Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
Example for Configuring an ARP-Based ACL to Defend Against ARP Attacks

Networking Requirements

HostA, HostB, and HostC on a LAN communicate with the Internet through the gateway SwitchB, as shown in Figure 3-7. When HostA, HostB, and HostC go online, they exchange ARP packets, and the hosts and SwitchB generate the corresponding ARP entries. If an attacker uses HostC to send bogus ARP packets in the broadcast domain, SwitchB modifies its ARP entries accordingly. The attacker can then easily obtain information about HostA and HostB, or prevent HostA and HostB from accessing the Internet.

Therefore, if HostC is detected to be a potential attacker, configure an ARP-based ACL on SwitchB to discard the ARP packets sent from HostC to SwitchB.

Figure 3-7 Configuring ARP-based ACL to defend against ARP attacks

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure ARP-based ACL rules.

  2. Configure a traffic classifier.

  3. Configure a traffic behavior.

  4. Configure the traffic policy and apply the traffic policy to the related interface.

Procedure

  1. Configure ARP-based ACL rules.

    # Create ARP-based ACL 23000 on SwitchB and add rules to the ACL to match the following packets:

    • ARP request packets with source IP address 10.1.1.3/24 and source MAC address 3-3-3
    • ARP reply packets with destination IP address 10.1.1.3/24 and destination MAC address 3-3-3

    <HUAWEI> system-view
    [~HUAWEI] sysname SwitchB
    [*HUAWEI] commit
    [~SwitchB] acl 23000
    [*SwitchB-acl-arp-23000] rule permit request source-ip 10.1.1.3 24 source-mac 3-3-3
    [*SwitchB-acl-arp-23000] rule permit reply destination-ip 10.1.1.3 24 destination-mac 3-3-3
    [*SwitchB-acl-arp-23000] quit
    [*SwitchB] commit

  2. Configure a traffic classifier.

    # Create the traffic classifier c1 on SwitchB to match ACL 23000.

    [~SwitchB] traffic classifier c1
    [*SwitchB-classifier-c1] if-match acl 23000
    [*SwitchB-classifier-c1] quit
    [*SwitchB] commit

  3. Configure a traffic behavior.

    # Create the traffic behavior b1 on SwitchB and set the action to deny, so that packets matched by the classifier (the ARP packets permitted by ACL 23000) are discarded.

    [~SwitchB] traffic behavior b1
    [*SwitchB-behavior-b1] deny
    [*SwitchB-behavior-b1] quit
    [*SwitchB] commit

  4. Configure a traffic policy and apply the traffic policy to the inbound direction on 10GE1/0/1.

    # Create the traffic policy p1 on SwitchB, and bind the traffic classifier and traffic behavior to the traffic policy.

    [~SwitchB] traffic policy p1
    [*SwitchB-policy-p1] classifier c1 behavior b1
    [*SwitchB-policy-p1] quit
    [*SwitchB] commit

    # Apply the traffic policy p1 to the inbound direction on 10GE1/0/1.

    [~SwitchB] interface 10ge 1/0/1
    [~SwitchB-10GE1/0/1] traffic-policy p1 inbound
    [*SwitchB-10GE1/0/1] quit
    [*SwitchB] commit
    [~SwitchB] quit

  5. Verify the configuration.

    # View the ARP-based ACL configuration.

    <SwitchB> display acl 23000
    ARP ACL 23000, 2 rules
    ACL's step is 5
     rule 5 permit request source-ip 10.1.1.0 0.0.0.255 source-mac 0003-0003-0003 (0 times matched)
     rule 10 permit reply destination-ip 10.1.1.0 0.0.0.255 destination-mac 0003-0003-0003 (0 times matched)

    # View the traffic classifier configuration.

    <SwitchB> display traffic classifier c1
      Traffic Classifier Information:
        Classifier: c1
          Type: OR
          Rule(s):
            if-match acl 23000

    # View the traffic policy configuration.

    <SwitchB> display traffic policy p1
      Traffic Policy Information:
        Policy: p1
          Classifier: c1
            Type: OR
          Behavior: b1
            Deny
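The match logic that ACL 23000, classifier c1, and behavior b1 implement together, as an added Python model; this is not Huawei code and not part of this guide. It assumes simplified semantics: the typed form `source-ip 10.1.1.3 24` is expanded to the network/wildcard pair that `display acl 23000` shows, the MAC `3-3-3` is expanded to `0003-0003-0003`, a rule matches only when the ARP opcode, the IP address (under the wildcard) and the MAC address all agree, and `permit` in the ACL only selects a packet for classifier c1 while the drop comes from behavior b1. The sample ARP packets are constructed, not captured traffic.

```python
"""Model of ARP-based ACL 23000 and traffic policy p1 from the example.

Added illustration only: not Huawei code. Match semantics are simplified
assumptions (ARP opcode + IP under a wildcard mask + exact MAC).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


def normalize_mac(mac: str) -> str:
    """Expand the short form the operator typed ('3-3-3') to the
    zero-padded form the device displays ('0003-0003-0003')."""
    parts = mac.split("-")
    if len(parts) != 3:
        raise ValueError(f"expected H-H-H MAC, got {mac!r}")
    return "-".join(f"{int(part, 16):04x}" for part in parts)


def prefix_to_wildcard(ip: str, prefix_len: int) -> tuple[str, str]:
    """'10.1.1.3', 24 -> ('10.1.1.0', '0.0.0.255'): the network/wildcard
    pair that 'display acl 23000' shows for the configured rule."""
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    return str(net.network_address), str(net.hostmask)


@dataclass(frozen=True)
class ArpRule:
    rule_id: int
    opcode: str       # "request" or "reply"
    ip_field: str     # "source-ip" or "destination-ip"
    ip_base: str
    wildcard: str
    mac_field: str    # "source-mac" or "destination-mac"
    mac: str          # normalized form


@dataclass(frozen=True)
class ArpPacket:
    opcode: str
    src_ip: str
    src_mac: str
    dst_ip: str
    dst_mac: str


def ip_matches(ip: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    i = int(ipaddress.ip_address(ip))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return (i | w) == (b | w)


def rule_matches(rule: ArpRule, pkt: ArpPacket) -> bool:
    """All three conditions of a rule must hold: opcode, IP and MAC."""
    if pkt.opcode != rule.opcode:
        return False
    ip = pkt.src_ip if rule.ip_field == "source-ip" else pkt.dst_ip
    mac = pkt.src_mac if rule.mac_field == "source-mac" else pkt.dst_mac
    return ip_matches(ip, rule.ip_base, rule.wildcard) and normalize_mac(mac) == rule.mac


def build_acl_23000() -> list[ArpRule]:
    """The two rules configured on SwitchB, after the device's normalization."""
    base, wildcard = prefix_to_wildcard("10.1.1.3", 24)
    hostc_mac = normalize_mac("3-3-3")
    return [
        ArpRule(5, "request", "source-ip", base, wildcard, "source-mac", hostc_mac),
        ArpRule(10, "reply", "destination-ip", base, wildcard, "destination-mac", hostc_mac),
    ]


def policy_action(acl: list[ArpRule], pkt: ArpPacket) -> str:
    """Classifier c1 (type OR) matches a packet that any ACL rule permits;
    behavior b1 then denies it. 'permit' in the ACL therefore means
    'selected for the policy', not 'allowed through'."""
    return "deny" if any(rule_matches(rule, pkt) for rule in acl) else "pass"


# Constructed sample ARP packets arriving inbound on 10GE1/0/1.
SAMPLE_PACKETS = {
    # HostC announcing itself: dropped by rule 5.
    "hostc-request": ArpPacket("request", "10.1.1.3", "0003-0003-0003", "10.1.1.1", "0000-0000-0000"),
    # Reply addressed to HostC: dropped by rule 10.
    "reply-to-hostc": ArpPacket("reply", "10.1.1.1", "0001-0001-0001", "10.1.1.3", "0003-0003-0003"),
    # Same MAC from another address in 10.1.1.0/24: still dropped, because the
    # 24-bit prefix covers the whole subnet; only the MAC singles out HostC.
    "same-mac-other-ip": ArpPacket("request", "10.1.1.5", "0003-0003-0003", "10.1.1.1", "0000-0000-0000"),
    # HostC's IP with a different MAC: the MAC condition fails, so it passes.
    "hostc-ip-other-mac": ArpPacket("request", "10.1.1.3", "0001-0001-0001", "10.1.1.1", "0000-0000-0000"),
    # Same MAC outside the subnet: the IP condition fails, so it passes.
    "same-mac-other-subnet": ArpPacket("request", "10.1.2.3", "0003-0003-0003", "10.1.2.1", "0000-0000-0000"),
}


def evaluate_samples() -> dict[str, str]:
    acl = build_acl_23000()
    return {name: policy_action(acl, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, action in evaluate_samples().items():
        print(f"{name:24s} {action}")
```

Running the model shows two points that the CLI transcript alone does not make obvious: the 24-bit prefix widens the IP condition to the whole 10.1.1.0/24 subnet (as the normalized `10.1.1.0 0.0.0.255` in the `display acl` output indicates), so the MAC condition is what actually pins the rules to HostC; and a packet from HostC's IP address with a different MAC is not matched, so the ACL is only as tight as the MAC it was written for.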

Configuration Files

NOTE:

Only the configuration file on SwitchB is provided here.

# SwitchB configuration file

#
sysname SwitchB
#
acl number 23000
 rule 5 permit request source-ip 10.1.1.0 0.0.0.255 source-mac 0003-0003-0003   
 rule 10 permit reply destination-ip 10.1.1.0 0.0.0.255 destination-mac 0003-0003-0003
# 
traffic classifier c1 type or
 if-match acl 23000
#
traffic behavior b1
 deny
#
traffic policy p1
 classifier c1 behavior b1 precedence 5 
#
interface 10GE1/0/1
 traffic-policy p1 inbound
#
return
Updated: 2019-04-20

Document ID: EDOC1100074765