3com 8807 Betriebsanweisung
230
C
HAPTER
25: 802.1
X
C
ONFIGURATION
Packet Attack
Prevention
Configuration
Prevention
Configuration
With the expansion of Internet scale and the increase of Internet users, the
possibility that networking equipment gets attacked is increasing. Specific to some
typical attack modes, the Switch 8800 Family series switches provides a series of
schemes of preventing attacks against packets to protect the networking
equipment against attacked from IP, ARP, 802.1x and unknown multicast packets.
possibility that networking equipment gets attacked is increasing. Specific to some
typical attack modes, the Switch 8800 Family series switches provides a series of
schemes of preventing attacks against packets to protect the networking
equipment against attacked from IP, ARP, 802.1x and unknown multicast packets.
■
IP Packet attack: It refers to such a situation that the Switch 8800 Family switch
receives too many IP packets whose destination addresses and VLAN interface
addresses are within the same network segment, while the corresponding
forwarding entries do not exist on the switch. Such packets will be delivered to
the CPU for processing. They occupy lots of CPU resources, and even affect the
forwarding of normal packets.
receives too many IP packets whose destination addresses and VLAN interface
addresses are within the same network segment, while the corresponding
forwarding entries do not exist on the switch. Such packets will be delivered to
the CPU for processing. They occupy lots of CPU resources, and even affect the
forwarding of normal packets.
■
ARP packet attack: It refers to such a situation that the Switch 8800 Family
switch receives a large number of ARP request packets with the same or similar
source MAC addresses. These packets affect the normal ARP learning.
switch receives a large number of ARP request packets with the same or similar
source MAC addresses. These packets affect the normal ARP learning.
■
802.1x packet attack: It refers to such a situation that the Switch 8800 Family
switch receives a large number of 8021.x authentication packets with the same
or similar source MAC addresses. These packets largely occupy the CPU
resources.
switch receives a large number of 8021.x authentication packets with the same
or similar source MAC addresses. These packets largely occupy the CPU
resources.
Perform the following configuration in system view.
By default, IP packet attack prevention is enabled while ARP packet attack
prevention and dot1x packet attack prevention are disabled by default.
prevention and dot1x packet attack prevention are disabled by default.
802.1x Configuration
Example
Example
Network requirements
As shown in Figure 59, the workstation of a user is connected to the port Ethernet
3/1/1 of the Switch.
3/1/1 of the Switch.
The switch administrator will enable 802.1x on all the ports to authenticate the
supplicants so as to control their access to the Internet. The access control mode is
configured as based on the MAC address
supplicants so as to control their access to the Internet. The access control mode is
configured as based on the MAC address
All the supplicants belong to the default domain 3Com163.net, which can contain
up to 30 users. RADIUS authentication is performed first. If there is no response
from the RADIUS server, local authentication will be performed. For accounting, if
the RADIUS server fails to account, the user will be disconnected. In addition,
up to 30 users. RADIUS authentication is performed first. If there is no response
from the RADIUS server, local authentication will be performed. For accounting, if
the RADIUS server fails to account, the user will be disconnected. In addition,
Enable the error/event/packet/all debugging
of 802.1x
of 802.1x
debugging dot1x { error | event | packet |
all }
all }
Disable the error/event/packet/all debugging
of 802.1x.
of 802.1x.
undo debugging dot1x { error | event |
packet | all }
packet | all }
Table 195 Display and debug 802.1x
Operation Command
Table 196 Enable/disable packet attack prevention
Operation
Command
Enable/Disable packet attack prevention
anti-attack { arp | dot1x | ip } { disable |
enable }
enable }