Use the IP source trail function on S series switches to quickly locate attack sources

S series fixed switches do not support this function. S series modular switches provide the ip source-trail command that enables the source IP address tracing function for the specified IP addresses. After this command is executed on a switch, the switch records statistics on the traffic destined for the specified addresses. A maximum of 32 IP addresses can be configured in the command.
For example, suppose abnormal traffic is detected on the host with IP address 10.0.0.1. You can enable the source IP address tracing function for 10.0.0.1, check the statistics on the traffic destined for the host, and quickly locate the attack source. The configuration is as follows:
[HUAWEI] ip source-trail ip-address 10.0.0.1
[HUAWEI] display ip source-trail ip-address 10.0.0.1
Destination Address: 10.0.0.1
SrcAddr      SrcIF        Bytes       Pkts        Bits/s      Pkts/s
-----------------------------------------------------------------------------------
10.1.0.2     GE3/0/23     85.971M     60.234K     1.356M      121
10.1.0.3     GE3/0/23     15.462M     10.852K     203.984K    17
10.1.0.4     GE3/0/23     14.785M     10.577K     204.601K    18
10.1.0.5     GE3/0/23     3.432M      6.557K      118.164K    28
10.1.0.6     GE3/0/23     2.541M      4.600K      34.257K     7
The statistics on the traffic destined for the host with IP address 10.0.0.1 show that the source IP address 10.1.0.2 has sent heavy traffic to the host, so the host with IP address 10.1.0.2 is located as the attack source. You can then configure an ACL on the switch to block the traffic from 10.1.0.2 to 10.0.0.1.
