You perform this procedure in NSX-T Data Center to configure logging servers, enable logging for distributed and gateway firewall rules, and enable port binding for the Spoof Guard segment profile.

Procedure

  1. In a Web browser, log in to the NSX-T Manager for the management domain by using the user interface and go to Policy View.

    Setting      Value
    URL          https://sfo-m01-nsx01.sfo.rainpole.io
    User name    administrator@vsphere.local

  2. NIST80053-VI-NET-CFG-01455 Create a Spoof Guard segment profile with port binding enabled.
    1. In a Web browser, log in as an administrator to the NSX-T Manager cluster for the management domain by using the user interface.
    2. In the upper-right corner, switch to the Policy tab.
    3. On the main navigation bar, click Networking.
    4. In the left pane, click Segments and click the Segment Profiles tab.
    5. Click Add Segment Profile > Spoof Guard.
    6. Enter a name for the profile, enable Port Bindings, and click Save.
    7. Click the Segments tab.
    8. For the first segment, click the ellipses menu and click Edit.
    9. Under Segment profiles, from the Spoof guard drop-down menu, select the newly created Spoof Guard segment profile, click Save, and click Close editing.
    10. Repeat for the remaining configured segments.
  3. NIST80053-VI-NET-CFG-01460 Configure the Tier-0 gateway to use the maximum prefixes setting to protect against route table flooding and prefix de-aggregation attacks.
    1. On the main navigation bar, click Networking.
    2. In the left pane, click Tier-0 gateways.
    3. Expand the Tier-0 gateway to see its full configuration.
    4. Expand the BGP section and click the number for the BGP Neighbors.
    5. In the Set BGP neighbors dialog box, click the vertical ellipses menu and click Edit for the first neighbor.
    6. Click the number in the Route filter column.
    7. In the Set Route Filter dialog box, click the vertical ellipses menu and click Edit to configure the maximum routes value, specific to your environment.
    8. Repeat these steps as needed to configure all neighbors with a maximum routes value.
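As an added compliance check that is not part of this procedure or of VMware's documentation, the following Python script audits NSX-T Policy API objects for both controls above (Spoof Guard port binding on every segment, and a maximum routes limit on every BGP neighbor). The field names are assumptions drawn from the NSX-T Policy API reference, and the sample objects are constructed; confirm both against your NSX-T version.

```python
"""Audit NSX-T Policy API objects for NIST80053-VI-NET-CFG-01455 and -01460."""

# Assumed field names (verify against the Policy API reference for your version):
#   SpoofGuardProfile.address_binding_allowlist  (address_binding_whitelist on older builds)
#   SegmentSecurityProfileBindingMap.parent_path / .spoofguard_profile_path
#   BgpNeighborConfig.route_filtering[].maximum_routes

# Constructed sample objects, shaped like the "results" arrays of the listing endpoints.
PROFILES = [
    {"id": "default-spoofguard-profile", "path": "/infra/spoofguard-profiles/default-spoofguard-profile",
     "address_binding_allowlist": False},
    {"id": "sfo-m01-spoofguard-pb", "path": "/infra/spoofguard-profiles/sfo-m01-spoofguard-pb",
     "address_binding_allowlist": True},
]
SEGMENTS = [
    {"id": "sfo-m01-seg01", "path": "/infra/segments/sfo-m01-seg01"},
    {"id": "sfo-m01-seg02", "path": "/infra/segments/sfo-m01-seg02"},
]
BINDING_MAPS = [  # one SegmentSecurityProfileBindingMap per segment
    {"parent_path": "/infra/segments/sfo-m01-seg01",
     "spoofguard_profile_path": "/infra/spoofguard-profiles/sfo-m01-spoofguard-pb"},
    {"parent_path": "/infra/segments/sfo-m01-seg02",
     "spoofguard_profile_path": "/infra/spoofguard-profiles/default-spoofguard-profile"},
]
BGP_NEIGHBORS = [
    {"id": "tor-a", "neighbor_address": "172.16.11.1",
     "route_filtering": [{"address_family": "IPV4", "maximum_routes": 200}]},
    {"id": "tor-b", "neighbor_address": "172.16.11.2",
     "route_filtering": [{"address_family": "IPV4"}]},  # no maximum routes configured
]


def port_binding_profile_paths(profiles):
    """Paths of Spoof Guard profiles that have port binding enabled."""
    return {p["path"] for p in profiles
            if p.get("address_binding_allowlist") or p.get("address_binding_whitelist")}


def segments_without_port_binding(segments, binding_maps, profiles):
    """Segment ids not bound to a port-binding Spoof Guard profile; unbound segments also fail."""
    compliant = port_binding_profile_paths(profiles)
    bound = {m["parent_path"]: m.get("spoofguard_profile_path") for m in binding_maps}
    return [s["id"] for s in segments if bound.get(s["path"]) not in compliant]


def neighbors_without_max_routes(neighbors):
    """BGP neighbor ids whose route filters set no maximum_routes for any address family."""
    return [n["id"] for n in neighbors
            if not any(f.get("maximum_routes") for f in n.get("route_filtering") or [])]


if __name__ == "__main__":
    print("Segments missing port binding:", segments_without_port_binding(SEGMENTS, BINDING_MAPS, PROFILES))
    print("BGP neighbors without maximum routes:", neighbors_without_max_routes(BGP_NEIGHBORS))
```

Feed it the JSON returned by the corresponding GET endpoints on the NSX-T Manager instead of the sample lists to audit a live environment.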