接入層設(shè)備安全配置案例

接入層作為園區(qū)網(wǎng)絡(luò)的邊界，為各種終端接入網(wǎng)絡(luò)，需要防止非法的終端和用戶進(jìn)入網(wǎng)絡(luò)。此外，接入層設(shè)備還承載二層流量轉(zhuǎn)發(fā)的功能，需要對(duì)二層流量的轉(zhuǎn)發(fā)行為進(jìn)行控制。

配置案例

• 配置流量抑制功能案例

  [HUAWEI]?suppression?mode?by-bits???????????????????????????????????????//配置全局流量抑制模式
[HUAWEI]?interface?gigabitethernet?0/0/1
[HUAWEI-GigabitEthernet0/0/1]?broadcast-suppression?cir?1000????????????//配置接口入方向的未知廣播流量抑制
[HUAWEI-GigabitEthernet0/0/1]?multicast-suppression?cir?1000????????????//配置接口入方向的未知組播流量抑制
[HUAWEI-GigabitEthernet0/0/1]?unicast-suppression?cri?1000??????????????//配置接口入方向的未知單播流量抑制
[HUAWEI-GigabitEthernet0/0/1]?broadcast-suppression?block?outbound??????//配置阻斷接口出方向的廣播流量
[HUAWEI-GigabitEthernet0/0/1]?multicast-suppression?block?outbound??????//配置阻斷接口出方向的組播流量
[HUAWEI-GigabitEthernet0/0/1]?unicast-suppression?block?outbound????????//配置阻斷接口出方向的單播流量

• 配置風(fēng)暴控制功能案例

  [HUAWEI]?interface?gigabitethernet?0/0/1
[HUAWEI-GigabitEthernet0/0/1]?storm-control?broadcast?min-rate?1000?max-rate?2000?????//配置廣播風(fēng)暴控制
[HUAWEI-GigabitEthernet0/0/1]?storm-control?multicast?min-rate?1000?max-rate?2000?????//配置未知組播風(fēng)暴控制
[HUAWEI-GigabitEthernet0/0/1]?storm-control?unicast?min-rate?1000?max-rate?2000???????//配置未知單播風(fēng)暴控制
[HUAWEI-GigabitEthernet0/0/1]?storm-control?action?block?????????????????????????????//配置風(fēng)暴控制的動(dòng)作
[HUAWEI-GigabitEthernet0/0/1]?storm-control?enable?log???????????????????????????????//使能風(fēng)暴控制時(shí)記錄日志的功能
[HUAWEI-GigabitEthernet0/0/1]?storm-control?interval?90???????????????????????????????//配置風(fēng)暴控制的檢測(cè)時(shí)間間隔


• 配置DHCP Snooping功能案例
  

  [HUAWEI]?dhcp?enable?????????????????????????????????//使能DHCP功能
[HUAWEI]?dhcp?snooping?enable????????????????????????//使能全局DHCP?Snooping功能
[HUAWEI]?interface?gigabitethernet?0/0/1?????????????//進(jìn)入用戶側(cè)接口
[HUAWEI-GigabitEthernet0/0/1]?dhcp?snooping?enable???//使能DHCP?Snooping功能
[HUAWEI-GigabitEthernet0/0/1]?quit
[HUAWEI]?interface?gigabitethernet?0/0/2?????????????//進(jìn)入直接或間接連接DHCP服務(wù)器的接口
[HUAWEI-GigabitEthernet0/0/2]?dhcp?snooping?trusted??//配置該接口為信任接口


• 配置IPSG功能案例
  

  配置基于靜態(tài)綁定表的IPSG功能案例。
  

  [HUAWEI]?user-bind?static?ip-address?10.0.0.1?mac-address?00e0-fc01-0001?????//創(chuàng)建靜態(tài)綁定表項(xiàng)
[HUAWEI]?user-bind?static?ip-address?10.0.0.11?mac-address?00e0-fc02-0002????//創(chuàng)建靜態(tài)綁定表項(xiàng)
[HUAWEI]?interface?gigabitethernet?0/0/1
[HUAWEI-GigabitEthernet0/0/1]?ip?source?check?user-bind?enable???????????????//使能IP報(bào)文檢查功能
[HUAWEI-GigabitEthernet0/0/1]?ip?source?check?user-bind?alarm?enable?????????//使能IP報(bào)文檢查告警功能
[HUAWEI-GigabitEthernet0/0/1]?ip?source?check?user-bind?alarm?threshold?100??//配置IP報(bào)文檢查告警閾值




  配置基于DHCP Snooping動(dòng)態(tài)綁定表的IPSG功能案例，配置前需要配置DHCP Snooping功能并生成DHCP Snooping動(dòng)態(tài)綁定表。

  [HUAWEI]?interface?gigabitethernet?0/0/1
[HUAWEI-GigabitEthernet0/0/1]?ip?source?check?user-bind?enable?????????????????//使能IP報(bào)文檢查功能
[HUAWEI-GigabitEthernet0/0/1]?ip?source?check?user-bind?alarm?enable???????????//使能IP報(bào)文檢查告警功能
[HUAWEI-GigabitEthernet0/0/1]?ip?source?check?user-bind?alarm?threshold?100?????//配置IP報(bào)文檢查告警閾值


• 配置ND Snooping功能案例

  [HUAWEI]?nd?snooping?enable??????????????????????????//使能全局ND?Snooping功能
[HUAWEI]?interface?gigabitethernet?0/0/1?????????????//進(jìn)入用戶側(cè)接口
[HUAWEI-GigabitEthernet0/0/1]?nd?snooping?enable?????//使能ND?Snooping功能
[HUAWEI-GigabitEthernet0/0/1]?quit
[HUAWEI]?interface?gigabitethernet?0/0/2?????????????//進(jìn)入直接或間接連接網(wǎng)關(guān)的接口
[HUAWEI-GigabitEthernet0/0/2]?nd?snooping?trusted????//配置該接口為信任接口

• 配置DAI功能案例

  配置前需要配置DHCP Snooping功能并生成DHCP Snooping動(dòng)態(tài)綁定表或手動(dòng)添加靜態(tài)綁定表。
  

  [HUAWEI]?interface?gigabitethernet?0/0/1
[HUAWEI-GigabitEthernet0/0/1]?arp?anti-attack?check?user-bind?enable??????????????????????//使能動(dòng)態(tài)ARP檢測(cè)功能
[HUAWEI-GigabitEthernet0/0/1]?arp?anti-attack?check?user-bind?check-item?ip-address???????//配置ARP報(bào)文綁定表匹配檢查時(shí)只檢查IP地址
[HUAWEI-GigabitEthernet0/0/1]?arp?anti-attack?check?user-bind?alarm?enable????????????????//使能動(dòng)態(tài)ARP檢測(cè)丟棄報(bào)文告警功能
[HUAWEI-GigabitEthernet0/0/1]?arp?anti-attack?check?user-bind?alarm?threshold?100?????????//配置動(dòng)態(tài)ARP檢測(cè)丟棄報(bào)文告警閾值


• 配置端口安全功能案例
  如果接入用戶變動(dòng)比較頻繁，可以通過(guò)端口安全把動(dòng)態(tài)MAC地址轉(zhuǎn)換為安全動(dòng)態(tài)MAC地址。這樣可以在用戶變動(dòng)時(shí)，及時(shí)清除綁定的MAC地址表項(xiàng)。
  

  [HUAWEI]?interface?gigabitethernet?0/0/1
[HUAWEI-GigabitEthernet0/0/1]?port-security?enable??????????????????????//使能端口安全功能
[HUAWEI-GigabitEthernet0/0/1]?port-security?max-mac-num?1???????????????//配置端口安全MAC地址學(xué)習(xí)限制數(shù)
[HUAWEI-GigabitEthernet0/0/1]?port-security?protect-action?restrict?????//配置端口安全保護(hù)動(dòng)作
[HUAWEI-GigabitEthernet0/0/1]?port-security?aging-time?100??????????????//配置端口安全動(dòng)態(tài)MAC地址的老化時(shí)間


  如果接入用戶變動(dòng)較少，可以通過(guò)端口安全把動(dòng)態(tài)MAC地址轉(zhuǎn)換為Sticky MAC地址。這樣在保存配置重啟后，綁定的MAC地址表項(xiàng)不會(huì)丟失。
  

  [HUAWEI]?interface?gigabitethernet?0/0/1
[HUAWEI-GigabitEthernet0/0/1]?port-security?enable??????????????????????//使能端口安全功能
[HUAWEI-GigabitEthernet0/0/1]?port-security?mac-address?sticky??????????//使能接口Sticky?MAC功能
[HUAWEI-GigabitEthernet0/0/1]?port-security?max-mac-num?1???????????????//配置端口安全MAC地址學(xué)習(xí)限制數(shù)
[HUAWEI-GigabitEthernet0/0/1]?port-security?protect-action?restrict?????//配置端口安全保護(hù)動(dòng)作


  如果接入用戶變動(dòng)較少，且數(shù)量較少的情況下，可以通過(guò)配置為安全靜態(tài)MAC地址，實(shí)現(xiàn)MAC地址表項(xiàng)的綁定。
  

  [HUAWEI]?port-security?static-flapping?protect??????????????????????????//使能靜態(tài)MAC地址漂移的檢測(cè)功能
[HUAWEI]?interface?gigabitethernet?0/0/1
[HUAWEI-GigabitEthernet0/0/1]?port-security?enable??????????????????????//使能端口安全功能
[HUAWEI-GigabitEthernet0/0/1]?port-security?max-mac-num?1???????????????//配置端口安全MAC地址學(xué)習(xí)限制數(shù)
[HUAWEI-GigabitEthernet0/0/1]?port-security?protect-action?restrict?????//配置端口安全保護(hù)動(dòng)作


• 配置端口隔離功能案例
  

  [HUAWEI]?interface?gigabitethernet?0/0/1
[HUAWEI-GigabitEthernet0/0/1]?port-isolate?enable?????????????????????????//配置該接口的端口隔離功能