Typical Configuration Examples

CloudEngine 16800, 12800, 12800E, 8800, 7800, 6800, and 5800 Series Switches

Configuring Local Attack Defense

Applicable Products and Versions

This example applies to all models and all versions.

Networking Requirements

As shown in Figure 2-63, the users on Net1, Net2, and Net3 connect to the Switch and access the Internet through the Router. Because a large number of users connect to the Switch, it receives many packets destined for its CPU, which leaves the CPU exposed to attack.

  1. The administrator wants to monitor the CPU in real time and detect attacks on the CPU promptly. When the device receives suspected attack packets, it should immediately notify the administrator so that measures can be taken to protect the CPU.
  2. User 1.1.1.3/32 on Net1 frequently launches attacks, so the administrator wants to block that user's access.
Figure 2-63 Diagram for configuring local attack defense

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure attack source tracing, the attack source tracing alarm, and a punishment action so that the administrator can monitor the CPU in real time and take measures to protect it.
  2. Add the attacking user on Net1 (1.1.1.3/32) to the blacklist.

Procedure

  1. Configure the rule for filtering packets sent to the CPU.

    # Define the ACL rule that matches user 1.1.1.3/32 on Net1. The blacklist will reference this ACL.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch
    [*HUAWEI] commit
    [~Switch] acl number 2001
    [~Switch-acl-basic-2001] rule permit source 1.1.1.3 0.0.0.0
    [*Switch-acl-basic-2001] commit
    [~Switch-acl-basic-2001] quit

  2. Configure an attack defense policy.

    # Create an attack defense policy.

    [~Switch] cpu-defend policy policy1

    # Configure attack source tracing.

    [*Switch-cpu-defend-policy-policy1] auto-defend enable

    # Enable the alarm function for attack source tracing.

    [*Switch-cpu-defend-policy-policy1] auto-defend alarm enable

    # Set the punishment action to discard.

    [*Switch-cpu-defend-policy-policy1] auto-defend action deny

    # Add the attacking user on Net1 (matched by ACL 2001) to the blacklist.

    [*Switch-cpu-defend-policy-policy1] blacklist 1 acl 2001

    # Set the rate limit for ARP packets sent to the CPU.

    [*Switch-cpu-defend-policy-policy1] car packet-type arp pps 128
    [*Switch-cpu-defend-policy-policy1] commit
    [~Switch-cpu-defend-policy-policy1] quit

    If the CAR value is set too high (for example, two times the default value), CPU usage rises and device performance is affected.

  3. Apply the attack defense policy globally.

    [~Switch] cpu-defend-policy policy1
    [*Switch] commit

Verifying the Configuration

  1. Run the display cpu-defend policy policy1 command to view information about the attack defense policy.

    [~Switch] display cpu-defend policy policy1
    ==============================================
    Policy name: policy1
    Policy applys on slot: <1>
    Car packet-type arp(pps) : 128
    Blacklist status:
    ----------------------------------------------
    Slot    Blacklist  State         ACL   ACLIPv6
    ----------------------------------------------
    1               1  Successful   2001        --
    ==============================================

    Host 1.1.1.3/32 cannot ping the device.

  2. Run the display cpu-defend configuration all command to view rate limits on protocol packets.

    [~Switch] display cpu-defend configuration all
    Car configurations on slot 1 :
    ---------------------------------------------------
    PacketType            Status      Car(pps)
    ---------------------------------------------------
    aaa                   Enabled          384
    arp                   Enabled          128
    arp-miss              Enabled          512
    bfd                   Enabled         1024
    bgp                   Enabled         1024
    ……
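As an added verification aid (not part of the Huawei documentation), the following Python parses the two display outputs shown above and reports whether the policy is applied, the blacklist referencing ACL 2001 is active, and the ARP CAR is enabled at 128 pps; the sample outputs are constructed from this page's example, and the same check can be run over output captured from many switches.

```python
"""Check CloudEngine 'display cpu-defend' output for the expected local attack defense state."""
import re

# Constructed sample of 'display cpu-defend policy policy1' (relevant lines only).
POLICY_OUTPUT = """\
Policy applys on slot: <1>
Car packet-type arp(pps) : 128
Slot    Blacklist  State         ACL   ACLIPv6
1               1  Successful   2001        --
"""
# Constructed sample of 'display cpu-defend configuration all' (first rows only).
CAR_OUTPUT = """\
PacketType            Status      Car(pps)
aaa                   Enabled          384
arp                   Enabled          128
"""

def parse_policy(text):
    # Collect applied slots, per-packet-type CAR overrides and blacklist table rows.
    info = {"slots": [], "car": {}, "blacklist": []}
    for line in text.splitlines():
        if m := re.match(r"Policy applys on slot:\s*<([^>]*)>", line):
            info["slots"] = [int(s) for s in re.findall(r"\d+", m.group(1))]
        elif m := re.match(r"Car packet-type (\S+)\(pps\)\s*:\s*(\d+)", line):
            info["car"][m.group(1)] = int(m.group(2))
        elif m := re.match(r"(\d+)\s+(\d+)\s+(\w+)\s+(\S+)\s+\S+\s*$", line):
            info["blacklist"].append({"slot": int(m.group(1)), "id": int(m.group(2)),
                                      "state": m.group(3), "acl": m.group(4)})
    return info

def parse_car_table(text):
    # Map packet type -> (enabled, pps) from the CAR table rows.
    cars = {}
    for line in text.splitlines():
        if m := re.match(r"([a-z][\w-]*)\s+(Enabled|Disabled)\s+(\d+)\s*$", line):
            cars[m.group(1)] = (m.group(2) == "Enabled", int(m.group(3)))
    return cars

def check_defense(policy_text, car_text, expect_acl="2001", expect_arp_pps=128):
    # Return a list of findings; an empty list means the state matches the example.
    pol, cars = parse_policy(policy_text), parse_car_table(car_text)
    findings = []
    if not pol["slots"]:
        findings.append("policy is not applied on any slot")
    if not any(b["acl"] == expect_acl and b["state"] == "Successful" for b in pol["blacklist"]):
        findings.append(f"blacklist referencing ACL {expect_acl} is not active")
    enabled, pps = cars.get("arp", (False, None))
    if not enabled or pps != expect_arp_pps:
        findings.append(f"arp CAR is {pps} pps (enabled={enabled}), expected {expect_arp_pps}")
    return findings
```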

Configuration File

#
sysname Switch
#
cpu-defend policy policy1
 blacklist 1 acl 2001
 car packet-type arp pps 128
 auto-defend enable
 auto-defend action deny
 auto-defend alarm enable
 auto-defend trace-type source-mac source-ip
 auto-defend protocol all
#
cpu-defend-policy policy1
#
acl number 2001
 rule 5 permit source 1.1.1.3 0
#
return
Updated: 2020-01-07

Document ID: EDOC1000039339
