Ip Source Guard Features Supported By The S9300; Figure 5-2 Diagram Of The Urpf Function - Huawei Quidway S9300 Configuration Manual


Quidway S9300 Terabit Routing Switch
Configuration Guide - Security
the attack sources, the attack sources are judged according to traffic statistics that are collected based on the destination IP address (victim), source IP address, and inbound interface of packets.
The main process of the IP Source Trail function is as follows:
1. After confirming that a user is under attack, configure the IP Source Trail function based on the IP address of that user.
2. The CPU of the LPU collects statistics about packets whose destination address is the victim IP address. These statistics are sent to the CPU of the main control board periodically, or on request of the main control board.
3. The main control board identifies the attack source from the received statistics. The administrator then configures an ACL on the interface directly connected to the probable attack source and sets the ACL action to deny.
URPF
Unicast Reverse Path Forwarding (URPF) is mainly used to prevent network attacks by blocking packets with bogus source addresses.
As shown in Figure 5-2, S9300-A forges packets with the source address 2.1.1.1 and sends a request to S9300-B. S9300-B sends its response to the real owner of the source address 2.1.1.1. In this way, S9300-A attacks both S9300-B and S9300-C by sending the illegal packets.

Figure 5-2 Diagram of the URPF function
[Figure: three switches; labels as shown in the diagram: S9300-A 1.1.1.1/24, S9300-B 2.1.1.1/24, S9300-C 2.1.1.1/24]

When a packet arrives on a URPF-enabled interface, URPF obtains the source address and inbound interface of the packet and looks up the forwarding table for the entry matching the source address. If the entry is found, URPF checks whether the outbound interface of that entry is the same as the inbound interface of the packet. If the actual inbound interface differs from the interface recorded in the forwarding entry, the packet is discarded. In this way, URPF protects the network against attacks launched with forged source addresses.

5.2 IP Source Guard Features Supported by the S9300

This section describes how the IP Source Guard feature is supported on the S9300.
IP Source Guard
The IP Source Guard feature checks IP packets against the binding table, whose entries contain source IP addresses, source MAC addresses, and VLANs. In addition, the S9300 can check IP packets based on:
• Source address
• IP+MAC
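The strict URPF check and the IP Source Trail statistics described in the sections above, as an added example that is not code from the Huawei manual: a Python model of S9300-B from Figure 5-2 that runs the reverse-path check and the per-victim statistics over a constructed packet stream. The interface names GE1/0/1 (toward S9300-A) and GE1/0/2 (toward S9300-C), the address 2.1.1.2 for S9300-B, the forwarding table and the packets are all assumptions for the example.

```python
"""Added example (not code from the Huawei S9300 manual): a Python model of
S9300-B from Figure 5-2 that applies the strict URPF check and the IP Source
Trail statistics described in the text to a constructed packet stream.
Assumptions (not in the manual): interface names GE1/0/1 (toward S9300-A)
and GE1/0/2 (toward S9300-C), the address 2.1.1.2 for S9300-B, and the
packets defined below."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed forwarding table of S9300-B: prefix -> outbound interface.
FIB = {
    ip_network("1.1.1.0/24"): "GE1/0/1",   # S9300-A's subnet
    ip_network("2.1.1.0/24"): "GE1/0/2",   # S9300-C's subnet
}


def fib_lookup(fib, addr):
    """Longest-prefix match on the forwarding table; None if no route."""
    best_net, best_iface = None, None
    for net, iface in fib.items():
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def urpf_strict(fib, src, in_iface):
    """Strict URPF as the manual describes it: the packet passes only if the
    forwarding entry for its source address points out of the interface the
    packet arrived on. A source with no route at all is also rejected."""
    out_iface = fib_lookup(fib, ip_address(src))
    return out_iface is not None and out_iface == in_iface


def filter_packets(fib, packets):
    """Apply urpf_strict to every (src, dst, in_iface) tuple.
    Returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for pkt in packets:
        src, _dst, in_iface = pkt
        (forwarded if urpf_strict(fib, src, in_iface) else dropped).append(pkt)
    return forwarded, dropped


def source_trail(packets, victim):
    """IP Source Trail statistics for one victim address: count packets by
    (source address, inbound interface), most frequent first. The inbound
    interface is what identifies the attacker's link even when the source
    address is forged."""
    stats = Counter(
        (src, in_iface) for src, dst, in_iface in packets if dst == victim
    )
    return stats.most_common()


# Constructed packet stream as seen by S9300-B: (src, dst, inbound interface).
PACKETS = (
    [("1.1.1.1", "2.1.1.2", "GE1/0/1")]        # legitimate request from S9300-A
    + [("2.1.1.1", "1.1.1.1", "GE1/0/2")]      # legitimate traffic from S9300-C
    + [("2.1.1.1", "2.1.1.2", "GE1/0/1")] * 5  # S9300-A spoofing S9300-C's address
    + [("9.9.9.9", "2.1.1.2", "GE1/0/1")]      # source with no route at all
)


if __name__ == "__main__":
    forwarded, dropped = filter_packets(FIB, PACKETS)
    print(f"URPF forwarded {len(forwarded)}, dropped {len(dropped)}")
    for src, _, iface in dropped:
        route = fib_lookup(FIB, ip_address(src))
        print(f"  dropped src={src} inbound={iface} (route back to src: {route})")
    print("IP Source Trail statistics for victim 2.1.1.2:")
    for (src, iface), n in source_trail(PACKETS, "2.1.1.2"):
        print(f"  src={src} inbound={iface} packets={n}")
```

The forged packets fail the check because the route back to 2.1.1.0/24 leaves S9300-B through GE1/0/2, not through GE1/0/1 where they arrived; the unroutable source is dropped for the same reason. This is the strict form of the check the text describes, so it also drops legitimate traffic on links where forward and return paths differ (asymmetric routing), which is why it belongs on edge or access interfaces where the return path is unambiguous. In the Source Trail counts, the inbound interface rather than the forged source address is what points at S9300-A, which is why step 3 of the procedure applies the deny ACL on the interface connected to the attack source.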
5 Source IP Attack Defense Configuration
Issue 06 (2010-01-08) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 5-3
