CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 13

This document describes the configuration of the various services supported by the CX11x, CX31x, and CX91x series switch modules. The description covers configuration examples and function configurations.
Configuration Examples

This topic provides several configuration examples of local attack defense, including networking requirements and configuration roadmaps.

Example for Configuring Local Attack Defense

Networking Requirements

As shown in Figure 12-29, users from different LANs connect to the Internet through the Switch Module. The Switch Module is connected to a large number of users, and receives many packets sent to the CPU. In this case, the CPU of the Switch Module may be attacked by packets.

  • The administrator needs to know the CPU status in real time and check whether the CPU is under attack. When a potential attack occurs, the device sends an alarm to the administrator so that the CPU can be protected.
  • Users on Net1 are forbidden to access the network because they often attack the CPU.
  • The CPU usage consumed by ARP Request packets is reduced, because attackers may send a large number of ARP Request packets to degrade CPU performance.
Figure 12-29 Networking diagram for configuring local attack defense

Configuration Roadmap

The configuration roadmap is as follows:

  1. Attack source tracing provides traffic analysis and statistics, attack source identification, and an alarm function. Enable attack source tracing and its alarm function, and configure the attack source punishment. In this way, the administrator can know the CPU status in real time and prevent potential attacks.
  2. Add users on Net1 to the blacklist to prevent users on Net1 from accessing the network.
  3. Configure the rate limit for ARP Request packets sent to the CPU to reduce the CPU usage occupied by ARP Request packets.

Procedure

  1. Configure a rule for filtering packets sent to the CPU.

    # Define an ACL rule.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch
    [*HUAWEI] commit
    [~Switch] acl number 2001
    [*Switch-acl4-basic-2001] rule permit source 1.1.1.0 0.0.0.255
    [*Switch-acl4-basic-2001] quit

  2. Configure an attack defense policy.

    # Create an attack defense policy.

    [*Switch] cpu-defend policy test1

    # Enable attack source tracing.

    [*Switch-cpu-defend-policy-test1] auto-defend enable

    # Enable the alarm function for attack source tracing.

    [*Switch-cpu-defend-policy-test1] auto-defend alarm enable

    # Configure the attack source punishment as discard.

    [*Switch-cpu-defend-policy-test1] auto-defend action deny

    # Configure a blacklist.

    [*Switch-cpu-defend-policy-test1] blacklist 1 acl 2001

    # Configure the rate limit for ARP packets sent to the CPU.

    [*Switch-cpu-defend-policy-test1] car packet-type arp pps 128
    [*Switch-cpu-defend-policy-test1] quit

  3. Apply the attack defense policy globally.

    [*Switch] cpu-defend-policy test1
    [*Switch] commit
    [~Switch] quit

  4. Verify the configuration.

    # View information about the configured attack defense policy.

    <Switch> display cpu-defend policy test1
    ==============================================
    Policy name: test1
    Policy applys on slot: <1>
    Car packet-type arp(pps) : 128
    Blacklist status:
    ----------------------------------------------
    Slot    Blacklist State       ACL    ACLIPv6
    ----------------------------------------------
    1       1         Successful  2001   --
    ==============================================

    # View the CAR configuration.

    <Switch> display cpu-defend configuration all
    Car configurations on slot 1 :                                                  
    ---------------------------------------------------                             
    PacketType            Status      Car(pps)                                      
    ---------------------------------------------------                             
    aaa                   Enabled          384                                      
    arp                   Enabled          128                                      
    arp-miss              Enabled          512                                      
    bfd                   Enabled         1024                                      
    bgp                   Enabled         1024                                      
    bpdu-tunnel           Enabled          512                                      
    dhcp                  Enabled          512                                      
    dldp                  Disabled         384                                      
    efm                   Disabled         512 
    fcoe                  Disabled        1280                                      
    fib-hit               Enabled          512                                      
    ftp                   Enabled          128                                      
    gmac                  Disabled         384                                      
    gre                   Disabled         256
    icmp                  Enabled          512                                      
    isis                  Disabled        1024                                      
    lacp                  Disabled         128                                      
    ldt                   Disabled         512                                      
    lldp                  Enabled          384                                      
    multicast             Enabled          512                                      
    nd                    Enabled         3072                                      
    ntp                   Enabled          128                                      
    ospf                  Disabled        1024                                      
    rip                   Disabled         512                                      
    smart-link            Disabled         128                                      
    snmp                  Enabled          256                                      
    stp                   Enabled          256                                      
    telnet                Enabled          256                                      
    trill                 Enabled         2048                                      
    trill-management      Enabled          512                                      
    ttl-expired           Enabled          256                                      
    udp-helper            Disabled         256                                      
    unknown-multicast     Enabled         1024                                      
    vrrp                  Disabled         256                                      
    ---------------------------------------------------                             
    Car all-packets (pps) : 5120                                                    
    ---------------------------------------------------   
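To confirm the applied state without reading the two tables in step 4 by hand, the following added Python example (my own code, not from the Huawei guide) parses the output of display cpu-defend policy and display cpu-defend configuration all and checks that blacklist 1 is bound to ACL 2001 and applied successfully and that the ARP CAR is 128 pps. The embedded sample output is a constructed excerpt of the output shown above, and the function names are assumptions of this example.

```python
# Added example, not from the Huawei guide: parse the output of
# 'display cpu-defend policy <name>' and 'display cpu-defend configuration all'
# and check that the switch module's state matches what this example configures.
import re

# Constructed excerpt of the verification-step output (a real check would
# read the text from an SSH session to the switch module).
POLICY_OUTPUT = """\
Policy name: test1
Car packet-type arp(pps) : 128
Blacklist status:
Slot    Blacklist State       ACL    ACLIPv6
1       1         Successful  2001   --
"""
CAR_OUTPUT = """\
Car configurations on slot 1 :
PacketType            Status      Car(pps)
arp                   Enabled          128
arp-miss              Enabled          512
Car all-packets (pps) : 5120
"""
# Blacklist row: slot, blacklist id, state, IPv4 ACL or --, IPv6 ACL or --
BLACKLIST_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\w+)\s+(\d+|--)\s+(\d+|--)$")
# CAR row: packet type, Enabled/Disabled, rate in pps
CAR_RE = re.compile(r"^([\w-]+)\s+(Enabled|Disabled)\s+(\d+)$")

def parse_blacklists(text):
    # Returns {(slot, blacklist_id): (state, ipv4_acl)}
    entries = {}
    for line in text.splitlines():
        m = BLACKLIST_RE.match(line.strip())
        if m:
            slot, bl_id, state, acl, _ipv6 = m.groups()
            entries[(int(slot), int(bl_id))] = (state, acl)
    return entries

def parse_car(text):
    # Returns {packet_type: (enabled, pps)}
    car = {}
    for line in text.splitlines():
        m = CAR_RE.match(line.strip())
        if m:
            ptype, status, pps = m.groups()
            car[ptype] = (status == "Enabled", int(pps))
    return car

def check_policy(policy_text, car_text, acl="2001", arp_pps=128):
    # Returns a list of deviations from the expected state; [] means OK
    findings = []
    blacklists = parse_blacklists(policy_text)
    if not any(s == "Successful" and a == acl for s, a in blacklists.values()):
        findings.append(f"no successfully applied blacklist bound to ACL {acl}")
    enabled, pps = parse_car(car_text).get("arp", (False, None))
    if not (enabled and pps == arp_pps):
        findings.append(f"arp CAR is {pps} pps, enabled={enabled}; expected {arp_pps}")
    return findings
```

Run check_policy on the output of both commands after each change; a non-empty list means the policy on the device has drifted from the intended configuration.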

Configuration Files

Configuration file of Switch

#
sysname Switch
#
cpu-defend policy test1
 blacklist 1 acl 2001
 car packet-type arp pps 128
 auto-defend enable
 auto-defend action deny
 auto-defend alarm enable
 auto-defend trace-type source-mac source-ip
 auto-defend protocol all
#
cpu-defend-policy test1
#
acl number 2001
 rule 5 permit source 1.1.1.0 0.0.0.255
#
return
Updated: 2019-12-13

Document ID: EDOC1000041694
