No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Configuration Guide - Security

S9300, S9300E, and S9300X V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Applying Basic ACLs to SNMP to Filter NMSs

Example for Applying Basic ACLs to SNMP to Filter NMSs

Networking Requirements

As shown in Figure 1-14, two NMSs are available on the network to monitor network devices. The network size is small and the network has a high security level. Therefore, the administrator requires that only the trusted NMS (NMS2) manage network devices and the Switch use SNMPv1 to communicate with the NMS. Invalid NMSs cannot manage the Switch. According to service requirements, the administrator allows the NMS to manage only the objects except RMON, and the administrator should be able to locate and rectify faults quickly through the NMS.

Figure 1-14  Applying basic ACLs to SNMP to filter NMSs

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure the SNMP version on the Switch to SNMPv1.

  2. Configure ACLs, MIB view, and community name to control the access rights of NMSs. The NMS2 can only manage the objects on Switch except RMON, and NMS1 cannot manage the Switch.

  3. Configure the trap host for the Switch to deliver traps generated on the Switch to NMS2. To help quickly identify faults according to trap messages and reduce useless traps, configure the Switch to send only the traps of the modules enabled by default.

  4. Configure NMS2.

Procedure

  1. Configure an IP address for the interface of Switch.

    <Quidway> system-view
    [Quidway] sysname Switch
    [Switch] vlan 100
    [Switch-vlan100] quit
    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] port hybrid pvid vlan 100
    [Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 100
    [Switch-GigabitEthernet1/0/1] quit
    [Switch] interface vlanif 100
    [Switch-Vlanif100] ip address 10.1.2.1 24
    [Switch-Vlanif100] quit

  2. Configure routing function to ensure a reachable route between the Switch and NMS2.

    [Switch] ospf
    [Switch-ospf-1] area 0
    [Switch-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
    [Switch-ospf-1-area-0.0.0.0] quit
    [Switch-ospf-1] quit

  3. Set the SNMP version on the Switch to SNMPv1.

    [Switch] snmp-agent sys-info version v1

  4. Configure the access rights.

    # Configure an ACL that allows NMS2 to manage the Switch and prevents NMS1 from managing the Switch.

    [Switch] acl 2001
    [Switch-acl-basic-2001] rule 5 permit source 10.1.1.2 0.0.0.0
    [Switch-acl-basic-2001] rule 6 deny source 10.1.1.1 0.0.0.0
    [Switch-acl-basic-2001] quit

    # Configure the MIB view to allow NMS2 to manage all MIB objects on the Switch except RMON objects.

    [Switch] snmp-agent mib-view excluded allextrmon 1.3.6.1.2.1.16

    # Configure a community name and reference the ACL and MIB view for the community.

    [Switch] snmp-agent community write adminnms2 mib-view allextrmon acl 2001

  5. Configure the trap host.

    [Switch] snmp-agent target-host trap address udp-domain 10.1.1.2 params securityname adminnms2 

  6. Configure NMS2.

    You must set a read-write community name for an NMS running SNMPv1. For details about the NMS configuration, see the manual of the NMS.

    NOTE:

    The authentication parameter configuration on the NMS must be the same as that on the Switch. Otherwise, the NMS cannot manage the Switch. If only the write community name is configured on the device, the read and write community names on the NMS must be the same as the write community name configured on the device.

  7. Verify the configuration.

    After completing the configuration, run the following commands to verify that the configurations have taken effect.

    # View the SNMP version.

    [Switch] display snmp-agent sys-info version
       SNMP version running in the system:                                          
               SNMPv1 SNMPv3 

    # View the configuration of the target host used to receive traps.

    [Switch] display snmp-agent target-host
    Target-host NO. 1                                                               
    -----------------------------------------------------------                     
      IP-address    : 10.1.1.2                                                       
      Source interface : - 
      VPN instance  : -                                                             
      Security name : %^%#uq/!YZfvW4*vf[~C|.:Cl}UqS(vXd#wwqR~5M(rU%%^%#
      Port          : 162                                                           
      Type          : trap                                                          
      Version       : v1                                                            
      Level         : No authentication and privacy                                 
      NMS type      : NMS                                                           
      With ext-vb   : No                                                            
    ----------------------------------------------------------- 

Configuration Files

Switch configuration file

#
sysname Switch
#
vlan batch 100
#
acl number 2001
 rule 5 permit source 10.1.1.2 0
 rule 6 deny source 10.1.1.1 0
#                                                                               
interface Vlanif100                                                             
 ip address 10.1.2.1 255.255.255.0                                               
#
interface GigabitEthernet1/0/1
 port hybrid pvid vlan 100                                                      
 port hybrid untagged vlan 100     
#
ospf 1
 area 0.0.0.0
  network 10.1.2.0 0.0.0.255
#
snmp-agent
snmp-agent local-engineid 800007DB03360102101100
snmp-agent community write cipher %^%#.T|&Whvyf$<Gd"I,wXi5SP_6~Nakk6<<+3H:N-h@aJ6d,l0md%HCeAY8~>X=>xV\JKNAL=124r839v<*%^%# mib-view allextrmon acl 2001
snmp-agent sys-info version v1 v3
snmp-agent target-host trap address udp-domain 10.1.1.2 params securityname cipher %^%#uq/!YZfvW4*vf[~C|.:Cl}UqS(vXd#wwqR~5M(rU%%^%#
snmp-agent mib-view excluded allextrmon rmon 
#
return
Translation
Download
Updated: 2019-04-01

Document ID: EDOC1000178410

Views: 125828

Downloads: 25

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next