4.7 Configuration Examples................................................................................................................................4-21

4.7.1 Example for Configuring ARP Security Functions..............................................................................4-22

4.7.2 Example for Configuring ARP Anti-Attack to Prevent Man-in-the-Middle Attacks..........................4-25

5 Source IP Attack Defense Configuration..............................................................................5-1

5.1 Overview of IP Source Guard.........................................................................................................................5-2

5.2 IP Source Guard Features Supported by the S9300........................................................................................5-3

5.3 Configuring IP Source Guard..........................................................................................................................5-5

5.3.1 Establishing the Configuration Task......................................................................................................5-5

5.3.2 (Optional) Configuring a Static User Binding Entry............................................................................. 5-5

5.3.3 Enabling IP Source Guard......................................................................................................................5-6

5.3.4 Configuring the Check Items of IP Packets...........................................................................................5-6

5.3.5 Checking the Configuration...................................................................................................................5-7

5.4 Configuring IP Source Trail............................................................................................................................5-8

5.4.1 Establishing the Configuration Task......................................................................................................5-8

5.4.2 Configuring IP Source Trail Based on the Destination IP Address.......................................................5-9

5.4.3 Checking the Configuration...................................................................................................................5-9

5.5 Configuring URPF........................................................................................................................................5-10

5.5.1 Establishing the Configuration Task....................................................................................................5-10

5.5.2 Enabling URPF....................................................................................................................................5-10

5.5.3 Setting the URPF Check Mode on an Interface...................................................................................5-11

5.5.4 (Optional) Disabling URPF for the Specified Traffic..........................................................................5-12

5.5.5 Checking the Configuration.................................................................................................................5-12

5.6 Maintaining Source IP Attack Defense.........................................................................................................5-13

5.6.1 Clearing the Statistics on IP Source Trail............................................................................................5-13

5.7 Configuration Examples................................................................................................................................5-13

5.7.1 Example for Configuring IP Source Guard..........................................................................................5-14

5.7.2 Example for Configuring IP Source Trail............................................................................................5-15

5.7.3 Example for Configuring URPF..........................................................................................................5-17

6 Local Attack Defense Configuration......................................................................................6-1

6.1 Overview of Local Attack Defense.................................................................................................................6-2

6.2 Local Attack Defense Features Supported by the S9300................................................................................6-2

6.3 Configuring the Attack Defense Policy.......................................................................................................... 6-3

6.3.1 Establishing the Configuration Task......................................................................................................6-3

6.3.2 Creating an Attack Defense Policy........................................................................................................ 6-4

6.3.3 Configuring the Whitelist.......................................................................................................................6-4

6.3.4 Configuring the Blacklist.......................................................................................................................6-4

6.3.5 Configuring User-Defined Flows...........................................................................................................6-5

6.3.6 Configuring the Rule for Sending Packets to the CPU..........................................................................6-6

6.3.7 Applying the Attack Defense Policy......................................................................................................6-6

6.3.8 Checking the Configuration...................................................................................................................6-7

Huawei Proprietary and Confidential

Quidway S9300 Terabit Routing Switch

Configuration Guide - Security

Issue 06 (2010-01-08)

Table of Contents