Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
Example for Configuring Local Attack Defense

Networking Requirements

As shown in Figure 6-3, users on different network segments connect to the Internet through the Switch. Because the Switch serves a large number of users, it receives many packets destined for its CPU, so the CPU is exposed to attack.

  • The administrator needs to know the CPU status in real time and check whether the CPU is under attack. When a suspected attack occurs, the device sends an alarm to the administrator.
  • Users on Net1 are not allowed to access the Internet because they frequently launch attacks.
  • The CPU usage consumed by ARP Request packets must be reduced, because attackers may send a large number of ARP Request packets to degrade CPU performance.
Figure 6-3 Networking diagram for configuring local attack defense

Configuration Roadmap

The configuration roadmap is as follows:

  1. Attack source tracing provides traffic analysis and statistics collection, attack source identification, and an alarm function. Enable attack source tracing and its alarm function, and configure the attack source punish action. In this way, the administrator can monitor the CPU status in real time and stop potential attacks.
  2. Add users on Net1 to the blacklist to prevent them from accessing the network.
  3. Configure a rate limit (CAR) for ARP Request packets sent to the CPU to reduce the CPU usage consumed by these packets.

Procedure

  1. Configure a rule for filtering packets sent to the CPU.

    # Define an ACL rule.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch
    [*HUAWEI] commit
    [~Switch] acl number 2001
    [*Switch-acl4-basic-2001] rule permit source 10.1.1.0 0.0.0.255
    [*Switch-acl4-basic-2001] quit

  2. Configure an attack defense policy.

    # Create an attack defense policy.

    [*Switch] cpu-defend policy test1

    # Enable attack source tracing.

    [*Switch-cpu-defend-policy-test1] auto-defend enable

    # Enable the alarm function for attack source tracing.

    [*Switch-cpu-defend-policy-test1] auto-defend alarm enable

    # Configure the attack source punish action as discard.

    [*Switch-cpu-defend-policy-test1] auto-defend action deny

    # Configure a blacklist.

    [*Switch-cpu-defend-policy-test1] blacklist 1 acl 2001

    # Configure a rate limit for ARP packets sent to the CPU.

    [*Switch-cpu-defend-policy-test1] car packet-type arp pps 128
    [*Switch-cpu-defend-policy-test1] quit
    

  3. Apply the attack defense policy globally.

    [*Switch] cpu-defend-policy test1
    [*Switch] commit
    [~Switch] quit
    

  4. Verify the configuration.

    # View information about the configured attack defense policy.

    <Switch> display cpu-defend policy test1
    ==============================================
    Policy name: test1
    Policy applys on slot: <1>
    Car packet-type arp(pps) : 128
    Blacklist status:
    ----------------------------------------------
    Slot    Blacklist State       ACL    ACLIPv6
    ----------------------------------------------
    1       1         Successful  2001   --
    ==============================================

    # View the CAR configuration.

    <Switch> display cpu-defend configuration all
    Car configurations on slot 1 :                                                  
    ---------------------------------------------------                             
    PacketType            Status      Car(pps)                                      
    ---------------------------------------------------                             
    8021x                 Disabled         512 
    aaa                   Enabled          384                                      
    arp                   Enabled          128                                      
    arp-miss              Enabled          512                                      
    bfd                   Enabled         1024                                      
    bgp                   Enabled         1024                                      
    bpdu-tunnel           Enabled          512                                      
    dhcp                  Enabled          512                                      
    dldp                  Disabled         384                                      
    dns                   Disabled          32 
    efm                   Disabled         512 
    erps                  Disabled         128  
    fcoe                  Disabled        1280                                      
    fib-hit               Enabled          512                                      
    ftp                   Enabled          128                                      
    gmac                  Disabled         384                                      
    gre                   Disabled         256
    icmp                  Enabled          512                                      
    isis                  Disabled        1024                                      
    lacp                  Disabled         128                                      
    ldt                   Disabled         512                                      
    lldp                  Enabled          384                                      
    mtu                   Enabled          256 
    multicast             Enabled          512                                      
    nd                    Enabled         3072                                      
    ntp                   Enabled          128                                      
    ospf                  Disabled        1024                                      
    rip                   Disabled         512                                      
    smart-link            Disabled         128                                      
    snmp                  Enabled          256                                      
    stp                   Enabled          256                                      
    telnet                Enabled          256                                      
    trill                 Enabled         2048                                      
    trill-management      Enabled          512                                      
    ttl-expired           Enabled          256                                      
    udp-helper            Disabled         256                                      
    unknown-multicast     Enabled         1024                                      
    vrrp                  Disabled         256                                      
    ---------------------------------------------------                             
    Car all-packets (pps) : 5120                                                    
    ---------------------------------------------------   
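Checking the verification output by eye is error-prone when a policy is rolled out to many switches. The following Python script is an added example (not part of Huawei's guide or the CloudEngine software) that parses the two display outputs from step 4 and confirms the policy is applied on at least one slot, the blacklist bound to ACL 2001 is in the Successful state, and the ARP CAR is 128 pps in both the policy view and the effective CAR table. The sample output strings are constructed to follow the format shown above; the function names and expected values are this example's own.

```python
import re

# Constructed sample output, modelled on the "display cpu-defend" output shown
# in this example; it is not captured from a real device.
POLICY_OUTPUT = """\
==============================================
Policy name: test1
Policy applys on slot: <1>
Car packet-type arp(pps) : 128
Blacklist status:
----------------------------------------------
Slot    Blacklist State       ACL    ACLIPv6
----------------------------------------------
1       1         Successful  2001   --
==============================================
"""

CAR_OUTPUT = """\
Car configurations on slot 1 :
---------------------------------------------------
PacketType            Status      Car(pps)
---------------------------------------------------
arp                   Enabled          128
arp-miss              Enabled          512
icmp                  Enabled          512
telnet                Enabled          256
---------------------------------------------------
Car all-packets (pps) : 5120
---------------------------------------------------
"""

# One blacklist row: slot, blacklist id, state, IPv4 ACL, IPv6 ACL.
_BLACKLIST_ROW = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
# One CAR row: packet type, Enabled/Disabled, rate in pps.
_CAR_ROW = re.compile(r"^([\w-]+)\s+(Enabled|Disabled)\s+(\d+)\s*$")


def parse_policy(text):
    """Parse 'display cpu-defend policy <name>' into a dict."""
    policy = {"name": None, "slots": [], "car": {}, "blacklists": []}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Policy name:\s*(\S+)", line):
            policy["name"] = m.group(1)
        elif m := re.match(r"Policy applys on slot:\s*<([^>]*)>", line):
            policy["slots"] = [int(s) for s in m.group(1).split(",") if s.strip()]
        elif m := re.match(r"Car packet-type (\S+)\(pps\)\s*:\s*(\d+)", line):
            policy["car"][m.group(1)] = int(m.group(2))
        elif m := _BLACKLIST_ROW.match(line):
            slot, bl_id, state, acl, acl6 = m.groups()
            policy["blacklists"].append(
                {"slot": int(slot), "id": int(bl_id), "state": state,
                 "acl": acl, "acl6": acl6})
    return policy


def parse_car_table(text):
    """Parse 'display cpu-defend configuration all'.

    Returns ({packet_type: (status, pps)}, all_packets_pps).
    """
    table, all_packets = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := _CAR_ROW.match(line):
            table[m.group(1)] = (m.group(2), int(m.group(3)))
        elif m := re.match(r"Car all-packets \(pps\)\s*:\s*(\d+)", line):
            all_packets = int(m.group(1))
    return table, all_packets


def audit(policy, car, expected_name="test1", expected_acl="2001", expected_arp_pps=128):
    """Compare parsed output with the intended configuration.

    Returns a list of human-readable findings; an empty list means it matches.
    """
    findings = []
    if policy["name"] != expected_name:
        findings.append(f"policy name is {policy['name']!r}, expected {expected_name!r}")
    if not policy["slots"]:
        findings.append("policy is not applied on any slot")
    # The blacklist must reference the ACL and be Successful on every slot it appears on.
    rows = [b for b in policy["blacklists"] if b["acl"] == expected_acl]
    if not rows:
        findings.append(f"no blacklist references ACL {expected_acl}")
    for b in rows:
        if b["state"] != "Successful":
            findings.append(f"blacklist {b['id']} on slot {b['slot']} is {b['state']}")
    # The ARP rate limit must be present in the policy and effective in the CAR table.
    if policy["car"].get("arp") != expected_arp_pps:
        findings.append(f"policy arp CAR is {policy['car'].get('arp')}, expected {expected_arp_pps}")
    status, pps = car.get("arp", ("Missing", None))
    if status != "Enabled":
        findings.append(f"effective arp CAR is {status}")
    elif pps != expected_arp_pps:
        findings.append(f"effective arp CAR is {pps} pps, expected {expected_arp_pps}")
    return findings


if __name__ == "__main__":
    pol = parse_policy(POLICY_OUTPUT)
    tbl, total = parse_car_table(CAR_OUTPUT)
    for f in audit(pol, tbl) or ["OK: policy matches the intended configuration"]:
        print(f)
```

In practice the two strings would be replaced by output collected from the device (for example over SSH); the parser deliberately matches only the row shapes shown in the guide, so a changed output format produces a finding rather than a silent pass.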

Configuration Files

Configuration file of switch

#
sysname Switch
#                                                                               
cpu-defend policy test1                                                         
 blacklist 1 acl 2001                                                           
 car packet-type arp pps 128                                                    
 auto-defend enable                                                             
 auto-defend action deny                                                        
 auto-defend alarm enable                                                       
 auto-defend trace-type source-mac source-ip                    
 auto-defend protocol all                                                       
#   
cpu-defend-policy test1
#
acl number 2001
 rule 5 permit source 10.1.1.0 0.0.0.255
# 
return 
Updated: 2019-04-20

Document ID: EDOC1100074765