S600-E V200R019C10 Configuration Guide - Security

This document describes the configurations of Security, including ACL, Local Attack Defense, MFF, Attack Defense, Traffic Suppression and Storm Control, ARP Security, Port Security, DHCP Snooping, ND Snooping, IPv6 RA Guard, PPPoE+, IPSG, SAVI, PKI, OLC, Separating the Management Plane from the Service Plane, and Security Risks.

Summary of Local Attack Defense Configuration Tasks

Table 3-5 lists the tasks for configuring local attack defense.

Table 3-5 Local attack defense configuration tasks

Scenario: Configuring CPU Attack Defense

  When configuring CPU attack defense, create an attack defense policy first. The other tasks can be performed in any sequence and can be selected as required. An attack defense policy takes effect only after it is applied to an object. There is no limitation on when the attack defense policy is applied.

  Tasks:
  - Creating an Attack Defense Policy
  - Configuring a Blacklist
  - Configuring a Rule for Sending Packets to the CPU
  - Applying an Attack Defense Policy

Scenario: Configuring Attack Source Tracing

  When configuring attack source tracing, create an attack defense policy first and enable the attack source tracing function (enabled by default). The other tasks can be performed in any sequence and can be selected as required. An attack defense policy takes effect only after it is applied to an object. There is no limitation on when the attack defense policy is applied.

  Tasks:
  - Creating an Attack Defense Policy
  - Enabling Attack Source Tracing
  - Configuring the Threshold for Attack Source Tracing
  - Setting the Packet Sampling Ratio for Attack Source Tracing
  - Configuring an Attack Source Tracing Mode
  - Configuring the Types of Traced Packets
  - Configuring a Whitelist for Attack Source Tracing
  - Configuring the Event Reporting Function
  - Configuring Attack Source Punish Actions
  - Applying an Attack Defense Policy

Scenario: Configuring Port Attack Defense

  When configuring port attack defense, create an attack defense policy first and enable the port attack defense function (enabled by default). The other tasks can be performed in any sequence and can be selected as required. An attack defense policy takes effect only after it is applied to an object. There is no limitation on when the attack defense policy is applied.

  Tasks:
  - Creating an Attack Defense Policy
  - Enabling Port Attack Defense
  - Specifying the Protocols to Which Port Attack Defense Is Applied
  - Setting the Rate Threshold for Port Attack Defense
  - Setting the Sampling Ratio for Port Attack Defense
  - Setting the Aging Time for Port Attack Defense
  - Configuring the Whitelist for Port Attack Defense
  - Configuring the Report of Port Attack Defense Events
  - Applying an Attack Defense Policy