Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, and security risks.
Applying an Attack Defense Policy

Context

As shown in Figure 3-5, packets destined for the CPU can be sent to the main control board directly or through LPUs. Consequently, attack defense policies must be configured on both the main control board and the LPUs.

Figure 3-5  Path of packets sent to the CPU

Before applying attack defense policies, check attack information on the main control board and LPUs, for example, source IP addresses of attack packets and attack packet types. If the attack information on the main control board and LPUs is consistent, apply the same attack defense policy to the main control board and LPUs; otherwise, apply different policies to them.

For example, if all attack packets received by the main control board and LPUs are sent from source IP address 10.1.1.0, configure an attack defense policy to block packets from this IP address and apply this policy to the main control board and the LPUs. If the main control board is attacked by ARP Request packets but the LPUs are attacked by DHCP packets, configure two attack defense policies to block ARP Request and DHCP packets and apply the policies to the main control board and the LPUs separately.
NOTE:

If parameters such as the threshold and sampling ratio are specified in attack defense policies, the values set for the main control board must be larger than those set for the LPUs.

  1. Apply an attack defense policy to a main control board.
  2. Apply an attack defense policy to LPUs.
    • If all LPUs process the same service, apply an attack defense policy to all LPUs.
    • If LPUs process different services, apply an attack defense policy to the specified LPU.

Procedure

  • Apply an attack defense policy to a main control board.

    1. Run the system-view command to enter the system view.
    2. Run the cpu-defend-policy policy-name1 command to apply an attack defense policy.

  • Apply an attack defense policy to all LPUs or a specified LPU.

    NOTE:

    If an attack defense policy has been applied to all LPUs, it cannot be applied to a specified LPU. Conversely, if an attack defense policy has been applied to a specified LPU, it cannot be applied to all LPUs.

    • If all LPUs process the same service, apply an attack defense policy to all LPUs.

      Run the cpu-defend-policy policy-name2 global command to apply an attack defense policy.

    • If LPUs process different services, apply an attack defense policy to a specified LPU.
      1. Run the slot slot-id command to enter the slot view.
      2. Run the cpu-defend-policy policy-name2 command to apply an attack defense policy.

        An attack defense policy applied to a slot view takes effect only for the LPU in this slot.
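The following is an added example, not part of the original guide: a Python check that reads a drafted or saved configuration and reports where the rules above are not met (no policy on the main control board, an LPU slot without a policy, or a policy applied both to all LPUs and to a specific slot). The sample configuration is constructed, and its layout (slot-view commands indented under "slot slot-id", "#" as a section separator) and the function names are assumptions.

```python
import re

# Constructed sample (not from the guide). Assumed layout: commands entered in a
# slot view appear indented under "slot <id>"; "#" separates sections.
SAMPLE_CONFIG = """\
#
cpu-defend-policy policy1
#
slot 1
 cpu-defend-policy policy2
#
slot 3
 cpu-defend-policy policy3
#
"""

APPLY_RE = re.compile(r"cpu-defend-policy (\S+)( global)?")

def parse_applied(config_text):
    """Map each place a policy is applied: main board, all LPUs, or one slot."""
    applied = {"main_board": None, "all_lpus": None, "slots": {}}
    slot = None
    for raw in config_text.splitlines():
        if not raw.startswith(" "):  # unindented line: back in the system view
            m = re.fullmatch(r"slot (\S+)", raw.strip())
            slot = m.group(1) if m else None
        m = APPLY_RE.fullmatch(raw.strip())
        if not m:
            continue
        if slot is not None:
            applied["slots"][slot] = m.group(1)   # applied in a slot view
        elif m.group(2):
            applied["all_lpus"] = m.group(1)      # "... global": all LPUs
        else:
            applied["main_board"] = m.group(1)    # system view: main control board
    return applied

def audit(config_text, lpu_slots):
    """Return findings for the rules in this section; lpu_slots lists LPU slot IDs."""
    a = parse_applied(config_text)
    findings = []
    if a["main_board"] is None:
        findings.append("main control board: no policy applied")
    if a["all_lpus"] and a["slots"]:
        findings.append("conflict: policy applied to all LPUs and to slot(s) "
                        + ",".join(sorted(a["slots"])))
    if not a["all_lpus"]:
        findings.extend(f"slot {s}: no policy applied"
                        for s in lpu_slots if s not in a["slots"])
    return findings
```

Calling audit(SAMPLE_CONFIG, ["1", "2", "3"]) reports that slot 2 has no policy, which leaves packets reaching the CPU through that LPU outside any attack defense policy.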

Updated: 2019-04-01

Document ID: EDOC1000178319