NE9000 V800R023C00SPC500 Configuration Guide 17 Security

HUAWEI NetEngine9000

V800R023C00SPC500

Configuration Guide

Issue 01
Date 2023-09-30

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2023. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: https://www.huawei.com
Email: support@huawei.com

Issue 01 (2023-09-30) Copyright © Huawei Technologies Co., Ltd. i


HUAWEI NetEngine9000
Configuration Guide Contents

Contents

1 Configuration............................................................................................................................1
1.1 Security....................................................................................................................................................................................... 1
1.1.1 About This Document........................................................................................................................................................ 1
1.1.2 AAA and User Management Configuration................................................................................................................7
1.1.2.1 AAA and User Management Overview..................................................................................................................... 7
1.1.2.2 Feature Requirements for AAA and User Management (Administrative User)..........................................8
1.1.2.3 Configuring AAA............................................................................................................................................................... 8
1.1.2.3.1 Configuring AAA Schemes......................................................................................................................................... 9
1.1.2.3.2 (Optional) Configuring Local Users..................................................................................................................... 11
1.1.2.3.3 (Optional) Configuring an HWTACACS Server Template............................................................................. 14
1.1.2.3.4 (Optional) Configuring a RADIUS Server Group............................................................................................. 18
1.1.2.3.5 Configuring AAA Schemes for the Domain....................................................................................................... 18
1.1.2.3.6 Verifying the AAA Configuration........................................................................................................................... 20
1.1.2.4 Configuring a Device as a RADIUS Client.............................................................................................................. 21
1.1.2.4.1 Configuring Basic RADIUS Functions................................................................................................................... 21
1.1.2.4.2 (Optional) Configuring RADIUS Packets and Attributes Carried in the Packets.................................. 28
1.1.2.4.3 (Optional) Configuring RADIUS Server Status Detection.............................................................................36
1.1.2.4.4 (Optional) Configuring Whitelist Session-CAR for RADIUS Sessions....................................................... 38
1.1.2.4.5 Verifying the Configuration.....................................................................................................................................39
1.1.2.5 Configuring Command-Line Authorization...........................................................................................................40
1.1.2.5.1 Configuring Level Authorization........................................................................................................................... 40
1.1.2.5.2 Configuring Task Authorization............................................................................................................................. 41
1.1.2.5.3 Verifying the Command-line Authorization Configuration..........................................................................43
1.1.2.6 Configuring the Command-Line Recording Scheme..........................................................................................43
1.1.2.7 Configuring AAA Security Measures........................................................................................................................44
1.1.2.7.1 Security Hardening for Local User Accounts.....................................................................................................44
1.1.2.7.2 Configuring a Forbidden Password String for Local Users........................................................................... 51
1.1.2.7.3 Configuring the Locking Function for Administrators Who Fail Remote Authentication................. 52
1.1.2.8 Maintaining AAA and User Management............................................................................................................. 52
1.1.2.8.1 Displaying the AAA Operation Information...................................................................................................... 52
1.1.2.8.2 Clearing AAA Statistics............................................................................................................................................. 53
1.1.2.8.3 Logging Out Users..................................................................................................................................................... 54
1.1.2.9 Configuration Examples for AAA and User Management............................................................................... 55

1.1.2.9.1 Examples for Configuring User Group Authorization.................................................................................... 55
1.1.2.9.2 Example for Configuring Local Authentication and Authorization........................................................... 58
1.1.2.9.3 Example for Configuring HWTACACS Authentication, Authorization, and Accounting for Access Users................................................................................................................................................................................. 61
1.1.2.9.4 Example for Configuring HWTACACS Authentication and Authorization for Administrators......... 65
1.1.3 ARP Security Configuration............................................................................................................................................ 68
1.1.3.1 Overview of ARP Security........................................................................................................................................... 68
1.1.3.2 Feature Requirements for ARP Security................................................................................................................. 71
1.1.3.3 Configuring a Rate Limit for ARP Packets to Be Sent to the CPU................................................................ 71
1.1.3.3.1 Enabling ARP Bidirectional Isolation.................................................................................................................... 72
1.1.3.3.2 Configuring ARP VLAN CAR.................................................................................................................................... 72
1.1.3.3.3 Checking the Configuration.................................................................................................................................... 74
1.1.3.4 Configuring Anti-ARP Spoofing.................................................................................................................................74
1.1.3.4.1 Validity Check of ARP Packets................................................................................................................................74
1.1.3.4.2 Filtering ARP Packets.................................................................................................................................................75
1.1.3.4.3 Checking the Destination IP Addresses of ARP Packets................................................................................ 75
1.1.3.4.4 Verifying the Anti-ARP Spoofing Configuration...............................................................................................76
1.1.3.5 Configuring Anti-ARP Flooding................................................................................................................................. 76
1.1.3.5.1 Restricting Dynamic ARP Entry Learning........................................................................................................... 77
1.1.3.5.2 Strict ARP Learning.................................................................................................................................................... 77
1.1.3.5.3 ARP Entry Limit........................................................................................................................................................... 79
1.1.3.5.4 Configuring an ARP Packet Rate Limit................................................................................................................ 80
1.1.3.5.5 Configuring an ARP Miss Message Rate Limit................................................................................................. 81
1.1.3.5.6 (Optional) Enabling the Device to Record Logs and Generate Alarms About Potential Attacks............................................................................................................................................................................................ 82
1.1.3.5.7 Disabling Gratuitous ARP Packet Sending......................................................................................................... 83
1.1.3.5.8 Configuring Gratuitous ARP Packet Discarding............................................................................................... 83
1.1.3.5.9 Verifying the Anti-ARP Flooding Configuration............................................................................................... 84
1.1.3.6 Maintaining ARP Security............................................................................................................................................85
1.1.3.6.1 Clearing ARP Security Statistics............................................................................................................................. 85
1.1.3.6.2 Monitoring the Operating Status of ARP Security.......................................................................................... 86
1.1.3.6.3 Clearing ARP Bidirectional Isolation Statistics on an Interface Board......................................................86
1.1.3.7 Configuration Examples for ARP Security............................................................................................................. 87
1.1.3.7.1 Example for Configuring ARP Security................................................................................................................ 87
1.1.3.7.2 Example for Configuring ARP Bidirectional Isolation and ARP VLAN CAR.............................................89
1.1.4 DHCP Snooping Configuration..................................................................................................................................... 91
1.1.4.1 DHCP Snooping Overview.......................................................................................................................................... 91
1.1.4.2 Feature Requirements for DHCP Snooping........................................................................................................... 91
1.1.4.3 Configuring Defense Against Bogus DHCP Server Attacks............................................................................... 91
1.1.4.3.1 Enabling DHCP Snooping........................................................................................................................................ 92
1.1.4.3.2 Configuring an Interface as a Trusted Interface.............................................................................................. 94
1.1.4.3.3 (Optional) Enabling Bogus DHCP Server Detection.......................................................................................96
1.1.4.3.4 (Optional) Configuring the Alarm Function for Discarded DHCP Reply Packets.................................. 96

1.1.4.3.5 Checking the Configuration.................................................................................................................................... 98
1.1.4.4 Configuring Defense Against Man-in-the-Middle Attacks and IP/MAC Address Spoofing..................98
1.1.4.4.1 Enabling DHCP Snooping........................................................................................................................................ 98
1.1.4.4.2 Enabling DHCP Request Packet Check............................................................................................................. 100
1.1.4.4.3 (Optional) Configuring the DHCP Snooping Binding Table...................................................................... 101
1.1.4.4.4 (Optional) Configuring Option 82 Field Insertion........................................................................................ 104
1.1.4.4.5 (Optional) Configuring the Alarm Function for Discarded Man-in-the-Middle Attack and IP/MAC Address Spoofing Packets....................................................................................................................................................... 107
1.1.4.4.6 Verifying the Configuration of Defense Against Man-in-the-Middle Attacks and IP/MAC Address Spoofing........................................................................................................................................................................................ 109
1.1.4.5 Preventing DoS Attacks by Changing the CHADDR Field............................................................................... 109
1.1.4.5.1 Enabling DHCP Snooping...................................................................................................................................... 110
1.1.4.5.2 Configuring CHADDR Field Check...................................................................................................................... 112
1.1.4.5.3 (Optional) Configuring the Alarm Function for Discarded DHCP Packets with Incorrect CHADDR Fields.............................................................................................................................................................................................. 113
1.1.4.5.4 Checking the Configuration.................................................................................................................................. 114
1.1.4.6 Configuring Defense Against DHCP Exhaustion Attacks............................................................................... 115
1.1.4.6.1 Enabling DHCP Snooping...................................................................................................................................... 115
1.1.4.6.2 Enabling DHCP Request Packet Check............................................................................................................. 117
1.1.4.6.3 (Optional) Configuring Option 82 Field Insertion........................................................................................ 118
1.1.4.6.4 (Optional) Configuring the Alarm Function for Discarded DHCP Packets for Extending the IP Address Lease.............................................................................................................................................................................. 122
1.1.4.6.5 Checking the Configuration.................................................................................................................................. 123
1.1.4.7 Setting the Maximum Number of DHCP Clients.............................................................................................. 123
1.1.4.8 Configuring the DHCP Snooping Packet Sending Method........................................................................... 125
1.1.4.9 Configuring DHCP Snooping Whitelists............................................................................................................... 126
1.1.4.10 Configuring DHCP Snooping Binding Table Maintenance.......................................................................... 127
1.1.4.10.1 Configuring DHCP Binding Table Update......................................................................................................128
1.1.4.11 Maintaining DHCP Snooping................................................................................................................................ 129
1.1.4.11.1 Resetting Statistics on the Number of Discarded DHCP Packets........................................................... 129
1.1.4.11.2 Clearing Statistics About Packets Matching a DHCP Snooping Whitelist Rule................................130
1.1.4.12 Configuration Examples for DHCP Snooping.................................................................................................. 130
1.1.4.12.1 Example for Configuring DHCP Snooping for a Layer 2 Device............................................................ 130
1.1.4.12.2 Example for Configuring DHCP Snooping for a Layer 3 Device............................................................ 137
1.1.5 DHCPv6 Snooping Configuration.............................................................................................................................. 142
1.1.5.1 Overview of DHCPv6 Snooping.............................................................................................................................. 142
1.1.5.2 Feature Requirements for DHCPv6 Snooping.................................................................................................... 142
1.1.5.3 Configuring IPv6/MAC Spoofing Attack Defense............................................................................................. 142
1.1.5.3.1 Enabling DHCPv6 Snooping................................................................................................................................. 143
1.1.5.3.2 Enabling the Packet Check Function................................................................................................................. 143
1.1.5.3.3 (Optional) Configuring a DHCPv6 Snooping Binding Table..................................................................... 143
1.1.5.3.4 (Optional) Configuring a Policy for Checking Invalid IPv6 Packets........................................................145
1.1.5.3.5 (Optional) Configuring the Alarm Function for IPv6/MAC Spoofing Attacks.....................................146

1.1.5.3.6 Verifying the Configuration.................................................................................................................................. 146
1.1.5.4 Enabling Association Between ND Probe and DHCPv6 Snooping..............................................................147
1.1.5.5 Maintaining DHCPv6 Snooping.............................................................................................................................. 147
1.1.5.5.1 Clearing DHCPv6 Snooping Statistics............................................................................................................... 147
1.1.5.6 Configuration Examples for DHCPv6 Snooping................................................................................................ 148
1.1.5.6.1 Example for Configuring DHCPv6 Snooping on a Layer 3 Device.......................................................... 148
1.1.6 GTSM Configuration...................................................................................................................................................... 151
1.1.6.1 Overview of GTSMs.................................................................................................................................................... 151
1.1.6.2 Feature Requirements for GTSM............................................................................................................................ 152
1.1.6.3 Configuring OSPF GTSM........................................................................................................................................... 152
1.1.6.4 Configuring OSPFv3 GTSM.......................................................................................................................................153
1.1.6.5 Configuring BGP GTSM............................................................................................................................................. 154
1.1.6.6 Configuring BGP4+ GTSM.........................................................................................................................................156
1.1.6.7 Configuring LDP GTSM.............................................................................................................................................. 158
1.1.6.8 Configuring GTSM for RIP........................................................................................................................................ 160
1.1.6.9 Maintaining GTSMs.................................................................................................................................................... 161
1.1.6.9.1 Clearing the Statistics About the GTSM........................................................................................................... 161
1.1.6.10 Configuration Examples for GTSMs.................................................................................................................... 162
1.1.6.10.1 Example for Configuring OSPF GTSM............................................................................................................ 162
1.1.6.10.2 Example for Configuring the BGP GTSM....................................................................................................... 167
1.1.6.10.3 Example for Configuring LDP GTSM............................................................................................................... 176
1.1.7 HIPS Configuration......................................................................................................................................................... 179
1.1.7.1 Overview of HIPS......................................................................................................................................................... 179
1.1.7.2 Feature Requirements for HIPS.............................................................................................................................. 180
1.1.7.3 Enabling HIPS............................................................................................................................................................... 180
1.1.8 Keychain Configuration.................................................................................................................................................180
1.1.8.1 Overview of Keychain................................................................................................................................................ 181
1.1.8.1.1 Introduction to Keychain....................................................................................................................................... 181
1.1.8.2 Feature Requirements for Keychain...................................................................................................................... 182
1.1.8.3 Configuring Basic Keychain Functions..................................................................................................................182
1.1.8.3.1 Creating a Keychain................................................................................................................................................ 183
1.1.8.3.2 (Optional) Configuring Receive Tolerance of a Keychain.......................................................................... 183
1.1.8.3.3 Creating a Key-id in a Keychain.......................................................................................................................... 184
1.1.8.3.4 Configuring Key-string of a Key-id.....................................................................................................................184
1.1.8.3.5 Configuring Authentication Algorithm of a Key-id...................................................................................... 185
1.1.8.3.6 (Optional) Configuring a Key-id as the Default Send-key-id................................................................... 186
1.1.8.3.7 Configuring Send-time of a Key-id.................................................................................................................... 186
1.1.8.3.8 Configuring Receive-time of a Key-id............................................................................................................... 188
1.1.8.3.9 Verifying the Keychain Configuration............................................................................................................... 191
1.1.8.4 Configuring TCP Authentication Parameters..................................................................................................... 191
1.1.8.4.1 Configuring TCP Kind of a Keychain..................................................................................................................191
1.1.8.4.2 Configuring TCP Algorithm-id in a Keychain.................................................................................................. 192

1.1.8.4.3 Checking the Configuration.................................................................................................................................. 193
1.1.8.5 Configuration Examples for Keychain.................................................................................................................. 193
1.1.8.5.1 Example for Configuring Keychain Authentication for Non-TCP Application..................................... 193
1.1.8.5.2 Example for Configuring Keychain Authentication for TCP Application............................................... 195
1.1.9 TCP-AO Configuration................................................................................................................................................... 198
1.1.9.1 Overview of TCP-AO................................................................................................................................................... 198
1.1.9.2 Feature Requirements for TCP-AO........................................................................................................................ 198
1.1.9.3 Configuring a Keychain............................................................................................................................................. 198
1.1.9.4 Configuring a TCP-AO and Binding It to a Keychain...................................................................................... 200
1.1.9.5 Applying a TCP-AO......................................................................................................................................................201
1.1.9.6 Configuration Examples............................................................................................................................................ 202
1.1.9.6.1 Example for Configuring TCP-AO Authentication for BGP........................................................................ 202
1.1.10 URPF Configuration..................................................................................................................................................... 207
1.1.10.1 URPF Overview.......................................................................................................................................................... 207
1.1.10.2 Feature Requirements for URPF........................................................................................................................... 209
1.1.10.3 Configuring URPF on an Interface...................................................................................................................... 209
1.1.10.4 Configuring Flow-based URPF.............................................................................................................................. 210
1.1.10.4.1 Configuring a Traffic Classifier.......................................................................................................................... 211
1.1.10.4.2 Configuring a Traffic Behavior.......................................................................................................................... 212
1.1.10.4.3 Configuring a Traffic Policy................................................................................................................................ 212
1.1.10.4.4 Applying the Traffic Policy.................................................................................................................................. 213
1.1.10.5 Configuring Peer-based URPF............................................................................................................................... 213
1.1.10.5.1 Configuring a Peer Group ID and Applying It to a Route-Policy...........................................................214
1.1.10.5.2 Configuring Peer-based URPF on an Interface............................................................................................ 214
1.1.10.6 Maintaining URPF..................................................................................................................................................... 215
1.1.10.7 Configuration Examples for URPF....................................................................................................................... 215
1.1.10.7.1 Example for Configuring URPF......................................................................................................................... 215
1.1.11 Local Attack Defense Configuration...................................................................................................................... 217
1.1.11.1 Introduction to Local Attack Defense................................................................................................................ 218
1.1.11.2 Feature Requirements for Local Attack Defense............................................................................................ 218
1.1.11.3 Configuring Attack Source Tracing...................................................................................................................... 218
1.1.11.3.1 Creating an Attack Defense Policy...................................................................................................................219
1.1.11.3.2 Enabling Attack Source Tracing........................................................................................................................ 219
1.1.11.3.3 Configuring Sampling Parameters for Attack Source Tracing................................................................ 220
1.1.11.3.4 Applying the Attack Defense Policy................................................................................................................ 221
1.1.11.3.5 Checking the Configurations............................................................................................................................. 221
1.1.11.4 Configuring the Alarm Function for Packet Discarding............................................................................... 222
1.1.11.5 Configuring Local URPF.......................................................................................................................................... 223
1.1.11.5.1 Creating the Attack Defense Policy................................................................................................................. 224
1.1.11.5.2 Configuring Local URPF....................................................................................................................................... 224
1.1.11.5.3 Applying the Attack Defense Policy................................................................................................................ 225
1.1.11.5.4 Verifying the Local URPF Configuration........................................................................................................ 225

Issue 01 (2023-09-30) Copyright © Huawei Technologies Co., Ltd. vi


HUAWEI NetEngine9000
Configuration Guide Contents

1.1.11.6 Configuring TCP/IP Attack Defense.................................................................................................................... 225
1.1.11.6.1 Creating an Attack Defense Policy...................................................................................................................226
1.1.11.6.2 Enabling Defense Against Malformed Packet Attacks..............................................................................226
1.1.11.6.3 Enabling Defense Against Fragmented Packet Attacks............................................................................227
1.1.11.6.4 Enabling Defense Against TCP SYN Flooding Attacks.............................................................................. 228
1.1.11.6.5 Enabling Defense Against UDP Packet Attacks........................................................................................... 228
1.1.11.6.6 Applying the Attack Defense Policy................................................................................................................ 229
1.1.11.6.7 Verifying the TCP/IP Attack Defense Configuration.................................................................................. 229
1.1.11.7 Configuring Invalid ND Packet Attack Defense.............................................................................................. 230
1.1.11.8 Configuring the CAR................................................................................................................................................ 230
1.1.11.8.1 Creating an Attack Defense Policy...................................................................................................................231
1.1.11.8.2 Configuring a Whitelist........................................................................................................................................ 231
1.1.11.8.3 Configuring a Blacklist......................................................................................................................................... 233
1.1.11.8.4 Configuring User-Defined Flow Rules............................................................................................................ 235
1.1.11.8.5 Configuring the Packet Matching Order........................................................................................................236
1.1.11.8.6 Configuring the CAR............................................................................................................................................. 237
1.1.11.8.7 Configuring the Packet Sending Priority........................................................................................................237
1.1.11.8.8 Setting Bandwidth Values and Weights for the Protocol Group Whose Packets Are to Be Sent to the CPU......................................................................................................................................................... 238
1.1.11.8.9 Applying the Attack Defense Policy................................................................................................................ 242
1.1.11.8.10 Verifying the Configurations........................................................................................................................... 242
1.1.11.9 Configuring VLAN CAR............................................................................................................................................ 244
1.1.11.10 Configuring ND VLAN CAR..................................................................................................................................245
1.1.11.11 Configuring Interface-based CAR...................................................................................................................... 247
1.1.11.12 Configuring Dynamic Link Protection..............................................................................................................248
1.1.11.13 Configuring the Management Protocol ACL Delivering Function......................................................... 248
1.1.11.14 Configuring the Function of Receiving Broadcast ICMP Echo Request Packets................................249
1.1.11.15 Configuring Application Layer Association.................................................................................................... 250
1.1.11.15.1 Creating an Attack Defense Policy................................................................................................................ 250
1.1.11.15.2 Setting the Mode of Processing the Packets Sent to the CPU.............................................................251
1.1.11.15.3 Applying the Attack Defense Policy.............................................................................................................. 252
1.1.11.15.4 Verifying the Application Layer Association Configuration.................................................................. 252
1.1.11.16 Configuring Management and Service Plane Protection.......................................................................... 253
1.1.11.16.1 Configuring a Global Policy for Management and Service Plane Protection.................................253
1.1.11.16.2 Configuring an Interface Board-based Policy for Management and Service Plane Protection......................................................................................................................................................... 254
1.1.11.16.3 Configuring an Interface-based Policy for Management and Service Plane Protection.............255
1.1.11.16.4 Verifying the Configuration of Management and Service Plane Protection...................................256
1.1.11.17 Configuring Layer 2 Loop Detection................................................................................................................ 256
1.1.11.17.1 Configuring Actions in Response to Layer 2 Loops................................................................................. 257
1.1.11.17.2 (Optional) Disabling Layer 2 Loop Detection........................................................................................... 258
1.1.11.17.3 (Optional) Configuring the Layer 2 Loop Detection Threshold.......................................................... 259
1.1.11.17.4 Verifying the Layer 2 Loop Detection Configuration.............................................................................. 260
1.1.11.18 Configuring Layer 3 Loop Detection................................................................................................................ 260
1.1.11.19 Maintaining Local Attack Defense.................................................................................................................... 260
1.1.11.20 Configuration Examples for Local Attack Defense......................................................................................261
1.1.11.20.1 Example for Configuring Attack Defense for the CPU........................................................................... 261
1.1.12 SOC Configuration....................................................................................................................................................... 275
1.1.12.1 Overview of SOC....................................................................................................................................................... 275
1.1.12.1.1 Introduction to SOC.............................................................................................................................................. 275
1.1.12.2 Feature Requirements for SOC............................................................................................................................. 276
1.1.12.3 Configuring the SOC................................................................................................................................................ 276
1.1.12.3.1 Enabling the SOC................................................................................................................................................... 276
1.1.12.3.2 Analyzing Attack Events...................................................................................................................................... 277
1.1.12.3.3 (Optional) Configuring a User-Defined Group for Which Attack Defense Is Enabled.................. 279
1.1.12.3.4 (Optional) Configuring Attack Source Tracing Parameters.....................................................................280
1.1.12.3.5 (Optional) Configuring Attack Detection Parameters.............................................................................. 281
1.1.12.3.6 Verifying the SOC Configuration...................................................................................................................... 282
1.1.12.4 Maintaining the SOC................................................................................................................................................282
1.1.12.4.1 Clearing SOC Statistics......................................................................................................................................... 282
1.1.13 Packet Header Obtaining Configuration.............................................................................................................. 283
1.1.13.1 Overview of Packet Header Obtaining.............................................................................................................. 283
1.1.13.2 Feature Requirements for Packet Header Obtaining....................................................................................283
1.1.13.3 Configuring a Device to Obtain Packet Headers Sent to its CPU.............................................................283
1.1.13.4 Configuring a Device to Obtain Forwarded Packet Headers..................................................................... 285
1.1.13.5 Maintaining Packet Header Obtaining................................................................................................................ 288
1.1.13.5.1 Clearing Information About Obtained Packet Headers............................................................................288
1.1.13.6 Configuration Examples for Packet Header Obtaining................................................................................ 288
1.1.13.6.1 Example for Configuring a Device to Obtain Packet Headers Sent to its CPU................................ 289
1.1.13.6.2 Example for Configuring a Device to Obtain Forwarded Packet Headers.........................................290
1.1.14 BGP Flow Specification Configuration...................................................................................................................293
1.1.14.1 Overview of BGP Flow Specification.................................................................................................................. 293
1.1.14.2 Feature Requirements for BGP Flow Specification........................................................................................ 295
1.1.14.3 Configuring Dynamic BGP Flow Specification................................................................................................ 295
1.1.14.4 Configuring Static BGP Flow Specification....................................................................................................... 305
1.1.14.5 Configuring Dynamic BGP IPv6 Flow Specification.......................................................................................319
1.1.14.6 Configuring Static BGP IPv6 Flow Specification............................................................................................. 324
1.1.14.7 Configuring Dynamic BGP VPN Flow Specification.......................................................................................333
1.1.14.8 Configuring Static BGP VPN Flow Specification............................................................................................. 340
1.1.14.9 Configuring Dynamic BGP IPv6 VPN Flow Specification............................................................................. 349
1.1.14.10 Configuring Static BGP IPv6 VPN Flow Specification................................................................................. 355
1.1.14.11 Configuring Dynamic BGP VPNv4 Flow Specification................................................................................363
1.1.14.12 Configuring Static BGP VPNv4 Flow Specification...................................................................................... 367
1.1.14.13 Configuring Dynamic BGP VPNv6 Flow Specification................................................................................372
1.1.14.14 Configuring Static BGP VPNv6 Flow Specification...................................................................................... 375
1.1.14.15 Configuring the BMP Device to Report Local-RIB Routes in the BGP-Flow Address Family........ 380
1.1.14.16 Configuring the BMP Device to Report Local-RIB Routes in the BGP-IPv6-Flow Address Family......................................................................................................................................................... 382
1.1.14.17 Configuration Examples for BGP Flow Specification.................................................................................. 383
1.1.14.17.1 Example for Configuring Dynamic BGP Flow Specification..................................................................383
1.1.14.17.2 Example for Configuring Static BGP Flow Specification........................................................................ 387
1.1.14.17.3 Example for Configuring Dynamic BGP Flow Specification with a BGP RR.................................... 392
1.1.14.17.4 Example for Configuring Dynamic BGP IPv6 Flow Specification........................................................ 397
1.1.14.17.5 Example for Configuring Static BGP IPv6 Flow Specification.............................................................. 401
1.1.14.17.6 Example for Configuring Dynamic BGP IPv6 Flow Specification with a BGP RR...........................406
1.1.14.17.7 Example for Configuring Dynamic BGP VPN Flow Specification........................................................411
1.1.14.17.8 Example for Configuring Static BGP VPN Flow Specification.............................................................. 415
1.1.14.17.9 Example for Configuring Dynamic BGP IPv6 VPN Flow Specification.............................................. 420
1.1.14.17.10 Example for Configuring Static BGP IPv6 VPN Flow Specification.................................................. 423
1.1.14.17.11 Example for Configuring Dynamic BGP VPNv4 Flow Specification.................................................427
1.1.14.17.12 Example for Configuring Static BGP VPNv4 Flow Specification....................................................... 431
1.1.14.17.13 Example for Configuring Dynamic BGP VPNv6 Flow Specification.................................................435
1.1.14.17.14 Example for Configuring Static BGP VPNv6 Flow Specification....................................................... 439
1.1.15 IPsec Configuration...................................................................................................................................................... 444
1.1.15.1 Overview of IPsec...................................................................................................................................................... 445
1.1.15.2 Feature Requirements for IPsec............................................................................................................................446
1.1.15.3 Configuring an IPsec SA Manually...................................................................................................................... 446
1.1.15.3.1 Configuring a Security Proposal....................................................................................................................... 446
1.1.15.3.2 Configuring an SA................................................................................................................................................. 447
1.1.15.3.3 Applying IPsec......................................................................................................................................................... 448
1.1.15.3.4 Checking the Manual IPsec Configuration....................................................................................................450
1.1.15.4 Configuration Examples for IPsec........................................................................................................................ 450
1.1.15.4.1 Manual IPsec Configuration Scenario.............................................................................................................450
1.1.16 PKI Configuration......................................................................................................................................................... 456
1.1.16.1 Overview of PKI......................................................................................................................................................... 456
1.1.16.2 Feature Requirements for PKI............................................................................................................................... 457
1.1.16.3 Configuring CMP-based Certificate Management......................................................................................... 457
1.1.16.3.1 Creating an RSA Key Pair.................................................................................................................................... 458
1.1.16.3.2 Configuring Entity Information......................................................................................................................... 458
1.1.16.3.3 Configuring CMP Sessions.................................................................................................................................. 460
1.1.16.3.4 Configuring CMP-based Certificate Management..................................................................................... 461
1.1.16.3.5 Verifying the Configuration of CMP-based Certificate Management................................................. 463
1.1.16.4 Configuring PKI Certificate.....................................................................................................................................464
1.1.16.4.1 Creating an RSA Key Pair.................................................................................................................................... 464
1.1.16.4.2 Configuring Entity Information......................................................................................................................... 465
1.1.16.4.3 Obtaining a Certificate.........................................................................................................................................467
1.1.16.4.4 Verifying the PKI Certificate Configuration...................................................................................................468
1.1.16.5 Configuring Certificate Validity Check............................................................................................................... 469
1.1.16.5.1 Configuring the CRL Function........................................................................................................................... 469
1.1.16.5.2 Verifying the Certificates..................................................................................................................................... 472
1.1.16.6 Controlling Certificate Access Based on Certificate Attributes.................................................................. 473
1.1.16.7 Maintaining PKI......................................................................................................................................................... 475
1.1.16.7.1 Deleting Certificates............................................................................................................................................. 475
1.1.16.7.2 Deleting RSA Key Pairs........................................................................................................................................ 476
1.1.16.7.3 Clearing CMP Session Statistics........................................................................................................................ 476
1.1.16.7.4 Updating the Expired Local Certificate and CRL Certificate................................................................... 476
1.1.17 Mirroring Configuration............................................................................................................................................. 478
1.1.17.1 Overview of Mirroring............................................................................................................................................. 478
1.1.17.2 Feature Requirements for Mirroring................................................................................................................... 478
1.1.17.3 Configuring Port Mirroring.................................................................................................................................... 479
1.1.17.3.1 Configuring an Observing Port......................................................................................................................... 479
1.1.17.3.2 Configuring a Mirrored Port...............................................................................................................................480
1.1.17.3.3 Specifying an Observing Port for Mirroring................................................................................................. 483
1.1.17.3.4 Configuring Port Mirroring in Integrated Mode......................................................................................... 486
1.1.17.3.5 (Optional) Configuring the CAR Function for Mirrored Traffic............................................................. 487
1.1.17.3.6 (Optional) Configuring the Function to Mirror Packet Content of a Specified Length................ 488
1.1.17.3.7 (Optional) Enabling Mirroring Statistics Collection...................................................................................490
1.1.17.3.8 Verifying the Configuration................................................................................................................................ 490
1.1.17.3.9 Disabling Port Mirroring......................................................................................................................................491
1.1.17.4 Configuring Flow Mirroring................................................................................................................................... 492
1.1.17.4.1 Configuring an Observing Port......................................................................................................................... 493
1.1.17.4.2 Specifying an Observing Port for Mirroring................................................................................................. 493
1.1.17.4.3 Defining a Traffic Policy for Mirrored Traffic............................................................................................... 494
1.1.17.4.4 Applying a Traffic Policy to a Mirrored Port.................................................................................................497
1.1.17.4.5 (Optional) Configuring the Mirroring Statistics Function....................................................................... 497
1.1.17.4.6 Verifying the Configuration................................................................................................................................ 498
1.1.17.4.7 Disabling Flow Mirroring.................................................................................................................................... 498
1.1.17.5 Maintaining Mirroring Statistics.......................................................................................................................... 500
1.1.17.5.1 Checking Mirroring Statistics............................................................................................................................. 500
1.1.17.5.2 Clearing Mirroring Statistics.............................................................................................................................. 500
1.1.17.6 Configuration Examples for Mirroring............................................................................................................... 500
1.1.17.6.1 Example for Configuring Board-based Mirroring....................................................................................... 501
1.1.17.6.2 Example for Configuring Port Mirroring........................................................................................................ 503
1.1.17.6.3 Example for Configuring Observing Ports for the Upstream and Downstream Packets of a Mirrored Port............................................................................................................................................................... 506
1.1.17.6.4 Example for Configuring Port Mirroring (1:N Scenario).......................................................................... 509
1.1.17.6.5 Example for Configuring EVC Port Mirroring............................................................................................... 512
1.1.17.6.6 Example for Configuring Local Flow Mirroring........................................................................................... 518
1.1.18 Layer 2 Traffic Suppression Configuration...........................................................................................................522
1.1.18.1 Overview of Layer 2 Traffic Suppression.......................................................................................................... 522
1.1.18.2 Feature Requirements for Layer 2 Traffic Suppression................................................................................ 522
1.1.18.3 Configuring Interface-related Traffic Suppression.........................................................................................522
1.1.18.3.1 Configuring Interface-based Traffic Suppression........................................................................................523
1.1.18.3.2 (Optional) Configuring Sub-interface-based Traffic Suppression........................................................ 524
1.1.18.3.3 Configuring Interface- and VLAN-based Traffic Suppression.................................................................525
1.1.18.3.4 Verifying the Configuration................................................................................................................................ 526
1.1.18.4 Configuring Traffic Suppression over a VSI......................................................................................................526
1.1.18.5 Configuring BD-based Traffic Suppression.......................................................................................................528
1.1.18.6 (Optional) Configuring VSI PW-based Traffic Suppression........................................................................ 529
1.1.18.6.1 Verifying the Configuration of Traffic Suppression over a VSI PW...................................................... 530
1.1.18.7 Configuring Traffic Suppression for Special Reserved Multicast Groups............................................... 531
1.1.18.8 Maintaining Layer 2 Traffic Suppression.......................................................................................................... 531
1.1.18.9 Configuration Examples for Layer 2 Traffic Suppression............................................................................ 532
1.1.18.9.1 Example for Configuring VSI PW-based Broadcast Traffic Suppression............................................. 532
1.1.19 MPAC Configuration.................................................................................................................................................... 539
1.1.19.1 Introduction to MPAC.............................................................................................................................................. 539
1.1.19.2 Feature Requirements for MPAC..........................................................................................................................540
1.1.19.3 Configuring MPAC.....................................................................................................................................................540
1.1.19.3.1 Configuring an IPv4 MPAC Policy.................................................................................................................... 540
1.1.19.3.2 Configuring an IPv6 MPAC Policy.................................................................................................................... 543
1.1.19.3.3 Verifying the MPAC Configuration...................................................................................................................545
1.1.19.4 Maintaining MPAC.................................................................................................................................................... 545
1.1.19.4.1 Clearing MPAC Statistics..................................................................................................................................... 545
1.1.19.5 Configuration Examples for MPAC...................................................................................................................... 545
1.1.19.5.1 Example for Configuring MPAC........................................................................................................................ 545
1.1.20 MACsec Configuration................................................................................................................................................ 547
1.1.20.1 Overview of MACsec................................................................................................................................................ 547
1.1.20.2 Feature Requirements for MACsec...................................................................................................................... 548
1.1.20.3 Activating the MACsec License of Interfaces................................................................................................... 548
1.1.20.4 Configuring Basic Functions of MACsec............................................................................................................ 548
1.1.20.4.1 Configuring Static CKN and CAK...................................................................................................................... 548
1.1.20.4.2 Verifying the Basic MACsec Configuration................................................................................................... 549
1.1.20.5 Configuring Extended Functions of MACsec....................................................................................................549
1.1.20.5.1 Configuring the MACsec Encryption Mode...................................................................................................549
1.1.20.5.2 Configuring the MACsec Encryption Algorithm.......................................................................................... 550
1.1.20.5.3 Configuring the MACsec Encryption Offset.................................................................................................. 551
1.1.20.5.4 Configuring the MKA Key Server Priority...................................................................................................... 551
1.1.20.5.5 Configuring the SAK Lifetime............................................................................................................................ 552
1.1.20.5.6 Configuring the MACsec Replay Window Size............................................................................................ 552
1.1.20.5.7 Configuring the MACsec VLAN Tag in the Clear Function...................................................................... 553
1.1.20.5.8 Configuring the Strict MACsec Mode............................................................................................................. 553
1.1.20.5.9 Checking the Configuration............................................................................................................................... 554
1.1.20.6 Maintaining MACsec................................................................................................................................................ 554

Issue 01 (2023-09-30) Copyright © Huawei Technologies Co., Ltd. xi


HUAWEI NetEngine9000
Configuration Guide Contents

1.1.20.7 Configuration Examples for MACsec.................................................................................................................. 555


1.1.20.7.1 Configuring Point-to-Point MACsec................................................................................................................ 555
1.1.20.7.2 Configuring the MACsec VLAN Tag in the Clear Function...................................................................... 557
1.1.21 Security Risk Query Configuration..........................................................................................................................558
1.1.21.1 Checking Security Risks........................................................................................................................................... 559
1.1.21.2 Querying Security Configurations....................................................................................................................... 559
1.1.22 System Master Key Configuration.......................................................................................................................... 560
1.1.22.1 Feature Requirements for System Master Key................................................................................................560
1.1.22.2 Configuring the System Master Key................................................................................................................... 560
1.1.23 Trusted System Configuration.................................................................................................................................. 562
1.1.23.1 Overview of Trusted System.................................................................................................................................. 562
1.1.23.2 Configuring Secure Boot......................................................................................................................................... 563
1.1.23.3 Configuring Remote Attestation.......................................................................................................................... 564


1 Configuration

1.1 Security

1.1.1 About This Document

Purpose
This document provides the basic concepts, configuration procedures, and
configuration examples in different application scenarios of the security feature.

Licensing Requirements
For details about the License, see the License Guide.
● Enterprise users: License Usage Guide

Related Version
The following table lists the product version related to this document.

Product Name Version

HUAWEI NetEngine9000 V800R023C00SPC500

iMaster NCE-IP V100R023C00SPC100

Intended Audience
This document is intended for:
● Data configuration engineers
● Commissioning engineers
● Network monitoring engineers
● System maintenance engineers

Security Declaration
● Notice on Limited Command Permission
This documentation describes the commands used for network deployment and
maintenance of Huawei devices. The interfaces and commands used for
production, manufacturing, and the repair of returned products are not
described here.
If advanced commands or compatible commands intended for engineering or
fault location are used incorrectly, exceptions may occur or services may be
interrupted. Such advanced commands should be used only by engineers with
sufficient rights. If necessary, you can apply to Huawei for permission to
use advanced commands.
● Encryption algorithm declaration
The encryption algorithms DES/3DES/RSA (with a key length of less than
3072 bits)/MD5 (in digital signature scenarios and password encryption)/
SHA1 (in digital signature scenarios) have low security strength and may
introduce security risks. Where the protocols allow, use more secure
algorithms such as AES/RSA (with a key length of at least 3072 bits)/SHA2/
HMAC-SHA2.
For security purposes, the insecure protocols Telnet, FTP, and TFTP, as well as
weak security algorithms in the BGP, LDP, PCEP, MSDP, DCN, TCP-AO, MSTP, VRRP,
E-Trunk, AAA, IPsec, BFD, QX, port extension, SSH, SNMP, IS-IS, RIP, SSL, NTP,
OSPF, and keychain features, are not recommended. To use such weak security
algorithms, run the undo crypto weak-algorithm disable command to enable
the weak security algorithm function. For details, see the Configuration Guide.
● Password configuration declaration
– When the password encryption mode is cipher, avoid setting both the
start and end characters of a password to "%^%#". This causes the
password to be displayed directly in the configuration file.
– To further improve device security, periodically change the password.
● MAC addresses and Public IP addresses Declaration
– For the purposes of introducing features and giving configuration examples,
the MAC addresses and public IP addresses of real devices are used in the
product documentation. Unless otherwise specified, these addresses are
used as examples only.
– Open-source and third-party software may contain public addresses
(including public IP addresses, public URLs/domain names, and email
addresses), but this product does not use these public addresses. This
complies with industry practices and open-source software usage
specifications.
– For purposes of implementing functions and features, the device uses the
following public IP addresses:

Table 1-1 Public IP Address List

Public IP address         Description
http://www.huawei.com     Huawei official website address
support_e@huawei.com      Huawei Enterprise User Service Mailbox

● Personal data declaration
– Your purchased products, services, or features may use some of users'
personal data during service operation or fault locating. You must define
user privacy policies in compliance with local laws and take proper
measures to fully protect personal data.
– When discarding, recycling, or reusing a device, back up or delete data on
the device as required to prevent data leakage. If you need support,
contact after-sales technical support personnel.
● Preset Certificate Usage Declaration
Huawei certificates preset on Huawei devices during production are
mandatory identity credentials for Huawei devices. The usage declarations of
preset certificates are as follows:
– Huawei preset certificates are used only to establish initial security
channels for devices to connect to the customer network and to connect
devices in the deployment phase. Huawei does not promise or guarantee
the security of preset certificates.
– The customer shall handle the security risks and security events caused
by using Huawei preset certificates as service certificates and be
responsible for the consequences.
– Huawei preset certificates begin to expire in 2041. You can run the display pki
cert_list domain default command to check the actual validity period.
– After a preset certificate expires, services using the certificate are
interrupted.
– It is recommended that customers deploy the PKI system to issue
certificates for devices and software on the live network and manage the
lifecycle of the certificates. To ensure security, certificates with short
validity periods are recommended.
– The Huawei PKI root certificate is used for initial configuration and
connection of Huawei products during network access. You are advised to
disable this certificate after completing the network access configuration
and configuring a CA certificate you have obtained for the products. (This
certificate can be re-enabled if a new Huawei device needs to be verified
for network access.) If you do not disable this certificate, security risks
exist and you should be liable for the consequences caused by related
security events.
● Product Life Cycle
Huawei's regulations on product life cycle are subject to the Product End of
Life Policy. For details about the policy, see the following website:
https://support.huawei.com/ecolumnsweb/en/warranty-policy
● Vulnerability
Huawei's regulations on product vulnerability management are subject to the
"Vul. Response Process". For details about the policy, see the following
website: https://www.huawei.com/en/psirt/vul-response-process
For enterprise customers who need to obtain vulnerability information, visit:
https://securitybulletin.huawei.com/enterprise/en/security-advisory

● Life Cycle of Product Documentation
Huawei has released the Huawei Product Documentation Lifecycle Policy for
after-sales customer documentation. For details about this policy, see
Huawei's official website:
https://support.huawei.com/enterprise/en/bulletins-website/ENEWS2000017761
● Preconfigured Digital Certificate
Huawei has released the Huawei Preset Digital Certificate Disclaimer for the
preconfigured digital certificates delivered with devices. For details about the
disclaimer, visit the following website:
https://support.huawei.com/enterprise/en/bulletins-service/ENEWS2000015789
● Device Upgrade and Patch Installation Declaration
When upgrading or installing a patch on a device, verify the software with the
software digital signature (OpenPGP) verification tool. You are advised to
perform this check so that software that has been tampered with or replaced
is not installed.
● Feature declaration
– The NetStream feature may be used to analyze the communication
information of terminal customers for network traffic statistics and
management purposes. Before enabling the NetStream feature, ensure
that it is performed within the boundaries permitted by applicable laws
and regulations. Effective measures must be taken to ensure that
information is securely protected.
– The mirroring feature may be used to analyze the communication
information of terminal customers for a maintenance purpose. Before
enabling the mirroring function, ensure that it is performed within the
boundaries permitted by applicable laws and regulations. Effective
measures must be taken to ensure that information is securely protected.
– The packet header obtaining feature may be used to collect or store
some communication information about specific customers for
transmission fault and error detection purposes. Huawei cannot offer
services to collect or store this information unilaterally. Before enabling
the function, ensure that it is performed within the boundaries permitted
by applicable laws and regulations. Effective measures must be taken to
ensure that information is securely protected.
● Reliability design declaration
Network planning and site design must comply with reliability design
principles and provide device- and solution-level protection. Device-level
protection includes dual-network and inter-board dual-link planning
principles to avoid single points of failure and single-link failures.
Solution-level protection refers to fast convergence mechanisms such as FRR
and VRRP. If solution-level protection is used, ensure that the primary and
backup paths do not share links or transmission devices. Otherwise,
solution-level protection may fail to take effect.


Special Declaration
● This document package contains information about the NE9000. For details
about hardware, such as devices or boards sold in a specific country/region,
see Hardware Description.
● This document serves only as a guide. The content is written based on device
information gathered under lab conditions. The content provided by this
document is intended to be taken as general guidance, and does not cover all
scenarios. The content provided by this document may be different from the
information on user device interfaces due to factors such as version upgrades
and differences in device models, board restrictions, and configuration files.
The actual user device information takes precedence over the content
provided by this document. The preceding differences are beyond the scope of
this document.
● The maximum values provided in this document are obtained in specific lab
environments (for example, only a certain type of board or protocol is
configured on a tested device). The actually obtained maximum values may
be different from the maximum values provided in this document due to
factors such as differences in hardware configurations and carried services.
● Interface numbers used in this document are examples. Use the existing
interface numbers on devices for configuration.
● The pictures of hardware in this document are for reference only.
● The supported boards are described in the document. Whether a
customization requirement can be met is subject to the information provided
at the pre-sales interface.
● In this document, public IP addresses may be used in feature introduction and
configuration examples and are for reference only unless otherwise specified.
● The configuration precautions described in this document may not accurately
reflect all scenarios.
● Log Reference and Alarm Reference respectively describe the logs and alarms
for which a trigger mechanism is available. The actual logs and alarms that
the product can generate depend on the types of services it supports.
● All device dimensions described in this document are design dimensions
and do not include tolerances. During component manufacturing, the actual
size deviates from the design dimensions due to factors such as processing
or measurement.

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol     Description
(icon)     Indicates a hazard with a high level of risk which, if not avoided,
           will result in death or serious injury.
(icon)     Indicates a hazard with a medium level of risk which, if not avoided,
           could result in death or serious injury.
(icon)     Indicates a hazard with a low level of risk which, if not avoided,
           could result in minor or moderate injury.
NOTICE     Indicates a potentially hazardous situation which, if not avoided,
           could result in equipment damage, data loss, performance
           deterioration, or unanticipated results. NOTICE is used to address
           practices not related to personal injury.
NOTE       Supplements the important information in the main text. NOTE is
           used to address information not related to personal injury,
           equipment damage, and environment deterioration.

Command Conventions
The command conventions that may be found in this document are defined as
follows.

Convention        Description
Boldface          The keywords of a command line are in boldface.
Italic            Command arguments are in italics.
[ ]               Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }   Optional items are grouped in braces and separated by
                  vertical bars. One item is selected.
[ x | y | ... ]   Optional items are grouped in brackets and separated by
                  vertical bars. One item is selected or no item is selected.
{ x | y | ... }*  Optional items are grouped in braces and separated by
                  vertical bars. A minimum of one item or a maximum of all
                  items can be selected.
[ x | y | ... ]*  Optional items are grouped in brackets and separated by
                  vertical bars. Several items or no item can be selected.
&<1-n>            The parameter before the & sign can be repeated 1 to n times.
#                 A line starting with the # sign is a comment.


Change History
Changes between document issues are cumulative. The latest document issue
contains all the changes made in earlier issues.

Product Version Issue Release Date

V800R023C00SPC500 01 2023-09-30

1.1.2 AAA and User Management Configuration


This function is used to check user validity and grant rights to authorized users to
ensure network security.

1.1.2.1 AAA and User Management Overview


AAA provides security functions for user authentication, authorization, and
accounting.

AAA
Authentication, Authorization, and Accounting (AAA) refers to a combination of
security-related technologies used to authenticate and authorize users, as well as
to account for the service provided to the users.
● Authentication: checks whether a user has the rights to access the network.
● Authorization: authorizes a user so that the user can use a specified service.
● Accounting: records the usage of network resources for charging purposes.
AAA uses the client/server model. This model features good extensibility and
facilitates centralized management over user information, as shown in Figure 1-1.

Figure 1-1 AAA networking


1.1.2.2 Feature Requirements for AAA and User Management


(Administrative User)

1.1.2.3 Configuring AAA


Before configuring AAA, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and
efficiently.

Usage Scenario
● Local authentication and authorization
If user authentication or authorization is required when no RADIUS or
HWTACACS server is deployed on the network, user authentication or
authorization can be implemented in local authentication or authorization
mode. Local authentication and authorization feature fast processing and low
operation cost, whereas the amount of information that can be stored is
limited by the hardware capacity of the device.
Local authentication and authorization are often used for administrators.
Local authentication is a backup of RADIUS authentication and HWTACACS
authentication; local authorization is a backup of HWTACACS authorization.
● HWTACACS authentication, authorization, and accounting: The
authentication, authorization, and accounting in HWTACACS mode can
prevent unauthorized users from attacking the network. In addition, the
HWTACACS mode supports the authorization of command lines. Compared
with RADIUS, HWTACACS is more reliable in transmission and encryption and
is more suitable for security control.
● RADIUS authentication and accounting: The authentication and accounting in
RADIUS mode can prevent unauthorized users from attacking the network.
The RADIUS mode is often used in network environments requiring high
security and remote access control.

Pre-configuration Tasks
Before configuring AAA, complete the following tasks:
● Power on the router or switch and ensure that the self-test is successful.
● Ensure that the device is accessible.


Configuration Procedures

Figure 1-2 AAA configuration flowchart

1.1.2.3.1 Configuring AAA Schemes


This section describes how to configure authentication, authorization, and
accounting (AAA) schemes.

Context
Configuring AAA schemes involves the following tasks:
● Configure an authentication scheme.
● Configure an authorization scheme.
● Configure an accounting scheme.

Procedure
● Configure an authentication scheme.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run authentication-scheme scheme-name
An authentication scheme is created, and its view is displayed.
A maximum of 32 authentication schemes can be configured.
d. Run authentication-mode { hwtacacs | radius | local }*
An authentication mode is configured.
The radius parameter can be specified only for the admin VS.
If multiple authentication modes are configured in an authentication
scheme, the authentication modes are used in the sequence in which they are
configured.

NOTE

The next configured authentication mode is used only when the current one does
not take effect (for example, the server does not respond). If the current
authentication succeeds or fails, the next authentication mode is not used.
In the scenario where HWTACACS authentication and then local authentication
are configured, after the authentication-reliability auto-change-next
command is run, a user is automatically switched to local authentication if
HWTACACS remote authentication fails.
e. (Optional) Run authentication-reliability auto-change-next
The device is configured to automatically perform local authentication for
users who fail HWTACACS remote authentication.
f. Run commit
The configuration is committed.
● Configure an authorization scheme.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run authorization-scheme authorization-scheme-name
An authorization scheme is created, and its view is displayed.
A maximum of 32 authorization schemes can be configured.
d. Run authorization-mode authorization-mode1 [ authorization-mode2
[ authorization-mode3 [ authorization-mode4 ] ] ]
An authorization mode is configured.
If multiple authorization modes are configured in an authorization
scheme, the authorization modes are used in the sequence in which they
are configured.

NOTE

The next configured authorization mode is used only when the current one does
not take effect (for example, the server does not respond). If the current
authorization succeeds or fails, the next authorization mode is not used.
e. Run commit
The configuration is committed.
● Configure an accounting scheme.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run accounting-scheme acct-scheme-name
An accounting scheme is created, and its view is displayed.
A maximum of 256 accounting schemes can be configured.
d. Run accounting-mode { hwtacacs | radius | none }
An accounting mode is configured.
The radius parameter can be specified only for the admin VS.
e. Run commit
The configuration is committed.

----End

Follow-up Procedure
Perform one of the following operations based on the configured authentication,
authorization, and accounting modes:

● Configure a local user.
● Configure an HWTACACS server template.
● 1.1.2.4 Configuring a Device as a RADIUS Client
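
Because the rule in the NOTE under step d of the authentication-scheme procedure (the next mode is tried only when the current one does not respond; an explicit reject is final unless authentication-reliability auto-change-next switches the user to local) is easy to misread, here is an added Python model of it. It is not device code: the user name, passwords and server behaviour are constructed for the example, and the model assumes that auto-change-next applies only when local is configured after hwtacacs in the scheme, which is the scenario the NOTE describes.

```python
"""Model of how an authentication scheme walks its configured modes
(section 1.1.2.3.1). Added illustration, not device code: the servers,
user and passwords below are constructed for the example."""
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Outcome(Enum):
    ACCEPT = "accept"          # the mode authenticated the user
    REJECT = "reject"          # the mode answered and refused the user
    NO_RESPONSE = "none"       # the mode did not take effect (no reply)


# A mode is modelled as a callable (user, password) -> Outcome.
Mode = Callable[[str, str], Outcome]


def make_mode(db: Optional[Dict[str, str]]) -> Mode:
    """Build a mode backed by a user -> password table.
    db=None models a server that never responds (unreachable/timeout)."""
    def check(user: str, password: str) -> Outcome:
        if db is None:
            return Outcome.NO_RESPONSE
        return Outcome.ACCEPT if db.get(user) == password else Outcome.REJECT
    return check


def authenticate(order: List[str], modes: Dict[str, Mode],
                 user: str, password: str,
                 auto_change_next: bool = False) -> Tuple[Outcome, str]:
    """Walk the modes in the order given by authentication-mode.

    Rule from the guide: a mode that does not take effect (no response)
    hands over to the next configured mode; an explicit accept or reject
    ends the walk. With authentication-reliability auto-change-next, a
    user rejected by hwtacacs is switched to local authentication when
    local is configured after hwtacacs (the scenario the guide describes).
    Returns (final outcome, name of the mode that produced it).
    """
    for index, name in enumerate(order):
        result = modes[name](user, password)
        if result is Outcome.NO_RESPONSE:
            continue                                   # try the next mode
        if (result is Outcome.REJECT and auto_change_next
                and name == "hwtacacs" and "local" in order[index + 1:]):
            return modes["local"](user, password), "local"
        return result, name                            # final answer
    return Outcome.NO_RESPONSE, "none"                 # nothing took effect


def demo() -> Dict[str, Tuple[Outcome, str]]:
    """Four constructed situations for an administrator named 'netadmin'."""
    local_db = {"netadmin": "Local#Pw1"}     # local-user password
    tacacs_db = {"netadmin": "Tacacs#Pw1"}   # password held by the server
    tacacs_up = make_mode(tacacs_db)
    tacacs_down = make_mode(None)
    local = make_mode(local_db)

    return {
        # Server unreachable: the walk continues and local accepts.
        "tacacs_down": authenticate(
            ["hwtacacs", "local"], {"hwtacacs": tacacs_down, "local": local},
            "netadmin", "Local#Pw1"),
        # Server reachable but rejects the local password: no fallback,
        # the reject is final even though local would have accepted.
        "tacacs_reject": authenticate(
            ["hwtacacs", "local"], {"hwtacacs": tacacs_up, "local": local},
            "netadmin", "Local#Pw1"),
        # Same, with authentication-reliability auto-change-next configured.
        "tacacs_reject_auto_change": authenticate(
            ["hwtacacs", "local"], {"hwtacacs": tacacs_up, "local": local},
            "netadmin", "Local#Pw1", auto_change_next=True),
        # Only remote modes, all unreachable: no mode takes effect.
        "all_down": authenticate(
            ["hwtacacs", "radius"],
            {"hwtacacs": tacacs_down, "radius": make_mode(None)},
            "netadmin", "Local#Pw1"),
    }


if __name__ == "__main__":
    for case, (outcome, by) in demo().items():
        print(f"{case:28s} -> {outcome.value} (decided by {by})")
```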

1.1.2.3.2 (Optional) Configuring Local Users


When authentication and authorization are implemented in local mode, the
authentication and authorization information (such as the user name, password,
level, maximum number of user accesses, and maximum number of consecutive
authentication failures) must be configured on the device.

Procedure
● Configuring local users in the AAA view.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run local-user user-name password [ cipher password | irreversible-
cipher irreversible-cipher-password ]
A local user is created, and the password of the user is configured.
▪ If the user name contains the at sign (@), the characters before the
at sign (@) are the user name, and the characters after the at sign
(@) are the domain name.
▪ If the user name does not contain the at sign (@), the entire
character string is the user name, and the domain name is
default_admin.
▪ The user name cannot contain two or more at signs (@).
▪ Input in simple text: When the user security policy is configured, the
password cannot be the same as the user name or its reverse. The
password must contain the following types of characters: upper-case
letters, lower-case letters, digits, and special characters.
NOTE

● The question mark (?) is not counted as a special character.
● A space can appear only in the middle of the password, not at the
beginning or end. Enclose a password that contains a space in double
quotation marks (").
● If the local-user service-type command has been run to configure a
user as an administrator by specifying the user type as the Telnet, FTP,
SSH, SNMP, or terminal user, the system automatically changes the user
password to an irreversible ciphertext key.
d. (Optional) Run user-password password-force-change disable
The function to forcibly change the initial password of local users is
disabled.
e. (Optional) Run local-user user-name password-force-change disable
Forcible modification of the initial password is disabled for the specified
local user.

NOTE

To ensure device security, a local user must change the initial password upon
first login. You are not advised to disable forcible modification of the initial
password for a local user.
f. (Optional) Run local-user user-name service-type { { terminal | telnet |
ftp | ssh | qx | snmp | mml | http } * | ppp }
The access type of the local user is configured.
g. (Optional) Run local-user user-name ftp-directory directory [ access-
permission { read execute | read write execute } ]
The FTP directory right of the local user is configured.

NOTE

If the access type of the local user is set to FTP, the FTP directory of the local user
must be configured and the level of the local user cannot be lower than the
management level. Otherwise, the FTP user login will fail.
h. Configure the level of the local user or the group to which the local user
belongs according to the command-line authorization mode.
▪ Run the local-user user-name level level command to configure the
level of the local user.
NOTE

The configured level of the local user cannot be higher than that of the
logged-in user.
▪ Run the local-user user-name user-group user-group-name
command to add the local user to the specified user group.

i. (Optional) Run local-user user-name state { active | block }
The status of the local user is configured.
The system processes authentication requests from users as follows:
▪ If a local user is in the active state, the system accepts the
authentication request from the user and performs further
processing.
▪ If a local user is in the block state, the system rejects the
authentication request from the user.
j. (Optional) Run local-user user-name access-limit max-number
The maximum number of user accesses is set.
k. (Optional) Run user-block failed-times failed-times-value period
period-value
The maximum number of consecutive authentication failures for the local
user is configured.

NOTE

If a local user is in the locked state, you need to unlock it in either of the
following ways:
● In the AAA view, run the user-block reactive reactive-time command to
configure the interval after which a locked user is automatically unlocked. If
the time a user has been locked exceeds the configured interval, the user is
automatically unlocked.
● In the user view, run the activate aaa local-user user-name command to
manually unlock the specified local user.
l. Run quit
Return to the system view.
m. (Optional) Run aaa abnormal-offline-record
The abnormal logout events are recorded.
After this function is enabled, information about abnormal logout events
can be provided for administrators to manage and maintain user
information.
n. Run quit
Return to the user view.
o. (Optional) Run local-user change-password
The password of the local user is changed.
p. Run commit
The configuration is committed.
● Configuring a local user in the local AAA server view.
a. Run system-view
The system view is displayed.

b. Run local-aaa-server
The local AAA server view is displayed.
c. Run user username { password { cipher cipher-password | irreversible-
cipher irreversible-password } | authentication-type type-mask | { active
| block [ fail-times fail-times-value interval interval-value ] } | ftp-
directory ftp-directory | level level | user-group user-group-name } *
A local user account is added.

NOTE
If the user user-name authentication-type authentication-type command has been
run to configure a user as an administrator by specifying the user type as the Telnet,
FTP, SSH, SNMP, or terminal user, the system automatically changes the user
password to an irreversible ciphertext key.
d. (Optional) Run user user-name expire expiretime
The expiration time of the local user is modified.
e. (Optional) Run user user-name block [ fail-times fail-times-value
interval interval-value ]
The local user is blocked.
The parameters terminal, qx and mml are supported only on the Admin-
VS.
f. Run commit
The configuration is committed.
----End
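The following Python model is added here as an illustration and is not part of the NE9000 configuration or its software. It shows how the user-block failed-times/period lockout, the user-block reactive automatic unlock, the activate aaa local-user manual unlock and the local-user state { active | block } check interact when an authentication request arrives. The class and function names are this example's own; counting failures in a sliding window of the configured period, and a lock lasting exactly the reactive time, are assumptions because the page does not detail them.

```python
"""Lockout model for the local-user commands above (added example, not
NE9000 code). Assumptions: failures are counted in a sliding window of
`period_s` seconds (user-block failed-times ... period); a locked user is
released after `reactive_s` seconds (user-block reactive) or when an
administrator calls activate() (activate aaa local-user)."""
from collections import deque


class LocalUser:
    """One local AAA user with its state, failure counters and lock time."""

    def __init__(self, name, state="active", failed_times=3,
                 period_s=60, reactive_s=300):
        self.name = name
        self.state = state              # local-user state { active | block }
        self.failed_times = failed_times
        self.period_s = period_s
        self.reactive_s = reactive_s
        self._failures = deque()        # timestamps of recent failed attempts
        self.locked_at = None

    def is_locked(self, now):
        """True while the lock is in force; clears it once reactive_s elapsed."""
        if self.locked_at is None:
            return False
        if now - self.locked_at >= self.reactive_s:
            self.activate()             # automatic unlock (user-block reactive)
            return False
        return True

    def activate(self):
        """Manual unlock (activate aaa local-user): clear lock and counters."""
        self.locked_at = None
        self._failures.clear()

    def authenticate(self, now, password_ok):
        """Decide an authentication request arriving at time `now` (seconds)."""
        if self.state == "block":       # blocked users are rejected outright
            return "rejected: user state is block"
        if self.is_locked(now):
            return "rejected: user locked"
        if password_ok:
            self._failures.clear()      # a success resets the failure streak
            return "accepted"
        # drop failures older than the period, then record this one
        while self._failures and now - self._failures[0] > self.period_s:
            self._failures.popleft()
        self._failures.append(now)
        if len(self._failures) >= self.failed_times:
            self.locked_at = now
            return "rejected: locked after %d failures" % self.failed_times
        return "rejected: bad credentials"


def demo():
    """Three failures within 20 s lock the user; it is usable again after 300 s."""
    u = LocalUser("ops", failed_times=3, period_s=60, reactive_s=300)
    return [u.authenticate(0, False), u.authenticate(10, False),
            u.authenticate(20, False), u.authenticate(30, True),
            u.authenticate(320, True)]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The window semantics matter for detection: a failure streak spread over longer than the period never locks the account, so alerting on failed logins should not rely on the lock alone.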

1.1.2.3.3 (Optional) Configuring an HWTACACS Server Template


When configuring an HWTACACS server template, you must specify the IP address,
port number, and shared key of a specified HWTACACS server. Other
configurations, such as whether the HWTACACS username carries the domain
name and the time for the primary server to switch to the active state, have
default settings and can be modified as required.

Context
You can configure an HWTACACS server template as follows:
● Configure a shared key for the communication between the device and
HWTACACS server.
● Configure IP addresses for the primary and secondary HWTACACS servers
using either of the following methods:
– Configure IP addresses for the primary and secondary HWTACACS
common servers.
– Configure IP addresses for the primary and secondary HWTACACS
authentication servers, primary and secondary HWTACACS authorization
servers, and primary and secondary HWTACACS accounting servers.
● Configure a source address for the device to communicate with the
HWTACACS server.

● Configure a response timeout period for the HWTACACS server.
● Configure a timer value for the primary server to switch to the active
state.
● Configure the username to be sent to the HWTACACS server to carry the
domain name or not.
● Modify the password of an HWTACACS user.
NOTE
To reduce the risk to data exchanged between the device and the HWTACACS server, you
are advised to deploy both within a security domain.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run hwtacacs enable

HWTACACS is enabled.

Step 3 Run hwtacacs-server service-name service-name

The HWTACACS server name is set.

On an HWTACACS server, a user name can be allocated different rights based on
different service names. After the hwtacacs-server service-name command is
run, a user logging in to the device is allocated a right based on the configured
HWTACACS service name.

Step 4 (Optional) Run hwtacacs-server default remote-address

A default remote address is configured for the communication between the device
(HWTACACS client) and an HWTACACS server.

When interworking with a third-party TACACS server, the third-party TACACS
server may require the rem_addr field. In this case, you need to run the hwtacacs-
server default remote-address command to configure the default remote
address for the HWTACACS client to communicate with the HWTACACS server.
When the HWTACACS client sends authentication, authorization, and accounting
request packets to the HWTACACS server, if the rem_addr field in the packets is
empty, the configured address is inserted into the rem_addr field of the packets
sent to the HWTACACS server.

Step 5 Run hwtacacs-server template template-name

An HWTACACS server template is created, and its view is displayed.

Step 6 Run hwtacacs-server shared-key { cipher cipher-string | key-string }

A shared key is configured for the communication between the device and the
HWTACACS server.

Setting the key improves the security of the communication between the NE9000
and the HWTACACS server.

NOTE
For the router and the HWTACACS server to validate each other's packets, both must be
configured with the same key.

Step 7 You can use either of the following methods to configure an IP address and shared
key for the primary/secondary HWTACACS server.
NOTE

● When the common server is configured as the primary server, the configurations of the
primary authentication, accounting, and authorization servers are deleted. When
another type of server (authentication, accounting, or authorization server) is
configured as the primary server, the configurations of the common server are deleted.
● When the common server is configured as the primary server and the server is available,
the configurations of other types of servers (authentication, accounting, and
authorization servers) do not take effect.
● The IP addresses and host names of the primary and the secondary servers must be
different; otherwise, the server configuration fails.
● Configure an IP address and a shared key for the primary/secondary
HWTACACS common server.
For an IPv4 server, run the hwtacacs-server ip-address [ port ] [ shared-key
{ key-string | cipher cipher-string } | mux-mode | { vpn-instance vpn-
instance-name | public-net } ] * [ secondary ] command.
For an IPv6 server, run the hwtacacs-server ipv6-address [ port ] [ shared-
key { key-string | cipher cipher-string } | mux-mode | vpn-instance vpn-
instance-name ]* [ secondary ] command.
● Configure IP addresses and shared keys for the primary/secondary HWTACACS
authentication server, HWTACACS authorization server, and HWTACACS
accounting server.
a. Configure an IP address and a shared key for the primary/secondary
HWTACACS authentication server.
▪ For an IPv4 server, run the hwtacacs-server authentication { ip-address } [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | { vpn-instance vpn-instance-name | public-net } ]* [ secondary ] command.
▪ For an IPv6 server, run the hwtacacs-server authentication ipv6-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | vpn-instance vpn-instance-name ]* [ secondary ] command.
b. Configure an IP address and a shared key for the primary/secondary
HWTACACS authorization server.
▪ For an IPv4 server, run the hwtacacs-server authorization { ip-address } [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | { vpn-instance vpn-instance-name | public-net } ]* [ secondary ] command.
▪ For an IPv6 server, run the hwtacacs-server authorization ipv6-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | vpn-instance vpn-instance-name ]* [ secondary ] command.
c. Configure an IP address and a shared key for the primary/secondary
HWTACACS accounting server.
▪ For an IPv4 server, run the hwtacacs-server accounting ip-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | { vpn-instance vpn-instance-name | public-net } ]* [ secondary ] command.
▪ For an IPv6 server, run the hwtacacs-server accounting ipv6-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | vpn-instance vpn-instance-name ]* [ secondary ] command.

Step 8 (Optional) Run hwtacacs-server { source-ip ip-address | source-ipv6 ipv6-address }

A source address is configured for the communication between the device and the
HWTACACS server.

Step 9 (Optional) Run hwtacacs-server timer response-timeout value

A response timeout period is set for the HWTACACS server.

If the device does not receive any response from the HWTACACS server within the
specified response timeout period, the device considers the HWTACACS server
unavailable. In this case, the device attempts to use other methods for
authentication, authorization, and accounting.

Step 10 (Optional) Run hwtacacs-server timer quiet value

A timer value for the primary server to switch to the active state is set.

Step 11 (Optional) Run hwtacacs-server user-name domain-included

The device is configured to encapsulate the domain name into the username to be
sent to the HWTACACS server.

If the HWTACACS server does not accept the username containing the domain
name, you can configure the device to delete the domain name and then send the
username without the domain name to the HWTACACS server.

NOTE

The format of a username is username@domain name.

Step 12 (Optional) Run hwtacacs-user change-password hwtacacs-server template-name

The password of the HWTACACS user is modified.

Step 13 Run commit

The configuration is committed.

----End

1.1.2.3.4 (Optional) Configuring a RADIUS Server Group

Context
Configure the RADIUS authentication server and accounting server. For details, see
Configuring a RADIUS Server Group.

1.1.2.3.5 Configuring AAA Schemes for the Domain


Associate the remote authentication, authorization, and accounting schemes of
the domain user with the server template by configuring a domain. Then,
corresponding authentication, authorization, and accounting will be implemented
for the users accessing the domain.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 (Optional) Run service-type terminal force-domain domain-name
A forced domain is configured for a console interface.
When users logging in through the console interface must be distinguished from
users logging in using other methods, run the service-type terminal force-
domain command to specify a forced domain for the console interface. After the
configuration takes effect, users logging in through the console interface
automatically enter the forced domain and are not allocated any other domain
based on their user names. In this way, users logging in through the console
interface and users logging in using other methods are distinguished and allocated
different rights.
In VS mode, this command is supported only by the admin VS.
Step 4 (Optional) Run default-domain { admin | access } domain-name
The domain name created in the preceding step is configured as the default
domain name.
After you manually create a domain name, for example, first_domain, you must
suffix @first_domain to the user name during authentication, which is
inconvenient. To facilitate user authentication, run the default-domain command
to set the domain name first_domain as the default domain name. With this
configuration, @first_domain is automatically suffixed to user names.
Step 5 (Optional) Run domain-name-delimiter delimiter
The domain name delimiter is configured.
Step 6 (Optional) Run domain-location { after-delimiter | before-delimiter }
The domain name location is configured so that the system can correctly parse
the user name and domain name.

By default, a user uses user name@domain name to log in to a device. To
configure a user to use domain name@user name to log in, run the domain-
location command to configure the domain name to be located before the
delimiter.
Step 7 (Optional) Run domainname-parse-direction { left-to-right | right-to-left }
The direction in which the domain name is parsed is configured so that the system
can correctly parse the user name and domain name.
When a user name contains multiple domain name delimiters, run the
domainname-parse-direction command to configure the direction in which the
domain name is parsed. Use user1@abcd@domain1 as an example. When the
domain name is parsed from left to right, the first delimiter @ from the left is
considered the domain name delimiter. When the domain name is parsed from
right to left, the first delimiter @ from the right is considered the domain name
delimiter. The other delimiters are considered part of the user name or domain
name.
Step 8 Run domain domain-name
A domain is created and the AAA domain view is displayed.
Step 9 Run authentication-scheme scheme-name
The authentication scheme is configured for the domain.
Step 10 Run authorization-scheme authorization-scheme-name
The authorization scheme is configured for the domain.
Step 11 Run accounting-scheme accounting-scheme-name
The accounting scheme is configured for the domain.
Step 12 Select the server template according to the configured authentication,
authorization, and accounting modes.
● Run the radius-server group (AAA domain view) group-name command to
configure the RADIUS server group for the domain.
In VS mode, this command is supported only by the admin VS.
● Run the hwtacacs-server template-name command to configure the
HWTACACS server template for the domain.
Step 13 Run block
The status of the domain is configured.
When a domain is in block state, users of the domain cannot access the network.
Step 14 (Optional) Run access-limit access-limit-number
The maximum number of access users for the domain is set.
Step 15 (Optional) Run adminuser-priority level
The default user level for administrators in a specific AAA domain is configured.
If a user level is not assigned by the local device (using the local-user level
command) or by a remote server, administrators are not allowed to access a
specific domain in management mode. To resolve this issue, run the adminuser-priority
command to configure a default level for administrators in a specific AAA
domain. Then, the administrators will take this user level for login.
A user level assigned by the local device or a remote server takes precedence over
a user level configured using the adminuser-priority command. When the user is
added to a user group, the configuration of the user group takes precedence over a
user level configured using the adminuser-priority command.

NOTE

The configured default level of the local user cannot be higher than that of the login-in user.

Step 16 (Optional) Run service-type { ftp | ppp | ssh | telnet | terminal | snmp | qx | mml
| http } *
The access type of users in a domain is configured.
The parameters terminal, qx and mml are supported only on the Admin-VS.
The local-user service-type command configures the access type for a
specific user. When a user attempts to log in, the access type configured in the
domain view and the access type configured using the local-user service-type
command are checked in sequence. The user is allowed to log in only when both
checks pass.
Step 17 Run commit
The configuration is committed.

----End
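As an added illustration (not NE9000 code), the following Python functions apply the domain-name-delimiter, domain-location, domainname-parse-direction and default-domain settings from Steps 4 to 7 to a login string, and show the username that is then forwarded to the server with or without the domain (the domain-included setting in Step 11 of the HWTACACS procedure). Function and parameter names are this example's own; the behaviour follows the step descriptions above.

```python
"""Login-name parsing as configured by domain-name-delimiter, domain-location,
domainname-parse-direction and default-domain (added example, not NE9000
code; the semantics follow the step descriptions, the names are this
example's own)."""


def split_login_name(login, delimiter="@", location="after-delimiter",
                     direction="left-to-right", default_domain=None):
    """Return (username, domain) for a login string.

    direction picks which delimiter occurrence separates user from domain:
    left-to-right uses the first from the left, right-to-left the first from
    the right; the other delimiters stay part of the user or domain name.
    location says on which side of that delimiter the domain sits.
    A login without any delimiter gets default_domain (default-domain command).
    """
    if direction == "left-to-right":
        idx = login.find(delimiter)
    elif direction == "right-to-left":
        idx = login.rfind(delimiter)
    else:
        raise ValueError("direction must be left-to-right or right-to-left")
    if idx < 0:
        return login, default_domain
    left, right = login[:idx], login[idx + len(delimiter):]
    if location == "after-delimiter":       # user@domain (default)
        return left, right
    if location == "before-delimiter":      # domain@user
        return right, left
    raise ValueError("location must be after-delimiter or before-delimiter")


def name_sent_to_server(username, domain, domain_included=True, delimiter="@"):
    """Username forwarded to the HWTACACS/RADIUS server: username@domain when
    domain-included is configured, the bare username otherwise (undo
    hwtacacs-server user-name domain-included / radius-server user-name original)."""
    if domain_included and domain is not None:
        return username + delimiter + domain
    return username


if __name__ == "__main__":
    for direction in ("left-to-right", "right-to-left"):
        print(direction, split_login_name("user1@abcd@domain1", direction=direction))
    print(split_login_name("user1", default_domain="first_domain"))
```

The parse direction decides which domain an ambiguous name such as user1@abcd@domain1 lands in, and therefore which AAA schemes and server template apply to it; keep the setting consistent across devices that share a server.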

1.1.2.3.6 Verifying the AAA Configuration


After the AAA configuration is complete, you can view the configurations of the
authentication, authorization, and accounting schemes.

Prerequisites
Related AAA configurations are complete.

Procedure
● Run display accounting-scheme
The configuration of the accounting scheme is displayed.
● Run display authentication-scheme [ authentication-scheme-name ]
The configuration of the authentication scheme is displayed.
● Run display authorization-scheme [ authorization-scheme-name ]
The configuration of the authorization scheme is displayed.
● Run display domain domain-name
The configuration of the domain is displayed.
● Run display hwtacacs current-status
The current status information about the HWTACACS is displayed.

● Run display hwtacacs-server template
The configuration of the HWTACACS server is displayed.
● Run display radius-attribute [ name attribute-name | { type { huawei |
standard } attribute-id } ]
The RADIUS attributes supported by the NE9000 are displayed.
● Run display recording-scheme
The configuration of the recording scheme is displayed.

----End

1.1.2.4 Configuring a Device as a RADIUS Client


When a device functions as a RADIUS client to perform authentication,
authorization, and accounting for users through a remote RADIUS server, you need
to configure RADIUS information on the device.

Context
NOTE

In VS mode, this configuration task applies only to the admin VS.

1.1.2.4.1 Configuring Basic RADIUS Functions

Configuring a RADIUS Server Group

Context
If remote authentication, authorization, and accounting are performed for users
through a RADIUS server, you need to configure a RADIUS server group.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run radius-server group group-name

The RADIUS server group view is displayed.

Step 3 Run radius-server { shared-key key-string | shared-key-cipher key-string-cipher }
[ { authentication | accounting } { ip-address | ipv6-address [ vpn-instance
instance-name ] } [ source { { interface-name | interface-type interface-number } |
ip-address ip-address } ] port [ weight weight ]

A shared key is configured for the communication with the RADIUS server.

Step 4 Configure the RADIUS authentication server as required.

Table 1-2 Configuring a RADIUS authentication server

Operation: Specify an IPv4 RADIUS authentication server.
Command:
● radius-server authentication ip-address port { vpn-instance instance-name | { shared-key key-string | shared-key-cipher cipher-string | dtls-policy dtls-policy-name } | source { interface-name | interface-type interface-num | ip-address ip-address } } * [ weight weight-value ]
● radius-server authentication ip-address [ vpn-instance instance-name | source { { interface-name | interface-type interface-num } | ip-address source-ip-address } | { shared-key key-string | shared-key-cipher cipher-string | dtls-policy dtls-policy-name } ] * port [ weight weight-value ]
Description:
● Weights of RADIUS authentication servers apply only to load balancing scenarios, and the default value is 0.
● The specified DTLS policy takes effect only for administrators. For details about how to configure a DTLS policy, see Basic Configuration > Accessing Other Devices Configuration > Configuring and Binding an SSL Policy.
● To improve the security of administrators, you are advised to specify a DTLS policy for the RADIUS server.

Operation: Specify an IPv6 RADIUS authentication server.
Command: radius-server authentication ipv6-address [ vpn-instance instance-name | source { interface-name | interface-type interface-num } | { shared-key key-string | shared-key-cipher cipher-string | dtls-policy dtls-policy-name } ] * port [ weight weight-value ]

Step 5 Configure the RADIUS accounting server as required.

Table 1-3 Configuring a RADIUS accounting server

Operation: Specify an IPv4 RADIUS accounting server.
Command:
● radius-server accounting ip-address port { vpn-instance instance-name | { shared-key key-string | shared-key-cipher cipher-string | dtls-policy dtls-policy-name } | source { interface-name | interface-type interface-num | ip-address ip-address } } * [ weight weight-value ]
● radius-server accounting ip-address [ vpn-instance instance-name | source { { interface-name | interface-type interface-num } | ip-address source-ip-address } | { shared-key key-string | shared-key-cipher cipher-string | dtls-policy dtls-policy-name } ] * port [ weight weight-value ]
Description:
● Weights of RADIUS accounting servers apply only to load balancing scenarios, and the default value is 0.
● The specified DTLS policy takes effect only for administrators. For details about how to configure a DTLS policy, see Basic Configuration > Accessing Other Devices Configuration > Configuring and Binding an SSL Policy.
● To improve the security of administrators, you are advised to specify a DTLS policy for the RADIUS server.

Operation: Specify an IPv6 RADIUS accounting server.
Command: radius-server accounting ipv6-address [ vpn-instance instance-name | source { interface-name | interface-type interface-num } | { shared-key key-string | shared-key-cipher cipher-string | dtls-policy dtls-policy-name } ] * port [ weight weight-value ]

NOTE

RADIUS authentication and accounting servers can use the same IP address, indicating that
one server can perform both RADIUS authentication and accounting functions. If a server
performs both RADIUS authentication and accounting functions, it uses a separate interface
for each function.

Step 6 (Optional) Run radius-server algorithm { loading-share | master-backup { strict | sequence } * }
The algorithm for selecting RADIUS servers is configured.
After strict is configured, the accounting server is strictly selected based on the
configured algorithm. The primary accounting server is preferentially selected,
regardless of the authentication server selection result. Otherwise, the RADIUS
accounting server is selected based on the authentication server selection result. In
other words, the RADIUS server that authenticates a user is the RADIUS server
that performs accounting for the user.
Step 7 Run commit
The configuration is committed.

----End

(Optional) Configuring a Source Interface for a RADIUS Server

Context
To determine the route between a device and each RADIUS server to which it
connects, you can configure a source interface (which connects the device to a
RADIUS server) for each RADIUS server in the system view, RADIUS server group
view, or both. If a source interface is configured in the RADIUS server group view,
all RADIUS servers in this group use the configured interface to communicate with
the device. Otherwise, the global source interface configured in the system view is
used.
When the device sends packets to a RADIUS server deployed in a VPN, the device
preferentially uses the IP address of the source interface configured using the
radius-server source interface command as the source address. In scenarios
where no source interface is configured, the device searches for a reachable route
based on the VPN and destination IP address. If a route is found, the device uses
the IP address of the route's outbound interface as the source address; otherwise,
the device selects the IP address of any interface in the VPN as the source address.

Procedure
● Configure a global source interface for RADIUS servers.
a. Run system-view
The system view is displayed.
b. Run radius-server source interface interface-type interface-number
A global source interface is configured for RADIUS servers.
c. Run commit

The configuration is committed.


● Configure a source interface for a specified RADIUS server group.
a. Run system-view
The system view is displayed.
b. Run radius-server group group-name
The RADIUS server group view is displayed.
c. Run radius-server source interface interface-type interface-number
A source interface is configured for the RADIUS server group.
d. Run commit
The configuration is committed.
----End

(Optional) Configuring Negotiation Parameters for a RADIUS Server

Context
A device must use the negotiated RADIUS parameters and message format to
communicate with a RADIUS server.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Configure global negotiation parameters between the device and RADIUS server
as required.

Table 1-4 Configuring global negotiation parameters between the device and
RADIUS server

Operation: Configure a mode for collecting statistics about RADIUS authentication request and response packets.
Command: radius-server packet statistics algorithm { version1 | version2 }
Description: When a Huawei device interworks with a non-Huawei NMS, run this command to adjust the mode for collecting statistics about RADIUS authentication request and response packets. By default, the MIB object radiusAccClientRequests collects statistics about authentication request packets, and the MIB object radiusAccClientResponses collects statistics about authentication success packets. In the display radius-server packet ip-address ip-address authentication command output, the Access Requests field indicates the number of authentication request packets, and the Access Accepts field indicates the number of authentication success packets.

Operation: Configure the device to apply the undo radius-server user-name domain-included command configuration to the default management domain or the domain with the adminuser-priority level command configured.
Command: radius-server admin-user domain-exclude enable
Description: If RADIUS authentication, authorization, and accounting need to be performed for an administrator but some RADIUS servers do not support the username format with a domain name, configure the device to delete the domain name in a username before sending it to the RADIUS server. In this case, the username of the administrator does not carry the domain name. Therefore, run this command to bind the administrator to the default administrative domain or the domain configured with the adminuser-priority level command after running the undo radius-server user-name domain-included command.

Operation: Configure the maximum number of pending packets that can be sent to the RADIUS server.
Command: radius-server { accounting | authentication } [ ip-address [ vpn-instance vpn-instance ] ] [ port ] pending-limit pending-limit
Description: The processing capability of the RADIUS server is limited. To ensure that the device receives a response packet for each packet sent to the RADIUS server, run this command.

Operation: Configure the idle timeout period of a DTLS session.
Command: radius-server dtls idle-timeout idle-timeout-value
Description: The authentication and accounting requests of an administrator trigger the creation of a DTLS session. When a DTLS session is idle for a period of time, the RADIUS server needs to delete the session. You can run this command to configure the idle timeout period of a DTLS session.

Step 3 Run radius-server group group-name

The RADIUS server group view is displayed.

Step 4 Configure negotiation parameters between the device and RADIUS server group as
required.

Table 1-5 Configuring negotiation parameters between the device and RADIUS
server group

Operation: Configure the username format supported by the RADIUS server.
Command: radius-server user-name { domain-included | original }
Description: Run this command to configure whether the username sent from the device to the RADIUS server contains the domain name, according to the type of the RADIUS server. By default, a username contains a domain name.

Step 5 Run commit

The configuration is committed.

----End

1.1.2.4.2 (Optional) Configuring RADIUS Packets and Attributes Carried in the Packets

Configuring Caching and Retransmission Mechanisms for RADIUS Packets

Context
To ensure that factors such as network faults or delay do not prevent the device
from receiving response packets sent by the RADIUS server, configure the caching
and retransmission mechanisms for request packets to be sent to the RADIUS
server. Perform configurations based on site requirements.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run radius-server group group-name

The RADIUS server group view is displayed.

Step 3 Run radius-server { authentication | accounting } retransmit retry-times timeout second
The number of transmissions and the retransmission timeout period are
configured for request packets to be sent to the RADIUS server.
When you run this command:
● If neither the authentication nor the accounting parameter is specified, the
configuration takes effect for all RADIUS authentication and accounting
servers in the RADIUS server group.
● If only the authentication parameter is specified, the configuration takes
effect for all RADIUS authentication servers in the RADIUS server group.
● If only the accounting parameter is specified, the configuration takes effect
for all RADIUS accounting servers in the RADIUS server group.
Step 4 Run commit
The configuration is committed.

----End

Configuring a DSCP Value for RADIUS Packets

Context
To prevent RADIUS packets sent by a device from being discarded due to network
congestion, you can configure a DSCP value for the RADIUS packets sent by the
device to the RADIUS server in either the system view or the RADIUS server group
view. The DSCP value configured in the RADIUS server group view takes
precedence over that configured in the system view.

Procedure
● In the system view, configure a DSCP value for RADIUS packets:
a. Run system-view
The system view is displayed.
b. Run radius-server packet dscp dscp-value
A DSCP value is configured for RADIUS packets sent by the device.
c. Run commit
The configuration is committed.
● In the RADIUS server group view, configure a DSCP value for RADIUS packets:
a. Run system-view
The system view is displayed.
b. Run radius-server group group-name
The RADIUS server group view is displayed.
c. Run radius-server packet dscp dscp-value
A DSCP value is configured for RADIUS packets sent by the device.

d. Run commit
The configuration is committed.
----End

Configuring the Device to Use Extended Source Ports to Send and Receive RADIUS
Packets

Context
You can configure the device to use extended source ports instead of the default
ports for sending and receiving RADIUS packets. This configuration also enables
you to increase the number of non-retransmitted packets sent to the RADIUS
server in a certain period of time.
The first half of the extended source ports are used to send and receive RADIUS
authentication packets, whereas the second half of the ports are used to send and
receive RADIUS accounting packets. If an odd number of ports is specified, one
port more is used for sending and receiving authentication packets than for
accounting packets.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server extended-source-ports [ start-port start-port-number ] port-number port-number
Extended source ports for sending and receiving RADIUS packets are configured.

NOTE

If you do not specify start-port-number when configuring extended source ports, the system
assigns a configured number of valid extended source ports.

Step 3 Run radius-server extended-source-ports algorithm round-robin


The device is configured to use the round-robin algorithm to select extended
source ports for sending RADIUS packets.
Step 4 Run commit
The configuration is committed.

----End

Configuring RADIUS Packets to Carry Attributes

Context
By default, the device does not send many attributes to the RADIUS server, so that
the server is not flooded with attributes it does not require or recognize. If the
server needs any of these attributes, you can configure the device to carry them in
RADIUS packets.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run radius-server group group-name

The RADIUS server group view is displayed.

Step 3 Configure RADIUS packets to carry certain attributes as required.

Table 1-6 Configuring RADIUS packets to carry certain attributes

Operation: Configure RADIUS packets to carry a new attribute.
Command: radius-attribute include radius-attribute-name

Operation: Configure accounting-on/accounting-off packets to carry the NAS-IP-Address attribute.
Command: radius-attribute include nas-ip-address { accounting-on | accounting-off } *

Operation: Configure accounting-on or accounting-off packets to carry the Event-Timestamp attribute.
Command: radius-attribute include event-timestamp { accounting-on | accounting-off }

Operation: Configure authentication or accounting packets to carry the HW-Avpair attribute.
Command: radius-attribute include hw-avpair { hw-avpair-name packet-type | hw-avpair-name-without-packet-type }

Operation: Configure authentication request packets and accounting packets to carry the CMCC-NAS-Type attribute.
Command: radius-attribute include cmcc-nas-type

Operation: Configure accounting request packets to carry the 32-bit Framed-IP-Netmask attribute.
Command: radius-attribute enable framed-ip-netmask netmask-length account-request

Operation: Configure accounting request packets to carry the HW-Tunnel-Group-Name, HW-Client-Primary-DNS, or HW-Client-Secondary-DNS attribute.
Command: radius-attribute include { hw-tunnel-group-name | hw-client-primary-dns | hw-client-secondary-dns } accounting-request

Operation: Configure authentication request packets to carry the HW-DHCP-Option attribute.
Command: radius-attribute include hw-dhcp-option option-num &<1-16>

Operation: Configure authentication request packets to carry the HW-DHCPv6-Option attribute.
Command: radius-attribute include hw-dhcpv6-option v6-option-num &<1-16>

Operation: Configure accounting packets to carry the HW-DHCPv6-Option37 attribute.
Command: radius-attribute include hw-dhcpv6-option37 accounting-request

Operation: Configure accounting packets to carry the HW-VPN-Instance attribute.
Command: radius-attribute include hw-vpn-instance accounting-request

Operation: Configure accounting packets to carry the Framed-Route attribute.
Command: radius-attribute include framed-route accounting-request

Operation: Configure accounting packets to carry the HW-Web-Url attribute.
Command: radius-attribute include hw-web-url accounting-request

Operation: Configure Accounting Stop packets to carry the HW-Acct-terminate-subcause attribute.
Command: radius-attribute include hw-acct-terminate-subcause [ edsg ]

Operation: Configure CoA-NAK messages to carry the Reply-Message attribute.
Command: radius-attribute include reply-message coa-nak

Operation: Configure ACK packets to carry the Reply-Message attribute when a switchover from the CoA-based pre-authentication domain to the authentication domain is performed successfully.
Command: radius-attribute include reply-message logon-ack

Operation: Configure CoA Query ACK packets to carry the Reply-Message attribute.
Command: radius-attribute include reply-message query-ack

Operation: Configure CoA ACK packets to carry the remaining online duration, online duration, and user group information.
Command: radius-attribute include { session-timeout | online-time | user-group } coa-query-ack

Operation: Configure DHCPv4 Access-Request packets to be sent to the RADIUS server to carry the gateway IP address.
Command: radius-attribute include hw-gateway-address access-request

Step 4 Run commit


The configuration is committed.

----End

Configuring RADIUS Attribute Translation

Context
Different vendors define some RADIUS attributes differently and provide RADIUS
servers that support different RADIUS attribute sets. To communicate with
different RADIUS servers, the device provides the RADIUS attribute translation
function.
After this function is configured, the device can encapsulate or parse src-attribute
by using the format of dest-attribute when sending or receiving RADIUS packets,
enabling the device to communicate with different types of RADIUS servers.
This function is applied when one attribute has multiple formats. For example, the
nas-port-id attribute has a new format and an old format. If the device uses the
new format but the RADIUS server uses the old format, you can run the
radius-attribute translate nas-port-id nas-port-identify-old receive send command
on the device.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run radius-server group group-name

The RADIUS server group view is displayed.

Step 3 Run radius-server attribute translate

RADIUS attribute translation is enabled.

Step 4 Perform any of the following operations to configure RADIUS attribute translation:

Table 1-7 Attribute translation modes

Operation: Configure attribute translation for response or request packets.
Command: radius-attribute translate src-attr-description dest-attr-description { { receive | send } * }

Operation: Configure attribute translation for any combination of Access-Accept, Access-Request, or accounting packets.
Command: radius-attribute translate src-attr-description dest-attr-description { access-accept | { access-request | account } * }

Operation: Configure extended attribute translation for any combination of Access-Accept, Access-Request, or accounting packets.
Command: radius-attribute translate extend src-attr-description dest-attr-description { access-accept | { access-request | account } * }

Operation: Configure extended attribute translation for Access-Request packets, accounting packets, or both.
Command: radius-attribute translate extend src-attr-description vendor-specific src-vendor-id src-sub-attr-id { access-request | account } *

Operation: Configure extended attribute translation for Access-Accept packets.
Command: radius-attribute translate extend vendor-specific src-vendor-id src-sub-attr-id dest-attr-description access-accept

Step 5 Run commit

The configuration is committed.

----End

Disabling RADIUS Attributes

Prerequisites
You must enable RADIUS attribute translation before disabling RADIUS attributes.

Context
RADIUS attributes need to be disabled in the following scenarios:
● The RADIUS server cannot identify or does not expect some RADIUS
attributes. In this scenario, you can disable the device from encapsulating
some attributes into the packets it sends to the RADIUS server.
● You want the device to ignore some attributes sent by the RADIUS server. In
this scenario, you can disable the device from processing the attributes.
This function takes effect on only the RADIUS servers in the RADIUS server group
within which it is configured. A maximum of 64 attributes can be disabled in a
RADIUS server group.
You can disable RADIUS attributes of both the sent and received packets on the
device.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server group group-name
The RADIUS server group view is displayed.
Step 3 Run radius-server attribute translate
RADIUS attribute translation is enabled.
Step 4 Run any of the following commands to disable RADIUS attributes:

Table 1-8 Attribute disabling modes

Operation: Disable attributes for response packets, request packets, or both.
Command: radius-attribute disable { attr-description | hw-acct-update-address } { receive | send } *

Operation: Disable attributes for any combination of Access-Accept, Access-Request, or accounting packets.
Command: radius-attribute disable { attr-description | hw-acct-update-address } { access-request | access-accept | account [ start ] } *

Operation: Disable extended attributes for any combination of Access-Accept, Access-Request, or accounting packets.
Command: radius-attribute disable extend attr-description { access-request | access-accept | account } *

Operation: Disable extended attributes for Access-Accept packets.
Command: radius-attribute disable extend vendor-specific src-vendor-id src-sub-attr-id access-accept

Operation: Disable RADIUS attributes with specified data types and carried in response packets.
Command: radius-attribute disable { attr-description | hw-acct-update-address } { ip forbid-ip | string forbid-string | bin forbid-bin-value | integer vendor-id } receive

Step 5 Run commit


The configuration is committed.

----End

Configuring Standard RADIUS Attributes

Context
For details about the RADIUS attributes supported by the device, see Description
of RADIUS Attributes. The content, format, and encapsulation mode of some
RADIUS attributes can be configured.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server group group-name
The RADIUS server group view is displayed.
Step 3 Configure standard RADIUS attributes in the RADIUS server group view as
required.

Table 1-9 Configuring standard RADIUS attributes in the RADIUS server group view

Operation: Configure the No. 25 RADIUS attribute (Class).
Command: radius-attribute assign class partial-match string-value pppoe motm [ encap-format format-string delimiter | exclude local ] *
Description: Run this command to configure the device to encapsulate the Class attribute into a PPP packet's MOTM field.

Step 4 Run commit

The configuration is committed.

----End

Configuring Extended RADIUS Attributes

Context
The content or format of some Huawei proprietary RADIUS attributes can be
configured.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run radius-server group group-name

The RADIUS server group view is displayed.

Step 3 Configure extended RADIUS attributes in the RADIUS server group view as
required.

Table 1-10 Configuring extended RADIUS attributes in the RADIUS server group view

Operation: Configure Huawei No. 31 extended RADIUS attribute (HW-QOS-Profile-Name).
Command: radius-attribute case-sensitive qos-profile-name
Description: Run this command to configure the Huawei No. 31 extended RADIUS attribute HW-QOS-Profile-Name to be case-sensitive. The QoS profile name on the device is case-sensitive. If the QoS profile name delivered by the RADIUS server is also case-sensitive, the QoS profile names must be of the same case. Otherwise, the QoS policy may be incorrect.

Step 4 Run commit

The configuration is committed.

----End
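The following is an added configuration example, not taken from this guide, that applies the group-level commands from the preceding sections (DSCP override, attribute inclusion, translation, disabling, and case-sensitivity) to one RADIUS server group. The group name, DSCP value, and DHCP option number are constructed, and the group's servers and shared keys (configured in earlier sections) are not shown.

```text
# Added example: one RADIUS server group with attribute handling configured.
# Lines beginning with "#" are explanatory comments, not commands.
# Constructed values: group name "rg-isp-a", DSCP 48, DHCP option 82.
system-view
radius-server group rg-isp-a
 # A group-level DSCP takes precedence over "radius-server packet dscp"
 # configured in the system view.
 radius-server packet dscp 48
 # Attributes not sent by default: carry NAS-IP-Address and Event-Timestamp in
 # Accounting-On/Off packets, DHCP option 82 in authentication requests, and
 # Reply-Message in CoA-NAK messages.
 radius-attribute include nas-ip-address accounting-on accounting-off
 radius-attribute include event-timestamp accounting-on
 radius-attribute include hw-dhcp-option 82
 radius-attribute include reply-message coa-nak
 # The server still uses the old NAS-Port-Id format: translate in both
 # directions (the example from "Configuring RADIUS Attribute Translation").
 # Translation must be enabled before attributes can be disabled.
 radius-server attribute translate
 radius-attribute translate nas-port-id nas-port-identify-old receive send
 # Do not send HW-Acct-Update-Address to a server that does not recognize it
 # (at most 64 attributes can be disabled per group).
 radius-attribute disable hw-acct-update-address send
 # QoS profile names on the device are case-sensitive; match them exactly.
 radius-attribute case-sensitive qos-profile-name
 commit
 quit
# Confirm what the group actually carries (see "Verifying the Configuration").
display radius-server configuration group rg-isp-a
display radius-attribute server-group rg-isp-a packet accounting-on
```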

1.1.2.4.3 (Optional) Configuring RADIUS Server Status Detection

Context
RADIUS clients can detect the status of RADIUS servers and, based on the
responses they receive, determine the real-time status of the servers. This helps
identify which servers are in the Up state so that user request packets can be
processed in real time.
The configuration is valid for all RADIUS servers.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server { dead-count count [ fail-rate fail-rate ] | dead-time dead-time
[ recover-count invalid ] | dead-interval interval } *
Parameters are configured for determining whether the state of a RADIUS server
changes from Up to Down.
If the device sends the number of consecutive RADIUS packets specified by
dead-count to the RADIUS server without receiving any response, and the time
between when the first response was expected and when the dead-count-th
response was expected is longer than dead-interval, the device considers the
RADIUS server abnormal. In this case, the device sets the state of the RADIUS
server to Down.
Step 3 Configure a mode for restoring the Up state of the RADIUS server after its state is
set to Down.

Table 1-11 Configuring a mode for restoring the Up state of the RADIUS server after its state is set to Down

Operation: Configure automatic recovery of the RADIUS server state.
Command: radius-server dead-time time-value [ recover-count invalid ]
Description: After the device sets the state of a RADIUS server to Down, the device waits a period specified by dead-time. The device then sets the state of the RADIUS server to Up and attempts to set up a connection with it. If the connection cannot be set up, the device sets the state of the RADIUS server to Down again.

Operation: Configure RADIUS server state detection and restoration.
Command: radius-server state-recovery-detect { authentication | accounting } username username [ detect-interval detect-interval ] [ detect-threshold detect-threshold ]
Description: Run this command to enable RADIUS server state detection and restoration so that the device can accurately determine the state of the RADIUS server. The device then sends detection packets to the RADIUS server at an interval specified by detect-interval. If detection succeeds for a consecutive number of times specified by detect-threshold, the device sets the RADIUS server state to Up again.
NOTE: After this command is run, the radius-server dead-time dead-time [ recover-count invalid ] command does not take effect. That is, the RADIUS server state will not be automatically set to Up after the period specified by dead-time expires.

Step 4 Run commit

The configuration is committed.

----End

1.1.2.4.4 (Optional) Configuring Whitelist Session-CAR for RADIUS Sessions

Context
When packets sent to the RADIUS server form a traffic burst, RADIUS sessions
may preempt bandwidth. To resolve this problem, you can configure whitelist
session-CAR for RADIUS sessions to isolate bandwidth resources by session. If the
default parameters of whitelist session-CAR for RADIUS do not meet service
requirements, you can adjust them as required.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run whitelist session-car radius { cir cir-value | pir pir-value | cbs cbs-value | pbs
pbs-value } *

Bandwidth parameters are configured for whitelist session-CAR of RADIUS.

Step 3 (Optional) Run whitelist session-car radius disable

Whitelist session-CAR for RADIUS sessions is disabled.

Whitelist session-CAR for RADIUS sessions can be disabled only when this function
is abnormal. Under normal circumstances, enabling whitelist session-CAR for
RADIUS sessions is recommended.

Step 4 Run commit

The configuration is committed.

----End
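The following is an added configuration example, not taken from this guide, that combines the system-view settings from the preceding sections: the default DSCP value, extended source ports (with an odd port count to show the authentication/accounting split), Up-to-Down detection, detection-based recovery, and the whitelist session-CAR check. The port range, probe account name, slot ID, and all numeric values are constructed; the value ranges and units of dead-count, dead-interval, detect-interval, and detect-threshold are assumed to be those in the command reference.

```text
# Added example: system-view RADIUS transport and server-status settings.
# Lines beginning with "#" are explanatory comments, not commands.
system-view
# Default DSCP for RADIUS packets from this device; a group-level
# "radius-server packet dscp" overrides it for that group.
radius-server packet dscp 48
# Seven extended source ports, 50000-50006. With an odd count the first half
# rounds up: 50000-50003 carry authentication, 50004-50006 carry accounting.
radius-server extended-source-ports start-port 50000 port-number 7
radius-server extended-source-ports algorithm round-robin
# Up -> Down: three consecutive unanswered requests whose expected responses
# span more than dead-interval mark the server Down.
radius-server dead-count 3 dead-interval 5
# Down -> Up: probe with authentication requests for "radius-probe" every
# detect-interval; after detect-threshold consecutive successes the server is
# Up again. Use a dedicated probe account with no service privileges on the
# RADIUS server. While this is configured, radius-server dead-time has no
# effect.
radius-server state-recovery-detect authentication username radius-probe detect-interval 30 detect-threshold 3
# Whitelist session-CAR for RADIUS is on by default. Change
# "whitelist session-car radius cir ... pir ... cbs ... pbs ..." only if the
# defaults do not meet service requirements, and do not disable it unless the
# function itself is malfunctioning.
commit
# Checks from "Verifying the Configuration" (slot ID constructed).
display radius-server configuration
display cpu-defend whitelist session-car radius statistics slot 1
```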

1.1.2.4.5 Verifying the Configuration

Prerequisites
The server template has been configured.

Context
After configuring a RADIUS server, you can view the server configurations, the
supported RADIUS attributes, and statistics about RADIUS packets.

Procedure
● Run the display radius-server configuration [ group groupname ] command
to check the configuration of the RADIUS server group.
● Run the display radius-attribute [ name attribute-name | { type { 3gpp |
cmcc | dsl | huawei | microsoft | redback | standard | cisco } attribute-
number } ] command to check the RADIUS attributes supported by the
system.
● Run the display radius-attribute [ server-group server-group-name packet
{ access-request | access-accept | access-reject | accounting-request |
accounting-response | coa-request | coa-ack | coa-nak | dm-request | dm-
ack | dm-nak | accounting-on | accounting-off } ] command to check the
attributes carried in various packets in the RADIUS server group.
● Run the display radius-server packet { ip-address | ipv6-address } ip-
address [ vpn-instance vpn-instance ] { accounting | authentication | coa |
dm } command to check statistics about packets on the RADIUS server with a
specified IP address.
● Run the display radius-attribute packet-count command to check the
number of times an attribute occurs in a RADIUS packet.
● Run the display cpu-defend whitelist session-car radius statistics slot slot-
id command to check statistics about whitelist session-CAR for RADIUS
sessions on a specified interface board.
● Run the display cpu-defend whitelist-v6 session-car radiusv6 statistics slot
slot-id command to check statistics about whitelist session-CAR for RADIUSv6
sessions on a specified interface board.
----End

1.1.2.5 Configuring Command-Line Authorization


Command-line authorization determines whether the user has the right to run a
command. Command-line authorization is classified into level authorization and
task authorization.

Usage Scenario
Command-line authorization is used to implement the management and
authorization for the command-line rights of users.

NOTE
The priority of level authorization is higher than that of task authorization, that is, if both
the level authorization and task authorization are configured on a local user, the level
authorization takes effect.

Pre-configuration Tasks
Before configuring command-line authorization, configure link layer protocol
parameters and IP addresses for interfaces to ensure that link layer protocols on
each interface are Up.

1.1.2.5.1 Configuring Level Authorization


Configuring level authorization involves configuring the level authorization mode,
adjusting the level of the user or command line, and configuring the user level
promotion authentication mode.

Context
Configuring level authorization involves the following configurations:
● Configuring the level authorization mode
Level authorization is classified into local authorization and remote
HWTACACS authorization.
● Adjusting the level of the command line
The user can customize the level of the command line.

Procedure
● Configure the level authorization mode.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.

c. Run authorization-scheme authorization-scheme-name
The authorization scheme view is displayed.
d. Run authorization-cmd [ privilege-level ] mode1 [ mode2 ]
The level authorization mode is configured.
e. Run commit
The configuration is committed.
● Adjust the level of the command line.
For how to adjust the command line level, see Configuring Command Levels.

----End

1.1.2.5.2 Configuring Task Authorization


Compared with level authorization, task authorization supports the customization
of the user group and task group according to the application scenario. Therefore,
task authorization provides a more flexible right control granularity.

Context
Configuring task authorization involves the following configurations:

● Adding tasks to the task group


● Adding task groups to the user group

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run aaa

The AAA view is displayed.

Step 3 Run authorization-scheme authorization-scheme-name

The authorization scheme view is displayed.

Step 4 Run authorization-cmd [ privilege-level ] mode1 [ mode2 ]

The level authorization mode is configured.

Step 5 Run quit

The AAA view is displayed.

Step 6 Run task-group task-group-name

The task group is created, and the task group view is displayed.

Step 7 Run one of the following commands to set task permissions.
● Run the task task-name { read | write | execute | debug } * command to set
permissions for a specific task.
● Run the batch-task { read | write | execute | debug } * task-name-list { task-
name &<1-20> } command to set permissions for tasks in batches.
● Run the task-all { read | write | execute | debug } * command to set
permissions for all tasks in batches.
Step 8 (Optional) Run rule command rule-name permit view view-name expression
command-string
Permission to run a specific command is granted.
This command applies to a single command. Compared with the task command,
this command is more granular and can be used for a single command or a batch
of commands with the same prefix.
In the same task group, the priority of the rule command command is higher
than that of the task command. When the rule command command
configuration conflicts with the task command configuration, the rule command
command configuration takes effect preferentially.
Step 9 (Optional) Run include task-group task-group-name
A specific task group is added to the current task group.
To allow the authority of the current task group to contain the authority of
another task group or the current task group to inherit the authority of an existing
task group, run the include task-group command.
If the authority of the contained task group changes, the authority of the current
task group will change.
Step 10 Run quit
The AAA view is displayed.
Step 11 Run user-group user-group-name
The user group is created, and the user group view is displayed.
Step 12 Run task-group task-group-name
The specified task group is added to the current user group.
Step 13 (Optional) Run include user-group user-group-name
A specific user group is added to the current user group.
To allow the authority of the current user group to contain the authority of
another user group or the current user group to inherit the authority of an
existing user group, run the include user-group command.
The authority of a user group is determined by that of the user group it contains.
If the authority of the contained user group changes, the authority of the current
user group will change.
Step 14 (Optional) Run rule command rule-name { permit | deny } view view-name
expression command-string
Permission to run a specific command is granted or denied.
This command applies to a single command.

Rules take effect in the following descending order of priority: rules configured in
the user group view (including the rules inherited from other user groups using the
include user-group command), rules configured in the task group view (rule
command), and tasks configured in the task group (task).

If the rules configured in a user group conflict with the rules inherited from other
user groups using the include user-group command, the rules configured in the
user group take effect preferentially.

Step 15 Run quit

The AAA view is displayed.

Step 16 Run local-user user-name password [ cipher password | irreversible-cipher
irreversible-cipher-password ]
A local user is created, and the password of the user is configured.

NOTE

The new password is at least eight characters long and contains at least two of the following
types: upper-case letters, lower-case letters, digits, and special characters, except the question
mark (?) and space.

Step 17 Run local-user user-name user-group user-group-name

The local user is added to the specified user group.

Step 18 Run commit

The configuration is committed.

----End

1.1.2.5.3 Verifying the Command-line Authorization Configuration


After command-line authorization is configured, you can view the information
about the task group and the user group.

Prerequisites
Related configurations of command-line authorization are complete.

Procedure
● Run display task-group [ task-group-name ]

Related information about the task group is displayed.


● Run display aaa user-group [ user-group-name ]

Related information about the user group is displayed.

----End

1.1.2.6 Configuring the Command-Line Recording Scheme


Before configuring the command-line recording scheme, you must configure the
HWTACACS server template.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run aaa

The AAA view is displayed.

Step 3 Run recording-scheme recording-scheme-name

The recording scheme is created, and the recording scheme view is displayed.

Step 4 Run recording-mode hwtacacs template-name

The HWTACACS server template associated with the recording scheme is
configured.

Step 5 Run quit

The AAA view is displayed.

Step 6 Run cmd recording-scheme recording-scheme-name

The command-line recording scheme is configured for the user.

Step 7 Run system recording-scheme recording-scheme-name

The system recording scheme is configured on the device.

Step 8 Run outbound recording-scheme recording-scheme-name

An outbound recording scheme is configured, which records the remote login
operations performed when the device functions as a client.

Step 9 Run commit

The configuration is committed.

----End
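The following is an added configuration example, not taken from this guide, that walks through the task authorization procedure (1.1.2.5.2) and the command-line recording scheme (1.1.2.6) together: a read-only operations account whose permissions come from a task group and user group, with every command it runs reported to an HWTACACS server. All names are constructed; the authorization mode keyword "local", the rule view name, and the rule expressions are assumptions to be checked against the command reference, and the HWTACACS template "tacacs-audit" is assumed to exist already.

```text
# Added example: least-privilege operator account via task authorization,
# plus command-line recording. "#" lines are comments, not commands.
# Constructed names: authorization scheme "az-cli", task group "tg-readonly",
# user group "ug-noc", local user "noc-ops", recording scheme "rec-cli",
# HWTACACS template "tacacs-audit" (configured beforehand, not shown).
system-view
aaa
 authorization-scheme az-cli
  # "local" is an assumed mode keyword (the guide lists local and remote
  # HWTACACS authorization without naming the keywords).
  authorization-cmd 3 local
  quit
 # Task group: read and execute on every task, nothing more. Within a task
 # group a "rule command" outranks the "task" permissions when they conflict.
 task-group tg-readonly
  task-all read execute
  # View name "user" and the expression are assumed values.
  rule command allow-display permit view user expression "display *"
  quit
 # User group: inherits the task group. A rule set here outranks both the
 # task-group rules and the task permissions, so the deny below wins over
 # the task-group permit for this one command.
 user-group ug-noc
  task-group tg-readonly
  rule command no-cfg-dump deny view user expression "display current-configuration"
  quit
 # Local user with a placeholder password (at least 8 characters, at least
 # two character types, no "?" or space) and membership in the user group.
 local-user noc-ops password irreversible-cipher <Replace-With-Strong-Password>
 local-user noc-ops user-group ug-noc
 # Recording: user commands, system operations and outbound logins are all
 # sent to the HWTACACS template "tacacs-audit".
 recording-scheme rec-cli
  recording-mode hwtacacs tacacs-audit
  quit
 cmd recording-scheme rec-cli
 system recording-scheme rec-cli
 outbound recording-scheme rec-cli
 commit
 quit
# Verification commands from 1.1.2.5.3.
display task-group tg-readonly
display aaa user-group ug-noc
```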

1.1.2.7 Configuring AAA Security Measures


You can set the password strength requirement and maximum number of
unsuccessful login attempts to improve AAA security.

1.1.2.7.1 Security Hardening for Local User Accounts


To enhance the security of local accounts, you can configure the maximum
number of user login failures, password complexity restriction, and minimum
password length.

Context
To prevent security issues such as account theft caused by simple usernames and
passwords and excessive login failures, you can improve password complexity and
limit the number of login failures. This helps enhance system security.

If the login password does not satisfy the security hardening policy, the system
prompts you to change your password. Change your password based on the
prompted message.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run user-security-policy enable
A security policy is configured for local user accounts.
Step 3 Run aaa
The AAA view is displayed.
Step 4 Perform the following configurations in the AAA view to improve user security as
required.

Table 1-12 Configurations to improve user security in the AAA view

Operation: Enable forced change of initial password for local users.
Command: undo user-password password-force-change disable
Description:
● If the current device version supports forced change of initial password for local users, this function is enabled by default, and you do not need to run this command. When a local user created or reset by the administrator logs in for the first time, the user is forced to change the initial password. To ensure user security, you are advised not to disable this function.
● If the device is upgraded from an earlier version that does not support forced change of initial password for local users to a later version that supports this function, this function is disabled by default. That is, the user-password password-force-change disable command is delivered by default. In this case, you can run this command to enable forced change of initial password for local users to improve user security.
● To disable forced change of initial password upon first login for a specified user, run the local-user user-name password-force-change disable command. This function may bring security risks. Exercise caution when performing this operation.

Operation: Configure the minimum username length for local users.
Command: user-name minimum-length length
Description: After this command is run, the newly created local user name must comply with the command configuration. Otherwise, the user cannot be created.

Operation: Configure the minimum password length for local users.
Command: user-password min-len min-length
Description: This command applies to passwords in plain text only.

Operation: Enable password complexity check for local users.
Command: user-password complexity-check
Description: -

Operation: Configure the number of historical passwords that cannot be used as a new password for local users.
Command: user-password history-password-check historyPwdNum
Description: -

Operation: Configure the function to prompt a local administrator to change the initial password upon a second login.
Command: user-password change
Description: -

Operation: Configure the aging period of a local account.
Command:
● user-aging aging-period
● local-user user-name aging aging-period
Description: To age a local user account that has been idle for a long time, run this command. If a user account remains idle for a configured aging period, the user account automatically ages.
The user-aging command applies to all users in the system. The local-user aging command applies only to a specified user.
If an aging period has been configured for all users using the user-aging command:
● If the local-user aging command is not run, the aging time configured using the user-aging command takes effect.
● If the local-user aging command is run, the aging time configured using the local-user aging command takes effect.

Operation: Configure an expiration date for a local user account.
Command: local-user user-name expire date
Description: If all administrative users (terminal, Telnet, FTP, and SSH users) on a device have an expiration date configured for their accounts, the account that expires last remains valid. This prevents all user accounts on the device from expiring.

Operation: Configure the period after which a local user password expires.
Command: local-user user-name password expire days
Description: To harden network security, administrators can run the local-user password expire command to configure the period after which a password expires. When the password is changed, the system resets the period.
The command applies only to local users. After a password expires, reconfigure a new password for the user. Otherwise, user login fails.

Operation: Set the password validity period and the period for advance warning before the password expires for administrators.
Command: user-password expire expire-days prompt prompt-days
Description: To prevent administrator accounts from being stolen due to unchanged passwords and other security issues, run this command to set the password validity period and the period for advance warning before the password expires.
Only a level-3 or higher-level administrator can run the command.
● The command applies only to administrators. The system prompts the administrator to change the password n days before the password expires.
● If the administrator does not change the password until the password expires, the administrator is denied access to the device.

Operation: Configure the period during which a local user is allowed to log in.
Command: local-user user-name login-period begin-time to end-time begin-day to end-day
Description: -

Operation: Set the state of a local user.
Command: local-user user-name state { active | block [ fail-times fail-times-value interval interval-value ] }
Description: -

Operation: Configure alarm and alarm clearance thresholds within a specified period.
Command: login-failed threshold-alarm upper-limit report-times lower-limit resume-times period period
Description: -

Step 5 Run quit

Return to the system view.

Step 6 Run local-aaa-server

The local AAA server view is displayed.

Step 7 Perform the following configurations in the local AAA view to improve user
security as required.

Table 1-13 Configurations to improve user security in the local AAA view

Operation: Enable password complexity check for local users.
Command: user-password complexity-check
Description: -

Operation: Configure the minimum password length for local users.
Command: user-password min-len min-length
Description: This command applies to passwords in plain text only.

Operation: Configure the function to prompt a local administrator to change the initial password upon a second login.
Command: user-password change
Description: -

Operation: Set the password validity period and the period for advance warning before the password expires.
Command: user-password expire expire-days prompt prompt-days
Description: -

Operation: Set the state of a local user to blocked.
Command: user username block [ fail-times fail-times-value interval interval-value ]
Description: -

Step 8 Run commit


The configuration is committed.

----End

Result
You can run the display current-configuration configuration configuration-type
command to view the configuration.

1.1.2.7.2 Configuring a Forbidden Password String for Local Users


To improve local account security, specify character strings that are not allowed in
passwords.

Context
Simple passwords can be easily compromised. To avoid security problems caused
by simple passwords, you can specify character strings that are not allowed in
passwords.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run security password

The password security view is displayed.

Step 3 Run rule admin

The rules management view is displayed.

Step 4 Run forbidden word word

A forbidden password string is configured.

After a forbidden password string is configured, new passwords cannot contain this string, regardless of case.

The forbidden word command takes effect only with local users' passwords. After
the forbidden word command is executed, a newly configured or modified
password cannot contain any forbidden password string. Otherwise, the
configuration fails. If an existing password contains a forbidden password string,
the system will prompt the user to change the password. The user, however, can
continue to use the password.

A device supports a maximum of 32 password configuration rules. Each rule can specify only one forbidden password string. The same forbidden password string can be specified in different rules.

Step 5 Run commit

The configuration is committed.

----End
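The rules in Table 1-13 and the forbidden-string rule above can be checked off-box before a password is pushed to a device. The following Python model is an added example, not NE9000 code. It assumes a complexity rule of at least three of four character classes (the guide does not define the rule), counts expire-days and prompt-days as calendar days from the last password change, and uses constructed sample passwords; the 32-rule cap and the case-insensitive forbidden-string match follow the text.

```python
"""Model of the local-user password rules described above (added example).

Assumptions not stated by the guide: the complexity check requires at least
three of the four character classes; expire-days and prompt-days are calendar
days counted from the last password change.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

MAX_RULES = 32  # a device supports at most 32 password configuration rules


def is_complex(password: str) -> bool:
    """Assumed complexity rule: at least three of lower/upper/digit/other."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= 3


@dataclass
class PasswordPolicy:
    min_len: int = 8                   # user-password min-len min-length
    complexity_check: bool = True      # user-password complexity-check
    expire_days: Optional[int] = None  # user-password expire expire-days ...
    prompt_days: int = 0               # ... prompt prompt-days
    forbidden_words: List[str] = field(default_factory=list)  # forbidden word word

    def add_forbidden_word(self, word: str) -> None:
        """One rule holds one forbidden string; the device caps rules at 32."""
        if len(self.forbidden_words) >= MAX_RULES:
            raise ValueError("no more than %d password rules" % MAX_RULES)
        self.forbidden_words.append(word)

    def check_new_password(self, password: str) -> List[str]:
        """Reasons a new or modified password is rejected; [] means accepted."""
        problems = []
        if len(password) < self.min_len:
            problems.append("shorter than min-len %d" % self.min_len)
        if self.complexity_check and not is_complex(password):
            problems.append("fails complexity check")
        lowered = password.lower()
        for word in self.forbidden_words:
            if word.lower() in lowered:  # forbidden strings match regardless of case
                problems.append("contains forbidden word %r" % word)
        return problems

    def audit_existing_password(self, password: str) -> str:
        """An existing password with a forbidden string stays usable; the user is prompted."""
        lowered = password.lower()
        if any(w.lower() in lowered for w in self.forbidden_words):
            return "prompt-change"
        return "ok"

    def expiry_status(self, changed_on: str, today: str) -> str:
        """'ok', 'prompt' (within prompt-days of expiry) or 'expired' (login denied).

        Dates are ISO strings such as '2023-09-30'.
        """
        if self.expire_days is None:
            return "ok"
        expires_on = date.fromisoformat(changed_on) + timedelta(days=self.expire_days)
        now = date.fromisoformat(today)
        if now >= expires_on:
            return "expired"
        if (expires_on - now).days <= self.prompt_days:
            return "prompt"
        return "ok"


if __name__ == "__main__":
    policy = PasswordPolicy(min_len=10, expire_days=90, prompt_days=7)
    policy.add_forbidden_word("Huawei")  # constructed forbidden string
    for candidate in ("huawei_Secret1", "Tr0ub4dor&3x!", "Ab1!"):
        print(candidate, policy.check_new_password(candidate) or "accepted")
    print(policy.expiry_status("2023-01-01", "2023-03-28"))
```

The model mirrors the device's behaviour for existing passwords: `audit_existing_password` only reports that a change should be prompted, because the guide states an existing password containing a forbidden string remains usable, while `check_new_password` rejects the same string outright.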


1.1.2.7.3 Configuring the Locking Function for Administrators Who Fail Remote
Authentication
To ensure account and password security of administrators, enable the account
locking function for administrators who fail remote authentication.

Context
After the account locking function is enabled for administrators who fail remote
authentication, the account will be locked if the number of consecutive incorrect
account or password attempts reaches the upper limit within the retry interval.
The account will be automatically unlocked after the locking period expires.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run administrator remote authen-fail retry-interval retry-interval retry-time
retry-time block-time block-time
The account locking function is enabled for administrators who fail remote
authentication.
Step 4 Run commit
The configuration is committed.
Step 5 Run remote-user authen-fail unblock { all | username username }
The remote authentication accounts that fail authentication are unlocked.

----End

Result
Run the display remote-user authen-fail [ blocked | username username ]
command to check the accounts that fail remote AAA authentication.
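The locking behaviour described in this section (lock after retry-time consecutive failures inside a retry-interval window, automatic unlock after block-time, manual unlock with remote-user authen-fail unblock) is easy to get wrong when writing a detection rule or a test plan for it. The following Python state machine is an added example, not NE9000 code; it assumes the three intervals are expressed in minutes and uses a constructed integer minute clock instead of wall-clock time.

```python
"""Model of the administrator remote authen-fail lockout (added example).

Assumption: retry-interval and block-time are minutes; `now` arguments are
integer minutes on a constructed monotonic clock.
"""
from typing import Dict, List, Optional


class RemoteAuthLockout:
    def __init__(self, retry_interval: int, retry_time: int, block_time: int) -> None:
        self.retry_interval = retry_interval  # window for counting consecutive failures
        self.retry_time = retry_time          # failures in the window that trigger the lock
        self.block_time = block_time          # locking period, after which the lock lifts
        self._failures: Dict[str, List[int]] = {}
        self._blocked_until: Dict[str, int] = {}

    def is_blocked(self, username: str, now: int) -> bool:
        until = self._blocked_until.get(username)
        if until is None:
            return False
        if now >= until:  # locking period expired: automatic unlock
            del self._blocked_until[username]
            return False
        return True

    def attempt(self, username: str, credentials_ok: bool, now: int) -> str:
        """Outcome of one remote authentication attempt for `username`."""
        if self.is_blocked(username, now):
            return "blocked"  # refused while the lock is in force
        if credentials_ok:
            self._failures.pop(username, None)  # success resets the consecutive count
            return "accepted"
        window_start = now - self.retry_interval
        recent = [t for t in self._failures.get(username, []) if t > window_start]
        recent.append(now)
        if len(recent) >= self.retry_time:
            self._blocked_until[username] = now + self.block_time
            self._failures.pop(username, None)
            return "locked"  # this failure reached the upper limit
        self._failures[username] = recent
        return "rejected"

    def unblock(self, username: Optional[str] = None) -> List[str]:
        """Mirror of remote-user authen-fail unblock { all | username username }."""
        if username is None:
            names = sorted(self._blocked_until)
            self._blocked_until.clear()
            return names
        return [username] if self._blocked_until.pop(username, None) is not None else []

    def blocked_accounts(self, now: int) -> List[str]:
        """Like display remote-user authen-fail blocked: accounts still locked."""
        return sorted(u for u in list(self._blocked_until) if self.is_blocked(u, now))
```

A useful property to test against the device itself: failures spaced further apart than retry-interval never accumulate, so a slow trickle of bad logins does not lock the account and only the threshold alarm (login-failed threshold-alarm) would surface it.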

1.1.2.8 Maintaining AAA and User Management


Maintaining AAA and user management involves displaying AAA configurations,
clearing AAA statistics, and forcing users to log out of the network.

1.1.2.8.1 Displaying the AAA Operation Information


You can view the AAA operation information if necessary.

Context
In routine maintenance, you can run the following commands in any view to view
the AAA operating status.


Procedure
● Run display aaa offline-record

User logout records are displayed.

User logout is recorded only after the record user logout function is enabled.

By default, this function is enabled.

If this function is disabled, you can run the aaa offline-record command to
enable this function again.
● Run display aaa online-fail-record

User login failure records are displayed.

User login failures are recorded only after the record user login failure
function is enabled.

By default, this function is enabled.

If this function is disabled, you can run the aaa online-fail-record command
to enable this function again.
● Run display access-user

The information about the users that pass AAA authentication is displayed.
● Run display hwtacacs current-status

The current status information about the HWTACACS server is displayed.


● Run display hwtacacs-server template

The configuration of the HWTACACS server is displayed.


● Run display local-user

The attributes of the local user are displayed.


● Run display recording-scheme

The configuration of the recording scheme is displayed.


● Run display task-group [ task-group-name ]

Related information about the task group is displayed.


● Run display user-group [ user-group-name ]

Related information about the user group is displayed.


● Run display aaa user-group [ user-group-name ]

Related information about the user group is displayed.

----End

1.1.2.8.2 Clearing AAA Statistics


You can clear AAA statistics by running the reset command.


Context

NOTICE

Statistics cannot be restored after being cleared. Therefore, confirm the action
before you run the following commands.

Procedure
● Run the reset radius statistics packet command in the system view to clear
statistics about the RADIUS server.
● After confirming that the statistics on the user login failures need to be
cleared, run the following command in the user view.

reset aaa online-fail-record


● After confirming that the statistics on the user offline records need to be
cleared, run the following command in the user view.

reset aaa offline-record


● After confirming that the statistics on the user abnormal offline records need to be
cleared, run the following command in the user view.

reset aaa abnormal-offline-record


● Run the reset aaa statistics { authentication | accounting } [ domain
domain-name ] command in any view to clear statistics about authentication
or accounting packets.
● After confirming that the statistics on the HWTACACS server need to be
cleared, run the following command in the user view.

reset hwtacacs-server statistics { all | authentication | authorization | accounting | common }
● After confirming that the count of the attributes in RADIUS packets needs to
be cleared, run the following command in the user view.

reset radius-attribute packet-count


● Run the reset cpu-defend whitelist session-car radius statistics slot slot-id
command to clear statistics about CAR for whitelisted RADIUS sessions on a
specified board.
● Run the reset cpu-defend whitelist-v6 session-car radiusv6 statistics slot
slot-id command to clear statistics about CAR for whitelisted RADIUSv6
sessions on a specified board.

----End

1.1.2.8.3 Logging Out Users


In some scenarios, for example, when the online duration of a user expires, you
can log out the user through AAA.


Procedure
● To log out users, run the following commands in the AAA view.
– Run the cut access-user ip-address ip-address [ end-ip-address ] [ vpn-
instance instance-name ] command to log out online users based on IP
addresses.
– Run the cut access-user ipv6-address ipv6-address [ vpn-instance
instance-name ] command to log out an online user based on an IPv6
address.
– Run the cut access-user username user-name { all | hwtacacs | local |
none | radius | radius-proxy } command to log out an online user based
on a username.
– Run the cut access-user domain domain-name command to log out
online users based on a domain name.
– Run the cut access-user user-id start-num [ end-num ] command to log
out an online user based on a user ID.
NOTE

● If the connection is torn down based on the domain name, all online users in
the domain are logged out.
● When connections are torn down according to usernames or user IDs, if there
are multiple connections satisfying the condition, they are torn down at the
same time.

----End

1.1.2.9 Configuration Examples for AAA and User Management


The configuration examples refer to the applications of the user group, local
authentication and authorization, RADIUS authentication and authorization, and
HWTACACS authentication and authorization on the actual network.

1.1.2.9.1 Examples for Configuring User Group Authorization


This section provides an example for configuring user group authorization on a
network so that the user groups network and service in the domain huawei can
manage the routing module and service module respectively.

Networking Requirements
As shown in Figure 1-3, two administrators (adminA and adminB)
simultaneously manage the Device. To normalize the operations, adminA and
adminB are required to manage the route module and MPLS module, respectively.
In addition, they have no permission to operate each other's module.


Figure 1-3 User group authorization

Precautions
During the configuration, note the following:
● adminA and adminB must belong to different user groups.
● The user groups to which adminA and adminB belong cannot overlap on
routes or MPLS permissions.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure task groups and add task instances of the corresponding modules.
2. Configure user groups and add corresponding task groups.
3. Configure users and specify user groups for them.

Data Preparation
To complete the configuration, you need the following data:
● Task group names
● User group names
● Domain name
● Local authentication for users

Procedure
Step 1 Configure task groups.
# Configure a task group for the routing module.
<Device> system-view


[~Device] aaa
[~Device-aaa] task-group route
[*Device-aaa-task-group-route] task ospf read write
[*Device-aaa-task-group-route] task isis read write
[*Device-aaa-task-group-route] task bgp read write
[*Device-aaa-task-group-route] commit
[~Device-aaa-task-group-route] quit

# Configure a task group for the MPLS module.


[~Device-aaa] task-group mpls
[*Device-aaa-task-group-mpls] task mpls-base read write
[*Device-aaa-task-group-mpls] task mpls-ldp read write
[*Device-aaa-task-group-mpls] task mpls-te read write
[*Device-aaa-task-group-mpls] commit
[~Device-aaa-task-group-mpls] quit

Step 2 Configure user groups.


# Configure the user group groupA.
[~Device-aaa] user-group groupA
[*Device-aaa-user-group-groupa] task-group route
[*Device-aaa-user-group-groupa] commit
[~Device-aaa-user-group-groupa] quit

# Configure the user group groupB.


[~Device-aaa] user-group groupB
[*Device-aaa-user-group-groupb] task-group mpls
[*Device-aaa-user-group-groupb] commit
[~Device-aaa-user-group-groupb] quit

Step 3 Configure users.


Configure the user adminA.
[~Device-aaa] local-user adminA password
Please configure the password (8-128)
Enter Password:
Confirm Password:
[*Device-aaa] local-user adminA user-group groupA
[*Device-aaa] commit

Configure the user adminB.


[~Device-aaa] local-user adminB password
Please configure the password (8-128)
Enter Password:
Confirm Password:
[*Device-aaa] local-user adminB user-group groupB
[*Device-aaa] commit

Step 4 Verify the configuration.


After the preceding configurations are complete, run the display task-group
[ task-group-name ] command to check the user group information.
<Device> display task-group route
-----------------------------------------------------------
Task group name : route
-----------------------------------------------------------

Task authorization
-----------------------------------------------------------
TaskName Authorization
-----------------------------------------------------------
ospf read write
bgp read write

interface-mgr read write execute
config read write execute
vlan read write execute
isis read write
shell read write execute
cli read execute
-----------------------------------------------------------
Total 8, 8 printed

----End

Configuration Files
#
diffserv domain default
#
admin
#
user-interface con 0
#
aaa
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
task-group route
task ospf read write
task bgp read write
task isis read write
#
task-group mpls
task mpls-base read write
task mpls-ldp read write
task mpls-te read write
#
user-group groupa
task-group route
#
user-group groupb
task-group mpls
#
domain default
local-user admina password cipher %^%#pPgn;|W90$J72.Ak$Y,IQ:gqIfPBTLjqW%,N`M_~%^%#
local-user admina user-group groupa
local-user adminb password cipher %^%#pPgn4@^7&QB*OY_,UMTLjqW%D0PV(YTLjqW%O1!!%^%#
local-user adminb user-group groupb
#
task defaultTask1
#
task defaultTask2
return

1.1.2.9.2 Example for Configuring Local Authentication and Authorization


This section provides an example for configuring local authentication and
authorization on a network.

Networking Requirements
As shown in Figure 1-4, the administrator admin@aaa logs in to the router
through Telnet, and local authentication and authorization are used. This user can
run all AAA commands and view ACL commands, but cannot configure ACL
commands.


Figure 1-4 Configuring local authentication and authorization

Precautions
None

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a task group and add the task instance of the corresponding
module.
2. Configure a user group, bind the user group to the corresponding task group,
and bind the user group to a domain.
3. Configure a user and specify a user group for the user.
4. Configure authentication and authorization modes.

Data Preparation
To complete the configuration, you need the following data:
● Task group name
● User group name
● Domain name
● Local authentication is performed for users on the device.

Procedure
Step 1 Configure a task group.
# Create a task group.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] task-group admin

# Add the AAA read and write task and ACL read-only task to the task group.
[*HUAWEI-aaa-task-group-admin] task aaa execute write read
[*HUAWEI-aaa-task-group-admin] task acl read
[*HUAWEI-aaa-task-group-admin] task config read write execute debug
[*HUAWEI-aaa-task-group-admin] commit
[~HUAWEI-aaa-task-group-admin] quit

Step 2 Create a user group, bind the user group to a domain, and bind the task group to
the user group.
# Create a user group.


[~HUAWEI-aaa] user-group admin

# Bind the task group to the user group.


[*HUAWEI-aaa-user-group-admin] task-group admin
[*HUAWEI-aaa-user-group-admin] commit
[~HUAWEI-aaa-user-group-admin] quit

Step 3 Configure authentication and authorization schemes for the user.


# Configure a local authentication scheme.
[~HUAWEI-aaa] authentication-scheme localtype
[*HUAWEI-aaa-authen-localtype] authentication-mode local
[*HUAWEI-aaa-authen-localtype] commit
[~HUAWEI-aaa-authen-localtype] quit

# Configure a local authorization scheme.


[~HUAWEI-aaa] authorization-scheme localtype
[*HUAWEI-aaa-author-localtype] authorization-mode local
[*HUAWEI-aaa-author-localtype] commit
[~HUAWEI-aaa-author-localtype] quit

# Apply the authentication and authorization schemes to a domain.


[~HUAWEI-aaa] domain aaa
[*HUAWEI-aaa-domain-aaa] authentication-scheme localtype
[*HUAWEI-aaa-domain-aaa] authorization-scheme localtype
[*HUAWEI-aaa-domain-aaa] commit
[~HUAWEI-aaa-domain-aaa] quit

Step 4 Create a local user.


[~HUAWEI-aaa] local-user admin@aaa password
Please configure the password (8-128)
Enter Password:
Confirm Password:
[*HUAWEI-aaa] local-user admin@aaa user-group admin
[*HUAWEI-aaa] commit
[~HUAWEI-aaa] quit
[~HUAWEI] telnet server enable
[*HUAWEI] commit

Step 5 Verify the configuration.


After completing the preceding configurations, the user goes online through
Telnet. It is found that the user can run AAA commands and view ACL commands
but cannot configure ACL commands.
[~HUAWEI] acl 3000
Error: No permission to run the command.

----End

Configuration Files
#
aaa
local-user admin@aaa password cipher %^%#pPgn;|W90$J72.Ak$Y,IQ:gqIfPBTLjqW%,N`M_~%^%#
local-user admin@aaa user-group admin
#
authentication-scheme default
#
authentication-scheme localtype
#
authorization-scheme default
#
authorization-scheme localtype


#
accounting-scheme default
#
domain default
#
domain aaa
authentication-scheme localtype
authorization-scheme localtype
#
task-group admin
task acl read
task aaa read write execute
task config read write execute debug
#
user-group admin
task-group admin
#
interface GigabitEthernet3/0/0
undo shutdown
ip address 10.137.217.251 255.255.254.0
#
ip route-static 0.0.0.0 0.0.0.0 10.137.216.1
#
user-interface vty 0 4
authentication-mode aaa
return
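The two examples above (user group authorization in 1.1.2.9.1 and local authorization in 1.1.2.9.2) both rely on the same chain: local user → user group → task groups → per-task permissions. The following Python model is an added example, not NE9000 code; it reproduces the route/mpls and admin task groups from the examples so the permission checks can be reasoned about off-box. Names are stored in lower case, as the configuration files above show (groupa, admina), and the device's built-in default tasks listed by display task-group (config, shell, cli, ...) are not modelled.

```python
"""Model of task-group / user-group authorization (added example, not device code)."""
from typing import Dict, Set

PERMISSIONS = ("read", "write", "execute", "debug")


class AaaAuthorization:
    def __init__(self) -> None:
        self.task_groups: Dict[str, Dict[str, Set[str]]] = {}
        self.user_groups: Dict[str, Set[str]] = {}
        self.users: Dict[str, str] = {}

    def task_group(self, name: str, tasks: Dict[str, str]) -> None:
        """task-group NAME with one `task TASK perm [perm ...]` line per entry."""
        group = self.task_groups.setdefault(name.lower(), {})
        for task, perms in tasks.items():
            granted = set(perms.split())
            unknown = granted - set(PERMISSIONS)
            if unknown:
                raise ValueError("unknown permission(s): %s" % sorted(unknown))
            group[task] = granted

    def user_group(self, name: str, *task_groups: str) -> None:
        """user-group NAME binding one or more existing task groups."""
        for tg in task_groups:
            if tg.lower() not in self.task_groups:
                raise KeyError("task group %s does not exist" % tg)
        self.user_groups.setdefault(name.lower(), set()).update(t.lower() for t in task_groups)

    def local_user(self, username: str, user_group: str) -> None:
        """local-user USERNAME user-group GROUP."""
        if user_group.lower() not in self.user_groups:
            raise KeyError("user group %s does not exist" % user_group)
        self.users[username.lower()] = user_group.lower()

    def effective(self, username: str) -> Dict[str, Set[str]]:
        """Union of task permissions over every task group bound to the user's group."""
        result: Dict[str, Set[str]] = {}
        group = self.users.get(username.lower())
        if group is None:
            return result
        for tg in self.user_groups[group]:
            for task, perms in self.task_groups[tg].items():
                result.setdefault(task, set()).update(perms)
        return result

    def permitted(self, username: str, task: str, permission: str) -> bool:
        """Would a command needing `permission` on `task` be allowed for the user?"""
        return permission in self.effective(username).get(task, set())

    def overlapping_tasks(self, user_a: str, user_b: str) -> Set[str]:
        """Tasks both users can touch; the Precautions in 1.1.2.9.1 require this to be empty."""
        return set(self.effective(user_a)) & set(self.effective(user_b))


def build_user_group_example() -> AaaAuthorization:
    """Configuration from 1.1.2.9.1: route and mpls task groups, groupA/groupB, adminA/adminB."""
    aaa = AaaAuthorization()
    aaa.task_group("route", {"ospf": "read write", "isis": "read write", "bgp": "read write"})
    aaa.task_group("mpls", {"mpls-base": "read write", "mpls-ldp": "read write",
                            "mpls-te": "read write"})
    aaa.user_group("groupA", "route")
    aaa.user_group("groupB", "mpls")
    aaa.local_user("adminA", "groupA")
    aaa.local_user("adminB", "groupB")
    return aaa


def build_local_auth_example() -> AaaAuthorization:
    """Configuration from 1.1.2.9.2: task group admin with AAA read/write/execute and ACL read."""
    aaa = AaaAuthorization()
    aaa.task_group("admin", {"aaa": "read write execute", "acl": "read",
                             "config": "read write execute debug"})
    aaa.user_group("admin", "admin")
    aaa.local_user("admin@aaa", "admin")
    return aaa
```

Running `build_local_auth_example().permitted("admin@aaa", "acl", "write")` gives False, which is the off-box counterpart of the "No permission to run the command." error shown when that user enters acl 3000.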

1.1.2.9.3 Example for Configuring HWTACACS Authentication, Authorization, and Accounting for Access Users
This section provides an example for configuring HWTACACS authentication,
authorization, and accounting for users in the domain huawei on a network so
that the users are authenticated, authorized, and charged using HWTACACS.

Networking Requirements
As shown in Figure 1-5:
● Access users are first authenticated locally. If local authentication fails, the
HWTACACS server is used to authenticate the users.
● HWTACACS authentication is required before the level of access users is
upgraded. If HWTACACS authentication fails, local authentication is used.
● HWTACACS authorization is performed for access users.
● All access users need to be charged.
● The HWTACACS server at 192.168.66.66/32 functions as the primary server,
with authentication port 49, authorization port 49, and accounting port 49.
The HWTACACS server at 192.168.66.67/32 functions as the secondary server,
with authentication port 49, authorization port 49, and accounting port 49 by
default.


Figure 1-5 Configuring HWTACACS authentication, authorization, and accounting for access users

Precautions
None

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an HWTACACS server template.
2. Configure authentication, authorization, and accounting schemes.
3. Apply the HWTACACS server template, authentication scheme, authorization
scheme, and accounting scheme to a domain.

Data Preparation
To complete the configuration, you need the following data:
● IP addresses of the primary and secondary HWTACACS authentication servers
● IP addresses of the primary and secondary HWTACACS authorization servers
● IP addresses of the primary and secondary HWTACACS accounting servers
● Local or HWTACACS authentication is performed for users on DeviceB.

Procedure
Step 1 Enable HWTACACS and configure an HWTACACS server template.
# Enable HWTACACS and configure an HWTACACS server template named ht.


<HUAWEI> system-view
[~HUAWEI] hwtacacs enable
[*HUAWEI] hwtacacs-server template ht

# Configure IP addresses and port numbers for the primary HWTACACS authentication, authorization, and accounting servers.
[*HUAWEI-hwtacacs-ht] hwtacacs-server authentication 192.168.66.66 49
[*HUAWEI-hwtacacs-ht] hwtacacs-server authorization 192.168.66.66 49
[*HUAWEI-hwtacacs-ht] hwtacacs-server accounting 192.168.66.66 49

# Configure IP addresses and port numbers for the secondary HWTACACS authentication, authorization, and accounting servers.
[*HUAWEI-hwtacacs-ht] hwtacacs-server authentication 192.168.66.67 49 secondary
[*HUAWEI-hwtacacs-ht] hwtacacs-server authorization 192.168.66.67 49 secondary
[*HUAWEI-hwtacacs-ht] hwtacacs-server accounting 192.168.66.67 49 secondary

# Configure a key for the HWTACACS server.


[*HUAWEI-hwtacacs-ht] hwtacacs-server shared-key cipher YsHsjx_202206
[*HUAWEI-hwtacacs-ht] commit
[~HUAWEI-hwtacacs-ht] quit

Step 2 Configure authentication, authorization, and accounting schemes.

# Enter the AAA view.


[~HUAWEI] aaa

# Configure an authentication scheme named l-h and allow local authentication


to be performed before HWTACACS authentication.
[~HUAWEI-aaa] authentication-scheme l-h
[*HUAWEI-aaa-authen-l-h] authentication-mode local hwtacacs
[*HUAWEI-aaa-authen-l-h] commit
[~HUAWEI-aaa-authen-l-h] quit

# Configure an authorization scheme named scheme2 and set the authorization mode to HWTACACS.
[~HUAWEI-aaa] authorization-scheme scheme2
[*HUAWEI-aaa-author-scheme2] authorization-mode hwtacacs
[*HUAWEI-aaa-author-scheme2] authorization-cmd hwtacacs
[*HUAWEI-aaa-author-scheme2] commit
[~HUAWEI-aaa-author-scheme2] quit

# Configure an accounting scheme named scheme3 and set the accounting mode to HWTACACS.
[~HUAWEI-aaa] accounting-scheme scheme3
[*HUAWEI-aaa-accounting-scheme3] accounting-mode hwtacacs
[*HUAWEI-aaa-accounting-scheme3] commit
[~HUAWEI-aaa-accounting-scheme3] quit

Step 3 Configure a domain named huawei, and apply authentication scheme l-h,
authorization scheme scheme2, accounting scheme scheme3, and HWTACACS
server template ht to the domain.
[~HUAWEI-aaa] domain huawei
[*HUAWEI-aaa-domain-huawei] authentication-scheme l-h
[*HUAWEI-aaa-domain-huawei] authorization-scheme scheme2
[*HUAWEI-aaa-domain-huawei] accounting-scheme scheme3
[*HUAWEI-aaa-domain-huawei] hwtacacs-server ht
[*HUAWEI-aaa-domain-huawei] commit
[~HUAWEI-aaa-domain-huawei] quit
[~HUAWEI-aaa] quit


Step 4 Verify the configuration.


Run the display hwtacacs-server template command on the router. The
command output shows that the HWTACACS server template configurations meet
the requirements.
<HUAWEI> display hwtacacs-server template ht
-------------------------------------------------
Template Name : ht
Template ID : 0
Primary Authentication Server : 192.168.66.66-49:-
Primary Authorization Server : 192.168.66.66-49:-
Primary Accounting Server : 192.168.66.66-49:-
Primary Common Server : 192.168.66.66-49:-
Current Authentication Server : 192.168.66.66-49:-
Current Authorization Server : 192.168.66.66-49:-
Current Accounting Server : 192.168.66.66-49:-
Source IP Address : 0.0.0.0
Shared Key : ****************
Quiet-interval (min) : 5
Response-timeout-Interval (sec): 5
Domain-included : Yes
Secondary Authen Server Count : 1
Secondary Author Server Count : 1
Secondary Account Server Count : 1
Secondary Common Server Count : 1
-------------------------------------------------

Run the display domain command on the router. The command output shows
that the domain configurations meet the requirements.
<HUAWEI> display domain huawei
---------------------------------------------------------------
Domain-name : huawei
Domain-state : Active
Authentication-scheme-name : l-h
Authorization-scheme-name : scheme2
Accounting-scheme-name : scheme3
User-access-limit : No
Online-number :0
HWTACACS-server-template : ht
RADIUS-server-template :-
---------------------------------------------------------------

----End

Configuration Files
#
sysname HUAWEI
#
hwtacacs enable
#
hwtacacs-server template ht
hwtacacs-server authentication 192.168.66.66
hwtacacs-server authentication 192.168.66.67 secondary
hwtacacs-server authorization 192.168.66.66
hwtacacs-server authorization 192.168.66.67 secondary
hwtacacs-server accounting 192.168.66.66
hwtacacs-server accounting 192.168.66.67 secondary
hwtacacs-server shared-key cipher %#%#pbft&Zu2$Z<,,g4=vX~7958dF@U%YGfREMUAQA{:%#%#

#
aaa
#
authentication-scheme default
#
authentication-scheme l-h
authentication-mode local hwtacacs
#
authorization-scheme default
#
authorization-scheme scheme2
authorization-mode hwtacacs
authorization-cmd hwtacacs
#
accounting-scheme default
#
accounting-scheme scheme3
accounting-mode hwtacacs
#
domain default
#
domain huawei
authentication-scheme l-h
authorization-scheme scheme2
accounting-scheme scheme3
hwtacacs-server ht
#
return
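Two behaviours in this example are worth checking against the device: which server a template actually uses when the primary stops answering (the Current ... Server lines in display hwtacacs-server template), and how an ordered scheme such as authentication-mode local hwtacacs falls through. The following Python model is an added example, not NE9000 code. It uses the template name and server addresses from the example above; the credentials, the reachability callback and the stand-in HWTACACS server are constructed, and the scheme order is modelled exactly as the guide describes it (a mode that fails hands over to the next one).

```python
"""Model of a HWTACACS server template and an ordered authentication scheme
(added example, not device code)."""
import hmac
from typing import Callable, Dict, List, Optional, Tuple

SERVICES = ("authentication", "authorization", "accounting")


class HwtacacsTemplate:
    def __init__(self, name: str) -> None:
        self.name = name
        self.servers: Dict[str, List[Tuple[str, int]]] = {s: [] for s in SERVICES}

    def add_server(self, service: str, address: str, port: int = 49,
                   secondary: bool = False) -> None:
        """hwtacacs-server <service> address [port] [secondary]; the primary is tried first."""
        if service not in SERVICES:
            raise ValueError("unknown service %r" % service)
        entry = (address, port)
        if secondary:
            self.servers[service].append(entry)
        else:
            self.servers[service].insert(0, entry)

    def current_server(self, service: str,
                       reachable: Callable[[str], bool]) -> Optional[str]:
        """Primary if it answers, else the first secondary that does (shown as addr-port)."""
        for address, port in self.servers[service]:
            if reachable(address):
                return "%s-%d" % (address, port)
        return None


def authenticate(modes: List[str], username: str, password: str,
                 local_users: Dict[str, str],
                 hwtacacs_check: Callable[[str, str], bool]) -> Tuple[str, Optional[str]]:
    """Walk the scheme's modes in order (e.g. ["local", "hwtacacs"]).

    As the guide describes it, a mode that fails hands over to the next one;
    the result names the mode that accepted the user, or None on rejection.
    """
    for mode in modes:
        if mode == "local":
            stored = local_users.get(username)
            ok = stored is not None and hmac.compare_digest(stored.encode(), password.encode())
        elif mode == "hwtacacs":
            ok = hwtacacs_check(username, password)
        else:
            raise ValueError("unsupported authentication mode %r" % mode)
        if ok:
            return ("accept", mode)
    return ("reject", None)


def build_template() -> HwtacacsTemplate:
    """Template ht from the example: 192.168.66.66 primary, 192.168.66.67 secondary, port 49."""
    ht = HwtacacsTemplate("ht")
    for service in SERVICES:
        ht.add_server(service, "192.168.66.66", 49)
        ht.add_server(service, "192.168.66.67", 49, secondary=True)
    return ht


# Constructed sample data for the demo: one local account, one account only the
# (stand-in) HWTACACS server knows.
LOCAL_USERS = {"user1@huawei": "Local-Pw-1!"}


def fake_hwtacacs(username: str, password: str) -> bool:
    """Stand-in for the HWTACACS server; accepts a single constructed account."""
    return username == "user2@huawei" and password == "Server-Pw-2!"


if __name__ == "__main__":
    ht = build_template()
    print(ht.current_server("authentication", lambda addr: addr != "192.168.66.66"))
    print(authenticate(["local", "hwtacacs"], "user2@huawei", "Server-Pw-2!",
                       LOCAL_USERS, fake_hwtacacs))
```

Reversing the mode list (["hwtacacs", "local"]) models the second requirement in the Networking Requirements, where HWTACACS is tried first for a level upgrade and local authentication is the fallback.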

1.1.2.9.4 Example for Configuring HWTACACS Authentication and Authorization for Administrators
This section provides an example for configuring HWTACACS authentication and
authorization for administrators.

Networking Requirements
As shown in Figure 1-6, Administrator is an administrator of the HUAWEI. To
prevent unauthorized administrators from accessing the device, perform
HWTACACS authentication and authorization for administrators.

Figure 1-6 Configuring HWTACACS authentication and authorization for administrators

Precautions
When the type of a user is set to terminal, Telnet, FTP, SNMP, or SSH using the
local-user service-type command, the user becomes an administrator.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure an HWTACACS server template.
2. Configure an HWTACACS authentication scheme and an authorization
scheme.
3. Apply the HWTACACS server template, authentication scheme, and
authorization scheme to a domain.

Data Preparation
To complete the configuration, you need the following data:

● HWTACACS server template name ht, authentication scheme name scheme1, authorization scheme name scheme2
● IP address 172.16.1.1/32 of the primary HWTACACS server, authentication
port number 49, and authorization port number 49
● IP address 172.16.1.2/32 of the secondary HWTACACS server, default
authentication port number 49, and default authorization port number 49
● HWTACACS authentication is performed for users on DeviceA.

Procedure
Step 1 Enable HWTACACS and configure an HWTACACS server template.

# Enable HWTACACS and configure an HWTACACS server template named ht.


<HUAWEI> system-view
[~HUAWEI] hwtacacs enable
[*HUAWEI] hwtacacs-server template ht

# Configure an IP address and port number for the primary HWTACACS authentication and authorization server.
[*HUAWEI-hwtacacs-ht] hwtacacs-server authentication 172.16.1.1 49
[*HUAWEI-hwtacacs-ht] hwtacacs-server authorization 172.16.1.1 49

# Configure an IP address and port number for the secondary HWTACACS authentication and authorization server.
[*HUAWEI-hwtacacs-ht] hwtacacs-server authentication 172.16.1.2 49 secondary
[*HUAWEI-hwtacacs-ht] hwtacacs-server authorization 172.16.1.2 49 secondary

# Configure a key for the HWTACACS server.


[*HUAWEI-hwtacacs-ht] hwtacacs-server shared-key cipher YsHsjx_202206
[*HUAWEI-hwtacacs-ht] commit
[~HUAWEI-hwtacacs-ht] quit

Step 2 Configure authentication and authorization schemes.

# Enter the AAA view.


[~HUAWEI] aaa

# Configure an authentication scheme named scheme1 and set the authentication mode to HWTACACS.
[~HUAWEI-aaa] authentication-scheme scheme1
[*HUAWEI-aaa-authen-scheme1] authentication-mode hwtacacs
[*HUAWEI-aaa-authen-scheme1] commit
[~HUAWEI-aaa-authen-scheme1] quit


# Configure an authorization scheme named scheme2 and set the authorization mode to HWTACACS.
[*HUAWEI-aaa] authorization-scheme scheme2
[*HUAWEI-aaa-author-scheme2] authorization-mode hwtacacs
[*HUAWEI-aaa-author-scheme2] commit
[~HUAWEI-aaa-author-scheme2] quit

Step 3 Configure a domain named huawei. Apply the HWTACACS authentication scheme
scheme1, HWTACACS authorization scheme scheme2, and HWTACACS server
template ht to the domain. When a user requests to go online, the username
must carry domain name huawei so that HWTACACS authentication and
authorization can be performed for the user.
[~HUAWEI-aaa] domain huawei
[*HUAWEI-aaa-domain-huawei] authentication-scheme scheme1
[*HUAWEI-aaa-domain-huawei] authorization-scheme scheme2
[*HUAWEI-aaa-domain-huawei] hwtacacs-server ht
[*HUAWEI-aaa-domain-huawei] commit
[~HUAWEI-aaa-domain-huawei] quit
[~HUAWEI-aaa] quit

Step 4 Verify the configuration.

Run the display hwtacacs-server template command on the router. The command output shows that the HWTACACS server template configurations meet the requirements.
<HUAWEI> display hwtacacs-server template ht
-------------------------------------------------
Template Name : ht
Template ID : 0
Primary Authentication Server : 172.16.1.1-49:-
Primary Authorization Server : 172.16.1.1-49:-
Primary Accounting Server : 0.0.0.0-0:-
Primary Common Server : 0.0.0.0-0:-
Current Authentication Server : 172.16.1.1-49:-
Current Authorization Server : 172.16.1.1-49:-
Current Accounting Server : 0.0.0.0-0:-
Source IP Address : 0.0.0.0
Shared Key : ****************
Quiet-interval (min) : 5
Response-timeout-Interval (sec): 5
Domain-included : Yes
Secondary Authen Server Count : 1
Secondary Author Server Count : 1
Secondary Account Server Count : 0
Secondary Common Server Count : 0
-------------------------------------------------

Run the display domain command on the router. The command output shows
that the domain configurations meet the requirements.
<HUAWEI> display domain
---------------------------------------------------------------
Domain-name : huawei
Domain-state : Active
Authentication-scheme-name : scheme1
Authorization-scheme-name : scheme2
Accounting-scheme-name :-
User-access-limit : No
Online-number :0
HWTACACS-server-template : ht
RADIUS-server-template :-
---------------------------------------------------------------

Issue 01 (2023-09-30) Copyright © Huawei Technologies Co., Ltd. 67


HUAWEI NetEngine9000
Configuration Guide 1 Configuration

When users in the domain huawei attempt to access the device, HWTACACS
authentication scheme scheme1 and authorization scheme scheme2 are used to
authenticate and authorize the users.

----End

Configuration Files
# DeviceA configuration file
#
sysname DeviceA
#
hwtacacs enable
#
hwtacacs-server template ht
hwtacacs-server authentication 172.16.1.1
hwtacacs-server authentication 172.16.1.2 secondary
hwtacacs-server authorization 172.16.1.1
hwtacacs-server authorization 172.16.1.2 secondary
hwtacacs-server shared-key cipher %#%#pbft&Zu2$Z<,,g4=vX~7958dF@U%YGfREMUAQA{:%#%

#
aaa
#
authentication-scheme default
#
authentication-scheme scheme1
authentication-mode hwtacacs
#
authorization-scheme default
#
authorization-scheme scheme2
authorization-mode hwtacacs
#
accounting-scheme default
#
domain default
#
domain huawei
authentication-scheme scheme1
authorization-scheme scheme2
hwtacacs-server ht
#
return

1.1.3 ARP Security Configuration


This chapter describes how to configure Address Resolution Protocol (ARP)
security, including anti-ARP spoofing and anti-ARP flooding, to improve the
security and robustness of network communication and network devices.

1.1.3.1 Overview of ARP Security


Address Resolution Protocol (ARP) security protects devices from attacks that
tamper with or forge ARP packets. ARP security implementation enhances device
and network security.

ARP Security Background


The Address Resolution Protocol (ARP) is an Internet protocol used to map IP
addresses to MAC addresses.


If two hosts need to communicate, the sender must know the network-layer IP
address of the receiver. IP datagrams, however, must be encapsulated with MAC
addresses before they can be transmitted over the physical network. Therefore,
ARP is needed to map IP addresses to MAC addresses to ensure the transmission
of datagrams.

ARP Attack Type


ARP is easy to use but lacks security protection mechanisms. Attackers may use
ARP to attack network devices. The following ARP attacks exist on networks:
● ARP spoofing attack
Attackers send bogus ARP messages to modify ARP entries on gateways or
valid hosts, interrupting the transmission of valid ARP messages.
● ARP flooding attack
Attackers forge and send to a device excessive ARP request messages and
gratuitous ARP messages with IP addresses that cannot be mapped to MAC
addresses. As a result, the device's ARP buffer overflows, and the device is
incapable of caching valid ARP entries. In this case, valid ARP messages
cannot be transmitted.

ARP Security Application


These ARP attacks pose a serious threat to network security. ARP security
offers various technologies to detect and protect against ARP attacks. Table 1-14
describes how ARP security is implemented to defend against each type of ARP attack.


Table 1-14 ARP security solutions

Attack Type: ARP spoofing
ARP Defense Function: Validity Check of ARP Packets
Description: After receiving an ARP message, the device checks whether the
source and destination MAC addresses in the Ethernet header are the same as
those in the data field of the ARP message. If the source and destination MAC
addresses in the Ethernet packet header are different from those in the Data
field of the ARP message, the device discards the ARP message. Otherwise, the
ARP message is allowed to pass through.
Benefits: The ARP anti-spoofing function can effectively defend against
attacks initiated using ARP messages, ensuring the security and reliability of
network communication.

Attack Type: ARP flooding
ARP Defense Function: Strict ARP Learning
Description: A device learns only the ARP Response messages in response to the
ARP Request messages sent by itself. This prevents attacks from ARP Request
messages and ARP Response messages in response to the ARP Request messages
sent by other devices.
Benefits: The ARP anti-flooding function can effectively reduce the CPU load
and prevent ARP entry overflow, ensuring the normal running of network
devices. (This benefit applies to all of the ARP flooding defense functions
listed below.)

Attack Type: ARP flooding
ARP Defense Function: ARP Entry Limit
Description: The device limits the maximum number of ARP entries that an
interface can learn to prevent ARP entry overflow and implement ARP entry
security.

Attack Type: ARP flooding
ARP Defense Function: ARP Message Rate Limiting
Description: The device counts the number of ARP messages received within a
specified period. If the number of received ARP messages exceeds the
threshold, the device ignores the excess ARP messages and does not process
them, preventing ARP entry overflow.

Attack Type: ARP flooding
ARP Defense Function: ARP Miss Message Rate Limit
Description: The device counts the number of ARP Miss messages received within
a specified period. If the number of received ARP Miss messages exceeds the
configured threshold, the device ignores the excess ARP Miss messages. This
reduces the CPU load.

Attack Type: ARP flooding
ARP Defense Function: Gratuitous ARP Packet Discarding
Description: After the function of discarding gratuitous ARP messages is
enabled, the device directly discards gratuitous ARP messages to prevent ARP
entry overflow.

1.1.3.2 Feature Requirements for ARP Security

1.1.3.3 Configuring a Rate Limit for ARP Packets to Be Sent to the CPU
Before configuring a rate limit for Address Resolution Protocol (ARP) packets to be
sent to the CPU, familiarize yourself with the applicable environment and complete
the pre-configuration tasks.

Applicable Environment
You can configure a rate limit for ARP packets to be sent to the CPU in the
following situations:


● The router has many sub-interfaces configured, and therefore may encounter
ARP request packet bursts.
● The router has received a large number of ARP request packets, and valid ARP
packets are affected.

Pre-configuration Tasks
Before configuring a rate limit for ARP packets to be sent to the CPU, complete
the following task:

● Configuring link layer protocol parameters and IP addresses for interfaces to
ensure that the link layer protocol on each interface is Up

1.1.3.3.1 Enabling ARP Bidirectional Isolation


Address Resolution Protocol (ARP) bidirectional isolation enables the router to
process ARP request and reply packets separately, improving the fault locating
efficiency when a large number of ARP packets are received in a short period.

Context
Configure ARP bidirectional isolation on interfaces of the router.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number [ .sub-interface-number ]

The interface view is displayed.

Step 3 Run arp-safeguard enable

ARP bidirectional isolation is enabled.

NOTE

ARP bidirectional isolation is mutually exclusive with L2VPN and proxy ARP. Before
configuring ARP bidirectional isolation, delete any L2VPN and proxy ARP
configurations that are present.

Step 4 Run commit

The configuration is committed.

----End

1.1.3.3.2 Configuring ARP VLAN CAR


ARP VLAN CAR allows you to limit the rate of ARP packets on the attacked
interface without affecting other interfaces. This minimizes the impact of attacks
on devices and services. After the alarm function is enabled for ARP VLAN CAR
and the number of ARP packets to be sent to the CPU exceeds the threshold
configured for ARP VLAN CAR, an alarm is reported.


Context
Configure ARP VLAN CAR on interfaces of the router.

In VS mode, this feature is supported only by the admin VS.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 (Optional) Run slot slot-id

The slot view is displayed.

Step 3 Run undo alarm drop-rate arp-vlan-car disable

The alarm function is enabled for ARP VLAN CAR.

Step 4 (Optional) Run quit

Return to the system view.

Step 5 Run interface interface-type interface-number [ .sub-interface-number ]

The interface view is displayed.

Step 6 Run arp rate-limit rate

The rate limit of ARP VLAN CAR for ARP packets on an interface is configured.

NOTE

If you configure a rate limit (1024 pps, for example) which is larger than the default rate
limit of CP-CAR, the configured ARP VLAN CAR cannot take effect. CP-CAR can be
configured by running the car arp cir cir-value command. For details, see 1.1.11.8
Configuring the CAR. The configuration of CP-CAR can be checked by running the display
cpu-defend car information command.

Step 7 Run quit

Return to the system view.

Step 8 (Optional) Set the percentage of the bandwidth of level-2 CAR for ARP VLAN CAR
in the bandwidth of CP-CAR for the ARP packets.
1. (Optional) Run slot slot-id

The slot view is displayed.


2. Run arp attack rate-limit-percent rate-value

The percentage of the bandwidth of level-2 CAR for ARP VLAN CAR in the
bandwidth of CP-CAR for ARP protocol packets is configured.
3. (Optional) Run quit

Return to the system view.

Step 9 Run commit


The configuration is committed.

----End

1.1.3.3.3 Checking the Configuration


After configuring the rate limit for Address Resolution Protocol (ARP) packets to
be sent to the CPU, you can check the configuration.

Procedure
● Run the display arp-safeguard statistics slot slot-id command to check ARP
bidirectional isolation statistics on an interface board.
● Run the display arp rate-limit interface interface-type interface-number
command to check the ARP packet rate limit on an interface.
● Run the display arp attack interface { interface-type interface-num |
interface-name } [ vlan-id vlan-number | pe-vid pe-vid ce-vid ce-vid ]
[ history ] command to check ARP attack information on an interface.
● Run the display arp attack slot { slot-id | all } [ history ] command to check
ARP attack information on an interface board.
----End

1.1.3.4 Configuring Anti-ARP Spoofing


You can configure ARP packet filtering, validity check of ARP packets, and
destination IP address check of ARP packets. These anti-ARP spoofing mechanisms
improve network security and stability.

Usage Scenario
Attackers send fake ARP packets to modify ARP entries on gateways or valid hosts.
As a result, valid ARP packets cannot be transmitted. To protect against ARP
spoofing attacks, configure the following anti-ARP spoofing functions.

Pre-configuration Tasks
Before configuring anti-ARP spoofing, complete the following tasks:
● Configure the physical parameters for the interface and ensure that the
physical layer status of the interface is Up.
● Configure the link layer parameters for the interface and ensure that the link
layer protocol status of the interface is Up.

1.1.3.4.1 Validity Check of ARP Packets


After validity check of Address Resolution Protocol (ARP) packets is enabled, when
receiving an ARP packet, the device checks whether the source and destination
MAC addresses in the Ethernet header match those in the Data field of the packet.

Procedure
Step 1 Run system-view


The system view is displayed.


Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run arp validate { destination-mac source-mac | source-mac destination-mac }
Validity check of ARP packets is enabled.
Step 4 Run commit
The configuration is committed.

----End

1.1.3.4.2 Filtering ARP Packets


This section describes how to filter out ARP packets, including invalid ARP packets,
gratuitous ARP packets, and ARP packets with non-null destination MAC
addresses.

Context
Perform the following on the router to filter out ARP packets on its interfaces:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number [sub-interface-number]
The interface view is displayed.
Step 3 Run arp filter { gratuitous | mac-illegal | tha-filled-request }
The interface is configured to filter out invalid ARP packets.

NOTE

You can decide which types of ARP packets are to be filtered out according to actual
situations. The NE9000 can filter out the following ARP packets:
● Invalid ARP packets
● Gratuitous ARP packets
● ARP packets whose destination MAC addresses are not null

Step 4 Run commit


The configuration is committed.

----End
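The following is an added example, not Huawei code, that models the validity check of ARP packets (1.1.3.4.1) and the three ARP packet filters (1.1.3.4.2) on raw Ethernet/ARP frames, reporting which check would discard a given frame. It assumes untagged Ethernet II frames carrying Ethernet/IPv4 ARP, that the destination-MAC comparison is skipped for broadcast frames, and uses constructed sample frames.

```python
"""Model of the ARP validity check and the ARP packet filters described above.

Reported reasons use the guide's filter names:
  mac-illegal         Ethernet header MACs differ from the MACs in the ARP body
  gratuitous          sender and target IP addresses are equal
  tha-filled-request  an ARP request whose target MAC is not all zeros
Assumptions: untagged Ethernet II frames, Ethernet/IPv4 ARP (RFC 826), and the
destination-MAC comparison is skipped for broadcast frames.
"""
import socket
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = b"\x00" * 6
BCAST_MAC = b"\xff" * 6


def mac(text):
    """'00:00:5e:00:53:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_arp_frame(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Build an Ethernet II frame carrying an Ethernet/IPv4 ARP packet."""
    eth = struct.pack("!6s6sH", eth_dst, eth_src, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      sha, socket.inet_aton(spa), tha, socket.inet_aton(tpa))
    return eth + arp


def parse_arp_frame(frame):
    """Return the Ethernet and ARP fields needed by the checks below."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame (ethertype 0x%04x)" % ethertype)
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"eth_dst": eth_dst, "eth_src": eth_src, "op": op,
            "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def arp_filter_reasons(frame):
    """Names of the guide's checks that would drop this frame (empty = pass)."""
    p = parse_arp_frame(frame)
    reasons = []
    # Validity check (arp validate / arp filter mac-illegal): the source MAC in
    # the Ethernet header must equal the ARP sender hardware address, and the
    # destination MAC must equal the ARP target hardware address unless the
    # frame is broadcast (assumption: broadcast frames skip that comparison).
    if p["eth_src"] != p["sha"]:
        reasons.append("mac-illegal")
    elif p["eth_dst"] != BCAST_MAC and p["eth_dst"] != p["tha"]:
        reasons.append("mac-illegal")
    # arp filter gratuitous: a gratuitous ARP packet names its own IP address
    # as both sender and target.
    if p["spa"] == p["tpa"]:
        reasons.append("gratuitous")
    # arp filter tha-filled-request: a request should not already know the
    # target MAC.
    if p["op"] == ARP_REQUEST and p["tha"] != ZERO_MAC:
        reasons.append("tha-filled-request")
    return reasons


# Constructed sample frames (documentation MAC range 00:00:5e:00:53:xx).
HOST_A = mac("00:00:5e:00:53:01")
HOST_B = mac("00:00:5e:00:53:02")
ATTACKER = mac("00:00:5e:00:53:99")
SAMPLE_FRAMES = {
    "valid_request": build_arp_frame(BCAST_MAC, HOST_A, ARP_REQUEST,
                                     HOST_A, "10.0.0.1", ZERO_MAC, "10.0.0.2"),
    "valid_reply": build_arp_frame(HOST_A, HOST_B, ARP_REPLY,
                                   HOST_B, "10.0.0.2", HOST_A, "10.0.0.1"),
    # Reply whose ARP body claims HOST_B's MAC but left the attacker's NIC.
    "spoofed_reply": build_arp_frame(HOST_A, ATTACKER, ARP_REPLY,
                                     HOST_B, "10.0.0.2", HOST_A, "10.0.0.1"),
    "gratuitous_request": build_arp_frame(BCAST_MAC, HOST_A, ARP_REQUEST,
                                          HOST_A, "10.0.0.1", ZERO_MAC, "10.0.0.1"),
    "request_with_tha": build_arp_frame(BCAST_MAC, HOST_A, ARP_REQUEST,
                                        HOST_A, "10.0.0.1", HOST_B, "10.0.0.2"),
}


def classify_samples():
    """Run every sample frame through the filters."""
    return {name: arp_filter_reasons(frame) for name, frame in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, reasons in classify_samples().items():
        print("%-20s %s" % (name, "pass" if not reasons else "drop: " + ", ".join(reasons)))
```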

1.1.3.4.3 Checking the Destination IP Addresses of ARP Packets


This section describes how to check the destination addresses of ARP packets so
that packets with incorrect destination addresses are discarded, enhancing
CPU protection.


Context
Perform the following steps on the router whose ARP entries need to be protected
against attacks.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run arp check-destination-ip enable
The check of the destination IP address of ARP packets is enabled.
The arp check-destination-ip enable command is used to protect the CPU. After
the command is run, the system checks whether the destination IP addresses of
the packets on the interface are correct. If the IP addresses are correct, packets are
sent to the CPU; otherwise, packets are discarded.
Step 4 Run commit
The configuration is committed.
----End

1.1.3.4.4 Verifying the Anti-ARP Spoofing Configuration


Check the configurations of Address Resolution Protocol (ARP) anti-spoofing
functions.

Prerequisites
All ARP anti-spoofing functions are configured.

Procedure
● Run the display arp packet statistics command to display statistics about
Address Resolution Protocol (ARP) packets.
● Run the display arp-check { check-destination-ip | check-valid } statistics
slot slot-id command to display statistics about discarded invalid ARP packets
on a specific interface board.

----End

1.1.3.5 Configuring Anti-ARP Flooding


Anti-ARP Flooding functions relieve CPU load and prevent an ARP entry overflow,
ensuring normal network operation.

Usage Scenario
Attackers forge and send to a device excessive ARP request messages and
gratuitous ARP messages with IP addresses that cannot be mapped to MAC
addresses. As a result, the device's ARP buffer overflows, and the device is
incapable of caching valid ARP entries. In this case, valid ARP messages cannot be
transmitted.
The ARP anti-flooding function can effectively reduce the CPU load and prevent
ARP entry overflow, ensuring the normal running of network devices.

Pre-configuration Tasks
Before configuring anti-ARP flooding, complete the following tasks:
● Configure the physical parameters for the interface and ensure that the
physical layer status of the interface is Up.
● Configure the link layer parameters for the interface and ensure that the link
layer protocol status of the interface is Up.

1.1.3.5.1 Restricting Dynamic ARP Entry Learning


When a large number of ARP entries are generated on a specified interface, you
can prevent the interface from dynamically learning ARP entries.

Background Information

NOTICE

● If dynamic ARP entry learning is disabled on an interface, traffic forwarding
may fail on this interface.
● After dynamic ARP entry learning is disabled on an interface, the system will
not automatically delete the ARP entries that were learnt previously on this
interface. You can delete or retain these dynamic ARP entries as required.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run arp learning disable
Dynamic ARP entry learning is disabled on the interface.
Step 4 Run commit
The configuration is committed.

----End

1.1.3.5.2 Strict ARP Learning


When strict Address Resolution Protocol (ARP) learning is enabled, the device
learns the media access control (MAC) addresses of only the ARP reply packets in
response to the ARP request packets sent by itself. Therefore, this function
prevents attacks caused by sending ARP request packets and ARP reply packets
that are not in response to the request packets that the device itself sends.

Background Information
This function can be configured in the system view or interface view.
● If strict ARP learning is not configured, the device processes ARP entries as
follows:
– After receiving an ARP reply packet in response to the ARP request packet
that the device itself sends, the device checks whether the source IP
address in the packet matches an ARP entry.

▪ If no matching entry exists, the device creates an ARP entry using the
source IP and MAC addresses carried in the packet.

▪ If a matching entry exists, the device updates the entry based on the
source IP and MAC addresses carried in the packet.
– After receiving an ARP request packet, the device sends an ARP reply
packet and then creates an ARP entry.
● If strict ARP learning is configured, the device processes ARP packets as
follows:
– After receiving an ARP reply packet, the device checks whether the packet
is in response to an ARP request packet sent by itself. If so, the device
creates an ARP entry or updates the existing ARP entry based on the
packet. If not, the device does not create an ARP entry or update the
existing ARP entry.
– After receiving an ARP request packet, the device sends an ARP reply
packet but does not create an ARP entry or update the existing ARP entry.

Procedure
● Enable strict ARP learning globally.
a. Run system-view
The system view is displayed.
b. Run arp learning strict
Strict ARP learning is enabled globally.
c. Run commit
The configuration is committed.
● Enable strict ARP learning for an interface.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run arp learning strict force-enable
Strict ARP learning is enabled for the interface.


d. Run commit

The configuration is committed.


NOTE

After strict ARP learning is enabled globally, strict ARP learning is enabled on all
interfaces. When strict ARP learning is enabled globally:
● You can run the arp learning strict force-disable command in the interface view
to disable strict ARP learning for the specified interface.
● You can run the arp learning strict trust command to configure the specified
interface to use the global strict ARP learning configuration.

----End

1.1.3.5.3 ARP Entry Limit


After Address Resolution Protocol (ARP) entry limit is enabled, the device limits
the number of ARP entries that an interface can learn, to prevent ARP entry
overflow and improve ARP entry security.

Background Information
If a device receives excessive ARP packets in a short period, the device's buffer will
overflow, interrupting services of authorized users. This problem can be solved by
configuring an ARP entry limit on the device. After ARP entry limit is configured,
the device limits the number of ARP entries that each interface can learn,
preventing ARP entry overflow and improving ARP entry security.

● Ethernet, GE, and Eth-Trunk interfaces can be Layer 2 or Layer 3 interfaces.
vlan-id cannot be configured for Layer 3 interfaces, but must be configured
for Layer 2 interfaces.
● Ethernet, GE, and Eth-Trunk sub-interfaces can be common sub-interfaces or
QinQ termination sub-interfaces. When the sub-interfaces are common sub-
interfaces, vlan-id cannot be configured for common sub-interfaces, but must
be configured for QinQ termination sub-interfaces. vlan-id indicates the outer
virtual local area network (VLAN) ID of a QinQ termination sub-interface.

Procedure
● Configure ARP entry limit for a physical interface.
a. Run system-view

The system view is displayed.


b. Run interface interface-type interface-number

The physical interface view is displayed.


c. Run arp-limit vlan vlan-id1 [ to vlan-id2 ] maximum maximum

ARP entry limit is configured for the physical interface.


d. Run commit

The configuration is committed.


● Configure ARP entry limit for a VLANIF interface.


a. Run system-view
The system view is displayed.
b. Run interface vlanif interface-number
The VLANIF interface view is displayed.
c. Run arp-limit maximum limitnum
ARP entry limit is configured for a VLANIF interface.
d. Run commit
The configuration is committed.
● Configure ARP entry limit for a sub-interface.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number [.subnumber ]
The sub-interface view is displayed.
c. Run arp-limit vlan vlan-id1 [ to vlan-id2 ] maximum limitnum
ARP entry limit is configured for the sub-interface.
d. Run commit
The configuration is committed.
----End
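The following is an added example, not Huawei code, that models strict ARP learning (1.1.3.5.2) together with the per-interface ARP entry limit (1.1.3.5.3) and runs the same constructed traffic through a strict and a non-strict table, showing how unsolicited packets can crowd the wanted entry out of a limited table. The interface name, limit and traffic are constructed, and in non-strict mode the model learns from every request and reply (an assumption that goes beyond the solicited case the guide spells out).

```python
"""Model of strict ARP learning and the ARP entry limit described above.

The ArpTable keeps dynamic entries keyed by (interface, VLAN, IP). In strict
mode only replies that answer a request the device itself sent are learned, and
requests are answered without creating an entry. The limit mirrors
"arp-limit vlan ... maximum": once an interface/VLAN holds that many entries,
new addresses are refused. Non-strict mode learning from unsolicited replies is
an assumption of this model.
"""
from dataclasses import dataclass, field


@dataclass
class ArpTable:
    strict: bool = False
    limits: dict = field(default_factory=dict)   # (iface, vlan) -> max entries
    entries: dict = field(default_factory=dict)  # (iface, vlan, ip) -> mac
    pending: set = field(default_factory=set)    # requests the device sent
    refused: list = field(default_factory=list)  # (reason, key) audit trail

    def send_request(self, iface, vlan, target_ip):
        """The device itself resolves target_ip; remember the outstanding request."""
        self.pending.add((iface, vlan, target_ip))

    def _count(self, iface, vlan):
        return sum(1 for (i, v, _ip) in self.entries if (i, v) == (iface, vlan))

    def _learn(self, key, mac):
        """Create or refresh an entry unless the interface/VLAN limit is reached."""
        iface, vlan, _ip = key
        limit = self.limits.get((iface, vlan))
        if key not in self.entries and limit is not None and self._count(iface, vlan) >= limit:
            self.refused.append(("entry-limit", key))
            return False
        self.entries[key] = mac
        return True

    def receive(self, iface, vlan, op, sender_ip, sender_mac):
        """Process a received ARP packet; return (replied, learned)."""
        key = (iface, vlan, sender_ip)
        if op == "request":
            # Requests are always answered; with strict learning no entry is
            # created from them.
            if self.strict:
                self.refused.append(("strict-request", key))
                return True, False
            return True, self._learn(key, sender_mac)
        if op == "reply":
            if self.strict and key not in self.pending:
                self.refused.append(("strict-unsolicited-reply", key))
                return False, False
            self.pending.discard(key)
            return False, self._learn(key, sender_mac)
        raise ValueError("unknown ARP opcode %r" % op)


# Constructed traffic on one interface/VLAN: three unsolicited requests, one
# unsolicited reply, then the reply to the device's own request.
TRAFFIC = [
    ("request", "10.0.0.3", "00:00:5e:00:53:03"),
    ("request", "10.0.0.4", "00:00:5e:00:53:04"),
    ("request", "10.0.0.5", "00:00:5e:00:53:05"),
    ("reply",   "10.0.0.9", "00:00:5e:00:53:09"),
    ("reply",   "10.0.0.2", "00:00:5e:00:53:02"),
]
IFACE, VLAN, LIMIT = "GigabitEthernet0/1/0", 10, 2   # constructed values


def run_scenario(strict):
    """Feed TRAFFIC to a table with a 2-entry limit; return what it learned."""
    table = ArpTable(strict=strict, limits={(IFACE, VLAN): LIMIT})
    table.send_request(IFACE, VLAN, "10.0.0.2")
    for op, ip, mac in TRAFFIC:
        table.receive(IFACE, VLAN, op, ip, mac)
    return {"learned": sorted(ip for (_i, _v, ip) in table.entries),
            "refused": table.refused}


if __name__ == "__main__":
    for strict in (False, True):
        r = run_scenario(strict)
        print("strict=%s learned=%s" % (strict, r["learned"]))
        for reason, key in r["refused"]:
            print("   refused %-25s %s" % (reason, key[2]))
```

In non-strict mode the two unsolicited requests fill the limit and the reply to the device's own request is refused; in strict mode only that reply is learned.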

1.1.3.5.4 Configuring an ARP Packet Rate Limit


If a device receives excessive Address Resolution Protocol (ARP) packets in a short
period, the device becomes busy learning entries and replying to the ARP packets,
which can interrupt the processing of other services. To resolve this problem,
configure an ARP packet rate limit on the device.

Context
The device does not have sufficient CPU resources to process other services when
processing a large number of ARP packets. To protect the CPU resources of the
device, limit the rate of ARP packets.
After a rate limit is configured for ARP packets, if the number of ARP packets
received in one second exceeds the limit, the device discards the excess ARP
packets.

Procedure
● Configure ARP packet rate limit based on user addresses.
a. Run system-view
The system view is displayed.
b. Run arp speed-limit { destination-ip | source-ip } maximum maximum
[ slot slot-id ]
ARP packet rate limit based on user addresses is configured.


c. Run commit

The configuration is committed.

----End

1.1.3.5.5 Configuring an ARP Miss Message Rate Limit


If a device generates a large number of ARP Miss messages in a specified period
of time, the device will not process the ARP Miss messages exceeding a configured
threshold.

Background Information
After the ARP Miss message rate limit is configured, the device counts the number
of received ARP Miss messages. If the number of ARP Miss messages received in a
specified period exceeds a specified limit, the device does not process additional
ARP Miss messages.

If a large number of VLANs are configured on an interface, ARP request packets
that are triggered by ARP Miss messages need to be copied and sent on all these
VLANs, causing the software to be overloaded and not to be able to send ARP
request packets to terminals in time. To resolve this problem, you can configure a
penalty interval to suppress dynamic ARP fake entry aging. When ARP Miss
messages are triggered again after ARP learning fails, the system accumulatively
increases the aging time of fake ARP entries by the configured penalty interval to
dynamically prolong the life cycle of ARP fake entries, reducing the software
workload of sending ARP request packets.

Procedure
● Configure ARP Miss message rate limit based on source IP addresses.
a. Run system-view

The system view is displayed.


b. Run arp-miss speed-limit source-ip maximum maximum [ slot slot-id ]

ARP Miss message rate limit based on source IP addresses is configured.


c. Run commit

The configuration is committed.


● (Optional) Set the aging expiry time of fake dynamic ARP entries.
a. Run system-view

The system view is displayed.


b. Run interface interface-type interface-number

The interface view is displayed.


c. Run arp-fake expire-time expire-time

The aging expiry time of fake dynamic ARP entries is set.


d. Run commit

The configuration is committed.


● (Optional) Configure a penalty interval to suppress dynamic ARP fake entry
aging.
a. Run system-view

The system view is displayed.


b. Run interface interface-type interface-number

The interface view is displayed.


c. Run arp-fake penalty-time penalty-time

A penalty interval is configured to suppress dynamic ARP fake entry aging.

NOTE

If the aging time of dynamic ARP fake entries is set using the arp-fake expire-
time command, the penalty interval configuration does not take effect.
d. Run commit

The configuration is committed.

----End

1.1.3.5.6 (Optional) Enabling the Device to Record Logs and Generate Alarms
About Potential Attacks
To locate and resolve potential attacks, you can enable the device to record logs
and generate alarms about potential attacks.

Background Information
After Address Resolution Protocol (ARP) Miss message rate limit is configured, the
device counts the number of received ARP Miss messages. If the number of ARP
Miss messages received in a specified period exceeds a specified limit, the device
discards additional ARP Miss messages. The device considers this problem as a
potential attack. The device records logs and generates alarms about potential
attacks.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run arp anti-attack log-trap-timer timer

The device is enabled to record logs and generate alarms about potential attacks.

Step 3 Run commit

The configuration is committed.

----End
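The following is an added example, not Huawei code, that models the per-source ARP packet rate limit (1.1.3.5.4), the ARP Miss message rate limit (1.1.3.5.5, same limiter fed with ARP Miss events) and the potential-attack log/alarm timer (1.1.3.5.6) over two seconds of constructed traffic. It assumes fixed one-second counting windows and that a new attack record for a source is suppressed until the log-trap timer has elapsed; addresses and timestamps are constructed.

```python
"""Model of the per-source ARP / ARP Miss rate limit and attack logging.

A SourceRateLimiter allows at most `maximum` packets per source IP in any
one-second window (the guide's "arp speed-limit source-ip maximum" and
"arp-miss speed-limit source-ip maximum") and drops the excess. The first drop
from a source produces an attack record; further records for that source are
suppressed for `log_trap_timer` seconds (how "arp anti-attack log-trap-timer"
is modelled here). Fixed windows are an assumption of this model.
"""
from collections import defaultdict


class SourceRateLimiter:
    def __init__(self, maximum, log_trap_timer):
        self.maximum = maximum
        self.log_trap_timer = log_trap_timer
        self.window = {}                 # src -> (window_start, count)
        self.last_record = {}            # src -> time of last attack record
        self.dropped = defaultdict(int)  # src -> packets dropped so far
        self.records = []                # (time, src, dropped_so_far)

    def accept(self, now, src):
        """Return True if a packet from src arriving at `now` is processed."""
        start, count = self.window.get(src, (None, 0))
        if start is None or now - start >= 1.0:
            start, count = now, 0         # open a fresh one-second window
        count += 1
        self.window[src] = (start, count)
        if count <= self.maximum:
            return True
        self.dropped[src] += 1
        last = self.last_record.get(src)
        if last is None or now - last >= self.log_trap_timer:
            self.last_record[src] = now   # log/alarm, then stay quiet for the timer
            self.records.append((now, src, self.dropped[src]))
        return False


def constructed_events():
    """Two seconds of traffic: one flooding source (20 pps) and one normal host."""
    events = [(i / 20.0, "10.0.0.66") for i in range(40)]
    events += [(0.1, "10.0.0.2"), (0.5, "10.0.0.2"), (1.3, "10.0.0.2")]
    return sorted(events)


def run_scenario(maximum=5, log_trap_timer=10.0):
    """Apply the limiter to the constructed events; return per-source counts."""
    limiter = SourceRateLimiter(maximum, log_trap_timer)
    stats = defaultdict(lambda: {"accepted": 0, "dropped": 0})
    for now, src in constructed_events():
        stats[src]["accepted" if limiter.accept(now, src) else "dropped"] += 1
    return {"stats": dict(stats), "records": limiter.records}


if __name__ == "__main__":
    result = run_scenario()
    for src, s in result["stats"].items():
        print("%-10s accepted=%d dropped=%d" % (src, s["accepted"], s["dropped"]))
    for when, src, total in result["records"]:
        print("t=%.2fs potential attack from %s (%d dropped so far)" % (when, src, total))
```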


1.1.3.5.7 Disabling Gratuitous ARP Packet Sending


You can disable an interface from sending gratuitous ARP packets to prevent CPU
overload.

Context
If a device has a large number of interfaces and all interfaces are Up and are
allocated IP addresses, the device may keep sending gratuitous ARP packets,
consuming excessive CPU resources. As a result, services are affected. To prevent
CPU overload, you can disable an interface from sending gratuitous ARP packets.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run arp gratuitous-arp send disable
The interface is disabled from sending gratuitous ARP packets.

NOTICE

Using the arp gratuitous-arp send disable command prevents the interface from
sending gratuitous ARP packets and may cause IP address conflict detection to fail
and services to be interrupted. Exercise caution when running this command.

Step 4 Run commit


The configuration is committed.

----End

1.1.3.5.8 Configuring Gratuitous ARP Packet Discarding


After gratuitous Address Resolution Protocol (ARP) packet discarding is configured,
the device discards all received gratuitous ARP packets to prevent excessive CPU
consumption.

Context
When a device is connected to a network for the first time, the device broadcasts
gratuitous ARP packets to announce its existence and checks whether its IP
address conflicts with any other device IP address in the broadcast domain. Any
device can send gratuitous ARP packets and receive gratuitous ARP packets
without authentication. As a result, a large number of gratuitous ARP packets can
be generated, causing devices to be busy processing these packets. This process
overloads the CPU and affects the processing of other services. To resolve this
problem, you can enable gratuitous ARP packet discarding. After gratuitous ARP
packet discarding is enabled, the device discards all received gratuitous ARP
packets to prevent excessive CPU consumption.

Gratuitous ARP packet discarding can be enabled in the system view or in the
interface view.
● If the arp anti-attack gratuitous-arp drop command is enabled in the
system view, the device discards gratuitous ARP packets received from all
interfaces.
● If the arp anti-attack gratuitous-arp drop command is enabled in the
interface view, the device discards gratuitous ARP packets received from a
specified interface.
Gratuitous ARP packet discarding enabled in the system view is independent of
that enabled in the interface view.

Procedure
● Configure gratuitous ARP packet discarding globally.
a. Run system-view

The system view is displayed.


b. Run arp anti-attack gratuitous-arp drop

Gratuitous ARP packet discarding is enabled globally.


c. Run commit

The configuration is committed.


● Configure gratuitous ARP packet discarding for an interface.
a. Run system-view

The system view is displayed.


b. Run interface interface-type interface-number

The interface view is displayed.


c. Run arp anti-attack gratuitous-arp drop

Gratuitous ARP packet discarding is enabled for an interface.


d. Run commit

The configuration is committed.

----End

1.1.3.5.9 Verifying the Anti-ARP Flooding Configuration


This section describes how to check the configurations of Address Resolution
Protocol (ARP) anti-flood functions.

Prerequisites
All ARP anti-flooding functions have been configured.


Procedure
● Run the display arp learning strict command to check the configuration of
strict ARP learning.
● Run the display arp-limit [ interface interface-type interface-number ]
[ vlan vlan-id ] command to check the configuration of ARP entry limit.
● Run the display arp speed-limit { destination-ip | source-ip } [ slot slot-id ]
command to check the configuration of ARP packet rate limit.
● Run the display arp-miss speed-limit source-ip [ slot slot-id ] command to
check the configuration of ARP Miss message rate limit.
● Run the display arp-safeguard statistics slot slot-id command to check ARP
bidirectional isolation statistics on an interface board.
● Run the display arp rate-limit interface interface-type interface-number
command to check the ARP packet rate limit on an interface.
● Run the display arp attack interface interface-type interface-number
command to check ARP attack information on an interface.
● Run the display arp attack slot { slot-id | all } command to check ARP attack
information on an interface board.
● Run the display arp anti-attack record command to display information
about discarded ARP packets whose rate exceeds the limit.
● Run the display arp miss anti-attack record command to display
information about discarded ARP Miss messages whose rate exceeds the limit.
----End

1.1.3.6 Maintaining ARP Security


This section describes how to reset Address Resolution Protocol (ARP) security
statistics and monitor the ARP status.

1.1.3.6.1 Clearing ARP Security Statistics


This section describes how to clear Address Resolution Protocol (ARP) security
statistics.

Background Information

NOTICE

ARP security statistics cannot be restored after they are cleared. Exercise caution
before clearing the statistics.

Procedure
● Run the reset arp packet statistics [ slot slot-id ] command in the user view
to reset ARP statistics of a specified or all boards.
● Run the reset arp packet statistics interface [ interface-type interface-
number ] command in the user view to reset ARP statistics of a specified or
all Layer 3 interfaces.

● Run the reset arp-check { check-destination-ip | check-valid } statistics slot
slot-id command in the user view to clear statistics about discarded invalid
ARP packets on a specific interface board.

In VS mode, this command is supported only by the admin VS.

----End

1.1.3.6.2 Monitoring the Operating Status of ARP Security


This section describes how to monitor the operating status of Address Resolution
Protocol (ARP) security.

Context
For routine maintenance, you can run the following commands in any view to
check the operating status of ARP security.

Procedure
● Run the display arp packet statistics [ slot slot-id | interface [ interface-type
interface-number ] ] command in any view to check statistics on ARP packets.

----End

1.1.3.6.3 Clearing ARP Bidirectional Isolation Statistics on an Interface Board


You can clear ARP bidirectional isolation statistics on an interface board if you do
not need the statistics any more.

Context

NOTICE

ARP bidirectional isolation statistics on an interface board cannot be restored after
they are cleared. Exercise caution before clearing the statistics.

Procedure
● Run the reset arp-safeguard statistics slot slot-id command in the user view
to clear ARP bidirectional isolation statistics on an interface board.

This command is supported only on the Admin-VS.


● Run the reset arp-check { check-destination-ip | check-valid } statistics slot
slot-id command in the user view to clear statistics about discarded invalid
ARP packets on a specific interface board.

This command is supported only on the Admin-VS.

----End


1.1.3.7 Configuration Examples for ARP Security


This section provides examples for ARP attack defense. A configuration example
consists of the networking requirements, configuration roadmap, data preparation,
and configuration procedures.

1.1.3.7.1 Example for Configuring ARP Security


This example describes ARP security configuration procedures.

Networking Requirements
ARP is a basic link layer protocol that can be used on the Ethernet. It maps
devices' IP addresses to MAC addresses. ARP is simple to use but does not have
any security guarantee. Attackers may send forged ARP packets to attack
networks, causing normal services to be interrupted and devices to break down.
Therefore, carriers want to enhance backbone network security.
As shown in Figure 1-7, an Internet bar is connected to the Internet through the
Device. ARP security needs to be configured on the Device to protect the Internet
bar against ARP attacks.

Figure 1-7 Networking diagram of configuring ARP security

Precautions
None.

Configuration Roadmap
The configuration roadmap is as follows:
● Limit the ARP packet processing rate on interface boards. This effectively
prevents devices from continuously processing a large number of invalid ARP
packets (with destination IP addresses unable to be resolved) sent by
attackers. Burdens on the devices' CPUs are relieved and valid packets can be
properly processed on the devices.

● Limit the number of ARP entries on interfaces. This effectively prevents
devices from processing invalid ARP packets with forged source IP addresses
sent by attackers. The devices can then process valid ARP packets and
generate valid ARP entries, ensuring proper data forwarding.
● Configure strict ARP entry learning on interfaces. This effectively prevents
devices from receiving invalid ARP packets sent by attackers.
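The three defenses in this roadmap can be modelled end to end. The Python below is an added example, not NE9000 code or output: the ArpDefender class, its ArpPacket fields and the constructed traffic in demo() are assumptions that imitate the semantics of arp speed-limit destination-ip, arp-limit and arp learning strict with the values used in this example (50 packets per second on slot 1, 20 entries on GE 1/0/0), plus a smaller entry cap on a second interface so that the limit is visible in a short run.

```python
"""Model of the three defenses in the roadmap: arp speed-limit destination-ip (per board),
arp-limit (per interface) and strict ARP learning. Added example; the class, the packet
fields and the traffic are constructed, not NE9000 code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    slot: int          # interface board that received the packet
    interface: str     # receiving interface, e.g. "GE1/0/0"
    sender_ip: str
    sender_mac: str
    target_ip: str     # the IP the packet wants resolved (the "destination IP")
    is_reply: bool     # False = ARP request; a gratuitous ARP is a request for its own IP
    ts: float          # receive time in seconds


class ArpDefender:
    def __init__(self, dest_ip_max_per_sec, entry_limit, strict_ifaces, local_ips):
        self.dest_ip_max_per_sec = dest_ip_max_per_sec  # {slot: packets/s}, e.g. {1: 50}
        self.entry_limit = entry_limit                  # {interface: max dynamic entries}
        self.strict_ifaces = set(strict_ifaces)         # interfaces with arp learning strict
        self.local_ips = set(local_ips)                 # the device's own addresses
        self.pending = set()                            # IPs the device itself is resolving
        self.table = {}                                 # (interface, ip) -> mac
        self._per_second = defaultdict(int)             # (slot, target_ip, second) -> count
        self.drops = defaultdict(int)

    def send_request(self, target_ip):
        """The device sends its own ARP request; only the answer may be learned strictly."""
        self.pending.add(target_ip)

    def entries_on(self, interface):
        return sum(1 for ifc, _ip in self.table if ifc == interface)

    def receive(self, p):
        # 1. arp speed-limit destination-ip: cap packets per second per target IP per board,
        #    so a flood of requests for one unresolvable IP cannot exhaust the CPU.
        key = (p.slot, p.target_ip, int(p.ts))
        self._per_second[key] += 1
        if self._per_second[key] > self.dest_ip_max_per_sec.get(p.slot, float("inf")):
            self.drops["speed-limit"] += 1
            return "dropped: speed-limit"

        # 2. Learning policy. Strict: only a reply answering a request the device sent.
        #    Default: any request or reply aimed at one of the device's own addresses.
        if p.interface in self.strict_ifaces:
            learnable = p.is_reply and p.sender_ip in self.pending
        else:
            learnable = p.is_reply or p.target_ip in self.local_ips
        if not learnable:
            self.drops["not-learnable"] += 1
            return "not learned"

        # 3. arp-limit: cap dynamic entries per interface so forged sender IPs cannot
        #    fill the table and crowd out legitimate hosts.
        entry = (p.interface, p.sender_ip)
        if entry not in self.table and \
                self.entries_on(p.interface) >= self.entry_limit.get(p.interface, float("inf")):
            self.drops["arp-limit"] += 1
            return "dropped: arp-limit"

        self.table[entry] = p.sender_mac
        self.pending.discard(p.sender_ip)
        return "learned"


def demo():
    """Constructed traffic against the example's settings: slot 1 at 50 pps per destination
    IP, GE1/0/0 capped at 20 entries with strict learning; GE2/0/0 gets a cap of 2."""
    d = ArpDefender({1: 50}, {"GE1/0/0": 20, "GE2/0/0": 2}, {"GE1/0/0"}, {"192.168.1.200"})
    # A gratuitous ARP arriving on the strict interface is not learned (the verification
    # step of the example).
    gratuitous = d.receive(ArpPacket(1, "GE1/0/0", "10.0.0.5", "00e0-fc00-0005",
                                     "10.0.0.5", False, 0.1))
    # A reply to the device's own request is learned.
    d.send_request("10.0.0.7")
    reply = d.receive(ArpPacket(1, "GE1/0/0", "10.0.0.7", "00e0-fc00-0007",
                                "192.168.1.200", True, 0.2))
    # 60 requests for one unresolvable IP inside the same second: only 50 reach the CPU.
    verdicts = [d.receive(ArpPacket(1, "GE1/0/0", f"10.0.1.{i}", "00e0-fc00-1111",
                                    "10.0.0.99", False, 1.0 + i / 100))
                for i in range(60)]
    # Entry limit on the non-strict interface: the third new host is refused.
    limited = []
    for i in range(3):
        limited.append(d.receive(ArpPacket(2, "GE2/0/0", f"172.16.1.{i}", f"00e0-fc00-001{i}",
                                           "192.168.1.200", True, 2.0)))
    return {"gratuitous": gratuitous, "reply": reply,
            "speed_limited": verdicts.count("dropped: speed-limit"),
            "entry_limited": limited, "entries": len(d.table)}
```

The order of the checks mirrors the roadmap: the board-level rate limit runs first, because it protects the CPU before any learning decision is made, and the per-interface entry cap is applied last, only to packets that would otherwise create a new entry.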

Data Preparation
To complete the configuration, you need the following data:
● Interface board slot number: 1; number of ARP packets that the interface
board processes every second: 50
● Maximum number of ARP entries that an interface can learn: 20

Procedure
Step 1 Configure the interface board in slot 1 to process 50 ARP packets to a specific
destination every second.
<HUAWEI> system-view
[~HUAWEI] sysname Device
[*HUAWEI] commit
[~Device] arp speed-limit destination-ip maximum 50 slot 1
[*Device] commit

Step 2 Configure GE 1/0/0 to learn a maximum of 20 ARP entries and enable strict ARP
entry learning on GE 1/0/0.
[~Device] interface gigabitethernet 1/0/0
[~Device-GigabitEthernet1/0/0] arp-limit maximum 20
[*Device-GigabitEthernet1/0/0] arp learning strict force-enable
[*Device-GigabitEthernet1/0/0] commit
[~Device-GigabitEthernet1/0/0] quit

Step 3 Verify the configuration.


Use a tool to send gratuitous ARP packets to the Device. Run the display arp
command on the Device. The command output shows that the Device has not
learned any ARP entry from the received gratuitous ARP packets.
<Device> display arp all
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.200 00e0-fc7f-7258 I- GE1/0/0
172.16.1.180 00e0-fc56-7741 9 D-0 GE2/0/0
10.2.1.1 00e0-fc11-8894 I- GE1/0/1
10.1.1.1 00e0-fc39-f564 I- GE2/0/1
10.1.1.2 00e0-fc22-18d5 9 D-3 GE2/0/1
------------------------------------------------------------------------------
Total:5 Dynamic:2 Static:0 Interface:3 Remote:0
Redirect:0

Run the display arp speed-limit command on the Device to view the configured
ARP packet processing rate.
<Device> display arp speed-limit destination-ip slot 1
Slot SuppressType SuppressValue
---------------------------------------------------
1 ARP 50

----End


Configuration Files
#
sysname Device
arp speed-limit destination-ip maximum 50 slot 1
#
interface GigabitEthernet1/0/0
undo shutdown
arp learning strict force-enable
arp-limit maximum 20
#
return

1.1.3.7.2 Example for Configuring ARP Bidirectional Isolation and ARP VLAN CAR
This section provides an example for configuring ARP bidirectional isolation and
ARP VLAN CAR. A configuration networking diagram is provided to help you
understand the configuration procedure. The example provides the networking
requirements, configuration roadmap, configuration procedure, and configuration
files.

Networking Requirements
ARP is an open protocol that sets up IP-address-to-MAC-address mappings. When
used on an Ethernet network, ARP offers opportunities to attackers because of its
simplicity, openness, and lack of security measures. Attackers forge and send
excessive ARP request and response packets to the router. The router's ARP buffer
has limited capacity, so once it overflows, the router can no longer cache
legitimate ARP entries. ARP security enables the router to process ARP request
and reply packets separately, so that the router can rapidly respond to ARP
request packets. In addition, ARP security allows you to set a rate limit for ARP
packets, so that excess ARP packets are discarded when the preset rate limit is
reached.
As shown in Figure 1-8, only the user-side interface is connected to the Layer 2
devices. Therefore, configure ARP bidirectional isolation and ARP VLAN CAR on the
user-side interface GE 1/0/0.

Figure 1-8 Network diagram of configuring ARP security


NOTE

● The configurations in this example are performed on Device. NE9000 can function as
Device.
● Interface 1 in this example represents GE 1/0/0.


Configuration Roadmap
The configuration roadmap is as follows:

1. Enable ARP bidirectional isolation.
2. Configure the rate limit of packets to be sent to the CPU.

Data Preparation
To complete the configuration, you need the following data:

● Rate limit of ARP packets to be sent to the CPU

Procedure
Step 1 Configure VLANs on the router. The configuration details are not provided here.

Step 2 Enable ARP bidirectional isolation.


<HUAWEI> system-view
[~HUAWEI] sysname Device
[*HUAWEI] commit
[~Device] interface gigabitethernet 1/0/0
[~Device-GigabitEthernet1/0/0] arp-safeguard enable
[*Device-GigabitEthernet1/0/0] commit

Step 3 Configure the rate limit of ARP packets on GE 1/0/0.


[~Device-GigabitEthernet1/0/0] arp rate-limit 50
[*Device-GigabitEthernet1/0/0] commit
[~Device-GigabitEthernet1/0/0] quit

Step 4 Verify the configuration.

Check ARP bidirectional isolation statistics on the interface board in slot 1.

<Device> display arp-safeguard statistics slot 1
ArpRequest-Count : 23
ArpReply-Count : 23
ArpToCp-Count : 23
ArpDrop-Count : 23

Check the rate limit of ARP packets on GE 1/0/0.


<Device> display arp rate-limit interface gigabitethernet 1/0/0
Interface: GigabitEthernet1/0/0
arp rate-limit: 50

----End

Configuration Files
#
sysname Device
#
vlan 100
vlan 200
#
interface GigabitEthernet1/0/0
undo shutdown
portswitch
port trunk allow-pass vlan 100 200
arp safe-guard enable
arp rate-limit 50
#
return
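Once the feature is deployed, the two command outputs in the verification step are what an operator polls to see whether ARP bidirectional isolation is doing any work. The Python below is an added example, not NE9000 code: it parses those outputs, computes deltas of the cumulative counters between two polls (the absolute values alone say little), flags an interval in which the drop ratio exceeds a threshold, and checks that the configured interface rate limit matches policy. POLL_1 copies the counters shown above; POLL_2, the threshold of 0.5 and the helper names are constructed.

```python
"""Monitor for the two outputs shown in the example: display arp-safeguard statistics slot
and display arp rate-limit interface. Added example, not NE9000 code: it parses the
"Name : value" lines, computes per-poll deltas of the cumulative counters and flags a
high drop ratio, and checks that the configured interface rate limit matches policy."""
import re

# Constructed samples. POLL_1 copies the counters shown in the example; POLL_2 is a
# later poll invented to show a burst between polls.
POLL_1 = """\
ArpRequest-Count : 23
ArpReply-Count : 23
ArpToCp-Count : 23
ArpDrop-Count : 23
"""
POLL_2 = """\
ArpRequest-Count : 1023
ArpReply-Count : 43
ArpToCp-Count : 123
ArpDrop-Count : 943
"""
RATE_LIMIT_OUT = """\
Interface: GigabitEthernet1/0/0
arp rate-limit: 50
"""

# "Name : value" or "Name: value"; the key may contain spaces and hyphens.
_KV = re.compile(r"^\s*([A-Za-z][\w -]*?)\s*:\s*(\S+)\s*$")


def parse_key_values(text):
    """Turn 'Name : value' lines into a dict; numeric values become ints."""
    out = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            key, val = m.groups()
            out[key] = int(val) if val.isdigit() else val
    return out


def safeguard_delta(prev_text, cur_text):
    """Per-interval counters; the device counters are cumulative, so the delta matters."""
    prev, cur = parse_key_values(prev_text), parse_key_values(cur_text)
    d = {k: cur[k] - prev[k] for k in ("ArpRequest-Count", "ArpReply-Count",
                                       "ArpToCp-Count", "ArpDrop-Count")}
    seen = d["ArpRequest-Count"] + d["ArpReply-Count"]
    d["drop_ratio"] = d["ArpDrop-Count"] / seen if seen else 0.0
    return d


def assess_safeguard(prev_text, cur_text, max_drop_ratio=0.5):
    """Return (alert, deltas); alert is True when the share of ARP packets dropped in
    the interval exceeds the threshold, which is worth a closer look at the user side."""
    d = safeguard_delta(prev_text, cur_text)
    return d["drop_ratio"] > max_drop_ratio, d


def check_rate_limit(text, expected_pps):
    """Compliance check: the user-side interface must carry the rate limit policy requires."""
    kv = parse_key_values(text)
    return {"interface": kv.get("Interface"),
            "configured": kv.get("arp rate-limit"),
            "compliant": kv.get("arp rate-limit") == expected_pps}
```

Feed the two functions with the text captured from the CLI (or from whatever collector retrieves it) at each polling interval; the drop ratio is computed on the difference between polls so that a long-running counter cannot mask a recent burst.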

1.1.4 DHCP Snooping Configuration


This chapter describes how to configure Dynamic Host Configuration Protocol
(DHCP) snooping to provide more secure and stable network services for users.

1.1.4.1 DHCP Snooping Overview


This section describes the basic concepts of Dynamic Host Configuration Protocol
(DHCP) snooping.

Dynamic Host Configuration Protocol (DHCP) snooping is a DHCP security feature
that functions in a similar way to a firewall between DHCP clients and servers. A
DHCP-snooping-capable device monitors DHCP packets and uses information
carried in the packets to create a DHCP snooping binding table. This table records
hosts' media access control (MAC) addresses, IP addresses, IP address lease time,
virtual local area network (VLAN) IDs, and interface information. The device uses
this table to check the validity of received DHCP packets. If a DHCP reply packet is
received from an untrusted interface, the device discards the packet.

1.1.4.2 Feature Requirements for DHCP Snooping

1.1.4.3 Configuring Defense Against Bogus DHCP Server Attacks


This section describes how to configure defense against bogus Dynamic Host
Configuration Protocol (DHCP) server attacks.


Applicable Environment
A bogus DHCP server on the network may send a DHCP offer packet to the DHCP
client. The DHCP offer packet contains incorrect information such as the incorrect
gateway address, incorrect Domain Name Server (DNS) server, and incorrect IP
address. As a result, the DHCP client cannot connect to the network or may
connect to an incorrect network.
To prevent a bogus DHCP server attack, configure DHCP snooping on the device,
configure the network-side interface to be trusted and the user-side interface to
be untrusted, and configure the device to discard DHCP reply packets received
from untrusted interfaces.
Enable bogus DHCP server detection on the device. The device obtains relevant
information about the DHCP server and logs the information, which helps you
maintain the network.

Pre-configuration Tasks
Before you configure defense against bogus DHCP server attacks, configure the
DHCP server.

1.1.4.3.1 Enabling DHCP Snooping


To configure Dynamic Host Configuration Protocol (DHCP) snooping functions,
enable DHCP snooping first.

Context
Enable DHCP snooping in the following sequence:
1. Enable DHCP globally.
2. Enable DHCP snooping globally.
3. Enable DHCP snooping in an interface, BD, or VLAN view.

Procedure
● Enable DHCP snooping globally for a VLAN to prevent Layer 2 devices from
bogus DHCP server attacks.
a. Run system-view
The system view is displayed.
b. Run dhcp enable
DHCP is enabled globally.

c. Run dhcp snooping enable
DHCP snooping is enabled globally.
d. Run vlan vlan-id
The VLAN view is displayed.
e. Run dhcp snooping enable
DHCP snooping is enabled for the VLAN.


f. Run quit
Return to the system view.
g. Run commit
The configuration is committed.
● Enable DHCP snooping in the BD view.
a. Run system-view
The system view is displayed.
b. Run dhcp enable
DHCP is enabled globally.
c. Run dhcp snooping enable
DHCP snooping is enabled globally.
d. Run bridge-domain bd-id
The BD view is displayed.
e. Run dhcp snooping enable
DHCP snooping is enabled.
f. Run commit
The configuration is committed.
● Enable DHCP snooping globally for an interface to prevent Layer 3 devices
from bogus DHCP server attacks.
a. Run system-view
The system view is displayed.
b. Run dhcp enable
DHCP is enabled globally.

c. Run dhcp snooping enable
DHCP snooping is enabled globally.
d. Run interface interface-type interface-number
The interface view is displayed.
e. Run dhcp snooping enable
DHCP snooping is enabled for the interface.
f. Run commit
The configuration is committed.
● Enable DHCP snooping in the BD view.
a. Run system-view
The system view is displayed.
b. Run dhcp enable
DHCP is enabled globally.
By default, DHCP is enabled globally.

c. Run dhcp snooping enable
DHCP snooping is enabled globally.
By default, DHCP snooping is disabled globally.
d. Run bridge-domain bd-id
The BD view is displayed.
e. Run dhcp snooping enable
DHCP snooping is enabled.
By default, DHCP snooping is disabled.
f. Run commit
The configuration is committed.

----End

1.1.4.3.2 Configuring an Interface as a Trusted Interface


After Dynamic Host Configuration Protocol (DHCP) snooping is enabled, trusted
interfaces must be configured so that clients can go online through trusted
interfaces.

Context
After DHCP snooping is enabled on a device, you can configure interfaces of the
device as trusted or untrusted.
● After receiving DHCP reply packets from a trusted interface, the device
forwards the packets so that DHCP clients can obtain correct IP addresses.
● After receiving DHCP reply packets from an untrusted interface, the device
discards the packets to prevent DHCP clients from obtaining incorrect IP
addresses.

Generally, the interfaces connected to legitimate DHCP servers are configured as
trusted and all other interfaces are configured as untrusted.

NOTE

After DHCP snooping is enabled, trusted interfaces must be configured and server-side
interfaces and user-side interfaces must be in the same virtual local area network (VLAN).
DHCP clients cannot go online if server-side interfaces and user-side interfaces are in
different VLANs.

Procedure
● Configure an interface as a trusted interface in a VLAN to prevent Layer 2
devices from bogus DHCP server attacks.
a. Run system-view
The system view is displayed.
b. Run vlan vlan-id
The VLAN view is displayed.
c. Run dhcp snooping trusted [ interface interface-type interface-number ]
An interface is configured as a trusted interface in the VLAN.

NOTE

Before you configure an interface as a trusted interface in the VLAN view, make
sure that the interface is in the VLAN.
d. Run commit
The configuration is committed.
● Configure interfaces as trusted interfaces in the BD view.
a. Run system-view
The system view is displayed.
b. Run bridge-domain bd-id
The BD view is displayed.
c. Run dhcp snooping trusted
Interfaces are configured as trusted interfaces.
d. Run commit
The configuration is committed.
● Configure an interface as a trusted interface in the interface view to prevent
Layer 3 devices from bogus DHCP server attacks.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run dhcp snooping trusted
The interface is configured as a trusted interface.
d. Run commit
The configuration is committed.
----End


1.1.4.3.3 (Optional) Enabling Bogus DHCP Server Detection


After bogus Dynamic Host Configuration Protocol (DHCP) server detection is
enabled, the system generates logs about DHCP servers.

Context
Before enabling bogus DHCP server detection, ensure that DHCP snooping is
enabled globally for the interface. Otherwise, the detection function does not take
effect.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run dhcp snooping server record

Bogus DHCP server detection is enabled.

Step 3 Run commit

The configuration is committed.

----End

1.1.4.3.4 (Optional) Configuring the Alarm Function for Discarded DHCP Reply
Packets
By configuring the function described in this chapter, you can have an alarm
generated when a specified number of Dynamic Host Configuration Protocol
(DHCP) reply packets are discarded.

Context
After trusted and untrusted interfaces are configured, the device discards all DHCP
reply packets received from untrusted interfaces. You can set a threshold for the
number of discarded packets. When the number of discarded packets reaches the
threshold, an alarm is generated.

For a Layer 2 device, configure the alarm function for discarded DHCP reply
packets in a VLAN view. For a Layer 3 device, configure the alarm function for
discarded DHCP reply packets in an interface view or in a BD view.

Procedure
● Configure the alarm function for discarded DHCP reply packets in a VLAN
view.
a. Run system-view
The system view is displayed.
b. Run vlan vlan-id
The VLAN view is displayed.
c. Run dhcp snooping alarm dhcp-reply enable [ interface interface-type
interface-number ]
The alarm function for discarded DHCP reply packets is enabled for the
VLAN.
d. Run dhcp snooping alarm dhcp-reply threshold threshold [ interface
interface-type interface-number ]
The alarm threshold for the number of discarded packets is configured
for the VLAN.
e. Run commit
The configuration is committed.
● Configure the alarm function for discarded DHCP packets with incorrect
CHADDR fields in a BD view.
a. Run system-view
The system view is displayed.
b. Run bridge-domain bd-id
The BD view is displayed.
c. Run dhcp snooping alarm dhcp-reply enable
The alarm function for discarded DHCP reply packets is enabled.
d. Run dhcp snooping alarm threshold threshold-value
The alarm threshold for the number of discarded packets is configured in
a BD.
e. Run commit
The configuration is committed.
● Configure the alarm function for discarded DHCP reply packets in an interface
view.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run dhcp snooping alarm dhcp-reply enable
The alarm function for discarded DHCP reply packets is enabled for the
interface.
d. Run dhcp snooping alarm dhcp-reply threshold threshold-value
The alarm threshold for the number of discarded packets is configured
for the interface.
e. Run commit
The configuration is committed.

----End


1.1.4.3.5 Checking the Configuration


This section describes how to check the configuration of defense against bogus
Dynamic Host Configuration Protocol (DHCP) server attacks.

Prerequisites
The configurations of defense against bogus DHCP server attacks are complete.

Procedure
● Run the display dhcp snooping { interface interface-type interface-number |
vlan vlan-id [ interface interface-type interface-number ] | bridge-domain
bd-id } command to check the DHCP snooping configuration.
----End

1.1.4.4 Configuring Defense Against Man-in-the-Middle Attacks and IP/MAC
Address Spoofing
This section describes how to configure the IP/MAC address binding and Option 82
functions to prevent man-in-the-middle attacks and IP/MAC address spoofing.

Applicable Environment
In a man-in-the-middle attack or IP/MAC address spoofing, the attacker
impersonates the server to the clients and the clients to the server. Each side
believes it is exchanging packets directly with the other, but every packet is
actually relayed through the attacker, who can therefore read the data exchanged
between the server and the clients.
To prevent man-in-the-middle attacks and IP/MAC address spoofing, enable the
Dynamic Host Configuration Protocol (DHCP) snooping function on a device so
that the device forwards a packet only if the packet information matches an entry
in the DHCP snooping binding table. If a packet does not match any entry in the
DHCP snooping binding table, the device discards the packet.

Pre-configuration Tasks
Before you configure defense against man-in-the-middle attacks and IP/MAC
address spoofing, configure DHCP snooping.

1.1.4.4.1 Enabling DHCP Snooping


To configure Dynamic Host Configuration Protocol (DHCP) snooping functions,
enable DHCP snooping first.

Context
Enable DHCP snooping in the following sequence:
1. Enable DHCP globally.
2. Enable DHCP snooping globally.
3. Enable DHCP snooping in an interface, BD, or VLAN view.


Procedure
● Enable DHCP snooping for a VLAN.
a. Run system-view
The system view is displayed.
b. Run dhcp enable
DHCP is enabled globally.
c. Run dhcp snooping enable
DHCP snooping is enabled globally.
d. Run vlan vlan-id
The VLAN view is displayed.
e. Run dhcp snooping enable
DHCP snooping is enabled for the VLAN.
f. Run quit
The system view is displayed.
g. Run commit
The configuration is committed.
● Enable DHCP snooping in the BD view.
a. Run system-view
The system view is displayed.
b. Run dhcp enable
DHCP is enabled globally.
c. Run dhcp snooping enable
DHCP snooping is enabled globally.
d. Run bridge-domain bd-id
The BD view is displayed.
e. Run dhcp snooping enable
DHCP snooping is enabled in a BD.
f. Run commit
The configuration is committed.
● Enable DHCP snooping for an interface.
a. Run system-view
The system view is displayed.
b. Run dhcp enable
DHCP is enabled globally.

c. Run dhcp snooping enable
DHCP snooping is enabled globally.
d. Run interface interface-type interface-number
The interface view is displayed.
e. Run dhcp snooping enable
DHCP snooping is enabled for the interface.
f. Run commit
The configuration is committed.
● Enable DHCP snooping in the BD view.
a. Run system-view
The system view is displayed.
b. Run dhcp enable
DHCP is enabled globally.
By default, DHCP is enabled globally.
c. Run dhcp snooping enable
DHCP snooping is enabled globally.
By default, DHCP snooping is disabled globally.
d. Run bridge-domain bd-id
The BD view is displayed.
e. Run dhcp snooping enable
DHCP snooping is enabled in a BD.
By default, DHCP snooping is disabled in a BD.
f. Run commit
The configuration is committed.
----End

1.1.4.4.2 Enabling DHCP Request Packet Check


To prevent man-in-the-middle attacks and IP/MAC address spoofing, enable
Dynamic Host Configuration Protocol (DHCP) request packet check. After packet
check is enabled on a device, the device checks the received Address Resolution
Protocol (ARP) or IP packets to see whether the combination of source IP
addresses and source MAC addresses in the packets match entries in the DHCP
snooping binding table.

Context
For DHCP users, the DHCP snooping binding table is automatically generated
when DHCP snooping is enabled. For users using static IP addresses, the DHCP
snooping binding table needs to be manually configured.

Enable DHCP snooping in an interface, BD, or VLAN view.


Procedure
● Enable DHCP request packet check in a VLAN view.
a. Run system-view
The system view is displayed.
b. Run vlan vlan-id
The VLAN view is displayed.
c. Run dhcp snooping check { arp | ip } enable [ interface interface-type
interface-number ]
DHCP request packet check is enabled for the VLAN.
d. Run commit
The configuration is committed.
● Enable DHCP request packet check in a BD view.
a. Run system-view
The system view is displayed.
b. Run bridge-domain bd-id
The BD view is displayed.
c. Run dhcp snooping check { arp | ip } enable
DHCP request packet check is enabled in a BD.
d. Run commit
The configuration is committed.
● Enable DHCP request packet check in an interface view.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run dhcp snooping check { arp | ip } enable
DHCP request packet check is enabled for the interface.
d. Run commit
The configuration is committed.

----End

1.1.4.4.3 (Optional) Configuring the DHCP Snooping Binding Table


Dynamic entries in the DHCP snooping binding table are automatically generated
when DHCP snooping is enabled. Static entries in the DHCP snooping binding
table must be manually configured.


Context
NOTE

The static IP address and the IP address allocated to a user in static mode are the IP
addresses that are manually configured on the client. Static users are those who use static
IP addresses.

If users are assigned static IP addresses, configure a static binding entry for each
of these addresses so that the static addresses cannot be stolen. Even with a large
number of static users, a static binding entry is still required for every static IP
address; otherwise, unauthorized users who try to use someone else's static IP
address cannot be isolated.
Dynamic entries in the DHCP snooping binding table do not need to be
configured. They are automatically generated when DHCP snooping is enabled.
However, static entries in the DHCP snooping binding table must be configured by
running commands.

NOTE

● For the IP addresses dynamically allocated to users, devices automatically learn the MAC
addresses of users and create a binding relationship table. The table does not need to
be configured manually.
● For the IP addresses statically allocated to users, devices cannot create a binding
relationship table. The table must be created manually.

If the binding relationship table for static users is not created manually, the
following situations occur:

NOTE

● If the device is configured to forward packets that do not match any entry in the
binding relationship table, the packets of all static users are forwarded and all
static users can access the DHCP server normally. This is the default behavior of the device.
● If the device is configured to discard packets that do not match any entry in the
binding relationship table, the packets of all static users are discarded and no
static user can access the DHCP server.

If the created binding table must contain interface information, the Option82
function must be enabled. If the Option82 function is not enabled and DHCP
snooping is enabled on the VLANIF interface, entries in the created DHCP
snooping binding table do not contain interface information. For details, see the
description of how to "configure the Option82 function".
When an interface receives an Address Resolution Protocol (ARP) or IP packet, the
interface matches the source IP address and source MAC address of the ARP or IP
packet with entries in the DHCP snooping binding table. The interface checks the
MAC address, IP address, interface, and virtual local area network (VLAN)
information. Based on this check, the interface performs the following actions:
● The ARP or IP packet is discarded if its source IP address and source MAC
address do not match any entry in the DHCP snooping binding table.
● The ARP or IP packet is forwarded if its source IP address and source MAC
address match an entry in the DHCP snooping binding table.

Procedure
● Configure DHCP snooping static entries for a VLAN.
a. Run system-view
The system view is displayed.
b. Run vlan vlan-id
The VLAN view is displayed.
c. Run dhcp snooping bind-table static ip-address ip-address [ mac-
address mac-address ] [ interface interface-type interface-number [ ce-
vlan ce-vlan-id ] ]
The static DHCP snooping entry is configured for the VLAN.
d. Run commit
The configuration is committed.
● Configure static DHCP snooping binding entries.
a. Run system-view
The system view is displayed.
b. Run bridge-domain bd-id
The BD view is displayed.
c. Run dhcp snooping bind-table static ip-address ip-address [ mac-
address mac-address ] [ vlan vlan-id [ ce-vlan ce-vlan-id ] ]
The static DHCP snooping entry is configured.
d. Run commit
The configuration is committed.
● Configure static DHCP snooping binding entries.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run dhcp snooping bind-table static ip-address ip-address [ mac-
address mac-address ] [ vlan vlan-id [ ce-vlan ce-vlan-id ] ]
The static DHCP snooping entry is configured.
d. Run commit
The configuration is committed.
● Configure backup for the DHCP snooping binding table.
a. Run system-view
The system view is displayed.

b. Run dhcp snooping bind-table autosave filename
Automatic backup is configured for the DHCP snooping binding table.
After this configuration, the system backs up the file that stores the
DHCP snooping binding table in the specified backup path at an interval
of 60 minutes or when 150 entries are dynamically generated.
c. Run commit
The configuration is committed.
● (Optional) Configure the file integrity check mode of the DHCP snooping
binding table.
a. Run system-view
The system view is displayed.
b. Run dhcp snooping database authentication-mode { check | no-check
| force-check }
The file integrity check mode of the DHCP snooping binding table is
configured.
c. Run commit
The configuration is committed.
----End
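The mechanisms described in 1.1.4.1, 1.1.4.3, 1.1.4.4.2 and this section fit together in one model: DHCP replies are accepted only from trusted interfaces, an ACK snooped on a trusted interface populates the binding table with the client's MAC, IP, lease, VLAN and interface, static users are bound by hand, and the ARP/IP source check consults that table. The Python below is an added example of that behaviour, not NE9000 code; the DhcpSnooper class, its message dictionaries, interface names and addresses are constructed, and the alarm threshold of 2 is chosen only so that the alarm fires within the short demo.

```python
"""Behavioural model of DHCP snooping as described in this chapter: trusted and untrusted
interfaces, the binding table (dynamic entries learned from the DHCP exchange, static
entries added by hand), the ARP/IP source check against that table, and the alarm on
discarded DHCP replies. Added example, not NE9000 code; message fields, interface
names and addresses are constructed."""
from dataclasses import dataclass
from typing import Optional

REPLIES = {"OFFER", "ACK", "NAK"}          # server-to-client messages


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    lease_s: Optional[int]                 # None marks a static entry


class DhcpSnooper:
    def __init__(self, trusted_interfaces, alarm_threshold=None):
        self.trusted = set(trusted_interfaces)
        self.bindings = {}                 # (vlan, ip) -> Binding
        self.alarm_threshold = alarm_threshold
        self.dropped_replies = 0           # counter behind "dhcp snooping alarm dhcp-reply"
        self.alarms = []
        self._client_port = {}             # (vlan, chaddr) -> interface the client sits on

    def add_static(self, ip, mac, vlan, interface):
        """Static users have no DHCP exchange to snoop; bind them by hand."""
        self.bindings[(vlan, ip)] = Binding(mac, ip, vlan, interface, None)

    def on_dhcp(self, msg):
        """msg is a dict: type, interface (where it arrived), vlan, chaddr, and for
        server replies yiaddr and lease."""
        if msg["type"] in REPLIES:
            if msg["interface"] not in self.trusted:
                # A reply from an untrusted port means a bogus server: discard and count.
                self.dropped_replies += 1
                if self.alarm_threshold and self.dropped_replies == self.alarm_threshold:
                    self.alarms.append(f"{self.dropped_replies} DHCP replies dropped "
                                       f"on untrusted interface {msg['interface']}")
                return "drop"
            if msg["type"] == "ACK":
                # Bind the client's MAC/IP to the VLAN and the port its request came from.
                port = self._client_port.get((msg["vlan"], msg["chaddr"]), "unknown")
                self.bindings[(msg["vlan"], msg["yiaddr"])] = Binding(
                    msg["chaddr"], msg["yiaddr"], msg["vlan"], port, msg["lease"])
            return "forward"
        # Client messages: remember which port the client is attached to.
        self._client_port[(msg["vlan"], msg["chaddr"])] = msg["interface"]
        if msg["type"] == "RELEASE":
            self.bindings.pop((msg["vlan"], msg["ciaddr"]), None)
        return "forward"

    def check_source(self, vlan, interface, src_mac, src_ip):
        """dhcp snooping check { arp | ip }: forward only if MAC, IP, VLAN and interface
        all agree with a binding entry; anything else is discarded."""
        b = self.bindings.get((vlan, src_ip))
        if b and b.mac == src_mac and b.interface == interface:
            return "forward"
        return "drop"


def demo():
    s = DhcpSnooper(trusted_interfaces={"GE1/0/1"}, alarm_threshold=2)
    client = {"vlan": 100, "chaddr": "00e0-fc00-0001"}
    # Legitimate exchange: client on untrusted GE1/0/0, server behind trusted GE1/0/1.
    s.on_dhcp({"type": "DISCOVER", "interface": "GE1/0/0", **client})
    s.on_dhcp({"type": "OFFER", "interface": "GE1/0/1", "yiaddr": "10.1.1.10", **client})
    s.on_dhcp({"type": "REQUEST", "interface": "GE1/0/0", **client})
    ack = s.on_dhcp({"type": "ACK", "interface": "GE1/0/1", "yiaddr": "10.1.1.10",
                     "lease": 3600, **client})
    # Bogus server answering from an untrusted port: both replies dropped, alarm at 2.
    bogus = [s.on_dhcp({"type": t, "interface": "GE1/0/2", "yiaddr": "10.1.1.10",
                        "lease": 3600, **client}) for t in ("OFFER", "ACK")]
    # A host with a static address needs a static entry.
    s.add_static("10.1.1.50", "00e0-fc00-0050", 100, "GE1/0/3")
    return {
        "ack": ack, "bogus": bogus, "alarms": len(s.alarms), "bindings": len(s.bindings),
        "legit": s.check_source(100, "GE1/0/0", "00e0-fc00-0001", "10.1.1.10"),
        "ip_spoof": s.check_source(100, "GE1/0/2", "00e0-fc00-0bad", "10.1.1.10"),
        "moved_mac": s.check_source(100, "GE1/0/2", "00e0-fc00-0001", "10.1.1.10"),
        "static": s.check_source(100, "GE1/0/3", "00e0-fc00-0050", "10.1.1.50"),
        "unbound": s.check_source(100, "GE1/0/0", "00e0-fc00-0002", "10.1.1.99"),
    }
```

check_source compares all four fields the text lists (MAC, IP, VLAN, interface), so a host reusing a bound IP with a different MAC, or a bound MAC appearing on a different port, is dropped, and a static host passes only after its entry has been added. The model keeps the lease only as data; expiring entries when the lease runs out is left to the reader.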

1.1.4.4.4 (Optional) Configuring Option 82 Field Insertion


After Option 82 field insertion is enabled on a device, the device can record the
location information of the DHCP client or create binding entries with accurate
interface information based on the Option 82 information.

Context
The Option 82 field contains the location information of Dynamic Host
Configuration Protocol (DHCP) hosts, such as information about the login
interface, virtual local area network (VLAN), and address. After DHCP snooping is
configured, the device can create binding entries with accurate interface
information based on the Option 82 field. In addition, the DHCP server that
supports the Option 82 field can allocate different IP policies to different clients
based on the Option 82 information. This provides more flexible address allocation
modes.

Procedure
● Configure Option 82 field insertion in the VLAN view.
a. Run system-view
The system view is displayed.
b. Run vlan vlan-id
The VLAN view is displayed.
c. Run dhcp option82 insert enable [ interface interface-type interface-
number ] or dhcp option82 rebuild enable [ interface interface-type
interface-number ]

Option 82 field insertion is enabled.

▪ After the dhcp option82 insert enable command is run: If no Option 82
field exists in a received DHCP packet, the device inserts the Option 82
field into the packet; if the Option 82 field exists in a received DHCP
packet, the device checks whether the Option 82 field contains sub-options.
If the Option 82 field contains sub-options, the device does not change the
sub-options. If the Option 82 field does not contain sub-options and the
sub-option format is configured, the device inserts sub-options into the
Option 82 field.
▪ After the dhcp option82 rebuild enable command is run: If no Option 82
field exists in a received DHCP packet, the device inserts the Option 82
field into the packet; if the Option 82 field exists in a DHCP packet, the
device deletes the Option 82 field and inserts a new Option 82 field into
the packet.
d. Run quit
Return to the system view.
e. (Optional) Run dhcp option82 inner-vlan insert enable
Option 82 information is encapsulated into the inner and outer VLAN IDs
of a double-tagged user packet.
In scenarios where users go online through Layer 2 interfaces or VLANIF
interfaces and device interworking and version upgrade are involved, you
can determine whether to run this command as required.
f. Run commit
The configuration is committed.
● Configure Option 82 field insertion in the BD view.
a. Run system-view
The system view is displayed.
b. Run bridge-domain bd-id
The BD view is displayed.
c. Run dhcp option82 insert enable
Option 82 field insertion is enabled.

▪ After the dhcp option82 insert enable command is run: If no Option 82
field exists in a received DHCP packet, the device inserts the Option 82
field into the packet; if the Option 82 field exists in a received DHCP
packet, the device checks whether the Option 82 field contains sub-options.
If the Option 82 field contains sub-options, the device does not change the
sub-options. If the Option 82 field does not contain sub-options and the
sub-option format is configured, the device inserts sub-options into the
Option 82 field.
▪ After the dhcp option82 rebuild enable command is run: If no Option 82
field exists in a received DHCP packet, the device inserts the Option 82
field into the packet; if the Option 82 field exists in a DHCP packet, the
device deletes the Option 82 field and inserts a new Option 82 field into
the packet.
d. Run commit

The configuration is committed.


● Configure Option 82 field insertion on an interface.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run dhcp option82 insert enable or dhcp option82 rebuild enable
Option 82 field insertion is enabled.

▪ After the dhcp option82 insert enable command is run: If no Option 82
field exists in a received DHCP packet, the device inserts the Option 82
field into the packet; if the Option 82 field exists in a received DHCP
packet, the device checks whether the Option 82 field contains sub-options.
If the Option 82 field contains sub-options, the device does not change the
sub-options. If the Option 82 field does not contain sub-options and the
sub-option format is configured, the device inserts sub-options into the
Option 82 field.
▪ After the dhcp option82 rebuild enable command is run: If no Option 82
field exists in a received DHCP packet, the device inserts the Option 82
field into the packet; if the Option 82 field exists in a DHCP packet, the
device deletes the Option 82 field and inserts a new Option 82 field into
the packet.
d. (Optional) Run dhcp option82 link-selection insert enable
The function of inserting sub-option 5 into Option 82 is enabled.
e. (Optional) Run dhcp option82 link-selection subnet-ip-address
An IP address corresponding to sub-option 5 in Option 82 is configured.
f. (Optional) Run dhcp option82 vendor-specific insert enable
The device is enabled to insert Option 82's sub-option 9 into a DHCP
packet.
g. (Optional) Run dhcp option82 vendor-specific format
A format is configured for Option 82's sub-option 9 carried in a DHCP
packet.
h. Run quit
Return to the system view.
i. (Optional) Run dhcp option82 inner-vlan insert enable
Option 82 information is encapsulated into the inner and outer VLAN IDs
of a double-tagged user packet.
In scenarios where users go online through Layer 2 interfaces or VLANIF
interfaces and device interworking and version upgrade are involved, you
can determine whether to run this command as required.
j. Run commit
The configuration is committed.

Follow-up Procedure
After Option 82 field insertion is enabled, you can configure the format of the
Option 82 field as required.

● Configure the format of the Option 82 field in the VLAN view.
a. Run system-view
The system view is displayed.
b. Run vlan vlan-id
The VLAN view is displayed.
c. Run dhcp option82 format { user-defined text | type1 | type2 | self-
define self-define | cn-telecom | cn-telecom-inherit } interface
interface-type interface-number
The format of the Option 82 field is configured for the VLAN.
d. Run commit
The configuration is committed.
● Configure the format of the Option 82 field on an interface.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run dhcp option82 format { self-define extendtext | type1 | type2 | cn-
telecom | cn-telecom-inherit } or dhcp option82 { circuit-id | remote-
id } format self-define extendtext or dhcp option82 [ circuit-id |
remote-id ] format user-defined text
The format of the Option 82 field is configured.
d. Run commit
The configuration is committed.

1.1.4.4.5 (Optional) Configuring the Alarm Function for Discarded Man-in-the-Middle Attack and IP/MAC Address Spoofing Packets
By configuring the function described in this chapter, you can have an alarm
generated when a specified number of man-in-the-middle attack and IP/MAC
address spoofing packets are discarded.

Context
After packet check is enabled, if a received Address Resolution Protocol (ARP) or IP
packet of a man-in-the-middle attack or IP/MAC address spoofing does not match
any entry in the Dynamic Host Configuration Protocol (DHCP) snooping binding
table, the device discards the ARP or IP packet. With the function described in this
section configured, when the number of discarded packets reaches a specified
threshold, an alarm is generated.

Configure the alarm function for discarded man-in-the-middle attack and IP/MAC
address spoofing packets in a VLAN, BD, or interface view.

Procedure
● Configure the alarm function for discarded man-in-the-middle attack and
IP/MAC address spoofing packets in a VLAN view.
a. Run system-view
The system view is displayed.
b. Run vlan vlan-id
The VLAN view is displayed.
c. Run dhcp snooping alarm { arp | ip } enable [ interface interface-type
interface-number ]
The alarm function for discarded man-in-the-middle attack and IP/MAC
address spoofing packets is enabled for the VLAN.
d. Run dhcp snooping alarm { arp | ip } threshold threshold [ interface
interface-type interface-number ]
The alarm threshold for the number of discarded packets is configured
for the VLAN.
e. Run commit
The configuration is committed.
● Configure the alarm function for discarded man-in-the-middle attack and
IP/MAC address spoofing packets in a BD view.
a. Run system-view
The system view is displayed.
b. Run bridge-domain bd-id
The BD view is displayed.
c. Run dhcp snooping alarm { arp | ip } enable
The alarm function is enabled for discarded man-in-the-middle attack
and IP/MAC address spoofing packets in the BD view.
d. Run commit
The configuration is committed.
● Configure the alarm function for discarded man-in-the-middle attack and
IP/MAC address spoofing packets in an interface view.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run dhcp snooping alarm { arp | ip } enable
The alarm function for discarded man-in-the-middle attack and IP/MAC
address spoofing packets is enabled for the interface.
d. Run dhcp snooping alarm { arp | ip } threshold threshold-value
The alarm threshold for the number of discarded packets is configured
for the interface.

e. Run commit
The configuration is committed.

----End

1.1.4.4.6 Verifying the Configuration of Defense Against Man-in-the-Middle Attacks and IP/MAC Address Spoofing
This section describes how to check the configuration of defense against man-in-
the-middle attacks and IP/MAC address spoofing.

Prerequisites
The configuration of defense against man-in-the-middle attacks and IP/MAC
address spoofing is complete.

Procedure
● Run the display dhcp snooping global command to check the global DHCP
snooping information.
● Run the display dhcp snooping bind-table { all | dynamic | interface
interface-type interface-number | ip-address ip-address | mac-address mac-
address | static | vlan vlan-id [interface interface-type interface-number ] |
vsi vsi-name | bridge-domain bd-id } command to check the information
about the Dynamic Host Configuration Protocol (DHCP) snooping binding
table.
● Run the display dhcp snooping { interface interface-type interface-number |
vlan vlan-id [ interface interface-type interface-number ] | bridge-domain
bd-id } command to check the DHCP snooping configuration.
● Run the display dhcp option82 configuration [ interface interface-type
interface-number | vlan vlan-id | bridge-domain bd-id ] command to check
the Option 82 configuration.

----End

1.1.4.5 Preventing DoS Attacks by Changing the CHADDR Field


This section describes how to prevent attackers from attacking the Dynamic Host
Configuration Protocol (DHCP) server by modifying the client hardware address
(CHADDR) field.

Applicable Environment
Attackers may change the CHADDR field carried in DHCP packets to apply for IP
addresses continuously. The device, however, only checks validity of packets based
on the source media access control (MAC) address in the frame header. Attack
packets can still be forwarded and the MAC address limit cannot take effect.

To prevent the attacker from changing the CHADDR field, configure DHCP
snooping to check the CHADDR field carried in DHCP request packets. If the
CHADDR field matches the source MAC address in the frame header, the packet is
forwarded. Otherwise, the packet is discarded.

Pre-configuration Tasks
Before you configure defense against DoS attacks by changing the CHADDR field,
configure DHCP Snooping.

1.1.4.5.1 Enabling DHCP Snooping


To configure Dynamic Host Configuration Protocol (DHCP) snooping functions,
enable DHCP snooping first.

Context
Enable DHCP snooping in the following sequence:
1. Enable DHCP globally.
2. Enable DHCP snooping globally.
3. Enable DHCP snooping in an interface, BD, or VLAN view.

Procedure
● Enable DHCP snooping for a VLAN.
a. Run system-view
The system view is displayed.
b. Run dhcp enable
DHCP is enabled globally.
c. Run dhcp snooping enable
DHCP snooping is enabled globally.
d. Run vlan vlan-id
The VLAN view is displayed.
e. Run dhcp snooping enable
DHCP snooping is enabled for the VLAN.
f. Run quit
The system view is displayed.
g. Run commit
The configuration is committed.
● Enable DHCP snooping in the BD view.
a. Run system-view
The system view is displayed.
b. Run dhcp enable
DHCP is enabled globally.
c. Run dhcp snooping enable
DHCP snooping is enabled globally.
d. Run bridge-domain bd-id

The BD view is displayed.
e. Run dhcp snooping enable
DHCP snooping is enabled in a BD.
f. Run commit
The configuration is committed.
● Enable DHCP snooping for an interface.
a. Run system-view
The system view is displayed.
b. Run dhcp enable
DHCP is enabled globally.
c. Run dhcp snooping enable
DHCP snooping is enabled globally.
d. Run interface interface-type interface-number
The interface view is displayed.
e. Run dhcp snooping enable
DHCP snooping is enabled for the interface.
f. Run commit
The configuration is committed.
● Enable DHCP snooping in the BD view.
a. Run system-view
The system view is displayed.
b. Run dhcp enable
DHCP is enabled globally.
By default, DHCP is enabled globally.
c. Run dhcp snooping enable
DHCP snooping is enabled globally.
By default, DHCP snooping is disabled globally.
d. Run bridge-domain bd-id
The BD view is displayed.
e. Run dhcp snooping enable
DHCP snooping is enabled in a BD.
By default, DHCP snooping is disabled in a BD.
f. Run commit
The configuration is committed.

----End

1.1.4.5.2 Configuring CHADDR Field Check


If you want your device to check the client hardware address (CHADDR) field
validity, configure CHADDR field check.

Context
The CHADDR field check function allows the device to check whether the media
access control (MAC) address in the CHADDR field of a received Dynamic Host
Configuration Protocol (DHCP) request packet matches that in the header of the
packet. If they match, the device considers the packet valid and forwards it. If they
do not match, the device considers the packet an attack packet and discards it.
Configure CHADDR field check in a VLAN, BD, or interface view.

Procedure
● Configure CHADDR field check for a virtual local area network (VLAN).
a. Run system-view
The system view is displayed.
b. Run vlan vlan-id
The VLAN view is displayed.
c. Run dhcp check chaddr enable [ interface interface-type interface-
number ]
CHADDR field check is enabled for the VLAN.
d. Run commit
The configuration is committed.
● Enable CHADDR field check in a BD.
a. Run system-view
The system view is displayed.
b. Run bridge-domain bd-id
The BD view is displayed.
c. Run dhcp check chaddr enable
CHADDR field check is enabled.
d. Run commit
The configuration is committed.
● Configure CHADDR field check for an interface.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run dhcp check chaddr enable
CHADDR field check is enabled for the interface.

d. Run commit
The configuration is committed.
● Enable CHADDR field check in a BD.
a. Run system-view
The system view is displayed.
b. Run bridge-domain bd-id
The BD view is displayed.
c. Run dhcp snooping check mac-address enable
CHADDR field check is enabled.
By default, CHADDR field check is disabled.
d. Run commit
The configuration is committed.

----End

1.1.4.5.3 (Optional) Configuring the Alarm Function for Discarded DHCP Packets with Incorrect CHADDR Fields
By configuring the function described in this chapter, you can have an alarm
generated when a specified number of Dynamic Host Configuration Protocol
(DHCP) packets with incorrect client hardware address (CHADDR) fields are
discarded.

Context
After CHADDR field check is enabled, the device checks whether the media access
control (MAC) address in the CHADDR field of a received DHCP packet matches
that in the frame header of the packet. If they match, the device considers the
packet valid and forwards it. If they do not match, the device considers the packet
an attack packet and discards it. The device generates an alarm when the number
of discarded DHCP packets with incorrect CHADDR fields reaches the
predetermined threshold.

Configure the alarm function for discarded DHCP packets with incorrect CHADDR
fields in a VLAN, BD, or interface view.

Procedure
● Configure the alarm function for discarded DHCP packets with incorrect
CHADDR fields in a VLAN view.
a. Run system-view
The system view is displayed.
b. Run vlan vlan-id
The VLAN view is displayed.
c. Run dhcp snooping alarm dhcp-chaddr enable [ interface interface-
type interface-number ]

The alarm function for discarded DHCP packets with incorrect CHADDR
fields is enabled for the VLAN.
d. Run dhcp snooping alarm dhcp-chaddr threshold threshold [ interface
interface-type interface-number ]
The alarm threshold for discarded DHCP packets with incorrect CHADDR
fields is configured for the VLAN.
e. Run commit
The configuration is committed.
● Configure the alarm function for discarded DHCP packets with incorrect
CHADDR fields in a BD view.
a. Run system-view
The system view is displayed.
b. Run bridge-domain bd-id
The BD view is displayed.
c. Run dhcp snooping alarm dhcp-chaddr enable
The alarm function for discarded DHCP packets with incorrect CHADDR
fields is enabled for the BD.
d. Run dhcp snooping alarm dhcp-chaddr threshold threshold
The alarm threshold for discarded DHCP packets with incorrect CHADDR
fields is configured.
e. Run commit
The configuration is committed.
● Configure the alarm function for discarded DHCP packets with incorrect
CHADDR fields in an interface view.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run dhcp snooping alarm dhcp-chaddr enable
The alarm function for discarded DHCP packets with incorrect CHADDR
fields is enabled for the interface.
d. Run dhcp snooping alarm dhcp-chaddr threshold threshold-value
The alarm threshold for discarded DHCP packets with incorrect CHADDR
fields is configured for the interface.
e. Run commit
The configuration is committed.

----End

1.1.4.5.4 Checking the Configuration


This section describes how to check the configuration of the client hardware
address (CHADDR) field check function.

Prerequisites
The configuration of defense against denial of service (DoS) attacks by changing
the CHADDR field is complete.

Procedure
● Run the display dhcp snooping { interface interface-type interface-number |
vlan vlan-id [ interface interface-type interface-number ] | bridge-domain
bd-id } command to check the Dynamic Host Configuration Protocol (DHCP)
snooping configuration.

----End

1.1.4.6 Configuring Defense Against DHCP Exhaustion Attacks


This section describes how to prevent the attackers from attacking the Dynamic
Host Configuration Protocol (DHCP) server by forging the DHCP packets for
extending IP address leases.

Applicable Environment
Attackers disguise as authorized clients to send DHCP request packets for
extending the IP address lease. As a result, DHCP servers cannot reclaim IP
addresses assigned to clients.

This problem can be resolved by enabling DHCP snooping. After DHCP snooping is
enabled, when receiving a DHCP request packet, the device checks whether the IP
address and VLAN ID carried in the packet match an entry in the DHCP snooping
binding table. If no matching entry exists, the device considers the DHCP request
packet as a new request packet and forwards it. If a matching entry exists, the
device considers the DHCP request packet as a lease renewal packet and checks
whether the MAC address carried in the packet matches any entry in the binding
table. If a matching entry exists, the device forwards the packet. If no matching
entry exists, the device discards the packet.

Pre-configuration Tasks
Before you configure defense against attacks by sending bogus DHCP packets to
extend IP address leases, configure the DHCP server.

1.1.4.6.1 Enabling DHCP Snooping


To configure Dynamic Host Configuration Protocol (DHCP) snooping functions,
enable DHCP snooping first.

Context
Enable DHCP snooping in the following sequence:
1. Enable DHCP globally.
2. Enable DHCP snooping globally.
3. Enable DHCP snooping in an interface, BD, or VLAN view.

Procedure
● Enable DHCP snooping for a VLAN.
a. Run system-view
The system view is displayed.
b. Run dhcp enable
DHCP is enabled globally.
c. Run dhcp snooping enable
DHCP snooping is enabled globally.
d. Run vlan vlan-id
The VLAN view is displayed.
e. Run dhcp snooping enable
DHCP snooping is enabled for the VLAN.
f. Run quit
The system view is displayed.
g. Run commit
The configuration is committed.
● Enable DHCP snooping in the BD view.
a. Run system-view
The system view is displayed.
b. Run dhcp enable
DHCP is enabled globally.
c. Run dhcp snooping enable
DHCP snooping is enabled globally.
d. Run bridge-domain bd-id
The BD view is displayed.
e. Run dhcp snooping enable
DHCP snooping is enabled in a BD.
f. Run commit
The configuration is committed.
● Enable DHCP snooping for an interface.
a. Run system-view
The system view is displayed.
b. Run dhcp enable
DHCP is enabled globally.

c. Run dhcp snooping enable
DHCP snooping is enabled globally.
d. Run interface interface-type interface-number
The interface view is displayed.
e. Run dhcp snooping enable
DHCP snooping is enabled for the interface.
f. Run commit
The configuration is committed.
● Enable DHCP snooping in the BD view.
a. Run system-view
The system view is displayed.
b. Run dhcp enable
DHCP is enabled globally.
By default, DHCP is enabled globally.
c. Run dhcp snooping enable
DHCP snooping is enabled globally.
By default, DHCP snooping is disabled globally.
d. Run bridge-domain bd-id
The BD view is displayed.
e. Run dhcp snooping enable
DHCP snooping is enabled in a BD.
By default, DHCP snooping is disabled in a BD.
f. Run commit
The configuration is committed.

----End

1.1.4.6.2 Enabling DHCP Request Packet Check


To prevent unauthorized clients from sending Dynamic Host Configuration
Protocol (DHCP) request packets to request IP addresses, the device checks
whether information carried in a received DHCP request packet matches an entry
in the DHCP snooping binding table. The checked information includes the source
IP and MAC addresses. If a matching entry exists, the device considers the packet
valid and forwards it. If no matching entry exists, the device considers the packet
an attack packet and discards it.

Context
In dynamic address assignment mode, the device generates a DHCP snooping
binding table to record DHCP client information. In static address assignment
mode, configure a DHCP static binding table to record DHCP client information.

Enable DHCP request packet check in a VLAN, BD, or interface view.

Issue 01 (2023-09-30) Copyright © Huawei Technologies Co., Ltd. 117


HUAWEI NetEngine9000
Configuration Guide 1 Configuration

Procedure
● Enable DHCP request packet check for a VLAN.
a. Run system-view
The system view is displayed.
b. Run vlan vlan-id
The VLAN view is displayed.
c. Run dhcp snooping check dhcp-request enable [ interface interface-
type interface-number ]
DHCP request packet check is enabled for the VLAN.
d. Run commit
The configuration is committed.
● Enable DHCP request packet check in the BD view.
a. Run system-view
The system view is displayed.
b. Run bridge-domain bd-id
The BD view is displayed.
c. Run dhcp snooping check dhcp-request enable
DHCP request packet check is enabled.
d. Run commit
The configuration is committed.
● Enable DHCP request packet check for an interface.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
The interface is the user-side interface.
c. Run dhcp snooping check dhcp-request enable
DHCP request packet check is enabled for the interface.
d. Run commit
The configuration is committed.

----End

1.1.4.6.3 (Optional) Configuring Option 82 Field Insertion


After Option 82 field insertion is enabled on a device, the device can record the
location information of the DHCP client or create binding entries with accurate
interface information based on the Option 82 information.

Issue 01 (2023-09-30) Copyright © Huawei Technologies Co., Ltd. 118


HUAWEI NetEngine9000
Configuration Guide 1 Configuration

Context
The Option 82 field contains the location information of Dynamic Host
Configuration Protocol (DHCP) hosts, such as information about the login
interface, virtual local area network (VLAN), and address. After DHCP snooping is
configured, the device can create binding entries with accurate interface
information based on the Option 82 field. In addition, the DHCP server that
supports the Option 82 field can allocate different IP policies to different clients
based on the Option 82 information. This provides more flexible address allocation
modes.

Procedure
● Configure Option 82 field insertion in the VLAN view.
a. Run system-view
The system view is displayed.
b. Run vlan vlan-id
The VLAN view is displayed.
c. Run dhcp option82 insert enable [ interface interface-type interface-
number ] or dhcp option82 rebuild enable [ interface interface-type
interface-number ]
Option 82 field insertion is enabled.

▪ After the dhcp option82 insert enable command is run: If no Option 82
field exists in a received DHCP packet, the device inserts the Option 82
field into the packet; if the Option 82 field exists in a received DHCP
packet, the device checks whether the Option 82 field contains sub-options.
If the Option 82 field contains sub-options, the device does not change the
sub-options. If the Option 82 field does not contain sub-options and the
sub-option format is configured, the device inserts sub-options into the
Option 82 field.
▪ After the dhcp option82 rebuild enable command is run: If no Option 82
field exists in a received DHCP packet, the device inserts the Option 82
field into the packet; if the Option 82 field exists in a DHCP packet, the
device deletes the Option 82 field and inserts a new Option 82 field into
the packet.
d. Run quit
Return to the system view.
e. (Optional) Run dhcp option82 inner-vlan insert enable
Option 82 information is encapsulated into the inner and outer VLAN IDs
of a double-tagged user packet.
In scenarios where users go online through Layer 2 interfaces or VLANIF
interfaces and device interworking and version upgrade are involved, you
can determine whether to run this command as required.
f. Run commit
The configuration is committed.
● Configure Option 82 field insertion in the BD view.
a. Run system-view

The system view is displayed.


b. Run bridge-domain bd-id
The BD view is displayed.
c. Run dhcp option82 insert enable
Option 82 field insertion is enabled.

▪ After the dhcp option82 insert enable command is run: If no Option 82
field exists in a received DHCP packet, the device inserts the Option 82
field into the packet; if the Option 82 field exists in a received DHCP
packet, the device checks whether the Option 82 field contains sub-options.
If the Option 82 field contains sub-options, the device does not change the
sub-options. If the Option 82 field does not contain sub-options and the
sub-option format is configured, the device inserts sub-options into the
Option 82 field.
▪ After the dhcp option82 rebuild enable command is run: If no Option 82
field exists in a received DHCP packet, the device inserts the Option 82
field into the packet; if the Option 82 field exists in a DHCP packet, the
device deletes the Option 82 field and inserts a new Option 82 field into
the packet.
d. Run commit
The configuration is committed.
● Configure Option 82 field insertion on an interface.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run dhcp option82 insert enable or dhcp option82 rebuild enable
Option 82 field insertion is enabled.

▪ After the dhcp option82 insert enable command is run: If no Option 82
field exists in a received DHCP packet, the device inserts the Option 82
field into the packet; if the Option 82 field exists in a received DHCP
packet, the device checks whether the Option 82 field contains sub-options.
If the Option 82 field contains sub-options, the device does not change the
sub-options. If the Option 82 field does not contain sub-options and the
sub-option format is configured, the device inserts sub-options into the
Option 82 field.
▪ After the dhcp option82 rebuild enable command is run: If no Option 82
field exists in a received DHCP packet, the device inserts the Option 82
field into the packet; if the Option 82 field exists in a DHCP packet, the
device deletes the Option 82 field and inserts a new Option 82 field into
the packet.
d. (Optional) Run dhcp option82 link-selection insert enable
The function of inserting sub-option 5 into Option 82 is enabled.
e. (Optional) Run dhcp option82 link-selection subnet-ip-address
An IP address corresponding to sub-option 5 in Option 82 is configured.

f. (Optional) Run dhcp option82 vendor-specific insert enable


The device is enabled to insert Option 82's sub-option 9 into a DHCP
packet.
g. (Optional) Run dhcp option82 vendor-specific format
A format is configured for Option 82's sub-option 9 carried in a DHCP
packet.
h. Run quit
Return to the system view.
i. (Optional) Run dhcp option82 inner-vlan insert enable
Option 82 information is encapsulated into the inner and outer VLAN IDs
of a double-tagged user packet.
In scenarios where users go online through Layer 2 interfaces or VLANIF
interfaces and device interworking and version upgrade are involved, you
can determine whether to run this command as required.
j. Run commit
The configuration is committed.
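As an added example that is not part of this guide, the following Python models the insert and rebuild behaviour described in this section and in 1.1.4.4.4 on the option area of a DHCP packet. It assumes the input is the option bytes that follow the magic cookie, that the device's own Option 82 content is supplied as pre-encoded circuit-id and remote-id sub-options, and that the format_configured flag stands in for whether a sub-option format has been configured on the device.

```python
# Added example (not from the Huawei guide): models the "insert" and "rebuild"
# behaviour of Option 82 field insertion. Assumptions: the input is the DHCP
# option area after the magic cookie, and the device's own Option 82 content is
# supplied as already-encoded sub-options (circuit-id / remote-id).
OPT_PAD, OPT_RELAY_AGENT, OPT_END = 0, 82, 255
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2


def parse_tlvs(raw: bytes, dhcp_options: bool) -> list[tuple[int, bytes]]:
    """Parse code/length/value triples.

    DHCP options use PAD (0) and END (255); Option 82 sub-options have neither,
    so the caller passes dhcp_options=False when parsing the sub-option list.
    """
    items, i = [], 0
    while i < len(raw):
        code = raw[i]
        if dhcp_options and code == OPT_END:
            break
        if dhcp_options and code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError(f"truncated TLV header at offset {i}")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated TLV value at offset {i}")
        items.append((code, value))
        i += 2 + length
    return items


def encode_tlvs(items: list[tuple[int, bytes]], dhcp_options: bool) -> bytes:
    """Inverse of parse_tlvs; appends END when encoding a DHCP option area."""
    out = bytearray()
    for code, value in items:
        if len(value) > 255:
            raise ValueError(f"option {code} value too long ({len(value)} bytes)")
        out += bytes((code, len(value))) + value
    if dhcp_options:
        out.append(OPT_END)
    return bytes(out)


def build_agent_info(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Sub-option 1 (circuit-id) and sub-option 2 (remote-id) for this device."""
    return encode_tlvs([(SUBOPT_CIRCUIT_ID, circuit_id),
                        (SUBOPT_REMOTE_ID, remote_id)], dhcp_options=False)


def apply_option82(options: bytes, agent_info: bytes, mode: str,
                   format_configured: bool = True) -> bytes:
    """Return the option area as the device would forward it.

    mode="insert" corresponds to dhcp option82 insert enable and
    mode="rebuild" to dhcp option82 rebuild enable. format_configured models
    whether a sub-option format has been configured on the device.
    """
    if mode not in ("insert", "rebuild"):
        raise ValueError("mode must be 'insert' or 'rebuild'")
    opts = parse_tlvs(options, dhcp_options=True)
    existing = [v for c, v in opts if c == OPT_RELAY_AGENT]
    if not existing:
        # No Option 82 in the received packet: both modes add one.
        opts.append((OPT_RELAY_AGENT, agent_info))
    elif mode == "rebuild":
        # Rebuild: drop whatever the packet carried and insert a fresh field.
        opts = [(c, v) for c, v in opts if c != OPT_RELAY_AGENT]
        opts.append((OPT_RELAY_AGENT, agent_info))
    elif not parse_tlvs(existing[0], dhcp_options=False) and format_configured:
        # Insert: an Option 82 field with no sub-options is filled in, but only
        # when a sub-option format is configured; a field that already carries
        # sub-options is left untouched.
        opts = [(c, agent_info if c == OPT_RELAY_AGENT else v) for c, v in opts]
    return encode_tlvs(opts, dhcp_options=True)


# Constructed sample: option area of a DHCPDISCOVER (message type 53 = 1,
# client identifier 61) and the access device's own relay-agent information.
DISCOVER_OPTS = encode_tlvs([(53, b"\x01"),
                             (61, b"\x01" + bytes.fromhex("0011223344aa"))],
                            dhcp_options=True)
AGENT_INFO = build_agent_info(b"GE0/1/0:vlan100", b"ne9000-access-1")

if __name__ == "__main__":
    foreign = encode_tlvs([(53, b"\x01"), (82, build_agent_info(b"x", b"y"))],
                          dhcp_options=True)
    for mode in ("insert", "rebuild"):
        print(mode, "no Option 82 ->",
              parse_tlvs(apply_option82(DISCOVER_OPTS, AGENT_INFO, mode), True))
        print(mode, "foreign Option 82 ->",
              parse_tlvs(apply_option82(foreign, AGENT_INFO, mode), True))
```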

Follow-up Procedure
After Option 82 field insertion is enabled, you can configure the format of the
Option 82 field as required.
● Configure the format of the Option 82 field in the VLAN view.
a. Run system-view
The system view is displayed.
b. Run vlan vlan-id
The VLAN view is displayed.
c. Run dhcp option82 format { user-defined text | type1 | type2 | self-
define self-define | cn-telecom | cn-telecom-inherit } interface
interface-type interface-number
The format of the Option 82 field is configured for the VLAN.
d. Run commit
The configuration is committed.
● Configure the format of the Option 82 field on an interface.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run dhcp option82 format { self-define extendtext | type1 | type2 | cn-
telecom | cn-telecom-inherit } or dhcp option82 { circuit-id | remote-
id } format self-define extendtext or dhcp option82 [ circuit-id |
remote-id ] format user-defined text
The format of the Option 82 field is configured.
d. Run commit
The configuration is committed.


1.1.4.6.4 (Optional) Configuring the Alarm Function for Discarded DHCP Packets for
Extending the IP Address Lease
By configuring the function described in this chapter, you can have an alarm
generated when a specified number of Dynamic Host Configuration Protocol
(DHCP) packets for extending the IP address lease are discarded.

Context
After DHCP request packet check is enabled, the device checks whether the source
IP address, source MAC address, virtual local area network (VLAN) ID, and
interface information carried in a received DHCP request packet match an entry in
the DHCP snooping binding table. If no matching entry exists, the device considers
the packet an attack packet and discards it. The device generates an alarm when
the number of discarded DHCP packets for extending the IP address lease exceeds
the threshold.
Configure the alarm function for discarded DHCP packets for extending the IP
address lease in a VLAN, BD, or interface view.

Procedure
● Configure the alarm function for discarded DHCP packets for extending the IP
address lease in a VLAN view.
a. Run system-view
The system view is displayed.
b. Run vlan vlan-id
The VLAN view is displayed.
c. Run dhcp snooping alarm dhcp-request enable [ interface interface-
type interface-number ]
DHCP request packet check is enabled for the VLAN.
By default, DHCP request packet check is disabled for a VLAN.
d. Run dhcp snooping alarm dhcp-request threshold threshold [ interface
interface-type interface-number ]
The alarm threshold for the number of discarded DHCP packets for
extending the IP address lease is configured for the VLAN.
e. Run commit
The configuration is committed.
● Configure the alarm function for discarded DHCP packets for extending the IP
address lease in a BD view.
a. Run system-view
The system view is displayed.
b. Run bridge-domain bd-id
The BD view is displayed.
c. Run dhcp snooping alarm dhcp-request enable
Check for DHCP packets for extending the IP address lease is enabled.


d. Run dhcp snooping alarm dhcp-request threshold threshold-value
An alarm threshold for the number of discarded DHCP packets for
extending the IP address lease is configured.
e. Run commit
The configuration is committed.
● Configure the alarm function for discarded DHCP packets for extending the IP
address lease in an interface view.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run dhcp snooping alarm dhcp-request enable
DHCP request packet check is enabled for the interface.
d. Run dhcp snooping alarm dhcp-request threshold threshold-value
The alarm threshold for the number of discarded DHCP packets for
extending the IP address lease is configured for the interface.
e. Run commit
The configuration is committed.
----End

1.1.4.6.5 Checking the Configuration


This section describes how to check the configuration of defense against
attackers that send bogus Dynamic Host Configuration Protocol (DHCP)
packets to extend IP address leases.

Prerequisites
The configurations of defense against attackers that send bogus DHCP
packets to extend IP address leases are complete.

Procedure
● Run the display dhcp snooping { interface interface-type interface-number |
vlan vlan-id [ interface interface-type interface-number ] | bridge-domain
bd-id } command to check the DHCP snooping configuration.
● Run the display dhcp option82 configuration [ interface interface-type
interface-number | vlan vlan-id | bridge-domain bd-id ] command to check
the configuration of the option 82 field insertion function.

----End

1.1.4.7 Setting the Maximum Number of DHCP Clients


The maximum number of Dynamic Host Configuration Protocol (DHCP) clients
that log in from an interface can be specified.


Usage Scenario
After the number of login clients reaches the maximum number, no further client
can obtain an IP address. To prevent malicious IP address requests from
exhausting the address pool, configure the maximum number of DHCP clients.
In the VXLAN scenario, the maximum number for the entire system must be
greater than or equal to the sum of the maximum numbers configured for all BDs.
When the number of login users on a DHCP snooping device reaches the
maximum number, the device checks whether the IP address in a DHCP ACK packet
already exists in the binding entries to determine whether the login user is a new
one. In this case, you can also configure the MAC address strict check function.
DHCP snooping then determines whether a user is new by checking the MAC
address of the DHCP Discover packet the user sends. If the MAC address does not
exist in the DHCP snooping binding entries, the user is not allowed to go online,
and the packets are not sent to the DHCP server. In this manner, the DHCP server
is not affected by unauthorized users.

Pre-configuration Tasks
Before you set the maximum number of DHCP clients, configure DHCP snooping
and trusted interfaces.

Procedure
● Configure the maximum number of DHCP clients for a VLAN.
a. Run system-view
The system view is displayed.
b. (Optional) Run dhcp snooping strict-check mac-address
DHCP snooping is enabled to strictly check the MAC addresses of login
users.
c. Run vlan vlan-id
The VLAN view is displayed.
d. Run dhcp snooping max-user-number max-user-number [ interface
interface-type interface-number ]
The maximum number of DHCP clients is configured for the VLAN.
e. (Optional) Run dhcp snooping alarm user-limit enable [ interface
interface-type interface-number ]
The alarm function for discarded DHCP packets because the maximum
number of DHCP clients is reached is enabled for the VLAN.
f. (Optional) Run dhcp snooping alarm user-limit threshold threshold
[ interface interface-type interface-number ]
The alarm threshold for the number of DHCP packets discarded because the
maximum number of DHCP clients is reached is configured for the VLAN.
g. Run commit
The configuration is committed.
● Configure the maximum number of DHCP clients for an interface.


a. Run system-view
The system view is displayed.
b. (Optional) Run dhcp snooping strict-check mac-address
DHCP snooping is enabled to strictly check the MAC addresses of login
users.
c. Run interface interface-type interface-number
The interface view is displayed.
d. Run dhcp snooping max-user-number max-user-number
The maximum number of DHCP clients is configured for the interface.
e. (Optional) Run dhcp snooping alarm user-limit enable
The alarm function for discarded DHCP packets because the maximum
number of DHCP clients is reached is enabled for the interface.
f. (Optional) Run dhcp snooping alarm user-limit threshold threshold-
value
The alarm threshold for the number of DHCP packets discarded because the
maximum number of DHCP clients is reached is configured for the interface.
g. Run commit
The configuration is committed.
● Configure the maximum number of DHCP clients for a BD.
a. Run system-view
The system view is displayed.
b. Run bridge-domain bd-id
The BD view is displayed.
c. Run dhcp snooping max-user-number max-user-number
The maximum number of DHCP clients is configured for the BD.
d. Run commit
The configuration is committed.
----End
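The request check described in the Context of 1.1.4.6.4 and the user limit with the MAC address strict check described in the Usage Scenario above both work on the same DHCP snooping binding table, so one model serves both. The following Python code is an added example, not NE9000 code: the Binding and Request classes, the DhcpSnoopingTable class and its method names, the alarm_thresholds keys and the sample IP and MAC addresses are constructed for illustration. As the page describes, a REQUEST whose source IP address, source MAC address, VLAN ID and interface do not all match a binding entry is discarded, and an alarm is generated once the per-interface discard count exceeds the configured threshold; at the user limit, strict MAC check refuses DISCOVER packets from MAC addresses that have no binding entry, so they are never forwarded to the DHCP server.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding entry (client IP, MAC, VLAN, access interface)."""
    ip: str
    mac: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class Request:
    """Fields of a lease-extension REQUEST as seen by the snooping device."""
    src_ip: str
    src_mac: str
    vlan: int
    interface: str


class DhcpSnoopingTable:
    """Binding table with the request check and the user limit modelled.

    Added example, not NE9000 code. alarm_thresholds is keyed by alarm kind
    ('dhcp-request' or 'user-limit'); an alarm is raised once, when the
    per-interface discard count of that kind first exceeds the threshold.
    """

    def __init__(self, max_users: Optional[int] = None, strict_mac: bool = False,
                 alarm_thresholds: Optional[Dict[str, int]] = None) -> None:
        self.bindings: Dict[str, Binding] = {}            # keyed by client IP
        self.max_users = max_users
        self.strict_mac = strict_mac
        self.alarm_thresholds = alarm_thresholds or {}
        self.discards: Dict[Tuple[str, str], int] = {}    # (kind, interface) -> count
        self.alarms: List[str] = []

    def _discard(self, kind: str, interface: str) -> bool:
        """Count a discard and raise the alarm at the threshold crossing; returns False."""
        key = (kind, interface)
        n = self.discards.get(key, 0) + 1
        self.discards[key] = n
        thr = self.alarm_thresholds.get(kind)
        if thr is not None and n == thr + 1:
            self.alarms.append(f"{kind}: discards on {interface} exceeded {thr}")
        return False

    # 1.1.4.6.4: a REQUEST whose IP/MAC/VLAN/interface do not all match an
    # entry is treated as a bogus lease extension and discarded.
    def check_request(self, req: Request) -> bool:
        b = self.bindings.get(req.src_ip)
        if b is not None and (b.mac, b.vlan, b.interface) == (req.src_mac, req.vlan, req.interface):
            return True
        return self._discard("dhcp-request", req.interface)

    # 1.1.4.7: at the user limit, strict MAC check drops DISCOVERs from MACs
    # that have no binding entry, so they never reach the DHCP server.
    def admit_discover(self, mac: str, interface: str) -> bool:
        if self.max_users is None or len(self.bindings) < self.max_users:
            return True
        known = any(b.mac == mac for b in self.bindings.values())
        if self.strict_mac and not known:
            return self._discard("user-limit", interface)
        return True

    # Without strict MAC check the decision is made on the ACK: an IP address
    # that is already bound belongs to an existing user; anything else is new.
    def admit_ack(self, ip: str, mac: str, vlan: int, interface: str) -> bool:
        is_new = ip not in self.bindings
        if is_new and self.max_users is not None and len(self.bindings) >= self.max_users:
            return self._discard("user-limit", interface)
        self.bindings[ip] = Binding(ip, mac, vlan, interface)
        return True
```

In practice the ACK path populates the table and the REQUEST path consumes it; the discards dictionary corresponds to the per-kind totals that display dhcp snooping reports, and the alarms list to what is reported to the NMS.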

Result
Run the display dhcp snooping { interface interface-type interface-number | vlan
vlan-id [ interface interface-type interface-number ] | bridge-domain bd-id }
command to check the maximum number of DHCP clients.

1.1.4.8 Configuring the DHCP Snooping Packet Sending Method

Usage Scenario
When DHCP snooping unicast packets are forwarded using CPU, the EXP values of
MPLS packets sent to the tunnel side are mapped to the DSCP values (equal to
the EXP values) of IP packets. After CPU forwarding is disabled for DHCP snooping
unicast packets, DHCP snooping unicast packets are forwarded using hardware.


The EXP values of MPLS packets sent to the tunnel side are mapped to the DSCP
values (6 by default) of IP packets based on the DSCP-EXP mappings specified
using the host-packet dscp map command.

Procedure
Step 1 Enable DHCP snooping.
1. Run system-view
The system view is displayed.
2. Run dhcp enable
DHCP is enabled globally.
3. Run dhcp snooping enable
DHCP snooping is enabled.

Step 2 Configure the DHCP snooping packet sending method.
1. Run dhcp snooping unicast cpu-forward disable
Hardware forwarding is configured for DHCP snooping unicast packets.
2. Run commit
The configuration is committed.

----End

1.1.4.9 Configuring DHCP Snooping Whitelists


This section describes how to configure the whitelist function for DHCP snooping
so that DHCP packets are filtered based on the whitelist rules.

Usage Scenario
Generally, only the trusted and untrusted functions of DHCP snooping can be used
to control DHCP packets to be sent to the CPU. On the trusted interface, DHCP
request and response packets are sent to the CPU. On the untrusted interface, only
request packets are sent to the CPU, and response packets are dropped. To
accurately control packets to be sent to the CPU on a trusted client or server,
configure the whitelist function for DHCP snooping so that DHCP packets are
filtered based on the whitelist rules. After a whitelist is configured for DHCP
snooping, only DHCP packets matching the whitelist rules are sent to the CPU,
and the DHCP packets that do not match the whitelist rules are simply forwarded.
This protects the device against attacks.

In VS mode, this feature is supported only on the Admin-VS.

Configuration Roadmap
The configuration roadmap is as follows:

1. Enable DHCP snooping.
2. Create a whitelist.
3. Configure whitelist rules.


4. Apply the whitelist.

Procedure
Step 1 Enable DHCP snooping.
1. Run system-view
The system view is displayed.
2. Run dhcp snooping enable
DHCP snooping is enabled globally.
Step 2 Create a whitelist.
Run dhcp snooping packet whitelist whitelist-name
A whitelist is configured to filter DHCP packets.
Step 3 Configure whitelist rules.
1. Run dhcp packet-rule ruleid { source-ip source-ip-address { source-ip-mask |
source-ip-mask-length } | destination-ip destination-ip-address { destination-
ip-mask | destination-ip-mask-length } } * [ source-port { bootpc | bootps } ]
[ destination-port { bootpc | bootps } ]
Whitelist rules are configured.
2. Run commit
The configuration is committed.
3. Run quit
Return to the system view.
Step 4 Apply the whitelist.
1. Run dhcp snooping apply packet whitelist whitelist-name
The whitelist is applied to filter DHCP packets.
2. Run commit
The configuration is committed.

----End
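The following Python code is an added example, not NE9000 code, that models how a whitelist decides whether a DHCP packet is sent to the CPU or simply forwarded. parse_rule reads a dhcp packet-rule line in the syntax shown in Step 3, accepting each mask either as a dotted quad or as a prefix length and the ports as bootpc or bootps; the Whitelist class, its dispatch method and the per-rule hit counter (mirroring the statistics shown by display dhcp snooping white-list statistics) are constructed names. The sample rule is the one used in the configuration example in 1.1.4.12.1; the DhcpPacket values are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

BOOTPS, BOOTPC = 67, 68                 # DHCP server and client UDP ports
PORT_NAMES = {"bootps": BOOTPS, "bootpc": BOOTPC}


def network(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Build a network from 'addr mask', where mask is dotted or a prefix length."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


@dataclass
class PacketRule:
    """One 'dhcp packet-rule' line; a field left None matches anything."""
    rule_id: int
    source: Optional[ipaddress.IPv4Network] = None
    destination: Optional[ipaddress.IPv4Network] = None
    source_port: Optional[int] = None
    destination_port: Optional[int] = None

    def matches(self, src_ip: str, dst_ip: str, sport: int, dport: int) -> bool:
        if self.source is not None and ipaddress.ip_address(src_ip) not in self.source:
            return False
        if self.destination is not None and ipaddress.ip_address(dst_ip) not in self.destination:
            return False
        if self.source_port is not None and sport != self.source_port:
            return False
        if self.destination_port is not None and dport != self.destination_port:
            return False
        return True


def parse_rule(line: str) -> PacketRule:
    """Parse 'dhcp packet-rule <id> [source-ip A M] [destination-ip A M] [source-port P] [destination-port P]'."""
    tokens = line.split()
    if tokens[:2] != ["dhcp", "packet-rule"]:
        raise ValueError("not a dhcp packet-rule line")
    rule = PacketRule(rule_id=int(tokens[2]))
    i = 3
    while i < len(tokens):
        kw = tokens[i]
        if kw in ("source-ip", "destination-ip"):
            net = network(tokens[i + 1], tokens[i + 2])
            setattr(rule, "source" if kw == "source-ip" else "destination", net)
            i += 3
        elif kw in ("source-port", "destination-port"):
            setattr(rule, kw.replace("-", "_"), PORT_NAMES[tokens[i + 1]])
            i += 2
        else:
            raise ValueError(f"unknown keyword {kw!r}")
    if rule.source is None and rule.destination is None:
        # The command syntax marks the address pair with '*': at least one is required.
        raise ValueError("source-ip or destination-ip is required")
    return rule


@dataclass(frozen=True)
class DhcpPacket:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int


class Whitelist:
    """Named whitelist: matching packets go to the CPU, all others are forwarded."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.rules: List[PacketRule] = []
        self.hits: Dict[int, int] = {}          # rule_id -> matched packets

    def add_rule(self, rule: PacketRule) -> None:
        self.rules.append(rule)
        self.hits.setdefault(rule.rule_id, 0)

    def dispatch(self, pkt: DhcpPacket) -> str:
        for rule in self.rules:
            if rule.matches(pkt.src_ip, pkt.dst_ip, pkt.sport, pkt.dport):
                self.hits[rule.rule_id] += 1
                return "cpu"
        return "forward"
```

The rule from the configuration example (source 1.1.1.0/24 on bootps to destination 2.2.2.0/24 on bootpc) admits server-to-client traffic from that server subnet to the CPU; a packet with the ports reversed, or from another source subnet, is forwarded without being processed by the CPU.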

Checking the Configurations


After the configuration is complete, run the display dhcp snooping white-list
[ rule-id rule-id ] [ slot slot-id ] statistics command to check statistics about
packets matching a DHCP snooping whitelist rule.

1.1.4.10 Configuring DHCP Snooping Binding Table Maintenance


Dynamic Host Configuration Protocol (DHCP) snooping binding table
maintenance allows the device to delete, back up, and transfer the DHCP binding
table.

Applicable Environment
After DHCP snooping binding table maintenance is enabled, the device can
perform the following operations:


● When a client goes offline, the DHCP snooping binding entry for the client
needs to be updated. The update can be implemented by enabling client
online status detection or by deleting the DHCP snooping binding entry manually.
● If a client obtains an IP address and goes online from an interface, the device
creates a DHCP binding entry for the client. After DHCP snooping binding
table transfer is enabled, the DHCP binding entry can be applied on other
interfaces so that the client can go online from another interface.
● You can configure DHCP binding table backup to prevent the DHCP binding
table from being lost after the system is restarted.

Pre-configuration Tasks
Before you configure DHCP snooping binding table maintenance, enable DHCP
snooping and configure trusted interfaces.

1.1.4.10.1 Configuring DHCP Binding Table Update


The Dynamic Host Configuration Protocol (DHCP) binding table update function
contains the client online status detection function and the DHCP snooping
binding entry deletion function.

Usage Scenario
● If a client obtains an IP address and then goes offline abnormally, the client
cannot release the IP address by sending a DHCP release packet. To resolve this
problem, you can configure client online status detection. After client online
status detection is enabled, the system uses Address Resolution Protocol
(ARP) to probe the client periodically. If the client does not respond for the
specified number of probes, the system deletes the DHCP snooping binding entry
for the client and sends a release packet to the DHCP server to release the
client's IP address.
NOTE

This function can only be deployed on Layer 3 devices.


● A DHCP snooping binding entry can be deleted manually if required. You can
configure the client to send a release packet to the DHCP server to release the
client's IP address.

This function dynamically maintains the DHCP snooping binding table. You can
delete DHCP snooping binding entries based on virtual local area networks
(VLANs), interfaces, BDs, or IP addresses.

Procedure
● Configure client online status detection.
a. Run system-view
The system view is displayed.
b. Run arp dhcp-snooping-detect enable
Client online status detection is enabled.
c. Run commit

The configuration is committed.
● Configure DHCP snooping binding entry deletion in a BD.
Run reset user-bind dhcp snooping bridge-domain [ bd-id ]
The DHCP snooping binding entry in a BD is deleted.
● Configure dynamic DHCP snooping binding entry deletion.
a. Run system-view
The system view is displayed.
b. Run reset dhcp snooping bind-table [ vlan vlan-id [ interface interface-
type interface-number ] | bridge-domain bd-id | interface interface-type
interface-number | vpn-instance vpn-instance-name | public-net | ip-
address ip-address [ interface interface-type interface-number ] | vsi vsi-
name ] [ release ]
The dynamic DHCP snooping binding entry is deleted.
Using the release parameter, you can configure the client to send a
release packet to the DHCP server to release the client's IP address.
● Configure static DHCP snooping binding entry deletion.
a. Run system-view
The system view is displayed.
b. Run undo dhcp snooping bind-table static [ vlan vlan-id [ interface
interface-type interface-number ] | interface interface-type interface-
number | vsi vsi-name | ip-address ip-address | bridge-domain bd-id ]
The static DHCP snooping binding entry is deleted.
c. Run commit
The configuration is committed.

----End

1.1.4.11 Maintaining DHCP Snooping


This section describes how to delete statistics on Dynamic Host Configuration
Protocol (DHCP) snooping globally.

1.1.4.11.1 Resetting Statistics on the Number of Discarded DHCP Packets


This function allows the device to clear statistics on the number of discarded
Dynamic Host Configuration Protocol (DHCP) packets.

Usage Scenario
After the alarm functions are enabled, the system collects statistics on the number
of discarded DHCP packets. You can run the display dhcp snooping command to
view the statistics. To ensure accuracy, you can clear the existing statistics.


NOTICE

Statistics on discarded DHCP packets cannot be restored after you clear them.
Therefore, exercise caution before you clear the statistics.

Procedure
● Run the reset dhcp snooping statistics { vlan vlan-id [ interface interface-
type interface-number] | interface interface-type interface-number | bridge-
domain bd-id } command in the system view to clear statistics on the number
of discarded DHCP packets.

----End

1.1.4.11.2 Clearing Statistics About Packets Matching a DHCP Snooping Whitelist
Rule

This section describes how to clear statistics about packets matching a DHCP
snooping whitelist rule.

Usage Scenario
After the DHCP snooping whitelist function is configured, the system collects
statistics about packets matching DHCP snooping whitelists. You can run the
display dhcp snooping white-list [ rule-id rule-id ] [ slot slot-id ] statistics
command to check statistics about packets matching a DHCP snooping whitelist
rule. Before running the display command to check statistics about packets
matching a DHCP snooping whitelist rule, clear existing statistics.

NOTICE
The statistics about packets matching a DHCP snooping whitelist rule cannot be
restored after you clear them. Therefore, exercise caution before you clear the
statistics.

Procedure
Run the reset dhcp snooping white-list [ rule-id rule-id ] [ slot slot-id ]
statistics command in the system view to clear statistics about packets matching
a DHCP snooping whitelist rule.

1.1.4.12 Configuration Examples for DHCP Snooping


This section provides configuration examples for configurations related to
Dynamic Host Configuration Protocol (DHCP) snooping.

1.1.4.12.1 Example for Configuring DHCP Snooping for a Layer 2 Device


This section provides an example for configuring Dynamic Host Configuration
Protocol (DHCP) snooping for a Layer 2 device.


Networking Requirements
As shown in Figure 1-9, a DHCP client is connected to DeviceA through VLAN 10.
Configure DHCP snooping on the Layer 2 interfaces, GE1/0/0 and GE1/0/1, of
DeviceA. Configure the interfaces connecting to DHCP clients as untrusted
interfaces and the interface connecting to the DHCP relay as a trusted interface.
Configure DHCP snooping on DeviceA to prevent the following attacks:
● Bogus DHCP server attacks
● Man-in-the-middle attacks and IP/MAC address spoofing
● Denial of service (DoS) attacks by changing the CHADDR field value
● Attacks by sending bogus DHCP request packets for extending IP address
lease
DHCP client 1 uses a dynamic IP address, and DHCP client 2 uses a static IP
address.

NOTE

Interfaces 1 through 3 in this example represent GE 1/0/0, GE 1/0/1 and GE 1/0/2,
respectively.

Figure 1-9 Networking diagram for configuring DHCP snooping for a Layer 2
device

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping in the system view and a virtual local area network
(VLAN) view.
2. Configure trusted and untrusted interfaces to prevent bogus DHCP server
attacks.


3. Configure the DHCP snooping binding table so that the device can check ARP,
IP, and DHCP request packets to prevent man-in-the-middle attacks, IP/MAC
address spoofing, and attacks by sending bogus DHCP request packets for
extending IP address lease.
4. Enable CHADDR field check to prevent attacks that change CHADDR field
values in packets.
5. Configure Option 82 to create a binding table containing accurate interface
information.
6. Configure the device to report alarms to the Network Management System
(NMS).
7. (Optional) Configure the whitelist function for DHCP snooping.

Data Preparation
To complete the configuration, you need the following data:
● ID of the VLAN to which the interface belongs
● Static IP address to which packets can be forwarded
● Threshold of reporting alarms to the NMS

Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.
<HUAWEI> system-view
[~HUAWEI] sysname DeviceA
[*HUAWEI] commit
[~DeviceA] dhcp snooping enable

# Switch Layer 3 interfaces to Layer 2 interfaces.
[~DeviceA] interface gigabitethernet 1/0/0
[~DeviceA-GigabitEthernet1/0/0] portswitch
[*DeviceA-GigabitEthernet1/0/0] port default vlan 10
[*DeviceA-GigabitEthernet1/0/0] commit
[~DeviceA-GigabitEthernet1/0/0] quit
[~DeviceA] interface gigabitethernet 1/0/1
[~DeviceA-GigabitEthernet1/0/1] portswitch
[*DeviceA-GigabitEthernet1/0/1] port default vlan 10
[*DeviceA-GigabitEthernet1/0/1] commit
[~DeviceA-GigabitEthernet1/0/1] quit
[~DeviceA] interface gigabitethernet 1/0/2
[~DeviceA-GigabitEthernet1/0/2] portswitch
[*DeviceA-GigabitEthernet1/0/2] port default vlan 10
[*DeviceA-GigabitEthernet1/0/2] commit
[~DeviceA-GigabitEthernet1/0/2] quit

NOTE

If the interfaces are Layer 2 interfaces, skip this step.

# Enable DHCP snooping on the Layer 2 interfaces.
[~DeviceA] vlan 10
[*DeviceA-vlan10] port gigabitethernet 1/0/0
[*DeviceA-vlan10] dhcp snooping enable interface gigabitethernet 1/0/0
[*DeviceA-vlan10] port gigabitethernet 1/0/1
[*DeviceA-vlan10] dhcp snooping enable interface gigabitethernet 1/0/1


[*DeviceA-vlan10] port gigabitethernet 1/0/2
[*DeviceA-vlan10] dhcp snooping enable interface gigabitethernet 1/0/2
[*DeviceA-vlan10] commit
[~DeviceA-vlan10] quit

Step 2 Configure trusted interfaces.

# Configure the interface connecting to the DHCP server as a trusted interface,
and enable DHCP snooping on all the interfaces connecting to the DHCP client. (If
the interface on the client side is not configured as a trusted interface, the default
interface mode is untrusted after DHCP snooping is enabled on the interface.) This
prevents bogus DHCP server attacks.
[~DeviceA] vlan 10
[*DeviceA-vlan10] dhcp snooping trusted interface gigabitethernet 1/0/2
[*DeviceA-vlan10] commit
[~DeviceA-vlan10] quit

Step 3 Enable packet check and configure the DHCP snooping binding table.

# Configure the device to check Address Resolution Protocol (ARP) and IP packets
on the interface on the DHCP client side. This prevents man-in-the-middle attacks
and IP/MAC address spoofing.
[~DeviceA] vlan 10
[*DeviceA-vlan10] dhcp snooping check arp enable interface gigabitethernet 1/0/0
[*DeviceA-vlan10] dhcp snooping check arp enable interface gigabitethernet 1/0/1
[*DeviceA-vlan10] dhcp snooping check ip enable interface gigabitethernet 1/0/0
[*DeviceA-vlan10] dhcp snooping check ip enable interface gigabitethernet 1/0/1
[*DeviceA-vlan10] commit
[~DeviceA-vlan10] quit

# Configure the device to check DHCP request packets on the interface on the
DHCP client side. This prevents attacks in which the attacker sends bogus DHCP
request packets for extending IP address lease.
[~DeviceA] vlan 10
[*DeviceA-vlan10] dhcp snooping check dhcp-request enable interface gigabitethernet 1/0/0
[*DeviceA-vlan10] dhcp snooping check dhcp-request enable interface gigabitethernet 1/0/1
[*DeviceA-vlan10] commit
[~DeviceA-vlan10] quit

# Configure the device to check packets containing the CHADDR field on the
interface on the DHCP client side. This prevents DoS attacks in which the attacker
changes the CHADDR field value.
[~DeviceA] vlan 10
[*DeviceA-vlan10] dhcp check chaddr enable interface gigabitethernet 1/0/0
[*DeviceA-vlan10] dhcp check chaddr enable interface gigabitethernet 1/0/1
[*DeviceA-vlan10] commit
[~DeviceA-vlan10] quit

# Configure static DHCP snooping binding table entries.

For users using static IP addresses, static DHCP snooping binding table entries
must be manually configured.
[~DeviceA] vlan 10
[*DeviceA-vlan10] dhcp snooping bind-table static ip-address 10.1.3.1 mac-address 00e0-fc5e-008a interface gigabitethernet 1/0/1
[*DeviceA-vlan10] commit
[~DeviceA-vlan10] quit

Step 4 Configure Option 82 field insertion.


# Enable Option 82 field insertion to set up dynamic binding table entries with
accurate interface information.
[~DeviceA] vlan 10
[*DeviceA-vlan10] dhcp option82 insert enable interface gigabitethernet 1/0/0
[*DeviceA-vlan10] dhcp option82 insert enable interface gigabitethernet 1/0/1
[*DeviceA-vlan10] commit
[~DeviceA-vlan10] quit

NOTE

To configure a Layer 2 device to strip the Option 82 field before sending DHCP Relay
packets to the client, perform either of the following operations:
● Enable Option 82 field insertion on the interfaces connecting to the client and server.
● Enable DHCP snooping for the VLAN to which the interface connecting to the client
belongs, and configure this interface as a trusted interface.

Step 5 Configure the device to report alarms to the NMS.

# Enable alarm reporting to the NMS.
[~DeviceA] vlan 10
[*DeviceA-vlan10] dhcp snooping alarm dhcp-reply enable interface gigabitethernet 1/0/0
[*DeviceA-vlan10] dhcp snooping alarm dhcp-reply enable interface gigabitethernet 1/0/1
[*DeviceA-vlan10] dhcp snooping alarm arp enable interface gigabitethernet 1/0/0
[*DeviceA-vlan10] dhcp snooping alarm arp enable interface gigabitethernet 1/0/1
[*DeviceA-vlan10] dhcp snooping alarm ip enable interface gigabitethernet 1/0/1
[*DeviceA-vlan10] dhcp snooping alarm ip enable interface gigabitethernet 1/0/0
[*DeviceA-vlan10] dhcp snooping alarm dhcp-chaddr enable interface gigabitethernet 1/0/0
[*DeviceA-vlan10] dhcp snooping alarm dhcp-chaddr enable interface gigabitethernet 1/0/1
[*DeviceA-vlan10] dhcp snooping alarm dhcp-request enable interface gigabitethernet 1/0/0
[*DeviceA-vlan10] dhcp snooping alarm dhcp-request enable interface gigabitethernet 1/0/1
[*DeviceA-vlan10] commit
[~DeviceA-vlan10] quit

# Configure the alarm thresholds.
[~DeviceA] vlan 10
[*DeviceA-vlan10] dhcp snooping alarm dhcp-reply threshold 10 interface gigabitethernet 1/0/0
[*DeviceA-vlan10] dhcp snooping alarm dhcp-reply threshold 10 interface gigabitethernet 1/0/1
[*DeviceA-vlan10] dhcp snooping alarm arp threshold 10 interface gigabitethernet 1/0/0
[*DeviceA-vlan10] dhcp snooping alarm arp threshold 10 interface gigabitethernet 1/0/1
[*DeviceA-vlan10] dhcp snooping alarm ip threshold 10 interface gigabitethernet 1/0/0
[*DeviceA-vlan10] dhcp snooping alarm ip threshold 10 interface gigabitethernet 1/0/1
[*DeviceA-vlan10] dhcp snooping alarm dhcp-chaddr threshold 10 interface gigabitethernet 1/0/0
[*DeviceA-vlan10] dhcp snooping alarm dhcp-chaddr threshold 10 interface gigabitethernet 1/0/1
[*DeviceA-vlan10] dhcp snooping alarm dhcp-request threshold 10 interface gigabitethernet 1/0/0
[*DeviceA-vlan10] dhcp snooping alarm dhcp-request threshold 10 interface gigabitethernet 1/0/1
[*DeviceA-vlan10] commit
[~DeviceA-vlan10] quit

Step 6 (Optional) Configure the whitelist function for DHCP snooping.

# Create a whitelist.
[~DeviceA] dhcp snooping packet whitelist whitelist1

# Configure rules for the whitelist.
[*DeviceA-dhcpsnp-whitelist-whitelist1] dhcp packet-rule 1 source-ip 1.1.1.1 255.255.255.0 destination-ip 2.2.2.2 255.255.255.0 source-port bootps destination-port bootpc
[*DeviceA-dhcpsnp-whitelist-whitelist1] commit
[~DeviceA-dhcpsnp-whitelist-whitelist1] quit

# Apply the whitelist.
[~DeviceA] dhcp snooping apply packet whitelist whitelist1
[*DeviceA] commit


Step 7 Verify the configuration.

Run the display dhcp snooping global command on DeviceA. You can see that
DHCP snooping is enabled in the system view and interface view. You can also
view the statistics on the alarms sent to the NMS.
[~DeviceA] display dhcp snooping global
dhcp snooping enable
[~DeviceA] display dhcp snooping vlan 10 interface gigabitethernet 1/0/0
dhcp snooping enable interface GigabitEthernet1/0/0
dhcp snooping check arp enable interface GigabitEthernet1/0/0
dhcp snooping alarm arp enable interface GigabitEthernet1/0/0
dhcp snooping alarm arp threshold 10 interface gigabitethernet 1/0/0
dhcp snooping check ip enable interface GigabitEthernet1/0/0
dhcp snooping alarm ip enable interface GigabitEthernet1/0/0
dhcp snooping alarm ip threshold 10 interface gigabitethernet 1/0/0
dhcp snooping alarm dhcp-reply enable interface GigabitEthernet1/0/0
dhcp snooping alarm dhcp-reply threshold 10 interface GigabitEthernet1/0/0
dhcp check chaddr enable interface gigabitethernet 1/0/0
dhcp snooping alarm dhcp-chaddr enable interface GigabitEthernet1/0/0
dhcp snooping alarm dhcp-chaddr threshold 10 interface GigabitEthernet1/0/0
dhcp snooping check dhcp-request enable interface GigabitEthernet1/0/0
dhcp snooping alarm dhcp-request enable interface GigabitEthernet1/0/0
dhcp snooping alarm dhcp-request threshold 10 interface GigabitEthernet1/0/0
arp total 0
ip total 0
dhcp-request total 0
chaddr&src mac total 0
dhcp-reply total 0
[~DeviceA] display dhcp snooping vlan 10 interface gigabitethernet 1/0/1
dhcp snooping enable interface GigabitEthernet1/0/1
dhcp snooping check arp enable interface GigabitEthernet1/0/1
dhcp snooping alarm arp enable interface GigabitEthernet1/0/1
dhcp snooping alarm arp threshold 10 interface gigabitethernet 1/0/1
dhcp snooping check ip enable interface GigabitEthernet1/0/1
dhcp snooping alarm ip enable interface GigabitEthernet1/0/1
dhcp snooping alarm ip threshold 10 interface gigabitethernet 1/0/1
dhcp snooping alarm dhcp-reply enable interface GigabitEthernet1/0/1
dhcp snooping alarm dhcp-reply threshold 10 interface GigabitEthernet1/0/1
dhcp check chaddr enable interface GigabitEthernet1/0/1
dhcp snooping alarm dhcp-chaddr enable interface GigabitEthernet1/0/1
dhcp snooping alarm dhcp-chaddr threshold 10 interface GigabitEthernet1/0/1
dhcp snooping check dhcp-request enable interface GigabitEthernet1/0/1
dhcp snooping alarm dhcp-request enable interface GigabitEthernet1/0/1
dhcp snooping alarm dhcp-request threshold 10 interface GigabitEthernet1/0/1
arp total 0
ip total 0
dhcp-request total 0
chaddr&src mac total 0
dhcp-reply total 0
[~DeviceA] display dhcp snooping vlan 10 interface gigabitethernet 1/0/2
dhcp snooping enable interface GigabitEthernet1/0/2
dhcp snooping trusted interface GigabitEthernet1/0/2
arp total 0
ip total 0
dhcp-request total 0
chaddr&src mac total 0
dhcp-reply total 0
[~DeviceA] display dhcp snooping bind-table static
bind-table:
ifname vrf/vsi/bdid p/cvlan mac-address ip-address tp lease
-------------------------------------------------------------------------------
GE1/0/1 -- 0100/0000 00e0-fc5e-008a 010.001.003.001 S 0
-------------------------------------------------------------------------------
binditem count: 1 binditem total count: 1
[~DeviceA] display dhcp option82 vlan 10 interface gigabitethernet 1/0/0
dhcp option82 insert enable interface GigabitEthernet1/0/0
[~DeviceA] display dhcp option82 vlan 10 interface gigabitethernet 1/0/1
dhcp option82 insert enable interface GigabitEthernet1/0/1

----End

Configuration Files
#
sysname DeviceA
#
vlan batch 10
#
dhcp snooping enable
#
dhcp snooping packet whitelist whitelist1
dhcp packet-rule 1 source-ip 1.1.1.1 255.255.255.0 destination-ip 2.2.2.2 255.255.255.0 source-port bootps
destination-port bootpc
#
dhcp snooping apply packet whitelist whitelist1
#
vlan 10
dhcp snooping alarm dhcp-reply threshold 1000
dhcp check chaddr enable
dhcp snooping alarm dhcp-chaddr enable
dhcp snooping alarm dhcp-chaddr threshold 100
dhcp snooping check dhcp-request enable
dhcp snooping alarm dhcp-request enable
dhcp snooping alarm dhcp-request threshold 100
dhcp snooping enable interface GigabitEthernet1/0/0
dhcp snooping check arp enable interface GigabitEthernet1/0/0
dhcp snooping alarm arp enable interface GigabitEthernet1/0/0
dhcp snooping alarm arp threshold 10 interface GigabitEthernet1/0/0
dhcp snooping check ip enable interface GigabitEthernet1/0/0
dhcp snooping alarm ip enable interface GigabitEthernet1/0/0
dhcp snooping alarm ip threshold 10 interface GigabitEthernet1/0/0
dhcp snooping alarm dhcp-reply enable interface GigabitEthernet1/0/0
dhcp snooping alarm dhcp-reply threshold 10 interface GigabitEthernet1/0/0
dhcp check chaddr enable interface GigabitEthernet1/0/0
dhcp snooping alarm dhcp-chaddr enable interface GigabitEthernet1/0/0
dhcp snooping alarm dhcp-chaddr threshold 10 interface GigabitEthernet1/0/0
dhcp snooping check dhcp-request enable interface GigabitEthernet1/0/0
dhcp snooping alarm dhcp-request enable interface GigabitEthernet1/0/0
dhcp snooping alarm dhcp-request threshold 10 interface GigabitEthernet1/0/0
dhcp snooping enable interface GigabitEthernet1/0/1
dhcp snooping check arp enable interface GigabitEthernet1/0/1
dhcp snooping alarm arp enable interface GigabitEthernet1/0/1
dhcp snooping alarm arp threshold 10 interface GigabitEthernet1/0/1
dhcp snooping check ip enable interface GigabitEthernet1/0/1
dhcp snooping alarm ip enable interface GigabitEthernet1/0/1
dhcp snooping alarm ip threshold 10 interface GigabitEthernet1/0/1
dhcp snooping alarm dhcp-reply enable interface GigabitEthernet1/0/1
dhcp snooping alarm dhcp-reply threshold 10 interface GigabitEthernet1/0/1
dhcp check chaddr enable interface GigabitEthernet1/0/1
dhcp snooping alarm dhcp-chaddr enable interface GigabitEthernet1/0/1
dhcp snooping alarm dhcp-chaddr threshold 10 interface GigabitEthernet1/0/1
dhcp snooping check dhcp-request enable interface GigabitEthernet1/0/1
dhcp snooping alarm dhcp-request enable interface GigabitEthernet1/0/1
dhcp snooping alarm dhcp-request threshold 10 interface GigabitEthernet1/0/1
dhcp snooping enable interface GigabitEthernet1/0/2
dhcp snooping trusted interface GigabitEthernet1/0/2
dhcp check chaddr enable interface GigabitEthernet1/0/2
dhcp snooping bind-table static ip-address 10.1.3.1 mac-address 00e0-fc5e-008a interface gigabitethernet
1/0/1
dhcp option82 insert enable interface GigabitEthernet1/0/0
dhcp option82 insert enable interface GigabitEthernet1/0/1
dhcp option82 insert enable interface GigabitEthernet1/0/2
port gigabitethernet 1/0/0
port gigabitethernet 1/0/1
port gigabitethernet 1/0/2
#
interface GigabitEthernet1/0/0
undo shutdown
portswitch
port default vlan 10
#
interface GigabitEthernet1/0/1
undo shutdown
portswitch
port default vlan 10
#
interface GigabitEthernet1/0/2
undo shutdown
portswitch
port default vlan 10
#
return

1.1.4.12.2 Example for Configuring DHCP Snooping for a Layer 3 Device


This section provides an example for configuring Dynamic Host Configuration
Protocol (DHCP) snooping for a Layer 3 device.

Networking Requirements
As shown in Figure 1-10, DHCP clients are connected to DHCP relay through the
switch. Configure DHCP snooping on the Layer 3 interfaces, GE1/0/0 and GE1/0/1,
of the DHCP relay. Configure the interfaces connecting to DHCP clients as
untrusted interfaces and the interface connecting to the DHCP relay as a trusted
interface.
If a user abnormally logs out after obtaining an IP address, the system
automatically detects this fault, deletes the entry in the DHCP binding table, and
instructs the DHCP server to release the IP address.
Configure DHCP snooping on the DHCP relay to prevent the following attacks:
● Bogus DHCP server attacks
● Man-in-the-middle attacks and IP/MAC address spoofing
● Denial of service (DoS) attacks by changing the CHADDR field value
● Attacks by sending bogus DHCP request packets for extending IP lease
● Attacks by sending the DHCP request packets
DHCP client 1 uses a dynamic IP address, and DHCP client 2 uses a static IP
address.

Figure 1-10 Networking diagram for configuring DHCP snooping for a Layer 3
device
NOTE

Interfaces 1 and 2 in this example represent GE 1/0/0 and GE 2/0/0, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping in the system view and an interface view.
2. Configure trusted and untrusted interfaces to prevent bogus DHCP server
attacks.
3. Configure the DHCP snooping binding table so that the device can check ARP,
IP, and DHCP request packets to prevent man-in-the-middle attacks, IP/MAC
address spoofing, and attacks by sending bogus DHCP request packets for
extending IP address lease.
4. Enable CHADDR field check to prevent attacks that change CHADDR field
values in packets.
5. Configure Option 82 to create a binding table containing accurate interface
information.
6. Configure the device to report alarms to the Network Management System
(NMS).
7. (Optional) Configure the whitelist function for DHCP snooping.

Data Preparation
To complete the configuration, you need the following data:
● ID of the virtual local area network (VLAN) to which the interface belongs
● Threshold of reporting alarms to the NMS

Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally and for the interface.
<HUAWEI> system-view
[~HUAWEI] sysname DHCP-relay
[*HUAWEI] commit
[~DHCP-relay] dhcp snooping enable
[~DHCP-relay] interface gigabitethernet 1/0/0
[~DHCP-relay-GigabitEthernet1/0/0] dhcp snooping enable
[*DHCP-relay-GigabitEthernet1/0/0] quit
[*DHCP-relay] interface gigabitethernet 1/0/1
[*DHCP-relay-GigabitEthernet1/0/1] dhcp snooping enable
[*DHCP-relay-GigabitEthernet1/0/1] commit
[~DHCP-relay-GigabitEthernet1/0/1] quit

Step 2 Configure trusted interfaces.

# Configure the interface connecting to the DHCP server as a trusted interface,
and enable DHCP snooping on all the interfaces connecting to DHCP clients. (An
interface on the client side that is not configured as trusted is untrusted by
default once DHCP snooping is enabled on it.) This prevents bogus DHCP server
attacks.
[~DHCP-relay] interface gigabitethernet 1/0/1
[*DHCP-relay-GigabitEthernet1/0/1] dhcp snooping trusted
[*DHCP-relay-GigabitEthernet1/0/1] commit
[~DHCP-relay-GigabitEthernet1/0/1] quit

Step 3 Enable packet check and configure the DHCP snooping binding table.

# Configure the device to check Address Resolution Protocol (ARP) and IP packets
on the interface on the DHCP client side. This prevents man-in-the-middle attacks
and IP/MAC address spoofing.
[~DHCP-relay] interface gigabitethernet 1/0/0
[~DHCP-relay-GigabitEthernet1/0/0] dhcp snooping check arp enable
[*DHCP-relay-GigabitEthernet1/0/0] dhcp snooping check ip enable
[*DHCP-relay-GigabitEthernet1/0/0] commit
[~DHCP-relay-GigabitEthernet1/0/0] quit

# Configure the device to check DHCP request packets on the interface on the
DHCP client side. This prevents attacks in which the attacker sends bogus DHCP
request packets for extending IP address lease.
[~DHCP-relay] interface gigabitethernet 1/0/0
[~DHCP-relay-GigabitEthernet1/0/0] dhcp snooping check dhcp-request enable
[*DHCP-relay-GigabitEthernet1/0/0] commit
[~DHCP-relay-GigabitEthernet1/0/0] quit

# Configure the device to check packets containing the CHADDR field on the
interface on the DHCP client side. This prevents DoS attacks in which the attacker
changes the CHADDR field value.
[~DHCP-relay] interface gigabitethernet 1/0/0
[~DHCP-relay-GigabitEthernet1/0/0] dhcp check chaddr enable
[*DHCP-relay-GigabitEthernet1/0/0] commit
[~DHCP-relay-GigabitEthernet1/0/0] quit

# Configure static DHCP snooping binding table entries.

For users using static IP addresses, static DHCP snooping binding table entries
must be manually configured.
[~DHCP-relay] interface gigabitethernet 1/0/0
[~DHCP-relay-GigabitEthernet1/0/0] dhcp snooping bind-table static ip-address 10.1.3.1 mac-address
00e0-fc5e-008a
[*DHCP-relay-GigabitEthernet1/0/0] commit
[~DHCP-relay-GigabitEthernet1/0/0] quit

Step 4 Configure Option 82 field insertion.
# Enable Option 82 field insertion to set up dynamic binding table entries with
accurate interface information.
[~DHCP-relay] interface gigabitethernet 1/0/0
[*DHCP-relay-GigabitEthernet1/0/0] dhcp option82 insert enable
[*DHCP-relay-GigabitEthernet1/0/0] commit
[~DHCP-relay-GigabitEthernet1/0/0] quit

Step 5 Configure the device to report alarms to the NMS.
# Enable alarm reporting to the NMS.
[~DHCP-relay] interface gigabitethernet 1/0/0
[~DHCP-relay-GigabitEthernet1/0/0] dhcp snooping alarm dhcp-reply enable
[*DHCP-relay-GigabitEthernet1/0/0] dhcp snooping alarm arp enable
[*DHCP-relay-GigabitEthernet1/0/0] dhcp snooping alarm ip enable
[*DHCP-relay-GigabitEthernet1/0/0] dhcp snooping alarm dhcp-chaddr enable
[*DHCP-relay-GigabitEthernet1/0/0] dhcp snooping alarm dhcp-request enable
[*DHCP-relay-GigabitEthernet1/0/0] commit
[~DHCP-relay-GigabitEthernet1/0/0] quit

# Configure the alarm thresholds.
[~DHCP-relay] interface gigabitethernet 1/0/0
[~DHCP-relay-GigabitEthernet1/0/0] dhcp snooping alarm dhcp-reply threshold 10
[*DHCP-relay-GigabitEthernet1/0/0] dhcp snooping alarm arp threshold 10
[*DHCP-relay-GigabitEthernet1/0/0] dhcp snooping alarm ip threshold 10
[*DHCP-relay-GigabitEthernet1/0/0] dhcp snooping alarm dhcp-chaddr threshold 10
[*DHCP-relay-GigabitEthernet1/0/0] dhcp snooping alarm dhcp-request threshold 10
[*DHCP-relay-GigabitEthernet1/0/0] commit
[~DHCP-relay-GigabitEthernet1/0/0] quit

Step 6 Configure the DHCP binding table update function.
# The system performs ARP probing on the IP addresses whose aging time expires
in DHCP snooping entries and that do not exist in ARP entries. If the system fails
to detect the user after the specified number of attempts, it removes the
corresponding binding relationship in the DHCP snooping binding table and
instructs the DHCP server to release the user's IP address.
[~DHCP-relay] arp dhcp-snooping-detect enable
[*DHCP-relay] commit

Step 7 (Optional) Configure the whitelist function for DHCP snooping.
# Create a whitelist.
[~DHCP-relay] dhcp snooping packet whitelist whitelist1

# Configure rules for the whitelist.
[*DHCP-relay-dhcpsnp-whitelist-whitelist1] dhcp packet-rule 1 source-ip 10.1.2.2 255.255.255.0
destination-ip 10.1.1.2 255.255.255.0 source-port bootpc destination-port bootps
[*DHCP-relay-dhcpsnp-whitelist-whitelist1] commit
[~DHCP-relay-dhcpsnp-whitelist-whitelist1] quit

# Apply the whitelist.
[~DHCP-relay] dhcp snooping apply packet whitelist whitelist1
[*DHCP-relay] commit
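To show what the whitelist rule configured above actually matches, here is an added Python example written for this page (it is not Huawei code). RULE_1 carries the values from the dhcp packet-rule command, the packets are constructed, and in_masked_range, rule_matches and classify are this example's own names; it models only the rule's address-mask and port matching, not how the device treats matched packets.

```python
# Added example (not Huawei code): evaluate a DHCP snooping whitelist packet rule.
import ipaddress

PORTS = {"bootps": 67, "bootpc": 68}   # BOOTP/DHCP server and client UDP ports

# Values from 'dhcp packet-rule 1 source-ip 10.1.2.2 255.255.255.0 destination-ip
# 10.1.1.2 255.255.255.0 source-port bootpc destination-port bootps'.
RULE_1 = {
    "source_ip": "10.1.2.2", "source_mask": "255.255.255.0",
    "destination_ip": "10.1.1.2", "destination_mask": "255.255.255.0",
    "source_port": "bootpc", "destination_port": "bootps",
}


def in_masked_range(addr, base, mask):
    """True if addr falls inside the range described by base address + netmask."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{base}/{mask}", strict=False)


def rule_matches(rule, pkt):
    """Apply both address masks and both port keywords to one UDP packet."""
    return (in_masked_range(pkt["src_ip"], rule["source_ip"], rule["source_mask"])
            and in_masked_range(pkt["dst_ip"], rule["destination_ip"], rule["destination_mask"])
            and pkt["src_port"] == PORTS[rule["source_port"]]
            and pkt["dst_port"] == PORTS[rule["destination_port"]])


# Constructed sample packets.
PACKETS = [
    {"src_ip": "10.1.2.2", "dst_ip": "10.1.1.2", "src_port": 68, "dst_port": 67},   # the configured host
    {"src_ip": "10.1.2.77", "dst_ip": "10.1.1.2", "src_port": 68, "dst_port": 67},  # another host in the /24
    {"src_ip": "10.1.1.2", "dst_ip": "10.1.2.2", "src_port": 67, "dst_port": 68},   # reply direction
    {"src_ip": "10.1.9.5", "dst_ip": "10.1.1.2", "src_port": 68, "dst_port": 67},   # outside the mask
]


def classify(packets, rules=(RULE_1,)):
    """Return 'match' or 'no-match' for each packet against the rule set."""
    return ["match" if any(rule_matches(r, p) for r in rules) else "no-match" for p in packets]
```

The second packet matches even though its source is 10.1.2.77: the 255.255.255.0 mask makes the rule cover all of 10.1.2.0/24, not just the host 10.1.2.2 written in the command, so a rule meant for one host should use a mask that narrows it to that host. The reply-direction packet does not match because the rule is written for client-to-server traffic only.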

Step 8 Verify the configuration.
Run the display dhcp snooping global command on the DHCP relay. You can see
that DHCP snooping is enabled in the system view and interface view. You can
also view the statistics on the alarms sent to the NMS.

[~DHCP-relay] display dhcp snooping global
dhcp snooping enable
[~DHCP-relay] display dhcp snooping interface gigabitethernet 1/0/0
dhcp snooping enable
dhcp snooping check arp enable
dhcp snooping alarm arp enable
dhcp snooping alarm arp threshold 10
dhcp snooping check ip enable
dhcp snooping alarm ip enable
dhcp snooping alarm ip threshold 10
dhcp snooping alarm dhcp-reply enable
dhcp snooping alarm dhcp-reply threshold 10
dhcp check chaddr enable
dhcp snooping alarm dhcp-chaddr enable
dhcp snooping alarm dhcp-chaddr threshold 10
dhcp snooping alarm dhcp-request enable
dhcp snooping alarm dhcp-request threshold 10
arp total 0
ip total 0
dhcp-request total 0
chaddr&src mac total 0
dhcp-reply total 0
[~DHCP-relay] display dhcp snooping interface gigabitethernet 1/0/1
dhcp snooping enable
dhcp snooping trusted
arp total 0
ip total 0
dhcp-request total 0
chaddr&src mac total 0
dhcp-reply total 0
[~DHCP-relay] display dhcp snooping bind-table static
bind-table:
ifname vrf/vsi/bdid p/cvlan mac-address ip-address tp lease
-------------------------------------------------------------------------------
GE1/0/0 -- 0000/0000 00e0-fc5e-008a 010.001.003.001 S 0
-------------------------------------------------------------------------------
binditem count: 1 binditem total count: 1
[~DHCP-relay] display dhcp option82 interface gigabitethernet 1/0/0
dhcp option82 insert enable

----End
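For the verification step just shown, this added Python script (written for this page, not part of the Huawei guide) parses pasted display dhcp snooping interface output into per-interface records and flags what a defender would want to look at: a trusted flag on a port that does not face the DHCP server, an untrusted port with no packet checks, drop counters above the configured alarm threshold, and any dropped DHCP replies on an untrusted port (replies should only ever arrive from the server side). The line formats are the ones in the output above; the non-zero counters in the sample are constructed, and parse_display, audit, run_sample and the server_facing parameter are names of this example.

```python
# Added example (not Huawei code): audit pasted 'display dhcp snooping interface' output.
import re
from dataclasses import dataclass, field

# First line of each block, e.g. "[~DHCP-relay] display dhcp snooping interface gigabitethernet 1/0/0".
HEADER_RE = re.compile(r"^\[[~*][^\]]*\] display dhcp snooping interface (\S+) (\S+)$")
CHECK_RE = re.compile(r"^dhcp snooping check (\S+) enable$")
ALARM_ENABLE_RE = re.compile(r"^dhcp snooping alarm (\S+) enable$")
ALARM_THRESHOLD_RE = re.compile(r"^dhcp snooping alarm (\S+) threshold (\d+)$")
COUNTER_RE = re.compile(r"^(arp|ip|dhcp-request|chaddr&src mac|dhcp-reply) total (\d+)$")
# Drop counter -> alarm keyword whose threshold governs it.
COUNTER_TO_ALARM = {"arp": "arp", "ip": "ip", "dhcp-request": "dhcp-request",
                    "chaddr&src mac": "dhcp-chaddr", "dhcp-reply": "dhcp-reply"}


@dataclass
class SnoopingInterface:
    name: str
    enabled: bool = False
    trusted: bool = False
    checks: set = field(default_factory=set)    # enabled packet checks (arp, ip, chaddr, ...)
    alarms: dict = field(default_factory=dict)  # alarm keyword -> threshold, None if enabled without one
    drops: dict = field(default_factory=dict)   # counter name -> dropped packets


def parse_display(text):
    """Split pasted output into one record per interface, keyed by its config-file name."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            itype = "GigabitEthernet" if m.group(1).lower() == "gigabitethernet" else m.group(1)
            cur = ifaces.setdefault(itype + m.group(2), SnoopingInterface(itype + m.group(2)))
        elif cur is None:
            continue
        elif line == "dhcp snooping enable":
            cur.enabled = True
        elif line == "dhcp snooping trusted":
            cur.trusted = True
        elif line == "dhcp check chaddr enable":   # the CHADDR check has its own keyword
            cur.checks.add("chaddr")
        elif (m := CHECK_RE.match(line)):
            cur.checks.add(m.group(1))
        elif (m := ALARM_THRESHOLD_RE.match(line)):
            cur.alarms[m.group(1)] = int(m.group(2))
        elif (m := ALARM_ENABLE_RE.match(line)):
            cur.alarms.setdefault(m.group(1), None)
        elif (m := COUNTER_RE.match(line)):
            cur.drops[m.group(1)] = int(m.group(2))
    return ifaces


def audit(ifaces, server_facing, global_threshold=None):
    """Return findings a defender should act on; server_facing names the trusted uplink(s)."""
    findings = []
    for name, itf in sorted(ifaces.items()):
        if itf.trusted and name not in server_facing:
            findings.append(f"{name}: trusted, but it does not face the DHCP server")
        if not itf.trusted and not itf.checks:
            findings.append(f"{name}: untrusted interface with no packet checks enabled")
        for counter, dropped in itf.drops.items():
            if dropped == 0:
                continue
            # Prefer the interface threshold; fall back to a global one only if the caller gives it.
            threshold = itf.alarms.get(COUNTER_TO_ALARM[counter])
            if threshold is None:
                threshold = global_threshold
            if counter == "dhcp-reply" and not itf.trusted:
                # Server replies should never enter on a client-facing port: bogus-server indicator.
                findings.append(f"{name}: {dropped} DHCP replies dropped on an untrusted interface")
            elif threshold is not None and dropped > threshold:
                findings.append(f"{name}: {dropped} {counter} packets dropped, above alarm threshold {threshold}")
    return findings


# Constructed sample in the output format shown above; the non-zero counters are made up.
SAMPLE = """\
[~DHCP-relay] display dhcp snooping interface gigabitethernet 1/0/0
dhcp snooping enable
dhcp snooping check arp enable
dhcp snooping check ip enable
dhcp snooping alarm ip enable
dhcp snooping alarm ip threshold 10
dhcp snooping alarm dhcp-reply enable
dhcp check chaddr enable
arp total 0
ip total 37
dhcp-request total 0
chaddr&src mac total 0
dhcp-reply total 3
[~DHCP-relay] display dhcp snooping interface gigabitethernet 1/0/1
dhcp snooping enable
dhcp snooping trusted
arp total 0
ip total 0
dhcp-request total 0
chaddr&src mac total 0
dhcp-reply total 0
"""


def run_sample():
    """Audit the constructed sample with GE1/0/1 as the server-facing interface."""
    return audit(parse_display(SAMPLE), server_facing={"GigabitEthernet1/0/1"})
```

On the sample, run_sample() reports two findings for GigabitEthernet1/0/0: 37 dropped IP packets above the threshold of 10, and 3 dropped DHCP replies on an untrusted port. The second one is reported regardless of any threshold, because a DHCP reply entering on a client-facing port is exactly the bogus DHCP server case the trusted/untrusted split exists to catch.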

Configuration Files
#
sysname DHCP-relay
#
dhcp snooping enable
arp dhcp-snooping-detect enable
#
dhcp snooping packet whitelist whitelist1
dhcp packet-rule 1 source-ip 10.1.2.2 255.255.255.0 destination-ip 10.1.1.2 255.255.255.0 source-port
bootpc destination-port bootps
#
dhcp snooping apply packet whitelist whitelist1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.2.1 255.255.255.0
dhcp select relay
ip relay address 10.1.1.2
dhcp snooping enable
dhcp snooping check arp enable
dhcp snooping alarm arp enable
dhcp snooping alarm arp threshold 10
dhcp snooping check ip enable
dhcp snooping alarm dhcp-reply enable
dhcp snooping alarm dhcp-reply threshold 10
dhcp check chaddr enable
dhcp snooping alarm dhcp-chaddr enable
dhcp snooping alarm dhcp-chaddr threshold 10
dhcp snooping alarm dhcp-request enable
dhcp snooping alarm dhcp-request threshold 10
dhcp snooping bind-table static ip-address 10.1.3.1 mac-address 00e0-fc5e-008a
dhcp option82 insert enable
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.1.1.1 255.255.255.0
dhcp snooping enable
dhcp snooping trusted
#
return

1.1.5 DHCPv6 Snooping Configuration

1.1.5.1 Overview of DHCPv6 Snooping


This section describes the basic concepts of DHCPv6 snooping.

DHCPv6 snooping is a DHCPv6 security feature that establishes and maintains a
DHCPv6 snooping binding table that records information about DHCPv6 clients by
intercepting DHCPv6 packets between a DHCPv6 server and the DHCPv6 clients.
Such a binding table contains user information such as the MAC address, IPv6
address, lease, VLAN ID, and interface information. Based on this table, the device
analyzes and processes packets and filters out attack packets, providing security
services for DHCPv6.

1.1.5.2 Feature Requirements for DHCPv6 Snooping

1.1.5.3 Configuring IPv6/MAC Spoofing Attack Defense


This section describes how to configure the IPv6 packet check function, a static
binding table, and a policy for detecting IPv6 packets to prevent IPv6/MAC
spoofing attacks against a DHCPv6 server.

Usage Scenario
When an IPv6/MAC spoofing attack occurs on a network, the attacker forges a
DHCPv6 client, so the DHCPv6 server incorrectly treats all packets exchanged with
the attacker as packets sent to or received from that client, even though they
have been tampered with. In this way, the attacker can obtain data from the
DHCPv6 server.

To prevent IPv6/MAC spoofing attacks, you can configure DHCPv6 snooping on a
device. The device then forwards a packet only when the information in the packet
matches an entry in the DHCPv6 snooping binding table. Otherwise, the device
discards the packet.

Pre-configuration Tasks
Before configuring IPv6/MAC spoofing attack defense on a Layer 3 device,
complete the following task:

● Configure DHCPv6 snooping.

1.1.5.3.1 Enabling DHCPv6 Snooping


Before configuring DHCPv6 snooping, you must enable DHCPv6 snooping.

Context
Enable DHCPv6 snooping in the following sequence:

1. Enable DHCPv6 snooping globally.
2. Enable DHCPv6 snooping on an interface.

Procedure
1. Run the system-view command to enter the system view.
2. Run the dhcpv6 snooping enable command to enable DHCPv6 snooping
globally.
3. Run the interface interface-type interface-number command to enter the
interface view.
4. Run the dhcpv6 snooping enable command to enable DHCPv6 snooping on
the interface.

1.1.5.3.2 Enabling the Packet Check Function


To prevent IPv6/MAC spoofing attacks on a device, you can enable the packet
check function on the device. Upon receipt of an IPv6 packet, the device checks
whether the source IPv6 address and source MAC address of the IPv6 packet
match an entry in the DHCPv6 snooping binding table.

Context
After DHCPv6 snooping is enabled, binding entries are automatically generated
when DHCPv6 users go online. If DHCPv6 users are statically assigned IPv6
addresses, you need to manually configure static binding entries for the users.

Procedure
1. Run the system-view command to enter the system view.
2. Run the interface interface-type interface-number command to enter the
interface view.
3. Run the dhcpv6 snooping check ipv6 enable command to enable the IPv6
packet check function on the interface.
4. Run the commit command to commit the configuration.

1.1.5.3.3 (Optional) Configuring a DHCPv6 Snooping Binding Table


After DHCPv6 snooping is enabled, dynamic DHCPv6 snooping binding entries are
automatically generated when users go online. Static DHCPv6 snooping binding
entries need to be manually configured.

Context
NOTE

Both the static IPv6 addresses and the IPv6 addresses statically assigned to users refer to
the IPv6 addresses manually configured on clients. Static users are those who use static
IPv6 addresses.

If the IPv6 addresses assigned to users are static IPv6 addresses, you can configure
static binding entries for these addresses to prevent unauthorized users from
using the static IPv6 addresses. If there are a large number of static IPv6
users, a static binding entry must be configured for each static IPv6 address;
otherwise, unauthorized users who attempt to use the static IPv6 addresses
cannot be isolated.

Dynamic entries in a DHCPv6 snooping binding table do not need to be
configured. Instead, they are automatically generated after DHCPv6 snooping is
enabled. Static entries, however, need to be configured using commands.

● For the IPv6 address dynamically assigned to a user, the device automatically
learns the user's MAC address and generates a binding entry. In this case, no
binding entry needs to be configured.
● For the IPv6 address statically assigned to a user, the device cannot
automatically generate a binding entry. Therefore, you need to manually
configure a binding entry for the user.

If no binding entries are created for static users, the following situations may
occur:
● All static users can access the DHCPv6 server normally. This is the default
setting for the device.
● No static user can access the DHCPv6 server.

If an interface enabled with the packet check function receives an IPv6 packet, the
interface matches the source IPv6 address and source MAC address of the IPv6
packet against the DHCPv6 snooping binding table to check the MAC address,
IPv6 address, interface information, and VLAN ID. If no entry is matched, the
packet is discarded. If an entry is completely matched, the packet is properly
forwarded.

Procedure
● Configure a static DHCPv6 snooping binding entry on an interface.
a. Run the system-view command to enter the system view.
b. Run the interface interface-type interface-number command to enter the
interface view.
c. Run the dhcpv6 snooping bind-table static { ipv6-address ipv6-address
[ mac-address mac-address ] | ipv6-prefix ipv6-prefix-mask } [ vlan
vlan-id [ ce-vlan ce-vlanid ] ] command to configure a static entry for
the mapping between the IPv6 address, MAC address, and VLAN ID.
d. Run the commit command to commit the configuration.
● Back up the DHCPv6 snooping binding table.
a. Run the system-view command to enter the system view.
b. Run the dhcpv6 snooping bind-table autosave enable command to
back up the DHCPv6 snooping binding table.
Once configured, the system backs up the binding entries in a specified
backup path at an interval of 30 minutes or after 4096 entries are
dynamically generated.
c. (Optional) Run the dhcpv6 snooping database authentication-mode
command to configure a file integrity check mode for the binding table.
d. Run the commit command to commit the configuration.

1.1.5.3.4 (Optional) Configuring a Policy for Checking Invalid IPv6 Packets


When an IPv6/MAC spoofing attack occurs in a DHCPv6 scenario, you can
configure the IPv6 packet check function to allow the device to check whether the
source IPv6 address and source MAC address in an IPv6 packet match an entry in
the DHCPv6 snooping binding table.

Context
The policy for checking IPv6 packets based on the DHCPv6 snooping binding table
can be classified as a discard policy or forward policy.
● Discard policy: If no matching entry is found in the DHCPv6 snooping binding
table based on the source IPv6 address, prefix, VLAN ID, and VPN information
in an IPv6 packet, the IPv6 packet is discarded. If a matching entry is found in
the DHCPv6 snooping binding table based on the source IPv6 address, prefix,
VLAN ID, and VPN information in the IPv6 packet but the source MAC address
and interface information in the IPv6 packet do not match this entry, the IPv6
packet is also discarded.
● Forward policy: If no matching entry is found in the DHCPv6 snooping binding
table based on the source IPv6 address, prefix, VLAN ID, and VPN information
in an IPv6 packet, the packet can be properly forwarded. If a matching entry
is found in the DHCPv6 snooping binding table based on the source IPv6
address, prefix, VLAN ID, and VPN information in the IPv6 packet but the
source MAC address and interface information in the IPv6 packet do not
match this entry, the IPv6 packet is discarded.

Procedure
● Configure a policy for checking invalid IPv6 packets in the system view.
a. Run the system-view command to enter the system view.
b. Run the dhcpv6 snooping nomatch-packet ipv6 action forward
command to configure a forward policy for checking IPv6 packets based
on the DHCPv6 snooping binding table.
c. Run the commit command to commit the configuration.
● Configure a policy for checking invalid IPv6 packets in the interface view.
a. Run the system-view command to enter the system view.
b. Run the interface interface-type interface-number command to enter the
interface view.
c. Run the dhcpv6 snooping nomatch-packet ipv6 action forward
command to configure a forward policy for checking IPv6 packets based
on the DHCPv6 snooping binding table on the interface.
d. Run the commit command to commit the configuration.

1.1.5.3.5 (Optional) Configuring the Alarm Function for IPv6/MAC Spoofing Attacks

This section describes how to configure the device to generate an alarm when the
number of discarded IPv6/MAC spoofing attack packets reaches the specified
threshold.

Context
After a DHCPv6 snooping binding table is configured, if the information in an IPv6
packet under an IPv6/MAC spoofing attack is inconsistent with that in the binding
table, the IPv6 packet will be discarded. You can also configure an alarm threshold
for discarding packets. An alarm is generated when the number of discarded
packets exceeds the specified threshold.

Procedure
1. Run the system-view command to enter the system view.
2. Run the interface interface-type interface-number command to enter the
interface view.
3. Run the dhcpv6 snooping check ipv6 enable command to enable the IPv6
packet check function on the interface.
4. Run the dhcpv6 snooping alarm ipv6 enable command to enable the alarm
function for IPv6/MAC spoofing attacks on the interface.
5. (Optional) Run the dhcpv6 snooping alarm ipv6 threshold threshold-value
command to set an alarm threshold for discarding IPv6 packets on the
interface.
NOTE

Alternatively, you can run the dhcpv6 snooping alarm threshold threshold-value
command in the system view to set a global alarm threshold for IPv6 packet
discarding.
If the alarm function for discarding IPv6 packets has been enabled on an interface but
no alarm threshold is configured on the interface, the alarm threshold configured in
the system view is used. If an alarm threshold is configured both globally and on the
interface, the alarm threshold configured on the interface is used.
6. Run the commit command to commit the configuration.
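To make the two-stage match in 1.1.5.3.4 (source address or prefix, VLAN ID and VPN first, then MAC address and interface) and the threshold rule in 1.1.5.3.5 (an interface threshold overrides the global one) concrete, the following added Python model, written for this page and not Huawei code, runs constructed packets through a binding table under both the discard and the forward policy and counts drops per interface. The static entry reuses the address and MAC from the example in this chapter; the other entries, the packets, and the names Ipv6Checker, BindEntry, Packet and run_scenario are this example's own.

```python
# Added example (not Huawei code): model of the DHCPv6 snooping IPv6 packet check,
# the nomatch policy and the alarm threshold. Entries and packets are constructed.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class BindEntry:
    ipv6: str                  # host address ("2001:db8:1::1") or prefix ("2001:db8:5::/64")
    interface: str
    mac: Optional[str] = None  # prefix entries carry no MAC
    vlan: int = 0
    vpn: str = ""


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    interface: str
    vlan: int = 0
    vpn: str = ""


@dataclass
class Ipv6Checker:
    entries: list
    nomatch_action: str = "discard"                            # system-view policy
    iface_nomatch_action: dict = field(default_factory=dict)   # interface-view override
    alarm_ifaces: set = field(default_factory=set)             # interfaces with 'alarm ipv6 enable'
    global_threshold: Optional[int] = None                     # 'dhcpv6 snooping alarm threshold'
    iface_threshold: dict = field(default_factory=dict)        # 'alarm ipv6 threshold' per interface
    drops: dict = field(default_factory=dict)
    alarms: list = field(default_factory=list)

    def _lookup(self, pkt):
        """Stage 1: find an entry by source address or prefix, VLAN ID and VPN."""
        addr = ipaddress.ip_address(pkt.src_ip)
        for e in self.entries:
            if (e.vlan, e.vpn) == (pkt.vlan, pkt.vpn) and addr in ipaddress.ip_network(e.ipv6, strict=False):
                return e
        return None

    def check(self, pkt):
        """Return 'forward' or 'discard' for one packet and update drop and alarm state."""
        entry = self._lookup(pkt)
        if entry is None:
            # No entry at all: only here does the forward policy change the outcome.
            action = self.iface_nomatch_action.get(pkt.interface, self.nomatch_action)
            verdict = "forward" if action == "forward" else "discard"
        elif entry.interface != pkt.interface or (entry.mac is not None and entry.mac != pkt.src_mac):
            verdict = "discard"   # Stage 2: entry found, but MAC or interface disagrees
        else:
            verdict = "forward"
        if verdict == "discard":
            self._count_drop(pkt.interface)
        return verdict

    def _count_drop(self, iface):
        n = self.drops[iface] = self.drops.get(iface, 0) + 1
        if iface not in self.alarm_ifaces:
            return
        # The interface threshold wins; the global one applies only where none is set.
        threshold = self.iface_threshold.get(iface, self.global_threshold)
        if threshold is not None and n == threshold + 1:   # raise once, when the threshold is exceeded
            self.alarms.append((iface, n))


ENTRIES = [
    BindEntry("2001:db8:1::1", "GE1/0/0", mac="00e0-fc12-3456"),   # static user from the example
    BindEntry("2001:db8:2::10", "GE1/0/0", mac="00e0-fc00-0001"),  # constructed dynamic entry
    BindEntry("2001:db8:5::/64", "GE1/0/0"),                        # constructed prefix entry
]

PACKETS = [
    Packet("2001:db8:1::1", "00e0-fc12-3456", "GE1/0/0"),   # legitimate static user -> forward
    Packet("2001:db8:1::1", "00e0-fcaa-bbbb", "GE1/0/0"),   # same address, forged MAC -> discard
    Packet("2001:db8:9::5", "00e0-fc00-0002", "GE1/0/0"),   # no binding entry -> policy decides
    Packet("2001:db8:2::10", "00e0-fcaa-cccc", "GE1/0/0"),  # forged MAC on a dynamic entry -> discard
    Packet("2001:db8:5::77", "00e0-fc00-0003", "GE1/0/0"),  # covered by the prefix entry -> forward
]


def run_scenario(nomatch_action="discard"):
    """Run the constructed packets; interface threshold 2 overrides global threshold 10."""
    chk = Ipv6Checker(ENTRIES, nomatch_action=nomatch_action, alarm_ifaces={"GE1/0/0"},
                      global_threshold=10, iface_threshold={"GE1/0/0": 2})
    verdicts = [chk.check(p) for p in PACKETS]
    return verdicts, dict(chk.drops), list(chk.alarms)
```

Under the discard policy the three bad packets are all dropped and the third drop raises the alarm, since the interface threshold of 2 (not the global 10) applies. Under the forward policy only the packet with no binding entry at all is let through; a packet whose address is bound but whose MAC or interface disagrees is still discarded, which is the distinction the two policy descriptions above make.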

1.1.5.3.6 Verifying the Configuration


After configuring IPv6/MAC spoofing attack defense, you can view statistics about
discarded IPv6 and DHCPv6 packets and the binding relationships between
interface names, MAC addresses, and IPv6 addresses in the DHCPv6 snooping
binding table.

Prerequisites
IPv6/MAC spoofing attack defense has been configured.

Procedure
● Run the display dhcpv6 snooping bind-table { interface { interface-type
interface-num | interface-name } | ipv6-address ipv6-address | ipv6-prefix
ipv6-prefix-mask | mac-address mac-address | vpn-instance vpn-name |
static | dynamic | all } command to check information about the DHCPv6
snooping binding table.
● Run the display dhcpv6 snooping interface { interface-name | interface-type
interface-num } command to check the running information about the
DHCPv6 snooping function.
● Run the display dhcpv6 snooping statistics command to check statistics
about the DHCPv6 packets sent and received after the DHCPv6 snooping
function is enabled.

1.1.5.4 Enabling Association Between ND Probe and DHCPv6 Snooping


The system periodically performs ND probe on users' IPv6 addresses. If a user
cannot be detected within the specified number of probes, the system deletes the
DHCPv6 binding entry corresponding to the user and constructs a DHCPv6 Release
message to notify the DHCPv6 server to release the user's IPv6 address.

Context
If a user goes offline unexpectedly after obtaining an IPv6 address, the client
cannot send a DHCPv6 Release message to release this IPv6 address, causing a
waste of IPv6 resources. To avoid this, you can enable association between ND
probe and DHCPv6 snooping.

Procedure
1. Run the system-view command to enter the system view.
2. Run the dhcpv6 snooping nd-detect enable command to enable association
between ND probe and DHCPv6 snooping.
3. Run the commit command to commit the configuration.

1.1.5.5 Maintaining DHCPv6 Snooping

1.1.5.5.1 Clearing DHCPv6 Snooping Statistics


This section describes how to clear DHCPv6 snooping statistics.

Context
After the alarm function is configured for DHCPv6 snooping, the system will
collect statistics about the discarded attack packets. You can run the display
dhcpv6 snooping interface { interface-name | interface-type interface-num }
command to check statistics about the discarded packets. To get accurate
statistics, you can clear the existing statistics about discarded packets.

NOTICE

DHCPv6 snooping statistics cannot be restored after they are cleared. Exercise
caution when running the commands.

Procedure
● Run the reset dhcpv6 snooping bind-table [ { interface { interface-type
interface-num | interface-name } | ipv6-address ipv6-address | ipv6-prefix
ipv6-prefix-mask | mac-address mac-address } ] [ release ] command in the
user view to clear entries in a dynamic DHCPv6 snooping binding table.
● Run the reset dhcpv6 snooping interface { interface-name | interface-type
interface-num } command in the user view to clear statistics about discarded
DHCPv6 snooping packets.
● Run the reset dhcpv6 snooping statistics command in the user view to clear
statistics about the packets sent and received after DHCPv6 snooping is
enabled.

1.1.5.6 Configuration Examples for DHCPv6 Snooping

1.1.5.6.1 Example for Configuring DHCPv6 Snooping on a Layer 3 Device


Applications of DHCPv6 snooping on Layer 3 devices include IPv6/MAC spoofing
attack defense.

Networking Requirements
As shown in Figure 1-11, DHCPv6 snooping needs to be configured on the Layer 3
interface GE 1/0/0 of the DHCPv6 relay agent to allow DHCPv6 client access.
If a user goes offline unexpectedly after obtaining an IPv6 address, the system can
automatically detect the logout, delete the corresponding DHCPv6 binding entry,
and instruct the DHCPv6 server to release this IPv6 address. In addition, DHCPv6
snooping enabled on the DHCPv6 relay can defend against IPv6/MAC spoofing
attacks.
DHCPv6 client 1 uses a dynamically assigned IPv6 address, and DHCPv6 client 2
uses a statically assigned IPv6 address.

Figure 1-11 Network diagram of configuring DHCPv6 snooping on a Layer 3 device
NOTE

In this example, interface 1 and interface 2 represent GE 1/0/0 and GE 2/0/0, respectively.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure IPv6 addresses for interfaces.
2. Enable DHCPv6 snooping in the system view and interface view.
3. Configure a DHCPv6 snooping binding table and check IPv6 packets against it
to defend against IPv6/MAC spoofing attacks.
4. Enable association between ND probe and DHCPv6 snooping.

Procedure
1. Configure IPv6 addresses for interfaces.
# Configure IPv6 addresses for GE 1/0/0 and GE 2/0/0.
<HUAWEI> system-view
[~HUAWEI] sysname DHCPv6-relay
[*HUAWEI] commit
[~DHCPv6-relay] interface gigabitethernet 1/0/0
[~DHCPv6-relay-GigabitEthernet1/0/0] ipv6 enable
[*DHCPv6-relay-GigabitEthernet1/0/0] ipv6 address 2001:db8:2::1/64
[*DHCPv6-relay-GigabitEthernet1/0/0] commit
[~DHCPv6-relay-GigabitEthernet1/0/0] quit
[~DHCPv6-relay] interface gigabitethernet 2/0/0
[~DHCPv6-relay-GigabitEthernet2/0/0] ipv6 enable
[*DHCPv6-relay-GigabitEthernet2/0/0] ipv6 address 2001:db8:3::1/64
[*DHCPv6-relay-GigabitEthernet2/0/0] commit
[~DHCPv6-relay-GigabitEthernet2/0/0] quit

2. Enable DHCPv6 snooping.
# Enable DHCPv6 snooping both globally and on an interface.
[~DHCPv6-relay] dhcpv6 snooping enable
[*DHCPv6-relay] interface gigabitethernet 1/0/0
[*DHCPv6-relay-GigabitEthernet1/0/0] dhcpv6 snooping enable
[*DHCPv6-relay-GigabitEthernet1/0/0] commit
[~DHCPv6-relay-GigabitEthernet1/0/0] quit

3. Configure the IPv6 packet check function and a DHCPv6 snooping binding
entry.


# Configure the IPv6 packet check function on the DHCPv6 client-side
interface to prevent IPv6/MAC spoofing attacks.
[~DHCPv6-relay] interface gigabitethernet 1/0/0
[~DHCPv6-relay-GigabitEthernet1/0/0] dhcpv6 snooping check ipv6 enable
[*DHCPv6-relay-GigabitEthernet1/0/0] commit
[~DHCPv6-relay-GigabitEthernet1/0/0] quit

# Configure a static binding entry.

NOTE

For users who use static IPv6 addresses, you need to configure static DHCPv6
snooping binding entries for them.
[~DHCPv6-relay] interface gigabitethernet 1/0/0
[~DHCPv6-relay-GigabitEthernet1/0/0] dhcpv6 snooping bind-table static ipv6-address
2001:db8:1::1 mac-address 00e0-fc12-3456
[*DHCPv6-relay-GigabitEthernet1/0/0] commit

# Configure a destination IPv6 address for the DHCPv6 packets on GE 1/0/0.
[~DHCPv6-relay-GigabitEthernet1/0/0] dhcpv6 relay destination 2001:db8:3::2
[*DHCPv6-relay-GigabitEthernet1/0/0] commit

4. Enable association between ND probe and DHCPv6 snooping.

# Configure the system to perform ND probes for IPv6 addresses whose DHCPv6
snooping entries have reached the aging time and that have no ND entry. If the
user does not respond within the specified number of probes, the system deletes
the corresponding DHCPv6 snooping binding entry and instructs the DHCPv6 server
to release the user's IPv6 address.
[~DHCPv6-relay] dhcpv6 snooping nd-detect enable
[*DHCPv6-relay] commit

5. Verify the configuration.

# Run the display dhcpv6 snooping interface command to check whether
the DHCPv6 snooping function is enabled.
[~DHCPv6-relay] display dhcpv6 snooping interface gigabitethernet 1/0/0
dhcpv6 snooping enable
dhcpv6 snooping check ipv6 enable
ipv6 total 0

# Run the display dhcpv6 snooping bind-table static command to check
information about the DHCPv6 snooping binding table.
[~DHCPv6-relay] display dhcpv6 snooping bind-table static
bind-table:
ifname vrf p/cvlan mac-address ipv6-address tp lease
---------------------------------------------------------------------------------------
GE1/0/0 -- 0000/0000 00e0-fc12-3456 2001:DB8:1::1/128 S 0
---------------------------------------------------------------------------------------
binditem count: 1 binditem total count: 1

Configuration Files
#
sysname DHCPv6-relay
#
dhcpv6 snooping enable
dhcpv6 snooping nd-detect enable
#
interface GigabitEthernet1/0/0
undo shutdown
ipv6 enable
ipv6 address 2001:DB8:2::1/64
dhcpv6 snooping enable
dhcpv6 snooping check ipv6 enable
dhcpv6 relay destination 2001:DB8:3::2
dhcpv6 snooping bind-table static ipv6-address 2001:DB8:1::1 mac-address 00e0-fc12-3456
#
interface GigabitEthernet2/0/0
undo shutdown
ipv6 enable
ipv6 address 2001:DB8:3::1/64
#
return
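The following Python model is an added example; it is not Huawei code and not part of the original guide. It reproduces the three mechanisms the example above configures on the relay: the binding table (the static entry for client 2 as on the page, plus a dynamic entry for client 1 whose address, MAC address and lease are constructed), the IPv6 packet check on the client-side interface, which drops any packet whose source IPv6 address and source MAC address do not both match a binding on that interface, and the ND-probe association, which deletes an aged dynamic entry and releases its address when the host stops answering. The interface names, the client 1 values and the probe count of three are assumptions.

```python
"""DHCPv6 snooping binding-table model (added example, not Huawei code)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


def norm_mac(mac: str) -> str:
    """Reduce '00e0-fc12-3456', '00:E0:FC:12:34:56' or '00e0.fc12.3456' to 12 hex digits."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


def norm_ipv6(addr: str) -> str:
    """Canonical (compressed, lowercase) text form, so 2001:DB8:1::1 == 2001:db8:1::1."""
    return str(ipaddress.IPv6Address(addr))


@dataclass
class Binding:
    ifname: str
    mac: str
    ipv6: str
    static: bool  # 'S' in the tp column of display dhcpv6 snooping bind-table
    lease: int    # remaining lease in seconds; static entries never age


class Dhcpv6Snooping:
    def __init__(self, nd_probe_count: int = 3):  # probe count is an assumption
        self.table: Dict[Tuple[str, str], Binding] = {}
        self.check_ipv6_ifaces: Set[str] = set()
        self.nd_probe_count = nd_probe_count
        self.released: List[str] = []  # addresses the relay asked the server to release

    def bind_static(self, ifname: str, ipv6: str, mac: str) -> None:
        """dhcpv6 snooping bind-table static ipv6-address ... mac-address ..."""
        ip = norm_ipv6(ipv6)
        self.table[(ifname, ip)] = Binding(ifname, norm_mac(mac), ip, True, 0)

    def learn(self, ifname: str, ipv6: str, mac: str, lease: int) -> None:
        """Dynamic entry learned from a DHCPv6 REPLY relayed towards the client."""
        ip = norm_ipv6(ipv6)
        self.table[(ifname, ip)] = Binding(ifname, norm_mac(mac), ip, False, lease)

    def enable_check_ipv6(self, ifname: str) -> None:
        """dhcpv6 snooping check ipv6 enable on the client-side interface."""
        self.check_ipv6_ifaces.add(ifname)

    def check_packet(self, ifname: str, src_ipv6: str, src_mac: str) -> str:
        """Forward an IPv6 packet only if (interface, source IPv6, source MAC) match a binding."""
        if ifname not in self.check_ipv6_ifaces:
            return "forward"  # check not enabled here (e.g. the server-side interface)
        entry = self.table.get((ifname, norm_ipv6(src_ipv6)))
        if entry is None or entry.mac != norm_mac(src_mac):
            return "drop"     # unknown address, or address bound to another MAC
        return "forward"

    def age(self, seconds: int, nd_reachable: Callable[[str], bool]) -> List[str]:
        """Advance time; ND-probe aged dynamic entries and release the unanswered ones."""
        released_now: List[str] = []
        for key, entry in list(self.table.items()):
            if entry.static:
                continue
            entry.lease = max(0, entry.lease - seconds)
            if entry.lease > 0:
                continue
            # dhcpv6 snooping nd-detect enable: probe up to nd_probe_count times
            if any(nd_reachable(entry.ipv6) for _ in range(self.nd_probe_count)):
                continue  # host still present; lease refresh by RENEW is not modelled
            del self.table[key]
            self.released.append(entry.ipv6)  # RELEASE sent to the server for the client
            released_now.append(entry.ipv6)
        return released_now

    def display_bind_table(self) -> List[str]:
        """Rows in the spirit of display dhcpv6 snooping bind-table."""
        rows = []
        for b in sorted(self.table.values(), key=lambda b: (b.ifname, b.ipv6)):
            mac = f"{b.mac[:4]}-{b.mac[4:8]}-{b.mac[8:]}"
            rows.append(f"{b.ifname:<8} {mac} {b.ipv6}/128 {'S' if b.static else 'D'} {b.lease}")
        return rows


def example() -> Tuple[List[str], List[str], int]:
    relay = Dhcpv6Snooping()
    relay.enable_check_ipv6("GE1/0/0")
    relay.bind_static("GE1/0/0", "2001:db8:1::1", "00e0-fc12-3456")  # client 2, from the page
    relay.learn("GE1/0/0", "2001:db8:1::10", "00e0-fc00-0001", 60)   # client 1, constructed
    verdicts = [
        relay.check_packet("GE1/0/0", "2001:DB8:1::1", "00E0-FC12-3456"),   # client 2, case differs
        relay.check_packet("GE1/0/0", "2001:db8:1::1", "00e0-fc99-9999"),   # MAC spoofed
        relay.check_packet("GE1/0/0", "2001:db8:1::77", "00e0-fc12-3456"),  # IPv6 spoofed
        relay.check_packet("GE1/0/0", "2001:db8:1::10", "00e0-fc00-0001"),  # client 1
        relay.check_packet("GE2/0/0", "2001:db8:3::2", "00e0-fc00-aaaa"),   # server side: not checked
    ]
    # client 1 leaves without a DHCPv6 RELEASE: lease runs out, ND probes go unanswered
    released = relay.age(60, nd_reachable=lambda addr: False)
    return verdicts, released, len(relay.table)
```

Running example() returns the verdicts for five constructed packets, the address released after client 1 falls silent, and the number of entries left in the table (only the static binding for client 2). The check keys on the pair (address, MAC) per interface: a host that owns a valid address but presents the wrong MAC, or the right MAC with a different address, is dropped, while traffic on GE2/0/0, where the check is not enabled, is never inspected.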

1.1.6 GTSM Configuration


The GTSM mechanism defends against attacks by checking the TTL value.

1.1.6.1 Overview of GTSMs


The Generalized TTL Security Mechanism (GTSM) is designed to protect devices
against CPU utilization-based attacks by checking whether the time to live (TTL)
value in the IP header is within a specified range.

Attacks with "valid" packets overload the device and consume its resources,
such as the CPU. For example, an attacker keeps sending simulated BGP packets
to the device. After receiving these packets, the device finds that it is their
destination, and the forwarding plane sends them directly to the control plane
for BGP processing without checking their validity. The device busies itself
with processing these "valid" packets, and its CPU usage becomes high.

The GTSM protects services above the IP layer by checking whether the TTL value
in the IP header is within a pre-defined range. In practice, the GTSM is mainly
used to protect the TCP/IP-based control plane, including the routing protocols,
against CPU-utilization attacks such as CPU overload.

When configuring GTSM, note the following precautions:

● The GTSM supports only unicast addresses; therefore, the GTSM must be
configured on all the routers configured with routing protocols.
● When being configured in the BGP view, the GTSM is also applicable to MP-
BGP VPNv4 extensions because they use the same TCP connection.
● The GTSM and EBGP-MAX-HOP functions both affect the TTL values of sent
BGP packets and they conflict with each other. Thus, for a peer or a peer
group, you can use only either of them.
● GTSM does not support tunnel-based neighbors. For example, an IP packet
that carries a BGP packet is transmitted through a tunnel. When the IP packet
reaches the peer end of the tunnel, the tunnel protocol parses the IP packet.
The TTL value in the IP packet cannot reflect the number of forwarding hops;
therefore, the GTSM cannot be applied.

A device enabled with GTSM checks the TTL values in all protocol packets it
receives. Packets whose TTL values are outside the range required by the actual
networking are discarded. If GTSM is not configured, received protocol packets
are delivered to the protocol as long as they match a neighbor configuration and
are discarded otherwise. GTSM therefore also stops bogus protocol packets that
match a configured neighbor from consuming CPU resources.


1.1.6.2 Feature Requirements for GTSM

1.1.6.3 Configuring OSPF GTSM


To apply OSPF GTSM functions, enable GTSM on the two ends of the OSPF
connection.

Usage Scenario
The GTSM prevents attacks through TTL detection. If an attacker simulates real
OSPF unicast packets and keeps sending them to the router, an interface board on
the router receives the packets and directly sends them to the control plane for
OSPF processing, without checking the validity of the packets. The control plane of
the router needs to process the "legal" packets. As a result, the system becomes
abnormally busy and the CPU usage is high.

The GTSM protects the router by checking whether the TTL value in an IP header
is within a pre-defined range to enhance the system security.

Pre-configuration Tasks
Before configuring the OSPF GTSM, complete the following task:

● Configuring basic OSPF functions

Procedure
Step 1 Configure basic OSPF GTSM functions.

To apply the GTSM, you need to enable GTSM on both ends of the OSPF
connection.

Perform the following steps on the GTSM routers at the two ends of the virtual
link or sham link:

1. Run system-view

The system view is displayed.


2. Run ospf valid-ttl-hops ttl [ nonstandard-multicast ] [ vpn-instance vpn-instance-name ]
The OSPF GTSM is configured.

NOTE

– The ospf valid-ttl-hops command has two functions: enabling the OSPF GTSM
and configuring the TTL value to be detected. The vpn-instance parameter is valid
only for the latter function.
– The valid TTL range of detected packets is [255 - hops + 1, 255].
3. Run commit

The configuration is committed.

Step 2 Set the default action for packets that do not match the GTSM policy.


GTSM only checks the TTL values of packets that match the GTSM policy. Packets
that do not match the GTSM policy can be allowed or dropped.
You can enable the log function to record packet drop for troubleshooting.
Perform the following configurations on the GTSM-enabled router:
1. Run system-view
The system view is displayed.
2. Run gtsm default-action { drop | pass }
The default action for packets that do not match the GTSM policy is
configured.

NOTE

If the default action is configured but no GTSM policy is configured, GTSM does not
take effect.
This command is supported only on the Admin-VS and cannot be configured in other
VSs. This command takes effect on all VSs.
3. Run commit
The configuration is committed.

----End

Checking the Configurations


Run the following commands to check the previous configurations.
● Run the display gtsm statistics { slot-id | all } command to view the statistics
about the GTSM.
NOTE

In VS mode, this command is supported only by the admin VS.

1.1.6.4 Configuring OSPFv3 GTSM


To apply OSPFv3 GTSM functions, enable GTSM on the two ends of the OSPFv3
connection.

Pre-configuration Tasks
Before configuring the OSPFv3 GTSM, complete the following task:
● Configuring basic OSPFv3 functions

Procedure
Step 1 Configure basic OSPFv3 GTSM functions.
To apply the GTSM, you need to enable GTSM on both ends of the OSPFv3
connection.
1. Run system-view


The system view is displayed.


2. Run ospfv3 valid-ttl-hops ttl [ vpn-instance vpn-instance-name ]
The OSPFv3 GTSM is configured.

NOTE

– The ospfv3 valid-ttl-hops command has two functions: enabling the OSPFv3
GTSM and configuring the TTL value to be detected. The vpn-instance parameter
is valid only for the latter function.
– The valid TTL range of detected packets is [255 - hops + 1, 255].
3. Run commit
The configuration is committed.
Step 2 Set the default action for packets that do not match the GTSM policy.
GTSM only checks the TTL values of packets that match the GTSM policy. Packets
that do not match the GTSM policy can be allowed or dropped.
You can enable the log function to record packet drop for troubleshooting.
Perform the following configurations on the GTSM-enabled router:
1. Run system-view
The system view is displayed.
2. Run gtsm default-action { drop | pass }
The default action for packets that do not match the GTSM policy is
configured.

NOTE

If the default action is configured but no GTSM policy is configured, GTSM does not
take effect.
This command is supported only on the Admin-VS and cannot be configured in other
VSs. This command takes effect on all VSs.
3. Run commit
The configuration is committed.

----End

Checking the Configurations


Run the following commands to check the previous configurations.
● Run the display gtsm statistics { slot-id | all } command to view the statistics
about the GTSM.
NOTE

In VS mode, this command is supported only by the admin VS.

1.1.6.5 Configuring BGP GTSM


BGP GTSM must be configured on both peers.


Usage Scenario
GTSM prevents attacks through TTL detection. An attacker simulates real BGP
packets and sends them in large quantities to the router. After receiving the
packets, an interface board of the router sends them directly to the BGP module
of the control plane if it finds that the packets are destined for the local
router, without checking their validity. The control plane then has to process
these "legal" packets. As a result, the system becomes abnormally busy and the
CPU usage is high.
GTSM protects the router by checking whether the TTL value in an IP packet
header is within a pre-defined range to enhance the system security.

NOTE

● GTSM supports only unicast addresses; therefore, GTSM must be configured on all the
routers configured with routing protocols.

Pre-configuration Tasks
Before configuring the BGP GTSM, complete the following task:
● Configuring Basic BGP Functions
Perform the following steps on both BGP peers:

Procedure
Step 1 Configure the basic BGP GTSM functions.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run peer { group-name | ipv4-address } valid-ttl-hops [ hops ]
The BGP GTSM is configured.
The valid TTL range of detected packets is [255 - hops + 1, 255]. For example,
for a directly connected EBGP peer, the number of hops is 1, so the only valid
TTL value is 255.

NOTE

– When being configured in the BGP view, GTSM is also applicable to MP-BGP VPNv4
extensions because they use the same TCP connection.
– The GTSM and EBGP-MAX-HOP functions both affect the TTL values of sent BGP
messages and they conflict with each other. Thus, for a peer or a peer group, you
can use only either of them.

A BGP router that is enabled with GTSM checks the TTL values in all BGP
packets. As required by the actual networking, packets whose TTL values are
not within the specified range are discarded. If GTSM is not configured on a
BGP router, the received BGP packets are forwarded if the BGP peer
configuration is matched. Otherwise, the received BGP packets are discarded.
This prevents bogus BGP packets from consuming CPU resources.


4. Run commit
The configuration is committed.
Step 2 Set the default action for packets that do not match the GTSM policy.
GTSM only checks the TTL values of packets that match the GTSM policy. Packets
that do not match the GTSM policy can be allowed or dropped. If "drop" is set as
the default GTSM action for packets, you need to configure TTL values for all the
packets sent from valid peers in the GTSM policy. If TTL values are not configured
for the packets sent from a peer, the device will discard the packets sent from the
peer and cannot establish a connection to the peer. Therefore, GTSM enhances
security but reduces the ease of use.
You can enable the log function to record packet drop for troubleshooting.
Perform the following configurations on the GTSM-enabled router:
1. Run system-view
The system view is displayed.
2. Run gtsm default-action { drop | pass }
The default action for packets that do not match the GTSM policy is
configured.

NOTE

If the default action is configured but no GTSM policy is configured, GTSM does not
take effect.
This command is supported only on the Admin-VS and cannot be configured in other
VSs. This command takes effect on all VSs.
3. Run commit
The configuration is committed.

----End

Checking the Configurations


Run the following command to check the previous configurations.
● Run the display gtsm statistics { slot-id | all } command to check the
statistics about GTSM.
NOTE

In VS mode, this command is supported only by the admin VS.

1.1.6.6 Configuring BGP4+ GTSM


BGP4+ GTSM must be configured on both peers.

Usage Scenario
The GTSM prevents attacks through TTL detection. An attacker simulates real
BGP4+ packets and sends them in large quantities to the router. After receiving
the packets, an interface board of the router sends them directly to the BGP4+
module of the control plane if it finds that the packets are destined for the
local router, without checking their validity. The control plane then has to
process these "legal" packets. As a result, the system becomes abnormally busy
and the CPU usage is high.

The GTSM protects the router by checking whether the TTL value in an IP packet
header is within a pre-defined range to enhance the system security.

NOTE

● The GTSM supports only unicast addresses; therefore, the GTSM must be configured on
all the routers configured with routing protocols.

Pre-configuration Tasks
Before configuring the BGP4+ GTSM, complete the following task:

● Configuring Basic BGP4+ Functions

Perform the following steps on both BGP4+ peers:

Procedure
Step 1 Configure the basic BGP4+ GTSM functions.
1. Run system-view

The system view is displayed.


2. Run bgp as-number

The BGP view is displayed.


3. Run peer { group-name | ipv6-address } valid-ttl-hops [ hops ]

The BGP4+ GTSM is configured.

The valid TTL range of detected packets is [255 - hops + 1, 255]. For example,
for a directly connected EBGP peer, the number of hops is 1, so the only valid
TTL value is 255.

NOTE

– When being configured in the BGP view, the GTSM is also applicable to MP-BGP
VPNv4 extensions because they use the same TCP connection.
– The GTSM and EBGP-MAX-HOP functions both affect the TTL values of sent BGP4+
messages and they conflict with each other. Thus, for a peer or a peer group, you
can use only either of them.

A BGP4+ router that is enabled with GTSM checks the TTL values in all BGP4+
packets. As required by the actual networking, packets whose TTL values are
not within the specified range are discarded. If GTSM is not configured on a
BGP4+ router, the received BGP4+ packets are forwarded if the BGP4+ peer
configuration is matched. Otherwise, the received BGP4+ packets are
discarded. This prevents bogus BGP4+ packets from consuming CPU resources.
4. Run commit

The configuration is committed.


Step 2 Set the default action for packets that do not match the GTSM policy.
GTSM only checks the TTL values of packets that match the GTSM policy. Packets
that do not match the GTSM policy can be allowed or dropped. If "drop" is set as
the default GTSM action for packets, you need to configure TTL values for all the
packets sent from valid peers in the GTSM policy. If TTL values are not configured
for the packets sent from a peer, the device will discard the packets sent from the
peer and cannot establish a connection to the peer. Therefore, GTSM enhances
security but reduces the ease of use.
You can enable the log function to record packet drop for troubleshooting.
Perform the following configurations on the GTSM-enabled router:
1. Run system-view
The system view is displayed.
2. Run gtsm default-action { drop | pass }
The default action for packets that do not match the GTSM policy is
configured.

NOTE

If the default action is configured but no GTSM policy is configured, GTSM does not
take effect.
This command is supported only on the Admin-VS and cannot be configured in other
VSs. This command takes effect on all VSs.
3. Run commit
The configuration is committed.

----End

Checking the Configurations


Run the following command to check the previous configurations.
● Run the display gtsm statistics { slot-id | all } command to check the
statistics about the GTSM.
NOTE

In VS mode, this command is supported only by the admin VS.

1.1.6.7 Configuring LDP GTSM


To configure LDP GTSM, you need to configure both LDP peers.

Usage Scenario
The GTSM prevents attacks through TTL detection. An attacker simulates real LDP
unicast packets and keeps sending them to the router. After receiving the packets,
an interface board of the router directly sends the packets to LDP of the control
plane if the interface board finds that the packets are sent to the local router,
without checking the validity of the packets. The control plane of the router needs
to process the "legal" packets; therefore, the system becomes abnormally busy
and the CPU usage is high.


The GTSM protects the router by checking whether the TTL value in the LDP
packet header is within a pre-defined range to improve the system security.

Pre-configuration Tasks
Before configuring the LDP GTSM, complete the following task:

● Enable MPLS and MPLS LDP.

Context
Perform the following steps on the two LDP peers that need to be configured with
the GTSM:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run mpls ldp

The MPLS-LDP view is displayed.

Step 3 Run gtsm peer ip-address valid-ttl-hops hops

The LDP GTSM is configured.

If the value of hops is set to the maximum number of valid hops permitted by the
GTSM, when the TTL values carried in the packets sent by an LDP peer are within
the range [255 - hops + 1, 255], the packets are accepted; otherwise, the packets
are discarded.

NOTE

The valid TTL range is from 1 to 255 or from 1 to 64, depending on the specific vendor. If a
Huawei device is connected to a non-Huawei device, set hops to a value in a valid range
that both devices support; otherwise, the Huawei device will discard packets sent by the
non-Huawei device, resulting in LDP session interruption.

Step 4 Run commit

The configuration is committed.

----End

Checking the Configurations


Run the following command to check the previous configurations.

● Run the display gtsm statistics { slot-id | all } command to view the statistics
about the GTSM.
NOTE

In VS mode, this command is supported only by the admin VS.


1.1.6.8 Configuring GTSM for RIP


To apply RIP GTSM functions, enable GTSM on the two ends of the RIP
connection.

Context
During network attacks, attackers may simulate RIP packets and continuously
send them to a router. If the packets are destined for the router, it directly
forwards them to the control plane for processing without validating them. As a
result, the increased processing workload on the control plane results in high CPU
usage. Generalized TTL Security Mechanism (GTSM) defends against attacks by
checking whether the time to live (TTL) value in each IP packet header is within a
pre-defined range.

Pre-configuration Tasks
Before configuring the RIP GTSM, complete the following task:

● Configuring basic RIP functions

Perform the following operations on the peers at both ends:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run rip valid-ttl-hops valid-ttl-hops-value [ vpn-instance vpn-instance-name ]

GTSM is configured for RIP.

NOTE

The valid TTL range of the detected packets is [255 - valid-ttl-hops-value + 1, 255].

Step 3 Run commit

The configuration is committed.

Step 4 Set the default action for packets that do not match the GTSM policy.

GTSM only checks the TTL values of packets that match the GTSM policy. Packets
that do not match the GTSM policy can be allowed or dropped.

You can enable the log function to record packet drop for troubleshooting.

Perform the following configurations on the GTSM-enabled router:

1. Run system-view

The system view is displayed.


2. Run gtsm default-action { drop | pass }

The default action for packets that do not match the GTSM policy is
configured.


NOTE

If the default action is configured but no GTSM policy is configured, GTSM does not
take effect.
This command is supported only on the Admin-VS and cannot be configured in other
VSs. This command takes effect on all VSs.
3. Run commit

The configuration is committed.

----End

Checking the Configurations


Run the following commands to check the previous configurations.

● Run the display gtsm statistics { slot-id | all } command to view the statistics
about the GTSM.
NOTE

In VS mode, this command is supported only by the admin VS.

1.1.6.9 Maintaining GTSMs


This section describes how to clear the GTSM statistics for a new statistics
collection.

1.1.6.9.1 Clearing the Statistics About the GTSM


Before collecting the GTSM statistics within a certain period on a board, you need
to clear the existing statistics.

Context

NOTICE

The statistics about the GTSM cannot be restored after being cleared. Therefore,
use this command with caution.

Procedure
Step 1 After confirming that you need to clear the statistics about the GTSM from a
board, run the reset gtsm statistics { slot-id | all } command in the user view.

In VS mode, this command is supported only by the admin VS.

----End


1.1.6.10 Configuration Examples for GTSMs


This section describes the typical application scenario of the GTSM, including
networking requirements, configuration roadmap, and data preparation, and
provides related configuration files.

1.1.6.10.1 Example for Configuring OSPF GTSM


This section describes how to configure OSPF GTSM to protect devices on an OSPF
network against CPU utilization-based attacks.

Networking Requirements
As shown in Figure 1-12, OSPF runs on the routers and the GTSM is enabled on
Device C.

The valid TTL ranges of the packets sent from each router to Device C are as
follows:

● Device A and Device E are the neighbors of Device C. The valid TTL range of
the packets from Device A and Device E to Device C is [255, 255].
● The valid TTL ranges of the packets sent from Device B, Device D, and Device
F to Device C are [254, 255], [253, 255], and [252, 255] respectively.

Figure 1-12 Configuring OSPF GTSM


NOTE

Interfaces 1 and 2 in this example represent GE 1/0/0 and GE 2/0/0, respectively.


Configuration Notes
None.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic OSPF functions.
2. Enable the GTSM on each router and specify the valid TTL range of packets.

Data Preparation
To complete the configuration, you need the following data:
● OSPF process ID of each router
● Valid TTL range of the packets transmitted between the routers

Procedure
Step 1 Configure IP addresses for interfaces. The configuration details are not mentioned
here.
Step 2 Configure the basic OSPF functions. The configuration details are not mentioned
here.
Step 3 Configure the OSPF GTSM.
# Configure Device C to accept OSPF packets whose TTL is within [252, 255]
(hops = 4, which covers Device F, four hops away).
[~DeviceC] ospf valid-ttl-hops 4
[*DeviceC] commit

# Configure Device A, a direct neighbor of Device C, to accept only packets
with TTL 255 (hops = 1).
[~DeviceA] ospf valid-ttl-hops 1
[*DeviceA] commit

# Configure Device B, two hops from Device C, to accept TTL values in [254,
255].
[~DeviceB] ospf valid-ttl-hops 2
[*DeviceB] commit

# Configure Device D, three hops from Device C, to accept TTL values in [253,
255].
[~DeviceD] ospf valid-ttl-hops 3
[*DeviceD] commit

# Configure Device E, a direct neighbor of Device C, to accept only packets
with TTL 255 (hops = 1).
[~DeviceE] ospf valid-ttl-hops 1
[*DeviceE] commit

# Configure Device F, four hops from Device C, to accept TTL values in [252,
255].
[~DeviceF] ospf valid-ttl-hops 4
[*DeviceF] commit

Step 4 Verify the configuration.


# Check that the OSPF neighbor relationships between the routers are
established. Take Device A as an example: the neighbor state is Full, so the
adjacencies are up.
[~DeviceA] display ospf peer
OSPF Process 1 with Router ID 1.1.1.1
Neighbors
Area 0.0.0.0 interface 192.168.0.1(GigabitEthernet1/0/0)'s neighbors
Router ID: 2.2.2.2 Address: 192.168.0.2
State: Full Mode:Nbr is Master Priority: 1
DR: None BDR: None MTU: 0
Dead timer due in 36 sec
Retrans timer interval: 5
Neighbor is up for 00:15:04
Authentication Sequence: [ 0 ]
Neighbors
Area 0.0.0.1 interface 192.168.1.1(GigabitEthernet2/0/0)'s neighbors
Router ID: 3.3.3.3 Address: 192.168.1.2
State: Full Mode:Nbr is Master Priority: 1
DR: None BDR: None MTU: 0
Dead timer due in 39 sec
Retrans timer interval: 5
Neighbor is up for 00:07:32
Authentication Sequence: [ 0 ]

# Run the display gtsm statistics all command on Device C. You can view the
statistics about the GTSM. If the default action that is performed on the packets is
"pass" and all the packets are valid, no packet is dropped.
<DeviceC> display gtsm statistics all
GTSM Statistics Table
----------------------------------------------------------------
SlotId Protocol Total Counters Drop Counters Pass Counters
----------------------------------------------------------------
1 BGP 0 0 0
1 BGPv6 0 0 0
1 OSPF 0 0 0
1 LDP 0 0 0
1 OSPFv3 0 0 0
1 RIP 0 0 0
2 BGP 0 0 0
2 BGPv6 0 0 0
2 OSPF 0 0 0
2 LDP 0 0 0
2 OSPFv3 0 0 0
2 RIP 0 0 0
3 BGP 0 0 0
3 BGPv6 0 0 0
3 OSPF 0 0 0
3 LDP 0 0 0
3 OSPFv3 0 0 0
3 RIP 0 0 0
4 BGP 0 0 0
4 BGPv6 0 0 0
4 OSPF 0 0 0
4 LDP 0 0 0
4 OSPFv3 0 0 0
4 RIP 0 0 0
5 BGP 0 0 0
5 BGPv6 0 0 0
5 OSPF 0 0 0
5 LDP 0 0 0
5 OSPFv3 0 0 0
5 RIP 0 0 0
7 BGP 0 0 0
7 BGPv6 0 0 0
7 OSPF 0 0 0
7 LDP 0 0 0
7 OSPFv3 0 0 0
7 RIP 0 0 0
----------------------------------------------------------------

If a host PC simulates OSPF packets from Device A to attack Device C, the
packets are dropped when their TTL value on arrival at Device C is outside the
configured range [252, 255], which is the case for packets originated more than
four hops away. In the GTSM statistics on Device C, the number of dropped
packets increases accordingly.

----End

Configuration Files
● Device A configuration file
#
sysname DeviceA
#
router id 1.1.1.1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 192.168.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.1
network 192.168.1.0 0.0.0.255
#
ospf valid-ttl-hops 1
#
return

● Device B configuration file


#
sysname DeviceB
#
router id 2.2.2.2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.0.2 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 192.168.2.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.2
network 192.168.2.0 0.0.0.255
#
ospf valid-ttl-hops 2
#
return

● Device C configuration file


#
sysname DeviceC
#
router id 3.3.3.3
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.1.2 255.255.255.0
#
ospf 1
area 0.0.0.1
network 192.168.1.0 0.0.0.255
network 172.16.1.0 0.0.0.255
#
ospf valid-ttl-hops 4
#
return
● Device D configuration file
#
sysname DeviceD
#
router id 4.4.4.4
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 172.17.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.2.2 255.255.255.0
#
ospf 1
area 0.0.0.2
network 192.168.2.0 0.0.0.255
network 172.17.1.0 0.0.0.255
#
ospf valid-ttl-hops 3
#
return
● Device E configuration file
#
sysname DeviceE
#
router id 5.5.5.5
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 172.16.1.2 255.255.255.0
#
ospf 1
area 0.0.0.1
network 172.16.1.0 0.0.0.255
#
ospf valid-ttl-hops 1
#
return
● Device F configuration file
#
sysname DeviceF
#
router id 6.6.6.6
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 172.17.1.2 255.255.255.0
#
ospf 1
area 0.0.0.2
network 172.17.1.0 0.0.0.255
#
ospf valid-ttl-hops 4
#
return
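The following Python model is an added example; it is not Huawei code and not part of the original guide. It implements the check described in the Overview of GTSMs and exercised in this OSPF example: a packet is accepted only if its TTL lies in [255 - hops + 1, 255]; a packet with no matching GTSM policy is handled by the default action set with gtsm default-action { drop | pass }; and per-protocol counters mirror the Total/Drop/Pass columns of display gtsm statistics. ospf_example() replays Device C with ospf valid-ttl-hops 4, and bgp_default_drop_example() shows the caveat from the BGP GTSM section, where default-action drop cuts off a valid peer that has no valid-ttl-hops entry. The addresses in the BGP case and the TTL values of the spoofed packets are constructed.

```python
"""GTSM TTL check model (added example, not Huawei code).

A GTSM-enabled device accepts a routing-protocol packet only if the IP TTL is
within [255 - hops + 1, 255]. Packets with no matching policy are handled by
the default action (drop or pass); counters follow display gtsm statistics.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_TTL = 255


def valid_ttl_range(hops: int) -> Tuple[int, int]:
    """Valid TTL range for a policy of 'hops' hops: [255 - hops + 1, 255]."""
    if not 1 <= hops <= MAX_TTL:
        raise ValueError("hops must be in 1..255")
    return (MAX_TTL - hops + 1, MAX_TTL)


@dataclass(frozen=True)
class Packet:
    protocol: str  # "OSPF", "BGP", "LDP", ...
    src: str       # source address in the IP header
    ttl: int       # TTL on arrival at the checking device


@dataclass
class GtsmDevice:
    # protocol -> {peer address or "*": hops}. OSPF/OSPFv3/RIP policies are
    # process-wide ("*"); BGP and LDP policies are per peer, as on the page.
    policies: Dict[str, Dict[str, int]] = field(default_factory=dict)
    default_action: str = "pass"  # gtsm default-action { drop | pass }
    # protocol -> [total, drop, pass], the columns of display gtsm statistics
    stats: Dict[str, List[int]] = field(default_factory=dict)

    def configure(self, protocol: str, hops: int, peer: str = "*") -> None:
        valid_ttl_range(hops)  # reject out-of-range hops at configuration time
        self.policies.setdefault(protocol, {})[peer] = hops

    def _policy_for(self, pkt: Packet) -> Optional[int]:
        per_proto = self.policies.get(pkt.protocol, {})
        return per_proto.get(pkt.src, per_proto.get("*"))

    def check(self, pkt: Packet) -> str:
        """Return 'pass' or 'drop' for a protocol packet destined to this device."""
        if not self.policies:
            return "pass"  # a default action alone does nothing (page NOTE)
        hops = self._policy_for(pkt)
        if hops is None:
            action = self.default_action  # no matching policy: default action
        else:
            low, high = valid_ttl_range(hops)
            action = "pass" if low <= pkt.ttl <= high else "drop"
        counters = self.stats.setdefault(pkt.protocol, [0, 0, 0])
        counters[0] += 1
        counters[1 if action == "drop" else 2] += 1
        return action

    def statistics(self) -> List[str]:
        """Rows in the style of display gtsm statistics, one per protocol."""
        return [f"{p:<7} total={t} drop={d} pass={a}"
                for p, (t, d, a) in sorted(self.stats.items())]


def ospf_example() -> Tuple[List[str], List[int]]:
    """Device C from the OSPF GTSM example: ospf valid-ttl-hops 4 -> [252, 255]."""
    device_c = GtsmDevice()
    device_c.configure("OSPF", 4)
    probes = [
        ("192.168.1.1", 255),  # Device A, directly connected: accepted
        ("192.168.1.1", 250),  # spoofed 'Device A' from five hops away: dropped
        ("192.168.1.1", 253),  # spoofed from within four hops: still accepted
    ]
    verdicts = [device_c.check(Packet("OSPF", src, ttl)) for src, ttl in probes]
    return verdicts, device_c.stats["OSPF"]


def bgp_default_drop_example() -> List[str]:
    """gtsm default-action drop with only one EBGP peer covered by a policy."""
    device = GtsmDevice(default_action="drop")
    device.configure("BGP", 1, peer="10.1.1.1")  # directly connected EBGP peer (constructed)
    return [
        device.check(Packet("BGP", "10.1.1.1", 255)),  # valid direct peer
        device.check(Packet("BGP", "10.1.1.1", 254)),  # one hop too far: dropped
        device.check(Packet("BGP", "10.3.3.9", 253)),  # peer without a policy: default drop
    ]


if __name__ == "__main__":
    print(ospf_example())
    print(bgp_default_drop_example())
```

The third OSPF probe is the practical limit of the mechanism: with hops set to 4, Device C accepts any packet that arrives with TTL 252 or higher, so a spoofer within four hops is not stopped by GTSM alone. Keep hops as small as the topology allows, and pair GTSM with protocol authentication. The BGP case shows why default-action drop needs a valid-ttl-hops entry for every legitimate peer: the third packet comes from a real peer and is still discarded.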

1.1.6.10.2 Example for Configuring the BGP GTSM


On a BGP network, BGP GTSM is configured to protect routers against CPU-
utilization attacks.

Networking Requirements
Attacks by bogus packets on networks cause overload and consumption of the
limited resources (such as CPUs) of devices. For example, an attacker sends bogus
BGP packets to a router continuously. When the router determines that the
received packets are destined for the local device, the forwarding plane sends the
packets to the control plane for BGP processing without checking the validity of
the packets. This causes a high CPU usage rate to the router because the router
keeps processing the packets.

The Generalized TTL Security Mechanism (GTSM) is designed to protect routers
from CPU-utilization-based attacks by checking whether the TTL value in the
header of an IP packet is within the predefined range.

As shown in Figure 1-13, DeviceA belongs to AS10; DeviceB, DeviceC, and DeviceD
all belong to AS20. BGP operates on the network as shown in Figure 1-13, and
the BGP GTSM is used to protect DeviceB from CPU-utilization attacks.

Figure 1-13 Networking diagram of configuring the BGP GTSM


NOTE

Interfaces 1 and 2 in this example represent GE 1/0/0 and GE 2/0/0, respectively.

Configuration Notes
When configuring BGP GTSM, note the following:
● GTSM must be enabled on both ends of a BGP connection.
● The valid-ttl-hops value set on both ends of a BGP connection must be the
same.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF on DeviceA, DeviceB, DeviceC, and DeviceD in AS20 for
interworking.
2. Establish an EBGP connection between DeviceA and DeviceB; establish an
IBGP full mesh between DeviceB, DeviceC, and DeviceD through the loopback
interfaces.
3. Configure the GTSM on DeviceA, DeviceB, DeviceC, and DeviceD.

Data Preparation
To complete the configuration, you need the following data:
● Router ID and AS numbers of DeviceA, DeviceB, DeviceC, and DeviceD
● Valid TTL range between DeviceA and DeviceB, DeviceB and DeviceC, DeviceC
and DeviceD, and DeviceB and DeviceD

Procedure
Step 1 Configure IP addresses for interfaces. The configuration details are not mentioned
here.
Step 2 Configure OSPF. The configuration details are not mentioned here.
Step 3 Configure the IBGP full mesh.
# Configure DeviceB.
[~DeviceB] bgp 20
[*DeviceB-bgp] router-id 10.2.2.9
[*DeviceB-bgp] peer 10.3.3.9 as-number 20
[*DeviceB-bgp] peer 10.3.3.9 connect-interface LoopBack0
[*DeviceB-bgp] peer 10.3.3.9 next-hop-local
[*DeviceB-bgp] peer 10.4.4.9 as-number 20
[*DeviceB-bgp] peer 10.4.4.9 connect-interface LoopBack0
[*DeviceB-bgp] peer 10.4.4.9 next-hop-local
[*DeviceB-bgp] commit

# Configure DeviceC.
[~DeviceC] bgp 20
[*DeviceC-bgp] router-id 10.3.3.9
[*DeviceC-bgp] peer 10.2.2.9 as-number 20
[*DeviceC-bgp] peer 10.2.2.9 connect-interface LoopBack0
[*DeviceC-bgp] peer 10.4.4.9 as-number 20
[*DeviceC-bgp] peer 10.4.4.9 connect-interface LoopBack0
[*DeviceC-bgp] commit

# Configure DeviceD.

[~DeviceD] bgp 20
[*DeviceD-bgp] router-id 10.4.4.9
[*DeviceD-bgp] peer 10.2.2.9 as-number 20
[*DeviceD-bgp] peer 10.2.2.9 connect-interface LoopBack0
[*DeviceD-bgp] peer 10.3.3.9 as-number 20
[*DeviceD-bgp] peer 10.3.3.9 connect-interface LoopBack0
[*DeviceD-bgp] commit

Step 4 Configure EBGP connections.
# Configure DeviceA.
[~DeviceA] bgp 10
[*DeviceA-bgp] router-id 10.1.1.9
[*DeviceA-bgp] peer 10.1.1.2 as-number 20
[*DeviceA-bgp] commit

# Configure DeviceB.
[~DeviceB-bgp] peer 10.1.1.1 as-number 10
[*DeviceB-bgp] commit

# View the status of the peer connections.
<DeviceB> display bgp peer
BGP local router ID : 10.2.2.9
Local AS number : 20
Total number of peers : 3 Peers in established state : 3

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.3.3.9 4 20 8 7 0 00:05:06 Established 0
10.4.4.9 4 20 8 10 0 00:05:33 Established 0
10.1.1.1 4 10 7 7 0 00:04:09 Established 0

You can view that the BGP connections between DeviceB and the other routers are
set up.
Step 5 Configure the GTSM between DeviceA and DeviceB. The two routers are directly
connected; therefore, the valid TTL range of the packets between them is [255,
255]. That is, the value of valid-ttl-hops is 1.
# Configure the GTSM on DeviceA.
[~DeviceA] bgp 10
[*DeviceA-bgp] peer 10.1.1.2 valid-ttl-hops 1
[*DeviceA-bgp] commit

# Configure the GTSM for the EBGP connections on DeviceB.
[~DeviceB] bgp 20
[*DeviceB-bgp] peer 10.1.1.1 valid-ttl-hops 1
[*DeviceB-bgp] commit

# View the configuration of the GTSM.
<DeviceB> display bgp peer 10.1.1.1 verbose
BGP Peer is 10.1.1.1, remote AS 10
Type: EBGP link
BGP version 4, Remote router ID 10.1.1.9

Group ID : 2
BGP current state: Established, Up for 00h49m35s
BGP current event: RecvKeepalive
BGP last state: OpenConfirm
BGP Peer Up count: 1
Received total routes: 0
Received active routes total: 0
Advertised total routes: 0
Port: Local - 179 Remote - 52876
Configured: Active Hold Time: 180 sec Keepalive Time:60 sec
Received : Active Hold Time: 180 sec
Negotiated: Active Hold Time: 180 sec Keepalive Time:60 sec
Peer optional capabilities:
Peer supports bgp multi-protocol extension
Peer supports bgp route refresh capability
Peer supports bgp 4-byte-as capability
Address family IPv4 Unicast: advertised and received
Received: Total 59 messages
Update messages 0
Open messages 2
KeepAlive messages 57
Notification messages 0
Refresh messages 0
Sent: Total 79 messages
Update messages 5
Open messages 2
KeepAlive messages 71
Notification messages 1
Refresh messages 0
Last keepalive received: 2009-02-20 13:54:58
Minimum route advertisement interval is 30 seconds
Optional capabilities:
Route refresh capability has been enabled
4-byte-as capability has been enabled
GTSM has been enabled, valid-ttl-hops: 1
Peer Preferred Value: 0
Routing policy configured:
No routing policy is configured

You can view that the GTSM is enabled, the number of valid TTL hops is 1, and the
status of the BGP connection is Established.
Step 6 Configure the GTSM between DeviceB and DeviceC. The two routers are directly
connected; therefore, the valid TTL range of the packets between them is [255,
255]. That is, the value of valid-ttl-hops is 1.
# Configure the GTSM on DeviceB.
[~DeviceB] bgp 20
[*DeviceB-bgp] peer 10.3.3.9 valid-ttl-hops 1
[*DeviceB-bgp] commit

# Configure the GTSM for the IBGP connections on DeviceC.
[~DeviceC-bgp] peer 10.2.2.9 valid-ttl-hops 1
[*DeviceC-bgp] commit

# View the configuration of the GTSM.
<DeviceB> display bgp peer 10.3.3.9 verbose
BGP Peer is 10.3.3.9, remote AS 20
Type: IBGP link
BGP version 4, Remote router ID 10.3.3.9

Group ID : 0
BGP current state: Established, Up for 00h54m36s
BGP current event: KATimerExpired
BGP last state: OpenConfirm
BGP Peer Up count: 1
Received total routes: 0
Received active routes total: 0
Advertised total routes: 0
Port: Local - 54998 Remote - 179
Configured: Active Hold Time: 180 sec Keepalive Time:60 sec
Received : Active Hold Time: 180 sec
Negotiated: Active Hold Time: 180 sec Keepalive Time:60 sec
Peer optional capabilities:
Peer supports bgp multi-protocol extension
Peer supports bgp route refresh capability
Peer supports bgp 4-byte-as capability
Address family IPv4 Unicast: advertised and received
Received: Total 63 messages
Update messages 0
Open messages 1
KeepAlive messages 62
Notification messages 0
Refresh messages 0
Sent: Total 69 messages
Update messages 10
Open messages 1
KeepAlive messages 58
Notification messages 0
Refresh messages 0
Last keepalive received: 2009-02-20 13:57:43
Minimum route advertisement interval is 15 seconds
Optional capabilities:
Route refresh capability has been enabled
4-byte-as capability has been enabled
Nexthop self has been configured
Connect-interface has been configured
GTSM has been enabled, valid-ttl-hops: 1
Peer Preferred Value: 0
Routing policy configured:
No routing policy is configured

You can view that the GTSM is enabled, the number of valid TTL hops is 1, and the
status of the BGP connection is Established.
Step 7 Configure the GTSM between DeviceC and DeviceD. The two routers are directly
connected; therefore, the valid TTL range of the packets between them is [255,
255]. That is, the value of valid-ttl-hops is 1.
# Configure the GTSM for the IBGP connections on DeviceC.
[~DeviceC] bgp 20
[*DeviceC-bgp] peer 10.4.4.9 valid-ttl-hops 1
[*DeviceC-bgp] commit

# Configure the GTSM for the IBGP connections on DeviceD.
[~DeviceD] bgp 20
[*DeviceD-bgp] peer 10.3.3.9 valid-ttl-hops 1
[*DeviceD-bgp] commit

# View the configuration of the GTSM.
<DeviceC> display bgp peer 10.4.4.9 verbose
BGP Peer is 10.4.4.9, remote AS 20
Type: IBGP link
BGP version 4, Remote router ID 10.4.4.9

Group ID : 1
BGP current state: Established, Up for 00h56m06s
BGP current event: KATimerExpired
BGP last state: OpenConfirm
BGP Peer Up count: 1
Received total routes: 0
Received active routes total: 0
Advertised total routes: 0
Port: Local - 179 Remote - 53758
Configured: Active Hold Time: 180 sec Keepalive Time:60 sec
Received : Active Hold Time: 180 sec
Negotiated: Active Hold Time: 180 sec Keepalive Time:60 sec
Peer optional capabilities:
Peer supports bgp multi-protocol extension
Peer supports bgp route refresh capability
Peer supports bgp 4-byte-as capability
Address family IPv4 Unicast: advertised and received
Received: Total 63 messages
Update messages 0
Open messages 1
KeepAlive messages 62
Notification messages 0
Refresh messages 0
Sent: Total 63 messages
Update messages 0
Open messages 2
KeepAlive messages 61
Notification messages 0
Refresh messages 0
Last keepalive received: 2009-02-20 14:00:06
Minimum route advertisement interval is 15 seconds
Optional capabilities:
Route refresh capability has been enabled
4-byte-as capability has been enabled
Connect-interface has been configured
GTSM has been enabled, valid-ttl-hops: 1
Peer Preferred Value: 0
Routing policy configured:
No routing policy is configured

You can view that the GTSM is enabled, the number of valid TTL hops is 1, and the
status of the BGP connection is Established.
Step 8 Configure the GTSM between DeviceB and DeviceD. The two routers are
connected through DeviceC. Because of the intermediate hop at DeviceC, the valid
TTL range of the packets between the two routers is [254, 255]. That is, the value
of valid-ttl-hops is 2.
# Configure the GTSM for the IBGP connections on DeviceB.
[~DeviceB-bgp] peer 10.4.4.9 valid-ttl-hops 2
[*DeviceB-bgp] commit

# Configure the GTSM on DeviceD.
[~DeviceD-bgp] peer 10.2.2.9 valid-ttl-hops 2
[*DeviceD-bgp] commit

# View the configuration of the GTSM.
<DeviceB> display bgp peer 10.4.4.9 verbose
BGP Peer is 10.4.4.9, remote AS 20
Type: IBGP link
BGP version 4, Remote router ID 10.4.4.9

Group ID : 0
BGP current state: Established, Up for 00h57m48s
BGP current event: RecvKeepalive
BGP last state: OpenConfirm
BGP Peer Up count: 1
Received total routes: 0
Received active routes total: 0
Advertised total routes: 0
Port: Local - 53714 Remote - 179
Configured: Active Hold Time: 180 sec Keepalive Time:60 sec
Received : Active Hold Time: 180 sec
Negotiated: Active Hold Time: 180 sec Keepalive Time:60 sec
Peer optional capabilities:
Peer supports bgp multi-protocol extension
Peer supports bgp route refresh capability
Peer supports bgp 4-byte-as capability
Address family IPv4 Unicast: advertised and received
Received: Total 72 messages
Update messages 0
Open messages 1
KeepAlive messages 71
Notification messages 0
Refresh messages 0
Sent: Total 82 messages
Update messages 10
Open messages 1
KeepAlive messages 71
Notification messages 0
Refresh messages 0
Last keepalive received: 2009-02-20 14:01:27
Minimum route advertisement interval is 15 seconds
Optional capabilities:
Route refresh capability has been enabled
4-byte-as capability has been enabled
Nexthop self has been configured
Connect-interface has been configured
GTSM has been enabled, valid-ttl-hops: 2
Peer Preferred Value: 0
Routing policy configured:
No routing policy is configured

You can view that the GTSM is enabled, the number of valid TTL hops is 2, and the
status of the BGP connection is Established.

NOTE

● In this example, if the value of valid-ttl-hops of either DeviceB or DeviceD is smaller
than 2, the IBGP connection cannot be established.
● The GTSM must be enabled on both ends of the BGP connection at the same time.

Step 9 Check the configuration.

# Run the display gtsm statistics all command on DeviceB, and you can view the
statistics about the GTSM on DeviceB. If the default action that is performed on
the packets is "pass" and all the packets are valid, no packet is dropped.
<DeviceB> display gtsm statistics all
GTSM Statistics Table
----------------------------------------------------------------
SlotId Protocol Total Counters Drop Counters Pass Counters
----------------------------------------------------------------
0 BGP 17 0 17
0 BGPv6 0 0 0
0 OSPF 0 0 0
0 LDP 0 0 0
0 OSPFv3 0 0 0
0 RIP 0 0 0
1 BGP 0 0 0
1 BGPv6 0 0 0
1 OSPF 0 0 0
1 LDP 0 0 0
1 OSPFv3 0 0 0
1 RIP 0 0 0
2 BGP 0 0 0
2 BGPv6 0 0 0
2 OSPF 0 0 0
2 LDP 0 0 0
2 OSPFv3 0 0 0
2 RIP 0 0 0
3 BGP 0 0 0
3 BGPv6 0 0 0
3 OSPF 0 0 0
3 LDP 0 0 0
3 OSPFv3 0 0 0
3 RIP 0 0 0
4 BGP 32 0 32
4 BGPv6 0 0 0
4 OSPF 0 0 0
4 LDP 0 0 0
4 OSPFv3 0 0 0
4 RIP 0 0 0
5 BGP 0 0 0
5 BGPv6 0 0 0
5 OSPF 0 0 0
5 LDP 0 0 0
5 OSPFv3 0 0 0
5 RIP 0 0 0
7 BGP 0 0 0
7 BGPv6 0 0 0
7 OSPF 0 0 0
7 LDP 0 0 0
7 OSPFv3 0 0 0
7 RIP 0 0 0
----------------------------------------------------------------

If the host PC simulates BGP packets of DeviceA to attack DeviceB, the packets are
dropped because the TTL value is not 255 when the packets reach DeviceB. In the
GTSM statistics on DeviceB, the number of dropped packets also increases.

----End

Configuration Files
● Device A configuration file
#
sysname DeviceA
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
bgp 10
router-id 10.1.1.9
peer 10.1.1.2 as-number 20
peer 10.1.1.2 valid-ttl-hops 1
#
ipv4-family unicast
undo synchronization
peer 10.1.1.2 enable
#
return

● Device B configuration file
#
sysname DeviceB
#
interface GigabitEthernet1/0/0
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.2.1.1 255.255.255.0
#
interface LoopBack0
ip address 10.2.2.9 255.255.255.255
#
bgp 20
router-id 10.2.2.9
peer 10.3.3.9 as-number 20
peer 10.3.3.9 valid-ttl-hops 1
peer 10.3.3.9 connect-interface LoopBack0
peer 10.4.4.9 as-number 20
peer 10.4.4.9 valid-ttl-hops 2
peer 10.4.4.9 connect-interface LoopBack0
peer 10.1.1.1 as-number 10
peer 10.1.1.1 valid-ttl-hops 1
#
ipv4-family unicast
undo synchronization
import-route ospf 1
peer 10.3.3.9 enable
peer 10.3.3.9 next-hop-local
peer 10.4.4.9 enable
peer 10.4.4.9 next-hop-local
peer 10.1.1.1 enable
#
ospf 1
area 0.0.0.0
network 10.2.1.0 0.0.0.255
network 10.2.2.9 0.0.0.0
#
return
● Device C configuration file
#
sysname DeviceC
#
interface GigabitEthernet1/0/0
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.2.2.1 255.255.255.0
#
interface LoopBack0
ip address 10.3.3.9 255.255.255.255
#
bgp 20
router-id 10.3.3.9
peer 10.2.2.9 as-number 20
peer 10.2.2.9 valid-ttl-hops 1
peer 10.2.2.9 connect-interface LoopBack0
peer 10.4.4.9 as-number 20
peer 10.4.4.9 valid-ttl-hops 1
peer 10.4.4.9 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 10.2.2.9 enable
peer 10.4.4.9 enable
#
ospf 1
area 0.0.0.0
network 10.2.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
network 10.3.3.9 0.0.0.0
#
return
● Device D configuration file
#
sysname DeviceD
#
interface GigabitEthernet1/0/0
ip address 10.2.2.2 255.255.255.0
#
interface LoopBack0
ip address 10.4.4.9 255.255.255.255
#
bgp 20
router-id 10.4.4.9
peer 10.2.2.9 as-number 20
peer 10.2.2.9 valid-ttl-hops 2
peer 10.2.2.9 connect-interface LoopBack0
peer 10.3.3.9 as-number 20
peer 10.3.3.9 valid-ttl-hops 1
peer 10.3.3.9 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 10.2.2.9 enable
peer 10.3.3.9 enable
#
ospf 1
area 0.0.0.0
network 10.2.2.0 0.0.0.255
network 10.4.4.9 0.0.0.0
#
return

1.1.6.10.3 Example for Configuring LDP GTSM

This section provides an example for configuring LDP GTSM, which consists of
enabling MPLS and MPLS LDP on each router and each interface and configuring
LDP GTSM on both LDP peers.

Networking Requirements
As shown in Figure 1-14, LSRs run MPLS and MPLS LDP. An attacker can send
simulated unicast LDP packets to LSRB, causing LSRB to be busy processing
packets and resulting in high CPU usage. To defend against the attack, LSRB can
be configured with the GTSM to accept packets carrying the TTL values within a
specified range, improving system security.

Figure 1-14 Configuring LDP GTSM


NOTE

Interfaces 1 and 2 in this example represent GE 1/0/0 and GE 2/0/0, respectively.

Configuration Notes
None.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure basic MPLS and MPLS LDP functions.
2. Configure the GTSM at the two ends of the LDP peer.

Data Preparation
To complete the configuration, you need the following data:
● LSR ID of the LDP peer
● Maximum number of valid hops permitted by the GTSM

Procedure
Step 1 Configure IP addresses for interfaces. The configuration details are not mentioned
here.
Step 2 Configure OSPF to advertise the network segments connecting to interfaces on
each node and to advertise the routes of the hosts with LSR IDs. The configuration
details are not mentioned here.
Step 3 Configure MPLS and MPLS LDP on each interface and node. The configuration
details are not mentioned here.
After the preceding configurations, you can run the display mpls ldp session
command on each node. The command output shows that the LDP session is set
up. Take the command output on LSR A as an example.
<LSRA> display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
An asterisk (*) before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.9:0 Operational DU Passive 0000:00:02 9/9
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.

Step 4 Configure LDP GTSM.
# On LSR A, configure the range of valid TTL values carried in LDP packets
received from LSR B to be from 253 to 255.
<LSRA> system-view
[~LSRA] mpls ldp
[*LSRA-mpls-ldp] gtsm peer 2.2.2.9 valid-ttl-hops 3
[*LSRA-mpls-ldp] commit

# On LSR B, configure the range of valid TTL values carried in the LDP packets
received from LSR A to be from 252 to 255, and the range of valid TTL values
carried in LDP packets received from LSR C to be from 251 to 255.
<LSRB> system-view
[~LSRB] mpls ldp
[*LSRB-mpls-ldp] gtsm peer 1.1.1.9 valid-ttl-hops 4
[*LSRB-mpls-ldp] gtsm peer 3.3.3.9 valid-ttl-hops 5
[*LSRB-mpls-ldp] commit

# On LSR C, configure the range of valid TTL values carried in LDP packets
received from LSR B to be from 250 to 255.
<LSRC> system-view
[~LSRC] mpls ldp
[*LSRC-mpls-ldp] gtsm peer 2.2.2.9 valid-ttl-hops 6
[*LSRC-mpls-ldp] commit

Then, if the host PC simulates the LDP packets of LSR A to attack LSR B, LSR B
directly discards the packets because the TTL values carried in the LDP packets are
not within the range of 252 to 255. In the GTSM statistics on LSR B, the number of
discarded packets also increases.
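As an added illustration of the TTL check used in this LDP example and in the BGP GTSM example in 1.1.6.10.2 (example code, not NE9000 software): the per-peer valid-ttl-hops values of DeviceB and LSR B from the two examples are turned into accept ranges, constructed sample packets are checked against them, and per-protocol counters are kept in the style of display gtsm statistics all. The peer tables come from the examples; the packets and the default_action value are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAX_TTL = 255


def valid_ttl_range(valid_ttl_hops: int) -> Tuple[int, int]:
    """valid-ttl-hops N admits TTL values in [255 - N + 1, 255].

    N=1: directly connected peer, [255, 255]; N=2: one intermediate hop, [254, 255];
    N=4: the LSR B <- LSR A setting of this example, [252, 255].
    """
    if not 1 <= valid_ttl_hops <= MAX_TTL:
        raise ValueError("valid-ttl-hops must be in 1..255")
    return MAX_TTL - valid_ttl_hops + 1, MAX_TTL


@dataclass
class GtsmCounters:
    """One row of 'display gtsm statistics all' for a protocol."""
    total: int = 0
    drop: int = 0
    passed: int = 0


@dataclass
class GtsmPolicy:
    # (protocol, peer address) -> valid-ttl-hops, as set with
    # 'peer X valid-ttl-hops N' (BGP) or 'gtsm peer X valid-ttl-hops N' (LDP).
    peers: Dict[Tuple[str, str], int]
    # Action for protocol packets whose source has no GTSM entry (assumed default: pass).
    default_action: str = "pass"
    stats: Dict[str, GtsmCounters] = field(default_factory=dict)

    def check(self, protocol: str, src: str, ttl: int) -> str:
        """Return "pass" or "drop" for one received packet and update the counters."""
        counters = self.stats.setdefault(protocol, GtsmCounters())
        counters.total += 1
        hops = self.peers.get((protocol, src))
        if hops is None:
            verdict = self.default_action
        else:
            low, high = valid_ttl_range(hops)
            verdict = "pass" if low <= ttl <= high else "drop"
        if verdict == "pass":
            counters.passed += 1
        else:
            counters.drop += 1
        return verdict

    def evaluate(self, packets: List[Tuple[str, str, int]]) -> List[str]:
        return [self.check(proto, src, ttl) for proto, src, ttl in packets]


def device_b_policy() -> GtsmPolicy:
    """DeviceB from the BGP example: DeviceA and DeviceC direct (1), DeviceD via DeviceC (2)."""
    return GtsmPolicy(peers={("BGP", "10.1.1.1"): 1,
                             ("BGP", "10.3.3.9"): 1,
                             ("BGP", "10.4.4.9"): 2})


def lsrb_policy() -> GtsmPolicy:
    """LSR B from the LDP example: 252..255 from LSR A, 251..255 from LSR C."""
    return GtsmPolicy(peers={("LDP", "1.1.1.9"): 4, ("LDP", "3.3.3.9"): 5})


# Constructed sample packets: (protocol, source address, TTL on arrival).
DEVICE_B_PACKETS = [
    ("BGP", "10.1.1.1", 255),  # genuine DeviceA, directly connected
    ("BGP", "10.3.3.9", 255),  # genuine DeviceC, directly connected
    ("BGP", "10.4.4.9", 254),  # genuine DeviceD, decremented once by DeviceC
    ("BGP", "10.1.1.1", 250),  # claims to be DeviceA but arrived from several hops away
    ("BGP", "10.4.4.9", 253),  # claims to be DeviceD but is one hop too far
    ("OSPF", "10.2.1.2", 1),   # no GTSM entry for OSPF on DeviceB -> default action
]
LSRB_PACKETS = [
    ("LDP", "1.1.1.9", 255),   # genuine LSR A
    ("LDP", "3.3.3.9", 252),   # LSR C, inside 251..255
    ("LDP", "1.1.1.9", 248),   # claims to be LSR A, TTL below 252 -> discarded
]


if __name__ == "__main__":
    for name, policy, packets in (("DeviceB", device_b_policy(), DEVICE_B_PACKETS),
                                  ("LSRB", lsrb_policy(), LSRB_PACKETS)):
        verdicts = policy.evaluate(packets)
        for (proto, src, ttl), verdict in zip(packets, verdicts):
            print(f"{name}: {proto} from {src} ttl={ttl} -> {verdict}")
        for proto, c in policy.stats.items():
            print(f"{name}: {proto} Total {c.total} Drop {c.drop} Pass {c.passed}")
```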

----End

Configuration Files
● LSR A configuration file
#
sysname LSRA
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
gtsm peer 2.2.2.9 valid-ttl-hops 3
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.3
#
return

● LSR B configuration file
#
sysname LSRB
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
gtsm peer 1.1.1.9 valid-ttl-hops 4
gtsm peer 3.3.3.9 valid-ttl-hops 5
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.2 255.255.255.252
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.3
network 10.2.1.0 0.0.0.3
#
return

● LSR C configuration file
#
sysname LSRC
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
gtsm peer 2.2.2.9 valid-ttl-hops 6
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.1.2 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.2.1.0 0.0.0.3
#
return

1.1.7 HIPS Configuration

1.1.7.1 Overview of HIPS

Definition
The Host-based Intrusion Prevention System (HIPS) monitors a device's system for
intrusions and infections. Unlike the Intrusion Prevention System (IPS) — which
analyzes and processes the traffic passing through a device to protect devices and
users on the internal network — HIPS protects the device's system.

Purpose
The security of network devices, which are important components of ICT
infrastructure, directly affects the security of the entire network. Network devices
are prone to hacker attacks and intrusions because they are usually deployed in
front of servers and terminals. After intruding into a network device, a hacker can
further penetrate the network through the device. To prevent this, HIPS is
introduced to monitor the device's operating system, as shown in Figure 1-15.
Once a suspected intrusion or infection event is detected, HIPS immediately sends
a log to prompt the administrator to isolate and protect the device, preventing
further intrusions and the compromise of other devices.

Figure 1-15 HIPS diagram

1.1.7.2 Feature Requirements for HIPS

1.1.7.3 Enabling HIPS

Context
After HIPS is enabled, the configuration and enabling status of each detection
module are determined by the HIPS policy file. The policy file content cannot be
modified on the device and all detection modules are enabled by default. You can
configure the policy file on the NMS, which then instructs the device to obtain and
apply the newly configured policy file.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run hips enable

The HIPS function is enabled.

Step 3 Run commit

The configurations are committed.

----End

Follow-up Procedure
Run the display hips state command in any view to check the status of each HIPS
detection module.

1.1.8 Keychain Configuration

This chapter describes the keychain fundamentals. It also provides keychain
configuration steps based on different parameters, along with a typical example.

1.1.8.1 Overview of Keychain

This section describes the keychain concept and the different features it supports.

1.1.8.1.1 Introduction to Keychain

Keychain provides an authentication function to all applications. The keychain
also provides dynamic change of authentication keys without any packet drops.

Applications exchange authenticated packets on networks for security reasons.
Authentication algorithms along with a shared secret key are used to determine
whether a message sent over an insecure channel has been tampered with. This
type of authentication requires that the sender and the receiver share the secret
key and the authentication algorithm used to authenticate the packet. Also, the
secret key should never be sent over the network.

If each application maintains its own set of authentication rules (authentication
algorithm and shared secret key), there are many instances in which the same set
of authentication parameters is used. This results in duplication of data and
reprocessing of the authentication information. Also, each application uses a
constant authentication key unless the network administrator changes the key
manually. Manually changing the authentication key is a cumbersome procedure,
and during the change of keys there can be packet drops, because it is very
difficult to change the keys instantaneously on all the routers.

Thus the system needs a mechanism to achieve centralization of all authentication
processing and dynamic change of authentication keys without much human
intervention. To achieve this functionality, the keychain module is used.

The NE9000 supports the following keychain features:

● Authentication for applications
An application that requires authentication support has to reference a keychain.
A keychain can have one or more key-ids. A key-id comprises an authentication
algorithm and a key string (secret shared key). Each key-id is associated with a
send lifetime and an accept lifetime, based on which it is send-active,
receive-active, or both at a given instant. A key-id that is send-active at one
end should be receive-active at the other end. The administrator has to configure
the key-ids under the keychain in such a way that both sides can communicate
without any packet loss.
● Receive Tolerance
When the send key-id on a router changes, the corresponding receive key-id on
the peer router should change instantaneously. Because the clocks of the two
routers are not synchronized, there can be a time lag between the changes of the
key-ids on the two routers. During this period, there can be packet drops because
of inconsistent use of key-ids. To prevent this and to allow a smooth transition
from one key-id to another, a grace period is allowed during which both keys are
used. This grace period is termed the receive tolerance period, and it applies only
to the receive keys. The receive time period is extended by a period equal to the
receive tolerance at both the start time and the end time of a receive key.
● Default send-key-id
When the administrator does not configure a key-id for some interval of time,
there may be no active send key-id. During that period, the application is not
able to have authenticated communication. To avoid this situation, there should
be a default send key-id that is always active. Any key-id in a keychain can be
marked as the default send key-id, and there can be only one default send key-id
in a keychain. When any send key-id becomes active, the application uses the
newly active send key-id instead of the default send key-id. Similarly, when the
active send key-id becomes inactive and there is no other active send key-id, the
application uses the default send key-id.
● TCP-kind and TCP algorithm-id configuration
TCP-based applications can communicate with nodes of other vendors by using an
authenticated TCP connection. For authenticated communication, TCP uses the
TCP Enhanced Authentication Option. Currently, different vendors use different
kind values to represent the TCP Enhanced Authentication Option type. To
communicate with other vendors, the kind value must therefore be configurable,
so that it can be changed based on the vendor of the connected peer. Similarly,
the TCP Enhanced Authentication Option has a field named algorithm-id, which
represents the authentication algorithm type. Because algorithm-ids are not
defined by IANA, different vendors currently use different algorithm-ids to
represent the same algorithm. To communicate with other vendors, the user has
to configure the TCP algorithm-id in the keychain for each algorithm, depending
on the peer node type.
NOTE

For security purposes, you are not advised to use the weak security algorithm in this
feature. To use the weak security algorithm, run the undo crypto weak-algorithm
disable command to enable the weak security algorithm.
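As an added illustration (not NE9000 code) of the send/accept lifetimes, receive tolerance and default send key-id described in the feature list above: a constructed absolute-mode keychain with three key-ids, and a check of whether a packet sent with the sender's active key-id is accepted by a peer whose clock lags behind. All key-ids, lifetimes and key strings are constructed assumptions; times are minutes since midnight.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Lifetime = Tuple[int, int]  # (start, end) in minutes since midnight; end is exclusive


@dataclass(frozen=True)
class KeyId:
    key_id: int                                  # unique within the keychain, 0..63
    algorithm: str                               # e.g. "hmac-sha-256"
    key_string: Optional[str]                    # None: key-id stays inactive (no key-string)
    send_lifetime: Optional[Lifetime] = None     # None: never send-active on its own
    accept_lifetime: Optional[Lifetime] = None   # None: never receive-active


@dataclass
class Keychain:
    name: str
    keys: List[KeyId]
    receive_tolerance: Optional[int] = 0   # minutes; None models the 'infinite' keyword
    default_send_key_id: Optional[int] = None

    @staticmethod
    def _usable(k: KeyId) -> bool:
        # A key-id without a key-string is inactive for both sending and receiving.
        return k.key_string is not None

    def send_key(self, now: int) -> Optional[KeyId]:
        """Key-id used to send at 'now': the send-active key-id, else the default send key-id."""
        for k in self.keys:
            if self._usable(k) and k.send_lifetime and k.send_lifetime[0] <= now < k.send_lifetime[1]:
                return k
        for k in self.keys:
            if self._usable(k) and k.key_id == self.default_send_key_id:
                return k
        return None

    def receive_keys(self, now: int) -> List[KeyId]:
        """Key-ids receive-active at 'now'. The accept lifetime is widened by the
        receive tolerance at both its start and its end."""
        active = []
        for k in self.keys:
            if not (self._usable(k) and k.accept_lifetime):
                continue
            if self.receive_tolerance is None:          # infinite: receive key always valid
                active.append(k)
                continue
            start, end = k.accept_lifetime
            if start - self.receive_tolerance <= now < end + self.receive_tolerance:
                active.append(k)
        return active


def authenticated_exchange(sender: Keychain, receiver: Keychain,
                           sender_now: int, receiver_now: int) -> bool:
    """True if a packet authenticated with the sender's current send key-id is accepted
    by the receiver, i.e. the same key-id (algorithm and key-string) is receive-active there."""
    k = sender.send_key(sender_now)
    if k is None:
        return False
    return any(r.key_id == k.key_id and r.algorithm == k.algorithm
               and r.key_string == k.key_string for r in receiver.receive_keys(receiver_now))


def build_keychain(receive_tolerance: Optional[int]) -> Keychain:
    """Constructed keychain: key-id 0 is the default send key-id and is accepted all day;
    key-id 1 is live 10:00-11:00 and key-id 2 is live 11:00-12:00 (both directions)."""
    return Keychain(
        name="kc-example",
        keys=[
            KeyId(0, "hmac-sha-256", "default-key", None, (0, 24 * 60)),
            KeyId(1, "hmac-sha-256", "key-one", (600, 660), (600, 660)),
            KeyId(2, "hmac-sha-256", "key-two", (660, 720), (660, 720)),
        ],
        receive_tolerance=receive_tolerance,
        default_send_key_id=0,
    )


if __name__ == "__main__":
    # Sender has rolled over to key-id 2 at 11:02; the receiver's clock still reads 10:57.
    for tol in (0, 5, None):
        ok = authenticated_exchange(build_keychain(tol), build_keychain(tol), 662, 657)
        print(f"receive-tolerance={tol!r}: packet accepted = {ok}")
    print("send key at 13:20 with no live key-id:", build_keychain(0).send_key(800).key_id)
```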

High Availability in Keychain

The keychain module backs up the entire keychain configuration to the slave board
to ensure that the keychain module keeps working after a switchover to the slave
board. Backup is done at the same time as the configuration (from the CLI). When
the keychain module on the slave board is consistent with the keychain module
on the master board, any switchover from the master board to the slave board is
smooth in terms of keychain functionality. This is achieved through CLI backup. At
any point in time, the keychain configuration on the master and slave boards is
synchronous, so no extra processing is required for a switchover.

1.1.8.2 Feature Requirements for Keychain

1.1.8.3 Configuring Basic Keychain Functions

This section describes how to configure basic Keychain functions.

Usage Scenario
Keychain is used to provide authentication support to applications. A keychain
can have one or more key-ids. A key-id comprises an authentication algorithm and
a key-string (secret shared key). Each key-id is associated with a send lifetime and
an accept lifetime. Based on these lifetimes, a key-id is send-active, receive-active,
or both. When the key-id is send-active or receive-active, it is used for
authenticated communication: a send-active key-id is used to send authenticated
packets, and on the receiver side that key-id must be receive-active to process the
authenticated packets. The administrator has to configure the key-ids under the
keychain in such a way that both sides can communicate without any packet loss.

Pre-configuration Tasks
Before configuring the keychain on the peer routers, configure the Network Time
Protocol (NTP) so that the time is consistent on the two routers.

1.1.8.3.1 Creating a Keychain

Procedure
Step 1 Run system-view

The system view is entered.

Step 2 Run keychain keychain-name mode { absolute | periodic { daily | weekly |
monthly | yearly } }

The keychain is created and the keychain view is entered.

NOTE

When creating a keychain, the timing mode is mandatory. Once a keychain has been
created, the timing mode need not be specified to enter the keychain view.

Step 3 Run commit

The configurations are committed.

----End

1.1.8.3.2 (Optional) Configuring Receive Tolerance of a Keychain

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run keychain keychain-name

The keychain view is displayed.

Step 3 Run receive-tolerance { value | infinite | seconds secvalue }

The receive tolerance period for the keychain is configured.

NOTE

Receive tolerance can be configured in the following two ways:
● Specifying a particular receive tolerance value in minutes or in seconds, up to a
maximum of 10 days (14400 minutes or 864000 seconds).
● Specifying an infinite receive tolerance using the infinite keyword, so that the receive
key is always valid.

Step 4 Run commit

The configurations are committed.

----End

1.1.8.3.3 Creating a Key-id in a Keychain

Procedure
Step 1 Run system-view
The system view is entered.
Step 2 Run keychain keychain-name
The keychain view is entered.
Step 3 Run key-id key-id
Key-id is created and key-id view is entered.

NOTE

To configure a key-id in a keychain, a unique id within the keychain is required. This id should be an integer and the value ranges from 0 to 63.

Step 4 Run commit

The configurations are committed.

----End

1.1.8.3.4 Configuring Key-string of a Key-id

Procedure
Step 1 Run system-view
The system view is entered.
Step 2 Run keychain keychain-name
The keychain view is entered.
Step 3 Run key-id key-id
Key-id is created and key-id view is entered.
Step 4 Run key-string { plain plain-text | [ cipher ] plain-cipher-text }

The key-string for the key-id is configured.

Key-string is the authentication string used while sending and receiving the
packets.

NOTE

For security purposes, you are advised to configure a password in ciphertext mode. To
further improve device security, periodically change the password.
Key-id will be inactive if the key-string is not configured.

Step 5 Run commit

The configurations are committed.

----End

1.1.8.3.5 Configuring Authentication Algorithm of a Key-id

Procedure
Step 1 Run system-view

The system view is entered.

Step 2 Run keychain keychain-name mode { absolute | periodic { daily | weekly | monthly | yearly } }

The keychain view is entered.

Step 3 Run key-id key-id

Key-id is created and key-id view is entered.

Step 4 Run algorithm { md5 | sha-1 | hmac-md5 | hmac-sha1-12 | hmac-sha1-20 | hmac-sha-256 | sha-256 | sm3 | aes-128-cmac | hmac-sha-384 | hmac-sha-512 }

The authentication algorithm for the key-id is configured.

NOTE

The aes-128-cmac algorithm is used only when the key of the keychain is bound to TCP-AO
authentication. Keychain authentication cannot use the aes-128-cmac algorithm.
Key-id will be inactive if the authentication algorithm is not configured.
To ensure high security, do not use the MD5 or SHA-1 algorithm.

Step 5 (Optional) Run quit

Return to the Keychain view.

Step 6 (Optional) Run digest-length { hmac-sha-256 | sha-256 | hmac-sha1-20 } length

The digest length of the encryption algorithm is set.

NOTE

The HMAC-SHA1-20 algorithm uses a 20-byte digest for encryption and decryption by
default. You can run the digest-length hmac-sha1-20 16 command to allow for
interconnection with an earlier version. By default, the HMAC-SHA-256 and SHA-256
algorithms use a 32-byte digest for encryption and decryption. You can run the digest-
length hmac-sha-256 16 or digest-length sha-256 16 command to allow for
interconnection with an earlier version.

Step 7 Run commit

The configurations are committed.

----End
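
The digest-length interoperability note above is easy to get wrong in practice, because a digest that is merely longer than the peer expects still fails comparison. The following Python snippet is an added example, not Huawei code: it computes the keyed digest for the HMAC algorithms of the algorithm command over a constructed packet, applies the truncation that digest-length hmac-sha-256 16 expresses, and verifies it the way a receiver must, with a constant-time comparison. The packet bytes and the key-string are constructed sample values.

```python
"""Keyed digests as used by keychain key-ids, with the digest-length
truncation the guide describes for hmac-sha-256 and hmac-sha1-20.
Added example, not Huawei code; packet bytes and key are constructed."""
import hashlib
import hmac
from typing import Optional

# (hash function, default digest length in bytes) per algorithm name of the guide.
ALGORITHMS = {
    "hmac-sha-256": (hashlib.sha256, 32),
    "hmac-sha1-20": (hashlib.sha1, 20),
    "hmac-sha1-12": (hashlib.sha1, 12),   # HMAC-SHA1 truncated to 12 bytes
}


def compute_digest(algorithm: str, key_string: bytes, data: bytes,
                   digest_length: Optional[int] = None) -> bytes:
    """HMAC over the authenticated packet fields, left-truncated to
    digest_length (the "digest-length <alg> 16" setting) or to the default."""
    hash_fn, default_len = ALGORITHMS[algorithm]
    length = default_len if digest_length is None else digest_length
    if not 1 <= length <= default_len:
        raise ValueError(f"digest length must be 1..{default_len} for {algorithm}")
    return hmac.new(key_string, data, hash_fn).digest()[:length]


def verify_digest(algorithm: str, key_string: bytes, data: bytes,
                  received: bytes, digest_length: Optional[int] = None) -> bool:
    """Recompute with the local settings and compare in constant time.
    A peer that truncates differently fails here even with the right key."""
    expected = compute_digest(algorithm, key_string, data, digest_length)
    return hmac.compare_digest(expected, received)


# Constructed sample: a few header-like bytes plus a body, and the guide's example key-string.
KEY_STRING = b"YsHsjx_202206"
PACKET = b"\x83\x1b\x01\x00\x11\x01\x00\x00" + b"constructed hello body"


def interop_check() -> dict:
    """New-version sender (32-byte digest) against a peer that only handles a
    16-byte HMAC-SHA-256 digest, before and after digest-length hmac-sha-256 16."""
    full = compute_digest("hmac-sha-256", KEY_STRING, PACKET)
    short = compute_digest("hmac-sha-256", KEY_STRING, PACKET, 16)
    return {
        "full_len": len(full),
        "short_len": len(short),
        "short_is_prefix": full.startswith(short),
        # the 16-byte peer rejects the untruncated digest even though the key is right
        "mismatch_rejected": verify_digest("hmac-sha-256", KEY_STRING, PACKET, full, 16),
        "aligned_accepted": verify_digest("hmac-sha-256", KEY_STRING, PACKET, short, 16),
        "wrong_key_rejected": verify_digest("hmac-sha-256", b"other-key", PACKET, short, 16),
    }
```

Both ends must use the same digest length; the truncated value is a prefix of the full digest, so the receiver cannot accept "either" length without weakening the comparison, which is why the guide ties the setting to interconnection with an earlier version rather than leaving it loose.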

1.1.8.3.6 (Optional) Configuring a Key-id as the Default Send-key-id

Procedure
Step 1 Run system-view
The system view is entered.
Step 2 Run keychain keychain-name
The keychain view is entered.
Step 3 Run key-id key-id
Key-id is created and key-id view is entered.
Step 4 Run default send-key-id
The key-id is set as the default send-key-id.
Only one key-id in a keychain can be configured as the default send-key-id.
Step 5 Run commit
The configurations are committed.

----End

1.1.8.3.7 Configuring Send-time of a Key-id

Context
The time modes for sending key IDs vary according to keychain configuration
modes.

Procedure
● Absolute Timing Mode
a. Run system-view
The system view is entered.
b. Run keychain keychain-name mode absolute
The keychain is created in absolute timing mode and keychain view is entered.
c. Run time mode { utc | lmt }
The time mode for keychain is configured.
d. Run key-id key-id
The key-id is created and key-id view is entered.
e. Run send-time start-time start-date { duration { duration-value |
infinite } | { to end-time end-date } }
The send-time for the key-id is configured.
f. Run commit
The configurations are committed.
● Daily Periodic Timing Mode
a. Run system-view
The system view is entered.
b. Run keychain keychain-name mode periodic daily
The keychain is created in daily periodic timing mode and keychain view
is entered.
c. Run time mode { utc | lmt }
The time mode for keychain is configured.
d. Run key-id key-id
The key-id is created and key-id view is entered.
e. Run send-time daily start-time to end-time
The send-time for the key-id is configured.
f. Run commit
The configurations are committed.
● Weekly Periodic Timing Mode
a. Run system-view
The system view is entered.
b. Run keychain keychain-name mode periodic weekly
The keychain is created in weekly periodic timing mode and keychain
view is entered.
c. Run time mode { utc | lmt }
The time mode for keychain is configured.
d. Run key-id key-id
The key-id is created and key-id view is entered.
e. Run send-time day { start-day to end-day | start-day &<1-7> }
The send-time for the key-id is configured.
f. Run commit
The configurations are committed.
● Monthly Periodic Timing Mode
a. Run system-view
The system view is entered.
b. Run keychain keychain-name mode periodic monthly
The keychain is created in monthly periodic timing mode and keychain
view is entered.
c. Run time mode { utc | lmt }
The time mode for keychain is configured.
d. Run key-id key-id
The key-id is created and key-id view is entered.
e. Run send-time date { start-date to end-date | start-date &<1-31> }
The send-time for the key-id is configured.
f. Run commit
The configurations are committed.
● Yearly Periodic Timing Mode
a. Run system-view
The system view is entered.
b. Run keychain keychain-name mode periodic yearly
The keychain is created in yearly periodic timing mode and keychain view
is entered.
c. Run time mode { utc | lmt }
The time mode for keychain is configured.
d. Run key-id key-id
The key-id is created and key-id view is entered.
e. Run send-time month { start-month to end-month | start-month
&<1-12> }
The send-time for the key-id is configured.
Send-time for a key-id is configured according to the timing mode defined for the keychain. Only one send key-id in a keychain can be active at a time, so the send-times of different key-ids in a keychain must not overlap.
To reconfigure the send-time, first undo the send-time that is currently configured.
f. Run commit
The configurations are committed.
----End

1.1.8.3.8 Configuring Receive-time of a Key-id

Context
The time modes for receiving key IDs vary according to keychain configuration
modes.

Procedure
● Absolute Timing Mode
a. Run system-view
The system view is entered.
b. Run keychain keychain-name mode absolute
The keychain is created in absolute timing mode and keychain view is
entered.
c. Run time mode { utc | lmt }
The time mode for keychain is configured.
d. Run key-id key-id
The key-id is created and key-id view is entered.
e. Run receive-time start-time start-date { duration { duration-value |
infinite } | { to end-time end-date } }
The receive-time for the key-id is configured.
f. Run commit
The configurations are committed.
● Daily Periodic Timing Mode
a. Run system-view
The system view is entered.
b. Run keychain keychain-name mode periodic daily
The keychain is created in daily periodic timing mode and keychain view
is entered.
c. Run time mode { utc | lmt }
The time mode for keychain is configured.
d. Run key-id key-id
The key-id is created and key-id view is entered.
e. Run receive-time daily start-time to end-time
The receive-time for the key-id is configured.
f. Run commit
The configurations are committed.
● Weekly Periodic Timing Mode
a. Run system-view
The system view is entered.
b. Run keychain keychain-name mode periodic weekly
The keychain is created in weekly periodic timing mode and keychain view is entered.
c. Run time mode { utc | lmt }
The time mode for keychain is configured.
d. Run key-id key-id
The key-id is created and key-id view is entered.
e. Run receive-time day { start-day to end-day | start-day &<1-7> }
The receive-time for the key-id is configured.
f. Run commit
The configurations are committed.
● Monthly Periodic Timing Mode
a. Run system-view
The system view is entered.
b. Run keychain keychain-name mode periodic monthly
The keychain is created in monthly periodic timing mode and keychain view is entered.
c. Run time mode { utc | lmt }
The time mode for keychain is configured.
d. Run key-id key-id
The key-id is created and key-id view is entered.
e. Run receive-time date { start-date to end-date | start-date &<1-31> }
The receive-time for the key-id is configured.
f. Run commit
The configurations are committed.
● Yearly Periodic Timing Mode
a. Run system-view
The system view is entered.
b. Run keychain keychain-name mode periodic yearly
The keychain is created in yearly periodic timing mode and keychain view is entered.
c. Run time mode { utc | lmt }
The time mode for keychain is configured.
d. Run key-id key-id
The key-id is created and key-id view is entered.
e. Run receive-time month { start-month to end-month | start-month &<1-12> }
The receive-time for the key-id is configured.

Receive-time for a key-id is configured in accordance with the timing mode defined for the keychain.
To reconfigure the receive-time, first undo the receive-time that is currently configured.
f. Run commit

The configurations are committed.

----End

1.1.8.3.9 Verifying the Keychain Configuration

Prerequisites
The configurations of the keychain are complete.

Procedure
● Run the display keychain keychain-name command to view the current
configuration of a keychain.
● Run the display keychain keychain-name key-id key-id command to view the
current configuration of a key-id inside a keychain.

----End

1.1.8.4 Configuring TCP Authentication Parameters

This section describes how to configure TCP authentication parameters.

Usage Scenario
A keychain provides authentication support to all the applications that use it. Authenticated TCP communication is required between two peers, and TCP-based applications can communicate with other vendors' nodes over the authenticated TCP connection. For authenticated communication, TCP uses the TCP Enhanced Authentication Option. Currently, different vendors use different kind values to represent the TCP Enhanced Authentication Option type, so the kind value must be configurable according to the vendor of the connected peer. Similarly, the TCP Enhanced Authentication Option has a field named algorithm-id that represents the authentication algorithm type. As algorithm-ids are not defined by IANA, different vendors currently use different algorithm-ids to represent the same algorithm. To communicate with other vendors, the user has to configure the TCP algorithm-id in the keychain.

Pre-configuration Tasks
Before configuring the keychain feature on the peer routers supporting TCP,
configure the Network Time Protocol (NTP) so that the time is consistent on the
two routers.

1.1.8.4.1 Configuring TCP Kind of a Keychain

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run keychain keychain-name

The keychain view is entered.

Step 3 Run tcp-kind kind-value

The TCP kind value for the keychain is configured. The range of the kind-value can
be 28 to 255.

Step 4 Run commit

The configurations are committed.

----End

Follow-up Procedure
TCP uses TCP Enhanced Authentication Option for authenticated communication.
The kind value used to represent the TCP Enhanced Authentication Option type for
a keychain can be configured.

1.1.8.4.2 Configuring TCP Algorithm-id in a Keychain

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run keychain keychain-name

The keychain view is entered.

Step 3 Run tcp-algorithm-id { hmac-md5 | hmac-sha-256 | hmac-sha1-12 | hmac-sha1-20 | md5 | sha-1 | sha-256 | aes-128-cmac | sm3 | hmac-sha-384 | hmac-sha-512 } algorithm-id

The range of the algorithm-id can be 1 to 63.

To ensure high security, do not use the MD5 or SHA-1 algorithm.

Step 4 Run commit

The configurations are committed.

----End

Follow-up Procedure
The algorithm-id used to represent authentication algorithm type in TCP Enhanced
Authentication Option for a keychain can be configured.

1.1.8.4.3 Checking the Configuration

Prerequisites
The configurations of the keychain are complete.

Procedure
● Run the display keychain keychain-name command to view the current
configuration of a keychain.
● Run the display keychain keychain-name key-id key-id command to view the
current configuration of a key-id inside a keychain.
----End

1.1.8.5 Configuration Examples for Keychain


This section provides examples for configuring the keychain module.

1.1.8.5.1 Example for Configuring Keychain Authentication for Non-TCP Application

Networking Requirements
As shown in Figure 1-16, it is required to enable IS-IS and keychain authentication
on all interfaces of Device A and Device B. The routers interconnect with each
other using IS-IS.

Figure 1-16 Keychain


NOTE

Interface 1 in this example represents GE 1/0/0.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IS-IS basic functions.
2. Configure keychain basic functions.
3. Configure the application IS-IS on both Device A and Device B to use the keychain and set the key-id authentication algorithm to hmac-sha-256.

Data Preparation
To complete the configuration, you need the following data:

● keychain name
● key-id
● algorithm and key-string
● send and receive time
● receive tolerance

Procedure
Step 1 Configure Device A.

# Configure IS-IS basic functions. The configuration details are not mentioned
here.

# Configuring Keychain.
[~DeviceA] keychain huawei mode absolute
[*DeviceA-keychain-huawei] receive-tolerance 100
[*DeviceA-keychain-huawei] key-id 1
[*DeviceA-keychain-huawei-keyid-1] algorithm hmac-sha-256
[*DeviceA-keychain-huawei-keyid-1] key-string cipher YsHsjx_202206
[*DeviceA-keychain-huawei-keyid-1] send-time 14:40 2017-10-10 to 14:50 2017-10-10
[*DeviceA-keychain-huawei-keyid-1] receive-time 14:30 2017-10-10 to 14:50 2017-10-10
[*DeviceA-keychain-huawei-keyid-1] default send-key-id
[*DeviceA-keychain-huawei-keyid-1] commit
[~DeviceA-keychain-huawei-keyid-1] quit
[~DeviceA-keychain-huawei] quit

# Configuring Keychain Authentication for IS-IS.


[~DeviceA] interface gigabitethernet 1/0/0
[*DeviceA-GigabitEthernet1/0/0] ip address 192.168.1.1 24
[*DeviceA-GigabitEthernet1/0/0] isis authentication-mode keychain huawei
[*DeviceA-GigabitEthernet1/0/0] commit
[~DeviceA-GigabitEthernet1/0/0] quit

Step 2 Configure Device B.

# Configure IS-IS basic functions. The configuration details are not mentioned
here.

# Configuring Keychain.
[~DeviceB] keychain huawei mode absolute
[*DeviceB-keychain-huawei] receive-tolerance 100
[*DeviceB-keychain-huawei] key-id 1
[*DeviceB-keychain-huawei-keyid-1] algorithm hmac-sha-256
[*DeviceB-keychain-huawei-keyid-1] key-string cipher YsHsjx_202206
[*DeviceB-keychain-huawei-keyid-1] send-time 14:40 2017-10-10 to 14:50 2017-10-10
[*DeviceB-keychain-huawei-keyid-1] receive-time 14:30 2017-10-10 to 14:50 2017-10-10
[*DeviceB-keychain-huawei-keyid-1] default send-key-id
[*DeviceB-keychain-huawei-keyid-1] commit
[~DeviceB-keychain-huawei-keyid-1] quit
[~DeviceB-keychain-huawei] quit

# Configuring Keychain Authentication for IS-IS.


[~DeviceB] interface gigabitethernet 1/0/0
[~DeviceB-GigabitEthernet1/0/0] ip address 192.168.1.2 24
[*DeviceB-GigabitEthernet1/0/0] isis authentication-mode keychain huawei
[*DeviceB-GigabitEthernet1/0/0] commit
[~DeviceB-GigabitEthernet1/0/0] quit

----End

Configuration File
● Device A configuration file
#
sysname DeviceA
#
keychain huawei mode absolute
receive-tolerance 100
key-id 1
algorithm hmac-sha-256
key-string cipher @%@%b{br9\zi%X+/Y@:Y>Lw(L\v#@%@%
send-time 14:40 2017-10-10 to 14:50 2017-10-10
receive-time 14:30 2017-10-10 to 14:50 2017-10-10
default send-key-id
#
interface gigabitethernet1/0/0
ip address 192.168.1.1 24
isis authentication-mode keychain huawei
#
return

● Device B configuration file
#
sysname DeviceB
#
keychain huawei mode absolute
receive-tolerance 100
key-id 1
algorithm hmac-sha-256
key-string cipher @%@%VBNCG\zi%X+/Y@:YMHKJES/@%@%
send-time 14:40 2017-10-10 to 14:50 2017-10-10
receive-time 14:30 2017-10-10 to 14:50 2017-10-10
default send-key-id
#
interface Gigabitethernet1/0/0
ip address 192.168.1.2 24
isis authentication-mode keychain huawei
#
return

1.1.8.5.2 Example for Configuring Keychain Authentication for TCP Application

Networking Requirements
As shown in Figure 1-17, it is required to enable BGP and keychain authentication
on all interfaces of DeviceA and DeviceB. The routers interconnect with each other
using BGP.

Figure 1-17 Keychain


NOTE

Interface 1 in this example represents GE 1/0/0.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure keychain basic functions.
2. Configure the application BGP on both the routers to use keychain.

Data Preparation
To complete the configuration, you need the following data:
● keychain name
● key-id
● algorithm and key-string
● send and receive time
● receive tolerance
● tcp-kind value and tcp-algorithm-id of SHA-256 authentication algorithm.

Procedure
Step 1 Configure DeviceA.

# Configuring Keychain.
[~DeviceA] keychain huawei mode absolute
[*DeviceA-keychain-huawei] tcp-kind 182
[*DeviceA-keychain-huawei] tcp-algorithm-id sha-256 17
[*DeviceA-keychain-huawei] receive-tolerance 100
[*DeviceA-keychain-huawei] key-id 1
[*DeviceA-keychain-huawei-keyid-1] algorithm sha-256
[*DeviceA-keychain-huawei-keyid-1] key-string cipher YsHsjx_202206
[*DeviceA-keychain-huawei-keyid-1] send-time 14:40 2017-10-10 to 14:50 2017-10-10
[*DeviceA-keychain-huawei-keyid-1] receive-time 14:30 2017-10-10 to 14:50 2017-10-10
[*DeviceA-keychain-huawei-keyid-1] default send-key-id
[*DeviceA-keychain-huawei-keyid-1] commit
[~DeviceA-keychain-huawei-keyid-1] quit
[*DeviceA-keychain-huawei] key-id 2
[*DeviceA-keychain-huawei-keyid-2] algorithm sha-256
[*DeviceA-keychain-huawei-keyid-2] key-string cipher YsHsjx_202207
[*DeviceA-keychain-huawei-keyid-2] send-time 08:30 2017-10-10 to 13:30 2017-10-10
[*DeviceA-keychain-huawei-keyid-2] receive-time 09:30 2017-10-10 to 14:30 2017-10-10
[*DeviceA-keychain-huawei-keyid-2] commit
[~DeviceA-keychain-huawei-keyid-2] quit
[~DeviceA-keychain-huawei] quit

# Configuring Keychain Authentication.
[~DeviceA] interface gigabitethernet 1/0/0
[~DeviceA-GigabitEthernet1/0/0] ip address 192.168.1.1 24
[*DeviceA-GigabitEthernet1/0/0] quit
[*DeviceA] bgp 1
[*DeviceA-bgp] router-id 1.1.1.1
[*DeviceA-bgp] peer 192.168.1.2 as-number 1
[*DeviceA-bgp] peer 192.168.1.2 keychain huawei
[*DeviceA-bgp] commit
[~DeviceA-bgp] quit

Step 2 Configure DeviceB.

# Configuring Keychain.
[~DeviceB] keychain huawei mode absolute
[*DeviceB-keychain-huawei] tcp-kind 182
[*DeviceB-keychain-huawei] tcp-algorithm-id sha-256 17
[*DeviceB-keychain-huawei] receive-tolerance 100
[*DeviceB-keychain-huawei] key-id 1
[*DeviceB-keychain-huawei-keyid-1] algorithm sha-256
[*DeviceB-keychain-huawei-keyid-1] key-string cipher YsHsjx_202206
[*DeviceB-keychain-huawei-keyid-1] send-time 14:40 2017-10-10 to 14:50 2017-10-10
[*DeviceB-keychain-huawei-keyid-1] receive-time 14:30 2017-10-10 to 14:50 2017-10-10
[*DeviceB-keychain-huawei-keyid-1] default send-key-id
[*DeviceB-keychain-huawei-keyid-1] commit
[~DeviceB-keychain-huawei-keyid-1] quit
[*DeviceB-keychain-huawei] key-id 2
[*DeviceB-keychain-huawei-keyid-2] algorithm sha-256
[*DeviceB-keychain-huawei-keyid-2] key-string cipher YsHsjx_202207
[*DeviceB-keychain-huawei-keyid-2] send-time 09:30 2017-10-10 to 14:30 2017-10-10
[*DeviceB-keychain-huawei-keyid-2] receive-time 08:30 2017-10-10 to 13:30 2017-10-10
[*DeviceB-keychain-huawei-keyid-2] commit
[~DeviceB-keychain-huawei-keyid-2] quit
[~DeviceB-keychain-huawei] quit

# Configuring Keychain Authentication.
[~DeviceB] interface gigabitethernet 1/0/0
[~DeviceB-GigabitEthernet1/0/0] ip address 192.168.1.2 24
[*DeviceB-GigabitEthernet1/0/0] quit
[*DeviceB] bgp 1
[*DeviceB-bgp] router-id 2.2.2.2
[*DeviceB-bgp] peer 192.168.1.1 as-number 1
[*DeviceB-bgp] peer 192.168.1.1 keychain huawei
[*DeviceB-bgp] commit
[~DeviceB-bgp] quit

----End

Configuration File
● Device A configuration file
#
sysname DeviceA
#
keychain huawei mode absolute
tcp-kind 182
tcp-algorithm-id sha-256 17
receive-tolerance 100
#
key-id 1
algorithm sha-256
key-string cipher @%@%Hb'c;\@iU'@X,k6.E\Z,*.S#@%@%
send-time 14:40 2017-10-10 to 14:50 2017-10-10
receive-time 14:30 2017-10-10 to 14:50 2017-10-10
default send-key-id
#
key-id 2
algorithm sha-256
key-string cipher %^%#[aqxE3`@U8L*%n."1(<$,]k_QrVTf1X;K+;My)k;%^%#
send-time 08:30 2017-10-10 to 13:30 2017-10-10
receive-time 09:30 2017-10-10 to 14:30 2017-10-10
#
interface gigabitethernet1/0/0
ip address 192.168.1.1 24
#
bgp 1
router-id 1.1.1.1
peer 192.168.1.2 as-number 1
peer 192.168.1.2 keychain huawei
#
return

● Device B configuration file
#
sysname DeviceB
#
keychain huawei mode absolute
tcp-kind 182
tcp-algorithm-id sha-256 17
receive-tolerance 100
#
key-id 1
algorithm sha-256
key-string cipher @%@%;TYJ;\@iU'SGHRH.C\V,*.A#@%@%
send-time 14:40 2017-10-10 to 14:50 2017-10-10
receive-time 14:30 2017-10-10 to 14:50 2017-10-10
default send-key-id
#
key-id 2
algorithm sha-256
key-string cipher %^%#X=O%EC@ta4QKkn"ur~Y::h@#'6737A4eq<W^~qn+%^%#
send-time 09:30 2017-10-10 to 14:30 2017-10-10
receive-time 08:30 2017-10-10 to 13:30 2017-10-10
#
interface gigabitethernet1/0/0
ip address 192.168.1.2 24
#
bgp 1
router-id 2.2.2.2
peer 192.168.1.1 as-number 1
peer 192.168.1.1 keychain huawei
#
return

1.1.9 TCP-AO Configuration

1.1.9.1 Overview of TCP-AO


When TCP is used as the transport layer protocol for an application, such as the
BGP, MSDP, or LDP application, a TCP connection must be created before a session
can be established between two ends.

The TCP Authentication Option (TCP-AO) is an authentication option carried in TCP packets. TCP-AO provides flexible authentication and key string management for TCP connections, safeguarding the applications that use TCP.

NOTE

For security purposes, you are advised not to use weak security algorithms in this feature. If
you need to use such an algorithm, run the undo crypto weak-algorithm disable
command to enable the weak security algorithm function first.

1.1.9.2 Feature Requirements for TCP-AO

1.1.9.3 Configuring a Keychain

Context
To implement TCP-AO on a device, a TCP-AO needs to be associated with the authentication algorithm, authentication key string, and lifetime of a key in a keychain. Therefore, before configuring a TCP-AO, you need to configure a keychain and a key for the keychain.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the keychain keychain-name mode { absolute | periodic { daily | weekly |
monthly | yearly } } command to create a keychain and enter its view.
NOTE

When creating a keychain, a time mode must be specified. However, if the desired keychain
has been created, you can directly run the keychain keychain-name command to enter the
keychain view, without specifying a time mode.

Step 3 Run the receive-tolerance { value | infinite } command to set a tolerance time for
the keychain.
NOTE

By default, the tolerance time is 0, indicating no tolerance.


You are advised to set the tolerance time to prevent packet loss caused by clock jitters. The
recommended setting is 5 minutes.

Step 4 (Optional) Run the time mode { lmt | utc } command to set a time mode for the
keychain. The default time format of a keychain is LMT.

Step 5 Run the key-id key-id command to create a key and enter the key ID view.

Step 6 Run the algorithm { md5 | sha-1 | hmac-md5 | hmac-sha1-12 | hmac-sha1-20 | hmac-sha-256 | sha-256 | sm3 | aes-128-cmac } command to configure an authentication algorithm for the key.
NOTE

For security purposes, you are not advised to specify md5 or sha-1.

Step 7 Run the key-string { plain-cipher-text | plain plain-text | cipher plain-cipher-text } command to configure an authentication key string (a character string used for encryption) for the key.
NOTE

For security purposes, you are advised to use the cipher mode. In this mode, the configured
key is displayed in ciphertext in the configuration file.

Step 8 Run any of the following commands to configure a lifetime for the key:

Table 1-15 Configuring a lifetime for the key

Time Mode of the Keychain: Command for Configuring a Lifetime for a Key
● Absolute time mode (absolute): send-time start-time start-date { duration { duration-value | infinite } | { to end-time end-date } }
● Periodic mode, daily (periodic daily): send-time daily start-time to end-time
● Periodic mode, weekly (periodic weekly): send-time day { start-day to end-day | start-day &<1-7> }
● Periodic mode, monthly (periodic monthly): send-time date { start-date to end-date | start-date &<1-31> }
● Periodic mode, yearly (periodic yearly): send-time month { start-month to end-month | start-month &<1-12> }

Step 9 Run the commit command to commit the configuration.

----End

1.1.9.4 Configuring a TCP-AO and Binding It to a Keychain

Prerequisites
A keychain has been configured.

Context
To implement TCP-AO on a device, a TCP-AO needs to be associated with the
authentication algorithm, authentication key string, and lifetime of a key in a
keychain. Therefore, during TCP-AO configuration, you need to bind the TCP-AO to
an existing keychain.

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the tcp ao tcpaoname command to create a TCP-AO and enter the TCP-AO
Policy view.
Step 3 Run the binding keychain kcName command to bind the TCP-AO to an existing
keychain.
NOTE

After being bound to a keychain, a TCP-AO can be associated with the authentication
algorithm, authentication key string, and lifetime of a key in the keychain.
Multiple TCP-AOs can be bound to the same keychain to reduce the configuration workload
and implement centralized management of multiple TCP-AO keys.

Step 4 (Optional) Run the accept-mismatch enable command to configure the local end
to permit received TCP connection setup request packets that do not carry the
TCP-AO option.
Step 5 Run the key-id KeyId command to create a key ID for the TCP-AO and enter the
TCP-AO key ID view.

NOTE

The key ID specified in this step must be the same as a key ID configured in the bound
keychain. Otherwise, the authentication algorithm, authentication key string, and lifetime
of the keychain fail to be associated with the TCP-AO.

Step 6 Run the send-id sndId receive-id rcvId command to configure the send-id and
receive-id for the key ID.
NOTE

send-id and receive-id determine the KeyID (SendKeyID) and RNextKeyID (ReceiveKeyID)
of a TCP-AO to be carried in a TCP packet header. Their combination represents the
currently active key.
For example, Key1 (SendKeyID=1, ReceiveKeyID=2) indicates that the local end uses the
authentication algorithm and key in Key1 for encryption. The peer end selects the
authentication algorithm and key in Key1 (SendKeyID=2, ReceiveKeyID=1) based on
ReceiveKeyID=2 in the received packet to decrypt the packet.

Step 7 (Optional) Run the option-authentication disable command to disable the options in TCP packet headers from participating in the MAC calculation for a TCP-AO.
NOTE

A TCP packet header can contain multiple optional options. TCP-AO (Kind=29) is a type of
option.
You can run this command to include or exclude TCP packet headers' options during the
MAC calculation for a TCP-AO.
Note: The TCP-AO option is excluded during the MAC calculation for a TCP-AO even if the
function to include the options in TCP packet headers is enabled.

Step 8 Run the commit command to commit the configuration.

----End
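
The send-id/receive-id rule in Step 6, the accept-mismatch option in Step 4 and the option coverage of Step 7 together decide whether the peer accepts a segment. The following Python model is an added example, not Huawei code and not an RFC 5925 implementation: it carries the local key's send-id as KeyID and its receive-id as RNextKeyID, selects the peer's key by matching KeyID against the peer's receive-id, checks that the peer's send-id matches RNextKeyID, and verifies an HMAC-SHA-256 MAC whose coverage follows the guide's description (other TCP options only while option authentication is enabled, never the TCP-AO option itself). The header bytes, the MSS option and the payload are constructed, and the key-string reuses the guide's example value.

```python
"""Model of TCP-AO key selection by send-id / receive-id and of the peer's
verification decision, following the behaviour this guide describes for key-id,
send-id/receive-id, accept-mismatch and option-authentication. Added example,
not Huawei code and not RFC 5925 (no traffic-key derivation, no sequence
numbers); every byte string below is constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class TcpAoKey:
    key_id: int          # must equal a key-id of the bound keychain
    send_id: int         # KeyID (SendKeyID) written into segments we send
    receive_id: int      # RNextKeyID (ReceiveKeyID) written into segments we send
    key_string: bytes    # the key-string of that keychain key-id

@dataclass
class Segment:
    header: bytes                       # fixed TCP header fields (constructed)
    options: List[Tuple[int, bytes]]    # other TCP options as (kind, data)
    payload: bytes
    ao_key_id: Optional[int] = None     # KeyID field of the TCP-AO option
    ao_rnext_id: Optional[int] = None   # RNextKeyID field of the TCP-AO option
    ao_mac: bytes = b""

def mac_input(seg: Segment, include_options: bool) -> bytes:
    """Bytes covered by the MAC: other options only with option authentication on;
    the TCP-AO option itself is never covered (as the guide's note states)."""
    data = seg.header
    if include_options:
        for kind, body in seg.options:
            data += bytes([kind, 2 + len(body)]) + body
    return data + seg.payload

def mac(key_string: bytes, data: bytes) -> bytes:
    """hmac-sha-256, the keychain algorithm assumed for this key-id."""
    return hmac.new(key_string, data, hashlib.sha256).digest()

@dataclass
class Endpoint:
    name: str
    keys: List[TcpAoKey]
    accept_mismatch: bool = False   # "accept-mismatch enable": permit segments without TCP-AO
    option_auth: bool = True        # False models "option-authentication disable"

    def send(self, seg: Segment, key_id: int) -> Segment:
        key = next(k for k in self.keys if k.key_id == key_id)
        seg.ao_key_id, seg.ao_rnext_id = key.send_id, key.receive_id
        seg.ao_mac = mac(key.key_string, mac_input(seg, self.option_auth))
        return seg

    def receive(self, seg: Segment) -> Tuple[bool, str]:
        if seg.ao_key_id is None:
            if self.accept_mismatch:
                return True, "accepted without TCP-AO (accept-mismatch enable)"
            return False, "rejected: no TCP-AO option"
        # Peer's SendKeyID must be our receive-id and its ReceiveKeyID our send-id.
        key = next((k for k in self.keys if k.receive_id == seg.ao_key_id), None)
        if key is None:
            return False, f"rejected: no key with receive-id {seg.ao_key_id}"
        if key.send_id != seg.ao_rnext_id:
            return False, "rejected: peer's ReceiveKeyID does not match our send-id"
        expected = mac(key.key_string, mac_input(seg, self.option_auth))
        if not hmac.compare_digest(expected, seg.ao_mac):
            return False, "rejected: MAC mismatch (key-string or option coverage differs)"
        return True, f"authenticated with key-id {key.key_id}"

KEY = b"YsHsjx_202206"     # the guide's example key-string, used as a constructed secret

def new_segment() -> Segment:
    """A constructed SYN-like segment carrying an MSS option and a small payload."""
    return Segment(header=b"\x00\xb3\x00\xb3" + b"\x00" * 12,
                   options=[(2, b"\x05\xb4")], payload=b"OPEN")

def scenarios() -> dict:
    """DeviceA Key1 (SendKeyID=1, ReceiveKeyID=2) against DeviceB Key1 (SendKeyID=2,
    ReceiveKeyID=1) as in the guide's note, plus the misconfigurations it warns of."""
    a = Endpoint("DeviceA", [TcpAoKey(1, 1, 2, KEY)])
    b = Endpoint("DeviceB", [TcpAoKey(1, 2, 1, KEY)])
    b_copied_ids = Endpoint("DeviceB", [TcpAoKey(1, 1, 2, KEY)])       # ids not mirrored
    b_other_key = Endpoint("DeviceB", [TcpAoKey(1, 2, 1, b"different")])
    b_no_opt_auth = Endpoint("DeviceB", [TcpAoKey(1, 2, 1, KEY)], option_auth=False)
    b_lenient = Endpoint("DeviceB", [TcpAoKey(1, 2, 1, KEY)], accept_mismatch=True)
    tampered = a.send(new_segment(), 1)
    tampered.payload = b"OPEN?"                                          # modified in flight
    return {
        "matched": b.receive(a.send(new_segment(), 1)),
        "reply": a.receive(b.send(new_segment(), 1)),
        "ids_not_mirrored": b_copied_ids.receive(a.send(new_segment(), 1)),
        "wrong_key_string": b_other_key.receive(a.send(new_segment(), 1)),
        "option_coverage_differs": b_no_opt_auth.receive(a.send(new_segment(), 1)),
        "tampered": b.receive(tampered),
        "no_ao_strict": b.receive(new_segment()),
        "no_ao_accept_mismatch": b_lenient.receive(new_segment()),
    }
```

The scenarios() dictionary shows each precaution of the configuration example as a concrete failure: copying DeviceA's send-id/receive-id to DeviceB instead of mirroring them leaves DeviceB without a key whose receive-id matches the incoming KeyID, a different key-string or a different option-authentication setting produces a MAC mismatch, and only accept-mismatch enable lets a segment without the TCP-AO option through.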

1.1.9.5 Applying a TCP-AO

Prerequisites
A TCP-AO has been configured.

Context
TCP-AO implements two-way authentication during TCP connection setup.

When TCP is used as the transport layer protocol for an application, such as the
BGP, MSDP, or LDP application, a TCP connection must be created before a session
can be established between two ends.

TCP-AOs can be used in these applications to protect session security at the transport layer.

For details about how to apply a TCP-AO, see the reference configuration sections
listed in Table 1-16.

Table 1-16 Applying a TCP-AO in an application

Application: Reference Section
● BGP: IP Routing > BGP Configuration > Improving BGP Security > Configuring TCP-AO Authentication; IP Routing > BGP4+ Configuration > Improving BGP4+ Security > Configuring BGP4+ Authentication
● LDP: MPLS > MPLS LDP Configuration > Configuring LDP Security Features > Configuring LDP TCP-AO Authentication
● MSDP: IP Multicast > MSDP Configuration > Controlling MSDP Peer Connections > Configuring MSDP Peer Authentication

The following uses BGP as an example to describe how to apply a TCP-AO.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the bgp as-number command to enter the BGP view.

Step 3 Run the peer { ipv4-address | group-name } tcp-ao policy tcp-ao-name command
to configure TCP-AO authentication.
NOTE

● The TCP-AO authentication configured in the BGP view also takes effect for the BGP
extended address family view because they use the same TCP connection.
● BGP MD5 authentication, BGP keychain authentication, and BGP TCP-AO authentication
are mutually exclusive.
● A TCP connection cannot be set up if the specified TCP-AO has not been configured or
the TCP-AO does not have an active key.
● After a TCP-AO is applied, the TCP connection does not support NAT traversal.

Step 4 Run the commit command to commit the configuration.

----End

1.1.9.6 Configuration Examples

1.1.9.6.1 Example for Configuring TCP-AO Authentication for BGP

Networking Requirements
In Figure 1-18, DeviceA and DeviceB communicate through BGP.

To ensure the stability and security of the BGP connection, configure TCP-AO to
provide dynamic security authentication services for BGP.

Figure 1-18 Network diagram of configuring TCP-AO authentication for BGP


NOTE

Interface 1 in this example represents GE 1/0/0.

To complete the configuration, you need the following data:

● Keychain name
● Tolerance time
● ID of the key in the keychain
● Authentication algorithm HMAC-SHA-256 and authentication key (character
string used for encryption) of the key
● Lifetime of the key
● TCP-AO name
● ID of the key in the TCP-AO
● send-id and receive-id in the key

Precautions
● Ensure that NTP and BGP have been configured.
● The keychain names configured on DeviceA and DeviceB must be the same.
● The time modes of the keychains configured on DeviceA and DeviceB must be
the same.
● The key IDs in the keychains configured on DeviceA and DeviceB must be the
same. When multiple keys are configured, the key quantity and IDs must be
the same as those on the other end, respectively.
● The authentication algorithm and key string for the same keys configured on
DeviceA and DeviceB must be the same.
● The TCP-AO names configured on DeviceA and DeviceB must be the same.
● The key IDs in the TCP-AOs configured on DeviceA and DeviceB must be the
same. When multiple keys are configured, the key quantity and IDs must be
the same as those on the other end, respectively.
● For the same key, the send-id and receive-id configured on DeviceA must
match those configured on DeviceB. That is, the receive-id of DeviceA equals
the send-id of DeviceB, and the send-id of DeviceA equals the receive-id of
DeviceB.
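Most of these precautions are mechanical cross-checks between the two ends, and the key selection they govern is easiest to understand when run end to end. The following Python script is an added example, not code from this guide or from the NE9000: it models the keychain and TCP-AO configuration of DeviceA and DeviceB from this example as constructed dictionaries, checks the consistency rules listed above, selects the active key at a given time, and runs a simplified sign/verify exchange in which the KeyID carried on the wire is the sender's send-id and the receiver looks it up by receive-id. Two simplifications are assumptions of this example: the HMAC-SHA-256 is computed directly over constructed segment bytes with the key string (real TCP-AO derives per-connection traffic keys and covers the TCP pseudo-header, see RFC 5925), and receive-tolerance is modeled as widening the send-time window by that many minutes at both ends (the keychain chapter of this guide gives the exact rule).

```python
import copy
import hashlib
import hmac
from datetime import datetime, timedelta

# Constructed model of the keychain configured identically on DeviceA and
# DeviceB in this example. Key strings are the plaintext values typed in the
# procedure; the configuration scripts show them only in encrypted form.
KEYCHAIN = {
    "name": "huawei", "mode": "absolute", "receive_tolerance": 5,  # minutes
    "keys": {
        1: {"algorithm": "hmac-sha-256", "key_string": "YsHsjx_202206",
            "send_time": ("2019-12-10 12:00", "2019-12-10 15:00")},
        2: {"algorithm": "hmac-sha-256", "key_string": "YsHsjx_202207",
            "send_time": ("2019-12-10 15:01", "2019-12-10 18:00")},
    },
}
# TCP-AO "huawei" on each device, bound to the keychain; send-id/receive-id
# are cross-matched exactly as in Step 2 of the procedure.
DEVICE_A = {"keychain": copy.deepcopy(KEYCHAIN),
            "tcp_ao": {"name": "huawei", "binding": "huawei",
                       "keys": {1: {"send_id": 1, "receive_id": 2},
                                2: {"send_id": 3, "receive_id": 4}}}}
DEVICE_B = {"keychain": copy.deepcopy(KEYCHAIN),
            "tcp_ao": {"name": "huawei", "binding": "huawei",
                       "keys": {1: {"send_id": 2, "receive_id": 1},
                                2: {"send_id": 4, "receive_id": 3}}}}

def check_consistency(a, b):
    """Apply the precautions listed above to two device models.
    Returns a list of problems; an empty list means both ends agree."""
    problems = []
    ka, kb = a["keychain"], b["keychain"]
    if ka["name"] != kb["name"]:
        problems.append("keychain names differ")
    if ka["mode"] != kb["mode"]:
        problems.append("keychain time modes differ")
    if ka["keys"].keys() != kb["keys"].keys():
        problems.append("keychain key IDs differ")
    for kid in ka["keys"].keys() & kb["keys"].keys():
        ea, eb = ka["keys"][kid], kb["keys"][kid]
        if (ea["algorithm"], ea["key_string"]) != (eb["algorithm"], eb["key_string"]):
            problems.append(f"keychain key {kid}: algorithm or key string differs")
    ta, tb = a["tcp_ao"], b["tcp_ao"]
    if ta["name"] != tb["name"]:
        problems.append("TCP-AO names differ")
    if ta["keys"].keys() != tb["keys"].keys():
        problems.append("TCP-AO key IDs differ")
    for kid in ta["keys"].keys() & tb["keys"].keys():
        if (ta["keys"][kid]["send_id"] != tb["keys"][kid]["receive_id"]
                or ta["keys"][kid]["receive_id"] != tb["keys"][kid]["send_id"]):
            problems.append(f"TCP-AO key {kid}: send-id/receive-id do not cross-match")
    return problems

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def active_send_key(keychain, now):
    """Key ID whose send-time window (absolute mode) contains `now`, else None."""
    for kid, key in keychain["keys"].items():
        start, end = map(parse_time, key["send_time"])
        if start <= now <= end:
            return kid
    return None

def acceptable_receive_keys(keychain, now):
    """Key IDs accepted on receipt: the send window widened by receive-tolerance
    minutes at both ends (assumption, see lead-in), so a peer that has already
    rolled to the next key, or is still on the previous one, is tolerated."""
    tol = timedelta(minutes=keychain["receive_tolerance"])
    accepted = set()
    for kid, key in keychain["keys"].items():
        start, end = map(parse_time, key["send_time"])
        if start - tol <= now <= end + tol:
            accepted.add(kid)
    return accepted

def sign(device, now, segment):
    """Sender side: pick the active key, MAC the segment, return (KeyID, MAC).
    KeyID on the wire is the sender's send-id for that key."""
    kid = active_send_key(device["keychain"], now)
    if kid is None:
        return None   # no active key: the TCP connection cannot be set up
    key = device["keychain"]["keys"][kid]["key_string"].encode()
    mac = hmac.new(key, segment, hashlib.sha256).digest()
    return device["tcp_ao"]["keys"][kid]["send_id"], mac

def verify(device, now, segment, key_id_on_wire, mac):
    """Receiver side: find the local key whose receive-id equals the KeyID on
    the wire, check it is still within tolerance, and compare MACs."""
    for kid, ids in device["tcp_ao"]["keys"].items():
        if ids["receive_id"] == key_id_on_wire:
            break
    else:
        return False  # no local key is paired with this KeyID
    if kid not in acceptable_receive_keys(device["keychain"], now):
        return False  # key expired beyond receive-tolerance
    key = device["keychain"]["keys"][kid]["key_string"].encode()
    expected = hmac.new(key, segment, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)
```

The rollover case is the one worth trying: a segment signed by DeviceA at 15:00 with key 1 is still accepted by DeviceB at 15:04, because receive-tolerance 5 keeps key 1 acceptable until 15:05, but is rejected at 15:06. Swapping the send-id and receive-id on only one device makes check_consistency report the mismatch, which is exactly the configuration error that leaves the BGP session stuck in a non-Established state.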

Configuration Roadmap
1. Configure a keychain.
2. Configure a TCP-AO and bind it to the keychain.
3. Configure TCP-AO authentication for BGP.

Procedure
Step 1 Configure a keychain.
# Configure DeviceA.
<HUAWEI> system-view
[~HUAWEI] sysname DeviceA
[*DeviceA] keychain huawei mode absolute
[*DeviceA-keychain-huawei] receive-tolerance 5
[*DeviceA-keychain-huawei] key-id 1
[*DeviceA-keychain-huawei-keyid-1] algorithm hmac-sha-256
[*DeviceA-keychain-huawei-keyid-1] key-string cipher YsHsjx_202206
[*DeviceA-keychain-huawei-keyid-1] send-time 12:00 2019-12-10 to 15:00 2019-12-10
[*DeviceA-keychain-huawei-keyid-1] quit
[*DeviceA-keychain-huawei] key-id 2
[*DeviceA-keychain-huawei-keyid-2] algorithm hmac-sha-256
[*DeviceA-keychain-huawei-keyid-2] key-string cipher YsHsjx_202207
[*DeviceA-keychain-huawei-keyid-2] send-time 15:01 2019-12-10 to 18:00 2019-12-10
[*DeviceA-keychain-huawei-keyid-2] quit
[*DeviceA-keychain-huawei] quit
[*DeviceA] commit

# Configure DeviceB.
<HUAWEI> system-view
[~HUAWEI] sysname DeviceB
[*DeviceB] keychain huawei mode absolute
[*DeviceB-keychain-huawei] receive-tolerance 5
[*DeviceB-keychain-huawei] key-id 1
[*DeviceB-keychain-huawei-keyid-1] algorithm hmac-sha-256
[*DeviceB-keychain-huawei-keyid-1] key-string cipher YsHsjx_202206
[*DeviceB-keychain-huawei-keyid-1] send-time 12:00 2019-12-10 to 15:00 2019-12-10
[*DeviceB-keychain-huawei-keyid-1] quit
[*DeviceB-keychain-huawei] key-id 2
[*DeviceB-keychain-huawei-keyid-2] algorithm hmac-sha-256
[*DeviceB-keychain-huawei-keyid-2] key-string cipher YsHsjx_202207
[*DeviceB-keychain-huawei-keyid-2] send-time 15:01 2019-12-10 to 18:00 2019-12-10
[*DeviceB-keychain-huawei-keyid-2] quit
[*DeviceB-keychain-huawei] quit
[*DeviceB] commit

Step 2 Configure a TCP-AO and bind it to the keychain.


# Configure DeviceA.
[~DeviceA] tcp ao huawei
[*DeviceA-tcp-ao-huawei] binding keychain huawei
[*DeviceA-tcp-ao-huawei] key-id 1
[*DeviceA-tcp-ao-huawei-keyid-1] send-id 1 receive-id 2
[*DeviceA-tcp-ao-huawei-keyid-1] quit
[*DeviceA-tcp-ao-huawei] key-id 2
[*DeviceA-tcp-ao-huawei-keyid-2] send-id 3 receive-id 4
[*DeviceA-tcp-ao-huawei-keyid-2] quit
[*DeviceA-tcp-ao-huawei] quit
[*DeviceA] commit

# Configure DeviceB.
[~DeviceB] tcp ao huawei
[*DeviceB-tcp-ao-huawei] binding keychain huawei
[*DeviceB-tcp-ao-huawei] key-id 1
[*DeviceB-tcp-ao-huawei-keyid-1] send-id 2 receive-id 1
[*DeviceB-tcp-ao-huawei-keyid-1] quit
[*DeviceB-tcp-ao-huawei] key-id 2
[*DeviceB-tcp-ao-huawei-keyid-2] send-id 4 receive-id 3
[*DeviceB-tcp-ao-huawei-keyid-2] quit
[*DeviceB-tcp-ao-huawei] quit
[*DeviceB] commit

Step 3 Configure TCP-AO authentication for BGP.


# Configure DeviceA.
[~DeviceA] interface gigabitethernet 1/0/0
[~DeviceA-GigabitEthernet1/0/0] ip address 192.168.1.1 24
[*DeviceA-GigabitEthernet1/0/0] quit
[*DeviceA] bgp 1
[*DeviceA-bgp] router-id 1.1.1.1
[*DeviceA-bgp] peer 192.168.1.2 as-number 1
[*DeviceA-bgp] peer 192.168.1.2 tcp-ao policy huawei
[*DeviceA-bgp] quit
[*DeviceA] commit

# Configure DeviceB.
[~DeviceB] interface gigabitethernet 1/0/0
[~DeviceB-GigabitEthernet1/0/0] ip address 192.168.1.2 24
[*DeviceB-GigabitEthernet1/0/0] quit
[*DeviceB] bgp 1
[*DeviceB-bgp] router-id 2.2.2.2
[*DeviceB-bgp] peer 192.168.1.1 as-number 1
[*DeviceB-bgp] peer 192.168.1.1 tcp-ao policy huawei
[*DeviceB-bgp] quit
[*DeviceB] commit

----End

Verifying the Configuration


Check whether TCP-AO authentication is configured successfully for BGP. The
following example uses the command output on DeviceA.
Run the display bgp peer ipv4-address verbose command to check that the
authentication type configured for the BGP peer is TCP-AO(huawei).
<DeviceA> display bgp peer 192.168.1.2 verbose
BGP Peer is 192.168.1.2, remote AS 1
Type: IBGP link
BGP version 4, Remote router ID 2.2.2.2
Update-group ID: 3
BGP current state: Established, Up for 00h27m26s
BGP current event: RecvKeepalive
BGP last state: OpenConfirm
BGP Peer Up count: 2
Received total routes: 0
Received active routes total: 0
Advertised total routes: 0
Port: Local - 58168 Remote - 179
Configured: Connect-retry Time: 32 sec
Configured: Min Hold Time: 0 sec
Configured: Active Hold Time: 180 sec Keepalive Time:60 sec
Received : Active Hold Time: 180 sec
Negotiated: Active Hold Time: 180 sec Keepalive Time:60 sec
Peer optional capabilities:
Peer supports bgp multi-protocol extension
Peer supports bgp route refresh capability
Peer supports bgp 4-byte-as capability
Address family IPv4 Unicast: advertised and received
Received: Total 34 messages
Update messages 1
Open messages 1
KeepAlive messages 32
Notification messages 0
Refresh messages 0
Sent: Total 33 messages
Update messages 1
Open messages 1
KeepAlive messages 31
Notification messages 0
Refresh messages 0
Authentication type configured: TCP-AO(huawei)
Last keepalive received: 2019-12-10 10:12:29+00:00
Last keepalive sent : 2019-12-10 10:12:04+00:00
Last update received: 2019-12-10 09:45:14+00:00
Last update sent : 2019-12-10 09:45:14+00:00
No refresh received since peer has been configured
No refresh sent since peer has been configured
Minimum route advertisement interval is 15 seconds
Optional capabilities:
Route refresh capability has been enabled
4-byte-as capability has been enabled
Peer Preferred Value: 0
Routing policy configured:
No routing policy is configured

Configuration Scripts
● DeviceA
#
sysname DeviceA
#
keychain huawei mode absolute
receive-tolerance 5
#
key-id 1
algorithm hmac-sha-256
key-string cipher %^%#1h29-c>>[H,XTu>Q}##;"}JOQOK#c>TD6>~d-BaJ%^%#
send-time 12:00 2019-12-10 to 15:00 2019-12-10
#
key-id 2
algorithm hmac-sha-256
key-string cipher %^%#^<Sn.IK2iK'N%[VnMhv-I)|C4d<K$F$a.6%jEN@K%^%#
send-time 15:01 2019-12-10 to 18:00 2019-12-10
#
tcp ao huawei
binding keychain huawei
#
key-id 1
send-id 1 receive-id 2
key-id 2
send-id 3 receive-id 4
#
interface gigabitethernet1/0/0
ip address 192.168.1.1 255.255.255.0
#
bgp 1
router-id 1.1.1.1
peer 192.168.1.2 as-number 1
peer 192.168.1.2 tcp-ao policy huawei
#
ipv4-family unicast
peer 192.168.1.2 enable
#
return
● DeviceB
#
sysname DeviceB
#
keychain huawei mode absolute
receive-tolerance 5
#
key-id 1
algorithm hmac-sha-256
key-string cipher %^%#p8cb/;OMFES0Wx@PY^"Ka{6q2MB;oG|[ZO-_]u}&%^%#
send-time 12:00 2019-12-10 to 15:00 2019-12-10
#
key-id 2
algorithm hmac-sha-256
key-string cipher %^%#&Yq4=s*P:L<"8iG-|o1ZB*Qi0qCn%N{Y3a&Z-zuD%^%#
send-time 15:01 2019-12-10 to 18:00 2019-12-10
#
tcp ao huawei
binding keychain huawei
#
key-id 1
send-id 2 receive-id 1
key-id 2
send-id 4 receive-id 3
#
interface gigabitethernet1/0/0
ip address 192.168.1.2 255.255.255.0
#
bgp 1
router-id 2.2.2.2
peer 192.168.1.1 as-number 1
peer 192.168.1.1 tcp-ao policy huawei
#
ipv4-family unicast
peer 192.168.1.1 enable
#
return

1.1.10 URPF Configuration


Unicast reverse path forwarding (URPF) can prevent attacks initiated based on
source address spoofing.

1.1.10.1 URPF Overview


URPF prevents network attacks based on source address spoofing and can be
performed in strict or loose mode.

Unicast Reverse Path Forwarding (URPF) is a technology used to defend against
network attacks based on source address spoofing.

Generally, upon receiving a packet, a router first obtains the destination IP address
of the packet and then searches the forwarding table for a route to the
destination address. If the router finds such a route, it forwards the packet;
otherwise, it discards the packet. A URPF-enabled router, however, obtains the
source IP address of a received packet and searches for a route to the source
address. If the router fails to find the route, it considers that the source address is
a forged one and discards the packet. In this manner, URPF can effectively protect
against malicious attacks that are launched by changing the source addresses of
packets.

Figure 1-19 Source address spoofing attacks

DeviceA generates a packet with a forged source IP address 2.1.1.1 and sends the
packet to DeviceB. DeviceB sends a response packet to DeviceC, whose IP address
actually is 2.1.1.1. In this manner, DeviceA attacks both DeviceB and DeviceC by
sending spoofed packets.
URPF can be applied on the upstream inbound interfaces of the router in two
application environments: single-homed client and multi-homed client.
● Single-homed client
Figure 1-20 shows the connection between the client and the aggregation
router of the ISP. Enable URPF on interface1 of the ISP router to protect the
router and Internet from source address spoofing attacks from the client
network.

Figure 1-20 Application of a URPF single-homed client

● Multi-homed client
URPF can be applied in the case that multiple connections are set up between
the client and the ISP, as shown in Figure 1-21. For URPF to work, the packets
from the client to a host on the Internet and the packets from that host back
to the client must traverse the same link between the client router and the
ISP router. That is, you need to ensure route symmetry. Otherwise, URPF
discards legitimate packets because of an interface mismatch.

Figure 1-21 Application of the URPF multi-homed client

● Multi-homed client and multi-ISP

URPF can be applied in the case that a client is connected to multiple ISPs, as
shown in Figure 1-22. In this case, route symmetry has to be ensured.

URPF applied in the scenario where a client is connected to multiple ISPs has the
following features:

● If route symmetry cannot be ensured, you can use the loose check. That is,
URPF does not check whether the inbound interface matches; as long as a
route to the source address of the packet exists, the packet can pass.
● The routers of multiple users may have only one default route to the router of
the ISP. Therefore, matching the default route entry needs to be supported.
● As a security mechanism at the ingress, URPF outperforms a conventional
firewall.

Figure 1-22 Application of multi-homed ISPs of URPF

1.1.10.2 Feature Requirements for URPF

1.1.10.3 Configuring URPF on an Interface


You can configure URPF on an interface to check packets in order to prevent
source address spoofing attacks.

Usage Scenario
To prevent source address spoofing attacks, you can configure URPF to check the
source address and inbound interface of packets. If the source address passes the
check, the packets are allowed to pass; otherwise, the source address is considered
forged and the packets are discarded.

Pre-configuration Tasks
Before configuring URPF, complete the following task:

● Configure link layer protocol parameters and IP addresses for interfaces and
ensure that the link layer protocol of each interface is up.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number

The interface view is displayed.

Step 3 Run the following commands based on the network type:
1. On an IPv4 network, run the ip urpf { loose | strict } [ allow-default ]
[ statistics enable ] command to enable URPF on the interface.
2. On an IPv6 network, run the ipv6 urpf { loose | strict } [ allow-default ]
[ statistics enable ] command to enable IPv6 URPF on the interface.

If loose is configured, URPF performs checks in loose mode. Specifically, the device
searches the forwarding information base (FIB) table for the outbound interface
according to the source IP address of a received packet. If the outbound interface
is found, the packet is forwarded; otherwise, the packet is discarded.

If strict is configured, URPF performs checks in strict mode. Specifically, the device
searches the FIB table for the slot ID, interface number, and VLAN ID (if the packet
is a VLAN packet) according to the source IP address of a received packet. It then
compares them with the slot ID and interface number of the packet's inbound
interface as well as the VLAN ID (if the packet is a VLAN packet) carried in the
packet. If they are the same, the device considers the packet to have passed the
URPF check and forwards it. Otherwise, the packet is discarded.

Step 4 Run commit

The configuration is committed.

----End

1.1.10.4 Configuring Flow-based URPF


By configuring flow-based URPF, you can perform URPF check for flows of certain
types on an interface. In this manner, you can prevent source address spoofing
attacks carried in packets of these types.

Usage Scenario
To prevent network attacks based on source address spoofing, you need to
configure URPF and check whether the source address of the packets matches the
inbound interface. If the source IP address matches the inbound interface, the
source IP address is considered as legal and the packet is allowed to pass;
otherwise, the source IP address is considered as a pseudo one and the packet is
discarded.

If you need to prevent flows of certain types from starting source address spoofing
attacks, you need to configure flow-based URPF.

Pre-configuration Tasks
Before configuring flow-based URPF, complete the following task:
● Parameters of the link layer protocol and IP addresses have been configured
for the interfaces and the link layer protocol on the interfaces is Up.

1.1.10.4.1 Configuring a Traffic Classifier


To classify traffic on a network, you need to define traffic classifiers based on
information such as ACL rules, IP precedence, MAC addresses, and protocol
addresses.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run traffic classifier classifier-name [ operator { and | or } ]
A traffic classifier is defined and its view is displayed.
The traffic classifier specified by classifier-name cannot be a pre-defined one in
the system. You can directly use the pre-defined traffic classifiers when defining
traffic policies. For details about traffic classifiers, see HUAWEI NetEngine9000
Core Router Configuration Guide - QoS.
Step 3 Configure matching rules based on the actual networking.
● To define a matching rule to classify traffic based on the 802.1p priority in a
VLAN packet, run the if-match 8021p 8021p-value command.
● To define ACL rules, run the if-match [ ipv6 ] acl { acl-number | name acl-name }
command.
● To define rules for matching all packets, run the if-match [ ipv6 ] any
command.
● To define a matching rule to classify traffic based on the destination MAC
address of packets, run the if-match destination-mac mac-address
command.
● To define a matching rule to classify traffic based on the destination IPv6
address, run the if-match ipv6 destination-address ipv6-address
prefix-length command.
● To define a rule to match traffic with a specified DSCP value, run the
if-match [ ipv6 ] dscp dscp-value command.
● To define a matching rule to classify traffic based on the MPLS EXP value, run
the if-match mpls-exp exp-value command.
● To define a matching rule to classify traffic based on the IP precedence, run
the if-match ip-precedence ip-precedence command.
● To define a matching rule to classify traffic based on the source MAC address
of packets, run the if-match source-mac mac-address command.
● To define a matching rule to classify traffic based on the IPv4 TCP flag value,
run the if-match tcp syn-flag { tcpflag-value [ mask tcpflag-mask ] |
bit-match { established | fin | syn | rst | psh | ack | urg | ece | cwr | ns } }
command.

● To define a matching rule for MF classification based on the SYN Flag value in
the IPv6 TCP header, run the if-match ipv6 tcp syn-flag { tcpflag-value
[ mask tcpflag-mask ] | bit-match { established | fin | syn | rst | psh | ack |
urg } } command.

You can select one or more rules in Step 3 as required.

Step 4 Run commit

The configuration is committed.

----End

1.1.10.4.2 Configuring a Traffic Behavior


If the routes between the interface where URPF check is performed and the source
address of packets are symmetrical, you must perform strict URPF check. In other
cases, you can perform loose URPF check.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run traffic behavior behavior-name

A traffic behavior is defined and its view is displayed.

The traffic behavior specified by behavior-name cannot be a pre-defined one in
the system. You can directly use the pre-defined traffic behaviors when defining
traffic policies. For details about traffic behaviors, see HUAWEI NetEngine9000
Core Router Configuration Guide - QoS.
Step 3 Run ip urpf { loose | strict } [ allow-default ]

URPF is enabled.

Step 4 Run commit

The configuration is committed.

----End

1.1.10.4.3 Configuring a Traffic Policy


After being classified, the traffic must be associated with the traffic behavior. In
this manner, a traffic policy can be formed.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run traffic policy policy-name

A traffic policy is defined and the traffic policy view is displayed.

policy-name defined by users cannot be the one pre-defined by the system. For
details on traffic policies, see HUAWEI NetEngine9000 Core Router Configuration
Guide - QoS.
Step 3 Run classifier classifier-name behavior behavior-name

The traffic behavior is specified for the specified traffic class in the traffic policy.

NOTE

Traffic of the same class cannot match two traffic behaviors at the same time.

Step 4 Run commit

The configuration is committed.

----End

1.1.10.4.4 Applying the Traffic Policy


The traffic policy must be applied to an interface for the configured traffic
behavior to take effect on the traffic passing through the interface.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number

The interface view is displayed.

Step 3 Run traffic-policy policy-name { inbound | outbound } [ link-layer | mpls-layer ]

The traffic policy is applied to the interface.

Step 4 Run commit

The configuration is committed.

----End

1.1.10.5 Configuring Peer-based URPF


You can configure peer-based URPF to check the ID of the peer group bound to an
interface and match the IP address of the BGP peer in the peer group against the
IP address of the packet sender to prevent source address spoofing attacks.

Usage Scenario
To prevent source address spoofing attacks, you can configure peer-based URPF to
enable an interface to check the ID of the peer group bound to the interface and
match the IP address of the BGP peer in the peer group against the IP address of
the packet sender. If the IP addresses match, the interface considers the source IP
address valid and forwards the packet. Otherwise, the interface considers the
source IP address faked and discards the packet.

Prerequisites
Before configuring peer-based URPF, complete the following task:
● Configure data link layer protocol parameters and IP addresses for interfaces
to ensure that the data link layer protocol on each interface is Up.

1.1.10.5.1 Configuring a Peer Group ID and Applying It to a Route-Policy


You can use a route-policy to set a peer group ID for the imported routes as
required.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run route-policy route-policy-name permit node node
A route-policy node is created, and the route-policy view is displayed.
Step 3 Run apply peer-id peerId
A BGP peer group ID is set.
Step 4 Run quit
Return to the system view.
Step 5 Run bgp as-number
The BGP view is displayed.
Step 6 Run ipv4-family unicast
The IPv4 unicast address family view is displayed.
Step 7 Run peer { group-name | ipv4-address | ipv6-address } route-policy
route-policy-name import
The route-policy is applied to the routes received from the specified peer or peer
group to control route acceptance.
Step 8 Run commit
The configuration is committed.

----End

1.1.10.5.2 Configuring Peer-based URPF on an Interface


You can configure peer-based URPF to check the validity of packets to be sent to
the CPU.

Procedure
Step 1 Run system-view
The system view is displayed.

Step 2 Run interface interface-type interface-number

The interface view is displayed.

Step 3 Run ip urpf peer-based peer-id peer-id [ statistics enable ] or ipv6 urpf
peer-based peer-id peer-id [ statistics enable ]

IPv4/IPv6 peer-based URPF is configured on the interface.

Step 4 Run commit

The configuration is committed.

----End

1.1.10.6 Maintaining URPF


Before collecting statistics on the packets that fail the URPF check and are
discarded, you need to delete the existing statistics.

Procedure
Step 1 Run the reset ip urpf discard statistics interface { interface-type
interface-number | all } command to clear statistics on the packets that fail the
URPF check and are discarded on interfaces.

Step 2 Run the reset { ip | ipv6 } urpf discard statistics [ slot slot-id ] command to clear
the statistics on the packets that fail the URPF check and are discarded on an
interface board.

----End

1.1.10.7 Configuration Examples for URPF


This section describes the typical application scenario of URPF, including
networking requirements, configuration roadmap, and data preparation, and
provides related configuration files.

1.1.10.7.1 Example for Configuring URPF


Flow-based URPF can be used to prevent source address spoofing attacks based
on certain types of packets.

Networking Requirements
This example describes how to enable URPF on the ISP ingress. As shown in
Figure 1-23, DeviceA is directly connected to the ISP's DeviceB. Enable URPF on
DeviceB's GE 1/0/0. Perform URPF check on the packets whose source address
matches ACL 2010. Enable URPF on DeviceA's GE 1/0/0, and enable default route
matching.

Figure 1-23 Networking diagram for configuring URPF


NOTE

● The configurations in this example are performed on DeviceA and DeviceB. The HUAWEI
NetEngine9000 can function as DeviceA and DeviceB.
● interface1 in this example represents GE 1/0/0.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a traffic policy on the ISP router to allow traffic from a specified
network segment to pass the URPF check.
2. Configure an IP address for the interface on the client router and enable
URPF.

Data Preparation
To complete the configuration, you need the following data:
● IP address of each interface
● IP addresses in the network segment that passes the URPF check

Procedure
Step 1 Configure DeviceB to perform URPF check on the packets whose source address
matches ACL 2010.
# Configure ACL 2010.
<DeviceB> system-view
[~DeviceB] acl number 2010
[*DeviceB-acl-basic-2010] rule permit source 10.1.1.0 0.0.0.255
[*DeviceB-acl-basic-2010] commit
[~DeviceB-acl-basic-2010] quit

# Configure a traffic classifier and define an ACL-based matching rule.


[~DeviceB] traffic classifier classifier1
[*DeviceB-classifier-classifier1] if-match acl 2010
[*DeviceB-classifier-classifier1] commit
[~DeviceB-classifier-classifier1] quit

# Define a traffic behavior and configure URPF.


[~DeviceB] traffic behavior behavior1
[*DeviceB-behavior-behavior1] ip urpf strict
[*DeviceB-behavior-behavior1] commit
[~DeviceB-behavior-behavior1] quit

# Define a traffic policy to associate the traffic classifier with the traffic behavior.
[~DeviceB] traffic policy policy1
[*DeviceB-trafficpolicy-policy1] classifier classifier1 behavior behavior1
[*DeviceB-trafficpolicy-policy1] commit
[~DeviceB-trafficpolicy-policy1] quit

# Apply the traffic policy to the interface.


[~DeviceB] interface gigabitethernet 1/0/0
[~DeviceB-GigabitEthernet1/0/0] undo shutdown
[*DeviceB-GigabitEthernet1/0/0] ip address 172.19.139.2 255.255.255.252
[*DeviceB-GigabitEthernet1/0/0] traffic-policy policy1 inbound
[*DeviceB-GigabitEthernet1/0/0] commit

Step 2 Configure DeviceA.


# Configure GE 1/0/0.
<DeviceA> system-view
[~DeviceA] interface gigabitethernet 1/0/0
[~DeviceA-GigabitEthernet1/0/0] undo shutdown
[*DeviceA-GigabitEthernet1/0/0] ip address 172.19.139.1 255.255.255.252

# Enable URPF on GE 1/0/0.


[*DeviceA-GigabitEthernet1/0/0] ip urpf strict allow-default
[*DeviceA-GigabitEthernet1/0/0] commit

----End

Configuration Files
● DeviceA configuration file
#
sysname DeviceA
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 172.19.139.1 255.255.255.252
ip urpf strict allow-default
#
return
● DeviceB configuration file
#
sysname DeviceB
#
acl number 2010
rule 5 permit source 10.1.1.0 0.0.0.255
#
traffic classifier classifier1 operator or
if-match acl 2010
#
traffic behavior behavior1
ip urpf strict
#
traffic policy policy1
classifier classifier1 behavior behavior1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 172.19.139.2 255.255.255.252
traffic-policy policy1 inbound
#
return
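The strict, loose and allow-default behaviours described in 1.1.10.3, and the flow-based policy just configured on DeviceB, can be traced on sample packets with the following Python script. It is an added example, not code from this guide or from the NE9000: it models a FIB as a list of (prefix, outbound interface, slot) entries, performs a longest-prefix lookup on the packet's source address, and applies the check the way the text describes it: loose passes when any route to the source exists, strict additionally requires the inbound interface and slot to match the reverse route, and a default route only counts when allow-default is set. The flow-based variant applies the check only to packets whose source matches the ACL, as the traffic policy on DeviceB does. The FIB entries, interface names on slot 2 and the sample packets are constructed; only the link 172.19.139.0/30 and ACL 2010's 10.1.1.0/24 come from this example, and VLAN ID matching is left out.

```python
import ipaddress

# Constructed FIBs. Entries: (prefix, outbound interface, slot of that interface).
# DeviceB (ISP router): the link to DeviceA and two customer prefixes.
FIB_B = [
    ("172.19.139.0/30", "GigabitEthernet1/0/0", 1),
    ("10.1.1.0/24", "GigabitEthernet1/0/0", 1),   # customer segment behind DeviceA
    ("10.2.0.0/16", "GigabitEthernet2/0/0", 2),   # another customer, on slot 2 (constructed)
]
# DeviceA (client router): its LAN prefix and only a default route toward the ISP.
FIB_A = [
    ("0.0.0.0/0", "GigabitEthernet1/0/0", 1),
    ("10.1.1.0/24", "GigabitEthernet2/0/0", 2),
]
# ACL 2010 from this example: the source segment the traffic classifier matches.
ACL_2010 = ["10.1.1.0/24"]

def lookup(fib, addr):
    """Longest-prefix match on `addr`; returns (network, interface, slot) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifname, slot in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname, slot)
    return best

def urpf_check(fib, src, in_if, in_slot, mode, allow_default=False):
    """Reverse-path check on one packet. Returns True when the packet passes.
    mode is "loose" or "strict"; allow_default lets a 0.0.0.0/0 route satisfy it."""
    route = lookup(fib, src)
    if route is None:
        return False          # no route back to the source: treated as forged
    net, ifname, slot = route
    if net.prefixlen == 0 and not allow_default:
        return False          # only the default route matches and it does not count
    if mode == "loose":
        return True           # loose: any route to the source is enough
    # strict: the reverse route must leave via the interface the packet came in on
    return ifname == in_if and slot == in_slot

def acl_matches(acl, src):
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in acl)

def apply_policy(fib, acl, packets, mode, allow_default=False):
    """Flow-based URPF as on DeviceB: only packets whose source matches the ACL
    are checked; everything else is forwarded unchecked. Returns per-packet
    verdicts and counters (what `statistics enable` would count)."""
    verdicts = []
    stats = {"checked": 0, "passed": 0, "discarded": 0, "unchecked": 0}
    for pkt in packets:
        if not acl_matches(acl, pkt["src"]):
            stats["unchecked"] += 1
            verdicts.append((pkt["src"], "forward (not in ACL)"))
            continue
        stats["checked"] += 1
        if urpf_check(fib, pkt["src"], pkt["in_if"], pkt["in_slot"], mode, allow_default):
            stats["passed"] += 1
            verdicts.append((pkt["src"], "forward"))
        else:
            stats["discarded"] += 1
            verdicts.append((pkt["src"], "discard (URPF)"))
    return verdicts, stats

# Constructed packets arriving at DeviceB.
PACKETS_B = [
    {"src": "10.1.1.5", "in_if": "GigabitEthernet1/0/0", "in_slot": 1},     # legitimate
    {"src": "10.1.1.5", "in_if": "GigabitEthernet2/0/0", "in_slot": 2},     # spoofed, from the other customer
    {"src": "10.2.0.7", "in_if": "GigabitEthernet1/0/0", "in_slot": 1},     # spoofed, but outside ACL 2010
    {"src": "198.51.100.1", "in_if": "GigabitEthernet1/0/0", "in_slot": 1}, # no route, outside ACL 2010
]

if __name__ == "__main__":
    for src, verdict in apply_policy(FIB_B, ACL_2010, PACKETS_B, "strict")[0]:
        print(f"{src:14} {verdict}")
```

The third packet is the point of flow-based URPF: 10.2.0.7 arriving on GigabitEthernet1/0/0 would fail a strict check on DeviceB, but because the traffic classifier only matches ACL 2010 it is forwarded unchecked, so the ACL decides the scope of the protection. On DeviceA, a packet from an Internet address passes the strict check on GigabitEthernet1/0/0 only because allow-default is configured, and still fails if it arrives on the LAN interface.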

1.1.11 Local Attack Defense Configuration


Local attack defense restricts the packets to be sent to the CPU through attack
source tracing, TCP/IP attack defense, CAR, application layer association, and
management/control plane protection to ensure the device security and normal
service processing on the CPU.

1.1.11.1 Introduction to Local Attack Defense


Local attack defense can protect the CPUs of devices against various attacks.

The development and wide application of networks pose higher requirements on
network and device security. On a network, a large number of packets are sent
to the CPU, among them malicious packets attempting to attack it. If the CPU
receives excessive packets, CPU usage rises, lowering performance and affecting
normal services; if the CPU is flooded with malicious packets, it is kept busy
processing them and other services are interrupted. In extreme cases, the
system fails.

At present, the router faces the following security risks:


● Owing to the inherent defects and flawed implementations of the TCP/IP
protocol suite, attacks on TCP/IP networks are increasing, which greatly
impacts the network.
● When a large number of packets are sent to the CPU at the same time, the
rate at which they are sent cannot be limited, and as a result the CPU cannot
process these packets by priority.
● The router runs multiple application protocols, and all of them, including
unnecessary ones, send packets to the CPU. Attackers can exploit this to
launch flooding attacks that exhaust CPU resources and prevent normal
services from being processed.
● Interfaces on the router can be classified into management interfaces and
non-management interfaces. Attackers can control the router through
non-management interfaces or launch flooding attacks through management
interfaces. All of these put the router in danger.
● Attack packets are of various types, and once attacked, the router cannot
trace the attack source.
● A large number of packets are discarded, but no alarm is generated.

You can protect the CPU of the NE9000 against attacks by configuring defense
against TCP/IP attacks, CAR, application layer association, management plane
protection, or attack source tracing.

1.1.11.2 Feature Requirements for Local Attack Defense

1.1.11.3 Configuring Attack Source Tracing


After being configured with attack source tracing, the router saves received attack
packets to its memory for attack analysis and defense.

Usage Scenario
When being attacked, the router enabled with attack source tracing can save
attack packets to its memory for attack analysis and defense. The attack source
tracing module checks whether packet loss occurs at an interval of 1 minute. If
packet loss is detected, the attack source tracing module records information
about the attack packets in the memory.

NOTE

When the size of the packets held in memory exceeds the upper limit of the storage
file, older packets are overwritten as new packets are saved. Therefore, it is
recommended that you run the save attack-source-trace slot command to save the
data in memory to the flash memory of the main control board. The saved data can
then be exported using SFTP.

In VS mode, this feature is supported only by the admin VS.

Pre-configuration Tasks
Before configuring attack source tracing, configure the parameters of the link layer
protocol and IP addresses for interfaces and ensure that the link layer protocol on
the interfaces is Up.

1.1.11.3.1 Creating an Attack Defense Policy


All local attack defense features must be added to an attack defense policy. These
features take effect after the attack defense policy is applied to the interface
board.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run cpu-defend policy policy-number

An attack defense policy is created.

Step 3 (Optional) Run description text

The description of the attack defense policy is configured.

Step 4 Run commit

The configuration is committed.

----End

Follow-up Procedure
You must run the cpu-defend-policy command on the interface board to apply
the attack defense policy to the interface board. In this manner, the configured
attack defense policy can take effect.

1.1.11.3.2 Enabling Attack Source Tracing


If attack source tracing has been manually disabled, perform the following steps to enable it.


Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run attack-source-trace enable

The attack source tracing function is enabled.

After the attack-source-trace enable command is run, attack source tracing is
enabled on all functional modules. After the undo attack-source-trace enable
command is run, attack source tracing is disabled on all functional modules.

Step 4 Run attack-source-trace { car | tcpip-defend | ma-defend | application-apperceive | totalcar } enable

Attack source tracing is enabled for a specific local attack defense feature.

Step 5 Run commit

The configuration is committed.

----End

1.1.11.3.3 Configuring Sampling Parameters for Attack Source Tracing


Perform the following steps to change the sampling parameters.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run cpu-defend policy policy-number

An attack defense policy is created and the attack defense policy view is displayed.

Step 3 Run attack-source-trace sample-rate sample-rate-value

The sampling rate for the packets recorded by attack source tracing is set.

Step 4 Run save attack-source-trace slot { slot-id | all } [ file filename ] linktype ethernet

Information about attack source tracing saved in the memory of an interface
board is saved as a file.

Step 5 Run commit

The configuration is committed.

----End


1.1.11.3.4 Applying the Attack Defense Policy


The configured attack defense policy takes effect only after being applied to the
interface board.

Context
The NE9000 defines a default attack defense policy. This policy cannot be
modified or deleted. When the NE9000 starts, this policy is automatically applied
to the interface board. Configurations in the policy are default configurations of
each feature. To apply a specified attack defense policy to the interface board, you
need to run the cpu-defend-policy policy-number command on the interface
board to bind the policy to be applied to the interface board. If the cpu-defend-
policy policy-number command is not used, the default attack defense policy is
applied to the interface board.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run slot slot-id
The slot view is displayed.
Step 3 Run cpu-defend-policy policy-number
The attack defense policy is applied to the interface board.
You must apply the attack defense policy to the interface board; otherwise, the
policy does not take effect.
The attack defense policy specified by policy-number must be a configured one.
Otherwise, the policy cannot be applied.
Step 4 Run commit
The configuration is committed.

----End

1.1.11.3.5 Checking the Configurations


After configuring attack source tracing, you can view information about packets
discarded by each functional module, including the interface that receives the
packets, VLAN to which the interface that receives the packets belongs, and the
time packets are discarded.

Procedure
Step 1 Run the following commands to view verbose information about attack source
tracing.
● display attack-source-trace slot { slot-id | all } verbose [ { attack-type
{ totalcar | car | application-apperceive | tcpip-defend | ma-defend } } |
{ source-mac source-mac source-mac-mask } | { destination-mac dest-mac
dest-mac-mask } | { vlan vlan-id } | { source source-ip source-ip-mask } |
{ destination destination-ip destination-ip-mask } | { source-port
source-port-number } | { destination-port dest-port-number } | { protocol-number
protocol-number } | { time-range from begin-time [ to end-time ] } |
{ car-index car-index } | { source-ipv6 source-ipv6-address source-ipv6-prefixlen } |
{ destination-ipv6 destination-ipv6-address destination-ipv6-prefixlen } |
{ next-header next-header } ] *
● display attack-source-trace file filename verbose [ { source-mac source-
mac source-mac-mask } | { destination-mac dest-mac dest-mac-mask } |
{ source source-ip source-ip-mask } | { destination destination-ip destination-
ip-mask } | { source-port source-port-number } | { vlan vlan-id } |
{ destination-port destination-port-number } | { protocol-number protocol-
number } | { time-range from begin-time [ to end-time ] } | { source-ipv6
source-ipv6-address source-ipv6-prefixlen } | { destination-ipv6 destination-
ipv6-address destination-ipv6-prefixlen } | { next-header next-header } ] *
Step 2 Run the following commands to view brief information about attack source
tracing.
● display attack-source-trace slot { slot-id | all } brief [ { source source-ip
source-ip-mask } | { destination destination-ip destination-ip-mask } |
{ source-port source-port-number } | { destination-port dest-port-number } |
{ protocol-number protocol-number } | { time-range from begin-time [ to
end-time ] } | { attack-type { totalcar | car | application-apperceive | tcpip-
defend | ma-defend } } | { car-index car-index } | { source-ipv6 source-ipv6-
address source-ipv6-prefixlen } | { destination-ipv6 destination-ipv6-address
destination-ipv6-prefixlen } | { next-header next-header } ] *
● display attack-source-trace file filename brief [ { source source-ip source-
ip-mask } | { destination destination-ip destination-ip-mask } | { source-port
source-port-number } | { destination-port destination-port-number } |
{ protocol-number protocol-number } | { time-range from begin-time [ to
end-time ] } | { source-ipv6 source-ipv6-address source-ipv6-prefixlen } |
{ destination-ipv6 destination-ipv6-address destination-ipv6-prefixlen } |
{ next-header next-header } ] *
Step 3 Run the display attack-source-trace slot { slot-id | all } original-information
command to check original information about attack source tracing on the
interface board.

----End

1.1.11.4 Configuring the Alarm Function for Packet Discarding


You can set the interval for checking the number of discarded packets and the
alarm threshold for the packet discarding rate.

Context
To view the status of a device that drops too many packets, configure the alarm
function for packet discarding. When the alarm function is enabled, the router
checks the number of the packets dropped within a specified time period. If the
number of dropped packets reaches or exceeds the set alarm threshold, an alarm
is reported.
In VS mode, this feature is supported only by the admin VS.


Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run alarm drop-rate { application-apperceive | blacklist | index index |
ma-defend | tcpip-defend | tcpip-defend-v6 | total-packet | user-defined-flow flow-
id | whitelist | whitelist-v6 | urpf } enable

The alarm for the discarding of the packets sent to the CPU is enabled.

Step 4 Run alarm drop-rate { application-apperceive | index index | tcpip-defend |
tcpip-defend-v6 | user-defined-flow flow-id | whitelist | whitelist-v6 | urpf }
{ threshold threshold-value | interval interval-value | speed-threshold
speed-value } *

The alarm threshold of discarding the packets to be sent to the CPU is set.

Step 5 Run commit

The configuration is committed.

The configured alarm threshold and intervals still take effect after the undo alarm
drop-rate enable and then alarm drop-rate enable commands are used.

----End

1.1.11.5 Configuring Local URPF


This section describes how to configure local URPF.

Usage Scenario
When a large number of packets on the network are to be sent to the CPU, you
can apply URPF to check whether their source IP addresses are valid, so that
packets with invalid source IP addresses are discarded. This prevents source IP
address spoofing attacks and flood attacks.

The local URPF function is applied to the packets to be sent to the CPU only. In
this case, the CPU processes only normal packets and therefore its performance is
not affected.

In VS mode, this feature is supported only by the admin VS.

Pre-configuration Tasks
Before configuring local URPF, configure parameters of the link layer protocol and
IP addresses for the interfaces and ensure that the status of the link layer
protocol on the interfaces is Up.


1.1.11.5.1 Creating the Attack Defense Policy


All local attack defense features must be added to an attack defense policy. These
features take effect after the attack defense policy is applied to the interface
board.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run cpu-defend policy policy-number

An attack defense policy is created.

Step 3 (Optional) Run description text

The description of the attack defense policy is configured.

Step 4 Run commit

The configuration is committed.

----End

Follow-up Procedure
You must run the cpu-defend-policy command on the interface board to apply
the attack defense policy to the interface board. In this manner, the configured
attack defense policy can take effect.

1.1.11.5.2 Configuring Local URPF


The local URPF function checks only the packets to be sent to the CPU,
preventing the CPU from processing excessive packets and ensuring the proper
performance of the device.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run ip urpf { loose | strict } [ allow-default ]

Local URPF is configured.

Step 4 Run commit

The configuration is committed.

----End
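
As an added illustration (not NE9000 code), the following Python model shows how the loose and strict modes and the allow-default keyword of ip urpf decide whether a CPU-bound packet passes the source address check; the FIB entries, interface names and the treatment of the default route are assumptions of the model.

```python
"""Model of the local URPF source check: ip urpf { loose | strict } [ allow-default ].
Added example, not NE9000 code. The FIB, interface names and the exact handling of
the default route are assumptions of this model."""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (prefix, outgoing interface) as a simplified FIB entry

# Constructed FIB: a default route to the upstream plus two customer prefixes.
FIB: List[Route] = [
    ("0.0.0.0/0", "GE0/1/0"),
    ("10.1.0.0/16", "GE0/1/1"),
    ("10.2.0.0/16", "GE0/1/2"),
]


def lookup(fib: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match of addr in fib; None if no entry covers it."""
    target = ip_address(addr)
    best: Optional[Route] = None
    for prefix, iface in fib:
        net = ip_network(prefix)
        if target in net and (best is None or net.prefixlen > ip_network(best[0]).prefixlen):
            best = (prefix, iface)
    return best


def urpf_check(fib: List[Route], src: str, ingress: str,
               mode: str = "loose", allow_default: bool = False) -> bool:
    """Return True if a CPU-bound packet with source src arriving on ingress passes.

    loose : any FIB route covering the source is enough.
    strict: the route covering the source must point back out of the ingress interface.
    allow-default: without it, a source matched only by the default route fails.
    """
    if mode not in ("loose", "strict"):
        raise ValueError("mode must be 'loose' or 'strict'")
    hit = lookup(fib, src)
    if hit is None:
        return False                    # unroutable source: spoofed or bogon
    prefix, iface = hit
    if ip_network(prefix).prefixlen == 0 and not allow_default:
        return False                    # only the default route covers the source
    if mode == "strict":
        return iface == ingress         # reverse path must leave via the ingress interface
    return True


def apply_policy(fib: List[Route], packets, mode: str, allow_default: bool):
    """Split (src, ingress) tuples into those passed to the CPU and those dropped."""
    passed, dropped = [], []
    for src, ingress in packets:
        bucket = passed if urpf_check(fib, src, ingress, mode, allow_default) else dropped
        bucket.append((src, ingress))
    return passed, dropped


# Constructed CPU-bound packets: (source address, ingress interface)
SAMPLE = [
    ("10.1.5.5", "GE0/1/1"),     # customer A address from customer A's interface
    ("10.1.5.5", "GE0/1/2"),     # customer A address arriving from customer B: spoofed
    ("203.0.113.9", "GE0/1/0"),  # internet source, covered only by the default route
    ("203.0.113.9", "GE0/1/1"),  # internet source arriving from a customer port
]

if __name__ == "__main__":
    for mode in ("loose", "strict"):
        for allow_default in (False, True):
            ok, drop = apply_policy(FIB, SAMPLE, mode, allow_default)
            print(f"{mode:6} allow-default={allow_default!s:5} passed={len(ok)} dropped={len(drop)}")
```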


1.1.11.5.3 Applying the Attack Defense Policy


The configured attack defense policy takes effect only after being applied to the
interface board.

Context
The NE9000 defines a default attack defense policy. This policy cannot be
modified or deleted. When the NE9000 starts, this policy is automatically applied
to the interface board. Configurations in the policy are default configurations of
each feature. To apply a specified attack defense policy to the interface board, you
need to run the cpu-defend-policy policy-number command on the interface
board to bind the policy to be applied to the interface board. If the cpu-defend-
policy policy-number command is not used, the default attack defense policy is
applied to the interface board.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run slot slot-id
The slot view is displayed.
Step 3 Run cpu-defend-policy policy-number
The attack defense policy is applied to the interface board.
You must apply the attack defense policy to the interface board; otherwise, the
policy does not take effect.
The attack defense policy specified by policy-number must be a configured one.
Otherwise, the policy cannot be applied.
Step 4 Run commit
The configuration is committed.

----End

1.1.11.5.4 Verifying the Local URPF Configuration


By running display commands, you can view the configured local URPF functions.

Procedure
Step 1 Run the display cpu-defend urpf statistics [ slot slot-id ] command to check the
checking information about local URPF.

----End

1.1.11.6 Configuring TCP/IP Attack Defense


Defense against TCP/IP attacks protects the CPU of the router against malformed
packets, fragmented packets, TCP SYN packets, and UDP packets, ensuring that
normal services can be processed.


Usage Scenario
Defense against TCP/IP attacks is applied to routers on the edge of the network
and other routers that are easily attacked by illegal TCP/IP packets. Defense
against TCP/IP attacks protects the CPU of the router against malformed
packets, fragmented packets, TCP SYN packets, and UDP packets, ensuring that
normal services can be processed.

In VS mode, this feature is supported only by the admin VS.

Pre-configuration Tasks
Before configuring TCP/IP attack defense, configure the parameters of the link
layer protocol and IP addresses for interfaces and ensure that the link layer
protocol on the interfaces is Up.

1.1.11.6.1 Creating an Attack Defense Policy


All local attack defense features must be added to an attack defense policy. These
features take effect after the attack defense policy is applied to the interface
board.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run cpu-defend policy policy-number

An attack defense policy is created.

Step 3 (Optional) Run description text

The description of the attack defense policy is configured.

Step 4 Run commit

The configuration is committed.

----End

Follow-up Procedure
You must run the cpu-defend-policy command on the interface board to apply
the attack defense policy to the interface board. In this manner, the configured
attack defense policy can take effect.

1.1.11.6.2 Enabling Defense Against Malformed Packet Attacks


With defense against malformed packet attacks, the router checks the validity of
received packets and filters out illegal packets, thus defending the CPU against
attacks of IP packets with null load, null IGMP packets, LAND attack packets,
Smurf attack packets, and packets with invalid TCP flag bits.


Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Perform either of the following operations as required:


● Run the abnormal-packet-defend enable command to enable defense
against IPv4 malformed packet attacks.
● Run the ipv6-abnormal-packet-defend enable command to enable defense
against IPv6 malformed packet attacks.

Defense against IPv4 malformed packet attacks can defend against attacks of
various malformed packets, including IP packets with null load, null IGMP packets,
LAND attack packets, Smurf attack packets, and packets with invalid TCP flag bits.

Defense against IPv6 malformed packet attacks can defend against attacks of
various malformed packets, including LAND attack packets, and packets with
invalid TCP flag bits.

Step 4 Run commit

The configuration is committed.

----End

1.1.11.6.3 Enabling Defense Against Fragmented Packet Attacks


Defense against fragmented packet attacks protects the CPU by restricting the
sending rate of fragmented packets and ensuring the correctness of packet
reassembly.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run fragment-flood enable

Defense against fragmented packet attacks is enabled.

Step 4 Run commit

The configuration is committed.

----End


1.1.11.6.4 Enabling Defense Against TCP SYN Flooding Attacks


The TCP SYN flooding attack is a denial-of-service attack. Defense against TCP
SYN flooding attacks protects the CPU by restricting the rate at which packets are
sent to the CPU.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run cpu-defend policy policy-number
The attack defense policy view is displayed.
Step 3 Perform either of the following operations as required:
● Run the tcpsyn-flood enable command to enable defense against IPv4 TCP
SYN flooding attacks.
● Run the ipv6-tcpsyn-flood enable command to enable defense against IPv6
TCP SYN flooding attacks.
The TCP SYN flooding attack is a denial-of-service attack in which an attacker
sends a flood of TCP SYN packets to the target host, causing the target host to
become too busy to answer legitimate requests. In extreme cases, the target host
is suspended.
Step 4 Run commit
The configuration is committed.

----End

1.1.11.6.5 Enabling Defense Against UDP Packet Attacks


With defense against UDP packet attacks, the router can identify packets in
Fraggle attacks and attack packets on UDP diagnosis ports according to the
destination port of the received UDP packets.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run cpu-defend policy policy-number
The attack defense policy view is displayed.
Step 3 Perform either of the following operations as required:
● Run the udp-packet-defend enable command to enable defense against IPv4
UDP packet attacks.
● Run the ipv6-udp-packet-defend enable command to enable defense
against IPv6 UDP packet attacks.
Defense against UDP packet attacks protects the router against Fraggle attacks
and UDP diagnosis port attacks. UDP packets with the destination port number
being 7, 13, or 19 are regarded as malformed packets and directly discarded by
the router.

Step 4 Run commit

The configuration is committed.

----End
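
As an added illustration of the checks named in 1.1.11.6.2 and 1.1.11.6.5 (not NE9000 code), the following Python classifier flags IP packets with a null payload, null IGMP packets, LAND packets, Smurf packets, invalid TCP flag combinations, and UDP packets to destination ports 7, 13 and 19; the packet fields, the minimum IGMP length and the flag combinations treated as invalid are assumptions of the model.

```python
"""Classifier for the malformed-packet and UDP-port checks described in
1.1.11.6.2 and 1.1.11.6.5. Added example, not NE9000 code: the packet
fields, the IGMP minimum length and the TCP flag combinations treated as
invalid are assumptions of this model."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

# UDP destination ports the guide says are discarded outright (echo, daytime, chargen).
UDP_DIAGNOSIS_PORTS = {7, 13, 19}

# TCP flag combinations treated as invalid here (the guide does not enumerate them).
INVALID_TCP_FLAG_SETS = {
    frozenset(),                        # no flag bits set at all
    frozenset({"SYN", "FIN"}),          # SYN and FIN in the same segment
    frozenset({"SYN", "RST"}),
    frozenset({"FIN", "PSH", "URG"}),   # FIN/PSH/URG without ACK
}

IGMP_MIN_LEN = 8  # bytes of a complete IGMP header (assumption for the null-IGMP check)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp", "icmp" or "igmp"
    ip_payload_len: int               # bytes after the IP header, transport header included
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()    # TCP flag names, e.g. {"SYN", "ACK"}
    icmp_type: Optional[int] = None   # 8 = echo request
    dst_is_broadcast: bool = False    # destination is a directed or limited broadcast


def classify(pkt: Packet) -> Optional[str]:
    """Return the reason the packet would be dropped, or None if it may reach the CPU."""
    if pkt.ip_payload_len == 0:
        return "null-ip-payload"              # IP header with nothing behind it
    if pkt.proto == "igmp" and pkt.ip_payload_len < IGMP_MIN_LEN:
        return "null-igmp"                    # IGMP header truncated or empty
    if ip_address(pkt.src) == ip_address(pkt.dst):
        return "land"                         # source equals destination
    if pkt.proto == "icmp" and pkt.icmp_type == 8 and pkt.dst_is_broadcast:
        return "smurf"                        # echo request to a broadcast address
    if pkt.proto == "tcp" and frozenset(pkt.flags) in INVALID_TCP_FLAG_SETS:
        return "invalid-tcp-flags"
    if pkt.proto == "udp" and pkt.dport in UDP_DIAGNOSIS_PORTS:
        return "udp-diagnosis-port"           # Fraggle / diagnosis-port traffic
    return None


def filter_to_cpu(packets) -> Tuple[List[Packet], Dict[str, int]]:
    """Split packets into those passed to the CPU and a per-reason count of drops."""
    accepted: List[Packet] = []
    drops: Dict[str, int] = {}
    for pkt in packets:
        reason = classify(pkt)
        if reason is None:
            accepted.append(pkt)
        else:
            drops[reason] = drops.get(reason, 0) + 1
    return accepted, drops


# Constructed sample traffic, not a capture.
SAMPLE = [
    Packet("192.0.2.10", "198.51.100.1", "tcp", 20, 40000, 179, frozenset({"SYN"})),  # BGP open
    Packet("198.51.100.1", "198.51.100.1", "tcp", 20, 179, 179, frozenset({"SYN"})),  # LAND
    Packet("192.0.2.10", "198.51.100.255", "icmp", 8, icmp_type=8, dst_is_broadcast=True),  # Smurf
    Packet("192.0.2.10", "198.51.100.1", "tcp", 20, 40001, 22, frozenset({"SYN", "FIN"})),  # bad flags
    Packet("192.0.2.10", "198.51.100.1", "udp", 8, 40002, 19),    # chargen port
    Packet("192.0.2.10", "198.51.100.1", "udp", 60, 40003, 161),  # SNMP, passes
    Packet("192.0.2.10", "198.51.100.1", "igmp", 4),              # truncated IGMP
    Packet("192.0.2.10", "198.51.100.1", "icmp", 0),              # IP header only
]

if __name__ == "__main__":
    ok, dropped = filter_to_cpu(SAMPLE)
    print(f"{len(ok)} accepted, drops by reason: {dropped}")
```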

1.1.11.6.6 Applying the Attack Defense Policy


The configured attack defense policy takes effect only after being applied to the
interface board.

Context
The NE9000 defines a default attack defense policy. This policy cannot be
modified or deleted. When the NE9000 starts, this policy is automatically applied
to the interface board. Configurations in the policy are default configurations of
each feature. To apply a specified attack defense policy to the interface board, you
need to run the cpu-defend-policy policy-number command on the interface
board to bind the policy to be applied to the interface board. If the cpu-defend-
policy policy-number command is not used, the default attack defense policy is
applied to the interface board.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run slot slot-id

The slot view is displayed.

Step 3 Run cpu-defend-policy policy-number

The attack defense policy is applied to the interface board.

You must apply the attack defense policy to the interface board; otherwise, the
policy does not take effect.

The attack defense policy specified by policy-number must be a configured one.
Otherwise, the policy cannot be applied.

Step 4 Run commit

The configuration is committed.

----End

1.1.11.6.7 Verifying the TCP/IP Attack Defense Configuration


After defense against TCP/IP attacks is configured, you can view the statistics
about it, including the total number of illegal TCP/IP packets, the number of legal
TCP/IP packets, and the number of discarded packets.


Procedure
Step 1 Run the display cpu-defend tcpip-defend statistics [ slot slot-id ] [ ap-id ap-id ]
command to view information about defense against TCP/IP attacks.
Step 2 Run the display cpu-defend tcpip-defend-v6 statistics [ slot slot-id ] [ ap-id ap-
id ] command to view information about defense against TCP/IPv6 attacks.
----End

1.1.11.7 Configuring Invalid ND Packet Attack Defense

Usage Scenario
Invalid ND packet attack defense is implemented by filtering out six types of
invalid ND packets (NS/NA/RS/RA/Redirect/CPS) to protect the CPU.
In VS mode, this feature is supported only by the admin VS.

Prerequisites
None

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run set nd packet filter enable
Invalid ND packet attack defense is enabled.
Step 3 Run commit
The configuration is committed.

----End

Verifying the Configuration of Invalid ND Packet Attack Defense


After configuring invalid ND packet attack defense, verify the configuration.
Run the display nd packet filter statistics [ slot slot-id ] command to check
statistics about invalid ND packet attack defense.

1.1.11.8 Configuring the CAR


This section describes how to configure the CAR.

Usage Scenario
When a large number of users access the router, many packets need to be sent to
the CPU for processing. In such a case, the router is prone to attacks. To
protect the router from attacks, you need to configure the CAR on the router.


In VS mode, this feature is supported only by the admin VS.

Pre-configuration Tasks
Before configuring the CAR, connect interfaces and set the physical parameters of
the interfaces and ensure that their physical layer status is Up.

1.1.11.8.1 Creating an Attack Defense Policy


All local attack defense features must be added to an attack defense policy. These
features take effect after the attack defense policy is applied to the interface
board.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run cpu-defend policy policy-number

An attack defense policy is created.

Step 3 (Optional) Run description text

The description of the attack defense policy is configured.

Step 4 Run commit

The configuration is committed.

----End

Follow-up Procedure
You must run the cpu-defend-policy command on the interface board to apply
the attack defense policy to the interface board. In this manner, the configured
attack defense policy can take effect.

1.1.11.8.2 Configuring a Whitelist


This section describes how to configure a whitelist. Secure packets that match ACL
rules can be added to the whitelist and then provided with higher bandwidth.

Prerequisites
The ACL bound to the whitelist must be a configured one. You cannot bind a non-
existing ACL to the whitelist. When the ACL is bound to the whitelist, all the
packets that match the ACL rules are added to the whitelist automatically. The
whitelist function must be enabled. Otherwise, the self-defined whitelist does not
take effect although you can configure a self-defined whitelist.

NOTE

On the router, a whitelist must be configured for monitored network elements to ensure
that their services run smoothly.


Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run whitelist [ ipv6 ] acl { acl-number | name acl-name }

The whitelist is configured.

The packets generated by Active Link Protection (ALP) are dynamically added to the
whitelist.

A self-defined whitelist can be bound to only one ACL. If you bind a self-defined
whitelist to several ACLs, only the latest configuration takes effect. An address or
port pool can be specified in an ACL rule, and the ACL rule can be delivered.

NOTE

● The address pool function can be delivered in the attack defense policy only when the
cp-acl ip-pool enable command is configured.
● By default, the IPv6 address pool function is disabled in an attack defense policy. If this
function is disabled, the device can only deliver source address pool rules of the BGP
IPv6 peer type based on a whitelist. To enable the device to support other types of IPv6
address pool rules, run the cp-acl ipv6-pool enable command.
● The vpn-instance field in an ACL configured in an attack defense policy can be
delivered and takes effect only when the cp-acl vpn-instance enable command is
configured.
● The ports in the port pool specified in a delivered ACL take effect based on the
configuration order instead of the lexicographical order.
● If the ACL rule in which both a port pool and a TTL range are specified is delivered, the
TTL range does not take effect.
● ACL rules with the neq parameter are not supported.
● If the address pool function is not enabled, the ACL rule in which both address and port
pools are specified cannot be delivered.

Step 4 (Optional) Run ipv6-enhance acl enable

Some IPv6 packets to be sent to the CPU are matched against the ACL that
contains a blacklist, whitelist, or user-defined flow.

Step 5 (Optional) Run cp-acl ip-pool enable

The address pool function is enabled for an attack defense policy.

NOTE

Before enabling the address pool function for an attack defense policy, configure an address
pool and bind the address pool to an ACL rule.

Step 6 (Optional) Run cp-acl ipv6-pool enable

The IPv6 address pool function is enabled for an attack defense policy.


NOTE

Before enabling the address pool function for an attack defense policy, configure an address
pool and bind the address pool to an ACL rule.

Step 7 (Optional) Run cp-acl ipv6-fragment enable

The CPACL is enabled to support fragmented IPv6 packets.
Step 8 (Optional) Run cp-acl vpn-instance enable
The VPN field in the attack defense policy is configured to take effect.
Step 9 (Optional) Run acl ipv4-multicast-fib-miss enable
Enable IPv4 MFIB-MISS packets to match against ACLs in the blacklist, whitelist, or
user-defined flow.
Step 10 (Optional) Run acl dhcp-discover enable
Enable DHCP-DISCOVER packets to match against ACLs in the blacklist, whitelist,
or user-defined flow.
Step 11 Run commit
The configuration is committed.

----End

1.1.11.8.3 Configuring a Blacklist


This section describes how to configure a blacklist. Insecure packets that match
ACL rules can be added to the blacklist and then provided with lower bandwidth.

Prerequisites
The ACL bound to the blacklist must be a configured one. You cannot bind a non-
existing ACL to the blacklist. When the ACL is bound to the blacklist, all the
packets that match the ACL rules are added to the blacklist automatically. The
blacklist function must be enabled. Otherwise, the self-defined blacklist does not
take effect although you can configure a self-defined blacklist.

Context
If you determine that certain packets cannot be sent to the CPU or are invalid, you
can add them to the blacklist by setting ACL rules. In this manner, you can discard
these packets. All the users in the blacklist need to be manually configured. There
is no default user in the blacklist.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run cpu-defend policy policy-number
The attack defense policy view is displayed.


Step 3 Run blacklist [ ipv6 ] acl { acl-number | name acl-name }

A self-defined blacklist is created.

A self-defined blacklist can be bound to only one ACL. If you bind a self-defined
blacklist to several ACLs, only the latest configuration takes effect. An address or
port pool can be specified in an ACL rule, and the ACL rule can be delivered.

NOTE

● The address pool function can be delivered in the attack defense policy only when the
cp-acl ip-pool enable command is configured.
● By default, the IPv6 address pool function is disabled in an attack defense policy. If this
function is disabled, the device can only deliver source address pool rules of the BGP
IPv6 peer type based on a blacklist. To enable the device to support other types of IPv6
address pool rules, run the cp-acl ipv6-pool enable command.
● The vpn-instance field in an ACL configured in an attack defense policy can be
delivered and takes effect only when the cp-acl vpn-instance enable command is
configured.
● The ports in the port pool specified in a delivered ACL take effect based on the
configuration order instead of the lexicographical order.
● If the ACL rule in which both a port pool and a TTL range are specified is delivered, the
TTL range does not take effect.
● ACL rules with the neq parameter are not supported.
● If the address pool function is not enabled, the ACL rule in which both address and port
pools are specified cannot be delivered.

Step 4 (Optional) Run ipv6-enhance acl enable

Some IPv6 packets to be sent to the CPU are matched against the ACL that
contains a blacklist, whitelist, or user-defined flow.

Step 5 (Optional) Run cp-acl ip-pool enable

The address pool function is enabled for an attack defense policy.

NOTE

Before enabling the address pool function for an attack defense policy, configure an address
pool and bind the address pool to an ACL rule.

Step 6 (Optional) Run cp-acl ipv6-pool enable

The IPv6 address pool function is enabled for an attack defense policy.

NOTE

Before enabling the address pool function for an attack defense policy, configure an address
pool and bind the address pool to an ACL rule.

Step 7 (Optional) Run cp-acl ipv6-fragment enable

The CPACL is enabled to support fragmented IPv6 packets.

Step 8 (Optional) Run cp-acl vpn-instance enable

The VPN field in the attack defense policy is configured to take effect.

Step 9 (Optional) Run acl ipv4-multicast-fib-miss enable


Enable IPv4 MFIB-MISS packets to match against ACLs in the blacklist, whitelist, or
user-defined flow.
Step 10 (Optional) Run acl dhcp-discover enable
Enable DHCP-DISCOVER packets to match against ACLs in the blacklist, whitelist,
or user-defined flow.
Step 11 Run commit
The configuration is committed.

----End

1.1.11.8.4 Configuring User-Defined Flow Rules


This section describes how to configure customized traffic. You can perform traffic
policing by matching a specified type of traffic with ACL rules.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run cpu-defend policy policy-number
The attack defense policy view is displayed.
Step 3 Run user-defined-flow flow-id acl { acl-number | name acl-name } [ prior ] or
user-defined-flow flow-id ipv6 acl { acl-number | name acl-name }
A user-defined flow is configured. An address or port pool can be specified in an
ACL rule, and the ACL rule can be delivered.

NOTE

● The address pool function can be delivered in the attack defense policy only when the
cp-acl ip-pool enable command is configured.
● By default, the IPv6 address pool function is disabled in an attack defense policy. If this
function is disabled, the device can only deliver source address pool rules of the BGP
IPv6 peer type based on the user-defined flow. To enable the device to support other
types of IPv6 address pool rules, run the cp-acl ipv6-pool enable command.
● The vpn-instance field in an ACL configured in an attack defense policy can be
delivered and takes effect only when the cp-acl vpn-instance enable command is
configured.
● The ports in the port pool specified in a delivered ACL take effect based on the
configuration order instead of the lexicographical order.
● If the ACL rule in which both a port pool and a TTL range are specified is delivered, the
TTL range does not take effect.
● ACL rules with the neq parameter are not supported.
● If the address pool function is not enabled, the ACL rule in which both address and port
pools are specified cannot be delivered.

Step 4 (Optional) Run ipv6-enhance acl enable

Some IPv6 packets to be sent to the CPU are matched against the ACL that
contains a blacklist, whitelist, or user-defined flow.


Step 5 (Optional) Run cp-acl ip-pool enable


The address pool function is enabled for an attack defense policy.

NOTE

Before enabling the address pool function for an attack defense policy, configure an address
pool and bind the address pool to an ACL rule.

Step 6 (Optional) Run cp-acl ipv6-pool enable


The address pool function is enabled for an attack defense policy.

NOTE

Before enabling the address pool function for an attack defense policy, configure an address
pool and bind the address pool to an ACL rule.

Step 7 (Optional) Run cp-acl ipv6-fragment enable

The CPACL is enabled to support fragmented IPv6 packets.
Step 8 (Optional) Run cp-acl vpn-instance enable
The VPN field in the attack defense policy is configured to take effect.
Step 9 (Optional) Run acl ipv4-multicast-fib-miss enable
Enable IPv4 MFIB-MISS packets to match against ACLs in the blacklist, whitelist, or
user-defined flow.
Step 10 (Optional) Run acl dhcp-discover enable
Enable DHCP-DISCOVER packets to match against ACLs in the blacklist, whitelist,
or user-defined flow.
Step 11 Run commit
The configuration is committed.

----End

1.1.11.8.5 Configuring the Packet Matching Order


After the packets to be sent to the CPU pass the GTSM check, set the matching
sequence of packets: TCPSYN packets, packet fragments, dynamic link protection,
whitelist, blacklist, and user-defined flow.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run cpu-defend policy policy-number
The attack defense policy view is displayed.
Step 3 Run process-sequence { fragment-flood | tcpsyn-flood | dynamic-link-protection | whitelist | blacklist | user-defined-flow | management-acl } &<7-7> or process-sequence { blacklist whitelist user-defined-flow | blacklist user-defined-flow whitelist | user-defined-flow blacklist whitelist | user-defined-flow whitelist blacklist | whitelist blacklist user-defined-flow | whitelist user-defined-flow blacklist } *

The matching sequence of packets to be sent to the CPU is set: TCPSYN packets,
packet fragments, dynamic link protection, management protocol ACL, whitelist,
blacklist, and user-defined flow.

NOTE

All parameters in the command are mandatory; specify them in the order required.

Step 4 Run commit

The configuration is committed.

----End

1.1.11.8.6 Configuring the CAR


This section describes how to configure the CAR. Traffic policing prevents packets
destined for the CPU from driving CPU usage so high that normal services are affected.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run car { protocol-name | index index | whitelist [ bgp | ldp | ospf | radius | rsvp | isis ] | whitelist-v6 [ bgpv6 | ospfv3 ] | blacklist | tcpsyn | fragment | user-defined-flow flow-id } { cir cir-value | cbs cbs-value | min-packet-length min-packet-length-value } *

The packet CAR is set.

Step 4 Run car total-packet { high | low | middle | total-packet-rate }

The rate of sending packets to the CPU is set.

Step 5 Run commit

The configuration is committed.

----End

1.1.11.8.7 Configuring the Packet Sending Priority


This section describes how to prioritize packets to be sent to the CPU. Sending
higher-priority packets preferentially can protect the CPU when the queues are full
of packets to be sent to the CPU.


Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run priority { protocol-name | index index | whitelist | whitelist-v6 | blacklist | tcpsyn | fragment | user-defined-flow flow-id } { high | middle | low | be | af1 | af2 | af3 | af4 | ef | cs6 | cs7 }

The packet sending priority is set.

Step 4 Run commit

The configuration is committed.

----End

1.1.11.8.8 Setting Bandwidth Values and Weights for the Protocol Group Whose
Packets Are to Be Sent to the CPU
You can specify the CIR and weight for a protocol group of packets to be sent to
the CPU according to the actual networking requirements. With this configuration,
if the queues of packets to be sent to the CPU are full, the packets of the specified
protocol group can still be processed by the CPU in time.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run protocol-group { whitelist | user-defined-flow | management | route-protocol | multicast | arp | mpls | access-user | link-layer | network-layer | system-message | blacklist | check-failed | fwddata-to-cp } { cir cir-value | weight weight-value } *

The bandwidth and weight are set for a specified protocol group.

Step 4 Set a weight for packets in a specified protocol queue of a protocol group.

Table 1-17 Setting weights for protocol queues

Operation: Set a weight for packets in a protocol queue of the whitelist protocol group.
Command: protocol-group whitelist queue { whitelist-bgp | whitelist-ldp | whitelist-management | whitelist-multicast | whitelist-reserve } weight weight-value

Operation: Set a weight for packets in a protocol queue of the user-defined flow protocol group.
Command: protocol-group user-defined-flow queue { user-define-flow-1 | user-define-flow-2 | user-define-flow-3 | user-define-flow-4 | user-define-flow-5 | user-define-flow-6 | user-define-flow-7 | user-define-flow-8 } weight weight-value

Operation: Set a weight for packets in a protocol queue of the management protocol group.
Command: protocol-group management queue { dcn | ftp | ntp | snmp | ssh | sshv6 | syslog | telnet } weight weight-value

Operation: Set a weight for packets in a protocol queue of the routing protocol group.
Command: protocol-group route-protocol queue { bgp | bgpv6 | isis | ospf | ospfv3 | rip } weight weight-value

Operation: Set a weight for packets in a protocol queue of multicast packets.
Command: protocol-group multicast queue { igmp | multicast-reserve | msdp | pim } weight weight-value

Operation: Set a weight for packets in a protocol queue of the ARP protocol group.
Command: protocol-group arp queue { arp | nd } weight weight-value

Operation: Set a weight for packets in a protocol queue of the MPLS protocol group.
Command: protocol-group mpls queue { ldp | oam-ping | rsvp | vxlan } weight weight-value

Operation: Set a weight for packets in a protocol queue of the user access protocol group.
Command: protocol-group access-user queue { bas-arp | bas-igmp | bas-nd | bas-trigger | dhcp | dhcpv6 | eapol | l2tp | lldp | ppp | vbas-reserve | web } weight weight-value

Operation: Set a weight for packets in a protocol queue of the link-layer protocol group.
Command: protocol-group link-layer queue { 3ah | bfd | link-detect | trunk | y1731 | interface-rdi | lag-check | lag-ping-trace | mac-vlan } weight weight-value

Operation: Set a weight for packets in a protocol queue of the network-layer protocol group.
Command: protocol-group network-layer queue { clock | default | dns | fragment | gre | hwtacas | icmp | icmpv6 | ipv4-reserve | ipv6-option | nhrp | vrrp | radius-diameter } weight weight-value

Operation: Set a weight for packets in a protocol queue of the system-message protocol group.
Command: protocol-group system-message queue system-message weight weight-value

Operation: Set a weight for packets in a protocol queue of the blacklist protocol group.
Command: protocol-group blacklist queue blacklist weight weight-value

Operation: Set a weight for packets in a protocol queue of the detection protocol group.
Command: protocol-group check-failed queue check-failed weight weight-value

Operation: Set a weight for packets in a protocol queue of the forwarded-packet protocol group.
Command: protocol-group fwddata-to-cp queue forward-data weight weight-value

Step 5 Set a weight for packets of a specified priority in a protocol queue.

Table 1-18 Setting weights for packets of specified priority values in protocol queues

Operation: Set a weight for packets with a specified priority in a specified protocol queue of the whitelist protocol group.
Command: protocol-group whitelist queue { whitelist-bgp | whitelist-ldp | whitelist-management | whitelist-multicast | whitelist-reserve } priority { be | af1 | af2 | af3 | af4 | ef | cs6 | cs7 } weight weight-value

Operation: Set a weight for packets with a specified priority in a specified protocol queue of the user-defined-flow protocol group.
Command: protocol-group user-defined-flow queue { user-define-flow-1 | user-define-flow-2 | user-define-flow-3 | user-define-flow-4 | user-define-flow-5 | user-define-flow-6 | user-define-flow-7 | user-define-flow-8 } priority { be | af1 | af2 | af3 | af4 | ef | cs6 | cs7 } weight weight-value

Operation: Set a weight for packets with a specified priority in a specified protocol queue of the management protocol group.
Command: protocol-group management queue { dcn | ftp | ntp | snmp | ssh | sshv6 | syslog | telnet } priority { be | af1 | af2 | af3 | af4 | ef | cs6 | cs7 } weight weight-value

Operation: Set a weight for packets with a specified priority in a specified protocol queue of the routing protocol group.
Command: protocol-group route-protocol queue { bgp | bgpv6 | isis | ospf | ospfv3 | rip } priority { be | af1 | af2 | af3 | af4 | ef | cs6 | cs7 } weight weight-value

Operation: Set a weight for packets with a specified priority in a specified protocol queue of the multicast protocol group.
Command: protocol-group multicast queue { igmp | multicast-reserve | msdp | pim } priority { be | af1 | af2 | af3 | af4 | ef | cs6 | cs7 } weight weight-value

Operation: Set a weight for packets with a specified priority in a specified protocol queue of the ARP protocol group.
Command: protocol-group arp queue { arp | nd } priority { be | af1 | af2 | af3 | af4 | ef | cs6 | cs7 } weight weight-value

Operation: Set a weight for packets with a specified priority in a specified protocol queue of the MPLS protocol group.
Command: protocol-group mpls queue { ldp | oam-ping | rsvp | vxlan } priority { be | af1 | af2 | af3 | af4 | ef | cs6 | cs7 } weight weight-value

Operation: Set a weight for packets with a specified priority in a specified protocol queue of the access-user protocol group.
Command: protocol-group access-user queue { bas-arp | bas-igmp | bas-nd | bas-trigger | dhcp | dhcpv6 | eapol | l2tp | lldp | ppp | vbas-reserve | web } priority { be | af1 | af2 | af3 | af4 | ef | cs6 | cs7 } weight weight-value

Operation: Set a weight for packets with a specified priority in a specified protocol queue of the link-layer protocol group.
Command: protocol-group link-layer queue { 3ah | bfd | link-detect | trunk | y1731 | interface-rdi | lag-check | lag-ping-trace | mac-vlan } priority { be | af1 | af2 | af3 | af4 | ef | cs6 | cs7 } weight weight-value

Operation: Set a weight for packets with a specified priority in a specified protocol queue of the network-layer protocol group.
Command: protocol-group network-layer queue { clock | default | dns | fragment | gre | hwtacas | icmp | icmpv6 | ipv4-reserve | ipv6-option | nhrp | vrrp | radius-diameter } priority { be | af1 | af2 | af3 | af4 | ef | cs6 | cs7 } weight weight-value

Operation: Set a weight for packets with a specified priority in a specified protocol queue of the system-message protocol group.
Command: protocol-group system-message queue system-message priority { be | af1 | af2 | af3 | af4 | ef | cs6 | cs7 } weight weight-value

Operation: Set a weight for packets with a specified priority in a specified protocol queue of the blacklist protocol group.
Command: protocol-group blacklist queue blacklist priority { be | af1 | af2 | af3 | af4 | ef | cs6 | cs7 } weight weight-value

Operation: Set a weight for packets with a specified priority in a specified protocol queue of the detection protocol group.
Command: protocol-group check-failed queue check-failed priority { be | af1 | af2 | af3 | af4 | ef | cs6 | cs7 } weight weight-value

Operation: Set a weight for packets with a specified priority in a specified protocol queue of the forwarded-packet protocol group.
Command: protocol-group fwddata-to-cp queue forward-data priority { be | af1 | af2 | af3 | af4 | ef | cs6 | cs7 } weight weight-value

Step 6 Run commit


The configuration is committed.
----End


1.1.11.8.9 Applying the Attack Defense Policy


The configured attack defense policy takes effect only after being applied to the
interface board.

Context
The NE9000 defines a default attack defense policy. This policy cannot be
modified or deleted. When the NE9000 starts, this policy is automatically applied
to the interface board. Configurations in the policy are default configurations of
each feature. To apply a specified attack defense policy to the interface board, you
need to run the cpu-defend-policy policy-number command on the interface
board to bind the policy to be applied to the interface board. If the cpu-defend-
policy policy-number command is not used, the default attack defense policy is
applied to the interface board.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run slot slot-id
The slot view is displayed.
Step 3 Run cpu-defend-policy policy-number
The attack defense policy is applied to the interface board.
You must apply the attack defense policy to the interface board; otherwise, the
policy does not take effect.
The attack defense policy specified by policy-number must be a configured one.
Otherwise, the policy cannot be applied.
Step 4 Run commit
The configuration is committed.

----End

1.1.11.8.10 Verifying the Configurations


By running the following display commands, you can view the configured CAR
functions.

Procedure
Step 1 Run the display cpu-defend policy policy-number command to check rules for
filtering the packets to be sent to the CPU.
Step 2 Run the display cpu-defend { all | application-apperceive | tcpip-defend | tcpip-defend-v6 | total-packet | urpf } statistics [ slot slot-id ] [ ap-id ap-id ] command to check statistics about packets discarded by CAR.
Step 3 Run the display cpu-defend protocol-group { whitelist | user-defined-flow | management | route-protocol | multicast | arp | mpls | access-user | link-layer | network-layer | all } configuration slot slot-id ap-id ap-id or display cpu-defend protocol-group { whitelist | user-defined-flow | management | route-protocol | multicast | arp | mpls | access-user | link-layer | network-layer | system-message | blacklist | check-failed | fwddata-to-cp | all } configuration slot slot-id command to check the bandwidth and weight of packets sent to the CPU in a protocol group.
Step 4 Run the display cpu-defend protocol-group { whitelist | user-defined-flow | management | route-protocol | multicast | arp | mpls | access-user | link-layer | network-layer | all } statistics slot slot-id ap-id ap-id or display cpu-defend protocol-group { whitelist | user-defined-flow | management | route-protocol | multicast | arp | mpls | access-user | link-layer | network-layer | system-message | blacklist | check-failed | fwddata-to-cp | all } statistics slot slot-id command to check statistics about protocol packets to be sent to the CPU in a protocol group.
Step 5 Run the following commands to check the weights of packets to be sent to the
CPU in protocol queues of the protocol groups.

Table 1-19 Displaying the weights of packets to be sent to the CPU in protocol queues of the protocol groups

Operation: Query the weight of packets to be sent to the CPU in a specific queue of the whitelist protocol group.
Command: display cpu-defend protocol-group whitelist queue { whitelist-bgp | whitelist-ldp | whitelist-management | whitelist-multicast | whitelist-reserve } configuration slot slot-id

Operation: Query the weight of packets to be sent to the CPU in a specific queue of the user-defined flow protocol group.
Command: display cpu-defend protocol-group user-defined-flow queue { user-define-flow-1 | user-define-flow-2 | user-define-flow-3 | user-define-flow-4 | user-define-flow-5 | user-define-flow-6 | user-define-flow-7 | user-define-flow-8 } configuration slot slot-id

Operation: Query the weight of packets to be sent to the CPU in a specific queue of the management protocol group.
Command: display cpu-defend protocol-group management queue { dcn | ftp | ntp | snmp | ssh | sshv6 | syslog | telnet } configuration slot slot-id

Operation: Query the weight of packets to be sent to the CPU in a specific queue of the routing protocol group.
Command: display cpu-defend protocol-group route-protocol queue { bgp | bgpv6 | isis | ospf | ospfv3 | rip } configuration slot slot-id

Operation: Query the weight of packets to be sent to the CPU in a specific queue of the multicast protocol group.
Command: display cpu-defend protocol-group multicast queue { igmp | multicast-reserve | msdp | pim } configuration slot slot-id

Operation: Query the weight of packets to be sent to the CPU in a specific queue of the ARP protocol group.
Command: display cpu-defend protocol-group arp queue { arp | nd } weight configuration slot slot-id

Operation: Query the weight of packets to be sent to the CPU in a specific queue of the MPLS protocol group.
Command: display cpu-defend protocol-group mpls queue { ldp | oam-ping | rsvp | vxlan } configuration slot slot-id

Operation: Query the weight of packets to be sent to the CPU in a specific queue of the access-user protocol group.
Command: display cpu-defend protocol-group access-user queue { bas-arp | bas-igmp | bas-nd | bas-trigger | dhcp | dhcpv6 | eapol | l2tp | lldp | ppp | vbas-reserve | web } configuration slot slot-id

Operation: Query the weight of packets to be sent to the CPU in a specific queue of the link-layer protocol group.
Command: display cpu-defend protocol-group link-layer queue { 3ah | bfd | link-detect | trunk | y1731 | interface-rdi | lag-check | lag-ping-trace | mac-vlan } configuration slot slot-id

Operation: Query the weight of packets to be sent to the CPU in a specific queue of the network-layer protocol group.
Command: display cpu-defend protocol-group network-layer queue { clock | default | dns | fragment | gre | hwtacas | icmp | icmpv6 | ipv4-reserve | ipv6-option | nhrp | vrrp | radius-diameter } configuration slot slot-id

Operation: Query the weight of packets to be sent to the CPU in a specific queue of the system-message protocol group.
Command: display cpu-defend protocol-group system-message queue system-message configuration slot slot-id

Operation: Query the weight of packets to be sent to the CPU in a specific queue of the blacklist protocol group.
Command: display cpu-defend protocol-group blacklist queue blacklist configuration slot slot-id

Operation: Query the weight of packets to be sent to the CPU in a specific queue of the detection protocol group.
Command: display cpu-defend protocol-group check-failed queue check-failed configuration slot slot-id

Operation: Query the weight of packets to be sent to the CPU in a specific queue of the forwarded-packet protocol group.
Command: display cpu-defend protocol-group fwddata-to-cp queue forward-data configuration slot slot-id

----End
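The following CLI session is an added example and is not taken from this guide or from Huawei. It strings the procedures in 1.1.11.8.4 to 1.1.11.8.10 together into one attack defense policy that rate-limits BGP packets from the expected peer range as a user-defined flow, applies the policy to an interface board, and then verifies it. The policy number (1), ACL number (3001), flow ID (1), slot (1), the peer address range, all CIR, CBS and weight values, and the prompts are assumed; the ACL rule syntax is standard VRP advanced-ACL syntax that this page does not describe. Lines starting with # are explanatory comments, not CLI input.

```text
# Added example (not from the guide): one local attack defense policy built from the steps above.
# Policy/ACL/flow/slot numbers, addresses, rate values and prompts are assumed.
<HUAWEI> system-view
# 1. Advanced ACL that matches BGP (TCP port 179) only from the expected peer range.
[~HUAWEI] acl number 3001
[*HUAWEI-acl4-advance-3001] rule 5 permit tcp source 10.1.0.0 0.0.255.255 destination-port eq 179
[*HUAWEI-acl4-advance-3001] quit
# 2. Attack defense policy (1.1.11.8.4): bind the ACL to user-defined flow 1.
[*HUAWEI] cpu-defend policy 1
[*HUAWEI-cpu-defend-policy-1] description protect-bgp-from-known-peers
[*HUAWEI-cpu-defend-policy-1] user-defined-flow 1 acl 3001
# 3. Matching order (1.1.11.8.5): whitelist, then blacklist, then the user-defined flow.
[*HUAWEI-cpu-defend-policy-1] process-sequence whitelist blacklist user-defined-flow
# 4. CAR (1.1.11.8.6): bound the flow and TCP SYN packets, and set the overall CPU-bound rate level.
[*HUAWEI-cpu-defend-policy-1] car user-defined-flow 1 cir 2000 cbs 4000
[*HUAWEI-cpu-defend-policy-1] car tcpsyn cir 500
[*HUAWEI-cpu-defend-policy-1] car total-packet middle
# 5. Priority (1.1.11.8.7): the flow is served first when the CPU queues fill up.
[*HUAWEI-cpu-defend-policy-1] priority user-defined-flow 1 high
# 6. Protocol group bandwidth and queue weight (1.1.11.8.8).
[*HUAWEI-cpu-defend-policy-1] protocol-group route-protocol cir 3000 weight 20
[*HUAWEI-cpu-defend-policy-1] protocol-group route-protocol queue bgp weight 40
[*HUAWEI-cpu-defend-policy-1] commit
[~HUAWEI-cpu-defend-policy-1] quit
# 7. Apply the policy to the interface board (1.1.11.8.9); until this is done the default policy stays in force.
[~HUAWEI] slot 1
[*HUAWEI-slot-1] cpu-defend-policy 1
[*HUAWEI-slot-1] commit
[~HUAWEI-slot-1] quit
# 8. Verify (1.1.11.8.10): the rules, the CAR drop counters, and the group and queue settings.
[~HUAWEI] display cpu-defend policy 1
[~HUAWEI] display cpu-defend all statistics slot 1
[~HUAWEI] display cpu-defend protocol-group route-protocol configuration slot 1
[~HUAWEI] display cpu-defend protocol-group route-protocol queue bgp configuration slot 1
```

The statistics output is the check that matters after deployment: drops in the user-defined flow or whitelist counters while sessions are stable mean the CIR is set below the legitimate protocol rate, whereas drops in the tcpsyn or blacklist counters are the policy doing its job.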

1.1.11.9 Configuring VLAN CAR


When an access device is under attack, you can configure VLAN CAR to restrict the
rate at which specific packets are sent to the CPU to protect the CPU against
attacks.


Usage Scenario
When an access device is under attack, you can configure port+VLAN-based CAR
to restrict the rate at which packets are sent to the CPU to protect the CPU
against attacks.

Prerequisites
None

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the interface interface-type interface-number command to enter the
interface view.
Step 3 Perform one of the following operations as required:
● On an Ethernet interface, Ethernet sub-interface, GE interface, GE sub-interface, Eth-Trunk interface, Eth-Trunk sub-interface, POS interface, IP-Trunk interface, or EVC sub-interface on which packets are encapsulated in untag or default mode, run the cp-rate-limit { port | { dhcp | dhcpv6 | icmp | icmpv6 | ldp-hello | rsvp | ospf | rip | pim | isis | vrrp | ospfv3 | ripng | pimv6 | vrrpv6 } * } cir cir-value [ cbs cbs-value ] [ prior ] command to set the rate at which ICMP/DHCP/DHCPv6/ICMPv6/LDP-HELLO/RSVP/OSPF/RIP/PIM/ISIS/VRRP/OSPFv3/RIPNG/PIMv6/VRRPv6 packets are sent to the CPU.
● On a sub-interface for dot1q VLAN tag termination or an EVC sub-interface on which packets are encapsulated in dot1q, untag or default mode, run the cp-rate-limit { port | { dhcp | dhcpv6 | icmp | icmpv6 | ldp-hello | rsvp | ospf | rip | pim | isis | vrrp | ospfv3 | ripng | pimv6 | vrrpv6 } } vlan vlan-id-begin [ to vlan-id-end ] cir cir-value [ cbs cbs-value [ prior ] ] command to set the rate at which ICMP/DHCP/DHCPv6/ICMPv6/LDP-HELLO/RSVP/OSPF/RIP/PIM/ISIS/VRRP/OSPFv3/RIPNG/PIMv6/VRRPv6 packets are sent to the CPU.
● On a sub-interface for QinQ VLAN tag termination or an EVC sub-interface on which packets are encapsulated in QinQ, untag or default mode, run the cp-rate-limit { port | { dhcp | dhcpv6 | icmp | icmpv6 | ldp-hello | rsvp | ospf | rip | pim | isis | vrrp | ospfv3 | ripng | pimv6 | vrrpv6 } } pe-vid pe-vid ce-vid ce-vid-begin [ to ce-vid-end ] cir-value [ cbs cbs-value ] [ prior ] command to set the rate at which ICMP/DHCP/DHCPv6/ICMPv6/LDP-HELLO/RSVP/OSPF/RIP/PIM/ISIS/VRRP/OSPFv3/RIPNG/PIMv6/VRRPv6 packets are sent to the CPU.
----End

Checking the Configurations


After configuring VLAN CAR, check the configurations.
Run the display cp-rate-limit command to check statistics about all protocol
packets or specific protocol packets that attack an interface.

1.1.11.10 Configuring ND VLAN CAR


ND VLAN CAR allows you to limit the rate of ND packets on the attacked interface
without affecting other interfaces. This minimizes the impact of attacks on devices
and services. After the alarm function is enabled for ND VLAN CAR and the
number of ND packets to be sent to the CPU exceeds the threshold configured for
ND VLAN CAR, an alarm is reported.

Context
Configure ND VLAN CAR on interfaces of the router.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run slot slot-id
The slot view is displayed.
Step 3 Run undo alarm ipv6 nd { na | ns-multicast | ns-unicast } attack disable
The alarm function is enabled for ND VLAN CAR.
In VS mode, this feature is supported only by the admin VS.
Step 4 Run quit
Return to the system view.
Step 5 Run interface interface-type interface-number
The interface view is displayed.
Step 6 Run ipv6 nd { na | ns-multicast | ns-unicast } rate-limit rate
The rate limit of ND VLAN CAR for ND packets on an interface is configured.
Step 7 Run quit
Return to the system view.
Step 8 (Optional)
1. Run slot slot-id
The slot view is displayed.
2. Run ipv6 nd { na | ns-multicast | ns-unicast } rate-limit-percent rate-value
The percentage of the bandwidth of level-2 CAR for ND VLAN CAR in the
bandwidth of CP-CAR for ND protocol packets is configured.
In VS mode, this feature is supported only by the admin VS.
3. Run quit
Return to the system view.

----End

Checking the Configuration


After configuring ND VLAN CAR, verify the configuration.


1. Run the display ipv6 nd { na | ns-multicast | ns-unicast } rate-limit interface { interface-type interface-num | interface-name } command to check the ND packet rate limit of an interface.
2. Run the display ipv6 nd { na | ns-multicast | ns-unicast } attack interface { interface-type interface-num | interface-name } [ vlan-id vlan-number | pe-vid pe-vid ce-vid ce-vid ] [ history ] command to check the ND attack information on an interface.
3. Run the display ipv6 nd { na | ns-multicast | ns-unicast } attack slot { slotid | all } [ history ] command to check the ND attack information of a slot.

1.1.11.11 Configuring Interface-based CAR


When an access device is under attack, you can configure interface-based CAR to
restrict the rate at which all or specific packets are sent to the CPU to protect the
CPU against attacks.

Usage Scenario
When an access device is under attack, to protect the CPU against attacks,
configure interface-based CAR to restrict the rate at which all or specific protocol
packets are sent to the CPU.

Prerequisites
None

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number

The interface view is displayed.

Step 3 Run cp-rate-limit enhance { port | { dhcp | dhcpv6 | icmp | icmpv6 } } cir cir-
value [ cbs cbs-value ]

The rate at which all or specific protocol packets are sent to the CPU is restricted.

----End

Checking the Configurations


After configuring interface-based CAR, check the configurations.

Run the display cp-rate-limit [ enhance ] { port | dhcp | dhcpv6 | icmp | icmpv6 } [ slot slot-id ] [ verbose ] command to check statistics about interface-based CAR on the board.
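The following CLI session is an added example for the per-interface procedures in 1.1.11.9 to 1.1.11.11 and is not taken from this guide or from Huawei. It puts interface-based CAR on a physical port, VLAN CAR on a dot1q termination sub-interface, and ND VLAN CAR with its alarm on a third port, all on slot 1. The interface names, VLAN range, slot number and every rate value are assumed, and the sub-interface is assumed to already be configured for dot1q VLAN tag termination (that configuration is outside this section). Lines starting with # are explanatory comments, not CLI input.

```text
# Added example (not from the guide): per-interface CAR for CPU-bound packets.
# Interface names, VLAN IDs, slot number and rate values are assumed.
<HUAWEI> system-view
# Interface-based CAR (1.1.11.11) on a physical port: a bound for all CPU-bound packets,
# plus a tighter bound for ICMP alone.
[~HUAWEI] interface GigabitEthernet1/0/0
[~HUAWEI-GigabitEthernet1/0/0] cp-rate-limit enhance port cir 1000 cbs 2000
[*HUAWEI-GigabitEthernet1/0/0] cp-rate-limit enhance icmp cir 100
[*HUAWEI-GigabitEthernet1/0/0] quit
# VLAN CAR (1.1.11.9) on a dot1q termination sub-interface: limit DHCP per VLAN range
# so one access VLAN under attack cannot starve the others of CPU time.
[*HUAWEI] interface GigabitEthernet1/0/1.100
[*HUAWEI-GigabitEthernet1/0/1.100] cp-rate-limit dhcp vlan 100 to 199 cir 200 cbs 400
[*HUAWEI-GigabitEthernet1/0/1.100] quit
# ND VLAN CAR (1.1.11.10): alarm on the board, the share of the ND CP-CAR bandwidth that
# the level-2 CAR may use, and a per-interface limit for multicast NS packets.
[*HUAWEI] slot 1
[*HUAWEI-slot-1] undo alarm ipv6 nd ns-multicast attack disable
[*HUAWEI-slot-1] ipv6 nd ns-multicast rate-limit-percent 50
[*HUAWEI-slot-1] quit
[*HUAWEI] interface GigabitEthernet1/0/2
[*HUAWEI-GigabitEthernet1/0/2] ipv6 nd ns-multicast rate-limit 100
[*HUAWEI-GigabitEthernet1/0/2] quit
[*HUAWEI] commit
# Verify: per-protocol counters for the board, all VLAN CAR counters, the ND limit, and
# the ND attack records kept for the slot.
[~HUAWEI] display cp-rate-limit enhance icmp slot 1 verbose
[~HUAWEI] display cp-rate-limit
[~HUAWEI] display ipv6 nd ns-multicast rate-limit interface GigabitEthernet1/0/2
[~HUAWEI] display ipv6 nd ns-multicast attack slot 1 history
```

The display ipv6 nd ... attack output is worth polling from the monitoring system: it identifies which interface and VLAN the excess ND traffic arrived on, which is what you need to isolate the offending access port rather than raising the limit globally.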


1.1.11.12 Configuring Dynamic Link Protection


You can configure dynamic link protection to allow protocol packets used to
establish sessions to be preferentially sent to the CPU when the bandwidth is
guaranteed.

Usage Scenario
As various network protocol packets exist on a network, protocol packets that
require sessions to be established, such as BGP, IS-IS, and FTP protocol packets,
need sufficient bandwidth for session establishment. In the case of insufficient
bandwidth, packets used to establish sessions are dropped, causing the protocol
sessions not to be established. When the dynamic link protection function is
enabled, after a protocol session is established, sufficient bandwidth can be
allocated to ensure uninterrupted protocol sessions.
In VS mode, this feature is supported only by the admin VS.

Prerequisites
None

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run cpu-defend policy policy-number
The attack defense policy view is displayed.
Step 3 Run undo dynamic-link-protection disable
The dynamic link protection function is enabled.
Step 4 Run commit
The configuration is committed.

----End

Checking the Configurations


After configuring dynamic link protection, check the configurations.
Run the display cpu-defend policy policy-number command to view information
about the user-defined attack defense policy.

1.1.11.13 Configuring the Management Protocol ACL Delivering Function

Usage Scenario
When there is no need to filter out invalid management protocol packets to be
sent to the CPU using hardware, run the management-acl disable command to
disable the management protocol ACL delivering function. The management-acl
disable command takes effect for FTP, Telnet, SSH, and SNMP. For example, if an
FTP ACL is configured and the management-acl disable command is run, the FTP
ACL does not take effect.

In VS mode, this feature is supported only by the admin VS.

Prerequisites
None

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run undo management-acl disable

The management protocol ACL delivering function is enabled.

Step 4 Run commit

The configuration is committed.

----End

Checking the Configurations


After configuring the management protocol ACL delivering function, check the configurations.

Run the display cpu-defend policy policy-number command to view information
about the user-defined attack defense policy.

1.1.11.14 Configuring the Function of Receiving Broadcast ICMP Echo Request Packets

Usage Scenario
A device drops ICMP echo request packets that carry broadcast addresses
(including subnet broadcast and network broadcast addresses) as destination IP
addresses by default. When the device is required to normally process broadcast
ICMP echo request packets, run the icmp-broadcast-address-echo enable
command to enable the device to receive broadcast ICMP echo request packets.

In VS mode, this feature is supported only by the admin VS.

Prerequisites
None


Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run icmp-broadcast-address-echo enable

The system is enabled to receive broadcast ICMP echo request packets.

Step 4 Run commit

The configuration is committed.

----End

1.1.11.15 Configuring Application Layer Association


This section describes how to configure association between the application layer
and lower layers.

Usage Scenario
There are various application protocols on the router, but not all of them are used
in actual networking. To save CPU resources and defend against attacks,
unnecessary application protocol packets are not sent to the CPU for processing.

To save router resources, you can configure application layer association to have
only packets of the enabled protocol be sent to the CPU for processing. The
packets of the disabled protocol are sent to the CPU at a minimum bandwidth by
default.

When application layer association and protocols are enabled, packets are sent to
the CPU at the default bandwidth; when application layer association is enabled
but protocols are disabled, packets are sent to the CPU at a minimum bandwidth
or simply dropped. When application layer association is disabled, protocols are
not associated. In this case, packets are sent to the CPU at the default bandwidth
regardless of whether the protocols are enabled.

In VS mode, this feature is supported only by the admin VS.

Pre-configuration Tasks
Before configuring application layer association, configure parameters of the link
layer protocol and IP addresses for interfaces and ensure that the link layer
protocol on the interfaces is Up.

1.1.11.15.1 Creating an Attack Defense Policy


All local attack defense features must be added to an attack defense policy. These
features take effect after the attack defense policy is applied to the interface
board.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run cpu-defend policy policy-number
An attack defense policy is created.
Step 3 (Optional) Run description text
The description of the attack defense policy is configured.
Step 4 Run commit
The configuration is committed.

----End

Follow-up Procedure
You must run the cpu-defend-policy command on the interface board to apply
the attack defense policy to the interface board. In this manner, the configured
attack defense policy can take effect.

1.1.11.15.2 Setting the Mode of Processing the Packets Sent to the CPU
This section describes the default mode of handling protocol packets when
association between the application layer and lower layers is enabled whereas no
upper layer protocol is enabled.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run cpu-defend policy policy-number
An attack defense policy is created and the attack defense policy view is displayed.
Step 3 (Optional) Run undo application-apperceive disable
The application layer association is enabled.
To disable application layer association, you need to run the application-apperceive disable command.
Step 4 Run application-apperceive default-action { drop | min-to-cp }
The default mode of processing the packets to be sent to the CPU through
application layer association is set. The default mode can be drop or min-to-cp.
The advantage of the min-to-cp mode is that when a certain protocol for
application layer association is disabled because of attack, you can gather
information about the attack through attack source tracing. If the default mode is
set to drop, the possibility of being attacked is reduced, but the attack source may
be untraceable. You can select either mode as required.

Step 5 Run commit

The configuration is committed.

----End

1.1.11.15.3 Applying the Attack Defense Policy


The configured attack defense policy takes effect only after being applied to the
interface board.

Context
The NE9000 defines a default attack defense policy. This policy cannot be
modified or deleted. When the NE9000 starts, this policy is automatically applied
to the interface board. Configurations in the policy are default configurations of
each feature. To apply a specified attack defense policy to the interface board, you
need to run the cpu-defend-policy policy-number command on the interface
board to bind the policy to be applied to the interface board. If the cpu-defend-policy policy-number command is not used, the default attack defense policy is applied to the interface board.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run slot slot-id

The slot view is displayed.

Step 3 Run cpu-defend-policy policy-number

The attack defense policy is applied to the interface board.

You must apply the attack defense policy to the interface board; otherwise, the
policy does not take effect.

The attack defense policy specified by policy-number must be a configured one.
Otherwise, the policy cannot be applied.

Step 4 Run commit

The configuration is committed.

----End

1.1.11.15.4 Verifying the Application Layer Association Configuration

Procedure
Step 1 Run the display application-apperceive [ slot slot-id ] [ ap-id ap-id ] command
to view information about application layer association.

Step 2 Run the display cpu-defend application-apperceive statistics [ slot slot-id ]
[ ap-id ap-id ] command to view information about the packets discarded by
application layer association.

----End

1.1.11.16 Configuring Management and Service Plane Protection


This section describes how to configure management and service plane protection.
This function allows only specified protocol packets to be sent to CPUs, and
reduces malicious packet attacks on these CPUs to ensure that devices work
properly.

Applicable Environment
NOTE

Attacks intending to paralyze TCP/IP networks, especially network devices, continue to
increase at alarming rates. MPAC serves better for protecting devices against such attacks.
Using MPAC is recommended.

If the router is likely to be controlled by unauthorized users through non-management
interfaces or attacked by flooding packets, management and service plane protection
needs to be deployed. The protection function ensures that only specified management
interfaces will be allowed to receive management packets. Packets received by
non-management interfaces will be directly dropped. This saves resources.

NOTE

FTP, SSH, SNMP, TELNET, and TFTP are usually disabled globally on a device but enabled on
some specified interfaces. If the interfaces enabled with these protocols are all Down, the
global configurations will cease to take effect (that is, these protocols will be automatically
enabled on other interfaces), which ensures connectivity to the device.

NOTE

This configuration task is supported only on the Admin-VS.

Pre-configuration Tasks
Before configuring management and service plane protection, complete the
following task:

● Configuring link layer protocol parameters for interfaces to ensure that the
link layer protocol on the interfaces is Up

1.1.11.16.1 Configuring a Global Policy for Management and Service Plane Protection
A global policy for management and service plane protection can be applied to
the entire device to filter packets of certain types.

Context
Perform the following steps on the device.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ma-defend global-policy
A global policy for management and service plane protection is created.
Step 3 Run protocol { { bgp | ftp | isis | ldp | ospf | pimsm | rip | rsvp | snmp | ssh |
telnet | tftp } | ipv6 { bgp4plus | ftp | ospfv3 | ssh | telnet | pimsm } } { permit |
deny }
A rule about whether to send the packets of specified protocols to the CPU is
configured in the global policy.

NOTE

If FTP, SSH, SNMP, TFTP, or TELNET is disabled globally by running the protocol command
and is not enabled on any active interface, connectivity to the device will be interrupted.
(An active interface is an interface that can properly receive and send packets.)
To ensure connectivity to the device, configure additional active interfaces and enable these
protocols on them.

Step 4 Run enable
The global policy is enabled.
Step 5 Run commit
The configuration is committed.

----End

1.1.11.16.2 Configuring an Interface Board-based Policy for Management and Service Plane Protection
An interface board-based policy for management and service plane protection can
be applied to an interface board to filter packets of certain types.

Context
An interface board-based policy takes effect only on the specified interface board.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ma-defend slot-policy slot-policy-id
An interface board-based policy for management and service plane protection is
created.
Step 3 Run protocol { { bgp | ftp | isis | ldp | ospf | pimsm | rip | rsvp | snmp | ssh |
telnet | tftp } | ipv6 { bgp4plus | ftp | ospfv3 | ssh | telnet | pimsm } } { permit |
deny }

The rule about whether to send the packets of specified protocols to the CPU is
configured in the interface board-based policy.

NOTE

If FTP, SSH, SNMP, TFTP, or TELNET is disabled globally by running the protocol command
and is not enabled on any active interface, connectivity to the device will be interrupted.
(An active interface is an interface that can properly receive and send packets.)
To ensure connectivity to the device, configure additional active interfaces and enable these
protocols on them.

Step 4 Run quit

Return to the system view.

Step 5 Run slot slot-id

The slot view is displayed.

Step 6 Run ma-defend-slot slot-policy-id

The configured interface board-based policy is applied to the interface board in
the slot.

Step 7 Run commit

The configuration is committed.

----End

1.1.11.16.3 Configuring an Interface-based Policy for Management and Service Plane Protection
An interface-based policy for management and service plane protection can be
applied to an interface to filter packets of certain types.

Context
An interface-based policy takes effect only on the specified interface.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run ma-defend interface-policy interface-policy-id

An interface-based policy for management and service plane protection is created.

Step 3 Run protocol { { bgp | ftp | isis | ldp | ospf | pimsm | rip | rsvp | snmp | ssh |
telnet | tftp } | ipv6 { bgp4plus | ftp | ospfv3 | ssh | telnet | pimsm } } { permit |
deny }

A rule about whether to send the packets of specified protocols to the CPU is
configured in the interface-based policy.

NOTE

If all the active interfaces enabled with FTP, SSH, SNMP, TFTP, or TELNET are Down, connectivity
to the device will be interrupted. (An active interface is an interface that can properly receive
and send packets.) To ensure connectivity to the device, configure additional active interfaces
and enable these protocols on them.

Step 4 Run quit
Return to the system view.
Step 5 Run interface interface-type interface-number
The interface view is displayed.
Step 6 Run ma-defend-interface ma-defend-intf-policyid
The configured interface-based policy is applied to the interface.
Step 7 Run commit
The configuration is committed.

----End

1.1.11.16.4 Verifying the Configuration of Management and Service Plane Protection
After configuring management and service plane protection, you can run display
commands to check the configuration.

Procedure
● Run the display ma-defend { all | global-policy | interface-policy interface-policy-id | slot-policy slot-policy-id } command to check information about
policies for management and service plane protection.
----End

1.1.11.17 Configuring Layer 2 Loop Detection


This section describes how to configure Layer 2 loop detection.

Usage Scenario
Networks are prone to loops, and loops may occur due to various reasons, such as
incorrect link connection and loop prevention protocol failure on an attacked or
overloaded ring network. When a Layer 2 loop occurs on an interface, the
interface will receive a large number of broadcast and multicast packets, such as
Address Resolution Protocol (ARP) packets and Open Shortest Path First (OSPF)
packets.
To minimize service loss caused by Layer 2 loops, configure actions in response to
an existing or potential Layer 2 loop. This function allows protocols to work
normally and prevents major network faults.
The CPU determines whether to enable or disable Layer 2 loop detection based on
packet loss caused by the committed access rate (CAR). After Layer 2 loop
detection is enabled, the CPU will take the configured responsive action after
detecting an existing or a potential loop on an interface.
In VS mode, this feature is supported only by the admin VS.

Pre-configuration Tasks
None

1.1.11.17.1 Configuring Actions In Response to Layer 2 Loops


The CPU determines whether to enable or disable Layer 2 loop detection based on
packet loss caused by the committed access rate (CAR). After Layer 2 loop
detection is enabled, the CPU will take the configured actions in response to Layer
2 loops after the system detects an existing or a potential loop on an interface.

Context
The system can be configured to take one of the following actions in response to
an existing or possible Layer 2 loop on an interface:
● Shut down the interface: The system will shut down the interface only after
detecting an existing Layer 2 loop on the interface. This action stops the
interface from sending numerous packets to the CPU.
● Send a trap: The system will send a trap after detecting an existing or a
potential Layer 2 loop. The trap message can help a user locate the interface
where the Layer 2 loop has occurred or may occur.
● Send a trap and shut down the interface: The system will send a trap and shut
down the interface after detecting an existing Layer 2 loop on the interface.
● Ignore Layer 2 loops: The system neither shuts down the interface nor sends a
trap when a Layer 2 loop is detected.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run slot slot-id
The slot view is displayed.
Step 3 Run l2-loop-detect action { shutdown [ up-times up-times | up-interval up-interval ] * | trap disable }
A responsive action for Layer 2 loops is configured.

NOTE

● To enable the system to shut down the interface, run the l2-loop-detect action shutdown [ up-times up-times | up-interval up-interval ] * command.
● By default, the function of sending a trap is enabled. If the function is disabled, running the undo l2-loop-detect action trap disable command will enable it.
● To enable the system to send a trap and shut down the interface, run the undo l2-loop-detect action trap disable command to enable the function of sending a trap, and run the l2-loop-detect action shutdown [ up-times up-times | up-interval up-interval ] * command to enable the system to shut down the interface.
● To configure the system to ignore Layer 2 loops, run the undo l2-loop-detect action shutdown and l2-loop-detect action trap disable commands to disable the function of shutting down the interface and the function of sending a trap, respectively.

Step 4 Run commit

The configuration is committed.

----End

1.1.11.17.2 (Optional) Disabling Layer 2 Loop Detection


If you confirm that Layer 2 loops do not occur on a board, you can disable the
Layer 2 loop detection function to improve the fault locating efficiency.

Context

NOTICE

If you need to disable Layer 2 loop detection, contact Huawei technical support
engineers.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run slot slot-id

The slot view is displayed.

Step 3 Run l2-loop-detect disable

Layer 2 loop detection is disabled.

Step 4 Run commit

The configuration is committed.

----End

1.1.11.17.3 (Optional) Configuring the Layer 2 Loop Detection Threshold


If the Layer 2 loop detection threshold is not properly set, Layer 2 loop detection
may be unexpectedly enabled or display incorrect loop levels, affecting Layer 2
loop detection results. As a result, some services may be affected.

Context
The system calculates the default Layer 2 loop detection threshold based on the
packet loss detection and default algorithm. If the Layer 2 loop detection
threshold is not properly set, Layer 2 loop detection may not be enabled or be
unexpectedly enabled. To resolve this problem, perform the following operations
to modify the Layer 2 loop detection threshold:

NOTICE

It is recommended that you run this command with assistance from Huawei
engineers. Before performing the operation, obtain experience values of packet
loss statistics on the specified board.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run slot slot-id
The slot view is displayed.
Step 3 Run l2-loop-detect packets-drop-threshold packets-drop-threshold
The Layer 2 loop detection threshold is configured.
Step 4 (Optional) Run l2-loop-detect loop-level-threshold main-interface determined determined-threshold suspect suspect-threshold notification notification-threshold
The loop level threshold is configured on a detected main interface.
Step 5 (Optional) Run l2-loop-detect loop-level-threshold sub-interface determined determined-threshold suspect suspect-threshold notification notification-threshold
The loop level threshold is configured on a detected sub-interface.
The loop level threshold on a main interface must be greater than that on a
sub-interface. If the loop level threshold on a main interface is smaller than that
on a sub-interface and a loop occurs on the sub-interface, the system considers that
the loop occurs on the main interface, and detection on the sub-interface does not
take effect.
Step 6 Run commit
The configuration is committed.

----End
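
To see why the main-interface thresholds have to sit above the sub-interface thresholds, the following Python model is an added example and is not part of the NE9000 guide. It rests on two modelling assumptions that the guide does not document: a drop count is compared against the determined, suspect, and notification thresholds in that descending order, and drops observed on a sub-interface also count toward its main interface. The threshold values are constructed; real values come from the board's packet loss statistics.

```python
"""Layer 2 loop level thresholds: ordering check and level classification.

Added example, not from the NE9000 guide. Assumptions (not documented
behaviour): levels are ranked determined > suspect > notification, and drops
seen on a sub-interface are counted against its main interface as well.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoopLevelThreshold:
    """Packet-drop thresholds as given to l2-loop-detect loop-level-threshold."""
    determined: int
    suspect: int
    notification: int

    def validate(self):
        # Assumption: a stronger loop level needs more drops than a weaker one.
        if not (self.determined > self.suspect > self.notification > 0):
            raise ValueError("expected determined > suspect > notification > 0")
        return self

    def level(self, drops):
        """Map an observed drop count to a loop level ('none' if below all)."""
        if drops >= self.determined:
            return "determined"
        if drops >= self.suspect:
            return "suspect"
        if drops >= self.notification:
            return "notification"
        return "none"


def check_main_above_sub(main, sub):
    """Return the threshold names where main is NOT greater than sub (should be empty)."""
    return [name for name in ("determined", "suspect", "notification")
            if getattr(main, name) <= getattr(sub, name)]


def attribute_loop(main, sub, sub_drops):
    """Report which interface is flagged with a determined loop for drops seen
    on a sub-interface. Assumption: the drops also count on the main interface,
    so whichever determined threshold is lower fires first."""
    if main.level(sub_drops) == "determined":
        return "main-interface"  # sub-interface detection is masked
    if sub.level(sub_drops) == "determined":
        return "sub-interface"
    return "none"


# Constructed values for illustration only.
GOOD_MAIN = LoopLevelThreshold(6000, 4000, 2000).validate()
GOOD_SUB = LoopLevelThreshold(3000, 2000, 1000).validate()
BAD_MAIN = LoopLevelThreshold(2500, 1500, 500).validate()  # below the sub-interface values

if __name__ == "__main__":
    print("misordered thresholds (good):", check_main_above_sub(GOOD_MAIN, GOOD_SUB))
    print("misordered thresholds (bad): ", check_main_above_sub(BAD_MAIN, GOOD_SUB))
    print("3500 drops on a sub-interface, good main:", attribute_loop(GOOD_MAIN, GOOD_SUB, 3500))
    print("3500 drops on a sub-interface, bad main: ", attribute_loop(BAD_MAIN, GOOD_SUB, 3500))
```

With the well-ordered pair, 3500 drops on a sub-interface are attributed to that sub-interface; with the main-interface thresholds set below the sub-interface ones, the same drops are attributed to the main interface, which is the misattribution the guide warns about.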

1.1.11.17.4 Verifying the Layer 2 Loop Detection Configuration


Check information about Layer 2 loop detection on a specified board and
information about packets that cause Layer 2 loops on a specified board.

Procedure
Step 1 Run the display l2-loop-detect status-info slot slot-id command to check
information about Layer 2 loop detection on a specified board.

Step 2 Run the display l2-loop-detect packets-info slot slot-id command to check
information about packets that cause Layer 2 loops on a specified board.

----End

1.1.11.18 Configuring Layer 3 Loop Detection


Layer 3 loop detection reports traps when detecting a routing loop so that you can
take rapid measures to ensure proper service running.

Usage Scenario
The Layer 3 loop detection function detects whether a loop exists on a network. If
a routing loop is detected, the device reports a trap.

Perform the following operations when no routing loop trap information is
required.

NOTE

To ensure network reliability, exercise caution when running the l3-loop-detect disable
command.

In VS mode, this feature is supported only by the admin VS.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run l3-loop-detect disable

Layer 3 loop detection is disabled.

Step 3 Run commit

The configuration is committed.

----End

1.1.11.19 Maintaining Local Attack Defense


Before collecting attack defense statistics, delete the existing statistics.

Context

NOTICE

Attack defense statistics cannot be restored after being cleared. Therefore, exercise
caution when running the following reset anti-attack statistics commands.

Procedure
Step 1 To clear attack defense statistics, run the reset cpu-defend { all | application-apperceive | tcpip-defend | tcpip-defend-v6 | total-packet | urpf } statistics
[ slot slot-id ] [ ap-id ap-id ] command in the user view.

In VS mode, this command is supported only by the admin VS.

Step 2 To clear information about attack source tracing stored in the memory of the
interface board, run the reset attack-source-trace slot { slot-id | all } command in
the user view.

In VS mode, this command is supported only by the admin VS.

Step 3 To clear statistics about packets of a specified protocol group or all protocol
groups, run the reset cpu-defend protocol-group { whitelist | user-defined-flow
| management | route-protocol | multicast | arp | mpls | access-user | link-layer
| network-layer | all } statistics slot slot-id ap-id ap-id or reset cpu-defend
protocol-group { whitelist | user-defined-flow | management | route-protocol |
multicast | arp | mpls | access-user | link-layer | network-layer | system-message | blacklist | check-failed | fwddata-to-cp | all } statistics slot slot-id
command in the user view.

Step 4 To clear statistics about ND invalid packet attack defense, run the reset nd packet
filter statistics [ slot slot-id ] command in the user view.

Step 5 To clear ND attack statistics, run the reset ipv6 nd { na | ns-multicast | ns-unicast } attack interface { interface-type interface-num | interface-name } or
reset ipv6 nd { na | ns-multicast | ns-unicast } attack slot { slotid | all }
command in the user view.

----End

1.1.11.20 Configuration Examples for Local Attack Defense


This section describes the typical application scenario of local attack defense,
including networking requirements, configuration roadmap, and data preparation,
and provides related configuration files.

1.1.11.20.1 Example for Configuring Attack Defense for the CPU


Deploying attack defense protects the CPU against attacks and ensures normal
CPU processing.

Networking Requirements
As shown in Figure 1-24, Device A always receives excessive packets and thus the
volume of the traffic sent to Device A must be restricted.

Figure 1-24 Configuring local attack defense


NOTE

● The configurations in this example are performed on Device A, Device B, and Device C.
The NE9000 can function as Device A, Device B, or Device C.
● Interfaces 1 and 2 in this example represent GE 1/0/0 and GE 2/0/0, respectively.

Configuration Notes
These functions, however, are disabled in this configuration example.

Configuration Roadmap
The configuration roadmap is as follows:

1. On Device A, define a blacklist and limit the rate of sending packets to the
CPU by setting the CAR.
2. On Device B, configure TCP/IP attack defense, application layer association,
and attack source tracing.
3. On Device C, configure management plane protection.

Recommended Configuration
● Collect and classify protocols on the device. The system matches traffic to be
sent to the CPU in sequence and checks the TCP/IP attack packets first. If the
packets match the blacklist, the system discards the packets.
● Add valid protocol packets and the service packets that need protection to the
whitelist or a user-defined flow.
● Add attack, invalid, or unknown packets to the blacklist. Minimize the
bandwidth for them or directly drop them.

Data Preparation
To complete the configuration, you need the following data:
● Number of the attack defense policy
● Index of the packet to be sent to the CPU, number of the user-defined flow
● CIR and CBS values of the packet to be sent
● Sampling rate and file name for saving information about attack source
tracing
● Slot number of the interface board where board-level management plane
protection is to be applied
● Type and number of the interface where interface-level management plane
protection is to be applied
● Number of the interface board to which the attack defense policy is to be
applied

Procedure
Step 1 Configure an IP address for each interface. The configuration details are not
mentioned here.
Step 2 Configure the sending rule for the blacklist on Device A.
<DeviceA> system-view
[~DeviceA] acl 2001
[*DeviceA-acl4-basic-2001] rule deny fragment-type fragment
[*DeviceA-acl4-basic-2001] commit
[~DeviceA-acl4-basic-2001] quit
[~DeviceA] cpu-defend policy 4
[*DeviceA-cpu-defend-policy-4] blacklist acl 2001
[*DeviceA-cpu-defend-policy-4] car blacklist cir 1000
[*DeviceA-cpu-defend-policy-4] priority blacklist low
[*DeviceA-cpu-defend-policy-4] car total-packet 5000
[*DeviceA-cpu-defend-policy-4] alarm drop-rate blacklist enable
[*DeviceA-cpu-defend-policy-4] alarm drop-rate blacklist interval 60 threshold 1000
[*DeviceA-cpu-defend-policy-4] commit

Step 3 On Device B, configure the functions such as TCP/IP attack defense and
application layer association to defend against attack packets.
# Configure attack source tracing.
<DeviceB> system-view
[~DeviceB] cpu-defend policy 4
[*DeviceB-cpu-defend-policy-4] attack-source-trace enable
[*DeviceB-cpu-defend-policy-4] attack-source-trace sample-rate 1000

# Configure TCP/IP attack defense.
[*DeviceB-cpu-defend-policy-4] udp-packet-defend enable
[*DeviceB-cpu-defend-policy-4] abnormal-packet-defend enable

# Configure application layer association.
[*DeviceB-cpu-defend-policy-4] application-apperceive default-action min-to-cp
[*DeviceB-cpu-defend-policy-4] commit

Step 4 On Device C, configure management plane protection.
# Configure global management plane protection.
<DeviceC> system-view
[~DeviceC] ma-defend global-policy
[*DeviceC-app-sec-global] protocol bgp permit
[*DeviceC-app-sec-global] enable
[*DeviceC-app-sec-global] commit
[~DeviceC-app-sec-global] quit

# Configure board-level management plane protection.
[~DeviceC] ma-defend slot-policy 4
[*DeviceC-app-sec-slot-4] protocol ftp permit
[*DeviceC-app-sec-slot-4] commit
[~DeviceC-app-sec-slot-4] quit
[~DeviceC] slot 1
[~DeviceC-slot-1] ma-defend-slot 4
[*DeviceC-slot-1] commit
[~DeviceC-slot-1] quit

# Configure interface-level management plane protection.
[~DeviceC] ma-defend interface-policy 4
[*DeviceC-app-sec-interface-4] protocol ospf permit
[*DeviceC-app-sec-interface-4] commit
[~DeviceC-app-sec-interface-4] quit
[~DeviceC] interface gigabitethernet 2/0/0
[~DeviceC-GigabitEthernet2/0/0] ma-defend-interface 4
[*DeviceC-GigabitEthernet2/0/0] commit
[~DeviceC-GigabitEthernet2/0/0] quit

Step 5 Apply the attack defense policy.
Apply attack defense policy 4 on interface board 1 of Device A.
<DeviceA> system-view
[~DeviceA] slot 1
[*DeviceA-slot-1] cpu-defend-policy 4
[*DeviceA-slot-1] commit

Apply attack defense policy 4 on interface board 1 of Device B.
<DeviceB> system-view
[~DeviceB] slot 1
[~DeviceB-slot-1] cpu-defend-policy 4
[*DeviceB-slot-1] commit

Step 6 Verify the configuration.
# Run the display cpu-defend policy 4 command to check the rules configured in
attack defense policy 4.

----End

Configuration example of User Defined Flow


The following table lists the configuration plan for user-defined flows. You can
modify the entries or add more items based on the actual network conditions.

Table 1-20 Configuration planning for user defined flow

Class: Trusted network segment
Matched Content: Source IP address
Priority: High
Protection Action: Add source IP addresses on the trusted network segment to user-defined list 1. Set the rate limit for user-defined list 1 to 1 Mbit/s.
Remarks: Use ACL 3330 to filter packets containing source IP addresses on the trusted network segment.

Class: Routing protocol
Matched Content: BGP
Priority: High
Protection Action: Add BGP packets to user-defined list 2. Set the rate limit for user-defined list 2 to 1 Mbit/s.
Remarks: Use ACL 3331 to filter packets containing the IP address of the BGP peer.

Class: Routing protocol
Matched Content: LDP
Priority: High
Protection Action: Add LDP packets to user-defined list 3. Set the rate limit for user-defined list 3 to 1 Mbit/s.
Remarks: Use ACL 3332 to filter packets containing the source IP addresses of the LDP peer and directly connected interface.

Class: Routing protocol
Matched Content: OSPF, RIP
Priority: High
Protection Action: Add OSPF and RIP packets to user-defined list 4. Set the rate limit for user-defined list 4 to 1 Mbit/s.
Remarks: Use ACL 3333 to filter packets containing the source IP address of the OSPF neighbor.

Class: Routing protocol
Matched Content: ISIS
Priority: NA
Protection Action: NA
Remarks: No ACL is involved because IS-IS is a Layer 2 protocol. The CPU defend policy supports basic and advanced ACLs, that is, it can filter only Layer 3 and Layer 4 protocols.

Class: Protocol ensuring reliability
Matched Content: VRRP
Priority: Medium
Protection Action: Add VRRP packets to user-defined list 5. Set the rate limit for user-defined list 5 to 1 Mbit/s.
Remarks: Use ACL 3334 to filter VRRP packets.

Class: Multicast protocol
Matched Content: PIM, IGMP, MSDP
Priority: Medium
Protection Action: Add PIM, IGMP, and MSDP packets to user-defined list 6. Set the rate limit for user-defined list 6 to 1 Mbit/s.
Remarks: Use ACL 3335 to filter PIM, IGMP, and MSDP packets.

Class: Multicast protocol
Matched Content: Reserved multicast addresses
Priority: Medium
Protection Action: Add reserved multicast addresses to user-defined list 7. Set the rate limit for user-defined list 7 to 1 Mbit/s.
Remarks: Use ACL 3336 to filter packets containing the following reserved multicast addresses: 224.0.0.1, 224.0.0.2, 255.255.255.255.

Class: Access protocol
Matched Content: SSH, TELNET
Priority: Medium
Protection Action: Add Telnet packets to user-defined list 8. Set the rate limit for user-defined list 8 to 512 kbit/s.
Remarks: Use ACL 3337 to filter Telnet packets.

Class: Access protocol
Matched Content: FTP, TFTP
Priority: Low
Protection Action: Add FTP and TFTP packets to user-defined list 9. Set the rate limit for user-defined list 9 to 512 kbit/s.
Remarks: Use ACL 3338 to filter FTP and TFTP packets.

Class: Access protocol
Matched Content: FTP-DATA
Priority: Low
Protection Action: Add FTP-DATA to user-defined list 10. Do not set the rate limit for user-defined list 10.
Remarks: Use ACL 3339 to filter FTP-DATA.

Class: Network management protocols
Matched Content: SNMP
Priority: Low
Protection Action: Add SNMP packets to user-defined list 11. Set the rate limit for user-defined list 11 to 1 Mbit/s.
Remarks: Use ACL 3340 to filter SNMP packets.

Class: Service protocol
Matched Content: TACACS, NTP
Priority: Low
Protection Action: Add TACACS and NTP packets to user-defined list 12. Set the rate limit for user-defined list 12 to 512 kbit/s.
Remarks: Use ACL 3341 to filter TACACS (including standard TACACS and Huawei TACACS) and NTP packets.

Class: Tool protocol
Matched Content: ICMP
Priority: Low
Protection Action: Add ICMP packets to user-defined list 13. Set the rate limit for user-defined list 13 to 1 Mbit/s.
Remarks: Use ACL 3342 to filter ICMP TTL Exceeded packets, ICMP Port-unreachable packets, ICMP Echo packets, and ICMP Echo Reply packets.

Class: Other
Matched Content: Unknown or attack packets
Priority: Low
Protection Action: Reserve 256 KB best-effort bandwidth in the blacklist.
Remarks: Use ACL 3360 to filter unknown and attack packets.

NOTICE

This document only introduces a configuration example. The solution and data on
your actual network, such as the running protocols and the IP addresses used by
the protocols, may differ from this example. Check them and keep the
configuration consistent with your network.
If your network needs more configuration, such as more BGP or OSPF peers,
modify or add the rules in the corresponding ACL.

Configuration example of User Defined Flow

1. Add the source IP addresses on the trusted network segment to ACL 3330.

Source IP addresses on the trusted network segment indicate the IP addresses
allowed to access the device.
Example:
acl number 3330
rule permit ip source 10.1.1.0 0.0.0.255
rule permit ip source 10.1.2.0 0.0.0.255
...

If there are new trusted network segments, add them to ACL 3330. For example,
if a network maintenance engineer needs to telnet to the device to
troubleshoot, the source IP address needs to be added to this ACL. In an urgent
case, it is allowed to temporarily add rule permit ip instead. Delete the
temporary rule after troubleshooting is finished.
acl number 3330
rule permit ip source 10.1.1.0 0.0.0.255
...
rule permit ip
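
The wildcard-mask matching these rules rely on, and the effect of the temporary rule permit ip, can be checked offline before the ACL is pushed to the device. The following Python script is an added example and is not part of the NE9000 guide: it parses a constructed copy of the ACL 3330 text above, evaluates a source address against the rules in configuration order (first match wins), and lists any permit rule that carries no source restriction so that the temporary catch-all is not left behind.

```python
"""Evaluate Huawei-style advanced ACL rules of the form 'rule permit ip source A W'.

Added example, not from the NE9000 guide. It models first-match evaluation of
the ACL 3330 rules with a wildcard mask (0 bits must match, 1 bits are
ignored) and flags permit rules that carry no source restriction, such as the
temporary 'rule permit ip'.
"""
import ipaddress
import re

# Constructed sample: the trusted-segment ACL from the text.
TRUSTED_ACL = """\
acl number 3330
 rule permit ip source 10.1.1.0 0.0.0.255
 rule permit ip source 10.1.2.0 0.0.0.255
"""

# Constructed sample: the same ACL with the urgent catch-all rule still present.
TRUSTED_ACL_WITH_CATCHALL = TRUSTED_ACL + " rule permit ip\n"

# Matches 'rule [id] permit|deny ip [source <addr> <wildcard>]'.
RULE_RE = re.compile(
    r"^\s*rule\s+(?:\d+\s+)?(?P<action>permit|deny)\s+ip"
    r"(?:\s+source\s+(?P<addr>\S+)\s+(?P<wild>\S+))?\s*$"
)


def parse_acl(text):
    """Return the rules in configuration order as (action, (base, wildcard) | None)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # 'acl number ...' header or an unrelated line
        if m.group("addr") is None:
            rules.append((m.group("action"), None))  # no source restriction
            continue
        addr = int(ipaddress.IPv4Address(m.group("addr")))
        wild = int(ipaddress.IPv4Address(m.group("wild")))
        base = addr & ~wild & 0xFFFFFFFF  # the fixed bits of the source network
        rules.append((m.group("action"), (base, wild)))
    return rules


def acl_permits(text, src_ip):
    """True if the first rule matching src_ip permits it; False on deny or no match."""
    ip = int(ipaddress.IPv4Address(src_ip))
    for action, net in parse_acl(text):
        if net is None:
            return action == "permit"
        base, wild = net
        if (ip & ~wild & 0xFFFFFFFF) == base:
            return action == "permit"
    return False


def find_unscoped_permits(text):
    """Return permit rules without a source restriction; these admit any source."""
    found = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group("action") == "permit" and m.group("addr") is None:
            found.append(line.strip())
    return found


if __name__ == "__main__":
    for ip in ("10.1.1.77", "192.0.2.5"):
        print(ip, "trusted:", acl_permits(TRUSTED_ACL, ip),
              "with catch-all:", acl_permits(TRUSTED_ACL_WITH_CATCHALL, ip))
    print("unscoped permits:", find_unscoped_permits(TRUSTED_ACL_WITH_CATCHALL))
```

Running find_unscoped_permits against the configuration after an incident is a quick way to confirm that the temporary rule was actually removed; while it is present, every source address is permitted, as the second probe shows.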

2. Add BGP protocol to ACL 3331.

TCP session in BGP is established based on peer IP addresses. Therefore, add the
peer IP address to the ACL. The peer IP address can be obtained from the
following commands:
<HUAWEI> display bgp peer
BGP local router ID : 1.1.1.33
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.31 4 100 3 3 0 00:01:16 Established 0
10.1.1.32 4 100 3 3 0 00:05:20 Established 0

In the preceding information, the device has two BGP peers and the IP addresses
of the BGP peers are 10.1.1.31 and 10.1.1.32. So the ACL rule is configured as
follows.
Precise configuration based on source IP address and port number:
acl number 3331
rule permit tcp source 10.1.1.31 0 destination-port eq bgp
rule permit tcp source 10.1.1.31 0 source-port eq bgp
rule permit tcp source 10.1.1.32 0 destination-port eq bgp
rule permit tcp source 10.1.1.32 0 source-port eq bgp

Simplified configuration based only on port-number:


acl number 3331
rule permit tcp destination-port eq bgp
rule permit tcp source-port eq bgp
NOTE
● If there are more BGP peers, add a rule for each peer in the precise configuration.
● The simplified configuration is less secure: any host sending TCP port 179 traffic falls into the same rate-limited flow as your real peers.

3. Add LDP protocol to ACL 3332.


LDP uses UDP to discover peers and maintain adjacencies, and TCP to set up sessions. The addresses involved are therefore not only the peer's transport address but also the IP address of the directly connected interface. Both need to be added to the ACL.
1. Collect the transport address of LDP Peer.
<HUAWEI> display mpls ldp peer
LDP Peer Information in Public network
A '*' before a peer means the peer is being deleted.
--------------------------------------------------------------------
PeerID TransportAddress DiscoverySource
--------------------------------------------------------------------
10.5.5.9:0 10.5.5.9 Remote Peer : 54
GigabitEthernet1/0/0
---------------------------------------------------------------------

Get the UDP source IP addresses used to discover adjacency peers and
maintain peer relationships.
<HUAWEI> display mpls ldp adjacency peer 5.5.5.9 verbose
LDP Adjacency Information
---------------------------------------------------------------------
LDP Peer ID : 10.5.5.9
VPNInstance name : -
CreateDate : 2010-09-14
CreateTime : 09:19:02
Adjacency Age : 0000:01:24
AdjacencyType : Remote Adjacency
Discovery-Source : -
UDP Source Address : 10.5.5.9
UDP Socket ID : 216
Sequence No. : 0
Configuration Hello Hold Timer(sec) : 45
Hello Message Rcvd : 340
Adjacency Deletion Status : No
---------------------------------------------------------------------
LDP Peer ID : 5.5.5.9
VPNInstance name : -
CreateDate : 2010-09-14
CreateTime : 09:17:55
Adjacency Age : 0000:01:25
AdjacencyType : Local Adjacency
Discovery-Source : GigabitEthernet1/0/0
UDP Source Address : 10.4.5.5
UDP Socket ID : 149
Sequence No. : 0
Configuration Hello Hold Timer(sec) : 256
Hello Message Rcvd : 5129
Adjacency Deletion Status : No
----------------------------------------------------------------------

2. Add the UDP source IP addresses to ACL.

LDP discovers adjacent peers by actively sending UDP packets to destination port 646, and keeps sending UDP Hello packets after the session is established to maintain the adjacency. Add the UDP source IP addresses from the preceding output to the ACL as follows.
acl number 3332
rule permit udp source 10.5.5.9 0 destination-port eq 646
rule permit udp source 10.4.5.5 0 destination-port eq 646

3. Add the LDP transport address to ACL.

LDP sets up its session over TCP and then sends TCP Keepalive messages over that session. The source address of the TCP packets is the TransportAddress. The device can be either the active or the passive end of the session, so rules for both the source port and the destination port need to be added to the ACL.
acl number 3332
rule permit tcp source 10.5.5.9 0 destination-port eq 646
rule permit tcp source 10.5.5.9 0 source-port eq 646

Configuration summary:
● Precise configuration based on source IP address and port number:
acl number 3332
rule permit udp source 10.5.5.9 0 destination-port eq 646
rule permit udp source 10.4.5.5 0 destination-port eq 646
rule permit tcp source 10.5.5.9 0 destination-port eq 646
rule permit tcp source 10.5.5.9 0 source-port eq 646

● Simplified configuration based only on port number:


acl number 3332
rule permit udp destination-port eq 646
rule permit tcp destination-port eq 646
rule permit tcp source-port eq 646
NOTE
● If there are more LDP peers, add a rule for each peer in the precise configuration.
● The simplified configuration is less secure.

4. Add OSPF or RIP protocol to ACL 3333.


OSPF establishes neighbor relationships based on interface IP addresses, so the neighbor interface IP addresses need to be added to the ACL.
1. Collect the information about OSPF peer.
<HUAWEI> display ospf peer
OSPF Process 100 with Router ID 1.1.1.33
Neighbors
Area 0.0.0.0 interface 10.55.1.2(GigabitEthernet1/0/1.1)'s neighbors
Router ID: 10.110.200.32 Address: 10.55.1.1
State: Full Mode:Nbr is Master Priority: 1
DR: 5.5.5.1 BDR: 5.5.5.2 MTU: 0
Dead timer due in 42 sec
Neighbor is up for 00:23:41
Authentication Sequence: [ 0 ]

OSPF Process 200 with Router ID 1.1.1.33


Neighbors
Area 0.0.0.0 interface 10.66.1.2(GigabitEthernet1/0/1.2)'s neighbors
Router ID: 10.110.200.32 Address: 10.66.1.1
State: Full Mode:Nbr is Master Priority: 1
DR: 6.6.6.1 BDR: None MTU: 0
Dead timer due in 31 sec
Neighbor is up for 00:00:05
Authentication Sequence: [ 0 ]

2. The 10.55.1.1 and 10.66.1.1 are the neighbor IP addresses. So, add these IP
addresses to ACL.
Precise configuration based on source IP address:
acl number 3333
rule permit ospf source 10.55.1.1 0
rule permit ospf source 10.66.1.1 0

Simplified configuration based only on port number:


acl number 3333
rule 5 permit ospf
NOTE
● If there are more OSPF peers, add a rule for each peer in the precise configuration.
● The simplified configuration is less secure.
● Configure the ACL for RIP in the same way. Note that RIP is carried over UDP port 520 rather than as its own IP protocol, so its rules match udp with destination-port eq 520 instead of the ospf keyword.
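Steps 2 to 4 all follow the same pattern: read the peer addresses out of a display command and turn each one into precise ACL rules. The following script is an added example written for this guide, not NE9000 code. It parses the display bgp peer, display ospf peer, display mpls ldp peer and display mpls ldp adjacency ... verbose outputs quoted above (the sample outputs embedded below are constructed from those quotes) and prints ACLs 3331, 3332 and 3333 in the precise form. The regular expressions are an assumption about column layout; compare the result with the live output before committing it.

```python
"""Generate the precise cpu-defend ACL rules of this section from 'display'
output (added example; not part of the NE9000 software or this guide).

The regular expressions are written against the sample output quoted in the
guide. Column layout may differ between software versions, so compare the
generated rules with the live output before committing them.
"""
import re

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample outputs, adapted from the guide's examples.
BGP_PEER_OUTPUT = """\
BGP local router ID : 1.1.1.33
Local AS number : 100
Total number of peers : 2 Peers in established state : 2
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.31 4 100 3 3 0 00:01:16 Established 0
10.1.1.32 4 100 3 3 0 00:05:20 Established 0
"""

OSPF_PEER_OUTPUT = """\
OSPF Process 100 with Router ID 1.1.1.33
Neighbors
Area 0.0.0.0 interface 10.55.1.2(GigabitEthernet1/0/1.1)'s neighbors
Router ID: 10.110.200.32 Address: 10.55.1.1
State: Full Mode:Nbr is Master Priority: 1
OSPF Process 200 with Router ID 1.1.1.33
Neighbors
Area 0.0.0.0 interface 10.66.1.2(GigabitEthernet1/0/1.2)'s neighbors
Router ID: 10.110.200.32 Address: 10.66.1.1
State: Full Mode:Nbr is Master Priority: 1
"""

LDP_PEER_OUTPUT = """\
PeerID TransportAddress DiscoverySource
10.5.5.9:0 10.5.5.9 Remote Peer : 54
"""

LDP_ADJACENCY_OUTPUT = """\
LDP Peer ID : 10.5.5.9
AdjacencyType : Remote Adjacency
UDP Source Address : 10.5.5.9
LDP Peer ID : 5.5.5.9
AdjacencyType : Local Adjacency
UDP Source Address : 10.4.5.5
"""


def unique(items):
    """Preserve order, drop duplicates (an address may appear in several rows)."""
    seen = set()
    return [x for x in items if not (x in seen or seen.add(x))]


def bgp_peers(text):
    """Peer rows of 'display bgp peer': an address followed by the BGP version."""
    return unique(re.findall(rf"^{IPV4}\s+4\s+\d+", text, re.M))


def ospf_neighbors(text):
    """'Address:' fields of 'display ospf peer' are the neighbor interface IPs."""
    return unique(re.findall(rf"Address:\s*{IPV4}", text))


def ldp_transport_addresses(text):
    """TransportAddress column of 'display mpls ldp peer'."""
    return unique(m.group(2) for m in re.finditer(rf"^{IPV4}:\d+\s+{IPV4}", text, re.M))


def ldp_udp_sources(text):
    """'UDP Source Address' fields of 'display mpls ldp adjacency ... verbose'."""
    return unique(re.findall(rf"UDP Source Address\s*:\s*{IPV4}", text))


def bgp_acl(peers, number=3331):
    rules = [f"acl number {number}"]
    for p in peers:
        rules.append(f"rule permit tcp source {p} 0 destination-port eq bgp")
        rules.append(f"rule permit tcp source {p} 0 source-port eq bgp")
    return rules


def ldp_acl(udp_sources, transports, number=3332):
    rules = [f"acl number {number}"]
    rules += [f"rule permit udp source {s} 0 destination-port eq 646" for s in udp_sources]
    for t in transports:  # device may be active or passive end: both ports
        rules.append(f"rule permit tcp source {t} 0 destination-port eq 646")
        rules.append(f"rule permit tcp source {t} 0 source-port eq 646")
    return rules


def ospf_acl(neighbors, number=3333):
    return [f"acl number {number}"] + [f"rule permit ospf source {n} 0" for n in neighbors]


def generate(bgp_out, ospf_out, ldp_peer_out, ldp_adj_out):
    """Return the three precise ACLs as a flat list of configuration lines."""
    return (bgp_acl(bgp_peers(bgp_out))
            + ldp_acl(ldp_udp_sources(ldp_adj_out), ldp_transport_addresses(ldp_peer_out))
            + ospf_acl(ospf_neighbors(ospf_out)))


if __name__ == "__main__":
    print("\n".join(generate(BGP_PEER_OUTPUT, OSPF_PEER_OUTPUT,
                             LDP_PEER_OUTPUT, LDP_ADJACENCY_OUTPUT)))
```

Run it against the saved output of the four display commands; the printed block matches the precise configurations given for ACLs 3331, 3332 and 3333 above, and regenerating it after a peer change is quicker and less error-prone than editing rules by hand.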

5. Add VRRP protocol to ACL 3334.

VRRP runs directly over IP with protocol number 112. Add the source IP address used by the VRRP peer's advertisements together with the protocol number to the ACL. This example uses the peer virtual IP address. Note that RFC 5798 specifies the primary IP address of the sending interface as the source of an advertisement, which equals the virtual IP address only when the master is the address owner; check which address your peers actually use (for example with a packet capture or the display vrrp output) before writing the rule.
1. Collect information about the VRRP peer.
Get the peer virtual IP address from the VRRP configuration.
2. Precise configuration based on source IP address:
acl number 3334
rule permit 112 source 10.55.1.100 0

Simplified configuration based only on protocol number:

acl number 3334
rule 5 permit 112
NOTE
● If there are more VRRP peers, add a rule for each peer address in the precise configuration.
● The simplified configuration is less secure.


6. Add multicast protocol to ACL 3335.

Multicast protocols include PIM (IP protocol number 103), IGMP (IP protocol number 2), and MSDP, which runs over TCP port 639.
acl number 3335
rule permit 103
rule permit igmp
rule permit udp destination-port eq 639
rule permit udp source-port eq 639
rule permit tcp destination-port eq 639
rule permit tcp source-port eq 639

7. Add reserved multicast addresses to ACL 3336.

The reserved multicast address block is 224.0.0.0/24 (the local network control block); the limited broadcast address 255.255.255.255/32 is added to the same ACL.


acl number 3336
rule permit ip destination 224.0.0.0 0.0.0.255
rule permit ip destination 255.255.255.255 0

8. Add Telnet and SSH protocols to ACL 3337.

Telnet and SSH are TCP-based protocols used for remote login to the device. Both are essential for management access and are therefore added to an independent ACL for protection. Both the source port and the destination port need to be specified. Telnet uses TCP port 23 and SSH uses TCP port 22.
Precise configuration based on source IP address and port number:
acl number 3337
rule permit tcp source 10.97.3.0 0.0.0.255 source-port eq telnet
rule permit tcp source 10.97.3.0 0.0.0.255 destination-port eq telnet
rule permit tcp source 10.97.3.0 0.0.0.255 source-port eq 22
rule permit tcp source 10.97.3.0 0.0.0.255 destination-port eq 22

Simplified configuration based only on port number:


acl number 3337
rule permit tcp source-port eq telnet
rule permit tcp destination-port eq telnet
rule permit tcp source-port eq 22
rule permit tcp destination-port eq 22
NOTE
● The simplified configuration is less secure.
● Make sure the source network segment permitted for Telnet and SSH is correct and contains only management hosts. Telnet carries credentials in cleartext, so prefer SSH where possible.

9. Add FTP and TFTP protocols to ACL 3338.


FTP is a TCP-based protocol and TFTP is a UDP-based protocol. Each FTP/TFTP client source IP address needs three rules, as shown in the following commands.
Precise configuration based on source IP address and port number:
acl number 3338
rule permit udp source 10.97.3.0 0.0.0.255 destination-port eq tftp
rule permit tcp source 10.97.3.0 0.0.0.255 source-port eq ftp
rule permit tcp source 10.97.3.0 0.0.0.255 destination-port eq ftp

Simplified configuration based only on port number:


acl number 3338
rule permit udp destination-port eq tftp
rule permit tcp source-port eq ftp
rule permit tcp destination-port eq ftp
NOTE
The simplified configuration is less secure.

10. Add FTP-DATA protocol to ACL 3339.

FTP-DATA (TCP port 20) carries the file contents. When the device downloads a file from a remote endpoint, the data is sent to the CPU, and the transfer must not be slowed by the rate limit applied to other traffic. FTP-DATA is therefore added to an independent ACL for protection.
Precise configuration based on source IP address and port number:
acl number 3339
rule permit tcp source 10.97.3.0 0.0.0.255 source-port eq ftp-data
rule permit tcp source 10.97.3.0 0.0.0.255 destination-port eq ftp-data

Simplified configuration based only on port number:


acl number 3339
rule permit tcp source-port eq ftp-data
rule permit tcp destination-port eq ftp-data
NOTE
The simplified configuration is less secure.

11. Add SNMP protocol to ACL 3340.

An NMS is deployed on most live networks. The NMS server sends a large number of UDP request packets to the device, and the device returns UDP reply packets through the SNMP port. Because of this volume, SNMP traffic from the NMS is added to an independent ACL for protection. Configuration example:
Precise configuration based on source IP address and port number:
acl number 3340
rule permit udp source 10.43.48.0 0.0.0.255 destination-port eq snmp
rule permit udp source 10.97.3.0 0.0.0.255 destination-port eq snmp

Simplified configuration based only on port number:


acl number 3340
rule permit udp destination-port eq snmp
NOTE
● The source network segments added to the ACL must be correct. Otherwise, requests from NMS hosts whose source IP addresses are not in the ACL do not match this flow, and the NMS fails to manage the device.
● If the device is not managed by an NMS, you can use the simplified configuration.

12. Add TACACS and NTP protocol to ACL 3341.


TACACS and NTP are service-oriented protocols. NTP uses UDP port 123. TACACS has two variants: the Huawei-specific TCP-based TACACS (HWTACACS) and the UDP-based standard TACACS. It is recommended that you add both to the ACL. Configuration example:
Precise configuration based on source IP address and port number:
acl number 3341
rule permit udp source 10.43.0.0 0.0.255.255 source-port eq 123
rule permit udp source 10.43.0.0 0.0.255.255 destination-port eq 123
rule permit tcp source 10.43.53.20 0 source-port eq tacacs
rule permit tcp source 10.43.49.20 0 destination-port eq tacacs
rule permit udp source 10.43.53.20 0 source-port eq tacacs-ds
rule permit udp source 10.43.49.20 0 destination-port eq tacacs-ds

Simplified configuration based only on port number:


acl number 3341
rule permit udp source-port eq 123
rule permit udp destination-port eq 123
rule permit tcp source-port eq tacacs
rule permit tcp destination-port eq tacacs
rule permit udp source-port eq tacacs-ds
rule permit udp destination-port eq tacacs-ds
NOTE
The simplified configuration is less secure.

13. Add ICMP, ping lsp, and tracert to ACL 3342.

acl number 3342
rule permit icmp icmp-type echo
rule permit icmp icmp-type echo-reply
rule permit icmp icmp-type ttl-exceeded
rule permit icmp icmp-type port-unreachable
rule permit icmp icmp-type Fragmentneed-DFset
rule permit icmp
rule permit udp destination-port range 33434 33678 ///tracert (UDP traceroute probes)
rule permit udp destination-port eq 3503 ///ping lsp (MPLS echo request and reply)
NOTE
The final rule permit icmp matches every ICMP type, so the type-specific rules before it only document intent. Remove it if only the listed ICMP types should be placed in this flow.

14. Add BFD protocol to ACL 3343.

BFD is a UDP-based protocol. Single-hop BFD control packets use UDP port 3784. If you also run multi-hop BFD or BFD echo, add rules for UDP port 4784 and UDP port 3785 respectively.

Precise configuration based on source IP address and port number:
acl number 3343
rule permit udp source 10.43.0.0 0.0.255.255 destination-port eq 3784
rule permit udp source 10.43.0.0 0.0.255.255 source-port eq 3784

Simplified configuration based only on port number:


acl number 3343
rule permit udp destination-port eq 3784
rule permit udp source-port eq 3784
NOTE
The simplified configuration is less secure.

Example for configuring the blacklist rule

Add invalid or unknown protocols to ACL 3360.

ACL 3330 to ACL 3343 match legitimate protocol packets and packets from the trusted network segment. Any other packet is treated as invalid or unknown. ACL 3360 matches these packets. The configuration is as follows:
acl number 3360
rule permit ip
rule permit igmp
rule permit 103 ///PIM protocol
rule permit ospf

Result:
● IP packets that do not match the user-defined flow match the rule "rule
permit ip".
● IGMP packets that do not match the user-defined flow match the rule "rule
permit igmp".
● PIM packets that do not match the user-defined flow match the rule "rule
permit 103".
● OSPF packets that do not match the user-defined flow match the rule "rule
permit ospf".

By default, packets to be sent to the CPU are matched in the following sequence: TCP SYN packets, packet fragments, dynamic link protection, management protocol ACL, whitelist, blacklist, and user-defined flow. In the preceding example ACL 3360 contains rule permit ip, so with the default sequence every IP packet would hit the blacklist before the user-defined flows are consulted. The packets must therefore be matched against the user-defined flows before the blacklist. Run the following command to adjust the match sequence accordingly:
#
cpu-defend policy 10
process-sequence tcpsyn-flood fragment-flood dynamic-link-protection management-acl whitelist user-defined-flow blacklist
#
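The interaction between the catch-all rule permit ip in ACL 3360 and the process-sequence is the point most easily got wrong in this example. The following script is an added example written for this guide, not NE9000 code: it is a simplified model of the match sequence that parses the rule syntax used above, applies Huawei wildcard semantics, and classifies constructed sample packets under the default and the adjusted sequence. Only the blacklist and user-defined-flow stages are modelled (the other stages are treated as empty), and it assumes user-defined flows are tried in ascending index order; confirm that against your device.

```python
"""Replay the cpu-defend match sequence over the ACLs of this section (added
example; a simplified model written for this guide, not NE9000 code).

Only the blacklist and user-defined-flow stages are modelled; the other
stages of process-sequence (tcpsyn-flood, fragment-flood,
dynamic-link-protection, management-acl, whitelist) are treated as empty.
Assumption: user-defined flows are tried in ascending index order.
"""
import ipaddress

PORT_NAMES = {"bgp": 179, "telnet": 23, "ftp": 21, "ftp-data": 20, "tftp": 69,
              "snmp": 161, "tacacs": 49, "tacacs-ds": 65}
PROTO_NAMES = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1, "igmp": 2, "ospf": 89}

# ACLs quoted from this section, trimmed to what the sample packets need.
ACLS = {
    3330: ["rule permit ip source 10.1.1.0 0.0.0.255",
           "rule permit ip source 10.1.2.0 0.0.0.255"],
    3331: ["rule permit tcp source 10.1.1.31 0 destination-port eq bgp",
           "rule permit tcp source 10.1.1.31 0 source-port eq bgp"],
    3333: ["rule permit ospf source 10.55.1.1 0"],
    3360: ["rule permit ip", "rule permit igmp", "rule permit 103", "rule permit ospf"],
}
USER_DEFINED_FLOWS = [(1, 3330), (2, 3331), (4, 3333)]  # (flow index, ACL number)
BLACKLIST_ACL = 3360

DEFAULT_SEQUENCE = ["tcpsyn-flood", "fragment-flood", "dynamic-link-protection",
                    "management-acl", "whitelist", "blacklist", "user-defined-flow"]
ADJUSTED_SEQUENCE = ["tcpsyn-flood", "fragment-flood", "dynamic-link-protection",
                     "management-acl", "whitelist", "user-defined-flow", "blacklist"]


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _ip(text):
    # Huawei accepts a bare "0" as the all-zero wildcard (exact host match).
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))


def parse_rule(text):
    """Parse the 'rule [n] permit <proto> [source A W] [destination A W]
    [source-port eq P] [destination-port eq P]' subset used in this guide."""
    tok = text.split()
    if tok[1].isdigit():  # optional rule number
        del tok[1]
    if tok[:2] != ["rule", "permit"]:
        raise ValueError(f"unsupported rule: {text!r}")
    proto = tok[2]
    rule = {"proto": PROTO_NAMES[proto] if proto in PROTO_NAMES else int(proto),
            "src": None, "dst": None, "sport": None, "dport": None}
    i = 3
    while i < len(tok):
        key = tok[i]
        if key in ("source", "destination"):
            rule["src" if key == "source" else "dst"] = (tok[i + 1], tok[i + 2])
        elif key in ("source-port", "destination-port") and tok[i + 1] == "eq":
            rule["sport" if key == "source-port" else "dport"] = _port(tok[i + 2])
        else:
            raise ValueError(f"unsupported keyword {key!r} in {text!r}")
        i += 3
    return rule


def addr_match(spec, ip):
    """Wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec is None:
        return True
    base, wild = _ip(spec[0]), _ip(spec[1])
    return (_ip(ip) | wild) == (base | wild)


def rule_match(rule, pkt):
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    return (addr_match(rule["src"], pkt["src"]) and addr_match(rule["dst"], pkt["dst"])
            and rule["sport"] in (None, pkt.get("sport"))
            and rule["dport"] in (None, pkt.get("dport")))


def acl_match(number, pkt):
    return any(rule_match(parse_rule(r), pkt) for r in ACLS[number])


def classify(pkt, sequence):
    """Return the stage (with flow index) that claims the packet, or 'default'."""
    for stage in sequence:
        if stage == "blacklist" and acl_match(BLACKLIST_ACL, pkt):
            return "blacklist"
        if stage == "user-defined-flow":
            for index, acl in USER_DEFINED_FLOWS:
                if acl_match(acl, pkt):
                    return f"user-defined-flow {index}"
    return "default"


# Constructed sample packets: IP protocol number, addresses, ports.
OSPF_HELLO = {"proto": 89, "src": "10.55.1.1", "dst": "224.0.0.5"}
BGP_OPEN = {"proto": 6, "src": "10.1.1.31", "dst": "10.1.1.33", "sport": 40012, "dport": 179}
UNKNOWN_UDP = {"proto": 17, "src": "192.0.2.9", "dst": "10.1.1.33", "sport": 5000, "dport": 5000}

if __name__ == "__main__":
    for name, pkt in [("OSPF hello", OSPF_HELLO), ("BGP open", BGP_OPEN),
                      ("unknown UDP", UNKNOWN_UDP)]:
        print(f"{name:12} default: {classify(pkt, DEFAULT_SEQUENCE):22} "
              f"adjusted: {classify(pkt, ADJUSTED_SEQUENCE)}")
```

With the default sequence every sample packet, the legitimate OSPF Hello included, lands in the blacklist because rule permit ip in ACL 3360 is consulted first; with the adjusted sequence the OSPF Hello reaches flow 4 and only the unknown UDP packet is blacklisted. The BGP packet is worth a look too: its source 10.1.1.31 lies inside the trusted segment 10.1.1.0/24, so under the assumed ascending-index order it is claimed by flow 1 (ACL 3330) rather than by the BGP flow and receives that flow's rate limit. Keep overlaps like this in mind when you assign ACLs to flow indexes.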

1.1.12 SOC Configuration


The Security Operating Center (SOC) implements intelligent detection and attack
event analysis and provides attack event reports based on the analysis, which
makes security maintenance more efficient. This chapter describes the basic
concepts, configuration procedures, and attack event analysis methods of the SOC.

1.1.12.1 Overview of SOC


Before configuring the Security Operating Center (SOC), familiarize yourself with
the basic concepts and usage scenarios of the SOC.

1.1.12.1.1 Introduction to SOC


The Security Operating Center (SOC) determines whether the NE9000 is being
attacked by constantly monitoring statistics collected by security detection
modules, service modules, and system monitoring modules, and takes measures
accordingly to defend against attacks.

To ensure system reliability and protect services against attacks, the NE9000 supports security techniques such as rate limiting by committed access rate (CAR), attack detection, and attack defense. However, in the absence of a global management center that can summarize and analyze all attack information, attack detection and defense on the NE9000 are not comprehensive.
To address this problem, the SOC was developed to summarize and analyze the information reported by all security detection modules in the system. The SOC then presents attack event reports, attack sources, cause analysis, and solutions in a centralized and concise manner.

NOTE

The SOC does not display information about minor attack events that affect only a function
in the system. The SOC also does not display information about events that cause system
breakdown by sending constructed malformed packets or a small number of packets to
attack the system. Information about the events that cause system breakdown is displayed
by service modules, the NMS, the log function, and the attack source tracing function.
The SOC displays only information about attack events that cause system risks. These
attack events have the following characteristics:
● CPU usage when the attack event occurs is much higher than that in normal cases.
● The rate of packet loss caused by CPCAR exceeds a normal threshold.
● A protocol module detects a large number of invalid packets or sessions, and the
percentage of the number of invalid packets or sessions to the total number of
packets or sessions exceeds a normal threshold.

1.1.12.2 Feature Requirements for SOC

1.1.12.3 Configuring the SOC


This section describes how to configure the Security Operating Center (SOC).

Applicable Environment
When an exception occurs, for example, services are interrupted, the system
performance deteriorates, or service flapping occurs, maintenance personnel can
use the SOC to quickly determine if the exception has been caused by a security
attack. Maintenance personnel can also use the SOC to perform routine
maintenance and management to check if any security attack has occurred and
take immediate measures.

Pre-configuration Tasks
None

1.1.12.3.1 Enabling the SOC


You can enable the Security Operating Center (SOC) by enabling attack detection,
attack source tracing, and attack defense.

Context
Attack detection and attack source tracing are key SOC functions. Before using the
SOC, ensure that these functions are enabled. If attack detection and attack

source tracing are left disabled, the SOC can still be triggered by timers to collect
the CPU usage, protocol module's state data, including the number of invalid
packets and sessions, and CPCAR-related packet loss statistics. However, the SOC
neither performs attack detection and attack source tracing nor generates alarms,
and therefore cannot locate attack events.
After attack defense is enabled, the SOC automatically delivers attack defense
policies if the NE9000 is being attacked. This function isolates attacks or protects
the NE9000 against attacks.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run soc
Attack detection and attack source tracing are enabled, and the SOC view is
displayed.
Step 3 (Optional) Run attack-defend enable
Attack defense is enabled.
If the SOC determines that an attack event has occurred, enable attack defense.
Step 4 Run commit
The configuration is committed.

----End

1.1.12.3.2 Analyzing Attack Events


The SOC determines whether an attack event has occurred by analyzing attack
event reports and statistics. If attack defense is enabled, you can also check packet
loss statistics of the interface under attack.

Context
If an exception occurs or an attack event alarm is generated on the NE9000,
perform the following procedures to determine whether an attack event has
occurred:
1. Check attack event reports and identify the attack event to be analyzed.
2. Check the Location and Reasons fields in attack event reports to find out the
slot ID and protocol of the attack event and check the historical statistics.
Historical statistics include the CPCAR statistics and protocol statistics.
Determine whether the attack event is caused by protocol packets sent to the
CPU or invalid packets or sessions on a protocol module.
3. After the attack event is determined, enable attack defense. Then the NE9000
uses the configured attack defense policies to defend against subsequent
attack packets. You can also check packet loss statistics of the interface under
attack.
Perform the following steps in any view.

Procedure
Step 1 Check attack event reports.
1. Run the display soc attack-event command to check a summary of attack
events.
2. Run the display soc attack-event slot slot-id [ verbose ] command to check
information about attack events on the board in a specified slot.
The specified slot is identified by checking the Location field in the attack
event summary. Detailed information about attack events is displayed if
verbose is configured.
3. Run the display soc attack-event event-number event-number [ verbose ]
command to check information about the specified attack event.
The specified attack event is identified by checking the Seq. field in the attack
event summary or information about attack events on the board in a
specified slot.
Step 2 Check historical statistics.
NOTE

In the following commands, slot-id must be the same as the slot-id specified in the display
soc attack-event command, and protocol-name must be the same as the Reasons field
value in the display soc attack-event command output.

Check CPCAR statistics.


1. Run the display soc attack-detect statistics car slot slot-id protocol
protocol-name command to check all CPCAR statistics monitored by the SOC.
Identify CarName of the CPCAR with the highest packet loss rate or the
largest number of lost packets.
NOTE

CAR is a traffic policing instance. CPCAR functions for packets to be sent to the CPU.
2. Run the display soc attack-detect statistics car slot slot-id protocol
protocol-name [ cpcar-name history { 15-minutes | 60-minutes | 72-
hours } ] command to check the packet loss rate of the protocol packets
identified by cpcar-name within a specified period.
3. Run the display soc attack-detect cpu-usage slot slot-id history { 15-
minutes | 60-minutes | 72-hours } command to check the CPU usage within
a specified period. If the CPU usage and packet loss rate within a specified
period have similar tendencies, the CPU overload is caused by the protocol
packets identified by cpcar-name.
Check protocol statistics.
1. Run the display soc attack-detect statistics application slot slot-id
command to check statistics about the protocol packets and sessions on the
board in a specified slot. Identify the protocol module with the largest ratio
of invalid packets or sessions to total packets or sessions; this module is the
most likely target of the attack.
2. Run the display soc attack-detect statistics application slot slot-id protocol
protocol-name history { 15-minutes | 60-minutes | 72-hours } command to

check statistics about the protocol packets and sessions and the average CPU
usage within the last 15 minutes, 1 hour, or 72 hours. If the CPU usage is high
while the percentage of the number of invalid packets or sessions to the total
number of packets or sessions is high, attacks to the protocol module cause
the CPU overload. If you cannot identify the problem by querying the average
CPU usage, run the following command to check detailed information about
the CPU usage within the specified period.
3. (Optional) Run the display soc attack-detect cpu-usage slot slot-id history
{ 15-minutes | 60-minutes | 72-hours } command to check detailed
information about the CPU usage within a specified period.

Step 3 (Optional) Run the display soc attack-defend statistics slot slot-id port-vlan-car
command to check statistics about the packets that pass through or are discarded
by interfaces being attacked on the board in a specified slot.

After attack defense is enabled and the NE9000 is being attacked, you can run this
command.

----End
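Step 2 asks you to attribute a CPU overload to the CPCAR whose packet-loss history has a tendency similar to the CPU-usage history. The following script is an added example written for this guide, not NE9000 code, and it does not reproduce the SOC's own (undocumented) decision logic; it quantifies "similar tendency" with the Pearson correlation coefficient, which is an analysis choice made here. The histories below are constructed; on a device they would be transcribed from the 15-minute outputs of display soc attack-detect cpu-usage and display soc attack-detect statistics car ... history, and the 0.8 correlation threshold and the 10 percent minimum peak are assumptions to tune per network.

```python
"""Rank CPCAR packet-loss histories by how closely they track CPU usage
(added example for the analysis procedure above; not NE9000 code).

"Similar tendency" is quantified with the Pearson correlation coefficient
over equally spaced samples. The series are constructed for the example; on
a device they would be transcribed from
  display soc attack-detect cpu-usage slot <slot-id> history 15-minutes
  display soc attack-detect statistics car slot <slot-id> protocol <name>
      <cpcar-name> history 15-minutes
This is an offline cross-check of the reasoning in the guide, not a
reproduction of the SOC's own decision logic.
"""
from math import sqrt

# Constructed one-sample-per-minute histories, in percent.
CPU_USAGE = [22, 23, 25, 41, 68, 83, 90, 92, 88, 71, 45, 30, 24, 23, 22]
CAR_DROP_RATE = {
    "bgp":  [0, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0],              # stray drops
    "icmp": [0, 0, 2, 30, 61, 80, 92, 95, 90, 70, 35, 9, 1, 0, 0],      # tracks the CPU curve
    "snmp": [12, 11, 12, 13, 12, 11, 12, 12, 13, 12, 11, 12, 12, 11, 12],  # steady polling loss
}


def pearson(xs, ys):
    """Pearson correlation coefficient; 0.0 when either series is constant."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("series must be equal length with at least two samples")
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sqrt(sum((x - mx) ** 2 for x in xs))
    sy = sqrt(sum((y - my) ** 2 for y in ys))
    return 0.0 if sx == 0 or sy == 0 else cov / (sx * sy)


def rank_cars(cpu, cars, min_peak=10):
    """Return [(car, r)] sorted by descending correlation with CPU usage.

    CARs whose loss rate never reaches min_peak percent are dropped: a
    handful of isolated drops can correlate by accident without being able
    to explain an overload (assumed threshold, tune per network)."""
    ranked = [(name, pearson(cpu, drops))
              for name, drops in cars.items() if max(drops) >= min_peak]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def likely_cause(cpu, cars, threshold=0.8):
    """Name the CAR to blame, or None if nothing correlates strongly enough."""
    ranked = rank_cars(cpu, cars)
    return ranked[0][0] if ranked and ranked[0][1] >= threshold else None


if __name__ == "__main__":
    for name, r in rank_cars(CPU_USAGE, CAR_DROP_RATE):
        print(f"{name:6} r = {r:+.3f}")
    print("likely cause:", likely_cause(CPU_USAGE, CAR_DROP_RATE))
```

In the constructed data the icmp CAR rises and falls with the CPU curve and is reported as the likely cause, the snmp CAR shows a constant low loss unrelated to the overload, and the bgp CAR is excluded by the peak filter. A result of None means the overload is not explained by any single CPCAR and the protocol statistics in the second half of Step 2 should be checked next.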

1.1.12.3.3 (Optional) Configuring a User-Defined Group for Which Attack Defense Is Enabled
You can determine whether an attack event or source exists by checking alarm
information and attack event reports. After an attack source is confirmed, you can
configure a user-defined group for which attack defense is enabled to isolate the
attack source.

Context
If a device works abnormally (for example, CPU overload, user logout, or route interruption), you can configure a user-defined group for which attack defense is enabled to isolate the attack sources.

NOTE

Run the attack-defend user-enable-group command to configure a user-defined group for which attack defense is enabled only after attack events or sources have been confirmed. After the group is configured and specific protocols are defined in it, the system automatically delivers an attack defense policy when an attack on one of those protocols is detected.

Procedure
Step 1 Check whether the alarm SOC_1.3.6.1.4.1.2011.5.25.165.1.11.12
hwBaseSocAttackTrap is generated. The alarm content includes the attack
position, protocol type, sub-interface, and MAC address information.

Step 2 If the alarm is generated, run the display soc attack-event slot slot-id command
in any view to query more detailed information about the attack event on the
board in a specific slot, such as the attack possibility, physical interface under
attacks, VLAN, and attack cause (protocol flooding or broadcast storm).

Step 3 Locate and isolate the attack source based on the obtained attack position and
cause.

1. If CPU overload, severe service damage, or even service interruption occurs, shut down the interface under attack based on the attack position and the attack packet information (MAC address, IP address, and protocol type), or run the blacklist acl command in the attack defense policy view to blacklist the attack packets, and adjust the configuration based on the live network situation.
2. If CPU overload occurs but services run properly with only a few packets being dropped, analyze the service deployment on the interface and check whether attack protocol packets are being sent to it. If attack protocol packets are confirmed, blacklist the attack protocol and adjust the configuration based on the live network situation.
If services are restored and run properly after the preceding operations, deliver an attack defense policy to apply the blacklist and the interface or sub-interface shutdown actions to the forwarding plane.

NOTE

If CPU overloads frequently occur due to device attacks, you can check service deployment
on the interface under attack based on the port information of the attack event. If
unexpected protocol packet loss is detected, run the attack-defend user-enable-group
command to configure a user-defined group for which attack defense is enabled and define
the protocol in the group. After that, when the protocol packets are sent to attack the
device again, an attack defense policy is automatically delivered to protect the CPU.

----End

1.1.12.3.4 (Optional) Configuring Attack Source Tracing Parameters


If attack event reports present incorrect or missing decisions on attack events,
adjust attack source tracing parameters to allow attack source tracing to function
precisely.

Context
As network configurations and traffic characteristics vary, the default attack source
tracing thresholds may cause incorrect or missing decisions on attack events. You
can adjust the attack source tracing parameters based on actual conditions. If an
object under attack fails to be located, the attack source tracing thresholds are set
high and need to be lowered. If an object not under attack is identified as being
attacked, the attack source tracing threshold is set low and needs to be increased.
NOTE

Each attack source tracing threshold has its default value. Adjust the thresholds based on
your networking environment by referring to the default values and value ranges provided
in the command reference. It is recommended that you adjust attack source tracing
thresholds with assistance from Huawei engineers.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run soc
The SOC view is displayed.

Step 3 Configure thresholds for determining attack events.


● To configure the threshold for determining the location of an attack event,
run the attack-trace location-type { interface | qinq | source-ip | source-
mac | sub-interface | vlan | vni } threshold threshold-value command.
● To configure the threshold for determining the probability of an attack event,
run the attack-trace probability { top5-user | top5-source-mac | top5-
source-ip | broadcast-flood | app-error-percent } { determined |
notification | suspicion } threshold-value command.
● To configure the threshold for determining the cause of an attack event, run
the attack-trace reason { broadcast-flood percentage percentage-value1 |
change-source-packet percentage percentage-value2 | app-packet
percentage percentage-value3 } command.

Step 4 Run commit

The configuration is committed.

----End

1.1.12.3.5 (Optional) Configuring Attack Detection Parameters


If attack event reports present incorrect or missing decisions on attack events,
adjust attack detection parameters to allow attack detection to function precisely.

Context
The Security Operating Center (SOC) determines whether the system is being attacked based on statistical analysis. To obtain meaningful results on a live network, you must set appropriate alarm thresholds for security attack events. Traffic models vary with the networking scenario.
● On small-scale networks where the traffic rate is low, router bandwidth is low,
and the number of users is small, setting a low alarm threshold is
recommended.
● On large-scale networks where the traffic rate is high, router bandwidth is
high, and the number of users is great, setting a high alarm threshold is
recommended.

Additionally, you can also adjust the threshold based on the security attack event
reports. If false alarms are frequently reported, you can increase the alarm
threshold. However, if some security attacks are ignored (the security attacks are
detected by other monitoring systems but not reported by the SOC), you can
lower the alarm threshold.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run soc

The SOC view is displayed.

Step 3 Configure thresholds for determining attack events.

● Run the attack-detect protocol protocol-name car { min-rate rate-value |


drop-packet-percent percentage } * command to set the rate threshold for
sending protocol packets to the CPU and the packet loss percentage threshold
for attack detection.
● Run the attack-detect cpu-usage-threshold threshold-value command to set
the CPU usage threshold for attack detection.
Step 4 Run commit
The configuration is committed.

----End

1.1.12.3.6 Verifying the SOC Configuration


After configuring attack source tracing parameters, check the configurations. If
some parameters are not configured, their default values are displayed.

Procedure
Step 1 Run the display soc attack-trace threshold configuration command to check
attack source tracing thresholds.
Step 2 Run the display soc attack-detect car threshold configuration command to
check the configured CP-CAR thresholds for attack detection.

----End

1.1.12.4 Maintaining the SOC


After SOC configurations are complete, you can maintain the SOC.

1.1.12.4.1 Clearing SOC Statistics


SOC statistics can be cleared, including statistics on packets that match ACL rules
and statistics on packets to which CAR is implemented after they match ACL rules.

Context
After the SOC's attack defense function is enabled, if an interface is attacked, the
SOC separately collects statistics on packets that match ACL rules and statistics on
packets to which CAR is implemented after they match ACL rules. Before collecting
statistics again, clear the existing statistics.

NOTICE

SOC statistics cannot be restored after they are cleared. Exercise caution when
running the reset command.

Procedure
● Run the reset soc attack-defend statistics slot slot-id command in the user view to clear statistics on packets that match ACL rules and statistics on packets to which CAR is implemented after they match ACL rules on the attacked interfaces on the board in a specified slot.

----End

1.1.13 Packet Header Obtaining Configuration


Packet header obtaining enables a device to capture the headers of packets sent
to its central processing unit (CPU) or of packets it forwards, for fault locating.

Context
NOTE

Based on your requirements to detect failures in telecom transmission, this feature may
collect or store some communication information about specific customers. Huawei cannot
offer services to collect or store this information unilaterally. Before enabling the function,
ensure that it is performed within the boundaries permitted by applicable laws and
regulations. Effective measures must be taken to ensure that information is securely
protected.

1.1.13.1 Overview of Packet Header Obtaining


Packet header obtaining enables devices to promptly obtain packet headers for
fault analysis and locating.

If a device has high central processing unit (CPU) usage or interface traffic is
abnormal, configure packet header obtaining to capture packets sent to this
device's CPU or packets forwarded by this device. The device saves the obtained
packet headers to a specified file, which you can use to locate network faults.
Obtaining packet headers sent to the CPU does not affect packet transmission;
obtaining forwarded packet headers can affect forwarding performance, as noted
in the corresponding configuration section.

1.1.13.2 Feature Requirements for Packet Header Obtaining

1.1.13.3 Configuring a Device to Obtain Packet Headers Sent to its CPU


This section describes how to configure a device to obtain packet headers sent to
its central processing unit (CPU).

Usage Scenario
With the expansion of networks and the increasing number of applications, device
CPUs may become overloaded if required to process large numbers of packets. The
high CPU usage deteriorates device performance and affects normal service
processing. To address these issues, specify filter criteria and configure devices to
obtain packet headers sent to their CPUs based on the criteria. You can then
analyze the obtained packet headers and locate network faults accordingly.

Before using an access control list (ACL) as a filter criterion, you must create it.
For details about the ACL configuration, see "ACL Configuration" in NE9000
Configuration Guide - IP Services.


Pre-configuration Tasks
Before configuring a device to obtain packet headers sent to its CPU, complete the
following tasks:
● Configure link layer protocol parameters for interfaces to ensure that the link
layer protocol status of the interfaces is Up.
● Create an ACL.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Configure an ACL rule.
NOTE

After an ACL rule is configured, the headers of packets that match the ACL rule can be obtained.
With the packet header obtaining function, packets are processed as follows:
● If packets match the ACL rule with the permit action, their headers are obtained.
● If packets match the ACL rule with the deny action, they are dropped instead of being
forwarded. This may adversely affect services.
● If packets match no ACL rule, they are properly forwarded, without having their headers
obtained.
● If the referenced ACL does not exist or an existent ACL in which no rule is defined is
referenced, packets are properly forwarded, without having their headers obtained.
● When packets are matched against an ACL rule, the vpn-instance vpn-instance-name
parameter configured in the rule does not take effect.

Table 1-21 ACL rule configuration

ACL Configuration Category   | Step 1: ACL Creation Through the acl Command | Step 2: ACL Rule Configuration Through the rule Command
Configuring a Basic ACL      | Creating a Basic ACL                         | Configuring a Basic ACL Rule
Configuring an Advanced ACL  | Creating an Advanced ACL                     | Configuring an Advanced ACL Rule
Configuring a Layer 2 ACL    | Creating a Layer 2 ACL                       | Configuring Rules for a Layer 2 ACL
Configuring a Basic ACL6     | Creating a Basic ACL6                        | Configuring a Basic ACL6 Rule
Configuring an Advanced ACL6 | Creating an Advanced ACL6                    | Configuring an Advanced ACL6 Rule

Step 3 Run quit

Return to the system view.

Step 4 Run capture-packet local-host


The device is configured to obtain packet headers sent to its CPU. For details
about the command format, see Command Reference > Security Commands >
Packet Header Getting Configuration Commands > capture-packet local-host.

NOTE

● In the preceding command, the time-value and packet-number parameters can be configured to specify the timeout period and the number of packet headers to be obtained, respectively. If the specified timeout period expires or if the device has obtained the specified number of packet headers, packet header obtaining ends.
● When configuring parameters for a packet header obtaining instance, set the parameter values based on the traffic volume on the target interface. Specifically, if a large number of packets are forwarded on the interface, set a small value for time-value but a large value for packet-number. Otherwise, set a large value for time-value but a small value for packet-number.
● If you specify file, the device saves packet header obtaining information to a packet header obtaining file. If you specify terminal, the device displays packet header obtaining information on a terminal screen. When you specify file, the device can save at most 2 MB of packet header obtaining information to a file each time the packet header obtaining command is run. If the size of the packet header obtaining information exceeds 2 MB, the device discards the excess information.
● Obtaining packet headers sent to CPUs has no impact on system performance.

Step 5 Run quit


Return to the system view.
Step 6 (Optional) Run capture-packet file limit limit-value
The maximum number of packet header obtaining files (.cap files) in the packet
header obtaining directory is specified. This command is supported only by the
admin VS.
----End

Verifying the Configuration


● Run the display capture-packet config-state command to check the
configuration of obtaining packet headers sent to the CPU, such as the packet
header obtaining index and packet header obtaining file name.
● Run the display capture-packet file file-name [ original-packet ] command
to check information about the packet header obtaining file.
● Run the display capture-packet information [ instance-id instance-id
[ from begin-packet-number [ to end-packet-number ] ] [ format-cap ]
[ verbose ] ] command to check information about the packet header
obtaining instance in the memory of the main control board.

1.1.13.4 Configuring a Device to Obtain Forwarded Packet Headers


This section describes how to configure a device to obtain forwarded packet
headers.

Usage Scenario
To check whether a traffic exception that occurs during network maintenance
(such as voice quality deterioration or video mosaic) is caused by packet errors
or packet loss, specify filter criteria and configure devices to obtain forwarded
packet headers based on the criteria. You can then analyze the obtained packet
headers and rectify packet issues accordingly, thereby ensuring proper
transmission of network data.

Before using an access control list (ACL) as a filter criterion, you must create it.
For details about the ACL configuration, see "ACL Configuration" in NE9000
Configuration Guide - IP Services.

Pre-configuration Tasks
Before configuring a device to obtain forwarded packet headers, complete the
following tasks:

● Configure link layer protocol parameters for interfaces to ensure that the link
layer protocol status of the interfaces is Up.
● Create an ACL.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 (Optional) Configure an ACL rule.


NOTE

After an ACL rule is configured, the headers of packets that match the ACL rule can be obtained.
With the packet header obtaining function, packets are processed as follows:
● If packets match the ACL rule with the permit action, their headers are obtained.
● If packets match the ACL rule with the deny action, they are dropped instead of being
forwarded. This may adversely affect services.
● If packets match no ACL rule, they are properly forwarded, without having their headers
obtained.
● If the referenced ACL does not exist or an existent ACL in which no rule is defined is
referenced, packets are properly forwarded, without having their headers obtained.
● When packets are matched against an ACL rule, the vpn-instance vpn-instance-name
parameter configured in the rule does not take effect.

Table 1-22 ACL rule configuration

ACL Configuration Category   | Step 1: ACL Creation Through the acl Command | Step 2: ACL Rule Configuration Through the rule Command
Configuring a Basic ACL      | Creating a Basic ACL                         | Configuring a Basic ACL Rule
Configuring an Advanced ACL  | Creating an Advanced ACL                     | Configuring an Advanced ACL Rule
Configuring a Layer 2 ACL    | Creating a Layer 2 ACL                       | Configuring Rules for a Layer 2 ACL
Configuring a Basic ACL6     | Creating a Basic ACL6                        | Configuring a Basic ACL6 Rule
Configuring an Advanced ACL6 | Creating an Advanced ACL6                    | Configuring an Advanced ACL6 Rule

Step 3 Run quit

Return to the system view.

Step 4 Run capture-packet forwarding interface { interface-type interface-num | interface-name } [ inbound | outbound ] [ vlan vlan-id [ to vlan-id ] | pvlan pe-vlan-value cvlan ce-vlan-value [ to vlan-id ] ] [ [ ipv6 ] acl { acl-number | name acl-name } ] [ [ time-out time-out ] | [ packet-num packet-number ] | [ overwrite ] | [ packet-len length ] | { [ file file-name [ filesize ] ] | [ buffer-only ] } ] *

The device is configured to obtain forwarded packet headers.

NOTE

● In the preceding command, the time-out and packet-number parameters can be configured to specify the timeout period and the number of packet headers to be obtained, respectively. If the specified timeout period expires or if the device has obtained the specified number of packet headers, packet header obtaining ends.
● To control the rate at which a device obtains forwarded packet headers, set the cir parameter in the car command to specify a packet forwarding bandwidth. The default value of the cir parameter is 2 Mbit/s. A larger value indicates a higher packet forwarding bandwidth and a higher packet header obtaining rate.
● When configuring parameters for a packet header obtaining instance, set the parameter values based on the traffic volume on the target interface. Specifically, if a large number of packets are forwarded on the interface, set a small value for time-out but a large value for packet-number. Otherwise, set a large value for time-out but a small value for packet-number.

NOTICE

Enabling the function of obtaining forwarded packet headers affects device forwarding performance. Therefore, exercise caution when you enable the device to obtain forwarded packet headers.

Step 5 Run quit


Return to the system view.
Step 6 (Optional) Run capture-packet file limit limit-value
The maximum number of packet header obtaining files (.cap files) in the packet
header obtaining directory is specified.

----End


Verifying the Configuration


● Run the display capture-packet config-state command to check the
configuration of obtaining forwarded packet headers, such as the packet
header obtaining index and packet header obtaining file name.
● Run the display capture-packet file file-name [ original-packet ] command
to check information about the packet header obtaining file.
● Run the display capture-packet information [ instance-id instance-id
[ from begin-packet-number [ to end-packet-number ] ] [ format-cap ]
[ verbose ] ] command to check information about the packet header
obtaining instance in the memory of the main control board.

1.1.13.5 Maintaining Packet Header Obtaining


Maintaining packet header obtaining mainly involves clearing information about
obtained packet headers.

1.1.13.5.1 Clearing Information About Obtained Packet Headers


If packet header obtaining instances saved in the main control board's memory
need to be cleared, run the capture-packet free command.

Context

NOTICE

Cleared packet header obtaining instances cannot be restored. Therefore, exercise
caution when running this command.

Each packet header obtaining instance is saved as one file. By default, each
packet header obtaining instance on the main control board occupies up to 2 MB
of memory. An instance is cleared automatically after it has been saved on the
main control board for 10 minutes. If the main control board saves multiple
packet header obtaining instances within 10 minutes, its memory usage may
become very high, which affects main control board performance. To solve this
problem, clear one or more instances from the main control board's memory.

Procedure
Step 1 Run the capture-packet free { all | instance-id instance-id } command to clear
the information about packet header obtaining instances saved in the main control
board's memory.

----End

1.1.13.6 Configuration Examples for Packet Header Obtaining


This section provides examples that show how to configure devices to obtain
packet headers sent to central processing units (CPUs) and forwarded packet
headers. The configuration examples explain networking requirements,
configuration notes, and configuration roadmaps.


1.1.13.6.1 Example for Configuring a Device to Obtain Packet Headers Sent to its
CPU
This section provides an example for configuring a device to obtain packet headers
sent to its central processing unit (CPU).

Networking Requirements
As shown in Figure 1-25, PC1 accesses the Internet over Device A and Device B.
Device B has high CPU usage. To find out the reason why Device B has high CPU
usage, configure Device B to obtain packet headers sent to its CPU.

Figure 1-25 Configuring Device B to obtain packet headers sent to its CPU

NOTE

Interfaces 1 through 3 in this example represent GE 1/0/0, GE 1/0/1, and GE 1/0/2, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
● Configure the function of obtaining packet headers sent to Device B's CPU.

Data Preparation
To complete the configuration, you need the following data:
● Interface IP addresses
● Packet header obtaining timeout time and number of obtained packet
headers

Procedure
Step 1 Configure interface IP addresses and routing protocol. The configuration details
are not provided.
Step 2 Configure Device B to obtain packet headers sent to its CPU.
<DeviceB> capture-packet local-host all interface gigabitethernet 1/0/2 packet-len 60 packet-num
1000 time-out 3600

Step 3 View the configuration and the packet header obtaining file.
# View the configuration.
<DeviceB> display capture-packet config-state
Capture-Packet Index 1
Type : local-host
SysID : all


Interface : GigabitEthernet1/0/2
File Name : cfcard:/capture_host_all_GigabitEthernet3.0.2_2012-05-03-10-51-29.cap
Time-out : 3600 seconds
Packet-num : 1000
Packet-len : 60
BufferOnly : disabled

# View the packet header obtaining file.


<DeviceB> display capture-packet file cfcard:/capture_host_all_GigabitEthernet3.0.2_2012-05-03-10-51-29.cap
a1 b2 c3 d4 00 02 00 04 00 00 00 00 00 00 00 00
00 00 ff ff 00 00 00 09 4d 10 36 db 00 0a d5 81
00 00 00 0c 00 00 00 0c ff 03 c0 21 09 9d 00 08
8a 8c bc c3 4d 10 36 db 00 0a d6 ae

----End

Configuration Files
● Device A configuration file
#
sysname DeviceA
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.1.2.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
#
return

● Device B configuration file
#
sysname DeviceB
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 10.1.5.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.5.0 0.0.0.255
#
capture-packet local-host all interface gigabitethernet 1/0/2 packet-len 60 packet-num 1000 time-out
3600
#
return

1.1.13.6.2 Example for Configuring a Device to Obtain Forwarded Packet Headers


This section provides an example for configuring a device to obtain forwarded
packet headers.


Networking Requirements
As shown in Figure 1-26, PC1 accesses the Internet over Device A and Device B.
Video quality on PC1 deteriorates, which may be caused by a fault that occurred
on Device B. To find out the reason why video quality deteriorates, configure
Device A to obtain packet headers forwarded by Device B to the inbound interface
GE 1/0/0 of Device A.

Figure 1-26 Configuring Device A to obtain forwarded packet headers

NOTE

Interfaces 1 through 3 in this example represent GE 1/0/0, GE 1/0/1 and GE 1/0/2, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an access control list (ACL) rule.
2. Configure Device A to obtain forwarded packet headers.

Data Preparation
To complete the configuration, you need the following data:
● Interface IP addresses
● ACL number
● Packet header obtaining timeout time, number of obtained packet headers,
and packet header obtaining file name

Procedure
Step 1 Configure interface IP addresses and routing protocol. The configuration details
are not provided.
Step 2 Configure an ACL rule.
<DeviceA> system-view
[DeviceA] acl number 2001
[DeviceA-acl4-basic-2001] rule permit source 10.1.1.1 0.0.0.0
[DeviceA-acl4-basic-2001] commit
[DeviceA-acl4-basic-2001] quit
[DeviceA] quit

Step 3 Configure Device A to obtain forwarded packet headers.
<DeviceA> capture-packet forwarding interface gigabitethernet 1/0/0 inbound acl 2001 time-out 3600 packet-len 62 packet-num 900

Step 4 View the configuration and the packet header obtaining file.
# View the configuration.

<DeviceA> display capture-packet config-state
Capture-Packet Index 1
Type : forwarding
Interface : GigabitEthernet
Direction : inbound
ACL : 2001
File Name : cfcard:/capture_fwd_GigabitEthernet3.0.0_2012-05-03-14-25-42.cap
Time-out : 3600 seconds
Packet-num : 900
Packet-len : 62
BufferOnly : disabled

# View the packet header obtaining file.


<DeviceA> display capture-packet file cfcard:/capture_fwd_GigabitEthernet3.0.0_2012-05-03-14-25-42.cap
a1 b2 c3 d4 00 02 00 04 00 00 00 00 00 00 00 00
00 00 ff ff 00 00 00 09 4d 10 36 db 00 0a d5 81
00 00 00 0c 00 00 00 0c ff 03 c0 21 09 9d 00 08
8a 8c bc c3 4d 10 36 db 00 0a d6 ae

----End
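The bytes that display capture-packet file prints in both examples above start with a1 b2 c3 d4, the libpcap magic number, so a .cap file written by the device is an ordinary big-endian libpcap capture that can be copied off the cfcard and opened in Wireshark or tcpdump. The Python script below is an added example and is not part of the NE9000 guide: it decodes the dump shown above offline. The hex bytes are copied from the page; the parser, the name tables and the PPP/LCP decoding are the example's own. Run on that dump it reports link type 9 (PPP), one complete record holding an LCP Echo-Request, and 8 trailing bytes that are the start of a second record header which the display cut off.

```python
"""Decode a capture-packet file dump offline (added example, not NE9000 code).

DISPLAY_DUMP is copied from the ``display capture-packet file`` output in the
two examples above. The libpcap/PPP/LCP decoding and the name tables are this
example's own, written from the public format definitions.
"""
import struct

DISPLAY_DUMP = """
a1 b2 c3 d4 00 02 00 04 00 00 00 00 00 00 00 00
00 00 ff ff 00 00 00 09 4d 10 36 db 00 0a d5 81
00 00 00 0c 00 00 00 0c ff 03 c0 21 09 9d 00 08
8a 8c bc c3 4d 10 36 db 00 0a d6 ae
"""

# libpcap magic numbers: 0xA1B2C3D4 read as big-endian means the writer used big-endian fields.
PCAP_BYTE_ORDER = {0xA1B2C3D4: ">", 0xD4C3B2A1: "<"}
LINKTYPE_NAMES = {1: "ETHERNET", 9: "PPP", 101: "RAW_IP"}  # subset of the IANA registry
PPP_PROTOCOL_NAMES = {0xC021: "LCP", 0x8021: "IPCP", 0x0021: "IPv4"}
LCP_CODE_NAMES = {1: "Configure-Request", 2: "Configure-Ack", 9: "Echo-Request", 10: "Echo-Reply"}


def dump_to_bytes(dump):
    """Turn the space- and newline-separated hex printed by the CLI back into bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_pcap(data):
    """Parse the 24-byte libpcap global header and every complete record that follows."""
    magic = struct.unpack(">I", data[:4])[0]
    order = PCAP_BYTE_ORDER.get(magic)
    if order is None:
        raise ValueError(f"not a libpcap file (magic 0x{magic:08x})")
    vmaj, vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack(order + "HHiIII", data[4:24])
    records, off = [], 24
    while off + 16 <= len(data):  # a record header is 16 bytes
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        payload = data[off + 16:off + 16 + incl_len]
        records.append({"ts_sec": ts_sec, "ts_usec": ts_usec, "incl_len": incl_len,
                        "orig_len": orig_len, "payload": payload,
                        "truncated": len(payload) < incl_len})
        off += 16 + incl_len
        if records[-1]["truncated"]:
            break
    return {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype,
            "linktype_name": LINKTYPE_NAMES.get(linktype, "unknown"), "records": records,
            # bytes left over that do not form a full record header (a dump cut off mid-record)
            "trailing_bytes": len(data) - min(off, len(data))}


def decode_ppp(payload):
    """Decode a PPP frame (link type 9) far enough to name the LCP message, if it is one."""
    if payload[:2] != b"\xff\x03":
        raise ValueError("PPP address/control field (ff 03) missing")
    protocol = struct.unpack(">H", payload[2:4])[0]
    info = {"protocol": protocol, "protocol_name": PPP_PROTOCOL_NAMES.get(protocol, "unknown")}
    if protocol == 0xC021:  # LCP header: code, identifier, length (RFC 1661)
        code, ident, length = struct.unpack(">BBH", payload[4:8])
        info["lcp"] = {"code": code, "code_name": LCP_CODE_NAMES.get(code, "unknown"),
                       "identifier": ident, "length": length, "data": payload[8:4 + length]}
        if code in (9, 10):  # Echo-Request/Echo-Reply start with the sender's magic number
            info["lcp"]["magic_number"] = struct.unpack(">I", payload[8:12])[0]
    return info


def summarize(dump=DISPLAY_DUMP):
    """One line per record, the way a quick triage would print it."""
    cap = parse_pcap(dump_to_bytes(dump))
    lines = [f"pcap v{cap['version'][0]}.{cap['version'][1]} "
             f"linktype={cap['linktype_name']} snaplen={cap['snaplen']}"]
    for rec in cap["records"]:
        ppp = decode_ppp(rec["payload"]) if cap["linktype"] == 9 else {"protocol_name": "n/a"}
        desc = ppp.get("lcp", {}).get("code_name", ppp["protocol_name"])
        lines.append(f"{rec['ts_sec']}.{rec['ts_usec']:06d} len={rec['orig_len']} "
                     f"{ppp['protocol_name']} {desc}")
    if cap["trailing_bytes"]:
        lines.append(f"{cap['trailing_bytes']} trailing bytes: next record header cut off by the display")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize()))
```

Running the file prints one line per record. A non-zero trailing-bytes count only says that the printed dump ended mid-record; compare with the file on the cfcard before concluding that the capture itself is truncated.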

Configuration Files
● Device A configuration file
#
sysname DeviceA
#
acl number 2001
rule 5 permit source 10.1.1.1 0
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.1.2.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
#
return

● Device B configuration file
#
sysname DeviceB
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 10.1.5.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.5.0 0.0.0.255
#
return


1.1.14 BGP Flow Specification Configuration


BGP Flow Specification is used to prevent denial-of-service (DoS) and distributed-
denial-of-service (DDoS) attacks for higher network security and availability.

1.1.14.1 Overview of BGP Flow Specification


A device configured with BGP Flow Specification sends a BGP Flow Specification
route carrying a filtering rule to its BGP Flow Specification peers, so that
traffic that consumes a lot of network resources or targets servers can be
filtered or rate-limited on the peers.

Definition
BGP flow specification is used to guard against denial of service (DoS) and
distributed denial of service (DDoS) attacks, improving network security and
availability.

Purpose
DoS and DDoS attacks pose a grave threat to network security. A DoS/DDoS
attacker can control thousands of devices through multiple command-and-control
hosts to launch traffic attacks on the same destination address, subnet, or
server. Such attacks cause network congestion and may even prevent a server from
providing services due to excessive CPU usage.

Traditionally, there are two techniques for preventing DoS/DDoS attacks: traffic
classification and traffic redirection. However, these two techniques have their
own defects, as shown in Table 1-23.

Table 1-23 Comparison between the two traditional techniques for preventing DoS or DDoS attacks

Preventative technique: Traffic classification
Technique description: Traffic filtering rules and quality of service (QoS) policies are manually configured to reduce the impact of DoS and DDoS attacks on the network.
Defects:
● It fails to guarantee real-time attack defense. Coordination among network service providers is needed to identify attack sources.
● Traffic filtering policies need to be manually modified, thereby complicating maintenance.

Preventative technique: Traffic redirection
Technique description: The next hop of the route destined for the attack target is modified based on a routing policy.
● The next hop of the route is set to a blackhole, and attack traffic is then discarded.
● The next hop of the route is set to a traffic cleaning device, which cleans the attack traffic to ensure normal service traffic.
Defects:
● The traffic filtering rule is simplistic. Only destination addresses can be used as a basis for traffic filtering.
● Traffic filtering information and routing information are transmitted together, which complicates maintenance.

BGP Flow Specification helps correct the preceding defects:
● It uses BGP Network Layer Reachability Information (NLRI) defined in
standard protocols to transmit traffic filtering information. This allows traffic
filtering information and routing information to be separately transmitted,
improving maintainability.
● It provides various filtering conditions and actions to control traffic.
BGP Flow Specification supports BGP public network Flow Specification, BGP VPN
Flow Specification, BGP VPNv4 Flow Specification, and BGP VPNv6 Flow
Specification. Table 1-24 lists their differences.

Table 1-24 Comparison between BGP public network Flow Specification, BGP VPN Flow Specification, BGP VPNv4 Flow Specification, and BGP VPNv6 Flow Specification

BGP Flow Specification Classification | Usage Scenario | Address Family
BGP public network Flow Specification | Applies to public-network scenarios. | BGP-Flow address family and BGP-Flow IPv6 address family
BGP VPN Flow Specification | Applies to VPN scenarios where BGP Flow Specification routes cannot be transmitted over the public network between VPNs. | BGP-Flow VPN instance IPv4 address family and BGP-Flow VPN instance IPv6 address family
BGP VPNv4 Flow Specification | Applies to VPN scenarios where BGP Flow Specification routes are transmitted over the public network between VPNs. | BGP-Flow VPN instance IPv4 address family and BGP-Flow VPNv4 address family
BGP VPNv6 Flow Specification | Applies to VPN scenarios where BGP Flow Specification routes are transmitted over the public network between VPNs. | BGP-Flow VPN instance IPv6 address family and BGP-Flow VPNv6 address family

Benefits
BGP flow specification can improve the reliability and security of user networks.
Details are as follows:
● Real-time monitoring: BGP flow specification rapidly responds to attack traffic
through scheduled sampling, keeping attack traffic under control.
● Preemptive defense: Defense policies are configured manually in advance
based on the characteristics of common attack traffic to prevent common
attack traffic from damaging user networks.
● Reduced costs: You do not need to create a traffic control policy on each
device, improving maintainability.
● Minimized attack scope: BGP flow specification routes can be transmitted
across domains so that attack traffic can be filtered out of the device nearest
to the attack source. This significantly reduces the impact of attack traffic on
networks.

1.1.14.2 Feature Requirements for BGP Flow Specification

1.1.14.3 Configuring Dynamic BGP Flow Specification


Dynamic BGP Flow Specification allows a traffic analysis server to generate BGP
Flow Specification routes to control traffic.

Usage Scenario
When deploying dynamic BGP Flow Specification, a BGP Flow Specification peer
relationship needs to be established between the traffic analysis server and each
ingress of the network to transmit BGP Flow Specification routes.
In an AS with multiple ingresses, a BGP Flow route reflector (Flow RR) can be
deployed to reduce the number of BGP Flow Specification peer relationships to be
established and save network resources.
If you want to filter traffic matching a specified address prefix but BGP Flow
Specification routes matching the specified address prefix cannot pass validation,
disable the validation of the BGP Flow Specification routes received from a
specified peer.

Pre-configuration Tasks
Before configuring dynamic BGP Flow Specification, configure a BGP peer.

Procedure
Step 1 Configure a BGP Flow Specification peer relationship.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv4-family flow
The BGP-Flow address family view is displayed.
4. Run peer ipv4-address enable
A BGP Flow Specification peer relationship is established.
After the BGP Flow Specification peer relationship is established in the BGP-
Flow address family view, BGP Flow Specification routes generated by a traffic
analysis server are automatically imported to the BGP routing table and then
sent to the BGP Flow Specification peer.
5. Run commit
The configuration is committed.
Step 2 (Optional) Configure a Flow RR.
Before configuring a Flow RR, establish BGP Flow Specification peer relationships
between the Flow RR and the traffic analysis server, and between the Flow RR and
every network ingress.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv4-family flow
The BGP-Flow address family view is displayed.
4. Run peer ipv4-address reflect-client
A Flow RR is configured, and clients are specified for it.
The router on which the peer reflect-client command is run functions as a
Flow RR, and the network ingress and traffic analysis server function as
clients.
5. (Optional) Run undo reflect between-clients
Route reflection between clients through the RR is disabled.


If the clients of a Flow RR are fully meshed, you can run the undo reflect
between-clients command on the Flow RR to disable route reflection
between clients through the RR, which reduces costs.
6. (Optional) Run reflector cluster-id { cluster-id-value | cluster-id-ipv4 }
A cluster ID is configured for the Flow RR.
If a cluster has multiple Flow RRs, run this command to set the same cluster-
id for these RRs.

NOTE

The reflector cluster-id command is applicable only to Flow RRs.


7. Run commit
The configuration is committed.
Step 3 (Optional) Configure the device to check the AS_Path attribute during BGP Flow
Specification route validation.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv4-family flow
The BGP-Flow address family view is displayed.
4. Run route validation-mode include-as
The device is configured to check the AS_Path attribute during BGP Flow
Specification route validation.
BGP Flow Specification route validation is performed in either of the following
modes:
– Validation mode 1: After receiving a BGP Flow Specification route with a
destination address-based filtering rule, the device checks the validity of
the route using the rules described in Figure 1-27. The route is
considered valid only if the validation succeeds.
– Validation mode 2: After receiving a BGP Flow Specification route with a
destination address-based filtering rule, the device checks the validity of
the route by checking whether the AS_Path attribute of the route carries
the AS_Set and AS_Sequence fields. The route is considered valid only if
its AS_Path attribute does not carry the AS_Set or AS_Sequence field.
Validation mode 2 is configured using the route validation-mode include-as
command. If this command is configured, the device checks the validity of a
BGP Flow Specification route using mode 2 first.
– If the validation succeeds, the BGP Flow Specification route is considered
valid, and mode 1 is not used.
– If the validation fails, the device checks the validity of the BGP Flow
Specification route using mode 1.
If this command is not run, the device uses mode 1 to check the validity of
BGP Flow Specification routes.

Issue 01 (2023-09-30) Copyright © Huawei Technologies Co., Ltd. 297


HUAWEI NetEngine9000
Configuration Guide 1 Configuration

Figure 1-27 BGP Flow Specification validation rules

5. Run commit
The configuration is committed.
Step 4 (Optional) Disable BGP Flow Specification route validation.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv4-family flow
The BGP-Flow address family view is displayed.
4. Run peer ipv4-address validation-disable
The device is disabled from validating the BGP Flow Specification routes
received from a specified peer.
5. Run commit
The configuration is committed.

Step 5 (Optional) Disable the device from validating the next hop of each route that
carries the redirection next-hop attribute and is received from a specified EBGP
peer.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv4-family flow
The BGP-Flow address family view is displayed.

4. Run peer ipv4-address redirect ip validation-disable
The device is disabled from validating the routes that carry a redirection
extended community attribute and are received from a specified EBGP peer.
5. Run commit
The configuration is committed.
Step 6 (Optional) Configure a BGP peer to process the received routes that carry the
redirection next-hop IPv6 address, color, and prefix SID attributes.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv4-family flow
The BGP-Flow address family view is displayed.
4. Run peer ipv4-address redirect tunnelv6
The BGP peer is configured to process the received routes that carry the next-
hop IPv6 address, color, and prefix SID attributes.
5. Run commit
The configuration is committed.
Step 7 (Optional) Configure the redirection next-hop attribute ID for BGP Flow
Specification routes.
The redirection next-hop attribute ID can be 0x010C (defined in a related RFC) or
0x0800 (defined in a related draft). If a Huawei device needs to communicate with
a non-Huawei device that does not support the redirection next-hop attribute ID
of 0x010C or 0x0800, set the redirection next-hop attribute ID of BGP Flow
Specification routes as required. Perform one of the following configurations based
on the ID supported by non-Huawei devices:
● Set the redirection next-hop attribute ID to 0x010C (defined in a related RFC)
for BGP Flow Specification routes.
a. Run system-view
The system view is displayed.
b. Run bgp as-number
The BGP view is displayed.
c. Run ipv4-family flow
The BGP-Flow address family view is displayed.
d. Run peer ipv4-address redirect ip rfc-compatible
The redirection next-hop attribute ID of the BGP Flow Specification route
is set to 0x010C (defined in a related RFC).
e. Run commit
The configuration is committed.
● Change the redirection next-hop attribute ID of BGP Flow Specification routes
to 0x0800 (defined in a related draft).

a. Run system-view
The system view is displayed.
b. Run bgp as-number
The BGP view is displayed.
c. Run ipv4-family flow
The BGP-Flow address family view is displayed.
d. Run peer ipv4-address redirect ip draft-compatible
The redirection next-hop attribute ID of BGP Flow Specification routes is
changed to 0x0800 (defined in a related draft).
e. Run commit
The configuration is committed.

Step 8 (Optional) Configure the interface in the BGP Flow Specification as the traffic-
injection interface of the cleaned traffic to prevent the injected traffic from
matching the Flow Specification rules and being switched back to the cleaning
device.
1. Run system-view
The system view is displayed.
2. Run interface interface-type interface-number
The interface view is displayed.
3. Run flowspec refluence
The interface in BGP Flow Specification is configured as the traffic-injection
interface for cleaning traffic.
NOTE
This configuration conflicts with MF classification. Therefore, after this command is
configured on an interface, do not configure MF classification on the interface.
This command cannot be configured on Eth-Trunk member interfaces. The
configuration on a main interface also takes effect on its sub-interfaces.
4. Run commit
The configuration is committed.

Step 9 (Optional) Disable BGP Flow Specification on the interface.
1. Run system-view
The system view is displayed.
2. Run interface interface-type interface-number
The interface view is displayed.
3. Run flowspec disable [ ipv4 | ipv6 ]
BGP Flow Specification is disabled on the interface.

NOTE
This command cannot be configured on Eth-Trunk member interfaces. The
configuration on a main interface also takes effect on its sub-interfaces.
If BGP Flow Specification does not need to be disabled on a sub-interface, run the
flowspec disable [ ipv4 | ipv6 ] sub-port-exclude command on the main interface to
which the sub-interface belongs.
4. Run commit
The configuration is committed.
Step 10 (Optional) Configure the device to redirect traffic to a specified IPv6 next hop
after receiving a BGP Flow Specification route from a peer.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv4-family flow
The BGP-Flow address family view is displayed.
4. Run peer ipv4-address redirect ipv6
The device is configured to redirect traffic to a specified IPv6 next hop after
receiving a BGP Flow Specification route from a peer.
5. Run commit
The configuration is committed.
Step 11 (Optional) Allow the device to recurse the received routes that carry a redirection
next hop IP address to tunnels.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv4-family flow
The BGP-Flow address family view is displayed.
4. Run redirect ip recursive-lookup tunnel [ tunnel-selector tunnel-selector-
name ]
The device is allowed to recurse the received routes that carry a redirection
next hop IP address to tunnels.
5. Run commit
The configuration is committed.
Step 12 (Optional) Allow the device to recurse received routes with the next-hop IPv6
address, color attribute, and prefix SID attributes to tunnels.
1. Run system-view
The system view is displayed.

2. Run bgp as-number
The BGP view is displayed.
3. Run ipv4-family flow
The BGP-Flow address family view is displayed.
4. Run redirect tunnelv6 tunnel-selector tunnel-selector-name
The device is allowed to recurse received routes with the next-hop IPv6
address, color, and prefix SID attributes to tunnels.
NOTE
To trigger route recursion to SRv6 TE Policies, you must run both the redirect
tunnelv6 tunnel-selector tunnel-selector-name command and the peer ipv4-address
redirect tunnelv6 command.
5. Run commit
The configuration is committed.

Step 13 (Optional) Configure the device to validate the redirection next-hop IPv6 address
attribute carried in the routes that are received from an EBGP peer.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv4-family flow
The BGP-IPv4-Flow address family view is displayed.
4. Run peer ipv4-address redirect ipv6 validation
The device is configured to validate the redirection next-hop IPv6 address
attribute carried in the routes that are received from an EBGP peer.
5. Run commit
The configuration is committed.
Step 14 (Optional) Configure BGP Flow Specification for the packets leaving the public
network based on IP information.
1. Run system-view
The system view is displayed.
2. Run flowspec match-ip-layer mpls-pop
BGP Flow Specification is configured for the packets leaving the public
network based on IP information.
3. Run commit
The configuration is committed.
Step 15 (Optional) Enable CAR statistics collection and packet loss statistics collection for
BGP Flow Specification.
1. Run system-view

The system view is displayed.
2. Run flowspec statistic enable
CAR statistics collection and packet loss statistics collection for BGP Flow
Specification are enabled.
3. Run commit
The configuration is committed.
Step 16 (Optional) Configure BGP Flow Specification for packets entering an IPv4 VXLAN
tunnel.
1. Run system-view
The system view is displayed.
2. Run flowspec match vxlan-packet enable
BGP Flow Specification is configured for packets entering an IPv4 VXLAN
tunnel.
3. Run commit
The configuration is committed.
Step 17 (Optional) Enable BGP Flow Specification on a GRE tunnel interface.
1. Run system-view
The system view is displayed.
2. Run interface tunnel interface-number
The tunnel interface view is displayed.
3. Run tunnel-protocol gre
The tunnel is encapsulated as a GRE tunnel.
4. Run flowspec match tunnel-pop
BGP Flow Specification is enabled on the GRE tunnel interface.
5. Run commit
The configuration is committed.
Step 18 (Optional) Disable BGP Flow Specification protection.
1. Run system-view
The system view is displayed.
2. Run flowspec protocol-protect { ipv4 | ipv6 } disable
BGP Flow Specification protection is disabled.
3. Run commit
The configuration is committed.
Step 19 (Optional) Enable the device to follow RFC 5575 when dealing with BGP Flow
Specification IPv4 fragmentation rules.
1. Run system-view
The system view is displayed.

2. Run flowspec ipv4-fragment-rule switch
The device is enabled to follow RFC 5575 when dealing with BGP Flow
Specification IPv4 fragmentation rules.
3. Run commit
The configuration is committed.
Step 20 (Optional) Enable the route policy distribution (RPD) capability for a BGP peer to
support the BGP Flow Specification routes carrying the RPD attribute and
delivered by the controller to forwarders.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv4-family flow
The BGP-Flow address family view is displayed.
4. Run peer peerIPv4Addr capability-advertise route-policy-distribute receive
The RPD capability is enabled for the BGP peer.
5. Run commit
The configuration is committed.
Step 21 (Optional) Enable BGP Flow Specification to match inner packet information
about the packets that leave an SRv6 TE Policy or SRv6 BE egress.
1. Run system-view
The system view is displayed.
2. Run flowspec match srv6-inner-ip enable
BGP Flow Specification is enabled to match inner packet information about
the packets that leave an SRv6 TE Policy or SRv6 BE egress.
3. Run commit
The configuration is committed.
Step 22 (Optional) Disable the device from sending routes that carry the destination
community attribute rule to a specified peer.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv4-family flow
The BGP-Flow address family view is displayed.
4. Run peer peerIPv4Addr advertise destination-community disable
The device is disabled from sending routes that carry the destination
community attribute rule to a specified peer. Perform this step if you do not
want the device to send routes that carry the destination community attribute
rule to a specified BGP Flow Specification peer.
5. Run commit
The configuration is committed.
Step 23 (Optional) Enable BGP Flow Specification to match an IPv4 destination
community attribute-based traffic filtering rule.
1. Run system-view
The system view is displayed.
2. Run flowspec match-rule enhance enable
BGP Flow Specification is enabled to match an IPv4 destination community
attribute-based traffic filtering rule.
3. Run commit
The configuration is committed.

----End

Verifying the Configuration


After the configuration is complete, verify the configuration.
● Run the display bgp flow peer [ [ ipv4-address ] verbose ] command to
check information about BGP Flow Specification peers.
● Run the display bgp flow routing-table command to check BGP Flow
Specification routing information.
● Run the display bgp flow routing-table [ peer ipv4-address ] [ advertised-
routes | received-routes [ active ] ] statistics command to check BGP Flow
Specification route statistics.
● Run the display flowspec statistics reindex command to check statistics
about traffic transmitted over BGP Flow Specification routes.
● Run the display flowspec rule reindex-value slot slot-id command to check
information about combined rules in the local BGP Flow Specification rule
table.
● Run the display flowspec rule statistics slot slot-id command to check
statistics about the rules for BGP Flow Specification routes to take effect.
● Run the display flowspec resource rule { ipv4 | ipv6 } [ interface-based ]
[ slot slot-id ] command to check the resource usage information about BGP
Flow Specification route rules.

1.1.14.4 Configuring Static BGP Flow Specification


BGP Flow Specification routes are generated manually to control traffic in static
BGP Flow Specification.

Usage Scenario
When static BGP Flow Specification is configured, a BGP Flow Specification route
needs to be generated manually, and a BGP Flow Specification peer relationship

needs to be established between the device that generates the BGP Flow
Specification route and each ingress on the network to advertise BGP Flow
Specification routes.
In an AS with multiple ingresses, a BGP Flow route reflector (Flow RR) can be
deployed to reduce the number of BGP Flow Specification peer relationships to be
established and save network resources.
If you want to filter traffic matching a specified address prefix but BGP Flow
Specification routes matching the specified address prefix cannot pass validation,
disable the validation of the BGP Flow Specification routes received from a
specified peer.

Pre-configuration Tasks
Before configuring static BGP Flow Specification, configure a BGP peer.

Procedure
Step 1 Create a BGP Flow Specification route manually.
1. Run the system-view command to enter the system view.
2. Run the flow-route flowroute-name command to create a static BGP Flow
Specification route and enter the Flow-Route view.
One BGP Flow Specification route can include multiple if-match and apply
clauses. if-match clauses define traffic filtering rules, and apply clauses
define traffic behaviors. The relationships among clauses are as follows:
– The relationship among if-match clauses of different types is "AND."
– If if-match clauses of the same type are configured repeatedly, some
rules override each other, and some other rules are in the OR
relationship. For details, see the precautions for the if-match command.
– The relationship among the traffic behaviors defined by apply clauses is
"AND."
The traffic behaviors defined by apply clauses apply to all traffic matching the
filtering rules of if-match clauses.
The traffic filtering rules for BGP Flow Specification routes configured in the
Flow-Route view take effect only in the system view, not on a specified
interface. To configure the traffic filtering rules for BGP Flow Specification
routes to take effect on a specified interface, perform the following steps:
a. Run the system-view command to enter the system view.
b. Run the flow-interface-group flow-interface-group-id command to
create a BGP Flow Specification interface group and enter the interface
group view.
c. (Optional) Run the description description command to configure a
description for the BGP Flow Specification interface group.
d. Run the interface interface-type interface-number command to add an
interface to the BGP Flow Specification interface group.
e. (Optional) Run the quit command to return to the system view.
f. (Optional) Run the flow-route flowroute-name command to enter the
Flow-Route view.

g. (Optional) Run the flow-interface-group flow-interface-group-id
command to associate the BGP Flow Specification interface group with
the BGP Flow Specification route.
NOTE

The filtering rule based on the start AS number of the destination IP address
cannot take effect globally. You must specify a BGP Flow Specification interface
group. That is, if you need to run the if-match destination-origin-as { as-
number-plain | as-number-dot } command to configure the filtering rule based
on the start AS number of the destination IP address, you must perform the
preceding steps.
Steps v, vi, and vii do not need to be configured between the controller and
forwarder. Steps v, vi, and vii must be configured between forwarders.
h. (Optional) Run the quit command to return to the system view.
i. (Optional) Run the reset flowspec statistics reindex [ flow-interface-
group flow-interface-group-id ] command to clear statistics about traffic
matching the BGP Flow Specification route.
j. (Optional) Run the flowspec ipv4 cascading-mode command to enable
the BGP Flow Specification cascading mode. In this way, if interface
group-based route query fails, global route query is performed.
3. According to characteristics of the traffic to be controlled, you can configure
one or more if-match clauses to define traffic filtering rules as needed:
– To set a destination address-based traffic filtering rule, run the if-match
destination ipv4-address { mask | mask-length } command.
NOTE
If traffic control is performed based on a destination IP address specified in a
rule configured using the if-match destination command, but BGP Flow
Specification routes matching the rule cannot pass validation, run the peer
validation-disable command to disable the validation.
By default, 0.0.0.0/0 is used as the prefix of each BGP Flow Specification route
that matches the export or import policy configured for a peer. To enable a
device to change the prefix of each BGP Flow Specification route that matches
the export or import policy configured for a peer to the destination IP address
specified in the if-match destination command, run the route match-destination
command.
– To set a destination community attribute-based traffic filtering rule:
i. To control the range of destination community attribute-based traffic
filtering rules that can take effect, run the match-community
community-list community-list-name command.
NOTE
Before you run the match-community community-list community-list-name
command to control the range of destination community attribute-based
traffic filtering rules that can take effect, run the ip community-list
command to create a BGP community list, and run the community
command to configure community attributes for the BGP community list.
ii. To set a destination community attribute-based traffic filtering rule,
run the if-match destination-community community-value
command. The traffic filtering rule specified using community-value
in this command takes effect only when it is in the range of
destination community attribute-based traffic filtering rules
configured using community-list community-list-name.

If you want to control traffic based on an address prefix, run the if-
match destination command to configure a destination address-based
traffic filtering rule. However, if there are a large number of routes of the
same type, configuring destination address-based traffic filtering rules
one by one for traffic control is complex and consumes many resources.
To address this issue, you can configure traffic filtering through
destination community attribute aggregation.
After the configuration is complete, run the display bgp flow routing-
table reIndex destination-community command to check details about
the traffic filtering rule that is based on the community attribute of the
destination IP address in a BGP Flow Specification route.
– To set a source address-based traffic filtering rule, run the if-match
source ipv4-address { mask | mask-length } command.
– To set a port number-based traffic filtering rule, run the if-match port
{ greater-than | less-than | equal } port or if-match port greater-than
port less-than upper-port-value command.
– To set a source port number-based traffic filtering rule, run the if-match
source-port { greater-than | less-than | equal } port or if-match
source-port greater-than source-port less-than upper-source-port-value
command.
– To set a destination port number-based traffic filtering rule, run the if-
match destination-port { greater-than | less-than | equal } port or if-
match destination-port greater-than port less-than upper-port-value
command.
NOTE
The if-match port command is mutually exclusive with the if-match
destination-port or if-match source-port command.
– To set a traffic bearing protocol-based traffic filtering rule, run the if-
match protocol { greater-than | less-than | equal } protocol or if-match
protocol greater-than protocol less-than upper-protocol-value
command.
– To set a DSCP-based traffic filtering rule, run the if-match dscp
{ greater-than | less-than | equal } dscp or if-match dscp greater-than
dscp less-than upper-dscp-value command.
– To set a TCP-flag value-based traffic filtering rule, run the if-match tcp-
flags { match | not | any-match } tcp-flags command.
Network attackers may send a large number of invalid TCP packets to
attack network devices. To control the unidirectional traffic of TCP
packets to ensure communication security, configure a filtering rule based
on the TCP flag for the BGP Flow Specification route using the if-match
tcp-flags command. The traffic behavior specified in the apply clause
applies to the traffic that matches the TCP flag value.
– To set a fragment type-based traffic filtering rule, run the if-match
fragment-type { match | not } fragment-type-name command.
– To set an ICMP message code-based traffic filtering rule, run the if-
match icmp-code { greater-than | less-than | equal } icmp-code or if-
match icmp-code greater-than icmp-code less-than upper-icmp-code-
value command.

– To set an ICMP message type-based traffic filtering rule, run the if-match
icmp-type { greater-than | less-than | equal } icmp-type or if-match
icmp-type greater-than icmp-type less-than upper-icmp-type-value
command.

Table 1-25 icmp-type and icmp-code values corresponding to ICMP message names

icmp-name              icmp-type   icmp-code
Echo                   8           0
Echo-reply             0           0
Parameter-problem      12          0
Port-unreachable       3           3
Protocol-unreachable   3           2
Reassembly-timeout     11          1
Source-quench          4           0
Source-route-failed    3           5
Timestamp-reply        14          0
Timestamp-request      13          0
Ttl-exceeded           11          0
Fragmentneed-DFset     3           4
Host-redirect          5           1
Host-tos-redirect      5           3
Host-unreachable       3           1
Information-reply      16          0
Information-request    15          0
Net-redirect           5           0
Net-tos-redirect       5           2
Net-unreachable        3           0

– To set a filtering rule based on the packet length of a BGP Flow
Specification route, run the if-match packet-length { greater-than |
less-than | equal } packet-length-value or if-match packet-length
greater-than packet-length-value less-than upper-packet-length-value
command.
– To set a filtering rule based on the origin AS of the destination IP address,
run the if-match destination-origin-as as-number command.

NOTE
After configuring the filtering rules, you need to configure the following:
▪ Run the peer ipv4-address advertise destination-origin-as command to
configure the device to advertise the matching rule that is based on the origin AS
number of the destination IP address.
▪ Run the check-origin-as enable command to allow the received BGP Flow
Specification routes carrying the matching rule that is based on the origin AS
number of the destination IP address to take effect.
▪ Create a BGP Flow Specification interface group and associate it with the BGP
Flow Specification route.
4. Run the following command as required to configure actions for apply
clauses:
– To discard the matched traffic, run the apply deny command. The apply
deny and apply traffic-rate commands cannot be used together.
– To redirect the matched traffic to the traffic cleaning device or blackhole,
run the apply redirect { vpn-target vpn-target-import | ip redirect-ip-rt }
command.
NOTE

The device can process the redirection next hop attribute configured using the
apply redirect ip redirect-ip-rt command received from a peer only after the
peer redirect ip command is run.
The device can process the redirection next hop attribute configured using the
apply redirect ip redirect-ip-rt color colorvalue command received from a peer
only after the peer redirect ip command is run.
The redirection load balancing function can be enabled on the device only after
the redirect load-balancing command is run. A maximum of eight redirection
routes can be used for load balancing.
– To redirect the matched traffic to an SR-MPLS TE Policy, run the apply
redirect ip redirect-ip-rt color colorvalue command.
– To redirect the matched traffic to the IPv6 address of a specified next
hop, run the apply redirect ipv6 redirect-ipv6-rt command.
NOTE

A device can process the redirection next-hop attribute configured using the
apply redirect ipv6 redirect-ipv6-rt command and carried in the routes that are
received from peers only after the peer ipv4-address redirect ipv6 command is
run.
The apply redirect ipv6 redirect-ipv6-rt command must be used together with
the local-route redirect ipv6 command to trigger traffic redirection to a
specified IPv6 next hop.
– To redirect the matched traffic to an SRv6 TE Policy, run the apply
redirect ipv6 redirect-ipv6-rt color colorvalue [ prefix-sid prefix-sid-
value ] command.
– To redirect the matched traffic to SR-MPLS TE Policies for load balancing
(a maximum of eight redirection paths are supported for load balancing),
run the apply redirect multi-ip redirectIP [ color color-value ] [ weight
weight-value ] command.
– To redirect the matched traffic to SRv6 TE Policies for load balancing (a
maximum of eight redirection paths are supported for load balancing),

run the apply redirect multi-ipv6 redirectIPv6 [ color color-value ]
[ weight weight-value ] command.
– To re-mark the service class of the matched traffic, run the apply
remark-dscp command.
– To limit the rate of the matched traffic, run the apply traffic-rate
command. The apply deny and apply traffic-rate commands cannot be
used together.
– To implement sampling for the matched traffic, run the apply traffic-
action sample command.
You can run the apply traffic-action sample command for a BGP Flow
Specification route to sample the traffic that matches the specified
filtering rules. Through sampling, abnormal traffic can be identified and
filtered out, which protects the attacked device and improves network
security.
NOTE

If the configured BGP Flow Specification route attribute does not need to take effect
locally, run the routing-table rib-only [ route-policy route-policy-name | route-filter
route-filter-name ] command to disable the device from delivering the BGP Flow
Specification route to the FES forwarding table.
5. Run commit
The configuration is committed.
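As an added example that is not part of the Huawei guide, the following Python models the if-match and apply clauses described in steps 3 and 4 above: the AND relationship between if-match clauses of different types, the mutual exclusion of if-match port with if-match source-port/destination-port, the mutual exclusion of apply deny with apply traffic-rate, and the ICMP name-to-type/code mapping of Table 1-25. The rule names, prefixes and packets are constructed; the strict reading of greater-than/less-than, the either-direction reading of if-match port, and the tcp-flags operator semantics (match = all listed bits set, not = none set, any-match = at least one set) are assumptions, not statements from the guide.

```python
"""Model of a static flow-route: if-match clauses and apply clauses.
Added example, not code from the Huawei guide.  It encodes what the text states:
if-match clauses of different types are ANDed; apply deny and apply traffic-rate
are mutually exclusive; if-match port is exclusive with source-port/destination-port.
ASSUMPTIONS: greater-than/less-than are strict; port matches either direction;
tcp-flags match = all listed bits set, not = none set, any-match = at least one set.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Table 1-25 from the guide: ICMP message name -> (icmp-type, icmp-code)
ICMP_NAMES = {
    "echo": (8, 0), "echo-reply": (0, 0), "parameter-problem": (12, 0),
    "port-unreachable": (3, 3), "protocol-unreachable": (3, 2), "reassembly-timeout": (11, 1),
    "source-quench": (4, 0), "source-route-failed": (3, 5), "timestamp-reply": (14, 0),
    "timestamp-request": (13, 0), "ttl-exceeded": (11, 0), "fragmentneed-dfset": (3, 4),
    "host-redirect": (5, 1), "host-tos-redirect": (5, 3), "host-unreachable": (3, 1),
    "information-reply": (16, 0), "information-request": (15, 0), "net-redirect": (5, 0),
    "net-tos-redirect": (5, 2), "net-unreachable": (3, 0),
}
TCP_FLAG_BITS = {"fin": 1, "syn": 2, "rst": 4, "psh": 8, "ack": 16, "urg": 32}


@dataclass
class Range:
    """Numeric if-match clause: equal, greater-than, less-than, or both bounds."""
    equal: Optional[int] = None
    greater_than: Optional[int] = None
    less_than: Optional[int] = None

    def matches(self, value: int) -> bool:
        return ((self.equal is None or value == self.equal)
                and (self.greater_than is None or value > self.greater_than)
                and (self.less_than is None or value < self.less_than))


@dataclass
class FlowRoute:
    name: str
    destination: Optional[str] = None            # if-match destination prefix
    protocol: Optional[Range] = None             # if-match protocol
    port: Optional[Range] = None                 # if-match port (either direction)
    source_port: Optional[Range] = None          # if-match source-port
    destination_port: Optional[Range] = None     # if-match destination-port
    icmp_type: Optional[Range] = None            # if-match icmp-type
    icmp_code: Optional[Range] = None            # if-match icmp-code
    tcp_flags: Optional[Tuple[str, set]] = None  # (operator, {"syn", ...})
    actions: Dict[str, object] = field(default_factory=dict)  # apply clauses

    def conflicts(self) -> List[str]:
        """Clause combinations the guide says cannot be used together."""
        errs = []
        if self.port is not None and (self.source_port or self.destination_port):
            errs.append("if-match port excludes if-match source-port/destination-port")
        if "deny" in self.actions and "traffic-rate" in self.actions:
            errs.append("apply deny and apply traffic-rate cannot be used together")
        return errs

    def matches(self, pkt: dict) -> bool:
        """Every configured clause must match: AND across clause types."""
        if self.destination and ip_address(pkt["dst"]) not in ip_network(self.destination):
            return False
        numeric = ((self.protocol, "proto"), (self.source_port, "sport"),
                   (self.destination_port, "dport"), (self.icmp_type, "icmp_type"),
                   (self.icmp_code, "icmp_code"))
        for clause, key in numeric:
            if clause is not None and (key not in pkt or not clause.matches(pkt[key])):
                return False
        if self.port is not None and not any(
                k in pkt and self.port.matches(pkt[k]) for k in ("sport", "dport")):
            return False
        if self.tcp_flags is not None:
            op, names = self.tcp_flags
            want, have = sum(TCP_FLAG_BITS[n] for n in names), pkt.get("tcp_flags", 0)
            if not {"match": have & want == want, "not": not have & want,
                    "any-match": bool(have & want)}[op]:
                return False
        return True


def apply_actions(route: FlowRoute, packets: List[dict]) -> List[Optional[dict]]:
    """Apply-clause actions per packet; None where the route does not match."""
    if route.conflicts():
        raise ValueError("; ".join(route.conflicts()))
    return [route.actions if route.matches(p) else None for p in packets]


def demo() -> dict:
    """Constructed rules and packets (not from the guide)."""
    itype, icode = ICMP_NAMES["port-unreachable"]  # Table 1-25 lookup
    drop_icmp = FlowRoute("drop-icmp-pu", destination="10.1.2.0/24", protocol=Range(equal=1),
                          icmp_type=Range(equal=itype), icmp_code=Range(equal=icode),
                          actions={"deny": True})
    limit_syn = FlowRoute("limit-syn", destination="10.1.2.0/24", protocol=Range(equal=6),
                          destination_port=Range(equal=80), tcp_flags=("match", {"syn"}),
                          actions={"traffic-rate": 1000000})
    packets = [  # constructed: one ICMP port-unreachable, one TCP SYN, one TCP ACK
        {"dst": "10.1.2.10", "proto": 1, "icmp_type": 3, "icmp_code": 3},
        {"dst": "10.1.2.10", "proto": 6, "sport": 40000, "dport": 80, "tcp_flags": 2},
        {"dst": "10.1.2.10", "proto": 6, "sport": 40000, "dport": 80, "tcp_flags": 16},
    ]
    return {"drop_icmp": apply_actions(drop_icmp, packets),
            "limit_syn": apply_actions(limit_syn, packets)}
```

demo() returns, for each constructed rule, the apply-clause actions per packet: the ICMP rule only fires on the port-unreachable message, and the SYN rule only on the packet whose TCP flags carry SYN. conflicts() reports the clause combinations the guide forbids before any packet is evaluated, which is the check a device performs at configuration time.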
Step 2 Configure BGP Flow Specification peer relationships.
BGP Flow Specification peer relationships must be established between the
network ingress and device on which the BGP Flow Specification route is manually
created.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv4-family flow
The BGP-Flow address family view is displayed.
4. Run peer ipv4-address enable
The BGP Flow Specification peer relationship is enabled.
After the BGP Flow Specification peer relationship is established in the BGP-
Flow address family view, the manually generated BGP Flow Specification
route is imported to the BGP routing table and then sent to each peer.
5. Run commit
The configuration is committed.
Step 3 (Optional) Configure a Flow RR.
Before configuring a Flow RR, establish a BGP Flow Specification peer relationship
between the Flow RR and the device on which the BGP Flow Specification route is
generated and between the Flow RR and every network ingress.

1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv4-family flow
The BGP-Flow address family view is displayed.
4. Run peer ipv4-address reflect-client
A Flow RR is configured, and clients are specified for it.
The router on which the peer reflect-client command is run functions as a
Flow RR, and the specified peers function as clients.
5. (Optional) Run undo reflect between-clients
Route reflection between clients through the RR is disabled.
If the clients of a Flow RR are fully meshed, you can run the undo reflect
between-clients command on the Flow RR to disable route reflection
between clients through the RR, which reduces costs.
6. (Optional) Run reflector cluster-id { cluster-id-value | cluster-id-ipv4 }
A cluster ID is configured for the Flow RR.
If a cluster has multiple Flow RRs, run this command to set the same cluster-
id for these RRs.
The reflector cluster-id command is applicable only to Flow RRs.
7. Run commit
The configuration is committed.
Step 4 (Optional) Configure the device to check the AS_Path attribute during BGP Flow
Specification route validation.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv4-family flow
The BGP-Flow address family view is displayed.
4. Run route validation-mode include-as
The device is configured to check the AS_Path attribute during BGP Flow
Specification route validation.
BGP Flow Specification route validation is performed in either of the following
modes:
– Validation mode 1: After receiving a BGP Flow Specification route with a
destination address-based filtering rule, the device checks the validity of
the route using the rules described in Figure 1-28. The route is
considered valid only if the validation succeeds.

– Validation mode 2: After receiving a BGP Flow Specification route with a
destination address-based filtering rule, the device checks the validity of
the route by checking whether the AS_Path attribute of the route carries
the AS_Set and AS_Sequence fields. The route is considered valid only if
its AS_Path attribute does not carry the AS_Set or AS_Sequence field.
Validation mode 2 is configured using the route validation-mode include-as
command. If this command is configured, the device checks the validity of a
BGP Flow Specification route using mode 2 first.
– If the validation succeeds, the BGP Flow Specification route is considered
valid, and mode 1 is not used.
– If the validation fails, the device checks the validity of the BGP Flow
Specification route using mode 1.
If this command is not run, the device uses mode 1 to check the validity of
BGP Flow Specification routes.

Figure 1-28 BGP Flow Specification validation rules

5. Run commit
The configuration is committed.
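As an added illustration (not code from this guide or from the device), the following Python models the decision order described in Step 4: it parses a BGP AS_PATH attribute value (RFC 4271 segment encoding, 4-byte AS numbers assumed) and applies validation mode 2, falling back to a caller-supplied mode 1 function because the Figure 1-28 rules are not reproduced here. Function and sample names are this example's own.

```python
from typing import Callable, List, Tuple

# BGP AS_PATH segment types (RFC 4271, section 4.3).
AS_SET = 1
AS_SEQUENCE = 2


def parse_as_path(attr: bytes, four_byte_asn: bool = True) -> List[Tuple[int, List[int]]]:
    """Parse an AS_PATH attribute value into (segment_type, [asn, ...]) tuples.

    An empty value, which is what a route originated inside the local AS carries
    on an IBGP session, parses to an empty list. Assumes 4-byte AS numbers
    (AS4 capability negotiated) unless four_byte_asn is False.
    """
    width = 4 if four_byte_asn else 2
    segments: List[Tuple[int, List[int]]] = []
    i = 0
    while i < len(attr):
        if i + 2 > len(attr):
            raise ValueError("truncated AS_PATH segment header")
        seg_type, count = attr[i], attr[i + 1]
        i += 2
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError(f"unknown AS_PATH segment type {seg_type}")
        body = count * width
        if i + body > len(attr):
            raise ValueError("truncated AS_PATH segment body")
        asns = [int.from_bytes(attr[i + k * width:i + (k + 1) * width], "big")
                for k in range(count)]
        segments.append((seg_type, asns))
        i += body
    return segments


def mode2_valid(as_path_attr: bytes) -> bool:
    """Validation mode 2: the route passes only if its AS_PATH carries
    neither an AS_SET nor an AS_SEQUENCE segment."""
    return len(parse_as_path(as_path_attr)) == 0


def validate_flowspec_route(as_path_attr: bytes, include_as: bool,
                            mode1: Callable[[bytes], bool]) -> Tuple[bool, str]:
    """Apply the decision order described in the guide.

    include_as models whether 'route validation-mode include-as' is configured.
    mode1 is a caller-supplied stand-in for the Figure 1-28 rules (hypothetical;
    those rules are not reproduced here). Returns (valid, deciding_mode).
    """
    if include_as and mode2_valid(as_path_attr):
        return True, "mode2"             # mode 2 succeeded; mode 1 is not consulted
    return mode1(as_path_attr), "mode1"  # mode 2 failed or is not configured


# Constructed sample attribute values (not captured from a real session).
SAMPLE_EMPTY_PATH = b""
SAMPLE_SEQUENCE_PATH = (bytes([AS_SEQUENCE, 2])
                        + (65001).to_bytes(4, "big") + (65002).to_bytes(4, "big"))
SAMPLE_SET_PATH = bytes([AS_SET, 1]) + (65003).to_bytes(4, "big")

if __name__ == "__main__":
    def never_mode1(attr: bytes) -> bool:   # stand-in that always fails mode 1
        return False
    for name, attr in [("empty", SAMPLE_EMPTY_PATH), ("sequence", SAMPLE_SEQUENCE_PATH),
                       ("set", SAMPLE_SET_PATH)]:
        print(name, parse_as_path(attr), validate_flowspec_route(attr, True, never_mode1))
```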
Step 5 (Optional) Disable BGP Flow Specification route validation.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv4-family flow
The BGP-Flow address family view is displayed.
4. Run peer ipv4-address validation-disable
The device is disabled from validating BGP Flow Specification routes received
from a specified peer.

5. Run commit

The configuration is committed.

Step 6 (Optional) Disable the device from validating the next hop of each route that
carries the redirection next-hop attribute and is received from a specified EBGP
peer.
1. Run system-view

The system view is displayed.


2. Run bgp as-number

The BGP view is displayed.


3. Run ipv4-family flow

The BGP-Flow address family view is displayed.


4. Run peer ipv4-address redirect ip validation-disable

The device is disabled from validating the routes that carry a redirection
extended community attribute and are received from a specified EBGP peer.
5. Run commit

The configuration is committed.

Step 7 (Optional) Allow the device to recurse received routes with the next-hop IPv6
address, color attribute, and prefix SID attributes to tunnels.
1. Run system-view

The system view is displayed.


2. Run bgp as-number

The BGP view is displayed.


3. Run ipv4-family flow

The BGP-Flow address family view is displayed.


4. Run redirect tunnelv6 tunnel-selector tunnel-selector-name

The device is configured to recurse received routes with the redirection next-
hop IPv6 address, color, and prefix SID attributes to tunnels.
5. Run commit

The configuration is committed.

Step 8 (Optional) Configure the redirection next-hop attribute ID for BGP Flow
Specification routes.

The redirection next-hop attribute ID can be 0x010C (defined in a related RFC) or
0x0800 (defined in a related draft). If a Huawei device needs to communicate with
a non-Huawei device that does not support the redirection next-hop attribute ID
of 0x010C or 0x0800, set the redirection next-hop attribute ID of BGP Flow
Specification routes as required. Perform one of the following configurations based
on the ID supported by non-Huawei devices:

● Set the redirection next-hop attribute ID to 0x010C (defined in a related RFC)
for BGP Flow Specification routes.

a. Run system-view
The system view is displayed.
b. Run bgp as-number
The BGP view is displayed.
c. Run ipv4-family flow
The BGP-Flow address family view is displayed.
d. Run peer ipv4-address redirect ip rfc-compatible
The redirection next-hop attribute ID of the BGP Flow Specification route
is set to 0x010C (defined in a related RFC).
e. Run commit
The configuration is committed.
● Change the redirection next-hop attribute ID of BGP Flow Specification routes
to 0x0800 (defined in a related draft).
a. Run system-view
The system view is displayed.
b. Run bgp as-number
The BGP view is displayed.
c. Run ipv4-family flow
The BGP-Flow address family view is displayed.
d. Run peer ipv4-address redirect ip draft-compatible
The redirection next-hop attribute ID of BGP Flow Specification routes is
changed to 0x0800 (defined in a related draft).
e. Run commit
The configuration is committed.
Step 9 (Optional) Configure the interface in the BGP Flow Specification as the traffic-
injection interface of the cleaned traffic to prevent the injected traffic from
matching the Flow Specification rules and being switched back to the cleaning
device.
1. Run system-view
The system view is displayed.
2. Run interface interface-type interface-number
The interface view is displayed.
3. Run flowspec refluence
The interface in BGP Flow Specification is configured as the traffic-injection
interface for the cleaned traffic.

NOTE

This configuration conflicts with MF classification. Therefore, after this command is
configured on an interface, do not configure MF classification on the interface.
This command cannot be configured on Eth-Trunk member interfaces. The
configuration on a main interface also takes effect on its sub-interfaces.
4. Run commit

The configuration is committed.

Step 10 (Optional) Disable BGP Flow Specification on the interface.


1. Run system-view

The system view is displayed.


2. Run interface interface-type interface-number

The interface view is displayed.


3. Run flowspec disable [ ipv4 | ipv6 ]

BGP Flow Specification is disabled on the interface.

NOTE

This command cannot be configured on Eth-Trunk member interfaces. The
configuration on a main interface also takes effect on its sub-interfaces.
If BGP Flow Specification does not need to be disabled on a sub-interface, run the
flowspec disable [ ipv4 | ipv6 ] sub-port-exclude command on the main interface to
which the sub-interface belongs.
4. Run commit

The configuration is committed.

Step 11 (Optional) Configure BGP Flow Specification for the packets leaving the public
network based on IP information.
1. Run system-view

The system view is displayed.


2. Run flowspec match-ip-layer mpls-pop

BGP Flow Specification is configured for the packets leaving the public
network based on IP information.
3. Run commit

The configuration is committed.

Step 12 (Optional) Enable CAR statistics collection and packet loss statistics collection for
BGP Flow Specification.
1. Run system-view

The system view is displayed.


2. Run flowspec statistic enable

CAR statistics collection and packet loss statistics collection for BGP Flow
Specification are enabled.
3. Run commit

The configuration is committed.

Step 13 (Optional) Configure BGP Flow Specification for packets entering an IPv4 VXLAN
tunnel.
1. Run system-view

The system view is displayed.

2. Run flowspec match vxlan-packet enable

BGP Flow Specification is configured for packets entering an IPv4 VXLAN
tunnel.
3. Run commit
The configuration is committed.
Step 14 (Optional) Enable BGP Flow Specification on a GRE tunnel interface.
1. Run system-view
The system view is displayed.
2. Run interface tunnel interface-number
The tunnel interface view is displayed.
3. Run tunnel-protocol gre
The tunnel is encapsulated as a GRE tunnel.
4. Run flowspec match tunnel-pop
BGP Flow Specification is enabled on the GRE tunnel interface.
5. Run commit
The configuration is committed.
Step 15 (Optional) Disable BGP Flow Specification protection.
1. Run system-view
The system view is displayed.
2. Run flowspec protocol-protect { ipv4 | ipv6 } disable
BGP Flow Specification protection is disabled.
3. Run commit
The configuration is committed.
Step 16 (Optional) Enable the device to follow RFC 5575 when dealing with BGP Flow
Specification IPv4 fragmentation rules.
1. Run system-view
The system view is displayed.
2. Run flowspec ipv4-fragment-rule switch
The device is enabled to follow RFC 5575 when dealing with BGP Flow
Specification IPv4 fragmentation rules.
3. Run commit
The configuration is committed.
Step 17 (Optional) Enable BGP Flow Specification to match inner packet information
about the packets that leave an SRv6 TE Policy or SRv6 BE egress.
1. Run system-view
The system view is displayed.
2. Run flowspec match srv6-inner-ip enable

BGP Flow Specification is enabled to match inner packet information about
the packets that leave an SRv6 TE Policy or SRv6 BE egress.
3. Run commit
The configuration is committed.
Step 18 (Optional) Disable the device from sending routes that carry the destination
community attribute rule to a specified peer.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv4-family flow
The BGP-Flow address family view is displayed.
4. Run peer peerIPv4Addr advertise destination-community disable
The device is disabled from sending routes that carry the destination
community attribute rule to a specified peer. Perform this step if you do not
want the device to send routes that carry the destination community attribute
rule to a specified BGP Flow Specification peer.
5. Run commit
The configuration is committed.
Step 19 (Optional) Enable the device to redirect traffic to a specified IPv6 next hop based
on a static BGP Flow Specification route.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv4-family flow
The BGP-Flow address family view is displayed.
4. Run local-route redirect ipv6
The device is enabled to redirect traffic to a specified IPv6 next hop based on
a static BGP Flow Specification route.
5. Run commit
The configuration is committed.
Step 20 (Optional) Enable BGP Flow Specification to match an IPv4 destination
community attribute-based traffic filtering rule.
1. Run system-view
The system view is displayed.
2. Run flowspec match-rule enhance enable
BGP Flow Specification is enabled to match an IPv4 destination community
attribute-based traffic filtering rule.

3. Run commit

The configuration is committed.

----End

Verifying the Configuration


After the configuration is complete, verify the configuration.

● Run the display bgp flow peer [ [ ipv4-address ] verbose ] command to
check information about BGP Flow Specification peers.
● Run the display bgp flow routing-table command to check BGP Flow
Specification routing information.
● Run the display bgp flow routing-table [ peer ipv4-address ] [ advertised-
routes | received-routes [ active ] ] statistics command to check BGP Flow
Specification route statistics.
● Run the display flowspec statistics reindex [ flow-interface-group flow-
interface-group-id ] command to check statistics about the traffic matching a
specified BGP Flow Specification route.
● Run the display flowspec rule reindex-value slot slot-id command to check
information about combined rules in the local BGP Flow Specification rule
table.
● Run the display flowspec rule statistics slot slot-id command to check
statistics about the rules for BGP Flow Specification routes to take effect.
● Run the display flowspec resource rule { ipv4 | ipv6 } [ interface-based ]
[ slot slot-id ] command to check the resource usage information about BGP
Flow Specification route rules.

1.1.14.5 Configuring Dynamic BGP IPv6 Flow Specification


Dynamic BGP IPv6 Flow Specification uses a traffic analysis server to generate BGP
IPv6 Flow Specification routes to control traffic.

Usage Scenario
Before deploying dynamic BGP IPv6 Flow Specification, you need to establish a
BGP IPv6 Flow Specification peer relationship between the traffic analysis server
and each ingress of the network to transmit BGP IPv6 Flow Specification routes.

In an AS with multiple ingresses, a BGP IPv6 Flow route reflector (Flow RR) can be
deployed to reduce the number of BGP IPv6 Flow Specification peer relationships
and save network resources.

If you want to filter traffic based on the address prefix but the BGP IPv6 Flow
Specification route carrying the filtering rule cannot pass validation, disable the
validation of BGP IPv6 Flow Specification routes received from a specified peer.

Pre-configuration Tasks
Before configuring the dynamic BGP IPv6 Flow Specification function, complete
the following task:

● Configure a BGP4+ peer or configure a BGP peer.

Procedure
Step 1 Establish a BGP IPv6 Flow Specification peer relationship.
1. Run system-view

The system view is displayed.


2. Run bgp as-number

The BGP view is displayed.


3. Run ipv6-family flow

The BGP-IPv6-Flow address family view is displayed.


4. Run peer { ipv4-address | ipv6-address } enable

A BGP IPv6 Flow Specification peer relationship is established.

After the peer relationship is established in the BGP-IPv6-Flow address family
view, the BGP IPv6 Flow Specification route generated by the traffic analysis
server is imported automatically to the BGP routing table and then sent to
the peer.
5. Run commit

The configuration is committed.

Step 2 (Optional) Configure a Flow RR.

Before configuring a Flow RR, establish a BGP IPv6 Flow Specification peer
relationship between the Flow RR and traffic analysis server and between the Flow
RR and every network ingress.

1. Run system-view

The system view is displayed.


2. Run bgp as-number

The BGP view is displayed.


3. Run ipv6-family flow

The BGP-IPv6-Flow address family view is displayed.


4. Run peer { ipv4-address | ipv6-address } reflect-client

An IPv6 Flow RR is configured, and clients are specified for it.

The router on which the peer reflect-client command is run functions as a
Flow RR, and the network ingress and traffic analysis server function as
clients.
5. (Optional) Run undo reflect between-clients

Route reflection between clients through the RR is disabled.

If the clients of a Flow RR are fully meshed, you can run the undo reflect
between-clients command on the Flow RR to disable route reflection
between clients through the RR, which reduces costs.

6. (Optional) Run reflector cluster-id { cluster-id-value | cluster-id-ipv4 }

A cluster ID is configured for the Flow RR.

If a cluster has multiple Flow RRs, run this command to set the same cluster-
id for these RRs.

NOTE

The reflector cluster-id command applies only to RRs.


7. Run commit

The configuration is committed.

Step 3 (Optional) Disable BGP IPv6 Flow Specification route validation.


1. Run system-view

The system view is displayed.


2. Run bgp as-number

The BGP view is displayed.


3. Run ipv6-family flow

The BGP-IPv6-Flow address family view is displayed.


4. Run peer { ipv4-address | ipv6-address } validation-disable

The validation of BGP IPv6 Flow Specification routes received from a specified
peer is disabled.
5. Run commit

The configuration is committed.

Step 4 (Optional) Enable CAR statistics collection and packet loss statistics collection for
BGP Flow Specification.
1. Run system-view

The system view is displayed.


2. Run flowspec statistic enable

CAR statistics collection and packet loss statistics collection for BGP Flow
Specification are enabled.
3. Run commit

The configuration is committed.

Step 5 (Optional) Disable BGP Flow Specification on the interface.


1. Run system-view

The system view is displayed.


2. Run interface interface-type interface-number

The interface view is displayed.


3. Run flowspec disable [ ipv4 | ipv6 ]

BGP Flow Specification is disabled on the interface.

NOTE

This command cannot be configured on Eth-Trunk member interfaces. The
configuration on a main interface also takes effect on its sub-interfaces.
If BGP Flow Specification does not need to be disabled on a sub-interface, run the
flowspec disable [ ipv4 | ipv6 ] sub-port-exclude command on the main interface to
which the sub-interface belongs.
4. Run commit

The configuration is committed.

Step 6 (Optional) Disable BGP Flow Specification protection.


1. Run system-view

The system view is displayed.


2. Run flowspec protocol-protect { ipv4 | ipv6 } disable

BGP Flow Specification protection is disabled.


3. Run commit

The configuration is committed.

Step 7 (Optional) Configure the device to redirect traffic to a specified IPv6 next hop
after receiving a BGP IPv6 Flow Specification route from a peer.
1. Run system-view

The system view is displayed.


2. Run bgp as-number

The BGP view is displayed.


3. Run ipv6-family flow

The BGP-IPv6-Flow address family view is displayed.


4. Run peer { ipv4-address | ipv6-address } redirect ipv6 recursive-lookup ip

The device is configured to redirect traffic to a specified IPv6 next hop after
receiving a BGP IPv6 Flow Specification route from a peer.
5. Run commit

The configuration is committed.

Step 8 (Optional) Allow the device to recurse the BGP IPv6 Flow Specification routes
received from a peer to a tunnel.
1. Run system-view

The system view is displayed.


2. Run bgp as-number

The BGP view is displayed.


3. Run ipv6-family flow

The BGP-IPv6-Flow address family view is displayed.


4. Run peer { ipv4-address | ipv6-address } redirect ipv6 recursive-lookup
tunnel tunnel-selector tunnel-selector-name

The device is allowed to recurse the BGP IPv6 Flow Specification routes
received from a peer to a tunnel.
5. Run commit
The configuration is committed.
Step 9 (Optional) Disable the device from validating the redirection next-hop attribute
carried in the routes that are received from an EBGP peer.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv6-family flow
The BGP-IPv6-Flow address family view is displayed.
4. Run peer { ipv4-address | ipv6-address } redirect ipv6 validation-disable
The device is disabled from validating the redirection next-hop attribute
carried in the routes that are received from an EBGP peer.
5. Run commit
The configuration is committed.
Step 10 (Optional) Enable the route policy distribution (RPD) capability for a BGP peer to
support the BGP Flow Specification routes carrying the RPD attribute and
delivered by the controller to forwarders.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv6-family flow
The BGP-IPv6-Flow address family view is displayed.
4. Run peer peerIPv6Addr capability-advertise route-policy-distribute receive
The RPD capability is enabled for the BGP peer.
5. Run commit
The configuration is committed.
Step 11 (Optional) Enable the DSCP-based BGP IPv6 Flow Specification traffic filtering
rule.
1. Run system-view
The system view is displayed.
2. Run flowspec allow ipv6 dscp
The DSCP-based BGP IPv6 Flow Specification traffic filtering rule is enabled.
3. Run commit
The configuration is committed.

Step 12 (Optional) Enable BGP Flow Specification to match inner packet information
about the packets that leave an SRv6 TE Policy or SRv6 BE egress.
1. Run system-view

The system view is displayed.


2. Run flowspec match srv6-inner-ip enable

BGP Flow Specification is enabled to match inner packet information about
the packets that leave an SRv6 TE Policy or SRv6 BE egress.
3. Run commit

The configuration is committed.

Step 13 (Optional) Enable BGP IPv6 Flow Specification to match the internal protocol
number in the header of an IPv6 fragment.
1. Run system-view

The system view is displayed.


2. Run flowspec match ipv6 fragment-inner-protocol enable

BGP IPv6 Flow Specification is enabled to match the internal protocol number
in the header of an IPv6 fragment.
3. Run commit

The configuration is committed.

----End

Verifying the Configuration


After the configuration is complete, verify the configuration.

● Run the display bgp flow ipv6 peer command to check information about
BGP IPv6 Flow Specification peers.
● Run the display bgp flow ipv6 routing-table command to check information
about BGP IPv6 Flow Specification routes.
● Run the display bgp flow ipv6 routing-table statistics command to check
statistics about BGP IPv6 Flow Specification routes.
● Run the display flowspec ipv6 rule reindex-value slot slot-id command to
check information about combined rules in the BGP IPv6 Flow Specification
route rule table.
● Run the display flowspec ipv6 rule statistics slot slot-id command to check
statistics about the rules for BGP IPv6 Flow Specification routes to take effect.
● Run the display flowspec resource rule { ipv4 | ipv6 } [ interface-based ]
[ slot slot-id ] command to check the resource usage information about BGP
Flow Specification route rules.

1.1.14.6 Configuring Static BGP IPv6 Flow Specification


Static BGP IPv6 Flow Specification allows BGP IPv6 Flow Specification routes to be
manually created to control traffic.

Usage Scenario
Before deploying static BGP IPv6 Flow Specification, you need to manually create
a BGP IPv6 Flow Specification route and establish a BGP IPv6 Flow Specification
peer relationship between the device on which the BGP Flow Specification route is
created and each ingress on the network to transmit BGP IPv6 Flow Specification
routes.
In an AS with multiple ingresses, a BGP IPv6 Flow route reflector (Flow RR) can be
deployed to reduce the number of BGP IPv6 Flow Specification peer relationships
and save network resources.
If you want to filter traffic based on the address prefix but the BGP IPv6 Flow
Specification route carrying the filtering rule cannot pass validation, disable the
validation of BGP IPv6 Flow Specification routes received from a specified peer.

Pre-configuration Tasks
Before configuring static BGP IPv6 Flow Specification, complete the following task:
● Configure a BGP4+ peer or configure a BGP peer.

Procedure
Step 1 Generate a BGP IPv6 Flow Specification route manually.
1. Run system-view
The system view is displayed.
2. Run the flow-route flowroute-name ipv6 command to create a static BGP
IPv6 Flow Specification route and enter the Flow-Route-IPv6 view.
One BGP IPv6 Flow Specification route can include multiple if-match and
apply clauses. if-match clauses define traffic filtering rules, and apply clauses
define traffic behaviors. The relationships among clauses are as follows:
– The relationship among if-match clauses of different types is "AND."
– If if-match clauses of the same type are configured repeatedly, some
rules override each other, and some other rules are in the OR
relationship. For details, see the precautions for the if-match command.
– The relationship among the traffic behaviors defined by apply clauses is
"AND."
The traffic behaviors defined by apply clauses apply to all traffic matching the
filtering rules of if-match clauses.
The traffic filtering rules for BGP IPv6 Flow Specification routes configured in
the Flow-Route-IPv6 view take effect globally, not on a specified interface. To
configure the traffic filtering rules for BGP IPv6 Flow Specification routes to
take effect on a specified interface, perform the following steps:
a. Run the system-view command to enter the system view.
b. Run the flow-interface-group flow-interface-group-id command to
create a BGP Flow Specification interface group and enter the interface
group view.
c. (Optional) Run the description description command to configure a
description for the BGP Flow Specification interface group.

d. Run the interface interface-type interface-number command to add an
interface to the BGP Flow Specification interface group.
e. (Optional) Run the quit command to return to the system view.
f. (Optional) Run the flow-route flowroute-name ipv6 command to enter
the Flow-Route-IPv6 view.
g. (Optional) Run the flow-interface-group flow-interface-group-id
command to associate the BGP Flow Specification interface group with
the BGP IPv6 Flow Specification route.
NOTE

Steps e, f, and g do not need to be performed when configuring traffic filtering
rules between the controller and forwarder, but they are mandatory when
configuring traffic filtering rules between forwarders.
h. (Optional) Run the quit command to return to the system view.
i. (Optional) Run the reset flowspec ipv6 statistics reindex [ flow-
interface-group ifGrpId ] command to clear traffic matching statistics
about interfaces in the specified BGP Flow Specification interface group
associated with the BGP IPv6 Flow Specification route.
j. (Optional) Run the flowspec ipv6 cascading-mode command to enable
the BGP Flow Specification cascading mode. In this way, if interface
group-based route query fails, global route query is performed.
3. According to characteristics of the traffic to be controlled, you can configure
one or more if-match clauses to define traffic filtering rules as needed:
– To filter traffic based on the destination IPv6 address, run the if-match
destination ipv6-address ipv6-mask-length command.
NOTE

If traffic must be filtered based on a destination IP address but the BGP IPv6
Flow Specification rule carrying the rule defined by the if-match destination
command cannot pass validation, run the peer validation-disable command to
disable the validation of BGP IPv6 Flow Specification routes.
By default, 0::0/0 is used as the prefix of each BGP IPv6 Flow Specification route
that matches the export or import policy of a peer. To enable a device to change
the prefix of each BGP IPv6 Flow Specification route that matches the export or
import policy configured for a peer to the destination IP address specified in the
if-match destination command, run the route match-destination command.
– To set a traffic filtering rule that is based on a source address, run the if-
match source ipv6-address ipv6-mask-length command.
– To set a port number-based traffic filtering rule, run the if-match port
{ greater-than | less-than | equal } port or if-match port greater-than
port less-than upper-port-value command.
– To set a source port number-based traffic filtering rule, run the if-match
source-port { greater-than | less-than | equal } port or if-match
source-port greater-than source-port less-than upper-source-port-value
command.
– To set a destination port number-based traffic filtering rule, run the if-
match destination-port { greater-than | less-than | equal } port or if-
match destination-port greater-than port less-than upper-port-value
command.

NOTE

The if-match port command is mutually exclusive with the if-match
destination-port or if-match source-port command.
– To set a traffic bearing protocol-based traffic filtering rule, run the if-
match protocol { greater-than | less-than | equal } protocol or if-match
protocol greater-than protocol less-than upper-protocol-value
command.
– To set a DSCP-based traffic filtering rule, run the if-match dscp
{ greater-than | less-than | equal } dscp or if-match dscp greater-than
dscp less-than upper-dscp-value command.
NOTE

After the flow-route flowroute-name ipv6 command is run, the if-match dscp
command can be successfully run but does not take effect. To enable it to take
effect in this case, run the flowspec allow ipv6 dscp command to enable the
DSCP-based BGP IPv6 Flow Specification traffic filtering rule.
– To set a TCP-flag value-based traffic filtering rule, run the if-match tcp-
flags { match | not | any-match } tcp-flags command.
Network attackers may send a large number of invalid TCP packets to
attack network devices. To control the unidirectional traffic of TCP
packets to ensure communication security, configure a filtering rule based
on the TCP flag for the BGP IPv6 Flow Specification route using the if-
match tcp-flags command. Traffic matching the TCP flag is controlled
using the actions specified in the apply clauses.
– To set a fragment type-based traffic filtering rule, run the if-match
fragment-type { match | not } fragment-type-name command.
– To set an ICMP message code-based traffic filtering rule, run the if-
match icmp-code { greater-than | less-than | equal } icmp-code or if-
match icmp-code greater-than icmp-code less-than upper-icmp-code-
value command.
– To set an ICMP message type-based traffic filtering rule, run the if-match
icmp-type { greater-than | less-than | equal } icmp-type or if-match
icmp-type greater-than icmp-type less-than upper-icmp-type-value
command.
– To set a filtering rule based on the packet length of a BGP IPv6 Flow
Specification route, run the if-match packet-length { greater-than |
less-than | equal } packet-length-value or if-match packet-length
greater-than packet-length-value less-than upper-packet-length-value
command.
4. Run the following command as required to configure actions for apply
clauses:
– To discard the matched traffic, run the apply deny command.
– To redirect the matched traffic to the traffic cleaning device or blackhole,
run the apply redirect vpn-target vpn-target-import command.
– To redirect the matched traffic to the IPv6 address of a specified next
hop, run the apply redirect ipv6 redirect-ipv6-rt command. This
command must be used together with the local-route redirect ipv6
recursive-lookup ip command to trigger the redirection.

NOTE

A device can process the redirection next-hop attribute configured using the
apply redirect ip redirect-ip-rt command received from a peer only after the
peer { ipv4-address | ipv6-address } redirect ipv6 recursive-lookup ip command
is run.
A device can process the redirection next-hop attribute configured using the
apply redirect ip redirect-ip-rt color colorvalue command and carried in routes
that are received from a peer only after the peer { ipv4-address | ipv6-address }
redirect ipv6 recursive-lookup tunnel tunnel-selector tunnel-selector-name
command is run.
The redirection load balancing function can be enabled on the device only after
the redirect load-balancing command is run. A maximum of eight redirection
routes can be used for load balancing.
– To redirect the matched traffic to an SRv6 TE Policy, run the apply
redirect ipv6 redirect-ipv6-rt color colorvalue [ prefix-sid prefix-sid-
value ] command. This command must be used together with the local-
route redirect ipv6 recursive-lookup tunnel tunnel-selector tunnel-
selector-name command so that traffic recursion to the SRv6 TE Policy
can be triggered.
– To redirect the matched traffic to the IPv6 address of the specified next
hop for load balancing (a maximum of eight redirection paths are
supported for load balancing), run the apply redirect multi-ipv6
redirectIPv6 command.
– To redirect the matched traffic to SRv6 TE Policies for load balancing (a
maximum of eight redirection paths are supported for load balancing),
run the apply redirect multi-ipv6 redirectIPv6 [ color color-value ]
[ weight weight-value ] command.
– To re-mark the service class of the matched traffic, run the apply
remark-dscp command.
– To limit the rate of the matched traffic, run the apply traffic-rate
command.
– To implement sampling for the matched traffic, run the apply traffic-
action sample command.
You can run the apply traffic-action sample command for a BGP IPv6
Flow Specification route to sample the traffic that matches the specified
filtering rules. Through sampling, abnormal traffic can be identified and
filtered out, which protects the attacked device and improves network
security.
NOTE

The apply deny and apply traffic-rate commands are mutually exclusive.
If the configured BGP IPv6 Flow Specification route attribute does not need to take
effect locally, run the routing-table rib-only [ route-policy route-policy-name |
route-filter route-filter-name ] command to disable the device from delivering the
BGP IPv6 Flow Specification route to the FES forwarding table.
5. Run commit

The configuration is committed.

Step 2 Establish a BGP IPv6 Flow Specification peer relationship.


BGP IPv6 Flow Specification peer relationships must be established between the
network ingress and device on which the BGP IPv6 Flow Specification route is
manually created.

1. Run system-view

The system view is displayed.


2. Run bgp as-number

The BGP view is displayed.


3. Run ipv6-family flow

The BGP-IPv6-Flow address family view is displayed.


4. Run peer { ipv4-address | ipv6-address } enable

A BGP IPv6 Flow Specification peer relationship is established.

After the peer relationship is established in the BGP-IPv6-Flow address family
view, the manually generated BGP Flow Specification route is automatically
imported to the BGP routing table and then sent to the peer.
5. Run commit

The configuration is committed.

Step 3 (Optional) Configure a Flow RR.

Before configuring a Flow RR, establish a BGP IPv6 Flow Specification peer
relationship between the Flow RR and the device on which the BGP IPv6 Flow
Specification route is generated and between the Flow RR and every network
ingress.

1. Run system-view

The system view is displayed.


2. Run bgp as-number

The BGP view is displayed.


3. Run ipv6-family flow

The BGP-IPv6-Flow address family view is displayed.


4. Run peer { ipv4-address | ipv6-address } reflect-client

A Flow RR is configured, and clients are specified for it.

The router on which the peer reflect-client command is run functions as a
Flow RR, and the specified peers function as clients.
5. (Optional) Run undo reflect between-clients

Route reflection between clients through the RR is disabled.

If the clients of a Flow RR are fully meshed, you can run the undo reflect
between-clients command on the Flow RR to disable route reflection
between clients through the RR, which reduces costs.
6. (Optional) Run reflector cluster-id { cluster-id-value | cluster-id-ipv4 }

A cluster ID is configured for the Flow RR.


If a cluster has multiple Flow RRs, run this command to set the same cluster-id
for these RRs.

The reflector cluster-id command is applicable only to Flow RRs.


7. Run commit

The configuration is committed.

Step 4 (Optional) Disable BGP IPv6 Flow Specification route validation.


1. Run system-view

The system view is displayed.


2. Run bgp as-number

The BGP view is displayed.


3. Run ipv6-family flow

The BGP-IPv6-Flow address family view is displayed.


4. Run peer ipv6-address validation-disable

The device is disabled from validating BGP IPv6 Flow Specification routes
received from a specified peer.
5. Run commit

The configuration is committed.

Step 5 (Optional) Enable CAR statistics collection and packet loss statistics collection for
BGP Flow Specification.
1. Run system-view

The system view is displayed.


2. Run flowspec statistic enable

CAR statistics collection and packet loss statistics collection for BGP Flow
Specification are enabled.
3. Run commit

The configuration is committed.

Step 6 (Optional) Disable BGP Flow Specification on the interface.


1. Run system-view

The system view is displayed.


2. Run interface interface-type interface-number

The interface view is displayed.


3. Run flowspec disable [ ipv4 | ipv6 ]

BGP Flow Specification is disabled on the interface.


NOTE

This command cannot be configured on Eth-Trunk member interfaces. The
configuration on a main interface also takes effect on its sub-interfaces.
If BGP Flow Specification does not need to be disabled on a sub-interface, run the
flowspec disable [ ipv4 | ipv6 ] sub-port-exclude command on the main interface to
which the sub-interface belongs.
4. Run commit

The configuration is committed.

Step 7 (Optional) Disable BGP Flow Specification protection.


1. Run system-view

The system view is displayed.


2. Run flowspec protocol-protect { ipv4 | ipv6 } disable

BGP Flow Specification protection is disabled.


3. Run commit

The configuration is committed.

Step 8 (Optional) Configure the device to redirect traffic to a specified IPv6 next hop
based on a static BGP IPv6 Flow Specification route.
1. Run system-view

The system view is displayed.


2. Run bgp as-number

The BGP view is displayed.


3. Run ipv6-family flow

The BGP-IPv6-Flow address family view is displayed.


4. Run local-route redirect ipv6 recursive-lookup ip

The device is configured to redirect traffic to a specified IPv6 next hop based
on a static BGP IPv6 Flow Specification route.
5. Run commit

The configuration is committed.

Step 9 (Optional) Allow the device to recurse static BGP IPv6 Flow Specification routes to
tunnels.
1. Run system-view

The system view is displayed.


2. Run bgp as-number

The BGP view is displayed.


3. Run ipv6-family flow

The BGP-IPv6-Flow address family view is displayed.


4. Run local-route redirect ipv6 recursive-lookup tunnel tunnel-selector
tunnel-selector-name


The device is allowed to recurse static BGP IPv6 Flow Specification routes to
tunnels.
5. Run commit
The configuration is committed.
Step 10 (Optional) Enable the DSCP-based BGP IPv6 Flow Specification traffic filtering
rule.
1. Run system-view
The system view is displayed.
2. Run flowspec allow ipv6 dscp
The DSCP-based BGP IPv6 Flow Specification traffic filtering rule is enabled.
3. Run commit
The configuration is committed.
Step 11 (Optional) Enable BGP Flow Specification to match inner packet information
about the packets that leave an SRv6 TE Policy or SRv6 BE egress.
1. Run system-view
The system view is displayed.
2. Run flowspec match srv6-inner-ip enable
BGP Flow Specification is enabled to match inner packet information about
the packets that leave an SRv6 TE Policy or SRv6 BE egress.
3. Run commit
The configuration is committed.
Step 12 (Optional) Enable BGP IPv6 Flow Specification to match the internal protocol
number in the header of an IPv6 fragment.
1. Run system-view
The system view is displayed.
2. Run flowspec match ipv6 fragment-inner-protocol enable
BGP IPv6 Flow Specification is enabled to match the internal protocol number
in the header of an IPv6 fragment.
3. Run commit
The configuration is committed.
Step 13 (Optional) Enable the device to redirect traffic to a specified IPv6 next hop based
on a static BGP Flow Specification route.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv6-family flow
The BGP-IPv6-Flow address family view is displayed.


4. Run local-route redirect ipv6 recursive-lookup ip

The device is enabled to redirect traffic to a specified IPv6 next hop based on
a static BGP IPv6 Flow Specification route.
5. Run commit

The configuration is committed.

----End

Verifying the Configuration


After the configuration is complete, verify the configuration.

● Run the display bgp flow ipv6 peer command to check information about
the BGP IPv6 Flow Specification peer.
● Run the display bgp flow ipv6 routing-table command to check information
about BGP IPv6 Flow Specification routes.
● Run the display bgp flow ipv6 routing-table statistics command to check
statistics about BGP IPv6 Flow Specification routes.
● Run the display flowspec ipv6 statistics reIndex [ flow-interface-group
infGrpId ] command to check statistics about traffic matching a specified BGP
IPv6 Flow Specification route.
● Run the display flowspec ipv6 rule reindex-value slot slot-id command to
check information about combined rules in the BGP IPv6 Flow Specification
route rule table.
● Run the display flowspec ipv6 rule statistics slot slot-id command to check
statistics about the rules for BGP IPv6 Flow Specification routes to take effect.
● Run the display flowspec resource rule { ipv4 | ipv6 } [ interface-based ]
[ slot slot-id ] command to check the resource usage information about BGP
Flow Specification route rules.

1.1.14.7 Configuring Dynamic BGP VPN Flow Specification


Dynamic BGP VPN Flow Specification refers to the traffic control mode in which a
traffic analysis server generates BGP VPN Flow Specification routes to control
traffic in a VPN domain.

Usage Scenario
When deploying dynamic BGP VPN Flow Specification, a BGP VPN Flow
Specification peer relationship needs to be established between the traffic analysis
server and each ingress of the network to transmit BGP VPN Flow Specification
routes.

In an AS with multiple ingresses, a Flow RR can be deployed to reduce the number
of BGP VPN Flow Specification peer relationships and save network resources.

If you want to filter traffic based on the address prefix but the BGP VPN Flow
Specification route carrying the filtering rule cannot pass validation, disable
validation of BGP VPN Flow Specification routes received from a specified peer.


Pre-configuration Tasks
Before configuring dynamic BGP VPN Flow Specification, complete the following
tasks:
● Configure a VPN instance and bind interfaces to the VPN instance.

Procedure
Step 1 Establish a BGP VPN Flow Specification peer relationship.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run vpn-instance vpn-instance-name
A BGP-VPN instance is created, and the BGP-VPN instance view is displayed.
4. Run peer ipv4-address as-number as-number
The IP address of a peer and the number of the AS where the peer resides are
specified.
5. Run quit
The BGP view is displayed.
6. Run ipv4-flow vpn-instance vpn-instance-name
The BGP-Flow VPN instance IPv4 address family is enabled, and the BGP-Flow
VPN instance IPv4 address family view is displayed.
7. Run peer ipv4-address enable
A BGP VPN Flow Specification peer is specified.
After the BGP VPN Flow Specification peer relationship is established in the
BGP-Flow VPN instance IPv4 address family view, the BGP VPN Flow
Specification route generated by the traffic analysis server is imported
automatically to the BGP routing table and then sent to the peer.
8. Run commit
The configuration is committed.
Step 2 (Optional) Configure a Flow RR.
Before configuring a Flow RR, establish a BGP VPN Flow Specification peer
relationship between the Flow RR and traffic analysis server, and between the
Flow RR and each network ingress.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv4-flow vpn-instance vpn-instance-name


The BGP-Flow VPN instance IPv4 address family view is displayed.


4. Run peer ipv4-address reflect-client
A Flow RR is configured, and clients are specified for it.
The router on which the peer reflect-client command is run functions as a
Flow RR, and the network ingress and traffic analysis server function as
clients.
5. (Optional) Run undo reflect between-clients
Route reflection between clients through the RR is disabled.
If the clients of a Flow RR are fully meshed, you can run the undo reflect
between-clients command on the Flow RR to disable route reflection
between clients through the RR, which reduces costs.
6. (Optional) Run reflector cluster-id { cluster-id-value | cluster-id-ipv4 }
A cluster ID is configured for the Flow RR.
If a cluster has multiple flow RRs, run this command to set the same cluster-id
for these RRs.

NOTE

The reflector cluster-id command is applicable only to Flow RRs.


7. Run commit
The configuration is committed.
Step 3 (Optional) Configure the device to check the AS_Path attribute during BGP VPN
Flow Specification route validation.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv4-flow vpn-instance vpn-instance-name
The BGP-Flow VPN instance IPv4 address family view is displayed.
4. Run route validation-mode include-as
The device is configured to check the AS_Path attribute during BGP VPN Flow
Specification route validation.
BGP Flow Specification route validation is performed in either of the following
modes:
– Validation mode 1: After receiving a BGP Flow Specification route with a
destination address-based filtering rule, the device checks the validity of
the route using the rules described in Figure 1-29. The route is
considered valid only if the validation succeeds.
– Validation mode 2: After receiving a BGP Flow Specification route with a
destination address-based filtering rule, the device checks the validity of
the route by checking whether the AS_Path attribute of the route carries
the AS_Set and AS_Sequence fields. The route is considered valid only if
its AS_Path attribute does not carry the AS_Set or AS_Sequence field.


Validation mode 2 is configured using the route validation-mode include-as
command. If this command is configured, the device checks the validity of a
BGP Flow Specification route using mode 2 first.
– If the validation succeeds, the BGP Flow Specification route is considered
valid, and mode 1 is not used.
– If the validation fails, the device checks the validity of the BGP Flow
Specification route using mode 1.
If this command is not run, the device uses mode 1 to check the validity of
BGP Flow Specification routes.

Figure 1-29 BGP Flow Specification validation rules

5. Run commit
The configuration is committed.
Step 4 (Optional) Disable BGP VPN Flow Specification route validation.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv4-flow vpn-instance vpn-instance-name
The BGP-Flow VPN instance IPv4 address family view is displayed.
4. Run peer ipv4-address validation-disable
The device is disabled from validating BGP VPN Flow Specification routes
received from a specified peer.
5. Run commit
The configuration is committed.
Step 5 (Optional) Allow the device to recurse the BGP VPN IPv6 Flow Specification routes
received from a peer to a tunnel.


1. Run system-view
The system view is displayed.
2. Run tunnel-selector name matchMode node node
A tunnel selector is created and its view is displayed.
3. Run quit
The system view is displayed.
4. Run commit
The configuration is committed.
5. Run bgp as-number
The BGP view is displayed.
6. Run ipv4-flow vpn-instance vpn-instance-name
The BGP-Flow VPN instance IPv4 address family view is displayed.
7. Run peer peerIpv4Addr redirect ipv6 recursive-lookup tunnel tunnel-
selector tunnel-selector-name
The device is configured to recurse the BGP VPN IPv4 Flow Specification route
received from the specified peer to a tunnel.
8. Run commit
The configuration is committed.
Step 6 (Optional) Disable the device from validating the next hop of each route that
carries the redirection next-hop attribute and is received from a specified EBGP
peer.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv4-flow vpn-instance vpn-instance-name
The BGP-Flow VPN instance IPv4 address family view is displayed.
4. Run peer ipv4-address redirect ip validation-disable
The device is disabled from validating the next hop of each route that carries
the redirection next-hop attribute and is received from a specified EBGP peer.
5. Run commit
The configuration is committed.
Step 7 (Optional) Configure a redirection next-hop attribute ID for BGP VPN Flow
Specification routes.
The redirection next-hop attribute ID can be 0x010C (defined in a related RFC) or
0x0800 (defined in a related draft). If a Huawei device needs to communicate with
a non-Huawei device that does not support the redirection next-hop attribute ID
of 0x010C or 0x0800, set the redirection next-hop attribute ID of BGP VPN Flow
Specification routes as required. Perform one of the following configurations based
on the ID supported by non-Huawei devices:


● Set the redirection next-hop attribute ID to 0x010C (defined in a related RFC)
for BGP VPN Flow Specification routes.
a. Run system-view
The system view is displayed.
b. Run bgp as-number
The BGP view is displayed.
c. Run ipv4-flow vpn-instance vpn-instance-name
The BGP-Flow VPN instance IPv4 address family view is displayed.
d. Run peer ipv4-address redirect ip rfc-compatible
The redirection next hop attribute ID of BGP VPN Flow Specification
routes is set to 0x010C (defined in a related RFC).
e. Run commit
The configuration is committed.
● Set the redirection next-hop attribute ID to 0x0800 (defined in a related draft)
for BGP VPN Flow Specification routes.
a. Run system-view
The system view is displayed.
b. Run bgp as-number
The BGP view is displayed.
c. Run ipv4-flow vpn-instance vpn-instance-name
The BGP-Flow VPN instance IPv4 address family view is displayed.
d. Run peer ipv4-address redirect ip draft-compatible
The redirection next-hop attribute ID of BGP VPN Flow Specification
routes is set to 0x0800 (defined in a related draft).
e. Run commit
The configuration is committed.
Step 8 (Optional) Enable CAR statistics collection and packet loss statistics collection for
BGP Flow Specification.
1. Run system-view
The system view is displayed.
2. Run flowspec statistic enable
CAR statistics collection and packet loss statistics collection are enabled for
BGP Flow Specification.
3. Run commit
The configuration is committed.
Step 9 (Optional) Disable BGP Flow Specification on the interface.
1. Run system-view
The system view is displayed.
2. Run interface interface-type interface-number
The interface view is displayed.


3. Run flowspec disable [ ipv4 | ipv6 ]

BGP Flow Specification is disabled on the interface.

NOTE

This command cannot be configured on Eth-Trunk member interfaces. The
configuration on a main interface also takes effect on its sub-interfaces.
If BGP Flow Specification does not need to be disabled on a sub-interface, run the
flowspec disable [ ipv4 | ipv6 ] sub-port-exclude command on the main interface to
which the sub-interface belongs.
4. Run commit
The configuration is committed.
Step 10 (Optional) Disable BGP Flow Specification protection.
1. Run system-view
The system view is displayed.
2. Run flowspec protocol-protect { ipv4 | ipv6 } disable
BGP Flow Specification protection is disabled.
3. Run commit
The configuration is committed.
Step 11 (Optional) Enable the device to follow RFC 5575 when dealing with BGP Flow
Specification IPv4 fragmentation rules.
1. Run system-view
The system view is displayed.
2. Run flowspec ipv4-fragment-rule switch
The device is enabled to follow RFC 5575 when dealing with BGP Flow
Specification IPv4 fragmentation rules.
3. Run commit
The configuration is committed.
Step 12 (Optional) Enable the route policy distribution (RPD) capability for a BGP peer to
support the BGP Flow Specification routes carrying the RPD attribute and
delivered by the controller to forwarders.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv4-flow vpn-instance vpn-instance-name
The BGP-Flow VPN instance IPv4 address family view is displayed.
4. Run peer ipv4-address capability-advertise route-policy-distribute receive
The RPD capability is enabled for the specified BGP peer.
5. Run commit


The configuration is committed.

Step 13 (Optional) Enable BGP Flow Specification to match inner packet information
about the packets that leave an SRv6 TE Policy or SRv6 BE egress.
1. Run system-view

The system view is displayed.


2. Run flowspec match srv6-inner-ip enable

BGP Flow Specification is enabled to match inner packet information about
the packets that leave an SRv6 TE Policy or SRv6 BE egress.
3. Run commit

The configuration is committed.

----End

Verifying the Configuration


After the configuration is complete, verify the configuration.

● Run the display bgp flow vpnv4 vpn-instance vpn-instance-name peer
[ [ ipv4-address ] verbose ] command to check information about BGP VPN
Flow Specification peers.
● Run the display bgp flow vpnv4 vpn-instance vpn-instance-name routing-
table command to check information about BGP VPN Flow Specification
routes.
● Run the display bgp flow vpnv4 vpn-instance vpn-instance-name routing-
table [ peer ipv4-address { advertised-routes | received-routes [ active ] } ]
statistics command to check statistics about BGP VPN Flow Specification
routes.
● Run the display flowspec rule reindex-value slot slot-id command to check
information about combined rules in the local BGP Flow Specification rule
table.
● Run the display flowspec rule statistics slot slot-id command to check
statistics about the rules for BGP Flow Specification routes to take effect.
● Run the display flowspec resource rule { ipv4 | ipv6 } [ interface-based ]
[ slot slot-id ] command to check the resource usage information about BGP
Flow Specification route rules.

1.1.14.8 Configuring Static BGP VPN Flow Specification


In VPNs, BGP VPN Flow Specification routes are generated manually to control
traffic in static BGP VPN Flow Specification.

Usage Scenario
When deploying static BGP VPN Flow Specification, a BGP VPN Flow Specification
route needs to be generated manually, and a BGP VPN Flow Specification peer
relationship needs to be established between the device that generates the BGP
VPN Flow Specification route and each ingress in the network to transmit BGP
VPN Flow Specification routes.


In an AS with multiple ingresses, a BGP VPN Flow route reflector (Flow RR) can be
deployed to reduce the number of BGP VPN Flow Specification peer relationships
and save network resources.
If you want to filter traffic based on the address prefix but the BGP VPN Flow
Specification route carrying the filtering rule cannot pass validation, disable the
validation of BGP VPN Flow Specification routes received from a specified peer.

Pre-configuration Tasks
Before configuring static BGP VPN Flow Specification, configure a VPN instance
and bind interfaces to a VPN instance.

Procedure
Step 1 Generate a BGP VPN Flow Specification route manually.
1. Run system-view
The system view is displayed.
2. Run flow-route flowroute-name vpn-instance vpn-instance-name
A static BGP VPN Flow Specification route is created, and the Flow-Route VPN
instance view is displayed.
One BGP VPN Flow Specification route can include multiple if-match and
apply clauses. if-match clauses define traffic filtering rules, and apply clauses
define traffic behaviors. The relationships among clauses are as follows:
– The relationship among if-match clauses of different types is "AND."
– If if-match clauses of the same type are configured repeatedly, some
rules override each other, and some other rules are in the OR
relationship. For details, see the precautions for the if-match command.
– The relationship among the traffic behaviors defined by apply clauses is
"AND."
The traffic behaviors defined by apply clauses apply to all traffic matching the
filtering rules of if-match clauses.
3. Based on the characteristics of the traffic to be controlled, choose one or
multiple if-match clauses as the filtering rule.
– To set a destination address-based traffic filtering rule, run the if-match
destination ipv4-address { mask | mask-length } command.
NOTE

Traffic control is performed based on a destination IP address specified in a
rule configured using the if-match destination command, but BGP VPN Flow
Specification routes matching the rule cannot pass validation. In this
situation, run the peer validation-disable command to disable the validation.
By default, 0.0.0.0/0 is used as the prefix of each BGP VPN Flow Specification
route that matches the export or import policy of a peer. To enable a device to
change the prefix of each BGP VPN Flow Specification route that matches the
export or import policy of a peer to the destination IP address specified in the if-
match destination command, run the route match-destination command.
– To configure a filtering rule based on the source address, run the if-
match source ipv4-address { mask | mask-length } command.


– To set a port number-based traffic filtering rule, run the if-match port
{ greater-than | less-than | equal } port or if-match port greater-than
port less-than upper-port-value command.
– To set a source port number-based traffic filtering rule, run the if-match
source-port { greater-than | less-than | equal } port or if-match
source-port greater-than source-port less-than upper-source-port-value
command.
– To set a destination port number-based traffic filtering rule, run the if-
match destination-port { greater-than | less-than | equal } port or if-
match destination-port greater-than port less-than upper-port-value
command.
NOTE

if-match port and if-match destination-port or if-match source-port are
mutually exclusive.
– To set a traffic bearing protocol-based traffic filtering rule, run the if-
match protocol { greater-than | less-than | equal } protocol or if-match
protocol greater-than protocol less-than upper-protocol-value
command.
– To set a DSCP-based traffic filtering rule, run the if-match dscp
{ greater-than | less-than | equal } dscp or if-match dscp greater-than
dscp less-than upper-dscp-value command.
– To set a TCP-flag value-based traffic filtering rule, run the if-match tcp-
flags { match | not | any-match } tcp-flags command.
Network attackers may send a large number of invalid TCP packets to
attack network devices. To control invalid TCP packets to ensure
communication security, configure a filtering rule based on the TCP flag
for the BGP VPN Flow Specification route using the if-match tcp-flags
command. Traffic matching the TCP flag is filtered or controlled using the
actions specified in the apply clauses.
– To configure a filtering rule based on the fragment type, run the if-
match fragment-type { match | not } fragment-type-name command.
– To set an ICMP message code-based traffic filtering rule, run the if-
match icmp-code { greater-than | less-than | equal } icmp-code or if-
match icmp-code greater-than icmp-code less-than upper-icmp-code-
value command.
– To set an ICMP message type-based traffic filtering rule, run the if-match
icmp-type { greater-than | less-than | equal } icmp-type or if-match
icmp-type greater-than icmp-type less-than upper-icmp-type-value
command.
– To set a filtering rule based on the packet length of a BGP VPN Flow
Specification route, run the if-match packet-length { greater-than |
less-than | equal } packet-length-value or if-match packet-length
greater-than packet-length-value less-than upper-packet-length-value
command.
4. Run the following command as required to configure actions for apply
clauses:
– To discard the matched traffic, run the apply deny command.


– To redirect the matched traffic to the traffic cleaning device or blackhole,
run the apply redirect { vpn-target vpn-target-import | ip redirect-ip-rt }
command.
NOTE

The device can process the redirection next hop attribute configured using the
apply redirect ip redirect-ip-rt command received from a peer only after the
peer redirect ip command is run.
– To redirect the matched traffic to an SRv6 TE Policy, run the apply
redirect ipv6 redirect-ipv6-rt color colorvalue [ prefix-sid prefix-sid-
value ] command.
– To re-mark the service class of the matched traffic, run the apply
remark-dscp command.
– To limit the rate of the matched traffic, run the apply traffic-rate
command.
– To implement sampling for the matched traffic, run the apply traffic-
action sample command.
You can run the apply traffic-action sample command for a BGP VPN
Flow Specification route to sample the traffic that matches the specified
filtering rules. Through sampling, abnormal traffic can be identified and
filtered out, which protects the attacked device and improves network
security.
NOTE

The apply deny and apply traffic-rate commands are mutually exclusive.
If the configured BGP VPN Flow Specification route attribute does not need to take
effect locally, run the routing-table rib-only [ route-policy route-policy-name |
route-filter route-filter-name ] command to disable the device from delivering the
BGP VPN Flow Specification route to the FES forwarding table.
5. Run commit
The configuration is committed.
Step 2 Establish a BGP VPN Flow Specification peer relationship.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run vpn-instance vpn-instance-name
A BGP-VPN instance is created, and its view is displayed.
4. Run peer ipv4-address as-number as-number
An IP address and AS number are specified for the peer.
5. Run quit
The BGP view is displayed.
6. Run ipv4-flow vpn-instance vpn-instance-name
The BGP-Flow VPN instance IPv4 address family is enabled, and its view is
displayed.


7. Run peer ipv4-address enable
A BGP VPN Flow Specification peer is specified.
After the BGP VPN Flow Specification peer relationship is established in the
BGP-Flow VPN instance IPv4 address family view, the BGP VPN Flow
Specification route generated by the traffic analysis server is imported
automatically to the BGP routing table and then sent to the peer.
8. Run commit
The configuration is committed.
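As an added example (not taken from this guide or its configuration examples), the following assembles Step 1 and Step 2 into a complete configuration for a constructed scenario: the originating device rate-limits UDP/53 traffic towards a VPN prefix and advertises the route to one network ingress, which accepts it despite the destination-prefix rule. The VPN instance name (vpnA), AS number (65000), peer addresses, prefix, rate value and its unit (assumed to be kbit/s) are assumptions; the VPN instance is assumed to exist and be bound to interfaces as required by the pre-configuration tasks.

```text
#
# Device that generates the static route (constructed values:
# VPN instance vpnA, AS 65000, network ingress peer 10.0.0.2)
#
flow-route dns-limit vpn-instance vpnA
 if-match destination 192.0.2.0 24
 if-match protocol equal 17
 if-match destination-port equal 53
 apply traffic-rate 2000
 commit
#
bgp 65000
 vpn-instance vpnA
  peer 10.0.0.2 as-number 65000
  quit
 ipv4-flow vpn-instance vpnA
  peer 10.0.0.2 enable
  commit
#
# Network ingress (10.0.0.2): the route carries an if-match destination
# rule, so validation of routes from the generating device (10.0.0.1)
# is disabled per the NOTE in Step 1
#
bgp 65000
 vpn-instance vpnA
  peer 10.0.0.1 as-number 65000
  quit
 ipv4-flow vpn-instance vpnA
  peer 10.0.0.1 enable
  peer 10.0.0.1 validation-disable
  commit
```

On the ingress, display bgp flow vpnv4 vpn-instance vpnA routing-table (from the Verifying the Configuration section) should then show the received route as active before any traffic is rate-limited.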
Step 3 (Optional) Configure a Flow RR.
Before configuring a Flow RR, establish a BGP VPN Flow Specification peer
relationship between the Flow RR and device on which the BGP VPN Flow
Specification route is generated and between the Flow RR and every network
ingress.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv4-flow vpn-instance vpn-instance-name
The BGP-Flow VPN instance IPv4 address family view is displayed.
4. Run peer ipv4-address reflect-client
A Flow RR is configured, and clients are specified for it.
The router on which the peer reflect-client command is run functions as a
Flow RR, and the specified peers function as clients.
5. (Optional) Run undo reflect between-clients
Route reflection between clients through the RR is disabled.
If the clients of a Flow RR are fully meshed, you can run the undo reflect
between-clients command on the Flow RR to disable route reflection
between clients through the RR, which reduces costs.
6. (Optional) Run reflector cluster-id { cluster-id-value | cluster-id-ipv4 }
A cluster ID is configured for the Flow RR.
If a cluster has multiple flow RRs, run this command to set the same cluster-
id for these RRs.
The reflector cluster-id command is applicable only to Flow RRs.
7. Run commit
The configuration is committed.
Step 4 (Optional) Configure the device to check the AS_Path attribute during BGP VPN
Flow Specification route validation.
1. Run system-view
The system view is displayed.

2. Run bgp as-number
The BGP view is displayed.
3. Run ipv4-flow vpn-instance vpn-instance-name
The BGP-Flow VPN instance IPv4 address family view is displayed.
4. Run route validation-mode include-as
The device is configured to check the AS_Path attribute during BGP VPN Flow
Specification route validation.
BGP Flow Specification route validation is performed in either of the following
modes:
– Validation mode 1: After receiving a BGP Flow Specification route with a
destination address-based filtering rule, the device checks the validity of
the route using the rules described in Figure 1-30. The route is
considered valid only if the validation succeeds.
– Validation mode 2: After receiving a BGP Flow Specification route with a
destination address-based filtering rule, the device checks the validity of
the route by checking whether the AS_Path attribute of the route carries
the AS_Set and AS_Sequence fields. The route is considered valid only if
its AS_Path attribute does not carry the AS_Set or AS_Sequence field.
Validation mode 2 is configured using the route validation-mode include-as
command. If this command is configured, the device checks the validity of a
BGP Flow Specification route using mode 2 first.
– If the validation succeeds, the BGP Flow Specification route is considered
valid, and mode 1 is not used.
– If the validation fails, the device checks the validity of the BGP Flow
Specification route using mode 1.
If this command is not run, the device uses mode 1 to check the validity of
BGP Flow Specification routes.

Figure 1-30 BGP Flow Specification validation rules

5. Run commit
The configuration is committed.
Step 5 (Optional) Disable BGP VPN Flow Specification route validation.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv4-flow vpn-instance vpn-instance-name
The BGP-Flow VPN instance IPv4 address family view is displayed.
4. Run peer ipv4-address validation-disable
The device is disabled from validating BGP VPN Flow Specification routes
received from a specified peer.
5. Run commit
The configuration is committed.
Step 6 (Optional) Disable the device from validating the routes that carry a redirection
extended community attribute and are received from a specified EBGP peer.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv4-flow vpn-instance vpn-instance-name
The BGP-Flow VPN instance IPv4 address family view is displayed.
4. Run peer ipv4-address redirect ip validation-disable
The device is disabled from validating the routes that carry a redirection
extended community attribute and are received from a specified EBGP peer.
5. Run commit
The configuration is committed.
Step 7 (Optional) Configure a redirection next-hop attribute ID for BGP VPN Flow
Specification routes.
The redirection next-hop attribute ID can be 0x010C (defined in a related RFC) or
0x0800 (defined in a related draft). If a Huawei device needs to communicate with
a non-Huawei device that does not support the redirection next-hop attribute ID
of 0x010C or 0x0800, set the redirection next-hop attribute ID of BGP VPN Flow
Specification routes as required. Perform one of the following configurations based
on the ID supported by non-Huawei devices:
● Set the redirection next-hop attribute ID to 0x010C (defined in a related RFC)
for BGP VPN Flow Specification routes.
a. Run system-view
The system view is displayed.

b. Run bgp as-number
The BGP view is displayed.
c. Run ipv4-flow vpn-instance vpn-instance-name
The BGP-Flow VPN instance IPv4 address family view is displayed.
d. Run peer ipv4-address redirect ip rfc-compatible
The redirection next hop attribute ID of BGP VPN Flow Specification
routes is set to 0x010C (defined in a related RFC).
e. Run commit
The configuration is committed.
● Set the redirection next-hop attribute ID to 0x0800 (defined in a related draft)
for BGP VPN Flow Specification routes.
a. Run system-view
The system view is displayed.
b. Run bgp as-number
The BGP view is displayed.
c. Run ipv4-flow vpn-instance vpn-instance-name
The BGP-Flow VPN instance IPv4 address family view is displayed.
d. Run peer ipv4-address redirect ip draft-compatible
The redirection next-hop attribute ID of BGP VPN Flow Specification
routes is set to 0x0800 (defined in a related draft).
e. Run commit
The configuration is committed.
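The interoperability point in Step 7 is that a redirect-to-IP extended community is only understood by a receiver that recognizes its type/sub-type ID. The following added example (not Huawei code) encodes the community with either ID named in the guide, 0x010C (the transitive IPv4-address-specific type 0x01 with sub-type 0x0C) or 0x0800, and shows a receiver that accepts only one of them dropping the other. The 6-byte value layout, an IPv4 next hop followed by a 2-byte local-administrator field whose low bit is the C (copy) flag, is assumed to be the same for both IDs; the function names are ours.

```python
"""Redirect-to-IP extended community in the two encodings the guide names:
ID 0x010C (peer ... redirect ip rfc-compatible) and ID 0x0800 (peer ...
redirect ip draft-compatible). Added example, not Huawei code."""
import ipaddress
import struct

REDIRECT_IP_RFC = 0x010C    # type 0x01 (transitive IPv4-address-specific), sub-type 0x0C
REDIRECT_IP_DRAFT = 0x0800  # type 0x08, sub-type 0x00


def encode_redirect_ip(next_hop, attr_id=REDIRECT_IP_RFC, copy_flag=False):
    """Build the 8-byte extended community: 2-byte ID, 4-byte IPv4 next hop,
    2-byte local administrator with the C (copy) flag in its low bit (assumed
    layout for both IDs)."""
    if attr_id not in (REDIRECT_IP_RFC, REDIRECT_IP_DRAFT):
        raise ValueError("unsupported redirect next-hop attribute ID")
    packed = ipaddress.IPv4Address(next_hop).packed
    return struct.pack("!H4sH", attr_id, packed, int(copy_flag))


def decode_redirect_ip(community, accepted_ids):
    """Return (next_hop, copy_flag) when the community carries an ID the
    receiver accepts; otherwise None, i.e. the receiver sees no redirect
    next hop at all, which is the failure the guide's Step 7 avoids."""
    attr_id, packed, admin = struct.unpack("!H4sH", community)
    if attr_id not in accepted_ids:
        return None
    return str(ipaddress.IPv4Address(packed)), bool(admin & 0x1)


if __name__ == "__main__":
    # Constructed sample: a peer that only understands the draft ID
    community = encode_redirect_ip("192.0.2.254", REDIRECT_IP_RFC)
    print(decode_redirect_ip(community, {REDIRECT_IP_DRAFT}))   # None
    community = encode_redirect_ip("192.0.2.254", REDIRECT_IP_DRAFT)
    print(decode_redirect_ip(community, {REDIRECT_IP_DRAFT}))   # ('192.0.2.254', False)
```

Run it as a script to see the mismatch case; the sender must be configured with whichever ID the non-Huawei peer accepts, exactly as the two alternative configurations in Step 7 describe.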

Step 8 (Optional) Enable CAR statistics collection and packet loss statistics collection for
BGP Flow Specification.
1. Run system-view
The system view is displayed.
2. Run flowspec statistic enable
CAR statistics collection and packet loss statistics collection are enabled for
BGP Flow Specification.
3. Run commit
The configuration is committed.
Step 9 (Optional) Disable BGP Flow Specification on the interface.
1. Run system-view
The system view is displayed.
2. Run interface interface-type interface-number
The interface view is displayed.
3. Run flowspec disable [ ipv4 | ipv6 ]
BGP Flow Specification is disabled on the interface.
NOTE

This command cannot be configured on Eth-Trunk member interfaces. The
configuration on a main interface also takes effect on its sub-interfaces.
If BGP Flow Specification does not need to be disabled on a sub-interface, run the
flowspec disable [ ipv4 | ipv6 ] sub-port-exclude command on the main interface to
which the sub-interface belongs.
4. Run commit
The configuration is committed.
Step 10 (Optional) Disable BGP Flow Specification protection.
1. Run system-view
The system view is displayed.
2. Run flowspec protocol-protect { ipv4 | ipv6 } disable
BGP Flow Specification protection is disabled.
3. Run commit
The configuration is committed.
Step 11 (Optional) Enable the device to follow RFC 5575 when dealing with BGP Flow
Specification IPv4 fragmentation rules.
1. Run system-view
The system view is displayed.
2. Run flowspec ipv4-fragment-rule switch
The device is enabled to follow RFC 5575 when dealing with BGP Flow
Specification IPv4 fragmentation rules.
3. Run commit
The configuration is committed.
Step 12 (Optional) Enable BGP Flow Specification to match inner packet information
about the packets that leave an SRv6 TE Policy or SRv6 BE egress.
1. Run system-view
The system view is displayed.
2. Run flowspec match srv6-inner-ip enable
BGP Flow Specification is enabled to match inner packet information about
the packets that leave an SRv6 TE Policy or SRv6 BE egress.
3. Run commit
The configuration is committed.
----End

Verifying the Configuration
After the configuration is complete, verify the configuration.
● Run the display bgp flow vpnv4 vpn-instance vpn-instance-name peer
[ [ ipv4-address ] verbose ] command to check information about BGP VPN
Flow Specification peers.
● Run the display bgp flow vpnv4 vpn-instance vpn-instance-name routing-
table command to check information about BGP VPN Flow Specification
routes.
● Run the display bgp flow vpnv4 vpn-instance vpn-instance-name routing-
table [ peer ipv4-address { advertised-routes | received-routes [ active ] } ]
statistics command to check statistics about BGP VPN Flow Specification
routes.
● Run the display flowspec rule reindex-value slot slot-id command to check
information about combined rules in the local BGP Flow Specification rule
table.
● Run the display flowspec rule statistics slot slot-id command to check
statistics about the rules for BGP Flow Specification routes to take effect.
● Run the display flowspec resource rule { ipv4 | ipv6 } [ interface-based ]
[ slot slot-id ] command to check the resource usage information about BGP
Flow Specification route rules.

1.1.14.9 Configuring Dynamic BGP IPv6 VPN Flow Specification


Dynamic BGP IPv6 VPN Flow Specification refers to the traffic control mode in
which a traffic analysis server generates BGP IPv6 VPN Flow Specification routes
to control traffic in an IPv6 VPN domain.

Usage Scenario
When deploying dynamic BGP IPv6 VPN Flow Specification, a BGP IPv6 VPN Flow
Specification peer relationship needs to be established between the traffic analysis
server and each ingress of the network to transmit BGP IPv6 VPN Flow
Specification routes.
In an AS with multiple ingresses, a Flow RR can be deployed to reduce the number
of BGP IPv6 VPN Flow Specification peer relationships and save network resources.
If you want to filter traffic based on the address prefix but the BGP IPv6 VPN Flow
Specification route carrying the filtering rule cannot pass validation, disable
validation of BGP IPv6 VPN Flow Specification routes received from a specified
peer.

Pre-configuration Tasks
Before configuring dynamic BGP IPv6 VPN Flow Specification, complete the
following tasks:
● Configure a VPN instance and bind interfaces to the VPN instance.

Procedure
Step 1 Establish a BGP IPv6 VPN Flow Specification peer relationship.
1. Run system-view
The system view is displayed.

2. Run bgp as-number
The BGP view is displayed.
3. Run vpn-instance vpn-instance-name
A BGP-VPN instance is created, and the BGP-VPN instance view is displayed.
4. Run peer { ipv4-address | ipv6-address } as-number as-number
A peer IP address and the number of the AS where the peer resides are
specified.
5. Run quit
The BGP view is displayed.
6. Run ipv6-flow vpn-instance vpn-instance-name
The BGP-Flow VPN instance IPv6 address family is enabled, and the BGP-Flow
VPN instance IPv6 address family view is displayed.
7. Run peer { ipv4-address | ipv6-address } enable
A BGP IPv6 VPN Flow Specification peer relationship is established.
After the peer relationship is established in the BGP-Flow VPN instance IPv6
address family view, the BGP IPv6 VPN Flow Specification route generated by
the traffic analysis server is imported automatically to the BGP routing table
and then sent to the peer.
8. Run commit
The configuration is committed.
Step 2 (Optional) Configure a Flow RR.
Before configuring a Flow RR, establish a BGP IPv6 VPN Flow Specification peer
relationship between the Flow RR and traffic analysis server, and between the
Flow RR and each network ingress.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv6-flow vpn-instance vpn-instance-name
The BGP-Flow VPN instance IPv6 address family view is displayed.
4. Run peer { ipv4-address | ipv6-address } reflect-client
A Flow RR is configured, and clients are specified for it.
The router on which the peer reflect-client command is run functions as a
Flow RR, and the network ingress and traffic analysis server function as
clients.
5. (Optional) Run undo reflect between-clients
Route reflection between clients through the RR is disabled.
If the clients of a Flow RR are fully meshed, you can run the undo reflect
between-clients command on the Flow RR to disable route reflection
between clients through the RR, which reduces costs.
6. (Optional) Run reflector cluster-id { cluster-id-value | cluster-id-ipv4 }
A cluster ID is configured for the Flow RR.
If a cluster has multiple flow RRs, run this command to set the same cluster-
id for these RRs.
NOTE

The reflector cluster-id command is applicable only to Flow RRs.
7. Run commit
The configuration is committed.
Step 3 (Optional) Configure the device to check the AS_Path attribute during BGP IPv6
VPN Flow Specification route validation.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv6-flow vpn-instance vpn-instance-name
The BGP-Flow VPN instance IPv6 address family view is displayed.
4. Run route validation-mode include-as
The device is configured to check the AS_Path attribute during BGP IPv6 VPN
Flow Specification route validation.
BGP Flow Specification route validation is performed in either of the following
modes:
– Validation mode 1: After receiving a BGP Flow Specification route with a
destination address-based filtering rule, the device checks the validity of
the route using the rules described in Figure 1-31. The route is
considered valid only if the validation succeeds.
– Validation mode 2: After receiving a BGP Flow Specification route with a
destination address-based filtering rule, the device checks the validity of
the route by checking whether the AS_Path attribute of the route carries
the AS_Set and AS_Sequence fields. The route is considered valid only if
its AS_Path attribute does not carry the AS_Set or AS_Sequence field.
Validation mode 2 is configured using the route validation-mode include-as
command. If this command is configured, the device checks the validity of a
BGP Flow Specification route using mode 2 first.
– If the validation succeeds, the BGP Flow Specification route is considered
valid, and mode 1 is not used.
– If the validation fails, the device checks the validity of the BGP Flow
Specification route using mode 1.
If this command is not run, the device uses mode 1 to check the validity of
BGP Flow Specification routes.

Figure 1-31 BGP Flow Specification validation rules

5. Run commit
The configuration is committed.
Step 4 (Optional) Disable BGP IPv6 VPN Flow Specification route validation.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv6-flow vpn-instance vpn-instance-name
The BGP-Flow VPN instance IPv6 address family view is displayed.
4. Run peer { ipv4-address | ipv6-address } validation-disable
The device is disabled from validating BGP IPv6 VPN Flow Specification routes
received from a specified peer.
5. Run commit
The configuration is committed.
Step 5 (Optional) Disable BGP Flow Specification protection.
1. Run system-view
The system view is displayed.
2. Run flowspec protocol-protect { ipv4 | ipv6 } disable
BGP Flow Specification protection is disabled.
3. Run commit
The configuration is committed.
Step 6 (Optional) Configure the device to redirect traffic to a specified IPv6 next hop
after receiving a BGP VPN IPv6 Flow Specification route from a peer.

1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv6-flow vpn-instance vpn-instance-name
The BGP-Flow VPN instance IPv6 address family view is displayed.
4. Run peer { ipv4-address | ipv6-address } redirect ipv6 recursive-lookup ip
The device is configured to redirect traffic to a specified IPv6 next hop after
receiving a BGP VPN IPv6 Flow Specification route from a peer.
5. Run commit
The configuration is committed.
Step 7 (Optional) Allow the device to recurse the BGP VPN IPv6 Flow Specification routes
received from a peer to a tunnel.
1. Run system-view
The system view is displayed.
2. Run tunnel-selector name matchMode node node
A tunnel selector is created and its view is displayed.
3. Run quit
The system view is displayed.
4. Run commit
The configuration is committed.
5. Run bgp as-number
The BGP view is displayed.
6. Run ipv6-flow vpn-instance vpn-instance-name
The BGP-Flow VPN instance IPv6 address family view is displayed.
7. Run peer { ipv4-address | ipv6-address } redirect ipv6 recursive-lookup
tunnel tunnel-selector tunnel-selector-name
The device is allowed to recurse the BGP VPN IPv6 Flow Specification routes
received from a peer to a tunnel.
8. Run commit
The configuration is committed.
Step 8 (Optional) Disable the device from validating the redirection next-hop attribute
carried in the routes that are received from an EBGP peer.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv6-flow vpn-instance vpn-instance-name
The BGP-Flow VPN instance IPv6 address family view is displayed.
4. Run peer { ipv4-address | ipv6-address } redirect ipv6 validation-disable
The device is disabled from validating the next-hop attribute of the routes
carrying the redirection next-hop attribute that are received from the specified
EBGP peer.
5. Run commit
The configuration is committed.
Step 9 (Optional) Enable the route policy distribution (RPD) capability for a BGP peer to
support the BGP Flow Specification routes carrying the RPD attribute and
delivered by the controller to forwarders.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv6-flow vpn-instance vpn-instance-name
The BGP-Flow VPN instance IPv6 address family view is displayed.
4. Run peer peerIPv6Addr capability-advertise route-policy-distribute receive
The RPD capability is enabled for the BGP peer.
5. Run commit
The configuration is committed.
Step 10 (Optional) Enable the DSCP-based BGP IPv6 Flow Specification traffic filtering
rule.
1. Run system-view
The system view is displayed.
2. Run flowspec allow ipv6 dscp
The DSCP-based BGP IPv6 Flow Specification traffic filtering rule is enabled.
3. Run commit
The configuration is committed.
Step 11 (Optional) Enable BGP Flow Specification to match inner packet information
about the packets that leave an SRv6 TE Policy or SRv6 BE egress.
1. Run system-view
The system view is displayed.
2. Run flowspec match srv6-inner-ip enable
BGP Flow Specification is enabled to match inner packet information about
the packets that leave an SRv6 TE Policy or SRv6 BE egress.
3. Run commit
The configuration is committed.

Step 12 (Optional) Enable BGP IPv6 Flow Specification to match the internal protocol
number in the header of an IPv6 fragment.
1. Run system-view
The system view is displayed.
2. Run flowspec match ipv6 fragment-inner-protocol enable
BGP IPv6 Flow Specification is enabled to match the internal protocol number
in the header of an IPv6 fragment.
3. Run commit
The configuration is committed.
----End

Verifying the Configuration
After the configuration is complete, verify the configuration.
● Run the display bgp flow vpnv6 vpn-instance vpn-instance-name peer
[ [ ipv4-address | ipv6-address ] verbose ] command to check information
about BGP IPv6 VPN Flow Specification peers.
● Run the display bgp flow vpnv6 vpn-instance vpn-instance-name routing-
table command to check information about BGP IPv6 VPN Flow Specification
routes.
● Run the display bgp flow vpnv6 vpn-instance vpn-instance-name routing-
table [ peer { ipv4-address | ipv6-address } { advertised-routes | received-
routes [ active ] } ] statistics command to check statistics about BGP IPv6
VPN Flow Specification routes.
● Run the display flowspec ipv6 rule reindex-value slot slot-id command to
check information about combined rules in the BGP IPv6 Flow Specification
route rule table.
● Run the display flowspec ipv6 rule statistics slot slot-id command to check
statistics about the rules for BGP IPv6 Flow Specification routes to take effect.
● Run the display flowspec resource rule { ipv4 | ipv6 } [ interface-based ]
[ slot slot-id ] command to check the resource usage information about BGP
Flow Specification route rules.

1.1.14.10 Configuring Static BGP IPv6 VPN Flow Specification


In IPv6 VPNs, BGP IPv6 VPN Flow Specification routes are generated manually to
control traffic in static BGP IPv6 VPN Flow Specification.

Usage Scenario
When deploying static BGP IPv6 VPN Flow Specification, a BGP IPv6 VPN Flow
Specification route needs to be generated manually, and a BGP IPv6 VPN Flow
Specification peer relationship needs to be established between the device that
generates the BGP IPv6 VPN Flow Specification route and each ingress in the
network to transmit BGP IPv6 VPN Flow Specification routes.

In an AS with multiple ingresses, a BGP IPv6 VPN Flow route reflector (Flow RR)
can be deployed to reduce the number of BGP IPv6 VPN Flow Specification peer
relationships and save network resources.
If you want to filter traffic based on the address prefix but the BGP IPv6 VPN Flow
Specification route carrying the filtering rule cannot pass validation, disable the
validation of BGP IPv6 VPN Flow Specification routes received from a specified
peer.

Pre-configuration Tasks
Before configuring static BGP IPv6 VPN Flow Specification, configure a VPN
instance and bind interfaces to a VPN instance.

Procedure
Step 1 Generate a BGP IPv6 VPN Flow Specification route manually.
1. Run system-view
The system view is displayed.
2. Run flow-route flowroute-name ipv6 vpn-instance vpn-instance-name
A static BGP IPv6 VPN Flow Specification route is created, and the Flow-Route
IPv6 VPN instance view is displayed.
One BGP IPv6 VPN Flow Specification route can include multiple if-match
and apply clauses. if-match clauses define traffic filtering rules, and apply
clauses define traffic behaviors. The relationships among clauses are as
follows:
– The relationship among if-match clauses of different types is "AND."
– If if-match clauses of the same type are configured repeatedly, some
rules override each other, and some other rules are in the OR
relationship. For details, see the precautions for the if-match command.
– The relationship among the traffic behaviors defined by apply clauses is
"AND."
The traffic behaviors defined by apply clauses apply to all traffic matching the
filtering rules of if-match clauses.
3. According to characteristics of the traffic to be controlled, you can configure
one or more if-match clauses to define traffic filtering rules as needed:
– To set a destination address-based traffic filtering rule, run the if-match
destination ipv6-address { mask | mask-length } command.
NOTE

Traffic control is performed based on the destination IP address specified in a rule
configured using the if-match destination command, but BGP IPv6 VPN Flow
Specification routes matching the rule cannot pass validation. In this situation, run
the peer validation-disable command to disable the validation.
By default, 0.0.0.0/0 is used as the prefix of each BGP IPv6 VPN Flow
Specification route that matches the export or import policy of a peer. To enable
a device to change the prefix of each BGP IPv6 VPN Flow Specification route that
matches the export or import policy of a peer to the destination IP address
specified in the if-match destination command, run the route match-destination
command.
– To configure a filtering rule based on the source address, run the if-
match source ipv6-address { mask | mask-length } command.
– To set a port number-based traffic filtering rule, run the if-match port
{ greater-than | less-than | equal } port or if-match port greater-than
port less-than upper-port-value command.
– To set a source port number-based traffic filtering rule, run the if-match
source-port { greater-than | less-than | equal } port or if-match
source-port greater-than source-port less-than upper-source-port-value
command.
– To set a destination port number-based traffic filtering rule, run the if-
match destination-port { greater-than | less-than | equal } port or if-
match destination-port greater-than port less-than upper-port-value
command.
NOTE

if-match port and if-match destination-port or if-match source-port are
mutually exclusive.
– To set a traffic bearing protocol-based traffic filtering rule, run the if-
match protocol { greater-than | less-than | equal } protocol or if-match
protocol greater-than protocol less-than upper-protocol-value
command.
– To set a DSCP-based traffic filtering rule, run the if-match dscp
{ greater-than | less-than | equal } dscp or if-match dscp greater-than
dscp less-than upper-dscp-value command.
– To set a TCP-flag value-based traffic filtering rule, run the if-match tcp-
flags { match | not | any-match } tcp-flags command.
Network attackers may send a large number of invalid TCP packets to
attack network devices. To control invalid TCP packets to ensure
communication security, configure a filtering rule based on the TCP flag
for the BGP IPv6 VPN Flow Specification route using the if-match tcp-
flags command. Traffic matching the TCP flag is filtered or controlled
using the actions specified in the apply clauses.
– To set a fragment type-based traffic filtering rule, run the if-match
fragment-type { match | not } fragment-type-name command.
– To set an ICMP message code-based traffic filtering rule, run the if-
match icmp-code { greater-than | less-than | equal } icmp-code or if-
match icmp-code greater-than icmp-code less-than upper-icmp-code-
value command.
– To set an ICMP message type-based traffic filtering rule, run the if-match
icmp-type { greater-than | less-than | equal } icmp-type or if-match
icmp-type greater-than icmp-type less-than upper-icmp-type-value
command.
– To set a filtering rule based on the packet length of a BGP IPv6 VPN Flow
Specification route, run the if-match packet-length { greater-than |
less-than | equal } packet-length-value or if-match packet-length
greater-than packet-length-value less-than upper-packet-length-value
command.
4. Run the following command as required to configure actions for apply
clauses:

– To discard the matched traffic, run the apply deny command.
– To redirect the matched traffic to the traffic cleaning device or blackhole,
run the apply redirect vpn-target vpn-target-import command.
– To re-mark the service class of the matched traffic, run the apply
remark-dscp command.
– To limit the rate of the matched traffic, run the apply traffic-rate
command.
– To implement sampling for the matched traffic, run the apply traffic-
action sample command.
You can run the apply traffic-action sample command for a BGP IPv6
VPN Flow Specification route to sample the traffic that matches the
specified filtering rules. Through sampling, abnormal traffic can be
identified and filtered out, which protects the attacked device and
improves network security.
– To redirect the matched traffic to the IPv6 address of a specified next
hop, run the apply redirect ipv6 redirect-ipv6-rt [ color colorValue
[ prefix-sid prefix-sid-value ] ] command.
The apply redirect ipv6 redirect-ipv6-rt command must be used together
with the local-route redirect ipv6 recursive-lookup ip command so that
the matched traffic can be redirected to the IPv6 address of the specified
next hop.
The apply redirect ipv6 redirect-ipv6-rt color colorValue prefix-sid
prefix-sid-value command must be used together with the local-route
redirect ipv6 recursive-lookup tunnel tunnel-selector tunnel-selector-
name command to trigger tunnel recursion.
NOTE

The apply deny and apply traffic-rate commands are mutually exclusive.
If the configured BGP IPv6 VPN Flow Specification route attribute does not need to
take effect locally, run the routing-table rib-only [ route-policy route-policy-name |
route-filter route-filter-name ] command to disable the device from delivering the
BGP IPv6 VPN Flow Specification route to the FES forwarding table.
5. Run commit
The configuration is committed.
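The if-match and apply clauses of Step 1 map directly onto the wire format of a Flow Specification route: each if-match type becomes one NLRI component (different types are ANDed because the NLRI is one conjunction), and each apply clause becomes an extended community. The following added example is not Huawei code; it encodes a static IPv6 VPN Flow Specification route into RFC 8956 NLRI bytes and RFC 5575 action communities, and enforces the two exclusivity rules stated in the NOTEs of this step and of the static IPv4 VPN procedure at the start of this section (if-match port versus destination-port/source-port; apply deny versus apply traffic-rate). The clause tuples, the "prefix/len" notation and the "range" keyword are our own simplifications of the command syntax; the encoder rejects repeated same-type clauses because the guide defers their override/OR semantics to the if-match command precautions.

```python
"""Encode a static BGP IPv6 VPN Flow Specification route (if-match clauses and
apply clauses) into NLRI bytes plus action extended communities.
Added example, not Huawei code."""
import ipaddress
import struct

# RFC 5575 / RFC 8956 component types, keyed by the if-match clause name
COMPONENT = {
    "destination": 1, "source": 2, "protocol": 3, "port": 4,
    "destination-port": 5, "source-port": 6, "icmp-type": 7,
    "icmp-code": 8, "tcp-flags": 9, "packet-length": 10, "dscp": 11,
}
NUMERIC_OP = {"equal": 0x01, "greater-than": 0x02, "less-than": 0x04}
BITMASK_OP = {"match": 0x01, "not": 0x02, "any-match": 0x00}


def _numeric(operator, value, end, and_prev):
    """One operator byte (bits: e a len 0 lt gt eq) plus a 1/2/4/8-byte value."""
    for code, size in ((0, 1), (1, 2), (2, 4), (3, 8)):
        if value < 1 << (8 * size):
            break
    else:
        raise ValueError("value does not fit in 8 bytes")
    op = (end << 7) | (and_prev << 6) | (code << 4) | NUMERIC_OP[operator]
    return bytes([op]) + value.to_bytes(size, "big")


def encode_clause(name, *args):
    """Encode one if-match clause (forms are our simplification):
       ("destination", "2001:db8::/32")  -> IPv6 prefix: type, length, offset, pattern
       ("port", "equal", 80)             -> single numeric test
       ("port", "range", 1024, 65535)    -> greater-than lo AND less-than hi
       ("tcp-flags", "match", 0x02)      -> bitmask test
    """
    ctype = COMPONENT[name]
    if name in ("destination", "source"):
        net = ipaddress.IPv6Network(args[0], strict=False)
        offset = 0  # RFC 8956 offset field: match from bit 0 of the address
        pattern = net.network_address.packed[: (net.prefixlen - offset + 7) // 8]
        return bytes([ctype, net.prefixlen, offset]) + pattern
    if name == "tcp-flags":
        mode, flags = args
        return bytes([ctype, 0x80 | BITMASK_OP[mode], flags & 0xFF])  # e=1, 1-byte value
    if args[0] == "range":
        lo, hi = args[1], args[2]
        return (bytes([ctype]) + _numeric("greater-than", lo, 0, 0)
                + _numeric("less-than", hi, 1, 1))  # a=1 ANDs with the previous term
    return bytes([ctype]) + _numeric(args[0], args[1], 1, 0)


def encode_flow_route(clauses):
    """NLRI = length prefix + components in ascending type order.
    Enforces the guide's rule that if-match port excludes if-match
    destination-port / source-port; repeated same-type clauses are rejected."""
    names = [c[0] for c in clauses]
    if "port" in names and ({"destination-port", "source-port"} & set(names)):
        raise ValueError("if-match port excludes if-match destination-port/source-port")
    if len(set(names)) != len(names):
        raise ValueError("each if-match type may appear once in this encoder")
    body = b"".join(encode_clause(*c) for c in sorted(clauses, key=lambda c: COMPONENT[c[0]]))
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack("!H", 0xF000 | len(body)) + body


def encode_actions(actions):
    """apply clauses as 8-byte extended communities. apply deny is traffic-rate 0,
    so it and apply traffic-rate would both set community 0x8006: that is why
    the guide lists them as mutually exclusive."""
    if "deny" in actions and "traffic-rate" in actions:
        raise ValueError("apply deny and apply traffic-rate are mutually exclusive")
    out = []
    if "deny" in actions:
        out.append(struct.pack("!HHf", 0x8006, 0, 0.0))
    if "traffic-rate" in actions:  # bytes per second as IEEE float32
        out.append(struct.pack("!HHf", 0x8006, 0, float(actions["traffic-rate"])))
    if actions.get("sample"):  # traffic-action with the S (sample) bit set
        out.append(struct.pack("!HIH", 0x8007, 0, 0x02))
    if "redirect-vpn-target" in actions:  # apply redirect vpn-target asn:number
        asn, num = actions["redirect-vpn-target"]
        out.append(struct.pack("!HHI", 0x8008, asn, num))
    if "remark-dscp" in actions:  # traffic-marking, DSCP in the low 6 bits
        out.append(struct.pack("!HIH", 0x8009, 0, actions["remark-dscp"] & 0x3F))
    return out


if __name__ == "__main__":
    # Constructed sample: UDP/53 towards 2001:db8::/32, rate-limited and sampled
    nlri = encode_flow_route([("destination", "2001:db8::/32"),
                              ("protocol", "equal", 17),
                              ("destination-port", "equal", 53)])
    print(nlri.hex(), [c.hex() for c in encode_actions({"traffic-rate": 1000000, "sample": True})])
```

Running the script prints the NLRI and the two communities for the sample route; feeding it a clause list that combines if-match port with if-match destination-port, or an action set that combines deny with traffic-rate, raises the same conflicts the CLI rejects.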
Step 2 Establish a BGP IPv6 VPN Flow Specification peer relationship.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run vpn-instance vpn-instance-name
A BGP-VPN instance is created, and its view is displayed.
4. Run peer { ipv4-address | ipv6-address } as-number as-number
An IP address and AS number are specified for the peer.
5. Run quit
The BGP view is displayed.

6. Run ipv6-flow vpn-instance vpn-instance-name
The BGP-Flow VPN instance IPv6 address family is enabled, and its view is
displayed.
7. Run peer { ipv4-address | ipv6-address } enable
A BGP IPv6 VPN Flow Specification peer relationship is established.
After the BGP IPv6 VPN Flow Specification peer relationship is established in
the BGP-Flow VPN instance IPv6 address family view, the BGP IPv6 VPN Flow
Specification route generated by the traffic analysis server is imported
automatically to the BGP routing table and then sent to the peer.
8. Run commit
The configuration is committed.
Step 3 (Optional) Configure a Flow RR.
Before configuring a Flow RR, establish a BGP IPv6 VPN Flow Specification peer
relationship between the Flow RR and the device that generates the BGP IPv6
VPN Flow Specification route, and between the Flow RR and every ingress.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv6-flow vpn-instance vpn-instance-name
The BGP-Flow VPN instance IPv6 address family view is displayed.
4. Run peer { ipv4-address | ipv6-address } reflect-client
A Flow RR is configured, and clients are specified for it.
The router on which the peer reflect-client command is run functions as a
Flow RR, and the specified peers function as clients.
5. (Optional) Run undo reflect between-clients
Route reflection between clients through the RR is disabled.
If the clients of a Flow RR are fully meshed, you can run the undo reflect
between-clients command on the Flow RR to disable route reflection
between clients through the RR, which reduces costs.
6. (Optional) Run reflector cluster-id { cluster-id-value | cluster-id-ipv4 }
A cluster ID is configured for the Flow RR.
If a cluster has multiple flow RRs, run this command to set the same cluster-
id for these RRs.
The reflector cluster-id command is applicable only to Flow RRs.
7. Run commit
The configuration is committed.
Step 4 (Optional) Configure the device to check the AS_Path attribute during BGP IPv6
VPN Flow Specification route validation.

1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv6-flow vpn-instance vpn-instance-name
The BGP-Flow VPN instance IPv6 address family view is displayed.
4. Run route validation-mode include-as
The device is configured to check the AS_Path attribute during BGP IPv6 VPN
Flow Specification route validation.
BGP Flow Specification route validation is performed in either of the following
modes:
– Validation mode 1: After receiving a BGP Flow Specification route with a
destination address-based filtering rule, the device checks the validity of
the route using the rules described in Figure 1-32. The route is
considered valid only if the validation succeeds.
– Validation mode 2: After receiving a BGP Flow Specification route with a
destination address-based filtering rule, the device checks the validity of
the route by checking whether the AS_Path attribute of the route carries
the AS_Set and AS_Sequence fields. The route is considered valid only if
its AS_Path attribute does not carry the AS_Set or AS_Sequence field.
Validation mode 2 is configured using the route validation-mode include-as
command. If this command is configured, the device checks the validity of a
BGP Flow Specification route using mode 2 first.
– If the validation succeeds, the BGP Flow Specification route is considered
valid, and mode 1 is not used.
– If the validation fails, the device checks the validity of the BGP Flow
Specification route using mode 1.
If this command is not run, the device uses mode 1 to check the validity of
BGP Flow Specification routes.

Figure 1-32 BGP Flow Specification validation rules

5. Run commit
The configuration is committed.
Step 5 (Optional) Disable BGP IPv6 VPN Flow Specification route validation.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv6-flow vpn-instance vpn-instance-name
The BGP-Flow VPN instance IPv6 address family view is displayed.
4. Run peer { ipv4-address | ipv6-address } validation-disable
The device is disabled from validating BGP IPv6 VPN Flow Specification routes
received from a specified peer.
5. Run commit
The configuration is committed.
Step 6 (Optional) Disable BGP Flow Specification protection.
1. Run system-view
The system view is displayed.
2. Run flowspec protocol-protect { ipv4 | ipv6 } disable
BGP Flow Specification protection is disabled.
3. Run commit
The configuration is committed.
Step 7 (Optional) Configure the device to redirect traffic to a specified IPv6 next hop
based on a static BGP VPN IPv6 Flow Specification route.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv6-flow vpn-instance vpn-instance-name
The BGP-Flow VPN instance IPv6 address family view is displayed.
4. Run local-route redirect ipv6 recursive-lookup ip
The device is configured to redirect traffic to a specified IPv6 next hop based
on a static BGP VPN IPv6 Flow Specification route.
5. Run commit
The configuration is committed.
Step 8 (Optional) Allow the device to recurse static BGP VPN IPv6 Flow Specification
routes to tunnels.

1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv6-flow vpn-instance vpn-instance-name
The BGP-Flow VPN instance IPv6 address family view is displayed.
4. Run local-route redirect ipv6 recursive-lookup tunnel tunnel-selector
tunnel-selector-name
The device is allowed to recurse static BGP VPN IPv6 Flow Specification routes
to tunnels.
5. Run commit
The configuration is committed.

Step 9 (Optional) Enable the DSCP-based BGP IPv6 Flow Specification traffic filtering
rule.
1. Run system-view
The system view is displayed.
2. Run flowspec allow ipv6 dscp
The DSCP-based BGP IPv6 Flow Specification traffic filtering rule is enabled.
3. Run commit
The configuration is committed.
Step 10 (Optional) Enable BGP Flow Specification to match inner packet information
about the packets that leave an SRv6 TE Policy or SRv6 BE egress.
1. Run system-view
The system view is displayed.
2. Run flowspec match srv6-inner-ip enable
BGP Flow Specification is enabled to match inner packet information about
the packets that leave an SRv6 TE Policy or SRv6 BE egress.
3. Run commit
The configuration is committed.
Step 11 (Optional) Enable BGP IPv6 Flow Specification to match the internal protocol
number in the header of an IPv6 fragment.
1. Run system-view
The system view is displayed.
2. Run flowspec match ipv6 fragment-inner-protocol enable
BGP IPv6 Flow Specification is enabled to match the internal protocol number
in the header of an IPv6 fragment.
3. Run commit

The configuration is committed.

----End

Verifying the Configuration
After the configuration is complete, verify the configuration.
● Run the display bgp flow vpnv6 vpn-instance vpn-instance-name peer
[ [ ipv4-address | ipv6-address ] verbose ] command to check information
about BGP IPv6 VPN Flow Specification peers.
● Run the display bgp flow vpnv6 vpn-instance vpn-instance-name
routing-table command to check information about BGP IPv6 VPN Flow
Specification routes.
● Run the display bgp flow vpnv6 vpn-instance vpn-instance-name
routing-table [ peer { ipv4-address | ipv6-address } { advertised-routes |
received-routes [ active ] } ] statistics command to check statistics about BGP
IPv6 VPN Flow Specification routes.
● Run the display flowspec ipv6 rule reindex-value slot slot-id command to
check information about combined rules in the BGP IPv6 Flow Specification
route rule table.
● Run the display flowspec ipv6 rule statistics slot slot-id command to check
statistics about the rules for BGP IPv6 Flow Specification routes to take effect.
● Run the display flowspec resource rule { ipv4 | ipv6 } [ interface-based ]
[ slot slot-id ] command to check the resource usage information about BGP
Flow Specification route rules.
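The following consolidated configuration is an added example, not text from this guide, and shows Steps 2, 4, 9 and 11 above on a single ingress device, laid out the way the device's configuration display indents views. The AS number 65000, the VPN instance name vpna and the peer address 192.0.2.20 (the device that created the BGP IPv6 VPN Flow Specification route in Step 1) are constructed values.

```text
# Ingress device (constructed example): AS 65000, VPN instance vpna,
# peer 192.0.2.20 is the device that created the static route in Step 1
system-view
 bgp 65000
  peer 192.0.2.20 as-number 65000
  ipv6-flow vpn-instance vpna
   # Step 2: BGP IPv6 VPN Flow Specification peer relationship
   peer 192.0.2.20 enable
   # Step 4: validation mode 2 first (AS_Path must carry neither AS_Set nor
   # AS_Sequence); if that fails, the mode 1 rules of Figure 1-32 are applied
   route validation-mode include-as
   commit
   quit
  quit
 # Step 9 and Step 11: system-view settings, so they apply to every BGP IPv6
 # Flow Specification rule on the device, not only to this VPN instance
 flowspec allow ipv6 dscp
 flowspec match ipv6 fragment-inner-protocol enable
 commit
```

The Step 5 command peer 192.0.2.20 validation-disable would replace the validation-mode line only when the route carries a destination-prefix rule that cannot pass validation and the peer is fully under your control: it switches off the check for every route received from that peer. Check the result with display bgp flow vpnv6 vpn-instance vpna peer 192.0.2.20 verbose and display bgp flow vpnv6 vpn-instance vpna routing-table.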

1.1.14.11 Configuring Dynamic BGP VPNv4 Flow Specification


Dynamic BGP VPNv4 Flow Specification allows BGP VPNv4 Flow Specification
routes to be transmitted and traffic filtering policies to be generated. The policies
improve security of devices in VPNs.

Usage Scenario
Before deploying dynamic BGP VPNv4 Flow Specification, you need to establish a
BGP VPNv4 Flow Specification peer relationship between the traffic analysis server
and each ingress of the network to transmit BGP VPNv4 Flow Specification routes.

In an AS with multiple ingresses, a Flow RR can be deployed to reduce the number
of BGP VPNv4 Flow Specification peer relationships and save network resources.

Pre-configuration Tasks
Before configuring dynamic BGP VPNv4 Flow Specification, complete the following
tasks:

● Configure BGP peer relationships.

Procedure
Step 1 Establish a BGP VPNv4 Flow Specification peer relationship.

1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run peer ipv4-address as-number as-number
The IP address of a peer and the number of the AS where the peer resides are
specified.
4. Run ipv4-flow vpnv4
The BGP-Flow VPNv4 address family is enabled, and the BGP-Flow VPNv4
address family view is displayed.
5. Run peer ipv4-address enable
A BGP VPNv4 Flow Specification peer is specified.
6. Run commit
The configuration is committed.
Step 2 (Optional) Configure a Flow RR.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv4-flow vpnv4
The BGP-Flow VPNv4 address family is enabled, and the BGP-Flow VPNv4
address family view is displayed.
4. Run peer ipv4-address reflect-client
A Flow RR is configured, and clients are specified for it.
The router on which the peer reflect-client command is run functions as a
Flow RR, and the network ingress and traffic analysis server function as
clients.
5. (Optional) Run undo reflect between-clients
Route reflection between clients through the RR is disabled.
If the clients of a Flow RR are fully meshed, you can run the undo reflect
between-clients command on the Flow RR to disable route reflection
between clients through the RR, which reduces costs.
6. (Optional) Run reflector cluster-id { cluster-id-value | cluster-id-ipv4 }
A cluster ID is configured for the Flow RR.
If a cluster has multiple Flow RRs, run this command to set the same cluster-id
for these RRs.

NOTE

The reflector cluster-id command is applicable only to Flow RRs.

7. Run commit
The configuration is committed.

Step 3 (Optional) Configure the redirection next-hop attribute ID for BGP VPNv4 Flow
Specification routes.
The redirection next-hop attribute ID can be 0x010C (defined in a related RFC) or
0x0800 (defined in a related draft). If a Huawei device needs to communicate with
a non-Huawei device that does not support the redirection next-hop attribute ID
of 0x010C or 0x0800, set the redirection next-hop attribute ID of BGP VPNv4 Flow
Specification routes as required. Perform one of the following configurations based
on the ID supported by non-Huawei devices:
● Set the redirection next-hop attribute ID to 0x010C (defined in a related RFC)
for BGP VPNv4 Flow Specification routes.
a. Run system-view
The system view is displayed.
b. Run bgp as-number
The BGP view is displayed.
c. Run ipv4-flow vpnv4
The BGP-Flow VPNv4 address family is enabled, and the BGP-Flow VPNv4
address family view is displayed.
d. Run peer ipv4-address redirect ip rfc-compatible
The redirection next hop attribute ID of BGP VPNv4 Flow Specification
routes is set to 0x010C (defined in a related RFC).
e. Run commit
The configuration is committed.
● Set the redirection next-hop attribute ID to 0x0800 (defined in a related draft)
for BGP VPNv4 Flow Specification routes.
a. Run system-view
The system view is displayed.
b. Run bgp as-number
The BGP view is displayed.
c. Run ipv4-flow vpnv4
The BGP-Flow VPNv4 address family is enabled, and the BGP-Flow VPNv4
address family view is displayed.
d. Run peer ipv4-address redirect ip draft-compatible
The redirection next-hop attribute ID of BGP VPNv4 Flow Specification
routes is set to 0x0800 (defined in a related draft).
e. Run commit
The configuration is committed.

Step 4 (Optional) Disable BGP Flow Specification protection.
1. Run system-view
The system view is displayed.
2. Run flowspec protocol-protect { ipv4 | ipv6 } disable
BGP Flow Specification protection is disabled.
3. Run commit
The configuration is committed.
Step 5 (Optional) Enable the device to follow RFC 5575 when dealing with BGP Flow
Specification IPv4 fragmentation rules.
1. Run system-view
The system view is displayed.
2. Run flowspec ipv4-fragment-rule switch
The device is enabled to follow RFC 5575 when dealing with BGP Flow
Specification IPv4 fragmentation rules.
3. Run commit
The configuration is committed.
Step 6 (Optional) Enable BGP Flow Specification to match inner packet information
about the packets that leave an SRv6 TE Policy or SRv6 BE egress.
1. Run system-view
The system view is displayed.
2. Run flowspec match srv6-inner-ip enable
BGP Flow Specification is enabled to match inner packet information about
the packets that leave an SRv6 TE Policy or SRv6 BE egress.
3. Run commit
The configuration is committed.

----End

Verifying the Configuration
After the configuration is complete, verify the configuration.
● Run the display bgp flow vpnv4 all peer [ [ ipv4-address ] verbose ]
command to check information about all BGP VPN Flow Specification peers
and BGP VPNv4 Flow Specification peers.
● Run the display bgp flow vpnv4 { all | route-distinguisher
route-distinguisher } routing-table [ reindex ] command to check information
about all BGP VPN Flow Specification routes and BGP VPNv4 Flow
Specification routes or the BGP VPN Flow Specification routes and BGP VPNv4
Flow Specification routes with a specified RD.
● Run the display bgp flow vpnv4 { all | route-distinguisher
route-distinguisher } routing-table statistics command to check statistics about
all BGP VPN Flow Specification routes and BGP VPNv4 Flow Specification routes
or the BGP VPN Flow Specification routes and BGP VPNv4 Flow Specification
routes with a specified RD.
● Run the display flowspec rule reindex-value slot slot-id command to check
information about combined rules in the local BGP Flow Specification rule
table.

● Run the display flowspec rule statistics slot slot-id command to check
statistics about the rules for BGP Flow Specification routes to take effect.
● Run the display flowspec resource rule { ipv4 | ipv6 } [ interface-based ]
[ slot slot-id ] command to check the resource usage information about BGP
Flow Specification route rules.

1.1.14.12 Configuring Static BGP VPNv4 Flow Specification


Static BGP VPNv4 Flow Specification allows BGP VPNv4 Flow Specification routes
to be transmitted and traffic filtering policies to be generated. The policies
improve security of devices in VPNs.

Usage Scenario
To deploy static BGP VPNv4 Flow Specification, a BGP VPN Flow Specification
route needs to be created manually first. After the BGP-Flow VPNv4 address
family is enabled, a BGP VPNv4 Flow Specification route is generated
automatically. Then a BGP VPNv4 Flow Specification peer relationship needs to be
established between the device on which the BGP VPN Flow Specification route is
created and the network ingress device to transmit the BGP VPNv4 Flow
Specification route.

In an AS with multiple ingresses, a BGP VPNv4 Flow route reflector (Flow RR) can
be deployed to reduce the number of BGP VPN Flow Specification peer
relationships and save network resources.

Pre-configuration Tasks
Before configuring static BGP VPNv4 Flow Specification, complete the following
tasks:

● Configure BGP peer relationships.
● Enable the BGP-Flow VPN instance IPv4 address family.

Procedure
Step 1 Generate a BGP VPN Flow Specification route manually.
1. Run system-view
The system view is displayed.
2. Run flow-route flowroute-name vpn-instance vpn-instance-name
A static BGP VPN Flow Specification route is created, and the Flow-Route VPN
instance view is displayed.

One BGP VPN Flow Specification route can include multiple if-match and
apply clauses. if-match clauses define traffic filtering rules, and apply clauses
define traffic behaviors. The relationships among clauses are as follows:
– The relationship among if-match clauses of different types is "AND."
– If if-match clauses of the same type are configured repeatedly, some
rules override each other, and some other rules are in the OR
relationship. For details, see the precautions for the if-match command.

– The relationship among the traffic behaviors defined by apply clauses is
"AND."
The traffic behaviors defined by apply clauses apply to all traffic matching the
filtering rules of if-match clauses.
3. According to the characteristics of the traffic to be controlled, configure
one or more if-match clauses to define traffic filtering rules as needed:
– To set a destination address-based traffic filtering rule, run the
if-match destination ipv4-address { mask | mask-length } command.
NOTE

Traffic control is performed based on the destination IP address specified in a
rule configured using the if-match destination command, but BGP VPN Flow
Specification routes matching the rule cannot pass validation. In this situation,
run the peer validation-disable command to disable the validation.
By default, 0.0.0.0/0 is used as the prefix of each BGP VPN Flow Specification
route that matches the export or import policy of a peer. To enable a device to
change the prefix of each BGP VPN Flow Specification route that matches the
export or import policy of a peer to the destination IP address specified in the
if-match destination command, run the route match-destination command.
– To configure a filtering rule based on the source address, run the
if-match source ipv4-address { mask | mask-length } command.
– To set a filtering rule based on the port number, run the if-match port
operator port command.
– To configure a filtering rule based on the source port number, run the
if-match source-port operator port command.
– To configure a filtering rule based on the destination port number, run
the if-match destination-port operator port command.
NOTE

if-match port and if-match destination-port or if-match source-port are
mutually exclusive.
– To set a traffic filtering rule that is based on the protocol used to carry
traffic, run the if-match protocol operator protocol command.
– To configure a filtering rule based on the service type, run the if-match
dscp operator dscp command.
– To configure a filtering rule based on the TCP flag, run the
if-match tcp-flags { match | not } tcp-flags command.
Network attackers may send a large number of invalid TCP packets to
attack network devices. To control invalid TCP packets and ensure
communication security, configure a filtering rule based on the TCP flag
for the BGP VPN Flow Specification route using the if-match tcp-flags
command. Traffic matching the TCP flag is filtered or controlled using the
actions specified in the apply clauses.
– To configure a filtering rule based on the fragment type, run the
if-match fragment-type { match | not } fragment-type-name command.
– To set a traffic filtering rule that is based on an ICMP packet code, run
the if-match icmp-code operator icmp-code command.
– To set a traffic filtering rule that is based on an ICMP packet type, run the
if-match icmp-type { greater-than | less-than | equal } icmp-type
command.

– To configure a filtering rule based on the packet length of BGP VPN Flow
Specification routes, run the if-match packet-length { greater-than |
less-than | equal } packet-length-value command.
4. Run the following command as required to configure actions for apply
clauses:
– To discard the matched traffic, run the apply deny command.
– To redirect the matching traffic to the traffic cleaning device or blackhole,
run the apply redirect { vpn-target vpn-target-import | ip redirect-ip-rt }
command.
NOTE

The device can process the redirection next hop attribute configured using the
apply redirect ip redirect-ip-rt command received from a peer only after the
peer redirect ip command is run.
– To re-mark the service class of the matching traffic, run the apply
remark-dscp command.
– To limit the rate of the matched traffic, run the apply traffic-rate
command.
NOTE

The apply deny and apply traffic-rate commands are mutually exclusive.
If the configured BGP VPN Flow Specification route attribute does not need to take
effect locally, run the routing-table rib-only [ route-policy route-policy-name |
route-filter route-filter-name ] command to disable the device from delivering the
BGP VPN Flow Specification route to the FES forwarding table.
5. Run commit
The configuration is committed.
Step 2 Establish a BGP VPNv4 Flow Specification peer relationship.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run peer ipv4-address as-number as-number
An IP address and AS number are specified for the peer.
4. Run ipv4-flow vpnv4
The BGP-Flow VPNv4 address family is enabled, and its view is displayed.
5. Run peer ipv4-address enable
A BGP VPNv4 Flow Specification peer relationship is established.
6. Run commit
The configuration is committed.
Step 3 (Optional) Configure a Flow RR.
Before configuring a Flow RR, establish a BGP VPNv4 Flow Specification peer
relationship between the Flow RR and both the device that generates the BGP
VPN Flow Specification route and every ingress.

1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv4-flow vpnv4
The BGP-Flow VPNv4 address family is enabled, and its view is displayed.
4. Run peer ipv4-address reflect-client
A Flow RR is configured, and clients are specified for it.
The router on which the peer reflect-client command is run functions as a
Flow RR, and the specified peers function as clients.
5. (Optional) Run undo reflect between-clients
Route reflection between clients through the RR is disabled.
If the clients of a Flow RR are fully meshed, you can run the undo reflect
between-clients command on the Flow RR to disable route reflection
between clients through the RR, which reduces costs.
6. (Optional) Run reflector cluster-id { cluster-id-value | cluster-id-ipv4 }
A cluster ID is configured for the Flow RR.
If a cluster has multiple Flow RRs, run this command to set the same cluster-id
for these RRs.
The reflector cluster-id command is applicable only to Flow RRs.
7. Run commit
The configuration is committed.
Step 4 (Optional) Configure the redirection next-hop attribute ID for BGP VPNv4 Flow
Specification routes.
The redirection next-hop attribute ID can be 0x010C (defined in a related RFC) or
0x0800 (defined in a related draft). If a Huawei device needs to communicate with
a non-Huawei device that does not support the redirection next-hop attribute ID
of 0x010C or 0x0800, set the redirection next-hop attribute ID of BGP VPNv4 Flow
Specification routes as required. Perform one of the following configurations based
on the ID supported by non-Huawei devices:
● Set the redirection next-hop attribute ID to 0x010C (defined in a related RFC)
for BGP VPNv4 Flow Specification routes.
a. Run system-view
The system view is displayed.
b. Run bgp as-number
The BGP view is displayed.
c. Run ipv4-flow vpnv4
The BGP-Flow VPNv4 address family is enabled, and the BGP-Flow VPNv4
address family view is displayed.
d. Run peer ipv4-address redirect ip rfc-compatible

The redirection next hop attribute ID of BGP VPNv4 Flow Specification
routes is set to 0x010C (defined in a related RFC).
e. Run commit
The configuration is committed.
● Set the redirection next-hop attribute ID to 0x0800 (defined in a related draft)
for BGP VPNv4 Flow Specification routes.
a. Run system-view
The system view is displayed.
b. Run bgp as-number
The BGP view is displayed.
c. Run ipv4-flow vpnv4
The BGP-Flow VPNv4 address family is enabled, and the BGP-Flow VPNv4
address family view is displayed.
d. Run peer ipv4-address redirect ip draft-compatible
The redirection next-hop attribute ID of BGP VPNv4 Flow Specification
routes is set to 0x0800 (defined in a related draft).
e. Run commit
The configuration is committed.

Step 5 (Optional) Disable BGP Flow Specification protection.
1. Run system-view
The system view is displayed.
2. Run flowspec protocol-protect { ipv4 | ipv6 } disable
BGP Flow Specification protection is disabled.
3. Run commit
The configuration is committed.
Step 6 (Optional) Enable the device to follow RFC 5575 when dealing with BGP Flow
Specification IPv4 fragmentation rules.
1. Run system-view
The system view is displayed.
2. Run flowspec ipv4-fragment-rule switch
BGP Flow Specification IPv4 fragmentation rules are enabled to comply with
RFC 5575.
3. Run commit
The configuration is committed.
Step 7 (Optional) Enable BGP Flow Specification to match inner packet information
about the packets that leave an SRv6 TE Policy or SRv6 BE egress.
1. Run system-view
The system view is displayed.
2. Run flowspec match srv6-inner-ip enable
BGP Flow Specification is enabled to match inner packet information about
the packets that leave an SRv6 TE Policy or SRv6 BE egress.
3. Run commit
The configuration is committed.

----End
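As an added example, not configuration taken from this guide, the listing below carries out Step 1 and Step 2 above on the device that creates the static route, in the layout of the device's configuration display. The AS number 65000, the VPN instance vpna, the route name limit-dns, the prefix 198.51.100.0/24, the rate value and the ingress address 192.0.2.1 are constructed; the ipv4-flow vpn-instance command used to satisfy the pre-configuration task is assumed by analogy with ipv6-flow vpn-instance, and the traffic-rate value is assumed to be in kbit/s.

```text
# Device that creates the static route (constructed example): AS 65000,
# VPN instance vpna, network ingress 192.0.2.1
system-view
 bgp 65000
  peer 192.0.2.1 as-number 65000
  # Pre-configuration task (command assumed by analogy with
  # ipv6-flow vpn-instance): BGP-Flow VPN instance IPv4 address family
  ipv4-flow vpn-instance vpna
   quit
  # Step 2: BGP VPNv4 Flow Specification peer relationship with the ingress
  ipv4-flow vpnv4
   peer 192.0.2.1 enable
   commit
   quit
  quit
 # Step 1: one route, several if-match clauses of different types (ANDed):
 # UDP to port 53 destined for the VPN's DNS subnet is rate-limited
 flow-route limit-dns vpn-instance vpna
  if-match destination 198.51.100.0 24
  if-match protocol equal 17
  # destination-port, not port: the two clause types are mutually exclusive
  if-match destination-port equal 53
  # apply traffic-rate and apply deny are mutually exclusive; limit, do not drop
  # (rate value constructed; unit assumed to be kbit/s)
  apply traffic-rate 2000
  commit
```

Because the route carries a destination-prefix rule, the NOTE under Step 1 applies: the ingress cannot pass it through validation unless validation is disabled for this peer with peer validation-disable, or the route prefix is rewritten with route match-destination. Confirm the route on the ingress with display bgp flow vpnv4 all routing-table and the rule resources with display flowspec resource rule ipv4.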

Verifying the Configuration
After completing the configuration, verify it.

● Run the display bgp flow vpnv4 all peer [ [ ipv4-address ] verbose ]
command to check information about all BGP VPN Flow Specification peers
and BGP VPNv4 Flow Specification peers.
● Run the display bgp flow vpnv4 { all | route-distinguisher
route-distinguisher } routing-table [ reindex ] command to check information
about all BGP VPN Flow Specification routes and BGP VPNv4 Flow
Specification routes or the BGP VPN Flow Specification routes and BGP VPNv4
Flow Specification routes with a specified RD.
● Run the display bgp flow vpnv4 { all | route-distinguisher
route-distinguisher } routing-table statistics command to check statistics about
all BGP VPN Flow Specification routes and BGP VPNv4 Flow Specification routes
or the BGP VPN Flow Specification routes and BGP VPNv4 Flow Specification
routes with a specified RD.
● Run the display flowspec rule reindex-value slot slot-id command to check
information about combined rules in the local BGP Flow Specification rule
table.
● Run the display flowspec rule statistics slot slot-id command to check
statistics about the rules for BGP Flow Specification routes to take effect.
● Run the display flowspec resource rule { ipv4 | ipv6 } [ interface-based ]
[ slot slot-id ] command to check the resource usage information about BGP
Flow Specification route rules.

1.1.14.13 Configuring Dynamic BGP VPNv6 Flow Specification


Dynamic BGP VPNv6 Flow Specification allows BGP VPNv6 Flow Specification
routes to be transmitted and traffic filtering policies to be generated. The policies
improve security of devices in VPNs.

Usage Scenario
When deploying dynamic BGP VPNv6 Flow Specification, a BGP VPNv6 Flow
Specification peer relationship needs to be established between the traffic analysis
server and each ingress of the network to transmit BGP VPNv6 Flow Specification
routes.

In an AS with multiple ingresses, a Flow RR can be deployed to reduce the number
of BGP VPNv6 Flow Specification peer relationships and save network resources.

Pre-configuration Tasks
Before configuring dynamic BGP VPNv6 Flow Specification, complete the following
tasks:
● Configure BGP peer relationships.

Procedure
Step 1 Establish a BGP VPNv6 Flow Specification peer relationship.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run peer ipv4-address as-number as-number
The IP address of a peer and the number of the AS where the peer resides are
specified.
4. Run ipv6-flow vpnv6
The BGP-Flow VPNv6 address family is enabled, and the BGP-Flow VPNv6
address family view is displayed.
5. Run peer ipv4-address enable
A BGP VPNv6 Flow Specification peer is specified.
6. Run commit
The configuration is committed.
Step 2 (Optional) Configure a Flow RR.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv6-flow vpnv6
The BGP-Flow VPNv6 address family is enabled, and the BGP-Flow VPNv6
address family view is displayed.
4. Run peer ipv4-address reflect-client
A Flow RR is configured, and clients are specified for it.
The router on which the peer reflect-client command is run functions as a
Flow RR, and the network ingress and traffic analysis server function as
clients.
5. (Optional) Run undo reflect between-clients
Route reflection between clients through the RR is disabled.
If the clients of a Flow RR are fully meshed, you can run the undo reflect
between-clients command on the Flow RR to disable route reflection
between clients through the RR, which reduces costs.

6. (Optional) Run reflector cluster-id { cluster-id-value | cluster-id-ipv4 }
A cluster ID is configured for the Flow RR.
If a cluster has multiple Flow RRs, run this command to set the same cluster-id
for these RRs.

NOTE

The reflector cluster-id command is applicable only to Flow RRs.

7. Run commit
The configuration is committed.
Step 3 (Optional) Disable BGP Flow Specification protection.
1. Run system-view
The system view is displayed.
2. Run flowspec protocol-protect { ipv4 | ipv6 } disable
BGP Flow Specification protection is disabled.
3. Run commit
The configuration is committed.
Step 4 (Optional) Enable the DSCP-based BGP IPv6 Flow Specification traffic filtering
rule.
1. Run system-view
The system view is displayed.
2. Run flowspec allow ipv6 dscp
The DSCP-based BGP IPv6 Flow Specification traffic filtering rule is enabled.
3. Run commit
The configuration is committed.
Step 5 (Optional) Enable BGP Flow Specification to match inner packet information
about the packets that leave an SRv6 TE Policy or SRv6 BE egress.
1. Run system-view
The system view is displayed.
2. Run flowspec match srv6-inner-ip enable
BGP Flow Specification is enabled to match inner packet information about
the packets that leave an SRv6 TE Policy or SRv6 BE egress.
3. Run commit
The configuration is committed.
Step 6 (Optional) Enable BGP IPv6 Flow Specification to match the internal protocol
number in the header of an IPv6 fragment.
1. Run system-view
The system view is displayed.
2. Run flowspec match ipv6 fragment-inner-protocol enable

BGP IPv6 Flow Specification is enabled to match the internal protocol number
in the header of an IPv6 fragment.
3. Run commit
The configuration is committed.
----End

Verifying the Configuration
After the configuration is complete, verify the configuration.
● Run the display bgp flow vpnv6 all peer [ [ ipv4-address ] verbose ]
command to check information about all BGP IPv6 VPN Flow Specification
peers and BGP VPNv6 Flow Specification peers.
● Run the display bgp flow vpnv6 { all | route-distinguisher
route-distinguisher } routing-table [ reindex ] command to check information
about all BGP IPv6 VPN Flow Specification routes and BGP VPNv6 Flow
Specification routes or the BGP IPv6 VPN Flow Specification routes and BGP
VPNv6 Flow Specification routes with a specified RD.
● Run the display bgp flow vpnv6 { all | route-distinguisher
route-distinguisher } routing-table statistics command to check statistics about
all BGP IPv6 VPN Flow Specification routes and BGP VPNv6 Flow Specification
routes or the BGP IPv6 VPN Flow Specification routes and BGP VPNv6 Flow
Specification routes with a specified RD.
● Run the display flowspec ipv6 rule reindex-value slot slot-id command to
check information about combined rules in the BGP IPv6 Flow Specification
route rule table.
● Run the display flowspec ipv6 rule statistics slot slot-id command to check
statistics about the rules for BGP IPv6 Flow Specification routes to take effect.
● Run the display flowspec resource rule { ipv4 | ipv6 } [ interface-based ]
[ slot slot-id ] command to check the resource usage information about BGP
Flow Specification route rules.

1.1.14.14 Configuring Static BGP VPNv6 Flow Specification


Static BGP VPNv6 Flow Specification allows BGP VPNv6 Flow Specification routes
to be transmitted and traffic filtering policies to be generated. The policies
improve security of devices in VPNs.

Usage Scenario
To deploy static BGP VPNv6 Flow Specification, create a BGP IPv6 VPN Flow
Specification route first, and then establish a BGP VPNv6 Flow Specification peer
relationship between the device on which the BGP IPv6 VPN Flow Specification
route is created and the network ingress to transmit the BGP VPNv6 Flow
Specification route.
In an AS with multiple ingresses, a BGP Flow route reflector (Flow RR) can be
deployed to reduce the number of BGP VPNv6 Flow Specification peer
relationships and save network resources.
If you want to filter traffic based on an address prefix and the BGP VPNv6 Flow
Specification route carrying the filtering rule cannot pass validation, disable the

validation of the BGP VPNv6 Flow Specification routes received from a specified
peer.

Pre-configuration Tasks
Before configuring static BGP VPNv6 Flow Specification, configure a VPN instance
and bind an interface to the VPN instance.

Procedure
Step 1 Create a BGP IPv6 VPN Flow Specification route.
1. Run system-view
The system view is displayed.
2. Run flow-route flowroute-name ipv6 vpn-instance vpn-instance-name
A static BGP IPv6 VPN Flow Specification route is created, and the Flow-Route
IPv6 VPN instance view is displayed.
One BGP IPv6 VPN Flow Specification route can include multiple if-match
and apply clauses. if-match clauses define traffic filtering rules, and apply
clauses define traffic behaviors. The relationships among clauses are as
follows:
– The relationship among if-match clauses of different types is "AND."
– If if-match clauses of the same type are configured repeatedly, some
rules override each other, and some other rules are in the OR
relationship. For details, see the precautions for the if-match command.
– The relationship among the traffic behaviors defined by apply clauses is
"AND."
The traffic behaviors defined by apply clauses apply to all traffic matching the
filtering rules of if-match clauses.
3. According to characteristics of the traffic to be controlled, you can configure
one or more if-match clauses to define traffic filtering rules as needed:
– To set a traffic filtering rule that is based on a destination IP address, run
the if-match destination ipv6-address { mask | mask-length } command.
NOTE
If traffic control is performed based on the destination IP address specified in a
rule configured using the if-match destination command but the BGP IPv6 VPN
Flow Specification routes matching the rule cannot pass validation, run the peer
validation-disable command to disable the validation.
By default, 0.0.0.0/0 is used as the prefix in the peer import or export policy
against which BGP IPv6 VPN Flow Specification routes are matched. To use a
peer import or export policy to match BGP IPv6 VPN Flow Specification routes
against the destination IPv6 address specified in the if-match destination
command, run the route match-destination command.
– To set a traffic filtering rule that is based on a source IP address, run the
if-match source ipv6-address { mask | mask-length } command.
– To set a filtering rule based on the port number, run the if-match port
operator port command.
– To set a traffic filtering rule that is based on a source port number, run
the if-match source-port operator port command.

– To set a traffic filtering rule that is based on a destination port number,
run the if-match destination-port operator port command.
NOTE
if-match port and if-match destination-port or if-match source-port are
mutually exclusive.
– To set a traffic filtering rule that is based on the protocol used to carry
traffic, run the if-match protocol operator protocol command.
– To set a traffic filtering rule that is based on a service type, run the
if-match dscp operator dscp command.
– To set a traffic filtering rule that is based on a TCP flag value, run the
if-match tcp-flags { match | not } tcp-flags command.
Network attackers may send a large number of invalid TCP packets to
attack network devices. To control the unidirectional traffic of TCP
packets for the sake of communication security, you can run the if-match
tcp-flags command to match BGP VPN IPv6 Flow Specification routes
against a specified TCP flag value. The traffic behavior specified in the
apply clause applies to the traffic that matches the TCP flag value.
– To set a traffic filtering rule that is based on a packet fragmentation type,
run the if-match fragment-type { match | not } fragment-type-name
command.
– To set a traffic filtering rule that is based on an ICMP packet code, run
the if-match icmp-code operator icmp-code command.
– To set a traffic filtering rule that is based on an ICMP packet type, run the
if-match icmp-type { greater-than | less-than | equal } icmp-type
command.
– To set a traffic filtering rule that is based on the length of the message
carrying the BGP IPv6 VPN Flow Specification route, run the if-match
packet-length { greater-than | less-than | equal } packet-length-value
command.
4. Run the following command as required to configure actions for apply
clauses:
– To discard the matching traffic, run the apply deny command.
– To redirect the matching traffic to the traffic cleaning device or blackhole,
run the apply redirect vpn-target vpn-target-import command.
– To re-mark the service class of the matching traffic, run the apply
remark-dscp command.
– To limit the rate of the matching traffic, run the apply traffic-rate
command.
– To implement sampling for the matching traffic, run the apply
traffic-action sample command.
You can run the apply traffic-action sample command for a BGP IPv6
VPN Flow Specification route to sample the traffic that matches the
specified filtering rules. Through sampling, abnormal traffic can be
identified and filtered out, which protects the attacked device and
improves network security.

NOTE

The apply deny and apply traffic-rate commands are mutually exclusive.
If a configured BGP IPv6 VPN Flow Specification route does not need to take effect
locally, you can run the routing-table rib-only [ route-policy route-policy-name |
route-filter route-filter-name ] command to disable the device from delivering the
BGP IPv6 VPN Flow Specification route to the FES forwarding table.
5. Run commit
The configuration is committed.
Step 2 Establish a BGP VPNv6 Flow Specification peer relationship.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run vpn-instance vpn-instance-name
A BGP-VPN instance is created, and its view is displayed.
4. Run peer { ipv4-address | ipv6-address } as-number as-number
An IP address and AS number are specified for the peer.
5. Run quit
The BGP view is displayed.
6. Run ipv6-flow vpnv6
The BGP-Flow VPNv6 address family is enabled, and its view is displayed.
7. Run peer { ipv4-address | ipv6-address } enable
A BGP VPNv6 Flow Specification peer relationship is established.
After the BGP VPNv6 Flow Specification peer relationship is established in the
BGP-Flow VPNv6 address family view, the BGP IPv6 VPN Flow Specification
route generated by the traffic analysis server is imported automatically to the
BGP routing table and then sent to the peer.
8. Run commit
The configuration is committed.
Step 3 (Optional) Configure a Flow RR.
Before configuring a Flow RR, establish a BGP VPNv6 Flow Specification peer
relationship between the Flow RR and device on which the BGP IPv6 VPN Flow
Specification route is generated, and between the Flow RR and each network
ingress.
1. Run system-view
The system view is displayed.
2. Run bgp as-number
The BGP view is displayed.
3. Run ipv6-flow vpnv6

The BGP-Flow VPNv6 address family is enabled, and its view is displayed.
4. Run peer { ipv4-address | ipv6-address } reflect-client
A Flow RR is configured, and clients are specified for it.
The router on which the peer reflect-client command is run functions as a
Flow RR, and the specified peers function as clients.
5. (Optional) Run undo reflect between-clients
Route reflection between clients through the RR is disabled.
If the clients of a Flow RR are fully meshed, you can run the undo reflect
between-clients command on the Flow RR to disable route reflection
between clients through the RR, which reduces costs.
6. (Optional) Run reflector cluster-id { cluster-id-value | cluster-id-ipv4 }
A cluster ID is configured for the Flow RR.
If a cluster has multiple Flow RRs, run this command to set the same
cluster-id for these RRs.
The reflector cluster-id command is applicable only to Flow RRs.
7. Run commit
The configuration is committed.

Step 4 (Optional) Disable BGP Flow Specification protection.
1. Run system-view
The system view is displayed.
2. Run flowspec protocol-protect { ipv4 | ipv6 } disable
BGP Flow Specification protection is disabled.
3. Run commit
The configuration is committed.
Step 5 (Optional) Enable the DSCP-based BGP IPv6 Flow Specification traffic filtering
rule.
1. Run system-view
The system view is displayed.
2. Run flowspec allow ipv6 dscp
The DSCP-based BGP IPv6 Flow Specification traffic filtering rule is enabled.
3. Run commit
The configuration is committed.
Step 6 (Optional) Enable BGP Flow Specification to match inner packet information
about the packets that leave an SRv6 TE Policy or SRv6 BE egress.
1. Run system-view
The system view is displayed.
2. Run flowspec match srv6-inner-ip enable

BGP Flow Specification is enabled to match inner packet information about
the packets that leave an SRv6 TE Policy or SRv6 BE egress.
3. Run commit
The configuration is committed.
Step 7 (Optional) Enable BGP IPv6 Flow Specification to match the internal protocol
number in the header of an IPv6 fragment.
1. Run system-view
The system view is displayed.
2. Run flowspec match ipv6 fragment-inner-protocol enable
BGP IPv6 Flow Specification is enabled to match the internal protocol number
in the header of an IPv6 fragment.
3. Run commit
The configuration is committed.
----End
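The clause semantics described in Step 1 (if-match clauses of different types are ANDed, apply actions are ANDed, and the two documented mutually exclusive pairs) are easy to get wrong when a policy is written by hand. The following Python model is an added example, not Huawei code, and does not reproduce the device's implementation: it builds a flow-route from the same clauses, refuses the excluded combinations, evaluates constructed sample packets with AND semantics, and renders the equivalent CLI lines of the procedure. The route name, VPN instance, prefixes and packets are constructed; a bare if-match port clause is assumed to match either the source or the destination port, as in the BGP Flow Specification standard (RFC 5575 component type 4); and a repeated clause of the same type simply overrides the earlier one in this model, whereas the device's override/OR behaviour is documented per command.

```python
"""Model of a static BGP IPv6 VPN Flow Specification route (flow-route).
Constructed example mirroring the documented clause semantics; not Huawei code.
"""
import ipaddress
import operator
from dataclasses import dataclass, field

# Comparison operators of the value-based if-match clauses.
OPS = {"equal": operator.eq, "greater-than": operator.gt, "less-than": operator.lt}
ADDRESS_KINDS = ("destination", "source")
PORT_KINDS = ("source-port", "destination-port")


@dataclass
class FlowRoute:
    name: str
    vpn_instance: str
    matches: dict = field(default_factory=dict)   # clause type -> (operator, value)
    actions: dict = field(default_factory=dict)   # apply action -> argument

    def if_match_address(self, kind, prefix):
        """if-match destination|source ipv6-address mask-length"""
        self.matches[kind] = ("in", ipaddress.ip_network(prefix, strict=False))
        return self

    def if_match_value(self, kind, op, value):
        """if-match port|source-port|destination-port|protocol|dscp|packet-length operator value"""
        # Documented exclusion: if-match port cannot coexist with source-port/destination-port.
        if (kind == "port" and any(k in self.matches for k in PORT_KINDS)) or \
           (kind in PORT_KINDS and "port" in self.matches):
            raise ValueError("if-match port and if-match source-port/destination-port are mutually exclusive")
        # Same clause type again: this model overrides the earlier value (assumption).
        self.matches[kind] = (op, value)
        return self

    def apply(self, action, arg=None):
        """apply deny|redirect vpn-target|remark-dscp|traffic-rate|traffic-action sample"""
        exclusive = {"deny": "traffic-rate", "traffic-rate": "deny"}
        if exclusive.get(action) in self.actions:
            raise ValueError("apply deny and apply traffic-rate are mutually exclusive")
        self.actions[action] = arg
        return self

    def matches_packet(self, pkt):
        """AND semantics: every configured if-match clause must hold."""
        for kind, (op, value) in self.matches.items():
            if kind in ADDRESS_KINDS:
                ok = ipaddress.ip_address(pkt[kind]) in value
            elif kind == "port":
                # Assumption: a bare port clause matches either port (RFC 5575 type 4).
                ok = OPS[op](pkt["source-port"], value) or OPS[op](pkt["destination-port"], value)
            else:
                ok = OPS[op](pkt[kind], value)
            if not ok:
                return False
        return True

    def render(self):
        """CLI lines equivalent to Step 1 of the procedure."""
        lines = [f"flow-route {self.name} ipv6 vpn-instance {self.vpn_instance}"]
        for kind, (op, value) in self.matches.items():
            if kind in ADDRESS_KINDS:
                lines.append(f" if-match {kind} {value.network_address} {value.prefixlen}")
            else:
                lines.append(f" if-match {kind} {op} {value}")
        for action, arg in self.actions.items():
            lines.append(f" apply {action}" if arg is None else f" apply {action} {arg}")
        lines.append(" commit")
        return lines


def classify(route, packets):
    """Split packets into those every apply action acts on (matched) and the rest."""
    matched = [p for p in packets if route.matches_packet(p)]
    unmatched = [p for p in packets if not route.matches_packet(p)]
    return matched, unmatched


def is_rejected(configure):
    """True when a configuration call trips one of the documented exclusions."""
    try:
        configure()
    except ValueError:
        return True
    return False


def demo_route():
    # Constructed policy for VPN instance "vpn1": drop TCP traffic to
    # 2001:db8:1::/64 whose source port is 159 (the port used in the static example).
    return (FlowRoute("FlowSpec-v6", "vpn1")
            .if_match_address("destination", "2001:db8:1::/64")
            .if_match_value("source-port", "equal", 159)
            .if_match_value("protocol", "equal", 6)
            .apply("deny"))


def packet(dst, sport, proto):
    """Constructed sample packet with the fields the clauses inspect."""
    return {"destination": dst, "source": "2001:db8:9::1", "source-port": sport,
            "destination-port": 80, "protocol": proto, "dscp": 0, "packet-length": 512}


PACKETS = [
    packet("2001:db8:1::10", 159, 6),   # all three clauses hold -> denied
    packet("2001:db8:1::10", 170, 6),   # source port differs
    packet("2001:db8:2::10", 159, 6),   # destination outside the prefix
    packet("2001:db8:1::10", 159, 17),  # UDP, protocol clause fails
]
```

Running classify(demo_route(), PACKETS) returns exactly one matched packet, the first, because the other three each fail one clause; demo_route().render() yields the flow-route, if-match, apply and commit lines in the order of Step 1, and is_rejected shows that adding apply traffic-rate to a route that already has apply deny, or if-match port next to if-match source-port, is refused before anything reaches the device.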

Verifying the Configuration


After the configuration is complete, verify the configuration.
● Run the display bgp flow vpnv6 all peer [ [ ipv4-address ] verbose ]
command to check information about all BGP VPNv6 Flow Specification peers.
● Run the display bgp flow vpnv6 { all | route-distinguisher route-
distinguisher } routing-table [ reindex ] command to check information
about all BGP VPNv6 Flow Specification routes or about the BGP VPNv6 Flow
Specification routes with a specified RD.
● Run the display bgp flow vpnv6 { all | route-distinguisher route-
distinguisher } routing-table statistics command to check statistics about all
BGP VPNv6 Flow Specification routes or about the BGP VPNv6 Flow
Specification routes with a specified RD.
● Run the display flowspec ipv6 rule reindex-value slot slot-id command to
check information about combined rules in the BGP IPv6 Flow Specification
route rule table.
● Run the display flowspec ipv6 rule statistics slot slot-id command to check
statistics about the rules for BGP IPv6 Flow Specification routes to take effect.
● Run the display flowspec resource rule { ipv4 | ipv6 } [ interface-based ]
[ slot slot-id ] command to check the resource usage information about BGP
Flow Specification route rules.

1.1.14.15 Configuring the BMP Device to Report Local-RIB Routes in the
BGP-Flow Address Family
BGP Monitoring Protocol (BMP) allows the BGP status of devices on the network
to be monitored in real time.

Usage Scenario
BMP is mainly used on a network where a monitoring server exists and the BGP
status of devices on the network needs to be monitored. The status includes the

establishment and disconnection of peer relationships and update of routing
information. BMP greatly improves the efficiency of network monitoring, because
without it, BGP status of devices can be obtained only through manual query.

Pre-configuration Tasks
Before configuring BMP, complete the following tasks:
● Configure basic BGP functions.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run bmp
BMP is enabled, and the BMP view is displayed.
Step 3 (Optional) Run statistics-timer time
An interval at which the BMP device sends BGP running statistics to a monitoring
server is configured.
You can configure the interval at which the BMP device sends BGP running
statistics to a monitoring server based on BGP stability requirements. Generally, if
high network quality is required, you need to set a small interval for reporting the
statistics. However, if the statistics are frequently reported, some network
bandwidth resources are occupied.
By default, the interval at which the BMP device reports BGP running statistics to
a monitoring server is 3600s. Using the default interval is recommended.
Step 4 Run bmp-session [ vpn-instance vrf-name ] ipv4-address [ alias alias-name ]
An IPv4 session address is specified for the TCP connection to be established
between the BMP device and the monitoring server.
alias alias-name specifies a session alias. If the device needs to establish TCP
connections with monitoring servers that have the same destination IP address but
different destination port numbers, specify different values for the
alias alias-name parameter to differentiate the connections.
Step 5 Run one of the following commands to enter the BMP-Monitor view:
● monitor public: displays the BMP-Monitor view and allows the status of all
BGP peers in public address families to be monitored.
● monitor vpn-instance: displays the BMP-Monitor view and allows the status
of all BGP peers in address families of a specified VPN instance to be
monitored.
Step 6 Run route-mode ipv4-family flow local-rib [ report route-identifier ]
The BMP device is configured to send statistics about Local-RIB routes of BGP
peers in the BGP-Flow address family to the monitoring server.
Step 7 Run quit
Return to the BMP session view.

Step 8 Run commit
The configuration is committed.
----End

Verifying the Configuration


After the configuration is complete, verify the configuration.
● Run the display bmp session [ vpn-instance vrf-name ] [ ipv4-address
[ alias alias-name ] verbose ] command to check BMP session configurations.
● Run the display bgp bmp-monitor all command to check information about
all the BGP peers monitored by BMP.

1.1.14.16 Configuring the BMP Device to Report Local-RIB Routes in the
BGP-IPv6-Flow Address Family
The BGP Monitoring Protocol (BMP) monitors BGP4+ running status of devices in
real time, such as the establishment and termination status of BGP4+ peer
relationships and route update status.

Usage Scenario
Without BMP, you have to run a query command on a BGP4+ device if you want
to learn the BGP4+ running status of the device, which is inconvenient. To improve
the network monitoring efficiency, you can configure BMP so that the BGP4+
running status of a client can be monitored by servers.

Pre-configuration Tasks
Before configuring BMP, configure basic BGP4+ functions.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run bmp
BMP is enabled, and the BMP view is displayed.
Step 3 (Optional) Run statistics-timer time
An interval at which the BMP device sends BGP4+ running statistics to a
monitoring server is configured.
You can configure the interval at which the BMP device sends BGP4+ running
statistics to a monitoring server based on BGP4+ stability requirements. Generally,
if high network quality is required, you need to set a small interval for reporting
the statistics. However, if the statistics are frequently reported, some network
bandwidth resources are occupied.
By default, the interval at which the BMP device reports BGP4+ running statistics
to a monitoring server is 3600s. Using the default interval is recommended.

Step 4 Run bmp-session [ vpn-instance vrf-name ] ipv6-address [ alias alias-name ]
An IPv6 session address is specified for the TCP connection to be established
between the BMP device and the monitoring server.
alias alias-name specifies a session alias. If the device needs to establish TCP
connections with monitoring servers that have the same destination IPv6 address
but different destination port numbers, specify different values for the
alias alias-name parameter to differentiate the connections.
Step 5 Run one of the following commands to enter the BMP-Monitor view:
● monitor public: displays the BMP-Monitor view and allows the status of all
BGP4+ peers in public address families to be monitored.
● monitor vpn-instance: displays the BMP-Monitor view and allows the status
of all BGP4+ peers in address families of a specified VPN instance to be
monitored.
Step 6 Run route-mode ipv6-family flow local-rib [ report route-identifier ]
The BMP device is configured to send statistics about Local-RIB routes of BGP4+
peers in the BGP-IPv6-Flow address family to the monitoring server.
Step 7 Run quit
Return to the BMP session view.
Step 8 Run commit
The configuration is committed.
----End

Verifying the Configuration


After the configuration is complete, verify the configuration.
● Run the display bmp session [ vpn-instance vrf-name ] [ ipv6-address
[ alias alias-name ] verbose ] command to check BMP session configurations.
● Run the display bgp bmp-monitor all command to check information about
all the BGP4+ peers monitored by BMP.

1.1.14.17 Configuration Examples for BGP Flow Specification


BGP Flow Specification configuration examples explain networking requirements,
networking diagram, configuration notes, configuration roadmap, and
configuration procedure.

1.1.14.17.1 Example for Configuring Dynamic BGP Flow Specification


If the characteristics of DoS or DDoS attack traffic are unknown, a traffic analysis
server can help implement BGP Flow Specification to ensure network security.

Networking Requirements
On the network shown in Figure 1-33, DeviceA belongs to AS 100; DeviceB,
DeviceC, and Server belong to AS 200; DeviceB is the ingress of AS 200. AS 100
and AS 200 communicate with each other through DeviceB.

When an attack source appears in AS 100, attack traffic flows into AS 200 through
DeviceB, posing a threat to AS 200. To ensure network security, configure dynamic
BGP Flow Specification. Specifically, deploy a traffic analysis server on the network
and establish a BGP Flow Specification peer relationship between the traffic
analysis server and DeviceB. DeviceB periodically samples traffic and sends
sampled traffic to the traffic analysis server. The traffic analysis server generates a
BGP Flow Specification route based on the characteristics of sampled attack traffic
and sends the route to DeviceB. DeviceB converts the route into a traffic policy to
filter and control attack traffic, ensuring the normal running of services in AS 200.

Figure 1-33 Configuring dynamic BGP Flow Specification


NOTE

In this example, interface1, interface2, and interface3 represent GE1/0/0, GE2/0/0, and
GE3/0/0, respectively.

Precautions
None

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure interface IP addresses.
2. Configure DeviceB to establish a BGP Flow Specification peer relationship with
the traffic analysis server (Server) so that the automatically generated BGP
Flow Specification route can be sent to DeviceB to form a traffic filtering
policy.
NOTE

The traffic analysis server is a third-party device and must be able to establish BGP
Flow Specification peer relationships.

Data Preparation
To complete the configuration, you need the following data:
● Router IDs of DeviceA and DeviceB (1.1.1.1 and 2.2.2.2, respectively)
● AS number of DeviceA: 100; AS number of DeviceB, DeviceC, and Server: 200

Procedure
Step 1 Configure IP addresses for interfaces.
For configuration details, see the configuration files.
Step 2 Establish a BGP Flow Specification peer relationship and disable route validation.
# Configure DeviceB.
[~DeviceB] bgp 200
[*DeviceB-bgp] peer 10.2.1.2 as-number 200
[*DeviceB-bgp] ipv4-family flow
[*DeviceB-bgp-af-ipv4-flow] peer 10.2.1.2 enable
[*DeviceB-bgp-af-ipv4-flow] peer 10.2.1.2 validation-disable
[*DeviceB-bgp-af-ipv4-flow] commit
[~DeviceB-bgp-af-ipv4-flow] quit
[~DeviceB-bgp] quit

Step 3 Verify the configuration.

# Check the state of the BGP Flow Specification peer relationship on DeviceB. The
command output shows that the peer relationship has been successfully
established.
<DeviceB> display bgp flow peer
BGP local router ID : 2.2.2.2
Local AS number : 200
Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.2.1.2 4 200 9 10 0 00:00:35 Established 1

# Display information about the BGP Flow Specification routes received by
DeviceB.
<DeviceB> display bgp flow routing-table
BGP Local router ID is 2.2.2.2
Status codes: * - valid, > - best, d - damped, x - best external, a - add path,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V - valid, I - invalid, N - not-found

Total Number of Routes: 1

* > ReIndex : 97
Dissemination Rules:
FragmentType : match (Don't fragment)
MED :0 PrefVal : 0
LocalPref: 100
Path/Ogn : i

# Check the traffic filtering rule carried in each BGP Flow Specification route
based on the corresponding ReIndex shown in the preceding command output.
<DeviceB> display bgp flow routing-table 97
BGP local router ID : 2.2.2.2
Local AS number : 200

ReIndex : 97
Order : 2147483647
Dissemination Rules :
FragmentType : match (Don't fragment)

BGP flow-ipv4 routing table entry information of 97:
Match action :
apply deny
From: 10.2.1.2 (10.2.1.2)
Route Duration: 0d00h02m26s
AS-path Nil, origin igp, MED 0, localpref 100, pref-val 0, internal, pre 255
Not advertised to any peers yet

----End

Configuration Files
● DeviceA configuration file
#
sysname DeviceA
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.10.1.1 255.255.255.0
#
bgp 100
peer 10.10.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
peer 10.10.1.2 enable
#
return

● DeviceB configuration file
#
sysname DeviceB
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.10.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet3/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
bgp 200
peer 10.2.1.2 as-number 200
peer 10.10.1.1 as-number 100
#
ipv4-family unicast
undo synchronization
peer 10.2.1.2 enable
peer 10.10.1.1 enable
#
ipv4-family flow
peer 10.2.1.2 enable
peer 10.2.1.2 validation-disable
#
return

1.1.14.17.2 Example for Configuring Static BGP Flow Specification


For DoS/DDoS attacks whose attack traffic characteristics can be predicted, you
can manually configure BGP Flow Specification routes to implement static BGP
Flow Specification, ensuring device security on the network.

Networking Requirements
On the network shown in Figure 1-34, DeviceA belongs to AS 100; DeviceB,
DeviceC, and DeviceD belong to AS 200; DeviceB is the ingress of AS 200. AS 100
and AS 200 communicate with each other through DeviceB.

If an attack source appears in AS 100, attack traffic flows into AS 200 through
DeviceB, which severely affects the network performance of AS 200.

Static BGP flow specification can be configured to resolve this problem.
Specifically, you can manually configure a BGP flow specification route, and
establish a BGP flow specification peer relationship to allow the BGP flow
specification route to be sent to DeviceB. In this way, the attack traffic is discarded,
or its rate is limited.

Figure 1-34 Configuring static BGP Flow Specification


NOTE

In this example, interface1, interface2, and interface3 represent GE1/0/0, GE2/0/0, and
GE3/0/0, respectively.

Precautions
None

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure OSPF on DeviceB, DeviceC, and DeviceD in AS 200 for interworking.
2. Configure a BGP flow specification route named FlowSpec1 on DeviceC to
discard the attack traffic with the source port number being 159.
3. Configure a BGP flow specification route named FlowSpec2 on DeviceD to
limit the rate of the attack traffic with the source port number being 170.

4. Establish BGP flow specification peer relationships between DeviceB and
DeviceC and between DeviceB and DeviceD using loopback interfaces so that
the BGP flow specification routes can be sent to DeviceB to form traffic
filtering policies.

Data Preparation
To complete the configuration, you need the following data:
● Router IDs of DeviceA, DeviceB, DeviceC, and DeviceD: 1.1.1.1, 2.2.2.2, 3.3.3.3,
and 4.4.4.4
● AS number of DeviceA: 100; AS number of DeviceB, DeviceC, and DeviceD:
200

Procedure
Step 1 Configure an IP address for each interface.

For configuration details, see the configuration files.

Step 2 Configure OSPF.

For configuration details, see the configuration files.

Step 3 Establish BGP connections.

# Configure DeviceA.
[~DeviceA] bgp 100
[*DeviceA-bgp] router-id 1.1.1.1
[*DeviceA-bgp] peer 10.10.1.2 as-number 200
[*DeviceA-bgp] commit
[~DeviceA-bgp] quit

# Configure DeviceB.
[~DeviceB] bgp 200
[*DeviceB-bgp] router-id 2.2.2.2
[*DeviceB-bgp] peer 10.10.1.1 as-number 100
[*DeviceB-bgp] peer 3.3.3.3 as-number 200
[*DeviceB-bgp] peer 3.3.3.3 connect-interface LoopBack1
[*DeviceB-bgp] peer 4.4.4.4 as-number 200
[*DeviceB-bgp] peer 4.4.4.4 connect-interface LoopBack1
[*DeviceB-bgp] commit
[~DeviceB-bgp] quit

# Configure DeviceC.
[~DeviceC] bgp 200
[*DeviceC-bgp] router-id 3.3.3.3
[*DeviceC-bgp] peer 2.2.2.2 as-number 200
[*DeviceC-bgp] peer 2.2.2.2 connect-interface LoopBack1
[*DeviceC-bgp] commit
[~DeviceC-bgp] quit

# Configure DeviceD.
[~DeviceD] bgp 200
[*DeviceD-bgp] router-id 4.4.4.4
[*DeviceD-bgp] peer 2.2.2.2 as-number 200
[*DeviceD-bgp] peer 2.2.2.2 connect-interface LoopBack1
[*DeviceD-bgp] commit
[~DeviceD-bgp] quit

Step 4 Configure BGP flow specification routes.

# Configure DeviceC.
[~DeviceC] flow-route FlowSpec1
[*DeviceC-flow-route] if-match source-port equal 159
[*DeviceC-flow-route] apply deny
[*DeviceC-flow-route] commit
[~DeviceC-flow-route] quit

# Configure DeviceD.
[~DeviceD] flow-route FlowSpec2
[*DeviceD-flow-route] if-match source-port equal 170
[*DeviceD-flow-route] apply traffic-rate 10000
[*DeviceD-flow-route] commit
[~DeviceD-flow-route] quit

Step 5 Establish BGP flow specification peer relationships.

# Configure DeviceB.
[~DeviceB] bgp 200
[*DeviceB-bgp] ipv4-family flow
[*DeviceB-bgp-af-ipv4-flow] peer 3.3.3.3 enable
[*DeviceB-bgp-af-ipv4-flow] peer 4.4.4.4 enable
[*DeviceB-bgp-af-ipv4-flow] commit
[~DeviceB-bgp-af-ipv4-flow] quit
[~DeviceB-bgp] quit

# Configure DeviceC.
[~DeviceC] bgp 200
[*DeviceC-bgp] ipv4-family flow
[*DeviceC-bgp-af-ipv4-flow] peer 2.2.2.2 enable
[*DeviceC-bgp-af-ipv4-flow] commit
[~DeviceC-bgp-af-ipv4-flow] quit
[~DeviceC-bgp] quit

# Configure DeviceD.
[~DeviceD] bgp 200
[*DeviceD-bgp] ipv4-family flow
[*DeviceD-bgp-af-ipv4-flow] peer 2.2.2.2 enable
[*DeviceD-bgp-af-ipv4-flow] commit
[~DeviceD-bgp-af-ipv4-flow] quit
[~DeviceD-bgp] quit

Step 6 Verify the configuration.

# Check the states of the BGP flow specification peer relationships on DeviceB.
The command output shows that the peer relationships have been successfully
established.
<DeviceB> display bgp flow peer
BGP local router ID : 2.2.2.2
Local AS number : 200
Total number of peers : 2 Peers in established state : 2

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
3.3.3.3 4 200 17 17 0 00:00:47 Established 1
4.4.4.4 4 200 39 38 0 00:00:03 Established 1

# Display information about the BGP flow specification routes received by
DeviceB.
<DeviceB> display bgp flow routing-table
BGP Local router ID is 2.2.2.2
Status codes: * - valid, > - best, d - damped, x - best external, a - add path,

h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V - valid, I - invalid, N - not-found

Total Number of Routes: 2

* > ReIndex : 33
Dissemination Rules:
Src. Port : eq 159
MED :0 PrefVal : 0
LocalPref: 100
Path/Ogn : i
* > ReIndex : 34
Dissemination Rules:
Src. Port : eq 170
MED :0 PrefVal : 0
LocalPref: 100
Path/Ogn : i

# Check the traffic filtering rule carried in each BGP flow specification route based
on the corresponding ReIndex shown in the preceding command output.
<DeviceB> display bgp flow routing-table 33
BGP local router ID : 2.2.2.2
Local AS number : 200
ReIndex : 33
Order : 1610612735
Dissemination Rules :
Src. Port : eq 159

BGP flow-ipv4 routing table entry information of 33:
Match action :
apply deny
From: 3.3.3.3 (10.2.1.2)
Route Duration: 0d00h01m52s
AS-path Nil, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, best, pre 255
Not advertised to any peers yet
<DeviceB> display bgp flow routing-table 34
BGP local router ID : 2.2.2.2
Local AS number : 200
ReIndex : 34
Order : 2952790015
Dissemination Rules :
Src. Port : eq 170

BGP flow-ipv4 routing table entry information of 34:
Match action :
apply traffic-rate 10000 KBps
From: 4.4.4.4 (10.1.1.2)
Route Duration: 0d00h11m01s
AS-path Nil, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, best, pre 255
Not advertised to any peers yet

----End
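Both configuration examples (dynamic and static) verify the result by reading display bgp flow routing-table output by eye. The following Python script is an added example, not part of the guide or the product: it parses the summary and per-ReIndex output formats shown in these examples and compares what DeviceB has installed with the intended policy, reporting rules that are missing, rules not marked valid and best (and therefore not in effect), and rules nobody intended, which is worth checking when route validation is disabled for a peer, as in the dynamic example. The output strings below are constructed copies of the static example's output, and the INTENDED list and the helper names are assumptions.

```python
"""Audit 'display bgp flow routing-table' output against the intended policy.
Constructed example, not Huawei code; the parser follows the output format
shown in the configuration examples (summary and per-ReIndex entries).
"""
import re

# Constructed copy of DeviceB's summary output in the static example.
SUMMARY = """\
BGP Local router ID is 2.2.2.2
Status codes: * - valid, > - best, d - damped, x - best external, a - add path,
              h - history, i - internal, s - suppressed, S - Stale
Total Number of Routes: 2

 * >  ReIndex : 33
      Dissemination Rules:
      Src. Port : eq 159
      MED      :0              PrefVal : 0
      LocalPref: 100
      Path/Ogn : i
 * >  ReIndex : 34
      Dissemination Rules:
      Src. Port : eq 170
      MED      :0              PrefVal : 0
      LocalPref: 100
      Path/Ogn : i
"""

# Constructed copies of the per-ReIndex output (display bgp flow routing-table 33 / 34).
DETAIL_33 = """\
ReIndex : 33
Order : 1610612735
Dissemination Rules :
 Src. Port : eq 159

BGP flow-ipv4 routing table entry information of 33:
 Match action :
   apply deny
 From: 3.3.3.3 (10.2.1.2)
"""
DETAIL_34 = """\
ReIndex : 34
Order : 2952790015
Dissemination Rules :
 Src. Port : eq 170

BGP flow-ipv4 routing table entry information of 34:
 Match action :
   apply traffic-rate 10000 KBps
 From: 4.4.4.4 (10.1.1.2)
"""

# Status flags (* valid, > best) precede ReIndex in the summary; absent in the detail.
REINDEX = re.compile(r"^(?P<flags>[*>\s]*)ReIndex\s*:\s*(?P<idx>\d+)")


def parse_flow_tables(outputs):
    """Merge summary and detail outputs into {reindex: {flags, rules, actions, from}}."""
    entries = {}
    for text in outputs:
        cur, section = None, None
        for raw in text.splitlines():
            line = raw.strip()
            m = REINDEX.match(raw)
            if m:
                cur = entries.setdefault(int(m.group("idx")),
                                         {"flags": "", "rules": {}, "actions": [], "from": None})
                cur["flags"] += m.group("flags")
                section = None
            elif cur is None or not line:
                section = None                      # a blank line ends a section
            elif re.match(r"Dissemination Rules\s*:", line):
                section = "rules"
            elif re.match(r"Match action\s*:", line):
                section = "actions"
            elif line.startswith("From:"):
                cur["from"], section = line.partition(":")[2].strip(), None
            elif section == "rules":
                if line.startswith(("MED", "LocalPref", "Path/Ogn")):
                    section = None                  # path attributes follow the rules
                else:
                    name, _, value = line.partition(":")
                    cur["rules"][name.strip()] = value.strip()
            elif section == "actions" and line.startswith("apply"):
                cur["actions"].append(line)
    return entries


def implements(entry, rules, action_prefix):
    """True if the entry carries exactly these rules and an action starting with the prefix."""
    return entry["rules"] == rules and any(a.startswith(action_prefix) for a in entry["actions"])


def audit(outputs, intended):
    """Findings as strings; an empty list means the installed rules match the policy."""
    entries = parse_flow_tables(outputs)
    findings = [f"missing: {rules} -> {act}" for rules, act in intended
                if not any(implements(e, rules, act) for e in entries.values())]
    for idx, e in entries.items():
        if "*" not in e["flags"] or ">" not in e["flags"]:
            findings.append(f"ReIndex {idx}: not valid/best, so its rule is not in effect")
        if not any(implements(e, rules, act) for rules, act in intended):
            findings.append(f"ReIndex {idx}: unintended rule {e['rules']} {e['actions']} from {e['from']}")
    return findings


# Assumed intended policy, taken from the static example's configuration roadmap.
INTENDED = [({"Src. Port": "eq 159"}, "apply deny"),
            ({"Src. Port": "eq 170"}, "apply traffic-rate")]
```

With the three outputs and INTENDED as given, audit returns an empty list; dropping the second intended entry makes ReIndex 34 show up as an unintended rule, and omitting the detail output for ReIndex 34 reports its rate-limit rule as missing, since the summary alone never shows the apply action.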

Configuration Files
● DeviceA configuration file
#
sysname DeviceA
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.10.1.1 255.255.255.0
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
bgp 100
router-id 1.1.1.1
peer 10.10.1.2 as-number 200
ipv4-family unicast
undo synchronization
peer 10.10.1.2 enable
#
return
● DeviceB configuration file
#
sysname DeviceB
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.10.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet3/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
bgp 200
router-id 2.2.2.2
peer 3.3.3.3 as-number 200
peer 3.3.3.3 connect-interface LoopBack1
peer 4.4.4.4 as-number 200
peer 4.4.4.4 connect-interface LoopBack1
peer 10.10.1.1 as-number 100
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
peer 4.4.4.4 enable
peer 10.10.1.1 enable
ipv4-family flow
peer 3.3.3.3 enable
peer 4.4.4.4 enable
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
return
● DeviceC configuration file
#
sysname DeviceC
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 200
router-id 3.3.3.3
peer 2.2.2.2 as-number 200
peer 2.2.2.2 connect-interface LoopBack1
ipv4-family unicast
undo synchronization
import-route direct
peer 2.2.2.2 enable
ipv4-family flow
peer 2.2.2.2 enable
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.2.1.0 0.0.0.255
#
flow-route FlowSpec1
if-match source-port equal 159
apply deny
#
return
● DeviceD configuration file
#
sysname DeviceD
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
#
bgp 200
router-id 4.4.4.4
peer 2.2.2.2 as-number 200
peer 2.2.2.2 connect-interface LoopBack1
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
ipv4-family flow
peer 2.2.2.2 enable
#
ospf 1
area 0.0.0.0
network 4.4.4.4 0.0.0.0
network 10.1.1.0 0.0.0.255
#
flow-route FlowSpec2
if-match source-port equal 170
apply traffic-rate 10000
#
return

1.1.14.17.3 Example for Configuring Dynamic BGP Flow Specification with a BGP RR
Deploying BGP flow specification with a BGP RR can reduce the number of BGP
flow specification peer connections.

Networking Requirements
BGP flow specification can be configured to defend against DoS/DDoS attacks.
Generally, the characteristics of such attack traffic are unknown. Therefore,
dynamic BGP flow specification needs to be deployed on a traffic analysis server.
In an AS with multiple ingresses, a flow route reflector (Flow RR) can be
configured to avoid unnecessary mesh connections between the ingresses and the
traffic analysis server. The ingresses and the traffic analysis server function as
clients, and the Flow RR reflects the BGP flow specification routes generated by
the traffic analysis server to the ingresses.
On the network shown in Figure 1-35, AS 100 can communicate with other ASs
through boundary devices DeviceA and DeviceB. If DoS/DDoS attack traffic enters
AS 100 through DeviceA and DeviceB, it causes impacts such as congestion in AS
100. In this case, you can deploy BGP flow specification (dynamic BGP flow
specification is used in this example) to eliminate the impact. In addition, to
reduce resource consumption of the server and the number of BGP flow
specification peer relationships maintained by the server, configure a Flow RR in
AS 100. The Flow RR is used to reflect the BGP flow specification routes generated
by the server to DeviceA and DeviceB for them to control attack traffic.

Figure 1-35 Configuring BGP flow specification with a Flow RR


NOTE

In this example, interface1, interface2, and interface3 represent GE1/0/0, GE2/0/0, and
GE3/0/0, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Establish OSPF connections between the Flow RR and DeviceA, between the
Flow RR and DeviceB, and between the Flow RR and the server for
interworking.
2. Establish BGP flow specification peer relationships between the Flow RR and
DeviceA, between the Flow RR and DeviceB, and between the Flow RR and
the server.
NOTE

The traffic analysis server is a third-party device and must be able to establish BGP
flow specification peer relationships.
3. Configure the Flow RR function on the Flow RR and specify DeviceA, DeviceB,
and the server as clients so that the Flow RR can reflect the BGP flow
specification routes generated by the server to DeviceA and DeviceB.

Data Preparation
To complete the configuration, you need the following data:
● Router IDs of DeviceA, DeviceB, and Flow RR: 1.1.1.1, 2.2.2.2, and 3.3.3.3
● Number of the AS where DeviceA, DeviceB, Flow RR, and the server reside:
100
● ID of the cluster to which the Flow RR belongs: 1

Procedure
Step 1 Configure an IP address for each interface.
For configuration details, see the configuration files.
Step 2 Configure OSPF.
For configuration details, see the configuration files.
Step 3 Establish BGP flow specification peer relationships.
# Configure DeviceA.
[~DeviceA] bgp 100
[*DeviceA-bgp] router-id 1.1.1.1
[*DeviceA-bgp] peer 3.3.3.3 as-number 100
[*DeviceA-bgp] peer 3.3.3.3 connect-interface LoopBack1
[*DeviceA-bgp] ipv4-family flow
[*DeviceA-bgp-af-ipv4-flow] peer 3.3.3.3 enable
[*DeviceA-bgp-af-ipv4-flow] commit
[~DeviceA-bgp-af-ipv4-flow] quit
[~DeviceA-bgp] quit

# Configure DeviceB.
[~DeviceB] bgp 100
[*DeviceB-bgp] router-id 2.2.2.2
[*DeviceB-bgp] peer 3.3.3.3 as-number 100
[*DeviceB-bgp] peer 3.3.3.3 connect-interface LoopBack1
[*DeviceB-bgp] ipv4-family flow
[*DeviceB-bgp-af-ipv4-flow] peer 3.3.3.3 enable
[*DeviceB-bgp-af-ipv4-flow] commit
[~DeviceB-bgp-af-ipv4-flow] quit
[~DeviceB-bgp] quit

# Configure the Flow RR.
[~Flow RR] bgp 100
[*Flow RR-bgp] router-id 3.3.3.3
[*Flow RR-bgp] peer 1.1.1.1 as-number 100
[*Flow RR-bgp] peer 1.1.1.1 connect-interface LoopBack1
[*Flow RR-bgp] peer 2.2.2.2 as-number 100
[*Flow RR-bgp] peer 2.2.2.2 connect-interface LoopBack1
[*Flow RR-bgp] peer 10.2.1.2 as-number 100
[*Flow RR-bgp] ipv4-family flow
[*Flow RR-bgp-af-ipv4-flow] peer 1.1.1.1 enable
[*Flow RR-bgp-af-ipv4-flow] peer 2.2.2.2 enable
[*Flow RR-bgp-af-ipv4-flow] peer 10.2.1.2 enable
[*Flow RR-bgp-af-ipv4-flow] peer 10.2.1.2 validation-disable
[*Flow RR-bgp-af-ipv4-flow] commit
[~Flow RR-bgp-af-ipv4-flow] quit
[~Flow RR-bgp] quit

Step 4 Configure the Flow RR.
# Configure the Flow RR.
[~Flow RR] bgp 100
[~Flow RR-bgp] ipv4-family flow
[~Flow RR-bgp-af-ipv4-flow] reflector cluster-id 1
[*Flow RR-bgp-af-ipv4-flow] peer 1.1.1.1 reflect-client
[*Flow RR-bgp-af-ipv4-flow] peer 2.2.2.2 reflect-client
[*Flow RR-bgp-af-ipv4-flow] peer 10.2.1.2 reflect-client
[*Flow RR-bgp-af-ipv4-flow] commit
[~Flow RR-bgp-af-ipv4-flow] quit
[~Flow RR-bgp] quit

Step 5 Verify the configuration.
# Display information about the BGP flow specification route received by DeviceA.
<DeviceA> display bgp flow routing-table
BGP Local router ID is 1.1.1.1
Status codes: * - valid, > - best, d - damped, x - best external, a - add path,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V - valid, I - invalid, N - not-found

Total Number of Routes: 1

* > ReIndex : 33
Dissemination Rules:
Port : eq 100
FragmentType : match (Don't fragment)
MED :0 PrefVal : 0
LocalPref: 100
Path/Ogn : i

# Check the traffic filtering rule carried in the BGP flow specification route based
on the value of ReIndex in the preceding command output.
<DeviceA> display bgp flow routing-table 33
BGP local router ID : 1.1.1.1
Local AS number : 100
ReIndex : 33
Order : 2147483647
Dissemination Rules :
Port : eq 100
FragmentType : match (Don't fragment)

BGP flow-ipv4 routing table entry information of 33:


Match action :
apply traffic-rate 9600 KBps
From: 3.3.3.3 (3.3.3.3)
Route Duration: 0d00h16m31s
AS-path Nil, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, best, pre 255
Originator: 10.2.1.2
Cluster list: 0.0.0.1
Not advertised to any peer yet

The command output shows that DeviceA has learned the route advertised by the
server from the Flow RR. The Originator and Cluster_ID attributes of the route are
also displayed.

----End

Configuration Files
● DeviceA configuration file
#
sysname DeviceA
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.3.1.2 255.255.255.0
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
bgp 100
router-id 1.1.1.1
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
ipv4-family flow
peer 3.3.3.3 enable
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.3.1.0 0.0.0.255
#
return
● DeviceB configuration file
#
sysname DeviceB
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
bgp 100
router-id 2.2.2.2
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
#
ipv4-family flow
peer 3.3.3.3 enable
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
● Flow RR configuration file
#
sysname Flow RR
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet3/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 100
router-id 3.3.3.3
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack1
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
peer 2.2.2.2 enable
peer 10.2.1.2 enable
#
ipv4-family flow
reflector cluster-id 1
peer 1.1.1.1 enable
peer 1.1.1.1 reflect-client
peer 2.2.2.2 enable
peer 2.2.2.2 reflect-client
peer 10.2.1.2 enable
peer 10.2.1.2 reflect-client
peer 10.2.1.2 validation-disable
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
network 10.3.1.0 0.0.0.255
#
return
● Server configuration file
#
sysname Server
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
#
bgp 100
router-id 4.4.4.4
peer 3.3.3.3 as-number 100
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
ipv4-family flow
peer 3.3.3.3 enable
#
ospf 1
area 0.0.0.0
network 4.4.4.4 0.0.0.0
network 10.2.1.0 0.0.0.255
#
return

1.1.14.17.4 Example for Configuring Dynamic BGP IPv6 Flow Specification
If the characteristics of DoS or DDoS attack traffic are unknown, a traffic analysis
server can help implement BGP IPv6 Flow Specification to ensure network security.

Networking Requirements
As shown in Figure 1-36, Device A belongs to AS 100, while Device B, Device C,
and Server belong to AS 200. Device B is an ingress of AS 200. AS 200
communicates with AS 100 through Device B.
Attack traffic from a source in AS 100 may flow into AS 200 through Device B, posing
a threat to AS 200. In this situation, configure dynamic BGP IPv6 Flow Specification
to ensure network security. The operation process is as follows: Deploy a traffic
analysis server and establish a BGP IPv6 Flow Specification peer relationship
between the traffic analysis server and Device B. Device B samples traffic
periodically and sends the sampled traffic to the traffic analysis server. The traffic
analysis server generates a BGP IPv6 Flow Specification route based on the
characteristics of sampled attack traffic and sends the route to Device B. Device B
converts the route into a traffic policy to filter and control attack traffic, ensuring
proper service running in AS 200.

Figure 1-36 Configuring dynamic BGP IPv6 Flow Specification


NOTE

Interfaces 1 through 3 in this example represent GE 1/0/0, GE 2/0/0, and GE 3/0/0,
respectively.

Precautions
None

Configuration Roadmap
The configuration roadmap is as follows:

1. Assign an IP address to each interface.
2. Establish a BGP IPv6 Flow Specification peer relationship between Device B
and Server so that the BGP IPv6 Flow Specification routes generated by Server are
sent to Device B, where they are converted into a traffic policy.
NOTE

The traffic analysis server is a third-party device and must be able to function as
a BGP IPv6 Flow Specification peer of Device B.

Data Preparation
To complete the configuration, you need the following data:
● Router ID of Device A (1.1.1.1) and router ID of Device B (2.2.2.2)
● AS number (100) of Device A and AS number (200) of Device B, Device C, and
Server

Procedure
Step 1 Assign an IP address to each interface.
For detailed configurations, see the configuration files in this example.
Step 2 Configure an IPv4 peer.
# Configure Device A.
[~DeviceA] bgp 100
[*DeviceA-bgp] peer 10.10.1.2 as-number 200
[*DeviceA-bgp] commit

Step 3 Configure a BGP IPv6 Flow Specification peer and disable route authentication.
# Configure Device B.
[~DeviceB] bgp 200
[*DeviceB-bgp] peer 10.2.1.2 as-number 200
[*DeviceB-bgp] peer 10.10.1.1 as-number 100
[*DeviceB-bgp] ipv6-family flow
[*DeviceB-bgp-af-ipv6-flow] peer 10.2.1.2 enable
[*DeviceB-bgp-af-ipv6-flow] peer 10.2.1.2 validation-disable
[*DeviceB-bgp-af-ipv6-flow] commit
[~DeviceB-bgp-af-ipv6-flow] quit
[~DeviceB-bgp] quit

Step 4 Verify the configuration.
# Check the BGP IPv6 Flow Specification peer connection status on Device B. The
command output shows that the peer relationship has been established.
<DeviceB> display bgp flow ipv6 peer
BGP local router ID : 2.2.2.2
Local AS number : 200
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.2.1.2 4 200 9 10 0 00:00:35 Established 1

# Check BGP IPv6 Flow Specification routes received by Device B.
<DeviceB> display bgp flow ipv6 routing-table
BGP Local router ID is 2.2.2.2
Status codes: * - valid, > - best, d - damped, x - best external, a - add path,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V - valid, I - invalid, N - not-found

Total Number of Routes: 1

* > ReIndex : 2
Dissemination Rules:
FragmentType : match (Don't fragment)
MED :0 PrefVal : 0
LocalPref: 100
Path/Ogn : i

# Check the traffic policy in each BGP IPv6 Flow Specification route based on the
ReIndex shown in the preceding output.
<DeviceB> display bgp flow ipv6 routing-table 2
BGP local router ID : 2.2.2.2
Local AS number : 200
Paths: 1 available, 1 best
ReIndex : 2
Order : 2147483647
Dissemination Rules :
FragmentType : match (Don't fragment)

BGP flow-ipv6 routing table entry information of 2:


Match action :
apply deny
From: 10.2.1.2 (10.2.1.2)
Route Duration: 0d00h02m26s
AS-path Nil, origin igp, MED 0, localpref 100, pref-val 0, internal, pre 255
Not advertised to any peers yet

----End

Configuration Files
● Device A configuration file
#
sysname DeviceA
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.10.1.1 255.255.255.0
#
bgp 100
peer 10.10.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
peer 10.10.1.2 enable
#
return

● Device B configuration file
#
sysname DeviceB
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.10.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet3/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
bgp 200
peer 10.2.1.2 as-number 200
peer 10.10.1.1 as-number 100
#
ipv4-family unicast
undo synchronization
peer 10.2.1.2 enable
peer 10.10.1.1 enable
#
ipv6-family flow
peer 10.2.1.2 enable
peer 10.2.1.2 validation-disable
#
return

1.1.14.17.5 Example for Configuring Static BGP IPv6 Flow Specification
For DoS/DDoS attacks whose attack traffic characteristics can be predicted, you
can manually configure BGP IPv6 Flow Specification routes to implement static
BGP IPv6 Flow Specification, ensuring device security on the network.

Networking Requirements
On the network shown in Figure 1-37, DeviceA belongs to AS 100; DeviceB,
DeviceC, and DeviceD belong to AS 200; DeviceB is the ingress of AS 200. AS 100
and AS 200 communicate with each other through DeviceB.

If an attack source appears in AS 100, attack traffic flows into AS 200 through
DeviceB, which severely affects the network performance of AS 200.

Static BGP IPv6 flow specification can be configured to resolve this problem.
Specifically, you can manually configure a BGP IPv6 flow specification route, and
establish a BGP IPv6 flow specification peer relationship to allow the BGP IPv6
flow specification route to be sent to DeviceB. In this way, the attack traffic is
discarded, or its rate is limited.

Figure 1-37 Networking for configuring static BGP IPv6 Flow Specification
NOTE

In this example, interface1, interface2, and interface3 represent GE1/0/0, GE2/0/0, and
GE3/0/0, respectively.

Precautions
None

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure OSPF on DeviceB, DeviceC, and DeviceD in AS 200 for interworking.
2. Configure a BGP IPv6 flow specification route named FlowSpec1 on DeviceC
to discard the attack traffic with the source port number being 159.
3. Configure a BGP IPv6 flow specification route named FlowSpec2 on DeviceD
to limit the rate of the attack traffic with the source port number being 170.
4. Establish BGP IPv6 flow specification peer relationships between DeviceB and
DeviceC and between DeviceB and DeviceD using loopback interfaces so that
the BGP IPv6 flow specification routes can be sent to DeviceB to form traffic
filtering policies.

Data Preparation
To complete the configuration, you need the following data:
● Router IDs of DeviceA, DeviceB, DeviceC, and DeviceD: 1.1.1.1, 2.2.2.2, 3.3.3.3,
and 4.4.4.4
● AS number of DeviceA: 100; AS number of DeviceB, DeviceC, and DeviceD:
200

Procedure
Step 1 Configure an IP address for each interface.
For configuration details, see the configuration files.
Step 2 Configure OSPF.
For configuration details, see the configuration files.
Step 3 Establish BGP connections.
# Configure DeviceA.
[~DeviceA] bgp 100
[*DeviceA-bgp] router-id 1.1.1.1
[*DeviceA-bgp] peer 10.10.1.2 as-number 200
[*DeviceA-bgp] commit

# Configure DeviceB.
[~DeviceB] bgp 200
[*DeviceB-bgp] router-id 2.2.2.2
[*DeviceB-bgp] peer 10.10.1.1 as-number 100
[*DeviceB-bgp] peer 3.3.3.3 as-number 200
[*DeviceB-bgp] peer 3.3.3.3 connect-interface LoopBack1
[*DeviceB-bgp] peer 4.4.4.4 as-number 200
[*DeviceB-bgp] peer 4.4.4.4 connect-interface LoopBack1
[*DeviceB-bgp] commit

# Configure DeviceC.
[~DeviceC] bgp 200
[*DeviceC-bgp] router-id 3.3.3.3
[*DeviceC-bgp] peer 2.2.2.2 as-number 200
[*DeviceC-bgp] peer 2.2.2.2 connect-interface LoopBack1
[*DeviceC-bgp] commit

# Configure DeviceD.
[~DeviceD] bgp 200
[*DeviceD-bgp] router-id 4.4.4.4
[*DeviceD-bgp] peer 2.2.2.2 as-number 200
[*DeviceD-bgp] peer 2.2.2.2 connect-interface LoopBack1
[*DeviceD-bgp] commit

Step 4 Configure BGP IPv6 flow specification routes.
# Configure DeviceC.
[~DeviceC] flow-route FlowSpec1 ipv6
[*DeviceC-flow-route-ipv6] if-match source-port equal 159
[*DeviceC-flow-route-ipv6] apply deny
[*DeviceC-flow-route-ipv6] commit
[~DeviceC-flow-route-ipv6] quit

# Configure DeviceD.
[~DeviceD] flow-route FlowSpec2 ipv6
[*DeviceD-flow-route-ipv6] if-match source-port equal 170
[*DeviceD-flow-route-ipv6] apply traffic-rate 10000
[*DeviceD-flow-route-ipv6] commit
[~DeviceD-flow-route-ipv6] quit

Step 5 Establish BGP IPv6 flow specification peer relationships.
# Configure DeviceB.
[~DeviceB] bgp 200
[*DeviceB-bgp] ipv6-family flow
[*DeviceB-bgp-af-ipv6-flow] peer 3.3.3.3 enable
[*DeviceB-bgp-af-ipv6-flow] peer 4.4.4.4 enable
[*DeviceB-bgp-af-ipv6-flow] commit
[~DeviceB-bgp-af-ipv6-flow] quit
[~DeviceB-bgp] quit

# Configure DeviceC.
[~DeviceC] bgp 200
[*DeviceC-bgp] ipv6-family flow
[*DeviceC-bgp-af-ipv6-flow] peer 2.2.2.2 enable
[*DeviceC-bgp-af-ipv6-flow] commit
[~DeviceC-bgp-af-ipv6-flow] quit
[~DeviceC-bgp] quit

# Configure DeviceD.
[~DeviceD] bgp 200
[*DeviceD-bgp] ipv6-family flow
[*DeviceD-bgp-af-ipv6-flow] peer 2.2.2.2 enable
[*DeviceD-bgp-af-ipv6-flow] commit
[~DeviceD-bgp-af-ipv6-flow] quit
[~DeviceD-bgp] quit

Step 6 Verify the configuration.
# Check the states of the BGP IPv6 flow specification peer relationships on
DeviceB. The command output shows that the peer relationships have been
successfully established.
<DeviceB> display bgp flow ipv6 peer
BGP local router ID : 2.2.2.2
Local AS number : 200
Total number of peers : 2 Peers in established state : 2
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
3.3.3.3 4 200 6 5 0 01:38:07 Established 1
4.4.4.4 4 200 5 4 0 01:38:07 Established 1

# Display information about the BGP IPv6 flow specification routes received by
DeviceB.
<DeviceB> display bgp flow ipv6 routing-table
BGP Local router ID is 2.2.2.2
Status codes: * - valid, > - best, d - damped, x - best external, a - add path,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V - valid, I - invalid, N - not-found

Total Number of Routes: 2

* > ReIndex : 1
Dissemination Rules:
Src. Port : eq 170
MED :0 PrefVal : 0
LocalPref: 100
Path/Ogn : i
* > ReIndex : 2
Dissemination Rules:
Src. Port : eq 159
MED :0 PrefVal : 0
LocalPref: 100
Path/Ogn : i

# Check the traffic filtering rule carried in each BGP IPv6 flow specification route
based on the corresponding ReIndex shown in the preceding command output.
<DeviceB> display bgp flow ipv6 routing-table 2
BGP local router ID : 2.2.2.2
Local AS number : 200
ReIndex : 2
Order : 0
Dissemination Rules :
Src. Port : eq 159

BGP flow-ipv6 routing table entry information of 2:


Match action :
apply deny
From: 3.3.3.3 (3.3.3.3)
Route Duration: 0d00h22m05s
AS-path Nil, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, best, pre 255
Not advertised to any peer yet
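The following Python is an added example, not code from this guide or from Huawei. It parses route entries in the format of the preceding output (the static IPv4 example at the start of this chapter shows the same fields) into a traffic policy and applies it to constructed packets, covering both the deny action and the traffic-rate action that DeviceB installs. The sample entries, the Order value of ReIndex 1, the reading of 10000 KBps as 10000 kilobytes per second with a one-second burst, and all function names are this example's own assumptions.

```python
"""Added example: turn BGP IPv6 flow specification route entries, in the format of
'display bgp flow ipv6 routing-table <ReIndex>', into a traffic policy and apply it
to packets. Sample entries are constructed; the Order value of ReIndex 1 is assumed."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class FlowRule:
    reindex: int
    order: int
    src_port: Optional[Tuple[str, int]] = None   # e.g. ("eq", 159)
    action: str = "permit"                       # "deny" or "traffic-rate"
    rate_kbps: int = 0                           # value of 'apply traffic-rate'

def parse_route_entry(text: str) -> FlowRule:
    """Parse one route entry; field names follow the guide's command output."""
    reindex = int(re.search(r"ReIndex\s*:\s*(\d+)", text).group(1))
    order = int(re.search(r"Order\s*:\s*(\d+)", text).group(1))
    rule = FlowRule(reindex=reindex, order=order)
    m = re.search(r"Src\. Port\s*:\s*(eq|lt|gt)\s+(\d+)", text)
    if m:
        rule.src_port = (m.group(1), int(m.group(2)))
    if re.search(r"apply deny", text):
        rule.action = "deny"
    else:
        m = re.search(r"apply traffic-rate\s+(\d+)\s*KBps", text)
        if m:
            rule.action, rule.rate_kbps = "traffic-rate", int(m.group(1))
    return rule

_OPS = {"eq": lambda a, b: a == b, "lt": lambda a, b: a < b, "gt": lambda a, b: a > b}

def _port_matches(cond, value):
    """A missing component matches everything, as in the flow specification NLRI."""
    return cond is None or _OPS[cond[0]](value, cond[1])

class TokenBucket:
    """Byte-based token bucket. 'traffic-rate N KBps' is taken as N * 1000 bytes per
    second with a one-second burst (assumption; the guide shows only the unit KBps)."""
    def __init__(self, rate_bytes_per_s: float, burst_bytes: float):
        self.rate, self.burst = rate_bytes_per_s, burst_bytes
        self.tokens, self.last = burst_bytes, 0.0

    def allow(self, size: int, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False

class TrafficPolicy:
    """Rules are checked in the sequence given; the Order value is parsed but its
    precedence semantics are not modelled (the guide's two rules are disjoint)."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.buckets = {r.reindex: TokenBucket(r.rate_kbps * 1000, r.rate_kbps * 1000)
                        for r in self.rules if r.action == "traffic-rate"}

    def apply(self, pkt: dict, now: float = 0.0) -> str:
        """pkt carries src_port and size; returns 'permit', 'deny' or 'rate-limited'."""
        for r in self.rules:
            if _port_matches(r.src_port, pkt["src_port"]):
                if r.action == "deny":
                    return "deny"
                if r.action == "traffic-rate":
                    ok = self.buckets[r.reindex].allow(pkt["size"], now)
                    return "permit" if ok else "rate-limited"
        return "permit"

# Constructed entries modelled on the guide's FlowSpec1 (deny) and FlowSpec2 (rate) routes.
ENTRY_DENY = """\
 ReIndex : 2
 Order : 0
 Src. Port : eq 159
 apply deny
"""
ENTRY_RATE = """\
 ReIndex : 1
 Order : 2147483647
 Src. Port : eq 170
 apply traffic-rate 10000 KBps
"""

def build_policy() -> TrafficPolicy:
    return TrafficPolicy([parse_route_entry(ENTRY_DENY), parse_route_entry(ENTRY_RATE)])

def demo():
    """Constructed packets: attack port 159, an unrelated port, and port 170 within and
    then beyond the 10000 KB bucket. Returns ['deny', 'permit', 'permit', 'rate-limited']."""
    policy = build_policy()
    return [policy.apply({"src_port": 159, "size": 1500}),
            policy.apply({"src_port": 443, "size": 1500}),
            policy.apply({"src_port": 170, "size": 1500}),
            policy.apply({"src_port": 170, "size": 10_000_000})]
```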

----End

Configuration Files
● DeviceA configuration file
#
sysname DeviceA
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.10.1.1 255.255.255.0
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
bgp 100
router-id 1.1.1.1
peer 10.10.1.2 as-number 200
ipv4-family unicast
undo synchronization
peer 10.10.1.2 enable
#
return

● DeviceB configuration file
#
sysname DeviceB
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.10.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet3/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
bgp 200
router-id 2.2.2.2
peer 3.3.3.3 as-number 200
peer 3.3.3.3 connect-interface LoopBack1
peer 4.4.4.4 as-number 200
peer 4.4.4.4 connect-interface LoopBack1
peer 10.10.1.1 as-number 100
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
peer 4.4.4.4 enable
peer 10.10.1.1 enable
#
ipv6-family flow
peer 3.3.3.3 enable
peer 4.4.4.4 enable
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
return

● DeviceC configuration file
#
sysname DeviceC
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 200
router-id 3.3.3.3
peer 2.2.2.2 as-number 200
peer 2.2.2.2 connect-interface LoopBack1
ipv4-family unicast
undo synchronization
import-route direct
peer 2.2.2.2 enable
ipv6-family flow
peer 2.2.2.2 enable
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.2.1.0 0.0.0.255
#
flow-route FlowSpec1 ipv6
if-match source-port equal 159
apply deny
#
return

● DeviceD configuration file
#
sysname DeviceD
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
#
bgp 200
router-id 4.4.4.4
peer 2.2.2.2 as-number 200
peer 2.2.2.2 connect-interface LoopBack1
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
ipv6-family flow
peer 2.2.2.2 enable
#
ospf 1
area 0.0.0.0
network 4.4.4.4 0.0.0.0
network 10.1.1.0 0.0.0.255
#
flow-route FlowSpec2 ipv6
if-match source-port equal 170
apply traffic-rate 10000
#
return

1.1.14.17.6 Example for Configuring Dynamic BGP IPv6 Flow Specification with a BGP RR
Deploying BGP IPv6 flow specification with a BGP RR can reduce the number of
BGP IPv6 flow specification peer connections.

Networking Requirements
BGP IPv6 flow specification can be configured to defend against DoS/DDoS
attacks. Generally, the characteristics of such attack traffic are unknown.
Therefore, dynamic BGP IPv6 flow specification needs to be deployed on a traffic
analysis server. In an AS with multiple ingresses, a flow route reflector (Flow RR)
can be configured to avoid unnecessary mesh connections between the ingresses
and the traffic analysis server. The ingresses and the traffic analysis server function
as clients, and the Flow RR reflects the BGP IPv6 flow specification routes
generated by the traffic analysis server to the ingresses.
On the network shown in Figure 1-38, AS 100 can communicate with other ASs
through boundary devices DeviceA and DeviceB. If DoS/DDoS attack traffic enters
AS 100 through DeviceA and DeviceB, it causes impacts such as congestion in AS
100. In this case, you can deploy BGP IPv6 flow specification (dynamic BGP IPv6
flow specification is used in this example) to eliminate the impact. In addition, to
reduce resource consumption of the server and the number of BGP IPv6 flow
specification peer relationships maintained by the server, configure a Flow RR in
AS 100. The Flow RR is used to reflect the BGP IPv6 flow specification routes
generated by the server to DeviceA and DeviceB for them to control attack traffic.

Figure 1-38 Configuring BGP IPv6 flow specification with a Flow RR


NOTE

In this example, interface1, interface2, and interface3 represent GE1/0/0, GE2/0/0, and
GE3/0/0, respectively.

Configuration Roadmap
The configuration roadmap is as follows:

1. Establish OSPF connections between the Flow RR and DeviceA, between the
Flow RR and DeviceB, and between the Flow RR and the server for
interworking.
2. Establish BGP IPv6 flow specification peer relationships between the Flow RR
and DeviceA, between the Flow RR and DeviceB, and between the Flow RR
and the server.
NOTE

The traffic analysis server is a third-party device and must be able to establish BGP
IPv6 flow specification peer relationships.
3. Configure the Flow RR function on the Flow RR and specify DeviceA, DeviceB,
and the server as clients so that the Flow RR can reflect the BGP IPv6 flow
specification routes generated by the server to DeviceA and DeviceB.

Data Preparation
To complete the configuration, you need the following data:
● Router IDs of DeviceA, DeviceB, and Flow RR: 1.1.1.1, 2.2.2.2, and 3.3.3.3
● Number of the AS where DeviceA, DeviceB, Flow RR, and the server reside:
100
● ID of the cluster to which the Flow RR belongs: 1

Procedure
Step 1 Configure an IP address for each interface.
For configuration details, see the configuration files.
Step 2 Configure OSPF.
For configuration details, see the configuration files.
Step 3 Establish BGP IPv6 flow specification peer relationships.
# Configure DeviceA.
[~DeviceA] bgp 100
[*DeviceA-bgp] router-id 1.1.1.1
[*DeviceA-bgp] peer 3.3.3.3 as-number 100
[*DeviceA-bgp] peer 3.3.3.3 connect-interface LoopBack1
[*DeviceA-bgp] ipv6-family flow
[*DeviceA-bgp-af-ipv6-flow] peer 3.3.3.3 enable
[*DeviceA-bgp-af-ipv6-flow] commit
[~DeviceA-bgp-af-ipv6-flow] quit
[~DeviceA-bgp] quit

# Configure DeviceB.
[~DeviceB] bgp 100
[*DeviceB-bgp] router-id 2.2.2.2
[*DeviceB-bgp] peer 3.3.3.3 as-number 100
[*DeviceB-bgp] peer 3.3.3.3 connect-interface LoopBack1
[*DeviceB-bgp] ipv6-family flow
[*DeviceB-bgp-af-ipv6-flow] peer 3.3.3.3 enable
[*DeviceB-bgp-af-ipv6-flow] commit
[~DeviceB-bgp-af-ipv6-flow] quit
[~DeviceB-bgp] quit

# Configure the Flow RR.
[~Flow RR] bgp 100
[*Flow RR-bgp] router-id 3.3.3.3
[*Flow RR-bgp] peer 1.1.1.1 as-number 100
[*Flow RR-bgp] peer 1.1.1.1 connect-interface LoopBack1
[*Flow RR-bgp] peer 2.2.2.2 as-number 100
[*Flow RR-bgp] peer 2.2.2.2 connect-interface LoopBack1
[*Flow RR-bgp] peer 10.2.1.2 as-number 100
[*Flow RR-bgp] ipv6-family flow
[*Flow RR-bgp-af-ipv6-flow] peer 1.1.1.1 enable
[*Flow RR-bgp-af-ipv6-flow] peer 2.2.2.2 enable
[*Flow RR-bgp-af-ipv6-flow] peer 10.2.1.2 enable
[*Flow RR-bgp-af-ipv6-flow] peer 10.2.1.2 validation-disable
[*Flow RR-bgp-af-ipv6-flow] commit
[~Flow RR-bgp-af-ipv6-flow] quit
[~Flow RR-bgp] quit

Step 4 Configure the Flow RR.
# Configure the Flow RR.
[~Flow RR] bgp 100
[~Flow RR-bgp] ipv6-family flow
[~Flow RR-bgp-af-ipv6-flow] reflector cluster-id 1
[*Flow RR-bgp-af-ipv6-flow] peer 1.1.1.1 reflect-client
[*Flow RR-bgp-af-ipv6-flow] peer 2.2.2.2 reflect-client
[*Flow RR-bgp-af-ipv6-flow] peer 10.2.1.2 reflect-client
[*Flow RR-bgp-af-ipv6-flow] commit
[~Flow RR-bgp-af-ipv6-flow] quit
[~Flow RR-bgp] quit

Step 5 Verify the configuration.
# Display information about the BGP IPv6 flow specification routes received by
DeviceA.
<DeviceA> display bgp flow ipv6 routing-table
BGP Local router ID is 1.1.1.1
Status codes: * - valid, > - best, d - damped, x - best external, a - add path,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V - valid, I - invalid, N - not-found

Total Number of Routes: 1


* > ReIndex : 2
Dissemination Rules:
Port : eq 100
FragmentType : match (Don't fragment)

MED :0 PrefVal : 0
LocalPref: 100
Path/Ogn : i

# Check the traffic filtering rule carried in each BGP IPv6 flow specification route
based on the corresponding ReIndex shown in the preceding command output.
<DeviceA> display bgp flow ipv6 routing-table 2
BGP local router ID : 1.1.1.1
Local AS number : 100
Paths: 1 available, 1 best
ReIndex : 2
Order : 2147483647
Dissemination Rules :
Port : eq 100
FragmentType : match (Don't fragment)

BGP flow-ipv6 routing table entry information of 2:


Match action :
apply traffic-rate 9600 KBps
From: 3.3.3.3 (3.3.3.3)
Route Duration: 0d00h16m31s
AS-path Nil, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, best, pre 255
Originator: 10.2.1.2
Cluster list: 0.0.0.1
Not advertised to any peer yet

The command output shows that DeviceA has learned the route advertised by the
server from the Flow RR. The Originator and Cluster_ID attributes of the route are
also displayed.

----End

Configuration Files
● DeviceA configuration file
#
sysname DeviceA
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.3.1.2 255.255.255.0
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
bgp 100
router-id 1.1.1.1
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
ipv6-family flow

peer 3.3.3.3 enable


#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.3.1.0 0.0.0.255
#
return
● DeviceB configuration file
#
sysname DeviceB
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
bgp 100
router-id 2.2.2.2
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
ipv6-family flow
peer 3.3.3.3 enable
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
● Flow RR configuration file
#
sysname Flow RR
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet3/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 100
router-id 3.3.3.3
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack1
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
peer 2.2.2.2 enable
peer 10.2.1.2 enable
#

ipv6-family flow
reflector cluster-id 1
peer 1.1.1.1 enable
peer 1.1.1.1 reflect-client
peer 2.2.2.2 enable
peer 2.2.2.2 reflect-client
peer 10.2.1.2 enable
peer 10.2.1.2 reflect-client
peer 10.2.1.2 validation-disable
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
network 10.3.1.0 0.0.0.255
#
return

● Server configuration file


#
sysname Server
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
#
bgp 100
router-id 4.4.4.4
peer 3.3.3.3 as-number 100
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
ipv6-family flow
peer 3.3.3.3 enable
#
ospf 1
area 0.0.0.0
network 4.4.4.4 0.0.0.0
network 10.2.1.0 0.0.0.255
#
return

1.1.14.17.7 Example for Configuring Dynamic BGP VPN Flow Specification


If the characteristics of DoS or DDoS attack traffic are unknown in a VPN domain,
a traffic analysis server can help implement BGP VPN Flow Specification to ensure
network security in the domain.

Networking Requirements
As shown in Figure 1-39, in the VPN domain, the CE belongs to AS 100; PE1 and
Server belong to AS 200; PE1 is the ingress of AS 200. AS 200 can communicate
with AS 100 through PE1.

When an attack source appears in AS 100, attack traffic flows into AS 200 through
PE1, posing a threat to AS 200. To ensure VPN security, configure dynamic BGP
VPN Flow Specification. Specifically, deploy a traffic analysis server (Server) on the
network and establish a BGP VPN Flow Specification peer relationship between
the server and PE1. PE1 periodically samples traffic and sends sampled traffic to
the traffic analysis server. The traffic analysis server generates a BGP VPN Flow
Specification route based on the characteristics of sampled attack traffic and sends
the route to PE1. PE1 then converts the route into a traffic filtering policy to filter
and control attack traffic, ensuring the security of VPN services in AS 200.

Figure 1-39 Configuring dynamic BGP VPN Flow Specification


NOTE

Interfaces 1 and 2 in this example represent GE1/0/0 and GE2/0/0, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure interface IP addresses.
2. Create a VPN instance on PE1 and Server and bind the VPN instance to their
interfaces.
3. Configure PE1 to establish a BGP VPN Flow Specification peer relationship
with Server so that the automatically generated BGP VPN Flow Specification
route can be sent to PE1 to form a traffic filtering policy.
NOTE

The traffic analysis server is a third-party device and must be able to establish BGP
VPN Flow Specification peer relationships.

Data Preparation
To complete the configuration, you need the following data:
● Router IDs of CE1 and PE1: 1.1.1.1 and 2.2.2.2, respectively
● AS number (100) of CE1 and the AS number (200) of PE1 and Server
● VPN instance name: vpna

Procedure
Step 1 Configure IP addresses for interfaces.
For configuration details, see the configuration files.
Step 2 Create a VPN instance and bind it to each interface.
# Configure PE1.

[~PE1] ip vpn-instance vpna
[*PE1-vpn-instance-vpna] ipv4-family
[*PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[*PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 export-extcommunity
[*PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 import-extcommunity
[*PE1-vpn-instance-vpna-af-ipv4] commit
[~PE1-vpn-instance-vpna-af-ipv4] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] interface GigabitEthernet1/0/0
[~PE1-GigabitEthernet1/0/0] undo shutdown
[*PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[*PE1-GigabitEthernet1/0/0] ip address 10.1.1.2 255.255.255.0
[*PE1-GigabitEthernet1/0/0] commit
[~PE1-GigabitEthernet1/0/0] quit
[~PE1] interface GigabitEthernet2/0/0
[~PE1-GigabitEthernet2/0/0] undo shutdown
[*PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[*PE1-GigabitEthernet2/0/0] ip address 10.2.1.1 255.255.255.0
[*PE1-GigabitEthernet2/0/0] commit
[~PE1-GigabitEthernet2/0/0] quit

Step 3 Establish a BGP VPN Flow Specification peer relationship and disable route
validation.
# Configure PE1.
[~PE1] bgp 200
[*PE1-bgp] router-id 2.2.2.2
[*PE1-bgp] commit
[~PE1-bgp] vpn-instance vpna
[*PE1-bgp-instance-vpna] peer 10.1.1.1 as-number 100
[*PE1-bgp-instance-vpna] peer 10.2.1.2 as-number 200
[*PE1-bgp-instance-vpna] quit
[*PE1-bgp] ipv4-flow vpn-instance vpna
[*PE1-bgp-flow-vpna] peer 10.1.1.1 enable
[*PE1-bgp-flow-vpna] peer 10.2.1.2 enable
[*PE1-bgp-flow-vpna] peer 10.1.1.1 validation-disable
[*PE1-bgp-flow-vpna] peer 10.2.1.2 validation-disable
[*PE1-bgp-flow-vpna] commit
[~PE1-bgp-flow-vpna] quit
[~PE1-bgp] quit
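Step 3 disables route validation for both peers. The check below is an added example, not NE9000 code: it models the feasibility test of RFC 8955 section 6, under which a BGP Flow Specification route is installed only if it carries a destination prefix component, its originator matches the originator of the best-matching unicast route for that prefix, and no more-specific unicast route for that prefix was received from a different neighboring AS. A route generated by a traffic analysis server fails that test, because the server originates no unicast route and the routes shown in this example carry only protocol and port components, which is why validation must be disabled for that peer. The corresponding caveat for the operator is that every Flow Specification route from a validation-disabled peer is installed unchecked, so the set of such peers should be limited to devices trusted to inject filtering policy. The names UnicastRoute, FlowRoute, best_match, is_feasible, the unicast RIB and all addresses are constructed for illustration.

```python
"""Feasibility check for a received BGP Flow Specification route, modelled on
RFC 8955 section 6. Added example, not NE9000 code; all data is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class UnicastRoute:
    prefix: str          # e.g. "10.1.1.0/24"
    originator: str      # originator of the best path (peer address or ORIGINATOR_ID)
    neighbor_as: int     # AS the route was received from


@dataclass(frozen=True)
class FlowRoute:
    dst_prefix: Optional[str]   # destination prefix component, None if absent
    originator: str
    from_peer: str


def best_match(rib: List[UnicastRoute], prefix: str) -> Optional[UnicastRoute]:
    """Longest unicast prefix that covers the flow route's destination prefix."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in rib if net.subnet_of(ipaddress.ip_network(r.prefix))]
    return max(covering, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen,
               default=None)


def is_feasible(flow: FlowRoute, rib: List[UnicastRoute],
                validation_disabled: Set[str]) -> bool:
    """True if the route would be installed. Peers listed in validation_disabled
    model 'peer <address> validation-disable': their routes skip every check."""
    if flow.from_peer in validation_disabled:
        return True
    if flow.dst_prefix is None:
        return False                 # (a) no destination prefix component
    best = best_match(rib, flow.dst_prefix)
    if best is None or best.originator != flow.originator:
        return False                 # (b) originator differs from the unicast best path
    flow_net = ipaddress.ip_network(flow.dst_prefix)
    for r in rib:                    # (c) more-specific route from another AS
        net = ipaddress.ip_network(r.prefix)
        if (net.prefixlen > flow_net.prefixlen and net.subnet_of(flow_net)
                and r.neighbor_as != best.neighbor_as):
            return False
    return True


# Constructed unicast RIB: CE-side prefixes learned from AS 100, a more-specific
# prefix from a third AS, and one prefix from the analysis server's AS 200.
RIB = [
    UnicastRoute("10.1.0.0/16", "10.1.1.1", 100),
    UnicastRoute("10.1.1.0/24", "10.1.1.1", 100),
    UnicastRoute("10.1.2.0/24", "10.3.1.9", 300),
    UnicastRoute("10.5.0.0/16", "10.2.1.2", 200),
]
SERVER = "10.2.1.2"   # constructed address of the traffic analysis server


def demo() -> Dict[str, bool]:
    ce_flow = FlowRoute("10.1.1.0/24", "10.1.1.1", "10.1.1.1")
    server_flow = FlowRoute("10.1.1.0/24", SERVER, SERVER)
    no_prefix = FlowRoute(None, SERVER, SERVER)        # port/protocol-only route
    covered = FlowRoute("10.1.0.0/16", "10.1.1.1", "10.1.1.1")
    return {
        "ce_route_valid": is_feasible(ce_flow, RIB, set()),
        "server_route_validated": is_feasible(server_flow, RIB, set()),
        "server_route_validation_disabled": is_feasible(server_flow, RIB, {SERVER}),
        "no_prefix_validated": is_feasible(no_prefix, RIB, set()),
        "no_prefix_validation_disabled": is_feasible(no_prefix, RIB, {SERVER}),
        "more_specific_from_other_as": is_feasible(covered, RIB, set()),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'installed' if result else 'rejected'}")
```

Running the block shows the two outcomes that matter for this step: with validation on, the server's routes are rejected whether or not they carry a destination prefix; with validation disabled for the server's address, the same routes are installed without any check.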

Step 4 Verify the configuration.


# Check the status of BGP VPN Flow Specification peer relationships on PE1. The
command output shows that the BGP VPN Flow Specification peer relationships
have been successfully established.
<PE1> display bgp flow vpnv4 vpn-instance vpna peer

BGP local router ID : 2.2.2.2


Local AS number : 200

VPN-Instance vpna, Router ID 2.2.2.2:


Total number of peers : 2 Peers in established state : 2

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv


10.1.1.1 4 100 3 5 0 00:00:06 Established 0
10.2.1.2 4 200 9523 9530 0 0138h31m Established 1

# Check information about the BGP VPN Flow Specification routes received by
PE1.
<PE1> display bgp flow vpnv4 vpn-instance vpna routing-table
Total Number of Routes: 1
* > ReIndex : 2
Dissemination Rules:
Protocol : eq 6
Src. Port : eq 159

ICMP Code : eq 3
FragmentType : match (Don't fragment)
MED :0 PrefVal : 0
LocalPref: 100
Path/Ogn : i

# Check the traffic filtering rule carried in each BGP VPN Flow Specification route
based on the value of ReIndex in the preceding command output.
<PE1> display bgp flow vpnv4 vpn-instance vpna routing-table 2
ReIndex : 2
Order : 0
Dissemination Rules :
Protocol : eq 6
Src. Port : eq 159
ICMP Code : eq 3
FragmentType : match (Don't fragment)

BGP flow-ipv4 routing table entry information of 2:


Match action :
apply deny
From: 10.2.1.2 (3.3.3.3)
Route Duration: 0d00h04m37s
AS-path Nil, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, best, pre 255
Advertised to such 1 peers:
10.1.1.1

----End
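The verification steps show a received Flow Specification route only as its Dissemination Rules and Match action; the device turns those fields into a filtering policy that every packet is checked against. The following Python is an added example, not NE9000 code or Huawei command output: it parses constructed detail output in the format of the display bgp flow ... routing-table <ReIndex> command for the two actions seen on this page (the apply traffic-rate 9600 KBps route in the IPv6 Flow RR example and the apply deny route here) and evaluates sample packets against the resulting rules. The rule order (ascending Order, then ReIndex), the byte-budget model of traffic-rate, the names Packet, FlowRule, parse_route_detail and apply_policy, and the packet data are assumptions for illustration.

```python
"""How a received BGP Flow Specification route becomes a traffic filtering policy.
Added example, not NE9000 code: parses constructed route detail output and
evaluates constructed packets against the resulting rules."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Field labels printed under 'Dissemination Rules', mapped to Packet attributes.
# "Port" matches either the source or the destination port.
FIELD_MAP = {"Protocol": "protocol", "Src. Port": "src_port",
             "Dst. Port": "dst_port", "Port": "port", "ICMP Code": "icmp_code"}


@dataclass
class Packet:
    protocol: int                     # IP protocol number: 6 TCP, 17 UDP, 1 ICMP
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_code: Optional[int] = None
    dont_fragment: bool = False
    length: int = 1500                # bytes, used by the traffic-rate action


@dataclass
class FlowRule:
    reindex: int
    order: int
    match: Dict[str, int]             # attribute -> value; 'eq' operator only
    match_df: Optional[bool]          # FragmentType : match (Don't fragment)
    action: str                       # "deny" or "traffic-rate"
    rate_kbps: Optional[int] = None   # value of 'apply traffic-rate <n> KBps'

    def matches(self, pkt: Packet) -> bool:
        for attr, want in self.match.items():
            if attr == "port":
                if want not in (pkt.src_port, pkt.dst_port):
                    return False
            elif getattr(pkt, attr) != want:
                return False
        if self.match_df is not None and pkt.dont_fragment != self.match_df:
            return False
        return True


def parse_route_detail(text: str) -> FlowRule:
    """Build a FlowRule from one route's detail output. Only the 'eq' operator
    and the actions 'apply deny' / 'apply traffic-rate' are handled."""
    reindex = int(re.search(r"ReIndex\s*:\s*(\d+)", text).group(1))
    order = int(re.search(r"Order\s*:\s*(\d+)", text).group(1))
    match: Dict[str, int] = {}
    for label, attr in FIELD_MAP.items():
        m = re.search(rf"^\s*{re.escape(label)}\s*:\s*eq\s+(\d+)", text, re.M)
        if m:
            match[attr] = int(m.group(1))
    match_df = True if "match (Don't fragment)" in text else None
    if re.search(r"apply\s+deny", text):
        return FlowRule(reindex, order, match, match_df, "deny")
    m = re.search(r"apply\s+traffic-rate\s+(\d+)\s*KBps", text)
    if not m:
        raise ValueError("unsupported match action")
    return FlowRule(reindex, order, match, match_df, "traffic-rate", int(m.group(1)))


def first_match(rules: List[FlowRule], pkt: Packet) -> Optional[FlowRule]:
    # Assumption: rules are applied in ascending Order, then ReIndex.
    for rule in sorted(rules, key=lambda r: (r.order, r.reindex)):
        if rule.matches(pkt):
            return rule
    return None


def apply_policy(rules: List[FlowRule], packets: List[Packet],
                 window_ms: int = 1) -> Dict[str, int]:
    """Count the fate of each packet. traffic-rate is modelled as a byte budget
    of rate_kbps * window_ms bytes per rule (1 KBps = 1 byte per millisecond)."""
    counts = {"forwarded": 0, "denied": 0, "rate_dropped": 0}
    used: Dict[int, int] = {}         # bytes admitted per rate-limiting rule
    for pkt in packets:
        rule = first_match(rules, pkt)
        if rule is None:
            counts["forwarded"] += 1
        elif rule.action == "deny":
            counts["denied"] += 1
        elif used.get(rule.reindex, 0) + pkt.length <= rule.rate_kbps * window_ms:
            used[rule.reindex] = used.get(rule.reindex, 0) + pkt.length
            counts["forwarded"] += 1
        else:
            counts["rate_dropped"] += 1
    return counts


# Constructed detail output in the layout of the guide's verification steps.
ROUTE_DENY = """ReIndex : 1
Order : 0
Dissemination Rules :
Src. Port : eq 159
Match action :
apply deny
"""
ROUTE_RATE = """ReIndex : 2
Order : 2147483647
Dissemination Rules :
Port : eq 100
FragmentType : match (Don't fragment)
Match action :
apply traffic-rate 9600 KBps
"""


def demo() -> Dict[str, int]:
    rules = [parse_route_detail(ROUTE_DENY), parse_route_detail(ROUTE_RATE)]
    packets = [Packet(6, src_port=159, dst_port=80)] * 2                   # denied
    packets += [Packet(17, src_port=5000, dst_port=100, dont_fragment=True)] * 8
    packets += [Packet(6, src_port=40000, dst_port=443)]                   # no rule
    return apply_policy(rules, packets)


if __name__ == "__main__":
    print(demo())
```

With a 1 ms window the 9600 KBps rule admits 9600 bytes, so six 1500-byte packets pass and the remaining two are dropped, while the two packets with source port 159 are denied outright and the unmatched packet is forwarded.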

Configuration Files
● CE1 configuration file
#
sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
bgp 100
router-id 1.1.1.1
peer 10.1.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
peer 10.1.1.2 enable
#
ipv4-family flow
peer 10.1.1.2 enable
#
return

● PE1 configuration file


#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
apply-label per-instance
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
interface GigabitEthernet1/0/0
undo shutdown

ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.2.1.1 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
bgp 200
router-id 2.2.2.2
#
ipv4-family unicast
undo synchronization
#
vpn-instance vpna
peer 10.1.1.1 as-number 100
peer 10.2.1.2 as-number 200
#
ipv4-flow vpn-instance vpna
peer 10.1.1.1 enable
peer 10.2.1.2 enable
#
return

1.1.14.17.8 Example for Configuring Static BGP VPN Flow Specification


In a VPN domain, you can manually configure BGP VPN Flow Specification routes
to implement static BGP VPN Flow Specification for DoS/DDoS attacks whose
characteristics can be predicted, ensuring device security in the VPN.

Networking Requirements
As shown in Figure 1-40, in the VPN, CE1 belongs to AS 100; PE1 and PE2 belong
to AS 200; all devices are in the same VPN domain. PE1 is the ingress of the VPN
domain in AS 200. AS 200 can communicate with AS 100 through PE1.
If an attack source appears in AS 100, attack traffic flows into AS 200 through
PE1, which severely affects the VPN performance of AS 200.
Static BGP VPN Flow Specification can be configured to resolve this problem.
Specifically, you can manually configure a BGP Flow Specification route, and
establish a BGP Flow Specification peer relationship to allow the BGP VPN Flow
Specification route to be sent to PE1. In this way, the attack traffic is discarded, or
its rate is limited.

Figure 1-40 Configuring static BGP VPN Flow Specification


NOTE

Interfaces 1 and 2 in this example represent GE1/0/0 and GE2/0/0, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure interface IP addresses.
2. Create a VPN instance on PE1 and PE2 and bind it to their interfaces.
3. Configure a BGP VPN Flow Specification route named FlowSpec1 on PE2 to
discard the attack traffic with the source port number being 159.
4. Establish a BGP VPN Flow Specification peer relationship between PE1 and
PE2 so that the created BGP VPN Flow Specification route can be sent to PE1
to form a traffic filtering policy.

Data Preparation
To complete the configuration, you need the following data:
● Router IDs of CE1, PE1, and PE2: 1.1.1.1, 2.2.2.2, and 3.3.3.3, respectively
● AS number of CE1: 100; AS number of PE1 and PE2: 200
● VPN instance name: vpna

Procedure
Step 1 Configure IP addresses for interfaces.
For configuration details, see the configuration files.
Step 2 Create a VPN instance and bind it to each interface.
# Configure PE1.
[~PE1] ip vpn-instance vpna
[*PE1-vpn-instance-vpna] ipv4-family
[*PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[*PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 export-extcommunity
[*PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 import-extcommunity
[*PE1-vpn-instance-vpna-af-ipv4] commit
[~PE1-vpn-instance-vpna-af-ipv4] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] interface GigabitEthernet1/0/0
[~PE1-GigabitEthernet1/0/0] undo shutdown
[*PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpna

[*PE1-GigabitEthernet1/0/0] ip address 10.1.1.2 255.255.255.0
[*PE1-GigabitEthernet1/0/0] commit
[~PE1-GigabitEthernet1/0/0] quit
[~PE1] interface GigabitEthernet2/0/0
[~PE1-GigabitEthernet2/0/0] undo shutdown
[*PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[*PE1-GigabitEthernet2/0/0] ip address 10.2.1.1 255.255.255.0
[*PE1-GigabitEthernet2/0/0] commit
[~PE1-GigabitEthernet2/0/0] quit

# Configure PE2.
[~PE2] ip vpn-instance vpna
[*PE2-vpn-instance-vpna] ipv4-family
[*PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[*PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 export-extcommunity
[*PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 import-extcommunity
[*PE2-vpn-instance-vpna-af-ipv4] commit
[~PE2-vpn-instance-vpna-af-ipv4] quit
[~PE2-vpn-instance-vpna] quit
[~PE2] interface GigabitEthernet1/0/0
[~PE2-GigabitEthernet1/0/0] undo shutdown
[*PE2-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[*PE2-GigabitEthernet1/0/0] ip address 10.2.1.2 255.255.255.0
[*PE2-GigabitEthernet1/0/0] commit
[~PE2-GigabitEthernet1/0/0] quit

Step 3 Configure a BGP VPN Flow Specification route.

# Configure PE2.
[~PE2] flow-route FlowSpec1 vpn-instance vpna
[*PE2-flow-route-vpna] if-match source-port equal 159
[*PE2-flow-route-vpna] apply deny
[*PE2-flow-route-vpna] commit
[~PE2-flow-route-vpna] quit

Step 4 Establish a BGP VPN Flow Specification peer relationship.

# Configure PE1.
[~PE1] bgp 200
[*PE1-bgp] router-id 2.2.2.2
[*PE1-bgp] commit
[~PE1-bgp] vpn-instance vpna
[*PE1-bgp-instance-vpna] peer 10.1.1.1 as-number 100
[*PE1-bgp-instance-vpna] peer 10.2.1.2 as-number 200
[*PE1-bgp-instance-vpna] quit
[*PE1-bgp] ipv4-flow vpn-instance vpna
[*PE1-bgp-flow-vpna] peer 10.1.1.1 enable
[*PE1-bgp-flow-vpna] peer 10.2.1.2 enable
[*PE1-bgp-flow-vpna] commit
[~PE1-bgp-flow-vpna] quit
[~PE1-bgp] quit

# Configure PE2.
[~PE2] bgp 200
[*PE2-bgp] router-id 3.3.3.3
[*PE2-bgp] commit
[~PE2-bgp] vpn-instance vpna
[*PE2-bgp-instance-vpna] peer 10.2.1.1 as-number 200
[*PE2-bgp-instance-vpna] quit
[*PE2-bgp] ipv4-flow vpn-instance vpna
[*PE2-bgp-flow-vpna] peer 10.2.1.1 enable
[*PE2-bgp-flow-vpna] commit
[~PE2-bgp-flow-vpna] quit
[~PE2-bgp] quit

Step 5 Verify the configuration.


# Check the status of BGP VPN Flow Specification peer relationships on PE1. The
command output shows that the BGP VPN Flow Specification peer relationships
have been successfully established.
<PE1> display bgp flow vpnv4 vpn-instance vpna peer

BGP local router ID : 2.2.2.2


Local AS number : 200

VPN-Instance vpna, Router ID 2.2.2.2:


Total number of peers : 2 Peers in established state : 2

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv


10.1.1.1 4 100 3 5 0 00:00:06 Established 0
10.2.1.2 4 200 9523 9530 0 0138h31m Established 1

# Check information about the BGP VPN Flow Specification routes received by
PE1.
<PE1> display bgp flow vpnv4 vpn-instance vpna routing-table
Total Number of Routes: 1
* > ReIndex : 1
Dissemination Rules:
Src. Port : eq 159
MED :0 PrefVal : 0
LocalPref: 100
Path/Ogn : i

# Check the traffic filtering rule carried in each BGP VPN Flow Specification route
based on the value of ReIndex in the preceding command output.
<PE1> display bgp flow vpnv4 vpn-instance vpna routing-table 1
ReIndex : 1
Order : 0
Dissemination Rules :
Src. Port : eq 159

BGP flow-ipv4 routing table entry information of 1:


Match action :
apply deny
From: 10.2.1.2 (3.3.3.3)
Route Duration: 0d15h13m20s
AS-path Nil, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, best, pre 255
Advertised to such 1 peers:
10.1.1.1

----End

Configuration Files
● CE1 configuration file
#
sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
bgp 100
router-id 1.1.1.1
peer 10.1.1.2 as-number 200
#

ipv4-family unicast
undo synchronization
peer 10.1.1.2 enable
#
ipv4-family flow
peer 10.1.1.2 enable
#
return
● PE1 configuration file
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
apply-label per-instance
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.2.1.1 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
bgp 200
router-id 2.2.2.2
#
ipv4-family unicast
undo synchronization
#
vpn-instance vpna
peer 10.1.1.1 as-number 100
peer 10.2.1.2 as-number 200
#
ipv4-flow vpn-instance vpna
peer 10.1.1.1 enable
peer 10.2.1.2 enable
#
return
● PE2 configuration file
#
sysname PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
apply-label per-instance
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 200
router-id 3.3.3.3

#
ipv4-family unicast
undo synchronization
#
vpn-instance vpna
peer 10.2.1.1 as-number 200
#
ipv4-flow vpn-instance vpna
peer 10.2.1.1 enable
#
flow-route FlowSpec1 vpn-instance vpna
if-match source-port equal 159
apply deny
#
return

1.1.14.17.9 Example for Configuring Dynamic BGP IPv6 VPN Flow Specification
If the characteristics of DoS or DDoS attack traffic are unknown in an IPv6 VPN
domain, a traffic analysis server can help implement BGP IPv6 VPN Flow
Specification to ensure network security in the domain.

Networking Requirements
As shown in Figure 1-41, in the IPv6 VPN domain, the CE belongs to AS 100; PE1
and Server belong to AS 200; PE1 is the ingress of AS 200. AS 200 can
communicate with AS 100 through PE1.

When an attack source appears in AS 100, attack traffic flows into AS 200 through
PE1, posing a threat to AS 200. To ensure IPv6 VPN security, configure dynamic
BGP IPv6 VPN Flow Specification. Specifically, deploy a traffic analysis server
(Server) on the network and establish a BGP IPv6 VPN Flow Specification peer
relationship between the server and PE1. PE1 periodically samples traffic and
sends sampled traffic to the traffic analysis server. The traffic analysis server
generates a BGP IPv6 VPN Flow Specification route based on the characteristics of
sampled attack traffic and sends the route to PE1. PE1 then converts the route
into a traffic filtering policy to filter and control attack traffic, ensuring the
security of VPN services in AS 200.

Figure 1-41 Configuring dynamic BGP IPv6 VPN Flow Specification


NOTE

Interface 1 in this example represents GE1/0/0.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure interface IP addresses.
2. Create a VPN instance on PE1 and Server and bind the VPN instance to their
interfaces.
3. Configure PE1 to establish a BGP IPv6 VPN Flow Specification peer
relationship with Server so that the automatically generated BGP IPv6 VPN
Flow Specification route can be sent to PE1 to form a traffic filtering policy.
NOTE

The traffic analysis server is a third-party device and must be able to establish BGP
IPv6 VPN Flow Specification peer relationships.

Data Preparation
To complete the configuration, you need the following data:
● AS number (100) of CE1 and the AS number (200) of PE1 and Server
● VPN instance name: vpna

Procedure
Step 1 Configure IP addresses for interfaces.
For configuration details, see the configuration files.
Step 2 Create a VPN instance and bind it to each interface.
# Configure PE1.
[~PE1] ip vpn-instance vpna
[*PE1-vpn-instance-vpna] ipv6-family
[*PE1-vpn-instance-vpna-af-ipv6] route-distinguisher 2:2
[*PE1-vpn-instance-vpna-af-ipv6] vpn-target 2:2 export-extcommunity
[*PE1-vpn-instance-vpna-af-ipv6] vpn-target 2:2 import-extcommunity
[*PE1-vpn-instance-vpna-af-ipv6] commit
[~PE1-vpn-instance-vpna-af-ipv6] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] interface GigabitEthernet1/0/0
[~PE1-GigabitEthernet1/0/0] undo shutdown
[*PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[*PE1-GigabitEthernet1/0/0] ipv6 enable
[*PE1-GigabitEthernet1/0/0] ipv6 address 2001:db8:1::2 64
[*PE1-GigabitEthernet1/0/0] commit
[~PE1-GigabitEthernet1/0/0] quit

Step 3 Establish a BGP IPv6 VPN Flow Specification peer relationship.


# Configure PE1.
[~PE1] bgp 200
[*PE1-bgp] vpn-instance vpna
[*PE1-bgp-instance-vpna] peer 2001:db8:1::1 as-number 100
[*PE1-bgp-instance-vpna] quit
[*PE1-bgp] ipv6-flow vpn-instance vpna
[*PE1-bgp-flow-6-vpna] peer 2001:db8:1::1 enable
[*PE1-bgp-flow-6-vpna] commit

[~PE1-bgp-flow-6-vpna] quit
[~PE1-bgp] quit

Step 4 Verify the configuration.


# Check the status of the BGP IPv6 VPN Flow Specification peer relationship on
PE1. The command output shows that the BGP IPv6 VPN Flow Specification peer
relationship has been successfully established.
<PE1> display bgp flow vpnv6 vpn-instance vpna peer

BGP local router ID : 0.0.0.0


Local AS number : 200
Total number of peers : 1 Peers in established state : 0

VPN-Instance vpna, Router ID 0.0.0.0:


Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2001:DB8:1::1 4 200 0 0 0 00:06:15 Idle 0

# Check the information about the BGP IPv6 VPN Flow Specification routes
received by PE1.
<PE1> display bgp flow vpnv6 vpn-instance vpna routing-table

BGP Local router ID is 0.0.0.0


Status codes: * - valid, > - best, d - damped, x - best external, a - add path,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V - valid, I - invalid, N - not-found

VPN-Instance vpna, Router ID 0.0.0.0:

Total Number of Routes: 1


* > ReIndex : 1
Dissemination Rules:
Src. Port : eq 159
MED :0 PrefVal : 0
LocalPref:
Path/Ogn : i

# Check the traffic filtering rule carried in each BGP IPv6 VPN Flow Specification
route based on the value of ReIndex in the preceding command output.
<PE1> display bgp flow vpnv6 vpn-instance vpna routing-table 1

BGP local router ID : 0.0.0.0


Local AS number : 200
ReIndex : 1
Order : 0
Dissemination Rules :
Src. Port : eq 159

BGP flow-ipv6 routing table entry information of 1:


Local : FlowSpec1
Match action :
apply deny
Route Duration: 0d00h07m04s
AS-path Nil, origin igp, MED 0, pref-val 0, valid, local, best, pre 0
Not advertised to any peer yet

----End

Configuration Files
● CE1 configuration file
#
sysname CE1

#
interface GigabitEthernet1/0/0
undo shutdown
ipv6 enable
ipv6 address 2001:db8:1::1/64
#
bgp 100
peer 2001:db8:1::2 as-number 200
#
ipv4-family unicast
undo synchronization
#
ipv6-family flow
peer 2001:db8:1::2 enable
#
return

● PE1 configuration file


#
sysname PE1
#
ip vpn-instance vpna
ipv6-family
route-distinguisher 2:2
apply-label per-instance
vpn-target 2:2 export-extcommunity
vpn-target 2:2 import-extcommunity
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ipv6 enable
ipv6 address 2001:db8:1::2/64
#
bgp 200
#
ipv4-family unicast
undo synchronization
#
vpn-instance vpna
peer 2001:db8:1::1 as-number 200
#
ipv6-flow vpn-instance vpna
peer 2001:db8:1::1 enable
#
return

1.1.14.17.10 Example for Configuring Static BGP IPv6 VPN Flow Specification
In an IPv6 VPN domain, you can manually configure BGP IPv6 VPN Flow
Specification routes to implement static BGP IPv6 VPN Flow Specification for DoS/
DDoS attacks whose characteristics can be predicted, ensuring device security in
the VPN.

Networking Requirements
As shown in Figure 1-42, in the IPv6 VPN, CE1 belongs to AS 100; PE1 belongs to
AS 200. CE1 and PE1 are in the same VPN domain. PE1 is the ingress of the VPN
domain in AS 200. AS 200 can communicate with AS 100 through PE1.
If an attack source appears in AS 100, attack traffic flows into AS 200 through
PE1, which severely affects the VPN performance of AS 200.
Static BGP IPv6 VPN Flow Specification can be configured to resolve this problem.
Specifically, you can manually configure a BGP IPv6 Flow Specification route, and
establish a BGP IPv6 VPN Flow Specification peer relationship to allow the BGP
IPv6 VPN Flow Specification route to be sent to PE1. In this way, the attack traffic
is discarded, or its rate is limited.

Figure 1-42 Configuring static BGP IPv6 VPN Flow Specification


NOTE

Interface 1 in this example represents GE1/0/0.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure interface IP addresses.
2. Create a VPN instance on PE1 and bind the VPN instance to each interface.
3. Configure a BGP IPv6 VPN Flow Specification route named FlowSpec1 on PE1
to discard the attack traffic with the source port number being 159.

Data Preparation
To complete the configuration, you need the following data:
● AS number (100) of CE1 and the AS number (200) of PE1
● VPN instance name: vpna

Procedure
Step 1 Configure IP addresses for interfaces.
For configuration details, see the configuration files.
Step 2 Create a VPN instance and bind it to each interface.
# Configure PE1.
[~PE1] ip vpn-instance vpna
[*PE1-vpn-instance-vpna] ipv6-family
[*PE1-vpn-instance-vpna-af-ipv6] route-distinguisher 2:2
[*PE1-vpn-instance-vpna-af-ipv6] vpn-target 2:2 export-extcommunity
[*PE1-vpn-instance-vpna-af-ipv6] vpn-target 2:2 import-extcommunity

[*PE1-vpn-instance-vpna-af-ipv6] commit
[~PE1-vpn-instance-vpna-af-ipv6] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] interface GigabitEthernet1/0/0
[~PE1-GigabitEthernet1/0/0] undo shutdown
[*PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[*PE1-GigabitEthernet1/0/0] ipv6 enable
[*PE1-GigabitEthernet1/0/0] ipv6 address 2001:db8:1::2 64
[*PE1-GigabitEthernet1/0/0] commit
[~PE1-GigabitEthernet1/0/0] quit

Step 3 Configure a BGP IPv6 VPN Flow Specification route.


# Configure PE1.
[~PE1] flow-route FlowSpec1 ipv6 vpn-instance vpna
[*PE1-flow-route-ipv6-vpna] if-match source-port equal 159
[*PE1-flow-route-ipv6-vpna] apply deny
[*PE1-flow-route-ipv6-vpna] commit
[~PE1-flow-route-ipv6-vpna] quit

Step 4 Establish a BGP IPv6 VPN Flow Specification peer relationship.


# Configure PE1.
[~PE1] bgp 200
[*PE1-bgp] vpn-instance vpna
[*PE1-bgp-instance-vpna] peer 2001:db8:1::2 as-number 100
[*PE1-bgp-instance-vpna] quit
[*PE1-bgp] ipv6-flow vpn-instance vpna
[*PE1-bgp-flow-6-vpna] peer 2001:db8:1::2 enable
[*PE1-bgp-flow-6-vpna] commit
[~PE1-bgp-flow-6-vpna] quit
[~PE1-bgp] quit

Step 5 Verify the configuration.


# Check the status of the BGP IPv6 VPN Flow Specification peer relationship on
PE1. The command output shows that the BGP IPv6 VPN Flow Specification peer
relationship has been successfully established.
<PE1> display bgp flow vpnv6 vpn-instance vpna peer

BGP local router ID : 0.0.0.0


Local AS number : 200
Total number of peers : 1 Peers in established state : 0

VPN-Instance vpna, Router ID 0.0.0.0:


Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2001:DB8:1::1 4 200 0 0 0 00:06:15 Idle 0

# Check the information about the BGP IPv6 VPN Flow Specification routes
received by PE1.
<PE1> display bgp flow vpnv6 vpn-instance vpna routing-table

BGP Local router ID is 0.0.0.0


Status codes: * - valid, > - best, d - damped, x - best external, a - add path,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V - valid, I - invalid, N - not-found

VPN-Instance vpna, Router ID 0.0.0.0:

Total Number of Routes: 1


* > ReIndex : 1
Dissemination Rules:
Src. Port : eq 159

MED :0 PrefVal : 0
LocalPref:
Path/Ogn : i

# Check the traffic filtering rule carried in each BGP IPv6 VPN Flow Specification
route based on the value of ReIndex in the preceding command output.
<PE1> display bgp flow vpnv6 vpn-instance vpna routing-table 1

BGP local router ID : 0.0.0.0


Local AS number : 200
ReIndex : 1
Order : 0
Dissemination Rules :
Src. Port : eq 159

BGP flow-ipv6 routing table entry information of 1:


Local : FlowSpec1
Match action :
apply deny
Route Duration: 0d00h07m04s
AS-path Nil, origin igp, MED 0, pref-val 0, valid, local, best, pre 0
Not advertised to any peer yet

----End
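The display bgp flow ... peer checks in the verification steps of these examples are read by eye. The following Python is an added example, not NE9000 code: it parses a constructed peer table in the same layout and reports, per peer, a State other than Established, an AS number that differs from the one planned in Data Preparation, a planned peer missing from the table, and an Established peer with PrefRcv 0, which is normal for the peer that only receives policy but worth confirming for the peer expected to advertise it. The sample output, the planned AS numbers and the names parse_peer_table and check_peers are constructed for illustration.

```python
"""Automated reading of 'display bgp flow ... peer' output. Added example, not
NE9000 code; the sample table is constructed in the layout the guide shows."""
from typing import Dict, List, Tuple

# Column headings of the peer table, exactly as printed by the command.
PEER_HEADER = ("Peer", "V", "AS", "MsgRcvd", "MsgSent", "OutQ",
               "Up/Down", "State", "PrefRcv")


def parse_peer_table(text: str) -> List[Dict[str, str]]:
    """Return one dict per peer row that follows the column heading line."""
    rows, in_table = [], False
    for line in text.splitlines():
        fields = line.split()
        if tuple(fields) == PEER_HEADER:
            in_table = True
            continue
        if in_table and len(fields) == len(PEER_HEADER):
            rows.append(dict(zip(PEER_HEADER, fields)))
    return rows


def check_peers(text: str, planned_as: Dict[str, int]) -> List[Tuple[str, str]]:
    """Compare the table with the planned peers; each finding is (level, text)."""
    planned = {p.lower(): asn for p, asn in planned_as.items()}  # IPv6 hex case
    findings, seen = [], set()
    for row in parse_peer_table(text):
        peer = row["Peer"].lower()
        seen.add(peer)
        established = row["State"] == "Established"
        if not established:
            findings.append(("WARN", f"{row['Peer']}: state {row['State']} "
                                     f"for {row['Up/Down']}, not Established"))
        if peer in planned and int(row["AS"]) != planned[peer]:
            findings.append(("WARN", f"{row['Peer']}: AS {row['AS']} in table, "
                                     f"AS {planned[peer]} planned"))
        if established and row["PrefRcv"] == "0":
            findings.append(("INFO", f"{row['Peer']}: Established but no flow "
                                     f"routes received yet (PrefRcv 0)"))
    for peer in planned:
        if peer not in seen:
            findings.append(("WARN", f"{peer}: planned peer missing from table"))
    return findings


# Constructed sample output; the third row deliberately shows a peer that is
# still Idle and carries a different AS number from the one planned.
SAMPLE_OUTPUT = """\
 BGP local router ID : 2.2.2.2
 Local AS number : 200
 VPN-Instance vpna, Router ID 2.2.2.2:
 Total number of peers : 3                 Peers in established state : 2

  Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
  10.1.1.1        4         100        3        5     0 00:00:06 Established        0
  10.2.1.2        4         200     9523     9530     0 0138h31m Established        1
  2001:DB8:1::1   4         200        0        0     0 00:06:15        Idle        0
"""
# Constructed plan: CE peers in AS 100, the analysis server in AS 200, plus one
# planned peer that never appears in the table.
PLANNED_AS = {"10.1.1.1": 100, "10.2.1.2": 200, "2001:db8:1::1": 100, "10.9.9.9": 200}


def demo() -> List[Tuple[str, str]]:
    return check_peers(SAMPLE_OUTPUT, PLANNED_AS)


if __name__ == "__main__":
    for level, text in demo():
        print(level, text)
```

Run against the sample, the check returns three warnings (the Idle peer, its AS mismatch, and the missing planned peer) and one informational line for the Established peer that has received no flow routes.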

Configuration Files
● CE1 configuration file
#
sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ipv6 enable
ipv6 address 2001:db8:1::1/64
#
bgp 100
peer 2001:db8:1::2 as-number 200
#
ipv4-family unicast
undo synchronization
#
ipv6-family flow
peer 2001:db8:1::2 enable
#
return

● PE1 configuration file


#
sysname PE1
#
ip vpn-instance vpna
ipv6-family
route-distinguisher 2:2
apply-label per-instance
vpn-target 2:2 export-extcommunity
vpn-target 2:2 import-extcommunity
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ipv6 enable
ipv6 address 2001:db8:1::2/64
#
bgp 200
#
ipv4-family unicast

undo synchronization
#
vpn-instance vpna
peer 2001:db8:1::1 as-number 200
#
ipv6-flow vpn-instance vpna
peer 2001:db8:1::1 enable
#
flow-route FlowSpec1 ipv6 vpn-instance vpna
if-match source-port equal 159
apply deny
#
return

1.1.14.17.11 Example for Configuring Dynamic BGP VPNv4 Flow Specification


This section provides an example for configuring dynamic BGP VPNv4 Flow
Specification to allow BGP VPNv4 Flow Specification routes to be transmitted and
traffic filtering policies to be generated. The policies improve security of devices in
VPNs.

Networking Requirements
As shown in Figure 1-43, in a VPN, CE1 belongs to AS 100; PE1 and Server
belong to AS 200; PE1 is a network ingress of AS 200. AS 200 can communicate
with AS 100 through PE1.
When an attack source appears in AS 100, attack traffic flows into AS 200 through
PE1, posing a threat to AS 200. To ensure VPN security, configure dynamic BGP
VPNv4 Flow Specification. Specifically, deploy a traffic analysis server on the
network and establish a BGP VPNv4 Flow Specification peer relationship between
the traffic analysis server and PE1. PE1 periodically samples traffic and sends
sampled traffic to the traffic analysis server. The traffic analysis server generates a
BGP VPNv4 Flow Specification route based on the characteristics of sampled
attack traffic and sends the route to PE1. PE1 then converts the route into a traffic
filtering policy to filter and control attack traffic, ensuring the security of VPN
services in AS 200.

Figure 1-43 Configuring dynamic BGP VPNv4 Flow Specification


NOTE

Interfaces 1 and 2 in this example represent GE1/0/0 and GE2/0/0, respectively.


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure interface IP addresses.
2. Create a VPN instance on PE1 and Server and bind the VPN instance to PE1's
interface that is connected to CE1.
3. Configure PE1 to establish a BGP VPNv4 Flow Specification peer relationship
with Server so that the automatically generated BGP VPNv4 Flow
Specification route can be sent to PE1 to form a traffic filtering policy.
NOTE

The traffic analysis server is a third-party device and must be able to establish BGP
VPNv4 Flow Specification peer relationships.

Data Preparation
To complete the configuration, you need the following data:
● AS number (100) of CE1 and the AS number (200) of PE1 and Server
● VPN instance name: vpna

Procedure
Step 1 Configure IP addresses for interfaces.
For configuration details, see the configuration files.
Step 2 Create a VPN instance and bind the VPN instance to PE1's interface that is
connected to CE1.
# Configure PE1.
[~PE1] ip vpn-instance vpna
[*PE1-vpn-instance-vpna] ipv4-family
[*PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[*PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 export-extcommunity
[*PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 import-extcommunity
[*PE1-vpn-instance-vpna-af-ipv4] commit
[~PE1-vpn-instance-vpna-af-ipv4] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] interface GigabitEthernet1/0/0
[~PE1-GigabitEthernet1/0/0] undo shutdown
[*PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[*PE1-GigabitEthernet1/0/0] ip address 10.1.1.2 255.255.255.0
[*PE1-GigabitEthernet1/0/0] commit
[~PE1-GigabitEthernet1/0/0] quit
[~PE1] interface GigabitEthernet2/0/0
[~PE1-GigabitEthernet2/0/0] undo shutdown
[*PE1-GigabitEthernet2/0/0] ip address 10.2.1.1 255.255.255.0
[*PE1-GigabitEthernet2/0/0] commit
[~PE1-GigabitEthernet2/0/0] quit

Step 3 Establish a BGP VPNv4 Flow Specification peer relationship.


# Configure PE1.
[~PE1] bgp 200
[*PE1-bgp] peer 10.2.1.2 as-number 200
[*PE1-bgp] vpn-instance vpna
[*PE1-bgp-instance-vpna] quit


[*PE1-bgp] ipv4-flow vpn-instance vpna


[*PE1-bgp-flow-vpna] quit
[*PE1-bgp] ipv4-flow vpnv4
[*PE1-bgp-af-flow-vpnv4] peer 10.2.1.2 enable
[*PE1-bgp-af-flow-vpnv4] commit
[~PE1-bgp-af-flow-vpnv4] quit
[~PE1-bgp] quit

Step 4 Verify the configuration.


# Check whether the BGP VPNv4 Flow Specification peer relationship with the
server is established on PE1. The command output shows that the peer
relationship is established. In addition, the BGP VPN Flow Specification peer
relationship is established between CE1 and PE1.
<PE1> display bgp flow vpnv4 all peer

BGP local router ID : 10.1.1.2


Local AS number : 200
Total number of peers : 2 Peers in established state : 2

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv


10.2.1.2 4 200 1076 1067 0 15:30:19 Established 1

Peer of for vpn instance :

VPN-Instance vpna, Router ID 10.1.1.2:


Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.1 4 100 1057 1058 0 15:19:07 Established 0

# Check information about the BGP VPNv4 Flow Specification routes received by
PE1. The command output also shows information about the received BGP VPN
Flow Specification routes.
<PE1> display bgp flow vpnv4 all routing-table
BGP Local router ID is 10.1.1.2
Status codes: * - valid, > - best, d - damped, x - best external, a - add path,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V - valid, I - invalid, N - not-found

Total number of routes from all PE: 1


* > ReIndex : 536870913
Dissemination Rules:
Src. Port : eq 159
MED :0 PrefVal : 0
LocalPref: 100
Path/Ogn : i

VPN-Instance vpna, Router ID 10.1.1.2:

Total Number of Routes: 1


* > ReIndex : 1
Dissemination Rules:
Src. Port : eq 159
MED :0 PrefVal : 0
LocalPref: 100
Path/Ogn : i

# Check the traffic filtering rule carried in each BGP VPNv4 Flow Specification
route based on the value of ReIndex in the preceding command output.
<PE1> display bgp flow vpnv4 all routing-table 536870913

BGP local router ID : 10.1.1.2


Local AS number : 200
ReIndex : 536870913


Order : 0
Dissemination Rules :
Src. Port : eq 159

BGP flow-vpnv4 routing table entry information of 536870913:


Route Distinguisher: 200:1
Match action :
apply deny
From: 10.2.1.2 (10.2.1.2)
Route Duration: 0d13h59m46s
Ext-Community: RT <111 : 1>
AS-path Nil, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, best, pre 255
Not advertised to any peer yet

----End

Configuration Files
● CE1 configuration file
#
sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
bgp 100
peer 10.1.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
peer 10.1.1.2 enable
#
ipv4-family flow
peer 10.1.1.2 enable
#
return

● PE1 configuration file


#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
apply-label per-instance
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
bgp 200
peer 10.2.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
peer 10.2.1.2 enable
#
vpn-instance vpna
peer 10.1.1.1 as-number 100
#
ipv4-flow vpn-instance vpna
peer 10.1.1.1 enable


#
ipv4-flow vpnv4
policy vpn-target
peer 10.2.1.2 enable
#
return

1.1.14.17.12 Example for Configuring Static BGP VPNv4 Flow Specification


This section provides an example for configuring static BGP VPNv4 Flow
Specification to allow BGP VPNv4 Flow Specification routes to be transmitted and
traffic filtering policies to be generated. The policies improve security of devices in
VPNs.

Networking Requirements
As shown in Figure 1-44, in the VPN, CE1 belongs to AS 100, PE1 and PE2 belong
to AS 200, and all devices are in the same VPN domain. PE1 is the ingress of the
VPN domain in AS 200. AS 200 can communicate with AS 100 through PE1.

If an attack source appears in AS 100, attack traffic flows into AS 200 through
PE1, which severely affects the VPN performance of AS 200.

Static BGP VPNv4 Flow Specification can be configured to resolve this problem.
Specifically, configure a BGP VPN Flow Specification route on PE2 and enable the
BGP-Flow VPNv4 address family so that a BGP VPNv4 Flow Specification route can
be generated automatically. Then, establish a BGP VPNv4 Flow Specification peer
relationship between PE1 and PE2 to transmit the BGP VPNv4 Flow Specification
route and form a traffic policy. Then attack traffic is filtered and controlled.

Figure 1-44 Configuring static BGP VPNv4 Flow Specification


NOTE

Interfaces 1 and 2 in this example represent GE1/0/0 and GE2/0/0, respectively.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure interface IP addresses.


2. Create a VPN instance on PE1 and PE2 and bind it to the interface connecting
PE1 to CE1.
3. Configure a BGP VPN Flow Specification route named FlowSpec1 on PE2 to
discard attack traffic whose source port number is 159.
4. Establish a BGP VPNv4 Flow Specification peer relationship between PE1 and
PE2 so that the generated BGP VPNv4 Flow Specification route can be sent to
PE1 to form a traffic policy.

Data Preparation
To complete the configuration, you need the following data:
● AS number of CE1: 100; AS number of PE1 and PE2: 200
● VPN instance name: vpna

Procedure
Step 1 Configure IP addresses for interfaces.
For configuration details, see the configuration files.
Step 2 Create a VPN instance and bind the VPN instance to PE1's interface that is
connected to CE1.
# Configure PE1.
[~PE1] ip vpn-instance vpna
[*PE1-vpn-instance-vpna] ipv4-family
[*PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[*PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 export-extcommunity
[*PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 import-extcommunity
[*PE1-vpn-instance-vpna-af-ipv4] commit
[~PE1-vpn-instance-vpna-af-ipv4] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] interface GigabitEthernet1/0/0
[~PE1-GigabitEthernet1/0/0] undo shutdown
[*PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[*PE1-GigabitEthernet1/0/0] ip address 10.1.1.2 255.255.255.0
[*PE1-GigabitEthernet1/0/0] commit
[~PE1-GigabitEthernet1/0/0] quit
[~PE1] interface GigabitEthernet2/0/0
[~PE1-GigabitEthernet2/0/0] undo shutdown
[*PE1-GigabitEthernet2/0/0] ip address 10.2.1.1 255.255.255.0
[*PE1-GigabitEthernet2/0/0] commit
[~PE1-GigabitEthernet2/0/0] quit

# Configure PE2.
[~PE2] ip vpn-instance vpna
[*PE2-vpn-instance-vpna] ipv4-family
[*PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[*PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 export-extcommunity
[*PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 import-extcommunity
[*PE2-vpn-instance-vpna-af-ipv4] commit
[~PE2-vpn-instance-vpna-af-ipv4] quit
[~PE2-vpn-instance-vpna] quit
[~PE2] interface GigabitEthernet1/0/0
[~PE2-GigabitEthernet1/0/0] undo shutdown
[*PE2-GigabitEthernet1/0/0] ip address 10.2.1.2 255.255.255.0
[*PE2-GigabitEthernet1/0/0] commit
[~PE2-GigabitEthernet1/0/0] quit

Step 3 Configure a BGP VPN Flow Specification route.


# Configure PE2.
[~PE2] flow-route FlowSpec1 vpn-instance vpna
[*PE2-flow-route-vpna] if-match source-port equal 159
[*PE2-flow-route-vpna] apply deny
[*PE2-flow-route-vpna] commit
[~PE2-flow-route-vpna] quit

Step 4 Establish a BGP VPNv4 Flow Specification peer relationship.


# Configure PE1.
[~PE1] bgp 200
[*PE1-bgp] peer 10.2.1.2 as-number 200
[*PE1-bgp] vpn-instance vpna
[*PE1-bgp-instance-vpna] quit
[*PE1-bgp] ipv4-flow vpn-instance vpna
[*PE1-bgp-flow-vpna] quit
[*PE1-bgp] ipv4-flow vpnv4
[*PE1-bgp-af-flow-vpnv4] peer 10.2.1.2 enable
[*PE1-bgp-af-flow-vpnv4] commit
[~PE1-bgp-af-flow-vpnv4] quit
[~PE1-bgp] quit

# Configure PE2.
[~PE2] bgp 200
[*PE2-bgp] peer 10.2.1.1 as-number 200
[*PE2-bgp] vpn-instance vpna
[*PE2-bgp-instance-vpna] quit
[*PE2-bgp] ipv4-flow vpn-instance vpna
[*PE2-bgp-flow-vpna] quit
[*PE2-bgp] ipv4-flow vpnv4
[*PE2-bgp-af-flow-vpnv4] peer 10.2.1.1 enable
[*PE2-bgp-af-flow-vpnv4] commit
[~PE2-bgp-af-flow-vpnv4] quit
[~PE2-bgp] quit

Step 5 Verify the configuration.


# Check the status of the BGP VPNv4 Flow Specification peer relationship on PE2.
The command output shows that the BGP VPNv4 Flow Specification peer
relationship has been successfully established.
<PE2> display bgp flow vpnv4 all peer

BGP local router ID : 10.2.1.2


Local AS number : 200
Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv


10.2.1.1 4 200 1042 1051 0 15:07:49 Established 0

# Check information about the BGP VPNv4 Flow Specification routes received by
PE1.
<PE1> display bgp flow vpnv4 route-distinguisher 200:1 routing-table

BGP Local router ID is 10.2.1.1


Status codes: * - valid, > - best, d - damped, x - best external, a - add path,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V - valid, I - invalid, N - not-found

Route Distinguisher: 200:1

Total Number of Routes: 1


* > ReIndex : 536870913


Dissemination Rules:
Src. Port : eq 159
MED :0 PrefVal : 0
LocalPref: 100
Path/Ogn : i

# Check the traffic filtering rule carried in each BGP VPNv4 Flow Specification
route based on the value of ReIndex in the preceding command output.
<PE1> display bgp flow vpnv4 all routing-table 536870913

BGP local router ID : 10.2.1.1


Local AS number : 200
ReIndex : 536870913
Order : 0
Dissemination Rules :
Src. Port : eq 159

BGP flow-vpnv4 routing table entry information of 536870913:


Route Distinguisher: 200:1
Match action :
apply deny
From: 10.2.1.2 (10.2.1.2)
Route Duration: 0d13h59m46s
Ext-Community: RT <111 : 1>
AS-path Nil, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, best, pre 255
Not advertised to any peer yet

----End

Configuration Files
● CE1 configuration file
#
sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
return

● PE1 configuration file


#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
apply-label per-instance
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
bgp 200
peer 10.2.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
peer 10.2.1.2 enable


#
vpn-instance vpna
#
ipv4-flow vpn-instance vpna
#
ipv4-flow vpnv4
policy vpn-target
peer 10.2.1.2 enable
#
return
● PE2 configuration file
#
sysname PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
apply-label per-instance
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.1.2 255.255.255.0
#
bgp 200
peer 10.2.1.1 as-number 200
#
ipv4-family unicast
undo synchronization
peer 10.2.1.1 enable
#
vpn-instance vpna
#
ipv4-flow vpn-instance vpna
#
ipv4-flow vpnv4
policy vpn-target
peer 10.2.1.1 enable
#
flow-route FlowSpec1 vpn-instance vpna
if-match source-port equal 159
apply deny
#
return

1.1.14.17.13 Example for Configuring Dynamic BGP VPNv6 Flow Specification


This section provides an example for configuring dynamic BGP VPNv6 Flow
Specification to allow BGP VPNv6 Flow Specification routes to be transmitted and
traffic filtering policies to be generated. The policies improve security of devices in
VPNs.

Networking Requirements
As shown in Figure 1-45, in a VPN, CE1 belongs to AS 100; PE1 and Server
belong to AS 200; PE1 is a network ingress of AS 200. AS 200 can communicate
with AS 100 through PE1.
When an attack source appears in AS 100, attack traffic flows into AS 200 through
PE1, posing a threat to AS 200. To address this problem, configure dynamic BGP
VPNv6 Flow Specification: deploy a traffic analysis server (Server) and establish a
BGP VPNv6 Flow Specification peer relationship between the server and PE1. PE1
periodically samples traffic and sends the sampled traffic to the traffic analysis server.
The traffic analysis server generates a BGP VPNv6 Flow Specification route based
on the characteristics of the sampled attack traffic and sends the route to PE1. PE1
then converts the route into a traffic filtering policy to filter and control attack
traffic, ensuring the security of VPN services in AS 200.

Figure 1-45 Configuring dynamic BGP VPNv6 Flow Specification


NOTE

Interfaces 1 and 2 in this example represent GE1/0/0 and GE2/0/0, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure interface IP addresses.
2. Create a VPN instance on PE1 and Server and bind the VPN instance to PE1's
interface that is connected to CE1.
3. Establish a BGP VPNv6 Flow Specification peer relationship between PE1 and
the server so that the generated BGP VPNv6 Flow Specification route can be
sent to PE1 and be used by PE1 to generate a traffic filtering policy.
NOTE

The traffic analysis server is a third-party device and must be able to establish BGP
VPNv6 Flow Specification peer relationships.

Data Preparation
To complete the configuration, you need the following data:
● AS number (100) of CE1 and the AS number (200) of PE1 and Server
● VPN instance name: vpna

Procedure
Step 1 Configure IP addresses for interfaces.
For configuration details, see the configuration files.
Step 2 Create a VPN instance and bind the VPN instance to PE1's interface that is
connected to CE1.


# Configure PE1.
[~PE1] ip vpn-instance vpna
[*PE1-vpn-instance-vpna] ipv6-family
[*PE1-vpn-instance-vpna-af-ipv6] route-distinguisher 100:1
[*PE1-vpn-instance-vpna-af-ipv6] vpn-target 111:1 export-extcommunity
[*PE1-vpn-instance-vpna-af-ipv6] vpn-target 111:1 import-extcommunity
[*PE1-vpn-instance-vpna-af-ipv6] commit
[~PE1-vpn-instance-vpna-af-ipv6] quit
[~PE1-vpn-instance-vpna] ipv4-family
[*PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[*PE1-vpn-instance-vpna-af-ipv4] commit
[~PE1-vpn-instance-vpna-af-ipv4] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] interface GigabitEthernet1/0/0
[~PE1-GigabitEthernet1/0/0] undo shutdown
[*PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[*PE1-GigabitEthernet1/0/0] ipv6 enable
[*PE1-GigabitEthernet1/0/0] ipv6 address 2001:db8:1::2 64
[*PE1-GigabitEthernet1/0/0] commit
[~PE1-GigabitEthernet1/0/0] quit
[~PE1] interface GigabitEthernet2/0/0
[~PE1-GigabitEthernet2/0/0] undo shutdown
[*PE1-GigabitEthernet2/0/0] ip address 10.2.1.1 255.255.255.0
[*PE1-GigabitEthernet2/0/0] commit
[~PE1-GigabitEthernet2/0/0] quit

Step 3 Establish a BGP VPNv6 Flow Specification peer relationship.


# Configure PE1.
[~PE1] bgp 200
[*PE1-bgp] peer 10.2.1.2 as-number 200
[*PE1-bgp] vpn-instance vpna
[*PE1-bgp-instance-vpna] quit
[*PE1-bgp] ipv6-flow vpn-instance vpna
[*PE1-bgp-flow-vpna] quit
[*PE1-bgp] ipv6-flow vpnv6
[*PE1-bgp-af-flow-6-vpnv6] peer 10.2.1.2 enable
[*PE1-bgp-af-flow-6-vpnv6] commit
[~PE1-bgp-af-flow-6-vpnv6] quit
[~PE1-bgp] quit

Step 4 Verify the configuration.


# Check whether the BGP VPNv6 Flow Specification peer relationship with the
server is established on PE1. The command output shows that the peer
relationship is established. In addition, the BGP IPv6 VPN Flow Specification peer
relationship is established between CE1 and PE1.
<PE1> display bgp flow vpnv6 all peer

BGP local router ID : 2001:db8:1::2


Local AS number : 200
Total number of peers : 2 Peers in established state : 2

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv


10.2.1.2 4 200 1076 1067 0 15:30:19 Established 1

Peer of for vpn instance :

VPN-Instance vpna, Router ID 2001:db8:1::2:


Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2001:db8:1::1 4 100 1057 1058 0 15:19:07 Established 0

# Check information about the BGP VPNv6 Flow Specification routes received by
PE1. The command output also shows information about the received BGP IPv6
VPN Flow Specification routes.


<PE1> display bgp flow vpnv6 all routing-table


BGP Local router ID is 2001:db8:1::2
Status codes: * - valid, > - best, d - damped, x - best external, a - add path,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V - valid, I - invalid, N - not-found

Total number of routes from all PE: 1


* > ReIndex : 536870913
Dissemination Rules:
Src. Port : eq 159
MED :0 PrefVal : 0
LocalPref: 100
Path/Ogn : i

VPN-Instance vpna, Router ID 2001:db8:1::2:

Total Number of Routes: 1


* > ReIndex : 1
Dissemination Rules:
Src. Port : eq 159
MED :0 PrefVal : 0
LocalPref: 100
Path/Ogn : i

# Check the traffic filtering rule carried in each BGP VPNv6 Flow Specification
route based on the value of ReIndex in the preceding command output.
<PE1> display bgp flow vpnv6 all routing-table 536870913

BGP local router ID : 2001:db8:1::2


Local AS number : 200
ReIndex : 536870913
Order : 0
Dissemination Rules :
Src. Port : eq 159

BGP flow-vpnv6 routing table entry information of 536870913:


Route Distinguisher: 200:1
Match action :
apply deny
From: 10.2.1.2 (10.2.1.2)
Route Duration: 0d13h59m46s
Ext-Community: RT <111 : 1>
AS-path Nil, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, best, pre 255
Not advertised to any peer yet

----End

Configuration Files
● CE1 configuration file
#
sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ipv6 enable
ipv6 address 2001:db8:1::1/64
#
bgp 100
peer 2001:db8:1::2 as-number 200
#
ipv6-family unicast
undo synchronization
peer 2001:db8:1::2 enable
#
ipv6-family flow


peer 2001:db8:1::2 enable


#
return
● PE1 configuration file
#
sysname PE1
#
ip vpn-instance vpna
ipv6-family
route-distinguisher 100:1
apply-label per-instance
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
ipv4-family
route-distinguisher 100:1
apply-label per-instance
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ipv6 enable
ipv6 address 2001:db8:1::2/64
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
bgp 200
peer 10.2.1.2 as-number 200
#
ipv6-family unicast
undo synchronization
peer 10.2.1.2 enable
#
vpn-instance vpna
peer 2001:db8:1::1 as-number 100
#
ipv6-flow vpn-instance vpna
peer 2001:db8:1::1 enable
#
ipv6-flow vpnv6
policy vpn-target
peer 10.2.1.2 enable
#
return

1.1.14.17.14 Example for Configuring Static BGP VPNv6 Flow Specification


This section provides an example for configuring static BGP VPNv6 Flow
Specification to allow BGP VPNv6 Flow Specification routes to be transmitted and
traffic filtering policies to be generated. The policies improve security of devices in
VPNs.

Networking Requirements
As shown in Figure 1-46, in the VPN, CE1 belongs to AS 100, PE1 and PE2 belong
to AS 200, and all devices are in the same VPN domain. PE1 is the ingress of the
VPN domain in AS 200. AS 200 can communicate with AS 100 through PE1.
If an attack source appears in AS 100, attack traffic flows into AS 200 through
PE1, which severely affects the VPN performance of AS 200.
To address this problem, configure static BGP VPNv6 Flow Specification: create a
BGP IPv6 VPN Flow Specification route on PE2 and enable the BGP-Flow VPNv6
address family so that a BGP VPNv6 Flow Specification route is generated
automatically. Then establish a BGP VPNv6 Flow Specification peer relationship
between PE1 and PE2 to transmit the BGP VPNv6 Flow Specification route. PE1 uses
the received route to generate a traffic filtering policy for traffic filtering and
control.

Figure 1-46 Configuring static BGP VPNv6 Flow Specification


NOTE

Interfaces 1 and 2 in this example represent GE1/0/0 and GE2/0/0, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure interface IP addresses.
2. Create a VPN instance on PE1 and PE2 and bind it to the interface connecting
PE1 to CE1.
3. Configure a BGP VPN Flow Specification route named FlowSpec1 on PE2 to
discard attack traffic whose source port number is 159.
4. Establish a BGP VPNv6 Flow Specification peer relationship between PE1 and
PE2 so that the generated BGP VPNv6 Flow Specification route can be sent to
PE1 and be used by PE1 to generate a traffic filtering policy.

Data Preparation
To complete the configuration, you need the following data:
● AS number of CE1: 100; AS number of PE1 and PE2: 200
● VPN instance name: vpna

Procedure
Step 1 Configure IP addresses for interfaces.
For configuration details, see the configuration files.
Step 2 Create a VPN instance and bind the VPN instance to PE1's interface that is
connected to CE1.


# Configure PE1.
[~PE1] ip vpn-instance vpna
[*PE1-vpn-instance-vpna] ipv6-family
[*PE1-vpn-instance-vpna-af-ipv6] route-distinguisher 100:1
[*PE1-vpn-instance-vpna-af-ipv6] vpn-target 111:1 export-extcommunity
[*PE1-vpn-instance-vpna-af-ipv6] vpn-target 111:1 import-extcommunity
[*PE1-vpn-instance-vpna-af-ipv6] commit
[~PE1-vpn-instance-vpna-af-ipv6] quit
[~PE1-vpn-instance-vpna] ipv4-family
[*PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[*PE1-vpn-instance-vpna-af-ipv4] commit
[~PE1-vpn-instance-vpna-af-ipv4] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] interface GigabitEthernet1/0/0
[~PE1-GigabitEthernet1/0/0] undo shutdown
[*PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[*PE1-GigabitEthernet1/0/0] ip address 10.1.1.2 255.255.255.0
[*PE1-GigabitEthernet1/0/0] commit
[~PE1-GigabitEthernet1/0/0] quit
[~PE1] interface GigabitEthernet2/0/0
[~PE1-GigabitEthernet2/0/0] undo shutdown
[*PE1-GigabitEthernet2/0/0] ip address 10.2.1.1 255.255.255.0
[*PE1-GigabitEthernet2/0/0] commit
[~PE1-GigabitEthernet2/0/0] quit

# Configure PE2.
[~PE2] ip vpn-instance vpna
[*PE2-vpn-instance-vpna] ipv6-family
[*PE2-vpn-instance-vpna-af-ipv6] route-distinguisher 200:1
[*PE2-vpn-instance-vpna-af-ipv6] vpn-target 111:1 export-extcommunity
[*PE2-vpn-instance-vpna-af-ipv6] vpn-target 111:1 import-extcommunity
[*PE2-vpn-instance-vpna-af-ipv6] commit
[~PE2-vpn-instance-vpna-af-ipv6] quit
[~PE2-vpn-instance-vpna] quit
[~PE2] interface GigabitEthernet1/0/0
[~PE2-GigabitEthernet1/0/0] undo shutdown
[*PE2-GigabitEthernet1/0/0] ip address 10.2.1.2 255.255.255.0
[*PE2-GigabitEthernet1/0/0] commit
[~PE2-GigabitEthernet1/0/0] quit

Step 3 Configure a BGP IPv6 VPN Flow Specification route.

# Configure PE2.
[~PE2] flow-route FlowSpec1 ipv6 vpn-instance vpna
[*PE2-flow-route-vpna] if-match source-port equal 159
[*PE2-flow-route-vpna] apply deny
[*PE2-flow-route-vpna] commit
[~PE2-flow-route-vpna] quit

Step 4 Establish a BGP VPNv6 Flow Specification peer relationship.

# Configure PE1.
[~PE1] bgp 200
[*PE1-bgp] peer 10.2.1.2 as-number 200
[*PE1-bgp] vpn-instance vpna
[*PE1-bgp-instance-vpna] quit
[*PE1-bgp] ipv6-flow vpn-instance vpna
[*PE1-bgp-flow-vpna] quit
[*PE1-bgp] ipv6-flow vpnv6
[*PE1-bgp-af-flow-vpnv6] peer 10.2.1.2 enable
[*PE1-bgp-af-flow-vpnv6] commit
[~PE1-bgp-af-flow-vpnv6] quit
[~PE1-bgp] quit

# Configure PE2.


[~PE2] bgp 200
[*PE2-bgp] peer 10.2.1.1 as-number 200
[*PE2-bgp] vpn-instance vpna
[*PE2-bgp-instance-vpna] quit
[*PE2-bgp] ipv6-flow vpn-instance vpna
[*PE2-bgp-flow-6-vpna] quit
[*PE2-bgp] ipv6-flow vpnv6
[*PE2-bgp-af-flow-vpnv6] peer 10.2.1.1 enable
[*PE2-bgp-af-flow-vpnv6] commit
[~PE2-bgp-af-flow-vpnv6] quit
[~PE2-bgp] quit

Step 5 Verify the configuration.

# Check the status of the BGP VPNv6 Flow Specification peer relationship on PE2.
The command output shows that the BGP VPNv6 Flow Specification peer
relationship has been successfully established.
<PE2> display bgp flow vpnv6 all peer

BGP local router ID : 10.2.1.2


Local AS number : 200
Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv


10.2.1.1 4 200 1042 1051 0 15:07:49 Established 0

# Check information about the BGP VPNv6 Flow Specification routes received by
PE1.
<PE1> display bgp flow vpnv6 route-distinguisher 200:1 routing-table

BGP Local router ID is 10.1.1.2


Status codes: * - valid, > - best, d - damped, x - best external, a - add path,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V - valid, I - invalid, N - not-found

Route Distinguisher: 200:1

Total Number of Routes: 1


* > ReIndex : 536870913
Dissemination Rules:
Src. Port : eq 159
MED :0 PrefVal : 0
LocalPref: 100
Path/Ogn : i

# Check the traffic filtering rule carried in each BGP VPNv6 Flow Specification
route based on the value of ReIndex in the preceding command output.
<PE1> display bgp flow vpnv6 all routing-table 536870913

BGP local router ID : 10.1.1.2


Local AS number : 200
ReIndex : 536870913
Order : 0
Dissemination Rules :
Src. Port : eq 159

BGP flow-vpnv6 routing table entry information of 536870913:


Route Distinguisher: 200:1
Match action :
apply deny
From: 10.2.1.2 (10.2.1.2)
Route Duration: 0d13h59m46s
Ext-Community: RT <111 : 1>


AS-path Nil, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, best, pre 255
Not advertised to any peer yet

----End

Configuration Files
● CE1 configuration file
#
sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
bgp 100
peer 10.1.1.2 as-number 200
#
ipv6-family unicast
undo synchronization
peer 10.1.1.2 enable
#
ipv6-family flow
peer 10.1.1.2 enable
#
return

● PE1 configuration file


#
sysname PE1
#
ip vpn-instance vpna
ipv6-family
route-distinguisher 100:1
apply-label per-instance
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
ipv4-family
route-distinguisher 100:1
apply-label per-instance
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
bgp 200
peer 10.2.1.2 as-number 200
#
ipv6-family unicast
undo synchronization
peer 10.2.1.2 enable
#
vpn-instance vpna
#
ipv6-flow vpn-instance vpna
#
ipv6-flow vpnv6
policy vpn-target
peer 10.2.1.2 enable
#
return

● PE2 configuration file


#
sysname PE2
#
ip vpn-instance vpna
ipv6-family
route-distinguisher 200:1
apply-label per-instance
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.1.2 255.255.255.0
#
bgp 200
peer 10.2.1.1 as-number 200
#
ipv6-family unicast
undo synchronization
peer 10.2.1.1 enable
#
vpn-instance vpna
#
ipv6-flow vpn-instance vpna
#
ipv6-flow vpnv6
policy vpn-target
peer 10.2.1.1 enable
#
flow-route FlowSpec1 ipv6 vpn-instance vpna
if-match source-port equal 159
apply deny
#
return
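All four examples above (1.1.14.17.11 to 1.1.14.17.14) distribute the same rule: a match on source port 159 with the action apply deny, shown in the command output as "Src. Port : eq 159". The following added example, which is not code from this guide and not an NE9000 interface, encodes and decodes the BGP Flow Specification NLRI and the traffic-rate extended community that carry such a rule on the wire, following RFC 8955 (which obsoletes RFC 5575). The VPNv4 form (SAFI 134) prefixes the components with the route distinguisher of the VPN instance (200:1 in the examples), and apply deny is advertised as a traffic-rate of 0. The AS number field of the extended community defaults to 0 here by assumption, and the render_rules function only approximates the "Dissemination Rules" display format.

```python
"""Encode and decode the BGP Flow Specification NLRI (RFC 8955) carrying a rule
such as "Src. Port : eq 159" with the action "apply deny". Added worked example;
not Huawei NE9000 code. The VPNv4 variant (SAFI 134) prefixes the components
with the 8-byte route distinguisher of the VPN instance (RFC 8955 section 8)."""

import struct

# Component types that use the numeric operator encoding (RFC 8955 section 4.2).
COMPONENT_NAMES = {3: "Protocol", 4: "Port", 5: "Dst. Port", 6: "Src. Port",
                   7: "ICMP Type", 8: "ICMP Code", 10: "Packet Length", 11: "DSCP"}
SRC_PORT, DST_PORT = 6, 5

# Low three bits of the numeric operator byte: lt=0x04, gt=0x02, eq=0x01.
OP_BITS = {"false": 0, "eq": 1, "gt": 2, "ge": 3, "lt": 4, "le": 5, "ne": 6, "true": 7}
OP_NAMES = {v: k for k, v in OP_BITS.items()}


def _len_code(value: int) -> int:
    """'len' field of the operator byte: 0, 1, 2, 3 for 1-, 2-, 4-, 8-byte values."""
    if value < 0:
        raise ValueError("negative value")
    for code, nbytes in enumerate((1, 2, 4, 8)):
        if value < 1 << (8 * nbytes):
            return code
    raise ValueError("value does not fit in 8 bytes")


def encode_numeric_component(comp_type: int, terms) -> bytes:
    """terms: list of (op, value, and_with_previous). Terms are ORed unless the
    'a' bit is set; the last term carries the end-of-list bit."""
    out = bytearray([comp_type])
    for i, (op, value, and_prev) in enumerate(terms):
        code = _len_code(value)
        op_byte = OP_BITS[op] | (code << 4) | (0x40 if and_prev else 0)
        if i == len(terms) - 1:
            op_byte |= 0x80
        out.append(op_byte)
        out += value.to_bytes(1 << code, "big")
    return bytes(out)


def encode_rd(asn: int, assigned: int) -> bytes:
    """Type-0 route distinguisher: 2-byte AS number : 4-byte assigned number."""
    return struct.pack(">HHI", 0, asn, assigned)


def encode_nlri(components: bytes, rd: bytes = b"") -> bytes:
    """Length-prefixed NLRI; components must already be sorted by type."""
    body = rd + components
    n = len(body)
    if n < 240:
        return bytes([n]) + body
    if n < 4096:
        return bytes([0xF0 | (n >> 8), n & 0xFF]) + body
    raise ValueError("NLRI too long")


def traffic_rate_extcommunity(rate_bytes_per_sec: float, asn: int = 0) -> bytes:
    """Traffic-rate extended community (type 0x80, subtype 0x06). A rate of 0 means
    discard, which is what "apply deny" advertises. AS field defaults to 0 (assumption)."""
    return struct.pack(">BBHf", 0x80, 0x06, asn, rate_bytes_per_sec)


def decode_nlri(data: bytes, with_rd: bool = False):
    """Return (rd or None, {component_type: [(op, value, and_prev), ...]})."""
    if data[0] < 0xF0:
        n, pos = data[0], 1
    else:
        n, pos = ((data[0] & 0x0F) << 8) | data[1], 2
    body = data[pos:pos + n]
    if len(body) != n:
        raise ValueError("truncated NLRI")
    rd = None
    if with_rd:
        _, asn, assigned = struct.unpack(">HHI", body[:8])
        rd, body = f"{asn}:{assigned}", body[8:]
    rules, i = {}, 0
    while i < len(body):
        comp_type = body[i]
        i += 1
        if comp_type not in COMPONENT_NAMES:
            raise ValueError(f"unsupported component type {comp_type}")
        terms = []
        while True:
            op_byte = body[i]
            nbytes = 1 << ((op_byte >> 4) & 0x3)
            if i + 1 + nbytes > len(body):
                raise ValueError("truncated component")
            value = int.from_bytes(body[i + 1:i + 1 + nbytes], "big")
            i += 1 + nbytes
            terms.append((OP_NAMES[op_byte & 0x07], value, bool(op_byte & 0x40)))
            if op_byte & 0x80:
                break
        rules[comp_type] = terms
    return rd, rules


def render_rules(rules) -> list:
    """One line per component, in the spirit of the 'Dissemination Rules' output."""
    lines = []
    for comp_type, terms in sorted(rules.items()):
        text = " ".join(("and " if and_prev else "") + f"{op} {value}"
                        for op, value, and_prev in terms)
        lines.append(f"{COMPONENT_NAMES[comp_type]} : {text}")
    return lines


if __name__ == "__main__":
    # The rule from the examples: source port 159, VPN instance RD 200:1, apply deny.
    nlri = encode_nlri(encode_numeric_component(SRC_PORT, [("eq", 159, False)]),
                       encode_rd(200, 1))
    print(nlri.hex(), traffic_rate_extcommunity(0.0).hex())
    print(render_rules(decode_nlri(nlri, with_rd=True)[1]))
```

The decoder rejects truncated NLRI and unknown component types rather than guessing, which is the behaviour a receiving PE needs when a third-party traffic analysis server is the route source; the range form (two terms joined with the 'a' bit) shows how a multi-value rule is carried in the same component.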

1.1.15 IPsec Configuration


Configure IPsec to provide more secure network services for users.

NOTE

The HUAWEI NetEngine9000 does not support data encryption on an IPsec VPN tunnel. In compliance with the relevant RFC standards, IPsec on the HUAWEI NetEngine9000 applies only to DHCPv6, IGMP, IPv4 PIM, IPv6 PIM, MLD, OSPFv3, and RIPng protocol packets, not to transmitted user data.

NOTE

The maximum transmission unit (MTU) of an Ethernet interface is the maximum size of an IP packet that the interface can transmit without fragmentation. The Ethernet interface discards a packet whose size exceeds the configured interface MTU. The TCP maximum segment size (MSS) is the maximum size of the TCP payload that can be transmitted without fragmentation. For an IPv4 TCP packet without options, the packet size equals the TCP MSS plus the TCP header length (20 bytes) and the IP header length (20 bytes), that is, TCP MSS + 40 bytes.
Before packets enter an IPsec tunnel, encryption and authentication fields are added to the original packets. In transport mode, these fields are inserted between the IP and TCP headers. In tunnel mode, a new IP header and the encryption and authentication fields are added in front of the existing IP header. The sum of the TCP MSS, the 40 bytes of headers, and the added fields may then exceed the interface MTU, and packets are lost as a result.
Therefore, when deploying IPsec, run the tcp max-mss command to reduce the TCP MSS so that, after encapsulation, the IP packet size does not exceed the MTU of the peer interface along the IPsec tunnel.
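The following script is added here as an illustration; it is not part of the original guide or of the NE9000 software. It makes the overhead arithmetic in this note concrete: it computes the on-the-wire size of a full-MSS TCP segment after ESP encapsulation in transport or tunnel mode and works back to the largest MSS that still fits the interface MTU. The ESP header and trailer lengths are the RFC 4303 values; the IV, block and ICV lengths are assumptions for AES-CBC with HMAC-SHA2-256 (the algorithms used in the OSPFv3 example later in this section) and can be replaced for other proposals. AH is not modelled.

```python
"""ESP encapsulation overhead versus interface MTU (added example, not NE9000 code).

Header lengths follow RFC 4303 (ESP) and plain IPv4/IPv6 headers without
options or extension headers; the cipher parameters are assumptions chosen
to match the AES-256 / SHA2-256 proposal used later on this page."""
from dataclasses import dataclass

IP_HDR = {"ipv4": 20, "ipv6": 40}   # fixed IP header length, no options
TCP_HDR = 20                        # TCP header without options
ESP_HDR = 8                         # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2                     # pad length (1 byte) + next header (1 byte)


@dataclass(frozen=True)
class EspParams:
    """Per-proposal ESP parameters that add bytes to every packet."""
    iv_len: int      # IV carried in clear at the start of the ESP payload
    block_len: int   # cipher block size the plaintext plus trailer is padded to
    icv_len: int     # integrity check value appended after the ciphertext


# Assumed: AES-CBC (16-byte IV and block, RFC 3602) with HMAC-SHA-256-128 (RFC 4868).
AES_CBC_SHA2_256 = EspParams(iv_len=16, block_len=16, icv_len=16)


def esp_packet_size(mss: int, mode: str, ip: str = "ipv4",
                    esp: EspParams = AES_CBC_SHA2_256) -> int:
    """Bytes on the wire for a TCP segment carrying `mss` bytes of payload."""
    if mode == "transport":
        plaintext = TCP_HDR + mss                 # ESP sits between IP and TCP
    elif mode == "tunnel":
        plaintext = IP_HDR[ip] + TCP_HDR + mss    # whole original packet is protected
    else:
        raise ValueError(f"unknown encapsulation mode {mode!r}")
    # Plaintext plus the 2-byte trailer is padded up to a whole cipher block.
    padded = -(-(plaintext + ESP_TRAILER) // esp.block_len) * esp.block_len
    # Either the original IP header (transport) or a new outer one (tunnel).
    return IP_HDR[ip] + ESP_HDR + esp.iv_len + padded + esp.icv_len


def max_mss(mtu: int, mode: str, ip: str = "ipv4",
            esp: EspParams = AES_CBC_SHA2_256) -> int:
    """Largest TCP MSS whose encapsulated segment still fits in `mtu`.

    Starts from the no-IPsec bound (MTU minus IP and TCP headers, the
    'TCP MSS + 40 bytes' of the note for IPv4) and shrinks until the
    ESP-encapsulated packet fits. Padding makes the result step in whole
    cipher blocks, so a short search is clearer than a closed form."""
    mss = mtu - IP_HDR[ip] - TCP_HDR
    while mss > 0 and esp_packet_size(mss, mode, ip, esp) > mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        for ip in ("ipv4", "ipv6"):
            print(f"{mode:9s} {ip}: tcp max-mss {max_mss(1500, mode, ip)}")
```

For a 1500-byte MTU and IPv4 the script gives an MSS of 1418 bytes in transport mode and 1398 bytes in tunnel mode, against 1460 bytes without IPsec; the computed value is the one to configure with tcp max-mss. Because the cipher pads to 16-byte blocks, an MSS one byte larger already pushes the packet 16 bytes over the MTU.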


NOTE

For security purposes, you are advised not to use weak security algorithms in this feature. If
you need to use such an algorithm, run the undo crypto weak-algorithm disable
command to enable the weak security algorithm function first.

1.1.15.1 Overview of IPsec


Based on protocol packet encryption and authentication at the IP layer, Internet
Protocol Security (IPsec) provides integrity, authenticity, and confidentiality for
protocol packets transmitted over networks.

IPsec is an open network-layer security framework designed by the Internet
Engineering Task Force (IETF). It is not a single protocol but a collection of
protocols and services that provide security for IP networks. IPsec comprises
security protocols and the algorithms used for authentication and encryption.
The security protocols are Authentication Header (AH) and Encapsulating
Security Payload (ESP).

When IPv4 was designed, the Internet was small and physical isolation alone
was considered sufficient for security. Security was therefore not a design goal
of IPv4, because nobody expected the explosive growth of the Internet.

Because IP itself provides no security, IP addresses are easily forged, the
contents of IP packets may be tampered with, and packets may be replayed or
intercepted in transit. Conventional IP-layer protocols therefore cannot verify
received IP packets. Application-layer mechanisms can solve the problem, but
only for specific applications. Protocols that provide security services at the IP
layer were therefore needed, and IPsec fills that need.

IPsec provides the following security services for IP packets, mainly through
encryption and authentication:
● Data encryption
IPsec encrypts data to ensure data confidentiality.
● Data integrity authentication
IPsec uses integrity authentication to ensure that data is not tampered with
during transmission.
● Data origin authentication
IPsec authenticates the data origin to ensure that data comes from the
claimed sender.
● Anti-replay
IPsec prevents an attacker from re-sending captured packets by enabling the
receiver to detect and discard duplicate packets.

IPsec has the following advantages:
● All IP-capable applications and services can use IPsec without modification.
● Protection is applied per protocol packet rather than per packet flow, which
significantly enhances protocol packet security and helps protect against
network attacks.


1.1.15.2 Feature Requirements for IPsec

1.1.15.3 Configuring an IPsec SA Manually


Configure an Internet Protocol Security (IPsec) Security Association (SA) manually.

Usage Scenario
IPsec can be configured to prevent protocol packets from being intercepted or
faked on a simple network.

1.1.15.3.1 Configuring a Security Proposal


A security proposal can be configured to define the security protocol,
authentication and encryption algorithms for protocol packets, and encapsulation
mode.

Context
Before using IPsec to authenticate and encrypt protocol packets, you must create a
security proposal and define the security protocol type, authentication and
encryption algorithms, and encapsulation mode in the security proposal.

The security protocols, authentication and encryption algorithms for protocol
packets, and encapsulation modes must be the same on IPsec peers.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run ipsec proposal proposal-name

A security proposal is created and the security proposal view is displayed.

Step 3 Run encapsulation-mode transport

The protocol packet encapsulation mode is configured.

Step 4 (Optional) Run transform { ah | esp }

A security protocol is configured.

NOTE

Because AH does not support encryption in IPsec scenarios, ESP is recommended.

Step 5 Configure an authentication algorithm and an encryption algorithm based on
the selected security protocol.
● If Authentication Header (AH) is configured, run the ah authentication-
algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 } command to
configure an authentication algorithm.

NOTE

To help provide high security, do not use the MD5 or SHA1 algorithm as an AH
authentication algorithm.
● If ESP is configured, run the esp authentication-algorithm { md5 | sha1 |
sha2-256 | sha2-384 | sha2-512 } command to configure an authentication
algorithm.

NOTE

To help provide high security, do not use the MD5 or SHA1 algorithm as an ESP
authentication algorithm.
● If ESP is configured, run the esp encryption-algorithm { des | 3des | aes
{ 128 | 192 | 256 } } command to configure an ESP encryption algorithm.

NOTE

To help provide high security, do not use the DES or 3DES algorithm as an ESP
encryption algorithm.

Step 6 Run commit

The configuration is committed.

----End

1.1.15.3.2 Configuring an SA
Configure a Security Association (SA) and specify a security protocol, a security
parameter index (SPI), and authentication keys.

Context
An SA is unidirectional: incoming and outgoing protocol packets are processed by
different SAs. Because the SAs are configured manually rather than negotiated,
the SA for the incoming protocol packets of a flow on one peer must carry the
same parameters as the SA for the outgoing protocol packets of that flow on the
other peer. The parameters are as follows:
● Security proposal: defines the specific protection, including the authentication
and encryption algorithms.
● SPI: the Security Parameter Index that identifies an SA.
● Key: used to calculate message digests and encrypt protocol packets.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run ipsec sa sa-name

An SA is created, and the SA view is displayed.

Step 3 Run proposal proposal-name

A security proposal is applied to the SA.


NOTE

A security proposal must be configured before it can be associated with protocol packet
flows.
One SA can use only one security proposal. If a security proposal has been applied to an SA,
the SA can use another security proposal only after the original one is deleted.

Step 4 Run sa spi { inbound | outbound } { ah | esp } spi-number

An SPI is set.

NOTE

The SPI uniquely identifies an SA. The inbound and outbound SPIs are set, and the inbound
SPI on the local end must be the same as the outbound SPI on the peer end.

Step 5 To configure the authentication key, run either of the following commands:
1. Run sa authentication-hex { inbound | outbound } { ah | esp } [ cipher ] key-cipher-key

An authentication key in hexadecimal format or ciphertext is set.

2. Run sa string-key { inbound | outbound } { ah | esp } [ cipher ] string-cipher-key

An authentication key in string format is set.

NOTE

An authentication key for outgoing protocol packets on the local end must be identical to
that for incoming protocol packets on the peer end.
If multiple authentication keys are configured, the latest one takes effect.
Updating keys periodically is recommended.

Step 6 (Optional) Run sa encryption-hex { inbound | outbound } esp [ cipher ] hex-cipher-key

An encryption key is set.

Step 7 Run commit

The configuration is committed.

----End

1.1.15.3.3 Applying IPsec


After configuring IPsec, you can configure protocols to use it for protocol packet
authentication.

Context
To defend against network attacks, configure IPsec so that IPsec can be
implemented on protocol packets exchanged between routers. Table 1-26
describes IPsec applications.


Table 1-26 IPsec applications

● DHCPv6 Relay
Usage scenario: If an attacker pretends to be a DHCPv6 server and sends bogus DHCPv6 messages to a client, the client may suffer DoS attacks or be incorrectly configured. To defend against such attacks, implement IPsec on packets exchanged between DHCPv6 relay agents or between a DHCPv6 relay agent and a DHCPv6 server.
Reference: Configuring IPsec on a DHCPv6 Relay Agent

● RIPng
Usage scenario: If IPsec authentication is configured on a RIPng network, sent and received RIPng packets are authenticated, and packets that fail authentication are discarded. This improves the security of the RIPng network.
Reference: Configuring IPsec Authentication for RIPng

● OSPFv3
Usage scenario: OSPFv3 IPsec uses a set of IPsec mechanisms to authenticate sent and received OSPFv3 packets, protecting devices against invalid OSPFv3 packets.
Reference: Configuring OSPFv3 IPsec

● IGMP
Usage scenario: On a multicast network, forged IGMP messages may be used to attack devices, leaving them unable to forward multicast traffic. To protect a device against attacks launched using forged IGMP messages, use this feature to authenticate sent and received IGMP messages based on a specified SA.
Reference: Configuring IGMP IPsec

● MLD
Usage scenario: On a multicast network, forged MLD messages may be used to attack devices, leaving them unable to forward multicast traffic. To protect a device against attacks launched using forged MLD messages, use this feature to authenticate sent and received MLD messages based on a specified SA.
Reference: Configuring MLD IPsec

● IPv4 PIM
Usage scenario: On a multicast network, forged IPv4 PIM messages may be used to attack devices, leaving them unable to forward multicast traffic. To protect a device against attacks launched using forged IPv4 PIM messages, use this feature to authenticate sent and received IPv4 PIM messages based on a specified SA.
Reference: Configuring IPv4 PIM IPsec

● IPv6 PIM
Usage scenario: On a multicast network, forged IPv6 PIM messages may be used to attack devices, leaving them unable to forward multicast traffic. To protect a device against attacks launched using forged IPv6 PIM messages, use this feature to authenticate sent and received IPv6 PIM messages based on a specified SA.
Reference: Configuring IPv6 PIM IPsec

● DHCP Relay
Usage scenario: An attacker may pretend to be a DHCPv4 relay agent and send bogus DHCPv4 packets to the DHCPv4 server, causing a denial of service on the DHCPv4 server. The device performs IPsec authentication on DHCPv4 packets exchanged between DHCPv4 relay agents or between DHCPv4 relay agents and servers to defend against such attacks.
Reference: (Optional) Configuring IPsec on a DHCP Relay Agent

● DHCP Server
Usage scenario: An attacker may pretend to be a DHCPv4 server and send bogus DHCPv4 packets to the DHCPv4 relay agent, causing the relay agent to suffer DoS attacks. The DHCPv4 relay agent performs IPsec authentication on DHCPv4 packets exchanged between the DHCPv4 server and the relay agent to defend against such attacks.
Reference: (Optional) Configuring IPsec on a DHCP Server

1.1.15.3.4 Checking the Manual IPsec Configuration


After configuring Internet Protocol Security, you can view the IPsec configurations.

Prerequisites
The security proposal and SA have been configured.

Procedure
Step 1 Run the display ipsec sa manual [ brief | name sa-name [ brief ] ] command to
check information about SAs.
Step 2 Run the display ipsec proposal [ name proposal-name | brief ] command to
check information about a security proposal.
Step 3 Run the display ipsec statistics [ sa-name sa-name ] [ slot slot-number ]
command to check statistics about protocol packets processed by IPsec.

----End

1.1.15.4 Configuration Examples for IPsec

1.1.15.4.1 Manual IPsec Configuration Scenario


Example for Configuring IPsec for OSPFv3

Networking Requirements
On the network shown in Figure 1-47, DeviceA and DeviceB are connected over a
public network, and OSPFv3 is deployed for their communication.

Figure 1-47 Configuring IPsec


NOTE

Interface1 in this example represents GE 1/0/1.

If no authentication mechanism is configured, routing protocol packets
transmitted between DeviceA and DeviceB may be modified or spoofed by
attackers. As a result, their OSPFv3 adjacency may be torn down, or incorrect
routes may be imported.
To prevent such attacks, establish an IPsec tunnel between DeviceA and DeviceB
to protect the OSPFv3 packets transmitted between them. Configure Encapsulating
Security Payload (ESP) as the security protocol, Secure Hash Algorithm 2-256
(SHA2-256) as the authentication algorithm, and AES-256 as the encryption
algorithm.

Configuration Notes
● The encapsulation modes and security protocols on the two IPsec peers must be
identical.
● The authentication and encryption algorithms on the two IPsec peers must be
identical.
● The inbound SPI and authentication key on one peer must equal the outbound
SPI and authentication key on the other peer. In this example the same SPI and
key are used in both directions.
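The matching rules in the Configuration Notes above and in the SA procedure (local inbound SPI and key equal to the peer's outbound SPI and key, identical proposals on both sides, no weak algorithms) are easy to get wrong once SPIs and keys differ per direction. The script below is an added example, not part of the guide or of the NE9000 software: it parses the ipsec proposal and ipsec sa blocks of two configuration files written in the format shown in this document and reports every mismatch. The two sample configurations are constructed for the example and, unlike the page's example, use different SPIs and keys per direction to show the crosswise matching; the keys appear in plaintext because the device stores them as ciphertext and a checker must see the values as typed.

```python
"""Cross-check manually keyed IPsec SAs on two peers (added example, not NE9000 code)."""
from __future__ import annotations

# Algorithms the configuration guide's notes advise against.
WEAK_ALGORITHMS = {"md5", "sha1", "des", "3des"}

# Constructed sample configurations in the guide's configuration-file format.
DEVICE_A = """\
#
ipsec proposal proposal1
 encapsulation-mode transport
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes 256
#
ipsec sa sa1
 proposal proposal1
 sa spi inbound esp 12345
 sa string-key inbound esp abcdef
 sa spi outbound esp 54321
 sa string-key outbound esp fedcba
#
"""

DEVICE_B = """\
#
ipsec proposal proposal2
 encapsulation-mode transport
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes 256
#
ipsec sa sa2
 proposal proposal2
 sa spi inbound esp 54321
 sa string-key inbound esp fedcba
 sa spi outbound esp 12345
 sa string-key outbound esp abcdef
#
"""

# Same as DEVICE_B but with a typo in the outbound SPI and a weak hash.
DEVICE_B_BAD = (DEVICE_B.replace("outbound esp 12345", "outbound esp 12354")
                .replace("sha2-256", "sha1"))


def parse_ipsec(config: str) -> dict:
    """Read the ipsec proposal / ipsec sa blocks; all other lines are ignored."""
    proposals: dict[str, dict] = {}
    sas: dict[str, dict] = {}
    cur = None                                       # block currently being read
    for raw in config.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[0] == "#":
            cur = None                               # '#' ends a block
        elif w[:2] == ["ipsec", "proposal"]:
            cur = proposals.setdefault(w[2], {"transform": "esp"})  # esp is the default
        elif w[:2] == ["ipsec", "sa"]:
            cur = sas.setdefault(w[2], {"spi": {}, "key": {}})
        elif cur is None:
            continue
        elif w[0] == "encapsulation-mode":
            cur["mode"] = w[1]
        elif w[0] == "transform":
            cur["transform"] = w[1]
        elif w[0] in ("ah", "esp") and w[1] == "authentication-algorithm":
            cur["auth"] = w[2]
        elif w[0] == "esp" and w[1] == "encryption-algorithm":
            cur["enc"] = " ".join(w[2:])             # e.g. "aes 256"
        elif w[0] == "proposal":
            cur["proposal"] = w[1]
        elif w[:2] == ["sa", "spi"]:
            cur["spi"][(w[2], w[3])] = int(w[4])     # (direction, protocol) -> SPI
        elif w[0] == "sa" and w[1] in ("string-key", "authentication-hex"):
            cur["key"][(w[2], w[3])] = w[-1]         # key is the last word, after [cipher]
    return {"proposals": proposals, "sas": sas}


def check_peers(cfg_a: str, sa_a: str, cfg_b: str, sa_b: str) -> list[str]:
    """Return findings; an empty list means the two SAs are mirror images."""
    a, b = parse_ipsec(cfg_a), parse_ipsec(cfg_b)
    sa1, sa2 = a["sas"][sa_a], b["sas"][sa_b]
    p1, p2 = a["proposals"][sa1["proposal"]], b["proposals"][sa2["proposal"]]
    findings = []
    for field in ("mode", "transform", "auth", "enc"):
        if p1.get(field) != p2.get(field):
            findings.append(f"proposal mismatch on {field}: {p1.get(field)!r} vs {p2.get(field)!r}")
    for side, p in (("A", p1), ("B", p2)):
        for alg in (p.get("auth"), p.get("enc")):
            if alg and alg.split()[0] in WEAK_ALGORITHMS:
                findings.append(f"weak algorithm {alg!r} in proposal on {side}")
    proto = p1["transform"]
    # Local inbound must equal peer outbound, and vice versa, for SPI and key alike.
    for local, remote in (("inbound", "outbound"), ("outbound", "inbound")):
        if sa1["spi"].get((local, proto)) != sa2["spi"].get((remote, proto)):
            findings.append(f"SPI mismatch: A {local} != B {remote}")
        if sa1["key"].get((local, proto)) != sa2["key"].get((remote, proto)):
            findings.append(f"key mismatch: A {local} != B {remote}")
    return findings


if __name__ == "__main__":
    print("good pair:", check_peers(DEVICE_A, "sa1", DEVICE_B, "sa2") or "OK")
    print("bad pair: ", check_peers(DEVICE_A, "sa1", DEVICE_B_BAD, "sa2"))
```

Run it against the two configuration files exported from the peers before committing; an empty finding list corresponds to what display ipsec statistics shows afterwards as zero "can't find SA" and "authentication is failed" drops.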

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic OSPFv3 functions on DeviceA and DeviceB.
2. Configure IPsec proposals. Configure ESP as the security protocol, SHA2-256
as the authentication algorithm, and AES-256 as the encryption algorithm.
3. Set SA parameters.
4. Apply SAs to OSPFv3 processes, enabling IPsec to protect OSPFv3 packets
transmitted between DeviceA and DeviceB.

Data Preparation
To complete the configuration, you need the following data:
● DeviceA: router ID 1.1.1.1, OSPFv3 process ID 1, SPI 12345, authentication key in string format abcdef
● DeviceB: router ID 2.2.2.2, OSPFv3 process ID 1, SPI 12345, authentication key in string format abcdef

Procedure
Step 1 Configure OSPFv3 on DeviceA and DeviceB.
# Configure DeviceA.
<HUAWEI> system-view
[~HUAWEI] sysname DeviceA
[*HUAWEI] commit
[~DeviceA] ospfv3 1
[*DeviceA-ospfv3-1] router-id 1.1.1.1
[*DeviceA-ospfv3-1] area 0
[*DeviceA-ospfv3-1-area-0.0.0.0] commit
[~DeviceA-ospfv3-1-area-0.0.0.0] quit

# Configure DeviceB.
<HUAWEI> system-view
[~HUAWEI] sysname DeviceB
[*HUAWEI] commit
[~DeviceB] ospfv3 1
[*DeviceB-ospfv3-1] router-id 2.2.2.2
[*DeviceB-ospfv3-1] area 0
[*DeviceB-ospfv3-1-area-0.0.0.0] commit
[~DeviceB-ospfv3-1-area-0.0.0.0] quit

Step 2 Configure IPv6 addresses on the interfaces and enable OSPFv3 on them.


# Configure DeviceA.
[~DeviceA] interface gigabitethernet1/0/1
[~DeviceA-GigabitEthernet1/0/1] ipv6 enable
[*DeviceA-GigabitEthernet1/0/1] ipv6 address 2001:db8::1 64
[*DeviceA-GigabitEthernet1/0/1] ospfv3 1 area 0
[*DeviceA-GigabitEthernet1/0/1] commit
[~DeviceA-GigabitEthernet1/0/1] quit

# Configure DeviceB.
[~DeviceB] interface gigabitethernet1/0/1
[~DeviceB-GigabitEthernet1/0/1] ipv6 enable
[*DeviceB-GigabitEthernet1/0/1] ipv6 address 2001:db8::2 64
[*DeviceB-GigabitEthernet1/0/1] ospfv3 1 area 0
[*DeviceB-GigabitEthernet1/0/1] commit
[~DeviceB-GigabitEthernet1/0/1] quit

Step 3 Configure security proposals on DeviceA and DeviceB.


# Configure a security proposal on DeviceA.
[~DeviceA] ipsec proposal proposal1
[*DeviceA-ipsec-proposal-proposal1] encapsulation-mode transport
[*DeviceA-ipsec-proposal-proposal1] transform esp
[*DeviceA-ipsec-proposal-proposal1] esp encryption-algorithm aes 256
[*DeviceA-ipsec-proposal-proposal1] esp authentication-algorithm sha2-256


[*DeviceA-ipsec-proposal-proposal1] commit
[~DeviceA-ipsec-proposal-proposal1] quit

# Configure a security proposal on DeviceB.


[~DeviceB] ipsec proposal proposal2
[*DeviceB-ipsec-proposal-proposal2] encapsulation-mode transport
[*DeviceB-ipsec-proposal-proposal2] transform esp
[*DeviceB-ipsec-proposal-proposal2] esp encryption-algorithm aes 256
[*DeviceB-ipsec-proposal-proposal2] esp authentication-algorithm sha2-256
[*DeviceB-ipsec-proposal-proposal2] commit
[~DeviceB-ipsec-proposal-proposal2] quit

# Run the display ipsec proposal command on DeviceA and DeviceB to check the
configuration. The following example uses the command output on DeviceA.
[~DeviceA] display ipsec proposal
Total IP security proposal number: 1
IP security proposal name: proposal1
encapsulation mode: transport
transform: esp-new
ESP protocol: authentication SHA2-HMAC-256, encryption 256-AES

Step 4 Configure IPsec SAs on DeviceA and DeviceB and apply a proposal to each SA.
# Configure an IPsec SA on DeviceA and apply a proposal to it.
[~DeviceA] ipsec sa sa1
[*DeviceA-ipsec-sa-sa1] proposal proposal1
[*DeviceA-ipsec-sa-sa1] commit

# Configure an IPsec SA on DeviceB and apply a proposal to it.


[~DeviceB] ipsec sa sa2
[*DeviceB-ipsec-sa-sa2] proposal proposal2
[*DeviceB-ipsec-sa-sa2] commit

Step 5 Configure SPIs and authentication keys in string format on DeviceA and DeviceB.
# Configure SPIs and authentication keys in string format on DeviceA.
[~DeviceA] ipsec sa sa1
[*DeviceA-ipsec-sa-sa1] sa spi inbound esp 12345
[*DeviceA-ipsec-sa-sa1] sa spi outbound esp 12345
[*DeviceA-ipsec-sa-sa1] sa string-key inbound esp abcdef
[*DeviceA-ipsec-sa-sa1] sa string-key outbound esp abcdef
[*DeviceA-ipsec-sa-sa1] commit
[~DeviceA-ipsec-sa-sa1] quit

# Configure SPIs and authentication keys in string format on DeviceB.


[~DeviceB] ipsec sa sa2
[*DeviceB-ipsec-sa-sa2] sa spi outbound esp 12345
[*DeviceB-ipsec-sa-sa2] sa spi inbound esp 12345
[*DeviceB-ipsec-sa-sa2] sa string-key outbound esp abcdef
[*DeviceB-ipsec-sa-sa2] sa string-key inbound esp abcdef
[*DeviceB-ipsec-sa-sa2] commit
[~DeviceB-ipsec-sa-sa2] quit

Step 6 Apply SAs to OSPFv3 processes.


# Apply an SA to an OSPFv3 process on DeviceA.
[~DeviceA] ospfv3 1
[*DeviceA-ospfv3-1] ipsec sa sa1
[*DeviceA-ospfv3-1] commit

# Apply an SA to an OSPFv3 process on DeviceB.


[~DeviceB] ospfv3 1

[*DeviceB-ospfv3-1] ipsec sa sa2
[*DeviceB-ospfv3-1] commit

Step 7 Verify the configuration.


# Run the display ipsec sa command on DeviceA and DeviceB to check the
configuration. The following example uses the command output on DeviceA.
[~DeviceA] display ipsec sa
Total IP security association number: 1
IP security association name: sa1
Number of references: 1
proposal name: proposal1
State: Complete
inbound AH setting:
AH spi:
AH string-key:
AH authentication hex key:
inbound ESP setting:
ESP spi: 12345 (0x3039)
ESP string-key: %#%#<}jb{br9\zi%X+/Y@:Y>Lw(L\v#*^KsM"/8RaRe$%#%#
ESP encryption hex key:
ESP authentication hex key:
outbound AH setting:
AH spi:
AH string-key:
AH authentication hex key:
outbound ESP setting:
ESP spi: 12345 (0x3039)
ESP string-key: %#%#<}j/@X4355SE9JZTD0>GQf"}w2@X,k6.E\Z,z\{#%#%#
ESP encryption hex key:
ESP authentication hex key:

# Run the display ipsec statistics command to check statistics about incoming
and outgoing protocol packets processed by IPsec and detailed information about
dropped protocol packets. If statistics about incoming and outgoing protocol
packets processed by IPsec are displayed, the configuration succeeds. For example:
[~DeviceA] display ipsec statistics
IPv6 security packet statistics:
input/output security packets: 184/19
input/output security bytes: 13216/1312
input/output dropped security packets: 0/0
dropped security packet detail:
memory process problem: 0
can't find SA: 0
queue is full: 0
authentication is failed: 0
wrong length: 0
replay packet: 0
too long packet: 0
invalid SA: 0
policy deny: 0
the normal packet statistics:
input/output dropped normal packets: 0/0
IPv4 security packet statistics:
input/output security packets: 0/0
input/output security bytes: 0/0
input/output dropped security packets: 0/0
dropped security packet detail:
memory process problem: 0
can't find SA: 0
queue is full: 0
authentication is failed: 0
wrong length: 0
replay packet: 0
too long packet: 0
invalid SA: 0
policy deny: 0

the normal packet statistics:
input/output dropped normal packets: 0/0

----End

Configuration Files
● DeviceA configuration file
#
sysname DeviceA
#
ipsec proposal proposal1
encapsulation-mode transport
esp authentication-algorithm sha2-256
esp encryption-algorithm aes 256
#
ipsec sa sa1
proposal proposal1
sa spi inbound esp 12345
sa string-key inbound esp %#%#<}jb{br9\zi%X+/Y@:Y>Lw(L\v#*^KsM"/8RaRe$%#%#
sa spi outbound esp 12345
sa string-key outbound esp %#%#<}j/@X4355SE9JZTD0>GQf"}w2@X,k6.E\Z,z\{#%#%#
#
ospfv3 1
router-id 1.1.1.1
ipsec sa sa1
area 0.0.0.0
#
interface GigabitEthernet1/0/1
undo shutdown
ipv6 enable
ipv6 address 2001:db8::1/64
ospfv3 1 area 0
#
return

● DeviceB configuration file


#
sysname DeviceB
#
ipsec proposal proposal2
encapsulation-mode transport
esp authentication-algorithm sha2-256
esp encryption-algorithm aes 256
#
ipsec sa sa2
proposal proposal2
sa spi inbound esp 12345
sa string-key inbound esp %#%#<}j/@XSE9JZT5]2"T#]2"T<}j/@XSE9JZT5>%#%#
sa spi outbound esp 12345
sa string-key outbound esp %#%#)YTP%@nFE7bL^B&WSBiQ1[p#M"/8RaRe%$7$%#%#
#
ospfv3 1
router-id 2.2.2.2
ipsec sa sa2
area 0.0.0.0
#
interface GigabitEthernet1/0/1
undo shutdown
ipv6 enable
ipv6 address 2001:db8::2/64
ospfv3 1 area 0
#
return


1.1.16 PKI Configuration


A Public Key Infrastructure (PKI) certificate is a digital certificate that authenticates
the peers attempting to set up IPsec tunnels with each other. Certificates give IPsec a
centralized key management mechanism.

1.1.16.1 Overview of PKI


This section describes the background and basic concepts of the PKI system.
Public Key Infrastructure (PKI) is a framework of protocols and cryptographic
algorithm suites that authenticates devices attempting to establish IPsec tunnels
with each other.
PKI combines hardware, software, people, processes, and policies with asymmetric
cryptography to create digital identities and to provide authentication and secure
communication between two communicating parties.
With the growth of e-commerce, online banking, and online securities trading,
Internet security has become increasingly important. An attacker may intercept
plaintext application data and launch man-in-the-middle attacks.
For example, as shown in Figure 1-48, peer A attempts to establish an IPsec VPN
to peer B, but the attacker intercepts the information sent by peer A to peer B
and impersonates peer B to establish the connection with peer A. To prevent this,
peer A and peer B must authenticate each other's identity before establishing a
connection.

Figure 1-48 Man-in-the-Middle Attack

In an IPsec VPN, peers are authenticated using pre-shared keys or certificates. A
pre-shared key is a key configured on both devices; when one end verifies that
its key matches the key of the other end, the two can set up a connection. This
authentication mode is easy to configure. On a network with a large number of
devices, however, the pre-shared key must be reconfigured on all devices
whenever a new device is added, so the configuration workload grows rapidly and
errors are easy to make.
To authenticate a wide range of devices and reduce the risk of man-in-the-middle
attacks, certificates can be used for authentication in large VPNs. Peers first
apply for certificates from a Certificate Authority (CA). Before establishing a
VPN, the peers authenticate each other's certificates, and the connection is
established only if both certificates pass authentication. This effectively prevents
man-in-the-middle attacks.
PKI offers the following benefits:
● PKI provides the basis for a secure communication channel.
● PKI offers services such as authentication, integrity protection,
confidentiality, and access control.
● PKI offers a scalable way to secure networks and simplifies the deployment
of security features such as IPsec, Secure Shell (SSH), and Secure Sockets
Layer (SSL).
● PKI scales to far more devices than traditional authentication methods such
as username and password.

NOTE

For security purposes, you are advised not to use weak security algorithms in this
feature. If you need to use such an algorithm, run the undo crypto weak-algorithm disable
command to enable the weak security algorithm function first.

1.1.16.2 Feature Requirements for PKI

1.1.16.3 Configuring CMP-based Certificate Management


Configuring CMP-based certificate management involves creating RSA key pairs,
configuring entity information, configuring CMP sessions, and obtaining
certificates.

Usage Scenario
Two devices need to obtain each other's identity information during an IPsec
negotiation. The NE9000 can use either a pre-shared key or certificate for identity
authentication. If you use certificates for device identity authentication, configure
the devices to obtain certificates before they perform an IPsec negotiation.
The NE9000 can obtain certificates either through CMP or out of band. CMP is
recommended for obtaining and managing certificates on a CMP-capable network
with many devices deployed.

Pre-configuration Tasks
Before configuring CMP-based certificate management, complete the following
tasks:
● Complete basic configurations for a CA server so that the CA server can
automatically issue certificates.


● Ensure that each device has a predefined certificate.

1.1.16.3.1 Creating an RSA Key Pair


Before applying for certificates, create RSA key pairs.

Usage Scenario
Generating a key pair is a prerequisite for applying for a certificate. The key pair
consists of a private key and a public key. The private key is kept by the user, and
the public key and other information are delivered to the CA. The CA then generates
a certificate that binds the public key to the entity and signs the certificate with
the CA's own private key. If the private key is disclosed, the user must delete the
old key pair, create a new key pair, and reapply for a certificate.

NOTE

The private key on the device is encrypted before being stored.

RSA is a public key algorithm named after its inventors Ron Rivest, Adi Shamir,
and Leonard Adleman. RSA key pairs are categorized into host key pairs and server
key pairs. Each key pair is composed of a private key and a public key. These two
key pairs are used by SSH: the server key pair is changed periodically by the local
server, while the host key pair remains unchanged. The host key pair is used when
you apply for a certificate.

NOTE

● If an unnamed RSA key pair exists on a device, a newly created key pair overwrites the
old one. If multiple RSA key pairs exist or a named RSA key exists on a device, delete the
existing RSA key pairs before creating and renaming RSA key pairs.
● After the key pair is deleted or replaced, the existing certificate becomes invalid. You
need to apply for a new certificate, which ensures the RSA key pair and certificate
match.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run rsa pki local-key-pair [ key-name ] create
The local key pair is created.

NOTE

If the RSA key pair already exists on the device, you can also run the pki import rsa-key-
pair keypair-name { der key-filename | pem key-filename password password-val }
command to import the RSA key pair to the device memory for the configuration to take
effect. In this case, you do not need to create an RSA key pair.

----End

1.1.16.3.2 Configuring Entity Information


When applying for a certificate, an entity must add its entity information to the
certificate request file and send the file to the CA. The CA uses this information to
describe the entity and identifies the entity by a unique Distinguished Name (DN).

Context
The local certificate associates user identity information with the user public key,
while the identity information must be associated with a specific PKI entity. The
CA identifies the certificate applicant based on the identity information that the
entity provides. The entity information includes:
● Common name of the entity
● Country code of the entity
● Email address of the entity
● Fully Qualified Domain Name (FQDN) of the entity
● IP address of the entity
● Name of the region where the entity resides
● Organization name of the entity
● Department name of the entity
● State or province of the entity
NOTE

In the entity information, the common name of the entity is mandatory. Whether to
configure other attributes depends on the certificate issuing policy on the CA server. If
the attributes used to filter certificates do not map the certificate issuing policy,
certificate application will fail.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run pki entity entity-name
An entity name is created and the entity view is displayed.
Step 3 Configure entity attributes.
● Run common-name cn-name
The common name of the entity is configured.
● (Optional) Run country country-code
The country code of the entity is specified.
● (Optional) Run email email-address
The email address of the entity is configured.
● (Optional) Run fqdn fqdn-name
The FQDN of the entity is configured.
● (Optional) Run ip-address ip-address
The IP address of the entity is configured.
● (Optional) Run locality locality-name
The name of the locality where the entity resides is specified.

● (Optional) Run organization organization-name
The organization name of the entity is specified.
● (Optional) Run organization-unit org-unit
The department name of the entity is configured.
● (Optional) Run state state-province-name
The state or province of the entity is configured.
Step 4 Run commit
The configuration is committed.

----End

1.1.16.3.3 Configuring CMP Sessions


To configure a CMP session, specify an RSA key pair, a CA server name, and PKI
entity information used to obtain a certificate using CMP.

Context
If CMP is used to obtain and manage certificates, the NE9000 and CA server
establish a CMP session to exchange the information required for generating
certificates. Before a CMP session is established, ensure that the NE9000 has the
following information to establish the CMP session:
● PKI entity
● RSA key pair
● Name of the CA server with which the NE9000 establishes the CMP session
● Certificate for authenticating the identity of the NE9000
● URL of the CMP server that receives CMP requests
Each digital certificate has a validity period. To ensure service availability, apply for
a new certificate before the existing certificate expires. However, manual operation
may leave certain certificates not updated. The NE9000 supports automatic
certificate update. The NE9000 initiates a certificate update request to the
connected CMPv2 server when the percentage of the certificate's remaining
validity period reaches a specified value. The obtained certificate overwrites the
certificate on the CF card and in the memory.
Perform the following steps on the NE9000 that needs to use CMP to obtain a
certificate:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run pki domain domain-name
A PKI domain is created, and the PKI domain name configuration view is
displayed.
Step 3 Run pki cmp session session-name

A CMP session is created, and the CMP session view is displayed.
Step 4 Run cmp request entity entity-name
A PKI entity is specified to initiate a CMP request.
Step 5 Run cmp request rsa local-key-pair key-name [ regenerate [ key-bit ] ]
A local RSA key pair is specified to initiate a CMP request.

NOTICE

An RSA key pair can be referenced by only one CMP session or PKI domain.

Step 6 Run cmp request ca-name ca-name
A CA server is specified by its name to receive CMP requests.
Step 7 Run cmp request authentication-cert cert-name
A certificate for device identity authentication is specified to initiate a CMP
request.
Step 8 Run cmp request server url url-address
A CMP server at a URL is specified to receive CMP requests.
Step 9 (Optional) Run cmp source interface interface-type interface-number
The source interface of CMPv2 packets is configured. To be specific, the IP address
of the configured source interface is used as the source IP address of the CMPv2
packets sent from the device to the CMPv2 server.
Step 10 Run commit
The configuration is committed.

----End

1.1.16.3.4 Configuring CMP-based Certificate Management


The following types of CMP requests are used in the CMP-based certificate
application process: initialization request (IR) and key update request (KUR).

Prerequisites
Before configuring automatic update, verify that the network and the CA server are
reachable and working normally.

Context
The NE9000 supports IRs and KURs.
● IR: When the NE9000 has not yet obtained a certificate issued by the carrier's CA, it
sends an IR to request an identity authentication certificate.
● KUR: Each certificate has a validity period with definite start and end dates.
Therefore, the NE9000 needs to update its certificate before the certificate
expires. Automatic certificate update can be configured on the NE9000.


Certificates obtained using IRs are stored on the CF card but do not take effect.
These certificates take effect only after they are imported to the memory using a
command. Certificates obtained using KURs can be automatically saved in the
memory if the KUR function is enabled.

Perform the following steps on the NE9000 where you need to apply for a
certificate.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the pki domain domain-name command to enter the PKI domain name
configuration view.

Step 3 Run the pki cmp initial-request command to use IRs to apply for a certificate for
the local device.

Step 4 (Optional) Stop the process of polling a CMP request.

If the NE9000 does not receive any response from the connected CA server after
sending a CMP request, it polls the CMP request. You can perform the following
steps to stop the CMP request polling process.

1. Run the pki cmp session session-name command to enter the CMP session
view.
2. Run the cmp poll-request stop command to manually stop the process of
polling a CMP request.
3. Run the quit command to return to the PKI domain name configuration view.

Step 5 Run the quit command to return to the system view.

Step 6 Run the pki import-certificate local [ domain domainName ] filename file-
name command to import the local certificate.
NOTE

To ensure high security, you are advised not to import certificates that use the MD5 or
SHA1 algorithm. The recommended key length of a certificate is 2048 bits or more.
The default domain of the PKI is a reserved domain. In the default domain, you can run the
pki import-certificate command to install the downloaded user certificate or run the pki
load preset-local domain default command to load the preconfigured local certificate. By
default, a preconfigured local certificate has been loaded to the default domain.

Step 7 Run the pki domain domain-name command to enter the PKI domain name
configuration view.

Step 8 Run the pki cmp session session-name command to enter the CMP session view.

Step 9 Run the cmp request authentication-cert cert-name command to configure a
certificate to be carried in a CMPv2 request for identity authentication.

Step 10 Run the quit command to return to the PKI domain name configuration view.

Step 11 Run the quit command to return to the system view.

Step 12 Run the pki import-certificate ca [ domain domainName ] filename file-name
command to import the CA certificate.

NOTE

To ensure high security, you are advised not to import certificates that use the MD5 or
SHA1 algorithm. The recommended key length of a certificate is 2048 bits or more.
The default domain of the PKI is a reserved domain. In the default domain, you can run the
pki import-certificate command to install the downloaded user certificate or run the pki
load preset-ca domain default command to load the preconfigured CA certificate.

Step 13 (Optional) Enable the automatic certificate update function.


1. Run the pki domain domain-name command to enter the PKI domain name
configuration view.
2. Run the pki cmp session session-name command to enter the CMP session
view.
3. Run the certificate auto-update enable command to enable the automatic
certificate update.
4. (Optional) Run the certificate update expire-time valid-percent command to
configure the percentage of the time for automatic certificate update.

Step 14 Run the commit command to commit the configuration.

Step 15 Verify the configuration.

If IR-based certificate application succeeds, DomainName_ir.cer and
DomainName_caX.cer files exist on the CF card. There are several
DomainName_caX.cer files, such as DomainName_ca0.cer,
DomainName_ca1.cer, and DomainName_ca2.cer.

----End

1.1.16.3.5 Verifying the Configuration of CMP-based Certificate Management


After configuring CMP-based certificate management, check the configurations.

Prerequisites
CMP-based certificate management has been configured.

Procedure
Step 1 Run the display rsa pki local-key-pair public command to check RSA key pairs.

Step 2 Run the display pki match-rsa-key certificate-filename file-name command to
check the RSA key pair used by a specific certificate.

Step 3 Run the display pki cert-req filename file-name command to check the
certificate request file with a specific name.

Step 4 Run the display pki certificate filename file-name command to check the
certificate file with a specific name.

Step 5 Run the display pki crl filename file-name command to check the CRL file with a
specific name.

Step 6 Run the display pki ca_list [ domain domainName ] command to check the CA
certificates and CRL in the memory of a device.


Step 7 Run the display pki cert_list [ domain domainName ] command to check local
certificates in the memory of a device.

----End

1.1.16.4 Configuring PKI Certificate


Configuring PKI certificate involves creating RSA key pairs, configuring entity
information, obtaining certificates and verifying the certification validity.

Applicable Environment
Two devices use digital certificates to authenticate each other's identity when
establishing a VPN, which prevents man-in-the-middle attacks.
As shown in Figure 1-49, Device A and Device B apply for certificates from the same CA
server, and download CA certificates and local certificates from the server. When
an IPsec VPN needs to be established for data transmission between Device A and
Device B, Device A and Device B must authenticate each other using certificates.
Only after both have passed authentication can they set up the IPsec VPN.

Figure 1-49 Diagram for configuring certificate-based authentication

Pre-configuration Tasks
Before configuring the entity information, complete the following tasks:
● Assign an IP address to each interface.
● Configure routes between the devices that use digital certificates to
authenticate each other's identity when establishing a VPN.

1.1.16.4.1 Creating an RSA Key Pair


Before applying for certificates, create RSA key pairs.

Usage Scenario
Generating a key pair is a prerequisite for applying for a certificate. The key pair
consists of a private key and a public key. The private key is kept by the user, and the
public key and other information are delivered to the CA. The CA then generates a
certificate containing the public key and signs it with the CA's own private key. If the
user's private key is disclosed, the user must delete the old key pair, create a new key
pair, and reapply for a certificate.

NOTE

The private key on the device is encrypted before being stored.

RSA is named after its inventors, Ron Rivest, Adi Shamir, and Leonard Adleman,
and is a public-key cryptosystem. RSA key pairs are categorized into host key pairs
and server key pairs. Each key pair is composed of a private key and a public key.
These two key pairs are used by SSH. The server key pair is periodically changed by
the local server, while the host key pair remains unchanged. The host key pair is
used when you apply for a certificate.

NOTE

● If an unnamed RSA key pair exists on a device, a newly created key pair overwrites the
old one. If multiple RSA key pairs exist or a named RSA key exists on a device, delete the
existing RSA key pairs before creating and renaming RSA key pairs.
● After the key pair is deleted or replaced, the existing certificate becomes invalid. You
need to apply for a new certificate, which ensures the RSA key pair and certificate
match.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run rsa pki local-key-pair [ key-name ] create

The local key pair is created.

NOTE

If the RSA key pair already exists on the device, you can also run the pki import rsa-key-
pair keypair-name { der key-filename | pem key-filename password password-val }
command to import the RSA key pair to the device memory for the configuration to take
effect. In this case, you do not need to create an RSA key pair.

----End

1.1.16.4.2 Configuring Entity Information


When applying for certificates, an entity must add entity information to a
certificate request file and send the file to the CA. The CA uses a piece of
important information to describe an entity, and identifies the entity using a
unique Distinguished Name (DN).

Context
The local certificate associates user identity information with the user public key,
while the identity information must be associated with a specific PKI entity. The
CA identifies the certificate applicant based on the identity information that the
entity provides. The entity information includes:

● Common name of the entity
● Country code of the entity
● Email address of the entity
● Fully Qualified Domain Name (FQDN) of the entity
● IP address of the entity
● Name of the region where the entity resides
● Organization name of the entity
● Department name of the entity
● State or province of the entity
NOTE

In the entity information, the common name of the entity is mandatory. Whether to
configure other attributes depends on the certificate issuing policy on the CA server. If
the configured attributes do not match the certificate issuing policy of the CA, the
certificate application will fail.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run pki entity entity-name

An entity name is created and the entity view is displayed.

Step 3 Configure entity attributes.


● Run common-name cn-name
The common name of the entity is configured.
● (Optional) Run country country-code
The country code of the entity is specified.
● (Optional) Run email email-address
The email address of the entity is configured.
● (Optional) Run fqdn fqdn-name
The FQDN of the entity is configured.
● (Optional) Run ip-address ip-address
The IP address of the entity is configured.
● (Optional) Run locality locality-name
The name of the locality where the entity resides is specified.
● (Optional) Run organization organization-name
The organization name of the entity is specified.
● (Optional) Run organization-unit org-unit
The department name of the entity is configured.
● (Optional) Run state state-province-name
The state or province of the entity is configured.

Step 4 Run commit
The configuration is committed.

----End
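The entity attributes configured above become the subject DN (and the subjectAltName entries) of the certificate request, and the CA accepts the request only if they satisfy its issuing policy. The following added example (not NE9000 code; it applies equally to the CMP entity procedure in 1.1.16.3 and the PKI certificate entity procedure here) builds the DN with RFC 4514 escaping and checks the entity against a CA policy before the request is generated. The Entity class, the attribute names and the policy dictionary format are assumptions of the example.

```python
"""Map PKI entity attributes to the subject DN and subjectAltName values that
end up in the certificate request, and check them against the CA's issuing
policy before the request is sent. Added example, not NE9000 code; the Entity
fields mirror the entity view commands, and the policy dict format is an
assumption of this example."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Entity attribute -> RDN type. Rendered most-specific-first (CN ... C) per RFC 4514.
RDN_TYPES = [("common_name", "CN"), ("organization_unit", "OU"),
             ("organization", "O"), ("locality", "L"),
             ("state", "ST"), ("country", "C")]


@dataclass
class Entity:
    common_name: str                         # common-name cn-name (mandatory)
    country: Optional[str] = None            # country country-code, ISO 3166-1 alpha-2
    state: Optional[str] = None              # state state-province-name
    locality: Optional[str] = None           # locality locality-name
    organization: Optional[str] = None       # organization organization-name
    organization_unit: Optional[str] = None  # organization-unit org-unit
    email: Optional[str] = None              # email -> SAN rfc822Name
    fqdn: Optional[str] = None               # fqdn -> SAN dNSName
    ip_address: Optional[str] = None         # ip-address -> SAN iPAddress


def escape_rdn_value(value: str) -> str:
    """RFC 4514 escaping, so an organization such as 'Acme, Inc.' cannot
    smuggle an extra RDN (e.g. ',CN=admin') into the DN string."""
    out = re.sub(r'([,+"\\<>;=])', r'\\\1', value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def validate(entity: Entity) -> List[str]:
    """Local sanity checks that would otherwise surface as a failed request."""
    errors = []
    if not entity.common_name.strip():
        errors.append("common-name is mandatory")
    if entity.country is not None and not re.fullmatch(r"[A-Z]{2}", entity.country):
        errors.append("country must be a two-letter ISO 3166-1 code")
    if entity.ip_address is not None:
        try:
            ipaddress.ip_address(entity.ip_address)
        except ValueError:
            errors.append(f"ip-address {entity.ip_address!r} is not a valid address")
    return errors


def build_dn(entity: Entity) -> str:
    """Subject DN as an RFC 4514 string, e.g. CN=pe1,O=Acme\\, Inc.,C=CN."""
    rdns = []
    for attr, rdn_type in RDN_TYPES:
        value = getattr(entity, attr)
        if value is not None:
            rdns.append(f"{rdn_type}={escape_rdn_value(value)}")
    return ",".join(rdns)


def build_san(entity: Entity) -> List[str]:
    """SAN entries in OpenSSL's DNS:/IP:/email: notation."""
    san = []
    if entity.fqdn:
        san.append(f"DNS:{entity.fqdn}")
    if entity.ip_address:
        san.append(f"IP:{entity.ip_address}")
    if entity.email:
        san.append(f"email:{entity.email}")
    return san


def check_issuing_policy(entity: Entity, policy: Dict[str, list]) -> List[str]:
    """The CA's issuing policy decides which attributes must be present and
    which values it accepts; a mismatch makes the application fail on the CA
    side, so it is checked here first. Policy format (assumed):
    {"required": [attribute names], "allowed_countries": [codes]}."""
    problems = validate(entity)
    for attr in policy.get("required", []):
        if not getattr(entity, attr, None):
            problems.append(f"CA policy requires {attr}")
    allowed = policy.get("allowed_countries")
    if allowed and entity.country not in allowed:
        problems.append(f"country {entity.country!r} not accepted by the CA")
    return problems


if __name__ == "__main__":
    # Constructed sample entity.
    pe1 = Entity(common_name="ne9000-pe1", country="CN", organization="Acme, Inc.",
                 fqdn="pe1.example.net", ip_address="192.0.2.1")
    print(build_dn(pe1), build_san(pe1))
    print(check_issuing_policy(pe1, {"required": ["common_name", "organization"]}))
```

The escaping matters because the DN is assembled from operator-typed strings: an unescaped comma in an organization name would otherwise be parsed as an additional RDN by the CA.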

1.1.16.4.3 Obtaining a Certificate


To use certificates to authenticate users, the entity needs to obtain a local
certificate and CA certificates. A local certificate proves the identity of the entity,
and a CA certificate proves that the local certificate was issued by a legitimate CA.

Context
NOTE

In the two-node cluster scenario, you are advised to set different certificate expiration dates
for the active and standby devices to prevent the active and standby devices from both
being unavailable.

You can perform the following operations to obtain the certificates:


● Configure a PKI domain.
Before sending a certificate request, create a PKI domain and configure the
entity information in the PKI domain.
A PKI domain is valid only on the local device and unavailable to certificate
authorities (CAs) or other devices. Each PKI domain has its own parameters.
● Manually apply for certificates.
After the NE9000 generates a certificate request file, users send the file to the
CA through FTP, disk, or email to apply for certificates from the CA.
● Manually download certificates.
After the certificates are generated on the CA server, you can download the
CA certificate and local certificate through FTP, disk, or email.
● Install certificates.
After obtaining CA certificates and a local certificate, install them on the
device to take effect.

Procedure
● Configure a PKI domain.
a. Run the system-view command to enter the system view.
b. Run the pki domain domain-name command to create a PKI domain and
enter the PKI domain view.
NOTE

If a non-default key pair is required, perform the following operations:


1. Run the pki cmp session session-name command to create a CMP session
and enter the PKI CMP session view.
2. Run the cmp request rsa local-key-pair key-name [ regenerate [ key-bit ] ]
command to specify a local RSA key pair used in CMP requests.
c. Run the certificate request entity entity-name command to specify an
entity name.

The entity name must already exist.
d. Run the commit command to commit the configuration.
● Apply for a certificate.
a. Run the system-view command to enter the system view.
b. (Optional) Run the pki file-format { der | pem } command to configure
the certificate file format.
c. Run the pki request-certificate domain domain-name pkcs10 command
to generate a certificate request file named domain-name.req.
d. Apply for a local certificate.
A user can use FTP, a floppy disk, or an email to send a certificate
application file to the CA to apply for a local certificate.
e. (Optional) Run the commit command to commit the configuration.
● Download the certificates manually.
● Install the certificate.
a. Run the system-view command to enter the system view.
b. Run the pki import-certificate { ca | local | peer } [ domain
domainName ] filename file-name command to install the CA certificate
or local certificate.
NOTE

To ensure high security, you are advised not to import certificates that use the
MD5 or SHA1 algorithm. The recommended key length of a certificate is 2048
bits or more.
The default domain of the PKI is a reserved domain. In the default domain, you
can run the pki import-certificate command to install the downloaded user
certificate or run the pki load { preset-ca | preset-local } domain default
command to load the preconfigured local certificate or CA certificate. By default,
a preconfigured local certificate has been loaded to the default domain.
c. (Optional) Run the pki strict-mode command to enable the PKI strict
check mode.
----End

1.1.16.4.4 Verifying the PKI Certificate Configuration


After configuring PKI certificates, check the configurations.

Prerequisites
PKI certificates have been configured.

Procedure
Step 1 Run the display rsa pki local-key-pair [ file-name ] public command to check
information about the public key of the RSA key pair.
Step 2 Run the display pki cert-req filename file-name command to check contents in
the specific certificate request file.
Step 3 Run the display pki certificate filename file-name command to check contents
in the specific certificate.


Step 4 Run the display pki ca_list [ domain domainName ] command to check contents
in the CA certificates that are imported into the memory of the device.
Step 5 Run the display pki cert_list [ domain domainName ] command to check
contents in the local certificate that is imported into the memory of the device.

----End

1.1.16.5 Configuring Certificate Validity Check


To ensure communication security during IPsec negotiation, configure certificate
validity check.

Context
Once certificates have been obtained, an IPsec tunnel can be set up between two devices
after the devices pass identity verification during IPsec negotiation. To ensure
communication security during IPsec negotiation, configure certificate validity
check. The router supports CRL check as well as validation of CA certificates and
local certificates.

Pre-configuration Tasks
Before configuring certificate validity check, complete the task of Obtaining
Certificates.

1.1.16.5.1 Configuring the CRL Function


Configuring the CRL function consists of enabling CRL check and updating the
CRL. After the CRL function is configured, a device checks the validity of the peer
device's certificate. If the serial number of the peer device's certificate is listed in
the CRL, the peer device's certificate has been revoked and is considered invalid.

Prerequisites
Before configuring automatic CRL update, verify that the network and the CRL server
are reachable and working normally.

Context
Before configuring the CRL function, be aware of the following information:
● Enable CRL check.
Before configuring CRL, enable CRL check.
When a certificate is being verified after CRL check is enabled, the CRL is
queried for checking whether it contains the serial number of the certificate. If
the CRL contains the serial number of the certificate, the certificate has been
revoked and considered invalid. For details about how to verify the certificate
validity, see 1.1.16.5.2 Verifying the Certificates.
● Update the CRL.
To ensure that the latest CRL is used, check the CRL status periodically and
download the latest CRL from the CRL server using HTTP or LDAP.
Updating the CRL consists of automatically updating the CRL and manually
updating the CRL. Automatically updating the CRL can be implemented using
HTTP or LDAP. After the specified interval elapses, the system automatically
downloads the CRL using HTTP or LDAP. When the latest CRL is urgently
required, manually update the CRL by downloading the CRL from the CRL
server.

If the device does not have any homogeneous CRL, the new CRL is imported into the
non-domain.

If the device has exactly one homogeneous CRL, the new CRL replaces it.

If the device has multiple homogeneous CRLs, the new CRL preferentially replaces the
homogeneous CRL in the local domain. If there is none in the local domain, the new
CRL replaces the homogeneous CRL in the non-domain. If neither condition is met, the
new CRL is imported into the non-domain.

Homogeneous CRLs are CRLs with the same issuer and subject. The local domain is the
PKI domain whose CRL is being automatically updated. The non-domain is an isolated
store that does not belong to any PKI domain.

Procedure
Step 1 Enable CRL check.
1. Run the system-view command to enter the system view.
2. Run the pki crl check enable command to enable CRL check.

Step 2 Update the CRL.

NOTE

When the system is configured to automatically update the CRL using HTTP or LDAP,
ensure that there is sufficient space on the CF card for the CRL file.

Perform the following operations as needed.


● Enable the function of automatically updating the CRL using HTTP.
a. Run the system-view command to enter the system view.
b. Run the pki domain domain-name command to enter the PKI domain
name configuration view.
c. Run the crl auto-update enable command to enable automatic CRL
update.
d. Run the crl update-period interval command to set an interval between
two consecutive automatic CRL updates.
e. Run the crl http command to enable the function of automatically
updating the CRL using HTTP.
f. Run the crl url url-addr [ source source-ip-address ] [ vpn-instance vpn-
instance-name ] command to configure the URL of the CRL distribution
point (CDP).
This command can be executed only after the crl http command is run.

g. Run the commit command to commit the configuration.
● Enable the function of automatically updating the CRL using LDAP.
a. Run the system-view command to enter the system view.
b. (Optional) Run the ssl policy policy-name command to create an SSL
policy and enter the SSL policy view.
After creating the SSL policy, import a CA certificate to it. For details, see
Basic Configuration > Accessing Other Devices Configuration >
Configuring and Binding an SSL Policy.
c. Run the quit command to return to the system view.
d. (Optional) Run the pki ldap bind ssl-policy policy-name command to
bind the SSL policy to the device functioning as an LDAP client.
e. Run the pki domain domain-name command to enter the PKI domain
name configuration view.
f. Run the crl auto-update enable command to enable automatic CRL
update.
g. Run the crl update-period interval command to set an interval between
two consecutive automatic CRL updates.
h. Run the crl ldap command to enable the function of automatically
updating the CRL using LDAP.
i. Run the ldap-server { authentication ldap-dn ldap-password | ip ldap-
ip-address [ vpn-instance vpn-instance-name ] [ source source-ip-
address ] { [ port port ] | [ version version ] } * [ ssl ] } command to
configure the LDAP server.
NOTE

If the ssl parameter is specified, you need to bind the SSL policy to the LDAP
client. For details, see optional steps b and d.
This command can be executed only after the crl ldap command is run.
j. Run the crl ldap [ attribute attr-value ] dn dn-value command to
configure the attributes and identifier used to obtain the CRL from the
LDAP server.
This command can be executed only after the crl ldap command is run.
k. Run the commit command to commit the configuration.
● Manually update the CRL.
a. Download a CRL. Select a CRL download mode as needed.
▪ Run the system-view command to enter the system view.
▪ Run the pki http url-addr [ vpn-instance vpn-instance-name ] save-name
[ source source-ip-address ] command to download a CRL through HTTP.
▪ Run the pki ldap ip ldap-ip-address [ vpn-instance vpn-instance-name ]
[ source source-ip-address ] port port version version [ attribute attr-value ]
[ authentication ldap-dn ldap-password ] [ ssl ] save-name dn dn-value
command to download a CRL through LDAP.
b. Run the pki import-certificate crl [ domain domainName ] filename
file-name command to import the CRL.
----End
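The CRL placement rule described in the context above is easier to follow as code. The following added example (not NE9000 code) implements the serial-number check performed when CRL check is enabled and the homogeneous-CRL replacement order (local domain first, then non-domain, otherwise a new entry in the non-domain). The store layout, the NON_DOMAIN name and the handling of an issuer for which no CRL has been imported are assumptions of the example.

```python
"""CRL check by serial number plus the CRL placement rule described above: a
newly imported CRL replaces the homogeneous CRL (same issuer and subject) in
the local domain first, failing that the one in the non-domain, otherwise it
is added to the non-domain. Added example, not NE9000 code; the store layout,
the NON_DOMAIN name and the 'no-crl' outcome are assumptions of this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

NON_DOMAIN = "<non-domain>"   # isolated store that belongs to no PKI domain (assumed name)


@dataclass
class Crl:
    issuer: str
    subject: str
    revoked_serials: Set[int]
    crl_number: int = 0


@dataclass
class CrlStore:
    by_domain: Dict[str, List[Crl]] = field(default_factory=dict)

    def all_crls(self) -> List[Crl]:
        return [c for crls in self.by_domain.values() for c in crls]


def is_homogeneous(a: Crl, b: Crl) -> bool:
    return a.issuer == b.issuer and a.subject == b.subject


def import_crl(store: CrlStore, new: Crl, local_domain: str) -> str:
    """Place 'new' according to the rule and return the domain it landed in."""
    matches: List[Tuple[str, int]] = [
        (d, i) for d, crls in store.by_domain.items()
        for i, c in enumerate(crls) if is_homogeneous(c, new)]
    if len(matches) == 1:                            # exactly one homogeneous CRL: replace it
        d, i = matches[0]
        store.by_domain[d][i] = new
        return d
    for preferred in (local_domain, NON_DOMAIN):     # several: local domain, then non-domain
        for d, i in matches:
            if d == preferred:
                store.by_domain[d][i] = new
                return d
    store.by_domain.setdefault(NON_DOMAIN, []).append(new)   # none matched: new entry
    return NON_DOMAIN


def check_revocation(store: CrlStore, cert_issuer: str, cert_serial: int,
                     crl_check_enabled: bool = True) -> str:
    """'revoked' if the serial appears on a CRL from the certificate's issuer.
    With CRL check disabled nothing is consulted; with no CRL for the issuer
    the outcome is reported rather than silently treated as good (assumption)."""
    if not crl_check_enabled:
        return "not-checked"
    crls = [c for c in store.all_crls() if c.issuer == cert_issuer]
    if not crls:
        return "no-crl"
    if any(cert_serial in c.revoked_serials for c in crls):
        return "revoked"
    return "good"


if __name__ == "__main__":
    # Constructed sample: an older CRL in PKI domain dom1, a newer one imported.
    store = CrlStore({"dom1": [Crl("CN=Root CA", "CN=Root CA", {0x10}, 4)]})
    print(import_crl(store, Crl("CN=Root CA", "CN=Root CA", {0x10, 0x30}, 6), "dom1"))
    print(check_revocation(store, "CN=Root CA", 0x30))
```

Note that a revoked peer certificate is only caught if the CRL on the device is current, which is why the guide pairs CRL check with periodic (HTTP or LDAP) CRL update.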

1.1.16.5.2 Verifying the Certificates


This section describes how to verify the certificates on the local and peer devices.

Prerequisites
● Creating an RSA Key Pair
● Obtaining Certificates
● (Optional) Configuring the CRL Function

Context
If IPsec negotiation that is implemented using certificates fails between two
devices, run the pki validate-certificate command to check the signature and
validity period of certificates for fault locating.
If the CRL check function has been enabled (for detailed configuration, see Step 1
in 1.1.16.5.1 Configuring the CRL Function), the system first checks whether the
serial number of the peer device's certificate is listed in the CRL and then verifies
the signature and validity period information.
The device automatically checks the validity of all installed local certificates and
CA certificates periodically. The default check period is 5 minutes. If a fault is
detected, an alarm is generated. For certificate validity check, the default
expiration pre-warning period is 90 days. That is, an alarm is generated 90 days
before the certificate expires, prompting a user to prepare to obtain a new
certificate in advance.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Manually verify certificates.
NOTE

The pki validate-certificate ca command verifies only root CA certificates but not
subordinate certificates. If a NE9000 device imports multiple CA certificates, run the pki
validate-certificate local command to verify subordinate certificates.
If an imported CA file contains multiple certificates, only the first certificate is verified.
● Run pki validate-certificate ca { domain domainName | filename file-
name }
The root certificate is verified.
● Run pki validate-certificate local { domain domainName | filename file-
name }
The local certificate or subordinate certificate is verified.
● Run pki validate-certificate peer { domain domainName | filename file-
name }

The peer certificate is verified.
Step 3 (Optional) Run pki set-certificate check-period period-value
The automatic certificate validity check interval is configured.
Step 4 (Optional) Run pki set-certificate expire-prewarning prewarning-days
The pre-warning time for certificate expiration is configured.
Step 5 Run commit
The configuration is committed.

----End
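The KUR trigger in 1.1.16.3.4 (automatic update when the remaining validity reaches the configured percentage) and the periodic validity check with its expiration pre-warning described above are both date arithmetic on the certificate's notBefore and notAfter. The following added example (not NE9000 code) combines them in one check routine. Interpreting valid-percent as remaining validity over total validity, and the staggering helper for the two-node cluster note in 1.1.16.4.3, are assumptions of the example.

```python
"""Periodic certificate check combining the two timers described above: the
CMP automatic update fires a KUR when the remaining validity drops to the
configured percentage (certificate update expire-time valid-percent), and the
validity check raises an alarm expire-prewarning days before expiry (90 by
default). Added example, not NE9000 code; interpreting valid-percent as
remaining/total validity, and the staggering helper for the two-node case, are
assumptions of this example."""
from datetime import datetime, timedelta, timezone
from typing import List


def at(year: int, month: int, day: int) -> datetime:
    """Constructed UTC timestamps for the sample below."""
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample certificate: valid for all of 2023 (365 days).
NOT_BEFORE = at(2023, 1, 1)
NOT_AFTER = at(2024, 1, 1)


def remaining_percent(not_before: datetime, not_after: datetime, now: datetime) -> float:
    """Percentage of the certificate's total validity period still left."""
    total = (not_after - not_before).total_seconds()
    if total <= 0:
        raise ValueError("notAfter must be later than notBefore")
    left = (not_after - now).total_seconds()
    return max(0.0, min(100.0, 100.0 * left / total))


def check_certificate(not_before: datetime, not_after: datetime, now: datetime,
                      valid_percent: float, prewarning_days: int = 90,
                      auto_update_enabled: bool = True) -> List[str]:
    """Actions the periodic check (default period 5 minutes) should trigger at 'now'."""
    if now >= not_after:
        return ["expired"]           # alarm; IPsec peers will reject this certificate
    actions = []
    if auto_update_enabled and remaining_percent(not_before, not_after, now) <= valid_percent:
        actions.append("send-kur")   # CMPv2 key update request to the CA
    if not_after - now <= timedelta(days=prewarning_days):
        actions.append("prewarning-alarm")
    return actions


def cluster_expiry_staggered(active_not_after: datetime, standby_not_after: datetime,
                             min_gap_days: int = 30) -> bool:
    """Two-node cluster caveat: if both certificates expire together, one missed
    renewal takes both nodes down. The 30-day gap is an assumed operational choice."""
    return abs(active_not_after - standby_not_after) >= timedelta(days=min_gap_days)


if __name__ == "__main__":
    for day in (at(2023, 6, 1), at(2023, 10, 15), at(2023, 12, 1), at(2024, 2, 1)):
        print(day.date(), check_certificate(NOT_BEFORE, NOT_AFTER, day, valid_percent=10))
    print(cluster_expiry_staggered(NOT_AFTER, at(2024, 2, 15)))
```

Set valid-percent so that the KUR fires well before the pre-warning alarm would be raised; if the automatic update fails repeatedly, the alarm is then the signal to intervene manually while the certificate is still valid.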

1.1.16.6 Controlling Certificate Access Based on Certificate Attributes


The access control policy based on certificate attributes is an extra measure for
certificate-based authentication. Only the certificates meeting specific
requirements can be authenticated. This achieves refined control on user access
permissions.

Context
In the application scenario where the certificate verification mechanism is used to
establish an IPsec tunnel, it may be required that only certificates meeting
specific requirements can be authenticated for the establishment of the IPsec
tunnel. For example, only certificates issued by a specific CA can be authenticated.
You can also configure the access control policy that allows only certificates of
specific devices to be authenticated, so that only these devices can establish IPsec
tunnels. This achieves refined control on user access permissions.
If the information in a certificate matches none of the rules in the access control
policy, the default access control policy is applied on the NE9000. The default action
is permit, so such a certificate is still accepted unless you change the default action
to deny.

Procedure
● Configure the access control policy based on certificate attributes.
NOTE

● If multiple attribute rules are configured in a certificate attribute group, the
relationship between the rules is "And". This means that the action defined in the
certificate attribute group will be implemented only if the certificate to be
authenticated matches all the rules.
● If multiple control rules are configured in an access control policy based on
certificate attributes, the relationship between the rules is "Or". This means that
the action defined in the access control policy is implemented as soon as the
certificate to be authenticated matches one rule; subsequent rules are not evaluated.
● If multiple access control policies are configured in the system based on certificate
attributes, the policies are matched one by one. If the certificate to be
authenticated matches no control policy, the action in the default access control
policy is implemented.
a. Run system-view
The system view is displayed.

b. Run pki certificate attribute-group group-name
A certificate attribute group is created and the PKI attribute configuration
view is displayed.
c. Run the following commands to configure certificate attribute rules:
▪ Run attribute id alt-subject-name fqdn { ctn | equ | nctn | nequ }
attribute-value
The attribute rule for matching a specific FQDN in an alternative
subject name is configured.
▪ Run attribute id alt-subject-name ip { ctn | equ | nctn | nequ } ip-address
The attribute rule for matching a specific IP address in an alternative
subject name is configured.
▪ Run attribute id issuer-name dn { ctn | equ | nctn | nequ } attribute-value
The attribute rule for matching a specific certificate issuer name is
configured.
▪ Run attribute id subject-name dn { ctn | equ | nctn | nequ } attribute-value
The attribute rule for matching a specific certificate subject name is
configured.
d. Run quit
Return to the system view.
e. Run pki certificate access-control-policy policy-name
The access control policy based on certificate attributes is created and the
PKI access configuration view is displayed.
f. Run rule id { permit | deny } group-name
The control rules for certificate attributes are configured.
g. Run commit
The configuration is committed.


● Configure the default access control policy based on certificate attributes.
a. Run system-view
The system view is displayed.
b. Run pki certificate access-control-policy default { deny | permit }
The default access control policy based on certificate attributes is
configured.
If the certificate access control policy is not required during negotiation
for establishing an IPsec tunnel, run the pki certificate
access-control-policy default permit command to permit the certificate to
be authenticated.
c. Run commit
The configuration is committed.

----End
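The matching semantics described in the NOTE above (rules inside an attribute group are ANDed, control rules inside a policy are ORed and checked in rule-id order with the first match deciding, and the default policy applies when nothing matches), modelled in Python as an added example that is not Huawei code. The class and function names, the case-insensitive comparison, and the handling of multi-valued SAN entries are assumptions of this model; the groups, policy and certificates are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Union

# A certificate is reduced to the four attributes the policy can test.
Cert = Dict[str, Union[str, List[str]]]

@dataclass
class AttributeRule:
    """One 'attribute id <attribute> { ctn | equ | nctn | nequ } <value>' rule."""
    attribute: str  # alt-subject-name-fqdn | alt-subject-name-ip | issuer-name-dn | subject-name-dn
    operator: str   # ctn = contains, equ = equals, nctn = does not contain, nequ = does not equal
    value: str

    def matches(self, cert: Cert) -> bool:
        if self.operator not in ("ctn", "equ", "nctn", "nequ"):
            raise ValueError(f"unknown operator: {self.operator}")
        raw = cert.get(self.attribute, [])
        values: List[str] = [raw] if isinstance(raw, str) else list(raw)
        # Assumptions of this model: comparisons are case-insensitive, and a
        # multi-valued attribute (several SAN entries) satisfies ctn/equ when
        # any entry does; nctn/nequ are the negations of ctn/equ.
        if self.operator in ("equ", "nequ"):
            if self.attribute == "alt-subject-name-ip":
                hit = any(ip_address(v) == ip_address(self.value) for v in values)
            else:
                hit = any(v.casefold() == self.value.casefold() for v in values)
        else:
            hit = any(self.value.casefold() in v.casefold() for v in values)
        return hit if self.operator in ("ctn", "equ") else not hit

@dataclass
class CertificateAttributeGroup:
    """'pki certificate attribute-group <name>': all rules must match ("And")."""
    name: str
    rules: List[AttributeRule]

    def matches(self, cert: Cert) -> bool:
        return all(rule.matches(cert) for rule in self.rules)

@dataclass
class ControlRule:
    """'rule <id> { permit | deny } <group-name>' inside an access control policy."""
    rule_id: int
    action: str      # "permit" or "deny"
    group_name: str

@dataclass
class AccessControlPolicy:
    """'pki certificate access-control-policy <name>': first matching rule wins ("Or")."""
    name: str
    rules: List[ControlRule]

def evaluate_policy(policy: AccessControlPolicy, groups: Dict[str, CertificateAttributeGroup],
                    cert: Cert, default_action: str) -> str:
    """Return "permit" or "deny" for cert under policy, falling back to the default policy."""
    for rule in sorted(policy.rules, key=lambda r: r.rule_id):
        if groups[rule.group_name].matches(cert):
            return rule.action   # later rules are not examined
    return default_action        # 'pki certificate access-control-policy default { deny | permit }'

# Constructed sample configuration and certificates (not real data).
GROUPS = {
    "corp-router": CertificateAttributeGroup("corp-router", [
        AttributeRule("issuer-name-dn", "ctn", "O=Example Corp"),
        AttributeRule("subject-name-dn", "ctn", "OU=Routers"),
    ]),
    "retired-gateway": CertificateAttributeGroup("retired-gateway", [
        AttributeRule("alt-subject-name-fqdn", "equ", "old-gw.example.com"),
    ]),
}
POLICY = AccessControlPolicy("ipsec-peers", [
    ControlRule(1, "deny", "retired-gateway"),   # checked first
    ControlRule(2, "permit", "corp-router"),
])
ROUTER_CERT: Cert = {
    "subject-name-dn": "CN=pe1.example.com,OU=Routers,O=Example Corp",
    "issuer-name-dn": "CN=Example Corp Device CA,O=Example Corp",
    "alt-subject-name-fqdn": ["pe1.example.com"],
    "alt-subject-name-ip": ["192.0.2.1"],
}
OLD_GATEWAY_CERT: Cert = {   # matches both groups; rule 1 (deny) is reached first
    "subject-name-dn": "CN=old-gw.example.com,OU=Routers,O=Example Corp",
    "issuer-name-dn": "CN=Example Corp Device CA,O=Example Corp",
    "alt-subject-name-fqdn": ["old-gw.example.com"],
    "alt-subject-name-ip": ["192.0.2.254"],
}
LAPTOP_CERT: Cert = {        # right issuer, wrong OU: only one rule of corp-router matches
    "subject-name-dn": "CN=laptop7,OU=Laptops,O=Example Corp",
    "issuer-name-dn": "CN=Example Corp Device CA,O=Example Corp",
}

if __name__ == "__main__":
    for label, cert in (("router", ROUTER_CERT), ("old gateway", OLD_GATEWAY_CERT), ("laptop", LAPTOP_CERT)):
        print(f"{label}: {evaluate_policy(POLICY, GROUPS, cert, 'deny')}")
```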

1.1.16.7 Maintaining PKI


Maintaining certificates involves deleting certificates and deleting RSA key pairs.

NOTICE

A device runs a version earlier than and has PKI configured. A PKI key is changed
after the device is upgraded from a version earlier than V800R011C10 to the
current version. After the device is rolled back to a version earlier than
V800R011C10, the new key does not take effect. In this case, you need to create a
certificate again.

NOTICE

If the current version is downgraded to a version earlier than V800R021C00, run
the dir ca_config.ini command in the user view to query the size of the current
PKI configuration file. If the file size exceeds 19 KB, the PKI certificate import and
deletion functions cannot be used after the downgrade. Therefore, you need to
delete some certificates before the downgrade and ensure that the file size is less
than 19 KB.

1.1.16.7.1 Deleting Certificates


When a certificate with a specific name expires, delete the certificate. When a key
is disclosed, delete all related CA certificates and the related local certificate, and
resend a certificate application.

Context

NOTICE

Certificates cannot be restored after being deleted. Exercise caution when running
the deletion command.

Procedure
● Delete the CA certificate and local certificate with specific names.
a. Run the system-view command to enter the system view.
b. Run the pki delete-certificate { ca | crl | local | peer } [ domain
domainName ] filename file-name command to delete a CA certificate
or local certificate with a specific name from the memory. It is not
deleted from the CF card.

NOTE
When the pki delete-certificate command is run to delete a CA certificate or
local certificate with a specific name, the system first checks whether the CA
certificate or local certificate is stored on the CF card. If it is not found on the CF
card, the deletion fails. In this case, you can run the reset pki all-cert command
to clear all certificates.
● Run the reset pki all-cert command to delete all local certificates, CA
certificates, and CRLs from the memory. They are not deleted from the CF card.
----End

1.1.16.7.2 Deleting RSA Key Pairs


When a user's key is disclosed, the corresponding key pair must be deleted, and a
new key pair needs to be created.

Context

NOTICE
After you delete the RSA key pair used by a certificate, the certificate cannot be
updated, and the RSA key pair cannot be restored. Exercise caution when deleting
an RSA key pair.

Procedure
● Run the rsa pki local-key-pair [ key-name ] destroy command to delete a
local RSA key pair.
----End

1.1.16.7.3 Clearing CMP Session Statistics


To re-collect CMP session statistics within a specific period, clear existing CMP
session statistics.

Context
NOTE
CMP session statistics cannot be restored after they are cleared. Exercise caution when
running the reset pki cmp statistics command. Before running the reset pki cmp
statistics command, run the display pki cmp statistics session session-name command to
check whether the CMP session statistics to be cleared are still required.

Procedure
Step 1 Run the reset pki cmp statistics session session-name command to clear CMP
session statistics.

----End

1.1.16.7.4 Updating the Expired Local Certificate and CRL Certificate


If the local certificate or CRL certificate expires, you need to update it.

Context
A local certificate has a validity period and has a specific start date and end date.
During certificate verification, the system checks whether the certificate is within
the validity period. If the certificate is not within the validity period, the certificate
verification fails. The CRL certificate has a validity period. If the validity period
expires, the CRL certificate cannot be used for verification, causing security risks.

NOTE

The local certificate and CRL certificate must be updated before they expire. Otherwise,
service loss or security risks may occur.

Procedure
● Update an expired local certificate in offline mode.
a. Run the system-view command to enter the system view.
b. Run the pki delete-certificate local [ domain domainName ] filename
file-name command to configure the device to delete the expired local
certificate file with the specified name from the memory.
c. Obtain the certificate. For details, see 1.1.16.4.3 Obtaining a Certificate.
● Configure CMP to update the expired local certificate.
a. Run the system-view command to enter the system view.
b. Run the pki delete-certificate local [ domain domainName ] filename
file-name command to configure the device to delete the expired local
certificate file with the specified name from the memory.
c. Configure CMP certificate application. For details, see 1.1.16.3.4
Configuring CMP-based Certificate Management.
● Configure CMP-based update of expired certificates for device identity
verification.
a. Manually apply for a new device identity certificate file from the CA
server of the CMP. For details, see 1.1.16.4.3 Obtaining a Certificate.
b. Upload the new license file to cfcard:/.
c. Run the system-view command to enter the system view.
d. Run the pki domain domain-name command to enter the view of the
PKI domain in which the certificate is to be replaced.
e. Run the pki cmp session session-name command to create a CMP
session and enter the PKI CMP session view.
f. Run the cmp request authentication-cert cert-name command to
update the certificate in a specified certificate request file.
g. Run the commit command to commit the configuration. The new
identity certificate is replaced.
● Update expired CRL certificates.
a. Run the system-view command to enter the system view.
b. Run the pki delete-certificate crl [ domain domainName ] filename
file-name command to configure the device to delete expired CRL files
with specified names from the memory.

c. Configure the CRL certificate. For details, see 1.1.16.5.1 Configuring the
CRL Function.

----End

1.1.17 Mirroring Configuration


Mirroring helps you monitor a network and troubleshoot faults.

Context
NOTE

The mirroring feature may be used to analyze the communication information of terminal
customers for a maintenance purpose. Before enabling the mirroring function, ensure that
it is performed within the boundaries permitted by applicable laws and regulations.
Effective measures must be taken to ensure that information is securely protected.

1.1.17.1 Overview of Mirroring


With the mirroring function, you can observe the traffic on a specific interface for
locating faults on the network by obtaining packets sent to or received by the
interface.

Interfaces on a network router often need to be monitored and analyzed during
network operation. Directly monitoring or analyzing interfaces that are forwarding
packets deteriorates the forwarding efficiency. To address this problem, you can
configure the mirroring function. This allows a mirroring interface to copy sent or
received packets to an observing port. After receiving the packets, the observing
port sends the packets to its directly connected analyzer. This allows you to
analyze mirrored packets to monitor network operation or locate faults in the
network.

Mirroring can be classified into the following types according to the conditions
that the packets to be copied meet:
● Port mirroring: The packets sent and received by a mirroring interface are
completely copied to a specific observing port.
● Flow mirroring: On the basis of traffic classification, only the packets that
match specific rules are copied and the other packets are filtered out. By
filtering out packets that the system is not concerned with, flow mirroring
controls mirrored packets at a fine granularity and improves the efficiency of
the packet analyzer.

Mirroring can also be classified into the following types according to the direction
in which the packets are copied:
● Upstream mirroring: All packets or packets that match specific rules received
by a mirroring interface are copied to a specific observing port.
● Downstream mirroring: All packets or the packets that match specific rules to
be sent by a mirroring interface are copied to a specific observing port.

1.1.17.2 Feature Requirements for Mirroring

1.1.17.3 Configuring Port Mirroring


Port mirroring enables a device to copy the traffic on a specified port (mirrored
port) to an observing port for analysis, so that you can determine the traffic status
of the mirrored port.

Usage Scenario
Port mirroring applies to scenarios where you want to observe and analyze the
traffic status of a port on the network device directly connected to a router. In
such scenarios, you can configure port mirroring for the router to mirror the traffic
of that port to a dedicated packet analyzer for analysis, thereby avoiding
complicated analysis on the port.

NOTE

You can configure port mirroring in either of the following ways:
● Configure port mirroring in integrated mode.
● Configure an observing port and a mirrored port, and specify the observing port for
mirroring.
Although you can configure an observing port, configure a mirrored port, and specify
the observing port for mirroring in any sequence, you need to perform all these
operations. Otherwise, port mirroring cannot take effect. When the mirroring function is
not required, you are advised to disable it so that it does not adversely affect other
services.

Pre-configuration Tasks
Before configuring port mirroring, complete the following task:
● Connect interfaces and configure physical parameters for them to ensure that
their physical status is up.

1.1.17.3.1 Configuring an Observing Port


An observing port is used to copy the traffic on a mirrored port to a packet
analyzer. To prevent running services from being adversely affected, do not use the
observing port as a service port.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run port-observing observe-index observe-index [ without-filter ]
The interface is configured as an observing port.
An observing port sends the traffic obtained from the mirrored port to a packet
analyzer without filtering or modifying frames. On the input side, frames are
mirrored before having their headers removed. On the output side, frames are
mirrored after being modified.

Step 4 (Optional) Run port-observing with-linklayer-header
Local mirroring is configured to mirror packets from their link layer headers.
Step 5 (Optional) Run port-observing dest-mac dest-mac-address
A destination MAC address is configured for mirrored packets of the observing
port.
The port-observing dest-mac dest-mac-address and port-observing pop-label
commands are mutually exclusive.
Step 6 Run commit
The configuration is committed.

----End

1.1.17.3.2 Configuring a Mirrored Port


To analyze the traffic sent or received by an interface, you can configure this
interface as a mirrored port.

Context
Local mirroring can be implemented in both common mode and mirroring
instance mode. The characteristics of the two modes are as follows:
● The common mode supports interface-based mirroring, whereas the mirroring
instance mode supports board-based mirroring.
● Both modes allow you to limit the rate of mirrored traffic. In common mode,
the rate limit needs to be configured on a specified interface. In mirroring
instance mode, a shared CAR can be configured for a specified mirroring
instance and then applied to different interfaces bound to the mirroring
instance. As such, the mirroring instance mode offers simpler configuration
and higher forwarding performance.
● The mirroring instance mode supports instance sharing, so that multiple
interfaces can share the same mirroring instance. This enables more interfaces
to support port mirroring in scenarios with limited mirroring specifications.

Table 1-27 Interfaces supporting local mirroring

Interface Type: Layer 3 Ethernet main interfaces (including Eth-Trunk interfaces)
– Mirrored Port: Supported
– Observing Port: Supported

Interface Type: Ethernet sub-interfaces (including Eth-Trunk sub-interfaces)
– Mirrored Port: Supported
NOTE: A sub-interface supports the mirroring function even when configured as a
dot1q, EVC, dot1q VLAN tag termination, or QinQ VLAN tag termination sub-interface.
– Observing Port: Supported
NOTE: A sub-interface functioning as a dot1q VLAN tag termination or QinQ VLAN
tag termination sub-interface does not support observing port configuration.
An EVC sub-interface can be configured as an observing port only when it adopts
the untag or dot1q encapsulation mode.
If an Eth-Trunk interface is configured as an observing port, downstream mirroring
is performed, and packets are mirrored from their Layer 3 headers, the mirroring
starts from the first member interface. Other traffic is mirrored among member
interfaces in load balancing mode, which depends on the configured load balancing
mode and hash factors.

Interface Type: POS interfaces
– Mirrored Port: Supported
– Observing Port: Supported

Interface Type: IP-Trunk interfaces
– Mirrored Port: Supported
– Observing Port: Supported

Procedure
● Mirroring in common mode
a. Run system-view
The system view is displayed.
b. (Optional) Run observe user-defined-filter id { offset offset-value value
value value-mask } &<1-4>
A user-defined any-byte matching rule is configured for mirrored packets.
c. Run interface interface-type interface-number
The interface view is displayed.
d. According to observation requirements, run the corresponding command
for configuration.

▪ Run the port-mirroring { inbound [ cpu-packet ] | outbound }
[ user-defined-filter user-defined-filter-id ] command to configure
the mirroring function on the interface.
NOTE
If cpu-packet is specified, only the packets sent from the interface to the
CPU are mirrored.
▪ Run the port-mirroring { inbound | outbound } vlan vlan-id1 [ to
vlan-id2 ] command to configure VLAN-based mirroring.
e. (Optional) Run port-mirroring without-linklayer-header
The mirrored port is configured to mirror packets from their Layer 3
headers.
If this command is run on the mirrored port, the port-observing
observe-index observe-index without-filter command needs to be run
on the corresponding observing port.
f. Run commit
The configuration is committed.


● Mirroring in mirroring instance mode
a. To configure mirroring in mirroring instance mode for an EVC Layer 2
sub-interface, perform the following operations:
i. Run system-view
The system view is displayed.
ii. Run mirror instance instance-name location
A mirroring instance is created.
iii. Run commit
The configuration is committed.
iv. Run interface interface-type interface-number.subnum mode l2
The EVC Layer 2 sub-interface view is displayed.
v. According to the traffic encapsulation type of the EVC Layer 2 sub-
interface, run the corresponding command to observe the traffic of
the sub-interface:
○ If the traffic encapsulation type is QinQ, run the port-mirroring
instance instance-name { inbound | outbound } [ pe-vid pe-
vlan-id ce-vid ce-vlan-id-begin [to ce-vlan-id-end ] ] identifier
{ none | pe-vid | ce-vid | pe-ce-vid } [ group group-name ]
command.
○ If the traffic encapsulation type is dot1q, run the port-mirroring
instance instance-name { inbound | outbound } [ vid vlan-id-
begin [to vlan-id-end ] ] identifier { none | vid } [ group group-
name ] command.
○ If the traffic encapsulation type is Untag or Default, run the
port-mirroring instance instance-name { inbound | outbound }
[ group group-name ] command.
vi. Run commit
The configuration is committed.
b. To configure mirroring in mirroring instance mode for a BD, perform the
following operations:

i. Run system-view
The system view is displayed.
ii. Run mirror instance instance-name location
A mirroring instance is created.
iii. Run commit
The configuration is committed.
iv. Run bridge-domain bd-id
The BD view is displayed.
v. Run port-mirroring instance instance-name { inbound | outbound }
[ group group-name ]
The traffic in the BD is observed.
vi. Run commit
The configuration is committed.

----End

1.1.17.3.3 Specifying an Observing Port for Mirroring


This section describes how to specify an observing port for mirroring. You can then
associate this port with the corresponding mirrored port.

Context
You can use either of the following methods to specify an observing port for
mirroring:
● Specify an observing port for board-based mirroring.
With this method, the mirrored traffic of the entire interface board on the
NE9000 is sent to only the same observing port.
NOTE

The observing port specified for board-based mirroring can be configured on either
the local or non-local interface board.
The mirroring instance mode supports only board-based mirroring.
● Specify an observing port for interface-based mirroring.
With this method, the mirrored traffic of an interface on the NE9000 is sent
to the specified observing port.
NOTE

Packets on an interface can be mirrored to an observing port on any interface board.
This means that the observing port can reside on the same interface board as the
mirrored port or reside on another interface board. In scenarios where observing ports
are specified for both interface-based mirroring and board-based mirroring, if the
observing port specified for interface-based mirroring is up, this port takes effect.
However, if this port is down, the observing port specified for board-based mirroring
takes effect.

Table 1-28 Interfaces supporting local mirroring

Interface Type: Layer 3 Ethernet main interfaces (including Eth-Trunk interfaces)
– Mirrored Port: Supported
– Observing Port: Supported

Interface Type: Ethernet sub-interfaces (including Eth-Trunk sub-interfaces)
– Mirrored Port: Supported
NOTE: A sub-interface supports the mirroring function even when configured as a
dot1q, EVC, dot1q VLAN tag termination, or QinQ VLAN tag termination sub-interface.
– Observing Port: Supported
NOTE: A sub-interface functioning as a dot1q VLAN tag termination or QinQ VLAN
tag termination sub-interface does not support observing port configuration.
An EVC sub-interface can be configured as an observing port only when it adopts
the untag or dot1q encapsulation mode.
If an Eth-Trunk interface is configured as an observing port, downstream mirroring
is performed, and packets are mirrored from their Layer 3 headers, the mirroring
starts from the first member interface. Other traffic is mirrored among member
interfaces in load balancing mode, which depends on the configured load balancing
mode and hash factors.

Interface Type: POS interfaces
– Mirrored Port: Supported
– Observing Port: Supported

Interface Type: IP-Trunk interfaces
– Mirrored Port: Supported
– Observing Port: Supported

Procedure
Step 1 Run system-view

The system view is displayed.
Specify an observing port for board-based mirroring or interface-based mirroring
as required.
1. Specify an observing port for board-based mirroring.
– Run the slot slot-id command to enter the slot view.
– Run the mirror to observe-index observe-index command to specify an
observing port for board-based mirroring.
2. Specify an observing port for interface-based mirroring.
– Run the interface interface-type interface-number command to enter the
interface view.
– Run the port-mirroring to observe-index observe-index command to
specify an observing port for the upstream and downstream packets of
the mirrored port.
– Run the port-mirroring to observe-index observe-index &<2-8>
[ inbound | outbound ] command to specify multiple observing ports for
the upstream or downstream packets of the mirrored port.
– Run the port-mirroring to null0 command to specify the observing port
null0 for the upstream and downstream packets of the mirrored port.
– Run the port-mirroring to observe-index observe-index { inbound |
outbound } command to specify an observing port for the upstream or
downstream packets of the mirrored port.
NOTE

The upstream and downstream packets of the mirrored port can be mirrored to either
the same observing port or different observing ports. If observing ports for upstream
and downstream packets are not both specified, the observing port specified for
board-based mirroring is used for the packets whose observing port is not specified.

Step 2 Specify an observing port for board-based mirroring or interface-based mirroring
as required.
1. Specify an observing port for board-based mirroring.
Run the mirror to observe-index observe-index command to specify an
observing port for board-based mirroring.
2. Specify an observing port for interface-based mirroring.
– Run the interface interface-type interface-number command to enter the
interface view.
– Perform the following configuration as required:
▪ Run the port-mirroring to observe-index { observe-index | null0 }
command to specify an observing port for the upstream and
downstream packets of the mirrored port.
▪ Run the port-mirroring to observe-index observe-index { inbound |
outbound } command to specify an observing port for the upstream
or downstream packets of the mirrored port.
NOTE
The upstream and downstream packets of the mirrored port can be
mirrored to either the same observing port or different observing ports. If
observing ports for upstream and downstream packets are not both
specified, the observing port specified for board-based mirroring is used for
the packets whose observing port is not specified.

Step 3 Run commit

The configuration is committed.

----End
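The observing-port selection rules described in this section (an observing port may be specified per direction, the board-based observing port is used for a direction that has none or whose interface-based observing port is down, and null0 discards the mirrored packets), modelled in Python as an added example that is not Huawei code. The class names, the interface names and observe-index values, and the assumption that the board-based observing port is used regardless of its own link state are constructs of this model; the `&<2-8>` multi-observing-port form is not modelled.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class ObservingPort:
    """An interface configured with 'port-observing observe-index <index>'."""
    observe_index: int
    interface: str
    is_up: bool

@dataclass
class MirroredPortConfig:
    """'port-mirroring to ...' settings on one mirrored port (None = not specified)."""
    inbound_index: Optional[int] = None    # observe-index for upstream (inbound) packets
    outbound_index: Optional[int] = None   # observe-index for downstream (outbound) packets
    to_null0: bool = False                 # 'port-mirroring to null0': mirrored packets are discarded

def resolve_observing_port(direction: str, port_cfg: MirroredPortConfig,
                           board_index: Optional[int],
                           observing_ports: Dict[int, ObservingPort]) -> Optional[str]:
    """Return the interface that receives the mirrored packets of `direction`
    ('inbound' or 'outbound'), 'null0' if they are discarded, or None if no
    observing port applies to that direction."""
    if direction not in ("inbound", "outbound"):
        raise ValueError(f"unknown direction: {direction}")
    if port_cfg.to_null0:
        return "null0"
    index = port_cfg.inbound_index if direction == "inbound" else port_cfg.outbound_index
    # The interface-based observing port takes effect while it is up ...
    if index is not None and index in observing_ports and observing_ports[index].is_up:
        return observing_ports[index].interface
    # ... otherwise (none specified for this direction, or the port is down) the
    # board-based observing port set with 'mirror to observe-index' in the slot
    # view is used. Assumption: its own link state is not checked here.
    if board_index is not None and board_index in observing_ports:
        return observing_ports[board_index].interface
    return None

# Constructed sample topology; interface names and indexes are illustrative only.
OBSERVING_PORTS = {
    1: ObservingPort(1, "GigabitEthernet0/1/7", is_up=True),
    2: ObservingPort(2, "GigabitEthernet0/2/0", is_up=False),   # link down
    3: ObservingPort(3, "GigabitEthernet0/3/0", is_up=True),    # board-based observing port
}
BOARD_INDEX = 3

if __name__ == "__main__":
    cfg = MirroredPortConfig(inbound_index=1, outbound_index=2)
    for direction in ("inbound", "outbound"):
        print(direction, "->", resolve_observing_port(direction, cfg, BOARD_INDEX, OBSERVING_PORTS))
```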

1.1.17.3.4 Configuring Port Mirroring in Integrated Mode

Context
To simplify port mirroring configuration, you can configure port mirroring in
integrated mode.

NOTE

You can configure port mirroring in either of the following ways:
● Configure port mirroring in integrated mode.
● Configure an observing port and a mirrored port, and specify the observing port for
mirroring.
Although you can configure an observing port, configure a mirrored port, and specify
the observing port for mirroring in any sequence, you need to perform all these
operations. Otherwise, port mirroring cannot take effect. When the mirroring function is
not required, you are advised to disable it so that it does not adversely affect other
services.

Table 1-29 Interfaces supporting local mirroring

Interface Type: Layer 3 Ethernet main interfaces (including Eth-Trunk interfaces)
– Mirrored Port: Supported
– Observing Port: Supported

Interface Type: Ethernet sub-interfaces (including Eth-Trunk sub-interfaces)
– Mirrored Port: Supported
NOTE: A sub-interface supports the mirroring function even when configured as a
dot1q, EVC, dot1q VLAN tag termination, or QinQ VLAN tag termination sub-interface.
– Observing Port: Supported
NOTE: A sub-interface functioning as a dot1q VLAN tag termination or QinQ VLAN
tag termination sub-interface does not support observing port configuration.
An EVC sub-interface can be configured as an observing port only when it adopts
the untag or dot1q encapsulation mode.
If an Eth-Trunk interface is configured as an observing port, downstream mirroring
is performed, and packets are mirrored from their Layer 3 headers, the mirroring
starts from the first member interface. Other traffic is mirrored among member
interfaces in load balancing mode, which depends on the configured load balancing
mode and hash factors.

Interface Type: POS interfaces
– Mirrored Port: Supported
– Observing Port: Supported

Interface Type: IP-Trunk interfaces
– Mirrored Port: Supported
– Observing Port: Supported

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run port-mirroring to { null0 | interface interface-type interface-number
observe-index observe-index } { inbound | cpu-packet | outbound }
[ user-defined-filter user-defined-filter-id ]
Port mirroring is configured in integrated mode.
Step 4 Run commit
The configuration is committed.

----End

1.1.17.3.5 (Optional) Configuring the CAR Function for Mirrored Traffic


This section describes how to configure the committed access rate (CAR) function
for mirrored traffic. This function helps prevent a large volume of mirrored traffic
from affecting packet processing.

Context
The mirrored port and observing port required for mirroring must be configured
before you configure the CAR function for mirrored traffic.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number if the mirrored port is not an EVC
Layer 2 sub-interface
The interface view is displayed.
In this case, the interface functions as the mirrored port. The CAR function takes
effect only when the corresponding observing port is a logical interface.
To limit the rate of mirrored traffic in a scenario where the mirrored port is an EVC
Layer 2 sub-interface or a BD, enter the corresponding view to configure the CAR
function. The view varies according to the scenario.

● If the mirrored port is configured in common mode, run the interface
interface-type interface-number.subnum mode l2 command to enter the EVC
Layer 2 sub-interface view.
● If the mirrored port is configured in mirroring instance mode, run the mirror
instance instance-name location command to enter the mirroring instance
view.
Step 3 Run port-mirroring car cir cir-value [ pir pir-value ] [ cbs cbs-value [ pbs pbs-value ] ]
The CAR function is configured to limit the rate of mirrored traffic.

----End

1.1.17.3.6 (Optional) Configuring the Function to Mirror Packet Content of a Specified Length

You can specify the length of packet content to be mirrored. This configuration
reduces the bandwidth consumed by the observing port and improves service
performance.

Context
The mirrored port and observing port required for mirroring must be configured
before you configure the function to mirror packet content of a specified length.

Table 1-30 Interfaces supporting local mirroring

Interface Type: Layer 3 Ethernet main interfaces (including Eth-Trunk interfaces)
– Mirrored Port: Supported
– Observing Port: Supported

Interface Type: Ethernet sub-interfaces (including Eth-Trunk sub-interfaces)
– Mirrored Port: Supported
NOTE: A sub-interface supports the mirroring function even when configured as a
dot1q, EVC, dot1q VLAN tag termination, or QinQ VLAN tag termination sub-interface.
– Observing Port: Supported
NOTE: A sub-interface functioning as a dot1q VLAN tag termination or QinQ VLAN
tag termination sub-interface does not support observing port configuration.
An EVC sub-interface can be configured as an observing port only when it adopts
the untag or dot1q encapsulation mode.
If an Eth-Trunk interface is configured as an observing port, downstream mirroring
is performed, and packets are mirrored from their Layer 3 headers, the mirroring
starts from the first member interface. Other traffic is mirrored among member
interfaces in load balancing mode, which depends on the configured load balancing
mode and hash factors.

Interface Type: POS interfaces
– Mirrored Port: Supported
– Observing Port: Supported

Interface Type: IP-Trunk interfaces
– Mirrored Port: Supported
– Observing Port: Supported

Procedure
Step 1 Run system-view

The system view is displayed.
Step 2 Run interface interface-type interface-number if the mirrored port is not an EVC
Layer 2 sub-interface
The interface view is displayed.
To configure the function to mirror packet content of a specified length in a
scenario where the mirrored port is an EVC Layer 2 sub-interface or a BD, enter
the corresponding view to implement the configuration. The view varies according
to the scenario.
● If the mirrored port is configured in common mode, run the interface
interface-type interface-number.subnum mode l2 command to enter the EVC
Layer 2 sub-interface view.

● If the mirrored port is configured in mirroring instance mode, run the mirror
instance instance-name location command to enter the mirroring instance
view.
Step 3 Run port-mirroring slice-size slice-size-value
The length of packet content to be mirrored is specified.

----End

1.1.17.3.7 (Optional) Enabling Mirroring Statistics Collection


You can enable mirroring statistics collection to check information about mirrored
packets.

Context
To enable mirroring statistics collection, perform the following operations.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run mirror statistic enable
Mirroring statistics collection is enabled.
Step 3 Run commit
The configuration is committed.

----End

1.1.17.3.8 Verifying the Configuration


After configuring port mirroring, you can view the configuration of the mirrored
port and observing port.

Procedure
● Run the display port-mirroring interface [ interface-type interface-number |
slot slot-id ] command to check the configuration of the mirrored port.
● Run the display port-observing interface [ interface-type interface-number |
slot slot-id ] command to check the configuration of the observing port.
● Run the display port-observing observe-index [ observe-index ] command
to check the index of the observing port.
● Run the display mirror instance [ instance-name ] location command to
check the configuration of the specified mirroring instance on an EVC Layer 2
sub-interface.
● Run the display observe user-defined-filter [ id ] command to check
user-defined mirroring filter rules.
● Run the display port-mirroring integration [ interface interface-type
interface-number ] command to check the configuration of port mirroring
configured in integrated mode.


● Run the display port-observing slot [ slot-id ] command to check the mapping
between the observing port for board-based mirroring and the slot ID of the
associated interface board.

----End

1.1.17.3.9 Disabling Port Mirroring


When the port mirroring function is not required, disable it so that it does not
adversely affect user services.

Context
When disabling port mirroring, you can delete the observing port configuration of
the involved board, the observing port configuration of the involved interface, and
the mirrored-port configuration of the involved interface in any sequence.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run slot slot-id

The slot view is displayed.

Step 3 Run undo mirror to observe-index observe-index

The observing port configuration of the board is deleted.

Step 4 Run quit

Return to the system view.

Step 5 Run undo observe user-defined-filter id

The user-defined any-byte matching rule for mirrored packets is deleted.

Step 6 Run interface interface-type interface-number

The interface view is displayed.

This interface functions as the observing port.

Step 7 Run undo port-observing observe-index observe-index [ without-filter ]

The observing port configuration of the interface is deleted.

Step 8 Run quit

Return to the system view.

Step 9 Run interface interface-type interface-number

The interface view is displayed.

This interface functions as the mirrored port.

Step 10 Delete port mirroring-related configurations as required.


1. Run the undo port-mirroring { inbound [ cpu-packet ] | outbound } [ user-
defined-filter user-defined-filter-id ] command to delete the mirrored-port
configuration of the interface.
2. Run the undo port-mirroring to observe-index observe-index command to
delete the configuration of the observing port specified for the upstream and
downstream packets of the mirrored port.
3. Run the undo port-mirroring to observe-index observe-index &<2-8>
[ inbound | outbound ] command to delete the configuration used to specify
multiple observing ports for the upstream or downstream packets of the
mirrored port.
4. Run the undo port-mirroring to null0 command to delete the configuration
of the observing port null0 specified for the upstream and downstream
packets of the mirrored port.
5. Run the undo port-mirroring to observe-index observe-index { inbound |
outbound } command to delete the configuration of the observing port
specified for the upstream or downstream packets of the mirrored port.
6. Run the undo port-mirroring instance instance-name { inbound |
outbound } pe-vid pe-vlan-id ce-vid ce-vlan-id-begin [ to ce-vlan-id-end ]
command to delete the port mirroring configuration.
7. Run the undo port-mirroring instance instance-name { inbound |
outbound } vid vlan-id-begin [ to vlan-id-end ] command to delete the port
mirroring configuration.
8. Run the undo port-mirroring instance instance-name { inbound |
outbound } command to delete the port mirroring configuration.
9. Run the undo mirror instance instance-name command to delete the
mirroring instance configuration.
Step 11 Run commit
The configuration is committed.

----End

1.1.17.4 Configuring Flow Mirroring


You can configure flow mirroring to copy the traffic of a specified type on the
mirrored port to the observing port for analysis, thereby learning about the status
of such traffic on the mirrored port.

Usage Scenario
If refined control is required for the packets sent to a packet analyzer, you can use
flow mirroring. In this manner, only the packets that meet specific conditions are
copied and the other packets are filtered out, improving the efficiency of the
analyzer.

NOTE

Although you can configure an observing port, specify the observing port for board-based
mirroring, and apply a traffic policy to a mirrored port in any sequence, you need to
perform all these operations. Otherwise, flow mirroring cannot take effect. When the
mirroring function is not required, you are advised to disable it so that it does not adversely
affect other services.


Pre-configuration Tasks
Before configuring flow mirroring, complete the following task:
● Connect interfaces and configure physical parameters for them to ensure that
their physical status is up.

1.1.17.4.1 Configuring an Observing Port


An observing port is used to copy the traffic on a mirrored port to a packet
analyzer. To prevent running services from being adversely affected, do not use the
observing port as a service port.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run port-observing observe-index observe-index [ without-filter ]
The interface is configured as an observing port.
An observing port sends the traffic obtained from the mirrored port to a packet
analyzer without filtering or modifying frames. On the input side, frames are
mirrored before having their headers removed. On the output side, frames are
mirrored after being modified.
Step 4 (Optional) Run port-observing with-linklayer-header
Local mirroring is configured to mirror packets from their link layer headers.
Step 5 (Optional) Run port-observing dest-mac dest-mac-address
A destination MAC address is configured for mirrored packets of the observing
port.
The port-observing dest-mac dest-mac-address and port-observing pop-label
commands are mutually exclusive.
Step 6 Run commit
The configuration is committed.

----End

1.1.17.4.2 Specifying an Observing Port for Mirroring


This section describes how to specify an observing port for mirroring. You can then
associate this port with the corresponding mirrored port.

Context
You can use either of the following methods to specify an observing port for
mirroring:


● Specify an observing port for board-based mirroring.
With this method, the mirrored traffic of the entire interface board on the
NE9000 is sent to only the same observing port.
NOTE

The observing port specified for board-based mirroring can be configured on either
the local or non-local interface board.
● Specify an observing port for interface-based mirroring.
With this method, the mirrored traffic of an interface on the NE9000 is sent
to the specified observing port.
NOTE

Packets on an interface can be mirrored to an observing port on any interface board.
This means that the observing port can reside on the local or any other interface
board. If observing ports are specified for both interface-based mirroring and board-
based mirroring, the observing port specified for interface-based mirroring takes
effect.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Specify an observing port for board-based flow mirroring or interface-based flow
mirroring as required.

Specify an observing port for board-based flow mirroring.

1. Run the slot slot-id command to enter the slot view.
2. Run the mirror to observe-index observe-index command to specify an
observing port for board-based mirroring.
3. Run the commit command to commit the configuration.

Specify an observing port for interface-based flow mirroring.

1. Run the traffic behavior behavior-name command to define a traffic
behavior and enter the traffic behavior view.
2. Run the port-mirroring to { observe-index observe-index &<1-8> }
command to specify an observing port for interface-based flow mirroring.

Step 3 Run commit

The configuration is committed.

----End

1.1.17.4.3 Defining a Traffic Policy for Mirrored Traffic


This section describes how to define a traffic policy for mirrored traffic. It covers
configuring a traffic classifier to define the traffic to be mirrored, specifying a
traffic behavior, enabling flow mirroring, and defining a traffic policy to associate
the traffic classifier with the traffic behavior.


Procedure
● Define a traffic classifier.
a. Run system-view

The system view is displayed.

b. Run traffic classifier classifier-name [ operator { and | or } ]

A traffic classifier is defined and its view is displayed.

The classifier name specified by the classifier-name parameter cannot be
any predefined classifier name in the system. For details about traffic
classifiers, see HUAWEI NetEngine9000 Core Router Configuration Guide
- QoS.
c. Define a matching rule according to network requirements.

▪ To define a matching rule for multi-field (MF) classification based on
the 802.1p values of VLAN packets, run the if-match 8021p 8021p-
value command.

▪ To define a matching rule for MF classification based on an IPv4 or
IPv6 ACL, run the if-match [ ipv6 ] acl { acl-number | name acl-
name } command.

▪ To define a matching rule for MF classification of all IPv4 or IPv6
packets, run the if-match [ ipv6 ] any command.

▪ To define a matching rule for MF classification based on the
destination MAC addresses of packets, run the if-match destination-
mac mac-address command.

▪ To define a matching rule for MF classification based on the
destination IP addresses of IPv6 packets, run the if-match ipv6
destination-address ipv6-address prefix-length command.

▪ To define a matching rule for MF classification based on the source
IP addresses of IPv6 packets, run the if-match ipv6 source-address
ipv6-address prefix-length command.

▪ To define a matching rule for MF classification based on the DSCP
values of IPv4 or IPv6 packets, run the if-match [ ipv6 ] dscp dscp-
value command.

▪ To define a matching rule for MF classification based on the EXP
values of MPLS packets, run the if-match mpls-exp exp-value
command.

▪ To define a matching rule for MF classification based on the
preference values of IP packets, run the if-match ip-precedence ip-
precedence command.

▪ To define a matching rule for MF classification based on the value of
the next IPv6 header, run the if-match ipv6 next-header header-
number first-next-header command.


▪ To define a matching rule for MF classification based on the source
MAC addresses of packets, run the if-match source-mac mac-
address command.

▪ To define a matching rule for MF classification based on the SYN
Flag value in the TCP header, run the if-match tcp syn-flag
{ tcpflag-value [ mask tcpflag-mask ] | bit-match { established | fin
| syn | rst | psh | ack | urg | ece | cwr | ns } } command.

▪ To define a matching rule for MF classification based on the SYN
Flag value in the IPv6 TCP header, run the if-match ipv6 tcp syn-
flag { tcpflag-value [ mask tcpflag-mask ] | bit-match { established
| fin | syn | rst | psh | ack | urg } } command.

You can configure one or more matching rules in this step as needed.

NOTE

If the device functions as a PE, perform the following operations:

● To perform MF classification based on the IP layer information of outbound
packets on the public network, run the traffic-policy match-ip-layer mpls-
pop command in the slot view.
● To perform MF classification based on the IP layer information of inbound
packets on the public network, run the traffic-policy match-ip-layer mpls-
push command in the slot view.
d. Run commit
The configuration is committed.
e. Run return
Return to the user view.
● Define a traffic behavior and enable flow mirroring.
a. Run system-view
The system view is displayed.
b. Run traffic behavior behavior-name
A traffic behavior is defined and its view is displayed.
c. Run port-mirroring enable
Flow mirroring is enabled.
d. (Optional) Run port-mirroring car cir cir-value [ pir pir-value ] [ cbs cbs-
value [ pbs pbs-value ] ]
The CAR function is implemented for mirrored traffic.
e. (Optional) Run port-mirroring slice-size slice-size-value
The length of packet content to be mirrored is configured.
f. (Optional) Run port-mirroring without-linklayer-header
The mirrored port is configured to mirror packets from their Layer 3
headers.
g. Run commit
The configuration is committed.


h. Run return
Return to the user view.
● Define a traffic policy to associate the traffic classifier with the traffic
behavior.
a. Run system-view
The system view is displayed.
b. Run traffic policy policy-name
A traffic policy is defined and its view is displayed.
c. Run classifier classifier-name behavior behavior-name
A traffic behavior is specified for the traffic classifier in the traffic policy.
d. Run commit
The configuration is committed.
----End

1.1.17.4.4 Applying a Traffic Policy to a Mirrored Port


A traffic policy must be applied to an interface for the configured traffic behavior
to take effect when the traffic passing through the interface matches the specified
traffic classification rule.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
This interface functions as the mirrored port.
Step 3 Run traffic-policy policy-name { inbound | outbound } [ all-layer | link-layer |
mpls-layer ]
A traffic policy is applied to the interface.
Step 4 Run commit
The configuration is committed.

----End
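As an added worked example (not taken from the guide), here is the procedure of 1.1.17.4.1 through 1.1.17.4.4 consolidated into one DeviceB configuration file: only TCP SYN-flagged packets (IPv4 or IPv6) arriving on GE3/0/0 are copied to the analyzer behind observing port GE1/0/0, with CAR and packet slicing applied to the mirrored copies so that a burst on the mirrored port cannot saturate the observing port or the analyzer. The classifier, behavior and policy names, the cir value 10000 and the slice size 128 are assumed values chosen for illustration; the interface and slot numbers follow the guide's own examples, and the observing port is specified for board-based mirroring in the slot view.

```text
#
sysname DeviceB
#
traffic classifier syn-only operator or
 if-match tcp syn-flag bit-match syn
 if-match ipv6 tcp syn-flag bit-match syn
#
traffic behavior mirror-syn
 port-mirroring enable
 port-mirroring car cir 10000
 port-mirroring slice-size 128
#
traffic policy mirror-syn-policy
 classifier syn-only behavior mirror-syn
#
interface GigabitEthernet1/0/0
 port-observing observe-index 1
#
slot 3
 mirror to observe-index 1
#
interface GigabitEthernet3/0/0
 ip address 10.1.1.2 255.255.255.0
 traffic-policy mirror-syn-policy inbound
#
return
```

Check the result with display traffic policy user-defined mirror-syn-policy and display port-mirroring interface gigabitethernet3/0/0 traffic-policy mirror-syn-policy verbose, the commands listed in 1.1.17.4.6 and 1.1.17.5.1.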

1.1.17.4.5 (Optional) Configuring the Mirroring Statistics Function


You can enable mirroring statistics collection to check information about mirrored
packets.

Context
To enable mirroring statistics collection, perform the following operations.


Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run mirror statistic enable
Mirroring statistics collection is enabled.
Step 3 Run commit
The configuration is committed.

----End

1.1.17.4.6 Verifying the Configuration


After configuring flow mirroring, you can check the traffic behavior, traffic
classifier, traffic policy, and port mirroring configurations.

Procedure
● Run the display traffic behavior { system-defined | user-defined }
[ behavior-name ] command to check the traffic behavior configuration.
● Run the display traffic classifier { system-defined | user-defined }
[ classifier-name ] command to check the traffic classifier configuration.
● Run the display traffic policy { system-defined | user-defined } [ policy-
name [ classifier classifier-name ] ] command to check the configurations of
a specified or all traffic classifiers in a specified or all traffic policies as well as
the configurations of the traffic behaviors associated with the traffic
classifiers.
● Run the display port-observing interface [ interface-type interface-number |
slot slot-id ] command to check the observing port configuration of a
specified interface or interface board.
----End

1.1.17.4.7 Disabling Flow Mirroring


When the flow mirroring function is not required, disable it so that it does not
adversely affect user services.

Context
When disabling flow mirroring, you can delete the observing port configuration of
the specified interface, the observing port configuration for mirroring, and the
traffic policy applied to the corresponding interface in any sequence.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number


The interface view is displayed.
This interface functions as the observing port.
Step 3 Run undo port-observing observe-index observe-index
The observing port configuration is deleted.
Step 4 Run quit
Return to the system view.
Step 5 Run slot slot-id
The slot view is displayed.
Step 6 Run undo mirror to observe-index observe-index
The observing port configuration for mirroring is deleted.
Step 7 Run quit
Return to the system view.
Step 8 Run interface interface-type interface-number
The interface view is displayed.
This interface functions as the mirrored port.
Step 9 Run undo traffic-policy { inbound | outbound } [ link-layer | mpls-layer ]
The traffic policy applied to the interface is deleted.
Step 10 Run quit
Return to the system view.
Step 11 Run traffic behavior behavior-name
The traffic behavior view is displayed.
Step 12 Run undo port-mirroring to { observe-index observe-index &<1-8> }
The configuration of the observing port specified for interface-based flow
mirroring is deleted.
Step 13 Run undo port-mirroring enable
Flow mirroring is disabled.
Step 14 Run quit
Return to the system view.
The traffic policy, behavior, and classifier defined for mirrored packets can be
deleted if they are no longer required.
Step 15 Run undo traffic policy policy-name
The traffic policy defined for flow mirroring is deleted.
Step 16 Run undo traffic behavior behavior-name
The traffic behavior defined for flow mirroring is deleted.


Step 17 Run undo traffic classifier classifier-name
The traffic classifier defined for flow mirroring is deleted.
Step 18 Run commit
The configuration is committed.

----End

1.1.17.5 Maintaining Mirroring Statistics

1.1.17.5.1 Checking Mirroring Statistics

Procedure
● Run the display port-mirroring interface interface-type interface-number
traffic-policy policy-name verbose command to check statistics about a
specified mirrored port.
----End

1.1.17.5.2 Clearing Mirroring Statistics


You can run the following command to clear existing mirroring statistics.

Context

NOTICE

Statistics cannot be restored after being cleared. Exercise caution when you run
the reset command.

Procedure
● Run the reset mirror counters interface interface-type interface-number
command to clear mirroring statistics about a specified interface.
----End

1.1.17.6 Configuration Examples for Mirroring


This section provides examples for configuring port mirroring and flow mirroring
in typical scenarios. It covers networking requirements, configuration roadmaps,
data preparations, and corresponding configuration files.


1.1.17.6.1 Example for Configuring Board-based Mirroring

Networking Requirements
NOTE

This example uses the method of specifying an observing port for board-based mirroring.
To specify an observing port for interface-based mirroring, see Step 1.2 in 1.1.17.3.3
Specifying an Observing Port for Mirroring.

In Figure 1-50, to monitor the packets sent from DeviceA to GE3/0/0 on DeviceB,
specify GE1/0/0 on DeviceB as an observing port and configure board-based
mirroring on GE3/0/0. In this way, all the packets received by GE3/0/0 are copied
to GE1/0/0 for analysis by HostD (the analyzer).

Figure 1-50 Networking diagram for configuring board-based mirroring


NOTE

The configurations in this example are performed on DeviceA, DeviceB, and DeviceC, all of
which can be HUAWEI NetEngine9000 devices.

Device Name   Interface Number   Interface IP Address   Interface MAC Address
DeviceA       GE1/0/0            1.1.1.1/24             -
DeviceB       GE1/0/0            -                      -
DeviceB       GE3/0/0            1.1.1.2/24             -
DeviceB       GE3/0/1            2.1.1.2/24             -
DeviceC       GE1/0/0            2.1.1.1/24             -

Configuration Notes
Do not configure an interface as both an observing port and a mirrored port.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GE1/0/0 on DeviceB as an observing port.
2. Configure GE3/0/0 on DeviceB as a mirrored port and enable board-based
mirroring.


Data Preparation
To complete the configuration, you need the following data:
● IP address of each interface
● Types and numbers of the observing port and mirrored port

Procedure
Step 1 Configure IP addresses for interfaces and ensure that the corresponding routes are
reachable. For configuration details, see Configuration Files in this section.
Step 2 Configure GE1/0/0 as an observing port.
<DeviceB> system-view
[~DeviceB] interface gigabitethernet1/0/0
[~DeviceB-GigabitEthernet1/0/0] port-observing observe-index 1
[*DeviceB-GigabitEthernet1/0/0] commit
[~DeviceB-GigabitEthernet1/0/0] quit

Step 3 Specify the observing port for board-based mirroring.
[~DeviceB] slot 3
[~DeviceB-slot-3] mirror to observe-index 1
[*DeviceB-slot-3] commit
[~DeviceB-slot-3] quit

Step 4 Enable board-based mirroring for upstream packets on GE3/0/0.
[~DeviceB] interface gigabitethernet3/0/0
[~DeviceB-GigabitEthernet3/0/0] port-mirroring inbound
[*DeviceB-GigabitEthernet3/0/0] commit
[~DeviceB-GigabitEthernet3/0/0] quit

After the preceding configuration is complete, all packets received by GE3/0/0 and
packets to be sent to the CPU are mirrored to GE1/0/0.
Step 5 Verify the configuration.
Check mirroring information through the ping command or another traffic
generation method. For example, if DeviceA sends 10 ping packets to GE3/0/0 on
DeviceB, HostD is expected to receive all the packets sent by DeviceA.
Check statistics about GE1/0/0 on DeviceB.
<DeviceB> display interface gigabitethernet1/0/0
GigabitEthernet1/0/0 current state : UP
Line protocol current state : UP
Description:XXXXXX, GigabitEthernet1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet protocol processing : disabled
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc7d-a497
The Vendor PN is HFBR-5710L
Port BW: 1G, Transceiver max BW: 1G, Transceiver Mode: MultiMode
WaveLength: 850nm, Transmission Distance: 550m
Loopback:none, full-duplex mode, negotiation: disable, Pause Flowcontrol:Send and Receive Enable
Statistics last cleared:never
Last 300 seconds input rate: 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bits/sec, 0 packets/sec
Input: 107628 bytes, 1016 packets
Output: 107628 bytes, 1016 packets
Input:
Unicast: 0, Multicast: 0
Broadcast: 0, JumboOctets: 0
CRC: 0, Symbol: 0
Overrun: 0 , InRangeLength: 0
LongPacket: 0 , Jabber: 0, Alignment: 0
Fragment: 0, Undersized Frame: 0
RxPause: 0
Output:
Unicast: 10, Multicast: 0
Broadcast: 0, Jumbo: 0
Lost: 0, Overflow: 0, Underrun: 0
TxPause: 0

----End

Configuration Files
● DeviceA configuration file
#
sysname DeviceA
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
#
return

● DeviceB configuration file
#
sysname DeviceB
#
slot 3
#
interface GigabitEthernet3/0/0
ip address 1.1.1.2 255.255.255.0
port-mirroring inbound
#
interface GigabitEthernet3/0/1
ip address 2.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port-observing observe-index 1
#
slot 3
mirror to observe-index 1
#
return

● DeviceC configuration file
#
sysname DeviceC
#
interface GigabitEthernet1/0/0
ip address 2.1.1.1 255.255.255.0
#
return

1.1.17.6.2 Example for Configuring Port Mirroring

Networking Requirements
In Figure 1-51, to monitor the packets sent from DeviceA to interface 2 on
DeviceB, specify interface 1 on DeviceB as an observing port and configure port
mirroring on interface 2. In this way, all the packets received by interface 2 are
copied to interface 1 for analysis by HostD (the analyzer).


Figure 1-51 Networking diagram for configuring port mirroring


NOTE

The configurations in this example are performed on DeviceA, DeviceB, and DeviceC, all of
which can be HUAWEI NetEngine9000 devices.

Device Name   Interface Number          Interface IP Address   Interface MAC Address
DeviceA       GE1/0/0                   10.1.1.1/24            -
DeviceB       GE1/0/0 (interface 1)     -                      -
DeviceB       GE3/0/0 (interface 2)     10.1.1.2/24            -
DeviceB       GE3/0/1 (interface 3)     10.10.1.2/24           -
DeviceC       GE1/0/0                   10.10.1.1/24           -

Configuration Notes
Do not configure an interface as both an observing port and a mirrored port.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure interface 1 on DeviceB as an observing port.
2. Configure interface 2 on DeviceB as a mirrored port and enable port
mirroring.

Data Preparation
To complete the configuration, you need the following data:
● IP address of each interface
● Types and numbers of the observing port and mirrored port

Procedure
Step 1 Configure IP addresses for interfaces and ensure that the corresponding routes are
reachable. For configuration details, see Configuration Files in this section.


Step 2 Configure GE1/0/0 as an observing port.
<DeviceB> system-view
[~DeviceB] interface gigabitethernet1/0/0
[~DeviceB-GigabitEthernet1/0/0] port-observing observe-index 1
[*DeviceB-GigabitEthernet1/0/0] commit
[~DeviceB-GigabitEthernet1/0/0] quit

Step 3 Enable upstream port mirroring on GE3/0/0.
[~DeviceB] interface gigabitethernet3/0/0
[~DeviceB-GigabitEthernet3/0/0] port-mirroring inbound
[*DeviceB-GigabitEthernet3/0/0] commit
[~DeviceB-GigabitEthernet3/0/0] quit

Step 4 Specify the observing port for mirroring.
[~DeviceB] interface gigabitethernet3/0/0
[~DeviceB-GigabitEthernet3/0/0] port-mirroring to observe-index 1
[*DeviceB-GigabitEthernet3/0/0] commit
[~DeviceB-GigabitEthernet3/0/0] quit

After the preceding configuration is complete, all packets received by GE3/0/0 are
mirrored to GE1/0/0.
Step 5 Verify the configuration.
Check mirroring information through the ping command or another traffic
generation method. For example, if DeviceA sends 10 ping packets to GE3/0/0 on
DeviceB, HostD is expected to receive all the packets sent by DeviceA.
Check statistics about GE1/0/0 on DeviceB.
<DeviceB> display interface gigabitethernet1/0/0
GigabitEthernet1/0/0 current state : UP
Line protocol current state : UP
Description:XXXXXX, GigabitEthernet1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet protocol processing : disabled
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is xxxx-xxxx-xxxx
The Vendor PN is XXXX-XXXXX
Port BW: 1G, Transceiver max BW: 1G, Transceiver Mode: MultiMode
WaveLength: 850nm, Transmission Distance: 550m
Loopback:none, full-duplex mode, negotiation: disable, Pause Flowcontrol:Send and Receive Enable
Statistics last cleared:never
Last 300 seconds input rate: 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bits/sec, 0 packets/sec
Input: 107628 bytes, 1016 packets
Output: 107628 bytes, 1016 packets
Input:
Unicast: 0, Multicast: 0
Broadcast: 0, JumboOctets: 0
CRC: 0, Symbol: 0
Overrun: 0 , InRangeLength: 0
LongPacket: 0 , Jabber: 0, Alignment: 0
Fragment: 0, Undersized Frame: 0
RxPause: 0
Output:
Unicast: 10, Multicast: 0
Broadcast: 0, Jumbo: 0
Lost: 0, Overflow: 0, Underrun: 0
TxPause: 0

----End

Configuration Files
● DeviceA configuration file
#


sysname DeviceA
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
return

● DeviceB configuration file
#
sysname DeviceB
#
interface GigabitEthernet3/0/0
ip address 10.1.1.2 255.255.255.0
port-mirroring inbound
port-mirroring to observe-index 1
#
interface GigabitEthernet3/0/1
ip address 10.10.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port-observing observe-index 1
#
return

● DeviceC configuration file
#
sysname DeviceC
#
interface GigabitEthernet1/0/0
ip address 10.10.1.1 255.255.255.0
#
return

1.1.17.6.3 Example for Configuring Observing Ports for the Upstream and
Downstream Packets of a Mirrored Port

Networking Requirements
As shown in Figure 1-52, SwitchA forwards user packets from VLAN 10 and VLAN
20 to DeviceB. To monitor the upstream and downstream packets forwarded by
SwitchA from VLAN 10 to interface 2 on DeviceB, specify interface 1 on DeviceB as
the observing port for the upstream VLAN packets of interface 2, and specify
interface 4 on DeviceB as the observing port for the downstream VLAN packets of
interface 2. Then, configure port mirroring on interface 2. In this way, all the
packets received by interface 2 are copied to interface 1 for analysis by HostD, and
all the downstream packets sent by interface 2 are copied to interface 4 for
analysis by HostE.

Figure 1-52 Networking diagram for configuring observing ports for the upstream
and downstream packets of a mirrored port
NOTE

● The configurations in this example are performed on DeviceB and DeviceC, both of
which can be HUAWEI NetEngine9000 devices.
● Interfaces 1 through 4 in this example represent GE1/0/0, GE3/0/0, GE3/0/1, and
GE1/0/1, respectively.


Device Name   Interface Number   Interface IP Address   Interface MAC Address
DeviceB       GE1/0/0            10.10.1.1/24           -
DeviceB       GE3/0/0            -                      -
DeviceB       GE3/0/1            10.1.1.2/24            -
DeviceB       GE1/0/1            10.20.1.1/24           -
DeviceC       GE1/0/0            10.1.1.1/24            -

Configuration Notes
Do not configure an interface as both an observing port and a mirrored port.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GE1/0/0 and GE1/0/1 on DeviceB as the observing ports for the
upstream and downstream packets of the mirrored port, respectively.
2. Configure GE3/0/0 on DeviceB as a mirrored port and enable port mirroring.

Data Preparation
To complete the configuration, you need the following data:
● Types and numbers of the observing ports and mirrored port

Procedure
Step 1 Configure IP addresses for interfaces and ensure that the corresponding routes are
reachable. For configuration details, see Configuration Files in this section.
Step 2 Configure GE1/0/0 as one observing port.
<DeviceB> system-view
[~DeviceB] interface gigabitethernet1/0/0
[~DeviceB-GigabitEthernet1/0/0] port-observing observe-index 1
[*DeviceB-GigabitEthernet1/0/0] commit
[~DeviceB-GigabitEthernet1/0/0] quit

Step 3 Configure GE1/0/1 as the other observing port.
[~DeviceB] interface gigabitethernet1/0/1
[~DeviceB-GigabitEthernet1/0/1] port-observing observe-index 2
[*DeviceB-GigabitEthernet1/0/1] commit
[~DeviceB-GigabitEthernet1/0/1] quit

Step 4 Enable VLAN-based upstream and downstream port mirroring on GE3/0/0.


[~DeviceB] vlan 10
[*DeviceB-vlan10] commit
[~DeviceB-vlan10] quit
[~DeviceB] interface gigabitethernet3/0/0
[~DeviceB-GigabitEthernet3/0/0] portswitch
[*DeviceB-GigabitEthernet3/0/0] port default vlan 10
[*DeviceB-GigabitEthernet3/0/0] port-mirroring inbound vlan 10
[*DeviceB-GigabitEthernet3/0/0] port-mirroring outbound vlan 10
[*DeviceB-GigabitEthernet3/0/0] commit
[~DeviceB-GigabitEthernet3/0/0] quit

Step 5 Specify observing ports for the upstream and downstream packets of the mirrored
port.
[~DeviceB] interface gigabitethernet3/0/0
[~DeviceB-GigabitEthernet3/0/0] port-mirroring to observe-index 1 inbound
[*DeviceB-GigabitEthernet3/0/0] port-mirroring to observe-index 2 outbound
[*DeviceB-GigabitEthernet3/0/0] commit
[~DeviceB-GigabitEthernet3/0/0] quit

After the preceding configuration is complete, the upstream packets received by
the mirrored port GE3/0/0 are mirrored to GE1/0/0, and the downstream packets
sent by the mirrored port GE3/0/0 are mirrored to GE1/0/1.
Step 6 Verify the configuration.
Check mirroring information through the ping command or another traffic
generation method. For example, if SwitchA sends 10 ping packets to GE3/0/0 on
DeviceB, HostD is expected to receive all the packets sent by SwitchA.
Check statistics about GE1/0/0 on DeviceB.
<DeviceB> display interface gigabitethernet1/0/0
GigabitEthernet1/0/0 current state : UP
Line protocol current state : UP
Description:XXXXXX, GigabitEthernet1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet protocol processing : disabled
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc7d-a497
The Vendor PN is HFBR-5710L
Port BW: 1G, Transceiver max BW: 1G, Transceiver Mode: MultiMode
WaveLength: 850nm, Transmission Distance: 550m
Loopback:none, full-duplex mode, negotiation: disable, Pause Flowcontrol:Send and Receive Enable
Statistics last cleared:never
Last 300 seconds input rate: 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bits/sec, 0 packets/sec
Input: 107628 bytes, 1016 packets
Output: 107628 bytes, 1016 packets
Input:
Unicast: 0, Multicast: 0
Broadcast: 0, JumboOctets: 0
CRC: 0, Symbol: 0
Overrun: 0 , InRangeLength: 0
LongPacket: 0 , Jabber: 0, Alignment: 0
Fragment: 0, Undersized Frame: 0
RxPause: 0
Output:
Unicast: 10, Multicast: 0
Broadcast: 0, Jumbo: 0
Lost: 0, Overflow: 0, Underrun: 0
TxPause: 0

----End

Configuration Files
● DeviceB configuration file
#
sysname DeviceB
vlan 10
#
interface GigabitEthernet3/0/0
portswitch
port default vlan 10
port-mirroring inbound vlan 10
port-mirroring outbound vlan 10
port-mirroring to observe-index 1 inbound
port-mirroring to observe-index 2 outbound
#
interface GigabitEthernet3/0/1
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 10.10.1.1 255.255.255.0
port-observing observe-index 1
#
interface GigabitEthernet1/0/1
ip address 10.20.1.1 255.255.255.0
port-observing observe-index 2
#
return

1.1.17.6.4 Example for Configuring Port Mirroring (1:N Scenario)

Networking Requirements
As shown in Figure 1-53, the switch forwards user packets from VLAN 10 and
VLAN 20 to the Device. To monitor the packets forwarded by the switch to
interface 1 on the Device, specify interface 2 and interface 3 on the Device as
observing ports. In addition, specify interface 1 as a mirrored port and enable the
port mirroring function for the traffic of VLAN 10. Then, map the mirrored port to
the observing ports. In this way, all the packets of VLAN 10 received by interface 1
are copied to interface 2 and interface 3.

Figure 1-53 Networking diagram for configuring port mirroring in a 1:N scenario
NOTE

● The configurations in this example are performed on the Device. The HUAWEI
NetEngine9000 can function as a Device.
● Interfaces 1 through 3 in this example represent GE1/0/0, GE2/0/0, and GE3/0/0,
respectively.

Device Name   Interface Name   Interface IP Address
Device        GE1/0/0          -
Device        GE2/0/0          10.10.1.1/24
Device        GE3/0/0          10.1.1.2/24

Configuration Notes
Do not configure an interface as both an observing port and a mirrored port.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GE2/0/0 and GE3/0/0 on the Device as observing ports.
2. Configure GE1/0/0 on the Device as a mirrored port and enable the port
mirroring function for the traffic of VLAN 10.
3. Map the mirrored port to the observing ports and enable mirroring analysis
on GE1/0/0.

Data Preparation
To complete the configuration, you need the following data:

● Types and numbers of the observing ports and mirrored port

Procedure
Step 1 Configure IP addresses for interfaces and ensure that the corresponding routes are
reachable. For configuration details, see Configuration Files in this section.

Step 2 Configure GE2/0/0 and GE3/0/0 as observing ports.
<Device> system-view
[~Device] interface gigabitethernet2/0/0
[~Device-GigabitEthernet2/0/0] port-observing observe-index 1
[*Device-GigabitEthernet2/0/0] commit
[~Device-GigabitEthernet2/0/0] quit
[~Device] interface gigabitethernet3/0/0
[~Device-GigabitEthernet3/0/0] port-observing observe-index 2
[*Device-GigabitEthernet3/0/0] commit
[~Device-GigabitEthernet3/0/0] quit

Step 3 Enable VLAN-based upstream port mirroring on GE1/0/0.
[~Device] vlan 10
[*Device-vlan10] commit
[~Device-vlan10] quit
[~Device] interface gigabitethernet1/0/0
[~Device-GigabitEthernet1/0/0] portswitch
[*Device-GigabitEthernet1/0/0] port default vlan 10
[*Device-GigabitEthernet1/0/0] port-mirroring inbound vlan 10
[*Device-GigabitEthernet1/0/0] commit
[~Device-GigabitEthernet1/0/0] quit

Step 4 Map the mirrored port GE1/0/0 to the observing ports GE2/0/0 and GE3/0/0.
[~Device] interface gigabitethernet1/0/0
[~Device-GigabitEthernet1/0/0] port-mirroring to observe-index 1 2
[*Device-GigabitEthernet1/0/0] commit
[~Device-GigabitEthernet1/0/0] quit

After the preceding configuration is complete, the packets of VLAN 10 received by
GE1/0/0 are mirrored to GE2/0/0 and GE3/0/0.

Step 5 Verify the configuration.

For example, if the switch sends 10 packets with the VLAN ID being 10 to the
mirrored port GE1/0/0 of the Device, check that the observing ports GE2/0/0 and
GE3/0/0 can forward all the packets with the VLAN ID being 10 received by the
mirrored port GE1/0/0. Run the display interface command to check packet
statistics about GE2/0/0.
<Device> display interface gigabitethernet2/0/0
GigabitEthernet2/0/0 current state : UP
Line protocol current state : UP
Description:XXXXXX, GigabitEthernet2/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet protocol processing : disabled
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc7d-a497
The Vendor PN is HFBR-5710L
Port BW: 1G, Transceiver max BW: 1G, Transceiver Mode: MultiMode
WaveLength: 850nm, Transmission Distance: 550m
Loopback:none, full-duplex mode, negotiation: disable, Pause Flowcontrol:Send and Receive Enable
Statistics last cleared:never
Last 300 seconds input rate: 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bits/sec, 0 packets/sec
Input: 560 bytes, 10 packets
Output: 560 bytes, 10 packets
Input:
Unicast: 0, Multicast: 0
Broadcast: 0, JumboOctets: 0
CRC: 0, Symbol: 0
Overrun: 0 , InRangeLength: 0
LongPacket: 0 , Jabber: 0, Alignment: 0
Fragment: 0, Undersized Frame: 0
RxPause: 0
Output:
Unicast: 10, Multicast: 0
Broadcast: 0, Jumbo: 0
Lost: 0, Overflow: 0, Underrun: 0
TxPause: 0

----End

Configuration Files
● Device configuration file
#
sysname Device
vlan 10
#
interface GigabitEthernet1/0/0
portswitch
port default vlan 10
port-mirroring inbound vlan 10
port-mirroring to observe-index 1 2
#
interface GigabitEthernet2/0/0
ip address 10.10.1.1 255.255.255.0
port-observing observe-index 1
#
interface GigabitEthernet3/0/0
ip address 10.1.1.2 255.255.255.0
port-observing observe-index 2
#
return

1.1.17.6.5 Example for Configuring EVC Port Mirroring

Networking Requirements
This section provides an example for configuring port mirroring for the traffic of
an EVC Layer 2 sub-interface through the EVC model.
On the network shown in Figure 1-54, services such as Internet, IPTV, and VoIP
services are deployed in communities 1 and 2. To facilitate management, network
administrators allocate the same services to the same VLAN, and allocate different
services to different VLANs. In addition, an EVC model is used to achieve service
interworking between the two communities.
For security purposes, VLAN 10 traffic transmitted from CE1 to PE1 through sub-
interface 1.1 needs to be monitored and analyzed. This can be achieved by
specifying interface 2 on PE1 as an observing port and configuring port mirroring
on sub-interface 1.1. In this way, all the packets received through sub-interface 1.1
are copied to interface 2 for analysis by the analyzer.

Figure 1-54 Networking diagram for configuring EVC port mirroring


NOTE

● The configurations in this example are performed on CE1, CE2, PE1, and PE2. The
HUAWEI NetEngine9000 functions only as PE1.
● Interface 1, sub-interface 1.1, sub-interface 1.2, interface 2, interface 3, and interface 4
in this example represent GE1/0/1, GE1/0/1.1, GE1/0/1.2, GE2/0/1, GE1/0/2, and
GE1/0/3, respectively.

Configuration Notes
Services in all VLANs are on the same subnet.

Configuration Roadmap
Deploy EVC port mirroring to configure the EVC Layer 2 sub-interface GE1/0/1.1 as
a mirrored port and GE2/0/1 as an observing port. In this way, the inbound traffic
of GE1/0/1.1 is copied to GE2/0/1 for analysis by the analyzer.

The configuration roadmap is as follows:

1. Deploy an EVC model to achieve service interworking between communities 1
and 2.
2. Configure GE2/0/1 on PE1 as an observing port to which the copied traffic is
sent.
3. Configure GE1/0/1.1 on PE1 as a mirrored port so that the inbound traffic of
GE1/0/1.1 is copied.
4. Specify the observing port for mirroring and enable the device to mirror the
traffic entering GE1/0/1.1.

Data Preparation
To complete the configuration, you need the following data:
● Numbers of interfaces connecting devices to the user side
● Numbers of interfaces interconnecting devices
● IDs of VLANs to which services belong
● BD IDs
● Mirroring instance name
● Number of the mirrored port
● Number of the observing port

Procedure
Step 1 Deploy an EVC model to achieve service interworking between communities 1 and
2.
# Configure CE1.
<HUAWEI> system-view
[~HUAWEI] sysname CE1
[*HUAWEI] commit
[~CE1] vlan 10
[*CE1-vlan10] quit
[*CE1] interface gigabitethernet 1/0/1
[*CE1-GigabitEthernet1/0/1] undo shutdown
[*CE1-GigabitEthernet1/0/1] portswitch
[*CE1-GigabitEthernet1/0/1] port link-type access
[*CE1-GigabitEthernet1/0/1] port default vlan 10
[*CE1-GigabitEthernet1/0/1] quit
[*CE1] interface gigabitethernet 1/0/2
[*CE1-GigabitEthernet1/0/2] undo shutdown
[*CE1-GigabitEthernet1/0/2] portswitch
[*CE1-GigabitEthernet1/0/2] port link-type trunk
[*CE1-GigabitEthernet1/0/2] port trunk allow-pass vlan 10
[*CE1-GigabitEthernet1/0/2] quit
[*CE1] commit

# Configure CE2.
<HUAWEI> system-view
[~HUAWEI] sysname CE2
[*HUAWEI] commit
[~CE2] vlan batch 10 30
[*CE2] interface gigabitethernet 1/0/1
[*CE2-GigabitEthernet1/0/1] undo shutdown
[*CE2-GigabitEthernet1/0/1] portswitch
[*CE2-GigabitEthernet1/0/1] port link-type access
[*CE2-GigabitEthernet1/0/1] port default vlan 30
[*CE2-GigabitEthernet1/0/1] quit
[*CE2] interface gigabitethernet 1/0/3
[*CE2-GigabitEthernet1/0/3] undo shutdown
[*CE2-GigabitEthernet1/0/3] portswitch
[*CE2-GigabitEthernet1/0/3] port link-type access
[*CE2-GigabitEthernet1/0/3] port default vlan 10
[*CE2-GigabitEthernet1/0/3] quit
[*CE2] interface gigabitethernet 1/0/2
[*CE2-GigabitEthernet1/0/2] undo shutdown
[*CE2-GigabitEthernet1/0/2] portswitch
[*CE2-GigabitEthernet1/0/2] port link-type trunk
[*CE2-GigabitEthernet1/0/2] port trunk allow-pass vlan 10 30
[*CE2-GigabitEthernet1/0/2] quit
[*CE2] commit

# Configure PE1.
<HUAWEI> system-view
[~HUAWEI] sysname PE1
[*HUAWEI] commit
[~PE1] bridge-domain 10
[*PE1-bd10] quit
[*PE1] interface gigabitethernet 1/0/1
[*PE1-GigabitEthernet1/0/1] undo shutdown
[*PE1-GigabitEthernet1/0/1] quit
[*PE1] interface gigabitethernet 1/0/1.1 mode l2
[*PE1-GigabitEthernet1/0/1.1] encapsulation dot1q vid 10
[*PE1-GigabitEthernet1/0/1.1] bridge-domain 10
[*PE1-GigabitEthernet1/0/1.1] quit
[*PE1] interface gigabitethernet 1/0/2
[*PE1-GigabitEthernet1/0/2] undo shutdown
[*PE1-GigabitEthernet1/0/2] quit
[*PE1] interface gigabitethernet 1/0/2.1 mode l2
[*PE1-GigabitEthernet1/0/2.1] encapsulation dot1q vid 10
[*PE1-GigabitEthernet1/0/2.1] bridge-domain 10
[*PE1-GigabitEthernet1/0/2.1] commit
[~PE1-GigabitEthernet1/0/2.1] quit

# Configure PE2.
<HUAWEI> system-view
[~HUAWEI] sysname PE2
[*HUAWEI] commit
[~PE2] bridge-domain 10
[*PE2-bd10] quit
[*PE2] interface gigabitethernet 1/0/1
[*PE2-GigabitEthernet1/0/1] undo shutdown
[*PE2-GigabitEthernet1/0/1] quit
[*PE2] interface gigabitethernet 1/0/1.1 mode l2
[*PE2-GigabitEthernet1/0/1.1] encapsulation dot1q vid 10
[*PE2-GigabitEthernet1/0/1.1] bridge-domain 10
[*PE2-GigabitEthernet1/0/1.1] quit
[*PE2] interface gigabitethernet 1/0/1.2 mode l2
[*PE2-GigabitEthernet1/0/1.2] encapsulation dot1q vid 30
[*PE2-GigabitEthernet1/0/1.2] rewrite map 1-to-1 vid 10
[*PE2-GigabitEthernet1/0/1.2] bridge-domain 10
[*PE2-GigabitEthernet1/0/1.2] quit
[*PE2] interface gigabitethernet 1/0/2
[*PE2-GigabitEthernet1/0/2] undo shutdown
[*PE2-GigabitEthernet1/0/2] quit
[*PE2] interface gigabitethernet 1/0/2.1 mode l2
[*PE2-GigabitEthernet1/0/2.1] encapsulation dot1q vid 10
[*PE2-GigabitEthernet1/0/2.1] bridge-domain 10
[*PE2-GigabitEthernet1/0/2.1] commit
[~PE2-GigabitEthernet1/0/2.1] quit

Step 2 Configure GE2/0/1 on PE1 as an observing port.
[~PE1] interface gigabitethernet 2/0/1
[*PE1-GigabitEthernet2/0/1] port-observing observe-index 1
[*PE1-GigabitEthernet2/0/1] commit
[~PE1-GigabitEthernet2/0/1] quit

Step 3 Configure GE1/0/1.1 on PE1 as a mirrored port.
[~PE1] mirror instance evcto201 location
[*PE1] commit
[~PE1] interface gigabitethernet 1/0/1.1 mode l2
[*PE1-GigabitEthernet1/0/1.1] port-mirroring instance evcto201 inbound vid 10 identifier none
[*PE1-GigabitEthernet1/0/1.1] commit
[~PE1-GigabitEthernet1/0/1.1] quit

Step 4 Map the mirrored port to the observing port.
[~PE1] slot 1
[~PE1-slot1] mirror to observe-index 1
[*PE1-slot1] commit
[~PE1-slot1] quit

Step 5 Verify the configuration.
After completing the preceding configuration, run the display bridge-domain
command to check BD information, including the BD to which an EVC Layer 2
sub-interface belongs and the BD status. The following example uses the
command output on PE1.
[~PE1] display bridge-domain
The total number of bridge-domains is : 1
--------------------------------------------------------------------------------
MAC_LRN: MAC learning; STAT: Statistics; SPLIT: Split-horizon;
BC: Broadcast; MC: Unknown multicast; UC: Unknown unicast;
*down: Administratively down; FWD: Forward; DSD: Discard;
--------------------------------------------------------------------------------
BDID State MAC-LRN STAT BC MC UC SPLIT Description
--------------------------------------------------------------------------------
10 up enable disable FWD FWD FWD disable

Run the display ethernet uni information command. The command output
shows the traffic encapsulation and traffic behavior information configured on
each EVC Layer 2 sub-interface. The following example uses the command output
on PE2.
[~PE2] display ethernet uni information
GigabitEthernet1/0/1.1
Total encapsulation number: 1
encapsulation dot1q vid 10
No action
GigabitEthernet1/0/1.2
Total encapsulation number: 1
encapsulation dot1q vid 30
Rewrite map 1-to-1 vid 10
GigabitEthernet1/0/2.1
Total encapsulation number: 1
encapsulation dot1q vid 10
No action

Through the EVC model, the users in community 1 and community 2 can
communicate with each other.
Run the display mirror instance [ instance-name ] location command to check
the configuration of the specified mirroring instance on an EVC Layer 2 sub-
interface.
[~PE1] display mirror instance location
instance evcto201
car :-

----End

Configuration Files
● PE1 configuration file
#
sysname PE1
#
mirror instance evcto201 location
#
slot 1
mirror to observe-index 1
#
interface GigabitEthernet1/0/1
undo shutdown
#
interface GigabitEthernet1/0/1.1 mode l2
encapsulation dot1q vid 10
bridge-domain 10
port-mirroring instance evcto201 inbound vid 10 identifier none
#
interface GigabitEthernet1/0/2
undo shutdown
#
interface GigabitEthernet1/0/2.1 mode l2
encapsulation dot1q vid 10
bridge-domain 10
#
interface GigabitEthernet2/0/1
port-observing observe-index 1
#
return
● PE2 configuration file
#
sysname PE2
#
interface GigabitEthernet1/0/1
undo shutdown
#
interface GigabitEthernet1/0/1.1 mode l2
encapsulation dot1q vid 10
bridge-domain 10
#
interface GigabitEthernet1/0/1.2 mode l2
encapsulation dot1q vid 30
rewrite map 1-to-1 vid 10
bridge-domain 10
#
interface GigabitEthernet1/0/2
undo shutdown
#
interface GigabitEthernet1/0/2.1 mode l2
encapsulation dot1q vid 10
bridge-domain 10
#
return
● CE1 configuration file
#
sysname CE1
#
vlan 10
#
interface GigabitEthernet1/0/1
portswitch
undo shutdown
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
portswitch
undo shutdown
port link-type trunk
port trunk allow-pass vlan 10
#
return
● CE2 configuration file
#
sysname CE2
#
vlan batch 10 30
#
interface GigabitEthernet1/0/1
portswitch
undo shutdown
port link-type access
port default vlan 30
#
interface GigabitEthernet1/0/2
portswitch
undo shutdown
port link-type trunk
port trunk allow-pass vlan 10 30
#
interface GigabitEthernet1/0/3
portswitch
undo shutdown
port link-type access
port default vlan 10
#
return

1.1.17.6.6 Example for Configuring Local Flow Mirroring

Networking Requirements
On the network shown in Figure 1-55, to monitor the packets sent from DeviceA
to interface 3 on DeviceB, specify interface 5 on DeviceB as an observing port and
configure flow mirroring on interface 3. To improve the working efficiency of
HostD, configure a traffic policy on interface 3 of DeviceB. In this way, only the
packets with the source address of 2.2.2.2 are copied to interface 5.

Figure 1-55 Networking diagram for configuring flow mirroring


NOTE

● The configurations in this example are performed on DeviceA, DeviceB, and DeviceC, all
of which can be HUAWEI NetEngine9000 devices.
● Interfaces 1 through 5 in this example represent GE1/0/0, GE2/0/0, GE1/0/1, GE1/0/2,
and GE1/0/3, respectively.

Device Name   Interface Number   Interface IP Address   Interface MAC Address
DeviceA       GE1/0/0            10.70.1.1/24           -
DeviceA       GE2/0/0            10.1.1.0/24            -
DeviceA       GE1/0/1            10.20.2.2/24           -
DeviceB       GE1/0/1            10.70.1.2/24           -
DeviceB       GE1/0/2            10.80.1.2/24           -
DeviceB       GE1/0/3            10.90.1.1/24           -
DeviceC       GE1/0/0            10.80.1.1/24           -

Configuration Notes
● Do not configure an interface as both an observing port and a mirrored port.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GE1/0/3 on DeviceB as an observing port.
2. Configure a traffic policy on GE1/0/1 of DeviceB and apply the policy to the
mirrored port.

Data Preparation
To complete the configuration, you need the following data:
● IP address of each interface
● Types and numbers of the observing port and mirrored port
● ACL number, traffic classifier name, traffic behavior name, and traffic policy
name

Procedure
Step 1 Configure IP addresses for interfaces and ensure that the corresponding routes are
reachable. For configuration details, see Configuration Files in this section.
Step 2 Configure GE1/0/3 as an observing port.
<DeviceB> system-view
[~DeviceB] interface gigabitethernet1/0/3
[~DeviceB-GigabitEthernet1/0/3] port-observing observe-index 3
[*DeviceB-GigabitEthernet1/0/3] commit

Step 3 Specify an observing port for board-based mirroring.
[~DeviceB] slot 1
[~DeviceB-slot-1] mirror to observe-index 3
[*DeviceB-slot-1] commit
[~DeviceB-slot-1] quit

Step 4 Configure a traffic policy on the mirrored port GE1/0/1.
# Define an ACL rule.
[~DeviceB] acl 2001
[*DeviceB-acl-basic-2001] rule 5 permit source 10.20.2.2 0.0.0.0
[*DeviceB-acl-basic-2001] commit
[~DeviceB-acl-basic-2001] quit

# Configure a traffic classifier and define an ACL-based matching rule.
[~DeviceB] traffic classifier a
[*DeviceB-classifier-a] if-match acl 2001
[*DeviceB-classifier-a] commit
[~DeviceB-classifier-a] quit

# After the configuration is complete, run the display traffic classifier
user-defined command to check the traffic classifier configuration.
[~DeviceB] display traffic classifier user-defined
User Defined Classifier Information:
Classifier: a
Operator: OR
Rule(s) : if-match acl 2001 precedence 2

# Define a traffic behavior and enable flow mirroring.
[~DeviceB] traffic behavior e
[*DeviceB-behavior-e] port-mirroring enable
[*DeviceB-behavior-e] commit
[~DeviceB-behavior-e] quit

# Define a traffic policy to associate the traffic classifier with the traffic behavior.
[~DeviceB] traffic policy 1
[*DeviceB-trafficpolicy-1] classifier a behavior e
[*DeviceB-trafficpolicy-1] commit
[~DeviceB-trafficpolicy-1] quit

# Apply the traffic policy to the corresponding interface.
[~DeviceB] interface gigabitethernet1/0/1
[~DeviceB-GigabitEthernet1/0/1] traffic-policy 1 inbound
[*DeviceB-GigabitEthernet1/0/1] commit
[~DeviceB-GigabitEthernet1/0/1] quit

Step 5 Verify the configuration.
Check mirroring information through the ping command or another traffic
generation method. For example, if DeviceA sends 10 ping packets with the source
address of 10.20.2.2/32 and another 10 ping packets with the source address of
10.1.1.0/32 to GE1/0/1, HostD is expected to receive the packets with the source
address of 10.20.2.2/32 from DeviceA, not the packets with the source address of
10.1.1.0/32.

----End

Configuration Files
● DeviceA configuration file
#
sysname DeviceA
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.70.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.20.2.2 255.255.255.0
#
return
● DeviceB configuration file
#
sysname DeviceB
#
acl number 2001
rule 5 permit source 10.20.2.2 0
#
traffic classifier a operator or
if-match acl 2001
#
traffic behavior e
port-mirroring enable
#
traffic policy 1
classifier a behavior e
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.70.1.2 255.255.255.0
traffic-policy 1 inbound
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 10.80.1.2 255.255.255.0
#
interface GigabitEthernet1/0/3
undo shutdown
port-observing observe-index 3
#
slot 1
mirror to observe-index 3
#
return
● DeviceC configuration file
#
sysname DeviceC
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.80.1.1 255.255.255.0
#
return

1.1.18 Layer 2 Traffic Suppression Configuration

Layer 2 traffic suppression limits the bandwidth for forwarding broadcast,
multicast, and unknown unicast traffic, which ensures the proper forwarding of
traffic.

1.1.18.1 Overview of Layer 2 Traffic Suppression

The traffic involved in Layer 2 traffic suppression includes broadcast, multicast,
and unknown unicast traffic.

Layer 2 Traffic Classification
Traffic on a Layer 2 network is classified into the following types:
● Unicast traffic: consists of unicast packets whose destination MAC addresses
are in the MAC address table. The NE9000 forwards these packets in unicast
mode according to the information in the MAC address table.
● Unknown unicast traffic: consists of unicast packets whose destination MAC
addresses are not in the MAC address table. The NE9000 broadcasts these
packets.
● Multicast traffic: consists of packets that use multicast addresses as
destination MAC addresses. The NE9000 broadcasts these packets.
● Broadcast traffic: consists of packets that use broadcast addresses as
destination MAC addresses. The NE9000 broadcasts these packets.

To ensure the transmission of unicast traffic, the NE9000 can limit the bandwidth
for forwarding broadcast, multicast, and unknown unicast traffic.

Traffic Suppression
Most Layer 2 network scenarios require unicast traffic to be much heavier than
broadcast traffic. This is also a requirement for networking. If broadcast traffic is
not suppressed, forwarding a large volume of such traffic consumes numerous
bandwidth resources, reducing network performance and even causing a
communication interruption.

In this case, you can configure broadcast traffic suppression on the NE9000 to
ensure that the device can reserve some bandwidth for forwarding unicast traffic
when broadcast traffic bursts.

1.1.18.2 Feature Requirements for Layer 2 Traffic Suppression

1.1.18.3 Configuring Interface-related Traffic Suppression

This section describes how to configure interface-related traffic suppression.

Usage Scenario
In addition to user traffic management and bandwidth allocation, an Ethernet
requires broadcast, multicast, and unknown unicast traffic to be suppressed to
ensure the secure transmission of unicast traffic and properly utilize bandwidth
resources.
Most networks require unicast traffic to be much heavier than broadcast traffic. If
broadcast traffic is not suppressed, forwarding a large volume of such traffic
consumes numerous bandwidth resources, reducing network performance and
even causing a communication interruption.

Pre-configuration Tasks
Before configuring Layer 2 traffic suppression, complete the following task:
● Connect interfaces and set their physical parameters to ensure that the
interfaces are physically up.

1.1.18.3.1 Configuring Interface-based Traffic Suppression

This section describes how to configure interface-based traffic suppression in order
to reduce the traffic burden on a network.

Context
Traffic suppression can be implemented only on a Layer 2 interface.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run portswitch
The interface is configured to work in Layer 2 mode.
Step 4 Run broadcast-suppression { percent-value | value bw-value } { inbound |
outbound }
Broadcast traffic suppression is configured on the interface.
Step 5 Run multicast-suppression { percent-value | value bw-value } { inbound |
outbound }
Multicast traffic suppression is configured on the interface.
Step 6 Run unknown-unicast-suppression { percent-value | value bw-value } { inbound
| outbound }
Unknown unicast traffic suppression is configured on the interface.
Step 7 Run commit
The configuration is committed.

----End

1.1.18.3.2 (Optional) Configuring Sub-interface-based Traffic Suppression

This section describes how to configure sub-interface-based traffic suppression in
order to reduce the traffic burden on a network.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vsi vsi-name [ static ]
A VSI is created.
Step 3 Run suppression { inbound | outbound } enable
Traffic suppression is enabled for the VSI.
Step 4 Run pwsignal ldp
A signaling mode is configured for the VSI.
Step 5 Run vsi-id vsi-id
An ID is configured for the VSI.
Step 6 Run quit
Return to the VSI view.
Step 7 Run quit
Return to the system view.
Step 8 Run interface interface-type interface-number.subinterface-number
The sub-interface view is displayed.
Step 9 Run vlan-type dot1q vlan-id
The sub-interface is associated with a VLAN, and a VLAN encapsulation mode is
configured for the sub-interface.
Step 10 Run l2 binding vsi vsi-name [ access-port ]
The sub-interface is bound to the VSI.
Step 11 Run broadcast-suppression cir cir-value [ cbs cbs-value ] { inbound | outbound }
Broadcast traffic suppression is configured on the sub-interface.
Step 12 Run multicast-suppression cir cir-value [ cbs cbs-value ] { inbound | outbound }
Multicast traffic suppression is configured on the sub-interface.
Step 13 Run unknown-unicast-suppression cir cir-value [ cbs cbs-value ] { inbound |
outbound }
Unknown unicast traffic suppression is configured on the sub-interface.
Step 14 Run commit
The configuration is committed.

----End

1.1.18.3.3 Configuring Interface- and VLAN-based Traffic Suppression

This section describes how to configure interface- and VLAN-based traffic
suppression in order to reduce the traffic burden on a network.

Context
Traffic suppression can be implemented only on a Layer 2 interface.
If you configure broadcast packet suppression on an interface multiple times,
the latest configuration overrides the previous one. However, if you reconfigure
traffic suppression on an interface that has been added to a VLAN, you must
delete the previous configuration before reconfiguring it.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run portswitch
The interface is configured to work in Layer 2 mode.
Step 4 Run quit
Return to the system view.
Step 5 Run vlan batch { vlan-id1 [ to vlan-id2 ] } &<1-10>
A VLAN is created.
Step 6 Run port interface-type { interface-number1 [ to interface-number2 ] } &<1-10>
The interface is added to the VLAN.
Step 7 Run suppression { inbound | outbound } enable
Traffic suppression is enabled for the VLAN.
Step 8 Run unknown-multicast discard
Interfaces in the VLAN are disabled from forwarding unknown multicast packets.
Step 9 Run unknown-unicast discard
Interfaces in the VLAN are disabled from forwarding unknown unicast packets.
Step 10 Run quit
Return to the system view.

Step 11 Run interface interface-type interface-number
The interface view is displayed.
Step 12 Run broadcast-suppression cir cir-value [ cbs cbs-value ] { inbound | outbound }
{ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> }
Interface- and VLAN-based broadcast traffic suppression is configured.
Step 13 Run multicast-suppression cir cir-value [ cbs cbs-value ] { inbound | outbound }
{ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> }
Interface- and VLAN-based multicast traffic suppression is configured.
Step 14 Run unknown-unicast-suppression cir cir-value [ cbs cbs-value ] { inbound |
outbound } { vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> }
Interface- and VLAN-based unknown unicast traffic suppression is configured.
Step 15 Run commit
The configuration is committed.

----End

1.1.18.3.4 Verifying the Configuration


You can run the corresponding display commands to check interface-specific
Layer 2 traffic suppression statistics.

Procedure
Step 1 Run the display interface { interface-name | interface-type interface-num }
suppression vsi vsi-name or display traffic-statistics suppression interface
{ interface-name | interface-type interface-num } vsi vsi-name command to check
Layer 2 traffic suppression statistics about specified VPLS services on the specified
interface.

Step 2 Run the display traffic-statistics suppression interface { interface-name |
interface-type interface-number } [ vlan vlan-id | bd bd-id ] or display interface
interface-type interface-number suppression [ vlan vlan-id | bd bd-id ] command
to check Layer 2 traffic suppression statistics about specified Layer 2 services on
the specified interface.

Step 3 Run the display traffic-statistics vsi vsi-name suppression peer peer-address
[ negotiation-vc-id vcIdValue ] command to check PW traffic suppression
statistics.

----End

1.1.18.4 Configuring Traffic Suppression over a VSI


This section describes how to configure traffic suppression in a specified virtual
switch instance (VSI) to prevent a large volume of traffic from overloading the
network.

Applicable Environment
On an Ethernet network, user bandwidth must be allocated in order to manage
user traffic. In addition, to ensure secure transmission of unicast traffic and
proper bandwidth utilization, unknown unicast, multicast, and broadcast traffic
must be suppressed.

On most networks, the unicast traffic volume is far higher than the broadcast
traffic volume. If broadcast traffic is not suppressed, heavy broadcast traffic
consumes a great amount of network bandwidth, causing network performance to
deteriorate and even interrupting communication.

Pre-configuration Tasks
Before configuring traffic suppression, connect interfaces and configure their
physical parameters so that they can go Up physically.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run vsi vsi-name [ static ]

The VSI view is displayed.

Step 3 Run suppression { inbound | outbound } enable

Traffic suppression is enabled in the VSI.

Step 4 Run broadcast-suppression cir cir-value [ cbs cbs-value ] { uni-inbound | uni-outbound }

Broadcast traffic over the VSI AC is suppressed.

Step 5 Run multicast-suppression cir cir-value [ cbs cbs-value ] { uni-inbound | uni-outbound }

Multicast traffic over the VSI AC is suppressed.

Step 6 Run unknown-unicast-suppression cir cir-value [ cbs cbs-value ] { uni-inbound | uni-outbound }

Unknown unicast traffic over the VSI AC is suppressed.

Step 7 Run commit

The configuration is committed.

----End

Checking the Configurations

After configuring traffic suppression, check the configurations.

Run the display traffic-statistics vsi vsi-name suppression uni command to
check traffic suppression statistics in a VSI.

1.1.18.5 Configuring BD-based Traffic Suppression


This section describes how to configure BD-based traffic suppression in order to
reduce the traffic burden on a network.

Prerequisites
Before configuring Layer 2 traffic suppression, complete the following task:
Connect interfaces and set their physical parameters to ensure that the physical
status of the interfaces is up.

Context
As broadcast, multicast, and unknown unicast packets increase on a network,
more network resources are consumed, adversely affecting network services.
When the rates of broadcast, multicast, and unknown unicast packets exceed the
configured committed information rate (CIR), the system discards excess packets
to control the packet rate within a proper range.
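The CIR-based discard described above, as an added example that is not part of this guide: a Python token-bucket model that applies per-type broadcast and multicast limits to a constructed packet trace and reports what is forwarded and what is discarded. It assumes cir is in kbit/s, cbs is the bucket depth in bytes and each suppressed traffic type has its own bucket; the device's default for an omitted cbs is not modelled.

```python
"""Token-bucket model of CIR/CBS Layer 2 traffic suppression (added example,
not Huawei code). Assumptions: cir in kbit/s, cbs as bucket depth in bytes,
one bucket per suppressed traffic type, known unicast never suppressed."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    t: float   # arrival time in seconds; a trace is ordered by t
    size: int  # frame length in bytes
    kind: str  # "broadcast", "multicast", "unknown-unicast" or "unicast"


@dataclass
class Bucket:
    """Refills at the CIR and never holds more than cbs bytes of credit."""
    cir_kbps: int
    cbs: int
    tokens: float = field(init=False, default=0.0)
    last_t: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.cbs)          # starts full: a burst up to cbs passes

    def admit(self, pkt: Packet) -> bool:
        if pkt.t < self.last_t:
            raise ValueError("trace must be ordered by arrival time")
        refill = self.cir_kbps * 1000 / 8 * (pkt.t - self.last_t)   # bytes earned
        self.tokens = min(float(self.cbs), self.tokens + refill)
        self.last_t = pkt.t
        if self.tokens >= pkt.size:
            self.tokens -= pkt.size
            return True
        return False                            # rate above CIR: excess packet discarded


class Suppressor:
    """Applies the configured per-type limits to a packet trace."""

    def __init__(self, cir_kbps: dict, cbs_bytes: dict):
        self.buckets = {k: Bucket(cir_kbps[k], cbs_bytes[k]) for k in cir_kbps}
        self.stats = {k: {"passed": 0, "dropped": 0, "dropped_bytes": 0}
                      for k in cir_kbps}

    def process(self, trace):
        forwarded = []
        for pkt in trace:
            bucket = self.buckets.get(pkt.kind)
            if bucket is None:                  # no limit configured for this type
                forwarded.append(pkt)
                continue
            st = self.stats[pkt.kind]
            if bucket.admit(pkt):
                st["passed"] += 1
                forwarded.append(pkt)
            else:
                st["dropped"] += 1
                st["dropped_bytes"] += pkt.size
        return forwarded


def demo():
    """Constructed trace: a 20-frame broadcast burst at t=0, two known unicast
    frames, a second broadcast burst 40 ms later and a small multicast burst.
    Limits correspond to 'broadcast-suppression cir 1000 cbs 10000' and
    'multicast-suppression cir 1000 cbs 1000'."""
    trace = [Packet(0.0, 1000, "broadcast") for _ in range(20)]
    trace += [Packet(0.01, 1500, "unicast") for _ in range(2)]
    trace += [Packet(0.04, 1000, "broadcast") for _ in range(8)]
    trace += [Packet(0.05, 500, "multicast") for _ in range(3)]
    s = Suppressor(cir_kbps={"broadcast": 1000, "multicast": 1000},
                   cbs_bytes={"broadcast": 10000, "multicast": 1000})
    forwarded = s.process(trace)
    return len(forwarded), s.stats
```

With cir 1000 kbit/s the bucket earns 125000 bytes per second, so the first burst passes only the 10000-byte cbs and the second burst, 40 ms later, only the 5000 bytes earned in between.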

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run bridge-domain bd-id
The BD view is displayed.
Step 3 Run broadcast-suppression cir cir-value [ cbs cbs-value ] { uni-inbound | uni-outbound }
The maximum broadcast traffic rate allowed by the BD is configured.
Step 4 Run multicast-suppression cir cir-value [ cbs cbs-value ] { uni-inbound | uni-outbound }
The maximum multicast traffic rate allowed by the BD is configured.
Step 5 Run unknown-unicast-suppression cir cir-value [ cbs cbs-value ] { uni-inbound | uni-outbound }
The maximum unknown unicast traffic rate allowed by the BD is configured.
Step 6 Run commit
The configuration is committed.

----End

Follow-up Procedure
After the configuration is complete, perform the following operation to verify the
configuration:
Run the display traffic-statistics suppression bd bd-id command to check Layer
2 traffic suppression statistics about the specified BD.

1.1.18.6 (Optional) Configuring VSI PW-based Traffic Suppression


This section describes how to configure VSI PW-based traffic suppression in order
to reduce the traffic burden on a network.

Usage Scenario
In addition to user traffic management and bandwidth allocation, an Ethernet
network requires broadcast, multicast, and unknown unicast traffic to be
suppressed to ensure the secure transmission of unicast traffic and proper use of
bandwidth resources.

On most networks, unicast traffic is much heavier than broadcast, multicast, and
unknown unicast traffic. If broadcast, multicast, and unknown unicast traffic is
not suppressed, forwarding a large volume of such traffic consumes numerous
bandwidth resources, reducing network performance and even causing a
communication interruption. If interface-based traffic suppression is configured,
the broadcast, multicast, and unknown unicast traffic of all PWs created on the
interface is suppressed. To implement more convenient and flexible traffic
suppression, you can configure VSI PW-based suppression for broadcast,
multicast, and unknown unicast traffic.

Pre-configuration Tasks
Before configuring Layer 2 traffic suppression, complete the following tasks:

● Connect interfaces and set their physical parameters to ensure that the
interfaces are physically up.
● Enable the MPLS L2VPN function.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run vsi vsi-name [ static ]

The VSI view is displayed.

Step 3 Run suppression { inbound | outbound } enable

Traffic suppression is enabled for the VSI.

Step 4 Configure VSI PW-based LDP interface traffic suppression in the VSI-LDP-PW view,
VSI PW-based BGP interface traffic suppression in the VSI-BGP-PW view, or VSI
PW-based BGP AD interface traffic suppression in the VSI-BGP AD-PW view.
● Configure VSI PW-based LDP interface traffic suppression in the VSI-LDP-PW
view.
a. Run pwsignal ldp
The VSI-LDP view is displayed.
b. Run vsi-id vsi-id
A VSI ID is configured.

c. Run peer peer-address [ negotiation-vc-id vc-id ] pw pw-name
A PW is created, and the VSI-LDP-PW view is displayed.
● Configure VSI PW-based BGP interface traffic suppression in the VSI-BGP-PW
view.
a. Run pwsignal bgp
The VSI-BGP view is displayed.
b. Run route-distinguisher route-distinguisher
An RD is configured for the current VSI.
c. Run vpn-target vpn-target both
The current VSI is associated with the specified VPN target.
d. Run peer peer-address remote-site remote-site-id pw pw-name
A PW is created, and the VSI-BGP-PW view is displayed.
● Configure VSI PW-based BGP AD interface traffic suppression in the VSI-BGP
AD-PW view.
a. Run bgp-ad
The BGP AD view is displayed.
b. Run vpls-id vplsIdValue
The ID of the VPLS domain to which the VSI belongs is specified.
c. Run vpn-target vpn-target both
The current VSI is associated with the specified VPN target.
d. Run peer peer-address pw pw-name
A PW is created, and the VSI-BGP AD-PW view is displayed.
Step 5 Run broadcast-suppression cir cir-value [ cbs cbs-value ]
VSI PW-based broadcast traffic suppression is implemented.
Step 6 Run multicast-suppression cir cir-value [ cbs cbs-value ]
VSI PW-based multicast traffic suppression is implemented.
Step 7 Run unknown-unicast-suppression cir cir-value [ cbs cbs-value ]
VSI PW-based unknown unicast traffic suppression is implemented.
Step 8 Run commit
The configuration is committed.

----End

1.1.18.6.1 Verifying the Configuration of Traffic Suppression over a VSI PW


You can run the corresponding display commands to check interface-specific
Layer 2 traffic suppression statistics.

Procedure
Step 1 Run the display interface { interface-name | interface-type interface-num }
suppression vsi vsi-name or display traffic-statistics suppression interface
{ interface-name | interface-type interface-num } vsi vsi-name command to check
Layer 2 traffic suppression statistics about specified VPLS services on the specified
interface.

Step 2 Run the display traffic-statistics suppression interface { interface-name |
interface-type interface-number } [ vlan vlan-id | bd bd-id ] or display interface
interface-type interface-number suppression [ vlan vlan-id | bd bd-id ] command
to check Layer 2 traffic suppression statistics about specified Layer 2 services on
the specified interface.

Step 3 Run the display traffic-statistics vsi vsi-name suppression peer peer-address
[ negotiation-vc-id vcIdValue ] command to check PW traffic suppression
statistics.

----End

1.1.18.7 Configuring Traffic Suppression for Special Reserved Multicast Groups

This section describes how to configure traffic suppression for special reserved
multicast groups in order to reduce the traffic burden on a network.

Usage Scenario
A growing number of special reserved multicast group packets in the broadcast
domain consume a large amount of network resources, which severely affects
service running. To address this issue, you can configure traffic suppression for
such packets, thereby reducing the multicast traffic volume to a proper range.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run standard-group mac-address suppression enable

Traffic suppression is enabled for special reserved multicast groups.

Step 3 Run commit

The configuration is committed.

----End

1.1.18.8 Maintaining Layer 2 Traffic Suppression


Before you start collecting statistics about Layer 2 traffic suppression, clear the
existing statistics.

Procedure
Step 1 To clear Layer 2 traffic suppression statistics about specified VPLS services on the
specified interface, run the reset traffic-statistics suppression interface
{ interface-name | interface-type interface-number } vsi vsi-name or reset counters
interface interface-type interface-number suppression vsi vsi-name command.
Step 2 To clear traffic suppression statistics about the specified PW, run the
reset traffic-statistics suppression vsi name vsi-name peer peer-address
[ negotiation-vc-id negotiation-vc-id ] command.
Step 3 To clear Layer 2 traffic suppression statistics about specified Layer 2 services on
the specified interface, run the reset traffic-statistics suppression interface
{ interface-name | interface-type interface-number } [ vlan vlan-id | bd bd-id ] or
reset counters interface interface-type interface-number suppression [ vlan
vlan-id | bd bd-id ] command.
Step 4 To clear traffic suppression statistics about the specified VSI, run the
reset traffic-statistics suppression vsi name vsi-name [ peer peer-address
[ negotiation-vc-id negotiation-vc-id ] | uni ] command.
Step 5 To clear Layer 2 traffic suppression statistics about the specified BD, run the
reset traffic-statistics suppression bd bd-id command.

----End

1.1.18.9 Configuration Examples for Layer 2 Traffic Suppression


This chapter provides examples for configuring Layer 2 traffic suppression.

1.1.18.9.1 Example for Configuring VSI PW-based Broadcast Traffic Suppression


This section provides an example for configuring VSI PW-based broadcast traffic
suppression in order to properly allocate user bandwidth and improve network
performance.

Networking Requirements
In addition to user traffic management and bandwidth allocation, an Ethernet
requires broadcast, multicast, and unknown unicast traffic to be suppressed to
ensure the secure transmission of unicast traffic and properly utilize bandwidth
resources. If these types of traffic are not suppressed, forwarding a large volume
of such traffic consumes numerous bandwidth resources, reducing network
performance and even causing a communication interruption.
On the network shown in Figure 1-56, CE1 and CE2 belong to the same LDP VPLS
network and can communicate with each other. If you configure broadcast traffic
suppression on an interface, the broadcast traffic of all PWs created on the
interface is suppressed. In this case, you can configure broadcast traffic
suppression for only the PW in a specified VSI. This makes traffic suppression more
convenient and flexible.

Figure 1-56 Networking diagram for configuring VSI PW-based broadcast traffic
suppression
NOTE
interface1, interface2, subinterface1.1, and subinterface2.1 in this example represent
GE1/0/0, GE2/0/0, GE1/0/0.1, and GE2/0/0.1, respectively.

Device Name   Interface Number   Interface IP Address   Interface MAC Address
CE1           GE1/0/0.1          10.1.1.1/24            -
PE1           Loopback1          1.1.1.1/32             -
PE1           GE2/0/0            172.16.1.1/24          -
P             Loopback1          2.2.2.2/32             -
P             GE1/0/0            172.16.1.2/24          -
P             GE2/0/0            192.168.1.1/24         -
PE2           Loopback1          3.3.3.3/32             -
PE2           GE1/0/0            192.168.1.2/24         -
CE2           GE2/0/0.1          10.1.1.2/24            -

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a routing protocol on the backbone network to implement
interworking.
2. Establish a remote LDP session between the PEs.
3. Establish a tunnel for data transmission between the PEs.
4. Enable MPLS L2VPN on the PEs.
5. Create a VSI on each PE, specify LDP as the signaling protocol, and bind an
AC interface to the VSI.
6. Configure VSI PW-based broadcast traffic suppression.

Data Preparation
To complete the configuration, you need the following data:

● VSI names and IDs

● Peer IP address and tunnel policy used for establishing the peer relationship
● Interfaces to be bound to the VSIs
● Committed information rate (CIR) for broadcast traffic

Procedure
Step 1 Configure an IGP.
OSPF is used in this example. The configuration details are not provided here.
After the configuration is complete, run the display ip routing-table command
on PE1, the P, and PE2. The command output shows that the devices have learned
routes from their peers.
Configure addresses for interfaces on PE1, the P, and PE2, as shown in Figure
1-56. During OSPF configuration, enable the devices to advertise their 32-bit
loopback addresses (LSR-IDs).
Step 2 Configure basic MPLS functions and LDP.
The configuration details are not provided here.
After the configuration is complete, run the display mpls ldp session command
on PE1, the P, and PE2. The command output shows that the status of the peer
relationship between PE1 and the P and the status of the peer relationship
between PE2 and the P are both Operational. This means that the peer
relationships have been established. To check information about LSP
establishment, run the display mpls lsp command.
Step 3 Establish a remote LDP session between the PEs.
# Configure PE1.
[~PE1] mpls ldp remote-peer 3.3.3.3
[*PE1-mpls-ldp-remote-3.3.3.3] remote-ip 3.3.3.3
[*PE1-mpls-ldp-remote-3.3.3.3] quit
[*PE1] commit

# Configure PE2.
[~PE2] mpls ldp remote-peer 1.1.1.1
[*PE2-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[*PE2-mpls-ldp-remote-1.1.1.1] quit
[*PE2] commit

After the configuration is complete, run the display mpls ldp session command
on PE1 or PE2. The command output shows that the status of the peer
relationship between PE1 and PE2 is Operational. This means that the remote
peer relationship has been established.
Step 4 Enable MPLS L2VPN on the PEs.
# Configure PE1.
[~PE1] mpls l2vpn
[*PE1-l2vpn] quit
[*PE1] commit

# Configure PE2.
[~PE2] mpls l2vpn
[*PE2-l2vpn] quit
[*PE2] commit

Step 5 Configure a VSI on each PE and configure VSI PW-based traffic suppression.
# Configure VSI PW-based broadcast, multicast, and unknown unicast traffic
suppression on PE1.
[~PE1] vsi a2 static
[*PE1-vsi-a2] suppression inbound enable
[*PE1-vsi-a2] pwsignal ldp
[*PE1-vsi-a2-ldp] vsi-id 2
[*PE1-vsi-a2-ldp] peer 3.3.3.3
[*PE1-vsi-a2-ldp] peer 3.3.3.3 pw 1
[*PE1-vsi-a2-ldp-pw-1] broadcast-suppression cir 1000
[*PE1-vsi-a2-ldp-pw-1] multicast-suppression cir 1000
[*PE1-vsi-a2-ldp-pw-1] unknown-unicast-suppression cir 1000
[*PE1-vsi-a2-ldp-pw-1] quit
[*PE1-vsi-a2-ldp] quit
[*PE1-vsi-a2] quit
[*PE1] commit

# Configure VSI PW-based broadcast, multicast, and unknown unicast traffic
suppression on PE2.
[~PE2] vsi a2 static
[*PE2-vsi-a2] suppression inbound enable
[*PE2-vsi-a2] pwsignal ldp
[*PE2-vsi-a2-ldp] vsi-id 2
[*PE2-vsi-a2-ldp] peer 1.1.1.1
[*PE2-vsi-a2-ldp] peer 1.1.1.1 pw 1
[*PE2-vsi-a2-ldp-pw-1] broadcast-suppression cir 1000
[*PE2-vsi-a2-ldp-pw-1] multicast-suppression cir 1000
[*PE2-vsi-a2-ldp-pw-1] unknown-unicast-suppression cir 1000
[*PE2-vsi-a2-ldp-pw-1] quit
[*PE2-vsi-a2-ldp] quit
[*PE2-vsi-a2] quit
[*PE2] commit

Step 6 Bind interfaces to the VSIs on the PEs.
# Configure PE1.
[~PE1] interface gigabitethernet1/0/0.1
[*PE1-GigabitEthernet1/0/0.1] shutdown
[*PE1-GigabitEthernet1/0/0.1] vlan-type dot1q 10
[*PE1-GigabitEthernet1/0/0.1] l2 binding vsi a2
[*PE1-GigabitEthernet1/0/0.1] undo shutdown
[*PE1-GigabitEthernet1/0/0.1] quit
[*PE1] commit

# Configure PE2.
[~PE2] interface gigabitethernet2/0/0.1
[*PE2-GigabitEthernet2/0/0.1] shutdown
[*PE2-GigabitEthernet2/0/0.1] vlan-type dot1q 10
[*PE2-GigabitEthernet2/0/0.1] l2 binding vsi a2
[*PE2-GigabitEthernet2/0/0.1] undo shutdown
[*PE2-GigabitEthernet2/0/0.1] quit
[*PE2] commit

Step 7 Configure the CEs.
# Configure CE1.
<HUAWEI> sysname CE1
<HUAWEI> commit
[~CE1] interface gigabitethernet1/0/0.1
[*CE1-GigabitEthernet1/0/0.1] shutdown
[*CE1-GigabitEthernet1/0/0.1] vlan-type dot1q 10
[*CE1-GigabitEthernet1/0/0.1] ip address 10.1.1.1 255.255.255.0
[*CE1-GigabitEthernet1/0/0.1] undo shutdown
[*CE1-GigabitEthernet1/0/0.1] quit
[*CE1] commit

# Configure CE2.
<HUAWEI> sysname CE2
<HUAWEI> commit
[~CE2] interface gigabitethernet1/0/0.1
[*CE2-GigabitEthernet1/0/0.1] shutdown
[*CE2-GigabitEthernet1/0/0.1] vlan-type dot1q 10
[*CE2-GigabitEthernet1/0/0.1] ip address 10.1.1.2 255.255.255.0
[*CE2-GigabitEthernet1/0/0.1] undo shutdown
[*CE2-GigabitEthernet1/0/0.1] quit
[*CE2] commit

Step 8 Verify the configuration.

After the configuration is complete, run the display vsi name a2 verbose
command on PE1. The command output shows that a PW to PE2 has been
established for the VSI a2 and the VSI state is up.
[PE1] display vsi name a2 verbose
***VSI Name : a2
Administrator VSI : no
Isolate Spoken : disable
VSI Index :0
PW Signaling : ldp
Member Discovery Style : static
PW MAC Learn Style : unqualify
Encapsulation Type : vlan
MTU : 1500
Diffserv Mode : uniform
Service Class : --
Color : --
DomainId : 255
Domain Name :
Ignore AcState : disable
Multicast Fast Switch : disable
Create Time : 0 days, 3 hours, 30 minutes, 31 seconds
VSI State : up
VSI ID :2
*Peer Router ID : 3.3.3.3
primary or secondary : primary
ignore-standby-state : no
VC Label : 18
Peer Type : dynamic
Session : up
Tunnel ID : 0x0000000001004c4b82
Broadcast Tunnel ID : --
Broad BackupTunnel ID : --
CKey :6
NKey :5
StpEnable :0
PwIndex :0
Interface Name : GigabitEthernet1/0/0.1
State : up
Last Up Time : 2012/10/10 10:14:46
Total Up Time : 0 days, 0 hours, 1 minutes, 2 seconds
**PW Information:
*Peer Ip Address : 3.3.3.3
PW State : up
Local VC Label : 18
Remote VC Label : 18
PW Type : label
Tunnel ID : 0x0000000001004c4b82
Broadcast Tunnel ID : --
Broad BackupTunnel ID : --
Ckey :1
Nkey : 1610612838
Main PW Token : 0x0
Slave PW Token : 0x0
Tnl Type : LdP
OutInterface : LDP LSP
Backup OutInterface :
Stp Enable :0
PW Last Up Time : 2012-10-10 10:15:59
PW Total Up Time : 0 days, 0 hours, 1 minutes, 3 seconds

# Check that CE1 (10.1.1.1) can ping CE2 (10.1.1.2).
[CE1] ping 10.1.1.2
PING 10.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=90 ms
Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time=77 ms
Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time=34 ms
Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time=46 ms
Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time=94 ms
--- 10.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/68/94 ms

----End

Configuration Files
● CE1 configuration file
#
sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
#
interface GigabitEthernet1/0/0.1
undo shutdown
vlan-type dot1q 10
ip address 10.1.1.1 255.255.255.0
#
return

● CE2 configuration file
#
sysname CE2
#
interface GigabitEthernet1/0/0
undo shutdown
#
interface GigabitEthernet1/0/0.1
undo shutdown
vlan-type dot1q 10
ip address 10.1.1.2 255.255.255.0
#
return

● PE1 configuration file
#
sysname PE1
#
mpls lsr-id 1.1.1.1
#
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 3.3.3.3
peer 3.3.3.3 pw 1
broadcast-suppression cir 1000
multicast-suppression cir 1000
unknown-unicast-suppression cir 1000
suppression inbound enable
#
mpls ldp
#
mpls ldp remote-peer 3.3.3.3
remote-ip 3.3.3.3
#
interface GigabitEthernet1/0/0
undo shutdown
#
interface GigabitEthernet1/0/0.1
undo shutdown
vlan-type dot1q 10
l2 binding vsi a2
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 172.16.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 172.16.1.0 0.0.0.255
#
return
● P configuration file
#
sysname P
#
mpls lsr-id 2.2.2.2
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 172.16.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 192.168.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 172.16.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 2.2.2.2 0.0.0.0
#
return

● PE2 configuration file
#
sysname PE2
#
mpls lsr-id 3.3.3.3
#
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.1
peer 1.1.1.1 pw 1
broadcast-suppression cir 1000
multicast-suppression cir 1000
unknown-unicast-suppression cir 1000
suppression inbound enable
#
mpls ldp
#
mpls ldp remote-peer 1.1.1.1
remote-ip 1.1.1.1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
#
interface GigabitEthernet2/0/0.1
undo shutdown
vlan-type dot1q 10
l2 binding vsi a2
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 192.168.1.0 0.0.0.255
#
return
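A configuration audit for the VSI PW-based suppression shown in this example, added here as an illustration and not part of the guide: it parses a VRP-style configuration file, walks each vsi / peer ... pw block, and reports VSIs that lack suppression { inbound | outbound } enable and PWs that lack one of the three suppression commands. The sample input reuses the PE1 VSI block from the configuration file above plus a hypothetical second VSI b7, constructed to produce findings; the indentation-free layout matches the files as printed above.

```python
"""Audit of VSI PW-based traffic suppression in a VRP-style configuration file
(added example, not Huawei code). It walks the vsi / peer ... pw hierarchy the
way the configuration files above print it and reports what is missing."""
import re

REQUIRED_PW = ("broadcast-suppression", "multicast-suppression",
               "unknown-unicast-suppression")
VSI_RE = re.compile(r"^vsi (\S+)(?: static)?$")
DIR_RE = re.compile(r"^suppression (inbound|outbound) enable$")
PW_RE = re.compile(r"^peer (\S+)(?: negotiation-vc-id \d+)? pw (\S+)$")
LIMIT_RE = re.compile(r"^(\S+-suppression) cir (\d+)(?: cbs (\d+))?$")

# Constructed input: the PE1 VSI block from the example above, plus a
# hypothetical VSI 'b7' that lacks two limits and never enables suppression.
SAMPLE_CONFIG = """\
#
sysname PE1
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 3.3.3.3
peer 3.3.3.3 pw 1
broadcast-suppression cir 1000
multicast-suppression cir 1000
unknown-unicast-suppression cir 1000
suppression inbound enable
#
vsi b7 static
pwsignal ldp
vsi-id 7
peer 3.3.3.3
peer 3.3.3.3 pw 1
broadcast-suppression cir 500 cbs 64000
#
return
"""


def parse_vsis(config: str) -> dict:
    """Return {vsi: {"directions": set, "pws": {"peer/pw": {limit: {cir, cbs}}}}}."""
    vsis, vsi, pw = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":                          # block separator ends the VSI
            vsi = pw = None
            continue
        m = VSI_RE.match(line)
        if m:
            vsi = vsis.setdefault(m.group(1), {"directions": set(), "pws": {}})
            pw = None
            continue
        if vsi is None:
            continue
        if m := DIR_RE.match(line):
            vsi["directions"].add(m.group(1))
        elif m := PW_RE.match(line):
            pw = vsi["pws"].setdefault(f"{m.group(1)}/pw {m.group(2)}", {})
        elif (m := LIMIT_RE.match(line)) and pw is not None:
            cbs = int(m.group(3)) if m.group(3) else None
            pw[m.group(1)] = {"cir": int(m.group(2)), "cbs": cbs}
    return vsis


def audit(config: str) -> list:
    """One finding per VSI without suppression enabled and per PW lacking a limit."""
    findings = []
    for name, v in parse_vsis(config).items():
        if not v["directions"]:
            findings.append(f"vsi {name}: 'suppression inbound|outbound enable' "
                            "is not configured (Step 3 of the procedure)")
        for pw_name, limits in v["pws"].items():
            missing = [c for c in REQUIRED_PW if c not in limits]
            if missing:
                findings.append(f"vsi {name} peer {pw_name}: missing {', '.join(missing)}")
    return findings
```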

1.1.19 MPAC Configuration

1.1.19.1 Introduction to MPAC


Management Plane Access Control (MPAC) enhances system security by
protecting devices against Denial of Service (DoS) attacks.
In a common deployment scenario, the router may run multiple services at the
same time, such as routing services OSPF and BGP, MPLS services LDP and RSVP,
system service TFTP server, and diagnostic functions ping and tracert.
This enables attackers to send various attack packets to the router. Unless
protective features such as MPAC are enabled, the router sends packets destined
for its interfaces (including the loopback interface) directly to the CPU without any
filtering. As a result, CPU and system resources are wasted and the system comes
under DoS attacks.
To prevent such attacks, define an MPAC policy to filter packets.

1.1.19.2 Feature Requirements for MPAC

1.1.19.3 Configuring MPAC


Management Plane Access Control (MPAC) policies can be applied to sub-interfaces,
to interfaces, or globally to filter packets destined for the CPU.

Usage Scenario
MPAC can be configured to filter packets destined for the CPU, thereby helping
protect network devices against Denial of Service (DoS) attacks.

Pre-configuration Tasks
Before configuring MPAC, configure link layer protocol parameters and IP
addresses for interfaces to ensure that the link layer protocol on the interfaces is
in the Up state.

1.1.19.3.1 Configuring an IPv4 MPAC Policy


An IPv4 Management Plane Access Control (MPAC) policy can be configured to
filter IPv4 packets destined for the CPU.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run service-security policy ipv4 security-policy-name
An IPv4 MPAC policy is created, and the IPv4 MPAC policy view is displayed.
Step 3 Add a rule to the IPv4 MPAC policy. See the following table.

Table 1-31 Rules for an IPv4 MPAC policy

Protocol Type: TCP or UDP
Command: rule [ rule-id ] [ name rule-name ] { permit | deny } protocol { tcp |
tcp-protocol-number | udp | udp-protocol-number } [ [ source-port
source-port-number ] | [ destination-port destination-port-number ] | [ source-ip
{ source-ipv4-address { source-ipv4-mask | 0 } | any } ] | [ destination-ip
{ destination-ipv4-address { destination-ipv4-mask | 0 } | any } ] ] *
Remarks: -

Protocol Type: BGP, Dynamic Host Configuration Protocol-C (DHCP-C), Dynamic Host
Configuration Protocol-R (DHCP-R), FTP, IP, LDP, LSP ping, NTP, OSPF, PIM, RIP,
RSVP, SNMP, SSH, Telnet, TFTP, or IGMP
Command: rule [ rule-id ] [ name rule-name ] { permit | deny } protocol
{ ip-protocol-number | bgp | dhcp-c | dhcp-r | ftp | ip | ldp | lsp-ping | ntp | ospf |
pim | rip | rsvp | snmp | ssh | telnet | tftp | igmp } [ [ source-ip
{ source-ipv4-address { source-ipv4-mask | 0 } | any } ] | [ destination-ip
{ destination-ipv4-address { destination-ipv4-mask | 0 } | any } ] ] *
Remarks: -

Protocol Type: IS-IS or any other protocol
Command: rule [ rule-id ] [ name rule-name ] { deny | permit } protocol { any | isis }
Remarks: Exercise caution when using the rule [ rule-id ] deny protocol any
command. After this command is applied globally, no protocol packets are sent to
the CPU, causing the device to be out of management.

Step 4 (Optional) Run step step

The step is configured for rules in the MPAC policy.

Step 5 (Optional) Run description text

The description is configured for the MPAC policy.

Step 6 Run quit

Return to the system view.

Step 7 Apply an IPv4 MPAC policy.
● Apply an IPv4 MPAC policy globally.
Run service-security global-binding ipv4 security-policy-name
An MPAC policy is applied globally.
● Apply an IPv4 MPAC policy to an interface.
a. Run interface interface-type interface-number
The interface view is displayed.
b. Run service-security binding ipv4 security-policy-name
The MPAC policy is applied to the interface.
NOTE
The MPAC policies on a sub-interface, interface, or configured globally are listed in
descending order of priorities. When different MPAC policies are applied globally, to an
interface, and to a sub-interface, the MPAC policy on the sub-interface takes effect
preferentially, and then the MPAC policy on the interface, and then the MPAC policy applied
globally.

Step 8 Run commit

The configuration is committed.

----End
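A model of how the rules in Table 1-31 and the binding precedence in the NOTE above are evaluated, added as an example and not vendor code: it parses rule lines in the table's syntax, evaluates a packet against the sub-interface, interface and global policies in that order, and reports which policy and rule decided. Rule ordering by ascending rule-id, permit when no bound rule matches, mask 0 meaning an exact host, and the protocol and port numbers used to recognise named protocols are assumptions; the policies, interface name and packets are constructed.

```python
"""IPv4 MPAC rule matching and binding precedence (added example, not vendor code).
Assumptions: rules are tried in ascending rule-id order and the first match decides;
a packet matching no rule of any bound policy is permitted; mask 0 means an exact
host; named protocols are recognised by well-known protocol and port numbers."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# (IP protocol number, destination port or None) for the protocol keywords handled.
NAMED = {"bgp": (6, 179), "ssh": (6, 22), "telnet": (6, 23), "ftp": (6, 21),
         "ldp": (6, 646), "snmp": (17, 161), "ntp": (17, 123), "tftp": (17, 69),
         "rip": (17, 520), "ospf": (89, None), "pim": (103, None), "rsvp": (46, None),
         "igmp": (2, None), "tcp": (6, None), "udp": (17, None), "ip": (None, None),
         "any": (None, None)}


@dataclass
class Packet:
    proto: int                   # IP protocol number: 6 TCP, 17 UDP, 1 ICMP, 89 OSPF
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Rule:
    rule_id: int
    action: str                  # "permit" or "deny"
    proto: Optional[int] = None  # None matches any IP protocol
    sport: Optional[int] = None
    dport: Optional[int] = None
    src_net: Optional[ipaddress.IPv4Network] = None
    dst_net: Optional[ipaddress.IPv4Network] = None

    def matches(self, p: Packet) -> bool:
        fields = ((self.proto, p.proto), (self.sport, p.sport), (self.dport, p.dport))
        nets = ((self.src_net, p.src), (self.dst_net, p.dst))
        return (all(want is None or want == have for want, have in fields)
                and all(net is None or ipaddress.ip_address(a) in net for net, a in nets))


def parse_rule(text: str) -> Rule:
    """Parse one rule line in the syntax of Table 1-31 (rule-id required here)."""
    tok = text.split()
    i = 4 if tok[2] == "name" else 2              # skip optional 'name rule-name'
    if tok[0] != "rule" or tok[i] not in ("permit", "deny") or tok[i + 1] != "protocol":
        raise ValueError(text)
    r, pname, i = Rule(int(tok[1]), tok[i]), tok[i + 2], i + 3
    r.proto, r.dport = (int(pname), None) if pname.isdigit() else NAMED[pname]
    while i < len(tok):
        key, val = tok[i], tok[i + 1]
        if key in ("source-port", "destination-port"):
            setattr(r, "sport" if key == "source-port" else "dport", int(val))
            i += 2
        elif key in ("source-ip", "destination-ip"):
            if val == "any":
                net, i = None, i + 2
            else:  # "0" = exact host (assumption); else prefix length or dotted mask
                mask = 32 if tok[i + 2] == "0" else tok[i + 2]
                net, i = ipaddress.ip_network(f"{val}/{mask}", strict=False), i + 3
            setattr(r, "src_net" if key == "source-ip" else "dst_net", net)
        else:
            raise ValueError(f"unexpected token {key}")
    return r


class Policy:
    def __init__(self, name: str, rule_lines):
        self.name = name
        self.rules = sorted((parse_rule(l) for l in rule_lines), key=lambda r: r.rule_id)

    def evaluate(self, p: Packet):
        """(action, rule_id) of the first matching rule, or None if none matches."""
        return next(((r.action, r.rule_id) for r in self.rules if r.matches(p)), None)


def decide(p: Packet, sub_if=None, intf=None, glob=None):
    """Sub-interface policy first, then interface, then global; the first policy
    holding a matching rule decides (policy name, action, rule id)."""
    for pol in (sub_if, intf, glob):
        verdict = pol.evaluate(p) if pol else None
        if verdict:
            return pol.name, verdict[0], verdict[1]
    return None, "permit", None                   # nothing matched (assumption)


def demo():
    """Constructed policies and packets (not from the guide)."""
    glob = Policy("mgmt-global", [
        "rule 5 name ssh-mgmt permit protocol ssh source-ip 10.1.1.0 24",
        "rule 10 permit protocol bgp",
        "rule 15 permit protocol ospf",
        "rule 20 deny protocol any",              # the deny-all the table warns about
    ])
    ge = Policy("ge1-0-0", ["rule 5 deny protocol telnet"])    # bound to an interface
    pkts = {"ssh-from-mgmt": Packet(6, "10.1.1.7", "1.1.1.1", 50000, 22),
            "ssh-from-outside": Packet(6, "192.0.2.9", "1.1.1.1", 50001, 22),
            "telnet-from-mgmt": Packet(6, "10.1.1.7", "1.1.1.1", 50002, 23),
            "bgp": Packet(6, "172.16.1.2", "172.16.1.1", 49000, 179),
            "icmp": Packet(1, "192.0.2.9", "1.1.1.1")}
    return {k: decide(p, None, ge, glob) for k, p in pkts.items()}
```

Because the global policy ends in deny protocol any, anything the earlier permit rules do not name (here the ICMP echo and the SSH attempt from outside the management subnet) is dropped before it reaches the CPU, while the interface policy's Telnet deny wins over the global policy.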

1.1.19.3.2 Configuring an IPv6 MPAC Policy


An IPv6 Management Plane Access Control (MPAC) policy can be configured to
filter IPv6 packets destined for the CPU.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run service-security policy ipv6 security-policy-name
An IPv6 MPAC policy is created, and the IPv6 MPAC policy view is displayed.
Step 3 Add a rule to the IPv6 MPAC policy.

Table 1-32 Rules for an IPv6 MPAC policy

Protocol Type: TCP or UDP
Command: rule [ rule-id ] [ name rule-name ] { permit | deny } protocol { tcp |
tcp-protocol-number | udp | udp-protocol-number } [ [ source-port
source-port-number ] | [ destination-port destination-port-number ] | [ source-ip
{ source-ipv6-address { source-ipv6-prefix-length | 0 } | any } ] | [ destination-ip
{ destination-ipv6-address { destination-ipv6-prefix-length | 0 } | any } ] ] *
Remarks: -

Protocol Type: BGP, DHCP-C, DHCP-R, FTP, IP, LDP, LSP ping, NTP, OSPF, PIM, RIP,
RSVP, SNMP, SSH, Telnet, or TFTP
Command: rule [ rule-id ] [ name rule-name ] { permit | deny } protocol
{ ip-protocol-number | bgp | dhcp-c | dhcp-r | ftp | ip | ldp | lsp-ping | ntp | ospf |
pim | rip | rsvp | snmp | ssh | telnet | tftp } [ [ source-ip { source-ipv6-address
{ source-ipv6-prefix-length | 0 } | any } ] | [ destination-ip
{ destination-ipv6-address { destination-ipv6-prefix-length | 0 } | any } ] ] *
Remarks: -

Protocol Type: Any protocol
Command: rule [ rule-id ] [ name rule-name ] { deny | permit } protocol any
Remarks: Exercise caution when using the rule [ rule-id ] deny protocol any
command. After this command is applied globally, no protocol packets are sent to
the CPU, causing the device to be out of management.

Protocol Type: SRH
Command: rule [ rule-id ] [ name rule-name ] { permit | deny } ipv6-ext-header
source-routing-typer srh
Remarks: -

Step 4 (Optional) Run step step
The step is configured for rules in the MPAC policy.
Step 5 (Optional) Run description text
The description is configured for the MPAC policy.
Step 6 Run quit
Return to the system view.
Step 7 Apply an IPv6 MPAC policy.
● Apply an IPv6 MPAC policy globally.
Run service-security global-binding ipv6 security-policy-name
An MPAC policy is applied globally.
● Apply an IPv6 MPAC policy to an interface.
a. Run interface interface-type interface-number
The interface view is displayed.
b. Run service-security binding ipv6 security-policy-name
The MPAC policy is applied to the interface.
NOTE
The MPAC policies on a sub-interface, interface, or configured globally are listed in
descending order of priorities. When different MPAC policies are applied globally, to an
interface, and to a sub-interface, the MPAC policy on the sub-interface takes effect
preferentially, and then the MPAC policy on the interface, and then the MPAC policy applied
globally.

Step 8 Run commit
The configuration is committed.

----End


1.1.19.3.3 Verifying the MPAC Configuration


After configuring the Management Plane Access Control (MPAC) policy, check the
configurations.

Prerequisites
An MPAC policy has been configured.

Procedure
● Run the display service-security policy { ipv4 | ipv6 } [ security-policy-name
[ slot slot-id ] ] command to check information about all MPAC policies.
● Run the display service-security binding { ipv4 | ipv6 } [ interface interface-
type interface-number [ slot slot-id ] ] command to check information about
MPAC policies on interfaces.
● Run the display service-security statistics { ipv4 | ipv6 } [ security-policy-
name ] command to check statistics about all matched MPAC rules.
----End

1.1.19.4 Maintaining MPAC


This section describes how to clear MPAC statistics.

1.1.19.4.1 Clearing MPAC Statistics


This section describes how to clear MPAC statistics.

Context

NOTICE

MPAC statistics cannot be restored after being cleared. Exercise caution when
running the reset service-security counters { ipv4 | ipv6 } [ security-policy-
name ] command.

Procedure
● Run the reset service-security counters { ipv4 | ipv6 } [ security-policy-
name ] command to clear MPAC statistics.
----End

1.1.19.5 Configuration Examples for MPAC


This section provides MPAC configuration examples.

1.1.19.5.1 Example for Configuring MPAC


This section provides Management Plane Access Control (MPAC) configuration
examples.


Networking Requirements
To prevent an attacker from sending various types of TCP/IP attack packets to
paralyze Device A, MPAC is deployed on Device A, as shown in Figure 1-57.

Figure 1-57 MPAC networking


NOTE

Interface 1 in this example is GE 1/0/0.

Configuration Notes
None.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure an IP address and routes for each interface to ensure network connectivity.
2. Configure an IPv4 MPAC policy named test on Device A.
3. Apply the IPv4 MPAC policy named test to GE 1/0/0.
4. Apply the IPv4 MPAC policy named test to Device A.

Data Preparation
To complete the configuration, you need the following data:

● IP address and routes on each interface


● Name of the policy with which the rate for sending packets to the CPU is
restricted
● IPv4 MPAC policy applied to Device A
● IPv4 MPAC policy applied to GE 1/0/0

Procedure
Step 1 Configure an IP address and routes for each interface to ensure network
connectivity. For configuration details, see "Configuration Files" in this section.


Step 2 Configure an IPv4 MPAC policy named test on Device A.


<~DeviceA> system-view
[~DeviceA] service-security policy ipv4 test
[*DeviceA-service-sec-test] rule 10 deny protocol ip source-ip 10.10.1.1 0
[*DeviceA-service-sec-test] step 10
[*DeviceA-service-sec-test] description rule 10 is deny ip packet which from 10.10.1.1
[*DeviceA-service-sec-test] commit
[~DeviceA-service-sec-test] quit

Step 3 Apply the IPv4 MPAC policy named test to Device A.


[~DeviceA] service-security global-binding ipv4 test
[*DeviceA] commit

Step 4 Apply the IPv4 MPAC policy named test to GE 1/0/0 on Device A.
[~DeviceA] interface gigabitethernet 1/0/0
[~DeviceA-GigabitEthernet1/0/0] service-security binding ipv4 test
[*DeviceA-GigabitEthernet1/0/0] commit
[~DeviceA-GigabitEthernet1/0/0] quit

Step 5 Verify the configuration.


After completing the configurations, run the display service-security statistics
command to view the statistics about the IPv4 MPAC policy.
[~DeviceA] display service-security statistics ipv4 test
Policy Name : test
Description : rule 10 is deny ip packet which from 10.10.1.1
Step : 10
rule 10 deny protocol ip source-ip 10.10.1.1 0 (10 times matched)

----End

Configuration Files
● Device A configuration file
#
sysname DeviceA
#
service-security global-binding ipv4 test
#
service-security policy ipv4 test
description rule 10 is deny ip packet which from 10.10.1.1
step 10
rule 10 deny protocol ip source-ip 10.10.1.1 0
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.10.1.2 255.255.255.0
service-security binding ipv4 test
#
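The policy above is easier to reason about when the rule matching and the hit counters behind the display service-security statistics output are written out. The following Go program is an added illustration, not code from the NE9000 or from Huawei. It makes several assumptions that the guide does not state: rules are evaluated in ascending rule-ID order and the first match decides; a packet that matches no rule is permitted; protocol ip matches every IPv4 protocol; and a trailing mask length of 0 (as in source-ip 10.10.1.1 0) means an exact host match. The sample packets are constructed.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
)

// Action is the verdict a rule applies to protocol packets bound for the CPU.
type Action int

const (
	Permit Action = iota
	Deny
)

func (a Action) String() string {
	if a == Deny {
		return "deny"
	}
	return "permit"
}

// Rule mirrors one "rule <id> { permit | deny } protocol <proto> [ source-ip ... ]" line.
type Rule struct {
	ID       int
	Action   Action
	Protocol string     // "ip" is treated as matching every IPv4 packet (assumption)
	SrcNet   *net.IPNet // nil means any source address
	SrcText  string     // source-ip text as typed, echoed in the statistics output
	Matched  int        // hit counter, shown as "(N times matched)"
}

// Policy mirrors "service-security policy ipv4 <name>" with its description and step.
type Policy struct {
	Name, Description string
	Step              int
	Rules             []*Rule
}

// AddRule adds a rule and keeps the rule list sorted by ID. A mask length of 0 is taken
// as an exact host match (assumption based on "source-ip 10.10.1.1 0" in the example).
func (p *Policy) AddRule(id int, action Action, proto, srcIP string, maskLen int) error {
	r := &Rule{ID: id, Action: action, Protocol: proto}
	if srcIP != "" && srcIP != "any" {
		ip := net.ParseIP(srcIP).To4()
		if ip == nil {
			return fmt.Errorf("rule %d: bad IPv4 address %q", id, srcIP)
		}
		bits := maskLen
		if bits == 0 {
			bits = 32
		}
		mask := net.CIDRMask(bits, 32)
		r.SrcNet = &net.IPNet{IP: ip.Mask(mask), Mask: mask}
		r.SrcText = fmt.Sprintf(" source-ip %s %d", srcIP, maskLen)
	}
	p.Rules = append(p.Rules, r)
	sort.Slice(p.Rules, func(i, j int) bool { return p.Rules[i].ID < p.Rules[j].ID })
	return nil
}

// Packet is the subset of a CPU-bound packet that the rules inspect.
type Packet struct {
	Protocol string
	Src      net.IP
}

// Evaluate walks the rules in ascending ID order, counts the first match and returns
// its action; with no match the packet is permitted (assumption of this example).
func (p *Policy) Evaluate(pkt Packet) Action {
	for _, r := range p.Rules {
		if r.Protocol != "ip" && r.Protocol != pkt.Protocol {
			continue
		}
		if r.SrcNet != nil && !r.SrcNet.Contains(pkt.Src) {
			continue
		}
		r.Matched++
		return r.Action
	}
	return Permit
}

// Statistics renders the policy in the layout of the display output shown on this page.
func (p *Policy) Statistics() string {
	var b strings.Builder
	fmt.Fprintf(&b, "Policy Name : %s\nDescription : %s\nStep : %d\n", p.Name, p.Description, p.Step)
	for _, r := range p.Rules {
		fmt.Fprintf(&b, "rule %d %s protocol %s%s (%d times matched)\n",
			r.ID, r.Action, r.Protocol, r.SrcText, r.Matched)
	}
	return b.String()
}

func main() {
	pol := &Policy{Name: "test", Description: "rule 10 is deny ip packet which from 10.10.1.1", Step: 10}
	_ = pol.AddRule(10, Deny, "ip", "10.10.1.1", 0)
	_ = pol.AddRule(20, Permit, "ssh", "", 0)
	// Constructed traffic: ten SSH packets from the denied host, then one from another host.
	for i := 0; i < 10; i++ {
		pol.Evaluate(Packet{Protocol: "ssh", Src: net.ParseIP("10.10.1.1")})
	}
	pol.Evaluate(Packet{Protocol: "ssh", Src: net.ParseIP("10.10.1.3")})
	fmt.Print(pol.Statistics())
}
```

Running it prints the same "rule 10 deny protocol ip source-ip 10.10.1.1 0 (10 times matched)" line that the verification step on this page shows, which is the quickest way to confirm a deny rule is actually being hit.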

1.1.20 MACsec Configuration

1.1.20.1 Overview of MACsec

Media Access Control Security (MACsec) is a secure communication method on a local area network (LAN) based on the 802.1AE and 802.1X protocols. Functions such as identity authentication, data encryption, integrity check, and replay protection ensure the security of Ethernet data frames and prevent devices from processing attack packets.


Generally, most data is transmitted in plaintext on LAN links, which brings security
risks. For example, the bank account information may be stolen or tampered with.
After MACsec is deployed on the network, Ethernet data frames can be protected,
reducing information leak and malicious network attack risks.
MACsec uses Layer 2 encryption technology to provide secure data transmission between directly connected (hop-by-hop) devices. It is applicable to scenarios that require high data confidentiality. For example, if optical transmission devices are used between two routers, MACsec encryption can be used to ensure secure data transmission across the intermediate transmission devices.

1.1.20.2 Feature Requirements for MACsec

1.1.20.3 Activating the MACsec License of Interfaces

Pre-configuration Tasks
● The license file has been loaded for MACsec.
● The license file on the main control board has been activated by running the license active file-name command.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run license
The license view is displayed.
Step 3 Run active port-macsec slot slotid card cardid port port-list
The MACsec license of interfaces is activated.
Step 4 Run commit
The configuration is committed.

----End

Checking the Configurations


Run the display license resource usage port-macsec { all | slot slot-id } [ active |
deactive ] command to check the MACsec license status of interfaces on a board.
In VS mode, this command is supported only by the admin VS.

1.1.20.4 Configuring Basic Functions of MACsec


This section describes how to configure basic functions of MACsec.

1.1.20.4.1 Configuring Static CKN and CAK


Context
The key used by MACsec to encrypt and decrypt data packets is generated and
distributed by the key server based on the encryption algorithm in the MKA
protocol and the configured static CAK. Therefore, you need to configure the CKN
and corresponding CAK on the interface.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number [ .subinterface-number ]

The interface view is displayed.

Step 3 Run mka cak-mode static ckn ckn cak { simple cak-simple | cipher cak-cipher }

Static CKN and CAK are configured.

Step 4 Run commit

The configuration is committed.

----End

1.1.20.4.2 Verifying the Basic MACsec Configuration


After configuring MACsec, you can view the MACsec configurations.

Procedure
Step 1 Run the display macsec statistics interface { interface-name | interface-type
interface-number } command to check statistics about data packets protected by
MACsec.

Step 2 Run the display mka interface { interface-name | interface-type interface-number } command to check MKA session information.

----End

1.1.20.5 Configuring Extended Functions of MACsec


This section describes how to configure extended functions of MACsec, including
MACsec encryption mode, encryption algorithm, and encryption offset.

1.1.20.5.1 Configuring the MACsec Encryption Mode

Context
When data packets sent by an interface are encrypted using MACsec, you can
configure an encryption mode for the interface.
● normal: implements both integrity check and data encryption.


● integrity-only: implements only integrity check but not data encryption.


Data encryption and integrity check are as follows:
● Data encryption: The sender encrypts the data and transmits the data in
ciphertext on the LAN link. The receiver decrypts the received encrypted data
and then performs other processing.
● Integrity check: The receiver checks the integrity of received data to determine
whether the data is tampered with. The sender calculates the Integrity Check
Value (ICV) based on the data packet and encryption algorithm and adds it to
the tail of the packet. After receiving the packet, the receiver calculates the
ICV based on the data packet excluding the ICV field and the same encryption
algorithm, and compares the obtained ICV with the ICV in the packet. If they
are the same, the packet is considered complete and passes the check.
Otherwise, the packet is discarded.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number [ .subinterface-number ]
The interface view is displayed.
Step 3 Run macsec mode { normal | integrity-only }
The MACsec encryption mode is configured.
Step 4 Run commit
The configuration is committed.

----End

1.1.20.5.2 Configuring the MACsec Encryption Algorithm

Context
When data packets sent by an interface are encrypted using MACsec, you can
configure an encryption algorithm for the interface. When the interface rate
reaches 100 Gbit/s or higher, using the gcm-aes-xpn-128 algorithm is
recommended.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number [ .subinterface-number ]
The interface view is displayed.
Step 3 Run macsec cipher-suite { gcm-aes-128 | gcm-aes-xpn-128 | gcm-aes-256 |
gcm-aes-xpn-256 | gcm-aes-xpn-128-compatible }
The MACsec encryption algorithm is configured.


Step 4 Run commit
The configuration is committed.

----End

1.1.20.5.3 Configuring the MACsec Encryption Offset

Context
The MACsec encryption offset indicates that encryption starts after the specified
offset bytes from the MACsec TAG field. Some applications (such as load
balancing) that need to identify the IPv4/IPv6 header require that the packet
header not be encrypted. In this case, the encryption offset must be configured.
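The three settings above (encryption mode in 1.1.20.5.1, cipher suite in 1.1.20.5.2, and confidentiality offset in this section) all come down to which bytes of a frame AES-GCM encrypts and which it only authenticates. The Go program below is an added illustration of that split and is not NE9000 code; it uses the standard library's AES-GCM with a constructed key, SCI, header and payload, and a simplified frame layout rather than the exact 802.1AE SecTAG encoding. It shows that in normal mode only the bytes after the offset are encrypted while everything is covered by the ICV, that integrity-only mode leaves the payload readable, that a 16-byte key selects gcm-aes-128 and a 32-byte key gcm-aes-256, and that any modified byte makes the receiver discard the frame.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Mode is the interface setting from "macsec mode { normal | integrity-only }".
type Mode int

const (
	ModeNormal        Mode = iota // integrity check plus data encryption
	ModeIntegrityOnly             // integrity check only; payload stays in clear text
)

// Frame is a simplified protected frame (constructed layout, not the exact 802.1AE encoding):
// Header is authenticated but never encrypted, Payload is partly or fully encrypted, ICV is the tag.
type Frame struct {
	Header, Payload, ICV []byte
}

// setup validates the key (16 bytes for gcm-aes-128, 32 bytes for gcm-aes-256), builds
// AES-GCM and returns how many leading payload bytes stay unencrypted: the whole payload
// in integrity-only mode, otherwise the configured confidentiality offset.
func setup(key []byte, mode Mode, offset, payloadLen int) (cipher.AEAD, int, error) {
	if len(key) != 16 && len(key) != 32 {
		return nil, 0, errors.New("key must be 16 bytes (gcm-aes-128) or 32 bytes (gcm-aes-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, 0, err
	}
	aead, err := cipher.NewGCM(block) // 12-byte nonce, 16-byte ICV
	if err != nil {
		return nil, 0, err
	}
	if mode == ModeIntegrityOnly {
		offset = payloadLen
	}
	if offset < 0 || offset > payloadLen {
		return nil, 0, errors.New("confidentiality offset out of range for this payload")
	}
	return aead, offset, nil
}

// nonce derives the GCM nonce from the 8-byte SCI and the 32-bit packet number (PN).
// A PN must never repeat under one SAK, which is why the SAK has to be replaced in time.
func nonce(sci [8]byte, pn uint32) []byte {
	n := make([]byte, 12)
	copy(n, sci[:])
	binary.BigEndian.PutUint32(n[8:], pn)
	return n
}

// Protect is the sender: the ICV covers the header, the clear-text part and the
// ciphertext, while only the payload bytes after the offset are encrypted.
func Protect(key []byte, sci [8]byte, pn uint32, header, payload []byte, mode Mode, offset int) (*Frame, error) {
	aead, n, err := setup(key, mode, offset, len(payload))
	if err != nil {
		return nil, err
	}
	aad := append(append([]byte{}, header...), payload[:n]...)
	sealed := aead.Seal(nil, nonce(sci, pn), payload[n:], aad) // ciphertext || ICV
	tag := len(sealed) - aead.Overhead()
	return &Frame{
		Header:  append([]byte{}, header...),
		Payload: append(append([]byte{}, payload[:n]...), sealed[:tag]...),
		ICV:     append([]byte{}, sealed[tag:]...),
	}, nil
}

// Verify is the receiver: recompute the ICV over everything except the ICV field and compare.
// Any changed byte in the header, clear part or ciphertext fails the check and the frame is dropped.
func Verify(key []byte, sci [8]byte, pn uint32, f *Frame, mode Mode, offset int) ([]byte, error) {
	aead, n, err := setup(key, mode, offset, len(f.Payload))
	if err != nil {
		return nil, err
	}
	aad := append(append([]byte{}, f.Header...), f.Payload[:n]...)
	sealed := append(append([]byte{}, f.Payload[n:]...), f.ICV...)
	pt, err := aead.Open(nil, nonce(sci, pn), sealed, aad)
	if err != nil {
		return nil, errors.New("ICV mismatch: frame discarded")
	}
	return append(append([]byte{}, f.Payload[:n]...), pt...), nil
}

func main() {
	key := bytes.Repeat([]byte{0xb1}, 16)                          // constructed 128-bit SAK
	sci := [8]byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x00, 0x01} // MAC address || port ID
	payload := []byte("IPv4-header-bytes-xx|application data")    // first 20 bytes stand in for an IP header
	f, _ := Protect(key, sci, 1, []byte("DA+SA+SecTAG"), payload, ModeNormal, 20)
	fmt.Printf("clear part: %q\nencrypted part: %x\n", f.Payload[:20], f.Payload[20:])
	f.Payload[2] ^= 0x01 // simulate modification in transit
	_, err := Verify(key, sci, 1, f, ModeNormal, 20)
	fmt.Println("after tampering:", err)
}
```

With offset 20 the first 20 payload bytes print as readable text, which is exactly what a load-balancing function that hashes on the IP header needs, while everything after them is ciphertext; flipping one bit in the clear part still fails verification because the offset changes only what is encrypted, not what is authenticated.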

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number [ .subinterface-number ]
The interface view is displayed.
Step 3 Run macsec confidentiality-offset offset-value
The MACsec encryption offset is configured.
Step 4 Run commit
The configuration is committed.

----End

1.1.20.5.4 Configuring the MKA Key Server Priority

Context
When MACsec is used to encrypt and decrypt data packets, the local device
interface and the peer device interface must use the same security key to establish
MKA sessions. The key server is responsible for generating and distributing the key.
Therefore, you need to configure the priority of the key server on the interfaces of
both ends. A smaller value indicates a higher priority. The interface with a higher
priority is elected as the key server. If the key servers of the two interfaces have
the same priority, the interface with a smaller Secure Channel Identifier (SCI)
value is elected as the key server. The SCI is formed based on the MAC address
and Port ID.
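The election rule is short but easy to get backwards in practice (a smaller priority value wins, and the tie-break is on the SCI built from MAC address and port ID). The Go program below is an added illustration, not NE9000 code, that composes the SCI and runs the election; it generalises the two-interface rule in the text to any number of peers, which is an extension of this example. MAC addresses, port IDs and priorities are constructed.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Peer is one end of the MKA session together with the values that decide the election.
type Peer struct {
	Name     string
	Priority uint8            // mka keyserver priority: a smaller value means a higher priority
	MAC      net.HardwareAddr // 6-byte MAC address of the interface
	PortID   uint16           // 16-bit port identifier
}

// SCI composes the 8-byte Secure Channel Identifier: MAC address followed by the port ID.
func (p Peer) SCI() [8]byte {
	var sci [8]byte
	copy(sci[:6], p.MAC)
	binary.BigEndian.PutUint16(sci[6:], p.PortID)
	return sci
}

// ElectKeyServer applies the rule from the text, generalised to any number of peers:
// the lowest priority value wins, and a tie goes to the numerically smallest SCI.
func ElectKeyServer(peers []Peer) (Peer, error) {
	if len(peers) == 0 {
		return Peer{}, errors.New("no MKA peers to elect from")
	}
	best := peers[0]
	for _, p := range peers[1:] {
		switch {
		case p.Priority < best.Priority:
			best = p
		case p.Priority == best.Priority:
			ps, bs := p.SCI(), best.SCI()
			if bytes.Compare(ps[:], bs[:]) < 0 {
				best = p
			}
		}
	}
	return best, nil
}

func main() {
	// Constructed peers: both sides carry the same priority, so the SCI decides.
	macA, _ := net.ParseMAC("00:11:22:33:44:55")
	macB, _ := net.ParseMAC("00:11:22:33:44:01")
	peers := []Peer{
		{Name: "DeviceA", Priority: 16, MAC: macA, PortID: 1},
		{Name: "DeviceB", Priority: 16, MAC: macB, PortID: 1},
	}
	ks, _ := ElectKeyServer(peers)
	fmt.Printf("key server: %s (SCI %x)\n", ks.Name, ks.SCI())
	peers[0].Priority = 10 // the same value as "mka keyserver priority 10" in the example
	ks, _ = ElectKeyServer(peers)
	fmt.Printf("key server after the priority change: %s\n", ks.Name)
}
```

When both ends are left at the same priority, the outcome depends on which interface happens to have the lower MAC address, so a deployment that wants a particular device to generate the SAK should set the priority explicitly on both ends rather than rely on the tie-break.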

Procedure
Step 1 Run system-view
The system view is displayed.


Step 2 Run interface interface-type interface-number [ .subinterface-number ]

The interface view is displayed.

Step 3 Run mka keyserver priority priority

The MKA key server priority is configured.

Step 4 Run commit

The configuration is committed.

----End

1.1.20.5.5 Configuring the SAK Lifetime

Context
When MACsec is used for secure communication, the SAK is used to encrypt and
decrypt data packets. To ensure the security of data packets, if the number of
packets encrypted using one SAK exceeds a certain value or one SAK is used for a
certain period of time, replace the SAK.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number [ .subinterface-number ]

The interface view is displayed.

Step 3 Run mka timer sak-life life-time

The SAK lifetime is configured.

Step 4 Run commit

The configuration is committed.

----End

1.1.20.5.6 Configuring the MACsec Replay Window Size

Context
To prevent attacks based on repeatedly sent data packets, the receiver discards duplicate or out-of-order data packets. In some cases, however, because the priorities of data packets are different, the packets are reordered in the forwarding process and arrive at the receive end out of order. To ensure that these out-of-order data packets can be received normally, configure the replay protection window.
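The window decides, per received packet number (PN), whether a late frame is still delivered or treated as a replay. The Go program below is an added illustration of that receiver-side check, not NE9000 code. Its window rule follows the text: with size 0 every frame must carry a higher PN than all frames before it; with size W a frame may lag up to W behind the highest accepted PN. The per-PN duplicate check inside the window and the rejection of an exhausted PN space are safeguards added in this example that the page does not describe. The arrival sequence is constructed.

```go
package main

import (
	"fmt"
	"math"
)

// ReplayWindow is the receiver-side check described above. With a window size of 0
// every frame must carry a packet number (PN) higher than all PNs accepted before;
// with size W a frame whose PN is at most W behind the highest accepted PN is still
// delivered, so frames reordered by differing priorities are not dropped.
type ReplayWindow struct {
	Size   uint32          // macsec replay-window window-size
	nextPN uint32          // one more than the highest PN accepted so far
	seen   map[uint32]bool // PNs already accepted inside the window (duplicate check added here)
}

func NewReplayWindow(size uint32) *ReplayWindow {
	return &ReplayWindow{Size: size, seen: make(map[uint32]bool)}
}

// lowestAcceptablePN is nextPN minus the window size, never below zero.
func (w *ReplayWindow) lowestAcceptablePN() uint32 {
	if w.nextPN > w.Size {
		return w.nextPN - w.Size
	}
	return 0
}

// Accept reports whether a frame carrying pn is delivered and, if not, why it is discarded.
func (w *ReplayWindow) Accept(pn uint32) (bool, string) {
	switch {
	case pn == 0:
		return false, "PN 0 is never valid"
	case pn == math.MaxUint32: // design choice of this example: stop before the PN wraps
		return false, "PN space exhausted: a new SAK is required"
	case pn < w.lowestAcceptablePN():
		return false, "too old: below the lowest acceptable PN"
	case w.seen[pn]:
		return false, "replayed: this PN was already accepted inside the window"
	}
	w.seen[pn] = true
	if pn >= w.nextPN {
		w.nextPN = pn + 1
	}
	for k := range w.seen { // forget PNs that have fallen below the window anyway
		if k < w.lowestAcceptablePN() {
			delete(w.seen, k)
		}
	}
	return true, "accepted"
}

func main() {
	// Constructed arrival order: frame 4 arrives late, 4 and 5 are replayed, 2 is stale.
	arrivals := []uint32{1, 2, 3, 5, 4, 4, 2, 5}
	for _, size := range []uint32{0, 3} {
		w := NewReplayWindow(size)
		fmt.Printf("replay-window %d:\n", size)
		for _, pn := range arrivals {
			ok, why := w.Accept(pn)
			fmt.Printf("  PN %d -> %v (%s)\n", pn, ok, why)
		}
	}
}
```

Running the two configurations side by side shows the trade-off the text describes: with window 0 the late frame 4 is dropped as out of order, with window 3 it is delivered, and in both cases the genuinely replayed frames are still discarded.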


Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number [ .subinterface-number ]
The interface view is displayed.
Step 3 Run macsec replay-window window-size
The MACsec replay window size is configured.
Step 4 Run commit
The configuration is committed.

----End

1.1.20.5.7 Configuring the MACsec VLAN Tag in the Clear Function

Context
The MACsec VLAN tag in the clear function allows MACsec not to encrypt VLAN
tags. The hub site router uses a Layer 3 (IP) sub-interface of each VLAN that is
associated with each remote site branch. The result is a highly flexible MACsec
hub/spoke design that eliminates the older solutions that require a physical
interface "per remote site" on the hub router.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number.subinterface-number
The sub-interface view is displayed.
Step 3 Run macsec { dot1q-in-clear | qinq-in-clear }
The MACsec VLAN tag in the clear function is configured.
Step 4 Run commit
The configuration is committed.

----End

1.1.20.5.8 Configuring the Strict MACsec Mode

Context
By default, if MACsec negotiation fails, traffic is still forwarded, and data packets
are not encrypted. This poses security risks in scenarios that require high data
confidentiality. To address this issue, configure the strict MACsec mode on a
device, allowing it to discard all packets except MKA, LLDP, and Pause packets if
MACsec negotiation fails.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run macsec strict-mode
The strict MACsec mode is configured.
Step 3 Run commit
The configuration is committed.

----End

1.1.20.5.9 Checking the Configuration


After configuring MACsec, you can view the MACsec configurations.

Procedure
Step 1 Run the display macsec statistics interface { interface-name | interface-type
interface-number } command to check statistics about data packets protected by
MACsec.
Step 2 Run the display mka interface { interface-name | interface-type interface-
number } command to check MKA session information.
----End

1.1.20.6 Maintaining MACsec


Before you start collecting MACsec statistics, clear the existing statistics.

Context

NOTICE
Statistics cannot be restored after being cleared. Therefore, you must use the
following command with caution.

Procedure
Step 1 Run the reset macsec statistics interface { interface-name | interface-type
interface-number } command to clear statistics about data packets protected by
MACsec.
Step 2 Run the reset mka statistics interface { interface-name | interface-type interface-
number } command to clear MKA session information.
----End


1.1.20.7 Configuration Examples for MACsec


This section provides MACsec configuration examples.

1.1.20.7.1 Configuring Point-to-Point MACsec


MACsec defines IEEE 802-based data security communication methods. MACsec
provides users with secure data sending and receiving services at the MAC layer,
including data encryption, data frame integrity check, data source validity check
and anti-replay functions. MACsec uses Layer 2 encryption technology to provide
secure hop-by-hop transmission of data. It applies to scenarios that require high
data confidentiality.

Networking Requirements
As shown in Figure 1-58, DeviceA and DeviceB are directly connected, and MACsec data packets are encrypted and decrypted on GE 1/0/0 of DeviceA and DeviceB.

Figure 1-58 Configuring point-to-point MACsec


NOTE

● The configurations in this example are performed on DeviceA and DeviceB. The HUAWEI
NetEngine9000 can function as DeviceA and DeviceB.
● Interface1 in this example represents GE 1/0/0.

Configuration Roadmap
The configuration roadmap is as follows:
Configure the same static CKN and CAK on GE 1/0/0 of DeviceA and DeviceB.

Data Preparation
To complete the configuration, you need the following data:
● CKN and CAK values of the interface
● The MACsec encryption algorithm gcm-aes-xpn-128, which is to be
configured on the interface of DeviceA

Procedure
Step 1 Configure DeviceA.
# Configure CKN and CAK in ciphertext on GE 1/0/0.
<DeviceA> system-view
[~DeviceA] interface gigabitethernet1/0/0


[~DeviceA-GigabitEthernet1/0/0] mka cak-mode static ckn a1 cak cipher b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1
[*DeviceA-GigabitEthernet1/0/0] commit

NOTE

The following are optional MACsec extended configurations.

# Set the MKA key server priority on GE 1/0/0.


<DeviceA> system-view
[~DeviceA] interface gigabitethernet1/0/0
[~DeviceA-GigabitEthernet1/0/0] mka keyserver priority 10
[*DeviceA-GigabitEthernet1/0/0] commit

# Set the SAK lifetime on GE 1/0/0.


<DeviceA> system-view
[~DeviceA] interface gigabitethernet1/0/0
[~DeviceA-GigabitEthernet1/0/0] mka timer sak-life 500
[*DeviceA-GigabitEthernet1/0/0] commit

# Configure the MACsec encryption algorithm on GE 1/0/0.


<DeviceA> system-view
[~DeviceA] interface gigabitethernet1/0/0
[~DeviceA-GigabitEthernet1/0/0] macsec cipher-suite gcm-aes-xpn-128
[*DeviceA-GigabitEthernet1/0/0] commit

# Set the MACsec encryption offset on GE 1/0/0.


<DeviceA> system-view
[~DeviceA] interface gigabitethernet1/0/0
[~DeviceA-GigabitEthernet1/0/0] macsec confidentiality-offset 50
[*DeviceA-GigabitEthernet1/0/0] commit

# Set the MACsec encryption mode on GE 1/0/0.


<DeviceA> system-view
[~DeviceA] interface gigabitethernet1/0/0
[~DeviceA-GigabitEthernet1/0/0] macsec mode integrity-only
[*DeviceA-GigabitEthernet1/0/0] commit

# Set the MACsec replay window size on GE 1/0/0.


<DeviceA> system-view
[~DeviceA] interface gigabitethernet1/0/0
[~DeviceA-GigabitEthernet1/0/0] macsec replay-window 512
[*DeviceA-GigabitEthernet1/0/0] commit

Step 2 Configure DeviceB.


# Configure CKN and CAK in ciphertext on GE 1/0/0.
<DeviceB> system-view
[~DeviceB] interface gigabitethernet1/0/0
[~DeviceB-GigabitEthernet1/0/0] mka cak-mode static ckn a1 cak cipher
b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1
[*DeviceB-GigabitEthernet1/0/0] commit

----End

Configuration Files
● DeviceA configuration file
sysname DeviceA
#
interface GigabitEthernet1/0/0
undo shutdown
mka cak-mode static ckn a1 cak cipher %^%#C1ad()KRM~r1ZmJ:K09&H]R=<*0^A,H.fZE"<WxS%^%#
macsec replay-window 512
macsec mode integrity-only
macsec confidentiality-offset 50
macsec cipher-suite gcm-aes-xpn-128
mka keyserver priority 10
mka timer sak-life 500
● DeviceB configuration file
sysname DeviceB
#
interface GigabitEthernet1/0/0
undo shutdown
mka cak-mode static ckn a1 cak cipher %^%#C1ad()KRM~r1ZmJ:K09&H]R=<*0^A,H.fZE"<WxS%^%#
#

1.1.20.7.2 Configuring the MACsec VLAN Tag in the Clear Function


This section describes how to configure MACsec VLAN tag in the clear on the
HUAWEI NetEngine9000s.

Networking Requirements
As shown in Figure 1-59, Device A and Device B are directly connected, and MACsec data packets are encrypted and decrypted on GE 1/0/0.1 of Device A and Device B.

Figure 1-59 Configuring MACsec VLAN tag in the clear


NOTE

● The operations in this example are performed on Device A and Device B, which can be HUAWEI NetEngine9000s.
● Interface 1 in this example represents GE 1/0/0.1.

Configuration Roadmap
The configuration roadmap is as follows:
Configure the same VLAN ID on GE 1/0/0.1 of Device A and Device B.
Configure the same static CKN and CAK on GE 1/0/0.1 of Device A and Device B.
Configure MACsec VLAN tag in the clear on GE 1/0/0.1 of Device A and Device B.

Data Preparation
To complete the configuration, you need the following data:
● CKN and CAK values of the interface

Procedure
Step 1 Configure Device A.
# Configure the dot1q encapsulation type on GE 1/0/0.1 and associate GE 1/0/0.1
with VLAN 10.


<DeviceA> system-view
[~DeviceA] interface gigabitethernet1/0/0.1
[~DeviceA-GigabitEthernet1/0/0.1] vlan-type dot1q 10
[*DeviceA-GigabitEthernet1/0/0.1] commit

# Configure CKN and CAK in ciphertext on GE 1/0/0.1.


[~DeviceA-GigabitEthernet1/0/0.1] mka cak-mode static ckn a1 cak cipher
b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1
[*DeviceA-GigabitEthernet1/0/0.1] commit

# Configure MACsec VLAN tag in the clear on GE 1/0/0.1.


[~DeviceA-GigabitEthernet1/0/0.1] macsec dot1q-in-clear
[*DeviceA-GigabitEthernet1/0/0.1] commit

Step 2 Configure Device B.


# Configure the dot1q encapsulation type on GE 1/0/0.1 and associate GE 1/0/0.1
with VLAN 10.
<DeviceB> system-view
[~DeviceB] interface gigabitethernet1/0/0.1
[~DeviceB-GigabitEthernet1/0/0.1] vlan-type dot1q 10
[*DeviceB-GigabitEthernet1/0/0.1] commit

# Configure CKN and CAK in ciphertext on GE 1/0/0.1.


[~DeviceB-GigabitEthernet1/0/0.1] mka cak-mode static ckn a1 cak cipher
b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1
[*DeviceB-GigabitEthernet1/0/0.1] commit

# Configure MACsec VLAN tag in the clear on GE 1/0/0.1.


[~DeviceB-GigabitEthernet1/0/0.1] macsec dot1q-in-clear
[*DeviceB-GigabitEthernet1/0/0.1] commit

----End

Configuration Files
● Device A configuration file
#
sysname DeviceA
#
interface GigabitEthernet1/0/0.1
undo shutdown
vlan-type dot1q 10
mka cak-mode static ckn a1 cak cipher %^%#C1ad()KRM~r1ZmJ:K09&H]R=<*0^A,H.fZE"<WxS%^%#
macsec dot1q-in-clear
● Device B configuration file
#
sysname DeviceB
#
interface GigabitEthernet1/0/0.1
undo shutdown
vlan-type dot1q 10
mka cak-mode static ckn a1 cak cipher %^%#C1ad()KRM~r1ZmJ:K09&H]R=<*0^A,H.fZE"<WxS%^%#
macsec dot1q-in-clear

1.1.21 Security Risk Query Configuration


Run the display security risk command to check security risks in the system. Then
clear the security risks as prompted.


1.1.21.1 Checking Security Risks


Run the display security risk command to check security risks in the system. Then
clear the security risks as prompted.

Context
Protocols have different security performances, and some protocols may have
security risks. Run the display security risk command to identify security risks in
the system. Then clear the security risks according to the repair action in the
command output. For example, if SNMPv1 is configured, the display security risk
command output will prompt for the use of SNMPv3.

Procedure
Step 1 Run display security risk [ [ feature feature-name ] | [ level level-para ] | [ type
type-para ] ]*

Security risks in the system and suggested solutions are displayed.


NOTE

The security risks that are displayed vary with user levels. The system administrators can view all
security risks in the system. Other users can only view the security risks whose level is lower
than or equal to their levels.

----End

Example
Run the display security risk command to view security risks in the system.
<HUAWEI> display security risk
Risk level : high
Feature name : SNMP
Risk Type : insecure-protocol
Risk information : SNMP V1/V2c is enabled.
Repair action : Disable SNMP V1/V2c and enable SNMP V3 only.

Risk Level : medium


Feature Name : FTPS
Risk Type : insecure-protocol
Risk Information : FTP is not a secure protocol.
Repair Action : It is recommended to use SFTP.

1.1.21.2 Querying Security Configurations


You can run commands to query security configurations in the system.

Context
Security performance of different protocols differs, and using some protocols may
pose security risks. You can run the display security configuration command to
check security configurations in the system.


Procedure
Step 1 Run the display security configuration [ feature feature-name ] command in the
user view to check security configurations.

----End

Example
Run the display security configuration command to view security configurations.
<HUAWEI> display security configuration
Feature Name : FTPS
Security Item : ftp security configuration
Item content : Ftp server is disabled.Ftp Ipv6 server is disabled.IP block feature is disabled.The FTP server
does not bind all interface.

Feature Name : TELNET


Security Item : telnet security configuration
Item content : The Telnet server function is used.The TELNET server bind all interface.

1.1.22 System Master Key Configuration


You can configure the system master key to enhance data security and reliability.

1.1.22.1 Feature Requirements for System Master Key

1.1.22.2 Configuring the System Master Key


You can configure the system master key to enhance data security and reliability.

Background Information
In an actual network environment, the network and devices are provided and
maintained by network providers, and the data belongs to tenants. To provide
secure data transmission and storage on the network, ensure that keys are under
complete control of the specific user and cannot be obtained by network providers
or other tenants. To be specific, users need to have their own key management
schemes.
Users can manually modify the system master key based on actual requirements
to enhance data security and reliability.

Procedure
Step 1 Run the set master-key command in the user view to set the system master key.
NOTE

To delete the historical system master key, run the clear master-key command.

Note the following during the interactive process:


● After the system master key is input, users need to input Y on the terminal
interface to proceed to the next step. If a user inputs N, the system stops the
current operation and exits.


● A user needs to input the new master key twice. The system proceeds to the
next operation only when the two input master keys are identical.
If an error occurs during master key modification, the system prompts a message
indicating a master key modification failure and instructs the user to retry it. If the
failure persists, contact Huawei technical support personnel.
After the master key is modified, devices cannot share the configuration files.
After a configuration file is copied from another device to the local device for next
startup, if the master key on the source device is not the default master key and
does not exist on the local device, the configuration fails. To resolve this problem,
perform one of the following operations:
● Change the master key on the device to be configured to be the same as that
on the device that provides the configuration file.
● Change the master key on the device that provides the configuration file to be
the same as that on the device to be configured. After that, save and export
the configuration file, upload it to the device to be configured, and specify the
configuration file for next startup.
● Specify the default master key as the master key on the device that provides
the configuration file. After that, save and export the configuration file,
upload it to the device to be configured, and specify the configuration file for
next startup.
After the master key is changed and a configuration file is copied from another
device to the local device for next startup, if the master key on the source device is
not the default master key and does not exist on the local device, the local device
cannot decrypt the copied file due to master key mismatch. To resolve this
problem, perform one of the following operations:
● Change the master key on the local device to be the same as that on the
device that provides the encrypted file.
● Change the master key on the device that provides the encrypted file to be
the same as that on the local device. After that, export the encrypted file and
upload it to the local device.
● Specify the default master key as the master key on the device that provides
the encrypted file. After that, export the encrypted file and upload it to the
local device for decryption.
Step 2 (Optional) Run the set master-key auto-update interval interval-time command in the system view to enable the automatic update function of the system master key and set the interval for automatic update.
The system master key can be the default master key or a manually configured
master key.
If the default master key is used for a long time, it may be stolen or cracked. The
master key that is manually configured needs to be periodically changed and
maintained.
To reduce manual maintenance workload, run the set master-key auto-update
interval interval-time command to enable automatic update of the master key.
The system then periodically generates a new master key that is a string of 32
characters.
To disable the automatic update function, run the undo set master-key auto-
update [ interval interval-time ] command. After the automatic update function


is disabled, the latest master key of the system is maintained and will not be
automatically updated.

----End

Checking the Configurations


When the preceding configuration is complete, you can run the following
commands to check the configuration.
● Run the display master-key configuration command to check the
configuration of the system master key.
In VS mode, this command is supported only by the admin VS.
● Run the display master-key version command to display the KMC versions of
all boards on a device.
In VS mode, this command is supported only by the admin VS.

1.1.23 Trusted System Configuration

1.1.23.1 Overview of Trusted System

Definition
You can use the trusted system to view and manage the digital signature, trusted
boot, secure boot, and remote attestation functions on a device to implement
system trustworthiness.

A trusted system is one whose hardware and software are running as designed.
The prerequisite for a trusted system is that the system software has high
integrity and is free of intrusion or unauthorized modification.

Purpose
Global communications service providers, enterprises, and government networks
depend on the operation of communications networks. The integrity of data and IT
infrastructure is the basis for maintaining these networks and users' trust. In
addition, the threat environment is changing, so protecting networks from
intrusion, forgery, and tampering has become critical.

A communication device is composed of multiple embedded computer systems.


The software of a device may be attacked by viruses, or may be tampered with or
compromised by Trojan horses that exploit vulnerabilities. Once untrusted devices
access the network, the security of the entire network may be compromised. A
network can be trustworthy only when it can be accessed solely by trusted devices.
With digital signature, trusted boot, secure boot, and remote attestation, users can
ensure that all devices accessing the network are trusted.

Benefits
A trusted system consists of digital signature, trusted boot, secure boot, and
remote attestation and offers the following benefits:


● Use the device hardware capability and initial boot code to establish
trustworthiness on the trusted boot platform.
● Trusted boot provides software integrity measurement, trusted status query,
and trusted status warning.
● Secure boot allows only trusted devices to start.
● Remote attestation (RA) allows users to remotely check device trustworthiness.

1.1.23.2 Configuring Secure Boot


The secure boot function establishes a trust root for the secure boot platform
based on device hardware capabilities and initial boot code.

Context
A communication device is composed of multiple embedded computer systems.
The software of a device may be attacked by viruses, or may be tampered with or
compromised by Trojan horses that exploit vulnerabilities.
After the system is upgraded from a version that does not support secure boot to
a version that supports secure boot, if secure boot is not enabled on the device,
the system prompts users to enable secure boot when they log in through Telnet.

NOTE

For details about the boards that support secure boot, contact Huawei engineers for
product specifications.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run display boot status
The status of the secure boot function is displayed.
If RoT is displayed as -, the device hardware does not support secure boot. If RoT
is displayed as Flash/Locked or CPU, the device is in secure boot mode. If RoT is
displayed as Flash/Unlocked, the device is not in secure boot mode. In this case,
go to the next step.
Step 3 Run set flash-lock { immediately | delay day days }
Secure boot is enabled.
Step 4 Run commit
The configuration is committed.

----End

Verifying the Configuration


● Run the display boot status command to check the status of the secure boot
function.


● Run the check system-software running command to check whether the
basic input/output system (BIOS) of the device is normal.
To check whether the BIOS SHA256 value in the system software package is
the same as that in the flash memory of a board, run the check system-
software running command. If the values are the same, the value of result in
the command output is PASS. If the values are different, the value of result is
FAIL, indicating that the BIOS SHA256 value in the flash memory of the board
has been tampered with. In this case, you need to further locate the cause,
because this problem prevents the device from restarting properly.
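The two verification commands above lend themselves to an automated compliance sweep across many boards. The following is an added example written for this guide, not Huawei code: it applies the decision rules stated in this section (an RoT value of - means the hardware cannot do secure boot, Flash/Locked or CPU means secure boot mode, Flash/Unlocked means secure boot is not enabled and set flash-lock is needed; a result of FAIL from check system-software running means the BIOS SHA256 in flash differs from the package) to captured command output. The column layout of the sample outputs is constructed for the example; only the RoT and result values come from the guide.

```python
from __future__ import annotations

# Constructed sample outputs (assumed layout; not real device output).
BOOT_STATUS_SAMPLE = """\
Slot  RoT             Secure-boot
1     Flash/Locked    Enabled
2     Flash/Unlocked  Disabled
3     -               -
4     CPU             Enabled
"""

SYSTEM_SOFTWARE_SAMPLE = """\
Slot  Item    Result
1     BIOS    PASS
2     BIOS    PASS
4     BIOS    FAIL
"""

ROT_SECURE = {"Flash/Locked", "CPU"}   # device is in secure boot mode
ROT_UNSUPPORTED = "-"                  # hardware does not support secure boot
ROT_UNLOCKED = "Flash/Unlocked"        # secure boot not enabled: run set flash-lock


def classify_rot(rot: str) -> str:
    """Map the RoT field of 'display boot status' to the state the guide describes."""
    if rot == ROT_UNSUPPORTED:
        return "unsupported"
    if rot in ROT_SECURE:
        return "secure"
    if rot == ROT_UNLOCKED:
        return "unlocked"
    return "unknown"


def parse_table(text: str) -> list[dict[str, str]]:
    """Parse a whitespace-aligned table whose first non-empty line is the header."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    rows: list[dict[str, str]] = []
    for line in lines[1:]:
        cols = line.split()
        if len(cols) != len(header):
            raise ValueError(f"malformed row: {line!r}")
        rows.append(dict(zip(header, cols)))
    return rows


def audit(boot_status: str, system_software: str) -> dict[str, list[str]]:
    """Return findings per slot; an empty list means the slot needs no action."""
    findings: dict[str, list[str]] = {}
    for row in parse_table(boot_status):
        slot = row["Slot"]
        findings.setdefault(slot, [])
        state = classify_rot(row["RoT"])
        if state == "unlocked":
            findings[slot].append("secure boot disabled: run set flash-lock")
        elif state == "unknown":
            findings[slot].append(f"unrecognised RoT value {row['RoT']!r}")
    for row in parse_table(system_software):
        if row["Result"] == "FAIL":
            findings.setdefault(row["Slot"], []).append(
                "BIOS SHA256 in flash differs from package: locate the cause before restarting"
            )
    return findings


if __name__ == "__main__":
    for slot, notes in sorted(audit(BOOT_STATUS_SAMPLE, SYSTEM_SOFTWARE_SAMPLE).items()):
        print(slot, "OK" if not notes else "; ".join(notes))
```

Boards whose RoT is - are reported as compliant because there is nothing to enable; a BIOS FAIL is reported separately from the RoT state because a board can be in secure boot mode and still carry a mismatched BIOS image.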

1.1.23.3 Configuring Remote Attestation


This section describes how to configure the remote attestation (RA) function to
allow an RA server to authenticate a device and determine whether the device is
trustworthy.

Pre-configuration Tasks
In a trusted environment, after the RA function is enabled on a device that
supports trusted boot, the device sends information to a remote RA server. The
remote RA server then compares the information it receives with locally stored
information to determine whether the device is trustworthy. Therefore, RA
provides users with a method of remotely checking device trustworthiness.
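To make the comparison the RA server performs concrete, here is an added example written for this guide; it is not Huawei's RA implementation and does not model the NE9000's message format. The device measures each boot component into a TPM-style register (new value = SHA256(old value || measurement)) and returns the register value, the event log, and a signature over the register and a server-chosen nonce; the server checks the signature, replays the log, and compares every measurement against its locally stored reference. The component images, the shared key, and the use of an HMAC in place of the PKI certificate-based signature the guide describes are all assumptions made for the example.

```python
import hashlib
import hmac

PCR_INITIAL = b"\x00" * 32
# Assumption: a shared key stands in for the device's PKI-backed signing key.
ATTESTATION_KEY = b"constructed-example-key-not-a-real-secret"

# Constructed boot components in boot order (name, image bytes).
GOOD_BOOT = [("bios", b"bios-image-v1"), ("bootloader", b"loader-v1"), ("kernel", b"kernel-v1")]


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: the register only ever moves forward."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot(components):
    """Measure each component; returns (final PCR, event log of (name, hex digest))."""
    pcr, log = PCR_INITIAL, []
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        log.append((name, digest.hex()))
        pcr = extend(pcr, digest)
    return pcr, log


def device_quote(pcr: bytes, nonce: bytes, key: bytes = ATTESTATION_KEY) -> bytes:
    """Bind the reported PCR to this challenge (HMAC stands in for a signature)."""
    return hmac.new(key, pcr + nonce, hashlib.sha256).digest()


def server_verify(pcr, log, nonce, quote, golden_log, key: bytes = ATTESTATION_KEY):
    """Return (trusted, reason) for one device report."""
    # 1. The quote must be over this nonce, so an old report cannot be replayed.
    if not hmac.compare_digest(quote, device_quote(pcr, nonce, key)):
        return False, "quote signature invalid"
    # 2. Replaying the log must reproduce the reported register value.
    replay = PCR_INITIAL
    for _, digest_hex in log:
        replay = extend(replay, bytes.fromhex(digest_hex))
    if replay != pcr:
        return False, "event log does not match PCR"
    # 3. Every measurement must equal the locally stored reference value.
    if len(log) != len(golden_log):
        return False, "unexpected number of measured components"
    for (name, digest_hex), (ref_name, ref_hex) in zip(log, golden_log):
        if name != ref_name or digest_hex != ref_hex:
            return False, f"{name} measurement differs from reference"
    return True, "trustworthy"


# The server's reference (golden) log, derived from a known-good boot.
GOLDEN_LOG = measure_boot(GOOD_BOOT)[1]


def attest(components, nonce: bytes):
    """Run one device-side measurement plus server-side verification."""
    pcr, log = measure_boot(components)
    quote = device_quote(pcr, nonce)
    return server_verify(pcr, log, nonce, quote, GOLDEN_LOG)


if __name__ == "__main__":
    print(attest(GOOD_BOOT, b"nonce-1"))
    tampered = [("bios", b"bios-image-v1"), ("bootloader", b"loader-MODIFIED"), ("kernel", b"kernel-v1")]
    print(attest(tampered, b"nonce-2"))
```

The order of the checks matters: the signature check rejects reports that were not produced for this challenge, the replay check rejects a log that has been edited after the fact, and only then is each measurement compared to the reference, so the reason string points at the first component whose image no longer matches.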

Before configuring RA, complete the following tasks:

● Configure the device to communicate with the RA server, and configure the
RA function on the RA server.
● Create a public key infrastructure (PKI) domain on the device to implement
PKI certificate management between the Certificate Authority (CA) and device
through the Certificate Management Protocol (CMP).

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run pki import-certificate ca file-name file-name

The downloaded certificate is imported to the device.

Step 3 Run trustem

The trusted management view is displayed.

Step 4 Run remote-attestation enable

RA is enabled.

Step 5 (Optional) Run remote-attestation pki bind domain domainName

A specified PKI domain is bound to RA.

Step 6 (Optional) If the PKI certificate is ineffective, run remote-attestation pki update-
request { all | slot slotID }

PKI certificate information is updated.


Step 7 Run commit
The configuration is committed.
Step 8 Run quit
Return to the system view.
Step 9 Run quit
Return to the user view.
Step 10 (Optional) Run set tpm password { slot slotId | all }
The TPM password is changed.

NOTE

If the device needs to be rolled back to a version that does not support the configuration of
the TPM password, run the set tpm password { slot slotId | all } command to restore the
default TPM password Changeme_123 before the rollback.
After the set tpm password { slot slotId | all } command is run, the device must be
restarted. Otherwise, the TPM cannot be accessed and the remote attestation function is
unavailable.

----End

Verifying the Configuration


Run the display trustem remote-attestation bd-status { slot slotId | all }
command to check the RA status.
