API Guide

Loopback rules
Loopback interfaces are virtual interfaces. Unlike physical interfaces, a loopback interface does not go down unless it is
manually removed. This property gives the device a stable, consistent address for identification and for sourcing management traffic.
Configure a loopback interface
Rationale: Configure a loopback interface that multiple system services can use as their source interface.
Configuration:
OS10(config)# interface loopback 0
OS10(config)# exit
OS10# write memory
Remove additional loopback interfaces
Rationale: Ensure that not more than one loopback interface is configured; remove every additional instance.
Configuration (loopback-instance is the number of the loopback interface to remove):
OS10(config)# no interface loopback loopback-instance
OS10(config)# exit
OS10# write memory
Bind AAA services to a loopback interface
Rationale: AAA services are bound to a loopback interface so that they are not interrupted when a physical interface goes down.
Configuration:
OS10(config)# ip tacacs source-interface loopback 0
OS10(config)# exit
OS10# write memory
Bind the NTP service to a loopback interface
Rationale: The NTP service is bound to a loopback interface so that NTP synchronization is not interrupted when a physical interface goes down.
Configuration:
OS10(config)# ntp source loopback 0
OS10(config)# exit
OS10# write memory
Configure Control Plane Policing
Rationale: Use control-plane ACLs to selectively restrict the packets that are destined to the CPU, which prevents flooding and
DoS attacks against the control plane.
Configuration:
OS10# configure terminal
OS10(config)# control-plane
OS10(config-control-plane)# ip access-group acl_name in
OS10(config-control-plane)# end
OS10# write memory
NOTE: Define the necessary ACL rules (including permits for the management, routing-protocol, AAA, and NTP traffic the device must accept) before applying the ACL to the control plane.
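The loopback, AAA/NTP source-interface, and control-plane ACL rules above are easy to check against a saved running-config. The following audit script is an added example written for this guide; it is not Dell code and does not use any OS10 API. It parses OS10-style CLI text with the same commands the page shows, and the two configuration excerpts embedded in it are constructed samples, not captures from a real device. The stanza parser assumes the usual OS10 show-running-configuration layout (top-level commands at column 0, sub-commands indented, "!" separators).

```python
"""Audit an OS10-style running-config for the loopback, AAA/NTP source and
control-plane ACL rules. Added example, not Dell code; see lead-in."""
import re

# Constructed sample excerpts (OS10-style syntax, not captured from a device).
# COMPLIANT follows the rules; NONCOMPLIANT violates three of them.
COMPLIANT = """\
interface loopback 0
 ip address 10.255.0.1/32
 no shutdown
!
ip access-list cp-acl
 seq 10 permit tcp 10.1.0.0/24 any eq 22
 seq 20 permit udp host 10.1.0.5 any eq 161
 seq 30 deny ip any any
!
ip tacacs source-interface loopback 0
ntp source loopback 0
!
control-plane
 ip access-group cp-acl in
!
"""

NONCOMPLIANT = """\
interface loopback 0
 ip address 10.255.0.1/32
!
interface loopback 1
!
ip tacacs source-interface loopback 0
ntp source ethernet 1/1/1
!
control-plane
 ip access-group cp-acl in
!
"""


def config_blocks(config):
    """Yield (top-level command, [indented sub-commands]) for each stanza.
    Assumes column-0 headers, indented children and '!' separators."""
    header, children = None, []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" "):
            if header is not None:
                children.append(line.strip())
        else:
            if header is not None:
                yield header, children
            header, children = line.strip(), []
    if header is not None:
        yield header, children


def audit(config):
    """Return a list of findings; an empty list means all rules are met."""
    findings = []
    blocks = list(config_blocks(config))
    headers = [h for h, _ in blocks]

    # Loopback rules: exactly one loopback interface should exist.
    loopbacks = [h.split()[-1] for h in headers
                 if re.fullmatch(r"interface loopback \d+", h)]
    if not loopbacks:
        findings.append("loopback: no loopback interface configured")
    elif len(loopbacks) > 1:
        findings.append("loopback: more than one loopback interface configured ("
                        + ", ".join(loopbacks) + ")")

    # AAA (TACACS+) and NTP must source from a loopback, not a physical port.
    for service, prefix in (("tacacs", "ip tacacs source-interface "),
                            ("ntp", "ntp source ")):
        src = next((h[len(prefix):] for h in headers if h.startswith(prefix)), None)
        if src is None:
            findings.append(f"{service}: no source interface configured")
        elif not src.startswith("loopback "):
            findings.append(f"{service}: source interface is '{src}', not a loopback")

    # Control-plane ACL: applied inbound, defined, and not empty
    # (an ACL applied before its rules exist is the caveat in the NOTE above).
    acls = {h.split()[2]: children for h, children in blocks
            if h.startswith("ip access-list ")}
    cp_children = next((c for h, c in blocks if h == "control-plane"), [])
    applied = [m.group(1) for line in cp_children
               if (m := re.fullmatch(r"ip access-group (\S+) in", line))]
    if not applied:
        findings.append("control-plane: no inbound ACL applied")
    for name in applied:
        if name not in acls:
            findings.append(f"control-plane: ACL '{name}' applied but not defined")
        elif not acls[name]:
            findings.append(f"control-plane: ACL '{name}' has no entries")
    return findings


if __name__ == "__main__":
    for label, cfg in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(label, audit(cfg) or "OK")
```

Run it against the text of "show running-configuration" saved from the switch. The constructed NONCOMPLIANT sample yields three findings: a second loopback interface, NTP sourced from a physical ethernet port, and a control-plane ACL applied without being defined.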
Data plane rules
The data plane is part of the network that carries user traffic. Data plane rules include services and settings that affect user
data. Apply these rules on border-filtering devices that connect internal networks to external networks, such as the Internet.
Forbid private source addresses from external networks
Rationale: Private IP addresses are meant for internal networks, such as those that connect workstations, printers, and the
DMZ. They are not routed on the Internet, which uses public IP addresses. A private IP address
OS10 security best practices