Security deployment

Created: Jan 21, 2020 04:05:18 | Latest reply: Jan 21, 2020 04:10:17
  Rewarded HiCoins: 0 (problem resolved)

Hello team,

Can you give me some advice on the security deployment of the S switch? 

Thank you very much!

Featured Answers
Popeye_Wang
Admin Created Jan 21, 2020 04:10:17

Hi Sprout,

The following are some common configuration examples for your reference.

1. MAC security deployment (deployed at the access layer)

[interface view] port-security enable   // Change learned MAC addresses to secure dynamic MAC addresses.
[interface view] port-security max-mac-num 1    // Configure the maximum number of secure MAC addresses learned on the interface.
[interface view] port-security mac-address sticky   // Convert secure dynamic MAC addresses into sticky MAC addresses so that they are not lost after the board restarts.

2. Configure attack source tracing

[Quidway] cpu-defend policy test
[Quidway-cpu-defend-policy-test] car packet-type arp-request cir 256 cbs 48128   // Set this parameter based on the site requirements.
[Quidway-cpu-defend-policy-test] car packet-type arp-reply cir 256 cbs 48128
[Quidway-cpu-defend-policy-test] deny packet-type ttl-expired   // Discard packets with a TTL of 1 sent to the CPU.
[Quidway-cpu-defend-policy-test] auto-defend enable
[Quidway-cpu-defend-policy-test] auto-defend threshold 60
[Quidway-cpu-defend-policy-test] auto-defend alarm enable
[Quidway-cpu-defend-policy-test] undo auto-defend trace-type source-portvlan
[Quidway-cpu-defend-policy-test] auto-defend action deny
[Quidway-cpu-defend-policy-test] auto-defend whitelist 1 acl/interface    // Prevent legitimate traffic from being punished.
[Quidway-cpu-defend-policy-test] auto-port-defend whitelist 1 acl/interface    // Prevent legitimate traffic from being punished.
[Quidway-cpu-defend-policy-test] auto-defend action deny timer 10
[Quidway] cpu-defend-policy test global    // Apply the policy to the LPUs.
[Quidway] cpu-defend-policy test    // Apply the policy to the control board.

3. ARP security

ARP security functions include anti-ARP spoofing, anti-ARP gateway conflict attack, ARP packet suppression, and ARP Miss suppression.

[Quidway] arp anti-attack entry-check fixed-mac enable
[Quidway] arp anti-attack gateway-duplicate enable
[Quidway] arp-miss speed-limit source-ip maximum 20
[Quidway] arp-miss speed-limit source-mac maximum 20
[vlanif view] arp-fake expire-time 10     // Set the timeout period of temporary ARP entries on the interface to 10 seconds.
[interface view] arp validate source-mac destination-mac     // Enable ARP packet validity check.

4. Enable defense against malformed packet attacks

[Quidway] anti-attack abnormal enable

5. Enable defense against packet fragment attacks

[Quidway] anti-attack fragment enable


Any further questions, let us know!
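The answer above lists hardening commands but not how to check that a switch actually carries them. The following script is an added example, not part of the original post or of any Huawei tool: it parses a `display current-configuration`-style dump (a constructed sample is embedded, not a real device output) into sections and reports which of the items from sections 1 to 5 are missing, per access interface, per cpu-defend policy and globally. It assumes VRP's layout of one-space indentation under non-indented section headers and `#` separators, and the `port-security mac-address sticky` keyword.

```python
from typing import Dict, List

# Constructed sample config (not a real device dump): GE0/0/1 follows the
# answer, GE0/0/2 only half-way, and three global ARP/anti-attack items are absent.
SAMPLE_CONFIG = """\
#
sysname Quidway
#
 arp anti-attack entry-check fixed-mac enable
 arp-miss speed-limit source-ip maximum 20
 anti-attack abnormal enable
#
cpu-defend policy test
 car packet-type arp-request cir 256 cbs 48128
 auto-defend enable
 auto-defend threshold 60
 auto-defend action deny
#
cpu-defend-policy test global
#
interface GigabitEthernet0/0/1
 port link-type access
 port-security enable
 port-security max-mac-num 1
 port-security mac-address sticky
 arp validate source-mac destination-mac
#
interface GigabitEthernet0/0/2
 port link-type access
 port-security enable
#
interface GigabitEthernet0/0/24
 port link-type trunk
#
return
"""

# Command prefixes expected in each scope, taken from the answer's sections 1-5.
GLOBAL_REQUIRED = [
    "arp anti-attack entry-check fixed-mac enable",
    "arp anti-attack gateway-duplicate enable",
    "arp-miss speed-limit source-ip maximum",
    "arp-miss speed-limit source-mac maximum",
    "anti-attack abnormal enable",
    "anti-attack fragment enable",
]
ACCESS_PORT_REQUIRED = [
    "port-security enable",
    "port-security max-mac-num",
    "port-security mac-address sticky",
    "arp validate",
]
POLICY_REQUIRED = ["auto-defend enable", "auto-defend action deny"]


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Split a VRP-style config into {section header: [sub-commands]}.

    A non-indented line (e.g. 'interface GigabitEthernet0/0/1') opens a
    section; indented lines belong to it. Indented lines that follow a '#'
    separator with no header are global (system view) commands.
    """
    sections: Dict[str, List[str]] = {"__global__": []}
    current = "__global__"
    for raw in config.splitlines():
        if raw.strip() in ("#", "", "return"):
            current = "__global__"
            continue
        if raw.startswith(" "):
            sections.setdefault(current, []).append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def has(cmds: List[str], prefix: str) -> bool:
    return any(c.startswith(prefix) for c in cmds)


def audit(config: str) -> List[str]:
    """Return one finding per missing hardening item; empty list means compliant."""
    sections = parse_sections(config)
    findings: List[str] = []
    for req in GLOBAL_REQUIRED:
        if not has(sections["__global__"], req):
            findings.append(f"global: missing '{req}'")
    # 'cpu-defend policy NAME' defines a policy; 'cpu-defend-policy NAME [global]' applies it.
    policies = {k.split()[-1]: v for k, v in sections.items() if k.startswith("cpu-defend policy ")}
    applied = {k.split()[1] for k in sections if k.startswith("cpu-defend-policy ")}
    if not policies:
        findings.append("global: no cpu-defend policy defined")
    for name, cmds in policies.items():
        for req in POLICY_REQUIRED:
            if not has(cmds, req):
                findings.append(f"cpu-defend policy {name}: missing '{req}'")
        if name not in applied:
            findings.append(f"cpu-defend policy {name}: defined but never applied")
    # Port security and ARP validation are only expected on access ports; trunks are skipped.
    for hdr, cmds in sections.items():
        if hdr.startswith("interface ") and "port link-type access" in cmds:
            for req in ACCESS_PORT_REQUIRED:
                if not has(cmds, req):
                    findings.append(f"{hdr}: missing '{req}'")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```

Run it against a saved configuration dump instead of the sample by passing the file contents to `audit()`; each finding names the scope (global, policy or interface) so the gap can be mapped back to the numbered section of the answer it comes from. Thresholds such as `max-mac-num 1` or the CAR values are site-specific, so the checks only confirm that the command is present, not its value.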