Typical Configuration Examples

CloudEngine 12800, 12800E, 8800, 7800, 6800, and 5800 Series Switches

Configuring Local Attack Defense

Applicable Products and Versions

This example applies to the CE12800/CE6800/CE5800 V100R001C00 or later.

This example applies to the CE7800 V100R003C00 or later.

This example applies to the CE8800 V100R006C00 or later.

This example applies to the CE12800E V200R002C50 or later.

Networking Requirements

As shown in Figure 2-59, the users on Net1, Net2, and Net3 connect to the Switch and access the Internet through the Router. Because a large number of users connect to the Switch, it receives many packets that must be sent to the CPU, which leaves the CPU exposed to attacks.

  1. The administrator wants to monitor the CPU in real time and detect attacks on the CPU promptly. When the device receives suspected attack packets, it should immediately notify the administrator so that measures can be taken to protect the CPU.
  2. User 1.1.1.3/32 on Net1 frequently launches attacks, so the administrator wants to deny access from this user.
Figure 2-59 Diagram for configuring local attack defense

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure the attack source tracing function, alarm for attack source tracing, and punishment measures so that the administrator can monitor the CPU in real time and take measures to protect the CPU.
  2. Add the attacking user on Net1 (1.1.1.3/32) to the blacklist.

Procedure

  1. Configure the rule for filtering packets sent to the CPU.

    # Define an ACL rule that matches the attacking user on Net1 (1.1.1.3/32). The blacklist will reference this ACL.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch
    [*HUAWEI] commit
    [~Switch] acl number 2001
    [~Switch-acl-basic-2001] rule permit source 1.1.1.3 0.0.0.0
    [*Switch-acl-basic-2001] commit
    [~Switch-acl-basic-2001] quit

  2. Configure an attack defense policy.

    # Create an attack defense policy.

    [~Switch] cpu-defend policy policy1

    # Configure attack source tracing.

    [*Switch-cpu-defend-policy-policy1] auto-defend enable

    # Enable the alarm function for attack source tracing.

    [*Switch-cpu-defend-policy-policy1] auto-defend alarm enable
    # Set the punishment action to discard.
    [*Switch-cpu-defend-policy-policy1] auto-defend action deny

    # Add the attacking user on Net1 to the blacklist.

    [*Switch-cpu-defend-policy-policy1] blacklist 1 acl 2001

    # Set the rate limit for ARP packets sent to the CPU.

    [*Switch-cpu-defend-policy-policy1] car packet-type arp pps 128
    [*Switch-cpu-defend-policy-policy1] commit
    [~Switch-cpu-defend-policy-policy1] quit
    NOTE:
    If the CAR value is set too high (for example, to twice the default value), CPU usage rises and device performance suffers.

  3. Apply the attack defense policy globally.

    [~Switch] cpu-defend-policy policy1
    [*Switch] commit

Verifying the Configuration

  1. Run the display cpu-defend policy policy1 command to view information about the attack defense policy.

    [~Switch] display cpu-defend policy policy1
    ----------------------------------------------
    Name : policy1
    Related slot : <1>
    Blacklist Status :
      Slot<1> : Successful
    Configuration :
    Blacklist 1 ACL number : 2001
    Car packet-type arp(pps) : 128
    ----------------------------------------------

    Host 1.1.1.3/32 cannot ping the device.

  2. Run the display cpu-defend configuration all command to view rate limits on protocol packets.

    • CE5800 and CE6800

      [~Switch] display cpu-defend configuration all
      Car configurations on slot 1 :                                                  
      ---------------------------------------------------                             
      PacketType            Status      Car(pps)                                      
      ---------------------------------------------------                             
      aaa                   Enabled          384                                      
      arp                   Enabled          128                                      
      arp-miss              Enabled          512                                      
      bfd                   Enabled         1024                                      
      bgp                   Enabled         1024                                      
      bpdu-tunnel           Enabled          512                                      
      dhcp                  Enabled          512                                      
      dldp                  Disabled         384                                      
      fib-hit               Enabled          512                                      
      ftp                   Enabled          128                                      
      gmac                  Disabled         384                                      
      icmp                  Enabled          512                                      
      isis                  Disabled        1024                                      
      lacp                  Disabled         128                                      
      ldt                   Disabled         512                                      
      lldp                  Enabled          384                                      
      multicast             Enabled          512                                      
      nd                    Enabled         3072                                      
      ntp                   Enabled          128                                      
      ospf                  Disabled        1024                                      
      rip                   Disabled         512                                      
      smart-link            Disabled         128                                      
      snmp                  Enabled          256                                      
      stp                   Enabled          256                                      
      telnet                Enabled          256                                      
      trill                 Disabled        2048                                      
      trill-management      Disabled         512                                      
      ttl-expired           Enabled          256                                      
      udp-helper            Enabled          256                                      
      unknown-multicast     Disabled        1024                                      
      vrrp                  Disabled         256                                      
      ---------------------------------------------------                             
      Car all-packets (pps) : 5120                                                    
      --------------------------------------------------- 
    • CE12800

      [~Switch] display cpu-defend configuration all
      Car Configurations on slot 1 :                                                 
      ---------------------------------------------------                            
      Packet Type           Status      Car(pps)                                     
      ---------------------------------------------------                            
      aaa                   Enabled     384                                          
      arp                   Enabled     128                                          
      arp-miss              Enabled     512                                          
      bfd                   Enabled     1024                                         
      bgp                   Enabled     2048                                         
      dhcp                  Disabled    1024                                         
      dldp                  Disabled    512                                          
      fib-hit               Enabled     512                                          
      ftp                   Enabled     128                                          
      gmac                  Disabled    512                                          
      icmp                  Enabled     512                                          
      isis                  Disabled    2048                                         
      lacp                  Disabled    128                                          
      ldt                   Disabled    512                                          
      lldp                  Disabled    512                                          
      mpls                  Enabled     512                                          
      multicast             Enabled     512                                          
      ntp                   Enabled     128                                          
      ospf                  Enabled     2048                                         
      rip                   Enabled     1024                                         
      snmp                  Enabled     256                                          
      stp                   Disabled    256                                          
      telnet                Enabled     256                                          
      trill                 Disabled    2048                                         
      trill-management      Disabled    512                                          
      ttl-expired           Enabled     256                                          
      udp-helper            Enabled     256                                          
      unknown-multicast     Enabled     512                                          
      vrrp                  Enabled     512                                          
      ---------------------------------------------------                            
      Car all-packets (pps) : 5120                                                   
      ---------------------------------------------------  

Configuration File

#
sysname Switch
#
cpu-defend policy policy1
 blacklist 1 acl 2001
 car packet-type arp pps 128
 auto-defend enable
 auto-defend action deny
 auto-defend alarm enable
 auto-defend trace-type source-mac source-ip
 auto-defend protocol all
#
cpu-defend-policy policy1
#
acl number 2001
 rule 5 permit source 1.1.1.3 0
#
return
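As an added check that is not part of Huawei's documentation, the following Python script parses a configuration file in the form shown above and audits what this example sets out to achieve: the policy is applied globally, source tracing runs with alarm and deny, the ARP CAR stays at or below the configured 128 pps, and the blacklist ACL matches exactly the intended host rather than a range. The `SWITCH_CONFIG` string is a constructed copy of the page's cpu-defend and ACL blocks; the 128 pps cap and the host 1.1.1.3 are taken from this example.

```python
import re
# Constructed copy of the cpu-defend and ACL blocks from the configuration file above.
SWITCH_CONFIG = """\
cpu-defend policy policy1
 blacklist 1 acl 2001
 car packet-type arp pps 128
 auto-defend enable
 auto-defend action deny
 auto-defend alarm enable
 auto-defend trace-type source-mac source-ip
 auto-defend protocol all
#
cpu-defend-policy policy1
#
acl number 2001
 rule 5 permit source 1.1.1.3 0
"""

def parse_config(text):
    """Group a VRP config into {top-level command: [its indented sub-commands]}."""
    blocks, current = {}, None
    for line in text.splitlines():
        cmd = line.strip()
        if cmd in ("", "#", "return"):
            continue
        if line.startswith(" ") and current:
            blocks[current].append(cmd)
        else:
            current, blocks[cmd] = cmd, []
    return blocks

def audit_cpu_defend(text, policy="policy1", host="1.1.1.3", max_arp_pps=128):
    """Return findings (an empty list means the config matches this example's intent)."""
    cfg, findings = parse_config(text), []
    pol = cfg.get(f"cpu-defend policy {policy}", [])
    if f"cpu-defend-policy {policy}" not in cfg:
        findings.append(f"{policy} is not applied globally")
    for needed in ("auto-defend enable", "auto-defend alarm enable", "auto-defend action deny"):
        if needed not in pol:
            findings.append(f"{policy} lacks '{needed}'")
    for sub in pol:
        if m := re.match(r"blacklist \d+ acl (\d+)", sub):
            # A /32 host wildcard prints as "0"; any wider mask would blacklist a whole range.
            pat = rf"rule(?: \d+)? permit source {re.escape(host)} (0|0\.0\.0\.0)"
            if not any(re.fullmatch(pat, r) for r in cfg.get(f"acl number {m[1]}", [])):
                findings.append(f"ACL {m[1]} has no host rule for {host}")
        elif (m := re.match(r"car packet-type arp pps (\d+)", sub)) and int(m[1]) > max_arp_pps:
            findings.append(f"ARP CAR {m[1]} pps exceeds {max_arp_pps}")
    return findings
```

The same function can be pointed at the output of display current-configuration saved from a live switch; a wildcard wider than 0 in the blacklist ACL would discard traffic from all of Net1 instead of the single attacking host, which is why the audit insists on an exact host rule.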
Updated: 2019-04-03

Document ID: EDOC1000039339