Tuesday, September 10, 2013

Hidden security problems on the core switch

The core switch has hidden security problems, and several points deserve attention. As the core switch of a large enterprise with 500 or more users, it is an enterprise-class switch and carries the whole network's traffic.
In real network environments, as computer performance has grown, attacks against switches, routers and other network equipment have become more frequent and more severe, and their impact more pronounced. Switches are the main devices for LAN information exchange; core and aggregation switches in particular carry heavy traffic, and under a burst of data or an attack they can easily become overloaded or go down.
To suppress the effect of attacks as far as possible, reduce switch load and keep the LAN running stably, core switch manufacturers build a number of security technologies into the switch. Network administrators should enable and configure these techniques according to their particular equipment models, keeping the LAN environment clean.
This article takes the Quidway series switches of Huawei-3Com as an example to introduce these security technologies and their configuration methods. Here you will learn about broadcast storm control technology, MAC address control technology, DHCP control technology and ACL technology.
Broadcast storm control technology
A damaged network interface card or other faulty hardware, a loop, human interference, hacking tools or the spread of a virus can all cause a broadcast storm: the switch forwards every broadcast frame to every port, which consumes a great deal of bandwidth and hardware resources. By setting a broadcast suppression ratio on an Ethernet port or on a VLAN, the broadcast storm is held down and network congestion is avoided.
1 Broadcast storm suppression ratio on a port
The following command limits the amount of broadcast traffic a port allows. When broadcast traffic exceeds the value set by the user, the system discards the excess, bringing the proportion of broadcast traffic down to a reasonable range. The parameter is the maximum percentage of the port's line rate that broadcast traffic may occupy.
The smaller the percentage, the less broadcast traffic is allowed through. A percentage of 100 means the port performs no broadcast storm suppression at all. By default 100% of broadcast traffic is allowed through, that is, broadcast traffic is not suppressed. The following configuration is done in Ethernet port view.
2 Broadcast storm suppression ratio for a specified VLAN
Similarly, the following command sets the amount of broadcast traffic allowed in a VLAN. By default the system does not suppress broadcasts in any VLAN; the max-ratio value is 100%.
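The two settings above, written out as a configuration session. This is an added example and not a fragment from the original article: the interface and VLAN numbers, the 20% value and the prompt names are invented, and the command name broadcast-suppression is assumed from Quidway S-series documentation (the article describes the commands but does not quote them).

```text
# Added example: broadcast storm suppression on a Quidway-series switch.
# Interface Ethernet 0/1, VLAN 10, the 20% value and the prompts are invented;
# "broadcast-suppression" is assumed from Quidway docs, not quoted by the article.
<Quidway> system-view
# Weak (default) state: the port's suppression ratio is 100, i.e. no suppression.
# Nothing has to be typed for it; it is what a freshly installed switch runs with.
[Quidway] interface Ethernet 0/1
# Hardened: allow broadcast frames to use at most 20% of the port's line rate.
# Broadcast traffic above that share is discarded by the switch itself.
[Quidway-Ethernet0/1] broadcast-suppression 20
[Quidway-Ethernet0/1] quit
# The same control at VLAN scope. The per-VLAN default max-ratio is also 100 (off);
# 20 limits broadcast traffic inside VLAN 10 to 20% regardless of the ingress port.
[Quidway] vlan 10
[Quidway-vlan10] broadcast-suppression max-ratio 20
[Quidway-vlan10] quit
# Save, otherwise the setting is lost at the next reboot.
[Quidway] save
```

The port-level and VLAN-level limits are independent: a frame must pass both. Start with a conservative value such as 20 on user-facing ports and watch for legitimate broadcast-heavy protocols (ARP bursts after a power outage, for instance) before lowering it further.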
MAC address control technology
An Ethernet switch uses its MAC address learning function to obtain the MAC addresses of the network devices connected to each port. Frames whose destination MAC address is already in the table are forwarded directly in hardware. If the MAC address table grows too large, the forwarding performance of the core switch may degrade.
A MAC attack uses a tool to generate spoofed MAC addresses and quickly fill the switch's MAC table. Once the table is full, the switch handles frames passing through it in broadcast mode, flooding them out of every interface, and the attacker can then use a sniffer to capture network information.
Trunk interfaces pass this flood on to all interfaces and to adjacent switches, overloading the switches, slowing the network, causing packet loss and even bringing it to a standstill. You can set the maximum number of MAC addresses a port may learn, and the MAC address aging time, to suppress MAC attacks.
Locking a port here means setting the maximum number of MAC addresses an Ethernet port may learn. Use the command mac-address max-mac-count in Ethernet port view to set the maximum number of addresses the port may learn; the learned MAC address entries are bound to that port.
If a host has been offline for a long time or has been removed, its MAC address still occupies one of the port's entries, so that (with a limit of 5, for example) hosts other than those 5 MAC addresses cannot get online. In that case you can set the aging time of the MAC address entries on the locked port, so that the entries of hosts that have long been offline age out and other hosts can access the network. By default, the aging time of MAC address entries on a locked port is 1 hour.
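The port lock and aging described above as a configuration session. This is an added example, not the article's own text: the interface number, the limit of 5 and the 300-second timer are chosen values; mac-address max-mac-count is the command the article names, while mac-address timer aging and display mac-address are assumed from Quidway documentation.

```text
# Added example: limiting MAC learning on a user-facing port of a Quidway switch.
# Ethernet 0/2, the limit 5 and the 300 s timer are invented values.
# "mac-address max-mac-count" is named by the article; "mac-address timer aging"
# and "display mac-address" are assumed from Quidway docs.
<Quidway> system-view
# Weak (default) state: no limit, so a flooding tool on this port can fill the whole
# table and force the switch into flood-everything mode.
[Quidway] interface Ethernet 0/2
# Hardened: learn at most 5 source MAC addresses on this port. Once 5 entries are
# bound to it, frames from a sixth source MAC are no longer learned, so the port
# cannot be used to exhaust the table.
[Quidway-Ethernet0/2] mac-address max-mac-count 5
[Quidway-Ethernet0/2] quit
# Aging: entries of hosts that have gone offline keep their slot until they age out
# (the article gives 1 hour as the default on a locked port). A shorter timer frees
# the slot sooner so a replacement host is not locked out.
[Quidway] mac-address timer aging 300
# Check: the dynamic entries on Ethernet 0/2 should never exceed 5.
[Quidway] display mac-address
[Quidway] save
```

Pick the limit from what is really behind the port (one PC needs 1, a PC plus an IP phone needs 2) rather than a round number; the tighter the limit, the less a spoofing tool can do before the port stops learning.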
So that the DHCP Relay function can check address validity for legitimate users in a VLAN who are configured with fixed IP addresses, using the DHCP static address table security feature, you need to use this command to add an IP-address to MAC-address mapping for each user with a fixed IP address.

If another, illegal user configures a static IP address that conflicts with the fixed IP address of a legitimate user, the core switch performing the DHCP Relay function can identify the illegal user and refuse that user's IP to MAC address binding request.
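The static binding described above as a configuration session. This is an added example and not the article's own text: the IP addresses, the MAC address and the VLAN number are invented, and the command names dhcp-security static, address-check enable, dhcp-server and display dhcp-security are assumed from Quidway DHCP relay documentation, since the article only refers to "this command".

```text
# Added example: DHCP relay with a static IP-MAC binding on a Quidway switch.
# All addresses, the MAC and VLAN 10 are invented; "dhcp-security static",
# "address-check enable", "dhcp-server" and "display dhcp-security" are assumed
# from Quidway docs, not quoted by the article.
<Quidway> system-view
# The relay forwards DHCP requests from VLAN 10 to the real DHCP server.
[Quidway] dhcp-server 1 ip 10.1.1.100
# Legitimate user with a fixed address: record the IP-MAC pair in the static table.
# A host that later claims 10.1.10.20 with any other MAC conflicts with this entry.
[Quidway] dhcp-security static 10.1.10.20 000f-e200-0001
[Quidway] interface Vlan-interface 10
[Quidway-Vlan-interface10] dhcp-server 1
# Weak (default) state: no address check, so the conflicting host is not detected.
# Hardened: enable the check on the relaying interface, so the switch identifies the
# illegal user and refuses its IP-MAC binding request.
[Quidway-Vlan-interface10] address-check enable
[Quidway-Vlan-interface10] quit
# Check: the static entry must appear in the security table.
[Quidway] display dhcp-security
[Quidway] save
```

The check only covers addresses that have a static entry; every fixed-address user in the VLAN needs its own dhcp-security static line, otherwise the conflict goes unnoticed.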
