CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

This document describes the configuration of the services supported by the CX11x, CX31x, and CX91x series switch modules. The description covers configuration examples and function configurations.
Configuring Local Attack Defense

This section describes the procedures for configuring local attack defense.

Configuring CPU Attack Defense

With the CPU attack defense function, the device limits the rate of packets sent to the CPU to protect the CPU.

Pre-configuration Tasks

Before configuring CPU attack defense, complete the following tasks:

  • Connecting interfaces and setting physical parameters for the interfaces to ensure that the physical status of the interfaces is Up
  • Configuring an ACL for the blacklist if necessary

Configuration Process

Before configuring CPU attack defense, create an attack defense policy first. The other tasks are performed in any sequence and can be selected as required. An attack defense policy takes effect only after it is applied to an object. There is no limitation on when the attack defense policy is applied.

Creating an Attack Defense Policy

Context

Before configuring local attack defense in an attack defense policy, you must create an attack defense policy.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    cpu-defend policy policy-name

    An attack defense policy is created and the attack defense policy view is displayed.

    The device supports a maximum of 17 attack defense policies, including the devicename-default attack defense policy. The devicename-default attack defense policy is generated in the system by default and is applied to the device. The devicename-default attack defense policy cannot be deleted or modified. The other 16 policies can be created, modified and deleted.

  3. (Optional) Run:

    description text

    The description of the attack defense policy is configured.

    By default, no description is configured for an attack defense policy.

  4. Run:

    commit

    The configuration is committed.

Configuring a Blacklist

Context

A blacklist is a group of users with the specific characteristics. You can apply an ACL to a blacklist to add users with the specific characteristics to the blacklist. The device discards packets from users in the blacklist.

If the destination or dscp parameter is specified in an advanced ACL6 that is referenced by a blacklist, the blacklist is invalid.

NOTE:

You are advised not to use the blacklist containing the ACL that defines the VPN instance.

It is not recommended that you specify the neq parameter in the source-port and destination-port rules of advanced ACL6 referenced by a blacklist.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    cpu-defend policy policy-name

    The attack defense policy view is displayed.

  3. Run:

    blacklist blacklist-id acl { acl-number | ipv6 acl6-number }

    A blacklist is created.

    A maximum of eight blacklists can be configured on the device.

    The ACL applied to a blacklist can be a basic ACL, an advanced ACL, a basic ACL6, an advanced ACL6, or a Layer 2 ACL. For details on how to create an ACL, see ACL Configuration.

    By default, no blacklist is configured on the device.

    NOTE:

    The blacklists are restored in the ascending order of blacklist IDs (blacklist-id).

  4. Run:

    commit

    The configuration is committed.

Configuring a Rule for Sending Packets to the CPU

Context

To reduce the number of packets sent to the CPU and prevent different types of packets from affecting each other, the switch limits the rate of packets sent to the CPU in two modes: a rate limit for protocol packets and a rate limit for all packets on an interface. The rate limit for protocol packets has a higher priority than the rate limit for all packets on an interface. When both rate limiting methods are configured, the device uses the smaller of the two values to limit the packet rate.

NOTE:

The default CAR value is recommended.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Configure a rule for sending packets to the CPU.

    Run:

    cpu-defend policy policy-name

    The attack defense policy view is displayed.

    You can configure the rate limit on protocol packets and rate limit for all packets on an interface in the attack defense policy view.

    • Configuring the rate limit for protocol packets

      The action to be performed on protocol packets sent to the CPU can be car or deny. When you configure the action to be performed on packets of the same protocol, the latest configuration takes effect.

      • Run:

        car packet-type packet-type pps pps-value

        The CAR value (rate threshold, in pps) for packets of the specified type sent to the CPU is set.

      • Run:

        deny packet-type packet-type

        The action taken for the packets sent to the CPU is set to deny.

      By default, the rate of packets sent to the CPU is limited using the rate limit in the default policy. You can run the display cpu-defend configuration command to check the CAR values of packets.

    • Setting the interface-based rate limit

      Run:

      car all-packets pps packets

      The number of packets sent from CPU interfaces to the CPU within a certain period is limited.

      By default, a maximum of 5120 packets can be sent to the CPU of the device per second. However, the GE switching planes of the CX111&CX915 switch modules and of the CX110 switch module send a maximum of 2000 packets to the CPU per second.

      NOTE:

      The car all-packets pps command is required only when the current CAR configuration cannot reduce the high CPU usage.

  3. Run:

    commit

    The configuration is committed.

Applying an Attack Defense Policy

Context

After an attack defense policy is created, you must apply the attack defense policy to the device in the system view. Otherwise, the attack defense policy does not take effect.

Only one attack defense policy can be applied to the device.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    cpu-defend-policy policy-name [ slot slot-id | batch slot { slot-id1 [ to slot-id2 ] } &<1-12> ]

    The attack defense policy is applied.

  3. Run:

    commit

    The configuration is committed.

Checking the Configuration

Procedure

  • Run the display cpu-defend policy [ policy-name ] command to check the attack defense policy.
  • Run the display cpu-defend statistics [ packet-type packet-type ] { all | slot slot-id } command to check statistics on packets sent to the CPU.
  • Run the display cpu-defend rate [ packet-type packet-type ] { all | slot slot-id } command to check the rate limit of protocol packets sent to the CPU.
  • Run the display cpu-defend configuration [ packet-type packet-type ] { all | slot slot-id } command to check the CAR configuration for protocol packets sent to the CPU.
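The following is an added example, not taken from the guide, that strings the CPU attack defense steps above into one session. The policy name cpu-protect, ACL 2001 and its source subnet 192.0.2.0/24, the ARP CAR value of 100 pps, the use of arp as a packet-type value, and slot 1 are all assumed values for illustration; check the ACL Configuration section and the command reference for the exact ACL syntax and supported packet types on your module.

```text
# Enter the system view and create a basic ACL that matches the sources
# to be blacklisted (subnet is constructed for this example).
system-view
acl number 2001
rule permit source 192.0.2.0 0.0.0.255
quit

# Create the attack defense policy (at most 16 user-defined policies).
cpu-defend policy cpu-protect
description Drop blacklisted sources and rate-limit ARP to the CPU

# Blacklist 1 references ACL 2001; packets from these sources are discarded.
blacklist 1 acl 2001

# Protocol-specific CAR (assumed packet type arp): this has priority over
# the interface-based rate limit, and the smaller value wins when both apply.
car packet-type arp pps 100

commit
quit

# Apply the policy to the device; only one policy can be active.
cpu-defend-policy cpu-protect slot 1
commit

# Verify the policy, the CAR configuration and the per-type statistics.
display cpu-defend policy cpu-protect
display cpu-defend configuration packet-type arp slot 1
display cpu-defend statistics packet-type arp slot 1
```

Leave car all-packets at its default (5120 pps, or 2000 pps on the GE switching planes named above) unless the protocol CAR values alone cannot bring CPU usage down, as the note in the procedure recommends.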

Configuring Attack Source Tracing

Attack source tracing enables the device to check attack packets sent to the CPU and notify the administrator by sending logs or alarms so that the administrator can take measures to defend against attacks.

Pre-configuration Tasks

Before configuring attack source tracing, complete the following task:

  • Connecting interfaces and setting physical parameters for the interfaces to ensure that the physical status of the interfaces is Up

Configuration Process

To configure attack source tracing, you must first create an attack defense policy. All other configuration tasks are optional, are not listed in sequence, and can be configured as required. An attack defense policy takes effect only after it is applied; it can be applied at any time after it is created.

Creating an Attack Defense Policy

Context

Before configuring local attack defense in an attack defense policy, you must create an attack defense policy.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    cpu-defend policy policy-name

    An attack defense policy is created and the attack defense policy view is displayed.

    The device supports a maximum of 17 attack defense policies, including the devicename-default attack defense policy. The devicename-default attack defense policy is generated in the system by default and is applied to the device. The devicename-default attack defense policy cannot be deleted or modified. The other 16 policies can be created, modified and deleted.

  3. (Optional) Run:

    description text

    The description of the attack defense policy is configured.

    By default, no description is configured for an attack defense policy.

  4. Run:

    commit

    The configuration is committed.

Configuring the Threshold for Attack Source Tracing

Context

A large number of attack packets may attack the CPUs of network devices. You can configure attack source tracing and set the alarm threshold for attack source tracing so that the device can analyze packets sent to the CPU. If the number of protocol packets sent from an attack source in a specified period exceeds the alarm threshold, the device sends logs or alarms to notify the administrator so that the administrator can take measures to defend against the attacks.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    cpu-defend policy policy-name

    The attack defense policy view is displayed.

  3. Run:

    auto-defend enable

    Automatic attack source tracing is enabled.

    By default, automatic attack source tracing is disabled.

  4. Run:

    auto-defend threshold threshold

    The checking threshold for attack source tracing is set.

    By default, the checking threshold for attack source tracing is 128 pps.

  5. Run:

    commit

    The configuration is committed.

Setting the Packet Sampling Ratio for Attack Source Tracing

Context

Attack source tracing samples packets to identify attacks. Errors may occur in attack packet identification or packet rate calculation. A proper packet sampling ratio reduces errors. A small sampling ratio makes the attack source tracing result accurate, but increases CPU usage.

For example, when the sampling ratio is set to 1, every packet is sampled. The attack source tracing result is accurate, but CPU usage is high because every packet is parsed. If the sampling ratio is set to a proper value, the attack source tracing result remains accurate and CPU usage stays within a normal range. Choose a value based on the required attack source tracing precision and the acceptable CPU usage.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    cpu-defend policy policy-name

    The attack defense policy view is displayed.

  3. Run:

    auto-defend enable

    Automatic attack source tracing is enabled.

    By default, automatic attack source tracing is disabled.

  4. Run:

    auto-defend attack-packet sample sample-value

    The sampling ratio for attack source tracing is set.

    By default, the packet sampling ratio is 8.

  5. Run:

    commit

    The configuration is committed.

Configuring an Attack Source Tracing Mode

Context

After attack source tracing is enabled, the device uses a specified mode to trace attack sources. The device supports the following attack source tracing modes:
  • Source IP address-based tracing: defends against Layer 3 attack packets.
  • Source MAC address-based tracing: defends against Layer 2 attack packets with a fixed source MAC address.
  • Source port+VLAN based tracing: defends against Layer 2 attack packets with different source MAC addresses.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    cpu-defend policy policy-name

    The attack defense policy view is displayed.

  3. Run:

    auto-defend enable

    Automatic attack source tracing is enabled.

    By default, automatic attack source tracing is disabled.

  4. Run:

    auto-defend trace-type { source-ip | source-mac | source-portvlan } *

    The attack source tracing mode is specified.

    By default, the attack source tracing modes based on source MAC addresses and source IP addresses are supported.

  5. Run:

    commit

    The configuration is committed.

Configuring the Types of Traced Packets

Context

When an attack occurs, the device traces packets of many types at once, so the administrator cannot easily identify the type of attack packets. You can specify the types of traced packets as required, and the device then traces only the sources of the specified packets.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    cpu-defend policy policy-name

    The attack defense policy view is displayed.

  3. Run:

    auto-defend enable

    Automatic attack source tracing is enabled.

    By default, automatic attack source tracing is disabled.

  4. Run:

    auto-defend protocol { all | { arp | dhcp | dhcpv6 | icmp | icmpv6 | igmp | mld | nd | ttl-expired } * }

    The type of traced packets is specified.

    By default, the device traces sources of Address Resolution Protocol (ARP), Dynamic Host Configuration Protocol (DHCP), DHCPv6, Internet Control Message Protocol (ICMP), ICMPv6, Multicast Listener Discovery Protocol (MLD), Neighbor Discovery Protocol (ND), Internet Group Management Protocol (IGMP), and Time To Live-expired (TTL-expired) packets in attack source tracing.

  5. Run:

    commit

    The configuration is committed.

Configuring a Whitelist for Attack Source Tracing

Context

Attack source tracing helps locate and punish sources of denial of service (DoS) attacks. If some users do not need to be traced regardless of whether an attack occurs, configure a whitelist for the users.

NOTE:
  • Before referencing an ACL in a whitelist, create the ACL and configure rules.

  • If the ACL referenced by the whitelist specifies some protocols, ensure that packets of these protocols can be traced. If a specified protocol is not supported by attack source tracing, you can run the auto-defend protocol command to configure attack source tracing to support the protocol.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    cpu-defend policy policy-name

    The attack defense policy view is displayed.

  3. Run:

    auto-defend enable

    Automatic attack source tracing is enabled.

    By default, automatic attack source tracing is disabled.

  4. Run:

    auto-defend whitelist whitelist-number { acl { acl-number | ipv6 acl6-number }  | interface interface-type interface-number }

    A whitelist is configured.

    By default, no whitelist is configured.

  5. Run:

    commit

    The configuration is committed.

Configuring the Alarm Function for Attack Source Tracing

Context

An attack source may send packets of a specified type to the device. After you enable the alarm function of attack source tracing and configure an alarm threshold, the device generates alarms when the number of packets sent in a specified period exceeds the threshold. This helps protect the device against attacks.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    cpu-defend policy policy-name

    The attack defense policy view is displayed.

  3. Run:

    auto-defend enable

    Automatic attack source tracing is enabled.

    By default, automatic attack source tracing is disabled.

  4. Configure the alarm function for attack source tracing.
    1. Run:

      auto-defend alarm enable

      The alarm function for attack source tracing is enabled.

      By default, the alarm function for attack source tracing is disabled.

    2. Run:

      auto-defend alarm threshold threshold

      The alarm threshold for attack source tracing is set.

      By default, the alarm threshold for attack source tracing is 128 pps.

  5. Run:

    commit

    The configuration is committed.

Configuring Attack Source Punishment

Context

After attack source punishment is enabled, the device identifies the attack source and then either discards packets from the attack source or sets the interface that receives the packets to the error-down state, preventing the device from being attacked.

If the device error downs the interface that receives the attack packets, services of authorized users on the interface are interrupted. Exercise caution when you configure the device to shut down the interface.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    cpu-defend policy policy-name

    The attack defense policy view is displayed.

  3. Run:

    auto-defend enable

    Automatic attack source tracing is enabled.

    By default, automatic attack source tracing is disabled.

  4. Run:

    auto-defend action { deny [ timeout time-length ] | error-down }

    Attack source punishment is enabled and a punishment is configured.

    By default, attack source punishment is disabled.

    NOTE:

    The device does not trace the source of users in the whitelist.

  5. Run:

    commit

    The configuration is committed.

Applying an Attack Defense Policy

Context

After an attack defense policy is created, you must apply the attack defense policy to the device in the system view. Otherwise, the attack defense policy does not take effect.

Only one attack defense policy can be applied to the device.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    cpu-defend-policy policy-name [ slot slot-id | batch slot { slot-id1 [ to slot-id2 ] } &<1-12> ]

    The attack defense policy is applied.

  3. Run:

    commit

    The configuration is committed.

Checking the Configuration

Procedure

  • Run the display auto-defend attack-source [ slot slot-id ] command to check attack sources.
  • Run the display cpu-defend policy [ policy-name ] command to check the attack defense policy.
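The following is an added example, not taken from the guide, that combines the attack source tracing steps above (threshold, sampling ratio, tracing mode, traced protocols, whitelist, alarm, punishment) into one policy. The policy name cpu-protect, ACL 2002 and its management subnet 198.51.100.0/24, the threshold of 200 pps, the sampling ratio of 4, the deny timeout value of 300, and slot 1 are assumed values for illustration; the unit of the timeout value is not stated on this page, so confirm it in the command reference.

```text
# Enter the system view and create an ACL for hosts that must never be
# traced or punished (subnet is constructed for this example).
system-view
acl number 2002
rule permit source 198.51.100.0 0.0.0.255
quit

# Create (or enter) the attack defense policy and enable tracing; all of the
# auto-defend settings below are ignored until this is on.
cpu-defend policy cpu-protect
auto-defend enable

# Checking threshold (default 128 pps) and sampling ratio (default 8):
# a lower ratio is more accurate but costs more CPU, as the context explains.
auto-defend threshold 200
auto-defend attack-packet sample 4

# Trace by source IP, source MAC, and source port+VLAN; the last mode catches
# Layer 2 floods that rotate source MAC addresses.
auto-defend trace-type source-ip source-mac source-portvlan

# Trace only the protocols of interest instead of the default full set.
auto-defend protocol arp dhcp icmp

# Whitelist 1 references ACL 2002; these sources are not traced or punished.
auto-defend whitelist 1 acl 2002

# Alarm when a source exceeds the alarm threshold (default 128 pps).
auto-defend alarm enable
auto-defend alarm threshold 200

# Punish by dropping the source's packets for the timeout period; deny is
# preferred over error-down, which would also cut off legitimate users on
# the interface.
auto-defend action deny timeout 300

commit
quit

# Apply the policy and verify which sources have been identified.
cpu-defend-policy cpu-protect slot 1
commit
display auto-defend attack-source slot 1
display cpu-defend policy cpu-protect
```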
Updated: 2019-08-09

Document ID: EDOC1000041694