
Security Configuration Suggestion

Network Security Suggestion

To protect network devices' CPU against attacks and ensure that users can use network resources properly, user control traffic and data traffic need to be limited. It is recommended that the traffic be limited on network edges, that is, on APs.

  • Control traffic limiting: ARP, ND, and IGMP flood attack detection is enabled on an AP by default. The rate thresholds for ARP, ND, and IGMP flood attack detection are 5 pps, 16 pps, and 4 pps, respectively. You are not advised to change the default values. When service traffic is heavy on a network, the values can be increased appropriately. However, it is recommended that the values be increased by no more than 100% above the defaults.

    # Set the rate threshold for ARP flood attack detection to 10 pps. (This function is supported only by V200R010.)
    <HUAWEI> system-view
    [HUAWEI] wlan
    [HUAWEI-wlan-view] vap-profile name profile1
    [HUAWEI-wlan-vap-prof-profile1] anti-attack arp-flood sta-rate-threshold 10
    
  • Data traffic limiting: The rate limit of upstream and downstream packets for each STA or all STAs associated with a VAP is configured in a traffic profile on an AP.

    # Set the rate limit of upstream packets to 1 Mbit/s for each STA associated with the VAP that has the traffic profile p1.
    <HUAWEI> system-view
    [HUAWEI] wlan
    [HUAWEI-wlan-view] traffic-profile name p1
    [HUAWEI-wlan-traffic-prof-p1] rate-limit client up 1024
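As an added illustration of the per-STA flood detection thresholds above (a simplified model written for this page, not Huawei's implementation), the following Python script counts ARP, ND, and IGMP packets per STA over a sliding one-second window, flags any STA that exceeds the page's default thresholds, and checks a proposed threshold against the recommended 100% ceiling. The sample traffic and the second MAC address are constructed.

```python
"""Model of per-STA control-plane flood detection (illustrative, not Huawei code).

Packets are counted per (STA MAC, protocol) over a sliding 1-second window and a
STA is flagged once its rate exceeds the per-protocol threshold. Defaults mirror
the page: ARP 5 pps, ND 16 pps, IGMP 4 pps; a threshold may be raised by at most
100% over its default.
"""
from collections import defaultdict, deque

DEFAULT_PPS = {"arp": 5, "nd": 16, "igmp": 4}
MAX_INCREASE = 1.0  # 100%: the page's recommended ceiling for raising a threshold


def validate_threshold(proto, pps):
    """Return True if pps lies within [default, 2 * default] for this protocol."""
    base = DEFAULT_PPS[proto]
    return base <= pps <= base * (1 + MAX_INCREASE)


class FloodDetector:
    """Sliding-window packet counter keyed by (STA MAC, protocol)."""

    def __init__(self, thresholds=None, window=1.0):
        self.thresholds = dict(DEFAULT_PPS, **(thresholds or {}))
        self.window = window
        self.history = defaultdict(deque)  # (mac, proto) -> arrival timestamps

    def observe(self, ts, mac, proto):
        """Record one packet; return True if this STA now exceeds its threshold."""
        q = self.history[(mac, proto)]
        q.append(ts)
        while q and ts - q[0] >= self.window:  # evict packets outside the window
            q.popleft()
        return len(q) > self.thresholds[proto]


def run(packets, thresholds=None):
    """Feed (ts, mac, proto) tuples; return the set of (mac, proto) that exceeded."""
    det = FloodDetector(thresholds)
    return {(mac, proto) for ts, mac, proto in packets if det.observe(ts, mac, proto)}


# Constructed sample traffic: one STA sends 7 ARP requests within one second
# (exceeds 5 pps); another sends 3 IGMP reports (within 4 pps).
SAMPLE = [(0.1 * i, "000a-000b-000c", "arp") for i in range(7)] + \
         [(0.3 * i, "000a-000b-000d", "igmp") for i in range(3)]

if __name__ == "__main__":
    print(run(SAMPLE))  # flags only the ARP sender at the default 5 pps
```

Running with the page's raised threshold, `run(SAMPLE, {"arp": 10})`, flags nothing, which is the trade-off the suggestion above describes.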
    
Different suggestions are provided for X series cards and non-X series cards of ACs.
  • The user-level rate limiting function is recommended for X series cards and is enabled by default. Supported packet types include ARP Request, ARP Reply, ND, DHCP Request, DHCPv6 Request, and 802.1X. By default, the user-level rate limit is 10 pps. You can adjust the rate limit for a specified STA.

    # Set the rate limit threshold for the STA with MAC address 000a-000b-000c to 20 pps.
    <HUAWEI> system-view
    [HUAWEI] cpu-defend host-car mac-address 000a-000b-000c pps 20
    
  • The attack source tracing function is recommended for non-X series cards and is enabled by default. If the number of protocol packets of normal services exceeds the specified checking threshold and an attack source punishment action is configured, the attack source tracing function may affect these normal services. You can attempt to disable the attack source tracing function or disable this function for corresponding protocols to restore the services.

    # Configure the device to discard packets from the identified source every 10 seconds.
    <HUAWEI> system-view
    [HUAWEI] cpu-defend policy test
    [HUAWEI-cpu-defend-policy-test] auto-defend enable
    [HUAWEI-cpu-defend-policy-test] auto-defend action deny timer 10
    
    # Delete IGMP and TTL-expired packets from the list of traced packets.
    <HUAWEI> system-view
    [HUAWEI] cpu-defend policy test
    [HUAWEI-cpu-defend-policy-test] auto-defend enable
    [HUAWEI-cpu-defend-policy-test] undo auto-defend protocol igmp ttl-expired
    

ICMP Fast Reply Is Recommended

Ping is a common method for checking network connectivity. However, a large number of ICMP packets affect device performance, reducing the number of wireless users supported by the AC. The ICMP fast reply function is enabled on a switch by default. Keep this function enabled, unless otherwise required.

CAPWAP Tunnel Encryption Is Not Recommended

The parent and an AS transmit management packets through a Control and Provisioning of Wireless Access Points (CAPWAP) tunnel. To ensure tunnel confidentiality and security, you can use Datagram Transport Layer Security (DTLS) to encrypt packets transmitted in the CAPWAP tunnel. DTLS encryption, however, degrades AC performance. It is recommended that DTLS encryption be disabled in scenarios without high security requirements or special customer requirements.

Copyright © Huawei Technologies Co., Ltd.