CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.

Example for Configuring a Basic ACL in URPF to Prevent Source IP Address Spoofing Attacks

Networking Requirements

In Figure 5-16, Eth1/0/1 of the Router is connected to PC1 and PC2, and Eth2/0/1 is connected to the upstream router. To prevent source address spoofing attacks, the administrator configures URPF in strict mode on Eth1/0/1 and Eth2/0/1. In addition, the administrator expects the Router to perform URPF checks only on the packets from PC2 (10.0.0.3).

Figure 5-16  Using basic ACLs to exclude valid packets from URPF check

Configuration Roadmap

The following configurations are performed on the Router. The configuration roadmap is as follows:

  1. Configure ACL-based URPF on Eth1/0/1 to perform URPF check only on the packets from PC2.
  2. Configure URPF check mode on Eth2/0/1 to prevent source address spoofing attacks.

Procedure

  1. Configure ACL-based URPF on Eth1/0/1 to perform URPF check only on the packets from PC2.

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] interface ethernet 1/0/1
    [Router-Ethernet1/0/1] ip address 10.0.0.1 24
    [Router-Ethernet1/0/1] urpf strict acl 2001
    [Router-Ethernet1/0/1] quit
    [Router] acl number 2001
    [Router-acl-basic-2001] rule permit source 10.0.0.3 0.0.0.255
    [Router-acl-basic-2001] quit
    

  2. Configure URPF check on Eth2/0/1.

    [Router] interface ethernet 2/0/1
    [Router-Ethernet2/0/1] ip address 10.0.1.1 24
    [Router-Ethernet2/0/1] urpf strict
    [Router-Ethernet2/0/1] quit

  3. Verify the configuration.

    # Check the configuration of ACL rules.

    [Router] display acl 2001
    Basic ACL 2001, 1 rule                                                          
    Acl's step is 5                                                                 
     rule 5 permit source 10.0.0.0 0.0.0.255                                        
      

    # Check URPF configuration on Eth1/0/1.

    [Router] interface ethernet 1/0/1
    [Router-Ethernet1/0/1] display this
    #                                                                               
    interface Ethernet1/0/1                                                         
     ip address 10.0.0.1 255.255.255.0                                             
     urpf strict acl 2001                                                           
    #                                                                               
    return 

    # Check URPF configuration on Eth2/0/1.

    [Router] interface ethernet 2/0/1
    [Router-Ethernet2/0/1] display this
    #                                                                               
    interface Ethernet2/0/1                                                         
     ip address 10.0.1.1 255.255.255.0                                              
     urpf strict                                                                    
    #                                                                               
    return 
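
The `display acl 2001` output above shows `10.0.0.0 0.0.0.255` although `10.0.0.3 0.0.0.255` was entered. The following added example (not part of the Huawei guide) treats the wildcard as a bit mask to reproduce that and to list which sources rule 5 selects. PC1's address `10.0.0.2` and the host-only rule with wildcard `0` are assumptions for illustration.

```python
import ipaddress
import re

# Constructed input: the ACL section of the page's Router configuration file.
CONFIG = """\
acl number 2001
 rule 5 permit source 10.0.0.0 0.0.0.255
"""
# Hypothetical tightened rule (not on the page): wildcard 0 selects one host.
HOST_RULE = "rule 5 permit source 10.0.0.3 0"

RULE_RE = re.compile(r"rule\s+(?:\d+\s+)?(permit|deny)\s+source\s+(\S+)\s+(\S+)")


def to_int(addr):
    """Dotted-quad address or wildcard to a 32-bit integer ('0' means 0.0.0.0)."""
    return 0 if addr == "0" else int(ipaddress.IPv4Address(addr))


def parse_rules(text):
    """Return [(action, base, wildcard)] with don't-care bits cleared from base."""
    rules = []
    for action, src, wc in RULE_RE.findall(text):
        wildcard = to_int(wc)
        care = ~wildcard & 0xFFFFFFFF          # bits that must match exactly
        rules.append((action, to_int(src) & care, wildcard))
    return rules


def first_match(rules, addr):
    """Action of the first rule whose care bits equal addr's, else None."""
    value = to_int(addr)
    for action, base, wildcard in rules:
        if (value & ~wildcard & 0xFFFFFFFF) == base:
            return action
    return None


def stored_source(rule):
    """Source address once the don't-care bits are zeroed."""
    return str(ipaddress.IPv4Address(rule[1]))


def sources_covered(rule):
    """Number of distinct source addresses the rule selects."""
    return 2 ** bin(rule[2]).count("1")


if __name__ == "__main__":
    typed = parse_rules("rule permit source 10.0.0.3 0.0.0.255")[0]
    print(stored_source(typed), sources_covered(typed))   # rule as entered in step 1
    for addr in ("10.0.0.3", "10.0.0.2"):                 # PC2, assumed PC1
        print(addr, first_match(parse_rules(CONFIG), addr),
              first_match(parse_rules(HOST_RULE), addr))
```

With the page's ACL both PC2 and the assumed PC1 address match, because wildcard `0.0.0.255` selects every source in 10.0.0.0/24; only the host-only rule limits the match to 10.0.0.3.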

Configuration Files

Router configuration file

    #
     sysname Router
    #
    acl number 2001
     rule 5 permit source 10.0.0.0 0.0.0.255
    #
    interface Ethernet1/0/1
     ip address 10.0.0.1 255.255.255.0
     urpf strict acl 2001
    #
    interface Ethernet2/0/1
     ip address 10.0.1.1 255.255.255.0
     urpf strict
    #
    return

Updated: 2019-08-07

Document ID: EDOC1100034077
