Huawei Quidway S3700 Series Configuration Manual page 205

Quidway S3700 Series Ethernet Switches
Configuration Guide - Security
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
Data Preparation
To complete the configuration, you need the following data:
l
l
l
l
l
Procedure
Step 1 Configure the rule for filtering packets to be sent to the CPU.
# Define ACL rules.
<Quidway> system-view
[Quidway] acl number 2001
[Quidway-acl-basic-2001] rule permit source 1.1.1.0 0.0.0.255
[Quidway-acl-basic-2001] quit
Step 2 Create an attack defense policy.
# Create an attack defense policy and configure the blacklist.
[Quidway] cpu-defend policy test1
[Quidway-cpu-defend-policy-test1] blacklist 1 acl 2001
Step 3 Configure the rule for sending packets to the CPU.
# Set the CIR for ARP Request packets.
[Quidway-cpu-defend-policy-test1] car packet-type arp-request cir 128
# Set the CIR for sending FTP packets to the CPU when FTP connections are set up.
[Quidway-cpu-defend-policy-test1] link-car packet-type ftp cir 128
[Quidway-cpu-defend-policy-test1] quit
Step 4 Apply the attack defense policy.
[Quidway] cpu-defend-policy test1 global
Step 5 Verify the configuration.
# View information about the configured attack defense policy.
<Quidway> display cpu-defend policy test1
Related slot : <0>
Issue 01 (2011-07-15)
Configure the ACL and define rules for filtering the packets to be sent to the CPU.
Create an attack defense policy and configure the whitelist, blacklist, and user-defined flow.
Configure the rule for sending packets to the CPU.
Apply the attack defense policy.
Name of the attack defense policy
IDs of the blacklist
ACL rule and number
Rate of sending ARP Requests packets to the CPU
Rate limit of sending FTP packets to the CPU when FTP connection is set up
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
6 Local Attack Defense Configuration
192