MA5800 Security Hardening and Maintenance Guide 08
Uploaded by
soporteMA5800 Security Hardening and Maintenance Guide 08
Uploaded by
soporteSmartAX MA5800
Security Hardening and Maintenance
Guide
Issue 08
Date 2024-03-30
HUAWEI TECHNOLOGIES CO., LTD.
Copyright © Huawei Technologies Co., Ltd. 2024. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: https://www.huawei.com
Email: [email protected]
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. i
Security Declaration
Vulnerability
Huawei's regulations on product vulnerability management are subject to the Vul. Response Process.
For details about this process, visit the following web page:
https://www.huawei.com/en/psirt/vul-response-process
For vulnerability information, enterprise customers can visit the following web page:
https://securitybulletin.huawei.com/enterprise/en/security-advisory
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. ii
SmartAX MA5800
Security Hardening and Maintenance Guide About This Document
About This Document
Purpose
This document describes how to harden and maintain the optical line terminals (OLTs) in an
access network.
The packet capturing feature may obtain, use, or store personal communication contents to
ensure network operations and services. Huawei cannot unilaterally collect or store users'
communications data. It is recommended that operators enable the corresponding functions
only in compliance with the applicable laws and regulations. You are obligated to take
sufficient measures to ensure that users' communications data is strictly protected when the
data is used or saved.
Intended Audience
This document is intended for:
Commissioning and configuration engineers
Field maintenance engineers
Network monitoring engineers
System maintenance engineers
Engineers performing network operations must have the following experience and skills:
Be familiar with the networking of the live network and versions of network elements
(NEs) on the network.
Have experience in equipment maintenance and master O&M modes of devices.
Symbol Conventions
The symbols that may be found in this document are described in the following table.
Symbol Description
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. iii
SmartAX MA5800
Security Hardening and Maintenance Guide About This Document
Symbol Description
Indicates a hazard with a high level of risk which, if not
avoided, will result in death or serious injury.
Indicates a hazard with a medium level of risk which, if not
avoided, could result in death or serious injury.
Indicates a hazard with a low level of risk which, if not avoided,
could result in minor or moderate injury.
Used to transmit device or environment security warning
information, if not avoided, could result in equipment damage,
data loss, performance deterioration, or unanticipated results.
NOTICE is used to address practices not related to personal
injury.
Supplements the important information in the main text.
NOTE is used to address information not related to personal
injury, equipment damage, and environment deterioration.
Change Description
Issue Release Date Change Description
08 2024-03-30 Released with the V100R023C10 version.
07 2023-06-30 Released with the V100R023C00 version.
Added section 2 Security Configuration.
06 2023-03-20 Released with the V100R022C10 version.
05 2022-06-30 Released with the V100R022C00 version.
Modified section 4.2.1.3 Log Maintenance Suggestions.
Modified section 4.2.1.4 Digital Certificate Maintenance
Suggestions.
04 2022-02-28 Released with the V100R021C10 version.
Added section 4.2.1.5 Remote Attestation.
Modified the recommended secure algorithms in 3.2.1.2.2
SSH Login.
03 2021-06-21 1. Updated the security risk warning in 3.2.1.2.2 SSH Login.
2. Added section 4.2.1.4 Digital Certificate Maintenance
Suggestions.
02 2021-02-26 1. Added section 3.3.2.12 Configuring ARP Anti-Spoofing.
2. Optimized the document structure and content.
3. Add the Table 3-1 list.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. iv
SmartAX MA5800
Security Hardening and Maintenance Guide About This Document
Issue Release Date Change Description
01 2020-10-31 The issue is the first official release.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. v
SmartAX MA5800
Security Hardening and Maintenance Guide Contents
Contents
About This Document ................................................................................................................... iii
1 Security Hardening and Maintenance Overview ................................................................... 1
2 Security Configuration................................................................................................................. 3
2.1 Introduction to Security Configuration ......................................................................................................................... 3
2.2 Level 1 Security Configurations (Mandatory) .............................................................................................................. 8
2.2.1 Management Security ................................................................................................................................................ 8
2.2.1.1 Account and Password Management Security ........................................................................................................ 8
2.2.1.1.1 Setting a Valid Brute-Force Attack Defense Policy ............................................................................................. 8
2.2.1.1.2 Changing the Preset Password of a Default User ................................................................................................. 9
2.2.1.2 Device Login Security ............................................................................................................................................ 9
2.2.1.2.1 Disabling Insecure Telnet Services ...................................................................................................................... 9
2.2.1.3 Configuring the SSH Authentication Mode and Key ............................................................................................ 10
2.2.1.3.1 Disabling SSH Server Compatibility with an SSH1.X Client ........................................................................... 10
2.2.1.3.2 Configuring a Secure Key Exchange Algorithm on an SSH Server .................................................................. 11
2.2.1.3.3 Configuring a Secure Data Encryption Algorithm on an SSH Server ............................................................... 11
2.2.1.3.4 Configuring a Secure Public Key Algorithm on an SSH Server ........................................................................ 12
2.2.1.3.5 Configuring a Secure Data Integrity Check Algorithm on an SSH Server ........................................................ 13
2.2.1.3.6 Configuring the Number of Bits in the Secure DH Algorithm on an SSH Server ............................................. 13
2.2.1.4 Configuring a Secure TLS Communication Channel ........................................................................................... 14
2.2.1.4.1 Configuring a Secure TLS Protocol Version ...................................................................................................... 14
2.2.2 Control Plane ........................................................................................................................................................... 15
2.2.2.1 Defense Against IP/ICMP Attacks on the User Side ............................................................................................. 15
2.2.2.1.1 Configuring Defense Against ICMP DoS Attacks ............................................................................................. 15
2.2.2.1.2 Configuring Defense Against ICMPv6 DoS Attacks ......................................................................................... 15
2.2.2.1.3 Configuring Defense Against IP Packet DoS Attacks ........................................................................................ 16
2.2.2.1.4 Configuring Defense Against IPv6 Packet DoS Attacks .................................................................................... 17
2.2.2.2 Defense Against Abnormal Packet Attacks on the User Side ............................................................................... 17
2.2.2.2.1 Configuring Defense Against Invalid ARP Packet Attacks ................................................................................ 17
2.2.2.2.2 Configuring Defense Against Invalid ND Packet Attacks ................................................................................. 18
2.2.2.2.3 Configuring Defense Against Attacks of ND Packets with Invalid Hop Limits ................................................ 19
2.2.3 Line Security ............................................................................................................................................................ 20
2.2.3.1 PON Line Security ................................................................................................................................................ 20
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. vi
SmartAX MA5800
Security Hardening and Maintenance Guide Contents
2.2.3.1.1 Enabling OMCI Packet Encryption for GPON Line Management .................................................................... 20
2.2.3.1.2 Enabling Encryption of Unicast GEM Port Service Packets on a GPON Line.................................................. 21
2.2.3.1.3 Enabling Automatic Update of the Encryption Key on a GPON Line ............................................................... 23
2.2.3.1.4 Enabling Encryption on an EPON Line ............................................................................................................. 24
2.3 Level 2 Security Configurations (Optional)................................................................................................................ 25
2.3.1 Management Plane................................................................................................................................................... 25
2.3.1.1 Account and Password Management Security ...................................................................................................... 25
2.3.1.1.1 Configuring a Proper Password Validity Period ................................................................................................ 25
2.3.1.1.2 Configuring the Idle User Lockout Policy ......................................................................................................... 26
2.3.1.2 SNMP Management Device Security ................................................................................................................... 27
2.3.1.2.1 Configuring a Secure SNMP Protocol Version .................................................................................................. 27
2.3.1.2.2 Configuring a Secure SNMP User Authentication Mode................................................................................... 27
2.3.1.2.3 Configuring a Secure SNMP Encryption Mode ................................................................................................. 28
2.3.1.2.4 Configuring a Secure SNMPv3 User Group Security Level .............................................................................. 29
2.3.1.3 Configuring the SSH Authentication Mode and Key ............................................................................................ 29
2.3.1.3.1 Configuring a Secure Key Exchange Algorithm on an SSH Client ................................................................... 29
2.3.1.3.2 Configuring a Secure Data Encryption Algorithm on an SSH Client ................................................................ 30
2.3.1.3.3 Configuring a Secure Public Key Algorithm on an SSH Client ......................................................................... 31
2.3.1.3.4 Configuring a Secure Data Integrity Check Algorithm on an SSH Client ......................................................... 31
2.3.1.3.5 Configuring the Number of Bits in the Local RSA Key Pair for SSH ............................................................... 32
2.3.1.3.6 Configuring the Number of Bits in the Peer RSA Key Pair for SSH ................................................................. 33
2.3.1.4 Configuring a Secure File Transfer Mode............................................................................................................. 33
2.3.1.4.1 Configuring a Secure FTP Protocol ................................................................................................................... 33
2.3.1.4.2 Configuring the SFTP Server Authentication Function ..................................................................................... 34
2.3.1.5 Configuring a Secure TLS Communication Channel ........................................................................................... 35
2.3.1.5.1 Configuring a Secure SSL Algorithm Suite ....................................................................................................... 35
2.3.1.6 Configuring a Secure Log Transmission Channel ................................................................................................ 35
2.3.1.6.1 Configuring a Secure Syslog Transmission Channel ......................................................................................... 35
2.3.1.7 Server Protocol Source Interface and Source IP Address Management ................................................................ 36
2.3.1.7.1 Binding the Server Protocol to the Source Interfaces ........................................................................................ 36
2.3.1.7.2 Binding the Server Protocol to an All-Zero IP Address ..................................................................................... 37
2.3.1.8 Configuring a Security Channel with Remote Software Commissioning ............................................................. 37
2.3.1.8.1 Configuring a Secure TLS Channel for NAC Remote Software Commissioning ............................................. 37
2.3.1.8.2 Configuring Identity Authentication by Device Certificate for NAC Remote Software Commissioning on an
Extended Subrack ............................................................................................................................................................. 38
2.3.2 Data Plane ................................................................................................................................................................ 39
2.3.2.1 Configuring a System Master Key ........................................................................................................................ 39
2.3.2.1.1 Configuring the Automatic Update Policy for the System Master Key ............................................................. 39
2.3.3 Control Plane ........................................................................................................................................................... 40
2.3.3.1 Defense Against Control Packet DoS Attacks on the User Side ........................................................................... 40
2.3.3.1.1 Configuring a Rate Limit Against Broadcast Attacks ........................................................................................ 40
2.3.3.2 Defense Against Control Packet Spoofing on the User Side ................................................................................ 41
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. vii
SmartAX MA5800
Security Hardening and Maintenance Guide Contents
2.3.3.2.1 Configuring Defense Against IP Spoofing ......................................................................................................... 41
2.3.3.2.2 Configuring Defense Against IPv6 Spoofing ..................................................................................................... 42
2.3.3.2.3 Configure Defense Against MAC Address Spoofing ......................................................................................... 43
2.3.3.2.4 Configuring Defense Against MAC Address Flapping ...................................................................................... 44
2.3.3.2.5 Configuring Source Route Filter ........................................................................................................................ 46
2.3.3.3 Configuring Routing Protocol Communication Security ...................................................................................... 46
2.3.3.3.1 Configuring a Secure Authentication Mode for an OSPF Area ......................................................................... 46
2.3.3.3.2 Configuring a Secure Authentication Mode for OSPF Interfaces ...................................................................... 47
2.3.3.3.3 Configuring a Secure Authentication Mode for OSPFv3 Interfaces .................................................................. 48
2.3.3.3.4 Configuring a Secure Authentication Mode for OSPF Vlink Peers ................................................................... 49
2.3.3.3.5 Configuring a Secure Authentication Algorithm for LDP Public Network Peers .............................................. 50
2.3.3.3.6 Configuring a Secure Authentication Mode for RSVP Interfaces ...................................................................... 51
2.3.3.3.7 Configuring a Secure Authentication Mode for RSVP Peers ............................................................................. 52
2.3.3.3.8 Configuring a Secure Authentication Mode for BGP ........................................................................................ 52
2.3.3.3.9 Configure a Secure Authentication Mode for IS-IS ........................................................................................... 53
2.3.3.3.10 Configuring a Secure Authentication Mode for IS-IS Hello Packets ............................................................... 54
2.3.3.3.11 Configuring a Secure Authentication Algorithm for RIP Packets .................................................................... 55
2.3.3.4 Configuring NTP Clock Protocol Communication Security ................................................................................. 56
2.3.3.4.1 Configuring a Secure Authentication Algorithm for NTP ................................................................................. 56
2.3.4 Line Security ............................................................................................................................................................ 57
2.3.4.1 PON Line Security ................................................................................................................................................ 57
2.3.4.1.1 Enabling Encryption of Multicast GEM Port Service Packets on a GPON Line ............................................... 57
3 Security Hardening ..................................................................................................................... 59
3.1 Overview .................................................................................................................................................................... 59
3.2 Level-1 Security Hardening Policies and Configurations (Mandatory) ...................................................................... 60
3.2.1 Management Plane................................................................................................................................................... 60
3.2.1.1 Account and Password Management Security ...................................................................................................... 60
3.2.1.1.1 Changing Default Passwords ............................................................................................................................. 60
3.2.1.1.2 CLI Login Account and Password Management ............................................................................................... 67
3.2.1.2 Device Login Security .......................................................................................................................................... 68
3.2.1.2.1 Telnet Login ....................................................................................................................................................... 70
3.2.1.2.2 SSH Login ......................................................................................................................................................... 70
3.2.1.3 SNMP Management Device Security ................................................................................................................... 73
3.2.1.4 Service Port Management Security ....................................................................................................................... 76
3.2.1.5 Server Protocol Source Interface and Source IP Address Management ................................................................ 78
3.2.2 Control Plane ........................................................................................................................................................... 79
3.2.2.1 Configuring a Firewall .......................................................................................................................................... 79
3.2.2.2 Configuring Service and Management Isolation................................................................................................... 82
3.2.3 End-user Plane ......................................................................................................................................................... 84
3.2.3.1 Configuring Anti-DoS Protection ......................................................................................................................... 84
3.2.3.2 Preventing MAC Address Flapping ...................................................................................................................... 85
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. viii
SmartAX MA5800
Security Hardening and Maintenance Guide Contents
3.2.3.3 GPON Channel Encryption................................................................................................................................... 87
3.2.3.4 Configuring Intrusion Detection ........................................................................................................................... 88
3.3 (Optional) Level-2 Security Hardening Policies and Configurations ......................................................................... 90
3.3.1 Management Plane................................................................................................................................................... 90
3.3.1.1 Configuring the SSH Authentication Mode and Key ............................................................................................ 90
3.3.1.2 Configuring the SFTP Server Authentication Function ........................................................................................ 91
3.3.2 End-user Plane ......................................................................................................................................................... 91
3.3.2.1 Configuring Anti-MAC Spoofing ......................................................................................................................... 91
3.3.2.2 Configuring Static MAC Address Binding ........................................................................................................... 95
3.3.2.3 Configuring Static MAC Address Filtering .......................................................................................................... 98
3.3.2.4 Configuring VMAC ............................................................................................................................................ 100
3.3.2.4.1 Configuring 1:1 VMAC ................................................................................................................................... 100
3.3.2.4.2 Configuring N:1 VMAC .................................................................................................................................. 103
3.3.2.5 Anti-IP/ICMP Attack on the User Side ............................................................................................................... 105
3.3.2.5.1 Configuring Anti-IP/ICMP Address Attack ..................................................................................................... 106
3.3.2.5.2 Configuring Anti-IPv6/ICMPv6 Address Attack ............................................................................................. 107
3.3.2.6 Configuring Source Route Filter ......................................................................................................................... 108
3.3.2.7 Configuring Anti-IP Spoofing ............................................................................................................................. 109
3.3.2.8 Configuring Anti-theft and Roaming Using PITP .............................................................................................. 113
3.3.2.9 Configuring Anti-theft and Roaming Using DHCPv4 ........................................................................................ 129
3.3.2.10 Configuring Anti-ARP/NS Broadcast Storm .................................................................................................... 146
3.3.2.11 Configuring Anti-DoS Attack ........................................................................................................................... 147
3.3.2.12 Configuring ARP Anti-Spoofing ....................................................................................................................... 149
4 Security Maintenance ............................................................................................................... 150
4.1 Overview of Security Maintenance .......................................................................................................................... 150
4.2 Security Maintenance Configuration ........................................................................................................................ 151
4.2.1 Infrastructure Layer Security ................................................................................................................................. 151
4.2.1.1 CLI Account and Password Maintenance Suggestions ....................................................................................... 151
4.2.1.2 BIOS Login Maintenance Suggestions ............................................................................................................... 152
4.2.1.3 Log Maintenance Suggestions ............................................................................................................................ 155
4.2.1.4 Digital Certificate Maintenance Suggestions ...................................................................................................... 156
4.2.1.5 Remote Attestation .............................................................................................................................................. 159
4.2.1.6 Alarm and Event Maintenance Suggestions ....................................................................................................... 160
4.2.1.7 Configuration Data Saving Suggestions ............................................................................................................. 161
4.2.1.8 Database Backup Suggestions ............................................................................................................................ 162
4.2.1.9 Version Upgrade Suggestions ............................................................................................................................. 163
4.2.1.10 Patch Management Suggestions ....................................................................................................................... 163
4.2.1.11 Active/Standby Switchover Maintenance Suggestions ..................................................................................... 164
4.2.1.12 Suggestions on Clearing Data After Device Retirement ................................................................................... 165
4.2.2 Services Layer Security ......................................................................................................................................... 165
4.2.2.1 File Transfer Suggestions.................................................................................................................................... 165
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. ix
SmartAX MA5800
Security Hardening and Maintenance Guide Contents
4.2.2.2 Service Port Maintenance Suggestions ............................................................................................................... 166
4.2.2.3 Maintenance Suggestions on the Server Source Interface and Source IP Address ............................................. 168
4.2.2.4 Security Isolation of the Management Plane ...................................................................................................... 169
4.2.2.5 Maintenance Suggestions on Type B Dual-homing Synchronization ................................................................. 170
4.2.3 Applications Layer Security .................................................................................................................................. 171
4.2.3.1 Suggestions on Anti-DoS Attack ........................................................................................................................ 171
4.2.3.2 Suggestions on MAC Address Filtering.............................................................................................................. 171
4.2.3.3 Suggestions on Anti-MAC Spoofing Attacks ..................................................................................................... 172
4.2.3.4 Suggestions on Anti-MAC Duplicate Attacks..................................................................................................... 173
4.2.3.5 Suggestions on Anti-IP Spoofing Attacks ........................................................................................................... 173
4.2.3.6 Maintenance Suggestions on ONU Authentication Failures ............................................................................... 175
4.2.3.7 Maintenance Suggestions on Continuous-Mode ONUs ..................................................................................... 175
4.2.3.8 Maintenance Suggestions on User-Side Ring Networks ..................................................................................... 177
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. x
SmartAX MA5800
Security Hardening and Maintenance Guide 1 Security Hardening and Maintenance Overview
1 Security Hardening and Maintenance
Overview
This document describes the security hardening and maintenance policies, including attack
behavior, security policies, and operation procedures, to help users enhance network security.
In addition, the document provides guidance for users to perform hardening and maintenance
from the management, control, and end-user planes.
During daily maintenance, operators need to perform security hardening on systems and
resolve the identified security issues in a timely manner to ensure secure and proper system
running.
Purposes of Security Configuration, Hardening, and Maintenance
Operators need to set up a security maintenance mechanism to ensure proper running of
application systems in a secure environment.
Application systems face ever more serious security threats. If a problem occurs, services
may be interrupted, revenues decrease, or even the system crashes. Therefore, network
O&M personnel need to build and maintain a security barrier for the entire application
system at multiple layers to detect and handle potential security problems in advance.
Due to various security risks, it is difficult to ensure the security of the application
system by simply relying on technologies. Operators need to establish a security
management system based on security hardening and maintenance suggestions and
problems found in routine maintenance to ensure secure and proper running of the
application systems.
Security Solutions for Huawei Access Devices
Huawei mainly uses layered and in-depth defense schemes to protect the security of a telecom
network.
Layered defense: This scheme employs multiple methods to implement security policies in
different areas of the network to ensure that the network is protected against single-point
security faults.
In-depth defense: Based on the layered defense scheme, the in-depth defense scheme
enhances the network security. It adopts the multi-layer policy for managing risks. Such a
policy ensures that, in case one layer of defense fails, another layer of defense comes into play
and prevents devastating damage. In terms of depth, the in-depth defense scheme requires a
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 1
SmartAX MA5800
Security Hardening and Maintenance Guide 1 Security Hardening and Maintenance Overview
layered security system design that covers both the external and internal of the network (from
the network edge, to the internal network, and then to the core server).
For the design of layered in-depth defense, a telecom network is divided into the end-user
plane, control plane, and management plane according to data flows. Each plane is divided
into the applications, services, and infrastructure layers according to the network layers.
Figure 1-1 shows the security architecture model.
Figure 1-1 Huawei security architecture model
To ensure network security, select secure software and versions if third-party or open-source
software is required during device commissioning, configuration, or maintenance.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 2
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
2 Security Configuration
2.1 Introduction to Security Configuration
By analyzing history security events, the cyber security industry has come to the conclusion
that O&M is as important as product security. Without unified and replicable security
configuration management, a system will have vulnerable configurations that can be exploited,
resulting in severe loss.
A software version is supposed to be secure at the time of release. However, as time goes on,
new security risks may arise in an installed-base version on the live network because of the
advancement in hacking tactics or secure configurations changed to insecure ones during
O&M. Therefore, routing maintenance must comply with a security baseline and be regularly
checked.
The O&M personnel can prioritize security maintenance items based on whether they are
mandatory or optional.
Mandatory: Refers to configuration items recommended by industrial specifications and standards.
Improper settings of mandatory parameters can cause higher security risks than that of optional
parameters. Users are advised to configure mandatory parameters based on cyber security requirements.
Table 2-1 Security configuration list
Category Configuration Item Mandato Reference
ry/Optio
nal
Access NE user lockout policy Mandator 2.2.1.1.1 Setting a Valid
Control configuration y Brute-Force Attack Defense Policy
Preset password for a Mandator 2.2.1.1.2 Changing the Preset
default NE user y Password of a Default User
User password validity Optional 2.3.1.1.1 Configuring a Proper
period Password Validity Period
User lockout when idle Optional 2.3.1.1.2 Configuring the Idle User
Lockout Policy
Manageme Insecure Telnet service Mandator 2.2.1.2.1 Disabling Insecure Telnet
nt protocol enabled y Services
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 3
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
Category Configuration Item Mandato Reference
ry/Optio
nal
security SNMP version Optional 2.3.1.2.1 Configuring a Secure
SNMP Protocol Version
SNMP user Optional 2.3.1.2.2 Configuring a Secure
authentication mode SNMP User Authentication Mode
SNMP encryption mode Optional 2.3.1.2.3 Configuring a Secure
SNMP Encryption Mode
Security level of an Optional 2.3.1.2.4 Configuring a Secure
SNMPv3 user group SNMPv3 User Group Security
Level
SSH SSH server compatibility Mandator 2.2.1.3.1 Disabling SSH Server
protocol with an SSHv1.X client y Compatibility with an SSH1.X
security Client
SSH server key Mandator 2.2.1.3.2 Configuring a Secure Key
exchange algorithm y Exchange Algorithm on an SSH
Server
SSH server data Mandator 2.2.1.3.3 Configuring a Secure Data
encryption algorithm y Encryption Algorithm on an SSH
Server
SSH server public key Mandator 2.2.1.3.4 Configuring a Secure
algorithm y Public Key Algorithm on an SSH
Server
SSH server data integrity Mandator 2.2.1.3.5 Configuring a Secure Data
check algorithm y Integrity Check Algorithm on an
SSH Server
Number of bits in the Mandator 2.2.1.3.6 Configuring the Number of
SSH DH algorithm y Bits in the Secure DH Algorithm on
an SSH Server
SSH client key exchange Optional 2.3.1.3.1 Configuring a Secure Key
algorithm Exchange Algorithm on an SSH
Client
SSH client data Optional 2.3.1.3.2 Configuring a Secure Data
encryption algorithm Encryption Algorithm on an SSH
Client
SSH client public key Optional 2.3.1.3.3 Configuring a Secure
algorithm Public Key Algorithm on an SSH
Client
SSH client data integrity Optional 2.3.1.3.4 Configuring a Secure Data
check algorithm Integrity Check Algorithm on an
SSH Client
Number of bits in the Optional 2.3.1.3.5 Configuring the Number of
Bits in the Local RSA Key Pair for
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 4
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
Category Configuration Item Mandato Reference
ry/Optio
nal
local RSA key pair SSH
Number of bits in the Optional 2.3.1.3.6 Configuring the Number of
peer RSA key pair Bits in the Peer RSA Key Pair for
SSH
Transmissi TLS version Mandator 2.2.1.4.1 Configuring a Secure TLS
on y Protocol Version
protocol
security Insecure FTP protocol Optional 2.3.1.4.1 Configuring a Secure FTP
Protocol
SFTP authentication Optional 2.3.1.4.2 Configuring the SFTP
server switch Server Authentication Function
SSL algorithm suite Optional 2.3.1.5.1 Configuring a Secure SSL
configuration Algorithm Suite
Syslog transmission Optional 2.3.1.6.1 Configuring a Secure
mode Syslog Transmission Channel
Data System master key Optional 2.3.2.1.1 Configuring the Automatic
security configuration Update Policy for the System
Master Key
Device Server protocol binding Optional 2.3.1.7.1 Binding the Server
security to all source interfaces Protocol to the Source Interfaces
Server protocol binding Optional 2.3.1.7.2 Binding the Server
to an all-zero IP address Protocol to an All-Zero IP Address
PON line OMCI packet encryption Mandator 2.2.3.1.1 Enabling OMCI Packet
encryption switch y Encryption for GPON Line
Management
GEM port encryption Mandator 2.2.3.1.2 Enabling Encryption of
switch y Unicast GEM Port Service Packets
on a GPON Line
Automatic update of Mandator 2.2.3.1.3 Enabling Automatic
OMCI and GEM port y Update of the Encryption Key on a
encryption keys GPON Line
Automatic update of Mandator 2.2.3.1.3 Enabling Automatic
OMCI and GEM port y Update of the Encryption Key on a
encryption keys on a GPON Line
PON port
Multicast GEM port Optional 2.3.4.1.1 Enabling Encryption of
encryption mode Multicast GEM Port Service Packets
on a GPON Line
Anti-DoS Global configuration of Mandator 2.2.2.1.1 Configuring Defense
defense against ICMP y Against ICMP DoS Attacks
attacks
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 5
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
Category Configuration Item Mandato Reference
ry/Optio
nal
Global configuration of Mandator 2.2.2.1.2 Configuring Defense
defense against ICMPv6 y Against ICMPv6 DoS Attacks
attacks
Global configuration of Mandator 2.2.2.1.3 Configuring Defense
defense against IP y Against IP Packet DoS Attacks
attacks
Global configuration of Mandator 2.2.2.1.4 Configuring Defense
defense against IPv6 y Against IPv6 Packet DoS Attacks
attacks
Defense Invalid ARP packet Mandator 2.2.2.2.1 Configuring Defense
against check switch y Against Invalid ARP Packet Attacks
abnormal
packets Invalid ND packet check Mandator 2.2.2.2.2 Configuring Defense
switch y Against Invalid ND Packet Attacks
Defense against ND Mandator 2.2.2.2.3 Configuring Defense
packets with invalid hop y Against Attacks of ND Packets with
limits Invalid Hop Limits
Rate limit against Optional 2.3.3.1.1 Configuring a Rate Limit
broadcast attacks Against Broadcast Attacks
Anti-spoof Global configuration of Optional 2.3.3.2.1 Configuring Defense
ing defense against IP Against IP Spoofing
spoofing
Global configuration of Optional 2.3.3.2.2 Configuring Defense
defense against IPv6 Against IPv6 Spoofing
spoofing
Global configuration of Optional 2.3.3.2.3 Configure Defense Against
defense against MAC MAC Address Spoofing
address spoofing
Global configuration of Optional 2.3.3.2.4 Configuring Defense
defense against MAC Against MAC Address Flapping
flapping
Source route filtering Optional 2.3.3.2.5 Configuring Source Route
switch Filter
Remote NAC security mode Optional 2.3.1.8.1 Configuring a Secure TLS
software switch Channel for NAC Remote Software
commissio Commissioning
ning
security NAC authentication Optional 2.3.1.8.2 Configuring Identity
mode Authentication by Device
Certificate for NAC Remote
Software Commissioning on an
Extended Subrack
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 6
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
Category Configuration Item Mandato Reference
ry/Optio
nal
Routing OSPF area Optional 2.3.3.3.1 Configuring a Secure
protocol authentication Authentication Mode for an OSPF
communic configuration Area
ation
security OSPF interface Optional 2.3.3.3.2 Configuring a Secure
authentication Authentication Mode for OSPF
configuration Interfaces
OSPF virtual link Optional 2.3.3.3.4 Configuring a Secure
neighbor authentication Authentication Mode for OSPF
configuration Vlink Peers
OSPFv3 interface Optional 2.3.3.3.3 Configuring a Secure
authentication Authentication Mode for OSPFv3
configuration Interfaces
LDP authentication Optional 2.3.3.3.5 Configuring a Secure
mode Authentication Algorithm for LDP
Public Network Peers
RSVP interface Optional 2.3.3.3.6 Configuring a Secure
authentication type Authentication Mode for RSVP
Interfaces
RSVP neighbor Optional 2.3.3.3.7 Configuring a Secure
authentication type Authentication Mode for RSVP
Peers
BGP authentication Optional 2.3.3.3.8 Configuring a Secure
mode Authentication Mode for BGP
IS-IS LSP and SNP Optional 2.3.3.3.9 Configure a Secure
packet authentication Authentication Mode for IS-IS
IS-IS Hello packet Optional 2.3.3.3.10 Configuring a Secure
authentication Authentication Mode for IS-IS
Hello Packets
RIP authentication Optional 2.3.3.3.11 Configuring a Secure
packet Authentication Algorithm for RIP
Packets
Time NTP server Optional 2.3.3.4.1 Configuring a Secure
security authentication key Authentication Algorithm for NTP
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 7
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
2.2 Level 1 Security Configurations (Mandatory)
2.2.1 Management Security
2.2.1.1 Account and Password Management Security
2.2.1.1.1 Setting a Valid Brute-Force Attack Defense Policy
Description
Check whether the lockout policy is optimal for a specified number of consecutive login
failures of a user.
If the count of entering an error password reaches the threshold when a user logs in to the
system, you can run the system lock type command to determine which lockout policy is
used. The lock type is listed as follows:
User: Only the user name is locked. The user with this name from any terminal cannot
log in to the device after the user name is locked.
IP: Only the IP address is locked. The user cannot log in to the device from the terminal
with this IP address after the IP address is locked. But the user can log in from other
unlocked terminals.
All: Both the IP address and the user name are locked. Neither the user with this name
nor the terminal with this IP address can log in to the device after the two are locked.
When the lock type is set to IP, the system can lock only a certain number of terminal IP addresses. The
same user name can be used to log in to other unlocked terminals. The lock type all is recommended. In
this type mode, neither a locked user nor the terminal used by the user can log in to the device.
Configuration Command
system lock type
Default Value
The lock type is all.
Recommended Value
The lock type all is recommended. In this type mode, neither a locked user nor the terminal
used by the user can log in to the device.
Correction Suggestion
1. In privilege mode, run the display system user parameter command to query the
current lockout policy of the system.
2. If the lockout policy is not all as recommended, run the system lock type all command
to set the lock type to all, so that neither a locked user nor the terminal used by the user
can log in to the device.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 8
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
Implementation Impact:
If the count of entering incorrect passwords reaches the threshold when a user logs in to the
system, the system implements the lockout policy accordingly. If the lock type is set to all,
neither a locked user nor the terminal used by the user can log in to the device.
2.2.1.1.2 Changing the Preset Password of a Default User
Description
Check whether the default user has changed the preset password. The preset password of a
default user may be leaked and exploited by an unauthorized user.
Configuration Command
terminal user password
Default Value
The preset password has been changed.
Recommended Value
The preset password has been changed.
Correction Suggestion
Run the terminal user password command to change the root user password.
Starting from the version V100R020C00, a user must change the preset password upon the first login
during new deployment. In an update scenario, you need to check whether the preset password is
changed.
Implementation Impact:
Remember the new password after changing the preset password of the root user. Otherwise,
you cannot log in to the device.
2.2.1.2 Device Login Security
2.2.1.2.1 Disabling Insecure Telnet Services
Description
Check whether the insecure Telnet protocol is enabled.
If the Telnet is enabled, data is transmitted in plaintext, which may cause information leakage.
Configuration Command
sysman service telnet { disable | enable }
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 9
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
Default Value
disable
Recommended Value
disable
Correction Suggestion
Run the sysman service telnet disable command to disable the Telnet port and use the SSH
protocol as recommended.
Implementation Impact
After the Telnet function is disabled, ensure that at least one other connection protocol is
enabled on the device, such as SSH or SNMP.
2.2.1.3 Configuring the SSH Authentication Mode and Key
2.2.1.3.1 Disabling SSH Server Compatibility with an SSH1.X Client
Description
Check whether the SSH server is compatible with the insecure SSH1.X.
When the SSH server is set to be compatible with an SSH1.X client, data leakage and client
identity spoofing may occur due to the SSH1.X protocol vulnerabilities to attacks.
Configuration Command
ssh server compatible_ssh1x enable
undo ssh server compatible_ssh1x
Default Value
By default, the earlier version compatible mode is disabled on an SSH server.
Recommended Value
Disable the compatibility with an SSH1.X client.
Correction Suggestion
Run the undo ssh server compatible_ssh1x command to disable the SSH server
compatibility with an SSH1.X client.
Implementation Impact
If the earlier version compatible mode is disabled, a client that only supports SSH1.X cannot
connect to the device.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 10
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
2.2.1.3.2 Configuring a Secure Key Exchange Algorithm on an SSH Server
Description
Check whether an insecure key exchange algorithm is enabled on the SSH server.
If an insecure key exchange algorithm is used by an SSH server, session keys may be leaked.
Configuration Command
ssh server key-exchange { dh_group1_sha1 | dh_group14_sha1 |
dh_group_exchange_sha1 | dh_group_exchange_sha256 | ecdh_sha2_nistp256 |
ecdh_sha2_nistp384 | ecdh_sha2_nistp521 | sm2_kep | curve25519_sha256 } *
Default Value
By default, key exchange algorithms curve25519_sha256 and dh_group_exchange_sha256
are enabled, and the algorithms dh_group1_sha1, dh_group_exchange_sha1,
dh_group14_sha1, ecdh_sha2_nistp256, ecdh_sha2_nistp384, ecdh_sha2_nistp521, and
sm2_kep are disabled on an SSH server.
Recommended Value
curve25519_sha256, dh_group_exchange_sha256
Correction Suggestion
Run the undo ssh server key-exchange command to restore the default key exchange
algorithm.
By default, only the secure key exchange algorithms dh_group_exchange_sha256 and
curve25519_sha256 are enabled. Other insecure algorithms are disabled.
Implementation Impact
A client must support at least one key exchange algorithm that is configured on the server.
Otherwise, the functions may be abnormal.
2.2.1.3.3 Configuring a Secure Data Encryption Algorithm on an SSH Server
Description
Check whether an insecure encryption algorithm is enabled on an SSH server.
If an insecure encryption algorithm is used on an SSH server, communication data may be
leaked.
Configuration Command
ssh server cipher { 3des_cbc | aes128_cbc | aes192_cbc | aes256_cbc | aes128_ctr |
aes192_ctr | aes256_ctr | arcfour128 | aes128_gcm | aes256_gcm | arcfour256 |
blowfish_cbc | chacha20_poly1305 } *
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 11
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
Default Value
By default, encryption algorithms aes128_ctr, aes192_ctr, aes256_ctr, aes128_gcm,
aes256_gcm, and chacha20_poly1305 are enabled; and 3des_cbc, aes128_cbc, aes192_cbc,
aes256_cbc, arcfour128, arcfour256, and blowfish_cbc are disabled on an SSH server.
Recommended Value
aes128_ctr, aes192_ctr, aes256_ctr, aes128_gcm, aes256_gcm, and chacha20_poly1305
Correction Suggestion
Run the undo ssh server cipher command to restore the default encryption algorithm.
By default, only secure encryption algorithms aes128_ctr, aes192_ctr, aes256_ctr,
aes128_gcm, aes256_gcm, and chacha20_poly1305 are enabled. Other insecure algorithms
are disabled.
Implementation Impact
A client must support at least one encryption algorithm that is configured on the server.
Otherwise, the functions may be abnormal.
2.2.1.3.4 Configuring a Secure Public Key Algorithm on an SSH Server
Description
Check whether an insecure public key algorithm is enabled on an SSH server.
If an insecure public key algorithm is used on an SSH server, spoofing may occur.
Configuration Command
ssh server publickey { rsa | rsa_sha2_256 | rsa_sha2_512 | x509v3-ssh-rsa |
x509v3-rsa2048-sha256 | ed25519 } *
Default Value
By default, the X509V3-SSH-RSA, RSA_SHA2_256, RSA_SHA2_512,
X509V3-RSA2048-SHA256 and ED25519 public key algorithms are enabled.
Recommended Value
RSA_SHA2_256, RSA_SHA2_512, ED25519
Correction Suggestion
Run the ssh server publickey command to enable only secure public key algorithms
including RSA_SHA2_256, RSA_SHA2_512, X509V3-RSA2048-SHA256, and ED25519.
Implementation Impact
A client must support at least one public key algorithm that is configured on the server.
Otherwise, the functions may be abnormal.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 12
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
2.2.1.3.5 Configuring a Secure Data Integrity Check Algorithm on an SSH Server
Description
Check whether an insecure hash algorithm is enabled on the SSH server.
If an insecure HMAC algorithm is used on an SSH server, information carried by the protocol
may be tampered with.
Configuration Command
ssh server hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 | sha2_512 } *
undo ssh server hmac
Default Value
By default, HMAC authentication algorithms sha1, sha2_256, and sha2_512 are enabled, and
algorithms md5, md5_96, sha1_96, and sha2_256_96 are disabled on an SSH server.
Recommended Value
sha2_256, sha2_512
Correction Suggestion
Run the ssh server hmac command to enable only secure HMAC authentication algorithms
including the SHA2_256 and SHA2_512.
Implementation Impact
A client must support at least one data integrity check algorithm that is configured on the
server. Otherwise, the functions may be abnormal.
2.2.1.3.6 Configuring the Number of Bits in the Secure DH Algorithm on an SSH Server
Description
Check whether the DH key length is sufficient.
If the minimum length of the DH key exchange algorithm on an SSH server is shorter than
2048 bits, the key is vulnerable to cracking and spoofing.
Configuration Command
ssh server dh-exchange min-len { 1024 | 2048 | 3072 | 4096 }
Default Value
3072
Recommended Value
2048, 3072, 4096
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 13
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
Correction Suggestion
Run the ssh server dh-exchange min-len command to set the minimum length of the DH key
exchange on an SSH server to 2048 bits.
Implementation Impact
A client must support the 2048-bit or longer key exchange algorithm. Otherwise, the functions
may be abnormal.
2.2.1.4 Configuring a Secure TLS Communication Channel
2.2.1.4.1 Configuring a Secure TLS Protocol Version
Description
Check whether the earliest SSL version is secure.
SSL3.0/TLS1.0/TLS1.1 has known vulnerabilities.
Configuration Command
ssl minimum version { tls1.1 | tls1.2 | tls1.3 }
Default Value
tls1.2
Recommended Value
tls1.2, tls1.3
Correction Suggestion
Run the ssl minimum version command to set the earliest SSL version to TLS1.2 or TLS1.3.
Implementation Impact
A client must support the SSL version that is configured on the server. Otherwise, a link
cannot be established between the client and the server.
If the earliest version is TLS1.3 and an insecure signature algorithm (such as SHA1) or a
certificate public key shorter than 2048 bits is used in an SSL policy, service links cannot be
established.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 14
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
2.2.2 Control Plane
2.2.2.1 Defense Against IP/ICMP Attacks on the User Side
2.2.2.1.1 Configuring Defense Against ICMP DoS Attacks
Description
To prevent malicious users from forging ICMP packets with the device IP address as the
destination address to attack the device, use this configuration to enable defense against ICMP
attacks on the device. After this function is enabled, the device discards the ICMP packets that
are sent from the user side if destination IP address is the IP address of the device.
Configuration Command
security anti-icmpattack { enable | disable }
Default Value
enable
Recommended Value
enable
Correction Suggestion
1. In privilege mode, run the display security config command to check whether defense
against ICMP attacks is enabled.
2. If defense against ICMP attacks is disabled, run the security anti-icmpattack enable
command in global config mode to enable the anti-attack function.
Implementation Impact
The device discards the ICMP packets that are sent from the user side if destination IP address
is the IP address of the device. As a result, the ping function is not available to devices on the
user side.
This issue does not affect the user services on the live network.
2.2.2.1.2 Configuring Defense Against ICMPv6 DoS Attacks
Description
To prevent malicious users from forging the ICMPv6 packets with the device IPv6 address as
the destination IP address to attack the device, use this configuration to enable defense against
ICMPv6 attacks on the device. After this function is enabled, the device discards the ICMPv6
packets that are sent from the user side if destination address is the device IPv6 address.
Configuration Command
security anti-ipv6attack { enable | disable }
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 15
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
Default Value
enable
Recommended Value
enable
Correction Suggestion
1. In privilege mode, run the display security config command to check whether defense
against ICMPv6 attacks is enabled.
2. If defense against ICMPv6 attacks is disabled, run the security anti-icmv6pattack
enable command in global config mode to enable the anti-attack function.
Implementation Impact
The device discards the ICMPv6 packets that are sent from the user side if destination IP
address is the IPv6 address of the device. As a result, the ping function is not available to IPv6
devices on the user side.
This issue does not affect the user services on the live network.
2.2.2.1.3 Configuring Defense Against IP Packet DoS Attacks
Description
To prevent malicious users from forging IP packets with the device IP address as the
destination address to attack the device, use this configuration to enable defense against IP
attacks on the device. After this function is enabled, the device discards the IP packets that are
sent from the user side if destination address is the device IP address.
Configuration Command
security anti-ipattack { enable | disable }
Default Value
enable
Recommended Value
enable
Correction Suggestion
1. In privilege mode, run the display security config command to check whether defense
against IP attacks is enabled.
2. If defense against IP attacks is disabled, run the security anti- ipattack enable
command in global config mode to enable the anti-attack function.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 16
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
Implementation Impact
The device discards the IP packets that are sent from the user side if destination IP address is
the IP address of the device. As a result, the ping and Telnet functions are not available to
devices on the user side.
This issue does not affect the user services on the live network.
2.2.2.1.4 Configuring Defense Against IPv6 Packet DoS Attacks
Description
To prevent malicious users from forging the IPv6 packets with the device IPv6 address as the
destination address to attack the device, use this configuration to enable defense against IPv6
attacks on the device. After this function is enabled, the device discards the IPv6 packets that
are sent from the user side if destination address is the device IPv6 address.
Configuration Command
security anti-ipv6attack { enable | disable }
Default Value
enable
Recommended Value
enable
Correction Suggestion
1. In privilege mode, run the display security config command to check whether defense
against IPv6 attacks is enabled.
2. If defense against IPv6 attacks is disabled, run the security anti- ipv6attack enable
command in global config mode to enable the anti-attack function.
Implementation Impact
The device discards the IPv6 packets that are sent from the user side if destination address is
the IPv6 address of the device. As a result, the ping and Telnet functions are not available to
IPv6 devices on the user side.
This issue does not affect the user services on the live network.
2.2.2.2 Defense Against Abnormal Packet Attacks on the User Side
2.2.2.2.1 Configuring Defense Against Invalid ARP Packet Attacks
Description
To filter invalid ARP packets, use this configuration. After this function is enabled, the system
checks whether the directly forwarded ARP packets received on the user port and ARP
packets delivered for CPU processing are valid. The system discards ARP packets received on
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 17
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
user ports whose source MAC address in the Ethernet header is different from the sha field in
the packet body.
Configuration Command
security anti-illegal-arp { enable | disable }
Default Value
enable
Recommended Value
enable
Correction Suggestion
1. In privilege mode, run the display security config command to check whether defense
against invalid ARP packet attacks is enabled.
2. If the function is disabled, run the security anti-illegal-arp enable command in global
config mode to enable defense against invalid ARP packets.
Implementation Impact
The system checks whether the directly forwarded ARP packets received on the user port and
ARP packets destined for CPU processing are valid. The system discards ARP packets
received on user ports whose source MAC address in the Ethernet header is different from the
sha field in the packet body.
This issue does not affect the user services on the live network.
QinQ VLAN does not support the anti-attack function against invalid ARP packets. Even if
the anti-attack function is enabled, ARP packets are not checked.
Connection-oriented service ports do not support the anti-attack function against invalid ARP
packets. Even if the anti-attack function is enabled, ARP packets are not checked.
2.2.2.2.2 Configuring Defense Against Invalid ND Packet Attacks
Description
Invalid ND packets refer to the NS/RS packets whose source MAC address in the Ethernet
packet header is different from the Source link-layer address option in the packet body, and
the NA packets whose source MAC address in the Ethernet packet header is different from the
Target link-layer address option in the packet body. To filter invalid ND packets, use this
configuration. After this function is enabled, the system discards invalid ND packets that are
received on the user port and are destined for CPU processing, and measures the statistics,
while the system does not check but transparently transmit the ND packets that are forwarded
directly.
Configuration Command
security anti-illegal-nd { enable | disable }
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 18
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
Default Value
enable
Recommended Value
enable
Correction Suggestion
1. In privilege mode, run the display security config command to check whether defense
against invalid ND packet attacks is enabled.
2. If the function is disabled, run the security anti-illegal- nd enable command in global
config mode to enable defense against invalid ND packets.
Implementation Impact
The system discards invalid ND packets that are received on the user port and are destined for
CPU processing, and measures the statistics, while the system does not check but
transparently transmit the ND packets that are forwarded directly.
This issue does not affect the user services on the live network.
QinQ VLAN does not support protection against invalid ND packets. Even if protection is
enabled, ND packets are not checked.
Connection-oriented service ports do not support protection against invalid ND packets. Even
if protection is enabled, ND packets are not checked.
2.2.2.2.3 Configuring Defense Against Attacks of ND Packets with Invalid Hop Limits
Description
To filter ND packets with invalid hop limit by the hardware, use this configuration. After this
function is enabled, the system checks the hop limit field of ND packets received on the
board, and discards ND packets of which the hop limit is not 255.
Configuration Command
security anti-illegal-hoplimit-nd { enable | disable }
Default Value
enable
Recommended Value
enable
Correction Suggestion
1. In privilege mode, run the display security config command to check whether defense
against ND packets with invalid hop limits is enabled.
2. If the function is disabled, run the security anti-illegal-hoplimit-nd enable command in
global config mode to enable defense against ND packets with invalid hop limits.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 19
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
Implementation Impact
The system checks the hop limit field of ND packets received on the board, and discards ND
packets of which the hop limit is not 255.
This issue does not affect the user services on the live network.
2.2.3 Line Security
2.2.3.1 PON Line Security
2.2.3.1.1 Enabling OMCI Packet Encryption for GPON Line Management
Description
After this function is enabled, OMCI packets are encrypted. If OMCI packets are not
encrypted, management packet may be leaked.
Configuration Command
Profile mode
GPON ONT line profile mode: omcc encrypt switch
Discrete mode
GPON mode: ont omcc encrypt portid ontid switch
Default Value
Profile mode
By default, line profile 0 is set to off, and other line profiles are set to on.
Discrete mode
Default: on.
Recommended Value
on
Correction Suggestion
V100R022C00 and later versions
Profile mode
1. In diagnose mode, run the display xpon security risk config detail omcc command to
check whether a non-recommended line profile is configured.
2. If a non-recommended line profile is configured, run the ont-lineprofile gpon profile-id
command in global config mode to enter this line profile, run the omcc encrypt on
command to enable OMCC encryption, and then run the commit command to commit
the configuration.
3. In diagnose mode, run the display xpon security risk config detail omcc command to
check whether the modification is completed.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 20
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
Discrete mode
1. In diagnose mode, run the display xpon security risk config detail omcc command to
check whether a non-recommended ONT is configured.
2. If a non-recommended ONT is configured, run the interface gpon command to enter the
board mode, and then run the ont omcc encrypt portid ontid on command to enable
OMCC encryption.
3. In diagnose mode, run the display xpon security risk config detail omcc command to
check whether the modification is completed.
Versions earlier than V100R022C00
Profile mode
1. In global config mode, run the display ont-lineprofile gpon profile-id command to
query all line profiles and check whether OMCC encryption is enabled.
2. If a non-recommended line profile is configured, run the ont-lineprofile gpon profile-id
command to enter this line profile, run the omcc encrypt on command to enable OMCC
encryption, and then run the commit command to commit the configuration.
3. In global config mode, run the display ont-lineprofile gpon profile-id command to
query all line profiles and check whether the modification is completed.
Discrete mode
1. Run the interface gpon command to enter the board mode.
2. Run the display ont omcc encrypt portid ontid command to check whether OMCC
encryption is enabled for each ONT.
3. If OMCC encryption is disabled for an ONT, run the ont omcc encrypt portid ontid on
command to enable this function.
4. Run the display ont omcc encrypt portid ontid command to check whether OMCC
encryption is enabled for the ONT.
Implementation Impact
An ONT must support OMCI packet encryption. Otherwise, the ONT goes offline and
services are interrupted when this function is enabled.
The OMCI packet encryption function is defined by the ITU-T standard. OLTs and ONTs must comply
with the standard. If an ONT fails to go online because OMCI packet encryption is enabled on the OLT,
the ONT is not compliant with the ITU-T standard.
2.2.3.1.2 Enabling Encryption of Unicast GEM Port Service Packets on a GPON Line
Description
After this function is enabled, a unicast GEM port packet is encrypted. If a service packet
delivered from an OLT to an ONT on a GPON line is not encrypted, it may be leaked.
Configuration Command
Profile mode
gem add gem-index service-type tcont tcontid encrypt encrypt
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 21
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
gem modify gem-index encrypt encrypt
Discrete mode
gemport modify portid gemportid gemport-id encrypt encrypt
Default Value
on
Recommended Value
on
Correction Suggestion
V100R022C00 and later versions
Profile mode
1. In diagnose mode, run the display xpon security risk config detail gemport command
to check whether a non-recommended GEM port is configured.
2. If a non-recommended GEM port is configured, run the ont-lineprofile gpon profile-id
command in global config mode to enter this line profile, run the gem modify
gem-index encrypt on command to enable GEM port encryption, and then run the
commit command to commit the configuration.
3. In diagnose mode, run the display xpon security risk config detail gemport command
to check whether the modification is completed.
Discrete mode
1. In diagnose mode, run the display xpon security risk config detail gemport command
to check whether a non-recommended GEM port is configured.
2. If a non-recommended GEM port is configured, run the interface gpon command to
enter the board mode, run the gemport modify portid gemportid gemport-id encrypt
on command to enable GEM port encryption.
3. In diagnose mode, run the display xpon security risk config detail gemport command
to check whether a non-recommended GEM port is configured.
Versions earlier than V100R022C00
Profile mode
1. In global config mode, run the display ont-lineprofile gpon profile-id command to
query all line profiles and check whether GEM port encryption is disabled.
2. If GEM port encryption is disabled on a line profile, run the ont-lineprofile gpon
profile-id command to enter this line profile, run the gem modify gem-index encrypt
on command to enable GEM port encryption, and then run the commit command to
commit the configuration.
3. Run the display ont-lineprofile gpon profile-id command to check whether the
modification is complete.
Discrete mode
1. Run the interface gpon command to enter the board mode.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 22
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
2. Run the display ont gemport portid ontid ontid command to query GEM port
information and check whether encryption is disabled.
3. If GEM port encryption is disabled, run the gemport modify portid gemportid
gemport-id encrypt on command to enable the function.
4. Run the display ont gemport portid ontid ontid command to check whether GEM port
encryption is modified.
Implementation Impact
An ONT must support GEM port encryption. Otherwise, the ONT goes offline and services
are interrupted when this function is enabled.
2.2.3.1.3 Enabling Automatic Update of the Encryption Key on a GPON Line
Description
After automatic update of the encryption key is enabled on a GPON line, the ONT
automatically updates the key at a specified interval. If the encryption keys of ONTs
connected to the PON ports in a system remain unchanged for a long time, they are more
vulnerable to cracking, and management packets and service packets may be leaked.
Configuration Command
Global config mode: gpon ont-password-renew { renew_interval | no_renew }
Diagnosis mode: gpon ont-password-renew clear
GPON mode: port portid ont-password-renew { renew_interval | extra { time |
no_renew } }
Default Value
In global config mode, the default interval for updating an ONT key is "-".
In GPON mode, the default interval for updating an ONT key is 1440 minutes.
By default, the function configuration takes effect at the port level instead of globally.
Recommended Value
5-1440
Correction Suggestion
In global config mode, run the display xpon global-config command to check whether the value of
GPON ONT password renew interval (min) is "-". If the value is "-", the configuration does not take
effect in global config mode. You only need to focus on the port configuration.
V100R022C00 and later versions
1. In diagnose mode, run the display xpon security risk config detail
ont-password-renew command to check whether a non-recommended GEM port
encryption key is configured for automatic update.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 23
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
2. If the system displays a message indicating that the automatic update configuration for
the global GEM port encryption key is insecure, run the gpon ont-password-renew
command in global config mode to modify the configuration to the recommended value.
3. If the system displays a message indicating that the automatic update configuration for
the GEM port encryption key is insecure, run the interface gpon command to enter the
board mode, and then run the port portid ont-password-renew command to modify the
configuration to the recommended value.
4. In diagnose mode, run the display xpon security risk config detail
ont-password-renew command to check whether the configuration is modified.
Versions earlier than V100R022C00
1. In global config mode, run the display xpon global-config command to check whether
the GPON ONT password renew interval (min) is disabled.
2. If it is disabled, run the gpon ont-password-renew command in global config mode to
modify the configuration to the recommended value. If the value is "-", you do not need
to change it.
3. Run the interface gpon command to enter the board mode, and then run the display
port info portid command to check whether the encryption key switching intervals (min)
of ONTs connected to all ports are set to the recommended value.
4. If it is not set as recommended, run the port portid ont-password-renew command to
modify the value to the recommended value.
Implementation Impact
None
2.2.3.1.4 Enabling Encryption on an EPON Line
Description
After this function is enabled, EPON service packets are encrypted. If a service packet carried
on an EPON line is not encrypted, it may be leaked.
Configuration Command
llid encrypt encrypt-type
Default Value
off
Recommended Value
aes-128, triple-churning
Correction Suggestion
V100R022C00 and later versions
1. In diagnose mode, run the display xpon security risk config detail llid command to
check whether a non-recommended line profile is configured.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 24
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
2. If a non-recommended line profile is configured, run the ont-lineprofile epon profile-id
command in global config mode to enter this line profile, run the llid encrypt on
command to enable LLID encryption, and then run the commit command to commit the
configuration.
3. In diagnose mode, run the display xpon security risk config detail llid command to
check whether the modification is completed.
Versions earlier than V100R022C00
1. In global config mode, run the display ont-lineprofile epon profile-id command to
query all line profiles and check whether the encrypt type is off.
2. If the encrypt type is off, run the ont-lineprofile epon profile-id command to enter the
line profile mode, run the llid encrypt on command to enable LLID encryption, and then
run the commit command to commit the configuration.
3. Run the display ont-lineprofile epon profile-id command to check whether the
modification is complete.
Implementation Impact
An ONT must support LLID port encryption. Otherwise, the ONT goes offline and services
are interrupted when this function is enabled.
2.3 Level 2 Security Configurations (Optional)
2.3.1 Management Plane
2.3.1.1 Account and Password Management Security
2.3.1.1.1 Configuring a Proper Password Validity Period
Description
Check whether a user password has a permanent validity period. If no proper validity period
is set for a user password, the password is permanently valid, increasing the risk of being
cracked.
Configuration Command
To bind a profile to a user when creating the user account, do as follows:
terminal user name
User profile name(<=15 chars)[root]: profile name
To modify a created user profile, do as follows:
terminal user user-profile
To create, delete, or modify a user profile, do as follows:
terminal user-profile { add | delete | modify option }
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 25
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
Default Value
The default validity period of a user password is 180 days.
Recommended Value
Non-zero value (0 indicates that the password is permanently valid.)
Correction Suggestion
1. Run the display terminal user info to query the name of a profile bound to a user.
2. After the profile name is obtained, run the display terminal user-profile command to
query the profile information.
3. To modify the profile, run the terminal user-profile command to create, delete, or
modify the profile information.
4. Run the terminal user user-profile command to bind a profile with a proper password
validity period to a user account based on the account purpose.
Implementation Impact
An account password becomes invalid after the validity period expires.
2.3.1.1.2 Configuring the Idle User Lockout Policy
Description
Check whether idle user lockout is configured. If an idle account is not locked out in a timely
manner, it may be exploited by unauthorized users.
Configuration Command
system lock condition idle_timeout days
Default Value
0 (indicating no lockout for idle users)
Recommended Value
A non-zero value. Users can set a proper value based on specific requirements.
Correction Suggestion
1. In privilege mode, run the display system user parameter command to query the
current idle time before lockout of a system.
2. If it does not meet requirements, run the system lock condition idle_timeout command
to set a proper idle time before lockout.
Implementation Impact
If a user does not produce any login logs within the idle time, the user is locked out. You can
run the terminal unlock user command to cancel the user lockout.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 26
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
The root users cannot be locked after being idle for a period of time.
2.3.1.2 SNMP Management Device Security
2.3.1.2.1 Configuring a Secure SNMP Protocol Version
Description
Check whether the insecure SNMPv1 or SNMPv2c is enabled.
If an OLT, as a secondary end, works with the NMS to configure the SNMP version, it is recommended
that the NMS make the secure SNMPv3 a mandatory configuration.
Configuration Command
undo snmp-agent community community-name
To add or modify the SNMPv3 user:
snmp-agent usm-user v3 user-name group-name [ authentication-mode authen-protocol
authkey [ privacy-mode privacy-protocol prikey ] ]
Default Value
By default, SNMP is not supported.
Recommended Value
SNMPv3
Correction Suggestion
1. Run the display snmp-agent community { read | write } command to check whether
an SNMPv1/v2c community name is configured.
2. If the log count is not 0, run the undo snmp-agent community command to delete the
SNMPv1/v2c community name.
3. Run the snmp-agent usm-user command to create an SNMPv3 user, and configure a
secure and reliable algorithm by referring to 2.3.1.2.2 Configuring a Secure SNMP User
Authentication Mode, 2.3.1.2.3 Configuring a Secure SNMP Encryption Mode, and
2.3.1.2.4 Configuring a Secure SNMPv3 User Group Security Level.
Implementation Impact
If the device is connected to the NMS by SNMPv1/v2c, you need to reconnect the device to
the NMS using the newly created SNMPv3 account.
2.3.1.2.2 Configuring a Secure SNMP User Authentication Mode
Description
Check whether an SNMPv3 user authentication mode is secure.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 27
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
If an SNMPv3 user is not authenticated or authenticated using the insecure authentication
protocol MD5/SHA, the user is vulnerable to spoofing. As a result, the device is attacked and
intruded by an unauthorized user.
Configuration Command
snmp-agent usm-user v3 user-name authentication-mode { md5 | sha2-224 | sha2-256 |
sha2-384 | sha2-512 | sha }
Default Value
None
Recommended Value
hmac-sha2-256, hmac-sha2-384, hmac-sha2-512
Correction Suggestion
Run the snmp-agent usm-user v3 user-name authentication-mode command to change the
authentication mode of an SNMPv3 user to HMAC-SHA2.
Implementation Impact
The NMS needs to reconnect to the device using the SNMPv3 account.
2.3.1.2.3 Configuring a Secure SNMP Encryption Mode
Description
Check whether an SNMPv3 user encryption mode is secure.
If the SNMPv3 encryption mode is disabled, or the insecure encryption algorithm DES/3DES
is used, data transmitted using the protocol may be leaked.
Configuration Command
snmp-agent usm-user v3 user-name privacy-mode { 3des168 | aes128 | aes192 | aes256 |
des56 }
Default Value
None
Recommended Value
aes128, aes192, aes256
Correction Suggestion
Run the snmp-agent usm-user v3 user-name privacy-mode command to change the
encryption mode of an SNMPv3 user to AES128, AES192, or AES256.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 28
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
Implementation Impact
The NMS needs to reconnect to the device using the SNMPv3 account.
2.3.1.2.4 Configuring a Secure SNMPv3 User Group Security Level
Description
Check the security level of an SNMPv3 user group.
Configuration Command
snmp-agent group v3 groupname { authentication | noauth | privacy } [ read-view
viewname | write-view viewname | notify-view viewname ] *
Default Value
noauth (no authentication and no encryption)
Recommended Value
Privacy (authentication and encryption required)
Correction Suggestion
Run the snmp-agent group v3 command to change the security level of an SNMPv3 user
group to authentication and encryption.
Implementation Impact
The NMS needs to reconnect to the device using the SNMPv3 account.
2.3.1.3 Configuring the SSH Authentication Mode and Key
2.3.1.3.1 Configuring a Secure Key Exchange Algorithm on an SSH Client
Description
Check whether an insecure key exchange algorithm is enabled on an SSH client.
If an insecure key exchange algorithm is used by an SSH client, session keys may be leaked.
Configuration Command
ssh client key-exchange { dh_group14_sha1 | dh_group1_sha1 |
dh_group_exchange_sha1 | dh_group_exchange_sha256 | ecdh_sha2_nistp256 |
ecdh_sha2_nistp384 | ecdh_sha2_nistp521 | sm2_kep | curve25519_sha256 } *
undo ssh client key-exchange
Default Value
By default, key exchange algorithms curve25519_sha256 and dh_group_exchange_sha256
are enabled, and algorithms ecdh_sha2_nistp256, ecdh_sha2_nistp384, ecdh_sha2_nistp521,
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 29
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
sm2_kep, dh_group1_sha1, dh_group14_sha1, and dh_group_exchange_sha1 are disabled on
an SSH client.
Recommended Value
dh_group_exchange_sha256, curve25519_sha256
Correction Suggestion
Run the undo ssh client key-exchange command to restore the key exchange algorithm to the
default value. By default, only secure key exchange algorithms dh_group_exchange_sha256
and curve25519_sha256 are enabled, and other insecure algorithms are disabled.
Implementation Impact
A server must support at least one key exchange algorithm that is configured on the client.
Otherwise, the functions may be abnormal.
2.3.1.3.2 Configuring a Secure Data Encryption Algorithm on an SSH Client
Description
Check whether an insecure encryption algorithm is enabled on an SSH client.
If an insecure encryption algorithm is used on an SSH client, communication data may be
leaked.
Configuration Command
ssh client cipher { 3des_cbc | aes128_cbc | aes192_cbc | aes256_cbc | aes128_ctr |
aes192_ctr | aes256_ctr | arcfour128 | aes128_gcm | aes256_gcm | arcfour256 |
chacha20_poly1305 } *
undo ssh client cipher
Default Value
By default, encryption algorithms aes128_ctr, aes192_ctr, aes256_ctr, aes128_gcm,
aes256_gcm, and chacha20_poly1305 are enabled; and algorithms 3des_cbc, aes128_cbc,
aes192_cbc, aes256_cbc, arcfour128, and arcfour256 are disabled on an SSH client.
Recommended Value
aes128_ctr, aes192_ctr, aes256_ctr, aes128_gcm, aes256_gcm, and chacha20_poly1305
Correction Suggestion
Run the undo ssh client cipher command to restore the default encryption algorithm. By
default, only secure encryption algorithms, including aes128_ctr, aes192_ctr, aes256_ctr,
aes128_gcm, aes256_gcm, and chacha20_poly1305, are enabled, and other insecure
algorithms are disabled.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 30
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
Implementation Impact
A server must support at least one encryption algorithm that is configured on the client.
Otherwise, the functions may be abnormal.
2.3.1.3.3 Configuring a Secure Public Key Algorithm on an SSH Client
Description
Check whether an insecure public key algorithm is enabled on an SSH client.
If an insecure public key algorithm is used on an SSH client, spoofing may occur.
Configuration Command
ssh client publickey { rsa | rsa_sha2_256 | rsa_sha2_512 | ed25519 } *
undo ssh client publickey
Default Value
By default, the RSA_SHA2_256, RSA_SHA2_512, ED25519 public key algorithms are
enabled.
Recommended Value
RSA_SHA2_256, RSA_SHA2_512, ED25519
Correction Suggestion
Run the ssh client publickey command to enable the RSA_SHA2_256, RSA_SHA2_512,
and ED25519 secure public key algorithms only.
Implementation Impact
A server must support at least one public key algorithm that is configured on the client.
Otherwise, the functions may be abnormal.
2.3.1.3.4 Configuring a Secure Data Integrity Check Algorithm on an SSH Client
Description
Check whether an insecure hash algorithm is enabled on an SSH client.
If an insecure HMAC algorithm is used on an SSH client, information carried by the protocol
may be tampered with.
Configuration Command
ssh client hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 | sha2_512 } *
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 31
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
Default Value
By default, HMAC authentication algorithms sha1, sha2_256, and sha2_512 are enabled, and
algorithms md5, md5_96, sha1_96, and sha2_256_96 are disabled on an SSH client.
Recommended Value
sha2_256, sha2_512
Correction Suggestion
Run the ssh client hmac command to enable the SHA2_256 and SHA2_512 secure HMAC
authentication algorithms only.
Implementation Impact
A server must support at least one data integrity check algorithm that is configured on the
client. Otherwise, the functions may be abnormal.
2.3.1.3.5 Configuring the Number of Bits in the Local RSA Key Pair for SSH
Description
Check whether the number of bits in the RSA host key pair is sufficient.
If an RSA host key is shorter than 3072 bits, and the communication data encryption strength
is insufficient, the key may be cracked and leaked.
Configuration Command
rsa local-key-pair create
Default Value
3072
Recommended Value
3072, 4096
Correction Suggestion
Run the rsa local-key-pair create command to create an RSA host key of at least 3072 bits.
Implementation Impact
If the SSH client does not support a key of 3072 bits or longer, the SSH client cannot connect
to the device.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 32
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
2.3.1.3.6 Configuring the Number of Bits in the Peer RSA Key Pair for SSH
Description
Check whether the number of bits in the RSA peer key pair is sufficient.
If the length of an RSA peer public key is shorter than 3072 bits, and the communication data
encryption strength is insufficient, the key may be cracked and leaked.
Configuration Command
rsa peer-public-key
Default Value
By default, rsa peer-public-key is not configured.
Recommended Value
3072 bits or more.
Correction Suggestion
1. Create an RSA key pair with a length of at least 3072 bits on the peer end.
2. Run the rsa peer-public-key command on the local end to set the peer public key.
Create a key pair with a length of 3072 or longer on the peer end, and then import the public key of the
peer end.
Implementation Impact
The peer public key configured on the server must match the public key of the SSH client.
Otherwise, SSH user authentication fails.
2.3.1.4 Configuring a Secure File Transfer Mode
2.3.1.4.1 Configuring a Secure FTP Protocol
Description
Check whether an insecure transmission protocol is enabled.
If an insecure file transfer mode is used for automatic loading and backup, data transmitted
using the protocol may be leaked or tampered with.
Configuration Command
file-server auto-backup filetype ipaddress { ftp | sftp | tftp }
file-server auto-load filetype ipaddress { ftp | sftp | tftp }
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 33
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
Default Value
None
Recommended Value
sftp
Correction Suggestion
1. Run the file-server auto-backup command to change the transfer mode to SFTP.
2. Run the file-server auto-load command to change the transfer model to SFTP.
Implementation Impact
Transmission performance is affected due to encrypted transmission mode used by SFTP on
an SFTP server which needs to be configured.
2.3.1.4.2 Configuring the SFTP Server Authentication Function
Description
Check whether SFTP server authentication is enabled on a client.
If public key authentication is disabled on the SFTP server, the device cannot identify a
spoofed server. As a result, malicious files are loaded or data backed up by the host to the
server is leaked.
Configuration Command
ssh sftp peer-public-key authentication { enable | disable }
Default Value
disable
Recommended Value
enable
Correction Suggestion
Run the ssh sftp peer-public-key authentication enable command to enable public key
authentication for the SFTP server on the client.
Implementation Impact
After public key authentication is enabled on the SFTP server, if no public key is configured
on the server or public key authentication fails, file transfer fails.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 34
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
2.3.1.5 Configuring a Secure TLS Communication Channel
2.3.1.5.1 Configuring a Secure SSL Algorithm Suite
Description
Check whether an SSL algorithm suite contains weak algorithms.
If an insecure algorithm suite is used by the SSL policy, information (such as log information
and configuration data) transmitted by the protocol may be leaked.
Configuration Command
cipher-suite exclude key-exchange rsa
cipher-suite exclude cipher mode cbc
cipher-suite exclude hmac sha1
Default Value
All algorithms supported by SSL are secure algorithms.
Recommended Value
No insecure algorithms are supported by SSL.
Correction Suggestion
1. Run the cipher-suite exclude key-exchange rsa command to disable the RSA key
exchange algorithm.
2. Run the cipher-suite exclude cipher mode cbc command to disable the CBC encryption
algorithm.
3. Run the cipher-suite exclude hmac sha1 command to disable the HMAC-SHA1
algorithm.
Implementation Impact
If insecure algorithm suites are disabled, you need to ensure that the secure algorithm suites
are supported by both the client and server. Otherwise, authentication between the client and
server fails.
2.3.1.6 Configuring a Secure Log Transmission Channel
2.3.1.6.1 Configuring a Secure Syslog Transmission Channel
Description
Check whether a syslog transmission channel is secure. If a device does not use a secure
channel to connect to a syslog server, logs may be uploaded to a spoofed server, and log
information may be tampered with or leaked during transmission.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 35
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
Configuration Command
loghost add { ip-address | ipv6-address } hostname [ local0 | local1 | local2 | local3 | local4 |
local5 | local6 | local7 | transporttcp [ ssl-policy policy-name [ verify-dns-name dns-name ] ]
| vpn-instance vpn-instance-name | severity { emergency | alert | critical | error | warning |
notice | informational | debug } * ] *
Default Value
Syslog-related parameters need to be manually configured.
Recommended Value
The syslog transmission protocol must be carried on an SSL channel by binding the SSL
policy to the device.
Correction Suggestion
Run the loghost add command to configure the syslog server to transmit data in SSL mode.
Implementation Impact
If a syslog server is configured to be connected in SSL encryption mode, the syslog server
must be configured with a trust certificate that matches the host identity certificate. Otherwise,
the connection fails to be established.
2.3.1.7 Server Protocol Source Interface and Source IP Address
Management
2.3.1.7.1 Binding the Server Protocol to the Source Interfaces
Description
Check whether the server protocol is bound to all source interfaces.
If the server protocol is bound to all source interfaces, system services are listened on at
unnecessary IP addresses, resulting in risks of attacking on the system services.
Configuration Command
sysman server source { ancp-proxy | ipdr | netconf | portal | snmp | ssh | telnet | trace |
twamp | web-proxy } { any-interface | meth meth-index | loopback loopback-index | vlanif
vlanif-index }
Default Value
any-interface (indicating that the service is bound to all types of interfaces on the device)
Recommended Value
meth, loopback, vlanif
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 36
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
Correction Suggestion
Run the sysman server source command to bind the service protocol to a specified source
interface, such as a meth interface, loopback interface, or VLANIF interface.
Implementation Impact
None
2.3.1.7.2 Binding the Server Protocol to an All-Zero IP Address
Description
Check whether the server protocol is bound to an all-zero IP address.
If the server protocol is bound to all source interfaces or all source IP addresses, system
services are listened on at unnecessary IP addresses, resulting in risks of attacking on the
system services.
Configuration Command
sysman server source { netconf |snmp | ssh | telnet | web-proxy } ipv6 ipv6address
[ vpn-instance vpn-instance-name ]
Default Value
None
Recommended Value
Not-all-zero IP address (Currently, only IPv6 addresses are supported.)
Correction Suggestion
Run the sysman server source { netconf | snmp | ssh | telnet | web-proxy } ipv6
ipv6address command to bind the service to a specified IPv6 address instead of an all-zero IP
address.
Implementation Impact
None
2.3.1.8 Configuring a Security Channel with Remote Software
Commissioning
2.3.1.8.1 Configuring a Secure TLS Channel for NAC Remote Software Commissioning
Description
If the NAC security mode is disabled, the configuration parameters of the slave node may be
leaked. You are advised to enable the NAC security mode.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 37
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
Configuration Command
nac enable [ lock ] master security frameid/slotid [ portlist ]
undo nac master security frameid/slotid [ portlist ]
Default Value
Enabled
Recommended Value
Enabled
Correction Suggestion
1. In privilege mode, run the display nac configuration master command to check
whether the security mode is enabled on the master node.
2. If the security mode is disabled, run the nac enable [ lock ] master security
frameid/slotid [ portlist ] command in global config mode to enable NAC and the NAC
security mode.
Implementation Impact
The master and extended subracks negotiate the algorithm for packet encryption. If they
cannot agree on the encryption algorithm, the pre-deployment parameters cannot be delivered,
resulting in service pre-deployment failure.
2.3.1.8.2 Configuring Identity Authentication by Device Certificate for NAC Remote
Software Commissioning on an Extended Subrack
Description
When the device needs to establish the NAC security channel according to the authentication
mode, use this configuration. When the authentication mode of the NAC channel is none, the
slave node may be spoofed. You are advised to set the authentication mode to certificate.
Configuration Command
nac authentication-mode { none | certificate } frameid/slotid [ portlist ]
Default Value
certificate
Recommended Value
certificate
Correction Suggestion
1. In privilege mode, run the display nac configuration master command to check
whether the authentication mode of the NAC channel is certificate.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 38
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
2. If the authentication mode is not certificate, run the nac authentication-mode { none |
certificate } frameid/slotid [ portlist ] command in global config mode to set the
authentication mode to certificate.
When the authentication mode of the NAC channel is certificate, you need to bind a PKI domain to the
NAC channel for normal authentication. You can run the nac bind pki-domain command to bind a PKI
domain.
Implementation Impact
After the certificate authentication mode is enabled, the master subrack uses the pre-deployed
certificate to authenticate an extended subrack. If the authentication fails, service
pre-deployment or transparent channel login fails.
2.3.2 Data Plane
2.3.2.1 Configuring a System Master Key
2.3.2.1.1 Configuring the Automatic Update Policy for the System Master Key
Description
Check whether a master key is configured in the system or whether the master key is
automatically updated. If the system master key is not manually configured periodically or the
automatic update of the system master key is disabled, one key is used for a long time and is
vulnerable to cracking, leading to confidential information leakage.
Configuration Command
set master-key
set master-key auto-update interval interval-time
Default Value
Disabled
Recommended Value
Enabled
Correction Suggestion
Run the set master-key command or the set master-key auto-update command to manually
configure the system master key or enable automatic update of the system master key.
Implementation Impact
After the system master key is reset or automatic master key update is enabled, you are
advised to configure the exporting key for the master key. Otherwise, the configuration files
or database backed up on the device cannot be imported to other devices.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 39
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
2.3.3 Control Plane
2.3.3.1 Defense Against Control Packet DoS Attacks on the User Side
2.3.3.1.1 Configuring a Rate Limit Against Broadcast Attacks
Description
To enable traffic rate limit against broadcast attacks, use this configuration. After this
command is successfully executed, the system starts to detect whether there are excessive
ONT broadcast packets.
Configuration Command
security anti-broadcast-attack traffic-limit
undo security anti-broadcast-attack traffic-limit
security anti-broadcast-attack rate default xpon ont { value | no-limit }
security anti-broadcast-attack rate ont { all | frameid/slotid | frameid/slotid/portid [ ontid ] }
{ value | no-limit }
Default Value
Disabled
Recommended Value
Enabled
Correction Suggestion
1. In privilege mode, run the display security anti-broadcast-attack config command to
query the default rate threshold against broadcast attacks on an ONT and check whether
the traffic rate limit is enabled on the ONT.
2. If the function is disabled, run the security anti-broadcast-attack traffic-limit
command to enable it.
3. If the default rate threshold against broadcast attacks on the ONT is no-limit, run the
display security anti-broadcast-attack rate ont { frameid/slotid | frameid/slotid/portid
[ ontid ] } command to query the rate threshold.
4. If the rate threshold against broadcast attacks on the ONT is also no-limit, run the
security anti-broadcast-attack rate default xpon ont { value | no-limit } command to
set the default rate threshold or run the security anti-broadcast-attack rate ont { all |
frameid/slotid | frameid/slotid/portid [ ontid ] } { value | no-limit } command to set the
rate threshold against broadcast attacks on the ONT.
Implementation Impact
The system starts to detect whether there are excessive ONT broadcast packets. If it is
detected that the broadcast packet rate exceeds the threshold set by the security
anti-broadcast-attack rate ont command, the system is overloaded. The system discards the
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 40
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
broadcast packets whose rate exceeds the rate limit without reporting an alarm or shutting
down the ONT.
2.3.3.2 Defense Against Control Packet Spoofing on the User Side
2.3.3.2.1 Configuring Defense Against IP Spoofing
Description
To prevent malicious users from forging IP addresses to send packets to attack a device, use
this configuration. After defense against IP spoofing is enabled, the system binds a user with
an IP address automatically. Only when the source IP address of a user packet is the same as
the bound IP address, the user packet is transmitted upstream through the device. Otherwise,
the packet is discarded.
Configuration Command
security anti-ipspoofing { enable | disable }
security anti-ipspoofing service-port index { enable | disable }
Default Value
Global: disable
VLAN service profile: enable
Service flow: enable
Recommended Value
enable
Correction Suggestion
1. In privilege mode, run the display security config command to check whether defense
against IP spoofing is enabled.
2. If the function is disabled, run the security anti-ipspoofing enable command in global
config mode to enable defense against IP spoofing.
3. In global config mode, run the display vlan service-profile command to check whether
defense against IP spoofing is enabled for VLANs.
4. If this function is disabled, run the vlan service-profile command to enter the VLAN
service profile mode, and then run the security anti-ipspoofing enable and commit
commands to enable defense against IP spoofing for VLANs.
5. In global config mode, run the display security anti-ipspoofing service-port command
to check whether IP spoofing is enabled for service flows.
6. If this function is disabled, run the security anti-ipspoofing service-port command to
enable defense against IP spoofing for service flows.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 41
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
Implementation Impact
The system binds a user with an IP address automatically. Only when the source IP address of
a user packet is the same as the bound IP address, the user packet pass through the device for
upstream transmission. Otherwise, the packet is discarded.
For DHCP users who dial up and go online before defense against IP spoofing is enabled,
services of these users are interrupted immediately after the function is enabled because there
are no dynamic IP address binding entries. To restore services, the users must re-dial up or
renew the lease so that the defense against IP spoofing feature can generate dynamic IP
address binding entries for them. In addition, the dial-up performance deteriorates.
If the VLAN forwarding mode is S+C, it is recommended that you disable defense against IP spoofing.
If a port on a board functions as a cascading port, defense against IP spoofing does not take effect.
2.3.3.2.2 Configuring Defense Against IPv6 Spoofing
Description
To prevent malicious users from forging IPv6 addresses to send packets to attack a device, use
this configuration. After defense against IPv6 spoofing is enabled, the system binds a user to
an IPv6 address automatically. Only when the first 64 bits of the source IPv6 address of a user
packet are the same as the first 64 bits of the bound IPv6 address, the packet can be
transmitted upstream to the network side through the device. Otherwise, the packet is
discarded.
Configuration Command
security anti-ipv6spoofing { enable | disable }
security anti-ipv6spoofing service-port service-portid { enable | disable }
Default Value
Global: disable
VLAN service profile: enable
Service flow: enable
Recommended Value
enable
Correction Suggestion
1. In privilege mode, run the display security config command to check whether defense
against IPv6 spoofing is enabled.
2. If the function is disabled, run the security anti-ipv6spoofing enable command in
global config mode to enable defense against IPv6 spoofing.
3. In global config mode, run the display vlan service-profile command to check whether
defense against IPv6 spoofing is enabled for VLANs.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 42
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
4. If this function is disabled, run the vlan service-profile command to enter the VLAN
service profile mode, and then run the security anti-ipv6spoofing enable and commit
commands to enable defense against IPv6 spoofing for VLANs.
5. In global config mode, run the display security anti-ipv6spoofing service-port
command to check whether defense against IPv6 spoofing is enabled for service flows.
6. If this function is disabled, run the security anti-ipv6spoofing service-port command to
enable defense against IPv6 spoofing for service flows.
Implementation Impact
The system binds a user with an IPv6 address automatically. Only when the first 64 bits of the
source IPv6 address of a user packet are the same as the first 64 bits of the bound IPv6
address, the packet can be transmitted upstream to the network side through the device.
Otherwise, the packet is discarded.
For DHCPv6 users or SLAAC users who dial up and go online before defense against IPv6
spoofing is enabled, services of these users are interrupted immediately after the function is
enabled because there are no dynamic IPv6 address binding entries. To restore services, the
users must re-dial up or renew the lease so that the defense against IPv6 spoofing feature can
generate dynamic IPv6 address binding entries for them. In addition, the dial-up performance
deteriorates.
2.3.3.2.3 Configure Defense Against MAC Address Spoofing
Description
To prevent malicious users from forging MAC addresses to send packets to attack a device,
use this configuration. After defense against MAC address spoofing is enabled, the system
automatically binds a MAC address to a service flow. Only when the source MAC address of
a service flow is the same as the bound MAC address, the service flow can be transmitted
upstream through the device. Otherwise, the service flow is discarded. This can prevent
DHCP and PPPoE users from attacking the device by forging MAC addresses.
Configuration Command
security anti-macspoofing { enable | disable }
security anti-macspoofing vlan vlanid [ dedicated-net-id dedicated-net-id ] { enable |
disable }
security anti-macspoofing service-port service-portid { enable | disable }
Default Value
Global: disable
VLAN service profile: not configured
Discrete VLAN: disable
Service flow: enable
Recommended Value
enable
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 43
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
Correction Suggestion
1. Enable defense against MAC address spoofing globally.
a. In privilege mode, run the display security config command to check whether
defense against MAC address spoofing is enabled.
b. If the function is disabled, run the security anti-macspoofing enable command in
global config mode to enable defense against MAC address spoofing.
2. Enable MAC address spoofing for VLANs. Choose either of the following configuration
modes:
Mode 1: Enable defense against MAC address spoofing for discrete VLANs.
a. In global config mode, run the display vlan-feature command to check whether
defense against MAC address spoofing is enabled for VLANs.
b. If this function is disabled, run the security anti-macspoofing vlan command to
enable defense against MAC address spoofing for VLANs.
Mode 2: Enable defense against MAC address spoofing for VLAN service profiles.
a. In global config mode, run the display vlan service-profile command to check
whether defense against MAC address spoofing is enabled for VLANs.
b. If this function is disabled, run the vlan service-profile command to enter the
VLAN service profile mode, and then run the security anti- macspoofing enable
and commit commands to enable defense against MAC address spoofing for
VLANs.
3. In global config mode, run the display security anti- macspoofing service-port
command to check whether defense against MAC address spoofing is enabled for service
flows.
4. If this function is disabled, run the security anti- macspoofing service-port command
to enable defense against MAC address spoofing for service flows.
Implementation Impact
The system automatically binds a MAC address to a service flow. Only when the source MAC
address of a service flow is the same as the bound MAC address, the service flow can be
transmitted upstream through the device. Otherwise, the service flow is discarded. This can
prevent PPPoE, DHCP, DHCPv6, and SLAAC users from attacking the device by forging
MAC addresses.
For PPPoE, DHCP, DHCPv6, and SLAAC users who dial up and go online before defense
against MAC address spoofing is enabled, services of these users are interrupted immediately
after the function is enabled because there are no dynamic MAC address binding entries. To
restore services, the users must re-dial up or renew the lease so that the defense against MAC
address spoofing feature can generate dynamic MAC address binding entries for them. In
addition, the dial-up performance deteriorates.
2.3.3.2.4 Configuring Defense Against MAC Address Flapping
Description
After defense against MAC address flapping is enabled, the system records the first MAC
address learned from a port and binds the address to the port and VLAN. If the system
receives a packet sent from a host with the same MAC address from other low-priority ports,
the system discards the packet directly. This can prevent malicious users from forging MAC
addresses to attack the device.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 44
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
Configuration Command
security anti-macduplicate { enable | disable }
security anti-macduplicate vlan vlanid [ dedicated-net-id dedicated-net-id ] { enable |
disable }
Default Value
Global: disable
VLAN: enable
Recommended Value
enable
Correction Suggestion
1. Enable defense against MAC address flapping globally.
a. In privilege mode, run the display security config command to check whether
defense against MAC address flapping is enabled.
b. If the function is disabled, run the security anti- macduplicate enable command in
global config mode to enable defense against MAC address flapping.
2. Enable defense against MAC address flapping for VLANs. Choose either of the
following configuration modes:
Mode 1: Enable defense against MAC address flapping for discrete VLANs.
a. In global config mode, run the display vlan-feature command to check whether
defense against MAC address flapping is enabled for VLANs.
b. If this function is disabled, run the security anti- macduplicate vlan command to
enable defense against MAC address flapping for VLANs.
Mode 2: Enable defense against MAC address flapping for VLAN service profiles.
a. In global config mode, run the display vlan service-profile command to check
whether defense against MAC address flapping is enabled for VLANs.
b. If this function is disabled, run the vlan service-profile command to enter the
VLAN service profile mode, and then run the security anti- macduplicate enable
and commit commands to enable defense against MAC address flapping for
VLANs.
Implementation Impact
The system records the first MAC address learned from a port and binds the address to the
port and VLAN. If the system receives a packet sent from a host with the same MAC address
from other low-priority ports, the system discards the packet directly. This can prevent
malicious users from forging MAC addresses to attack the device.
This issue does not affect the user services on the live network.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 45
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
2.3.3.2.5 Configuring Source Route Filter
Description
To identify and discard IP packets with the source route option and to prevent malicious users
from forging IP packets to attack the carrier network, use this configuration. After source
route filtering is enabled, the device discards the IP packets with the source route option.
Configuration Command
security source-route { enable | disable }
Default Value
disable
Recommended Value
enable
Correction Suggestion
1. In privilege mode, run the display security config command to check whether source
route filtering is enabled.
2. If the function is disabled, run the security source-route enable command in global
config mode to enable source route filtering.
Implementation Impact
The device discards the IP packets with the source route option.
2.3.3.3 Configuring Routing Protocol Communication Security
2.3.3.3.1 Configuring a Secure Authentication Mode for an OSPF Area
Description
If a device establishes a route neighbor relationship with an insecure router and receives
unexpected routes advertised by the neighbor, the device learns incorrect routes.
To prevent routing information from being tampered with and improve security, enable
authentication and use a security algorithm so that the device negotiates only with authorized
devices
Configuration Command
authentication-mode simple [ plain plain-text | [ cipher ] cipher-text ]
authentication-mode { md5 | hmac-md5 | hmac-sha256 } [ key-id { plain plain-text |
[ cipher ] cipher-text } ]
authentication-mode { md5 | hmac-md5 | hmac-sha256 } key-id [ cipher ]
authentication-mode simple cipher
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 46
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
undo authentication-mode
Default Value
No authentication mode is configured for an OSPF area.
Recommended Value
hmac-sha256
Correction Suggestion
1. Configure the OSPF command globally and determine the routing domain to be run.
2. To configure the authentication mode in a routing domain, do as follows:
huawei(config)#ospf 100
huawei(config-ospf-100)#area 0
huawei(config-ospf-100-area-0.0.0.0)#authentication-mode hmac-sha256 1 cipher
Implementation Impact
The neighbor device must also be configured with the matching authentication algorithm.
Otherwise, protocol negotiation fails if the authentication algorithm is modified on an NE.
2.3.3.3.2 Configuring a Secure Authentication Mode for OSPF Interfaces
Description
If a device establishes a route neighbor relationship with an insecure router and receives
unexpected routes advertised by the neighbor, the device learns incorrect routes.
To prevent routing information from being tampered with and improve security, enable
authentication and use a security algorithm so that the device negotiates only with authorized
devices.
Configuration Command
ospf authentication-mode simple [ plain plain-text | [ cipher ] cipher-text ]
ospf authentication-mode { md5 | hmac-md5 | hmac-sha256 } [ key-id { plain plain-text |
[ cipher ] cipher-text } ]
ospf authentication-mode null
ospf authentication-mode simple cipher password
ospf authentication-mode { md5 | hmac-md5 | hmac-sha256 } key-id [ cipher ] password
undo ospf authentication-mode
Default Value
No authentication mode is configured for OSPF interfaces.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 47
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
Recommended Value
hmac-sha256
Correction Suggestion
1. Determine the Layer 3 interfaces on which OSPF is enabled.
2. To configure the OSPF authentication mode, do as follows:
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ospf authentication-mode hmac-sha256 1 cipher password
Implementation Impact
The neighbor device must also be configured with the matching authentication algorithm.
Otherwise, protocol negotiation fails if the authentication algorithm is modified on an NE.
2.3.3.3.3 Configuring a Secure Authentication Mode for OSPFv3 Interfaces
Description
If a device establishes a route neighbor relationship with an insecure router and receives
unexpected routes advertised by the neighbor, the device learns incorrect routes.
To prevent routing information from being tampered with and improve security, enable
authentication and use a security algorithm so that the device negotiates only with authorized
devices.
Configuration Command
authentication-mode hmac-sha256 key-id key-id { plain plain-text | [ cipher ] cipher-text }
authentication-mode { hmac-sha256 key-id key-id [ cipher ] }
authentication-mode { keychain Keychain-Name }
undo authentication-mode hmac-sha256 key-id key-id
undo authentication-mode { keychain Keychain-Name }
Default Value
No authentication mode or password is configured for an OSPFv3 process or area.
Recommended Value
hmac-sha256
Correction Suggestion
1. Determine the OSPFv3 process and area.
2. Configure the authentication mode for the process and area respectively.
To configure HMAC-SHA256 authentication for OSPFv3 process 100, do as follows:
huawei(config)#ospfv3 100
huawei(config-ospfv3-100)#authentication-mode hmac-sha256 key-id 10 cipher
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 48
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
To configure HMAC-SHA256 authentication for OSPFv3 area 0, do as follows:
huawei(config)#ospfv3 100
huawei(config-ospfv3-100)#area 0
huawei(config-ospfv3-100-area-0.0.0.0)#authentication-mode hmac-sha256 key-id 10
cipher
Implementation Impact
The neighbor device must also be configured with the matching authentication algorithm.
Otherwise, protocol negotiation fails if the authentication algorithm is modified on an NE.
2.3.3.3.4 Configuring a Secure Authentication Mode for OSPF Vlink Peers
Description
If a device establishes a route neighbor relationship with an insecure router and receives
unexpected routes advertised by the neighbor, the device learns incorrect routes.
To prevent routing information from being tampered with and improve security, enable
authentication and use a security algorithm so that the device negotiates only with authorized
devices.
Configuration Command
vlink-peer router-id [ hello hello-interval | retransmit retransmit-interval | trans-delay
trans-delay-interval | dead dead-interval | smart-discover | [ simple [ plain plain-text |
[ cipher ] cipher-text ] | { hmac-sha256 | md5 | hmac-md5 } [ key-id { plain plain-text |
[ cipher ] cipher-text } ] | authentication-null ] ] *
vlink-peer router-id [ hello hello-interval | retransmit retransmit-interval | trans-delay
trans-delay-interval | dead dead-interval | smart-discover ] * { simple cipher password }
vlink-peer router-id [ hello hello-interval | retransmit retransmit-interval | trans-delay
trans-delay-interval | dead dead-interval | smart-discover ] * { { hmac-sha256 | md5 |
hmac-md5 } key-id [ cipher ] password }
undo vlink-peer router-id { hello | retransmit | trans-delay | dead | simple | hmac-sha256 |
md5 | hmac-md5 | authentication-null | smart-discover }
Default Value
No authentication mode is configured for OSPF virtual interfaces.
Recommended Value
hmac-sha256
Correction Suggestion
1. Confirm the OSPF domain.
2. To configure the authentication mode for vlink peers, do as follows:
huawei(config)#ospf 100
huawei(config-ospf-100)#area 2
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 49
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
huawei(config-ospf-100-area-0.0.0.2)#vlink-peer 10.1.1.1 hmac-sha256 1 password
Implementation Impact
The neighbor device must also be configured with the matching authentication algorithm.
Otherwise, protocol negotiation fails if the authentication algorithm is modified on an NE.
2.3.3.3.5 Configuring a Secure Authentication Algorithm for LDP Public Network Peers
Description
If a device implements LDP learning from an insecure router and receives unexpected labels
advertised by the peer device, the device learns incorrect forwarding entries.
To prevent forwarded information from being tampered with and improve security, enable
authentication and use a security algorithm so that the device negotiates only with authorized
devices.
Configuration Command
keychain keychain-name
keychain keychain-name mode { absolute | periodic { daily | weekly | monthly | yearly } }
undo keychain keychain-name
algorithm { md5 | sha-1 | hmac-md5 | hmac-sha1-12 | hmac-sha1-20 | hmac-sha-256 |
sha-256 | sm3 | hmac-sha-384 | hmac-sha-512 }
undo algorithm
authentication key-chain peer peer-id name keychain-name
undo authentication key-chain peer peer-id
Default Value
LDP key chain authentication is disabled.
Recommended Value
Bind a key chain to the authentication and use a secure algorithm (SHA-256,
HMAC-SHA-256, HMAC-SHA-384, or HMAC-SHA-512).
Correction Suggestion
1. Configure a key chain.
huawei(config)#keychain test mode absolute
2. To use a secure algorithm, such as SHA-256, HMAC-SHA-256, HMAC-SHA-384, or
HMAC-SHA-512, in key ID mode, do as follows:
huawei(config-keychain-test)#key-id 1
huawei(config-keychain-test-keyid-1)#algorithm hmac-sha-256
3. Run the authentication key-chain peer command in MPLS-LDP mode as follows:
huawei(config-mpls-ldp)#authentication key-chain peer 10.2.2.2 name test
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 50
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
Implementation Impact
The peer device must also be configured with the matching authentication algorithm.
Otherwise, protocol negotiation fails if the authentication algorithm is modified on an NE.
2.3.3.3.6 Configuring a Secure Authentication Mode for RSVP Interfaces
Description
If a device implements RSVP negotiation with an insecure router and receives unexpected
information advertised by the peer device, the device learns incorrect forwarding entries.
To prevent forwarded information from being tampered with and improve security, enable
authentication and use a security algorithm so that the device negotiates only with authorized
devices.
Configuration Command
Interface Mode
mpls rsvp-te authentication
Default Value
RSVP key chain authentication is disabled.
Recommended Value
Bind a key chain to the authentication and use a secure algorithm (SHA-256,
HMAC-SHA-256, HMAC-SHA-384, or HMAC-SHA-512).
Correction Suggestion
1. Configure a key chain.
huawei(config)#keychain test mode absolute
2. To use a secure algorithm, such as SHA-256, HMAC-SHA-256, HMAC-SHA-384, or
HMAC-SHA-512, in key ID mode, do as follows:
huawei(config-keychain-test)#key-id 1
huawei(config-keychain-test-keyid-1)#algorithm hmac-sha-256
3. Run the mpls rsvp-te authentication keychain command as follows:
huawei(config)#interface vlanif 10
huawei(config-if-vlanif10)#mpls te
huawei(config-if-vlanif10)#mpls rsvp-te
huawei(config-if-vlanif10)#mpls rsvp-te authentication keychain test
Implementation Impact
The peer device must also be configured with the matching authentication algorithm.
Otherwise, protocol negotiation fails if the authentication algorithm is modified on an NE.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 51
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
2.3.3.3.7 Configuring a Secure Authentication Mode for RSVP Peers
Description
If a device implements RSVP negotiation with an insecure router and receives unexpected
information advertised by the peer device, the device learns incorrect forwarding entries.
To prevent forwarded information from being tampered with and improve security, enable
authentication and use a security algorithm so that the device negotiates only with authorized
devices.
Configuration Command
MPLS RSVP-TE neighbor mode
mpls rsvp-te authentication
Default Value
RSVP key chain authentication is disabled.
Recommended Value
Bind a key chain to the authentication and use a secure algorithm (SHA-256,
HMAC-SHA-256, HMAC-SHA-384, or HMAC-SHA-512).
Correction Suggestion
1. Configure a key chain.
huawei(config)#keychain test mode absolute
2. To use a secure algorithm, such as SHA-256, HMAC-SHA-256, HMAC-SHA-384, or
HMAC-SHA-512, in key ID mode, do as follows:
huawei(config-keychain-test)#key-id 1
huawei(config-keychain-test-keyid-1)#algorithm hmac-sha-256
3. To configure authentication in neighbor mode, do as follows:
huawei (config)#mpls
huawei (config-mpls)#mpls rsvp-te
huawei (config-mpls)#mpls rsvp-te peer 1.1.1.1
huawei (config-mpls-rsvp-te-peer-1.1.1.1)#mpls rsvp-te authentication keychain test
Implementation Impact
The peer device must also be configured with the matching authentication algorithm.
Otherwise, protocol negotiation fails if the authentication algorithm is modified on an NE.
2.3.3.3.8 Configuring a Secure Authentication Mode for BGP
Description
If a device establishes a route neighbor relationship with an insecure router and receives
unexpected routes advertised by the neighbor, the device learns incorrect routes.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 52
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
To prevent routing information from being tampered with and improve security, enable
authentication and use a security algorithm so that the device negotiates only with authorized
devices.
Configuration Command
peer { group-name | ipv4-address | ipv6-address } keychain keychain-name
undo peer { group-name | ipv4-address | ipv6-address } keychain
Default Value
Key chain authentication for BGP peers is disabled.
Recommended Value
Bind a key chain to the authentication and use a secure algorithm (SHA-256,
HMAC-SHA-256, HMAC-SHA-384, or HMAC-SHA-512).
Correction Suggestion
1. Configure a key chain.
huawei(config)#keychain test mode absolute
2. To use a secure algorithm, such as SHA-256, HMAC-SHA-256, HMAC-SHA-384, or
HMAC-SHA-512, in key ID mode, do as follows:
huawei(config-keychain-test)#key-id 1
huawei(config-keychain-test-keyid-1)#algorithm hmac-sha-256
3. To configure authentication in BGP mode, BGP-VPN instance IPv4 address family
mode, and BGP-VPN instance mode, do as follows:
huawei(config)#bgp 100
huawei(config-bgp)#peer 10.1.1.2 as-number 200
huawei(config-bgp)#peer 10.1.1.2 keychain test
Implementation Impact
The neighbor device must also be configured with the matching authentication algorithm.
Otherwise, protocol negotiation fails if the authentication algorithm is modified on an NE.
2.3.3.3.9 Configure a Secure Authentication Mode for IS-IS
Description
If a device establishes a route neighbor relationship with an insecure router and receives
unexpected routes advertised by the neighbor, the device learns incorrect routes.
To prevent routing information from being tampered with and improve security, enable
authentication and use a security algorithm so that the device negotiates only with authorized
devices.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 53
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
Configuration Command
isis authentication-mode { simple { plain plain-text | [ cipher ] plain-cipher-text } | md5
{ plain plain-text | [ cipher ] plain-cipher-text } } [ level-1 | level-2 ] [ ip | osi ] [ send-only ]
isis authentication-mode hmac-sha256 key-id key-id { plain plain-text | [ cipher ]
plain-cipher-text } [ level-1 | level-2 ] [ send-only ]
isis authentication-mode [ level-1 | level-2 ] [ ip | osi ] [ send-only ] simple cipher
isis authentication-mode [ level-1 | level-2 ] [ send-only ] hmac-sha256 key-id key-id
[ cipher ]
isis authentication-mode [ level-1 | level-2 ] [ ip | osi ] [ send-only ] md5 [ cipher ]
undo isis authentication-mode [ level-1 | level-2 ]
undo isis authentication-mode { simple { plain plain-text | [ cipher ] plain-cipher-text } |
md5 { plain plain-text | [ cipher ] plain-cipher-text } } [ level-1 | level-2 ] [ ip | osi ]
[ send-only ]
undo isis authentication-mode hmac-sha256 key-id key-id { plain plain-text | cipher
plain-cipher-text } [ level-1 | level-2 ] [ send-only ]
Default Value
No IS-IS authentication is configured.
Recommended Value
hmac-sha256
Correction Suggestion
Configure the IS-IS domain as follows:
huawei(config)#isis 1
huawei(config-isis-1)#area-authentication-mode hmac-sha256 key-id 2
Implementation Impact
The neighbor device must also be configured with the matching authentication algorithm.
Otherwise, protocol negotiation fails if the authentication algorithm is modified on an NE.
2.3.3.3.10 Configuring a Secure Authentication Mode for IS-IS Hello Packets
Description
If a device establishes a route neighbor relationship with an insecure router and receives
unexpected routes advertised by the neighbor, the device learns incorrect routes.
To prevent routing information from being tampered with and improve security, enable
authentication and use a security algorithm so that the device negotiates only with authorized
devices.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 54
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
Configuration Command
isis authentication-mode { simple { plain plain-text | [ cipher ] plain-cipher-text } | md5
{ plain plain-text | [ cipher ] plain-cipher-text } } [ level-1 | level-2 ] [ ip | osi ] [ send-only ]
isis authentication-mode hmac-sha256 key-id key-id { plain plain-text | [ cipher ]
plain-cipher-text } [ level-1 | level-2 ] [ send-only ]
isis authentication-mode [ level-1 | level-2 ] [ ip | osi ] [ send-only ] simple cipher
isis authentication-mode [ level-1 | level-2 ] [ send-only ] hmac-sha256 key-id key-id
[ cipher ]
isis authentication-mode [ level-1 | level-2 ] [ ip | osi ] [ send-only ] md5 [ cipher ]
undo isis authentication-mode [ level-1 | level-2 ]
undo isis authentication-mode { simple { plain plain-text | [ cipher ] plain-cipher-text } |
md5 { plain plain-text | [ cipher ] plain-cipher-text } } [ level-1 | level-2 ] [ ip | osi ]
[ send-only ]
undo isis authentication-mode hmac-sha256 key-id key-id { plain plain-text | cipher
plain-cipher-text } [ level-1 | level-2 ] [ send-only ]
Default Value
No IS-IS Hello authentication is configured.
Recommended Value
hmac-sha256
Correction Suggestion
1. Determine the Layer 3 interfaces on which IS-IS is enabled.
2. To configure authentication in interface mode, do as follows:
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#isis authentication-mode hmac-sha256 key-id 2
Implementation Impact
The neighbor device must also be configured with the matching authentication algorithm.
Otherwise, protocol negotiation fails if the authentication algorithm is modified on an NE.
2.3.3.3.11 Configuring a Secure Authentication Algorithm for RIP Packets
Description
If a device establishes a route neighbor relationship with an insecure router and receives
unexpected routes advertised by the neighbor, the device learns incorrect routes.
To prevent routing information from being tampered with and improve security, enable
authentication and use a security algorithm so that the device negotiates only with authorized
devices.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 55
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
Configuration Command
rip authentication-mode
Default Value
No RIP authentication is configured.
Recommended Value
hmac-sha256
Correction Suggestion
1. Determine the Layer 3 interfaces on which RIP is enabled.
2. To enable the authentication mode on the interface, do as follows:
huawei(config)#interface vlanif 10
huawei(config-if-vlanif10)#rip authentication-mode 200 hmac-sha256
Implementation Impact
The neighbor device must also be configured with the matching authentication algorithm.
Otherwise, protocol negotiation fails if the authentication algorithm is modified on an NE.
2.3.3.4 Configuring NTP Clock Protocol Communication Security
2.3.3.4.1 Configuring a Secure Authentication Algorithm for NTP
Description
If a device establishes a relationship with an insecure NTP server and synchronizes the clock
from the NTP server, the system time is incorrect.
To prevent incorrect time synchronization and improve security, enable authentication and use
a security algorithm so that the device negotiates only with authorized devices.
Configuration Command
ntp-service authentication enable
undo ntp-service authentication enable
ntp-service authentication-keyid key-id authentication-mode { md5 | hmac-sha256 |
aes-128-cmac | aes-256-cmac } [ plain plain-text | [ cipher ] password-key ]
undo ntp-service authentication-keyid key-id
Default Value
No authentication is configured.
Recommended Value
hmac-sha256
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 56
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
Correction Suggestion
To configure the NTP security authentication algorithm, do as follows:
huawei(config)#ntp-service authentication enable
huawei(config)#ntp-service authentication-keyid 10 authentication-mode hmac-sha256
Implementation Impact
The peer device must also be configured with the matching authentication algorithm.
Otherwise, protocol negotiation fails if the authentication algorithm is modified on an NE.
2.3.4 Line Security
2.3.4.1 PON Line Security
2.3.4.1.1 Enabling Encryption of Multicast GEM Port Service Packets on a GPON Line
Description
After this function is enabled, multicast GEM port packets are encrypted over a GPON. If the
multicast service packets carried on a GPON line are not encrypted, the packets may be
leaked.
Configuration Command
port multicast encrypt portid { adapt | disable | enable }
Default Value
disable
Recommended Value
enable
Correction Suggestion
V100R022C00 and later versions
1. In diagnose mode, run the display xpon security risk config detail multicast-gemport
command to check whether a non-recommended multicast GEM port encryption mode is
configured.
2. If a non-recommended multicast GEM port encryption mode is configured, run the
interface gpon command in global config mode to enter the board mode, and then run
the port multicast encrypt portid enable command to enable multicast encryption.
3. In diagnose mode, run the display xpon security risk config detail multicast-gemport
command to check whether the configuration is modified.
Versions earlier than V100R022C00
1. In global config mode, run the interface gpon command to enter the board mode.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 57
SmartAX MA5800
Security Hardening and Maintenance Guide 2 Security Configuration
2. Run the display port info portid command to query information about all ports and
check whether the multicast encrypt mode is off.
3. If the multicast encrypt mode is off, run the port multicast encrypt portid enable
command to enable multicast encryption.
4. Run the display port info portid command to query information about all ports and
check whether the multicast encrypt mode is modified.
Implementation Impact
An ONT must support GEM port encryption. Otherwise, the ONT goes offline and services
are interrupted when this function is enabled.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 58
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
3 Security Hardening
This section describes the security hardening policies, including attack behavior, security
policies, and operation procedures, to help users enhance network and switch security. In
addition, the document provides guidance for users to perform hardening and maintenance
from the management, control, and end-user planes.
3.1 Overview
Before performing security hardening on switches, get familiar with the following
information to well understand security hardening policies in this document.
Before carrying out security hardening, perform the following operations:
Fully understand service requirements: Security is always service-oriented. An
appropriate security hardening policy can be developed only after the security protection
requirements of the service system are clearly understood.
Evaluate risks comprehensively: Analyze security threats to the service system, identify
vulnerabilities of the service system, balance the service system value against security
hardening costs, and comprehensively evaluate security risks. Provide defense measures
against unacceptable security risks. Treat acceptable risks as remaining risks, and
periodically review them throughout the service system life cycle to determine whether
to escalate the risk levels.
Design a security hardening solution: Based on the comprehensive risk evaluation,
design a solution that meets service requirements. Security is ensured by design, but not
configuration. Every security hardening engineer should adequately understand this
principle.
Implement security hardening policies: Before the implementation, evaluate the policy
impact on services to prevent service loss.
After security hardening is complete, continuous monitoring and maintenance on the service
system are required, which can help locate faults promptly, adjust security hardening policies,
and ensure that the policies have taken effect as expected. To sum up, security hardening is
a process requiring continuous improvement.
Hardening Principles
Security hardening must comply with the following principles:
Minimum number of accounts
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 59
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Minimum permission
Dedication
Auditing
Security Hardening Policy Levels
Based on network security requirements, security hardening policies can be classified into two
levels: Level-1 and Level-2.
Level-1: security hardening policies that must be configured
Level-2: enhanced security hardening policies which can be configured based on service
requirements
3.2 Level-1 Security Hardening Policies and
Configurations (Mandatory)
3.2.1 Management Plane
3.2.1.1 Account and Password Management Security
3.2.1.1.1 Changing Default Passwords
Default Device Accounts and Passwords
Table 3-1 Default device accounts and passwords
Account Account Function Default User Default Password
Type Name
Login After the device is powered root admin123
account of on, you can use this account to NOTE
the log in to the CLI of the device The default password
command-l to configure and manage the must be changed upon
ine device. the first login in
interface V100R020C00 and later
(CLI) versions.
BIOS login If you cannot log in to the N/A huawei123
account CLI, use this account to log in NOTE
to the BIOS. The default password
must be changed upon
the first login in
V100R020C00 and later
versions.
Network When NETCONF ZTP is used ncroot NFRoot.123
Configurati for deployment, NCE uses this
on Protocol account to log in to devices
(NETCON through NETCONF for
F) login configuration and
account management.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 60
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Account Account Function Default User Default Password
Type Name
System This account is used by the root N/A
process system process and cannot be
account accessed externally.
NOTE
This account is for internal use
only and cannot be used for
login.
System This account is used by the ftpvrpv8 [email protected]
process system process and cannot be
account accessed externally.
NOTE
This account is for internal use
only and cannot be used for
login. Only versions earlier than
V100R023C00 support this
account.
System This account is used by the lm_user N/A
process system process and cannot be
account accessed externally.
NOTE
This account is for internal use
only and cannot be used for
login.
Internal This account is used by the sm_user N/A
account system process and cannot be
accessed externally.
NOTE
This account is for internal use
only and cannot be used for
login.
Internal This account is used by the cfg_user N/A
account system process and cannot be
accessed externally.
NOTE
This account is for internal use
only and cannot be used for
login.
Internal This account is used by the srv_user N/A
account system process and cannot be
accessed externally.
NOTE
This account is for internal use
only and cannot be used for
login.
Internal This account is used by the proto1_user N/A
account system process and cannot be
accessed externally.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 61
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Account Account Function Default User Default Password
Type Name
NOTE
This account is for internal use
only and cannot be used for
login.
Internal This account is used by the proto2_user N/A
account system process and cannot be
accessed externally.
NOTE
This account is for internal use
only and cannot be used for
login.
Internal This account is used by the app_user N/A
account system process and cannot be
accessed externally.
NOTE
This account is for internal use
only and cannot be used for
login.
Internal This account is used by the xpon_user N/A
account system process and cannot be
accessed externally.
NOTE
This account is for internal use
only and cannot be used for
login.
Internal This account is used by the btv_user N/A
account system process and cannot be
accessed externally.
NOTE
This account is for internal use
only and cannot be used for
login.
Internal This account is used by the omu_user N/A
account system process and cannot be
accessed externally.
NOTE
This account is for internal use
only and cannot be used for
login.
Internal This account is used by the wce_user N/A
account system process and cannot be
accessed externally.
NOTE
This account is for internal use
only and cannot be used for
login.
Internal This account is used by the baes_user N/A
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 62
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Account Account Function Default User Default Password
Type Name
account system process and cannot be
accessed externally.
NOTE
This account is for internal use
only and cannot be used for
login.
Internal This account is used by the secudetect_user N/A
account system process and cannot be
accessed externally.
NOTE
This account is for internal use
only and cannot be used for
login.
Internal This account is used by the emp_user N/A
account system process and cannot be
accessed externally.
NOTE
This account is for internal use
only and cannot be used for
login.
Internal This account is used by the otdr_user N/A
account system process and cannot be
accessed externally.
NOTE
This account is for internal use
only and cannot be used for
login.
Internal This account is used by the telemetry_user N/A
account system process and cannot be
accessed externally.
NOTE
This account is for internal use
only and cannot be used for
login.
Internal This account is used by the uam_user N/A
account system process and cannot be
accessed externally.
NOTE
This account is for internal use
only and cannot be used for
login.
Internal This account is used by the oam1_user N/A
account system process and cannot be
accessed externally.
NOTE
This account is for internal use
only and cannot be used for
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 63
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Account Account Function Default User Default Password
Type Name
login.
Internal This account is used by the ssmp_user N/A
account system process and cannot be
accessed externally.
NOTE
This account is for internal use
only and cannot be used for
login.
Internal This account is used by the aec_user N/A
account system process and cannot be
accessed externally.
NOTE
This account is for internal use
only and cannot be used for
login.
Internal This account is used by the otn_user N/A
account system process and cannot be
accessed externally.
NOTE
This account is for internal use
only and cannot be used for
login.
Internal This account is used by the tpm_user N/A
account system process and cannot be
accessed externally.
NOTE
This account is for internal use
only and cannot be used for
login.
Internal This account is used by the l3p_user N/A
account system process and cannot be
accessed externally.
NOTE
This account is for internal use
only and cannot be used for
login.
Internal This account is used by the drv_user N/A
account system process and cannot be
accessed externally.
NOTE
This account is for internal use
only and cannot be used for
login.
Internal This account is used by the bootusr N/A
account board bootapp process and
cannot be accessed externally.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 64
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Account Account Function Default User Default Password
Type Name
NOTE
This account is for internal use
only and cannot be used for
login.
Internal This account is used by the operator N/A
account board cfg process and cannot
be accessed externally.
NOTE
This account is for internal use
only and cannot be used for
login.
Internal This account is used by the stack N/A
account board protocol process and
cannot be accessed externally.
NOTE
This account is for internal use
only and cannot be used for
login.
Differences in Login Password Rules
Table 3-2 Differences between password rules for logging in to the CLI and BIOS of different
versions
Item Version Earlier Than V100R020C0 V100R020C V100R021C00
V100R020C00 0 and 10 and and later
Patched Patched versions
Version Version
Passwor CLI login user: CLI login CLI login CLI login user:
d Length For the default user user: 8–15 user: 12–15 12–128
(Default) (root): 8–15
For other users: 6–15
BIOS login user: 8–32
Complex A password must contain at A password A password must contain
ity least one digit (0–9) and must contain uppercase letters (A–Z),
(Default) one letter (a–z, A–Z). at least one lowercase letters (a–z), special
Letters are case sensitive. digit (0–9) characters, and digits (0–9).
and one letter
(a–z, A–Z).
Letters are
case sensitive.
Passwor After the default user The password The password of the default
d change (root), a new user, or a user of the default user (root) must be changed,
rules whose password has been user (root) and BIOS password must be
reset logs in to the CLI for must be set upon the first CLI login.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 65
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Item Version Earlier Than V100R020C0 V100R020C V100R021C00
V100R020C00 0 and 10 and and later
Patched Patched versions
Version Version
the first time, password changed, and After a new user or a user
changing is not mandatory. BIOS whose password has been reset
Password changing is not password logs in to the CLI for the first
mandatory upon the first must be set time, password changing is
login to the BIOS. upon the first mandatory.
CLI login.
After a new
user or a user
whose
password has
been reset
logs in to the
CLI for the
first time,
password
changing is
not
mandatory.
Attack Behavior
If the default passwords are not changed in time after the device is deployed, attackers may
use the passwords to log in to the system and obtain the device management rights.
Security Policy
Before logging in to the CLI or BIOS of a new device for the first time, you need to
change the default passwords of the CLI and BIOS.
A password with low complexity is vulnerable to attacks and cracking by unauthorized
users, which affects device security. Maintenance engineers must ensure that the
password length and complexity meet security requirements when setting a password.
The password setting suggestions are as follows:
− Length: A password contains at least 12 characters.
− Complexity: A password contains uppercase letters (A–Z), lowercase letters (a–z),
special characters, and digits (0–9).
− Do not use a password with low complexity. A password cannot be the same as the
user name or the user name in reverse order.
Procedure
1. Use the default user name and password to log in to the CLI.
2. Change the default password of the root user and the BIOS password as prompted.
(V100R021C10 is used as an example.)
>>User name:root
>>User password:
When you first log on the system. Change your password
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 66
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
New Password(length<12,128>):
Confirm Password(length<12,128>):
The extended BIOS password of the active control board is required to modify
New Password(length<12,15>):
Confirm Password(length<12,15>):
The extended BIOS password of the standby control board is required to modify
New Password(length<12,15>):
Confirm Password(length<12,15>):
3.2.1.1.2 CLI Login Account and Password Management
Attack Behavior
Potential attackers may attempt to crack the user name and password through network
connections to obtain the device management rights.
Security Policy
When a user attempts to log in to a device through the CLI, the user must be authenticated
using the user name and password. Users are classified into different levels, and users at
different levels have different operation rights.
Table 3-3 Differences in system management users between versions
Version Earlier Than V100R020C00 V100R020C00 and Later
System management users are classified System management users are classified
into four levels: super user, administrator, into three levels: administrator, operator,
operator, and common user. and common user.
By default, the root user is a super user. By default, the root user is an administrator.
The super user can create administrator An administrator can create operators and
users. An administrator can create operators common users, and can also create
and common users, but cannot create administrators.
administrators.
Only the root user can run the commands at Administrators can run all commands in the
super user level. system.
Only the super user can enter the su mode. All administrators can enter the su mode,
but only one administrator can enter the su
mode at a time.
The maximum number of online root users The maximum number of online root users
is fixed to 1 and cannot be changed. is 1 by default and can be changed.
To defend against the preceding attacks, you need to ensure the security of the CLI login
accounts and passwords.
The security information involved in CLI account management includes the user name,
password, and user profile.
A user profile is recommended for checking user information and setting the validity
period of a user, expiration date of a password, and permitted login time.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 67
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
The minimum length of passwords can be configured to ensure password security. It is
recommended that a password contains no less than 12 characters and meets complexity
requirements.
The system supports the weak password database function. You cannot use a password in
the weak password database when setting or changing a password. The weak password
database is empty by default. You are advised to run the system user password exclude
command to add insecure passwords to the weak password database.
The system supports the weak password dictionary function in V100R020C10 and later
versions.. You cannot use the passwords in the weak password dictionary during
password configuration. The system provides a default weak password dictionary. To use
a user-defined weak password dictionary, run the load password-dictionary command
to load the dictionary.
The weak password dictionary is checked only when a new user is added or a user changes the password.
When an earlier version is upgraded to a version that supports the weak password dictionary function,
passwords configured in the database are encrypted using an irreversible algorithm and the weak
password dictionary check is not performed.
Procedure
Step 1 Create a user and associate the user with a proper user profile.
1. Run the terminal user-profile command to create a user profile.
2. Run the terminal user name command to create a user and specify a user profile for the
user.
3. Run the terminal user user-profile command to change the profile of an existing user.
Step 2 Run the system user password security-length command to set the minimum password
length.
Step 3 Run the system user password exclude command to add insecure passwords to the weak
password database.
Step 4 (Optional) Run the load password-dictionary command to load a user-defined weak
password dictionary.
----End
3.2.1.2 Device Login Security
Attack Behavior
If a valid user logs in to the system and leaves the site for a long time without logging out, a
malicious user may take over and perform illegal operations. A malicious user may also try to
crack the system account and password to log in to the system through continuous attempts.
Security Policy
A user who logs in to the system and then leaves the site for a long period of time must
exit the system to prevent the system from being operated by another user. The system
supports automatic logout. If there is no keyboard input for a long time, a user is forcibly
logged out. You are advised to set the idle time before automatic logout to 5 minutes
(default).
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 68
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
The system locks out an account or corresponding IP address if the number of login
failures exceeds the permitted number of login attempts. This function is enabled by
default to prevent unauthorized users from cracking the system account and password
through continuous attempts.
− Versions earlier than V100R020C00: The lockout time is fixed to 1 minute for the
root user. The default lockout time for other users is 15 minutes and can be set by
running the system lock interval command.
− V100R020C00 and later versions: The default lockout time for all users is 15
minutes and can be set by running the system lock interval command.
The system supports the management channel firewall function. After a management
channel firewall is configured, only management terminals with authorized IP addresses
can log in to the system.
Procedure
1. Run the idle-timeout command to set the terminal login timeout time.
Run the idle-timeout command to set the terminal login timeout time as required. After
logging in to the system and finishing operations, log out of the system promptly.
2. Configure the lockout policy for system login.
a. Run the system lock condition command to configure the number of allowed login
attempts.
b. Run the system lock interval command to configure the lockout duration.
c. Run the system lock type command to configure the lock type, which can be user
name, IP address, or both user name and IP address.
3. Run the sysman console disable command to disable the serial port.
4. Configure the firewall for the management plane. You can use either of the following
methods to configure the firewall for the management plane on the device.
− Configure the allowed and prohibited IP address segments.
i. Run the sysman ip-access {ssh | telnet | snmp} command to configure the IP
address segments allowed to access the device in SSH, telnet, and SNMP
modes.
ii. Run the sysman ip-refuse {ssh | telnet | snmp} command to configure the IP
address segments prohibited to access the device in SSH, telnet, or SNMP
mode.
iii. Run the sysman firewall {ssh | telnet | snmp} enable command to enable the
SSH, telnet, and SNMP firewalls.
− Bind an ACL rule.
i. Run the telnet server acl command to bind an ACL rule to the Telnet
protocol.
ii. Run the ssh server acl command to bind an ACL rule to the SSH protocol.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 69
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
3.2.1.2.1 Telnet Login
Attack Behavior
Using Telnet, operators can remotely perform routine maintenance on devices without going
onsite.
Telnet are classified into outband Telnet and inband Telnet.
Outband telnet
The port used for outband telnet is the only Ethernet port (RJ45) on the front panel of the
control board. After configuring the IP address and related routes of this port, users can
log in to the device through telnet for related operations, maintenance, and management.
Inband telnet
The port used for inband telnet is the VLAN Layer 3 interface inside the device. The
device supports a maximum of 32 interface IP addresses. These IP addresses must be in
different subnets.
When remote telnet is used, it is advised that you configure allowed and prohibited IP address
segments to prevent users with unauthorized IP addresses from logging in.
Telnet is an insecure protocol. It may expose the device to a hacker, making the device
insecure. An attacker can damage the device even without cracking the user name and
password.
Security Policy
Telnet is an insecure protocol and is disabled by default in V100R019C1x and later
versions. If a device is upgraded from an earlier version, Telnet may be enabled
(depending on whether Telnet is enabled before the upgrade). You are advised to disable
Telnet.
The SSH mode is recommended.
Procedure
Step 1 Run the display sysman service state command to check whether the Telnet service is
enabled.
Step 2 Run the sysman service telnet disable command to disable the Telnet service.
----End
3.2.1.2.2 SSH Login
Attack Behavior
Brute force password cracking
After listening to the SSH port, an attacker attempts to connect to the SSH port and
perform brute force cracking to pass authentication and obtain access rights.
Denial of service attack
An SSH server supports a limited number of users. When the number of users reaches
the upper limit, other users cannot log in to the SSH server. This problem may be caused
by normal use or attacks.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 70
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Security Policy
To defend against the preceding attacks, configure the following security policies on the
device:
If you log in to the system in SSH mode, the SSHv2 mode is used by default. SSHv1 has
security vulnerabilities and is disabled by default. You are not advised to use SSHv1.
SSH user authentication supports seven authentication modes: user password
authentication (password), RSA public key authentication (rsa), user password and RSA
public key authentication (password-publickey), and X509V3-RSA certificate
authentication (x509v3-rsa), user password and X509V3-RSA certificate authentication
(password-x509v3-rsa), ED25519 authentication (ed25519), and user password and
ED25519 authentication (password-ed25519). To ensure better security, you are advised
to use password-publickey or password-ed25519 as the authentication mode for SSH
users.
The key pair used by the SSH service can be created and updated. It is recommended
that the RSA key length be 3072 ( in V100R020C00 and later versions).
The device supports the query of configured local RSA and ED25519 public keys. To
prevent the login to a forged device from a client, log in to the device using a reliable
method (for example, using a local serial port) during site deployment, query the local
RSA and ED25519 public keys of the device, and save the public keys in the database of
the client. In this way, when logging in to the device from a client, you can use the public
keys to authenticate this device.
The local serial port login mode can be used only at the near end of a device and supports user
name+password authentication. The serial port of a device is enabled by default and is usually
used during device deployment. If the serial port is enabled for a long time, security risks
exist. You are advised to run the sysman console disable command to disable the serial port
unless the port needs to be used. The SSH mode is recommended.
SSH supports multiple encryption, message verification, and key exchange algorithms.
The system preferentially selects a secure algorithm. Insecure algorithms are disabled by
default. The insecure algorithms listed in Table 3-4 have security risks. Exercise caution
when using them. You are advised to use a more secure encryption algorithm.
Table 3-4 Insecure SSH algorithms
Algorithm Type Algorithm Name
Host key algorithm rsa
x509v3-ssh-rsa
Encryption algorithm 3des_cbc
aes128_cbc
aes192_cbc
aes256_cbc
arcfour128
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 71
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Algorithm Type Algorithm Name
arcfour256
blowfish_cbc
Integrity protection md5
algorithm
md5_96
sha1
sha1_96
sha2_256_96
Key exchange algorithm dh_group1_sha1
dh_group14_sha1
dh_group_exchange_sha1
ecdh_sha2_nistp256
ecdh_sha2_nistp384
ecdh_sha2_nistp521
The SSH service is bound to the METH interface by default in V100R020C00 and later
versions.
Procedure
Step 1 Run the ssh server cipher, ssh server hmac, and ssh server key-exchange commands to
configure the encryption algorithm, message verification algorithm, and key exchange
algorithm used by the SSH server.
3des_cbc, aes128_cbc, aes192_cbc, aes256_cbc, arcfour128, arcfour256, blowfish_cbc, sha1,
md5, md5_96, sha1_96, sha2_256_96, dh_group14_sha1, dh_group1_sha1,
dh_group_exchange_sha1, ecdh-sha2-nistp256, ecdh-sha2-nistp384, and ecdh-sha2-nistp521
are insecure encryption algorithms. You are advised to use more secure encryption algorithms,
such as aes128_ctr, aes192_ctr, aes256_ctr, aes128_gcm, aes256_gcm, chacha20_poly1305,
sha2_256, sha2_512, sm2_kep, sm3, sm4_cbc, dh_group_exchange_sha256, and
curve25519_sha256.
Step 2 Run the ssh client cipher, ssh client hmac, and ssh client key-exchange commands to
configure the encryption algorithm, message verification algorithm, and key exchange
algorithm used by an SSH client.
Step 3 Run the ssh client key-exchange sftp command to configure the key exchange algorithm
used by the SSH SFTP client.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 72
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Step 4 Run the ssh server dh-exchange min-len command to set the minimum modulus for the
DH-GROUP-EXCHANGE algorithm to 3072.
Step 5 Run the ssh user username authentication-type command to configure the user
authentication mode.
Step 6 Run the ssh server rekey-interval command to configure the SSH key update interval.
Step 7 Run the rsa local-key-pair create command to configure a key pair for the SSH service.
----End
3.2.1.3 SNMP Management Device Security
Context
The Simple Network Management Protocol (SNMP) is a network management protocol that
is widely used in the TCP/IP network. It provides a means of managing network resources
using a central computer (network management workstation) that runs the network
management software.
Network management involves the following elements:
Managed nodes: monitored devices
Agent: software used to display the status of managed devices
Workstation: a core device used to communicate with agents about managed objects and
display the status of these agents
Network management protocol: a protocol used by network management workstations
and agents to exchange information, such as SNMP
Figure 3-1 shows a typical SNMP management system in which the network management
station functions as the management center of the entire network and runs various
management processes. Each managed object must have an agent process. Management
processes and agent processes use User Datagram Protocol (UDP) to transmit SNMP
messages for communication.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 73
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Figure 3-1 Typical SNMP configuration
The system supports SNMPv1/v2c/v3 for device management.
SNMPv1 and SNMPv2c have security risks due to protocol limitations. SNMPv3 is
recommended.
Attack Behavior
Common SNMP attacks are as follows:
An attacker changes the source IP address of a packet to obtain the rights of an
authorized user and perform unauthorized management operations.
An attacker intercepts the communication between the management station and SNMP
agents to obtain information, such as user names, passwords, and community names,
therefore gaining unauthorized rights.
An attacker intercepts, reorders, delays, or retransmits SNMP messages to affect normal
operations and obtain authorized operation rights.
Security Policy
SNMPv3 is recommended for device management. SNMPv3 supports the user-based
security model (USM) and authenticates and encrypts communication data to prevent
security issues such as message masquerading, tampering, and leakage.
SNMPv3 sets user security levels based on user groups. It supports the following
security levels: both authentication and encryption, authentication but no encryption, and
neither authentication nor encryption. You are advised to use the security level of both
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 74
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
authentication and encryption. In addition, configure authentication and encryption
passwords that meet complexity requirements.
− The system supports the MD5/SHA authentication algorithms and
DES56/3DES168/AES128/AES192/AES256 encryption algorithms in versions
earlier than V100R020C00.
− The system supports the SHA2-512/SHA2-384/SHA2-256/SHA2-224/MD5/SHA
authentication algorithms and the DES56/3DES168/AES128/AES192/AES256
encryption algorithms in V100R020C00 and later versions. You are advised to use
the SHA2 authentication algorithm and AES256 encryption algorithm.
To prevent unauthorized users from operating the system, change the password to a
password that meets complexity requirements after the first successful login. You are
advised to change the password periodically.
MD5 and SHA are insecure authentication algorithms. Exercise caution when using them.
SHA is more secure than MD5.
DES56 and 3DES168 are insecure encryption algorithms. Exercise caution when using
them.
The system supports firewall for SNMP packets. To prevent SNMP packets with
unauthorized addresses from accessing the system, configure the firewall for SNMP
packets. Then, only SNMP packets with authorized IP addresses can access the system.
Table 3-5 Security of each SNMP version
Protocol User Verification Encryption Authentication
Version
v1 No. Uses a community name. No No
v2 No. Uses a community name. No No
v3 Yes. Uses encryption and Yes Yes
decryption based on the user
name.
Procedure
Step 1 Run the snmp-agent sys-info version v3 command to enable SNMPv3.
Step 2 Run the snmp-agent group v3 groupname privacy command to set the security level of the
SNMPv3 group to authentication and encryption.
Step 3 Run the snmp-agent usm-user v3 command to configure the authentication and encryption
passwords for an SNMPv3 user.
Step 4 Configure the SNMP firewall. You can use either of the following methods to configure the
SNMP firewall on the device.
Configure the allowed and prohibited IP address segments.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 75
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
a. Run the sysman ip-access snmp command to configure the IP address segments
allowed to access the device through SNMP.
b. Run the sysman ip-refuse snmp command to configure the IP address segments
prohibited to access the device through SNMP.
c. Run the sysman firewall snmp enable command to enable the SNMP firewall.
Run the snmp-agent acl command to bind an ACL rule to the SNMP protocol.
----End
3.2.1.4 Service Port Management Security
Attack Behavior
A hacker can use service ports to attack networked devices.
Security Policy
Telnet, Telnetv6, and FTP have security risks due to protocol limitations. You are advised to
use SSH and SFTP.
Access devices support multiple management protocols, and many service ports are enabled
in the system. You are advised to disable unnecessary service ports based on service
requirements to enhance system security.
Table 3-6 Default settings of service ports
Service Description Default Setting
telnet Telnet service port Versions earlier than V100R019C10:
enabled
V100R019C10 and later versions:
disabled
dhcp-relay DHCP relay service Versions earlier than V100R020C00:
port enabled
V100R020C00 and later versions:
disabled
dhcpv6-relay DHCPv6 relay Versions earlier than V100R020C00:
service port enabled
V100R020C00 and later versions:
disabled
ntp NTP service port Enabled
ntp6 NTP IPv6 service Disabled
port
snmp SNMP service port Enabled
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 76
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Service Description Default Setting
ftp-client FTP client service ----: The current network service is not
port available, and no port or status information
is displayed.
sftp-client SFTP client service ----: The current network service is not
port available, and no port or status information
is displayed.
ipdr IPDR service port Enabled
twamp TWAMP service Enabled
port
ssh SSH service port Enabled
radius RADIUS service Enabled (By default, the port number is
port ----, that is, no port is allocated.)
trace Trace service port Disabled
netconf NETCONF service Disabled
port
telnetv6 Telnet IPv6 service Disabled
port
snmpv6 SNMP IPv6 service Disabled
port
sshv6 SSH IPv6 service Disabled
port
web-proxy Web-proxy service Disabled
portal Portal service port Disabled
(Added in
V100R021C00)
Procedure
Step 1 Run the display sysman service state command to query the status of the service ports of the
device.
Step 2 Run the sysman service command to disable unnecessary service ports based on service
requirements.
----End
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 77
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
3.2.1.5 Server Protocol Source Interface and Source IP Address
Management
Attack Behavior
Services on different planes must be isolated from each other. Each system service must be
listened on at a specific IP address. If a system service is listened on at an unnecessary IP
address, attackers may use this IP address to attack the system service.
Security Policy
Access devices support multiple server protocols. Each server protocol requires a specific
local IP address to receive packets. You are advised to specify a local IP address for each
server protocol based on service requirements and network planning.
For the IPv4 protocol, you need to bind a Layer 3 interface to it. The system uses the
primary IP address of the Layer 3 interface as the local source IP address of the server
protocol. An IPv6 address can be directly bound to the IPv6 protocol. If no source
interface or source IP address is bound, the system does not enable the corresponding
service.
Telnet has security risks due to protocol limitations. You are advised to use SSH.
The following table lists the server protocols that need to be bound with source interfaces or
source IP addresses.
Table 3-7 Server protocols that need to be bound with source interfaces or source IP addresses
Service Description Source Interface or
Source IP Address Type
ancp-proxy ANCP-proxy service IPv4
ipdr IPDR service IPv4
netconf NETCONF service IPv4 or IPv6
snmp SNMP service IPv4 or IPv6
ssh SSH service IPv4 or IPv6
telnet Telnet service IPv4 or IPv6
trace Trace service IPv4
twamp TWAMP service IPv4
web-proxy Web proxy service IPv4 or IPv6
portal Portal service IPv4
(Added in V100R021C00)
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 78
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Procedure
Run the sysman server source command to bind a source interface or source IP address to a
server protocol.
3.2.2 Control Plane
3.2.2.1 Configuring a Firewall
Attack Behavior
Common Internet security threats can be classified as follows:
Unauthorized use of resources: Resources are used by unauthorized users or in an
unauthorized mode. For example, attackers gain access to a computer system and use
resources by guessing a user account and password combination.
DoS: Attackers exploit vulnerabilities of network protocol implementation to initiate
attacks or maliciously exhaust resources of the attacked object. A DoS attack is an
attempt to stop the target object from providing services or resources. For example,
attackers send a large number of data packets or deformed packets to a server to request
for connections or replies, overloading the server so much that it cannot execute
scheduled tasks.
Data tampering: Attackers modify, delete, delay, or realign system data or message flows,
or insert fake messages to compromise data consistency.
Information theft: Attackers do not invade the target system, but sniff it to steal important
data or information.
Security Policy
A firewall monitors data flows and admits authorized data flows to an access device. Firewalls
defend internal networks against unauthorized or unauthenticated access and attacks initiated
from external networks. The access network supports four firewall filtering technologies.
Table 3-8 Supported firewall technologies
Solution Function Feature
Firewall blacklist A firewall blacklist filters Matching source IP
data packets by source IP addresses against a blacklist
address. is simple, and packets can
be quickly filtered.
However, because data
packets are filtered by only
one rule, this process lacks
flexibility.
Access control list (ACL) An ACL-based packet Advantage: This technology
packet filtering firewall filtering firewall verifies supports more flexible
data packets at the network configurations and better
layer and forwards or denies filtering capabilities than the
them based on the security firewall blacklist.
policy. Disadvantages:
The packet filtering
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 79
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Solution Function Feature
performance deteriorates
sharply as the ACL
complexity increases.
The system does not
check the session status
or analyze any data, and
is vulnerable to IP
spoofing attacks.
Firewall blacklist + The combination of a Data packets are filtered
advanced ACL rules firewall blacklist and based on a firewall blacklist
advanced ACL rules enables and advanced ACL rules.
the system to further filter The filter rules can be
packets by advanced ACL flexibly configured.
rules.
Unauthorized user login The system prevents -
prevention unauthorized logins by
setting the IP address
segments permitted or
denied by the firewall for
specified protocol types.
If the firewall function is not configured, security risks exist. You are advised to configure a
firewall solution based on the requirements and characteristics of the actual scenario.
Procedure
Configure a firewall blacklist.
a. Manually add IP addresses to a firewall blacklist.
Run the firewall blacklist item command to add source IP addresses of untrusted
packets to the blacklist.
b. Enable the firewall blacklist function.
Run the firewall blacklist enable command to enable the firewall blacklist
function.
Users can specify the valid duration (aging time) of an IP address in the firewall blacklist. When the
duration expires, the IP address is removed from the blacklist. If users do not specify the aging time,
the IP address is permanently included in the blacklist unless manually deleted.
A blacklist entry added to a blacklist takes effect only after the firewall blacklist function is enabled.
Configure the firewall blacklist + advanced ACL rules.
a. Manually add IP addresses to a firewall blacklist. Run the firewall blacklist item
command to add source IP addresses of untrusted packets to the blacklist.
b. Configure advanced ACL rules for filtering data packets that carry the source IP
addresses specified in the blacklist.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 80
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
i. Run the acl command to create an ACL. Only advanced ACL rules can be
applied with the firewall blacklist function, so the ACL rule IDs range from
3000 to 3999.
ii. Run the acl(adv acl) command to create an advanced ACL rule.
iii. Run the quit command to return to the global config mode.
c. Enable the firewall blacklist function. Run the firewall blacklist enable
acl-number command to enable the firewall black list function and apply the ACL
rule to packets sent by users in the black list.
Configure the ACL packet filtering firewall.
a. Run the acl command to create an ACL. Only basic ACLs and advanced ACLs can
be used when packet filtering by firewall is configured, so ACL IDs range from
2000 to 3999.
b. You need to run different rule commands to create different ACLs.
Run the acl(basic acl) command to create a basic ACL rule.
Run the acl(adv acl) command to create an advanced ACL rule.
c. Run the quit command to return to the global config mode.
d. To configure the firewall filtering rule for the METH interface, run the interface
meth command to enter the MEth mode. To configure the firewall filtering rule for
the VLAN interface, run the interface vlanif command to enter the VLANIF mode.
e. Run the firewall packet-filter command to apply the firewall packet filtering rule
to the interface.
When you run the firewall packet-filter command to activate an ACL, the software determines the
execution priority of the sub-rules in the same ACL. The earlier a sub-rule is configured, the higher the
priority is.
f. Run the firewall default command to configure the packet filtering rule when no
ACL rule is matched.
g. Run the firewall enable command to enable the firewall function. By default, the
firewall function is disabled.
To filter data packets on a port based on ACL rules, the firewall function must be
enabled.
Prevent unauthorized users from logging in (configuring the allowed or denied
address segment).
− The system supports the firewall function for the management channel. To prevent
management terminals with invalid IP addresses from logging in to the system,
configure the firewall function for the management channel. Only management
terminals with valid IP addresses are permitted to log in to the system.
− The system supports the firewall function for SNMP packets. To prevent SNMP
packets with invalid IP addresses from accessing the system, configure the firewall
function for SNMP packets. The system only receives SNMP packets with valid IP
addresses.
You are advised to log in to the system in SSH mode.
SNMPv1 and SNMPv2 have security risks due to protocol limitations. You are advised to use
SNMPv3.
a. Configure the IPv4/IPv6 address segment that is permitted to access the device.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 81
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Run the sysman ip-access command to configure the IPv4/IPv6 address segment
that is allowed to access the device in the Telnet, SSH, or SNMP mode.
b. Configure the IPv4/IPv6 address segment that is refused to access the device.
Run the sysman ip-refuse command to configure the IPv4/IPv6 address segment
that is refused to access the device in the Telnet, SSH, or SNMP mode.
c. Enable the firewall function.
Run the sysman firewall command to enable the firewall function for the Telnet,
SSH, and SNMP protocols. By default, the protocol-based firewall is disabled.
----End
Example
To add IP address 192.168.10.18 to the firewall blacklist, and set the aging time to 100
minutes, do as follows:
huawei(config)#firewall blacklist item 192.168.10.18 timeout 100
To create an advanced ACL rule to allow packets from network segment 10.10.10.0 to pass
through and enable the blacklist function to prevent access from unauthorized users, do as
follows:
huawei(config)#acl 3000
huawei(config-acl-adv-3000)#rule permit ip source 10.10.10.0 0.0.0.255 destination
10.10.10.20 0
huawei(config-acl-adv-3000)#quit
huawei(config)#firewall blacklist enable acl-number 3000
To prevent the users in network segment 10.16.25.0 from accessing the VLAN 10 interface of
the device with the IP address of 10.16.25.28, do as follows:
huawei(config)#acl 3001
huawei(config-acl-adv-3001)#rule 5 deny icmp source 10.16.25.0 0.0.0.255 destination
10.16.25.28 0
huawei(config-acl-adv-3001)#quit
huawei(config)#firewall enable
huawei(config)#vlan 10
huawei(config)#interface vlanif 10
huawei(config-if-vlanif10)#firewall packet-filter 3001 inbound
ACL applied successfully
To enable the SNMP protocol firewall and allow refuse users in the IP address segment of
10.10.20.1 to 10.10.20.254 to access the device from the NMS, do as follows:
huawei(config)#sysman ip-refuse snmp 10.10.20.1 10.10.20.254
huawei(config)#sysman firewall snmp enable
3.2.2.2 Configuring Service and Management Isolation
Attack Behavior
Due to the diversity of application scenarios, the MA5800 provides configuration methods to
allow users to log in to and manage the device through service ports. Improper configurations
can make device vulnerable to attacks. For example:
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 82
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
If the management port and service port are configured in the same VLAN, the
management plane and service plane can communicate with each other at Layer 2.
If the management port and service port are not in the same VLAN, the management
plane and service plane can communicate with each other through Layer 3 routes.
An attacker may attempt to attack the management plane through service ports.
Security Policy
The control plane, end-user plane, and management plane can be isolated to protect the
management plane against external attacks.
The device supports the outband and inband network management solutions. In outband
network management, a dedicated network management channel is used to manage the device.
In this way, network management data and service data are separated so that the management
network is not affected when the service network is faulty or when attacks are initiated from
the service network.
Procedure
Configuring triple-plane isolation (outband network management)
a. Configure the maintenance network port.
Set the IP address of the local maintenance Ethernet port (outband network
management port) of the device to 10.50.1.10/24.
The default IP address of the system maintenance network port (ETH port on the control
board) is 10.11.104.2 and the subnet mask is 255.255.255.0. After logging in to the system,
run the ip address command to change the IP address.
huawei(config)#interface meth 0
huawei(config-if-meth0)#ip address 10.50.1.10 255.255.255.0
huawei(config-if-meth0)#quit
Configuring triple-plane isolation (Internet-based inband network management)
a. Create a VLANIF interface and enter the VLANIF mode.
If VLAN 2 has been created, create a second VLANIF interface for VLAN 2 and
enter the VLANIF mode.
huawei(config)#interface vlanif
{ <1-4093> }:2
huawei(config-if-vlanif2)#
b. Set the IP address of the inband network management port.
Set the IP address of the inband network management port to 10.50.1.11/24.
huawei(config-if-vlanif2)#ip address 10.50.1.11 255.255.255.0
c. Configure the firewall.
Create an ACL3000 and enable the firewall.
huawei(config)#acl 3000
huawei(config-acl-adv-3000)#rule deny tcp destination-port eq 23 //
Disable TELNET packets.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 83
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
huawei(config-acl-adv-3000)#rule deny tcp destination-port eq 22 //
Disable SSH packets.
huawei(config-acl-adv-3000)#rule deny udp destination-port eq 161 //
Disable SNMP packets.
huawei(config-acl-adv-3000)#quit
huawei(config)#firewall enable
d. Configure firewall packet filtering rules for the service VLANIF interface.
Firewall packet filtering rules must be configured for all service VLANIF interfaces.
Configure firewall packet filtering rules for the VLANIF interface of service VLAN
10.
huawei(config)#interface vlanif 10
huawei(config-if-vlanif10)#firewall packet-filter 3000 inbound
----End
3.2.3 End-user Plane
3.2.3.1 Configuring Anti-DoS Protection
Attack Behavior
A denial of service (DoS) attack is initiated by malicious users using a large number of
protocol packets. When hit by a DoS attack, the system cannot process service requests from
normal users.
Security Policy
You can configure the anti-DoS protection feature and processing policies for protocol
packets to prevent malicious users from sending a large number of protocol packets to attack
the system.
Procedure
Step 1 Configure the anti-DoS attack blacklist function.
Run the security anti-dos enable command to configure an anti-DoS attack blacklist.
Step 2 Configure a policy for processing protocol packets when a DoS attack occurs.
Run the security anti-dos control-packet policy command to configure the policy for
processing protocol packets when a DoS attack occurs.
An anti-DoS attack policy takes effect only after the security anti-dos enable command is
executed globally.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 84
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Step 3 Set the rate threshold for sending protocol packets to the CPU.
Run the security anti-dos control-packet rate command to set the rate threshold for sending
protocol packets to the CPU.
----End
3.2.3.2 Preventing MAC Address Flapping
Attack Behavior
MAC addresses may flap and become unstable when a loop occurs on the network or when a
hacker attacks the network.
Security Policy
To prevent malicious users from forging the MAC addresses of other users or upper-layer
network devices, the access network device supports the anti-MAC-duplicate feature.
When the anti-MAC-duplicate function is enabled on the device, the device checks whether
the MAC address exists in the MAC address table after receiving a packet with a certain
source MAC address from port A. If the MAC address corresponds to port B in the MAC
address table, the device determines whether to allow the MAC address to flap from port B to
port A according to the control board, service board, and port type. If MAC address flapping
is prohibited, the device discards the packets with the source MAC address received from port
A before the MAC address ages.
Procedure
Step 1 Run the security anti-macduplicate command to enable the anti-MAC-duplicate function.
Step 2 Run the security anti-macduplicate vlan command to enable the anti-MAC-duplicate
function at the VLAN level.
Step 3 Run the display security config command to query the global configuration result.
Step 4 Run the display vlan-feature command to query the configurations of the VLAN-based
functions and features.
----End
Example
In the following example, information irrelevant to the configuration task is omitted in the display
security config command output. For the complete command output, see the command reference.
To enable the anti-MAC-duplicate function of the device, do as follows:
huawei(config)#security anti-macduplicate enable
huawei(config)#display security config
Anti-macduplicate function : enable
Ton disable MAC anti-duplication for VLAN 10, do as follows:
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 85
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
huawei(config)#security anti-macduplicate vlan
{ vlanid<U><1,4093> }:10
{ disable<K>|enable<K> }:disable
Command:
security anti-macduplicate vlan 10 disable
To query the configuration of the functional features of VLAN 10, do as follows:
huawei(config)#display vlan-feature 10
-----------------------------------------------------------------------------
VLAN Anti-macspoofing PPPoE MAC mode PPPoA MAC mode Anti-macduplicate
-----------------------------------------------------------------------------
10 disable multi-MAC multi-MAC disable
-----------------------------------------------------------------------------
Reference Principles
MAC anti-duplication is related to the MAC address learning priority of a port, as shown in
the following table.
Table 3-9 MAC address learning priority of user-side ports lower than that of network-side ports
MAC Address Duplication Type Enabling MAC Disabling MAC
Anti-Duplication Anti-Duplication
The MAC address learned by a Prohibited Permitted
user-side port is duplicated to another
user-side port.
The MAC address learned by a Permitted Permitted
user-side port is duplicated to a
network-side port.
The MAC address learned by a Prohibited Prohibited
network-side port is duplicated to a
user-side port.
The MAC address learned by a Permitted Permitted
network-side port is duplicated to
another network-side port.
Table 3-10 MAC address learning priority of user-side ports higher than that of network-side ports
MAC Address Duplication Type Enabling MAC Disabling MAC
Anti-Duplication Anti-Duplication
The MAC address learned by a Prohibited Permitted
user-side port is duplicated to another
user-side port.
The MAC address learned by a Prohibited Prohibited
user-side port is duplicated to a
network-side port.
The MAC address learned by a Permitted Permitted
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 86
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
MAC Address Duplication Type Enabling MAC Disabling MAC
Anti-Duplication Anti-Duplication
network-side port is duplicated to a
user-side port.
The MAC address learned by a Permitted Permitted
network-side port is duplicated to
another network-side port.
Table 3-11 MAC address learning priority of user-side ports same as that of network-side ports
MAC Address Duplication Type Enabling MAC Disabling MAC
Anti-Duplication Anti-Duplication
The MAC address learned by a Prohibited Permitted
user-side port is duplicated to another
user-side port.
The MAC address learned by a Permitted Permitted
user-side port is duplicated to a
network-side port.
The MAC address learned by a Prohibited Permitted
network-side port is duplicated to a
user-side port.
The MAC address learned by a Permitted Permitted
network-side port is duplicated to
another network-side port.
3.2.3.3 GPON Channel Encryption
Attack Behavior
GPON uses the P2MP protocol. If the transmission encryption function is not enabled,
eavesdropping may occur.
Security Policy
In compliance with the ITU-T standard, encryption is provided for data channels in the GPON
downstream direction, and XG/XGS PON upstream and downstream directions.
The OMCC encryption function is enabled by default when a line profile is added, and
the encryption function is enabled by default when a GEM port is added in V100R20C00
and later versions.
OMCC encryption and GEM port encryption are disabled by default . You are advised to
enable them manually.
Procedure
Profile mode
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 87
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Run the gem add command to configure the encryption function for a specified GEM
index. When the encryption function is enabled, the device encrypts the service flow
carried on a GEM port. In this way, the security of the user data is enhanced.
Run the omcc encrypt command to configure the status of the ONT OMCC encryption
switch. When OMCC encryption is enabled, OMCC packets are encrypted; otherwise,
OMCC packets are not encrypted.
Discrete mode
Run the gemport add(distributing-mode) command to configure the encryption switch
for a GEM port. When the encryption function is enabled, the device encrypts the service
flow carried on a GEM port. In this way, the security of the user data is enhanced.
Run the ont omcc encrypt(distributing-mode) command to configure the status of the
ONT OMCC encryption switch. When the OMCC encryption function is enabled, the
ONT OMCC channel is encrypted.
3.2.3.4 Configuring Intrusion Detection
Context
This feature is supported in V100R021C10 and later versions.
Intrusion detection at the physical layer and network layer is added to V100R022C00 and later
versions.
Intrusion detection is one of the key technologies for system security defense. It is used to
proactively detect potential or existing anomalies or attacks in the system in a timely manner
and make correct responses to reduce system security risks.
Attack Behavior
During system running, the operation and maintenance (OM) layer and operating system (OS)
layer may be attacked by system intrusion.
Security Policy
After detecting an abnormal behavior, the device generates a security event or security log
and reports it to NCE. NCE analyzes the information reported by the NE and checks whether
an intrusion behavior occurs based on rules. If an intrusion behavior occurs, NCE triggers the
abnormal response processing.
The system supports intrusion detection at the OM layer, OS layer, physical layer, and
network layer. Detection in various scenarios can be controlled by switches. By default, this
function is disabled. You are advised to enable the intrusion detection function so that the
system can report detected abnormal behavior to the NMS in a timely manner to reduce
system security risks.
The system supports detection in the following scenarios at the OM layer:
− Brute force cracking of user accounts and passwords
− Illegal login
− Unauthorized account creation
− Unauthorized password change
− Illegal password change
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 88
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
− Unauthorized account activation
− Unauthorized account deletion
The system supports detection in the following scenarios at the OS layer:
− File privilege escalation
− Unauthorized user login
− Key file tampering
− Abnormal shell connection
− Rootkit attack
− Key processes abnormal exit
− Unauthorized process privilege escalation
− Kernel rootkit attack
− Malicious code implantation attack
− Unauthorized MAC access
− Control flow hijacking
− Illegal KO loading
The system supports detection in the following scenarios at the physical layer:
− Rogue ONU check and detection
The system supports detection in the following scenarios at the network layer:
− DoS attack detection on a GPON port
− IPv4 spoofing detection on a GPON port
− IPv6 spoofing detection on a GPON port
− MAC spoofing detection
− Illegal ARP detection
− ARP flapping detection
Procedure
Run the sysman security ssa command to enable intrusion detection in a specified scenario.
Exception Handling
The NMS analyzes the intrusion detection information reported by devices and detects
intrusion behaviors based on rules. If intrusion behavior occurs, the NMS triggers exception
response.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 89
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
3.3 (Optional) Level-2 Security Hardening Policies and
Configurations
3.3.1 Management Plane
3.3.1.1 Configuring the SSH Authentication Mode and Key
Attack Behavior
Brute force password cracking
After listening to the SSH port, an attacker attempts to connect to the SSH port and
perform brute force cracking to pass authentication and obtain access rights.
Denial of service attack
An SSH server supports a limited number of users. When the number of users reaches
the upper limit, other users cannot log in to the SSH server. This problem may be caused
by normal use or attacks.
Security Policy
SSH user authentication supports seven authentication modes: user password
authentication (password), RSA public key authentication (rsa), user password and RSA
public key authentication (password-publickey), and X509V3-RSA certificate
authentication (x509v3-rsa), user password and X509V3-RSA certificate authentication
(password-x509v3-rsa), ED25519 authentication (ed25519), and user password and
ED25519 authentication (password-ed25519). To ensure better security, you are advised
to use password-publickey or password-ed25519 as the authentication mode for SSH
users.
The device supports the query of configured local RSA or ED25519 public keys. To
prevent the login to a forged device from a client, log in to the device using a reliable
method (for example, using a local serial port) during site deployment, query the local
RSA or ED25519 public key of the device, and save the public key in the database of the
client. In this way, when logging in to the device from the client, you can use the public
key to authenticate this device.
Procedure
Step 1 Run the ssh user username authentication-type command to configure the user
authentication mode.
Step 2 Run the ssh server rekey-interval command to configure the interval for updating the SSH
key.
Step 3 Run the rsa local-key-pair create or ed25519 local-key-pair create command to create the
host key and service key required by the SSH service.
Step 4 Run the display rsa local-key-pair public or display ed25519 local-key-pair public
command to query a local RSA or ED25519 public key.
----End
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 90
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
3.3.1.2 Configuring the SFTP Server Authentication Function
Attack Behavior
The device supports file upload and download through SFTP. If an attacker forges the SFTP
server, the device may download a forged file or upload a file to a forged SFTP server.
Security Policy
SFTP supports two-way authentication. The device functions as an SFTP client and uses the
RSA public key of the SFTP server to authenticate the SFTP server.
Procedure
1. Run the rsa peer-public-key command to configure the RSA public key of the SFTP
server on the device.
2. Run the ssh sftp peer-public-key command to bind the IP address of the SFTP server
and the RSA public key.
3. Run the ssh sftp peer-public-key authentication enable command to enable SFTP
server authentication.
3.3.2 End-user Plane
3.3.2.1 Configuring Anti-MAC Spoofing
Attack Behavior
Malicious users attempt to interfere with normal network communication by forging their
source MAC addresses as the source MAC addresses of normal users or network devices.
Malicious users use MAC address spoofing to attack the device.
Security Policy
Anti-MAC spoofing is a common MAC address security measure when users dynamically
obtain IP addresses in PPPoE, DHCP, DHCPv6, or StateLess Address AutoConfiguration
(SLAAC) mode. The anti-MAC spoofing feature consists of dynamic source MAC address
binding and dynamic source MAC address filtering. Table 3-12 lists the applicable attack
scenarios. After the anti-MAC spoofing feature is enabled, the two functions are enabled at
the same time.
Table 3-12 Two functions of anti-MAC spoofing
Function Attack Scenario
Dynamic source MAC address Forging user MAC addresses
binding MAC address table depletion
Dynamic source MAC address Forging the MAC address of a network device
filtering
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 91
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Procedure
Step 1 Run the security anti-macspoofing enable command to enable the anti-MAC spoofing
function globally.
Step 2 Enable VLAN-level anti-MAC spoofing. Choose either of the following configuration modes:
Method 1: In global config mode, run the security anti-macspoofing vlan vlanid enable
command to enable VLAN-level anti-MAC spoofing.
Method 2: Configure the feature in a VLAN service profile:
a. Run the vlan service-profile command to create a VLAN service profile and enter
the VLAN service profile mode.
b. Run the security anti-macspoofing enable command to enable the VLAN-level
anti-MAC spoofing function.
c. Run the commit command to make the parameter settings in the VLAN service
profile take effect.
d. Run the quit command to quit the VLAN service profile mode.
e. Run the vlan bind service-profile command to bind the created VLAN service
profile to the VLAN.
When multiple parameters to be configured for a large number of VLANs have the same values,
configure these parameters in a VLAN service profile. Then bind the VLAN service profile to VLANs to
make VLAN configuration more efficient. Method 2 applies to this scenario.
Step 3 Run the security anti-macspoofing service-port service-portid enable command to enable
the anti-MAC-spoofing feature at the service port level.
Step 4 (Optional) Run the security anti-macspoofing max-mac-count command to configure the
maximum number of MAC addresses that can be bound to a service port.
Each service port can be bound with 8 MAC addresses by default. Perform this step when
fewer than 8 MAC addresses need to be bound.
Step 5 (Optional) Run the security anti-macspoofing exclude command to exclude a certain type of
packets (such as IGMP packets) from anti-MAC address spoofing check.
You can run the undo security anti-macspoofing exclude IGMP command to include
IGMP packets in anti-MAC address spoofing check. The device allows IGMP packets to
pass through only when the source MAC address of the IGMP packets is the same as the
bound MAC address.
After you run the security anti-macspoofing exclude IGMP command, the system does
not check the source MAC address of IGMP packets, and allows IGMP packets to pass
through regardless of whether the source MAC address of IGMP packets is the same as
the bound MAC address.
Step 6 (Optional) Enable power-off recovery of MAC address binding entries.
To allow users to automatically go online without re-dialing up after the device is powered off,
configure this function.
1. Run the security user auto-backup enable command to enable the auto-backup
function.
2. Run the file-server auto-backup udm command to configure the automatic backup
server.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 92
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
3. Run the security user auto-backup period command to configure the automatic backup
period.
4. Run the security user auto-load timeout command to configure the timeout parameters
for automatic downloading. The timeout parameters include the total timeout time and
the interval between each download attempt. If download is not finished before the
timeout time ends, the system stops data download.
Step 7 Query the configuration results. The following table lists the query commands related to
anti-MAC spoofing.
Queried Information Command
Global anti-MAC spoofing configuration display security config
MAC address filtering entries display security mac-filter
Dynamically bound MAC address display security bind mac
Maximum number of MAC addresses that display security anti-macspoofing
can be bound to a service port max-mac-count
VLAN service profile configurations display vlan service-profile
----End
Example
In the following example, information irrelevant to the configuration task is omitted in the display
security config command output. For the complete command output, see the command reference.
An FTTH user accesses the Internet in PPPoE dialup mode. Assume that the service port
index is 1 and the S-VLAN ID is 1000. To enable the anti-MAC spoofing function for the user
and retain the default maximum number of MAC addresses that can be bound to a service port,
do as follows:
huawei(config)#security anti-macspoofing enable
huawei(config)#security anti-macspoofing vlan 1000 enable
huawei(config)#security anti-macspoofing service-port 1 enable
huawei(config)#display security config
Anti-macspoofing function : enable
Packet unaffected by anti-macspoofing : IGMP
To disable the anti-MAC spoofing feature for service port 1 on a trusted network, do as
follows:
huawei(config)#security anti-macspoofing service-port 1 disable
An FTTH user accesses the Internet in DHCPv6 dialup mode. Assume that the service port
index is 2 and the S-VLAN ID is 1000. To enable the anti-MAC spoofing function for the user
and set the maximum number of MAC addresses that can be bound to a service port to 3, do
as follows:
huawei(config)#security anti-macspoofing enable
huawei(config)#security anti-macspoofing vlan 1000 enable
huawei(config)#security anti-macspoofing max-mac-count service-port 2 3
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 93
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
huawei(config)#display security config
Anti-macspoofing function : enable
Packet unaffected by anti-macspoofing : IGMP
An FTTH user accesses the Internet in DHCP mode. Assume that the service port indexes are
3, 4, and 5, and the S-VLAN IDs are 1000, 1001, and 1002 for the Internet access, voice, and
video services respectively. To enable the anti-MAC spoofing function for the user and set the
maximum number of MAC addresses that can be bound to a service port to 2, do as follows:
The video service adopts the multicast mode and does not require anti-MAC address spoofing
check on IGMP packets. That is, the system default setting is used for IGMP packets.
huawei(config)#security anti-macspoofing enable
huawei(config)#vlan service-profile profile-id 1
huawei(config-vlan-srvprof-1)#security anti-macspoofing enable
huawei(config-vlan-srvprof-1)#commit
huawei(config-vlan-srvprof-1)#quit
huawei(config)#vlan bind service-profile 1000-1002 profile-id 1
huawei(config)#security anti-macspoofing max-mac-count service-port 3 2
huawei(config)#security anti-macspoofing max-mac-count service-port 4 2
huawei(config)#security anti-macspoofing max-mac-count service-port 5 2
huawei(config)#display security config
Anti-macspoofing function : enable
Packet unaffected by anti-macspoofing : IGMP
Reference Principles
The access device automatically generates MAC address entries for users and servers by
monitoring the interaction process of PPPoE, DHCP, DHCPv6, and StateLess Address
AutoConfiguration (SLAAC) protocol packets, and then forwards or discards packets
received through user ports based on the MAC address entries. Figure 3-2 shows the
online/offline process of a DHCP user.
Figure 3-2 Online/Offline process of a DHCP user
1. When user A goes online, the access device monitors DHCP packets exchanged between
user A and the DHCP server to obtain the MAC address and IP address lease time of
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 94
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
user A. The system generates a dynamic MAC address binding entry with index 50 to
record the VLAN, MAC address, and service flow index (FlowID) of user A.
2. The access device learns the source MAC address (MAC S1) from the response packet
sent by the DHCP server, and adds a MAC address filtering entry for MAC S1.
3. After user A goes online, the access device checks the validity of the MAC address of
data packets sent by user A based on the dynamic MAC address binding entry. Only the
data packets whose MAC address is MAC U1 are allowed to pass through. The data
packets with other MAC addresses are discarded.
4. After detecting that user A goes offline, the access device deletes the dynamic MAC
address binding entry of user A.
After MAC anti-spoofing is enabled, the access device will modify the exchange
identification (XID) of the DHCP packet sent by the user, so that the XID of the DHCP packet
sent by the DHCP client is different from that of the DHCP packet received by the DHCP
server. The DHCP server generally does not check XID values. Therefore, the XID value
change does not affect services. If an operator adds information into the XID of the packet
sent by a DHCP client for DHCP server verification (this is not defined in the standard), the
verification may fail and services will be affected.
XID in a DHCP packet functions as the number of the packet.
The MAC anti-spoofing feature monitors the interaction process of PPPoE, DHCP, DHCPv6,
and SLAAC packets to generate dynamic MAC address binding entries. For PPPoE, DHCP,
DHCPv6, and SLAAC users who have dialed up before the MAC anti-spoofing feature is
enabled, services will be immediately interrupted after this feature is enabled because these
users have no dynamic MAC address binding entries. To restore services, these users must
re-dial up or renew the lease so that the MAC anti-spoofing feature can generate dynamic
MAC address binding entries for them.
3.3.2.2 Configuring Static MAC Address Binding
Attack Behavior
Malicious users attempt to interfere with normal network communication by forging their
source MAC addresses as the source MAC addresses of normal users or network devices.
Malicious users use MAC address spoofing to attack the device.
Security Policy
When the IP address of a user is manually configured rather than dynamically obtained, static
MAC address binding is the most commonly used method to prevent the spoofing of the
user-side MAC address. After a static MAC address is bound to a service port, a user's MAC
address can be protected against forgery, and the user can be prevented from forging the MAC
addresses of other users or upper-layer devices.
Procedure
Step 1 Run the mac-address static command to configure the static MAC address to be bound.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 95
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Step 2 Run the mac-address max-mac-count command to set the maximum number of dynamic
MAC addresses to 0.
Step 3 Query the configuration results. The following table lists the query commands related to static
MAC address binding.
Queried Information Command
MAC address table of the device, including display mac-address
all static MAC addresses and the source
MAC addresses of service ports
Maximum number of dynamic MAC display mac-address max-mac-count
addresses that can be learned by a service
port
----End
Example
Assume that the service port index of an enterprise private line user is 100 and the source
MAC address is 00e0-fc00-1010. To bind the static MAC address 00e0-fc00-1010 to the
service port, do as follows:
huawei(config)#mac-address static service-port 100 00e0-fc00-1010
huawei(config)#mac-address max-mac-count service-port 100 0
huawei(config)#display mac-address service-port 100
Command:
display mac-address service-port 100
It will take some time, please wait...
-----------------------------------------------------------------------
SRV-P BUNDLE TYPE MAC MAC TYPE F /S /P VPI VCI VLAN ID
INDEX INDEX
-----------------------------------------------------------------------
100 - eth 00e0-fc00-1010 static - - 110
-----------------------------------------------------------------------
Total: 1
Note: F--Frame, S--Slot, P--Port, F/S/P indicates PW Index for PW,
A--The MAC address is learned or configured on the aggregation port,
VPI indicates ONT ID for PON, VCI indicates GEM index for GPON,
v/e--vlan/encap, pritag--priority-tagged,
ppp--pppoe, ip--ipoe, ip4--ipv4oe, ip6--ipv6oe,
F/S/P indicates VNI Index for VNI,
VPI/VCI indicates tunnel index(HEX) for VNI,
VLAN ID indicates BD ID for VNI or VAP
huawei(config)#display mac-address max-mac-count service-port 100
Command:
display mac-address max-mac-count service-port 100
--------------------------------------------------------------------------
SRV-P TYPE F /S /P VPI VCI VLAN ID FLOWTYPE FLOWPARA LEARNABLE
INDEX MAC NUMBER
--------------------------------------------------------------------------
100 eth - - 110 vlan 100 0
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 96
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
--------------------------------------------------------------------------
Total: 1
Note: F--Frame, S--Slot, P--Port,
A--The MAC address is learned or configured on the aggregation port,
VPI indicates ONT ID for PON, VCI indicates GEM index for GPON,
v/e--vlan/encap, pritag--priority-tagged,
ppp--pppoe, ip--ipoe, ip4--ipv4oe, ip6--ipv6oe
Reference Principles
After a static MAC address is bound to a service port, a user's MAC address can be protected
against forgery, and the user can be prevented from forging the MAC addresses of other users
or upper-layer devices. Figure 3-3 shows the principle of static MAC address binding.
Figure 3-3 Static MAC address binding
The port of user A is 0/2/1 and the service flow index (FlowID) is 100. The device configures
a static MAC address entry (MAC U1) for user A and sets the number of learnable dynamic
MAC addresses of user A to 0.
1. The packets with the source MAC address of MAC U1 sent by user A can pass through
the device.
2. The packets sent by user A using source MAC addresses other than MAC U1 are
discarded by the access device. In this manner, user A cannot forge the source MAC
addresses of other users or upper-layer devices. The principle is as follows: After the
number of learnable dynamic MAC addresses of a service port is set to 0, the service
port cannot learn dynamic MAC addresses and can only forward packets with the static
MAC address configured for the service port. If the packets sent by a user contain a
source MAC address (for example, the MAC address of the upper-layer device) that is
not configured for the service flow, the device discards the packets.
3. When user B sends packets with MAC address MAC U1, the device discards the packets
because the source MAC address is the same as the static MAC address of user A. This
prevents the source MAC address of user A from being forged by other malicious users.
The principle is as follows: A static MAC address takes priority over a dynamic MAC
address. If a MAC address is configured as a static MAC address for a port, the MAC
address will not be learned as a dynamic MAC address by other ports in the same
VLAN.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 97
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
3.3.2.3 Configuring Static MAC Address Filtering
Attack Behavior
Malicious users attempt to interfere with normal network communication by forging their
source MAC addresses as the source MAC addresses of normal users or network devices.
Malicious users use MAC address spoofing to attack the device.
Security Policy
To prevent users from forging the MAC addresses of the upper layer network devices on the
access network or some well-known MAC addresses, you can configure these MAC addresses
as the MAC addresses to be filtered. In this way, the packets with these source or destination
MAC addresses are prohibited from passing through the device.
Procedure
Configure static source MAC address filtering.
Run the security mac-filter source command to configure the source MAC addresses to
be filtered.
Configure static destination MAC address filtering.
Run the security mac-filter destination command to configure the destination MAC
addresses to be filtered.
Run the display security mac-filter command to query the MAC address filtering table.
----End
Example
Assume that the MAC address of an upper-layer device (for example, the BRAS) is
00e0-fc00-3020. To add this MAC address to the source MAC address filtering table of the
access device to prevent users from forging the source MAC address, do as follows:
huawei(config)#security mac-filter source 00e0-fc00-3020
huawei(config)#display security mac-filter
{ <cr>|destination<K>|dynamic<K>|source<K> }:
Command:
display security mac-filter
-------------------------------------------------------------------------
Index MAC-Address Type Filter-Mode VLAN
-------------------------------------------------------------------------
0 00e0-fc00-3020 static source -
-------------------------------------------------------------------------
Total: 1
Assume that the MAC address of a well-known website is 00e0-fc00-4020. To add this MAC
address to the destination MAC address filtering table of the access device to prevent users
from sending a large number of packets with the destination MAC address to attack the
website, do as follows:
huawei(config)#security mac-filter destination 00e0-fc00-4020
huawei(config)#display security mac-filter
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 98
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
{ <cr>|destination<K>|dynamic<K>|source<K> }:
Command:
display security mac-filter
-------------------------------------------------------------------------
Index MAC-Address Type Filter-Mode VLAN
-------------------------------------------------------------------------
0 00e0-fc00-3020 static source -
1 00e0-fc00-4020 static destination -
-------------------------------------------------------------------------
Total: 2
Reference Principles
Static Source MAC Address Filtering
By manually adding the MAC address of an upper-layer device as a static source MAC
address filtering entry to the access device, you can prevent the MAC address of the
upper-layer device from being used by a user to send packets, thus preventing malicious users
from forging the MAC address of the upper-layer device. When the IP address of a user is
manually configured rather than dynamically obtained, the most common method of
preventing MAC address spoofing is static source MAC address filtering.
The basic principle of source MAC address filtering is as follows: A source MAC address
filtering entry is created on the device to discard all the packets whose source MAC addresses
are the same as the entry. Static source MAC address filtering is to manually add the source
MAC address of an upper-layer device as a source MAC address filtering entry.
You can also configure static MAC addresses for upstream ports to prevent MAC address
spoofing. Compared with configuring static MAC addresses for upstream ports, configuring
static source MAC address filtering has the following advantages and disadvantages:
Compared with a static MAC address for an upstream port, the static source MAC
address filtering mode cannot specify the corresponding service flow and port, which has
advantages as well as disadvantages.
− Advantage: The mapping between the upper-layer devices and upstream ports does
not need to be known before configuration, which reduces the configuration
workload. After the configuration is complete, the mapping between the upper-layer
devices and upstream ports can be changed.
− Disadvantage: Static source MAC address filtering can only prevent users from
using the MAC address of an upper-layer device as the source MAC address for
sending packets. However, an upper-layer device of an upstream port can use the
MAC address of the upper-layer device of another upstream port as the source
MAC address for sending packets. Therefore, the protection is weaker. Generally,
upstream ports are trustworthy, so this disadvantage can be ignored.
Compared with static MAC addresses, the number of static source MAC addresses that
can be filtered by the access device is much smaller. In normal cases, there are only a
few upper-layer devices, so the number of MAC addresses of upper-layer devices is also
small. Therefore, this disadvantage can also be ignored.
Compared with static MAC addresses, static source MAC address filtering takes effect
globally, which cannot be performed based on VLAN configuration.
Based on the preceding advantages and disadvantages, static source MAC address filtering is
more suitable for preventing MAC address spoofing.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 99
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Static Destination MAC Address Filtering
By manually configuring the MAC address of an upper-layer device of the access network as
a destination MAC address filtering entry, you can prevent the MAC address of the
upper-layer device from being used as the destination MAC address for sending packets. This
prevents malicious users from transmitting unicast packets to access the upper-layer device.
3.3.2.4 Configuring VMAC
Attack Behavior
Each MAC address on a Layer 2 network must be unique. The MAC address allocation
mechanism ensures global uniqueness of each address. However, hackers use scanning tools
to obtain existing MAC addresses, which allow hackers to impersonate genuine users. The
impersonation of a MAC address is known as MAC spoofing. Duplicate MAC addresses exist
in MAC spoofing; the same MAC address appears on different ports of a switch, causing a
MAC address transfer on the switch. As a result, data is sent to the hacker's device instead of
to the genuine user.
Security Policy
A VMAC address is a network-wide unique MAC address generated by an access device
based on certain rules. Because the VMAC address is generated by the access device (the
access node), it is considered trustworthy.
After the VMAC function is enabled, upon receiving packets from the user side in the
upstream direction, the access device converts the untrusted source MAC address of a user
into a trusted VMAC address and then forwards the packets to the upper-layer network. In the
downstream direction, the access device restores the VMAC addresses in packets received
from the network side to the actual MAC addresses of the user, and then sends these packets
to the user.
3.3.2.4.1 Configuring 1:1 VMAC
In 1:1 VMAC, the system generates trusted virtual MAC addresses (VMACs) according to
specified rules to replace source MAC addresses of end-users. 1:1 VMAC prevents users that
have untrustworthy MAC addresses from accessing operator networks and is an effective
countermeasure to MAC spoofing. In addition, an operator can directly locate a user in the
operator network by the VMAC and obtain precise user line information.
Prerequisites
The VMAC and anti-MAC spoofing functions are mutually exclusive. When VMAC is
enabled, make sure that anti-MAC spoofing is not enabled at the same time. You can run the
display security config command to query the status of the function.
Context
Table 3-13 System defaults of 1:1 VMAC parameters
Parameter Default Value
VMAC state disable
VLAN-service-profile-level VMAC disable
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 100
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Parameter Default Value
VMAC aging mode mac-learning (the common mode)
VMAC control-protocol IPv6oE disable
VMAC address count per P2P port 32
VMAC address count per ONT 8
PPPoE MAC mode multi-mac
Slot ID format Port-based: physical slot ID
ONT-based: physical slot ID + 1
Start port ID Port-based: 0
ONT-based: 1
Procedure
Step 1 Configure the system ID. It is used to identify a device on the network.
Make sure that the system ID is unique on the network. Planning is required in advance.
In xPON access mode, run the vmac olt-id command to configure an OLT ID as the
system ID.
In access modes other than xPON, run the vmac dslam-id command to configure a
DSLAM ID as the system ID.
If both DSLAM ID and OLT ID exist in the system:
Configure OLT ID as the system ID for xPON access users.
Configure DSLAM ID as the system ID for non-xPON access users.
Step 2 Configure the maximum VMAC address count on each port.
You can configure the maximum VMAC address count on each port to limit the user count of
the port and prevent system overload.
Run the vmac port-vmac-count command to configure the maximum VMAC address count
on each port.
Step 3 (Optional) In xPON access mode, configure the maximum VMAC address count on each
ONT.
You can configure the maximum VMAC address count on each ONT to limit the user count of
the ONT. This operation prevents an excessive user count on a single ONT. An ONT with too
many users will cause VMAC address insufficiency to the other ONTs connected to the same
OLT port.
Run the vmac ont-vmac-count command to configure the maximum VMAC address count
on each ONT.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 101
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Step 4 (Optional) Set the PPPoE MAC address allocation mode to multi-mac, that is, 1:1 VMAC
mode.
By default, the MAC address allocation mode is multi-mac. Perform this step only when the MAC
address allocation mode has been modified.
You can run the display pppoe mac-mode command to query the current PPPoE MAC address
allocation mode.
The MAC address mode can be configured globally (applicable to all VLAN users) or for a
specified VLAN service profile. You can select the configuration mode based on the service
deployment.
For PPPoE users, run the pppoe mac-mode command to set the MAC address allocation
mode to multi-mac.
Step 5 Configure the VMAC aging mode.
For unused VMAC addresses, the system ages them according to the aging mode to release
the VMAC address space. You can change the VMAC aging mode when the system default
does not meet requirements.
In VLAN service profile mode, run the vmac aging mode command to configure the VMAC
aging mode.
mac-learning:
In common aging mode, you can run the mac-address timer command to set the aging
time. The system periodically checks packets. If the system does not detect any packet,
whether sent or received, carrying the VMAC address within twice the configured aging
time, the system automatically releases the VMAC address, and this address can be
allocated to another user.
dhcp:
When the IP address is allocated through DHCP, the VMAC address will not be aged.
The VMAC address ages only when a user's IP address is released or is not renewed after
the lease expires.
The DHCP aging mode applies only to the DHCP dialup service with the multi-mac
MAC address allocation mode. This aging mode avoids frequent changes of system
entries because it maintains the mapping between the DHCP user's IP address and
VMAC address before the IP address is released. For example, after a computer wakes
up from hibernation, the computer will not perform DHCP dialup again. At this moment,
the IP address allocated to the computer through DHCP is not released, so the computer
can still use the mapping VMAC address.
Step 6 Enable the VMAC function.
The VMAC function can be configured at two levels: global level and VLAN service profile
level. The VMAC function is available only when it is enabled at both levels.
System level: Run the vmac { enable | disable } command to configure VMAC.
VLAN service profile level: In VLAN service profile mode, run the vmac{ enable |
disable } [ ipoe | pppoe ] command to configure VMAC. You can enable or disable
VMAC for all types of packets at VLAN level by running the vmac { enable | disable }
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 102
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
command, or enable or disable VMAC for a specific packet type (PPPoE, PPPoA, IPoE)
at VLAN level. Then bind this VLAN service profile to the VLAN.
----End
Example
On an IPv4 network, all users perform DHCP dialup through xPON access. VLAN 10
requires the VMAC function. To set the OLT ID to 0x0e02, maximum VMAC address count
on each OLT port to 8, and VMAC aging mode to DHCP mode, do as follows:
huawei(config)#vmac olt-id 0x0e02
huawei(config)#vmac port-vmac-count 8
huawei(config)#vlan service-profile profile-id 10
huawei(config-vlan-srvprof-10)#vmac aging-mode dhcp
huawei(config-vlan-srvprof-10)#vmac enable
huawei(config-vlan-srvprof-10)#commit
huawei(config-vlan-srvprof-10)#quit
huawei(config)#vlan bind service-profile 10 profile-id 10
huawei(config)#vmac enable
3.3.2.4.2 Configuring N:1 VMAC
In N:1 VMAC, the system generates trusted virtual MAC addresses (VMAC) to replace
source MAC addresses of end-users. N:1 VMAC prevents users that have untrustworthy
MAC addresses from accessing operator networks and is an effective countermeasure to
MAC spoofing. N:1 VMAC allows multiple MAC addresses to be translated into one VMAC
address, so the access node only needs to record one VMAC entry, instead of multiple MAC
entries, for a specified number of users. Using N:1 VMAC, an access node can accommodate
more users by using the same MAC address space.
Prerequisites
The VMAC and anti-MAC spoofing functions are mutually exclusive. When VMAC is
enabled, make sure that anti-MAC spoofing is not enabled at the same time. You can run the
display security config command to query the status of the function.
Context
Table 3-14 System defaults of N:1 VMAC parameters
Parameter Default Value
VMAC state disable
VLAN-service-profile-level VMAC disable
Maximum PPPoE session count of a port 8
Maximum PPPoE session count of each 8
service port
Number of MAC addresses in each MAC 256
address pool
MAC address allocation mode of PPPoE multi-mac
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 103
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Parameter Default Value
users
Procedure
Step 1 Configure the maximum PPPoE session count.
You can configure the maximum PPPoE session count to limit the access user count and
prevent system overload. The system supports two levels for configuring the maximum
PPPoE session count: physical port level and service port level.
Run the pppoe max-session-count command to configure the maximum PPPoE session
count of a physical port.
Run the pppoe max-session-count service-port command to configure the maximum
PPPoE session count of a service port.
Step 2 (Optional) Configure a VMAC address pool for the xPON protection group.
Perform this step only when an xPON protection group has been configured.
A system configured with xPON protection groups requires a VMAC address pool. The
system performs MAC address translation (MAT) using idle MAC addresses in the VMAC
address pool after receiving user packets.
1. Configure a MAC address pool. Run the mac-pool [ pool-index ] single-mac startmac
[ scope ] command to configure the MAC address pool that will be used for replacing
user MAC addresses through N:1 VMAC.
For network security considerations, ensure that you have planned the MAC address pool
during data planning, and that the MAC address pool does not conflict with the MAC
addresses of other devices on the network.
You can add or delete a MAC address pool, but cannot modify it.
2. Bind a MAC address pool to the xPON protection group. In protect-group mode, run the
bind mac-pool single-mac command to bind a MAC address pool to the protection
group.
Step 3 Set the PPPoE MAC address allocation mode to single-MAC mode (N:1 VMAC mode).
The MAC address allocation mode can be configured at system level (effective on users of all
VLANs) or at VLAN level (effective on users of a specified VLAN), depending on service
deployment.
For PPPoE users, run the pppoe mac-mode command to set the MAC address allocation
mode to single-mac for the system and for VLAN service profile, or run the pppoe vlan
command to set the MAC address allocation mode to single-mac for a single VLAN.
----End
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 104
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Example
A PPPoE user is configured on service port 10 and locates in VLAN 10. To set the maximum
PPPoE session count to 5 and set the MAC address allocation mode to single-mac globally
and for VLAN 10, do as follows:
huawei(config)#pppoe max-session-count service-port 10 5
huawei(config)#pppoe mac-mode single-mac
huawei(config)#pppoe vlan 10 mac-mode single-mac
Assume that the system is configured with xPON protection group 0. To set the maximum
number of PPPoE sessions of service port 10 to 5, configure a VMAC address pool (the start
MAC address is 00e0-fc00-3333, including 10 MAC addresses), and set the MAC address
allocation mode of VLAN 10 to single-mac, do as follows:
huawei(config)#pppoe max-session-count service-port 10 5
huawei(config)#mac-pool single-mac 00e0-fc00-3333 10
huawei(config)#protect-group 0
huawei(protect-group-0)#bind mac-pool single-mac
huawei(protect-group-0)#quit
huawei(config)#pppoe mac-mode single-mac
huawei(config)#vlan service-profile profile-id 10
huawei(config-vlan-srvprof-10)#pppoe mac-mode single-mac
huawei(config-vlan-srvprof-10)#commit
huawei(config-vlan-srvprof-10)#quit
huawei(config)#vlan bind service-profile 10 profile-id 10
3.3.2.5 Anti-IP/ICMP Attack on the User Side
Attack Behavior
User-side IP attack: The destination IP address of the packets sent by a regular user is not the
management IP address of the access device (unless otherwise specified by some operators).
Malicious users forge IP packets whose destination IP address is the management IP address
to attack the access device. During a common IP attack, malicious users send a large number
of packets to request responses from the access device. As a result, the access device is
overloaded and fails to process normal service requests from users. IP attacks can be
considered as DoS attacks.
User-side ICMP attack: The Internet Control Message Protocol (ICMP) is a sub-protocol of
the TCP/IP protocol suite, and is used for transmission of control messages (such as the PING
and trace route messages) between an IP host and routers. During fault locating, ICMP
packets can be sent from a peer device to the access device to check network connectivity and
route reachability.
Malicious users can ping an access device and initiate attacks.
Security Policy
To avoid IP attacks from malicious users (also called anti-IP attack), the access device can
identify and discard the IP packets received from a user port whose destination IP address is
the system management address.
To avoid ICMP attacks from malicious users (also called anti-ICMP attack), the access device
can identify and discard the ICMP packets received from a user port whose destination IP
address is the system management address.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 105
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Protections against ICMP, ICMPv6, IP, IPv6, and hop limit attacks are enabled by default in
V100R20C10 and later versions.
3.3.2.5.1 Configuring Anti-IP/ICMP Address Attack
The configuration of Internet Control Message Protocol (ICMP) or IP address attack
protection prevents malicious users from sending IP or ICMP packets to exhaust system
resources and ensures the proper running of access devices.
Context
Table 3-15 Potential system security risks and solutions
Potential Security Risk Solution Suggestion
Malicious users send ICMP or Anti-ICMP attack on the user This function is
IP packets to the access device. side used when the
As a result, access device Anti-IP attack on the user side following
resources are exhausted and the conditions are
access device may met:
malfunction. For example: The access
Malicious users send a large device works
number of ping packets to at Layer 3.
request responses from the The
access device. As a result, destination
the access device becomes address of
overloaded. ICMP or IP
Malicious users may find packets is not
system vulnerabilities by the system IP
pinging or logging in to the address of the
access device remotely and access device.
then initiate attacks. NOTICE
Disabling the
anti-IP/ICMP
attack function
poses security
risks. You are
advised to enable
this function.
Procedure
Enable anti-IP attack.
Run the security anti-ipattack enable command to enable the anti-IP attack function.
Configure anti-ICMP attack.
Run the security anti-icmpattack enable command to enable the anti-ICMP attack
function.
----End
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 106
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Example
To enable the anti-IP/ICMP attack function of the device and prohibit the device from
receiving IP/ICMP packets whose destination IP address is the device IP address from the user
side, do as follows:
huawei(config)#security anti-ipattack enable
huawei(config)#security anti-icmpattack enable
3.3.2.5.2 Configuring Anti-IPv6/ICMPv6 Address Attack
The configuration of Internet Control Message Protocol v6 (ICMPv6) or IPv6 address attack
protection prevents malicious users from sending ICMPv6 or IPv6 packets to exhaust system
resources and ensures the proper running of access devices.
Context
Table 3-16 Potential system security risks and solutions
Potential Security Risk Solution Suggestion
Malicious users send IPv6 or Anti-ICMPv6 Attack on the This function is
ICMPv6 packets to the IPv6 User Side used when the
address of an access device. As Anti-IPv6 Attack on the User following
a result, access device Side conditions are
resources are exhausted and the met:
access device may The access
malfunction. For example: device works
Malicious users send a large at Layer 3.
number of ping packets to The
request responses from the destination
access device. As a result, address of the
the access device becomes ICMPv6 or
overloaded. IPv6 packets is
Malicious users may find not the system
system vulnerabilities by IPv6 address
pinging or logging in to the of the access
access device remotely and device.
then initiate attacks. NOTICE
Disabling the
anti-IPv6/ICMPv6
attack function
poses security
risks. You are
advised to enable
this function.
Procedure
Configure anti-ICMPv6 attack.
Run the security anti-icmpv6attack enable command to enable the anti-ICMPv6 attack
function.
Configure anti-IPv6 attack.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 107
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Run the security anti-ipv6attack enable command to enable the anti-IPv6 attack
function.
----End
Example
To enable the anti-IPv6/ICMPv6 attack function of the device and prohibit the device from
receiving IPv6/ICMPv6 packets whose destination IP address is the IPv6 address of the
device from the user side, do as follows:
huawei(config)#security anti-icmpv6attack enable
huawei(config)#security anti-ipv6attack enable
3.3.2.6 Configuring Source Route Filter
Attack Behavior
Attackers may attack a network by changing the source route option of IP packets to any
address desired. A system under such an attack will fail to process normal service requests
from users.
Security Policy
When malicious users attack networks, they use source route options as an auxiliary method
of IP address spoofing. The following describes how to protect access devices from malicious
users' attacks.
Source route filtering: Filter out the IP packets that carry source route options from users.
Anti-IP spoofing: Prevent malicious users from forging the IP addresses of valid users.
Procedure
Configure the source route filtering function.
Run the security source-route enable command to enable the source route filtering
function. This function is mainly used to filter the packets that are carrying route
information and destined for the Layer 3 network.
----End
Example
An IP packet with the source route option specifies the transmission path of the packet. To
enable source route filtering to prevent attackers from forging a valid IP address using such a
packet to enter the network, do as follows:
huawei(config)#security source-route enable
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 108
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
3.3.2.7 Configuring Anti-IP Spoofing
Attack Behavior
IP spoofing is an attack in which malicious users send packets with forged IP addresses to
attack the network. A malicious user destructs services of authorized users by forging their IP
addresses.
Security Policy
Through dynamic or static IP address binding, the anti-IP spoofing function prevents
malicious users from attacking the system by forging the IP addresses of valid users. It
protects the operator network against attacks and improves the security of user services.
Procedure
Bind IP addresses.
Run the bind ip command to bind IP addresses.
Configure the IP address binding to permit only the users of certain IP addresses to
access the system so that malicious users cannot access the system by forging the IP
addresses of valid users.
Configure anti-IP spoofing.
When a service port is bound with a VLAN service profile, the anti-IP spoofing function
can be enabled or disabled at three levels, and takes effect only when it is enabled at all
the three levels.
When a service port is not bound with any VLAN service profile, anti-IP spoofing can be
enabled or disabled at two levels (not including the VLAN level), and takes effect only
when it is enabled at both levels.
− Global switch: Run the security anti-ipspoofing command (or the security
anti-ipv6spoofing command in IPv6 networking) to configure the switch. By
default, the switch is disabled.
The ant-IP spoofing function is enabled at the VLAN and service port levels by default. When
the function is enabled at the global level, it takes effect on all service ports in the system. To
disable anti-IP spoofing for a service port, do as follows:
If the VLAN of the service port is bound with a VLAN service profile and anti-IP spoofing
needs to be disabled for service ports of all VLANs bound with the VLAN service profile,
disable anti-IP spoofing in the VLAN service profile using the VLAN-level switch.
If anti-IP spoofing needs to be disabled for only a specific service port, disable the
function at the port level.
− VLAN-level switch:
i. Run the vlan service-profile command to create a VLAN service profile and
enter the VLAN service profile mode.
ii. Run the security anti-ipspoofing command (or the security
anti-ipv6spoofing command in IPv6 networking) to configure the switch. By
default, the switch is enabled.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 109
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
iii. Run the commit command to make the profile configuration take effect. The
configuration of the VLAN service profile takes effect only after this
command is executed.
iv. Run the quit command to quit the VLAN service profile mode.
v. Run the vlan bind service-profile command to bind the VLAN to the VLAN
service profile.
− Service port level switch: Run the security anti-ipspoofing service-port command
(or the security anti-ipv6spoofing service-port command in IPv6 networking) to
configure the switch. By default, the switch is enabled.
When anti-IP spoofing is enabled after a user is already online, the IP address of this user is not bound in
the system. As a result, the service of this user is interrupted, this user goes offline, and the user needs to
go online again. Only the user who goes online after anti-IP spoofing is enabled can have the IP address
bound.
(Optional) Configure power-off recovery for IP address binding.
To allow users to automatically go online without re-dialing up after the device is
powered off, configure this function.
a. Run the security user auto-backup enable command to enable the auto-backup
function.
b. Run the file-server auto-backup udm command to configure the automatic backup
server.
c. Run the security user auto-backup period command to configure the automatic
backup period.
d. Run the security user auto-load timeout command to configure the timeout
parameters for automatic downloading. The timeout parameters include the total
timeout time and the interval between each download attempt. If download is not
finished before the timeout time ends, the system stops data download.
----End
Example
To bind IP address 10.1.1.245 to service port 2, that is, service port 2 permits only the packet
whose source IP address is 10.1.1.245, do as follows:
huawei(config)#bind ip service-port 2 10.1.1.245
To enable anti-IP spoofing for service port 1 in service VLAN 10, do as follows:
huawei(config)#security anti-ipspoofing enable
huawei(config)#vlan service-profile profile-id 2
huawei(config-vlan-srvprof-2)#security anti-ipspoofing enable
Info: Please use the commit command to make modifications take effect
huawei(config-vlan-srvprof-2)#commit
huawei(config-vlan-srvprof-2)#quit
huawei(config)#vlan bind service-profile 10 profile-id 2
huawei(config)#security anti-ipspoofing service-port 1 enable
Reference Principles
Dynamic IP Address Binding for Anti-IP Spoofing
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 110
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
The system monitors the DHCP online and offline processes of users. When a user goes
online, the system dynamically obtains the source IP address of the user and binds the
source IP address to the service flow of the user.
The system only forwards the packets whose source IP address is the IP address bound to
the service flow.
When a user goes offline, the system unbinds the user's source IP address from the
service flow.
After dynamic IP address binding for anti-IP spoofing is enabled, the access device will
modify the exchange identification (XID) of the DHCP packet sent by a user, so that the XID
of the DHCP packet sent by the DHCP client is different from that of the DHCP packet
received by the DHCP server. The DHCP server generally does not check XID values.
Therefore, the XID value change does not affect services. If an operator adds information into
the XID of the packet sent by a DHCP client for DHCP server verification (this is not defined
in the standard), the verification may fail and services will be affected.
XID in a DHCP packet functions as the number of the packet.
The dynamic anti-IP spoofing feature monitors the interaction process of DHCP packets to
generate dynamic IP address binding entries. Therefore, if DHCP users have already dialed up
before the dynamic anti-IP spoofing feature is enabled, after the dynamic anti-IP spoofing
feature is enabled, the services of these users are interrupted immediately because there are no
dynamic IP address binding entries. These users must re-dial up to go online or renew the
lease so that the dynamic anti-IP spoofing feature can generate dynamic IP address binding
entries. Then, the services of these users can be restored.
Static IP Address Binding for Anti-IP Spoofing
An access device can bind an IPv4 address to a service port. After IP addresses are bound to a
service port, the service port only allows packets with IP addresses bound to the port to pass
through. This improves system security.
IP address binding is recovered as follows:
The IP address binding entries are saved as user data management (UDM) data. When the
system is restarted, the UDM data is automatically restored to the memory. In this case, a user
is bound to the IP address without dialing up again. Recovery of IP address binding entries
supports power-off recovery and non-power-off recovery. In non-power-off recovery, the
memory area for storing UDM data is not cleared during the system reset. After the system
reset, UDM entries are recovered from the memory area to complete IP address binding.
Non-power-off recovery requires no extra configuration and the working principle is simpler
than that of the power-off recovery. The following describes the power-off recovery scenario.
When the system is running properly, the UDM data is periodically compressed and
backed up on the server through FTP/TFTP/SFTP. During automatic system backup,
DHCP, DHCPv6, stateless address autoconfiguration (SLAAC), and PPPoE dialup users
are forbidden to go online or offline to avoid data conflicts. If a device power failure
occurs during automatic system backup, the file stored on the server is incomplete. In
such a case, the UDM data cannot be recovered after the system is restarted.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 111
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
FTP and TFTP have security risks due to their limitations. SFTP is recommended.
When the system is restarted after a power failure, the system automatically downloads
the backup data from the server and restores it after decompression. Because automatic
download is performed during system startup, the upstream port may not be ready for
automatic download and the download channel may not be available. In this case,
automatic download cannot be smoothly carried out. The system makes attempts to
download data from the server till the timeout time elapses. If no attempt is successful,
the system does not make any further attempts. During automatic download, data
recovery, and data download attempts, dialup users are not allowed to go online or
offline to avoid data conflicts. Once automatic data backup is disabled during data
download or data download attempts, users can go online and offline. If automatic data
backup is disabled during data recovery after data download, users can go online and
offline only after the UDM data is recovered.
When the system configured with active/standby servers is restarted due to a power
failure, the system will try to download data from the active server first. If the active
server is not available, the system will try the standby server. When the file downloaded
from the active server fails to be verified or is not the latest, the system will not
download data from the standby server.
The lease time of the recovered UDM data may be different from that of the original
UDM data when the system time is changed in the following conditions: before a device
power failure occurs without any automatic data backup; after the system is restarted due
to a power failure while the UDM data has not been completely recovered.
If a device power failure occurs after you run the active configuration system command
but before the first UDM data backup is complete, IP address binding entries cannot be
correctly recovered after the system is restarted.
Principles of Anti-IPv6 Spoofing
The anti-IPv6 spoofing function is basically the same as the anti-IP spoofing in IPv4
networking. The general process of dynamically binding an IPv6 address is as follows:
1. The system monitors the DHCPv6 or SLAAC online and offline processes of users.
When a user goes online, the system dynamically obtains the source IPv6 address of the
user and binds the source IPv6 address to the service flow of the user.
2. The system only forwards the packets whose source IPv6 address is the IP address bound
to the service flow.
3. When a user goes offline, the system unbinds the user's source IPv6 address from the
service flow.
In an IPv6 network, users can obtain IPv6 addresses using SLAAC or DHCPv6.
In a network that uses SLAAC, the broadband network gateway (BNG) allocates IPv6
prefixes to users and the device dynamically binds these IPv6 prefixes to the service flow.
To do so, the device obtains IPv6 prefixes allocated to the users from the router
advertisement (RA) messages sent by the BNG and dynamically generates IP address
binding entries.
In a network that uses DHCPv6, IP address binding is triggered by DHCPv6 packets
when a user sends DHCPv6 packets to obtain an IP address. A DHCPv6 server may
assign one or more IPv6 addresses or IPv6 prefixes to a DHCPv6 packet. The device
obtains all the IPv6 addresses and prefixes assigned by the DHCPv6 server from the
DHCPv6 packets received, and then generates IP address binding entries.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 112
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
The dynamic anti-IPv6 spoofing feature monitors the interaction of DHCPv6 and SLAAC
packets to generate dynamic IPv6 address binding entries. Therefore, if DHCPv6 or SLAAC
users have already dialed up before the dynamic anti-IPv6 spoofing feature is enabled, after
the dynamic anti-IPv6 spoofing feature is enabled, the services of these users are interrupted
immediately because there are no dynamic IPv6 address binding entries. These users must
re-dial up to go online or renew the lease so that the dynamic anti-IPv6 spoofing feature can
generate dynamic IP address binding entries. Then, the services of these users can be restored.
On an IPv6 network, the device also supports static binding of IPv6 addresses. The binding of
an IPv6 address is different from that of an IPv4 address because of the structure difference
between an IPv6 and IPv4 address. In IPv6 binding, the device binds a variable-length IPv6
prefix to a service port to improve system security.
3.3.2.8 Configuring Anti-theft and Roaming Using PITP
Context
Currently, PPPoE is widely used. Due to the lack of effective methods for identifying and
binding the physical location of a user, a hacker can steal the account of a valid user and
damage the services of the user.
Security Policy
The PITP protocol is used to provide the information about the physical port of an access user
for the BRAS. After obtaining the user port information, the BRAS binds the user account to
the access port for authentication, protecting the user account against embezzlement and
roaming.
Table 3-17 Default settings related to PITP
Parameter Default Value
PITP function Global status: disabled
Port-level status: enabled
VLAN-level status: enabled
Service port-level status: enabled
PITP sub-option 90 function Disable
Whether a service port allows Enable
user-side PPPoE packets to carry a
vendor tag
Security risks exist if the PITP function is disabled. You are advised to enable the PITP
function.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 113
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Procedure
Step 1 Run the display pitp config or display pitp port to query the current PITP configuration.
The format of a packet providing the physical port of an access user to the BRAS is
determined by the relay agent info option (RAIO) mode. Therefore, configure a RAIO mode
before configuring PITP.
Step 2 RAIO can be configured in global or profile mode.
Global RAIO mode:
a. Run the raio-mode command to configure the RAIO mode in the PITP P mode or
PITP V mode.
b. (Optional) If the RAIO mode is user-defined, run the raio-format command to
configure the RAIO mode in PITP P mode or PITP V mode.
RAIO profile mode:
a. Run the raio-profile command to create a RAIO profile and enter the RAIO profile
mode.
b. Run the raio-mode command to configure the RAIO mode in the PITP P mode or
PITP V mode.
c. (Optional) If the RAIO mode is user-defined, run the raio-format command to
configure the RAIO mode in PITP P mode or PITP V mode.
d. Run the quit command to quit the RAIO profile mode.
e. Run the vlan bind raio-profile command to bind the RAIO profile to the VLAN.
Step 3 Configure the PITP switch.
Global switch: Run the pitp enable command to enable the global PITP switch. This
switch is disabled by default.
In the PITP V mode, run the pitp vmode ether-type command to set the protocol type to be the same as
that of the BRAS. Then, run the pitp enable vmode command to enable global PITP V mode.
Port-level switch: Run the pitp port or pitp board command to configure the port-level
switch. By default, the switch is enabled.
VLAN-level switch:
a. Run the vlan service-profile command to create a VLAN service profile and enter
the VLAN service profile mode.
b. Run the pitp enable command to enable the PITP switch at the VLAN level. By
default, the switch is enabled.
c. Run the commit command to make the profile configuration take effect. The
configuration of the VLAN service profile takes effect only after this command is
executed.
d. Run the quit command to quit the VLAN service profile mode.
e. Run the vlan bind service-profile command to bind the VLAN to the VLAN
service profile.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 114
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Switch at the service port level: Run the pitp service-port command to configure the
switch at the service port level. The switch is enabled by default.
Step 4 Configure the optional attributes of PITP.
Run the pitp permit-forwarding service-port command to configure whether a service
port allows user-side PPPoE packets to carry a vendor tag. By default, this function is
disabled.
(Supported only in P mode) Run the pitp sub-option90 command to configure the
Sub-option90 switch. By default, the switch is disabled. The P mode supports the
reporting of the line parameters (including the activation bandwidth) in Sub-option90.
Configure the sub-option as required.
----End
RAIO Reference Principles
RAIO encapsulates the obtained user access information into different protocol packets
according to packet formats, and provides the physical location information of users for the
BRAS or DHCP server to implement service operation and control as well as access security
management of user accounts.
Tag type
Tag type is specified in type-length-value (TLV). RAIO supports the following tag types:
Circuit ID (CID): used to identify a subscriber line. A CID contains the subrack ID, slot
ID, port ID, and VPI/VCI (VPI is the abbreviated form of virtual path identifier, and VCI
is the abbreviated form of virtual channel identifier). Operators use a CID to identify a
user and control the user access. A CID is in the TLV format and the value of Type is
fixed to 1.
Remote ID (RID): used to identify a remote user. An RID contains the remote flow
description, phone number, and user name. An RID is in the TLV format and the value of
Type is fixed to 2.
Option 18: an option defined by Dynamic Host Configuration Protocol version 6
(DHCPv6) and filled with a CID.
Option 37: an option defined by DHCPv6 and filled with an enterprise ID and an RID.
Information (INFO): dedicated for working objects in PITP V mode and filled with a
CID.
Suboption: a suboption except the CID and RID. For details about the definitions of
suboptions 0x81 to 0x91, see the following table.
Only the PITP V mode and DHCP Option 82 support suboptions.
Table 3-18 Description of suboptions
Suboption Description
Suboption 81 Actual upstream rate in the activated state.
Suboption 82 Actual downstream rate in the activated state.
Suboption 83 Minimum upstream data rate.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 115
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Suboption Description
Suboption 84 Minimum downstream data rate.
Suboption 85 Minimum upstream reserved rate.
Suboption 86 Minimum downstream reserved rate.
Suboption 87 Maximum upstream data rate.
Suboption 88 Maximum downstream data rate.
Suboption 89 Minimum upstream rate in low power state.
Suboption 8A Minimum downstream rate in low power state.
Suboption 8B Maximum upstream interleave delay.
Suboption 8C Actual upstream interleave delay.
Suboption 8D Maximum downstream interleave delay.
Suboption 8E Actual downstream interleave delay.
Suboption 8F Line status.
Suboption 90 Subscriber line type and data encapsulation type.
Suboption 91 Line transmission type.
RAIO mode
The format of tags carried in packets varies according to operators' requirements. RAIO
supports multiple working modes. Each working mode defines various tag formats. A RAIO
mode can be pre-defined or user-defined. A pre-defined mode focuses on customers'
requirements, and a user-defined mode features flexibility.
Table 3-19 RAIO modes
Mode Description
Pre-defined Standard Is proposed by standards organizations along with
mode pre-defined technology development. dslforum-default and broadband
NOTE mode forum (BBF) standard modes are supported.
In this Customer Is customized based on carriers' requirements. In this
mode, a tag
format is
pre-defined mode, tag formats are defined by operators. Generally, the
pre-defined mode operators defining the format are the mode users. For
.A example, cntel-xpon, cntel, ft, and ti are customer
pre-defined pre-defined modes.
mode can
be a Device Is a universal mode defined by devices.
standard pre-defined
pre-defined mode
mode,
customer
pre-defined
mode, or
device
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 116
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Mode Description
pre-defined
mode.
User-defined mode Features flexible configurations. The configurable elements
include the access type, keywords, separators, length, and
optional characters.
You can run the raio-mode command to set tag formats in the preceding RAIO modes.
RAIO tag format
A CID format identifies the global attributes of a device. The CID format varies according to
the RAIO mode and access mode. The following table lists the CID formats of different
access modes.
The following table lists only the tag formats in standard pre-defined, common, and user-defined modes.
The customer pre-defined mode is based on customers' requirements. In this mode, the tag formats are
customized and therefore are not described in the following table.
Table 3-20 Tag formats in various access modes
RAIO Mode Access Mode
ATM VDSL/LA xPON EoC
N
CID
format:
anid xpon
CID format: frame/slot/ CID format:
CID format: anid eth subslot/por anid eoc
anid atm frame/slot/su t: frame/slot/su
frame/slot/subsl bslot/port: ontid.gemp bslot/port:
ot/port: vpi.vci vlanid ort.vlanid cnuid
Common mode RID: null RID: null RID: null RID: null
xDSL port rate mode CID format: CID format: CID CID format:
NOTE
anid atm anid eth format: anid eth
In this mode, a CID is
frame/slot/subsl frame/slot/su anid xpon frame/slot/su
formed by adding the ot/port: bslot/port: frame/slot/ bslot/port:
upstream and downstream vpi.vci%up: vlanid%up: subslot/por vlanid%up:
rates of an ADSL port in the uprate down: uprate t: uprate down:
activated state to the end of dnrate down: ontid.gemp dnrate
the default CID format. Only dnrate ort.vlanid
ADSL2+ boards support the NOTE RID format:
xDSL port rate mode. %: followed RID format: %up: user-defined
by the rates user-defined uprate
in the down:
activated dnrate
state.
RID
up: indicates format:
the upstream
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 117
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
RAIO Mode Access Mode
ATM VDSL/LA xPON EoC
N
rate in the user-define
activated d
state.
down:
indicates the
downstream
rate in the
activated
state.
RID format:
user-defined
port-userlabel mode CID format: CID format: CID CID format:
NOTE anid atm anid eth format: anid eth
In this mode, a CID carries
slot/port: slot/port: anid xpon slot/port:
the label of a user port vpi.vci vlanid frame/slot/ vlanid
(user-defined port RID format: RID format: subslot/por RID format:
description) with a maximum
plabel plabel t: plabel
length of 32 bytes in addition ontid.gemp
to the information required ort.vlanid
by the default format. An
RID carries the label of a RID
user port. format:
plabel
service-port-userlabel CID format: CID CID CID format:
mode anid atm formats: formats: anid eth
NOTE slot/port: Multi-ser Multi-s slot/port:
In this mode, an RID carries
vpi.vci vice ervice vlanid
user-defined service flow RID format: based on based RID format:
description, which can be splabel VLANs: on splabel
configured by running the
anid eth VLANs
service-port desc command.
slot/port: : anid
flowpara xpon
Others: frame/s
anid eth lot/0/po
slot/port: rt:
vlanid gempor
t.ontid.f
RID format: lowpara
splabel
Others:
anid
xpon
frame/s
lot/0/po
rt:
gempor
t.ontid.
vlanid
RID
format:
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 118
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
RAIO Mode Access Mode
ATM VDSL/LA xPON EoC
N
splabel
dslforum-default mode CID format: CID CID CID format:
NOTE
anid atm formats: formats: anid eth
The dslforum-default mode
slot/port: Multi-ser Multi-s slot/port:
is the default mode of the vpi.vci vice ervice vlanid
DSL forum. RID: null based on based RID: null
VLANs: on
anid eth VLANs
slot/port: : anid
flowpara xpon
Others: frame/s
anid eth lot/0/po
slot/port: rt:
vlanid gempor
t.ontid.f
RID: null lowpara
Others:
anid
xpon
frame/s
lot/0/po
rt:
gempor
t.ontid.
vlanid
RID: null
BBF mode In digital In DSLAM - -
NOTE subscriber line scenarios:
This mode is defined by the
access CID
Broadband Forum and multiplexer format:
complies with the TR156 (DSLAM) anid eth
standard. scenarios: slot/port:
CID format: [vlan-id]
anid atm RID: null
slot/port:
vpi.vci In FTTx
scenarios:
RID: null
CID
In fiber to the x format:
(FTTx) anid eth
scenarios: slot/port/
CID format: onuid/slo
anid atm t/port:
slot/port/onu [vlan-id]
id/slot/port: RID
vpi.vci format:
RID format: ONT
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 119
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
RAIO Mode Access Mode
ATM VDSL/LA xPON EoC
N
ONT label label
anid is a character string that identifies an access node. It can contain any characters but
a space or separator is not recommended. In BBF mode, no space is allowed in anid. Fill
in anid according to the following rules:
− If anid has been configured, use the configured value.
− If anid has not been configured but the device name has been configured, use the
device name.
− If neither anid nor the device name has been configured, use the MAC address of
the device.
− In BBF mode, the value of anid cannot contain spaces. If user packets carry a
use-side VLAN, vlan-id is the ID of the VLAN.
The RID format is generally used to identify the user's access information (local
information).
Tag formats in user-defined mode
The CID and RID formats are customized in user-defined mode. The following describes the
syntax rules for the user-defined mode.
Only the keyword and separator sets defined in the system can be parsed. The keyword
set contains the minimum keyword set defined by TR101 and the keyword set extended
by the IAS. For details, see Table 3-21.
Maximum width
The maximum width refers to the maximum number of columns for a keyword. The
maximum widths of keywords specified in the system are greater than the maximum
width defined in TR101. The reason is that the actual maximum width required by some
manufacturers is greater than the maximum width defined in TR101. The maximum
width of anid is determined by the maximum character string length (50 characters)
supported by the system.
Configurable width
The number of columns for a keyword can be configured. The Router automatically adds
0s to the beginning of the number of used columns if the number of columns used by a
keyword is less than the configured width. The syntax is keyword+0+m, where m
indicates the number of columns used by a keyword. For example, slot03 indicates that
the number of columns used by the slot keyword is 3. Therefore, if a slot occupying two
columns, it is displayed as 002 in a packet. m must be less than or equal to the maximum
width. If the actual number of columns is greater than m, the actual number is displayed.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 120
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Table 3-21 User-defined keyword set
Keywo Description Wheth Maxi
rd er the mum
Width Width
Is
Confi
gurabl
e
anid Name of an access node No 63
anip IP address of an access node No 15
eth Ethernet access mode No 3
accessty User access type, which takes effect only on xPON lines No 4
pe
atm ATM access mode No 3
xpon xPON access mode No 4
chassis Cabinet ID of an access node Yes 4
rack Rack ID of an access node Yes 4
frame Subrack ID Yes 4
slot Slot ID Yes 4
logicals Logical slot ID. Logical slot IDs in CIDs and RIDs are Yes 4
lot continuous service board slot IDs starting from 1. The slot
ID of the first service board is 1, and the slot ID increases
in ascending order. An idle service board slot also has a
logical slot ID. Non-service board slots, such as the slots
for control boards, upstream boards, and power boards, do
not have logical slot IDs.
subslot Daughter board ID, which is set to 0 Yes 4
port Port ID Yes 4
port+1 Port ID + 1. Port ID in a CID/RID = Actual port ID + 1. Yes 4
If a working object works in Access Node Control Protocol
(ANCP) mode, both the ancp port begin command and the
port+1 keyword can take effect. That is, if the port+1
keyword is selected annd the start port ID is set to 1 by
running the ancp port begin command, the port ID in the
CID and RID is the actual port ID plus 2.
ontporti ONT port ID Yes 4
d
cvlanid User-side VLAN ID. If the services carried on the service Yes 4
port of a user are differentiated by the user-side VLAN ID,
the VLAN ID is the user-side VLAN ID. Otherwise, the
VLAN ID is invalid.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 121
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Keywo Description Wheth Maxi
rd er the mum
Width Width
Is
Confi
gurabl
e
vlanid If the services carried on the service port are differentiated Yes 4
by user-side VLAN ID, the VLAN ID set in user-defined
RAIO mode is the user-side VLAN ID. Otherwise, the
VLAN ID is the network-side VLAN ID.
priority Priority of the traffic profile for service ports when Layer-2 Yes 4
PPPoE and DHCP Option 82 are enabled
plabel Description of a user port No 32
splabel Description of a user service port. You can run the No 64
service-port desc command to set this parameter.
sprlabel Remote description of a service port. You can run the No 64
service-port remote-desc command to set this parameter.
bslot BRAS slot ID Yes 4
bsubslot BRAS subslot ID Yes 4
bport BRAS port ID Yes 4
bportty BRAS access mode Yes 4
pe
8021p VLAN priority Yes 4
xpi When the network-side VLAN is a stacking VLAN, Yes 4
XPI is the network-side VLAN ID.
When the network-side VLAN is not a stacking VLAN,
XPI is always 4096.
xci When the network-side VLAN is a stacking VLAN, Yes 5
XCI is the label of the user service port.
When the network-side VLAN is not a stacking VLAN,
XCI is the network-side VLAN ID.
axpi VPI Yes 4
(for
ATM
access
mode)
axpi Network-side VLAN ID Yes 4
(for
Etherne
t and
xPON
access
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 122
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Keywo Description Wheth Maxi
rd er the mum
Width Width
Is
Confi
gurabl
e
modes)
axci VCI Yes 5
(for
ATM
access
mode)
axci When the network-side VLAN is a stacking VLAN: Yes 5
(for If the services carried on the user service port are
Etherne differentiated by user-side VLAN ID, AXCI is the
t and user-side VLAN ID.
xPON If the services carried on the user service port are not
access differentiated by user-side VLAN ID, AXCI is the label
modes) of the user service port.
When the network-side VLAN is not a stacking VLAN:
If the services carried on the user service port are
differentiated by user-side VLAN ID, AXCI is the
user-side VLAN ID.
If the services carried on the user service port are not
differentiated by user-side VLAN ID, AXCI is always
4096.
gem-ind GPON encapsulation mode (GEM) index of an xPON line Yes 4
ex
gemport GEM port ID of an xPON line Yes 4
uprate Upstream rate of an ATM or Ethernet port (The Ethernet Yes 10
port is only a PTM port.)
dnrate Downstream rate of an ATM or Ethernet port (The Ethernet Yes 10
port is only a PTM port.)
ontid Optical network unit (ONU) ID of an xPON line Yes 4
ontid+1 Optical network terminal (ONT) ID + 1. The ONT ID in a Yes 4
CID and RID is the actual ONT ID plus 1.
ontlabel ONT label, which takes effect only on xPON lines No 63
ontportt ONT port type, which can be: No 63
ype 1: indicates Ethernet ports, including those of the
wireless local area network (WLAN) type.
2: indicates POTS ports.
ontporti ONT port ID No 63
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 123
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Keywo Description Wheth Maxi
rd er the mum
Width Width
Is
Confi
gurabl
e
d NOTE
The value of this keyword is 0 for Ethernet ports of the WLAN
type and for POTS ports on a single voice access gateway (VAG).
onuid Indicates the ONU ID of an xPON line. It is the ONU Yes 24
authentication information and contains 24 bits. This
parameter is padded with 0s at the beginning if it is shorter
than 24 bits. According to the ONU authentication mode,
an ONU ID can be the MAC address, SN, authentication
password, or logical ONU ID (LOID) of an ONU.
onutag Data after ANID accesstype in the tag carried by a message No 255
transmitted or received by an ONU, which takes effect only
on xPON lines
For example, in ANID accesstype slot/port:vlanid, the
value of onutag is slot/port:vlanid.
SN ONT SN No 16
0002 Fixed to 0002 Yes 4
up Fixed to up Yes 2
down Fixed to down Yes 4
vpi VPI of an ATM line Yes 4
vci VCI of an ATM line Yes 4
ge Fixed to GE Yes 2
Plaintex Identified using a pair of quotation marks ("") during Yes -
t flexible configuration in RAIO mode
The plaintext consists of letters, numbers, spaces, and the
following special characters: +*-/|.:<>[],#@$%!.
Optiona Displayed in the format of square brackets ([]) to identify - -
l optional keywords during configuration in RAIO mode
characte Only cvlanid is optional.
r
The port type keyword identifies the format of a port type.
A format character string cannot contain keywords that are used for different port types.
For example, vpi and gemport, or eth and vci are invalid in a character string.
If a port type is not specified, the CID and RID are empty.
A separator identifies a character string in RAIO mode and will be added to a CID and
RID. Table 3-22 lists the RAIO separators defined in the system.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 124
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Table 3-22 User-defined separator set
Separator Symbol
Space
Period .
Colon :
Slash /
Hyphen -
Percent %
Comma ,
Semicolon ;
Pound sign #
Exclamatory mark !
Other rules
− The length ranges from 1 to 127 characters, all of which are lowercase letters.
− anid must be in front of the port type keyword.
− All separators in front of anid in a CID character string, RAIO separators (if
available) in anid, and the first separator following anid are used to identify and
parse anid in downstream packets.
The following provides an example of an RAIO field format in user-defined mode.
Assume:
Device name: DSLAM01
Slot ID: 1
Port ID: 2
VPI: 0
VCI: 35
Priority: 6
The user-defined CID is anid atm slot/port: vpi.vci%priority.
Therefore, the generated character string is dslam01 atm 1/2: 0.35%6.
Rebuilding
Enable rebuilding if a tagged packet must contain ONU and optical line terminal (OLT)
access information in FTTx scenarios. On the OLT, the ONU and OLT access information
must be integrated and rebuilt in the format defined by the RAIO mode. Ensure that the RAIO
modes configured on the ONU and the OLT are the same, and rebuilding is enabled on the
OLT.
Only the working objects of the PITP P mode and DHCP Option 82 support rebuilding. Run
the pitp and dhcp option82 commands to enable rebuilding, respectively.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 125
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
The rebuilding function must be used in BBF, vnpt, or user-defined mode. The reason is that
in the three modes, packets contain two tags for carrying the OLT and ONU information, as
shown in Figure 3-4.
Figure 3-4 Two tags
A DSLAM network is simpler than an FTTx network. The differences in rebuilding the tag
format in the two scenarios are as follows:
In DSLAM scenarios, rebuilding is disabled generally. If rebuilding is enabled, the
device selects the ATM or Ethernet type to rebuild tagged packets according to the user
access type. The tagged packets contain only the OLT access information.
The BBF mode is used as an example. In DSLAM scenarios, the tag format is anid atm slot/port: vpi.vci.
The tagged packets contain only the OLT access information.
In FTTx scenarios, if rebuilding is enabled, the device rebuilds tagged packets according
to the xPON type. The tagged packets contain the ONU and OLT access information.
In FTTx scenarios, if rebuilding is disabled, the device rebuilds tagged packets according
to the Ethernet type. The tagged packets contain only the OLT access information.
PITP Reference Principles
The Policy Information Transfer Protocol (PITP) can be enabled or disabled at the global, port,
service port, or VLAN level. It takes effect only after being enabled at all four levels. Then, an
access device can send the information about the physical locations of access users to the
broadband remote access server (BRAS).
Working Principle of the PITP P Mode
In PITP P mode, the information about the physical location of an access user is added to the
PPPoE packets at the PPPoE discovery stage for upper-layer servers to authenticate the access
user. Other PPPoE dialup processes in PITP P mode are the same as those in PPPoE mode
when PITP P is disabled.
Figure 3-5 shows the PPPoE dialup process in PITP P mode.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 126
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Figure 3-5 PPPoE dialup process in the PITP P mode
PADI: PPPoE Active Discovery Initiation
PADO: PPPoE Active Discovery Offer
PADR: PPPoE Active Discovery Request
PADS: PPPoE Active Discovery Session-confirmation
PADT: PPPoE Active Discovery Terminate
Principles of the PITP V Mode
In the PITP V mode, during the PPPoE negotiation between an access user and the BRAS, the
BRAS sends the VBAS request packet to the access device, requiring the access device to
report the information about the physical port of the access user. The access device sends the
port information to the BRAS through the VBAS response packet.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 127
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Figure 3-6 shows the PPPoE dialup process in PITP V mode.
Figure 3-6 PPPoE dialup process in PITP V mode
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 128
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Table 3-23 PITP packet processing policy
PITP Allowing Packet Access Device Processing Policy
Switch in Upstream Carrying
Global or Packet on Vendor Tag
VLAN Service Port to
Service Carry Vendor
Profile Tag
Mode
enable enable Yes Replaces the vendor tag carried in
upstream PITP packets with the local
vendor tag.
No Adds the local vendor tag to
upstream PITP packets.
disable Yes Discards upstream PITP packets.
No Adds the local vendor tag to
upstream PITP packets.
disable Any value Any value Directly forwards the user-side PITP
packets without processing them.
forward enable Yes Directly forwards the upstream PITP
NOTE packets without processing them.
Supported No Adds the local vendor tag to
only in the
pmode
upstream PITP packets.
mode.
disable Yes Discards upstream PITP packets.
No Adds the local vendor tag to
upstream PITP packets.
rebuild enable Yes Rebuilds the vendor tag by adding
NOTE the local vendor tag to the original
Supported
one.
only in the
pmode
No Adds the local vendor tag.
mode.
disable Yes Discards upstream PITP packets.
No Adds the local vendor tag to
upstream PITP packets.
3.3.2.9 Configuring Anti-theft and Roaming Using DHCPv4
Attack Behavior
Currently, the widely used dynamic host configuration protocol (DHCP) does not have the
authentication and security mechanism. Therefore, compared with the peer-peer protocol
(PPP), the DHCP function has many security problems, such as excessive DHCP broadcast
packets, DHCP IP exhaustion attacks, IP address spoofing, MAC address spoofing, and user
ID spoofing.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 129
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Security Policy
DHCP Option 82 is a user security mechanism, which encapsulates the user access
information obtained by access devices through relay agent info option (RAIO) into the
Option 82 field of the DHCP request packets sent from a user. The data is encapsulated in the
format specified by customers. This facilitates the upper-layer authentication server to
authenticate users and prevents user account embezzlement and roaming.
Table 3-24 Default settings related to DHCP option 82
Parameter Default Value
Dynamic Host Configuration Protocol Global status: disabled
(DHCP) Option 82 function Port-level status: enabled
VLAN-level status: enabled
Service port-level status: enabled
DHCP sub-option 7 function Disabled
DHCP sub-option 90 function Disabled
Whether a service port allows No
user-side DHCP packets to carry the
Option 82 information
By default, the global DHCP option 82 function, DHCP sub-option7, and DHCP sub-option90
are disabled, which poses security risks. You are advised to enable these functions in a timely
manner.
Procedure
Before using the DHCP option 82 function, you must complete the RAIO configuration.
RAIO can be configured in global or profile mode.
Global RAIO mode:
a. Run the raio-mode command to configure the RAIO mode for the DHCPv4 mode.
b. (Optional) If the RAIO mode is user-defined, run the raio-format dhcp-option82
command to configure the RAIO format for the DHCPv4 mode.
In a user-defined mode, configure the circuit ID (CID) and remote ID (RID).
If no access mode is selected, the configured format is valid to all access
modes. If an access mode is selected, the configured format is valid only to
this access mode.
For details about the RAIO input format, run the raio-format command.
In other modes except the user-defined mode, the RAIO format is fixed and does not need to be
manually configured.
RAIO profile mode:
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 130
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
a. Run the raio-profile command to create a RAIO profile and enter the RAIO profile
mode.
b. Run the raio-mode command to configure the RAIO mode for the DHCPv4 mode.
c. (Optional) If the RAIO mode is user-defined, run the raio-format dhcp-option82
command to configure the RAIO format for the DHCPv4 mode.
In a user-defined mode, configure the circuit ID (CID) and remote ID (RID).
If no access mode is selected, the configured format is valid to all access
modes. If an access mode is selected, the configured format is valid only to
this access mode.
For details about the RAIO input format, run the raio-format command.
In other modes except the user-defined mode, the RAIO format is fixed and does not need to be
manually configured.
d. Run the quit command to quit the RAIO profile mode.
e. Run the vlan bind raio-profile command to bind the RAIO profile to the VLAN.
(Optional) Run the dhcp-option82 permit-forwarding service-port command to
configure whether a service port allows user-side DHCP packets to carry the Option 82
information.
The system adds the device name, subrack ID, slot ID, and port ID to the Option 82 field
of DHCP packets to generate tagged packets. If this function is enabled, tagged packets
are forwarded; otherwise, tagged packets are discarded.
Configure the DHCP option 82 function.
The DHCP Option 82 function can be enabled or disabled at four levels: global, port,
VLAN, and service port. It takes effect only after being enabled at all four levels.
a. Global switch: Run the dhcp option82 command to configure the global switch. By
default, the switch is disabled.
b. Port-level switch: Run the dhcp option82 board or dhcp option82 port command
to configure the port-level switch. By default, the switch is enabled.
c. VLAN-level switch:
i. Run the vlan service-profile command to create a VLAN service profile and
enter the VLAN service profile mode.
ii. Run the dhcp option82 command to configure the switch. The switch is
enabled by default.
iii. Run the commit command to make the profile configuration take effect. The
configuration of the VLAN service profile takes effect only after this
command is executed.
iv. Run the quit command to quit the VLAN service profile mode.
v. Run the vlan bind service-profile command to bind the VLAN to the VLAN
service profile.
d. Switch at the service port level: Run the dhcp option82 service-port command to
configure the switch at the service port level. The switch is enabled by default.
(Optional) Configure the sub-option switch.
a. Run the dhcp sub-option7 command to enable or disable sub-option7. By default,
the switch is disabled.
b. Run the dhcp sub-option90 command to configure the Sub-option90 switch. By
default, the switch is disabled.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 131
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
c. After Sub-option90 is enabled, you can run the raio sub-option command to
configure the DHCP option82 and sub-options 81–91. When DHCP needs to
support the reporting of the line parameters related to sub options 0x81-0x91 as
defined in TR101, run this command to enable the DHCP Option 82 and the
sub-options.
----End
Example
The data planning is as follows:
RAIO is configured globally and the RAIO mode is user-defined.
CID format for the Ethernet access mode: subrack ID/slot ID/sub-slot ID/port ID:VLAN
ID
CID format for the xPON access mode: subrack ID/slot ID/sub-slot ID/port
ID:ontid.vlanid
RID: labels of service ports
huawei(config)#raio-mode user-defined dhcp-option82
huawei(config)#raio-format dhcp-option82 cid eth anid eth
frame/slot/subslot/port:vlanid
huawei(config)#raio-format dhcp-option82 cid xpon anid xpon
frame/slot/subslot/port:ontid.vlanid
huawei(config)#raio-format dhcp-option82 rid eth splabel
huawei(config)#raio-format dhcp-option82 rid xpon splabel
huawei(config)#dhcp option82 enable
RAIO Reference Principles
RAIO encapsulates the obtained user access information into different protocol packets
according to packet formats, and provides the physical location information of users for the
BRAS or DHCP server to implement service operation and control as well as access security
management of user accounts.
Tag type
Tag type is specified in type-length-value (TLV). RAIO supports the following tag types:
Circuit ID (CID): used to identify a subscriber line. A CID contains the subrack ID, slot
ID, port ID, and VPI/VCI (VPI is the abbreviated form of virtual path identifier, and VCI
is the abbreviated form of virtual channel identifier). Operators use a CID to identify a
user and control the user access. A CID is in the TLV format and the value of Type is
fixed to 1.
Remote ID (RID): used to identify a remote user. An RID contains the remote flow
description, phone number, and user name. An RID is in the TLV format and the value of
Type is fixed to 2.
Option 18: an option defined by Dynamic Host Configuration Protocol version 6
(DHCPv6) and filled with a CID.
Option 37: an option defined by DHCPv6 and filled with an enterprise ID and an RID.
Information (INFO): dedicated for working objects in PITP V mode and filled with a
CID.
Suboption: a suboption except the CID and RID. For details about the definitions of
suboptions 0x81 to 0x91, see the following table.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 132
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Only the PITP V mode and DHCP Option 82 support suboptions.
Table 3-25 Description of suboptions
Sub Option Description
Suboption 81 Actual upstream rate in the activated state.
Suboption 82 Actual downstream rate in the activated state.
Suboption 83 Minimum upstream data rate.
Suboption 84 Minimum downstream data rate.
Suboption 85 Minimum upstream reserved rate.
Suboption 86 Minimum downstream reserved rate.
Suboption 87 Maximum upstream data rate.
Suboption 88 Maximum downstream data rate.
Suboption 89 Minimum upstream rate in low power state.
Suboption 8A Minimum downstream rate in low power state.
Suboption 8B Maximum upstream interleave delay.
Suboption 8C Actual upstream interleave delay.
Suboption 8D Maximum downstream interleave delay.
Suboption 8E Actual downstream interleave delay.
Suboption 8F Line status.
Suboption 90 Subscriber line type and data encapsulation type.
Suboption 91 Line transmission type.
RAIO mode
The format of tags carried in packets varies according to operators' requirements. RAIO
supports multiple working modes. Each working mode defines various tag formats. A RAIO
mode can be pre-defined or user-defined. A pre-defined mode focuses on customers'
requirements, and a user-defined mode features flexibility.
Table 3-26 RAIO modes
Mode Description
Pre-defined Standard Is proposed by standards organizations along with
mode pre-defined technology development. dslforum-default and broadband
NOTE
mode forum (BBF) standard modes are supported.
In this Customer Is customized based on carriers' requirements. In this
mode, a tag
pre-defined mode, tag formats are defined by operators. Generally, the
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 133
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Mode Description
format is mode operators defining the format are the mode users. For
pre-defined example, cntel-xpon, cntel, ft, and ti are customer
.A
pre-defined modes.
pre-defined
mode can
Device Is a universal mode defined by devices.
be a
standard pre-defined
pre-defined mode
mode,
customer
pre-defined
mode, or
device
pre-defined
mode.
User-defined mode Features flexible configurations. The configurable elements
include the access type, keywords, separators, length, and
optional characters.
You can run the raio-mode command to set tag formats in the preceding RAIO modes.
RAIO tag format
A CID format identifies the global attributes of a device. The CID format varies according to
the RAIO mode and access mode. The following table lists the CID formats of different
access modes.
The following table lists only the tag formats in standard pre-defined, common, and user-defined modes.
The customer pre-defined mode is based on customers' requirements. In this mode, the tag formats are
customized and therefore are not described in the following table.
Table 3-27 Tag formats in various access modes
RAIO Mode Access Mode
ATM VDSL/LA xPON EoC
N
CID
format:
anid xpon
CID format: frame/slot/ CID format:
CID format: anid eth subslot/por anid eoc
anid atm frame/slot/su t: frame/slot/su
frame/slot/subsl bslot/port: ontid.gemp bslot/port:
ot/port: vpi.vci vlanid ort.vlanid cnuid
Common mode RID: null RID: null RID: null RID: null
xDSL port rate mode CID format: CID format: CID CID format:
NOTE
anid atm anid eth format: anid eth
In this mode, a CID is
frame/slot/subsl frame/slot/su anid xpon frame/slot/su
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 134
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
RAIO Mode Access Mode
ATM VDSL/LA xPON EoC
N
formed by adding the ot/port: bslot/port: frame/slot/ bslot/port:
upstream and downstream vpi.vci%up: vlanid%up: subslot/por vlanid%up:
rates of an ADSL port in the
uprate down: uprate t: uprate down:
activated state to the end of
the default CID format. Only dnrate down: ontid.gemp dnrate
ADSL2+ boards support the NOTE dnrate ort.vlanid RID format:
xDSL port rate mode. %: followed RID format: %up: user-defined
by the rates user-defined uprate
in the down:
activated dnrate
state.
RID
up: indicates format:
the upstream
rate in the
user-define
activated d
state.
down:
indicates the
downstream
rate in the
activated
state.
RID format:
user-defined
port-userlabel mode CID format: CID format: CID CID format:
NOTE
anid atm anid eth format: anid eth
In this mode, a CID carries
slot/port: slot/port: anid xpon slot/port:
the label of a user port vpi.vci vlanid frame/slot/ vlanid
(user-defined port RID format: RID format: subslot/por RID format:
description) with a maximum
plabel plabel t: plabel
length of 32 bytes in addition ontid.gemp
to the information required ort.vlanid
by the default format. An
RID carries the label of a RID
user port. format:
plabel
service-port-userlabel CID format: CID CID CID format:
mode anid atm formats: formats: anid eth
NOTE slot/port: Multi-ser Multi-s slot/port:
In this mode, an RID carries
vpi.vci vice ervice vlanid
user-defined service flow RID format: based on based RID format:
description, which can be splabel VLANs: on splabel
configured by running the
anid eth VLANs
service-port desc command.
slot/port: : anid
flowpara xpon
Others: frame/s
anid eth lot/0/po
slot/port: rt:
vlanid gempor
t.ontid.f
RID format: lowpara
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 135
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
RAIO Mode Access Mode
ATM VDSL/LA xPON EoC
N
splabel Others:
anid
xpon
frame/s
lot/0/po
rt:
gempor
t.ontid.
vlanid
RID
format:
splabel
dslforum-default mode CID format: CID CID CID format:
NOTE anid atm formats: formats: anid eth
The dslforum-default mode
slot/port: Multi-ser Multi-s slot/port:
is the default mode of the vpi.vci vice ervice vlanid
DSL forum. RID: null based on based RID: null
VLANs: on
anid eth VLANs
slot/port: : anid
flowpara xpon
Others: frame/s
anid eth lot/0/po
slot/port: rt:
vlanid gempor
t.ontid.f
RID: null lowpara
Others:
anid
xpon
frame/s
lot/0/po
rt:
gempor
t.ontid.
vlanid
RID: null
BBF mode In DSLAM In DSLAM - -
NOTE scenarios: scenarios:
This mode is defined by the CID format: CID
Broadband Forum and anid atm format:
complies with the TR156 slot/port: anid eth
standard.
vpi.vci slot/port:
RID: null [vlan-id]
RID: null
In FTTx
scenarios: In FTTx
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 136
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
RAIO Mode Access Mode
ATM VDSL/LA xPON EoC
N
CID format: scenarios:
anid atm CID
slot/port/onu format:
id/slot/port: anid eth
vpi.vci slot/port/
RID format: onuid/slo
ONT label t/port:
[vlan-id]
RID
format:
ONT
label
anid is a character string that identifies an access node. It can contain any characters but
a space or separator is not recommended. In BBF mode, no space is allowed in anid. Fill
in anid according to the following rules:
− If anid has been configured, use the configured value.
− If anid has not been configured but the device name has been configured, use the
device name.
− If neither anid nor the device name has been configured, use the MAC address of
the device.
− In BBF mode, the value of anid cannot contain spaces. If user packets carry a
use-side VLAN, vlan-id is the ID of the VLAN.
The RID format is generally used to identify the user's access information (local
information).
Tag formats in user-defined mode
The CID and RID formats are customized in user-defined mode. The following describes the
syntax rules for the user-defined mode.
Only the keyword and separator sets defined in the system can be parsed. The keyword
set contains the minimum keyword set defined by TR101 and the keyword set extended
by the IAS. For details, see Table 3-28.
Maximum width
The maximum width refers to the maximum number of columns for a keyword. The
maximum widths of keywords specified in the system are greater than the maximum
width defined in TR101. The reason is that the actual maximum width required by some
manufacturers is greater than the maximum width defined in TR101. The maximum
width of anid is determined by the maximum character string length (50 characters)
supported by the system.
Configurable width
The number of columns for a keyword can be configured. The Router automatically adds
0s to the beginning of the number of used columns if the number of columns used by a
keyword is less than the configured width. The syntax is keyword+0+m, where m
indicates the number of columns used by a keyword. For example, slot03 indicates that
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 137
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
the number of columns used by the slot keyword is 3. Therefore, if a slot occupying two
columns, it is displayed as 002 in a packet. m must be less than or equal to the maximum
width. If the actual number of columns is greater than m, the actual number is displayed.
Table 3-28 User-defined keyword set
Keywo Description Wheth Maxi
rd er the mum
Width Width
Is
Confi
gurabl
e
anid Name of an access node No 63
anip IP address of an access node No 15
eth Ethernet access mode No 3
accessty User access type, which takes effect only on xPON lines No 4
pe
atm ATM access mode No 3
xpon xPON access mode No 4
chassis Cabinet ID of an access node Yes 4
rack Rack ID of an access node Yes 4
frame Subrack ID Yes 4
slot Slot ID Yes 4
logicals Logical slot ID. Logical slot IDs in CIDs and RIDs are Yes 4
lot continuous service board slot IDs starting from 1. The slot
ID of the first service board is 1, and the slot ID increases
in ascending order. An idle service board slot also has a
logical slot ID. Non-service board slots, such as the slots
for control boards, upstream boards, and power boards, do
not have logical slot IDs.
subslot Daughter board ID, which is set to 0 Yes 4
port Port ID Yes 4
port+1 Port ID + 1. Port ID in a CID/RID = Actual port ID + 1. Yes 4
If a working object works in Access Node Control Protocol
(ANCP) mode, both the ancp port begin command and the
port+1 keyword can take effect. That is, if the port+1
keyword is selected annd the start port ID is set to 1 by
running the ancp port begin command, the port ID in the
CID and RID is the actual port ID plus 2.
ontporti ONT port ID Yes 4
d
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 138
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Keywo Description Wheth Maxi
rd er the mum
Width Width
Is
Confi
gurabl
e
cvlanid User-side VLAN ID. If the services carried on the service Yes 4
port of a user are differentiated by the user-side VLAN ID,
the VLAN ID is the user-side VLAN ID. Otherwise, the
VLAN ID is invalid.
vlanid If the services carried on the service port are differentiated Yes 4
by user-side VLAN ID, the VLAN ID set in user-defined
RAIO mode is the user-side VLAN ID. Otherwise, the
VLAN ID is the network-side VLAN ID.
priority Priority of the traffic profile for service ports when Layer-2 Yes 4
PPPoE and DHCP Option 82 are enabled
plabel Description of a user port No 32
splabel Description of a user service port. You can run the No 64
service-port desc command to set this parameter.
sprlabel Remote description of a service port. You can run the No 64
service-port remote-desc command to set this parameter.
bslot BRAS slot ID Yes 4
bsubslot BRAS subslot ID Yes 4
bport BRAS port ID Yes 4
bportty BRAS access mode Yes 4
pe
8021p VLAN priority Yes 4
xpi When the network-side VLAN is a stacking VLAN, Yes 4
XPI is the network-side VLAN ID.
When the network-side VLAN is not a stacking VLAN,
XPI is always 4096.
xci When the network-side VLAN is a stacking VLAN, Yes 5
XCI is the label of the user service port.
When the network-side VLAN is not a stacking VLAN,
XCI is the network-side VLAN ID.
axpi VPI Yes 4
(for
ATM
access
mode)
axpi Network-side VLAN ID Yes 4
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 139
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Keywo Description Wheth Maxi
rd er the mum
Width Width
Is
Confi
gurabl
e
(for
Etherne
t and
xPON
access
modes)
axci VCI Yes 5
(for
ATM
access
mode)
axci When the network-side VLAN is a stacking VLAN: Yes 5
(for If the services carried on the user service port are
Etherne differentiated by user-side VLAN ID, AXCI is the
t and user-side VLAN ID.
xPON If the services carried on the user service port are not
access differentiated by user-side VLAN ID, AXCI is the label
modes) of the user service port.
When the network-side VLAN is not a stacking VLAN:
If the services carried on the user service port are
differentiated by user-side VLAN ID, AXCI is the
user-side VLAN ID.
If the services carried on the user service port are not
differentiated by user-side VLAN ID, AXCI is always
4096.
gem-ind GEM index of an xPON line Yes 4
ex
gemport GEM port ID of an xPON line Yes 4
uprate Upstream rate of an ATM or Ethernet port (The Ethernet Yes 10
port is only a PTM port.)
dnrate Downstream rate of an ATM or Ethernet port (The Ethernet Yes 10
port is only a PTM port.)
ontid ONU ID of an xPON line Yes 4
ontid+1 ONT ID + 1. The ONT ID in a CID and RID is the actual Yes 4
ONT ID plus 1.
ontlabel ONT label, which takes effect only on xPON lines No 63
ontportt ONT port type, which can be: No 63
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 140
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Keywo Description Wheth Maxi
rd er the mum
Width Width
Is
Confi
gurabl
e
ype 1: indicates Ethernet ports, including those of the
WLAN type.
2: indicates POTS ports.
ontporti ONT port ID No 63
d NOTE
The value of this keyword is 0 for Ethernet ports of the WLAN
type and for POTS ports on a single VAG.
onuid Indicates the ONU ID of an xPON line. It is the ONU Yes 24
authentication information and contains 24 bits. This
parameter is padded with 0s at the beginning if it is shorter
than 24 bits. According to the ONU authentication mode,
an ONU ID can be the MAC address, SN, authentication
password, or LOID of an ONU.
onutag Data after ANID accesstype in the tag carried by a message No 255
transmitted or received by an ONU, which takes effect only
on xPON lines
For example, in ANID accesstype slot/port:vlanid, the
value of onutag is slot/port:vlanid.
SN ONT SN No 16
0002 Fixed to 0002 Yes 4
up Fixed to up Yes 2
down Fixed to down Yes 4
vpi VPI of an ATM line Yes 4
vci VCI of an ATM line Yes 4
ge Fixed to GE Yes 2
Plaintex Identified using a pair of quotation marks ("") during Yes -
t flexible configuration in RAIO mode
The plaintext consists of letters, numbers, spaces, and the
following special characters: +*-/|.:<>[],#@$%!.
Optiona Displayed in the format of square brackets ([]) to identify - -
l optional keywords during configuration in RAIO mode
characte Only cvlanid is optional.
r
The port type keyword identifies the format of a port type.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 141
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
A format character string cannot contain keywords that are used for different port types.
For example, vpi and gemport, or eth and vci are invalid in a character string.
If a port type is not specified, the CID and RID are empty.
A separator identifies a character string in RAIO mode and will be added to a CID and
RID. Table 3-29 lists the RAIO separators defined in the system.
Table 3-29 User-defined separator set
Separator Symbol
Space
Period .
Colon :
Slash /
Hyphen -
Percent %
Comma ,
Semicolon ;
Pound sign #
Exclamation mark !
Other rules
− The length ranges from 1 to 127 characters, all of which are lowercase letters.
− anid must be in front of the port type keyword.
− All separators in front of anid in a CID character string, RAIO separators (if
available) in anid, and the first separator following anid are used to identify and
parse anid in downstream packets.
The following provides an example of an RAIO field format in user-defined mode.
Assume:
Device name: DSLAM01
Slot ID: 1
Port ID: 2
VPI: 0
VCI: 35
Priority: 6
The user-defined CID is anid atm slot/port: vpi.vci%priority.
Therefore, the generated character string is dslam01 atm 1/2: 0.35%6.
Rebuilding
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 142
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Enable rebuilding if a tagged packet must contain ONU and optical line terminal (OLT)
access information in FTTx scenarios. On the OLT, the ONU and OLT access information
must be integrated and rebuilt in the format defined by the RAIO mode. Ensure that the RAIO
modes configured on the ONU and the OLT are the same, and rebuilding is enabled on the
OLT.
Only the working objects of the PITP P mode and DHCP Option 82 support rebuilding. Run
the pitp and dhcp option82 commands to enable rebuilding, respectively.
The rebuilding function must be used in BBF, vnpt, or user-defined mode. The reason is that
in the three modes, packets contain two tags for carrying the OLT and ONU information, as
shown in Figure 3-7.
Figure 3-7 Two tags
A DSLAM network is simpler than an FTTx network. The differences in rebuilding the tag
format in the two scenarios are as follows:
In DSLAM scenarios, rebuilding is disabled generally. If rebuilding is enabled, the
device selects the ATM or Ethernet type to rebuild tagged packets according to the user
access type. The tagged packets contain only the OLT access information.
The BBF mode is used as an example. In DSLAM scenarios, the tag format is anid atm slot/port: vpi.vci.
The tagged packets contain only the OLT access information.
In FTTx scenarios, if rebuilding is enabled, the device rebuilds tagged packets according
to the xPON type. The tagged packets contain the ONU and OLT access information.
In FTTx scenarios, if rebuilding is disabled, the device rebuilds tagged packets according
to the Ethernet type. The tagged packets contain only the OLT access information.
DHCP Option 82 Reference Principles
The DHCP option 82 function can be enabled or disabled at global, port, service port, and
VLAN levels. The system adds the option 82 information to upstream DHCP packets only
when the DHCP option 82 function is enabled at all four levels.
The following figure shows the DHCP process when the DHCP option 82 function is enabled.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 143
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Figure 3-8 DHCP process with DHCP option82 enabled
If the request packets sent from a DHCP client to the DHCP server pass through the DHCP
relay agent, the DHCP relay agent adds Option 82 data to the request packets. The DHCP
Option 82 function enables the DHCP server to obtain the addresses of the DHCP client and
relay agent. By working with software, the DHCP Option 82 function implements accounting
and limited IP address assignment.
1. The DHCP client broadcasts request packets during initialization.
2. If a DHCP server is available, the DHCP client obtains an IP address from the server. If
there is no DHCP server on the LAN, the DHCP relay agent connected to the LAN
processes the request packets. The DHCP relay agent checks the packets for the option
82, and then processes the packets. Table 3-30 describes the policies.
3. After receiving DHCP request packets sent from the DHCP relay agent, the DHCP
server records the information contained in the Option 82 field and sends the packets
carrying DHCP configuration and Option 82 data to the DHCP relay agent.
4. After receiving the packets from the DHCP server, the DHCP relay agent processes the
Option 82 data in the packets according to the policy in Table 3-30 and sends the
processed packets to the DHCPv4 client.
User-side/Network-side DHCP packet processing policy used by the access device
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 144
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Figure 3-9 Network-side DHCP packet processing policy used by the access device
Table 3-30 User-side DHCP packet processing policy used by the access device
DHCP Allowing Packet Access Device Processing Policy
Option82 User-side Carrying
Switch in DHCP Packet Option 82
Global or to Carry
VLAN Option82 on
Service Port and
Profile Service Port
Mode
enable enable Yes Removes the option 82 information
from user-side DHCP packets and
adds the local user information.
No Adds local user information to
user-side DHCP packets.
disable Yes Discards user-side DHCP packets.
No Adds local user information to
user-side DHCP packets.
forward enable Yes Directly forwards user-side DHCP
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 145
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
DHCP Allowing Packet Access Device Processing Policy
Option82 User-side Carrying
Switch in DHCP Packet Option 82
Global or to Carry
VLAN Option82 on
Service Port and
Profile Service Port
Mode
packets without processing them.
No Adds local user information to
user-side DHCP packets.
disable Yes Discards user-side DHCP packets.
No Adds local user information to
user-side DHCP packets.
rebuild enable Yes Rebuilds the tags of user-side DHCP
packets.
No Rebuilds the tags of user-side DHCP
packets.
disable Yes Discards user-side DHCP packets.
No Rebuilds the tags of user-side DHCP
packets.
disable Any value Any value Directly forwards user-side DHCP
packets without processing them.
3.3.2.10 Configuring Anti-ARP/NS Broadcast Storm
Attack Behavior
Address Resolution Protocol (ARP) broadcast packets and neighbor solicitation (NS)
multicast packets sent to irrelevant users allow a malicious user to obtain the IP address of a
valid user, causing attacks to the valid user.
Security Policy
After receiving an ARP request (broadcast packet) or NS multicast packet on the network side,
the system searches for user online information based on the destination IP address and
VLAN. If a user goes online, the system performs ARP/NS proxy reply (not forwarding the
NS packet to the user side). If no user goes online, the system processes the packet according
to the configured policy.
ARP/NS proxy reply avoids sending ARP broadcast packets or NS multicast packets to
irrelevant users, improving system security.
Procedure
Configuring ARP proxy reply
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 146
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Run the security arp-reply command to enable ARP proxy reply. If a packet is a broadcast
packet, the system searches for the user online information based on the destination IPv4
address and VLAN ID.
Run the security arp-reply unknown-policy command to configure the policy for processing
ARP request packets.
If you set the policy to discard, the system broadcasts ARP request packets to
cascading-side and network-side ports (excluding the source port) in the VLAN. The
user side does not receive ARP request packets from the network side.
If you set the policy to forward, ARP request packets are broadcast to the user-side,
cascading-side, and network-side ports (excluding the source port) in the VLAN.
By default, the forward policy is used to process ARP request broadcast packets when no user goes
online.
Unicast ARP request packets are not affected by the ARP proxy reply function.
If ARP packets are gratuitous ARP packets (such packets are used for address announcement, not for
address resolution), they are broadcast.
Configuring NS proxy reply
Run the security ns-reply command to enable NS proxy reply. After receiving an NS packet
from the network side, the system searches for the user online information based on the
destination IPv6 address and VLAN ID.
Run the security ns-reply unknown-policy command to configure the policy for processing
NS packets.
If you set the policy to discard, the system broadcasts NS packets to cascading-side and
network-side ports (excluding the source port) in the VLAN. The user side does not
receive NS packets from the network side.
If you set the policy to forward, NS packets are broadcast to the user-side,
cascading-side, and network-side ports (excluding the source port) in the VLAN.
By default, the forward policy is used to process NS packets when no user goes online.
ARP broadcast-to-unicast conversion
a. Run the security arp-unicast ip command to create a network-side ARP
broadcast-to-unicast entry.
b. Run the security arp-unicast unknown-policy command to set the forwarding
policy.
NS multicast-to-unicast conversion
a. Run the security ns-unicast unknown-policy command to set the forwarding
policy.
3.3.2.11 Configuring Anti-DoS Attack
Attack Behavior
A denial of service (DoS) attack is initiated by malicious users using a large number of
protocol packets. When hit by a DoS attack, the system cannot process service requests from
normal users.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 147
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
Security Policy
The anti-DoS feature limits the rate of protocol packets and manages the blacklist of
malicious users who launch DoS attacks to achieve the following purposes:
Ensure that the access devices of operators run properly, and protect operator networks
against attacks.
Improve the security of end-user services and enable end users to enjoy stable and secure
services.
The anti-DoS attack feature safeguards CPU resources using the following mechanisms:
Blacklist: The port/ONT/GEM port to which DoS attack users belong is added to a
blacklist, and the administrator can force blacklisted users to go offline.
Packet processing policies for anti-DoS attack: If protocol packets are sent to the CPU at
a rate higher than the rate threshold, the rate can be limited or protocol packets can be
discarded according to the configured packet discarding policy.
1. The system limits the rate of protocol packets but does blacklist the packet sending port if the
firewall blacklist function is disabled and the packet processing policy for ant-DoS attack is deny
(protocol packets are discarded).
2. Packet processing policies for anti-DoS attack take effect only after the anti-DoS blacklist function
is enabled.
3. If a blacklist is generated, the blacklist is deleted after the anti-DoS policy is switched, for example,
from deny to permit. Then, the system performs an anti-DoS attack detection again.
Procedure
1. Configure the anti-DoS attack blacklist function. Run the security anti-dos enable
command to configure an anti-DoS attack blacklist.
2. Configure a policy for processing protocol packets when a DoS attack occurs. Run the
security anti-dos control-packet policy command to configure the policy for
processing protocol packets when a DoS attack occurs.
An anti-DoS attack policy takes effect only after the security anti-dos enable command is executed
globally.
3. Set the rate threshold for sending protocol packets to the CPU. Run the security anti-dos
control-packet rate command to set the rate threshold for sending protocol packets to
the CPU.
Example
To enable the global DoS anti-attack function, configure the system to add the related ports to
the DoS blacklist when DoS attacks occur, and set the threshold for the rate of sending all
protocol packets to the CPU to 20 pps on port 0/2/1, do as follows:
huawei(config)#security anti-dos enable
huawei(config)#security anti-dos control-packet policy permit
huawei(config)#security anti-dos control-packet rate 0/2/1 20
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 148
SmartAX MA5800
Security Hardening and Maintenance Guide 3 Security Hardening
3.3.2.12 Configuring ARP Anti-Spoofing
Attack Behavior
An attacker sends a forged ARP packet to the OLT, causing an ARP entry error on the OLT. As
a result, the packet is forwarded to the IP address specified by the attacker.
Security Policy
Configure static ARP to bind IP addresses to MAC addresses. This prevents attackers from
modifying ARP entries using ARP packets and ensures network communication security.
Procedure
Configure the static ARP function. Run the arp command to configure a static ARP mapping
list.
Example
To set the MAC address corresponding to IP address 10.10.20.1 in a LAN to 00e0-fc01-0022
and set the subrack ID/slot ID/port number to 0/1/0 (assume this port belongs to VLAN 100):
do as follows:
huawei(config)#arp 10.10.20.1 00e0-fc01-0022 100 0/1/0
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 149
SmartAX MA5800
Security Hardening and Maintenance Guide 4 Security Maintenance
4 Security Maintenance
This section provides guidance for routine security maintenance, including security patches
and security configurations.
4.1 Overview of Security Maintenance
Purpose of Security Maintenance
Operators need to set up a security maintenance mechanism to ensure proper running of
application systems in a secure environment.
Application systems face ever more serious security threats. If a problem occurs, services may
be interrupted, revenues decrease, or even the system crashes. Therefore, operators need to
build up and maintain security barriers for the application systems from multiple layers to find
potential security problems and resolve them if they occur.
Due to various security risks, it is difficult to ensure the security of the application system by
simply relying on technologies. Therefore, operators need to formulate the security
management system according to security maintenance suggestions and problems found to
guarantee secure system running.
Layered Security Maintenance
Data flows of different importance are faced with different security threats, which have
different impacts on operators. To avoid mutual impacts between data flows, 3 security planes
are planned.
The 3 security planes are as follows:
End-user plane: Focuses on the security of applications and service data for end users,
including the data flows such as voice, media, and file download.
Control plane: Focuses on the security of application control and signaling for end users,
including the user authentication information and service signaling.
Management plane: Focuses on the security of applications and service data for
management users. That is, the security of management information, including the
information about operation, maintenance, and management.
According to different elements in a telecom network, each plane is divided into the
infrastructure layer, service layer, and application layer.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 150
SmartAX MA5800
Security Hardening and Maintenance Guide 4 Security Maintenance
Infrastructure layer: Focuses on the security of a single device, including the physical
security, system security, and application security.
Services layer: Focuses on connections from user terminals to the operator network,
connections between devices, basic network protocols that the network provides for
users, and basic connection services of the network.
Applications layer: Focuses on applications for end users such as website, VoIP, and
IPTV, and applications for management users such as service distribution and data
configuration. Applications such as the database application that is not user-oriented are
not considered in the applications layer.
Access devices use layered in-depth defense in the end-user plane, control plane, and
management plane to defend security threatens in infrastructure, services, and applications
layers.
4.2 Security Maintenance Configuration
4.2.1 Infrastructure Layer Security
4.2.1.1 CLI Account and Password Maintenance Suggestions
Maintenance Suggestions
An NE account refers to the user name and password used to manage an NE. You need to
update NE account information periodically to deny unauthorized access and enhance device
security.
A password used for a long period of time is more likely to be stolen or cracked. The
longer the usage period, the more likely the password to be stolen or cracked. Therefore,
you need to change a password periodically. It is recommended that you change a
password at least once every 3 months.
All device passwords and keys must be updated based on site requirements. The following
uses the SSH key as an example. You can run the ssh server rekey-interval command to
configure the key update interval.
Delete obsolete or unused accounts promptly to prevent unauthorized access to the
system.
Procedure
Step 1 Run the terminal user password command to change the password of a user.
Step 2 Run the undo terminal user name command to delete a user that is no longer used.
----End
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 151
SmartAX MA5800
Security Hardening and Maintenance Guide 4 Security Maintenance
4.2.1.2 BIOS Login Maintenance Suggestions
Context
The product supports BIOS login authentication. To improve device security, you need to
periodically change the password during maintenance. If you forget the password, you need to
return the device to Huawei for re-initialization. Therefore, keep the password secure after
setting it.
You need to set the BIOS login password on both the active and standby control boards.
Procedure
Step 1 Use a serial cable to connect the CON port on the device to a serial port on a PC. Then, log in
to the device through the serial port.
The MPLB board is used as an example in the following steps. In actual applications, the command
output is subject to the actual environment.
Step 2 Change the BIOS password.
To change the BIOS password for the first time, restart the system. During the system
startup, press D within 3 seconds when Press <D> key to stop auto-boot is displayed to
enter the BIOS menu.
The command output in the following steps uses V100R020C00 as an example. In actual applications,
the command output is subject to the actual environment.
The last update date of extended BIOS is : May 20 2020 19:06:45
System is booting from extended BIOS...
Extended BIOS version is 001
Press <D> key to stop auto-boot 3 //Press D.
Please input password: //If you have never changed the password, the
following information is displayed after you enter the default password, asking you
to change the BIOS password. If you have changed the password, you can directly access
the menus after entering the new password.
You are required to set your password, set password for BIOS menu now.
Please input the new password: //Set a new password.
Please input the new password again:
Set identify password success! //After the password is set successfully,
you can log in to the menu page. The new password takes effect immediately. You need
to enter the new password during the next login. If you enter an incorrect password,
you cannot log in to the menu page.
Main Menu:
==============================================
0 Boot program
1 Load files
9 Reboot system
debugmode Enter debugmode
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 152
SmartAX MA5800
Security Hardening and Maintenance Guide 4 Security Maintenance
Please enter a choice :
Change the BIOS password again.
a. On the BIOS login page, enter debugmode and press Enter to access the main
menu.
Main Menu:
==============================================
1 Load files
9 Reboot system
debugmode Enter debugmode
Please enter a choice: debugmode //Enter debugmode and press Enter.
b. Select 4 to access the authentication switch menu.
=============In Debug Mode====================
Main Menu:
==============================================
1 Load files
4 Debug command
9 Reboot system
t Emtest
debugmode Leave debugmode
Please enter a choice: 4 //Select 4 and press Enter.
c. Enter passwordset, press Enter, and set a password as prompted.
=============In Debug Mode====================
SubMenu: Debug command
==============================================
0 Back to main menu
s Set lastword flag
printctrl Print ctrol : printctrl [mid] [printswitch] [printtype]
printhelp Show print mid printswitch printtype : printhelp
showerr Show error record : showerr
clearerr Clear error record : clearerr
showprintbuff Show print buffer : showprintbuff
clearprintbuff Clear print buffer : clearprintbuff
nandfsformat Format nand fs : nandfsformat
eraseall Erase all data : eraseall
passwordset Set password : passwordset
versioninfoshow Show version info : versioninfoshow
boardinfoshow Show board info : boardinfoshow
lastresetinfoshow Show last reset info : lastresetinfoshow
fpgaread Read fpga : fpgaread [offset]
deletepatch Delete patch
ShowDbUpdateRecords Show Db update records : ShowDbUpdateRecords
ClearUserData Clear user data : ClearUserData
LogicKeyInfo Logic key info : LogicKeyInfo [id]
DeleteSysmodeFile Delete Sysmode File
SetSerialFlag Set Serial Flag [0 off 1 open]
Please enter a choice: passwordset //Enter passwordset to set the password.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 153
SmartAX MA5800
Security Hardening and Maintenance Guide 4 Security Maintenance
Please input the old password:
Please input the new password:
Please input the new password again:
Set identify password ok!
d. Enter 0 to return the previous menu. Enter 9 to reset the system for the password to
take effect.
=============In Debug Mode====================
SubMenu: Debug command
==============================================
0 Back to main menu
s Set lastword flag
printctrl Print ctrol : printctrl [mid] [printswitch] [printtype]
printhelp Show print mid printswitch printtype : printhelp
showerr Show error record : showerr
clearerr Clear error record : clearerr
showprintbuff Show print buffer : showprintbuff
clearprintbuff Clear print buffer : clearprintbuff
nandfsformat Format nand fs : nandfsformat
eraseall Erase all data : eraseall
passwordset Set password : passwordset
versioninfoshow Show version info : versioninfoshow
boardinfoshow Show board info : boardinfoshow
lastresetinfoshow Show last reset info : lastresetinfoshow
fpgaread Read fpga : fpgaread [offset]
deletepatch Delete patch
ShowDbUpdateRecords Show Db update records : ShowDbUpdateRecords
ClearUserData Clear user data : ClearUserData
LogicKeyInfo Logic key info : LogicKeyInfo [id]
DeleteSysmodeFile Delete Sysmode File
SetSerialFlag Set Serial Flag [0 off 1 open]
Please enter a choice: 0 //Enter 0 to return to the previous menu.
=============In Debug Mode====================
Main Menu:
==============================================
1 Load files
4 Debug command
9 Reboot system
t Emtest
s slave uart
upload Upload files to pc
debugmode Leave debugmode
Please enter a choice: 9 //Enter 9 to restart the system.
----End
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 154
SmartAX MA5800
Security Hardening and Maintenance Guide 4 Security Maintenance
4.2.1.3 Log Maintenance Suggestions
Maintenance Suggestions
Logs recorded help users obtain the overall system maintenance information for timely
troubleshooting. Logs can be classified into security logs and operation logs.
A security log is a log recorded by the system after a security event occurs. Security
events include user login and logout events, user lockout events, automatic backup
success events, automatic backup failure events, and so on.
An operation log records user login and logout information and other operations
performed on the system.
Generally, logs are queried through the CLI, syslog, or backup log file during troubleshooting.
Operation logs and security logs are reported to the NMS.
After saving the log information, keep it properly to avoid security risks.
It is recommended that you query and back up logs every week.
After system restart, logs recorded will not be lost.
When you log in to the system each time, query the system prompt messages to check
whether the last login is performed by yourself at a known time. If the last login is not
performed by yourself, a malicious user may have cracked your password. In this case,
check the operation logs to see what the user has done, and change your password
immediately.
The system can report logs to a log server using Syslog which supports UDP, TCP, and
SSL transmission modes, among which SSL is more secure and recommended.
Procedure
Step 1 Run the display log command to query operation logs, and run the display log security to
query security logs.
Step 2 Back up logs (including operation logs, security logs, alarms, and events) using the syslog
server. Specifically, run the loghost add command to create a log server and then run the
loghost activate command to activate the log server.
You are advised to enable the Syslog function.
Step 3 When you log in to the system each time, query the system prompt messages to check
whether the last login is performed by yourself at a known time.
Step 4 Log in to the system as user root and run the display terminal user login failure command to
obtain the information about malicious attacks.
1. If logs record abnormal information, locate problems and eliminate potential risks.
2. If the system is attacked by malicious users or IP attacks, add such users and IP
addresses to the blacklist.
----End
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 155
SmartAX MA5800
Security Hardening and Maintenance Guide 4 Security Maintenance
4.2.1.4 Digital Certificate Maintenance Suggestions
This feature is supported in V100R020C10 and later versions.
Context
A digital certificate is a file signed by a trusted certificate authority (CA) using a digital
signature. It contains the certificate owner's public key and identity information. A simplest
certificate contains a public key, a name, and a digital signature of the CA. Another important
feature of a digital certificate is that it is valid only within a specific period of time.
A digital certificate is an authoritative electronic document. It can be issued by a third-party
authority, that is, the CA center or enterprise-level CA system.
Digital certificate-based encryption technologies (such as encrypted transmission, digital
signature, and digital envelope) can encrypt and decrypt information transmitted on the
network, add digital signatures to transmitted information, and verify digital signatures,
thereby ensuring the confidentiality and integrity of information transmitted on the network
and the non-repudiation of transactions.
Certificates can be used in the following scenarios:
Syslog over SSL
A device functions as a client to send logs to the Syslog server through an SSL
connection. The SSL protocol supports two-way authentication between the device and
the Syslog server using a certificate.
SSH-based NETCONF transmission
During SSH-based NETCONF transmission, SSH provides the certificate authentication
mode. When a device enters the NETCONF callhome process, the NMS uses a
certificate to authenticate the device.
NAC secure channel
Certificates are required for authentication during the establishment of NAC secure
channels. The certificates include the Huawei root certificate and identity certificate.
When a device goes online for the first time, the master device uses the preset certificate
to authenticate the slave device to ensure encrypted data transmission.
Aggregation management security channel
In the aggregation management scenario, when a slave subrack goes online on the master
subrack, the master subrack authenticates the slave subrack through the TLS protocol
and establishes a secure encryption channel between the master and slave subracks. A
slave subrack is authenticated using its identity certificate. Currently, the identity
certificate is preset and cannot be replaced in the aggregation management scenario.
Maintenance Suggestions
A preset Huawei-issued device certificate has a validity period. After the certificate expires, it
becomes invalid and cannot be updated or applied for. Therefore, you are advised to
preferentially use the device certificate issued by the customer CA. If no device certificate
issued by the customer CA is available, you can use the CA service provided by the Huawei
NMS to issue a new device certificate to replace the preset certificate on the network. The CA
service provided by the Huawei NMS applies only to the scenario where device certificates
preset by Huawei need to be replaced for boards on the live network. It does not apply to
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 156
SmartAX MA5800
Security Hardening and Maintenance Guide 4 Security Maintenance
other scenarios, such as issuing a certificate to a third-party device or issuing a user
certificate.
Preset Certificate Usage Declaration
Huawei certificates preset on Huawei devices during production are mandatory identity
credentials for Huawei devices. The usage declarations of preset certificates are as follows:
Huawei preset certificates are used only to establish initial security channels for devices
to connect to the customer network in the deployment phase. Huawei does not promise
or guarantee the security of preset certificates.
The customer shall handle the security risks and security events caused by using Huawei
preset certificates as service certificates and be responsible for the consequences.
The validity period of Huawei preset certificates is 20 years or longer starting from the
manufacturing date. The validity period may vary depending on products. Customers can
query the validity period on the certificate management page of a device.
After a preset certificate expires, services that use the certificate may be affected. The
affected services vary depending on products and customization.
It is recommended that customers deploy the Huawei PKI system to issue certificates for
devices and software on the live network and manage the lifecycle of the certificates. To
ensure security, certificates with short validity periods are recommended.
Procedure
Huawei devices are delivered with preset certificates which are applied for and managed
using the Huawei PKI platform. The validity period of the device certificate preset by
Huawei on a device is 20 years or longer, which exceeds the typical service life of
products. The validity period may vary slightly with products. Customers can query the
validity period on the certificate management page of a device. Huawei is not responsible
for updating, applying for, or revoking device certificates after network admission.
To improve system security, customers are strongly advised to replace the preset
certificates and keys with those issued by a trusted CA and periodically update the
certificates and keys.
If a customer has deployed a device certificate, the validity period and security of the
certificate are maintained by the customer.
In SSH-based Syslog over SSL and NETCONF transmission, the device certificate can
be updated in either of the following ways:
Method 1: Apply for a certificate online using CMPv2.
a. Run the rsa pki local-key-pair create command to create a local RSA (Ron Rivest,
Adi Shamirh, Leonard Adleman) key pair.
b. Run the pki entity command to create a PKI entity.
c. Run the pki domain command to create a PKI domain and run the pki
import-certificate command to import a certificate file.
d. Run the ssl policy command to create an SSL policy and run the pki-domain
command to bind a PKI domain.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 157
SmartAX MA5800
Security Hardening and Maintenance Guide 4 Security Maintenance
e. Run the pki cmp session command to create a Certificate Management Protocol
(CMP) session and enter CMP session mode.
f. Run the cmp request command to configure a local certificate, CA certificate, and
URL of the CMP server.
g. Run the pki domain command to enter PKI domain mode, and run the certificate
request command to specify the local RSA key pair, PKI entity information, and
CMP session information for certificate application.
h. In PKI domain mode, run the cmp initial-request command to apply for a
certificate online.
Method 2: Apply for a certificate offline and import it to the device.
a. Apply for a certificate outside the device.
b. Run the load pki certificate command to load the obtained certificate to the device.
In the NAC secure channel scenario, perform the following operations to load the
certificate:
Run the display pki domain default command to check whether the master device has built-in digital
certificates (huawei_equipment_root_ca.crt and huawei_access_product_ca.crt). If so, you do not need
to reload the certificates, and the NAC secure channel can run properly. If not, perform the following
steps to load the certificates.
1. Visit https://support.huawei.com/pki/pkidetail and download the root certificate file
Huawei Equipment Root CA.pem and the level-2 CA certificate file Huawei Fixed
Network Product CA.pem.
2. Run the load pki certificate command to import the downloaded certificate file.
3. Run the pki domain command to create a PKI domain for the NAC secure channel.
4. Run the pki domain command to enter the PKI domain mode, and run the pki
import-certificate command to import the certificate file to the PKI domain of the NAC
secure channel.
5. Run the display pki domain command to check whether the certificate is successfully
loaded to the PKI domain of the NAC secure channel.
6. Run the nac bind pki-domain command to bind the NAC secure channel to a PKI
domain.
7. Run the display nac configuration master command to check whether the NAC secure
channel is successfully bound to the PKI domain.
In the aggregation management security channel scenario, you need to load certificates
to master subracks for V100R022C00–V100R022C10 versions. Perform the following
steps to load the certificates:
In the aggregation management scenario, the CA certificates and CRL corresponding to the
Huawei-preset identity certificates can be loaded using SFTP, but the identity certificates used in the
aggregation management scenario cannot be replaced.
You can run the display pki certificate trusted-ca list board frameid slotid command to check
whether the master subrack has built-in huawei_equipment_root_ca.crt and
huawei_access_product_ca.crt certificates. If yes, you do not need to reload the certificates. If no,
perform the following steps to load the certificates to the active and standby control boards in the
master subrack.
1. Visit https://support.huawei.com/pki/pkidetail and download the root certificate file
Huawei Equipment Root CA.pem and the level-2 CA certificate file Huawei Fixed
Network Product CA.pem.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 158
SmartAX MA5800
Security Hardening and Maintenance Guide 4 Security Maintenance
2. Run the ssh sftp set command to set the user name and password of the SFTP server.
3. Run the load pki certificate trusted-ca pem sftp [ ipv6 ] serverIpAddress filename
board frameid slotid command to load the downloaded CA certificates to the active and
standby control boards in the master subrack.
4. Run the display pki certificate trusted-ca list board frameid slotid command to check
whether the certificates are successfully loaded to the certificate domain for aggregation
management.
In the aggregation management security channel scenario, you do not need to load
certificates to master subracks for V100R023C00 and later versions
Huawei root certificates huawei_equipment_root_ca.crt and
huawei_access_product_newroot.crt are preset in a software package and are automatically
imported to the certificate list for aggregation management, so that the master subracks can
authenticate the slave subracks. Run the display pki certificate trusted-ca list board frameid
slotid command to query the certificates.
Exception Handling
Pay attention to the validity period of the certificates. Generally, a certificate takes effect at
the time it is issued, and expires when its preset expiration time is reached. You can run the
display pki certificate command to query the validity period of a certificate.
When a certificate is about to expire or has expired, the system reports an alarm to prompt
users to update the certificate in a timely manner.
4.2.1.5 Remote Attestation
Context
This feature is supported in V100R021C10 and later versions.
Remote attestation (RA) is one of the key technologies in the trusted computing solution and
is used to verify the trust status of devices.
The RA server obtains RA measurement data (including PCR measurement values and
measurement logs) from a device and compares the data with the baseline values to verify and
display the trust status of the device.
Feature Description
During integrity verification in the boot phase, RA must be used with measured boot. During
the measurement startup process, the measurement values (hash values) of software running
on the device in each startup phase are extended to the PCR register of the trusted platform
module (TPM). After an object to be verified is successfully booted, the RA server initiates a
challenge to this object, obtains the PCR measurement values and measurement logs, and
compares the measurement values with the baseline values to verify the trust status of the
software running on the object. The object is trusted only when the integrity of all software is
as expected. Otherwise, the object is untrusted. During integrity verification in the running
phase, RA must be used with IMA measurement and Dynamic Integrity Measurement.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 159
SmartAX MA5800
Security Hardening and Maintenance Guide 4 Security Maintenance
Maintenance Suggestions
During device startup and running, attackers may exploit vulnerabilities to tamper with
programs and implant Trojan horses. RA NCE obtains integrity measurement data during
device boot or running, provides device identity and integrity verification reports, generates
alarms when a device is untrusted, and prompts you to handle file tampering attacks.
RA supports manual and automatic verification modes to verify the trust status of devices.
You are advised to configure an automatic verification policy to periodically check the trust
status of devices.
Procedure
Remote attestation needs to be performed on the Security Management app of NCE. For
details, see iMaster NCE-FAN Product Documentation > NCE-FAN Application Operation
and Maintenance > Basic Applications > Security Management > Remote attestation.
Exception Handling
Periodically check the trust status of devices on the NMS. If a device is untrusted, rectify the
fault based on the handling suggestions.
4.2.1.6 Alarm and Event Maintenance Suggestions
Maintenance Suggestions
The alarm and event management is to record, set, and count alarms and events. This
maintains the equipment and ensures effective running of the equipment.
After an alarm is generated, the system broadcasts the alarm to the preset terminals, including
the network management system (NMS) users and the command line interface (CLI) users.
Alarm and Event Severity
The severity can be critical, major, minor, or warning. Each alarm or event has a default
severity and users can change the severity when necessary. The content of an alarm or event
includes the name, parameters (such as subrack ID, slot ID, and port ID), description, possible
causes, and handling suggestions.
Main Alarm Features
Alarm anti-jitter: To prevent false alarms, the system supports the alarm anti-jitter
mechanism. An alarm is reported only after the alarm status lasts for a configured period
(ranging from 1s to 60s; 10s by default). If the alarm is cleared within the configured period,
the alarm is not reported.
Alarm statistics: This function is used to collect statistics on the frequency of generating an
alarm in a period of time. The statistics can be used to locate system faults.
Alarm correlation: If an alarm has a parent-child relationship, the system automatically
filters out the child alarms after the parent alarm is generated.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 160
SmartAX MA5800
Security Hardening and Maintenance Guide 4 Security Maintenance
Alarm and event filtering: Users can set filtering conditions. The system reports only the
alarms and events that meet the filtering conditions to users. In this way, users can focus on
only important and specific alarms and events. Alarms and events can be filtered by ID,
severity, and type.
After saving the alarm information, keep it properly to avoid security risks.
You need to periodically query historical alarms, time, and active alarms every week. If any
abnormal information is found, locate problems and eliminate potential risks.
Furthermore, you can change severities of alarms and events and set the statistical period and
filter criteria for alarms and events according to actual requirements. If certain active alarms
are unimportant, these alarms can be deleted.
Procedure
Step 1 Run the display alarm history command to query the alarms generated in the system.
Step 2 Run the display alarm active command to query the active alarms in the system.
Step 3 Run the alarm active clear command to delete alarms that do not need attention during
maintenance.
Step 4 Run the alarm alarmlevel and event eventlevel commands to change severities of alarms and
events.
Step 5 Run the alarm jitter-proof command to configure the alarm anti-jitter function and the
anti-jitter period.
Step 6 Run the trap filter command to configure the filter criteria for alarms and events.
Step 7 When the alarm correlation feature is not required, run the alarm correlation command to set
the alarm correlation switch globally. When you need to enable or disable a specified alarm
correlation filtering rule, run the alarm correlation rule command.
----End
Exception Handling
If abnormal information is found in historical alarms, events, or active alarms, locate
problems and eliminate potential risks.
4.2.1.7 Configuration Data Saving Suggestions
Maintenance Suggestions
To avoid configuration loss caused by powering off and ensure security of the configuration
data, you need to save or back up the configuration data periodically and check backup every
week.
Before upgrade and configuration change, you are advised to run the save command to
manually save the configuration data.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 161
SmartAX MA5800
Security Hardening and Maintenance Guide 4 Security Maintenance
After saving the configuration data, keep it properly to avoid security risks.
Forcibly powering off the system or resetting it before the saving is complete damages the
data saved in the flash memory. Therefore, do not forcibly power off the system or reset it
before the saving progress reaches 100%.
Procedure
Save the system configuration data manually by running the save command.
Save the system configuration data automatically.
Method 1:
a. Run the autosave interval on command to enable the function of automatic saving
at intervals.
This function and the autosave time function cannot be enabled simultaneously.
b. Run the autosave interval time command to set the interval for automatic saving.
Method 2:
a. Run the autosave time on command to enable the function of scheduled automatic
saving.
b. Run the autosave time time-value command to set the time for automatic saving.
Save the changed configuration data automatically.
a. Run the autosave interval on command to enable the function of automatic saving
at intervals.
b. Run the autosave interval configuration command to set the interval for
automatically saving the changed configuration data.
----End
Exception Handling
If the system configuration data fails to be saved, troubleshoot the fault according to the
prompt message. Generally, the fault is rectified by saving the configuration data manually
later.
4.2.1.8 Database Backup Suggestions
Maintenance Suggestions
The system supports database backup and recovery. After an upgrade, you need to back up the
database file for recovering the system if a fault occurs to ensure normal running of a device.
After saving the database file, keep it properly to avoid security risks.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 162
SmartAX MA5800
Security Hardening and Maintenance Guide 4 Security Maintenance
Procedure
Step 1 Run the backup data command to manually back up the database file of the system to the file
server.
----End
Exception Handling
If configuration or data loss is caused by a system fault, load the backup database file or
configuration file to restore the system. When the system encounters a fault and the fault
needs to be located, analyze the backup alarms, logs, and debugging information to find the
cause.
4.2.1.9 Version Upgrade Suggestions
Maintenance Suggestions
To introduce new functions or resolve system issues in earlier versions, operators are advised
to upgrade the version.
The system software package contains a digital signature. When a system software package is
loaded, the digital signature can be used to verify the validity of the software package. If the
software package does not contain a digital signature or the digital signature is incorrect, the
software package cannot be loaded.
The software package of a version earlier than V100R018C00 does not contain a digital
signature. To load a software package of a version earlier than V100R018C00, load a specific
downgrade patch first.
Procedure
Step 1 For details about the procedure, see the corresponding upgrade guide.
----End
Exception Handling
If an exception occurs in upgrade, load the backup database file of the earlier version to avoid
configuration data loss. If the new version is unstable or has a problem, refer to the Upgrade
Guide to roll back the system to the earlier version.
4.2.1.10 Patch Management Suggestions
Maintenance Suggestions
Operators are recommended to periodically obtain software patches released by Huawei to
know about the resolved problems and load the corresponding patch to the system.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 163
SmartAX MA5800
Security Hardening and Maintenance Guide 4 Security Maintenance
According to the condition that whether the system restarts after a patch is loaded, patches can
be divided into cold patches and hot patches. Cold patches take effect only after the system
restarts, leading to service interruption. Hot patches take effect without system restart.
Procedure
Operations on a hot patch:
a. Run the load patch command to load the patch.
b. Run the patch activate command to activate the patch. Then, the patch takes effect.
c. Run the patch run command to run the patch.
d. Run the display patch command to check whether the patch is installed
successfully.
Operations on a cold patch:
a. Run the load patch command to load the patch.
b. Run the patch activate command to activate the patch.
c. Run the patch run command to run the patch.
d. Run the save command to save the database file and configuration file in the current
system.
e. Run the reboot command to reset and restart the system. After the system restarts,
the patch takes effect.
f. Run the display patch command to check whether the patch is installed
successfully.
The preceding operations are commonly used methods for loading a patch. For details about patch
loading, see the patch installation guide for each patch.
----End
Exception Handling
If an exception occurs during patch loading, run the patch delete command to delete the
abnormal patch and then load the patch again.
After a hot patch is loaded, you can run the patch rollback command to roll back the
patch if the new patch is abnormal.
4.2.1.11 Active/Standby Switchover Maintenance Suggestions
Maintenance Suggestions
If both the active and standby control boards are configured, you need to periodically check
whether the data of the active control board is synchronized to the standby control board to
ensure reliable running of the system.
If necessary (for example, the active control board is faulty), you need to manually perform
active/standby switchover to improve reliability of the system. The active/standby switchover
involves only the control plane of the control board. The forwarding plane works in
load-sharing mode and still forwards services.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 164
SmartAX MA5800
Security Hardening and Maintenance Guide 4 Security Maintenance
Procedure
Automatic switchover: It is automatically triggered by the system.
Manual switchover:
a. Run the display data sync state command to query the data synchronization status.
If the data is not fully synchronized, the system will restart in an automatic active/standby
switchover or forced active/standby switchover.
b. After the data is fully synchronized, run the system switch-over command to
perform active/standby switchover.
----End
4.2.1.12 Suggestions on Clearing Data After Device Retirement
Maintenance Suggestions
During device retirement, you can use the data clearing function in the BIOS menu to perform
low-level formatting on the flash memory to ensure that the data on the device is completely
cleared.
This feature is available in V100R20C00 and later versions.
Procedure
1. Use a serial cable to connect the CON port on the device to a serial port on a PC. Then,
log in to the device through the serial port.
2. Restart the system. During the system startup, press D within 3 seconds when "Press <D>
key to stop auto-boot" is displayed to enter the BIOS menu.
3. Enter debugmode and press Enter to access the main menu.
4. Select 4 to access the authentication switch menu.
5. Enter ClearUserData and press Enter. Then clear user data as prompted.
4.2.2 Services Layer Security
4.2.2.1 File Transfer Suggestions
During maintenance, you can choose one of TFTP, FTP, and SFTP to transfer a device
upgrade file, data backup file, or performance statistics file. SFTP is recommended as it is
more secure.
Context
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 165
SmartAX MA5800
Security Hardening and Maintenance Guide 4 Security Maintenance
TFTP and FTP have security risks due to protocol limitations. You are advised to use SFTP.
The device can function as a TFTP, FTP, or SFTP client. Differences among these file transfer
protocols are as follows:
TFTP is based on UDP, which does not require authentication of the user name and
password and uses the plain text for file transfer. It is easy to use but has poor security,
and is therefore not recommended.
FTP is a TCP-based file transfer protocol. It uses user name+password authentication
and transmits files in plain text. It is efficient and widely used but has poor security, and
is therefore not recommended.
SFTP is based on TCP and uses the SSH secure channel. It supports user name+password
authentication, uses ciphertext transmission, and supports multiple encryption algorithms
such as 3DES and AES. AES has higher security and is recommended.
The 3DES algorithm has security risks. Exercise caution when using it.
An SFTP client supports identity authentication on the SFTP server to prevent
connection to a spoofed SFTP server. To use this function, you need to configure the
public key of the SFTP server on the device, and then enable the SFTP client to
authenticate the SFTP server. You are advised to enable the function for an SFTP client
to authenticate the SFTP server.
The SFTP port can be configured. If the SFTP server does not use port 22, run the ssh sftp set command
on the device to change the port to be the same as that on the SFTP server.
Procedure
Step 1 Run the rsa peer-public-key command to configure the public key of the SFTP server.
Step 2 Run the ssh sftp peer-public-key command to configure the mapping between the IP address
and public key of the SFTP server.
Step 3 Run the ssh sftp peer-public-key authentication command to enable the SFTP client to
authenticate the SFTP server.
----End
4.2.2.2 Service Port Maintenance Suggestions
Access devices support multiple management protocols, and many service ports are enabled
in the system. You are advised to disable unnecessary service ports based on service
requirements to enhance system security.
Context
Table 4-1 lists default settings of service ports.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 166
SmartAX MA5800
Security Hardening and Maintenance Guide 4 Security Maintenance
Telnet and Telnetv6 have security risks due to protocol limitations. If these services are not
used, you are advised to disable the corresponding service ports.
Table 4-1 Default settings of service ports
Service Description Default Setting
telnet Telnet service port Versions earlier than V100R019C10:
enabled
V100R019C10 and later versions:
disabled
dhcp-relay DHCP relay service Versions earlier than V100R020C00:
port enabled
V100R020C00 and later versions:
disabled
dhcpv6-relay DHCPv6 relay Versions earlier than V100R020C00:
service port enabled
V100R020C00 and later versions:
disabled
ntp NTP service port Enabled
ntp6 NTP IPv6 service Disabled
port
snmp SNMP service port Enabled
ftp-client FTP client service ----: The current network service is not
port available, and no port or status information
is displayed.
sftp-client SFTP client service ----: The current network service is not
port available, and no port or status information
is displayed.
ipdr IPDR service port Enabled
twamp TWAMP service Enabled
port
ssh SSH service port Enabled
radius RADIUS service Enabled (By default, the port number is
port ----, that is, no port is allocated.)
trace Trace service port Disabled
netconf NETCONF service Disabled
port
telnetv6 Telnet IPv6 service Disabled
port
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 167
SmartAX MA5800
Security Hardening and Maintenance Guide 4 Security Maintenance
Service Description Default Setting
snmpv6 SNMP IPv6 service Disabled
port
sshv6 SSH IPv6 service Disabled
port
web-proxy Web-proxy service Disabled
portal Portal service port Disabled
(Added in
V100R021C00)
Procedure
Step 1 Run the display sysman service state command to query the status of the service ports of the
device.
Step 2 Run the sysman service command to disable services that are not required.
----End
Exception Handling
If management service ports are disabled and the device fails to be managed, you need to use
a local serial port to log in to the device to query and change the management service port
status.
4.2.2.3 Maintenance Suggestions on the Server Source Interface and Source
IP Address
Access devices support multiple server protocols. Each server protocol requires a specific
local IP address to receive packets. You are advised to specify a local IP address for each
server protocol based on service requirements and network planning.
Context
For the IPv4 protocol, you need to bind a Layer 3 interface to it. The system uses the
primary IP address of the Layer 3 interface as the local source IP address of the server
protocol. An IPv6 address can be directly bound to the IPv6 protocol. If no source
interface or source IP address is bound, the system does not enable the corresponding
service.
Telnet has security risks due to protocol limitations. You are advised to use SSH.
The following table lists the server protocols that need to be bound with source interfaces or
source IP addresses.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 168
SmartAX MA5800
Security Hardening and Maintenance Guide 4 Security Maintenance
Table 4-2 Server protocols that need to be bound with source interfaces or source IP addresses
Service Description Source Interface or
Source IP Address Type
ancp-proxy ANCP-proxy service IPv4
ipdr IPDR service IPv4
netconf NETCONF service IPv4 or IPv6
snmp SNMP service IPv4 or IPv6
ssh SSH service IPv4 or IPv6
telnet Telnet service IPv4 or IPv6
trace Trace service IPv4
twamp TWAMP service IPv4
web-proxy Web proxy service IPv4 or IPv6
portal Portal service IPv4
(Added in V100R021C00)
Procedure
Step 1 Run the sysman server source command to bind a source interface or source IP address to a
server protocol.
----End
4.2.2.4 Security Isolation of the Management Plane
Maintenance Suggestions
The system supports security management isolation on the user side. Specifically, a user-side
port cannot manage the system. The system can be managed from the network side after an
inband management channel is configured.
In inband management mode, use ACL rules or VLANs to separate management channel data
from service channel data.
Procedure
Step 1 Create a management VLAN, create a VLANIF interface, and enter the VLANIF mode.
Step 2 Set the IP address of the inband NMS interface.
Step 3 Configure the firewall.
Step 4 Configure firewall packet filtering rules for service VLANs other than the management
VLAN.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 169
SmartAX MA5800
Security Hardening and Maintenance Guide 4 Security Maintenance
Step 5 Run the sysman server source command to bind the server protocol to the source interface of
the management VLAN.
----End
4.2.2.5 Maintenance Suggestions on Type B Dual-homing Synchronization
Maintenance Suggestions
If type B dual-homing protection is not required, disable type B dual-homing protection
synchronization.
When you need to use Type B dual-homing synchronization, enable Type B dual-homing
synchronization and configure the key for Type B dual-homing synchronization.
Configuring the synchronization key requires that the peer key of the source device be the
same as the local key of the target device. Two OLTs are source and target devices mutually
and their keys must be correct. For example, type B dual-homing protection is set up between
OLT 1 and OLT 2. The peer key of OLT 1 must be the same as the local key of OLT 2 and the
peer key of OLT 2 must be the same as the local key of OLT 1.
To ensure network security, change the key for synchronization periodically. During the
change, data is incorrect; however, it will be retransmitted and services are not affected.
Procedure
Step 1 Run the display dual-parenting global-config command to query the type B dual-homing
synchronization switch.
Step 2 Run the dual-parenting sync command to configure the type B dual-homing synchronization
switch.
Step 3 Run the dual-parenting local-node command to configure the local key.
Step 4 Run the dual-parenting peer-node command to configure the peer key.
Step 5 Run the display dual-parenting peer-node command to query the connection status of the
dual-homing nodes.
Step 6 Run the display protect-group command to query the handshake status of the type B
dual-homing protection group.
----End
Exception Handling
If the connection status of the dual-homing nodes is normal but the handshake status is
abnormal, the keys may be inconsistent. In this case, you need to reconfigure the keys.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 170
SmartAX MA5800
Security Hardening and Maintenance Guide 4 Security Maintenance
4.2.3 Applications Layer Security
4.2.3.1 Suggestions on Anti-DoS Attack
Maintenance Suggestions
The system supports anti-DoS attack. If a user continuously sends excessive control packets,
the system determines that DoS attack occurs, adds the user to the blacklist, and generates a
DoS attack event.
You need to notice the DoS attack events reported by the system and query the blacklist
periodically. A port added to the blacklist may belong to a malicious user or the user terminal
may be faulty or infected by viruses. The specific cause needs to be found by further
checking.
Procedure
Step 1 Run the display security dos-blacklist command to query the blacklist to locate the port
encountering the DoS attack.
Step 2 Check with the user whose port is added to the blacklist and eliminate the DoS attack
according to the specific cause.
1. If the user is a malicious user, take measures to stop the user from initiating the DoS
attack. If necessary, you can delete service configurations such as the traffic stream of
the port to stop the attack.
2. If the user terminal is fault, replace it with a functional one.
Step 3 Run the display security dos-blacklist command to query the blacklist to confirm that the
DoS attack will not occur.
----End
Exception Handling
After a DoS attack is eliminated, the port will be deleted from the blacklist after several
minutes. Therefore, you need to observe for a period of time to confirm that the port is deleted
from the blacklist.
4.2.3.2 Suggestions on MAC Address Filtering
Maintenance Suggestions
MAC address filtering means that the access device checks the source or destination MAC
address carried in user packets and filters packets with specified MAC addresses.
The MAC address of a network device may change due to device replacement and
maintenance. If the MAC address of a network device changes, MAC address filtering entries
must be maintained in time. Specifically, replace the original MAC address with the new
MAC address to be filtered.
Procedure
Step 1 Run the undo security mac-filter command to delete the original MAC address.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 171
SmartAX MA5800
Security Hardening and Maintenance Guide 4 Security Maintenance
Step 2 Run the security mac-filter command to add the new MAC address to the filtering list.
----End
4.2.3.3 Suggestions on Anti-MAC Spoofing Attacks
Maintenance Suggestions
Anti-MAC spoofing is a common MAC address security measure when users dynamically
obtain IP addresses in PPPoE, DHCP, DHCPv6, or StateLess Address AutoConfiguration
(SLAAC) mode. The anti-MAC spoofing feature consists of dynamic source MAC address
binding and dynamic source MAC address filtering.
You need to pay special attention to the MAC spoofing events reported by the system. If a
MAC spoofing event is reported for a user, the user may be a malicious user or the user
terminal may be faulty or infected with viruses. The specific cause needs to be found by
further checking.
Procedure
When the static MAC address of a user changes:
a. Run the undo mac-address static command to delete the old static MAC address.
b. Run the mac-address static command to add the new static MAC address.
When the dynamic MAC address of a user changes:
a. Run the security anti-macspoofing enable command to enable the anti-MAC
spoofing function globally.
b. The VLAN-level anti-MAC spoofing function is disabled by default. To enable or
disable the VLAN-level anti-MAC spoofing, configure the switch in the VLAN
service profile and then bind a VLAN to the service profile. You can also run the
security anti-macspoofing vlan command to enable or disable the
anti-MAC-spoofing function for a discrete VLAN.
When the system receives a MAC spoofing event:
a. Check the user of the physical port or service port generating the MAC spoofing
event and eliminate MAC spoofing according to the specific cause.
If the user is a malicious user, take measures to stop the user from initiating
MAC spoofing. If necessary, you can delete service configurations such as the
traffic stream of the port to stop the attack.
If the user terminal is fault, replace it with a functional one.
If the user terminal is infected with viruses, scan for and remove the viruses.
b. Run the display security conflict statistic command to query the statistics of the
packets with MAC address conflict to confirm that the MAC spoofing attack does
not occur on the physical port any more.
c. Run the display security conflict log command to query the logs of the packets
with MAC address conflict to confirm that the MAC spoofing attack does not occur
on the service port any more.
----End
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 172
SmartAX MA5800
Security Hardening and Maintenance Guide 4 Security Maintenance
Exception Handling
The MAC spoofing alarm supports suppression. When a user continuously initiates
MAC spoofing attacks, the MAC spoofing event is not reported again within about one
hour after the first MAC spoofing event is reported. Therefore, you need to query the
statistics and logs of packets with MAC address conflict to confirm that the MAC
spoofing attack does not occur any more.
For directly forwarded packets, the system records statistics of packets with MAC
address conflict but does not generate MAC address conflict logs. For protocol packets
to be processed, the system generates MAC address conflict logs but does not record the
statistics of packets with MAC address conflict. Different MAC spoofing events are
generated for these two types of packets. Therefore, it can be confirmed that a MAC
spoofing attack does not occur any more only when both the statistics and logs of
packets with MAC address conflict do not increase any more.
4.2.3.4 Suggestions on Anti-MAC Duplicate Attacks
Maintenance Suggestions
Anti-MAC duplicate is a security measure for anti-MAC spoofing. You need to pay special
attention to the MAC address learning conflict event reported by the system. If a MAC
address learning conflict event is reported for a user, the user may be a malicious user or the
user terminal may be faulty or infected with viruses. The specific cause needs to be found by
further checking.
Procedure
Step 1 Check the user of port generating the event and eliminate MAC spoofing according to the
specific cause.
1. If the user is a malicious user, take measures to stop the user from initiating MAC
spoofing. If necessary, you can delete service configurations such as the traffic stream of
the port to stop the attack.
2. If the user terminal is fault, replace it with a functional one.
3. If the user terminal is infected with viruses, scan for and remove the viruses.
Step 2 Wait for 60 minutes and ensure that the port does not report the MAC address learning
conflict event any more.
----End
Exception Handling
The MAC address learning conflict event supports suppression. When a user continuously
initiates MAC spoofing attacks, the MAC address learning conflict event will not be reported
again within about 60 minutes after the first MAC address learning conflict event is reported.
Therefore, you need to observe for a period of time to check whether the port does not
generate the MAC address learning conflict event any more.
4.2.3.5 Suggestions on Anti-IP Spoofing Attacks
Maintenance Suggestions
Anti-IP spoofing is implemented through dynamic or static IP address binding.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 173
SmartAX MA5800
Security Hardening and Maintenance Guide 4 Security Maintenance
In static IP address binding mode, you need to manually configure static IP addresses for
users. The IP address of a user may change because of device replacement or
maintenance. If the IP address of a user changes, you need to maintain the static IP
address in time. Specifically, delete the original static IP address and add the new static
IP address.
In dynamic IP address binding mode, an IP address is dynamically issued to a user
during DHCP dialup. When a user goes offline, the IP address binding is deleted.
You need to pay special attention to the IP spoofing events reported by the system. If an IP
spoofing event is reported for a user, the user may be a malicious user or the user terminal
may be faulty or infected with viruses. The specific cause needs to be found by further
checking.
This maintenance suggestion is applicable to both IPv4 and IPv6 networks.
Procedure
When the static IP address of a user changes:
a. Run the undo bind ip command to unbind the original static IP address.
b. Run the bind ip command to bind a new static IP address.
Enable the dynamic anti-IP spoofing function.
a. Run the security anti-ipspoofing enable command to enable the anti-IP spoofing
function globally.
b. The VLAN-level anti-IP spoofing function is enabled by default. To modify the
VLAN-level anti-IP spoofing function, you need to configure a VLAN service
profile and then bind the VLAN to the service profile.
When the system receives an IP spoofing event:
a. Check the user of the physical port or service port generating the IP spoofing event
and eliminate IP spoofing according to the specific cause.
If the user is a malicious user, take measures to stop the user from initiating IP
spoofing. If necessary, you can delete service configurations such as the traffic
stream of the port to stop the attack.
If the user terminal is fault, replace it with a functional one.
If the user terminal is infected with viruses, scan for and remove the viruses.
b. Run the display security conflict statistic command to query the statistics of the
packets with IP address conflict to confirm that the IP spoofing attack does not
occur on the physical port any more.
c. Run the display security conflict log command to query the logs of the packets
with IP address conflict to confirm that the IP spoofing attack does not occur on the
service port any more.
----End
Exception Handling
The IP spoofing event supports suppression. When a user continuously initiates IP
spoofing attacks, the IP spoofing event is not reported again within about one hour after
the first IP spoofing event is reported. Therefore, you need to query the statistics and logs
of packets with IP address conflict to confirm that IP spoofing does not occur any more.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 174
SmartAX MA5800
Security Hardening and Maintenance Guide 4 Security Maintenance
For directly forwarded packets, the system records statistics of packets with IP address
conflict but does not generate IP address conflict logs. For protocol packets to be
processed, the system generates IP address conflict logs but does not record the statistics
of packets with IP address conflict. Different IP spoofing events are generated for these
two types of packets. Therefore, it can be confirmed that an IP spoofing attack does not
occur any more only when both the statistics and logs of packets with IP address conflict
do not increase any more.
4.2.3.6 Maintenance Suggestions on ONU Authentication Failures
Maintenance Suggestions
The OLT determines whether an ONU is valid and can go online based on the authentication
information about the ONU. If an ONU fails the authentication, it cannot carry services.
The possible causes of an ONU authentication failure are as follows:
1. The ONU fails to be automatically discovered due to authentication information conflict.
2. The ONU fails the authentication because of unmatched authentication information.
Authentication information conflicts can be detected only when auto-find is enabled on the PON port
and auto-find conflict detection is enabled on the OLT.
Procedure
Step 1 If an ONU is connected to an OLT and is powered on, but the OLT does not receive an
auto-find alarm, run the display port ont-register-info command to check whether an ONU
with authentication information conflict exists on the specified port, or run the display alarm
history command to query the corresponding authentication conflict alarm.
Step 2 After an ONU is connected to an OLT and powered on, if the OLT receives an auto-find
alarm and the ONU information can be queried by running the display ont autofind
command, you can run the display ont info command to query the online status and
configuration status of the ONU. If the ONU online or configuration status is abnormal, run
the display port ont-register-info command to query the ONU authentication result on a
specified port.
Step 3 Eliminate ONU authentication information conflicts or mismatches.
If an authentication information conflict occurs, confirm that the ONU is valid, and replace
the conflict ONU or correct its authentication information.
----End
4.2.3.7 Maintenance Suggestions on Continuous-Mode ONUs
Maintenance Suggestions
The system supports rogue ONU detection. Rogue ONUs include various types. Currently, the
system supports only the detection of continuous-mode rogue ONTs. When the services of
multiple users on a PON port are affected, interrupted, or even go offline, or ONUs cannot go
online, you can use this function to determine whether the fault is caused by a rogue ONU.
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 175
SmartAX MA5800
Security Hardening and Maintenance Guide 4 Security Maintenance
Procedure
Step 1 If ONUs connected to a port go offline in batches or services are affected, run the display
port state command to check whether a rogue ONU exists on the port. Then, run the display
alarm history command to query the rogue ONU alarm or the batch ONT offline alarm on a
port to check whether a rogue ONU exists.
If a rogue ONU alarm is generated on the port and one or more ONU offline alarms are
generated on the port or the user reports a fault, you need to further locate the fault.
If a rogue ONU alarm is generated on a port but no ONU offline alarm is generated on
the port and no user reports any fault, the rogue ONU alarm may be a false alarm. You
can run the anti-rogueont manual-check command to perform manual detection.
Step 2 Remotely identify the possible rogue ONU on a port.
If automatic rogue ONU detection is disabled, run the anti-rogueont manual-detect
command to enable rogue ONU detection and run the display rogueont command to
query the detection result to identify the rogue ONU.
If automatic rogue ONU detection is enabled, run the display rogueont command to
query the rogue ONUs under the corresponding port.
Step 3 Remotely isolate a rogue ONU to recover the services of other ONUs on the port.
If automatic rogue ONU detection is disabled, run the xpon rogueont isolate command
to isolate the rogue ONU to recover the services of other ONUs or users under the same
port, and then run the display ont info command to check the isolation status of the
rogue ONU. Finally, check whether the services of the affected users are recovered by
observing the online status of other ONUs connected to the same port.
If automatic rogue ONU detection is enabled, the system can automatically isolate a
detected rogue ONU. In this case, you can run the display ont info command to check
the isolation status of the rogue ONU and check whether affected services are recovered
by observing the online status of other ONUs connected to the same port.
If affected services on the port are not recovered or ONUs on the port fail to go online
after the rogue ONU is isolated, you need to visit the site with a power meter, and
connect the fibers of the ONUs on the GPON port to the power meter one by one. If the
power meter shows that the upstream direction of an ONU has continuous lights, the
ONU is a rogue ONU.
Step 4 Rectify the ONU fault on the site. Generally, a rogue ONU is caused by a hardware fault on
the optical module of a terminal. Therefore, the fault can be rectified only onsite.
For a pluggable optical module, replace the optical module on the ONU PON port. For
an unpluggable optical module, replace the ONU.
If the ONU has been isolated by the OLT, run the xpon rogueont restore command to
cancel the isolation of the ONU and allow the ONU to reconnect to the OLT after the
ONU or optical module is replaced. Observe the online status of the other ONUs on the
port to determine whether the fault is eliminated.
----End
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 176
SmartAX MA5800
Security Hardening and Maintenance Guide 4 Security Maintenance
4.2.3.8 Maintenance Suggestions on User-Side Ring Networks
Maintenance Suggestions
If a ring network occurs on the user side, downstream packets sent to a user are looped back
to the access device, leading to problems such as broadcast storm and MAC address flapping
and affecting services of the access device. After you run the ring check enable command to
enable the ring check function on the user side, the device checks whether a ring network
exists on the user side. If a ring network exists, the device automatically blocks the user port
where the ring network exists and reports a ring network event on the user side.
You need to pay attention to this event in time and take corresponding measures to eliminate
the user-side ring network.
Procedure
Step 1 Use the NMS or run the display event history command to check whether the historical
records contain unprocessed user-side ring network events.
Step 2 Recommend the user of the port generating the event to check the network to eliminate the
ring network.
Step 3 Manually activate the user-side port if the interval for automatically activating the user-side
ring network is not set. It is recommended that you run the ring check resume-interval
command to set the interval for automatically activating the user-side port after the port is
manually activated.
Step 4 Wait for a period of time to check whether services on the port are recovered and whether the
user-side ring network event disappears.
----End
Issue 08 (2024-03-30) Copyright © Huawei Technologies Co., Ltd. 177
You might also like
- Simple Humanoid Walking and Dancing Robot Arduino100% (1)Simple Humanoid Walking and Dancing Robot Arduino12 pages
- Huawei ONT Web Page Reference 09 (Enterprise)100% (1)Huawei ONT Web Page Reference 09 (Enterprise)1,452 pages
- Huawei Series Ethernet Switches Alarm Handling S2750&5700&6700 PDFNo ratings yetHuawei Series Ethernet Switches Alarm Handling S2750&5700&6700 PDF946 pages
- Huawei MA5616 Service Configuration Document50% (2)Huawei MA5616 Service Configuration Document11 pages
- FONST 4000 Intelligent OTN Equipment Product Description (Version F)No ratings yetFONST 4000 Intelligent OTN Equipment Product Description (Version F)442 pages
- MA5600T&MA5603T&MA5608T Hardware Description 23No ratings yetMA5600T&MA5603T&MA5608T Hardware Description 23973 pages
- MA5800 Security Hardening and Maintenance Guide 06No ratings yetMA5800 Security Hardening and Maintenance Guide 06113 pages
- GTU-Paper-Analysis PDF All 20052019034157PMNo ratings yetGTU-Paper-Analysis PDF All 20052019034157PM11 pages
- Ma5612configurationguidev800r308c0004 120820003950 Phpapp02100% (1)Ma5612configurationguidev800r308c0004 120820003950 Phpapp02488 pages
- Topic IV Hand Sketched Schematic DiagramNo ratings yetTopic IV Hand Sketched Schematic Diagram23 pages
- MA5800 Product Documentation and ConfigurationNo ratings yetMA5800 Product Documentation and Configuration748 pages
- How To Quickly Configure The OLT Huawei MA5608T With ONT Huawei100% (2)How To Quickly Configure The OLT Huawei MA5608T With ONT Huawei5 pages
- OSN 7500 II V200R011C02 Product Overview 03No ratings yetOSN 7500 II V200R011C02 Product Overview 03146 pages
- English 5 Q2 Mod6 Types of Viewing Materials LSerranoNo ratings yetEnglish 5 Q2 Mod6 Types of Viewing Materials LSerrano15 pages
- OceanStor 2000, 5000, and 6000 V3 Series V300R006 Parts ReplacementNo ratings yetOceanStor 2000, 5000, and 6000 V3 Series V300R006 Parts Replacement280 pages
- DPtech FW1000 Series Application Firewall User Manual v5.0No ratings yetDPtech FW1000 Series Application Firewall User Manual v5.0415 pages
- 3he09527aaaa - v1 - 7210 Sas M, T, X, r6 Oam ANo ratings yet3he09527aaaa - v1 - 7210 Sas M, T, X, r6 Oam A342 pages
- ALCOMA ALxxF Class Carrier Radio DescriptionNo ratings yetALCOMA ALxxF Class Carrier Radio Description91 pages
- 3hh13800daaatqzza20 - v1 - r6.5 System Description For 7362 Isam DFSFNo ratings yet3hh13800daaatqzza20 - v1 - r6.5 System Description For 7362 Isam DFSF270 pages
- FTTX Solution Configuration Guide (V100R007 - 02) PDFNo ratings yetFTTX Solution Configuration Guide (V100R007 - 02) PDF411 pages
- RH2288H V3 Server V100R003 User Guide 18No ratings yetRH2288H V3 Server V100R003 User Guide 18302 pages
- Configuring OLT QinQ VLANs and Service PortsNo ratings yetConfiguring OLT QinQ VLANs and Service Ports2 pages
- MA5600&MA5603 V300R003C05 Configuration Guide 09No ratings yetMA5600&MA5603 V300R003C05 Configuration Guide 09384 pages
- MTS9304A-HX10B1, MTS9300A-XA10B1 Telecom Power User ManualNo ratings yetMTS9304A-HX10B1, MTS9300A-XA10B1 Telecom Power User Manual86 pages
- Pipex: Summary: This Project Is The Discovery in Detail and by Programming of A UNIX Mechanism That You Already KnowNo ratings yetPipex: Summary: This Project Is The Discovery in Detail and by Programming of A UNIX Mechanism That You Already Know8 pages
- Server-Side Programming: Java Servlets: Web Technologies A Computer Science PerspectiveNo ratings yetServer-Side Programming: Java Servlets: Web Technologies A Computer Science Perspective115 pages
- Turbo HD DVR V3.4.83 - Build170526 Release Notes - ExternalNo ratings yetTurbo HD DVR V3.4.83 - Build170526 Release Notes - External2 pages
- 2014 Smart Card cloner User's Manual V3.0: 1、Equipment introductionNo ratings yet2014 Smart Card cloner User's Manual V3.0: 1、Equipment introduction2 pages
- Huawei MA5680T/MA5683T/MA5608T GPON Board H805GPFD Hardware DescriptionNo ratings yetHuawei MA5680T/MA5683T/MA5608T GPON Board H805GPFD Hardware Description6 pages
- GPON Multicast-MVR Configuration and TroubleshootingNo ratings yetGPON Multicast-MVR Configuration and Troubleshooting16 pages
- GPON Huawei OLT Basic Troubleshooting CommandsNo ratings yetGPON Huawei OLT Basic Troubleshooting Commands23 pages
- MA5616 Service Configuration For HSI+IPTV (ADSL)No ratings yetMA5616 Service Configuration For HSI+IPTV (ADSL)88 pages
- OG For MA5600T or MA5603T NE Management - (V100R002C01 - 03)No ratings yetOG For MA5600T or MA5603T NE Management - (V100R002C01 - 03)505 pages
- Assignment-1 1. Print 'Hello World' in Java.: Sybca-Div-2-Java Avani Joshi ROLL NO:-102No ratings yetAssignment-1 1. Print 'Hello World' in Java.: Sybca-Div-2-Java Avani Joshi ROLL NO:-10222 pages
- Jordan Zain Account Common Engineering Program Fixed Network-Outdoor Microwavenot Involving Idu Install, Concrete Floor (With Base) NewsceneNo ratings yetJordan Zain Account Common Engineering Program Fixed Network-Outdoor Microwavenot Involving Idu Install, Concrete Floor (With Base) Newscene44 pages
- Bridging ONT + HGW Network Scenario (GPON/XG-PON/XGS-PON Networking)No ratings yetBridging ONT + HGW Network Scenario (GPON/XG-PON/XGS-PON Networking)30 pages
- Huawei SmartAX MA5600T Series OLT Brochure PDFNo ratings yetHuawei SmartAX MA5600T Series OLT Brochure PDF4 pages
- MobaXterm 10.64.17.44nso-Antel-Lab 20220721 130329No ratings yetMobaXterm 10.64.17.44nso-Antel-Lab 20220721 13032914 pages
- HUAWEI OptiX RTN 980 SDHPDH Radio Link Microwave Transmission System EquipmentNo ratings yetHUAWEI OptiX RTN 980 SDHPDH Radio Link Microwave Transmission System Equipment7 pages
- Huawei OLT MA5608T Power Board H801MPWD Hardware DescriptionNo ratings yetHuawei OLT MA5608T Power Board H801MPWD Hardware Description7 pages
- Smartax Ma5620 and Smartax Ma5626: AppearanceNo ratings yetSmartax Ma5620 and Smartax Ma5626: Appearance2 pages
