Configuration Guide - IP Service

CloudEngine 8800, 7800, 6800, and 5800 V200R003C00

This document describes the configurations of IP Service, including IP address, ARP, DHCP, DNS, IP performance optimization, IPv6, DHCPv6, and IPv6 DNS.

Example for Configuring the System to Discard Specified ICMP Packets

Networking Requirements

As shown in Figure 6-1, switch A functions as a convergence device. In the downlink direction it connects, through a DSLAM, to the user network serving individual and enterprise users. Attackers on the user network may flood switch A with ICMP packets whose TTL is 1, or with ICMP packets that carry options; every such packet must be handled by the device, which increases the traffic load and degrades device performance. To mitigate this, configure switch A to discard ICMP packets with TTL 1 and ICMP packets with options, and disable switch A from receiving ICMP Echo Request packets.

Figure 6-1 Networking diagram for configuring ICMP attack defense

Configuration Roadmap

Configure switch A to discard ICMP packets as follows:
  • Configure switch A to discard ICMP packets with TTL 1.
  • Configure switch A to discard ICMP packets with options.
  • Disable switch A from receiving ICMP Echo Request packets.

Note that the third item also stops legitimate hosts from pinging switch A (the verification in step 4 relies on exactly this), so any ping-based monitoring of switch A must be replaced by another method before applying it.

Procedure

  1. Add each interface to its VLAN.

    # Configure SwitchA.

    <HUAWEI> system-view
    [~HUAWEI] sysname SwitchA
    [*HUAWEI] commit
    [~SwitchA] vlan batch 100
    [*SwitchA] interface 10ge 1/0/1
    [*SwitchA-10GE1/0/1] port link-type trunk
    [*SwitchA-10GE1/0/1] port trunk allow-pass vlan 100
    [*SwitchA-10GE1/0/1] quit
    [*SwitchA] commit
    

    # Configure SwitchC.

    <HUAWEI> system-view
    [~HUAWEI] sysname SwitchC
    [*HUAWEI] commit
    [~SwitchC] vlan batch 100
    [*SwitchC] interface 10ge 1/0/1
    [*SwitchC-10GE1/0/1] port link-type trunk
    [*SwitchC-10GE1/0/1] port trunk allow-pass vlan 100
    [*SwitchC-10GE1/0/1] quit
    [*SwitchC] commit
    

  2. Configure IP addresses for VLANIF interfaces.

    # Configure IP addresses for interfaces on SwitchA.

    [~SwitchA] interface vlanif 100
    [*SwitchA-Vlanif100] ip address 10.1.1.2 24
    [*SwitchA-Vlanif100] quit
    [*SwitchA] commit
    

    # Configure IP addresses for interfaces on SwitchC.

    [~SwitchC] interface vlanif 100
    [*SwitchC-Vlanif100] ip address 10.1.1.1 24
    [*SwitchC-Vlanif100] quit
    [*SwitchC] commit
    

  3. Configure switch A to discard specified ICMP packets.

    # Configure switch A to discard ICMP packets with TTL 1.

    [~SwitchA] icmp ttl-exceeded drop all
    [*SwitchA] commit
    

    # Configure switch A to discard ICMP packets with options.

    [~SwitchA] icmp with-options drop all
    [*SwitchA] commit

    # Disable SwitchA from receiving ICMP Echo Request packets.

    [~SwitchA] icmp name echo receive disable
    [*SwitchA] commit

  4. Verify the configuration.

    # Ping SwitchA (10.1.1.2) from SwitchC. SwitchA no longer accepts ICMP Echo Request packets, so no Echo Reply is returned and every request times out. (The -r option of ping records the route, which adds an IP option to the request; such a request is also caught by the with-options rule.)

    [~SwitchC] ping -r 10.1.1.2
    PING 10.1.1.2: 56  data bytes, press CTRL_C to break
        Request time out
        Request time out
        Request time out
        Request time out
        Request time out
    
      --- 10.1.1.2 ping statistics ---
        5 packet(s) transmitted
        0 packet(s) received
        100.00% packet loss
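
The three rules configured in step 3 can be checked against concrete packets before they are applied to a production switch. The following Python script is an added example, not Huawei code: it parses raw IPv4 packets, applies a model of the three filters (TTL 1, IP options present, ICMP Echo Request) and reports a verdict. The evaluation order (TTL, then options, then echo), the verdict strings, the `icmp_verdict` and `build_packet` names and the sample packets (10.1.1.1 to 10.1.1.2, mirroring SwitchC to SwitchA, including a record-route option like the one `ping -r` inserts) are assumptions made for this illustration; the switch's real implementation may differ in order and in how it handles malformed packets.

```python
"""Model of the three ICMP filters configured on SwitchA, applied to raw IPv4 bytes.

Added example, not Huawei code. Rule names mirror the CLI commands; the
evaluation order, verdict strings and sample packets are assumptions.
"""
import struct

ICMP_PROTO = 1
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
# Constructed IP record-route option (type 7, length 11, pointer 4) with 8 bytes
# of empty route slots, similar to what a ping with -r inserts; padded to 12 bytes.
RECORD_ROUTE_OPTION = b"\x07\x0b\x04" + b"\x00" * 8


def _checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum, used by both the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt: bytes) -> dict:
    """Return the fields the policy needs: ttl, proto, has_options, payload."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than an IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, _, _ = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes; > 20 means options
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    if _checksum(pkt[:ihl]) != 0:        # a corrupted header is dropped before any policy
        raise ValueError("bad IPv4 header checksum")
    return {"ttl": ttl, "proto": proto, "has_options": ihl > 20,
            "payload": pkt[ihl:total_len]}


def icmp_verdict(pkt: bytes, ttl_exceeded_drop=True, with_options_drop=True,
                 echo_receive_disable=True) -> str:
    """Apply the SwitchA policy; each keyword argument mirrors one CLI command."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != ICMP_PROTO:
        return "accept"                         # the three commands affect ICMP only
    if ttl_exceeded_drop and ip["ttl"] == 1:
        return "drop:ttl-exceeded"              # icmp ttl-exceeded drop
    if with_options_drop and ip["has_options"]:
        return "drop:with-options"              # icmp with-options drop
    if echo_receive_disable and ip["payload"][:1] == bytes([ICMP_ECHO_REQUEST]):
        return "drop:echo-receive-disable"      # icmp name echo receive disable
    return "accept"


def build_packet(ttl: int, icmp_type: int, options: bytes = b"", proto: int = ICMP_PROTO,
                 src: bytes = b"\x0a\x01\x01\x01", dst: bytes = b"\x0a\x01\x01\x02") -> bytes:
    """Constructed packet 10.1.1.1 -> 10.1.1.2 with valid checksums.

    The body is always ICMP-shaped (64 bytes, like ping); for a non-ICMP
    proto only the IP header matters to the policy being modelled.
    """
    options += b"\x00" * (-len(options) % 4)      # options are padded to 32-bit words
    ihl_words = 5 + len(options) // 4
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + b"\x00" * 56
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    total_len = ihl_words * 4 + len(icmp)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len, 0, 0,
                      ttl, proto, 0, src, dst) + options
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + icmp


def run_samples() -> dict:
    """Constructed packets exercising each rule; returns {label: verdict}."""
    samples = {
        "echo request, ttl 64": build_packet(64, ICMP_ECHO_REQUEST),
        "echo reply, ttl 64": build_packet(64, ICMP_ECHO_REPLY),
        "echo reply, ttl 1": build_packet(1, ICMP_ECHO_REPLY),
        "ping -r style echo request": build_packet(64, ICMP_ECHO_REQUEST, RECORD_ROUTE_OPTION),
        "udp, ttl 1": build_packet(1, ICMP_ECHO_REQUEST, proto=17),
    }
    return {label: icmp_verdict(pkt) for label, pkt in samples.items()}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label:30s} -> {verdict}")
```

The UDP sample with TTL 1 is accepted, which shows the scope of these commands: they act on ICMP only and are not a substitute for general TTL or options filtering. Toggling `echo_receive_disable=False` lets the plain Echo Request through, which is the state a monitoring system would need if it pings the switch.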

Configuration Files

  • Configuration file of switch A

    #
    sysname SwitchA
    #
    vlan batch 100
    #
    icmp name echo receive disable
    icmp ttl-exceeded drop slot 1
    icmp with-options drop slot 1
    #
    interface Vlanif100
     ip address 10.1.1.2 255.255.255.0  
    #
    interface 10GE1/0/1 
     port link-type trunk 
     port trunk allow-pass vlan 100
    #
    return
  • Configuration file of switch C

    #
    sysname SwitchC
    #
    vlan batch 100
    #
    interface Vlanif100
     ip address 10.1.1.1 255.255.255.0
    #
    interface 10GE1/0/1 
     port link-type trunk 
     port trunk allow-pass vlan 100
    #
    return
Updated: 2019-05-08

Document ID: EDOC1100004354