ME60 V800R010C10SPC500 Configuration Guide - Security Hardening 01

Security Defense Capabilities of the Forwarding Plane

To keep the CPU running normally, the forwarding plane of ME60 devices provides the following security defense capabilities:
  • Access control list (ACL)
  • Unicast reverse path forwarding (URPF)
  • DHCP Snooping

ACLs

An ACL consists of a series of ordered rules. Each rule describes packet attributes such as the source address, destination address, and port number, and an ACL classifies packets by matching them against these rules. When an ACL is applied to an ME device, the device uses it to decide which packets to accept and which to reject.

For example, an ACL can be configured to reject all Telnet access to the local server while still allowing email to be delivered to it over Simple Mail Transfer Protocol (SMTP).

Multiple rules can be defined in each ACL. Based on the function of their rules, ACLs are classified into interface ACLs, basic ACLs, advanced ACLs, and MPLS ACLs. An ACL is a set of matching options; select and configure the ACL type that fits the service.

ACLs can be classified from different perspectives. See the following table.

Table 6-1 ACL classification

ACL Classification Basis: Whether IPv4 or IPv6 is supported
ACL Type:
  • ACL4
  • ACL6

ACL Classification Basis: Function of ACL rules
ACL Type:
  • Interface ACLs: permit or reject packets passing through an interface. The ACL IDs range from 1000 to 1999, so 1000 interface ACLs are supported.
  • Basic ACLs: match on the source addresses of packets. The ACL IDs range from 2000 to 2999, so 1000 basic ACLs are supported.
  • Advanced ACLs: match on the quintuples of packets. A quintuple comprises the source address, destination address, protocol ID (such as TCP or User Datagram Protocol (UDP)), source port number, and destination port number.

    Advanced ACLs are further divided into digital ACLs and name ACLs:

    • The IDs of digital ACLs range from 3000 to 3999, so 1000 digital advanced ACLs are supported.
    • The IDs of name ACLs range from 42768 to 75535, so 32768 name ACLs are supported.
  • MPLS ACLs: match on the Exp, Label, and TTL values of MPLS packets. The IDs of MPLS ACLs range from 10000 to 10999, so 1000 MPLS ACLs are supported.

The following table lists the filter options supported by the four ACL types classified based on ACL functions.

Table 6-2 Filter options supported by different ACLs

ACL Type: Interface ACLs
Supported Filter Options:
  • Interface name: the interface through which a packet is received. The keyword "any" indicates all interfaces.
  • Validity period: the period during which the ACL is effective. If no validity period is set, the ACL takes effect immediately after being configured.

ACL Type: Basic ACLs
Supported Filter Options:
  • Source IP address: the source address to match. If no source address is configured, packets with any source address are allowed to pass.
  • Validity period: the period during which the ACL is effective. If no validity period is set, the ACL takes effect immediately after being configured.

ACL Type: Advanced ACLs
Supported Filter Options:
  • Protocol type: the protocol to match, given as a name or a number. The numeric value ranges from 1 to 255. As a name, the value can be gre, icmp, igmp, ip, ipinip, ospf, tcp, or udp. Different parameters can be set for different protocols; source and destination port numbers can be set only for TCP and UDP.
  • Source IP address: the source address to match. If no source address is configured, packets with any source address are allowed to pass.
  • Destination IP address: the destination address to match. If no destination address is configured, packets with any destination address are allowed to pass.
  • Source and destination ports: the source and destination port numbers of TCP or UDP packets. They are effective only for TCP and UDP. If no source or destination port number is configured, TCP or UDP packets with any source or destination port number are allowed to pass.
  • Differentiated services code point (DSCP): the most significant six bits of the type of service (ToS) field in the IP header. The value ranges from 0 to 63.
  • Fragment packet type: whether the ACL applies only to fragments other than the first fragment. When this option is set, the ACL is effective only for non-first fragments.
  • Priority: filters packets on the priority field (the most significant three bits of the ToS field in the IP header). The value is a keyword or a number; as a number it is an integer from 0 to 7.
  • TCP flag: the value of the TCP flags field. The value ranges from 0 to 63.
  • ToS: filters packets on the ToS field.
  • Internet Control Message Protocol (ICMP): filters ICMP packets on their name, type, and code. The option is effective only for ICMP. If it is not configured, all ICMP packets are allowed to pass.
  • Validity period: the period during which the ACL is effective. If no validity period is set, the ACL takes effect immediately after being configured.

ACL Type: MPLS ACLs
Supported Filter Options:
  • Exp: the Exp value of MPLS packets. If no Exp value is configured, MPLS packets with any Exp value are allowed to pass.
  • Label: the label value of MPLS packets. If no Label value is configured, MPLS packets with any Label value are allowed to pass.
  • Time to live (TTL): the TTL value of MPLS packets. If no TTL value is configured, MPLS packets with any TTL value are allowed to pass.
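The following is an added example, not code from the guide or from the ME60 itself, that models the ACL semantics described above: rules are walked in order and the first match decides; a basic ACL consults only the source address; in an advanced ACL an unset option matches anything, port options are consulted only for TCP and UDP, and the fragment option restricts a rule to non-first fragments. The ID ranges come from Table 6-1; the Telnet/SMTP rules reproduce the page's own example. The default action for packets matching no rule is an assumption (the guide does not state one), as are the constructed packets.

```python
import ipaddress
from collections import namedtuple

# Packet fields: ports matter only for TCP/UDP; non_first_fragment marks a
# fragment other than the first one. Sample packets below are constructed.
Packet = namedtuple("Packet", "src dst proto sport dport non_first_fragment",
                    defaults=(0, 0, False))
# Rule fields: None means "not configured", i.e. match any; fragment=True limits
# the rule to non-first fragments (the fragment option in Table 6-2).
Rule = namedtuple("Rule", "action src dst proto sport dport fragment",
                  defaults=(None, None, None, None, None, False))

def acl_type(acl_id):
    """Map an ACL ID to its type using the ID ranges given in Table 6-1."""
    for lo, hi, kind in [(1000, 1999, "interface"), (2000, 2999, "basic"),
                         (3000, 3999, "advanced"), (10000, 10999, "mpls"),
                         (42768, 75535, "advanced-named")]:
        if lo <= acl_id <= hi:
            return kind
    raise ValueError(f"ACL ID {acl_id} is outside every documented range")

def _in(addr, prefix):
    """True when prefix is unset (match any) or contains addr."""
    return prefix is None or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

def rule_matches(rule, pkt, kind):
    if not _in(pkt.src, rule.src):
        return False
    if kind == "basic":                 # basic ACLs look at the source address only
        return True
    if not _in(pkt.dst, rule.dst) or (rule.proto is not None and rule.proto != pkt.proto):
        return False
    if pkt.proto in ("tcp", "udp"):     # port options are effective only for TCP and UDP
        for want, have in ((rule.sport, pkt.sport), (rule.dport, pkt.dport)):
            if want is not None and want != have:
                return False
    return not rule.fragment or pkt.non_first_fragment

def evaluate(acl_id, rules, pkt, default="deny"):
    """Walk the rules in order; the first match decides. 'default' is an assumed
    fallback for packets that match no rule (the guide does not state one)."""
    kind = acl_type(acl_id)
    if kind not in ("basic", "advanced", "advanced-named"):
        raise ValueError(f"{kind} ACLs are not modelled in this example")
    for rule in rules:
        if rule_matches(rule, pkt, kind):
            return rule.action
    return default
```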

URPF

URPF works in strict mode or loose mode. A URPF-capable ME device queries the forwarding information base (FIB) when Layer 3 IP packets arrive at the network processor (NP). If these packets take a local route, the ME device performs the URPF check before sending them to the control processor (CP). The URPF check uses the routing table to verify that the source IP address of each packet is valid.

The URPF can be set to work in strict mode or loose mode and supports matching of default routes:

  • In strict mode, if a packet matches a specific route and the inbound interface of the packet is the same as the outbound interface of the route, the packet is allowed to pass. Otherwise, the packet is discarded.
  • In loose mode, if a packet matches a specific route, the packet is allowed to pass. Otherwise, the packet is discarded. Default routes are not matched unless this is explicitly configured.

Default-route matching must be used together with strict URPF. When a packet matches a specific route or the default route and the inbound interface of the packet is the same as the outbound interface of the matched route, the packet is allowed to pass. Otherwise, the packet is discarded. Loose URPF and strict URPF are mutually exclusive.
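The URPF decision described above, as an added example that is not part of the guide or the ME60 software: a longest-prefix lookup of the source address against a small constructed FIB, followed by the strict or loose verdict, with the default route counted as a match only when default-route matching is enabled. The FIB entries, interface names and the match_default option name are assumptions for the example.

```python
import ipaddress

# Constructed FIB entries (prefix, outbound interface) for the example; the
# default route is included so that default-route matching can be exercised.
FIB = [
    ("10.1.0.0/16", "GE1/0/0"),
    ("10.1.5.0/24", "GE1/0/1"),
    ("192.168.0.0/24", "GE2/0/0"),
    ("0.0.0.0/0", "GE3/0/0"),
]

def lookup(src_ip, fib=FIB):
    """Longest-prefix match of a source address against the FIB.
    Returns (network, outbound interface) or None when nothing matches."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_check(src_ip, in_iface, mode="strict", match_default=False, fib=FIB):
    """Return True if the packet passes the URPF check.
    mode: "strict" or "loose" (the two are mutually exclusive).
    match_default: also accept a hit on the default route; the guide pairs this
    option with strict mode, which then still requires the interfaces to match."""
    if mode not in ("strict", "loose"):
        raise ValueError("URPF mode must be 'strict' or 'loose'")
    hit = lookup(src_ip, fib)
    if hit is None:
        return False                       # no route for the source at all
    net, out_iface = hit
    if net.prefixlen == 0 and not match_default:
        return False                       # only the default route matched
    if mode == "loose":
        return True                        # any matching route is enough
    return in_iface == out_iface           # strict: ingress must equal egress
```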

Updated: 2019-01-04

Document ID: EDOC1100059445
