CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 13

The documents describe the configuration of various services supported by the CX11x, CX31x, and CX91x series switch modules. The description covers configuration examples and function configurations.
Configuration Examples

This section provides IP performance configurations including the networking requirements, networking diagram, configuration roadmap, and configuration procedures.

Example for Configuring the System to Discard Specified ICMP Packets

Networking Requirements

As shown in Figure 6-41, switch A functions as a convergence device. In the downlink direction, switch A connects to the user network through a DSLAM device, individual users, and enterprise users. Attackers on the user network may launch attacks using a large number of ICMP packets whose TTL is 1 or that carry options, which increases the traffic burden and degrades device performance. To address this, configure switch A to discard ICMP packets whose TTL is 1 and ICMP packets that carry options, and disable switch A from receiving ICMP Echo Request packets.

Figure 6-41 Networking diagram for configuring ICMP attack defense

Configuration Roadmap

Configure switch A to discard ICMP packets as follows:
  • Configure switch A to discard ICMP packets with the TTL being 1.
  • Configure switch A to discard ICMP packets with options.
  • Disable switch A from receiving ICMP Echo Request packets.

Procedure

  1. Configure VLANs that each interface belongs to.

    # Configure SwitchA.

    <HUAWEI> system-view
    [~HUAWEI] sysname SwitchA
    [*HUAWEI] commit
    [~SwitchA] vlan batch 100
    [*SwitchA] interface 10ge 1/17/1
    [*SwitchA-10GE1/17/1] port link-type trunk
    [*SwitchA-10GE1/17/1] port trunk allow-pass vlan 100
    [*SwitchA-10GE1/17/1] quit
    [*SwitchA] commit
    

    # Configure SwitchC.

    <HUAWEI> system-view
    [~HUAWEI] sysname SwitchC
    [*HUAWEI] commit
    [~SwitchC] vlan batch 100
    [*SwitchC] interface 10ge 1/17/1
    [*SwitchC-10GE1/17/1] port link-type trunk
    [*SwitchC-10GE1/17/1] port trunk allow-pass vlan 100
    [*SwitchC-10GE1/17/1] quit
    [*SwitchC] commit
    

  2. Configure IP addresses for VLANIF interfaces.

    # Configure IP addresses for interfaces on SwitchA.

    [~SwitchA] interface vlanif 100
    [*SwitchA-Vlanif100] ip address 1.1.1.2 24
    [*SwitchA-Vlanif100] quit
    [*SwitchA] commit
    

    # Configure IP addresses for interfaces on SwitchC.

    [~SwitchC] interface vlanif 100
    [*SwitchC-Vlanif100] ip address 1.1.1.1 24
    [*SwitchC-Vlanif100] quit
    [*SwitchC] commit
    

  3. Configure switch A to discard specified ICMP packets.

    # Configure switch A to discard ICMP packets with the TTL being 1.

    [~SwitchA] icmp ttl-exceeded drop all
    [*SwitchA] commit
    

    # Configure switch A to discard ICMP packets with options.

    [~SwitchA] icmp with-options drop all
    [*SwitchA] commit

    # Disable switch A from receiving ICMP Echo Request packets.

    [~SwitchA] icmp name echo receive disable
    [*SwitchA] commit

  4. Verify the configuration.

    # Ping SwitchA (1.1.1.2) from SwitchC. SwitchA sends no Echo Reply packets.

    [~SwitchC] ping -r 1.1.1.2
    PING 1.1.1.2: 56  data bytes, press CTRL_C to break
        Request time out
        Request time out
        Request time out
        Request time out
        Request time out
    
      --- 1.1.1.2 ping statistics ---
        5 packet(s) transmitted
        0 packet(s) received
        100.00% packet loss
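
The three discard rules from step 3, modeled as a classifier over constructed IPv4/ICMP packets to show which header fields each rule keys on. This is an added example, not Huawei code: the function names and rule labels are hypothetical, and the match conditions follow this page's descriptions (TTL equal to 1, an IPv4 header carrying options, ICMP type 8), not the switch's internal implementation.

```python
import struct

# Constructed Record Route option (type 7, length 7, pointer 4) padded to 8 bytes.
RECORD_ROUTE = b"\x07\x07\x04" + b"\x00" * 4 + b"\x00"

def build_icmp(ttl, icmp_type, ip_options=b"", frag_offset=0):
    """Build a constructed IPv4+ICMP packet; checksums are left at zero."""
    if len(ip_options) % 4:
        raise ValueError("IPv4 options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(ip_options) // 4          # header length in 32-bit words
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + b"\x00" * 8
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0,
                         ihl * 4 + len(icmp), 0, frag_offset & 0x1FFF,
                         ttl, 1, 0, bytes([1, 1, 1, 1]), bytes([1, 1, 1, 2]))
    return header + ip_options + icmp

def drop_reasons(packet):
    """Return the labels of the rules a packet matches; [] means not discarded."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = packet[0] & 0x0F
    if ihl < 5 or len(packet) <= ihl * 4:
        raise ValueError("malformed or truncated IPv4 header")
    ttl, protocol = packet[8], packet[9]
    if protocol != 1:                        # the three rules concern ICMP only
        return []
    reasons = []
    if ttl == 1:
        reasons.append("ttl-exceeded drop")
    if ihl > 5:                              # header longer than 20 bytes: options
        reasons.append("with-options drop")
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    # The ICMP type byte is only present in the first fragment.
    if frag_offset == 0 and packet[ihl * 4] == 8:
        reasons.append("echo receive disable")
    return reasons

if __name__ == "__main__":
    samples = {
        "echo request, TTL 64": build_icmp(64, 8),
        "echo reply, TTL 1": build_icmp(1, 0),
        "echo reply with Record Route": build_icmp(64, 0, RECORD_ROUTE),
        "echo request, TTL 1, with options": build_icmp(1, 8, RECORD_ROUTE),
    }
    for name, pkt in samples.items():
        print(f"{name}: {drop_reasons(pkt) or 'accepted'}")
```
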

Configuration Files

  • Configuration file of switch A

    #
    sysname SwitchA
    #
    vlan batch 100
    #
    icmp name echo receive disable
    icmp ttl-exceeded drop slot 1
    icmp with-options drop slot 1
    #
    interface Vlanif100
     ip address 1.1.1.2 255.255.255.0  
    #
    interface 10GE1/17/1 
     port link-type trunk 
     port trunk allow-pass vlan 100
    #
    return
  • Configuration file of switch C

    #
    sysname SwitchC
    #
    vlan batch 100
    #
    interface Vlanif100
     ip address 1.1.1.1 255.255.255.0
    #
    interface 10GE1/17/1 
     port link-type trunk 
     port trunk allow-pass vlan 100
    #
    return
Updated: 2019-12-13

Document ID: EDOC1000041694
