The hidden security problems of Huawei distributor core switches, and the issues that deserve attention on an enterprise-class core switch that serves large-enterprise applications (500 and above).
In real network environments, as computer performance grows, attacks against network switches, routers and similar equipment are an increasing trend, becoming more serious and affecting more of the network. Switches are the main LAN information-exchange equipment; core and aggregation switches in particular carry high data flows, and under burst traffic or attack they very easily become overloaded or go down.
To suppress attacks as far as possible, reduce their effect and the load on the switch, and keep the LAN running stably, core switch manufacturers build some security technologies into the switch. Network management personnel should enable and configure these techniques effectively, according to the equipment model, in order to clean up the LAN environment.
This paper takes the Huawei-3Com Quidway series switches as an example and introduces the security technologies and their configuration methods. Here you will learn about broadcast storm control technology, MAC address control technology, DHCP control technology and ACL technology.
The broadcast storm control technology
A damaged network interface card or other fault, a loop, human interference, hacking tools or the spread of a virus can all cause a broadcast storm: the switch forwards every broadcast frame to each port, which heavily consumes bandwidth and hardware resources. By setting a broadcast storm suppression ratio on an Ethernet port or a VLAN, the broadcast storm is suppressed and network congestion is avoided.
1 Broadcast storm suppression ratio
You can use the following command to limit the amount of broadcast traffic a port allows. When broadcast traffic exceeds the value set by the user, the system discards the excess broadcast traffic so that the broadcast ratio drops back to a reasonable range. The parameter is the maximum percentage of the port's line rate that broadcast traffic may occupy.
The smaller the percentage, the less broadcast traffic is allowed through. A value of 100 means the port performs no broadcast storm suppression. By default 100% of broadcast traffic is allowed through, that is, broadcast traffic is not suppressed. The configuration that follows is applied on the Ethernet port.
2 Broadcast storm suppression ratio for a specified VLAN
Similarly, you can use the following command to set the amount of broadcast traffic a VLAN allows. By default the system applies no broadcast suppression to any VLAN, and the max-ratio value is 100%.
MAC address control technology
An Ethernet switch uses its MAC address learning function to obtain the MAC addresses of the network devices connected to each port. Frames destined for a learned MAC address can be forwarded directly in hardware. If the MAC address table becomes too large, the forwarding performance of the core switch may drop.
A MAC attack uses a tool to generate spoofed MAC addresses and quickly fill the switch's MAC table. Once the table is full, the switch handles traffic passing through it in broadcast mode, flooding frames out of every interface, and the attacker can then use a sniffer to obtain network information.
The flooded traffic also leaves through the TRUNK interface to every interface of the adjacent switch, which overloads the switches, slows the network, causes packet loss and can even paralyse it. You can set the maximum number of MAC addresses a port may learn, together with the MAC address aging time, to suppress MAC attacks.
Locking a port here means setting the maximum number of MAC addresses an Ethernet port may learn. Use the command mac-address max-mac-count on the Ethernet port to set this maximum; each learned MAC address table entry is then bound to the corresponding port.
If a host has been offline for a long time, or has been removed, the MAC address table entry it learned still occupies one of the port's slots, so any host whose MAC address falls outside the limit (the 5 addresses in this example) cannot get online. In that case you can set the aging time of the locked port's MAC address table, so that the table entry of a host that has been absent for a long time ages out and other hosts can access the network. By default, the aging time of a locked port's MAC address table entries is 1 hour.
To let the address-validity check of the DHCP static address table (a security feature of the DHCP relay) cover legitimate users who hold fixed IP addresses in a VLAN configured for DHCP Relay, you need to use this command to add the IP-address-to-MAC-address mapping of each fixed-IP user.
If another, illegitimate user configures a static IP address that conflicts with the legitimate user's fixed IP address, the core switch performing the DHCP Relay function can identify the illegal user from the static binding, and the Huawei switch refuses the illegal user's IP-to-MAC binding request.