
Configuration Guide - Security

S9300, S9300E, and S9300X V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
(Optional) Disabling URPF for Specified Traffic

Background

After URPF check is enabled on an interface, the device performs the URPF check on all the packets passing through the interface. To prevent packets of a certain type from being discarded, you can disable URPF check for those packets. For example, if the device is configured to trust all the packets from a certain server, the device does not check these packets. To disable URPF check for such packets, run the ip urpf disable command in the traffic behavior view, and bind the traffic behavior and a traffic classifier in a traffic policy. When the traffic policy is applied globally or applied to an interface, a board, or a VLAN, the device does not perform URPF check on the traffic that matches the traffic classifier rules.

NOTE:

The SA series cards (except LE0DX12XSA00 card) do not support this function.

Procedure

  1. Configure a traffic classifier.
    1. Run system-view

      The system view is displayed.

    2. Run traffic classifier classifier-name [ operator { and | or } ] [ precedence precedence-value ]

      A traffic classifier is created and the traffic classifier view is displayed, or an existing traffic classifier view is displayed.

      The logical operator and between the rules in the traffic classifier means that:
      • If the traffic classifier contains ACL rules, packets match the traffic classifier only when they match one ACL rule and all the non-ACL rules.

      • If the traffic classifier does not contain any ACL rules, packets match the traffic classifier only when they match all the rules in the classifier.

      The logical operator or means that packets match the traffic classifier if they match one of the rules in the classifier.

      By default, the relationship between rules in a traffic classifier is OR.

    3. Configure matching rules according to the following table.
      NOTE:

      The if-match ip-precedence and if-match tcp commands are only valid for IPv4 packets.

      The LE1D2S04SEC0, LE1D2X32SEC0, and LE1D2H02QEC0 cards, and X series cards do not support traffic classifiers with advanced ACLs containing the ttl-expired field.

      When a traffic classifier contains if-match ipv6 acl { acl-number | acl-name }, the LE1D2S04SEC0, LE1D2X32SEC0, and LE1D2H02QEC0 cards, and X series cards do not support add-tag vlan-id vlan-id, remark 8021p [ 8021p-value | inner-8021p ], remark cvlan-id cvlan-id, remark vlan-id vlan-id, or mac-address learning disable.

      Matching rules (Matching Rule, Command, Remarks; rows without a Remarks line have no remarks):

      • Outer VLAN ID or inner and outer VLAN IDs of QinQ packets
        Command: if-match vlan-id start-vlan-id [ to end-vlan-id ] [ cvlan-id cvlan-id ]

      • Inner and outer VLAN IDs in QinQ packets
        Command: if-match cvlan-id start-vlan-id [ to end-vlan-id ] [ vlan-id vlan-id ]

      • 802.1p priority in VLAN packets
        Command: if-match 8021p 8021p-value &<1-8>
        Remarks: If you enter multiple 802.1p priority values in one command, a packet matches the traffic classifier if it matches any of the priorities, regardless of whether the relationship between rules in the traffic classifier is AND or OR.

      • Inner 802.1p priority in QinQ packets
        Command: if-match cvlan-8021p 8021p-value &<1-8>

      • Drop packet
        Command: if-match discard
        Remarks: A traffic classifier containing this matching rule can only be bound to traffic behaviors containing traffic statistics collection and flow mirroring actions.

      • Double tags in QinQ packets
        Command: if-match double-tag

      • EXP priority in MPLS packets
        Command: if-match mpls-exp exp-value &<1-8>
        Remarks: If you enter multiple MPLS EXP priority values in one command, a packet matches the traffic classifier if it matches any of the MPLS EXP priorities, regardless of whether the relationship between rules in the traffic classifier is AND or OR. SA cards of the S series, LE1D2S04SEC0 cards, LE1D2X32SEC0 cards, LE1D2H02QEC0 cards, and X series cards do not support matching of EXP priorities in MPLS packets.

      • Destination MAC address
        Command: if-match destination-mac mac-address [ [ mac-address-mask ] mac-address-mask ]

      • Source MAC address
        Command: if-match source-mac mac-address [ [ mac-address-mask ] mac-address-mask ]

      • Protocol type field in the Ethernet frame header
        Command: if-match l2-protocol { arp | ip | mpls | rarp | protocol-value }

      • All packets
        Command: if-match any

      • DSCP priority in IP packets
        Command: if-match [ ipv6 ] dscp dscp-value &<1-8>
        Remarks: If you enter multiple DSCP values in one command, a packet matches the traffic classifier if it matches any of the DSCP values, regardless of whether the relationship between rules in the traffic classifier is AND or OR. If the relationship between rules in a traffic classifier is AND, the if-match [ ipv6 ] dscp and if-match ip-precedence commands cannot be used in the traffic classifier simultaneously.

      • IP precedence in IP packets
        Command: if-match ip-precedence ip-precedence-value &<1-8>
        Remarks: The if-match [ ipv6 ] dscp and if-match ip-precedence commands cannot be configured in a traffic classifier in which the relationship between rules is AND. If you enter multiple IP precedence values in one command, a packet matches the traffic classifier if it matches any of the IP precedence values, regardless of whether the relationship between rules in the traffic classifier is AND or OR.

      • Layer 3 protocol type
        Command: if-match protocol { ip | ipv6 }

      • First Next Header field in the IPv6 packet header
        Command: if-match ipv6 next-header header-number first-next-header
        Remarks: The LE0MG24SA, LE0DX12XSA00, and LE0MG24CA cards of the S9300, and the LE0DX12XSA00 card of the S9300E do not support the routes whose prefix length ranges from 64 to 128.

      • SYN Flag in the TCP packet
        Command: if-match tcp syn-flag { syn-flag-value | ack | fin | psh | rst | syn | urg }

      • Inbound interface
        Command: if-match inbound-interface interface-type interface-number
        Remarks: A traffic policy containing this matching rule cannot be applied to the outbound direction or in the interface view.

      • Outbound interface
        Command: if-match outbound-interface interface-type interface-number
        Remarks: A traffic policy containing this matching rule cannot be applied to the inbound direction on the LE1D2S04SEC0, LE1D2X32SEC0, and LE1D2H02QEC0 cards, and X series cards. The traffic policy containing this matching rule cannot be applied in the interface view.

      • ACL rule
        Command: if-match acl { acl-number | acl-name }
        Remarks: When an ACL is used to define a traffic classification rule, it is recommended that the ACL be configured first. If an ACL in a traffic classifier defines multiple rules, a packet matches the ACL as long as it matches one of the rules, regardless of whether the relationship between rules in the traffic classifier is AND or OR.

      • ACL6 rule
        Command: if-match ipv6 acl { acl-number | acl-name }
        Remarks: Before specifying an ACL6 in a matching rule, configure the ACL6.

      • Flow ID
        Command: if-match flow-id flow-id
        Remarks: The traffic classifier containing if-match flow-id and the traffic behavior containing remark flow-id must be bound to different traffic policies. The traffic policy containing if-match flow-id can only be applied to an interface, a VLAN, a card, or the system in the inbound direction. The LE1D2S04SEC0, LE1D2X32SEC0, and LE1D2H02QEC0 cards, X series cards, and SA cards of the S series do not support matching of flow IDs.

    4. Run quit

      Exit from the traffic classifier view.

  2. Configure a traffic behavior.
    1. Run traffic behavior behavior-name

      A traffic behavior is created and the traffic behavior view is displayed, or the view of an existing traffic behavior is displayed.

    2. Run ip urpf disable

      URPF check is disabled for the specified traffic.

      By default, URPF check disabling is not configured in a traffic behavior.

    3. Run quit

      Exit from the traffic behavior view.

    4. Run quit

      Exit from the system view.

  3. Configure a traffic policy.
    1. Run system-view

      The system view is displayed.

    2. Run traffic policy policy-name [ match-order { auto | config } ]

      A traffic policy is created and the traffic policy view is displayed, or the view of an existing traffic policy is displayed.

      If no matching order is specified when you create a traffic policy, the default matching order is config.

      After a traffic policy is applied, you cannot use the traffic policy command to modify the matching order of traffic classifiers in the traffic policy. To modify the matching order, delete the traffic policy, re-create a traffic policy, and specify the matching order.

      When creating a traffic policy, you can specify the matching order of matching rules in the traffic policy. The matching order can be either automatic order or configuration order:
      • Automatic order: Traffic classifiers are matched based on the priorities of their types. Traffic classifiers based on the following information are in descending order of priority: Layer 2 and IPv4 Layer 3 information, advanced ACL6 information, basic ACL6 information, Layer 2 information, IPv4 Layer 3 information, and user-defined ACL information. If data traffic matches multiple traffic classifiers, and the traffic behaviors conflict with each other, the traffic behavior corresponding to the highest priority rule takes effect.
      • Configuration order: Traffic classifiers are matched based on their priorities. The traffic classifier with the highest priority is matched first. A smaller priority value indicates a higher priority of a traffic classifier. If precedence-value is not specified, the system allocates a priority to the traffic classifier. The allocated priority value is [(max-precedence + 5) / 5] x 5, where max-precedence specifies the maximum priority of a traffic classifier. For details about the priority of a traffic classifier, refer to the traffic classifier command.
    3. Run classifier classifier-name behavior behavior-name

      A traffic behavior is bound to a traffic classifier in a traffic policy.

    4. Run quit

      Exit from the traffic policy view.

    5. Run quit

      Exit from the system view.

  4. Apply the traffic policy.
    • Applying a traffic policy to an interface
      1. Run system-view

        The system view is displayed.

      2. Run interface interface-type interface-number[.subinterface-number ]

        The interface view or sub-interface view is displayed.

        NOTE:
        • Only the E series, X series, F series cards, and SC series cards support Ethernet sub-interface configuration. For details about the cards, see Cards in the Hardware Description.

        • Only hybrid and trunk interfaces on the preceding series of cards support Ethernet sub-interface configuration.
        • After you run the undo portswitch command to switch Layer 2 interfaces on the preceding series of cards into Layer 3 interfaces, you can configure Ethernet sub-interfaces on the interfaces.

        • The SA series cards do not support Ethernet sub-interface configuration and cannot forward IP traffic to Ethernet sub-interfaces on other cards.

        • You are advised to add a member interface to an Eth-Trunk and then configure an Eth-Trunk sub-interface. The Eth-Trunk sub-interface can be successfully configured only when the card on which the member interface locates supports Ethernet sub-interface configuration.

      3. Run traffic-policy policy-name { inbound | outbound }

        A traffic policy is applied to the interface or sub-interface.

        A traffic policy can only be applied to one direction on an interface but can be applied to different directions on different interfaces. After a traffic policy is applied to an interface, the system performs traffic policing for all the incoming or outgoing packets that match traffic classification rules on the interface.

        NOTE:
        • Sub-interfaces support only inbound.

        • It is not recommended that a traffic policy containing remark 8021p, remark cvlan-id, or remark vlan-id be used in the outbound direction of an untagged interface. Otherwise, the packet content may be incorrect.

        • On the LE0DX40SFC00 and LE1D2L02QFC0 cards, when an interface among interfaces 1-20 and an interface among interfaces 21-40 are added to the same Eth-Trunk or VLAN, the outgoing traffic rate of the Eth-Trunk or VLAN is limited by CAR, and the outgoing rate is twice the configured CAR value.

        • Applying traffic policies consumes ACL resources. If ACL resources are insufficient, some traffic policies will fail to be applied. One ACL is occupied for each interface to which the traffic policy is applied. When a traffic policy is applied to L VLANs on a device with N LPUs, L*N ACLs are occupied. When a traffic policy is applied globally on a device with N LPUs, N ACLs are occupied. For details about ACLs occupied by if-match rules, see Table 3 in "Licensing Requirements and Limitations for MQC" of MQC Configuration.

    • Applying a traffic policy to a VLAN
      1. Run system-view

        The system view is displayed.

      2. Run vlan vlan-id

        The VLAN view is displayed.

      3. Run traffic-policy policy-name { inbound | outbound }

        A traffic policy is applied to the VLAN.

        Only one traffic policy can be applied to the inbound or outbound direction of a VLAN.

        The system applies traffic policing to the packets that belong to the VLAN and match traffic classification rules in the inbound or outbound direction. However, the traffic policy does not take effect for packets in VLAN 0.

    • Applying a traffic policy to a VLANIF interface
      1. Run system-view

        The system view is displayed.

      2. Run interface vlanif vlan-id

        The VLANIF interface view is displayed.

      3. Run traffic-policy policy-name inbound

        A traffic policy is applied to the VLANIF interface.

        Only one traffic policy can be applied to the inbound direction on a VLANIF interface, but a traffic policy can be applied to the inbound direction on different VLANIF interfaces.

        A traffic policy cannot be applied to a VLANIF interface corresponding to the super-VLAN or MUX VLAN.

        On the LE1D2S04SEC0, LE1D2X32SEC0, and LE1D2H02QEC0 cards, and X series cards, a traffic policy that is applied to a VLANIF interface is only valid for unicast packets on the VLANIF interface. For other cards, a traffic policy that is applied to a VLANIF interface is only valid for unicast packets and Layer 3 multicast packets on the VLANIF interface.

        On the LE1D2S04SEC0, LE1D2X32SEC0, and LE1D2H02QEC0 cards, and X series cards, a traffic policy that is applied to a VLANIF interface cannot contain a traffic classifier defining user-defined ACLs.

        NOTE:
        A traffic policy cannot be applied to a VLANIF interface when the bound traffic behavior of the traffic policy defines the following actions:
        • remark vlan-id
        • remark cvlan-id
        • add-tag vlan-id
        • remark 8021p
        • remark flow-id
        • mac-address learning disable
    • Applying a traffic policy to the system or an LPU
      1. Run system-view

        The system view is displayed.

      2. Run traffic-policy policy-name global { inbound | outbound } [ slot slot-id ]

        A traffic policy is applied to the system or an LPU.

        Only one traffic policy can be applied to the system or LPU in one direction. A traffic policy cannot be applied to the same direction in the system and on the LPU simultaneously.
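As an added illustration (not code from the Huawei guide), the following Python model implements the classifier matching semantics described in step 1 (the and/or operator, including the special handling of ACL rules under and) and the per-packet outcome of binding a classifier to a behavior that contains ip urpf disable. The packet fields, the classifier name c_trusted, the server address 192.0.2.10 and the reading of the precedence formula are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Packet = Dict[str, object]          # constructed packet: a few header fields
Rule = Callable[[Packet], bool]     # one if-match rule modelled as a predicate

@dataclass
class Classifier:
    name: str
    operator: str = "or"            # default relationship between rules is OR
    acl_rules: List[Rule] = field(default_factory=list)    # from if-match acl
    other_rules: List[Rule] = field(default_factory=list)  # non-ACL if-match rules

    def matches(self, pkt: Packet) -> bool:
        acl_hit = any(r(pkt) for r in self.acl_rules)
        if self.operator == "or":
            # OR: any single rule, ACL or non-ACL, is enough
            return acl_hit or any(r(pkt) for r in self.other_rules)
        # AND with ACL rules: one ACL rule and every non-ACL rule must match;
        # AND without ACL rules: every rule must match
        if self.acl_rules and not acl_hit:
            return False
        return all(r(pkt) for r in self.other_rules)

@dataclass
class Policy:
    # (classifier, whether its bound behavior contains "ip urpf disable")
    bindings: List[Tuple[Classifier, bool]]

    def urpf_check_required(self, pkt: Packet) -> bool:
        for clf, urpf_disabled in self.bindings:   # first matching classifier wins
            if clf.matches(pkt):
                return not urpf_disabled
        return True   # nothing matched: the interface URPF check still runs

def allocate_precedence(max_precedence: int) -> int:
    # Configuration order: allocated value is [(max-precedence + 5) / 5] x 5.
    # Assumption: the square brackets mean rounding down to an integer.
    return ((max_precedence + 5) // 5) * 5

# Constructed sample: trust packets from server 192.0.2.10 that arrive in VLAN 100
TRUSTED_SERVER = Classifier(
    "c_trusted", "and",
    acl_rules=[lambda p: p["src"] == "192.0.2.10"],   # stands in for an ACL rule
    other_rules=[lambda p: p["vlan"] == 100],         # stands in for if-match vlan-id
)
POLICY = Policy([(TRUSTED_SERVER, True)])   # behavior b_trusted: ip urpf disable
```

With the and operator, a packet from the trusted server in another VLAN still goes through URPF check, which is the behaviour to expect when narrowing the exemption to one ingress VLAN.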

Updated: 2019-04-01

Document ID: EDOC1000178410