Huawei Quidway S9300 Configuration Manual page 202

Terabit routing switch

5 Source IP Attack Defense Configuration

IP Source Guard
The S9300 provides two binding mechanisms:
• IP+VLAN
• IP+MAC+VLAN
NOTE
IP addresses here include both IPv4 and IPv6 addresses. That is, after the IP Source Guard feature is enabled, the S9300 checks both the source IPv4 addresses and the source IPv6 addresses of IP packets from users.

After the DHCP snooping function is enabled for DHCP users, the binding table is generated dynamically for those users.
When users have static IP addresses, you need to configure the binding table by running commands.
NOTE
For the configuration of DHCP snooping, see 3 DHCP Snooping Configuration.
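The binding-table behaviour described above, as an added example in Python rather than code from the manual or from the S9300 itself. It models both binding mechanisms (IP+VLAN and IP+MAC+VLAN), entries learned from DHCP snooping beside entries configured by hand, and the check applied to IPv4 and IPv6 sources alike. The DHCP client, the static host and the packets are constructed for illustration.

```python
"""IP Source Guard binding-table check, modelled in Python (added example; not
the switch's own implementation). The DHCP lease, static host and packets
below are constructed for illustration."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Binding:
    ip: str             # normalised IPv4 or IPv6 address text
    vlan: int
    mac: Optional[str]  # None => IP+VLAN binding; set => IP+MAC+VLAN binding
    origin: str         # "dhcp-snooping" (learned) or "static" (configured)


def _normalise_ip(text: str) -> str:
    """Canonical text form so '2001:0db8::1' and '2001:db8::1' hit the same entry."""
    return str(ipaddress.ip_address(text))


class BindingTable:
    """Binding table keyed by (IP, VLAN): one entry per user address per VLAN."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, int], Binding] = {}

    def learn_from_dhcp(self, ip: str, vlan: int, mac: str) -> Binding:
        """Dynamic entry, as DHCP snooping would create when it sees the server
        assign `ip` to client `mac` in `vlan` (an IP+MAC+VLAN binding)."""
        b = Binding(_normalise_ip(ip), vlan, mac.lower(), "dhcp-snooping")
        self._entries[(b.ip, vlan)] = b
        return b

    def add_static(self, ip: str, vlan: int, mac: Optional[str] = None) -> Binding:
        """Static entry for a host with a fixed address, configured by command.
        Omitting `mac` gives an IP+VLAN binding; supplying it gives IP+MAC+VLAN."""
        b = Binding(_normalise_ip(ip), vlan, mac.lower() if mac else None, "static")
        self._entries[(b.ip, vlan)] = b
        return b

    def permit(self, src_ip: str, vlan: int, src_mac: str) -> bool:
        """True if a user packet matches a binding and may be forwarded;
        False if IP Source Guard would discard it. IPv4 and IPv6 sources are
        checked the same way."""
        try:
            key = (_normalise_ip(src_ip), vlan)
        except ValueError:
            return False                      # not a valid IP address at all
        entry = self._entries.get(key)
        if entry is None:
            return False                      # no binding: unknown or spoofed source
        if entry.mac is None:
            return True                       # IP+VLAN: MAC is not part of the check
        return entry.mac == src_mac.lower()   # IP+MAC+VLAN: MAC must match as well


def demo() -> Dict[str, bool]:
    """Constructed scenario: one DHCP client and one static IPv6 host in VLAN 100."""
    table = BindingTable()
    table.learn_from_dhcp("192.0.2.10", 100, "00:11:22:33:44:55")  # DHCP ACK seen by snooping
    table.add_static("2001:db8::10", 100)                          # IP+VLAN, configured by hand
    return {
        "dhcp client, correct MAC":   table.permit("192.0.2.10", 100, "00:11:22:33:44:55"),
        "dhcp client IP, forged MAC": table.permit("192.0.2.10", 100, "aa:bb:cc:dd:ee:ff"),
        "dhcp client IP, wrong VLAN": table.permit("192.0.2.10", 200, "00:11:22:33:44:55"),
        "static v6 host, any MAC":    table.permit("2001:0db8::10", 100, "de:ad:be:ef:00:01"),
        "unbound source":             table.permit("192.0.2.99", 100, "00:11:22:33:44:55"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:28s} -> {'forward' if allowed else 'drop'}")
```

The point the example makes explicit is that an IP+VLAN binding does not tie the address to a MAC, so a host on the same VLAN can reuse a bound static address; IP+MAC+VLAN closes that gap, and DHCP snooping supplies the MAC automatically for dynamic users.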
IP Source Trail
NOTE
Currently, only IPv4 addresses can be traced when the IP Source Trail feature is enabled on the S9300.

The IP Source Trail feature of the S9300 is based on destination IP addresses: it is configured according to the IP address of the attacked user. The CPU of the LPU collects statistics about packets whose destination address is that user IP address. The statistics are sent to the CPU of the main control board at regular intervals, or on demand when the main control board requests them.

Querying the IP Source Trail statistics globally is supported. The global query provides a brief mode and a detailed mode:
• In brief mode, the source address, source interface, total traffic (number of bytes and packets), and average rate (bps and pps) of the traffic over a period of time are displayed.
• In detailed mode, the current rate of the traffic, the maximum rate, and the start time and end time of the traffic (the query time is displayed as the end time if the traffic has not ended when it is queried) are displayed in addition to the information shown in brief mode.

Querying the IP Source Trail statistics by board is also supported. When the statistics are queried by board, the main control board looks up the cached statistics for the destination IP address and displays the records from the specified board in brief mode.
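The collection and the three query forms described above, as an added example in Python (not code from the manual or from the S9300). It counts packets addressed to one traced IPv4 user per source address and source interface, then answers a global brief query, a global detailed query and a per-board query. The packet records are constructed; the 1-second rate buckets and the idle timeout that decides whether traffic has "ended" are assumptions of this model, not behaviour the manual specifies.

```python
"""IP Source Trail statistics, modelled in Python (added example; not the
switch's own code). Packet records are constructed. Assumptions: 1-second
buckets for rate measurement, and a record counts as 'ended' when no packet
has arrived for `idle_timeout` seconds."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class TrailRecord:
    src: str
    iface: str
    board: int                      # LPU slot that holds `iface`
    packets: int = 0
    bytes: int = 0
    start: Optional[float] = None   # first packet time
    last: Optional[float] = None    # most recent packet time
    per_second: Dict[int, int] = field(default_factory=lambda: defaultdict(int))  # bytes per 1-s bucket

    @property
    def max_rate_bps(self) -> int:
        return 8 * max(self.per_second.values(), default=0)

    def current_rate_bps(self, now: float) -> int:
        return 8 * self.per_second.get(int(now), 0)


class SourceTrail:
    """Per-destination statistics for one attacked user IP (IPv4 only)."""

    def __init__(self, attacked_ip: str, idle_timeout: float = 1.0) -> None:
        ip = ipaddress.ip_address(attacked_ip)
        if ip.version != 4:
            raise ValueError("only IPv4 destinations can be traced")
        self.dst = str(ip)
        self.idle_timeout = idle_timeout
        self.records: Dict[Tuple[str, str], TrailRecord] = {}

    def observe(self, ts: float, src: str, dst: str, iface: str, board: int, length: int) -> bool:
        """LPU side: count a packet only if it is addressed to the traced user."""
        if dst != self.dst:
            return False
        rec = self.records.get((src, iface))
        if rec is None:
            rec = self.records[(src, iface)] = TrailRecord(src, iface, board, start=ts)
        rec.packets += 1
        rec.bytes += length
        rec.last = ts
        rec.per_second[int(ts)] += length
        return True

    def _brief(self, rec: TrailRecord, period: float) -> Dict[str, object]:
        return {"src": rec.src, "iface": rec.iface, "board": rec.board,
                "packets": rec.packets, "bytes": rec.bytes,
                "avg_bps": 8 * rec.bytes / period, "avg_pps": rec.packets / period}

    def query_brief(self, period: float) -> Dict[Tuple[str, str], Dict[str, object]]:
        """Global query, brief mode: totals and average rate over `period` seconds."""
        return {k: self._brief(r, period) for k, r in self.records.items()}

    def query_detailed(self, period: float, now: float) -> Dict[Tuple[str, str], Dict[str, object]]:
        """Global query, detailed mode: brief fields plus current/max rate and
        start/end time; the query time stands in for the end time of traffic
        that is still flowing."""
        out: Dict[Tuple[str, str], Dict[str, object]] = {}
        for k, r in self.records.items():
            ended = r.last is not None and now - r.last >= self.idle_timeout
            d = self._brief(r, period)
            d.update({"current_bps": r.current_rate_bps(now), "max_bps": r.max_rate_bps,
                      "start": r.start, "end": r.last if ended else now, "ended": ended})
            out[k] = d
        return out

    def query_board(self, board: int, period: float) -> Dict[Tuple[str, str], Dict[str, object]]:
        """Query by board: the cached records of one LPU, in brief mode."""
        return {k: self._brief(r, period) for k, r in self.records.items() if r.board == board}


def demo() -> SourceTrail:
    """Constructed packets toward attacked user 192.0.2.7 over about two seconds."""
    trail = SourceTrail("192.0.2.7")
    packets = [  # (ts, src, dst, iface, board, bytes)
        (100.0, "198.51.100.5", "192.0.2.7", "GE1/0/1", 1, 1000),
        (100.3, "203.0.113.9", "192.0.2.7", "GE2/0/3", 2, 200),
        (100.5, "198.51.100.5", "192.0.2.7", "GE1/0/1", 1, 1000),
        (100.9, "198.51.100.5", "192.0.2.8", "GE1/0/1", 1, 1000),   # another user: not counted
        (101.2, "198.51.100.5", "192.0.2.7", "GE1/0/1", 1, 500),
    ]
    for p in packets:
        trail.observe(*p)
    return trail


if __name__ == "__main__":
    for key, row in demo().query_detailed(period=2.0, now=101.7).items():
        print(key, row)
```

Because the feature keys on the destination, the operator first needs the victim's address; the per-source records then show which interface the flood enters on, which is what a follow-up filter or IP Source Guard binding would be applied to.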
URPF
URPF takes effect only on the inbound interface of the S9300. If URPF is enabled on an interface, the URPF check is performed on packets received by that interface.

The S9300 supports two URPF check modes: strict check and loose check.
• Strict check: The source address of a packet must exist in the FIB table of the S9300, and the packet is forwarded only when the outbound interface of the route to that source address is the same interface on which the packet was received. Otherwise, the packet is dropped.
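The reverse-path check as an added example in Python (not code from the manual or the S9300). The strict rule is the one stated above; the loose rule used here (the source prefix must exist in the FIB, reachable through any interface) is the general definition from RFC 3704 and is an assumption of this example, as is the `allow_default` switch that decides whether a default route may satisfy the check. The FIB and packets are constructed.

```python
"""URPF (Unicast Reverse Path Forwarding) check, modelled in Python (added
example; not the switch's own code). The FIB and packets are constructed.
Strict rule: as the manual states. Loose rule: RFC 3704's general definition
(assumption). `allow_default`: whether a default route can satisfy the check
(assumption, mirroring the usual vendor option)."""
from __future__ import annotations

import ipaddress
from typing import Dict, List, Optional, Tuple


class Fib:
    """Minimal IPv4 FIB with longest-prefix-match lookup."""

    def __init__(self) -> None:
        self._routes: List[Tuple[ipaddress.IPv4Network, str]] = []

    def add(self, prefix: str, out_iface: str) -> None:
        self._routes.append((ipaddress.ip_network(prefix, strict=False), out_iface))
        self._routes.sort(key=lambda r: r[0].prefixlen, reverse=True)   # longest prefix first

    def lookup(self, ip: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
        addr = ipaddress.ip_address(ip)
        for net, iface in self._routes:
            if addr in net:
                return net, iface
        return None


def urpf_check(fib: Fib, src_ip: str, in_iface: str, mode: str = "strict",
               allow_default: bool = False) -> bool:
    """True if the packet passes the reverse-path check and may be forwarded."""
    hit = fib.lookup(src_ip)
    if hit is None:
        return False                      # no route back to the source: drop
    net, out_iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route matches: treat as unroutable
    if mode == "loose":
        return True                       # any route suffices
    if mode == "strict":
        return out_iface == in_iface      # route back must leave via the receiving interface
    raise ValueError(f"unknown URPF mode {mode!r}")


def demo() -> Dict[str, bool]:
    """Constructed edge switch: two customer prefixes and a default route to the uplink."""
    fib = Fib()
    fib.add("0.0.0.0/0", "GE1/0/0")        # uplink
    fib.add("10.1.0.0/16", "GE1/0/1")      # customer A
    fib.add("10.2.0.0/16", "GE1/0/2")      # customer B
    return {
        "A addr on A port, strict":            urpf_check(fib, "10.1.5.5", "GE1/0/1"),
        "A addr on B port, strict":            urpf_check(fib, "10.1.5.5", "GE1/0/2"),   # spoofed
        "A addr on B port, loose":             urpf_check(fib, "10.1.5.5", "GE1/0/2", "loose"),
        "A addr from uplink, strict":          urpf_check(fib, "10.1.5.5", "GE1/0/0"),
        "internet src from uplink, strict":    urpf_check(fib, "203.0.113.4", "GE1/0/0"),
        "internet src from uplink, strict+default":
            urpf_check(fib, "203.0.113.4", "GE1/0/0", allow_default=True),
        "internet src on A port, loose+default":
            urpf_check(fib, "203.0.113.4", "GE1/0/1", "loose", allow_default=True),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:42s} -> {'forward' if ok else 'drop'}")
```

Two of the constructed cases carry the practical caveat: strict mode drops legitimate traffic on asymmetric paths (the "A addr on B port" case would also be a real multi-homed customer), and loose mode combined with a default route accepts every source, so it only filters addresses with no route at all.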
5-4
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
Quidway S9300 Terabit Routing Switch
Configuration Guide - Security
Issue 06 (2010-01-08)
