API Guide

OS10(config-control-plane)# end
OS10# write memory
NOTE: Define necessary ACL rules before applying to the control plane.
Data plane rules
The data plane is the part of the network that carries user traffic. Data plane rules cover the services and settings that affect user
data. Apply these rules on border-filtering devices that connect internal networks to external networks, such as the Internet.
Forbid private source addresses from external networks
Rationale: Private IP addresses (the RFC 1918 ranges) are meant for internal networks, such as the networks that connect workstations,
printers, the DMZ, and so on. They are not routed on the Internet, which uses public IP addresses, so a packet arriving from the Internet
with a private source address is almost always spoofed or part of an attack. Configure ACL rules that deny any traffic from the external
network whose source address should reside only on the internal network, and apply them inbound on the interface that connects to the
external network. An OS10 ACL ends with an implicit deny, so follow the deny rules with a permit for the traffic you do want to accept.
CAUTION: Verify that multicast is not in use before blocking an address range.
Configuration:
OS10(config)# ip access-list deny-private-external
OS10(config-ipv4-acl)# deny ip source-ip-address mask any log
OS10(config-ipv4-acl)# end
OS10# write memory
Forbid external source addresses on outbound traffic
Rationale: Ensure that outbound traffic carries only valid internal source addresses from your organization's IP address range. A
permit-only ACL achieves this because the implicit deny at the end of the list drops every other source, including spoofed external
addresses. Apply the ACL inbound on the interface that faces the internal network, so it filters traffic as it enters the device on its way out.
Configuration:
OS10(config)# ip access-list deny-source-external
OS10(config-ipv4-acl)# permit ip internal-ip-address mask any
OS10(config-ipv4-acl)# exit
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# ip access-group deny-source-external in
OS10(conf-if-eth1/1/1)# end
OS10# write memory
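The two ACLs above as one complete anti-spoofing configuration, added here as a worked example; it is not taken from the OS10 guide. It assumes ethernet 1/1/1 faces the Internet, ethernet 1/1/2 faces the internal network, and 203.0.113.0/24 (a documentation prefix standing in for your own) is the organization's public range. Addresses are written in prefix notation; the address-and-mask form used by the guide's placeholders works the same way.

```text
! Added example (not from the OS10 guide). Assumed: eth1/1/1 = external, eth1/1/2 = internal,
! 203.0.113.0/24 = the organization's public prefix (documentation range used as a placeholder).
OS10(config)# ip access-list deny-private-external
! Drop packets arriving from the Internet whose source claims to be internal or unroutable.
OS10(config-ipv4-acl)# deny ip 10.0.0.0/8 any log
OS10(config-ipv4-acl)# deny ip 172.16.0.0/12 any log
OS10(config-ipv4-acl)# deny ip 192.168.0.0/16 any log
OS10(config-ipv4-acl)# deny ip 127.0.0.0/8 any log
OS10(config-ipv4-acl)# deny ip 169.254.0.0/16 any log
! A packet from outside that claims our own public prefix as its source is spoofed as well.
OS10(config-ipv4-acl)# deny ip 203.0.113.0/24 any log
! The ACL ends with an implicit deny, so explicitly permit everything else.
OS10(config-ipv4-acl)# permit ip any any
OS10(config-ipv4-acl)# exit
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# ip access-group deny-private-external in
OS10(conf-if-eth1/1/1)# exit
!
OS10(config)# ip access-list deny-source-external
! Only our own prefix may leave; the implicit deny drops every other source, logged or not.
OS10(config-ipv4-acl)# permit ip 203.0.113.0/24 any
OS10(config-ipv4-acl)# exit
OS10(config)# interface ethernet 1/1/2
OS10(conf-if-eth1/1/2)# ip access-group deny-source-external in
OS10(conf-if-eth1/1/2)# end
OS10# write memory
```

The multicast range (224.0.0.0/4) is deliberately not in the deny list, in line with the caution above; add it only after confirming that no multicast crosses the border. The log keyword on the external-facing denies gives you the evidence of spoofing attempts; the internal-facing list has no log entries because the implicit deny is silent, so add an explicit `deny ip any any log` before the end if you want misconfigured internal hosts to show up.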
Neighbor authentication
Using authentication for routing protocols prevents unauthorized peers from injecting routes and corrupting your routing table.
Configure BGP authentication if BGP is used
Rationale: Configure BGP, and secure each session with a password on both BGP peers. When you configure MD5 authentication
between two BGP peers, every TCP segment of the session carries an MD5 digest computed over the segment and the shared password
(the TCP MD5 signature option, RFC 2385); the receiver verifies the digest on every segment it receives and discards segments that fail.
Both peers must be configured with the same password, or the session does not establish.
Configuration:
OS10(conf-router-neighbor)# password {9 encrypted-password-string | password-string}
OS10(conf-router-neighbor)# end
OS10# write memory
9 encrypted-password-string: Enter 9 followed by the encrypted password string.
password-string: Enter a plain-text password for authentication, up to 128 characters.
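A complete session configured on both peers, added here as a worked example; it is not taken from the OS10 guide. It assumes the local router is AS 100 at 192.0.2.1, the peer is AS 200 at 192.0.2.2, the shared password is provisioned out of band, and the BGP and neighbor mode prompts match those shown in the guide.

```text
! Added example (not from the OS10 guide). Assumed: local AS 100 (192.0.2.1), peer AS 200 (192.0.2.2),
! a shared password exchanged out of band, and these BGP/neighbor mode prompts.
! --- Local router (AS 100) ---
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# neighbor 192.0.2.2
OS10(conf-router-neighbor)# remote-as 200
! Plain-text form; the running configuration stores it as "password 9 <encrypted-string>".
OS10(conf-router-neighbor)# password Ex4mple-BGP-Secret
OS10(conf-router-neighbor)# no shutdown
OS10(conf-router-neighbor)# end
OS10# write memory
! --- Peer router (AS 200): the same password, or the session never reaches Established ---
OS10(config)# router bgp 200
OS10(config-router-bgp-200)# neighbor 192.0.2.1
OS10(conf-router-neighbor)# remote-as 100
OS10(conf-router-neighbor)# password Ex4mple-BGP-Secret
OS10(conf-router-neighbor)# no shutdown
OS10(conf-router-neighbor)# end
OS10# write memory
```

After both sides are configured, `show running-configuration bgp` on each router shows the password line under the neighbor in its encrypted form. A session that stays out of Established after the change almost always means the two passwords differ; one side with a password and the other without will also fail, because the peer without MD5 configured discards the signed segments.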
View whether BGP neighbor authentication is enabled
Use the following command to view whether BGP neighbor authentication is enabled on the system:
OS10# show running-configuration bgp
!
router bgp 100
OS10 security best practices