Overview
The blacklist function of CPU attack defense, rather than a traffic policy, is recommended for restricting user access to an S series switch, for the following reason: the Control Plane Committed Access Rate (CPCAR) function is enabled on S series switches by default, and on some switches CPCAR takes precedence over traffic policies. On those switches a traffic policy cannot discard packets that are sent to the switch's CPU, so users can still access the switch even though the policy denies their traffic.
This document describes the symptom of a traffic policy failing to restrict user access, analyzes the cause, and provides a solution.
Symptoms
Scenario: Prohibiting PCs from Accessing an S Series Switch
As shown in Figure 1-1, PC1 and PC2 are added to VLAN 10, and PC3 and PC4 are added to VLAN 20; Layer 2 switches are connected to SwitchA for Layer 2 transparent transmission, and VLANIF 10 and VLANIF 20 are configured on SwitchA. All terminals can communicate with each other.
Figure 1-1 Prohibiting PCs from accessing an S series switch
It is required that PC1 can access all terminals (such as PC2) in VLAN 10 but cannot access terminals (such as PC3 and PC4) in other VLANs or switches (such as SwitchA).
After a traffic policy is configured on SwitchA as follows, terminals in VLAN 10 cannot access terminals in VLAN 20, but can ping SwitchA, failing to meet the requirement.
#
acl number 3001
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.10.3 0
#
traffic classifier c1 operator or precedence 5
 if-match acl 3001
#
traffic behavior b1
 deny
#
traffic policy p1 match-order config
 classifier c1 behavior b1
#
interface GE0/0/1
 traffic-policy p1 inbound
#
Cause Analysis
When a user accesses the switch itself (for example, pings it), the PC sends a packet whose destination IP address is an address of the switch. The switch sends such packets to its CPU for processing and, by default, rate-limits them with the CPCAR function.
In the preceding example, the packets that match rule 10 of ACL 3001 (destination 192.168.10.3, evidently SwitchA's own address) are sent to the CPU and rate-limited by CPCAR, while traffic policy p1 requires that the same packets be denied. The deny action of p1 therefore conflicts with the CPCAR rate-limiting action. Packets that match rule 5 are forwarded between VLANs in hardware, which is why p1 denies them as expected.
When a packet sent to the CPU also matches a traffic classification rule in a traffic policy, only the function with the higher priority takes effect. On switches where CPCAR has a higher priority than the traffic policy, the packets still reach the CPU and the problem described in the preceding scenario occurs: the PC can still ping the switch.
Solution
To prevent the traffic policy from failing to take effect because of this conflict, configure the blacklist function of CPU attack defense to restrict user access to the switch. The blacklist is defined flexibly through an ACL.
Both the blacklist and CPCAR belong to the CPU attack defense feature. CPCAR is enabled by default; if a blacklist is also configured, the switch first rate-limits packets sent to the CPU according to the CPCAR value, then checks whether the packets match the blacklist, and discards those that do.
Note that the blacklist, like CPCAR, applies only to packets sent to the CPU. It does not affect traffic that the switch forwards in hardware, so the traffic policy is still what prevents PC1 from reaching VLAN 20; the blacklist is added to stop PC1 from reaching SwitchA itself. To solve the problem that the PC can still ping the switch, configure the blacklist as follows.
Scenario: Prohibiting PCs from Accessing an S Series Switch
Figure 1-3 Prohibiting PCs from accessing an S series switch
The topology and requirement are the same as in the symptom description: PC1 and PC2 are in VLAN 10, PC3 and PC4 are in VLAN 20, Layer 2 switches connect to SwitchA for Layer 2 transparent transmission, VLANIF 10 and VLANIF 20 are configured on SwitchA, and all terminals can initially communicate with each other. PC1 must be able to access all terminals (such as PC2) in VLAN 10 but not terminals (such as PC3 and PC4) in other VLANs or switches (such as SwitchA). To achieve this, configure SwitchA as follows:
#
acl number 3001
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.10.3 0
#
cpu-defend policy test
 blacklist 1 acl 3001
#
cpu-defend-policy test global
#
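The following Python model is an added illustration, not part of this TechNote or of Huawei's software. It parses ACL 3001 from the configuration above (VRP wildcard masks, including the "0" host shorthand in rule 10) and walks PC1's packets through the two paths described in the cause analysis and the solution: packets addressed to the switch go to the CPU, where CPCAR outranks the traffic policy and only the cpu-defend blacklist can discard them; everything else is forwarded in hardware, where the traffic policy's deny applies and the blacklist is never consulted. The host addresses of PC1, PC2 and PC3, the second switch address 192.168.20.3, and the treatment of 192.168.10.3 as SwitchA's address are constructed assumptions; the precedence of CPCAR over the traffic policy is the behaviour the TechNote describes, not a fact the code verifies. Running it with the three feature sets shows why the traffic policy alone leaves SwitchA reachable, why the blacklist alone leaves VLAN 20 reachable, and why the two are needed together.

```python
"""Packet-path model for the TechNote's scenario (added example, not Huawei code).

Assumptions, all constructed for this example: the /32 destination in ACL rule 10,
192.168.10.3, is SwitchA's VLANIF 10 address (192.168.20.3 is assumed for VLANIF 20);
CPCAR takes precedence over the traffic policy for packets sent to the CPU, as the
TechNote describes; traffic not addressed to the switch is forwarded in hardware,
where the traffic policy's deny action applies; the blacklist sees CPU-bound packets only.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# ACL 3001 exactly as it appears in the TechNote's configuration.
ACL_3001 = """
acl number 3001
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.10.3 0
"""

# Constructed: SwitchA's own interface addresses (VLANIF 10 and VLANIF 20).
SWITCH_ADDRS = {"192.168.10.3", "192.168.20.3"}

RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+ip\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)"
)


@dataclass(frozen=True)
class AclRule:
    number: int
    action: str
    src: int
    src_wc: int
    dst: int
    dst_wc: int


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _wildcard(text: str) -> int:
    # VRP accepts the shorthand "0" for the host wildcard 0.0.0.0 (rule 10 above uses it).
    return 0 if text == "0" else _ip(text)


def parse_acl(config: str) -> List[AclRule]:
    """Parse 'rule N permit ip source A WC destination B WC' lines, ordered by rule number."""
    rules = [AclRule(int(n), act, _ip(s), _wildcard(swc), _ip(d), _wildcard(dwc))
             for n, act, s, swc, d, dwc in RULE_RE.findall(config)]
    return sorted(rules, key=lambda r: r.number)


def _wildcard_match(addr: int, base: int, wildcard: int) -> bool:
    # VRP wildcard masks: a 1 bit means "don't care", so 0.0.0.255 is a /24 and 0 is one host.
    return (addr & ~wildcard) == (base & ~wildcard)


def acl_lookup(rules: List[AclRule], src: str, dst: str) -> Optional[AclRule]:
    """First rule (by number) whose source and destination wildcards both match, else None."""
    for r in rules:
        if _wildcard_match(_ip(src), r.src, r.src_wc) and _wildcard_match(_ip(dst), r.dst, r.dst_wc):
            return r
    return None


def switch_verdict(rules: List[AclRule], src: str, dst: str, features: Set[str]) -> str:
    """Outcome for one packet given the features enabled on SwitchA.

    features is a subset of {"traffic_policy", "blacklist"}; both reference ACL 3001,
    and as on the page the ACL has only permit rules, so a permit hit means "matched".
    """
    hit = acl_lookup(rules, src, dst)
    matched = hit is not None and hit.action == "permit"

    if dst in SWITCH_ADDRS:
        # Addressed to the switch itself: sent to the CPU. CPCAR is always on and
        # outranks the traffic policy, so only the blacklist can actually discard it.
        if matched and "blacklist" in features:
            return "discarded by cpu-defend blacklist"
        return "sent to CPU, rate-limited by CPCAR (switch still reachable)"

    # Any other packet is forwarded in hardware: the traffic policy's deny applies here,
    # and the blacklist, which only inspects CPU-bound traffic, is never consulted.
    if matched and "traffic_policy" in features:
        return "discarded by traffic policy p1"
    return "forwarded"


def scenario_table(features: Set[str]) -> Dict[str, str]:
    """PC1's reachability to PC2 (VLAN 10), PC3 (VLAN 20) and SwitchA under a feature set."""
    rules = parse_acl(ACL_3001)
    pc1 = "192.168.10.1"  # constructed host addresses
    targets = {"PC2": "192.168.10.2", "PC3": "192.168.20.1", "SwitchA": "192.168.10.3"}
    return {name: switch_verdict(rules, pc1, ip, features) for name, ip in targets.items()}


if __name__ == "__main__":
    for label, feats in [("traffic policy only", {"traffic_policy"}),
                         ("blacklist only", {"blacklist"}),
                         ("traffic policy + blacklist", {"traffic_policy", "blacklist"})]:
        print(f"== {label} ==")
        for target, verdict in scenario_table(feats).items():
            print(f"  PC1 -> {target}: {verdict}")
```

The model deliberately keeps the CPCAR-versus-policy precedence as a fixed rule rather than a tunable, because that is the platform behaviour the TechNote reports; on a switch where the traffic policy outranks CPCAR the first branch would change and the original configuration would have worked.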
For more scenarios and details, see the complete TechNote.