
NE20E-S2 V800R010C10SPC500 Configuration Guide - IP Services 01

Example for Configuring an Advanced ACL to Defend Against Attacks

This section provides an example for configuring an advanced ACL to defend against attacks.

Networking Requirements

As shown in Figure 3-13, Device A, Device B, and Device C are access devices, and Device D, Device E, and Device F are core devices. The access devices connect to the core devices through 10 Gbit/s interfaces. Voice and 3G services run on the network. To control user access and protect the network and the devices themselves, security policies must be configured on the access routers to block ICMP packet attacks. In this example, an advanced ACL is configured on Device A for that purpose.

If an attacker (the PC) launches an ICMP attack against the network, Device A uses the configured advanced ACL to drop the attack packets.

Figure 3-13 Configuring an advanced ACL to defend against attacks
NOTE:

Interfaces 1 and 2 in this example are GE 0/1/0 and GE 0/2/0, respectively.



Configuration Roadmap

The configuration roadmap is as follows:

  1. Set passwords for users that log in to a device through the NMS or the CLI to improve login security.

  2. Record all unsuccessful logins in a log file and also output the log information to the console so that network administrators can review login attempts.

  3. Configure an advanced ACL on Device A, reference it in a traffic classifier, and apply the resulting traffic policy to the interface facing the attacker to defend against ICMP packet attacks.

Data Preparation

To complete the configuration, you need the following data:

  • IP address of each interface

  • Password for users that log in to a device using the NMS and CLI

  • Number of the advanced ACL

Procedure

  1. Assign an IP address to each interface. For configuration details, see Configuration Files in this section.
  2. Set a password for users that log in to a device using the NMS and CLI.

    <DeviceA> system-view
    [~HUAWEI] sysname DeviceA
    [*HUAWEI] commit
    [~DeviceA] user-interface console 0
    [*DeviceA-ui-con0] shell
    [*DeviceA-ui-con0] authentication-mode password
    [*DeviceA-ui-con0] set authentication password cipher Huawei-123
    [*DeviceA-ui-con0] idle-timeout 30 0
    [*DeviceA-ui-con0] commit
    [~DeviceA-ui-con0] quit
    [~DeviceA] user-interface maximum-vty 15
    [*DeviceA] user-interface vty 5 14
    [*DeviceA-ui-vty5-14] shell
    [*DeviceA-ui-vty5-14] authentication-mode password
    [*DeviceA-ui-vty5-14] set authentication password cipher Huawei-123
    [*DeviceA-ui-vty5-14] idle-timeout 30 0
    [*DeviceA-ui-vty5-14] commit
    [~DeviceA-ui-vty5-14] quit
    

    The configurations of the other access devices are similar to that of Device A. Note that authentication-mode password sets one shared password for every session on that user interface; if individual accountability is required, use authentication-mode aaa with per-user accounts instead.

  3. Record all information about unsuccessful logins in a log file and output log information to the console interface.

    [~DeviceA] info-center enable
    [*DeviceA] info-center source default channel 9 log level warning
    [*DeviceA] info-center logfile channel channel9
    [*DeviceA] commit
    [~DeviceA] quit
    <DeviceA> terminal logging

  4. Configure an advanced ACL on Device A, reference it in a traffic classifier, and apply the resulting traffic policy to GE 0/2/0 in both directions to defend against ICMP packet attacks. The traffic behavior anti-virus defines no action: packets that match the ACL's deny rule are discarded when the classifier matches them, which is why the ping in step 5 fails. Note that rule 5 deny icmp drops all ICMP, including the ICMP error messages that path MTU discovery relies on and the echo requests used to monitor Device A; in a production network, narrow the rule by source address or ICMP type.

    <DeviceA> system-view
    [~DeviceA] acl number 3001
    [*DeviceA-acl4-advance-3001] description anti-virus
    [*DeviceA-acl4-advance-3001] rule 5 deny icmp
    [*DeviceA-acl4-advance-3001] commit
    [~DeviceA-acl4-advance-3001] quit
    [~DeviceA] traffic classifier anti-virus
    [*DeviceA-classifier-anti-virus] if-match acl 3001
    [*DeviceA-classifier-anti-virus] commit
    [~DeviceA-classifier-anti-virus] quit
    [~DeviceA] traffic behavior anti-virus
    [*DeviceA-behavior-anti-virus] commit
    [~DeviceA-behavior-anti-virus] quit
    [~DeviceA] traffic policy anti-virus
    [*DeviceA-trafficpolicy-anti-virus] classifier anti-virus behavior anti-virus
    [*DeviceA-trafficpolicy-anti-virus] commit
    [~DeviceA-trafficpolicy-anti-virus] quit
    [~DeviceA] interface gigabitethernet 0/2/0
    [*DeviceA-GigabitEthernet0/2/0] traffic-policy anti-virus inbound
    [*DeviceA-GigabitEthernet0/2/0] commit
    [~DeviceA-GigabitEthernet0/2/0] traffic-policy anti-virus outbound
    [*DeviceA-GigabitEthernet0/2/0] commit

  5. Verify the configuration.

    # Ping Device A from the PC. The command output shows that the ping operation fails.

    c:\>ping 172.16.1.1
    
    Pinging 172.16.1.1 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    
    Ping statistics for 172.16.1.1:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    # Delete the advanced ACL from Device A and ping again. The command output shows that the ping operation succeeds.

    c:\>ping 172.16.1.1
    
    Pinging 172.16.1.1 with 32 bytes of data:
    Reply from 172.16.1.1: bytes=32 time<1ms TTL=128
    Reply from 172.16.1.1: bytes=32 time<1ms TTL=128
    Reply from 172.16.1.1: bytes=32 time<1ms TTL=128
    Reply from 172.16.1.1: bytes=32 time<1ms TTL=128
    
    Ping statistics for 172.16.1.1:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms
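
    The effect of the deny rule in step 4, and of a narrower alternative, can be checked against sample traffic with the following Python model of first-match ACL evaluation. This is an added example and not Huawei code: the Rule and Packet classes are this script's own abstraction of an advanced ACL (rules tried in ascending rule-ID order, first match decides, traffic matching no rule is left alone by the policy), the management subnet 172.16.10.0/24 and the core-router address 172.16.2.1 are assumptions, and the sample packets are constructed.

```python
"""Model of first-match advanced-ACL evaluation (added example, not Huawei code).
A traffic classifier that references an ACL tries the rules in ascending
rule-ID order; the first matching rule decides, and traffic matching no rule
is simply not classified, which this model reports as "permit"."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                         # "icmp", "tcp" or "udp"
    src: str                           # source IPv4 address
    dst: str                           # destination IPv4 address
    icmp_type: Optional[int] = None    # ICMP type number, only for proto == "icmp"


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                        # "permit" or "deny"
    proto: Optional[str] = None        # None matches any protocol
    source: Optional[str] = None       # CIDR prefix; None matches any source
    icmp_type: Optional[int] = None    # None matches any ICMP type

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.source is not None and IPv4Address(pkt.src) not in IPv4Network(self.source):
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        return True


def evaluate(rules, pkt: Packet) -> str:
    """Return the action of the first matching rule, or "permit" if none matches."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(pkt):
            return rule.action
    return "permit"


# The page's ACL 3001: a single rule that denies every ICMP packet.
ACL_3001 = [Rule(5, "deny", proto="icmp")]

# Narrower alternative. Assumption: 172.16.10.0/24 is the management subnet.
# ICMP type 8 is Echo Request; type 3 is Destination Unreachable, which carries
# the Fragmentation Needed message that path MTU discovery depends on.
ACL_NARROW = [
    Rule(5, "permit", proto="icmp", source="172.16.10.0/24", icmp_type=8),
    Rule(10, "permit", proto="icmp", icmp_type=3),
    Rule(15, "deny", proto="icmp"),
]

# Constructed sample traffic arriving at Device A (172.16.1.1); 172.16.2.1 is an
# assumed core-router address.
SAMPLES = {
    "attacker_echo": Packet("icmp", "10.0.0.99", "172.16.1.1", icmp_type=8),
    "mgmt_echo": Packet("icmp", "172.16.10.5", "172.16.1.1", icmp_type=8),
    "pmtud_frag_needed": Packet("icmp", "172.16.2.1", "172.16.1.1", icmp_type=3),
    "tcp_session": Packet("tcp", "10.0.0.99", "172.16.1.1"),
}


def compare(rules_a, rules_b, samples=SAMPLES):
    """Map each sample name to (verdict under rules_a, verdict under rules_b)."""
    return {name: (evaluate(rules_a, p), evaluate(rules_b, p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (blanket, narrow) in compare(ACL_3001, ACL_NARROW).items():
        print(f"{name:18s} acl3001={blanket:6s} narrow={narrow}")
```

    Under ACL 3001 the attacker's echo request is dropped, but so are the management station's pings and the Fragmentation Needed message from the core; the narrower rule set keeps both of those while still dropping the attack traffic. Because ICMP source addresses are trivially spoofed, a source-based permit such as rule 5 only raises the bar and should be combined with anti-spoofing (unicast RPF or ingress filtering) on the access interface.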

Configuration Files

NOTE:

Only the configuration file of Device A is provided.

  • Device A configuration file

    #
     sysname DeviceA
    #
     info-center source default channel 9 log level warning
    #
    acl number 3001
     description anti-virus
     rule 5 deny icmp
    #
    traffic classifier anti-virus
     if-match acl 3001
    #
    traffic behavior anti-virus
    #
    traffic policy anti-virus
     classifier anti-virus behavior anti-virus
    #
    interface GigabitEthernet0/2/0
     undo shutdown
     traffic-policy anti-virus inbound
     traffic-policy anti-virus outbound
    #
    user-interface maximum-vty 15
    user-interface con 0
     authentication-mode password
     set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
     idle-timeout 30 0
    user-interface vty 0 4
    user-interface vty 5 14
     set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
     idle-timeout 30 0
    user-interface vty 16 20
    #
    return
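
Step 3 sends unsuccessful logins to the log file so that administrators can review them; the following Python script shows how such records can be triaged for password-guessing against Device A. It is an added example and not code from the page or from Huawei: the sample log lines are constructed to resemble VRP info-center output for the SHELL module (mnemonic LOGINFAILED, assumed to be logged at severity 4, warning, so that the `log level warning` setting in step 3 lets it reach the log file channel), and the regular expression LOGINFAILED_RE should be adjusted to the exact format your device emits.

```python
"""Triage of failed-login records from the Device A log file (added example,
not from the page or Huawei).  The sample lines are constructed to resemble
VRP info-center output for the SHELL module, mnemonic LOGINFAILED, assumed to
be logged at severity 4 (warning); adjust LOGINFAILED_RE to the exact format
your device emits."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: five failures from one source in eight seconds with
# three different user names, then one failure and a success from an operator.
SAMPLE_LOG = """\
Jan  2 2019 10:15:01 DeviceA %%01SHELL/4/LOGINFAILED(l)[1]:Failed to login. (Ip=10.0.0.99, UserName=admin, Times=1, AccessType=TELNET, VpnName=)
Jan  2 2019 10:15:03 DeviceA %%01SHELL/4/LOGINFAILED(l)[2]:Failed to login. (Ip=10.0.0.99, UserName=admin, Times=2, AccessType=TELNET, VpnName=)
Jan  2 2019 10:15:04 DeviceA %%01SHELL/4/LOGINFAILED(l)[3]:Failed to login. (Ip=10.0.0.99, UserName=root, Times=3, AccessType=TELNET, VpnName=)
Jan  2 2019 10:15:06 DeviceA %%01SHELL/4/LOGINFAILED(l)[4]:Failed to login. (Ip=10.0.0.99, UserName=huawei, Times=4, AccessType=TELNET, VpnName=)
Jan  2 2019 10:15:09 DeviceA %%01SHELL/4/LOGINFAILED(l)[5]:Failed to login. (Ip=10.0.0.99, UserName=admin, Times=5, AccessType=TELNET, VpnName=)
Jan  2 2019 10:20:30 DeviceA %%01SHELL/4/LOGINFAILED(l)[6]:Failed to login. (Ip=172.16.10.5, UserName=noc, Times=1, AccessType=SSH, VpnName=)
Jan  2 2019 10:20:45 DeviceA %%01SHELL/5/LOGIN(l)[7]:The user logged in. (UserName=noc, IP=172.16.10.5)
"""

# Timestamp, host, module/severity/mnemonic, then the key=value fields of the message.
LOGINFAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{4}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"%%\d{2}SHELL/(?P<sev>\d)/LOGINFAILED\(l\)\[\d+\]:Failed to login\. "
    r"\(Ip=(?P<ip>[^,]+), UserName=(?P<user>[^,]*), Times=(?P<times>\d+), "
    r"AccessType=(?P<access>[^,]+), VpnName=(?P<vpn>[^)]*)\)"
)


def parse_failures(text):
    """Extract time, source IP, user name and access type for every LOGINFAILED line."""
    events = []
    for line in text.splitlines():
        m = LOGINFAILED_RE.match(line)
        if m is None:
            continue  # other messages (successful logins and so on) are ignored
        events.append({
            "time": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            "ip": m["ip"],
            "user": m["user"],
            "access": m["access"],
        })
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: (failures, sorted user names)} for every source that
    produced at least `threshold` failures within any sliding `window`."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        best, users, start = 0, set(), 0
        for end, e in enumerate(evs):
            while e["time"] - evs[start]["time"] > window:  # slide the window forward
                start += 1
            n = end - start + 1
            if n >= threshold and n > best:
                best = n
                users = {x["user"] for x in evs[start:end + 1]}
        if best:
            hits[ip] = (best, sorted(users))
    return hits


if __name__ == "__main__":
    for ip, (count, users) in find_bruteforce(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {count} failed logins, user names tried: {', '.join(users)}")
```

On the constructed sample, 10.0.0.99 is reported with five failures across the user names admin, huawei and root, while the single failure from 172.16.10.5 stays below the threshold. Run against the exported log file, the same logic gives a list of sources that can be fed into an ACL of the kind configured in step 4, this time matching the VTY service rather than ICMP.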

Updated: 2019-01-02

Document ID: EDOC1100055376