NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring Application Layer Association

This section describes how to configure association between the application layer and lower layers.

Usage Scenario

There are various application protocols on the router, but not all of them are used in actual networking. To save CPU resources and defend against attacks, unnecessary application protocol packets are not sent to the CPU for processing.

To save router resources, you can configure application layer association so that only packets of enabled protocols are sent to the CPU for processing. By default, packets of disabled protocols are sent to the CPU at a minimum bandwidth.

When application layer association is enabled and a protocol is enabled, that protocol's packets are sent to the CPU at the default bandwidth. When application layer association is enabled but a protocol is disabled, its packets are sent to the CPU at a minimum bandwidth or are simply dropped. When application layer association is disabled, protocols are not associated, and packets are sent to the CPU at the default bandwidth regardless of whether the protocols are enabled.

This feature is supported only on the Admin-VS.

Pre-configuration Tasks

Before configuring application layer association, configure parameters of the link layer protocol and IP addresses for interfaces and ensure that the link layer protocol on the interfaces is Up.

Configuration Procedure

Figure 8-4 Flowchart for configuring application layer association

Creating an Attack Defense Policy

All local attack defense features must be added to an attack defense policy. These features take effect after the attack defense policy is applied to the interface board.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run cpu-defend policy policy-number

    An attack defense policy is created.

  3. (Optional) Run description text

    The description of the attack defense policy is configured.

  4. Run commit

    The configuration is committed.

Follow-up Procedure

You must run the cpu-defend-policy command on the interface board to apply the attack defense policy to it. The configured attack defense policy takes effect only after it has been applied in this way.

Setting the Mode of Processing the Packets Sent to the CPU

This section describes the default mode of handling protocol packets when association between the application layer and lower layers is enabled but no upper-layer protocol is enabled.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run cpu-defend policy policy-number

    An attack defense policy is created and the attack defense view is displayed.

  3. Run application-apperceive default-action { drop | min-to-cp }

    The default mode of processing the packets sent to the CPU through application layer association is set. The default mode is either drop or min-to-cp.

    The advantage of the min-to-cp mode is that when a protocol covered by application layer association is disabled because of an attack, you can still gather information about the attack through attack source tracing. If the default mode is set to drop, exposure to attacks is reduced, but the attack source may be untraceable. Select the mode that suits your requirements.

  4. Run commit

    The configuration is committed.

Applying the Attack Defense Policy

The configured attack defense policy takes effect only after being applied to the interface board.

Context

The NE20E defines a default attack defense policy, which cannot be modified or deleted. When the NE20E starts, this policy is automatically applied to the interface board; its settings are the default configurations of each feature. To apply a specified attack defense policy to the interface board, run the cpu-defend-policy policy-number command on the interface board to bind that policy to it. If the cpu-defend-policy policy-number command is not run, the default attack defense policy is applied to the interface board.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run slot slot-id

    The slot view is displayed.

  3. Run cpu-defend-policy policy-number

    The attack defense policy is applied to the interface board.

    You must apply the attack defense policy to the interface board; otherwise, the policy does not take effect.

    The attack defense policy specified by policy-number must be a configured one. Otherwise, the policy cannot be applied.

  4. Run commit

    The configuration is committed.

Verifying the Application Layer Association Configuration

Procedure

  1. Run the display application-apperceive [ slot slot-id ] command to view information about application layer association.
  2. Run the display cpu-defend application-apperceive statistics [ slot slot-id ] command to view information about the packets discarded by application layer association.

Example

After application layer association takes effect, run the display application-apperceive slot 1 command to view information about application layer association on interface board 1.
<HUAWEI> display application-apperceive slot 1
------------------------------
  Slot               : 1
  Application Switch : Open
  Default Action     : Min-to-cp
  ------------------------------
  ProtocolName    ProtocolState  
  ------------------------------
  FTP SERVER          Open
  SSH SERVER          Open
  SNMP                Open
  TELNET SERVER       Open
  TFTP                Open
  BGP                 Open
  LDP                 Open
  RSVP                Open
  OSPF                Open
  RIP                 Open
  MSDP                Open
  PIM                 Open
  IGMP                Open
  ISIS                Open
  FTP CLIENT          Open
  TELNET CLIENT       Open
  SSH CLIENT          Open
  NTP                 Open
  RADIUS              Open
  HWTACACS            Open
  LSPPING             Open
  ICMP                Close
  VRRP                Open
  DHCP                Open
  BFD                 Open
  DNS CLIENT          Close
  802.1AG             Close
  IPFPM               Close
  SYSLOG              Close
  UNICAST VRRP        Close
  WEB_AUTH_SERVER     Close
  DIAMETER            Close
  OPENFLOW            Close
  TELNETV6SERVER      Open
  TELNETV6CLIENT      Close
  SSHV6SERVER         Close
  FTPV6CLIENT         Close
  FTPV6SERVER         Close
  BGPV6               Close
  OSPFV3              Close
  ICMPV6              Close
  PIMV6               Close
  LACP                Close
  IGPMU               Close
  DNSV6               Close
  WEB_AUTH_SERVER     Close
  ------------------------------
After application layer association takes effect, run the display cpu-defend application-apperceive statistics slot 1 command to view information about the packets discarded by application layer association on interface board 1.
<HUAWEI> display cpu-defend application-apperceive statistics slot 1
Slot/Intf Attack-Type              Total-Packets  Passed-Packets Dropped-Packets
--------------------------------------------------------------------------------
1         Application-Apperceive             363             363               0
--------------------------------------------------------------------------------
          SYSLOG                               0               0               0
          WEB AUTH SERVER                      0               0               0
          DIAMETER                             0               0               0
          OPENFLOW                             0               0               0
          DNS CLIENT                           0               0               0
          TELNET CLIENT                        0               0               0
          SSH CLIENT                           0               0               0
          8021AG                               0               0               0
          IPFPM                                0               0               0
          FTP CLIENT                           0               0               0
          BFD                                 11              11               0
          IGPMU                                4               4               0
          BGPV6                                0               0               0
          FTPV6SERVER                          0               0               0
          PIMV6                                0               0               0
          SSHV6SERVER                          0               0               0
          TELNETV6CLIENT                       0               0               0
          OSPFV3                               0               0               0
          DNSV6                                0               0               0
          ICMPV6                               0               0               0
          FTPV6CLIENT                          0               0               0
          TELNETV6SERVER                       0               0               0
          VRRP                                 0               0               0
          LSPPING                              0               0               0
          BGP                                 16              16               0
          LDP                                 45              45               0
          RSVP                                10              10               0
          OSPF                                11              11               0
          TFTP                                 0               0               0
          SNMP                                 0               0               0
          TELNET SERVER                        0               0               0
          FTP SERVER                           0               0               0
          SSH SERVER                           0               0               0
          IGMP                                 0               0               0
          RIP                                  0               0               0
          ICMP                               262             262               0
          NTP                                  0               0               0
          RADIUS                               0               0               0
          HWTACACS                             0               0               0
          ISIS                                 8               8               0
          LACP                                 0               0               0
          PIM                                  0               0               0
          DHCP                                 0               0               0
          MSDP                                 0               0               0
--------------------------------------------------------------------------------
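As an added example that is not part of the Huawei guide, the following Python correlates the two display outputs above: it parses the protocol states from display application-apperceive and the per-protocol counters from display cpu-defend application-apperceive statistics, then flags protocols that are Close but still receiving packets (sent to the CPU at the minimum bandwidth under min-to-cp) and any protocol with a non-zero Dropped-Packets count. The sample text is a constructed, abridged copy of the output format shown above, not captured from a device.

```python
import re
# Constructed sample, abridged from the two display commands shown on this page.
STATE_OUTPUT = """\
  Application Switch : Open
  ------------------------------
  ProtocolName    ProtocolState
  BGP                 Open
  ICMP                Close
  SSH CLIENT          Close
"""
STATS_OUTPUT = """\
Slot/Intf Attack-Type              Total-Packets  Passed-Packets Dropped-Packets
--------------------------------------------------------------------------------
1         Application-Apperceive             300             290              10
--------------------------------------------------------------------------------
          BGP                                 16              16               0
          ICMP                               262             252              10
          SSH CLIENT                          22              22               0
"""
STATE_RE = re.compile(r"^\s*(\S.*?)\s+(Open|Close)\s*$")
# Protocol rows are indented; the slot summary row starts at column 0 and so never matches.
STATS_RE = re.compile(r"^\s+(\S.*?)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
def key(name):
    # The two commands spell names differently (WEB_AUTH_SERVER vs WEB AUTH SERVER).
    return re.sub(r"[^A-Z0-9]", "", name.upper())

def parse_states(text):
    """Map normalised protocol name -> 'Open'/'Close'; rows containing ':' are headers."""
    states = {}
    for line in text.splitlines():
        if (m := STATE_RE.match(line)) and ":" not in line:
            states[key(m.group(1))] = m.group(2)
    return states

def parse_stats(text):
    """Map normalised protocol name -> (display name, total, passed, dropped)."""
    stats = {}
    for line in text.splitlines():
        if m := STATS_RE.match(line):
            stats[key(m.group(1))] = (m.group(1), *map(int, m.groups()[1:]))
    return stats

def review(state_text, stats_text):
    # Closed protocols that still receive packets and any protocol with drops are worth a look.
    states, findings = parse_states(state_text), []
    for k, (name, total, _passed, dropped) in parse_stats(stats_text).items():
        if states.get(k) == "Close" and total > 0:
            findings.append((name, f"closed protocol still received {total} packets"))
        if dropped > 0:
            findings.append((name, f"{dropped} packets dropped"))
    return sorted(findings)
```

Feed it the real output of both commands from the same slot; an empty list means every protocol reaching the CPU is one you enabled and nothing was discarded.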
Updated: 2019-01-02

Document ID: EDOC1100055397