Out-of-band management
Binding the management port to a VPN
Configuration roadmap
Bind the management port and the management Loopback interface to a dedicated management VPN, and place the service ports in other VPNs. The service-port VPNs and the management VPN cannot reach each other.
Data preparation
None
Procedure
- Create the management VPN
<HUAWEI> system-view
[~HUAWEI] ip vpn-instance management
[*HUAWEI-vpn-instance-management] ipv4-family
[*HUAWEI-vpn-instance-management-af-ipv4] commit
[~HUAWEI-vpn-instance-management-af-ipv4] quit
[~HUAWEI-vpn-instance-management] display this
#
ip vpn-instance management
 ipv4-family
#
return
[~HUAWEI-vpn-instance-management] quit
- Bind the management interface and the management Loopback interface to the VPN
[~HUAWEI] interface GigabitEthernet0/1/0
[~HUAWEI-GigabitEthernet0/1/0] ip binding vpn-instance management
[*HUAWEI-GigabitEthernet0/1/0] commit
[~HUAWEI-GigabitEthernet0/1/0] quit
[~HUAWEI] interface LoopBack0
[~HUAWEI-LoopBack0] ip binding vpn-instance management
[*HUAWEI-LoopBack0] commit
[~HUAWEI-LoopBack0] quit
- Configure IP addresses on the management interface and the management Loopback interface
[~HUAWEI] interface GigabitEthernet0/1/0
[~HUAWEI-GigabitEthernet0/1/0] ip address 10.10.11.100 24
[*HUAWEI-GigabitEthernet0/1/0] commit
[~HUAWEI-GigabitEthernet0/1/0] display this
#
interface GigabitEthernet0/1/0
 undo shutdown
 ip binding vpn-instance management
 ip address 10.10.11.100 255.255.255.0
#
[~HUAWEI-GigabitEthernet0/1/0] quit
[~HUAWEI] interface LoopBack0
[~HUAWEI-LoopBack0] ip address 1.1.1.1 32
[*HUAWEI-LoopBack0] commit
[~HUAWEI-LoopBack0] display this
#
interface LoopBack0
 ip binding vpn-instance management
 ip address 1.1.1.1 255.255.255.255
#
return
[~HUAWEI-LoopBack0] quit
- Check the routing tables to verify that the management-plane routes are isolated from the control-plane routes: the management addresses appear only in the routing table of the management VPN instance, not in the public routing table
[~HUAWEI] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 2        Routes : 2
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
     127.0.0.1/32   Direct  0    0           D   127.0.0.1       InLoopBack0
[~HUAWEI] display ip routing-table vpn-instance management
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Tables: management
         Destinations : 3        Routes : 3
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
        1.1.1.1/32  Direct  0    0           D   127.0.0.1       LoopBack0
    10.10.11.0/24   Direct  0    0           D   10.10.11.100    GigabitEthernet0/1/0
  10.10.11.100/32   Direct  0    0           D   127.0.0.1       GigabitEthernet0/1/0
- You can also use ping to check whether the routes are isolated: a ping to the management address from the public instance fails, while the same ping inside the management VPN instance succeeds
<HUAWEI> ping 10.10.11.100
  PING 10.10.11.100: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 10.10.11.100 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
<HUAWEI> ping -vpn-instance management 10.10.11.100
  PING 10.10.11.100: 56  data bytes, press CTRL_C to break
    Reply from 10.10.11.100: bytes=56 Sequence=1 ttl=255 time=1 ms
    Reply from 10.10.11.100: bytes=56 Sequence=2 ttl=255 time=30 ms
    Reply from 10.10.11.100: bytes=56 Sequence=3 ttl=255 time=10 ms
    Reply from 10.10.11.100: bytes=56 Sequence=4 ttl=255 time=30 ms
    Reply from 10.10.11.100: bytes=56 Sequence=5 ttl=255 time=30 ms
  --- 10.10.11.100 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/20/30 ms
Using MA-defend to block management-protocol packets sent up from the service plane
Networking requirements
To ensure that management-protocol packets are accepted only from the management port, management-protocol packets arriving on the service plane can be prevented from being sent to the CPU.
Configuration roadmap
- In the system view, create a global ma-defend policy that denies the management protocols from being sent to the CPU.
- Check the configuration result and the dropped-packet counters.
Procedure
- Create a global ma-defend policy that denies the ftp, snmp, ssh, telnet and tftp management protocols from being sent up from the service plane
[~HUAWEI] ma-defend global-policy
[*HUAWEI-app-sec-global] protocol ftp deny
[*HUAWEI-app-sec-global] protocol snmp deny
[*HUAWEI-app-sec-global] protocol ssh deny
[*HUAWEI-app-sec-global] protocol telnet deny
[*HUAWEI-app-sec-global] protocol tftp deny
[*HUAWEI-app-sec-global] enable
[*HUAWEI-app-sec-global] commit
[~HUAWEI-app-sec-global] quit
- Check the configuration result
[~HUAWEI] display ma-defend global-policy
MA-defend policy type: global-policy
----------------------------------------------------
The global-policy is enabled
--------------------------------------------------
protocol        rule
--------------------------------------------------
FTP             deny
SSH             deny
SNMP            deny
TELNET          deny
TFTP            deny
- Check that no service port can send management-protocol packets to the CPU and that all such packets are dropped (see the statistics counters), for example:
[~HUAWEI] display cpu-defend ma-defend statistics
Slot/Intf   Attack-Type    Total-Packets  Passed-Packets  Dropped-Packets
-------------------------------------------------------------------------------
3           MA-Defend      100            0               100
-------------------------------------------------------------------------------
            FTP SERVER     100            0               100
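The two checks at the end of this procedure (is the policy enabled with every intended protocol denied, and are the matching packets actually dropped rather than passed) are what an audit job should verify on every device. The following Python script is an added example, not part of the original procedure and not Huawei code: it builds the CLI lines for a given protocol set, compares a `display ma-defend global-policy` output against that set, and reduces a `display cpu-defend ma-defend statistics` output to per-row counters, flagging any row where packets were passed. The sample outputs are constructed copies of the displays above; the finding messages and the column-parsing assumptions are this example's own.

```python
import re

# Management protocols the policy above denies from the service plane.
REQUIRED = {"ftp", "snmp", "ssh", "telnet", "tftp"}

# Constructed sample input: the two displays shown in the steps above.
POLICY_OUTPUT = """\
MA-defend policy type: global-policy
----------------------------------------------------
The global-policy is enabled
--------------------------------------------------
protocol        rule
--------------------------------------------------
FTP             deny
SSH             deny
SNMP            deny
TELNET          deny
TFTP            deny
"""

STATS_OUTPUT = """\
Slot/Intf   Attack-Type    Total-Packets  Passed-Packets  Dropped-Packets
-------------------------------------------------------------------------------
3           MA-Defend      100            0               100
-------------------------------------------------------------------------------
            FTP SERVER     100            0               100
"""


def ma_defend_commands(protocols):
    """CLI lines (entered from the system view) that realise a global deny policy."""
    lines = ["ma-defend global-policy"]
    lines += [f" protocol {p} deny" for p in sorted(protocols)]
    lines += [" enable", " commit", " quit"]
    return lines


def audit_policy(text, required):
    """Compare a 'display ma-defend global-policy' output with the intended protocol set."""
    findings = []
    if "global-policy is enabled" not in text:
        findings.append("global ma-defend policy is not enabled")
    denied = set()
    for line in text.splitlines():
        # Rule rows look like 'FTP             deny'.
        m = re.match(r"^\s*([A-Za-z]+)\s+(deny|permit)\s*$", line)
        if not m:
            continue
        proto, action = m.group(1).lower(), m.group(2)
        if action == "deny":
            denied.add(proto)
        else:
            findings.append(f"{proto} is permitted from the service plane")
    for proto in sorted(required - denied):
        findings.append(f"{proto} is not denied by the global policy")
    return findings


def summarize_stats(text):
    """Parse 'display cpu-defend ma-defend statistics' into {label: (total, passed, dropped)}
    and list the labels for which packets were passed rather than dropped (assumed layout:
    optional slot number, a text label, then the three packet counters)."""
    rows = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(?:\d+\s+)?(.*?)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", line)
        if m:
            rows[m.group(1).strip()] = tuple(int(x) for x in m.group(2, 3, 4))
    passed = [label for label, (_, p, _) in rows.items() if p > 0]
    return rows, passed


if __name__ == "__main__":
    print("\n".join(ma_defend_commands(REQUIRED)))
    print(audit_policy(POLICY_OUTPUT, REQUIRED) or "policy as intended")
    print(summarize_stats(STATS_OUTPUT))
```

A non-empty `passed` list from `summarize_stats` means management-protocol packets from the service plane reached the CPU despite the policy, which is the condition the dropped-packet counters in the step above are meant to rule out.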
Using MPAC to block management-protocol packets sent up from the service plane
Networking requirements
To ensure that management-protocol packets are accepted only from the management port, management-protocol packets arriving on the service plane can be prevented from being sent to the CPU.
Configuration roadmap
- In the system view, create the MPAC policy views global and interface.
- In the global view, configure rules that deny the management protocols from being sent to the CPU; in the interface view, configure rules that permit them.
- Bind the MPAC global policy globally, and bind the interface policy to the management port GE0/0/0.
- Check the configuration result and the dropped-packet counters.
Procedure
- In the system view, create the MPAC policy views global and interface
[~HUAWEI] service-security policy ipv4 global
[*HUAWEI-service-sec-global] commit
[~HUAWEI-service-sec-global] quit
[~HUAWEI] service-security policy ipv4 interface
[*HUAWEI-service-sec-interface] commit
[~HUAWEI-service-sec-interface] quit
- In the global view, configure rules that deny the ftp, snmp, ssh, telnet and tftp management protocols from being sent to the CPU; in the interface view, configure rules that permit the ftp, snmp, ssh, telnet and tftp management protocols
[~HUAWEI] service-security policy ipv4 global
[~HUAWEI-service-sec-global] rule deny protocol ftp
[*HUAWEI-service-sec-global] rule deny protocol snmp
[*HUAWEI-service-sec-global] rule deny protocol ssh
[*HUAWEI-service-sec-global] rule deny protocol telnet
[*HUAWEI-service-sec-global] rule deny protocol tftp
[*HUAWEI-service-sec-global] commit
[~HUAWEI-service-sec-global] quit
[~HUAWEI] service-security policy ipv4 interface
[~HUAWEI-service-sec-interface] rule permit protocol ftp
[*HUAWEI-service-sec-interface] rule permit protocol snmp
[*HUAWEI-service-sec-interface] rule permit protocol ssh
[*HUAWEI-service-sec-interface] rule permit protocol telnet
[*HUAWEI-service-sec-interface] rule permit protocol tftp
[*HUAWEI-service-sec-interface] commit
[~HUAWEI-service-sec-interface] quit
- Bind the interface policy to the management port GE0/0/0, and bind the MPAC global policy globally
[~HUAWEI] interface GigabitEthernet 0/0/0
[~HUAWEI-GigabitEthernet0/0/0] service-security binding ipv4 interface
[*HUAWEI-GigabitEthernet0/0/0] commit
[~HUAWEI-GigabitEthernet0/0/0] quit
[~HUAWEI] service-security global-binding ipv4 global
[*HUAWEI] commit
- Check the configuration result
[~HUAWEI] display service-security binding ipv4
Configured :
Global Policy Name: global
Interface : GigabitEthernet0/0/0  Policy Name: interface
[~HUAWEI] display service-security policy ipv4
Policy Name : global
Step : 5
 rule 5 deny protocol ftp
 rule 10 deny protocol snmp
 rule 15 deny protocol ssh
 rule 20 deny protocol tftp
 rule 25 deny protocol telnet
Policy Name : interface
Step : 5
 rule 5 permit protocol ftp
 rule 10 permit protocol snmp
 rule 15 permit protocol ssh
 rule 20 permit protocol tftp
 rule 25 permit protocol telnet
- Check that no service port can send management-protocol packets to the CPU and that all such packets are dropped (see the statistics counters), as shown below:
[~HUAWEI] display service-security statistics ipv4
Policy Name : global
Step : 5
 rule 5 deny protocol ftp (9 times matched)
 rule 10 deny protocol snmp (0 times matched)
 rule 15 deny protocol ssh (0 times matched)
 rule 20 deny protocol tftp (0 times matched)
 rule 25 deny protocol telnet (15 times matched)
Policy Name : interface
Step : 5
 rule 5 permit protocol ftp (74 times matched)
 rule 10 permit protocol snmp (0 times matched)
 rule 15 permit protocol ssh (0 times matched)
 rule 20 permit protocol tftp (0 times matched)
 rule 25 permit protocol telnet (237 times matched)
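The MPAC design above only works when three things hold at once: the global policy is bound and denies every management protocol, the management port has the interface policy bound, and that interface policy permits the same protocol set. The following Python script is an added example, not part of the original procedure and not Huawei code: it parses the binding and statistics displays (embedded as constructed copies of the outputs above), checks those three conditions, and returns the match counts on the global deny rules, which are the management-protocol packets that arrived on service ports and were dropped. The management-port name, the protocol set and the finding messages are assumptions of this example.

```python
import re

# Management protocols the policies above deny globally and permit on the management port.
REQUIRED = {"ftp", "snmp", "ssh", "telnet", "tftp"}
MGMT_INTERFACE = "GigabitEthernet0/0/0"  # management port from the procedure above

# Constructed sample input: the binding and statistics displays from the steps above.
BINDING_OUTPUT = """\
Configured :
Global Policy Name: global
Interface : GigabitEthernet0/0/0  Policy Name: interface
"""

STATS_OUTPUT = """\
Policy Name : global
Step : 5
 rule 5 deny protocol ftp (9 times matched)
 rule 10 deny protocol snmp (0 times matched)
 rule 15 deny protocol ssh (0 times matched)
 rule 20 deny protocol tftp (0 times matched)
 rule 25 deny protocol telnet (15 times matched)
Policy Name : interface
Step : 5
 rule 5 permit protocol ftp (74 times matched)
 rule 10 permit protocol snmp (0 times matched)
 rule 15 permit protocol ssh (0 times matched)
 rule 20 permit protocol tftp (0 times matched)
 rule 25 permit protocol telnet (237 times matched)
"""

POLICY_RE = re.compile(r"Policy Name\s*:\s*(\S+)")
# The '(N times matched)' suffix is only present in the statistics display.
RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+protocol\s+(\S+)(?:\s*\((\d+) times matched\))?"
)


def parse_policies(text):
    """{policy name: [rule dicts]} from 'display service-security policy/statistics ipv4'."""
    policies, current = {}, None
    for line in text.splitlines():
        pm = POLICY_RE.search(line)
        if pm:
            current = pm.group(1)
            policies[current] = []
            continue
        rm = RULE_RE.search(line)
        if rm and current is not None:
            num, action, proto, hits = rm.groups()
            policies[current].append({"rule": int(num), "action": action,
                                      "protocol": proto.lower(), "matched": int(hits or 0)})
    return policies


def parse_bindings(text):
    """(global policy name or None, {interface: policy name}) from the binding display."""
    gm = re.search(r"Global Policy Name\s*:\s*(\S+)", text)
    per_if = dict(re.findall(r"Interface\s*:\s*(\S+)\s*Policy Name\s*:\s*(\S+)", text))
    return (gm.group(1) if gm else None), per_if


def audit_mpac(binding_text, stats_text, mgmt_iface, required):
    """Return (findings, hits). findings is empty when the intended policy is in place;
    hits maps each protocol to the packets its global deny rule has already dropped."""
    findings = []
    global_name, per_if = parse_bindings(binding_text)
    if global_name is None:
        findings.append("no global MPAC policy is bound")
    if mgmt_iface not in per_if:
        findings.append(f"management port {mgmt_iface} has no MPAC policy bound")
    policies = parse_policies(stats_text)
    denied = {r["protocol"] for r in policies.get(global_name, []) if r["action"] == "deny"}
    permitted = {r["protocol"] for r in policies.get(per_if.get(mgmt_iface), [])
                 if r["action"] == "permit"}
    for proto in sorted(required - denied):
        findings.append(f"global policy does not deny {proto}")
    for proto in sorted(required - permitted):
        findings.append(f"interface policy on {mgmt_iface} does not permit {proto}")
    hits = {r["protocol"]: r["matched"] for r in policies.get(global_name, [])
            if r["action"] == "deny" and r["matched"] > 0}
    return findings, hits


if __name__ == "__main__":
    print(audit_mpac(BINDING_OUTPUT, STATS_OUTPUT, MGMT_INTERFACE, REQUIRED))
```

On the sample output the audit reports no findings and hits of 9 ftp and 15 telnet packets on the global deny rules; those counters are worth trending, since a steady rise means something on the service side keeps trying to reach the management protocols.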