The auto-defend trace-type command configures an attack source tracing mode.
The undo auto-defend trace-type command deletes an attack source tracing mode.
By default, attack source tracing is based on source IP addresses and source MAC addresses.
auto-defend trace-type { source-mac | source-ip | source-portvlan } *
undo auto-defend trace-type { source-mac | source-ip | source-portvlan } *
Parameter | Description | Value
---|---|---
source-mac | Configures attack source tracing based on source MAC addresses so that the device classifies and collects statistics based on the source MAC address and identifies the attack source. | -
source-ip | Configures attack source tracing based on source IP addresses so that the device classifies and collects statistics based on the source IP address and identifies the attack source. | -
source-portvlan | Configures attack source tracing based on source ports+VLANs so that the device classifies and collects statistics based on the source port and VLAN and identifies the attack source. | -
Usage Scenario
After attack source tracing is enabled, you can specify one or more attack source tracing modes. The device then classifies received packets and collects statistics using the specified modes to trace attack sources.
The device supports the following attack source tracing modes: source MAC address-based (source-mac), source IP address-based (source-ip), and source port+VLAN-based (source-portvlan).
Prerequisites
Attack source tracing has been enabled using the auto-defend enable command.
Precautions
In VXLAN scenarios, the source port+VLAN based tracing mode is not supported. In addition, for the S6720-EI and S6720S-EI, the source IP address-based tracing mode is not supported.
Table 1 lists the attack source tracing modes supported for different types of packets.
Packet Type | Attack Source Tracing Mode
---|---
802.1X | Based on source MAC addresses and based on source ports+VLANs
ARP, DHCP, IGMP, ND, DHCPv6, MLDv6 | Based on source MAC addresses, based on source IP addresses, and based on source ports+VLANs
ICMP, TTL-expired, Telnet, TCP, UDP, UDPv6 | Based on source IP addresses and based on source ports+VLANs
If you run this command multiple times, only the latest configuration takes effect.
A switch supports different numbers of attack source tracing modes for different protocol packets. For details, see the modes supported for each packet type in Table 1.
After the attack source tracing function is enabled on the device, you can run the display auto-defend attack-source command to view attack source tracing information if an attack occurs.
When the attack source tracing mode is source-ip and the action is error-down, if multiple interfaces receive attack packets with the same source IP address and the packet rate exceeds the threshold, the switch shuts down only one interface and then checks the packet rate again. If the packet rate is still higher than the threshold, the switch shuts down another interface. The switch repeats this until the packet rate falls below the threshold.
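To make the mode selection and the error-down behaviour concrete, the following Python model (an added example, not Huawei device code and not taken from the product documentation) applies configured trace-type modes to a constructed packet sample: it keys statistics by source MAC, source IP, or port+VLAN only where Table 1 allows that mode for the packet type, flags keys whose rate exceeds a threshold, and walks through the one-interface-at-a-time error-down loop described above. The packet data, interface names, VLAN, threshold value, and the choice of which interface to shut first are all assumptions made for the example.

```python
"""Model of how a switch applies the configured auto-defend trace-type modes.
Added example for illustration only; this is not Huawei device code, and the
packets, interface names, VLAN and threshold below are constructed sample data."""
from collections import Counter
from dataclasses import dataclass

# Tracing modes supported per packet type, transcribed from Table 1.
SUPPORTED_MODES = {
    "802.1X": {"source-mac", "source-portvlan"},
    **{p: {"source-mac", "source-ip", "source-portvlan"}
       for p in ("ARP", "DHCP", "IGMP", "ND", "DHCPv6", "MLDv6")},
    **{p: {"source-ip", "source-portvlan"}
       for p in ("ICMP", "TTL-expired", "Telnet", "TCP", "UDP", "UDPv6")},
}


@dataclass(frozen=True)
class Packet:
    proto: str      # packet type, one of the keys of SUPPORTED_MODES
    src_mac: str
    src_ip: str
    port: str       # ingress interface
    vlan: int


def trace_key(pkt, mode):
    """Return the statistics key the device would use for one tracing mode."""
    if mode == "source-mac":
        return ("source-mac", pkt.src_mac)
    if mode == "source-ip":
        return ("source-ip", pkt.src_ip)
    if mode == "source-portvlan":
        return ("source-portvlan", f"{pkt.port}/vlan{pkt.vlan}")
    raise ValueError(f"unknown trace-type {mode!r}")


def classify(packets, modes):
    """Count packets per (mode, key) for every configured mode, skipping any
    mode that Table 1 does not support for the packet's type."""
    counts = Counter()
    for pkt in packets:
        for mode in modes:
            if mode in SUPPORTED_MODES[pkt.proto]:
                counts[trace_key(pkt, mode)] += 1
    return counts


def attack_sources(counts, threshold_pps, interval_s=1.0):
    """Keys whose rate over the sampling interval exceeds the threshold."""
    return sorted(key for key, n in counts.items() if n / interval_s > threshold_pps)


def error_down_by_source_ip(packets, attacker_ip, threshold_pps, interval_s=1.0):
    """Model the documented error-down behaviour with source-ip tracing: shut
    one interface, re-measure the rate for that source IP on the remaining
    interfaces, and repeat until the rate no longer exceeds the threshold.
    Returns the shut-down interfaces in order. The reference does not say which
    interface is chosen first; picking the one carrying the most attack packets
    is an assumption of this model."""
    shut = []
    while True:
        per_port = Counter(p.port for p in packets
                           if p.src_ip == attacker_ip and p.port not in shut)
        if not per_port or sum(per_port.values()) / interval_s <= threshold_pps:
            return shut
        shut.append(max(sorted(per_port), key=per_port.get))


def flood(proto, mac, ip, port, vlan, n):
    """Constructed sample traffic: n identical packets seen in one interval."""
    return [Packet(proto, mac, ip, port, vlan) for _ in range(n)]


# Constructed one-second sample: one host ARP-floods through three access ports
# while a legitimate host sends a handful of ARP packets.
SAMPLE_PACKETS = (
    flood("ARP", "00e0-fc00-0009", "10.0.0.9", "GE0/0/1", 10, 40)
    + flood("ARP", "00e0-fc00-0009", "10.0.0.9", "GE0/0/2", 10, 25)
    + flood("ARP", "00e0-fc00-0009", "10.0.0.9", "GE0/0/3", 10, 10)
    + flood("ARP", "00e0-fc00-0005", "10.0.0.5", "GE0/0/4", 10, 5)
)
THRESHOLD_PPS = 30  # constructed value

if __name__ == "__main__":
    counts = classify(SAMPLE_PACKETS, ["source-ip", "source-portvlan"])
    print("attack sources:", attack_sources(counts, THRESHOLD_PPS))
    print("interfaces shut:",
          error_down_by_source_ip(SAMPLE_PACKETS, "10.0.0.9", THRESHOLD_PPS))
```

With both source-ip and source-portvlan configured, the flood is identified under the source-ip key (75 pps across three ports) and also under the single port+VLAN key that alone exceeds 30 pps, while an 802.1X packet would be counted under neither source-ip statistic because Table 1 does not support that mode for 802.1X. The error-down loop shuts GE0/0/1, re-measures 35 pps, shuts GE0/0/2, and stops at 10 pps, which is the one-interface-at-a-time behaviour the precaution describes; on the device you would confirm the result with display auto-defend attack-source.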