Essential security configuration for Huawei switches

Login security

Configuring AAA authentication for login is enough. The commands below apply it to the console line; the VTY user interfaces used by Telnet and SSH need the same authentication-mode aaa setting, otherwise remote logins are not covered. Telnet carries the credentials in cleartext, so on a device that supports it prefer SSH and do not grant the user the telnet service type.

<HUAWEIDGHWFutureMatrix> system-view
[HUAWEIDGHWFutureMatrix] user-interface console 0
[HUAWEIDGHWFutureMatrix-ui-console0] authentication-mode aaa
[HUAWEIDGHWFutureMatrix-ui-console0] quit
[HUAWEIDGHWFutureMatrix] aaa
[HUAWEIDGHWFutureMatrix-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789
[HUAWEIDGHWFutureMatrix-aaa] local-user admin1234 service-type terminal telnet  // terminal = console, telnet = Telnet

Local attack defense (CPU defend)

Rate-limit the packet types the CPU must process and drop the ones it should not see at all. cir is in kbit/s, so ICMP bound for the CPU is capped at 64 kbit/s. Denying ttl-expired packets means the switch no longer answers them with ICMP Time Exceeded, so a traceroute through it shows that hop as *; keep that in mind before troubleshooting.

<HUAWEIDGHWFutureMatrix> system-view
[HUAWEIDGHWFutureMatrix] cpu-defend policy 1
[HUAWEIDGHWFutureMatrix-cpu-defend-policy-1] car packet-type icmp cir 64
[HUAWEIDGHWFutureMatrix-cpu-defend-policy-1] deny packet-type ttl-expired
[HUAWEIDGHWFutureMatrix-cpu-defend-policy-1] quit
[HUAWEIDGHWFutureMatrix] cpu-defend-policy 1 global  // apply the policy on all boards (all members of a stack)
[HUAWEIDGHWFutureMatrix] cpu-defend-policy 1  // apply the policy on the main control board

Configure attack source tracing and act on it

Attack source tracing (auto-defend) extends the same policy. Packets sent to the CPU are sampled (here one in every 5), counted per source, and a source that exceeds the threshold (50 packets per second) is treated as an attacker. trace-type selects the keys that identify a source: source IP, source MAC, or inbound port plus VLAN. Restricting the protocol list to ARP traces ARP only; without that line the default protocol set is traced. The deny action discards packets from the identified source for 300 seconds, and the whitelist excludes an interface (typically an uplink, where many legitimate sources aggregate) from tracing so that it can never be punished.

<HUAWEIDGHWFutureMatrix> system-view
[HUAWEIDGHWFutureMatrix] cpu-defend policy 1
[HUAWEIDGHWFutureMatrix-cpu-defend-policy-1] auto-defend enable
[HUAWEIDGHWFutureMatrix-cpu-defend-policy-1] auto-defend attack-packet sample 5
[HUAWEIDGHWFutureMatrix-cpu-defend-policy-1] auto-defend threshold 50
[HUAWEIDGHWFutureMatrix-cpu-defend-policy-1] auto-defend trace-type source-ip source-mac source-portvlan
[HUAWEIDGHWFutureMatrix-cpu-defend-policy-1] auto-defend protocol arp
[HUAWEIDGHWFutureMatrix-cpu-defend-policy-1] auto-defend action deny timer 300
[HUAWEIDGHWFutureMatrix-cpu-defend-policy-1] auto-defend whitelist 1 interface gigabitethernet 1/0/0
[HUAWEIDGHWFutureMatrix-cpu-defend-policy-1] quit
[HUAWEIDGHWFutureMatrix] cpu-defend-policy 1 global
[HUAWEIDGHWFutureMatrix] cpu-defend-policy 1

Attack defense (anti-attack)

Each anti-attack command is keyed to one packet type, so the fragment, tcp-syn and udp-flood keywords below must match the attack each bullet is meant to stop. cir is in kbit/s.

<HUAWEIDGHWFutureMatrix> system-view
[HUAWEIDGHWFutureMatrix] anti-attack fragment enable

  • IP fragment attack defense: rate-limit fragments sent to the CPU

    [HUAWEIDGHWFutureMatrix] anti-attack fragment car cir 8000

  • TCP SYN flood defense (the CAR only takes effect when the tcp-syn defense itself is enabled)

    [HUAWEIDGHWFutureMatrix] anti-attack tcp-syn car cir 8000

  • UDP flood defense

    [HUAWEIDGHWFutureMatrix] anti-attack udp-flood enable

ICMP flood defense is configured the same way with the icmp-flood keyword (an enable command plus a CAR). Confirm that the defenses are counting with display anti-attack statistics.

Traffic suppression / storm control

  • Traffic suppression

    The values are percentages of the interface bandwidth: broadcast, multicast and unknown unicast exceeding 30% of line rate are dropped on that port.

    <HUAWEIDGHWFutureMatrix> system-view
    [HUAWEIDGHWFutureMatrix] interface gigabitethernet 1/0/1
    [HUAWEIDGHWFutureMatrix-GigabitEthernet1/0/1] broadcast-suppression 30
    [HUAWEIDGHWFutureMatrix-GigabitEthernet1/0/1] multicast-suppression 30
    [HUAWEIDGHWFutureMatrix-GigabitEthernet1/0/1] unicast-suppression 30
    [HUAWEIDGHWFutureMatrix-GigabitEthernet1/0/1] quit

  • Storm control

    Rates are in packets per second. Broadcast above max-rate (8000 pps) triggers the action. With the block action the port forwards that traffic again once the rate falls below min-rate (5000 pps); with error-down the port is shut, which also takes down the legitimate traffic on it, and it stays down until an administrator recovers it or error-down auto-recovery is configured for the storm-control cause. Keep the trap so the event reaches monitoring.

    <HUAWEIDGHWFutureMatrix> system-view
    [HUAWEIDGHWFutureMatrix] interface gigabitethernet 1/0/1
    [HUAWEIDGHWFutureMatrix-GigabitEthernet1/0/1] storm-control broadcast min-rate 5000 max-rate 8000
    [HUAWEIDGHWFutureMatrix-GigabitEthernet1/0/1] storm-control action error-down
    [HUAWEIDGHWFutureMatrix-GigabitEthernet1/0/1] storm-control enable trap

ARP security

  • ARP entry fixing

    Once an entry is learned, an ARP packet carrying a different MAC for the same IP cannot overwrite it, which defeats the usual spoofing of the gateway's ARP table. fixed-all is the strictest mode: it also rejects legitimate changes (a host that moves port or gets a new NIC) until the entry ages out; fixed-mac and send-ack are the less strict variants.

    <HUAWEIDGHWFutureMatrix> system-view
    [HUAWEIDGHWFutureMatrix] arp anti-attack entry-check fixed-all enable  // can be configured globally or under a VLANIF interface; choose as needed

  • Gateway anti-collision

    Drops ARP packets whose sender IP is the switch's own gateway address but whose sender MAC is not the switch's, i.e. a host impersonating the gateway.

    <HUAWEIDGHWFutureMatrix> system-view
    [HUAWEIDGHWFutureMatrix] arp anti-attack gateway-duplicate enable

  • Gratuitous ARP sending

    The switch periodically announces its own IP/MAC pairs, so hosts whose ARP cache was poisoned converge back to the real gateway.

    <HUAWEIDGHWFutureMatrix> system-view
    [HUAWEIDGHWFutureMatrix] interface vlanif 10
    [HUAWEIDGHWFutureMatrix-Vlanif10] arp gratuitous-arp send enable  // can be configured globally or under a VLANIF interface; choose as needed

  • ARP packet validity check

    Drops ARP packets whose sender MAC in the ARP payload does not match the source MAC of the Ethernet frame.

    <HUAWEIDGHWFutureMatrix> system-view
    [HUAWEIDGHWFutureMatrix] arp anti-attack packet-check sender-mac

  • Limit the number of ARP entries an interface can learn

    Size the limit to the number of hosts expected in the VLAN; 20 only suits a very small segment.

    <HUAWEIDGHWFutureMatrix> system-view
    [HUAWEIDGHWFutureMatrix] interface vlanif 100
    [HUAWEIDGHWFutureMatrix-Vlanif100] arp-limit maximum 20

  • ARP rate limiting

    Limits ARP packets from any single source IP to 50 per second, so one scanning or spoofing host cannot exhaust the CPU's ARP processing.

    <HUAWEIDGHWFutureMatrix> system-view
    [HUAWEIDGHWFutureMatrix] arp speed-limit source-ip maximum 50
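As an added example (not part of the original page, and not a Huawei tool), the Python script below audits a saved copy of display current-configuration for the settings covered in all the sections above: AAA on every user interface, no telnet service type, an applied cpu-defend policy with the ICMP CAR, ttl-expired deny and auto-defend, the global anti-attack and ARP security commands, and broadcast storm control or suppression on every physical port. The embedded configuration is constructed for the demo; the user name, interface names and policy name are assumptions, as is the block-and-indentation layout the parser relies on, so compare it with a dump from your own model before trusting the results.

```python
import re

# Constructed sample of 'display current-configuration' output (not from a
# real device; user, interface and policy names are assumed). It applies most
# of the page's settings but deliberately leaves two gaps: the VTY lines still
# use password authentication and GigabitEthernet1/0/2 has no storm control.
SAMPLE_CONFIG = """\
#
 anti-attack fragment enable
 anti-attack fragment car cir 8000
 anti-attack tcp-syn car cir 8000
 anti-attack udp-flood enable
 arp anti-attack gateway-duplicate enable
 arp anti-attack packet-check sender-mac
 arp speed-limit source-ip maximum 50
#
cpu-defend policy 1
 car packet-type icmp cir 64
 deny packet-type ttl-expired
 auto-defend enable
#
 cpu-defend-policy 1 global
 cpu-defend-policy 1
#
aaa
 local-user admin1234 password irreversible-cipher %^%#PLACEHOLDER%^%#
 local-user admin1234 service-type terminal telnet
#
interface GigabitEthernet1/0/1
 storm-control broadcast min-rate 5000 max-rate 8000
 storm-control action error-down
#
interface GigabitEthernet1/0/2
 port link-type access
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode password
#
return
"""


def parse_vrp(text):
    """Split VRP config text into (system_lines, {view_header: [lines]}).
    Assumed layout: '#' separates blocks; view headers (aaa, interface X,
    user-interface X, cpu-defend policy X) are unindented with their
    sub-commands indented one space; global commands are indented too but
    sit directly under a '#' with no header, so they go to system view."""
    system, views, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            current = None
        elif raw[0] != " ":
            current = line
            views.setdefault(current, [])
        elif current is not None:
            views[current].append(line)
        else:
            system.append(line)
    return system, views


def has(lines, prefix):
    return any(l.startswith(prefix) for l in lines)


PHYS_PORT = re.compile(r"interface (?:X?GigabitEthernet|Ethernet)\S+")


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    system, views = parse_vrp(text)
    findings = []
    # Login: console and VTY lines must use AAA; Telnet is cleartext.
    for v, lines in views.items():
        if v.startswith("user-interface") and "authentication-mode aaa" not in lines:
            findings.append(f"login: {v} does not use authentication-mode aaa")
    for l in views.get("aaa", []):
        if l.startswith("local-user") and "service-type" in l and "telnet" in l.split():
            findings.append(f"login: {l.split()[1]} allows service-type telnet (cleartext)")
    # CPU defend: an applied policy with ICMP CAR, ttl-expired deny and auto-defend.
    applied = {l.split()[1] for l in system if l.startswith("cpu-defend-policy ")}
    policies = {v.split()[2]: l for v, l in views.items() if v.startswith("cpu-defend policy ")}
    if not applied & set(policies):
        findings.append("cpu-defend: no cpu-defend policy is applied")
    for name in sorted(applied & set(policies)):
        for want in ("car packet-type icmp", "deny packet-type ttl-expired", "auto-defend enable"):
            if not has(policies[name], want):
                findings.append(f"cpu-defend: policy {name} lacks '{want}'")
    # Global anti-attack and ARP security commands.
    for want in ("anti-attack fragment enable", "anti-attack udp-flood enable",
                 "arp anti-attack gateway-duplicate enable",
                 "arp anti-attack packet-check", "arp speed-limit source-ip maximum"):
        if not has(system, want):
            findings.append(f"global: missing '{want}'")
    # Every physical port needs broadcast storm control or suppression.
    for v, lines in views.items():
        if PHYS_PORT.match(v) and not has(lines, ("storm-control broadcast", "broadcast-suppression")):
            findings.append(f"{v}: no broadcast storm control or suppression")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) or "all checks passed")
```

Run against the sample it reports the VTY line, the telnet service type and the unprotected port; feed it the output of display current-configuration saved from a real switch to audit that device, and extend the prefix lists as your baseline grows.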