Networking Requirements
As shown in Figure 6-2, the FW provides Internet access for the PCs on the LAN. The enterprise network is planned as follows:
All PCs on the LAN are deployed on the network segment 10.1.1.0/24 and obtain IP addresses dynamically through DHCP.
The device connects to all PCs of the enterprise through the downlink.
The device applies for the carrier's Internet service through the uplink. The Internet access service is provided using the PPPoE protocol.
According to the preceding requirements, configure the FW as a PPPoE client. Once the client obtains the IP and DNS addresses from the carrier's server, intranet users can access the Internet.
Figure 6-2 Networking diagram for Internet access through PPPoE
In this example, the information provided by the carrier is for reference only.
Data                                        Description
Interface number: GigabitEthernet 1/0/1     The device obtains the IP and DNS addresses from the PPPoE server
Security zone: untrust                      (deployed by the carrier) through dial-up.
Dial-up user name: user
Dial-up password: password
Interface number: GigabitEthernet 1/0/3     DHCP is used to dynamically assign IP addresses to the PCs on the LAN.
IP address: 10.3.0.1/24
Security zone: trust
Configuration Roadmap
1. Configure the downlink.
Enable the DHCP server on interface GigabitEthernet 1/0/3 so that it dynamically assigns IP addresses to the PCs, and specify the IP address of GigabitEthernet 1/0/3 as the gateway and DNS server address for the PCs.
PCs usually require domain name resolution to access the Internet. For this reason, a DNS server must be specified. In this example, the FW functions as a DNS relay.
2. Configure the uplink and use PPPoE to obtain the IP and DNS addresses.
3. Add the interfaces to security zones and configure security policies.
Add the interface connected to the LAN to a high-priority security zone (trust zone), and the uplink interface connected to the Internet to a low-priority security zone (untrust zone).
4. The IP addresses used on the LAN are private IP addresses, which NAT translates into public IP addresses for Internet access when required. In this example, the uplink interface obtains its IP address through dial-up. The obtained IP address may differ for each dial-up connection. Therefore, easy IP is recommended.
Procedure
1. Configure the IP address of interface GigabitEthernet 1/0/3.
<FW> system-view
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] ip address 10.3.0.1 255.255.255.128
[FW-GigabitEthernet1/0/3] quit
2. Configure the device as a DHCP server to assign IP addresses to the PCs on the LAN.
# Enable the DHCP function.
[FW] dhcp enable
# Create an interface address pool on the interface and specify the DNS server for the intranet PCs.
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] dhcp select interface
[FW-GigabitEthernet1/0/3] dhcp server ip-range 10.3.0.1 10.3.0.125
[FW-GigabitEthernet1/0/3] dhcp server dns-list 9.9.9.9
[FW-GigabitEthernet1/0/3] dhcp server gateway-list 10.3.0.1
[FW-GigabitEthernet1/0/3] quit
3. Configure interface GigabitEthernet 1/0/1 to obtain the IP and DNS addresses using PPPoE.
[FW] dialer-rule 1 ip permit
[FW] interface Dialer 1
[FW-Dialer1] link-protocol ppp
[FW-Dialer1] dialer user PPPOE
[FW-Dialer1] ip address ppp-negotiate
[FW-Dialer1] ppp ipcp dns admit-any
[FW-Dialer1] dialer-group 1
[FW-Dialer1] dialer bundle 1
[FW-Dialer1] ppp pap local-user PPPOE password cipher PPPOE
[FW-Dialer1] quit
[FW] firewall zone untrust
[FW-zone-untrust] add interface Dialer 1
[FW-zone-untrust] quit
[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1] pppoe-client dial-bundle-number 1 ipv4
[FW-GigabitEthernet1/0/1] quit
4. Configure a security policy to allow the intranet PCs to access the Internet.
[FW] security-policy
[FW-security-policy] rule name policy_sec_1
[FW-security-policy-policy_sec_1] source-address 10.3.0.0 mask 255.255.255.128
[FW-security-policy-policy_sec_1] source-zone trust
[FW-security-policy-policy_sec_1] destination-zone untrust
[FW-security-policy-policy_sec_1] action permit
[FW-security-policy-policy_sec_1] quit
[FW-security-policy] quit
5. Configure a NAT policy to allow intranet users to access the Internet.
[FW] nat-policy
[FW-policy-nat] rule name policy_nat_1
[FW-policy-nat-rule-policy_nat_1] source-address 10.3.0.0 mask 255.255.255.128
[FW-policy-nat-rule-policy_nat_1] source-zone trust
[FW-policy-nat-rule-policy_nat_1] egress-interface dialer 1
[FW-policy-nat-rule-policy_nat_1] action nat easy-ip
[FW-policy-nat-rule-policy_nat_1] quit
[FW-policy-nat] quit
6. Configure a default route to ensure that LAN users can reach the Internet. The next hop is the gateway address assigned by the carrier to the enterprise.
[FW] ip route-static 0.0.0.0 0.0.0.0 Dialer 1
Verification
1. Display detailed information about GigabitEthernet 1/0/1 and check whether the physical status and the IPv4 status of the interface are Up.
[FW] display interface GigabitEthernet 1/0/1
GigabitEthernet 1/0/1 current state : UP
Line protocol current state : UP
GigabitEthernet 1/0/1 current firewall zone : untrust
Description : GigabitEthernet 1/0/1 Interface, Route Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 1.1.1.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-a100-a101
Media type is twisted pair, loopback not set, promiscuous mode not set
100Mb/s-speed mode, full-duplex mode, link type is auto negotiation
max-bandwidth : 100000 Kbps
Max input bit rate:528530448 bits/sec at 2015-05-07 12:53:46
Max output bit rate:5280418 bits/sec at 2015-05-07 12:54:26
Max input packet rate:750753 packets/sec at 2015-05-07 22:43:46
Max output packet rate:7843 packets/sec at 2015-05-07 22:53:58
Last 300 seconds input rate 8 bytes/sec, 0 packets/sec
Last 300 seconds output rate 8 bytes/sec, 0 packets/sec
Input: 1149 packets, 99478 bytes
12 unicasts, 4 broadcasts, 1133 multicasts, 0 pauses
0 overruns, 0 runts, 0 jumbos, 0 FCS errors
0 length errors, 0 code errors, 0 align errors
0 fragment errors, 0 giants, 0 jabber errors
0 dribble condition detected, 0 other errors
Output: 1104 packets, 94646 bytes
7 unicasts, 10 broadcasts, 1087 multicasts, 0 pauses
0 underruns, 0 runts, 0 jumbos, 0 FCS errors
0 fragment errors, 0 giants, 0 jabber errors
0 collisions, 0 late collisions
0 ex. collisions, 0 deferred, 0 other errors
2. Check whether the PPPoE status of the FW is Up, and check whether the number of PPPoE session output packets (OutP) is not 0.
[FW] display pppoe-client session summary
PPPoE Client Session:
ID Bundle Dialer Intf Client-MAC Server-MAC State
0 1 1 GE1/0/1 00e0fc0254f3 00049a23b050 PPPUP
[FW] display pppoe-client session packet
17:17:05 2015/11/28
PPPoE Client Session:
ID InP InO InD OutP OutO OutD
0 0 0 0 254 7620 0
3. On a LAN PC, run the ipconfig /all command to check whether the private IP and DNS addresses have been correctly configured for the network adapter. The following uses Windows XP as an example.
Ethernet adapter Local:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
Physical Address. . . . . . . . . : 00-1B-21-B4-0B-35
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.3.0.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.3.0.1
DHCP Server . . . . . . . . . . . : 10.3.0.1
DNS Servers . . . . . . . . . . . : 9.9.9.9
Lease Obtained. . . . . . . . . . : 2012-8-2 9:38:14
Lease Expires . . . . . . . . . . : 2012-8-13 9:38:14
4. Check whether the LAN PCs can access domain names on the Internet. If so, the configurations are correct. If not, check and correct the configurations.
Configuration Script
#
interface GigabitEthernet1/0/1
pppoe-client dial-bundle-number 1 ipv4
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 24
dhcp select interface
dhcp server ip-range 10.3.0.1 10.3.0.254
dhcp server gateway-list 10.3.0.1
dhcp server dns-list 9.9.9.9
#
dhcp enable
#
interface Dialer1
link-protocol ppp
ppp chap user user
ppp chap password cipher %$%$8*YSTS6T4Xon5,*wo<v~0>5,%$%$
ppp pap local-user user password cipher %$%$8*YSTS6T4Xon5,*wo<v~0>5,%$%$
ppp ipcp dns admit-any
ip address ppp-negotiate
dialer user user
dialer bundle 1
dialer-group 1
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
add interface Dialer1
#
ip route-static 0.0.0.0 0.0.0.0 Dialer 1
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.3.0.0 24
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
source-address 10.3.0.0 24
egress-interface dialer 1
action nat easy-ip
#
return
Info: The password has low complexity. The password length must not be less than 6. The password must contain two types of characters from the following four groups: uppercase letters <A-Z>; lowercase letters <a-z>; numerals <0-9>; symbols (all characters not defined as letters or numbers), such as !, $, # and %. The password must not be related to the spelling of the user name.
<FW1>dis ip interface brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
(d): Dampening Suppressed
(E): E-Trunk down
The number of interface that is UP in Physical is 5
The number of interface that is DOWN in Physical is 6
The number of interface that is UP in Protocol is 4
The number of interface that is DOWN in Protocol is 7
<FW1>
Web page request from the web client PC to the web server
<FW1>dis firewall session table
Current Total Sessions : 2
http VPN: public --> public 10.3.0.126:2052[1.1.1.254:2050] --> 8.8.8.8:80
dns VPN: public --> public 10.3.0.126:49153[1.1.1.254:2051] --> 9.9.9.9:53
<FW1>
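The session table above is the quickest place to confirm that easy IP is doing what the NAT policy intends: every session from the trust segment should show a bracketed post-NAT source equal to the address the Dialer interface negotiated. The following is an added example (not part of the original page or of the NGFW software) that parses rows in the layout shown above and flags any LAN session that left untranslated. It assumes the LAN segment is 10.3.0.0/25 (the `source-address 10.3.0.0 25` of the FW1 policy) and takes the Dialer address 1.1.1.254 from the rows above; the third sample row is constructed to show the failure case.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional

# One row of `display firewall session table`, in the layout shown above:
#   <proto> VPN: <src-vpn> --> <dst-vpn> <src>:<sport>[<nat-src>:<nat-sport>] --> <dst>:<dport>
# The bracketed post-NAT source is optional: an untranslated session prints only its original source.
SESSION_RE = re.compile(
    r"^(?P<proto>\S+)\s+VPN:\s*(?P<src_vpn>\S+)\s*-->\s*(?P<dst_vpn>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)"
    r"(?:\[(?P<nat_src>[\d.]+):(?P<nat_sport>\d+)\])?"
    r"\s*-->\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


@dataclass
class Session:
    proto: str
    src: str
    sport: int
    nat_src: Optional[str]
    nat_sport: Optional[int]
    dst: str
    dport: int


def parse_session(line: str) -> Optional[Session]:
    """Return a Session for a table row, or None for headers and other text."""
    m = SESSION_RE.match(line.strip())
    if not m:
        return None
    return Session(
        proto=m["proto"],
        src=m["src"],
        sport=int(m["sport"]),
        nat_src=m["nat_src"],
        nat_sport=int(m["nat_sport"]) if m["nat_sport"] else None,
        dst=m["dst"],
        dport=int(m["dport"]),
    )


def check_easy_ip(s: Session, lan: ipaddress.IPv4Network, dialer_ip: str) -> str:
    """Classify one session against the easy-ip NAT policy for the LAN segment."""
    if ipaddress.ip_address(s.src) not in lan:
        return "not-lan"        # the NAT rule's source-address does not cover it
    if s.nat_src is None:
        return "LEAK"           # a private source went out untranslated
    if s.nat_src != dialer_ip:
        return "WRONG-NAT-IP"   # translated, but not to the Dialer's negotiated address
    return "ok"


def audit(output: str, lan_cidr: str = "10.3.0.0/25", dialer_ip: str = "1.1.1.254") -> Dict[str, str]:
    """Map each parsed session (keyed as 'proto src:sport->dst:dport') to its verdict."""
    lan = ipaddress.ip_network(lan_cidr)
    verdicts: Dict[str, str] = {}
    for line in output.splitlines():
        s = parse_session(line)
        if s is not None:
            verdicts[f"{s.proto} {s.src}:{s.sport}->{s.dst}:{s.dport}"] = check_easy_ip(s, lan, dialer_ip)
    return verdicts


# Constructed sample: the two rows shown on the page plus an invented third row
# for a session the NAT rule did not translate.
SAMPLE = """\
Current Total Sessions : 3
http VPN: public --> public 10.3.0.126:2052[1.1.1.254:2050] --> 8.8.8.8:80
dns VPN: public --> public 10.3.0.126:49153[1.1.1.254:2051] --> 9.9.9.9:53
http VPN: public --> public 10.3.0.7:3001 --> 8.8.8.8:80
"""

if __name__ == "__main__":
    for key, verdict in audit(SAMPLE).items():
        print(f"{verdict:12} {key}")
```

A "LEAK" verdict after a dial-up reconnect usually means the policy's source-address or egress-interface no longer matches the traffic; a "WRONG-NAT-IP" verdict means the Dialer renegotiated an address and the expected value passed to `audit` is stale, which is exactly why easy IP (translate to whatever the egress interface currently holds) is recommended above.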
FW1 configuration
#
sysname FW1
#
#
dialer-rule 1 ip permit
#
#
interface Dialer1
link-protocol ppp
ppp pap local-user PPPOE password cipher %$%$.p1/1d-BuE^wq@PE,'YS}Pb}%$%$
ppp ipcp dns admit-any
ip address ppp-negotiate
dialer user PPPOE
dialer bundle 1
dialer-group 1
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.0.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 10.3.0.1 255.255.255.128
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
dhcp select interface
dhcp server ip-range 10.3.0.1 10.3.0.125
dhcp server gateway-list 10.3.0.1
dhcp server dns-list 9.9.9.9
#
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
add interface Dialer1
#
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
#
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.3.0.0 25
action permit
rule name local_to_untrust
destination-zone untrust
action permit
#
#
nat-policy
rule name policy_nat_1
source-zone trust
egress-interface Dialer1
source-address 10.3.0.0 25
action nat easy-ip
#
#
return
SERV configuration
#
interface Virtual-Template10
remote address pool PPPOE
ip address unnumbered interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/0
pppoe-server bind Virtual-Template 10
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 8.8.8.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 9.9.9.1 255.255.255.0
#
#
ip route-static 1.1.1.0 255.255.255.0 Virtual-Template10
#
#
return
<SERV>
8.7 PPP
This section describes Point-to-Point Protocol (PPP) concepts and how to configure PPP.
8.7.1 Overview
The Point-to-Point Protocol (PPP) is a data link-layer protocol used to transmit and encapsulate network layer packets
on point-to-point (P2P) links.
Definition
A P2P connection is a simple WAN connection. Link layer protocols for PPP links are as follows:
PPP: supports both synchronous and asynchronous transmission.
High-level Data Link Control protocol (HDLC): only supports synchronous transmission.
PPP defines a set of protocols:
Link Control Protocol (LCP): used to establish, monitor, and terminate data links.
Network Control Protocol (NCP): used to establish and configure different network layer protocols and
negotiate the format and type of packets transmitted over data links.
Authentication protocols: include Password Authentication Protocol (PAP) and Challenge-Handshake
Authentication Protocol (CHAP).
Objective
Located at the data link layer of the Open Systems Interconnection (OSI) model, PPP supports both synchronous and
asynchronous full-duplex links to transmit data. PPP is widely used because it has the following advantages:
Provides user authentication.
Supports synchronous and asynchronous communications.
Is easily expanded.
8.7.2 Mechanism
This section describes the mechanism of Point-to-Point Protocol (PPP).
PPP Operation Process
Two devices establish a PPP link after they negotiate parameters using the following PPP protocols:
Link Control Protocol (LCP): establishes, monitors, and tears down PPP data links and determines data link
layer parameters, such as the maximum receive unit (MRU) and authentication mode.
Network Control Protocol (NCP): used by devices to negotiate formats and types of packets transmitted on data
links and IP addresses.
PPP-enabled devices on two ends of a link must send LCP packets to set up a P2P link.
After the LCP configuration parameters have been negotiated, the two communicating devices choose the
authentication mode according to the authentication parameters in the Configure-Request packets.
By default, the devices on the two ends do not authenticate each other. After the negotiation of the LCP configuration
parameters, the devices negotiate NCP configuration parameters without any authentication. After all the negotiations,
the two devices on the P2P link can transmit network-layer packets, and the whole link is available.
A link is torn down and a PPP session ends if one of the following situations occurs:
The device on either end receives an LCP or an NCP Terminate frame that aims at closing the link.
The physical layer cannot detect a carrier.
The network administrator shuts down the link.
NCP does not have the capability to close a link. The packets used to close the link are generated during the LCP
negotiation phase or application session phase.
Figure 8-71 shows the setup process of a PPP session and status transition.
Figure 8-71 PPP operation process
PAP
PAP supports two-way handshake authentication and simple passwords. The authentication process is performed in the
Link Establishment phase.
After the Link Establishment phase is complete, the user name and password of a supplicant are repeatedly sent to the
authenticator until authentication is successful or the link is ended.
PAP authentication is the optimal option when a password transmitted in plain text must be used to simulate logging
into a remote host.
Figure 8-72 shows the PAP authentication process.
Figure 8-72 PAP authentication process
CHAP
CHAP is a three-way handshake authentication protocol. CHAP authentication only allows user names to be
transmitted over a network. Compared with PAP, CHAP provides higher security because passwords are not
transmitted.
CHAP authentication is generally performed before the link is set up. However, it can be performed at any time using
CHAP negotiation packets.
After the Link Establishment phase ends, an authenticator sends a Challenge packet to a supplicant. After performing
the "one-way hash" algorithm, the supplicant returns a calculated value to the authenticator.
The authenticator compares the value it has calculated itself using the hash algorithm with the value provided by the
supplicant. If the two values match, authentication is successful. If the values do not match, authentication fails,
and the link is torn down.
Figure 8-73 shows the CHAP authentication process.
Figure 8-73 CHAP authentication process
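The PAP and CHAP exchanges described in the two sections above, as an added example that is not part of the original page or of the NGFW software. It builds the PAP Authenticate-Request (RFC 1334) and the CHAP Challenge/Response/Success/Failure packets with MD5 (RFC 1994), then shows what a capture of the link would reveal in each case, and why a captured CHAP Response cannot be replayed against a fresh challenge. The names `user`, `FW`, the identifier 7 and the secrets are constructed values.

```python
import hashlib
import hmac
import os
import struct

# PPP authentication packets share the header  Code(1) | Identifier(1) | Length(2)  (RFC 1334, RFC 1994).
PAP_AUTH_REQUEST = 1
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def _packet(code: int, ident: int, body: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


# ---- PAP (two-way handshake): the supplicant sends its name and password as they are ----
def pap_authenticate_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """Authenticate-Request: Peer-ID-Length, Peer-ID, Passwd-Length, Password."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return _packet(PAP_AUTH_REQUEST, ident, body)


def secret_on_wire(packets: bytes, secret: bytes) -> bool:
    """What a capture of the link shows: does the secret itself appear in the bytes sent?"""
    return secret in packets


# ---- CHAP with MD5 (three-way handshake): only a hash of (id || secret || challenge) crosses the link ----
def chap_challenge(ident: int, authenticator_name: bytes, challenge: bytes) -> bytes:
    """Challenge: Value-Size, Value (random), Name of the authenticator."""
    return _packet(CHAP_CHALLENGE, ident, bytes([len(challenge)]) + challenge + authenticator_name)


def chap_hash(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """The "one-way hash" of RFC 1994: MD5 over Identifier, shared secret and Challenge Value."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_response(ident: int, secret: bytes, challenge: bytes, supplicant_name: bytes) -> bytes:
    """Response: Value-Size, Value (the 16-byte digest), Name of the supplicant. No password is sent."""
    value = chap_hash(ident, secret, challenge)
    return _packet(CHAP_RESPONSE, ident, bytes([len(value)]) + value + supplicant_name)


def chap_verify(response: bytes, ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Authenticator side: recompute the digest with the stored secret and answer Success or Failure."""
    code, resp_id, length = struct.unpack("!BBH", response[:4])
    if code != CHAP_RESPONSE or resp_id != ident or length != len(response):
        return _packet(CHAP_FAILURE, ident, b"malformed response")
    value_size = response[4]
    value = response[5:5 + value_size]
    if hmac.compare_digest(value, chap_hash(ident, secret, challenge)):
        return _packet(CHAP_SUCCESS, ident, b"")
    return _packet(CHAP_FAILURE, ident, b"authentication failed")


def chap_accepted(result: bytes) -> bool:
    return result[0] == CHAP_SUCCESS


def demo(secret: bytes = b"s3cret-pass", wrong_secret: bytes = b"guess") -> dict:
    """Run one PAP exchange and one CHAP exchange and report what each exposes or rejects."""
    ident = 7
    challenge = os.urandom(16)                       # fresh random value per authentication round
    pap = pap_authenticate_request(ident, b"user", secret)
    chal = chap_challenge(ident, b"FW", challenge)
    good = chap_response(ident, secret, challenge, b"user")
    bad = chap_response(ident, wrong_secret, challenge, b"user")
    return {
        "pap_secret_on_wire": secret_on_wire(pap, secret),
        "chap_secret_on_wire": secret_on_wire(chal + good, secret),
        "chap_good_accepted": chap_accepted(chap_verify(good, ident, secret, challenge)),
        "chap_wrong_secret_rejected": not chap_accepted(chap_verify(bad, ident, secret, challenge)),
        # replaying a captured Response against a new challenge fails: the digest covers the challenge
        "chap_replay_rejected": not chap_accepted(chap_verify(good, ident, secret, os.urandom(16))),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28} {value}")
```

The two booleans `pap_secret_on_wire` (True) and `chap_secret_on_wire` (False) are the whole difference the text draws between the protocols. Note that CHAP still requires the authenticator to hold the secret in a form it can feed to MD5, which is why the configuration scripts store it with `password cipher` rather than as a one-way hash.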
Procedure
1. Display the system view.
system-view
Prerequisites
A NGFW functions as an authenticator and uses PAP to authenticate its peer. PAP authentication is performed locally
on the authenticator or on a remote authentication server. To implement PAP authentication, configure user accounts
and the authentication mode. If remote authentication is used, configure an authentication server as well. For more
information about PAP authentication, see Users and Authentication.
Context
PAP uses simple passwords and is the least secure authentication protocol. After a PPP link is established, the device
to be authenticated repeatedly sends a user name and a password until authentication is complete. During PAP
authentication, the transmitted user name and password are susceptible to interception.
By default, PPP packets are not authenticated.
Procedure
Configure an authenticator to authenticate the peer end in PAP mode.
1. Display the system view.
system-view
3. Configure the local end to authenticate its peer end in PAP mode.
ppp authentication-mode [ chap ] pap
The ppp authentication-mode chap pap command enables CHAP negotiation to take precedence over
PAP negotiation during LCP negotiation. If the authenticator supports neither of these two modes,
negotiation fails.
Configure the peer end to perform PAP authentication.
1. Display the system view.
system-view
3. Enable the local end to be authenticated by the peer end in PAP mode and send a PAP user name and a
password.
ppp pap local-user user-name password cipher password
Prerequisites
A NGFW functioning as an authenticator supports local and remote authentication. If local authentication is used, you
must configure a user account and an authentication mode. If remote authentication is used, you must also configure an
authentication server. For more information, see Users and Authentication.
If the NGFW is a supplicant, you must configure a user name, authentication mode, and an authentication server if a
user name is configured on the authenticator. For more information, see Users and Authentication.
Context
Devices enabled with CHAP authentication only transmit user names over a network. CHAP supports higher security
than the Password Authentication Protocol (PAP) because passwords are not transmitted.
By default, Point-to-Point Protocol (PPP) packets are not authenticated using CHAP.
Procedure
Configure an authenticator to use CHAP to authenticate the peer end when the user name is specified.
NOTE:
When an authenticator sets a user name, it must set the same password as the one configured on the authenticated end.
The ppp authentication-mode chap pap command enables CHAP negotiation to take precedence
over PAP negotiation during Link Control Protocol (LCP) negotiation. If the authenticator does not
support CHAP or PAP, LCP negotiation between the two devices fails.
4. Specify a local user name.
ppp chap user user-name
Configure the authenticator to authenticate the peer end in CHAP mode if the user name is not specified.
During authentication, the authenticator searches locally configured AAA user names. If the user name and
password configured on the peer interface match those on the local end, authentication succeeds.
Configure a NGFW that authenticates a peer end.
1. Display the system view.
system-view
The ppp authentication-mode chap pap command enables CHAP negotiation to take precedence
over PAP negotiation during LCP negotiation. If the authenticator does not support CHAP or PAP,
LCP negotiation between the two devices fails.
Configure a NGFW that is authenticated by the local NGFW.
1. Display the system view.
system-view
4. Set a password for the peer end to use CHAP to authenticate the local end.
ppp chap password cipher password
Context
Negotiation timeout period: If no response is received from the peer end within a specified interval during PPP
negotiation, PPP resends a negotiation request.
IP address negotiation: implemented in two modes based on device roles:
Client: When PPP is enabled on an interface, the interface IP address is not specified, and the IP address of
the peer end is specified, you can configure the IP address negotiation function for the local interface. The
local interface is assigned an IP address by the peer end during PPP negotiation. The configuration is
applicable when a NGFW accesses the Internet through an ISP network and obtains an IP address assigned
by the ISP.
Server: Before a server assigns an IP address to a peer device, you must configure a local IP address pool
in the authentication domain view, specify the range of IP addresses in the address pool, and determine the
address pool used by an interface in the interface view.
DNS server address negotiation: You can implement both DNS server address negotiation and PPP address
negotiation on a NGFW simultaneously. The NGFW can be configured with a DNS server address assigned
by or provided for the peer end.
A network access server (NAS) can allocate IP addresses to PPP users through PPP address negotiation. The address
allocation rules are as follows:
For the user not to be authenticated:
If the interface is configured with an IP address to be allocated to the peer, the NAS allocates the address to
the peer directly.
If the interface is configured with an IP address in the address pool, the NAS allocates the address in the
global address pool to the peer.
For the default domain user passing the authentication process (The default user name has two types: the name
excluding @, such as "aaa" and the name including @, such as "aaa@default"):
If the server has delivered an IP address, the NAS directly allocates this address to the peer.
If the server has delivered an IP address pool ID, the NAS allocates the address in the global or domain
address pool to the peer.
If the server has not delivered an address pool ID but the interface has an IP address pool, the NAS
allocates the address in this global address pool to the peer. If the interface is configured with an IP address
pool, the NAS allocates the address in the address pool to the peer.
For the authenticated common domain user:
If the server has delivered an IP address, the NAS directly allocates this address to the peer.
If the server has delivered an IP address pool ID, the NAS allocates the address in the domain address pool
to the peer.
If the server has not delivered either an IP address or address pool ID, the NAS traverses from the first
address pool in the domain to search for an available IP address.
NOTE:
In the above three cases, both the global address pool and domain address pool are traversed for one time. If all the addresses in the specified
global address pool or the domain address pool are used, the NAS no longer traverses the address pool for an available IP address and directly
returns an invalid IP address 0.0.0.0.
The following addresses cannot be configured as valid start or end addresses of an address pool:
Class A addresses X.255.255.255 and X.0.0.0
Class B addresses X.X.255.255 and X.X.0.0
Class C addresses X.X.X.255 and X.X.X.0
If the address pool contains these addresses, the addresses cannot be allocated.
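The allocation rules above are a decision procedure; the following is an added example that models them in Python (an educational model written for this page, not the NGFW implementation). It rejects the invalid pool boundary addresses just listed, hands out addresses from a pool in order, traverses each pool once, and returns the invalid address 0.0.0.0 when the pools it is allowed to use are exhausted, as the NOTE describes. The pool names, ranges and the domain `corp` in `scenario()` are constructed; the class D/E rejection is an assumption of the model.

```python
import ipaddress
from typing import Dict, List, Optional

INVALID_ADDRESS = "0.0.0.0"   # returned when the traversed pools are exhausted (NOTE above)


def is_valid_pool_boundary(addr: str) -> bool:
    """Reject the classful network and broadcast addresses the page lists as invalid start/end addresses."""
    o = [int(x) for x in addr.split(".")]
    if o[0] < 128:          # class A: X.0.0.0 and X.255.255.255
        host = o[1:]
    elif o[0] < 192:        # class B: X.X.0.0 and X.X.255.255
        host = o[2:]
    elif o[0] < 224:        # class C: X.X.X.0 and X.X.X.255
        host = o[3:]
    else:                   # class D/E: assumed unusable in a PPP address pool
        return False
    return not (all(h == 0 for h in host) or all(h == 255 for h in host))


class Pool:
    """An address pool that hands out addresses in order and refuses invalid boundaries."""

    def __init__(self, name: str, start: str, end: str):
        if not (is_valid_pool_boundary(start) and is_valid_pool_boundary(end)):
            raise ValueError(f"pool {name}: {start}-{end} has an invalid start or end address")
        first, last = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
        self.name = name
        self.free: List[str] = [str(ipaddress.ip_address(n)) for n in range(first, last + 1)]

    def take(self) -> Optional[str]:
        return self.free.pop(0) if self.free else None


class NAS:
    """Model of the three allocation cases: unauthenticated, default-domain and common-domain users."""

    def __init__(self) -> None:
        self.global_pools: Dict[str, Pool] = {}         # pool ID -> global pool
        self.domain_pools: Dict[str, List[Pool]] = {}   # domain -> ordered list of pools
        self.interface_peer_ip: Optional[str] = None    # fixed peer address configured on the interface
        self.interface_pool_id: Optional[str] = None    # global pool bound to the interface

    @staticmethod
    def _traverse(pools: List[Optional[Pool]]) -> str:
        """Each pool is traversed once; when none has a free address the NAS returns 0.0.0.0."""
        for pool in pools:
            addr = pool.take() if pool is not None else None
            if addr is not None:
                return addr
        return INVALID_ADDRESS

    def _domain_pool(self, domain: str, pool_id: str) -> Optional[Pool]:
        return next((p for p in self.domain_pools.get(domain, []) if p.name == pool_id), None)

    def allocate(self, authenticated: bool, domain: Optional[str] = None,
                 server_ip: Optional[str] = None, server_pool_id: Optional[str] = None) -> str:
        if not authenticated:                       # case 1: only what the interface is configured with
            if self.interface_peer_ip:
                return self.interface_peer_ip
            return self._traverse([self.global_pools.get(self.interface_pool_id or "")])
        if server_ip:                               # cases 2 and 3: the server delivered an address
            return server_ip
        if domain in (None, "default"):             # case 2: "aaa" or "aaa@default"
            if server_pool_id:
                pool = self.global_pools.get(server_pool_id) or self._domain_pool("default", server_pool_id)
                return self._traverse([pool])
            return self._traverse([self.global_pools.get(self.interface_pool_id or "")])
        if server_pool_id:                          # case 3: common-domain user, pool ID delivered
            return self._traverse([self._domain_pool(domain, server_pool_id)])
        return self._traverse(list(self.domain_pools.get(domain, [])))   # search the domain's pools in order


def scenario() -> Dict[str, str]:
    """Constructed setup: a 2-address global pool bound to the interface and a 1-address pool for domain 'corp'."""
    nas = NAS()
    nas.global_pools["1"] = Pool("1", "1.1.1.10", "1.1.1.11")
    nas.interface_pool_id = "1"
    nas.domain_pools["corp"] = [Pool("corp-pool", "10.8.0.2", "10.8.0.2")]
    return {
        "unauth_1": nas.allocate(authenticated=False),
        "unauth_2": nas.allocate(authenticated=False),
        "unauth_3_exhausted": nas.allocate(authenticated=False),
        "default_domain_server_ip": nas.allocate(True, "default", server_ip="1.1.1.200"),
        "corp_1": nas.allocate(True, "corp"),
        "corp_2_exhausted": nas.allocate(True, "corp"),
    }


if __name__ == "__main__":
    for who, addr in scenario().items():
        print(f"{who:26} {addr}")
```

The operational point is the 0.0.0.0 result: a client that negotiates that address has been silently refused, so pool exhaustion shows up as PPP users failing IPCP rather than as an explicit error, and pool sizing deserves monitoring.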
Procedure
Set the negotiation timeout.
1. Access the system view.
system-view
2. Select either of the following methods to assign an IP address to the peer device.
Configure a global IP address pool to assign IP addresses to PPP users.
a. Access the AAA view.
aaa
g. Prevent the client from using its own IP address when the server is configured to assign an IP
address to it.
ppp ipcp remote-address forced
h. Specify the IP address pool that is used when IP addresses are assigned to users.
remote address pool [ pool-number ]
g. Prevent the client from using its own IP address when the server is configured to assign an IP address to it.
ppp ipcp remote-address forced
h. Specify the IP address pool that is used when IP addresses are assigned to users.
remote address pool [ pool-number ]
When the device serves as the server, perform the following steps:
1. Access the system view.
system-view
3. Specify the IP address of the DNS server for the peer end.
ppp ipcp dns primary-dns-address [ secondary-dns-address ]
By default, the NGFW does not provide the DNS server address for the peer end.
When the device serves as the client, perform the following steps:
1. Access the system view.
system-view
3. Configure the local end to request the peer end for the IP address of the DNS server.
ppp ipcp dns request
4. Enable the device to use any DNS server address proposed by the peer end.
ppp ipcp dns admit-any
By default, the DNS server address proposed by the peer end is not accepted.
Set the negotiation WINS server address.
1. Access the system view.
system-view
3. Enable the device to use any WINS server address proposed by the peer end.
ppp ipcp nbns request
By default, the device does not request the IP address of the WINS server from the peer end.
Context
If the network delay is long or congestion is serious, you can lengthen the polling interval to reduce network flapping.
During the settings of polling intervals, ensure that the settings on both ends are identical.
Procedure
1. Access the system view.
system-view
8.7.3.6 Preventing the Peer Host Route from Being Added to the Local Routing Table as a Direct Route
You can decide whether a peer host route is added to the local routing table as a direct route.
Context
A PPP link does not strictly require that the peer and local routes exist on the same network segment. Two ends of the
PPP link on different network segments can communicate. In addition, the peer host route on a different network
segment is automatically added to local routing table of direct routes.
However, when one end is configured with an incorrect IP address, the other end automatically adds the incorrect peer
host route to the local routing table of direct routes. As a result, the incorrect routing information is advertised across
the network.
Procedure
1. Access the system view.
system-view
3. Prevent the peer host route from being added to the local routing table as a direct route.
ppp peer hostroute-suppress
NOTE:
The local routing table does not contain the peer host route as a direct route after the ppp peer hostroute-suppress command is
performed.
NOTICE:
Enabling the debugging deteriorates system performance. After the debugging is complete, run the undo debugging
all command to disable the debugging immediately.
For the description of the debugging commands, see Debugging Reference.
Table 8-109 lists the commands to debug PPP information.
Table 8-109 Debugging PPP
Action                                         Command
Enable the debugging of all PPP information.   debugging ppp all [ verbose ] [ interface interface-type interface-number ]
Enable the debugging of PPP EAP packets.       debugging ppp eap { all | error | event | packet | state }
Enable the debugging of PPP packets.           debugging ppp { ip | lqc | mpls-multicast | mpls-unicast | osi-npdu | scp | vjcomp } packet [ verbose ] [ interface interface-type interface-number ]
Enable the debugging of PPP core events.       debugging ppp core event [ interface interface-type interface-number ]
8.8 PPPoE
This section describes Point-to-Point Protocol over Ethernet (PPPoE) concepts and how to configure PPPoE, as well as
provides configuration examples.
8.8.1 Overview
PPPoE describes the method used to set up PPPoE sessions and encapsulate Point-to-Point Protocol (PPP) datagrams
over the Ethernet. These functions require a point-to-point (P2P) relationship between the peers instead of the
multi-point relationships that are available in the Ethernet and other multi-access environments.
Definition
PPP provides a standard method for transporting multi-protocol datagrams over point-to-point links. Although PPP is
widely used, it does not apply to an Ethernet. Therefore, the PPPoE technology was introduced. PPPoE is an extension
to PPP and applies PPP to an Ethernet.
PPPoE connects a network of Ethernet hosts to a remote access device to gain access to the Internet. PPPoE allows you
to perform access control and accounting on a per-host basis. PPPoE is widely used because it is highly cost-effective.
A common application scenario for PPPoE is constructing a network in a residential area.
Purpose
PPPoE performs the following functions when multiple users access a server using PPP links:
Provides cost effective access services for users and allows a few or no configuration changes. An Ethernet is
the most cost-effective networking mode.
Allows a service provider to connect multiple hosts at a remote site to the same access server and supports
access control and accounting functions in a way similar to dial-up services using PPP.
PPPoE enables a bridged access server to connect multiple hosts on a network to a remote access server.
NOTE:
A NGFW currently supports IPv4 PPPoE server and client functions and IPv6 client functions.
8.8.2 Mechanism
This section describes the Point-to-Point Protocol over Ethernet (PPPoE) mechanism.
PPPoE works in the client/server mode. PPPoE provides point-to-point connectivity over Ethernet networks by
encapsulating PPP packets in Ethernet frames.
Figure 8-74 shows the process for establishing an IPv4 PPPoE connection.
Figure 8-74 Process for establishing an IPv4 PPPoE connection
Discovery Phase
After the Discovery phase is complete, both ends of a connection obtain the PPPoE Session_ID and peer Ethernet
address. The PPPoE Session_ID and peer Ethernet address together define a unique PPPoE session.
The Discovery phase consists of the following steps:
1. A host broadcasts a PPPoE Active Discovery Initial (PADI) packet within a local Ethernet. This packet
contains service information required by the host.
NOTE:
A PPPoE server checks service names as follows:
If a PPPoE server is configured with a service name, a PPPoE client sends a PADI packet at the Discovery phase to the server
to request a connection.
If this PADI packet contains a non-null service name, the server examines whether the configured service name matches the
service name in this packet. If the service names match, the server provides follow-up services. If the service names do not
match, the server does not provide services.
The preceding situation applies when two service names are not null. If either of the service names is null, the server does not
check the service names and proceeds with the packet processing.
2. After receiving this PADI packet, the servers on the Ethernet compare the requested services with the
services they can provide. Then, each server that can provide the requested services sends back a PPPoE
Active Discovery Offer (PADO) packet.
3. Upon receipt, the host obtains information from the PADO packet and sends a PPPoE Active Discovery
Request (PADR) packet to the server.
4. The server generates a unique session identifier to identify a PPPoE session. Then, the server sends this
session identifier in a PPPoE Active Discovery Session-confirmation (PADS) packet to the host.
Once the server has sent the PADS packet and the host has received it, both the server and the host enter the
PPPoE Session phase.
Session Phase
The host encapsulates a PPP packet as the payload of a PPPoE frame inside an Ethernet frame before sending the
Ethernet frame to its peer. The Ethernet frame carries the Session_ID determined at the Discovery phase and the peer
MAC address. The PPP packet section in the frame begins at the Protocol ID. Session-phase Ethernet frames are unicast.
In the Session phase, either the host or server may send PPPoE Active Discovery Terminate (PADT) packets to
instruct the other to end this session.
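The Discovery and Session phases above, as an added example that is not Huawei code: RFC 2516 framing of PADI/PADO/PADR/PADS/PADT frames, the server's service-name rule from the note (a null name on either side skips the check), unique Session_ID allocation, and a per-peer-MAC session cap modelling the pppoe-server max-sessions remote-mac limit configured later in this section. The MAC addresses are taken from the page's display output; the AC name NGFW_B and the service name isp are constructed.

```python
import struct

PPPOE_DISCOVERY = 0x8863                    # Ethertype of Discovery-phase frames
PADI, PADO, PADR, PADS, PADT = 0x09, 0x07, 0x19, 0x65, 0xA7
TAG_END, TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ = 0x0000, 0x0101, 0x0102, 0x0103
BROADCAST = b"\xff" * 6


def build_frame(dst, src, code, session_id, tags):
    """Ethernet header + PPPoE header (ver=1, type=1) + TLV tags + End-Of-List."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    payload += struct.pack("!HH", TAG_END, 0)
    hdr = struct.pack("!HBBHH", PPPOE_DISCOVERY, 0x11, code, session_id, len(payload))
    return dst + src + hdr + payload


def parse_frame(frame):
    """Return (dst, src, code, session_id, [(tag, value), ...]); reject malformed input."""
    if len(frame) < 20:
        raise ValueError("frame too short")
    dst, src = frame[:6], frame[6:12]
    ethertype, ver_type, code, sid, length = struct.unpack("!HBBHH", frame[12:20])
    if ethertype != PPPOE_DISCOVERY or ver_type != 0x11:
        raise ValueError("not a PPPoE Discovery frame")
    end = 20 + length
    if end > len(frame):
        raise ValueError("PPPoE length field exceeds the frame")
    tags, off = [], 20
    while off + 4 <= end:
        tag, tlen = struct.unpack("!HH", frame[off:off + 4])
        off += 4
        if tag == TAG_END:
            break
        if off + tlen > end:
            raise ValueError("tag value runs past the payload")
        tags.append((tag, frame[off:off + tlen]))
        off += tlen
    return dst, src, code, sid, tags


def service_name_matches(configured, requested):
    """Server rule from the note: names are compared only when both are non-null."""
    return not configured or not requested or configured == requested


class PppoeServer:
    """Access concentrator side of the Discovery phase (constructed model)."""

    def __init__(self, mac, ac_name, service_name=b"", max_sessions_remote_mac=1):
        self.mac, self.ac_name, self.service_name = mac, ac_name, service_name
        self.max_per_peer = max_sessions_remote_mac   # pppoe-server max-sessions remote-mac
        self.sessions = {}                            # session_id -> peer MAC
        self._next_sid = 1                            # 0 is reserved; IDs are not reused here

    def handle(self, frame):
        """Process one Discovery frame and return the reply frame, or None."""
        _, peer, code, sid, tags = parse_frame(frame)
        tagmap = dict(tags)
        requested = tagmap.get(TAG_SERVICE_NAME, b"")
        echo = [(TAG_SERVICE_NAME, requested)]
        if TAG_HOST_UNIQ in tagmap:                   # Host-Uniq is always echoed back
            echo.append((TAG_HOST_UNIQ, tagmap[TAG_HOST_UNIQ]))
        if code == PADT:                              # either side may end the session
            self.sessions.pop(sid, None)
            return None
        if not service_name_matches(self.service_name, requested):
            return None                               # cannot serve: stay silent
        if code == PADI:
            return build_frame(peer, self.mac, PADO, 0, [(TAG_AC_NAME, self.ac_name)] + echo)
        if code == PADR:
            if sum(1 for m in self.sessions.values() if m == peer) >= self.max_per_peer:
                return None                           # per-peer-MAC cap reached: no PADS
            sid = self._next_sid
            self._next_sid += 1
            self.sessions[sid] = peer
            return build_frame(peer, self.mac, PADS, sid, echo)
        return None


def discovery_exchange(server, host_mac, service=b"", host_uniq=b"\x00\x01"):
    """Run PADI -> PADO -> PADR -> PADS in process; return the Session_ID or None."""
    req_tags = [(TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, host_uniq)]
    pado = server.handle(build_frame(BROADCAST, host_mac, PADI, 0, req_tags))
    if pado is None:
        return None
    _, ac_mac, code, _, tags = parse_frame(pado)
    if code != PADO or dict(tags).get(TAG_HOST_UNIQ) != host_uniq:
        return None                                   # not an offer for our request
    pads = server.handle(build_frame(ac_mac, host_mac, PADR, 0, req_tags))
    if pads is None:
        return None
    _, _, code, sid, _ = parse_frame(pads)
    return sid if code == PADS and sid != 0 else None


if __name__ == "__main__":
    # MACs from the page's display output; AC name and service name are constructed.
    ac = PppoeServer(bytes.fromhex("001882cfebed"), b"NGFW_B", service_name=b"isp")
    host = bytes.fromhex("0022a10011ab")
    print(discovery_exchange(ac, host, b"isp"))       # → 1
```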
Prerequisites
PPPoE authentication works in either local or remote mode. You must configure a user account and an authentication
mode to implement authentication. If remote authentication is used, you must also configure an authentication server.
For more information, see Users and Authentication.
A PPPoE server uses address pools to allocate IP addresses to many clients. The ip pool command creates an address
pool.
Context
You can use PPPoE to allow many hosts on a single Ethernet to connect to a peer server and create PPPoE sessions to
implement access control and accounting.
NOTICE:
An NGFW serves both as a PPPoE server to provide local access services and as a Layer 2 Tunneling Protocol (L2TP)
access concentrator (LAC) to provide remote dial-up services. After a PPPoE server is started and LAC configuration
is implemented on the NGFW, L2TP configuration takes precedence over PPPoE server configuration. For example, if
a user name is set to user123 in both L2TP and PPPoE configurations, the NGFW initiates a dial-up using the user
name user123 and performs L2TP authentication, not PPPoE authentication.
Procedure
1. Configure a Virtual-Template (VT) interface.
A PPPoE server communicates with its clients using a VT interface. If no IP address is specified on a client,
the PPPoE server allocates an IP address to the client. The IP address to be allocated must be specified on the
VT interface.
a. Display the system view.
system-view
c. Set an IP address.
ip address ip-address { mask | mask-length }
e. Optional: Prevent the client from using its own IP address when the server is configured to assign an IP
address to it.
ppp ipcp remote-address forced
g. Optional: Set an IP address of the DNS server for the peer end.
ppp ipcp dns primary-dns-address [ secondary-dns-address ]
Context
After configuring PPPoE, configure PPPoE parameters as required to optimize links. The configurations include:
Log the PPPoE user status changes.
Specify the maximum number of PPPoE sessions that can be set up using a local MAC address.
Specify the maximum number of PPPoE sessions that can be set up using a peer MAC address.
Specify the maximum number of PPPoE sessions that can be set up on the local system.
Procedure
Log PPPoE user status changes.
Set the maximum number of sessions that can be created using a local MAC address.
Specify the maximum number of sessions that can be created using a local MAC address.
pppoe-server max-sessions local-mac number
Set the maximum number of sessions that can be created using a peer MAC address.
Specify the maximum number of sessions that can be created using a peer MAC address.
pppoe-server max-sessions remote-mac number
Set the maximum number of sessions that can be created in the system.
Specify the maximum number of sessions that can be created in the system.
pppoe-server max-sessions total number
Context
Before establishing a PPPoE session, configure a dialer interface and its dialer bundle.
Each PPPoE session maps to a single dialer bundle, and each dialer bundle maps to a single dialer interface. A PPPoE
session can be created using a dialer interface.
Procedure
1. Display the system view.
system-view
Set a password for the peer end to use CHAP to authenticate the local end.
ppp chap password cipher password
NOTE:
The IP address negotiated by the device is a host IP address with a 32-bit mask. If the device needs to communicate with other
PPPoE clients, run the ip route-static command to manually configure a static route to their network segment.
NOTE:
The same group-number value must be specified in the dialer-rule and dialer-group commands.
11. Create a PPPoE session and specify the dialer bundle for the session.
pppoe-client dial-bundle-number number [ no-hostuniq ] [ idle-timeout seconds [ queue-
length packets ] ] [ ipv4 | ipv6 ]
Context
Before establishing a PPPoE session, configure a dialer interface and its dialer bundle.
Each PPPoE session maps to a single dialer bundle, and each dialer bundle maps to a single dialer interface. A PPPoE
session can be created using a dialer interface.
The way a dialer interface obtains an IPv6 address depends on the application scenario of an IPv6 PPPoE client.
When a device serves as a client that needs to access the Internet, the dialer interface can obtain an IPv6 address
using one of the following methods:
Stateless address autoconfiguration
DHCPv6
When a device serves as a gateway, the device supports the following functions:
(Optional) Obtains an IPv6 address using stateless address autoconfiguration.
Obtains a prefix using DHCPv6-PD and assigns prefixes to intranet users.
Procedure
1. Display the system view.
system-view
3. Configure an authentication mode. The server may use PAP or CHAP authentication. Configuring both PAP
and CHAP user names and passwords is recommended.
Configure PAP authentication.
Specify a PAP user name and a password.
ppp pap local-user user-name password cipher password
Configure the DHCPv6 client to obtain an IPv6 address from the server.
dhcpv6 client ia-address [ ipv6-address ] [ rapid-commit | unicast-option ] *
b. Configure the DHCPv6 client to obtain an IPv6 prefix from the server.
dhcpv6 client ia-prefix prefix-name prefix-name [ prefix-address/prefix-length ]
[ rapid-commit | unicast-option ] *
6. Configure the dialer bundle.
dialer bundle bundle-number
Follow-up Procedure
After the configurations are complete, the device obtains an IPv6 address or prefix.
To view the obtained IPv6 address or prefix, run either of the following commands:
display ipv6 auto-configuration prefix all: displays the IPv6 prefix and the derived IPv6 address that the
device uses stateless address autoconfiguration to obtain.
display dhcpv6 client { all | interface interface-type interface-number }: displays the IPv6 address that
the device uses DHCPv6 to obtain.
If the device serves as a gateway and uses DHCPv6-PD to obtain a prefix, the device uses RA messages to
assign prefixes to intranet users.
1. Run the display dhcpv6 client { all | interface interface-type interface-number } command to view the
IPv6 address obtained by the DHCPv6 client.
2. Run the undo ipv6 nd ra halt command in the interface view to enable RA advertisement.
3. Run the ipv6 nd ra prefix { ipv6-address ipv6-prefix-length | [ prefix-name ] ipv6-prefix/ipv6-prefix-
length } valid-lifetime preferred-lifetime [ no-autoconfig ] [ off-link ] command in the interface view to
configure a prefix in an RA message.
Display information about all PPPoE sessions or information about PPPoE session packets. display pppoe-server session { all | packet | statistic interface interface-type interface-number }
NOTICE:
Enabling the debugging deteriorates system performance. After the debugging is complete, run the undo debugging
all command to disable the debugging immediately.
For the description of the debugging commands, see Debugging Reference.
Table 8-111 lists the commands to debug PPPoE.
Table 8-111 Debugging PPPoE
Action Command
Enable the debugging of all PPPoE client information. debugging pppoe-client all [ interface interface-type interface-number ]
Enable the debugging of a PPPoE client. debugging pppoe-client [ data | error | event | packet | verbose ] [ interface interface-type interface-number ]
Enable the debugging of a PPPoE server. debugging pppoe-server [ data | error | event | packet ] [ interface interface-type interface-number ]
NOTICE:
Cleared PPPoE statistics cannot be recovered. Exercise caution when performing this operation.
You can run the command in Table 8-112 in the user view to clear PPPoE statistics.
Table 8-112 Clearing PPPoE statistics
Action Command
Clear statistics about PPPoE sessions on a specified interface. reset pppoe-server session statistic interface interface-type interface-number
Reset a session on a PPPoE client and re-establish a session later. reset pppoe-client { all | dial-bundle-number number }
Networking Requirements
As shown in Figure 8-75, NGFW_A functions as a PPPoE client, and NGFW_B functions as a PPPoE
server. NGFW_B assigns an IP address to NGFW_A, allowing PCs on networks A and B to communicate.
NGFW_B (server) runs PAP to authenticate NGFW_A (client). The user name is set to usera, and the password is set
to Password1. NGFW_B assigns NGFW_A the IP address 10.2.0.2.
Figure 8-75 IPv4 PPPoE networking
Procedure
1. # Configure NGFW_B.
# Configure interfaces and assign them to security zones.
<NGFW_B> system-view
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] quit
[NGFW_B] firewall zone untrust
[NGFW_B-zone-untrust] add interface GigabitEthernet 1/0/1
[NGFW_B-zone-untrust] quit
[NGFW_B] interface GigabitEthernet 1/0/3
[NGFW_B-GigabitEthernet1/0/3] ip address 10.4.0.1 24
[NGFW_B-GigabitEthernet1/0/3] quit
[NGFW_B] firewall zone trust
[NGFW_B-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW_B-zone-trust] quit
NOTE:
PAP is not a secure protocol, and CHAP is recommended.
[NGFW_B] interface virtual-template 1
[NGFW_B-Virtual-Template1] ppp authentication-mode pap
The command is used to configure the PPP authentication mode on the local end.
Confirm that the peer end adopts the corresponding PPP authentication. Continue[Y/N]: y
[NGFW_B-Virtual-Template1] ip address 10.2.0.1 24
[NGFW_B-Virtual-Template1] remote address pool 1
[NGFW_B-Virtual-Template1] quit
[NGFW_B] firewall zone untrust
[NGFW_B-zone-untrust] add interface virtual-template 1
[NGFW_B-zone-untrust] quit
2. Configure NGFW_A.
# Configure interfaces and assign them to security zones.
<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[NGFW_A-GigabitEthernet1/0/3] quit
[NGFW_A] firewall zone trust
[NGFW_A-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW_A-zone-trust] quit
[NGFW_A] firewall zone untrust
[NGFW_A-zone-untrust] add interface GigabitEthernet 1/0/1
[NGFW_A-zone-untrust] quit
Example
After completing the configuration, check statistics about PPPoE session packets.
Check statistics about PPPoE packets of the PPPoE server.
[NGFW_B] display pppoe-server session all
SID Intf State OIntf RemMAC LocMAC
1 Virtual-Template1:0 UP GE1/0/1 0022.a100.11ab 0018.82cf.ebed
Check statistics about PPPoE packets of the PPPoE client.
[NGFW_A] display pppoe-client session summary dial-bundle-number 1
PPPoE Client Session:
ID Bundle Dialer Intf Client-MAC Server-MAC State
1 1 1 GE1/0/1 0022a10011ab 001882cfebed PPPUP
Configuration Scripts
Configuration script for NGFW_A:
#
dialer-rule 1 ip permit
#
sysname NGFW_A
#
interface Dialer1
link-protocol ppp
ppp pap local-user usera password cipher %$%$UQ"HLOehx>*n^PPqyBQVaNE<%$%$
ip address ppp-negotiate
dialer user usera
dialer-group 1
dialer bundle 1
#
interface GigabitEthernet1/0/1
pppoe-client dial-bundle-number 1 ipv4
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
add interface dialer 1
#
ip route-static 10.4.0.0 24 dialer 1
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.3.1.0 24
destination-address 10.4.1.0 24
action permit
rule name policy_sec_2
source-zone untrust
destination-zone trust
source-address 10.4.1.0 24
destination-address 10.3.1.0 24
action permit
#
return
Networking Requirements
The NGFW shown in Figure 8-76 functions as an IPv6 PPPoE client and uses stateless address autoconfiguration to
obtain an IPv6 address from an IPv6 PPPoE server.
Figure 8-76 Networking diagram for configuring an IPv6 PPPoE client
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a PPPoE session and bind it to GigabitEthernet 1/0/1 of the NGFW to enable the interface to access
an IPv6 network.
2. Create a PPPoE user on a PPPoE server.
3. Enable stateless address autoconfiguration on NGFW so that a dialer interface can automatically obtain an
IPv6 address.
4. Configure a global unicast address for GigabitEthernet 1/0/1 on the PPPoE server and enable RA
advertisement to advertise the IPv6 prefix to GigabitEthernet 1/0/1 of the NGFW using a router
advertisement (RA) message.
Procedure
1. Configure the NGFW.
# Configure the NGFW as an IPv6 PPPoE client.
<NGFW> system-view
[NGFW] interface Dialer1
[NGFW-Dialer1] link-protocol ppp
[NGFW-Dialer1] ppp pap local-user admin-example password cipher Admin@123
[NGFW-Dialer1] dialer user admin-example
[NGFW-Dialer1] dialer bundle 1
[NGFW-Dialer1] quit
# Enable IPv6.
[NGFW] ipv6
Configuration Verification
1. After completing the configuration, run the display ipv6 auto-configuration prefix command on the NGFW.
The NGFW has obtained an IPv6 address with a prefix 3001::/64.
2. The PPPoE client can access the IPv6 network.
Configuration Script
#
sysname NGFW
#
ipv6
#
interface Dialer1
link-protocol ppp
ppp pap local-user admin-example password cipher (TT8F]Y\5SQ=^Q`MAF4<1!!
dialer user admin-example
dialer bundle 1
ipv6 enable
ipv6 address auto link-local
ipv6 address autoconfig
#
interface GigabitEthernet1/0/1
pppoe-client dial-bundle-number 1 ipv6
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
add interface Dialer 1
#
return
8.8.7.3 Example for Configuring an IPv6 PPPoE Client for DHCPv6-PD Address Assignment
This section provides an example for configuring an IPv6 PPPoE client for DHCPv6-PD address assignment.
An NGFW functions as an IPv6 PPPoE client and obtains an IPv6 prefix before assigning the prefix to PCs attached to
the NGFW. After obtaining the IPv6 addresses, the PCs can access IPv6 networks.
Networking Requirements
The NGFW shown in Figure 8-77 functions as an IPv6 PPPoE client and uses DHCPv6-PD to obtain an IPv6 prefix
from an IPv6 PPPoE server. The NGFW then connects PCs to the IPv6 network.
Figure 8-77 Networking diagram for configuring an IPv6 PPPoE client (for DHCPv6-PD address assignment)
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a PPPoE session and bind it to GigabitEthernet 1/0/1 of the NGFW to enable the interface to access
an IPv6 network.
2. Create a PPPoE user on a PPPoE server.
3. Enable stateless address autoconfiguration on NGFW so that the dialer interface can automatically obtain an
IPv6 address and an IPv6 prefix and assign the prefix to the PCs on the intranet.
4. Configure an address pool on the PPPoE server for DHCPv6-PD address assignment.
Procedure
1. Configure the NGFW.
# Configure the NGFW as an IPv6 PPPoE client.
<NGFW> system-view
[NGFW] interface Dialer1
[NGFW-Dialer1] link-protocol ppp
[NGFW-Dialer1] ppp pap local-user admin-example password cipher Admin@123
[NGFW-Dialer1] dialer user admin-example
[NGFW-Dialer1] dialer bundle 1
[NGFW-Dialer1] quit
# Enable IPv6.
[NGFW] ipv6
# Enable the DHCPv6 client to obtain IPv6 prefix 2001::1/64 and save the prefix in prefix pool abc.
[NGFW-Dialer1] dhcpv6 client enable
[NGFW-Dialer1] dhcpv6 client ia-prefix prefix-name abc 2001::1/64
2. Configure a PPPoE server. The configuration varies with devices. The configuration details are not provided.
# Create a PPPoE user with a user name admin-example and a password Admin@123, which are the same
as those on the PPPoE client.
# Configure a delegated prefix pool.
Configuration Verification
1. If the configurations are successful, a PC can obtain an IPv6 address with the prefix 2001::.
2. Check whether a PC can access the IPv6 network. If the PC can access the IPv6 network, the configuration is
successful. If the PC fails to access the IPv6 network, modify the configuration and try again.
Configuration Script
#
sysname NGFW
#
ipv6
#
interface Dialer1
link-protocol ppp
ppp pap local-user admin-example password cipher (TT8F]Y\5SQ=^Q`MAF4<1!!
dialer user admin-example
dialer bundle 1
ipv6 enable
ipv6 address auto link-local
ipv6 address autoconfig
dhcpv6 client enable
dhcpv6 client ia-prefix prefix-name abc 2001::1/64
#
interface GigabitEthernet1/0/1
pppoe-client dial-bundle-number 1 ipv6
#
interface GigabitEthernet1/0/3
undo ipv6 nd ra halt
ipv6 nd ra prefix abc 2001::1/64
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
add interface Dialer 1
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
action permit
rule name policy_sec_2
source-zone untrust
destination-zone trust
action permit
#
return
8.9.1 Overview
A MAC address table is an interface-based Layer 2 forwarding table. It stores information about the MAC addresses
learned by a device.
Table columns: MAC Address Entry | Configuration Method | Aging Time | Saved After the Device Restarts (Configurations are saved.)
When forwarding packets, the NGFW takes the following measures based on the mapping between the destination
MAC address in the received packet and the entry in the MAC address table:
If a mapping entry exists, the NGFW directly forwards the packet through the corresponding port.
If no mapping entry exists, the NGFW forwards the packet in broadcast mode.
After the broadcast packet is sent, the following situations may occur:
The packet reaches the device with the destination MAC address. The destination device replies to the
broadcast packet, and the MAC address of the destination device is included in the reply packet (namely,
the source MAC address of the reply packet).
After receiving the reply packet, the NGFW learns the source MAC address of the reply packet and adds
the MAC address to the MAC address table.
Therefore, packets with the source MAC address of the reply packet as the destination MAC address are
directly forwarded based on the entry.
The packet cannot reach the device with the destination MAC address. In this case, no entry is learned and the NGFW continues to broadcast the packet.
Prerequisites
Interfaces mapped to the MAC addresses in the MAC address table work in Layer 2 mode.
Procedure
1. Display the system view.
system-view
To configure MAC address entries in the interface view, perform the following steps:
a. Display the interface view.
interface interface-type interface-number
The value can be 0s or range from 30s to 65535s. If the seconds parameter is set to 0, a MAC address entry
never ages.
The default aging time is 300s.
Context
A limit rule for learning dynamic MAC addresses is applicable to insecure networks with fixed access users, such as
a cell access network or an intranet that lacks security management.
When the number of access users reaches the upper limit, the MAC addresses of new users cannot be learned, and the
packets of the new users are discarded.
NOTICE:
Before configuring a limit rule for learning dynamic MAC addresses, if learned MAC addresses exist on the port, run
the undo mac-address dynamic command in the system view to clear the MAC addresses. If this command is not run,
the limit rule cannot function properly.
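The forwarding and learning behaviour of the MAC address table described above (unicast for a known destination, broadcast for an unknown one, aging with 0 meaning no aging, and a per-interface limit under which frames from new users are discarded), as an added example that is not NGFW code. The port names and the static entry follow the page's own example; the other MAC addresses are constructed.

```python
class MacTable:
    """Interface-based Layer 2 forwarding table (constructed model of the page's description)."""

    def __init__(self, ports, aging_time=300):
        # Aging time in seconds: 0 means entries never age; otherwise 30..65535 (default 300).
        if aging_time != 0 and not 30 <= aging_time <= 65535:
            raise ValueError("aging time must be 0 or 30..65535 seconds")
        self.ports = set(ports)
        self.aging_time = aging_time
        self.entries = {}        # (mac, vlan) -> {"port", "static", "seen"}
        self.limits = {}         # port -> maximum number of dynamically learned entries

    def add_static(self, mac, vlan, port):
        """mac-address static: a fixed entry that is neither aged nor moved by learning."""
        self.entries[(mac, vlan)] = {"port": port, "static": True, "seen": None}

    def clear_dynamic(self):
        """undo mac-address dynamic: drop every learned entry, keep static ones."""
        self.entries = {k: e for k, e in self.entries.items() if e["static"]}

    def set_limit(self, port, maximum):
        """Limit rule for learning dynamic MAC addresses on a port. Per the NOTICE it must be
        applied to a port without learned entries, so refuse otherwise."""
        if self._dynamic_count(port):
            raise RuntimeError("clear dynamic MAC addresses before setting a limit")
        self.limits[port] = maximum

    def _dynamic_count(self, port):
        return sum(1 for e in self.entries.values()
                   if e["port"] == port and not e["static"])

    def _age(self, now):
        if self.aging_time == 0:
            return
        expired = [k for k, e in self.entries.items()
                   if not e["static"] and now - e["seen"] > self.aging_time]
        for k in expired:
            del self.entries[k]

    def forward(self, in_port, src, dst, vlan, now):
        """Learn the source MAC, then return the egress ports for the frame: one port for a
        known destination, all other ports for an unknown one (broadcast), and an empty
        list when the frame is discarded because the ingress port reached its learning limit."""
        self._age(now)
        entry = self.entries.get((src, vlan))
        if entry is None:
            limit = self.limits.get(in_port)
            if limit is not None and self._dynamic_count(in_port) >= limit:
                return []                              # new user beyond the limit: discard
            self.entries[(src, vlan)] = {"port": in_port, "static": False, "seen": now}
        elif not entry["static"]:
            entry["port"], entry["seen"] = in_port, now   # refresh (or move) the entry
        out = self.entries.get((dst, vlan))
        if out is None:
            return sorted(self.ports - {in_port})      # no mapping entry: broadcast
        return [out["port"]]                           # mapping entry: forward directly
```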
Procedure
1. Access the system view.
system-view
2. Access the Ethernet interface view.
interface interface-type interface-number
Display the aging time of MAC address entries. display mac-address aging-time
Display the limit rules for learning MAC addresses. display mac-limit [ interface-type interface-number ]
Networking Requirements
GigabitEthernet 1/0/3 on an NGFW works at Layer 2 and is connected to a server with MAC address 00e0-fa33-dc51 on
the network shown in Figure 8-79.
To help prevent the NGFW from flooding the server with packets, a static MAC address entry is configured on
the NGFW. This entry maps MAC address 00e0-fa33-dc51 to both GigabitEthernet 1/0/3 and VLAN1, to
which GigabitEthernet 1/0/3 is assigned. The NGFW sends packets destined for the server out of GigabitEthernet
1/0/3, instead of flooding the server with packets.
Figure 8-79 NGFW with a MAC address table
Procedure
1. Display the system view.
<NGFW> system-view
Configuration Script
#
sysname NGFW
#
interface GigabitEthernet1/0/3
portswitch
port link-type access
mac-address static 00e0-fa33-dc51 GigabitEthernet1/0/3 vlan 1
#
return
8.10 ARP
This section describes Address Resolution Protocol (ARP) concepts and how to configure ARP, as well as provides
configuration examples.
8.10.1 Overview
The Address Resolution Protocol (ARP) is at the link layer of the TCP/IP protocol suite. An Ethernet device must
support ARP. ARP dynamically maps Layer 3 IP addresses to Layer 2 Medium Access Control (MAC) addresses.
Definition
ARP maps IP addresses to MAC addresses. ARP entries are classified as static and dynamic ARP entries. In addition,
ARP provides extension application functions, such as proxy ARP and gratuitous ARP.
Objective
Each host or router in a local area network (LAN) has a 32-bit IP address for communicating with other hosts. IP
addresses are independent of hardware addresses. On an Ethernet, a host or a router transmits Ethernet frames based on
48-bit MAC addresses. A MAC address is also called a physical or hardware address. It is assigned to an Ethernet
interface when the device is manufactured. In actual networking, MAC and IP addresses must be mapped using an address
resolution mechanism.
ARP supports the following functions:
Dynamic ARP
ARP dynamically resolves an IP address into an Ethernet MAC address based on ARP packets. No network
administrator intervention is required.
Static ARP
Static ARP establishes a fixed mapping between the IP and MAC addresses, which cannot be dynamically
adjusted on a host or router. Network administrator intervention is required.
Proxy ARP
Also called routed proxy ARP. If a host is not configured with a default gateway address, the host can send an
ARP Request packet to request the destination host MAC address. After the device enabled with proxy ARP
receives the packet, it sends an ARP Reply packet containing its own MAC address so that internal hosts on
different physical networks but on the same network segment can communicate.
Gratuitous ARP
Gratuitous ARP checks existing IP addresses and declares new MAC addresses.
Authorized ARP
Authorized ARP, valid on only devices enabled with the DHCP server function, applies when the DHCP
server and DHCP client reside on the same network segment to prevent attackers from forging the IP
addresses or MAC addresses of legitimate DHCP clients to launch attacks.
8.10.2 Mechanism
This section describes the mechanism of the Address Resolution Protocol (ARP).
2. ARP reply
All hosts on the network, including host B, receive the ARP request packet. Only host B responds to the
ARP request packet. Host B shown in Figure 8-81 sends an ARP reply packet carrying a local MAC address
to host A.
Host A obtains host B's MAC address and uses this MAC address to communicate with host B.
Figure 8-81 ARP reply
Static ARP
Static ARP supports the fixed mappings between IP and MAC addresses. Hosts and routers involved cannot change
mappings dynamically. Static ARP is configured manually by network administrators.
Static ARP entries are used in the following situations:
A gateway on a local network segment is used to forward packets with destination addresses on other network
segments.
Packets with invalid IP addresses can be filtered out by binding these IP addresses to a nonexistent MAC
address.
IP addresses are bound to MAC addresses to defend against attacks, such as ARP flood attacks.
Static ARP entries have a higher priority than dynamic ARP entries. When you configure a static ARP entry for an IP
address that maps to a dynamic ARP entry in the ARP table, the static ARP entry replaces the dynamic ARP entry.
Proxy ARP
Proxy ARP is a technique by which a device on a given network answers the ARP queries for a network address that is
not on that network.
Proxy ARP has the following features:
All processing is performed on the ARP subnet gateways; hosts on the networks need no changes.
Any host sees a standard IP network, not a subnet.
Proxy ARP affects only the ARP caches on hosts, not the ARP caches or routing tables on gateways.
After proxy ARP is enabled, set a short ARP aging time so that stale ARP entries are invalidated quickly, reducing
the number of packets that are sent to routers but cannot be forwarded by them.
The NGFW supports two proxy ARP modes:
Routed proxy ARP
Allows communication between hosts or routers in the same network segment but on different physical
networks.
In actual situations, if no default gateway address is set on a host connected to a router (the proxy to this
network is unknown), the router cannot forward data for this host. Routed proxy ARP resolves this issue: when
the host sends an ARP request for the MAC address of the destination host, the proxy ARP-enabled router
returns an ARP reply containing its own MAC address.
Inner-VLAN proxy ARP
Allows communication between hosts or routers in the same VLAN configured with user isolation.
If two users belong to one VLAN and the VLAN is configured with user isolation, inner-VLAN proxy ARP
must be enabled on the interface associated with the VLAN for communication between the users.
As shown in Figure 8-82, HOST_A and HOST_B are attached to the NGFW. The interfaces connecting
the NGFW to the hosts belong to VLAN 10, and the hosts are isolated on the switch. The hosts cannot
communicate at Layer 2. You can enable inner-VLAN proxy ARP on the interfaces of the NGFW to resolve
this issue. If the NGFW receives an ARP request that is not destined for itself, it does not discard the packet.
Instead, it searches the ARP table for an ARP entry related to HOST_B. If the ARP entry is found,
the NGFW sends its MAC address to HOST_A and forwards the packets from HOST_A to HOST_B. In this
manner, the NGFW serves as a proxy for HOST_B.
Figure 8-82 Networking diagram for inner-VLAN proxy ARP
Dynamic ARP
Dynamic ARP dynamically and automatically resolves IP addresses into Ethernet MAC addresses. Dynamic ARP does
not require the involvement of an administrator.
An NGFW creates or updates an ARP entry if a received ARP packet satisfies any of the following conditions:
The ARP packet carries a non-broadcast source address that is on the same network segment as the inbound
interface address. The ARP packet is bound for the IP address of the inbound interface.
The ARP packet carries a non-broadcast source address that is on the same network segment as the inbound
interface address. The ARP packet is bound for the virtual IP address of a Virtual Router Redundancy
Protocol (VRRP) backup group created on the inbound interface.
The ARP packet is bound for an address in a Network Address Translation (NAT) address pool configured on
the inbound interface.
If the source IP address of the received ARP packet maps to an ARP entry of the inbound interface, the NGFW also
updates the ARP entry.
Gratuitous ARP
Gratuitous ARP enables a device to send an ARP Request packet to its own IP address. Gratuitous ARP provides the
following functions:
IP address conflict detection: If a device receives no reply to a gratuitous ARP request packet, its IP address is
unique. If the device receives an ARP reply packet in response to the gratuitous ARP request packet, there is an
IP address conflict.
New MAC address advertising: If a device has its NIC replaced and its MAC address is changed, the device
sends a gratuitous ARP to notify all hosts of the MAC address update before the ARP entry aging time
elapses.
Authorized ARP
Authorized ARP allows a DHCP server to automatically add an ARP entry that contains the MAC and IP addresses of
the client after assigning an IP address to the client.
Authorized ARP entries
Authorized ARP entries do not age. After a DHCP server logs out DHCP clients, the DHCP server
automatically deletes their authorized ARP entries from an ARP table.
Authorized ARP entries have higher priorities than dynamic ARP entries, but lower than static ARP entries. A
new authorized ARP entry overrides a duplicate dynamic ARP entry, but not a duplicate static ARP entry. The
authorized ARP entry can be overridden by a duplicate static ARP entry.
Working mechanism
Authorized ARP combines the ARP and DHCP working mechanisms. The authorized ARP function is only
available on devices with the DHCP server function enabled when the DHCP server and client reside on the
same network segment. Authorized ARP is not applicable to DHCP relay scenarios.
The authorized ARP mechanism is as follows:
1. A DHCP client broadcasts a DHCPDISCOVER message. After receiving this message, a DHCP server
replies with a DHCPOFFER message carrying network parameters, including an IP address.
2. If many DHCP servers send DHCPOFFER messages to the client at the same time, the client accepts the
first DHCPOFFER message. The client then broadcasts a DHCPREQUEST message to all DHCP servers.
The DHCPREQUEST message contains the MAC address of the DHCP client and IP address request.
3. After the selected DHCP server receives the DHCPREQUEST message, the DHCP server sends a
DHCPACK message to the client. The message contains network parameters, including the assigned IP
address. Meanwhile, the DHCP server automatically adds an authorized ARP entry that contains the IP
and MAC addresses of the DHCP client.
4. The DHCP server uses the authorized ARP entry to prevent DHCP clients from dynamically learning
MAC addresses in invalid ARP responses. An attacker forges the IP or MAC address of a valid DHCP
client to originate an ARP request. Upon receipt, the DHCP server (gateway) finds that the IP or MAC
address in the request does not match an authorized ARP entry and sends no response. The attacker,
therefore, cannot access the network, which improves network security. The address of the DHCP server
is the same as the gateway address when the DHCP server and client reside on the same network segment.
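The entry priorities (static above authorized above dynamic), the dynamic-learning conditions and the authorized-ARP reply check described above, as an added example that is not NGFW code. The Interface and ArpPacket records are simplified, VRRP and NAT pool membership are modelled as plain address sets, and all addresses used are constructed.

```python
import ipaddress
from dataclasses import dataclass

STATIC, AUTHORIZED, DYNAMIC = 3, 2, 1      # priority: static > authorized > dynamic


@dataclass
class Interface:
    name: str
    ip: str                                # interface address, e.g. "10.1.1.1/24"
    vrrp_vips: frozenset = frozenset()     # VRRP virtual IPs of backup groups on it
    nat_pool: frozenset = frozenset()      # NAT address pool configured on it


@dataclass
class ArpPacket:
    op: str                                # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


class ArpTable:
    def __init__(self):
        self.entries = {}                  # ip -> (mac, type, inbound interface name)

    def install(self, ip, mac, etype, iface_name):
        """Add or replace an entry; a weaker type never overrides a stronger one."""
        cur = self.entries.get(ip)
        if cur is not None and cur[1] > etype:
            return False
        self.entries[ip] = (mac, etype, iface_name)
        return True

    def learnable(self, pkt, iface):
        """Conditions under which a received ARP packet creates or updates an entry."""
        local = ipaddress.ip_interface(iface.ip)
        sender = ipaddress.ip_address(pkt.sender_ip)
        same_segment = sender in local.network and sender != local.network.broadcast_address
        if same_segment and pkt.target_ip == str(local.ip):
            return True                    # bound for the inbound interface address
        if same_segment and pkt.target_ip in iface.vrrp_vips:
            return True                    # bound for a VRRP virtual IP on the interface
        if pkt.target_ip in iface.nat_pool:
            return True                    # bound for a NAT pool address on the interface
        cur = self.entries.get(pkt.sender_ip)
        return cur is not None and cur[2] == iface.name   # refresh an entry of this interface

    def receive(self, pkt, iface):
        """Dynamic ARP: learn from the packet when the conditions hold."""
        if self.learnable(pkt, iface):
            return self.install(pkt.sender_ip, pkt.sender_mac, DYNAMIC, iface.name)
        return False

    def on_dhcp_ack(self, client_ip, client_mac, iface):
        """Authorized ARP: the DHCP server pins the assigned address to the client's MAC."""
        return self.install(client_ip, client_mac, AUTHORIZED, iface.name)

    def on_dhcp_release(self, client_ip):
        """Authorized entries do not age; they are removed when the client logs out."""
        cur = self.entries.get(client_ip)
        if cur is not None and cur[1] == AUTHORIZED:
            del self.entries[client_ip]

    def answer_request(self, pkt, iface):
        """Gateway reply decision: a request whose sender IP or MAC contradicts an
        authorized entry is the forged-client case described above and gets no reply."""
        if pkt.op != "request" or pkt.target_ip != str(ipaddress.ip_interface(iface.ip).ip):
            return False
        for ip, (mac, etype, _) in self.entries.items():
            if etype == AUTHORIZED and (ip == pkt.sender_ip) != (mac == pkt.sender_mac):
                return False               # IP or MAC of a legitimate client reused: ignore
        return True
```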
Context
A static ARP entry is manually added. It does not age and cannot be overwritten by a dynamic ARP entry. Static ARP
entries are valid as long as the device works properly.
Static ARP entries improve communication security. Static ARP entries ensure communication between a local device
and a specified device using the specified MAC address. Attackers cannot modify the mapping between IP and MAC
addresses in static ARP entries.
Procedure
1. Access the system view.
system-view
To configure a common static ARP entry in a virtual local area network (VLAN), perform the following
steps:
Configure a static ARP entry.
arp static ip-address mac-address vid vlan-id
If the interface of a specified VLAN is bound to a virtual private network (VPN), the device can
automatically associate the configured static ARP entry with the VPN. This command is applicable to
port-based VLANs.
Bind the static entry to a VPN instance.
arp static ip-address mac-address [ vpn-instance vpn-instance-name ] vid vlan-id
This command is applicable to a sub-interface that supports VLAN and can be bound to a VPN
instance.
To configure a static ARP entry in a VPN instance, run:
arp static ip-address mac-address vpn-instance vpn-instance-name
Example
# Map the Ethernet MAC address 0022-a101-2259 to the IP address 192.168.0.1.
<NGFW> system-view
[NGFW] arp static 192.168.0.1 0022-a101-2259
Follow-up Procedure
Run the display arp static command to view the static ARP entry.
<NGFW> display arp static
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/PVC
------------------------------------------------------------------------------
192.168.0.1 0022-a101-2259 S
------------------------------------------------------------------------------
Total:1 Dynamic:0 Static:1 Interface:0 Authorized:0 SNMP:0
The TYPE field displays S, which indicates a static ARP entry. If the EXPIRE (M) field is null, the entry does not
age.
Context
If the device needs to update ARP entries frequently, reduce the aging timeout period of ARP entries and increase the
aging detection frequency.
Procedure
1. Access the system view.
system-view
If the multicast MAC address learning function is disabled, the NGFW can learn only unicast MAC
addresses from ARP packets.
On the network shown in Figure 8-83, the NGFW works at Layer 3 and the switch works at Layer 2. The
server cluster has a virtual IP address and a virtual MAC address which is a multicast address.
The NGFW needs the virtual MAC address of the server cluster in order to forward service packets from
clients to the server cluster. Enable MAC address learning on interface GigabitEthernet1/0/2 so that
the NGFW can learn this address.
Figure 8-83 A standalone firewall learning the MAC address
To enhance network availability, you can deploy two NGFWs to implement dual-system hot backup, as
shown in Figure 8-84. A routing loop is formed if multicast MAC address learning is enabled on the NGFWs
in dual-system hot backup deployment. The following example explains how the routing loop is formed on
Switch_Active.
a. NGFW_Active (the active firewall) encapsulates the MAC address of the server cluster into a service
packet from a client and forwards the packet to Switch_Active.
b. Switch_Active broadcasts this packet. Switch_Standby receives the broadcast packet and forwards it
to NGFW_Standby (the standby firewall).