Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Example for Configuring URPF

Networking Requirements

In Figure 14-5, SwitchA is connected to the Internet Service Provider (ISP) router through GE1/0/3 and connected to user networks through GE1/0/1 and GE1/0/2. The administrator requires that SwitchA defend against source IP address spoofing attacks to prevent unauthorized users from forging source IP addresses to attack authorized users.

Figure 14-5  Networking diagram of URPF configuration

NOTE:

The following uses the X1E card on SwitchA as an example.

Configuration Roadmap

  1. Configure S1 and S2 to communicate with SwitchA:
    1. Configure the interface and IP address of SwitchA.
    2. Configure the interface, IP address, and route of S1.
    3. Configure the interface, IP address, and route of S2.
  2. Configure URPF on SwitchA and verify the function:
    1. Configure traffic statistics collection on S1.
    2. View traffic statistics collected on S1.
    3. Forge the source IP address of a packet on S2 and send the request packet to S1.
    4. View traffic statistics collected on S1.
    5. Configure URPF on SwitchA.
    6. Forge the source IP address of a packet on S2 and send the request packet to S1.
    7. View traffic statistics collected on S1.

Procedure

  1. Configure S1 and S2 to communicate with SwitchA.

    # Configure the interface and IP address of SwitchA.

    <HUAWEI> system-view
    [HUAWEI] sysname SwitchA
    [SwitchA] vlan batch 10 20
    [SwitchA] interface gigabitethernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] port link-type trunk
    [SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
    [SwitchA-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
    [SwitchA-GigabitEthernet1/0/1] quit
    [SwitchA] interface gigabitethernet 1/0/2
    [SwitchA-GigabitEthernet1/0/2] port link-type trunk
    [SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
    [SwitchA-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
    [SwitchA-GigabitEthernet1/0/2] quit
    [SwitchA] interface vlanif 10
    [SwitchA-Vlanif10] ip address 192.168.10.2 24
    [SwitchA-Vlanif10] quit
    [SwitchA] interface vlanif 20
    [SwitchA-Vlanif20] ip address 192.168.20.2 24
    [SwitchA-Vlanif20] quit

    # Configure the interface, IP address, and route of S1.

    <HUAWEI> system-view
    [HUAWEI] sysname S1
    [S1] vlan batch 10
    [S1] interface gigabitethernet 0/0/1
    [S1-GigabitEthernet0/0/1] port link-type trunk
    [S1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
    [S1-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
    [S1-GigabitEthernet0/0/1] quit
    [S1] interface vlanif 10
    [S1-Vlanif10] ip address 192.168.10.1 24
    [S1-Vlanif10] quit
    [S1] ip route-static 192.168.20.0 24 192.168.10.2

    # Configure the interface, IP address, and route of S2.

    <HUAWEI> system-view
    [HUAWEI] sysname S2
    [S2] vlan batch 20
    [S2] interface gigabitethernet 0/0/1
    [S2-GigabitEthernet0/0/1] port link-type trunk
    [S2-GigabitEthernet0/0/1] port trunk allow-pass vlan 20
    [S2-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
    [S2-GigabitEthernet0/0/1] quit
    [S2] interface vlanif 20
    [S2-Vlanif20] ip address 192.168.20.1 24
    [S2-Vlanif20] quit
    [S2] ip route-static 192.168.10.0 24 192.168.20.2

    # Check that S1, S2, and SwitchA have reachable routes to one another. If S1 can ping S2, the routes are in place.

    [S1] ping 192.168.20.1 
      PING 192.168.20.1: 56  data bytes, press CTRL_C to break                                                                          
        Reply from 192.168.20.1: bytes=56 Sequence=1 ttl=253 time=1 ms                                                                  
        Reply from 192.168.20.1: bytes=56 Sequence=2 ttl=253 time=1 ms                                                                  
        Reply from 192.168.20.1: bytes=56 Sequence=3 ttl=253 time=1 ms                                                                  
        Reply from 192.168.20.1: bytes=56 Sequence=4 ttl=253 time=1 ms                                                                  
        Reply from 192.168.20.1: bytes=56 Sequence=5 ttl=253 time=1 ms                                                                  
                                                                                                                                        
      --- 192.168.20.1 ping statistics ---                                                                                              
        5 packet(s) transmitted                                                                                                         
        5 packet(s) received                                                                                                            
        0.00% packet loss                                                                                                               
        round-trip min/avg/max = 1/1/1 ms                                                                                               

  2. Configure URPF on SwitchA and verify the function.

    # Configure traffic statistics collection on S1.

    [S1] acl 3002
    [S1-acl-adv-3002] rule permit icmp source 192.168.10.3 0 destination 192.168.10.1 0   //Matches ICMP packets with the source IP address of 192.168.10.3 and destination IP address of 192.168.10.1.
    [S1-acl-adv-3002] quit
    [S1] interface gigabitethernet 0/0/1
    [S1-GigabitEthernet0/0/1] traffic-statistic inbound acl 3002   //Collects statistics about packets that match ACL 3002 on GE0/0/1.
    [S1-GigabitEthernet0/0/1] quit

    # View the initial traffic statistics collected on S1. All counters are 0 because no packet matching ACL 3002 has been received yet.

    [S1] display traffic-statistics interface GigabitEthernet 0/0/1 inbound
    ---------------------------------------------------------------------------
    Interface GigabitEthernet0/0/1
     ACL:3002 Rule:5
         matched:0 packets, passed:0 packets, dropped:0 packets

    # Forge the source IP address of a packet on S2 and send the request packet to S1. In this example, S2 pings S1 with the specified source IP address 192.168.10.3 but does not receive any response packet from S1, because the replies are addressed to the forged source rather than to S2.

    [S2] ping -a 192.168.10.3 192.168.10.1
    Warning: The specified source address is not a local address, the ping command will not check the network connection.
      PING 192.168.10.1: 56  data bytes, press CTRL_C to break
        Request time out
        Request time out
        Request time out
        Request time out
        Request time out

      --- 192.168.10.1 ping statistics ---
        5 packet(s) transmitted
        0 packet(s) received
        100.00% packet loss

    # View traffic statistics collected on S1. The statistics show that S1 has received the five request packets from S2; these are the attack packets against S1.

    [S1] display traffic-statistics interface GigabitEthernet 0/0/1 inbound
    ---------------------------------------------------------------------------
    Interface GigabitEthernet0/0/1
     ACL:3002 Rule:5
         matched:5 packets, passed:5 packets, dropped:0 packets

    # Configure URPF on SwitchA.

    [SwitchA] interface gigabitethernet 1/0/2
    [SwitchA-GigabitEthernet1/0/2] urpf strict
    [SwitchA-GigabitEthernet1/0/2] quit

    # S2 pings S1 with the forged source IP address again. The request packets are now dropped on SwitchA, so S2 again receives no response.

    [S2] ping -a 192.168.10.3 192.168.10.1
    Warning: The specified source address is not a local address, the ping command will not check the network connection.
      PING 192.168.10.1: 56  data bytes, press CTRL_C to break
        Request time out
        Request time out
        Request time out
        Request time out
        Request time out

      --- 192.168.10.1 ping statistics ---
        5 packet(s) transmitted
        0 packet(s) received
        100.00% packet loss

    # View traffic statistics collected on S1 again. The counters are unchanged (still 5 matched packets), which shows that SwitchA discarded the forged packets from S2 because URPF is configured on it. As a result, S1 did not receive the second batch of request packets.

    [S1] display traffic-statistics interface GigabitEthernet 0/0/1 inbound
    ---------------------------------------------------------------------------
    Interface GigabitEthernet0/0/1
     ACL:3002 Rule:5
         matched:5 packets, passed:5 packets, dropped:0 packets
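The following Python model of the check SwitchA performs once `urpf strict` is applied to GE1/0/2 is an added illustration, not part of this Huawei document or its device software: it builds SwitchA's FIB from the addresses configured above, runs S2's forged packet and S2's genuine packet through it, and also evaluates loose mode (which this page does not configure) to show why strict mode is what stops the forged source here. The port-to-VLANIF mapping and the omission of the ISP uplink GE1/0/3 are simplifying assumptions.

```python
import ipaddress

# Constructed model of SwitchA's FIB as configured on this page: one
# connected subnet per VLAN interface. The ISP uplink GE1/0/3 is omitted.
SWITCHA_FIB = [
    (ipaddress.ip_network("192.168.10.0/24"), "Vlanif10"),  # S1 side, GE1/0/1
    (ipaddress.ip_network("192.168.20.0/24"), "Vlanif20"),  # S2 side, GE1/0/2
]
# Physical ingress port -> VLAN interface that terminates it on SwitchA
INGRESS_VLANIF = {"GE1/0/1": "Vlanif10", "GE1/0/2": "Vlanif20"}

def lookup(fib, addr):
    """Longest-prefix match: outgoing interface for addr, or None if unrouted."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None

def urpf_check(fib, ingress_port, src_addr, mode="strict"):
    """True if a packet from src_addr arriving on ingress_port passes URPF."""
    out_iface = lookup(fib, src_addr)
    if out_iface is None:
        return False  # no route back to the source: dropped in both modes
    if mode == "loose":
        return True   # loose mode (not used on this page): any route suffices
    # strict mode ('urpf strict' on GE1/0/2): the reverse route must exit
    # through the same interface the packet came in on
    return out_iface == INGRESS_VLANIF[ingress_port]

# Constructed packets mirroring the page: S2's forged ping (a source borrowed
# from S1's subnet) and S2's genuine address, both arriving on GE1/0/2.
FORGED = ("GE1/0/2", "192.168.10.3")
GENUINE = ("GE1/0/2", "192.168.20.1")

def run_page_scenario():
    return {
        "forged_strict": urpf_check(SWITCHA_FIB, *FORGED),
        "forged_loose": urpf_check(SWITCHA_FIB, *FORGED, mode="loose"),
        "genuine_strict": urpf_check(SWITCHA_FIB, *GENUINE),
        "unrouted_loose": urpf_check(SWITCHA_FIB, "GE1/0/2", "10.9.9.9", mode="loose"),
    }

if __name__ == "__main__":
    for name, verdict in run_page_scenario().items():
        print(f"{name}: {'pass' if verdict else 'drop'}")
```

Strict mode also drops legitimate packets whose reverse route exits a different interface (asymmetric routing), so it belongs on single-homed user-facing ports such as GE1/0/2 rather than on the ISP uplink.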

Configuration Files

SwitchA configuration file

#
sysname SwitchA
#
vlan batch 10 20
#
interface Vlanif10
 ip address 192.168.10.2 255.255.255.0
#
interface Vlanif20
 ip address 192.168.20.2 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20
 urpf strict
#
return

S1 configuration file

#
sysname S1
#
vlan batch 10
#
acl number 3002
 rule 5 permit icmp source 192.168.10.3 0 destination 192.168.10.1 0
#
interface Vlanif10
 ip address 192.168.10.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10
 traffic-statistic inbound acl 3002
#
ip route-static 192.168.20.0 255.255.255.0 192.168.10.2
#
return

S2 configuration file

#
sysname S2
#
vlan batch 20
#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20
#
ip route-static 192.168.10.0 255.255.255.0 192.168.20.2
#
return

Updated: 2019-04-01

Document ID: EDOC1000178319