Core-layer device security
Configuring CPU attack defense
<HUAWEI> system-view
[HUAWEI] acl number 2001
[HUAWEI-acl-basic-2001] rule permit source 10.1.1.0 0.0.0.255
[HUAWEI-acl-basic-2001] quit
[HUAWEI] cpu-defend policy test //create the attack defense policy and enter its view
[HUAWEI-cpu-defend-policy-test] car packet-type http cir 120 //CPCAR rate for HTTP packets before a connection is established (cir in kbit/s)
[HUAWEI-cpu-defend-policy-test] linkup-car packet-type http cir 120 //CPCAR rate for HTTP packets once the connection is established
[HUAWEI-cpu-defend-policy-test] deny packet-type icmp //drop ICMP packets sent to the CPU (note: this also stops ping to the device's own addresses)
[HUAWEI-cpu-defend-policy-test] blacklist 1 acl 2001 //CPU defense blacklist: packets matching ACL 2001 are discarded before reaching the CPU
[HUAWEI-cpu-defend-policy-test] quit
[HUAWEI] cpu-defend application-apperceive enable //enable dynamic link protection globally
[HUAWEI] cpu-defend application-apperceive http enable //enable dynamic link protection for HTTP protocol packets
A defined policy does nothing until it is applied; on S-series switches that is done in the system view with cpu-defend-policy test global (not shown in the original steps, so verify the exact form for your model).
Configuring attack source tracing
<HUAWEI> system-view
[HUAWEI] acl number 2001
[HUAWEI-acl-basic-2001] rule permit source 10.1.1.0 0.0.0.255
[HUAWEI-acl-basic-2001] quit
[HUAWEI] cpu-defend policy test //create the attack defense policy and enter its view
[HUAWEI-cpu-defend-policy-test] auto-defend enable //enable attack source tracing
[HUAWEI-cpu-defend-policy-test] auto-defend alarm enable //enable reporting of attack source tracing events
[HUAWEI-cpu-defend-policy-test] auto-defend whitelist 1 acl 2001 //attack source tracing whitelist: sources matching ACL 2001 are never treated as attackers
[HUAWEI-cpu-defend-policy-test] auto-defend action deny //enable punishment for traced attack sources and set the action to drop their packets
Configuring port attack defense
<HUAWEI> system-view
[HUAWEI] acl number 2001
[HUAWEI-acl-basic-2001] rule permit source 10.1.1.0 0.0.0.255
[HUAWEI-acl-basic-2001] quit
[HUAWEI] cpu-defend policy test //create the attack defense policy and enter its view
[HUAWEI-cpu-defend-policy-test] auto-port-defend enable //enable port attack defense
[HUAWEI-cpu-defend-policy-test] auto-port-defend alarm enable //enable reporting of port attack defense events
[HUAWEI-cpu-defend-policy-test] auto-port-defend whitelist 1 acl 2001 //port attack defense whitelist (the original listed auto-defend whitelist here, which is the attack source tracing whitelist, not the port defense one)
Configuring user-level rate limiting
<HUAWEI> system-view
[HUAWEI] cpu-defend host-car enable //enable user-level rate limiting (per-user CAR for packets sent to the CPU)
Configuring ARP packet rate limiting
<HUAWEI> system-view
[HUAWEI] arp anti-attack rate-limit enable //enable ARP packet rate limiting globally
[HUAWEI] arp speed-limit source-mac 0001-0001-0001 maximum 20 //rate limit for ARP packets from this source MAC address (packets per second)
[HUAWEI] arp speed-limit source-ip 10.1.1.1 maximum 20 //rate limit for ARP packets from this source IP address (packets per second)
Configuring ARP Miss message rate limiting
<HUAWEI> system-view
[HUAWEI] arp-miss anti-attack rate-limit enable //enable ARP Miss message rate limiting globally
[HUAWEI] arp-miss speed-limit source-mac 0001-0001-0001 maximum 20 //rate limit for ARP Miss messages triggered by this source MAC address
[HUAWEI] arp-miss speed-limit source-ip 10.1.1.1 maximum 20 //rate limit for ARP Miss messages triggered by this source IP address
Configuring aging of temporary ARP entries
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp-fake expire-time 3 //aging time (seconds) of temporary ARP entries created on ARP Miss; a short value limits how long a scan of unused addresses can hold fake entries
Configuring transit ARP packets not to be sent to the CPU
<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp optimized-passby enable //forward ARP packets not destined for this device without sending them to the CPU
Configuring ARP optimized reply
<HUAWEI> system-view
[HUAWEI] arp optimized-reply disable //disables ARP optimized reply (the original comment said "enable", but this command turns the feature off; it is on by default on most S-series models)
Configuring strict ARP learning
<HUAWEI> system-view
[HUAWEI] arp learning strict //enable strict ARP learning globally: only ARP replies to requests the device itself sent are learned
[HUAWEI] quit
Configuring an ARP entry limit
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp-limit maximum 20 //maximum number of dynamic ARP entries the interface may learn
Configuring an interface not to learn ARP entries
<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp learning disable //prohibit dynamic ARP learning on the interface (static entries are still usable)
Configuring ARP entry fixing
<HUAWEI> system-view
[HUAWEI] arp anti-attack entry-check fixed-mac enable //enable ARP entry fixing globally in fixed-mac mode: ARP packets whose MAC address differs from the existing entry are discarded
Configuring ARP gateway conflict defense
<HUAWEI> system-view
[HUAWEI] arp anti-attack gateway-duplicate enable //enable defense against gateway conflict attacks: ARP packets whose sender IP is one of the device's own gateway addresses are dropped
Configuring ARP gateway protection
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp trust source 10.1.1.1 //enable gateway protection: ARP packets received on this user-facing interface that claim the gateway address 10.1.1.1 as sender are discarded
Configuring gratuitous ARP sending
<HUAWEI> system-view
[HUAWEI] arp gratuitous-arp send enable //enable sending of gratuitous ARP packets
[HUAWEI] arp gratuitous-arp send interval 60 //set the interval (seconds) between gratuitous ARP packets (the original comment said "enable" the interval; this sets its value)
Configuring MAC address consistency checking in ARP packets
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp validate source-mac destination-mac //enable MAC consistency checking: the Ethernet source/destination MACs must match the sender/target MACs inside the ARP payload
Configuring ARP packet validity checking
<HUAWEI> system-view
[HUAWEI] arp anti-attack packet-check ip dst-mac sender-mac //enable validity checking: drop ARP packets with invalid IP addresses, a destination MAC that does not match the target MAC, or a source MAC that does not match the sender MAC
Configuring DHCP-triggered ARP learning
<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp learning dhcp-trigger //enable DHCP-triggered ARP learning: ARP entries are created from DHCP snooping bindings when a DHCP user goes online
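The steps above are a checklist, and the usual way they fail in practice is silently: a cpu-defend policy that is defined but never applied, a blacklist or whitelist that points at an ACL nobody created, or an access port that never received arp-limit. The following audit script, an added example written for this page and not Huawei code, parses a `display current-configuration` dump and reports those gaps for the CPU defense and ARP hardening sections together. It assumes the usual VRP text layout (unindented top-level commands, view sub-commands indented by one space, views separated by `#`), assumes the policy is applied with `cpu-defend-policy <name> global`, and runs against a constructed sample configuration rather than output captured from a real device.

```python
"""Audit a Huawei VRP running config for the CPU-defend and ARP hardening
commands listed on this page. Added example, not Huawei code."""
import re
from typing import Dict, List, Tuple

# Constructed sample of `display current-configuration` output (not from a
# real device). It deliberately leaves the policy unapplied, references an
# undefined ACL 2002, and gives GigabitEthernet0/0/2 no arp-limit.
SAMPLE_CONFIG = """\
#
acl number 2001
 rule 5 permit source 10.1.1.0 0.0.0.255
#
cpu-defend policy test
 car packet-type http cir 120
 deny packet-type icmp
 blacklist 1 acl 2002
 auto-defend enable
 auto-defend alarm enable
 auto-defend whitelist 1 acl 2001
 auto-defend action deny
 auto-port-defend enable
#
cpu-defend application-apperceive enable
cpu-defend host-car enable
arp anti-attack rate-limit enable
arp-miss anti-attack rate-limit enable
arp learning strict
arp anti-attack entry-check fixed-mac enable
arp anti-attack gateway-duplicate enable
arp gratuitous-arp send enable
arp optimized-reply disable
#
interface GigabitEthernet0/0/1
 arp-limit maximum 20
 arp validate source-mac destination-mac
#
interface GigabitEthernet0/0/2
 description uplink
#
interface Vlanif10
 arp learning dhcp-trigger
#
return
"""

# System-view commands this page's hardening steps expect (exact strings).
GLOBAL_REQUIRED = (
    "cpu-defend application-apperceive enable",
    "cpu-defend host-car enable",
    "arp anti-attack rate-limit enable",
    "arp-miss anti-attack rate-limit enable",
    "arp learning strict",
    "arp anti-attack entry-check fixed-mac enable",
    "arp anti-attack gateway-duplicate enable",
    "arp gratuitous-arp send enable",
)
# Sub-commands expected inside every cpu-defend policy view.
POLICY_REQUIRED = ("auto-defend enable", "auto-defend alarm enable", "auto-port-defend enable")
ACL_REF = re.compile(r"(?:blacklist|auto-defend whitelist|auto-port-defend whitelist) \d+ acl (\S+)")


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split VRP config text into top-level commands and {view header: sub-commands}."""
    top: List[str] = []
    views: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":   # '#' closes the current view
            current = None
            continue
        if raw.startswith(" "):                       # indented: belongs to the open view
            if current is not None:
                views[current].append(raw.strip())
            continue
        line = raw.strip()
        if line == "return":
            continue
        top.append(line)
        current = line                                # any top-level line may open a view
        views.setdefault(current, [])
    return top, views


def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    top, views = parse_config(text)
    findings = [f"missing global: {cmd}" for cmd in GLOBAL_REQUIRED if cmd not in top]
    acls = {h.split()[-1] for h in views if h.startswith("acl number ")}
    # 'cpu-defend policy X' defines; 'cpu-defend-policy X global' applies (assumed form).
    applied = {l.split()[1] for l in top if l.startswith("cpu-defend-policy ")}
    policies = {h.split()[-1]: v for h, v in views.items() if h.startswith("cpu-defend policy ")}
    if not policies:
        findings.append("no cpu-defend policy defined")
    for name, subs in policies.items():
        findings += [f"policy {name}: missing {cmd}" for cmd in POLICY_REQUIRED if cmd not in subs]
        if name not in applied:
            findings.append(f"policy {name}: defined but never applied (expected 'cpu-defend-policy {name} global')")
        for sub in subs:                              # dangling ACL references silently match nothing
            m = ACL_REF.match(sub)
            if m and m.group(1) not in acls:
                findings.append(f"policy {name}: '{sub}' references undefined ACL {m.group(1)}")
    for header, subs in views.items():                # physical ports should cap dynamic ARP entries
        if header.startswith("interface GigabitEthernet") and not any(s.startswith("arp-limit maximum ") for s in subs):
            findings.append(f"{header}: no arp-limit maximum")
    if "arp optimized-reply disable" in top:          # this command turns the feature OFF
        findings.append("arp optimized-reply is disabled by this config; confirm that is intended")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the saved output of `display current-configuration` instead of the sample and every finding maps back to one of the sections above; an empty result means the listed commands are present, the policy is applied, and every ACL it references exists.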
Copyright notice:
Unless otherwise stated, all articles on this site are licensed under CC BY-NC-SA 4.0. When reposting, please credit
曹少卿的Blog!