Campus Internal Network Security
This section describes deployment suggestions and configuration examples for internal network security policies, covering device login security, security at the different network layers, and wireless service security. You can deploy the functions based on service requirements.
Deployment Roadmap
Function | Description | Application Scenario
---|---|---
Local device login through the console port | You need to configure an authentication mode and a user level for the console user interface. | You want to log in to the device through the console port while improving local login security.
Remote device login using STelnet | You need to configure a protocol type, an authentication mode, and a user level for the VTY user interface. | You want to remotely log in to the device while ensuring remote login security, especially on an insecure network, by using SSH.
Function | Description | Application Scenario | Deployment Location | Default Setting
---|---|---|---|---
Traffic suppression | Discards or blocks broadcast, unknown multicast, or unknown unicast packets when their rate exceeds the specified threshold. | You are advised to configure this function on the internal connection interfaces of a network to reduce the network-wide service impact of broadcast storms caused by loops. | Downlink interface or VLAN |
Storm control | Blocks the packets or shuts down the interface when the rate of broadcast, unknown multicast, or unknown unicast packets exceeds the specified threshold. | On a tree network with a downstream user network, you are advised to configure this function to prevent storms on the user network from spreading over the entire network. | Downlink interface | Disabled
DHCP snooping | Allows the device to exchange DHCP packets with the DHCP server only through the trusted interface and to generate DHCP snooping binding entries from them; DHCP packets received on untrusted interfaces are checked against the binding entries and discarded if they do not match. | When a host obtains an IP address through DHCP, you are advised to configure this function on the access device directly above the DHCP client to ensure that the client obtains its IP address from a valid DHCP server. This prevents bogus DHCP server attacks, bogus DHCP packet attacks, and DHCP flood attacks. | Downlink interface or VLAN. NOTE: An uplink interface directly or indirectly connected to a DHCP server is configured as a trusted interface. | Disabled
IP Source Guard (IPSG) | Checks IP packets against a static binding table, the DHCP snooping binding table, or the ND snooping binding table, and discards IP packets that do not match the binding table. | When a host obtains an IP address through DHCP or uses a static IP address, you are advised to configure this function on the access device directly connected to users to prevent unauthorized hosts from forging the IP addresses of authorized hosts or changing their IP addresses to attack the network. | Downlink interface or VLAN | Disabled
ND snooping | Checks neighbor discovery (ND) packets against ND snooping binding entries, which are built from the neighbor solicitation (NS) packets of the duplicate address detection (DAD) process, and discards ND packets that do not match the binding entries. | If no DHCPv6 server is deployed on the network and hosts obtain IPv6 addresses only through stateless address autoconfiguration, you are advised to configure this function to prevent address spoofing attacks and RA attacks. | Downlink interface or VLAN | Disabled
Dynamic ARP inspection (DAI) | Checks ARP packets against DHCP snooping binding entries and discards ARP packets that do not match the binding entries. | To prevent man-in-the-middle attacks that use forged ARP packets to steal data exchanged between communicating parties, you are advised to configure this function. | Downlink interface or VLAN | Disabled
Port security | Converts the dynamic MAC addresses learned on an interface into secure MAC addresses to prevent unauthorized users from communicating with the switch through that interface. | To enhance host access security, you are advised to configure this function to limit the number of access hosts or to prevent attacks initiated by bogus hosts through other interfaces. | Downlink interface | Disabled
Port isolation | Adds interfaces to an isolation group and configures the isolation mode and unidirectional or bidirectional isolation. | To implement Layer 2 isolation, or both Layer 2 and Layer 3 isolation, between interfaces in the same VLAN, you are advised to configure this function. | Downlink interface | Disabled
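The binding-entry logic that the table describes in prose (trusted versus untrusted interfaces for DHCP snooping, IPSG on IP packets, DAI on ARP packets) is made concrete below in a Python model added here; it is not part of the vendor documentation. Interface names, MAC and IP addresses and the packet sequence are constructed for the demonstration.

```python
from dataclasses import dataclass

# DHCP message types (option 53). OFFER and ACK are only ever sent by servers.
DISCOVER, OFFER, REQUEST, ACK, RELEASE = 1, 2, 3, 5, 7
SERVER_MSGS = {OFFER, ACK}

@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding entry: MAC, IP, VLAN and client interface."""
    mac: str
    ip: str
    vlan: int
    interface: str

@dataclass
class Dhcp:
    msg_type: int
    chaddr: str                 # client hardware address
    yiaddr: str = "0.0.0.0"     # address assigned by the server (OFFER/ACK)
    ciaddr: str = "0.0.0.0"     # address the client already holds (RELEASE)

@dataclass
class Frame:
    """Non-DHCP user traffic: an IP packet or an ARP packet with its L2/L3 source."""
    src_mac: str
    src_ip: str
    kind: str                   # "ip" (checked by IPSG) or "arp" (checked by DAI)

class AccessSwitch:
    def __init__(self, trusted_interfaces):
        self.trusted = set(trusted_interfaces)   # uplink(s) towards the DHCP server
        self.pending = {}                        # (vlan, mac) -> interface of the requesting client
        self.bindings = {}                       # (vlan, mac) -> Binding
        self.log = []

    def dhcp(self, iface, vlan, pkt):
        """DHCP snooping. Returns True if the packet is forwarded."""
        key = (vlan, pkt.chaddr)
        if pkt.msg_type in SERVER_MSGS:
            if iface not in self.trusted:
                # A server reply arriving on a user-facing interface is a bogus DHCP server.
                self.log.append(f"DHCP: dropped server message {pkt.msg_type} on untrusted {iface}")
                return False
            if pkt.msg_type == ACK and key in self.pending:
                self.bindings[key] = Binding(pkt.chaddr, pkt.yiaddr, vlan, self.pending.pop(key))
            return True
        if iface in self.trusted:
            return True          # client messages arriving from upstream are not snooped here
        if pkt.msg_type == RELEASE:
            # A RELEASE that does not match the binding would tear down another user's lease.
            b = self.bindings.get(key)
            if b is None or b.ip != pkt.ciaddr or b.interface != iface:
                self.log.append(f"DHCP: dropped RELEASE for {pkt.ciaddr} from {pkt.chaddr} on {iface}")
                return False
            del self.bindings[key]
            return True
        if pkt.msg_type in (DISCOVER, REQUEST):
            self.pending[key] = iface
        return True

    def forward(self, iface, vlan, frame):
        """IPSG (kind 'ip') or DAI (kind 'arp') on untrusted interfaces: the source
        MAC/IP pair must match a binding learned on this very interface and VLAN."""
        if iface in self.trusted:
            return True
        b = self.bindings.get((vlan, frame.src_mac))
        ok = b is not None and b.ip == frame.src_ip and b.interface == iface
        if not ok:
            feature = "IPSG" if frame.kind == "ip" else "DAI"
            self.log.append(f"{feature}: dropped {frame.src_ip}/{frame.src_mac} on {iface}")
        return ok

def demo():
    """Constructed scenario: a valid client, a bogus DHCP server and a spoofing host."""
    sw = AccessSwitch(trusted_interfaces={"GE0/0/2"})
    results = [
        # valid client on GE0/0/1 requests an address; the ACK comes back over the trusted uplink
        sw.dhcp("GE0/0/1", 10, Dhcp(REQUEST, "00e0-fc01-0001")),
        sw.dhcp("GE0/0/2", 10, Dhcp(ACK, "00e0-fc01-0001", yiaddr="10.0.0.1")),
        # bogus DHCP server on user interface GE0/0/3 tries to hand out an address
        sw.dhcp("GE0/0/3", 10, Dhcp(OFFER, "00e0-fc01-0001", yiaddr="10.0.0.200")),
        # the bound client sends IP and ARP traffic with its bound address
        sw.forward("GE0/0/1", 10, Frame("00e0-fc01-0001", "10.0.0.1", "ip")),
        sw.forward("GE0/0/1", 10, Frame("00e0-fc01-0001", "10.0.0.1", "arp")),
        # spoofing host on GE0/0/3: ARP with a forged sender IP, then IP with a cloned MAC
        sw.forward("GE0/0/3", 10, Frame("00e0-fc09-0009", "10.0.0.1", "arp")),
        sw.forward("GE0/0/3", 10, Frame("00e0-fc01-0001", "10.0.0.1", "ip")),
    ]
    return results, sw

if __name__ == "__main__":
    results, sw = demo()
    print(results)
    print("\n".join(sw.log))
```

The last two frames show why the binding is keyed on interface as well as MAC and IP: cloning a legitimate MAC/IP pair on another port still fails the check.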
Suggestion | Description
---|---
If a core device functions as the user gateway and an aggregation device connects to multiple access devices for Layer 2 forwarding of service traffic, you only need to configure port isolation. | Port isolation allows terminals connected to different access devices to communicate with each other at Layer 2.
If an aggregation device functions as the user gateway, you can deploy security policies by referring to security policy deployment for core devices. | -
If an aggregation device connects to terminals, you can deploy security policies by referring to security policy deployment for access devices. | -
Dimension | Function | Description | Application Scenario | Default Setting
---|---|---|---|---
CPU security (Local attack defense) | CPU attack defense | Limits the number of packets sent to the CPU within a specified period to protect the CPU. | If a large number of packets are sent to the CPU or malicious packet attacks occur, the CPU usage becomes high and performance deteriorates, affecting other services. In this case, you are advised to configure local attack defense. | Enabled
 | Attack source tracing | Locates the source user address or interface of attack packets and sends logs or alarms to the administrator, who can then take measures based on the configuration to defend against the attack. | | Enabled
 | Port attack defense | Traces the source of, and rate-limits, packets from an interface whose packet rate exceeds the threshold, so that protocol packets from an attacked interface cannot exhaust the bandwidth to the CPU and starve packets from normal interfaces. | | Enabled
 | User-level rate limiting | Rate-limits packets sent from specified users to the CPU based on MAC addresses, protecting other users from an attack initiated by one user. | | Enabled
ARP security (Defense against ARP flood attacks) | Rate limiting on ARP packets | Prevents the CPU from being overloaded when the device is busy processing a large number of ARP packets. | |
 | Rate limiting on ARP Miss messages | Prevents the device from processing a large number of packets with unresolvable destination IP addresses and generating a large number of ARP Miss messages. | |
 | Temporary ARP entry aging | Reduces the frequency of triggering ARP Miss messages. | | Aging time of temporary ARP entries: 3s
 | Prohibiting the device from sending ARP packets destined for other devices to the CPU | Enables the device to directly forward ARP packets destined for other devices without sending them to the CPU, improving its capability of defending against ARP flood attacks. | | Enabled
 | Optimized ARP reply | Enables the standby or slave switch in a stack to directly return an ARP Reply packet when it receives an ARP Request packet whose destination IP address is the local interface address, improving the stack's capability of defending against ARP flood attacks. | | Enabled
 | Strict ARP learning | Enables the device to learn ARP entries only from ARP Reply packets that answer ARP Request packets it has sent, preventing ARP entry resources from being exhausted by invalid entries created from a large number of ARP attack packets. | | Disabled
 | ARP entry limiting | Limits the maximum number of dynamic ARP entries that can be learned on an interface, preventing ARP entries from being consumed by ARP attack packets sent by a host connected to the interface. | | The maximum number of ARP entries that an interface can dynamically learn is the same as the number of ARP entries supported by the device.
 | Disabling ARP learning on an interface | Prevents ARP entries from being consumed by ARP attack packets sent by a host connected to the interface. | | Enabled
ARP security (Defense against ARP spoofing attacks) | Fixed ARP | After the device learns an ARP entry for the first time, prevents the entry from being updated, allows only part of the entry to be updated, or sends a unicast ARP Request packet to check the validity of the ARP packet that triggers the update, ensuring that valid ARP entries are not replaced by attackers using forged ARP packets. | | Enabled
 | ARP gateway anti-collision | Prevents users from forging the gateway address to send ARP packets and modifying the ARP entries of other users on the network. | | Disabled
 | ARP gateway protection | Protects a gateway address, preventing users from forging the gateway address to send ARP packets and modifying the ARP entries of other users on the network. | | Disabled
 | Gratuitous ARP packet sending | Allows the device used as the gateway to periodically send ARP Request packets whose destination IP address is its own IP address, refreshing the gateway MAC address in user ARP entries so that packets of authorized users are forwarded to the gateway and cannot be intercepted by attackers. | | Disabled
 | MAC address consistency check in an ARP packet | Prevents attacks from bogus ARP packets in which the source and destination MAC addresses differ from those in the Ethernet frame header. | | Disabled
 | ARP packet validity check | Enables the device to filter out ARP packets with invalid MAC addresses or IP addresses. | | Disabled
 | Strict ARP learning | Enables the device to learn ARP entries only from ARP Reply packets that answer ARP Request packets it has sent, preventing ARP entry resources from being exhausted by invalid entries created from a large number of ARP attack packets. | | Disabled
 | ARP learning triggered by DHCP | Enables the device to generate ARP entries from received DHCP ACK packets, preventing the aging and relearning of many ARP entries from affecting device performance and the network when many DHCP users connect to a network device. | | Disabled
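The ARP checks that the table lists in prose (MAC address consistency check, ARP packet validity check and strict ARP learning) are shown below as a Python model added here, not the vendor's code: frames are parsed from raw bytes, and a gateway with strict learning accepts a Reply only when it answers a Request the gateway itself sent. The validity rules are modelled on the table's descriptions; all MAC addresses, IP addresses and frames are constructed.

```python
import struct
from ipaddress import IPv4Address

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")     # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
REQUEST, REPLY = 1, 2

def mac(text):
    """Huawei-style 'xxxx-xxxx-xxxx' MAC text to 6 bytes."""
    return bytes.fromhex(text.replace("-", ""))

def build(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    """Construct an Ethernet/ARP frame; header MACs may deliberately differ from the ARP MACs."""
    return ETH.pack(mac(eth_dst), mac(eth_src), ETHERTYPE_ARP) + ARP.pack(
        1, 0x0800, 6, 4, oper, mac(sha), IPv4Address(spa).packed, mac(tha), IPv4Address(tpa).packed)

def parse(frame):
    eth_dst, eth_src, etype = ETH.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, oper, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    return {"eth_dst": eth_dst, "eth_src": eth_src, "oper": oper, "sha": sha,
            "spa": IPv4Address(spa), "tha": tha, "tpa": IPv4Address(tpa)}

def invalid_ip(ip):
    """Modelled 'packet-check ip' rule: all-zero, all-one and multicast addresses are invalid."""
    return ip in (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")) or ip.is_multicast

def drop_reasons(arp):
    """MAC consistency and validity checks; an empty list means the packet passes."""
    reasons = []
    if arp["sha"] != arp["eth_src"]:                 # 'arp validate source-mac' / 'packet-check sender-mac'
        reasons.append("sender MAC differs from Ethernet source MAC")
    if arp["oper"] == REPLY and arp["tha"] != arp["eth_dst"]:   # 'destination-mac' / 'dst-mac' on replies
        reasons.append("target MAC differs from Ethernet destination MAC")
    if arp["sha"][0] & 1:                             # a multicast or broadcast sender MAC is never valid
        reasons.append("multicast or broadcast sender MAC")
    if invalid_ip(arp["spa"]) or invalid_ip(arp["tpa"]):
        reasons.append("invalid sender or target IP")
    return reasons

class GatewayArp:
    """Gateway ARP cache with strict learning: a Reply is learned only if it is addressed
    to this device and answers a Request this device sent."""

    def __init__(self, own_ip, own_mac):
        self.own_ip, self.own_mac = IPv4Address(own_ip), mac(own_mac)
        self.pending = set()      # IPs we have sent a Request for
        self.table = {}           # IP (str) -> MAC (bytes)
        self.dropped = []         # (sender IP, reasons)

    def send_request(self, ip):
        self.pending.add(IPv4Address(ip))

    def receive(self, frame):
        arp = parse(frame)
        reasons = drop_reasons(arp)
        if not reasons and arp["oper"] == REPLY:
            if arp["tpa"] != self.own_ip or arp["tha"] != self.own_mac:
                reasons.append("reply not addressed to this gateway")
            elif arp["spa"] not in self.pending:
                reasons.append("unsolicited reply (strict learning)")
        if reasons:
            self.dropped.append((str(arp["spa"]), reasons))
            return False
        if arp["oper"] == REPLY:
            self.pending.discard(arp["spa"])
            self.table[str(arp["spa"])] = arp["sha"]
        return True           # valid Requests are answered but, in strict mode, never learned from

def demo():
    """Constructed frames against a gateway at 10.1.1.1 / 00e0-fc00-0001."""
    gw = GatewayArp("10.1.1.1", "00e0-fc00-0001")
    gw.send_request("10.1.1.10")
    frames = [
        # legitimate answer to our Request
        build("00e0-fc00-0001", "00e0-fc01-0001", REPLY, "00e0-fc01-0001", "10.1.1.10", "00e0-fc00-0001", "10.1.1.1"),
        # forged Reply: ARP sender MAC impersonates the host, Ethernet source is another NIC
        build("00e0-fc00-0001", "00e0-fc09-0009", REPLY, "00e0-fc01-0001", "10.1.1.10", "00e0-fc00-0001", "10.1.1.1"),
        # consistent but unsolicited Reply for an address we never asked about
        build("00e0-fc00-0001", "00e0-fc09-0009", REPLY, "00e0-fc09-0009", "10.1.1.20", "00e0-fc00-0001", "10.1.1.1"),
        # Request with an all-zero sender IP
        build("ffff-ffff-ffff", "00e0-fc02-0002", REQUEST, "00e0-fc02-0002", "0.0.0.0", "0000-0000-0000", "10.1.1.1"),
        # ordinary Request for the gateway: passed on to ARP processing, nothing learned
        build("ffff-ffff-ffff", "00e0-fc02-0002", REQUEST, "00e0-fc02-0002", "10.1.1.2", "0000-0000-0000", "10.1.1.1"),
    ]
    return [gw.receive(f) for f in frames], gw

if __name__ == "__main__":
    print(demo()[0])
```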
Function | Description | Application Scenario | Default Setting
---|---|---|---
Wireless Intrusion Detection System (WIDS) and Wireless Intrusion Prevention System (WIPS) | | To protect enterprises and users against unauthorized access from wireless networks and to detect unauthorized users or APs, you are advised to configure this function. |
Security policy | Authenticates STAs and encrypts user packets through WLAN security policies, including open system authentication, WEP, WPA/WPA2-PSK, WPA/WPA2-802.1X, WAPI-PSK, and WAPI-certificate. | To ensure the security of wireless users, you are advised to configure this function to implement link authentication during wireless link establishment, wireless user access authentication, and service data encryption for wireless users. | Open system authentication
STA blacklist and whitelist | Uses a blacklist or whitelist to control which STAs may access the WLAN. | You are advised to configure this function to control the access of wireless users, ensuring that authorized users can access the WLAN and preventing unauthorized users from forcibly accessing it. | Disabled
User isolation on a VAP | Prevents packets of users on the same VAP from being forwarded to each other. | To isolate users on the same VAP from each other at Layer 2 while allowing them to communicate at Layer 3, improving communication security, you are advised to configure this function. | Disabled
Port isolation | Adds interfaces to an isolation group and configures the isolation mode and unidirectional or bidirectional isolation. | To allow WLAN users on different APs in the same VLAN to communicate at Layer 2 and improve communication security, you are advised to configure this function on the switch connected to the APs. | Disabled
Example for Configuring Device Login Security
You can locally log in to a device through the console port or remotely log in using STelnet.
Configuring Security for Local Device Login Through the Console Port
Logging in to a switch through the console port (also called serial port) is a basic login mode and forms the basis of other login modes such as Telnet and STelnet. Once an attacker accesses the console port on a switch, the switch is exposed to the attacker, causing security risks. You can configure the authentication mode, user authentication information, and user level for the console user interface to ensure security of switch login through the console port.
Deployment Precautions
If you configure the console user interface after login through the console port, the configuration takes effect at your next login.
To ensure device security, you are required to change the default password upon the first login and change the password periodically.
Procedure
- Configure an authentication mode for the console user interface.

```
<HUAWEI> system-view
[HUAWEI] user-interface console 0 //Enter the console user interface view.
[HUAWEI-console0] authentication-mode aaa //Set AAA authentication for the console user interface. The default authentication mode is AAA.
[HUAWEI-console0] quit
```

- Configure authentication information and a user level for the console user interface.

```
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher YsHsjx_202206 //Create the local user admin123 and set the login password to YsHsjx_202206.
[HUAWEI-aaa] local-user admin123 privilege level 15 //Set the level of the local user admin123 to 15.
Warning: This operation may affect online users, are you sure to change the user privilege level ?[Y/N]y
[HUAWEI-aaa] local-user admin123 service-type terminal //Set the access type of local user admin123 to terminal user, that is, console user.
```

- Connect to the switch through the console port and enter the user name and password as prompted to log in to the switch. (In this example, the user name is admin123 and the password is YsHsjx_202206.)

```
Login authentication

Username:admin123
Password:
<HUAWEI>
```
Configuring Security for Remote Device Login Using STelnet
You can remotely log in to a switch using Telnet and STelnet. Telnet poses security risks. However, STelnet, based on the SSH protocol, implements secure remote login on insecure networks and provides powerful authentication functions to ensure information security and protect switches against attacks, such as IP spoofing attacks.
Deployment Precautions
- Before configuring STelnet login, ensure that the PC and the switch are routable to each other.
- STelnet V2 is more secure than STelnet V1 and is therefore recommended.
- Ensure that the user terminal has SSH client software installed before configuring STelnet login. This example uses the third-party software PuTTY as the SSH client.
- STelnet login requires virtual type terminal (VTY) user interfaces to support SSH. Therefore, the VTY user interfaces must use AAA authentication.
- For device security purposes, change the password periodically.
Procedure
- Configure a protocol type, an authentication mode, and a user level for the VTY user interface.

```
[HUAWEI] user-interface vty 0 4
[HUAWEI-ui-vty0-4] authentication-mode aaa //Configure AAA authentication for the VTY user interface.
[HUAWEI-ui-vty0-4] protocol inbound ssh //Configure the VTY user interface to support SSH. By default, SSH is used.
[HUAWEI-ui-vty0-4] user privilege level 15 //Set the level of the VTY user interface to 15.
[HUAWEI-ui-vty0-4] quit
```

- Enable the STelnet server function and create an SSH user.

```
[HUAWEI] stelnet server enable //Enable the STelnet server function on the switch.
[HUAWEI] ssh user admin123 //Create SSH user admin123.
[HUAWEI] ssh user admin123 service-type stelnet //Set the service mode of the SSH user to STelnet.
```

- Configure an authentication mode for the SSH user.

# Set the authentication mode for the SSH user to password.

To use password authentication, create a local user with the same name as the SSH user in the AAA view.

```
[HUAWEI] ssh user admin123 authentication-type password //Configure password authentication for the SSH user.
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher YsHsjx_202206 //Create a local user with the same user name as the SSH user and set a login password for the local user.
[HUAWEI-aaa] local-user admin123 privilege level 15 //Set the level of the local user to 15.
[HUAWEI-aaa] local-user admin123 service-type ssh //Set the service type of the local user to SSH.
[HUAWEI-aaa] quit
```

# Set the authentication mode for the SSH user to RSA, DSA, or ECC. (The following uses ECC authentication as an example. The steps for configuring RSA and DSA authentication are similar.)

To use RSA, DSA, or ECC authentication, you need to configure the public key of the SSH client on the SSH server. When the SSH client connects to the SSH server, the client passes authentication if its private key matches the configured public key. For details about obtaining the public key on the client, see the help document of the SSH client software.

```
[HUAWEI] ssh user admin123 authentication-type ecc //Configure ECC authentication for the SSH user.
[HUAWEI] ecc peer-public-key key01 encoding-type pem //Configure the encoding format of ECC public key key01 and enter the ECC public key view.
Enter "ECC public key" view, return system view with "peer-public-key end".
[HUAWEI-ecc-public-key] public-key-code begin //Enter the public key editing view.
Enter "ECC key code" view, return last view with "public-key-code end".
[HUAWEI-ecc-key-code] 308188 //Copy the public key of the client, which is a hexadecimal character string.
[HUAWEI-ecc-key-code] 028180
[HUAWEI-ecc-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[HUAWEI-ecc-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[HUAWEI-ecc-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[HUAWEI-ecc-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[HUAWEI-ecc-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[HUAWEI-ecc-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[HUAWEI-ecc-key-code] 171896FB 1FFC38CD
[HUAWEI-ecc-key-code] 0203
[HUAWEI-ecc-key-code] 010001
[HUAWEI-ecc-key-code] public-key-code end //Return to the public key view.
[HUAWEI-ecc-public-key] peer-public-key end //Return to the system view.
[HUAWEI] ssh user admin123 assign ecc-key key01 //Assign the existing public key key01 to user admin123.
```

- Generate a local key pair on the server.

```
<HUAWEI> system-view
[HUAWEI] ecc local-key-pair create
Info: The key name will be: HUAWEI_Host_ECC.
Info: The key modulus can be any one of the following: 256, 384, 521.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=521]:521
Info: Generating keys..........
Info: Succeeded in creating the ECC host keys.
```

- Log in to the switch through STelnet.

On the PC, connect to the SSH server through password authentication.

Log in to the switch using PuTTY: enter the switch's IP address and select the SSH protocol.

Click Open. Enter the user name and password as prompted and press Enter to log in to the SSH server. (The following information is for reference only.)

```
login as: admin123
Sent username "admin123"
admin123@10.10.10.20's password:

Info: The max number of VTY users is 8, and the number of current VTY users on line is 5.
      The current login time is 2018-12-22 09:35:28+00:00.
<HUAWEI>
```
Example for Configuring Access Device Security
As the border of the campus network, access devices need to prevent unauthorized users and terminals from accessing the network. In addition, the access devices need to control Layer 2 traffic forwarding.
Table 2-111 describes the security policy deployment suggestions for access devices. You can configure functions based on service requirements.
Configuration Examples
- Configure traffic suppression.

```
<HUAWEI> system-view
[HUAWEI] suppression mode by-bits //Configure the global traffic suppression mode.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] broadcast-suppression cir 1000 //Configure suppression of broadcast traffic in the inbound direction of the interface.
[HUAWEI-GigabitEthernet0/0/1] multicast-suppression cir 1000 //Configure suppression of unknown multicast traffic in the inbound direction of the interface.
[HUAWEI-GigabitEthernet0/0/1] unicast-suppression cir 1000 //Configure suppression of unknown unicast traffic in the inbound direction of the interface.
[HUAWEI-GigabitEthernet0/0/1] broadcast-suppression block outbound //Block outgoing broadcast traffic on the interface.
[HUAWEI-GigabitEthernet0/0/1] multicast-suppression block outbound //Block outgoing unknown multicast traffic on the interface.
[HUAWEI-GigabitEthernet0/0/1] unicast-suppression block outbound //Block outgoing unknown unicast traffic on the interface.
```

- Configure storm control.

```
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] storm-control broadcast min-rate 1000 max-rate 2000 //Configure storm control for broadcast packets.
[HUAWEI-GigabitEthernet0/0/1] storm-control multicast min-rate 1000 max-rate 2000 //Configure storm control for unknown multicast packets.
[HUAWEI-GigabitEthernet0/0/1] storm-control unicast min-rate 1000 max-rate 2000 //Configure storm control for unknown unicast packets.
[HUAWEI-GigabitEthernet0/0/1] storm-control action block //Configure the action for storm control.
[HUAWEI-GigabitEthernet0/0/1] storm-control enable log //Configure the system to record logs during storm control.
[HUAWEI-GigabitEthernet0/0/1] storm-control interval 90 //Configure the interval for detecting storms.
```

- Configure DHCP snooping.

```
<HUAWEI> system-view
[HUAWEI] dhcp enable //Enable DHCP.
[HUAWEI] dhcp snooping enable //Enable DHCP snooping globally.
[HUAWEI] interface gigabitethernet 0/0/1 //Enter the user-side interface view.
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping enable //Enable DHCP snooping on the interface.
[HUAWEI-GigabitEthernet0/0/1] quit
[HUAWEI] interface gigabitethernet 0/0/2 //Enter the view of the interface directly or indirectly connected to the DHCP server.
[HUAWEI-GigabitEthernet0/0/2] dhcp snooping trusted //Configure the interface as a trusted interface.
```

- Configure IPSG.

# Configure IPSG against static binding entries.

```
<HUAWEI> system-view
[HUAWEI] user-bind static ip-address 10.0.0.1 mac-address 00e0-fc01-0001 //Create a static binding entry.
[HUAWEI] user-bind static ip-address 10.0.0.11 mac-address 00e0-fc02-0002 //Create a static binding entry.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind enable //Enable IP packet check.
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind alarm enable //Enable the alarm function of IP packet check.
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind alarm threshold 100 //Set the alarm threshold for IP packet check.
```

# Configure IPSG against dynamic DHCP snooping binding entries. Before the configuration, you need to configure DHCP snooping so that dynamic DHCP snooping binding entries are generated.

```
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind enable //Enable IP packet check.
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind alarm enable //Enable the alarm function of IP packet check.
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind alarm threshold 100 //Set the alarm threshold for IP packet check.
```

- Configure ND snooping.

```
<HUAWEI> system-view
[HUAWEI] nd snooping enable //Enable ND snooping globally.
[HUAWEI] interface gigabitethernet 0/0/1 //Enter the user-side interface view.
[HUAWEI-GigabitEthernet0/0/1] nd snooping enable //Enable ND snooping on the interface.
[HUAWEI-GigabitEthernet0/0/1] quit
[HUAWEI] interface gigabitethernet 0/0/2 //Enter the view of the interface directly or indirectly connected to the gateway.
[HUAWEI-GigabitEthernet0/0/2] nd snooping trusted //Configure the interface as a trusted interface.
```

- Configure DAI. Before the configuration, you need to configure DHCP snooping so that dynamic DHCP snooping binding entries are generated, or manually configure static DHCP snooping binding entries.

```
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind enable //Enable DAI.
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind check-item ip-address //Configure the device to check only the IP addresses in ARP packets against binding entries.
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind alarm enable //Enable the alarm function for ARP packets discarded by DAI.
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind alarm threshold 100 //Set the alarm threshold for ARP packets discarded by DAI.
```

- Configure port security.

# If access users frequently change locations, you can configure port security to convert dynamic MAC addresses into secure dynamic MAC addresses. This ensures that bound MAC address entries are deleted promptly after users change locations.

```
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable //Enable port security.
[HUAWEI-GigabitEthernet0/0/1] port-security max-mac-num 1 //Set the maximum number of secure MAC addresses that can be learned on the interface.
[HUAWEI-GigabitEthernet0/0/1] port-security protect-action restrict //Configure the action for port security protection.
[HUAWEI-GigabitEthernet0/0/1] port-security aging-time 100 //Set the aging time of secure dynamic MAC addresses on the interface.
```

# If access users seldom change locations, you can configure port security to convert dynamic MAC addresses into sticky MAC addresses. This ensures that bound MAC address entries are not lost after the device restarts.

```
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable //Enable port security.
[HUAWEI-GigabitEthernet0/0/1] port-security mac-address sticky //Enable the sticky MAC function on the interface.
[HUAWEI-GigabitEthernet0/0/1] port-security max-mac-num 1 //Set the maximum number of secure MAC addresses that can be learned on the interface.
[HUAWEI-GigabitEthernet0/0/1] port-security protect-action restrict //Configure the action for port security protection.
```

# If there are only a few access users and they seldom change locations, you can configure secure static MAC addresses.

```
<HUAWEI> system-view
[HUAWEI] port-security static-flapping protect //Enable static MAC address flapping detection.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable //Enable port security.
[HUAWEI-GigabitEthernet0/0/1] port-security max-mac-num 1 //Set the maximum number of secure MAC addresses that can be learned on the interface.
[HUAWEI-GigabitEthernet0/0/1] port-security protect-action restrict //Configure the action for port security protection.
```

- Configure port isolation.

```
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-isolate enable //Enable port isolation.
```
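The min-rate/max-rate pair in the storm-control commands above forms a hysteresis loop, which the CLI comments do not spell out. The following Python model is added here (it is not vendor code): it assumes pps units, that an average rate above max-rate within a detection interval triggers the configured action, and that a rate below min-rate restores forwarding only after the block action, while shutdown needs the administrator.

```python
from dataclasses import dataclass, field

@dataclass
class StormControl:
    """Storm control for one traffic type on one interface, modelled as a
    two-threshold state machine with the parameters of the commands above."""
    min_rate: int = 1000          # pps; traffic is unblocked once the rate drops below it
    max_rate: int = 2000          # pps; exceeding it triggers the action
    interval: int = 90            # detection interval in seconds
    action: str = "block"         # "block" (recovers by itself) or "shutdown" (does not)
    blocked: bool = False
    shutdown: bool = False
    log: list = field(default_factory=list)

    def state(self):
        return "shutdown" if self.shutdown else ("blocked" if self.blocked else "forwarding")

    def on_interval(self, packets, t):
        """Evaluate one detection interval from the packet count observed in it."""
        if self.shutdown:
            return self.state()              # no automatic recovery after shutdown
        rate = packets / self.interval
        if rate > self.max_rate and not self.blocked:
            if self.action == "block":
                self.blocked = True
            else:
                self.shutdown = True
            self.log.append(f"t={t}s rate={rate:.0f}pps > max-rate {self.max_rate}: {self.action}")
        elif rate < self.min_rate and self.blocked:
            self.blocked = False
            self.log.append(f"t={t}s rate={rate:.0f}pps < min-rate {self.min_rate}: unblock")
        # between min-rate and max-rate the current state is kept (hysteresis)
        return self.state()

def run(counts, action="block"):
    """Feed constructed per-interval packet counts and return the state after each interval."""
    sc = StormControl(action=action)
    return [sc.on_interval(n, (i + 1) * sc.interval) for i, n in enumerate(counts)], sc

if __name__ == "__main__":
    # 1000, 3000, 1500 and 500 pps over four 90 s intervals
    states, sc = run([90_000, 270_000, 135_000, 45_000])
    print(states)
    print("\n".join(sc.log))
```

The third interval (1500 pps, between the two thresholds) keeps the interface blocked; without the lower threshold a rate hovering around a single limit would flap the interface every interval.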
Example for Configuring Core Device Security
Core devices are located at the key position of the network, and the security of the core devices is critical. When a core device is configured as a centralized authentication point, the CPU performance must meet requirements of processing protocol packets when a large number of users access the network. When a core device is configured as a gateway, ARP security must be considered.
Table 2-113 describes the security policy deployment suggestions for core devices. You can configure functions based on service requirements.
Configuration Examples
- Configure CPU attack defense.
<HUAWEI> system-view [HUAWEI] acl number 2001 [HUAWEI-acl-basic-2001] rule permit source 10.1.1.0 0.0.0.255 [HUAWEI-acl-basic-2001] quit [HUAWEI] cpu-defend policy test //Create an attack defense policy and enter the attack defense policy view. [HUAWEI-cpu-defend-policy-test] car packet-type http cir 120 //Set the CPCAR value for packets when no protocol connection is established. [HUAWEI-cpu-defend-policy-test] linkup-car packet-type http cir 120 //Set the CPCAR value for packets of a specified protocol upon the establishment of the protocol connection. [HUAWEI-cpu-defend-policy-test] deny packet-type icmp //Set the action for packets sent to the CPU to deny. [HUAWEI-cpu-defend-policy-test] blacklist 1 acl 2001 //Configure the blacklist for CPU attack defense. [HUAWEI-cpu-defend-policy-test] quit [HUAWEI] cpu-defend application-apperceive enable //Enable dynamic link protection globally. [HUAWEI] cpu-defend application-apperceive http enable //Enable dynamic link protection for protocol packets.
- Configure attack source tracing.
<HUAWEI> system-view [HUAWEI] acl number 2001 [HUAWEI-acl-basic-2001] rule permit source 10.1.1.0 0.0.0.255 [HUAWEI-acl-basic-2001] quit [HUAWEI] cpu-defend policy test //Create an attack defense policy and enter the attack defense policy view. [HUAWEI-cpu-defend-policy-test] auto-defend enable //Enable attack source tracing. [HUAWEI-cpu-defend-policy-test] auto-defend alarm enable //Enable the event reporting function for attack source tracing. [HUAWEI-cpu-defend-policy-test] auto-defend whitelist 1 acl 2001 //Configure a whitelist for attack source tracing. [HUAWEI-cpu-defend-policy-test] auto-defend action deny //Enable the punishment function of attack source tracing and specify the punishment action for attack packets.
- Configure port attack defense.
<HUAWEI> system-view [HUAWEI] acl number 2001 [HUAWEI-acl-basic-2001] rule permit source 10.1.1.0 0.0.0.255 [HUAWEI-acl-basic-2001] quit [HUAWEI] cpu-defend policy test //Create an attack defense policy and enter the attack defense policy view. [HUAWEI-cpu-defend-policy-test] auto-port-defend enable //Enable port attack defense. [HUAWEI-cpu-defend-policy-test] auto-port-defend alarm enable //Enable the function of reporting port attack defense events. [HUAWEI-cpu-defend-policy-test] auto-defend whitelist 1 acl 2001 //Configure a whitelist for attack source tracing.
- Configure user-level rate limiting.
<HUAWEI> system-view [HUAWEI] cpu-defend host-car enable //Enable user-level rate limiting.
- Configure rate limiting on ARP packets.
<HUAWEI> system-view [HUAWEI] arp anti-attack rate-limit enable //Enable rate limiting on ARP packets globally. [HUAWEI] arp speed-limit source-mac 00e0-fc01-0001 maximum 20 //Set the maximum rate of ARP packets based on source MAC addresses. [HUAWEI] arp speed-limit source-ip 10.1.1.1 maximum 20 //Set the maximum rate of ARP packets based on source IP addresses.
- Configure rate limiting on ARP Miss messages.
<HUAWEI> system-view [HUAWEI] arp-miss anti-attack rate-limit enable //Enable rate limiting on ARP Miss messages globally. [HUAWEI] arp-miss speed-limit source-mac 00e0-fc01-0001 maximum 20 //Set the maximum rate of ARP Miss messages based on source MAC addresses. [HUAWEI] arp-miss speed-limit source-ip 10.1.1.1 maximum 20 //Set the maximum rate of ARP Miss messages based on source IP addresses.
- Configure the aging time of temporary ARP entries.
<HUAWEI> system-view [HUAWEI] interface gigabitethernet 0/0/1 [HUAWEI-GigabitEthernet0/0/1] arp-fake expire-time 3 //Set the aging time of temporary ARP entries.
- Configure the device not to send ARP packets destined for other devices to the CPU.
<HUAWEI> system-view [HUAWEI] interface vlanif 10 [HUAWEI-Vlanif10] arp optimized-passby enable //Configure the device not to send ARP packets destined for other devices to the CPU.
- Configure optimized ARP reply.
<HUAWEI> system-view
[HUAWEI] undo arp optimized-reply disable //Enable optimized ARP reply.
- Configure strict ARP learning.
<HUAWEI> system-view
[HUAWEI] arp learning strict //Enable strict ARP learning globally.
[HUAWEI] quit
- Configure ARP entry limiting.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp-limit maximum 20 //Configure the maximum number of dynamic ARP entries that the interface can learn.
- Disable ARP learning on an interface.
<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp learning disable //Disable the interface from learning dynamic ARP entries.
- Configure ARP entry fixing.
<HUAWEI> system-view
[HUAWEI] arp anti-attack entry-check fixed-mac enable //Enable ARP entry fixing globally.
- Configure ARP gateway anti-collision.
<HUAWEI> system-view
[HUAWEI] arp anti-attack gateway-duplicate enable //Enable ARP gateway anti-collision.
- Configure ARP gateway protection.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp trust source 10.1.1.1 //Enable ARP gateway protection.
- Configure gratuitous ARP packet sending.
<HUAWEI> system-view
[HUAWEI] arp gratuitous-arp send enable //Enable the device to send gratuitous ARP packets.
[HUAWEI] arp gratuitous-arp send interval 60 //Set the interval for sending gratuitous ARP packets.
- Configure MAC address consistency check in an ARP packet.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp validate source-mac destination-mac //Enable MAC address consistency check in an ARP packet.
- Configure ARP packet validity check.
<HUAWEI> system-view
[HUAWEI] arp anti-attack packet-check ip dst-mac sender-mac //Enable ARP packet validity check.
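The MAC address consistency check and the ARP packet validity check above both compare fields of the Ethernet header against the ARP body and reject frames that disagree. The following added example (not from the Huawei documentation) implements that logic in Python over constructed frames: the three switches are named after the ip / dst-mac / sender-mac keywords, but the exact rule behind each keyword is this example's assumption rather than the vendor's specification.

```python
import struct
from ipaddress import IPv4Address
# Ethernet II + ARP layout (RFC 826); all sample frames below are constructed for this example.
ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2

def parse_arp(frame):
    """Return the Ethernet and ARP fields the checks need; raise on a malformed frame."""
    if len(frame) < ETH_HDR.size + ARP_BODY.size:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, etype = ETH_HDR.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, oper, sha, spa, tha, tpa = ARP_BODY.unpack_from(frame, ETH_HDR.size)
    return {"eth_dst": eth_dst, "eth_src": eth_src, "oper": oper,
            "sha": sha, "spa": IPv4Address(spa), "tha": tha, "tpa": IPv4Address(tpa)}

def bad_ip(addr):
    """All-zero, all-one and multicast addresses are never valid ARP endpoints."""
    return addr in (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")) or addr.is_multicast

def arp_packet_check(frame, ip=True, dst_mac=True, sender_mac=True):
    """Return the names of the failed checks; [] means the frame would be accepted.
    The switches mirror the ip / dst-mac / sender-mac keywords; the rule behind each
    keyword is this example's interpretation, not the vendor's specification."""
    a = parse_arp(frame)
    failed = []
    if sender_mac and a["eth_src"] != a["sha"]:
        failed.append("sender-mac")   # frame source MAC disagrees with the ARP sender MAC
    if dst_mac and a["oper"] == ARP_REPLY and a["eth_dst"] != a["tha"]:
        failed.append("dst-mac")      # unicast reply whose ARP target MAC disagrees with the frame
    if ip:
        # a request may legitimately carry sender IP 0.0.0.0 (ARP probe), so only its target IP is checked
        ips = [a["tpa"]] if a["oper"] == ARP_REQUEST else [a["spa"], a["tpa"]]
        if any(bad_ip(x) for x in ips):
            failed.append("ip")
    return failed

def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    """Assemble a test frame from 6-byte MACs and dotted IPv4 strings."""
    body = ARP_BODY.pack(1, 0x0800, 6, 4, oper, sha, IPv4Address(spa).packed, tha, IPv4Address(tpa).packed)
    return ETH_HDR.pack(eth_dst, eth_src, ETHERTYPE_ARP) + body
# Constructed frames: two that pass, and two that each trip exactly one check.
MAC_A, MAC_B, BCAST = bytes.fromhex("00e0fc010001"), bytes.fromhex("00e0fc010002"), b"\xff" * 6
GOOD_REQUEST = build_arp(BCAST, MAC_A, ARP_REQUEST, MAC_A, "10.1.1.1", b"\x00" * 6, "10.1.1.254")
GOOD_REPLY = build_arp(MAC_A, MAC_B, ARP_REPLY, MAC_B, "10.1.1.254", MAC_A, "10.1.1.1")
MISMATCHED_REPLY = build_arp(MAC_A, MAC_B, ARP_REPLY, bytes.fromhex("00e0fc0100ff"), "10.1.1.254", MAC_A, "10.1.1.1")
MULTICAST_REPLY = build_arp(MAC_A, MAC_B, ARP_REPLY, MAC_B, "224.0.0.1", MAC_A, "10.1.1.1")
```

Running `arp_packet_check` on the four constructed frames shows which keyword each rejected frame trips, which is the same information the switch uses when it decides to drop a packet.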
- Configure ARP learning triggered by DHCP.
<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp learning dhcp-trigger //Enable ARP learning triggered by DHCP.
Example for Configuring Wireless Service Security
Rogue devices and attacking users can be detected and contained to secure the border of the wireless network. In addition, user access must be authenticated and secured to protect wireless service data.
Table 2-114 describes the security policy deployment suggestions for wireless services. You can configure functions based on service requirements.
Configuration Examples
- Configure WIDS and WIPS functions.
# Configure device detection and containment.
<Huawei> system-view
[Huawei] wlan
[Huawei-wlan-view] ap-id 0
[Huawei-wlan-ap-0] radio 0
[Huawei-wlan-radio-0/0] wids device detect enable //Enable device detection.
[Huawei-wlan-radio-0/0] wids contain enable //Enable device containment.
[Huawei-wlan-radio-0/0] quit
[Huawei-wlan-ap-0] quit
[Huawei-wlan-view] wids-profile name wlan-wids //Create a WIDS profile.
[Huawei-wlan-wids-prof-wlan-wids] contain-mode spoof-ssid-ap //Set the containment mode against rogue or interference devices.
[Huawei-wlan-wids-prof-wlan-wids] quit
[Huawei-wlan-view] ap-id 0
[Huawei-wlan-ap-0] wids-profile wlan-wids //Bind a WIDS profile to an AP.
# Configure attack detection and dynamic blacklist functions.
<Huawei> system-view
[Huawei] wlan
[Huawei-wlan-view] ap-id 0
[Huawei-wlan-ap-0] radio 0
[Huawei-wlan-radio-0/0] wids attack detect enable all //Enable attack detection.
[Huawei-wlan-radio-0/0] quit
[Huawei-wlan-ap-0] quit
[Huawei-wlan-view] wids-profile name wlan-wids //Create a WIDS profile.
[Huawei-wlan-wids-prof-wlan-wids] dynamic-blacklist enable //Enable the dynamic blacklist function.
[Huawei-wlan-wids-prof-wlan-wids] quit
[Huawei-wlan-view] ap-id 0
[Huawei-wlan-ap-0] wids-profile wlan-wids //Bind a WIDS profile to an AP.
- Configure security policies. WLAN security policies are configured in security profiles, and only one security policy can be configured in a security profile. You can create multiple security profiles with different security policies and apply the profiles to different VAPs as required. The following uses WPA2-PSK-AES as an example.
<Huawei> system-view
[Huawei] wlan
[Huawei-wlan-view] security-profile name wlan-security //Create a security profile.
[HUAWEI-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase YsHsjx_202206 aes //Set the security policy to WPA2-PSK-AES.
[HUAWEI-wlan-sec-prof-wlan-security] quit
[Huawei-wlan-view] vap-profile name vap1 //Create a VAP profile.
[HUAWEI-wlan-vap-prof-vap1] security-profile wlan-security //Bind a security profile to a VAP profile.
- Configure STA blacklist and whitelist.
<Huawei> system-view
[Huawei] wlan
[Huawei-wlan-view] sta-whitelist-profile name sta-whitelist //Create a STA whitelist profile.
[Huawei-wlan-whitelist-prof-sta-whitelist] sta-mac 0001-0001-0001 //Add the MAC address of a STA to the whitelist.
[Huawei-wlan-whitelist-prof-sta-whitelist] quit
[Huawei-wlan-view] sta-blacklist-profile name sta-blacklist //Create a STA blacklist profile.
[Huawei-wlan-blacklist-prof-sta-blacklist] sta-mac 0002-0002-0002 //Add the MAC address of a STA to the blacklist.
- Configure user isolation on a VAP.
<Huawei> system-view
[Huawei] wlan
[Huawei-wlan-view] traffic-profile name traff1 //Create a traffic profile.
[HUAWEI-wlan-traffic-prof-traff1] user-isolate l2 //Configure user isolation.
Warning: Enabling user isolation may interrupt services. Are you sure you want to continue? [Y/N]:y
[HUAWEI-wlan-traffic-prof-traff1] quit
[Huawei-wlan-view] vap-profile name vap1 //Create a VAP profile.
[HUAWEI-wlan-vap-prof-vap1] traffic-profile traff1 //Bind a traffic profile to a VAP profile.
- Configure port isolation.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-isolate enable //Configure port isolation.