Configuration Examples; Example For Configuring An Attack Defense Policy - Huawei Quidway S3700 Series Configuration Manual


Quidway S3700 Series Ethernet Switches
Configuration Guide - Security
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 On S3700EI and S3700SI, run:
reset auto-defend attack-source
The statistics about the attack source are cleared.
----End

6.6 Configuration Examples

This section provides several configuration examples of attack defense policies.

6.6.1 Example for Configuring an Attack Defense Policy

This section provides an example of configuring an attack defense policy, including the
configuration of the ACL, the attack defense policy, the rule for sending packets to the CPU,
and the application of the attack defense policy.
Networking Requirements
As shown in Figure 6-1, three local user networks net1, net2 and net3 access the Internet through
the Switch. The Switch is connected to a large number of users, and receives many packets to
be sent to the CPU. In this case, the CPU of the Switch may be attacked by packets directed at
the CPU. To protect the CPU and enable the Switch to process services normally, you need to
configure local attack defense.
You need to configure the following attack defense features on the Switch:
- Users on net1 often attack the network and are added to the blacklist. In this manner, they
  cannot access the network.
- Set the CAR for sending ARP Request packets to the CPU to prevent attacks of ARP
  Request packets.
- Set the CIR for sending FTP packets to the CPU when FTP connections are set up.
Figure 6-1 Networking diagram for configuring the attack defense policy
[Figure labels: Net1: 1.1.1.0/24, Net2: 2.2.2.0/24, Net3: 3.3.3.0/24, Ethernet0/0/1, Switch, GE0/0/1, Internet]

6 Local Attack Defense Configuration
Issue 01 (2011-07-15) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.
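
The following Python model is an added illustration, not part of the Huawei manual and not switch configuration. It shows how the three requirements interact on CPU-bound traffic: the blacklist is checked first, then a per-packet-type token bucket enforces the committed rate. The rate values, burst size, class names and sample traffic are assumptions constructed for the example.

```python
import ipaddress

# Constructed policy for the three requirements above. The rates are
# assumptions for illustration; the page does not state any values.
BLACKLIST = [ipaddress.ip_network("1.1.1.0/24")]       # net1
CIR_BPS = {"arp-request": 64_000, "ftp": 128_000}      # assumed, bits/s

class TokenBucket:
    """Single-rate policer: byte tokens refill at CIR up to the burst size."""
    def __init__(self, cir_bps, cbs_bytes):
        self.rate = cir_bps / 8000.0      # bytes per millisecond
        self.cbs = self.tokens = cbs_bytes
        self.last_ms = 0

    def allow(self, now_ms, size):
        refill = (now_ms - self.last_ms) * self.rate
        self.tokens = min(self.cbs, self.tokens + refill)
        self.last_ms = now_ms
        if size > self.tokens:
            return False                  # over the committed rate: drop
        self.tokens -= size
        return True

class CpuDefendPolicy:
    """Hypothetical model: blacklist check first, then per-type rate limit."""
    def __init__(self, blacklist, cir_bps, cbs_bytes=1500):
        self.blacklist = blacklist
        self.buckets = {t: TokenBucket(r, cbs_bytes) for t, r in cir_bps.items()}
        self.stats = {}

    def handle(self, now_ms, src, ptype, size):
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in self.blacklist):
            verdict = "drop-blacklist"
        elif ptype in self.buckets and not self.buckets[ptype].allow(now_ms, size):
            verdict = "drop-rate"
        else:
            verdict = "to-cpu"
        self.stats[(ptype, verdict)] = self.stats.get((ptype, verdict), 0) + 1
        return verdict

def simulate():
    """Constructed traffic: a 1000-packet ARP Request burst from net2 in one
    second, then one FTP packet from net3 and one from blacklisted net1."""
    pol = CpuDefendPolicy(BLACKLIST, CIR_BPS)
    for ms in range(1000):
        pol.handle(ms, "2.2.2.10", "arp-request", 64)
    pol.handle(1000, "3.3.3.7", "ftp", 64)
    pol.handle(1000, "1.1.1.5", "ftp", 64)
    return pol.stats
```

In this model the ARP Request burst is cut to the initial burst allowance plus the committed rate, while FTP setup traffic from net3 still reaches the CPU because each packet type has its own bucket.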
