Configuration Examples
This topic provides several configuration examples of local attack defense, including networking requirements and configuration roadmaps.
Example for Configuring Local Attack Defense
Networking Requirements
As shown in Figure 12-29, users from different LANs connect to the Internet through the Switch Module. The Switch Module is connected to a large number of users, and receives many packets sent to the CPU. In this case, the CPU of the Switch Module may be attacked by packets.
- The administrator needs to know about the CPU status in real time and check whether the CPU is attacked. When potential attacks occur, the device sends alarms to the administrator to protect the CPU.
- Users on Net1 are forbidden to access the network because they often attack the CPU.
- The CPU usage occupied by ARP Request packets is reduced, because attackers may send a large number of ARP Request packets to degrade CPU performance.
Configuration Roadmap
The configuration roadmap is as follows:
- Attack source tracing provides traffic analysis and statistics, attack source identification, and alarms. Enable attack source tracing and its alarm function, and configure attack source punishment. In this way, the administrator can know about the CPU status in real time and prevent potential attacks.
- Add users on Net1 to the blacklist to prevent users on Net1 from accessing the network.
- Configure the rate limit for ARP Request packets sent to the CPU to reduce the CPU usage occupied by ARP Request packets.
Procedure
- Configure a rule for filtering packets sent to the CPU.
# Define an ACL rule.
<HUAWEI> system-view
[~HUAWEI] sysname Switch
[*HUAWEI] commit
[~Switch] acl number 2001
[*Switch-acl4-basic-2001] rule permit source 1.1.1.0 0.0.0.255
[*Switch-acl4-basic-2001] quit
- Configure an attack defense policy.
# Create an attack defense policy.
[*Switch] cpu-defend policy test1
# Enable attack source tracing.
[*Switch-cpu-defend-policy-test1] auto-defend enable
# Enable the alarm function for attack source tracing.
[*Switch-cpu-defend-policy-test1] auto-defend alarm enable
# Configure the attack source punishment as discard.
[*Switch-cpu-defend-policy-test1] auto-defend action deny
# Configure a blacklist.
[*Switch-cpu-defend-policy-test1] blacklist 1 acl 2001
# Configure the rate limit for ARP packets sent to the CPU.
[*Switch-cpu-defend-policy-test1] car packet-type arp pps 128
[*Switch-cpu-defend-policy-test1] quit
- Apply the attack defense policy globally.
[*Switch] cpu-defend-policy test1
[*Switch] commit
[~Switch] quit
- Verify the configuration.
# View information about the configured attack defense policy.
<Switch> display cpu-defend policy test1
==============================================
 Policy name: test1
 Policy applys on slot: <1>
 Car packet-type arp(pps) : 128
 Blacklist status:
----------------------------------------------
 Slot  Blacklist  State       ACL   ACLIPv6
----------------------------------------------
 1     1          Successful  2001  --
==============================================
# View the CAR configuration.
<Switch> display cpu-defend configuration all
Car configurations on slot 1 :
---------------------------------------------------
PacketType                 Status      Car(pps)
---------------------------------------------------
aaa                        Enabled     384
arp                        Enabled     128
arp-miss                   Enabled     512
bfd                        Enabled     1024
bgp                        Enabled     1024
bpdu-tunnel                Enabled     512
dhcp                       Enabled     512
dldp                       Disabled    384
efm                        Disabled    512
fcoe                       Disabled    1280
fib-hit                    Enabled     512
ftp                        Enabled     128
gmac                       Disabled    384
gre                        Disabled    256
icmp                       Enabled     512
isis                       Disabled    1024
lacp                       Disabled    128
ldt                        Disabled    512
lldp                       Enabled     384
multicast                  Enabled     512
nd                         Enabled     3072
ntp                        Enabled     128
ospf                       Disabled    1024
rip                        Disabled    512
smart-link                 Disabled    128
snmp                       Enabled     256
stp                        Enabled     256
telnet                     Enabled     256
trill                      Enabled     2048
trill-management           Enabled     512
ttl-expired                Enabled     256
udp-helper                 Disabled    256
unknown-multicast          Enabled     1024
---------------------------------------------------
Car all-packets (pps) : 5120
---------------------------------------------------
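As an added example that is not part of the Huawei documentation, the following Python check parses the output of display cpu-defend configuration all and confirms that the expected CAR values (here, 128 pps for ARP) are actually in force on the device; the sample output is abridged from the verification step above, and the function names are this example's own.

```python
import re

# Abridged "display cpu-defend configuration all" output, constructed from the
# page's verification step as sample input for this example.
SAMPLE_OUTPUT = """\
Car configurations on slot 1 :
---------------------------------------------------
PacketType                 Status      Car(pps)
---------------------------------------------------
aaa                        Enabled     384
arp                        Enabled     128
arp-miss                   Enabled     512
dldp                       Disabled    384
icmp                       Enabled     512
---------------------------------------------------
Car all-packets (pps) : 5120
---------------------------------------------------
"""

# One table row: lowercase packet type, Enabled/Disabled, rate in pps.
ROW_RE = re.compile(r"^\s*([a-z0-9-]+)\s+(Enabled|Disabled)\s+(\d+)\s*$")
# The aggregate limit printed after the table.
TOTAL_RE = re.compile(r"Car all-packets \(pps\)\s*:\s*(\d+)")


def parse_car_table(text):
    """Return ({packet_type: (enabled, pps)}, all_packets_pps)."""
    rows = {}
    total = None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[m.group(1)] = (m.group(2) == "Enabled", int(m.group(3)))
            continue
        m = TOTAL_RE.search(line)
        if m:
            total = int(m.group(1))
    return rows, total


def check_policy(text, expected):
    """Compare parsed CAR values with expected {packet_type: pps}.

    Returns a list of findings; an empty list means every expected packet
    type has CAR enabled at exactly the expected rate."""
    rows, _ = parse_car_table(text)
    findings = []
    for ptype, pps in expected.items():
        if ptype not in rows:
            findings.append(f"{ptype}: no CAR entry found")
        elif not rows[ptype][0]:
            findings.append(f"{ptype}: CAR disabled (expected {pps} pps)")
        elif rows[ptype][1] != pps:
            findings.append(f"{ptype}: CAR is {rows[ptype][1]} pps, expected {pps}")
    return findings
```

Feeding the live command output to check_policy with the rates the policy is supposed to enforce turns the manual "view the configuration" step into a repeatable compliance check.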
Configuration Files
Configuration file of Switch
#
sysname Switch
#
cpu-defend policy test1
 blacklist 1 acl 2001
 car packet-type arp pps 128
 auto-defend enable
 auto-defend action deny
 auto-defend alarm enable
 auto-defend trace-type source-mac source-ip
 auto-defend protocol all
#
cpu-defend-policy test1
#
acl number 2001
 rule 5 permit source 1.1.1.0 0.0.0.255
#
return