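Login security
Configuring AAA authentication for login is sufficient.

Local attack defense
Configure attack source tracing and apply defense.

Attack defense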
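- TCP SYN flood attack defense
[HUAWEIDGHWFutureMatrix] anti-attack fragment car cir 8000 // rate limit for fragmented packets
- UDP flood attack defense
[HUAWEIDGHWFutureMatrix] anti-attack tcp-syn car cir 8000 // rate limit for TCP SYN packets
- ICMP flood attack defense
[HUAWEIDGHWFutureMatrix] anti-attack udp-flood enable // enables UDP flood attack defense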

Traffic suppression / storm control
- Traffic suppression
<HUAWEIDGHWFutureMatrix> system-view
[HUAWEIDGHWFutureMatrix] interface gigabitethernet 1/0/1
[HUAWEIDGHWFutureMatrix-GigabitEthernet1/0/1] broadcast-suppression 30
[HUAWEIDGHWFutureMatrix-GigabitEthernet1/0/1] multicast-suppression 30
[HUAWEIDGHWFutureMatrix-GigabitEthernet1/0/1] unicast-suppression 30
[HUAWEIDGHWFutureMatrix-GigabitEthernet1/0/1] quit
- Storm control
<HUAWEIDGHWFutureMatrix> system-view
[HUAWEIDGHWFutureMatrix] interface gigabitethernet 1/0/1
[HUAWEIDGHWFutureMatrix-GigabitEthernet1/0/1] storm-control broadcast min-rate 5000 max-rate 8000
[HUAWEIDGHWFutureMatrix-GigabitEthernet1/0/1] storm-control action error-down
[HUAWEIDGHWFutureMatrix-GigabitEthernet1/0/1] storm-control enable trap

ARP security
- ARP entry fixing
<HUAWEIDGHWFutureMatrix> system-view
[HUAWEIDGHWFutureMatrix] arp anti-attack entry-check fixed-all enable // Can be configured globally or on a VLANIF interface; choose as needed
- Defense against gateway attacks
<HUAWEIDGHWFutureMatrix> system-view
[HUAWEIDGHWFutureMatrix] arp anti-attack gateway-duplicate enable
- Sending gratuitous ARP packets
<HUAWEIDGHWFutureMatrix> system-view
[HUAWEIDGHWFutureMatrix] interface vlanif 10
[HUAWEIDGHWFutureMatrix-Vlanif10] arp gratuitous-arp send enable // Can be configured globally or on a VLANIF interface; choose as needed
- ARP packet validity check
<HUAWEIDGHWFutureMatrix> system-view
[HUAWEIDGHWFutureMatrix] arp anti-attack packet-check sender-mac
- Configure the maximum number of ARP entries that a specified interface can learn.
<HUAWEIDGHWFutureMatrix> system-view
[HUAWEIDGHWFutureMatrix] interface vlanif 100
[HUAWEIDGHWFutureMatrix-Vlanif100] arp-limit maximum 20
- ARP rate limiting
<HUAWEIDGHWFutureMatrix> system-view
[HUAWEIDGHWFutureMatrix] arp speed-limit source-ip maximum 50
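
An added example, not part of the original page or of any vendor tooling: a Python audit that checks a saved configuration for the hardening commands listed above and reports which are missing in each scope. It assumes the saved-configuration layout (global lines at column 0, interface stanzas indented by one space and separated by `#`); the sample configuration and the function names are constructed for illustration.

```python
import re

# Hardening commands from this page, matched by prefix so any value is accepted.
GLOBAL_REQUIRED = ["anti-attack fragment car cir", "anti-attack tcp-syn car cir",
                   "anti-attack udp-flood enable",
                   "arp anti-attack gateway-duplicate enable",
                   "arp anti-attack packet-check sender-mac",
                   "arp speed-limit source-ip maximum"]
PORT_REQUIRED = ["broadcast-suppression", "multicast-suppression", "unicast-suppression"]
# The page notes this one may be set globally or per VLANIF interface.
GLOBAL_OR_VLANIF = ["arp anti-attack entry-check fixed-all enable"]

def parse_config(text):
    """Split a saved configuration into global lines and per-interface stanzas."""
    glob, ifaces, current = [], {}, None
    for raw in text.splitlines():
        m = re.match(r"interface (\S+)", raw)
        if m:
            current = ifaces.setdefault(m.group(1), [])
        elif not raw.strip() or raw.startswith("#"):
            current = None                      # '#' ends the current stanza
        elif current is not None and raw.startswith(" "):
            current.append(raw.strip())         # indented line inside a stanza
        else:
            current = None
            glob.append(raw.strip())
    return glob, ifaces

def audit(text):
    """Return (scope, missing command prefix) pairs."""
    glob, ifaces = parse_config(text)
    has = lambda lines, cmd: any(l.startswith(cmd) for l in lines)
    findings = [("global", c) for c in GLOBAL_REQUIRED if not has(glob, c)]
    for name, lines in ifaces.items():
        wanted = []
        if name.lower().startswith("vlanif"):   # only needed when not set globally
            wanted = [c for c in GLOBAL_OR_VLANIF if not has(glob, c)]
        elif "ethernet" in name.lower():
            wanted = PORT_REQUIRED
        findings += [(name, c) for c in wanted if not has(lines, c)]
    return findings

# Constructed sample, not output from a real device.
SAMPLE = "\n".join([
    "anti-attack tcp-syn car cir 8000", "anti-attack udp-flood enable",
    "arp anti-attack gateway-duplicate enable", "arp speed-limit source-ip maximum 50",
    "#", "interface Vlanif100", " arp-limit maximum 20",
    "#", "interface GigabitEthernet1/0/1", " broadcast-suppression 30"])
```

Calling `audit(SAMPLE)` returns the missing items as `(scope, command)` pairs, which can feed a compliance report or a CI check on exported configurations.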