Configuring Triple Play Security with CLI



Similar documents
Network QoS Policies. In This Section XRS Quality of Service Guide Page 79

Security Technology White Paper

Teldat Router. ARP Proxy

LAB THREE STATIC ROUTING

Chapter 3 Security and Firewall Protection

- Basic Router Security -

Configuring Static IP for your Pace Devices

Use MAC-Forced Forwarding with DHCP Snooping to Create Enhanced Private VLANs

Lab 2. CS-335a. Fall 2012 Computer Science Department. Manolis Surligas

Configuring DHCP Snooping

Cisco AnyConnect Secure Mobility Solution Guide

Understanding and Configuring NAT Tech Note PAN-OS 4.1

HREP Series DVR DDNS Configuration Application Note

LAN TCP/IP and DHCP Setup

Application Description

AlliedWare Plus OS How To Use Web-authentication

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

Firewall Examples. Using a firewall to control traffic in networks

Lab PC Network TCP/IP Configuration

Evaluation guide. Vyatta Quick Evaluation Guide

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Local Area Networks. LAN Security and local attacks. TDC 363 Winter 2008 John Kristoff - DePaul University 1

Configuring the Transparent or Routed Firewall

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Content Distribution Networks (CDN)

Cisco Configuring Commonly Used IP ACLs

Savvius Insight Initial Configuration

Configure Policy-based Routing

Securing Networks with PIX and ASA

Definition of firewall

Firewall Firewall August, 2003

1 PC to WX64 direction connection with crossover cable or hub/switch

Computer Networks I Laboratory Exercise 1

Chapter 7 Troubleshooting

NetFlow Subinterface Support

Lab Configuring Access Policies and DMZ Settings

1:1 NAT in ZeroShell. Requirements. Overview. Network Setup

Application Assurance Stateful Firewall

BASIC ANALYSIS OF TCP/IP NETWORKS

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Network Traffic Analysis

Trouble shooting Guide <<<Field and NOC Engineer Perspective>>>

VLAN and QinQ Technology White Paper

Multi-Homing Dual WAN Firewall Router

First Steps to Using PacketShaper ISP

SSVP SIP School VoIP Professional Certification

Network Security. Topology. Spring This is the logical topology of the network environment used for testing.

How To Block On A Network With A Group Control On A Router On A Linux Box On A Pc Or Ip Access Group On A Pnet 2 On A 2G Router On An Ip Access-Group On A Ip Ip-Control On A Net

Looking for Trouble: ICMP and IP Statistics to Watch

PT Activity 8.1.2: Network Discovery and Documentation Topology Diagram

Southwest Arkansas Telephone Cooperative Network Management Practices

Firewalls. Chapter 3

Glossary SR Advanced Configuration Guide Page 2785

ReadyNAS Remote Troubleshooting Guide NETGEAR

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Chapter 4 Firewall Protection and Content Filtering

The Use of Mikrotik Router Boards With Radius Server for ISPs.

Proxy firewalls.

Chapter 1 Configuring Basic Connectivity

How To Configure A Kiwi Ip Address On A Gbk (Networking) To Be A Static Ip Address (Network) On A Ip Address From A Ipad (Netware) On An Ipad Or Ipad 2 (

8 steps to protect your Cisco router

Sicurezza nelle reti

Procedure: You can find the problem sheet on Drive D: of the lab PCs. Part 1: Router & Switch

ICS 351: Today's plan

AlliedWare TM OS How To. Use DHCP Snooping and ARP Security to Block ARP Poisoning Attacks. Introduction. Related How To Notes

Quick Note 53. Ethernet to W-WAN failover with logical Ethernet interface.

Topic 7 DHCP and NAT. Networking BAsics.

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

CMPT 471 Networking II

Using WhatsUp IP Address Manager 1.0

Chapter 15: Advanced Networks

Lab Conducting a Network Capture with Wireshark

The Trivial Cisco IP Phones Compromise

Firewall Log Format. Log ID is a Unique 12 characters code (c1c2c3c4c5c6c7c8c9c10c11c12) e.g ,

WiNG5 CAPTIVE PORTAL DESIGN GUIDE

7450 ESS OS System Management Guide. Software Version: 7450 ESS OS 10.0 R1 February 2012 Document Part Number: * *

Firewalls. Network Security. Firewalls Defined. Firewalls

Technical Support Information Belkin internal use only

Watson SHDSL Router Application Manual

Hosting more than one FortiOS instance on. VLANs. 1. Network topology

idatafax Troubleshooting

Networking and High Availability

Trouble Shooting SiteManager to GateManager access via a corporate Intranet

MULTI WAN TECHNICAL OVERVIEW

BroadCloud PBX Customer Minimum Requirements

Non-intrusive, complete network protocol decoding with plain mnemonics in English

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

allow all such packets? While outgoing communications request information from a

How To Understand and Configure Your Network for IntraVUE

Websense Web Security Gateway: What to do when a Web site does not load as expected

Lab Configuring the PIX Firewall as a DHCP Server

Security Technology: Firewalls and VPNs

CompTIA Exam N CompTIA Network+ certification Version: 5.1 [ Total Questions: 1146 ]

MINIMUM NETWORK REQUIREMENTS 1. REQUIREMENTS SUMMARY... 1

7750 SR OS OAM and Diagnostics Guide. Software Version: 7750 SR OS 9.0 r1 March 2011 Document Part Number: * *

Workstation ARP. Objective. Background / Preparation

estadium Project Lab 8: Wireless Mesh Network Setup with DD WRT

5.0 Network Architecture. 5.1 Internet vs. Intranet 5.2 NAT 5.3 Mobile Network

ExamPDF. Higher Quality,Better service!

Networking and High Availability

Transcription:

Triple Play Service Delivery Architecture Configuring Triple Play Security with CLI xvpls This section provides information to configure Residential Broadband Aggregation services using the command line interface. It is assumed that the reader is familiar with VPLS, IES and VPRN services. Topics in this section include: Common Configuration Tasks on page 662 Configuring Anti-Spoofing Filters on page 662 Configuring Triple Play Security features on page 663 Configuring ARP Handling on page 669 Configuring Web Portal Redirect on page 675 7750 SR OS Triple Play Guide Page 661

Configuring Triple Play Security with CLI Common Configuration Tasks Topics in this section are: Configuring Anti-Spoofing Filters on page 662 Configuring Triple Play Security features on page 663 Configuring MAC Pinning on page 663 Configuring MAC Protection on page 664 Configuring VPLS Redirect Policy on page 666 Configuring VPLS Redirect Policy on page 666 Configuring ARP Handling on page 669 Configuring Web Portal Redirect on page 675 Configuring Anti-Spoofing Filters Anti-spoofing filters are used to prevent malicious subscribers sending IP packets with a forged IP or MAC address, and thus mis-directing traffic. The anti-spoofing filter is populated from the DHCP lease state table, and DHCP snooping must be enabled on the SAP. There are three types of filters (MAC, IP and IP+MAC), one type is allowed per SAP. The following displays an IES service interface configuration with anti-spoofing. A:ALA-48>config>service>ies# info interface "test123" create address 10.10.42.41/24 local-proxy-arp proxy-arp policy-statement "ProxyARP" sap 1/1/7:0 create anti-spoof ip arp-populate dhcp lease-populate 1 A:ALA-48>config>service>ies# Page 662 7750 SR OS Triple Play Guide

Triple Play Service Delivery Architecture Configuring Triple Play Security features Topics in this section are: Configuring MAC Pinning on page 663 Configuring MAC Protection on page 664 Configuring VPLS Redirect Policy on page 666 Configuring VPLS Redirect Policy on page 666 Configuring MAC Pinning The following example displays a partial BSA configuration with MAC pinning enabled on a SAP: A:ALA-48>config>service# info vpls 800 customer 6001 create description "VPLS with residential split horizon for DSL" stp shutdown sap 2/1/4:100 split-horizon-group "DSL-group2" create description "SAP for RSHG" mac-pinning A:ALA-48>config>service# 7750 SR OS Triple Play Guide Page 663

Configuring Triple Play Security with CLI Configuring MAC Protection Preventing Access By Residential Subscribers Using Protected (Gateway) MAC Addresses The first step is to create a list of MAC addresses to be protected, the second step is to prevent access using these source addresses inside an SHG or a SAP. The following example displays a partial BSA configuration with some protected MAC addresses on any SAP created inside the SHG: A:ALA-48>config>service# info vpls 800 customer 6001 create split-horizon-group "mygroup" create restrict-protected-src description "VPLS with residential split horizon for DSL" mac-protect mac 00:00:17:FE:82:D8 mac 93:33:00:00:BF:92 A:ALA-48>config>service# Page 664 7750 SR OS Triple Play Guide

Triple Play Service Delivery Architecture Restricting Access By Residential Subscribers To a Small List Of Upstream MAC Addresses: The first step is to create a list of MAC addresses to be protected, the second step is to restrict access to these addresses only from an SHG or a SAP. (If the MAC address of an upstream server is not known, it can be discovered using e.g. the cpe-ping OAM tool.) The following example displays a partial BSA configuration with restricted access to some MAC addresses from a specified SAP (an unrestricted access from any other SAP within the VPLS): A:ALA-48>config>service# info vpls 800 customer 6001 create description "VPLS with restricted access on a SAP" mac-protect mac 00:00:17:FE:82:D8 mac 93:33:00:00:BF:92 sap 1/1/4:30 create restrict-unprotected-dst A:ALA-48>config>service# 7750 SR OS Triple Play Guide Page 665

Configuring Triple Play Security with CLI Configuring VPLS Redirect Policy Creating the Filter on page 667 Applying the Filter to a VPLS Service on page 668 Figure 40 displays an IP filter entry configuration for VPLS redirect policy. Alcatel BSA To DSLAM Alcatel BSA To DSLAM To BSR VPLS 10 To BSR VPLS 10 FSAP F SDP SDP 1/2/3:100 1/2/3:100 Customer Customer 1 SDP SDP 100:10 100:10 DSCP-0 DSCP-0 DSCP-0 DSCP-0 SAP SAP SAP SAP 1/1/1:100 1/1/1:100 1/1/2:100 1/1/2:100 DPI DPI OSSG083A OSSG083A Figure 40: VPLS Redirect Policy Example Information about defining and applying IP and MAC filters is described in the7750 SR OS Router Configuration Guide. Page 666 7750 SR OS Triple Play Guide

Triple Play Service Delivery Architecture Creating the Filter The following displays a redirect filter entry: A:ALA-A>config>filter# info ip-filter 10 default-action forward entry 10 match dscp be action forward next-hop sap 1/1/1:100 ip-filter 11 default-action forward entry 10 match dscp be dscp be action forward next-hop sap 1/1/2:100 --------------------------------------------- A:ALA-A>config>filter# 7750 SR OS Triple Play Guide Page 667

Configuring Triple Play Security with CLI Applying the Filter to a VPLS Service The following displays how the redirection filter configured above is assigned to the ingress SAP from the DSLAM, and the ingress SDP from the BSR: A:ALA-A>config>service>vpls# info vpls 10 customer 1 create description vpls10 sap 1/2/3:100 create ingress ip filter 10 sap 1/1/1:100 create sap 1/1/2:100 create mesh-sdp 100:10 create ingress ip filter 11 A:ALA-A>config>service>vpls# Page 668 7750 SR OS Triple Play Guide

Triple Play Service Delivery Architecture Configuring ARP Handling Topics in this section are: Configuring Proxy ARP on page 669 Configuring Local Proxy ARP on page 670 Configuring ARP Reply Agent in a VPLS Service on page 671 Configuring Automatic ARP Table Population in an IES or VPRN Interface on page 673 Configuring Proxy ARP The implementation of proxy ARP with support for local proxy ARP allows the 7750 SR to respond to ARP requests in the subnet assigned to an IES or VPRN interface. Configuring this command will allow multiple customers to share the same IP subnet. The following example displays an IES proxy ARP configuration: A:ALA-48>config>service>ies# info interface "test123" create address 10.10.42.41/24 local-proxy-arp proxy-arp-policy "ProxyARP" A:ALA-48>config>service>ies# 7750 SR OS Triple Play Guide Page 669

Configuring Triple Play Security with CLI Configuring Local Proxy ARP When local proxy ARP is enabled on an IP interface, the 7750 SR responds to all ARP requests for IP addresses belonging to the subnet with it's own MAC address, and forwards all traffic between hosts in that subnet. Local proxy ARP is disabled by default. Note: When local-proxy-arp is enabled under a IES or VPRN service, all ICMP redirects on the ports associated with the service are automatically blocked. This prevents users from learning each other's MAC address (from ICMP redirects). The following example displays a local proxy ARP IES configuration: A:ALA-A>config>service>ies# info interface "test" create shutdown address 10.10.36.2/24 local-proxy-arp A:ALA-A>config>service>ies# Page 670 7750 SR OS Triple Play Guide

Triple Play Service Delivery Architecture Configuring ARP Reply Agent in a VPLS Service When ARP reply agent is enabled, the 7750 SR will respond to ARP requests from the network, with information from the DHCP lease state table. In the upstream direction (towards the network), the ARP reply agent intercepts ARP requests on subscriber SAPs, and checks them against the DHCP lease state table. The purpose is to prevent a malicious subscriber spoofing ARP request or ARP reply messages and thus populating the upstream router's ARP table with incorrect entries. The following example displays a partial BSA configuration with ARP Reply Agent enabled on a SAP: A:ALA-48>config>service# info... vpls 800 customer 6001 create description "VPLS with ARP Reply Agent active" sap 2/1/4:100 split-horizon-group "DSL-group2" create arp-reply-agent sub-ident sap 3/1/4:200 split-horizon-group "DSL-group2" create arp-reply-agent sub-ident... A:ALA-48>config>service# 7750 SR OS Triple Play Guide Page 671

Configuring Triple Play Security with CLI Configuring Remote Proxy ARP The following example displays the IES configuration to enable remote proxy ARP: A:ALA-49>config>service>ies# info interface "test-1a" create address 10.10.26.3/24 remote-proxy-arp A:ALA-49>config>service>ies# Page 672 7750 SR OS Triple Play Guide

Triple Play Service Delivery Architecture Configuring Automatic ARP Table Population in an IES or VPRN Interface The following example displays the IES DHCP configuration to enable automatic population of the ARP table using snooped DHCP information on an IES or VPRN interface: A:ALA-1>config>service>ies>if# info arp-populate dhcp description "snooping_only" lease-populate 1 A:ALA-1>config>service>ies>if# A:ALA-1>config>service>vprn>if# info dhcp description "test" lease-populate 1 A:ALA-1>config>service>ies>if# 7750 SR OS Triple Play Guide Page 673

Configuring Triple Play Security with CLI Configuring CPU Protection CPU Protection can be used to protect the SR OS router in subscriber management scenarios. Refer to the SR OS System Management Guide for information about CPU Protection operation and configuration. Page 674 7750 SR OS Triple Play Guide

Triple Play Service Delivery Architecture Configuring Web Portal Redirect The generic CLI structure for defining and applying IP and MAC filters is described in the 7750 SR OS Router Configuration Guide. The following example displays an IP filter entry configuration for web-portal redirect: A:ALA-A>config>filter# info ip-filter 10 create description filter to forward DNS and web traffic to my portal; redirect all other web traffic to the portal and drop everything else default-action drop entry 10 create description allows DNS traffic match protocol 17 dst-port 53 action forward entry 20 create description allows web traffic destined to portal (IP address 10.0.0.1) match protocol 6 dst-port eq 80 dst-ip 10.0.0.1 action forward entry 30 description redirects all web traffic to portal match protocol 6 dst-port eq 80 action http-redirect http://www.myportal.com/defaultportal /login.cgi?ip=$ip&mac=$mac&orig_url=$url&usb=$sub A:ALA-A>config>filter# 7750 SR OS Triple Play Guide Page 675

Configuring Triple Play Security with CLI Filter entry 10 in the example output allows the customer to access DNS to get the IP address of the original website they are trying to view. Entry 20 allows HTTP packets destined to the captive portal itself to be forwarded. Note that the actual IP address (a.b.c.d) needs to be entered, not the DNS name ( www.myportal.com ). The IP address can be easily resolved from the 7750 SR CLI using the ping command. Entry 30 (which is the last option that does not drop the customer packets) checks for HTTP protocol and then starts the redirection process: The 7750 SR will intercept the HTTP GET from the subscriber and respond with an HTTP 302 (temporarily moved) with the URL configured in the filter entry. This URL can contain some variables, notably the customer IP and MAC addresses to allow the portal to create an entry for the customer. The original requested URL is also included to redirect the client site back to the original requested site when the process is done. The client will then close the connection with the original IP address and open a connection to the redirected server. Entry 20 will allow this connection. The following displays how the redirection filter configured above is assigned to an ingress SAP: A:ALA-A>config>service>vpls# info vpls 3 customer 6 create description "VPLS with web portal redirection filter applied" sap 2/1/5:0 create ingress filter ip 10 A:ALA-A>config>service>vpls# Page 676 7750 SR OS Triple Play Guide

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information