Firewall filter between PPPoE access-users

Created: Sep 10, 2020 13:06:35 | Latest reply: Jan 10, 2021 17:49:44

Hello all,

The router BRAS is a Huawei NE40 or NE8000.

Consider the following scenario:

[pic1]

When a malicious user is generating an attack to external networks, we can apply a traffic-policy at the WAN interface and drop the offending traffic. This is quite simple and usual.

But with this second scenario, when a malicious user is generating an attack to internal users:

[pic2]

What are the best options to block this traffic?

Featured Answers

Recommended answer

chenhui
Admin Created Sep 11, 2020 01:51:03

Posted by rganacim at 2020-09-10 14:51: Hello @chenhui, All the users are normal PPPoE dialer users. In the first scenario, I configured a ...

Yes, there is a traffic-policy command that can be configured under the BAS interface view, but it's a value-added service. Kindly refer to https://support.huawei.com/hedex/hdx.do?docid=EDOC1100136152&id=EN-US_CLIREF_0249155327&lang=en


rganacim
rganacim Created Sep 11, 2020 12:04:10
Could you confirm if I need the NetEngine40E DAA Function License (LCR5DAA00) to run those commands?
I ask because the command traffic-policy isn't available inside bas layer2 on an NE40E running V800R011C10.
All Answers
DDSN
DDSN Admin Created Sep 10, 2020 13:08:55

Hi rganacim,
Please wait patiently. Our engineers are looking for answers to your questions.

chenhui Created Sep 10, 2020 13:47
Hi,
Is the malicious user a normal PPPoE dialer user? For the first scenario, what did you configure in the traffic-policy to drop the offending traffic? Did you just limit the bandwidth of the attacker?

LuizPuppin
LuizPuppin HCIE Author Created Sep 10, 2020 14:06:20

@chenhui In the first scenario, we can drop ports like TCP25, UDP445, UDP134, and more. But internal clients continue to be vulnerable to internal attackers.


rganacim Created Sep 10, 2020 14:51
Posted by chenhui at 2020-09-10 13:47: Hi, Is the malicious user a normal PPPoE dialer user? For the first scenario, what you configured in ...

Hello @chenhui,

All the users are normal PPPoE dialer users.

In the first scenario, I configured acl + behavior + traffic-policy and applied it to the interface. It just works as expected and drops the offending traffic.

But as @LuizPuppin said, in the second scenario we don't have an interface to apply the traffic-policy to. With other vendors, like Cisco and Juniper, it's possible to attach a traffic-policy to the "virtual-template", and at that point we can filter malicious traffic like that.

Does Huawei provide some way to filter this malicious traffic coming from a PPPoE user and going to another PPPoE user in the same box?


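The acl + behavior + traffic-policy chain rganacim describes for the first scenario (subscriber-to-Internet attack traffic dropped at the WAN interface), written out below as an added illustration. It is not part of any post in this thread and not Huawei's own documentation: the ACL number, the classifier/behavior/policy names and the interface name are assumptions chosen for the example, the port list is the one LuizPuppin mentioned, and the lines beginning with "#" followed by text are explanatory comments rather than configuration (in a VRP config file a bare "#" is only a section separator). Check the exact syntax against the CLI reference for your NE40E/NE8000 release before using it.

```text
# Constructed example (not from the thread): drop abuse traffic from PPPoE
# subscribers towards the Internet on the upstream (WAN) interface.
#
# 1. Advanced ACL (number assumed) that matches the offending destination
#    ports. "permit" here means "this packet is selected by the classifier";
#    the drop decision is made by the behavior, not by the ACL.
acl number 3001
 rule 5 permit tcp destination-port eq 25
 rule 10 permit udp destination-port eq 445
 rule 15 permit udp destination-port eq 134
#
# 2. Classifier bound to the ACL.
traffic classifier ABUSE-PORTS operator or
 if-match acl 3001
#
# 3. Behavior: discard matching packets and count them, so the hits are
#    visible afterwards with "display traffic policy statistics".
traffic behavior DROP
 deny
 statistic enable
#
# 4. Policy ties the classifier to the behavior.
traffic policy FILTER-ABUSE
 classifier ABUSE-PORTS behavior DROP
#
# 5. Apply it on the upstream interface (name assumed) in the outbound
#    direction, i.e. on traffic leaving the BRAS towards the external network.
interface GigabitEthernet0/1/0
 traffic-policy FILTER-ABUSE outbound
```

This only covers the first scenario. For the second one (subscriber-to-subscriber traffic that is switched inside the BRAS and never crosses a physical uplink) there is no interface to hang this policy on, which is exactly the gap the thread is about; the bas-view traffic-policy that chenhui links to is the candidate there, subject to the licensing and leased-line constraints discussed in this thread.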

Hi rganacim,
The LCR5DAA00 license controls the DAA function. And the documentation describes that the command 'traffic-policy (bas interface view)' requires the BAS interface to be configured as a Layer 2 or Layer 3 leased line interface.
You can find it at https://support.huawei.com/hedex/hdx.do?docid=EDOC1100109721&id=EN-US_CLIREF_0172386036&lang=en
I'm not sure if this is the switch that makes the command available or not.

very useful

good
