Configuration Guide - Security

S9300, S9300E, and S9300X V200R011C10

This document describes the configuration of security features, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, and security risks.
Example for Configuring MPAC

Networking Requirements

An attacker with a known IP address is detected on the enterprise campus network shown in Figure 16-3. The attacker sends various TCP/IP packets to SwitchA, which may cause SwitchA to break down. To prevent the attacker's packets from being sent to the CPU, configure an MPAC policy on SwitchA.

Figure 16-3  MPAC network diagram

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure the IPv4 MPAC policy test on SwitchA.

  2. Apply the IPv4 MPAC policy test to SwitchA globally.

  3. Apply the IPv4 MPAC policy test to GE1/0/2.

Procedure

  1. Configure the IPv4 MPAC policy test on SwitchA.

    <Quidway> system-view
    [Quidway] sysname SwitchA
    [SwitchA] service-security policy ipv4 test
    [SwitchA-service-sec-test] rule 10 deny protocol ip source-ip 10.10.1.1 0
    [SwitchA-service-sec-test] step 10
    [SwitchA-service-sec-test] description rule 10 is deny ip packet which from 10.10.1.1
    [SwitchA-service-sec-test] quit

  2. Apply the IPv4 MPAC policy test to SwitchA globally.

    [SwitchA] service-security global-binding ipv4 test

  3. Apply the IPv4 MPAC policy test to GE1/0/2 of SwitchA.

    [SwitchA] interface GigabitEthernet 1/0/2
    [SwitchA-GigabitEthernet1/0/2] undo portswitch
    [SwitchA-GigabitEthernet1/0/2] service-security binding ipv4 test
    [SwitchA-GigabitEthernet1/0/2] quit

  4. Verify the configuration.

    Run the display service-security statistics command to check the MPAC policy information and the number of times each IPv4 MPAC rule has been matched.

    [SwitchA] display service-security statistics ipv4 test
    Policy Name : test
    Description : rule 10 is deny ip packet which from 10.10.1.1
    Step        : 10
     rule 10 deny protocol ip source-ip 10.10.1.1 0 (10 times matched)  

Configuration Files

SwitchA configuration file

    #
    sysname SwitchA
    #
    service-security global-binding ipv4 test
    #
    service-security policy ipv4 test
     description rule 10 is deny ip packet which from 10.10.1.1
     step 10
     rule 10 deny protocol ip source-ip 10.10.1.1 0
    #
    interface GigabitEthernet1/0/2
     undo portswitch
     service-security binding ipv4 test
    #
    return
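
The following audit script is an added example, not part of the Huawei guide. It parses a saved configuration file in the layout shown above and reports each IPv4 MPAC policy's rules and binding points, flagging policies that are defined but never bound and bindings that name an undefined policy. The function name `audit_mpac`, the extra policy `spare`, and the assumption that sub-commands are indented by one space inside `#`-separated sections are constructed for illustration.

```python
import re

# Constructed sample: the SwitchA configuration file from this page plus one
# hypothetical policy "spare" that is defined but never bound.
SAMPLE_CONFIG = """\
#
sysname SwitchA
#
service-security global-binding ipv4 test
#
service-security policy ipv4 test
 description rule 10 is deny ip packet which from 10.10.1.1
 step 10
 rule 10 deny protocol ip source-ip 10.10.1.1 0
#
service-security policy ipv4 spare
 rule 10 deny protocol ip source-ip 10.10.2.2 0
#
interface GigabitEthernet1/0/2
 undo portswitch
 service-security binding ipv4 test
#
return
"""

def audit_mpac(config):
    """Return IPv4 MPAC policies, where each is bound, and any mismatches."""
    policies, bindings = {}, {}   # name -> [rule lines], name -> [bind points]
    section = ""                  # current top-level command ("" between sections)
    for line in config.splitlines():
        text = line.strip()
        if not text or text == "#":
            section = ""
        elif not line.startswith(" "):            # top-level command opens a section
            section = text
            if m := re.fullmatch(r"service-security policy ipv4 (\S+)", text):
                policies.setdefault(m[1], [])
            elif m := re.fullmatch(r"service-security global-binding ipv4 (\S+)", text):
                bindings.setdefault(m[1], []).append("global")
        elif section.startswith("interface "):
            if m := re.fullmatch(r"service-security binding ipv4 (\S+)", text):
                bindings.setdefault(m[1], []).append(section.split(None, 1)[1])
        elif section.startswith("service-security policy ipv4 ") and text.startswith("rule "):
            policies[section.split()[-1]].append(text)
    return {"policies": policies, "bindings": bindings,
            "unbound": sorted(set(policies) - set(bindings)),     # defined, never applied
            "undefined": sorted(set(bindings) - set(policies))}   # applied, never defined
```

A non-empty `unbound` list means a deny rule exists in the file but is not applied globally or on any interface, so it filters nothing.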
Updated: 2019-04-01

Document ID: EDOC1000178410
