ME60 V800R010C10SPC500 Configuration Guide - Security Hardening 01

Configuring an IPv4 MPAC Policy

An IPv4 Management Plane Access Control (MPAC) policy can be configured to filter IPv4 packets destined for the CPU.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run service-security policy ipv4 security-policy-name

    An IPv4 MPAC policy is created, and the IPv4 MPAC policy view is displayed.

  3. Add a rule to the IPv4 MPAC policy. See the following table.

    Table 7-4 Rules for an IPv4 MPAC policy

    Protocol type: TCP or UDP
    Command: rule [ rule-id ] [ name rule-name ] { permit | deny } protocol { tcp | tcp-protocol-number | udp | udp-protocol-number } [ [ source-port source-port-number ] | [ destination-port destination-port-number ] | [ source-ip { source-ipv4-address { source-ipv4-mask | 0 } | any } ] | [ destination-ip { destination-ipv4-address { destination-ipv4-mask | 0 } | any } ] ] *
    Remarks: -

    Protocol type: BGP, Dynamic Host Configuration Protocol-C (DHCP-C), Dynamic Host Configuration Protocol-R (DHCP-R), FTP, IP, LDP, LSP ping, NTP, OSPF, PIM, RIP, RSVP, SNMP, SSH, Telnet, TFTP, or IGMP
    Command: rule [ rule-id ] [ name rule-name ] { permit | deny } protocol { ip-protocol-number | bgp | dhcp-c | dhcp-r | ftp | ip | ldp | lsp-ping | ntp | ospf | pim | rip | rsvp | snmp | ssh | telnet | tftp | igmp } [ [ source-ip { source-ipv4-address { source-ipv4-mask | 0 } | any } ] | [ destination-ip { destination-ipv4-address { destination-ipv4-mask | 0 } | any } ] ] *
    Remarks: -

    Protocol type: IS-IS or any other protocol
    Command: rule [ rule-id ] [ name rule-name ] { deny | permit } protocol { any | isis }
    Remarks: Exercise caution when using the rule [ rule-id ] deny protocol any command. After this command is applied globally, no protocol packets are sent to the CPU, and the device can no longer be managed.

  4. (Optional) Run step step

    The step is configured for rules in the MPAC policy.

  5. (Optional) Run description text

    The description is configured for the MPAC policy.

  6. Run quit

    Return to the system view.

  7. Apply an IPv4 MPAC policy.

    • Apply an IPv4 MPAC policy globally.

      Run service-security global-binding ipv4 security-policy-name

      An MPAC policy is applied globally.

    • Apply an IPv4 MPAC policy to an interface.

      1. Run interface interface-type interface-number

        The interface view is displayed.

      2. Run service-security binding ipv4 security-policy-name

        The MPAC policy is applied to the interface.

    NOTE:
    MPAC policies applied to a sub-interface, to an interface, and globally are listed here in descending order of priority. When different MPAC policies are applied globally, to an interface, and to a sub-interface, the policy on the sub-interface takes effect first, then the policy on the interface, and then the policy applied globally.

  8. Run commit

    The configuration is committed.
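
A pre-commit check for the two points the procedure warns about, added here as an example (it is not Huawei's code): it reads configuration text, returns the priority order of MPAC policies for an interface as given in the NOTE, and lists the deny protocol any rules in the globally bound policy. The sample configuration, its policy and interface names, the stanza layout, and the parent.number naming of sub-interfaces are assumptions.

```python
import re

# Constructed sample configuration (not from a real device); names are made up.
SAMPLE = """\
service-security policy ipv4 mgmt-strict
 rule 10 permit protocol ssh source-ip 192.0.2.10 0
 rule 20 deny protocol any
service-security policy ipv4 core-if
 rule 10 permit protocol ospf
service-security global-binding ipv4 mgmt-strict
interface GigabitEthernet0/1/0
 service-security binding ipv4 core-if
interface GigabitEthernet0/1/0.1
"""

def parse(text):
    """Return (policies, global_policy, interface_bindings) from config text."""
    policies, bindings, glob, pol, ifc = {}, {}, None, None, None
    for line in text.splitlines():
        s = line.strip()
        if m := re.fullmatch(r"service-security policy ipv4 (\S+)", s):
            pol, ifc = m[1], None
            policies[pol] = []
        elif m := re.fullmatch(r"service-security global-binding ipv4 (\S+)", s):
            glob, pol, ifc = m[1], None, None
        elif m := re.fullmatch(r"interface (\S+)", s):
            ifc, pol = m[1], None
            bindings.setdefault(ifc, None)
        elif (m := re.fullmatch(r"service-security binding ipv4 (\S+)", s)) and ifc:
            bindings[ifc] = m[1]
        elif s.startswith("rule ") and pol:
            policies[pol].append(s)
    return policies, glob, bindings

def policy_precedence(ifname, glob, bindings):
    """Policies for ifname, highest priority first: sub-interface, interface, global."""
    parent = ifname.split(".")[0]  # assumption: sub-interface is named parent.number
    order = [bindings.get(ifname), bindings.get(parent) if parent != ifname else None, glob]
    return [p for p in order if p]

def lockout_risks(policies, glob):
    """Rules in the globally bound policy that deny every protocol."""
    deny_any = re.compile(r"rule (\d+ )?(name \S+ )?deny protocol any")
    return [r for r in policies.get(glob, []) if deny_any.fullmatch(r)]

if __name__ == "__main__":
    policies, glob, bindings = parse(SAMPLE)
    print(policy_precedence("GigabitEthernet0/1/0.1", glob, bindings))
    print(lockout_risks(policies, glob))
```

Any rule this check reports deserves a manual review of the policy before commit is run.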

Updated: 2019-01-04

Document ID: EDOC1100059445
