S600-E V200R012C00 NETCONF YANG API Reference

This document describes the NETCONF YANG API functions supported by the switch, including the data model and samples.
Local Attack Defense

This section describes the configuration model of local attack defense and provides examples of XML packets.

Data Model

The data model file for local attack defense is huawei-cpu-traffic-security.yang.

Table 2-253  Local attack defense configuration

Object: /huawei-traffic:attack-user/input/slot
Description: Displays attack source information of a specified slot.
Value: The value depends on the switch configuration.
Remarks: NA

Object: /huawei-traffic:portattack-user/input/slot
Description: Displays attack source tracing information on the interfaces in the specified slot.
Value: The value depends on the switch configuration.
Remarks: NA

Object: /huawei-traffic:defend/policy/policy-list/name
Description: Indicates the name of an attack defense policy.
Value: The value is a string of 1 to 32 case-sensitive characters.
Remarks: NA

Object: /huawei-traffic:defend/policy/policy-list/auto-port-defend/enable
Description: Indicates whether port attack defense is enabled.
Value: The value is of the Boolean type:
  • true: Port attack defense is enabled.
  • false: Port attack defense is disabled.
By default, port attack defense is enabled.
Remarks: To avoid conflicts, ensure that the configurations of other auto-port-defend nodes are deleted if auto-port-defend/enable is set to false.

Object: /huawei-traffic:defend/policy/policy-list/auto-port-defend/alarm
Description: Indicates whether the function of reporting port attack defense events is enabled.
Value: The value is of the Boolean type:
  • true: The function of reporting port attack defense events is enabled.
  • false: The function of reporting port attack defense events is disabled.
By default, the function of reporting port attack defense events is disabled.
Remarks: NA

Object: /huawei-traffic:defend/policy/policy-list/auto-port-defend/sample
Description: Indicates the protocol packet sampling ratio for port attack defense.
Value: The value is an integer that ranges from 1 to 1024.
Remarks: NA

Object: /huawei-traffic:defend/policy/policy-list/auto-port-defend/whitelist/whitelist-id-list/whitelist-id
Description: Indicates the ID of the whitelist for port attack defense.
Value: The value is an integer that ranges from 1 to 32.
Remarks: NA

Object: /huawei-traffic:defend/policy/policy-list/auto-port-defend/whitelist/whitelist-id-list/acl
Description: Indicates the number of the ACL applied to the whitelist for port attack defense.
Value: The value is an integer that ranges from 2000 to 3999.
Remarks: This node cannot be configured simultaneously with the node /huawei-traffic:defend/policy/policy-list/auto-port-defend/whitelist/whitelist-id-list/interface-name.

Object: /huawei-traffic:defend/policy/policy-list/auto-port-defend/whitelist/whitelist-id-list/interface-name
Description: Indicates the interface to which the whitelist for port attack defense is applied.
Value: The value is a string in the format of interface type + interface number, for example, GigabitEthernet0/0/1.
Remarks: NA

Object: /huawei-traffic:defend/policy/policy-list/auto-port-defend/aging-time
Description: Indicates the aging time for port attack defense.
Value: The value is an integer that ranges from 30 to 86400, and must be a multiple of 10.
Remarks: NA

Object: /huawei-traffic:defend/policy/policy-list/auto-port-defend/protocol/protocol-port-type-list/protocol-port-type
Description: Indicates the protocols to which port attack defense is applied.
Value: The value is of the enumerated type:
  • arpreply
  • arprequest
  • dhcp
  • icmp
  • igmp
  • ip-fragment
Remarks: NA

Object: /huawei-traffic:defend/policy/policy-list/auto-port-defend/protocol/protocol-port-type-list/threshold
Description: Indicates the protocol packet rate threshold for port attack defense.
Value: The value is an integer that ranges from 1 to 65535.
Remarks: NA

Object: /huawei-traffic:defend/policy/policy-list/auto-defend/enable
Description: Indicates whether the attack source tracing function is enabled.
Value: The value is of the Boolean type:
  • true: The attack source tracing function is enabled.
  • false: The attack source tracing function is disabled.
By default, attack source tracing is enabled.
Remarks: To avoid conflicts, ensure that the configurations of other auto-defend nodes are deleted if auto-defend/enable is set to false.

Object: /huawei-traffic:defend/policy/policy-list/auto-defend/threshold
Description: Indicates the checking threshold and event reporting threshold for attack source tracing.
Value: The value is an integer that ranges from 1 to 65535.
Remarks: NA

Object: /huawei-traffic:defend/policy/policy-list/auto-defend/alarm
Description: Indicates whether the function for reporting attack source tracing events is enabled.
Value: The value is of the Boolean type:
  • true: The function for reporting attack source tracing events is enabled.
  • false: The function for reporting attack source tracing events is disabled.
By default, the function for reporting attack source tracing events is disabled.
Remarks: NA

Object: /huawei-traffic:defend/policy/policy-list/auto-defend/sample
Description: Indicates the packet sampling ratio for attack source tracing.
Value: The value is an integer that ranges from 1 to 1024.
Remarks: NA

Object: /huawei-traffic:defend/policy/policy-list/auto-defend/whitelist/whitelist-id-list/whitelist-id
Description: Indicates the ID of a whitelist for attack source tracing.
Value: The value is an integer that ranges from 1 to 32.
Remarks: NA

Object: /huawei-traffic:defend/policy/policy-list/auto-defend/whitelist/whitelist-id-list/interface-name
Description: Indicates the interface to which the whitelist for attack source tracing is applied.
Value: The value is a string in the format of interface type + interface number, for example, GigabitEthernet0/0/1.
Remarks: NA

Object: /huawei-traffic:defend/policy/policy-list/auto-defend/whitelist/whitelist-id-list/acl
Description: Indicates the number of the ACL applied to the whitelist for attack source tracing.
Value: The value is an integer that ranges from 2000 to 3999.
Remarks: This node cannot be configured simultaneously with the node /huawei-traffic:defend/policy/policy-list/auto-defend/whitelist/whitelist-id-list/interface-name.

Object: /huawei-traffic:defend/policy/policy-list/auto-defend/action
Description: Indicates the punish action taken on the attack source.
Value: The value is of the enumerated type:
  • deny: Packets from an attack source are discarded.
  • error-down: The interface receiving attack packets is set to the Error-Down state.
Remarks: NA

Object: /huawei-traffic:defend/policy/policy-list/auto-defend/recover-timer
Description: Indicates the period during which packets sent from an attack source are discarded.
Value: The value is an integer that ranges from 1 to 86400.
Remarks: When this node is configured, the node /huawei-traffic:defend/policy/policy-list/auto-defend/action must be set to deny.

Object: /huawei-traffic:defend/policy/policy-list/auto-defend/protocol-list/protocol
Description: Indicates the type of traced packets.
Value: The value is of the enumerated type:
  • eap
  • arp
  • dhcp
  • dhcpv6
  • icmp
  • icmpv6
  • igmp
  • mld
  • nd
  • tcp
  • telnet
  • ttl-expired
  • udp
Remarks: The value eap indicates 802.1X. If eap is configured, 802.1X packets are traced on the switch.

Object: /huawei-traffic:defend/policy/policy-list/auto-defend/trace-type
Description: Indicates the attack source tracing mode.
Value: The value is of the enumerated type:
  • ip: attack source tracing based on source IP addresses
  • mac: attack source tracing based on source MAC addresses
  • portvlan: attack source tracing based on source ports and VLANs
Remarks: NA

Object: /huawei-traffic:defend/policy/policy-list/apply-list/applied-type
Description: Indicates the mode in which an attack defense policy is applied.
Value: The value is of the enumerated type:
  • all: The attack defense policy is applied to all cards.
Remarks: When the value of this node is set to slot, the node /huawei-traffic:defend/policy/policy-list/apply-list/slot is mandatory.

Object: /huawei-traffic:defend/errordown-recover-timer
Description: Indicates the period of time after which an interface that is shut down due to auto-defend protection can automatically go up.
Value: The value is an integer that ranges from 30 to 86400, in seconds.
Remarks: NA

Configuring Port Attack Defense

This section provides a sample of configuring port attack defense using the edit-config method.

Table 2-254  Configuring port attack defense

Operation: edit-config
XPATH:
  • /huawei-traffic:defend/policy/policy-list/name
  • /huawei-traffic:defend/policy/policy-list/apply-list/applied-type
  • /huawei-traffic:defend/policy/policy-list/auto-port-defend/enable
  • /huawei-traffic:defend/policy/policy-list/auto-port-defend/protocol/protocol-port-type-list/protocol-port-type

Data requirement: configuring port attack defense

Item: Name of the attack defense policy
Data: test
Description: The name of the attack defense policy is test.

Item: Whether port attack defense is enabled
Data: true
Description: Port attack defense is enabled.

Item: Policy application mode
Data: all
Description: The attack defense policy test is applied to all cards of a device.

Item: Protocols to which port attack defense is applied
Data: dhcp
Description: Port attack defense is applied to DHCP packets.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="6" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-traffic:defend xmlns:hw-traffic="urn:huawei:params:xml:ns:yang:huawei-traffic">
        <hw-traffic:policy>
          <hw-traffic:policy-list>
            <hw-traffic:name>test</hw-traffic:name>
            <hw-traffic:auto-port-defend>
              <hw-traffic:enable>true</hw-traffic:enable>
              <hw-traffic:protocol>
                <hw-traffic:protocol-port-type-list>
                  <hw-traffic:protocol-port-type>dhcp</hw-traffic:protocol-port-type>
                </hw-traffic:protocol-port-type-list>
              </hw-traffic:protocol>
            </hw-traffic:auto-port-defend>
            <hw-traffic:apply-list>
              <hw-traffic:applied-type>all</hw-traffic:applied-type>
            </hw-traffic:apply-list>
          </hw-traffic:policy-list>
        </hw-traffic:policy>
      </hw-traffic:defend>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3">
  <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="7">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>

Configuring a Whitelist for Attack Source Tracing

This section provides a sample of configuring a whitelist for attack source tracing using the edit-config method.

Table 2-255  Configuring a whitelist for attack source tracing

Operation: edit-config
XPATH:
  • /huawei-traffic:defend/policy/policy-list/name
  • /huawei-traffic:defend/policy/policy-list/auto-defend/enable
  • /huawei-traffic:defend/policy/policy-list/auto-defend/whitelist/whitelist-id-list/whitelist-id
  • /huawei-traffic:defend/policy/policy-list/auto-defend/whitelist/whitelist-id-list/acl

Data requirement 1: configuring a whitelist for attack source tracing

Item: Name of the attack defense policy
Data: test
Description: The name of the attack defense policy is test.

Item: Whether attack source tracing is enabled
Data: true
Description: Attack source tracing is enabled.

Item: Whitelist ID
Data: 5
Description: The whitelist ID for attack source tracing is 5.

Item: Number of the ACL applied to the whitelist for attack source tracing
Data: 3001
Description: ACL 3001 is applied to the whitelist for attack source tracing.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="8" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-traffic:defend xmlns:hw-traffic="urn:huawei:params:xml:ns:yang:huawei-traffic">
        <hw-traffic:policy>
          <hw-traffic:policy-list>
            <hw-traffic:name>test</hw-traffic:name>
            <hw-traffic:auto-defend>
              <hw-traffic:enable>true</hw-traffic:enable>
              <hw-traffic:whitelist>
                <hw-traffic:whitelist-id-list>
                  <hw-traffic:whitelist-id>5</hw-traffic:whitelist-id>
                  <hw-traffic:acl>3001</hw-traffic:acl>
                </hw-traffic:whitelist-id-list>
              </hw-traffic:whitelist>
            </hw-traffic:auto-defend>
          </hw-traffic:policy-list>
        </hw-traffic:policy>
      </hw-traffic:defend>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3">
  <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="7">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>
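
The remarks in Table 2-253 carry constraints that the switch only reports back as a generic "parse rpc config error" (see the failed responses above): aging-time must be a multiple of 10, a whitelist entry may carry acl or interface-name but not both, recover-timer is only valid with action deny, and applied-type slot makes the slot node mandatory. The following Python example, added here and not Huawei's code, builds the same two edit-config payloads shown in the request examples above and rejects a policy that violates those constraints before anything is sent. Only the namespaces and node names from this page are used; the function names, the dict layout of the port_defend and auto_defend specs and the check helper are this example's own. Accepting "slot" as an applied-type value rests on the table remarks, which reference it without listing it. Transport (for instance an ncclient edit_config call) is deliberately left out so the example runs offline.

```python
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
HW_NS = "urn:huawei:params:xml:ns:yang:huawei-traffic"
ET.register_namespace("", NC_NS)          # base NETCONF elements stay unprefixed
ET.register_namespace("hw-traffic", HW_NS)  # prefix used in the page's samples
PORT_PROTOCOLS = {"arpreply", "arprequest", "dhcp", "icmp", "igmp", "ip-fragment"}

class PolicyError(ValueError):
    """A value violates a constraint stated in Table 2-253."""

def _in_range(label, value, lo, hi, step=1):
    if not isinstance(value, int) or not lo <= value <= hi or value % step:
        raise PolicyError(f"{label} must be an integer in [{lo}, {hi}], step {step}")

def _enum(label, value, allowed):
    if value not in allowed:
        raise PolicyError(f"{label} must be one of {sorted(allowed)}")

def _sub(parent, tag, text=None):
    el = ET.SubElement(parent, f"{{{HW_NS}}}{tag}")
    if text is not None:
        el.text = str(text).lower() if isinstance(text, bool) else str(text)  # YANG true/false
    return el

def _whitelist(parent, entries):
    wl = _sub(parent, "whitelist")
    for e in entries:
        _in_range("whitelist-id", e["whitelist-id"], 1, 32)
        # Table remarks: acl and interface-name cannot be configured together.
        if ("acl" in e) == ("interface-name" in e):
            raise PolicyError("whitelist entry needs exactly one of acl, interface-name")
        item = _sub(wl, "whitelist-id-list")
        _sub(item, "whitelist-id", e["whitelist-id"])
        if "acl" in e:
            _in_range("acl", e["acl"], 2000, 3999)
            _sub(item, "acl", e["acl"])
        else:
            _sub(item, "interface-name", e["interface-name"])

def _port_defend(policy, spec):
    pd = _sub(policy, "auto-port-defend")
    _sub(pd, "enable", spec.get("enable", True))
    if "aging-time" in spec:
        _in_range("aging-time", spec["aging-time"], 30, 86400, step=10)
        _sub(pd, "aging-time", spec["aging-time"])
    if spec.get("protocols"):  # list of protocol-port-type values
        proto = _sub(pd, "protocol")
        for name in spec["protocols"]:
            _enum("protocol-port-type", name, PORT_PROTOCOLS)
            _sub(_sub(proto, "protocol-port-type-list"), "protocol-port-type", name)
    if "whitelist" in spec:
        _whitelist(pd, spec["whitelist"])

def _auto_defend(policy, spec):
    ad = _sub(policy, "auto-defend")
    _sub(ad, "enable", spec.get("enable", True))
    if "action" in spec:
        _enum("action", spec["action"], {"deny", "error-down"})
        _sub(ad, "action", spec["action"])
    if "recover-timer" in spec:  # Table remarks: only valid with action deny.
        if spec.get("action") != "deny":
            raise PolicyError("recover-timer requires action deny")
        _in_range("recover-timer", spec["recover-timer"], 1, 86400)
        _sub(ad, "recover-timer", spec["recover-timer"])
    if "whitelist" in spec:
        _whitelist(ad, spec["whitelist"])

def build_edit_config(message_id, name, port_defend=None, auto_defend=None,
                      applied_type=None, slot=None):
    """Return the <rpc> element of an edit-config against <running/>."""
    if not 1 <= len(name) <= 32:
        raise PolicyError("policy name must be 1 to 32 characters")
    rpc = ET.Element(f"{{{NC_NS}}}rpc", {"message-id": str(message_id)})
    edit = ET.SubElement(rpc, f"{{{NC_NS}}}edit-config")
    ET.SubElement(ET.SubElement(edit, f"{{{NC_NS}}}target"), f"{{{NC_NS}}}running")
    config = ET.SubElement(edit, f"{{{NC_NS}}}config")
    policy = _sub(_sub(_sub(config, "defend"), "policy"), "policy-list")
    _sub(policy, "name", name)
    if port_defend is not None:
        _port_defend(policy, port_defend)
    if auto_defend is not None:
        _auto_defend(policy, auto_defend)
    if applied_type is not None:
        _enum("applied-type", applied_type, {"all", "slot"})
        apply = _sub(policy, "apply-list")
        _sub(apply, "applied-type", applied_type)
        if applied_type == "slot":  # Table remarks: slot is then mandatory.
            if slot is None:
                raise PolicyError("applied-type slot requires a slot number")
            _sub(apply, "slot", slot)
    return rpc

def to_xml(rpc):
    # Same declaration as the page's samples; ET declares both namespaces on <rpc>.
    return "<?xml version='1.0' encoding='UTF-8'?>\n" + ET.tostring(rpc, encoding="unicode")

def check(name, **kwargs):
    """Return None when the policy builds, else the violated constraint text."""
    try:
        build_edit_config(0, name, **kwargs)
    except PolicyError as exc:
        return str(exc)
    return None
```

Calling build_edit_config(6, "test", port_defend={"enable": True, "protocols": ["dhcp"]}, applied_type="all") reproduces the port attack defense request above; build_edit_config(8, "test", auto_defend={"enable": True, "whitelist": [{"whitelist-id": 5, "acl": 3001}]}) reproduces the whitelist request. Validating locally gives the operator a precise reason instead of the switch's single parse error, and keeps a malformed policy from ever reaching the running datastore.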

Data requirement 2: querying attack source information

Item: Query attack source information
Data: 0
Description: Query attack source information of slot 0.

Item: Query source tracing information
Data: 0
Description: Query source tracing information of interfaces in slot 0.

Request Example

<?xml version="1.0" encoding="UTF-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1e50634f-2b46-11e8-8554-e04c4a198245">
  <hw-traffic:attack-user xmlns:hw-traffic="urn:huawei:params:xml:ns:yang:huawei-traffic">
    <hw-traffic:slot>0</hw-traffic:slot>
  </hw-traffic:attack-user>
</rpc>

Response Example

Sample of successful response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1e50634f-2b46-11e8-8554-e04c4a198245">
  <result>
    <attack-user>
      <user>
        <trace-type>mac</trace-type>
      </user>
      <user>
        <trace-type>ip</trace-type>
      </user>
    </attack-user>
  </result>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="4c26fa70-2b49-11e8-a720-e04c4a198245">
  <rpc-error xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-app-tag>1</error-app-tag>
    <error-path/>
    <error-message>The configuration/operation does not support.</error-message>
  </rpc-error>
</rpc-reply>
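
Three reply shapes appear on this page: <ok/> for an accepted edit-config, <rpc-error> for a rejected one or an unsupported operation, and a <result> payload for the attack-user query. A job that polls the switch for traced attack sources has to tell these apart, and the query result is the data a defender wants condensed into something monitoring can consume. The following Python example, added here and not Huawei's code, parses an rpc-reply into a dict and produces a one-line summary per reply. The reply strings are copies of the samples on this page, used as constructed test input. That a live switch may report more leaves under <user> than the trace-type shown here is an assumption, which is why every child of <user> is collected rather than only trace-type.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Reply samples copied from the Response Example sections of this page; they
# are constructed test input for this example, not output captured live.
OK_REPLY = """<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3">
  <ok/>
</rpc-reply>"""

CONFIG_ERROR_REPLY = """<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="7">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>"""

QUERY_REPLY = """<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1e50634f-2b46-11e8-8554-e04c4a198245">
  <result>
    <attack-user>
      <user>
        <trace-type>mac</trace-type>
      </user>
      <user>
        <trace-type>ip</trace-type>
      </user>
    </attack-user>
  </result>
</rpc-reply>"""

QUERY_ERROR_REPLY = """<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="4c26fa70-2b49-11e8-a720-e04c4a198245">
  <rpc-error xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-app-tag>1</error-app-tag>
    <error-path/>
    <error-message>The configuration/operation does not support.</error-message>
  </rpc-error>
</rpc-reply>"""

ERROR_LEAVES = ("error-type", "error-tag", "error-severity", "error-app-tag", "error-message")


def _local(tag):
    """Strip the namespace; the <result> subtree in the sample is unqualified."""
    return tag.rsplit("}", 1)[-1]


def _leaf(el, name):
    for child in el.iter():
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def parse_reply(xml_text):
    """Classify an rpc-reply as ok, error or data and pull out what matters."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "rpc-reply":
        raise ValueError(f"expected rpc-reply, got {_local(root.tag)}")
    reply = {"message_id": root.get("message-id"), "status": "data",
             "errors": [], "users": []}
    for child in root:
        kind = _local(child.tag)
        if kind == "ok":
            reply["status"] = "ok"
        elif kind == "rpc-error":  # a reply may carry several rpc-error elements
            reply["status"] = "error"
            reply["errors"].append({k: _leaf(child, k) for k in ERROR_LEAVES})
    # Keep every leaf under <user>, not only trace-type (assumption: a live
    # switch may report more than the sample on this page shows).
    for user in root.iter():
        if _local(user.tag) == "user":
            reply["users"].append({_local(c.tag): (c.text or "").strip() for c in user})
    return reply


def summarize(reply):
    """One log line per reply, suitable for a poller that feeds monitoring."""
    mid = reply["message_id"]
    if reply["status"] == "ok":
        return f"message {mid}: ok"
    if reply["status"] == "error":
        e = reply["errors"][0]
        return f"message {mid}: {e['error-severity']} {e['error-tag']}: {e['error-message']}"
    counts = Counter(u.get("trace-type", "unknown") for u in reply["users"])
    detail = ", ".join(f"{k}={v}" for k, v in sorted(counts.items()))
    return f"message {mid}: {len(reply['users'])} attack source(s) traced ({detail})"


if __name__ == "__main__":
    for sample in (OK_REPLY, CONFIG_ERROR_REPLY, QUERY_REPLY, QUERY_ERROR_REPLY):
        print(summarize(parse_reply(sample)))
```

Matching replies by message-id is what lets a poller tie a summary back to the slot it asked about, and error-app-tag is kept because the query failure above carries one while the edit-config failure does not; a poller can alert on the two cases differently.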
Updated: 2018-09-01

Document ID: EDOC1100037962