NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Example for Configuring URPF

By configuring flow-based URPF, you can prevent source address spoofing attacks that use packets of specific types.

Networking Requirements

In this example, URPF is enabled on the inbound interface of the ISP. As shown in Figure 7-6, Device A (the client device) and Device B (the ISP device) are directly connected. URPF is enabled on GE 0/1/0 of Device B. Configure the URPF strict check on Device B and allow packets whose source IP addresses match ACL 2010 to pass the check at any time. On Device A, enable URPF on GE 0/1/0, configure the URPF strict check, and enable default route matching.

Figure 7-6 Configuring URPF
NOTE:
  • The configurations in this example are performed on Device A and Device B. HUAWEI NE20E-S2 can function as Device A and Device B.
  • Interface1 in this example is GE 0/1/0.



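| Device Name | Interface Name | Interface IP Address | Interface MAC Address |
|-------------|----------------|----------------------|-----------------------|
| Device A    | GE 0/1/0       | 172.19.139.1/24      | -                     |
| Device B    | GE 0/1/0       | 172.19.139.2/24      | -                     |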

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a traffic policy on the ISP router to allow traffic from a certain network segment to pass the URPF check.

  2. Configure an IP address for the interface on Device A and enable URPF on the interface.

Data Preparation

To configure URPF, you need the following data:

  • IP addresses of interfaces

  • Network segment that can pass the URPF check

Procedure

  1. Configure Device B.

    # Configure ACL 2010, allowing the traffic from the network segment 10.1.1.0/24 to pass the URPF check.

    <routerB> system-view
    [~routerB] acl number 2010
    [*routerB-acl-basic-2010] rule permit source 10.1.1.0 0.0.0.255
    [*routerB-acl-basic-2010] commit
    [~routerB-acl-basic-2010] quit

    # Configure a traffic classifier and define a matching rule based on the ACL number.

    [~routerB] traffic classifier classifier1
    [*routerB-classifier-classifier1] if-match acl 2010
    [*routerB-classifier-classifier1] commit
    [~routerB-classifier-classifier1] quit

    # Define a traffic behavior and configure URPF.

    [~routerB] traffic behavior behavior1
    [*routerB-behavior-behavior1] ip urpf strict
    [*routerB-behavior-behavior1] commit
    [~routerB-behavior-behavior1] quit

    # Define a traffic policy and associate the traffic classifier with the traffic behavior.

    [~routerB] traffic policy policy1
    [*routerB-trafficpolicy-policy1] classifier classifier1 behavior behavior1
    [*routerB-trafficpolicy-policy1] commit
    [~routerB-trafficpolicy-policy1] quit

    # Apply the traffic policy to the interface.

    [~routerB] interface gigabitethernet 0/1/0
    [~routerB-GigabitEthernet0/1/0] undo shutdown
    [*routerB-GigabitEthernet0/1/0] ip address 172.19.139.2 255.255.255.252
    [*routerB-GigabitEthernet0/1/0] traffic-policy policy1 inbound
    [*routerB-GigabitEthernet0/1/0] commit

  2. Configure Device A.

    # Configure GE 0/1/0.

    <routerA> system-view
    [~routerA] interface gigabitethernet 0/1/0
    [~routerA-GigabitEthernet0/1/0] undo shutdown
    [*routerA-GigabitEthernet0/1/0] ip address 172.19.139.1 255.255.255.252

    # Enable URPF on GE 0/1/0, set the URPF check mode to strict, and enable default route match.

    [*routerA-GigabitEthernet0/1/0] ip urpf strict allow-default
    [*routerA-GigabitEthernet0/1/0] commit
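
The decision that `ip urpf strict allow-default` makes on Device A, and the wildcard match that ACL 2010 performs on Device B, modelled as an added Python example (not Huawei's code and not part of the original guide). The FIB contents, the second interface GE0/2/0, the 192.168.10.0/24 and 203.0.113.0/24 addresses, and the assumption that Device A's default route points out GE0/1/0 are constructed for illustration.

```python
import ipaddress

# Constructed FIB for Device A: (prefix, outbound interface).
DEVICE_A_FIB = [
    ("172.19.139.0/30", "GE0/1/0"),   # link to Device B (mask from the config)
    ("192.168.10.0/24", "GE0/2/0"),   # hypothetical customer LAN
    ("0.0.0.0/0", "GE0/1/0"),         # assumed default route toward the ISP
]

def lookup(fib, src):
    """Longest-prefix match on the source address; None if no route."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best

def urpf_strict(fib, src, in_if, allow_default=False):
    """Strict URPF: the route back to the source must exist and must leave
    through the interface the packet arrived on. A source that only matches
    the default route passes only when allow_default is set."""
    hit = lookup(fib, src)
    if hit is None:
        return False
    net, out_if = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    return out_if == in_if

def acl_match(src, base, wildcard):
    """Basic ACL wildcard match: 0 bits must be equal, 1 bits are ignored."""
    s = int(ipaddress.ip_address(src))
    b = int(ipaddress.ip_address(base))
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (s & care) == (b & care)

if __name__ == "__main__":
    for src, in_if in [("172.19.139.2", "GE0/1/0"),
                       ("203.0.113.9", "GE0/1/0"),
                       ("192.168.10.5", "GE0/1/0")]:   # LAN source on the wrong port
        print(src, in_if,
              "strict:", urpf_strict(DEVICE_A_FIB, src, in_if),
              "strict allow-default:", urpf_strict(DEVICE_A_FIB, src, in_if, True))
    print("ACL 2010 matches 10.1.1.77:", acl_match("10.1.1.77", "10.1.1.0", "0.0.0.255"))
```

Without `allow-default`, every Internet source reachable only through the default route fails the strict check, which is why the option is enabled on the client-side device in this example.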

Configuration Files

  • Device A configuration file

    #
     sysname routerA
    #
    interface GigabitEthernet0/1/0
     undo shutdown
     ip address 172.19.139.1 255.255.255.252
     ip urpf strict allow-default
    #
    return
  • Device B configuration file

    #
     sysname routerB
    #
    acl number 2010
     rule 5 permit source 10.1.1.0 0.0.0.255
    # 
    traffic classifier classifier1 operator or
     if-match acl 2010
    #
    traffic behavior behavior1
     ip urpf strict
    #
    traffic policy policy1
     classifier classifier1 behavior behavior1
    #
    interface GigabitEthernet0/1/0
     undo shutdown
     ip address 172.19.139.2 255.255.255.252
     traffic-policy policy1 inbound
    #
    return
Updated: 2019-01-02

Document ID: EDOC1100055397