A malicious user accesses a switch using forged multicast group addresses, that is, over invalid multicast channels. As a result, a large number of invalid entries are created on the switch and consume system resources, and normal users cannot access services.
An attacker sends query packets so that the attacker-facing port is learned as a multicast switch port; the switch then forwards the traffic of all multicast groups to that port, which consumes a lot of bandwidth.
To defend against the preceding attacks, configure the following security policies on a switch:
Run the group-policy command to configure a group policy that specifies the multicast groups (or multicast source-group pairs) allowed to access a VLAN or interface, so that malicious users cannot use invalid multicast channels to access the switch.
Configure a multicast group policy.
Configure a multicast group policy in the VLAN or Virtual Switching Instance (VSI) view based on the service deployment conditions (the Internet Protocol Television (IPTV) multicast group address range is recommended).
<HUAWEI> system-view
[HUAWEI] acl number 2000
[HUAWEI-acl-basic-2000] rule permit source 225.0.0.0 0.0.0.255
[HUAWEI-acl-basic-2000] quit
[HUAWEI] igmp-snooping enable
[HUAWEI] vlan 2
[HUAWEI-vlan2] igmp-snooping enable
[HUAWEI-vlan2] igmp-snooping group-policy 2000
Configure a CAC (call admission control) limit on the number of multicast group entries in the VLAN, VSI, or interface view.
Set the maximum number of multicast groups in VSI company1 to 1000.
<HUAWEI> system-view
[HUAWEI] mpls l2vpn
[HUAWEI] vsi company1
[HUAWEI-vsi-company1] l2-multicast limit max-entry 1000
Disable the switch port learning function.
Disable the switch port learning function in the VLAN, VSI, or interface view.
Disable the switch port learning function of GE0/0/1 in VLAN 10.
<HUAWEI> system-view
[HUAWEI] igmp-snooping enable
[HUAWEI] vlan 10
[HUAWEI-vlan10] igmp-snooping enable
[HUAWEI-vlan10] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo igmp-snooping router-learning vlan 10
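The following Python model shows how the three defences above interact when IGMP reports and queries arrive on a VLAN: the group policy filters reports by the basic ACL's wildcard-mask semantics (a 0 bit must match, a 1 bit is ignored), the CAC limit caps the number of entries the VLAN will hold, and disabling switch port learning stops a query from turning an access port into a port that receives all groups. This is an added example written for this page, not the switch's implementation or Huawei code; the class and function names, the per-VLAN entry model (one entry per group rather than per group and port) and the implicit-deny treatment of groups that match no ACL rule are assumptions of the model, and the IGMP reports are constructed sample input.

```python
"""Constructed model of a VLAN's IGMP snooping defences (not switch code)."""
from collections import Counter
from dataclasses import dataclass, field
import ipaddress


@dataclass
class AclRule:
    """One basic-ACL rule, e.g. 'rule permit source 225.0.0.0 0.0.0.255'."""
    action: str     # "permit" or "deny"
    source: str     # base address of the range
    wildcard: str   # wildcard mask: 0 bits must match, 1 bits are ignored


def rule_matches(rule: AclRule, group: str) -> bool:
    """True if group falls inside the rule's source/wildcard range."""
    src = int(ipaddress.IPv4Address(rule.source))
    wc = int(ipaddress.IPv4Address(rule.wildcard))
    grp = int(ipaddress.IPv4Address(group))
    care = 0xFFFFFFFF ^ wc            # the bits that must be equal
    return (src & care) == (grp & care)


def acl_permits(rules, group: str) -> bool:
    """First matching rule decides; a group matching no rule is denied
    (assumption of this model; the group-policy default is defined
    in the product manual)."""
    for rule in rules:
        if rule_matches(rule, group):
            return rule.action == "permit"
    return False


@dataclass
class SnoopingVlan:
    rules: list                       # group-policy ACL
    max_entries: int                  # l2-multicast limit max-entry
    router_learning: bool = True      # igmp-snooping router-learning
    entries: set = field(default_factory=set)
    router_ports: set = field(default_factory=set)

    def report(self, port: str, group: str) -> str:
        """Process an IGMP membership report and return the verdict."""
        if not ipaddress.IPv4Address(group).is_multicast:
            return "invalid-group"
        if not acl_permits(self.rules, group):
            return "denied-by-group-policy"
        if group in self.entries:
            return "already-present"
        if len(self.entries) >= self.max_entries:
            return "denied-by-limit"          # CAC limit reached
        self.entries.add(group)
        return "accepted"

    def query(self, port: str) -> str:
        """Process an IGMP general query arriving on port."""
        if not self.router_learning:
            return "ignored"                  # learning disabled on port
        self.router_ports.add(port)           # port now receives all groups
        return "router-port-learned"


IPTV_POLICY = [AclRule("permit", "225.0.0.0", "0.0.0.255")]

# Constructed IGMP reports: GE1/0/2 is a legitimate IPTV host, GE1/0/3 an attacker.
CONSTRUCTED_REPORTS = [
    ("GE1/0/2", "225.0.0.5"),    # IPTV channel: accepted
    ("GE1/0/2", "225.0.0.200"),  # IPTV channel: accepted
    ("GE1/0/3", "239.1.1.1"),    # outside the permitted range
    ("GE1/0/3", "225.0.1.1"),    # wildcard 0.0.0.255 covers only the last octet
    ("GE1/0/2", "225.0.0.5"),    # duplicate join, no new entry
    ("GE1/0/3", "225.0.0.7"),    # third entry fills the (small) limit
    ("GE1/0/3", "225.0.0.8"),    # rejected by the CAC limit
    ("GE1/0/3", "225.0.0.9"),    # rejected by the CAC limit
    ("GE1/0/3", "10.0.0.1"),     # not a multicast address at all
]


def run_demo(router_learning: bool = False) -> dict:
    """Replay the constructed reports, then a query from the attacker port."""
    vlan = SnoopingVlan(rules=IPTV_POLICY, max_entries=3,
                        router_learning=router_learning)
    verdicts = Counter(vlan.report(port, group)
                       for port, group in CONSTRUCTED_REPORTS)
    query_result = vlan.query("GE1/0/3")
    return {"verdicts": dict(verdicts),
            "entries": sorted(vlan.entries),
            "query": query_result,
            "router_ports": sorted(vlan.router_ports)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Running run_demo() with learning disabled yields three accepted joins, two rejected by the group policy, two rejected by the limit, one duplicate and one invalid address, and the attacker's query leaves the router-port set empty; calling run_demo(True) shows the same query adding GE1/0/3 as a port that would receive every group.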