Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Configuration Examples

This section provides examples for configuring intrusion prevention.

Example for Configuring Intrusion Prevention

Networking Requirements

An enterprise deploys a WLAN network so that users on the intranet can access a web server on the Internet, as shown in Figure 26-43. The enterprise needs to configure intrusion prevention on the central AP so that intranet users are protected against attacks, such as websites serving malicious code, when they access the web server on the Internet.

Figure 26-43  Networking diagram for configuring intrusion prevention

Configuration Roadmap
  1. Configure basic WLAN services.
  2. Configure an intrusion prevention profile profile_ips_pc to protect intranet users. Configure signature filters to meet security requirements.
  3. Configure an attack defense profile defence_1 and bind the intrusion prevention profile profile_ips_pc to it.
  4. Configure a VAP profile and bind the attack defense profile to it to make the intrusion prevention function take effect.

Procedure

  1. Configure basic WLAN services. For details, see Example for Configuring an Agile Distributed WLAN.
  2. Enable the security engine.

    [AP] defence engine enable
    

  3. Configure intrusion prevention profile profile_ips_pc to protect intranet users.

    [AP] profile type ips name profile_ips_pc
    [AP-profile-ips-profile_ips_pc] description profile for intranet users
    [AP-profile-ips-profile_ips_pc] collect-attack-evidence enable
    Warning: Succeeded in configuring attack evidence collection for the IPS function. The function is used for fault locating. This function may deteriorate system performance. Exercise caution before using the function.
    Attack evidences can be collected only when a log storage device with sufficient storage space is available.
    After all required attack evidences are collected, disable the function.
    Our company alone is unable to transfer or process the communication contents or personal data. You are advised to enable the related functions based on the applicable laws and regulations in terms of purpose and scope of usage. When the communication contents or personal data are being transferred or processed, you are obliged to take considerable measures to ensure that these contents are fully protected. Continue? [Y/N]: y
    [AP-profile-ips-profile_ips_pc] signature-set name filter1
    [AP-profile-ips-profile_ips_pc-sigset-filter1] target client
    [AP-profile-ips-profile_ips_pc-sigset-filter1] severity high
    [AP-profile-ips-profile_ips_pc-sigset-filter1] protocol HTTP
    [AP-profile-ips-profile_ips_pc-sigset-filter1] quit
    [AP-profile-ips-profile_ips_pc] quit
    

  4. Commit the configuration so that the intrusion prevention profile takes effect on the security engine.

    [AP] engine configuration commit
    

  5. Configure attack defense profile defence_1 and bind profile_ips_pc to it.

    [AP] defence-profile name defence_1
    [AP-defence-profile-defence_1] profile type ips profile_ips_pc
    [AP-defence-profile-defence_1] quit
    

  6. Bind defence_1 to the VAP profile.

    [AP] wlan
    [AP-wlan-view] vap-profile name wlan-vap
    [AP-wlan-vap-prof-wlan-vap] defence-profile defence_1
    [AP-wlan-vap-prof-wlan-vap] quit
    

  7. Verify the configuration.

    Run the display profile type ips name profile_ips_pc command on the central AP to check the configuration of the intrusion prevention profile. The State field should read committed and Referenced should be at least 1, which confirms that the commit in step 4 and the binding in step 5 both took effect.

    [AP-wlan-view] display profile type ips name profile_ips_pc
       IPS Profile Configurations:
     ----------------------------------------------------------------------
     Name                              : profile_ips_pc
     Description                       : profile for intranet users
     Referenced                        : 1
     State                             : committed
     AttackEvidenceCollection          : enable

     SignatureSet                      : filter1
       Target                          : client
       Severity                        : high
       OS                              : N/A
       Protocol                        : HTTP
       Category                        : N/A
       Action                          : default
       Application                     : N/A

     Exception:
     ID       Action                                        Name
     ----------------------------------------------------------------------

     DNS Protocol Check:

     HTTP Protocol Check:
     ----------------------------------------------------------------------
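As an added check (example code, not from Huawei's guide): the script below parses the step-7 display output (sample constructed from the page) and flags the two conditions in which an IPS profile exists but does nothing, namely not committed (step 4) or not referenced by any defence profile (step 5), and compares the signature set against what was configured. Function names are assumptions.

```python
"""Added example (not Huawei's code): parse 'display profile type ips' output
and flag a profile that is not committed or not referenced by a defence-profile.
SAMPLE_OUTPUT is a constructed, trimmed copy of the display output in step 7."""
import re

SAMPLE_OUTPUT = """\
   IPS Profile Configurations:
 ----------------------------------------------------------------------
 Name                              : profile_ips_pc
 Referenced                        : 1
 State                             : committed

 SignatureSet                      : filter1
   Target                          : client
   Severity                        : high
   Protocol                        : HTTP
"""

def parse_ips_profile(text):
    # Returns (top-level fields, {signature-set name: its fields}).
    fields, sigsets, current = {}, {}, None
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s*:\s*(.*?)\s*$", line)
        if not m:                       # banner, underline or blank line
            continue
        key, value = m.groups()
        if key == "SignatureSet":       # sub-fields follow, indented deeper
            current = sigsets.setdefault(value, {})
        elif current is not None and line.startswith("   "):
            current[key] = value
        else:
            fields[key] = value
    return fields, sigsets

def check_ips_profile(text, expected_sigsets):
    # Returns a list of problems; an empty list means the profile is live.
    fields, sigsets = parse_ips_profile(text)
    problems = []
    if fields.get("State") != "committed":
        problems.append("not committed: run 'engine configuration commit'")
    if int(fields.get("Referenced", "0")) < 1:
        problems.append("not referenced: bind it in a defence-profile")
    for name, want in expected_sigsets.items():
        got = sigsets.get(name, {})     # missing set reports every field
        for k, v in want.items():
            if got.get(k) != v:
                problems.append(f"{name}.{k}: expected {v}, got {got.get(k)}")
    return problems
```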

Configuration Files

Central AP configuration file

#
 defence engine enable
 sysname AP
#
profile type ips name profile_ips_pc
 description profile for intranet users
 collect-attack-evidence enable
 signature-set name filter1
  target client
  severity high
  protocol HTTP
#
vlan batch 100 to 101
#
dhcp enable
#
defence-profile name defence_1
 profile type ips profile_ips_pc
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan 101
#
management-vlan 100
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  defence-profile defence_1
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 1 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
return
Updated: 2019-01-11

Document ID: EDOC1000176006