Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Example for Configuring Local Attack Defense

Networking Requirements

As shown in Figure 3-6, users on different network segments access the Internet through the Switch. Because a large number of users connect to the Switch, the Switch's CPU receives many protocol packets. If attackers send a large number of malicious packets to the Switch, CPU usage rises and services are affected. The network administrator has the following requirements:

  • The network administrator wants to monitor CPU status. When the CPU is attacked, the Switch can promptly notify the administrator and take measures to protect the CPU.
  • When the Switch receives a lot of ARP Request packets, the CPU usage of the Switch greatly increases. The administrator wants to reduce CPU usage to avoid impacting services.
  • Users on Net1 often initiate attacks, so the administrator wants to reject access by Net1 users.
  • Users on Net2 are fixed authorized users, so the administrator wants to increase the priority of packets from Net2 users.
  • Users on Net3 always change, so the administrator wants to limit the rate of packets from Net3 users to prevent attacks.
  • The administrator wants to upload files to the Switch through FTP, so data transmission between the administrator's computer and the Switch must be reliable and stable.
Figure 3-6  Networking diagram of local attack defense

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure attack source tracing, the alarm function, and the punish action so that the device sends an alarm to the administrator when it detects an attack source and automatically takes the punish action.
  2. Add Net2 users to the whitelist to exclude them from attack source tracing analysis and punishment.
  3. Set the protocol rate threshold so that the Switch can limit the rate of protocol packets based on ports and record a log. (Port attack defense is enabled by default, so it does not need to be enabled again.)
  4. Set the CPCAR for ARP Request packets to limit the rate of ARP Request packets sent to the CPU. This reduces the impact of ARP Request packets on the CPU.
  5. Add Net1 users to the blacklist to reject their access.
  6. Add Net2 users to the whitelist to increase the priority of packets from Net2 users.
  7. Configure a user-defined flow for Net3 users and set the access rate for the flow to 5 Mbit/s to prevent attacks initiated from Net3.
  8. Set the rate limit for the FTP packets sent to the CPU to ensure reliability and stability of data transmission between the administrator's computer and the Switch. (ALP is enabled for FTP by default, so it does not need to be enabled again.)

Procedure

  1. Configure the rule for filtering packets sent to the CPU.

    # Define ACL rules.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] acl number 2001
    [Switch-acl-basic-2001] rule permit source 10.1.1.0 0.0.0.255
    [Switch-acl-basic-2001] quit
    [Switch] acl number 2002
    [Switch-acl-basic-2002] rule permit source 10.2.2.0 0.0.0.255
    [Switch-acl-basic-2002] quit
    [Switch] acl number 2003
    [Switch-acl-basic-2003] rule permit source 10.3.3.0 0.0.0.255
    [Switch-acl-basic-2003] quit
    

  2. Configure an attack defense policy.

    # Create an attack defense policy.

    [Switch] cpu-defend policy policy1

    # Configure attack source tracing.

    [Switch-cpu-defend-policy-policy1] auto-defend enable

    # Enable the alarm function for attack source tracing.

    [Switch-cpu-defend-policy-policy1] auto-defend alarm enable

    # Configure a whitelist for attack source tracing.

    NOTE:

    Add the IP addresses of valid servers, of interconnected interfaces, and of the network management device to the whitelist.

    [Switch-cpu-defend-policy-policy1] auto-defend whitelist 1 acl 2002

    # Set the punish action to discard.

    NOTE:

    Before configuring the punish action, ensure that the device is undergoing an attack; otherwise, the punish action may discard a lot of valid protocol packets.

    [Switch-cpu-defend-policy-policy1] auto-defend action deny

    # Set the rate threshold to 40 pps. (Port attack defense is enabled by default, so it does not need to be enabled again.)

    [Switch-cpu-defend-policy-policy1] auto-port-defend protocol arp-request threshold 40

    # Add the network-side interface GE1/0/0 to the whitelist so that the CPU can promptly process the packets from the network-side interface.

    [Switch-cpu-defend-policy-policy1] auto-port-defend whitelist 1 interface gigabitethernet 1/0/0

    # Set the CPCAR of ARP Request packets to 120 kbit/s.

    [Switch-cpu-defend-policy-policy1] car packet-type arp-request cir 120
    Warning: Improper parameter settings may affect stable operating of the system. Use this command under assistance of Huawei engineers. Continue? [Y/N]:y

    # Configure the blacklist for CPU attack defense.

    [Switch-cpu-defend-policy-policy1] blacklist 1 acl 2001

    # Configure the whitelist for CPU attack defense.

    [Switch-cpu-defend-policy-policy1] whitelist 1 acl 2002

    # Configure a user-defined flow.

    [Switch-cpu-defend-policy-policy1] user-defined-flow 1 acl 2003

    # Set the rate limit rule for the user-defined flow.

    [Switch-cpu-defend-policy-policy1] car user-defined-flow 1 cir 4000
    Warning: Improper parameter settings may affect stable operating of the system. Use this command under assistance of Huawei engineers. Continue? [Y/N]:y

    # Set the CIR of FTP packets sent to the CPU to 5000 kbit/s.

    [Switch-cpu-defend-policy-policy1] linkup-car packet-type ftp cir 5000
    [Switch-cpu-defend-policy-policy1] quit

  3. Apply the attack defense policy.

    # Apply the attack defense policy to the MPU.

    [Switch] cpu-defend-policy policy1
    

    # Apply the attack defense policy to LPU 1.

    [Switch] slot 1
    [Switch-slot-1] cpu-defend-policy policy1
    [Switch-slot-1] quit
    [Switch] quit
    

  4. Verify the configuration.

    # Display the configuration of attack source tracing.

    <Switch> display auto-defend configuration
     ----------------------------------------------------------------------------   
     Name  : policy1
     Related slot : <1,8>
     auto-defend                      : enable
     auto-defend attack-packet sample : 5
     auto-defend threshold            : 60 (pps)
     auto-defend alarm                : enable
     auto-defend trace-type           : source-mac source-ip 
     auto-defend protocol             : arp icmp dhcp igmp tcp telnet 8021x nd dhcpv6 mld icmpv6   
     auto-defend action               : deny (Expired time : 300 s)
     auto-defend whitelist 1          : acl number 2002
     ----------------------------------------------------------------------------   
    NOTE:

    In this example, the MPU slot is slot 8. The actual slot ID may be different.

    # Display the configuration of port attack defense in slot 1.

    <Switch> display auto-port-defend configuration slot 1
    ----------------------------------------------------------------------------
     Name  : policy1
     Related slot : <1>
     Auto-port-defend                       : enable
     Auto-port-defend sample                : 5
     Auto-port-defend aging-time            : 300 second(s)
     Auto-port-defend arp-request threshold : 40 pps(enable)
     Auto-port-defend arp-reply threshold   : 30 pps(enable)
     Auto-port-defend dhcp threshold        : 30 pps(enable)
     Auto-port-defend icmp threshold        : 30 pps(enable)
     Auto-port-defend igmp threshold        : 60 pps(enable)                        
     Auto-port-defend ip-fragment threshold : 30 pps(enable)
     Auto-port-defend alarm                 : disable
    ----------------------------------------------------------------------------
    # Display the configuration of the attack defense policy.
    <Switch> display cpu-defend policy policy1
     Related slot : <1,8>                                                         
     WhiteList&BlackList&UserDefinedFlow Status :                                   
       Slot<1> : Success                                                            
       Slot<8> : Success         
     Configuration :                                                                
       Whitelist 1 ACL number : 2002                                                
       Blacklist 1 ACL number : 2001                                                
       User-defined-flow 1 ACL number : 2003                                        
       Car user-defined-flow 1 : CIR(4000)  CBS(752000)                             
       Car packet-type arp-request : CIR(120)  CBS(22560)                           
       Linkup-car packet-type  ftp : CIR(5000)  CBS(940000)
    # Display the CPCAR setting.
    <Switch> display cpu-defend configuration all
    Car configurations on mainboard.                                                
    ----------------------------------------------------------------------          
    Packet Name         Status     Cir(Kbps)   Cbs(Byte)  Queue  Port-Type          
    ----------------------------------------------------------------------          
    ......
    arp-request         Enabled          120       22560      3         NA
    ......
    ----------------------------------------------------------------------          
    Car configurations on slot 1.                                                 
    ----------------------------------------------------------------------          
    Packet Name         Status     Cir(Kbps)   Cbs(Byte)  Queue  Port-Type          
    ----------------------------------------------------------------------          
    ......
    arp-request         Enabled          120       22560      3        UNI
    ......
    ----------------------------------------------------------------------         
    ......
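The verification step above relies on reading the display output by eye. The following Python script, added here as an example and not part of Huawei's documentation, parses a constructed copy of the `display cpu-defend policy policy1` output shown above, confirms that the policy was delivered successfully on every related slot, and compares the configured CIR values with the values the roadmap intends. The expected-CIR table and the function names are the example's own assumptions; the output format is taken from this page.

```python
import re

# Constructed copy of the "display cpu-defend policy policy1" output shown above.
SAMPLE_OUTPUT = """\
 Related slot : <1,8>
 WhiteList&BlackList&UserDefinedFlow Status :
   Slot<1> : Success
   Slot<8> : Success
 Configuration :
   Whitelist 1 ACL number : 2002
   Blacklist 1 ACL number : 2001
   User-defined-flow 1 ACL number : 2003
   Car user-defined-flow 1 : CIR(4000)  CBS(752000)
   Car packet-type arp-request : CIR(120)  CBS(22560)
   Linkup-car packet-type  ftp : CIR(5000)  CBS(940000)
"""

# Intended CIR values (kbit/s) taken from the procedure above; assumed by this example.
EXPECTED_CIR = {
    "Car packet-type arp-request": 120,
    "Car user-defined-flow 1": 4000,
    "Linkup-car packet-type ftp": 5000,
}


def parse_policy(text):
    """Extract related slots, per-slot delivery status, ACL references and CAR values."""
    result = {"slots": [], "status": {}, "acl": {}, "car": {}}
    m = re.search(r"Related slot\s*:\s*<([\d,]+)>", text)
    if m:
        result["slots"] = [int(s) for s in m.group(1).split(",")]
    for slot, status in re.findall(r"Slot<(\d+)>\s*:\s*(\w+)", text):
        result["status"][int(slot)] = status
    for kind, idx, acl in re.findall(
            r"(Whitelist|Blacklist|User-defined-flow) (\d+) ACL number\s*:\s*(\d+)", text):
        result["acl"][(kind.lower(), int(idx))] = int(acl)
    for name, cir, cbs in re.findall(
            r"((?:Linkup-car|Car) [\w -]+?)\s*:\s*CIR\((\d+)\)\s+CBS\((\d+)\)", text):
        # Collapse the double space in "packet-type  ftp" so names compare cleanly.
        result["car"][re.sub(r"\s+", " ", name.strip())] = (int(cir), int(cbs))
    return result


def audit(parsed, expected_cir):
    """Return a list of findings; an empty list means the policy matches intent."""
    findings = []
    for slot in parsed["slots"]:
        status = parsed["status"].get(slot, "missing")
        if status != "Success":
            findings.append(f"slot {slot}: policy status {status}")
    for name, cir in expected_cir.items():
        got = parsed["car"].get(name)
        if got is None:
            findings.append(f"{name}: no CAR configured")
        elif got[0] != cir:
            findings.append(f"{name}: CIR {got[0]} != intended {cir}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_policy(SAMPLE_OUTPUT), EXPECTED_CIR) or ["policy matches intent"]:
        print(finding)
```

In practice the text passed to `parse_policy` would be captured from the switch CLI; a non-empty findings list is what a change-verification job should alert on, since a policy that fails to apply on one LPU leaves that card's CPU without the blacklist and CPCAR limits.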
    

Configuration Files

Switch configuration file

#
sysname Switch
#
acl number 2001
 rule 5 permit source 10.1.1.0 0.0.0.255
acl number 2002
 rule 5 permit source 10.2.2.0 0.0.0.255
acl number 2003
 rule 5 permit source 10.3.3.0 0.0.0.255
#
cpu-defend policy policy1                                                         
 whitelist 1 acl 2002                                                           
 blacklist 1 acl 2001                                                           
 user-defined-flow 1 acl 2003                                                   
 car user-defined-flow 1 cir 4000 cbs 752000                                    
 car packet-type arp-request cir 120 cbs 22560                                  
 linkup-car packet-type ftp cir 5000 cbs 940000                                 
 auto-defend alarm enable
 auto-defend action deny     
 auto-defend whitelist 1 acl 2002
 auto-port-defend protocol arp-request threshold 40  
 auto-port-defend whitelist 1 interface GigabitEthernet1/0/0  
#
slot 1
 cpu-defend-policy policy1
#
cpu-defend-policy policy1
# 
return 
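The configuration file above can also be audited offline against the networking requirements before it is pushed to the device. The following Python script is an added example, not part of Huawei's documentation: it splits a constructed copy of the configuration file into `#`-delimited sections and checks that the blacklist, whitelist and user-defined flow reference ACLs that match Net1, Net2 and Net3, that every user-defined flow carries a CAR rate limit, that the punish action is paired with the alarm, and that the policy is applied both globally (MPU) and to slot 1. The `INTENT` table and all function names are assumptions of the example.

```python
import re

# Constructed copy of the switch configuration file shown above.
CONFIG = """\
#
sysname Switch
#
acl number 2001
 rule 5 permit source 10.1.1.0 0.0.0.255
acl number 2002
 rule 5 permit source 10.2.2.0 0.0.0.255
acl number 2003
 rule 5 permit source 10.3.3.0 0.0.0.255
#
cpu-defend policy policy1
 whitelist 1 acl 2002
 blacklist 1 acl 2001
 user-defined-flow 1 acl 2003
 car user-defined-flow 1 cir 4000 cbs 752000
 car packet-type arp-request cir 120 cbs 22560
 linkup-car packet-type ftp cir 5000 cbs 940000
 auto-defend alarm enable
 auto-defend action deny
 auto-defend whitelist 1 acl 2002
 auto-port-defend protocol arp-request threshold 40
 auto-port-defend whitelist 1 interface GigabitEthernet1/0/0
#
slot 1
 cpu-defend-policy policy1
#
cpu-defend-policy policy1
#
return
"""

# Intent derived from the networking requirements (assumed by this example):
# Net1 is rejected, Net2 is trusted, Net3 is rate-limited, LPU 1 must carry the policy.
INTENT = {"blacklist": "10.1.1.0", "whitelist": "10.2.2.0",
          "user-defined-flow": "10.3.3.0", "slots": [1]}


def parse_sections(cfg):
    """Split a VRP-style config into (header, [indented lines]) pairs; '#' ends a section."""
    sections, current = [], None
    for line in cfg.splitlines():
        if line.strip() in ("#", "return"):
            current = None
        elif not line.startswith(" "):
            current = (line.strip(), [])
            sections.append(current)
        elif current is not None:
            current[1].append(line.strip())
    return sections


def acl_matches(acls, acl_id, network):
    """True if the ACL exists and has a permit rule whose source is exactly `network`."""
    return any(re.search(rf"permit source {re.escape(network)} ", rule)
               for rule in acls.get(acl_id, []))


def audit_config(cfg, intent=INTENT):
    """Return a list of findings; an empty list means the config meets the intent."""
    acls, policies, slot_apply, global_apply = {}, {}, {}, None
    for header, body in parse_sections(cfg):
        if (m := re.match(r"acl number (\d+)$", header)):
            acls[int(m.group(1))] = body
        elif (m := re.match(r"cpu-defend policy (\S+)$", header)):
            policies[m.group(1)] = body
        elif (m := re.match(r"slot (\d+)$", header)):
            for line in body:
                if (a := re.match(r"cpu-defend-policy (\S+)$", line)):
                    slot_apply[int(m.group(1))] = a.group(1)
        elif (m := re.match(r"cpu-defend-policy (\S+)$", header)):
            global_apply = m.group(1)

    findings = []
    if global_apply is None:
        findings.append("no attack defense policy applied to the MPU")
    for slot in intent["slots"]:
        if slot not in slot_apply:
            findings.append(f"no attack defense policy applied to slot {slot}")
    for name, body in policies.items():
        text = "\n".join(body)
        refs = re.findall(r"^(blacklist|whitelist|user-defined-flow) (\d+) acl (\d+)$", text, re.M)
        for kind in ("blacklist", "whitelist", "user-defined-flow"):
            if not any(k == kind for k, _, _ in refs):
                findings.append(f"{name}: no {kind} configured")
        for kind, idx, acl_id in refs:
            if not acl_matches(acls, int(acl_id), intent[kind]):
                findings.append(f"{name}: {kind} {idx} references acl {acl_id}, "
                                f"which does not permit source {intent[kind]}")
            if kind == "user-defined-flow" and not re.search(
                    rf"^car user-defined-flow {idx} cir \d+", text, re.M):
                findings.append(f"{name}: user-defined-flow {idx} has no CAR rate limit")
        if "auto-defend action deny" in body and "auto-defend alarm enable" not in body:
            findings.append(f"{name}: punish action deny is set without the attack source tracing alarm")
    return findings


if __name__ == "__main__":
    print(audit_config(CONFIG) or "configuration meets intent")
```

The check that a user-defined flow has a matching `car user-defined-flow` line matters because the flow definition alone only classifies packets; without the CAR line the Net3 traffic reaches the CPU unlimited, which is exactly the condition the roadmap sets out to prevent.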

Updated: 2019-04-01

Document ID: EDOC1000178319