Here is the step-by-step configuration for implementing Access Lists (ACLs) on Huawei routers such as the NetEngine series routers, utilizing the ip-pool and source-pool for simplicity and convenience.
1. Create ip-pool and port-pool
acl ip-pool allowed_ip
 ip address 192.168.0.0 0.0.0.255
acl port-pool allowed_port
 eq 22
2. Create ACL
acl number 88
 description ACL88
 rule 10 permit tcp source-pool allowed_ip destination-port-pool allowed_port
 rule 20 deny tcp destination-port-pool allowed_port
 rule 30 permit ip
3. Create traffic policy and apply ACL
traffic classifier…
Tag: ACL
Here is the step-by-step configuration for implementing Access Lists (ACLs) on Cisco routers such as the ASR9000 running IOS-XR, utilizing object-groups for simplicity and convenience.
1. Create object-groups
object-group network ipv4 allowed_ip
 192.168.0.0/24
object-group port allowed_port
 eq ssh
2. Create ACL
ipv4 access-list ACL88
 10 permit tcp net-group allowed_ip any port-group allowed_port
 20 deny tcp any any port-group allowed_port
 30 permit ipv4 any any
3. Apply ACL
interface Te0/0/0/0
 ipv4 access-group ACL88 egress
Verification:
show object-group network ipv4…
PAT, or Port Address Translation, also known as NAT Overloading, is a modified form of dynamic NAT in which multiple inside local addresses are translated to a single inside global IP address. It is the most popular form of NAT, as the setup is the same as what we use on our home connection: your Internet Service Provider (ISP) usually provides only one public IP to communicate with its internet router. Just remember the phrase many-to-one mapping. Objective:…
Here is the basic configuration for implementing different types of Network Address Translation (NAT) on Cisco routers.
Fig. 1 Static NAT (1-to-1 Translation)
(Objective: to translate PC-1's private IP 192.168.0.2 to the public IP 200.200.200.3)
Configuration: Router1
Main Static NAT configuration:
ip nat inside source static <Inside local IP> <Inside global IP>
Sample Config:
Router1(config)# ip nat inside source static 192.168.0.2 200.200.200.3
interface FastEthernet0/0
 description Connection to PC-1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
interface FastEthernet0/1
 description Connection to Router2…
SSH Configuration Examples on Huawei Routers. Here are the configuration examples, where 192.168.100.100 = Jumphost IP (the IP allowed to SSH into the device).
1. Enable the SSH service
stelnet server enable
2. Configure the key exchange algorithm
ssh server key-exchange { dh_group_exchange_sha256 dh_group_exchange_sha1 ecdh_sha2_nistp256 ecdh_sha2_nistp384 ecdh_sha2_nistp521 sm2_kep }
3. Configure the encryption algorithm
ssh server cipher { aes256_ctr aes128_ctr aes256_cbc aes128_cbc 3des_cbc }
4. Configure the HMAC algorithm
ssh server hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 }
5.…
As mentioned in the previous post, bogon prefixes or routes should never appear in the Internet routing table. Network engineers should implement "best practices" in their network, which include filtering bogons, as they may be used in DDoS attacks or spam. Refer to https://freenetworktutorials.com/ipv4-and-ipv6-bogon-address-list for more info. "Martian" bogons may change occasionally, so at least make sure the private addresses mentioned in https://freenetworktutorials.com/ipv4-classful-and-reserved-addresses are filtered so they won't leak out into the Internet. Here are the sample steps and configuration. 1. Create the Ingress…