Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the security configurations, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, and security risks.
Default Settings for Local Attack Defense

Table 3-2, Table 3-3, Table 3-4, and Table 3-5 list the default settings for local attack defense. The default settings can be modified as required.

Table 3-2  Default settings for CPU attack defense

CPU attack defense policy: CPU attack defense policy named default
Blacklist: None
Whitelist: None
User-defined flow: None
Type of interfaces sending packets to the CPU: NNI
Type of interfaces sending protocol packets to the CPU: To check the interface type, run the display cpu-defend configuration command.
CIR value: By default, the device rate-limits packets according to the rate limits in the default policy. To check the CIR value, run the display cpu-defend configuration command.
CPCAR (control plane committed access rate) value for BGP, OSPF, FTP, HTTPS, SSH, TELNET, and TFTP packets used when connections are set up:
  • LPU: for BGP and OSPF connection packets, CIR 512 kbit/s and CBS 64,000 bytes; for FTP, HTTPS, SSH, TELNET, and TFTP connection packets, CIR 2048 kbit/s and CBS 256,000 bytes.
  • MPU: for BGP and OSPF connection packets, CIR 512 kbit/s and CBS 64,000 bytes; for FTP, HTTPS, SSH, TELNET, and TFTP connection packets, CIR 4096 kbit/s and CBS 770,048 bytes.
ALP (active link protection): Enabled by default for FTP, HTTPS, SSH, TELNET, and TFTP packets; disabled for BGP and OSPF packets.
Number of the queue to which protocol packets are sent: To check the queue number, run the display cpu-defend configuration command.
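The CIR and CBS figures in Table 3-2 are easiest to reason about as a token bucket: CBS is the number of bytes an idle rate limiter absorbs in one burst, and CIR is the long-run refill rate. The following is an added example, not Huawei code; it assumes a CPCAR entry behaves as a standard single-rate token bucket (the page does not describe the hardware algorithm), and the packet sizes and streams fed through it are constructed here. It uses the default LPU values for BGP/OSPF and for the management protocols.

```python
"""Token-bucket model of the default CPCAR values in Table 3-2.

Added example, not Huawei code. It assumes a CPCAR entry behaves as a
standard single-rate token bucket (CIR = refill rate, CBS = bucket depth);
the switch's actual hardware implementation is not described on this page.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

Packet = Tuple[float, int]  # (arrival time in seconds, size in bytes)


@dataclass(frozen=True)
class CpCar:
    cir_kbps: int    # committed information rate, kbit/s
    cbs_bytes: int   # committed burst size, bytes


# Default LPU values from Table 3-2.
LPU_BGP_OSPF = CpCar(cir_kbps=512, cbs_bytes=64_000)
LPU_MGMT = CpCar(cir_kbps=2048, cbs_bytes=256_000)   # FTP/HTTPS/SSH/TELNET/TFTP


class TokenBucket:
    """Single-rate token bucket: starts full, refills at CIR, capped at CBS."""

    def __init__(self, car: CpCar) -> None:
        self.rate = car.cir_kbps * 1000 / 8   # bytes per second
        self.depth = float(car.cbs_bytes)
        self.tokens = self.depth
        self.last_t = 0.0

    def admit(self, t: float, size: int) -> bool:
        # Refill for the elapsed time, never beyond CBS, then try to pay for the packet.
        self.tokens = min(self.depth, self.tokens + (t - self.last_t) * self.rate)
        self.last_t = t
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def run_stream(car: CpCar, packets: Iterable[Packet]) -> Tuple[int, int]:
    """Feed a time-ordered packet stream through the CPCAR; return (passed, dropped)."""
    bucket = TokenBucket(car)
    passed = dropped = 0
    for t, size in packets:
        if bucket.admit(t, size):
            passed += 1
        else:
            dropped += 1
    return passed, dropped


def max_burst_packets(car: CpCar, size: int) -> int:
    """How many back-to-back packets of `size` bytes an idle CPCAR absorbs."""
    return car.cbs_bytes // size


def sustained_pps(car: CpCar, size: int) -> float:
    """Long-run packet rate the CPCAR lets through for packets of `size` bytes."""
    return car.cir_kbps * 1000 / 8 / size


def burst(count: int, size: int, at: float = 0.0) -> List[Packet]:
    """Constructed stream: `count` packets arriving at the same instant."""
    return [(at, size)] * count


def steady(pps: int, size: int, seconds: int) -> List[Packet]:
    """Constructed stream: evenly spaced packets at `pps` for `seconds`."""
    return [(i / pps, size) for i in range(pps * seconds)]


if __name__ == "__main__":
    # A burst of 100 full-size BGP/OSPF packets: only a CBS worth gets through.
    print(run_stream(LPU_BGP_OSPF, burst(100, 1500)))        # (42, 58)
    # 60 pps of 1500-byte packets exceeds 512 kbit/s, which sustains ~42.7 pps at that size.
    print(run_stream(LPU_BGP_OSPF, steady(60, 1500, 10)))
    print(round(sustained_pps(LPU_BGP_OSPF, 1500), 1))       # 42.7
```

The practical reading: a 64,000-byte CBS lets about 42 full-size packets through before the 512 kbit/s CIR takes over, so a routing adjacency that legitimately needs to exchange a large burst (for example a full OSPF database after a flap) can hit the default limiter. Raise CIR or CBS for that packet type in the policy rather than disabling CPCAR.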
Table 3-3  Default settings for attack source tracing

Attack defense policy: Attack defense policy named default
Automatic attack source tracing: Enabled
Threshold for attack source tracing: 60 pps
Packet sampling ratio for attack source tracing: 5
Attack source tracing mode: Based on source IP addresses and source MAC addresses
Types of traced packets: 8021X, ARP, DHCP, DHCPv6, ICMP, ICMPv6, MLD, ND, IGMP, TCP, and Telnet packets
Whitelist: By default, no whitelist is configured for attack source tracing. However, the switch implicitly treats each of the following conditions as a whitelist matching rule, whether or not attack source tracing is enabled; once attack source tracing is enabled, packets matching such a rule are not traced.
  • If an application that uses TCP has set up a TCP connection with the switch, the switch does not treat TCP packets from that source IP address as attack packets. If no TCP packets from the source IP address arrive within 1 hour, the rule for that address ages out.
  • If an interface has been configured as a DHCP trusted interface using the dhcp snooping trusted command, the switch does not treat DHCP packets received on this interface as attack packets.
  • If an interface has been configured as a MAC forced forwarding (MFF) network-side interface using the mac-forced-forwarding network-port command, the switch does not treat ARP packets received on this interface as attack packets.
Alarm function for attack source tracing: Disabled
Alarm threshold for attack source tracing: 60 pps
Punish function for attack source tracing: Disabled
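The implicit whitelist rules in Table 3-3 decide which sources the default policy can ever flag, so they are worth walking through with traffic. The following added example, not Huawei code, simulates the default attack source tracing policy: it counts CPU-bound packets of the traced types per source IP and MAC address (the default trace mode) per second, skips packets the three implicit whitelist rules exempt, and reports sources exceeding the 60 pps threshold. Assumptions not stated on the page: the rate is evaluated per one-second window, every packet is counted rather than one in five, and "exceeds" means strictly greater than the threshold. Interface names, addresses and traffic are constructed.

```python
"""Simulation of the default attack source tracing policy in Table 3-3.

Added example, not Huawei code. Assumptions: the threshold is compared per
source per one-second window, every packet is counted (the switch's 5:1
sampling is not modelled), and "exceeds" means strictly greater than.
Interface names, addresses and traffic are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Packet types traced by default (Table 3-3).
TRACED_TYPES = {"8021x", "arp", "dhcp", "dhcpv6", "icmp", "icmpv6",
                "mld", "nd", "igmp", "tcp", "telnet"}

Source = Tuple[str, str]   # (source IP, source MAC): the default trace mode


@dataclass(frozen=True)
class Packet:
    t: float        # arrival time, seconds
    iface: str      # ingress interface
    proto: str      # packet type, lower-case
    src_ip: str
    src_mac: str


class AttackSourceTracer:
    def __init__(self, threshold_pps: int = 60,
                 dhcp_trusted: Set[str] = frozenset(),
                 mff_network_ports: Set[str] = frozenset(),
                 tcp_rule_age_s: int = 3600) -> None:
        self.threshold = threshold_pps
        self.dhcp_trusted = set(dhcp_trusted)              # dhcp snooping trusted
        self.mff_network_ports = set(mff_network_ports)    # mac-forced-forwarding network-port
        self.tcp_rule_age_s = tcp_rule_age_s
        self._tcp_sessions: Dict[str, float] = {}          # src IP -> last TCP packet time

    def tcp_established(self, src_ip: str, t: float) -> None:
        """Record that src_ip has an established TCP session with the switch."""
        self._tcp_sessions[src_ip] = t

    def whitelisted(self, pkt: Packet) -> bool:
        """The implicit whitelist rules from Table 3-3."""
        if pkt.proto == "dhcp" and pkt.iface in self.dhcp_trusted:
            return True
        if pkt.proto == "arp" and pkt.iface in self.mff_network_ports:
            return True
        if pkt.proto == "tcp":
            last = self._tcp_sessions.get(pkt.src_ip)
            if last is not None and pkt.t - last < self.tcp_rule_age_s:
                self._tcp_sessions[pkt.src_ip] = pkt.t     # refresh the 1-hour aging
                return True
        return False

    def trace(self, packets: List[Packet]) -> List[Source]:
        """Return sources whose traced-packet rate exceeded the threshold in any second."""
        counts: Dict[Tuple[Source, int], int] = defaultdict(int)
        for pkt in sorted(packets, key=lambda p: p.t):
            if pkt.proto not in TRACED_TYPES or self.whitelisted(pkt):
                continue
            counts[((pkt.src_ip, pkt.src_mac), int(pkt.t))] += 1
        return sorted({src for (src, _sec), n in counts.items() if n > self.threshold})


def flood(iface: str, proto: str, ip: str, mac: str, pps: int, second: int = 0) -> List[Packet]:
    """Constructed traffic: `pps` packets from one host spread over one second."""
    return [Packet(second + i / pps, iface, proto, ip, mac) for i in range(pps)]


def demo() -> List[Source]:
    tracer = AttackSourceTracer(dhcp_trusted={"GE0/0/48"},
                                mff_network_ports={"GE0/0/24"})
    tracer.tcp_established("10.0.0.7", t=0.0)   # e.g. an SSH session already up
    traffic = (
        flood("GE0/0/1", "arp", "10.0.0.5", "00:11:22:33:44:55", 100)      # ARP flood
        + flood("GE0/0/24", "arp", "10.0.0.6", "00:11:22:33:44:66", 100)   # MFF network port
        + flood("GE0/0/48", "dhcp", "10.0.0.1", "00:11:22:33:44:01", 80)   # trusted DHCP server
        + flood("GE0/0/2", "tcp", "10.0.0.7", "00:11:22:33:44:77", 100)    # established TCP
        + flood("GE0/0/3", "tcp", "10.0.0.8", "00:11:22:33:44:88", 100)    # no session: SYN flood
        + flood("GE0/0/4", "icmp", "10.0.0.9", "00:11:22:33:44:99", 50)    # below 60 pps
        + flood("GE0/0/5", "ospf", "10.0.0.10", "00:11:22:33:44:aa", 200)  # not a traced type
    )
    return tracer.trace(traffic)


if __name__ == "__main__":
    print(demo())   # [('10.0.0.5', '00:11:22:33:44:55'), ('10.0.0.8', '00:11:22:33:44:88')]
```

Two things the run makes visible. First, with the defaults the tracer only identifies sources: the alarm and punish functions are both disabled, so nothing is logged or blocked until you enable them. Second, the TCP rule exempts a source for an hour after its last TCP packet, so a host that has an open management session is not traced for TCP floods during that window; the simulation shows the same host being flagged once the rule has aged out.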
Table 3-4  Default settings for port attack defense

Attack defense policy: Attack defense policy named default
Port attack defense function: Enabled
Types of protocol packets to which port attack defense is applied: ARP Request, ARP Reply, DHCP, ICMP, IGMP, and IP fragment packets
Rate threshold: The rate thresholds vary according to protocol type. For details, see Setting the Rate Threshold for Port Attack Defense.
Sampling ratio: 5
Aging time: 300 seconds
Alarm function: Disabled
Whitelist: None
Table 3-5  Default settings for user-level rate limiting

User-level rate limiting: Enabled
Packet types to which user-level rate limiting applies: ARP, ND, DHCP Request, DHCPv6 Request, and 8021x packets
User-level rate limit: 10 pps
User-level rate limiting on interface: Enabled
Updated: 2019-09-23

Document ID: EDOC1000178319