
Example for Configuring Local Attack Defense

This example describes how to configure local attack defense on Huawei routers; it applies to all versions.

Networking Requirements
As shown in Figure 1, users on different LANs access the Internet through Router A. To locate the source of attacks on Router A, attack source tracing needs to be configured. The following situations occur:

  • A user on network segment Net1 frequently initiates attacks against Router A.
  • The attacker sends a large number of ARP Request packets, degrading CPU performance.
  • The administrator needs to upload files to Router A using FTP. However, no FTP connection can be set up between the administrator's host and Router A.
  • Most LAN users obtain IP addresses through DHCP, but Router A does not give priority to DHCP client packets sent to the CPU.
Configure Router A as follows to solve the preceding problems.
NOTE:
This section provides only the configuration procedures related to local attack defense. For details about routing configurations, see the Configuration Guide - IP Routing.
Figure 1 Networking diagram of attack defense policy configurations

Procedure
1. Configure Router A (an AR3200 is used in this example).
#
acl number 4001 //Configure the ACL to be referenced by the blacklist of local attack defense.
 rule 5 permit source-mac 0001-c0a8-0102
#
cpu-defend policy devicesafety //Create a local attack defense policy.
 auto-defend enable  //Enable the attack source tracing capability.
 auto-defend threshold 50  //Set the attack source tracing threshold to 50 pps.
 blacklist 1 acl 4001 //Specify the blacklist.
 packet-type arp-request rate-limit 64 //Set the rate limit for ARP request packets sent to the CPU to 64 pps.
 application-apperceive packet-type ftp rate-limit 2000  //Set the rate limit for FTP packets to 2000 pps.
 packet-type dhcp-client priority 3  //Set the priority of the DHCP-client packets sent to the CPU to 3.
#
cpu-defend-policy devicesafety  //Apply the attack defense policy to the MPU.
#
return
2. Verify the configuration.
Run the display cpu-defend policy command on Router A to view information about the attack defense policy.
Run the display cpu-defend configuration command on Router A to view the rate limits for protocol packets.
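A mistake that the display commands will not flag for you is a policy that is internally inconsistent with the requirements: a blacklist that references an ACL that was never created or does not match the attacker's MAC, a rate limit or priority that was left out, or a policy that was created but never applied with cpu-defend-policy. The following Python script is an added example (not a Huawei tool and not part of the original page) that checks a configuration snippet in the display current-configuration layout shown above against the four requirements before it is pushed to the device. The parsing rules (a line containing only # closes the current view, indented lines belong to the view opened by the unindented line above them), the check names and both sample configurations are assumptions constructed for this example.

```python
import re

# Constructed sample: the configuration from the procedure above, laid out as
# display current-configuration prints it (assumption of this example).
GOOD_CONFIG = """\
#
acl number 4001
 rule 5 permit source-mac 0001-c0a8-0102
#
cpu-defend policy devicesafety
 auto-defend enable
 auto-defend threshold 50
 blacklist 1 acl 4001
 packet-type arp-request rate-limit 64
 application-apperceive packet-type ftp rate-limit 2000
 packet-type dhcp-client priority 3
#
cpu-defend-policy devicesafety
#
return
"""

# Constructed negative sample: no tracing threshold, the blacklist references
# an ACL that is never defined, no DHCP priority, policy never applied.
BAD_CONFIG = """\
acl number 4001
 rule 5 permit source-mac 0001-c0a8-0102
#
cpu-defend policy devicesafety
 auto-defend enable
 blacklist 1 acl 4002
 packet-type arp-request rate-limit 64
 application-apperceive packet-type ftp rate-limit 2000
#
"""


def parse_views(text):
    """Return ([(view header, [body lines])], [system-view commands])."""
    views, top_level, current = [], [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line in ("#", "return"):
            current = None                      # '#' closes the open view
            continue
        if line.startswith(" ") and current is not None:
            current[1].append(line.strip())
        elif line.startswith(("acl ", "cpu-defend policy ")):
            current = (line.strip(), [])
            views.append(current)
        else:                                   # e.g. 'cpu-defend-policy X'
            top_level.append(line.strip())
            current = None
    return views, top_level


def _norm_mac(mac):
    """'0001-c0a8-0102' -> '0001c0a80102' so MAC spellings compare equal."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def lint_policy(text, attacker_mac, policy_name="devicesafety"):
    """Return a list of findings; an empty list means all requirements are met."""
    views, top_level = parse_views(text)
    acls, policies = {}, {}
    for header, body in views:
        m = re.fullmatch(r"acl number (\d+)", header)
        if m:
            acls[int(m.group(1))] = body
        elif header.startswith("cpu-defend policy "):
            policies[header.split()[-1]] = body
    body = policies.get(policy_name)
    if body is None:
        return [f"cpu-defend policy {policy_name} is not defined"]
    findings = []

    def has(pattern):
        return any(re.fullmatch(pattern, ln) for ln in body)

    # Requirement 1: trace the attacker and blacklist its MAC; the blacklist
    # must reference an ACL that exists and permits that source MAC.
    if not has(r"auto-defend enable"):
        findings.append("attack source tracing is not enabled")
    if not has(r"auto-defend threshold \d+"):
        findings.append("auto-defend threshold is not set")
    blacklists = [m for m in (re.fullmatch(r"blacklist (\d+) acl (\d+)", ln)
                              for ln in body) if m]
    if not blacklists:
        findings.append("no blacklist configured")
    for m in blacklists:
        bl_id, acl_id = m.group(1), int(m.group(2))
        if acl_id not in acls:
            findings.append(f"blacklist {bl_id} references ACL {acl_id}, "
                            "which is not defined")
            continue
        permitted = {_norm_mac(r.group(1)) for r in
                     (re.match(r"rule \d+ permit source-mac (\S+)", ln)
                      for ln in acls[acl_id]) if r}
        if _norm_mac(attacker_mac) not in permitted:
            findings.append(f"ACL {acl_id} does not permit source MAC "
                            f"{attacker_mac}")

    # Requirements 2-4: ARP Request and FTP rate limits, DHCP client priority.
    for pattern, what in (
        (r"packet-type arp-request rate-limit \d+", "ARP Request rate limit"),
        (r"application-apperceive packet-type ftp rate-limit \d+", "FTP rate limit"),
        (r"packet-type dhcp-client priority \d+", "DHCP client priority"),
    ):
        if not has(pattern):
            findings.append(f"{what} is not set")

    # The policy only takes effect once applied in the system view.
    if f"cpu-defend-policy {policy_name}" not in top_level:
        findings.append(f"policy {policy_name} is not applied "
                        f"(cpu-defend-policy {policy_name} is missing)")
    return findings
```

Running lint_policy(GOOD_CONFIG, "0001-c0a8-0102") returns an empty list, while the negative sample yields four findings (missing threshold, undefined ACL 4002, missing DHCP priority, policy not applied). Passing a MAC other than the one the ACL permits flags the blacklist as not matching the attacker, which is the case the display commands are least likely to make obvious.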

Posted by lookafterpp in Huawei router.