
ME60 V800R010C10SPC500 Configuration Guide - Security Hardening 01

Access Control Based on Trusted Paths

Because IP networks are open, anyone can access or attack a target host as long as a route to it is reachable.

For a given host, the path along which packets reach it is fixed, especially at the edge of a network.

In a telecommunication network, the topology of the neighboring NEs connected to an ME device is determined at the network planning stage and is rarely modified during network operation.

Based on the preceding assumptions, a trusted-path-based access control policy can be configured on the ME device to improve network security.

Figure 7-6 Reverse-path forwarding model of unicast reverse path forwarding (URPF)

For detailed information, see Configuring URPF in the ME60 Configuration Guide - Security:

  • Configuring URPF on an Interface

  • Configuring Flow-based URPF

Unicast reverse path forwarding (URPF) is deployed to determine whether the source IP address of a packet is valid. If the path by which a packet arrives is inconsistent with the reverse path that URPF derives for its source address, the packet is discarded. URPF helps to prevent network attacks based on spoofed IP source addresses.

Example for Configuring URPF

Networking Requirements

This example describes how to enable URPF at the Internet service provider (ISP) entry point. In Figure 7-7, ME device A of the customer directly connects to the ISP ME device B. URPF must be enabled on the interface GE1/0/0 of ME device B. The strict URPF check is required. Packets whose source IP addresses are contained in ACL 2010 can pass the strict URPF check in all conditions. URPF must be enabled on the interface GE1/0/0 of ME device A. The strict URPF check is required, and the default route matching must be enabled.

Figure 7-7 Networking diagram for configuring URPF
NOTE:

The configurations in this example are performed on Device A and Device B. An ME device can function as either Device A or Device B.

Device Name   Interface   IP Address
Device A      GE1/0/0     1.1.1.1/30
Device B      GE1/0/0     1.1.1.2/30
Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a traffic policy on the ISP ME device B to allow the traffic in the specified network segment to pass the URPF check.
  2. Configure an IP address for the interface GE1/0/0 of ME device A of the client and enable URPF.
Data Preparation

To complete the configuration, you need the following data:

  • IP addresses of interfaces
  • IP addresses in the network segment that passes the URPF check
Procedure
  1. Configure ME device B.

    # Configure ACL 2010 to allow the traffic in the network segment 10.1.1.0/24 to pass the URPF check.

    <DeviceB> system-view
    [~DeviceB] acl number 2010
    [~DeviceB-acl-basic-2010] rule permit source 10.1.1.0 0.0.0.255
    [~DeviceB-acl-basic-2010] commit
    [~DeviceB-acl-basic-2010] quit
    

    # Configure a traffic classifier and define the ACL-based matching rule.

    [~DeviceB] traffic classifier classifier1
    [~DeviceB-classifier-classifier1] if-match acl 2010
    [~DeviceB-classifier-classifier1] commit
    [~DeviceB-classifier-classifier1] quit
    

    # Define a traffic behavior and configure URPF.

    [~DeviceB] traffic behavior behavior1
    [~DeviceB-behavior-behavior1] ip urpf strict
    [~DeviceB-behavior-behavior1] commit
    [~DeviceB-behavior-behavior1] quit
    

    # Define a traffic policy to associate the traffic classifier with the traffic behavior.

    [~DeviceB] traffic policy policy1
    [~DeviceB-trafficpolicy-policy1] classifier classifier1 behavior behavior1
    [~DeviceB-trafficpolicy-policy1] commit
    [~DeviceB-trafficpolicy-policy1] quit
    

    # Apply the traffic policy to the interface.

    [~DeviceB] interface gigabitethernet 1/0/0
    [~DeviceB-GigabitEthernet1/0/0] undo shutdown
    [~DeviceB-GigabitEthernet1/0/0] ip address 1.1.1.2 255.255.255.252
    [~DeviceB-GigabitEthernet1/0/0] traffic-policy policy1 inbound
    [~DeviceB-GigabitEthernet1/0/0] commit
    
  2. Configure ME device A.

    # Configure the interface GE1/0/0.

    <DeviceA> system-view
    [~DeviceA] interface gigabitethernet 1/0/0
    [~DeviceA-GigabitEthernet1/0/0] undo shutdown
    [~DeviceA-GigabitEthernet1/0/0] ip address 1.1.1.1 255.255.255.252
    [~DeviceA-GigabitEthernet1/0/0] commit
    

    # Enable URPF on the interface GE1/0/0. The strict URPF check is required and the default route matching must be enabled.

    [~DeviceA-GigabitEthernet1/0/0] ip urpf strict allow-default
    [~DeviceA-GigabitEthernet1/0/0] commit
Configuration Files
  • Configuration file of ME device A
#
 sysname DeviceA
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 1.1.1.1 255.255.255.252
 ip urpf strict allow-default
#
return
  • Configuration file of ME device B
#
 sysname DeviceB
#
acl number 2010
 rule 5 permit source 10.1.1.0 0.0.0.255
#
traffic classifier classifier1 operator or
 if-match acl 2010
#
traffic behavior behavior1
 ip urpf strict
#
traffic policy policy1
 classifier classifier1 behavior behavior1
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 1.1.1.2 255.255.255.252
 traffic-policy policy1 inbound
#
return
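The following Python model is an added illustration of the URPF decision the example above configures; it is not code from this guide or from Huawei, and it does not reproduce the ME60 implementation. It replays constructed packets through a simplified check: a source address is looked up in a constructed forwarding table, the strict check requires the route's outbound interface to equal the ingress interface, the loose check only requires that a route exist, a default route counts as a valid route only when allow-default is set, and sources permitted by ACL 2010 pass unconditionally on Device B, which is how this page describes the ACL. The forwarding tables, the interfaces GE2/0/0 and GE3/0/0, the sample addresses, and the function names are all assumptions made for the model.

```python
import ipaddress

# Constructed forwarding tables (assumptions, not taken from the page).
# Each entry is (prefix, outbound interface); 0.0.0.0/0 is the default route.
DEVICE_A_FIB = [
    (ipaddress.ip_network("0.0.0.0/0"), "GE1/0/0"),     # default route toward the ISP (Device B)
    (ipaddress.ip_network("1.1.1.0/30"), "GE1/0/0"),    # link to Device B (addresses from the page)
    (ipaddress.ip_network("10.1.1.0/24"), "GE2/0/0"),   # assumed customer LAN behind Device A
]
DEVICE_B_FIB = [
    (ipaddress.ip_network("1.1.1.0/30"), "GE1/0/0"),
    (ipaddress.ip_network("10.1.1.0/24"), "GE1/0/0"),   # customer segment reached via Device A
    (ipaddress.ip_network("192.0.2.0/24"), "GE3/0/0"),  # assumed second ISP customer on another port
]

# The exemption the page describes: ACL 2010 permits 10.1.1.0/24 on Device B.
ACL_2010 = [ipaddress.ip_network("10.1.1.0/24")]


def lookup(fib, addr):
    """Longest-prefix match of addr in fib; returns (prefix, iface) or None."""
    best = None
    for prefix, iface in fib:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_check(fib, src, ingress, mode="strict", allow_default=False, exempt=()):
    """Simplified URPF decision: returns (accepted, reason) for a packet from src on ingress."""
    src = ipaddress.ip_address(src)
    # Flow-based exemption: sources matched by the ACL skip the check entirely.
    if any(src in net for net in exempt):
        return True, "acl-exempt"
    match = lookup(fib, src)
    if match is None:
        return False, "no-route"
    prefix, out_iface = match
    # A default route only satisfies URPF when allow-default is configured.
    if prefix.prefixlen == 0 and not allow_default:
        return False, "default-route-only"
    if mode == "loose":
        return True, "loose-route-exists"
    # Strict mode: the reverse path must leave on the interface the packet arrived on.
    if out_iface == ingress:
        return True, "strict-interface-match"
    return False, "strict-interface-mismatch"


def device_b_check(src):
    """Device B, GE1/0/0: strict URPF with the ACL 2010 exemption, as configured above."""
    return urpf_check(DEVICE_B_FIB, src, "GE1/0/0", "strict", exempt=ACL_2010)


def device_a_check(src, allow_default=True):
    """Device A, GE1/0/0: 'ip urpf strict allow-default', as configured above."""
    return urpf_check(DEVICE_A_FIB, src, "GE1/0/0", "strict", allow_default)


if __name__ == "__main__":
    # Constructed sample packets arriving on GE1/0/0 of each device.
    for src in ("10.1.1.7", "192.0.2.9", "198.51.100.1"):
        print("Device B", src, device_b_check(src))
    for src in ("1.1.1.2", "203.0.113.5", "10.1.1.7"):
        print("Device A", src, device_a_check(src), device_a_check(src, allow_default=False))
```

Running the model shows why the two devices get different settings: on the customer edge (Device A) almost every Internet source matches only the default route, so strict URPF without allow-default would drop legitimate return traffic, while a packet claiming an internal 10.1.1.0/24 source arriving from the ISP side still fails the interface match. On the ISP edge (Device B) a source belonging to another customer's segment (192.0.2.9 in the model) arriving on GE1/0/0 is rejected, which is the spoofing case URPF exists to catch.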
Updated: 2019-01-04

Document ID: EDOC1100059445