Creating a Router

Add a router to associate with the AntiDDoS1820-N.

Prerequisites

  • The IP address of the router is known.
  • The ATIC can communicate with the router. The router can be accessed by the administrator over the network and can be pinged from the ATIC.

    If the device cannot be pinged, the "Network is unreachable" message is displayed during device creation.

Procedure

  1. Choose Defense > Network Settings > Devices.
  2. Click .

  3. In the Basic Information area, set the router name and IP address, and set Device Type to Route.
  4. Set flow parameters. For details about the parameters, see Table 1.

    Table 1 Description of flow parameters

    Flow source address IP
      Description: IP address of the router interface from which the source device sends its flow records (NetFlow/NetStream packets) to the AntiDDoS1820-N.
      Recommended value: -

    Destination port number
      Description: UDP port on the AntiDDoS1820-N to which the source device sends its flow records.
      Recommended value: 9996

    Sample ratio model
      Description: How the sampling ratio is obtained. Currently the ratio can only be set manually; it is not learned from the exported records.
      Recommended value: -

    Sampling rate
      Description: Packet sampling ratio configured on the source device, expressed as 1:N: one out of every N packets is sampled. The byte and packet counters in the received records are multiplied by this value to estimate the real traffic volume, so it must be the same as the ratio configured on the router.
      Recommended value: An integer from 1 to 65535.

    Template aging time
      Description: NetFlow v9 and NetStream v9 records have no fixed layout. Each data record is parsed according to the template (field list) that the exporter sends separately, so a received template must be cached. This parameter sets how long a cached template remains valid; after it expires, data records that reference the template cannot be parsed until the router sends the template again.
      Recommended value: -

  5. Set SNMP parameters.

    SNMP parameters are optional. If you do not set SNMP parameters, router monitoring and synchronization of router and AntiDDoS data on the ATIC may be affected.

    • When you select SNMPv2c, set the read and write community names.

      Read community is the name of a read-only community. Write community is the name of a read-write community. Both are carried in clear text in every SNMPv2c packet, so anyone who can capture management traffic learns them.

    • When you select SNMPv3, set the parameters described in Table 2.
      • SNMPv2c has no authentication or encryption beyond the community string and is insecure compared with SNMPv3. SNMPv3 is therefore recommended.
      • When you select SNMPv3, do not grant the same SNMPv3 user group access at several security levels (for example, both authentication with encryption and no authentication). If a lower level is also permitted, a client can use it and bypass authentication.
      • The Username, Environment name, Environment engine ID, Data encryption protocol, Data encryption password, Authentication protocol and Authentication password parameters are available only when the type is SNMPv3.
      Table 2 SNMPv3 template parameters

      Username
        Description: SNMPv3 user name (USM user) used for accessing the source device.
        Recommended value: -

      Environment name
        Description: Name of the SNMPv3 context (the environment engine) to be queried.
        Recommended value: The same as the environment (context) name on the source device, or left blank.

      Environment engine ID
        Description: Unique identifier of the SNMP engine (the context engine ID). Together with the environment name it identifies the SNMP entity. SNMPv3 authentication and encryption keys are localized with this ID, so an SNMP message is processed only when the sender and the recipient use the same engine ID; otherwise the message is discarded.
        Recommended value: The same as the environment engine ID on the source device.

      Authentication protocol
        Description: Protocol used to verify the integrity and origin of messages. The value can be HMACMD5, HMACSHA or no protocol. If HMACMD5 or HMACSHA is selected, you must also set the authentication password. The password must meet the minimum complexity requirement: it must contain letters, digits (0 to 9) and special characters (such as ! # $ %), and you must change it periodically.
        Recommended value: Select the authentication protocol as required.
          • HMACMD5: a keyed hash (HMAC) over the message using MD5. It produces a 128-bit digest, of which 96 bits are carried in the message.
          • HMACSHA: HMAC using SHA-1. It produces a 160-bit digest (for messages shorter than 2^64 bits), of which 96 bits are carried in the message. It is more secure than HMACMD5.
          NOTE: Using HMAC-MD5 or no authentication protocol brings security risks. HMAC-SHA is more secure and therefore recommended.

      Authentication password
        Description: Required when an authentication protocol is used to verify messages. The password must meet the minimum complexity requirement: it must contain letters, digits (0 to 9) and special characters (such as ! # $ %), and you must change it periodically.
        Recommended value: -

      Data encryption protocol
        Description: Protocol used to encrypt the payload of SNMP messages. The value can be DES, AES128, AES256 or no encryption. If DES, AES128 or AES256 is selected, you must also set the data encryption password. The password must meet the minimum complexity requirement: it must contain letters, digits (0 to 9) and special characters (such as ! # $ %), and you must change it periodically.
        Recommended value: Select the encryption protocol as required.
          • DES: Data Encryption Standard, a legacy block cipher with a 56-bit key.
          • AES128: Advanced Encryption Standard with a 128-bit key.
          • AES256: Advanced Encryption Standard with a 256-bit key.
          NOTE: Using DES or no encryption protocol brings security risks. The more secure AES128 and AES256 data encryption protocols are recommended.
          The encryption protocol configured on the ATIC must be the same as the one configured on the source device (the router being added); otherwise the two sides cannot decrypt each other's messages.

      Data encryption password
        Description: Required when an encryption protocol is used to encrypt the payload. The password must meet the minimum complexity requirement: it must contain letters, digits (0 to 9) and special characters (such as ! # $ %), and you must change it periodically.
        Recommended value: -
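      As an added example (not from the Huawei documentation and not ATIC code), the following Python shows what the Username, Authentication protocol, Authentication password and Environment engine ID rows mean on the wire: the USM password-to-key and key-localization steps of RFC 3414, the 96-bit HMAC tag, and why a message is discarded when the engine ID, the protocol or the message itself does not match. The engine ID and the password "maplesyrup" are the RFC 3414 appendix A.3 test values (the password deliberately does not meet the complexity rule above, so that the derived keys can be checked against the RFC); the message bytes are a constructed stand-in, not a BER-encoded SNMP PDU.

```python
import hashlib
import hmac

# Authentication protocols offered by the SNMPv3 template, mapped to the hash USM uses for them
AUTH_PROTOCOLS = {"HMACMD5": hashlib.md5, "HMACSHA": hashlib.sha1}
AUTH_PARAMS_LEN = 12  # RFC 3414: both HMAC-MD5-96 and HMAC-SHA-96 truncate the tag to 96 bits


def password_to_key(password, digest):
    """RFC 3414 A.2: hash the password repeated out to 1 MiB (Ku); the 1 MiB makes guessing slower."""
    pw = password.encode()
    return digest((pw * (1048576 // len(pw) + 1))[:1048576]).digest()


def localize_key(ku, engine_id, digest):
    """RFC 3414 2.6: Kul = H(Ku || engineID || Ku), so the key is only valid for that one engine."""
    return digest(ku + engine_id + ku).digest()


def auth_params(protocol, password, engine_id, whole_msg):
    """msgAuthenticationParameters for whole_msg (serialised with that field set to 12 zero bytes)."""
    digest = AUTH_PROTOCOLS[protocol]
    kul = localize_key(password_to_key(password, digest), engine_id, digest)
    return hmac.new(kul, whole_msg, digest).digest()[:AUTH_PARAMS_LEN]


def verify(protocol, password, engine_id, whole_msg, received):
    """Receiver side: recompute the tag with its own engine ID and compare in constant time."""
    return hmac.compare_digest(auth_params(protocol, password, engine_id, whole_msg), received)


# Constructed inputs. The engine ID is the sample value from RFC 3414 appendix A.3; the message is a
# stand-in for a BER-encoded SNMPv3 GET whose msgAuthenticationParameters field is zeroed.
ROUTER_ENGINE_ID = bytes.fromhex("000000000000000000000002")
MISTYPED_ENGINE_ID = bytes.fromhex("000000000000000000000003")  # assumed typo on the ATIC side
SAMPLE_MSG = b"\x30\x2e\x02\x01\x03" + b"constructed-snmpv3-get-request" + b"\x00" * AUTH_PARAMS_LEN


def demo(password="maplesyrup"):
    """Returns (accepted, wrong engine ID, wrong protocol, tampered message)."""
    tag = auth_params("HMACSHA", password, ROUTER_ENGINE_ID, SAMPLE_MSG)  # what the ATIC sends
    return (
        verify("HMACSHA", password, ROUTER_ENGINE_ID, SAMPLE_MSG, tag),    # router: same engine ID
        verify("HMACSHA", password, MISTYPED_ENGINE_ID, SAMPLE_MSG, tag),  # engine ID mismatch
        verify("HMACMD5", password, ROUTER_ENGINE_ID, SAMPLE_MSG, tag),    # protocol mismatch
        verify("HMACSHA", password, ROUTER_ENGINE_ID, SAMPLE_MSG.replace(b"get", b"set"), tag),
    )
```

      The Data encryption password is turned into the privacy key by the same two steps, using the hash of the selected authentication protocol (RFC 3414 for DES, RFC 3826 for AES-128). That is why every row of Table 2, not only the passwords, must agree between the ATIC and the router: a different engine ID or protocol yields a different key, and the receiving side silently discards the message rather than reporting which field is wrong.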

  6. Set SNMP OID customization parameters.

    Different vendors expose CPU and memory usage under different SNMP MIB nodes, so the monitoring node must be customized per router. Here, the MIB nodes (OIDs) for monitoring the CPU and memory are entered.

    If the SNMP OIDs are not specified, the CPU usage and memory usage of the router cannot be monitored in Performance Monitor.

  7. Click OK to add a router.

    The successfully added router is displayed on the Devices page.

  8. Configure the router interface filtering function.

    1. On the Devices page, click corresponding to the router. The Modify Management Protocol page is displayed.
    2. On the Modify Management Protocol page, click the Flow parameter tab and configure the interface filtering function.

      On the live network, flow statistics collection is enabled on router interfaces by default, so the AntiDDoS1820-N may receive flows for the same traffic from several interfaces of one router and count it more than once. To prevent this, filter the router interfaces so that the AntiDDoS1820-N accepts flows only from the specified interface: after an interface index is added to Inbound Interface Index or Outbound Interface Index, only the flows that carry that interface index are processed. Set the interface index according to the actual conditions.

      Inbound Interface Index applies to the inbound defense scenario. Outbound Interface Index applies to the outbound defense scenario. Configure them according to the actual network deployment.

    3. Click Save Flow Source Configuration.
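    As an added example (not from the Huawei documentation and not the AntiDDoS1820-N's own collector), the following Python puts the flow parameters of Table 1 and the interface filter of step 8 into working code: a minimal NetFlow v9 collector that caches templates, ages them out after Template aging time, multiplies the counters by Sampling rate, and keeps only records whose INPUT_SNMP or OUTPUT_SNMP ifIndex matches the configured inbound or outbound interface index. Field type numbers follow RFC 3954; the sample packets are constructed in the block, not captured from a router; the filter semantics (keep everything when no index is configured, otherwise keep a record if either configured index matches) is this example's reading of step 8, not a statement of how the ATIC implements it.

```python
import socket
import struct

# NetFlow v9 field type numbers used below (RFC 3954, section 8)
IN_BYTES, IN_PKTS, PROTOCOL = 1, 2, 4
L4_SRC_PORT, IPV4_SRC_ADDR, INPUT_SNMP = 7, 8, 10
L4_DST_PORT, IPV4_DST_ADDR, OUTPUT_SNMP = 11, 12, 14
ADDRESS_FIELDS = {IPV4_SRC_ADDR, IPV4_DST_ADDR}
COUNTER_FIELDS = {IN_BYTES, IN_PKTS}  # scaled back up by the sampling rate


class NetFlowV9Collector:
    """Template cache and record decoder for one sampled NetFlow/NetStream v9 exporter."""
    def __init__(self, sampling_rate=1, template_aging=1800, inbound_ifindex=(), outbound_ifindex=()):
        self.sampling_rate = sampling_rate             # 1:N packet sampling set on the router
        self.template_aging = template_aging           # seconds a learned template stays valid
        self.inbound_ifindex = set(inbound_ifindex)    # accepted INPUT_SNMP (ifIndex) values
        self.outbound_ifindex = set(outbound_ifindex)  # accepted OUTPUT_SNMP (ifIndex) values
        self.templates = {}                            # (source_id, template_id) -> (fields, learned_at)
        self.dropped_no_template = 0                   # data FlowSets that had no valid template

    def feed(self, packet, now):
        """Decode one exported UDP payload received at time `now`; return the accepted records."""
        version, _cnt, _up, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError("not a NetFlow v9 packet")
        records, offset = [], 20
        while offset + 4 <= len(packet):
            flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
            if length < 4 or offset + length > len(packet):
                raise ValueError("malformed FlowSet length")  # never trust the length field
            body = packet[offset + 4:offset + length]
            if flowset_id == 0:                                # template FlowSet
                self._learn_templates(source_id, body, now)
            elif flowset_id >= 256:                            # data FlowSet
                records.extend(self._decode_data(source_id, flowset_id, body, now))
            offset += length                                   # options templates (id 1) are skipped
        return records

    def _learn_templates(self, source_id, body, now):
        pos = 0
        while pos + 4 <= len(body):
            template_id, field_count = struct.unpack("!HH", body[pos:pos + 4])
            fields = [struct.unpack("!HH", body[pos + 4 + 4 * i:pos + 8 + 4 * i])  # (type, length)
                      for i in range(field_count)]
            self.templates[(source_id, template_id)] = (fields, now)
            pos += 4 + 4 * field_count

    def _decode_data(self, source_id, template_id, body, now):
        entry = self.templates.get((source_id, template_id))
        if entry is None or now - entry[1] > self.template_aging:
            self.dropped_no_template += 1  # layout unknown or expired: the FlowSet is unparseable
            return []
        fields, _ = entry
        record_len = sum(length for _, length in fields)
        out, pos = [], 0
        while pos + record_len <= len(body):                   # leftover bytes are 4-byte padding
            record, cursor = {}, pos
            for ftype, length in fields:
                raw, cursor = body[cursor:cursor + length], cursor + length
                if ftype in ADDRESS_FIELDS and length == 4:
                    record[ftype] = socket.inet_ntoa(raw)
                else:
                    record[ftype] = int.from_bytes(raw, "big") * (self.sampling_rate if ftype in COUNTER_FIELDS else 1)
            pos += record_len
            # Interface filter: nothing configured keeps all; otherwise one configured ifIndex must match.
            if (not (self.inbound_ifindex or self.outbound_ifindex)
                    or record.get(INPUT_SNMP) in self.inbound_ifindex
                    or record.get(OUTPUT_SNMP) in self.outbound_ifindex):
                out.append(record)
        return out


# Constructed sample export (not a capture from a real router).
TEMPLATE_256 = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2), (L4_DST_PORT, 2),
                (PROTOCOL, 1), (INPUT_SNMP, 2), (OUTPUT_SNMP, 2), (IN_PKTS, 4), (IN_BYTES, 4)]
REC_UPLINK = {IPV4_SRC_ADDR: "198.51.100.7", IPV4_DST_ADDR: "203.0.113.10", L4_SRC_PORT: 40000,
              L4_DST_PORT: 80, PROTOCOL: 6, INPUT_SNMP: 3, OUTPUT_SNMP: 7, IN_PKTS: 2, IN_BYTES: 120}
REC_OTHER = {**REC_UPLINK, INPUT_SNMP: 5, OUTPUT_SNMP: 3}  # same flow exported again from another interface


def build_packet(source_id, template, records, seq):
    """Assemble a v9 packet: optional template FlowSet (id 0) plus a data FlowSet (id 256)."""
    flowsets = b""
    if template:
        tbody = struct.pack("!HH", 256, len(template)) + b"".join(struct.pack("!HH", *f) for f in template)
        flowsets += struct.pack("!HH", 0, 4 + len(tbody)) + tbody
    dbody = b""
    for rec in records:
        for ftype, length in TEMPLATE_256:
            dbody += socket.inet_aton(rec[ftype]) if ftype in ADDRESS_FIELDS else rec[ftype].to_bytes(length, "big")
    dbody += b"\x00" * (-len(dbody) % 4)                      # pad the data FlowSet to a 4-byte boundary
    flowsets += struct.pack("!HH", 256, 4 + len(dbody)) + dbody
    header = struct.pack("!HHIIII", 9, len(records) + (1 if template else 0), 1000, 1700000000, seq, source_id)
    return header + flowsets


def demo():
    """Router sampling 1:1000, template aging 1800 s, only ifIndex 3 accepted as inbound interface."""
    c = NetFlowV9Collector(sampling_rate=1000, template_aging=1800, inbound_ifindex={3})
    fresh = c.feed(build_packet(1, TEMPLATE_256, [REC_UPLINK, REC_OTHER], seq=1), now=0)
    # Data arriving after the template aged out is dropped until the router re-sends the template.
    stale = c.feed(build_packet(1, None, [REC_UPLINK], seq=2), now=1801)
    return fresh, stale, c.dropped_no_template
```

    Running demo() keeps one of the two records in the first packet (the copy seen on ifIndex 5 is the duplicate that step 8 is meant to suppress) with its counters scaled to 2000 packets and 120000 bytes, and returns nothing for the second packet because the only template for source ID 1 is older than Template aging time. A too-short aging time therefore shows up as silently missing traffic, not as an error, which is worth checking in Performance Monitor after changing the value.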

Result

While you are adding a router, the ATIC automatically synchronizes the router information. If the synchronization fails, perform operations as prompted and manually synchronize the router information to the ATIC.


Copyright © Huawei Technologies Co., Ltd.