Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Example for Configuring the SAVI Function in a DHCPv6-Only Scenario

Networking Requirements

As shown in Figure 13-1, SwitchA functions as an access device connecting the hosts of an enterprise department. The department has many hosts, and to manage IPv6 addresses efficiently all of them obtain their IPv6 addresses through DHCPv6. If an attacker sends large numbers of forged DHCPv6 protocol packets or IPv6 data packets with spoofed source addresses, authorized users may lose connectivity, and their accounts and passwords may be stolen. To prevent this, the administrator wants SwitchA to discard invalid DHCPv6 protocol packets and IPv6 data packets with invalid source addresses, so that users receive stable service on a secure network.

Figure 13-1  Networking diagram for configuring the SAVI function in a DHCPv6-Only scenario

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure DHCPv6 snooping so that the switch learns binding entries (IPv6 address, MAC address, VLAN, and interface) from the DHCPv6 exchanges it observes. These entries are the reference against which the source addresses of DHCPv6 protocol packets and IPv6 data packets are checked.

  2. Enable the SAVI function so that the device can check the validity of the source addresses in DHCPv6 protocol packets based on the DHCPv6 snooping binding entries and filter out invalid packets.

  3. Enable IP source guard so that the device can check the validity of the source addresses in IPv6 data packets based on the DHCPv6 snooping binding entries and filter out invalid packets.
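
The three roadmap steps describe one mechanism: a binding table learned from DHCPv6 snooping, consulted by two checks (SAVI for DHCPv6 protocol packets, IPSG for IPv6 data packets). The Python model below is an added example, not Huawei code and not the S7700/S9700 implementation. It parses the IA_NA/IAADDR options of a DHCPv6 message (RFC 8415 layout) to build the binding when a REPLY arrives on the trusted port, and then applies the two checks to packets arriving on untrusted ports. The port names, MAC addresses, the 2001:db8::/32 addresses and the exchange in `demo()` are constructed; the exact set of message types the real `dhcp snooping check dhcp-request` validates is an assumption of this model.

```python
"""Model of DHCPv6-snooping-based source validation (SAVI + IPSG). Added example, not Huawei code."""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv6Address

# DHCPv6 message types and option codes (RFC 8415)
SOLICIT, ADVERTISE, REQUEST, CONFIRM, RENEW, REBIND, REPLY, RELEASE, DECLINE = 1, 2, 3, 4, 5, 6, 7, 8, 9
OPT_IA_NA, OPT_IAADDR = 3, 5
SERVER_MSGS = {ADVERTISE, REPLY}            # only the trusted (server-facing) port may send these
CLIENT_MSGS = {SOLICIT, REQUEST, CONFIRM, RENEW, REBIND}
CHECKED_MSGS = {RELEASE, DECLINE, RENEW, REBIND}   # assumption: messages checked against the binding table


def parse_options(data):
    """Yield (code, payload) from a DHCPv6 option list; stop cleanly on a truncated option."""
    off = 0
    while off + 4 <= len(data):
        code, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):
            break                                # truncated: ignore the rest instead of crashing
        yield code, data[off:off + length]
        off += length


def parse_dhcpv6(pkt):
    """Return (msg_type, transaction_id, [(IPv6Address, valid_lifetime), ...]) from a raw message."""
    if len(pkt) < 4:
        raise ValueError("DHCPv6 message too short")
    msg_type, xid, addrs = pkt[0], int.from_bytes(pkt[1:4], "big"), []
    for code, body in parse_options(pkt[4:]):
        if code != OPT_IA_NA or len(body) < 12:  # IA_NA: IAID(4) T1(4) T2(4) then sub-options
            continue
        for sub, sbody in parse_options(body[12:]):
            if sub == OPT_IAADDR and len(sbody) >= 24:   # addr(16) preferred(4) valid(4)
                addrs.append((IPv6Address(sbody[:16]), struct.unpack_from("!I", sbody, 20)[0]))
    return msg_type, xid, addrs


def build_dhcpv6(msg_type, xid, addrs=(), iaid=1):
    """Build a minimal DHCPv6 message with one IA_NA carrying the given IAADDRs (constructed input)."""
    sub = b"".join(struct.pack("!HH", OPT_IAADDR, 24) + IPv6Address(a).packed + struct.pack("!II", v, v)
                   for a, v in addrs)
    ia_na = struct.pack("!III", iaid, 0, 0) + sub
    return bytes([msg_type]) + xid.to_bytes(3, "big") + struct.pack("!HH", OPT_IA_NA, len(ia_na)) + ia_na


@dataclass(frozen=True)
class Binding:
    mac: str
    vlan: int
    port: str
    expires_at: int


@dataclass
class SaviSwitch:
    trusted_ports: set
    bindings: dict = field(default_factory=dict)   # IPv6Address -> Binding (the snooping binding table)
    pending: dict = field(default_factory=dict)    # transaction id -> (mac, vlan, port) of the requesting client

    def dhcpv6_packet(self, port, mac, vlan, pkt, now=0):
        """SAVI check of a DHCPv6 protocol packet. Returns 'accept' or 'drop'."""
        msg_type, xid, addrs = parse_dhcpv6(pkt)
        if port in self.trusted_ports:
            if msg_type == REPLY and xid in self.pending:          # learn the binding from the server's REPLY
                cmac, cvlan, cport = self.pending.pop(xid)
                for addr, valid in addrs:
                    self.bindings[addr] = Binding(cmac, cvlan, cport, now + valid)
            return "accept"
        if msg_type in SERVER_MSGS:
            return "drop"                                           # rogue DHCPv6 server on an untrusted port
        if msg_type in CHECKED_MSGS:                                # release/decline/renew must come from the owner
            for addr, _ in addrs:
                b = self.bindings.get(addr)
                if b is None or (b.mac, b.vlan, b.port) != (mac, vlan, port):
                    return "drop"
        if msg_type in CLIENT_MSGS:
            self.pending[xid] = (mac, vlan, port)
        if msg_type == RELEASE:
            for addr, _ in addrs:
                self.bindings.pop(addr, None)
        return "accept"

    def data_packet(self, port, mac, vlan, src_ip, now=0):
        """IPSG check of an IPv6 data packet: source must match a live binding for this port."""
        if port in self.trusted_ports:
            return "accept"
        b = self.bindings.get(IPv6Address(src_ip))
        if b is None or b.expires_at <= now or (b.mac, b.vlan, b.port) != (mac, vlan, port):
            return "drop"
        return "accept"


def demo():
    """Constructed exchange on the topology of Figure 13-1: host on GE1/0/1, server behind GE2/0/1."""
    sw = SaviSwitch(trusted_ports={"GE2/0/1"})
    host, other, vlan = "00:11:22:33:44:55", "00:11:22:33:44:66", 2
    sw.dhcpv6_packet("GE1/0/1", host, vlan, build_dhcpv6(REQUEST, 0xABC123))
    sw.dhcpv6_packet("GE2/0/1", "00:aa:bb:cc:dd:ee", vlan, build_dhcpv6(REPLY, 0xABC123, [("2001:db8::10", 3600)]))
    return {
        "legit data": sw.data_packet("GE1/0/1", host, vlan, "2001:db8::10", now=10),
        "spoofed source": sw.data_packet("GE1/0/1", host, vlan, "2001:db8::99", now=10),
        "stolen address on other port": sw.data_packet("GE1/0/2", other, vlan, "2001:db8::10", now=10),
        "expired lease": sw.data_packet("GE1/0/1", host, vlan, "2001:db8::10", now=4000),
        "rogue server": sw.dhcpv6_packet("GE1/0/2", other, vlan, build_dhcpv6(ADVERTISE, 0x1)),
        "forged release": sw.dhcpv6_packet("GE1/0/2", other, vlan, build_dhcpv6(RELEASE, 0x2, [("2001:db8::10", 0)])),
        "legit release": sw.dhcpv6_packet("GE1/0/1", host, vlan, build_dhcpv6(RELEASE, 0x3, [("2001:db8::10", 0)])),
    }
```

The "forged release" case is the attack from the networking requirements: without the protocol-packet check, a host on GE1/0/2 could release the address of the host on GE1/0/1 and interrupt its communication. One operational caveat the model makes visible: a RENEW for an address the switch has no binding for is dropped, so after a switch reboot clients may be cut off until they re-solicit; check whether your platform can persist the binding table across reboots before deploying this on production access ports.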

Procedure

  1. Enable the SAVI function.

    <HUAWEI> system-view
    [HUAWEI] sysname SwitchA
    [SwitchA] savi enable

  2. Create VLAN 2.

    [SwitchA] vlan batch 2
    

  3. Add GE1/0/1, GE1/0/2, and GE2/0/1 to VLAN 2.

    [SwitchA] interface gigabitethernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] port link-type access
    [SwitchA-GigabitEthernet1/0/1] port default vlan 2
    [SwitchA-GigabitEthernet1/0/1] quit
    [SwitchA] interface gigabitethernet 1/0/2
    [SwitchA-GigabitEthernet1/0/2] port link-type access
    [SwitchA-GigabitEthernet1/0/2] port default vlan 2
    [SwitchA-GigabitEthernet1/0/2] quit
    [SwitchA] interface gigabitethernet 2/0/1
    [SwitchA-GigabitEthernet2/0/1] port link-type trunk
    [SwitchA-GigabitEthernet2/0/1] port trunk allow-pass vlan 2
    [SwitchA-GigabitEthernet2/0/1] quit

  4. Configure DHCPv6 snooping.

    # Enable DHCPv6 snooping globally.

    [SwitchA] dhcp enable
    [SwitchA] dhcp snooping enable
    

    # Enable DHCPv6 snooping for VLAN 2.

    [SwitchA] vlan 2
    [SwitchA-vlan2] dhcp snooping enable

    # Enable DHCPv6 protocol packet validity check against the DHCPv6 snooping binding table in VLAN 2.

    [SwitchA-vlan2] dhcp snooping check dhcp-request enable
    [SwitchA-vlan2] quit
    

    # Configure GE2/0/1 connecting to the DHCP server as a trusted interface.

    [SwitchA] interface gigabitethernet 2/0/1
    [SwitchA-GigabitEthernet2/0/1] dhcp snooping trusted
    [SwitchA-GigabitEthernet2/0/1] quit
    

  5. Enable IP source guard for VLAN 2.

    [SwitchA] vlan 2
    [SwitchA-vlan2] ip source check user-bind enable
    [SwitchA-vlan2] quit
    

  6. Verify the configuration.

    # Run the display this command in the system view to verify that the SAVI function and DHCPv6 snooping are enabled globally.
    [SwitchA] display this
    ...
    #
    dhcp enable
    #
    dhcp snooping enable
    #
    savi enable
    #
    ...

    # Run the display this command in the VLAN view. The command output shows that DHCPv6 snooping, DHCPv6 protocol packet validity check against the DHCPv6 snooping binding table, and IP source guard have been enabled in VLAN 2.
    [SwitchA] vlan 2
    [SwitchA-vlan2] display this
    #
    vlan 2
     dhcp snooping enable
     dhcp snooping check dhcp-request enable
     ip source check user-bind enable
    #
    return

    [SwitchA-vlan2] quit

    # Run the display this command in the interface view to verify that GE2/0/1, which connects to the DHCP server, is configured as a trusted interface.
    [SwitchA] interface gigabitethernet 2/0/1
    [SwitchA-GigabitEthernet2/0/1] display this
    #
    interface GigabitEthernet2/0/1
     port link-type trunk
     port trunk allow-pass vlan 2
     dhcp snooping trusted
    #
    return
    

Configuration Files

SwitchA configuration file

#
sysname SwitchA
#
vlan batch 2
#
dhcp enable
#
dhcp snooping enable
#
savi enable
#
vlan 2
 dhcp snooping enable
 dhcp snooping check dhcp-request enable
 ip source check user-bind enable
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 2
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 2
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 2
 dhcp snooping trusted
#
return

Updated: 2019-04-01

Document ID: EDOC1000178319