Command Reference

S1720, S2700, S5700, and S6720 V200R011C10

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
MPAC Configuration Commands

Command Support

Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support MPAC.

description (MPAC policy)

Function

The description command configures the description for an MPAC policy.

The undo description command deletes the description of an MPAC policy.

By default, an MPAC policy does not have a description.

Format

description text

undo description

Parameters

Parameter Description Value
text Specifies the description of an MPAC policy. The value is a string of 1 to 255 case-sensitive characters with spaces supported.

Views

MPAC policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To configure a description for an existing MPAC policy, use the description command. Descriptions make MPAC policies easier to identify and manage on the device.

Prerequisites

An MPAC policy has been created using the service-security policy command.

Example

# Configure a description for an MPAC policy.

<HUAWEI> system-view
[HUAWEI] service-security policy ipv4 huawei
[HUAWEI-service-sec-huawei] description SwitchA-GE0/0/1 to SwitchB-GE0/0/1

display service-security binding

Function

The display service-security binding command displays the MPAC policies bound to an interface or bound globally.

Format

display service-security binding { ipv4 | ipv6 } [ interface interface-type interface-number ]

Parameters

Parameter Description Value
ipv4 Indicates the IPv4 MPAC policy. -
ipv6 Indicates the IPv6 MPAC policy. -
interface interface-type interface-number Indicates the interface to which MPAC policies are bound. -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

To check information about bound MPAC policies, run this command.

The display service-security binding { ipv4 | ipv6 } command displays all MPAC policies bound to interfaces and bound globally.

The display service-security binding { ipv4 | ipv6 } interface interface-type interface-number command displays the MPAC policies bound to a specified interface.

Example

# Display all IPv4 MPAC policies bound on the device.

<HUAWEI> display service-security binding ipv4
Configured  : Global
Policy Name : huawei

Interface  : GigabitEthernet0/0/1
Policy Name: A1

Interface  : Eth-Trunk1
Policy Name: A2

# Display the IPv4 MPAC policies bound to GE0/0/1.

<HUAWEI> display service-security binding ipv4 interface GigabitEthernet 0/0/1
Interface  : GigabitEthernet0/0/1
Policy Name: A1

Table 14-74  Description of the display service-security binding command output

Item Description
Configured The MPAC policy bound globally. This field has a fixed value of Global. If no MPAC policy is bound globally, this field is not displayed.
Interface Interface to which MPAC policies are bound.
Policy Name Name of an MPAC policy.

display service-security policy

Function

The display service-security policy command displays MPAC policy configurations.

Format

display service-security policy { ipv4 | ipv6 } [ security-policy-name ]

Parameters

Parameter Description Value
ipv4 Displays the specified IPv4 MPAC policy. -
ipv6 Displays the specified IPv6 MPAC policy. -
security-policy-name Specifies the name of an MPAC policy to be displayed. The value is a string of 1 to 31 case-sensitive characters without spaces. It must start with a letter.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

An MPAC policy protects device security by controlling the packets destined for the CPUs.

To check the MPAC rules, step, and description configured on a device, run the display service-security policy command.

Example

# Display all IPv4 MPAC policy configurations on a device.

<HUAWEI> display service-security policy ipv4
Policy Name : A1                                                                
Step        : 5                                                                 
                                                                                
Policy Name : huawei                                                            
Description : RouterA-GE1/0/1 to ROUTERB-GE1/0/1                                
Step        : 5                                                                 
 rule 5 permit protocol udp source-port 3503                                    

# Display the configuration of the IPv4 MPAC policy huawei.

<HUAWEI> display service-security policy ipv4 huawei
Policy Name : huawei
Step        : 5
 rule 5 permit protocol tcp source-ip 127.1.1.1 0 source-port 1000
 rule 10 permit protocol ip source-ip 10.10.1.0 0.0.0.255

Table 14-75  Description of the display service-security policy command output

Item Description
Policy Name Name of an MPAC policy.
Description Description of an MPAC policy.
Step Step between two MPAC rule IDs.
rule MPAC rules.

display service-security statistics

Function

The display service-security statistics command displays statistics about matched rules in MPAC policies.

Format

display service-security statistics { ipv4 | ipv6 } [ security-policy-name ]

Parameters

Parameter Description Value
ipv4 Displays statistics about matched rules in IPv4 MPAC policies. -
ipv6 Displays statistics about matched rules in IPv6 MPAC policies. -
security-policy-name Indicates the name of an MPAC policy. The value is a string of 1 to 31 case-sensitive characters without spaces. It must start with a letter.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

An MPAC policy protects device security by controlling the packets destined for the CPUs.

The display service-security statistics command displays MPAC policy information and how many times MPAC rules are matched.

Example

# Display statistics about matched rules in all IPv4 MPAC policies.

<HUAWEI> display service-security statistics ipv4
Policy Name : A1
Step        : 5

Policy Name : beijing
Description : mpac policy for ipv4    
Step        : 2
 rule 2 permit protocol any (0 times matched)
 rule 4 deny protocol any (0 times matched)
 rule 6 permit protocol bgp source-ip 10.1.1.1 0 destination-ip 10.1.1.2 0 (1 times matched)
 rule 12 permit protocol ftp source-ip 10.1.1.1 0 destination-ip 10.1.1.2 0 (0 times matched)
 rule 14 permit protocol ip source-ip 10.1.1.1 0 destination-ip 10.1.1.2 0 (0 times matched)
 rule 16 permit protocol ldp source-ip 10.1.1.1 0 destination-ip 10.1.1.2 0 (0 times matched)
 rule 20 permit protocol ntp source-ip 10.1.1.1 0 destination-ip 10.1.1.2 0 (0 times matched)
 rule 22 permit protocol ospf source-ip 10.1.1.1 0 destination-ip 10.1.1.2 0 (0times matched)
 rule 24 permit protocol rip source-ip 10.1.1.1 0 destination-ip 10.1.1.2 0 (0 times matched)
 rule 26 permit protocol rsvp source-ip 10.1.1.1 0 destination-ip 10.1.1.2 0 (0times matched)
 rule 28 permit protocol snmp source-ip 10.1.1.1 0 destination-ip 10.1.1.2 0 (0times matched)
 rule 30 permit protocol ssh source-ip 10.1.1.1 0 destination-ip 10.1.1.2 0 (0 times matched)
 rule 32 permit protocol tcp source-ip 10.1.1.1 0 destination-ip 10.1.1.2 0 (0 times matched)
 rule 34 permit protocol telnet source-ip 10.1.1.1 0 destination-ip 10.1.1.2 0 (0 times matched)
 rule 36 permit protocol tftp source-ip 10.1.1.1 0 destination-ip 10.1.1.2 0 (0times matched)
 rule 38 permit protocol udp source-ip 10.1.1.1 0 destination-ip 10.1.1.2 0 (0 times matched)

Policy Name : huawei
Step        : 5
 rule 5 permit protocol tcp source-ip 127.1.1.1 0 source-port 1000 (10 times matched)
 rule 10 permit protocol ip source-ip 10.10.1.0 0.0.0.255 (1 times matched)

# Display statistics about matched rules in the IPv4 MPAC policy named huawei.

<HUAWEI> display service-security statistics ipv4 huawei
Policy Name : huawei
Step        : 5
 rule 5 permit protocol tcp source-ip 127.1.1.1 0 source-port 1000 (10 times matched)
 rule 10 permit protocol ip source-ip 10.10.1.0 0.0.0.255 (1 times matched) 

Table 14-76  Description of the display service-security statistics command output

Item Description
Policy Name Name of an MPAC policy.
Description Description of an MPAC policy.
Step Step between two MPAC rule IDs.
rule MPAC rules.
(0 times matched) Number of times the MPAC rule has been matched.

reset service-security counters

Function

The reset service-security counters command deletes MPAC policy statistics.

Format

reset service-security counters { ipv4 | ipv6 } [ security-policy-name ]

Parameters

Parameter Description Value
ipv4 Deletes IPv4 MPAC policy statistics. -
ipv6 Deletes IPv6 MPAC policy statistics. -
security-policy-name Specifies the name of the MPAC policy whose statistics are to be deleted. The value is a string of 1 to 31 case-sensitive characters without spaces. It must start with a letter.

Views

User view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If a large volume of MPAC policy statistics has accumulated on a device and you want to observe new MPAC activity, run the reset service-security counters command to delete the existing statistics first.

With the security-policy-name parameter specified, you can delete statistics about the specified IPv4 or IPv6 MPAC policy. Without the security-policy-name parameter specified, you can delete statistics about all IPv4 or IPv6 MPAC policies.

Precautions

All existing MPAC policy statistics will be deleted after this command is executed.

Example

# Delete statistics about the IPv4 MPAC policy huawei.

<HUAWEI> reset service-security counters ipv4 huawei

rule (MPAC policy)

Function

The rule command adds a rule to an MPAC policy.

The undo rule command deletes a rule from an MPAC policy, or removes some of the match conditions (source-ip, destination-ip, source-port, destination-port) from a rule.

By default, an MPAC policy does not have a rule.

Format

rule [ rule-id ] { permit | deny } protocol { protocol-number | ftp | ssh | snmp | telnet | tftp | bgp | ldp | rsvp | ospf | rip | ntp | lsp-ping | dhcp-c | dhcp-r | ip } [ [ source-ip { source-ipv4-address { source-ipv4-mask | 0 } | any } ] | [ destination-ip { destination-ipv4-address { destination-ipv4-mask | 0 } | any } ] ] *

rule [ rule-id ] { permit | deny } protocol { tcp | tcp-protocol-number | udp | udp-protocol-number } [ [ source-port source-port-number ] | [ destination-port destination-port-number ] | [ source-ip { source-ipv4-address { source-ipv4-mask | 0 } | any } ] | [ destination-ip { destination-ipv4-address { destination-ipv4-mask | 0 } | any } ] ] *

rule [ rule-id ] { deny | permit } protocol { any | isis }

rule [ rule-id ] { permit | deny } protocol { protocol-number | ftp | ssh | snmp | telnet | tftp | bgp | ldp | rsvp | ospf | rip | ntp | lsp-ping | dhcp-c | dhcp-r | ip } [ [ source-ip { source-ipv6-address source-ipv6-prefix-length | source-ipv6-address/prefix-length | any } ] | [ destination-ip { destination-ipv6-address destination-ipv6-prefix-length | destination-ipv6-address/prefix-length | any } ] ] *

rule [ rule-id ] { permit | deny } protocol { tcp | tcp-protocol-number | udp | udp-protocol-number } [ [ source-port source-port-number ] | [ destination-port destination-port-number ] | [ source-ip { source-ipv6-address source-ipv6-prefix-length | source-ipv6-address/prefix-length | any } ] | [ destination-ip { destination-ipv6-address destination-ipv6-prefix-length | destination-ipv6-address/prefix-length | any } ] ] *

undo rule rule-id [ source-ip | destination-ip | source-port | destination-port ] *

Parameters

Parameter Description Value
rule-id Indicates the MPAC rule ID. The value is an integer that ranges from 0 to 4294967294.
deny Prevents protocol packets matching the rules from being sent to the CPU. -
permit Allows the protocol packets matching the rules to be sent to the CPU. -
protocol Specifies the protocol name or number. -
tcp Indicates the Transmission Control Protocol (TCP). -
tcp-protocol-number Indicates the TCP protocol number. It has a fixed value of 6.
udp Indicates the User Datagram Protocol (UDP). -
udp-protocol-number Indicates the UDP protocol number. It has a fixed value of 17.
source-port source-port-number Specifies the source port number of protocol packets. The value is an integer that ranges from 1 to 65535.
destination-port destination-port-number Specifies the destination port number of protocol packets. The value is an integer that ranges from 1 to 65535.
protocol-number Specifies a protocol number. The value is an integer that ranges from 1 to 255.
ftp Indicates the File Transfer Protocol (FTP). -
ssh Indicates the Secure Shell (SSH) protocol. -
snmp Indicates the Simple Network Management Protocol (SNMP). -
telnet Indicates the Telnet protocol. -
tftp Indicates the Trivial File Transfer Protocol (TFTP). -
bgp Indicates the Border Gateway Protocol (BGP). -
ldp Indicates the Label Distribution Protocol (LDP). -
rsvp Indicates the Resource Reservation Protocol (RSVP). -
ospf Indicates the Open Shortest Path First (OSPF) protocol. -
rip Indicates the Routing Information Protocol (RIP). -
ntp Indicates the Network Time Protocol (NTP). -
lsp-ping Indicates the Label Switched Path (LSP)-PING protocol. -
dhcp-c Indicates the Dynamic Host Configuration Protocol-C (DHCP-C) protocol. -
dhcp-r Indicates the DHCP-R protocol. -
ip Indicates the Internet Protocol (IP). -
source-ip Indicates the source address of protocol packets. -
source-ipv4-address Specifies a source IPv4 address. The value is in dotted decimal notation.
source-ipv4-mask | 0 Specifies the mask of the source IPv4 address, so that protocol packets from the specified subnet are sent to the CPU or discarded; 0 specifies a single source host, so that protocol packets from that host are sent to the CPU or discarded. The value is in dotted decimal notation.
destination-ip Indicates the destination address of protocol packets. -
destination-ipv4-address Specifies a destination IPv4 address. The value is in dotted decimal notation.
destination-ipv4-mask | 0 Specifies the mask of the destination IPv4 address, so that protocol packets destined for the specified subnet are sent to the CPU or discarded; 0 specifies a single destination host, so that protocol packets destined for that host are sent to the CPU or discarded. The value is in dotted decimal notation.
any Indicates any IP address. -
isis Indicates the Intermediate System to Intermediate System (IS-IS) protocol. -
source-ipv6-address Specifies a source IPv6 address. The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.
source-ipv6-prefix-length Specifies the prefix length of a source IPv6 address. The value is an integer that ranges from 1 to 128.
source-ipv6-address/prefix-length Specifies the source IPv6 address and prefix length. The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X/M. M is an integer that ranges from 1 to 128.
destination-ipv6-address Specifies a destination IPv6 address. The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.
destination-ipv6-prefix-length Specifies the prefix length of a destination IPv6 address. The value is an integer that ranges from 1 to 128.
destination-ipv6-address/prefix-length Specifies the destination IPv6 address and prefix length. The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X/M. M is an integer that ranges from 1 to 128.

Views

MPAC policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To match specific users or packets, run the rule command with a protocol name specified, or with the five packet attributes (protocol, source IP address, destination IP address, source port, and destination port) specified.

The MPAC matching rules for TCP/UDP are described in Table 14-77.
Table 14-77  Description of the MPAC matching rules for TCP/UDP

Protocol TCP/UDP Description
FTP TCP The source/destination port number is 21.
SSH TCP The source/destination port number is 22.
Telnet TCP The source/destination port number is 23.
BGP TCP The source/destination port number is 179.
LDP TCP/UDP TCP: The source/destination port number is 646. UDP: The destination port number is 646.
DHCP-R UDP IPv4: The destination port number is 67. IPv6: The destination port number is 547.
DHCP-C UDP IPv4: The destination port number is 68. IPv6: The destination port number is 546.
NTP UDP The destination port number is 123.
SNMP UDP The destination port number is 161.
RIP UDP IPv4: The destination port number is 520. IPv6: The destination port number is 521.
LSP-PING UDP The source/destination port number is 3503.

Prerequisites

An MPAC policy has been created using the service-security policy command.

Precautions

  • The MPAC rules configured in the IPv6 MPAC policy view (service6-sec) do not support IS-IS.
  • Exercise caution when using the rule [ rule-id ] deny protocol any command. If this command is executed in the system view, no protocol packets can be sent to the CPU, and the device becomes unmanageable.
  • If a whitelist is configured for an MPAC IPv6 policy, run the rule permit protocol 58 command so that ICMPv6 packets are still allowed through.

Example

# Add a rule to an MPAC policy.

<HUAWEI> system-view
[HUAWEI] service-security policy ipv4 huawei
[HUAWEI-service-sec-huawei] rule 5 permit protocol udp source-port 3503 destination-ip 127.0.0.1 255.255.255.255

service-security binding

Function

The service-security binding command binds an MPAC policy to an interface.

The undo service-security binding command unbinds an MPAC policy from an interface.

By default, no MPAC policy is applied to an interface.

Format

service-security binding { ipv4 | ipv6 } security-policy-name

undo service-security binding { ipv4 | ipv6 }

NOTE:
The ipv6 parameter is not supported in the subinterface view.

Parameters

Parameter Description Value
ipv4 Binds an IPv4 MPAC policy to an interface. -
ipv6 Binds an IPv6 MPAC policy to an interface. -
security-policy-name Specifies the name of an MPAC policy. The value is a string of 1 to 31 case-sensitive characters without spaces. It must start with a letter.

Views

Ethernet interface view, Ethernet subinterface view, GE interface view, GE subinterface view, XGE interface view, XGE subinterface view, 40GE interface view, 40GE subinterface view, Eth-Trunk interface view, Eth-Trunk subinterface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Attackers may pose as authorized users to send protocol packets to network devices or to take control of those devices, disrupting network operation. You can configure MPAC on network devices to allow only the specified protocol packets to be sent to the CPUs and to discard the rest, improving device security and reliability.

After an MPAC policy is created, run the service-security binding command to bind it to interfaces.

Prerequisites

An MPAC policy has been created using the service-security policy command.

Example

# Create an IPv4 MPAC policy and apply it to an interface.

<HUAWEI> system-view
[HUAWEI] service-security policy ipv4 huawei
[HUAWEI-service-sec-huawei] rule 5 permit protocol tcp source-port 1000 source-ip 127.1.1.1 0
[HUAWEI-service-sec-huawei] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] service-security binding ipv4 huawei

# Create an IPv6 MPAC policy and apply it to an interface.

<HUAWEI> system-view
[HUAWEI] service-security policy ipv6 huawei1
[HUAWEI-service6-sec-huawei1] rule 10 deny protocol tcp
[HUAWEI-service6-sec-huawei1] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] service-security binding ipv6 huawei1

service-security global-binding

Function

The service-security global-binding command binds an MPAC policy to a device globally.

The undo service-security global-binding command unbinds an MPAC policy from a device.

By default, no MPAC policy is globally applied.

Format

service-security global-binding { ipv4 | ipv6 } security-policy-name

undo service-security global-binding { ipv4 | ipv6 }

Parameters

Parameter Description Value
ipv4 Binds an IPv4 MPAC policy to a device globally. -
ipv6 Binds an IPv6 MPAC policy to a device globally. -
security-policy-name Specifies the name of an MPAC policy to be bound. The value is a string of 1 to 31 case-sensitive characters without spaces. It must start with a letter.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Attackers may pose as authorized users to send protocol packets to network devices or to take control of those devices, disrupting network operation. You can configure MPAC on network devices to allow only the specified protocol packets to be sent to the CPUs and to discard the rest, improving device security and reliability.

After an MPAC policy is created, run the service-security global-binding command to bind it to a device globally.

Prerequisites

An MPAC policy has been created using the service-security policy command.

Example

# Create an IPv4 MPAC policy and apply it to a device globally.

<HUAWEI> system-view
[HUAWEI] service-security policy ipv4 huawei
[HUAWEI-service-sec-huawei] rule 5 permit protocol tcp source-port 1000 source-ip 127.1.1.1 0
[HUAWEI-service-sec-huawei] quit
[HUAWEI] service-security global-binding ipv4 huawei

# Create an IPv6 MPAC policy and apply it to a device globally.

<HUAWEI> system-view
[HUAWEI] service-security policy ipv6 huawei1
[HUAWEI-service6-sec-huawei1] rule 10 deny protocol tcp
[HUAWEI-service6-sec-huawei1] quit
[HUAWEI] service-security global-binding ipv6 huawei1

service-security policy

Function

The service-security policy command creates an MPAC policy and displays its view.

The undo service-security policy command deletes an MPAC policy.

By default, no MPAC policy exists on a device.

Format

service-security policy { ipv4 | ipv6 } security-policy-name

undo service-security policy { ipv4 | ipv6 } [ security-policy-name ]

Parameters

Parameter Description Value
ipv4 Creates an IPv4 MPAC policy and displays its view. -
ipv6 Creates an IPv6 MPAC policy and displays its view. -
security-policy-name Specifies the name of an MPAC policy. The value is a string of 1 to 31 case-sensitive characters without spaces. It must start with a letter.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Attackers may pose as authorized users to send protocol packets to network devices or to take control of those devices, disrupting network operation. You can configure MPAC on network devices to allow only the specified protocol packets to be sent to the CPUs and to discard the rest, improving device security and reliability.

Example

# Create an IPv4 MPAC policy.

<HUAWEI> system-view
[HUAWEI] service-security policy ipv4 huawei
[HUAWEI-service-sec-huawei]

# Create an IPv6 MPAC policy.

<HUAWEI> system-view
[HUAWEI] service-security policy ipv6 huawei1
[HUAWEI-service6-sec-huawei1]

step (MPAC policy)

Function

The step command sets the step between two MPAC rule IDs.

The undo step command restores the default step between MPAC rule IDs.

By default, the step between two MPAC rule IDs is 5.

Format

step step-value

undo step

Parameters

Parameter Description Value
step-value Specifies the step between two MPAC rule IDs. The value is an integer that ranges from 1 to 20.

Views

MPAC policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A step is an increment between neighboring MPAC rule IDs automatically allocated by the system. For example, if the step is 5, the system allocates MPAC rules with IDs 5, 10, 15, 20...

To allow insertion of new rules, set a step for MPAC rule IDs by using the step command.

Prerequisites

MPAC policies have been created using the service-security policy command.

Configuration Impact

After you set a step, all the rule IDs in the MPAC policy are re-arranged using the new step.

Precautions

Setting the step only changes rule IDs, but will not change the rule priorities.

Example

# Set the step for MPAC rule IDs to 10.

<HUAWEI> system-view
[HUAWEI] service-security policy ipv4 huawei
[HUAWEI-service-sec-huawei] step 10
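
As an added example (not Huawei's code and not part of this reference), the Python model below applies the semantics of the rule command section, including the protocol keyword to port expansion of Table 14-77, together with the step command's renumbering of rule IDs, so that a policy such as huawei or beijing above can be checked offline against constructed packets. It assumes wildcard semantics for the address mask (0 selects a single host, as the parameter table states; 0.0.0.255 selects a /24, as in the display output), first-match evaluation in ascending rule ID order, an implicit permit for packets that match no rule, and auto-allocation of the next multiple of the step; names such as Policy, Packet, parse_rule and NAMED_PORTS are constructed, and only IPv4 is modelled.

```python
# Added example, not Huawei code: a model of MPAC rule matching (rule command, Table 14-77)
# and of step renumbering (step command). IPv4 only; every name here is constructed.
import ipaddress
from collections import namedtuple

TCP, UDP = 6, 17
# Keywords the rule command expands into transport protocol + port (Table 14-77, IPv4); "either" = source or destination port, "dst" = destination port only
NAMED_PORTS = {
    "ftp": [(TCP, 21, "either")], "ssh": [(TCP, 22, "either")], "telnet": [(TCP, 23, "either")],
    "bgp": [(TCP, 179, "either")], "ldp": [(TCP, 646, "either"), (UDP, 646, "dst")],
    "dhcp-r": [(UDP, 67, "dst")], "dhcp-c": [(UDP, 68, "dst")], "ntp": [(UDP, 123, "dst")],
    "snmp": [(UDP, 161, "dst")], "rip": [(UDP, 520, "dst")], "lsp-ping": [(UDP, 3503, "either")],
}
PROTO_NUMBERS = {"tcp": TCP, "udp": UDP, "ospf": 89, "rsvp": 46}  # IANA numbers, not from the page
FIELDS = {"source-ip": "src", "destination-ip": "dst", "source-port": "sport", "destination-port": "dport"}
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))  # proto: IP protocol number

def parse_rule(text):
    """Parse the CLI form, e.g. 'rule 5 permit protocol tcp source-ip 127.1.1.1 0 source-port 1000'."""
    t = text.split()
    i, rule = 1, {"id": None, "src": None, "dst": None, "sport": None, "dport": None}
    if t[i].isdigit(): rule["id"], i = int(t[i]), i + 1   # an omitted ID stays None for Policy.add
    rule["action"], rule["protocol"], i = t[i], t[i + 2], i + 3   # t[i + 1] is the literal "protocol"
    while i < len(t):
        key = FIELDS[t[i]]
        if key in ("src", "dst"):            # "any" or (address, wildcard)
            rule[key] = "any" if t[i + 1] == "any" else (t[i + 1], t[i + 2])
            i += 2 if t[i + 1] == "any" else 3
        else:
            rule[key], i = int(t[i + 1]), i + 2
    return rule

def _addr_ok(spec, ip):
    # spec: None, "any" or (address, wildcard). Wildcard bits of 0 must match, so wildcard "0"
    # selects one host and 0.0.0.255 a /24 (semantics inferred from the page's own examples).
    if spec in (None, "any"): return True
    keep = 0xFFFFFFFF ^ (0 if spec[1] == "0" else int(ipaddress.IPv4Address(spec[1])))
    return int(ipaddress.IPv4Address(ip)) & keep == int(ipaddress.IPv4Address(spec[0])) & keep

def rule_matches(rule, p):
    proto = rule["protocol"]
    if proto in NAMED_PORTS:
        if not any(p.proto == pr and (p.dport == port or (side == "either" and p.sport == port))
                   for pr, port, side in NAMED_PORTS[proto]):
            return False
    elif proto not in ("any", "ip") and p.proto != (PROTO_NUMBERS.get(proto) or int(proto)):
        return False                         # "ip" matches every IPv4 packet in this model
    if (rule["sport"] is not None and p.sport != rule["sport"]) or \
       (rule["dport"] is not None and p.dport != rule["dport"]):
        return False
    return _addr_ok(rule["src"], p.src) and _addr_ok(rule["dst"], p.dst)

class Policy:
    def __init__(self, step=5):              # the default step is 5
        self.step, self.rules = step, []
    def add(self, text):
        rule = parse_rule(text)
        if rule["id"] is None:               # auto-allocate the next multiple of step above the highest ID (assumption)
            rule["id"] = (max((r["id"] for r in self.rules), default=0) // self.step + 1) * self.step
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r["id"])
        return rule["id"]
    def set_step(self, step):
        """step command: IDs become step, 2*step, ...; rule order, and so priority, is unchanged."""
        self.step = step
        for n, r in enumerate(self.rules, 1):
            r["id"] = n * step
        return [r["id"] for r in self.rules]
    def check(self, p):
        """First match in ascending ID order decides; no match = permit (assumption, not stated on the page)."""
        for r in self.rules:
            if rule_matches(r, p):
                return r["action"], r["id"]
        return "permit", None
```

Note that an SNMP rule matches UDP destination port 161 only, while an LDP rule also matches a UDP packet only by destination port, which is why a sweep that sets the source port to 646 is not caught by a deny ldp rule in this model.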
Updated: 2019-04-18

Document ID: EDOC1000178165