In real network environments, as computer performance keeps improving, attacks against switches, routers and other hosts on the network become more frequent and their impact more severe. As the main devices for LAN information exchange, switches, especially core and aggregation switches, carry very high data traffic; a sudden burst of abnormal data or an attack can easily overload them or take them down. To minimize the impact of attacks, reduce the load on switches and keep the LAN running stably, switch manufacturers build a number of security protection technologies into their switches, and network administrators should enable and configure these technologies appropriately for each device model to keep the LAN environment clean. This article takes Huawei-3Com's Quidway series switches as an example and introduces, in two parts, common security protection technologies and their configuration methods: broadcast storm control, MAC address control, DHCP control and ACLs.
Broadcast Storm Control Technology
A broadcast storm can be caused by a damaged NIC or other network interface, a loop, human interference, hacker tools or virus propagation. The switch then forwards a large number of broadcast frames to every port, which consumes a great deal of link bandwidth and hardware resources. Setting a broadcast storm suppression ratio on an Ethernet port or a VLAN effectively suppresses broadcast storms and avoids network congestion.
1. Set the broadcast storm suppression ratio on a port
The following command limits the amount of broadcast traffic allowed on a port. When broadcast traffic exceeds the configured value, the system discards the excess, keeping the share of broadcast traffic within a reasonable range. The parameter is the maximum broadcast traffic expressed as a percentage of the port's line speed: the smaller the percentage, the less broadcast traffic is allowed through, and a value of 100 means no broadcast storm suppression is performed on the port. By default the allowed broadcast traffic is 100%, that is, broadcast traffic is not restricted. Configure the following in the Ethernet port view:
broadcast-suppression ratio
2. Set the broadcast storm suppression ratio for a VLAN
Similarly, a command is available to set the maximum broadcast traffic allowed in a VLAN. By default no VLAN in the system suppresses broadcast storms, that is, the max-ratio value is 100%.
MAC Address Control Technology
An Ethernet switch uses MAC address learning to discover the MAC addresses of the devices connected to each port, so that packets destined for those addresses can be forwarded directly in hardware. If the MAC address table becomes too large, the switch's forwarding performance can degrade. A MAC flooding attack uses tools to generate spoofed source MAC addresses and quickly fill the switch's MAC table. Once the table is full, the switch handles packets in broadcast mode: traffic is flooded out of all interfaces, and an attacker can then use sniffing tools to capture network information. Traffic on trunk interfaces is likewise flooded to all interfaces and to neighbouring switches, which overloads the switches, slows the network, causes packet loss and can even bring the network down. MAC attacks can be contained by setting a maximum number of MAC addresses and a MAC address aging time on the port.
1. Set the maximum number of MAC addresses that can be learned
By setting the maximum number of MAC addresses that an Ethernet port may learn, you control the number of entries in the MAC address table maintained by the switch. If the configured value is count, the port stops learning new MAC addresses once the number learned on it reaches count. By default, the switch places no limit on the number of MAC addresses learned from a port.
Configure the following in the Ethernet port view:
mac-address max-mac-count count
2. Set the system MAC address aging time
Setting an appropriate aging time makes MAC address aging effective. An aging time that is too long or too short may cause the switch to broadcast large numbers of packets whose destination MAC address cannot be found, degrading its performance. If the aging time is too long, the switch may keep many outdated MAC address entries, exhausting the MAC address table and leaving the switch unable to update the table as the network changes. If the aging time is too short, the switch may delete entries that are still valid. In general we recommend the default aging time, age, of 300 seconds.
Perform the following configuration in the system view:
mac-address timer {aging age | no-aging}
The no-aging parameter means that MAC address table entries never age out.
3. Set the aging time of the MAC address table on a locked port
A locked port here means an Ethernet port on which a maximum number of learnable MAC addresses has been set. After you use the mac-address max-mac-count command on an Ethernet port, the MAC address entries learned there are bound to that port. If the host behind one of those MAC addresses has been inactive for a long time or has been removed, its entry still occupies one of the port's MAC address slots, and hosts beyond the configured number (five in the original example) cannot get network access. In this case, you can set the aging time of the MAC address table for the locked port so that the entries of long-idle hosts age out and other hosts can gain access. By default, the MAC address table aging time for a locked port is 1 hour.
Perform the following configuration in the system view:
lock-port mac-aging {age-time | no-age}
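To make the interaction between MAC learning, the per-port limit and the aging timer concrete, here is a small software model of a switch MAC address table. It is an added example written for this article, not Quidway code: the table capacity, port names and MAC addresses are constructed, and the flooding source is modelled simply as a port that presents many spoofed source MACs. It shows why an unlimited table ends up flooding legitimate unicast traffic, and how mac-address max-mac-count on the offending port contains the effect.

```python
"""Model of a switch MAC address table with a per-port learning limit
(mac-address max-mac-count) and an aging timer (mac-address timer aging).
Constructed example; not Quidway code. Ports, MACs and capacity are made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class MacEntry:
    port: str
    last_seen: float          # simulated clock, in seconds


@dataclass
class MacTable:
    aging: Optional[float] = 300.0        # seconds; None models 'no-aging'
    capacity: int = 8192                  # hardware table size (assumed value)
    max_per_port: Dict[str, int] = field(default_factory=dict)   # max-mac-count
    entries: Dict[str, MacEntry] = field(default_factory=dict)

    def port_count(self, port: str) -> int:
        return sum(1 for e in self.entries.values() if e.port == port)

    def learn(self, mac: str, port: str, now: float) -> bool:
        """Source-MAC learning. Returns False when the port or table refuses."""
        if mac in self.entries:                       # refresh an existing entry
            self.entries[mac] = MacEntry(port, now)
            return True
        limit = self.max_per_port.get(port)
        if limit is not None and self.port_count(port) >= limit:
            return False                              # port has stopped learning
        if len(self.entries) >= self.capacity:
            return False                              # table exhausted
        self.entries[mac] = MacEntry(port, now)
        return True

    def age(self, now: float) -> int:
        """Remove entries idle longer than the aging time; return how many."""
        if self.aging is None:
            return 0
        stale = [m for m, e in self.entries.items() if now - e.last_seen > self.aging]
        for m in stale:
            del self.entries[m]
        return len(stale)

    def forward(self, dst_mac: str, in_port: str, ports: List[str]) -> List[str]:
        """Egress ports: the learned port for a known destination, else flood."""
        e = self.entries.get(dst_mac)
        if e is not None and e.port != in_port:
            return [e.port]
        return [p for p in ports if p != in_port]


def spoofed_macs(n: int) -> List[str]:
    """Constructed locally-administered source MACs, as a flooding source emits."""
    return ["02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xff, (i >> 8) & 0xff, i & 0xff)
            for i in range(n)]


def simulate(max_mac_count: Optional[int] = None) -> dict:
    """Server on e0/1, a new host on e0/2, a flooding source on e0/24."""
    ports = ["e0/1", "e0/2", "e0/24"]
    t = MacTable(capacity=1024)
    if max_mac_count is not None:
        t.max_per_port["e0/24"] = max_mac_count      # limit on the flooding port
    server, host = "00:e0:fc:00:00:01", "00:e0:fc:00:00:02"
    t.learn(server, "e0/1", 0)
    learned = sum(t.learn(m, "e0/24", 10) for m in spoofed_macs(2000))
    host_learned = t.learn(host, "e0/2", 20)
    table_size = len(t.entries)
    egress = t.forward(host, "e0/1", ports)          # server -> host: unicast or flood?
    aged = t.age(305)                                # only the server (idle 305 s) expires
    return {"learned": learned, "host_learned": host_learned, "table_size": table_size,
            "egress": egress, "aged": aged}


if __name__ == "__main__":
    print("no limit   :", simulate())
    print("max-count 2:", simulate(max_mac_count=2))
```

Without a limit the 2000 spoofed addresses fill the table, the legitimate host on e0/2 can no longer be learned, and traffic to it is flooded out of every port including the attacker's; with a limit of 2 on e0/24 the table stays small and the host's traffic goes only to e0/2. The age() call shows the other point made above: an entry that stays silent past the aging time is removed regardless of how it was learned.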
DHCP Control Technology
A DHCP server automatically assigns network parameters such as IP address, mask, gateway, DNS and WINS servers to users. It copes with clients that change location (for example mobile hosts or wireless networks) and with situations where the number of clients exceeds the number of IP addresses available, simplifying user configuration and improving management efficiency. When DHCP is used for address management, however, problems such as impersonation of the DHCP server, DoS attacks against the DHCP server, and address conflicts caused by randomly configured IP addresses can arise.
1. DHCP Relay technology for Layer 3 switches
The early DHCP protocol only worked when the DHCP client and server were on the same subnet; it could not operate across network segments. To achieve dynamic host configuration you therefore had to deploy a DHCP server on every subnet, which is obviously uneconomical. DHCP Relay solves this problem: DHCP clients on a LAN communicate, through the DHCP Relay, with DHCP servers on other subnets to obtain valid IP addresses. DHCP clients on several networks can thus share one DHCP server, which both saves cost and simplifies centralised management. DHCP Relay configuration includes:
(1) Configure the IP addresses of the DHCP servers
To improve reliability, you can configure a primary and a secondary DHCP server for a network segment; together they form a DHCP server group. Use the following command to specify the IP addresses of the active and standby DHCP servers.
Perform the following configuration in the system view:
dhcp-server groupNo ip ipaddress1 [ipaddress2]
(2) Configure the DHCP server group for the VLAN interface
Perform the following configuration in the VLAN interface view:
dhcp-server groupNo
(3) Enable or disable DHCP security features on the VLAN interface
Enabling DHCP security features on a VLAN interface turns on the legality check of user addresses under that interface. This prevents users from configuring IP addresses without authorisation and disturbing the network, and, together with the DHCP server, lets you quickly and accurately locate virus or interference sources.
Perform the following configuration in the VLAN interface view:
address-check enable
(4) Configure user address table entries
To let users with valid fixed IP addresses in a VLAN configured with DHCP Relay pass the address legality check of the DHCP security features, use this command to add a static address table entry mapping the IP address to the MAC address of each user with a fixed IP address. If an illegal user configures a static IP address that conflicts with a valid user's fixed IP address, the Ethernet switch performing the DHCP Relay function can identify the illegal user and refuse to bind the illegal user's IP address to its MAC address.
Perform the following configuration in the system view:
dhcp-security static ip_address mac_address
2. Other address management technologies
On a Layer 2 switch, the DHCP-Snooping security mechanism lets you set each port as trusted or untrusted so that users obtain IP addresses only from a legitimate DHCP server. A trusted port is one that connects to the DHCP server or to another switch; it is not used to connect users or downstream networks. DHCPACK and DHCPOFFER packets (the replies a DHCP server sends) that arrive on an untrusted port are discarded, while a trusted port forwards DHCP packets normally, so users obtain correct IP addresses.
(1) Enable or disable DHCP-Snooping
By default, the DHCP-Snooping function of the Ethernet switch is disabled.
Perform the following configuration in the system view to enable DHCP-Snooping:
dhcp-snooping
(2) Configure a port as a trusted port
By default, switch ports are untrusted.
Configure the following in the Ethernet port view:
dhcp-snooping trust
(3) Configure the VLAN interface to obtain an IP address through DHCP
Perform the following configuration in the VLAN interface view:
ip address dhcp-alloc
(4) Access management configuration: bind port, IP address and MAC address
You can bind the port, IP address and MAC address with the following command. Port + IP, Port + MAC, Port + IP + MAC and IP + MAC binding modes are supported. This prevents unauthorised mobile devices, MAC address abuse attacks and IP address theft, but maintaining the bindings is a great deal of work.
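The trust rule of DHCP-Snooping and the port/IP/MAC binding check described in (4) fit together naturally: the snooping process learns which server replies are legitimate, and the binding table that results is what the access check consults. The following added example models both in software; it is written for this article, not H3C code, and its port names, MAC addresses, IP addresses and the DHCP message sequence are constructed. It also folds in a static entry of the kind the dhcp-security static command creates for hosts with fixed addresses.

```python
"""Model of DHCP-Snooping trusted/untrusted ports plus port/IP/MAC binding
checks. Constructed example; not H3C code. Ports, MACs, IPs are made up."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# DHCP message types carried in option 53 (RFC 2132)
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_TO_CLIENT = {OFFER, ACK, NAK}      # only a DHCP server sends these


@dataclass
class DhcpMsg:
    in_port: str
    msg_type: int
    client_mac: str              # chaddr
    yiaddr: str = "0.0.0.0"      # address offered/confirmed by the server


class DhcpSnooping:
    def __init__(self, trusted_ports: Set[str]):
        self.trusted = trusted_ports
        self.client_port: Dict[str, str] = {}           # client MAC -> access port
        self.bindings: Dict[str, Tuple[str, str]] = {}  # IP -> (MAC, port)
        self.dropped: List[DhcpMsg] = []

    def process(self, m: DhcpMsg) -> str:
        """Trust rule: server replies are accepted only on trusted ports."""
        if m.msg_type in SERVER_TO_CLIENT:
            if m.in_port not in self.trusted:
                self.dropped.append(m)                  # rogue server on an access port
                return "drop"
            if m.msg_type == ACK and m.client_mac in self.client_port:
                # A lease confirmed by a trusted server becomes a binding entry
                self.bindings[m.yiaddr] = (m.client_mac, self.client_port[m.client_mac])
        else:
            self.client_port[m.client_mac] = m.in_port  # remember where the client sits
        return "forward"

    def add_static(self, ip: str, mac: str, port: str) -> None:
        """Static entry for a host with a fixed address (cf. dhcp-security static)."""
        self.bindings[ip] = (mac, port)

    def check(self, src_ip: str, src_mac: str, in_port: str,
              mode: str = "port+ip+mac") -> bool:
        """Binding check for client IP traffic in one of the supported modes."""
        if mode == "port+mac":
            return (src_mac, in_port) in self.bindings.values()
        if src_ip not in self.bindings:
            return False
        mac, port = self.bindings[src_ip]
        return {"port+ip": in_port == port,
                "ip+mac": src_mac == mac,
                "port+ip+mac": in_port == port and src_mac == mac}[mode]


def scenario():
    """Client on e0/5, real server behind e0/1, rogue server on e0/7 (constructed)."""
    snoop = DhcpSnooping(trusted_ports={"e0/1"})
    client = "00:e0:fc:aa:bb:01"
    results = [
        snoop.process(DhcpMsg("e0/5", DISCOVER, client)),
        snoop.process(DhcpMsg("e0/7", OFFER, client, "192.168.1.200")),  # rogue reply
        snoop.process(DhcpMsg("e0/1", OFFER, client, "10.0.0.20")),
        snoop.process(DhcpMsg("e0/5", REQUEST, client)),
        snoop.process(DhcpMsg("e0/1", ACK, client, "10.0.0.20")),
    ]
    snoop.add_static("10.0.0.9", "00:e0:fc:aa:bb:09", "e0/9")   # fixed-address host
    return snoop, results


if __name__ == "__main__":
    s, r = scenario()
    print(r, s.bindings)
    print(s.check("10.0.0.20", "00:e0:fc:aa:bb:01", "e0/5"))           # legitimate
    print(s.check("10.0.0.20", "00:e0:fc:aa:bb:02", "e0/5", "ip+mac"))  # MAC mismatch
```

The rogue OFFER on e0/7 is the only message dropped; everything the client sends is forwarded because client-to-server messages are expected on untrusted ports. The check() method then answers the binding question for the four modes listed above, which is where the "huge workload" comment comes from: every host that is not learned through a trusted server's ACK has to be entered by hand.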
ACL (Access Control List) Technology
To filter the packets that pass through a network device, you configure a series of matching rules that identify the objects to be filtered. Only once a particular object has been identified can the device permit or deny the corresponding packets according to a preset policy. Access control lists (ACLs) implement this: an ACL classifies packets by a set of matching conditions such as source address, destination address and port number. The ACL is applied globally or to a port of the switch; the switch checks each packet against the conditions in the ACL and decides whether to forward or discard it. Access control lists fall into the following types.
Basic access control list: rules are defined on the Layer 3 source IP address alone, and packets are processed accordingly.
Advanced access control list: classification rules are defined on the source IP address, destination IP address, TCP or UDP port number, packet priority and other packet attributes, and packets are processed accordingly. Advanced ACLs can evaluate three kinds of packet priority: TOS (Type of Service) priority, IP precedence and DSCP priority.
Layer 2 access control list: rules are defined on the source MAC address, source VLAN ID, Layer 2 protocol type, Layer 2 receiving port, Layer 2 forwarding port and destination MAC address, and frames are processed accordingly.
User-defined access control list: matches any of the first 80 bytes of the Layer 2 frame according to a user-supplied definition and processes packets accordingly. Using a user-defined ACL correctly requires a thorough understanding of the structure of Layer 2 frames.
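The three rule-based ACL types above differ only in which fields they inspect; the matching logic is the same first-match walk over an ordered rule list. The following added example models that logic over constructed packets. It is written for this article and is not Quidway code: the rule syntax is simplified, wildcard masks follow the usual convention that a 1 bit means "ignore this bit", and the behaviour when no rule matches (here, permit) is an assumption of the model rather than a statement about the switch.

```python
"""First-match evaluation of basic, advanced and Layer 2 ACL rules over
constructed packets. Illustrative model, not Quidway code; rule syntax is
simplified and the no-match default is an assumption."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def ip2int(s: str) -> int:
    a, b, c, d = (int(x) for x in s.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard-mask comparison: bits set in the wildcard are ignored."""
    w = ip2int(wildcard)
    return (ip2int(addr) | w) == (ip2int(network) | w)


@dataclass
class Packet:
    src_mac: str = ""
    dst_mac: str = ""
    vlan: int = 0
    ethertype: int = 0x0800
    src_ip: str = "0.0.0.0"
    dst_ip: str = "0.0.0.0"
    proto: str = "ip"         # "tcp", "udp", "icmp", ...
    src_port: int = 0
    dst_port: int = 0
    dscp: int = 0


@dataclass
class Rule:
    action: str                                  # "permit" or "deny"
    src: Optional[Tuple[str, str]] = None        # (network, wildcard): basic/advanced
    dst: Optional[Tuple[str, str]] = None        # advanced only
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    dscp: Optional[int] = None
    src_mac: Optional[str] = None                # Layer 2 fields
    vlan: Optional[int] = None
    ethertype: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """A rule matches when every field it specifies matches the packet."""
        return all([
            self.src is None or wildcard_match(p.src_ip, *self.src),
            self.dst is None or wildcard_match(p.dst_ip, *self.dst),
            self.proto is None or self.proto == p.proto,
            self.dst_port is None or self.dst_port == p.dst_port,
            self.dscp is None or self.dscp == p.dscp,
            self.src_mac is None or self.src_mac.lower() == p.src_mac.lower(),
            self.vlan is None or self.vlan == p.vlan,
            self.ethertype is None or self.ethertype == p.ethertype,
        ])


@dataclass
class Acl:
    rules: List[Rule] = field(default_factory=list)
    default: str = "permit"      # assumed behaviour when nothing matches

    def evaluate(self, p: Packet) -> str:
        for r in self.rules:               # first matching rule wins
            if r.matches(p):
                return r.action
        return self.default


# Basic ACL: deny everything sourced from 10.1.1.0/24 (wildcard 0.0.0.255)
basic = Acl([Rule("deny", src=("10.1.1.0", "0.0.0.255"))])
# Advanced ACL: permit DNS to the internal resolver 10.0.0.53, deny other UDP
advanced = Acl([
    Rule("permit", proto="udp", dst=("10.0.0.53", "0.0.0.0"), dst_port=53),
    Rule("deny", proto="udp"),
])
# Layer 2 ACL: deny a particular source MAC inside VLAN 10 (constructed MAC)
l2 = Acl([Rule("deny", src_mac="00:11:22:33:44:55", vlan=10)])


def classify(p: Packet) -> dict:
    """Run one packet through all three example ACLs."""
    return {"basic": basic.evaluate(p), "advanced": advanced.evaluate(p),
            "l2": l2.evaluate(p)}


if __name__ == "__main__":
    print(classify(Packet(src_ip="10.1.1.77", dst_ip="10.0.0.53", proto="udp", dst_port=53)))
    print(classify(Packet(src_ip="10.1.2.5", dst_ip="8.8.8.8", proto="udp", dst_port=53)))
    print(classify(Packet(src_mac="00:11:22:33:44:55", vlan=10, proto="tcp")))
```

Rule order matters exactly as it does on the switch: in the advanced ACL the permit for the internal resolver must precede the blanket UDP deny, otherwise the first match would discard DNS as well.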
Access control lists are widely used on network devices. The following steps are recommended for configuring and enabling an access control list; the first two steps are optional, and default values are used if they are skipped.
(1) Configure the time period
In the system view