linyonghang1@ru Publish time 2023-8-15 11:02:55

How to configure NFPP on Ruijie Switch?

You can configure NFPP on Ruijie Switch as follows:

1. Networking requirements:

The core device is connected to 3000 users. One port supports a maximum of 200 users. The access switch supports a maximum of 200 users. Each port supports a maximum of 6 users. To prevent unauthorized attacks from occupying switch CPU resources, you need to adjust NFPP parameters to prevent attacks.

2. Networking topology:

[Image: networking topology diagram]

3. Configuration points:

1) Adjust the NFPP parameters on the access switch as required. Because DAI is enabled on the access switch, ARP packets sent from the gateway to the access switch must be sent to the CPU for processing. To prevent normal ARP packets from being discarded by NFPP, disable NFPP on the uplink interface and raise the CPP rate limit of the access switch (the default limit of 180 pps is too low in a DAI scenario).

2) Adjust the per-port rate-limit and attack-detection parameters of NFPP on the core switch according to the number of users behind the core.

3) To avoid excessive logs generated by NFPP, adjust the log printing rate with the commands below.

4. Configuration procedure:

Access switch configuration:

1)Configure the anti-ARP spoofing function on the switch

Ruijie>en
Ruijie#configure terminal
Ruijie(config)#vlan 10
Ruijie(config-vlan)#exit
Ruijie(config)#ip arp inspection vlan 10 ------> Enable DAI in VLAN 10
Ruijie(config)#ip dhcp snooping ------> DAI validates ARP packets against the DHCP snooping binding table
Ruijie(config)#interface gigabitEthernet 0/25 ------> Uplink to the gateway
Ruijie(config-if-GigabitEthernet 0/25)#switchport mode trunk
Ruijie(config-if-GigabitEthernet 0/25)#ip dhcp snooping trust
Ruijie(config-if-GigabitEthernet 0/25)#ip arp inspection trust ------> ARP packets from the gateway side are not inspected
Ruijie(config-if-GigabitEthernet 0/25)#exit
Ruijie(config)#interface range fastEthernet 0/1-24 ------> User-facing access ports
Ruijie(config-if-range)#switchport access vlan 10
Ruijie(config-if-range)#end
Ruijie#

2) Function configuration of NFPP:

a) Global NFPP configuration

NFPP is enabled on the switch by default. On the Layer 2 access switch you do not need to adjust the NFPP parameters; you only need to disable NFPP on the uplink port.

Ruijie(config)#cpu-protect type arp pps 500 ------> Raise the CPP rate limit for ARP packets to 500 pps (CPP does not need to be adjusted if DAI is not used)

The global NFPP parameters are as follows:

Ruijie(config-nfpp)#log-buffer entries 1024 ------> Set the NFPP log buffer to 1024 entries (default: 256)
Ruijie(config-nfpp)#log-buffer logs 1 interval 300 ------> To avoid generating too many NFPP logs, print the same log message at most once every 300 seconds
Ruijie(config-nfpp)#exit
Ruijie(config)#

b) NFPP configuration of the uplink interface

To prevent large numbers of normal packets (especially ARP requests or replies from the gateway) from being mistaken for attack packets and discarded by the access switch, which would leave downstream users unable to learn the gateway's ARP entry and unable to access the Internet, disable NFPP on the uplink interface:

Ruijie(config)#int g0/25
Ruijie(config-if-GigabitEthernet 0/25)#no nfpp arp-guard enable ------> Disable arp-guard on the interface. Incoming packets on this interface are no longer checked by NFPP arp-guard
Ruijie(config-if-GigabitEthernet 0/25)#no nfpp dhcp-guard enable ------> Disable dhcp-guard on the interface
Ruijie(config-if-GigabitEthernet 0/25)#no nfpp dhcpv6-guard enable ------> Disable dhcpv6-guard on the interface
Ruijie(config-if-GigabitEthernet 0/25)#no nfpp icmp-guard enable ------> Disable icmp-guard on the interface
Ruijie(config-if-GigabitEthernet 0/25)#no nfpp ip-guard enable ------> Disable ip-guard on the interface
Ruijie(config-if-GigabitEthernet 0/25)#no nfpp nd-guard enable ------> Disable nd-guard on the interface. With all guards disabled, NFPP performs no detection on packets entering this interface
Ruijie(config-if-GigabitEthernet 0/25)#exit
Ruijie(config)#

Core switch NFPP configuration:

Only the following adjustments are required:

Ruijie(config)#nfpp
Ruijie(config-nfpp)#arp-guard attack-threshold per-port 800 ------> Set the per-port attack threshold to 800 pps. Above this threshold packets are discarded and an attack log is printed
Ruijie(config-nfpp)#arp-guard rate-limit per-port 500 ------> Allow 500 ARP packets per second per port; excess ARP packets are discarded (default: 100)
Ruijie(config-nfpp)#log-buffer entries 1024 ------> Set the NFPP log buffer to 1024 entries (default: 256)
Ruijie(config-nfpp)#log-buffer logs 1 interval 300 ------> Print the same log message at most once every 300 seconds
Ruijie(config-nfpp)#exit
Ruijie(config)#

If hardware isolation needs to be enabled, raise the rate-limit and attack-detection thresholds to prevent false detection.

Note:

You are not advised to enable the isolation function. On an aggregation device, if frequent user attacks drive CPU usage to 90% or higher, enable hardware isolation and raise the attack detection thresholds to prevent false detection. Do not enable NFPP hardware isolation on access devices, because isolation cuts the affected users off from the Internet.

Ruijie(config)#nfpp ------> Enter NFPP configuration mode
Ruijie(config-nfpp)#arp-guard isolate-period 600 ------> Isolate users who exceed the ARP attack threshold; set the isolation period to 600 seconds
Ruijie(config-nfpp)#arp-guard attack-threshold per-src-mac 30 ------> Set the per-source-MAC attack threshold to 30. If the switch detects more than 30 ARP packets per second from one MAC address, it adds the user to the ARP attack table and isolates the user in hardware (no hardware isolation by default; isolation happens only once an isolation period is set; default per-MAC threshold: 8)
Ruijie(config-nfpp)#arp-guard attack-threshold per-src-ip 30 ------> Set the per-source-IP attack threshold to 30. If the switch detects more than 30 ARP packets per second from one IP address, it adds the user to the ARP attack table and isolates the user in hardware (no hardware isolation by default; isolation happens only once an isolation period is set; default per-IP threshold: 8)
Ruijie(config-nfpp)#arp-guard rate-limit per-src-mac 20 ------> Allow 20 ARP packets per second per source MAC; excess ARP packets are discarded (default: 4)
Ruijie(config-nfpp)#arp-guard rate-limit per-src-ip 20 ------> Allow 20 ARP packets per second per source IP; excess ARP packets are discarded (default: 4)
Ruijie(config-nfpp)#ip-guard attack-threshold per-src-ip 80 ------> Set the IP-guard attack threshold to 80 pps per source IP
Ruijie(config-nfpp)#ip-guard isolate-period 600 ------> Isolate users who exceed the IP attack threshold; set the isolation period to 600 seconds
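The interaction between rate-limit, attack-threshold and isolate-period described above, shown as an added Python model run over a constructed ARP trace. This is example code written for this page, not Ruijie's implementation: it assumes per-source-MAC counting in one-second windows, that packets above the rate limit are dropped while the host stays online, that a host exceeding the attack threshold is entered in the attack table and (only when an isolation period is set) has all further packets dropped for that period, and that the attack threshold is never set below the rate limit. It compares the default values quoted on this page (4 pps / 8 pps, no isolation) with the core switch values configured above (20 pps / 30 pps / 600 s), which shows why the defaults would flag a merely chatty 25 pps host.

```python
"""Simplified model of NFPP arp-guard per-source-MAC behaviour.
Added example for this page, not Ruijie's implementation."""
from dataclasses import dataclass, field


@dataclass
class ArpGuardPolicy:
    rate_limit: int = 4        # per-src-mac pps allowed to reach the CPU (page: default 4)
    attack_threshold: int = 8  # per-src-mac pps above which the host is logged as attacking (page: default 8)
    isolate_period: int = 0    # seconds of hardware isolation; 0 = never isolate (page: default off)

    def validate(self):
        # Assumption of this model: a threshold below the rate limit makes no sense,
        # because packets are already being dropped before the threshold is reached.
        if self.attack_threshold < self.rate_limit:
            raise ValueError("attack-threshold must not be lower than rate-limit")


@dataclass
class ArpGuardState:
    to_cpu: int = 0                                  # packets that were allowed through to the CPU
    dropped: int = 0                                 # packets discarded (rate limit or isolation)
    attack_table: set = field(default_factory=set)   # MACs that exceeded the attack threshold
    isolated_until: dict = field(default_factory=dict)  # mac -> first second it is no longer isolated


def apply_second(policy, state, second, pps_by_mac):
    """Process one second of ARP traffic; pps_by_mac maps source MAC -> packets this second."""
    for mac, n in pps_by_mac.items():
        if state.isolated_until.get(mac, 0) > second:
            state.dropped += n   # isolated host: hardware discards everything, nothing reaches the CPU
            continue
        allowed = min(n, policy.rate_limit)
        state.to_cpu += allowed
        state.dropped += n - allowed
        if n > policy.attack_threshold:
            state.attack_table.add(mac)
            if policy.isolate_period > 0:
                state.isolated_until[mac] = second + policy.isolate_period


def simulate(policy, trace, seconds):
    """Run the policy over a trace of {mac: function(second) -> packets} for the given duration."""
    policy.validate()
    state = ArpGuardState()
    for second in range(seconds):
        apply_second(policy, state, second, {mac: rate(second) for mac, rate in trace.items()})
    return state


# Constructed trace (hypothetical MACs): a normal host at 2 pps, a chatty host at 25 pps
# (for example many VLAN interfaces behind one MAC), and a flooding host at 50 pps.
TRACE = {
    "0000.0000.0001": lambda s: 2,
    "0000.0000.0002": lambda s: 25,
    "0000.0000.0003": lambda s: 50,
}

DEFAULT_POLICY = ArpGuardPolicy()                                              # page defaults
CORE_POLICY = ArpGuardPolicy(rate_limit=20, attack_threshold=30, isolate_period=600)  # page's core settings

if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY), ("core", CORE_POLICY)):
        st = simulate(policy, TRACE, 60)
        print(f"{name:8s} to_cpu={st.to_cpu} dropped={st.dropped} "
              f"attack_table={sorted(st.attack_table)} isolated={sorted(st.isolated_until)}")
```

With the default policy both the 25 pps and the 50 pps hosts land in the attack table, which is the "false detection" the page warns about when thresholds are left at their defaults in a large network; with the core policy only the 50 pps host is flagged and isolated, and the chatty host merely loses the packets above 20 pps.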

5. Functional verification

1) Check the global configuration of ARP-guard. (The thresholds vary according to the software version.)

[Image: ARP-guard global configuration output]

2) View the ARP-guard scan table:

[Image: ARP-guard scan table output]

3) View the users isolated by ARP-guard:

[Image: ARP-guard isolated hosts output]

4) View the users in the log buffer:

[Image: NFPP log buffer output]

6. Common NFPP log messages

1) *Dec 26 13:37:10:%NFPP_ARP_GUARD-4-SCAN: Host<IP=1.1.1.1,MAC=0000.0000.0004,port=Gi4/1,VLAN=1> was detected.(2012-12-26 13:00:04)

a. The time in the trailing parentheses is when the scan was detected and the event generated; the time the log was printed is the timestamp at the start of the entry.

b. This log is an alarm that the arp-guard rate-limit (per-src-mac or per-src-ip) was exceeded; it carries the MAC address, port and VLAN of the host.

c. This log is only a reminder; the host is not isolated. When many virtual machines sit behind the gateway device, such logs may be reported frequently. If applications are affected or the information is abnormal (for example, the reported IP address does not exist), consider the possibility of attacks or spoofing.

d. Run the "show nfpp arp-guard scan/hosts" commands to view the records of users that reached the alarm threshold and the attack threshold.

2) *Dec 26 13:46:10:%NFPP_ARP_GUARD-4-SCAN_TABLE_FULL: ARP scan table is full.

a. The ARP scan table keeps only the latest 256 entries. When it is full, the system prints this log to notify the administrator; no action is required.

b. The scan table is only where NFPP logs are stored; when it is full, new logs overwrite the oldest ones.

c. Run the "clear nfpp log" command to clear the dedicated buffer without affecting the storage of other logs.

d. You can reduce the printing frequency by enlarging the NFPP log buffer and adjusting the print interval:

Ruijie(config)#nfpp
Ruijie(config-nfpp)#log-buffer entries 1024 ------> Set the NFPP log buffer capacity to 1024 entries
Ruijie(config-nfpp)#log-buffer logs 1 interval 300 ------> To avoid generating too many NFPP logs, print the same log message at most once every 300 seconds

3) *Dec 26 13:55:10:%NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1> was detected.(2012-12-26 13:43:04)

a. The device detected an ARP attack: the per-src-mac attack threshold reached its alarm value, and the device recorded the user's MAC, port and VLAN.

b. This message is also only a reminder; no hardware isolation is performed, but the packets exceeding the threshold are discarded by the device, protecting the CPU.

c. If all the hosts reported are legitimate users and the administrator cannot confirm an attack, consider whether the number of users or the traffic volume is simply large; in that case the arp-guard parameters may need to be adjusted to reasonable values.

d. Run the "show nfpp arp-guard scan/hosts" commands to view the records of users that reached the alarm threshold and the attack threshold.

4) *Dec 26 14:19:10:%NFPP_ARP_GUARD-4-ISOLATED:Host <IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1> was isolated.(2012-12-26 14:19:0)

a. The administrator has configured hardware isolation. The user is isolated for the isolate-period; during this period all packets from the user are discarded in hardware and do not reach the CPU.

b. Run the "show nfpp arp-guard hosts" command to view isolated users. Entries not marked with an asterisk (*) were isolated successfully.

5) *Dec 26 14:23:10:%NFPP_ARP_GUARD-4-ISOLATE_FAILED: Failed to isolate host <IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1>.(2012-12-26 14:22:50)

a. This log is printed when hardware isolation fails (usually because memory or hardware resources are insufficient).

b. Hardware isolation consumes ACL slice resources: each isolated user occupies one ACE, and the whole device supports at most 254 hardware-isolated hosts. This limit cannot be adjusted.
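A parser and triage helper for the five NFPP_ARP_GUARD message types listed in this section, as an added Python example written for this page (not Ruijie code). The message layout is inferred from the sample lines above: the leading timestamp is the print time, the parenthesised one is the detection time (it may be missing, and its seconds field may be a single digit), and the host block carries IP, MAC, port and VLAN. The meaning attached to each mnemonic comes from the notes above; the sample log embedded below reuses the page's five lines plus one constructed non-NFPP line that the parser must ignore, and the 254-host isolation limit is the figure stated in 5b.

```python
"""Parse NFPP_ARP_GUARD syslog lines and summarise them for an operator.
Added example for this page, not Ruijie code."""
import re
from collections import Counter, defaultdict

HW_ISOLATION_LIMIT = 254  # page: at most 254 hardware-isolated hosts per device (one ACE each)

# "*Dec 26 13:37:10:%NFPP_ARP_GUARD-4-SCAN: <body>(2012-12-26 13:00:04)"
MSG_RE = re.compile(
    r"^\*?(?P<printed>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}):"
    r"%(?P<facility>NFPP_[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+):"
    r"\s*(?P<body>.*?)"
    r"(?:\((?P<event_time>\d{4}-\d{2}-\d{2} \d{1,2}:\d{1,2}:\d{1,2})\))?\s*$"
)
HOST_RE = re.compile(r"<IP=(?P<ip>[^,]+),MAC=(?P<mac>[^,]+),port=(?P<port>[^,]+),VLAN=(?P<vlan>[^>]+)>")

# Operator meaning of each mnemonic, taken from section 6 of the page.
MEANING = {
    "SCAN": "rate-limit alarm only: excess packets dropped, host not isolated",
    "SCAN_TABLE_FULL": "scan table (256 entries) wrapped, oldest entries overwritten; no action required",
    "DOS_DETECTED": "attack threshold reached: excess packets dropped, host not isolated",
    "ISOLATED": "hardware isolation active for isolate-period; all packets from the host dropped",
    "ISOLATE_FAILED": "isolation could not be installed (memory or ACE resources exhausted)",
}


def parse_nfpp_line(line):
    """Return a record dict for an NFPP message, or None for any other syslog line."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "printed": m["printed"], "facility": m["facility"], "severity": int(m["severity"]),
        "mnemonic": m["mnemonic"], "event_time": m["event_time"],
        "ip": None, "mac": None, "port": None, "vlan": None,
        "meaning": MEANING.get(m["mnemonic"], "unknown NFPP message"),
    }
    h = HOST_RE.search(m["body"])
    if h:
        rec.update(h.groupdict())
        if rec["ip"] == "N/A":   # per-src-mac detections carry no IP address
            rec["ip"] = None
    return rec


def summarize(text):
    """Aggregate syslog text: counts per mnemonic, per-host timeline, hosts whose
    isolation failed, and how many hardware isolation slots are still free."""
    counts = Counter()
    per_host = defaultdict(list)
    failures = set()
    for line in text.splitlines():
        rec = parse_nfpp_line(line)
        if rec is None:
            continue
        counts[rec["mnemonic"]] += 1
        if rec["mac"]:
            key = (rec["mac"], rec["port"])
            per_host[key].append((rec["mnemonic"], rec["event_time"] or rec["printed"]))
            if rec["mnemonic"] == "ISOLATE_FAILED":
                failures.add(key)
    return {
        "counts": dict(counts),
        "per_host": dict(per_host),
        "isolation_failures": failures,
        "isolation_headroom": HW_ISOLATION_LIMIT - counts["ISOLATED"],
    }


# Constructed sample: the page's five NFPP lines plus one unrelated line that must be ignored.
SAMPLE_LOG = """\
*Dec 26 13:37:10:%NFPP_ARP_GUARD-4-SCAN: Host<IP=1.1.1.1,MAC=0000.0000.0004,port=Gi4/1,VLAN=1> was detected.(2012-12-26 13:00:04)
*Dec 26 13:46:10:%NFPP_ARP_GUARD-4-SCAN_TABLE_FULL: ARP scan table is full.
*Dec 26 13:55:10:%NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1> was detected.(2012-12-26 13:43:04)
*Dec 26 14:19:10:%NFPP_ARP_GUARD-4-ISOLATED:Host <IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1> was isolated.(2012-12-26 14:19:0)
*Dec 26 14:23:10:%NFPP_ARP_GUARD-4-ISOLATE_FAILED: Failed to isolate host <IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1>.(2012-12-26 14:22:50)
*Dec 26 14:25:00:%SYS-5-CONFIG_I: Configured from console by console
"""

if __name__ == "__main__":
    for rec in filter(None, map(parse_nfpp_line, SAMPLE_LOG.splitlines())):
        print(rec["printed"], rec["mnemonic"], rec["mac"], rec["port"], "-", rec["meaning"])
    print(summarize(SAMPLE_LOG))
```

Feeding a day of switch syslog into summarize() gives the per-host timeline that the notes above suggest checking by hand with "show nfpp arp-guard scan/hosts": a host that cycles through SCAN, DOS_DETECTED and ISOLATED is a candidate for investigation, an ISOLATE_FAILED entry means the device is out of isolation resources, and a flood of SCAN entries across many legitimate hosts is the signal that the thresholds, not the hosts, need adjusting.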
