NE20E-S2 V800R010C10SPC500 Configuration Guide - System Management 01

Improving DCN Security

To improve DCN security, you can configure SSL authentication and an alarm threshold for the number of NEs connected to the GNE and optimize DCN routes.

Usage Scenario

You can improve DCN security through the following methods:
  • Configure an alarm threshold for the number of NEs connected to the GNE to prevent the GNE from being overloaded with NEs. When the number of NEs connected to the GNE reaches the alarm threshold, the GNE will send a trap to its interworking NMSs.
  • Configure Secure Sockets Layer (SSL) authentication and OSPF interface authentication.
  • Configure OSPF parameters as required to optimize DCN routes.
  • Adjust the forwarding priority of DCN packets as required to improve network stability.
  • Configure an ACL-based DCN policy to be used to filter DCN packets.

Pre-configuration Tasks

Before configuring related functions to improve DCN security, enable DCN globally.

Configuration Procedures

Perform one or more of the following configurations as required.

Configuring an Alarm Threshold for the Number of NEs Connected to a GNE

To prevent a GNE from being overloaded with NEs, configure an alarm threshold for the number of NEs connected to the GNE. When the number of NEs connected to the GNE reaches the alarm threshold, the GNE will send a trap to its interworking NMSs.

Background Information

On a DCN, NMSs use GNEs to manage all common NEs. To prevent a GNE from being overloaded with NEs, configure an alarm threshold for the number of NEs connected to the GNE. When the number of NEs connected to the GNE reaches the alarm threshold, the GNE will send a trap to its interworking NMSs.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run dcn

    The DCN view is displayed.

  3. Run ne-number alarm threshold threshold

    An alarm threshold is configured for the number of NEs connected to the GNE.

  4. Run commit

    The configuration is committed.

Configuring SSL Authentication on a GNE

After Secure Sockets Layer (SSL) authentication is configured on a GNE, the GNE can communicate with its interworking NMSs only when the exchanged packets are authenticated.

Prerequisites

Before configuring DCN SSL functions, configure an SSL policy and load a digital certificate. For detailed configuration procedure, see Configuring and Binding an SSL Policy.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run dcn

    The DCN view is displayed.

  3. Run bind ssl-policy ssl-policy-name

    An SSL policy is bound to DCN.

    NOTE:

    Load the certificate of the SSL policy to be bound to the NMSs and GNE, so DCN can use the certificate to implement SSL handshake authentication after the SSL policy is bound to DCN.

  4. Run connect-mode { normal | security | both }

    A connection mode is specified for the GNE to set up connections with NMSs.

    • normal: indicates that SSL encryption is not applied to the TCP connection.

    • security: indicates that SSL encryption is applied to the TCP connection.

    • both: indicates that both normal and security are supported.

  5. Run ssl verify-mode { single | dual }

    The SSL authentication mode is configured.

    • single: indicates that SSL authentication applies only to the GNE.

    • dual: indicates that SSL authentication applies both to the GNE and NMS.

  6. (Optional) Run ssl-auth-fail threshold-alarm report-times report-times

    An alarm generation threshold is set for the number of SSL authentication failures within 60 seconds.

  7. Run commit

    The configuration is committed.

Configuring OSPF Interface Authentication

A DCN runs OSPF and supports packet authentication. After an authentication mode is specified, NEs accept only the OSPF packets that have been authenticated. If packets fail to be authenticated, neighbor relationships cannot be established.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run dcn (interface view) or dcn mode vlan

    DCN is enabled on the interface or sub-interface 4094.

  4. Run any of the following commands:

    • To configure simple authentication, run the dcn ospf authentication-mode simple [ [ plain ] simple-plain-text | cipher simple-cipher-text ] command.

      NOTE:
      • The new password is at least eight characters long and contains at least two of the following types: upper-case letters, lower-case letters, digits, and special characters.

      • For security purposes, you are advised to configure a password in ciphertext mode. To further improve device security, periodically change the password.

    • To configure Message Digest 5 (MD5) or Secure Hash Algorithm (SHA) authentication, run the dcn ospf authentication-mode { { md5 | hmac-md5 | hmac-sha256 } [ key-id { plain plain-text | [ cipher ] cipher-text } ] } command.

      NOTE:

      For the sake of security, using the HMAC-SHA256 algorithm rather than the MD5 or HMAC-MD5 algorithm is recommended.

    • To configure null authentication, run the dcn ospf authentication-mode null command. In null authentication mode, OSPF packets are not authenticated.

    OSPF interfaces on the same network segment must have the same authentication mode and password.

    By default, area authentication is not configured for OSPF. Configuring area authentication is recommended to ensure system security.

  5. Run commit

    The configuration is committed.

Optimizing DCN Routes

To improve DCN performance, configure OSPF functions.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run dcn (interface view) or dcn mode vlan

    DCN is enabled on the interface or sub-interface 4094.

  4. Perform one or more of the following operations to configure OSPF functions.

    • Run dcn ospf timer hello interval

      An interval at which hello packets are sent is configured.

    • Run dcn ospf timer retransmit interval

      An interval at which an LSA packet is retransmitted to the neighboring router is set.

    • Run dcn ospf trans-delay interval

      An LSA transmission delay is set on the interface.

    • Run dcn ospf timer dead interval

      The dead interval is set for a neighboring router.

      If an interface does not receive Hello packets from an OSPF neighbor within the specified interval, the interface considers the neighbor Down. This interval is called an OSPF neighbor dead interval.

    • Run dcn ospf timer poll interval

      The interval at which hello packets for polling are sent by an NBMA interface is set.

  5. Run commit

    The configuration is committed.

Configuring a Forwarding Priority for DCN Packets

If DCN packets are carried by IP packets, the forwarding priority of the DCN packets is lower than that of other packets. In this scenario, configure a forwarding priority, based on which a GNE forwards the DCN packets.

Context

Packets have protocol priorities, based on which they are transmitted. On a DCN network, you can configure a forwarding priority for DCN packets as follows:

  • If service packet transmission must be ensured, reduce the forwarding priority of DCN packets to be lower than that of service packets, which prevents service packet loss.

  • If the requirement on service packet transmission is not high, increase the forwarding priority of DCN packets to be higher than that of service packets, which ensures the communication between NEs and between each NE and the NMS.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run dcn

    The DCN view is displayed.

  3. Run data-packet priority priority

    A protocol priority is configured for DCN packets.

  4. Run commit

    The configuration is committed.

Configuring an ACL-based DCN Policy

An ACL-based DCN policy can be used to filter DCN packets. The DCN packets that fail to match the ACL rule are discarded, improving DCN network security.

Prerequisites

Before configuring an ACL-based DCN policy, complete either of the following tasks:

  • Create a basic ACL using the acl (basic ACL) command and configure a rule for the ACL using the rule command in the basic ACL view.
  • Create an advanced ACL using the acl (advanced ACL) command and configure a rule for the ACL using the rule command in the advanced ACL view.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run dcn

    The DCN view is displayed.

  3. Run packet-policy { acl-name acl-name | basic-number | adv-number }

    An ACL-based DCN policy is configured.

    A basic or an advanced ACL can be specified in the command. ACLs numbered 2000 to 2999 are basic ACLs; ACLs numbered 3000 to 3999 are advanced ACLs.

  4. Run commit

    The configuration is committed.

Disabling Fast DCN Session Restart Triggered by DCN PPPoE Terminate Packets

Disabling fast DCN session restart triggered by DCN PPPoE Terminate packets prevents such packets from being used to launch an attack, which improves device reliability.

Background

DCN PPPoE Terminate packets are used to instruct a peer end to fast restart a DCN session. Due to the lack of an authentication mechanism in DCN, if DCN PPPoE Terminate packets are used to launch an attack, devices fail to be managed by the NMS. To address this problem, disable fast DCN session restart triggered by DCN PPPoE Terminate packets.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run dcn

    The DCN view is displayed.

  3. Run fast-terminate disable

    Fast DCN session restart triggered by DCN PPPoE Terminate packets is disabled.

  4. Run commit

    The configuration is committed.

Configuring Encryption for the Channel Between a GNE and an NE

To prevent malicious attacks and improve security, configure encryption for the channel between the specified GNE and NE.

Context

If the DCN channel between a GNE and an NE is not encrypted, the channel is prone to attacks. To improve security, configure encryption for the channel.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run dcn

    The DCN view is displayed.

  3. Run dcn encrypt neid neid authkey auth-key

    Encryption is configured for the channel to the NE with a specified NEID.

  4. Run commit

    The configuration is committed.

Checking the Configurations

After configuring channel encryption, check the configurations.

Run the display dcn encrypt channel [ neid neid ] command to check the status of the encrypted channel.

<HUAWEI> display dcn encrypt channel
 Total Number: 2
-------------------------------------
 NEID             STATE              
-------------------------------------
 0x123123         INIT               
 0x123456         INIT               
-------------------------------------

Verifying the DCN Security Configuration

After configuring related functions to improve DCN security, verify the configuration.

Prerequisites

Related functions to improve DCN security have been configured on all NEs.

Procedure

  • Run the display this command to check configurations that improve DCN security.
  • Run the display dcn brief command to check configurations of the GNE.

Example

Run the display this command to check the configured alarm threshold for the number of NEs managed by the GNE and SSL authentication information.

[~HUAWEI] display this
#                                                                               
!The DCN function implements the capability of plug-and-play for this device.
!A NE IP address based on the unique NE ID is automatically generated in VPN
!of DCN. It is recommended that the NE IP address be changed to the planned 
!one by running the ne-ip X.X.X.X <MASK>command after the device being online.
dcn                                                                             
 ne-number alarm threshold 300                                                  
 connect-mode security                                                          
 ssl verify-mode dual                                                           
 bind ssl-policy huawei2012                                                 
#                                                                               
return

Run the display this command to check the configuration of OSPF interface authentication.

[~HUAWEI-interface GigabitEthernet0/1/0] display this
#                                                                               
 undo shutdown                                                                  
 dcn                                                                            
 dcn ospf authentication-mode hmac-sha256                                       
#                                                                               
return

Run the display this command to check the configuration of DCN route optimization.

[~HUAWEI-interface GigabitEthernet0/1/0] display this
#                                                                               
 undo shutdown                                                                  
 dcn                                                                            
 dcn ospf timer hello 200                                                       
 dcn ospf timer dead 400                                                        
 dcn ospf timer poll 200                                                        
 dcn ospf timer retransmit 200                                                  
 dcn ospf trans-delay 20                                                        
#                                                                               
return

Run the display dcn brief command to view configurations of the GNE.

<HUAWEI> display dcn brief
------------------------------------------------
 NE-ID:               0x10008
 NE-IP:               128.1.0.8
 Mask:                255.255.0.0
 DCN-Interface:       LoopBack2047
 Auto-Report:         Enable
------------------------------------------------

Run the display this command in the DCN view to check that fast DCN session restart triggered by DCN PPPoE Terminate packets is disabled.

[~HUAWEI-dcn] display this
#                                                                               
!The DCN function implements the capability of plug-and-play for this device.
!A NE IP address based on the unique NE ID is automatically generated in VPN
!of DCN. It is recommended that the NE IP address be changed to the planned 
!one by running the ne-ip X.X.X.X <MASK>command after the device being online.
dcn                                                                             
 bandwidth ethernet 1024                                                        
 bandwidth pos 1024                                                             
 bandwidth serial 192                                                           
 fast-terminate disable                                                         
#                                                                               
return
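As an added example that is not part of this guide, the following Python audit parses display this output in the format shown above and reports every hardening step of this section that the configuration does not show (connect-mode security, ssl verify-mode dual, a bound SSL policy, fast-terminate disable, an ACL-based packet-policy, and HMAC-SHA256 OSPF authentication on DCN interfaces). The configuration sample and the check patterns are constructed for illustration.

```python
import re
# Constructed "display this" output (DCN view plus one DCN-enabled interface),
# modelled on the displays in this guide; every value here is made up.
SAMPLE_CONFIG = """\
#
dcn
 connect-mode both
 ssl verify-mode single
 bind ssl-policy huawei2012
#
interface GigabitEthernet0/1/0
 dcn
 dcn ospf authentication-mode md5 1 cipher %^%#CONSTRUCTED%^%#
#
return
"""

# Each DCN-view check: (regex a hardened config must match, finding if absent).
DCN_VIEW_CHECKS = [
    (r"^connect-mode security$", "connect-mode is not 'security'; NMS connections without SSL are accepted"),
    (r"^ssl verify-mode dual$", "ssl verify-mode is not 'dual'; the NMS is not authenticated"),
    (r"^bind ssl-policy \S+$", "no SSL policy is bound to DCN"),
    (r"^fast-terminate disable$", "fast DCN session restart by PPPoE Terminate packets is still enabled"),
    (r"^packet-policy ", "no ACL-based DCN policy filters DCN packets"),
]

def parse_blocks(text):
    """Split VRP-style output into (header, body) blocks delimited by '#' lines."""
    blocks = []
    for chunk in re.split(r"^#[ \t]*$", text, flags=re.M):
        lines = [l.strip() for l in chunk.splitlines()
                 if l.strip() and l.strip() != "return" and not l.lstrip().startswith("!")]
        if lines:
            blocks.append((lines[0], lines[1:]))
    return blocks

def audit_dcn(text):
    """Return one finding per hardening step of this guide the config does not show."""
    findings = []
    for header, body in parse_blocks(text):
        if header == "dcn":
            for pattern, finding in DCN_VIEW_CHECKS:
                if not any(re.match(pattern, l) for l in body):
                    findings.append(f"dcn: {finding}")
        elif header.startswith("interface ") and "dcn" in body:
            # The guide recommends HMAC-SHA256 over simple, MD5, HMAC-MD5 and null.
            modes = [l.split()[3] for l in body if l.startswith("dcn ospf authentication-mode ")]
            mode = modes[0] if modes else "none"
            if mode != "hmac-sha256":
                findings.append(f"{header}: OSPF authentication is '{mode}', expected hmac-sha256")
    return findings
```

Running audit_dcn on the output of display this in the DCN view and on each DCN-enabled interface gives a quick compliance check after the procedures above have been applied on every NE.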
Updated: 2019-01-02

Document ID: EDOC1100055400
