
HUAWEI

6. Security Configuration
7. VPN Configuration
8. Reliability Configuration
9. QoS Configuration
10. DDR Configuration
11. VoIP Configuration

VRP User Manual Configuration Guide Volume 3

V200R001

VRP User Manual Configuration Guide


Volume: 3
Manual Version: T2-080168-20011213-C-1.5
Product Version: V200R001
BOM: 31010868

Copyright 2001 by Huawei Technologies Co., Ltd.

All Rights Reserved


No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks

HUAWEI, C&C08, EAST8000, HONET, ViewPoint, INtess, ETS, DMC, SBS, TELLIN, InfoLink, Netkey, Quidway, SYNLOCK, Radium, M900/M1800, TELESIGHT, Quidview, NETENGINE, Musa, OptiX, Airbridge, Tellwin, Inmedia, VRP, DOPRA, iTELLIN are trademarks of Huawei Technologies Co., Ltd.

Notice
The information in this document is subject to change without notice. Although every effort has been made to make this document as accurate, complete, and clear as possible, Huawei Technologies assumes no responsibility for any errors that may appear in this document.

Huawei Technologies Co., Ltd.


Address: Huawei Customer Service Building, Kefa Road, Science-based Industrial Park, Shenzhen, P. R. China
Zip code: 518057
Tel: +86-755-6540036
Fax: +86-755-6540035
Website: http://www.huawei.com
E-mail: support@huawei.com

About This Manual


Contents
To help readers better understand, use and maintain Quidway series routers, we publish the manual suite for Quidway series routers. This manual suite includes:
VRP User Manual Configuration Guide (V1.5) - Volume 1
VRP User Manual Configuration Guide (V1.5) - Volume 2
VRP User Manual Configuration Guide (V1.5) - Volume 3
VRP User Manual Command Reference (V1.5) - Volume 1
VRP User Manual Command Reference (V1.5) - Volume 2
VRP User Manual Command Reference (V1.5) - Volume 3

Quidway R1602 Router Installation Manual
Quidway R1603/1604 Routers Installation Manual
Quidway R2501 Router Installation Manual
Quidway R2501E Router Installation Manual
Quidway R2509/2511 Routers Installation Manual
Quidway R2509E/2511E Routers Installation Manual
Quidway R4001 Router Installation Manual
Quidway R4001E Router Installation Manual
Quidway R26/36 Modular Router Installation Manual

Among the manual suite, the first two manuals are applicable to all routers, and the other installation manuals are separately used for their own types of routers. In VRP User Manual Configuration Guide (V1.5) - Volume 3, the modules are arranged as follows:

Module 6 Security Configuration (06SC)
This module mainly introduces the principle and basic specific configuration of the security features provided by VRP1.5, including AAA configuration, RADIUS protocol configuration, terminal access security configuration, firewall and packet filtering configuration, IPSec protocol configuration and IKE protocol configuration.

Module 7 VPN Configuration (07VPN)
This module mainly introduces the principle and specific configuration of the VPN solutions provided by VRP1.5, including configuration of the L2TP protocol and the GRE protocol.

Module 8 Reliability Configuration (08LC)
This module mainly introduces the principle and specific configuration of the backup center and the HSRP protocol.

Module 9 QoS Configuration (09QC)
This module mainly introduces the principle and specific configuration of the QoS service features supported by VRP1.5, including configuration of congestion management, priority queue and custom queue.

Module 10 DDR Configuration (10DC)
This module mainly introduces the principle and specific configuration of the dial solutions provided by VRP1.5, including Legacy DDR configuration, Dialer Profile configuration and modem management configuration.

Module 11 VoIP Configuration (11VC)
This module mainly introduces the principle and specific configuration of the IP voice service features supported by VRP1.5, including configuration of VoIP, IP Fax, E1 voice, GK client and IPHC.

Note: For questions regarding the product specifications, please confirm with the concerned personnel in Huawei's Enterprise Network Section, as the software specifications vary with the product type.

Target Readers
The manual is intended for the following readers:
Network engineers
Technical assistance engineers
Network administrators

Conventions Used in the Document

Keyboard operation
Format | Description
<Key> | Press the key with the key name expressed in pointed brackets, e.g. <Enter>, <Tab>, <Backspace>, or <A>.
<Key 1 + Key 2> | Press the keys concurrently; e.g. <Ctrl+Alt+A> means the three keys should be pressed concurrently.
<Key 1, Key 2> | Press the keys in turn, e.g. <Alt, A> means the two keys should be pressed in turn.
[Menu Option] | The item with a square bracket indicates the menu option, e.g. [System] option on the main menu. The item with a pointed bracket indicates the functional button option, e.g. <OK> button on some interface.
[Menu 1/Menu 2/Menu 3] | Multi-level menu options, e.g. [System/Option/Color setup] on the main menu indicates [Color Setup] on the menu option of [Option], which is on the menu option of [System].

Mouse operation

Action | Description
Click | Press the left button or right button quickly (left button by default).
Double Click | Press the left button twice continuously and quickly.
Drag | Press and hold the left button and drag it to a certain position.

Symbol
Some distinct symbols are employed in the manual to indicate the special notice that should be taken for the operation. The symbols are:
Caution, Notice, Warning, Danger: Notify the special attention that should be given to the operation.
Note, Prompt, Tip, Thought: Give further necessary supplement or explanation for the operation description.


VRP User Manual Configuration Guide Volume 3
06 Security Configuration (SC)

User Manual - Configuration Guide (Volume 3) Versatile Routing Platform


Chapter 2 Configuration of Terminal Access Security


2.1 Terminal Access Security
2.1.1 Classification of Terminal Access Users
Quidway series routers adopt cascade protection for the command line interface, and divide terminal access users into two types:
Ordinary users
Privileged users
An ordinary user can only view some simple running information of routers, but a privileged user can not only view all the running information of a router, but also configure and debug the routers. A password is not necessary for ordinary users to access a router, but it is necessary for privileged users.

2.1.2 Configuring EXEC Login Authentication


All users accessing a router through various terminal means are called EXEC users. Quidway series routers divide EXEC users into five types: asynchronous port terminal users, X.25 PAD calling users, console port users, dumb terminal access users and Telnet terminal users. Quidway series routers now support the command line interpreters accessing terminals from four types of interfaces:
Accessing routers via remote X.25 PAD calling users
Accessing routers via the asynchronous dialing port (working in Interactive mode)
Accessing routers via the local console port
Accessing routers via dumb terminal access mode
Accessing routers via local/remote Telnet terminal
Please perform the following tasks in the global configuration mode.

Table SC-2-1 Configure EXEC login authentication
Operation | Command
Configure login authentication of EXEC from asynchronous port | login async
Cancel login authentication of EXEC from asynchronous port | no login async
Configure login authentication of EXEC from Console port | login con
Cancel login authentication of EXEC from Console port | no login con
Configure EXEC login authentication to dumb terminal access server user | login hwtty
Cancel EXEC login authentication to dumb terminal access server user | no login hwtty
Configure login authentication to remote X.25 PAD calling user | login pad
Cancel login authentication to remote X.25 PAD calling user | no login pad
Configure login authentication of EXEC via telnet | login telnet
Cancel login authentication of EXEC via telnet | no login telnet


2.1.3 Security Features Provided by Command Line Interfaces for Terminal Users
A command line interface provides the following features for terminal users:
A terminal user logs in to a router as an ordinary user by default. To become a privileged user who can configure and manage the router, the enable command should be executed in the ordinary user mode and the correct privileged user password should be input.
For security, the privileged user password input will not be displayed on the terminal screen.
In case illegal users attempt to enter different passwords again and again, the access will be disconnected automatically once a wrong password has been input three times.
If a terminal user makes no keyboard input within 10 minutes, the access is disconnected automatically (for Console port terminal users, this time limit is 3 minutes).
When a privileged user is away from a terminal for a long time, it is recommended to exit to the ordinary user mode or disconnect from the router, so as to avoid illegal access to the router.

Table SC-2-2 Related operation of a privileged user
Operation | Command
Privileged user password authentication | enable
Exit from terminal user connection | exit
Return from the privileged user mode to the ordinary user mode | disable
Privileged user entering configuration mode | configure
Disconnect the user upon timeout when nothing is input | exec-timeout
Disable the disconnection of user when nothing is input | no exec-timeout

2.1.4 Modifying Privileged User Password


No default privileged user password is set on a router at delivery, so when the router is powered on for the first time, use the enable command to modify the privileged user password.

Table SC-2-3 Modify privileged user password
Operation | Command
Modify privileged user password | enable [ password password ]

2.2 Typical Configuration of EXEC


2.2.1 Configuring EXEC Login Authentication from CONSOLE Port
1) Enable AAA
Quidway (config)#aaa-enable
2) Configure the login authentication of entering EXEC from Console port
Quidway (config)#login con
3) Configure the local authentication user name and password of EXEC user type.
Quidway (config)#user abc service-type exec password 0 hello
4) Configure the default authentication method list of EXEC users
Quidway (config)#aaa authentication login default radius local
5) Configure RADIUS server and the shared secret
Quidway (config)#radius-server host 172.17.0.30 auth-port 1645 acct-port 1646
Quidway (config)#radius-server key quidway

In this example, the user name is abc and the password is hello. The user is first authenticated by the RADIUS server; local authentication is used when RADIUS authentication cannot be carried out normally. When logging in to the router via the Console port, only the user whose user name is abc and password is hello can log in successfully; otherwise, access to the router will be denied.
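As an added illustration of the method-list behaviour described above (not code from the manual or from Huawei), the following Python model evaluates an EXEC login against the methods named in the aaa authentication login default radius local command; the RADIUS exchange is simulated, and the rule that an explicit reject ends the attempt while only an unreachable server falls through to local is an assumption taken from standard AAA method-list semantics.

```python
from typing import Callable, Dict, List

# Result of one method. Only ERROR (RADIUS server unreachable, i.e. the
# authentication "can not be carried out normally") moves on to the next
# method; an explicit REJECT ends the attempt. Treating reject and error
# differently is standard method-list behaviour and an assumption here.
ACCEPT, REJECT, ERROR = "accept", "reject", "error"

def parse_method_list(line: str) -> List[str]:
    """Method order from the command as written in section 2.2.1."""
    prefix = "aaa authentication login default "
    if not line.startswith(prefix):
        raise ValueError(line)
    return line[len(prefix):].split()

def exec_login(methods: List[str], local_users: Dict[str, str],
               radius: Callable[[str, str], str], user: str, pw: str) -> bool:
    """True if the user may enter EXEC, False if access is denied."""
    for method in methods:
        if method == "radius":
            result = radius(user, pw)
        else:  # "local": the "user <name> service-type exec password 0 <pw>" entries
            result = ACCEPT if local_users.get(user) == pw else REJECT
        if result == ACCEPT:
            return True
        if result == REJECT:
            return False  # a definite answer; later methods are not consulted
        # ERROR: fall through to the next configured method
    return False          # every method failed to answer: deny

# Constructed scenarios: the RADIUS host 172.17.0.30 of the example is either
# reachable and knows user abc/hello, or unreachable.
def radius_up(user: str, pw: str) -> str:
    return ACCEPT if (user, pw) == ("abc", "hello") else REJECT

def radius_down(user: str, pw: str) -> str:
    return ERROR

METHODS = parse_method_list("aaa authentication login default radius local")
LOCAL_USERS = {"abc": "hello"}

def demo() -> Dict[str, bool]:
    return {
        "up_good": exec_login(METHODS, LOCAL_USERS, radius_up, "abc", "hello"),
        "up_bad": exec_login(METHODS, LOCAL_USERS, radius_up, "abc", "wrong"),
        "down_good": exec_login(METHODS, LOCAL_USERS, radius_down, "abc", "hello"),
        "down_bad": exec_login(METHODS, LOCAL_USERS, radius_down, "abc", "wrong"),
    }
```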

2.2.2 Configuring EXEC Login Authentication via Telnet


1) Enable AAA
Quidway (config)#aaa-enable
2) Configure the login authentication of entering EXEC via Telnet port
Quidway (config)#login telnet
3) Configure the local authentication user name and password of EXEC user type.
Quidway (config)#user abc service-type exec password 0 hello
4) Configure the authentication method list of EXEC users
Quidway (config)#aaa authentication login default local

In this example, the user name is abc and the password is hello. Local authentication is conducted directly, and only users passing the local authentication can log in successfully. Otherwise, access to the router will be denied.
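The following Python audit, added here and not part of the manual, checks a saved configuration for the settings this chapter describes (AAA enabled, login authentication on the Console and Telnet paths, idle disconnection left on, a local fallback behind RADIUS, and the RADIUS shared secret). It assumes both Console and Telnet are in use and that configuration lines appear exactly as typed in sections 2.2.1 and 2.2.2; both sample configurations are constructed.

```python
import re
from typing import List

def audit_terminal_access(config: str) -> List[str]:
    """Return findings; an empty list means the chapter's settings are all present."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    def has(cmd: str) -> bool:  # exact command or command followed by arguments
        return any(ln == cmd or ln.startswith(cmd + " ") for ln in lines)
    findings: List[str] = []
    if not has("aaa-enable"):
        findings.append("AAA not enabled (aaa-enable missing)")
    # 2.1.2: login authentication on the console and Telnet access paths
    for path in ("con", "telnet"):
        if not has(f"login {path}") or has(f"no login {path}"):
            findings.append(f"EXEC login authentication not configured for {path}")
    # 2.1.3: the idle-timeout disconnection must not be switched off
    if has("no exec-timeout"):
        findings.append("idle disconnection disabled (no exec-timeout)")
    # 2.2: default method list, local fallback and the RADIUS shared secret
    mls = [ln for ln in lines if ln.startswith("aaa authentication login default ")]
    methods = mls[-1].split()[4:] if mls else []
    if not methods:
        findings.append("no default login authentication method list")
    if "radius" in methods:
        if "local" not in methods:
            findings.append("RADIUS without local fallback: no login while the server is down")
        if not has("radius-server key"):
            findings.append("radius-server key (shared secret) not set")
    if "local" in methods and not any(
            re.match(r"user \S+ service-type exec password ", ln) for ln in lines):
        findings.append("local method listed but no EXEC user is defined")
    return findings

# Constructed configurations; the commands and values follow section 2.2.1
GOOD_CONFIG = """
aaa-enable
login con
login telnet
user abc service-type exec password 0 hello
aaa authentication login default radius local
radius-server host 172.17.0.30 auth-port 1645 acct-port 1646
radius-server key quidway
"""
WEAK_CONFIG = """
aaa-enable
login con
no exec-timeout
aaa authentication login default radius
"""
```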
