Example for Configuring Local Attack Defense
Networking Requirements
As shown in Figure 6-3, users on different network segments connect to the Internet through the Switch. The Switch is connected to a large number of users and receives many packets destined for its CPU, so the CPU of the Switch is prone to attacks.
- The administrator needs to know about the CPU status in real time and check whether the CPU is attacked. When a suspicious attack occurs, the device sends an alarm to the administrator.
- Users on Net1 are not allowed to access the Internet because they often initiate attacks.
- The CPU usage consumed by ARP Request packets must be reduced, because attackers may send a large number of ARP Request packets to degrade CPU performance.
Configuration Roadmap
The configuration roadmap is as follows:
- Attack source tracing provides traffic analysis and statistics collection, attack source identification, and an alarm function. Enable attack source tracing and its alarm function, and configure the attack source punish action. In this way, the administrator can know the CPU status in real time and prevent potential attacks.
- Add users on Net1 to the blacklist to prevent them from accessing the network.
- Configure a rate limit for ARP Request packets sent to the CPU to reduce the CPU usage occupied by ARP Request packets.
Procedure
- Configure a rule for filtering packets sent to the CPU.
# Define an ACL rule.
<HUAWEI> system-view
[~HUAWEI] sysname Switch
[*HUAWEI] commit
[~Switch] acl number 2001
[*Switch-acl4-basic-2001] rule permit source 10.1.1.0 0.0.0.255
[*Switch-acl4-basic-2001] quit
- Configure an attack defense policy.
# Create an attack defense policy.
[*Switch] cpu-defend policy test1
# Enable attack source tracing.
[*Switch-cpu-defend-policy-test1] auto-defend enable
# Enable the alarm function for attack source tracing.
[*Switch-cpu-defend-policy-test1] auto-defend alarm enable
# Configure the attack source punish action as discard.
[*Switch-cpu-defend-policy-test1] auto-defend action deny
# Configure a blacklist.
[*Switch-cpu-defend-policy-test1] blacklist 1 acl 2001
# Configure a rate limit for ARP packets sent to the CPU.
[*Switch-cpu-defend-policy-test1] car packet-type arp pps 128
[*Switch-cpu-defend-policy-test1] quit
- Apply the attack defense policy globally.
[*Switch] cpu-defend-policy test1
[*Switch] commit
[~Switch] quit
- Verify the configuration.
# View information about the configured attack defense policy.
<Switch> display cpu-defend policy test1
==============================================
 Policy name: test1
 Policy applys on slot: <3, 4>
 Car packet-type arp(pps) : 128
 Blacklist status:
----------------------------------------------
 Slot  Blacklist  State       ACL   ACLIPv6
----------------------------------------------
 3     1          Successful  2001  --
 4     1          Successful  2001  --
==============================================
# View the CAR configuration.
<Switch> display cpu-defend configuration all
 Car configurations on slot 1 :
---------------------------------------------------
 PacketType      Status     Car(pps)
---------------------------------------------------
 8021x           Disabled   512
 aaa             Enabled    384
 arp             Enabled    128
 arp-miss        Enabled    512
 ……
Configuration Files
Configuration file of switch
#
sysname Switch
#
cpu-defend policy test1
 blacklist 1 acl 2001
 car packet-type arp pps 128
 auto-defend enable
 auto-defend action deny
 auto-defend alarm enable
 auto-defend trace-type source-mac source-ip
 auto-defend protocol all
#
cpu-defend-policy test1
#
acl number 2001
 rule 5 permit source 10.1.1.0 0.0.0.255
#
return
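As an added example (not part of the Huawei documentation and not a tool the device provides), the following Python script audits a configuration file in the form shown above against the three requirements of this example: the attack defense policy exists and is applied globally with tracing, alarm and deny action enabled; the CAR for ARP packets sent to the CPU is at or below 128 pps; and the blacklist references an ACL whose wildcard rule matches Net1 (10.1.1.0/24) but not other segments. The sample configuration is reproduced inline, the one-space indentation used to group sub-commands, the probe addresses 10.1.1.10 and 10.1.2.5, and the first-match ACL evaluation are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample input: the switch configuration file from this page, embedded inline.
SAMPLE_CONFIG = """\
#
sysname Switch
#
cpu-defend policy test1
 blacklist 1 acl 2001
 car packet-type arp pps 128
 auto-defend enable
 auto-defend action deny
 auto-defend alarm enable
 auto-defend trace-type source-mac source-ip
 auto-defend protocol all
#
cpu-defend-policy test1
#
acl number 2001
 rule 5 permit source 10.1.1.0 0.0.0.255
#
return
"""


def parse_config(text):
    """Group the config into {top-level command: [sub-commands]}.
    Assumption: sub-commands are indented by one space under their parent."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() in ("#", "return"):
            continue
        if line.startswith(" "):
            if current is not None:
                sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections


def wildcard_match(addr, network, wildcard):
    """ACL wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is
    ignored, so 10.1.1.0 0.0.0.255 covers the whole 10.1.1.0/24 segment."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_rules(sections, acl_number):
    """Return (action, network, wildcard) tuples of a numbered basic ACL in rule order."""
    rules = []
    for line in sections.get(f"acl number {acl_number}", []):
        m = re.match(r"rule(?:\s+\d+)?\s+(permit|deny)\s+source\s+(\S+)\s+(\S+)", line)
        if m:
            rules.append(m.groups())
    return rules


def acl_permits(rules, addr):
    """First matching rule decides; no match means the ACL does not select the address."""
    for action, network, wildcard in rules:
        if wildcard_match(addr, network, wildcard):
            return action == "permit"
    return False


def audit(text, policy="test1", blocked_net="10.1.1.0/24",
          allowed_host="10.1.2.5", arp_pps_max=128):
    """Return a list of findings; an empty list means the config meets the requirements."""
    sections = parse_config(text)
    body = sections.get(f"cpu-defend policy {policy}")
    if body is None:
        return [f"policy {policy} not defined"]
    findings = []
    if f"cpu-defend-policy {policy}" not in sections:
        findings.append(f"policy {policy} defined but not applied globally")
    for required in ("auto-defend enable", "auto-defend alarm enable", "auto-defend action deny"):
        if required not in body:
            findings.append(f"missing '{required}' in policy {policy}")
    arp_pps = None
    for line in body:
        m = re.match(r"car packet-type arp pps (\d+)$", line)
        if m:
            arp_pps = int(m.group(1))
    if arp_pps is None:
        findings.append("no CAR limit for ARP packets sent to the CPU")
    elif arp_pps > arp_pps_max:
        findings.append(f"ARP CAR is {arp_pps} pps, above the {arp_pps_max} pps ceiling")
    acls = [m.group(1) for m in (re.match(r"blacklist \d+ acl (\d+)", l) for l in body) if m]
    if not acls:
        findings.append("no blacklist configured")
    probe = str(ipaddress.ip_network(blocked_net)[10])  # a representative Net1 host
    for acl in acls:
        rules = acl_rules(sections, acl)
        if not rules:
            findings.append(f"blacklist references ACL {acl}, which has no source rules")
        elif not acl_permits(rules, probe):
            findings.append(f"ACL {acl} does not blacklist {blocked_net}")
        elif acl_permits(rules, allowed_host):
            findings.append(f"ACL {acl} also blacklists {allowed_host}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["config matches the requirements"]:
        print(finding)
```

Run the script as-is to audit the embedded sample; to check a live device, paste the output of the configuration display into `SAMPLE_CONFIG` or read it from a file. A non-empty result lists exactly which requirement drifted, which is easier to act on than a raw diff of two configuration files.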