S1720, S2700, S5700, S6720 V200R012(C00&C20) Configuration Guide - Security

This document describes security configurations, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, MPAC, PKI, service and management isolation, and security risk query configuration.
Example for Configuring URPF

Networking Requirements

As shown in Figure 13-5, SwitchA connects to the router of an ISP (Internet Service Provider) through GE0/0/3, and GE0/0/1 and GE0/0/2 connect to user networks. The administrator wants SwitchA to defend against source IP address spoofing, so that an unauthorized user cannot attack authorized users with a forged source IP address. The example enables URPF on the user-facing interface GE0/0/2 and verifies it with a spoofed ping sent from the user network behind that interface.

Figure 13-5  Networking diagram for configuring URPF

Note:

In this example, SwitchA is an S5720HI.

Configuration Roadmap

  1. Configure connectivity among S1, S2, and SwitchA:
    1. Configure interfaces and IP addresses on SwitchA.
    2. Configure interfaces, IP addresses, and a route on S1.
    3. Configure interfaces, IP addresses, and a route on S2.
  2. Configure URPF on SwitchA and verify it:
    1. Configure traffic statistics on S1.
    2. Check the traffic statistics on S1.
    3. Send requests from S2 to S1 with a forged source IP address.
    4. Check the traffic statistics on S1.
    5. Configure URPF on SwitchA.
    6. Send requests from S2 to S1 with the forged source IP address again.
    7. Check the traffic statistics on S1.

Procedure

  1. Configure connectivity among S1, S2, and SwitchA.

    # Configure interfaces and IP addresses on SwitchA.

    <HUAWEI> system-view
    [HUAWEI] sysname SwitchA
    [SwitchA] vlan batch 10 20
    [SwitchA] interface gigabitethernet 0/0/1
    [SwitchA-GigabitEthernet0/0/1] port link-type trunk
    [SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
    [SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
    [SwitchA-GigabitEthernet0/0/1] quit
    [SwitchA] interface gigabitethernet 0/0/2
    [SwitchA-GigabitEthernet0/0/2] port link-type trunk
    [SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 20
    [SwitchA-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
    [SwitchA-GigabitEthernet0/0/2] quit
    [SwitchA] interface vlanif 10
    [SwitchA-Vlanif10] ip address 192.168.10.2 24
    [SwitchA-Vlanif10] quit
    [SwitchA] interface vlanif 20
    [SwitchA-Vlanif20] ip address 192.168.20.2 24
    [SwitchA-Vlanif20] quit

    # Configure interfaces, IP addresses, and a route on S1.

    <HUAWEI> system-view
    [HUAWEI] sysname S1
    [S1] vlan batch 10
    [S1] interface gigabitethernet 0/0/1
    [S1-GigabitEthernet0/0/1] port link-type trunk
    [S1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
    [S1-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
    [S1-GigabitEthernet0/0/1] quit
    [S1] interface vlanif 10
    [S1-Vlanif10] ip address 192.168.10.1 24
    [S1-Vlanif10] quit
    [S1] ip route-static 192.168.20.0 24 192.168.10.2

    # Configure interfaces, IP addresses, and a route on S2.

    <HUAWEI> system-view
    [HUAWEI] sysname S2
    [S2] vlan batch 20
    [S2] interface gigabitethernet 0/0/1
    [S2-GigabitEthernet0/0/1] port link-type trunk
    [S2-GigabitEthernet0/0/1] port trunk allow-pass vlan 20
    [S2-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
    [S2-GigabitEthernet0/0/1] quit
    [S2] interface vlanif 20
    [S2-Vlanif20] ip address 192.168.20.1 24
    [S2-Vlanif20] quit
    [S2] ip route-static 192.168.10.0 24 192.168.20.2

    # Verify that S1, S2, and SwitchA can reach each other. Here S1 can ping S2, which shows that the three devices are routable to each other.

    [S1] ping 192.168.20.1
      PING 192.168.20.1: 56  data bytes, press CTRL_C to break
        Reply from 192.168.20.1: bytes=56 Sequence=1 ttl=253 time=1 ms
        Reply from 192.168.20.1: bytes=56 Sequence=2 ttl=253 time=1 ms
        Reply from 192.168.20.1: bytes=56 Sequence=3 ttl=253 time=1 ms
        Reply from 192.168.20.1: bytes=56 Sequence=4 ttl=253 time=1 ms
        Reply from 192.168.20.1: bytes=56 Sequence=5 ttl=253 time=1 ms

      --- 192.168.20.1 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 1/1/1 ms

  2. Configure URPF on SwitchA and verify it.

    # Configure traffic statistics on S1.

    [S1] acl 3002
    [S1-acl-adv-3002] rule permit icmp source 192.168.10.3 0 destination 192.168.10.1 0   //Match ICMP packets with source IP address 192.168.10.3 and destination IP address 192.168.10.1
    [S1-acl-adv-3002] quit
    [S1] interface gigabitethernet 0/0/1
    [S1-GigabitEthernet0/0/1] traffic-statistic inbound acl 3002   //Collect statistics on GE0/0/1 for inbound packets matching ACL 3002
    [S1-GigabitEthernet0/0/1] quit

    # Check the initial traffic statistics on S1. No packets have been counted yet.

    [S1] display traffic-statistics interface GigabitEthernet 0/0/1 inbound
    ---------------------------------------------------------------------------
    Interface GigabitEthernet0/0/1
     ACL:3002 Rule:5
         matched:0 packets, passed:0 packets, dropped:0 packets

    # S2 sends request packets to S1 with a forged source IP address. Here S2 pings S1 with the source address 192.168.10.3, which belongs to S1's subnet but is assigned to no device. S2 receives no response from S1: S1 answers to 192.168.10.3 on its own VLAN rather than to S2, so no reply comes back, but the forged requests themselves do reach S1, as the statistics collected next show.

    [S2] ping -a 192.168.10.3 192.168.10.1
    Warning: The specified source address is not a local address, the ping command will not check the network connection.
      PING 192.168.10.1: 56  data bytes, press CTRL_C to break
        Request time out
        Request time out
        Request time out
        Request time out
        Request time out

      --- 192.168.10.1 ping statistics ---
        5 packet(s) transmitted
        0 packet(s) received
        100.00% packet loss

    # Check the traffic statistics on S1. The statistics show that S1 has received the request packets sent by S2. To S1, these packets are attack packets.

    [S1] display traffic-statistics interface GigabitEthernet 0/0/1 inbound
    ---------------------------------------------------------------------------
    Interface GigabitEthernet0/0/1
     ACL:3002 Rule:5
         matched:5 packets, passed:5 packets, dropped:0 packets

    # Configure URPF on SwitchA. Strict mode is used on GE0/0/2 because it is a single-homed, user-facing port: a packet passes only if the route to its source address points back out GE0/0/2. Loose mode, which only requires that some route to the source exist, would not catch the spoofed 192.168.10.3 here, because SwitchA does have a route to 192.168.10.0/24. Do not use strict mode on interfaces where routing may be asymmetric, since it would then drop legitimate traffic.

    [SwitchA] interface gigabitethernet 0/0/2
    [SwitchA-GigabitEthernet0/0/2] urpf strict
    [SwitchA-GigabitEthernet0/0/2] quit

    # S2 pings S1 again with the forged source IP address. S2 still receives no response from S1.

    [S2] ping -a 192.168.10.3 192.168.10.1
    Warning: The specified source address is not a local address, the ping command will not check the network connection.
      PING 192.168.10.1: 56  data bytes, press CTRL_C to break
        Request time out
        Request time out
        Request time out
        Request time out
        Request time out

      --- 192.168.10.1 ping statistics ---
        5 packet(s) transmitted
        0 packet(s) received
        100.00% packet loss

    # Check the traffic statistics on S1 again. The counters have not increased since the previous check: SwitchA, now running URPF on GE0/0/2, discards the forged packets from S2, so S1 no longer receives the request packets.

    [S1] display traffic-statistics interface GigabitEthernet 0/0/1 inbound
    ---------------------------------------------------------------------------
    Interface GigabitEthernet0/0/1
     ACL:3002 Rule:5
         matched:5 packets, passed:5 packets, dropped:0 packets
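The following added example is not from the Huawei guide or the S5720HI software. It models the reverse-path check SwitchA applies once URPF is enabled, using the routing table of this topology, so that the difference between strict and loose mode on the spoofed ping above can be seen. The route table, the constructed packet sets, and the function names are assumptions made for illustration:

```python
"""Model of unicast RPF (strict vs loose) for the SwitchA/S1/S2 topology.

Added example, not part of the Huawei guide; names and tables are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_iface: str  # interface through which the prefix is reached


# SwitchA's table as built in the example: Vlanif10 (192.168.10.0/24) sits on
# GE0/0/1 and Vlanif20 (192.168.20.0/24) on GE0/0/2. Physical port names are
# used as the RPF interface to keep the model simple.
SWITCHA_ROUTES = (
    Route(ipaddress.ip_network("192.168.10.0/24"), "GE0/0/1"),
    Route(ipaddress.ip_network("192.168.20.0/24"), "GE0/0/2"),
)


def lookup(routes: Iterable[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match for addr, or None when no route covers it."""
    ip = ipaddress.ip_address(addr)
    best = None
    for route in routes:
        if ip in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def urpf_passes(routes: Iterable[Route], src: str, in_iface: str, mode: str,
                allow_default_route: bool = False) -> bool:
    """Reverse-path check on a packet's source address.

    loose : pass if any route (other than a bare default, unless allowed) covers src
    strict: additionally require that route to point back out the ingress interface
    """
    route = lookup(routes, src)
    if route is None:
        return False
    if route.prefix.prefixlen == 0 and not allow_default_route:
        return False  # models the check failing on a default route only
    if mode == "loose":
        return True
    if mode == "strict":
        return route.out_iface == in_iface
    raise ValueError(f"unknown URPF mode: {mode}")


# Constructed packets as (src, dst, ingress interface on SwitchA).
SPOOFED_PING = [("192.168.10.3", "192.168.10.1", "GE0/0/2")] * 5  # S2's 'ping -a 192.168.10.3 192.168.10.1'
LEGIT_PING = [("192.168.20.1", "192.168.10.1", "GE0/0/2")] * 5    # S2 pinging S1 with its real address
BOGON = [("10.9.9.9", "192.168.10.1", "GE0/0/2")]                  # source with no route at all


def delivered_to_s1(packets, mode: Optional[str]) -> int:
    """Count packets SwitchA forwards to S1.

    For SPOOFED_PING this is the amount S1's ACL 3002 counter would grow by.
    mode=None models SwitchA before 'urpf strict' is configured on GE0/0/2.
    """
    count = 0
    for src, dst, in_iface in packets:
        if dst != "192.168.10.1":
            continue
        if mode is None or urpf_passes(SWITCHA_ROUTES, src, in_iface, mode):
            count += 1
    return count


if __name__ == "__main__":
    for label, mode in (("no URPF", None), ("loose", "loose"), ("strict", "strict")):
        print(f"{label:8}: spoofed={delivered_to_s1(SPOOFED_PING, mode)} "
              f"legit={delivered_to_s1(LEGIT_PING, mode)} bogon={delivered_to_s1(BOGON, mode)}")
```

Run as a script, it prints how many packets of each set reach S1 under no URPF, loose mode, and strict mode. The spoofed packets pass loose mode because SwitchA has a route to 192.168.10.0/24; only strict mode, which also requires that route to point back at GE0/0/2, drops them, which is why the example configures urpf strict on the user-facing port. Legitimate traffic from 192.168.20.1 passes in every mode.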

Configuration Files

SwitchA configuration file

#
sysname SwitchA
#
vlan batch 10 20
#
interface Vlanif10
 ip address 192.168.10.2 255.255.255.0
#
interface Vlanif20
 ip address 192.168.20.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20
 urpf strict
#
return

S1 configuration file

#
sysname S1
#
vlan batch 10
#
acl number 3002
 rule 5 permit icmp source 192.168.10.3 0 destination 192.168.10.1 0
#
interface Vlanif10
 ip address 192.168.10.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10
 traffic-statistic inbound acl 3002
#
ip route-static 192.168.20.0 255.255.255.0 192.168.10.2
#
return

S2 configuration file

#
sysname S2
#
vlan batch 20
#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20
#
ip route-static 192.168.10.0 255.255.255.0 192.168.20.2
#
return
Updated: 2018-12-24

Document ID: EDOC1100038434
