A new box for fun 🙂
Thanks to my colleagues I have opportunity to test Huawei Secospace USG6300.
A rental period is not long, so let’s start from the beginning.
Configure IP address of firewall’s interface and assign it to trust zone:
[USG6300]interface GigabitEthernet 0/0/7 [USG6300-GigabitEthernet0/0/7]ip address 172.16.1.1 24 [USG6300]firewall zone trust [USG6300-zone-trust]add interface GigabitEthernet 0/0/7
Let’s look at a typical configuration of HWTACACS server on Huawei device:
# hwtacacs-server template labnario hwtacacs-server authentication 172.16.10.1 hwtacacs-server authorization 172.16.10.1 hwtacacs-server accounting 172.16.10.1 hwtacacs-server source-ip 172.16.10.10 hwtacacs-server shared-key cipher %$%$;XioR#N`7=~][vLDTr2S(2.#%$%$ undo hwtacacs-server user-name domain-included # aaa authentication-scheme hwtacacs authentication-mode hwtacacs local authorization-scheme hwtacacs authorization-mode hwtacacs local accounting-scheme hwtacacs accounting-mode hwtacacs domain default_admin authentication-scheme hwtacacs accounting-scheme hwtacacs authorization-scheme hwtacacs hwtacacs-server labnario local-user labnario password cipher %$%$'3N&Y#>c>Ibb;f:!o4mW(7#h%$%$ local-user labnario privilege level 15 local-user labnario service-type telnet terminal ssh ftp # user-interface vty 0 4 authentication-mode aaa
How to protect Huawei switches against ARP flood attack?
DoS attack is an attempt to make a network resources unavailable to its intended users. There are several different types of DoS attacks, but most of them rely on spoofing and flooding techniques. Some of these attacks can be hard to defend against, because DoS packets may look exactly like normal packets.
One common method of attack involves saturating the target device with a flood of request packets, so that this device cannot respond to a legitimate traffic or responds so slowly, as to be unavailable.
Attackers often use ARP protocol to attack network devices, because it is easy to use and has no security mechanisms built in. Flooding a network device with ARP request packets can lead to insufficient CPU resources to process other services, when processing a large number of ARP packets. To protect the device, ARP rate limiting mechanism can be used. On Huawei switches this feature can be implemented in the following ways:
The first what a device has to do is to check if the ACL exists. If it does, the device matches packets against rules, according to the rule ID. We can configure rule IDs manually or they are automatically allocated. In case of automatically allocated rules, there is a certain space between two rule IDs. The size of the space depends on ACL step. By default it is 5 but we can change it by command. In this manner, we can add a rule before the first rule or between rules. ACL rules are displayed in ascending order of rule IDs, not in the order of configuration.
ACL rules can be arranged in two modes: configuration and auto.
In the configuration mode (default mode), we decide which rule should be first, which second and so on and so forth. In this mode, the device matches rules in ascending order of rule IDs. Anytime we can configure an additional rule with smaller rule ID. In such case, later configured rule may be matched earlier. We make such a decision, not the system.
In the auto mode, unlike in the configuration mode, the system automatically allocates rule IDs. We don’t have possibility to specify rule ID. The most precise rule is placed at the beginning of ACL.
When can we use it?
If you want to recall how to configure GRE, just look at GRE on Huawei routers.
You can return to IPSec configuration, reading IPSec on Huawei AR router.
Today, I’m going to put them together and try to configure GRE over IPSec.
Based on the topology below, configure IP adresses and OSPF protocol to ensure connectivity between all routers (omitted here).
Configure tunnel interface on labnario_1 and labnario_3:
[labnario_1]interface Tunnel0/0/0 [labnario_1-Tunnel0/0/0] ip address 10.0.0.1 255.255.255.0 [labnario_1-Tunnel0/0/0] tunnel-protocol gre [labnario_1-Tunnel0/0/0] source 150.0.0.1 [labnario_1-Tunnel0/0/0] destination 160.0.0.1
Labnario Huawei From Scratch