No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

This is NE20E-S2 V800R010C10SPC500 Configuration Guide - Security
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Configuring OSPF GTSM

Example for Configuring OSPF GTSM

This section describes how to configure OSPF GTSM to protect devices on an OSPF network against CPU utilization-based attacks.

Networking Requirements

As shown in Figure 5-1, OSPF runs on the routers and the GTSM is enabled on Device C.

The valid TTL ranges of the packets sent from each router to Device C are as follows:

  • Device A and Device E are the neighbors of Device C. The valid TTL range of the packets from Device A and Device E to Device C is 255.

  • The valid TTL ranges of the packets sent from Device B, Device D, and Device F to Device C are [254, 255], [253, 255], and [252, 255] respectively.

Figure 5-1 Configuring OSPF GTSM
NOTE:

Interface 1 and interface 2 in this example are GE 0/1/0 and GE 0/2/0, respectively.



Configuration Notes

None.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure basic OSPF functions.

  2. Enable the GTSM on each router and specify the valid TTL range of packets.

Data Preparation

To complete the configuration, you need the following data:

  • OSPF process ID of each router

  • Valid TTL range of the packets transmitted between the routers

Procedure

  1. Configure IP addresses for interfaces. The configuration details are not mentioned here.
  2. Configure the basic OSPF functions. The configuration details are not mentioned here.
  3. Configure the OSPF GTSM.

    # Configure the valid TTL range of the packet from Device C to other routers as [252, 255].

    [~DeviceC] ospf valid-ttl-hops 4
    [*DeviceC] commit

    # Configure the valid TTL range of the packets from Device A to Device C as [255, 255].

    [~DeviceA] ospf valid-ttl-hops 1
    [*DeviceA] commit

    # Configure the valid TTL range of the packets from Device B to Device C as [254, 255].

    [~DeviceB] ospf valid-ttl-hops 2
    [*DeviceB] commit

    # Configure the valid TTL range of the packets from Device D to Device C as [253, 255].

    [~DeviceD] ospf valid-ttl-hops 3
    [*DeviceD] commit

    # Configure the valid TTL range of the packets from Device E to Device C as [255, 255].

    [~DeviceE] ospf valid-ttl-hops 1
    [*DeviceE] commit

    # Configure the valid TTL range of the packets from Device F to Device C as [252, 255].

    [~DeviceF] ospf valid-ttl-hops 4
    [*DeviceF] commit

  4. Verify the configuration.

    # Check whether OSPF neighbor relationships between the routers are established normally. Take Device A as an example. You can view the status of the neighbor relationship is Full, that is, neighbors are established normally.

    [~DeviceA] display ospf peer
              OSPF Process 1 with Router ID 1.1.1.1
                      Neighbors
     Area 0.0.0.0 interface 192.168.0.1(GigabitEthernet0/1/0)'s neighbors
    Router ID: 2.2.2.2      Address: 192.168.0.2
    State: Full  Mode:Nbr is  Master  Priority: 1
       DR: None   BDR: None   MTU: 0
       Dead timer due in 36  sec
       Retrans timer interval: 5
       Neighbor is up for 00:15:04
       Authentication Sequence: [ 0 ]
                      Neighbors
     Area 0.0.0.1 interface 192.168.1.1(GigabitEthernet0/2/0)'s neighbors
    Router ID: 3.3.3.3       Address: 192.168.1.2
    State: Full  Mode:Nbr is  Master  Priority: 1
       DR: None   BDR: None   MTU: 0
       Dead timer due in 39  sec
       Retrans timer interval: 5
       Neighbor is up for 00:07:32
       Authentication Sequence: [ 0 ]

    # Run the display gtsm statistics all command on Device C. You can view the statistics about the GTSM. If the default action that is performed on the packets is "pass" and all the packets are valid, no packet is dropped.

    <DeviceC> display gtsm statistics all
    GTSM Statistics Table
    ----------------------------------------------------------------
    SlotId  Protocol  Total Counters  Drop Counters  Pass Counters
    ----------------------------------------------------------------
     1      BGP       0               0              0
     1      BGPv6     0               0              0
     1      OSPF      0               0              0
     1      LDP       0               0              0
     1      OSPFv3    0               0              0 
     1      RIP       0               0              0 
     2      BGP       0               0              0
     2      BGPv6     0               0              0
     2      OSPF      0               0              0
     2      LDP       0               0              0
     2      OSPFv3    0               0              0 
     2      RIP       0               0              0 
     3      BGP       0               0              0
     3      BGPv6     0               0              0
     3      OSPF      0               0              0
     3      LDP       0               0              0
     3      OSPFv3    0               0              0 
     3      RIP       0               0              0 
     4      BGP       0               0              0
     4      BGPv6     0               0              0
     4      OSPF      0               0              0
     4      LDP       0               0              0
     4      OSPFv3    0               0              0 
     4      RIP       0               0              0 
     5      BGP       0               0              0
     5      BGPv6     0               0              0
     5      OSPF      0               0              0
     5      LDP       0               0              0
     5      OSPFv3    0               0              0 
     5      RIP       0               0              0 
     7      BGP       0               0              0
     7      BGPv6     0               0              0
     7      OSPF      0               0              0
     7      LDP       0               0              0
     7      OSPFv3    0               0              0 
     7      RIP       0               0              0 
    ----------------------------------------------------------------

    If the host PC simulates OSPF packets of Device A to attack Device C, the packets are dropped because the TTL value is not 255 when the packets reach Device C. In the GTSM statistics on Device C, the number of dropped packets also increases.

Configuration Files

  • Device A configuration file

    #
     sysname DeviceA
    #
    router id 1.1.1.1
    #
    interface GigabitEthernet0/1/0
     undo shutdown
    ip address 192.168.0.1 255.255.255.0
    #
    interface GigabitEthernet0/2/0
     undo shutdown
    ip address 192.168.1.1 255.255.255.0
    #
    ospf 1
     area 0.0.0.0
      network 192.168.0.0 0.0.0.255
     area 0.0.0.1
      network 192.168.1.0 0.0.0.255
    #
    ospf valid-ttl-hops 1
    #
    return
  • Device B configuration file

    #
     sysname DeviceB
    #
    router id 2.2.2.2
    #
    interface GigabitEthernet0/1/0
     undo shutdown
     ip address 192.168.0.2 255.255.255.0
    #
    interface GigabitEthernet0/2/0
     undo shutdown
    ip address 192.168.2.1 255.255.255.0
    #
    ospf 1
     area 0.0.0.0
      network 192.168.0.0 0.0.0.255
     area 0.0.0.2
      network 192.168.2.0 0.0.0.255
    #
    ospf valid-ttl-hops 2
    #
    return
  • Device C configuration file

    #
     sysname DeviceC
    #
    router id 3.3.3.3
    #
    interface GigabitEthernet0/2/0
     undo shutdown
     ip address 172.16.1.1 255.255.255.0
    #
    interface GigabitEthernet0/1/0
     undo shutdown
     ip address 192.168.1.2 255.255.255.0
    #
    ospf 1
     area 0.0.0.1
      network 192.168.1.0 0.0.0.255
      network 172.16.1.0 0.0.0.255
    #
    ospf valid-ttl-hops 4
    #
    return
  • Device configuration file

    #
     sysname DeviceD
    #
    router id 4.4.4.4
    #
    interface GigabitEthernet0/2/0
     undo shutdown
     ip address 172.17.1.1 255.255.255.0
    #
    interface GigabitEthernet0/1/0
     undo shutdown
    ip address 192.168.2.2 255.255.255.0
    #
    ospf 1
     area 0.0.0.2
      network 192.168.2.0 0.0.0.255
      network 172.17.1.0 0.0.0.255
    #
    ospf valid-ttl-hops 3
    #
    return
  • Device E configuration file

    #
     sysname DeviceE
    #
    router id 5.5.5.5
    #
    interface GigabitEthernet0/2/0
     undo shutdown
     ip address 172.16.1.2 255.255.255.0
    #
    ospf 1
     area 0.0.0.1
      network 172.16.1.0 0.0.0.255
    #
    ospf valid-ttl-hops 1
    #
    return
  • Device F configuration file

    #
     sysname DeviceF
    #
    router id 6.6.6.6
    #
    interface GigabitEthernet0/2/0
     undo shutdown
     ip address 172.17.1.2 255.255.255.0
    #
    ospf 1
     area 0.0.0.2
      network 172.17.1.0 0.0.0.255
    #
    ospf valid-ttl-hops 4
    #
    return
Translation
Download
Updated: 2019-01-02

Document ID: EDOC1100055397

Views: 19664

Downloads: 39

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next