Configuring Campus Intranet Security

Access layer (access switch)

• Configuring storm control
• Configuring DHCP snooping
• Configuring IPSG
• Configuring DAI
• Configuring port isolation

1. Create an interface security profile in which security functions such as storm control can be enabled.
2. Create an interface object group, and add the physical interfaces to which the interface security profile is to be delivered to the interface object group.
3. Apply the interface security profile to the interface object group.
   NOTE:

   • When configuring DHCP snooping, you need to configure the physical interface on the DHCP server as a trusted interface.
   • When creating a fabric, you can enable storm control for the fabric.
   • When creating a VN, you can enable DHCP snooping on the user gateway in the VN.
   • If the connection type "terminal" is selected for a port during access management configuration for the fabric, the port isolation function is automatically configured on the port.

Access layer (WLAN air interface security)

• Configuring WIDS and WIPS
• Configuring spectrum analysis
• Configuring attack detection

Log in to the web system or CLI of the WAC to configure these functions.

Access layer (WLAN terminal access security)

Configuring security policies

Log in to the web system or CLI of the WAC to configure security policies. For details, see "Configuring WLAN Services" in WLAN Configuration (Distributed Gateway) and WLAN Configuration (Centralized Gateway).

Access layer (WLAN service security)

Configuring DTLS encryption

Log in to the web system or CLI of the WAC to configure DTLS encryption.

Aggregation layer

• If terminals are connected to the aggregation switch, perform security settings by referring to configuration at the access layer (access switch).
• If the aggregation switch functions as the user gateway or authentication point, perform security settings by referring to configuration at the core layer.

Core layer

• Configuring defense against CPU attacks
• Configuring attack source tracing
• Configuring port attack defense
• Configuring user-level rate limiting
• Enabling optimized ARP reply

To ensure that the CPU can process and respond to normal services, CPU protection functions are configured on the core switch by default. To adjust the parameters of these functions, you can run commands on the core switch. You are advised to perform the operations under the guidance of professional technical personnel.