NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring MPAC

Management Plane Access Control (MPAC) policies can be applied to sub-interfaces, to interfaces, or globally to filter packets destined for the CPU.

Usage Scenario

MPAC can be configured to filter packets destined for the CPU, thereby helping protect network devices against Denial of Service (DoS) attacks.

Pre-configuration Tasks

Before configuring MPAC, configure link layer protocol parameters and IP addresses for interfaces to ensure that the link layer protocol on the interfaces is in the Up state.

Configuration Procedures

You can choose one or more configuration tasks (excluding "Checking the Configuration") as required.

Configuring an IPv4 MPAC Policy

An IPv4 Management Plane Access Control (MPAC) policy can be configured to filter IPv4 packets destined for the CPU.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run service-security policy ipv4 security-policy-name

    An IPv4 MPAC policy is created, and the IPv4 MPAC policy view is displayed.

  3. Add a rule to the IPv4 MPAC policy. See the following table.

    Table 16-1 Rules for an IPv4 MPAC policy

    Protocol type: TCP or UDP
    Command: rule [ rule-id ] [ name rule-name ] { permit | deny } protocol { tcp | tcp-protocol-number | udp | udp-protocol-number } [ [ source-port source-port-number ] | [ destination-port destination-port-number ] | [ source-ip { source-ipv4-address { source-ipv4-mask | 0 } | any } ] | [ destination-ip { destination-ipv4-address { destination-ipv4-mask | 0 } | any } ] ] *
    Remarks: -

    Protocol type: BGP, Dynamic Host Configuration Protocol-C (DHCP-C), Dynamic Host Configuration Protocol-R (DHCP-R), FTP, IP, LDP, LSP ping, NTP, OSPF, PIM, RIP, RSVP, SNMP, SSH, Telnet, TFTP, or IGMP
    Command: rule [ rule-id ] [ name rule-name ] { permit | deny } protocol { ip-protocol-number | bgp | dhcp-c | dhcp-r | ftp | ip | ldp | lsp-ping | ntp | ospf | pim | rip | rsvp | snmp | ssh | telnet | tftp | igmp } [ [ source-ip { source-ipv4-address { source-ipv4-mask | 0 } | any } ] | [ destination-ip { destination-ipv4-address { destination-ipv4-mask | 0 } | any } ] ] *
    Remarks: -

    Protocol type: IS-IS or any other protocol
    Command: rule [ rule-id ] [ name rule-name ] { deny | permit } protocol { any | isis }
    Remarks: Exercise caution when using the rule [ rule-id ] deny protocol any command. Once it is applied globally, no protocol packets are sent to the CPU and the device can no longer be managed.

  4. (Optional) Run step step

    The step is configured for rules in the MPAC policy.

  5. (Optional) Run description text

    The description is configured for the MPAC policy.

  6. Run quit

    Return to the system view.

  7. Apply an IPv4 MPAC policy.

    • Apply an IPv4 MPAC policy globally.

      Run service-security global-binding ipv4 security-policy-name

      An MPAC policy is applied globally.

    • Apply an IPv4 MPAC policy to an interface.

      1. Run interface interface-type interface-number

        The interface view is displayed.

      2. Run service-security binding ipv4 security-policy-name

        The MPAC policy is applied to the interface.

    NOTE:
    MPAC policies can be bound to a sub-interface, to an interface, or globally, and these binding points are listed here in descending order of priority. When different MPAC policies are applied globally, to an interface, and to a sub-interface, the policy on the sub-interface takes effect first, then the policy on the interface, and then the global policy.

  8. Run commit

    The configuration is committed.

Configuring an IPv6 MPAC Policy

An IPv6 Management Plane Access Control (MPAC) policy can be configured to filter IPv6 packets destined for the CPU.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run service-security policy ipv6 security-policy-name

    An IPv6 MPAC policy is created, and the IPv6 MPAC policy view is displayed.

  3. Add a rule to the IPv6 MPAC policy. See the following table.

    Table 16-2 Rules for an IPv6 MPAC policy

    Protocol type: TCP or UDP
    Command: rule [ rule-id ] [ name rule-name ] { permit | deny } protocol { tcp | tcp-protocol-number | udp | udp-protocol-number } [ [ source-port source-port-number ] | [ destination-port destination-port-number ] | [ source-ip { source-ipv6-address { source-ipv6-prefix-length | 0 } | any } ] | [ destination-ip { destination-ipv6-address { destination-ipv6-prefix-length | 0 } | any } ] ] *
    Remarks: -

    Protocol type: BGP, DHCP-C, DHCP-R, FTP, IP, LDP, LSP ping, NTP, OSPF, PIM, RIP, RSVP, SNMP, SSH, Telnet, or TFTP
    Command: rule [ rule-id ] [ name rule-name ] { permit | deny } protocol { ip-protocol-number | bgp | dhcp-c | dhcp-r | ftp | ip | ldp | lsp-ping | ntp | ospf | pim | rip | rsvp | snmp | ssh | telnet | tftp } [ [ source-ip { source-ipv6-address { source-ipv6-prefix-length | 0 } | any } ] | [ destination-ip { destination-ipv6-address { destination-ipv6-prefix-length | 0 } | any } ] ] *
    Remarks: -

    Protocol type: Any protocol
    Command: rule [ rule-id ] [ name rule-name ] { deny | permit } protocol any
    Remarks: Exercise caution when using the rule [ rule-id ] deny protocol any command. Once it is applied globally, no protocol packets are sent to the CPU and the device can no longer be managed.

    Protocol type: SRH
    Command: rule [ rule-id ] [ name rule-name ] { permit | deny } ipv6-ext-header source-routing-typer srh
    Remarks: -

  4. (Optional) Run step step

    The step is configured for rules in the MPAC policy.

  5. (Optional) Run description text

    The description is configured for the MPAC policy.

  6. Run quit

    Return to the system view.

  7. Apply an IPv6 MPAC policy.

    • Apply an IPv6 MPAC policy globally.

      Run service-security global-binding ipv6 security-policy-name

      An MPAC policy is applied globally.

    • Apply an IPv6 MPAC policy to an interface.

      1. Run interface interface-type interface-number

        The interface view is displayed.

      2. Run service-security binding ipv6 security-policy-name

        The MPAC policy is applied to the interface.

    NOTE:
    MPAC policies can be bound to a sub-interface, to an interface, or globally, and these binding points are listed here in descending order of priority. When different MPAC policies are applied globally, to an interface, and to a sub-interface, the policy on the sub-interface takes effect first, then the policy on the interface, and then the global policy.

  8. Run commit

    The configuration is committed.

Verifying the MPAC Configuration

After configuring a Management Plane Access Control (MPAC) policy, verify the configuration.

Prerequisites

An MPAC policy has been configured.

Procedure

  • Run the display service-security policy { ipv4 | ipv6 } [ security-policy-name [ slot slot-id ] ] command to check information about all MPAC policies.
  • Run the display service-security binding { ipv4 | ipv6 } [ interface interface-type interface-number [ slot slot-id ] ] command to check information about MPAC policies on interfaces.
  • Run the display service-security statistics { ipv4 | ipv6 } [ security-policy-name ] command to check statistics about all matched MPAC rules.

Example

Run the display service-security policy ipv4 [ security-policy-name [ slot slot-id ] ] command to view information about all IPv4 MPAC policies.

<HUAWEI> display service-security policy ipv4
Policy Name : A1
Step        : 5

Policy Name : a1
Step        : 5

Policy Name : huawei
Step        : 5
 rule 5 permit protocol tcp source-ip 127.1.1.1 0 source-port 1000
 rule 10 permit protocol ip source-ip 10.10.1.0 0.0.0.255

Policy Name : huawei1
Step        : 5

Policy Name : huawei1#
Step        : 5

Run the display service-security binding ipv4 [ interface interface-type interface-number [ slot slot-id ] ] command to view information about IPv4 MPAC policies on interfaces.

<HUAWEI> display service-security binding ipv4
Configured  : Global
Policy Name : huawei

Interface  : GigabitEthernet0/1/0
Policy Name: A1

Run the display service-security statistics ipv4 [ security-policy-name ] command to view information about all matched IPv4 MPAC rules.

<HUAWEI> display service-security statistics ipv4
Policy Name : A1
Step        : 5

Policy Name : huawei
Step        : 5
 rule 5 permit protocol tcp source-ip 127.1.1.1 0 source-port 1000 (10 times matched)
 rule 10 permit protocol ip source-ip 10.10.1.0 0.0.0.255 (1 times matched)

Policy Name : huawei1
Step        : 5
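The rule syntax of Table 16-1, the sub-interface/interface/global precedence note, and the "(n times matched)" counters of the statistics output, modelled in Python as an added example (not Huawei code). It assumes first-match evaluation in ascending rule-id order, a default permit for packets that match no rule, wildcard-mask semantics for the mask (as the guide's "10.10.1.0 0.0.0.255" suggests), and that a packet carries both a transport protocol and a management protocol name; Rule, Packet, evaluate, effective_policy and rule 15 are constructed for the example.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# Constructed model of IPv4 MPAC rule evaluation (added example, not Huawei code). Assumed:
# rules are tried in ascending rule-id order, first match wins, unmatched packets are permitted;
# the mask is a wildcard mask as in "10.10.1.0 0.0.0.255" (set bit = don't care, "0" = exact host).
@dataclass
class Rule:
    rule_id: int
    action: str                      # "permit" or "deny"
    protocol: str                    # "tcp", "udp", "ip", "ssh", ... or "any"
    source_ip: str = "any"
    source_mask: str = "0"
    source_port: Optional[int] = None
    hits: int = 0                    # the "(n times matched)" counter shown by display ... statistics

# A packet destined for the CPU: transport protocol, management protocol it carries, source.
Packet = namedtuple("Packet", "l4 app src_ip src_port", defaults=(None,))

def _ip_match(addr: str, rule_ip: str, wildcard: str) -> bool:
    if rule_ip == "any":
        return True
    dont_care = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
    keep = 0xFFFFFFFF ^ dont_care    # bits that must be equal
    return (int(ipaddress.IPv4Address(addr)) & keep) == (int(ipaddress.IPv4Address(rule_ip)) & keep)

def evaluate(policy: list, pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt and count the hit on the rule that matched."""
    for rule in sorted(policy, key=lambda r: r.rule_id):
        if (rule.protocol in ("any", "ip", pkt.l4, pkt.app)
                and _ip_match(pkt.src_ip, rule.source_ip, rule.source_mask)
                and (rule.source_port is None or rule.source_port == pkt.src_port)):
            rule.hits += 1
            return rule.action
    return "permit"                  # assumption: an unmatched packet still reaches the CPU

def effective_policy(bindings: dict, interface: str) -> Optional[str]:
    """Binding that takes effect: sub-interface first, then its interface, then global."""
    if interface in bindings:
        return bindings[interface]
    parent = interface.split(".")[0]  # "GigabitEthernet0/1/0.100" -> "GigabitEthernet0/1/0"
    return bindings.get(parent, bindings.get("Global"))

# Policy "huawei" from the display output plus a constructed rule 15; LOCKOUT is the "deny protocol any" case.
HUAWEI = [Rule(5, "permit", "tcp", "127.1.1.1", "0", 1000),
          Rule(10, "permit", "ip", "10.10.1.0", "0.0.0.255"), Rule(15, "deny", "ssh")]
LOCKOUT = [Rule(5, "deny", "any")]
```

Evaluating an SSH packet against LOCKOUT returns "deny", which is the operator's own session being dropped once such a policy is bound globally.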
Updated: 2019-01-02

Document ID: EDOC1100055397
