
l Abnormal packet attack
Abnormal packet attacks use malformed packets. That is, the attacker sends defective IP packets to the target system, and the target system may crash when processing them. The main abnormal packet attacks are Ping of Death and Teardrop.
Routers are used in large numbers on core networks and MANs. You can enhance system security to meet service requirements by enhancing the attack defense performance of routers.

Application Layer Association


Routers may simultaneously run multiple services or functions, including Layer 2 services (STP, MSTP, and RRPP), routing services (OSPF and BGP), MPLS services (LDP and RSVP), system services (FTP server and TFTP server), and diagnosis functions (ping and tracert). Attackers can therefore send packets of many different types to attack routers. If the sent packets are multicast packets, or the destination address is the address of a port of the router (including a loopback port), the router sends the packets directly to the CPU. As a result, the router CPU and system resources are consumed, which is the aim of a DoS attack.
To prevent such attacks, switch control is used on some services and protocols. If the protocol is enabled, packets of this protocol are sent to the CPU. If the protocol is disabled, packets of this protocol are discarded. In this way, protocol packets are controlled and application layer association is implemented. Some protocols support a whitelist. The application layer association module inspects the protocol packets and allows them through with larger bandwidth and a higher rate if they match the whitelist.

14.1.2 Attack Defense and Application Layer Association Supported by AR200-S


The AR200-S supports defense against various attacks such as malformed packet attacks, fragmented packet attacks, and flooding attacks. In addition, the AR200-S offers the application layer association module to implement association with the application layer and packet filtering at the application layer.

Attack Defense Supported by AR200-S


The AR200-S supports TCP/IP attack defense of the following types:
l Defense against abnormal packets
The defense against abnormal packets prevents attacks from using excessive CPU resources. Abnormal packets can lead to system crashes and network failure, so the AR200-S directly discards them once they are detected. The following checks are used to defend against abnormal packet attacks:
Flood attacks without IP payload: IP packets without any higher-layer data are considered useless and directly discarded.
IGMP null packet attacks: If the length of an IGMP packet is smaller than 28 bytes, the packet is considered null and discarded.
LAND attacks: The router checks whether the source address and the destination address in a TCP SYN packet are the same and whether the source interface and the destination interface are the same. If they are the same, the packet is considered abnormal and directly discarded.
Smurf attacks: ICMP echo request packets whose destination address is the broadcast address or a subnet broadcast address are considered abnormal and discarded.
TCP flag bit invalid attacks: The router checks each flag bit of a TCP packet. If the URG, ACK, PSH, RST, SYN, and FIN flag bits are all 1s or all 0s, or both SYN and FIN are 1s, the packet is directly discarded.
l Defense against packet fragment attacks
The offsets of packet fragments may overlap. The system then consumes excessive resources reassembling the fragments, and the network connection fails. This is the principle of Teardrop attacks. When defending against Teardrop attacks, the AR200-S discards packets with overlapping offsets during reassembly to guarantee correct reassembly of packet fragments.
If the offset length of packet fragments is larger than 65515, the system consumes excessive resources reassembling packets and network services are disrupted. This is the principle of huge offset attacks. When processing huge offset attacks, the AR200-S determines whether the total length of the offset is larger than 65515. If so, the packets are discarded.
A repeated fragmented packet attack sends the same packet fragments multiple times, either by resending identical fragments or by sending fragments with the same offset but different contents. As a result, the system fails to reassemble the fragments and CPU usage becomes too high. To defend against repeated fragmented packet attacks, the AR200-S restricts the rate at which packet fragments are sent to the CPU on the interface board; the Committed Access Rate (CAR) can be configured for this.
l Defense against flood attacks
Flood attacks include TCP SYN flood attacks, UDP flood attacks (including fraggle attacks and UDP diagnosis port attacks), and ICMP flood attacks. The AR200-S defends against TCP SYN flood attacks and ICMP flood attacks by restricting their rate to prevent CPU resources from being exhausted. To defend against UDP flood attacks, the AR200-S discards UDP packets with port numbers 7, 13, and 19.
NOTE

Attack defense configurations take effect for only the main control board.
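The drop rules listed above can be written down as a small classifier. The following Python is an added example, not Huawei code and not the AR200-S implementation; it models the checks as the guide states them (the Packet fields, the BROADCAST and MAX_FRAG_END constants, the check_* and classify function names and the constructed sample packets are this example's own assumptions), so a reader can see which packets each rule catches and which pass:

```python
# Added example (not Huawei code): a model of the AR200-S abnormal-packet,
# fragment and UDP-flood drop rules as stated in section 14.1.2.
# Field names, constants and sample packets are this example's assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BROADCAST = "255.255.255.255"
UDP_DIAG_PORTS = {7, 13, 19}      # echo, daytime, chargen: dropped by UDP flood defense
MAX_FRAG_END = 65515              # a fragment reaching past this offset is "huge offset"
TCP_FLAGS = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                          # "tcp", "udp", "icmp", "igmp", "other"
    payload_len: int = 0                # bytes above the IP header
    total_len: int = 20                 # IP total length (header + payload)
    in_if: str = "Eth0/0/1"
    out_if: str = "Eth0/0/2"
    tcp_flags: Optional[Dict[str, bool]] = None
    icmp_type: Optional[int] = None
    udp_dport: Optional[int] = None
    subnet_bcast: Optional[str] = None  # subnet broadcast of the receiving interface
    frag_offset: int = 0                # fragment offset in bytes


def check_abnormal(p: Packet) -> Optional[str]:
    """Return the abnormal-packet rule a packet trips, or None if it passes."""
    if p.payload_len == 0:                        # flood without IP payload
        return "no-ip-payload"
    if p.proto == "igmp" and p.total_len < 28:    # IGMP null packet
        return "igmp-null"
    if p.proto == "tcp" and p.tcp_flags is not None:
        f = {k: bool(p.tcp_flags.get(k)) for k in TCP_FLAGS}
        # LAND: SYN whose source/destination address and interface are identical
        if f["SYN"] and not f["ACK"] and p.src == p.dst and p.in_if == p.out_if:
            return "land"
        # TCP flag-bit invalid: all six set, all clear, or SYN together with FIN
        if all(f.values()) or not any(f.values()) or (f["SYN"] and f["FIN"]):
            return "tcp-flags-invalid"
    if p.proto == "icmp" and p.icmp_type == 8:    # Smurf: echo request to a broadcast
        if p.dst == BROADCAST or (p.subnet_bcast and p.dst == p.subnet_bcast):
            return "smurf"
    return None


def check_udp_flood(p: Packet) -> Optional[str]:
    """UDP flood defense: drop UDP packets to the diagnostic ports 7, 13 and 19."""
    if p.proto == "udp" and p.udp_dport in UDP_DIAG_PORTS:
        return "udp-diag-port"
    return None


def check_fragments(frags: List[Packet]) -> Optional[str]:
    """Inspect the fragments of one datagram in arrival order: huge offset,
    repeated range, or overlapping range (Teardrop)."""
    accepted: List[Tuple[int, int]] = []
    for f in frags:
        start, end = f.frag_offset, f.frag_offset + f.payload_len
        if end > MAX_FRAG_END:
            return "huge-offset"
        for s, e in accepted:
            if (start, end) == (s, e):
                return "repeated-fragment"
            if start < e and s < end:
                return "overlap"
        accepted.append((start, end))
    return None


def classify(p: Packet) -> str:
    """Apply the per-packet rules in order; 'pass' means the packet is forwarded."""
    return check_abnormal(p) or check_udp_flood(p) or "pass"


def run_samples() -> Dict[str, Optional[str]]:
    """Constructed sample traffic (not captured data) run through the rules."""
    syn = {"SYN": True}
    frag = lambda off, ln: Packet("10.0.0.5", "10.0.0.1", "udp", ln, ln + 20, frag_offset=off)
    return {
        "normal_syn": classify(Packet("10.0.0.5", "10.0.0.1", "tcp", 20, 40, tcp_flags=syn)),
        "land": classify(Packet("10.0.0.1", "10.0.0.1", "tcp", 20, 40,
                                in_if="Eth0/0/1", out_if="Eth0/0/1", tcp_flags=syn)),
        "xmas": classify(Packet("10.0.0.5", "10.0.0.1", "tcp", 20, 40,
                                tcp_flags={k: True for k in TCP_FLAGS})),
        "null_scan": classify(Packet("10.0.0.5", "10.0.0.1", "tcp", 20, 40, tcp_flags={})),
        "syn_fin": classify(Packet("10.0.0.5", "10.0.0.1", "tcp", 20, 40,
                                   tcp_flags={"SYN": True, "FIN": True})),
        "smurf": classify(Packet("10.0.0.5", "10.0.0.255", "icmp", 8, 28,
                                 icmp_type=8, subnet_bcast="10.0.0.255")),
        "ping": classify(Packet("10.0.0.5", "10.0.0.1", "icmp", 8, 28, icmp_type=8)),
        "empty_ip": classify(Packet("10.0.0.5", "10.0.0.1", "other", 0, 20)),
        "igmp_null": classify(Packet("10.0.0.5", "224.0.0.1", "igmp", 4, 24)),
        "chargen": classify(Packet("10.0.0.5", "10.0.0.1", "udp", 8, 28, udp_dport=19)),
        "dns": classify(Packet("10.0.0.5", "10.0.0.1", "udp", 30, 50, udp_dport=53)),
        "frag_ok": check_fragments([frag(0, 1480), frag(1480, 1480)]),
        "teardrop": check_fragments([frag(0, 1480), frag(24, 1480)]),
        "huge_offset": check_fragments([frag(65528, 8)]),
        "repeated": check_fragments([frag(0, 1480), frag(0, 1480)]),
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:12s} -> {verdict}")
```

The per-packet checks are stateless, which is why the device can apply them in the forwarding path; the fragment checks need state per datagram, which is why the guide pairs them with a CAR limit rather than inspection alone.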

Application Layer Association Supported by the AR200-S


The AR200-S supports application layer association. The application layer association module controls some protocols and functions.
l When a protocol is disabled, the AR200-S directly discards packets of this protocol to prevent attacks.
l When a protocol is enabled, the AR200-S limits the rate of protocol packets sent to the CPU to protect the CPU.

The application layer association module supports SNMP, HW-TACACS, NTP, SSH, DHCP, 802.1x, and PIM protocols and supports HTTP server, Telnet server, STelnet server, FTP server, SFTP server, BFD, UDP helper, and VRRP services.
NOTE

You can configure application layer association for different protocols and services.

14.2 Configuring Abnormal Packet Attack Defense


Malformed packet attacks are classified into flood attacks without IP payload, IGMP null packet attacks, LAND attacks, Smurf attacks, and TCP flag-bit invalid attacks.

14.2.1 Establishing the Configuration Task


This section describes the applicable environment, required tasks, and data for configuring defense against malformed packets.

Applicable Environment
Different types of attacks on a network overload network devices or even cause them to fail, thus affecting network services.
To prevent network devices from being attacked and to ensure normal network services, defense against abnormal packet attacks must be configured.

Pre-configuration Tasks
Before configuring defense against abnormal packet attacks, complete the following tasks:
l Setting the link layer protocol parameters (and the IP address) for the interface to make the status of the link protocol Up

Data Preparation
None.

14.2.2 Enabling Defense Against Abnormal Packet Attacks


The major measure to defend against malformed packet attacks is to determine the packet type. If a packet is of a malformed type, it is discarded directly.

Context
Do as follows on the router:

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the anti-attack abnormal enable command to enable defense against abnormal packet attacks.
Defense against abnormal packet attacks is enabled by default. If defense against abnormal packet attacks is disabled, run the command to enable it.
----End

14.2.3 Checking the Configuration


After configuring defense against attacks from malformed packets, you can view statistics about defense against malformed packets.

Prerequisites
The configurations of the abnormal packet attack defense are complete.

Procedure
Step 1 Run the display anti-attack statistics abnormal command to check the statistics of defense against abnormal packet attacks on the interface board.
----End

Example
After the configuration is complete, run the display anti-attack statistics abnormal command to check the statistics of defense against abnormal packet attacks on the interface board.
<Huawei> display anti-attack statistics abnormal
Packets Statistic Information:
-------------------------------------------------------------------------------
AntiAtkType      TotalPacketNum       DropPacketNum        PassPacketNum
                 (H)       (L)        (H)       (L)        (H)       (L)
-------------------------------------------------------------------------------
Abnormal         0         0          0         0          0         0
-------------------------------------------------------------------------------

14.3 Configuring Fragmented Packet Attack Defense


Fragmented packet attacks can be classified into attacks of a huge number of fragments, Tear Drop, syndrop, nesta, fawx, bonk, NewTear, Bonk, Rose, huge-offset, Ping of death, Jolt, and duplicated fragmentation.

14.3.1 Establishing the Configuration Task


This section describes the applicable environment, required tasks, and data for configuring defense against fragmented packet attacks.

Applicable Environment
Different types of attacks on a network overload network devices or even cause them to fail, thus affecting network services. To prevent network devices from being attacked and to ensure normal network services, defense against packet fragment attacks must be configured.

Pre-configuration Tasks
Before configuring defense against packet fragment attacks, complete the following tasks:
l Setting the link layer protocol parameters (and the IP address) for the interface to make the status of the link protocol Up

Data Preparation
To configure defense against packet fragment attacks, you need the following data:
No.   Data
1     Restricted rate of packet fragments

14.3.2 Configuring Defense Against Packet Fragment Attacks


The major measure to defend against fragmented packet attacks is to limit the packet rate. In this manner, you prevent attackers from sending a great number of fragmented packets to drive up CPU usage, and ensure that the CPU works normally while under attack.

Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
anti-attack fragment enable

Defense against packet fragment attacks is enabled.
Defense against packet fragment attacks is enabled by default. Thus, you need to configure the restricted rate only. If defense against packet fragment attacks is disabled, run the command to enable it.
Step 3 Run:
anti-attack fragment car cir cir

The rate of sending packet fragments is restricted.
----End

14.3.3 Checking the Configuration


After configuring defense against fragmented packet attacks, you can view statistics about defense against fragmented packets on the LPU.

Prerequisites
The configurations of the fragmented packet attack defense are complete.

Procedure
Step 1 Run the display anti-attack statistics fragment command to check the statistics of defense against packet fragment attacks on the interface board.
----End

Example
After the configuration is complete, run the display anti-attack statistics fragment command to check the statistics of defense against packet fragment attacks on the interface board.
<Huawei> display anti-attack statistics fragment
Packets Statistic Information:
-------------------------------------------------------------------------------
AntiAtkType      TotalPacketNum       DropPacketNum        PassPacketNum
                 (H)       (L)        (H)       (L)        (H)       (L)
-------------------------------------------------------------------------------
Fragment         0         0          0         0          0         0
-------------------------------------------------------------------------------

14.4 Configuring Flood Attack Defense


Flood attacks include SYN flood attacks, UDP flood attacks, and ICMP flood attacks.


14.4.1 Establishing the Configuration Task


This section describes the applicable environment, required tasks, and data for configuring defense against flood attacks.

Applicable Environment
Different types of attacks on a network overload network devices or even cause them to fail, thus affecting network services. To prevent network devices from being attacked and to ensure normal network services, defense against flood attacks must be configured.

Pre-configuration Tasks
Before configuring defense against flood attacks, complete the following tasks:
l Setting the link layer protocol parameters (and the IP address) for the interface to make the status of the link protocol Up

Data Preparation
To configure defense against flood attacks, you need the following data:
No.   Data
1     Restricted rate of TCP SYN packets and restricted rate of ICMP flood packets

14.4.2 Configuring Defense Against SYN Flood Attacks


The major measure to defend against SYN flood attacks is to limit the rate of TCP SYN packets.

Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
anti-attack tcp-syn enable

Defense against SYN flood attacks is enabled.
Defense against SYN flood attacks is enabled by default. Thus, you need to configure the restricted rate only. If defense against SYN flood attacks is disabled, run the command to enable it.
Step 3 Run:
anti-attack tcp-syn car cir cir

The rate of sending TCP SYN packets is restricted.
----End

14.4.3 Configuring Defense Against UDP Flood Attacks


The major measure to defend against UDP flood attacks is to discard UDP packets sent to the diagnostic ports.

Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
anti-attack udp-flood enable

Defense against UDP flood attacks is enabled.
Defense against UDP flood attacks is enabled by default. If defense against UDP flood attacks is disabled, run the command to enable it.
----End

14.4.4 Configuring Defense Against ICMP Flood Attacks


The major measure to defend against ICMP flood attacks is to limit the rate of ICMP packets.

Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
anti-attack icmp-flood enable

Defense against ICMP flood attacks is enabled.
Defense against ICMP flood attacks is enabled by default. Thus, you need to configure the restricted rate only. If defense against ICMP flood attacks is disabled, run the command to enable it.
Step 3 Run:
anti-attack icmp-flood car cir cir

The rate of sending ICMP flood packets is restricted.
----End
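The car cir value in the SYN flood and ICMP flood procedures above is a committed rate in bit/s for packets sent to the CPU. The following Python is an added example, not Huawei code: a token-bucket model of such a limiter (the Car class, the bucket depth burst_bits, the 60-byte SYN size and the simulate() traffic pattern are assumptions of this example, since the guide does not state how the device's CAR is implemented or what burst it allows). It shows why a steady trickle of TCP SYN packets passes while a burst arriving in the same instant is mostly dropped, which is the pattern that shows up in the DropPacketNum counter of display anti-attack statistics:

```python
# Added example (not Huawei code): a token-bucket model of the
# "anti-attack <type> car cir <rate>" limiter. Bucket depth, traffic
# pattern and packet size are assumptions of this example; the guide only
# states that cir is the rate in bit/s at which packets may reach the CPU.
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class Car:
    cir_bps: int                    # committed information rate in bit/s (the cir argument)
    burst_bits: int                 # bucket depth in bits; assumed, not stated by the guide
    tokens: float = field(init=False)
    last_t: float = 0.0
    passed: int = 0
    dropped: int = 0

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bits)   # bucket starts full

    def offer(self, t: float, pkt_bytes: int) -> bool:
        """Account one packet of pkt_bytes arriving at time t (seconds); True = passed to CPU."""
        # refill in proportion to elapsed time, never above the bucket depth
        refill = (t - self.last_t) * self.cir_bps
        self.tokens = min(float(self.burst_bits), self.tokens + refill)
        self.last_t = t
        need = pkt_bytes * 8
        if self.tokens >= need:
            self.tokens -= need
            self.passed += 1
            return True
        self.dropped += 1          # counted as DropPacketNum on the device
        return False


def simulate(cir_bps: int = 15000, burst_bits: int = 15000, syn_bytes: int = 60) -> Dict[str, int]:
    """Constructed traffic: 10 TCP SYN per second for one second (a normal
    client rate), then 200 SYNs arriving in the same instant (a flood)."""
    car = Car(cir_bps, burst_bits)
    trickle = [car.offer(0.1 * i, syn_bytes) for i in range(1, 11)]
    burst = [car.offer(1.0, syn_bytes) for _ in range(200)]
    return {
        "trickle_passed": sum(trickle),
        "burst_passed": sum(burst),
        "burst_dropped": len(burst) - sum(burst),
        "total_passed": car.passed,
        "total_dropped": car.dropped,
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name:15s} {value}")
```

With cir set to 15000 bit/s, as in the configuration example later in this chapter, a 60-byte SYN costs 480 bits, so the limiter admits roughly 31 SYNs per second in steady state; the legitimate trickle is never touched, while 170 of the 200 burst packets are dropped before they reach the CPU.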



14.4.5 Checking the Configuration


After configuring defense against flood attacks, you can view statistics about defense against flood attacks on the interface board.

Prerequisites
The configurations of the flood attack defense are complete.

Procedure
Step 1 Run the display anti-attack statistics [ tcp-syn | udp-flood | icmp-flood ] command to check the statistics of defense against flood attacks on the interface board.
----End

Example
After the configuration is complete, run the display anti-attack statistics [ tcp-syn | udp-flood | icmp-flood ] command to check the statistics of defense against flood attacks on the interface board.
<Huawei> display anti-attack statistics tcp-syn
Packets Statistic Information:
-------------------------------------------------------------------------------
AntiAtkType      TotalPacketNum       DropPacketNum        PassPacketNum
                 (H)       (L)        (H)       (L)        (H)       (L)
-------------------------------------------------------------------------------
Tcp-syn          0         0          0         0          0         0
-------------------------------------------------------------------------------
<Huawei> display anti-attack statistics udp-flood
Packets Statistic Information:
-------------------------------------------------------------------------------
AntiAtkType      TotalPacketNum       DropPacketNum        PassPacketNum
                 (H)       (L)        (H)       (L)        (H)       (L)
-------------------------------------------------------------------------------
Udp-flood        0         0          0         0          0         0
-------------------------------------------------------------------------------
<Huawei> display anti-attack statistics icmp-flood
Packets Statistic Information:
-------------------------------------------------------------------------------
AntiAtkType      TotalPacketNum       DropPacketNum        PassPacketNum
                 (H)       (L)        (H)       (L)        (H)       (L)
-------------------------------------------------------------------------------
Icmp-flood       0         0          0         0          0         0
-------------------------------------------------------------------------------

14.5 Configuring Application Layer Association


Application layer association controls forwarding and discarding of protocol packets by enabling or disabling application layer protocols. In this manner, application layer association can defend against attacks.

14.5.1 Establishing the Configuration Task


This section describes the applicable environment, required tasks, and data for configuring application layer association.

Applicable Environment
To prevent network devices from being attacked through packets of idle protocols, and to prevent network congestion, excessive CPU usage, and DoS attacks, application layer association is required and the idle protocol modules must be disabled. In this way, packets of those protocols are discarded without being sent to the CPU, and the CPU keeps working normally.

Pre-configuration Tasks
Before configuring application layer association, complete the following tasks:
l Setting the link layer protocol parameters (and the IP address) for the interface to make the status of the link protocol Up

Data Preparation
To configure application layer association, you need the following data:
No.   Data
1     Protocols to be enabled/disabled
2     Policy for packets that do not match the application layer association module

14.5.2 Configuring Application Layer Association


Enabling of the application layer association module depends on whether a protocol is enabled. Whether a packet that mismatches the application layer association module is forwarded or discarded depends on the configuration of the device.

Context
The application layer association module uses the protocol switch to control whether application layer association takes effect. If a protocol is enabled, packets of that protocol are sent to the CPU. If a protocol is disabled, packets of that protocol are directly discarded. To prevent attacks through packets of idle protocols, disable the idle protocol modules. An enabled protocol cannot filter invalid packets by itself, so use the rate restriction function to limit the rate of packets sent to the CPU and protect the CPU from being attacked.
Do as follows on the router:

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 For all the protocols and functions covered by application layer association, enable the necessary protocols and disable the idle protocols to prevent attacks on the CPU.
Step 3 (Optional) Run the application-apperceive default drop command to discard packets for which no application layer association policy is found.
----End

14.6 Maintenance Attack Defense and Application Layer Association


This section describes how to clear statistics about attack defense.

14.6.1 Clearing Statistics of Attack Defense and Application Layer Association


After confirming that you need to clear statistics about attack defense, you can run a command to do it.

Context

CAUTION
The statistics cannot be recovered if cleared. Perform the action with caution.

Procedure
Step 1 Run the reset anti-attack statistics [ abnormal | fragment | tcp-syn | udp-flood | icmp-flood ] command to clear the statistics of defense against packet attacks.
----End

14.7 Configuration Example


This section provides an example for improving network security through attack defense. Familiarize yourself with the configuration procedures against the networking diagram. Each configuration example consists of the networking requirements, configuration precautions, configuration roadmap, configuration procedures, and configuration files.

14.7.1 Example of Configuring Attack Defense


This section describes the applications of attack defense on an actual network, including defense against malformed packet attacks, fragmented packet attacks, and flood attacks.

Networking Requirements
As shown in Figure 14-1, Router B as a client is connected to Router A on the public network. To prevent Router A from being attacked by the TCP/IP attack packets sent by a hacker on the LAN, the following attack defense measures must be used on Router A.
l Enable defense against abnormal packet attacks.
l Enable defense against packet fragment attacks and restrict the rate for sending packet fragments to 15000 bit/s to prevent packet fragments from attacking the CPU and using excessive CPU and system resources.
l Enable defense against flood attacks as follows:
Enable defense against SYN flood attacks and restrict the rate for sending TCP SYN packets to 15000 bit/s to prevent the TCP SYN packets from using excessive CPU resources.
Enable defense against UDP flood attacks to discard the UDP packets sent on specified ports.
Enable defense against ICMP flood attacks and restrict the rate for sending ICMP flood packets to 15000 bit/s to prevent the ICMP flood packets from using excessive CPU resources.

Figure 14-1 Networking diagram of configuring attack defense (diagram not reproduced; elements shown: Internet; Router A, Eth0/0/7 100.111.1.1/24; Router B, Eth0/0/7 100.111.1.2/24, VLAN300; VLAN100 and VLAN200 with a hacker and users)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the IP addresses and routes of each interface to guarantee internetworking.
2. Enable defense against abnormal packet attacks on Router A.
3. Enable defense against packet fragment attacks on Router A.
4. Enable defense against flood attacks on Router A.

Data Preparation
To complete the configuration, you need the following data:
l IP address of each interface
l Restricted rate of sending packets to the CPU

Procedure
Step 1 Configure the IP addresses and routes of each interface to guarantee internetworking (omitted).
Step 2 Enable defense against abnormal packet attacks on Router A.
<RouterA> system-view
[RouterA] anti-attack abnormal enable

Step 3 # Enable defense against packet fragment attacks on Router A and restrict the rate for sending packet fragments to 15000 bit/s.
[RouterA] anti-attack fragment enable

#
[RouterA] anti-attack fragment car cir 15000

Step 4 # Enable defense against SYN flood attacks on Router A and restrict the rate for sending TCP SYN packets to 15000 bit/s.
[RouterA] anti-attack tcp-syn enable
[RouterA] anti-attack tcp-syn car cir 15000

# Enable defense against UDP flood attacks on Router A to discard the UDP packets sent on specified ports.
[RouterA] anti-attack udp-flood enable

# Enable defense against ICMP flood attacks on Router A and restrict the rate for sending ICMP flood packets to 15000 bit/s.
[RouterA] anti-attack icmp-flood enable
[RouterA] anti-attack icmp-flood car cir 15000

Step 5 Verify the configuration.
After the configuration is complete, run the display anti-attack statistics [ abnormal | fragment | tcp-syn | udp-flood | icmp-flood ] command to check the statistics of packet attack defense.
<RouterA> display anti-attack statistics
Packets Statistic Information:
-------------------------------------------------------------------------------
AntiAtkType      TotalPacketNum       DropPacketNum        PassPacketNum
                 (H)       (L)        (H)       (L)        (H)       (L)
-------------------------------------------------------------------------------
URPF             0         0          0         0          0         0
Abnormal         0         0          0         0          0         0
Fragment         0         0          0         0          0         0
Tcp-syn          0         30         0         0          0         30
Udp-flood        0         0          0         0          0         0
Icmp-flood       0         40         0         0          0         40
-------------------------------------------------------------------------------

----End

Configuration Files
l Configuration file of Router A
#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 ip address 100.111.1.1 255.255.255.252
#
 anti-attack fragment car cir 15000
 anti-attack tcp-syn car cir 15000
 anti-attack icmp-flood car cir 15000
#
return

l Configuration file of Router B
#
 sysname RouterB
#
interface GigabitEthernet2/0/0
 ip address 100.111.1.2 255.255.255.252
#
return
