
Page 1: Configuration Guide - Security(V200R002C00_02)

Huawei AR200-S Series Enterprise Routers V200R002C00

Configuration Guide - Security

Issue 02

Date 2012-03-30

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2012. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China

Website: http://www.huawei.com

Email: [email protected]

Issue 02 (2012-03-30) Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.


About This Document

Intended Audience

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the security feature supported by the AR200-S.

This document describes how to configure the security feature.

This document is intended for:

- Data configuration engineers
- Commissioning engineers
- Network monitoring engineers
- System maintenance engineers

Symbol Conventions

The symbols that may be found in this document are defined as follows.

DANGER: Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.

WARNING: Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.

CAUTION: Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.

TIP: Indicates a tip that may help you solve a problem or save time.

NOTE: Provides additional information to emphasize or supplement important points of the main text.


Command Conventions

The command conventions that may be found in this document are defined as follows.

Boldface: The keywords of a command line are in boldface.

Italic: Command arguments are in italics.

[ ]: Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... }: Optional items are grouped in braces and separated by vertical bars. One item is selected.

[ x | y | ... ]: Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.

{ x | y | ... }*: Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.

[ x | y | ... ]*: Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.

&<1-n>: The parameter before the & sign can be repeated 1 to n times.

#: A line starting with the # sign is a comment.

Interface Numbering Conventions

Interface numbers used in this manual are examples. In device configuration, use the existing interface numbers on devices.

Change History

Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.

Changes in Issue 02 (2012-03-30)

Based on issue 01 (2011-12-30), the document is updated as follows:

The following information is modified:

- 2.2 HTTPS Features Supported by the AR200-S
- 13.3.5 Configuring key-string of a key-id


Changes in Issue 01 (2011-12-30)

Initial commercial release.


Contents

About This Document ..... ii

1 AAA Configuration ..... 1
1.1 AAA Overview ..... 2
1.2 AAA Features Supported by the AR200-S ..... 2
1.3 Configuring Local Authentication and Authorization ..... 5
1.3.1 Establishing the Configuration Task ..... 6
1.3.2 Configuring a Local User ..... 6
1.3.3 Configuring Authentication and Authorization Schemes ..... 8
1.3.4 Configuring a Domain ..... 9
1.3.5 Checking the Configuration ..... 10
1.4 Configuring RADIUS AAA ..... 11
1.4.1 Establishing the Configuration Task ..... 11
1.4.2 Configuring AAA Schemes ..... 12
1.4.3 Configuring a RADIUS Server Template ..... 14
1.4.4 Configuring a Domain ..... 16
1.4.5 Checking the Configuration ..... 18
1.5 Configuring HWTACACS AAA ..... 18
1.5.1 Establishing the Configuration Task ..... 18
1.5.2 Configuring AAA Schemes ..... 20
1.5.3 Configuring an HWTACACS Server Template ..... 22
1.5.4 Configuring a Domain ..... 25
1.5.5 Checking the Configuration ..... 26
1.6 Maintaining AAA ..... 27
1.6.1 Clearing the Statistics ..... 27
1.7 Configuration Examples ..... 28
1.7.1 Example for Configuring RADIUS Authentication, Authorization, and Accounting ..... 28
1.7.2 Example for Configuring HWTACACS Authentication, Authorization, and Accounting ..... 31

2 HTTPS Configuration ..... 35
2.1 HTTPS Overview ..... 36
2.2 HTTPS Features Supported by the AR200-S ..... 36
2.3 Configuring the AR200-S as an HTTPS Server ..... 36
2.4 Configuration Examples ..... 38


2.4.1 Example for Configuring the Router as an HTTPS Server ..... 38

3 Firewall Configuration ..... 42
3.1 Firewall Overview ..... 44
3.2 Firewall Features Supported by the AR200-S ..... 44
3.3 Configuring Zones ..... 50
3.3.1 Establishing the Configuration Task ..... 50
3.3.2 Creating a Zone ..... 51
3.3.3 Adding an Interface to the Zone ..... 51
3.3.4 Creating an Interzone ..... 52
3.3.5 Enabling Firewall in the Interzone ..... 52
3.3.6 Checking the Configuration ..... 53
3.4 Configuring the Packet Filtering Firewall ..... 53
3.4.1 Establishing the Configuration Task ..... 53
3.4.2 Configuring ACL-based Packet Filtering in an Interzone ..... 54
3.4.3 Checking the Configuration ..... 55
3.5 Configuring the Blacklist ..... 55
3.5.1 Establishing the Configuration Task ..... 55
3.5.2 Enabling the Blacklist Function ..... 56
3.5.3 Adding IP Addresses to the Blacklist Manually ..... 56
3.5.4 Configuring Blacklist and Whitelist Using the Configuration File ..... 57
3.5.5 Checking the Configuration ..... 58
3.6 Configuring the Whitelist ..... 58
3.6.1 Establishing the Configuration Task ..... 58
3.6.2 Adding Entries to the Whitelist Manually ..... 59
3.6.3 Configuring Blacklist and Whitelist Using the Configuration File ..... 60
3.6.4 Checking the Configuration ..... 61
3.7 Configuring ASPF ..... 61
3.7.1 Establishing the Configuration Task ..... 61
3.7.2 Configuring ASPF Detection ..... 62
3.7.3 Checking the Configuration ..... 62
3.8 Configuring Port Mapping ..... 63
3.8.1 Establishing the Configuration Task ..... 63
3.8.2 Configuring Port Mapping ..... 64
3.8.3 Checking the Configuration ..... 64
3.9 Configuring the Aging Time of the Firewall Session Table ..... 65
3.9.1 Establishing the Configuration Task ..... 65
3.9.2 Configuring the Aging Time of the Firewall Session Table ..... 65
3.9.3 Checking the Configuration ..... 66
3.10 Configuring the Attack Defense Function ..... 67
3.10.1 Establishing the Configuration Task ..... 67
3.10.2 Enabling the Attack Defense Function ..... 67
3.10.3 Setting the Parameters for Flood Attack Defense ..... 70


3.10.4 Configuring Large ICMP Packet Attack Defense ..... 70
3.10.5 Setting Parameters for Scanning Attack Defense ..... 71
3.10.6 Checking the Configuration ..... 72
3.11 Configuring Traffic Statistics and Monitoring ..... 72
3.11.1 Establishing the Configuration Task ..... 73
3.11.2 Enabling Traffic Statistics and Monitoring ..... 74
3.11.3 Setting the Session Thresholds ..... 74
3.11.4 Checking the Configuration ..... 76
3.12 Configuring the Log Function ..... 76
3.12.1 Establishing the Configuration Task ..... 77
3.12.2 Enabling the Log Function on the Firewall ..... 77
3.12.3 Setting the Log Parameters ..... 78
3.12.4 Checking the Configuration ..... 79
3.13 Maintaining the Firewall ..... 79
3.13.1 Displaying the Firewall Configuration ..... 79
3.13.2 Clearing the Firewall Statistics ..... 80
3.14 Configuration Examples ..... 81
3.14.1 Example for Configuring the ACL-based Packet Filtering Firewall ..... 81
3.14.2 Example for Configuring ASPF and Port Mapping ..... 83
3.14.3 Example for Configuring the Blacklist ..... 86

4 Traffic Suppression Configuration ..... 90
4.1 Traffic Suppression Overview ..... 91
4.2 Traffic Suppression Features Supported by the AR200-S ..... 91
4.3 Configuring Traffic Suppression ..... 91
4.3.1 Establishing the Configuration Task ..... 91
4.3.2 Configuring Traffic Suppression on an Interface ..... 92
4.3.3 Checking the Configuration ..... 92
4.4 Configuration Examples ..... 93
4.4.1 Example for Setting the CIR Value for Traffic Suppression ..... 93

5 NAC Configuration ..... 95
5.1 NAC Overview ..... 96
5.2 NAC Features Supported by the AR200-S ..... 96
5.3 Configuring 802.1x Authentication ..... 97
5.3.1 Establishing the Configuration Task ..... 97
5.3.2 Enabling Global 802.1x Authentication ..... 98
5.3.3 Enabling 802.1x Authentication on an Interface ..... 98
5.3.4 (Optional) Setting the 802.1x Authentication Mode ..... 99
5.3.5 (Optional) Setting the Access Method on an Interface ..... 100
5.3.6 (Optional) Configuring the Authorization Status of an Interface ..... 101
5.3.7 (Optional) Setting the Maximum Number of Concurrent Access Users on an Interface ..... 102
5.3.8 (Optional) Enabling 802.1x Authentication Triggered by DHCP Messages ..... 103
5.3.9 (Optional) Setting Values of Timers Used in 802.1x Authentication ..... 103


5.3.10 (Optional) Configuring the Quiet Timer Function ..... 104
5.3.11 (Optional) Configuring 802.1x Re-authentication ..... 104
5.3.12 (Optional) Configuring a Guest VLAN for 802.1x Authentication ..... 106
5.3.13 (Optional) Configuring a Restrict VLAN for 802.1x Authentication ..... 107
5.3.14 (Optional) Enabling the Handshake Function ..... 108
5.3.15 (Optional) Setting the Maximum Number of Times the AR200-S Sends Authentication Requests ..... 108
5.3.16 Checking the Configuration ..... 109
5.4 Maintaining NAC ..... 109
5.4.1 Clearing the Statistics on 802.1x Authentication ..... 109
5.4.2 Clearing the Statistics on MAC Address Authentication ..... 110
5.5 Configuration Examples ..... 110
5.5.1 Example for Configuring 802.1x Authentication ..... 110

6 ARP Security Configuration ..... 114
6.1 ARP Security Overview ..... 115
6.2 ARP Security Supported by the AR200-S ..... 115
6.3 Configuring ARP Entry Limiting ..... 117
6.3.1 Establishing the Configuration Task ..... 117
6.3.2 Enabling Strict ARP Learning ..... 118
6.3.3 Configuring Interface-based ARP Entry Limiting ..... 118
6.3.4 Checking the Configuration ..... 119
6.4 Configuring ARP Anti-attack ..... 120
6.4.1 Establishing the Configuration Task ..... 120
6.4.2 Configuring ARP Anti-spoofing ..... 121
6.4.3 Configuring the AR200-S to Check Source MAC Address Consistency in ARP Packets ..... 121
6.4.4 Configuring ARP Gateway Anti-collision ..... 122
6.4.5 Configuring the AR200-S to Send Gratuitous ARP Packets ..... 122
6.4.6 Checking the Configuration ..... 124
6.5 Configuring ARP Suppression ..... 125
6.5.1 Establishing the Configuration Task ..... 125
6.5.2 Configuring Source IP Address-based ARP Packet Suppression ..... 126
6.5.3 Configuring Rate Limit of ARP Packets ..... 127
6.5.4 Configuring Source IP Address-based ARP Miss Packet Suppression ..... 128
6.5.5 Configuring Rate Limiting of ARP Miss Packets ..... 129
6.5.6 Configuring Source MAC Address-based ARP Packet Suppression ..... 129
6.5.7 Setting the Aging Time of Fake ARP Entries ..... 130
6.5.8 (Optional) Setting the Rate Limit of Broadcasting ARP Packets on the VLANIF Interface of a Super-VLAN ..... 131
6.5.9 Checking the Configuration ..... 131
6.6 Maintaining ARP Security ..... 132
6.6.1 Displaying the Statistics on ARP Packets ..... 132
6.6.2 Clearing the Statistics on ARP Packets ..... 132
6.6.3 Clearing the Statistics on Discarded ARP Packets ..... 133


6.7 Configuration Examples ..... 133
6.7.1 Example for Configuring ARP Security Functions ..... 133

7 ICMP Security Configuration ..... 139
7.1 ICMP Security Overview ..... 140
7.2 ICMP Security Features Supported by the AR200-S ..... 140
7.3 Limiting the Rate of ICMP Packets ..... 140
7.4 Configuring the AR200-S to Discard Specified ICMP Packets ..... 142
7.4.1 Establishing the Configuration Task ..... 142
7.4.2 Configuring the AR200-S to Discard the ICMP Packets with TTL Value of 1 ..... 142
7.4.3 Configuring the AR200-S to Discard the ICMP Packets with Options ..... 143
7.4.4 Configuring the AR200-S to Discard ICMP Destination-Unreachable Packets ..... 143
7.4.5 Checking the Configuration ..... 144
7.5 Disabling the AR200-S from Sending Destination-Unreachable Packets ..... 144
7.6 Maintaining ICMP Security ..... 145
7.7 Configuration Examples ..... 146
7.7.1 Example for Disabling the AR200-S from Sending Host-Unreachable Packets ..... 146
7.7.2 Example for Optimizing System Performance by Discarding Certain ICMP Packets ..... 148

8 IP Address Anti-spoofing Configuration ..... 151
8.1 IP Address Anti-spoofing Overview ..... 152
8.2 IP Source Address-based Attack Defense Features Supported by the AR200-S ..... 152
8.3 Configuring URPF ..... 153
8.4 Configuration Examples ..... 154
8.4.1 Example for Configuring URPF ..... 154

9 Local Attack Defense Configuration ..... 157
9.1 Local Attack Defense Overview ..... 158
9.2 Local Attack Defense Features Supported by the AR200-S ..... 158
9.3 Configuring Attack Source Tracing ..... 159
9.4 Configuring CPU Attack Defense ..... 161
9.4.1 Establishing the Configuration Task ..... 161
9.4.2 Creating an Attack Defense Policy ..... 162
9.4.3 (Optional) Configuring a Blacklist ..... 163
9.4.4 (Optional) Configuring the Rate Limit for Packets Sent to the CPU ..... 163
9.4.5 (Optional) Setting the Priority of Protocol Packets ..... 164
9.4.6 (Optional) Configuring the Rate Limit for All Packets Sent to the CPU ..... 164
9.4.7 (Optional) Configuring the Rate Limit for Packets After ALP Is Enabled ..... 165
9.4.8 Applying the Attack Defense Policy ..... 165
9.4.9 Checking the Configuration ..... 166

9.5 Maintaining the Attack Defense Policy..........................................................................................................1669.5.1 Clearing Statistics on Packets Sent to the CPU.....................................................................................1679.5.2 Clearing Attack Source Information......................................................................................................167

9.6 Configuration Examples.................................................................................................................................167


9.6.1 Example for Configuring an Attack Defense Policy ..... 167

10 ACL Configuration ..... 173
10.1 ACL Overview ..... 174
10.2 ACL Features Supported by the AR200-S ..... 174
10.3 Configuring a Basic ACL ..... 177
10.3.1 Establishing the Configuration Task ..... 177
10.3.2 (Optional) Creating a Time Range for a Basic ACL ..... 178
10.3.3 Creating a Basic ACL ..... 178
10.3.4 Configuring a Basic ACL Rule ..... 180
10.3.5 Applying a Basic ACL ..... 181
10.3.6 Checking the Configuration ..... 183
10.4 Configuring an Advanced ACL ..... 183
10.4.1 Establishing the Configuration Task ..... 184
10.4.2 (Optional) Creating a Time Range for an Advanced ACL ..... 185
10.4.3 Creating an Advanced ACL ..... 186
10.4.4 Configuring an Advanced ACL Rule ..... 187
10.4.5 Applying an Advanced ACL ..... 189
10.4.6 Checking the Configuration ..... 190
10.5 Configuring a Layer 2 ACL ..... 191
10.5.1 Establishing the Configuration Task ..... 191
10.5.2 (Optional) Creating a Time Range for a Layer 2 ACL ..... 192
10.5.3 Creating a Layer 2 ACL ..... 193
10.5.4 Configuring a Layer 2 ACL Rule ..... 194
10.5.5 Applying a Layer 2 ACL ..... 195
10.5.6 Checking the Configuration ..... 196
10.6 Configuration Examples ..... 197
10.6.1 Example for Configuring a Basic ACL to Limit Access to the FTP Server ..... 197
10.6.2 Example for Using Advanced ACLs to Configure the Firewall Function ..... 199
10.6.3 Example for Using a Layer 2 ACL to Configure Traffic Classification ..... 203

11 SSL Configuration ..... 206
11.1 SSL Overview ..... 207
11.2 SSL Features Supported by the AR200-S ..... 209
11.3 Configuring a Server SSL Policy ..... 209
11.4 Configuring a Client SSL Policy ..... 211
11.5 Configuration Examples ..... 213
11.5.1 Example for Configuring a Server SSL Policy ..... 213
11.5.2 Example for Configuring a Client SSL Policy ..... 216

12 PKI Configuration ..... 222
12.1 PKI Overview ..... 223
12.2 PKI Features Supported by the AR200-S ..... 224
12.3 Configuring a PKI Entity ..... 226


12.3.1 Establishing the Configuration Task ..... 226
12.3.2 Configuring a PKI Entity Identifier ..... 227
12.3.3 (Optional) Configuring PKI Entity Attributes ..... 227
12.3.4 Checking the Configuration ..... 228
12.4 Configuring a PKI Domain ..... 229
12.4.1 Establishing the Configuration Task ..... 229
12.4.2 Creating a PKI Domain ..... 229
12.4.3 Configuring a PKI Entity Name ..... 230
12.4.4 Configuring the Trusted CA Name and Enrollment URL ..... 230
12.4.5 (Optional) Configuring CA Certificate Fingerprint ..... 231
12.4.6 (Optional) Configuring a Certificate Revocation Password ..... 232
12.4.7 (Optional) Configuring the RSA Key Length of Certificates ..... 232
12.4.8 (Optional) Configuring a Source IP Address for TCP Connection Setup ..... 233
12.4.9 Checking the Configuration ..... 233
12.5 Configuring Certificate Enrollment ..... 234
12.5.1 Establishing the Configuration Task ..... 234
12.5.2 Configuring Manual Certificate Enrollment ..... 234
12.5.3 Configuring Automatic Certificate Enrollment and Update ..... 235
12.5.4 Creating a Self-signed Certificate or Local Certificate ..... 236
12.5.5 Checking the Configuration ..... 236
12.6 Configuring Certificate Authentication ..... 236
12.6.1 Establishing the Configuration Task ..... 236
12.6.2 Configuring the Certificate Check Mode ..... 237
12.6.3 Checking Certificate Validity ..... 238
12.6.4 Checking the Configuration ..... 239
12.7 Managing Certificates ..... 239
12.7.1 Deleting a Certificate ..... 239
12.7.2 Importing a Certificate ..... 239
12.7.3 Exporting a Certificate ..... 240
12.7.4 Configuring the Default Path Where Certificates Are Stored ..... 240
12.8 Configuration Examples ..... 240
12.8.1 Example for Configuring Manual Certificate Enrollment ..... 240
12.8.2 Example for Configuring PKI in IPSec ..... 243

13 Keychain Configuration ..... 252
13.1 Introduction to Keychain ..... 253
13.2 Keychain Features Supported by the AR200-S ..... 253
13.3 Configuring Basic Keychain Functions ..... 254
13.3.1 Establishing the Configuration Task ..... 254
13.3.2 Creating a Keychain ..... 255
13.3.3 Configuring Receive Tolerance of a Keychain ..... 255
13.3.4 Configuring a key-id in a Keychain ..... 256
13.3.5 Configuring key-string of a key-id ..... 256


13.3.6 Configuring Authentication Algorithm of a key-id ..... 257
13.3.7 Configuring a key-id as the Default send-key-id ..... 257
13.3.8 Configuring send-time of a key-id ..... 258
13.3.9 Configuring receive-time of a key-id ..... 260
13.3.10 Checking the Configuration ..... 262
13.4 Configuring TCP Authentication Parameters ..... 263
13.4.1 Establishing the Configuration Task ..... 263
13.4.2 Configuring TCP Kind of a Keychain ..... 264
13.4.3 Configuring TCP Algorithm-id in a Keychain ..... 264
13.4.4 Checking the Configuration ..... 264
13.5 Configuration Examples ..... 266
13.5.1 Example for Configuring Keychain Authentication for Non-TCP Application ..... 266

14 Configuration of Attack Defense and Application Layer Association ..... 269
14.1 Overview of Attack Defense and Application Layer Association ..... 270
14.1.1 Overview of Attack Defense and Application Layer Association ..... 270
14.1.2 Attack Defense and Application Layer Association Supported by AR200-S ..... 271
14.2 Configuring Abnormal Packet Attack Defense ..... 272
14.2.1 Establishing the Configuration Task ..... 272
14.2.2 Enabling Defense Against Abnormal Packet Attacks ..... 273
14.2.3 Checking the Configuration ..... 273
14.3 Configuring Fragmented Packet Attack Defense ..... 274
14.3.1 Establishing the Configuration Task ..... 274
14.3.2 Configuring Defense Against Packet Fragment Attacks ..... 274
14.3.3 Checking the Configuration ..... 275
14.4 Configuring Flood Attack Defense ..... 275
14.4.1 Establishing the Configuration Task ..... 276
14.4.2 Configuring Defense Against SYN Flood Attacks ..... 276
14.4.3 Configuring Defense Against UDP Flood Attacks ..... 277
14.4.4 Configuring Defense Against ICMP Flood Attacks ..... 277
14.4.5 Checking the Configuration ..... 278
14.5 Configuring Application Layer Association ..... 278
14.5.1 Establishing the Configuration Task ..... 278
14.5.2 Configuring Application Layer Association ..... 279
14.6 Maintaining Attack Defense and Application Layer Association ..... 280
14.6.1 Clearing Statistics of Attack Defense and Application Layer Association ..... 280
14.7 Configuration Example ..... 280
14.7.1 Example of Configuring Attack Defense ..... 280


1 AAA Configuration

About This Chapter

The AAA-capable AR200-S checks validity of users and delivers rights to authorized users to ensure network security.

1.1 AAA Overview
Authentication, Authorization, and Accounting (AAA) is a security technology.

1.2 AAA Features Supported by the AR200-S
The AR200-S supports RADIUS and HWTACACS authentication, authorization, and accounting (AAA), and also local authentication and authorization.

1.3 Configuring Local Authentication and Authorization
After local authentication and authorization are configured, the AR200-S authenticates and authorizes access users based on user information.

1.4 Configuring RADIUS AAA
RADIUS is often used to implement authentication, authorization, and accounting (AAA). RADIUS uses the client/server model and protects a network from unauthorized access. It is often used in network environments that require high security and control of remote user access.

1.5 Configuring HWTACACS AAA
Similar to RADIUS, HWTACACS uses the client/server model to communicate with the HWTACACS server, implementing authentication, authorization, and accounting (AAA) for access users. Compared with RADIUS, HWTACACS is more reliable in transmission and encryption and is therefore more suitable for security control.

1.6 Maintaining AAA
Clearing the statistics.

1.7 Configuration Examples
This section provides several AAA configuration examples. The configuration examples explain networking requirements, configuration notes, and configuration roadmap.


1.1 AAA Overview
Authentication, Authorization, and Accounting (AAA) is a security technology.

Security Functions Provided by AAA
AAA provides the following security functions:
- Authentication: checks whether a user is allowed to access a network.
- Authorization: authorizes a user to use specific services.
- Accounting: records all the operations performed by a user and the service type, start time, and data traffic.

A user can use one or more security services. For example, if a company only needs to authenticate employees that access certain network resources, only an authentication server is needed. If the company also needs to record operations performed by employees, an additional accounting server is needed.

AAA Architecture
AAA uses the client/server model, as shown in Figure 1-1. This model features good extensibility and is convenient for centralized management of user information.

[Figure 1-1 AAA architecture: Access user, Router, Server]

The Router authenticates a user that wants to access the network through the Router. The Router delivers authentication, authorization, and accounting information to an AAA server (a RADIUS server or an HWTACACS server).

1.2 AAA Features Supported by the AR200-S
The AR200-S supports RADIUS and HWTACACS authentication, authorization, and accounting (AAA), and also local authentication and authorization.

RADIUS Authentication, Authorization, and Accounting
RADIUS uses the client/server model and protects a network from unauthorized access. It is often used on networks that require high security and control of remote user access.

RADIUS messages are encapsulated in User Datagram Protocol (UDP) packets. RADIUS ensures reliability of information exchanged between the RADIUS server and client by using the timer, retransmission mechanism, and secondary server. RADIUS integrates authentication and authorization: RADIUS authentication response packets carry authorization information.


NOTE

In RADIUS authentication for an administrator, the AR200-S checks whether the access type of the administrator is the same as that specified in the Access-Accept packet sent from the RADIUS server. If not, the administrator fails to be authenticated.

Figure 1-2 shows packets exchanged between a user, the AR200-S, and the RADIUS server.

[Figure 1-2 RADIUS authentication, authorization, and accounting: Access user, Router, RADIUS server. Message labels: User enters user name and password; Authentication request packet; Access-Accept/Reject packet; Accounting request packet; Accounting response packet; User accesses network resources; User exits; Accounting-stop request packet; Accounting-stop response packet]

1. A user sends a request packet containing the user name and password to the AR200-S.
2. The AR200-S sends an authentication request packet containing the user name and password to the RADIUS server.
3. The RADIUS server authenticates the user name and password. If authentication succeeds, the RADIUS server sends a RADIUS Access-Accept packet to the AR200-S. If authentication fails, the RADIUS server sends a RADIUS Access-Reject packet to the AR200-S. The RADIUS Access-Accept packet contains authorization information.
4. The AR200-S permits or rejects the user according to the authentication result. If the user is permitted, the AR200-S sends an Accounting-Start packet to the RADIUS server.
5. The RADIUS server sends a response packet to the AR200-S and starts accounting.
6. The user starts to access network resources.
7. The user requests to disconnect from the network. The AR200-S sends an Accounting-Stop packet to the RADIUS server.
8. The RADIUS server sends a response packet to the AR200-S and stops accounting.
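The eight steps above as an added worked example in Python. This is not code from the guide or from Huawei; it follows RFC 2865 and RFC 2866, and the user name, password and shared secret in it are constructed values. Both ends of the exchange are in one file: the router hides the password under the shared secret, the server recovers and checks it, and the router refuses any reply whose Response Authenticator does not verify, which is the check that stops a forged Access-Accept on the UDP path.

```python
"""Added example, not from the guide: in-process model of Figure 1-2 (RFC 2865 /
RFC 2866).  The router side builds Access-Request and Accounting-Request packets,
the server side answers, and the router verifies each Response Authenticator.
User names, passwords and the shared secret are constructed values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 codes
ACCT_REQUEST, ACCT_RESPONSE = 4, 5                       # RFC 2866 codes
USER_NAME, USER_PASSWORD, ACCT_STATUS_TYPE = 1, 2, 40    # attribute types
ACCT_START, ACCT_STOP = 1, 2                             # Acct-Status-Type values
SECRET = b"constructed-shared-secret"                    # constructed value
USER_DB = {b"alice": b"s3cret-pw"}                       # constructed server-side table

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", req_auth                            # block 1 keys off the Request Authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)   # TLV; Length includes header

def decode_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        t, l = struct.unpack("!BB", data[i:i + 2])
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        attrs[t], i = data[i + 2:i + l], i + l
    return attrs

def authenticator(code, ident, body, auth_in, secret):
    """MD5(Code + ID + Length + auth_in + Attributes + Secret): a Response Authenticator when
    auth_in is the Request Authenticator (RFC 2865 3), an Accounting-Request authenticator when
    auth_in is 16 zero octets (RFC 2866 3)."""
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(head + auth_in + body + secret).digest()

def build_packet(code, ident, auth, body):
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def client_access_request(ident, user, password, secret):
    req_auth = os.urandom(16)                            # fresh and unpredictable per request
    body = encode_attrs([(USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, req_auth))])
    return build_packet(ACCESS_REQUEST, ident, req_auth, body), req_auth

def client_acct_request(ident, user, status, secret):
    body = encode_attrs([(USER_NAME, user), (ACCT_STATUS_TYPE, struct.pack("!I", status))])
    auth = authenticator(ACCT_REQUEST, ident, body, b"\0" * 16, secret)
    return build_packet(ACCT_REQUEST, ident, auth, body), auth

def server_handle(pkt, secret):
    """Steps 3, 5 and 8: answer an Access-Request or an Accounting-Request."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    auth, body = pkt[4:20], pkt[20:length]
    attrs = decode_attrs(body)
    if code == ACCESS_REQUEST:
        given = reveal_password(attrs.get(USER_PASSWORD, b""), secret, auth)
        user = attrs.get(USER_NAME, b"")
        ok = user in USER_DB and hmac.compare_digest(USER_DB[user], given)
        reply = ACCESS_ACCEPT if ok else ACCESS_REJECT   # a real Accept also carries authorization attributes
    elif code == ACCT_REQUEST:
        if not hmac.compare_digest(authenticator(code, ident, body, b"\0" * 16, secret), auth):
            return None                                  # wrong secret or tampered: RFC 2866 says silently discard
        reply = ACCT_RESPONSE
    else:
        return None
    return build_packet(reply, ident, authenticator(reply, ident, b"", auth, secret), b"")

def client_verify(resp, req_auth, secret):
    """Accept a reply only if its Response Authenticator verifies; a forged Access-Accept fails here."""
    if resp is None:
        return None
    code, ident, length = struct.unpack("!BBH", resp[:4])
    expected = authenticator(code, ident, resp[20:length], req_auth, secret)
    return code if hmac.compare_digest(expected, resp[4:20]) else None

def aaa_session(user, password, secret=SECRET, server_secret=SECRET):
    """Steps 1 to 8 of Figure 1-2; returns the verified reply codes in order."""
    req, auth = client_access_request(1, user, password, secret)
    codes = [client_verify(server_handle(req, server_secret), auth, secret)]
    if codes[0] != ACCESS_ACCEPT:
        return codes
    for ident, status in ((2, ACCT_START), (3, ACCT_STOP)):
        req, auth = client_acct_request(ident, user, status, secret)
        codes.append(client_verify(server_handle(req, server_secret), auth, secret))
    return codes
```

aaa_session(b"alice", b"s3cret-pw") returns [ACCESS_ACCEPT, ACCT_RESPONSE, ACCT_RESPONSE]; with a wrong password it stops after [ACCESS_REJECT]; and when the two ends disagree on the secret the verified code is None, which the router must treat as no reply at all rather than as a decision.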


HWTACACS Authentication, Authorization, and Accounting
HWTACACS is an extension of TACACS. Similar to RADIUS, HWTACACS uses the client/server model to communicate with the HWTACACS server, implementing AAA for access users. Compared with RADIUS, HWTACACS is more reliable in transmission and encryption, and is more suitable for security control.

Figure 1-3 shows messages exchanged between a Telnet user, the AR200-S, and the HWTACACS server.

[Figure 1-3 HWTACACS authentication, authorization, and accounting: Access user, Router, HWTACACS server. Message labels: User logs in; Authentication request packet; Authentication response packet; Request the user name; Enter the user name; Authentication request packet; Request the password; Enter the password; Authentication request packet; Authentication response packet; Authorization request packet; Authorization response packet; Accounting request packet; User accesses network resources; User exits; Accounting-stop packet; Accounting-stop response packet]


1. A Telnet user sends a request packet to the AR200-S.
2. The AR200-S sends an authentication request packet to the HWTACACS server after receiving the request packet.
3. The HWTACACS server sends an authentication response packet to request the user name.
4. The AR200-S sends a packet to request the user name after receiving the authentication response packet.
5. The user enters the user name.
6. The AR200-S sends an authentication packet containing the user name to the HWTACACS server.
7. The HWTACACS server sends an authentication response packet to request the password.
8. The AR200-S sends a packet to request the password after receiving the authentication response packet.
9. The user enters the password.
10. The AR200-S sends an authentication packet containing the password to the HWTACACS server.
11. The HWTACACS server sends an authentication response packet, indicating that the user has been authenticated.
12. The AR200-S sends an authorization request packet to the HWTACACS server.
13. The HWTACACS server sends an authorization response packet, indicating that the user is authorized.
14. The AR200-S receives the authorization response packet.
15. The AR200-S sends an Accounting-Start packet to the HWTACACS server.
16. The HWTACACS server sends an accounting response packet and starts accounting.
17. The user starts to access network resources.
18. The user requests to disconnect from the network. The AR200-S sends an Accounting-Stop packet to the HWTACACS server.
19. The HWTACACS server sends an Accounting-Stop response packet and stops accounting.
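The interactive login of steps 1 to 11 as an added Python example, not code from the guide or from Huawei. HWTACACS's own wire format is not documented on this page, so the header layout and body obfuscation are taken from the published TACACS+ protocol (RFC 8907), of which HWTACACS is an extension, and used as a stand-in; the shared key, user name and password are constructed. It shows the two things the figure and the comparison with RADIUS describe: the user name and password are collected in separate round trips (GETUSER, GETPASS, then PASS or FAIL), and the whole packet body, not only the password, is hidden under the shared key, so a capture of the session carries neither the user name nor the password in clear.

```python
"""Added example, not from the guide: the login of Figure 1-3 modelled in one
process.  Packet layout and obfuscation follow TACACS+ (RFC 8907) as a stand-in
for HWTACACS, whose own format is not given here.  Key, user name and password
are constructed values."""
import hashlib
import hmac
import struct

VERSION, TYPE_AUTHEN = 0xC0, 1                     # TACACS+ v12.0, authentication packet type
STATUS_PASS, STATUS_FAIL, STATUS_GETUSER, STATUS_GETPASS = 1, 2, 4, 5
KEY = b"constructed-tacacs-key"                     # constructed shared key
USER_DB = {b"bob": b"b0b-pw"}                       # constructed server-side table

def pseudo_pad(session_id, key, seq_no, length):
    """RFC 8907 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated to the body length."""
    head = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(head + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, seq_no):
    """XOR the body with the pseudo pad; applying it twice restores the body."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))

def pack(session_id, seq_no, body, key):
    """12-byte cleartext header (version, type, seq_no, flags, session_id, length) + hidden body."""
    hdr = struct.pack("!BBBBII", VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, seq_no)

def unpack(pkt, key):
    version, ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", pkt[:12])
    if version != VERSION or ptype != TYPE_AUTHEN or len(pkt) != 12 + length:
        raise ValueError("bad TACACS+ header")
    return session_id, seq_no, obfuscate(pkt[12:], session_id, key, seq_no)

def start_body(user=b"", port=b"tty0", rem_addr=b"", data=b""):
    """START body: action=LOGIN(1), priv_lvl=0, authen_type=ASCII(1), service=LOGIN(1), then lengths."""
    return (struct.pack("!8B", 1, 0, 1, 1, len(user), len(port), len(rem_addr), len(data))
            + user + port + rem_addr + data)

def reply_body(status, server_msg=b""):
    """REPLY body: status, flags, server_msg_len, data_len, server_msg."""
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg

def continue_body(user_msg):
    """CONTINUE body: user_msg_len, data_len, flags, user_msg."""
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg

def server_handle(session, pkt, key):
    """Server side of one session: START -> GETUSER, user name -> GETPASS, password -> PASS/FAIL.
    `session` is the server's memory for this session_id."""
    session_id, seq_no, body = unpack(pkt, key)
    if seq_no == 1:                                   # START (client packets carry odd seq numbers)
        user = body[8:8 + body[4]]                    # user field may be empty for an ASCII login
        status = STATUS_GETPASS if user else STATUS_GETUSER
        if user:
            session["user"] = user
    else:                                             # CONTINUE
        user_msg = body[5:5 + struct.unpack("!H", body[:2])[0]]
        if "user" not in session:
            session["user"] = user_msg
            status = STATUS_GETPASS
        else:
            expected = USER_DB.get(session["user"])
            status = (STATUS_PASS if expected is not None and hmac.compare_digest(expected, user_msg)
                      else STATUS_FAIL)
    return pack(session_id, seq_no + 1, reply_body(status), key)

def client_login(user, password, key=KEY):
    """Steps 1 to 11 from the router's side.  Returns (final status, statuses seen, packets as
    sent on the wire) so a caller can check what a capture of the session would contain."""
    session, session_id, wire, seen = {}, 0x1234ABCD, [], []   # constructed session id
    answers = {STATUS_GETUSER: user, STATUS_GETPASS: password}
    pkt = pack(session_id, 1, start_body(), key)
    for _ in range(4):                                # START + at most three CONTINUE rounds
        wire.append(pkt)
        reply = server_handle(session, pkt, key)
        wire.append(reply)
        _, seq_no, body = unpack(reply, key)
        seen.append(body[0])
        if body[0] not in answers:                    # PASS, FAIL or something unexpected
            return body[0], seen, wire
        pkt = pack(session_id, seq_no + 1, continue_body(answers[body[0]]), key)
    return STATUS_FAIL, seen, wire
```

client_login(b"bob", b"b0b-pw") ends in STATUS_PASS after the server has asked GETUSER and GETPASS in turn, and none of the packets it returns contains the user name or the password in clear; the 12-byte header (session id, sequence number, length) is the only cleartext, which is the contrast with RADIUS, where only the User-Password attribute is hidden. Authorization and accounting (steps 12 to 19) use the same header and obfuscation with packet types 2 and 3 and are not modelled here.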

Local Authentication and Authorization

In local authentication and authorization, the user information, including the local user name, password, and attributes, is configured on the AR200-S. Local authentication and authorization feature fast processing and low operation cost, whereas the amount of information that can be stored is limited by the hardware capacity of the device.

Local authentication and authorization are often used for administrators. Local authentication is a backup of RADIUS authentication and HWTACACS authentication. Local authorization is a backup of HWTACACS authorization.

1.3 Configuring Local Authentication and Authorization
After local authentication and authorization are configured, the AR200-S authenticates and authorizes access users based on user information.


1.3.1 Establishing the Configuration Task
Before configuring local authentication and authorization, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

If users need to be authenticated or authorized but no RADIUS server or HWTACACS server is deployed on the network, use local authentication or authorization. Local authentication and authorization feature fast processing and low operation cost, whereas the amount of information that can be stored is limited by the hardware capacity of the device.

Local authentication and authorization are often used for administrators. Local authentication is a backup of RADIUS authentication and HWTACACS authentication; local authorization is a backup of HWTACACS authorization.

Pre-configuration Tasks

Before configuring local authentication and authorization, complete the following task:

- Configuring physical attributes for interfaces to ensure that the physical layer status of the interfaces is Up

Data Preparation

To configure local authentication and authorization, you need the following data.

No. Data

1 User name and password

2 (Optional) Local user level

3 (Optional) Access type of the local user

4 (Optional) Name of the FTP directory that the local user can access

5 (Optional) Local user status

6 (Optional) Maximum number of local users

7 Name of an authentication scheme

8 Name of an authorization scheme

9 Name of a domain

1.3.2 Configuring a Local User

To configure local authentication and authorization, configure the authentication and authorization information on the AR200-S, including the user name, password, and user level.


Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

aaa

The AAA view is displayed.

Step 3 Run:

local-user user-name password { simple password | cipher password }

A local user is created and the password is configured.

NOTE

If the user name contains a domain name delimiter such as @, |, and %, the character string before the domain name delimiter is the user name and the character string after the domain name delimiter is the domain name. If the user name does not contain a domain name delimiter, the entire character string is the user name and the domain name is default.

Step 4 (Optional) Run:

local-user user-name privilege level level

The level of the local user is set.

By default, the level of a local user is determined by the management module. If the level of a local user is not set in the user interface view, the user level is 0.

Step 5 (Optional) Run:

local-user user-name idle-timeout minutes [ seconds ]

The idle timeout interval of the local user is set.

Step 6 (Optional) Run:

local-user user-name service-type { 8021x | bind | ftp | http | l2tp | ppp | ssh | telnet | terminal | web | x25-pad } *

The access type of the local user is set.

By default, a local user can use any access type.

Step 7 (Optional) Run:

local-user user-name ftp-directory directory

The FTP directory that the local user can access is configured.

By default, the FTP directory of a local user is empty.

When the AR200-S functions as an FTP server, you must configure the FTP directory that FTP users can access. Otherwise, FTP users cannot access the AR200-S.

Step 8 (Optional) Run:

local-user user-name state { active | block }

The status of the local user is set.

By default, a local user is in active state.

The AR200-S processes requests from users in different states as follows:


• If a local user is in active state, the AR200-S accepts and processes the authentication request from the user.

• If a local user is in blocking state, the AR200-S rejects the authentication request from the user.

Step 9 (Optional) Run:

local-user user-name access-limit max-number

The maximum number of connections established by the local user is set.

By default, the number of connections established by a user is not limited.

----End

1.3.3 Configuring Authentication and Authorization Schemes

To use local authentication and authorization, set the authentication mode in an authentication scheme to local authentication and the authorization mode in an authorization scheme to local authorization.

Context

By default, the AR200-S performs local authentication and authorization for access users.

NOTE

The AR200-S does not support local accounting.

Procedure

• Configuring an authentication scheme

1. Run:

system-view

The system view is displayed.

2. Run:

aaa

The AAA view is displayed.

3. Run:

authentication-scheme authentication-scheme-name

An authentication scheme is created and the authentication scheme view is displayed.

By default, the default authentication scheme is used. The default authentication scheme can be modified, but it cannot be deleted.

4. Run:

authentication-mode local

Local authentication is configured.

5. (Optional) Run:

authentication-super { hwtacacs | super } * [ none ]

The authentication mode used to upgrade user levels is configured.


6. (Optional) Run:

quit

Return to the AAA view.

7. (Optional) Run:

domainname-parse-direction { left-to-right | right-to-left }

The direction in which the user name and domain name are parsed is configured.

• Configuring an authorization scheme

1. Run:

system-view

The system view is displayed.

2. Run:

aaa

The AAA view is displayed.

3. Run:

authorization-scheme authorization-scheme-name

An authorization scheme is created and the authorization scheme view is displayed.

By default, the default authorization scheme is used. The default authorization scheme can be modified, but it cannot be deleted.

4. Run:

authorization-mode local [ none ]

The authorization mode is configured.

----End

1.3.4 Configuring a Domain

The created authentication and authorization schemes take effect only after being applied to a domain.

Context

Before configuring a domain, ensure that the authentication and authorization schemes have been created.

When local authentication and authorization are used, non-accounting is used by default.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

aaa

The AAA view is displayed.


Step 3 Run:

domain domain-name

A domain is created and the domain view is displayed.

The AR200-S has two default domains: default and default_admin. The default domain is used by common access users and the default_admin domain is used by administrators.

Step 4 Run:

authentication-scheme authentication-scheme-name

An authentication scheme is applied to the domain.

By default, the default authentication scheme is applied to a domain.

Step 5 Run:

authorization-scheme authorization-scheme-name

An authorization scheme is applied to the domain.

By default, no authorization scheme is applied to a domain.

Step 6 (Optional) Run:

state { active | block }

The domain status is configured.

When a domain is in blocking state, users in this domain cannot log in. By default, a domain is in active state after being created.

Step 7 Run:

quit

Return to the domain view.

Step 8 (Optional) Run:

domain-name-delimiter delimiter

The domain name delimiter is configured.

The domain name delimiter can be any of the following: \ / : < > | @ ' %.

By default, the domain name delimiter is @.

----End
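Added Python model (not Huawei code) of the splitting rule in the NOTE of 1.3.2, the domainname-parse-direction option in 1.3.3, and the domain-name-delimiter and state settings of this section: a login string is split at the configured delimiter, a string without a delimiter falls into the domain named default, and a blocked domain or blocked local user is turned away before any credential check. The meaning of the two parse directions and the handling of a non-existent domain are assumptions, marked in the code.

```python
from __future__ import annotations

from dataclasses import dataclass

# Delimiters the guide permits for domain-name-delimiter: \ / : < > | @ ' %
ALLOWED_DELIMITERS = frozenset("\\/:<>|@'%")


@dataclass(frozen=True)
class DomainConfig:
    """AAA-view settings that govern how a login string is split."""
    delimiter: str = "@"                     # domain-name-delimiter, default @
    parse_direction: str = "left-to-right"   # domainname-parse-direction

    def __post_init__(self) -> None:
        if self.delimiter not in ALLOWED_DELIMITERS:
            raise ValueError(f"delimiter {self.delimiter!r} is not permitted")
        if self.parse_direction not in ("left-to-right", "right-to-left"):
            raise ValueError("parse direction must be left-to-right or right-to-left")


def split_user_domain(login: str, cfg: DomainConfig) -> tuple[str, str]:
    """Return (user_name, domain_name) for a login string.

    No delimiter in the string: the whole string is the user name and the
    domain is "default", as the NOTE in 1.3.2 states.
    ASSUMPTION: left-to-right reads user<delim>domain and splits at the first
    delimiter from the left; right-to-left reads domain<delim>user and splits
    at the first delimiter from the right.
    """
    if cfg.delimiter not in login:
        return login, "default"
    if cfg.parse_direction == "left-to-right":
        user, _, domain = login.partition(cfg.delimiter)
    else:
        domain, _, user = login.rpartition(cfg.delimiter)
    return user, domain


@dataclass
class Domain:
    state: str = "active"    # domain view: state { active | block }


@dataclass
class LocalUser:
    state: str = "active"    # local-user user-name state { active | block }


# Constructed sample tables standing in for the AR200-S configuration.
SAMPLE_DOMAINS = {
    "default": Domain(),
    "default_admin": Domain(),
    "branch": Domain(state="block"),   # blocked: nobody in it can log in
}
SAMPLE_USERS = {
    "admin1": LocalUser(),
    "contractor": LocalUser(state="block"),
}


def admit(login: str, cfg: DomainConfig,
          domains: dict[str, Domain], users: dict[str, LocalUser]) -> tuple[bool, str]:
    """Apply the state checks the guide describes before any password check.

    Returns (admitted, reason). ASSUMPTION: a login naming a domain that does
    not exist is rejected; the guide does not say how that case is handled.
    """
    user, domain = split_user_domain(login, cfg)
    dom = domains.get(domain)
    if dom is None:
        return False, f"domain {domain!r} does not exist"
    if dom.state == "block":
        return False, f"domain {domain!r} is blocked; its users cannot log in"
    usr = users.get(user)
    if usr is None:
        return False, f"local user {user!r} does not exist"
    if usr.state == "block":
        return False, f"local user {user!r} is blocked; authentication request rejected"
    return True, f"user {user!r} in domain {domain!r} proceeds to authentication"


if __name__ == "__main__":
    cfg = DomainConfig()
    for login in ("admin1", "admin1@default_admin", "contractor@default", "admin1@branch"):
        print(login, "->", admit(login, cfg, SAMPLE_DOMAINS, SAMPLE_USERS))
```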

1.3.5 Checking the Configuration

Prerequisites

The configurations of local authentication and authorization are complete.

Procedure

• Run the display aaa configuration command to check the AAA summary.

• Run the display authentication-scheme [ authentication-scheme-name ] command to check the authentication scheme configuration.


• Run the display authorization-scheme [ authorization-scheme-name ] command to check the authorization scheme configuration.

• Run the display access-user [ domain domain-name | interface interface-type interface-number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-address [ vpn-instance instance-name ] | mac-address mac-address | slot slot-id | ssid ssid-name | user-id user-number ] command to check the summary of all online users.

• Run the display domain [ name domain-name ] command to check the domain configuration.

----End

1.4 Configuring RADIUS AAA

RADIUS is often used to implement authentication, authorization, and accounting (AAA). RADIUS uses the client/server model and protects a network from unauthorized access. It is often used in network environments that require high security and control of remote user access.

1.4.1 Establishing the Configuration Task

Before configuring RADIUS authentication, authorization, and accounting, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

To prevent unauthorized users from attacking a network, configure AAA:

• Authentication: checks whether a user is allowed to access a network. Only authenticated users can access the network.

• Authorization: authorizes a user to use specific services.

• Accounting: records all the operations performed by a user and the service type, start time, and data traffic.

RADIUS protects a network from unauthorized access. It is often used on networks that require high security and control of remote user access.

Pre-configuration Tasks

Before configuring RADIUS authentication, authorization, and accounting, complete the following task:

• Configuring physical attributes for interfaces to ensure that the physical layer status of the interfaces is Up

Data Preparation

To configure RADIUS authentication, authorization, and accounting, you need the following data.


No. Data

1 Name of an authentication scheme

2 Name of an accounting scheme

3 Name of a RADIUS server template

4 IP addresses and port numbers of the primary RADIUS authentication servers

5 IP addresses and port numbers of the primary RADIUS accounting servers

6 (Optional) IP address of the RADIUS authorization server

7 (Optional) IP addresses and port numbers of the secondary RADIUS authentication servers

8 (Optional) IP addresses and port numbers of the secondary RADIUS accounting servers

9 (Optional) Shared key in RADIUS packets

10 (Optional) Number of times RADIUS request packets are retransmitted and timeout interval

1.4.2 Configuring AAA Schemes

To use RADIUS AAA, set the authentication mode in an authentication scheme to RADIUS and the accounting mode in an accounting scheme to RADIUS.

Context

If RADIUS authentication is configured, you can also configure local authentication or non-authentication as a backup. This allows local authentication or non-authentication to be implemented if RADIUS authentication fails. If RADIUS accounting is configured, you can also configure non-accounting as a backup.

Procedure

• Configuring an authentication scheme

1. Run:

system-view

The system view is displayed.

2. Run:

aaa

The AAA view is displayed.

3. Run:

authentication-scheme authentication-scheme-name

An authentication scheme is created and the authentication scheme view is displayed.


By default, the default authentication scheme is used. The default authentication scheme can be modified, but it cannot be deleted.

4. Run:

authentication-mode radius [ none ]

RADIUS authentication is configured.

By default, local authentication is used.

To use local authentication as the backup authentication method, run the authentication-mode radius local command to configure local authentication.

NOTE

If multiple authentication modes are configured in an authentication scheme, authentication modes are used according to the sequence in which they were configured. The AR200-S uses the authentication mode that was configured later only after the current authentication mode fails. The AR200-S stops the authentication if the user fails to pass the authentication.

5. (Optional) Run:

authentication-super { hwtacacs | super } * [ none ]

The authentication mode used to upgrade user levels is configured.

6. (Optional) Run:

quit

Return to the AAA view.

7. (Optional) Run:

domainname-parse-direction { left-to-right | right-to-left }

The direction in which the user name and domain name are parsed is configured.

• Configuring an accounting scheme

1. Run:

system-view

The system view is displayed.

2. Run:

aaa

The AAA view is displayed.

3. Run:

accounting-scheme accounting-scheme-name

An accounting scheme is created and the accounting scheme view is displayed.

By default, the default accounting scheme is used. The default accounting scheme can be modified, but it cannot be deleted.

4. Run:

accounting-mode radius

The accounting mode is set.

By default, non-accounting is used.


NOTE

If multiple accounting modes are configured in an accounting scheme, accounting modes are used according to the sequence in which they were configured. The AR200-S uses the accounting mode that was configured later only after the current accounting mode fails.

5. (Optional) Run:

accounting start-fail { online | offline }

The policy for accounting-start failures is configured.

By default, users cannot go online if accounting-start fails.

6. (Optional) Run:

accounting realtime interval

Real-time accounting is enabled and the interval for real-time accounting is set.

By default, real-time accounting is disabled.

7. (Optional) Run:

accounting interim-fail [ max-times times ] { online | offline }

The maximum number of real-time accounting failures is set and a policy used after a real-time accounting failure is configured.

After real-time accounting is enabled, the maximum number of real-time accounting failures is 3 and the AR200-S keeps paid users online after a real-time accounting failure by default.

----End

1.4.3 Configuring a RADIUS Server Template

In a RADIUS server template, you must specify the IP address, port number, and shared key of a specified RADIUS server. Other settings such as the RADIUS user name format, traffic unit, and number of times RADIUS request packets are retransmitted have default values and can be changed according to network requirements.

Context

The settings of a RADIUS server template such as the RADIUS user name format and shared key on the RADIUS client must be the same as those on the RADIUS server.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

radius-server authorization ip-address { server-group group-name | shared-key { cipher | simple } key-string } * [ ack-reserved-interval interval ]

A RADIUS authorization server is configured.

By default, no RADIUS authorization server is configured.

Step 3 Run:

radius-server template template-name


The RADIUS server template view is displayed.

Step 4 Run:

radius-server authentication ip-address port [ source { loopback interface-number | ip-address ip-address } ]

The primary RADIUS authentication server is configured.

By default, the IP address of the primary RADIUS authentication server is 0.0.0.0 and the port number is 0.

Step 5 (Optional) Run:

radius-server authentication ip-address port [ source { loopback interface-number | ip-address ip-address } ] secondary

The secondary RADIUS authentication server is configured.

By default, the IP address of the secondary RADIUS authentication server is 0.0.0.0 and the port number is 0.

Step 6 Run:

radius-server accounting ip-address port [ source { loopback interface-number | ip-address ip-address } ]

The primary RADIUS accounting server is configured.

By default, the IP address of the primary RADIUS accounting server is 0.0.0.0 and the port number is 0.

Step 7 (Optional) Run:

radius-server accounting ip-address port [ source { loopback interface-number | ip-address ip-address } ] secondary

The secondary RADIUS accounting server is configured.

By default, the IP address of the secondary RADIUS accounting server is 0.0.0.0 and the port number is 0.

Step 8 (Optional) Run:

radius-server shared-key { cipher | simple } key-string

The shared key is configured.

By default, the shared key of a RADIUS server is huawei.

Step 9 (Optional) Run:

radius-server user-name domain-included

The AR200-S is configured to encapsulate the domain name in the user name in RADIUS packets to be sent to a RADIUS server.

By default, the AR200-S encapsulates the domain name in the user name when sending RADIUS packets to a RADIUS server.

If the RADIUS server does not accept the user name with the domain name, run the undo radius-server user-name domain-included command to delete the domain name from the user name.

Step 10 (Optional) Run:

radius-server traffic-unit { byte | kbyte | mbyte | gbyte }

The traffic unit used by a RADIUS server is configured.


By default, the traffic unit is byte on the AR200-S.

Step 11 (Optional) Run:

radius-server { retransmit retry-times | timeout time-value } *

The number of times RADIUS request packets are retransmitted and the timeout interval are set.

By default, the number of transmission times is 3 and the timeout interval is 5s.

Step 12 (Optional) Run:

radius-server nas-port-format { new | old }

The format of the Network Access Server (NAS) port attribute is set.

By default, the new format of the NAS port attribute is used.

Step 13 (Optional) Run:

radius-server nas-port-id-format { new | old }

The format of the NAS port ID attribute is set.

By default, the new format of the NAS port ID attribute is used.

Step 14 (Optional) Run:

radius-attribute nas-ip

The RADIUS NAS-IP-Address attribute is set.

Step 15 (Optional) Run:

return

Return to the user view.

Step 16 (Optional) Run:

test-aaa user-name user-password radius-template template-name [ chap | pap ]

You can test whether a user can be authenticated using RADIUS authentication.

----End

1.4.4 Configuring a Domain

The created authentication scheme, accounting scheme, and RADIUS server template take effect only after being applied to a domain.

Context

Before configuring a domain, ensure that the authentication scheme, accounting scheme, and RADIUS server template have been created.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

aaa


The AAA view is displayed.

Step 3 (Optional) Run:

domain domain-name

A domain is created and the domain view is displayed.

The AR200-S has two default domains: default and default_admin. The default domain is used by common access users and the default_admin domain is used by administrators.

Step 4 Run:

authentication-scheme authentication-scheme-name

An authentication scheme is applied to the domain.

By default, the default authentication scheme is applied to a domain.

Step 5 (Optional) Run:

accounting-scheme accounting-scheme-name

An accounting scheme is applied to a domain.

By default, the default accounting scheme is applied to a domain. In the default accounting scheme, non-accounting is used and the real-time accounting function is disabled.

Step 6 (Optional) Run:

service-scheme service-scheme-name

A service scheme is applied to a domain.

By default, no service scheme is applied to a domain.

Step 7 Run:

radius-server template-name

A RADIUS server template is applied to a domain.

By default, no RADIUS server template is applied to a domain.

Step 8 (Optional) Run:

state { active | block }

The domain status is configured.

When a domain is in blocking state, users in this domain cannot log in. By default, a domain is in active state after being created.

Step 9 Run:

quit

Return to the domain view.

Step 10 (Optional) Run:

domain-name-delimiter delimiter

The domain name delimiter is configured.

The domain name delimiter can be any of the following: \ / : < > | @ ' %.

By default, the domain name delimiter is @.

----End


1.4.5 Checking the Configuration

Prerequisites

The RADIUS AAA configurations are complete.

Procedure

• Run the display aaa configuration command to check the AAA summary.

• Run the display authentication-scheme [ authentication-scheme-name ] command to check the authentication scheme configuration.

• Run the display accounting-scheme [ accounting-scheme-name ] command to check the accounting scheme configuration.

• Run the display service-scheme [ name name ] command to check the service scheme configuration.

• Run the display radius-server configuration [ template template-name ] command to check the RADIUS server template configuration.

• Run the display radius-attribute [ template template-name ] disable command to check the disabled RADIUS attributes.

• Run the display radius-attribute [ template template-name ] translate command to check the RADIUS attribute translation configuration.

• Run the display domain [ name domain-name ] command to check the domain configuration.

----End

1.5 Configuring HWTACACS AAA

Similar to RADIUS, HWTACACS uses the client/server model to communicate with the HWTACACS server, implementing authentication, authorization, and accounting (AAA) for access users. Compared with RADIUS, HWTACACS is more reliable in transmission and encryption and is therefore more suitable for security control.

1.5.1 Establishing the Configuration Task

Before configuring HWTACACS authentication, authorization, and accounting, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

To prevent unauthorized users from attacking a network, configure AAA:

• Authentication: checks whether a user is allowed to access a network. Only authenticated users can access the network.

• Authorization: authorizes a user to use specific services.


• Accounting: records all the operations performed by a user and the service type, start time, and data traffic.

HWTACACS prevents unauthorized users from attacking a network and provides command line authorization. Compared with RADIUS, HWTACACS is more suitable for security control.

Pre-configuration Tasks

Before configuring HWTACACS authentication, authorization, and accounting, complete the following task:

• Configuring physical attributes for interfaces to ensure that the physical layer status of the interfaces is Up

Data Preparation

To configure HWTACACS authentication, authorization, and accounting, you need the following data.

No. Data

1 Name of an authentication scheme

2 Name of an authorization scheme

3 Name of an accounting scheme

4 Name of an HWTACACS server template

5 IP addresses and port numbers of primary and secondary HWTACACS authentication servers

6 IP addresses and port numbers of primary and secondary HWTACACS authorization servers

7 (Optional) IP addresses and port numbers of primary and secondary HWTACACS accounting servers

8 (Optional) Shared key in HWTACACS packets

9 (Optional) Response timeout interval of an HWTACACS server

10 (Optional) Time for the primary HWTACACS server to return to the active state

11 (Optional) Retransmission interval of accounting-stop packets


1.5.2 Configuring AAA Schemes

To use HWTACACS AAA, set the authentication mode in an authentication scheme to HWTACACS, the authorization mode in an authorization scheme to HWTACACS, and the accounting mode in an accounting scheme to HWTACACS.

Context

Local authentication or non-authentication can be configured as a backup for HWTACACS authentication in an authentication scheme. This allows local authentication or non-authentication to be implemented if HWTACACS authentication fails. When HWTACACS authorization is used, you can configure local authorization or non-authorization as a backup. When HWTACACS accounting is used, you can configure non-accounting as a backup.

Procedure

• Configuring an authentication scheme

1. Run:

system-view

The system view is displayed.

2. Run:

aaa

The AAA view is displayed.

3. Run:

authentication-scheme authentication-scheme-name

An authentication scheme is created and the authentication scheme view is displayed.

By default, the default authentication scheme is used. The default authentication scheme can be modified, but it cannot be deleted.

4. Run:

authentication-mode hwtacacs [ none ]

HWTACACS authentication is configured.

By default, local authentication is used.

To configure local authentication as a backup, see 1.3 Configuring Local Authentication and Authorization.

NOTE

If multiple authentication modes are configured in an authentication scheme, authentication modes are used according to the sequence in which they were configured. The AR200-S uses the authentication mode that was configured later only after the current authentication mode fails. The AR200-S stops the authentication if the user fails to pass the authentication.

5. (Optional) Run:

authentication-super { hwtacacs | super } * [ none ]

The authentication mode used to upgrade user levels is configured.

6. (Optional) Run:

quit

Return to the AAA view.


7. (Optional) Run:

domainname-parse-direction { left-to-right | right-to-left }

The direction in which the user name and domain name are parsed is configured.

• Configuring an authorization scheme

1. Run:

system-view

The system view is displayed.

2. Run:

aaa

The AAA view is displayed.

3. Run:

authorization-scheme authorization-scheme-name

An authorization scheme is created and the authorization scheme view is displayed.

By default, the default authorization scheme is used. The default authorization scheme can be modified, but it cannot be deleted.

4. Run:

authorization-mode { hwtacacs | local } * [ none ]

The authorization mode is configured.

By default, local authorization is used.

If HWTACACS authorization is configured, you must configure an HWTACACS server template and apply the template to the corresponding user domain.

NOTE

If multiple authorization modes are configured in an authorization scheme, authorization modes are used in the sequence in which they were configured. The AR200-S uses the authorization mode that was configured later only after the current authorization mode fails. The AR200-S stops the authorization if the user fails to pass the authorization.

5. (Optional) Run:

authorization-cmd privilege-level hwtacacs [ local ]

Command line authorization is enabled for users at a certain level.

By default, command line authorization is disabled for users at levels 0 to 15.

If command line authorization is enabled, you must configure an HWTACACS server template and apply the template to the corresponding user domain.

• Configuring an accounting scheme

1. Run:

system-view

The system view is displayed.

2. Run:

aaa

The AAA view is displayed.

3. Run:

accounting-scheme accounting-scheme-name


An accounting scheme is created and the accounting scheme view is displayed.

By default, the default accounting scheme is used. The default accounting scheme can be modified, but it cannot be deleted.

4. Run:

accounting-mode hwtacacs

The accounting mode is set.

By default, non-accounting is used.

NOTE

If multiple accounting modes are configured in an accounting scheme, accounting modes are used according to the sequence in which they were configured. The AR200-S uses the accounting mode that was configured later only after the current accounting mode fails.

5. (Optional) Run:

accounting start-fail { online | offline }

The policy for accounting-start failures is configured.

By default, users cannot go online if accounting-start fails.

6. (Optional) Run:

accounting realtime interval

Real-time accounting is enabled and the interval for real-time accounting is set.

By default, real-time accounting is disabled.

7. (Optional) Run:

accounting interim-fail [ max-times times ] { online | offline }

The maximum number of real-time accounting failures is set and a policy used after a real-time accounting failure is configured.

After real-time accounting is enabled, the maximum number of real-time accounting failures is 3 and the AR200-S keeps paid users online after a real-time accounting failure by default.

----End
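The NOTEs in 1.4.2 and 1.5.2 state the same sequencing rule for every scheme type: a later mode is used only after the current mode fails, and processing stops as soon as the user fails to pass. The following Python model, added here and not Huawei code, shows what that means in practice: an unreachable RADIUS server lets authentication-mode radius local fall back to the local user table, a RADIUS reject does not, and radius none admits anyone while the servers are down. The primary-then-secondary order and treating retransmit 3 and timeout 5s (the 1.4.3 defaults) as per-server attempts are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Result(Enum):
    PASS = "pass"      # the mode answered and accepted the user
    REJECT = "reject"  # the mode answered and refused the user (user fails to pass)
    FAIL = "fail"      # the mode itself failed: no usable answer from any server


# A backend takes (user, password) and returns a Result.
Backend = Callable[[str, str], Result]


def make_server(credentials: Optional[dict]) -> Backend:
    """A server holding a user table; credentials=None models a server that is down."""
    def server(user: str, password: str) -> Result:
        if credentials is None:
            return Result.FAIL
        return Result.PASS if credentials.get(user) == password else Result.REJECT
    return server


def none_mode(user: str, password: str) -> Result:
    """The 'none' keyword: non-authentication, every user passes."""
    return Result.PASS


@dataclass
class RadiusTemplate:
    """Primary/secondary servers with the 1.4.3 defaults retransmit 3, timeout 5s.

    ASSUMPTIONS: the secondary is consulted only after the primary fails, and
    retransmit counts the total attempts per server, so the wait before the
    template as a whole fails is attempts x timeout per server.
    """
    primary: Backend
    secondary: Optional[Backend] = None
    retransmit: int = 3
    timeout: int = 5
    waited: int = 0   # seconds spent waiting in the most recent query

    def __call__(self, user: str, password: str) -> Result:
        self.waited = 0
        for server in (self.primary, self.secondary):
            if server is None:
                continue
            for _ in range(self.retransmit):
                verdict = server(user, password)
                if verdict is not Result.FAIL:
                    return verdict        # any answer, accept or reject, ends the query
                self.waited += self.timeout
        return Result.FAIL


def run_scheme(modes: list[tuple[str, Backend]], user: str, password: str) -> tuple[Result, list[str]]:
    """Walk the scheme's modes in configured order and return (result, trail).

    Only a FAIL lets the next configured mode run; PASS or REJECT stops processing.
    """
    trail: list[str] = []
    for name, backend in modes:
        verdict = backend(user, password)
        trail.append(f"{name}:{verdict.value}")
        if verdict is Result.FAIL:
            continue
        return verdict, trail
    return Result.FAIL, trail     # every mode failed: the user is not authenticated


# Constructed sample user tables for the local database and the RADIUS server.
LOCAL_USERS = {"admin1": "correct horse"}
RADIUS_USERS = {"admin1": "correct horse", "netops": "tr0ub4dor"}


def scenario_servers_down() -> tuple[Result, list[str], int]:
    """authentication-mode radius local, both RADIUS servers unreachable."""
    radius = RadiusTemplate(make_server(None), make_server(None))
    verdict, trail = run_scheme([("radius", radius), ("local", make_server(LOCAL_USERS))],
                                "admin1", "correct horse")
    return verdict, trail, radius.waited


def scenario_server_rejects() -> tuple[Result, list[str]]:
    """authentication-mode radius local, RADIUS answers and rejects a wrong password."""
    radius = RadiusTemplate(make_server(RADIUS_USERS))
    return run_scheme([("radius", radius), ("local", make_server(LOCAL_USERS))],
                      "admin1", "wrong")


def scenario_none_backup() -> tuple[Result, list[str]]:
    """authentication-mode radius none with RADIUS down: an unknown user passes."""
    radius = RadiusTemplate(make_server(None))
    return run_scheme([("radius", radius), ("none", none_mode)], "anyone", "anything")


if __name__ == "__main__":
    print("servers down  :", scenario_servers_down())
    print("server rejects:", scenario_server_rejects())
    print("none as backup:", scenario_none_backup())
```

The third scenario is the one to watch for when reviewing a configuration: with none as the backup, the login stalls for the retransmit and timeout budget and then succeeds for any name.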

1.5.3 Configuring an HWTACACS Server Template

In an HWTACACS server template, you must specify the IP address, port number, and shared key of a specified HWTACACS server. Other settings such as the HWTACACS user name format and traffic unit have default values and can be changed according to network requirements.

Context

The settings of an HWTACACS server template such as the HWTACACS user name format and shared key on the HWTACACS client must be the same as those on the HWTACACS server.

Procedure

Step 1 Run:

system-view


The system view is displayed.

Step 2 (Optional) Run:

hwtacacs enable

HWTACACS is enabled.

Step 3 Run:

hwtacacs-server template template-name

An HWTACACS server template is created and the HWTACACS server template view is displayed.

Step 4 Run:

hwtacacs-server authentication ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ]

The IP address of the primary HWTACACS authentication server is specified.

By default, the IP address of the primary HWTACACS authentication server is 0.0.0.0 and its port number is 0, and the primary HWTACACS authentication server is not bound to any VPN instance.

Step 5 (Optional) Run:

hwtacacs-server authentication ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] secondary

The IP address of the secondary HWTACACS authentication server is specified.

By default, the IP address of the secondary HWTACACS authentication server is 0.0.0.0 and its port number is 0, and the secondary HWTACACS authentication server is not bound to any VPN instance.

Step 6 Run:

hwtacacs-server authorization ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ]

The IP address of the primary HWTACACS authorization server is specified.

By default, the IP address of the primary HWTACACS authorization server is 0.0.0.0 and its port number is 0, and the primary HWTACACS authorization server is not bound to any VPN instance.

Step 7 (Optional) Run:

hwtacacs-server authorization ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] secondary

The IP address of the secondary HWTACACS authorization server is specified.

By default, the IP address of the secondary HWTACACS authorization server is 0.0.0.0 and its port number is 0, and the secondary HWTACACS authorization server is not bound to any VPN instance.

Step 8 Run:

hwtacacs-server accounting ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ]

The IP address of the primary HWTACACS accounting server is specified.

By default, the IP address of the primary HWTACACS accounting server is 0.0.0.0 and its port number is 0, and the primary HWTACACS accounting server is not bound to any VPN instance.


Step 9 (Optional) Run:

hwtacacs-server accounting ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] secondary

The IP address of the secondary HWTACACS accounting server is specified.

By default, the IP address of the secondary HWTACACS accounting server is 0.0.0.0 and its port number is 0, and the secondary HWTACACS accounting server is not bound to any VPN instance.

Step 10 (Optional) Run:

hwtacacs-server source-ip ip-address

The AR200-S is configured to encapsulate the source IP address in HWTACACS packets to be sent to an HWTACACS server.

By default, the source IP address in HWTACACS packets is 0.0.0.0. The AR200-S uses the IP address of the actual outbound VLANIF interface as the source IP address in HWTACACS packets.

After you specify the source IP address in HWTACACS packets, the AR200-S uses this IP address to communicate with the HWTACACS server.

Step 11 (Optional) Run:

hwtacacs-server shared-key [ cipher | simple ] key-string

The shared key is configured.

By default, no shared key is configured.

Step 12 (Optional) Run:

hwtacacs-server user-name domain-included

The AR200-S is configured to encapsulate the domain name in the user name in HWTACACS packets to be sent to an HWTACACS server.

By default, the AR200-S encapsulates the domain name in the user name when sending HWTACACS packets to an HWTACACS server.

Step 13 (Optional) Run:

hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }

The traffic unit used by an HWTACACS server is configured.

By default, the traffic unit is byte on the AR200-S.

Step 14 (Optional) Run:

hwtacacs-server timer response-timeout value

The response timeout interval for an HWTACACS server is set.

By default, the response timeout interval for an HWTACACS server is 5s.

If the AR200-S does not receive any response from the HWTACACS server within the timeout interval, it considers that the HWTACACS server is faulty. The AR200-S then tries to perform authentication and authorization by using other methods.

Step 15 (Optional) Run:

hwtacacs-server timer quiet value

The time for the primary HWTACACS server to return to the active state is set.


By default, the time for the primary HWTACACS server to return to the active state is 5 minutes.

Step 16 (Optional) Run:

quit

Return to the user view.

Step 17 (Optional) Run:

hwtacacs-server accounting-stop-packet resend { disable | enable number }

Retransmission of accounting-stop packets is configured.

You can enable retransmission of accounting-stop packets and set the retransmission count, or disable the function. By default, the retransmission function is enabled and the retransmission count is 100.

Step 18 (Optional) Run:

return

Return to the user view.

Step 19 (Optional) Run:

hwtacacs-user change-password hwtacacs-server template-name

The password saved on the HWTACACS server is changed.

----End
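The response-timeout and quiet timers of Steps 14 and 15, together with the accounting interim-fail policy from the accounting scheme procedure (1.5.2, Step 7), describe how the router moves between its primary and secondary servers and what happens to a user's session when real-time accounting keeps failing. The following Python model is an added example written for this guide, not Huawei code. It uses the two server addresses and port 49 from the HWTACACS example in 1.7.2, the guide's defaults (5 s response timeout, 5 min quiet time, max-times 3, users kept online), and a simulated clock in seconds; one assumption the guide does not state is that the interim-fail counter counts consecutive failures and is reset by a successful update.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Server:
    """One HWTACACS server of a template (port 49 as in the guide's example)."""
    address: str
    port: int = 49
    quiet_until: float = 0.0  # simulated time until which the server is held faulty

    def is_active(self, now: float) -> bool:
        return now >= self.quiet_until


@dataclass
class HwtacacsTemplate:
    """Primary and secondary servers plus the two timers from Steps 14 and 15."""
    name: str
    servers: List[Server]           # primary first, secondary second
    response_timeout: float = 5.0   # seconds, guide default
    quiet_interval: float = 300.0   # 5 minutes, guide default

    def current_server(self, now: float) -> Optional[Server]:
        """First server (primary before secondary) that is not in the quiet state."""
        for srv in self.servers:
            if srv.is_active(now):
                return srv
        return None

    def send(self, now: float,
             reply_delay: Callable[[Server], Optional[float]]) -> Tuple[Optional[Server], float]:
        """Deliver one request. reply_delay(server) is the simulated response delay in
        seconds, or None if the server never answers. Returns the server that answered
        and the simulated time of its answer; (None, t) means every active server timed
        out, so the caller falls back to the next method of its scheme (for example the
        'local' in 'authentication-mode hwtacacs local')."""
        t = now
        for srv in self.servers:
            if not srv.is_active(t):
                continue
            delay = reply_delay(srv)
            if delay is not None and delay <= self.response_timeout:
                return srv, t + delay
            # No answer within response-timeout: the server is considered faulty and
            # stays out of rotation for quiet_interval before it returns to active.
            t += self.response_timeout
            srv.quiet_until = t + self.quiet_interval
        return None, t


@dataclass
class InterimAccounting:
    """Per-user state for 'accounting interim-fail [ max-times ] { online | offline }'."""
    max_times: int = 3      # guide default
    policy: str = "online"  # guide default: keep the user online after failures
    failures: int = 0
    online: bool = True

    def report(self, success: bool) -> bool:
        """Record one real-time accounting attempt and return whether the user stays
        online. Assumption not stated in the guide: consecutive failures are counted
        and a successful update resets the counter."""
        if success:
            self.failures = 0
        else:
            self.failures += 1
            if self.failures >= self.max_times and self.policy == "offline":
                self.online = False
        return self.online


def demo() -> dict:
    """Walk through the guide's two-server example with the primary not answering."""
    tpl = HwtacacsTemplate("ht", [Server("129.7.66.66"), Server("129.7.66.67")])
    answered, at = tpl.send(0.0, lambda s: None if s.address == "129.7.66.66" else 0.2)
    acc = InterimAccounting(policy="offline")
    states = [acc.report(False) for _ in range(3)]
    return {
        "answered_by": answered.address if answered else None,
        "answered_at": at,
        "current_at_10s": tpl.current_server(10.0).address,
        "current_at_5min": tpl.current_server(305.0).address,
        "online_after_each_failure": states,
    }


if __name__ == "__main__":
    print(demo())
```

With the primary silent, the request is answered by the secondary 5.2 s after it was sent (one full response timeout plus the secondary's own delay), the secondary remains the current server for the next five minutes, and the primary is tried again once the quiet time has elapsed. The same run shows the offline policy taking a user offline on the third consecutive accounting failure, while the default online policy would never do so.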

1.5.4 Configuring a Domain

The created authentication scheme, authorization scheme, accounting scheme, and HWTACACS server template take effect only after being applied to a domain.

Context

Before configuring a domain, ensure that the authentication scheme, authorization scheme, accounting scheme, and HWTACACS server template have been created.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

aaa

The AAA view is displayed.

Step 3 Run:

domain domain-name

A domain is created and the domain view is displayed.

The AR200-S has two default domains: default and default_admin. The default domain is used by common access users and the default_admin domain is used by administrators.

Step 4 Run:


authentication-scheme authentication-scheme-name

An authentication scheme is applied to the domain.

By default, the default authentication scheme is applied to a domain.

Step 5 (Optional) Run:

authorization-scheme authorization-scheme-name

An authorization scheme is applied to the domain.

By default, no authorization scheme is applied to a domain.

Step 6 (Optional) Run:

accounting-scheme accounting-scheme-name

An accounting scheme is applied to a domain.

By default, the default accounting scheme is applied to a domain. In the default accounting scheme, non-accounting is used and the real-time accounting function is disabled.

Step 7 (Optional) Run:

service-scheme service-scheme-name

A service scheme is applied to a domain.

By default, no service scheme is applied to a domain.

Step 8 Run:

hwtacacs-server template-name

The HWTACACS server template is applied to a domain.

By default, no HWTACACS server template is applied to a domain.

Step 9 (Optional) Run:

state { active | block }

The domain status is configured.

When a domain is in blocking state, users in this domain cannot log in. By default, a domain is in active state after being created.

Step 10 Run:

quit

Return to the domain view.

Step 11 (Optional) Run:

domain-name-delimiter delimiter

The domain name delimiter is configured.

The domain name delimiter can be any of the following: \ / : < > | @ ' %.

By default, the domain name delimiter is @.

----End
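The domain settings above determine which domain, and therefore which schemes and server template, a login name is resolved against: the delimiter splits user from domain, a login without a domain part falls into default or default_admin, a blocked domain refuses its users, and the domain-included setting of the HWTACACS template (1.5.3, Step 12) decides whether the domain travels with the user name to the server. The following Python model of that resolution is an added example, not Huawei code. It assumes, where the guide is silent, that the last occurrence of the delimiter separates the user part from the domain part, and that a login naming a domain that is not configured is refused.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Delimiters the guide allows for 'domain-name-delimiter': \ / : < > | @ ' %
ALLOWED_DELIMITERS = frozenset("\\/:<>|@'%")


@dataclass
class Domain:
    name: str
    state: str = "active"                    # 'active' (default) or 'block'
    authentication_scheme: str = "default"   # guide default when none is applied
    hwtacacs_template: Optional[str] = None  # none applied by default


@dataclass
class AaaConfig:
    delimiter: str = "@"          # guide default
    domain_included: bool = True  # 'hwtacacs-server user-name domain-included' default
    domains: Dict[str, Domain] = field(default_factory=lambda: {
        "default": Domain("default"),              # common access users
        "default_admin": Domain("default_admin"),  # administrators
    })

    def set_delimiter(self, delimiter: str) -> None:
        if not is_valid_delimiter(delimiter):
            raise ValueError(f"unsupported domain name delimiter {delimiter!r}")
        self.delimiter = delimiter

    def split_login(self, login: str, administrator: bool = False) -> Tuple[str, str]:
        """Return (user, domain name). Assumptions not stated in the guide: the last
        occurrence of the delimiter separates user from domain, and a login without a
        domain part is placed in 'default' (or 'default_admin' for administrators)."""
        user, sep, domain = login.rpartition(self.delimiter)
        if not sep or not domain:
            return login, ("default_admin" if administrator else "default")
        return user, domain

    def resolve(self, login: str, administrator: bool = False) -> Domain:
        """Domain whose schemes and server template apply to this login. A domain in
        block state refuses its users, as the guide states; refusing an unconfigured
        domain name is an assumption of this model."""
        _, name = self.split_login(login, administrator)
        domain = self.domains.get(name)
        if domain is None:
            raise LookupError(f"domain {name!r} is not configured")
        if domain.state == "block":
            raise PermissionError(f"domain {name!r} is blocked; login refused")
        return domain

    def login_allowed(self, login: str, administrator: bool = False) -> bool:
        try:
            self.resolve(login, administrator)
            return True
        except (LookupError, PermissionError):
            return False

    def server_user_name(self, login: str, administrator: bool = False) -> str:
        """User name carried in HWTACACS packets: as typed when domain-included is on,
        otherwise with the delimiter and domain part stripped."""
        if self.domain_included:
            return login
        return self.split_login(login, administrator)[0]


def is_valid_delimiter(delimiter: str) -> bool:
    return len(delimiter) == 1 and delimiter in ALLOWED_DELIMITERS
```

Changing the delimiter changes what counts as a domain part: with `/` configured, `alice@huawei` no longer names the huawei domain and lands in default, which is worth checking after the delimiter is changed on a device that already has users with `@` in their names.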

1.5.5 Checking the Configuration


Prerequisites

The HWTACACS AAA configurations are complete.

Procedure

- Run the display aaa configuration command to check the AAA summary.

- Run the display authentication-scheme [ authentication-scheme-name ] command to check the authentication scheme configuration.

- Run the display authorization-scheme [ authorization-scheme-name ] command to check the authorization scheme configuration.

- Run the display accounting-scheme [ accounting-scheme-name ] command to check the accounting scheme configuration.

- Run the display service-scheme [ name name ] command to check the service scheme configuration.

- Run the display hwtacacs-server template [ template-name ] command to check the HWTACACS server template configuration.

- Run the display domain [ name domain-name ] command to check the domain configuration.

----End

1.6 Maintaining AAA

Clearing the Statistics

1.6.1 Clearing the Statistics

Context

CAUTION

Statistics cannot be restored after being cleared. Exercise caution when you run this command.

Run the following commands in the user view to clear the statistics.

Procedure

- Run the reset hwtacacs-server statistics { all | accounting | authentication | authorization } command to clear the HWTACACS statistics.

- Run the reset hwtacacs-server accounting-stop-packet { all | ip ip-address } command to clear the statistics on accounting-stop packets.

----End


1.7 Configuration Examples

This section provides several AAA configuration examples. The configuration examples explain networking requirements, configuration notes, and configuration roadmap.

1.7.1 Example for Configuring RADIUS Authentication, Authorization, and Accounting

Networking Requirements

As shown in Figure 1-4, users access the network through RouterA and belong to the domain huawei. RouterB functions as the network access server of the destination network. Request packets from users need to traverse the network where RouterA and RouterB are located to reach the authentication server. Users can access the destination network through RouterB after being authenticated. The remote authentication configuration on RouterB is as follows:

- The RADIUS server performs authentication and accounting for access users.

- The RADIUS server at 129.7.66.66/24 functions as the primary authentication and accounting server. The RADIUS server at 129.7.66.67/24 functions as the secondary authentication and accounting server. The default authentication port and accounting port are 1812 and 1813.

Figure 1-4 Networking diagram of RADIUS authentication and accounting

[Figure: RouterA (domain huawei) and RouterB connected to the destination network and to the RADIUS servers at 129.7.66.66/24 and 129.7.66.67/24; image not reproduced]


Configuration Roadmap

The configuration roadmap is as follows:

1. Configure a RADIUS server template.
2. Configure an authentication scheme and an accounting scheme.
3. Apply the RADIUS server template, authentication scheme, and accounting scheme to the domain.

Data Preparation

To complete the configuration, you need the following data:

- Name of the domain that users belong to
- Name of the RADIUS server template
- Names of the authentication scheme and accounting scheme, and authentication and accounting modes
- IP addresses and authentication and accounting port numbers of the primary and secondary RADIUS servers
- Shared key and retransmission count

NOTE

The following configurations are performed on RouterB.

Procedure

Step 1 Configure interface IP addresses and routes to enable users and the RADIUS server to communicate.

Step 2 Configure a RADIUS server template.

# Configure a RADIUS template shiva.

<Huawei> system-view
[Huawei] radius-server template shiva

# Configure the IP address and port numbers of the primary RADIUS authentication and accounting server.

[Huawei-radius-shiva] radius-server authentication 129.7.66.66 1812
[Huawei-radius-shiva] radius-server accounting 129.7.66.66 1813

# Configure the IP address and port numbers of the secondary RADIUS authentication and accounting server.

[Huawei-radius-shiva] radius-server authentication 129.7.66.67 1812 secondary
[Huawei-radius-shiva] radius-server accounting 129.7.66.67 1813 secondary

# Configure the shared key and retransmission count of the RADIUS server.

[Huawei-radius-shiva] radius-server shared-key cipher hello
[Huawei-radius-shiva] radius-server retransmit 2
[Huawei-radius-shiva] quit

Step 3 Configure authentication and accounting schemes.

# Configure authentication scheme 1 and set the authentication method to RADIUS authentication.


[Huawei] aaa
[Huawei-aaa] authentication-scheme 1
[Huawei-aaa-authen-1] authentication-mode radius
[Huawei-aaa-authen-1] quit

# Configure accounting scheme 1 and set the accounting method to RADIUS accounting.

[Huawei-aaa] accounting-scheme 1
[Huawei-aaa-accounting-1] accounting-mode radius
[Huawei-aaa-accounting-1] quit

Step 4 Configure a domain huawei and apply authentication scheme 1, accounting scheme 1, and RADIUS server template shiva to the domain.

[Huawei-aaa] domain huawei
[Huawei-aaa-domain-huawei] authentication-scheme 1
[Huawei-aaa-domain-huawei] accounting-scheme 1
[Huawei-aaa-domain-huawei] radius-server shiva

Step 5 Verify the configuration.

Run the display radius-server configuration template command on RouterB. The command output shows that the configuration of the RADIUS server template meets the requirements.

<Huawei> display radius-server configuration template shiva
-------------------------------------------------------------------
  Server-template-name             : shiva
  Protocol-version                 : standard
  Traffic-unit                     : B
  Shared-secret-key                : 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
  Timeout-interval(in second)      : 5
  Primary-authentication-server    : 129.7.66.66 :1812 :- LoopBack:NULL Source-IP:0.0.0.0
  Primary-accounting-server        : 129.7.66.66 :1813 :- LoopBack:NULL Source-IP:0.0.0.0
  Secondary-authentication-server  : 129.7.66.67 :1812 :- LoopBack:NULL Source-IP:0.0.0.0
  Secondary-accounting-server      : 129.7.66.67 :1813 :- LoopBack:NULL Source-IP:0.0.0.0
  Retransmission                   : 2
  Domain-included                  : YES
  NAS-IP-Address                   : 0.0.0.0
-------------------------------------------------------------------

----End

Configuration Files

#
 sysname Huawei
#
radius-server template shiva
 radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 radius-server authentication 129.7.66.66 1812
 radius-server authentication 129.7.66.67 1812 secondary
 radius-server accounting 129.7.66.66 1813
 radius-server accounting 129.7.66.67 1813 secondary
 radius-server retransmit 2
#
aaa
 authentication-scheme default
 authentication-scheme 1
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 accounting-scheme 1
  accounting-mode radius
 domain default
 domain default_admin
 domain huawei
  authentication-scheme 1
  accounting-scheme 1
  radius-server shiva
#
return

1.7.2 Example for Configuring HWTACACS Authentication, Authorization, and Accounting

Networking Requirements

As shown in Figure 1-5:

- The HWTACACS server will authenticate access users first. If HWTACACS authentication fails, local authentication is used.

- HWTACACS authentication is required before the level of access users is upgraded. If HWTACACS authentication fails, local authentication is performed.

- HWTACACS authorization is performed.

- HWTACACS accounting is performed.

- Real-time accounting is performed every 3 minutes.

- The IP addresses of primary and secondary HWTACACS servers are 129.7.66.66/24 and 129.7.66.67/24. The port number for authentication, accounting, and authorization is 49.

Figure 1-5 Networking diagram of HWTACACS authentication, authorization, and accounting

[Figure: RouterA (domain huawei) and RouterB connected to the destination network and to the HWTACACS servers at 129.7.66.66/24 and 129.7.66.67/24; image not reproduced]


Configuration Roadmap

The configuration roadmap is as follows:

1. Configure an HWTACACS server template.
2. Configure authentication, authorization, and accounting schemes.
3. Apply the HWTACACS server template, authentication, authorization, and accounting schemes to the domain.

Data Preparation

To complete the configuration, you need the following data:

- Name of the domain that users belong to
- Name of the HWTACACS server template
- Names of the authentication scheme, authorization scheme, and accounting scheme, and authentication, authorization, and accounting modes
- IP addresses, authentication port numbers, authorization port numbers, and accounting port numbers of the primary and secondary HWTACACS servers
- Shared key of the HWTACACS server

NOTE

The following configurations are performed on RouterB.

Procedure

Step 1 Configure an HWTACACS server template.

# Configure an HWTACACS server template ht.

<Huawei> system-view
[Huawei] hwtacacs-server template ht

# Configure IP addresses and port numbers of the primary HWTACACS authentication, authorization, and accounting servers.

[Huawei-hwtacacs-ht] hwtacacs-server authentication 129.7.66.66 49
[Huawei-hwtacacs-ht] hwtacacs-server authorization 129.7.66.66 49
[Huawei-hwtacacs-ht] hwtacacs-server accounting 129.7.66.66 49

# Configure the IP addresses and port numbers of the secondary HWTACACS authentication, authorization, and accounting servers.

[Huawei-hwtacacs-ht] hwtacacs-server authentication 129.7.66.67 49 secondary
[Huawei-hwtacacs-ht] hwtacacs-server authorization 129.7.66.67 49 secondary
[Huawei-hwtacacs-ht] hwtacacs-server accounting 129.7.66.67 49 secondary

# Configure the shared key of the HWTACACS server.

[Huawei-hwtacacs-ht] hwtacacs-server shared-key cipher hello
[Huawei-hwtacacs-ht] quit

Step 2 Configure the authentication scheme, authorization scheme, and accounting scheme.

# Create an authentication scheme l-h. In the authentication scheme, the system performs HWTACACS authentication first, and performs local authentication if HWTACACS authentication fails. HWTACACS authentication is used first if the level of users is upgraded.


[Huawei] aaa
[Huawei-aaa] authentication-scheme l-h
[Huawei-aaa-authen-l-h] authentication-mode hwtacacs local
[Huawei-aaa-authen-l-h] authentication-super hwtacacs super
[Huawei-aaa-authen-l-h] quit

# Create an authorization scheme HWTACACS and set HWTACACS authorization.

[Huawei-aaa] authorization-scheme hwtacacs
[Huawei-aaa-author-hwtacacs] authorization-mode hwtacacs
[Huawei-aaa-author-hwtacacs] quit

# Create an accounting scheme HWTACACS and set HWTACACS accounting.

[Huawei-aaa] accounting-scheme hwtacacs
[Huawei-aaa-accounting-hwtacacs] accounting-mode hwtacacs

# Set the interval of real-time accounting to 3 minutes.

[Huawei-aaa-accounting-hwtacacs] accounting realtime 3
[Huawei-aaa-accounting-hwtacacs] quit

Step 3 Configure a domain huawei, and apply the authentication scheme l-h, authorization scheme HWTACACS, accounting scheme HWTACACS, and the HWTACACS server template ht to the domain.

[Huawei-aaa] domain huawei
[Huawei-aaa-domain-huawei] authentication-scheme l-h
[Huawei-aaa-domain-huawei] authorization-scheme hwtacacs
[Huawei-aaa-domain-huawei] accounting-scheme hwtacacs
[Huawei-aaa-domain-huawei] hwtacacs-server ht
[Huawei-aaa-domain-huawei] quit
[Huawei-aaa] quit

Step 4 Verify the configuration.

Run the display hwtacacs-server template command on RouterB. You can see that the configuration of the HWTACACS server template is correct.

<Huawei> display hwtacacs-server template ht
---------------------------------------------------------------------------
  HWTACACS-server template name    : ht
  Primary-authentication-server    : 129.7.66.66:49:-
  Primary-authorization-server     : 129.7.66.66:49:-
  Primary-accounting-server        : 129.7.66.66:49:-
  Secondary-authentication-server  : 129.7.66.67:49:-
  Secondary-authorization-server   : 129.7.66.67:49:-
  Secondary-accounting-server      : 129.7.66.67:49:-
  Current-authentication-server    : 129.7.66.66:49:-
  Current-authorization-server     : 129.7.66.66:49:-
  Current-accounting-server        : 129.7.66.66:49:-
  Source-IP-address                : 0.0.0.0
  Shared-key                       : ****************
  Quiet-interval(min)              : 5
  Response-timeout-Interval(sec)   : 5
  Domain-included                  : Yes
  Traffic-unit                     : B
---------------------------------------------------------------------------

Run the display domain command on RouterB. You can see that the domain configuration is correct.

<Huawei> display domain name huawei
  Domain-name                      : huawei
  Domain-state                     : Active
  Authentication-scheme-name       : l-h
  Accounting-scheme-name           : hwtacacs
  Authorization-scheme-name        : hwtacacs
  Service-scheme-name              : -
  RADIUS-server-group              : -
  HWTACACS-server-template         : ht

----End

Configuration Files

#
hwtacacs-server template ht
 hwtacacs-server authentication 129.7.66.66
 hwtacacs-server authentication 129.7.66.67 secondary
 hwtacacs-server authorization 129.7.66.66
 hwtacacs-server authorization 129.7.66.67 secondary
 hwtacacs-server accounting 129.7.66.66
 hwtacacs-server accounting 129.7.66.67 secondary
 hwtacacs-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
#
aaa
 authentication-scheme default
 authentication-scheme l-h
  authentication-mode hwtacacs local
  authentication-super hwtacacs super
 authorization-scheme default
 authorization-scheme hwtacacs
  authorization-mode hwtacacs
 accounting-scheme default
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
  accounting realtime 3
 domain default
 domain default_admin
 domain huawei
  authentication-scheme l-h
  accounting-scheme hwtacacs
  authorization-scheme hwtacacs
  hwtacacs-server ht
#
return


2 HTTPS Configuration

About This Chapter

The Hypertext Transfer Protocol Secure (HTTPS) protocol provides secure web access using security mechanisms provided by the Secure Sockets Layer (SSL) protocol, including data encryption, identity authentication, and message integrity check.

2.1 HTTPS Overview

HTTPS is a combination of the Hypertext Transfer Protocol (HTTP) and the Secure Sockets Layer (SSL) protocol.

2.2 HTTPS Features Supported by the AR200-S

The AR200-S supports the HTTPS server function.

2.3 Configuring the AR200-S as an HTTPS Server

The HTTPS server function allows users to securely access the AR200-S on web pages.

2.4 Configuration Examples

This section provides an HTTPS configuration example.


2.1 HTTPS Overview

HTTPS is a combination of the Hypertext Transfer Protocol (HTTP) and the Secure Sockets Layer (SSL) protocol.

HTTPS uses SSL to authenticate clients and servers and encrypt transmitted data for secure communication.

HTTP enables a device supporting the web management system to function as a web server. Users can log in to this device using HTTP and manage the device on web pages. HTTP cannot authenticate web servers or encrypt data, so it cannot protect data privacy or security. Therefore, HTTPS is used on devices to provide encrypted communication and secure identification of web servers.

As shown in Figure 2-1, an SSL policy is configured on the device (an HTTP server). After the HTTPS server function is enabled on the device, users can use a web browser to log in to the device (an HTTPS server) and manage the device on web pages.

Figure 2-1 Logging in to an HTTPS server through the web browser

[Figure: a PC logs in to the HTTPS server across the network; image not reproduced]

2.2 HTTPS Features Supported by the AR200-S

The AR200-S supports the HTTPS server function.

An AR200-S functions as an HTTPS server after the HTTPS server function is configured. The AR200-S uses the SSL protocol's data encryption, identity authentication, and message integrity check mechanisms to protect security of data transmitted between users and the AR200-S. These mechanisms ensure that users securely access a remote AR200-S on web pages.

Before configuring services including the web management system and SSL VPN service, ensure that the HTTPS server function has been configured on the AR200-S.

NOTE

The HTTPS function is used with a license. To use the HTTPS function, apply for and purchase the following license from the Huawei local office:

- AR150&200 Value-Added Security Package

2.3 Configuring the AR200-S as an HTTPS Server

The HTTPS server function allows users to securely access the AR200-S on web pages.


Applicable Environment

When users access a remote AR200-S functioning as an HTTP server, the following problems exist:

- Users cannot authenticate the AR200-S.

- Privacy of data transmitted between users and the AR200-S cannot be protected.

- Integrity of data transmitted between users and the AR200-S cannot be ensured, and the data may be modified by unauthorized users.

To solve the preceding problems, configure the AR200-S as an HTTPS server. The AR200-S uses the SSL protocol's data encryption, identity authentication, and message integrity check mechanisms to protect security of data transmitted between users and the AR200-S. These mechanisms ensure that users securely access a remote AR200-S on web pages.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Configure a server SSL policy. For details, see 11.3 Configuring a Server SSL Policy.

Step 3 Run:

http secure-server ssl-policy ssl-policy

An SSL policy is applied to the HTTPS service.

By default, no SSL policy is applied to the HTTPS service on the AR200-S.

Step 4 (Optional) Run:

http secure-server port port

The port number is set for the HTTPS service.

By default, the port number of the HTTPS service is 443.

Step 5 Run:

http secure-server enable

The HTTPS server function is enabled on the AR200-S.

By default, the HTTPS server function is disabled on the AR200-S.

----End

Example

# Run the display current-configuration command to check the configuration of the HTTPS server.

<Huawei> display current-configuration | include http secure-server
 http secure-server port 1026
 http secure-server ssl-policy user
 http secure-server enable


2.4 Configuration Examples

This section provides an HTTPS configuration example.

2.4.1 Example for Configuring the Router as an HTTPS Server

This section describes how to configure an HTTPS server to allow the administrator of an enterprise to remotely log in to a gateway.

Networking Environment

As shown in Figure 2-2, the administrator of enterprise A works in a different city than the R&D department. The administrator needs to securely log in to the gateway of the R&D department to manage the gateway.

To meet the preceding requirement, configure the HTTPS server function on the Router (the gateway) so that:

- The administrator establishes an HTTPS connection with the Router (the gateway) from a host named Admin and manages the Router on web pages.

- The administrator uses the SSL protocol's security mechanisms to authenticate the Router, improving remote access security.

NOTE

To implement certificate authentication, you also need to configure a Certificate Authority (CA) server. The CA server configuration is not mentioned here.

Figure 2-2 Networking diagram of HTTPS server configuration

[Figure: the host Admin (shown with 1.1.1.1/24) reaches the Router of enterprise A's R&D department over the Internet on interface Eth1/0/0 (2.1.1.1/24); the CA is at 3.1.1.1/24 and a PC sits in the R&D department; image not reproduced]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure a public key infrastructure (PKI) entity and a PKI domain.
2. Configure a server SSL policy.
3. Configure the Router as an HTTPS server.

Data Preparation

To complete the configuration, you need the following data:


- Router's interface connected to the Internet: Ethernet1/0/0
- IP address of Ethernet1/0/0: 2.1.1.1/24
- IP address of the CA: 3.1.1.1/24
- PKI parameters, as shown in the following table

Item         Data
PKI entity   - PKI entity name: admin
             - PKI common name: hello
             - Country code: CN
PKI domain   - PKI domain name: admin
             - Trusted CA: ca_root
             - Certificate's enrollment URL: http://3.1.1.1:8080/certsrv/mscep/mscep.dll
             - Bound PKI entity: admin
             - CA's fingerprint algorithm: secure hash algorithm (SHA)
             - Fingerprint: 17A34D94624B1C1BCBF6D763C4A67035D5B578EAF

- SSL parameters, as shown in the following table

Policy Name   Maximum Number of Sessions   Session Timeout Period
adminserver   40                           7200 seconds

- HTTPS service port number: 1278

NOTE

Before starting the configuration, ensure that routes between the Router, user hosts, and CA are reachable.

Procedure

Step 1 Configure a PKI entity and a PKI domain.

# Configure a PKI entity.

<Huawei> system-view
[Huawei] sysname Router
[Router] pki entity admin
[Router-pki-entity-admin] common-name hello
[Router-pki-entity-admin] country CN
[Router-pki-entity-admin] quit

# Configure a PKI domain.

[Router] pki realm admin
[Router-pki-realm-admin] entity admin
[Router-pki-realm-admin] ca id ca_root
[Router-pki-realm-admin] enrollment-url http://3.1.1.1:8080/certsrv/mscep/mscep.dll ra
[Router-pki-realm-admin] fingerprint sha1 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF
[Router-pki-realm-admin] quit

# Enroll the certificate manually.

[Router] pki enroll-certificate admin
 Info: Start certificate enrollment ...
 Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it.
 Choice no password ,please enter the enter-key.
 Please enter Password:
 Start certificate enrollment ...
 Cert enrolling now,It will take a few minutes or more. Please waiting...
[Router]
 The certificate enroll successful.

NOTE

You will be prompted to enter the password during certificate enrollment. If you do not have a password, press Enter.

Step 2 Configure a server SSL policy.

# Create a server SSL policy and specify PKI domain admin in the policy. This allows the Router to obtain a digital certificate from the CA specified in the PKI domain.

[Router] ssl policy adminserver type server
[Router-ssl-policy-adminserver] pki-realm admin

# Set the maximum number of sessions that can be saved and the timeout period of a saved session.

[Router-ssl-policy-adminserver] session cachesize 40 timeout 7200
[Router-ssl-policy-adminserver] quit

Step 3 Configure the Router as an HTTPS server.

# Apply the SSL policy adminserver to the HTTPS service.

[Router] http secure-server ssl-policy adminserver

# Configure the port number of the HTTPS service.

[Router] http secure-server port 1278

# Enable the HTTPS server function on the Router.

[Router] http secure-server enable

Step 4 Verify the configuration.

# Run the display ssl policy policy-name command to view the configuration of the SSL policy adminserver.

<Router> display ssl policy adminserver
------------------------------------------------------------------------------
Policy name                    : adminserver
Policy ID                      : 1
Policy type                    : Server
Cache number                   : 40
Time out(second)               : 7200
Server certificate load status : loaded
Bind number                    : 1
SSL connection number          : 1
------------------------------------------------------------------------------

# Start the web browser on the host Admin and enter https://2.1.1.1:1278 in the address box. The web management system of the Router is displayed, and the administrator can securely access and manage the Router on web pages.

----End

Configuration Files

Configuration file of the Router

#
 sysname Router
#
interface Ethernet 1/0/0
 ip address 2.1.1.1 255.255.255.0
#
pki entity admin
 common-name hello
 country CN
#
pki realm admin
 entity admin
 ca id ca_root
 enrollment-url http://3.1.1.1:8080/certsrv/mscep/mscep.dll ra
 fingerprint sha1 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF
#
ssl policy adminserver type server
 pki-realm admin
 session cachesize 40 timeout 7200
#
 http secure-server ssl-policy adminserver
 http secure-server enable
 http secure-server port 1278
#
return


3 Firewall Configuration

About This Chapter

The attack defense system protects an internal network against attacks from external networks;therefore, firewalls are generally deployed between the internal and external networks to preventattacks.

3.1 Firewall Overview
A firewall discards unwanted packets and protects the systems and key resources on the internal network.

3.2 Firewall Features Supported by the AR200-S
The firewall features supported by the AR200-S include ACL-based packet filtering, blacklist, whitelist, application specific packet filter (ASPF), port mapping, virtual firewall, attack defense, traffic statistics and monitoring, and logs.

3.3 Configuring Zones
All the security policies of the firewall are enforced based on zones.

3.4 Configuring the Packet Filtering Firewall
The packet filtering firewall filters packets by using an ACL.

3.5 Configuring the Blacklist
You can manually add entries to the blacklist or configure a dynamic blacklist. If you choose the dynamic blacklist, enable IP address scanning and port scanning defense on the attack defense module of the AR200-S. When the AR200-S detects that the connection rate of an IP address or a port exceeds the threshold, the AR200-S considers that a scanning attack occurs and adds the source IP address to the blacklist. All the packets from this source IP address are then filtered out.

3.6 Configuring the Whitelist
Whitelists are applicable to networks where devices send valid service packets that resemble IP address or port scanning attack packets. Whitelists prevent these devices from being added to the blacklist.

3.7 Configuring ASPF
The ASPF function can detect sessions that attempt to traverse the application layer and deny the undesired packets. In addition, ASPF enables application protocols that cannot traverse firewalls to function properly.

3.8 Configuring Port Mapping
Port mapping defines new port numbers for different application-layer protocols, protecting the server against service-specific attacks.

3.9 Configuring the Aging Time of the Firewall Session Table

3.10 Configuring the Attack Defense Function
The AR200-S attack defense function prevents attacks on the CPU. It ensures that the server operates normally even when it is attacked.

3.11 Configuring Traffic Statistics and Monitoring
The AR200-S supports traffic statistics and monitoring at the system level, zone level, and IP address level.

3.12 Configuring the Log Function
The firewall logs include session logs, statistics logs, attack defense logs, and blacklist logs.

3.13 Maintaining the Firewall

3.14 Configuration Examples
This section provides several configuration examples of the firewall.


3.1 Firewall Overview
A firewall discards unwanted packets and protects the systems and key resources on the internal network.

In a building, a firewall is designed to prevent the spread of fire from one place to other places. Similarly, a firewall on the network prevents hazards on the Internet from spreading to the internal network.

Located at the network boundary, a firewall prevents unauthorized access to the protected network and allows internal users to securely access web services across the Internet.

Both the packets from the Internet to the internal network and the packets from the internal network to the Internet pass through the firewall; therefore, the firewall acts as a guard that can discard undesired packets.

A firewall can also be used to protect systems and key resources such as data on the internal network. A firewall filters access to the protected data, including access from inside the network.

A firewall also serves as an authority control gateway that restricts access to the Internet. For example, it can allow only specified internal users to access the Internet. Firewalls also provide other functions, such as identity authentication and security processing (packet encryption).

The AR200-S has the following functions:

l ACL-based packet filtering: filters packets through an ACL.
l ASPF: filters packets at the application layer.
l Blacklist: filters packets based on source IP addresses.
l Whitelist: prevents the specified IP addresses from being added to the blacklist and filters packets based on source IP addresses.
l Port mapping: defines new port numbers for different application-layer protocols, protecting the server against service-specific attacks.
l Attack defense: detects various network attacks and takes measures to protect the internal network against attacks.
l Traffic statistics and monitoring: monitors traffic volume, detects the connections between internal and external networks, and carries out calculation and analysis.

3.2 Firewall Features Supported by the AR200-S
The firewall features supported by the AR200-S include ACL-based packet filtering, blacklist, whitelist, application specific packet filter (ASPF), port mapping, virtual firewall, attack defense, traffic statistics and monitoring, and logs.

Security Zone
The security zone, also referred to as a zone, is the basis of a firewall. All the security policies are enforced based on zones.

A zone is an interface or a group of multiple interfaces. The users in a zone have the same security attributes. Each zone has a unique security priority; that is, no two zones share the same priority.


The AR200-S considers data transmission within a zone to be trusted; therefore, it enforces no security policy on intra-zone traffic. The AR200-S inspects data and enforces the security policies only when the data flows from one zone to another. Consequently, only interfaces that share the same security requirements should be placed in the same zone.

Interzone

Any two zones form an interzone. Each interzone has an independent interzone view. Mostfirewall configurations are performed in the interzone views.

Assume that there are zone1 and zone2. In the interzone view, ACL-based packet filtering canbe configured. The configured filtering policy is then enforced on the data transmission betweenzone1 and zone2.

Direction

In an interzone, data is transmitted in the inbound or outbound direction.

l Inbound: indicates that data flows from a zone with lower priority to a zone with higherpriority.

l Outbound: indicates that data flows from a zone with higher priority to a zone with lowerpriority.

ACL-based Packet Filtering

ACL-based packet filtering analyzes the information in the packets to be forwarded, includingsource/destination IP addresses, source/destination port numbers, and IP protocol number. TheAR200-S compares the packet information with the ACL rules and determines whether toforward or discard the packets.

In addition, the AR200-S can filter fragmented IP packets to prevent a non-initial fragmentattack.

ASPF

ASPF works at the application layer; that is, ASPF is stateful (status-based) packet filtering. ASPF inspects the application-layer sessions that attempt to pass the firewall and discards undesired packets. Because it tracks sessions, ASPF can also admit the return and data channels that multi-channel protocols need, which plain ACL filtering cannot do.

The AR200-S performs ASPF for File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP) packets.

Blacklist

A blacklist filters packets based on source IP addresses. Compared with the ACL, the blacklistuses simpler matching fields to implement high-speed packet filtering. Packets from certain IPaddresses can be filtered out.

The firewall dynamically adds IP addresses to the blacklist. The firewall uses packet behaviorto detect an attack from an IP address. If an attack is detected, the firewall adds the IP addressof the attacker to the blacklist so that all packets from the attacker will be discarded.


Whitelist
The whitelist prevents specified IP addresses from being added to the blacklist. The IP addresses in the whitelist will not be added to the static or dynamic blacklist. An entry in the whitelist is identified by the source VPN and IP address.

The whitelist applies to networks where some devices send valid service packets that resemble IP address scanning or port scanning attack packets. The whitelist prevents these devices from being added to the blacklist.

The whitelist entries on the AR200-S can only be added manually.

Port Mapping
Application-layer protocols use well-known ports for communication. Port mapping defines new port numbers for application-layer protocols, which protects the server against service-specific attacks.

Port mapping applies to service-sensitive features such as ASPF and Network Address Translation (NAT). For example, the FTP server 10.10.10.10 on an enterprise intranet provides the FTP service on port 2121, so users who reach it through the NAT device must use port 2121. By default, the device recognizes FTP only on port 21 and therefore cannot identify the FTP control traffic on port 2121, so NAT and ASPF cannot track the associated FTP data connections. In this case, you need to map port 2121 to the FTP protocol. After port mapping, the NAT device identifies the FTP packets that use port 2121 and forwards them to the FTP server, which enables users to access the FTP server.

Virtual Firewall
Recently, more small-scale private networks have been established, most of them belonging to small-scale enterprises. Such enterprises have the following requirements:

l High security
l Insufficient budget to afford a dedicated security device

Logically, the AR200-S can be divided into multiple virtual firewalls serving multiple small-scale private networks. By using the virtual firewall function, an ISP can lease network security services to the enterprises.

A virtual firewall integrates a VPN instance and a security instance, and provides a private routing plane and security services for its users. The VPN instance and the security instance provide the following functions:

l VPN instance: provides independent VPN routes for the users under each virtual firewall. These VPN routes are used to forward the packets received by each virtual firewall.
l Security instance: provides independent security services for the users under each virtual firewall. The security instance contains private interfaces, zones, interzones, ACL rules, and NAT rules. In addition, it provides security services such as address binding, blacklist, address translation, packet filtering, traffic statistics and monitoring, attack defense, ASPF, and NAT for the users under the virtual firewalls.

Firewall Log
The firewall records its behavior and status in real time. For example, the attack defense measures taken and the malicious attacks detected are recorded in the firewall log.

The firewall logs are categorized into the following types:

l Session log: sent to the log server in real time.
l Blacklist log: sent to the information center in real time.
l Attack log and statistics log: sent to the information center periodically.

These logs help you find out security risks, detect attempts to violate security policies, and learnthe type of a network attack. The real-time log is also used to detect an intrusion that is underway.

Traffic Statistics and Monitoring
A firewall monitors data traffic, detects connection setup between internal and external networks, generates statistics, and analyzes data. The logs can be analyzed with special software after events occur, and the firewall also has analysis functions that work on data in real time.

By checking whether the number of TCP/UDP sessions initiated from external networks to the internal network exceeds the threshold, the firewall determines whether to restrict new sessions from external networks to the internal network or to restrict new sessions involving a particular IP address in the internal network. If the firewall finds that the number of sessions in the system exceeds the threshold, it speeds up the aging of sessions so that new sessions can still be set up. In this way, a DoS attack can be mitigated when the system is busy.

Figure 3-1 shows an application of the firewall. The IP address-based statistics function is enabled for the packets from external networks to the internal network. If the number of TCP sessions initiated by external networks to Web server 129.9.0.1 exceeds the threshold, the AR200-S forbids external networks from initiating new sessions until the number of sessions falls below the threshold.

Figure 3-1 Limiting the number of sessions initiated by external hosts (figure: the Internet connects through the Router to an internal Ethernet network hosting Web server 129.9.0.1; TCP connections from the Internet to the Web server are counted)

Attack Defense
With the attack defense feature, the AR200-S can detect and protect against various network attacks.

Network attacks are classified into three types: DoS attacks, scanning and snooping attacks, and malformed packet attacks.

l DoS attack
A denial of service (DoS) attack floods a system with a large number of packets so that the system can no longer serve requests from authorized users, or so that the host hangs. DoS attacks include the SYN Flood and Fraggle attacks. DoS attacks differ from other attacks in that the attacker does not look for a way into the network but instead prevents authorized users from accessing resources or routers.

l Scanning and snooping attack
Scanning and snooping attacks identify the systems that exist on a network through ping scanning (including ICMP and TCP scanning) and then discover potential targets. Through TCP scanning, attackers can learn the operating system and the listening services. By scanning and snooping, an attacker generally learns the service types and security vulnerabilities of a system and can plan a further intrusion.

l Malformed packet attack
Malformed packet attacks send malformed IP packets to a system, which crashes while processing them. Malformed packet attacks include Ping of Death and Teardrop.

Land Attack
A Land attack sets the source and destination addresses of a TCP SYN packet to the IP address of the attacked target. The target then sends the SYN-ACK to its own IP address and answers it with an ACK, forming a null session. Every null session persists until it times out. The responses to the Land attack vary according to the target: many UNIX hosts crash while Windows NT hosts slow down.

Smurf Attack
A simple Smurf attack targets a network. The attacker sends an ICMP Echo Request to the broadcast address of the network; all the hosts on the network respond, and the network is congested. The traffic caused by a Smurf attack is one or two orders of magnitude higher than the traffic caused by pinging with large packets.

An advanced Smurf attack targets a host. The attacker sets the source address of the ICMP Echo Request to the IP address of the target host, which is then overwhelmed with ICMP Echo Replies and crashes. The attack is more effective when a large volume of ICMP requests is generated and when there are many hosts on the broadcast network.

WinNuke Attack
A WinNuke attack sends an out-of-band (OOB) data packet to the NetBIOS port (139) of a target host running Windows. The NetBIOS handling of the OOB data fails and the host crashes. A fragmented IGMP packet can also damage the target host, because legitimate IGMP packets are not fragmented and some hosts do not handle fragmented IGMP packets correctly.

SYN Flood Attack
The TCP/IP protocol stack permits only a limited number of TCP connections because of resource restrictions. SYN Flood attacks exploit this characteristic. The attacker sends SYN packets with forged or nonexistent source addresses to originate connections to the server. On receipt of each packet, the server replies with a SYN-ACK. Because there is no receiver for the SYN-ACK, a half-open connection is created. If the attacker sends a large number of such packets, many half-open connections accumulate on the attacked host and its resources are exhausted; ordinary users cannot access the host until the half-open connections expire. If connections can be created without restriction, the SYN Flood consumes system resources such as memory.


ICMP and UDP Flood Attack
ICMP and UDP Flood attacks send a large number of ICMP packets (such as ping packets) and UDP packets to the target host in a short time and request responses. The host is then overloaded and cannot process valid tasks.

IP Sweeping and Port Scanning Attack
IP address sweeping and port scanning attacks probe the IP addresses and ports of target hosts with scanning tools. From the responses, the attacker determines which hosts exist on the target network and which ports provide services.

Ping of Death Attack
The Ping of Death attacks a system by sending oversized ICMP packets. The length field of an IP packet is 16 bits, so the maximum length of an IP packet is 65535 bytes. If the data field of an ICMP Echo Request is longer than 65507 bytes, the reassembled packet (ICMP data + 20-byte IP header + 8-byte ICMP header) is longer than 65535 bytes. On receiving the packet, routers or systems crash, stop responding, or restart because they process the packet improperly.

ICMP-Redirect and ICMP-Unreachable Attack
A network device sends an ICMP Redirect packet to hosts on the same subnet, requesting the hosts to change a route. Malicious attackers on another network segment, however, can send forged ICMP Redirect packets to the hosts of a network. In this way the attackers change the routing tables of the hosts and interfere with their normal IP packet forwarding.

Another type of attack sends ICMP Unreachable packets. After receiving an ICMP Unreachable packet for a network (code 0) or a host (code 1), some systems treat all subsequent packets to that destination as unreachable and tear down their connections to it.

Teardrop Attack
The More Fragments (MF) bit, offset field, and length field in an IP packet indicate which part of the original packet a fragment carries. Some TCP/IP implementations stop running when they receive a forged fragment whose offset overlaps a previous fragment. The Teardrop attack exploits the flaw that some systems do not check the validity of fragment information.

Fraggle Attack
UDP port 7 (Echo) and port 19 (Chargen) answer received UDP packets: port 7 echoes the received payload back to the sender, and port 19 responds with a generated character string. As in the ICMP-based attack, these two UDP services can be made to generate many useless response packets that occupy network bandwidth.

The attacker sends a UDP packet to the destination network. The source address of the UDP packet is the IP address of the host to be attacked, and its destination address is the broadcast address or network address of the subnet. The destination port number of the packet is 7 or 19. All the systems with the service enabled then return packets to the target host, and the high traffic volume blocks the network or the host stops responding. In addition, the systems without the service generate ICMP Unreachable packets, which also consume bandwidth. If the source port is set to Chargen and the destination port to Echo, the two services respond to each other continuously and cause serious damage.

IP-Fragment Attack
In an IP packet, several fields relate to flag bits and fragmentation: Fragment Offset, Length, Don't Fragment (DF), and MF.

If these fields conflict and are not processed correctly, the device may stop running. The fields conflict in the following cases:

l The DF bit is set together with the MF bit, or the DF bit is set and the fragment offset is not 0.
l The DF bit is 0, but the sum of Fragment Offset and Length is larger than 65535.

In addition, the device discards fragmented packets destined for itself, because caching and reassembling many fragments imposes a heavy load.

Tracert Attack
A Tracert attack discovers the packet transmission path through the ICMP Time Exceeded packets returned when the Time To Live (TTL) value reaches 0, or through the returned ICMP Port Unreachable packets.
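The single-packet attacks described above (Land, Smurf, Fraggle, the IP-fragment conflicts, Ping of Death and Teardrop) have signatures that an attack defense module can check from header fields alone, before any session state exists. The following Python is an added example and not Huawei code: it classifies constructed sample packets with stateless per-packet checks plus a small fragment tracker for the two reassembly attacks. The field names, the Pkt model and the sample packets are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

MAX_IP_LEN = 65535   # the 16-bit Total Length field limits a datagram to 65535 bytes
IP_HDR = 20          # minimum IPv4 header length


@dataclass(frozen=True)
class Pkt:
    """Assumed packet model: just the header fields the checks below need."""
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    length: int = 64                 # IP Total Length of this datagram or fragment
    ip_id: int = 0                   # Identification field shared by all fragments
    df: bool = False
    mf: bool = False
    offset: int = 0                  # fragment offset in bytes (header field * 8)
    tcp_syn: bool = False
    dport: Optional[int] = None
    icmp_type: Optional[int] = None  # 8 = Echo Request
    broadcast_dst: bool = False      # dst is a subnet broadcast or network address


def check_packet(p: Pkt) -> list[str]:
    """Stateless checks that need only the fields of a single packet."""
    hits = []
    if p.proto == "tcp" and p.tcp_syn and p.src == p.dst:
        hits.append("land")
    if p.proto == "icmp" and p.icmp_type == 8 and p.broadcast_dst:
        hits.append("smurf")
    if p.proto == "udp" and p.broadcast_dst and p.dport in (7, 19):
        hits.append("fraggle")
    if p.df and (p.mf or p.offset != 0):
        hits.append("ip-fragment")     # DF contradicts MF or a non-zero offset
    if not p.df and p.offset + p.length > MAX_IP_LEN:
        hits.append("ip-fragment")     # reassembled size cannot fit Total Length
    return hits


class Reassembler:
    """Stateful checks: remember the byte ranges seen per (src, dst, ip_id)."""

    def __init__(self) -> None:
        self.flows: dict[tuple, list[tuple[int, int]]] = {}

    def add(self, p: Pkt) -> list[str]:
        if not (p.mf or p.offset):
            return []                  # not a fragment, nothing to track
        hits = []
        ranges = self.flows.setdefault((p.src, p.dst, p.ip_id), [])
        start, end = p.offset, p.offset + (p.length - IP_HDR)
        if any(start < e and s < end for s, e in ranges):
            hits.append("teardrop")    # new fragment overlaps data already held
        ranges.append((start, end))
        if IP_HDR + max(e for _, e in ranges) > MAX_IP_LEN:
            hits.append("ping-of-death" if p.proto == "icmp" else "oversize")
        return hits


def inspect(packets: list[Pkt]) -> list[list[str]]:
    """Run both check sets over a packet sequence; one verdict list per packet."""
    reasm = Reassembler()
    return [check_packet(p) + reasm.add(p) for p in packets]


# Constructed sample traffic (documentation address ranges, not real hosts)
SAMPLE = [
    Pkt("192.0.2.10", "192.0.2.10", "tcp", tcp_syn=True),                          # Land
    Pkt("198.51.100.9", "192.0.2.255", "icmp", icmp_type=8, broadcast_dst=True),   # Smurf
    Pkt("198.51.100.9", "192.0.2.255", "udp", dport=19, broadcast_dst=True),       # Fraggle
    Pkt("198.51.100.9", "192.0.2.20", "tcp", df=True, mf=True),                    # DF and MF both set
    Pkt("198.51.100.9", "192.0.2.20", "icmp", length=1500, ip_id=1, mf=True),      # Ping of Death, first fragment
    Pkt("198.51.100.9", "192.0.2.20", "icmp", length=430, ip_id=1, offset=65120),  # Ping of Death, last fragment
    Pkt("198.51.100.9", "192.0.2.20", "udp", length=120, ip_id=2, mf=True),        # Teardrop, fragment 1
    Pkt("198.51.100.9", "192.0.2.20", "udp", length=120, ip_id=2, offset=40),      # Teardrop, overlapping fragment 2
    Pkt("198.51.100.9", "192.0.2.20", "tcp", dport=443, tcp_syn=True),             # ordinary SYN, no hit
]
```

Flood and scanning attacks (SYN, ICMP and UDP floods, IP sweeps, port scans) are rate-based and need counters over time rather than per-packet signatures, so they are deliberately outside this block. The last Ping of Death fragment is reported twice, as an ip-fragment conflict (offset plus length exceeds 65535) and as a reassembly overflow; a real implementation would drop on the first verdict.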

3.3 Configuring Zones
All the security policies of the firewall are enforced based on zones.

3.3.1 Establishing the Configuration Task
Before configuring a zone, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
Before configuring a firewall, you need to configure zones. Then you can configure the firewall based on zones or interzones.

Pre-configuration Tasks
Before configuring a zone, complete the following task:

l Configuring the interfaces that you want to add to the zone

Data Preparation
To configure the zone, you need the following data.

No.  Data
1    Name of the zone
2    Priority of the zone
3    Interfaces that you want to add to the zone

3.3.2 Creating a Zone
Before configuring a firewall, you need to create the related zones. Then you can deploy security services according to the security priorities of the zones.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: firewall zone zone-name

A zone is created.

The AR200-S can be configured with up to 255 zones, and no default zone is provided.

Step 3 Run: priority security-priority

The priority of the zone is set.

You must configure a priority for a zone before making other configurations. The priority cannot be changed once set, and no two zones can have the same priority. A greater value indicates a higher priority.

----End

3.3.3 Adding an Interface to the Zone
You can add interfaces to the specified zone.

Prerequisites

The zone has been created through the firewall zone command.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number

The interface view is displayed.

Step 3 Run: zone zone-name

The interface is added to the zone.

----End

3.3.4 Creating an Interzone
Create the interzone so you can enable the firewall to filter packets or application-layer services in the specified interzone.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: firewall interzone zone-name1 zone-name2

An interzone is created.

The zones specified for an interzone must have been created on the device.

----End

3.3.5 Enabling Firewall in the Interzone
The configured firewall functions take effect only after you enable the firewall in the interzone.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: firewall interzone zone-name1 zone-name2

The interzone view is displayed.

The zones zone-name1 and zone-name2 have been created through the firewall zone command.

Step 3 Run: firewall enable

The firewall is enabled.

By default, the firewall function is disabled in an interzone.

----End


3.3.6 Checking the Configuration
After configuring the zones and interzone, you can view information about the zones and interzone.

Procedure
l Run the display firewall zone [ zone-name ] [ interface | priority ] command to view information about the zones.
l Run the display firewall interzone [ zone-name1 zone-name2 ] command to view information about the interzone.

----End

3.4 Configuring the Packet Filtering Firewall
The packet filtering firewall filters packets by using an ACL.

3.4.1 Establishing the Configuration Task
Before configuring the ACL-based packet filtering firewall, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
When data is transmitted between two zones, the ACL-based packet filtering firewall enforces the packet filtering policies according to the ACL rules. The ACLs used for filtering packets include basic ACLs and advanced ACLs.

Pre-configuration Tasks
Before configuring ACL-based packet filtering, complete the following tasks:

l Configuring zones and adding interfaces to the zones
l Configuring the interzone and enabling the firewall function in the interzone
l Creating the basic ACL and advanced ACL and configuring ACL rules

Data Preparation
To configure ACL-based packet filtering, you need the following data.

No. Data

1 Zone names

2 ACL number

3 Packet direction to which the ACL is applied


3.4.2 Configuring ACL-based Packet Filtering in an Interzone
The packet filtering firewall filters packets through ACLs.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: acl [ number ] acl-number [ match-order { config | auto } ]

An ACL is created and the ACL view is displayed. With match-order config, rules are matched in the order in which they were configured; with match-order auto, more specific rules are matched first.

Step 3 Run: rule

An ACL rule is configured.

Step 4 Run: quit

Return to the system view.

Step 5 Run: firewall interzone zone-name1 zone-name2

The interzone view is displayed.

Step 6 Run: packet-filter acl-number { inbound | outbound }

ACL-based packet filtering is configured.

You can configure ACL-based packet filtering in the interzone for incoming or outgoing packets.

Step 7 (Optional) Run: packet-filter default { deny | permit } { inbound | outbound }

The default processing mode for unmatched packets is configured.

By default, unmatched outbound packets are permitted and unmatched inbound packets are denied.

If an ACL is applied to the inbound or outbound packets of an interzone, the packets are filtered according to the ACL rules. If a packet matches no ACL rule, the default processing mode is used.

NOTE

While interzone filtering rules are being modified, some existing sessions may not be filtered according to the new rules, because the session table was populated under the old ones. After the modification is complete, run the reset firewall session all command to delete all existing firewall session entries.

----End
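The direction rule from 3.2 (inbound is traffic from the lower-priority zone to the higher-priority zone) and the packet-filter procedure above, worked as an added Python model that is not Huawei code: zones with unique priorities, an interzone that does nothing until it is enabled, an ACL bound per direction with config or auto match order, and the default action for unmatched packets (deny inbound, permit outbound). The rule fields, the assumption that the default action also applies when no ACL is bound in a direction, and the sample traffic are assumptions of this example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "icmp"
    dport: Optional[int]   # None for protocols without ports
    in_zone: str           # zone of the ingress interface
    out_zone: str          # zone of the egress interface (from the route lookup)


@dataclass
class Rule:
    """One ACL rule; an unset field matches anything (assumed rule syntax)."""
    action: str                   # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))

    def specificity(self) -> int:
        # match-order auto: longer prefixes and more qualifiers are tried first
        return (ip_network(self.src).prefixlen + ip_network(self.dst).prefixlen
                + (self.proto is not None) + (self.dport is not None))


@dataclass
class Interzone:
    """State of one interzone view: firewall enable, packet-filter, packet-filter default."""
    enabled: bool = False                             # 'firewall enable'
    acl: dict = field(default_factory=dict)           # direction -> list of Rule
    match_order: str = "config"                       # 'config' or 'auto'
    default: dict = field(default_factory=lambda: {"inbound": "deny", "outbound": "permit"})


class Firewall:
    def __init__(self) -> None:
        self.zones: dict[str, int] = {}               # zone name -> priority
        self.interzones: dict[frozenset, Interzone] = {}

    def firewall_zone(self, name: str, priority: int) -> None:
        if priority in self.zones.values():
            raise ValueError("zone priorities must be unique")
        self.zones[name] = priority

    def interzone(self, z1: str, z2: str) -> Interzone:
        return self.interzones.setdefault(frozenset((z1, z2)), Interzone())

    def direction(self, in_zone: str, out_zone: str) -> str:
        # inbound: from the lower-priority zone to the higher-priority zone
        return "inbound" if self.zones[in_zone] < self.zones[out_zone] else "outbound"

    def forward(self, p: Packet) -> str:
        if p.in_zone == p.out_zone:
            return "permit"                           # intra-zone traffic is not policed
        iz = self.interzone(p.in_zone, p.out_zone)
        if not iz.enabled:
            return "permit"                           # nothing takes effect before 'firewall enable'
        d = self.direction(p.in_zone, p.out_zone)
        rules = iz.acl.get(d, [])
        if iz.match_order == "auto":
            rules = sorted(rules, key=Rule.specificity, reverse=True)
        for r in rules:
            if r.matches(p):
                return r.action
        return iz.default[d]                          # unmatched, or no ACL bound (assumption)


def build_sample() -> Firewall:
    """Constructed topology: trust (priority 85) facing untrust (priority 5)."""
    fw = Firewall()
    fw.firewall_zone("trust", 85)
    fw.firewall_zone("untrust", 5)
    iz = fw.interzone("trust", "untrust")
    iz.enabled = True
    iz.acl["inbound"] = [
        Rule("permit", dst="10.1.1.0/24", proto="tcp", dport=443),  # published HTTPS servers
        Rule("deny", dst="10.1.1.10/32"),                           # management host: no inbound at all
    ]
    return fw
```

The sample ACL contains a deliberate ordering pitfall: with match-order config, the broad permit for 10.1.1.0/24:443 is evaluated first, so HTTPS to the management host 10.1.1.10 is permitted even though a deny for that host follows; only match-order auto (or placing the deny first) makes the more specific rule win.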


3.4.3 Checking the Configuration
After the ACL-based packet filtering firewall is configured, you can view information about ACL-based packet filtering.

Procedure
l Run the display firewall interzone [ zone-name1 zone-name2 ] command to view information about packet filtering.
l Run the display acl acl-number command to view the ACL configuration.

----End

3.5 Configuring the BlacklistYou can manually add entries to the blacklist or configure a dynamic blacklist. If you choosethe dynamic blacklist, enable IP address scanning and port scanning defense on the attack defensemodule of the AR200-S. When the AR200-S detects that the connection rate of an IP addressor a port exceeds the threshold, the AR200-S considers that a scanning attack occurs, and addsthe source IP address to the blacklist. All the packets from this source IP address are then filteredout.

3.5.1 Establishing the Configuration Task

Before configuring the blacklist, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

The blacklist can filter out packets sent from a specified IP address to a zone. An IP address can be added to the blacklist manually or automatically.

When the attack defense module of the firewall detects an attack through the packet behavior, the firewall adds the source IP address of the packet to the blacklist. All the packets from this IP address are then filtered out.

Pre-configuration Tasks

Before configuring the blacklist, complete the following tasks:

l Configuring zones and adding interfaces to the zones

l Configuring the interzone and enabling the firewall function in the interzone

l Enabling IP address scanning attack defense or port scanning attack defense if a dynamic blacklist is used

Data Preparation

To configure the blacklist, you need the following data.


No.  Data
1    IP address that you want to add to the blacklist
2    (Optional) Aging time of blacklist entries

3.5.2 Enabling the Blacklist Function

To make the entries added to the blacklist manually or dynamically effective, you must first enable the blacklist function.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall blacklist enable

The blacklist function is enabled.

By default, the blacklist function is disabled.

----End

3.5.3 Adding IP Addresses to the Blacklist Manually

After an IP address is added to the blacklist, the firewall denies the packets from this IP address until this entry expires.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall blacklist ip-address [ vpn-instance vpn-instance-name ] [ expire-time minutes ]

An entry is added to the blacklist.

When adding an entry to the blacklist, you can set the IP address, aging time, and VPN instance. The aging time is the period for which the IP address remains effective after it is added to the blacklist. When the IP address expires, it is released from the blacklist. If the aging time is not specified, the IP address is always valid in the blacklist.

An IP address can be added to the blacklist regardless of whether the blacklist is enabled. That is, even if the blacklist is not enabled, you can add entries, but the entries do not take effect until the blacklist is enabled.

You can add up to 32 entries to a blacklist.


NOTE

Blacklist entries without an aging time are added to the configuration file. Entries configured with an aging time are not added to the configuration file, but you can view them by using the display firewall blacklist command.

----End

Follow-up Procedure

Run the firewall black-white-list save command to save the blacklist and whitelist to the specified configuration file.

3.5.4 Configuring Blacklist and Whitelist Using the Configuration File

You can configure blacklist and whitelist entries in a batch by loading the configuration file.

Prerequisites

The configuration file for storing the blacklist and whitelist is available.

Context

The configuration file must be in txt format, and the contents are as follows:

[FirewallBlacklist]   # A blacklist entry
IPAddress =           # An IP address in the blacklist, in dotted decimal notation
VPNName =             # (Optional) VPN instance of the blacklist
[FirewallWhitelist]   # A whitelist entry
IPAddress =           # An IP address in the whitelist, in dotted decimal notation
VPNName =             # (Optional) VPN instance of the whitelist, in dotted decimal notation

A configuration file can contain multiple entries, but each entry must be edited separately. Blank lines are allowed between lines.

[FirewallBlacklist]
IPAddress = 210.10.10.1
VPNName = vpna
[FirewallBlacklist]
IPAddress = 220.10.10.2
VPNName =

[FirewallWhitelist]
IPAddress = 10.10.10.1
VPNName = vpnb
[FirewallWhitelist]
IPAddress = 20.20.20.1
VPNName =

NOTE

A configuration file can contain up to 50000 lines.

Procedure

Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
firewall black-white-list load configuration-file configuration-file-name

The blacklist and whitelist configuration file is loaded.

The configured blacklist takes effect only after you run the firewall blacklist enable command to enable the blacklist.

The entries in the whitelist take effect directly; you do not need to enable the whitelist function.

A blacklist supports up to 32 entries, and a whitelist supports up to 32 entries.

----End

Follow-up Procedure

Run the firewall black-white-list save command to save the blacklist and whitelist to the specified configuration file so that they can be loaded next time.

3.5.5 Checking the Configuration

After the blacklist is configured, you can view information about the blacklist.

Procedure

l Run the display firewall blacklist command to view information about the blacklist.

----End

Example

Run the display firewall blacklist command to view information about the blacklist.

<Huawei> display firewall blacklist all
Firewall blacklist items :
------------------------------------------------------------------------
IP-Address       Reason     Expire-Time(m)   VPN-Instance
------------------------------------------------------------------------
10.1.1.1         Manual     100
------------------------------------------------------------------------
 Total number is : 1

3.6 Configuring the Whitelist

Whitelists are applicable to networks where devices send valid service packets that resemble IP address or port scanning attack packets. Whitelists prevent these devices from being added to the blacklist.

3.6.1 Establishing the Configuration Task

Before configuring the whitelist, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.


Applicable Environment

Whitelists are applicable to networks where some devices send valid service packets that resemble IP address scanning or port scanning attack packets. Whitelists prevent these devices from being added to the blacklist.

If you add the VPN and IP address of a host to the whitelist, the firewall does not check the packets sent by the host that look like IP address scanning or port scanning attacks, and does not add the IP address to the blacklist.

Pre-configuration Tasks

Before configuring the whitelist, complete the following tasks:

l Configuring zones and adding interfaces to the zones

l Configuring the interzone and enabling the firewall function in the interzone

Data Preparation

To configure the whitelist, you need the following data.

No.  Data
1    IP address that you want to add to the whitelist
2    (Optional) Aging time of whitelist entries

3.6.2 Adding Entries to the Whitelist Manually

The entries in the whitelist take effect directly; you do not need to enable the whitelist function.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall whitelist ip-address [ vpn-instance vpn-instance-name ] [ expire-time minutes ]

An entry is added to the whitelist.

By running this command, you can add an entry to the whitelist manually. You can specify the IP address, VPN instance, and aging time when adding the entry. The aging time is the period for which the IP address remains effective after it is added to the whitelist. When the IP address expires, it is released from the whitelist. If the aging time is not specified, the IP address is always valid in the whitelist.

You can create up to 32 entries in the whitelist.

----End


Follow-up Procedure

Run the firewall black-white-list save command to save the blacklist and whitelist to the specified configuration file so that they can be loaded next time.

3.6.3 Configuring Blacklist and Whitelist Using the Configuration File

You can configure blacklist and whitelist entries in a batch by loading the configuration file.

Prerequisites

The configuration file for storing the blacklist and whitelist is available.

Context

The configuration file must be in txt format, and the contents are as follows:

[FirewallBlacklist]   # A blacklist entry
IPAddress =           # An IP address in the blacklist, in dotted decimal notation
VPNName =             # (Optional) VPN instance of the blacklist
[FirewallWhitelist]   # A whitelist entry
IPAddress =           # An IP address in the whitelist, in dotted decimal notation
VPNName =             # (Optional) VPN instance of the whitelist, in dotted decimal notation

A configuration file can contain multiple entries, but each entry must be edited separately. Blank lines are allowed between lines.

[FirewallBlacklist]
IPAddress = 210.10.10.1
VPNName = vpna
[FirewallBlacklist]
IPAddress = 220.10.10.2
VPNName =

[FirewallWhitelist]
IPAddress = 10.10.10.1
VPNName = vpnb
[FirewallWhitelist]
IPAddress = 20.20.20.1
VPNName =

NOTE

A configuration file can contain up to 50000 lines.
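The following Python parser is an added example and not part of Huawei's software. It reads a file in the format described in 3.5.4 and 3.6.3 above and applies the stated limits: dotted-decimal IPv4 addresses, at most 32 entries per list, and at most 50000 lines. The function name, the error-reporting style and the embedded sample file are this example's own; the sample mirrors the layout shown above.

```python
"""Parser for the blacklist/whitelist batch configuration file (sections 3.5.4 and 3.6.3).
Added example, not Huawei code."""
import ipaddress

MAX_LINES = 50000      # file size limit stated in the guide
MAX_ENTRIES = 32       # per-list limit stated in the guide
SECTIONS = {"[FirewallBlacklist]": "blacklist", "[FirewallWhitelist]": "whitelist"}


def parse_black_white_list(text):
    """Return ({"blacklist": [(ip, vpn)], "whitelist": [(ip, vpn)]}, errors).

    vpn is None when VPNName is empty. Entries with problems are reported in
    errors (with their line number) and skipped rather than loaded partially.
    """
    lists = {"blacklist": [], "whitelist": []}
    errors = []
    lines = text.splitlines()
    if len(lines) > MAX_LINES:
        errors.append(f"file has {len(lines)} lines, limit is {MAX_LINES}")
        return lists, errors

    state = {"list": None, "entry": None}

    def flush():
        """Commit the entry being built, enforcing the per-list limit."""
        entry, target = state["entry"], state["list"]
        state["entry"] = None
        if entry is None:
            return
        if "ip" not in entry:
            errors.append(f"line {entry['start']}: entry has no valid IPAddress")
        elif len(lists[target]) >= MAX_ENTRIES:
            errors.append(f"line {entry['start']}: {target} already has {MAX_ENTRIES} entries")
        else:
            lists[target].append((entry["ip"], entry.get("vpn")))

    for lineno, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue                               # blank lines are allowed
        if line in SECTIONS:
            flush()
            state["list"] = SECTIONS[line]
            state["entry"] = {"start": lineno}
            continue
        if state["entry"] is None:
            errors.append(f"line {lineno}: key outside of an entry header")
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep:
            errors.append(f"line {lineno}: expected 'key = value'")
        elif key == "IPAddress":
            try:
                state["entry"]["ip"] = str(ipaddress.IPv4Address(value))
            except ipaddress.AddressValueError:
                errors.append(f"line {lineno}: {value!r} is not a dotted-decimal IPv4 address")
        elif key == "VPNName":
            state["entry"]["vpn"] = value or None
        else:
            errors.append(f"line {lineno}: unknown key {key!r}")
    flush()
    return lists, errors


# Constructed sample mirroring the layout shown in the guide (not a real file).
SAMPLE = """\
[FirewallBlacklist]
IPAddress = 210.10.10.1
VPNName = vpna
[FirewallBlacklist]
IPAddress = 220.10.10.2
VPNName =

[FirewallWhitelist]
IPAddress = 10.10.10.1
VPNName = vpnb
[FirewallWhitelist]
IPAddress =20.20.20.1
VPNName =
"""

if __name__ == "__main__":
    parsed, problems = parse_black_white_list(SAMPLE)
    print(parsed)
    print(problems)
```

Validating the file before loading it on the device avoids a partial load: the parser reports every bad address, stray key and over-limit entry with its line number, so a 33rd blacklist entry or a typo such as 300.1.1.1 is caught offline.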

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall black-white-list load configuration-file configuration-file-name

The blacklist and whitelist configuration file is loaded.

The configured blacklist takes effect only after you run the firewall blacklist enable command to enable the blacklist.


The entries in the whitelist take effect directly; you do not need to enable the whitelist function.

A blacklist supports up to 32 entries, and a whitelist supports up to 32 entries.

----End

Follow-up Procedure

Run the firewall black-white-list save command to save the blacklist and whitelist to the specified configuration file so that they can be loaded next time.

3.6.4 Checking the Configuration

After the whitelist is configured, you can view information about the whitelist.

Procedure

l Run the display firewall whitelist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name } command to view information about the whitelist.

----End

Example

Run the display firewall whitelist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name } command to view information about the whitelist.

<Huawei> display firewall whitelist all
Firewall whitelist items :
------------------------------------------------------------------------
IP-Address       Expire-Time(m)   Vpn-Instance
------------------------------------------------------------------------
1.1.1.1          3                vpn1
1.1.1.2          Permanent        vpn2
1.1.1.3          6
------------------------------------------------------------------------
 Total number is : 3

3.7 Configuring ASPF

The ASPF function can detect sessions that attempt to traverse the application layer and deny the undesired packets. In addition, ASPF enables application protocols that cannot traverse firewalls to function properly.

3.7.1 Establishing the Configuration Task

Before configuring ASPF, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

When data is transmitted between two zones, ASPF checks the packets at the application layer and discards the unmatched packets.


Pre-configuration Tasks

Before configuring ASPF, complete the following tasks:

l Configuring zones and adding interfaces to the zones

l Configuring the interzone and enabling the firewall function in the interzone

Data Preparation

To configure ASPF, you need the following data.

No.  Data
1    Names of the two zones
2    Type of the application protocol
3    (Optional) Aging time of the session table for each application layer protocol

3.7.2 Configuring ASPF Detection

ASPF can detect and filter FTP, HTTP, SIP, and RTSP packets at the application layer.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall interzone zone-name1 zone-name2

The interzone view is displayed.

Step 3 Run:
detect aspf { all | ftp | http [ activex-blocking | java-blocking ] | rtsp | sip }

ASPF is configured.

Generally, the application-layer protocol packets are exchanged between the two parties in communication, so the direction does not need to be configured. The AR200-S automatically checks the packets in both directions.

By default, ASPF is not configured in the interzone.

----End

3.7.3 Checking the Configuration

After ASPF is configured, you can view information about ASPF.


Procedure

l Run the display firewall interzone [ zone-name1 zone-name2 ] command to view ASPF information of the interzone.

----End

Example

Run the display firewall interzone [ zone-name1 zone-name2 ] command to view the ASPF information of the interzone.

<Huawei> display firewall interzone
interzone zone2 zone1
 firewall enable
 packet-filter default permit outbound
 packet-filter default permit inbound
 session-log 2006 inbound
 detect aspf ftp
 detect aspf sip
 detect aspf rtsp
 detect aspf http
 detect aspf http java-blocking
 detect aspf http activex-blocking

total number is : 1

3.8 Configuring Port Mapping

Port mapping defines new port numbers for different application-layer protocols, protecting the server against service-specific attacks.

3.8.1 Establishing the Configuration Task

Before configuring port mapping, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

Through port mapping, the firewall can identify packets of application-layer protocols that use non-well-known ports. The port mapping function can be applied to features sensitive to application-layer protocols, such as ASPF. Port mapping is applicable to application-layer protocols such as FTP, DNS, HTTP, SIP, and RTSP.

Port mapping is implemented based on the ACL. Only the packets matching an ACL rule are mapped. Port mapping employs the basic ACL (2000 to 2999). In the ACL-based packet filtering, the AR200-S matches the destination IP address of the packet with the IP address configured in the basic ACL rule.

NOTE

Port mapping is applied only to the data within the interzone; therefore, when configuring port mapping, you must configure the zones and interzone.

Pre-configuration Tasks

Before configuring port mapping, complete the following tasks:


l Configuring zones and adding interfaces to the zones

l Configuring the interzone and enabling the firewall function in the interzone

l Creating the basic ACL and configuring ACL rules

Data Preparation

To configure port mapping, you need the following data.

No.  Data
1    Type of application-layer protocol
2    User-defined port to be mapped
3    Number of the basic ACL

3.8.2 Configuring Port Mapping

Port mapping maps protocols to ports based on a basic ACL.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
port-mapping { dns | ftp | http | sip | rtsp } port port-number acl acl-number

Port mapping is configured.

You can map multiple ports to a protocol, or map a port to multiple protocols. The mappings, however, must be distinguished by the ACL. That is, packets matching different ACL rules use different mapping entries.

NOTE

Port mapping identifies the protocol type of the packets destined for an IP address (such as the IP address of a WWW server); therefore, when configuring the basic ACL rules, you need to match the destination IP addresses of the packets with the source IP addresses defined in the ACL rules.

----End
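The following Python model is an added example, not Huawei code, illustrating how port mapping resolves a packet's application protocol from its destination port and a basic ACL (3.8.1 and 3.8.2 above). It encodes the two points the guide makes: mappings on the same port are told apart by their ACL, and the packet's destination IP address is tested against the source IP field of the basic ACL rule. The class and function names are this example's own; of the system-defined entries only dns 53 is shown in the guide, the other well-known ports are assumed, and the wildcard-mask semantics (0 bit must match, 1 bit is ignored) are the common basic-ACL form and an assumption here.

```python
"""Port-mapping lookup over a basic ACL (section 3.8). Added example, not Huawei code."""
import ipaddress

# System-defined mappings: the guide's output shows dns 53; the others are assumed.
SYSTEM_DEFINED = {53: "dns", 21: "ftp", 80: "http", 5060: "sip", 554: "rtsp"}


def _to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def acl_matches(rule_ip, wildcard, packet_ip):
    """Basic ACL rule test: address bits that are 0 in the wildcard must match (assumed semantics)."""
    mask = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(rule_ip) & mask) == (_to_int(packet_ip) & mask)


class PortMapper:
    def __init__(self):
        self.acls = {}       # acl-number -> list of (action, source-ip, wildcard)
        self.mappings = []   # (protocol, port, acl-number), one per port-mapping command

    def acl_rule(self, number, action, ip, wildcard="0.0.0.0"):
        """Add a rule to a basic ACL; port mapping only accepts ACLs 2000 to 2999."""
        if not 2000 <= number <= 2999:
            raise ValueError("port mapping requires a basic ACL (2000-2999)")
        self.acls.setdefault(number, []).append((action, ip, wildcard))

    def port_mapping(self, protocol, port, acl_number):
        """Equivalent of port-mapping <protocol> port <port> acl <acl-number>."""
        if protocol not in SYSTEM_DEFINED.values():
            raise ValueError(f"unsupported protocol {protocol!r}")
        self.mappings.append((protocol, port, acl_number))

    def classify(self, dst_ip, dst_port):
        """Return the application protocol for a packet, or None.

        The packet's destination IP is checked against the source IP field of
        the basic ACL rules, as the NOTE in 3.8.2 requires. The first user-defined
        mapping whose port and ACL match wins; otherwise the system-defined table applies.
        """
        for protocol, port, acl_number in self.mappings:
            if port != dst_port:
                continue
            for action, ip, wildcard in self.acls.get(acl_number, []):
                if acl_matches(ip, wildcard, dst_ip):
                    if action == "permit":
                        return protocol
                    break            # a matching deny rule: this mapping does not apply
        return SYSTEM_DEFINED.get(dst_port)


if __name__ == "__main__":
    pm = PortMapper()
    pm.acl_rule(2001, "permit", "192.0.2.0", "0.0.0.255")   # constructed web-server subnet
    pm.port_mapping("http", 8080, 2001)
    print(pm.classify("192.0.2.10", 8080))     # http
    print(pm.classify("198.51.100.1", 8080))   # None: no mapping, not a well-known port
```

The point of the second test case is the one the guide's NOTE warns about: a rule written for the client's address rather than the server's will never match, because it is the destination address of the packet that is compared with the ACL.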

3.8.3 Checking the Configuration

After port mapping is configured, you can view information about port mapping.

Procedure

l Run the display port-mapping [ dns | ftp | http | rtsp | sip | port port-number ] command to view information about port mapping.

----End


Example

Run the display port-mapping [ dns | ftp | http | rtsp | sip | port port-number ] command to view information about port mapping.

<Huawei> display port-mapping dns
-------------------------------------------------
 Service   Port   Acl   Type
-------------------------------------------------
 dns       53           system defined
-------------------------------------------------
 Total number is : 1

3.9 Configuring the Aging Time of the Firewall Session Table

3.9.1 Establishing the Configuration Task

Before configuring the aging time of the firewall session table, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

The AR200-S creates a session table for the data flows of each protocol, such as TCP, UDP, and ICMP, to record the connection status of the protocol. The aging time is set for the session table of the firewall. If a record in the session table does not match any packet within the aging time, the system deletes the record.

To change the aging time of protocol sessions, set the aging time of the firewall session table.

Data Preparation

To set the aging time of the firewall session table, you need the following data.

No.  Data
1    Aging time of the session table of each application-layer protocol

3.9.2 Configuring the Aging Time of the Firewall Session Table

If a session entry is not used within the specified period, the session becomes invalid.

Procedure

Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
firewall-nat session { dns | ftp | ftp-data | http | icmp | tcp | tcp-proxy | udp | sip | sip-media | rtsp | rtsp-media } aging-time time-value

The aging time of the firewall session table is set.

By default, the aging time of each protocol is as follows:

l DNS: 120 seconds
l FTP: 120 seconds
l FTP-data: 120 seconds
l HTTP: 120 seconds
l ICMP: 20 seconds
l TCP: 600 seconds
l TCP-proxy: 10 seconds
l UDP: 40 seconds
l SIP: 1800 seconds
l SIP-media: 120 seconds
l RTSP: 60 seconds
l RTSP-media: 120 seconds

NOTE

In general, you do not need to change the aging time of a session table.

----End
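The following Python model is an added example, not Huawei code, showing the aging rule stated in 3.9.1 and 3.9.2: a session entry is refreshed by every matching packet and deleted once no packet has matched it for its protocol's aging time. The default aging times are the ones listed above; the five-tuple key, the class and method names, and the constructed session keys are this example's own assumptions.

```python
"""Firewall session table with per-protocol aging time (section 3.9).
Added example, not Huawei code."""

# Default aging times (seconds) as listed in the guide for firewall-nat session ... aging-time.
DEFAULT_AGING_S = {
    "dns": 120, "ftp": 120, "ftp-data": 120, "http": 120, "icmp": 20,
    "tcp": 600, "tcp-proxy": 10, "udp": 40, "sip": 1800, "sip-media": 120,
    "rtsp": 60, "rtsp-media": 120,
}


class SessionTable:
    def __init__(self, aging=None):
        self.aging = dict(DEFAULT_AGING_S)
        self.aging.update(aging or {})
        self.sessions = {}   # session key (assumed five-tuple) -> (protocol, last_seen)

    def set_aging_time(self, protocol, seconds):
        """Model of firewall-nat session <protocol> aging-time <time-value>."""
        if protocol not in self.aging:
            raise ValueError(f"unknown session protocol {protocol!r}")
        self.aging[protocol] = seconds

    def packet(self, now, key, protocol):
        """Match a packet to its session, creating the entry if it is new.

        Returns True when a new entry was created. A matching packet refreshes
        the entry's timer, which is what keeps a live session from aging out.
        """
        self.expire(now)
        new = key not in self.sessions
        self.sessions[key] = (protocol, now)
        return new

    def expire(self, now):
        """Delete entries that saw no packet within their protocol's aging time; return the count."""
        stale = [k for k, (proto, seen) in self.sessions.items()
                 if now - seen >= self.aging[proto]]
        for k in stale:
            del self.sessions[k]
        return len(stale)


if __name__ == "__main__":
    table = SessionTable()
    # Constructed session: client 10.0.0.1 to web server 198.51.100.5, tracked as HTTP.
    key = ("10.0.0.1", 40000, "198.51.100.5", 80, "tcp")
    table.packet(0, key, "http")
    print(table.expire(119), table.expire(120))   # 0 then 1: deleted at the 120 s HTTP default
```

Lowering an aging time shrinks the window in which an idle entry keeps a hole open through the firewall, at the cost of dropping slow but legitimate flows; the guide's NOTE that the defaults rarely need changing reflects that trade-off.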

3.9.3 Checking the Configuration

After the aging time of the firewall session table is set, you can view the aging time.

Procedure

l Run the display firewall-nat session aging-time command to view the aging time of the firewall session table.

----End

Example

Run the display firewall-nat session aging-time command to view the aging time of the firewall session table.

<Huawei> display firewall-nat session aging-time
---------------------------------------------
 tcp protocol timeout        : 60 (s)
 tcp-proxy timeout           : 60 (s)
 udp protocol timeout        : 40 (s)
 icmp protocol timeout       : 20 (s)
 dns protocol timeout        : 120 (s)
 http protocol timeout       : 120 (s)
 ftp protocol timeout        : 120 (s)
 ftp-data protocol timeout   : 120 (s)
 rtsp protocol timeout       : 60 (s)
 rtsp-media protocol timeout : 120 (s)
 sip protocol timeout        : 1800 (s)
 sip-media protocol timeout  : 120 (s)
---------------------------------------------

3.10 Configuring the Attack Defense Function

The AR200-S attack defense function prevents attacks to the CPU. It ensures that the server operates normally even when it is attacked.

3.10.1 Establishing the Configuration Task

Before configuring the attack defense function, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

On the AR200-S, you can enable the attack defense function for the protected area. The protected area may be zones or IP addresses.

Pre-configuration Tasks

Before configuring the attack defense function, complete the following tasks:

l Configuring zones and adding interfaces to the zones

l Configuring the interzone and enabling the firewall function in the interzone

Data Preparation

To configure the attack defense function, you need the following data.

No.  Data
1    Attack type, a specified type or all types
3    Status of the TCP proxy that prevents SYN Flood attacks: always enabled, always disabled, or auto enabled (automatically enabled when the session rate exceeds the threshold)
4    Timeout of the blacklist and maximum session rate to prevent scanning attacks (IP address sweeping and port scanning)
5    Maximum packet length to prevent a large ICMP packet attack

3.10.2 Enabling the Attack Defense Function

Context

Steps 2-19 are optional and can be performed in any sequence. You can select these steps to defend against different types of attacks.


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall defend all enable

All the attack defense functions are enabled.

Step 3 Run:
firewall defend fraggle enable

The Fraggle attack defense is enabled.

Step 4 Run:
firewall defend icmp-flood enable

The ICMP Flood attack defense is enabled.

After the parameters for ICMP Flood attack defense are set, you must enable the ICMP Flood attack defense function; otherwise, the AR200-S does not detect the attack packets or take attack defense measures.

Step 5 Run:
firewall defend icmp-redirect enable

The ICMP Redirect attack defense is enabled.

Step 6 Run:
firewall defend icmp-unreachable enable

The ICMP Unreachable attack defense is enabled.

Step 7 Run:
firewall defend ip-fragment enable

The IP-Fragment attack defense is enabled.

Step 8 Run:
firewall defend ip-sweep enable

The IP address sweeping attack defense is enabled.

After the parameters for IP address sweeping attack defense are set, you must enable the IP address sweeping attack defense function; otherwise, the AR200-S does not detect the attack packets or take attack defense measures.

Step 9 Run:
firewall defend land enable

The Land attack defense is enabled.

Step 10 Run:
firewall defend large-icmp enable

The large ICMP packet attack defense is enabled.


After the maximum length of ICMP packets is set, you must enable the large ICMP packet attack defense function; otherwise, the AR200-S does not detect the attack packets or take attack defense measures.

Step 11 Run:
firewall defend ping-of-death enable

The Ping of Death attack defense is enabled.

Step 12 Run:
firewall defend port-scan enable

The port scanning attack defense is enabled.

After the parameters for port scanning attack defense are set, you must enable the port scanning attack defense function; otherwise, the AR200-S does not detect the attack packets or take attack defense measures.

Step 13 Run:
firewall defend smurf enable

The Smurf attack defense is enabled.

Step 14 Run:
firewall defend syn-flood enable

The SYN Flood attack defense is enabled.

After the parameters for SYN Flood attack defense are set, you must enable the SYN Flood attack defense function; otherwise, the AR200-S does not detect the attack packets or take attack defense measures.

Step 15 Run:
firewall defend tcp-flag enable

The TCP flag attack defense is enabled.

Step 16 Run:
firewall defend teardrop enable

The Teardrop attack defense is enabled.

Step 17 Run:
firewall defend tracert enable

The Tracert attack defense is enabled.

Step 18 Run:
firewall defend udp-flood enable

The UDP Flood attack defense is enabled.

After the parameters for UDP Flood attack defense are set, you must enable the UDP Flood attack defense function; otherwise, the AR200-S does not detect the attack packets or take attack defense measures.

Step 19 Run:
firewall defend winnuke enable

The WinNuke attack defense is enabled.


By default, no attack defense function is enabled.

----End

3.10.3 Setting the Parameters for Flood Attack Defense

Context

Steps 2-4 are optional and can be performed in any sequence. You can select these steps to defend against different types of Flood attacks.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall defend icmp-flood { ip ip-address [ vpn-instance vpn-instance-name ] | zone zone-name } [ max-rate rate-value ]

The parameters for ICMP Flood attack defense are set.

Step 3 Run:
firewall defend syn-flood { ip ip-address [ vpn-instance vpn-instance-name ] | zone zone-name } [ max-rate rate-value ] | [ tcp-proxy { auto | off | on } ]

The parameters for SYN Flood attack defense are set.

Step 4 Run:
firewall defend udp-flood { ip ip-address [ vpn-instance vpn-instance-name ] | zone zone-name } [ max-rate rate-value ]

The parameters for UDP Flood attack defense are set.

To prevent Flood attacks, you need to specify the zones or IP addresses to be protected; otherwise, the attack defense parameters are invalid. You can also specify the maximum session rate. When the session rate exceeds the limit, the AR200-S considers that an attack occurs and takes measures.

For Flood attack defense, the priority of IP addresses is higher than the priority of zones. If Flood attack defense is enabled for both a specified IP address and the zone where the IP address resides, the attack defense for the IP address takes effect. If you cancel the attack defense for the IP address, the attack defense for the zone takes effect.

By default, the maximum session rate for Flood attacks is 1000 pps, and the TCP proxy is enabled for the SYN Flood attack defense.

For Flood attack defense, you can specify up to 32 IP addresses to protect.

----End
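The following Python model is an added example, not Huawei code, showing how the Flood attack defense parameters described in 3.10.3 resolve when both an IP address and its zone are protected: the IP-level setting wins, the zone setting takes over once the IP-level one is cancelled, the default limit is 1000 pps, and at most 32 IP addresses can be protected. The class and method names and the "observed pps" input are this example's own assumptions; the model covers the session-rate threshold only, not the TCP proxy option.

```python
"""Resolution of Flood attack defense parameters (section 3.10.3).
Added example, not Huawei code."""

DEFAULT_MAX_RATE = 1000   # pps, the guide's default maximum session rate
MAX_PROTECTED_IPS = 32    # the guide's limit on protected IP addresses


class FloodDefense:
    def __init__(self):
        self.zones = {}   # zone-name -> max_rate
        self.ips = {}     # (ip, vpn) -> max_rate

    def protect_zone(self, zone, max_rate=DEFAULT_MAX_RATE):
        """Model of firewall defend <type> zone <zone-name> [ max-rate ... ]."""
        self.zones[zone] = max_rate

    def protect_ip(self, ip, vpn=None, max_rate=DEFAULT_MAX_RATE):
        """Model of firewall defend <type> ip <ip-address> [ vpn-instance ... ] [ max-rate ... ]."""
        if (ip, vpn) not in self.ips and len(self.ips) >= MAX_PROTECTED_IPS:
            raise ValueError(f"at most {MAX_PROTECTED_IPS} IP addresses can be protected")
        self.ips[(ip, vpn)] = max_rate

    def unprotect_ip(self, ip, vpn=None):
        """Cancel the IP-level defense; the zone-level setting then applies."""
        self.ips.pop((ip, vpn), None)

    def effective_max_rate(self, ip, zone, vpn=None):
        """IP-level setting has priority; otherwise the zone's; None if neither is protected."""
        if (ip, vpn) in self.ips:
            return self.ips[(ip, vpn)]
        return self.zones.get(zone)

    def is_attack(self, ip, zone, observed_pps, vpn=None):
        """True when the session rate toward the target exceeds its effective limit."""
        limit = self.effective_max_rate(ip, zone, vpn)
        return limit is not None and observed_pps > limit


if __name__ == "__main__":
    fd = FloodDefense()
    fd.protect_zone("trust")                       # zone protected at the 1000 pps default
    fd.protect_ip("10.1.1.10", max_rate=200)       # one server in that zone held tighter
    print(fd.effective_max_rate("10.1.1.10", "trust"))   # 200
    fd.unprotect_ip("10.1.1.10")
    print(fd.effective_max_rate("10.1.1.10", "trust"))   # 1000, the zone setting takes over
```

A host that is in no protected zone and has no IP-level entry gets no limit at all, which is the guide's point that the parameters are invalid until a zone or IP address is specified.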

3.10.4 Configuring Large ICMP Packet Attack Defense


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall defend large-icmp max-length length

The parameter for large ICMP packet attack defense is set.

For large ICMP packet attack defense, only one parameter needs to be set, namely the maximum packet length. When the length of an ICMP packet exceeds the limit, the AR200-S considers that an attack occurs and discards the packet.

By default, the maximum length of an ICMP packet is 4000 bytes.

----End

3.10.5 Setting Parameters for Scanning Attack Defense

Context

Step 2 and step 3 are optional and can be performed in any sequence. You can select these steps to defend against different types of scanning attacks.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall defend ip-sweep { blacklist-expire-time interval | max-rate rate-value }

The parameters for IP address sweep attack defense are set.

Step 3 Run:
firewall defend port-scan { blacklist-expire-time interval | max-rate rate-value }

The parameters for port scanning attack defense are set.

For scanning attack defense, the following two parameters need to be set:

l Maximum session rate: When the session rate of an IP address or a port exceeds the limit, the AR200-S considers that a scanning attack occurs, adds the IP address to the blacklist, and denies new sessions from the IP address or port.

l Blacklist timeout: When the duration of an IP address in the blacklist exceeds the limit, the AR200-S deletes the IP address from the blacklist and allows new sessions from the IP address or port.

By default, the maximum session rate for IP address sweeping and port scanning attack defense is 4000 pps, and the blacklist timeout is 20 minutes.

----End
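The following Python simulation is an added example, not Huawei code. It ties together the behaviour described in 3.5 (manual and dynamic blacklist entries, aging, the blacklist enable switch), 3.6 (whitelisted hosts are never blacklisted) and 3.10.5 (scanning defense by maximum session rate with a blacklist timeout). The guide's defaults of 4000 pps and 20 minutes are used as the constructor defaults; the one-second rate window, the "sessions per second per source" model, and the class and method names are this example's own assumptions. The sample addresses are constructed.

```python
"""Dynamic blacklist, whitelist and aging interaction (sections 3.5, 3.6, 3.10.5).
Added example, not Huawei code."""


class BlacklistFirewall:
    """Tracks per-source new-session rate and applies blacklist/whitelist rules."""

    def __init__(self, max_rate=4000, blacklist_expire_min=20, blacklist_enabled=False):
        self.max_rate = max_rate                     # sessions per second (guide default 4000 pps)
        self.expire_s = blacklist_expire_min * 60    # scanning-defense blacklist timeout (default 20 min)
        self.blacklist_enabled = blacklist_enabled   # disabled by default, see 3.5.2
        self.blacklist = {}   # (ip, vpn) -> {"expire": timestamp or None, "reason": str}
        self.whitelist = {}   # (ip, vpn) -> expire timestamp or None
        self._window = {}     # (ip, vpn) -> (window_start, session_count); assumed 1 s window

    # Manual administration, modelling firewall blacklist / firewall whitelist.
    def add_blacklist(self, ip, vpn=None, expire_min=None, now=0.0):
        expire = None if expire_min is None else now + expire_min * 60
        self.blacklist[(ip, vpn)] = {"expire": expire, "reason": "Manual"}

    def add_whitelist(self, ip, vpn=None, expire_min=None, now=0.0):
        self.whitelist[(ip, vpn)] = None if expire_min is None else now + expire_min * 60

    def _age_out(self, now):
        """Remove entries whose aging time has passed; permanent entries have expire None."""
        for key in [k for k, v in self.blacklist.items()
                    if v["expire"] is not None and v["expire"] <= now]:
            del self.blacklist[key]
        for key in [k for k, v in self.whitelist.items() if v is not None and v <= now]:
            del self.whitelist[key]

    def new_session(self, now, src_ip, vpn=None):
        """Decide 'permit' or 'deny' for a packet that opens a new session."""
        self._age_out(now)
        key = (src_ip, vpn)
        if self.blacklist_enabled and key in self.blacklist:
            return "deny"
        start, count = self._window.get(key, (now, 0))
        if now - start >= 1.0:                   # new one-second window (assumption)
            start, count = now, 0
        count += 1
        self._window[key] = (start, count)
        if count > self.max_rate and key not in self.whitelist:
            # Scanning detected: record a dynamic entry with the defense's timeout.
            # The entry is recorded even when the blacklist is disabled, but it only
            # filters traffic once the blacklist function is enabled (3.5.2).
            self.blacklist.setdefault(key, {"expire": now + self.expire_s, "reason": "Dynamic"})
            return "deny" if self.blacklist_enabled else "permit"
        return "permit"

    def display_blacklist(self, now):
        """Rows shaped like display firewall blacklist all: (ip, reason, expire minutes, vpn)."""
        self._age_out(now)
        rows = []
        for (ip, vpn), v in self.blacklist.items():
            remaining = "Permanent" if v["expire"] is None else int((v["expire"] - now) // 60)
            rows.append((ip, v["reason"], remaining, vpn or ""))
        return rows


if __name__ == "__main__":
    fw = BlacklistFirewall(max_rate=4, blacklist_expire_min=20, blacklist_enabled=True)
    fw.add_whitelist("10.0.0.9")                       # constructed: a monitoring host
    print([fw.new_session(0.1 * i, "10.0.0.5") for i in range(6)])   # constructed scanner
    print([fw.new_session(0.1 * i, "10.0.0.9") for i in range(6)])   # whitelisted, all permit
    print(fw.display_blacklist(0.5))
```

The whitelist case is why the guide recommends it for hosts whose legitimate traffic looks like a scan: a vulnerability scanner or monitoring probe that opens many sessions per second would otherwise be cut off for the full blacklist timeout.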


3.10.6 Checking the ConfigurationAfter the attack defense is configured, you can view information about attack defense.

Procedurel Run the display firewall defend { flag | { icmp-flood | syn-flood | udp-flood } [ ip [ ip-

address [ vpn-instance vpn-instance-name ] ] | zone [ zone-name ] ] | other-attack-type }command to view information about attack defense.

----End

Example

Run the display firewall defend { flag | { icmp-flood | syn-flood | udp-flood } [ ip [ ip-address [ vpn-instance vpn-instance-name ] ] | zone [ zone-name ] ] | other-attack-type }command to view information about attack defense.

# View the status of each attack defense function.

<Huawei> display firewall defend flag-------------------------------- Type Flag-------------------------------- land : disable smurf : disable fraggle : disable winnuke : disable syn-flood : disable udp-flood : disable icmp-flood : disable icmp-redirect : disable icmp-unreachable : disable ip-sweep : disable port-scan : disable tracert : disable ping-of-death : disable teardrop : disable tcp-flag : disable ip-fragment : disable large-icmp : disable--------------------------------

# View the configuration of IP address sweep attack defense.

<Huawei> display firewall defend ip-sweep
 defend-flag : disable
 max-rate : 4000 (pps)
 blacklist-expire-time : 20 (m)
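The flag table above is what you audit after enabling attack defense: every line that still reads "disable" is a defense the router is not applying. The Python below is added here as an example; it is not part of this guide or of Huawei's software. It parses the table into a dictionary and reports which defenses from a baseline list are still disabled. The sample output and the baseline are constructed for the demo (the baseline is an editorial choice for an Internet-facing interzone, not a setting taken from the guide).

```python
import re

# Constructed sample in the layout printed by "display firewall defend flag";
# the enable/disable values are assumptions for this demo.
SAMPLE_FLAG_OUTPUT = """\
<Huawei> display firewall defend flag
--------------------------------
 Type                  Flag
--------------------------------
 land                  : disable
 smurf                 : disable
 fraggle               : disable
 winnuke               : disable
 syn-flood             : enable
 udp-flood             : disable
 icmp-flood            : disable
 icmp-redirect         : disable
 icmp-unreachable      : disable
 ip-sweep              : enable
 port-scan             : enable
 tracert               : disable
 ping-of-death         : disable
 teardrop              : disable
 tcp-flag              : disable
 ip-fragment           : disable
 large-icmp            : disable
--------------------------------
"""

# One table row: "<attack-type> : enable|disable"; the prompt, the header row
# and the dashed separators carry no colon and are skipped.
FLAG_LINE = re.compile(r"^\s*([a-z][a-z0-9-]*)\s*:\s*(enable|disable)\s*$")


def parse_defend_flags(output: str) -> dict:
    """Return {attack_type: True if enabled} from the 'display firewall defend flag' table."""
    flags = {}
    for line in output.splitlines():
        m = FLAG_LINE.match(line)
        if m:
            flags[m.group(1)] = (m.group(2) == "enable")
    return flags


# Defenses expected on an Internet-facing interzone (editorial baseline, assumption).
BASELINE = ("syn-flood", "udp-flood", "icmp-flood", "ip-sweep", "port-scan",
            "ping-of-death", "teardrop", "land", "smurf")


def audit_defend_flags(output: str, baseline=BASELINE) -> list:
    """Return, sorted, the baseline defenses that are disabled or absent from the output."""
    flags = parse_defend_flags(output)
    return sorted(t for t in baseline if not flags.get(t, False))


if __name__ == "__main__":
    print("disabled baseline defenses:", audit_defend_flags(SAMPLE_FLAG_OUTPUT))
```

Run it against the real output captured from the router (for example over the management session) instead of the constructed sample; an attack type missing from the table is reported the same way as a disabled one, so a firmware that prints fewer rows cannot silently pass the audit.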

3.11 Configuring Traffic Statistics and Monitoring

The AR200-S supports traffic statistics and monitoring at the system level, zone level, and IP address level.


3.11.1 Establishing the Configuration Task

Before configuring traffic statistics and monitoring, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

System-level traffic statistics and monitoring take effect on all the data flows in interzones that are enabled with the firewall feature. That is, the AR200-S collects statistics on packets of ICMP, TCP, TCP proxy, and UDP sessions in the interzones. When the number of sessions exceeds the threshold, the AR200-S restricts new sessions until the number of sessions is less than the threshold.

Zone-level traffic statistics and monitoring take effect on the data flows between zones. That is, the AR200-S counts the total number of TCP and UDP sessions between the local zone and other zones. When the number of sessions exceeds the threshold, the AR200-S restricts new sessions until the number of sessions is less than the threshold. Zone-level traffic statistics and monitoring can be configured in the inbound or outbound direction. The inbound direction (inzone) means that the AR200-S counts and monitors the sessions initiated by the local zone. The outbound direction (outzone) means that the AR200-S counts and monitors the sessions destined for this zone. Note that this convention is the reverse of what "inbound" usually suggests: inzone limits what the zone's own hosts open, not what arrives at them.

IP address-level traffic statistics and monitoring count and monitor the TCP and UDP sessions set up by an IP address in the zone. When the number of sessions set up by an IP address exceeds the threshold, the AR200-S restricts new sessions from that address until the number of sessions is less than the threshold. IP address-level traffic statistics and monitoring can be configured in the inbound or outbound direction. The inbound direction means that the AR200-S counts and monitors the sessions initiated by the IP address in the local zone. The outbound direction means that the AR200-S counts and monitors the sessions destined for this IP address.

Pre-configuration Tasks

Before configuring traffic statistics and monitoring, complete the following tasks:

• Configuring zones and adding interfaces to the zones

• Configuring the interzone and enabling the firewall function in the interzone

Data Preparation

To configure traffic statistics and monitoring, you need the following data.

No.  Data
1    Type of sessions to be monitored, including TCP and UDP
2    Session threshold (high and low values)
3    Direction of traffic statistics and monitoring


3.11.2 Enabling Traffic Statistics and Monitoring

You can enable traffic statistics and monitoring at the system level, zone level, or IP address level as needed.

Procedure

• Enabling system-level traffic statistics and monitoring

  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     firewall statistics system enable
     The system-level traffic statistics and monitoring is enabled.
     By default, the system-level traffic statistics and monitoring is disabled.

• Enabling zone-level traffic statistics and monitoring

  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     firewall zone zone-name
     The zone view is displayed.
  3. Run:
     statistics zone enable { inzone | outzone }
     The zone-level traffic statistics and monitoring is enabled.
     By default, the zone-level traffic statistics and monitoring is disabled.

• Enabling IP address-level traffic statistics and monitoring

  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     firewall zone zone-name
     The zone view is displayed.
  3. Run:
     statistics ip enable { inzone | outzone }
     The IP address-level traffic statistics and monitoring is enabled.
     By default, the IP address-level traffic statistics and monitoring is disabled.

----End

3.11.3 Setting the Session Thresholds

You can set the session thresholds for the system-level, zone-level, or IP address-level traffic statistics and monitoring as needed.


Procedure

• Setting the session thresholds for system-level traffic statistics and monitoring

  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     firewall statistics system enable
     The system-level traffic statistics and monitoring are enabled.
     By default, the system-level traffic statistics and monitoring is disabled.
  3. Run:
     firewall statistics system connect-number { frag | icmp | tcp | tcp-proxy | udp } high high-threshold low low-threshold
     The session thresholds for the system-level traffic statistics and monitoring are set.
     For the system-level traffic statistics, you can set the thresholds for each type of session. For example, you can set the upper threshold for TCP sessions to 15000 and the lower threshold to 12000. When the number of TCP sessions in all interzones exceeds 15000, the AR200-S denies all new TCP sessions in the interzones and reports an alarm to the information center. When the number of sessions falls below the lower threshold of 12000, the AR200-S generates a recovery log and sends it to the information center.
     By default, the upper threshold and lower threshold for each type of session are 16384 and 12288.

• Setting the session thresholds for zone-level traffic statistics and monitoring

  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     firewall zone zone-name
     The zone view is displayed.
  3. Run:
     statistics zone enable { inzone | outzone }
     The zone-level traffic statistics and monitoring are enabled.
     By default, the zone-level traffic statistics and monitoring is disabled.
  4. Run:
     statistics connect-number zone { inzone | outzone } { icmp | tcp | udp } high high-threshold low low-threshold
     The session thresholds for the zone-level traffic statistics and monitoring are set.
     You can set the thresholds for TCP and UDP sessions in the inbound and outbound directions. For example, you can set the upper threshold of inbound TCP sessions to 15000. When the number of TCP sessions initiated by this zone exceeds 15000, the AR200-S denies new TCP sessions from this zone.
     By default, the upper threshold and lower threshold for each type of session are 16384 and 12288.


• Setting the session thresholds for IP address-level traffic statistics and monitoring

  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     firewall zone zone-name
     The zone view is displayed.
  3. Run:
     statistics ip enable { inzone | outzone }
     The IP address-level traffic statistics and monitoring are enabled.
     By default, the IP address-level traffic statistics and monitoring is disabled.
  4. Run:
     statistics connect-number ip { inzone | outzone } { icmp | tcp | udp } high high-threshold low low-threshold
     The session thresholds for the IP address-level traffic statistics and monitoring are set.
     You can set the thresholds for TCP and UDP sessions in the inbound and outbound directions. For example, you can set the upper threshold for inbound TCP sessions to 10000. When the number of TCP sessions initiated from an IP address in the local zone exceeds 10000, the AR200-S denies new TCP sessions from this IP address.
     By default, the upper threshold and lower threshold for each type of session are 16384 and 12288.

----End
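The thresholds in this section come in high/low pairs, and the reason is hysteresis: the alarm and the restriction start when the high value would be exceeded, and the recovery log is only generated once the count has fallen below the low value, so a session count hovering around one number does not flap between alarm and recovery. The Python below is an added example, not code from this guide or from Huawei. It builds the command sequence for a system-, zone- or IP-level threshold (rejecting a low value that is not below the high value, and a session type the level does not accept), and it models the high/low pair so the sequence of events can be checked. One modelling assumption is not stated in the guide: that new sessions stay blocked until the count is below the low threshold, which is the natural reading of "restricts the sessions until the number of sessions is less than the threshold".

```python
# Session types each level accepts, taken from the command syntax in this section.
VALID_PROTO = {
    "system": ("frag", "icmp", "tcp", "tcp-proxy", "udp"),
    "zone": ("icmp", "tcp", "udp"),
    "ip": ("icmp", "tcp", "udp"),
}


def threshold_commands(level, proto, high, low, zone=None, direction=None):
    """Return the CLI lines from this section for one threshold, validating the input first."""
    if not (0 < low < high):
        raise ValueError("low threshold must be positive and below the high threshold")
    if proto not in VALID_PROTO.get(level, ()):
        raise ValueError(f"{proto!r} is not a valid session type for {level}-level statistics")
    if level == "system":
        return ["system-view",
                "firewall statistics system enable",
                f"firewall statistics system connect-number {proto} high {high} low {low}"]
    if zone is None or direction not in ("inzone", "outzone"):
        raise ValueError("zone- and ip-level thresholds need a zone name and inzone|outzone")
    return ["system-view",
            f"firewall zone {zone}",
            f"statistics {level} enable {direction}",
            f"statistics connect-number {level} {direction} {proto} high {high} low {low}"]


class SessionMonitor:
    """Model of one high/low threshold pair with hysteresis (assumption: blocked until below low)."""

    def __init__(self, high, low):
        if not (0 < low < high):
            raise ValueError("need 0 < low < high")
        self.high, self.low = high, low
        self.count = 0
        self.restricting = False
        self.events = []                     # ("alarm", count) or ("recovery", count)

    def open_session(self) -> bool:
        """Admit one new session; False while the monitor is restricting."""
        if self.restricting:
            return False
        if self.count >= self.high:          # one more would exceed the high threshold
            self.restricting = True
            self.events.append(("alarm", self.count))
            return False
        self.count += 1
        return True

    def close_session(self) -> None:
        if self.count == 0:
            return
        self.count -= 1
        if self.restricting and self.count < self.low:
            self.restricting = False         # this is where the recovery log would be sent
            self.events.append(("recovery", self.count))


def simulate(high=15000, low=12000, opens=15100, closes=3200):
    """Open 'opens' sessions, close 'closes', then try one more; return what happened."""
    m = SessionMonitor(high, low)
    admitted = sum(m.open_session() for _ in range(opens))
    for _ in range(closes):
        m.close_session()
    return admitted, m.events, m.open_session()


if __name__ == "__main__":
    print("\n".join(threshold_commands("system", "tcp", 15000, 12000)))
    print(simulate())
```

With the 15000/12000 example from the text, 15000 sessions are admitted, the alarm is raised on the attempt to open the next one, and 3200 closes are needed (not 3000) before the count drops below 12000 and new sessions are accepted again; set the low value well below the high one, or the restriction clears almost as soon as it starts.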

3.11.4 Checking the Configuration

After the traffic statistics and monitoring are configured, you can view information about traffic statistics and monitoring.

Procedure

• Run the display firewall statistics system command to view information about the system-level traffic statistics and monitoring.

• Run the system-view command to enter the system view, and then run the display firewall statistics zone zone-name { inzone | outzone } all command to view information about the zone-level traffic statistics and monitoring.

• Run the display firewall statistics zone-ip zone-name command to view information about the IP address-level traffic statistics and monitoring.

----End

3.12 Configuring the Log Function

The firewall logs include session logs, statistics logs, attack defense logs, and blacklist logs.


3.12.1 Establishing the Configuration Task

Before configuring the log function, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

The logs record the behaviors and status of the firewall to help you find security risks, analyze attempts to violate security policies, and detect network attacks.

Pre-configuration Tasks

Before configuring the logs, complete the following tasks:

• Configuring zones and adding interfaces to the zones

• Configuring the interzone and enabling the firewall function in the interzone

• Creating a basic ACL or an advanced ACL and configuring ACL rules

Data Preparation

To configure the log function, you need the following data.

No.  Data
1    Type of the log
2    IP address and port number of the session log host, and the source IP address and source port number that the AR200-S uses to communicate with the session log host
3    Conditions for recording session logs, including the ACL number and the direction
4    (Optional) Interval for exporting the attack defense logs or statistics logs

3.12.2 Enabling the Log Function on the Firewall

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall log { all | blacklist | defend | session | statistics } enable

The log function is enabled on the firewall.

The log function can be enabled per log type, or for all types of logs at once by using the all parameter.


By default, the log function is disabled on a firewall.

Step 3 Run:
firewall log session nat enable

The NAT session log is enabled.

Before running the firewall log session nat enable command, you must run the firewall log session enable command (or firewall log all enable).

By default, the NAT session log is disabled.

----End

3.12.3 Setting the Log Parameters

The log parameters include the session log host, the conditions for recording session logs, and the interval for exporting logs.

Context

The session logs are exported to a log host in real time; therefore, you need to configure the log host first. To configure the log host, you need to configure the IP address and port number of the log host and the IP address and port number that the AR200-S uses to communicate with the log host.

An ACL is referenced in the interzone view to determine the sessions to be recorded in the logs. The ACLs can be configured for incoming and outgoing traffic.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall log binary-log host host-ip-address host-port source source-ip-address source-port [ vpn-instance vpn-instance-name ]

The session log host is configured.

By default, no session log host is configured.

Step 3 (Optional) Run:
firewall log { blacklist | defend | session | statistics } log-interval time

The interval for exporting logs is set.

By default, logs are exported every 30 seconds.

Step 4 Run:
firewall interzone zone-name1 zone-name2

The interzone view is displayed.

Step 5 Run:
session-log acl-number { inbound | outbound }

The conditions for recording session logs are configured.

The conditions for recording session logs are configured.


By default, no condition is configured in an interzone for recording session logs.

----End

3.12.4 Checking the Configuration

After the log function is configured on the firewall, you can view information about the logs.

Procedure

• Run the display firewall log configuration command to view information about the logs on the firewall.

----End

Example

Run the display firewall log configuration command to view information about the logs on the firewall.

<Huawei> display firewall log configuration
defend log :
  status : enabled
  log-interval : 30 s
statistics log :
  status : enabled
  log-interval : 30 s
blacklist log :
  status : enabled
  log-interval : 30 s
session log :
  status : enabled
  log-interval : 30 s
  nat-session : disabled
binary-log host :
  host       source     VPN instance-name
  ----:--    ----:--    ---

3.13 Maintaining the Firewall

3.13.1 Displaying the Firewall Configuration

Procedure

• Run the display firewall zone [ zone-name ] | [ interface | priority ] command to view the configurations of all zones or the specified zone.

• Run the display firewall interzone [ zone-name1 zone-name2 ] command to view the configurations of the interzone.

• Run the display firewall blacklist configuration command to view the status of the blacklist function.

• Run the display firewall blacklist { all | ip-address [ vpn-instance vpn-instance-name ] | dynamic | static | vpn-instance vpn-instance-name } command to view the blacklist entries.


• Run the display firewall whitelist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name } command to view the whitelist entries.

• Run the display firewall statistics system command to view the system-level traffic statistics.

• Run the display firewall statistics zone zone-name { inzone | outzone } all command to view the zone-level traffic statistics and traffic monitoring information.

• Run the display firewall statistics zone-ip zone-name command to view the status of the traffic monitoring function and the session thresholds for each protocol.

• Run the display firewall-nat session aging-time command to view the timeout of entries in the session table.

• Run the display port-mapping [ dns | ftp | http | rtsp | sip | port port-number ] command to view the mappings between application-layer protocols and ports.

• Run the display firewall defend { flag | { icmp-flood | syn-flood | udp-flood } [ ip [ ip-address [ vpn-instance vpn-instance-name ] ] | zone [ zone-name ] ] | other-attack-type } command to view the status and configuration of the attack defense functions.

• Run the display firewall log configuration command to view the global configuration of the log function.

• Run the display firewall session command to view the session table of the firewall.

----End

3.13.2 Clearing the Firewall Statistics

Context

To view the communication packet statistics of a device within a specified period, clear the previous packet statistics on the device first.

Step 2 and step 3 are optional and can be performed in any sequence. You can select these stepsto clear different types of packet statistics.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
clear firewall statistics system normal

The system-level communication packet statistics are cleared.

Step 3 Run:
clear firewall statistics zone zone-name

The communication packet statistics in the zone are cleared.

----End


3.14 Configuration Examples

This section provides several firewall configuration examples.

3.14.1 Example for Configuring the ACL-based Packet Filtering Firewall

This example shows the configuration of the ACL-based packet filtering firewall on a network. The firewall improves data flow security by filtering packets based on source/destination IP addresses, source/destination port numbers, and IP protocol numbers.

Networking Requirements

As shown in Figure 3-2, Ethernet0/0/0 of the Router is connected to a highly secure internal network, and Ethernet0/0/8 is connected to the insecure external network. The Router must filter the packets between the internal network and the external network. The following requirements must be met:

• A host (202.39.2.3) on the external network is allowed to access the servers in the internal network.

• Other hosts are not allowed to access the servers on the internal network.

Figure 3-2 Network diagram for configuring ACL-based packet filtering: the internal network (Telnet server, FTP server 129.38.1.2 and Web server, with server addresses 129.38.1.2, 129.38.1.3 and 129.38.1.4) is reached through Eth0/0/0 of the Router; the external host 202.39.2.3 is reached through Eth0/0/8.

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure zones and an interzone.
2. Add interfaces to the zones.
3. Configure an ACL.


4. Configure ACL-based packet filtering in the interzone.

Procedure

Step 1 Configure zones and an interzone on the Router.

<Huawei> system-view
[Huawei] firewall zone trust
[Huawei-zone-trust] priority 15
[Huawei-zone-trust] quit
[Huawei] firewall zone untrust
[Huawei-zone-untrust] priority 1
[Huawei-zone-untrust] quit
[Huawei] firewall interzone trust untrust
[Huawei-interzone-trust-untrust] firewall enable
[Huawei-interzone-trust-untrust] quit

Step 2 Add Router interfaces to zones.

[Huawei] vlan 100
[Huawei-vlan100] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] ip address 129.38.1.1 24
[Huawei-Vlanif100] quit
[Huawei] interface Ethernet 0/0/0
[Huawei-Ethernet0/0/0] port link-type access
[Huawei-Ethernet0/0/0] port default vlan 100
[Huawei-Ethernet0/0/0] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] zone trust
[Huawei-Vlanif100] quit
[Huawei] interface Ethernet 0/0/8
[Huawei-Ethernet0/0/8] ip address 202.39.2.1 24
[Huawei-Ethernet0/0/8] zone untrust
[Huawei-Ethernet0/0/8] quit

Step 3 Configure the ACL on the Router.

[Huawei] acl 3102
[Huawei-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.2 0.0.0.0
[Huawei-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.3 0.0.0.0
[Huawei-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.4 0.0.0.0
[Huawei-acl-adv-3102] rule deny ip
[Huawei-acl-adv-3102] quit

Step 4 Configure packet filtering on the Router.

[Huawei] firewall interzone trust untrust
[Huawei-interzone-trust-untrust] packet-filter 3102 inbound
[Huawei-interzone-trust-untrust] quit

Step 5 Verify the configuration.

After the configuration, only the specified host (202.39.2.3) can access the servers on the internal network.

Run the display firewall interzone [ zone-name1 zone-name2 ] command on the Router, and the result is as follows:

[Huawei] display firewall interzone trust untrust
 interzone trust untrust
  firewall enable
  packet-filter default deny inbound
  packet-filter default permit outbound
  packet-filter 3102 inbound

----End


Configuration Files

#
 vlan 100
#
acl number 3102
 rule 5 permit tcp source 202.39.2.3 0 destination 129.38.1.2 0
 rule 10 permit tcp source 202.39.2.3 0 destination 129.38.1.3 0
 rule 15 permit tcp source 202.39.2.3 0 destination 129.38.1.4 0
 rule 20 deny ip
#
interface Vlanif100
 ip address 129.38.1.1 255.255.255.0
 zone trust
#
firewall zone trust
 priority 15
#
firewall zone untrust
 priority 1
#
firewall interzone trust untrust
 firewall enable
 packet-filter 3102 inbound
#
interface Ethernet0/0/0
 port link-type access
 port default vlan 100
#
interface Ethernet0/0/8
 ip address 202.39.2.1 255.255.255.0
 zone untrust
#
return
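To make the semantics of ACL 3102 concrete (first matching rule wins, in rule-number order; a wildcard mask of 0 means an exact host; a rule without a port condition matches every port), here is an added Python model of how the inbound packet filter evaluates the rules above. It is example code written for this edit, not Huawei's implementation. It goes beyond the example in two ways that the lead-in should make clear: it supports non-zero wildcard masks (a 0 bit must match, a 1 bit is ignored) and an optional destination-port condition, neither of which the example's rules use. The test packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _wildcard_int(wildcard: str) -> int:
    # The configuration file writes the host wildcard 0.0.0.0 as "0".
    return 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))


def addr_matches(addr: str, rule_addr: Optional[str], wildcard: str) -> bool:
    """Wildcard-mask match: bits that are 0 in the mask must be equal, 1 bits are ignored."""
    if rule_addr is None:                       # no address condition: matches any address
        return True
    care = ~_wildcard_int(wildcard) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(rule_addr)) & care)


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol; otherwise "tcp", "udp" or "icmp"
    src: Optional[str] = None
    src_wc: str = "0"
    dst: Optional[str] = None
    dst_wc: str = "0"
    dport: Optional[int] = None  # optional destination-port condition (not used by ACL 3102)


def rule_matches(rule: Rule, pkt: dict) -> bool:
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if not addr_matches(pkt["src"], rule.src, rule.src_wc):
        return False
    if not addr_matches(pkt["dst"], rule.dst, rule.dst_wc):
        return False
    return rule.dport is None or pkt.get("dport") == rule.dport


def evaluate(acl, pkt: dict, default: str = "deny") -> str:
    """First matching rule wins; 'default' is the interzone packet-filter default
    for the direction (deny for inbound, as the display output above shows)."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# ACL 3102 exactly as in the configuration file above.
ACL_3102 = [
    Rule("permit", "tcp", src="202.39.2.3", dst="129.38.1.2"),
    Rule("permit", "tcp", src="202.39.2.3", dst="129.38.1.3"),
    Rule("permit", "tcp", src="202.39.2.3", dst="129.38.1.4"),
    Rule("deny", "ip"),
]

# Constructed inbound (untrust -> trust) packets for the demo.
PACKETS = {
    "allowed host, ftp":          {"proto": "tcp", "src": "202.39.2.3", "dst": "129.38.1.2", "dport": 21},
    "allowed host, any port":     {"proto": "tcp", "src": "202.39.2.3", "dst": "129.38.1.3", "dport": 3389},
    "other host":                 {"proto": "tcp", "src": "202.39.2.9", "dst": "129.38.1.2", "dport": 21},
    "allowed host, udp":          {"proto": "udp", "src": "202.39.2.3", "dst": "129.38.1.2", "dport": 53},
    "allowed host, other server": {"proto": "tcp", "src": "202.39.2.3", "dst": "129.38.1.9", "dport": 80},
}


def filter_results(acl=ACL_3102, packets=PACKETS) -> dict:
    """Verdict of the ACL for every constructed packet."""
    return {name: evaluate(acl, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in filter_results().items():
        print(f"{name:28s} -> {verdict}")
```

The "allowed host, any port" packet is the point to notice: the rules in ACL 3102 carry no port condition, so 202.39.2.3 reaches every TCP port on the three servers, not only the Telnet, FTP and HTTP services they are meant to offer. Adding a destination-port condition to each permit rule (the Rule type's dport field models this) narrows the exposure to the intended services.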

3.14.2 Example for Configuring ASPF and Port Mapping

This example shows the configuration of ASPF and port mapping on a network. The Router can inspect the packets of the specified application-layer protocols and discard the undesired packets.

Networking Requirements

As shown in Figure 3-3, Ethernet0/0/0 of the Router is connected to a highly secure internal network, and Ethernet0/0/8 is connected to the insecure external network. The Router must filter the packets and perform ASPF inspection between the internal network and the external network. The following requirements must be met:

• A host (202.39.2.3) on the external network is allowed to access the servers in the internal network.

• Other hosts are not allowed to access the servers on the internal network.

• The Router checks the FTP status of the connections and filters the undesired packets.

• The packets from the external host are sent to the FTP server through port 2121, which is used as the port of the FTP protocol.


Figure 3-3 Network diagram for configuring ASPF and port mapping: the internal network (Telnet server, FTP server 129.38.1.2 and Web server, with server addresses 129.38.1.2, 129.38.1.3 and 129.38.1.4) is reached through Eth0/0/0 of the Router; the external host 202.39.2.3 is reached through Eth0/0/8.

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure zones and an interzone.
2. Add interfaces to the zones.
3. Configure an ACL.
4. Configure ACL-based packet filtering in the interzone.
5. Configure ASPF in the interzone.
6. Map port 2121 to the FTP protocol.

Procedure

Step 1 Configure zones and an interzone on the Router.

<Huawei> system-view
[Huawei] firewall zone trust
[Huawei-zone-trust] priority 15
[Huawei-zone-trust] quit
[Huawei] firewall zone untrust
[Huawei-zone-untrust] priority 1
[Huawei-zone-untrust] quit
[Huawei] firewall interzone trust untrust
[Huawei-interzone-trust-untrust] firewall enable
[Huawei-interzone-trust-untrust] quit

Step 2 Add the interfaces of the Router to zones.

[Huawei] vlan 100
[Huawei-vlan100] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] ip address 129.38.1.1 24
[Huawei-Vlanif100] quit
[Huawei] interface Ethernet 0/0/0
[Huawei-Ethernet0/0/0] port link-type access
[Huawei-Ethernet0/0/0] port default vlan 100
[Huawei-Ethernet0/0/0] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] zone trust


[Huawei-Vlanif100] quit
[Huawei] interface Ethernet 0/0/8
[Huawei-Ethernet0/0/8] ip address 202.39.2.1 24
[Huawei-Ethernet0/0/8] zone untrust
[Huawei-Ethernet0/0/8] quit

Step 3 Configure the ACLs on the Router. Basic ACL 2102 identifies the FTP server (129.38.1.2) to which the port mapping applies; advanced ACL 3102 is the inbound packet filter.

[Huawei] acl 2102
[Huawei-acl-basic-2102] rule permit source 129.38.1.2 0.0.0.0
[Huawei-acl-basic-2102] quit
[Huawei] acl 3102
[Huawei-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.2 0.0.0.0
[Huawei-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.3 0.0.0.0
[Huawei-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.4 0.0.0.0
[Huawei-acl-adv-3102] rule deny ip
[Huawei-acl-adv-3102] quit

Step 4 Configure packet filtering on the Router.

[Huawei] firewall interzone trust untrust
[Huawei-interzone-trust-untrust] packet-filter 3102 inbound
[Huawei-interzone-trust-untrust] quit

Step 5 Configure ASPF on the Router. (The interzone view must be entered again, because Step 4 left it.)

[Huawei] firewall interzone trust untrust
[Huawei-interzone-trust-untrust] detect aspf ftp
[Huawei-interzone-trust-untrust] quit

Step 6 Configure port mapping on the Router.

[Huawei] port-mapping ftp port 2121 acl 2102

Step 7 Verify the configuration.

Run the display firewall interzone zone-name1 zone-name2 command on the Router, and the result is as follows:

[Huawei] display firewall interzone trust untrust
 interzone trust untrust
  firewall enable
  packet-filter default deny inbound
  packet-filter default permit outbound
  packet-filter 3102 inbound
  detect aspf ftp

Run the display port-mapping ftp command on the Router, and the result is as follows:

[Huawei] display port-mapping ftp
-------------------------------------------------
 Service   Port   Acl    Type
-------------------------------------------------
 ftp       21            system defined
 ftp       2121   2102   user defined
-------------------------------------------------
 Total number is : 2

----End

Configuration Files

#
 vlan 100
#
acl number 2102
 rule 5 permit source 129.38.1.2 0
#
acl number 3102
 rule 5 permit tcp source 202.39.2.3 0 destination 129.38.1.2 0
 rule 10 permit tcp source 202.39.2.3 0 destination 129.38.1.3 0
 rule 15 permit tcp source 202.39.2.3 0 destination 129.38.1.4 0
 rule 20 deny ip
#
 port-mapping ftp port 2121 acl 2102
#
interface Vlanif100
 ip address 129.38.1.1 255.255.255.0
 zone trust
#
firewall zone trust
 priority 15
#
firewall zone untrust
 priority 1
#
firewall interzone trust untrust
 firewall enable
 packet-filter 3102 inbound
 detect aspf ftp
#
interface Ethernet0/0/0
 port link-type access
 port default vlan 100
#
interface Ethernet0/0/8
 ip address 202.39.2.1 255.255.255.0
 zone untrust
#
return

3.14.3 Example for Configuring the Blacklist

This example shows the blacklist configuration on a network. By using a blacklist, the Router can block the attacks initiated from certain IP addresses.

Networking Requirements

As shown in Figure 3-4, Ethernet0/0/0 of the Router is connected to a highly secure internal network, and Ethernet0/0/8 is connected to the insecure external network.

The Router needs to apply IP address sweeping defense and blacklist policies to the packets sent from the Internet to the enterprise intranet. If the Router detects that an IP address attacks the enterprise intranet by IP address sweeping, it adds the IP address to the blacklist. The maximum session rate is 5000 pps, and the blacklist timeout is 30 minutes.

If an IP address, for example 202.39.1.2, attempts to attack the enterprise intranet repeatedly, you can add the IP address to the blacklist manually. An IP address added manually stays in the blacklist permanently, until it is removed by configuration.


Figure 3-4 Network diagram for configuring the blacklist: the enterprise network and its server sit behind Eth0/0/0 of the Router; the external network is connected on Eth0/0/8.

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure zones and an interzone.
2. Add interfaces to the zones.
3. Enable the blacklist function.
4. Add an entry to the blacklist.
5. Enable the defense against IP address sweeping or port scanning.
6. Configure the maximum session rate and blacklist timeout for the defense against IP address sweeping or port scanning.

Procedure

Step 1 Configure zones and an interzone on the Router.

[Huawei] firewall zone trust
[Huawei-zone-trust] priority 15
[Huawei-zone-trust] quit
[Huawei] firewall zone untrust
[Huawei-zone-untrust] priority 1
[Huawei-zone-untrust] quit
[Huawei] firewall interzone trust untrust
[Huawei-interzone-trust-untrust] firewall enable
[Huawei-interzone-trust-untrust] quit

Step 2 Add Router interfaces to zones.

[Huawei] vlan 100
[Huawei-vlan100] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] ip address 129.38.1.1 24
[Huawei-Vlanif100] quit
[Huawei] interface Ethernet 0/0/0
[Huawei-Ethernet0/0/0] port link-type access
[Huawei-Ethernet0/0/0] port default vlan 100
[Huawei-Ethernet0/0/0] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] zone trust


[Huawei-Vlanif100] quit
[Huawei] interface Ethernet0/0/8
[Huawei-Ethernet0/0/8] ip address 202.39.2.1 24
[Huawei-Ethernet0/0/8] zone untrust
[Huawei-Ethernet0/0/8] quit

Step 3 Enable the blacklist function.

[Huawei] firewall blacklist enable

Step 4 Add an entry to the blacklist.

[Huawei] firewall blacklist 202.39.1.2

Step 5 Enable the defense against IP address sweeping and port scanning.

[Huawei] firewall defend ip-sweep enable
[Huawei] firewall defend port-scan enable

Step 6 Configure the maximum session rate and blacklist timeout for the defense against IP address sweeping and port scanning.

[Huawei] firewall defend ip-sweep max-rate 5000
[Huawei] firewall defend ip-sweep blacklist-expire-time 30
[Huawei] firewall defend port-scan max-rate 5000
[Huawei] firewall defend port-scan blacklist-expire-time 30

Step 7 Verify the configuration.

Run the display firewall interzone [ zone-name1 zone-name2 ] command on the Router, and the result is as follows:

[Huawei] display firewall interzone trust untrust
 interzone trust untrust
  firewall enable
  packet-filter default deny inbound
  packet-filter default permit outbound

Run the display firewall blacklist all command on the Router, and the result is as follows:

[Huawei] display firewall blacklist all
Firewall Blacklist Items :
------------------------------------------------------------------------
IP-Address        Reason     Expire-Time(m)   VPN-Instance
------------------------------------------------------------------------
202.39.1.2        Manual     Permanent
------------------------------------------------------------------------
 total number is : 1

Run the display firewall defend command on the Router, and the result is as follows:

[Huawei] display firewall defend port-scan
 defend-flag : enable
 max-rate : 5000 (pps)
 blacklist-expire-time : 30 (m)
[Huawei] display firewall defend ip-sweep
 defend-flag : enable
 max-rate : 5000 (pps)
 blacklist-expire-time : 30 (m)

----End
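The two parameters that drive this example, the maximum session rate and the blacklist timeout described earlier for IP sweep and port scan defense, interact with the manual entry in a way that is easier to check in code than in prose. The Python below is an added example and not Huawei's implementation: it counts new sessions per source over a sliding one-second window (the window is this example's assumption; the guide states only the rate and the timeout), blacklists a source that exceeds the rate for the configured number of minutes, removes the entry when the timeout passes, keeps manual entries permanent, and replays constructed traffic from the documentation addresses 203.0.113.7 and 198.51.100.5 against the 5000 pps / 30 minute settings and the manual entry 202.39.1.2 from this example.

```python
from collections import deque


class ScanBlacklist:
    """Model of the ip-sweep / port-scan defense with a dynamic blacklist.
    Rule from the guide: a source whose new-session rate exceeds max_rate is
    blacklisted for expire_minutes; manual entries never expire.
    Assumption of this model: the rate is measured over a sliding one-second window."""

    def __init__(self, max_rate: int = 4000, expire_minutes: int = 20):
        self.max_rate = max_rate
        self.expire_seconds = expire_minutes * 60
        self.windows = {}      # source ip -> timestamps of new sessions in the last second
        self.blacklist = {}    # source ip -> expiry time in seconds, or None for permanent

    def add_manual(self, ip: str) -> None:
        """Equivalent of 'firewall blacklist <ip>': a permanent entry."""
        self.blacklist[ip] = None

    def is_blocked(self, ip: str, now: float) -> bool:
        if ip not in self.blacklist:
            return False
        expiry = self.blacklist[ip]
        if expiry is not None and now >= expiry:
            del self.blacklist[ip]            # blacklist timeout reached: entry removed
            return False
        return True

    def new_session(self, ip: str, now: float) -> bool:
        """Return True if a new session from ip at time 'now' is admitted."""
        if self.is_blocked(ip, now):
            return False
        window = self.windows.setdefault(ip, deque())
        window.append(now)
        while window and now - window[0] >= 1.0:
            window.popleft()
        if len(window) > self.max_rate:       # rate exceeded: add a dynamic entry
            self.blacklist[ip] = now + self.expire_seconds
            window.clear()
            return False
        return True

    def entries(self, now: float) -> dict:
        """Snapshot in the spirit of 'display firewall blacklist all':
        minutes left for dynamic entries, 'Permanent' for manual ones."""
        return {ip: "Permanent" if exp is None else max(0, round((exp - now) / 60))
                for ip, exp in self.blacklist.items() if exp is None or now < exp}


def demo():
    """Replay of this example's settings (5000 pps, 30 minutes) against constructed traffic."""
    bl = ScanBlacklist(max_rate=5000, expire_minutes=30)
    bl.add_manual("202.39.1.2")                           # the manual entry from Step 4
    scanner, client = "203.0.113.7", "198.51.100.5"       # constructed addresses
    # The scanner opens 6000 sessions within 0.6 s, i.e. well above 5000 pps.
    admitted = sum(bl.new_session(scanner, 100.0 + i * 0.0001) for i in range(6000))
    blocked_now = bl.is_blocked(scanner, 101.0)
    snapshot = bl.entries(101.0)
    blocked_after_timeout = bl.is_blocked(scanner, 101.0 + 30 * 60)
    manual_still_blocked = bl.is_blocked("202.39.1.2", 10**9)
    client_ok = bl.new_session(client, 101.0)
    return admitted, blocked_now, snapshot, blocked_after_timeout, manual_still_blocked, client_ok


if __name__ == "__main__":
    print(demo())
```

Two things the replay shows that the parameters alone do not: the first 5000 sessions of a scan are admitted before the source is blacklisted, so the rate limit is a ceiling on damage rather than a prevention, and a dynamic entry disappears on its own after the timeout, so a source that keeps scanning is re-admitted and re-blacklisted every 30 minutes unless it is also added manually.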

Configuration Files

#
 firewall defend ip-sweep enable
 firewall defend port-scan enable
 firewall defend ip-sweep max-rate 5000
 firewall defend ip-sweep blacklist-expire-time 30
 firewall defend port-scan max-rate 5000
 firewall defend port-scan blacklist-expire-time 30
#
 firewall blacklist enable
 firewall blacklist 202.39.1.2
#
 vlan 100
#
interface Vlanif100
 ip address 129.38.1.1 255.255.255.0
 zone trust
#
firewall zone trust
 priority 15
#
firewall zone untrust
 priority 1
#
firewall interzone trust untrust
 firewall enable
#
interface Ethernet0/0/0
 port link-type access
 port default vlan 100
#
interface Ethernet0/0/8
 ip address 202.39.2.1 255.255.255.0
 zone untrust
#


4 Traffic Suppression Configuration

About This Chapter

This section describes configuration procedures for traffic suppression and provides configuration examples.

4.1 Traffic Suppression Overview
This section describes the traffic suppression function.

4.2 Traffic Suppression Features Supported by the AR200-S
This section describes traffic suppression features supported by the AR200-S.

4.3 Configuring Traffic Suppression
This section describes how to configure traffic suppression.

4.4 Configuration Examples
This section provides traffic suppression configuration examples.


4.1 Traffic Suppression Overview
This section describes the traffic suppression function.

The AR200-S forwards broadcast packets, multicast packets, and unknown unicast packets to all interfaces in the same VLAN. The preceding types of packets occupy a large number of system resources and waste bandwidth; therefore, the system forwarding capability and processing capability deteriorate.

The traffic suppression function can limit the rate of the preceding types of packets to protect the AR200-S against attacks of these packets. In addition, the function ensures available bandwidth and processing capability of the AR200-S when the network traffic is heavy.

4.2 Traffic Suppression Features Supported by the AR200-S
This section describes traffic suppression features supported by the AR200-S.

Traffic suppression can be configured on Ethernet interfaces of the AR200-S. You can set the rate limit in bit/s for broadcast packets, multicast packets, or unknown unicast packets on an interface.

4.3 Configuring Traffic Suppression
This section describes how to configure traffic suppression.

4.3.1 Establishing the Configuration Task
Before configuring traffic suppression, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This will help you complete the configuration task quickly and accurately.

Applicable Environment

When receiving unknown unicast packets, multicast packets, or broadcast packets, the AR200-S forwards the packets to all the interfaces except the receive interface because the AR200-S cannot determine the outbound interface according to the destination MAC address of packets. In this case, broadcast storms may occur on the network and the forwarding performance of the AR200-S deteriorates. To prevent the AR200-S from being attacked by heavy traffic and ensure that the AR200-S can forward packets in unicast mode, configure traffic suppression on an interface to limit the rate of incoming broadcast packets, multicast packets, or unknown unicast packets.

Pre-configuration Tasks

Before configuring traffic suppression, complete the following task:

- Connecting interfaces and setting the physical parameters of interfaces so that the physical layer is in Up state


Data Preparation

To configure traffic suppression, you need the following data.

No.  Data
1    Type and number of the interface where traffic suppression needs to be configured
2    Type of the traffic to be suppressed (broadcast, multicast, or unknown unicast traffic)
3    Rate limit mode (in bit/s)
4    Rate limit value in bit/s (CIR value)

4.3.2 Configuring Traffic Suppression on an Interface
This section describes how to configure traffic suppression on an interface.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Set the CIR value for traffic suppression.

- Run the broadcast-suppression cir cir-value command to set the CIR value for broadcast traffic.

- Run the multicast-suppression cir cir-value command to set the CIR value for multicast traffic.

- Run the unicast-suppression cir cir-value command to set the CIR value for unknown unicast traffic.

----End
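To make the mechanism behind these three commands concrete, here is an added Python model (not Huawei code): it classifies each incoming frame by destination MAC the way the Applicable Environment section describes (broadcast, multicast, unknown unicast, or known unicast that is forwarded normally) and polices the first three classes with one token bucket per class filled at the configured CIR in kbit/s. The MAC table, frame sizes and arrival times are constructed, and the bucket depth of one second of CIR is an assumption, since the guide does not say how bursts are handled.

```python
"""Model of traffic suppression on one LAN-side interface: classify each
incoming frame by destination MAC as broadcast, multicast, unknown unicast or
known unicast, then police the first three classes with one token bucket per
class, filled at the CIR set by broadcast-suppression / multicast-suppression /
unicast-suppression cir (kbit/s).
Added example in Python, not Huawei code. The MAC table, frame sizes and
arrival times are constructed; the bucket depth (one second of CIR) is an
assumption, since the guide does not state how bursts are handled."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


def classify(dst_mac, mac_table):
    """Storm type of a frame, or 'known-unicast' if the MAC table knows the port."""
    mac = dst_mac.lower()
    if mac == BROADCAST:
        return "broadcast"
    if int(mac.split(":")[0], 16) & 0x01:        # I/G bit set: group address
        return "multicast"
    if mac in mac_table:
        return "known-unicast"                   # forwarded to one port, not policed
    return "unknown-unicast"                     # flooded like a broadcast


class TokenBucket:
    """Bucket filled at cir_kbps kbit/s, i.e. cir_kbps bits per millisecond.
    Time is integer milliseconds so the arithmetic stays exact."""
    def __init__(self, cir_kbps):
        self.bits_per_ms = cir_kbps
        self.capacity = cir_kbps * 1000          # assumption: one second of CIR
        self.tokens = self.capacity
        self.last_ms = 0

    def admit(self, size_bytes, now_ms):
        refill = (now_ms - self.last_ms) * self.bits_per_ms
        self.tokens = min(self.capacity, self.tokens + refill)
        self.last_ms = now_ms
        bits = size_bytes * 8
        if bits <= self.tokens:
            self.tokens -= bits
            return True
        return False                             # over CIR: frame is discarded


class Suppressor:
    """One interface carrying the three suppression CIRs, as in the 4.4.1 example."""
    def __init__(self, broadcast_cir, multicast_cir, unicast_cir, mac_table):
        self.buckets = {
            "broadcast": TokenBucket(broadcast_cir),
            "multicast": TokenBucket(multicast_cir),
            "unknown-unicast": TokenBucket(unicast_cir),
        }
        self.mac_table = {m.lower() for m in mac_table}
        self.stats = {k: {"passed": 0, "dropped": 0}
                      for k in list(self.buckets) + ["known-unicast"]}

    def receive(self, dst_mac, size_bytes, now_ms):
        kind = classify(dst_mac, self.mac_table)
        bucket = self.buckets.get(kind)
        ok = True if bucket is None else bucket.admit(size_bytes, now_ms)
        self.stats[kind]["passed" if ok else "dropped"] += 1
        return kind, ok


def run_broadcast_storm(cir_kbps=100, frames=200, size_bytes=1500, interval_ms=5):
    """Constructed storm: `frames` broadcast frames arriving every interval_ms
    against a broadcast CIR of cir_kbps kbit/s. Returns (passed, dropped)."""
    port = Suppressor(cir_kbps, 200, cir_kbps, mac_table={"00:11:22:33:44:55"})
    for i in range(frames):
        port.receive(BROADCAST, size_bytes, i * interval_ms)
    return port.stats["broadcast"]["passed"], port.stats["broadcast"]["dropped"]


if __name__ == "__main__":
    # 200 x 1500-byte frames in one second is 2.4 Mbit/s against a 100 kbit/s CIR:
    # the initial burst allowance plus one second of CIR admits 16 frames.
    print(run_broadcast_storm())                 # (16, 184)
```

Known unicast frames never touch a bucket, which is the point of the feature: only the classes the router has to flood are rate limited, so a storm on one VLAN cannot starve ordinary forwarding.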

4.3.3 Checking the Configuration
This section describes how to check the configuration of traffic suppression.

Prerequisites
The traffic suppression configurations are complete.


Procedure
- Run the display flow-suppression interface interface-type interface-number command to check the traffic suppression configuration.

----End

Example
Run the display flow-suppression interface interface-type interface-number command to check the traffic suppression configuration on the specified interface.

<AR200-S> display flow-suppression interface ethernet 2/0/1
 storm type        rate mode    set rate value
-------------------------------------------------------------------------------
 unknown-unicast   pps          packets: 1260(packets per second)
 multicast         pps          packets: 2520(packets per second)
 broadcast         pps          packets: 1260(packets per second)
-------------------------------------------------------------------------------

4.4 Configuration Examples
This section provides traffic suppression configuration examples.

4.4.1 Example for Setting the CIR Value for Traffic Suppression
This section describes how to set the CIR value for traffic suppression.

Networking Requirements
As shown in Figure 4-1, RouterA is connected to a Layer 2 network and a Layer 3 router. To limit the number of broadcast, multicast, or unknown unicast packets forwarded on the Layer 2 network, you can set the rate limit in bit/s on Ethernet 0/0/0.

NOTE

As shown in Figure 4-1, RouterA is the AR200-S and RouterB is an aggregation router. The CIR value for traffic suppression can be set only on LAN-side Ethernet interfaces of the SRU on the AR200-S.

Figure 4-1 Network diagram of setting the CIR value for traffic suppression (labels in the figure: RouterA, Ethernet 0/0/0, L2 network, L3 network, RouterB)

Configuration Roadmap
The configuration roadmap is as follows:

- Set the CIR value for traffic suppression on Ethernet 0/0/0.


Data Preparation
To complete the configuration, you need the following data:
- Name of the interface where traffic suppression needs to be configured: Ethernet 0/0/0
- CIR value for broadcast and unknown unicast packets: 100 kbit/s, CIR value for multicast packets: 200 kbit/s

Procedure

Step 1 Enter the interface view.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface ethernet 0/0/0

Step 2 Set the CIR value for broadcast packets.
[RouterA-Ethernet0/0/0] broadcast-suppression cir 100

Step 3 Set the CIR value for multicast packets.
[RouterA-Ethernet0/0/0] multicast-suppression cir 200

Step 4 Set the CIR value for unknown unicast packets.
[RouterA-Ethernet0/0/0] unicast-suppression cir 100

Step 5 Verify the configuration.

Run the display flow-suppression interface command to view the traffic suppression configuration on Ethernet 0/0/0.

[RouterA] display flow-suppression interface Ethernet 0/0/0
 storm type        rate mode    set rate value
-------------------------------------------------------------------------------
 unknown-unicast   bps          cir: 100(kbit/s)
 multicast         bps          cir: 200(kbit/s)
 broadcast         bps          cir: 100(kbit/s)
-------------------------------------------------------------------------------

----End

Configuration Files

#
 sysname RouterA
#
interface Ethernet 0/0/0
 unicast-suppression cir 100
 multicast-suppression cir 200
 broadcast-suppression cir 100
#
return


5 NAC Configuration

About This Chapter

This chapter describes the NAC system architecture, principles, and authentication methods.

5.1 NAC Overview
Network access control (NAC) is an end-to-end access security framework and includes Web authentication, 802.1x authentication, and MAC address authentication.

5.2 NAC Features Supported by the AR200-S
The AR200-S supports multiple authentication and control methods to control user authorities and access areas.

5.3 Configuring 802.1x Authentication
You can configure 802.1x authentication on an interface to authenticate access devices connected to an interface of an access control device on a LAN.

5.4 Maintaining NAC
This section describes how to maintain NAC.

5.5 Configuration Examples
This section provides several NAC configuration examples.


5.1 NAC Overview
Network access control (NAC) is an end-to-end access security framework and includes Web authentication, 802.1x authentication, and MAC address authentication.

Traditional network security technologies focus on threats from external computers but not threats from internal computers. Current network devices cannot prevent attacks initiated by devices on internal networks. NAC protects terminal security, thus providing end-to-end network security.

Figure 5-1 Typical NAC networking (labels in the figure: User, NAD, ACS, AAA server, Remediation server, Directory server, PVS & AUDIT server)

As shown in Figure 5-1, NAC is a control scheme for network access security, and involves the following entities:
- User: Access user who must be authenticated. If 802.1x authentication is used, users must install the client software.
- NAD: Network access device (NAD). An NAD authenticates and authorizes access users. The NAD works with an AAA server to prevent unauthorized terminals from accessing the network, minimize the threats brought by insecure terminals, prevent unauthorized access requests from authorized terminals, and protect core resources.
- ACS: Access control server (ACS). An ACS checks terminal security and manages policies, manages user behaviors and audits rule violations, and prevents malicious attacks from terminals.

5.2 NAC Features Supported by the AR200-S
The AR200-S supports multiple authentication and control methods to control user authorities and access areas.

The AR200-S functions as a network access device (NAD) and supports 802.1x authentication, MAC address authentication, and Web authentication.

802.1x Authentication
The Institute of Electrical and Electronics Engineers (IEEE) 802.1x standard, 802.1x for short, is an interface-based network access control protocol. 802.1x authentication authenticates and controls access devices connected to an interface of an access control device on a LAN. User devices connected to the interface can access resources on the LAN only after being authenticated.

802.1x authentication is classified into:

- Interface-based authentication: All the other access users can use network resources and do not need to be authenticated, as long as the first user on an interface is authenticated. After the first user gets offline, other users cannot use network resources.

- MAC address-based authentication: All access users on an interface need to be authenticated.

Authentication Mode

- Extensible Authentication Protocol (EAP) termination authentication: The AR200-S terminates EAP packets from users, parses user names and passwords, encrypts the passwords, and then sends them to the AAA server for authentication. EAP termination authentication includes Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).
  – PAP is a two-way handshake authentication protocol and transmits passwords in plain text. It has low security.
  – CHAP is a three-way handshake authentication protocol and transmits passwords in cipher text. It has higher security than PAP.

- EAP relay authentication: The AR200-S encapsulates authentication information about 802.1x users and EAP packets in the attribute fields in RADIUS packets or HWTACACS packets and sends the packets to the AAA server.

Guest VLAN

If a user that fails to be authenticated wants to access some network resources, for example, the user wants to download the 802.1x client program and update the virus library, add the user to a guest VLAN so that the user can access resources in the guest VLAN.

MAC Address Authentication
MAC address authentication controls network access permissions of a user based on the access interface and MAC address of the user. The user does not need to install any client software. The user name and password are the MAC address of the user device. After detecting the MAC address of a user for the first time, the AR200-S starts authenticating the user.

NAC Applications
LAN-side Ethernet interfaces on the AR200-S support only 802.1x authentication.

5.3 Configuring 802.1x Authentication
You can configure 802.1x authentication on an interface to authenticate access devices connected to an interface of an access control device on a LAN.

5.3.1 Establishing the Configuration Task
Before configuring 802.1x authentication, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.


Applicable Environment
The 802.1x protocol is applied to the Ethernet as an access control mechanism on LAN interfaces to authenticate access users and ensure security on the Ethernet.

Pre-configuration Tasks
None.

Data Preparation
To configure 802.1x authentication, you need the following data.

No.  Data
1    Interface that will be enabled with 802.1x authentication
2    (Optional) Maximum number of concurrent access users on an interface
3    (Optional) Maximum number of times an authentication request can be retransmitted

5.3.2 Enabling Global 802.1x Authentication
The 802.1x authentication configurations take effect only after global 802.1x authentication is enabled.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dot1x enable

Global 802.1x authentication is enabled.

By default, global 802.1x authentication is disabled.

----End

5.3.3 Enabling 802.1x Authentication on an Interface
To perform 802.1x authentication for a user, enable 802.1x authentication on the interface connected to the user.

Context
802.1x authentication cannot be used together with MAC address authentication on the same interface.

802.1x authentication can be enabled on an interface in the system view or interface view.


Procedure
- Enabling 802.1x authentication on an interface in the system view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dot1x enable interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     802.1x authentication is enabled on an interface.
     By default, 802.1x authentication is disabled on an interface.

- Enabling 802.1x authentication on an interface in the interface view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     dot1x enable
     802.1x authentication is enabled on the interface.
     By default, 802.1x authentication is disabled on an interface.

----End

5.3.4 (Optional) Setting the 802.1x Authentication Mode
The AR200-S supports CHAP authentication, PAP authentication, and EAP relay authentication.

Context
PAP is a two-way handshake authentication protocol and transmits passwords in plain text. It has low security.

CHAP is a three-way handshake authentication protocol and transmits passwords in cipher text. It has higher security than PAP.

EAP supports multiple authentication mechanisms. The AR200-S transparently transmits EAP Request packets and Response packets to the authentication server. The AR200-S determines whether to allow user access based on the authentication result from the authentication server only.

CAUTION
If local authentication is used, EAP cannot be configured.


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dot1x authentication-method { chap | eap | pap }

The authentication mode is configured for 802.1x users.

By default, the AR200-S uses CHAP to authenticate 802.1x users.

----End
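The difference between the pap and chap choices above, and in the Authentication Mode list in 5.2, is what a capture of the client-to-NAD exchange contains. The following is an added Python model, not Huawei code: it plays both handshakes from the side of the device that terminates them, with PAP carrying the password itself in its single request and CHAP answering the challenge with an MD5 digest over the identifier, the secret and the challenge (RFC 1994), so a captured response is useless against a fresh challenge. The user database and the fixed challenge used for the demonstration are constructed.

```python
"""Model of the two EAP termination methods: PAP (two-way handshake, password
sent as-is) and CHAP (three-way handshake, the response is an MD5 digest of
identifier, secret and challenge as in RFC 1994), seen from the NAD side that
terminates the exchange before talking to the AAA server.
Added example in Python, not Huawei code; the user database and the fixed
challenge used for the demo are constructed."""
import hashlib
import hmac
import os

USER_DB = {"alice": b"s3cret-pass"}          # constructed local user store


# --- PAP: two messages ---------------------------------------------------
def pap_request(username, password):
    """Authenticate-Request: carries the password itself."""
    return {"type": "PAP-Request", "user": username, "password": password}


def pap_verify(db, request):
    """Authenticate-Ack / Nak decision."""
    secret = db.get(request["user"])
    return secret is not None and hmac.compare_digest(secret, request["password"])


# --- CHAP: three messages ------------------------------------------------
def chap_challenge(identifier, challenge=None):
    """Challenge from the authenticator; random unless a fixed one is supplied."""
    return {"type": "CHAP-Challenge", "id": identifier,
            "challenge": challenge or os.urandom(16)}


def chap_digest(identifier, secret, challenge):
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_response(username, secret, challenge_msg):
    """Response from the client: only the digest crosses the wire."""
    return {"type": "CHAP-Response", "id": challenge_msg["id"], "user": username,
            "value": chap_digest(challenge_msg["id"], secret, challenge_msg["challenge"])}


def chap_verify(db, challenge_msg, response_msg):
    """Success / Failure decision: recompute the digest with the stored secret."""
    if response_msg["id"] != challenge_msg["id"]:
        return False                            # answer to some other challenge
    secret = db.get(response_msg["user"])
    if secret is None:
        return False
    expected = chap_digest(challenge_msg["id"], secret, challenge_msg["challenge"])
    return hmac.compare_digest(expected, response_msg["value"])


def wire_exposes_secret(message, secret):
    """Would a capture of this message contain the secret verbatim?"""
    return any(isinstance(v, bytes) and v == secret for v in message.values())


def run_chap(db, username, secret, challenge=None):
    """Full three-way exchange; returns (authenticated, transcript)."""
    c = chap_challenge(identifier=1, challenge=challenge)
    r = chap_response(username, secret, c)
    ok = chap_verify(db, c, r)
    final = {"type": "CHAP-Success" if ok else "CHAP-Failure", "id": c["id"]}
    return ok, [c, r, final]


if __name__ == "__main__":
    pw = b"s3cret-pass"
    print(pap_verify(USER_DB, pap_request("alice", pw)),
          wire_exposes_secret(pap_request("alice", pw), pw))      # True True
    ok, transcript = run_chap(USER_DB, "alice", pw)
    print(ok, any(wire_exposes_secret(m, pw) for m in transcript))  # True False
```

Note what CHAP does not protect: the NAD still needs the clear-text secret to recompute the digest, and MD5 offers no defence against offline guessing of a captured challenge/response pair, which is why EAP relay with a stronger method is the usual choice where the AAA server supports it.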

5.3.5 (Optional) Setting the Access Method on an Interface
The AR200-S provides interface-based access method and MAC address-based access method.

Context
MAC address-based access method: 802.1x users on an interface are authenticated independently.

Interface-based access method: All the other users on an interface can use network resources after the first user is authenticated. After the first user goes offline, other users cannot use network resources.

The access method can be configured in the system view or interface view.

CAUTION
If there are online 802.1x users on an interface, you cannot change the access method of the interface.

Procedure
- Setting the access method on an interface in the system view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dot1x port-method { mac | port } interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     The access method is configured on an interface.
     By default, an interface uses the MAC address-based access method.

- Setting the access method on an interface in the interface view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     dot1x port-method { mac | port }
     The access method is configured on the interface.
     By default, an interface uses the MAC address-based access method.

----End

5.3.6 (Optional) Configuring the Authorization Status of an Interface

The AR200-S supports the auto, authorized-force, and unauthorized-force modes.

Context
auto: An interface is initially in unauthorized state and sends and receives only EAPoL packets. Therefore, users cannot access network resources. After a user is authenticated on the interface, the interface enters the authorized state and allows users to access network resources.

authorized-force: An interface is always in authorized state and allows users to access network resources without authentication.

unauthorized-force: An interface is always in unauthorized state and does not allow users to access network resources.

The authorization status of an interface can be configured in the system view or interface view.

Procedure
- Setting the authorization status of an interface in the system view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dot1x port-control { auto | authorized-force | unauthorized-force } interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     The authorization status of an interface is configured.
     By default, the authorization status of an interface is auto.

- Setting the authorization status of an interface in the interface view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     dot1x port-control { auto | authorized-force | unauthorized-force }
     The authorization status of the interface is configured.
     By default, the authorization status of an interface is auto.

----End

5.3.7 (Optional) Setting the Maximum Number of Concurrent Access Users on an Interface

After the maximum number of concurrent access users is set on an interface, if the number of access users on the interface reaches the maximum, the AR200-S does not authenticate subsequent access users and these users cannot access networks.

Context
The AR200-S allows a maximum of 128 concurrent access users.

NOTE

If the number of current online users on an interface has exceeded the maximum number that you set, online users are not affected but new access users cannot access networks.

You can set the maximum number of concurrent access users in the system view or interface view.

Procedure
- Setting the maximum number of concurrent access users in the system view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dot1x max-user user-number interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     The maximum number of concurrent access users is set on an interface.
     By default, each interface allows a maximum number of 128 concurrent access users.

- Setting the maximum number of concurrent access users in the interface view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     dot1x max-user user-number
     The maximum number of concurrent access users is set on the interface.
     By default, each interface allows a maximum number of 128 concurrent access users.

----End

5.3.8 (Optional) Enabling 802.1x Authentication Triggered by DHCP Messages

After 802.1x authentication triggered by DHCP messages is enabled, the AR200-S authenticates users when they send DHCP messages to apply for IP addresses.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dot1x dhcp-trigger

802.1x authentication triggered by DHCP messages is enabled.

By default, 802.1x authentication triggered by DHCP messages is disabled.

----End

5.3.9 (Optional) Setting Values of Timers Used in 802.1x Authentication

On the AR200-S, you can set the client authentication timeout timers, handshake interval between the AR200-S and the 802.1x client, quiet timer value, re-authentication interval, and interval for sending authentication requests.

Context
Before setting the value of a timer used in 802.1x authentication, ensure that the timer function is enabled.

It is recommended that you retain default settings of the timers.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dot1x timer { client-timeout client-timeout-value | handshake-period handshake-period-value | quiet-period quiet-period-value | reauthenticate-period reauthenticate-period-value | server-timeout server-timeout-value | tx-period tx-period-value }

The values of timers used in 802.1x authentication are set.

The timers are described as follows:


- client-timeout: specifies the value of the timeout timer of a client. The default value is 30s.
- handshake-period: specifies the handshake interval between the AR200-S and the 802.1x client. The default value is 60s.
- quiet-period: specifies the value of the quiet timer. The default value is 60s.
- reauthenticate-period: specifies the re-authentication interval. The default value is 3600s.
- server-timeout: specifies the value of the timeout timer of the authentication server. The default value is 30s.
- tx-period: specifies the interval for sending authentication requests. The default value is 30s.

The dot1x timer command only sets the values of the timers, and you need to enable the corresponding timers by running commands or adopting the default settings.

----End

5.3.10 (Optional) Configuring the Quiet Timer Function
If a user fails to be authenticated after the quiet timer function is enabled, the AR200-S does not process the authentication requests from the user in this period. This prevents frequent authentication on the system.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dot1x quiet-period

The quiet timer function is enabled.

By default, the quiet timer function is disabled.

Step 3 (Optional) Run:
dot1x timer quiet-period quiet-period-value

The value of the quiet timer is set.

After the quiet timer function is enabled, the default value of the quiet timer is 60s.

Step 4 (Optional) Run:
dot1x quiet-times fail-times

The number of authentication failures within 60 seconds before an 802.1x user enters the quiet state is set.

By default, an 802.1x user enters the quiet state after three authentication failures within 60 seconds.

----End

5.3.11 (Optional) Configuring 802.1x Re-authentication
The AR200-S re-authenticates users who have been authenticated after a period of time to ensure validity of users.


Context

802.1x re-authentication can be enabled in the system view or interface view.

Procedure
- Enabling 802.1x re-authentication in the system view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dot1x reauthenticate interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     802.1x re-authentication is enabled on an interface.
     By default, 802.1x re-authentication is disabled on an interface.
  3. (Optional) Run:
     dot1x timer reauthenticate-period reauthenticate-period-value
     The re-authentication interval is set.
     After 802.1x re-authentication is enabled on an interface, the default re-authentication interval is 3600s.

- Enabling 802.1x re-authentication in the interface view
  1. Run:
     system-view
     The system view is displayed.
  2. (Optional) Run:
     dot1x timer reauthenticate-period reauthenticate-period-value
     The re-authentication interval is set.
     After 802.1x re-authentication is enabled on an interface, the default re-authentication interval is 3600s.
  3. Run:
     interface interface-type interface-number
     The interface view is displayed.
  4. (Optional) Run:
     dot1x reauthenticate
     Re-authentication is enabled on the interface.
     By default, 802.1x re-authentication is disabled on an interface.

----End


5.3.12 (Optional) Configuring a Guest VLAN for 802.1x Authentication

Context

When the guest VLAN is enabled, the AR200-S broadcasts authentication request packets to all the interfaces enabled with 802.1x authentication. If an interface does not return a response when the maximum number of re-authentication times is reached, the AR200-S adds the interface to the guest VLAN. Users in the guest VLAN can access resources in the guest VLAN without authentication but must be authenticated when they access external resources.

NOTE

The configured guest VLAN cannot be the default VLAN of the interface.

A super VLAN cannot be configured as a guest VLAN.

If an interface is configured with the guest VLAN, the interface cannot be added to the guest VLAN and the VLAN configured as the guest VLAN cannot be deleted. Users in the guest VLAN can communicate with each other.

You can configure a guest VLAN in the system view and in the interface view.

Procedure
- Configuring a guest VLAN in the system view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dot1x guest-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     A guest VLAN is configured on an interface.
     By default, no guest VLAN is configured on an interface.

- Configuring a guest VLAN in the interface view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     dot1x guest-vlan vlan-id
     A guest VLAN is configured on the interface.
     By default, no guest VLAN is configured on an interface.

----End


5.3.13 (Optional) Configuring a Restrict VLAN for 802.1x Authentication

If a user that fails to be authenticated wants to access some network resources, for example, download the 802.1x client program and update the virus library, add the user to a restrict VLAN so that the user can access resources in the restrict VLAN.

Context
If a user fails to be authenticated after the restrict VLAN function is enabled, the AR200-S adds the access interface of the user to the restrict VLAN. Users in the restrict VLAN can access resources in the restrict VLAN without authentication but must be authenticated when they access external resources.

NOTE

The configured restrict VLAN cannot be the default VLAN of the interface.

A super VLAN cannot be configured as a restrict VLAN.

If an interface is configured with the restrict VLAN, the interface cannot be added to the restrict VLAN and the VLAN configured as the restrict VLAN cannot be deleted. Users in the VLAN that is the same as the restrict VLAN can communicate with users in the restrict VLAN.

A restrict VLAN can be configured in the system view and in the interface view.

Procedure

- Configuring a restrict VLAN in the system view

1. Run:system-view

The system view is displayed.

2. (Optional) Run:

dot1x restrict-vlan fail-times fail-times

The maximum number of authentication failures is set.

By default, the maximum number of authentication failures is 3.

3. Run:

dot1x restrict-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

A restrict VLAN is configured on an interface.

By default, no restrict VLAN is configured on an interface.

- Configuring a restrict VLAN in the interface view

1. Run:system-view

The system view is displayed.

2. (Optional) Run:

dot1x restrict-vlan fail-times fail-times

The maximum number of authentication failures is set.

By default, the maximum number of authentication failures is 3.


3. Run:interface interface-type interface-number

The interface view is displayed.

4. Run:dot1x restrict-vlan vlan-id

A restrict VLAN is configured on the interface.

By default, no restrict VLAN is configured on an interface.

----End
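The guest VLAN and restrict VLAN behaviour described in the two procedures above, modelled as an added example; this is not code from the guide or from Huawei, only a simulation of the rules the guide states (guest VLAN while unauthenticated, restrict VLAN once the failure count reaches fail-times, default 3, and restrict VLAN never equal to the interface PVID). The placement of an authorized user in the interface PVID and the reset on EAPOL-Logoff are assumptions of the model.

```python
"""Simulation of how an 802.1x access interface moves between the guest VLAN,
the restrict VLAN and the authorized state.  Added example, not code from the
guide or from Huawei.  Assumptions: an authorized user is placed in the
interface PVID, and an EAPOL-Logoff returns the interface to its initial state."""

from dataclasses import dataclass, field
from typing import List, Optional


class ConfigError(ValueError):
    """Raised for combinations the guide says the device rejects."""


@dataclass
class Dot1xPort:
    name: str
    pvid: int = 1                           # default VLAN of the interface
    guest_vlan: Optional[int] = None        # dot1x guest-vlan <id>
    restrict_vlan: Optional[int] = None     # dot1x restrict-vlan <id>
    fail_times: int = 3                     # dot1x restrict-vlan fail-times (default 3)
    failures: int = 0
    authorized: bool = False
    vlan: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        # The configured restrict VLAN cannot be the default VLAN of the interface.
        if self.restrict_vlan is not None and self.restrict_vlan == self.pvid:
            raise ConfigError(f"{self.name}: restrict VLAN must differ from the PVID")
        self.vlan = self._idle_vlan()

    def _idle_vlan(self) -> int:
        # Before authentication the interface sits in the guest VLAN if one is configured.
        return self.guest_vlan if self.guest_vlan is not None else self.pvid

    def auth_success(self) -> int:
        """Client authenticated: interface is authorized, failure counter cleared."""
        self.authorized, self.failures, self.vlan = True, 0, self.pvid
        return self.vlan

    def auth_failure(self) -> int:
        """Client failed: after fail_times failures the interface joins the restrict VLAN."""
        self.authorized = False
        self.failures += 1
        if self.restrict_vlan is not None and self.failures >= self.fail_times:
            self.vlan = self.restrict_vlan
        else:
            self.vlan = self._idle_vlan()
        return self.vlan

    def logoff(self) -> int:
        """EAPOL-Logoff: back to the unauthenticated starting state."""
        self.authorized, self.failures, self.vlan = False, 0, self._idle_vlan()
        return self.vlan

    def can_reach(self, resource_vlan: int) -> bool:
        """Unauthenticated traffic stays inside the VLAN the interface currently
        sits in; an authorized user is not confined."""
        return self.authorized or resource_vlan == self.vlan


def walk(port: Dot1xPort, events: List[str]) -> List[int]:
    """Apply 'ok' / 'fail' / 'logoff' events in order and record the VLAN after each."""
    handlers = {"ok": port.auth_success, "fail": port.auth_failure, "logoff": port.logoff}
    return [handlers[e]() for e in events]
```

Running `walk(Dot1xPort("Ethernet0/0/0", guest_vlan=10, restrict_vlan=20), ["fail", "fail", "fail"])` returns `[10, 10, 20]`: the interface stays in the guest VLAN for the first two failures and is moved to the restrict VLAN on the third, which is the default fail-times. A port with only a guest VLAN never leaves it on failure, and constructing a port whose restrict VLAN equals its PVID raises `ConfigError`, mirroring the restriction in the NOTE above.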

5.3.14 (Optional) Enabling the Handshake Function

After the handshake function is enabled, the AR200-S sends handshake packets periodically to detect whether users are online.

Context

If a client does not support the handshake function, the AR200-S receives no handshake response within the handshake interval and considers the user offline. Therefore, if the client does not support the handshake function, disable the handshake function on the AR200-S.

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:dot1x handshake

The AR200-S is enabled to send handshake packets to online users.

By default, the AR200-S sends handshake packets to online users.

Step 3 (Optional) Run:dot1x timer handshake-period handshake-period-value

The handshake interval between the AR200-S and the 802.1x client is set.

By default, the handshake interval between the AR200-S and the 802.1x client is 60s.

----End

5.3.15 (Optional) Setting the Maximum Number of Times the AR200-S Sends Authentication Requests

Users may not respond to authentication requests if packets are discarded because of an unstable network. To solve this problem, set the maximum number of times authentication requests are sent.


Context

If the AR200-S does not receive a response after sending an authentication request to a user, it retransmits the request. If it still receives no response when the maximum number of transmissions is reached, it stops sending the authentication request to that user.

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:dot1x retry max-retry-value

The maximum number of times the AR200-S sends authentication requests is set.

By default, the AR200-S retransmits an authentication request to an access user twice.

----End

5.3.16 Checking the Configuration

Procedure

- Run the display dot1x [ statistics ] [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] or display dot1x global command to check the 802.1x authentication configuration.

- Run the display mac-address authen [ vlan vlan-id ] command to check MAC address entries of the authen type.

----End

5.4 Maintaining NAC

This section describes how to maintain NAC.

5.4.1 Clearing the Statistics on 802.1x Authentication

Before collecting 802.1x authentication statistics, run the reset command to clear the existing statistics.

Context

CAUTION

Statistics cannot be restored after being cleared. Exercise caution when you run the following command.


Run the following command in the user view to clear 802.1x authentication statistics.

Procedure

- Run the reset dot1x statistics [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to clear 802.1x authentication statistics.

----End

5.4.2 Clearing the Statistics on MAC Address Authentication

Before collecting statistics on MAC address authentication, run the reset command to clear the existing statistics.

Context

CAUTION

Statistics cannot be restored after being cleared. Exercise caution when you run the following command.

Run the following command in the user view to clear the statistics on MAC address authentication.

Procedure

- Run the reset mac-authen statistics [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to clear the statistics on MAC address authentication.

----End

5.5 Configuration Examples

This section provides several NAC configuration examples.

5.5.1 Example for Configuring 802.1x Authentication

After 802.1x authentication is configured, a user that is not authenticated can access only limited network resources. This ensures network security.

Networking Requirements

As shown in Figure 5-2, users access the Internet through the Router. To ensure network security, users must be authenticated before accessing the Internet. Users that are authenticated can access the Internet; users that fail to be authenticated can access only resources in VLAN 10.


Figure 5-2 Networking diagram of 802.1x authentication (diagram not reproduced)

The PC and the printer connect to the Router; Eth 0/0/0 is the access interface on which 802.1x authentication is enabled. The RADIUS server (192.168.2.30/24) is reached through Eth 0/0/8 (192.168.2.10/24), and Eth 0/0/1 connects to the Internet.

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure AAA authentication. User names and passwords are sent to the RADIUS server for authentication.

2. Configure 802.1x authentication to authenticate users on Ethernet 0/0/0.

3. Configure a guest VLAN so that users that fail to be authenticated can access resources in VLAN 10.

Data Preparation

To complete the configuration, you need the following data:

- IP address 192.168.2.30 and port number 1812 of the RADIUS authentication server
- RADIUS server key dot1x-isp and retransmission count 2
- AAA authentication scheme scheme1
- RADIUS server template temp1
- Domain isp1

NOTE

In this example, only the Router configuration is provided; the RADIUS server configuration is not covered here.

Procedure

Step 1 Configure a RADIUS server template.

# Configure a RADIUS server template temp1.

[Huawei] radius-server template temp1


# Configure the IP address and port number of the primary RADIUS authentication server.

[Huawei-radius-temp1] radius-server authentication 192.168.2.30 1812

# Configure the key and retransmission count of the RADIUS server.

[Huawei-radius-temp1] radius-server shared-key cipher dot1x-isp
[Huawei-radius-temp1] radius-server retransmit 2
[Huawei-radius-temp1] quit

Step 2 Create an authentication scheme scheme1 and set the authentication mode to RADIUS authentication.

[Huawei] aaa
[Huawei-aaa] authentication-scheme scheme1
[Huawei-aaa-scheme1] authentication-mode radius
[Huawei-aaa-scheme1] quit

Step 3 Create a domain isp1 and bind the authentication scheme and RADIUS server template to the domain.

[Huawei-aaa] domain isp1
[Huawei-aaa-domain-isp1] authentication-scheme scheme1
[Huawei-aaa-domain-isp1] radius-server temp1
[Huawei-aaa-domain-isp1] quit
[Huawei-aaa] quit

Step 4 Configure 802.1x authentication.

# Enable 802.1x authentication globally and on an interface.

[Huawei] dot1x enable
[Huawei] interface ethernet 0/0/0
[Huawei-Ethernet0/0/0] dot1x enable
[Huawei-Ethernet0/0/0] quit

# Configure a guest VLAN.

[Huawei] vlan batch 10
[Huawei] interface ethernet 0/0/0
[Huawei-Ethernet0/0/0] dot1x guest-vlan 10
[Huawei-Ethernet0/0/0] quit

Step 5 Verify the configuration.

Run the display dot1x interface command on the Router to view the 802.1x authentication configuration and statistics.

<Huawei> display dot1x interface ethernet 0/0/0
 Ethernet0/0/0 status: UP 802.1x protocol is enabled.
 Port control type is auto.
 Authentication method is MAC-based.
 Reauthentication is disabled.
 Maximum users: 128
 Current users: 1
 Port PVID : 1
 Port configured PVID : 1
 Guest VLAN : 10
 Restrict VLAN : 0

 Authentication success: 4   Authentication failure: 0
 EAPOL Packets: TX : 10   RX : 0
 Sent EAPOL Request/Identity Packets : 4
      EAPOL Request/Challenge Packets : 4
      Multicast Trigger Packets : 0
      EAPOL Success Packets : 4
      EAPOL Failure Packets : 0
 Received EAPOL Start Packets : 4
      EAPOL LogOff Packets : 3
      EAPOL Response/Identity Packets : 4
      EAPOL Response/Challenge Packets: 4

----End

Configuration Files

#
 vlan batch 10 20
#
dot1x enable
#
radius-server template temp1
 radius-server shared-key cipher #%I/SW5&ABHRID9_LGZK@1!!
 radius-server authentication 192.168.2.30 1812
 radius-server retransmit 2
#
aaa
 authentication-scheme scheme1
  authentication-mode radius
 domain isp1
  authentication-scheme scheme1
  radius-server temp1
#
interface Ethernet0/0/0
 dot1x enable
 dot1x guest-vlan 10
#
interface Ethernet0/0/8
 ip address 192.168.2.10 255.255.255.0
#
return
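A practitioner auditing many routers will want to check configuration files like the one above mechanically rather than by eye. The following linter is an added example, not code from the guide or from Huawei; it embeds the guide's own configuration file (with the cipher key redacted) and checks the rules this chapter states: 802.1x must be enabled globally as well as on the interface, a guest or restrict VLAN must actually be created, the restrict VLAN must not be the interface PVID, and the RADIUS template named by the domain must carry a shared key and an authentication server. Two labelled assumptions: an interface without a `port default vlan` line is treated as PVID 1, and VLANs are assumed to be created only with `vlan batch`.

```python
"""Lint a Huawei VRP-style configuration file for the 802.1x settings shown
above.  Added example, not code from the guide or from Huawei.  The sample
text is the guide's configuration file with the cipher key redacted.
Labelled assumptions: an interface without a 'port default vlan' line has
PVID 1, and VLANs are created only with 'vlan batch'."""

import re
from typing import Dict, List, Set

SAMPLE_CONFIG = """\
#
 vlan batch 10 20
#
dot1x enable
#
radius-server template temp1
 radius-server shared-key cipher <redacted>
 radius-server authentication 192.168.2.30 1812
 radius-server retransmit 2
#
aaa
 authentication-scheme scheme1
  authentication-mode radius
 domain isp1
  authentication-scheme scheme1
  radius-server temp1
#
interface Ethernet0/0/0
 dot1x enable
 dot1x guest-vlan 10
#
interface Ethernet0/0/8
 ip address 192.168.2.10 255.255.255.0
#
return
"""


def parse_sections(text: str) -> List[List[str]]:
    """Split the config on its '#' separator lines; each section is a list of stripped lines."""
    sections: List[List[str]] = []
    cur: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if cur:
                sections.append(cur)
            cur = []
        elif line:
            cur.append(line)
    if cur:
        sections.append(cur)
    return sections


def vlan_ids(sections: List[List[str]]) -> Set[int]:
    """Expand 'vlan batch 10 20 30 to 40' lines into the set of created VLAN IDs."""
    ids: Set[int] = set()
    for line in (l for s in sections for l in s):
        m = re.match(r"vlan batch (.+)", line)
        if not m:
            continue
        toks = m.group(1).split()
        i = 0
        while i < len(toks):
            if i + 2 < len(toks) and toks[i + 1] == "to":
                ids.update(range(int(toks[i]), int(toks[i + 2]) + 1))
                i += 3
            else:
                ids.add(int(toks[i]))
                i += 1
    return ids


def lint_dot1x(text: str) -> List[str]:
    """Return one finding per problem; an empty list means all checks passed."""
    findings: List[str] = []
    sections = parse_sections(text)
    vlans = vlan_ids(sections)
    global_dot1x = any(s[0] == "dot1x enable" for s in sections)
    templates: Dict[str, List[str]] = {
        s[0].split()[-1]: s[1:] for s in sections if s[0].startswith("radius-server template ")
    }
    for s in sections:
        if not s[0].startswith("interface "):
            continue
        name, body = s[0].split(None, 1)[1], s[1:]
        if "dot1x enable" not in body:
            continue
        if not global_dot1x:
            findings.append(f"{name}: dot1x enable has no effect, 802.1x is not enabled globally")
        pvid = 1  # assumption: no 'port default vlan' line means PVID 1
        special = []
        for line in body:
            m = re.match(r"port default vlan (\d+)", line)
            if m:
                pvid = int(m.group(1))
            m = re.match(r"dot1x (guest-vlan|restrict-vlan) (\d+)", line)
            if m:
                special.append((m.group(1), int(m.group(2))))
        for kind, vid in special:
            if vid not in vlans:
                findings.append(f"{name}: {kind} {vid} is not created with 'vlan batch'")
            if kind == "restrict-vlan" and vid == pvid:
                findings.append(f"{name}: restrict VLAN {vid} equals the interface PVID")
        if not special:
            findings.append(f"{name}: no guest or restrict VLAN, unauthenticated users get no access")
    # Every 'radius-server <template>' under aaa must name a template with a key and a server.
    for s in sections:
        if s[0] != "aaa":
            continue
        for line in s[1:]:
            m = re.match(r"radius-server (\S+)$", line)
            if not m:
                continue
            ref = m.group(1)
            tpl = templates.get(ref)
            if tpl is None:
                findings.append(f"domain references unknown RADIUS template {ref}")
            elif not any(l.startswith("radius-server shared-key") for l in tpl):
                findings.append(f"RADIUS template {ref} has no shared key")
            elif not any(l.startswith("radius-server authentication") for l in tpl):
                findings.append(f"RADIUS template {ref} has no authentication server")
    return findings
```

`lint_dot1x(SAMPLE_CONFIG)` returns an empty list for the guide's configuration. Removing the global `dot1x enable` and changing the interface line to `dot1x restrict-vlan 1` produces three findings: 802.1x not enabled globally, VLAN 1 not created with `vlan batch`, and a restrict VLAN equal to the PVID, which the device itself would refuse.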


6 ARP Security Configuration

About This Chapter

ARP security ensures the security and robustness of network devices by filtering out untrusted ARP packets, checking ARP packets against the binding table, and defending against ARP gateway conflicts.

6.1 ARP Security Overview
This section describes the principle of ARP security.

6.2 ARP Security Supported by the AR200-S
The ARP security features supported by the AR200-S include limitation of ARP entry learning, ARP anti-spoofing, defense against ARP gateway attacks, source address-based ARP packet suppression, source address-based ARP Miss packet suppression, and ARP packet rate limiting.

6.3 Configuring ARP Entry Limiting
This section describes how to configure ARP entry limiting.

6.4 Configuring ARP Anti-attack
The ARP anti-attack function defends against attacks from bogus hosts and gateways and against man-in-the-middle attacks.

6.5 Configuring ARP Suppression
If the AR200-S receives a lot of ARP attack packets, the ARP table overflows or the CPU usage is high. The AR200-S prevents ARP attacks by discarding attack packets and limiting the rate of attack packets.

6.6 Maintaining ARP Security
This section describes how to maintain ARP security.

6.7 Configuration Examples
This section provides ARP security configuration examples.


6.1 ARP Security Overview

This section describes the principle of ARP security.

ARP Attacks

ARP-oriented attacks include ARP spoofing attacks and ARP flood attacks.

- ARP spoofing attack: An attacker sends a large number of bogus ARP packets to modify ARP entries of network devices. As a result, packet forwarding is affected. Attackers initiate ARP spoofing attacks by using either of the following methods:
  – Forging user host IP addresses
  – Forging gateway addresses

- ARP flood attack: An attacker sends a large number of bogus ARP Request packets or gratuitous ARP packets. The AR200-S is busy with ARP processing for a long period and cannot process other services. The rate of ARP packets may exceed the limit and ARP entries may overflow. As a result, ARP entries of valid users cannot be buffered and packet forwarding is affected. ARP flood attacks are classified into the following types:
  – ARP Denial of Service (DoS) attacks
  – ARP buffer overflow attacks
  – ARP-based network scanning attacks

ARP Security

ARP security ensures the security and robustness of network devices by filtering out untrusted ARP packets, checking ARP packets against the binding table, and defending against ARP gateway conflicts.

6.2 ARP Security Supported by the AR200-S

The ARP security features supported by the AR200-S include limitation of ARP entry learning, ARP anti-spoofing, defense against ARP gateway attacks, source address-based ARP packet suppression, source address-based ARP Miss packet suppression, and ARP packet rate limiting.

ARP Entry Limiting

You can configure strict ARP learning so that the AR200-S learns only the ARP Reply packets that answer ARP Request packets it sent itself.

You can set the maximum number of ARP entries that an interface can learn dynamically. This prevents malicious consumption of ARP entries and ensures that the AR200-S can still learn the ARP entries of authorized users.

ARP Anti-spoofing

ARP spoofing means that attackers use ARP packets sent by authorized users to construct bogus ARP packets and modify ARP entries on the gateway. As a result, the authorized users are disconnected from the network.

The AR200-S can prevent ARP spoofing by using the following methods:


- Fixed MAC address: After learning an ARP entry, the AR200-S does not allow the MAC address in that entry to be modified through ARP learning until the entry ages. This prevents ARP entries of authorized users from being modified without permission. The fixed MAC address method has two modes: fixed-mac and fixed-all. In fixed-mac mode, MAC addresses cannot be modified, but VLANs and interfaces can be modified. In fixed-all mode, MAC addresses, VLANs, and interfaces cannot be modified.

- send-ack: The AR200-S does not modify an ARP entry immediately when it receives an ARP packet requesting that a MAC address be modified. Instead, the AR200-S sends a unicast packet for acknowledgement to the user matching this MAC address in the original ARP table.

Defense Against ARP Gateway Attacks

An ARP gateway attack means that an attacker sends gratuitous ARP packets whose source IP address is the gateway address on a local area network (LAN). After receiving these packets, hosts replace the gateway entry in their ARP tables with the address of the attacker. As a result, none of the hosts on the LAN can access the network.

When the AR200-S receives ARP packets with a bogus gateway address, either of the following situations can occur:

- The source IP address in the ARP packets is the same as the IP address of the interface that receives the packets.

- The source IP address in the ARP packets is the virtual IP address of the inbound interface, but the source MAC address of the ARP packets is not the virtual MAC address of the Virtual Router Redundancy Protocol (VRRP) group, when the VRRP group is in virtual MAC address mode.

In the preceding situations, the AR200-S generates ARP anti-attack entries and discards the packets for a period (the default value is three minutes). This prevents ARP packets with the bogus gateway address from being broadcast in the VLAN.

To ensure that packets sent by hosts on the internal network are forwarded to the gateway, and to prevent malicious users from intercepting these packets, the AR200-S sends gratuitous ARP packets at a specified interval to update the gateway address in the ARP entries of the hosts.

Source Address-based ARP Packet Suppression

When a large number of ARP packets are sent from one source IP address, they consume CPU resources of the AR200-S and the bandwidth reserved for sending ARP packets.

The AR200-S can limit the rate of ARP packets with a specified source IP address. If the number of ARP packets with that source IP address received by the AR200-S within a specified period exceeds the threshold, the AR200-S does not process the excess ARP Request packets.

Source Address-based ARP Miss Packet Suppression

When a host sends a large number of IP packets with unreachable destination IP addresses to attack the device, the AR200-S suppresses the ARP Miss packets with the specified source IP address.

If a large number of IP packets whose destination IP address cannot be resolved are sent to the AR200-S from a source IP address, ARP Miss packets are triggered. The AR200-S collects statistics on the ARP Miss packets. If a source IP address triggers ARP Miss packets continuously in a period and the triggering rate exceeds the threshold, the AR200-S considers that an attack is occurring.

To protect the CPU when such an attack is detected, configure a rate limit for ARP Miss packets so that the CPU remains available to process other services.

Rate Limiting on ARP Packets and ARP Miss Packets

The AR200-S limits the rate of ARP packets globally, per interface, or per VLAN ID, and the rate of ARP Miss packets globally. This prevents a large number of ARP packets or ARP Miss packets from being sent to the security module, so system performance does not deteriorate.
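The source address-based suppression described in the three subsections above (a per-source packets-per-second ceiling, with per-address overrides and an "Others" default, as the `display arp anti-attack configuration` output later in this chapter shows) can be reproduced on a captured packet stream to see which sources the device would start dropping. The following is an added example, not code from the guide or from Huawei; the traffic is constructed, and the one-second fixed counting window is an assumption about how the threshold is applied.

```python
"""Per-source ARP and ARP Miss suppression as the guide describes it: each
source IP gets a ceiling in packets per second, with per-address overrides and
an 'Others' default.  Added example, not code from the guide or from Huawei;
the packet stream is constructed and the one-second fixed counting window is
an assumption."""

from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple


class SourceRateLimiter:
    """Counts packets per (source, second); packets beyond the source's
    suppress-rate within that second are dropped.  Rate 0 disables suppression
    for that source, as the display output notes."""

    def __init__(self, default_rate: int, overrides: Optional[Dict[str, int]] = None) -> None:
        self.default_rate = default_rate            # the 'Others' row
        self.overrides = dict(overrides or {})      # per-address rows
        self.counts: Dict[Tuple[str, int], int] = defaultdict(int)
        self.dropped: Dict[str, int] = defaultdict(int)

    def rate_for(self, src: str) -> int:
        return self.overrides.get(src, self.default_rate)

    def accept(self, src: str, t: float) -> bool:
        """True if the packet is processed, False if it is suppressed."""
        rate = self.rate_for(src)
        if rate == 0:
            return True
        key = (src, int(t))
        self.counts[key] += 1
        if self.counts[key] > rate:
            self.dropped[src] += 1
            return False
        return True


def run_stream(limiter: SourceRateLimiter,
               packets: Iterable[Tuple[float, str]]) -> Dict[str, Tuple[int, int]]:
    """Feed (timestamp, source IP) pairs; return {source: (accepted, dropped)}."""
    accepted: Dict[str, int] = defaultdict(int)
    for t, src in packets:
        if limiter.accept(src, t):
            accepted[src] += 1
    return {src: (accepted[src], limiter.dropped[src])
            for src in set(accepted) | set(limiter.dropped)}


def burst(src: str, n: int, start: float, span: float) -> List[Tuple[float, str]]:
    """Constructed traffic: n packets from src spread evenly over [start, start + span)."""
    return [(start + i * span / n, src) for i in range(n)]


def demo() -> Dict[str, Tuple[int, int]]:
    """Replays the rates in the sample display output: 10.0.0.1 may send 512 pps,
    every other source 126 pps."""
    arp = SourceRateLimiter(default_rate=126, overrides={"10.0.0.1": 512})
    traffic = (burst("10.0.0.1", 600, 0.0, 1.0)      # privileged host, still over its own limit
               + burst("10.0.0.7", 300, 0.0, 1.0)    # ordinary host flooding in second 0
               + burst("10.0.0.7", 100, 1.0, 1.0)    # same host back under the limit in second 1
               + burst("10.0.0.9", 50, 0.0, 1.0))    # normal host, never suppressed
    return run_stream(arp, traffic)
```

`demo()` returns `(512, 88)` for 10.0.0.1, `(226, 174)` for 10.0.0.7 (126 of 300 accepted in the first second, all 100 in the next) and `(50, 0)` for 10.0.0.9. The same class models ARP Miss suppression: instantiate it with the ARP Miss rows from the display output (`SourceRateLimiter(500, {"10.134.23.6": 400})`) and feed it the sources of packets whose destination could not be resolved instead of ARP packets.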

6.3 Configuring ARP Entry Limiting

This section describes how to configure ARP entry limiting.

6.3.1 Establishing the Configuration Task

Before configuring ARP entry limiting, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

After strict ARP learning is enabled, the AR200-S learns only the ARP Reply packets corresponding to the ARP Request packets that it sends.

You can configure interface-based ARP entry limiting to limit the number of ARP entries dynamically learned by the interfaces.

Pre-configuration Tasks

Before configuring ARP entry limiting, complete the following task:

- Setting link layer protocol parameters and the interface IP address so that the link layer protocol is Up

Data Preparation

To configure ARP entry limiting, you need the following data.

No.  Data
1    Type and number of the interface where ARP entry limiting will be configured


6.3.2 Enabling Strict ARP Learning

Strict ARP learning stops the AR200-S from learning ARP entries from unsolicited packets, such as packets carrying a bogus gateway address that an attacker sends to attack the AR200-S.

Procedure

- Configuring strict ARP learning globally

1. Run:system-view

The system view is displayed.

2. Run:arp learning strict

Strict ARP learning is enabled.

By default, strict ARP learning is disabled on the AR200-S.

- Configuring strict ARP learning on an interface

1. Run:system-view

The system view is displayed.

2. Run:interface interface-type interface-number

The interface view is displayed.

On the AR200-S, strict ARP learning can be enabled on Layer 3 Ethernet interfaces and their sub-interfaces, Layer 3 Eth-Trunk interfaces and their sub-interfaces, and VLANIF interfaces.

3. Run:arp learning strict { force-enable | force-disable | trust }

The strict ARP entry learning function is enabled on the interface.

– force-enable: enables strict ARP entry learning on an interface.

– force-disable: disables strict ARP entry learning on an interface.

– trust: indicates that strict ARP entry learning on the interface follows the global configuration.

By default, the strict ARP entry learning configuration on an interface is the same as the global configuration.

----End

6.3.3 Configuring Interface-based ARP Entry Limiting

If attackers occupy a large number of ARP entries, the AR200-S cannot learn ARP entries of authorized users. To prevent such attacks, set the maximum number of ARP entries that can be dynamically learned by an interface.


Procedure

- Configuring interface-based ARP entry limiting

1. Run:system-view

The system view is displayed.

2. Run:

interface interface-type interface-number

The interface view is displayed.

3. Run:

arp-limit [ vlan vlan-id1 [ to vlan-id2 ]] maximum maximum

Interface-based ARP entry limiting is configured.

The vlan parameter can only be specified in the Layer 2 interface view.

- Configuring sub-interface-based ARP entry limiting

1. Run:system-view

The system view is displayed.

2. Run:

interface interface-type interface-number.subnumber

The sub-interface view is displayed.

On the AR200-S, sub-interface-based ARP entry limiting can be enabled on Ethernet sub-interfaces and Eth-Trunk sub-interfaces.

3. Run:arp-limit maximum maximum

Sub-interface-based ARP entry limiting is configured.

----End

6.3.4 Checking the Configuration

After the ARP entry limiting configuration is complete, verify it as follows.

Procedure

- Run the display arp learning strict command to view the configuration of strict ARP learning.
- Run the display arp-limit [ interface interface-type interface-number ] [ vlan vlan-id ] command to view the maximum number of ARP entries that can be learned on an interface or in a VLAN.

----End

Example

Run the display arp learning strict command to view the configuration of strict ARP learning.

<Huawei> display arp learning strict
 The global configuration:arp learning strict
 Interface              LearningStrictState
------------------------------------------------------------
 Ethernet1/0/0          force-enable
 Vlanif1                force-enable
------------------------------------------------------------
 Total:2
 Force-enable:2         Force-disable:0

# Display the maximum number of ARP entries that can be learned on the entire device.

<Huawei> display arp-limit
 interface        LimitNum   VlanID   LearnedNum(Mainboard)
---------------------------------------------------------------------------
 Ethernet1/0/0    10         0        0
 Ethernet0/0/0    10         10       0
---------------------------------------------------------------------------
 Total:2

6.4 Configuring ARP Anti-attack

The ARP anti-attack function defends against attacks from bogus hosts and gateways and against man-in-the-middle attacks.

6.4.1 Establishing the Configuration Task

Before configuring defense against ARP attacks, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

On an enterprise network, ARP entries are easily attacked; therefore, you can configure the following ARP anti-attack functions at the access layer to ensure network security:

- To prevent attackers from forging ARP packets of authorized users and modifying the ARP entries on the gateway, configure the ARP address anti-spoofing function.

- To prevent attackers from sending gratuitous ARP packets whose source IP address is the forged gateway address on a LAN, configure the ARP gateway anti-collision function and configure the AR200-S to send gratuitous ARP packets.

- To prevent unauthorized users from accessing external networks by sending ARP packets to the AR200-S, configure the ARP packet checking function.

Prerequisites

Before configuring defense against ARP attacks, complete the following task:

- Setting link layer protocol parameters and assigning IP addresses to interfaces to ensure that the link layer protocol status of the interfaces is Up

Data Preparation

To configure defense against ARP attacks, you need the following data.


No.  Data
1    Check item in ARP packets
2    (Optional) Alarm threshold for ARP packets discarded because they do not match the binding table
3    (Optional) Interval at which gratuitous ARP packets are sent

6.4.2 Configuring ARP Anti-spoofing

This section describes how to configure ARP anti-spoofing.

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable

ARP anti-spoofing is enabled.

You can use only one ARP anti-spoofing mode at one time. If you run the arp anti-attack entry-check command multiple times, only the latest configuration takes effect.

By default, ARP anti-spoofing is disabled on the AR200-S.

----End
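The three entry-check modes set by the command above behave differently when an attacker claims an IP address that is already bound in the ARP table. The following model is an added example, not code from the guide or from Huawei: it keeps an ARP table keyed by IP and applies the fixed-mac, fixed-all and send-ack rules as section 6.2 describes them. One labelled assumption: the guide says send-ack sends a unicast check to the current holder of the MAC but does not state the outcome, so the model applies the change only when that check goes unanswered.

```python
"""ARP table behaviour under the `arp anti-attack entry-check` modes
(fixed-mac, fixed-all, send-ack).  Added example, not code from the guide or
from Huawei.  Assumptions: the table is keyed by IP; in send-ack mode the
pending change is applied only if the unicast confirmation to the old MAC
goes unanswered (the guide does not spell that outcome out)."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class ArpEntry:
    mac: str
    vlan: int
    interface: str
    aged: bool = False


class ArpTable:
    def __init__(self, mode: Optional[str] = None,
                 ack_probe: Optional[Callable[[str, str], bool]] = None) -> None:
        assert mode in (None, "fixed-mac", "fixed-all", "send-ack")
        self.mode = mode
        self.entries: Dict[str, ArpEntry] = {}
        self.log: List[str] = []
        # ack_probe(ip, old_mac) -> True if the original holder answers the unicast check
        self.ack_probe = ack_probe or (lambda ip, mac: False)

    def learn(self, ip: str, mac: str, vlan: int, interface: str) -> bool:
        """Apply an ARP packet to the table; return True if the entry was (re)written."""
        cur = self.entries.get(ip)
        if cur is None or cur.aged:
            self.entries[ip] = ArpEntry(mac, vlan, interface)   # fresh learning is always allowed
            return True
        if (cur.mac, cur.vlan, cur.interface) == (mac, vlan, interface):
            return False                                        # plain refresh, nothing to protect
        if self.mode == "fixed-mac" and cur.mac != mac:
            self.log.append(f"drop: MAC change for {ip} until the entry ages")
            return False
        if self.mode == "fixed-all":
            self.log.append(f"drop: MAC/VLAN/interface change for {ip} until the entry ages")
            return False
        if self.mode == "send-ack" and cur.mac != mac and self.ack_probe(ip, cur.mac):
            self.log.append(f"drop: {ip} still answers at {cur.mac}")
            return False
        self.entries[ip] = ArpEntry(mac, vlan, interface)
        return True

    def age_out(self, ip: str) -> None:
        if ip in self.entries:
            self.entries[ip].aged = True

    def mac_of(self, ip: str) -> Optional[str]:
        e = self.entries.get(ip)
        return e.mac if e else None


def spoof_scenario(mode: Optional[str], victim_answers: bool = True) -> Dict[str, object]:
    """Victim 10.0.0.5 binds first, then an attacker claims the same IP with its own MAC,
    then the victim legitimately moves to another VLAN/port, then the entry ages."""
    t = ArpTable(mode, ack_probe=lambda ip, mac: victim_answers)
    t.learn("10.0.0.5", "0011-2233-4455", 10, "Ethernet0/0/0")
    spoof = t.learn("10.0.0.5", "0bad-bad0-0bad", 10, "Ethernet0/0/1")
    move = t.learn("10.0.0.5", "0011-2233-4455", 20, "Ethernet0/0/2")   # same MAC, new VLAN/port
    t.age_out("10.0.0.5")
    after_age = t.learn("10.0.0.5", "0bad-bad0-0bad", 10, "Ethernet0/0/1")
    return {"spoof": spoof, "move": move, "after_age": after_age, "mac": t.mac_of("10.0.0.5")}
```

With no mode the spoof lands immediately. In fixed-mac mode the spoof is rejected but the victim's legitimate VLAN/port move is accepted; fixed-all rejects both until the entry ages; send-ack rejects the spoof only while the original holder still answers the unicast check. In every mode the aged entry is relearned from whatever speaks next, which is why the guide pairs entry-check with ARP gateway anti-collision and gratuitous ARP rather than relying on it alone.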

6.4.3 Configuring the AR200-S to Check Source MAC Address Consistency in ARP Packets

The AR200-S checks the validity of ARP packets and discards invalid ones to defend against ARP attacks.

Context

By default, the AR200-S checks the following items of ARP packets:

- Packet length
- Validity of source and destination MAC addresses in the Ethernet header
- VLAN tag
- Packet type (the operation code must be 1, request, or 2, reply)
- Hardware address length
- IP address length
- Whether the ARP packet is encapsulated in an Ethernet frame


By default, the AR200-S checks the source and destination MAC addresses of all ARP packets. If an ARP packet has an all-0 source or destination MAC address, the AR200-S discards the ARP packet.

Generally, the Ethernet header and the ARP header of an ARP packet carry the same source MAC address. If the two headers carry different source MAC addresses, the ARP packet may be an attack packet. To protect the AR200-S from such ARP attacks, configure it to check that the source MAC addresses in the Ethernet and ARP headers are consistent.

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:arp anti-attack packet-check sender-mac

The AR200-S is configured to check the consistency of source MAC addresses in the Ethernet and ARP headers of ARP packets.

By default, the AR200-S does not check the consistency of source MAC addresses in the Ethernet and ARP headers of ARP packets.

----End
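The default validity checks listed in the Context above, together with the optional sender-MAC consistency check that `arp anti-attack packet-check sender-mac` turns on, can be reproduced on raw frames to see exactly which packets each check catches. The following is an added example, not code from the guide or from Huawei: the frames are constructed, the exact set and order of checks is an assumption (the guide lists the items but not the order), and the VLAN tag check is left out because the samples are untagged.

```python
"""ARP packet validity checks of the kind the guide lists (length, all-zero
MACs, Ethernet encapsulation, opcode 1 or 2, hardware/protocol address lengths)
plus the optional sender-MAC consistency check.  Added example, not code from
the guide or from Huawei; frames are constructed and the order of checks is an
assumption."""

import struct
from typing import Dict, Optional

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ZERO_MAC = b"\x00" * 6


def check_arp_frame(frame: bytes, sender_mac_check: bool = False) -> Optional[str]:
    """Return None if the frame passes, otherwise the reason it would be dropped."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return "packet length"
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return "not an ARP packet in an Ethernet frame"
    if src == ZERO_MAC or dst == ZERO_MAC:
        return "all-zero source or destination MAC"
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if htype != 1 or ptype != 0x0800:
        return "not Ethernet/IPv4 ARP"
    if hlen != 6:
        return "hardware address length"
    if plen != 4:
        return "IP address length"
    if op not in (1, 2):
        return "packet type (opcode must be 1 or 2)"
    # Optional check enabled by 'arp anti-attack packet-check sender-mac':
    # the sender MAC inside the ARP header must match the Ethernet source MAC.
    if sender_mac_check and sha != src:
        return "sender MAC in ARP header differs from Ethernet source MAC"
    return None


def ip4(dotted: str) -> bytes:
    return bytes(int(x) for x in dotted.split("."))


def build_arp(src_mac: bytes, dst_mac: bytes, op: int, sha: bytes, spa: str,
              tha: bytes, tpa: str) -> bytes:
    """Constructed frame builder for the samples (not device code)."""
    return (ETH_HDR.pack(dst_mac, src_mac, ETHERTYPE_ARP)
            + ARP_HDR.pack(1, 0x0800, 6, 4, op, sha, ip4(spa), tha, ip4(tpa)))


HOST = bytes.fromhex("001122334455")
GATEWAY = bytes.fromhex("00aabbccddee")
ATTACKER = bytes.fromhex("0badbadbad00")
BCAST = b"\xff" * 6

# Constructed samples: one clean request, one reply whose ARP-header sender MAC
# claims to be the gateway while the frame really comes from the attacker,
# and three malformed frames that the default checks reject.
SAMPLES: Dict[str, bytes] = {
    "legit request": build_arp(HOST, BCAST, 1, HOST, "10.0.0.5", ZERO_MAC, "10.0.0.1"),
    "spoofed sender mac": build_arp(ATTACKER, BCAST, 2, GATEWAY, "10.0.0.1", HOST, "10.0.0.5"),
    "zero src mac": build_arp(ZERO_MAC, BCAST, 1, HOST, "10.0.0.5", ZERO_MAC, "10.0.0.1"),
    "bad opcode": build_arp(HOST, BCAST, 9, HOST, "10.0.0.5", ZERO_MAC, "10.0.0.1"),
    "truncated": build_arp(HOST, BCAST, 1, HOST, "10.0.0.5", ZERO_MAC, "10.0.0.1")[:30],
}


def verdicts(sender_mac_check: bool) -> Dict[str, Optional[str]]:
    """Run every sample through the checks with the optional check on or off."""
    return {name: check_arp_frame(f, sender_mac_check) for name, f in SAMPLES.items()}
```

With the optional check off, the "spoofed sender mac" frame passes every default check, which is the point of the section: its Ethernet and ARP headers are individually well-formed, only their disagreement gives it away. With `sender_mac_check=True` it is rejected while the legitimate request still passes.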

6.4.4 Configuring ARP Gateway Anti-collision

If an attacker sends ARP packets whose source IP address is the gateway address, ARP entries of hosts in the VLAN are modified incorrectly. ARP gateway anti-collision solves this problem.

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:arp anti-attack gateway-duplicate enable

ARP gateway anti-collision is enabled.

After ARP gateway anti-collision is enabled, the AR200-S generates ARP anti-collision entries and, for a period of time, discards packets with the same source MAC address in the Ethernet header. This prevents ARP packets with a bogus gateway address from being broadcast in a VLAN.

----End

6.4.5 Configuring the AR200-S to Send Gratuitous ARP Packets

By configuring the AR200-S to send gratuitous ARP packets, the AR200-S can deliver user packets to the correct gateway and prevent malicious attackers from intercepting these packets.


Context

The AR200-S periodically sends gratuitous ARP Request packets whose target IP address is the gateway address, so that hosts on the network refresh the gateway MAC address in their ARP entries. In this way user packets reach the correct gateway and attackers cannot intercept them.

When the AR200-S functions as a gateway, enable gratuitous ARP packet sending globally or on an interface. If the function is enabled both globally and on an interface, the interface configuration takes effect.

Procedure

- Configuring the AR200-S to send gratuitous ARP packets globally

1. Run:system-view

The system view is displayed.

2. Run:arp gratuitous-arp send enable

Gratuitous ARP packet sending is enabled.

By default, gratuitous ARP packet sending is disabled.

3. (Optional) Run:arp gratuitous-arp send interval interval-time

The interval for sending gratuitous ARP packets is set.

By default, the interval for sending gratuitous ARP packets is 90s.

- Configuring the AR200-S to send gratuitous ARP packets on an interface

1. Run:system-view

The system view is displayed.

2. Run:interface vlanif vlan-id

The VLANIF interface view is displayed.

3. Run:arp gratuitous-arp send enable

Gratuitous ARP packet sending is enabled.

By default, gratuitous ARP packet sending is disabled.

4. (Optional) Run:arp gratuitous-arp send interval interval-time

The interval for sending gratuitous ARP packets is set.

By default, the interval for sending gratuitous ARP packets is 90s.

----End


6.4.6 Checking the Configuration

This section describes how to check the ARP anti-attack configuration.

Procedure

- Run the display arp anti-attack configuration { arp-rate-limit | arpmiss-rate-limit | arp-speed-limit | arpmiss-speed-limit | entry-check | gateway-duplicate | log-trap-timer | all } command to check the ARP anti-attack configuration.

- Run the display arp anti-attack gateway-duplicate item command to check information about bogus gateway address attacks.

----End

Example

Run the display arp anti-attack configuration all command to view the ARP anti-attack configuration.

<Huawei> display arp anti-attack configuration all
 ARP anti-attack packet-check function: enable
 ARP anti-attack entry-check mode: disabled
 ARP gateway-duplicate anti-attack function: disabled

 ARP rate-limit configuration:
 -------------------------------------------------------------------------------
 Global configuration:
   arp anti-attack rate-limit enable
   arp packet drop count = 0
 Interface configuration:
 -------------------------------------------------------------------------------

 ARP miss rate-limit configuration:
 -------------------------------------------------------------------------------
 Global configuration:
   arp-miss anti-attack rate-limit enable
 -------------------------------------------------------------------------------

 ARP speed-limit for source-MAC configuration:
 MAC-address          suppress-rate(pps)(rate=0 means function disabled)
 -------------------------------------------------------------------------------
 0000-0000-0001       200
 Others               100
 -------------------------------------------------------------------------------
 1 specified MAC addresses are configured, spec is 256 items.

 ARP speed-limit for source-IP configuration:
 IP-address           suppress-rate(pps)(rate=0 means function disabled)
 -------------------------------------------------------------------------------
 10.0.0.1             512
 Others               126
 -------------------------------------------------------------------------------
 1 specified IP addresses are configured, spec is 128 items.

 ARP miss speed-limit for source-IP configuration:
 IP-address           suppress-rate(pps)(rate=0 means function disabled)
 -------------------------------------------------------------------------------
 10.134.23.6          400
 Others               500
 -------------------------------------------------------------------------------
 1 specified IP addresses are configured, spec is 128 items.


Run the display arp anti-attack gateway-duplicate item command to view information about bogus gateway address attacks.

<Huawei> display arp anti-attack gateway-duplicate item
 interface      IP address      MAC address      VLANID   aging time
 -------------------------------------------------------------------------------
 Ethernet1/0/0  2.1.1.1         0000-0000-0002   2        150
 -------------------------------------------------------------------------------
 There are 1 records in gateway conflict table

6.5 Configuring ARP Suppression
If the AR200-S receives a lot of ARP attack packets, the ARP table overflows or the CPU usage is high. The AR200-S prevents ARP attacks by discarding attack packets and limiting the rate of attack packets.

6.5.1 Establishing the Configuration Task
Before configuring ARP suppression, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
On intranets, ARP entries are often used to initiate attacks; therefore, it is required to configure ARP anti-attack on the access layer to ensure network security.

- To prevent excess ARP packets from occupying the CPU and prevent excess ARP entries, configure the rate limit for ARP packets to limit the number of ARP packets sent to the SRU.

- To prevent a host from sending excess IP packets with destination IP addresses that cannot be resolved, configure the rate limit for ARP Miss packets. The AR200-S discards these IP packets.

- After IP source guard is enabled on an interface, all the ARP packets passing through the interface are forwarded to the security module for checking. If excess ARP packets are sent to the security module, performance of the security module deteriorates. To solve this problem, configure the rate limit for ARP packets so that the packets that exceed the rate limit are discarded.

Pre-configuration Tasks
Before configuring ARP suppression, complete the following task:
- Setting link layer protocol parameters and the interface IP address and enabling the link layer protocol

Data Preparation
To configure ARP suppression, you need the following data.


No.  Data
1    Rate limit for ARP packets with a specified source IP address
2    Rate limit for ARP Miss packets with a specified source IP address
3    Rate limit duration and rate limit for sending ARP packets.
     (Optional) Alarm threshold for the number of discarded ARP packets that exceed the rate limit.
4    Rate limit duration and rate limit for sending ARP Miss packets.
     (Optional) Alarm threshold for the number of discarded ARP packets that exceed the rate limit.
5    Rate limit of broadcasting ARP Request packets on the VLANIF interface of the super-VLAN

6.5.2 Configuring Source IP Address-based ARP Packet Suppression

This section describes how to configure source IP address-based ARP packet suppression.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
arp speed-limit source-ip maximum maximum

The rate limit of ARP packets is set.

Step 3 (Optional) Run:
arp speed-limit source-ip ip-address maximum maximum

The rate limit of ARP packets with a specified source IP address is set.

After the preceding configurations are complete, the rate limit of ARP packets with a specified source IP address is limited to the value specified by maximum in step 3, and the rate limit of ARP packets with other source IP addresses is limited to the value specified by maximum in step 2.

----End


6.5.3 Configuring Rate Limit of ARP Packets
This section describes how to configure the rate limit for ARP packets.

Procedure
- Configuring the rate limit of ARP packets in the system view

1. Run:
system-view

The system view is displayed.
2. Run:

arp anti-attack rate-limit enable

Rate limiting of ARP packets is enabled.

By default, rate limiting of ARP packets is disabled globally.
3. Run:

arp anti-attack rate-limit packet-number [ interval-value ]

The rate limit duration and the rate limit of ARP packets are set.

After the rate limit duration and the rate limit of ARP packets are set, ARP packets whose rate exceeds the rate limit in the rate limit duration are discarded. By default, the rate limit of ARP packets is 100 and the rate limit duration of ARP packets is 1s.

4. (Optional) Run:
arp anti-attack rate-limit alarm enable

The alarm function for ARP packets that are discarded when the rate of ARP packets exceeds the rate limit is enabled.

By default, the alarm function for ARP packets that are discarded when the rate of ARP packets exceeds the rate limit is disabled.

5. (Optional) Run:
arp anti-attack rate-limit alarm threshold threshold

The alarm threshold for the number of ARP packets discarded when the rate of ARP packets exceeds the rate limit is set.

By default, the alarm threshold for the number of ARP packets discarded is 100.
- Configuring the rate limit of ARP packets in the interface view

1. Run:
system-view

The system view is displayed.
2. Run:

interface interface-type interface-number

The interface view is displayed.

The interface type can be Ethernet or Eth-Trunk.
3. Run:

arp anti-attack rate-limit enable

Rate limiting of ARP packets is enabled.


By default, rate limiting of ARP packets is disabled.
4. Run:

arp anti-attack rate-limit packet-number [ interval-value ]

The rate limit duration and the rate limit of ARP packets are set.

After the rate limit duration and the rate limit of ARP packets are set, ARP packets whose rate exceeds the rate limit in the rate limit duration are discarded. By default, the rate limit of ARP packets is 100 and the rate limit duration of ARP packets is 1s.

5. (Optional) Run:
arp anti-attack rate-limit alarm enable

The alarm function for ARP packets that are discarded when the rate of ARP packets exceeds the rate limit is enabled.

By default, the alarm function for ARP packets that are discarded when the rate of ARP packets exceeds the rate limit is disabled.

6. (Optional) Run:
arp anti-attack rate-limit alarm threshold threshold

The alarm threshold for the number of ARP packets discarded when the rate of ARP packets exceeds the rate limit is set.

By default, the alarm threshold for the number of ARP packets discarded is 100.

----End

6.5.4 Configuring Source IP Address-based ARP Miss Packet Suppression

This section describes how to configure source IP address-based ARP Miss packet suppression.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
arp-miss speed-limit source-ip maximum maximum

The rate limit of ARP Miss packets is set.

Step 3 (Optional) Run:
arp-miss speed-limit source-ip ip-address maximum maximum

The rate limit of ARP Miss packets with a specified source IP address is set.

After the preceding configurations are complete, the rate limit of ARP Miss packets with a specified source IP address is specified by maximum in step 3, and the rate limit of ARP Miss packets with other source IP addresses is specified by maximum in step 2.

If the rate limit of ARP packets is 0, ARP Miss packets are not suppressed. By default, the rate limit of ARP Miss packets is 5 pps.

----End


6.5.5 Configuring Rate Limiting of ARP Miss Packets
This section describes how to configure rate limiting for ARP Miss packets.

Context
If many ARP Miss packets are triggered, the system is busy in broadcasting ARP request packets and its performance deteriorates. After ARP Miss suppression is configured, the system counts ARP Miss packets generated within a specified period and discards excess ARP Miss packets.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
arp-miss anti-attack rate-limit enable

Rate limiting of ARP Miss packets is enabled globally.

By default, rate limiting of ARP Miss packets is disabled globally.

Step 3 Run:
arp-miss anti-attack rate-limit packet-number [ interval-value ]

The rate limit duration and the rate limit of ARP Miss packets are set.

After the rate limit duration and the rate limit of ARP Miss packets are set, ARP Miss packets that exceed the rate limit in the rate limit duration are discarded. By default, the rate limit of ARP Miss packets is 100 packets per second.

Step 4 (Optional) Run:
arp-miss anti-attack rate-limit alarm enable

The alarm function for the discarded ARP Miss packets that exceed the rate limit is enabled.

By default, the alarm function is disabled.

Step 5 (Optional) Run:
arp-miss anti-attack rate-limit alarm threshold threshold

The alarm threshold for the discarded ARP Miss packets that exceed the rate limit is set.

By default, the alarm threshold is 100.

----End

6.5.6 Configuring Source MAC Address-based ARP Packet Suppression

This section describes how to configure source MAC address-based ARP packet suppression.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
arp speed-limit source-mac maximum maximum

The rate limit of ARP packets is set.

Step 3 (Optional) Run:
arp speed-limit source-mac ip-address maximum maximum

The rate limit of ARP packets with a specified source MAC address is set.

After the preceding configurations are complete, the rate limit of ARP packets with a specified source MAC address is specified by maximum in step 3, and the rate limit of ARP packets with other source MAC addresses is specified by maximum in step 2.

----End
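The following simulation is an added illustration of the suppression behaviour described in 6.5.2 to 6.5.6; it is not Huawei code and does not reproduce the router's implementation. It models the per-source speed limit (keyed by source IP for ARP and ARP Miss packets, or by source MAC), where a source without its own entry falls under the "Others" rate and a rate of 0 means the source is not suppressed, together with the global rate limit of packet-number packets per interval-value seconds and its alarm threshold on discarded packets. The class and function names, the one-second counting window, and the order in which the two limits are applied (per-source first, then global) are assumptions made for the example; the packet stream is constructed from the values used in the configuration example in 6.7.1.

```python
"""Simulation of the ARP suppression mechanisms in 6.5.2 to 6.5.6 (added
illustration, not Huawei code): a per-source speed limit keyed by source IP
(ARP or ARP Miss) or source MAC, with an "Others" default and 0 meaning
"not suppressed", and a global rate limit of packet-number packets per
interval-value seconds with an alarm threshold on discarded packets."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SpeedLimit:
    """Per-source budget per one-second window (pps). `specific` holds the
    entries configured for individual sources; `others` covers the rest."""
    others: int
    specific: dict = field(default_factory=dict)
    _seen: dict = field(default_factory=lambda: defaultdict(int), init=False, repr=False)

    def limit_for(self, source):
        return self.specific.get(source, self.others)

    def admit(self, t, source):
        """True if the packet from `source` at time `t` (seconds) fits the
        source's per-second budget; a limit of 0 disables suppression."""
        limit = self.limit_for(source)
        key = (int(t), source)
        self._seen[key] += 1
        return limit == 0 or self._seen[key] <= limit


@dataclass
class RateLimit:
    """Global limit: at most packet_number packets per interval_value seconds.
    Defaults mirror the guide (100 packets, 1 s, alarm threshold 100)."""
    packet_number: int = 100
    interval_value: int = 1
    alarm_threshold: int = 100
    dropped: int = 0
    _counts: dict = field(default_factory=lambda: defaultdict(int), init=False, repr=False)

    def admit(self, t):
        window = int(t // self.interval_value)
        self._counts[window] += 1
        if self._counts[window] > self.packet_number:
            self.dropped += 1
            return False
        return True

    def alarm(self):
        """Alarm condition of the optional alarm steps: discards reached the threshold."""
        return self.dropped >= self.alarm_threshold


def run(packets, speed, rate):
    """Apply the per-source limit, then the global limit (this ordering is an
    assumption; the guide does not state it). packets: iterable of (t, source)."""
    admitted, dropped_speed = defaultdict(int), defaultdict(int)
    for t, src in packets:
        if not speed.admit(t, src):
            dropped_speed[src] += 1
        elif rate.admit(t):
            admitted[src] += 1
    return dict(admitted), dict(dropped_speed), rate.dropped


def demo():
    """Constructed one-second burst using the 6.7.1 values: 2.2.4.2 limited to
    10 pps, others 15 pps; 2.2.2.2 is given an explicit 0 here only to show the
    unsuppressed case. The global limit is set to 20 per 1 s with alarm
    threshold 5 so that the alarm condition is reached."""
    packets = [(i * 0.01, "2.2.4.2") for i in range(30)]
    packets += [(0.3 + i * 0.01, "2.2.1.2") for i in range(30)]
    packets += [(0.6 + i * 0.01, "2.2.2.2") for i in range(5)]
    speed = SpeedLimit(others=15, specific={"2.2.4.2": 10, "2.2.2.2": 0})
    rate = RateLimit(packet_number=20, interval_value=1, alarm_threshold=5)
    admitted, dropped_speed, dropped_rate = run(packets, speed, rate)
    return {"admitted": admitted, "dropped_by_speed_limit": dropped_speed,
            "dropped_by_rate_limit": dropped_rate, "alarm": rate.alarm()}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the interaction a practitioner should expect: the attacker at 2.2.4.2 is cut to its 10 admitted packets by the per-source limit, the well-behaved 2.2.1.2 keeps its 15, and the global limit then discards whatever exceeds 20 in the window, including packets from the unsuppressed 2.2.2.2, which is why a global limit chosen too low affects legitimate hosts as well.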

6.5.7 Setting the Aging Time of Fake ARP Entries
By setting the aging time of fake ARP entries, you can control the frequency of sending ARP Miss packets to the upper-layer software. This reduces the possibility of attacks to the system.

Context

After the aging time of fake ARP entries is set, the same ARP Miss packet is sent once in the aging time. After the aging time of fake ARP entries is reached, fake ARP entries are deleted. If no ARP entry matches the packets forwarded by a device, ARP Miss packets are re-generated and reported. The device generates fake ARP entries again. The fake ARP entries are deleted until the device generates correct ARP entries.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

The interface type can be Ethernet, Eth-Trunk, or VLANIF.

Step 3 Run:
arp-fake expire-time expire-time

The aging time of fake ARP entries is set.

By default, the aging time of fake ARP entries is 1s.

----End
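The model below is an added illustration of the fake-entry mechanism described in the Context above; it is not Huawei code. It counts how many ARP Miss messages a stream of unresolvable packets produces: the first packet to a destination raises an ARP Miss and installs a fake entry, further packets to that destination are suppressed until the fake entry ages out, and once a real entry is learned no more misses are generated. Times are integer milliseconds, the function names are assumptions, and the traffic stream is constructed (three unresolvable destinations in the 2.2.2.0/24 subnet of the 6.7.1 example).

```python
"""Model of fake ARP entry aging (6.5.7); added illustration, not Huawei code.
An ARP Miss for a destination is raised at most once per expire_time_ms while
no real ARP entry exists for it."""
from collections import defaultdict


def count_arp_miss(events, expire_time_ms, learned_at=None):
    """events: (time_ms, dst_ip) forwarding attempts that hit no real ARP entry.
    learned_at: optional {dst_ip: time_ms} at which a correct entry was learned;
    from then on that destination produces no further ARP Miss.
    Returns (total_miss, {dst_ip: miss_count})."""
    learned_at = learned_at or {}
    fake_until = {}               # dst_ip -> time at which its fake entry ages out
    per_dst = defaultdict(int)
    for t, dst in sorted(events):
        if dst in learned_at and t >= learned_at[dst]:
            continue              # correct entry exists: no ARP Miss any more
        if t < fake_until.get(dst, -1):
            continue              # fake entry still valid: ARP Miss suppressed
        fake_until[dst] = t + expire_time_ms
        per_dst[dst] += 1         # ARP Miss reported, fake entry (re)installed
    return sum(per_dst.values()), dict(per_dst)


def constructed_stream():
    """10 packets per second for 5 seconds to each of three destinations that
    never answer ARP (constructed sample, 150 events)."""
    dsts = ["2.2.2.200", "2.2.2.201", "2.2.2.202"]
    return [(k * 100, d) for k in range(50) for d in dsts]


def miss_rate_per_second(expire_time_ms, duration_s=5):
    """ARP Miss messages per second that the constructed stream generates."""
    total, _ = count_arp_miss(constructed_stream(), expire_time_ms)
    return total / duration_s


if __name__ == "__main__":
    for expire in (1000, 2000, 5000):
        print(expire, "ms ->", miss_rate_per_second(expire), "ARP Miss/s")
```

With the default 1 s aging time the three destinations generate 3 ARP Miss messages per second regardless of how fast the host sends; raising expire-time to 5 s brings that down to 0.6 per second, which is the lever the section describes for reducing the load on the upper-layer software.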


6.5.8 (Optional) Setting the Rate Limit of Broadcasting ARP Packets on the VLANIF Interface of a Super-VLAN

After the rate limit of broadcasting ARP Request packets on the VLANIF interface in a super VLAN is set, the system discards ARP Request packets that exceed the rate limit to reduce the CPU burden.

Context

The VLANIF interface in a super VLAN is triggered to learn ARP entries in the following situations:

- The VLANIF interface receives unknown unicast packets.
- ARP proxy is enabled on the VLANIF interface and the VLANIF interface receives ARP Request packets.

The VLANIF interface in the super-VLAN replicates ARP Request packets in each sub-VLAN when learning ARP entries. If a large number of sub-VLANs are configured for the super-VLAN, the AR200-S generates a large number of ARP Request packets. As a result, the CPU is busy in processing ARP Request packets and cannot process other services in a timely manner.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
arp speed-limit flood-rate rate

The rate limit of broadcasting ARP Request packets on all the VLANIF interfaces of the super VLAN is set.

By default, the rate limit of broadcasting ARP Request packets on all the VLANIF interfaces in a super VLAN is 1000 pps.

----End

6.5.9 Checking the Configuration
This section describes how to check the ARP suppression configuration.

Procedure
- Run the display arp anti-attack configuration { arp-rate-limit | arpmiss-rate-limit } command to view the ARP rate limit configuration.
- Run the display arp anti-attack configuration { arp-speed-limit | arpmiss-speed-limit } command to view the ARP suppression configuration.
- Run the display arp flood statistics command to view the statistics on sent ARP Request packets of VLANIF interfaces in all super-VLANs.

----End


Example
# Run the display arp anti-attack configuration command to view the rate limit for ARP packets.

<Huawei> display arp anti-attack configuration arp-speed-limit
 ARP speed-limit for source-MAC configuration:
 MAC-address        suppress-rate(pps)(rate=0 means function disabled)
 -------------------------------------------------------------------------------
 0000-0000-0001     150
 Others             200
 -------------------------------------------------------------------------------
 1 specified MAC addresses are configured, spec is 256 items.

 ARP speed-limit for source-IP configuration:
 IP-address         suppress-rate(pps)(rate=0 means function disabled)
 -------------------------------------------------------------------------------
 10.0.0.20          50
 Others             100
 -------------------------------------------------------------------------------
 1 specified IP addresses are configured, spec is 512 items.

# Run the display arp flood statistics command to view the statistics on sent ARP Request packets of VLANIF interfaces in all super-VLANs.

<Huawei> display arp flood statistics
ARP request packets statistics on supervlan:
Total ARP request packets number  : 5100
Sent ARP request packets number   : 4000
Dropped ARP request packets number: 1100

6.6 Maintaining ARP Security
This section describes how to maintain ARP security.

6.6.1 Displaying the Statistics on ARP Packets
This section describes how to view statistics on ARP packets.

Procedure
- Run the display arp packet statistics command to view the statistics on ARP packets.

----End

Example
Run the display arp packet statistics command to view the statistics on ARP packets.

<Huawei> display arp packet statistics
ARP Pkt Received: sum 199992
ARP Learnt Count: sum 4
ARP Pkt Discard For Limit: sum 0
ARP Pkt Discard For SpeedLimit: sum 0
ARP Pkt Discard For Proxy Suppress: sum 0
ARP Pkt Discard For Other: sum 18220
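Because these counters are cumulative and only go back to zero when they are cleared (see 6.6.2), a monitoring job has to compare two polls rather than read one absolute value. The parser and delta check below are an added illustration, not Huawei code: the first sample copies the format of the output above, the second is a constructed later poll of the same hypothetical device, the 300 s polling interval reuses the alarm interval from 6.7.1, and the per-counter thresholds are assumptions chosen for the example.

```python
"""Parser and delta check for `display arp packet statistics` output (6.6.1),
added illustration, not Huawei code. The counters are cumulative and only
reset by `reset arp packet statistics` (6.6.2), so a monitoring job should
compare two samples and look at the increase per interval."""
import re

# Constructed samples in the format shown on the page; the second one is a
# later poll of the same (hypothetical) device.
SAMPLE_T0 = """\
ARP Pkt Received: sum 199992
ARP Learnt Count: sum 4
ARP Pkt Discard For Limit: sum 0
ARP Pkt Discard For SpeedLimit: sum 0
ARP Pkt Discard For Proxy Suppress: sum 0
ARP Pkt Discard For Other: sum 18220
"""
SAMPLE_T1 = """\
ARP Pkt Received: sum 231500
ARP Learnt Count: sum 6
ARP Pkt Discard For Limit: sum 12
ARP Pkt Discard For SpeedLimit: sum 2400
ARP Pkt Discard For Proxy Suppress: sum 0
ARP Pkt Discard For Other: sum 18300
"""

LINE = re.compile(r"^\s*(ARP [A-Za-z ]+?)\s*:\s*sum\s+(\d+)\s*$")


def parse_arp_packet_statistics(text):
    """Map each counter name to its integer value; unrelated lines are ignored."""
    stats = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def counter_delta(prev, curr):
    """Increase of each counter since the previous poll. A value lower than the
    previous one means the statistics were cleared in between, in which case
    the current value is the increase since the clear."""
    return {name: (value if value < prev.get(name, 0) else value - prev.get(name, 0))
            for name, value in curr.items()}


def assess(delta, interval_s, thresholds):
    """Return the counters whose increase per second exceeds the tolerated
    pps in `thresholds` (counter name -> packets per second)."""
    return {name: delta.get(name, 0) / interval_s
            for name, limit in thresholds.items()
            if delta.get(name, 0) / interval_s > limit}


def demo(interval_s=300):
    """Compare the two constructed samples taken `interval_s` seconds apart
    (300 s matches the log/alarm interval used in 6.7.1)."""
    delta = counter_delta(parse_arp_packet_statistics(SAMPLE_T0),
                          parse_arp_packet_statistics(SAMPLE_T1))
    thresholds = {"ARP Pkt Discard For SpeedLimit": 1.0,   # assumed tolerances
                  "ARP Pkt Discard For Limit": 0.0}
    return delta, assess(delta, interval_s, thresholds)


if __name__ == "__main__":
    print(demo())
```

A sustained increase of the SpeedLimit counter points at a source that is hitting its suppression rate and is worth correlating with display arp anti-attack configuration, while any increase of the Limit counter means an interface reached its ARP entry limit.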

6.6.2 Clearing the Statistics on ARP Packets
This section describes how to clear statistics on ARP packets.


Context

CAUTION
Statistics cannot be restored after being cleared. Exercise caution when you run this command.

Run the following command in the user view to clear the statistics.

Procedure
- Run the reset arp packet statistics command to clear the statistics on ARP packets.

- Run the reset arp flood statistics command to clear the statistics on ARP Request packets of all the VLANIF interfaces in a super-VLAN.

----End

6.6.3 Clearing the Statistics on Discarded ARP Packets
This section describes how to clear the statistics on discarded ARP packets.

Context

CAUTION
Statistics cannot be restored after being cleared. Exercise caution when you run this command.

To clear the statistics on discarded ARP packets, run the following commands in the user view.

Procedure
- Run the reset arp anti-attack statistics rate-limit { global | interface interface-type interface-number } command to clear the statistics on the ARP packets discarded because the transmission rate exceeds the limit.

----End

6.7 Configuration Examples
This section provides ARP security configuration examples.

6.7.1 Example for Configuring ARP Security Functions
This section provides an example for configuring ARP security functions.


Networking Requirements

As shown in Figure 6-1, the Router is connected to a server through Ethernet0/0/3 that is added to VLAN 30 and is connected to users in VLAN 10 and VLAN 20 through Ethernet0/0/1 and Ethernet0/0/2. The following ARP attacks occur on the network:

- The server may send several packets with an unreachable destination IP address, and the number of these packets is larger than the number of packets from common users.

- After virus attacks occur on user 1, a large number of ARP packets are sent. Among these packets, the source IP address of certain ARP packets changes on the local network segment and the source IP address of certain ARP packets is the same as the IP address of the gateway.

- User 3 constructs a large number of ARP packets with a fixed IP address to attack the network.

- User 4 constructs a large number of ARP packets with an unreachable destination IP address to attack the network.

ARP security functions are required to be configured on the Router to prevent the preceding attacks. The rate limit of ARP Miss packets on the server should be greater than the rate limit of other users.

Figure 6-1 Network diagram for configuring ARP security functions
(Diagram not reproduced. Labels in the figure: Router; Server on Ethernet0/0/3; Ethernet0/0/1 with User1 and User2 in VLAN10; Ethernet0/0/2 with User3 and User4 in VLAN20.)

Configuration Roadmap

The configuration roadmap is as follows:

1. Enable strict ARP learning.
2. Enable interface-based ARP entry limiting.
3. Enable the ARP anti-spoofing function.
4. Enable the ARP anti-attack function for preventing attacks by sending ARP packets with a bogus gateway address.


5. Configure the rate limit for ARP packets with the specified source IP address.
6. Configure the rate limit for ARP Miss packets.
7. Enable log and alarm functions for potential attacks.

Data Preparation
To complete the configuration, you need the following data:

- Number of limited ARP entries on the interface: 20
- Anti-spoofing mode used to prevent attacks that are initiated by user 1: fixed-mac
- IP addresses of VLANIF10, VLANIF20 and VLANIF30: 2.2.1.10/24, 2.2.4.10/24 and 2.2.2.10/24
- IP address of the server: 2.2.2.2/24
- IP address of user 4 that sends a large number of ARP packets: 2.2.4.2/24
- Rate limit for ARP packets of user 4 and rate limit for ARP packets of other users: 10 pps and 15 pps
- Rate limit for ARP Miss packets of common users: 20 pps; rate limit for ARP Miss packets on the server: 50 pps
- Interval for writing an ARP log and sending an alarm: 300s

Procedure

Step 1 Create a VLAN, add an interface to the VLAN, and assign an IP address to the VLANIF interface. The configuration procedure is not mentioned here.

Step 2 Enable strict ARP learning.

<Huawei> system-view
[Huawei] sysname Router
[Router] arp learning strict

Step 3 Configure interface-based ARP entry limiting.

# The number of limited ARP entries on Ethernet0/0/1, Ethernet0/0/2 and Ethernet0/0/3 is 20. The following lists the configuration of Ethernet0/0/1.

[Router] interface ethernet 0/0/1
[Router-Ethernet0/0/1] arp-limit vlan 10 maximum 20
[Router-Ethernet0/0/1] quit

Step 4 Enable the ARP anti-spoofing function.

# Set the ARP anti-spoofing mode to fixed-mac to prevent ARP spoofing attacks initiated by user 1.

[Router] arp anti-attack entry-check fixed-mac enable

Step 5 Enable the ARP anti-attack function to prevent attacks by sending ARP packets with a bogus gateway address.

# Enable the ARP anti-attack function for preventing user 1 from sending ARP packets with a bogus gateway address.

[Router] arp anti-attack gateway-duplicate enable

Step 6 Configure the rate limit for ARP packets with the specified source IP address.


# Set the rate limit for ARP packets sent by user 4 to 10 pps. To prevent all users from sending a large number of ARP packets incorrectly, set the rate limit for ARP packets of the system to 15 pps.

[Router] arp speed-limit source-ip maximum 15
[Router] arp speed-limit source-ip 2.2.4.2 maximum 10

Step 7 Configure the rate limit for ARP Miss packets.

# Set the rate limit for ARP Miss packets of the system to 20 pps to prevent users from sending a large number of IP packets with an unreachable destination IP address.

[Router] arp-miss speed-limit source-ip maximum 20

# Set the rate limit for ARP Miss packets on the server to 50 pps to prevent the server from sending a large number of IP packets with an unreachable destination IP address, and to prevent communication on the network when the rate for the server to send IP packets with an unreachable destination IP address is incorrect.

[Router] arp-miss speed-limit source-ip 2.2.2.2 maximum 50

Step 8 Verify the configuration.

After the configuration, run the display arp learning strict command to view information about strict ARP learning.

<Router> display arp learning strict
 The global configuration: arp learning strict
 interface                  LearningStrictState
 ------------------------------------------------------------------------------
 ------------------------------------------------------------------------------
 Total:0       force-enable:0       force-disable:0

You can use the display arp-limit command to check the maximum number of ARP entries learned by the interface. Take the display on Ethernet0/0/1 as an example.

<Router> display arp-limit interface ethernet Ethernet0/0/1
 interface        LimitNum   VlanID   LearnedNum(Mainboard)
 ---------------------------------------------------------------------------
 Ethernet0/0/1    20         10       0
 ---------------------------------------------------------------------------
 Total:1

You can use the display arp anti-attack configuration all command to check the ARP anti-attack configuration.

<Router> display arp anti-attack configuration all
 ARP anti-attack packet-check function: disabled
 ARP anti-attack entry-check mode: fixed-MAC
 ARP gateway-duplicate anti-attack function: enabled

 ARP rate-limit configuration:
 -------------------------------------------------------------------------------
 Global configuration:
 Interface configuration:
 -------------------------------------------------------------------------------
 ARP miss rate-limit configuration:
 -------------------------------------------------------------------------------
 Global configuration:
 -------------------------------------------------------------------------------


 ARP speed-limit for source-MAC configuration:
 MAC-address        suppress-rate(pps)(rate=0 means function disabled)
 -------------------------------------------------------------------------------
 All                0
 -------------------------------------------------------------------------------
 0 specified MAC addresses are configured, spec is 256 items.
 ARP speed-limit for source-IP configuration:
 IP-address         suppress-rate(pps)(rate=0 means function disabled)
 ------------------------------------------------------------------------
 2.2.4.2            10
 Others             15
 ------------------------------------------------------------------------
 1 specified IP addresses are configured, spec is 128 items.

 ARP miss speed-limit for source-IP configuration:
 IP-address         suppress-rate(pps)(rate=0 means function disabled)
 ------------------------------------------------------------------------
 2.2.2.2            50
 Others             20
 ------------------------------------------------------------------------
 1 specified IP addresses are configured, spec is 128 items.

You can use the display arp packet statistics command to view the number of discarded ARP packets and the number of learned ARP entries.

<Router> display arp packet statistics
ARP Pkt Received: sum 167
ARP Learnt Count: sum 8
ARP Pkt Discard For Limit: sum 5
ARP Pkt Discard For SpeedLimit: sum 0
ARP Pkt Discard For Proxy Suppress: sum 0
ARP Pkt Discard For Other: sum 3

In addition, you can also use the display arp anti-attack gateway-duplicate item command to view information about attacks from packets with a forged gateway address on the current network.

<Router> display arp anti-attack gateway-duplicate item
 interface      IP address    MAC address      VLANID   aging time
 -------------------------------------------------------------------------------
 Ethernet0/0/1  2.2.1.10      0000-0000-0002   10       153
 Ethernet0/0/2  2.2.4.10      0000-0000-0004   20       179
 -------------------------------------------------------------------------------
 There are 2 records in gateway conflict table

----End
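Verifying step 8 by eye works for one router; for a fleet it helps to parse the speed-limit tables that display arp anti-attack configuration prints (6.5.9 and step 8 above) and compare the effective limit of each source with the intended data-preparation values. The parser below is an added illustration, not Huawei code: its input is constructed in the page's output format from the values of this example, the table keys (arp/ip, arp/mac, arp-miss/ip) and function names are assumptions, and a rate of 0 is reported as None because the output itself states that rate=0 means the function is disabled.

```python
"""Parser for the speed-limit tables printed by `display arp anti-attack
configuration { all | arp-speed-limit | arpmiss-speed-limit }` (6.5.9 and
step 8 of 6.7.1), added illustration, not Huawei code. It resolves the
effective per-source limit and compares it with the intended values."""
import re

# Constructed output in the page's format, using the values of example 6.7.1.
SAMPLE = """\
 ARP speed-limit for source-MAC configuration:
 MAC-address        suppress-rate(pps)(rate=0 means function disabled)
 -------------------------------------------------------------------------------
 All                0
 -------------------------------------------------------------------------------
 0 specified MAC addresses are configured, spec is 256 items.
 ARP speed-limit for source-IP configuration:
 IP-address         suppress-rate(pps)(rate=0 means function disabled)
 ------------------------------------------------------------------------
 2.2.4.2            10
 Others             15
 ------------------------------------------------------------------------
 1 specified IP addresses are configured, spec is 128 items.

 ARP miss speed-limit for source-IP configuration:
 IP-address         suppress-rate(pps)(rate=0 means function disabled)
 ------------------------------------------------------------------------
 2.2.2.2            50
 Others             20
 ------------------------------------------------------------------------
 1 specified IP addresses are configured, spec is 128 items.
"""

SECTION = re.compile(r"ARP (miss )?speed-limit for source-(MAC|IP) configuration:")


def parse_speed_limits(text):
    """Return {table: {"specific": {source: pps}, "others": pps}} where table is
    one of arp/mac, arp/ip, arp-miss/ip (names assumed for this example)."""
    tables, current = {}, None
    for line in text.splitlines():
        m = SECTION.search(line)
        if m:
            table = ("arp-miss" if m.group(1) else "arp") + "/" + m.group(2).lower()
            current = tables.setdefault(table, {"specific": {}, "others": None})
            continue
        parts = line.split()
        if current is None or len(parts) != 2 or not parts[1].isdigit():
            continue  # column headers, rulers and the "n specified ..." summary
        source, rate = parts[0], int(parts[1])
        if source in ("Others", "All"):
            current["others"] = rate
        else:
            current["specific"][source] = rate
    return tables


def effective_limit(tables, table, source):
    """pps applied to `source`, or None when the function is disabled (rate 0)."""
    t = tables[table]
    rate = t["specific"].get(source, t["others"])
    return None if rate in (0, None) else rate


def verify(tables, intended):
    """intended: [(table, source, expected_pps)]; returns the mismatches as
    (table, source, expected, actual)."""
    return [(table, source, expected, effective_limit(tables, table, source))
            for table, source, expected in intended
            if effective_limit(tables, table, source) != expected]


# Intended values from the Data Preparation list of 6.7.1.
INTENDED = [("arp/ip", "2.2.4.2", 10), ("arp/ip", "2.2.1.2", 15),
            ("arp-miss/ip", "2.2.2.2", 50), ("arp-miss/ip", "2.2.1.2", 20)]

if __name__ == "__main__":
    print(verify(parse_speed_limits(SAMPLE), INTENDED))
```

An empty result from verify() confirms that user 4 is held to 10 pps, every other host to 15 pps, and that the server keeps the higher 50 pps ARP Miss budget the requirements asked for; any tuple in the result names the source whose effective limit differs from the plan.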

Configuration Files

#
 sysname Router
#
vlan batch 10 20 30
#
 arp speed-limit source-ip maximum 15
 arp-miss speed-limit source-ip maximum 20
 arp learning strict
#
 arp anti-attack entry-check fixed-mac enable
 arp anti-attack gateway-duplicate enable
 arp-miss speed-limit source-ip 2.2.2.2 maximum 50
 arp speed-limit source-ip 2.2.4.2 maximum 10
#
interface Ethernet0/0/1
 port hybrid pvid vlan 10
 port hybrid tagged vlan 10
 arp-limit vlan 10 maximum 20
#
interface Ethernet0/0/2
 port hybrid pvid vlan 20
 port hybrid tagged vlan 20
 arp-limit vlan 20 maximum 20
#
interface Ethernet0/0/3
 port hybrid pvid vlan 30
 port hybrid tagged vlan 30
 arp-limit vlan 30 maximum 20
#
interface Vlanif 10
 ip address 2.2.1.10 255.255.255.0
#
interface Vlanif 20
 ip address 2.2.4.10 255.255.255.0
#
interface Vlanif 30
 ip address 2.2.2.10 255.255.255.0
#
return


7 ICMP Security Configuration

About This Chapter

This section describes configuration procedures for ICMP security and provides configuration examples.

7.1 ICMP Security Overview
This section describes ICMP security principles.

7.2 ICMP Security Features Supported by the AR200-S
The AR200-S can limit the rate at which ICMP packets are received, check the validity of ICMP packets, discard invalid and specified ICMP packets, and ignore destination-unreachable packets.

7.3 Limiting the Rate of ICMP Packets
This section describes how to limit the rate at which ICMP packets are received.

7.4 Configuring the AR200-S to Discard Specified ICMP Packets
This section describes how to configure the AR200-S to discard specified ICMP packets.

7.5 Disabling the AR200-S from Sending Destination-Unreachable Packets
This section describes how to disable the AR200-S from sending destination-unreachable packets.

7.6 Maintaining ICMP Security
This section describes how to monitor the ICMP running status.

7.7 Configuration Examples
This section provides ICMP security configuration examples.


7.1 ICMP Security Overview
This section describes ICMP security principles.

The Internet Control Message Protocol (ICMP) is a sub-protocol of the TCP/IP protocol suite, and is used to transfer control messages between IP hosts and routers. A control message conveys information about network connectivity, host reachability and route availability.

The AR200-S receives a large number of ICMP packets from the network, and these packets consume a lot of CPU resources. Therefore, the AR200-S needs to check the validity of ICMP packets, discard specified ICMP packets, and limit the rate at which ICMP packets are received.

7.2 ICMP Security Features Supported by the AR200-S
The AR200-S can limit the rate at which ICMP packets are received, check the validity of ICMP packets, discard invalid and specified ICMP packets, and ignore destination-unreachable packets.

ICMP Packet Rate Limiting
The AR200-S receives a large number of ICMP packets from the network, and these packets consume a lot of CPU resources. Limiting the rate at which ICMP packets are received on the AR200-S can help reduce the burden of the CPU, ensuring operation of services.

The rate limit for ICMP packets can be configured globally or on an interface.

Checking Validity of ICMP Packets and Discarding Invalid and Specified ICMP Packets

By default, the AR200-S discards invalid ICMP packets, such as ICMP packets with the TTL value of 0 or type 15, 16 or 17, to protect CPU resources.

The AR200-S can be configured to discard seldom-used ICMP packets, including ICMP packets with the TTL value of 1, with options, or with unreachable destinations. This helps reduce the burden on the AR200-S and protect CPU resources.

Ignoring Destination-Unreachable Packets
The AR200-S can be configured to ignore destination-unreachable packets, including host-unreachable packets and port-unreachable packets. If an attacker sends a large number of destination-unreachable packets to attack the AR200-S, the AR200-S does not respond to these packets and discards them directly to protect CPU resources.
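The classifier below is an added illustration of the validity rules listed in this section, not Huawei code: it reads the IPv4 and ICMP headers of a packet and applies the default rule (discard TTL 0 and ICMP types 15, 16 and 17) plus the three optional discards (TTL 1, IP options, destination unreachable) as switches. Checksums are not verified, the builder that produces the test packets is a constructed helper, and the function names and the returned reason strings are assumptions; the type numbers and TTL values are those the section names.

```python
"""ICMP packet validity classifier after the rules in 7.2; added illustration,
not Huawei code. Works on raw IPv4+ICMP bytes."""
import struct

# Types the guide lists as invalid and discarded by default (15 Information
# Request, 16 Information Reply, 17 Address Mask Request).
DEFAULT_INVALID_TYPES = {15, 16, 17}
ICMP_DEST_UNREACHABLE = 3


def build_ipv4_icmp(ttl, icmp_type, code=0, options=b"", payload=b""):
    """Constructed test input: minimal IPv4 header (checksums zero) followed by
    an 8-byte ICMP header. `options` must be a multiple of 4 bytes."""
    assert len(options) % 4 == 0
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + 8 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0,
                         ttl, 1, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    icmp = struct.pack("!BBHHH", icmp_type, code, 0, 0, 0)
    return header + options + icmp + payload


def classify_icmp(packet, drop_ttl1=False, drop_options=False, drop_unreachable=False):
    """Return ("drop", reason) or ("accept", None). The three keyword switches
    model the optional discards of 7.4; the TTL 0 / type 15-17 rule is always on."""
    if len(packet) < 20:
        return ("drop", "truncated IP header")
    ver_ihl, _, _, _, _, ttl, proto, _ = struct.unpack("!BBHHHBBH", packet[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 1 or len(packet) < ihl + 8:
        return ("drop", "malformed IPv4/ICMP header")
    icmp_type = packet[ihl]
    if ttl == 0:
        return ("drop", "invalid: TTL 0")
    if icmp_type in DEFAULT_INVALID_TYPES:
        return ("drop", f"invalid: ICMP type {icmp_type}")
    if drop_ttl1 and ttl == 1:
        return ("drop", "configured: TTL 1")
    if drop_options and ihl > 20:
        return ("drop", "configured: IP options present")
    if drop_unreachable and icmp_type == ICMP_DEST_UNREACHABLE:
        return ("drop", "configured: destination unreachable")
    return ("accept", None)


def summarize(packets, **policy):
    """Count verdicts for a batch of packets under one policy: {reason: n}."""
    counts = {}
    for pkt in packets:
        verdict, reason = classify_icmp(pkt, **policy)
        key = reason if verdict == "drop" else "accept"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    batch = [build_ipv4_icmp(64, 8), build_ipv4_icmp(0, 8), build_ipv4_icmp(64, 17),
             build_ipv4_icmp(1, 8), build_ipv4_icmp(64, 3, code=1)]
    print(summarize(batch))
    print(summarize(batch, drop_ttl1=True, drop_unreachable=True))
```

Running the batch once with the default policy and once with the optional discards switched on shows the trade-off the section implies: a TTL 1 echo request is valid traceroute-style traffic that the default rule keeps, and only the explicit configuration removes it.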

7.3 Limiting the Rate of ICMP Packets
This section describes how to limit the rate at which ICMP packets are received.

Applicable Environment
The AR200-S receives a large number of ICMP packets from the network, and these packets consume a lot of CPU resources. Limiting the rate at which ICMP packets are received can help reduce the burden of the CPU, ensuring nonstop service transmission. After this function is configured, the AR200-S discards excess packets.

NOTE

After rate limiting of ICMP packets is configured, the AR200-S may fail to respond to ping packets.

Procedure

- Configuring the global rate limit for ICMP packets

  1. Run:
       system-view
     The system view is displayed.

  2. Run:
       icmp rate-limit enable
     The global ICMP packet rate limiting function is enabled.
     By default, the global ICMP packet rate limiting function is disabled on an AR200-S.

  3. (Optional) Run:
       icmp rate-limit threshold threshold-value
     The global rate limit for ICMP packets is set.
     By default, the global rate limit for ICMP packets is 100 pps.

- Configuring the rate limit for ICMP packets on a specified interface

  1. Run:
       system-view
     The system view is displayed.

  2. Run:
       interface interface-type interface-number
     The interface view is displayed.
     The AR200-S can limit the rate at which ICMP packets are received on Ethernet interfaces and Eth-Trunk interfaces.

  3. Run:
       icmp rate-limit enable
     The ICMP packet rate limiting function is enabled on the interface.
     By default, the ICMP packet rate limiting function is disabled on an interface.

  4. (Optional) Run:
       icmp rate-limit threshold threshold-value
     The highest rate at which ICMP packets are received on the interface is set.
     By default, the rate limit for ICMP packets on an interface is 100 pps.

  To configure rate limits for ICMP packets on multiple interfaces, repeat steps 2 to 4 for each interface.

----End

Checking the Configuration

# Run the display current-configuration | include icmp command to check the configured ICMP rate limit.

<Huawei> display current-configuration | include icmp
 icmp rate-limit enable
 icmp rate-limit threshold 120
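The two-level limit configured above (the interface threshold first, then the global one, with packets over either limit discarded) can be reproduced in a few lines to see how the limits interact. The following Python is an added example, not VRP code or Huawei's implementation: it uses a fixed one-second counting window per scope, and the interface names, thresholds and burst sizes in the demonstration are constructed.

```python
from collections import defaultdict


class IcmpRateLimiter:
    """Model of 'icmp rate-limit enable/threshold' at interface and global scope.

    Constructed model, not the AR200-S implementation: each scope has a budget of
    `limit` packets per wall-clock second. A packet is accepted only if both the
    inbound interface's budget and the global budget still have room, and it is
    then counted against both. Packets over either budget are discarded.
    """

    def __init__(self, global_pps=None, interface_pps=None):
        self.global_pps = global_pps                      # None = no global limit
        self.interface_pps = dict(interface_pps or {})    # name -> pps; absent = no limit
        self._windows = {}                                # scope -> [second, count]
        self.dropped = defaultdict(int)                   # interface -> discarded packets

    def _window(self, scope, now):
        sec = int(now)
        window = self._windows.setdefault(scope, [sec, 0])
        if window[0] != sec:            # a new second starts a fresh count
            window[0], window[1] = sec, 0
        return window

    def accept(self, interface, now):
        """Return True if an ICMP packet received on `interface` at time `now` is kept."""
        scopes = [(("if", interface), self.interface_pps.get(interface)),
                  (("global",), self.global_pps)]
        windows = []
        for scope, limit in scopes:
            if limit is None:
                continue
            window = self._window(scope, now)
            if window[1] >= limit:
                self.dropped[interface] += 1
                return False
            windows.append(window)
        for window in windows:          # commit only once every scope has allowed it
            window[1] += 1
        return True


def run_bursts(limiter, bursts):
    """bursts: (interface, packet_count, second) tuples. Returns accepted packets per interface."""
    accepted = defaultdict(int)
    for interface, count, second in bursts:
        for i in range(count):
            # spread the burst inside the second so every timestamp stays in that window
            if limiter.accept(interface, second + i / max(count, 1)):
                accepted[interface] += 1
    return dict(accepted)


if __name__ == "__main__":
    # Constructed scenario: a 150 pps ICMP flood on Eth1/0/0 (interface limit 100),
    # legitimate pings on Eth2/0/0, and a global limit of 120 pps.
    limiter = IcmpRateLimiter(global_pps=120,
                              interface_pps={"Eth1/0/0": 100, "Eth2/0/0": 100})
    result = run_bursts(limiter, [("Eth1/0/0", 150, 0),   # flood
                                  ("Eth2/0/0", 50, 0),    # normal pings, same second
                                  ("Eth1/0/0", 10, 1)])   # next second, windows reset
    print(result, dict(limiter.dropped))
```

The 30 packets lost on Eth2/0/0 are the situation the NOTE above warns about: the flood on Eth1/0/0 stays within its own interface limit but uses up most of the global budget, so legitimate echo requests on another interface are discarded too. Size the global threshold above the sum of the expected legitimate ICMP load, not at the per-interface value.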

7.4 Configuring the AR200-S to Discard Specified ICMP Packets

This section describes how to configure the AR200-S to discard specified ICMP packets.

7.4.1 Establishing the Configuration Task

Before configuring the AR200-S to discard specified ICMP packets, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

The AR200-S receives a large number of ICMP packets from the network, and these packets consume a lot of CPU resources. The AR200-S can be configured to discard seldom-used ICMP packets: ICMP packets with a TTL value of 1, ICMP packets carrying IP options, and ICMP destination-unreachable packets. This reduces the burden of processing ICMP packets received on the AR200-S, protecting CPU resources.

Pre-configuration Tasks

Before configuring the AR200-S to discard specified ICMP packets, complete the following task:

- Setting parameters for the link layer protocols on the interfaces to ensure that the link layer protocols are Up

Data Preparation

None.

7.4.2 Configuring the AR200-S to Discard the ICMP Packets with TTL Value of 1

This section describes how to configure the AR200-S to discard ICMP packets with a TTL value of 1.

Context

The AR200-S receives a large number of ICMP packets from the network, and these packets consume a lot of CPU resources. An ICMP packet that arrives with a TTL value of 1 cannot be forwarded any further; instead the CPU would have to generate an ICMP time-exceeded reply for it, which is exactly what low-TTL echo probes of ICMP-based traceroute provoke on every hop. The AR200-S can be configured to discard such packets instead of answering them. This reduces the burden on the AR200-S and protects CPU resources.

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  icmp ttl-exceeded drop
The AR200-S is enabled to discard ICMP packets with a TTL value of 1.
By default, the AR200-S does not discard ICMP packets with a TTL value of 1.

----End

7.4.3 Configuring the AR200-S to Discard the ICMP Packets with Options

This section describes how to configure the AR200-S to discard ICMP packets carrying IP options.

Context

ICMP packets whose IP header carries options must be handled by the CPU, because the options ask the router for extra work, for example recording each hop along the route. While the AR200-S is busy processing these options, normal services are not processed immediately.

The AR200-S receives a large number of ICMP packets from the network, and these packets consume a lot of CPU resources. The AR200-S can be configured to discard ICMP packets with options. This reduces the burden on the AR200-S and protects CPU resources.

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  icmp with-options drop
The AR200-S is enabled to discard ICMP packets with options.
By default, the AR200-S does not discard ICMP packets with options.

----End

7.4.4 Configuring the AR200-S to Discard ICMP Destination-Unreachable Packets

This section describes how to configure the AR200-S to discard ICMP destination-unreachable packets.

Context

The AR200-S receives a large number of ICMP packets from the network, and these packets consume a lot of CPU resources. The AR200-S can be configured to discard the ICMP destination-unreachable packets it receives. This reduces the burden on the AR200-S and protects CPU resources.

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  icmp unreachable drop
The AR200-S is enabled to discard received ICMP destination-unreachable packets.
By default, the AR200-S does not discard ICMP destination-unreachable packets.

----End

7.4.5 Checking the Configuration

After configuring the AR200-S to discard specified ICMP packets, you can use the following command to verify the configuration.

Procedure

- Run the display current-configuration command to check whether the AR200-S is configured to discard specified ICMP packets.

----End

Example

# Run the display current-configuration | include icmp command to check whether the AR200-S is configured to discard specified ICMP packets.

<Huawei> display current-configuration | include icmp
 icmp unreachable drop
 icmp ttl-exceeded drop
 icmp with-options drop
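The always-on validity check from 7.2 and the three optional drops of 7.4.2 to 7.4.4 together form a small ingress classifier, and seeing it as code makes clear which packets each command actually affects. The following Python is an added example, not VRP code or Huawei's implementation: it parses a raw IPv4 datagram carrying ICMP and returns the first matching verdict in the order the page describes. The test packets are constructed inline with zero checksums, and their addresses are placeholders.

```python
import struct
from dataclasses import dataclass

ICMP_PROTO = 1
# Types the page lists as always invalid on the AR200-S: information request (15),
# information reply (16) and address mask request (17).
INVALID_ICMP_TYPES = {15, 16, 17}
ICMP_DEST_UNREACHABLE = 3


@dataclass
class IcmpDropPolicy:
    """The three optional drop commands of section 7.4 (all off by default)."""
    ttl_exceeded_drop: bool = False   # icmp ttl-exceeded drop
    with_options_drop: bool = False   # icmp with-options drop
    unreachable_drop: bool = False    # icmp unreachable drop


def build_icmp_packet(ttl, icmp_type, icmp_code=0, options=b""):
    """Constructed test input: a minimal IPv4 header (plus options) followed by an
    8-byte ICMP header. Checksums are left at zero; the addresses are placeholders."""
    if len(options) % 4:
        raise ValueError("IP options must be padded to a 4-byte boundary")
    ihl_words = 5 + len(options) // 4
    total_length = ihl_words * 4 + 8
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            (4 << 4) | ihl_words, 0, total_length, 0, 0,
                            ttl, ICMP_PROTO, 0,
                            bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1])) + options
    icmp_header = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0, 0)
    return ip_header + icmp_header


def classify_icmp(packet, policy):
    """Return 'accept' or a 'drop:<reason>' verdict for one received datagram.

    The always-on validity check (TTL 0, types 15/16/17) runs first, then the
    optional drops in the order of sections 7.4.2 to 7.4.4.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop:not-ipv4"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 8:
        return "drop:truncated"
    ttl, proto = packet[8], packet[9]
    if proto != ICMP_PROTO:
        return "not-icmp"                 # outside the scope of this filter
    icmp_type = packet[ihl]
    if ttl == 0 or icmp_type in INVALID_ICMP_TYPES:
        return "drop:invalid"             # discarded regardless of configuration
    if policy.ttl_exceeded_drop and ttl == 1:
        return "drop:ttl-exceeded"
    if policy.with_options_drop and ihl > 20:
        return "drop:with-options"
    if policy.unreachable_drop and icmp_type == ICMP_DEST_UNREACHABLE:
        return "drop:unreachable"
    return "accept"


if __name__ == "__main__":
    hardened = IcmpDropPolicy(ttl_exceeded_drop=True, with_options_drop=True,
                              unreachable_drop=True)
    samples = {
        "echo, TTL 64": build_icmp_packet(64, 8),
        "echo, TTL 1 (traceroute-style)": build_icmp_packet(1, 8),
        "echo with NOP/EOL options": build_icmp_packet(64, 8, options=b"\x01\x01\x01\x00"),
        "port unreachable": build_icmp_packet(64, 3, icmp_code=3),
        "address mask request": build_icmp_packet(64, 17),
    }
    for name, pkt in samples.items():
        print(f"{name:32s} default={classify_icmp(pkt, IcmpDropPolicy()):16s} "
              f"hardened={classify_icmp(pkt, hardened)}")
```

Note that the address mask request is dropped under both policies: the validity check is not configurable, whereas the TTL-1, options and unreachable drops only take effect once the corresponding command is present in the configuration.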

7.5 Disabling the AR200-S from Sending Destination-Unreachable Packets

This section describes how to disable the AR200-S from sending destination-unreachable packets.

Applicable Environment

The AR200-S can be disabled from sending destination-unreachable packets, including host-unreachable packets and port-unreachable packets. If an attacker floods the AR200-S with packets that would each trigger a destination-unreachable reply, the AR200-S discards them without generating a response, which protects CPU resources.

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  undo icmp port-unreachable send
The AR200-S is disabled from sending ICMP port-unreachable packets.
By default, the AR200-S is enabled to send ICMP port-unreachable packets.

Step 3 Run:
  interface interface-type interface-number
The interface view is displayed.
Sending of ICMP host-unreachable packets is controlled per Layer 3 interface; it cannot be configured on a Layer 2 interface.

Step 4 Run:
  undo icmp host-unreachable send
The interface is disabled from sending ICMP host-unreachable packets.
By default, an interface is enabled to send ICMP host-unreachable packets.

----End

Checking the Configuration

# Run the display current-configuration | include icmp command to check whether the AR200-S is enabled to send ICMP destination-unreachable packets.

<Huawei> display current-configuration | include icmp
 undo icmp port-unreachable send
 undo icmp host-unreachable send

7.6 Maintaining ICMP Security

This section describes how to monitor the ICMP running status.

Procedure

- Run the display icmp statistics command to check statistics about ICMP traffic.

----End

Example

# Run the display icmp statistics command to view statistics about ICMP traffic.

<Huawei> display icmp statistics
  Input: bad formats             0
         bad checksum            0
         echo                    0
         destination unreachable 0
         source quench           0
         redirects               0
         echo reply              0
         parameter problem       0
         timestamp               0
         information request     0
         mask requests           0
         mask replies            0
         time exceeded           0
         Mping request           0
         Mping reply             0
  Output:echo                    0
         destination unreachable 0
         source quench           0
         redirects               0
         echo reply              0
         parameter problem       0
         timestamp               0
         information reply       0
         mask requests           0
         mask replies            0
         time exceeded           0
         Mping request           0
         Mping reply             0
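The counters above are cumulative, so on their own they say little; what an operator wants is the rate at which each counter grows, to spot an ICMP flood and to confirm that the Output "destination unreachable" counter stays flat after the commands in 7.5. The following Python is an added example, not VRP code or a Huawei tool: it parses two snapshots of the command output taken some seconds apart and reports counters growing faster than a threshold. The two snapshots are constructed and abbreviated to a subset of the counters.

```python
import re

# Two constructed, abbreviated snapshots in the layout of 'display icmp statistics'
# (the first counter shares the line with the 'Input:' / 'Output:' label).
SNAPSHOT_T0 = """\
<Huawei> display icmp statistics
  Input: bad formats             0
         bad checksum            0
         echo                    0
         destination unreachable 0
         echo reply              0
         time exceeded           0
  Output:echo                    0
         destination unreachable 0
         echo reply              0
         time exceeded           0
"""

SNAPSHOT_T10 = """\
<Huawei> display icmp statistics
  Input: bad formats             2
         bad checksum            0
         echo                    12000
         destination unreachable 30
         echo reply              0
         time exceeded           0
  Output:echo                    0
         destination unreachable 0
         echo reply              12000
         time exceeded           0
"""

_SECTION = re.compile(r"^\s*(Input|Output)\s*:\s*(.*)$")
_COUNTER = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s+(\d+)\s*$")


def parse_icmp_statistics(text):
    """Parse command output into {'Input': {counter: value}, 'Output': {...}}."""
    stats, section = {}, None
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            section = m.group(1)
            stats.setdefault(section, {})
            line = m.group(2)          # the first counter follows the label
        m = _COUNTER.match(line)
        if m and section is not None:
            stats[section][m.group(1).strip()] = int(m.group(2))
    return stats


def counter_deltas(before, after):
    """Growth of every counter between two snapshots (missing counters count as 0)."""
    return {section: {name: after[section][name] - before.get(section, {}).get(name, 0)
                      for name in after[section]}
            for section in after}


def icmp_rate_alerts(before, after, interval_seconds, pps_threshold):
    """Return [(section, counter, pps)] for counters growing faster than the threshold."""
    alerts = []
    for section, counters in counter_deltas(before, after).items():
        for name, delta in counters.items():
            pps = delta / interval_seconds
            if pps > pps_threshold:
                alerts.append((section, name, pps))
    return alerts


if __name__ == "__main__":
    t0 = parse_icmp_statistics(SNAPSHOT_T0)
    t10 = parse_icmp_statistics(SNAPSHOT_T10)
    print(icmp_rate_alerts(t0, t10, interval_seconds=10, pps_threshold=100))
    print("unreachables sent:", counter_deltas(t0, t10)["Output"]["destination unreachable"])
```

With the constructed snapshots the alert list names the Input echo and Output echo reply counters at 1200 pps each, which is the signature of an echo flood that the router is still answering; the zero growth of the Output "destination unreachable" counter is the check that an undo icmp ... send configuration is taking effect.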

7.7 Configuration Examples

This section provides ICMP security configuration examples.

7.7.1 Example for Disabling the AR200-S from Sending Host-Unreachable Packets

This section provides an example to illustrate how to disable the AR200-S from sending host-unreachable packets.

Networking Requirements

As shown in Figure 7-1, RouterA, RouterB, and RouterC are connected through their Layer 3 interfaces to test whether the AR200-S sends ICMP host-unreachable packets.

NOTE
The AR200-S is RouterA or RouterC.

Figure 7-1 Disabling the AR200-S from sending host-unreachable packets
[Figure: RouterA Eth1/0/0 (1.1.1.1/24) -- Eth1/0/0 (1.1.1.2/24) RouterB Eth2/0/0 (3.3.3.1/24) -- Internet -- Eth1/0/0 (2.2.2.2/24) RouterC]

Configuration Roadmap

The configuration roadmap is as follows:

1. Assign IP addresses to the corresponding interfaces on each device.
2. Configure a static route from RouterA to RouterC.
3. Enable RouterA and RouterC to send ICMP host-unreachable packets.
   NOTE
   By default, an interface is enabled to send ICMP host-unreachable packets. If this function is already enabled, skip this step.
4. Disable Eth1/0/0 on RouterB from sending ICMP host-unreachable packets, so that RouterB does not answer packets received on Eth1/0/0 for unreachable destinations with host-unreachable packets.

Data Preparation

To complete the configuration, you need the following data:

- Static route from RouterA to RouterC
- IP address of each interface

Procedure

Step 1 Configure RouterA.

# Configure a static route on RouterA.

<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ip route-static 2.2.2.0 255.255.255.0 1.1.1.2

# Assign an IP address to Eth1/0/0.

[RouterA] interface ethernet 1/0/0
[RouterA-Ethernet1/0/0] ip address 1.1.1.1 24
[RouterA-Ethernet1/0/0] quit

Step 2 Configure RouterC.

# Assign an IP address to Eth1/0/0.

<Huawei> system-view
[Huawei] sysname RouterC
[RouterC] interface ethernet 1/0/0
[RouterC-Ethernet1/0/0] ip address 2.2.2.2 24
[RouterC-Ethernet1/0/0] quit

Step 3 Configure RouterB.

# Disable Eth1/0/0 from sending ICMP host-unreachable packets and assign an IP address to Eth1/0/0.

<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] interface ethernet 1/0/0
[RouterB-Ethernet1/0/0] undo icmp host-unreachable send
[RouterB-Ethernet1/0/0] ip address 1.1.1.2 24
[RouterB-Ethernet1/0/0] quit
[RouterB] quit

Step 4 Verify the configuration.

# Enable ICMP packet debugging on RouterB.

<RouterB> debugging ip icmp
<RouterB> terminal monitor
<RouterB> terminal debugging

# Run ping 2.2.2.2 on RouterA. If the debugging output on RouterB shows that no ICMP host-unreachable packets are sent, the configuration succeeds.

RouterB has no route to RouterC, so it would normally respond to the ping packets received from RouterA with ICMP host-unreachable packets. Because Eth1/0/0 of RouterB is disabled from sending ICMP host-unreachable packets, RouterB does not respond to the ping packets received from RouterA, and the ping on RouterA simply times out.

----End

Configuration Files

- Configuration file of RouterA

#
 sysname RouterA
#
interface Ethernet1/0/0
 ip address 1.1.1.1 255.255.255.0
#
ip route-static 2.2.2.0 255.255.255.0 1.1.1.2
#
return

- Configuration file of RouterB

#
 sysname RouterB
#
interface Ethernet1/0/0
 ip address 1.1.1.2 255.255.255.0
 undo icmp host-unreachable send
#
return

- Configuration file of RouterC

#
 sysname RouterC
#
interface Ethernet1/0/0
 ip address 2.2.2.2 255.255.255.0
#
return

7.7.2 Example for Optimizing System Performance by Discarding Certain ICMP Packets

This section describes how to optimize system performance by discarding specified ICMP packets.

Networking Requirements

As shown in Figure 7-2, RouterA is the access device through which an enterprise, an individual user, and a user network (attached through an LSW) reach the Internet, and RouterA connects upstream to RouterB. RouterA needs to discard ICMP packets with a TTL value of 1, ICMP packets with options, and ICMP destination-unreachable packets to protect its CPU resources.

Figure 7-2 Networking diagram of ICMP security configurations
[Figure: Enterprise, Individual user, and User network (via LSW) -- RouterA -- RouterB -- Internet]

Configuration Roadmap

The configuration roadmap is as follows:

- Configure RouterA to discard ICMP packets with a TTL value of 1.
- Configure RouterA to discard ICMP packets with options.
- Configure RouterA to discard ICMP destination-unreachable packets.

Data Preparation

None.

Procedure

Step 1 Configure RouterA to discard specified ICMP packets.

# Configure RouterA to discard ICMP packets with a TTL value of 1.

<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] icmp ttl-exceeded drop

# Configure RouterA to discard ICMP packets with options.

[RouterA] icmp with-options drop

# Configure RouterA to discard ICMP destination-unreachable packets.

[RouterA] icmp unreachable drop

Step 2 Verify the configuration.

# Run the display current-configuration command in the user view to view the ICMP security configuration.

<RouterA> display current-configuration | include icmp
 icmp unreachable drop
 icmp ttl-exceeded drop
 icmp with-options drop

----End

Configuration Files

#
 sysname RouterA
#
 icmp unreachable drop
 icmp ttl-exceeded drop
 icmp with-options drop
#
return


8 IP Address Anti-spoofing Configuration

About This Chapter

To protect authorized users from source IP address spoofing attacks, configure URPF.

8.1 IP Address Anti-spoofing Overview
This function defends against source address spoofing attacks.

8.2 IP Source Address-based Attack Defense Features Supported by the AR200-S
This section describes the IP source address-based attack defense features supported by the AR200-S.

8.3 Configuring URPF
This section describes how to configure URPF.

8.4 Configuration Examples
This topic provides IP address anti-spoofing configuration examples.


8.1 IP Address Anti-spoofing Overview

This function defends against source address spoofing attacks.

Source IP address spoofing attacks are common on the Internet. An attacker sends packets carrying the IP address of an authorized user to a server in order to access the server as that user. As a result, the authorized user cannot use network services, or the authorized user's information is intercepted. To defend against such attacks, the AR200-S provides Unicast Reverse Path Forwarding (URPF).

URPF

Normally, when the AR200-S receives a packet, it looks up the route to the destination address of the packet; if a route is found the packet is forwarded, otherwise it is discarded. After URPF is configured, the AR200-S additionally takes the source address and inbound interface of the packet, looks up the source address in the FIB as if it were a destination, and compares the outbound interface of the matching entry with the inbound interface of the packet. If they do not match, the AR200-S considers the source address spoofed and discards the packet. URPF thus protects the AR200-S against attacks that rely on bogus source addresses.

As shown in Figure 8-1, RouterA sends bogus packets to RouterB carrying the source address 2.1.1.1, which belongs to RouterC. RouterB sends its responses to the real 2.1.1.1, so both RouterB and RouterC are affected by the bogus packets.

If URPF is enabled on the interface of RouterB that faces RouterA, RouterB detects that packets with the source address 2.1.1.1 should not arrive from that interface and discards them.

Figure 8-1 URPF
[Figure: RouterA (1.1.1.1/24) sends packets with source address 2.1.1.1 to RouterB; RouterC holds 2.1.1.1/24]

8.2 IP Source Address-based Attack Defense Features Supported by the AR200-S

This section describes the IP source address-based attack defense features supported by the AR200-S.

URPF

URPF takes effect only on Layer 3 inbound interfaces of the AR200-S. If URPF is enabled on an interface, the URPF check is performed on packets received by that interface.


The AR200-S supports the following URPF check modes:

- Strict check: A packet passes the check only when the FIB table of the AR200-S has a routing entry whose destination matches the source address of the packet and whose outbound interface is the inbound interface of the packet. Packets that fail this check are discarded.
- Loose check: A packet passes the check as long as the FIB table of the AR200-S has a routing entry whose destination matches the source address of the packet, whichever interface it arrived on.

8.3 Configuring URPF

This section describes how to configure URPF.

Applicable Environment

Users on an enterprise network are often attacked by unauthorized users on other network segments when they use applications that rely on IP address-based authentication. An attacker sends bogus packets with the IP address of an authorized user to a server in order to access it. As a result, the authorized user cannot access the server, or the authorized user's information is intercepted. To prevent such attacks, configure URPF on the AR200-S.

As shown in Figure 8-2, Network 1 and VLAN 10 are connected to Eth0/0/8 and Vlanif 10 of RouterA respectively. URPF strict check is configured on Eth0/0/8 and Vlanif 10.

PC A on Network 1 sends a bogus packet with the source IP address 2.2.2.2 to the server on Network 3. When RouterA receives this packet, it checks the inbound interface. Packets with the source address 2.2.2.2 must enter RouterA through Vlanif 10, not Eth0/0/8. Therefore, RouterA considers the packet bogus and discards it. This protects PC B on VLAN 10 against IP address spoofing attacks initiated from PC A.

Packets sent from VLAN 10 to the server pass the URPF check and are forwarded normally.

Figure 8-2 URPF application
[Figure: PC A (Network 1, 3.3.3.3/24) -- Eth0/0/8 -- RouterA -- Vlanif 10 -- PC B (VLAN 10, 2.2.2.2/24); RouterA -- Eth0/0/1 -- RouterB -- Server (Network 3, 1.1.1.1/24); URPF enabled on RouterA]


Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  interface interface-type interface-number
The interface view is displayed.
URPF cannot be configured on Layer 2 interfaces of the AR200-S.

Step 3 Configure the URPF check for packets on the interface.

- For IPv4 packets, run:
    urpf { loose | strict } [ allow-default-route ]
- For IPv6 packets, run:
    ipv6 urpf { loose | strict } [ allow-default-route ]

NOTE
To configure the URPF check for IPv6 packets on an interface, enable IPv6 on the interface first: run the ipv6 command in the system view, and then the ipv6 enable command in the interface view.

----End

Checking the Configuration

After the configuration, run the display this command in the interface view to view the URPF configuration on the interface.

[Huawei-Ethernet0/0/8] display this
#
interface Ethernet0/0/8
 urpf strict allow-default-route
#
return
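The strict and loose checks described in 8.2, and the effect of the allow-default-route keyword from the procedure above, can be reproduced against a small forwarding table. The following Python is an added example, not VRP code or Huawei's implementation. Its FIB models Figure 8-2 as the text walks through it: Network 1 behind Eth0/0/8, VLAN 10 (2.2.2.0/24) behind Vlanif 10, and everything else via a default route through Eth0/0/1 toward RouterB. The prefix assumed for Network 1 (3.3.3.0/24), the default route, and the rule that a default-route match counts only when allow-default-route is set are assumptions, not statements from the page.

```python
import ipaddress


class Fib:
    """Minimal forwarding table: prefix -> outbound interface, longest-prefix match."""

    def __init__(self):
        self._routes = []

    def add(self, prefix, out_interface):
        self._routes.append((ipaddress.ip_network(prefix), out_interface))
        return self

    def lookup(self, address):
        """Return (network, out_interface) of the most specific matching route, or None."""
        addr = ipaddress.ip_address(address)
        best = None
        for net, iface in self._routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best


def urpf_check(fib, source, in_interface, mode, allow_default_route=False):
    """Return True if a packet from `source` received on `in_interface` passes URPF.

    strict: the route back to the source must leave through `in_interface`.
    loose:  any route back to the source is enough.
    A match on the default route (prefix length 0) is treated as "no route"
    unless allow_default_route is set (assumption about the keyword's semantics).
    """
    if mode not in ("strict", "loose"):
        raise ValueError(f"unknown URPF mode {mode!r}")
    match = fib.lookup(source)
    if match is None:
        return False
    network, out_interface = match
    if network.prefixlen == 0 and not allow_default_route:
        return False
    if mode == "loose":
        return True
    return out_interface == in_interface


def router_a_fib():
    """FIB of RouterA in Figure 8-2 (constructed; Network 1 prefix and default route assumed)."""
    return (Fib()
            .add("3.3.3.0/24", "Eth0/0/8")      # Network 1 (PC A)
            .add("2.2.2.0/24", "Vlanif10")      # VLAN 10 (PC B)
            .add("0.0.0.0/0", "Eth0/0/1"))      # toward RouterB and the server


if __name__ == "__main__":
    fib = router_a_fib()
    cases = [
        ("2.2.2.2", "Eth0/0/8"),        # PC A spoofing PC B's address
        ("2.2.2.2", "Vlanif10"),        # PC B's own traffic
        ("3.3.3.3", "Eth0/0/8"),        # PC A's own traffic
        ("198.51.100.7", "Eth0/0/8"),   # source known only through the default route
    ]
    for src, iface in cases:
        print(f"{src:14s} on {iface:9s} "
              f"strict={urpf_check(fib, src, iface, 'strict')!s:5s} "
              f"loose={urpf_check(fib, src, iface, 'loose')!s:5s} "
              f"loose+default={urpf_check(fib, src, iface, 'loose', True)}")
```

The spoofed packet from PC A is dropped only by the strict check; loose mode would let it through because 2.2.2.0/24 is in the FIB. Loose mode is the right choice where return paths are asymmetric, and allow-default-route matters on interfaces where most sources are covered only by the default route, because without it those packets fail the check in both modes.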

8.4 Configuration Examples

This topic provides IP address anti-spoofing configuration examples.

8.4.1 Example for Configuring URPF

This example illustrates how to configure the URPF function.

Networking Requirements

As shown in Figure 8-3, the R&D department of an enterprise connects to Eth0/0/1 of RouterA, and the marketing department connects to Eth0/0/2. RouterA has a reachable route to an external server, and users in the R&D and marketing departments are allowed to connect to the server through RouterA. RouterA is required to stop staff in one department from reaching the server by spoofing addresses of the other department; in Figure 8-3, PC A in marketing sends packets with the source address 10.10.2.1 of PC B in R&D.

NOTE
In Figure 8-3, RouterA is an access router of the enterprise, and RouterB is an aggregation router.

Figure 8-3 Networking diagram of URPF configuration
[Figure: PC A (Marketing, 10.10.1.1/24) -- Eth0/0/2 RouterA Eth0/0/1 -- PC B (R&D, 10.10.2.1/24); RouterA -- RouterB -- Internet -- Server (10.2.2.10/24). PC A sends packets with source 10.10.2.1 and destination 10.2.2.10.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure VLAN 10 and VLAN 20, and add Eth0/0/1 to VLAN 10 and Eth0/0/2 to VLAN 20.
2. Configure URPF on VLANIF 10 and VLANIF 20, allowing the default route to be used in the check.

Data Preparation

- URPF check mode: strict check
  NOTE
  URPF strict check is used because packets between RouterA and the server travel the same path in both directions.
- Network segment of the R&D department: 10.10.2.0/24
- Network segment of the marketing department: 10.10.1.0/24
- Server IP address: 10.2.2.10/24

Procedure

Step 1 Configure VLANs and add interfaces to the VLANs.

<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] vlan 10
[RouterA-vlan10] quit
[RouterA] vlan 20
[RouterA-vlan20] quit
[RouterA] interface ethernet 0/0/1
[RouterA-Ethernet0/0/1] port link-type trunk
[RouterA-Ethernet0/0/1] port trunk allow-pass vlan 10
[RouterA-Ethernet0/0/1] quit
[RouterA] interface ethernet 0/0/2
[RouterA-Ethernet0/0/2] port link-type trunk
[RouterA-Ethernet0/0/2] port trunk allow-pass vlan 20
[RouterA-Ethernet0/0/2] quit

Step 2 Configure strict URPF on the VLANIF interfaces.

[RouterA] interface vlanif 10
[RouterA-Vlanif10] urpf strict allow-default-route
[RouterA-Vlanif10] quit
[RouterA] interface vlanif 20
[RouterA-Vlanif20] urpf strict allow-default-route

Step 3 Verify the configuration.

# Run the display this command on VLANIF 10 to view the URPF configuration.

[RouterA-Vlanif10] display this
#
interface Vlanif10
 urpf strict allow-default-route
#
return

# Run the display this command on VLANIF 20 to view the URPF configuration.

[RouterA-Vlanif20] display this
#
interface Vlanif20
 urpf strict allow-default-route
#
return

----End

Configuration Files

#
 sysname RouterA
#
vlan batch 10 20
#
interface Vlanif10
 urpf strict allow-default-route
#
interface Vlanif20
 urpf strict allow-default-route
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface Ethernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
#
return


9 Local Attack Defense Configuration

About This Chapter

This section describes configuration procedures for local attack defense and providesconfiguration examples.

9.1 Local Attack Defense Overview
This section describes the background and functions of local attack defense.

9.2 Local Attack Defense Features Supported by the AR200-S
This section describes local attack defense features supported by the AR200-S.

9.3 Configuring Attack Source Tracing
The attack source tracing function checks for attack packets sent to the CPU and notifies users by sending logs or alarms.

9.4 Configuring CPU Attack Defense
CPU attack defense limits the rate of packets sent to the CPU to protect the CPU.

9.5 Maintaining the Attack Defense Policy
This section describes how to maintain the attack defense policy.

9.6 Configuration Examples
This section provides attack defense policy configuration examples.


9.1 Local Attack Defense Overview

This section describes the background and functions of local attack defense.

On a network, a large number of packets, both valid packets and malicious attack packets, need to be delivered to the CPU. Malicious attack packets can affect other services or even bring down the system. Even an excess of valid packets drives CPU usage up, so that CPU performance deteriorates and services are interrupted.

To protect the CPU and ensure that it can process services, the AR200-S provides the local attack defense function. Local attack defense protects the AR200-S against attacks, keeps services running while an attack is in progress, and minimizes the impact on services by limiting the rate of packets sent to the CPU.

9.2 Local Attack Defense Features Supported by the AR200-S

This section describes local attack defense features supported by the AR200-S.

Attack Defense Policies Supported by the AR200-S

The AR200-S has a default attack defense policy. The default attack defense policy defines the rate limit and priority for protocol packets and the rate limit for all packets sent to the CPU. It is applied to all boards by default and cannot be modified or deleted.

User-defined attack defense policies can be created on the AR200-S. A parameter configured in a user-defined attack defense policy overrides the corresponding parameter of the default attack defense policy; any parameter not configured in the user-defined policy keeps the value from the default policy.

Attack Defense Functions Supported by the AR200-S

Attack source tracing and CPU attack defense can be configured in the same attack defense policy on the AR200-S.

Attack source tracing checks attack packets sent to the CPU and notifies the administrator by logs or alarms so that the administrator can take measures against the attack, for example by adding the suspected attack source to a blacklist. Attack source tracing provides the following functions:

- Attack source check: After attack source tracing is enabled, you can set the threshold for attack source tracing. When the number of protocol packets sent from one source in a given period exceeds the threshold, the AR200-S traces and logs the attack source to notify the administrator.
- Alarm function for attack source tracing: After the alarm function is enabled, you can set the alarm threshold for attack source tracing. If the number of protocol packets sent from one source in a given period exceeds the alarm threshold, an alarm is generated to notify the administrator.

CPU attack defense limits the rate of all packets sent to the CPU to protect the CPU. CPU attack defense provides the following functions:


- Blacklist: A blacklist is a group of unauthorized users. To defend against malicious attacks, the AR200-S matches users with a specific characteristic by ACL rules, adds them to a blacklist, and discards the packets sent from users on the blacklist.
- Rate limit per packet type: The AR200-S sets different rate limits for packets of different types, or discards packets of a certain type entirely, to protect the CPU.
- Priority for packets of a specified protocol: The AR200-S schedules packets sent to the CPU according to the priorities of their protocols, so that packets of higher-priority protocols are processed first.
- Overall rate limit: The AR200-S can limit the total rate of all packets sent to the CPU to protect the CPU.
- ALP: Active link protection (ALP) protects session-based application layer data, such as HTTP and FTP sessions, and ensures non-stop transmission of these services when attacks occur. When the AR200-S detects the setup of an HTTP or FTP session, ALP starts protecting that session: packets matching the characteristics of the session are sent to the CPU at a higher rate, so the reliability and stability of session-related services are maintained.
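A minimal model of the attack source tracing and blacklist functions described above, as an added example that is not VRP code or Huawei's implementation. It counts traced protocol packets per source key per one-second period, keyed the three ways the page lists (source IP, source MAC, inbound port plus VLAN), logs a source the moment its count exceeds the tracing threshold (the page's default of 128 pps is used) and alarms at a separate alarm threshold; the blacklist set stands in for the ACL-based blacklist an administrator would then configure. The packet records, addresses and thresholds in the demonstration are constructed.

```python
from collections import defaultdict

TRACED_PROTOCOLS = ("arp", "dhcp", "icmp", "igmp", "tcp", "telnet", "ttl-expired")
TRACE_TYPES = ("source-ip", "source-mac", "source-portvlan")


class AttackSourceTracer:
    """Per-period counting of protocol packets headed for the CPU.

    threshold: log a source key once per period when its count exceeds this value.
    alarm_threshold: raise an alarm once per period when the count exceeds it (None = off).
    Packets whose key is on the blacklist are dropped before they are counted.
    """

    def __init__(self, threshold=128, alarm_threshold=None, period_seconds=1.0,
                 protocols=TRACED_PROTOCOLS, trace_types=TRACE_TYPES):
        self.threshold = threshold
        self.alarm_threshold = alarm_threshold
        self.period_seconds = period_seconds
        self.protocols = set(protocols)
        self.trace_types = tuple(trace_types)
        self.counts = defaultdict(int)   # (period, key) -> packets seen
        self.logs = []                   # (period, key, count) when the threshold is exceeded
        self.alarms = []                 # (period, key, count) when the alarm threshold is exceeded
        self.blacklist = set()           # keys the administrator has blocked

    def _keys(self, pkt):
        fields = {"source-ip": pkt["src_ip"], "source-mac": pkt["src_mac"],
                  "source-portvlan": (pkt["port"], pkt["vlan"])}
        return [(t, fields[t]) for t in self.trace_types]

    def process(self, pkt, now):
        """Return 'drop:blacklist', 'accept' (traced) or 'accept:untraced'."""
        keys = self._keys(pkt)
        if any(k in self.blacklist for k in keys):
            return "drop:blacklist"
        if pkt["proto"] not in self.protocols:
            return "accept:untraced"
        period = int(now // self.period_seconds)
        for key in keys:
            self.counts[(period, key)] += 1
            count = self.counts[(period, key)]
            if count == self.threshold + 1:          # first packet over the threshold
                self.logs.append((period, key, count))
            if self.alarm_threshold is not None and count == self.alarm_threshold + 1:
                self.alarms.append((period, key, count))
        return "accept"


def replay(tracer, packets):
    """Feed (packet, timestamp) pairs through the tracer; return a count per verdict."""
    verdicts = defaultdict(int)
    for pkt, ts in packets:
        verdicts[tracer.process(pkt, ts)] += 1
    return dict(verdicts)


def flood_from(src_ip, src_mac, port, vlan, proto, count, start):
    """Constructed traffic: `count` packets of one protocol spread over one second."""
    pkt = {"src_ip": src_ip, "src_mac": src_mac, "port": port, "vlan": vlan, "proto": proto}
    return [(pkt, start + i / count) for i in range(count)]


if __name__ == "__main__":
    tracer = AttackSourceTracer(threshold=128, alarm_threshold=150)
    flood = flood_from("10.1.1.5", "00:11:22:33:44:55", "Eth0/0/1", 10, "icmp", 200, 0)
    print(replay(tracer, flood), tracer.logs, tracer.alarms)
    # The administrator reacts to the log entry by blacklisting the traced source.
    tracer.blacklist.add(("source-ip", "10.1.1.5"))
    print(replay(tracer, flood_from("10.1.1.5", "00:11:22:33:44:55", "Eth0/0/1", 10, "icmp", 50, 1)))
```

Because every enabled trace type is counted independently, one flood produces one log entry per key; in practice the port-plus-VLAN key is the one that survives a spoofed source address, which is why the page's default keeps all three enabled.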

9.3 Configuring Attack Source Tracing
The attack source tracing function checks for attack packets sent to the CPU and notifies users by sending logs or alarms.

Applicable Environment
A large number of attack packets may attack the CPUs of network devices. Attack source tracing checks attack packets sent to the CPU and notifies the administrator by sending logs or alarms so that the administrator can take measures to defend against attacks.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-name

An attack defense policy is created and the attack defense policy view is displayed.

The AR200-S supports a maximum of 19 attack defense policies, including the default attack defense policy. The default attack defense policy is automatically generated in the system by default and is applied to all boards. The default attack defense policy cannot be deleted or modified. The other 18 policies can be created and deleted.

Step 3 (Optional) Run:
description text


The description of the attack defense policy is configured.

Step 4 Run:
auto-defend enable

Automatic attack source tracing is enabled.

By default, attack source tracing is disabled.

Step 5 (Optional) Run:
auto-defend protocol { all | { arp | dhcp | icmp | igmp | tcp | telnet | ttl-expired } * }

The types of traced packets are specified.

By default, the AR200-S traces sources of ARP, DHCP, ICMP, IGMP, TCP, Telnet, and TTL-expired packets after attack source tracing is enabled.

Step 6 (Optional) Run:
auto-defend trace-type { source-ip | source-mac | source-portvlan } *

The attack source tracing modes are specified.

By default, the AR200-S traces attack sources based on the source IP address, source MAC address, and source interface plus VLAN.

Step 7 (Optional) Run:
auto-defend threshold threshold

The threshold for attack source tracing is set.

By default, the threshold for attack source tracing is 128 pps.

Step 8 (Optional) Run:
auto-defend action deny [ timer time-length ]

The AR200-S is configured to drop packets sent from attack sources.

By default, the AR200-S does not drop packets sent from attack sources.

Step 9 (Optional) Configure the alarm function for attack source tracing.
1. Run:
auto-defend alarm enable

The alarm function for attack source tracing is enabled.

By default, the alarm function for attack source tracing is disabled.
2. (Optional) Run:
auto-defend alarm threshold threshold

The alarm threshold for attack source tracing is set.

By default, the alarm threshold for attack source tracing is 128 pps.

Step 10 In the system view, run:
cpu-defend-policy policy-name [ global | slot slot-id ]

The attack defense policy is applied.

If the attack defense policy is applied to an LPU or SRU, it takes effect for only the packets sent to the CPU of the LPU or SRU.


If global or slot is not specified, the attack defense policy is applied to the SRU. If global is specified, the attack defense policy is applied to all LPUs. If slot is specified, the attack defense policy is applied to an LPU in a specified slot.

NOTE

Attack source tracing configured in an attack defense policy takes effect only when the attack defense policy is applied to the SRU.

----End

Checking the Configuration
# Run the display auto-defend attack-source command to view the attack source list on the SRU.

# Run the display auto-defend configuration command to view the configuration of attack source tracing.

# Run the display cpu-defend policy command to check the attack defense policy.
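To make the interaction of the tracing threshold, the alarm threshold and the deny action concrete, here is a small Python model of the behaviour described in the procedure above. It is an added illustration, not code from the AR200-S or from Huawei: the per-second counting, the fixed deny timer default and the sample packet stream are assumptions made for the example, and the only values taken from this guide are the 128 pps default thresholds, the traced protocol list and the attacker MAC address used in the configuration example in section 9.6.1.

```python
"""Model of attack source tracing (section 9.3): tracing threshold, alarm
threshold and the optional deny action.  Added illustration, not AR200-S
or Huawei code; packet fields, the deny timer default and the sample
traffic below are constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass, field

TRACE_TYPES = ("source-ip", "source-mac", "source-portvlan")
# Protocols traced by default according to the guide
TRACED_PROTOCOLS = {"arp", "dhcp", "icmp", "igmp", "tcp", "telnet", "ttl-expired"}


@dataclass
class AutoDefendPolicy:
    threshold: int = 128          # pps; default from the guide -> log when exceeded
    alarm_enable: bool = False
    alarm_threshold: int = 128    # pps; default from the guide -> alarm when exceeded
    deny: bool = False            # auto-defend action deny
    deny_timer: int = 300         # seconds; placeholder value, the guide gives no default
    protocols: set = field(default_factory=lambda: set(TRACED_PROTOCOLS))
    trace_types: tuple = TRACE_TYPES


def source_keys(pkt, trace_types):
    """Identifiers a packet is traced by, one per enabled trace type."""
    keys = []
    for mode in trace_types:
        if mode == "source-ip":
            keys.append(("source-ip", pkt["src_ip"]))
        elif mode == "source-mac":
            keys.append(("source-mac", pkt["src_mac"]))
        elif mode == "source-portvlan":
            keys.append(("source-portvlan", (pkt["port"], pkt["vlan"])))
    return keys


def trace_second(policy, packets, denied, now):
    """Evaluate one second of CPU-bound packets.

    Returns (events, denied): events is a list of (kind, key, pps) with kind
    in {"log", "alarm", "deny"}; denied maps a source key to the time its
    deny entry expires.
    """
    counts = defaultdict(int)
    for pkt in packets:
        if pkt["proto"] not in policy.protocols:
            continue                      # not a traced protocol
        keys = source_keys(pkt, policy.trace_types)
        if any(denied.get(k, 0) > now for k in keys):
            continue                      # action deny: packets from a denied source are dropped
        for key in keys:
            counts[key] += 1
    events = []
    for key, pps in counts.items():
        if pps > policy.threshold:        # tracing threshold -> log the source
            events.append(("log", key, pps))
            if policy.deny:
                denied[key] = now + policy.deny_timer
                events.append(("deny", key, pps))
        if policy.alarm_enable and pps > policy.alarm_threshold:
            events.append(("alarm", key, pps))
    return events, denied


def demo():
    """Two seconds of constructed traffic: an ARP flood plus normal DHCP."""
    policy = AutoDefendPolicy(threshold=50, alarm_enable=True, alarm_threshold=100,
                              deny=True, deny_timer=60)
    attacker = {"proto": "arp", "src_ip": "1.1.1.20", "src_mac": "0001-c0a8-0102",
                "port": "Ethernet0/0/1", "vlan": 0}
    normal = {"proto": "dhcp", "src_ip": "2.2.2.7", "src_mac": "0001-aaaa-0207",
              "port": "Ethernet0/0/2", "vlan": 0}
    one_second = [attacker] * 120 + [normal] * 10
    denied = {}
    first, denied = trace_second(policy, one_second, denied, now=0)
    second, denied = trace_second(policy, one_second, denied, now=1)
    return first, second


if __name__ == "__main__":
    for ev in demo()[0]:
        print(ev)
```

In the first second the attacker exceeds both thresholds under all three trace types, so each key produces a log, a deny and an alarm event; in the second second its packets are dropped by the deny entry before they are counted, and the 10 pps of DHCP from the other host never reaches the 50 pps threshold.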

9.4 Configuring CPU Attack Defense
CPU attack defense limits the rate of packets sent to the CPU to protect the CPU.

9.4.1 Establishing the Configuration Task
Before configuring an attack defense policy, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
When a large number of users connect to the AR200-S, the AR200-S may be attacked by the packets sent to the CPU or needs to process a large number of these packets. The AR200-S can limit the rate of all the packets sent to the CPU to protect the CPU.

CPU attack defense provides hierarchical device protection:

l Level 1: The AR200-S uses blacklists to filter invalid packets sent to the CPU.
l Level 2: The AR200-S limits the rate of packets sent to the CPU based on the protocol type to prevent excess packets of a particular protocol from being sent to the CPU.
l Level 3: The AR200-S schedules packets sent to the CPU based on the protocol priority to ensure that packets with higher protocol priorities are processed first.
l Level 4: The AR200-S uniformly limits the rate of packets sent to the CPU and randomly discards the excess packets to ensure CPU security.

Active link protection (ALP) protects session-based application layer data, including data of HTTP sessions and FTP sessions. It ensures non-stop transmission of these services when attacks occur.
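The four levels read as a pipeline, and the following Python model, added here and not taken from the AR200-S software, walks one second of CPU-bound traffic through them in order. The packet fields (type, src_mac), the choice of a source-MAC blacklist, the rates, priorities and the sample traffic are constructed for the illustration; the guide's own per-type defaults appear in the display cpu-defend configuration output in section 9.6.1.

```python
"""Model of the four CPU attack defense levels of section 9.4.1.  Added
illustration, not AR200-S or Huawei code; packet fields, rates, priorities
and sample traffic are constructed."""
import random
from collections import defaultdict


class CpuDefendPolicy:
    def __init__(self, blacklist_macs, type_limits, priorities, all_packets_limit, seed=0):
        self.blacklist_macs = set(blacklist_macs)   # level 1: sources matched by the blacklist ACL
        self.type_limits = type_limits              # level 2: packet type -> pps (0 means deny)
        self.priorities = priorities                # level 3: packet type -> priority
        self.all_packets_limit = all_packets_limit  # level 4: pps for all packets together
        self.rng = random.Random(seed)              # seeded so the random discard is reproducible

    def process_second(self, packets):
        """Run one second of CPU-bound packets through the four levels.

        Returns (delivered, drops): the packets handed to the CPU in
        scheduling order, and a count of discards per level.
        """
        drops = defaultdict(int)
        per_type = defaultdict(int)
        survivors = []
        for pkt in packets:
            # level 1: blacklist
            if pkt["src_mac"] in self.blacklist_macs:
                drops["level1-blacklist"] += 1
                continue
            # level 2: rate limit per packet type (excess is discarded)
            limit = self.type_limits.get(pkt["type"])
            if limit is not None:
                if per_type[pkt["type"]] >= limit:
                    drops["level2-type-limit"] += 1
                    continue
                per_type[pkt["type"]] += 1
            survivors.append(pkt)
        # level 3: higher protocol priority first; the stable sort keeps
        # arrival order within one priority
        survivors.sort(key=lambda p: -self.priorities.get(p["type"], 0))
        # level 4: beyond the limit for all packets, the excess is randomly discarded
        if len(survivors) <= self.all_packets_limit:
            return survivors, dict(drops)
        keep = set(self.rng.sample(range(len(survivors)), self.all_packets_limit))
        delivered = [p for i, p in enumerate(survivors) if i in keep]
        drops["level4-all-packets"] += len(survivors) - len(delivered)
        return delivered, dict(drops)


def demo():
    """Constructed traffic mix resembling the scenario in section 9.6.1."""
    policy = CpuDefendPolicy(
        blacklist_macs={"0001-c0a8-0102"},
        type_limits={"arp-request": 64, "telnet-server": 0},
        priorities={"dhcp-client": 3, "arp-request": 2, "icmp": 2},
        all_packets_limit=100,
    )
    packets = (
        [{"type": "arp-request", "src_mac": "0001-c0a8-0102"}] * 50     # blacklisted host
        + [{"type": "arp-request", "src_mac": "0001-aaaa-0001"}] * 100  # ARP flood from another host
        + [{"type": "telnet-server", "src_mac": "0001-aaaa-0002"}] * 5  # denied packet type
        + [{"type": "dhcp-client", "src_mac": "0001-aaaa-0003"}] * 10
        + [{"type": "icmp", "src_mac": "0001-aaaa-0004"}] * 20
    )
    return policy.process_second(packets)


if __name__ == "__main__":
    delivered, drops = demo()
    print(len(delivered), "packets delivered; drops per level:", drops)
```

With these numbers the blacklist removes the 50 packets from the listed MAC, the per-type limit keeps 64 of the remaining 100 ARP Requests and none of the Telnet packets, the DHCP Client packets are scheduled ahead of everything else because of their higher priority, and the 94 survivors fit under the limit for all packets so level 4 discards nothing.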

Pre-configuration Tasks
Before configuring an attack defense policy, complete the following task:

l Connecting interfaces and setting the physical parameters of interfaces so that the physical layer is Up

Data Preparation

To configure an attack defense policy, you need the following data.

No. Data

1 Name of an attack defense policy

2 (Optional) Description of an attack defense policy

3 (Optional) ACL rule and number in the blacklist

4 (Optional) Rate limit for packets sent to the CPU

5 (Optional) Priority of protocol packets

6 (Optional) Rate limit for all the packets sent to the CPU

7 (Optional) ALP rate limit

8 Number of the LPU to which the attack defense policy is applied

9.4.2 Creating an Attack Defense Policy
This section describes how to create an attack defense policy.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy

An attack defense policy is created and the attack defense policy view is displayed.

The AR200-S supports a maximum of 19 attack defense policies, including the default attack defense policy. The default attack defense policy is automatically generated in the system by default and is applied to all boards. The default attack defense policy cannot be deleted or modified. The other 18 policies can be created and deleted.

Step 3 (Optional) Run:
description text

The description of the attack defense policy is configured.

----End


9.4.3 (Optional) Configuring a Blacklist
A blacklist is a set of unauthorized users. The packets that match ACL rules bound to the blacklist are discarded.

Context
To defend against malicious attacks, the AR200-S adds users with a specific characteristic to a blacklist by using ACL rules and discards the packets sent from the users in the blacklist.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-name

The attack defense policy view is displayed.

Step 3 Run:
blacklist blacklist-id acl acl-number

A blacklist is created.

A maximum of eight blacklists can be configured on the AR200-S.

The ACL referenced by the blacklist can be a basic ACL, an advanced ACL, or a Layer 2 ACL.

By default, no blacklist is configured on the AR200-S.

----End

9.4.4 (Optional) Configuring the Rate Limit for Packets Sent to the CPU

The AR200-S sets different rate limits for packets of different types or discards packets of a certain type to protect the CPU.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-name

The attack defense policy view is displayed.

Step 3 Configure the rate limit.
l Run:
packet-type packet-type rate-limit rate-value


The rate limit for packets sent to the CPU is set. Excess packets are discarded.
l Run:
deny packet-type packet-type
The AR200-S is configured to discard packets of a specified type sent to the CPU. That is, the rate limit for packets of the specified type to be sent to the CPU is 0.

By default, the AR200-S applies the rate limit defined in the default attack defense policy to the packets sent to the CPU.

----End

9.4.5 (Optional) Setting the Priority of Protocol Packets
After an attack defense policy is created, set the priorities of protocol packets in the attack defense policy so that packets with higher priorities are processed first.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-name

The attack defense policy view is displayed.

Step 3 Run:
packet-type packet-type priority priority-level

The priority of protocol packets sent to the CPU is set.

By default, the priority defined in the default attack defense policy is used for protocol packets sent to the CPU.

----End

9.4.6 (Optional) Configuring the Rate Limit for All Packets Sent to the CPU

After an attack defense policy is created, set the rate limit for all packets sent to the CPU in the attack defense policy. The AR200-S then randomly discards the packets that exceed the rate limit to protect the CPU.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-name

The attack defense policy view is displayed.


Step 3 Run:
rate-limit all-packets pps pps-value

The rate limit for all packets sent to the CPU is set.

The AR200-S then randomly discards the packets that exceed the rate limit to protect the CPU.

----End

9.4.7 (Optional) Configuring the Rate Limit for Packets After ALP Is Enabled

You can set the rate limit for packets in the attack defense policy after ALP is enabled.

Context
Active link protection (ALP) protects session-based application layer data, including data of HTTP sessions and FTP sessions. It ensures non-stop transmission of these services when attacks occur.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-name

The attack defense policy view is displayed.

Step 3 Run:
application-apperceive packet-type { | ftp | http } rate-limit rate-value

The rate limit for HTTP and FTP packets is set.

NOTE

During the setup of an HTTP or FTP connection, if the application-apperceive command is not used to specify a rate, the default rate limit specified by application-apperceive is applied to HTTP and FTP.

By default, the rate limit for FTP packets is 1024 pps and the rate limit for packets is 512 pps when the session is enabled with ALP.

----End

9.4.8 Applying the Attack Defense Policy
An attack defense policy takes effect only when it is applied to a board.

Prerequisites
To protect session-based application layer data, including data of HTTP sessions and FTP sessions, and ensure non-stop transmission of these services when attacks occur, enable active link protection (ALP) before you create an attack defense policy.


Context

An attack defense policy can be applied to the SRU, all the LAN-side LPUs, or the specified LAN-side LPU in the system view.

NOTE

If the attack defense policy is applied to a LAN-side LPU or the SRU, it takes effect for only the packets sent to the CPU of that LAN-side LPU or SRU.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 (Optional) Run:
cpu-defend application-apperceive [ ftp | http ] enable

ALP is enabled.

NOTE

By default, ALP is enabled for FTP and HTTP.

Step 3 Run:
cpu-defend-policy policy-name [ global ]

The attack defense policy is applied.

If global is not specified, the attack defense policy is applied to the SRU. If global is specified, the attack defense policy is applied to all LAN-side LPUs.

----End

9.4.9 Checking the Configuration
This section describes how to check the CPU attack defense configuration.

Procedure
l Run the display cpu-defend policy [ policy-name ] command to check the attack defense policy.

l Run the display cpu-defend statistics [ packet-type packet-type ] command to check the statistics on packets sent to the CPU.

l Run the display cpu-defend configuration [ packet-type packet-type ] { all | sru } command to check the rate limit configuration for protocol packets sent to the CPU.

----End

9.5 Maintaining the Attack Defense Policy
This section describes how to maintain the attack defense policy.


9.5.1 Clearing Statistics on Packets Sent to the CPU
This section describes how to clear statistics on packets sent to the CPU.

Procedure
l Run the reset cpu-defend statistics [ packet-type packet-type ] command to clear statistics on packets sent to the CPU.

----End

9.5.2 Clearing Attack Source Information
This section describes how to clear attack source information.

Procedure
l Run the reset auto-defend attack-source command to clear attack source information.

----End

9.6 Configuration Examples
This section provides attack defense policy configuration examples.

9.6.1 Example for Configuring an Attack Defense Policy
This section provides an example for configuring an attack defense policy.

Networking Requirements
As shown in Figure 9-1, users on different LANs access the Internet through RouterA. To locate attacks on RouterA, attack source tracing needs to be configured to trace the attack source. The problems in this scenario are as follows:

l A user on the network segment Net1 often attacks RouterA.
l Attackers send a large number of ARP Request packets, resulting in CPU performance deterioration.
l The administrator needs to upload files to RouterA using FTP. An FTP connection between the administrator's host and RouterA needs to be set up.
l Most LAN users obtain IP addresses using DHCP, whereas RouterA does not first process DHCP Client packets sent to the CPU.
l The Telnet server is not enabled on RouterA, whereas RouterA often receives a large number of Telnet packets.

Configurations should be performed on RouterA to solve the preceding problems.


Figure 9-1 Networking diagram of attack defense policy configurations
(Figure not reproduced. Labels in the figure: RouterA, Ethernet0/0/1, Ethernet0/0/2, Ethernet0/0/3, Net1: 1.1.1.0/24, Net2: 2.2.2.0/24, Net3: 3.3.3.0/24, Internet, RouterB.)

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a blacklist and add attackers on the network segment Net1 to the blacklist to prevent users on Net1 from accessing the network.
2. Configure the rate limit for ARP Request packets sent to the CPU.
3. Configure active link protection (ALP) for FTP so that file data can be transmitted between the administrator's host and RouterA.
4. Configure a high priority for DHCP Client packets so that RouterA first processes DHCP Client packets sent to the CPU.
5. Configure application layer association for Telnet so that RouterA discards the received Telnet packets.

Data Preparation
To complete the configuration, you need the following data:

l Name of the attack defense policy: devicesafety
l Threshold for attack source tracing: 50 pps
l MAC address of the attacker: 0001-c0a8-0102
l ACL number: 4001
l Blacklist ID: 1
l Rate limit for ARP Request packets sent to the CPU: 64 pps
l Rate limit for FTP packets after ALP is enabled: 2000 pps
l Priority of DHCP Client packets: 3

NOTE

This section provides only the configuration procedure for the local attack defense function supported by the AR200-S. For details about the routing configuration, see the Huawei AR200-S Series Enterprise Routers Configuration Guide - IP Routing.


Procedure
Step 1 Configure an ACL to be referenced by the blacklist.

<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] acl number 4001
[RouterA-acl-L2-4001] rule 5 permit source-mac 0001-c0a8-0102
[RouterA-acl-L2-4001] quit

Step 2 Create an attack defense policy.
[RouterA] cpu-defend policy devicesafety

Step 3 Configure the threshold for attack source tracing.
[RouterA-cpu-defend-policy-devicesafety] auto-defend enable
[RouterA-cpu-defend-policy-devicesafety] auto-defend threshold 50

Step 4 Configure a blacklist.
[RouterA-cpu-defend-policy-devicesafety] blacklist 1 acl 4001

Step 5 Configure the rate limit for ARP Request packets sent to the CPU.
[RouterA-cpu-defend-policy-devicesafety] packet-type arp-request rate-limit 64

Step 6 Configure the rate limit for FTP packets after ALP is enabled.
[RouterA-cpu-defend-policy-devicesafety] application-apperceive packet-type ftp rate-limit 2000

Step 7 Set the priority of DHCP Client packets.
[RouterA-cpu-defend-policy-devicesafety] packet-type dhcp-client priority 3
[RouterA-cpu-defend-policy-devicesafety] quit

Step 8 Apply the attack defense policy.

# Enable ALP for FTP.
[RouterA] cpu-defend application-apperceive ftp enable

# Apply the attack defense policy to the SRU.
[RouterA] cpu-defend-policy devicesafety

Step 9 Configure application layer association for Telnet.
[RouterA] undo telnet server enable

Step 10 Verify the configuration.

# View information about the configured attack defense policy.
[RouterA] display cpu-defend policy devicesafety
 Related slot : <0>
 BlackList Status :
  Slot<0> : Success
 Configuration :
  Blacklist 1 ACL number : 4001
  Packet-type arp-request rate-limit : 64(pps)
  Packet-type dhcp-client priority : 3
  Rate-limit all-packets : 2000(pps)(default)
  Application-apperceive packet-type ftp : 2000(pps)
  Application-apperceive packet-type tftp : 2000(pps)

# View the rate limit configuration on the SRU. You can see that application layer association for Telnet, the rate limit for ARP Request packets sent to the CPU, and the priority for DHCP Client packets are configured successfully.
<Huawei> display cpu-defend configuration sru
Rate configurations on main board.
-----------------------------------------------------------------
 Packet-type                 Status     Rate-limit(PPS)   Priority
-----------------------------------------------------------------
 8021X                       Disabled   128               2
 arp-miss                    Enabled    64                2
 arp-reply                   Enabled    128               2
 arp-request                 Enabled    64                2
 bfd                         Disabled   256               4
 bgp                         Enabled    256               3
 bgp4plus                    Enabled    256               3
 dhcp-client                 Enabled    128               3
 dhcp-server                 Enabled    128               2
 dhcpv6-reply                Enabled    128               2
 dhcpv6-request              Enabled    128               2
 dns                         Enabled    256               2
 fib-hit                     Enabled    256               2
 fr                          Enabled    128               3
 ftp-client                  Disabled   256               2
 ftp-server                  Enabled    256               2
 fw-dns                      Enabled    128               2
 fw-ftp                      Enabled    128               2
 fw-http                     Enabled    128               2
 fw-rtsp                     Enabled    128               2
 fw-sip                      Enabled    128               2
 gre-keepalive               Enabled    128               3
 gvrp                        Enabled    48                3
 hdlc                        Enabled    128               3
 http-client                 Enabled    256               4
 http-server                 Enabled    256               4
 hw-tacacs                   Enabled    128               2
 icmp                        Enabled    256               2
 icmpv6                      Enabled    256               2
 igmp                        Enabled    256               2
 ip-option                   Enabled    256               2
 ipsec-ike                   Enabled    128               2
 ipsec-isa                   Enabled    128               2
 ipsec-osa                   Enabled    128               2
 isis                        Enabled    128               3
 isisv6                      Enabled    128               3
 l2tp                        Enabled    128               2
 lacp                        Enabled    320               3
 lldp                        Enabled    48                3
 nd                          Enabled    128               5
 nd-miss                     Enabled    64                5
 nhrp                        Enabled    256               3
 ntp                         Enabled    128               4
 ospf                        Enabled    256               3
 ospfv3                      Enabled    256               3
 pim                         Disabled   256               3
 ppp                         Enabled    256               2
 pppoe                       Enabled    256               2
 radius                      Enabled    128               2
 rip                         Enabled    128               3
 ripng                       Enabled    256               3
 snmp                        Enabled    256               4
 ssh-client                  Enabled    128               4
 ssh-server                  Enabled    128               4
 sslvpn                      Enabled    4096              3
 stp                         Enabled    96                3
 tcp                         Enabled    128               2
 telnet-client               Enabled    128               4
 telnet-server               Enabled    128               4
 ttl-expired                 Enabled    256               1
 udp-helper                  Disabled   16                2
 unknown-multicast           Enabled    128               1
 unknown-packet              Enabled    256               1
 voice                       Enabled    256               4
 vrrp                        Disabled   256               3
-----------------------------------------------------------------


# The log for attack source tracing of Net1 indicates that attack source tracing has taken effect.
Dec 18 2010 09:55:50-05:13 AR200-S %%01SECE/4/USER_ATTACK(l)[0]:User attack occurred.(Slot=MPU, SourceAttackInterface=Ethernet0/0/1, OuterVlan/InnerVlan=0/0, UserMacAddress=0001-c0a8-0102, AttackPackets=48 packets per second)

# View the statistics on packets sent to the SRU. The discarded packets indicate that the rate limit is set for ARP Request packets.
<Huawei> display cpu-defend statistics
-----------------------------------------------------------------------
 Packet Type                      Pass Packets         Drop Packets
-----------------------------------------------------------------------
 8021X                            0                    0
 arp-miss                         5                    0
 arp-reply                        8090                 0
 arp-request                      1446576              127773
 bfd                              0                    0
 bgp                              0                    0
 bgp4plus                         0                    0
 dhcp-client                      879                  0
 dhcp-server                      0                    0
 dhcpv6-reply                     0                    0
 dhcpv6-request                   0                    0
 dlsw                             0                    0
 dns                              4                    0
 fib-hit                          0                    0
 fr                               0                    0
 ftp-client                       0                    0
 ftp-server                       0                    0
 fw-dns                           0                    0
 fw-ftp                           0                    0
 fw-http                          0                    0
 fw-rtsp                          0                    0
 fw-sip                           0                    0
 gre-keepalive                    0                    0
 gvrp                             0                    0
 hdlc                             0                    0
 http-client                      0                    0
 http-server                      0                    0
 hw-tacacs                        0                    0
 icmp                             59                   0
 icmpv6                           224                  0
 igmp                             539                  0
 ip-option                        0                    0
 ipsec-ike                        0                    0
 ipsec-isa                        0                    0
 ipsec-osa                        0                    0
 isis                             70252                0
 isisv6                           0                    0
 l2tp                             0                    0
 lacp                             0                    0
 lldp                             0                    0
 nd                               358                  0
 nd-miss                          0                    0
 nhrp                             0                    0
 ntp                              0                    0
 ospf                             0                    0
 ospfv3                           0                    0
 pim                              0                    0
 ppp                              0                    0
 pppoe                            0                    0
 radius                           0                    0
 rip                              11306                0
 ripng                            7385                 0
 snmp                             0                    0
 ssh-client                       0                    0
 ssh-server                       0                    0
 sslvpn                           0                    0
 stp                              0                    0
 tcp                              15                   0
 telnet-client                    81476                0
 telnet-server                    0                    0
 ttl-expired                      0                    0
 udp-helper                       0                    0
 unknown-multicast                0                    0
 unknown-packet                   66146                0
 voice                            0                    0
 vrrp                             0                    0
-----------------------------------------------------------------------

----End

Configuration Files

#
 sysname RouterA
#
acl number 4001
 rule 5 permit source-mac 0001-c0a8-0102
#
cpu-defend policy devicesafety
 blacklist 1 acl 4001
 packet-type arp-request rate-limit 64
 packet-type dhcp-client priority 3
 application-apperceive packet-type ftp rate-limit 2000
 auto-defend enable
 auto-defend threshold 50
 auto-defend trace-type source-mac source-ip source-portvlan
 auto-defend protocol all
#
 cpu-defend-policy devicesafety
#
 undo telnet server enable
#
return
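A practitioner who polls the router will want the verification output of this example in machine-readable form. The following Python parsers are an added example, not Huawei code: they read display cpu-defend statistics rows and the SECE/4/USER_ATTACK log line, flag packet types with a non-zero drop counter and pull the traced source out of the log. The sample text is copied from the output shown above; the assumption that the statistics columns are whitespace separated and that the log fields appear as key=value pairs inside the parentheses is taken from that sample.

```python
"""Parsers for the verification output of section 9.6.1.  Added example,
not Huawei code; the sample text is copied from the guide and the column
and field layout is assumed from that sample."""
import re

# Rows copied from the display cpu-defend statistics output in the guide
STATISTICS_SAMPLE = """\
-----------------------------------------------------------------------
 Packet Type                      Pass Packets         Drop Packets
-----------------------------------------------------------------------
 8021X                            0                    0
 arp-reply                        8090                 0
 arp-request                      1446576              127773
 dhcp-client                      879                  0
 telnet-client                    81476                0
 unknown-packet                   66146                0
-----------------------------------------------------------------------
"""

# Log line copied from the guide
ATTACK_LOG_SAMPLE = (
    "Dec 18 2010 09:55:50-05:13 AR200-S %%01SECE/4/USER_ATTACK(l)[0]:User attack "
    "occurred.(Slot=MPU, SourceAttackInterface=Ethernet0/0/1, OuterVlan/InnerVlan=0/0, "
    "UserMacAddress=0001-c0a8-0102, AttackPackets=48 packets per second)"
)

# packet type, pass counter, drop counter; header and rule lines do not match
STAT_ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s*$")
# key=value fields inside the parentheses of the log message
FIELD = re.compile(r"([\w/]+)=([^,)]+)")


def parse_cpu_defend_statistics(text):
    """Return {packet_type: (pass_packets, drop_packets)}."""
    stats = {}
    for line in text.splitlines():
        m = STAT_ROW.match(line)
        if m:
            stats[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return stats


def types_with_drops(stats, min_drop=1):
    """Packet types whose drop counter is at least min_drop, largest first."""
    return sorted((t for t, (_, drop) in stats.items() if drop >= min_drop),
                  key=lambda t: -stats[t][1])


def parse_user_attack_log(line):
    """Extract the fields of a SECE/4/USER_ATTACK log line, or None for other lines."""
    if "USER_ATTACK" not in line:
        return None
    fields = {k: v.strip() for k, v in FIELD.findall(line)}
    # "AttackPackets=48 packets per second" -> 48
    m = re.match(r"(\d+)", fields.get("AttackPackets", ""))
    fields["AttackPacketsPerSecond"] = int(m.group(1)) if m else None
    return fields


if __name__ == "__main__":
    stats = parse_cpu_defend_statistics(STATISTICS_SAMPLE)
    for t in types_with_drops(stats):
        print("drops on", t, stats[t])
    print(parse_user_attack_log(ATTACK_LOG_SAMPLE))
```

Run against the sample, the statistics parser reports arp-request as the only type with discards, matching the rate limit set in Step 5, and the log parser returns the interface and MAC address of the traced source together with its measured rate.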


10 ACL Configuration

About This Chapter

This chapter explains how to filter data packets on an AR200-S by defining an Access Control List (ACL) to determine allowed packet types.

10.1 ACL Overview
This section describes the basic concept of ACLs.

10.2 ACL Features Supported by the AR200-S

10.3 Configuring a Basic ACL
A basic ACL classifies IPv4 packets based on information such as source IP addresses, fragment flags, and time ranges.

10.4 Configuring an Advanced ACL
An advanced ACL classifies IPv4 packets based on information such as source and destination IP addresses, source and destination port numbers, packet priorities, and time ranges.

10.5 Configuring a Layer 2 ACL
A Layer 2 ACL classifies Layer 2 packets with the Ethernet protocol type of Ethernet_II based on information such as the source and destination MAC addresses, and Layer 2 protocol type.

10.6 Configuration Examples
This section provides several configuration examples of ACLs.


10.1 ACL Overview
This section describes the basic concept of ACLs.

An ACL is composed of a list of rules. Each rule contains a permit or deny clause. These rules are defined to use information in packets to classify the packets. After these rules are applied to the AR200-S, the AR200-S determines which packets to receive and reject.

ACLs can be applied to some services and functions on the AR200-S, for example, the routing policy, traffic classifier, firewall, and IPSec.

NOTE

An ACL is only a set of rules and cannot filter packets directly. The ACL can identify packets of a certain type and the packets of this type are processed by the function that references the ACL.

10.2 ACL Features Supported by the AR200-S

ACLs Supported by the AR200-S

The AR200-S supports different types of ACLs, as shown in Table 10-1.

Table 10-1 Classification of ACLs

Classification rule: information defined in an ACL
l Basic ACL: A basic ACL matches packets based on information such as source IP addresses, fragment flags, and time ranges. The number of a basic ACL ranges from 2000 to 2999.
l Advanced ACL: An advanced ACL matches packets based on information such as source and destination IP addresses, source and destination port numbers, packet priorities, and time ranges. The number of an advanced ACL ranges from 3000 to 3999.
l Layer 2 ACL: A Layer 2 ACL matches packets based on Layer 2 information in packets, such as source and destination MAC addresses, and Layer 2 protocol types. The number of a Layer 2 ACL ranges from 4000 to 4999.

Classification rule: naming mode
l Numbered ACL: A numbered ACL is identified by a number, which can be specified to reference the ACL.
l Named ACL: A named ACL is identified by a character string name, which can be specified to reference the ACL. Named ACLs are easy to identify and remember. The AR200-S supports flexible ACL naming modes. You can also specify a number for a named ACL. If no ACL number is specified for a named ACL, the system allocates an ACL number to the named ACL.

Table 10-2 shows information that can be used by basic ACLs, advanced ACLs, and Layer 2 ACLs to define rules. Advanced ACLs can define rules based on IP version information and the type of the protocol over IP, such as Generic Routing Encapsulation (GRE), Internet Group Management Protocol (IGMP), IPinIP, Open Shortest Path First (OSPF), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Management Protocol (ICMP).

Table 10-2 Information that can be used by different types of ACLs to define rules

Information defined in an ACL                    Basic  Advanced ACL                               Layer 2
                                                 ACL    IP     GRE, IGMP,     TCP    UDP    ICMP   ACL
                                                               IPinIP, OSPF
------------------------------------------------------------------------------------------------------------
Layer 3 information   Source IP address          Yes    Yes    Yes            Yes    Yes    Yes    No
                      Destination IP address     No     Yes    Yes            Yes    Yes    Yes    No
                      DiffServ Codepoint (DSCP)  No     Yes    Yes            Yes    Yes    Yes    No
                      Priority                   No     Yes    Yes            Yes    Yes    Yes    No
                      Fragment flag              Yes    Yes    Yes            Yes    Yes    Yes    No
                      Type of Service (ToS)      No     Yes    Yes            Yes    Yes    Yes    No
                      ICMP packet type and code  No     No     No             No     No     Yes    No
Layer 4 information   Source port number         No     No     No             Yes    Yes    No     No
                      Destination port number    No     No     No             Yes    Yes    No     No
                      SYN flag type              No     No     No             Yes    No     No     No
Layer 2 information   Source MAC address         No     No     No             No     No     No     Yes
                      Destination MAC address    No     No     No             No     No     No     Yes
                      Layer 2 protocol type      No     No     No             No     No     No     Yes
                      VLAN ID                    No     No     No             No     No     No     Yes
                      802.1p priority            No     No     No             No     No     No     Yes
Other information     Time range                 Yes    Yes    Yes            Yes    Yes    Yes    Yes
------------------------------------------------------------------------------------------------------------

Other ACL Features Supported by the AR200-S
The AR200-S supports the following ACL features:

l Step: The step value makes it possible to add a new rule between existing rules and to control the matching order of rules.

l Description of an ACL: The description of an ACL describes the function or usage of the ACL. It is used to differentiate ACLs.

l Description of an ACL rule: The description of an ACL rule describes the function or usage of the ACL rule. It is used to differentiate ACL rules.

l Time range: A time range defines the period during which ACL rules take effect. Some services or functions that reference ACLs need to be started during a specified period of time, for example, QoS needs to be started during peak hours. You can create a time range and reference the time range in an ACL so that the ACL takes effect in the time range. The service or function that references the ACL is also started in the specified time range.

NOTE

The ACLs configured on fixed LAN-side interfaces do not take effect for Layer 2 traffic transmitted between LANs.
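The rule list, step value, number ranges and time range described in this section can be modelled in a few dozen lines. The following Python class is an added illustration and not the AR200-S implementation: the number ranges follow Table 10-1 and the first-match permit/deny evaluation follows section 10.1, while the packet field names (src_ip, src_mac), the periodic time range format, the rule syntax and the sample rules are constructed for the example.

```python
"""Model of numbered ACLs with stepped rule IDs, first-match evaluation and
a periodic time range (sections 10.1 and 10.2).  Added illustration, not
AR200-S code; field names, rule syntax and sample rules are constructed."""
import ipaddress
from datetime import datetime


def acl_type(number):
    """Classify an ACL by its number range as in Table 10-1."""
    if 2000 <= number <= 2999:
        return "basic"
    if 3000 <= number <= 3999:
        return "advanced"
    if 4000 <= number <= 4999:
        return "layer2"
    raise ValueError("ACL number %d is outside the supported ranges" % number)


class TimeRange:
    """Periodic range: active between start and end (HH:MM) on the given weekdays (0 = Monday)."""

    def __init__(self, start, end, days):
        self.start = datetime.strptime(start, "%H:%M").time()
        self.end = datetime.strptime(end, "%H:%M").time()
        self.days = set(days)

    def active(self, when):
        return when.weekday() in self.days and self.start <= when.time() <= self.end


class Acl:
    def __init__(self, number, step=5):
        self.number = number
        self.kind = acl_type(number)
        self.step = step
        self.rules = {}   # rule id -> (action, match fields, time range or None)

    def add_rule(self, action, rule_id=None, time_range=None, **match):
        """Add a rule; without an explicit id the next multiple of the step is used,
        which leaves room to insert a rule between existing ones later."""
        if rule_id is None:
            rule_id = (max(self.rules, default=0) // self.step + 1) * self.step
        self.rules[rule_id] = (action, match, time_range)
        return rule_id

    @staticmethod
    def _field_matches(field, want, pkt):
        have = pkt.get(field)
        if have is None:
            return False
        if field in ("src_ip", "dst_ip"):      # want may be a host or a prefix
            return ipaddress.ip_address(have) in ipaddress.ip_network(want)
        return have == want

    def evaluate(self, pkt, when=None):
        """Return 'permit', 'deny' or None (no rule matched); rules are tried in id order
        and a rule whose time range is inactive is skipped."""
        when = when or datetime.now()
        for rule_id in sorted(self.rules):
            action, match, tr = self.rules[rule_id]
            if tr is not None and not tr.active(when):
                continue
            if all(self._field_matches(f, v, pkt) for f, v in match.items()):
                return action
        return None


def demo():
    """Constructed rules: a Layer 2 ACL like the one in section 9.6.1 and a basic ACL
    that denies Net1 during office hours except for one host."""
    l2 = Acl(4001)
    l2.add_rule("permit", src_mac="0001-c0a8-0102")

    office_hours = TimeRange("08:00", "18:00", days=range(0, 5))         # Mon-Fri
    basic = Acl(2000, step=5)
    basic.add_rule("deny", src_ip="1.1.1.0/24", time_range=office_hours)  # rule 5
    basic.add_rule("permit", src_ip="2.2.2.0/24")                          # rule 10
    basic.add_rule("permit", rule_id=3, src_ip="1.1.1.1")                  # inserted ahead of rule 5

    monday = datetime(2010, 12, 20, 9, 55)
    saturday = datetime(2010, 12, 18, 9, 55)
    return {
        "attacker_mac": l2.evaluate({"src_mac": "0001-c0a8-0102"}),
        "other_mac": l2.evaluate({"src_mac": "0001-aaaa-0001"}),
        "net1_host_exception": basic.evaluate({"src_ip": "1.1.1.1"}, monday),
        "net1_weekday": basic.evaluate({"src_ip": "1.1.1.9"}, monday),
        "net1_weekend": basic.evaluate({"src_ip": "1.1.1.9"}, saturday),
        "net2": basic.evaluate({"src_ip": "2.2.2.7"}, monday),
        "unmatched": basic.evaluate({"src_ip": "3.3.3.3"}, monday),
        "rule_ids": sorted(basic.rules),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The rule inserted with id 3 is evaluated before the deny at id 5, which is exactly what the step value is for; outside the time range the deny rule is skipped and a Net1 packet falls through to no match, which a referencing function would then treat according to its own default.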

10.3 Configuring a Basic ACLA basic ACL classifies IPv4 packets based on information such as source IP addresses, fragmentflags, and time ranges.

10.3.1 Establishing the Configuration TaskBefore configuring a basic ACL, familiarize yourself with the applicable environment, completethe pre-configuration tasks, and obtain the data required for the configuration. This will helpyou complete the configuration task quickly and accurately.

Applicable Environment

Basic ACLs can be referenced by many services and functions such as the routing policy and traffic classifier. The AR200-S processes different types of packets based on basic ACL rules.

Basic ACLs are applied to all the IPv4 packets at the network layer and upper layers. Basic ACLs classify packets based on source IP addresses, fragment flags, and time ranges in the packets.

Pre-configuration Tasks

Before configuring a basic ACL, complete the following task:

- Setting link layer protocol parameters for interfaces to ensure that the link layer protocol status on the interfaces is Up

Data Preparation

To configure a basic ACL, you need the following data.

No.  Data
1    (Optional) Name of a time range during which ACL rules take effect
2    Number or name of a basic ACL
3    Source IP address, fragment flag
4    (Optional) Description of a basic ACL
5    (Optional) Description of a basic ACL rule
6    (Optional) Step between ACL rule IDs


10.3.2 (Optional) Creating a Time Range for a Basic ACL

To make a basic ACL take effect during a specified period of time, create a time range and reference the time range in the basic ACL. If no time range is specified for the ACL, the ACL remains effective until it is deleted or the rules of the ACL are deleted.

Context

Some services or functions that reference basic ACLs need to be started during a specified period of time, for example, QoS needs to be started during peak hours. You can create a time range and reference the time range in a basic ACL so that the basic ACL takes effect in the time range. The service or function that references the basic ACL is also started in the specified time range.

Procedure

Step 1 Run:

  system-view

The system view is displayed.

Step 2 Run:

  time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }

A time range is created.

To configure multiple time ranges with the same name on the AR200-S, run the preceding command with the same value of time-name multiple times.

NOTE

You can configure the same name for multiple time ranges to describe a special period. Assume that the same name test is configured for the following time ranges:

- Time range 1: 2010-01-01 00:00 to 2010-12-31 23:59 (absolute time range)

- Time range 2: 8:00 to 18:00 from Monday to Friday (periodic time range)

- Time range 3: 14:00 to 18:00 on Saturday and Sunday (periodic time range)

The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in 2010.

----End

Follow-up Procedure

Reference the time range in a basic ACL rule.
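The note above shows how several entries under one time-name combine: the absolute entry bounds the year and the periodic entries add the weekday windows. The following Python model is an added example, not code from this guide or from Huawei; it evaluates whether a named time range is active at a given clock time and reproduces the guide's test example, so you can check a rule's expected in-effect window before the ACL is referenced. The date format YYYY/MM/DD, the exclusive end minute of a periodic entry, the AND between the absolute group and the periodic group, and the treatment of a missing group as unrestricted are assumptions of this model.

```python
from datetime import datetime

# Day keywords accepted by the time-range command; Monday is 0 as in datetime.weekday().
DAY_GROUPS = {
    "daily": set(range(7)),
    "working-day": set(range(5)),
    "off-day": {5, 6},
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}


def _minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def parse_clock(when):
    """Clock time as 'YYYY/MM/DD HH:MM' (the input format this example uses)."""
    return datetime.strptime(when, "%Y/%m/%d %H:%M")


class TimeRange:
    """Every entry configured under one time-name, periodic and absolute alike."""

    def __init__(self, name):
        self.name = name
        self.periodic = []   # (start_minute, end_minute, weekdays)
        self.absolute = []   # (start_datetime, end_datetime)

    def add_periodic(self, start, end, days):
        """time-range NAME start-time to end-time days  (days: one or more day keywords)."""
        weekdays = set()
        for day in days.split():
            weekdays |= DAY_GROUPS[day.lower()]
        self.periodic.append((_minutes(start), _minutes(end), weekdays))

    def add_absolute(self, time1, date1, time2=None, date2=None):
        """time-range NAME from time1 date1 [ to time2 date2 ]  (dates as YYYY/MM/DD, an assumption)."""
        start = datetime.strptime(f"{date1} {time1}", "%Y/%m/%d %H:%M")
        end = datetime.max if time2 is None else datetime.strptime(f"{date2} {time2}", "%Y/%m/%d %H:%M")
        self.absolute.append((start, end))

    def is_active(self, now):
        # Modelling assumption, consistent with the guide's "test" example: periodic entries are
        # ORed with each other, absolute entries are ORed with each other, and the range is active
        # only when both groups match. A group with no entries places no restriction.
        in_absolute = not self.absolute or any(s <= now <= e for s, e in self.absolute)
        minute = now.hour * 60 + now.minute
        in_periodic = not self.periodic or any(
            s <= minute < e and now.weekday() in days      # end minute treated as exclusive
            for s, e, days in self.periodic)
        return in_absolute and in_periodic

    def status(self, now):
        """Same wording as the 'display time-range' output shown later in this chapter."""
        return "Active" if self.is_active(now) else "Inactive"


def build_test_range():
    """The time range named test from the note above, built from its three entries."""
    tr = TimeRange("test")
    tr.add_absolute("00:00", "2010/01/01", "23:59", "2010/12/31")   # time range 1
    tr.add_periodic("08:00", "18:00", "working-day")                  # time range 2
    tr.add_periodic("14:00", "18:00", "off-day")                      # time range 3
    return tr


if __name__ == "__main__":
    tr = build_test_range()
    for when in ("2010/12/27 09:13", "2010/12/25 09:13", "2010/12/25 15:00", "2011/01/03 09:13"):
        print(when, tr.status(parse_clock(when)))
```

The first and third clock times fall inside the weekday and weekend windows of 2010 and report Active; the Saturday morning and the January 2011 times report Inactive, the latter because the absolute entry no longer holds even though the weekday window does.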

10.3.3 Creating a Basic ACL

Before using a basic ACL, ensure that the basic ACL has been created. You can create a named or numbered basic ACL.

Prerequisites

The display acl all command has been executed to view all the configured ACLs. This prevents duplicate basic ACLs from being configured.


Procedure

- Creating a numbered basic ACL

  1. Run:

     system-view

     The system view is displayed.

  2. Run:

     acl [ number ] acl-number [ match-order { auto | config } ]

     A basic ACL with the specified number is created and the basic ACL view is displayed.

     acl-number specifies the number of a basic ACL. The value ranges from 2000 to 2999.

     match-order specifies the matching order of basic ACL rules:

     – auto: indicates that ACL rules are matched based on the depth first principle.
     – config: indicates that ACL rules are matched based on the sequence in which they were configured.

  3. (Optional) Run:

     description text

     The description of the basic ACL is configured.

     The description of an ACL describes the function or usage of the ACL. It is used to differentiate ACLs.

     By default, no description is configured for an ACL.

- Creating a named basic ACL

  1. Run:

     system-view

     The system view is displayed.

  2. Run:

     acl name acl-name { basic | acl-number } [ match-order { auto | config } ]

     A basic ACL with the specified name is created and the basic ACL view is displayed.

     acl-number specifies the number of a basic ACL. The value ranges from 2000 to 2999.

     match-order specifies the matching order of basic ACL rules:

     – auto: indicates that ACL rules are matched based on the depth first principle.
     – config: indicates that ACL rules are matched based on the sequence in which they were configured.

  3. (Optional) Run:

     description text

     The description of the basic ACL is configured.

     The description of an ACL describes the function or usage of the ACL. It is used to differentiate ACLs.

     By default, no description is configured for an ACL.

----End


Follow-up Procedure

Configure rules in the basic ACL.

10.3.4 Configuring a Basic ACL Rule

A basic ACL is composed of a list of rules. The ACL classifies packets by matching packet information with the ACL rules.

Prerequisites

A basic ACL has been created and the basic ACL view is displayed.

Before creating a new rule, run the display acl { acl-number | name acl-name } command to view all the configured ACL rules to prevent the new rule from overriding existing rules.

Context

A basic ACL classifies packets by matching packet information with the ACL rules. After a basic ACL is created, configure rules in the basic ACL.

Procedure

Step 1 (Optional) Run:

  step step-value

The step value between ACL rule IDs is set.

By default, the step value is 5.

Step 2 Run:

  rule { deny | permit } [ source { source-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name | [ fragment | none-first-fragment ] ] *

A basic ACL rule is configured.

To configure multiple rules, repeat this step.

NOTE

If the rule ID is not specified, the step value is used as the start rule ID.

If different rules are ANDed or ORed, configure a correct matching order to prevent incorrect configurations.

Step 3 (Optional) Run:

  rule rule-id description text

The description of the basic ACL rule is configured.

The description of an ACL rule describes the function or usage of the ACL rule. It is used to differentiate ACL rules.

----End

Follow-up Procedure

After a basic ACL rule is configured, perform the following operations as required:


- Run the step command to change the step value.

- Run the rule command with rule-id specified to add a new rule between existing rules when the configuration order is used.

10.3.5 Applying a Basic ACL

A basic ACL can be applied to some services and functions to classify packets.

Prerequisites

A basic ACL has been created and rules have been configured in the basic ACL.

Context

A basic ACL can be applied to the following services and functions:

- Traffic classifier
- Blacklist for local attack defense
- Route filtering
- OSPF LSA filtering
- IP multicast
- Limiting access to an FTP or TFTP server
- Firewall
- NAT
- Packet filtering on an interface

Procedure

- Apply a basic ACL to a traffic classifier.

  To provide differentiated services based on packet information, configure traffic classifiers. Basic ACLs can be referenced by traffic classifiers to define rules for classifying traffic. For details, see Configuring a Traffic Classifier.

- Apply a basic ACL to add specified users to the blacklist for local attack defense.

  A blacklist is a set of unauthorized users. The AR200-S uses basic ACLs to add users with a specific characteristic to a blacklist and discards the packets from the users in the blacklist. For details, see 9.4.3 (Optional) Configuring a Blacklist.

- Apply a basic ACL to route filtering.

  You can configure route filtering for the Routing Information Protocol (RIP), Open Shortest Path First (OSPF), Intermediate System-to-Intermediate System (IS-IS), and Multiprotocol Border Gateway Protocol (MBGP), and set conditions for filtering routes of these protocols. The routes that do not meet the conditions are not added to the routing table or advertised. The AR200-S uses basic ACLs to set filtering conditions so that route filtering is implemented. For details, see Configuration Guide - IP Routing.

- Apply a basic ACL to OSPF LSA filtering.

  In special network environments, OSPF features need to be configured and performance of the OSPF network needs to be improved. When multiple links exist between two routers, you can filter outgoing LSAs on the local router. This can reduce the unnecessary retransmission of LSAs on certain links and save bandwidth resources. The AR200-S can use basic ACLs to filter outgoing LSAs. For details, see Optimizing an OSPF Network.

- Apply a basic ACL to IP multicast.

  Certain functions of the Internet Group Management Protocol (IGMP), Protocol Independent Multicast-Dense Mode (PIM-DM), and Protocol Independent Multicast-Sparse Mode (PIM-SM) need to reference basic ACLs. For details, see Configuration Guide - Multicast.

- Apply a basic ACL to control users that can connect to an FTP or TFTP server.

  When the AR200-S functions as an FTP or TFTP server, you can configure a basic ACL to allow only the clients that meet certain conditions to access the server. For details, see (Optional) Configuring an FTP ACL.

- Apply a basic ACL to a firewall.

  The attack defense system protects an internal network against attacks from external networks. Generally, firewalls are deployed between the internal and external networks to defend against attacks. A packet filtering firewall filters packets by using an ACL. The AR200-S uses a basic ACL to configure the packet filtering firewall. For details, see 3.4 Configuring the Packet Filtering Firewall.

- Apply a basic ACL to NAT.

  Network Address Translation (NAT) enables hosts on a private network to access the public network. A NAT address pool is a set of public IP addresses. When a packet from a private network reaches the public network by using address translation, one IP address in the NAT address pool is selected as the source address after translation. The AR200-S uses a basic ACL to classify IP addresses in the NAT address pool so that source addresses of data packets matching the basic ACL are translated. For details, see Associating an ACL with an Address Pool.

- Apply an ACL to an interface to filter packets on the interface.

  The AR200-S can filter packets on an interface using an ACL.

  – If the action in an ACL rule is deny, the AR200-S discards all packets matching the rule.
  – If the action in an ACL rule is permit, the AR200-S forwards all packets matching the rule.

  Perform the following steps to apply a basic ACL to an interface:

  1. Run:

     system-view

     The system view is displayed.

  2. Run:

     interface interface-type interface-number

     The interface view is displayed.

  3. Run:

     traffic-filter { inbound | outbound } acl { acl-number | name acl-name }

     A basic ACL is applied to the interface.

----End

----End


10.3.6 Checking the Configuration

After a basic ACL is configured, you can view information about the basic ACL and time range.

Prerequisites

The basic ACL configurations are complete.

Procedure

- Run the display acl acl-number command to view the basic ACL with the specified number.

- Run the display acl name acl-name command to view the basic ACL with the specified name.

- Run the display time-range { all | time-name } command to view information about the time range.

----End

Example

# Run the display acl acl-number command to view the basic ACL number, the number of rules, the step value, and the content of the rules.

  <Huawei> display acl 2009
  Basic ACL 2009, 1 rule
  Acl's step is 5
   rule 5 deny source 10.1.1.1 0

# Run the display acl name acl-name command to view the basic ACL name and number, the number of rules, the step value, and the content of the rules.

  <Huawei> display acl name qos1
  Basic ACL qos1 2999, 1 rule
  Acl's step is 5
   rule 5 permit source 202.114.24.56 0.0.0.255

# Run the display time-range all command to view the configuration and status of the current time range.

  <Huawei> display time-range all
  Current time is 09:13:37 12-27-2010 Thursday
  Time-range : test1 ( Inactive )
   13:00 to 18:00 working-day
   13:00 to 18:00 off-day
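The display acl output above (and the advanced-ACL form of it in 10.4.6, which has the same shape) is what an operator has to compare against the intended rule set when checking that an ACL has not been changed by a later rule command. The following Python parser and comparison are an added example, not code from this guide or from Huawei; they read the line shapes shown on this page and report rules that are unexpected, missing or altered relative to an approved baseline. The plural "rules" in the header for more than one rule, the sample output and the baseline are constructed for this example.

```python
import re

# Line shapes taken from the display acl examples on this page.
HEADER_RE = re.compile(r"^(Basic|Advanced) ACL (?:(\S+) )?(\d+), (\d+) rules?$")
STEP_RE = re.compile(r"^Acl's step is (\d+)$")
RULE_RE = re.compile(r"^\s*rule (\d+) (permit|deny)(?: (.*))?$")


def parse_display_acl(output):
    """Parse the text of one 'display acl' command into
    {'type', 'name', 'number', 'count', 'step', 'rules': {rule_id: (action, match_text)}}."""
    acl = {"type": None, "name": None, "number": None, "count": None, "step": None, "rules": {}}
    for line in output.splitlines():
        line = line.rstrip()
        if not line or line.startswith("<"):         # blank line or the echoed prompt
            continue
        m = HEADER_RE.match(line)
        if m:
            acl.update(type=m.group(1), name=m.group(2), number=int(m.group(3)), count=int(m.group(4)))
            continue
        m = STEP_RE.match(line)
        if m:
            acl["step"] = int(m.group(1))
            continue
        m = RULE_RE.match(line)
        if m:
            acl["rules"][int(m.group(1))] = (m.group(2), m.group(3) or "")
            continue
        raise ValueError("unrecognised display acl line: " + line)
    if acl["count"] != len(acl["rules"]):
        raise ValueError(f"header announces {acl['count']} rules but {len(acl['rules'])} were listed")
    return acl


def audit_rules(acl, baseline):
    """Compare the rules found on the device with an approved baseline {rule_id: (action, match_text)}.
    Returns rule-ID lists: 'unexpected' (on device, not in baseline), 'missing' (in baseline,
    not on device) and 'changed' (present in both with a different action or match text)."""
    found = acl["rules"]
    return {
        "unexpected": sorted(set(found) - set(baseline)),
        "missing": sorted(set(baseline) - set(found)),
        "changed": sorted(rid for rid in set(found) & set(baseline) if found[rid] != baseline[rid]),
    }


# Constructed output, modelled on the page's example but with two more rules.
SAMPLE_OUTPUT = """\
<Huawei> display acl 2009
Basic ACL 2009, 3 rules
Acl's step is 5
 rule 5 deny source 10.1.1.1 0
 rule 7 permit source 10.1.1.1 0
 rule 10 permit source 10.1.2.0 0.0.0.255
"""

# Constructed change record of what ACL 2009 is supposed to contain.
BASELINE_2009 = {
    5: ("deny", "source 10.1.1.1 0"),
    10: ("permit", "source 10.1.1.0 0.0.0.255"),
}

if __name__ == "__main__":
    print(audit_rules(parse_display_acl(SAMPLE_OUTPUT), BASELINE_2009))
```

On the sample, rule 7 is reported as unexpected: it was slipped in between rules 5 and 10 with an explicit rule ID and, under configuration order, it would take effect only after the deny in rule 5, but its presence is still a deviation worth explaining. Rule 10 is reported as changed because its source network differs from the baseline.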

10.4 Configuring an Advanced ACL

An advanced ACL classifies IPv4 packets based on information such as source and destination IP addresses, source and destination port numbers, packet priorities, and time ranges.


10.4.1 Establishing the Configuration Task

Before configuring an advanced ACL, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

Advanced ACLs are applied to multiple services and functions, for example, traffic classifiers and multicast. The AR200-S processes different types of packets based on advanced ACL rules.

Advanced ACLs can be applied to:

- All the IPv4 packets at the network layer and upper layers. Advanced ACLs classify IPv4 packets based on information such as source and destination IP addresses, packet priorities, fragment flags, time ranges, and VPN instances in the packets.

  NOTE

  An advanced ACL is similar to a basic ACL, but defines more information than a basic ACL.

- Specified types of packets, including GRE packets, IGMP packets, IPinIP packets, OSPF packets, ICMP packets, UDP packets, and TCP packets. Advanced ACLs classify these packet types based on different types of information:

  – GRE packets, IGMP packets, IPinIP packets, and OSPF packets are classified based on information such as source and destination IP addresses, packet priorities, fragment flags, time ranges, and VPN instances in the packets.
  – ICMP packets are classified based on information such as source and destination IP addresses, packet priorities, fragment flags, ICMP packet types and codes, time ranges, and VPN instances in the packets.
  – UDP packets are classified based on information such as source and destination IP addresses, source and destination port numbers, packet priorities, fragment flags, time ranges, and VPN instances in the packets.
  – TCP packets are classified based on information such as source and destination IP addresses, source and destination port numbers, SYN flag types, packet priorities, fragment flags, time ranges, and VPN instances in the packets.

Pre-configuration Tasks

Before configuring an advanced ACL, complete the following task:

- Setting link layer protocol parameters for interfaces to ensure that the link layer protocol status on the interfaces is Up

Data Preparation

To configure an advanced ACL, you need the following data.

No.  Data
1    (Optional) Name of a time range during which ACL rules take effect
2    Number or name of an advanced ACL
3    Protocol type


4    Source IP address and port number, destination IP address and port number, fragment flag, ICMP packet type and code, packet priority, ToS value, and time range
5    (Optional) Description of an advanced ACL
6    (Optional) Description of an advanced ACL rule
7    (Optional) Step value between advanced ACL rule IDs

10.4.2 (Optional) Creating a Time Range for an Advanced ACL

To make an advanced ACL take effect during a specified period of time, create a time range and reference the time range in the advanced ACL. If no time range is specified for the ACL, the ACL remains effective until it is deleted or the rules of the ACL are deleted.

Context

Some services or functions that reference advanced ACLs need to be started during a specified period of time, for example, QoS needs to be started during peak hours. You can create a time range and reference the time range in an advanced ACL so that the advanced ACL takes effect in the time range. The service or function that references the advanced ACL is also started in the specified time range.

Procedure

Step 1 Run:

  system-view

The system view is displayed.

Step 2 Run:

  time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }

A time range is created.

To configure multiple time ranges with the same name on the AR200-S, run the preceding command with the same value of time-name multiple times.

NOTE

You can configure the same name for multiple time ranges to describe a special period. Assume that the same name test is configured for the following time ranges:

- Time range 1: 2010-01-01 00:00 to 2010-12-31 23:59 (absolute time range)

- Time range 2: 8:00 to 18:00 from Monday to Friday (periodic time range)

- Time range 3: 14:00 to 18:00 on Saturday and Sunday (periodic time range)

The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in 2010.

----End


Follow-up Procedure

Reference the time range in an advanced ACL rule.

10.4.3 Creating an Advanced ACL

Before using an advanced ACL, ensure that the advanced ACL has been created. You can create a named or numbered advanced ACL.

Prerequisites

The display acl all command has been executed to view all the configured ACLs. This prevents duplicate advanced ACLs from being configured.

Procedure

- Creating a numbered advanced ACL

  1. Run:

     system-view

     The system view is displayed.

  2. Run:

     acl [ number ] acl-number [ match-order { auto | config } ]

     An advanced ACL with the specified number is created and the advanced ACL view is displayed.

     acl-number specifies the number of an advanced ACL. The value ranges from 3000 to 3999.

     match-order specifies the matching order of advanced ACL rules:

     – auto: indicates that ACL rules are matched based on the depth first principle.
     – config: indicates that ACL rules are matched based on the sequence in which they were configured.

  3. (Optional) Run:

     description text

     The description of the advanced ACL is configured.

     The description of an ACL describes the function or usage of the ACL. It is used to differentiate ACLs.

     By default, no description is configured for an ACL.

- Creating an advanced ACL based on the name

  1. Run:

     system-view

     The system view is displayed.

  2. Run:

     acl name acl-name [ advance | acl-number ] [ match-order { auto | config } ]

     An advanced ACL with the specified name is created and the advanced ACL view is displayed.


     acl-number specifies the number of an advanced ACL. The value ranges from 3000 to 3999.

     match-order specifies the matching order of advanced ACL rules:

     – auto: indicates that ACL rules are matched based on the depth first principle.
     – config: indicates that ACL rules are matched based on the sequence in which they were configured.

  3. (Optional) Run:

     description text

     The description of the advanced ACL is configured.

     The description of an ACL describes the function or usage of the ACL. It is used to differentiate ACLs.

     By default, no description is configured for an ACL.

----End

Follow-up Procedure

Configure rules in the advanced ACL.

10.4.4 Configuring an Advanced ACL Rule

An advanced ACL is composed of a list of rules. The ACL classifies packets by matching packet information with the ACL rules.

Prerequisites

An advanced ACL has been created and the advanced ACL view is displayed.

Before creating a new rule, run the display acl { acl-number | name acl-name } command to view all the configured ACL rules to prevent the new rule from overriding existing rules.

Context

An advanced ACL classifies packets by matching packet information with its rules. After an advanced ACL is created, configure rules in the advanced ACL.

Procedure

Step 1 (Optional) Run:

  step step-value

The step value between ACL rule IDs is set.

By default, the step value is 5.

Step 2 Configure an advanced ACL rule based on the IP protocol version or the type of the protocol over IP.

- When IPv4 is used, run:

  rule { deny | permit } ip [ destination { destination-address destination-wildcard | any } | source { source-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | [ fragment | none-first-fragment ] ] *

- Configure an advanced ACL rule based on the protocol over IP.

  – When the Internet Control Message Protocol (ICMP) is used, run:

    rule { deny | permit } { protocol-number | icmp } [ destination { destination-address destination-wildcard | any } | icmp-type { icmp-name | icmp-type icmp-code } | source { source-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | [ fragment | none-first-fragment ] ] *

  – When the Transmission Control Protocol (TCP) is used, run:

    rule { deny | permit } { protocol-number | tcp } [ destination { destination-address destination-wildcard | any } | destination-port { eq | gt | lt | range } port | source { source-address source-wildcard | any } | source-port { eq | gt | lt | range } port | tcp-flag { ack | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | [ fragment | none-first-fragment ] ] *

  – When the User Datagram Protocol (UDP) is used, run:

    rule { deny | permit } { protocol-number | udp } [ destination { destination-address destination-wildcard | any } | destination-port { eq | gt | lt | range } port | source { source-address source-wildcard | any } | source-port { eq | gt | lt | range } port | time-range time-name | vpn-instance vpn-instance-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | [ fragment | none-first-fragment ] ] *

  – When the Generic Routing Encapsulation (GRE), Internet Group Management Protocol (IGMP), IPinIP, or Open Shortest Path First (OSPF) protocol is used, run:

    rule { deny | permit } { protocol-number | gre | igmp | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | source { source-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | [ fragment | none-first-fragment ] ] *

To configure multiple rules, repeat this step.

NOTE

If the rule ID is not specified, the step value is used as the start rule ID.

If different rules are ANDed or ORed, configure a correct matching order to prevent incorrect configurations.

Step 3 (Optional) Run:

  rule rule-id description text

The description of the advanced ACL rule is configured.

The description of an ACL rule describes the function or usage of the ACL rule. It is used to differentiate ACL rules.

----End

Follow-up Procedure

After an advanced ACL rule is configured, perform the following operations as required:

- Run the step command to change the step value.


- Run the rule command with rule-id specified to add a new rule between existing rules when the configuration order is used.
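An advanced rule carries far more match fields than a basic one, and the port operators (eq, gt, lt, range) and tcp-flag keywords are where review mistakes tend to hide. The following Python parser and matcher are an added example, not code from this guide or from Huawei; they read rules written in the ip, tcp, udp, icmp and protocol-number forms of the rule command shown in Step 2 (without the vpn-instance, dscp/tos/precedence, fragment and icmp-type options) and evaluate constructed packets against them in configuration order. The sample rules, the packets, and the reading of tcp-flag as "every listed flag must be set" are assumptions of this example.

```python
import ipaddress

PROTOCOL_NUMBERS = {"icmp": 1, "igmp": 2, "ipinip": 4, "tcp": 6, "udp": 17, "gre": 47, "ospf": 89}
TCP_FLAGS = {"ack", "fin", "psh", "rst", "syn", "urg"}


def _ip(text):
    """IPv4 address or wildcard as an int; the CLI writes an all-zero wildcard as a plain 0."""
    return int(ipaddress.IPv4Address("0.0.0.0" if text == "0" else text))


def wildcard_match(addr, base, wildcard):
    keep = ~_ip(wildcard) & 0xFFFFFFFF        # 0 bits in the wildcard must match
    return _ip(addr) & keep == _ip(base) & keep


def parse_rule(text):
    """Parse one advanced-ACL rule command (subset named in the lead-in) into a dict."""
    tok = text.split()
    if tok.pop(0) != "rule":
        raise ValueError("not a rule command")
    rule = {"id": None, "src": None, "dst": None, "sport": None, "dport": None,
            "tcp_flags": set(), "time_range": None}
    if tok[0].isdigit():
        rule["id"] = int(tok.pop(0))
    rule["action"] = tok.pop(0)
    if rule["action"] not in ("permit", "deny"):
        raise ValueError(rule["action"])
    proto = tok.pop(0)
    if proto == "ip":
        rule["proto"] = None                      # any IP protocol
    elif proto.isdigit():
        rule["proto"] = int(proto)                # protocol-number form
    else:
        rule["proto"] = PROTOCOL_NUMBERS[proto]
    while tok:
        kw = tok.pop(0)
        if kw in ("source", "destination"):
            key = "src" if kw == "source" else "dst"
            base = tok.pop(0)
            rule[key] = None if base == "any" else (base, tok.pop(0))
        elif kw in ("source-port", "destination-port"):
            key = "sport" if kw == "source-port" else "dport"
            op, low = tok.pop(0), int(tok.pop(0))
            high = int(tok.pop(0)) if op == "range" else low
            rule[key] = (op, low, high)
        elif kw == "tcp-flag":
            while tok and tok[0] in TCP_FLAGS:
                rule["tcp_flags"].add(tok.pop(0))
        elif kw == "time-range":
            rule["time_range"] = tok.pop(0)
        else:
            raise ValueError(f"keyword not covered by this model: {kw}")
    return rule


def port_match(spec, port):
    op, low, high = spec
    return {"eq": port == low, "gt": port > low, "lt": port < low,
            "range": low <= port <= high}[op]


def rule_matches(rule, pkt, active_ranges=frozenset()):
    """pkt: dict with proto (IP protocol number), src, dst; sport/dport for TCP and UDP;
    flags (set of flag names that are set) for TCP."""
    if rule["time_range"] is not None and rule["time_range"] not in active_ranges:
        return False
    if rule["proto"] is not None and pkt["proto"] != rule["proto"]:
        return False
    for key in ("src", "dst"):
        if rule[key] is not None and not wildcard_match(pkt[key], *rule[key]):
            return False
    for key in ("sport", "dport"):
        if rule[key] is not None and not port_match(rule[key], pkt.get(key, -1)):
            return False
    # tcp-flag is modelled as "every listed flag must be set in the packet" (an assumption).
    if rule["tcp_flags"] and not rule["tcp_flags"] <= pkt.get("flags", set()):
        return False
    return True


def first_match(rules, pkt, active_ranges=frozenset()):
    """Configuration-order evaluation: rules are tried in rule-ID order.
    Returns (rule_id, action) or None when no rule matches."""
    for rule in sorted(rules, key=lambda r: r["id"]):
        if rule_matches(rule, pkt, active_ranges):
            return rule["id"], rule["action"]
    return None


# Constructed sample policy (not from the guide): SSH from one subnet to one server with a SYN
# check, UDP traceroute probes, ICMP to the server except during a named time range, deny the rest.
SAMPLE_RULES = [parse_rule(line) for line in (
    "rule 5 permit tcp source 10.1.1.0 0.0.0.255 destination 10.2.2.10 0 destination-port eq 22 tcp-flag syn",
    "rule 7 deny icmp destination 10.2.2.10 0 time-range off-hours",
    "rule 10 permit udp destination any destination-port range 33434 33534",
    "rule 12 permit icmp destination 10.2.2.10 0",
    "rule 15 deny ip source any destination any",
)]
```

Feeding a few constructed packets through first_match shows the order-dependent behaviour the NOTE in Step 2 warns about: the ICMP packet hits rule 7 or rule 12 depending only on whether the off-hours time range is active, and a TCP segment to port 22 without the SYN flag falls through rule 5 to the final deny.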

10.4.5 Applying an Advanced ACL

An advanced ACL can be applied to some services and functions to classify packets.

Prerequisites

An advanced ACL has been created and rules have been configured in the advanced ACL.

Context

An advanced ACL can be applied to the following services and functions:

- Traffic classifier
- Blacklist for local attack defense
- IP multicast
- IPSec
- Firewall
- NAT
- Packet filtering on an interface

Procedure

- Apply an advanced ACL to a traffic classifier.

  To provide differentiated services based on packet information, configure traffic classifiers. Advanced ACLs can be referenced by traffic classifiers to define rules for classifying traffic. For details, see Configuring a Traffic Classifier.

- Apply an advanced ACL to add specified users to the blacklist for local attack defense.

  A blacklist is a set of unauthorized users. The AR200-S uses advanced ACLs to add users with a specific characteristic to a blacklist and discards the packets from the users in the blacklist. For details, see 9.4.3 (Optional) Configuring a Blacklist.

- Apply an advanced ACL to IP multicast.

  Certain functions of the Internet Group Management Protocol (IGMP), Protocol Independent Multicast-Dense Mode (PIM-DM), and Protocol Independent Multicast-Sparse Mode (PIM-SM) need to reference advanced ACLs. For details, see Configuration Guide - Multicast.

- Apply an advanced ACL to IPSec.

  The IP Security (IPSec) protocol family is a series of protocols defined by the Internet Engineering Task Force (IETF). This protocol family provides high quality, interoperable, and cryptology-based security for IP packets. IPSec peers can use various security protection measures (authentication, encryption, or both) on different data flows. The AR200-S can use advanced ACLs to define data flows. For details, see IPSec Configuration.

- Apply an advanced ACL to a firewall.

  The attack defense system protects an internal network against attacks from external networks. Generally, firewalls are deployed between the internal and external networks to defend against attacks. A packet filtering firewall filters packets by using an ACL. The AR200-S uses an advanced ACL to configure the packet filtering firewall. For details, see 3.4 Configuring the Packet Filtering Firewall.

- Apply an advanced ACL to NAT.

  Network Address Translation (NAT) enables hosts on a private network to access the public network. A NAT address pool is a set of public IP addresses. When a packet from a private network reaches the public network by using address translation, one IP address in the NAT address pool is selected as the source address after translation. The AR200-S uses an advanced ACL to classify IP addresses in the NAT address pool so that source addresses of data packets matching the advanced ACL are translated. For details, see Associating an ACL with an Address Pool.

- Apply an advanced ACL to an interface to filter packets on the interface.

  The AR200-S can filter packets on an interface using an ACL.

  – If the action in an ACL rule is deny, the AR200-S discards all packets matching the rule.
  – If the action in an ACL rule is permit, the AR200-S forwards all packets matching the rule.

  Perform the following steps to apply an ACL to an interface:

  1. Run:

     system-view

     The system view is displayed.

  2. Run:

     interface interface-type interface-number

     The interface view is displayed.

  3. Run:

     traffic-filter { inbound | outbound } acl { acl-number | name acl-name }

     An ACL is configured to filter packets.

----End

10.4.6 Checking the Configuration

After an advanced ACL is configured, you can view information about the advanced ACL and time range.

Prerequisites

The advanced ACL configurations are complete.

Procedure

- Run the display acl acl-number command to view the advanced ACL with the specified number.

- Run the display acl name acl-name command to view the advanced ACL with the specified name.


- Run the display time-range { all | time-name } command to view information about the time range.

----End

Example

# Run the display acl acl-number command to view the advanced ACL number, the number of rules, the step value, and the content of the rules.

  <Huawei> display acl 3000
  Advanced ACL 3000, 1 rule
  Acl's step is 5
   rule 5 deny ip source 10.1.1.1 0

# Run the display acl name acl-name command to view the advanced ACL name and number, the number of rules, the step value, and the content of the rules.

  <Huawei> display acl name qos1
  Advanced ACL qos1 3999, 1 rule
  Acl's step is 5
   rule 5 permit tcp

# Run the display time-range all command to view the configuration and status of the current time range.

  <Huawei> display time-range all
  Current time is 09:13:37 12-27-2010 Thursday
  Time-range : test1 ( Inactive )
   13:00 to 18:00 working-day
   13:00 to 18:00 off-day

10.5 Configuring a Layer 2 ACL

A Layer 2 ACL classifies Layer 2 packets with the Ethernet protocol type of Ethernet_II based on information such as the source and destination MAC addresses, and Layer 2 protocol type.

10.5.1 Establishing the Configuration Task

Before configuring a Layer 2 ACL, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

Layer 2 ACLs can be applied to multiple services, for example, traffic classifiers. The AR200-S processes different types of packets based on Layer 2 ACL rules.

Layer 2 ACLs are applied to Layer 2 packets with the Ethernet protocol type of Ethernet_II. Layer 2 ACLs classify Layer 2 packets based on information such as source and destination MAC addresses, Layer 2 protocol types, VLAN IDs or 802.1p priorities, and time ranges in the packets.


Pre-configuration TasksBefore configuring a Layer 2 ACL, complete the following task:

l Connecting interfaces and setting physical parameters for the interfaces to ensure that thephysical status of the interfaces is Up

Data Preparation

To configure a Layer 2 ACL, you need the following data.

No. Data

1 (Optional) Name of a time range during which ACL rules take effect

2 Number or name of a Layer 2 ACL

3 Source MAC address, destination MAC address, Layer 2 protocol type, and VLAN ID or 802.1p priority

4 (Optional) Description of a Layer 2 ACL

5 (Optional) Description of a Layer 2 ACL rule

6 (Optional) Step value between Layer 2 ACL rule IDs

10.5.2 (Optional) Creating a Time Range for a Layer 2 ACL

To make a Layer 2 ACL take effect during a specified period of time, create a time range and reference the time range in the Layer 2 ACL. If no time range is specified for the ACL, the ACL remains effective until it is deleted or the rules of the ACL are deleted.

Context

Some services or functions that reference Layer 2 ACLs need to be started during a specified period of time, for example, QoS needs to be started during peak hours. You can create a time range and reference the time range in a Layer 2 ACL so that the Layer 2 ACL takes effect in the time range. The service or function that references the Layer 2 ACL is also started in the specified time range.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }

A time range is created.

To configure multiple time ranges with the same name on the AR200-S, run the preceding command with the same value of time-name multiple times.


NOTE

You can configure the same name for multiple time ranges to describe a special period. Assume that the same name test is configured for the following time ranges:

l Time range 1: 2010-01-01 00:00 to 2010-12-31 23:59 (absolute time range)

l Time range 2: 8:00 to 18:00 from Monday to Friday (periodic time range)

l Time range 3: 14:00 to 18:00 on Saturday and Sunday (periodic time range)

The time range test is then active from 8:00 to 18:00 on Monday to Friday and from 14:00 to 18:00 on Saturday and Sunday, but only during 2010: the periodic time ranges are ORed with each other, and the absolute time range bounds them, so the time range is active only when the current time falls inside the absolute range and inside one of the periodic ranges.

----End

Follow-up Procedure

Reference the time range in a Layer 2 ACL rule.

10.5.3 Creating a Layer 2 ACL

Before using a Layer 2 ACL, ensure that the Layer 2 ACL has been created. You can create a named or numbered Layer 2 ACL.

Prerequisites

The display acl all command has been executed to view all the configured ACLs. This prevents duplicate Layer 2 ACLs from being configured.

Procedure

l Creating a numbered Layer 2 ACL

1. Run:
system-view

The system view is displayed.

2. Run:

acl [ number ] acl-number [ match-order { auto | config } ]

A Layer 2 ACL with the specified number is created and the Layer 2 ACL view is displayed.

acl-number specifies the number of a Layer 2 ACL. The value ranges from 4000 to 4999.

match-order specifies the matching order of Layer 2 ACL rules:

– auto: indicates that ACL rules are matched based on the depth first principle.

– config: indicates that ACL rules are matched based on the sequence in which they were configured.

3. (Optional) Run:

description text

The description of the Layer 2 ACL is configured.

The description of an ACL describes the function or usage of the ACL. It is used to differentiate ACLs.

By default, no description is configured for an ACL.


l Creating a named Layer 2 ACL

1. Run:
system-view

The system view is displayed.

2. Run:

acl name acl-name { link | acl-number } [ match-order { auto | config } ]

A Layer 2 ACL with the specified name is created and the Layer 2 ACL view is displayed.

acl-number specifies the number of a Layer 2 ACL. The value ranges from 4000 to 4999.

match-order specifies the matching order of Layer 2 ACL rules:

– auto: indicates that ACL rules are matched based on the depth first principle.

– config: indicates that ACL rules are matched based on the sequence in which they were configured.

3. (Optional) Run:

description text

The description of the Layer 2 ACL is configured.

The description of an ACL describes the function or usage of the ACL. It is used to differentiate ACLs.

By default, no description is configured for an ACL.

----End

Follow-up Procedure

Configure rules in the Layer 2 ACL.

10.5.4 Configuring a Layer 2 ACL Rule

A Layer 2 ACL is composed of a list of rules. The ACL classifies packets by matching packet information with the ACL rules.

Prerequisites

A Layer 2 ACL has been created and the Layer 2 ACL view is displayed.

Before creating a new rule, run the display acl { acl-number | name acl-name } command to view all the configured ACL rules to prevent the new rule from overriding existing rules.

Context

A Layer 2 ACL classifies packets by matching packet information with the ACL rules. After a Layer 2 ACL is created, configure rules in the Layer 2 ACL.

Procedure

Step 1 (Optional) Run:
step step-value

The step value between ACL rule IDs is set.

By default, the step value is 5.

Step 2 Run:
rule { permit | deny } [ l2-protocol type-value [ type-mask ] | destination-mac dest-mac-address [ dest-mac-mask ] | source-mac source-mac-address [ source-mac-mask ] | vlan-id vlan-id [ vlan-id-mask ] | 8021p 802.1p-value | [ time-range time-range-name ] ] *

A Layer 2 ACL rule is configured.

To configure multiple rules, repeat this step.

NOTE

If no rule ID is specified, the system assigns one automatically: the first rule gets the step value as its ID and each subsequent rule gets the next multiple of the step (5, 10, 15, and so on with the default step).

Rules are checked in the configured matching order and the first matching rule decides. When the conditions of different rules overlap, so that a packet can match more than one rule, choose the matching order (or assign explicit rule IDs) so that the intended rule is matched first; otherwise the ACL will not behave as configured.

Step 3 (Optional) Run:
rule rule-id description text

The description of the Layer 2 ACL rule is configured.

The description of an ACL rule describes the function or usage of the ACL rule. It is used to differentiate ACL rules.

----End

Follow-up Procedure

After a Layer 2 ACL rule is configured, perform the following operations as required:

l Run the step command to change the step value.

l Run the rule command with rule-id specified to add a new rule between existing rules when the configuration order is used.
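As an added illustration of the rule semantics above (example code written for this edit, not AR200-S code), the following Python model applies Layer 2 ACL rules to Ethernet frames. It assumes, from the command syntax and the display output on this page, that a MAC, VLAN or protocol-type mask bit of 1 means the bit must match (the opposite of the IPv4 wildcard convention), that the default masks are ffff-ffff-ffff, 0xFFF and 0xFFFF, and that with match-order config the rules are tried in ascending rule-ID order with the first match deciding. The frames, the OUI-style mask and the explicit rule IDs are constructed for the example.

```python
"""Added example (not AR200-S code): a Python model of Layer 2 ACL rule
matching as described in 10.5.4. Assumed conventions: a MAC, VLAN or
protocol-type mask bit of 1 means "must match" (unlike an IPv4 wildcard);
default masks are ffff-ffff-ffff, 0xFFF and 0xFFFF; with match-order config
the rules are tried in ascending rule-ID order and the first match wins."""


def mac_int(mac):
    """'00e0-fc01-0304' -> 0x00e0fc010304."""
    return int(mac.replace("-", ""), 16)


# Names accepted for l2-protocol on the page ("ip"), mapped to EtherType values.
L2_PROTOCOLS = {"ip": 0x0800, "arp": 0x0806}


class L2Rule:
    def __init__(self, action, source_mac=None, destination_mac=None,
                 l2_protocol=None, vlan_id=None):
        # Each condition is stored as (value, mask); None means "not checked".
        self.action = action
        self.source_mac = self._mac(source_mac)
        self.destination_mac = self._mac(destination_mac)
        self.l2_protocol = self._proto(l2_protocol)
        self.vlan_id = self._vlan(vlan_id)

    @staticmethod
    def _mac(cond):
        if cond is None:
            return None
        addr, mask = (cond, "ffff-ffff-ffff") if isinstance(cond, str) else cond
        return mac_int(addr), mac_int(mask)

    @staticmethod
    def _proto(cond):
        if cond is None:
            return None
        value, mask = cond if isinstance(cond, tuple) else (cond, 0xFFFF)
        return L2_PROTOCOLS.get(value, value), mask

    @staticmethod
    def _vlan(cond):
        if cond is None:
            return None
        return (cond, 0xFFF) if isinstance(cond, int) else cond

    def matches(self, frame):
        """frame: dict with 'src', 'dst' (MAC strings), 'type' (int), 'vlan' (int)."""
        checks = [(self.source_mac, mac_int(frame["src"])),
                  (self.destination_mac, mac_int(frame["dst"])),
                  (self.l2_protocol, frame["type"]),
                  (self.vlan_id, frame["vlan"])]
        return all(cond is None or (field & cond[1]) == (cond[0] & cond[1])
                   for cond, field in checks)


class L2Acl:
    """Numbered 4000-4999; automatic rule IDs are multiples of the step."""

    def __init__(self, number=4999, step=5):
        self.number, self.step, self.rules = number, step, {}

    def rule(self, r, rule_id=None):
        if rule_id is None:                      # next free multiple of the step
            rule_id = self.step * (len(self.rules) + 1)
            while rule_id in self.rules:
                rule_id += self.step
        self.rules[rule_id] = r                  # an existing ID is overwritten,
        return rule_id                           # which is what the warning in 10.5.4 is about

    def lookup(self, frame):
        for rule_id in sorted(self.rules):       # config order: ascending rule ID
            if self.rules[rule_id].matches(frame):
                return self.rules[rule_id].action, rule_id
        return None, None                        # no rule matched; the caller decides


def frame(src, dst="ffff-ffff-ffff", eth_type=0x0800, vlan=20):
    """Constructed test frame; defaults are a broadcast IP frame in VLAN 20."""
    return {"src": src, "dst": dst, "type": eth_type, "vlan": vlan}


def demo_acl():
    """Rule 5: the exact match from example 10.6.3. Rule 10: deny every source
    MAC whose first three bytes are 00e0-fc (mask ffff-ff00-0000). Rule 7,
    inserted with an explicit ID, re-permits one host's IP frames and is tried
    before rule 10."""
    acl = L2Acl()
    acl.rule(L2Rule("permit", source_mac="0000-0000-0003"))
    acl.rule(L2Rule("deny", source_mac=("00e0-fc00-0000", "ffff-ff00-0000")))
    acl.rule(L2Rule("permit", source_mac="00e0-fc01-0304", l2_protocol="ip"), rule_id=7)
    return acl
```

The demo shows both follow-up operations listed above: a rule inserted with an explicit ID (rule 7) is evaluated between rules 5 and 10, and re-using an existing ID overwrites that rule instead of adding one, which is why the display acl check before configuring a rule matters.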

10.5.5 Applying a Layer 2 ACL

A Layer 2 ACL can be applied to some services and functions to classify packets.

Prerequisites

A Layer 2 ACL has been created and rules have been configured in the Layer 2 ACL.

Context

A Layer 2 ACL can be applied to the following services and functions:

l Traffic classifier

l Blacklist for the local attack defense feature

l Packet filtering on an interface

Procedure

l Apply a Layer 2 ACL to a traffic classifier.


To provide differentiated services based on packet information, configure traffic classifiers. Layer 2 ACLs can be referenced by traffic classifiers to define rules for classifying traffic. For details, see Configuring a Traffic Classifier.

l Apply a Layer 2 ACL to add users to the blacklist for local attack defense.

A blacklist is a set of unauthorized users. The AR200-S uses Layer 2 ACLs to add users with a specific characteristic to a blacklist and discards the packets from the users in the blacklist. For details, see 9.4.3 (Optional) Configuring a Blacklist.

l Apply a Layer 2 ACL to an interface to filter packets on the interface.

The AR200-S can filter packets on an interface using an ACL.

– If the action in an ACL rule is deny, the AR200-S discards all packets matching the rule.

– If the action in an ACL rule is permit, the AR200-S forwards all packets matching the rule.

Perform the following steps to apply a Layer 2 ACL to an interface:

1. Run:
system-view

The system view is displayed.

2. Run:
interface interface-type interface-number

The interface view is displayed.

3. Run:
traffic-filter { inbound | outbound } acl { acl-number | name acl-name }

A Layer 2 ACL is applied to the interface.

----End

10.5.6 Checking the Configuration

After a Layer 2 ACL is configured, you can view information about the Layer 2 ACL and time range.

Prerequisites

The Layer 2 ACL configurations are complete.

Procedure

l Run the display acl acl-number command to view the Layer 2 ACL with the specified number.

l Run the display acl name acl-name command to view the Layer 2 ACL with the specified name.

l Run the display time-range { all | time-name } command to view information about the time range.

----End


Example

# Run the display acl acl-number command to view the Layer 2 ACL number, the number of rules, the step value, and the content of the rules.

<Huawei> display acl 4001
L2 ACL 4001, 1 rule
Acl's step is 5
 rule 5 permit l2-protocol ip destination-mac 0000-0000-0001 source-mac 0000-0000-0002

# Run the display acl name acl-name command to view the Layer 2 ACL name and number, the number of rules, the step value, and the content of the rules.

<Huawei> display acl name test
L2 ACL test 4999, 1 rule
Acl's step is 5
 rule 5 deny destination-mac 00e0-fc01-0304

# Run the display time-range command to view the configuration and status of the current time range.

<Huawei> display time-range all
Current time is 09:13:37 12-27-2010 Thursday

Time-range : test1 ( Inactive )
 13:00 to 18:00 working-day
 13:00 to 18:00 off-day

10.6 Configuration Examples

This section provides several configuration examples of ACLs.

10.6.1 Example for Configuring a Basic ACL to Limit Access to the FTP Server

In this example, a basic ACL is used to limit access to the FTP server.

Networking Requirements

As shown in Figure 10-1, the Router functions as an FTP server (172.16.104.110/24). The requirements are as follows:

l All the users on subnet 1 (172.16.105.0/23) are allowed to access the FTP server at any time.

l All the users on subnet 2 (172.16.107.0/23) are allowed to access the FTP server only at the specified period of time.

l Other users are not allowed to access the FTP server.

The routes between the Router and subnets are reachable. You need to configure the Router to limit user access.


Figure 10-1 Configuring a basic ACL to limit user access to the FTP server (figure: the Router, acting as the FTP server 172.16.104.110, is reached over the network by PC A 172.16.105.111, PC B 172.16.107.111 and PC C 10.10.10.1)

Configuration Roadmap

The configuration roadmap is as follows:

l Create a basic ACL on the Router and configure rules in the basic ACL to classify users.

l Configure basic FTP functions on the Router.

l Apply the basic ACL to the FTP service on the Router to limit user access.

Data Preparation

To complete the configuration, you need the following data:

l Number of a basic ACL: 2001

l Name of a time range during which users in subnet 2 access the FTP server: ftp-access

l Time range: 14:00-18:00 on Saturday and Sunday from 2009 to 2011

Procedure

Step 1 Configure a time range.

<Huawei> system-view
[Huawei] sysname Router
[Router] time-range ftp-access from 0:0 2009/1/1 to 23:59 2011/12/31
[Router] time-range ftp-access 14:00 to 18:00 off-day

Step 2 Configure a basic ACL.

[Router] acl number 2001
[Router-acl-basic-2001] rule permit source 172.16.105.0 0.0.1.255
[Router-acl-basic-2001] rule permit source 172.16.107.0 0.0.1.255 time-range ftp-access
[Router-acl-basic-2001] quit

Step 3 Configure basic FTP functions. The configuration details are not mentioned here.

Step 4 Configure access permissions on the FTP server.

[Router] ftp acl 2001

With this ACL applied, only clients that match a permit rule of ACL 2001 are accepted; a client that matches no rule is refused, as Step 5 shows for PC C.

Step 5 Verify the configuration.

Run the ftp 172.16.104.110 command on PC A (172.16.105.111/24) in subnet 1. PC A can connect to the FTP server.


Run the ftp 172.16.104.110 command on PC B (172.16.107.111/24) in subnet 2 on a Monday in 2010. PC B cannot connect to the FTP server.

Run the ftp 172.16.104.110 command on PC B (172.16.107.111/24) in subnet 2 at 15:00 on a Saturday in 2010. PC B can connect to the FTP server.

Run the ftp 172.16.104.110 command on PC C (10.10.10.1/24). PC C cannot connect to the FTP server.

----End

Configuration Files

# Configuration file of the Router

#
 sysname Router
#
 ftp server enable
 ftp acl 2001
#
time-range ftp-access from 0:0 2009/1/1 to 23:59 2011/12/31
time-range ftp-access 14:00 to 18:00 off-day
#
acl number 2001
 rule 5 permit source 172.16.104.0 0.0.1.255
 rule 10 permit source 172.16.106.0 0.0.1.255 time-range ftp-access
#
return

The rules are stored as 172.16.104.0 and 172.16.106.0 rather than the addresses typed in Step 2: the Router clears the address bits covered by the wildcard 0.0.1.255, so each rule matches a /23 (172.16.104.0 to 172.16.105.255 and 172.16.106.0 to 172.16.107.255). Check the stored form with display acl 2001 when a rule does not match the hosts you expect.

10.6.2 Example for Using Advanced ACLs to Configure the Firewall Function

In this example, advanced ACLs are used to configure the packet filtering firewall between the internal network and the external network.

Networking Requirements

As shown in Figure 10-2, an enterprise that provides Web, FTP, and Telnet services accesses an external network through Ethernet0/0/8 of the Router and joins a VLAN through Ethernet0/0/0 of the Router.

The enterprise is located on the network segment 202.169.10.0 and the IP addresses of the Web server, FTP server, and Telnet server of the enterprise are 202.169.10.5/24, 202.169.10.6/24, and 202.169.10.7/24.

To ensure security, the enterprise requires the Router to be configured with the firewall function. By doing this, only specified users are allowed to access internal servers of the enterprise and only internal servers of the enterprise are allowed to access the external network.


Figure 10-2 Using advanced ACLs to configure the firewall function (figure: the internal network with the WWW server 202.169.10.5, the FTP server 202.169.10.6 and the Telnet server 202.169.10.7 connects to Eth0/0/0 of the Router; Eth0/0/8 of the Router connects to the Internet, where the permitted user 202.39.2.3 is located)

Configuration Roadmap

The configuration roadmap is as follows:

l Configure zones on the internal and external networks.

l Configure an interzone and enable the firewall function in the interzone.

l Configure advanced ACLs to classify external users and internal servers.

l Configure ACL-based packet filtering in the interzone.

Data Preparation

To complete the configuration, you need the following data:

l Name of the zone on the internal network: company

l Priority of the zone company: 12

l Name of the zone on the external network: external

l Priority of the zone external: 5

l VLAN that the enterprise joins: VLAN 100

l IP address of VLANIF 100: 202.169.10.1/24

l IP address of Ethernet0/0/8: 129.39.10.8/24

l IP address of the user that can access internal servers: 202.39.2.3/24

l Number of the advanced ACL that classifies specified users: ACL 3001

l Number of the advanced ACL that classifies internal servers: ACL 3002

Procedure

Step 1 Configure zones.

# Configure a zone on the internal network.

<Huawei> system-view
[Huawei] sysname Router
[Router] firewall zone company


[Router-zone-company] priority 12
[Router-zone-company] quit

# Add VLANIF 100 to the zone company.

[Router] interface vlanif 100
[Router-Vlanif100] zone company
[Router-Vlanif100] quit

# Configure a zone on the external network.

[Router] firewall zone external
[Router-zone-external] priority 5
[Router-zone-external] quit

# Add Ethernet0/0/8 to the zone external.

[Router] interface ethernet 0/0/8
[Router-Ethernet0/0/8] zone external
[Router-Ethernet0/0/8] quit

Step 2 Configure an interzone.

[Router] firewall interzone company external
[Router-interzone-company-external] firewall enable
[Router-interzone-company-external] quit

Step 3 Configure ACL 3001.

# Create ACL 3001.

[Router] acl 3001

# Configure rules in ACL 3001 to allow the specified user to access the internal servers. These rules permit TCP to any port on the three servers; to restrict the user to the Web, FTP, and Telnet services themselves, add a destination-port condition to each rule.

[Router-acl-adv-3001] rule permit tcp source 202.39.2.3 0.0.0.0 destination 202.169.10.5 0.0.0.0
[Router-acl-adv-3001] rule permit tcp source 202.39.2.3 0.0.0.0 destination 202.169.10.6 0.0.0.0
[Router-acl-adv-3001] rule permit tcp source 202.39.2.3 0.0.0.0 destination 202.169.10.7 0.0.0.0

# Configure a rule in ACL 3001 to prevent other users from accessing any host of the enterprise.

[Router-acl-adv-3001] rule deny ip
[Router-acl-adv-3001] quit

Step 4 Configure ACL 3002.

# Create ACL 3002.

[Router] acl 3002

# Configure a rule in ACL 3002 to allow internal servers to access the external network.

[Router-acl-adv-3002] rule permit ip source 202.169.10.5 0.0.0.0
[Router-acl-adv-3002] rule permit ip source 202.169.10.6 0.0.0.0
[Router-acl-adv-3002] rule permit ip source 202.169.10.7 0.0.0.0

# Configure a rule in ACL 3002 to prevent other users of the enterprise from accessing the external network.

[Router-acl-adv-3002] rule deny ip
[Router-acl-adv-3002] quit

Step 5 Configure ACL-based packet filtering in the interzone.

Because the zone company (priority 12) has the higher priority, traffic from external to company is the inbound direction of this interzone and is filtered by ACL 3001; traffic from company to external is the outbound direction and is filtered by ACL 3002.

[Router] firewall interzone company external
[Router-interzone-company-external] packet-filter 3001 inbound


[Router-interzone-company-external] packet-filter 3002 outbound
[Router-interzone-company-external] quit

Step 6 Verify the configuration.

After the configuration is complete, only the host at 202.39.2.3 can access the internal servers and only the internal servers can access the external network.

Run the display firewall interzone [ zone-name1 zone-name2 ] command on the Router, and the result is as follows:

[Router] display firewall interzone company external
interzone company external
 firewall enable
 packet-filter default deny inbound
 packet-filter default permit outbound
 packet-filter 3001 inbound
 packet-filter 3002 outbound

----End

Configuration Files

# Configuration file of the Router

#
 sysname Router
#
vlan batch 100
#
acl number 3001
 rule 5 permit tcp source 202.39.2.3 0.0.0.0 destination 202.169.10.5 0.0.0.0
 rule 10 permit tcp source 202.39.2.3 0.0.0.0 destination 202.169.10.6 0.0.0.0
 rule 15 permit tcp source 202.39.2.3 0.0.0.0 destination 202.169.10.7 0.0.0.0
 rule 20 deny ip
#
acl number 3002
 rule 5 permit ip source 202.169.10.5 0.0.0.0
 rule 10 permit ip source 202.169.10.6 0.0.0.0
 rule 15 permit ip source 202.169.10.7 0.0.0.0
 rule 20 deny ip
#
interface Vlanif100
 ip address 202.169.10.1 255.255.255.0
 zone company
#
firewall zone company
 priority 12
#
firewall zone external
 priority 5
#
firewall interzone company external
 firewall enable
 packet-filter 3001 inbound
 packet-filter 3002 outbound
#
interface Ethernet0/0/0
 port link-type access
 port default vlan 100
#
interface Ethernet0/0/8
 ip address 129.39.10.8 255.255.255.0
 zone external
#
return
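The following Python model, added here as an example and not taken from the AR200-S, replays the verification steps of examples 10.6.1 and 10.6.2 and the time-range note in 10.5.2. It assumes: wildcard bits set to 1 are ignored when matching; rules are tried in configuration order and the first match decides; a time range with both absolute and periodic entries is active only when an absolute entry and a periodic entry both cover the current time; a client that matches no rule of the ACL applied with ftp acl is refused (as Step 5 of 10.6.1 shows for PC C); and the interzone defaults are those shown by display firewall interzone (deny inbound, permit outbound). Addresses, times and zone names come from the two examples; the exact timestamps and the UDP test packet are constructed.

```python
"""Added example (not AR200-S code): a Python model of IPv4 ACL matching with
time ranges, replaying examples 10.6.1 and 10.6.2. Assumed semantics: wildcard
bit 1 = ignore; configuration-order first match; a time range with absolute and
periodic entries is active only when both kinds cover the current time; an FTP
client matching no rule is refused; interzone defaults deny inbound / permit outbound."""
import ipaddress
from datetime import datetime

DAYS = {"working-day": {0, 1, 2, 3, 4}, "off-day": {5, 6}, "daily": set(range(7))}

def hhmm(text):
    hours, minutes = text.split(":")
    return int(hours) * 60 + int(minutes)

class TimeRange:
    def __init__(self):
        self.periodic, self.absolute = [], []

    def add_periodic(self, start, end, days):           # e.g. "14:00 to 18:00 off-day"
        self.periodic.append((hhmm(start), hhmm(end), DAYS[days]))

    def add_absolute(self, start, end):                 # e.g. "from 0:0 2009/1/1 to ..."
        self.absolute.append((start, end))

    def active(self, now):
        minute = now.hour * 60 + now.minute
        abs_ok = not self.absolute or any(a <= now <= b for a, b in self.absolute)
        per_ok = not self.periodic or any(
            s <= minute <= e and now.weekday() in days for s, e, days in self.periodic)
        return abs_ok and per_ok

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def wildcard_match(addr, base, wildcard):
    """Bits set in the wildcard are ignored; all other bits must be equal."""
    care = ~ip_int(wildcard)
    return (ip_int(addr) & care) == (ip_int(base) & care)

def normalize(base, wildcard):
    """What the router stores: wildcarded bits of the base are cleared, which is
    why 'source 172.16.105.0 0.0.1.255' is shown as 172.16.104.0 0.0.1.255."""
    return str(ipaddress.IPv4Address(ip_int(base) & ~ip_int(wildcard) & 0xFFFFFFFF))

ANY = ("0.0.0.0", "255.255.255.255")
def host(ip): return (ip, "0.0.0.0")                    # single host, wildcard 0

class Rule:
    def __init__(self, action, proto="ip", src=ANY, dst=ANY, time_range=None):
        self.action, self.proto, self.src, self.dst, self.time_range = action, proto, src, dst, time_range

    def matches(self, pkt, ranges, now):
        if self.time_range and not ranges[self.time_range].active(now):
            return False                                # rule is inactive right now
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        return wildcard_match(pkt["src"], *self.src) and wildcard_match(pkt["dst"], *self.dst)

class Acl:
    def __init__(self, number, step=5):
        self.number, self.step, self.rules = number, step, []

    def rule(self, r):
        self.rules.append((self.step * (len(self.rules) + 1), r))   # rule 5, 10, 15 ...
        return self

    def lookup(self, pkt, ranges=None, now=None):
        for rule_id, r in self.rules:
            if r.matches(pkt, ranges or {}, now):
                return r.action, rule_id
        return None, None                               # no rule matched

# Example 10.6.1: time range ftp-access and basic ACL 2001 applied with ftp acl.
RANGES = {"ftp-access": TimeRange()}
RANGES["ftp-access"].add_absolute(datetime(2009, 1, 1, 0, 0), datetime(2011, 12, 31, 23, 59))
RANGES["ftp-access"].add_periodic("14:00", "18:00", "off-day")
ACL_2001 = (Acl(2001)
            .rule(Rule("permit", src=("172.16.105.0", "0.0.1.255")))
            .rule(Rule("permit", src=("172.16.107.0", "0.0.1.255"), time_range="ftp-access")))

def ftp_allowed(client_ip, when):
    """when: ISO timestamp such as '2010-01-02 15:00' (a Saturday)."""
    pkt = {"src": client_ip, "dst": "172.16.104.110", "proto": "tcp"}
    action, _ = ACL_2001.lookup(pkt, RANGES, datetime.fromisoformat(when))
    return action == "permit"

# Example 10.6.2: ACL 3001 inbound and ACL 3002 outbound in interzone company-external.
ACL_3001, ACL_3002 = Acl(3001), Acl(3002)
for server in ("202.169.10.5", "202.169.10.6", "202.169.10.7"):
    ACL_3001.rule(Rule("permit", proto="tcp", src=host("202.39.2.3"), dst=host(server)))
    ACL_3002.rule(Rule("permit", src=host(server)))
ACL_3001.rule(Rule("deny"))
ACL_3002.rule(Rule("deny"))

def interzone_filter(pkt, direction):
    """inbound = external (priority 5) to company (priority 12); outbound is the reverse."""
    acl, default = (ACL_3001, "deny") if direction == "inbound" else (ACL_3002, "permit")
    action, _ = acl.lookup(pkt)
    return action or default
```

normalize() reproduces the addresses seen in the configuration file of 10.6.1 (172.16.104.0 and 172.16.106.0). interzone_filter() shows that ACL 3001 admits any TCP port from 202.39.2.3 but drops UDP from the same host, and that company-zone hosts other than the three servers hit rule 20 of ACL 3002 and cannot reach the external network.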

10.6.3 Example for Using a Layer 2 ACL to Configure Traffic Classification

A Layer 2 ACL is used to configure traffic classification to collect statistics on packets with the specified source MAC address.

Networking Requirements

As shown in Figure 10-3, the MAC address of PC1 is 0000-0000-0003 and PC1 is connected to Ethernet0/0/0 of the Router through the switch. The Router is required to collect statistics on packets with the source MAC address 0000-0000-0003.

Figure 10-3 Using a Layer 2 ACL to configure traffic classification (figure: PC1, MAC 0000-0000-0003, connects through the Switch in VLAN 20 to Ethernet0/0/0 of the Router, which connects to the Internet)

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure a Layer 2 ACL to match packets with the source MAC address 0000-0000-0003.

2. Configure traffic classification based on the Layer 2 ACL.

3. Configure a traffic behavior to collect statistics on the classified packets.

4. Configure a traffic policy and bind the traffic classifier and traffic behavior to the trafficpolicy.

Data Preparation

To complete the configuration, you need the following data:

l VLAN that the interface connecting the Router and the switch belongs to: VLAN 20

l Layer 2 ACL name: layer2

l Traffic classifier name: c1

l Traffic behavior name: b1

l Traffic policy name: p1


Procedure

Step 1 Create a VLAN and configure each interface.

# Create VLAN 20.

<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 20
[Router-vlan20] quit

# Configure Ethernet0/0/0 as a trunk interface and add Ethernet0/0/0 to VLAN 20.

[Router] interface ethernet 0/0/0
[Router-Ethernet0/0/0] port link-type trunk
[Router-Ethernet0/0/0] port trunk allow-pass vlan 20
[Router-Ethernet0/0/0] quit

NOTE

Configure the interface of the switch connecting to the Router as a trunk interface and add it to VLAN 20. The configuration details are not mentioned here.

Configure the interface of the switch connecting to PC1 as an access interface and add it to VLAN 20. The configuration details are not mentioned here.

Step 2 Configure an ACL.

# Create a Layer 2 ACL named layer2 on the Router to match packets with the source MAC address 0000-0000-0003.

[Router] acl name layer2 link
[Router-acl-L2-layer2] rule permit source-mac 0000-0000-0003 ffff-ffff-ffff
[Router-acl-L2-layer2] quit

Step 3 Configure a traffic classifier.

# Create a traffic classifier c1 on the Router to match ACL layer2.

[Router] traffic classifier c1
[Router-classifier-c1] if-match acl layer2
[Router-classifier-c1] quit

Step 4 Configure a traffic behavior.

# Create a traffic behavior b1 on the Router and configure the traffic statistics action in the traffic behavior.

[Router] traffic behavior b1
[Router-behavior-b1] statistic enable
[Router-behavior-b1] quit

Step 5 Configure a traffic policy and apply the traffic policy to an interface.

# Create a traffic policy p1 on the Router and bind the traffic policy to the traffic classifier and traffic behavior.

[Router] traffic policy p1
[Router-trafficpolicy-p1] classifier c1 behavior b1
[Router-trafficpolicy-p1] quit

# Apply the traffic policy p1 to Ethernet0/0/0.

[Router] interface ethernet 0/0/0
[Router-Ethernet0/0/0] traffic-policy p1 inbound
[Router-Ethernet0/0/0] quit
[Router] quit


Step 6 Verify the configuration.

# View the ACL configuration.

<Router> display acl name layer2
L2 ACL layer2 4999, 1 rule
Acl's step is 5
 rule 5 permit source-mac 0000-0000-0003

# View the traffic classifier configuration.

<Router> display traffic classifier user-defined
 User Defined Classifier Information:
  Classifier: c1
   Operator: OR
   Rule(s) : if-match acl name layer2

# View the traffic policy configuration.

<Router> display traffic policy user-defined p1
 User Defined Traffic Policy Information:
  Policy: p1
   Classifier: c1
   Operator: OR
    Behavior: b1
     statistic: enable

----End

Configuration Files

l Configuration file of the Router

#
 sysname Router
#
vlan batch 20
#
acl name layer2 4999
 rule 5 permit source-mac 0000-0000-0003
#
traffic classifier c1 operator or
 if-match acl layer2
#
traffic behavior b1
 statistic enable
#
traffic policy p1
 classifier c1 behavior b1
#
interface Ethernet0/0/0
 port link-type trunk
 port trunk allow-pass vlan 20
 traffic-policy p1 inbound
#
return


11 SSL Configuration

About This Chapter

The Secure Sockets Layer (SSL) protocol protects information privacy on the Internet.

11.1 SSL Overview

The Secure Sockets Layer (SSL) protocol uses data encryption, identity authentication, and message integrity check to ensure security of TCP-based application layer protocols.

11.2 SSL Features Supported by the AR200-S

The AR200-S supports server SSL policies and client SSL policies.

11.3 Configuring a Server SSL Policy

A server SSL policy defines parameters that an SSL server uses in SSL handshakes, including the PKI domain name, maximum number of sessions that can be saved, timeout period of a saved session, and cipher suite. Among these parameters, the PKI domain name is mandatory, and the others are optional.

11.4 Configuring a Client SSL Policy

A client SSL policy defines the parameters that an SSL client uses in SSL handshakes, including the PKI domain name, SSL protocol version, and cipher suite.

11.5 Configuration Examples

This section provides several SSL configuration examples.


11.1 SSL Overview

The Secure Sockets Layer (SSL) protocol uses data encryption, identity authentication, and message integrity check to ensure security of TCP-based application layer protocols.

Introduction to SSL

SSL is a cryptographic protocol that provides communication security over the Internet. It allows a client and a server to communicate in a way designed to prevent eavesdropping. The server must be authenticated by the client before they start to communicate, and the client can also be authenticated by the server. SSL is widely used in ecommerce and online banking. It has the following advantages:

l High security: SSL ensures secure data transmission by using data encryption, identity authentication, and message integrity check.

l Support for various application layer protocols: SSL was originally designed to secure World Wide Web traffic. SSL functions between the application layer and the transport layer, so it can provide security for any TCP-based application.

l Easy to deploy: SSL has become a world-wide communications standard used to authenticate websites and web users, and to encrypt data transmitted between browser users and web servers.

SSL improves device security using the following functions:

l Allows only authorized users to connect to servers.

l Encrypts data transmitted between a client and a server to secure data transmission and computes a digest to ensure data integrity.

l Defines an access control policy on a device based on certificate attributes to control access rights of clients. This access control policy prevents unauthorized users from attacking the device.

Terms

l Certificate Authority (CA)

A CA is an entity that issues, manages, and revokes digital certificates. A CA verifies the identity of a certificate applicant, signs the certificates it issues so that any tampering with them can be detected, and manages certificates and keys. A widely trusted CA is called a root CA. A root CA can authorize other CAs as subordinate CAs. The CA identities are described in a trusted-CA file.

In the certificate issuing process, CA1 functions as the root CA and issues a certificate for CA2, and CA2 issues a certificate for CA3. The process repeats until CAn issues the final server certificate.

In the certificate authentication process, the client verifies the chain in the opposite direction, starting from the server certificate. If CA3 issued the server certificate, the client uses the CA3 certificate to verify the server certificate, then uses the CA2 certificate to verify the CA3 certificate, and then uses the CA1 certificate to verify the CA2 certificate. The client considers the server certificate valid only when every certificate in the chain has been verified up to a CA it already trusts (here the root CA, CA1). Figure 11-1 shows the certificate issuing and authentication processes.


Figure 11-1 Certificate issuing and authentication (figure: certificates are issued down the chain from CA1 to CA2, on to CAn and finally to the server certificate; certificate verification walks the same chain in the opposite direction)

l Digital certificate

A digital certificate is an electronic document issued by a CA that binds a public key to a certificate subject (the applicant that obtained the certificate). A digital certificate contains the subject name, the public key, the validity period, and the digital signature of the CA that issued it. Digital certificates let two communicating parties verify each other's identities, improving communication reliability. To verify a signature or encrypt data for a sender, a user needs that sender's public key certificate, and to confirm that this certificate is genuine the user also needs the certificate of the CA that issued it.

l Certificate Revocation List (CRL)

A CRL is issued by a CA to list certificates that have been revoked.

Each certificate has a validity period, and a CA can revoke a certificate before that period expires by listing it in a CRL; from the revocation date the certificate is treated as invalid even though its stated validity period has not ended, and the key pair bound by the certificate must no longer be trusted. After a listed certificate reaches the end of its original validity period, it is removed from the CRL to keep the CRL short.

A CRL contains the issuer and serial number of each revoked certificate, the revocation date, the issuing date of the CRL, and the time when the next CRL will be issued.

Clients use CRLs to check the validity of certificates. When verifying a server's digital certificate, a client checks the CRL; if the certificate is listed, the client considers the certificate invalid.

Security Mechanisms

SSL provides the following security mechanisms:

l Connection privacy

SSL uses symmetric cryptography to encrypt data. It uses the Rivest-Shamir-Adleman (RSA) algorithm (an asymmetric algorithm) to protect the key used by the symmetric cipher when that key is exchanged during the handshake.

l Identity authentication

Digital certificates are used to authenticate a server and a client that need to communicate with each other. The SSL server and client use the mechanism provided by the public key infrastructure (PKI) to apply to a CA for a certificate.

l Message integrity

A keyed message authentication code (MAC) is used to verify message integrity during transmission. A MAC algorithm takes a key and data of arbitrary length and produces a MAC of fixed length.


– A message sender uses a MAC algorithm and a key to compute a MAC, appends it to a message, and sends the message to a receiver.

– The receiver uses the same key and MAC algorithm to compute a MAC and compares it with the MAC in the received message.

If the two MACs are the same, the message has not been tampered with during transmission. If the two MACs are different, the message has been tampered with, and the receiver discards this message.
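The two steps above, written out in Python as an added example (not code from the guide): the sender appends a keyed MAC, the receiver recomputes it with the same key and algorithm and discards the message when the two differ. HMAC-SHA256 from the standard library is used as the MAC algorithm; the SSL cipher suites in this chapter use HMAC with MD5 or SHA-1, but the sender/receiver logic is the same. The key and message are constructed for the example.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size   # a MAC has a fixed length whatever the message length


def protect(key: bytes, message: bytes) -> bytes:
    """Sender: compute the MAC over the message with the shared key and append it."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify(key: bytes, packet: bytes):
    """Receiver: recompute the MAC with the same key and algorithm and compare it
    with the received one. Returns the message if intact, None if it must be discarded."""
    if len(packet) < TAG_LEN:
        return None                                   # too short to even carry a MAC
    message, received_tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected_tag = hmac.new(key, message, hashlib.sha256).digest()
    # compare_digest takes the same time whether the tags differ early or late,
    # so the comparison itself leaks nothing about the expected tag.
    if not hmac.compare_digest(expected_tag, received_tag):
        return None
    return message


def tampered(packet: bytes) -> bytes:
    """Flip one bit of the message body, leaving the appended MAC untouched."""
    body = bytearray(packet)
    body[0] ^= 0x01
    return bytes(body)


# Constructed sample: a shared key and one application record.
KEY = b"constructed-demo-key-not-for-real-use"
MESSAGE = b"GET /status HTTP/1.1"
PACKET = protect(KEY, MESSAGE)


if __name__ == "__main__":
    print("intact    :", verify(KEY, PACKET))
    print("tampered  :", verify(KEY, tampered(PACKET)))
    print("wrong key :", verify(b"some other key", PACKET))
```

A MAC only proves integrity to someone holding the key; that is why SSL first agrees a session key under RSA (connection privacy above) and then derives the MAC key from it.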

11.2 SSL Features Supported by the AR200-S

The AR200-S supports server SSL policies and client SSL policies.

Server SSL Policy

A server SSL policy defines the parameters that an SSL server uses in SSL handshakes, including the public key infrastructure (PKI) domain name, maximum number of sessions that can be saved, timeout period of a saved session, and cipher suite.

To use an AR200-S as an SSL server, configure a server SSL policy on the AR200-S. During an SSL handshake, the AR200-S uses the SSL parameters in the server SSL policy to negotiate session parameters with an SSL client. After the handshake is complete, the AR200-S establishes a session with the client.

A server SSL policy can be applied to application layer protocols such as the Hypertext Transfer Protocol (HTTP) to provide secure connections. The AR200-S can use a server SSL policy to ensure security of Hypertext Transfer Protocol Secure (HTTPS).

Client SSL Policy

A client SSL policy defines the parameters that an SSL client uses in SSL handshakes, including the PKI domain name, SSL protocol version, and cipher suite.

To use an AR200-S as an SSL client, configure a client SSL policy on the AR200-S. During an SSL handshake, the AR200-S uses the SSL parameters in the client SSL policy to negotiate session parameters with the SSL server. After the handshake is complete, the AR200-S establishes a session with the server.

A client SSL policy can be applied to application layer protocols such as the CPE WAN Management Protocol (CWMP) to provide secure connections. The AR200-S can use a client SSL policy to ensure security of the CWMP service.

11.3 Configuring a Server SSL Policy

A server SSL policy defines parameters that an SSL server uses in SSL handshakes, including the PKI domain name, maximum number of sessions that can be saved, timeout period of a saved session, and cipher suite. Among these parameters, the PKI domain name is mandatory, and the others are optional.

Prerequisites

The PKI domain has been configured.


Applicable Environment

The SSL protocol uses data encryption, identity authentication, and message integrity check to ensure security of TCP-based application layer protocols. To use an AR200-S as an SSL server, configure a server SSL policy on the AR200-S. A server SSL policy can be applied to application layer protocols such as HTTP to provide secure connections.

Figure 11-2 AR200-S functions as an SSL server (diagram not reproduced: an SSL client reaches the AR200-S, the SSL server, across the Internet)

As shown in Figure 11-2, the AR200-S functions as an SSL server and has a server SSL policy configured. During an SSL handshake, the AR200-S uses the SSL parameters in the server SSL policy to negotiate session parameters with an SSL client. After the handshake is complete, the AR200-S establishes a session with the client.

The AR200-S is authenticated by the SSL client, but it cannot authenticate the client.

NOTE

When functioning as an SSL server, the AR200-S can communicate with SSL clients running SSL 3.0, TLS 1.0, or TLS 1.1. The AR200-S determines the SSL protocol version used for this communication and sends a Server Hello message to notify the client.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ssl policy policy-name type server

A server SSL policy is created.

Step 3 Run: pki-realm realm-name

A PKI domain is specified for the server SSL policy.

By default, no PKI domain is specified for a server SSL policy on the AR200-S.

NOTE

The AR200-S obtains a digital certificate from a CA in the specified PKI domain. Clients can then authenticate the AR200-S by checking the digital certificate.

Step 4 (Optional) Run: session { cachesize size | timeout time } *

The maximum number of sessions that can be saved and the timeout period of a saved session are set.


By default, a maximum of 32 sessions can be saved, and the timeout period of a saved session is 3600s.

Step 5 (Optional) Run: ciphersuite { rsa_aes_128_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha } *

A cipher suite is specified.

By default, a server SSL policy supports all the cipher suites: rsa_aes_128_cbc_sha, rsa_des_cbc_sha, rsa_rc4_128_md5, and rsa_rc4_128_sha.

----End

Example

# Run the display ssl policy policy-name command to view the configuration of the SSL policy server-users.

<Huawei> display ssl policy server-users
------------------------------------------------------------------------------
  Policy name                    : server-users
  Policy ID                      : 1
  Policy type                    : Server
  Cache number                   : 32
  Time out(second)               : 3600
  Server certificate load status : loaded
  Bind number                    : 1
  SSL connection number          : 1
------------------------------------------------------------------------------

11.4 Configuring a Client SSL Policy

A client SSL policy defines the parameters that an SSL client uses in SSL handshakes, including the PKI domain name, SSL protocol version, and cipher suite.

Prerequisites

The PKI domain has been configured.

Applicable Environment

The SSL protocol uses data encryption, identity authentication, and message integrity check to ensure security of TCP-based application layer protocols. To use an AR200-S as an SSL client, configure a client SSL policy on the AR200-S. A client SSL policy can be applied to application layer protocols such as the CPE WAN Management Protocol (CWMP) to provide secure connections.

Figure 11-3 AR200-S functions as an SSL client (diagram not reproduced: the AR200-S, the SSL client, reaches an SSL server across the Internet)


As shown in Figure 11-3, the AR200-S functions as an SSL client and has a client SSL policy configured. During an SSL handshake, the AR200-S uses the SSL parameters in the client SSL policy to negotiate session parameters with the SSL server. After the handshake is complete, the AR200-S establishes a session with the server.

When functioning as an SSL client, the AR200-S does not allow SSL servers to authenticate it, but it can authenticate SSL servers. When the AR200-S functions as an SSL client, enable it to authenticate servers to ensure secure communication.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ssl policy policy-name type client

A client SSL policy is created.

Step 3 Run: server-verify enable

SSL server authentication is enabled.

By default, SSL server authentication is disabled in a client SSL policy.

Step 4 Run: pki-realm realm-name

A PKI domain is specified for the client SSL policy.

By default, no PKI domain is specified for a client SSL policy on the AR200-S.

NOTE

The AR200-S obtains a CA certificate chain from CAs in the specified PKI domain. The AR200-S authenticates an SSL server by checking the server certificate and CA certificates against the CA certificate chain.

Step 5 (Optional) Run: version { ssl3.0 | tls1.0 | tls1.1 }

The SSL protocol version is specified.

By default, a client SSL policy uses Transport Layer Security (TLS) version 1.0.

NOTE

Ensure that the specified SSL protocol version is supported by the SSL server. Before performing this step, check the SSL protocol versions that the SSL server supports.

Step 6 (Optional) Run: prefer-ciphersuite { rsa_aes_128_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }

A cipher suite is specified.

By default, a client SSL policy uses all the cipher suites: rsa_aes_128_cbc_sha, rsa_des_cbc_sha, rsa_rc4_128_md5, and rsa_rc4_128_sha.


NOTE

Ensure that the specified cipher suite is supported by the SSL server. Before performing this step, check the cipher suites that the SSL server supports.

----End

Example

# Run the display ssl policy policy-name command to view the configuration of the SSL policy client-users.

<Huawei> display ssl policy client-users
------------------------------------------------------------------------------
  Policy name                    : client-users
  Policy ID                      : 3
  Policy type                    : Client
  Server verify                  : 1
  CA certificate load status     : loaded
  CA certificate num             : 1
  Bind number                    : 1
  SSL connection number          : 1
------------------------------------------------------------------------------
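The display ssl policy output in sections 11.3 and 11.4 is what an operator has to read to confirm that a policy actually authenticates the peer. The following Python script is an added example, not part of the guide or the router software: it parses that output into name/value pairs and flags a client policy on which server-verify is not enabled or no CA certificate is loaded, and a server policy whose certificate is not loaded. The first sample is the client-users output printed above; the second is constructed, and its values "0" and "not loaded" are assumed renderings of an unverified client policy.

```python
import re

# Output of "display ssl policy client-users" as printed in section 11.4 of the guide.
GUIDE_CLIENT_OUTPUT = """\
<Huawei> display ssl policy client-users
------------------------------------------------------------------------------
  Policy name                    : client-users
  Policy ID                      : 3
  Policy type                    : Client
  Server verify                  : 1
  CA certificate load status     : loaded
  CA certificate num             : 1
  Bind number                    : 1
  SSL connection number          : 1
------------------------------------------------------------------------------
"""

# Constructed output (not from the guide) for a client policy on which
# "server-verify enable" was never run and no CA certificate has been obtained.
# The values "0" and "not loaded" are assumed here.
WEAK_CLIENT_OUTPUT = """\
<Huawei> display ssl policy cwmp-client
------------------------------------------------------------------------------
  Policy name                    : cwmp-client
  Policy ID                      : 4
  Policy type                    : Client
  Server verify                  : 0
  CA certificate load status     : not loaded
  CA certificate num             : 0
  Bind number                    : 1
  SSL connection number          : 0
------------------------------------------------------------------------------
"""

# One "name : value" row; the name may contain spaces and parentheses, e.g. "Time out(second)".
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ()]*?)\s*:\s*(.*?)\s*$")


def parse_ssl_policy(output: str) -> dict:
    """Turn the name/value rows of a display ssl policy output into a dict."""
    policy = {}
    for line in output.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("<") or set(stripped) == {"-"}:
            continue  # blank line, echoed command, or separator rule
        match = FIELD_RE.match(line)
        if match:
            policy[match.group(1)] = match.group(2)
    return policy


def audit_ssl_policy(policy: dict) -> list:
    """Flag settings that leave one side of the SSL connection unauthenticated."""
    findings = []
    kind = policy.get("Policy type")
    if kind == "Client":
        if policy.get("Server verify") != "1":
            findings.append("server verification is off: the router would accept any server certificate")
        if policy.get("CA certificate load status") != "loaded" or policy.get("CA certificate num") == "0":
            findings.append("no CA certificate loaded: server certificates cannot be checked against the PKI domain")
    elif kind == "Server":
        if policy.get("Server certificate load status") != "loaded":
            findings.append("server certificate not loaded: clients cannot authenticate the router")
    else:
        findings.append(f"unrecognised policy type {kind!r}")
    return findings


def audit_output(output: str) -> list:
    """Parse and audit one command output in a single call."""
    return audit_ssl_policy(parse_ssl_policy(output))


if __name__ == "__main__":
    for text in (GUIDE_CLIENT_OUTPUT, WEAK_CLIENT_OUTPUT):
        policy = parse_ssl_policy(text)
        print(policy["Policy name"], audit_ssl_policy(policy) or ["ok"])
```

Run periodically against saved command output, a check like this catches the common mistake of creating a client policy with pki-realm but without server-verify enable, which the router accepts silently.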

11.5 Configuration Examples

This section provides several SSL configuration examples.

11.5.1 Example for Configuring a Server SSL Policy

This example shows how to configure a server SSL policy on an AR200-S functioning as an HTTPS server. After the configuration is complete, users can use a web browser to log in to and manage the Router.

Networking Environment

As shown in Figure 11-4, enterprise users use a web browser to connect to the Router. To prevent eavesdropping and tampering during data transmission, a network administrator requires users to use HTTPS to access the Router securely.

To meet this requirement, configure the Router as an HTTPS server, and configure a server SSL policy on the Router.

Figure 11-4 Networking diagram of the server SSL policy configuration (diagram not reproduced: enterprise users reach the Router over the Internet; the Router's interface Eth1/0/0 has address 11.1.1.1/24; the CA is at 11.137.145.158/24)


Configuration Roadmap

The configuration roadmap is as follows:

1. Configure a PKI entity and a PKI domain.

2. Configure a server SSL policy.

3. Configure the Router as an HTTPS server.

Data Preparation

To complete the configuration, you need the following data:

- Router's interface connected to the Internet: Ethernet1/0/0

- IP address of Ethernet1/0/0: 11.1.1.1/24

- IP address of the CA: 11.137.145.158/24

- PKI parameters, as shown in the following table.

Item: PKI entity
- PKI entity name: users
- Entity's common name: hello
- Entity's country code: CN
- Entity's province name: jiangsu
- Entity's organization name: huawei
- Entity's department name: info

Item: PKI domain
- PKI domain name: users
- Trusted CA: ca_root
- Certificate's enrollment URL: http://11.137.145.158:8080/certsrv/mscep/mscep.dll ra
- Bound PKI entity: users
- CA's fingerprint algorithm: secure hash algorithm (SHA)
- Fingerprint: 7bb05ada0482273388ed4ec228d79f77309ea3f4

- SSL parameters, as shown in the following table.

Policy Name   Maximum Number of Sessions   Session Timeout Period
sslserver     40                           7200s

- HTTPS service port number: 1278

NOTE

Before starting the configuration, ensure that routes between the Router, user hosts, and CA are reachable.


Procedure

Step 1 Configure a PKI entity and a PKI domain.

# Configure a PKI entity.

<Huawei> system-view
[Huawei] sysname Router
[Router] pki entity users
[Router-pki-entity-users] common-name hello
[Router-pki-entity-users] country cn
[Router-pki-entity-users] state jiangsu
[Router-pki-entity-users] organization huawei
[Router-pki-entity-users] organization-unit info
[Router-pki-entity-users] quit

NOTE

If the entity name and entity common name are not set to the Router's IP address 11.1.1.1, the system will display a message indicating that the certificate is invalid when the client opens a website. This does not affect HTTPS application.

# Configure a PKI domain, and enable the automatic certificate enrollment and update function.

[Router] pki realm users
[Router-pki-realm-users] entity users
[Router-pki-realm-users] ca id ca_root
[Router-pki-realm-users] enrollment-url http://11.137.145.158:8080/certsrv/mscep/mscep.dll ra
[Router-pki-realm-users] fingerprint sha1 7bb05ada0482273388ed4ec228d79f77309ea3f4
[Router-pki-realm-users] auto-enroll regenerate
[Router-pki-realm-users] quit

Step 2 Configure a server SSL policy sslserver.

# Create a server SSL policy and specify PKI domain users in the policy. This allows the Router to obtain a digital certificate from the CA specified in the PKI domain.

[Router] ssl policy sslserver type server
[Router-ssl-policy-sslserver] pki-realm users

# Set the maximum number of sessions that can be saved and the timeout period of a session.

[Router-ssl-policy-sslserver] session cachesize 40 timeout 7200
[Router-ssl-policy-sslserver] quit

Step 3 Configure the Router as an HTTPS server.

# Apply the SSL policy sslserver to the HTTPS service.

[Router] http secure-server ssl-policy sslserver

# Enable the HTTPS server function on the Router.

[Router] http secure-server enable

# Configure the port number of the HTTPS service.

[Router] http secure-server port 1278

Step 4 Verify the configuration.

# Run the display ssl policy command to view the configuration of the SSL policy sslserver.

<Router> display ssl policy sslserver


------------------------------------------------------------------------------
  Policy name                    : sslserver
  Policy ID                      : 1
  Policy type                    : Server
  Cache number                   : 40
  Time out(second)               : 7200
  Server certificate load status : loaded
  Bind number                    : 1
  SSL connection number          : 1
------------------------------------------------------------------------------

# Start the web browser on a PC, and enter https://11.1.1.1:1278 in the address box. The web management system of the Router is displayed, and you can manage the Router on the web pages.

----End

Example

Configuration file of the Router

#
 sysname Router
#
interface Ethernet 1/0/0
 ip address 11.1.1.1 255.255.255.0
#
pki entity users
 country CN
 state jiangsu
 organization huawei
 organization-unit info
 common-name hello
#
pki realm users
 ca id ca_root
 enrollment-url http://11.137.145.158:8080/certsrv/mscep/mscep.dll ra
 entity users
 auto-enroll regenerate
 fingerprint sha1 7bb05ada0482273388ed4ec228d79f77309ea3f4
#
ssl policy sslserver type server
 pki-realm users
 session cachesize 40 timeout 7200
#
 http secure-server ssl-policy sslserver
 http secure-server enable
 http secure-server port 1278
#
return

11.5.2 Example for Configuring a Client SSL Policy

This example shows how to configure a client SSL policy on the AR200-S functioning as the customer premises equipment (CPE). After the configuration is complete, the AR200-S can authenticate the auto-configuration server (ACS) and communicate with the ACS securely.

Networking Environment

As shown in Figure 11-5, the Router functions as a CPE to connect to phones, fax machines, and switches. An ACS uses CWMP to manage and control the Router.


The ACS functions as an SSL server and has obtained a digital certificate from the CA. You need to configure the Router as an SSL client to authenticate the ACS. This ensures privacy and integrity of data exchanged between the Router and the ACS.

Figure 11-5 Networking diagram of the client SSL policy configuration (diagram not reproduced: the Router, as CPE, connects an analog phone, a fax, an IP phone and a PC through an LSW, and is managed over CWMP by the ACS across the Internet; addresses shown: Router Eth1/0/0 11.1.1.1/24, CA 11.137.145.158/24, 11.2.2.58/24)

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure a PKI entity and a PKI domain.
2. Configure a client SSL policy on the Router and enable SSL server authentication in the policy.
3. Apply the client SSL policy to the CWMP service so that the Router authenticates the ACS to ensure data privacy and integrity.
4. Enable the Router to automatically initiate connections to the ACS and set the CWMP parameters. This enables the ACS to manage and control the Router using CWMP.

Data Preparation

To complete the configuration, you need the following data:

- PKI domain name: cwmp0
- Client SSL policy name: sslclient
- IP address of the CA: 11.137.145.158/24
- URL of the ACS: https://www.acs.com:80/acs
- PKI parameters, as shown in the following table.


Item: PKI entity
- PKI entity name: cwmp0
- Entity's common name: hello
- Entity's country code: CN
- Entity's province name: jiangsu
- Entity's organization name: huawei
- Entity's department name: info

Item: PKI domain
- PKI domain name: cwmp0
- Trusted CA: ca_root
- Certificate's enrollment URL: http://11.137.145.158:8080/certsrv/mscep/mscep.dll ra
- Bound PKI entity: cwmp0
- CA's fingerprint algorithm: secure hash algorithm (SHA)
- Fingerprint: 7bb05ada0482273388ed4ec228d79f77309ea3f4

NOTE

Before starting the configuration, ensure that routes between the Router, ACS, and CA are reachable.

Procedure

Step 1 Configure a PKI entity and a PKI domain.

# Configure a PKI entity.

<Huawei> system-view
[Huawei] sysname Router
[Router] pki entity cwmp0
[Router-pki-entity-cwmp0] common-name hello
[Router-pki-entity-cwmp0] country CN
[Router-pki-entity-cwmp0] state jiangsu
[Router-pki-entity-cwmp0] organization huawei
[Router-pki-entity-cwmp0] organization-unit info
[Router-pki-entity-cwmp0] quit

# Configure a PKI domain, and enable the automatic certificate enrollment and update function.

[Router] pki realm cwmp0
[Router-pki-realm-cwmp0] entity cwmp0
[Router-pki-realm-cwmp0] ca id ca_root
[Router-pki-realm-cwmp0] enrollment-url http://11.137.145.158:8080/certsrv/mscep/mscep.dll ra
[Router-pki-realm-cwmp0] fingerprint sha1 7bb05ada0482273388ed4ec228d79f77309ea3f4
[Router-pki-realm-cwmp0] auto-enroll regenerate
[Router-pki-realm-cwmp0] quit

# Manually enroll the certificate.

[Router] pki enroll-certificate cwmp0
 Info: Start certificate enrollment ...
 Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate.
 For security reasons your password will not be saved in the configuration. Please make a note of it.
 Choice no password ,please enter the enter-key.
 Please enter Password:
 Start certificate enrollment ...
 Certificate enrolling now,It will take a few minutes or more.Please waiting...
[Router]
 The certificate enroll successful.

NOTE

You will be prompted to enter the password during certificate enrollment. If you do not have a password, press Enter.

Step 2 Configure a client SSL policy.

# Enable SSL server authentication.

[Router] ssl policy sslclient type client
[Router-ssl-policy-sslclient] server-verify enable

# Specify the PKI domain cwmp0 in the client SSL policy.

[Router-ssl-policy-sslclient] pki-realm cwmp0
[Router-ssl-policy-sslclient] quit

Step 3 Enable the CWMP function on the Router.

[Router] cwmp
[Router-cwmp] cwmp enable

Step 4 Apply the SSL policy to CWMP.

[Router-cwmp] cwmp ssl-client ssl-policy sslclient

Step 5 Configure the Router to automatically initiate connections to the ACS.

# Configure the URL used by the Router to connect to the ACS.

[Router-cwmp] cwmp acs url https://www.acs.com:80/acs

# Enable the Router to send Inform messages.

[Router-cwmp] cwmp cpe inform interval enable

# Set the interval at which the Router sends Inform messages to 1000 seconds.

[Router-cwmp] cwmp cpe inform interval 1000

# Configure the Router to send an Inform message at 2011-01-01 20:00:00.

[Router-cwmp] cwmp cpe inform time 2011-01-01T20:00:00

Step 6 Set CWMP parameters on the Router.

# Configure the interface that the Router uses to connect to the ACS.

[Router-cwmp] cwmp cpe connect interface Ethernet 1/0/0

# Set the user name and password that the Router uses for authentication by the ACS.

[Router-cwmp] cwmp acs username newacsname
[Router-cwmp] cwmp acs password newacspsw

# Configure the user name and password that the Router uses to authenticate the ACS.

[Router-cwmp] cwmp cpe username newcpename
[Router-cwmp] cwmp cpe password newcpepsw


# Set the maximum number of connection attempts to 5.

[Router-cwmp] cwmp cpe connect retry 5

# Set the close-wait timer of the Router to 100 seconds. If no data is transmitted within 100 seconds, the connection is torn down.

[Router-cwmp] cwmp cpe wait timeout 100

Step 7 Verify the configuration.

# Run the display current-configuration command. The command output shows that SSL has been successfully configured for CWMP.

<Router> display current-configuration
...
cwmp
 cwmp cpe inform interval enable
 cwmp acs url https://www.acs.com:80/acs
 cwmp acs username newacsname
 cwmp acs password newacspsw
 cwmp cpe username newcpename
 cwmp cpe password newacspsw
 cwmp cpe inform interval 1000
 cwmp cpe connect retry 5
 cwmp cpe wait timeout 100
 cwmp cpe connect interface Ethernet 1/0/0
 cwmp ssl-client ssl-policy sslclient
...

# Run the display cwmp configuration command. The command output shows that CWMP is enabled, and the Router is configured to send Inform packets at intervals.

<Router> display cwmp configuration
 CWMP is enabled
 ACS URL: https://www.acs.com:80/acs
 ACS username: newacsname
 ACS password: newacspsw
 Inform enable status: enabled
 Inform interval: 1000s
 Inform time: 2011-01-01T20:00:00
 Wait timeout: 100s
 Reconnection times: 5

# Run the display cwmp status command. The command output shows that CWMP is enabled, and the CWMP connection status is connected.

<Router> display cwmp status
 CWMP is enabled
 ACS URL: https://www.acs.com:80/acs
 Acs information is set by: user
 ACS username: newacsname
 ACS password: newacspsw
 Connection status: connected
 Time of last successful connection: 2010-12-01T20:00:00

----End

Example

Configuration file of the Router

#
 sysname Router
#
interface Ethernet 1/0/0
 ip address 11.1.1.1 255.255.255.0
#
cwmp
 cwmp cpe inform interval enable
 cwmp acs url https://www.acs.com:80/acs
 cwmp acs username newacsname
 cwmp acs password newacspsw
 cwmp cpe username newcpename
 cwmp cpe password newacspsw
 cwmp cpe inform interval 1000
 cwmp cpe connect retry 5
 cwmp cpe wait timeout 100
 cwmp cpe connect interface Ethernet 1/0/0
 cwmp ssl-client ssl-policy sslclient
#
pki entity cwmp0
 country CN
 state jiangsu
 organization huawei
 organization-unit info
 common-name hello
#
pki realm cwmp0
 ca id ca_root
 enrollment-url http://11.137.145.158:8080/certsrv/mscep/mscep.dll ra
 entity cwmp0
 auto-enroll regenerate
 fingerprint sha1 7bb05ada0482273388ed4ec228d79f77309ea3f4
#
ssl policy sslclient type client
 server-verify enable
 pki-realm cwmp0
#
return


12 PKI Configuration

About This Chapter

12.1 PKI Overview

The Public Key Infrastructure (PKI) is a system that generates public keys and digital certificates, and verifies identities of certificate subjects to ensure information security. PKI provides a certificate management mechanism for the IP Security (IPSec) protocol and Secure Sockets Layer (SSL) protocol.

12.2 PKI Features Supported by the AR200-S

On the AR200-S, you can configure PKI entities and PKI domains, manually or automatically enroll certificates, authenticate certificate validity, manage certificates, import or export certificates, and delete expired certificates.

12.3 Configuring a PKI Entity

A certificate binds a public key to a set of information that uniquely identifies a PKI entity. A PKI entity identifies a certificate applicant.

12.4 Configuring a PKI Domain

Before an entity applies for a PKI certificate, registration information needs to be configured for the entity. A set of the registration information is the PKI domain of the entity.

12.5 Configuring Certificate Enrollment

Certificate enrollment is a process in which an entity registers with a CA and obtains a certificate from the CA. During this process, the entity provides the identity information and public key, which will be added to the certificate issued to the entity.

12.6 Configuring Certificate Authentication

Before a certificate is used, it must be authenticated.

12.7 Managing Certificates

Managing certificates includes deleting, importing, and exporting certificates, and configuring the default path where certificates are stored.

12.8 Configuration Examples


12.1 PKI Overview

The Public Key Infrastructure (PKI) is a system that generates public keys and digital certificates, and verifies identities of certificate subjects to ensure information security. PKI provides a certificate management mechanism for the IP Security (IPSec) protocol and Secure Sockets Layer (SSL) protocol.

Definition

The public key infrastructure (PKI) is a system that generates public keys and digital certificates, and verifies identities of certificate subjects to ensure information security. PKI issues digital certificates that bind public keys to respective user identities by means of a certificate authority (CA).

PKI allows users to easily request, download, and revoke digital certificates. In addition to issuing digital certificates, the PKI provides other services such as blacklisting to ensure confidentiality, integrity, non-repudiation, and authentication of data.

- Confidentiality: Data will not be intercepted by unauthorized users during transmission.
- Integrity: Data will not be tampered with by unauthorized users during transmission.
- Non-repudiation: A data sender cannot deny having sent a message or digital signature.
- Authentication: Communication entities can be identified.

PKI provides information security on insecure networks and private networks. It can also securely transmit keys between users.

Digital Certificate

A digital certificate is a file that is signed by a certificate authority (CA) and binds a public key to a user identity. The signature of the CA ensures the validity and authority of the digital certificate. A digital certificate must comply with the ITU-T X.509 standard. Currently, X.509 v3 digital certificates are mostly used. A digital certificate contains multiple fields, including the certificate issuer name, entity public key, signature of the issuing CA, and certificate validity period.

Three types of digital certificates are described in this section: local certificates, CA certificates, and self-signed certificates.

- Local certificate: a certificate that a CA signs and issues to a user.
- CA certificate: a certificate used to verify a CA's identity.
If multiple CAs exist in the PKI system, a CA hierarchy is formed. At the top of the hierarchy is a root CA, which has a self-signed certificate.
- Self-signed certificate: a certificate issued by a PKI device to itself. In a self-signed certificate, the certificate issuer and subject are the same.

Certificate Revocation List

When a user name is changed, a private key is compromised, or services cease, the certificate of the user must be revoked to unbind the public key from the user identity. In the PKI, a certificate revocation list (CRL) is used to revoke certificates. After a certificate is revoked, the CA issuing this certificate needs to publish a CRL to declare that this certificate is invalid. The CRL contains serial numbers of revoked certificates. A CRL provides a method to verify certificate validity.


If a CRL contains many revoked certificates, the CRL becomes large, which degrades the performance of network resources. To avoid this problem, a CA publishes multiple CRLs and uses CRL distribution points (CDPs) to indicate the location of these CRLs.

12.2 PKI Features Supported by the AR200-S

On the AR200-S, you can configure PKI entities and PKI domains, manually or automatically enroll certificates, authenticate certificate validity, manage certificates, import or export certificates, and delete expired certificates.
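The following Python example is added to show the CDP mechanism just described; it is not part of the Huawei guide and does not build real X.509 CRLs. A toy issuing CA assigns serial numbers in fixed-size blocks, publishes one CRL per block so that no single CRL can grow beyond the block size, and writes the URL of that CRL (the CDP) into each certificate it issues. The relying party then fetches only the CRL named by the certificate's CDP, and refuses to draw a conclusion from a CRL whose issuer does not match the certificate. The base URL, the block size and the serial numbers are constructed for the example; `fetch` stands in for the download of a published CRL.

```python
from dataclasses import dataclass, field

CDP_BASE = "http://crl.example.invalid/ca_root"   # constructed placeholder, not a real CDP


@dataclass(frozen=True)
class Certificate:
    issuer: str
    serial: int
    subject: str
    cdp: str            # CRL distribution point: where the CRL covering this certificate lives


@dataclass
class CRLPartition:
    """One of the CA's published CRLs; it only ever lists serials from its own block."""
    url: str
    issuer: str
    revoked: set = field(default_factory=set)


class IssuingCA:
    def __init__(self, name: str, max_entries_per_crl: int):
        self.name = name
        self.max_entries = max_entries_per_crl
        self.partitions = {}    # CDP url -> CRLPartition (what the CA publishes)
        self.issued = {}        # serial -> Certificate
        self._next_serial = 1

    def issue(self, subject: str) -> Certificate:
        serial, self._next_serial = self._next_serial, self._next_serial + 1
        block = (serial - 1) // self.max_entries          # serials 1..N -> block 0, and so on
        url = f"{CDP_BASE}/crl{block}.crl"
        self.partitions.setdefault(url, CRLPartition(url, self.name))
        cert = Certificate(self.name, serial, subject, url)
        self.issued[serial] = cert
        return cert

    def revoke(self, serial: int) -> None:
        cert = self.issued[serial]
        self.partitions[cert.cdp].revoked.add(serial)   # lands in the CRL the certificate points at


def crl_status(cert: Certificate, fetch) -> str:
    """Relying party: follow the certificate's CDP to the right CRL and look the serial up.
    `fetch(url)` returns the published CRL at that URL, or None if it cannot be retrieved."""
    crl = fetch(cert.cdp)
    if crl is None or crl.issuer != cert.issuer:
        return "unverifiable"      # no CRL from this certificate's issuer at its CDP: do not guess
    return "revoked" if cert.serial in crl.revoked else "good"


def demo() -> dict:
    ca = IssuingCA("CN=ca_root", max_entries_per_crl=100)
    for i in range(1, 251):                 # 250 certificates -> three CRL partitions
        ca.issue(f"CN=cpe{i}")
    for serial in (5, 150, 250):
        ca.revoke(serial)
    fetch = ca.partitions.get               # stands in for downloading the CRL at a CDP URL
    foreign = Certificate("CN=other-ca", 1, "CN=x", f"{CDP_BASE}/crl0.crl")
    return {
        "partitions": len(ca.partitions),
        "largest_crl": max(len(p.revoked) for p in ca.partitions.values()),
        "cdp_of_150": ca.issued[150].cdp,
        "150": crl_status(ca.issued[150], fetch),
        "151": crl_status(ca.issued[151], fetch),
        "foreign": crl_status(foreign, fetch),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The issuer check at the end is the part most often skipped: a CRL is a signed statement by one CA about its own certificates, so a CRL from anyone else found at the CDP URL says nothing about the certificate being checked.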

PKI System Architecture

Figure 12-1 shows the PKI system architecture.

Figure 12-1 PKI system architecture (diagram not reproduced: it shows a PKI end entity, the PKI management entities RA, CA and CDP, and a certificate/CRL repository, with arrows labelled management interaction, operational interaction, outband certificate loading, outband issuing, issue certificate, issue certificate and CRL, and issue CRL)

The public key infrastructure (PKI) system consists of the following components:

- PKI entity
A PKI entity refers to an end entity or a PKI management entity.

– An end entity is a certificate applicant or user.

– A PKI management entity is an authority that issues or manages certificates. Certificate authorities (CAs), registration authorities (RAs), and certificate revocation list (CRL) issuers are PKI management entities. Sometimes an attribute authority (AA) functions as a CRL issuer.


l PKI repository

The PKI repository stores certificates and CRLs for PKI entities to query and manage.

• PKI protocol suite

The PKI protocol suite consists of the Public Key Infrastructure and X.509 (PKIX) standards and the Public-Key Cryptography Standards (PKCS).

PKIX was developed by the PKIX Working Group. PKIX defines a series of standards and protocols used for communication between PKI entities or between a PKI entity and a PKI repository. These standards define operation rules, certificate formats and content, CRL formats and content, cryptography and signature algorithms, PKI policies, PKI repository protocols, and certificate management protocols.

PKCS was jointly developed by RSA Laboratories and other secure systems developers to enable interoperation between public-key cryptography systems. It defines various key and data formats, algorithms and application programming interfaces, abstract syntax notation, and basic encoding rules. The data formats and algorithms defined in PKCS are the basis of PKI implementation.

The Rivest-Shamir-Adleman (RSA) algorithm is one of the commonly used public-key algorithms. PKCS#1 defines the RSA cryptography specifications, including formats for RSA public key functions, calculation methods for digital signatures, formats for digital signatures and data to be signed, and syntax for public and private keys.

• Other protocols

Some protocols do not belong to the PKCS family, but PKCS uses encoding rules in these protocols to describe objects. These protocols include Abstract Syntax Notation One (ASN.1), Distinguished Encoding Rules (DER), Basic Encoding Rules (BER), and Base64.

ASN.1 (also called X.208) defines rules for describing the structure of objects and data structures in representing, encoding, transmitting, and decoding data.

PKI Working Process

On a PKI network, PKI is configured on the AR200-S to allow the AR200-S to obtain a local certificate from a CA and verify certificate validity. The PKI working process is as follows:

1. An entity applies for a certificate from a registration authority (RA).

2. The RA authenticates the entity's identity and sends the entity's identity information and public key as a digital signature to a certificate authority (CA).

3. The CA authenticates the digital signature, issues a certificate if it approves the entity's request, and sends it to the RA.

4. The RA receives the certificate and notifies the entity that its certificate has been issued.

5. The entity obtains the certificate and uses it to securely communicate with other entities by means of encrypted data or digital signatures.

6. The entity sends a revocation request to the CA if it needs to revoke its certificate. The CA approves the entity's revocation request and updates its CRL.

PKI Configuration Roadmap

Figure 12-2 shows the PKI configuration roadmap.


Figure 12-2 PKI configuration roadmap

[Figure: flowchart of the following steps]

1. Configure a PKI entity: configure a PKI entity identifier; (optional) configure PKI entity attributes.

2. Configure a PKI domain: create a PKI domain; configure the trusted CA name and enrollment URL; (optional) configure the CA certificate fingerprint; (optional) configure other attributes in the PKI domain.

3. Configure certificate enrollment: configure manual certificate enrollment, configure automatic certificate enrollment and update, or configure a self-signed or local certificate.

4. (Optional) Configure certificate authentication: configure the certificate check mode; check certificate validity.

5. (Optional) Manage certificates: delete a CA certificate or local certificate; import a certificate; export a certificate.

License Support

The PKI function is used with a license. To use the PKI function, apply for and purchase the following license from the Huawei local office:

• AR150&200 Value-Added Security Package

12.3 Configuring a PKI Entity

A certificate binds a public key to a set of information that uniquely identifies a PKI entity. A PKI entity identifies a certificate applicant.

12.3.1 Establishing the Configuration Task

Before configuring a PKI entity, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

A certificate binds a public key to a set of information that uniquely identifies a PKI entity. A distinguished name (DN) of an entity is the identity information of the entity. The identity information provided by an entity uniquely identifies a certificate applicant.


Pre-configuration Tasks

None

Data Preparation

To configure a PKI entity, you need the following data.

No. Data

1 PKI entity's common name, fully qualified domain name (FQDN), or both (each of the two uniquely identifies a PKI entity)

2 (Optional) PKI entity's country code, state name, organization name, department name, and IP address

12.3.2 Configuring a PKI Entity Identifier

You can configure a common name, a fully qualified domain name (FQDN), or both to uniquely identify a PKI entity.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki entity entity-name

The PKI entity view is displayed.

By default, no PKI entity is configured on the AR200-S.

Step 3 Run the following commands to configure the PKI entity identifiers:

• Run the common-name common-name command to configure the common name for the PKI entity.

By default, no PKI entity name is configured on the AR200-S.

• Run the fqdn fqdn-name command to configure the FQDN for the PKI entity.

By default, no FQDN is configured on the AR200-S.

Either common-name or fqdn-name can identify a PKI entity. To identify a PKI entity, specify common-name or fqdn-name.

----End

12.3.3 (Optional) Configuring PKI Entity Attributes

In addition to configuring a common name or an FQDN for a PKI entity, you can configure the country code, state name or province name, and department name for the PKI entity to identify this PKI entity.


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki entity entity-name

The PKI entity view is displayed.

Step 3 Run:
country country-code

A country code is configured for the PKI entity.

By default, no country code is configured for a PKI entity.

Step 4 Run:
state state-name

A state name or province name is configured for the PKI entity.

By default, no state name or province name is configured for a PKI entity.

Step 5 Run:
organization organization-name

An organization name is configured for the PKI entity.

By default, no organization name is configured for a PKI entity.

Step 6 Run:
organization-unit organization-unit-name

A department name is configured for the PKI entity.

By default, no department name is configured for a PKI entity.

Step 7 Run:
ip-address ip-address

An IP address is configured for the PKI entity.

By default, no IP address is configured for a PKI entity.

----End

12.3.4 Checking the Configuration

After a PKI entity is configured, you can view the PKI entity configuration.

Procedure

• Run the display pki entity [ entity-name ] command to check the PKI entity configuration.

----End


12.4 Configuring a PKI Domain

Before an entity applies for a PKI certificate, registration information needs to be configured for the entity. This set of registration information is the PKI domain of the entity.

12.4.1 Establishing the Configuration Task

Before configuring a PKI domain, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

A PKI domain is a set of identity information required when a PKI entity enrolls a certificate. A PKI domain allows other applications, such as Internet Key Exchange (IKE) and Secure Sockets Layer (SSL), to reference the PKI configuration easily. A PKI domain configured on a device is unavailable to CAs or other devices. Each PKI domain has its own domain parameters.

Pre-configuration Tasks

Before creating a PKI domain, complete the following task:

• Creating a PKI entity

Data Preparation

To configure a PKI domain, you need the following data.

No. Data

1 PKI domain name

2 Bound PKI entity name

3 Trusted CA name and enrollment URL

4 (Optional) CA root certificate fingerprint

5 (Optional) Certificate revocation password, Rivest, Shamir, and Adleman (RSA) key length, source IP address used in TCP connection setup

12.4.2 Creating a PKI Domain

A PKI domain is a set of identity information required when a PKI entity enrolls a certificate. A PKI domain allows other applications, such as Internet Key Exchange (IKE) and Secure Sockets Layer (SSL), to reference the PKI configuration easily.


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki realm realm-name

A PKI domain is created.

By default, no PKI domain is configured on the AR200-S.

----End

12.4.3 Configuring a PKI Entity Name

In a PKI domain, configure a name for the PKI entity applying for a certificate. A PKI entity name binds to only one PKI entity.

Context

When a PKI entity sends a certificate request to a CA, the PKI entity must specify the entity name used, to show its identity information to the CA.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki realm realm-name

A PKI domain is configured.

By default, no PKI domain is configured on the AR200-S.

Step 3 Run:
entity entity-name

A PKI entity is specified.

By default, no PKI entity is specified on the AR200-S.

----End

12.4.4 Configuring the Trusted CA Name and Enrollment URL

A trusted certificate authority enrolls and issues certificates to entities. Therefore, a trusted CA name and enrollment URL must be configured.

Context

A registration authority (RA) receives registration requests from users, checks users' certificate credentials, and decides whether a CA can issue digital certificates to the users. An RA does not issue certificates to users; it only checks users' certificate credentials. Sometimes a CA implements the registration management function, and therefore no independent RA is required.

Before an entity requests a certificate, an enrollment URL must be specified. The entity requests a certificate using the Simple Certificate Enrollment Protocol (SCEP) from the server specified by the enrollment URL. SCEP is used by entities to communicate with CAs.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki realm realm-name

A PKI domain is configured.

By default, no PKI domain is configured on the AR200-S.

Step 3 Run:
ca id ca-name

A trusted CA name is configured.

By default, no trusted CA is configured on the AR200-S.

Step 4 Run:
enrollment-url url [ interval minutes ] [ times count ] [ ra ]

An enrollment URL is configured.

By default, no enrollment URL is configured on the AR200-S.

----End

12.4.5 (Optional) Configuring CA Certificate Fingerprint

Before the AR200-S obtains a root certificate from a CA, the AR200-S needs to check the CA root certificate fingerprint. The CA root certificate fingerprint is the hash value of the root certificate and is unique to each certificate. If the CA root certificate fingerprint is different from the fingerprint configured in the specified PKI domain, the AR200-S refuses the issued root certificate.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki realm realm-name

A PKI domain is configured.

By default, no PKI domain is configured on the AR200-S.


Step 3 Run:
fingerprint { md5 | sha1 } fingerprint

The CA certificate fingerprint used in CA certificate authentication is configured.

A CA certificate fingerprint is usually sent to the AR200-S administrator by email. By default, no CA certificate fingerprint is configured on the AR200-S.

----End
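The fingerprint check described above can be reproduced off the router, so that a value received by email is cross-checked against the CA root certificate before it is typed into the fingerprint command. The following Python script is an added example, not code from this guide or from Huawei: it hashes the DER encoding of a certificate supplied as PEM or DER with MD5 or SHA-1 (the two algorithms the command accepts), normalizes the operator-supplied string, rejects values of the wrong length (SHA-1 is 40 hex digits, so the 41-digit value printed in the Table 12-1 data plan would be rejected while the 40-digit value used in the CLI example is accepted), and compares in constant time. The certificate bytes are a constructed stand-in, not a real certificate.

```python
"""Verify a CA root certificate fingerprint before configuring it on the router.

Added example (not from the Huawei guide): the AR200-S "fingerprint { md5 | sha1 }"
command pins the hash of the DER-encoded CA root certificate; this script computes
that hash locally so the value received by email can be cross-checked first.
"""
import base64
import hashlib
import hmac
import re
import textwrap

# Digest algorithms accepted by the "fingerprint { md5 | sha1 } fingerprint" command.
DIGESTS = {"md5": hashlib.md5, "sha1": hashlib.sha1}
# Hex length of each fingerprint: 16-byte MD5, 20-byte SHA-1.
HEX_LEN = {"md5": 32, "sha1": 40}

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_der(cert: bytes) -> bytes:
    """Return the DER encoding of a certificate supplied as PEM or raw DER bytes."""
    match = _PEM_RE.search(cert.decode("ascii", errors="ignore"))
    if match:
        # PEM is base64 of the DER bytes; the fingerprint is always taken over DER.
        return base64.b64decode("".join(match.group(1).split()))
    return cert


def normalize_fingerprint(algorithm: str, text: str) -> str:
    """Lowercase hex without separators; raise ValueError if malformed for the algorithm."""
    if algorithm not in DIGESTS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    hexstr = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]*", hexstr):
        raise ValueError("fingerprint contains non-hex characters")
    if len(hexstr) != HEX_LEN[algorithm]:
        raise ValueError(
            f"{algorithm} fingerprint must be {HEX_LEN[algorithm]} hex digits, got {len(hexstr)}"
        )
    return hexstr


def is_well_formed(algorithm: str, text: str) -> bool:
    """True if text is a syntactically valid fingerprint for the algorithm."""
    try:
        normalize_fingerprint(algorithm, text)
        return True
    except ValueError:
        return False


def compute_fingerprint(algorithm: str, cert: bytes) -> str:
    """Fingerprint of the certificate: hash of its DER encoding, as lowercase hex."""
    return DIGESTS[algorithm](to_der(cert)).hexdigest()


def fingerprint_matches(algorithm: str, configured: str, cert: bytes) -> bool:
    """Compare the operator-supplied fingerprint with the certificate's actual one.

    Mirrors the router's rule: on a mismatch the CA root certificate is refused.
    """
    expected = normalize_fingerprint(algorithm, configured)
    actual = compute_fingerprint(algorithm, cert)
    return hmac.compare_digest(expected, actual)


# Constructed stand-in for a DER-encoded root certificate (not a real certificate).
SAMPLE_DER = b"\x30\x82\x01\x00" + b"constructed stand-in for a CA root certificate"
# The same bytes wrapped as PEM, the form in which a CA usually publishes its root.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + textwrap.fill(base64.b64encode(SAMPLE_DER).decode("ascii"), 64)
    + "\n-----END CERTIFICATE-----\n"
).encode("ascii")

if __name__ == "__main__":
    for alg in ("sha1", "md5"):
        print(f"{alg}: {compute_fingerprint(alg, SAMPLE_PEM)}")
    # A value typed with colon separators and upper case, as emailed, still matches.
    emailed = ":".join(textwrap.wrap(compute_fingerprint("sha1", SAMPLE_DER).upper(), 2))
    print("matches:", fingerprint_matches("sha1", emailed, SAMPLE_PEM))
```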

12.4.6 (Optional) Configuring a Certificate Revocation Password

Configuring a certificate revocation password prevents users from incorrectly revoking certificates. This improves operation security.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki realm realm-name

A PKI domain is configured.

By default, no PKI domain is configured on the AR200-S.

Step 3 Run:
password [ cipher ] password

A certificate revocation password is configured.

By default, no certificate revocation password is configured on the AR200-S.

----End

12.4.7 (Optional) Configuring the RSA Key Length of Certificates

After the RSA key length of certificates is set, the AR200-S generates an RSA key of the specified length when requesting a certificate.

Context

An RSA key pair contains a public key and a private key. When host A requests a certificate, the certificate request must contain the public key. After a certificate is granted to host A, host B uses the public key of host A to encrypt data sent to host A. Host A saves the private key and uses it to decrypt data sent from host B or to generate a digital signature for data sent to host B.

Procedure

Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
pki realm realm-name

A PKI domain is configured.

By default, no PKI domain is configured on the AR200-S.

Step 3 Run:
rsa-key-size size

The RSA key length of certificates is set.

By default, the RSA key length of certificates is 1024 on the AR200-S.

----End

12.4.8 (Optional) Configuring a Source IP Address for TCP Connection Setup

The AR200-S uses a specified source IP address to establish a TCP connection with the Simple Certificate Enrollment Protocol (SCEP) server or Online Certificate Status Protocol (OCSP) server.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki realm realm-name

A PKI domain is configured.

By default, no PKI domain is configured on the AR200-S.

Step 3 Run:
source interface interface-name

The source interface is specified. The AR200-S uses the IP address of this interface to set up a TCP connection.

By default, the AR200-S uses the outbound interface's IP address as the source IP address for TCP connection setup.

----End

12.4.9 Checking the Configuration

After a PKI domain is configured, you can check the PKI domain configuration.

Procedure

• Run the display pki realm [ pki-realm-name ] command to check the PKI domain configuration.

----End


12.5 Configuring Certificate Enrollment

Certificate enrollment is a process in which an entity registers with a CA and obtains a certificate from the CA. During this process, the entity provides its identity information and public key, which will be added to the certificate issued to the entity.

12.5.1 Establishing the Configuration Task

Before configuring certificate enrollment, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

Certificates can be enrolled using the following methods:

• Manual certificate enrollment: A PKI device is configured to enroll a certificate with a CA.

• Automatic certificate enrollment: A PKI device uses the Simple Certificate Enrollment Protocol (SCEP) to request a certificate from a CA when the configuration required for certificate enrollment is complete but no local certificate is available.

• Self-signed certificate enrollment: A PKI device issues a self-signed certificate to itself.

Pre-configuration Tasks

Before configuring certificate enrollment, complete the following tasks:

• Creating a PKI entity

• Creating a PKI domain

Data Preparation

To configure certificate enrollment, you need the following data.

No. Data

1 PKI domain name and (optional) certificate request information in PKCS#10 format

2 (Optional) Percentage of the certificate's validity period

3 Self-signed certificate file name

12.5.2 Configuring Manual Certificate Enrollment

An entity can apply to a CA for a certificate online or offline. In offline enrollment mode, the entity provides the identity information and public key in an outband way. For example, the entity can make a call or send an email to the CA.


Prerequisites

A PKI domain has been created and configured. For details, see 12.4 Configuring a PKI Domain.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki enroll-certificate pki-realm-name [ pkcs10 [ filename filename ] ]

Manual certificate enrollment is configured.

If pkcs10 is specified, an entity applies to a CA for a certificate offline. The entity saves the certificate request information in a file in PKCS#10 format and sends the file to the CA in an outband way.

If pkcs10 is not specified, an entity applies to a CA for a certificate online.

Step 3 (Optional) Run:
pki get-certificate { ca | local } pki-realm-name

A certificate is obtained.

When a certificate is enrolled manually, the CA certificate and local certificate are downloaded and saved in the default path automatically. If the CA certificate or local certificate is deleted unexpectedly, run the pki get-certificate command to obtain the CA certificate or device certificate again.

----End

12.5.3 Configuring Automatic Certificate Enrollment and Update

When certificates are unavailable, are about to expire, or have expired, an entity automatically requests a new certificate or renews the certificate using the Simple Certificate Enrollment Protocol (SCEP).

Prerequisites

A PKI domain has been created and configured. For details, see 12.4 Configuring a PKI Domain.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki realm realm-name

A PKI domain is configured.


By default, no PKI domain is configured on the AR200-S.

Step 3 Run:
auto-enroll [ percent ] [ regenerate ]

The automatic certificate enrollment and update function is enabled.

After the automatic certificate enrollment and update function is enabled, users do not need to manually enroll certificates. When an external application requires a CA or local certificate, it instructs the system to register a CA or local certificate.

----End

12.5.4 Creating a Self-signed Certificate or Local Certificate

A PKI device can generate a self-signed certificate or local certificate and issue the certificate to a user.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki create-certificate [ self-signed ] { filename file-name }

A self-signed certificate or local certificate is created.

----End

12.5.5 Checking the Configuration

After a certificate is obtained from a CA, or a self-signed certificate or local certificate is created, you can view certificate information.

Procedure

• Run the display pki certificate { local | ca } pki-realm-name [ verbose ] command to check certificate information.

• Run the display pki certificate enroll-status pki-realm-name command to view the certificate enrollment status.

----End

12.6 Configuring Certificate Authentication

Before a certificate is used, it must be authenticated.

12.6.1 Establishing the Configuration Task

Before configuring certificate authentication, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for configuration. This will help you complete the configuration task quickly and accurately.


Applicable Environment

Before a certificate is used, it must be authenticated. In a certificate, the issuing date, issuer information, and certificate validity need to be authenticated. A valid certificate must be within its validity period and must not have been revoked.

A PKI entity uses any of the following methods to check the peer certificate status:

• Certificate revocation list (CRL)

• Online Certificate Status Protocol (OCSP)

• None: The PKI entity does not check the peer certificate status.

Pre-configuration Tasks

Before configuring certificate authentication, complete the following task:

• Obtaining and enrolling a certificate

Data Preparation

To configure certificate authentication, you need the following data.

No. Data

1 PKI domain name

2 (Optional) CDP URL and interval at which a PKI entity downloads a CRL from the CRL storage server

3 (Optional) OCSP server URL

12.6.2 Configuring the Certificate Check Mode

There are three certificate check modes: CRL, OCSP, or none.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki realm realm-name

A PKI domain is configured.

By default, no PKI domain is configured on the AR200-S.

Step 3 Run:
certificate-check { crl | none | ocsp }

The certificate check mode is configured.

By default, the AR200-S checks certificates using CRLs.


• If CRL is used for certificate check, CRLs are automatically downloaded from a CA server during each certificate check. To use CRL to check a certificate, perform the following operations according to networking requirements:

– Run:
cdp-url cdp-url

A CRL distribution point (CDP) URL used to obtain the CRL issued by a CA is configured.

Certificates issued by the CA contain the CDP information, specifying how and where to obtain the CRL. A PKI entity uses the method specified in the CDP information to download the CRL. If the CDP URL is configured in the PKI domain, the PKI entity obtains the CRL from the specified URL instead.

– Run:
crl cache

The AR200-S is configured to use the cached CRL for certificate check, without having to download the CRL from the CA.

– Run:
crl update-period hours

The interval at which a PKI entity downloads a CRL from a CRL storage server is configured.

– Run:
quit

Return to the system view.

– If the PKI entity suspects that the CRL has expired, run:
pki get-crl pki-realm-name

The AR200-S downloads the latest CRL from the CA.

• To use OCSP for certificate check, perform the following operation:

– Run:
ocsp-url ocsp-url

The OCSP server's URL is configured. This URL overrides the OCSP server's address in the certificate.

----End

12.6.3 Checking Certificate Validity

After the certificate validity check mode is configured, you can check certificate validity.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki validate-certificate { ca | local } pki-realm-name

The CA certificate validity or local certificate validity is checked.

----End


12.6.4 Checking the Configuration

After the certificate authentication mode is configured, you can view certificate information.

Procedure

• Run the display pki certificate enroll-status pki-realm-name command to check the certificate enrollment status.

• Run the display pki crl pki-realm-name command to check CRL information.

----End

12.7 Managing Certificates

Managing certificates includes deleting, importing, and exporting certificates, and configuring the default path where certificates are stored.

12.7.1 Deleting a Certificate

When a certificate expires or a user wants to request a new certificate, you can delete the existing certificate.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki delete-certificate { ca | local | ocsp } pki-realm-name

The certificate is deleted.

----End

12.7.2 Importing a Certificate

To use an external certificate, copy it to a storage device in an outband way and import it to the AR200-S.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki import-certificate { ca | local | ocsp } pki-realm-name { der | pkcs12 | pem }

The external certificate is imported to the AR200-S.

----End


12.7.3 Exporting a Certificate

To provide a certificate for another device, export the certificate.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki export-certificate { ca | local | ocsp } pki-realm-name { der | pkcs12 | pem }

The certificate is exported and saved in a file.

----End

12.7.4 Configuring the Default Path Where Certificates Are Stored

You can configure the default path where certificate files are stored.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pki credential-storage local-dir

The default path and directory where the CA certificate, local certificate, and private key are stored are configured.

By default, the CA certificate, local certificate, and private key are stored in flash:/.

----End

12.8 Configuration Examples

12.8.1 Example for Configuring Manual Certificate Enrollment

Networking Requirements

This section describes how to configure a PKI entity (a router) to request a local certificate from a CA.

Figure 12-3 Configuring a PKI entity to request a certificate from a CA

[Figure: the PKI entity (a router) and the CA communicate over the Internet.]


Table 12-1 Data plan

Item: PKI entity
• PKI entity name: user01
• Entity's common name: hello
• Entity's country code: CN
• Entity's province name: jiangsu
• Entity's organization name: huawei
• Entity's department name: info

Item: PKI domain
• PKI domain name: test
• Trusted CA name: ca_root
• Certificate's enrollment URL: http://10.137.145.158:8080/certsrv/mscep/mscep.dll
• Bound PKI entity name: user01
• CA's fingerprint algorithm: secure hash algorithm (SHA)
• Fingerprint: 17A34D94624B1C1BCBF6D763C4A67035D5B578EAF

Configuration Roadmap

1. Configure a PKI entity to identify a certificate applicant.

2. Configure a PKI domain and specify the identity information required for certificate enrollment, including the trusted CA name, bound entity name, enrollment URL, and root certificate fingerprint.

3. Obtain a local certificate manually.

Procedure

Step 1 Configure interface IP addresses and routes to enable the PKI entity and CA to communicate.

Step 2 Configure a PKI entity to identify a certificate applicant.

# Configure a PKI entity user01.

<Huawei> system-view
[Huawei] pki entity user01
[Huawei-pki-entity-user01] common-name hello
[Huawei-pki-entity-user01] country cn
[Huawei-pki-entity-user01] state jiangsu
[Huawei-pki-entity-user01] organization huawei
[Huawei-pki-entity-user01] organization-unit info
[Huawei-pki-entity-user01] quit

Step 3 Configure a PKI domain and specify the identity information required for certificate enrollment in the PKI domain.


# Configure the trusted CA, bound entity, enrollment URL, and root certificate fingerprint.

[Huawei] pki realm test
[Huawei-pki-realm-test] ca id ca_root
[Huawei-pki-realm-test] entity user01
[Huawei-pki-realm-test] enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
[Huawei-pki-realm-test] fingerprint sha1 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF
[Huawei-pki-realm-test] quit

Step 4 Enroll the certificate manually.

[Huawei] pki enroll-certificate test
Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it.
Choice no password ,please enter the enter-key.
Please enter Password:
Start certificate enrollment ...
Certificate is enrolling now,It will take a few minutes or more. Please waiting...
The certificate enroll successful.

You will be prompted to enter the password during certificate enrollment. If you do not have a password, press Enter.

Step 5 Verify the configuration.

After the preceding configurations are complete, the CA issues a certificate to the PKI entity. In the certificate information, the issued-to field value is the entity common name hello.

Run the display pki certificate { local | ca } pki-realm-name [ verbose ] command on the PKI entity to view the certificate.

<Huawei> display pki certificate local test
Certificate Status : Available
Version: 3
Serial Number: 19 36 41 af 00 00 00 00 02 ba
Subject:
C=CN
ST=jiangsu
O=huawei
OU=info
CN=hello

Associated Pki Realm : test

Total Number: 1

----End

Configuration Files

#
pki entity user01
 country CN
 state jiangsu
 organization huawei
 organization-unit info
 common-name hello
#
pki realm test
 ca id ca_root
 enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
 entity user01
 fingerprint sha1 7a34d94624b1c1bcbf6d763c4a67035d5b578eaf
#
return
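Because the enrollment URL above is plain HTTP, the pinned fingerprint is the only thing that authenticates the CA certificate the router downloads. The check below is an added example, not the router's own code: it parses a fingerprint line as typed above (upper case), validates the digest length for the named algorithm, and compares it in constant time with the digest of the downloaded certificate, which the configuration file stores in lower case. The certificate bytes are a constructed stand-in, not a real DER certificate.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the DER-encoded CA certificate the router fetches
# from the enrollment URL (a real one would come from the SCEP GetCACert reply).
CA_CERT_DER = b"constructed stand-in for the DER encoding of ca_root"

# The line exactly as typed in the pki realm view above.
FINGERPRINT_LINE = "fingerprint sha1 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF"

_LINE = re.compile(r"^\s*fingerprint\s+(\w+)\s+([0-9A-Fa-f]+)\s*$")


def parse_fingerprint_line(line: str) -> tuple:
    """Parse 'fingerprint <algorithm> <hex>' into (algorithm, lowercase hex),
    rejecting unknown algorithms and digests of the wrong length."""
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"not a fingerprint line: {line!r}")
    algorithm, digest = m.group(1).lower(), m.group(2).lower()
    if algorithm not in hashlib.algorithms_available:
        raise ValueError(f"unknown fingerprint algorithm {algorithm!r}")
    expected = hashlib.new(algorithm).digest_size * 2
    if len(digest) != expected:
        raise ValueError(
            f"{algorithm} fingerprint needs {expected} hex digits, got {len(digest)}")
    return algorithm, digest


def certificate_fingerprint(cert_der: bytes, algorithm: str = "sha1") -> str:
    """Hex digest of the DER certificate, in the lowercase form the
    configuration file shows (7a34d946...)."""
    return hashlib.new(algorithm, cert_der).hexdigest()


def ca_certificate_trusted(cert_der: bytes, fingerprint_line: str) -> bool:
    """True only when the downloaded CA certificate matches the pinned
    fingerprint. Case-insensitive (typed upper, stored lower), constant-time."""
    algorithm, pinned = parse_fingerprint_line(fingerprint_line)
    return hmac.compare_digest(certificate_fingerprint(cert_der, algorithm), pinned)
```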

12.8.2 Example for Configuring PKI in IPSec

Networking Requirements

As shown in Figure 12-4, devices in two subnets communicate with the Internet through their respective gateways and need to establish an IPSec tunnel to transmit data flows. To meet this requirement, perform the following operations:

- Establish an IPSec tunnel between the two gateways to protect the data flows transmitted between subnet 1 at 10.1.1.0/24 and subnet 2 at 11.1.1.0/24.

- Establish the security tunnel between the two gateways using Internet Key Exchange (IKE) negotiation. During IKE negotiation, PKI certificates are used for identity authentication.

Figure 12-4 Configuring PKI in IPSec

[Figure: RouterA (Eth0/0/8 1.1.1.1/24 facing the Internet; VLANIF 10 at 10.1.1.1/24 behind Eth0/0/1 serving Group 1 hosts at 10.1.1.2/24) and RouterB (Eth0/0/8 2.2.2.1/24; VLANIF 20 at 11.1.1.1/24 behind Eth0/0/1 serving Group 2 hosts at 11.1.1.2/24) are connected across the Internet, where the CA is also reachable. The IPSec tunnel runs between the two Eth0/0/8 interfaces.]


Table 12-2 Data plan of RouterA

Item: PKI entity
- PKI entity name: routera
- Entity's common name: helloa
- Entity's country code: CN
- Entity's province name: jiangsu
- Entity's organization name: huawei
- Entity's department name: info

Item: PKI domain
- PKI domain name: testa
- Trusted CA name: ca_root
- Certificate's enrollment URL: http://10.137.145.158:8080/certsrv/mscep/mscep.dll
- Bound entity name: routera
- CA's fingerprint algorithm: secure hash algorithm 1 (SHA1)
- Fingerprint: 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF

Item: IKE proposal
- Encryption algorithm: 3DES-CBC
- Authentication algorithm: SHA1
- Authentication mode: Rivest, Shamir, and Adleman (RSA) signature

Item: IKE peer
- IKE peer name: routera
- Local peer's ID type: IP address
- Local IP address: 1.1.1.1
- Remote IP address: 2.2.2.1
- Negotiation mode: main

Item: IPSec proposal
- Transport protocol: ESP
- Authentication algorithm: SHA1
- Encryption algorithm: 3DES
- Encapsulation mode: tunnel

Item: IPSec policy
- Security association (SA) triggering mode: automatic


Table 12-3 Data plan of RouterB

Item: PKI entity
- PKI entity name: routerb
- Entity's common name: hellob
- Entity's country code: CN
- Entity's province name: jiangsu
- Entity's organization name: huawei
- Entity's department name: marketing

Item: PKI domain
- PKI domain name: testb
- Trusted CA name: ca_root
- Certificate's enrollment URL: http://10.137.145.158:8080/certsrv/mscep/mscep.dll
- Bound entity name: routerb
- CA's fingerprint algorithm: secure hash algorithm 1 (SHA1)
- Fingerprint: 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF

Item: IKE proposal
- Encryption algorithm: 3DES-CBC
- Authentication mode: RSA signature
- Authentication algorithm: SHA1

Item: IKE peer
- IKE peer name: routerb
- Negotiation mode: main
- Local peer's ID type: IP address
- Local IP address: 2.2.2.1
- Remote IP address: 1.1.1.1

Item: IPSec proposal
- Transport protocol: ESP
- Authentication algorithm: SHA1
- Encryption algorithm: 3DES
- Encapsulation mode: tunnel

Item: IPSec policy
- SA triggering mode: automatic

Configuration Roadmap

1. Configure a PKI entity to identify a certificate applicant.
2. Configure a PKI domain and specify the identity information required for certificate enrollment in the PKI domain.
3. Configure IKE to use a digital signature for identity authentication.
4. Configure IPSec to protect data flows between the two subnets.
5. Request a certificate and download it for IKE negotiation.


Procedure

Step 1 Configure interface IP addresses and routes to enable IPSec peers and CA to communicate.

Step 2 Configure a PKI entity.

# Configure RouterA.

<Huawei> system-view
[Huawei] pki entity routera
[Huawei-pki-entity-routera] common-name helloa
[Huawei-pki-entity-routera] country cn
[Huawei-pki-entity-routera] state jiangsu
[Huawei-pki-entity-routera] organization huawei
[Huawei-pki-entity-routera] organization-unit info
[Huawei-pki-entity-routera] quit

# Configure RouterB.

<Huawei> system-view
[Huawei] pki entity routerb
[Huawei-pki-entity-routerb] common-name hellob
[Huawei-pki-entity-routerb] country cn
[Huawei-pki-entity-routerb] state jiangsu
[Huawei-pki-entity-routerb] organization huawei
[Huawei-pki-entity-routerb] organization-unit marketing
[Huawei-pki-entity-routerb] quit

Step 3 Configure a PKI domain.

# Configure RouterA.

[Huawei] pki realm testa
[Huawei-pki-realm-testa] ca id ca_root
[Huawei-pki-realm-testa] entity routera
[Huawei-pki-realm-testa] enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
[Huawei-pki-realm-testa] fingerprint sha1 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF
[Huawei-pki-realm-testa] certificate-check none
[Huawei-pki-realm-testa] quit

# Configure RouterB.

[Huawei] pki realm testb
[Huawei-pki-realm-testb] ca id ca_root
[Huawei-pki-realm-testb] entity routerb
[Huawei-pki-realm-testb] enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
[Huawei-pki-realm-testb] fingerprint sha1 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF
[Huawei-pki-realm-testb] certificate-check none
[Huawei-pki-realm-testb] quit

Step 4 Configure IKE to use a digital signature for identity authentication.

# Configure RouterA.

[Huawei] ike proposal 1
[Huawei-ike-proposal-1] encryption-algorithm 3des-cbc
[Huawei-ike-proposal-1] authentication-method rsa-signature
[Huawei-ike-proposal-1] authentication-algorithm sha1
[Huawei-ike-proposal-1] quit
[Huawei] ike peer routera v2
[Huawei-ike-peer-routera] ike-proposal 1
[Huawei-ike-peer-routera] local-address 1.1.1.1
[Huawei-ike-peer-routera] remote-address 2.2.2.1
[Huawei-ike-peer-routera] pki realm testa

# Configure RouterB.


[Huawei] ike proposal 1
[Huawei-ike-proposal-1] encryption-algorithm 3des-cbc
[Huawei-ike-proposal-1] authentication-method rsa-signature
[Huawei-ike-proposal-1] authentication-algorithm sha1
[Huawei-ike-proposal-1] quit
[Huawei] ike peer routerb v2
[Huawei-ike-peer-routerb] ike-proposal 1
[Huawei-ike-peer-routerb] local-address 2.2.2.1
[Huawei-ike-peer-routerb] remote-address 1.1.1.1
[Huawei-ike-peer-routerb] pki realm testb

Step 5 Configure access control lists (ACLs) and define the data flows to be protected in the ACLs.

# Configure RouterA.

[Huawei] acl 3000
[Huawei-acl-adv-3000] rule 5 permit ip source 1.1.1.1 0 destination 2.2.2.1 0
[Huawei-acl-adv-3000] rule 15 permit ip source 10.1.1.1 0 destination 11.1.1.1 0
[Huawei-acl-adv-3000] quit

# Configure RouterB.

[Huawei] acl 3000
[Huawei-acl-adv-3000] rule 5 permit ip source 2.2.2.1 0 destination 1.1.1.1 0
[Huawei-acl-adv-3000] rule 10 permit ip source 11.1.1.1 0 destination 10.1.1.1 0
[Huawei-acl-adv-3000] quit

Step 6 Configure IPSec to protect data flows between two subnets.

# Configure RouterA.

[Huawei] ipsec proposal routera
[Huawei-ipsec-proposal-routera] transform esp
[Huawei-ipsec-proposal-routera] esp authentication-algorithm sha1
[Huawei-ipsec-proposal-routera] esp encryption-algorithm 3des
[Huawei-ipsec-proposal-routera] quit
[Huawei] ipsec policy routera 1 isakmp
[Huawei-ipsec-policy-isakmp-routera-1] security acl 3000
[Huawei-ipsec-policy-isakmp-routera-1] ike-peer routera
[Huawei-ipsec-policy-isakmp-routera-1] proposal routera
[Huawei-ipsec-policy-isakmp-routera-1] quit

# Configure RouterB.

[Huawei] ipsec proposal routerb
[Huawei-ipsec-proposal-routerb] transform esp
[Huawei-ipsec-proposal-routerb] esp authentication-algorithm sha1
[Huawei-ipsec-proposal-routerb] esp encryption-algorithm 3des
[Huawei-ipsec-proposal-routerb] quit
[Huawei] ipsec policy routerb 1 isakmp
[Huawei-ipsec-policy-isakmp-routerb-1] security acl 3000
[Huawei-ipsec-policy-isakmp-routerb-1] ike-peer routerb
[Huawei-ipsec-policy-isakmp-routerb-1] proposal routerb
[Huawei-ipsec-policy-isakmp-routerb-1] quit

Step 7 Bind IPSec policies to interfaces.

# Configure RouterA.

[Huawei] interface ethernet 0/0/8
[Huawei-Ethernet0/0/8] ipsec policy routera
[Huawei-Ethernet0/0/8] quit

# Configure RouterB.


[Huawei] interface ethernet 0/0/8
[Huawei-Ethernet0/0/8] ipsec policy routerb
[Huawei-Ethernet0/0/8] quit

Step 8 Configure devices to request a certificate and download it for IKE negotiation.

# Configure RouterA.

[Huawei] pki enroll-certificate testa
Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it.
Choice no password ,please enter the enter-key.
Please enter Password:
Start certificate enrollment ...
Certificate is enrolling now,It will take a few minutes or more. Please waiting...
The certificate enroll successful.

# Configure RouterB.

[Huawei] pki enroll-certificate testb
Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it.
Choice no password ,please enter the enter-key.
Please enter Password:
Start certificate enrollment ...
Certificate is enrolling now,It will take a few minutes or more. Please waiting...
The certificate enroll successful.

Step 9 Verify the configuration.

Run the display ike sa v2 command on RouterA and RouterB to view IKE SA information. The command output shows that RouterA and RouterB have established an IKE SA and can ping each other successfully.

The display on RouterA is as follows.

[Huawei] display ike sa v2
    Conn-ID  Peer            VPN   Flag(s)                Phase
  ---------------------------------------------------------------
    898      2.2.2.1         0     RD|ST                  2
    895      2.2.2.1         0     RD|ST                  1

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
[Huawei]

The display on RouterB is as follows.

[Huawei] display ike sa v2
    Conn-ID  Peer            VPN   Flag(s)                Phase
  ---------------------------------------------------------------
    874      1.1.1.1         0     RD                     2
    873      1.1.1.1         0     RD                     1

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP

Ping RouterB from RouterA. RouterA can ping RouterB successfully.


[Huawei] ping 2.2.2.1
  PING 2.2.2.1: 56  data bytes, press CTRL_C to break
    Reply from 2.2.2.1: bytes=56 Sequence=1 ttl=255 time=3 ms
    Reply from 2.2.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
    Reply from 2.2.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms
    Reply from 2.2.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
    Reply from 2.2.2.1: bytes=56 Sequence=5 ttl=255 time=2 ms

  --- 2.2.2.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/2/3 ms

NOTE

During IKE negotiation, if RouterA and RouterB have not obtained the CA certificate or their local certificates, IKE negotiation fails.

----End

Configuration Files

Configuration file of RouterA

#
 router id 1.1.1.1
#
acl number 3000
 rule 5 permit ip source 1.1.1.1 0 destination 2.2.2.1 0
 rule 15 permit ip source 10.1.1.1 0 destination 11.1.1.1 0
#
ipsec proposal routera
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-method rsa-signature
#
ike peer routera v2
 ike-proposal 1
 local-address 1.1.1.1
 remote-address 2.2.2.1
 pki realm testa
#
ipsec policy routera 1 isakmp
 security acl 3000
 ike-peer routera
 proposal routera
#
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface Ethernet0/0/8
 ip address 1.1.1.1 255.255.255.0
 ipsec policy routera
#
ospf 1
 area 0.0.0.0
  network 1.1.1.0 0.0.0.255
  network 10.1.1.0 0.0.0.255
#
pki entity routera
 country CN
 state jiangsu
 organization huawei
 organization-unit info
 common-name helloa
#
pki realm testa
 ca id ca_root
 enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
 entity routera
 fingerprint sha1 7a34d94624b1c1bcbf6d763c4a67035d5b578eaf
 certificate-check none
#
return

Configuration file of RouterB

#
 router id 3.3.3.3
#
acl number 3000
 rule 5 permit ip source 2.2.2.1 0 destination 1.1.1.1 0
 rule 10 permit ip source 11.1.1.1 0 destination 10.1.1.1 0
#
ipsec proposal routerb
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-method rsa-signature
#
ike peer routerb v2
 ike-proposal 1
 local-address 2.2.2.1
 remote-address 1.1.1.1
 pki realm testb
#
ipsec policy routerb 1 isakmp
 security acl 3000
 ike-peer routerb
 proposal routerb
#
interface Vlanif20
 ip address 11.1.1.1 255.255.255.0
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface Ethernet0/0/8
 ip address 2.2.2.1 255.255.255.0
 ipsec policy routerb
#
ospf 1
 area 0.0.0.0
  network 2.2.2.0 0.0.0.255
  network 11.1.1.0 0.0.0.255
#
pki entity routerb
 country CN
 state jiangsu
 organization huawei
 organization-unit marketing
 common-name hellob
#
pki realm testb
 ca id ca_root
 enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
 entity routerb
 fingerprint sha1 7a34d94624b1c1bcbf6d763c4a67035d5b578eaf
 certificate-check none
#
return
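A peer-consistency check over the two configuration files above, added here as an example (it is not part of the guide and not a device feature): it splits each file into its "#"-delimited sections and reports an IKE or IPSec proposal mismatch, IKE peer addresses that are not mirrored, or an ACL flow that the other side does not protect in the reverse direction. The excerpts keep only the acl, ipsec proposal, ike proposal and ike peer sections; the function and message names are this example's own.

```python
import re

# Excerpts of the RouterA and RouterB configuration files shown above
# (acl, ipsec proposal, ike proposal, ike peer); other sections are omitted.
ROUTER_A = """\
#
acl number 3000
 rule 5 permit ip source 1.1.1.1 0 destination 2.2.2.1 0
 rule 15 permit ip source 10.1.1.1 0 destination 11.1.1.1 0
#
ipsec proposal routera
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-method rsa-signature
#
ike peer routera v2
 ike-proposal 1
 local-address 1.1.1.1
 remote-address 2.2.2.1
 pki realm testa
#
"""
ROUTER_B = """\
#
acl number 3000
 rule 5 permit ip source 2.2.2.1 0 destination 1.1.1.1 0
 rule 10 permit ip source 11.1.1.1 0 destination 10.1.1.1 0
#
ipsec proposal routerb
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-method rsa-signature
#
ike peer routerb v2
 ike-proposal 1
 local-address 2.2.2.1
 remote-address 1.1.1.1
 pki realm testb
#
"""

RULE = re.compile(r"rule \d+ permit ip source (\S+) \S+ destination (\S+) \S+")


def sections(config: str) -> dict:
    """Split a VRP-style configuration into {header line: [body lines]},
    using the '#' separator lines."""
    out, block = {}, []
    for line in [ln.strip() for ln in config.splitlines()] + ["#"]:
        if line == "#":
            if block:
                out[block[0]] = block[1:]
            block = []
        elif line:
            block.append(line)
    return out


def section(secs: dict, prefix: str) -> dict:
    """Body of the first section whose header starts with prefix, as
    {setting: last word}, e.g. 'local-address 1.1.1.1' -> {'local-address': '1.1.1.1'}."""
    for header, body in secs.items():
        if header.startswith(prefix):
            return dict(line.rsplit(" ", 1) for line in body)
    raise KeyError(f"no section starting with {prefix!r}")


def acl_flows(secs: dict) -> set:
    """(source, destination) pairs permitted by the ACLs, ignoring rule numbers."""
    flows = set()
    for header, body in secs.items():
        if header.startswith("acl number "):
            flows |= {m.groups() for m in map(RULE.match, body) if m}
    return flows


def check_peers(cfg_a: str, cfg_b: str) -> list:
    """Return the inconsistencies between two IPSec peer configurations;
    an empty list means the two sides mirror each other."""
    a, b = sections(cfg_a), sections(cfg_b)
    peer_a, peer_b = section(a, "ike peer "), section(b, "ike peer ")
    problems = []
    if (peer_a["local-address"], peer_a["remote-address"]) != \
       (peer_b["remote-address"], peer_b["local-address"]):
        problems.append("ike peer: local/remote addresses are not mirrored")
    if section(a, "ike proposal ") != section(b, "ike proposal "):
        problems.append("ike proposal: encryption or authentication settings differ")
    if section(a, "ipsec proposal ") != section(b, "ipsec proposal "):
        problems.append("ipsec proposal: ESP algorithms differ")
    # Every protected flow on one side must appear reversed on the other side.
    mirrored_b = {(dst, src) for src, dst in acl_flows(b)}
    for src, dst in sorted(acl_flows(a) ^ mirrored_b):
        problems.append(f"acl: flow {src} -> {dst} is not mirrored on the peer")
    return problems
```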


13 Keychain Configuration

About This Chapter

This chapter describes keychain fundamentals and provides keychain configuration steps for the different parameters, along with a typical example.

13.1 Introduction to Keychain

13.2 Keychain Features Supported by the AR200-S

13.3 Configuring Basic Keychain Functions
This section describes how to configure the basic functions of the keychain module.

13.4 Configuring TCP Authentication Parameters
This section describes how to configure the TCP authentication parameters of the keychain module.

13.5 Configuration Examples
This section provides configuration examples of the keychain module.


13.1 Introduction to Keychain

Keychain provides an authentication function to all applications. It also allows authentication keys to be changed dynamically without any packet drops.

Applications exchange authenticated packets on networks for security reasons. An authentication algorithm, together with a shared secret key, is used to determine whether a message sent over an insecure channel has been tampered with. This type of authentication requires that the sender and the receiver share both the secret key and the authentication algorithm used to authenticate the packet. The secret key itself must never be sent over the network.

If each application maintains its own set of authentication rules (authentication algorithm and shared secret key), the same set of authentication data is used in many places. This results in duplication of data and reprocessing of the authentication information. In addition, each application uses a constant authentication key unless the network administrator changes the key manually. Changing keys manually is a cumbersome procedure, and packets can be dropped while the keys change, because it is very difficult to change the keys instantaneously on all the routers.

The system therefore needs a mechanism that centralizes all authentication processing and changes authentication algorithms and keys dynamically with little human intervention. The keychain module provides this functionality.

13.2 Keychain Features Supported by the AR200-S

The AR200-S supports the following keychain features:

- Authentication for applications
  An application that requires authentication support has to reference a keychain. A keychain can have one or multiple key-ids. A key-id comprises an authentication algorithm and a key-string (the shared secret key). Each key-id is associated with a send lifetime and a receive lifetime, which determine whether it is send-active, receive-active, or both at a given instant. A key-id that is send-active at one end must be receive-active at the other end. The administrator has to configure the key-ids under the keychain in such a way that both sides can communicate without any packet loss.

- Receive tolerance
  When the send key-id on a router changes, the corresponding receive key-id on the peer router should change at the same instant. Because the clocks of the two routers are not perfectly synchronized, there can be a time lag between the key-id changes on the two routers, and during this period packets can be dropped because inconsistent key-ids are used. To prevent this and to allow a smooth transition from one key-id to another, a grace period is allowed during which both keys are accepted. This grace period is called the receive tolerance period, and it applies only to receive keys: the receive time period of a receive key is extended by the receive tolerance at both its start time and its end time.

- Default send-key-id
  When the administrator does not configure a key-id for some interval of time, there may be no active key-id. During that period, the application cannot communicate with authentication. To avoid this situation, there should be a default send-key-id that is always active. Any key-id in a keychain can be marked as the default send-key-id, but there can be only one default send-key-id in a keychain. When any key-id becomes active, the application uses the newly active key-id instead of the default send-key-id. Similarly, when the active key-id becomes inactive and there is no other active key-id, the application uses the default send-key-id.

- TCP-kind and TCP algorithm-id configuration
  TCP-based applications can communicate with nodes from other vendors over an authenticated TCP connection. For authenticated communication, TCP uses the TCP Enhanced Authentication Option. Currently, different vendors use different kind values to represent the TCP Enhanced Authentication Option type, so the kind value must be configurable and set according to the vendor of the connected peer. Similarly, the TCP Enhanced Authentication Option has a field named algorithm-id that identifies the authentication algorithm. Because algorithm-ids are not defined by IANA, different vendors currently use different algorithm-ids for the same algorithm. To communicate with other vendors, the user has to configure the TCP algorithm-id for each algorithm in the keychain according to the peer node type.
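A model of the key-id selection rules described above (authentication for applications, receive tolerance, default send-key-id), added here as an example; it is not code from the guide and the AR200-S exposes no such API. In absolute timing mode it returns the single send-active key-id or falls back to the default send-key-id, and it widens every receive window by the receive tolerance at both ends so that the old and the new key are both accepted during a rollover. Key-strings, dates and the "earth" name are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple, Union

INFINITE = "infinite"
Window = Tuple[datetime, datetime]   # (start, end), absolute timing mode, UTC


def utc(text: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM', the form the display keychain output uses."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


@dataclass
class KeyId:
    key_id: int
    key_string: Optional[str] = None
    algorithm: Optional[str] = None       # e.g. "hmac-sha1-20"
    send_time: Optional[Window] = None
    receive_time: Optional[Window] = None

    def usable(self) -> bool:
        # A key-id without a key-string or an algorithm is inactive.
        return self.key_string is not None and self.algorithm is not None


@dataclass
class Keychain:
    name: str
    receive_tolerance: Union[int, str] = 0    # minutes, or INFINITE
    default_send_key_id: Optional[int] = None
    keys: Dict[int, KeyId] = field(default_factory=dict)

    def add(self, key: KeyId) -> None:
        if not 0 <= key.key_id <= 63:
            raise ValueError("key-id must be an integer in 0..63")
        self.keys[key.key_id] = key

    def set_receive_tolerance(self, value: Union[int, str]) -> None:
        # At most 10 days (14400 minutes), or infinite.
        if value != INFINITE and not 0 <= value <= 14400:
            raise ValueError("receive tolerance is 0..14400 minutes or infinite")
        self.receive_tolerance = value

    def send_key(self, now: datetime) -> Optional[int]:
        """The single send-active key-id, or the default send-key-id if none is."""
        active = [k.key_id for k in self.keys.values()
                  if k.usable() and k.send_time
                  and k.send_time[0] <= now <= k.send_time[1]]
        if len(active) > 1:
            raise ValueError(f"send-times overlap: {active}")
        if active:
            return active[0]
        default = self.keys.get(self.default_send_key_id)
        return default.key_id if default and default.usable() else None

    def receive_keys(self, now: datetime) -> List[int]:
        """Key-ids accepted on receipt. Each receive window is widened by the
        receive tolerance at both ends, so two keys are accepted during rollover."""
        accepted = []
        for k in self.keys.values():
            if not (k.usable() and k.receive_time):
                continue
            if self.receive_tolerance == INFINITE:
                accepted.append(k.key_id)
                continue
            tol = timedelta(minutes=self.receive_tolerance)
            start, end = k.receive_time
            if start - tol <= now <= end + tol:
                accepted.append(k.key_id)
        return sorted(accepted)


def example_keychain() -> Keychain:
    """Constructed keychain: key-id 1 hands over to key-id 2 at 2012-03-21 00:00,
    receive tolerance is 100 minutes, key-id 1 is also the default send-key-id."""
    kc = Keychain("earth", default_send_key_id=1)
    kc.set_receive_tolerance(100)
    w1 = (utc("2012-03-14 00:00"), utc("2012-03-20 23:59"))
    w2 = (utc("2012-03-21 00:00"), utc("2012-08-08 23:59"))
    kc.add(KeyId(1, "hello", "md5", send_time=w1, receive_time=w1))
    kc.add(KeyId(2, "world", "hmac-sha1-20", send_time=w2, receive_time=w2))
    kc.add(KeyId(3, None, "md5", send_time=w2, receive_time=w2))   # no key-string: inactive
    return kc
```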

13.3 Configuring Basic Keychain Functions

This section describes how to configure the basic functions of the keychain module.

13.3.1 Establishing the Configuration Task

Applicable Environment

Keychain is used to provide authentication support to applications. A keychain can have one or multiple key-ids. A key-id comprises an authentication algorithm and a key-string (the shared secret key). Each key-id is associated with a send lifetime and a receive lifetime, based on which it is send-active, receive-active, or both. A key-id that is send-active or receive-active is used for authenticated communication: a send-active key-id is used to send out authenticated packets, and on the receiver side the same key-id must be receive-active to process those packets. The administrator has to configure the key-ids under the keychain in such a way that both sides can communicate without any packet loss.

Pre-configuration Tasks

Before configuring the keychain on the peer routers, configure the Network Time Protocol (NTP) so that the time is consistent on the two routers.

Data Preparation

To configure basic keychain features, you need the following data.

No.  Data
1    Keychain name
2    Key-ids for the keychain
3    Key-string for each key-id
4    Authentication algorithm for each key-id
5    Send and receive time for each key-id
6    Receive tolerance, if required

13.3.2 Creating a Keychain

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
keychain keychain-name [ mode { absolute | periodic { daily | weekly | monthly | yearly } } ]

The keychain is created and the keychain view is entered.

NOTE

When creating a keychain, the timing mode is mandatory. Once a keychain has been created, the timing mode need not be specified to enter the keychain view.

----End

13.3.3 Configuring Receive Tolerance of a Keychain

Procedure

Step 1 Run:
system-view

The system view is entered.

Step 2 Run:
keychain keychain-name

The keychain view is entered.

Step 3 Run:
receive-tolerance { value | infinite }

The receive tolerance period for the keychain is configured.


NOTE

Receive tolerance can be configured in the following two ways:
- Specifying a receive tolerance value in minutes, up to a maximum of 10 days (14400 minutes).
- Specifying an infinite receive tolerance using the infinite keyword.

----End

13.3.4 Configuring a key-id in a Keychain

Procedure

Step 1 Run:
system-view

The system view is entered.

Step 2 Run:
keychain keychain-name

The keychain view is entered.

Step 3 Run:
key-id key-id

The key-id is created and the key-id view is entered.

NOTE

To configure a key-id in a keychain, an id that is unique within the keychain is required. The id is an integer in the range 0 to 63.

----End

13.3.5 Configuring key-string of a key-id

Procedure

Step 1 Run:
system-view

The system view is entered.

Step 2 Run:
keychain keychain-name

The keychain view is entered.

Step 3 Run:
key-id key-id

The key-id is created and the key-id view is entered.

Step 4 Run:
key-string { [ plain ] plain-text | cipher cipher-text }

The key-string for the key-id is configured.


The key-string is the authentication string used when sending and receiving packets. In plain-text form, the password string is displayed as unencrypted text; in cipher-text form, it is displayed in encrypted form. Both are case sensitive.

NOTE

Key-id will be inactive if the key-string is not configured.

----End

13.3.6 Configuring Authentication Algorithm of a key-id

Procedure

Step 1 Run:
system-view

The system view is entered.

Step 2 Run:
keychain keychain-name

The keychain view is entered.

Step 3 Run:
key-id key-id

The key-id is created and the key-id view is entered.

Step 4 Run:
algorithm { hmac-md5 | hmac-sha1-12 | hmac-sha1-20 | md5 | sha-1 | simple }

The authentication algorithm for the key-id is configured.

NOTE

Key-id will be inactive if the authentication algorithm is not configured.

----End

13.3.7 Configuring a key-id as the Default send-key-id

Procedure

Step 1 Run:
system-view

The system view is entered.

Step 2 Run:
keychain keychain-name

The keychain view is entered.

Step 3 Run:
key-id key-id

The key-id is created and the key-id view is entered.


Step 4 Run:
default send-key-id

The key-id is set as the default send-key-id.

NOTE

Only one key-id in a keychain can be configured as the default send-key-id.

----End

13.3.8 Configuring send-time of a key-id

Procedure

- Absolute Timing Mode

  1. Run:
     system-view

     The system view is entered.

  2. Run:
     keychain keychain-name mode absolute

     The keychain is created in absolute timing mode and the keychain view is entered.

  3. Run:
     key-id key-id

     The key-id is created and the key-id view is entered.

  4. Run:
     send-time utc start-time start-date { duration { duration-value | infinite } | { to end-time end-date } }

     The send-time for the key-id is configured.

- Daily Periodic Timing Mode

  1. Run:
     system-view

     The system view is entered.

  2. Run:
     keychain keychain-name mode periodic daily

     The keychain is created in daily periodic timing mode and the keychain view is entered.

  3. Run:
     key-id key-id

     The key-id is created and the key-id view is entered.

  4. Run:
     send-time daily start-time to end-time

     The send-time for the key-id is configured.

- Weekly Periodic Timing Mode

  1. Run:
     system-view


     The system view is entered.

  2. Run:
     keychain keychain-name mode periodic weekly

     The keychain is created in weekly periodic timing mode and the keychain view is entered.

  3. Run:
     key-id key-id

     The key-id is created and the key-id view is entered.

  4. Run:
     send-time day { { start-day-name } &<1-7> } [ to end-day-name ]

     The send-time for the key-id is configured.

- Monthly Periodic Timing Mode

  1. Run:
     system-view

     The system view is entered.

  2. Run:
     keychain keychain-name mode periodic monthly

     The keychain is created in monthly periodic timing mode and the keychain view is entered.

  3. Run:
     key-id key-id

     The key-id is created and the key-id view is entered.

  4. Run:
     send-time date { { start-date-value } &<1-31> } [ to end-date-value ]

     The send-time for the key-id is configured.

- Yearly Periodic Timing Mode

  1. Run:
     system-view

     The system view is entered.

  2. Run:
     keychain keychain-name mode periodic yearly

     The keychain is created in yearly periodic timing mode and the keychain view is entered.

  3. Run:
     key-id key-id

     The key-id is created and the key-id view is entered.

  4. Run:
     send-time month { { start-month-name } &<1-12> } [ to end-month-name ]

     The send-time for the key-id is configured.


NOTE

The send-time for a key-id is configured according to the timing mode defined for the keychain. Only one send key-id in a keychain can be active at a time, so the send-times of different key-ids in a keychain must not overlap.

To reconfigure the send-time, first undo the send-time that is currently configured.

----End

13.3.9 Configuring receive-time of a key-id

Procedure

- Absolute Timing Mode

  1. Run:
     system-view

     The system view is entered.

  2. Run:
     keychain keychain-name mode absolute

     The keychain is created in absolute timing mode and the keychain view is entered.

  3. Run:
     key-id key-id

     The key-id is created and the key-id view is entered.

  4. Run:
     receive-time utc start-time start-date { duration { duration-value | infinite } | { to end-time end-date } }

     The receive-time for the key-id is configured.

- Daily Periodic Timing Mode

  1. Run:
     system-view

     The system view is entered.

  2. Run:
     keychain keychain-name mode periodic daily

     The keychain is created in daily periodic timing mode and the keychain view is entered.

  3. Run:
     key-id key-id

     The key-id is created and the key-id view is entered.

  4. Run:
     receive-time daily start-time to end-time

     The receive-time for the key-id is configured.

- Weekly Periodic Timing Mode

  1. Run:
     system-view

     The system view is entered.


  2. Run:
     keychain keychain-name mode periodic weekly

     The keychain is created in weekly periodic timing mode and the keychain view is entered.

  3. Run:
     key-id key-id

     The key-id is created and the key-id view is entered.

  4. Run:
     receive-time day { { start-day-name } &<1-7> } [ to end-day-name ]

     The receive-time for the key-id is configured.

- Monthly Periodic Timing Mode

  1. Run:
     system-view

     The system view is entered.

  2. Run:
     keychain keychain-name mode periodic monthly

     The keychain is created in monthly periodic timing mode and the keychain view is entered.

  3. Run:
     key-id key-id

     The key-id is created and the key-id view is entered.

  4. Run:
     receive-time date { { start-date-value } &<1-31> } [ to end-date-value ]

     The receive-time for the key-id is configured.

- Yearly Periodic Timing Mode

  1. Run:
     system-view

     The system view is entered.

  2. Run:
     keychain keychain-name mode periodic yearly

     The keychain is created in yearly periodic timing mode and the keychain view is entered.

  3. Run:
     key-id key-id

     The key-id is created and the key-id view is entered.

  4. Run:
     receive-time month { { start-month-name } &<1-12> } [ to end-month-name ]

     The receive-time for the key-id is configured.

NOTE

The receive-time for a key-id is configured in accordance with the timing mode defined for the keychain. It can be configured in five different ways, namely absolute, daily periodic, weekly periodic, monthly periodic, and yearly periodic, depending on the timing mode. More than one receive key-id cannot be active at the same time. To reconfigure the receive-time, first undo the receive-time that is currently configured.

----End


13.3.10 Checking the Configuration

Prerequisites

The configurations of the keychain are complete.

Procedure

- Run the display keychain keychain-name command to view the current configuration of a keychain.

- Run the display keychain keychain-name key-id key-id command to view the current configuration of a key-id inside a keychain.

----End

Example

After the keychain configuration is complete, run the display keychain keychain-name command to view the current configuration of a keychain, for example:

<Huawei> display keychain earth
Keychain Information:
---------------------
Keychain Name            : earth
Timer Mode               : Absolute
Receive Tolerance(min)   : 0
TCP Kind                 : 254
TCP Algorithm IDs        :
  HMAC-MD5               : 5
  HMAC-SHA1-12           : 2
  HMAC-SHA1-20           : 6
  MD5                    : 3
  SHA1                   : 4
Number of Key IDs        : 0
Active Send Key ID       : None
Active Receive Key IDs   : None
Default send Key ID      : Not configured

Run the display keychain keychain-name key-id key-id command to view the current configuration of a key-id inside a keychain, for example:

<Huawei> display keychain earth key-id 1
Keychain Information:
---------------------
Keychain Name            : earth
Timer Mode               : Absolute
Receive Tolerance(min)   : 100
TCP Kind                 : 182
TCP Algorithm IDs        :
  HMAC-MD5               : 5
  HMAC-SHA1-12           : 2
  HMAC-SHA1-20           : 6
  MD5                    : 17
  SHA1                   : 4

Key ID Information:
-------------------
Key ID                   : 1
Key string               : hello (plain)
Algorithm                : MD5


SEND TIMER               :
  Start time             : 2012-03-14 00:00
  End time               : 2012-08-08 23:59
  Status                 : Active
RECEIVE TIMER            :
  Start time             : 2012-03-14 00:00
  End time               : 2012-08-08 23:59
  Status                 : Active
DEFAULT SEND KEY ID INFORMATION
  Default                : Not configured

Note that a key configured with key-string plain is shown in clear text here ("hello (plain)") and is stored the same way in the configuration file, so anyone who can run display commands or read the saved configuration learns the key.

13.4 Configuring TCP Authentication Parameters

This section describes how to configure the TCP authentication parameters of the keychain module.

13.4.1 Establishing the Configuration Task

Applicable Environment

A keychain provides authentication support to all the applications that need it. Authenticated TCP communication is required between two peers, and TCP-based applications can communicate with other vendors' nodes over the authenticated TCP connection.

For authenticated communication, TCP uses the TCP Enhanced Authentication Option. Different vendors currently use different Kind values to represent the TCP Enhanced Authentication Option type, so the Kind value must be configurable according to the vendor of the peer. Similarly, the TCP Enhanced Authentication Option has an algorithm ID field that identifies the authentication algorithm. Because these algorithm IDs are not assigned by IANA (Internet Assigned Numbers Authority), different vendors currently use different algorithm IDs for the same algorithm.

To communicate with another vendor's device, configure in the keychain the TCP algorithm ID of each algorithm to match what the peer uses. Both ends must agree on the Kind value and on every algorithm ID in use; a mismatch on either side causes authentication of the connection to fail.

Pre-configuration Tasks

Before configuring the keychain feature on the peer routers, configure the Network Time Protocol (NTP) so that the time is consistent on the two routers.

Data Preparation

To configure TCP authentication parameters, you need the following data.

No.  Data
1    Keychain name
2    TCP Kind value
3    TCP algorithm ID for each authentication algorithm


13.4.2 Configuring TCP Kind of a Keychain

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
keychain keychain-name

The keychain view is entered.

Step 3 Run:
tcp-kind kind-value

The TCP Kind value for the keychain is configured. The kind-value ranges from 28 to 255.

NOTE

TCP uses the TCP Enhanced Authentication Option for authenticated communication. The Kind value that represents the TCP Enhanced Authentication Option type for a keychain can be configured. Configure the same kind-value on both peers.

----End

13.4.3 Configuring TCP Algorithm-id in a Keychain

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
keychain keychain-name

The keychain view is entered.

Step 3 Run:
tcp-algorithm-id { md5 | sha-1 | hmac-md5 | hmac-sha1-12 | hmac-sha1-20 } algorithm-id

The algorithm ID of the chosen algorithm is configured. The algorithm-id ranges from 1 to 63.

NOTE

The algorithm-id that represents an authentication algorithm type in the TCP Enhanced Authentication Option for a keychain can be configured. Each algorithm's ID must match the ID the peer uses for that algorithm; the display keychain output lists the current mapping.

----End

13.4.4 Checking the Configuration


Prerequisites

The configurations of the keychain are complete.

Procedure

- Run the display keychain keychain-name command to view the current configuration of a keychain.

- Run the display keychain keychain-name key-id key-id command to view the current configuration of a key-id inside a keychain.

----End

Example

After the keychain configuration is complete, run the display keychain keychain-name command to view the current configuration of a keychain, for example:

<Huawei> display keychain earth
Keychain Information:
---------------------
Keychain Name            : earth
Timer Mode               : Absolute
Receive Tolerance(min)   : 0
TCP Kind                 : 254
TCP Algorithm IDs        :
  HMAC-MD5               : 5
  HMAC-SHA1-12           : 2
  HMAC-SHA1-20           : 6
  MD5                    : 3
  SHA1                   : 4
Number of Key IDs        : 0
Active Send Key ID       : None
Active Receive Key IDs   : None
Default send Key ID      : Not configured

Run the display keychain keychain-name key-id key-id command to view the current configuration of a key-id inside a keychain, for example:

<Huawei> display keychain earth key-id 1
Keychain Information:
---------------------
Keychain Name            : earth
Timer Mode               : Absolute
Receive Tolerance(min)   : 100
TCP Kind                 : 182
TCP Algorithm IDs        :
  HMAC-MD5               : 5
  HMAC-SHA1-12           : 2
  HMAC-SHA1-20           : 6
  MD5                    : 17
  SHA1                   : 4

Key ID Information:
-------------------
Key ID                   : 1
Key string               : hello (plain)
Algorithm                : MD5
SEND TIMER               :
  Start time             : 2012-03-14 00:00
  End time               : 2012-08-08 23:59
  Status                 : Active
RECEIVE TIMER            :


  Start time             : 2012-03-14 00:00
  End time               : 2012-08-08 23:59
  Status                 : Active
DEFAULT SEND KEY ID INFORMATION
  Default                : Not configured

13.5 Configuration Examples

This section provides configuration examples of the keychain module.

13.5.1 Example for Configuring Keychain Authentication for Non-TCP Application

Networking Requirements

As shown in Figure 13-1, RIP and keychain authentication must be enabled on all interfaces of Router A and Router B. The routers interconnect with each other using RIP-2.

Figure 13-1 Networking diagram of keychain

RouterA (Eth0/0/8, 192.168.1.1/24) ---- (Eth0/0/8, 192.168.1.2/24) RouterB

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure keychain basic functions.
2. Configure the RIP application on both routers to use the keychain.

Data Preparation

To complete the configuration, you need the following data:

- keychain name
- key-id
- algorithm and key-string
- send and receive time
- receive tolerance

Procedure

Step 1 # Configure RouterA.

Configuring keychain authentication

<RouterA> system-view


[RouterA] keychain huawei mode absolute
[RouterA-keychain] receive-tolerance 100
[RouterA-keychain] key-id 1
[RouterA-keychain-keyid-1] algorithm md5
[RouterA-keychain-keyid-1] key-string plain hello
[RouterA-keychain-keyid-1] send-time utc 14:40 2008-10-10 to 14:50 2008-10-10
[RouterA-keychain-keyid-1] receive-time utc 14:30 2008-10-10 to 14:50 2008-10-10
[RouterA-keychain-keyid-1] quit

Configuring the basic function of RIP

<RouterA> system-view
[RouterA] interface ethernet 0/0/8
[RouterA-Ethernet0/0/8] ip address 192.168.1.1 24
[RouterA-Ethernet0/0/8] rip authentication-mode md5 nonstandard keychain huawei
[RouterA-Ethernet0/0/8] quit

Step 2 # Configure RouterB.

Configuring keychain authentication

[RouterB] keychain huawei mode absolute
[RouterB-keychain] receive-tolerance 100
[RouterB-keychain] key-id 1
[RouterB-keychain-keyid-1] algorithm md5
[RouterB-keychain-keyid-1] key-string plain hello
[RouterB-keychain-keyid-1] send-time utc 14:40 2008-10-10 to 14:50 2008-10-10
[RouterB-keychain-keyid-1] receive-time utc 14:30 2008-10-10 to 14:50 2008-10-10
[RouterB-keychain-keyid-1] quit

Configuring the basic function of RIP

[RouterB] interface ethernet 0/0/8
[RouterB-Ethernet0/0/8] ip address 192.168.1.2 24
[RouterB-Ethernet0/0/8] rip authentication-mode md5 nonstandard keychain huawei
[RouterB-Ethernet0/0/8] quit

----End

Note that with these absolute timers the only send key expires at 14:50 on 2008-10-10; after that the keychain has no active send key and the routers can no longer authenticate the RIP updates they send. In production, define the next key-id with a send-time that begins where this one ends, or use a periodic timing mode.

Configuration Files

- Configuration file of RouterA

#
 sysname RouterA
#
interface Ethernet0/0/8
 ip address 192.168.1.1 255.255.255.0
 rip authentication-mode md5 nonstandard keychain huawei
#
keychain huawei mode absolute
 receive-tolerance 100
 key-id 1
  algorithm md5
  key-string plain hello
  send-time utc 14:40 2008-10-10 to 14:50 2008-10-10
  receive-time utc 14:30 2008-10-10 to 14:50 2008-10-10
#
return

- Configuration file of RouterB

#
 sysname RouterB
#
interface Ethernet0/0/8
 ip address 192.168.1.2 255.255.255.0
 rip authentication-mode md5 nonstandard keychain huawei
#
keychain huawei mode absolute


 receive-tolerance 100
 key-id 1
  algorithm md5
  key-string plain hello
  send-time utc 14:40 2008-10-10 to 14:50 2008-10-10
  receive-time utc 14:30 2008-10-10 to 14:50 2008-10-10
#
return
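The following Python program is an added example, not part of the Huawei guide or its CLI. It models the keychain configured above (key-id 1, MD5, key "hello", send-time 14:40-14:50 and receive-time 14:30-14:50 UTC on 2008-10-10, receive-tolerance 100) and adds a hypothetical key-id 2 to show what the NOTE at the end of the receive-time procedure means: only one send key-id is active at any moment, while several receive key-ids can be. It assumes that receive-tolerance widens a key's receive window by that many minutes at both ends, that the keyed digest is an HMAC over the message (the on-the-wire RIP and TCP MAC constructions differ), and that the lowest active key-id is used if send windows ever overlap.

```python
"""Keychain key selection and message authentication (added example, not Huawei code)."""
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

DAY = datetime(2008, 10, 10, tzinfo=timezone.utc)   # the day used in the RIP example


def at(hour: int, minute: int) -> datetime:
    """UTC instant on the example day."""
    return DAY.replace(hour=hour, minute=minute)


@dataclass(frozen=True)
class KeyId:
    key_id: int
    algorithm: str          # hashlib name, mirroring the key-id view's algorithm command
    key_string: bytes
    send_start: datetime
    send_end: datetime
    receive_start: datetime
    receive_end: datetime


class Keychain:
    def __init__(self, name: str, receive_tolerance_min: int = 0) -> None:
        self.name = name
        # Assumption: tolerance widens each receive window at both ends.
        self.tolerance = timedelta(minutes=receive_tolerance_min)
        self.keys: Dict[int, KeyId] = {}

    def add(self, key: KeyId) -> None:
        self.keys[key.key_id] = key

    def active_send_key(self, now: datetime) -> Optional[KeyId]:
        """Only one send key is active at a time (lowest key-id if windows overlap)."""
        live = [k for k in self.keys.values() if k.send_start <= now <= k.send_end]
        return min(live, key=lambda k: k.key_id) if live else None

    def active_receive_keys(self, now: datetime) -> List[KeyId]:
        """Several receive keys may be active at once."""
        return [k for k in self.keys.values()
                if k.receive_start - self.tolerance <= now <= k.receive_end + self.tolerance]

    def sign(self, message: bytes, now: datetime) -> Tuple[int, bytes]:
        key = self.active_send_key(now)
        if key is None:
            raise RuntimeError(f"keychain {self.name}: no active send key at {now:%H:%M}")
        return key.key_id, hmac.new(key.key_string, message, key.algorithm).digest()

    def verify(self, message: bytes, key_id: int, digest: bytes, now: datetime) -> bool:
        """Accept only if the packet's key-id is an active receive key and the MAC matches."""
        for key in self.active_receive_keys(now):
            if key.key_id == key_id:
                expected = hmac.new(key.key_string, message, key.algorithm).digest()
                return hmac.compare_digest(expected, digest)
        return False


def example_keychain() -> Keychain:
    kc = Keychain("huawei", receive_tolerance_min=100)
    kc.add(KeyId(1, "md5", b"hello", at(14, 40), at(14, 50), at(14, 30), at(14, 50)))
    # Hypothetical follow-on key, not in the guide: takes over sending at 14:51.
    kc.add(KeyId(2, "sha1", b"next-key", at(14, 51), at(15, 30), at(14, 50), at(15, 30)))
    return kc


def rollover_demo() -> Dict[str, object]:
    """Both peers hold the same keychain; NTP is what keeps their clocks aligned."""
    sender, receiver = example_keychain(), example_keychain()
    msg = b"RIP-2 response: 192.168.1.0/24 metric 1"   # constructed payload
    r: Dict[str, object] = {}
    kid1, mac1 = sender.sign(msg, at(14, 45))
    r["14:45 send key"] = kid1
    r["14:45 accepted"] = receiver.verify(msg, kid1, mac1, at(14, 45))
    r["14:45 tampered"] = receiver.verify(msg + b"!", kid1, mac1, at(14, 45))
    kid2, mac2 = sender.sign(msg, at(15, 0))
    r["15:00 send key"] = kid2
    # A packet signed with key 1 arriving at 15:00 is still accepted: the 100-minute
    # tolerance keeps key 1's receive window open until 16:30.
    r["15:00 late key 1 accepted"] = receiver.verify(msg, kid1, mac1, at(15, 0))
    r["15:00 receive keys"] = sorted(k.key_id for k in receiver.active_receive_keys(at(15, 0)))
    r["15:00 forged"] = receiver.verify(msg, kid2, bytes(len(mac2)), at(15, 0))
    # By 17:30 every receive window (tolerance included) has closed and no send key is left.
    r["17:30 key 1 accepted"] = receiver.verify(msg, kid1, mac1, at(17, 30))
    r["17:30 send key"] = sender.active_send_key(at(17, 30))
    return r
```

The receiver never tries every key it holds; it only tries the key-id the packet names, and only if that key-id is currently in its receive window. That is why the receive windows on both peers must overlap around a rollover and why receive-tolerance exists, and also why a peer whose clock has drifted past the window silently stops accepting updates.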


14 Configuration of Attack Defense and Application Layer Association

About This Chapter

Attack defense and application layer association prevent packets from attacking the CPU, so that the device keeps running normally while it is under attack.

14.1 Overview to Attack Defense and Application Layer Association
Attacks on TCP/IP networks increase steadily. Attacks on network devices may cause the network to be disabled or unavailable.

14.2 Configuring Abnormal Packet Attack Defense
Malformed packet attacks are classified into flood attacks without IP payload, IGMP null packet attacks, LAND attacks, Smurf attacks, and TCP flag-bit invalid attacks.

14.3 Configuring Fragmented Packet Attack Defense
Fragmented packet attacks can be classified into attacks with a huge number of fragments, Teardrop, syndrop, nesta, fawx, bonk, NewTear, Bonk, Rose, huge-offset, Ping of Death, Jolt, and duplicated fragmentation.

14.4 Configuring Flood Attack Defense
Flood attacks include SYN flood attacks, UDP flood attacks, and ICMP flood attacks.

14.5 Configuring Application Layer Association
Application layer association controls the forwarding and discarding of protocol packets by enabling or disabling application layer protocols. In this manner, application layer association can defend against attacks.

14.6 Maintaining Attack Defense and Application Layer Association
This section describes how to clear statistics about attack defense.

14.7 Configuration Example
This section provides an example of improving network security through attack defense. Familiarize yourself with the configuration procedures against the networking diagram. Each configuration example consists of the networking requirements, configuration precautions, configuration roadmap, configuration procedures, and configuration files.


14.1 Overview to Attack Defense and Application Layer Association

Attacks on TCP/IP networks increase steadily. Attacks on network devices may cause the network to be disabled or unavailable.

14.1.1 Overview of Attack Defense and Application Layer Association

Improving the ability of the device to defend against DoS attacks, scanning and probing attacks, and malformed packet attacks enhances system security and meets the demands of service deployment.

TCP/IP Attack Defense

Attacks on TCP/IP networks keep increasing because the TCP/IP protocols have design defects and loose implementations, and their impact on the network grows with them. Attacks on network devices in particular may lead to network failure.

Attacks on a TCP/IP network are classified into three types: denial of service (DoS) attacks, scanning attacks, and abnormal packet attacks.

- DoS attack
  DoS attackers send so many packets to the system that it cannot process normal requests or its resources are exhausted; SYN flood and fraggle are typical methods. DoS attacks differ from other attacks in that the attacker does not look for a way into the network but instead prevents valid users from accessing resources or the router.

- Scanning attack
  Scanning attacks identify the systems running on the network through ping scanning (ICMP and TCP) and so pinpoint potential victims. TCP and UDP port scanning can then be used to detect the type of operating system and the services potentially offered. Through scanning, the attacker learns the service types provided by the target system and its latent security weaknesses, and so gets ready to attack the system.

- Abnormal packet attack
  Abnormal packet attacks use malformed packets: the attacker sends defective IP packets to the target system, which may crash when processing them. The main abnormal packet attacks are Ping of Death and Teardrop.

Routers are used in large numbers on core networks and MANs. You can enhance system security to meet service requirements by enhancing the attack defense capability of routers.

Application Layer Association

Routers may simultaneously run multiple services or functions, including Layer 2 services (STP, MSTP, and RRPP), routing services (OSPF and BGP), MPLS services (LDP and RSVP), system services (FTP server and TFTP server), and diagnostic functions (ping and tracert).

In this case, attackers can send packets of different types to attack routers. If the sent packets are multicast packets or the destination address is the address of a port (including the loopback


port) of the router, the router sends the packets directly to the CPU. As a result, router CPU and system resources are consumed, which is exactly the aim of a DoS attack.

To prevent such attacks, switch control is applied to some services and protocols. If the protocol is enabled, packets of that protocol are sent to the CPU; if the protocol is disabled, they are discarded. In this way the protocol packets are controlled and application layer association is implemented.

Some protocols support a whitelist. The application layer association module inspects the protocol packets to be sent to the CPU and allows them a larger bandwidth and higher rate if they match the whitelist.

14.1.2 Attack Defense and Application Layer Association Supported by AR200-S

The AR200-S supports defense against various attacks such as malformed packet attacks, fragmented packet attacks, and flooding attacks. In addition, the AR200-S offers the application layer association module to implement association with the application layer and packet filtering at the application layer.

Attack Defense Supported by AR200-S

The AR200-S supports TCP/IP attack defense of the following types:

- Defense against abnormal packets
  The defense against abnormal packets prevents attacks from consuming excessive CPU resources. Such packets can cause system crashes and network failure, so the AR200-S discards them directly once they are detected. The following checks are applied:
  - Flood attacks without IP payload: IP packets that carry no higher-layer data are considered useless and discarded directly.
  - IGMP null packet attacks: if an IGMP packet is shorter than 28 bytes (a 20-byte IP header plus the 8-byte IGMP message), it is considered null and discarded.
  - LAND attacks: the router checks whether the source and destination addresses of a TCP SYN packet are identical and whether the source and destination ports are identical. If they are, the packet is considered abnormal and discarded directly.
  - Smurf attacks: ICMP echo request packets whose destination address is the broadcast address or a subnet broadcast address are considered abnormal and discarded.
  - TCP flag bit invalid attacks: each flag bit of a TCP packet is checked. If the URG, ACK, PSH, RST, SYN, and FIN flag bits are all 1s or all 0s, or if both SYN and FIN are 1s, the packet is discarded directly.

- Defense against packet fragment attacks
  - The offsets of packet fragments may overlap. The system consumes excessive resources reassembling such fragments and the network connection fails. This is the principle of Teardrop attacks. When defending against Teardrop attacks, the AR200-S discards packets whose offsets overlap during reassembly so that fragments are reassembled correctly.
  - The offset of a packet fragment may be larger than 65515, so that the system consumes excessive resources reassembling the packet and network services are disrupted. This is the principle of huge-offset attacks. When processing huge-offset attacks, the AR200-S


determines whether the total offset length is larger than 65515 and, if so, discards the packet.
  - A repeated fragment attack sends the same packet fragments multiple times, either resending identical fragments or sending fragments with the same offset but different contents. As a result, the system fails to reassemble the fragments and CPU usage becomes too high. To defend against repeated fragment attacks, the AR200-S limits the rate of packet fragments on the interface board so that the CPU is not overwhelmed; the Committed Access Rate (CAR) is configurable.

- Defense against flood attacks
  Flood attacks include TCP SYN flood attacks, UDP flood attacks (including fraggle attacks and UDP diagnosis port attacks), and ICMP flood attacks. The AR200-S defends against TCP SYN flood and ICMP flood attacks by rate limiting, so that CPU resources are not exhausted. To defend against UDP flood attacks, the AR200-S discards UDP packets addressed to port 7 (echo), 13 (daytime), or 19 (chargen).

NOTE

Attack defense configurations take effect only on the main control board.

Application Layer Association Supported by the AR200-S

The AR200-S supports application layer association. The application layer association module controls some protocols and functions:

- When a protocol is disabled, the AR200-S directly discards packets of this protocol to prevent attacks.

- When a protocol is enabled, the AR200-S limits the rate of that protocol's packets sent to the CPU to protect the CPU.

The application layer association module supports the SNMP, HW-TACACS, NTP, SSH, DHCP, 802.1x, and PIM protocols and the HTTP server, Telnet server, STelnet server, FTP server, SFTP server, BFD, UDP helper, and VRRP services.

NOTE

You can configure application layer association separately for each protocol and service.

14.2 Configuring Abnormal Packet Attack Defense

Malformed packet attacks are classified into flood attacks without IP payload, IGMP null packet attacks, LAND attacks, Smurf attacks, and TCP flag-bit invalid attacks.

14.2.1 Establishing the Configuration Task

This section describes the applicable environment, required tasks, and data for configuring defense against malformed packets.

Applicable Environment

Different types of attacks on a network overload network devices, or even cause them to fail, thus affecting network services.


To prevent network devices from being attacked and to ensure normal network services, defense against abnormal packet attacks must be configured.

Pre-configuration Tasks

Before configuring defense against abnormal packet attacks, complete the following task:

- Set the link layer protocol parameters (and the IP address) of the interface so that the link protocol status is Up.

Data Preparation

None.

14.2.2 Enabling Defense Against Abnormal Packet Attacks

The main measure against malformed packet attacks is to determine the packet type: a packet found to be malformed is discarded directly.

Context

Do as follows on the router:

Procedure

Step 1 Run the system-view command to enter the system view.

Step 2 Run the anti-attack abnormal enable command to enable defense against abnormal packet attacks.

Defense against abnormal packet attacks is enabled by default. If it has been disabled, run the command to enable it again.

----End

14.2.3 Checking the Configuration

After configuring defense against attacks from malformed packets, you can view statistics about defense against malformed packets.

Prerequisites

The configurations of the abnormal packet attack defense are complete.

Procedure

Step 1 Run the display anti-attack statistics abnormal command to check the statistics of defense against abnormal packet attacks on the interface board.

----End

Example

After the configuration is complete, run the display anti-attack statistics abnormal command to check the statistics of defense against abnormal packet attacks on the interface board. The (H) and (L) columns are the high and low 32 bits of each 64-bit counter.


<Huawei> display anti-attack statistics abnormal
Packets Statistic Information:
-------------------------------------------------------------------------------
AntiAtkType    TotalPacketNum        DropPacketNum         PassPacketNum
               (H)        (L)        (H)        (L)        (H)        (L)
-------------------------------------------------------------------------------
Abnormal       0          0          0          0          0          0
-------------------------------------------------------------------------------

14.3 Configuring Fragmented Packet Attack Defense

Fragmented packet attacks can be classified into attacks with a huge number of fragments, Teardrop, syndrop, nesta, fawx, bonk, NewTear, Bonk, Rose, huge-offset, Ping of Death, Jolt, and duplicated fragmentation.

14.3.1 Establishing the Configuration Task

This section describes the applicable environment, required tasks, and data for configuring defense against fragmented packet attacks.

Applicable Environment

Different types of attacks on a network overload network devices, or even cause them to fail, thus affecting network services.

To prevent network devices from being attacked and to ensure normal network services, defense against packet fragment attacks must be configured.

Pre-configuration Tasks

Before configuring defense against packet fragment attacks, complete the following task:

- Set the link layer protocol parameters (and the IP address) of the interface so that the link protocol status is Up.

Data Preparation

To configure defense against packet fragment attacks, you need the following data:

No.  Data
1    Rate limit for packet fragments

14.3.2 Configuring Defense Against Packet Fragment Attacks

The main measure against fragmented packet attacks is to limit the packet rate. This prevents an attacker from driving CPU usage up with a large number of fragmented packets and keeps the CPU working normally while under attack.

Context

Do as follows on the router:


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
anti-attack fragment enable

Defense against packet fragment attacks is enabled.

Defense against packet fragment attacks is enabled by default, so normally only the rate limit needs to be configured. If the defense has been disabled, run the command to enable it again.

Step 3 Run:
anti-attack fragment car cir cir

The rate of packet fragments sent to the CPU is limited to cir.

----End

14.3.3 Checking the Configuration

After configuring defense against fragmented packet attacks, you can view statistics about defense against fragmented packets on the LPU.

Prerequisites

The configurations of the fragmented packet attack defense are complete.

Procedure

Step 1 Run the display anti-attack statistics fragment command to check the statistics of defense against packet fragment attacks on the interface board.

----End

Example

After the configuration is complete, run the display anti-attack statistics fragment command to check the statistics of defense against packet fragment attacks on the interface board. A DropPacketNum that keeps growing during normal operation means cir is set below the legitimate fragment rate; a DropPacketNum that grows only while TotalPacketNum spikes is the limiter doing its job.

<Huawei> display anti-attack statistics fragment
Packets Statistic Information:
-------------------------------------------------------------------------------
AntiAtkType    TotalPacketNum        DropPacketNum         PassPacketNum
               (H)        (L)        (H)        (L)        (H)        (L)
-------------------------------------------------------------------------------
Fragment       0          0          0          0          0          0
-------------------------------------------------------------------------------

14.4 Configuring Flood Attack Defense

Flood attacks include SYN flood attacks, UDP flood attacks, and ICMP flood attacks.


14.4.1 Establishing the Configuration Task

This section describes the applicable environment, required tasks, and data for configuring defense against flood attacks.

Applicable Environment

Different types of attacks on a network overload network devices, or even cause them to fail, thus affecting network services.

To prevent network devices from being attacked and to ensure normal network services, defense against flood attacks must be configured.

Pre-configuration Tasks

Before configuring defense against flood attacks, complete the following task:

- Set the link layer protocol parameters (and the IP address) of the interface so that the link protocol status is Up.

Data Preparation

To configure defense against flood attacks, you need the following data:

No.  Data
1    Rate limit for TCP SYN packets and rate limit for ICMP flood packets

14.4.2 Configuring Defense Against SYN Flood Attacks

The main measure against SYN flood attacks is to limit the rate of TCP SYN packets.

Context

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
anti-attack tcp-syn enable

Defense against SYN flood attacks is enabled.

Defense against SYN flood attacks is enabled by default, so normally only the rate limit needs to be configured. If the defense has been disabled, run the command to enable it again.

Step 3 Run:
anti-attack tcp-syn car cir cir


The rate of TCP SYN packets sent to the CPU is limited to cir.

----End

14.4.3 Configuring Defense Against UDP Flood Attacks

The main measure against UDP flood attacks is to drop UDP packets aimed at the diagnosis ports (7, 13, and 19), as described in 14.1.2; this defense has no rate limit to configure.

Context

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
anti-attack udp-flood enable

Defense against UDP flood attacks is enabled.

Defense against UDP flood attacks is enabled by default. If it has been disabled, run the command to enable it again.

----End

14.4.4 Configuring Defense Against ICMP Flood Attacks

The main measure against ICMP flood attacks is to limit the rate of ICMP packets.

Context

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
anti-attack icmp-flood enable

Defense against ICMP flood attacks is enabled.

Defense against ICMP flood attacks is enabled by default, so normally only the rate limit needs to be configured. If the defense has been disabled, run the command to enable it again.

Step 3 Run:
anti-attack icmp-flood car cir cir

The rate of ICMP packets sent to the CPU is limited to cir.

----End


14.4.5 Checking the ConfigurationAfter configuring defense against flood attacks, you can view statistics about defense againstflood attacks on the interface board.

PrerequisitesThe configurations of the flood attack defense are complete.

Procedure

Step 1 Run the display anti-attck statistics [ tcp-syn | udp-flood | icmp-flood ] command to checkthe statistics of defense against flood attacks on the interface board.

----End

Example

After the configuration is complete, run the display anti-attck statistics [ tcp-syn | udp-flood | icmp-flood ] command to check the statistics of defense against flood attacks on theinterface board.

<Huawei> display anti-attack statistics tcp-syn
Packets Statistic Information:
-------------------------------------------------------------------------------
AntiAtkType      TotalPacketNum       DropPacketNum        PassPacketNum
                 (H)      (L)         (H)      (L)         (H)      (L)
-------------------------------------------------------------------------------
Tcp-syn          0        0           0        0           0        0
-------------------------------------------------------------------------------

<Huawei> display anti-attack statistics udp-flood
Packets Statistic Information:
-------------------------------------------------------------------------------
AntiAtkType      TotalPacketNum       DropPacketNum        PassPacketNum
                 (H)      (L)         (H)      (L)         (H)      (L)
-------------------------------------------------------------------------------
Udp-flood        0        0           0        0           0        0
-------------------------------------------------------------------------------

<Huawei> display anti-attack statistics icmp-flood
Packets Statistic Information:
-------------------------------------------------------------------------------
AntiAtkType      TotalPacketNum       DropPacketNum        PassPacketNum
                 (H)      (L)         (H)      (L)         (H)      (L)
-------------------------------------------------------------------------------
Icmp-flood       0        0           0        0           0        0
-------------------------------------------------------------------------------

14.5 Configuring Application Layer Association

Application layer association controls the forwarding and discarding of protocol packets by enabling or disabling application layer protocols. In this manner, application layer association can defend against attacks.

14.5.1 Establishing the Configuration Task

This section describes the applicable environment, required tasks, and data for configuring application layer association.


Applicable Environment

To prevent network devices from being attacked by the packets of idle protocols, and to prevent network congestion, excessively high CPU usage, and DoS attacks, application layer association is required and the idle protocol modules must be disabled. In this way, the packets of those protocols are discarded without being sent to the CPU, and the CPU keeps working normally.

Pre-configuration Tasks

Before configuring application layer association, complete the following tasks:

l Setting the link layer protocol parameters (and the IP address) of the interface so that the link protocol status becomes Up

Data Preparation

To configure application layer association, you need the following data.

No. Data

1 Protocols to be enabled/disabled

2 Policy for packets that do not match the application layer association module

14.5.2 Configuring Application Layer Association

Whether the application layer association module takes effect for a protocol depends on whether the protocol is enabled. Whether a packet that does not match the application layer association module is forwarded or discarded depends on the configuration of the device.

Context

The application layer association module uses the protocol switch to control whether application layer association takes effect. If a protocol is enabled, the packets of the protocol are sent. If the protocol is disabled, the packets of the protocol are directly discarded.

To prevent attacks from the packets of idle protocols, the protocol module must be disabled. If the protocol is enabled, application layer association cannot filter invalid packets of that protocol; in that case, use the rate restriction function to restrict the rate of sending packets and protect the CPU from being attacked.

Do as follows on the router:

Procedure

Step 1 Run the system-view command to enter the system view.

Step 2 For all the protocols and functions that match the application layer association, enable the necessary protocols and disable the idle protocols to prevent attacks on the CPU.

Step 3 (Optional) Run the application-apperceive default drop command to discard packets for which no application layer association policy is found.

----End


14.6 Maintaining Attack Defense and Application Layer Association

This section describes how to clear statistics about attack defense.

14.6.1 Clearing Statistics of Attack Defense and Application Layer Association

After confirming that you need to clear statistics about attack defense, you can run a command to do it.

Context

CAUTION

The statistics cannot be recovered once cleared. Perform the action with caution.

Procedure

Step 1 Run the reset anti-attack statistics [ abnormal | fragment | tcp-syn | udp-flood | icmp-flood ] command to clear the statistics of defense against packet attacks.

----End

14.7 Configuration Example

This section provides an example for improving network security through attack defense. Familiarize yourself with the configuration procedures against the networking diagram. Each configuration example consists of the networking requirements, configuration precautions, configuration roadmap, configuration procedures, and configuration files.

14.7.1 Example of Configuring Attack Defense

This section describes the applications of attack defense on an actual network, including defense against malformed packet attacks, fragmented packet attacks, and flood attacks.

Networking Requirements

As shown in Figure 14-1, Router B as a client is connected to Router A on the public network. To prevent Router A from being attacked by the TCP/IP attack packets sent by a hacker on the LAN, the following attack defense measures must be used on Router A.

l Enable defense against abnormal packet attacks.


l Enable defense against packet fragment attacks and restrict the rate for sending packet fragments to 15000 bit/s to prevent packet fragments from attacking the CPU and using excessive CPU and system resources.

l Enable defense against flood attacks as follows:

– Enable defense against SYN flood attacks and restrict the rate for sending TCP SYN packets to 15000 bit/s to prevent the TCP SYN packets from using excessive CPU resources.

– Enable defense against UDP flood attacks to discard the UDP packets sent on specified ports.

– Enable defense against ICMP flood attacks and restrict the rate for sending ICMP flood packets to 15000 bit/s to prevent the ICMP flood packets from using excessive CPU resources.

Figure 14-1 Networking diagram of configuring Attack Defense (Router A, Eth0/0/7 100.111.1.1/24, connects to the Internet and to Router B, Eth0/0/7 100.111.1.2/24; users and a hacker sit in VLAN100, VLAN200, and VLAN300 on the LAN behind Router B)

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure the IP addresses and routes of each interface to guarantee internetworking.

2. Enable defense against abnormal packet attacks on Router A.

3. Enable defense against packet fragment attacks on Router A.

4. Enable defense against flood attacks on Router A.

Data Preparation

To complete the configuration, you need the following data:


l IP address of each interface

l Restricted rate of sending packets to the CPU

Procedure

Step 1 Configure the IP addresses and routes of each interface to guarantee internetworking (omitted).

Step 2 Enable defense against abnormal packet attacks on Router A.

<RouterA> system-view
[RouterA] anti-attack abnormal enable

Step 3 # Enable defense against packet fragment attacks on Router A and restrict the rate for sending fragment packets to 15000 bit/s.

[RouterA] anti-attack fragment enable
[RouterA] anti-attack fragment car cir 15000

Step 4 # Enable defense against SYN flood attacks on Router A and restrict the rate for sending TCP SYN packets to 15000 bit/s.

[RouterA] anti-attack tcp-syn enable
[RouterA] anti-attack tcp-syn car cir 15000

# Enable defense against UDP flood attacks on Router A to discard the UDP packets sent on specified ports.

[RouterA] anti-attack udp-flood enable

# Enable defense against ICMP flood attacks on Router A and restrict the rate for sending ICMP flood packets to 15000 bit/s.

[RouterA] anti-attack icmp-flood enable
[RouterA] anti-attack icmp-flood car cir 15000

Step 5 Verify the configuration.

After the configuration is complete, run the display anti-attack statistics [ abnormal | fragment | tcp-syn | udp-flood | icmp-flood ] command to check the statistics of packet attack defense.

<RouterA> display anti-attack statistics
Packets Statistic Information:
-------------------------------------------------------------------------------
AntiAtkType      TotalPacketNum       DropPacketNum        PassPacketNum
                 (H)      (L)         (H)      (L)         (H)      (L)
-------------------------------------------------------------------------------
URPF             0        0           0        0           0        0
Abnormal         0        0           0        0           0        0
Fragment         0        0           0        0           0        0
Tcp-syn          0        30          0        0           0        30
Udp-flood        0        0           0        0           0        0
Icmp-flood       0        40          0        0           0        40
-------------------------------------------------------------------------------

----End
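The counters shown by display anti-attack statistics in 14.4.5 and in Step 5 above are cumulative until reset anti-attack statistics clears them, so an operator polling them needs a parser. The following script is an added example, not code from Huawei or from this guide: it reads output in the layout printed above, joins the (H) and (L) halves of each counter (assumed here to be the upper and lower 32 bits of one 64-bit value), and reports the attack types that are dropping packets. The sample output is constructed in that layout.

```python
import re
from typing import Dict, NamedTuple

class AntiAttackStats(NamedTuple):
    total: int
    dropped: int
    passed: int

# One counter row: attack type, then six numbers (H,L halves of total/drop/pass).
_ROW = re.compile(r"^\s*([A-Za-z-]+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def _combine(high: int, low: int) -> int:
    # Assumption (not stated in the guide): (H) is the upper 32 bits, (L) the lower 32.
    return (high << 32) | low

def parse_anti_attack_statistics(output: str) -> Dict[str, AntiAttackStats]:
    """Parse the text of 'display anti-attack statistics' into per-type 64-bit counters."""
    stats: Dict[str, AntiAttackStats] = {}
    for line in output.splitlines():
        m = _ROW.match(line)
        if not m:  # prompt, title, column headers and separators carry no counters
            continue
        h_t, l_t, h_d, l_d, h_p, l_p = (int(x) for x in m.groups()[1:])
        stats[m.group(1)] = AntiAttackStats(
            _combine(h_t, l_t), _combine(h_d, l_d), _combine(h_p, l_p))
    return stats

def flag_drops(stats: Dict[str, AntiAttackStats], min_ratio: float = 0.0) -> Dict[str, float]:
    """Map attack types with a non-zero drop count to their drop ratio, if above min_ratio."""
    flagged = {}
    for name, s in stats.items():
        ratio = s.dropped / s.total if s.total else 0.0
        if s.dropped and ratio > min_ratio:
            flagged[name] = ratio
    return flagged

# Constructed sample in the layout of the guide's output; the Fragment and Tcp-syn
# values are made up to show a drop and a counter whose (H) half is non-zero.
SAMPLE_OUTPUT = """\
<RouterA> display anti-attack statistics
Packets Statistic Information:
-------------------------------------------------------------------------------
AntiAtkType      TotalPacketNum       DropPacketNum        PassPacketNum
                 (H)      (L)         (H)      (L)         (H)      (L)
-------------------------------------------------------------------------------
Fragment         0        500         0        120         0        380
Tcp-syn          1        30          0        0           1        30
Icmp-flood       0        40          0        0           0        40
-------------------------------------------------------------------------------
"""
```

Feed the text captured from the router in place of SAMPLE_OUTPUT; a rising drop ratio for a type whose car cir value you set (fragment, tcp-syn, icmp-flood) is the signal that the rate limit is actively shedding traffic.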

Configuration Files

l Configuration file of Router A

#
 sysname RouterA
#


interface GigabitEthernet1/0/0
 ip address 100.111.1.1 255.255.255.252
#
anti-attack fragment car cir 15000
anti-attack tcp-syn car cir 15000
anti-attack icmp-flood car cir 15000
#
return

l Configuration file of Router B

#
 sysname RouterB
#
interface GigabitEthernet2/0/0
 ip address 100.111.1.2 255.255.255.252
#
return
