
CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Example for Configuring Local Attack Defense

Networking Requirements

As shown in Figure 8-2, users on different LANs access the Internet through RouterA. To locate attacks on RouterA, attack source tracing needs to be configured. The following situations occur:

  • A user on Net1 frequently initiates attacks on RouterA.
  • The attacker sends a large number of ARP Request packets, which degrades CPU performance.
  • The administrator needs to upload files to RouterA using FTP, so an FTP connection between the administrator's host and RouterA needs to be set up.
  • Most LAN users obtain IP addresses through DHCP, but RouterA does not give dhcp-client packets sent to the CPU priority over other packets.
  • The Telnet server is not enabled on RouterA, yet RouterA often receives a large number of Telnet packets.

Configurations need to be performed on RouterA to solve the preceding problems.

Figure 8-2  Networking diagram for configuring local attack defense

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a blacklist and add attackers on Net1 to the blacklist to prevent users on Net1 from accessing the network.
  2. Configure the rate limit for ARP Request packets sent to the CPU to ensure that the CPU can process normal services.
  3. Configure active link protection (ALP) for FTP so that file data can be transmitted between the administrator's host and RouterA.
  4. Configure a high priority for dhcp-client packets so that RouterA first processes dhcp-client packets sent to the CPU.
  5. Disable the Telnet server on RouterA so that RouterA discards all received Telnet packets.

Procedure

  1. Configure an ACL to be referenced by the blacklist.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] acl number 4001
    [RouterA-acl-L2-4001] rule 5 permit source-mac 0001-c0a8-0102
    [RouterA-acl-L2-4001] quit
    

  2. Create an attack defense policy.

    [RouterA] cpu-defend policy devicesafety
    

  3. Configure the alarm threshold for attack source tracing.

    [RouterA-cpu-defend-policy-devicesafety] auto-defend enable
    [RouterA-cpu-defend-policy-devicesafety] auto-defend threshold 50

  4. Configure a blacklist.

    [RouterA-cpu-defend-policy-devicesafety] blacklist 1 acl 4001
    

  5. Configure the rate limit for ARP Request packets sent to the CPU.

    [RouterA-cpu-defend-policy-devicesafety] packet-type arp-request rate-limit 64
    

  6. Configure the rate limit for FTP packets after ALP is enabled.

    [RouterA-cpu-defend-policy-devicesafety] application-apperceive packet-type ftp rate-limit 2000
    

  7. Set the priority of dhcp-client packets.

    [RouterA-cpu-defend-policy-devicesafety] packet-type dhcp-client priority 3
    [RouterA-cpu-defend-policy-devicesafety] quit

  8. Apply the attack defense policy.

    # Enable ALP for FTP.

    [RouterA] cpu-defend application-apperceive ftp enable

    # Apply the attack defense policy to the main control board.

    [RouterA] cpu-defend-policy devicesafety

  9. Disable the Telnet server.

    [RouterA] undo telnet server enable
    NOTE:

    You do not need to disable application layer association. The Router discards all received Telnet packets after the Telnet server is disabled on the Router.

  10. Verify the configuration.

    # View information about the configured attack defense policy.

    [RouterA] display cpu-defend policy devicesafety
     Related slot : <0>
     BlackList Status :
       Slot<0> : Success
     Configuration :
       Blacklist 1 ACL number : 4001
       Packet-type arp-request rate-limit : 64(pps)
       Packet-type dhcp-client priority : 3
       Rate-limit all-packets : 2000(pps)(default)
       Application-apperceive packet-type ftp : 2000(pps)
       Application-apperceive packet-type tftp : 2000(pps)


    # View the rate limit configuration on the main control board. The output shows that application layer association for Telnet is configured, and that the rate limit for ARP Request packets sent to the CPU and the priority of dhcp-client packets are set.

    <Huawei> display cpu-defend configuration sru
    Rate configurations on main board.                                              
    -----------------------------------------------------------------               
    Packet-type              Status        Rate-limit(PPS)  Priority                
    -----------------------------------------------------------------               
    8021X                     Disabled          160             2                   
    arp-miss                  Enabled            64             2                   
    arp-reply                 Enabled           128             2                   
    arp-request               Enabled            64             2                   
    bfd                       Disabled          512             4                   
    bgp                       Enabled           256             3                   
    bgp4plus                  Enabled           256             3                   
    capwap                    Enabled           512             1
    dhcp-client               Enabled           128             3                   
    ......
    telnet-server             Disabled          128             4                   
    ttl-expired               Enabled           256             1                   
    udp-helper                Disabled           32             2                   
    unknown-multicast         Enabled           128             1                   
    unknown-packet            Enabled           256             1                   
    voice                     Enabled           256             4                   
    vrrp                      Disabled          256             3                   
    wapi                      Enabled          1024             2
    x25                       Enabled          4096             1 
    -----------------------------------------------------------------    

    # The following log generated for Net1 indicates that attack source tracing has taken effect.

    Dec 18 2010 09:55:50-05:13 device %%01SECE/4/USER_ATTACK(l)[0]:User attack
    occurred.(Slot=MPU, SourceAttackInterface=Ethernet2/0/1, OuterVlan/
    InnerVlan=0/0, UserMacAddress=0001-c0a8-0102, AttackPackets=48 packets per
    second)


    # View the statistics on packets sent to the SRU. The dropped ARP Request packets show that the rate limit for ARP Request packets is in effect.

    <Huawei> display cpu-defend statistics
    -----------------------------------------------------------------------         
    Packet Type               Pass Packets        Drop Packets                      
    -----------------------------------------------------------------------         
    8021X                                0                   0                      
    arp-miss                             5                   0                      
    arp-reply                         8090                   0                      
    arp-request                    1446576              127773                      
    bfd                                  0                   0                      
    bgp                                  0                   0                      
    bgp4plus                             0                   0                      
    dhcp-client                        879                   0                      
    dhcp-server                          0                   0                      
    dhcpv6-reply                         0                   0                      
    dhcpv6-request                       0                   0                      
    dns                                  4                   0                      
    fib-hit                              0                   0                      
    fr                                   0                   0
    ftp-client                           0                   0                      
    ftp-server                           0                   0                      
    ......
    udp-helper                           0                   0                      
    unknown-multicast                    0                   0                      
    unknown-packet                   66146                   0                      
    voice                                0                   0                      
    vrrp                                 0                   0                      
    ---------------------------------------------------------------------
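The verification step above is done by reading three pieces of device output by eye: the rate-limit table, the packet statistics, and the USER_ATTACK log. The following Python script is an added example (not Huawei code and not part of this guide) that automates those checks against text captured from the router: it confirms the intended settings (arp-request rate limit 64, dhcp-client priority 3, Telnet server disabled) appear in `display cpu-defend configuration sru`, lists packet types whose drop counter is non-zero in `display cpu-defend statistics`, and extracts the interface, MAC address and rate from the SECE/4/USER_ATTACK log so the traced MAC can be compared with the MAC covered by ACL 4001. The sample outputs embedded below are constructed, abridged copies of the output shown in this example; the column layout and log format are assumed to match what the router prints.

```python
import re

# Constructed samples, abridged from the display output and log shown in this example.
CONFIG_OUTPUT = """\
Rate configurations on main board.
-----------------------------------------------------------------
Packet-type              Status        Rate-limit(PPS)  Priority
-----------------------------------------------------------------
arp-reply                 Enabled           128             2
arp-request               Enabled            64             2
dhcp-client               Enabled           128             3
telnet-server             Disabled          128             4
-----------------------------------------------------------------
"""

STATS_OUTPUT = """\
-----------------------------------------------------------------------
Packet Type               Pass Packets        Drop Packets
-----------------------------------------------------------------------
arp-reply                         8090                   0
arp-request                    1446576              127773
dhcp-client                        879                   0
unknown-packet                   66146                   0
-----------------------------------------------------------------------
"""

ATTACK_LOG = (
    "Dec 18 2010 09:55:50-05:13 device %%01SECE/4/USER_ATTACK(l)[0]:User attack "
    "occurred.(Slot=MPU, SourceAttackInterface=Ethernet2/0/1, OuterVlan/"
    "InnerVlan=0/0, UserMacAddress=0001-c0a8-0102, AttackPackets=48 packets per second)"
)

# Settings the configuration roadmap intends; the MAC is the one matched by ACL 4001.
EXPECTED = {
    "arp-request": {"rate": 64},
    "dhcp-client": {"priority": 3},
    "telnet-server": {"status": "Disabled"},
}
BLACKLIST_MACS = {"0001-c0a8-0102"}

# Row patterns; header and dashed separator lines do not match either of them.
CONFIG_ROW = re.compile(r"^(\S+)\s+(Enabled|Disabled)\s+(\d+)\s+(\d+)$")
STATS_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")
ATTACK_RE = re.compile(
    r"SourceAttackInterface=([^,]+),.*?UserMacAddress=([0-9a-fA-F-]+),\s*"
    r"AttackPackets=(\d+)", re.DOTALL)


def parse_config(text):
    """Map packet type -> {status, rate, priority} from 'display cpu-defend configuration'."""
    rows = {}
    for line in text.splitlines():
        m = CONFIG_ROW.match(line.strip())
        if m:
            rows[m.group(1)] = {"status": m.group(2),
                                "rate": int(m.group(3)),
                                "priority": int(m.group(4))}
    return rows


def parse_stats(text):
    """Map packet type -> (passed, dropped) from 'display cpu-defend statistics'."""
    rows = {}
    for line in text.splitlines():
        m = STATS_ROW.match(line.strip())
        if m:
            rows[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return rows


def check_expected(config, expected):
    """Return a list of mismatches between the parsed table and the intended settings."""
    problems = []
    for ptype, want in expected.items():
        row = config.get(ptype)
        if row is None:
            problems.append(f"{ptype}: not present in output")
            continue
        for key, value in want.items():
            if row[key] != value:
                problems.append(f"{ptype}: {key} is {row[key]}, expected {value}")
    return problems


def dropped_types(stats):
    """Packet types with a non-zero drop counter, i.e. where a rate limit is taking effect."""
    return sorted(ptype for ptype, (_, dropped) in stats.items() if dropped > 0)


def parse_attack_log(line):
    """Extract interface, MAC and rate from a SECE/4/USER_ATTACK log line, or None."""
    m = ATTACK_RE.search(line)
    if not m:
        return None
    return {"interface": m.group(1), "mac": m.group(2).lower(), "pps": int(m.group(3))}


def mac_in_blacklist(mac, blacklist):
    """True if the traced MAC is one the blacklist ACL already covers."""
    return mac.lower() in {m.lower() for m in blacklist}


def verify(config_text=CONFIG_OUTPUT, stats_text=STATS_OUTPUT, log_line=ATTACK_LOG):
    """Run all three checks and return a summary dict."""
    attack = parse_attack_log(log_line)
    return {
        "config_problems": check_expected(parse_config(config_text), EXPECTED),
        "dropped": dropped_types(parse_stats(stats_text)),
        "attack": attack,
        "attacker_blacklisted": bool(attack) and mac_in_blacklist(attack["mac"], BLACKLIST_MACS),
    }


if __name__ == "__main__":
    for key, value in verify().items():
        print(f"{key}: {value}")
```

In practice the three text arguments of `verify()` would be filled from the real command output (for example captured over SSH); an empty `config_problems` list, `arp-request` as the only dropped type, and `attacker_blacklisted` being true correspond to the state this example expects after the configuration is applied. A traced MAC that is not in the blacklist set is the case worth alerting on, since it means attack source tracing found a source the ACL does not yet cover.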

Configuration Files

Configuration files on RouterA

#
sysname RouterA
#
acl number 4001
 rule 5 permit source-mac 0001-c0a8-0102
#
cpu-defend policy devicesafety
 blacklist 1 acl 4001
 packet-type arp-request rate-limit 64
 packet-type dhcp-client priority 3
 application-apperceive packet-type ftp rate-limit 2000
 auto-defend enable
 auto-defend threshold 50
#
 cpu-defend-policy devicesafety
# 
return
Updated: 2019-08-07

Document ID: EDOC1100034077