Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Configuring Local Attack Defense

This section describes the procedures for configuring local attack defense.

Configuring CPU Attack Defense

With the CPU attack defense function, the device limits the rate of packets sent to the CPU to protect the CPU.

Pre-configuration Tasks

Before configuring CPU attack defense, complete the following task:

  • Connecting interfaces and setting physical parameters for the interfaces to ensure that the physical status of the interfaces is Up

Configuration Process

Before configuring CPU attack defense, create an attack defense policy first. The other tasks can be performed in any sequence and selected as required. An attack defense policy takes effect only after it is applied to the device; it can be applied at any time after it is created.

Creating an Attack Defense Policy

Context

Before configuring local attack defense in an attack defense policy, you must create an attack defense policy.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    cpu-defend policy policy-name

    An attack defense policy is created and the attack defense policy view is displayed.

    The device supports a maximum of 19 attack defense policies, including the default attack defense policy. The default attack defense policy is generated in the system by default and is applied to the device. The default attack defense policy cannot be deleted or modified. The other 18 policies can be created, modified and deleted.

  3. (Optional) Run:

    description text

    The description of the attack defense policy is configured.

    By default, no description is configured for an attack defense policy.

Configuring the Rate Limit for Packets Sent to the CPU

Context

The device applies different rate limits to packets of different types or discards packets of a specified type to protect the CPU.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    cpu-defend policy policy-name

    The attack defense policy view is displayed.

  3. Configure a rate limit for packets sent to the CPU.

    • Run:
      packet-type packet-type rate-limit rate-value { wired | wireless }

      The rate limit for packets sent to the CPU is set. Excess packets are discarded.

    • Run:
      deny packet-type packet-type { wired | wireless }

      The device is configured to discard packets of a specified type sent to the CPU. That is, the rate limit for packets sent to the CPU is 0.

    By default, the device applies the rate limit defined in the default attack defense policy to limit the packets sent to the CPU.

Setting the Priority for Packets of a Specified Protocol

Context

After an attack defense policy is created, set priorities of protocol packets in the attack defense policy so that packets with higher priorities are processed first.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    cpu-defend policy policy-name

    The attack defense policy view is displayed.

  3. Run:

    packet-type packet-type priority priority-level { wired | wireless }

    The priority for packets of a specified protocol sent to the CPU is set.

    By default, the priority defined in the default attack defense policy is used for packets of a specified protocol sent to the CPU.

Configuring ALP

Context

Active link protection (ALP) protects session-based application-layer data, including data of SSH, Telnet, and FTP sessions, so that these services continue uninterrupted when attacks occur.

The rate limit applied to packets of these sessions once ALP is enabled is set in the attack defense policy view. The cpu-defend application-apperceive enable command enables the ALP function.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    cpu-defend policy policy-name

    The attack defense policy view is displayed.

  3. Run:

    application-apperceive packet-type { ssh | telnet | ftp } rate-limit rate-value

    The rate limit for SSH, Telnet, or FTP packets is set.

    By default, the rate limit for SSH and Telnet packets is 512 pps, and the rate limit for FTP packets is 1024 pps.

    NOTE:

    After ALP is configured for FTP packets, it also takes effect for TFTP packets.

  4. Run:

    quit

    Return to the system view.

  5. Run:

    cpu-defend application-apperceive [ ssh | telnet | ftp ] enable

    ALP is enabled.

    By default, ALP is enabled for SSH, Telnet, and FTP.

Configuring the Rate Limit for All Packets Sent to the CPU

Context

After an attack defense policy is created, set the rate limit for all packets sent to the CPU in the attack defense policy. The device uniformly limits the rate of packets with the same priority sent to the CPU and randomly discards the excess packets to protect the CPU.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    cpu-defend policy policy-name

    The attack defense policy view is displayed.

  3. Run:

    rate-limit all-packets pps pps-value

    The rate limit for all packets sent to the CPU is set.

    By default, the rate limit is 500 pps.

Applying an Attack Defense Policy

Context

After an attack defense policy is created, you must apply the attack defense policy to the device in the system view. Otherwise, the attack defense policy does not take effect.

Only one attack defense policy can be applied to the device.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    cpu-defend-policy policy-name

    The attack defense policy is applied.

Checking the Configuration

Procedure

  • Run the display cpu-defend policy [ policy-name ] command to check the attack defense policy.
  • Run the display cpu-defend statistics [ packet-type packet-type ] { wired | wireless } command to check statistics on packets sent to the CPU.
  • Run the display cpu-defend configuration [ packet-type packet-type ] { wired | wireless } command to check the rate limits for protocol packets sent to the CPU.
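
The tasks above compose into one policy: per-type rate limits (with deny as a limit of 0), per-type priorities, and the all-packets limit that is spent from the highest priority down, with excess in the class where the budget runs out discarded at random. The following Python model is an added example, not code from the Huawei guide or the device, that walks one second of constructed traffic through those three stages; the class name, the packet-type keywords, the traffic mix and the stand-in default limit of 256 pps are assumptions of the example.

```python
"""Added example (not from the Huawei guide): a simplified model of how an
attack defense policy shapes one second of packets headed for the CPU.
Stage 1 applies per-type rate limits (deny == limit 0), stage 2 orders
surviving packets by configured priority, stage 3 spends the all-packets
budget (default 500 pps) from the highest priority down, discarding excess
within the class where the budget runs out at random, as the guide describes.
Class names, packet-type keywords and the traffic mix are constructed."""
import random
from collections import Counter, defaultdict

# Constructed traffic offered to the CPU in one second, as (packet type, port kind).
SAMPLE_SECOND = (
    [("arp", "wired")] * 900          # ARP flood from the wired side
    + [("dhcp", "wired")] * 400       # busy but legitimate DHCP
    + [("capwap", "wireless")] * 200  # AP control traffic that must not be starved
    + [("icmp", "wireless")] * 300    # pings over the air
)


class CpuDefendPolicy:
    """Mirrors the attack defense policy view: one policy, applied to the device."""

    def __init__(self, name, all_packets_pps=500, default_pps=256, default_priority=0):
        self.name = name
        self.all_packets_pps = all_packets_pps  # rate-limit all-packets pps <value>
        self.default_pps = default_pps          # stands in for the default policy's limit (assumed value)
        self.default_priority = default_priority
        self.rate_limit = {}   # (type, kind) -> pps; 0 means deny
        self.priority = {}     # (type, kind) -> level; higher is served first

    def set_rate_limit(self, packet_type, pps, kind):
        """packet-type <type> rate-limit <pps> { wired | wireless }"""
        self.rate_limit[(packet_type, kind)] = pps

    def deny(self, packet_type, kind):
        """deny packet-type <type> { wired | wireless }: same as a limit of 0"""
        self.rate_limit[(packet_type, kind)] = 0

    def set_priority(self, packet_type, level, kind):
        """packet-type <type> priority <level> { wired | wireless }"""
        self.priority[(packet_type, kind)] = level

    def apply(self, offered, seed=1):
        """Return a Counter of packets that reach the CPU, keyed by (type, kind)."""
        rng = random.Random(seed)  # seeded so the run is reproducible
        # Stage 1: per-type limit, counted over the one-second window.
        accepted = Counter()
        survivors = []
        for key in offered:
            if accepted[key] < self.rate_limit.get(key, self.default_pps):
                accepted[key] += 1
                survivors.append(key)
        # Stage 2: group survivors by priority class.
        by_prio = defaultdict(list)
        for key in survivors:
            by_prio[self.priority.get(key, self.default_priority)].append(key)
        # Stage 3: all-packets budget, highest priority first, random discard of excess.
        budget = self.all_packets_pps
        delivered = Counter()
        for level in sorted(by_prio, reverse=True):
            pkts = by_prio[level]
            if len(pkts) > budget:
                pkts = rng.sample(pkts, budget)
            delivered.update(pkts)
            budget -= len(pkts)
            if budget == 0:
                break
        return delivered


def demo():
    """Protect CAPWAP, throttle ARP, drop wireless ICMP; return what reaches the CPU."""
    policy = CpuDefendPolicy("ap-guard")
    policy.set_rate_limit("arp", 300, "wired")
    policy.set_priority("capwap", 7, "wireless")
    policy.deny("icmp", "wireless")
    return policy.apply(SAMPLE_SECOND)


if __name__ == "__main__":
    for (ptype, kind), n in sorted(demo().items()):
        print(f"{ptype:>7}/{kind:<8} {n:4d} pps reach the CPU")
```

In the run, all 200 CAPWAP packets get through because their priority class is served first, the wireless ICMP is dropped outright, and ARP and DHCP together are cut to the remaining 300 pps of the all-packets budget. This is the reason the guide recommends setting priorities before relying on the aggregate limit: without the priority, CAPWAP would share in the random discard.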

Configuring Attack Source Tracing

Attack source tracing enables the device to check attack packets sent to the CPU and notify the administrator by sending logs or alarms so that the administrator can take measures to defend against attacks.

Pre-configuration Tasks

Before configuring attack source tracing, complete the following task:

  • Connecting interfaces and setting physical parameters for the interfaces to ensure that the physical status of the interfaces is Up

Configuration Process

To configure attack source tracing, you must first create an attack defense policy. All other configuration tasks are optional, can be performed in any sequence, and are configured as required. The policy takes effect only after it is applied; it can be applied at any time after it is created.

Creating an Attack Defense Policy

Context

Before configuring local attack defense in an attack defense policy, you must create an attack defense policy.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    cpu-defend policy policy-name

    An attack defense policy is created and the attack defense policy view is displayed.

    The device supports a maximum of 19 attack defense policies, including the default attack defense policy. The default attack defense policy is generated in the system by default and is applied to the device. The default attack defense policy cannot be deleted or modified. The other 18 policies can be created, modified and deleted.

  3. (Optional) Run:

    description text

    The description of the attack defense policy is configured.

    By default, no description is configured for an attack defense policy.

Configuring the Threshold for Attack Source Tracing

Context

A large number of attack packets may attack the CPUs of network devices. You can configure attack source tracing and set the alarm threshold for attack source tracing so that the device can analyze packets sent to the CPU. If the number of protocol packets sent from an attack source in a specified period exceeds the alarm threshold, the device sends logs or alarms to notify the administrator so that the administrator can take measures to defend against the attacks.

NOTE:

Attack source tracing may affect normal services if the number of protocol packets of these services exceeds the alarm threshold. In this situation, disable the attack source tracing function globally or for the corresponding protocol to recover the services.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    cpu-defend policy policy-name

    The attack defense policy view is displayed.

  3. Run:

    auto-defend enable

    Automatic attack source tracing is enabled.

    By default, automatic attack source tracing is disabled.

  4. Run:

    auto-defend threshold threshold-value

    The checking threshold for attack source tracing is set.

    By default, the checking threshold for attack source tracing is 128 pps.

Configuring an Attack Source Tracing Mode

Context

After attack source tracing is enabled, the device uses a specified mode to trace attack sources. The device supports the following attack source tracing modes:
  • Source IP address-based tracing: defends against Layer 3 attack packets.
  • Source MAC address-based tracing: defends against Layer 2 attack packets with a fixed source MAC address.
  • Source port+VLAN based tracing: defends against Layer 2 attack packets with different source MAC addresses.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    cpu-defend policy policy-name

    The attack defense policy view is displayed.

  3. Run:

    auto-defend enable

    Automatic attack source tracing is enabled.

    By default, automatic attack source tracing is disabled.

  4. Run:

    auto-defend trace-type { source-ip | source-mac | source-portvlan } *

    The attack source tracing mode is specified.

    By default, the device traces attack sources based on source MAC addresses, source IP addresses, and source ports+VLANs.

Configuring the Types of Traced Packets

Context

When an attack occurs, the device by default traces packets of every supported type, so the administrator cannot tell from the trace results which packet type carried the attack. You can specify the types of packets to be traced; the device then traces the sources of those packets only.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    cpu-defend policy policy-name

    The attack defense policy view is displayed.

  3. Run:

    auto-defend enable

    Automatic attack source tracing is enabled.

    By default, automatic attack source tracing is disabled.

  4. Run:

    auto-defend protocol { all | { http | https | ftp | ssh | arp | capwap | dhcp | icmp | tcp | telnet | ttl-expired } * }

    The type of traced packets is specified.

    By default, the device traces sources of Hypertext Transfer Protocol (HTTP), HTTP Secure (HTTPS), File Transfer Protocol (FTP), Secure Shell (SSH), Address Resolution Protocol (ARP), Control And Provisioning of Wireless Access Points (CAPWAP), Dynamic Host Configuration Protocol (DHCP), Internet Control Message Protocol (ICMP), Telnet, Transmission Control Protocol (TCP), and Time To Live-expired (TTL-expired) packets in attack source tracing.

Configuring the Alarm Function for Attack Source Tracing

Context

An attack source may send a large number of packets of a specified type to the device. After you enable the alarm function of attack source tracing and configure an alarm threshold, the device generates alarms when the number of packets a source sends in a specified period exceeds the threshold. This helps protect the device against attacks.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    cpu-defend policy policy-name

    The attack defense policy view is displayed.

  3. Run:

    auto-defend enable

    Automatic attack source tracing is enabled.

    By default, automatic attack source tracing is disabled.

  4. Configure the alarm function for attack source tracing.
    1. Run:

      auto-defend alarm enable

      The alarm function for attack source tracing is enabled.

      By default, the alarm function for attack source tracing is disabled.

    2. Run:

      auto-defend alarm threshold threshold

      The alarm threshold for attack source tracing is set.

      By default, the alarm threshold for attack source tracing is 128 pps.

Configuring Attack Source Punishment

Context

After you configure the device to punish attack sources, the device discards packets sent from the attacker to prevent attacks.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    cpu-defend policy policy-name

    The attack defense policy view is displayed.

  3. Run:

    auto-defend enable

    Attack source tracing is enabled.

    By default, attack source tracing is disabled.

  4. Run:

    auto-defend action deny [ timer time-length ]

    Attack source punishment is enabled.

    By default, attack source punishment is disabled.

Applying an Attack Defense Policy

Context

After an attack defense policy is created, you must apply the attack defense policy to the device in the system view. Otherwise, the attack defense policy does not take effect.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    cpu-defend-policy policy-name

    The attack defense policy is applied.

Checking the Configuration

Procedure

  • Run the display auto-defend attack-source [ detail ] command to check attack sources.
  • Run the display auto-defend configuration [ cpu-defend policy policy-name ] command to check the configuration of attack source tracing in an attack defense policy.
  • Run the display cpu-defend policy [ policy-name ] command to check the attack defense policy.
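
The attack source tracing tasks above (checking threshold, tracing mode, traced packet types, alarm, punishment) describe one detection loop: count packets sent to the CPU per source and per protocol over a checking period, record a source that exceeds the threshold, alarm if configured, and discard its packets for the punishment timer. The following Python model is an added example, not code from the Huawei guide or the device, that runs that loop over a constructed three-second capture in which two flooding sources are visible only under different tracing modes. The class and function names, the traffic, the interface names and the 10 s timer are assumptions of the example; the thresholds and default protocol list follow the values the guide states.

```python
"""Added example (not from the Huawei guide): a model of attack source tracing
as this section describes it. Packets sent to the CPU are attributed to each
enabled trace type (source IP, source MAC, source port+VLAN) and counted per
protocol over a one-second checking period. A source whose rate exceeds the
checking threshold (default 128 pps) is recorded as an attack source; with the
alarm function on, an alarm is generated above the alarm threshold; with
`auto-defend action deny`, the source's packets are discarded for the timer
period. The traffic, names and the timer value of 10 s are constructed."""
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "t proto src_ip src_mac port vlan")


class AutoDefend:
    def __init__(self, threshold=128, trace_types=("source-ip", "source-mac", "source-portvlan"),
                 protocols=("http", "https", "ftp", "ssh", "arp", "capwap", "dhcp",
                            "icmp", "tcp", "telnet", "ttl-expired"),
                 alarm_threshold=None, deny_timer=None):
        self.threshold = threshold              # auto-defend threshold
        self.trace_types = set(trace_types)     # auto-defend trace-type
        self.protocols = set(protocols)         # auto-defend protocol (default: all listed)
        self.alarm_threshold = alarm_threshold  # None: auto-defend alarm disabled
        self.deny_timer = deny_timer            # None: auto-defend action deny not configured
        self.attack_sources = {}  # key -> (proto, pps), like display auto-defend attack-source
        self.alarms = []          # (window start, key, proto, pps)
        self.denied_until = {}    # key -> time at which punishment expires

    def _keys(self, pkt):
        """Identities the packet is attributed to, one per enabled trace type."""
        keys = []
        if "source-ip" in self.trace_types:
            keys.append(("source-ip", pkt.src_ip))
        if "source-mac" in self.trace_types:
            keys.append(("source-mac", pkt.src_mac))
        if "source-portvlan" in self.trace_types:
            keys.append(("source-portvlan", (pkt.port, pkt.vlan)))
        return keys

    def _evaluate(self, counts, window_start, period):
        """Close a checking period: flag sources above threshold, alarm, punish."""
        if window_start is None:
            return
        for (key, proto), n in counts.items():
            pps = n / period
            if pps <= self.threshold:
                continue
            self.attack_sources[key] = (proto, pps)
            if self.alarm_threshold is not None and pps > self.alarm_threshold:
                self.alarms.append((window_start, key, proto, pps))
            if self.deny_timer is not None:
                self.denied_until[key] = window_start + period + self.deny_timer

    def run(self, packets, period=1.0):
        """Feed time-ordered packets; return how many reached the CPU."""
        forwarded, window_start, counts = 0, None, Counter()
        for pkt in packets:
            if window_start is None or pkt.t - window_start >= period:
                self._evaluate(counts, window_start, period)
                window_start, counts = pkt.t, Counter()
            keys = self._keys(pkt)
            if any(self.denied_until.get(k, -1.0) > pkt.t for k in keys):
                continue  # punished source: discarded before it costs CPU time
            forwarded += 1
            if pkt.proto in self.protocols:
                for k in keys:
                    counts[(k, pkt.proto)] += 1
        self._evaluate(counts, window_start, period)
        return forwarded


def build_sample():
    """Constructed 3 s capture: one normal host, an ARP flood from a fixed MAC
    with rotating source IPs, and an ARP flood rotating both MAC and IP."""
    pkts = []
    for sec in range(3):
        for i in range(20):   # legitimate host, 20 ARP/s on GE0/0/3 VLAN 10
            pkts.append(Packet(sec + i / 20, "arp", "10.0.0.10", "00:11:22:33:44:55", "GE0/0/3", 10))
        for i in range(300):  # fixed MAC, 50 rotating IPs: only MAC or port+VLAN tracing sees it
            pkts.append(Packet(sec + i / 300, "arp", f"10.0.0.{100 + i % 50}",
                               "de:ad:be:ef:00:01", "GE0/0/1", 10))
        for i in range(200):  # rotating MAC and IP: only port+VLAN tracing sees it
            pkts.append(Packet(sec + i / 200, "arp", f"192.168.1.{i % 250}",
                               f"02:00:00:00:00:{i % 256:02x}", "GE0/0/2", 20))
    return sorted(pkts, key=lambda p: p.t)


def demo(punish=True):
    """Return (AutoDefend state, packets forwarded) with or without punishment."""
    ad = AutoDefend(threshold=128, alarm_threshold=128, deny_timer=10 if punish else None)
    return ad, ad.run(build_sample())


if __name__ == "__main__":
    ad, forwarded = demo()
    print(f"{forwarded} of {3 * 520} packets reached the CPU")
    for key, (proto, pps) in ad.attack_sources.items():
        print(f"attack source {key}: {proto} at {pps:.0f} pps")
```

Source IP tracing never fires here because each flooding source spreads its packets over many addresses; the fixed-MAC flood is caught by source MAC tracing, and the MAC-rotating flood only by port+VLAN tracing, which is why the guide keeps all three modes on by default. Note that a port+VLAN identity covers every host behind that port and VLAN, so punishment applied to it also discards any legitimate traffic sharing it; that is the side effect the NOTE on the checking threshold warns about, and the reason to narrow auto-defend protocol or disable tracing for a protocol when normal services are affected.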
Updated: 2019-01-11

Document ID: EDOC1000176006