Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Example for Using Basic ACLs to Exclude Valid Packets from URPF Checks

Networking Requirements

As shown in Figure 1-16, GE1/0/1 of the Switch is connected to users, and GE2/0/1 is connected to the upstream router. To prevent source address spoofing attacks, the administrator configures URPF in strict mode on GE1/0/1 and GE2/0/1. In addition, the administrator does not want the Switch to perform URPF checks on the packets sent by valid user PC1 (10.0.0.2).

Figure 1-16  Using basic ACLs to exclude valid packets from URPF check

Configuration Roadmap

The following configurations are performed on the Switch. The configuration roadmap is as follows:

  1. Configure URPF to prevent source address spoofing attacks.
  2. Configure a basic ACL and ACL-based traffic classifier to identify packets from IP address 10.0.0.2.
  3. Configure a traffic behavior that disables URPF checks for the matched packets, so that the device no longer performs URPF checks on packets from 10.0.0.2.
  4. Configure and apply a traffic policy to make the ACL and traffic behavior take effect.

Procedure

  1. Configure the URPF function.

    # Enable the URPF function on LPUs.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] urpf slot 1
    Warning: Changing the global URPF status may interrupt some services for several seconds and FIB entries supported may be reduced. Continue? [Y/N]: y
    [Switch] urpf slot 2
    Warning: Changing the global URPF status may interrupt some services for several seconds and FIB entries supported may be reduced. Continue? [Y/N]: y


    # Configure the URPF mode on interfaces.

    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] urpf strict
    [Switch-GigabitEthernet1/0/1] quit
    [Switch] interface gigabitethernet 2/0/1
    [Switch-GigabitEthernet2/0/1] urpf strict
    [Switch-GigabitEthernet2/0/1] quit

  2. Configure an ACL-based traffic classifier.

    # Define ACL rules.

    [Switch] acl 2000
    [Switch-acl-basic-2000] rule permit source 10.0.0.2 0
    [Switch-acl-basic-2000] quit

    # Configure the traffic classifier and reference the ACL in it.

    [Switch] traffic classifier tc1
    [Switch-classifier-tc1] if-match acl 2000
    [Switch-classifier-tc1] quit

  3. Configure a traffic behavior.

    # Define the traffic behavior and disable the URPF function in the traffic behavior view.

    [Switch] traffic behavior tb1
    [Switch-behavior-tb1] ip urpf disable
    [Switch-behavior-tb1] quit

  4. Configure a traffic policy.

    # Define the traffic policy and associate the traffic classifier and traffic behavior with the traffic policy.

    [Switch] traffic policy tp1
    [Switch-trafficpolicy-tp1] classifier tc1 behavior tb1
    [Switch-trafficpolicy-tp1] quit

    # Apply the traffic policy to GE1/0/1.

    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] traffic-policy tp1 inbound
    [Switch-GigabitEthernet1/0/1] quit

  5. Verify the configuration.

    # Check the configuration of ACL rules.

    [Switch] display acl 2000
    Basic ACL 2000, 1 rule
    Acl's step is 5
     rule 5 permit source 10.0.0.2 0

    # Check the configuration of the traffic classifier.

    [Switch] display traffic classifier user-defined
      User Defined Classifier Information:
       Classifier: tc1
        Precedence: 5
        Operator: OR
        Rule(s) : if-match acl 2000

    Total classifier number is 1

    # Check the configuration of the traffic policy.

    [Switch] display traffic policy user-defined tp1
      User Defined Traffic Policy Information:
      Policy: tp1
       Classifier: tc1
        Operator: OR
         Behavior: tb1
          Permit
          Urpf switch: off
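The procedure above combines two mechanisms: a per-interface URPF check (strict mode requires that the route back to the packet's source address leaves through the interface the packet arrived on) and an inbound traffic policy whose "ip urpf disable" behavior lets ACL-matched packets skip that check. The following Python model is an added example, not Huawei code and not part of this guide; it assumes a constructed FIB (including a host route for PC1 that points out GE2/0/1 to model an asymmetric path, which is the case where strict URPF would otherwise drop valid traffic), a hypothetical `urpf_check()` function, and a simplified basic-ACL matcher using the page's `permit source <ip> <wildcard>` form. The handling of the default route (not satisfying URPF unless explicitly allowed) is also an assumption of this model.

```python
import ipaddress

# Constructed FIB for this example (not taken from the page): prefix -> egress interface.
# The /32 host route for PC1 (10.0.0.2) points out GE2/0/1 to model asymmetric routing,
# which is exactly the situation in which a strict URPF check on GE1/0/1 would drop
# PC1's legitimate packets unless they are exempted.
FIB = {
    ipaddress.ip_network("10.0.0.0/24"): "GE1/0/1",
    ipaddress.ip_network("10.0.0.2/32"): "GE2/0/1",
    ipaddress.ip_network("0.0.0.0/0"): "GE2/0/1",
}


def fib_lookup(src_ip, fib=FIB):
    """Longest-prefix match on the source address. Returns (prefix, egress) or None."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, egress in fib.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, egress)
    return best


def acl_permits(src_ip, rules):
    """Simplified basic ACL: rules are (action, ip, wildcard) tuples in the page's
    'permit source <ip> <wildcard>' form. First matching rule wins; no match -> False."""
    addr = int(ipaddress.ip_address(src_ip))
    for action, ip, wildcard in rules:
        # A wildcard bit of 1 means "don't care", so the comparison mask is its inverse.
        mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
        if addr & mask == int(ipaddress.ip_address(ip)) & mask:
            return action == "permit"
    return False


def urpf_check(src_ip, ingress, mode="strict", exempt_acl=None, allow_default=False):
    """Return 'pass' or 'drop' for a packet with source src_ip arriving on ingress.

    exempt_acl models the traffic policy with 'ip urpf disable' applied inbound on the
    ingress interface (as tp1 is on GE1/0/1 in the guide): matched packets skip the check.
    allow_default is an assumption of this model: a default route only satisfies the
    check when it is set.
    """
    if exempt_acl is not None and acl_permits(src_ip, exempt_acl):
        return "pass"  # exempted by the traffic behavior; no URPF check performed
    route = fib_lookup(src_ip)
    if route is None:
        return "drop"  # no route back to the source: treated as spoofed
    prefix, egress = route
    if prefix.prefixlen == 0 and not allow_default:
        return "drop"  # only a default route matched; not accepted by default
    if mode == "strict" and egress != ingress:
        return "drop"  # route exists but does not point back out the ingress interface
    return "pass"     # loose mode: any usable route suffices; strict: interface matched


# ACL 2000 from the guide: 'rule permit source 10.0.0.2 0' (wildcard 0 = exact host).
ACL_2000 = [("permit", "10.0.0.2", "0.0.0.0")]


if __name__ == "__main__":
    # Constructed sample packets: (source, ingress interface, exemption applied?)
    samples = [
        ("10.0.0.5", "GE1/0/1", None),      # ordinary user, symmetric path -> pass
        ("10.0.0.5", "GE2/0/1", None),      # user address arriving from upstream -> drop
        ("10.0.0.2", "GE1/0/1", None),      # PC1 without exemption -> drop (asymmetric route)
        ("10.0.0.2", "GE1/0/1", ACL_2000),  # PC1 with tp1 applied inbound -> pass
        ("192.0.2.7", "GE1/0/1", None),     # only the default route matches -> drop
    ]
    for src, iface, acl in samples:
        print(f"{src:<10} in {iface}: {urpf_check(src, iface, exempt_acl=acl)}")
```

The model makes the trade-off visible: the exemption is keyed purely on the source address, so any packet claiming 10.0.0.2 that arrives on GE1/0/1 bypasses the check. That is why the guide applies the policy only inbound on the user-facing interface; the same address arriving on GE2/0/1 is still subject to strict URPF.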

Configuration Files

Switch configuration file

#
sysname Switch
#
urpf slot 1
urpf slot 2
#
acl number 2000
 rule 5 permit source 10.0.0.2 0
#
traffic classifier tc1 operator or precedence 5
 if-match acl 2000
#
traffic behavior tb1
 permit
 ip urpf disable
#
traffic policy tp1 match-order config
 classifier tc1 behavior tb1
#
interface GigabitEthernet1/0/1
 traffic-policy tp1 inbound
 urpf strict
#
interface GigabitEthernet2/0/1
 urpf strict
#
return
Updated: 2019-04-01

Document ID: EDOC1000178319
