Security configurations protect an SVF system against various attacks. Common attacks in a campus network target the control plane and the forwarding plane. Table 1 lists the attack types and their impacts on the campus network.
| Attack Type | Attack Subtype | Impact |
|---|---|---|
| Attack on the control plane | ARP attack with fixed source MAC address | The CPU usage of the parent becomes high, and traffic of some users is interrupted. |
| Attack on the control plane | ARP attack with fixed source IP address | The CPU usage of the parent becomes high, and traffic of some users is interrupted. |
| Attack on the control plane | ARP attack from bogus gateways | A large number of gateway collision alarms are generated on the parent. |
| Attack on the control plane | ARP spoofing gateway attack | Users cannot access the network. |
| Attack on the control plane | ARP flooding attack | Users cannot learn ARP entries and may be unable to access the network at all. |
| Attack on the control plane | Bogus DHCP server attack | Users cannot obtain the expected IP addresses. |
| Attack on the control plane | DHCP flooding attack | When terminals are not authenticated, users cannot obtain IP addresses. |
| Attack on the forwarding plane | ARP Miss attack with fixed source IP address | The parent has a high CPU usage and cannot learn ARP entries. |
| Attack on the forwarding plane | IP packet attack with the device IP address as destination IP address | The CPU usage of the parent becomes high. Packet loss occurs or traffic forwarding is interrupted when the parent pings the gateway. Telnet logins to the parent respond slowly. Unicast IP packets of protocols such as BGP and LDP cannot be processed in a timely manner, preventing these protocols from working normally. |
| Attack on the forwarding plane | DDoS attack | Uplink ports are congested, and user traffic is interrupted. |
In an SVF system, ASs provide terminal access: terminals are connected directly to AS ports. Some device security measures are deployed in an SVF system by default; for example, packet rate limiting is configured in the inbound or outbound direction of AS ports. You can also run commands to perform security configurations on the ports to which terminals are connected.
Table 2 lists attack defense methods and recommendations.
Where a single defense method applies to all four access scenarios, it is given in the first method column and the remaining cells read "Same".

| Attack Type | Attack Subtype | Authenticated terminals, wired access | Authenticated terminals, wireless access | Unauthenticated terminals, wired access | Unauthenticated terminals, wireless access |
|---|---|---|---|---|---|
| Attack on the control plane | ARP attack with fixed source MAC address | Automatic defense against ARP packet attacks is supported. | Configure attack defense policies on APs. | Configure ARP packet rate limiting on AS ports. | Configure attack defense policies on APs. |
| Attack on the control plane | ARP attack with fixed source IP address | Automatic defense against ARP packet attacks is supported. | Configure attack defense policies on APs. | Configure ARP packet rate limiting on AS ports. | Configure attack defense policies on APs. |
| Attack on the control plane | ARP attack from bogus gateways | Configure the ARP gateway anti-collision function on the parent. | Same | Same | Same |
| Attack on the control plane | ARP spoofing gateway attack | Set the forwarding mode to centralized forwarding. | Same | Same | Same |
| Attack on the control plane | ARP flooding attack | The ARP anti-flooding function is automatically enabled in the outbound direction of ASs, so an ARP flooding attack affects only the attacked ASs. After the attack sources are identified, configure rate limiting for incoming ARP packets on the AS ports to which the terminals are connected. | Same | Same | Same |
| Attack on the control plane | Bogus DHCP server attack | None | None | Configure DHCP snooping on ASs. | Configure DHCP snooping on APs. |
| Attack on the control plane | DHCP flooding attack | The DHCP anti-flooding function is automatically enabled in the outbound direction of ASs, so a DHCP flooding attack affects only the attacked ASs. After the attack sources are identified, configure rate limiting for incoming DHCP packets on the AS ports to which the terminals are connected. | Same | Same | Same |
| Attack on the forwarding plane | ARP Miss attack with fixed source IP address | Configure rate limiting for ARP Miss packets on the parent, limiting the packets based on the source IP address. | Same | Same | Same |
| Attack on the forwarding plane | IP packet attack with the device IP address as destination IP address | Configure a blacklist on the parent. | Same | Same | Same |
| Attack on the forwarding plane | DDoS attack | Configure rate limiting and broadcast, multicast, and unknown unicast traffic suppression on ports. | Same | Same | Same |
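As an added example that is not part of this guide and not the device's own implementation, the following Python script applies the two checks behind the ARP defenses in Table 2, per-source rate limiting (by sender MAC and by sender IP) and gateway anti-collision, to a constructed ARP sample; the gateway address and MAC, the thresholds and the one-second window are assumptions.

```python
from collections import Counter, defaultdict

# Assumed gateway identity for the anti-collision check (not from the page).
GATEWAY_IP = "10.1.1.1"
GATEWAY_MAC = "00:11:22:33:44:01"


def constructed_records():
    """Constructed ARP sample as (time_s, sender_mac, sender_ip) seen on one AS port."""
    recs = [
        (0.10, "00:aa:aa:aa:aa:01", "10.1.1.20"),  # normal host
        (0.50, "00:aa:aa:aa:aa:01", "10.1.1.20"),
        (0.70, "00:cc:cc:cc:cc:01", GATEWAY_IP),   # non-gateway MAC claiming the gateway IP
    ]
    # Fixed source MAC: 15 packets within 1 s, sender IP rotated so per-IP counts stay low
    recs += [(0.01 * i, "00:bb:bb:bb:bb:01", f"10.1.1.{100 + i}") for i in range(15)]
    # Fixed source IP: 12 packets within 1 s, sender MAC rotated so per-MAC counts stay low
    recs += [(0.02 * i, f"00:dd:dd:dd:dd:{i:02x}", "10.1.1.50") for i in range(12)]
    return sorted(recs)


def detect_arp_attacks(records, mac_limit=10, ip_limit=10, window_s=1.0):
    """Return sorted (finding, offender) pairs.

    fixed-source-mac / fixed-source-ip: more than the limit of ARP packets from one
    sender MAC / sender IP inside one window (what per-source rate limiting on an
    AS port would drop). bogus-gateway: an ARP claiming the gateway IP from a MAC
    other than the gateway's (what gateway anti-collision on the parent alarms on).
    """
    findings = set()
    by_mac, by_ip = defaultdict(Counter), defaultdict(Counter)
    for t, mac, ip in records:
        if ip == GATEWAY_IP and mac != GATEWAY_MAC:
            findings.add(("bogus-gateway", mac))
        bucket = int(t // window_s)
        by_mac[bucket][mac] += 1
        by_ip[bucket][ip] += 1
    for bucket in by_mac:
        for mac, n in by_mac[bucket].items():
            if n > mac_limit:
                findings.add(("fixed-source-mac", mac))
        for ip, n in by_ip[bucket].items():
            if n > ip_limit:
                findings.add(("fixed-source-ip", ip))
    return sorted(findings)


if __name__ == "__main__":
    for finding, offender in detect_arp_attacks(constructed_records()):
        print(f"{finding:18s} {offender}")
```

Rotating the sender IP defeats a per-IP limit but not a per-MAC one, and vice versa, which is why the table lists both fixed-source-MAC and fixed-source-IP variants separately.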