Upload: elizabeth-rich

Post on 24-Nov-2015
Example for Configuring Local Attack Defense

Applicability

This example applies to all versions and routers.

Networking Requirements

As shown in Figure 1, users on different LANs access the Internet through Router A. To locate attacks on Router A, attack source tracing needs to be configured to trace the attack source. The following situations occur:

A user on network segment Net1 frequently launches attacks against Router A.

The attacker sends a large number of ARP Request packets, degrading CPU performance.

The administrator needs to upload files to Router A using FTP. However, no FTP connection has been set up between the administrator's host and Router A.

Most LAN users obtain IP addresses through DHCP, but Router A does not preferentially process DHCP client packets sent to the CPU, so address allocation is delayed when the CPU is busy.

Configurations should be performed on Router A to solve the preceding problems.

NOTE: This section provides only the configuration procedures related to local attack defense. For details about routing configurations, see the Configuration Guide - IP Routing.

Figure 1 Networking diagram of attack defense policy configurations

Procedure

1. Configure Router A.

#
acl number 4001 //Configure the Layer 2 ACL referenced by the blacklist of local attack defense.
 rule 5 permit source-mac 0001-c0a8-0102 //Match the attacker's source MAC address.
#
cpu-defend policy devicesafety //Create a local attack defense policy.
 auto-defend enable //Enable attack source tracing.
 auto-defend threshold 50 //Set the attack source tracing threshold to 50 pps; a source sending faster than this is recorded as an attack source.
 blacklist 1 acl 4001 //Specify the blacklist; packets from sources matched by ACL 4001 are discarded.
 packet-type arp-request rate-limit 64 //Limit ARP Request packets sent to the CPU to 64 pps.
 application-apperceive packet-type ftp rate-limit 2000 //Limit FTP packets sent to the CPU to 2000 pps.
 packet-type dhcp-client priority 3 //Set the priority of DHCP client packets sent to the CPU to 3 (a larger value means a higher priority), so they are processed ahead of lower-priority packets.
#
cpu-defend-policy devicesafety //Apply the attack defense policy to the MPU.
#
return

2. Verify the configuration.

Run the display cpu-defend policy command on Router A to view information about the attack defense policy.

Run the display cpu-defend configuration command on Router A to view the rate limits applied to protocol packets, and the display auto-defend attack-source command to list the sources that attack source tracing has recorded.
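The policy above can only be exercised on a Huawei router, so the following Python model (an added example, not Huawei code and not part of the original page) replays its two mechanisms over a constructed packet trace: per-source attack source tracing with the 50 pps threshold, and the 64 pps ARP Request rate limit applied after the ACL 4001 blacklist. The trace itself, the normal host's MAC 0001-c0a8-0105 and the DHCP client's MAC 0001-c0a8-0110 are assumptions; the DHCP priority and the FTP limit are not modelled. The comparison it makes is the one that matters operationally: with the blacklist in place the attacker's ARP Requests never reach the CPU and the normal host's all do, whereas with the rate limit alone the 64 pps budget is consumed by the attacker and the legitimate host's ARP Requests are dropped with it.

```python
from collections import Counter, defaultdict

# Values taken from the cpu-defend policy "devicesafety" above.
AUTO_DEFEND_THRESHOLD = 50           # auto-defend threshold 50 (pps, per source)
ARP_REQUEST_RATE_LIMIT = 64          # packet-type arp-request rate-limit 64 (pps)
BLACKLIST_MACS = {"0001-c0a8-0102"}  # acl 4001 rule 5 permit source-mac ...


def build_trace():
    """Constructed trace of packets punted to Router A's CPU, as
    (second, source MAC, packet type) tuples. The attacker from the example
    bursts 120 ARP Requests per second for 3 s; a normal host (assumed MAC
    ...0105) sends 5 per second; a DHCP client (assumed MAC ...0110) sends
    2 Discover packets. Within each second the attacker's burst arrives first."""
    trace = []
    for second in range(3):
        trace += [(second, "0001-c0a8-0102", "arp-request")] * 120
        trace += [(second, "0001-c0a8-0105", "arp-request")] * 5
    trace += [(1, "0001-c0a8-0110", "dhcp-client")] * 2
    return trace


def trace_attack_sources(trace, threshold=AUTO_DEFEND_THRESHOLD):
    """Attack source tracing: count packets per source MAC in each one-second
    window and report every source whose peak rate exceeds the threshold.
    Returns {mac: peak_pps} for the sources that would be recorded."""
    per_second = Counter((second, mac) for second, mac, _ in trace)
    peak = defaultdict(int)
    for (second, mac), count in per_second.items():
        peak[mac] = max(peak[mac], count)
    return {mac: pps for mac, pps in peak.items() if pps > threshold}


def apply_policy(trace, blacklist=BLACKLIST_MACS, limits=None):
    """Model the policy's drop stages in the order assumed here: blacklisted
    sources are discarded first, then each packet type is capped at its
    per-second rate limit (packet types without a limit pass unchanged).
    Returns (delivered, dropped) Counters keyed by (mac, packet type)."""
    if limits is None:
        limits = {"arp-request": ARP_REQUEST_RATE_LIMIT}
    delivered, dropped = Counter(), Counter()
    accepted = Counter()  # (second, packet type) -> packets already let through
    for second, mac, ptype in trace:
        if mac in blacklist:
            dropped[(mac, ptype)] += 1
            continue
        limit = limits.get(ptype)
        if limit is not None and accepted[(second, ptype)] >= limit:
            dropped[(mac, ptype)] += 1
            continue
        accepted[(second, ptype)] += 1
        delivered[(mac, ptype)] += 1
    return delivered, dropped


if __name__ == "__main__":
    trace = build_trace()
    print("traced attack sources:", trace_attack_sources(trace))
    for label, bl in (("with blacklist", BLACKLIST_MACS), ("rate limit only", set())):
        delivered, dropped = apply_policy(trace, blacklist=bl)
        print(label, "delivered:", dict(delivered))
        print(label, "dropped:", dict(dropped))
```

Running it shows why the example configures both mechanisms rather than a rate limit alone: the CPCAR keeps the CPU load bounded regardless of who is sending, but only the traced-and-blacklisted source frees the ARP budget for legitimate hosts.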

