Understanding MFF
Implementation
Figure 7-1 demonstrates MFF implementation on an Ethernet network where the gateway performs unified network management and accounting. MFF is enabled on the Ethernet Access Node (EAN) so that user traffic passes through the gateway before being forwarded to other users at Layer 3. MFF isolates users at Layer 2 and helps enable traffic monitoring and accounting capabilities.
MFF uses the proxy ARP mechanism to reduce the number of broadcast packets between the network and users, thereby isolating users at Layer 2 while still allowing them to communicate at Layer 3. The proxy ARP mechanism is described later in this chapter.
Interface Roles
Two types of interfaces are available on an MFF-enabled device: user interfaces and network interfaces.
A user interface connects to user terminals and processes different packets as follows:
- Discards IGMP Query messages and permits other IGMP protocol packets and DHCP packets to pass through.
- Sends ARP packets to the CPU for processing.
- Processes unicast packets whose destination address is the gateway MAC address as follows:
  - If the gateway MAC address has been learned, the user interface forwards these unicast packets and discards other packets.
  - If the gateway MAC address has not been learned, the user interface discards all packets.
- Rejects multicast and broadcast data packets.
A network interface connects to network devices such as access switches, aggregation switches, or gateways, and processes different packets as follows:
- Permits multicast and DHCP packets to pass through.
- Sends ARP packets to the CPU for processing.
MFF Functions
MFF provides the following functions: obtaining gateway and user information, proxy ARP, gateway detection, application server access, user online status detection, isolated interfaces, and MFF security.
Obtainment of gateway and user information
Users can be allocated static IP addresses or dynamically obtain IP addresses using DHCP. Accordingly, an MFF-enabled device can use a manually configured gateway IP address or dynamically obtain the gateway IP address using the DHCP snooping function.
Manually configured gateway IP address
If IP addresses are manually assigned, the MFF-enabled device cannot obtain the gateway IP address from DHCP packets; therefore, the gateway IP address must be manually configured on the MFF-enabled device. After an IP address is configured for a static gateway, the MFF-enabled device captures ARP request packets on the user side to create or update the MFF entries that carry user information. If the MFF-enabled device receives an ARP request packet before it has learned the gateway MAC address, it does not forward this ARP request packet. Instead, the MFF-enabled device sends an ARP request packet with the user's IP and MAC addresses as source information to the gateway, and learns the gateway MAC address from the ARP reply packet returned by the gateway.
Gateway IP address dynamically obtained with the DHCP snooping function
If the IP addresses are dynamically allocated through DHCP, the MFF-enabled device obtains the user's IP and MAC addresses from the DHCP snooping table and parses the option 121 or option 3 field in the DHCP ACK packets sent by the network interface to obtain the gateway IP address. The MFF-enabled device then sends an ARP request packet with the user's IP and MAC addresses as source information to the gateway, and learns the gateway MAC address from the ARP reply packet returned by the gateway.
If the MFF-enabled device learns multiple gateway MAC addresses, by default it uses the first one it learned to respond to ARP request packets from users. As a result, ARP request packets are sent to the first gateway.
Proxy ARP
The MFF-enabled device captures the ARP request packets from users, and sends an ARP reply packet with the gateway MAC address as the source MAC address. This process ensures that all user devices map the gateway MAC address to the gateway IP address in their ARP tables so that all the packets from the user devices are destined for the gateway. The gateway can monitor traffic and perform accounting, and network security is enhanced.
When receiving an ARP request packet sent by the gateway to request a user MAC address, the MFF-enabled device responds on the user's behalf with the requested user MAC address.
Gateway detection
To detect changes to the gateway MAC address promptly, MFF supports timed gateway address detection. After the detection function is enabled, the MFF-enabled device scans the recorded gateway information every 30 seconds. For each recorded gateway, the MFF-enabled device uses the information of any online user to construct an ARP request packet and sends it out the network interface. The MFF-enabled device then learns the gateway MAC address from the ARP reply packet. If the gateway MAC address has changed, the MFF-enabled device immediately updates the gateway information and broadcasts gratuitous ARP packets to user devices so that they update the gateway address in their ARP tables.
If no user exists in a VLAN, the MFF-enabled device does not send any ARP request packet to the gateway until a user goes online.
Application server access
In addition to the gateway, a network may deploy application servers such as DHCP or multicast servers, as illustrated in Figure 7-2. When users access an application server whose IP address is not specified on the MFF-enabled device, the MFF-enabled device forwards the user traffic to the gateway, which then forwards it to the application server. This increases uplink traffic, consumes bandwidth, and wastes forwarding resources on the gateway.
To address this problem, configure a list of application server IP addresses on the MFF-enabled device. When receiving an ARP request packet from a user for a listed server, the MFF-enabled device sends an ARP reply packet with the application server MAC address as the source address. When receiving an ARP request packet from an application server, the MFF-enabled device sends an ARP reply packet with the requested user MAC address. In this way, users communicate directly with application servers at Layer 2.
User online status detection
If the gateway performs accounting according to the length of time users are online, the gateway must be able to record these durations accurately. By default, an MFF-enabled device answers ARP request packets sent from the gateway on behalf of users. As a result, the gateway considers users online even after they have gone offline. To solve this problem, configure the MFF-enabled device to transparently transmit ARP request packets from the gateway to the users. The MFF-enabled device then no longer responds to these ARP packets itself. If the gateway does not receive an ARP reply packet from a user, the gateway considers that the user has gone offline.
Isolated interface
In Figure 7-3, UserA and UserB connect to the network through the same interface on SwitchB. When UserA sends an ARP request packet to request the MAC address of UserB, the ARP request packet is broadcast to both SwitchB and UserB. If SwitchB sends an ARP reply packet with the gateway MAC address to UserA, UserA receives two ARP reply packets. If the two ARP reply packets conflict, UserA may learn an incorrect ARP entry for UserB. To solve this problem, the MFF-enabled device can perform an interface consistency check on ARP request packets: if the interface on which an ARP request packet arrives is the same as the interface connected to the user with the requested address, the MFF-enabled device discards the ARP request packet.
In a data center that deploys server virtualization, multiple virtual machines (VMs) on a physical server may belong to the same VLAN and require Layer 2 isolation. The VMs connect to the same user interface on the MFF-enabled device and share an access link. Because services on the VMs are isolated from one another at Layer 2, the MFF-enabled device must act as the ARP agent for the VMs and answer their ARP requests so that the VMs can communicate at Layer 3. The interface consistency check, however, would discard these requests, because the requesting VM and the requested VM share the same interface.
To address this problem, the MFF-enabled device provides the isolated interface function. After an interface is configured as an isolated interface, the MFF-enabled device skips the interface consistency check for ARP request packets received on this interface and consequently responds directly with ARP reply packets.
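The ARP request handling described under "Proxy ARP", "Application server access", "User online status detection" and "Isolated interface", brought together in one added Python model that is not part of the original documentation. `MffArpProxy`, `ArpRequest` and the interface names are hypothetical; the model decides per request whether the device answers as proxy, passes the request through, or discards it.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ArpRequest:
    ingress: str      # interface the request arrived on, e.g. "GE0/0/1" (constructed name)
    role: str         # "user" or "network" interface role
    sender_ip: str
    sender_mac: str
    target_ip: str

@dataclass
class MffArpProxy:
    """Constructed model of an MFF-enabled device's ARP request decisions."""
    gateway_ip: str
    gateway_mac: Optional[str]                         # None until learned from the gateway
    users: dict = field(default_factory=dict)          # user IP -> (user MAC, user interface)
    app_servers: dict = field(default_factory=dict)    # configured server IP -> server MAC
    isolated_ifaces: set = field(default_factory=set)  # interfaces exempt from consistency check
    transparent_gw_arp: bool = False                   # pass gateway ARP requests to users

    def handle(self, req: ArpRequest):
        """Decide for one ARP request: ("reply", source MAC), ("forward", None)
        or ("drop", reason)."""
        if req.role == "network":
            if req.target_ip not in self.users:
                return ("drop", "no MFF entry for target")  # assumption: not stated on the page
            if req.sender_ip == self.gateway_ip and self.transparent_gw_arp:
                # User online status detection: the user itself must answer, so an
                # offline user produces no reply and the gateway notices.
                return ("forward", None)
            return ("reply", self.users[req.target_ip][0])  # answer on the user's behalf
        # Request received on a user interface.
        if req.target_ip in self.app_servers:
            return ("reply", self.app_servers[req.target_ip])  # direct Layer 2 path to the server
        if req.target_ip in self.users:
            _, target_iface = self.users[req.target_ip]
            if target_iface == req.ingress and req.ingress not in self.isolated_ifaces:
                # Interface consistency check: the requested user shares this interface
                # and will answer itself, so the proxy must stay silent.
                return ("drop", "interface consistency check")
        if self.gateway_mac is None:
            return ("drop", "gateway MAC not learned")  # device probes the gateway instead
        # Proxy ARP: everything else resolves to the gateway MAC, forcing Layer 3 via the gateway.
        return ("reply", self.gateway_mac)
```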
MFF security
An MFF-enabled device may learn information about some users through ARP snooping. If these users send forged ARP request packets to the MFF-enabled device, the device learns information about a large number of nonexistent users. This wastes device resources and prevents the MFF-enabled device from learning information about authorized users and processing their legitimate services.
You can disable dynamic user learning for ARP snooping to prevent the MFF-enabled device from learning information about unauthorized users. Another solution is to set the maximum number of users in a VLAN low enough to block unauthorized users; this works because the number of DHCP users or static users on a network does not change greatly.
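The gateway and user learning described under "Obtainment of gateway and user information", the periodic re-check under "Gateway detection", and the per-VLAN user limit from this section, as one added Python model that is not part of the original documentation. `MffLearner` and its methods are hypothetical names, and only the ARP request/reply fields are modelled, not real frames.

```python
from dataclasses import dataclass, field

@dataclass
class MffLearner:
    """Constructed model of how an MFF-enabled device learns gateways and users."""
    gateway_ips: dict = field(default_factory=dict)   # vlan -> [gateway IP, ...] (static or DHCP option 3/121)
    gateway_macs: dict = field(default_factory=dict)  # vlan -> {gateway IP: MAC}, in learning order
    users: dict = field(default_factory=dict)         # vlan -> {user IP: user MAC}
    max_users: int = 64                               # per-VLAN cap (MFF security)
    dynamic_arp_learning: bool = True                 # learn users from ARP snooping?

    def learn_user(self, vlan, ip, mac, source):
        """source is 'dhcp' (DHCP snooping table) or 'arp' (ARP snooping).
        Returns False when the entry is refused."""
        if source == "arp" and not self.dynamic_arp_learning:
            return False
        table = self.users.setdefault(vlan, {})
        if ip not in table and len(table) >= self.max_users:
            return False  # table full: forged requests cannot displace real users
        table[ip] = mac
        return True

    def gateway_probes(self, vlan):
        """ARP requests toward each gateway of the VLAN, built with an online
        user's IP/MAC as source. Empty when no user is online (no probe is sent)."""
        users = self.users.get(vlan)
        if not users:
            return []
        user_ip, user_mac = next(iter(users.items()))
        return [{"sender_ip": user_ip, "sender_mac": user_mac, "target_ip": gw}
                for gw in self.gateway_ips.get(vlan, [])]

    def on_gateway_reply(self, vlan, gw_ip, gw_mac):
        """Record the gateway MAC from an ARP reply. Returns the gratuitous ARP to
        broadcast to users when a known gateway MAC changed, else None."""
        table = self.gateway_macs.setdefault(vlan, {})
        old = table.get(gw_ip)
        table[gw_ip] = gw_mac  # re-assignment keeps the original learning order
        if old is not None and old != gw_mac:
            return {"gratuitous": True, "sender_ip": gw_ip, "sender_mac": gw_mac}
        return None

    def reply_mac_for_users(self, vlan):
        """MAC used when proxy-answering users' ARP requests: by default the
        first gateway MAC learned in the VLAN."""
        macs = self.gateway_macs.get(vlan, {})
        return next(iter(macs.values()), None)
```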