
ZXR10 8900&8900E

Series Switch
Configuration Guide (Security)

Version: V3.00.01

ZTE CORPORATION
NO. 55, Hi-tech Road South, ShenZhen, P.R.China
Postcode: 518057
Tel: +86-755-26771900
Fax: +86-755-26770801
URL: http://ensupport.zte.com.cn
E-mail: [email protected]
LEGAL INFORMATION
Copyright © 2011 ZTE CORPORATION.
The contents of this document are protected by copyright laws and international treaties. Any reproduction or
distribution of this document or any portion of this document, in any form by any means, without the prior written
consent of ZTE CORPORATION is prohibited. Additionally, the contents of this document are protected by
contractual confidentiality obligations.
All company, brand and product names are trade or service marks, or registered trade or service marks, of ZTE
CORPORATION or of their respective owners.
This document is provided “as is”, and all express, implied, or statutory warranties, representations or conditions
are disclaimed, including without limitation any implied warranty of merchantability, fitness for a particular purpose,
title or non-infringement. ZTE CORPORATION and its licensors shall not be liable for damages resulting from the
use of or reliance on the information contained herein.
ZTE CORPORATION or its licensors may have current or pending intellectual property rights or applications
covering the subject matter of this document. Except as expressly provided in any written license between ZTE
CORPORATION and its licensee, the user of this document shall not acquire any license to the subject matter
herein.
ZTE CORPORATION reserves the right to upgrade or make technical change to this product without further notice.
Users may visit ZTE technical support website http://ensupport.zte.com.cn to inquire related information.
The ultimate right to interpret this product resides in ZTE CORPORATION.

Revision History

Revision No. Revision Date Revision Reason

R1.0 2012-01-31 First edition

Serial Number: SJ-20110624091725-014

Publishing Date: 2012-01-31(R1.0)


Contents
About This Manual ......................................................................................... I
Chapter 1 Safety Instruction...................................................................... 1-1
1.1 Safety Instruction ............................................................................................... 1-1
1.2 Safety Signs ...................................................................................................... 1-1

Chapter 2 ACL Configuration .................................................................... 2-1


2.1 ACL Overview.................................................................................................... 2-1
2.2 ACL Principle ..................................................................................................... 2-1
2.3 Configuring ACL................................................................................................. 2-1
2.3.1 Configuring IPv4-ACL ............................................................................... 2-1
2.3.2 Configuring Link-ACL ............................................................................... 2-3
2.3.3 Configuring MIXED-ACL ........................................................................... 2-5
2.3.4 Configuring ACL Binding on a VLAN.......................................................... 2-7
2.4 Maintaining ACL................................................................................................. 2-8
2.4.1 Maintaining IPV4-ACL .............................................................................. 2-8
2.4.2 Maintaining LINK-ACL ............................................................................ 2-10
2.4.3 Maintaining MIXED-ACL ......................................................................... 2-10
2.4.4 Maintaining ACL Binding for a VLAN ........................................................2-11
2.5 ACL Configuration Example .............................................................................. 2-12
2.6 ACL Fault Treatment ........................................................................................ 2-14
2.6.1 Network Environment ............................................................................. 2-14
2.6.2 Malfunction Analysis............................................................................... 2-14
2.6.3 Treatment Scheme ................................................................................. 2-15
2.6.4 Treatment Steps..................................................................................... 2-15

Chapter 3 TACACS+ Configuration........................................................... 3-1


3.1 TACACS+ Overview ........................................................................................... 3-1
3.2 TACACS+ Principle ............................................................................................ 3-1
3.3 Configuring TACACS+ ........................................................................................ 3-3
3.4 Maintaining TACACS+ ........................................................................................ 3-5
3.5 TACACS+ Configuration Example ....................................................................... 3-6
3.6 TACACS+ Fault Treatment.................................................................................. 3-8
3.6.1 Network Environment ............................................................................... 3-8
3.6.2 Malfunction Analysis................................................................................. 3-8
3.6.3 Treatment Scheme ................................................................................... 3-8

3.6.4 Treatment Steps....................................................................................... 3-9

Chapter 4 AAA Configuration.................................................................... 4-1


4.1 AAA Overview.................................................................................................... 4-1
4.2 AAA Principle..................................................................................................... 4-1
4.3 Configuring AAA ................................................................................................ 4-2
4.4 Maintaining AAA ................................................................................................ 4-6
4.5 AAA Configuration Example................................................................................ 4-7
4.6 AAA Fault Treatment .......................................................................................... 4-9
4.6.1 Network Environment ............................................................................... 4-9
4.6.2 Malfunction Analysis................................................................................. 4-9
4.6.3 Treatment Scheme ................................................................................... 4-9
4.6.4 Treatment Steps..................................................................................... 4-10

Chapter 5 RADIUS Configuration.............................................................. 5-1


5.1 RADIUS Overview.............................................................................................. 5-1
5.2 RADIUS Principle............................................................................................... 5-2
5.3 Configuring RADIUS........................................................................................... 5-3
5.3.1 Configuring RADIUS Authentication Group ................................................ 5-3
5.3.2 Configuring RADIUS Accounting Group ..................................................... 5-6
5.3.3 Configuring RADIUS Debugging Commands............................................ 5-10
5.3.4 Configuring RADIUS Ping Commands ......................................................5-11
5.3.5 Sending RADIUS Accounting-Off Packets Manually ..................................5-11
5.4 Maintaining RADIUS..........................................................................................5-11
5.5 RADIUS Configuration Example ........................................................................ 5-14
5.6 RADIUS Fault Treatment .................................................................................. 5-17
5.6.1 Network Environment ............................................................................. 5-17
5.6.2 Malfunction Analysis............................................................................... 5-18
5.6.3 Treatment Scheme ................................................................................. 5-18
5.6.4 Treatment Steps..................................................................................... 5-19

Chapter 6 URPF Configuration.................................................................. 6-1


6.1 URPF Overview ................................................................................................. 6-1
6.2 URPF Principle .................................................................................................. 6-1
6.2.1 Strict URPF.............................................................................................. 6-1
6.2.2 Loose URPF ............................................................................................ 6-1
6.2.3 Loose URPF Ignoring Default Route.......................................................... 6-2
6.3 URPF Configuration ........................................................................................... 6-2
6.4 Maintaining URPF .............................................................................................. 6-2
6.5 URPF Configuration Example ............................................................................. 6-4

6.6 URPF Fault Treatment........................................................................................ 6-5
6.6.1 Network Environment ............................................................................... 6-5
6.6.2 Malfunction Analysis................................................................................. 6-6
6.6.3 Treatment Scheme ................................................................................... 6-6
6.6.4 Treatment Steps....................................................................................... 6-7

Chapter 7 User Management Module Configuration............................... 7-1


7.1 User Management Module Overview ................................................................... 7-1
7.2 User Management Module Principle .................................................................... 7-1
7.3 Configuring User Management Module ................................................................ 7-1
7.4 Maintaining User Management Module ................................................................ 7-7
7.5 User Management Module Configuration Example ............................................... 7-8
7.5.1 Local Authentication and Authorization User Configuration Example............ 7-8
7.5.2 RADIUS-LOCAL Authentication and Authorization User Configuration
Example ................................................................................................. 7-9
7.5.3 TACACS+ Authentication and Authorization User Configuration
Example ............................................................................................... 7-10
7.5.4 Password Prompt Question Configuration For Resetting a Password..........7-11
7.6 User Management Module Fault Treatment........................................................ 7-13
7.6.1 Networking Environment......................................................................... 7-13
7.6.2 Malfunction Analysis............................................................................... 7-13
7.6.3 Treatment Scheme ................................................................................. 7-13
7.6.4 Treatment Steps..................................................................................... 7-14

Chapter 8 SNMP Anti-Violence Attack Configuration ............................. 8-1


8.1 SNMP Anti-Violence Attack Overview .................................................................. 8-1
8.2 SNMP Anti-Violence Attack Principle ................................................................... 8-1
8.3 Configuring Security Function ............................................................................. 8-2
8.4 Maintaining Security Function ............................................................................. 8-4
8.5 SNMP Anti-Violence Attack Configuration Example .............................................. 8-5
8.6 SNMP Anti-Violence Attack Fault Treatment ........................................................ 8-6
8.6.1 Networking Environment........................................................................... 8-6
8.6.2 Fault Analysis .......................................................................................... 8-7
8.6.3 Treatment Scheme ................................................................................... 8-7
8.6.4 Treatment Steps....................................................................................... 8-8

Chapter 9 anti-dos Configuration ............................................................. 9-1


9.1 About anti-dos.................................................................................................... 9-1
9.2 anti-dos Principles .............................................................................................. 9-1
9.2.1 Land Attack.............................................................................................. 9-1

9.2.2 TCP Null Scan Attack ............................................................................... 9-2
9.2.3 Ping of Death Attack................................................................................. 9-2
9.2.4 TCP FIN Scan Attack ............................................................................... 9-2
9.2.5 SYN Packet Port Number Below 1024 ....................................................... 9-2
9.2.6 TCP xma scan ......................................................................................... 9-2
9.2.7 Smurf Attack ............................................................................................ 9-2
9.2.8 Ping Flood ............................................................................................... 9-3
9.2.9 Syn-flood Attack ....................................................................................... 9-3
9.3 Configuring anti-dos ........................................................................................... 9-3
9.4 Maintaining anti-dos ........................................................................................... 9-4
9.5 anti-dos Configuration Example........................................................................... 9-4
9.6 anti-dos Fault Treatment ..................................................................................... 9-5
9.6.1 Networking Environment........................................................................... 9-5
9.6.2 Fault Analysis .......................................................................................... 9-6
9.6.3 Treatment Process ................................................................................... 9-6
9.6.4 Treatment Steps....................................................................................... 9-6

Chapter 10 CPU_GUARD Configuration................................................. 10-1


10.1 About CPU_GUARD....................................................................................... 10-1
10.2 CPU_GUARD Principles ................................................................................. 10-1
10.3 Configuring CPU_GUARD .............................................................................. 10-1
10.4 Maintaining CPU_GUARD .............................................................................. 10-3
10.5 CPU_GUARD Configuration Example.............................................................. 10-9
10.5.1 Enabling the CPU Guard Function ......................................................... 10-9
10.5.2 Disabling the CPU Guard Function ........................................................ 10-9
10.5.3 Clearing the Counter of CPU Statistics................................................... 10-9
10.5.4 Configuring the Hardware Queue of the CPU Guard Protocol.................10-10
10.5.5 Configuring the Size of the CPU Guard CoS Queue ..............................10-10
10.5.6 Configuring the Token Bucket of the CPU Guard Interface Protocol ........10-10
10.5.7 Enabling the CPU Guard Interface Protocol...........................................10-10

Chapter 11 DOT1X Configuration............................................................ 11-1


11.1 About DOT1X..................................................................................................11-1
11.2 DOT1X Principles ............................................................................................11-2
11.3 Configuring DOT1X .........................................................................................11-4
11.3.1 Configuring DOMAIN .............................................................................11-4
11.3.2 Binding a Domain to an Interface ............................................................11-5
11.3.3 Configuring DOT1X Parameters .............................................................11-6
11.3.4 Configuring a Local Authentication User..................................................11-7

11.3.5 Managing DOT1X Authentication Access Users ......................................11-8
11.4 Maintaining DOT1X .........................................................................................11-8
11.5 DOT1X Configuration Example....................................................................... 11-10
11.5.1 Application of DOT1X RADIUS Authentication ....................................... 11-10
11.5.2 Application of DOT1X Trunk Authentication ........................................... 11-13
11.5.3 Application of DOT1X Local Authentication............................................ 11-14
11.6 DOT1X Fault Treatment ................................................................................. 11-16
11.6.1 Networking Environment ...................................................................... 11-16
11.6.2 Fault Analysis...................................................................................... 11-17
11.6.3 Treatment Process .............................................................................. 11-17
11.6.4 Treatment Steps .................................................................................. 11-18

Chapter 12 LOOPDETECT Configuration............................................... 12-1


12.1 About LOOPDETECT ..................................................................................... 12-1
12.2 Configuring LOOPDETECT............................................................................. 12-1
12.3 LOOPDETECT Configuration Example ............................................................ 12-2
12.3.1 LOOPDETECT Configuration Example 1 ............................................... 12-2
12.3.2 LOOPDETECT Configuration Example 2 ............................................... 12-4
12.3.3 LOOPDETECT Configuration Example 3 ............................................... 12-5
12.3.4 LOOPDETECT Configuration Example 4 ............................................... 12-6

Figures............................................................................................................. I
Glossary ........................................................................................................ III

About This Manual
Purpose
First, thank you for choosing the ZXR10 switch of ZTE Corporation (ZTE for short)!
This manual is the ZXR10 8900&8900E (V3.00.01) Series Switch Configuration Guide
(Security), which is applicable to the ZXR10 8900&8900E (V3.00.01) series switches.

Intended Audience
This manual is intended for:
- Network planning engineer
- Debugging engineer
- Attendant

What Is in This Manual

This manual contains the following contents:

Chapter 1, Safety Instruction
    Describes the safety precautions related to the use of the switch and the symbols used in this manual.

Chapter 2, ACL Configuration
    Describes the ACL technology and principles, and provides ACL configuration and maintenance commands, configuration examples, and troubleshooting methods.

Chapter 3, TACACS+ Configuration
    Describes the TACACS+ technology and principles, and provides TACACS+ configuration and maintenance commands, configuration examples, and troubleshooting methods.

Chapter 4, AAA Configuration
    Describes the AAA technology and principles, and provides AAA configuration and maintenance commands, configuration examples, and troubleshooting methods.

Chapter 5, RADIUS Configuration
    Describes the RADIUS technology and principles, and provides RADIUS configuration and maintenance commands, configuration examples, and troubleshooting methods.

Chapter 6, URPF Configuration
    Describes the URPF technology and principles, and provides URPF configuration and maintenance commands, configuration examples, and troubleshooting methods.

Chapter 7, User Management Module Configuration
    Describes the user management module technology and principles, and provides related configuration and maintenance commands, configuration examples, and troubleshooting methods.

Chapter 8, SNMP Anti-violence Attack Configuration
    Describes the SNMP anti-violence attack technology and principles, and provides related configuration and maintenance commands.

Chapter 9, anti-dos Configuration
    Describes the anti-dos technology and principles, and provides related configuration and maintenance commands and configuration examples.

Chapter 10, CPU_GUARD Configuration
    Describes the CPU_GUARD technology and principles, and provides CPU_GUARD configuration and maintenance commands, configuration examples, and troubleshooting methods.

Chapter 11, DOT1X Configuration
    Describes the DOT1X technology and principles, and provides DOT1X configuration and maintenance commands, configuration examples, and troubleshooting methods.

Chapter 12, LOOPDETECT Configuration
    Describes the LOOPDETECT technology and principles, and provides LOOPDETECT configuration and maintenance commands and configuration examples.
Chapter 1
Safety Instruction
Table of Contents
Safety Instruction .......................................................................................................1-1
Safety Signs ...............................................................................................................1-1

1.1 Safety Instruction


Only duly trained and qualified personnel may install, operate and maintain the devices.
During installation, operation and maintenance, abide by the local safety specifications
and the related operating instructions; otherwise physical injury may occur or the devices
may be damaged. The safety precautions in this manual only supplement the local safety
specifications.
Debug commands affect the performance of the devices and may have serious consequences,
so use them with care. In particular, the debug all command enables every debug process
and must not be used on devices carrying live services. Using debug commands while the
user network is in a normal state is not recommended.
ZTE Corporation assumes no responsibility for consequences resulting from violation of
general safety operating specifications or of the safety rules for the design, production
and use of the devices.

1.2 Safety Signs


The information that users should pay attention to when installing, operating and
maintaining devices is presented in the following formats:

Warning!
Indicates matters needing close attention. If ignored, serious injury may occur or devices
may be damaged.

Caution!
Indicates the matters needing attention during configuration.


SJ-20110624091725-014|2012-01-31(R1.0) ZTE Proprietary and Confidential



Note:
Indicates the description, hint, tip, and so on for configuration operations.



Chapter 2
ACL Configuration
Table of Contents
ACL Overview ............................................................................................................2-1
ACL Principle .............................................................................................................2-1
Configuring ACL.........................................................................................................2-1
Maintaining ACL.........................................................................................................2-8
ACL Configuration Example .....................................................................................2-12
ACL Fault Treatment ................................................................................................2-14

2.1 ACL Overview


An Access Control List (ACL) is a flow classification tool. It is used to implement port
ACLs, Unicast Reverse Path Forwarding (URPF), Policy-Based Routing (PBR) and other functions.

2.2 ACL Principle


The basic principle of an ACL is to filter packets according to the fields they contain,
such as the 5-tuple of an Internet Protocol (IP) packet (source/destination IP addresses,
protocol type and source/destination port numbers). In this version, the ACL on ZXR10
8900&8900E also supports link-access lists, that is, filtering of Layer 2 packets.

An ACL list can contain many rules, each describing a set of matching conditions. Rules are
checked starting from the first one; a packet is permitted or denied (the preset actions) as
soon as it matches a rule, so the order of the rules decides the result. In some applications
the preset actions can be customized by a service module; policy routing, for example, takes
effect at the forwarding layer.

2.3 Configuring ACL


2.3.1 Configuring IPv4-ACL
To configure IPv4-ACL on ZXR10 8900&8900E, perform the following steps.

Step  Command / Function

1     ZXR10(config)#ipv4-access-list <name>
      This creates an IPv4-ACL list and enters IPv4-ACL configuration mode (prompt config-ipv4-acl).
      ZXR10(config)#no ipv4-access-list <name>
      This deletes an IPv4-ACL list.

2     ZXR10(config-ipv4-acl)#rule [<rule-id>] {permit | deny} {source [<source-wildcard>] | any} [time-range <name>] [log]
      This configures a standard, source-address-based ACL rule.
      ZXR10(config-ipv4-acl)#rule [<rule-id>] {permit | deny} protocol {source [<source-wildcard>] | any} {destination [<destination-wildcard>] | any} [{tos <value> | precedence <value> | dscp <value>}] [time-range <name>] [log]
      This configures an extended ACL rule.
      ZXR10(config-ipv4-acl)#rule [<rule-id>] {permit | deny} tcp {source [<source-wildcard>] | any} [oper <source-port>] {destination [<destination-wildcard>] | any} [oper <destination-port>] [established] [{tos <value> | precedence <value> | dscp <value>}] [time-range <name>] [log]
      This configures a TCP-based ACL rule.
      ZXR10(config-ipv4-acl)#rule [<rule-id>] {permit | deny} udp {source [<source-wildcard>] | any} [oper <source-port>] {destination [<destination-wildcard>] | any} [oper <destination-port>] [{tos <value> | precedence <value> | dscp <value>}] [time-range <name>] [log]
      This configures a UDP-based ACL rule.
      ZXR10(config-ipv4-acl)#rule [<rule-id>] {permit | deny} icmp {source [<source-wildcard>] | any} {destination [<destination-wildcard>] | any} [icmp-type | icmp-code] [{tos <value> | precedence <value> | dscp <value>}] [time-range <name>] [log]
      This configures an ICMP-based ACL rule.

3     ZXR10(config-ipv4-acl)#move <target-rule-id> <target-new-rule-id>
      This moves an ACL rule by assigning it a new rule-id, which changes its position in the list.

4     ZXR10(config-ipv4-acl)#no rule {<rule-id> | all}
      This deletes the specified ACL rule or all ACL rules.

5     ZXR10(config)#ipv4-access-group interface <interface-name> {ingress | egress} <acl-name>
      This binds the ACL to an interface in the ingress or egress direction.
      ZXR10(config-if)#no ipv4-access-group {ingress | egress}
      This removes the ACL bound to an interface in the given direction.

Descriptions of the parameters in Step 2:

Parameter                 Description

<rule-id>                 Unique identifier of the rule within the ACL list; it decides the
                          position of the rule in the list. The range is 1-2147483644. If the
                          command is used without this parameter, the rule is appended to the
                          end of the list and a rule-id is allocated according to the base and
                          increment values.

permit                    Keyword. The rule permits matching packets.

deny                      Keyword. The rule denies matching packets.

protocol                  The protocol type to be matched: one of the keywords tcp, udp and ip,
                          or an integer from 0 to 255 giving the IP protocol number. ip matches
                          any protocol type.

source                    Source IPv4 address, in dotted decimal notation.

<source-wildcard>         Wildcard of the source IPv4 address, in dotted decimal notation.

destination               Destination IPv4 address, in dotted decimal notation.

<destination-wildcard>    Wildcard of the destination IPv4 address, in dotted decimal notation.

oper                      Port comparison operator: one of the keywords eq, ge, le and range.
                          For range, two port numbers are specified.

<source-port>             Source port number, in the range of 0-65535.

<destination-port>        Destination port number, in the range of 0-65535.

precedence <value>        IP precedence, in the range of 0-7.

tos <value>               ToS field, in the range of 0-15.

dscp <value>              DSCP field, in the range of 0-63.

time-range <name>         Restricts the rule to the named time range.

established               Keyword for established TCP connections; available for TCP only.
Tip:
1. If the IPv4-ACL is bound in the egress direction, the le, ge and range operators on
source-port and destination-port are not supported.
2. TCP and UDP port numbers support range matching, but the total number of source-port
and destination-port ranges must not exceed 16; ranges beyond this limit do not take
effect on some boards.
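The rule list, first-match evaluation and wildcard matching described in 2.2 and in the command table above, modelled as an added example. This is constructed illustration code, not ZTE's implementation. The rule forms follow the table above; the sample list and packets, the implicit deny for a packet that matches no rule, the base/increment values used to allocate rule-ids, and the reading of established as "ACK or RST set" are assumptions:

```python
"""Added example, not ZTE code: a model of ZXR10-style IPv4-ACL evaluation.
Rules are ordered by rule-id, the first matching rule decides, and addresses
are compared under a wildcard (inverse) mask. The implicit deny for unmatched
packets, the base/increment id allocation and the meaning of 'established'
(ACK or RST flag set) are assumptions, not statements from the manual."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortOp = Tuple[str, int, int]   # ("eq" | "ge" | "le" | "range", port1, port2)
AddrSpec = Tuple[str, str]      # (address, wildcard), both dotted decimal
ANY: AddrSpec = ("0.0.0.0", "255.255.255.255")   # the 'any' keyword

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means 'don't care': 0.0.0.0 matches exactly one
    host, 255.255.255.255 matches every host."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

def port_match(port: int, op: Optional[PortOp]) -> bool:
    if op is None:              # no operator given: any port matches
        return True
    name, p1, p2 = op
    return {"eq": port == p1, "ge": port >= p1,
            "le": port <= p1, "range": p1 <= port <= p2}[name]

@dataclass
class Rule:
    rule_id: int
    action: str                     # "permit" | "deny"
    protocol: str = "ip"            # "ip" matches any protocol; else "tcp", "udp", "icmp", ...
    src: AddrSpec = ANY
    dst: AddrSpec = ANY
    sport: Optional[PortOp] = None  # TCP/UDP only
    dport: Optional[PortOp] = None
    established: bool = False       # TCP only; assumed to mean ACK or RST set

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "ip" and self.protocol != pkt["proto"]:
            return False
        if not (wildcard_match(pkt["src"], *self.src) and wildcard_match(pkt["dst"], *self.dst)):
            return False
        if self.protocol in ("tcp", "udp") and not (
                port_match(pkt["sport"], self.sport) and port_match(pkt["dport"], self.dport)):
            return False
        return not self.established or bool(pkt.get("ack") or pkt.get("rst"))

class Ipv4Acl:
    """'ipv4-access-list <name>': rules kept sorted by rule-id, which fixes the order."""
    def __init__(self, name: str, base: int = 10, increment: int = 10):
        self.name, self.base, self.increment = name, base, increment
        self.rules: List[Rule] = []

    def rule(self, action: str, protocol: str = "ip", rule_id: Optional[int] = None, **kw) -> int:
        """'rule [<rule-id>] {permit|deny} ...': without an id the rule is appended and
        numbered from base/increment (the allocation policy is an assumption)."""
        if rule_id is None:
            last = self.rules[-1].rule_id if self.rules else self.base - self.increment
            rule_id = last + self.increment
        self.rules.append(Rule(rule_id, action, protocol, **kw))
        self.rules.sort(key=lambda r: r.rule_id)
        return rule_id

    def move(self, rule_id: int, new_rule_id: int) -> None:
        """'move <target-rule-id> <target-new-rule-id>': renumbering changes the order."""
        target = next((r for r in self.rules if r.rule_id == rule_id), None)
        if target is None:
            raise KeyError(f"no rule {rule_id} in {self.name}")
        if any(r.rule_id == new_rule_id for r in self.rules):
            raise ValueError(f"rule {new_rule_id} already exists in {self.name}")
        target.rule_id = new_rule_id
        self.rules.sort(key=lambda r: r.rule_id)

    def evaluate(self, pkt: dict) -> Tuple[str, Optional[int]]:
        """First match wins: returns (action, rule-id); no match gives ('deny', None)."""
        for r in self.rules:
            if r.matches(pkt):
                return r.action, r.rule_id
        return "deny", None

def build_demo_acl() -> Ipv4Acl:
    """Constructed sample list with a broad permit placed before a narrow deny."""
    acl = Ipv4Acl("mgmt-in")
    acl.rule("permit", "ip", src=("192.168.1.0", "0.0.0.255"))            # id 10
    acl.rule("deny", "tcp", dport=("eq", 23, 0))                          # id 20: Telnet
    acl.rule("permit", "tcp", dst=("10.0.0.1", "0.0.0.0"),                # id 30: replies only
             dport=("range", 1024, 65535), established=True)
    return acl

# Constructed sample packets (5-tuple plus TCP flags), not captured traffic.
TELNET = {"proto": "tcp", "src": "192.168.1.5", "dst": "10.0.0.1", "sport": 40000, "dport": 23, "ack": False}
REPLY = {"proto": "tcp", "src": "172.16.0.9", "dst": "10.0.0.1", "sport": 443, "dport": 51000, "ack": True}

if __name__ == "__main__":
    acl = build_demo_acl()
    print(acl.evaluate(TELNET))     # ('permit', 10): the Telnet deny behind rule 10 never fires
    acl.move(20, 5)                 # put the deny in front of the broad permit
    print(acl.evaluate(TELNET))     # ('deny', 5)
    print(acl.evaluate(REPLY), acl.evaluate(dict(REPLY, ack=False)))  # ('permit', 30) ('deny', None)
```

Running the block shows the ordering trap that rule-id and move exist for: the Telnet packet from 192.168.1.5 is permitted by the broad rule 10 until the deny is renumbered in front of it, and a bare SYN to 10.0.0.1 fails the established check and falls through to the assumed implicit deny. A permit placed too early shadows every narrower deny behind it, so check rule order with the maintenance commands in 2.4 after every move.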

2.3.2 Configuring Link-ACL


To configure Link-ACL on ZXR10 8900&8900E, perform the following steps.

Step  Command / Function

1     ZXR10(config)#link-access-list <name>
      This creates a link-ACL and enters link-ACL configuration mode (prompt config-link-acl).
      ZXR10(config)#no link-access-list <name>
      This deletes a link-ACL.

2     ZXR10(config-link-acl)#rule [<rule-id>] {permit | deny} {source-mac <source-mac-wildcard> | any} [time-range <name>]
      This configures a source-MAC-address-based ACL rule.
      ZXR10(config-link-acl)#rule [<rule-id>] {permit | deny} {source-mac <source-mac-wildcard> | any} {destination-mac <destination-mac-wildcard> | any} [{inner-cos <value> | inner-VLAN <value> | outer-cos <value> | outer-VLAN <value>}] [time-range <name>]
      This configures a MAC-address- and VLAN-based ACL rule.
      ZXR10(config-link-acl)#rule [<rule-id>] {permit | deny} [link-protocal <value>] [{source-mac <source-mac-wildcard> | any}] [time-range <name>]
      This configures a Layer 2 protocol type and MAC-address-based ACL rule.
      ZXR10(config-link-acl)#rule [<rule-id>] {permit | deny} [link-protocal <value>] [{source-mac <source-mac-wildcard> | any}] [{inner-cos <value> | inner-VLAN <value> | outer-cos <value> | outer-VLAN <value>}] [time-range <name>]
      This configures a Layer 2 protocol type, MAC-address- and VLAN-based ACL rule.
      ZXR10(config-link-acl)#move <target-rule-id> <target-new-rule-id>
      This moves an ACL rule by assigning it a new rule-id, which changes its position in the list.

3     ZXR10(config-link-acl)#no rule {<rule-id> | all}
      This deletes the specified ACL rule or all rules.

4     ZXR10(config)#link-access-group interface <interface-name> {ingress | egress} <acl-name>
      This binds a link-ACL to an interface in the ingress or egress direction.
      ZXR10(config-if)#no ipv4-access-group {ingress | egress}
      or
      ZXR10(config-if)#no link-access-group interface <interface-name> {ingress | egress}
      This removes an ACL that has been bound to an interface.

Descriptions of the parameters in Step 2:

Parameter Description

<rule-id>  A unique identifier of the rule in the ACL list. This ID decides the position
           of the rule in the ACL list. The range is 1-2147483644.
           If the command is used without this parameter, the rule is placed at the end
           of the list by default, and the rule-id is allocated according to the base
           and increment.

permit  Keyword. It indicates that this is a permit rule.

deny  Keyword. It indicates that this is a deny rule.

link-protocal  The Layer 2 protocol type to be matched, in the range 0-255

source-mac  Source MAC address, in dotted hex notation

<source mac-wildcard>  The wildcard of the source MAC address, in dotted hex notation

destination-mac  Destination MAC address, in dotted hex notation


<destination-mac-wildcard>  The wildcard of the destination MAC address, in dotted hex notation

inner-cos  Inner priority in the VLAN header, in the range 0-7

inner-VLAN  Inner ID in the VLAN header, in the range 1-4094

outer-cos  Outer priority in the VLAN header, in the range 0-7

outer-VLAN  Outer ID in the VLAN header, in the range 1-4094

time-range  Sets the time-range parameter

Tip:
1. If the LINK-ACL is bound to a VLAN and the bound VLAN is not the outer VLAN matched
in the rule, the bound VLAN is used as the matched outer VLAN.
2. If the LINK-ACL is bound on the egress and the rule contains the condition "inner-cos=0",
the rule also takes effect on packets that have no inner VLAN tag.

2.3.3 Configuring MIXED-ACL


To configure MIXED-ACL on ZXR10 8900&8900E, use the following commands:

Step Command Function

1  ZXR10(config)#ipv4-mixed-access-list <name>
   This configures an ACL list.

   ZXR10(config)#no ipv4-mixed-access-list <name>
   This deletes an ACL list.

2  ZXR10(config-ipv4-mixed-acl)#rule [<rule-id>]{permit | deny} protocol {source [<source-wildcard>] | any}{destination [<destination-wildcard>] | any}[{<tos-value> | <precedence-value> | <dscp-value>}]
   This configures a standard ACL rule based on the source address.

   ZXR10(config-ipv4-mixed-acl)#rule [<rule-id>]{permit | deny}[{link-protocal <value> | [{source-mac <source mac-wildcard> | any}][{inner-cos <value> | inner-vlan <value> | outer-cos <value> | outer-vlan <value>}] protocol {source [<source-wildcard>] | any}{destination [<destination-wildcard>] | any}[{tos <value> | precedence <value> | dscp <value>}][time-range <name>][log]
   This configures an ACL rule based on the LINK ACL and extension.

   ZXR10(config-ipv4-mixed-acl)#rule [<rule-id>]{permit | deny}[{link-protocal <value> | [{source-mac <source mac-wildcard> | any}][{inner-cos <value> | inner-vlan <value> | outer-cos <value> | outer-vlan <value>}] tcp {source [<source-wildcard>] | any}[oper <source-port>]{destination [<destination-wildcard>] | any}[oper <destination-port>][establish][{tos <value> | precedence <value> | dscp <value>}][fin][psh][range][rst][syn][urg][time-range <name>][log]
   This configures an ACL rule based on the LINK ACL and TCP protocol.


   ZXR10(config-ipv4-mixed-acl)#rule [<rule-id>]{permit | deny}[{link-protocal <value> | [{source-mac <source mac-wildcard> | any}][{inner-cos <value> | inner-vlan <value> | outer-cos <value> | outer-vlan <value>}] udp {source [<source-wildcard>] | any}[oper <source-port>]{destination [<destination-wildcard>] | any}[oper <destination-port>][{tos <value> | precedence <value> | dscp <value>}][time-range <name>][log]
   This configures an ACL rule based on the LINK ACL and UDP protocol.

   ZXR10(config-ipv4-mixed-acl)#rule [<rule-id>]{permit | deny}[{link-protocal <value> | [{source-mac <source mac-wildcard> | any}][{inner-cos <value> | inner-vlan <value> | outer-cos <value> | outer-vlan <value>}] icmp {source [<source-wildcard>] | any}{destination [<destination-wildcard>] | any}[icmp-type | icmp-code][{tos <value> | precedence <value> | dscp <value>}][time-range <name>][log]
   This configures an ACL rule based on the LINK ACL and ICMP protocol.

3  ZXR10(config-ipv4-mixed-acl)#move <target-rule-id> <target-new-rule-id>
   This moves an ACL rule.

4  ZXR10(config-ipv4-mixed-acl)#no rule {<rule-id> | all}
   This deletes an ACL rule or all ACL rules.

Description of the parameters in Step 2:

Parameter Description

<rule-id>  Uniquely identifies a rule in an ACL list and determines the position of
           the rule in the list. The value range is 1-2147483644. If no value is set,
           the system inserts the rule at the end of the list and allocates the rule-id
           according to the default base and increment.

permit  Keyword. It specifies that the rule is a permit rule.

deny  Keyword. It specifies that the rule is a deny rule.

protocol  Indicates the matched protocol type. It can be one of the keywords TCP,
          UDP and IP, or an integer ranging from 0 to 255 that represents the IP
          protocol number. "IP" indicates that any type of protocol can be matched.

source  Source IPv4 address (decimal).

<source-wildcard>  Wildcard mask of the source IPv4 address (decimal).

destination  Destination IPv4 address (decimal).

<destination-wildcard>  Wildcard mask of the destination IPv4 address (decimal).

oper  The port operation type; the value can be one of the keywords eq, ge, le and
      range. Two port numbers are specified after "range".

source-port  Source port number. Value range: 0-65535.


destination-port  Destination port number. Value range: 0-65535.

precedence <value>  Precedence. Value range: 0-7.

established, fin, rst, ack, urg, psh, syn  TCP connection-state and flag keywords. Available only for TCP.

tos <value>  The tos field. Value range: 0-15.

dscp <value>  The dscp field. Value range: 0-63.

time-range  Time range.

established  A TCP link establishment keyword. Available only for TCP.

link-protocol  The layer 2 protocol type to be matched. Value range: 0-255.

source-mac  Source MAC address (hexadecimal).

<source-mac-wildcard>  Wildcard mask of the source MAC address (hexadecimal).

destination-mac  Destination MAC address (hexadecimal).

<destination-mac-wildcard>  Wildcard mask of the destination MAC address (hexadecimal).

inner-cos  Priority of the inner layer of the VLAN header. Value range: 0-7.

inner-vlan  ID of the inner layer of the VLAN header. Value range: 1-4094.

outer-cos  Priority of the outer layer of the VLAN header. Value range: 0-7.

outer-vlan  ID of the outer layer of the VLAN header. Value range: 1-4094.

Tip:
1. If the MIXED-ACL is bound to a VLAN and the bound VLAN is not the outer VLAN matched
in the rule, the bound VLAN is used as the matched outer VLAN.
2. If the MIXED-ACL is bound on the egress and the rule contains the condition "inner-cos=0",
the rule also takes effect on packets that have no inner VLAN tag.
3. If the MIXED-ACL is bound on the egress, the le, ge and range operators for source-port
and destination-port are invalid.

2.3.4 Configuring ACL Binding on a VLAN


To configure ACL binding on a VLAN on ZXR10 8900&8900E, use the following
commands:

Step Command Function

1  ZXR10(config)#ipv4-access-group vlan <vlan-id>{ingress | egress}
   This binds an IPv4 ACL on the VLAN.

   ZXR10(config)#no ipv4-access-group vlan <vlan-id>{ingress | egress}
   This deletes an IPv4 ACL from the VLAN.


2  ZXR10(config)#ipv6-access-group vlan <vlan-id>{ingress | egress}
   This binds an IPv6 ACL on the VLAN.

   ZXR10(config)#no ipv6-access-group vlan <vlan-id>{ingress | egress}
   This deletes an IPv6 ACL from the VLAN.

3  ZXR10(config)#link-access-group vlan <vlan-id>{ingress | egress}
   This binds a link (layer 2) ACL on the VLAN.

   ZXR10(config)#no link-access-group vlan <vlan-id>{ingress | egress}
   This deletes a link (layer 2) ACL from the VLAN.

4  ZXR10(config)#ipv4-mixed-access-group vlan <vlan-id>{ingress | egress}
   This binds a mixed v4 (layer 2 and v4) ACL on the VLAN.

   ZXR10(config)#no ipv4-mixed-access-group vlan <vlan-id>{ingress | egress}
   This deletes a mixed v4 (layer 2 and v4) ACL from the VLAN.

5  ZXR10(config)#ipv6-mixed-access-group vlan <vlan-id>{ingress | egress}
   This binds a mixed v6 (layer 2 and v6) ACL on the VLAN.

   ZXR10(config)#no ipv6-mixed-access-group vlan <vlan-id>{ingress | egress}
   This deletes a mixed v6 (layer 2 and v6) ACL from the VLAN.

Parameter descriptions:

Parameter Description

ingress Indicates that the ACL is bound on the ingress.

egress Indicates that the ACL is bound on the egress.

2.4 Maintaining ACL


2.4.1 Maintaining IPv4-ACL
To maintain IPv4-ACL on ZXR10 8900&8900E, use the following commands:

Command Function

ZXR10#show ipv4-access-lists name <acl-name>[{from <value> | to <value>} | {usage <interface-name>{ingress | egress}{Port-ACL}[{ESU- | MPU- | PFU- | SFU- ||{begin | exclude | include}]
  This shows the ACL list information.

ZXR10#show ipv4-access-lists brief {name <acl-name> | [|{begin | exclude | include}]}
  This shows the brief information about the ACL list.

ZXR10#show ipv4-access-lists |{begin | exclude | include}
  This shows the ACL list information.

ZXR10#show ipv4-access-lists config [|{begin | exclude | include}]
  This shows the ACL configuration.


ZXR10#show ipv4-access-lists usage <interface-name>{ingress | egress}{Port-ACL}[{ESU- | MPU- | PFU- | SFU- ||{begin | exclude | include}]
  This shows the ACL board information.

ZXR10#show ipv4-access-groups [{by-access-list <acl-name> | by-direction {ingress | egress} | by-interface <interface-name>}]
  This shows the binding information.

Parameter descriptions:

Parameter Description

<acl-name> Filters the display by ACL name.

ingress Filters the display by interface ingress.

egress Filters the display by interface egress.

<interface-name> Filters the display by interface name.

usage Statistics.

config System configuration.

begin Filters the display by the keyword "begin".

include Filters the display by the keyword "include".

exclude Filters the display by the keyword "exclude".

Port-ACL Port ACL.

The following is an example of the show ipv4-access-lists command:

ZXR10#show ipv4-access-lists name myacl
ipv4-access-list myacl
2/2 (showed/total)
1 deny tcp 171.69.2.88 0.0.255.255 any eq 23
2 deny any

ZXR10(config)#resequence-access-list ipv4 myacl

ZXR10(config-ipv4-acl)#rule 15 deny 10.1.1.3

ZXR10#show ipv4-access-lists name myacl
ipv4-access-list myacl
3/3 (showed/total)
10 deny tcp 171.69.2.88 0.0.255.255 any eq 23
15 deny 10.1.1.3
20 deny any

The following is an example of the show ipv4-access-groups command:


ZXR10(config)#show ipv4-access-groups


Interface name|vlan        Direction   ACl name
------------------------------------------------------
gei-0/9/0/10               Ingress     myacl
gei-0/2/1/8                Egress      myacl

2.4.2 Maintaining LINK-ACL


To maintain link-ACL on ZXR10 8900&8900E, use the following commands.

Command Function

ZXR10#show link-access-lists name <acl-name>[{from <value> | to <value>} | {begin | exclude | include}]
  This shows ACL list information.

ZXR10#show link-access-lists brief {name <acl-name> | [|{begin | exclude | include}]}
  This shows brief ACL list information.

ZXR10#show link-access-lists |{begin | exclude | include}
  This shows ACL information.

ZXR10#show link-access-lists config [{begin | exclude | include}]
  This shows the ACL configuration information.

ZXR10#show link-access-groups [{by-access-list <acl-name> | by-direction {ingress | egress} | by-interface <interface-name>}]
  This shows binding information.

Parameter descriptions:

Parameter Description

<acl-name>  Filters the display by ACL name

ingress  Filters the display by ingress

egress  Filters the display by egress

<interface-name>  Filters the display by interface name

config  System configuration

begin  Shows the output beginning at the first line that matches the string

include  Shows only the lines that include the string

exclude  Shows only the lines that do not include the string

2.4.3 Maintaining MIXED-ACL


To maintain MIXED-ACL on ZXR10 8900&8900E, use the following commands:

Command Function

ZXR10#show ipv4-mixed-access-lists name <acl-name>[{from <value> | to <value>} | {begin | exclude | include}]
  This shows the ACL list information.


ZXR10#show ipv4-mixed-access-lists brief {name <acl-name> | [|{begin | exclude | include}]}
  This shows the brief information about the ACL list.

ZXR10#show ipv4-mixed-access-lists |{begin | exclude | include}
  This shows the ACL list information.

ZXR10#show ipv4-mixed-access-lists config [{begin | exclude | include}]
  This shows the ACL configuration.

ZXR10#show ipv4-mixed-access-groups [{by-access-list <acl-name> | by-direction {ingress | egress} | by-interface <interface-name>}]
  This shows the binding information.

2.4.4 Maintaining ACL Binding for a VLAN


To maintain ACL binding for a VLAN on ZXR10 8900&8900E, use the following commands:

Command Function

ZXR10(config)#show running-config port-acl
  This shows all ACL binding information.

ZXR10#show ipv4-access-groups [[by-access-list <acl-name>][by-direction {ingress | egress}][by-interface-or-vlan <vlan-id>]]
  This shows IPv4 ACL binding information.

ZXR10#show ipv6-access-groups [[by-access-list <acl-name>][by-direction {ingress | egress}][by-interface-or-vlan <vlan-id>]]
  This shows IPv6 ACL binding information.

ZXR10#show link-access-groups [[by-access-list <acl-name>][by-direction {ingress | egress}][by-interface-or-vlan <vlan-id>]]
  This shows link ACL binding information.

ZXR10#show ipv4-mixed-access-groups [[by-access-list <acl-name>][by-direction {ingress | egress}][by-interface-or-vlan <vlan-id>]]
  This shows mixed v4 ACL binding information.

ZXR10#show ipv6-mixed-access-groups [[by-access-list <acl-name>][by-direction {ingress | egress}][by-interface-or-vlan <vlan-id>]]
  This shows mixed v6 ACL binding information.

Parameter descriptions:

Parameter Description

<acl-name> Filters the display by ACL name.

ingress/egress Filters the display by binding direction.

<vlan-id> Filters the display by vlan-id.

The following is an example of the show ipv4-access-groups command:


Interface name|vlan        Direction   ACl name
----------------------------------------------------------------
vlan 2                     Ingress     kkk

The following is an example of the show running-config port-acl command:


ZXR10(config)#show running-config port-acl

! <PORT_ACL>
ipv4-access-group vlan 2 ingress kkk
ipv6-access-group vlan 3 ingress lll
! </PORT_ACL>
ZXR10(config)#

2.5 ACL Configuration Example


Configuration Description
As shown in Figure 2-1, PC1 and PC2 both send Telnet requests to R1 through R2, but
R1 only wants to receive the Telnet request coming from PC1, not from PC2. To realize
the requirement of R1, bind an ACL to the ingress of gei-0/1/0/1 to filter the Telnet
packets coming from PC2 (the ACL can also be bound to the egress of gei-0/1/0/2).

Figure 2-1 ACL Configuration Example Topology

Here, create an ACL and add a rule to it. The rule denies packets whose IP address
belongs to PC2, whose protocol type is TCP and whose port is Telnet. Bind the ACL to
the ingress of gei-0/1/0/1 or the egress of gei-0/1/0/2.
After that, the Telnet request coming from PC2 cannot reach R1 even if PC2 obtains R1's
Telnet user name and password; the Telnet request packet is discarded by R2. Other
communication between R1 and PC2 is not affected.

Configuration Thought
1. Create an ACL with ipv4-access-list. The user can name the list; the name cannot be
longer than 31 characters.
2. Enter IPv4 ACL configuration mode after the list is created and add rules there. Each
rule designates a kind of packet and defines whether that kind of packet is denied or
permitted.
3. According to the traffic filtering requirement, bind the customized ipv4-access-list to
the egress or ingress of the interface whose traffic is to be filtered.


Configuration Process
R2 configuration:
R2(config)#ipv4-access-list test
R2(config-ipv4-acl)#rule 10 deny tcp 10.20.30.20 0.0.0.0 eq telnet 30.20.10.1 0.0.0.0
R2(config-ipv4-acl)#rule 20 permit any
R2(config-ipv4-acl)#exit
R2(config)#ipv4-access-group gei-0/1/0/1 ingress test

Configuration Check
There are three methods to view the ACL configuration.

R2(config)#show ipv4-access-lists brief
/*This shows the name and rule quantity of each ACL.*/
No. ACL RuleSum
------------------------------------------------------
1 test 2

R2(config)#show ipv4-access-lists name test
/*This shows the information of an ACL. Brief or full information
can be selected when the ACL name is specified.
By default, full information is shown.*/
ipv4-access-list test
(contain 2 rules)
rule 10 deny tcp 10.20.30.20 0.0.0.0 eq telnet 30.20.10.1 0.0.0.0
rule 20 permit any
R2(config)#show ipv4-access-lists name test brief
No. ACL RuleSum
------------------------------------------------------
1 test 2

R2(config)#show ipv4-access-lists
/*This shows all the ACLs configured on the device.
Full information is shown.*/
ipv4-access-list test
(contain 2 rules)
rule 10 deny tcp 10.20.30.20 0.0.0.0 eq telnet 30.20.10.1 0.0.0.0
rule 20 permit any

The following shows the interface to which the ACL is bound.

R2(config)#show ipv4-access-groups
Interface name        Direction   ACl name
---------------------------------------------------------
gei-0/1/0/1           Ingress     test


2.6 ACL Fault Treatment


2.6.1 Network Environment
Take the topology shown in Figure 2-2 as an example to describe how to perform ACL fault
treatment.

Figure 2-2 ACL Fault Treatment Topology

2.6.2 Malfunction Analysis


The following ACL configuration faults are likely to appear:

• Users fail to create an ACL list with the specified name.
• Users fail to bind an ACL to an interface.
• ACL filtering is improper: traffic that should be permitted is denied, while traffic that
should be denied is still forwarded by the device.
To locate and solve the faults, perform the following inspections.
• The ACL name supports 31 characters at most and cannot contain ", ? or space.
• The ACL name is case sensitive.
• It is not recommended to perform binding before creating the ACL, even though ZXR10
8900&8900E supports this.
• Binding an empty ACL list to an interface means that all packets are permitted.
• A deny any rule is added to the end of the list automatically when a non-empty ACL list
is bound to an interface, which means that packets that match none of the rules are
denied.
• If an ACL rule is bound to a time-range, it takes effect only while the time-range is
active.


2.6.3 Treatment Scheme


Assume that the packets with the source address 1.1.1.1/32 should be permitted.
However, these packets cannot be forwarded. The ACL fault treatment flow is shown in
Figure 2-3.

Figure 2-3 ACL Fault Treatment Flow Diagram

2.6.4 Treatment Steps


To locate and solve ACL faults, perform the following steps.

1. To view whether the packets to be filtered are covered by an ACL rule, use the show
ipv4-access-lists name <acl-name> command.
ZXR10(config)#show ipv4-access-lists name 1
ipv4-access-list 1
1/1 (showed/total)
10 permit 1.1.1.1 0.0.0.0 time-range test
2. In the output of the show ipv4-access-lists name <acl-name> command, compare the
action properties of all the rules and check whether the rules are in the correct order. In
Step 1, the action of rule 10 is "permit".
3. If a rule is bound to a time-range, check the time-range status with the show time-range
<name> command. The following is an example:
ZXR10(config)#show time-range test

Current time is 20:15:37 04-22-2010 Thursday

time-range test <inactive>
absolute start 23:59:45 12-30-20

If the time-range test is "inactive", the rule bound to this time-range in Step 1 is
currently invalid.
4. To check that the binding relationship (name and direction) is correct, use the show
ipv4-access-groups command.
ZXR10(config)#show ipv4-access-groups
Interface name        Direction   ACl name
--------------------------------------------------------
gei-0/1/0/2           Ingress     1

This indicates that an ACL called 1 is bound to the ingress of the interface gei-0/1/0/2.
5. To check whether the interface configurations are incompatible, use the show running
command.
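The matching behaviour this chapter states in 2.5, 2.6.2 and 2.6.4 (first match in rule-id order, inverse wildcard masks, permit-all for an empty bound list, implicit deny any after a non-empty list, rules tied to an inactive time-range ignored) as a runnable model. This is an added example, not ZTE code; the rule-id base and increment of 10 are an assumption read off the resequence output in 2.4.1, and the ports and the 2.2.2.2 destination used in the checks are constructed.

```python
"""Model of the IPv4-ACL matching semantics this chapter describes (added example,
not ZTE code): rules are tried in rule-id order and the first match wins; a
wildcard bit of 1 means "do not care" (0.0.0.0 = exact host); an empty ACL bound
to an interface permits everything; a non-empty ACL ends in an implicit "deny
any"; a rule tied to an inactive time-range does not take effect."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortOp = Optional[Tuple]  # ("eq", 23), ("ge", 1024), ("le", 1023) or ("range", 20, 21)
_PORT_OPS = {"eq": lambda p, a: p == a, "ge": lambda p, a: p >= a,
             "le": lambda p, a: p <= a, "range": lambda p, a, b: a <= p <= b}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"  # "tcp", "udp", "icmp", ...
    sport: int = 0
    dport: int = 0


def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """Inverse-mask compare: only bits that are 0 in the wildcard must be equal."""
    if base == "any":
        return True
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def port_match(port: int, op: PortOp) -> bool:
    """eq / ge / le / range from the rule syntax; None means no port condition."""
    return True if op is None else _PORT_OPS[op[0]](port, *op[1:])


@dataclass
class Rule:
    rule_id: Optional[int]
    action: str               # "permit" or "deny"
    proto: str = "ip"         # "ip" matches any protocol, as the guide states
    src: str = "any"
    src_wild: str = "255.255.255.255"
    dst: str = "any"
    dst_wild: str = "255.255.255.255"
    sport_op: PortOp = None
    dport_op: PortOp = None
    time_range: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and wildcard_match(p.src, self.src, self.src_wild)
                and wildcard_match(p.dst, self.dst, self.dst_wild)
                and port_match(p.sport, self.sport_op)
                and port_match(p.dport, self.dport_op))


class Ipv4Acl:
    """One ipv4-access-list; base/increment 10/10 is assumed from the 2.4.1 resequence output."""

    def __init__(self, name: str, base: int = 10, increment: int = 10):
        self.name, self.base, self.increment = name, base, increment
        self.rules: List[Rule] = []

    def add_rule(self, rule: Rule) -> None:
        if rule.rule_id is None:  # no id given: append after the current last rule
            rule.rule_id = self.rules[-1].rule_id + self.increment if self.rules else self.base
        self.rules = sorted(self.rules + [rule], key=lambda r: r.rule_id)

    def resequence(self) -> None:
        """resequence-access-list: renumber base, base+increment, ... keeping the order."""
        for i, r in enumerate(self.rules):
            r.rule_id = self.base + i * self.increment

    def evaluate(self, p: Packet, active_time_ranges=frozenset()) -> str:
        if not self.rules:
            return "permit"   # empty bound list: all packets permitted (2.6.2)
        for r in self.rules:  # kept in rule-id order by add_rule
            if r.time_range and r.time_range not in active_time_ranges:
                continue      # inactive time-range: the rule has no effect
            if r.matches(p):
                return r.action
        return "deny"         # implicit "deny any" closes a non-empty list


def acl_test_from_2_5() -> Ipv4Acl:
    """ACL "test" of 2.5: drop Telnet (TCP port 23) from PC2 to R1, permit the rest."""
    acl = Ipv4Acl("test")
    acl.add_rule(Rule(10, "deny", "tcp", "10.20.30.20", "0.0.0.0", "30.20.10.1", "0.0.0.0",
                      dport_op=("eq", 23)))
    acl.add_rule(Rule(20, "permit"))
    return acl


def acl_1_from_2_6() -> Ipv4Acl:
    """ACL "1" of 2.6.4: one permit for host 1.1.1.1 tied to time-range "test"."""
    acl = Ipv4Acl("1")
    acl.add_rule(Rule(10, "permit", src="1.1.1.1", src_wild="0.0.0.0", time_range="test"))
    return acl
```

Evaluating ACL "1" with the time-range inactive returns "deny" although its only rule is a permit, which is exactly the symptom 2.6.3 describes.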



Chapter 3
TACACS+ Configuration
Table of Contents
TACACS+ Overview  3-1
TACACS+ Principle  3-1
Configuring TACACS+  3-3
Maintaining TACACS+  3-5
TACACS+ Configuration Example  3-6
TACACS+ Fault Treatment  3-8

3.1 TACACS+ Overview


Terminal Access Controller Access-Control System Plus (TACACS+) provides access
control service for routers, network access servers and other network processing devices
through one or more central servers. Compared with RADIUS, TACACS+ supports independent
authentication, authorization and accounting functions.
TACACS+ is the latest version of TACACS. TACACS is a UDP-based access control
protocol developed by BBN. Cisco extended and enhanced the TACACS protocol several
times, developing it into the XTACACS protocol.
TACACS+ treats authentication, authorization and accounting as independent parts and
encrypts the data transmitted between the NAS and the security server. TACACS+ permits
packets without a fixed length, and it also permits any form of authentication mechanism
to be applied in the TACACS+ client. TACACS+ can be extended for site customization and
added functions. Packet transmission is ensured by using TCP at the transport layer. TCP
permits the TACACS+ client to request accurate access control, and it also permits the
TACACS+ server to respond to every part of a request.
Authentication, authorization and accounting each have their own functional features and
will play an increasingly important role. The advantage is that authorization is a dynamic
process, so users do not need to perform a separate authorization step after authenticating.
TACACS+ can be combined with PPP, ARAP and so on for more flexible use.
TACACS+ accounting provides security auditing and service accounting functions.

3.2 TACACS+ Principle


As shown in Figure 3-1, there are a remote client, a Network Access Server (NAS) and a
TACACS+ server.
• Remote client: the remote user who wants to access local resources.
• NAS: it provides network service for the remote client.


• TACACS+ server: it has a database that maintains security data (such as user identity
information, authorization information and access records).

Figure 3-1 TACACS+ Networking Structure

The remote client can be either a PC or a router. It accesses the NAS through a
Modulator-Demodulator (MODEM) or Integrated Services Digital Network (ISDN) by
using Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), Apple Remote
Access Protocol (ARAP) and so on. The TACACS+ client runs on the NAS; it interacts
with the security server by using the TACACS+ protocol to finish the following functions:

1. Identity authentication
It provides full identity authentication service by means of user name, password,
challenge response and so on.

2. Authorization
It provides authorization service during the user session. For example, it permits the user
to use only some level of shell command, or it permits the user to use File Transfer Protocol
(FTP) only.
3. Accounting
Information about the user's access to the network is collected at the TACACS+ server,
such as the time the user logs in and ends the session, the executed commands, and
flow statistics (IP packet and byte counts, and so on). This information can be applied to
accounting and security auditing.
TACACS+ provides independent AAA support. Authentication, authorization and accounting
are implemented by independent servers. The data transmitted by TACACS+ is encrypted
between the NAS and the security server.
The authentication, authorization and accounting process between the TACACS+ client and
server is shown in Figure 3-2.


Figure 3-2 TACACS+ Packets Interaction

3.3 Configuring TACACS+


To configure TACACS+, perform the following steps on ZXR10 8900&8900E.

Step Command Function

1  ZXR10(config)#tacacs enable
   This enables the TACACS+ function. The TACACS+ function has to be enabled before
   other TACACS+ functions are configured; otherwise, the TACACS+ functions cannot take
   effect.

   ZXR10(config)#tacacs disable
   This disables the TACACS+ function.


2  ZXR10(config)#tacacs-server timeout <timeout-value>
   This configures the global TACACS+ timeout value in global configuration mode, that is,
   the timeout value of the connection between the TACACS+ client and server. The unit is
   second, the range is 1-1000, and the default value is 5 seconds.

   ZXR10(config)#no tacacs-server timeout
   This deletes the configured timeout value.

3  ZXR10(config)#tacacs-server key <key-string>
   This configures the global TACACS+ encryption key in global configuration mode. The
   key is used for all servers without a specified key. The length is 1-127 characters (the
   key cannot contain spaces).

   ZXR10(config)#no tacacs-server key
   This deletes the shared key.

4  ZXR10(config)#tacacs-server packet <length>
   This configures the maximum length of a TACACS+ packet. The range is 1024-4096, the
   unit is byte, and the default value is 1024 bytes.

   ZXR10(config)#no tacacs-server packet
   This deletes the setting of the maximum TACACS+ packet length.

5  ZXR10(config)#tacacs-client <ip-address>[port <port-number>]
   This configures the IP address of the TACACS+ client in global configuration mode. The
   IP address is used by ZXR10 8900&8900E to communicate with the TACACS+ server.

6  ZXR10(config)#tacacs-server host [vrf <vrf-name>]<ip-address>[port <port-number>][timeout <timeout-value>][key <key_string>]
   This configures one or more servers in global configuration mode.

   ZXR10(config)#tacplus group-server <group-name>
   This configures a server group in global configuration mode.

   ZXR10(config-sg)#server [vrf <vrf-name>]<ip-address>[port <port-number>]
   This adds a server to the server group.

Descriptions of the parameters in Step 5:

Parameter Description

<ip-address>  IP address of the TACACS+ client. It is the IP address of the interface on
              the NAS that communicates with the server.


port <port-number>  L4 port of the TACACS+ client. The range is 1025-65535.

Step 6 describes how to create a server group, enter TACACS+ server group configuration
mode and add the configured servers to the server group. At most four servers can be added
to a server group. Use the no form of the command to delete the server group configuration.
Descriptions of the parameters in Step 6:

Parameter Description

vrf <vrf-name>  VPN name

<ip-address>  IP address of the TACACS+ server

port <port-number>  Port number of the TACACS+ server. The default port is 49.

timeout <timeout-value>  Connection timeout value, 1-1000, in seconds.

key <key_string>  The encryption key used by the NAS and the TACACS+ server. The length
                  is 1-127 characters (the key cannot contain spaces).

<group-name>  The name of the TACACS+ server group, 1-31 characters. TACACS+ supports
              at most 256 server groups, and at most 4 servers are configured in a
              server group.

3.4 Maintaining TACACS+


To maintain TACACS+, use the following command on ZXR10 8900&8900E.

Command Function

ZXR10#show running-config tacacs+ all
  This shows all the configurations of the TACACS+ module.

Example
This example shows what is displayed after show running-config tacacs+ all is used.
It shows all the configurations of the TACACS+ module.
ZXR10(config)#show running-config tacacs+ all
! <TACPLUS>
tacacs enable
tacacs-server timeout 10
tacacs-server packet 1025
tacacs-server host 192.168.88.10 timeout 30 key zxr10
tacplus group-server tacacs_test
server 192.168.88.10
!
! </TACPLUS>


Descriptions of the command output:

Command Output Description

tacacs enable  The TACACS+ protocol is enabled.

tacacs-server timeout 10  The global timeout of the TACACS+ server is 10 seconds.

tacacs-server packet 1025  The maximum size of a TACACS+ packet is 1025 bytes.

tacacs-server host 192.168.88.10 timeout 30 key zxr10  The timeout of the TACACS+ server
    whose IP address is 192.168.88.10 is 30 seconds, and the key is zxr10.

tacplus group-server tacacs_test / server 192.168.88.10  The name of the TACACS+ server
    group is tacacs_test, and the server whose IP address is 192.168.88.10 is added to the
    server group.

3.5 TACACS+ Configuration Example


Configuration Description
As shown in Figure 3-3, TACACS+ authentication is enabled on ZXR10. A PC whose IP
address is 192.168.7.209 wants to access ZXR10, and 192.168.1.2 is the IP address of the
TACACS+ authentication server. TACACS+ authentication is required when 192.168.7.209
wants to log in to ZXR10. If the authentication passes, the PC can log in to ZXR10.
Otherwise, a prompt appears to indicate that the login fails.

Figure 3-3 TACACS+ Configuration Example Topology

Configuration Thought
1. Enable the TACACS+ function.
2. Configure a TACACS+ server called TACACS-Server.
3. Configure the parameters of the TACACS+ server (optional).
4. Create a tacplus group-server for TACACS+, and add the previously configured
TACACS-Server to the tacplus group-server.
5. Configure the IP address of the TACACS+ client. The IP address is used for the
communication between the ZXR10 router/switch and the TACACS+ server (optional).
6. Configure the AAA authentication template. In this template, the authentication mode
is TACACS, and the authentication group is the configured TACACS group.
7. Configure the AAA authorization template. In this template, the authorization mode is
mix-tacacs, and the authorization group is the configured TACACS group.


8. Configure the authentication template and authorization template of the user management module, and bind the AAA templates in these templates. Then create a user, and bind the user to the user management module templates.

Configuration Process
ZXR10 configuration:
ZXR10(config)#tacacs enable
ZXR10(config)#tacacs-client 192.168.1.1
ZXR10(config)#tacacs-server host 192.168.1.2 key zte
ZXR10(config)#tacplus group-server zte
ZXR10(config-sg)#server 192.168.1.2
ZXR10(config-sg)#exit
ZXR10(config)#aaa-authentication-template 2001
ZXR10(config-aaa-authen-template)#aaa-authentication-type tacacs
ZXR10(config-aaa-authen-template)#authentication-tacacs-group zte
ZXR10(config-aaa-authen-template)#exit
ZXR10(config)#aaa-authorization-template 2001
ZXR10(config-aaa-author-template)#aaa-authorization-type mix-tacacs
ZXR10(config-aaa-author-template)#authorization-tacacs-group zte
ZXR10(config-aaa-author-template)#exit
ZXR10(config)#system-user
ZXR10(config-system-user)#authentication-template 1
ZXR10(config-authen-temp)#bind-authentication-template 2001
ZXR10(config-authen-temp)#exit
ZXR10(config-system-user)#authorization-template 1
ZXR10(config-author-temp)#bind-authorization-template 2001
ZXR10(config-author-temp)#exit
ZXR10(config-system-user)#username who password who authentication-template 1 authorization-template 1

Configuration Check
ZXR10(config)#show running-config tacacs+
! <TACPLUS>
tacacs enable
tacacs-client 192.168.1.1
tacacs-server host 192.168.1.2 key zte
tacplus group-server zte
server 192.168.1.2
!
! </TACPLUS>


3.6 TACACS+ Fault Treatment

3.6.1 Network Environment
Take the topology shown in Figure 3-4 as an example to describe how to perform TACACS+ fault treatment.

Figure 3-4 TACACS+ Fault Treatment Topology

3.6.2 Malfunction Analysis

Analyze the fault cause according to the following points:
1. TACACS+ configuration has to be performed in strict order. For example, the TACACS+ server has to be configured and specified before it is added into a TACACS+ server group. It is suggested that the user configures TACACS+ according to the steps listed in Configuring TACACS+.
2. The user login authentication mode is not TACACS+ authentication, so the user adopts the default local authentication for login.
3. To prevent users from failing to log in to the clients because of TACACS+ server faults, the tacacs-local authentication mode can be used, so that local authentication serves as the standby authentication mode.
4. The AAA authentication mode list of the TACACS+ service has to be configured before TACACS+ is configured as the user login authentication mode. Otherwise, the communication between devices is interrupted improperly during the configuration process, and the chassis cannot be logged in to. For such a fault, restart the chassis with the original configuration.
5. The TACACS+ character configuration (for example, the key string) on the device needs to be consistent with that of the server.
6. The server is marked as unavailable if an authentication request sent to the server is not answered. During this time, authentication messages are not sent to the server.

3.6.3 Treatment Scheme


TACACS+ fault treatment flow is shown in Figure 3-5.


Figure 3-5 TACACS+ Fault Treatment Flow Diagram

3.6.4 Treatment Steps

When a user fails to log in by using TACACS+ mode, perform the following inspections:
1. Inspect whether the TACACS+ service is enabled by using the tacacs enable command.
2. Configure the TACACS+ server globally (192.168.1.2). Make sure that the TACACS+ server and the client can ping each other.
3. Check whether the TACACS+ server (192.168.1.2) is added into the TACACS+ server group.
4. Perform the following steps to configure the AAA authentication mode:


- Designate the authentication and authorization mode as TACACS+.
- Define the authentication mode list. Make sure that the correct TACACS+ authentication group name is entered.
5. Inspect whether the user authentication mode is TACACS+ mode.



Chapter 4
AAA Configuration
Table of Contents
AAA Overview ............................................................................................................4-1
AAA Principle .............................................................................................................4-1
Configuring AAA.........................................................................................................4-2
Maintaining AAA.........................................................................................................4-6
AAA Configuration Example .......................................................................................4-7
AAA Fault Treatment ..................................................................................................4-9

4.1 AAA Overview


All network service providers (SPs) have to protect the legitimate use of network resources and the interests of users safely, effectively and reliably. Authentication, Authorization and Accounting (AAA) was developed to meet these requirements, and provides an effective platform for managing users.

4.2 AAA Principle


Authentication is the process that validates the identities of users when they request to use network resources.

Authorization is the process that authorizes users to use network resources by the specified method.

Accounting is the process by which the network system charges and audits users by collecting and recording their usage of network resources.

The AAA function is realized by a client and a server. The client is responsible for forming and sending data to the specified server and for receiving response messages from the server. The server is responsible for receiving connection requests from users, authenticating user identities, and sending user configuration information back. The client asks the various applications to do different processing. In practice, the client is a resident program running on a router, and the server is an AAA server program running on a remote PC.

Remote Authentication Dial In User Service (RADIUS) is one way of realizing AAA. Currently, AAA supports RADIUS authentication, authorization and accounting. AAA also supports TACACS+ authentication and authorization.

For example, a user wants to log in to a router by Telnet, and the user identity needs to be authenticated. The Telnet program sends the authentication information (user name, password and so on) to the AAA server. The AAA server checks the received authentication information against its database, and decides whether the authentication passes. After passing the authentication, the user can execute commands at the granted privilege level.

4.3 Configuring AAA

Configuring AAA mainly means configuring method lists, including the authentication, authorization, and accounting method lists. After the method lists are configured, the user can be authenticated, authorized, and accounted according to the configured methods.
To configure AAA on ZXR10 8900&8900E, use the following commands:

Step 1
Command: ZXR10(config)#aaa-authentication-template <number>
Function: This chooses an authentication template and enters authentication configuration mode. The range of the number is 1-2128.

Step 2
Command: ZXR10(config-aaa-authen-template)#aaa-authentication-type {none|local|radius|local-radius|radius-local|radius-none|local-tacacs|tacacs|tacacs-local|tacacs-none}
Function: This configures the authentication mode in the authentication template in authentication configuration mode.

Step 3
Command: ZXR10(config-aaa-authen-template)#authentication-radius-group <group-number>
Function: This configures a RADIUS authentication group in authentication configuration mode. The RADIUS group should have been configured. The range of the group number is 1-10.
Command: ZXR10(config-aaa-authen-template)#no authentication-radius-group
Function: This deletes a RADIUS authentication group in authentication configuration mode.

Step 4
Command: ZXR10(config-aaa-authen-template)#authentication-tacacs-group <tacacs-name>
Function: This configures a TACACS authentication group in authentication configuration mode. The TACACS group should have been configured.
Command: ZXR10(config-aaa-authen-template)#no authentication-tacacs-group
Function: This deletes a TACACS authentication group in authentication configuration mode.

Step 5
Command: ZXR10(config-aaa-authen-template)#descript <name>
Function: This configures description information in authentication configuration mode. The description is 1-31 characters.

Step 6
Command: ZXR10(config-aaa-authen-template)#no descript
Function: This deletes description information in authentication configuration mode.

Step 7
Command: ZXR10(config-aaa-authen-template)#authentication-vpdn-group <vpdn name>
Function: This configures a VPDN group in authentication configuration mode.

Step 8
Command: ZXR10(config-aaa-authen-template)#no authentication-vpdn-group
Function: This deletes a VPDN group in authentication configuration mode.


Step 9
Command: ZXR10(config)#aaa-authorization-template <number>
Function: This chooses an authorization template and enters authorization configuration mode. The range of the number is 1-2128.

Step 10
Command: ZXR10(config-aaa-author-template)#aaa-authorization-type {none|mix-radius|mix-tacacs|tacacs|radius}
Function: This configures the authorization mode in the authorization template in authorization configuration mode. The tacacs and radius authorization modes are authorizations in command authorization mode.
Command: ZXR10(config)#command-authorization <pri-level> [config-command] <number>
Function: This configures command authorization. It specifies the authorization for commands used in user mode and privileged mode (and global configuration mode) and matching the pri-level. The <number> is the AAA authorization template number.
Command: ZXR10(config)#no command-authorization <pri-level>
Function: This restores the default configuration, that is, no command authorization.

Step 11
Command: ZXR10(config-aaa-author-template)#authorization-tacacs-group <tacacs-name>
Function: This configures a TACACS authorization group in authorization configuration mode. The TACACS group should have been configured.

Step 12
Command: ZXR10(config-aaa-author-template)#no authorization-tacacs-group
Function: This deletes a TACACS authorization group in authorization configuration mode.

Step 13
Command: ZXR10(config-aaa-author-template)#descript <name>
Function: This configures description information in authorization configuration mode. The description is 1-31 characters.

Step 14
Command: ZXR10(config-aaa-author-template)#no descript
Function: This deletes description information in authorization configuration mode.

Step 15
Command: ZXR10(config)#aaa-accounting-template <number>
Function: This chooses an accounting template and enters accounting configuration mode. The range of the number is 1-2128.

Step 16
Command: ZXR10(config-aaa-acct-template)#aaa-accounting-type {none|radius|tacacs}
Function: This configures the accounting mode in an accounting template in accounting configuration mode.

Step 17
Command: ZXR10(config-aaa-acct-template)#accounting-radius-group first <group-number> second <group-number>
Function: This configures a RADIUS accounting group in accounting configuration mode.

Step 18
Command: ZXR10(config-aaa-acct-template)#no accounting-radius-group
Function: This deletes a RADIUS accounting group in accounting configuration mode.


Step 19
Command: ZXR10(config-aaa-acct-template)#descript <name>
Function: This configures description information in accounting configuration mode. The description is 1-31 characters.

Step 20
Command: ZXR10(config-aaa-acct-template)#no descript
Function: This deletes description information in accounting configuration mode.

Step 21
Command: ZXR10(config-aaa-acct-template)#accounting-tacacs-group <tacacs-name>
Function: This configures a TACACS accounting group in accounting configuration mode. The TACACS group should have been configured.

Descriptions of the parameter in Steps 1, 9 and 15:

<number>
    The number of the authentication template, authorization template or accounting template

Descriptions of the parameters in Step 2:

none
    No authentication
local
    Local authentication
radius
    RADIUS remote authentication
local-radius
    Use local authentication first. If the user does not exist, use RADIUS authentication. If local authentication is refused, RADIUS authentication is not used.
radius-local
    Use RADIUS authentication first. If the RADIUS configuration is wrong or timed out, use local authentication. If RADIUS authentication is refused, local authentication is not used.
radius-none
    Use RADIUS authentication first. If the RADIUS configuration is wrong or timed out, use none authentication.
local-tacacs
    Use local authentication first. If the user does not exist, use TACACS authentication. If local authentication is refused, TACACS authentication is not used.
tacacs
    TACACS remote authentication
tacacs-local
    Use TACACS authentication first. If the TACACS configuration is wrong or timed out, use local authentication. If TACACS authentication is refused, local authentication is not used.
tacacs-none
    Use TACACS authentication first. If the TACACS configuration is wrong or timed out, none authentication is used.
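The fallback rules in the Step 2 table decide whether an outage of the remote server quietly lowers the bar for login, so it pays to be precise about when the second method is consulted. The following Python model is an added example, not ZXR10 code: it encodes the rules stated above (a later method is tried only when the earlier one gives no verdict, never when it refuses), and the local user database, user names, passwords and simulated servers are constructed for the example.

```python
"""Model of the aaa-authentication-type fallback rules (added example, not ZXR10 code)."""
from enum import Enum
from typing import Callable, Dict

class Verdict(Enum):
    ACCEPT = "accept"
    REJECT = "reject"          # the method actively refused the user
    NO_VERDICT = "no-verdict"  # local: user does not exist; remote: wrong config or timeout

# A method is a callable (username, password) -> Verdict.
Method = Callable[[str, str], Verdict]

def authenticate(mode: str, methods: Dict[str, Method], username: str, password: str) -> Verdict:
    """Apply an aaa-authentication-type mode such as 'radius-local' or 'local-tacacs'.

    Methods are tried left to right. A later method is consulted only when the
    earlier one returned NO_VERDICT; an explicit REJECT ends the chain, matching
    "if ... authentication is refused, ... authentication is not used".
    """
    for name in mode.split("-"):
        if name == "none":
            return Verdict.ACCEPT            # 'none' means no authentication at all
        verdict = methods[name](username, password)
        if verdict is not Verdict.NO_VERDICT:
            return verdict
    return Verdict.REJECT                    # no method could decide: deny

# Constructed local user database for the example.
LOCAL_USERS = {"admin": "Adm1n-pass"}

def local_auth(user: str, pwd: str) -> Verdict:
    """Local authentication: an unknown user yields no verdict, a bad password refuses."""
    if user not in LOCAL_USERS:
        return Verdict.NO_VERDICT
    return Verdict.ACCEPT if LOCAL_USERS[user] == pwd else Verdict.REJECT

def make_remote(reachable: bool, users: Dict[str, str]) -> Method:
    """Simulated RADIUS/TACACS+ server; unreachable models 'configuration wrong or timed out'."""
    def remote(user: str, pwd: str) -> Verdict:
        if not reachable:
            return Verdict.NO_VERDICT
        return Verdict.ACCEPT if users.get(user) == pwd else Verdict.REJECT
    return remote

def demo(server_reachable: bool) -> Dict[str, Verdict]:
    """Run the documented modes against constructed users with the server up or down."""
    remote_users = {"alice": "s3cret"}     # constructed account known only to the server
    methods = {"local": local_auth,
               "radius": make_remote(server_reachable, remote_users),
               "tacacs": make_remote(server_reachable, remote_users)}
    return {
        "radius-local alice/ok":  authenticate("radius-local", methods, "alice", "s3cret"),
        "radius-local alice/bad": authenticate("radius-local", methods, "alice", "wrong"),
        "radius-local admin":     authenticate("radius-local", methods, "admin", "Adm1n-pass"),
        "local-radius alice/ok":  authenticate("local-radius", methods, "alice", "s3cret"),
        "tacacs alice/ok":        authenticate("tacacs", methods, "alice", "s3cret"),
        "radius-none alice/bad":  authenticate("radius-none", methods, "alice", "wrong"),
    }

if __name__ == "__main__":
    for state, results in (("server up", demo(True)), ("server down", demo(False))):
        for case, verdict in results.items():
            print(f"{state:11} {case:24} -> {verdict.value}")
```

Running it shows the two cases worth remembering: with radius-local the local admin account works only while the server is unreachable, and with radius-none an unreachable server turns a wrong password into a successful login.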


Descriptions of the parameter in Steps 3 and 17:

<group-number>
    RADIUS group number

Descriptions of the parameter in Steps 4 and 11:

<tacacs-name>
    TACACS group name

Descriptions of the parameter in Steps 5, 13 and 19:

<name>
    Description of the template

Descriptions of the parameters in Step 10:

none
    No authorization
mix-radius
    RADIUS hybrid authorization
mix-tacacs
    TACACS hybrid authorization
tacacs
    TACACS authorization; the user authorization mode when command authorization is configured
radius
    RADIUS authorization, no command authorization, the same as mix-radius
pri-level
    User priority level
config-command
    Authorization for commands used in global configuration mode
number
    AAA authorization template number

Descriptions of the parameters in Step 16:

none
    No accounting
radius
    RADIUS accounting

Example
Assume that the TACACS+ server group tacNtTac and RADIUS server group 4 have been configured.
Configure authentication template 2001. Use TACACS authentication. The group is named tacNtTac.
ZXR10(config)#aaa-authentication-template 2001


ZXR10(config-aaa-authen-template)#aaa-authentication-type tacacs
ZXR10(config-aaa-authen-template)#authentication-tacacs-group tacNtTac
ZXR10(config-aaa-authen-template)#exit

Configure accounting template 2. Use RADIUS accounting. The group is RADIUS group 4.
ZXR10(config)#aaa-accounting-template 2
ZXR10(config-aaa-acct-template)#aaa-accounting-type radius
ZXR10(config-aaa-acct-template)#accounting-radius-group first 4
ZXR10(config-aaa-acct-template)#exit

Configure authorization template 2003. Use none authorization.
ZXR10(config)#aaa-authorization-template 2003
ZXR10(config-aaa-author-template)#aaa-authorization-type none
ZXR10(config-aaa-author-template)#exit

4.4 Maintaining AAA


To maintain AAA, use the following commands on ZXR10 8900&8900E.

Command: ZXR10#show running-config aaa
Function: This views the configuration related to AAA.

Command: ZXR10#show aaa-authentication-template
Function: This views the configuration related to the authentication template.

Command: ZXR10#show aaa-accounting-template
Function: This views the configuration related to the accounting template.

Command: ZXR10#show aaa-authorization-template
Function: This views the configuration related to the authorization template.

This example describes what is displayed after show running-config aaa is used.
ZXR10(config)#show running-config aaa
!
aaa-authentication-template 2001
aaa-authentication-type tacacs
authentication-tacacs-group tacNtTac
aaa-authorization-template 2003
aaa-authorization-type none
!
aaa-accounting-template 2
aaa-accounting-type radius
accounting-radius-group first 4
!

Descriptions of the command output:


aaa-authentication-type tacacs
authentication-tacacs-group tacNtTac
    The authentication mode is TACACS. The configured authentication group is tacNtTac. The TACACS+ client sends an authentication request to the server in the tacNtTac group.
aaa-authorization-type none
    The authorization mode is none. After user authentication succeeds, the corresponding rights on the TACACS+ server are authorized with precedence. If the authorization configuration on the TACACS+ server is wrong or times out, the default rights are authorized.
aaa-accounting-type radius
accounting-radius-group first 4
    The accounting mode is RADIUS. RADIUS group 4 is used for accounting with precedence.

The authentication, authorization and accounting method lists can also be displayed
respectively, as shown below.
ZXR10#show aaa-authentication-template 2001
authen-template:2001
authen-type:tacacs
authen-tacacs-group: tacNtTac

Descriptions of the command output:

authen-template:2001
    Authentication template number
authen-type:tacacs
    TACACS authentication
authen-tacacs-group: tacNtTac
    The authentication group is tacNtTac.

4.5 AAA Configuration Example


Configuration Description
AAA means authentication, authorization, and accounting. On the ZXR10, you can configure separate templates for authentication, authorization, and accounting. In an authentication template, the authentication method can be TACACS+, RADIUS, LOCAL, NONE, or a combination of them. In an authorization template, the authorization method can be mix-radius, mix-tacacs, none, tacacs, or radius. In an accounting template, the accounting method can be radius or none. The following figure shows an example of AAA configuration. In this example, the method in the authentication and authorization templates is TACACS+, and the method in the accounting template is RADIUS.
As shown in Figure 4-1, the AAA mode is TACACS+ mode.


Figure 4-1 AAA Configuration Example Topology

Configuration Thought
1. In the AAA mode list configuration, authentication, authorization and accounting are configured by three commands respectively. In an authentication template, the method can be TACACS+, RADIUS, LOCAL, NONE, or a combination of them. In a method combination such as radius-local, radius is the preferred method, and the local method is used only when radius does not respond. After configuring the methods in all the templates, configure the server groups corresponding to the methods (not necessary for the local and none methods).
2. Configure the authentication and authorization templates of the user management module. Then bind the AAA templates in the user management templates.

Configuration Process
ZXR10 configuration:
ZXR10(config)#aaa-authentication-template 2001
ZXR10(config-aaa-authen-template)#aaa-authentication-type tacacs-local
ZXR10(config-aaa-authen-template)#authentication-tacacs-group zte
ZXR10(config-aaa-authen-template)#exit
ZXR10(config)#aaa-authorization-template 2001
ZXR10(config-aaa-author-template)#aaa-authorization-type mix-tacacs
ZXR10(config-aaa-author-template)#authorization-tacacs-group zte
ZXR10(config-aaa-author-template)#exit
ZXR10(config)#aaa-accounting-template 1
ZXR10(config-aaa-acct-template)#aaa-accounting-type radius
ZXR10(config-aaa-acct-template)#accounting-radius-group first 1

Configuration Check
View AAA configuration:
ZXR10(config)#show running-config aaa
! <AAA>
aaa-authentication-template 2001
aaa-authentication-type tacacs-local
authentication-tacacs-group zte
!
aaa-authorization-template 2001
aaa-authorization-type mix-tacacs


authorization-tacacs-group zte
!
aaa-accounting-template 1
aaa-accounting-type radius
accounting-radius-group first 1
!
! </AAA>

4.6 AAA Fault Treatment

4.6.1 Network Environment
Take the topology shown in Figure 4-2 as an example to describe how to perform AAA fault treatment.

Figure 4-2 AAA Fault Treatment Topology

4.6.2 Malfunction Analysis

Fault phenomenon:
The configuration of authentication, authorization or accounting fails.

Notice:
1. The server group name to be used needs to be specified when the AAA mode is specified.
2. If the default mode is not configured when the authentication and authorization mode lists are configured, users have no standby mode when the preferred mode fails. Therefore, it is suggested that both the preferred and default modes are configured.
3. For a functional fault, inspect whether the available server is added into the specified AAA group.

4.6.3 Treatment Scheme


AAA fault treatment flow is shown in Figure 4-3.


Figure 4-3 AAA Fault Treatment Flow Diagram

4.6.4 Treatment Steps

To locate and solve AAA faults, perform the following steps.
1. Inspect whether the TACACS+ and RADIUS services are enabled. Enable the TACACS+ and RADIUS services if they are disabled.
2. Inspect whether the server group to be specified in the AAA mode list exists. The server group cannot be added into the AAA mode list if it has not been specified before.


Chapter 5
RADIUS Configuration
Table of Contents
RADIUS Overview......................................................................................................5-1
RADIUS Principle .......................................................................................................5-2
Configuring RADIUS ..................................................................................................5-3
Maintaining RADIUS ................................................................................................5-11
RADIUS Configuration Example ...............................................................................5-14
RADIUS Fault Treatment..........................................................................................5-17

5.1 RADIUS Overview

RADIUS is a protocol that carries authentication, accounting and configuration information between a network access device and an authentication server. The RADIUS protocol is the most widely applied protocol for authentication, authorization and accounting. It has the following features:
1. It uses a client/server structure.
The NAS acts as the RADIUS client. The client is responsible for transmitting user information to the specified RADIUS server, and for processing the responses coming from the RADIUS server.
The RADIUS server is responsible for receiving connection requests coming from users, authenticating the users, and sending the necessary configuration information to the client. A RADIUS server can also act as a proxy client for another RADIUS server or for other authentication servers.
2. It adopts a shared key to ensure the safety of network transmission.
The interaction between the client and the RADIUS server is authenticated by using the shared key. The shared key is not transmitted over the network. Additionally, to prevent user passwords from being intercepted on an unsafe network, the passwords transmitted between the client and the RADIUS server are encrypted.
3. Excellent expansibility
The RADIUS server supports multiple modes to authenticate users. RADIUS supports PPP Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), UNIX login and other authentication modes.
4. It provides a flexible authentication mechanism.
All interaction packets are formed by Attribute-Length-Value triples of different lengths. Adding a new attribute does not destroy the original function of the protocol.


The RADIUS protocol is carried over UDP. The official port 1812 is used for authentication and authorization, and port 1813 is used for accounting.
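What the overview calls encrypting the password and authenticating the interaction with the shared key is, on the wire, the RFC 2865 User-Password hiding and the Response Authenticator of a server reply. The Python below is an added example, not ZXR10 code: it implements both so a reader can see that the protection of the password and of Access-Accept/Reject replies rests entirely on the secrecy and strength of the shared key; the secret and the authenticator values are constructed.

```python
"""RFC 2865 User-Password hiding and Response Authenticator (added example, not ZXR10 code)."""
import hashlib
import hmac
import os
import struct

def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """Hide a User-Password as the NAS does before sending an Access-Request.

    The password is NUL-padded to a multiple of 16 octets; block i is XORed with
    MD5(secret + c(i-1)), where c(0) is the 16-octet Request Authenticator.
    """
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block                       # chaining uses the hidden (output) block
    return bytes(out)

def unhide_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Recover the password on the server side; padding NULs are stripped."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")

def response_authenticator(secret: bytes, code: int, identifier: int,
                           attrs: bytes, request_auth: bytes) -> bytes:
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret) of a server reply."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(secret: bytes, code: int, identifier: int,
                attrs: bytes, request_auth: bytes) -> bytes:
    """Assemble a reply packet (code 2 = Access-Accept, 3 = Access-Reject) as a server would."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + response_authenticator(secret, code, identifier, attrs, request_auth) + attrs

def reply_is_authentic(secret: bytes, packet: bytes, request_auth: bytes) -> bool:
    """Client-side check: a reply whose authenticator does not verify must be discarded."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(secret, code, identifier, packet[20:], request_auth)
    return hmac.compare_digest(expected, packet[4:20])

if __name__ == "__main__":
    secret = b"zxr10-example-secret"      # constructed shared key, not a real one
    req_auth = os.urandom(16)              # a fresh Request Authenticator per request
    hidden = hide_password(secret, req_auth, b"s3cret!")
    print("hidden User-Password:", hidden.hex())
    print("server recovers:", unhide_password(secret, req_auth, hidden))
    reply = build_reply(secret, 2, 7, b"", req_auth)
    print("reply accepted with right key:", reply_is_authentic(secret, reply, req_auth))
    print("reply accepted with wrong key:", reply_is_authentic(b"other", reply, req_auth))
```

Because the keystream is MD5 over the secret and a public authenticator, a weak or reused shared key exposes every password hidden with it, which is why the guide limits the key to the NAS and server and never sends it over the network.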

5.2 RADIUS Principle

As shown in Figure 5-1, the RADIUS network structure consists of the remote client, the NAS and the RADIUS server.
- Remote client: The remote users who want to access local resources.
- NAS: It provides network service for the remote client.
- RADIUS server: It has a database to maintain security data (such as user identifier information, authorization information and access records).

Figure 5-1 RADIUS Network Structure

The remote client can be either a PC or a switch. It accesses the NAS through a MODEM or ISDN by using PPP, SLIP, ARAP or another protocol. The RADIUS client runs on the NAS and interacts with the security server by using the RADIUS protocol to perform the following functions:

- Identity authentication
It provides a full identity authentication service by means of user name, password, challenge response and so on.
- Accounting
The information about users accessing the network is collected on the RADIUS server, such as the time when a user logs in and ends the session, the executed commands, traffic statistics (IP packet and byte counts), and so on. This information can be applied to accounting and security auditing.
- The remote client sends authentication and accounting requests to the NAS (RADIUS client). The RADIUS client forms and sends authentication and accounting packets to the RADIUS server according to the requirements of the users. Moreover, it receives the response packets from the RADIUS server, and authenticates and accounts the remote users.


5.3 Configuring RADIUS

5.3.1 Configuring RADIUS Authentication Group
To configure a RADIUS authentication group on ZXR10 8900&8900E, perform the following steps.

Step 1
Command: ZXR10(config)#radius authentication-group <group-number>
Function: This creates a RADIUS authentication group and enters RADIUS authentication group configuration mode. <group-number> ranges from 1 to 10.

Step 2
Command: ZXR10(config-authgrp-1)#algorithm {first | round-robin}
Function: This configures the server selection algorithm of the RADIUS group. There are two modes:
- first: It always selects the current effective server as the user authentication server.
- round-robin: It always selects the next effective server as the authentication server.
The default mode is "first".

Step 3
Command: ZXR10(config-authgrp-1)#alias <name-string>
Command: ZXR10(config-authgrp-1)#no alias
Function: This configures the alias of the RADIUS server. The alias is a unique ASCII character string and can be any string of characters and numbers. The alias cannot contain spaces, and its length cannot be more than 32 characters.

Step 4
Command: ZXR10(config-authgrp-1)#calling-station-format {class1 | class2 | class3 | user-defined {[slot]|[port]|[sub-slot]|[vlan]|[second-vlan]|[mac1]|[mac2]|[mac3]|[mac4]|[mac5]|[mac6]|text <string>}}
Function: This configures the format of the calling-station-id field. The value ranges from 1 to 7, and the default value is 3.

Step 5
Command: ZXR10(config-authgrp-1)#deadtime <time>
Command: ZXR10(config-authgrp-1)#no deadtime
Function: This configures the deadtime of the authentication server. When the RADIUS client sends an authentication packet to the authentication server and does not receive a response, the authentication packet is retransmitted several times, and then the ZXR10 8900&8900E considers this authentication server invalid for a period of time. This period is configured with the deadtime <time> command. The ZXR10 8900&8900E attempts to reuse the authentication server after the period has passed. The unit is minute, the range is 0-3600, and the default value is 5 minutes. It is suggested that deadtime be set to 0 if only one authentication server is configured in the authentication group, and that the default value be used if several authentication servers are configured in the authentication group.

Step 6
Command: ZXR10(config-authgrp-1)#ip vrf <vrf-name>
Command: ZXR10(config-authgrp-1)#no ip vrf
Function: This associates a RADIUS authentication server group with a VRF, whose name is a string of 1 to 32 characters. By default, a RADIUS authentication server group is associated with the global routing table. After a RADIUS authentication server group is associated with a VRF, it can use the resources defined by the VRF. If a RADIUS authentication server group is not associated with any VRF, it belongs to the global routing domain. The no form of the command deletes the existing association.

Step 7
Command: ZXR10(config-authgrp-1)#max-retries <times>
Command: ZXR10(config-authgrp-1)#no max-retries
Function: This sets the number of times authentication packets are retransmitted after the RADIUS authentication server times out. The range is 1 to 255, and the default value is 3.

Step 8
Command: ZXR10(config-authgrp-1)#nas-ip-address <ip-address>
Command: ZXR10(config-authgrp-1)#no nas-ip-address
Function: This configures the NAS-IP for the RADIUS server. The NAS-IP corresponds to the NAS-IP field and the source IP address of the protocol packet.

Step 9
Command: ZXR10(config-authgrp-1)#nas-ipv6-address <XX::XX>
Command: ZXR10(config-authgrp-1)#no nas-ipv6-address
Function: This configures the NAS-IPv6 for the RADIUS server. The NAS-IPv6 corresponds to the NAS-IPv6 field and the source IPv6 address of the protocol packet.

Step 10
Command: ZXR10(config-authgrp-1)#server <server-number> <ip-address> [master] key <keystring> [port <port-number>]
Command: ZXR10(config-authgrp-1)#no server <server-num>
Function: This sets the RADIUS server parameters, including the server ID, the server IP address, the key shared by the server and the NAS, the server port number and so on.

Step 11
Command: ZXR10(config-authgrp-1)#server6 <server-number> <XX::XX> [master] key <keystring> [port <port-number>]
Command: ZXR10(config-authgrp-1)#no server6 <server-num>
Function: This sets the RADIUS IPv6 server parameters, including the server ID, the server IPv6 address, the key shared by the server and the NAS, the server port number and so on.


Step 12
Command: ZXR10(config-authgrp-1)#timeout <time>
Command: ZXR10(config-authgrp-1)#no timeout
Function: This sets the timeout value of the RADIUS server. The unit is second, the range is 1 to 255, and the default value is 3 seconds.

Step 13
Command: ZXR10(config-authgrp-1)#user-name-format {include-domain | strip-domain}
Function: This configures the format of the user name field sent to the RADIUS server. After strip-domain is selected, the user name field sent to the RADIUS server by the BRAS does not contain the domain name. For example, the real user name is xxx@local. After include-domain is selected, the user name sent to the authentication server is xxx@local. After strip-domain is selected, the user name sent to the authentication server is xxx.

Step 14
Command: ZXR10(config-authgrp-1)#vendor {enable | disable}
Function: This configures whether to send vendor-defined attributes in RADIUS protocol packets.
- enable: Send vendor-defined attributes
- disable: Do not send vendor-defined attributes
enable is the default setting.

Descriptions of the parameters in Step 10:

Parameter Description

<server-num>   Server ID, the range is 1-4.
<ip-address>   Server IP address
master         It is an optional parameter. It indicates that this server is the master server. One authentication group has one master server only.
<keystring>    The key shared by server and NAS. The maximum length is 31 characters.
<port-num>     It is an optional parameter. Server port number, the range is 1025-65535, and the default value is 1812.

Descriptions of the parameters in Step 11:

Parameter Description

<server-num>   Server ID. The range is 1-4.
<XX::XX>       Server IPv6 address
master         It is an optional parameter. It indicates that this server is the master server. One authentication group has one master server only.
<keystring>    The key shared by server and NAS. The maximum length is 31 characters.
<port-num>     It is an optional parameter. Server port number. The range is 1025-65535, and the default value is 1812.

Descriptions of the parameters in Step 13:

Parameter Description

include-domain   Indicates that the user name contains a domain name.
strip-domain     Indicates that the user name does not contain a domain name.
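The commands above set the shared key, the nas-ip-address, the user-name-format and the server port that the switch, acting as the NAS, uses when it talks to the RADIUS server. The following Python is an added example, not ZTE code, showing how those settings end up in an RFC 2865 Access-Request and how the reply is checked with the shared key; the user name who@local, the key zte and the addresses are constructed values.

```python
"""Access-Request construction and reply verification as a NAS does it
(RFC 2865), using the settings this chapter configures: the shared key,
nas-ip-address, user-name-format and the authentication port.  Added,
constructed example, not ZTE code; user name, key and addresses are made up."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
# Attribute types from RFC 2865 section 5
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
AUTH_PORT = 1812  # default port of an authentication server group


def format_user_name(real_name, user_name_format):
    """Apply user-name-format: strip-domain drops the '@domain' suffix so that
    xxx@local is sent as xxx; include-domain sends the name unchanged."""
    if user_name_format == "strip-domain":
        return real_name.split("@", 1)[0]
    if user_name_format == "include-domain":
        return real_name
    raise ValueError("user-name-format must be include-domain or strip-domain")


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad the password to a multiple of 16 octets and
    XOR each block with MD5(secret + previous ciphertext block), where the
    first 'previous block' is the 16-octet Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is at most 128 octets")
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the server applies it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value encoding; Length covers the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, real_name, password, secret, nas_ip,
                         user_name_format="strip-domain", authenticator=None):
    """Assemble Code | Identifier | Length | Request Authenticator | attributes.
    nas_ip is the configured nas-ip-address, carried as NAS-IP-Address (4)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, format_user_name(real_name, user_name_format).encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet):
    """Return (code, identifier, authenticator, {type: value}); raise on a
    malformed length, which a NAS should discard rather than act on."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request_authenticator, secret):
    """NAS side: recompute the Response Authenticator with the shared key and
    compare in constant time; a mismatch means a forged or mis-keyed reply."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)
```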

5.3.2 Configuring RADIUS Accounting Group

To configure a RADIUS accounting group, perform the following steps on the ZXR10
8900&8900E.

Step Command Function

Step 1
  Command: ZXR10(config)#radius accounting-group <group-number>
  Function: This creates a RADIUS accounting group and enters RADIUS accounting group configuration mode. <group-number> ranges from 1 to 10.

Step 2
  Command: ZXR10(config-acctgrp-1)#algorithm {first | round-robin}
  Function: This configures the algorithm for selecting a RADIUS server. There are two modes:
    - first: It always selects the current effective server as the accounting server for a new user.
    - round-robin: It always selects the next effective server as the accounting server.
    The default mode is first.

Step 3
  Command: ZXR10(config-acctgrp-1)#alias <name-string>
           ZXR10(config-acctgrp-1)#no alias
  Function: This configures the alias of the RADIUS server. The alias is a unique ASCII character string made up of any characters and digits. The alias cannot contain spaces, and its length cannot be more than 32 characters.

Step 4
  Command: ZXR10(config-acctgrp-1)#calling-station-format {class1 | class2 | class3 | user-defined {[slot]|[port]|[sub-slot]|[vlan]|[second-vlan]|[mac1]|[mac2]|[mac3]|[mac4]|[mac5]|[mac6]|text <string>}}
  Function: This configures the format of the calling-station-id field. The value is 1-7, and the default value is 3.


Step 5
  Command: ZXR10(config-acctgrp-1)#deadtime <time>
           ZXR10(config-acctgrp-1)#no deadtime
  Function: This configures the deadtime of the accounting server. When the RADIUS client sends an accounting packet to the accounting server and receives no response, the accounting packet is retransmitted several times, after which the ZXR10 8900&8900E considers this accounting server invalid for a period of time. This period is configured with the deadtime <time> command. The ZXR10 8900&8900E tries to reuse the accounting server after the period has passed. The unit is minute, the range is 0-3600, and the default value is 5 minutes. It is suggested to set the deadtime value to 0 if only one accounting server is configured in the accounting group. It is suggested to use the default value if several accounting servers are configured in the accounting group.

Step 6
  Command: ZXR10(config-acctgrp-1)#ip vrf <vrf-name>
  Function: This associates a RADIUS accounting server group with a VRF. The length of the VRF name ranges from 1 to 32 characters. By default, a RADIUS accounting server group is associated with the global routing table. A RADIUS accounting server group can be associated with a VRF; after the association, the RADIUS accounting server group uses the resources defined by the VRF. A RADIUS accounting server group that is not associated with a VRF belongs to the global routing domain. Use no ip vrf to delete the association.

Step 7
  Command: ZXR10(config-acctgrp-1)#interim-packet-quota <quota>
           ZXR10(config-acctgrp-1)#no interim-packet-quota
  Function: This configures the quota of accounting update packets in the accounting sending queue. The quota is a percentage value. The larger the quota, the larger the percentage of accounting update packets and the smaller the percentage of accounting start and stop packets. The default quota value is 100.


Step 8
  Command: ZXR10(config-acctgrp-1)#local-buffer {enable | disable}
  Function: This configures whether the accounting server group performs local buffering.
    - enable: Perform accounting local buffering
    - disable: Do not perform local buffering

Step 9
  Command: ZXR10(config-acctgrp-1)#max-retries <times>
           ZXR10(config-acctgrp-1)#no max-retries
  Function: This sets the number of times accounting packets are retransmitted after the RADIUS accounting server times out. The range is 1 to 255, and the default value is 3.

Step 10
  Command: ZXR10(config-acctgrp-1)#nas-ip-address <ip-address>
           ZXR10(config-acctgrp-1)#no nas-ip-address
  Function: This configures the NAS-IP for the RADIUS server. The NAS-IP corresponds to the NAS-IP field and the source IP address of the protocol packets.

Step 11
  Command: ZXR10(config-acctgrp-1)#nas-ipv6-address <XX::XX>
           ZXR10(config-acctgrp-1)#no nas-ipv6-address
  Function: This configures the NAS-IPv6 for the RADIUS server. The NAS-IPv6 corresponds to the NAS-IPv6 field and the source IPv6 address of the protocol packets.

Step 12
  Command: ZXR10(config-acctgrp-1)#server <server-number><ip-address>[master] key <keystring>[port <port-number>]
           ZXR10(config-acctgrp-1)#no server <server-num>
  Function: This sets RADIUS server parameters, including the server ID, the server IP address, the key shared by the server and the NAS, the server port number and so on.

Step 13
  Command: ZXR10(config-acctgrp-1)#server6 <server-number><XX::XX>[master] key <keystring>[port <port-number>]
           ZXR10(config-acctgrp-1)#no server6 <server-num>
  Function: This sets RADIUS IPv6 server parameters, including the server ID, the server IPv6 address, the key shared by the server and the NAS, the server port number and so on.

Step 14
  Command: ZXR10(config-acctgrp-1)#timeout <time>
           ZXR10(config-acctgrp-1)#no timeout
  Function: This sets the timeout value of the RADIUS server. The ZXR10 8900&8900E sends accounting information to the RADIUS server. If there is no response after the configured time, the accounting information is sent again. The unit is second, the range is 1-255, and the default value is 3 seconds.


Step 15
  Command: ZXR10(config-acctgrp-1)#user-name-format {include-domain | strip-domain}
  Function: This configures the format of the user name field to be sent to the RADIUS server. After strip-domain is selected, the user name field sent to the RADIUS server by the BRAS does not contain the domain name. For example, if the real user name is xxx@local: after include-domain is selected, the user name sent to the accounting server is xxx@local; after strip-domain is selected, the user name sent to the accounting server is xxx.

Step 16
  Command: ZXR10(config-acctgrp-1)#vendor {enable | disable}
  Function: This configures whether to send manufacturer-defined attributes with RADIUS protocol packets.
    - enable: Send manufacturer-defined attributes
    - disable: Do not send manufacturer-defined attributes
    enable is the default setting.

Descriptions of the parameters in Step 12:

Parameter Description

<server-num>   Server ID, the range is 1-4.
<ip-address>   Server IP address
master         It is an optional parameter. It indicates that this server is the master server. One accounting group has one master server only.
<keystring>    The key shared by server and NAS. The maximum length is 31 characters.
<port-num>     It is an optional parameter. Server port number, the range is 1025-65535. The default value for an accounting server group is 1813.

Descriptions of the parameters in Step 13:

Parameter Description

<server-num>   Server ID, the range is 1-4.
<XX::XX>       Server IPv6 address
master         It is an optional parameter. It indicates that this server is the master server. One accounting group has one master server only.
<keystring>    The key shared by server and NAS. The maximum length is 31 characters.
<port-num>     It is an optional parameter. Server port number, the range is 1025-65535. The default value for an accounting server group is 1813.

Descriptions of the parameters in Step 15:

Parameter Description

include-domain   User name contains the domain name
strip-domain     User name does not contain the domain name
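As an added illustration, not ZTE code, of how the algorithm, timeout, max-retries and deadtime settings in the tables above interact once a server stops answering, the following Python models a server group. The master-first ordering and the count of one transmission plus max-retries retransmissions are assumptions, and the transport function stands in for the real UDP exchange.

```python
"""Model of how a RADIUS server group chooses a server and reacts to a
server that stops answering, driven by the algorithm, timeout, max-retries
and deadtime settings.  Constructed example, not ZTE code; the retry and
master-preference semantics are assumptions noted in the comments."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Server:
    number: int              # server ID, 1-4
    address: str
    master: bool = False
    dead_until: float = 0.0  # seconds on the group's clock; 0 = usable now

    def is_available(self, now: float) -> bool:
        return now >= self.dead_until


@dataclass
class SendResult:
    server: Optional[Server]   # the server that answered, None if none did
    response: Optional[bytes]
    attempts: int              # packets transmitted in total
    elapsed: float             # seconds spent waiting on timeouts


# transport(server, packet) returns the reply, or None when nothing arrives
# before the timeout expires (a stand-in for the UDP socket).
Transport = Callable[[Server, bytes], Optional[bytes]]


class ServerGroup:
    def __init__(self, servers: List[Server], algorithm: str = "first",
                 timeout: float = 3.0, max_retries: int = 3, deadtime: float = 5.0):
        # Documented ranges: timeout 1-255 s, max-retries 1-255, deadtime 0-3600 min
        if algorithm not in ("first", "round-robin"):
            raise ValueError("algorithm must be first or round-robin")
        if not (1 <= timeout <= 255 and 1 <= max_retries <= 255 and 0 <= deadtime <= 3600):
            raise ValueError("parameter out of range")
        if sum(s.master for s in servers) > 1:
            raise ValueError("a group has at most one master server")
        # Assumption: the master server is consulted before the others.
        self.servers = sorted(servers, key=lambda s: (not s.master, s.number))
        self.algorithm, self.timeout = algorithm, timeout
        self.max_retries, self.deadtime = max_retries, deadtime
        self._rr_index = 0

    def select(self, now: float) -> Optional[Server]:
        """first: the first available server in order; round-robin: the next
        available server after the one used last time."""
        n = len(self.servers)
        start = self._rr_index if self.algorithm == "round-robin" else 0
        for k in range(n):
            server = self.servers[(start + k) % n]
            if server.is_available(now):
                if self.algorithm == "round-robin":
                    self._rr_index = (start + k + 1) % n
                return server
        return None

    def send(self, packet: bytes, now: float, transport: Transport) -> SendResult:
        """One request: transmit, retransmit max_retries times on timeout, then
        mark the server dead for deadtime minutes (unless deadtime is 0) and
        move on to the next available server.  Gives up once every server has
        been tried or none is available."""
        attempts, elapsed, tried = 0, 0.0, set()
        while True:
            server = self.select(now + elapsed)
            if server is None or server.number in tried:
                return SendResult(None, None, attempts, elapsed)
            tried.add(server.number)
            # Assumption: one initial transmission plus max-retries retransmissions
            for _ in range(1 + self.max_retries):
                attempts += 1
                response = transport(server, packet)
                if response is not None:
                    return SendResult(server, response, attempts, elapsed)
                elapsed += self.timeout
            if self.deadtime > 0:
                # deadtime 0 (suggested for a single-server group) never sidelines
                # the only server, so it is tried again on the next request
                server.dead_until = now + elapsed + self.deadtime * 60
```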

5.3.3 Configuring RADIUS Debugging Commands

ZXR10 8900&8900E provides the following RADIUS debugging commands.

Step Command Function

Step 1
  Command: ZXR10#debug radius all
  Function: This shows all RADIUS debugging information.

Step 2
  Command: ZXR10#debug radius authentication data
  Function: This shows RADIUS authentication group data information.

Step 3
  Command: ZXR10#debug radius authentication error
  Function: This shows RADIUS authentication group error information.

Step 4
  Command: ZXR10#debug radius authentication event
  Function: This shows RADIUS authentication group event information.

Step 5
  Command: ZXR10#debug radius authentication packet {<number>| all}
  Function: This shows RADIUS authentication group packet information.

Step 6
  Command: ZXR10#debug radius accounting data
  Function: This shows RADIUS accounting group data information.

Step 7
  Command: ZXR10#debug radius accounting error
  Function: This shows RADIUS accounting group error information.

Step 8
  Command: ZXR10#debug radius accounting event
  Function: This shows RADIUS accounting group event information.

Step 9
  Command: ZXR10#debug radius accounting packet {<number>| all}
  Function: This shows RADIUS accounting group packet information.

Step 10
  Command: ZXR10#debug radius exception
  Function: This shows RADIUS exception information.

Step 11
  Command: ZXR10#debug radius user <username><domainname>
  Function: This shows RADIUS information of a specified user.


5.3.4 Configuring RADIUS Ping Commands

ZXR10 8900&8900E provides the following RADIUS ping commands.

Step Command Function

Step 1
  Command: ZXR10#radius-ping authentication-group <group_number><username><password>[domain <domain_name>]{PAP | CHAP}
  Function: This checks whether the RADIUS authentication group is reachable.

Step 2
  Command: ZXR10#radius-ping accounting-group <group_number><username>[domain <domain_name>]
  Function: This checks whether the RADIUS accounting group is reachable.

5.3.5 Sending RADIUS Accounting-Off Packets Manually

ZXR10 8900&8900E provides the following command to send RADIUS accounting-off
packets manually.

Command Function

  Command: ZXR10#radius accounting-off {all | group <group_number>}
  Function: This sends RADIUS accounting-off packets manually.

5.4 Maintaining RADIUS

To maintain RADIUS on ZXR10 8900&8900E, use the following commands.

Command Function

  Command: ZXR10#show configuration radius all
  Function: This shows all RADIUS configuration.

  Command: ZXR10#show configuration radius server-port-check
  Function: This shows the configuration of RADIUS server-port-check.

  Command: ZXR10#show configuration radius attribute
  Function: This shows the configuration of RADIUS attributes.

  Command: ZXR10#show debug radius
  Function: This shows the RADIUS debugging functions that are enabled.

  Command: ZXR10#show radius-server all
  Function: This shows information of all RADIUS servers.

  Command: ZXR10#show radius-server authentication-group <group_number>
  Function: This shows information of a specified RADIUS authentication server group.

  Command: ZXR10#show radius-server accounting-group <group_number>
  Function: This shows information of a specified RADIUS accounting server group.

This example shows what will be displayed after the show configuration radius all command
is used.
ZXR10#show configuration radius all


!
radius authentication-group 1
server 1 100.1.1.10 master key zte port 1812
algorithm first
timeout 3
max-retries 3
deadtime 0
calling-station-format 1
nas-port-id-format 1
nas-ip-address 100.1.1.1
user-name-format strip-domain
vendor enable
!
!
radius accounting-group 1
server 1 100.1.1.10 master key zte port 1813
algorithm first
timeout 3
max-retries 1
deadtime 0
calling-station-format 1
nas-port-id-format 1
nas-ip-address 100.1.1.1
user-name-format strip-domain
vendor enable
local-buffer enable
life-time 2
interim-packet-quota 100
!
ZXR10#

This example shows what will be displayed after the show configuration radius server-port-check command is used.
ZXR10#show configuration radius server-port-check
Check ports of all radius servers on
ZXR10#

This example shows what will be displayed after the show configuration radius attribute
command is used.
ZXR10#show configuration radius attribute
Radius vendor-id : 4096
ZXR10#

This example shows what will be displayed after the show debug radius command is used.
ZXR10#show debug radius
Radius:


Radius exception is on
Radius event authentication is on
Radius packet authentication group all is on
Radius data authentication is on
Radius data accounting is on
Radius error authentication is on
Radius user user123@zte is on
ZXR10#

This example shows what will be displayed after the show radius-server all command is
used.
ZXR10#show radius-server all
radius authentication-group 1 svr_num 1
authentication server 1-1 100.1.1.10 master key:zte port:1812
state:active current server
radius accounting-group 1 svr_num 1
accounting server 1-1 100.1.1.10 master key:zte port:1813 state:active
current server
ZXR10#

This example shows what will be displayed after the show radius-server authentication-group command is used.
ZXR10#show radius-server authentication-group 1
radius authentication-group 1 svr_num 1
authentication server 1-1 100.1.1.10 master key:zte port:1812
state:active current server
ZXR10#

This example shows what will be displayed after the show radius-server accounting-group
command is used.
ZXR10#show radius-server accounting-group 1
radius accounting-group 1 svr_num 1
accounting server 1-1 100.1.1.10 master key:zte port:1813 state:active
current server
ZXR10#

Descriptions of the command output:

Command Output Description

algorithm                The algorithm to select a RADIUS server
alias                    The alias of a RADIUS server group
calling-station-format   The format of the calling-station-id field
nas-port-id-format       The format of the nas-port-id field
deadtime                 The deadtime of an authentication server
ip vrf                   Associating a RADIUS accounting server with a VRF
max-retries              The number of retry attempts when a RADIUS accounting server times out
nas-ip-address           RADIUS server nas-ip
nas-ipv6-address         RADIUS server nas-ipv6
server <servernum><ipaddress>[master] key <keystr>[port <portnum>]
                         Setting a RADIUS server and its parameters:
                         <servernum>: server number, in the range of 1-4
                         <ipaddress>: server IP address
                         master: optional, indicating that the server is the master server
                         <keystr>: the key between the server and BAS, with 32 characters at most
                         <portnum>: optional, server port number, in the range of 1025-65535. The default port number of an authentication server group is 1812.
server6 <servernum><X:X::X:X>[master] key <keystr>[port <portnum>]
                         Setting a RADIUS server (IPv6 address) and its parameters:
                         <servernum>: server number, in the range of 1-4
                         <X:X::X:X>: IPv6 address of a server
                         master: optional, indicating that the server is the master server
                         <keystr>: the key between the server and BAS, with 32 characters at most
                         <portnum>: optional, server port number, in the range of 1025-65535. The default port number of an authentication server group is 1812.
timeout                  Timeout value of a RADIUS server
user-name-format         The user name format sent to a RADIUS server
vendor                   Whether to include vendor-defined attributes in the RADIUS protocol packets sent
interim-packet-quota (accounting group)   The percentage of accounting update packets in the accounting packet queue
local-buffer (accounting group)           Local buffer of an accounting server group

5.5 RADIUS Configuration Example

Configuration Description
As shown in Figure 5-2, users log in to the router or switch from a PC. The switch (RADIUS
client), on which the RADIUS authentication service is enabled, exchanges authentication
messages with the RADIUS server. A user who passes the authentication can log in to the
router or switch. Otherwise, a prompt shows that the authentication has failed and the login
request is rejected.


Figure 5-2 RADIUS Authentication Common Network Topology

Configuration Thought
1. Create a RADIUS authentication group, and enter RADIUS authentication group
configuration mode.
2. Configure the servers in the RADIUS authentication group.
3. Configure the RADIUS server parameters.
4. Configure an AAA authentication template. In the template, set the authentication
mode to radius and the authentication group to the RADIUS group that has been configured.
5. Configure an AAA authorization template. In the template, set the authorization mode
to mix-radius.
6. Configure an authentication template and an authorization template in the user
management module. Bind the user management module templates to the AAA
templates. Create a user, and then bind the user to the user management module
templates.

Configuration Process
Configuration of network device,
ZXR10(config)#radius authentication-group 1
ZXR10(config-authgrp-1)#ip vrf vrf1
ZXR10(config-authgrp-1)#server 1 192.168.70.5 master key zte port 1812
ZXR10(config-authgrp-1)#algorithm first
ZXR10(config-authgrp-1)#timeout 5
ZXR10(config-authgrp-1)#max-retries 10
ZXR10(config-authgrp-1)#deadtime 5
ZXR10(config-authgrp-1)#calling-station-format class1
ZXR10(config-authgrp-1)#nas-ip-address 192.168.70.1
ZXR10(config-authgrp-1)#user-name-format strip-domain
ZXR10(config-authgrp-1)#vendor disable
ZXR10(config-authgrp-1)#exit
ZXR10(config)#aaa-authentication-template 2001


ZXR10(config-aaa-authen-template)#aaa-authentication-type radius
ZXR10(config-aaa-authen-template)#authentication-radius-group 1
ZXR10(config-aaa-authen-template)#exit
ZXR10(config)#aaa-authorization-template 2001
ZXR10(config-aaa-author-template)#aaa-authorization-type mix-radius
ZXR10(config-aaa-author-template)#exit
ZXR10(config)#system-user
ZXR10(config-system-user)#authentication-template 1
ZXR10(config-authen-temp)#bind-authentication-template 2001
ZXR10(config-authen-temp)#exit
ZXR10(config-system-user)#authorization-template 1
ZXR10(config-author-temp)#bind-authorization-template 2001
ZXR10(config-author-temp)#exit
ZXR10(config-system-user)#username who password who authentication-template 1
authorization-template 1

Configuration of accounting,
ZXR10(config)#radius accounting-group 1
ZXR10(config-acctgrp-1)#alias acc_grp1
ZXR10(config-acctgrp-1)#ip vrf vrf1
ZXR10(config-acctgrp-1)#server 1 192.168.70.5 master key zte port 1813
ZXR10(config-acctgrp-1)#algorithm first
ZXR10(config-acctgrp-1)#timeout 5
ZXR10(config-acctgrp-1)#max-retries 10
ZXR10(config-acctgrp-1)#deadtime 3
ZXR10(config-acctgrp-1)#calling-station-format class2
ZXR10(config-acctgrp-1)#nas-ip-address 192.168.70.2
ZXR10(config-acctgrp-1)#user-name-format include-domain
ZXR10(config-acctgrp-1)#vendor enable
ZXR10(config-acctgrp-1)#local-buffer enable
ZXR10(config-acctgrp-1)#exit
ZXR10(config)#aaa-accounting-template 2001
ZXR10(config-aaa-acct-template)#aaa-accounting-type radius
ZXR10(config-aaa-acct-template)#accounting-radius-group first 1
ZXR10(config-aaa-acct-template)#exit
ZXR10(config)#account-switch on bind-account-template 2001

Configuration Check
Use the show command to validate configuration result,
ZXR10(config)#show configuration radius all
!
radius authentication-group 1
server 1 192.168.70.5 master key zte port 1812


algorithm first
timeout 5
max-retries 10
deadtime 5
calling-station-format 1
nas-ip-address 192.168.70.1
user-name-format strip-domain
vendor disable
!
!
radius accounting-group 1
alias acc_grp1
ip vrf vrf1
server 1 192.168.70.5 master key zte port 1813
algorithm first
timeout 5
max-retries 10
deadtime 3
calling-station-format 2
nas-ip-address 192.168.70.2
user-name-format include-domain
vendor enable
local-buffer enable
life-time 2
interim-packet-quota 100
!

5.6 RADIUS Fault Treatment


5.6.1 Network Environment
Take the case of the topology shown in Figure 5-3 to describe how to perform RADIUS
fault treatment.


Figure 5-3 RADIUS Authentication Fault Treatment Topology

5.6.2 Malfunction Analysis


To locate and solve a RADIUS fault, perform the following steps.
1. Inspect whether the RADIUS server is enabled.
2. Inspect whether the configurations of the RADIUS group and server are correct.
3. Inspect whether the RADIUS server is marked as available.
4. Inspect whether the server parameters configured on the device are consistent with
those of the server.
5. Inspect whether the authentication mode or accounting mode is configured as
RADIUS.

5.6.3 Treatment Scheme


Figure 5-4 shows the RADIUS fault treatment flow.


Figure 5-4 RADIUS Fault Treatment Flow Diagram

5.6.4 Treatment Steps


To locate and solve a RADIUS fault, perform the following steps.


1. Make sure that the user name and password are correct.
2. Use the show running-config adm-mgr command to check whether the user is bound to
the correct adm_mgr template and whether the AAA template bound in the adm_mgr
template is the configured AAA template.
3. Use the show running-config aaa command to check whether the authentication
method and authorization method in the AAA templates bound in the user
management module are radius, and whether the authentication group in the
authentication template is the configured RADIUS group.
4. Check the RADIUS group configuration to see whether the IP address, key and port
used by the specified server are correct.
5. Check whether the RADIUS client marks the RADIUS server as available (deadtime)
by using the show radius-server all command.
ZXR10(config)#show radius-server all
radius authentication-group 1 svr_num 1
authentication server 1-1 192.168.107.15 master key:zxr10 port:1812
state: active current server
6. Check whether the RADIUS server and client can ping each other, especially when ip
vrf mng and a VRF are configured.
7. Check whether the RADIUS server works properly and the RADIUS software is started
on the specified server.

Chapter 6
URPF Configuration
Table of Contents
URPF Overview .........................................................................................................6-1
URPF Principle...........................................................................................................6-1
URPF Configuration ...................................................................................................6-2
Maintaining URPF ......................................................................................................6-2
URPF Configuration Example.....................................................................................6-4
URPF Fault Treatment ...............................................................................................6-5

6.1 URPF Overview


Unicast Reverse Path Forwarding (URPF) can prevent network attacks that are based on
source address spoofing.

6.2 URPF Principle


By checking the source IP address contained in each packet, URPF decides whether the
traffic is valid and whether to forward or drop the packet, according to the interface on which
the packet is received and whether a route to the source address exists in the routing
table.
URPF is divided into three kinds:
- sRPF: strict URPF
- lRPF: loose URPF
- lnRPF: loose URPF ignoring the default route

6.2.1 Strict URPF


If strict URPF is configured on an interface, the system searches the routing table for the
source address of each packet entering this interface. If a route to the source address exists
in the routing table (a normal source address route or the default route), and the egress
interface of that route is the same as the interface on which the packet arrived, the packet
is considered valid; otherwise the packet is dropped.
If strict URPF is configured where routes are asymmetrical, URPF will drop packets that
are not attacks by mistake. In such situations, it is necessary to use loose URPF.

6.2.2 Loose URPF


In loose URPF mode, the router only inspects whether the source IP address of a packet
exists in the routing table (as a normal source address route or the default route). It does
not inspect whether the ingress interface on which the packet is received matches the
routing table entry. In this way, URPF can still effectively protect the network from attacks
while avoiding the interception of legitimate user packets.

6.2.3 Loose URPF Ignoring Default Route


If a default route is configured on the device, a next hop for the source address will always
be found when URPF checks the source address against the routing table. For such
situations, users can configure whether URPF should take the default route into account
(that is, whether default routes are ignored during the check).
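The following Python is an added example, not ZTE code, that implements the three checks of this section over a constructed routing table, using the rx/any keywords of the configuration command and ignore-default-route for lnRPF; the interface names and prefixes are made up.

```python
"""URPF decision logic for strict, loose and loose-ignoring-default-route
modes, run over a small constructed routing table.  Added example, not ZTE
code; interface names and prefixes are made up, and the mode names follow
the rx/any keywords of the configuration command."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]   # (destination prefix, egress interface)


def make_table(entries: List[Tuple[str, str]]) -> List[Route]:
    """Build a routing table from (prefix, egress) strings; 0.0.0.0/0 is the default route."""
    return [(ipaddress.ip_network(prefix), egress) for prefix, egress in entries]


def lookup(table: List[Route], src: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match for the packet's source address."""
    best = None
    for net, egress in table:
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best


def urpf_check(table, src_ip, ingress, mode, ignore_default_route=False):
    """True if the packet passes the check on its ingress interface.
    mode 'rx' = strict: a route to the source must exist and its egress must
    be the ingress interface.  mode 'any' = loose: a route need only exist.
    ignore_default_route (lnRPF) makes a match on the default route count as
    'no route'; it is only meaningful in loose mode."""
    if mode not in ("rx", "any"):
        raise ValueError("mode must be rx (strict) or any (loose)")
    if ignore_default_route and mode != "any":
        raise ValueError("ignore-default-route is only available in loose mode")
    route = lookup(table, ipaddress.ip_address(src_ip))
    if route is None:
        return False                      # no route to the source: spoofed or unroutable
    net, egress = route
    if ignore_default_route and net.prefixlen == 0:
        return False                      # only the default route matched
    if mode == "rx":
        return egress == ingress          # asymmetric routes fail here (see 6.2.1)
    return True


def filter_packets(table, packets, mode, ignore_default_route=False):
    """Apply the check to (src_ip, ingress) pairs; returns the dropped sources."""
    return [src for src, ingress in packets
            if not urpf_check(table, src, ingress, mode, ignore_default_route)]
```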

6.3 URPF Configuration


To configure URPF, perform the following steps.

Step Command Function

Step 1
  Command: ZXR10(config)#ip verify unicast source reachable-via {rx|any} interface <interface-name>[ignore-default-route]
  Function: This enables the IPv4 URPF function on an interface.
  Command: ZXR10(config)#no ip verify unicast source reachable-via interface <interface-name>
  Function: This disables the IPv4 URPF function on an interface.

Step 2
  Command: ZXR10(config)#interface <interface-name>
  Function: This enters interface configuration mode.
  Command: ZXR10(config-if)#ip verify unicast source reachable-via {rx|any}[ignore-default-route]
  Function: This enables the IPv4 URPF function on an interface in interface configuration mode.
  Command: ZXR10(config-if)#no ip verify unicast source reachable-via {rx|any}[acl-name <acl-name>][ignore-default-route]
  Function: This disables the IPv4 URPF function on an interface in interface configuration mode.

Descriptions of the parameters in Step 1 and 2:

Parameter Description

rx                           Strict mode
any                          Loose mode
interface <interface-name>   The interface to be configured with URPF
ignore-default-route         lnRPF. It is only available for loose mode.

6.4 Maintaining URPF


To maintain URPF on ZXR10 8900&8900E, use the following commands.


  Command: ZXR10#show running-config urpf
  Function: This shows all the URPF configurations.

  Command: ZXR10#show running-config-interface urpf [<interface-name>]
  Function: This shows the URPF configuration of a specified interface.

- This example describes what will be displayed after show running-config urpf is used.
ZXR10(config)#show running-config urpf
! <URPF>
interface gei-0/1/0/1
ipv4 verify unicast source reachable-via rx
!
interface gei-0/1/0/2
ipv4 verify unicast source reachable-via any
ignore-default-route
!
interface gei-0/1/0/1
ipv6 verify unicast source reachable-via rx
!
interface gei-0/1/0/2
ipv6 verify unicast source reachable-via any
ignore-default-route
!
! </URPF>
- This example describes what will be displayed after show running-config-interface urpf [<interface-name>] is used.
ZXR10(config)#show running-config-interface urpf gei-0/1/0/1
! <URPF>
interface gei-0/1/0/1
ipv4 verify unicast source reachable-via rx
!
interface gei-0/1/0/1
ipv6 verify unicast source reachable-via rx
!
! </URPF>

Descriptions of the command output:

Command Output Description

rx Strict mode

any Loose mode

ignore-default-route Ignore default route


6.5 URPF Configuration Example


Configuration Description
As shown in Figure 6-1, strict URPF is configured on interface gei-0/1/0/1 of R1, which
prevents users coming from 168.22.0.0/24 from attacking the network connected to R1, and
permits the data flow from 22.1.1.0/24 to pass the URPF inspection.

Figure 6-1 URPF Configuration Example Topology

Configuration Thought
1. Configure the interface IP address.
2. Create an ACL and add the ACL matching rules; for example, permit the traffic
coming from 22.1.1.2/24 to pass.
3. Bind strict URPF together with the ACL to the interface.

Configuration Process
R1 configuration,
R1(config)#switchvlan-configuration
R1(config-swvlan)#interface gei-0/1/0/1
R1(config-swvlan-intf)#switchport access vlan 50
R1(config)#interface vlan50
R1(config-if)#ip address 168.22.0.1 255.255.255.0
R1(config-if)#exit
R1(config)#ipv4-access-list acl
R1(config-ipv4-acl)#rule 1 permit 22.1.1.2 0.0.0.255
R1(config-ipv4-acl)#exit
R1(config)#ipv4-access-group inter gei-0/1/0/1 ingress acl
R1(config)#ipv4 verify unicast source reachable-via rx interface gei-0/1/0/1

Configuration Check
Validate configuration result,
R1(config)#show running-config urpf
!
ipv4 verify unicast source reachable-via rx interface gei-0/1/0/1


R1(config)#show running-config-interface gei-0/1/0/1
!
<INTERFACE>
interface gei-0/1/0/1
no shutdown
!
!
</INTERFACE>
!
<PORT_ACL>
interface gei-0/1/0/1
ipv4-access-group ingress acl
!
!
</PORT_ACL>
!
<VLAN>
switchvlan
interface gei-0/1/0/1
switchport access vlan 50
!
</VLAN>!
<URPF>
interface gei-0/1/0/1
ip verify unicast source reachable-via rx
!
!
</URPF>
R1(config)#show ipv4-access-lists name acl
ipv4-access-list acl

1/1 (showed/total)
1 permit 22.1.1.2 0.0.0.255

6.6 URPF Fault Treatment


6.6.1 Network Environment
Take the case of the topology shown in Figure 6-2 to describe how to perform URPF fault
treatment.


Figure 6-2 URPF Fault Treatment Topology

6.6.2 Malfunction Analysis


In strict URPF mode, to pass the URPF inspection, a route pointing to the source IP
address of the data packet is required, and the egress interface of that route has to be the
same as the ingress interface on which the data packet arrives. Only then are the data
packets permitted to pass.
Fault phenomenon: Strict URPF is already configured on the interface to filter and discard
packets coming from some source IP address, but the packets can still pass through the
interface.
Fault reasons:
- Strict URPF is not configured on the uplink interface through which the data packets
are transmitted.
- The router finds a route entry for the source IP address of the data packets in the
routing table. That is to say, these packets are trusted and will not be discarded.
- There is a default route, and the egress interface of the default route is the same as
the ingress interface of the packets.

6.6.3 Treatment Scheme


Figure 6-3 shows the URPF fault treatment flow.


Figure 6-3 URPF Fault Treatment Flow

6.6.4 Treatment Steps


To locate and solve a URPF fault, perform the following steps.
1. Check whether strict URPF is bound to the uplink interface of the data flow. Use the show running-config-interface <interface-name> or show running-config urpf command to view the URPF interface binding.
2. Use the show ip forwarding route command to check whether a route to the source IP address of the data packets exists and whether the egress of that route is the same as the ingress on which the data packets arrive.
3. Use show ip forwarding route to check whether a default route exists and whether the egress port of the default route is the same as the ingress port on which the data packets arrive.
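As an added illustration that is not part of this guide or of the ZXR10 software, the following Python model applies the strict URPF rule from 6.6.2 to a constructed forwarding table laid out like the show ip forwarding route output used in this chapter, and labels each verdict with the treatment step from 6.6.4 that would locate it. The sample routes and the VLAN-to-port mapping are assumptions.

```python
import ipaddress

# Constructed forwarding table (Dest, Gw, Interface, Owner), modelled on the
# "show ip forwarding route" output in this chapter; a sample, not a live dump.
FIB = [
    ("0.0.0.0/0",    "168.22.0.2",  "vlan168", "STATIC"),
    ("22.22.0.0/24", "168.22.0.2",  "vlan168", "STATIC"),
    ("10.1.0.0/24",  "158.1.1.2",   "vlan158", "ISIS_LEVEL2"),
    ("70.2.2.0/24",  "178.12.45.2", "vlan178", "STATIC"),
    ("30.1.0.0/24",  "30.1.0.1",    "vlan30",  "DIRECT"),
]

# Assumed (hypothetical) mapping of each VLAN interface to the physical port it is
# reached through; in the guide's topology the uplink gei-0/1/0/1 carries the traffic.
VLAN_PORT = {
    "vlan168": "gei-0/1/0/1",
    "vlan158": "gei-0/1/0/2",
    "vlan178": "gei-0/1/0/3",
    "vlan30": "gei-0/1/0/4",
}


def lookup(fib, src_ip):
    """Longest-prefix match of src_ip in fib; returns the matching entry or None."""
    addr = ipaddress.ip_address(src_ip)
    best, best_len = None, -1
    for entry in fib:
        net = ipaddress.ip_network(entry[0])
        if addr in net and net.prefixlen > best_len:
            best, best_len = entry, net.prefixlen
    return best


def strict_urpf(fib, src_ip, ingress_port, urpf_bound=True):
    """Decide whether a packet from src_ip arriving on ingress_port passes strict URPF.

    Returns (permitted, reason). Reasons starting with 'step1', 'step2' or 'step3'
    match the fault reasons in 6.6.2 and the treatment steps in 6.6.4: URPF not
    bound, a specific route whose egress is the ingress port, and a default route
    whose egress is the ingress port.
    """
    if not urpf_bound:
        return True, "step1: strict URPF is not bound on " + ingress_port
    entry = lookup(fib, src_ip)
    if entry is None:
        return False, "dropped: no route to source " + src_ip
    dest, _gw, iface, _owner = entry
    if VLAN_PORT.get(iface) != ingress_port:
        return False, "dropped: route %s exits via %s, not %s" % (dest, iface, ingress_port)
    if dest == "0.0.0.0/0":
        return True, "step3: default route exits via " + ingress_port
    return True, "step2: route %s exits via %s" % (dest, ingress_port)


def without_route(fib, dest):
    """Return a copy of fib without the route to dest (models 'no ip route ...')."""
    return [entry for entry in fib if entry[0] != dest]


if __name__ == "__main__":
    # Walk the three treatment steps for the malicious source 22.22.0.2 on gei-0/1/0/1.
    fib = FIB
    print(strict_urpf(fib, "22.22.0.2", "gei-0/1/0/1", urpf_bound=False))  # step1
    print(strict_urpf(fib, "22.22.0.2", "gei-0/1/0/1"))                    # step2
    fib = without_route(fib, "22.22.0.0/24")
    print(strict_urpf(fib, "22.22.0.2", "gei-0/1/0/1"))                    # step3
    fib = without_route(fib, "0.0.0.0/0")
    print(strict_urpf(fib, "22.22.0.2", "gei-0/1/0/1"))                    # dropped
```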
The topology shown in Network Environment is used to list the fault treatment steps.
The user configuration requirement is to filter data flows with illegal source IP addresses coming from 168.22.0.0 on R1: strict URPF is bound on gei-0/1/0/1 so that network attacks do not affect the network behind R1. Here, the data flow coming from 22.22.0.2/24 is malicious, and the data packets coming from 22.22.0.2/24 are to be filtered.
Fault phenomenon: The data packets coming from 22.22.0.2/24 are configured to be filtered on R1, but R2 can still receive them.
Fault treatment steps are listed below.
1. Use show running-config-interface gei-0/1/0/1 or show running-config urpf to check whether strict URPF is bound to the uplink interface gei-0/1/0/1 on R1.
R1(config)#show running-config-interface gei-0/1/0/1
!
<INTERFACE>
interface gei-0/1/0/1
no shutdown
!
!
</INTERFACE>
!
<PORT_ACL>
interface gei-0/1/0/1
ipv4-access-group ingress acl
!
!
</PORT_ACL>
!
<VLAN>
switchvlan
interface gei-0/1/0/1
switchport access vlan 50
!
</VLAN>
R1(config)#show running-config-interface urpf gei-0/1/0/1
R1(config)#

Fault location: Strict URPF is not bound to gei-0/1/0/1. Configure strict URPF on the interface.

R1(config)#ipv4 verify unicast source reachable-via rx interface gei-0/1/0/1


R1(config)#show running-config-interface gei-0/1/0/1
!
<INTERFACE>
interface gei-0/1/0/1
no shutdown
!
!
</INTERFACE>
!

<PORT_ACL>
interface gei-0/1/0/1
ipv4-access-group ingress acl
!
!
</PORT_ACL>
!
<VLAN>
switchvlan
interface gei-0/1/0/1
switchport access vlan 50
!
</VLAN>
!
<URPF>
interface gei-0/1/0/1
ip verify unicast source reachable-via rx
!
!
</URPF>

Check whether the fault still exists after configuring gei-0/1/0/1. If it does, perform step 2.
2. Use show ip forwarding route to check whether a route to the data source exists and whether the egress port of that route is the same as the ingress port on which the data packets arrive.
R1(config)#show ip forwarding route
IPv4 Routing Table:
Dest Gw Interface Owner Pri Metric
10.1.0.0/24 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
10.1.1.0/24 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
10.1.49.0/24 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
10.64.1.4/30 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
10.64.1.24/30 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
22.22.0.0/24 168.22.0.2 vlan168 STATIC 1 0
30.1.0.0/24 30.1.0.1 vlan30 DIRECT 0 0
30.1.0.0/32 30.1.0.0 vlan30 MARTIAN 0 0
30.1.0.1/32 30.1.0.1 vlan30 ADDRESS 0 0
30.1.0.255/32 30.1.0.255 vlan30 BROADCAST 0 0
34.10.10.0/24 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
41.41.41.0/24 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
50.0.0.0/8 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
70.1.1.0/24 70.1.1.1 vlan70 DIRECT 0 0
70.1.1.0/32 70.1.1.0 vlan70 MARTIAN 0 0
70.1.1.1/32 70.1.1.1 vlan70 ADDRESS 0 0
70.1.1.255/32 70.1.1.255 vlan70 BROADCAST 0 0
70.2.2.0/24 178.12.45.2 vlan178 STATIC 1 0
100.1.1.0/24 100.1.1.1 vlan100 DIRECT 0 0
100.1.1.0/32 100.1.1.0 vlan100 MARTIAN 0 0
100.1.1.1/32 100.1.1.1 vlan100 ADDRESS 0 0
100.1.1.255/32 100.1.1.255 vlan100 BROADCAST 0 0
101.201.1.0/24 158.8.1.2 vlan158 OSPF 110 2
101.201.2.0/24 158.8.1.2 vlan158 OSPF 110 2
101.201.3.0/24 158.8.1.2 vlan158 OSPF 110 2

Fault location: A route pointing to 22.22.0.1/24 exists, and the egress interface of the route is the same as the ingress interface of the packets. Modify the next hop of the route or delete the route. Here, the route is deleted.

R1(config)#no ip route 22.22.0.0 255.255.255.0
R1(config)#show ip forwarding route
IPv4 Routing Table:
Dest Gw Interface Owner Pri Metric
10.1.0.0/24 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
10.1.1.0/24 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
10.1.49.0/24 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
10.64.1.4/30 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
10.64.1.24/30 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
30.1.0.0/24 30.1.0.1 vlan30 DIRECT 0 0
30.1.0.0/32 30.1.0.0 vlan30 MARTIAN 0 0
30.1.0.1/32 30.1.0.1 vlan30 ADDRESS 0 0
30.1.0.255/32 30.1.0.255 vlan30 BROADCAST 0 0
34.10.10.0/24 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
41.41.41.0/24 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
50.0.0.0/8 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
70.1.1.0/24 70.1.1.1 vlan70 DIRECT 0 0
70.1.1.0/32 70.1.1.0 vlan70 MARTIAN 0 0
70.1.1.1/32 70.1.1.1 vlan70 ADDRESS 0 0
70.1.1.255/32 70.1.1.255 vlan70 BROADCAST 0 0
70.2.2.0/24 178.12.45.2 vlan178 STATIC 1 0
100.1.1.0/24 100.1.1.1 vlan100 DIRECT 0 0
100.1.1.0/32 100.1.1.0 vlan100 MARTIAN 0 0
100.1.1.1/32 100.1.1.1 vlan100 ADDRESS 0 0
100.1.1.255/32 100.1.1.255 vlan100 BROADCAST 0 0
101.201.1.0/24 158.8.1.2 vlan158 OSPF 110 2
101.201.2.0/24 158.8.1.2 vlan158 OSPF 110 2
101.201.3.0/24 158.8.1.2 vlan158 OSPF 110

Check whether the fault still exists after the 22.22.0.0/24 route is deleted. If it does, perform step 3.

3. Use the show ip forwarding route command to check whether a default route exists and whether the egress port of the default route is the same as the ingress port on which the data packets arrive (both ports are gei-0/1/0/1).
R1(config)#show ip forwarding route
IPv4 Routing Table:
Dest Gw Interface Owner Pri Metric
0.0.0.0/0 168.22.0.2 vlan168 STATIC 1 0
10.1.0.0/24 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
10.1.1.0/24 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
10.1.2.0/24 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
10.1.3.0/24 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
10.1.4.0/24 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
30.1.0.0/24 30.1.0.1 vlan30 DIRECT 0 0
30.1.0.0/32 30.1.0.0 vlan30 MARTIAN 0 0
30.1.0.1/32 30.1.0.1 vlan30 ADDRESS 0 0
30.1.0.255/32 30.1.0.255 vlan30 BROADCAST 0 0
34.10.10.0/24 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
41.41.41.0/24 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
50.0.0.0/8 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
70.1.1.0/24 70.1.1.1 vlan70 DIRECT 0 0
70.1.1.0/32 70.1.1.0 vlan70 MARTIAN 0 0
70.1.1.1/32 70.1.1.1 vlan70 ADDRESS 0 0
70.1.1.255/32 70.1.1.255 vlan70 BROADCAST 0 0
70.2.2.0/24 178.12.45.2 vlan178 STATIC 1 0
100.1.1.0/24 100.1.1.1 vlan100 DIRECT 0 0
100.1.1.0/32 100.1.1.0 vlan100 MARTIAN 0 0
100.1.1.1/32 100.1.1.1 vlan100 ADDRESS 0 0
100.1.1.255/32 100.1.1.255 vlan100 BROADCAST 0 0
101.201.1.0/24 158.8.1.2 vlan158 OSPF 110 2
101.201.2.0/24 158.8.1.2 vlan158 OSPF 110 2
101.201.3.0/24 158.8.1.2 vlan158 OSPF 110 2

Fault location: A default route exists, and its egress port is the same as the ingress port of the packets; both ports are gei-0/1/0/1. Modify the next hop of the default route or delete the default route. Here, the default route is deleted.

R1(config)#no ip route 0.0.0.0 0.0.0.0
R1(config)#show ip forwarding route
IPv4 Routing Table:
Dest Gw Interface Owner Pri Metric
10.1.0.0/24 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
10.1.1.0/24 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
10.1.2.0/24 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
10.1.3.0/24 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
10.1.4.0/24 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
30.1.0.0/24 30.1.0.1 vlan30 DIRECT 0 0
30.1.0.0/32 30.1.0.0 vlan30 MARTIAN 0 0
30.1.0.1/32 30.1.0.1 vlan30 ADDRESS 0 0
30.1.0.255/32 30.1.0.255 vlan30 BROADCAST 0 0
34.10.10.0/24 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
41.41.41.0/24 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
50.0.0.0/8 158.1.1.2 vlan158 ISIS_LEVEL2 115 20
70.1.1.0/24 70.1.1.1 vlan70 DIRECT 0 0
70.1.1.0/32 70.1.1.0 vlan70 MARTIAN 0 0
70.1.1.1/32 70.1.1.1 vlan70 ADDRESS 0 0
70.1.1.255/32 70.1.1.255 vlan70 BROADCAST 0 0
70.2.2.0/24 178.12.45.2 vlan178 STATIC 1 0
100.1.1.0/24 100.1.1.1 vlan100 DIRECT 0 0
100.1.1.0/32 100.1.1.0 vlan100 MARTIAN 0 0
100.1.1.1/32 100.1.1.1 vlan100 ADDRESS 0 0
100.1.1.255/32 100.1.1.255 vlan100 BROADCAST 0 0
101.201.1.0/24 158.8.1.2 vlan158 OSPF 110 2
101.201.2.0/24 158.8.1.2 vlan158 OSPF 110 2
101.201.3.0/24 158.8.1.2 vlan158 OSPF 110 2

After the three steps above, the fault can usually be solved.


Chapter 7
User Management Module
Configuration
Table of Contents
User Management Module Overview..........................................................................7-1
User Management Module Principle ...........................................................................7-1
Configuring User Management Module ......................................................................7-1
Maintaining User Management Module ......................................................................7-7
User Management Module Configuration Example .....................................................7-8
User Management Module Fault Treatment..............................................................7-13

7.1 User Management Module Overview


The user management module is used to manage users: it implements user configuration and authentication. This function is used for SSH and Telnet login.

7.2 User Management Module Principle


The user management module configures and manages users. In cooperation with the AAA module, it provides local authentication and authorization, no authentication and authorization, RADIUS authentication and authorization, TACACS+ authentication and authorization, and RADIUS hybrid authorization and TACACS+ hybrid authorization.

7.3 Configuring User Management Module


To configure the user management module, perform the following steps.

Step Command Function

1 ZXR10(config)#system-user
  This enters user management module configuration mode.

  ZXR10(config)#account-switch {off | on bind-account-template <2001-2128>}
  This configures the overall command accounting switch.

  ZXR10(config)#enable-authentication-type {local | aaa enable-authen-template <1-128>}
  This configures the overall enable authentication type.

  ZXR10(config)#gl-authen-author-type authentication-template <1-128> authentication-method {chap|pap|ascii} authorization-template <1-128>
  This configures the overall authentication and authorization type.

2 ZXR10(config-system-user)#default-privilege-level <0-15>
  This configures the default privilege level.

  ZXR10(config-system-user)#authentication-template <1-128>
  This configures a user management module authentication template and enters template configuration mode.

  ZXR10(config-system-user)#authorization-template <1-128>
  This configures a user management module authorization template and enters template configuration mode.

  ZXR10(config-system-user)#username <name> password {<pwd>|encrypted <pwd>} authentication-template <1-128> authorization-template <1-128>
  This configures username authentication information.

  ZXR10(config-system-user)#user-duration <name> {<0>|<9-360>}
  This configures the user account duration.

  ZXR10(config-system-user)#once-password <username>
  This configures the first-login password modification function.

  ZXR10(config-system-user)#strong-password length <6-32> character {[number]|[capital]|[lowercase]|[special-character]}
  This configures the character combination style of a strong password.

  ZXR10(config-system-user)#user-authen-restriction fail-time <3-16> lock-minute <1-1440>
  This configures the maximum number of consecutive user login failures and the lock time.

3 ZXR10(config-system-user)#user-password recover-remind <name>
  This configures the information related to username and password recovery.

  ZXR10(config-authen-temp)#bind-authentication-template <2001-2128>
  This binds an AAA authentication template in user management module authentication template configuration mode.

  ZXR10(config-authen-temp)#bind-acl <acl_name>
  This binds an ACL template in user management module authentication template configuration mode.

  ZXR10(config-authen-temp)#description <description>
  This adds description information for the user management module authentication template in user management module authentication template configuration mode.

  ZXR10(config-author-temp)#bind-authorization-template <2001-2128>
  This binds an AAA authorization template in user management module authorization template configuration mode.

  ZXR10(config-author-temp)#local-privilege-level <0-15>
  This configures the local authorization level in user management module authorization template mode.

  ZXR10(config-author-temp)#description <description>
  This adds description information for the user management module authorization template in user management module authorization template configuration mode.

Descriptions of the parameters in the command account-switch {off | on bind-account-template <2001-2128>} of Step 1:

Parameter Description
off: This disables the overall command accounting switch.
on bind-account-template <2001-2128>: This enables the overall command accounting switch; the accounting template number ranges from 2001 to 2128.

Descriptions of the parameters in the command enable-authentication-type {local | aaa enable-authen-template <1-128>} of Step 1:

Parameter Description
local: This sets the overall enable authentication type to local.
aaa enable-authen-template <1-128>: This sets the overall enable authentication type to aaa. The adm_mgr template number ranges from 1 to 128.

Descriptions of the parameters in the command gl-authen-author-type authentication-template <1-128> authentication-method {chap|pap|ascii} authorization-template <1-128> of Step 1:

Parameter Description
authentication-template <1-128>: This configures the global authentication template number.
authentication-method {chap|pap|ascii}: This configures the global authentication method: chap, pap, or ascii.
authorization-template <1-128>: This configures the global authorization template number.

Descriptions of the parameters in the command default-privilege-level <0-15> of Step 2:

Parameter Description
<0-15>: Privilege value, 0-15

Descriptions of the parameters in the command authentication-template <1-128> of Step 2:

Parameter Description
<1-128>: User management module authentication template number, 1-128

Descriptions of the parameters in the command authorization-template <1-128> of Step 2:

Parameter Description
<1-128>: User management module authorization template number, 1-128

Descriptions of the parameters in the command username <name> password {<pwd>|encrypted <pwd>} authentication-template <1-128> authorization-template <1-128> of Step 2:

Parameter Description
<name>: User name, 1-32 characters
<pwd>: Plain-text password, 3-32 characters
encrypted <pwd>: Encrypted password, 64 characters
authentication-template <1-128>: User management module authentication template number, 1-128
authorization-template <1-128>: User management module authorization template number, 1-128

Descriptions of the parameters in the command user-duration <name> {<0>|<9-360>} of Step 2:

Parameter Description
<name>: User name, 1-32 characters
<0>: This configures the user account never to expire.
<9-360>: This configures the validity period of the user password, in the range 9-360.

Descriptions of the parameters in the command once-password <username> of Step 2:

Parameter Description
<username>: User name, 1-32 characters

Descriptions of the parameters in the command strong-password length <6-32> character {[number]|[capital]|[lowercase]|[special-character]} of Step 2:

Parameter Description
<6-32>: The minimum length of a strong password.
character {[number]|[capital]|[lowercase]|[special-character]}: This configures the character combination style:
  • number: digit
  • capital: capital letter
  • lowercase: lowercase letter
  • special-character: special character

Descriptions of the parameters in the command user-authen-restriction fail-time <3-16> lock-minute <1-1440> of Step 2:

Parameter Description
fail-time <3-16>: This configures the maximum number of consecutive user login failures.
lock-minute <1-1440>: This configures the lock time, in minutes.

Descriptions of the parameters in the command user-password recover-remind <name> of Step 3:

Parameter Description
<name>: User name, 1-32 characters

This example shows how to use the user-password recover-remind <name> command.

eg1:
ZXR10(config-system-user)#user-password recover-remind zte
password is:***
question:what is your name
answer:zte
ZXR10(config-system-user)#

eg2:
ZXR10(config-system-user)#user-password recover-remind zte
password is:***
%Code 59958: Password is wrong!
ZXR10(config-system-user)#

eg3:
ZXR10(config-system-user)#user-password recover-remind zte
password is:***
question:question is 012345678901234567890124567890123456789
%Code 59959: Question has been to upper limit!The limit is 50 characters!
ZXR10(config-system-user)#

eg4:
ZXR10(config-system-user)#user-password recover-remind zte
password is:***
question:what is your name
answer:zte 01234567890123456789012345678901234567890123456
%Code 59960: Answer has been to upper limit!The limit is 50 characters!
ZXR10(config-system-user)#

Descriptions of the command output:

Command Output Description
password is:
  Enter the password. Plain-text password, 3-32 characters, displayed as ***. The command continues if the password is correct. If the password is incorrect, an error prompt appears and the command stops (refer to eg2).
question:
  The prompt question for password recovery. The maximum length is 50 characters, including spaces. The question cannot consist only of spaces, and "?" is not permitted. An error prompt appears if the length exceeds 50 characters (refer to eg3).
answer:
  The answer to the prompt question. The maximum length is 50 characters, including spaces. The answer cannot consist only of spaces, and "?" is not permitted. An error prompt appears if the length exceeds 50 characters (refer to eg4).
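As an added illustration that is not part of this guide, the following Python model reproduces the constraints documented above for strong-password, user-authen-restriction and the recover-remind question and answer. The default values and the checking logic are assumptions, not the ZXR10 implementation.

```python
import re
from dataclasses import dataclass, field

# Character classes of 'strong-password ... character {number|capital|lowercase|special-character}'.
CHARACTER_CLASSES = {
    "number": r"[0-9]",
    "capital": r"[A-Z]",
    "lowercase": r"[a-z]",
    "special-character": r"[^0-9A-Za-z]",
}


@dataclass
class PasswordPolicy:
    """Models 'strong-password length <6-32> character {...}' (defaults are assumed)."""
    min_length: int = 8
    required: frozenset = frozenset(CHARACTER_CLASSES)

    def __post_init__(self):
        # Reject values outside the ranges the command accepts.
        if not 6 <= self.min_length <= 32:
            raise ValueError("length must be in 6-32")
        unknown = self.required - set(CHARACTER_CLASSES)
        if unknown:
            raise ValueError("unknown character class: %s" % sorted(unknown))

    def check(self, password):
        """Return the unmet requirements; an empty list means the password is acceptable."""
        unmet = []
        # <pwd> is documented as 3-32 characters; the policy raises the lower bound.
        if not self.min_length <= len(password) <= 32:
            unmet.append("length")
        for name in sorted(self.required):
            if not re.search(CHARACTER_CLASSES[name], password):
                unmet.append(name)
        return unmet


@dataclass
class LoginGuard:
    """Models 'user-authen-restriction fail-time <3-16> lock-minute <1-1440>' per user."""
    fail_time: int = 5
    lock_minute: int = 30
    failures: dict = field(default_factory=dict)      # user -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # user -> unlock time (seconds)

    def __post_init__(self):
        if not 3 <= self.fail_time <= 16 or not 1 <= self.lock_minute <= 1440:
            raise ValueError("fail-time must be 3-16 and lock-minute 1-1440")

    def attempt(self, user, password_ok, now):
        """Record one login attempt at time 'now'; returns 'ok', 'fail' or 'locked'."""
        if now < self.locked_until.get(user, 0):
            return "locked"
        if password_ok:
            self.failures.pop(user, None)   # a success ends the consecutive-failure run
            return "ok"
        count = self.failures.get(user, 0) + 1
        if count >= self.fail_time:
            # Lock the account for lock_minute minutes and restart the failure count.
            self.locked_until[user] = now + self.lock_minute * 60
            self.failures.pop(user, None)
            return "locked"
        self.failures[user] = count
        return "fail"


def valid_recover_text(text):
    """Documented constraints on the recover-remind question and answer: at most 50
    characters (spaces included), not made up of spaces only, and no '?'."""
    return 0 < len(text) <= 50 and text.strip() != "" and "?" not in text
```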

Descriptions of the parameters in the command bind-authentication-template <2001-2128> of Step 3:

Parameter Description
<2001-2128>: AAA authentication template number, 2001-2128

Descriptions of the parameters in the command bind-acl <acl_name> of Step 3:

Parameter Description
<acl_name>: ACL rule name, 1-31 characters

Descriptions of the parameters in the command description <description> of Step 3:

Parameter Description
<description>: Description string, 1-127 characters

Descriptions of the parameters in the command bind-authorization-template <2001-2128> of Step 3:

Parameter Description
<2001-2128>: AAA authorization template number, 2001-2128

Descriptions of the parameters in the command local-privilege-level <0-15> of Step 3:

Parameter Description
<0-15>: Privilege value, 0-15

Descriptions of the parameters in the command description <description> of Step 3:

Parameter Description
<description>: Description string, 1-127 characters

7.4 Maintaining User Management Module


To maintain the user management module on the ZXR10 8900&8900E, use the following command.

Command Function
ZXR10#show running-config adm-mgr
  This shows the user management module configuration.

This example describes what will be displayed after show running-config adm-mgr is used.
ZXR10(config-system-user)#show running-config adm-mgr
! <ADMMGR>
system-user
authentication-template 1
bind-authentication-template 2001
bind-acl aclname
description adm_mgr_authen_temp_1
$
authorization-template 1
bind-authorization-template 2001
local-privilege-level 15
description adm_mgr_author_temp_1
$
default-privilege-level 15
username zte password zte authentication-template 1 authorization-template 1
! </ADMMGR>

7.5 User Management Module Configuration Example


7.5.1 Local Authentication and Authorization User Configuration Example
Configuration Description
As shown in Figure 7-1, a PC logs in to the router through the serial port or Telnet, enters configuration mode, and creates a user who uses local authentication mode.

Figure 7-1 Local Authentication and Authorization Configuration

Configuration Thought
1. Create a user, bind authentication and authorization templates.
2. Configure an authentication template.
3. Configure an authorization template.

Configuration Process
ZXR10(config)#system-user
ZXR10(config-system-user)#username zte password zte
authentication-template 1 authorization-template 1

ZXR10(config-system-user)#authentication-template 1
ZXR10(config-authen-temp)#bind-authentication-template 2001
ZXR10(config-authen-temp)#exit

ZXR10(config-system-user)#authorization-template 1
ZXR10(config-author-temp)#bind-authorization-template 2001
ZXR10(config-author-temp)#local-privilege-level 15
ZXR10(config-author-temp)#exit


ZXR10(config)#aaa-authentication-template 2001
ZXR10(config-aaa-authen-template)#aaa-authentication-type local
ZXR10(config-aaa-authen-template)#exit

ZXR10(config)#aaa-authorization-template 2001
ZXR10(config-aaa-author-template)#aaa-authorization-type none
ZXR10(config-aaa-author-template)#exit

7.5.2 RADIUS-LOCAL Authentication and Authorization User Configuration Example
Configuration Description
As shown in Figure 7-2, a PC logs in to the router through the serial port or Telnet, enters configuration mode, and creates a user who uses RADIUS-local authentication mode.

Figure 7-2 RADIUS-LOCAL Authentication and Authorization User Configuration

Configuration Thought
1. Create a user, bind authentication and authorization templates.
2. Configure an authentication template.
3. Configure an authorization template.
4. Configure a RADIUS group.

Configuration Process
ZXR10(config)#system-user
/*This creates user.*/
ZXR10(config-system-user)#username zte password zte authentication-template
1 authorization-template 1

/*This binds authentication template.*/


ZXR10(config-system-user)#authentication-template 1
ZXR10(config-authen-temp)#bind-authentication-template 2001
ZXR10(config-authen-temp)#exit


/*This binds authorization template.*/


ZXR10(config-system-user)#authorization-template 1
ZXR10(config-author-temp)#bind-authorization-template 2001
ZXR10(config-author-temp)#local-privilege-level 15
ZXR10(config-author-temp)#exit

/*This configures authentication template.*/


ZXR10(config)#aaa-authentication-template 2001
ZXR10(config-aaa-authen-template)#aaa-authentication-type radius-local
ZXR10(config-aaa-authen-template)#authentication-radius-group 1
ZXR10(config-aaa-authen-template)#exit

/*This configures authorization template.*/


ZXR10(config)#aaa-authorization-template 2001
ZXR10(config-aaa-author-template)#aaa-authorization-type mix-radius
ZXR10(config-aaa-author-template)#exit

/*This configures radius*/


ZXR10(config)#radius authentication-group 1
ZXR10(config-authgrp-1)#server 1 10.1.1.1 master key zte
ZXR10(config-authgrp-1)#algorithm round-robin
ZXR10(config-authgrp-1)#max-retries 3
ZXR10(config-authgrp-1)#timeout 30
ZXR10(config-authgrp-1)#deadtime 0

7.5.3 TACACS+ Authentication and Authorization User Configuration Example
Configuration Description
As shown in Figure 7-3, a PC logs in to the router through the serial port or Telnet, enters configuration mode, and creates a user who uses TACACS+ authentication mode.

Figure 7-3 TACACS+ Authentication and Authorization User Configuration


Configuration Thought
1. Create a user, bind authentication and authorization templates.
2. Configure an authentication template.
3. Configure an authorization template.

Configuration Process
ZXR10(config)#system-user
ZXR10(config-system-user)#username zte password zte
authentication-template 1 authorization-template 1

ZXR10(config-system-user)#authentication-template 1
ZXR10(config-authen-temp)#bind-authentication-template 2001
ZXR10(config-authen-temp)#exit

ZXR10(config-system-user)#authorization-template 1
ZXR10(config-author-temp)#bind-authorization-template 2001
ZXR10(config-author-temp)#local-privilege-level 15
ZXR10(config-author-temp)#exit

ZXR10(config)#aaa-authentication-template 2001
ZXR10(config-aaa-authen-template)#aaa-authentication-type tacacs
ZXR10(config-aaa-authen-template)#exit

ZXR10(config)#aaa-authorization-template 2001
ZXR10(config-aaa-author-template)#aaa-authorization-type tacacs
ZXR10(config-aaa-author-template)#exit

ZXR10(config)#tacacs enable
ZXR10(config)#tacacs-server host 10.1.1.1 key zte
ZXR10(config)#tacplus group-server ztegrouup
ZXR10(config-sg)#server 10.1.1.1

7.5.4 Password Prompt Question Configuration For Resetting a Password
Configuration Description
As shown in Figure 7-4, a PC logs in to the router through the serial port or Telnet and enters configuration mode to create an authentication user. Users of any authentication mode can configure the password recovery information, but password recovery validation works only for local authentication users.


Figure 7-4 Password Prompt Question Configuration For Resetting a Password

Configuration Thought
1. Create a user.
2. Configure an authentication template.
3. Configure an authorization template.
4. Configure a password prompt question and an answer.
5. Log in to restore the password.

Configuration Process
Configuration of the switch:
ZXR10(config)#system-user
ZXR10(config-system-user)#username zte password zte
authentication-template 1 authorization-template 1
ZXR10(config-system-user)#authentication-template 1
ZXR10(config-authen-temp)#bind-authentication-template 2001
ZXR10(config-authen-temp)#exit
ZXR10(config-system-user)#authorization-template 1
ZXR10(config-author-temp)#bind-authorization-template 2001
ZXR10(config-author-temp)#local-privilege-level 15
ZXR10(config-author-temp)#exit
ZXR10(config)#aaa-authentication-template 2001
ZXR10(config-aaa-authen-template)#aaa-authentication-type local
ZXR10(config-aaa-authen-template)#exit
ZXR10(config)#aaa-authorization-template 2001
ZXR10(config-aaa-author-template)#aaa-authorization-type none
ZXR10(config-aaa-author-template)#exit
ZXR10(config-system-user)#user-password recover-remind who
password is:***
question: who are you
answer:123
ZXR10(config-system-user)#

/*Telnet to log in to the device. Use the password prompt question to reset a password.*/
ZXR10#login
Username:recover-user who
question: who are you
answer:123
Recover-user password ok!New password is:zxr10
You should modify it later.
Username:who
Password:
ZXR10#

Note:
When the answer to the prompt question is correct, the password of the user named who is reset to the default password, zxr10.

7.6 User Management Module Fault Treatment


7.6.1 Networking Environment
The topology shown in Figure 7-5 is used to describe how to solve user management module faults.

Figure 7-5 User Management Module Network Environment

7.6.2 Malfunction Analysis


The following reasons can cause authentication or authorization failure:
• The authentication or authorization server is inaccessible.
• The corresponding service is not enabled on the authentication or authorization server.
• The username or password configuration is incorrect.

7.6.3 Treatment Scheme


User management module fault treatment flow is shown in Figure 7-6.


Figure 7-6 User Management Module Fault Treatment Flow

7.6.4 Treatment Steps


To locate and solve a user management module fault, perform the following steps.
1. Ping the IP address of the RADIUS server from the switch. If the ping fails, inspect the network and make sure that the network between the switch and the RADIUS server works properly.
2. Check whether the RADIUS server is enabled correctly. Make sure that the RADIUS server is enabled and that the authentication or authorization service is correct.
3. Check whether the configuration of the switch is correct: the username and password must be configured consistently with those on the RADIUS server.
If the fault still exists, contact technical staff.


Chapter 8
SNMP Anti-Violence Attack
Configuration
Table of Contents
SNMP Anti-Violence Attack Overview.........................................................................8-1
SNMP Anti-Violence Attack Principle..........................................................................8-1
Configuring Security Function.....................................................................................8-2
Maintaining Security Function.....................................................................................8-4
SNMP Anti-Violence Attack Configuration Example....................................................8-5
SNMP Anti-Violence Attack Fault Treatment...............................................................8-6

8.1 SNMP Anti-Violence Attack Overview


A brute-force ("violence") attack is a simple and aggressive way of breaking into software:
password-generation software produces a large number of candidate passwords and tries each
one in turn. Given enough attempts and no protection on the user's side, even the most
complicated key can eventually be recovered.
The security policy specified by SNMPv1 and SNMPv2 is very simple: the community string,
transmitted in plain text, is the only password between the SNMP management process and the
agent process. An attacker can easily recover this password by brute force. Therefore the
SNMP module provides an anti-violence attack (anti-brute-force) function.

8.2 SNMP Anti-Violence Attack Principle


To help the device resist DoS attacks and brute-force attacks, the SNMP security function
introduces two concepts: block and quiet mode. If the detection policy is enabled and the router
finds repeated SNMP community string failures, it can refuse all SNMP requests by entering block
mode. The block can be configured to last for a period called the "quiet period".
To ensure that trusted users can still access the device normally, the SNMP security function
supports dynamically learned and manually configured trusted users. In quiet mode, the device
only handles requests from trusted users (if an ACL is configured in advance, these requests are
still filtered through the ACL).
A dynamically learned trusted user is a user who has accessed the device before and is
automatically recorded by the device. If such a user does not access the device again before the
configured aging time expires, the device ages the entry out. Dynamically learned trusted users
can also be cleared manually. The aging time is configurable (by default, 1800 seconds).
In practice, the addresses of some network management users that access the device are fixed.
These users are reliable and do not need automatic aging. To meet this requirement, the device
allows trusted users to be configured manually so that they are never aged out; they can be
cleared with the no form of the command.
To avoid reacting to a user who accidentally mistypes the password, the monitoring condition is
configurable, for example so that monitoring is enabled only after twenty failures in one minute.
By default, monitoring is enabled only after fifty failures in one minute. The failure count does
not distinguish between IP addresses.
The total number of failures during the monitoring period is counted (again without distinguishing
addresses); if it exceeds the limit, the device enters quiet mode.
In any state, when a community string attempt fails, system log information and a self-defined
trap are generated by default. The trap carries the following information: the incorrect
community string, the source IP address and the current SNMP state (normal/monitoring/quiet).
When the device state switches, system log information and a trap alarm are generated
automatically. This function can be disabled by command.
The SNMP security state switching diagram is shown in Figure 8-1.

Figure 8-1 State Switching Diagram
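The state machine described above, as an added illustration that is not part of the ZTE guide or of the switch's own code: a Python model of the normal, monitoring and quiet states driven by the parameters of snmp-server security block, with an optional ACL, static and dynamically learned trusted users, aging, and the per-failure and per-transition log records. The switch's internal counting rules are not published; the sliding window for normal mode, the fixed window for monitoring mode, the default community string "public" and the addresses used in the test are assumptions made for the example.

```python
"""Model of the SNMP anti-brute-force state machine of section 8.2.

Added illustration, not ZTE code. Counting rules are assumptions: normal
mode uses a sliding window of `seconds`, monitoring mode is a fixed window of
`detect_seconds` that starts when monitoring begins, quiet mode lasts
`block_seconds`. Failures are counted per device, not per source address.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

NORMAL, MONITORING, QUIET = "normal", "monitoring", "quiet"


@dataclass
class SnmpGuard:
    block_seconds: int               # length of the quiet period
    detect_tries: int                # failures that move monitoring -> quiet
    detect_seconds: int              # length of the monitoring window
    tries: int = 50                  # failures that move normal -> monitoring (default 50)
    seconds: int = 60                # normal-mode window (default 60)
    idle_timeout: int = 1800         # dynamic trusted-user aging time (default 1800)
    community: str = "public"        # assumed read community (constructed value)
    acl: Optional[set] = None        # snmp-server access-list; None means no ACL applied
    state: str = NORMAL
    state_since: float = 0.0
    failures: deque = field(default_factory=deque)      # failure timestamps, all sources
    static_trust: set = field(default_factory=set)      # configured manually, never aged
    dynamic_trust: dict = field(default_factory=dict)   # ip -> time of last good request
    failure_log: list = field(default_factory=list)     # (time, ip, community, state)
    events: list = field(default_factory=list)          # (time, old_state, new_state)

    def _switch(self, now, new_state):
        """Record a state change; this is what the switch logs and sends a trap for."""
        self.events.append((now, self.state, new_state))
        self.state, self.state_since = new_state, now
        self.failures.clear()

    def _expire_timers(self, now):
        if self.state == QUIET and now - self.state_since >= self.block_seconds:
            self._switch(now, NORMAL)
        elif self.state == MONITORING and now - self.state_since >= self.detect_seconds:
            self._switch(now, NORMAL)    # window ended without reaching detect_tries

    def is_trusted(self, ip, now):
        if ip in self.static_trust:
            return True
        last = self.dynamic_trust.get(ip)
        if last is None:
            return False
        if now - last > self.idle_timeout:   # idle longer than the aging time
            del self.dynamic_trust[ip]
            return False
        return True

    def request(self, ip, community, now):
        """Handle one SNMP request. Returns True if served, False if refused."""
        if self.acl is not None and ip not in self.acl:
            return False                     # the ACL is applied even to trusted users
        self._expire_timers(now)
        if self.state == QUIET and not self.is_trusted(ip, now):
            return False                     # quiet mode: only trusted users are served
        if community == self.community:
            self.dynamic_trust[ip] = now     # learn or refresh the trusted user
            return True
        # Failed attempt: logged with source and current state, counted per device
        self.failure_log.append((now, ip, community, self.state))
        self.failures.append(now)
        if self.state == NORMAL:
            while self.failures and now - self.failures[0] > self.seconds:
                self.failures.popleft()      # keep only the last `seconds` of failures
            if len(self.failures) >= self.tries:
                self._switch(now, MONITORING)
        elif self.state == MONITORING and len(self.failures) >= self.detect_tries:
            self._switch(now, QUIET)
        return False


if __name__ == "__main__":
    # Constructed scenario: the manual's example values, with a small `tries`.
    g = SnmpGuard(block_seconds=180, detect_tries=3, detect_seconds=180, tries=5, seconds=60)
    g.static_trust.add("169.1.110.6")
    for t in range(1, 9):
        g.request("10.0.0.77", "guess", t)
    print(g.state, g.events)
```

The events list models what snmp-server security on-failure log and trap emits on a state change; the failure_log list models the per-failure log record (wrong community, source address, current state). Note that a request refused in quiet mode is not counted as a failure, so a trusted user keeps a stable view of the device while the block lasts.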

8.3 Configuring Security Function


To configure the security function on ZXR10 8900&8900E, perform the following steps:

Step 1
  Command: ZXR10(config)#snmp-server security block <block-seconds> <detect-tries> <detect-seconds> [when <tries> <seconds>]
  Function: The SNMP security protection function is disabled by default. This is the only
  command that activates the SNMP security function; the other snmp-server security commands
  can be configured only after this command has been configured.

  Command: ZXR10(config)#snmp-server access-list {ipv4 | ipv6} <acl-number or name>
  Function: This uses the configured ACL to control which hosts can access the system through
  SNMP. Execute the no form of the command to cancel the control.

Step 2
  Command: ZXR10(config)#snmp-server security dynamic-trust-user idle-timeout <seconds>
  Function: This configures the aging time of dynamically learned trusted users.

  Command: ZXR10(config)#snmp-server security dynamic-trust-user clear <dyn-ip-addr>
  Function: This clears a dynamic-trust-user manually.

  Command: ZXR10(config)#snmp-server security static-trust-user <static-ip-addr>
  Function: This configures a static-trust-user manually.

  Command: ZXR10(config)#snmp-server security on-failure log [and trap]
  Function: This configures the generation of log information and a trap when a community
  string attempt fails or the state switches.

Descriptions of the parameters in Step 1:

Parameter           Description
block-seconds       Block time (the length of the quiet period), in seconds; range: 1-65535
detect-tries        Maximum number of failed attempts in monitoring mode; range: 1-65535
detect-seconds      Maximum detection time of monitoring mode, in seconds; range: 1-65535
tries               Maximum number of failed attempts in normal mode; range: 1-65535, default 50
seconds             Maximum monitoring time of normal mode, in seconds; range: 1-65535, default 60
ipv4                The configured ACL filtering rule applies to IPv4 addresses.
ipv6                The configured ACL filtering rule applies to IPv6 addresses.
acl-number or name  Number or name of the ACL filtering rule

Descriptions of the parameters in Step 2:

Parameter       Description
seconds         Aging time of dynamic-trust-users, in seconds; range: 1-65535, default 1800
dyn-ip-addr     Address of the dynamic-trust-user
static-ip-addr  Address of the static-trust-user
log             Enables or disables log information. Disabled by default.
trap            Enables or disables the sending of trap information. Disabled by default.

8.4 Maintaining Security Function


To maintain the security function, perform the following command on ZXR10 8900&8900E.

Command: ZXR10#show snmp security [failures | trust-users]
Function: This shows the SNMP security function parameters. The command mainly displays the
SNMP security state, configuration information, current status and statistics in
natural-language format.

Parameter descriptions:

Parameter    Description
failures     Optional. If this parameter is selected, the command displays detailed information
             about failed attempts.
trust-users  Optional. If this parameter is selected, the command displays detailed information
             about trusted users, both dynamically learned and manually configured.

The example of the show snmp security command output is as follows:
ZXR10(config)#show snmp security
Access list about ipv4 has been configured.
No access list about ipv6 has been configured.
Static trust-user has been configured.
No dynamic trust-user has been learned.
The max idle timeout of dynamic trust-user is default.
All failed requests are logged and generated SNMP traps.
Router is enable to watch for Attacks.
If more than 4 request failures occur in 60 seconds or less,requests will be
disabled for 60 seconds.
Router presently in Normal-Mode.

The example of the show snmp security failures command output is as follows:
ZXR10#show snmp-server security failures
Information about failure’s with the device
Source IPAddr Count Last TimeStamp
192.168.68.8 1 15:56:25 UTC Thu MAR 11 2010
192.168.68.45 4 16:36:30 UTC Thu MAR 11 2010
10.40.50.155 3 17:01:23 UTC Thu MAR 11 2010

The example of the show snmp security trust-users command output is as follows:
ZXR10#show snmp-server security trust-users
Information about trust user’s with the device
Source IPAddr Last TimeStamp max-inactive dynamic/static
192.168.68.8 15:46:25 UTC Thu MAR 11 2010 1800 dynamic
192.168.68.5 - - static
200:6 - - static
192.168.68.150 - - static

Descriptions of the command output:

Command Output  Description
Count           Number of failed accesses from the IP address in the monitoring period
Last TimeStamp  Time of the most recent access
max-inactive    Aging time of a dynamic trusted user
dynamic/static  Whether the trusted user was generated dynamically or statically

8.5 SNMP Anti-Violence Attack Configuration Example


Configuration Description
SNMP anti-violence attack configuration is a policy for preventing brute-force attacks on
SNMPv1/v2. Because the security policy specified by the SNMP protocol is very simple (for
example, the community string is transmitted in plain text), the SNMP security function is
introduced. The example, shown in Figure 8-2, is configured between the SNMP management process
and the agent process.

Figure 8-2 SNMP Anti-Violence Attack Configuration Example

Configuration Thought
1. First, enable the SNMP anti-violence attack function master switch.
2. Configure the static-trust-user that is allowed to access the device.
3. Configure the aging time of dynamic-trust-users.
4. Configure trap and log generation for failed attempts and state switches.

Configuration Process
The configuration of ZXR10 is as follows:
ZXR10(config)#snmp-server security block 180 3 180 when 50 60
ZXR10(config)#snmp-server security dynamic-trust-user idle-timeout 100
ZXR10(config)#snmp-server security static-trust-user 169.1.110.6
ZXR10(config)#snmp-server security on-failure log and trap

Configuration Check
Display the configuration information about SNMP:
ZXR10(config)#show running-config snmp
snmp-server community public view AllView ro
snmp-server community private view AllView rw
snmp-server enable server-working
snmp-server security block 180 3 180 when 50 60
snmp-server security dynamic-trust-user idle-timeout 100
snmp-server security static-trust-user 169.1.110.6
snmp-server security on-failure log and trap

8.6 SNMP Anti-Violence Attack Fault Treatment


8.6.1 Networking Environment
The topology shown in Figure 8-3 is used as an example to describe SNMP anti-violence attack
fault treatment.

Figure 8-3 SNMP Anti-Violence Attack Fault Treatment Topology Diagram

8.6.2 Fault Analysis


Fault phenomena: SNMP cannot defend against the brute-force attack, a trusted user cannot
access the device, or trap information is not generated.
Note: check the following.
1. Whether the SNMP anti-violence attack master switch is enabled.
2. Whether a dynamically learned user has been aged out because its aging time expired.
3. Whether the trap information master switch is enabled.

8.6.3 Treatment Scheme


SNMP anti-violence attack fault treatment flow diagram is shown as Figure 8-4.

Figure 8-4 SNMP Anti-Violence Attack Fault Treatment Flow Diagram


8.6.4 Treatment Steps


To locate and solve the fault, check the following.
1. Whether the accessed device is in the normal period, the monitoring period or the quiet period.
2. Whether configured static users and learned dynamic users cannot access the device because
SNMP has an ACL filter applied.
3. Whether the trap message switch and the log switch are enabled.



Chapter 9
anti-dos Configuration
Table of Contents
About anti-dos ............................................................................................................9-1
anti-dos Principles ......................................................................................................9-1
Configuring anti-dos ...................................................................................................9-3
Maintaining anti-dos ...................................................................................................9-4
anti-dos Configuration Example..................................................................................9-4
anti-dos Fault Treatment.............................................................................................9-5

9.1 About anti-dos


Denial of Service (DoS) means launching a malicious attack on the defects of a network
protocol, or directly consuming the resources of the target by brute force, so that the target
computer or network can no longer provide services normally, stops responding, or even crashes.
The service resources include network bandwidth, file system space, open processes and
permitted connections.
Anti-DoS attack is one of the functions of ZTE switches. The function mainly detects
particular packets, judges whether a DoS attack is occurring, and then performs the related
operations on the packets.

9.2 anti-dos Principles


The anti-DoS attack function mainly guards against the following attacks: land, null-scan,
ping-of-death, smurf, sys-fin, syn-port-less-1024, xma-scan, ping-flood and syn-flood. For
ping-flood and syn-flood attacks, speed limiting is supported.

9.2.1 Land Attack


A land attack is an old type of DoS attack. The attacker keeps sending forged TCP SYN packets
to the target computer in which the source and destination IP addresses are both the address
of the target server and the TCP source and destination ports are also the same. As a result,
the computer continuously sends response messages to itself and is finally paralyzed or
restarts when it cannot bear any more traffic.

The device detects such packets and judges whether there is a land attack, then performs the
related operations on the packets so that the CPU of the computer is protected.

9.2.2 TCP Null Scan Attack


Null scan is a probing method. By sending TCP packets with no flags set to the target server,
it determines which ports of the server are open and thus selects the attack targets.
According to RFC 793, the target system should return an RST for any closed port.
The device detects such packets and judges whether there is a null scan attack, then performs
the related operations on the packets so that the CPU of the computer is protected.

9.2.3 Ping of Death Attack


A ping of death attack sends numerous oversized ping packets (generally greater than 65535
bytes) to the target host. As a result, the buffer of the target host overflows and the host
goes down.
The device detects such packets and judges whether there is a ping of death attack, then
performs the related operations on the packets so that the CPU of the computer is protected.

9.2.4 TCP FIN Scan Attack


FIN scan is another probing method; it sends FIN packets to the target port. According to
RFC 793, the target system should return an RST for any closed port.
The device detects such packets and judges whether there is a FIN scan attack, then performs
the related operations on the packets so that the CPU of the computer is protected.

9.2.5 SYN Packet Port Number Below 1024


A packet with the SYN flag set whose source port number is smaller than 1024 is treated as an
attack packet. Such packets mainly affect common services.
The device detects such packets and judges whether there is an attack with SYN packets whose
port number is below 1024, then performs the related operations on the packets so that the CPU
of the computer is protected.

9.2.6 TCP xma scan


Xma (Xmas) scan is another probing method. It sends a packet with the FIN (finish), URG
(urgent) and PSH (push) flags set to the target port. According to RFC 793, the target system
should return an RST for any closed port.
The device detects such packets and judges whether there is an xma scan attack, then performs
the related operations on the packets so that the CPU of the computer is protected.

9.2.7 Smurf Attack


A Smurf attack is a powerful attack. Its target is a feature of the IP protocol called
"directed broadcast addressing". The Smurf attack sends numerous Internet Control Message
Protocol (ICMP) echo requests to a switch.

9.2.8 Ping Flood


A ping flood attack sends numerous ping packets to the target host in a short time, which
causes network congestion or exhausts the resources of the host.
An ACL is used to limit the rate of ping packets, so that the CPU of the computer is protected.

9.2.9 Syn-flood Attack


A SYN flood attack sends numerous requests that pretend to establish connections to a firewall.
The source addresses of these packets are unreachable, so the second handshake of the attacked
target never receives a response. As a result, many half-open connections accumulate in the
attacked host and new connections cannot get in. Finally, the service stops and the host goes
down.
An ACL is used to limit the rate of the related packets, so that the maximum rate cannot
exceed the configured safe rate.
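The checks described in sections 9.2.1 to 9.2.9, as an added illustration that is not ZTE code and not the switch's own implementation: a Python packet filter that matches the single-packet patterns (land, null-scan, sys-fin, xma-scan, syn-port-less-1024, ping-of-death, smurf) before a packet is punted to the control plane, plus a per-second budget that stands in for the ping-flood and sys-flood speed limit. The header model, the packet-per-second unit of the rate limiter (the real command is in kilobits/s) and every address and port value are constructed for the example.

```python
"""Single-packet signature checks for the anti-dos attack types of section 9.2.

Added illustration, not ZTE code. It models the decision a packet filter makes
before a packet is punted to the control plane. Header fields are a minimal
model; all packet values used for testing are constructed.
"""
from collections import Counter
from dataclasses import dataclass

# TCP flag bits in the order of the flags byte (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ECHO_REQUEST = 8   # ICMP type of a ping request


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                       # "tcp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    flags: int = 0                   # TCP flags byte; unused for ICMP
    length: int = 64                 # reassembled IP datagram length in bytes
    icmp_type: int = 0
    dst_is_broadcast: bool = False   # destination is a directed-broadcast address


def classify(pkt, ping_pkt_limit=1024):
    """Return the matching anti-dos keyword, or None for a packet that passes.

    ping_pkt_limit corresponds to `anti-dos ping-pkt limit <1-65536>`.
    """
    if pkt.proto == "tcp":
        if pkt.flags & SYN and pkt.src_ip == pkt.dst_ip and pkt.src_port == pkt.dst_port:
            return "land"                       # spoofed SYN from the target to itself
        if pkt.flags == 0:
            return "null-scan"                  # no flags at all
        if pkt.flags == FIN:
            return "sys-fin"                    # bare FIN probe
        if pkt.flags & (FIN | URG | PSH) == (FIN | URG | PSH):
            return "xma-scan"                   # FIN+URG+PSH "christmas tree" probe
        if pkt.flags & SYN and not pkt.flags & ACK and pkt.src_port < 1024:
            return "syn-port-less-1024"         # connection request from a system port;
                                                # a SYN+ACK reply from port 80 is legitimate
    elif pkt.proto == "icmp" and pkt.icmp_type == ECHO_REQUEST:
        if pkt.length > ping_pkt_limit:
            return "ping-of-death"
        if pkt.dst_is_broadcast:
            return "smurf"                      # echo request to a directed broadcast
    return None


class RateLimiter:
    """Per-second packet budget, standing in for `anti-dos speed-limit`.

    The real command is expressed in kilobits/s; counting packets per second
    is an assumption that keeps the example short.
    """
    def __init__(self, pps):
        self.pps, self.second, self.seen = pps, None, 0

    def allow(self, now):
        sec = int(now)
        if sec != self.second:               # new second: reset the budget
            self.second, self.seen = sec, 0
        self.seen += 1
        return self.seen <= self.pps


def filter_stream(packets, ping_pkt_limit=1024, ping_pps=100, syn_pps=100):
    """Classify (time, Packet) pairs; return (passed packets, Counter of drops by reason)."""
    ping_limiter, syn_limiter = RateLimiter(ping_pps), RateLimiter(syn_pps)
    passed, drops = [], Counter()
    for now, pkt in packets:
        verdict = classify(pkt, ping_pkt_limit)
        if verdict is None and pkt.proto == "icmp" and pkt.icmp_type == ECHO_REQUEST:
            if not ping_limiter.allow(now):
                verdict = "ping-flood"
        if verdict is None and pkt.proto == "tcp" and pkt.flags & SYN and not pkt.flags & ACK:
            if not syn_limiter.allow(now):
                verdict = "sys-flood"
        if verdict is None:
            passed.append(pkt)
        else:
            drops[verdict] += 1
    return passed, drops
```

The order of the checks matters: a bare FIN must be tested before the FIN+URG+PSH combination, and the SYN+ACK case is excluded from the port-below-1024 rule, otherwise every reply from a server on port 80 or 22 would be dropped. The Counter returned by filter_stream is the shape of information the show anti-dos statistics convey.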

9.3 Configuring anti-dos


To configure anti-dos on ZXR10 8900&8900E, use the following commands:

Step 1
  Command: ZXR10(config)#anti-dos [{ land | null-scan | ping-of-death | smurf | sys-fin | syn-port-less-1024 | xma-scan | ping-flood | sys-flood }] { enable | disable }
  Function: This enables or disables the function of preventing land, null-scan, ping-of-death,
  smurf, sys-fin, syn-port-less-1024, xma-scan, ping-flood or sys-flood attacks.

Step 2
  Command: ZXR10(config)#anti-dos ping-pkt limit <1-65536>
  Function: This configures the size limit for a ping of death packet.

Step 3
  Command: ZXR10(config)#anti-dos speed-limit { ping-flood | sys-flood } <1-10000>
  Function: This configures the rate limit for ping-flood or sys-flood packets.

Step 4
  Command: ZXR10#show anti-dos or ZXR10(config)#show anti-dos
  Function: This shows all the current anti-DoS attack configuration.

Descriptions of parameters in Step 2:

Parameter Description

<1-65536> Indicates the size limit of a ping of death packet (in bytes).

Descriptions of parameters in Step 3:

Parameter Description

<1-10000> Indicates the rate limit of a ping-flood or sys-flood packet (in kilobits/s).


9.4 Maintaining anti-dos


To maintain anti-dos on ZXR10 8900&8900E, use the following command:

Command: ZXR10#show anti-dos
Function: This shows the current anti-dos configuration of the device.

The following is an example of the show anti-dos command:
ZXR10(config)#show anti-dos
Anti-DoS Land status :enable
Anti-DoS Null-scan status :disable
Anti-DoS Ping-of-death status :enable
Anti-DoS Ping-pkt limit :15000
Anti-DoS Smurf status :disable
Anti-DoS Sys-fin status :disable
Anti-DoS Syn-port-less-1024 status :disable
Anti-DoS Xma-scan status :disable
Anti-DoS Ping-flood status :enable
Anti-DoS Ping-flood speed limit :100
Anti-DoS Sys-flood status :enable
Anti-DoS Sys-flood speed limit :100
ZXR10(config)#

9.5 anti-dos Configuration Example


Configuration Description
As shown in Figure 9-1, configure anti-dos on R1.

Figure 9-1 anti-dos Configuration

Configuration Thought
Enter the global configuration mode, and then configure anti-dos.


Configuration Process
The configuration on R1 is as follows:
ZXR10(config)#anti-dos enable
ZXR10(config)#anti-dos land enable
ZXR10(config)#anti-dos null-scan enable
ZXR10(config)#anti-dos ping-flood enable
ZXR10(config)#anti-dos ping-of-death enable
ZXR10(config)#anti-dos smurf enable
ZXR10(config)#anti-dos ping-pkt limit 1024
ZXR10(config)#anti-dos sys-fin enable
ZXR10(config)#anti-dos syn-port-less-1024 enable
ZXR10(config)#anti-dos xma-scan enable
ZXR10(config)#anti-dos sys-flood enable
ZXR10(config)#anti-dos speed-limit ping-flood 99
ZXR10(config)#anti-dos speed-limit sys-flood 88
ZXR10(config)#

Configuration Check
View whether the anti-dos configuration on R1 takes effect:
ZXR10(config)#show anti-dos
Anti-DoS Land status :enable
Anti-DoS Null-scan status :enable
Anti-DoS Ping-of-death status :enable
Anti-DoS Ping-pkt limit :1024
Anti-DoS Smurf status :enable
Anti-DoS Sys-fin status :enable
Anti-DoS Syn-port-less-1024 status :enable
Anti-DoS Xma-scan status :enable
Anti-DoS Ping-flood status :enable
Anti-DoS Ping-flood speed limit :99
Anti-DoS Sys-flood status :enable
Anti-DoS Sys-flood speed limit :88
ZXR10(config)#

9.6 anti-dos Fault Treatment


9.6.1 Networking Environment
In actual networking, anti-dos faults mainly include the failure of the database to initiate
a change notification and the failure to deliver data to the line card. The following sections
take Figure 9-2 as an example to describe the possible causes and treatment methods of this
type of fault.

Figure 9-2 anti-dos Fault Handling

9.6.2 Fault Analysis


For a failure of the anti-dos database to initiate a change notification, mainly analyze
whether the database table was established successfully and whether the triggers are invoked
successfully. For a failure to deliver line card data, mainly analyze pmstack and mux.

9.6.3 Treatment Process


The process of handling an Anti-dos fault is as shown in Figure 9-3.

Figure 9-3 anti-dos Fault Handling Flow

9.6.4 Treatment Steps


To locate and solve the fault, perform the following steps.

1. Replace the cables. If the problem persists, replace the line cards or interface boards.
If the problem still persists, replace the main control boards. If the problem still persists,
ask the related hardware development personnel for help.
2. Check whether the line card is inserted properly.
3. Use the show command to check whether anti-dos is configured properly.



Chapter 10
CPU_GUARD Configuration
Table of Contents
About CPU_GUARD ................................................................................................10-1
CPU_GUARD Principles ..........................................................................................10-1
Configuring CPU_GUARD........................................................................................10-1
Maintaining CPU_GUARD........................................................................................10-3
CPU_GUARD Configuration Example ......................................................................10-9

10.1 About CPU_GUARD


CPU_GUARD means CPU protection. When a switch is attacked, software- and hardware-based speed
limiting can be used to mask the attacking packets and restore the system in time, so that the
CPU usage does not become too high and normal processing can continue. Hardware speed limiting
uses ACLs or registers to prevent attacking packets from being sent to the CPU. Software speed
limiting directly discards attacking packets without protocol processing, which saves CPU
resources.

10.2 CPU_GUARD Principles


Attacking packets are found through software monitoring. If an attacking packet is sent to the
CPU through an ACL or register, the packet can be filtered by turning the transmission switch
on the related port on and off at scheduled times. For a layer 3 interface, if a routeless
attacking packet is found, the token bucket mechanism can be used to prevent the attack: some
tokens are allocated to each port and protocol every second, and when an attack occurs, packets
are no longer sent to the CPU once the tokens in the bucket are used up. In this way, CPU
resources are saved.
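The token bucket mechanism just described, as an added illustration that is not ZTE code and not the switch's own implementation: a Python model in which each (interface, protocol) pair has a bucket whose size corresponds to the <0-400> value of cpu-guard pp interface ... alarm mode, refilled every second, with a packet bound for the CPU consuming one token and being dropped when the bucket is empty. The refill rule (bucket reset to its full size at each second boundary), the LIMIT/RECOVER event names taken from the show cpu-guard-log output and the interface name gei-0/4/0/2 from the manual's examples are assumptions; the switch's internal algorithm is not published.

```python
"""Per-port, per-protocol token bucket for control-plane protection (section 10.2).

Added illustration, not ZTE code. A bucket of `size` tokens per
(interface, protocol) is refilled every second; each packet punted to the CPU
consumes one token and is dropped when none are left. The refill rule and the
LIMIT/RECOVER event names are assumptions modelled on the manual's examples.
"""
from collections import defaultdict


class CpuGuard:
    def __init__(self, default_size=100):
        self.default_size = default_size
        self.size = {}                              # (iface, proto) -> configured bucket size
        self.tokens = {}                            # (iface, proto) -> tokens left this second
        self.second = {}                            # (iface, proto) -> second of last refill
        self.stats = defaultdict(lambda: [0, 0])    # (iface, proto) -> [pass, drop]
        self.limiting = set()                       # pairs currently being limited
        self.log = []                               # (second, "LIMIT"/"RECOVER", iface, proto)

    def configure(self, iface, proto, size):
        """Counterpart of `cpu-guard pp interface <iface> alarm mode <proto> <0-400>`."""
        if not 0 <= size <= 400:
            raise ValueError("bucket size must be within 0-400")
        self.size[(iface, proto)] = size

    def punt(self, iface, proto, now):
        """Decide whether one packet is sent to the CPU. Returns True if it passes."""
        key = (iface, proto)
        sec = int(now)
        if self.second.get(key) != sec:             # new second: refill the bucket
            self.tokens[key] = self.size.get(key, self.default_size)
            self.second[key] = sec
            if key in self.limiting:                # packets can flow again: log recovery
                self.limiting.discard(key)
                self.log.append((sec, "RECOVER", iface, proto))
        if self.tokens[key] > 0:
            self.tokens[key] -= 1
            self.stats[key][0] += 1
            return True
        self.stats[key][1] += 1
        if key not in self.limiting:                # first drop of this episode: log it
            self.limiting.add(key)
            self.log.append((sec, "LIMIT", iface, proto))
        return False

    def packet_statistic(self, iface):
        """Per-protocol (pass, drop) counters for one interface, like show packet-statistic."""
        return {proto: tuple(counts) for (i, proto), counts in self.stats.items() if i == iface}


if __name__ == "__main__":
    # Constructed burst: 8 ARP packets in one second against a bucket of 5 tokens.
    g = CpuGuard()
    g.configure("gei-0/4/0/2", "arp", 5)
    for i in range(8):
        g.punt("gei-0/4/0/2", "arp", 0.1 * i)
    g.punt("gei-0/4/0/2", "arp", 1.0)
    print(g.packet_statistic("gei-0/4/0/2"), g.log)
```

Because the bucket is keyed by both interface and protocol, an ARP burst on one port exhausts only the ARP budget of that port; PTP or routing protocol packets on the same port keep their own tokens, which is the isolation property the per-protocol configuration in section 10.3 provides.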

10.3 Configuring CPU_GUARD


To configure CPU_GUARD on ZXR10 8900&8900E, use the following commands:

Step 1
  Command: ZXR10(config)#cpu-guard {enable | disable} panel <1-12>
  Function: This enables or disables the CPU guard function on a line card.

Step 2
  Command: ZXR10(config)#cpu-guard clearcounter panel <1-12>
  Function: This clears the counter of received packets.

Step 3
  Command: ZXR10(config)#cpu-guard pp cos <1-12> <0-47> <10-2000>
  Function: This configures a CoS queue.

Step 4
  Command: ZXR10(config)#cpu-guard pp priority panel <1-12> mode { arp | arp-vrrp | bpdu | dot1x | group-mng | icmp | igmp | ipv4-bgp | ipv4-dhcp | ipv4-isis | ipv4-ldp | ipv4-ospf | ipv4-pim | ipv4-rip | ipv6-bgp | ipv6-dhcp | ipv6-isis | ipv6-ldp | ipv6-pim | ipv6-rip | isis2 | lacp | lldp | mac-ping | mld | msdp | ntp | ptp | radius | snmp | ssh | tacacs | telnet | ttl | udld | untrust | vbas | vrrp } <0-47>
  Function: This configures the CoS queue of the protocol packets.

Step 5
  Command: ZXR10(config)#cpu-guard pp interface <interface_list> alarm mode { arp | arp-vrrp | bpdu | group-mng | igmp | ipv4-isis | ipv4-ldp | ipv4-pim | ipv4-rip | ipv6-isis | ipv6-ldp | ipv6-pim | ipv6-rip | ptp | untrust | vrrp } <0-400>
  Function: This configures the size of the token bucket used for software speed limiting of
  the protocol.

Step 6
  Command: ZXR10(config)#cpu-guard pp interface <interface_list> mode { arp | arp-vrrp | bpdu | group-mng | igmp | ipv4-isis | ipv4-ldp | ipv4-pim | ipv4-rip | ipv6-isis | ipv6-ldp | ipv6-pim | ipv6-rip | ptp | untrust | vrrp } {enable | disable}
  Function: This enables or disables a protocol.

Step 7
  Command: ZXR10#show running-config cpu-guard
  Function: This shows the current CPU guard configuration.

Step 8
  Command: ZXR10#show cpu-guard panel <1-12>
  Function: This shows the CPU guard configuration of a line card.

Step 9
  Command: ZXR10#show cpu-guard interface <interface_list>
  Function: This shows the CPU guard configuration of an interface.

Step 10
  Command: ZXR10#show packet-statistic <interface_list>
  Function: This shows the statistics on the packets received and lost on an interface.

Step 11
  Command: ZXR10#show packet-statistic <interface_list> <1-4000>
  Function: This shows the statistics on the packets received and lost on an interface+VLAN.

Step 12
  Command: ZXR10#show cpu-guard-log panel <1-12> level <1-3>
  Function: This shows the CPU guard logs.

Descriptions of parameters in Step 3:

Parameter   Description
<1-12>      Slot number of a line card.
<0-47>      Serial number of a CoS queue.
<10-2000>   Size of a CoS queue.

Descriptions of parameters in Step 4:

Parameter   Description
mode        Type of the valid protocol.

Descriptions of parameters in Step 5:

Parameter   Description
<0-400>     Size of the token bucket.

Descriptions of parameters in Step 11:

Parameter   Description
<1-4000>    VLAN ID

Descriptions of parameters in Step 12:

Parameter   Description
<1-3>       Printing level

10.4 Maintaining CPU_GUARD


To maintain CPU_GUARD on ZXR10 8900&8900E, use the following commands:

Command: ZXR10#show running-config cpu-guard all
Function: This shows the CPU guard configuration of the device.

Command: ZXR10#show cpu-guard panel <1-12>
Function: This shows the CPU guard configuration of a line card.

Command: ZXR10#show cpu-guard interface <interface_list>
Function: This shows the CPU guard configuration of an interface.

Command: ZXR10#show packet-statistic <interface_list>
Function: This shows the statistics on the packets sent and received on an interface.

Command: ZXR10#show packet-statistic <interface_list> <1-4000>
Function: This shows the statistics on the packets sent and received on an interface+VLAN.

Command: ZXR10#show cpu-guard-log panel <1-12> level <1-3>
Function: This shows the CPU guard log.

The following is an example of the show running-config cpu-guard command:
ZXR10(config)#show running-config cpuguard all
! <CPU-GUARD CONFIGURE>
cpu-guard enable panel 4
cpu-guard pp interface gei-0/4/0/2 mode ptp disable
cpu-guard pp cos 4 2 123
cpu-guard pp cos 4 7 333
cpu-guard pp priority panel 4 mode ptp 3
cpu-guard pp priority panel 4 mode ipv6-ldp 3
! </CPU-GUARD CONFIGURE>
ZXR10(config)

The following is an example of the show cpu-guard panel command:
ZXR10(config)#show cpu-guard panel 4
! <CPU-GUARD CONFIGURE>
cpu-guard enable panel 4
cpu-guard pp cos 4 2 123
cpu-guard pp cos 4 7 333
cpu-guard pp priority panel 4 mode ptp 3
cpu-guard pp priority panel 4 mode ipv6-ldp 3
! </CPU-GUARD CONFIGURE>
ZXR10(config)#

The following is an example of the show packet-statistic <interface_list> command:
ZXR10(config)#show packet-statistic gei-0/4/0/3
!<PACKETS STATISTIC INFO>
ProtocolName PacketsPass PacketsDrop
===============================================
v4_bgp_sp 0 0
v4_bgp_dp 0 0
v6_bgp_sp 0 0
v6_bgp_dp 0 0
v4_ospf 0 0
v6_ospf 0 0
V4_isis 0 0
v6_isis 0 0
rip 0 0
v6_ripng 0 0
v4_pim 0 0
v6_pim 0 0
igmp 0 0
v4_ldp_tcp 0 0
v4_ldp_udp 0 0
v6_ldp_tcp 0 0
v6_ldp_udp 0 0
v4_rsvp 0 0
v4_telnet 0 0
v6_telnet 0 0
v4_snmp 0 0
ssh 0 0
v4_super_telnet 0 0
v6_super_telnet 0 0
v4_http 0 0
ntp_pkt 0 0
ftp_20 0 0
ftp_21 0 0
v4_bfd_3784 0 0
v4_bfd_4784 0 0
v4_icmp 0 0
v6_icmp 0 0
v6_mld_mp 0 0
v6_mld_np 0 0
v6_rs 0 0
v6_ra 0 0
v6_ns 0 0
v6_na 0 0
v4_tacas_sport 0 0
v4_tacas_dport 0 0
v4_radius_1812 0 0
v4_radius_1813 0 0
dhcp_67 0 0
dhcp_68 0 0
v6_dhcp_546 0 0
v6_dhcp_547 0 0
v4_lspping 0 0
v6_lspping 0 0
vrrp 0 0
vrrp_arp 0 0
arp_request 0 0
arp_reply 0 0
group_mng 0 0
vbas_pkt 0 0
ttl = 1 0 0
msdp_sport 0 0
msdp_dport 0 0
v6 hop = 1 0 0
v4_bpdu 0 0
v4_mutilcast 0 0
v6_mutilcast 0 0
mac_ping 0 0
ipsec_4500 0 0
ipsec_500 0 0
l2pt 0 0
v4_ptp_uni_319 0 0
v4_ptp_uni_320 0 0
V4_ptp_0180 0 0
V4_ptp_011B 0 0
UDLD 0 0
LLDP 0 0
DOT1X 0 0
v6_tacas_sport 0 0
v6_tacas_dport 0 0
v6_radius_1812 0 0
v6_radius_1813 0 0
v6_ntp_pkt 0 0
v6_ftp_20 0 0
v4_tftp 0 0
v6_tftp 0 0
v6_bfd_3784 0 0
v6_bfd_4784 0 0
v4_l2tp 0 0
v6_vrrp 0 0
v6_snmp 0 0
isis2 0 0
lacp 0 0
cfm 0 0
eaps 0 0
efm 0 0
sflow 0 0
loopdet 0 0
bfd 0 0
pkt_unknow 0 0
!
<PACKETS>

The following is an example of the show packet-statistic <interface_list> <1-4000> command:
ZXR10(config)#show packet-statistic gei-0/4/0/3 20
!<PACKETS STATISTIC INFO>
ProtocolName PacketsPass PacketsDrop
===============================================
v4_bgp_sp 0 0
v4_bgp_dp 0 0
v6_bgp_sp 0 0
v6_bgp_dp 0 0
v4_ospf 0 0
v6_ospf 0 0
V4_isis 0 0
v6_isis 0 0
rip 0 0
v6_ripng 0 0
v4_pim 0 0
v6_pim 0 0
igmp 0 0
v4_ldp_tcp 0 0
v4_ldp_udp 0 0
v6_ldp_tcp 0 0
v6_ldp_udp 0 0
v4_rsvp 0 0
v4_telnet 0 0
v6_telnet 0 0
v4_snmp 0 0
ssh 0 0
v4_super_telnet 0 0
v6_super_telnet 0 0
v4_http 0 0
ntp_pkt 0 0
ftp_20 0 0
ftp_21 0 0
v4_bfd_3784 0 0
v4_bfd_4784 0 0
v4_icmp 0 0
v6_icmp 0 0
v6_mld_mp 0 0
v6_mld_np 0 0
v6_rs 0 0
v6_ra 0 0
v6_ns 0 0
v6_na 0 0
v4_tacas_sport 0 0
v4_tacas_dport 0 0
v4_radius_1812 0 0
v4_radius_1813 0 0
dhcp_67 0 0
dhcp_68 0 0
v6_dhcp_546 0 0
v6_dhcp_547 0 0
v4_lspping 0 0
v6_lspping 0 0
vrrp 0 0
vrrp_arp 0 0
arp_request 0 0
arp_reply 0 0
group_mng 0 0
vbas_pkt 0 0
ttl = 1 0 0
msdp_sport 0 0
msdp_dport 0 0
v6 hop = 1 0 0
v4_bpdu 0 0
v4_mutilcast 0 0
v6_mutilcast 0 0
mac_ping 0 0
ipsec_4500 0 0
ipsec_500 0 0
l2pt 0 0
v4_ptp_uni_319 0 0
v4_ptp_uni_320 0 0
V4_ptp_0180 0 0
V4_ptp_011B 0 0
UDLD 0 0
LLDP 0 0
DOT1X 0 0
v6_tacas_sport 0 0
v6_tacas_dport 0 0
v6_radius_1812 0 0
v6_radius_1813 0 0
v6_ntp_pkt 0 0
v6_ftp_20 0 0
v4_tftp 0 0
v6_tftp 0 0
v6_bfd_3784 0 0
v6_bfd_4784 0 0
v4_l2tp 0 0
v6_vrrp 0 0
v6_snmp 0 0
isis2 0 0
lacp 0 0
cfm 0 0
eaps 0 0
efm 0 0
sflow 0 0
loopdet 0 0
bfd 0 0
pkt_unknow 0 0
!
<PACKETS>
ZXR10(config)#

The following is an example of the show cpu-guard-log command:

ZXR10(config)#show cpu-guard-log panel ?
<1-12> panel id
ZXR10(config)#show cpu-guard-log panel 2?
<1-12>
ZXR10(config)#show cpu-guard-log panel 2 ?
level print level
ZXR10(config)#show cpu-guard-log panel 2 level 1?
<1-3>
ZXR10(config)#show cpu-guard-log panel 2 level 1
<CPU GUARD LOG>
[2011- 1-14 11:35:58] LIMIT HW(type:L2_ARP;port:2;MP:84;NP:26;passby:260)
[2011- 1-14 11:36: 1] RECOVER(type:L2_ARP;port:2;MP:15;NP:33)
[2011- 1-14 11:36: 3] LIMIT HW(type:L2_ARP;port:2;MP:85;NP:34;passby:300)
[2011- 1-14 11:36: 7] RECOVER(type:L2_ARP;port:2;MP:14;NP:31)
[2011- 1-14 11:36: 9] LIMIT HW(type:L2_ARP;port:2;MP:85;NP:27;passby:299)
[2011- 1-14 11:36:12] RECOVER(type:L2_ARP;port:2;MP:15;NP:32)
[2011- 1-14 11:36:14] LIMIT HW(type:L2_ARP;port:2;MP:84;NP:32;passby:300)
[2011- 1-14 11:36:18] RECOVER(type:L2_ARP;port:2;MP:15;NP:30)
[2011- 1-14 11:36:20] LIMIT HW(type:L2_ARP;port:2;MP:83;NP:27;passby:300)
[2011- 1-14 11:36:23] RECOVER(type:L2_ARP;port:2;MP:14;NP:33)
[2011- 1-14 11:36:25] LIMIT HW(type:L2_ARP;port:2;MP:85;NP:33;passby:299)
[2011- 1-14 11:36:28] RECOVER(type:L2_ARP;port:2;MP:14;NP:33)
[2011- 1-14 11:36:30] LIMIT HW(type:L2_ARP;port:2;MP:83;NP:33;passby:299)
[2011- 1-14 11:36:34] RECOVER(type:L2_ARP;port:2;MP:14;NP:30)
[2011- 1-14 11:36:36] LIMIT HW(type:L2_ARP;port:2;MP:85;NP:28;passby:299)
[2011- 1-14 11:36:40] RECOVER(type:L2_ARP;port:2;MP:14;NP:30)
[2011- 1-14 11:36:42] LIMIT HW(type:L2_ARP;port:2;MP:84;NP:32;passby:299)
[2011- 1-14 11:36:46] RECOVER(type:L2_ARP;port:2;MP:15;NP:30)
[2011- 1-14 11:36:48] LIMIT HW(type:L2_ARP;port:2;MP:84;NP:28;passby:300)
[2011- 1-14 11:36:51] RECOVER(type:L2_ARP;port:2;MP:16;NP:34)
[2011- 1-14 11:36:53] LIMIT HW(type:L2_ARP;port:2;MP:85;NP:34;passby:299)
<CPU GUARD LOG>
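Added example (Python; not part of this guide) that parses show cpu-guard-log output of the form above and reports, per protocol type and port, how often and for how long CPU guard limited traffic and whether the port is flapping between LIMIT HW and RECOVER. The sample entries are copied from the output above; the 5-events-in-60-seconds flap threshold is a constructed default, not a product setting.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Entries copied from the "show cpu-guard-log panel 2 level 1" output above.
# Month, day and second fields are space-padded, e.g. "[2011- 1-14 11:36: 1]".
SAMPLE_LOG = """\
<CPU GUARD LOG>
[2011- 1-14 11:35:58] LIMIT HW(type:L2_ARP;port:2;MP:84;NP:26;passby:260)
[2011- 1-14 11:36: 1] RECOVER(type:L2_ARP;port:2;MP:15;NP:33)
[2011- 1-14 11:36: 3] LIMIT HW(type:L2_ARP;port:2;MP:85;NP:34;passby:300)
[2011- 1-14 11:36: 7] RECOVER(type:L2_ARP;port:2;MP:14;NP:31)
[2011- 1-14 11:36: 9] LIMIT HW(type:L2_ARP;port:2;MP:85;NP:27;passby:299)
[2011- 1-14 11:36:12] RECOVER(type:L2_ARP;port:2;MP:15;NP:32)
[2011- 1-14 11:36:14] LIMIT HW(type:L2_ARP;port:2;MP:84;NP:32;passby:300)
[2011- 1-14 11:36:18] RECOVER(type:L2_ARP;port:2;MP:15;NP:30)
[2011- 1-14 11:36:20] LIMIT HW(type:L2_ARP;port:2;MP:83;NP:27;passby:300)
[2011- 1-14 11:36:23] RECOVER(type:L2_ARP;port:2;MP:14;NP:33)
[2011- 1-14 11:36:25] LIMIT HW(type:L2_ARP;port:2;MP:85;NP:33;passby:299)
[2011- 1-14 11:36:28] RECOVER(type:L2_ARP;port:2;MP:14;NP:33)
[2011- 1-14 11:36:30] LIMIT HW(type:L2_ARP;port:2;MP:83;NP:33;passby:299)
[2011- 1-14 11:36:34] RECOVER(type:L2_ARP;port:2;MP:14;NP:30)
[2011- 1-14 11:36:36] LIMIT HW(type:L2_ARP;port:2;MP:85;NP:28;passby:299)
[2011- 1-14 11:36:40] RECOVER(type:L2_ARP;port:2;MP:14;NP:30)
[2011- 1-14 11:36:42] LIMIT HW(type:L2_ARP;port:2;MP:84;NP:32;passby:299)
[2011- 1-14 11:36:46] RECOVER(type:L2_ARP;port:2;MP:15;NP:30)
[2011- 1-14 11:36:48] LIMIT HW(type:L2_ARP;port:2;MP:84;NP:28;passby:300)
[2011- 1-14 11:36:51] RECOVER(type:L2_ARP;port:2;MP:16;NP:34)
[2011- 1-14 11:36:53] LIMIT HW(type:L2_ARP;port:2;MP:85;NP:34;passby:299)
<CPU GUARD LOG>
"""

ENTRY_RE = re.compile(
    r"^\[(?P<y>\d{4})-\s*(?P<mo>\d{1,2})-\s*(?P<d>\d{1,2})\s+"
    r"(?P<h>\d{1,2}):\s*(?P<mi>\d{1,2}):\s*(?P<s>\d{1,2})\]\s+"
    r"(?P<event>LIMIT HW|RECOVER)\((?P<fields>[^)]*)\)\s*$"
)


def parse_entry(line):
    """Parse one log line into a dict (time, event, type, port, MP, NP, passby)."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None     # banner lines such as "<CPU GUARD LOG>" carry no event
    entry = {"time": datetime(int(m["y"]), int(m["mo"]), int(m["d"]),
                              int(m["h"]), int(m["mi"]), int(m["s"])),
             "event": m["event"]}
    for item in m["fields"].split(";"):
        key, _, value = item.partition(":")
        value = value.strip()
        entry[key.strip()] = int(value) if value.isdigit() else value
    return entry


def summarize(log_text, flap_window=60, flap_threshold=5):
    """Per (type, port): LIMIT count, RECOVER count, total seconds spent limited,
    peak MP usage at limit time, whether a LIMIT is still open at the end of the
    log, and whether flap_threshold LIMIT events fell inside flap_window seconds
    (the 5-in-60-seconds default is a constructed choice, not a product setting)."""
    state = defaultdict(lambda: {"limit_events": 0, "recoveries": 0,
                                 "limited_seconds": 0, "peak_mp": 0,
                                 "open_since": None, "limit_times": []})
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        st = state[(entry["type"], entry["port"])]
        if entry["event"] == "LIMIT HW":
            st["limit_events"] += 1
            st["peak_mp"] = max(st["peak_mp"], entry.get("MP", 0))
            st["limit_times"].append(entry["time"])
            if st["open_since"] is None:
                st["open_since"] = entry["time"]
        else:
            st["recoveries"] += 1
            if st["open_since"] is not None:
                held = entry["time"] - st["open_since"]
                st["limited_seconds"] += int(held.total_seconds())
                st["open_since"] = None
    window = timedelta(seconds=flap_window)
    report = {}
    for key, st in state.items():
        times = st.pop("limit_times")
        st["still_limited"] = st.pop("open_since") is not None
        # sliding window over LIMIT timestamps: N events within the window means flapping
        st["flapping"] = any(times[i + flap_threshold - 1] - times[i] <= window
                             for i in range(len(times) - flap_threshold + 1))
        report[key] = st
    return report


if __name__ == "__main__":
    for (proto, port), st in summarize(SAMPLE_LOG).items():
        print("%s port %s: %s" % (proto, port, st))
```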

10.5 CPU_GUARD Configuration Example


10.5.1 Enabling the CPU Guard Function
To enable the CPU guard function, use the following command:

ZXR10(config)#cpu-guard enable panel 2

10.5.2 Disabling the CPU Guard Function


To disable the CPU guard function, use the following command:
ZXR10(config)#cpu-guard disable panel 2

10.5.3 Clearing the Counter of CPU Statistics


To clear the counter of CPU statistics, use the following command:

ZXR10(config)#cpu-guard clearcounter 2

10.5.4 Configuring the Hardware Queue of the CPU Guard Protocol


To configure the hardware queue of the CPU guard protocol, use the following command:
ZXR10(config)#cpu-guard pp priority panel 2 mode arp 3

10.5.5 Configuring the Size of the CPU Guard CoS Queue


To configure the size of the CPU guard CoS queue, use the following command:
ZXR10(config)#cpu-guard pp cos 4 2 500

10.5.6 Configuring the Token Bucket of the CPU Guard Interface Protocol


To configure the token bucket of the CPU guard interface protocol, use the following
command:
ZXR10(config)#cpu-guard pp interface gei-0/4/0/2 alarm mode arp 300

10.5.7 Enabling the CPU Guard Interface Protocol


To enable the CPU guard interface protocol, use the following command:
ZXR10(config)#cpu-guard pp interface gei-0/4/0/2 mode ipv4-isis enable


Chapter 11
DOT1X Configuration
Table of Contents
About DOT1X...........................................................................................................11-1
DOT1X Principles.....................................................................................................11-2
Configuring DOT1X ..................................................................................................11-4
Maintaining DOT1X ..................................................................................................11-8
DOT1X Configuration Example .............................................................................. 11-10
DOT1X Fault Treatment ......................................................................................... 11-16

11.1 About DOT1X


DOT1X, or the IEEE 802.1x protocol, is a port-based access control protocol. It optimizes
the traditional authentication model and authentication system architecture, and solves
the problems of the PPPoE and Web/Portal authentication models. Therefore, DOT1X is
a better choice for broadband Ethernet.
The architecture of the IEEE 802.1x protocol is composed of three parts: supplicant
system, authenticator system, and authentication server system.
1. The supplicant (or client) system is generally a user terminal system. The terminal
system needs to install a client application. By starting the client application, the user
can initiate the IEEE 802.1x authentication process. To support port-based access
control, the supplicant system should support the Extensible Authentication Protocol
over LAN (EAPOL) protocol.
2. The authenticator system is generally a network device (for example, a switch) that
supports the IEEE 802.1x protocol. For each user port (which can be a physical port,
or the MAC address, VLAN, and IP address of the user device), the network device
provides two types of logical ports: the controlled port and the uncontrolled port.
• An uncontrolled port always stays in the two-way connected state. It is mainly used
to transfer EAPOL protocol frames, and ensures that the client can always send
or receive authentication messages.
• A controlled port is open only after authentication passes. This port is used to
carry network resources and services. It can be configured as a two-way
controlled or input-only controlled port, so as to satisfy the requirements of various
application scenarios. If a user is not authorized successfully, the controlled port
stays in the unauthorized state, and thus the user cannot access the services
provided by the authentication server system.

In the IEEE 802.1x protocol, "controlled port" and "uncontrolled port" are logical
concepts, and there are no such physical entities inside a device. For each user, the
IEEE 802.1x protocol establishes a logical authentication channel, which cannot be
used by other users. So, when a port is opened, it cannot be occupied by other users.
3. The authentication server is generally a RADIUS server. It stores the user related
information, such as the VLAN that the user belongs to, CAR parameters, priority,
and ACLs of the user. After the user is authenticated successfully, the authentication
server transfers the user related information to the authenticator system, which then
builds a dynamic ACL for the user. The subsequent traffic of the user is controlled
according to the parameters mentioned previously. The authenticator system and the
RADIUS server communicate through the RADIUS protocol.

11.2 DOT1X Principles


Between the 802.1x-based authentication system and the client, the EAP protocol
is encapsulated in EAPOL format to transfer authentication messages. Between the
authentication system and the authentication server, the RADIUS protocol is used to
transfer authentication messages. Due to extensibility of the EAP protocol, the EAP-based
authentication system can use various authentication encryption algorithms, such as
EAP-MD5, EAP-TLS, EAP-SIM, EAP-TTLS, and EAP-AKA.
Take EAP-MD5 as an example. EAP-MD5 is a unidirectional authentication mechanism
that allows the network to authenticate users. However, the authentication process does
not provide encryption keys. The 802.1x EAP-MD5 authentication flow is shown in
Figure 11-1. The authentication steps are described as follows.


Figure 11-1 802.1x EAP-MD5 Authentication Flow

1. The client sends an EAPOL-Start message to the access device to start 802.1x
authentication.
2. The access device returns an EAP-Request/Identity message to the client, which
requests the user name from the client.
3. The client returns an EAP-Response/Identity message to the access device, which
contains the user name.
4. The access device encapsulates the EAP-Response/Identity message into a RADIUS
Access-Request message, and then forwards the latter to the authentication server.
5. The authentication server generates a Challenge and sends a RADIUS
Access-Challenge message to the client through the access device. The message
contains the EAP-Request/MD5-Challenge.
6. The access device forwards the EAP-Request/MD5-Challenge message to the client,
which asks the client to authenticate itself.

7. Upon receiving the EAP-Request/MD5-Challenge message, the client returns an
EAP-Response/MD5-Challenge message to the access device, which contains the
Challenged-Password, that is, the Challenge and the password processed with MD5.
8. The access device forwards the Challenge, Challenged-Password, and user name
together to the RADIUS server. Then the RADIUS server authenticates the user.
9. According to the user information, the RADIUS server uses the MD5 algorithm to
check whether the user is legitimate. Then the RADIUS server returns an authentication
success/failure message to the access device. If the authentication succeeds, the
returned message contains the negotiated parameters and the user related service
attributes to authorize the user. If the authentication fails, the authentication flow
ends.
10. If the authentication succeeds, the user obtains the planned IP address through the
access device by using the standard DHCP protocol (DHCP relay can be used).
11. If the authentication succeeds, the access device initiates an accounting start request
to the RADIUS user authentication server. The RADIUS user authentication server
then responds to this request. Now the user has full access.
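The EAP-MD5 exchange of steps 1 to 11 above, as an added Python example (not the guide's or the product's code): the supplicant and the RADIUS server are modelled as functions, the authenticator is assumed to relay EAP transparently (so RADIUS framing, DHCP and the accounting of steps 10 and 11 are not modelled), and the user record user1/dot1xdemo is a constructed sample. The server accepts each Challenge once, so a replayed EAP-Response/MD5-Challenge is rejected.

```python
import hashlib
import hmac
import os
import struct

# EAP codes and types (RFC 3748). The MD5-Challenge response is computed the
# CHAP way (RFC 1994): MD5(Identifier || password || Challenge).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4


def eap_packet(code, identifier, type_data=b""):
    """Encode an EAP packet: Code(1) | Identifier(1) | Length(2) | Type-Data."""
    return struct.pack("!BBH", code, identifier, 4 + len(type_data)) + type_data


def parse_eap(packet):
    """Decode an EAP packet, rejecting one whose Length field disagrees with its size."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP Length field does not match the packet size")
    return code, identifier, packet[4:]


def md5_challenge_response(identifier, password, challenge):
    """The Challenged-Password of step 7."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def supplicant_reply(request, identity, password):
    """Supplicant: answer EAP-Request/Identity (step 3) or MD5-Challenge (step 7)."""
    code, ident, type_data = parse_eap(request)
    if code != EAP_REQUEST:
        raise ValueError("supplicant only answers EAP-Request packets")
    if type_data[0] == EAP_TYPE_IDENTITY:
        return eap_packet(EAP_RESPONSE, ident, bytes([EAP_TYPE_IDENTITY]) + identity)
    if type_data[0] == EAP_TYPE_MD5_CHALLENGE:
        value_size = type_data[1]
        challenge = type_data[2:2 + value_size]
        digest = md5_challenge_response(ident, password, challenge)
        # Type-Data layout: Type | Value-Size | Value (digest) | Name (user name)
        return eap_packet(EAP_RESPONSE, ident,
                          bytes([EAP_TYPE_MD5_CHALLENGE, len(digest)]) + digest + identity)
    raise ValueError("unsupported EAP type %d" % type_data[0])


class RadiusServerSim:
    """Stand-in for the RADIUS server (constructed for this example).

    The authenticator is assumed to relay EAP transparently, so the RADIUS
    Access-Request/Access-Challenge/Access-Accept framing is not modelled.
    """

    def __init__(self, users):
        self.users = users     # identity (bytes) -> password (bytes)
        self.pending = {}      # identity -> (expected Identifier, Challenge)

    def on_identity(self, response):
        """Steps 4-5: issue a fresh EAP-Request/MD5-Challenge for the named user."""
        _, ident, type_data = parse_eap(response)
        identity = type_data[1:]
        challenge = os.urandom(16)
        next_ident = (ident + 1) & 0xFF
        self.pending[identity] = (next_ident, challenge)
        return eap_packet(EAP_REQUEST, next_ident,
                          bytes([EAP_TYPE_MD5_CHALLENGE, len(challenge)]) + challenge + b"ZXR10")

    def on_md5_response(self, response):
        """Steps 8-9: check the digest against the stored password and Challenge."""
        _, ident, type_data = parse_eap(response)
        value_size = type_data[1]
        digest = type_data[2:2 + value_size]
        identity = type_data[2 + value_size:]
        pending = self.pending.pop(identity, None)   # each Challenge is usable once
        password = self.users.get(identity)
        if pending is None or password is None or pending[0] != ident:
            return eap_packet(EAP_FAILURE, ident)
        expected = md5_challenge_response(ident, password, pending[1])
        ok = hmac.compare_digest(expected, digest)
        return eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, ident)


def run_authentication(server, identity, password):
    """Drive steps 2-9 end to end; True when the server answers EAP-Success."""
    request_identity = eap_packet(EAP_REQUEST, 1, bytes([EAP_TYPE_IDENTITY]))    # step 2
    response_identity = supplicant_reply(request_identity, identity, password)   # step 3
    challenge_request = server.on_identity(response_identity)                    # steps 4-6
    challenge_response = supplicant_reply(challenge_request, identity, password) # step 7
    verdict = server.on_md5_response(challenge_response)                         # steps 8-9
    code, _, _ = parse_eap(verdict)
    return code == EAP_SUCCESS


if __name__ == "__main__":
    server = RadiusServerSim({b"user1": b"dot1xdemo"})   # constructed sample record
    print("correct password:", run_authentication(server, b"user1", b"dot1xdemo"))
    print("wrong password  :", run_authentication(server, b"user1", b"guess"))
```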

11.3 Configuring DOT1X


11.3.1 Configuring DOMAIN
To configure DOMAIN on ZXR10 8900&8900E, use the following commands:

Step  Command / Function

1     ZXR10(config)#dot1x
      This enters the DOT1X configuration mode.

2     ZXR10(config-dot1x)#domain <domain-id>
      This enters the DOT1X-DOMAIN configuration mode. The value range of
      domain-id is 1–512. The no command can be used to delete a domain.

3     ZXR10(config-dot1x-domain)#mode { dot1x | dot1x-relay } { enable | disable }
      This enables/disables DOT1X authentication or relay in the DOT1X-DOMAIN
      configuration mode.

4     ZXR10(config-dot1x-domain)#aaa-authentic-template <1-2128>
      This binds an AAA authentication template in the DOT1X-DOMAIN configuration
      mode. The no command can be used to delete the binding.

5     ZXR10(config-dot1x-domain)#aaa-accounting-template <1-2128>
      This binds an AAA accounting template in the DOT1X-DOMAIN configuration
      mode. The no command can be used to delete the binding.

6     ZXR10(config-dot1x-domain)#authorization { auto | unauthorized | authorized }
      This configures the authentication and authorization method in the
      DOT1X-DOMAIN configuration mode.

7     ZXR10(config-dot1x-domain)#protocol { pap | chap | eap }
      This selects the protocol used for authentication in the DOT1X-DOMAIN
      configuration mode.

8     ZXR10(config-dot1x-domain)#keepalive { enable [ period <period-value> ] | disable }
      This configures the keepalive interval in the DOT1X-DOMAIN configuration
      mode.

9     ZXR10(config-dot1x-domain)#multiple-hosts { enable [ max-hosts <host-number> ] | disable }
      This configures whether multiple users are allowed and the maximum number
      of users in the DOT1X-DOMAIN configuration mode.

10    ZXR10(config-dot1x-domain)#default-isp <isp-name>
      This configures the default ISP name in the DOT1X-DOMAIN configuration mode.

11    ZXR10(config-dot1x-domain)#fullaccount { enable | disable }
      This configures whether a user name carries an ISP domain name in the
      DOT1X-DOMAIN configuration mode.

12    ZXR10(config-dot1x-domain)#groupname <group-name>
      This configures the group name in the DOT1X-DOMAIN configuration mode.

11.3.2 Binding a Domain to an Interface


To bind a domain to an interface on ZXR10 8900&8900E, use the following commands:

Step  Command / Function

1     ZXR10(config)#dot1x
      This enters the DOT1X configuration mode.

2     ZXR10(config-dot1x)#interface <name>
      This enters the DOT1X interface configuration mode.

3     ZXR10(config-dot1x-if)#bind { vlan <vlan-id> domain <domain-id> | domain <domain-id> }
      This binds a domain, or a VLAN plus a domain, in the DOT1X interface
      configuration mode. The value range of domain-id is 1–512. The no command
      can be used to delete the binding.

11.3.3 Configuring DOT1X Parameters


To configure DOT1X parameters on ZXR10 8900&8900E, use the following commands:

Step  Command / Function

1     ZXR10(config)#dot1x
      This enters the DOT1X configuration mode.

2     ZXR10(config-dot1x)#re-authentication { enable [ period <period> ] | disable }
      This configures the DOT1X re-authentication period.

3     ZXR10(config-dot1x)#quiet-period <period>
      This configures the quiet period of DOT1X authentication.

4     ZXR10(config-dot1x)#tx-period <period>
      This configures the period for requesting the DOT1X supplicant to initiate
      authentication.

5     ZXR10(config-dot1x)#supplicant-timeout <period>
      This configures the timeout time of the DOT1X supplicant.

6     ZXR10(config-dot1x)#server-timeout <period>
      This configures the timeout time of the DOT1X authentication server.

7     ZXR10(config-dot1x)#max-requests <count>
      This configures the maximum number of times the DOT1X supplicant is
      requested for a response.

8     ZXR10(config-dot1x)#zte-dot1x-client enable
      This configures whether a ZTE authentication client is used.

Descriptions of parameters in Step 2:

Parameter   Description
<period>    Re-authentication period. Range: 1–4294967295 (seconds).

Descriptions of parameters in Step 3:

Parameter   Description
<period>    Quiet period. Range: 0–65535 (seconds).

Descriptions of parameters in Step 4:

Parameter   Description
<period>    Period for requesting the DOT1X supplicant to initiate authentication.
            Range: 1–65535 (seconds).

Descriptions of parameters in Step 5:

Parameter   Description
<period>    Timeout time of the supplicant. Range: 1–65535 (seconds).

Descriptions of parameters in Step 6:

Parameter   Description
<period>    Timeout time of the authentication server. Range: 1–65535 (seconds).

Descriptions of parameters in Step 7:

Parameter   Description
<count>     Maximum number of times the supplicant is requested for a response.
            Range: 1–10.

11.3.4 Configuring a Local Authentication User


To configure a local authentication user on ZXR10 8900&8900E, use the following
commands:

Step  Command / Function

1     ZXR10(config)#dot1x
      This enters the DOT1X configuration mode.

2     ZXR10(config-dot1x)#localuser <localuser-id>
      This enters the DOT1X-LOCALUSER configuration mode. The value range of
      localuser-id is 1–2048. The no command can be used to delete a local user.

3     ZXR10(config-dot1x-localuser)#name <user-name> [ password <user-password> ]
      This configures the user name and password of a user in the DOT1X-LOCALUSER
      configuration mode.

4     ZXR10(config-dot1x-localuser)#port <port-name>
      This binds a user to a port in the DOT1X-LOCALUSER configuration mode.

5     ZXR10(config-dot1x-localuser)#vlan <vlan-id>
      This binds a user to a VLAN in the DOT1X-LOCALUSER configuration mode.

6     ZXR10(config-dot1x-localuser)#mac <mac-address>
      This binds a user to a MAC address in the DOT1X-LOCALUSER configuration mode.

11.3.5 Managing DOT1X Authentication Access Users


To manage DOT1X authentication access users on ZXR10 8900&8900E, use the following
commands:

Step  Command / Function

1     ZXR10(config)#show clients { { port <port-number> [ vlan <vlan-id> ] } |
      { slot <slot-number> all | client number <client-index> | domain <domain-id> |
      mac <mac-address> | vlan <vlan-id> } | statistics }
      This shows DOT1X authentication access users.

2     ZXR10(config-dot1x)#clear client [ { slot <slot-number> index <index-number> } |
      port <port-name> | vlan <vlan-id> ]
      This clears a specific user.

11.4 Maintaining DOT1X


To maintain DOT1X on ZXR10 8900&8900E, use the following commands:

Command / Function

ZXR10(config)#show dot1x
      This shows the DOT1X parameter information.

ZXR10(config)#show dot1x domain { [<domain-id>] | statistic [<domain-id>] }
      This shows the domain configuration of the DOT1X module.

ZXR10(config)#show dot1x interface <name> [ vlan <vlan-number> ]
      This shows the interface binding information of the DOT1X module.

ZXR10(config)#show dot1x localuser [<localuser-id>]
      This shows the local authentication user configuration of the DOT1X module.

The following is an example of the show dot1x command:


ZXR10(config-dot1x)#show dot1x
TxPeriod : 30 QuietPeriod : 60
SuppTimeout : 30 ServerTimeout : 30

11-8

SJ-20110624091725-014|2012-01-31(R1.0) ZTE Proprietary and Confidential


Chapter 11 DOT1X Configuration

ReAuthPeriod: 3600 ReAuthenticate: disabled
MaxReq : 2
Zte_Dot1x_Client : disabled

The following is an example of the show dot1x domain <domain-id> command:


ZXR10(config-dot1x-domain)#show dot1x domain 1
RuleId: 1 Port: gei-0/4/0/6
Vlan: 1 Authorization: auto
Dot1x: enabled AuthenticationProtocol: eap
Dot1xRelay: disabled Groupname: aaa
KeepAlive: enabled KeepAlivePeriod: 10
AAAAuthenticationTemplate: 1 AAAAccountingTemplate: 2000
FullAccounts: disabled DefaultISP: zte
MaxHosts: 5 MultipleHosts: enabled
OnlineHosts: 0

The following is an example of the show dot1x domain command:


ZXR10(config-dot1x)#show dot1x domain
MaxDomain : 512
CurrentConfigTotal: 2

Id   Dot1x    Hosts KeepAlive MaxHosts Dot1xRelay
---- -------- ----- --------- -------- ----------
1    enabled  0     enabled   5        disabled
2    enabled  0     disabled  0        disabled

The following is an example of the show dot1x domain statistic [<domain-id>] command:
ZXR10(config)#show dot1x domain statistic 1
SlotNo OnlineHostsTotal
-------- ----------------
4 1

The following is an example of the show dot1x domain statistic command:


ZXR10(config)#show dot1x domain statistic
Id Port Vlan OnlineHostsTotal
---- ------------- ---- ----------------
1 gei-0/4/0/6 0 1

The following is an example of the show dot1x interface <name> [ vlan <vlan-number> ]
command:

ZXR10(config)#show dot1x interface gei-0/4/0/6 vlan 1
DomainID Vlan    InterfaceName
-------- ------- ----------------
1        1       gei-0/4/0/6

The following is an example of the show dot1x localuser [<localuser-id>] command:


ZXR10(config-dot1x-localuser)#show dot1x localuser 1
UserId : 1 UserName : aaa
Port : smartgroup1 Password : 123456
VlanId : 1 MacAddress: 0027.199b.72ba

The following is an example of the show dot1x localuser command:


ZXR10(config-dot1x-localuser)#show dot1x localuser
MaxLocalUsers : 2048
CurrentConfigTotal: 2

UserId : 1 UserName : aaa
Port : smartgroup1 Password : 123456
VlanId : 1 MacAddress: 0027.199b.72ba

UserId : 2 UserName :
Port : Password :
VlanId : 0 MacAddress: 0000.0000.0000

11.5 DOT1X Configuration Example


11.5.1 Application of DOT1X RADIUS Authentication
Configuration Description
As shown in Figure 11-2, the workstation of a user is connected to port Ethernet A of an
Ethernet switch.

Figure 11-2 Application of DOT1X RADIUS

Configuration Thought
1. User access authentication is performed on every port, so as to control the user’s
access to the Internet.
2. The access control mode is MAC address-based access control.
3. All DOT1X users belong to one default domain zte163.net.
4. The authentication is based on RADIUS.
5. If RADIUS accounting fails, the user is disconnected from the Internet.
6. In the access, the domain name is not added after the user name.
7. Two RADIUS servers form a server group, which is connected to the switch. The IP
addresses of the two servers are 10.1.1.1 and 10.1.1.2 respectively. It is required that
the former is used as the active authentication/standby accounting server,
and the latter as the standby authentication/active accounting server.
8. The encryption password (shared key) for the interaction between the system and the
authentication RADIUS server is set to "dot1xzte". If the switch does not receive any
response five seconds after sending a packet to the RADIUS server, it resends the
packet. If the number of resend events reaches 5, the switch is asked to delete the
domain name from the user name and then send it to the RADIUS server.

Configuration Process
The configuration process is as follows:
ZXR10(config)#radius authentication-group 1
ZXR10(config-authgrp-1)#server 1 10.1.1.1 master key dot1xzte port 1812
ZXR10(config-authgrp-1)#server 2 10.1.1.2 key dot1xzte port 1812
ZXR10(config-authgrp-1)#max-retries 5
ZXR10(config-authgrp-1)#timeout 5
ZXR10(config-authgrp-1)#exit
ZXR10(config)#radius accounting-group 1

ZXR10(config-acctgrp-1)#server 1 10.1.1.2 master key dot1xzte port 1813
ZXR10(config-acctgrp-1)#server 2 10.1.1.1 key dot1xzte port 1813
ZXR10(config-acctgrp-1)#exit
ZXR10(config)#aaa-authentication-template 1
ZXR10(config-aaa-authen-template)#aaa-authentication-type radius
ZXR10(config-aaa-authen-template)#authentication-radius-group 1
ZXR10(config-aaa-authen-template)#exit
ZXR10(config)#aaa-accounting-template 1
ZXR10(config-aaa-acct-template)#aaa-accounting-type radius
ZXR10(config-aaa-acct-template)#accounting-radius-group first 1
ZXR10(config-aaa-acct-template)#exit
ZXR10(config)#
ZXR10(config)#dot1x
ZXR10(config-dot1x)#domain 1
ZXR10(config-dot1x-domain)#mode dot1x enable
ZXR10(config-dot1x-domain)#authorization auto
ZXR10(config-dot1x-domain)#multiple-hosts enable
ZXR10(config-dot1x-domain)#default-isp zte163.net
ZXR10(config-dot1x-domain)#fullaccount disable
ZXR10(config-dot1x-domain)#aaa-authentic-template 1
ZXR10(config-dot1x-domain)#aaa-accounting-template 1
ZXR10(config-dot1x-domain)#exit
ZXR10(config-dot1x)#interface gei-0/4/0/6
ZXR10(config-dot1x-if)#bind domain 1
ZXR10(config-dot1x-if)#exit

Configuration Check
Check whether the DOT1X configuration of the device takes effect:
ZXR10(config-dot1x)#show dot1x domain 1
RuleId: 1 Port: gei-0/4/0/6
Vlan: 0 Authorization: auto
Dot1x: enabled AuthenticationProtocol: eap
Dot1xRelay: disabled Groupname
KeepAlive: disabled KeepAlivePeriod: 10
AAAAuthenticationTemplate: 1 AAAAccountingTemplate: 1
FullAccounts: disabled DefaultISP: zte163.net
MaxHosts: 0 MultipleHosts: enabled
OnlineHosts: 1

11.5.2 Application of DOT1X Trunk Authentication


Configuration Description
Figure 11-3 shows an enterprise network. The authenticator is a layer 3 switch, and the
four switches on the left that connect the PCs are layer 2 switches. The company requires
that only authenticated PCs can access the Internet, and unauthenticated PCs can only
access the resources within the enterprise network.

Figure 11-3 Application of DOT1X Trunk Authentication

Configuration Thought
According to this requirement, configure the PCs within the enterprise network in one
subnet, so that the PCs can access each other. On the layer 2 switches, enable the 802.1X
relay function. On the layer 3 switch, enable 802.1X authentication. In this way, internal
users of the enterprise are not charged, but they are authenticated by the RADIUS server.
The active and standby servers are 10.1.1.1 and 10.1.1.2 respectively.

Configuration Process
The configuration of layer 2 switches is as follows:
zte(cfg)#set dot1xreley enable

The configuration of the layer 3 switch is as follows:
ZXR10(config)#radius authentication-group 1
ZXR10(config-authgrp-1)#server 1 10.1.1.1 master key dot1xzte port 1812
ZXR10(config-authgrp-1)#server 2 10.1.1.2 key dot1xzte port 1812
ZXR10(config-authgrp-1)#exit
ZXR10(config)#aaa-authentication-template 1
ZXR10(config-aaa-authen-template)#aaa-authentication-type radius
ZXR10(config-aaa-authen-template)#authentication-radius-group 1
ZXR10(config-aaa-authen-template)#exit
ZXR10(config)#dot1x
ZXR10(config-dot1x)#domain 1
ZXR10(config-dot1x-domain)#mode dot1x enable
ZXR10(config-dot1x-domain)#authorization auto
ZXR10(config-dot1x-domain)#multiple-hosts enable
ZXR10(config-dot1x-domain)#default-isp zte163.net
ZXR10(config-dot1x-domain)#fullaccount disable
ZXR10(config-dot1x-domain)#aaa-authentic-template 1
ZXR10(config-dot1x-domain)#exit
ZXR10(config-dot1x)#interface gei-0/4/0/6
ZXR10(config-dot1x-if)#bind domain 1
ZXR10(config-dot1x-if)#exit

Configuration Check
Check whether the configuration of the layer 3 switch takes effect:
ZXR10(config-dot1x)#show dot1x domain 1
RuleId: 1 Port: gei-0/4/0/6
Vlan: 0 Authorization: auto
Dot1x: enabled AuthenticationProtocol: eap
Dot1xRelay: disabled Groupname
KeepAlive: disabled KeepAlivePeriod: 10
AAAAuthenticationTemplate: 1 AAAAccountingTemplate: 1
FullAccounts: disabled DefaultISP: zte163.net
MaxHosts: 0 MultipleHosts: enabled
OnlineHosts: 1

11.5.3 Application of DOT1X Local Authentication


Configuration Description
Sometimes a company does not want to allocate an account to every user. Instead, it
only collects the network card (MAC) address of every host. When a user logs in through
the DOT1X supplicant, the system only checks whether the MAC address of the network
card is permitted. If yes, the login is allowed. As shown in Figure 11-4, the authenticator is
a switch. The local authentication function of the switch is used to satisfy the company's
request. Only three addresses are permitted to access the network: 00d0.d0d0.1234,
00d0.d0d0.1456, and 00d0.d0d0.1689.

Figure 11-4 Application of DOT1X Local Authentication

Configuration Thought
1. Configure the DOT1X domain rule.
2. Configure local DOT1X users, and bind them to the MAC addresses
00d0.d0d0.1234, 00d0.d0d0.1456, and 00d0.d0d0.1689.

Configuration Process
The DOT1X configuration of the authenticator is as follows:
ZXR10(config)#aaa-authentication-template 1
ZXR10(config-aaa-authen-template)#aaa-authentication-type local
ZXR10(config-aaa-authen-template)#exit
ZXR10(config)#dot1x
ZXR10(config-dot1x)#domain 1
ZXR10(config-dot1x-domain)#mode dot1x enable
ZXR10(config-dot1x-domain)#authorization auto
ZXR10(config-dot1x-domain)#multiple-hosts enable
ZXR10(config-dot1x-domain)#default-isp zte163.net
ZXR10(config-dot1x-domain)#fullaccount disable
ZXR10(config-dot1x-domain)#exit
ZXR10(config-dot1x)#localuser 1
ZXR10(config-dot1x-localuser)#name A0001
ZXR10(config-dot1x-localuser)#mac 00d0.d0d0.1234
ZXR10(config-dot1x)#localuser 2
ZXR10(config-dot1x-localuser)#name A0002
ZXR10(config-dot1x-localuser)#mac 00d0.d0d0.1456
ZXR10(config-dot1x)#localuser 3
ZXR10(config-dot1x-localuser)#name A0003
ZXR10(config-dot1x-localuser)#mac 00d0.d0d0.1689

Configuration Check
Check whether the DOT1X configuration of the authenticator takes effect:
ZXR10(config-dot1x)#show dot1x domain 1
RuleId: 1 Port: gei-0/4/0/6
Vlan: 0 Authorization: auto
Dot1x: enabled AuthenticationProtocol: eap
Dot1xRelay: disabled Groupname
KeepAlive: disabled KeepAlivePeriod: 10
AAAAuthenticationTemplate: 1 AAAAccountingTemplate: 1
FullAccounts: disabled DefaultISP: zte163.net
MaxHosts: 0 MultipleHosts: enabled
OnlineHosts: 1

ZXR10(config-dot1x)#show dot1x localuser
MaxLocalUsers : 2048
CurrentConfigTotal: 3

UserId : 1 UserName : A001
Port : Password :
VlanId : 0 MacAddress: 00d0.d0d0.1234

UserId : 2 UserName : A002
Port : Password :
VlanId : 0 MacAddress: 00d0.d0d0.1456

UserId : 3 UserName : A003
Port : Password :
VlanId : 0 MacAddress: 00d0.d0d0.1689

11.6 DOT1X Fault Treatment


11.6.1 Networking Environment
In actual networking, DOT1X faults mainly refer to user authentication failures. The
following sections take Figure 11-5 as an example to describe the possible causes and
treatment methods of this type of fault.

Figure 11-5 DOT1X Fault Handling

11.6.2 Fault Analysis


DOT1X user authentication failures can be analyzed from hardware and software aspects.
From the hardware aspect, check the main control boards, line cards, and network cables
(check whether the directly connected interfaces at both ends can reach each other by
using the PING command). If there is no hardware problem, check the software
configuration, such as the DOT1X configuration, RADIUS configuration, group status, and
AAA template configuration.

11.6.3 Treatment Process


The process of handling a DOT1X fault is as shown in Figure 11-6.

Figure 11-6 DOT1X Fault Handling Flow

11.6.4 Treatment Steps


1. Replace the cables. If the problem still persists, replace the line cards or interface
boards. If the problem still persists, replace the main control boards. If the problem
still persists, ask the related hardware development personnel for help.
2. Delete the binding between the interface and the domain, and check whether the
interface, ping, and ARP are normal.
3. Check the configuration of the RADIUS server; check the RADIUS authentication
and accounting groups and see whether their status is "active"; check whether the
AAA authentication and accounting templates and the bound RADIUS server group
are correct; check whether the authentication method is correct.
4. Check the DOT1X configuration and see whether the domain is correct and the bound
interface is for user authentication.
5. Show the online users and see whether the users that fail to be authenticated are
cleared.
6. Check the information about the authentication user, such as the user name and
password, and see whether the information is consistent with the configuration on the
RADIUS server.
7. Have the supplicant trigger a DOT1X authentication request. Check whether the
authentication request message is received.


Chapter 12
LOOPDETECT Configuration
Table of Contents
About LOOPDETECT...............................................................................................12-1
Configuring LOOPDETECT ......................................................................................12-1
LOOPDETECT Configuration Example ....................................................................12-2

12.1 About LOOPDETECT


Port loopback detection (LOOPDETECT) detects a loop on the user device or switch that
is connected to a port, and then handles the port accordingly. In this way, broadcast
storms and other abnormal situations on the switch are avoided, and the effect is
confined to that port.
On ZXR10 8900&8900E, you can enable loopback detection on some or all ports.
By default, loopback detection is disabled. The switch supports VLAN-based loopback
detection, which can run not only on the VLAN of the port's PVID but also on the VLAN
to which a specified user belongs. For one port, loopback detection can be used for up
to 8 VLANs.
The principle of port loopback detection is as follows: a port sends layer 2 multicast
packets every 30 seconds. If there is a loop under the port, the packets eventually
return to the same port, which reveals the loop.

12.2 Configuring LOOPDETECT


Step 1
  Command:  ZXR10(config)#loop-detect interface <port_name> {enable | disable}
  Function: Enables or disables loopback detection on one or more ports.

Step 2
  Command:  ZXR10(config)#loop-detect interface <port_name> vlan <vlan_id> {enable | disable}
  Function: Enables or disables loopback detection on the VLAN(s) to which a port belongs.

Step 3
  Command:  ZXR10(config)#loop-detect portstate {block | normal | protect} <port_name>
  Function: Sets the loopback port status. By default, it is "normal".

Step 4
  Command:  ZXR10(config)#loop-detect reopen-time <1~16777216>
  Function: Configures the reopen time (in minutes) of a loopback port.

The <port_name> parameter can be set to one port (for example, gei-0/1/0/1) or multiple
ports (for example, gei-0/1/0/1-4 or gei-0/1/0/1, gei-0/1/0/2, gei-0/1/0/3, and gei-0/1/0/4).

12-1

SJ-20110624091725-014|2012-01-31(R1.0) ZTE Proprietary and Confidential


ZXR10 8900&8900E Configuration Guide (Security)

The <vlan_id> parameter can be set to one VLAN (for example, vlan 1) or multiple VLANs
(for example, vlan 1-4 or vlan 1, 2, 3, and 4).
If a loop is detected, the device handles it according to the preset loopback port status:
- If the status is "block", the data stream on the port is interrupted, but the port status is
  not down. In addition, an alarm is generated.
- If the status is "normal", the data stream on the port is interrupted, and the port status
  is down. In addition, an alarm is generated.
- If the status is "protect", the data stream on the port is not interrupted, and the port
  status is not down. Only an alarm is generated.

After the preset reopen time of the loopback port elapses, the port is reopened for the next test.
By default, the reopen time is 10 minutes.
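The following Python model is added here as an illustration; it is not ZTE code and not the switch's implementation. It plays through the behaviour described above: one probe per monitored VLAN every 30 seconds, a returned probe counted as a loop, the block/normal/protect reactions, and reopening after the reopen time. The `Port` class, its method names and the simulated clock are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, List

PROBE_INTERVAL_S = 30      # the text: a probe frame is sent every 30 seconds
DEFAULT_REOPEN_MIN = 10    # the text: default reopen time is 10 minutes
MAX_VLANS_PER_PORT = 8     # the text: loopback detection on at most 8 VLANs per port


@dataclass
class Port:
    name: str
    vlans: Set[int]                      # VLANs on which loop detection is enabled
    portstate: str = "normal"            # block | normal | protect
    reopen_min: int = DEFAULT_REOPEN_MIN
    link_up: bool = True
    blocked_vlans: Set[int] = field(default_factory=set)  # VLANs whose traffic is cut
    reopen_at: Optional[int] = None      # simulated time (s) when the port reopens
    alarms: List[str] = field(default_factory=list)

    def enable_vlans(self, vlan_ids):
        """Add VLANs to detect on, enforcing the 8-VLAN-per-port limit."""
        if len(self.vlans | set(vlan_ids)) > MAX_VLANS_PER_PORT:
            raise ValueError(f"{self.name}: at most {MAX_VLANS_PER_PORT} VLANs")
        self.vlans |= set(vlan_ids)

    def probe(self, now, looped_vlans):
        """One probe round at simulated time `now` (seconds). `looped_vlans` is a
        constructed stand-in for the physical loop: the VLANs whose probe frame
        comes back on this port. Returns the VLANs on which a loop was acted on."""
        if self.reopen_at is not None:
            if now < self.reopen_at:
                return set()             # port still closed; nothing is tested
            self.reopen()                # reopen time elapsed: test again
        hits = self.vlans & set(looped_vlans)
        if not hits:
            return set()
        self.alarms.append(f"%LOOPDETECT% {self.name} vlan {sorted(hits)} has loop!")
        if self.portstate == "block":
            self.blocked_vlans |= hits   # traffic cut on the looped VLAN(s), link stays up
        elif self.portstate == "normal":
            self.blocked_vlans |= self.vlans
            self.link_up = False         # traffic cut and the port goes down
        # "protect": alarm only, the port keeps forwarding and is probed again
        if self.portstate != "protect":
            self.reopen_at = now + self.reopen_min * 60
        return hits

    def reopen(self):
        """Reopen the port for the next test after the reopen time."""
        self.link_up = True
        self.blocked_vlans.clear()
        self.reopen_at = None
```

Driving `Port("gei-0/1/0/1", {1}, reopen_min=5)` through `probe()` calls 30 seconds apart reproduces Example 1 below: the first returned probe takes the link down, and the port is tested again only once 300 seconds have passed.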
To maintain and diagnose a loopback port, use the following commands:

Step 1
  Command:  ZXR10(config)#show loopdetect
  Function: Shows the information about the ports on which loopback detection is enabled.

Step 2
  Command:  ZXR10(config)#show loopdetect [interface <port-name>]
  Function: Shows the loopback detection information of one port.

Step 3
  Command:  ZXR10(config)#show loopdetect reopentime
  Function: Shows the reopen time of a loopback port.

12.3 LOOPDETECT Configuration Example


12.3.1 LOOPDETECT Configuration Example 1
Configuration Description
As shown in Figure 12-1, port gei-0/1/0/1 of S1 belongs to vlan1. Enable loopback
detection on gei-0/1/0/1 to detect the VLAN where the port PVID is located. The detection
mode is "normal" (default mode). The reopen time of the port is 5 minutes.

Figure 12-1 Configuration of Port Loopback Detection

Configuration Thought
Enter the global configuration mode and configure port loopback detection.


Configuration Process
The configuration on S1 is as follows:
ZXR10(config)#switchvlan-configuration
ZXR10(config-swvlan)#interface gei-0/1/0/1
ZXR10(config-swvlan-intf)#switchport mode access
ZXR10(config-swvlan-intf)#switchport access vlan 1
ZXR10(config-swvlan-intf)#exit
ZXR10(config-swvlan)# exit
ZXR10(config)#loop-detect interface gei-0/1/0/1 enable
ZXR10(config)# loop-detect reopen-time 5

Configuration Check
Show the information about the ports on which loopback detection is enabled (this
command shows all ports on which loopdetect is configured):
ZXR10#show loopdetect
interface monitor state vlanrage
---------------------------------------------------------
gei-0/1/0/1 ENABLE NORMAL

Show the loopback detection information of gei-0/1/0/1:


ZXR10#show loopdetect interface gei-0/1/0/1
interface monitor state vlanrage
---------------------------------------------------------
gei-0/1/0/1 ENABLE NORMAL

Show the reopen time of a loopback port:


ZXR10#show loopdetect reopentime
The reopen time of loopdetect : 5(minute)

After loopback is detected, port gei-0/1/0/1 is closed, the port is down, and an alarm is
generated:

A notification 520101 level 5 occurred at 15:58:16 12-16-2010 sent by ZXR10
NP-0-1-0%LOOPDETECT% There is loop! interface gei-0/1/0/1 detect loop!
An alarm 150101 level 5 occurred at 15:58:16 12-16-2010 sent by ZXR10
MP-0-3-0%IP% Interface status The interface(index=4,name='gei-0/1/0/1')
turned into DOWN
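As an added example (not from this guide or from ZTE), the following Python parser normalises the alarm and notification lines shown in this chapter's configuration checks and summarises, per interface, how many loop notifications were raised, on which VLANs, and whether the port was reported DOWN. The regular expressions and field names are assumptions based only on the line formats printed in this chapter; the sample log is constructed from those lines plus one unrelated line.

```python
import re
from collections import defaultdict

ALARM_RE = re.compile(
    r"^An? (?P<kind>notification|alarm) (?P<code>\d+) level (?P<level>\d+) "
    r"occurred at (?P<time>\d\d:\d\d:\d\d) (?P<date>\d\d-\d\d-\d{4}) "
    r"sent by (?P<host>\S+) (?P<board>[^%\s]+)%(?P<module>[A-Z0-9]+)% (?P<text>.*)$")
IFACE_RE = re.compile(r"interface (\S+) (?:detect loop|vlan)|name='([^']+)'")
VLAN_RE = re.compile(r"vlan (\d+) has loop")
LOOP_CODES = {520101, 520102}  # port-level / VLAN-level loop notifications in this chapter
IF_DOWN_CODE = 150101          # interface status alarm shown in Example 1


def parse_alarm(line):
    """Normalise one alarm line into a dict; return None for non-alarm lines."""
    m = ALARM_RE.match(" ".join(line.split()))   # collapse wrapped whitespace
    if not m:
        return None
    ev = m.groupdict()
    ev["code"], ev["level"] = int(ev["code"]), int(ev["level"])
    im = IFACE_RE.search(ev["text"])
    ev["interface"] = (im.group(1) or im.group(2)) if im else None
    vm = VLAN_RE.search(ev["text"])
    ev["vlan"] = int(vm.group(1)) if vm else None   # None: port/PVID-level loop
    return ev


def summarize(lines):
    """Per interface: loop notification count, looped VLANs and whether the
    port was reported DOWN (the reaction of the 'normal' portstate)."""
    out = defaultdict(lambda: {"loops": 0, "vlans": set(), "down": False})
    for ev in filter(None, map(parse_alarm, lines)):
        if ev["interface"] is None:
            continue
        s = out[ev["interface"]]
        if ev["module"] == "LOOPDETECT" and ev["code"] in LOOP_CODES:
            s["loops"] += 1
            s["vlans"].add(ev["vlan"])
        elif ev["code"] == IF_DOWN_CODE and ev["text"].endswith("DOWN"):
            s["down"] = True
    return dict(out)


# Constructed sample: the alarm lines printed in this chapter's examples, rejoined.
SAMPLE_LOG = [
    "A notification 520101 level 5 occurred at 15:58:16 12-16-2010 sent by ZXR10 "
    "NP-0-1-0%LOOPDETECT% There is loop! interface gei-0/1/0/1 detect loop!",
    "An alarm 150101 level 5 occurred at 15:58:16 12-16-2010 sent by ZXR10 "
    "MP-0-3-0%IP% Interface status The interface(index=4,name='gei-0/1/0/1') "
    "turned into DOWN",
    "A notification 520102 level 5 occurred at 15:59:16 12-16-2010 sent by ZXR10 "
    "NP-0-1-0%LOOPDETECT% There is loop in vlan! interface gei-0/1/0/1 vlan 1 has loop!",
    "Dec 16 15:59:20 unrelated syslog line that the parser must ignore",
]
```

`summarize(SAMPLE_LOG)` reports gei-0/1/0/1 with two loop notifications (one port-level, one on VLAN 1) and the port marked down, which is the signature an operator would alert on.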


12.3.2 LOOPDETECT Configuration Example 2


Configuration Description
As shown in Figure 12-2, port gei-0/1/0/1 of S1 belongs to vlan1 and vlan2. Enable
loopback detection on gei-0/1/0/1, and perform loopback detection in vlan1 and vlan2 at
the same time. The detection mode is "block". The reopen time of the port is 5 minutes.

Figure 12-2 Configuration of Port Loopback Detection

Configuration Thought
Enter the global configuration mode and configure port loopback detection.

Configuration Process
The configuration on S1 is as follows:
ZXR10(config)#switchvlan-configuration
ZXR10(config-swvlan)#interface gei-0/1/0/1
ZXR10(config-swvlan-intf)#switchport mode trunk
ZXR10(config-swvlan-intf)#switchport trunk vlan 1-2
ZXR10(config-swvlan-intf)#exit
ZXR10(config-swvlan)# exit
ZXR10(config)#loop-detect interface gei-0/1/0/1 enable
ZXR10(config)#loop-detect interface gei-0/1/0/1 vlan 1-2 enable
ZXR10(config)#loop-detect portstate block gei-0/1/0/1
ZXR10(config)# loop-detect reopen-time 5

Configuration Check
Show the information about the ports on which loopback detection is enabled (this
command shows all ports on which loopdetect is configured):
ZXR10#show loopdetect
interface monitor state vlanrage
---------------------------------------------------------
gei-0/1/0/1 ENABLE BLOCK 1,2

Show the loopback detection information of gei-0/1/0/1:


ZXR10#show loopdetect interface gei-0/1/0/1
interface monitor state vlanrage
---------------------------------------------------------
gei-0/1/0/1 ENABLE BLOCK 1,2

Show the reopen time of a loopback port:


ZXR10#show loopdetect reopentime
The reopen time of loopdetect : 5(minute)

After loopback is detected in vlan1, port gei-0/1/0/1 is removed from vlan1, and an alarm
is generated:
A notification 520102 level 5 occurred at 15:59:16 12-16-2010
sent by ZXR10 NP-0-1-0%LOOPDETECT% There is loop in vlan! interface
gei-0/1/0/1 vlan 1 has loop!

12.3.3 LOOPDETECT Configuration Example 3


Configuration Description
As shown in Figure 12-3, port gei-0/1/0/1 of S1 belongs to vlan1. Enable loopback
detection on gei-0/1/0/1 to detect the VLAN where the port PVID is located. The detection
mode is "protect". The reopen time of the port is 5 minutes.

Figure 12-3 Configuration of Port Loopback Detection

Configuration Thought
Enter the global configuration mode and configure port loopback detection.

Configuration Process
The configuration on S1 is as follows:
ZXR10(config)#switchvlan-configuration
ZXR10(config-swvlan)#interface gei-0/1/0/1
ZXR10(config-swvlan-intf)#switchport mode access
ZXR10(config-swvlan-intf)#switchport access vlan 1
ZXR10(config-swvlan-intf)#exit
ZXR10(config-swvlan)# exit
ZXR10(config)#loop-detect interface gei-0/1/0/1 enable
ZXR10(config)#loop-detect portstate protect gei-0/1/0/1
ZXR10(config)# loop-detect reopen-time 5


Configuration Check
Show the information about the ports on which loopback detection is enabled (this
command shows all ports on which loopdetect is configured):
ZXR10#show loopdetect
interface monitor state vlanrage
---------------------------------------------------------
gei-0/1/0/1 ENABLE PROTECT

Show the loopback detection information of gei-0/1/0/1:


ZXR10#show loopdetect interface gei-0/1/0/1
interface monitor state vlanrage
---------------------------------------------------------
gei-0/1/0/1 ENABLE PROTECT

Show the reopen time of a loopback port:


ZXR10#show loopdetect reopentime
The reopen time of loopdetect : 5(minute)

After loopback is detected, an alarm is generated:

A notification 520101 level 5 occurred at 15:58:16 12-16-2010 sent by ZXR10
NP-0-1-0%LOOPDETECT% There is loop! interface gei-0/1/0/1 detect loop!

12.3.4 LOOPDETECT Configuration Example 4


Configuration Description
As shown in Figure 12-4, port gei-0/1/0/1 of S1 belongs to vlan1 and vlan2. Enable
loopback detection on gei-0/1/0/1, and perform loopback detection in vlan1 and vlan2 at
the same time. The detection mode is "protect". The reopen time of the port is 5 minutes.

Figure 12-4 Configuration of Port Loopback Detection

Configuration Thought
Enter the global configuration mode and configure port loopback detection.


Configuration Process
The configuration on S1 is as follows:
ZXR10(config)#switchvlan-configuration
ZXR10(config-swvlan)#interface gei-0/1/0/1
ZXR10(config-swvlan-intf)#switchport mode trunk
ZXR10(config-swvlan-intf)#switchport trunk vlan 1-2
ZXR10(config-swvlan-intf)#exit
ZXR10(config-swvlan)# exit
ZXR10(config)#loop-detect interface gei-0/1/0/1 enable
ZXR10(config)#loop-detect interface gei-0/1/0/1 vlan 1, 2 enable
ZXR10(config)#loop-detect portstate protect gei-0/1/0/1
ZXR10(config)# loop-detect reopen-time 5

Configuration Check
Show the information about the ports on which loopback detection is enabled (this
command shows all ports on which loopdetect is configured):
ZXR10#show loopdetect
interface monitor state vlanrage
---------------------------------------------------------
gei-0/1/0/1 ENABLE PROTECT 1,2

Show the loopback detection information of gei-0/1/0/1:


ZXR10#show loopdetect interface gei-0/1/0/1
interface monitor state vlanrage
---------------------------------------------------------
gei-0/1/0/1 ENABLE PROTECT 1,2

Show the reopen time of a loopback port:


ZXR10#show loopdetect reopentime
The reopen time of loopdetect : 5(minute)

After loopback is detected in vlan1, an alarm is generated:


A notification 520101 level 5 occurred at 15:58:16 12-16-2010
sent by ZXR10 NP-0-1-0%LOOPDETECT% There is loop! interface
gei-0/1/0/1 detect loop!



Figures
Figure 2-1 ACL Configuration Example Topology ................................................... 2-12
Figure 2-2 ACL Fault Treatment Topology............................................................... 2-14
Figure 2-3 ACL Fault Treatment Flow Diagram ....................................................... 2-15
Figure 3-1 TACACS+ Networking Structure .............................................................. 3-2
Figure 3-2 TACACS+ Packets Interaction ................................................................. 3-3
Figure 3-3 TACACS+ Configuration Example Topology............................................. 3-6
Figure 3-4 TACACS+ Fault Treatment Topology........................................................ 3-8
Figure 3-5 TACACS+ Fault Treatment Flow Diagram ................................................ 3-9
Figure 4-1 AAA Configuration Example Topology...................................................... 4-8
Figure 4-2 AAA Fault Treatment Topology................................................................. 4-9
Figure 4-3 AAA Fault Treatment Flow Diagram ....................................................... 4-10
Figure 5-1 RADIUS Network Structure...................................................................... 5-2
Figure 5-2 RADIUS Authentication Common Network Topology.............................. 5-15
Figure 5-3 RADIUS Authentication Fault Treatment Topology ................................. 5-18
Figure 5-4 RADIUS Fault Treatment Flow Diagram................................................. 5-19
Figure 6-1 URPF Configuration Example Topology ................................................... 6-4
Figure 6-2 URPF Fault Treatment Topology .............................................................. 6-6
Figure 6-3 URPF Fault Treatment Flow..................................................................... 6-7
Figure 7-1 Local Authentication and Authorization Configuration............................... 7-8
Figure 7-2 RADIUS-LOCAL Authentication and Authorization User Configuration ............ 7-9
Figure 7-3 TACACS+ Authentication and Authorization User Configuration............. 7-10
Figure 7-4 Password Prompt Question Configuration For Resetting a Password ........... 7-12
Figure 7-5 User Management Module Network Environment .................................. 7-13
Figure 7-6 User Management Module Fault Treatment Flow ................................... 7-14
Figure 8-1 State Switching Diagram.......................................................................... 8-2
Figure 8-2 SNMP Anti-Violence Attack Configuration Example ................................. 8-6
Figure 8-3 SNMP Anti-Violence Attack Fault Treatment Topology Diagram ............... 8-7
Figure 8-4 SNMP Anti-Violence Attack Fault Treatment Flow Diagram...................... 8-7
Figure 9-1 anti-dos Configuration.............................................................................. 9-4
Figure 9-2 anti-dos Fault Handling ............................................................................ 9-6


Figure 9-3 anti-dos Fault Handling Flow.................................................................... 9-6


Figure 11-1 802.1x EAP-MD5 Authentication Flow.................................................. 11-3
Figure 11-2 Application of DOT1X RADIUS............................................................11-11
Figure 11-3 Application of DOT1X Trunk Authentication........................................ 11-13
Figure 11-4 Application of DOT1X Local Authentication ........................................ 11-15
Figure 11-5 DOT1X Fault Handling ....................................................................... 11-17
Figure 11-6 DOT1X Fault Handling Flow............................................................... 11-18
Figure 12-1 Configuration of Port Loopback Detection ............................................ 12-2
Figure 12-2 Configuration of Port Loopback Detection ............................................ 12-4
Figure 12-3 Configuration of Port Loopback Detection ............................................ 12-5
Figure 12-4 Configuration of Port Loopback Detection ............................................ 12-6

Glossary
AAA
- Authentication, Authorization and Accounting
ACL
- Access Control List
CHAP
- Challenge Handshake Authentication Protocol
FTP
- File Transfer Protocol
IP
- Internet Protocol
ISDN
- Integrated Services Digital Network
MODEM
- Modulator-Demodulator
MPLS
- Multi Protocol Label Switching

PAP
- Password Authentication Protocol

PPP
- Point to Point Protocol
RADIUS
- Remote Authentication Dial In User Service
SP
- Service Provider
TACACS+
- Terminal Access Controller Access-Control System Plus
URPF
- Unicast Reverse Path Forwarding
