NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring Flow-based URPF

By configuring flow-based URPF, you can perform the URPF check only for flows of certain types on an interface. In this manner, packets of those types that carry a spoofed source address are discarded, which prevents them from being used in source address spoofing attacks.

Usage Scenario

To prevent network attacks based on source address spoofing, you need to configure URPF, which checks whether the source address of each packet matches the inbound interface. If the source IP address matches the inbound interface, the source IP address is considered legitimate and the packet is allowed to pass; otherwise, the source IP address is considered spoofed and the packet is discarded.

If you need to apply this check only to flows of certain types, rather than to all traffic on the interface, you need to configure flow-based URPF.

Pre-configuration Tasks

Link layer protocol parameters and IP addresses have been configured on the interfaces, and the link layer protocol on the interfaces is Up.

Configuration Procedure

Figure 7-5 Flowchart for configuring flow-based URPF

Configuring Traffic Classifiers

You need to define traffic classifiers when configuring traffic classification. Traffic classifiers can be defined based on ACLs, IP precedence, protocol type, MAC address, and protocol address.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run traffic classifier classifier-name [ operator { and | or } ]

    The traffic classifier is defined and the traffic classifier view is displayed.

    A user-defined classifier-name cannot be the same as a classifier name pre-defined by the system. The system-defined classifiers, however, can be used when users define traffic policies. For details on traffic classification, see the HUAWEI NE20E-S2 Universal Service Router Configuration Guide - QoS.

  3. Configure the traffic classifier as required.

    • Run the if-match 8021p 8021p-code command to define a matching rule to classify traffic based on the 802.1p priority in a VLAN packet.
    • Run the if-match [ ipv6 ] acl { acl-number | name acl-name } command to define a matching rule based on ACL rules.
    • Run the if-match [ ipv6 ] any command to define rules that match all packets.
    • Run the if-match destination-mac mac-address command to define a matching rule to classify traffic based on the destination MAC address.
    • Run the if-match ipv6 destination-address ipv6-address prefix-length command to define a matching rule to classify traffic based on the IPv6 destination address.
    • Run the if-match [ ipv6 ] dscp dscp-value command to define a matching rule to classify traffic based on the DSCP value.
    • Run the if-match mpls-exp exp-value command to define a matching rule to classify traffic based on the value of the MPLS EXP field.
    • Run the if-match ip-precedence ip-precedence command to define a matching rule to classify traffic based on IP precedence.
    • Run the if-match source-mac mac-address command to define a matching rule to classify traffic based on the source MAC address.
    • Run the if-match tcp syn-flag { tcpflag-value [ mask tcpflag-mask ] | bit-match { established | fin | syn | rst | psh | ack | urg | ece | cwr | ns } } command to define a matching rule to classify traffic based on the IPv4 TCP flag value.

    You can select one or several matching rules in step 3 as required.

  4. Run commit

    The configuration is committed.

Configuring Traffic Behaviors

When the routes between the interface under URPF check and the source address of the packet are symmetrical, that is, the route back to the source address leaves through the same interface, you need to use URPF check in strict mode; otherwise, you need to use URPF check in loose mode.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run traffic behavior behavior-name

    A traffic behavior is defined and the traffic behavior view is displayed.

    A user-defined behavior-name cannot be the same as a behavior name pre-defined by the system. The system-defined behaviors, however, can be used when users define traffic policies. For details on traffic behaviors, see the HUAWEI NE20E-S2 Universal Service Router Configuration Guide - QoS.

  3. Run ip urpf { loose | strict } [ allow-default ]

    URPF is enabled in strict or loose mode. With allow-default, a source address that matches only the default route also passes the check.

  4. Run commit

    The configuration is committed.

Configuring a Traffic Policy

After the traffic has been classified, the traffic classifier must be associated with a traffic behavior. This association forms a traffic policy.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run traffic policy policy-name

    A traffic policy is defined and the traffic policy view is displayed.

    A user-defined policy-name cannot be the same as a policy name pre-defined by the system. For details on traffic policies, see the HUAWEI NE20E-S2 Universal Service Router Configuration Guide - QoS.

  3. Run classifier classifier-name behavior behavior-name

    The traffic behavior is specified for the specified traffic class in the traffic policy.

    NOTE:

    Traffic of the same class cannot match two traffic behaviors at the same time.

  4. Run commit

    The configuration is committed.

Applying the Traffic Policy

After the traffic policy has been formed, it must be applied to the interface. The configured traffic behaviors take effect only on traffic that passes through the interface and matches the traffic classification rules.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run traffic-policy policy-name { inbound | outbound } [ all-layer | link-layer | mpls-layer ]

    The traffic policy is applied to the interface.

  4. Run commit

    The configuration is committed.
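The four steps above carried through as one complete configuration, added here as an example rather than taken from the Huawei guide: strict-mode URPF applied only to traffic claiming a single-homed customer's prefix on one access interface. The ACL number and rule (ACL command syntax comes from the device's ACL documentation, not this page), the classifier, behavior and policy names, the customer prefix 192.0.2.0/24 and the interface GigabitEthernet0/1/0 are all assumptions.

```text
# Added example (not from the Huawei guide). Names, the ACL rule and the
# interface are assumptions; adapt them to the real deployment.
system-view

# ACL 3001 selects the flows to be checked: packets whose source address
# falls in the customer prefix 192.0.2.0/24. ACL syntax is assumed from the
# device's ACL guide, not from this page.
acl number 3001
 rule 5 permit ip source 192.0.2.0 0.0.0.255
 quit

# Step 1: traffic classifier that matches ACL 3001
traffic classifier urpf-cust operator or
 if-match acl 3001
 commit
 quit

# Step 2: traffic behavior. The customer is single-homed behind this
# interface, so forward and return paths are symmetrical and strict mode is
# appropriate. Use "ip urpf loose" instead where return traffic for the
# source may arrive on a different interface, and add "allow-default" if a
# default route must satisfy the check.
traffic behavior urpf-strict
 ip urpf strict
 commit
 quit

# Step 3: traffic policy binding the classifier to the behavior
traffic policy urpf-policy
 classifier urpf-cust behavior urpf-strict
 commit
 quit

# Step 4: apply the policy inbound on the customer-facing interface, where
# spoofed packets would enter
interface GigabitEthernet0/1/0
 traffic-policy urpf-policy inbound
 commit
 quit
```

Traffic on the interface that does not match ACL 3001 is not subject to the URPF check, which is the point of flow-based URPF compared with enabling URPF on the whole interface.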

Updated: 2019-01-02

Document ID: EDOC1100055397