GPON OLT Basic Operations (10)

Latest reply: Jan 10, 2022 14:06:52


Hello, everyone!



Today, I will finish explaining a new topic – GPON OLT basic operations. This is the last article. Now, I will explain device management security. Let’s get started.


As I said in the last article, there are three methods to prevent unauthorized access to the device, and these are:


  • enabling and setting the firewall,

  • setting the ACL (Access Control List), and

  • setting access mode and network segment.


The firewall provides one type of traffic filtering. Packets with certain IP addresses pass through the firewall, while packets with other IP addresses are blocked and not allowed to pass any further, or are sent on to another level of security check. The firewall is disabled by default, which is why you need to enable it. This is as far as this article goes on the subject; the firewall is discussed in detail in the next HCIP course, in the security chapter. Finally, the command to activate the firewall:


TEST(config)#firewall enable


ACL is an abbreviation for Access Control List. The ACL determines which users or system processes are allowed to access the devices and which operations on those devices are allowed. The ACL filters incoming packets and makes its decision based on the source address, destination address and port number of the packet. There are different categories of ACL: basic ACL, advanced ACL, user-defined ACL, etc. As with the firewall, the details of the ACL are discussed in the next course.


The following commands create an ACL, acl 3000 (an advanced ACL), and define the packets that can (rule 5) and cannot (rule 10) access the device:


TEST(config)#acl 3000

TEST(config-acl-adv-3000)#rule 5 permit ip source 10.10.21.0 0.0.0.255 destination 10.10.20.1 0

TEST(config-acl-adv-3000)#rule 10 deny ip source 10.10.21.10



The next commands enable the ACL on an interface in the inbound or outbound direction; the examples below use inbound:


TEST(config)#interface vlanif 4000

TEST(config-if-vlanif4000)#firewall packet-filter 3000 inbound


TEST(config)#interface meth 0

TEST(config-if-meth0)#firewall packet-filter 3000 inbound



The following commands define access to the device over a specific protocol (such as SSH, telnet, or SNMP) and a specific set of IP addresses. One or more protocols may be enabled, and the device may be accessed by one or more other devices.


The command to add a protocol and range of access addresses is as follows:


TEST(config)#sysman ip-access telnet 10.10.21.1 10.100.21.2



Command to view and verify this configuration:


TEST(config)#display sysman ip-access telnet





This is the end of this article. I hope you learned something new!



Thank you!
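
How the two rules of ACL 3000 above decide individual packets, as an added example that is not part of the original post: a small Python evaluator for wildcard masks. It assumes rules are checked in ascending rule-ID order with the first match winning, reads rule 10 as the single host 10.10.21.10 to any destination, and takes the default action as a parameter; `wildcard_match`, `evaluate` and `ACL_3000` are names made up for this sketch.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit where the wildcard bit is 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF          # wildcard bit 1 = "don't care"
    return (a & care) == (b & care)


ANY = ("0.0.0.0", "255.255.255.255")   # matches every address

# ACL 3000 from the post. A wildcard written as "0" means 0.0.0.0 (exact host).
# Assumption: rule 10 has no wildcard or destination in the post, so it is
# modelled here as host 10.10.21.10 to any destination.
ACL_3000 = [
    (5, "permit", ("10.10.21.0", "0.0.0.255"), ("10.10.20.1", "0.0.0.0")),
    (10, "deny", ("10.10.21.10", "0.0.0.0"), ANY),
]


def evaluate(acl, src, dst, default="permit"):
    """Return (rule_id, action) for a packet from src to dst.

    Assumptions: rules are tried in ascending rule-ID order, the first match
    wins, and unmatched packets get `default`. Confirm both on the device.
    """
    for rule_id, action, s, d in sorted(acl):
        if wildcard_match(src, *s) and wildcard_match(dst, *d):
            return rule_id, action
    return None, default


if __name__ == "__main__":
    # Constructed sample packets (source, destination).
    samples = [
        ("10.10.21.77", "10.10.20.1"),   # inside the permitted /24
        ("10.10.21.10", "10.10.20.1"),   # the host rule 10 is meant to block
        ("10.10.21.10", "10.10.20.2"),   # same host, different destination
        ("10.10.22.5", "10.10.20.1"),    # outside the /24, no rule matches
    ]
    for src, dst in samples:
        print(src, "->", dst, evaluate(ACL_3000, src, dst))
```

Under these assumptions, 10.10.21.10 still reaches 10.10.20.1 because rule 5 matches before rule 10 is considered, so a host-specific deny has to be evaluated ahead of the broader permit to take effect.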



Precious
Moderator Created Dec 25, 2021 04:59:45

good sharing about GPON OLT Basic Operations

Sara_Obaid
Moderator Created Jan 10, 2022 14:06:52

Nice share on GPON OLT basic operations - device management security
