Why Does the S5700 Fail to Restrict User Access Through a Traffic Policy?
Overview
The blacklist function of CPU attack defense, rather than a traffic policy, is recommended for restricting user access, for the following reason: the Control Plane Committed Access Rate (CPCAR) function is enabled on S series switches by default, and on some switches CPCAR takes precedence over traffic policies. On those switches, packets sent to the switch's CPU cannot be discarded by any traffic policy, so users can still access the switch.
This document describes the symptoms of the failures to restrict user access through traffic policies, analyzes the causes, and provides the solutions.
Prerequisites
This document uses Huawei S5700 series switches running V200R021C00 as an example. The working principle and configuration may vary according to the device model and software version. For details, see the corresponding product documentation.
Symptoms
Scenario 1: Prohibiting PCs from Accessing an S Series Switch
As shown in Figure 1-1, PC1 and PC2 are added to VLAN 10, and PC3 and PC4 are added to VLAN 20; Layer 2 switches are connected to SwitchA for Layer 2 transparent transmission, and VLANIF 10 and VLANIF 20 are configured on SwitchA. All terminals can communicate with each other.
It is required that PC1 can access all terminals (such as PC2) in VLAN 10 but cannot access terminals (such as PC3 and PC4) in other VLANs or switches (such as SwitchA).
#
acl number 3001
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.10.3 0
#
traffic classifier c1 operator or precedence 5
 if-match acl 3001
#
traffic behavior b1
 deny
#
traffic policy p1 match-order config
 classifier c1 behavior b1
#
interface GE0/0/1
 traffic-policy p1 inbound
#
Scenario 2: Allowing Only One VLANIF Interface Address of a Switch to Be Used as the Management Address
As shown in Figure 1-2, SwitchA has multiple VLANIF interfaces, such as VLANIF 10 and VLANIF 20. It is required that only the IP address 192.168.10.3 of VLANIF 10 be used as the management address for Telnet login.
#
acl number 3001
 rule 5 permit tcp destination 192.168.20.3 0 destination-port eq telnet
#
traffic classifier c1 operator or precedence 5
 if-match acl 3001
#
traffic behavior b1
 deny
#
traffic policy p1 match-order config
 classifier c1 behavior b1
#
interface GE0/0/1
 traffic-policy p1 inbound
#
Cause Analysis
When a user accesses a switch, the user's PC sends a packet with the destination IP address being the switch address. After receiving this packet, the switch sends it to the CPU for processing. By default, the switch rate-limits the packets sent to the CPU by applying the CPCAR function to these packets.
In the preceding example, all packets that match ACL 3001 are sent to the switch's CPU for processing, and the CPCAR function rate-limits these packets. However, according to the traffic policy p1, the deny action needs to be taken for these packets. In this case, the deny action in the traffic policy p1 conflicts with the rate limiting action.
Packets sent to the CPU match traffic classification rules in a traffic policy. When CPCAR conflicts with a traffic policy, only the one with a higher priority takes effect. In other words, if the priority of CPCAR on a switch is higher than that of a traffic policy, the problems described in scenario 1 and scenario 2 occur.
For S5700 series switches running V200R021C00, Table 1-1 lists the priorities of CPCAR and a traffic policy.
| Model | Priority Order |
|---|---|
| S5720-LI, S5720S-LI, S5720I-SI, and S5736-S | A traffic policy takes precedence over CPCAR. For ARP packets to be sent to the CPU in the DHCP and NAC authentication services, CPCAR takes precedence over a traffic policy. |
| S5735-L-I, S5735-L1, S5735-L, S5735S-L1, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S5731-H, S5731-H-K, S5731S-H, S5731-S, S5731S-S, S5732-H, and S5732-H-K | CPCAR takes precedence over a traffic policy. |
For the priorities of CPCAR and a traffic policy on other device models and software versions, see "Licensing Requirements and Limitations for Local Attack Defense" under "Local Attack Defense Configuration" in the Configuration Guide - Security.
Solution
To avoid the conflict that prevents a traffic policy from taking effect, you are advised to configure the blacklist function of CPU attack defense to restrict user access. The switch supports flexible blacklist settings through ACLs.
Both the blacklist and CPCAR are functions of the CPU attack defense feature. By default, the CPCAR function is enabled on the switch. If the blacklist function is also configured, the switch first rate-limits packets sent to the CPU based on the CPCAR value, then checks whether the packets match the blacklist, and discards the packets that match the blacklist.
Therefore, to solve the problem that the PC can still ping the switch, configure the blacklist function as shown in the following scenarios. Note the following:
- Packets matching an ACL that is applied to a blacklist are discarded, regardless of whether the ACL contains a permit or deny rule.
- If an ACL has no rule, the blacklist that references the ACL does not take effect.
- For the S5731-H, S5731-H-K, S5731-S, S5731S-H, S5731S-S, S5732-H, and S5732-H-K, after the fast ICMP reply function is enabled, ping detection cannot be blocked using the blacklist. The reason is as follows: After fast ICMP reply is enabled, the ICMP Echo Request packets received on an interface of the switch are not sent to the protocol stack for processing by the CPU. Instead, the packets are directly processed by the interface.
Scenario 1: Prohibiting PCs from Accessing an S Series Switch
PC1 and PC2 are added to VLAN 10, and PC3 and PC4 are added to VLAN 20; Layer 2 switches are connected to SwitchA for Layer 2 transparent transmission, and VLANIF 10 and VLANIF 20 are configured on SwitchA. All terminals can communicate with each other.
#
acl number 3001
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.10.3 0
#
cpu-defend policy test
 blacklist 1 acl 3001
#
cpu-defend-policy test global
#
Scenario 2: Allowing Only One VLANIF Interface Address of a Switch to Be Used as the Management Address
#
acl number 3001
 rule 5 permit tcp destination 192.168.20.3 0 destination-port eq telnet
#
cpu-defend policy test
 blacklist 1 acl 3001
#
cpu-defend-policy test global
#
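As an added illustration (not code from the Huawei document), the following Python models the ACL 3001 rules of scenario 1 together with the two behaviours the page describes: a traffic-policy deny that is ineffective for CPU-bound packets on models where CPCAR has precedence, and a blacklist that discards any matching packet regardless of the rule action and does nothing when the ACL is empty. The PC addresses (192.168.10.1 for PC1, 192.168.10.2 for PC2, 192.168.20.4 for PC4) are constructed assumptions; only 192.168.10.3 (VLANIF 10) comes from the page.

```python
import ipaddress

# Constructed copy of ACL 3001 from scenario 1: (rule number, action, src, src-wildcard, dst, dst-wildcard).
# Huawei wildcard masks: a 0 bit must match, a 1 bit is ignored; the CLI shorthand "0" means 0.0.0.0.
ACL_3001 = [
    (5, "permit", "192.168.10.0", "0.0.0.255", "192.168.20.0", "0.0.0.255"),
    (10, "permit", "192.168.10.0", "0.0.0.255", "192.168.10.3", "0"),
]


def _wildcard_match(addr, base, wildcard):
    """Return True if addr falls inside base/wildcard (wildcard = bits that may differ)."""
    w = int(wildcard) if wildcard.isdigit() else int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w  # bits that must be equal
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def first_matching_rule(acl, src, dst):
    """Return the lowest-numbered rule covering src->dst, or None (rules are evaluated in number order)."""
    for rule in sorted(acl, key=lambda r: r[0]):
        _, _, sbase, swild, dbase, dwild = rule
        if _wildcard_match(src, sbase, swild) and _wildcard_match(dst, dbase, dwild):
            return rule
    return None


def blacklist_discards(acl, src, dst):
    """Blacklist semantics from the page: a match is discarded whether the rule says permit or deny,
    and a blacklist bound to an ACL with no rules has no effect."""
    if not acl:
        return False
    return first_matching_rule(acl, src, dst) is not None


def traffic_policy_deny_effective(acl, src, dst, cpcar_over_policy, sent_to_cpu):
    """Deny action of traffic policy p1: effective only for matching packets, and, for packets
    sent to the CPU, only on models where the traffic policy takes precedence over CPCAR."""
    if first_matching_rule(acl, src, dst) is None:
        return False
    if sent_to_cpu and cpcar_over_policy:
        return False  # CPCAR wins: the packet is rate-limited, not dropped, and the user still gets in
    return True


if __name__ == "__main__":
    pc1, pc2, pc4, vlanif10 = "192.168.10.1", "192.168.10.2", "192.168.20.4", "192.168.10.3"
    # PC1 -> switch management address: traffic policy fails on a CPCAR-first model, blacklist succeeds.
    print(traffic_policy_deny_effective(ACL_3001, pc1, vlanif10, cpcar_over_policy=True, sent_to_cpu=True))
    print(blacklist_discards(ACL_3001, pc1, vlanif10))
    # PC1 -> PC2 in the same VLAN matches no rule, so it is still allowed either way.
    print(blacklist_discards(ACL_3001, pc1, pc2))
    # PC1 -> PC4 is forwarded, not CPU-bound, so the traffic policy deny works there regardless of model.
    print(traffic_policy_deny_effective(ACL_3001, pc1, pc4, cpcar_over_policy=True, sent_to_cpu=False))
```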