Dell PowerSwitch S4112F-ON SmartFabric OS10 Security Best Practices Guide July - Page 19

Loopback rules, Data plane rules



Loopback rules
Loopback interfaces are virtual interfaces and, unlike physical interfaces, loopback interfaces do not go down unless they are manually removed. This property provides security and consistency for device identification and stability.
Configure a loopback interface
Rationale: Configure a loopback interface that can be used by multiple system services.
Configuration:
OS10(config)# interface loopback 0
OS10(config)# exit
OS10# write memory
Remove multiple loopback interfaces
Rationale: Ensure that no more than one loopback interface is configured.
Configuration:
OS10(config)# no interface loopback loopback-instance
OS10(config)# exit
OS10# write memory
Bind AAA services to a loopback interface
Rationale: AAA services are bound to a loopback interface so that the AAA services are not interrupted.
Configuration:
OS10(config)# ip tacacs source-interface loopback 0
OS10(config)# exit
OS10# write memory
Bind the NTP service to a loopback interface
Rationale: The NTP service is bound to a loopback interface so that the NTP service is not interrupted.
Configuration:
OS10(config)# ntp source loopback 0
OS10(config)# exit
OS10# write memory
Configure Control Plane Policing
Rationale: Use control-plane ACLs to selectively restrict packets that are destined to the CPU, which prevents flooding and DoS attacks.
Configuration:
OS10# configure terminal
OS10(config)# control-plane
OS10(config-control-plane)# ip access-group acl_name in
OS10(config-control-plane)# end
OS10# write memory
NOTE: Define the necessary ACL rules before applying the ACL to the control plane.
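The loopback and control-plane rules above are the kind of thing an operator wants to verify across many switches rather than by eye. The following is an added example, not code from the guide or from Dell: a small Python audit that reads an OS10 running-config excerpt and checks that exactly one loopback exists, that the TACACS and NTP sources point at a configured loopback, and that the ACL applied under control-plane is actually defined (the NOTE above). The config sample is constructed for the demo and deliberately violates the single-loopback rule; the stanza layout and regexes are assumptions about the show running-configuration text format.

```python
import re

# Constructed running-config excerpt for the demo (not from the guide);
# it deliberately has two loopbacks so one rule fails.
SAMPLE_CONFIG = """\
interface loopback 0
 ip address 192.0.2.1/32
 no shutdown
interface loopback 1
 ip address 192.0.2.2/32
ip tacacs source-interface loopback 0
ntp source loopback 0
ip access-list cp-acl
 seq 10 permit tcp any any eq 22
 seq 20 deny ip any any
control-plane
 ip access-group cp-acl in
"""

LOOPBACK = re.compile(r"^interface loopback (\d+)\s*$")
TACACS_SRC = re.compile(r"^ip tacacs source-interface loopback (\d+)\s*$")
NTP_SRC = re.compile(r"^ntp source loopback (\d+)\s*$")
ACL_DEF = re.compile(r"^ip access-list (\S+)\s*$")
CP_GROUP = re.compile(r"^\s+ip access-group (\S+) in\s*$")


def audit_os10_config(text):
    """Return {rule: (passed, detail)} for the loopback and control-plane rules."""
    loopbacks, acls = [], set()
    tacacs = ntp = cp_acl = None
    in_cp = False  # True while inside the 'control-plane' stanza
    for line in text.splitlines():
        if not line.startswith(" "):  # any new top-level stanza leaves control-plane
            in_cp = line.strip() == "control-plane"
        if m := LOOPBACK.match(line):
            loopbacks.append(m.group(1))
        elif m := TACACS_SRC.match(line):
            tacacs = m.group(1)
        elif m := NTP_SRC.match(line):
            ntp = m.group(1)
        elif m := ACL_DEF.match(line):
            acls.add(m.group(1))
        elif in_cp and (m := CP_GROUP.match(line)):
            cp_acl = m.group(1)  # only an access-group under control-plane counts
    return {
        "single-loopback": (len(loopbacks) == 1, f"loopbacks: {loopbacks}"),
        "tacacs-source-loopback": (tacacs in loopbacks, f"tacacs source: {tacacs}"),
        "ntp-source-loopback": (ntp in loopbacks, f"ntp source: {ntp}"),
        # The guide's NOTE: the ACL must exist before it is applied to the control plane.
        "control-plane-acl": (cp_acl is not None and cp_acl in acls, f"acl: {cp_acl}"),
    }


if __name__ == "__main__":
    for rule, (ok, detail) in audit_os10_config(SAMPLE_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'} {rule}: {detail}")
```

Run it against the output of show running-configuration saved to a file to get a per-rule pass/fail list for each device.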
Data plane rules
The data plane is the part of the network that carries user traffic. Data plane rules include services and settings that affect user data. Apply these rules on border-filtering devices that connect internal networks to external networks, such as the Internet.
Forbid private source addresses from external networks
Rationale: Private IP addresses are meant to be used in internal networks, such as networks that connect workstations, printers, DMZ, and so on. These IP addresses are not routed to the Internet, which uses public IP addresses. A private IP address originating from the
OS10 security best practices
19