Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the security configurations, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, and security risks.
Example for Configuring TCAM ACL Customization

Networking Requirements

TCAM ACL customization is often configured on a stand-alone device.

Configuration Roadmap

The configuration roadmap is as follows:
  1. Enable TCAM ACL customization.
  2. Create a TCAM ACL customization profile and configure TCAM ACL customization groups in the profile.
  3. Bind TCAM ACL customization groups to services.
    NOTE:
    Service names in this example are used for reference only. The service names vary according to different device models.
  4. Apply the TCAM ACL customization profile globally.
  5. Configure services.

Procedure

  1. Enable TCAM ACL customization.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch
    [*HUAWEI] commit
    [~Switch] system tcam acl
    [*Switch] commit

  2. Configure a TCAM ACL customization profile and apply the TCAM ACL customization profile globally.

    # Create a TCAM ACL customization profile named template1, configure TCAM ACL customization groups, and configure the mapping between matching rules, actions, services, and groups.

    [~Switch] system tcam acl template template1
    [*Switch-tcam-acl-template1] commit
    [~Switch-tcam-acl-template1] group cpcar precedence 0
    [*Switch-tcam-acl-template1-group-cpcar] match ethernet destination-mac
    [*Switch-tcam-acl-template1-group-cpcar] match ipv6 source-ip-high protocol ttl
    [*Switch-tcam-acl-template1-group-cpcar] match tcp destination-port source-port
    [*Switch-tcam-acl-template1-group-cpcar] match forwarding destination-interface
    [*Switch-tcam-acl-template1-group-cpcar] match udf ipv4-head 0 1
    [*Switch-tcam-acl-template1-group-cpcar] action deny snoop redirect interface flow
    [*Switch-tcam-acl-template1-group-cpcar] quit
    [*Switch-tcam-acl-template1] group CpcarTerminated precedence 2
    [*Switch-tcam-acl-template1-group-CpcarTerminated] match ip protocol
    [*Switch-tcam-acl-template1-group-CpcarTerminated] match udf ipv4-head 9 1 udf ipv4-head negative 2 2 udf ipv4-head 22 2
    [*Switch-tcam-acl-template1-group-CpcarTerminated] action deny snoop redirect flow
    [*Switch-tcam-acl-template1-group-CpcarTerminated] quit
    [*Switch-tcam-acl-template1] group CpCarTermV6 precedence 7
    [*Switch-tcam-acl-template1-group-CpCarTermV6] match udf ipv4-head 6 1 udf l2-head 42 2
    [*Switch-tcam-acl-template1-group-CpCarTermV6] action snoop
    [*Switch-tcam-acl-template1-group-CpCarTermV6] quit
    [*Switch-tcam-acl-template1] group NEWQOSCAR precedence 9
    [*Switch-tcam-acl-template1-group-NEWQOSCAR] match forwarding source-interface
    [*Switch-tcam-acl-template1-group-NEWQOSCAR] action car statistics
    [*Switch-tcam-acl-template1-group-NEWQOSCAR] quit
    [*Switch-tcam-acl-template1] group MQCNEWV6 precedence 11
    [*Switch-tcam-acl-template1-group-MQCNEWV6] match ipv6 source-ip-high protocol tos
    [*Switch-tcam-acl-template1-group-MQCNEWV6] match forwarding vsi
    [*Switch-tcam-acl-template1-group-MQCNEWV6] action statistics remark local-precedence
    [*Switch-tcam-acl-template1-group-MQCNEWV6] quit
    [*Switch-tcam-acl-template1] group TUNNELSTAT precedence 13
    [*Switch-tcam-acl-template1-group-TUNNELSTAT] match forwarding vsi
    [*Switch-tcam-acl-template1-group-TUNNELSTAT] action statistics
    [*Switch-tcam-acl-template1-group-TUNNELSTAT] quit
    [*Switch-tcam-acl-template1] service cpcar-terminatedv4 group CpcarTerminated
    [*Switch-tcam-acl-template1] service cpcar-terminatedv6 group CpCarTermV6
    [*Switch-tcam-acl-template1] service cpcar6 group cpcar
    [*Switch-tcam-acl-template1] service qos-car group NEWQOSCAR
    [*Switch-tcam-acl-template1] service trafficpolicy6-l3 group MQCNEWV6
    [*Switch-tcam-acl-template1] service vlan-statistics group TUNNELSTAT
    [*Switch-tcam-acl-template1] quit
    [*Switch] system tcam acl template template1 all
    [*Switch] commit

  3. Add interfaces to VLANs and create VLANIF interfaces.

    # Configure 10GE4/0/20, 10GE4/0/22, 10GE4/0/24, and 10GE4/0/26 as trunk interfaces, and add 10GE4/0/20 to VLAN 2000, 10GE4/0/22 to VLAN 2001 and VLAN 3010, 10GE4/0/24 to VLAN 3011, and 10GE4/0/26 to VLAN 3012.

    [~Switch] vlan batch 2000 2001 3010 to 3012
    [*Switch] commit
    [~Switch] interface 10ge 4/0/20
    [~Switch-10GE4/0/20] port link-type trunk
    [*Switch-10GE4/0/20] port trunk allow-pass vlan 2000
    [*Switch-10GE4/0/20] undo port trunk allow-pass vlan 1
    [*Switch-10GE4/0/20] quit
    [*Switch] interface 10ge 4/0/22
    [*Switch-10GE4/0/22] port link-type trunk
    [*Switch-10GE4/0/22] port trunk allow-pass vlan 3010 2001
    [*Switch-10GE4/0/22] undo port trunk allow-pass vlan 1
    [*Switch-10GE4/0/22] quit
    [*Switch] interface 10ge 4/0/24
    [*Switch-10GE4/0/24] port link-type trunk
    [*Switch-10GE4/0/24] port trunk allow-pass vlan 3011
    [*Switch-10GE4/0/24] undo port trunk allow-pass vlan 1
    [*Switch-10GE4/0/24] quit
    [*Switch] interface 10ge 4/0/26
    [*Switch-10GE4/0/26] port link-type trunk
    [*Switch-10GE4/0/26] port trunk allow-pass vlan 3012
    [*Switch-10GE4/0/26] undo port trunk allow-pass vlan 1
    [*Switch-10GE4/0/26] quit
    [*Switch] commit

    # Create VLANIF interfaces 3010, 3011, and 3012 and assign IP addresses to them.

    [~Switch] interface vlanif 3010
    [*Switch-Vlanif3010] ip address 192.168.0.1 24
    [*Switch-Vlanif3010] quit
    [*Switch] interface vlanif 3011
    [*Switch-Vlanif3011] ip address 192.168.1.1 24
    [*Switch-Vlanif3011] quit
    [*Switch] interface vlanif 3012
    [*Switch-Vlanif3012] ip address 192.168.2.1 24
    [*Switch-Vlanif3012] quit
    [*Switch] commit

    # Create VLANIF interfaces 2000 and 2001 and assign IPv6 addresses to them.

    [~Switch] interface vlanif 2000
    [*Switch-Vlanif2000] ipv6 enable
    [*Switch-Vlanif2000] ipv6 address FC00::100 64
    [*Switch-Vlanif2000] quit
    [*Switch] interface vlanif 2001
    [*Switch-Vlanif2001] ipv6 enable
    [*Switch-Vlanif2001] ipv6 address FC00::101 64
    [*Switch-Vlanif2001] quit
    [*Switch] commit

    # Configure routes.

    [~Switch] ospf 1
    [*Switch-ospf-1] area 1
    [*Switch-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
    [*Switch-ospf-1-area-0.0.0.1] network 192.168.2.0 0.0.0.255
    [*Switch-ospf-1-area-0.0.0.1] network 192.168.3.0 0.0.0.255
    [*Switch-ospf-1-area-0.0.0.1] quit
    [*Switch-ospf-1] quit
    [*Switch] commit

  4. Configure traffic policies.

    # Create traffic classifiers c6 and c7, traffic behaviors b6 and b7, and traffic policies p6 and p7, and bind the traffic classifiers and traffic behaviors to traffic policies.

    [~Switch] traffic classifier c6
    [*Switch-classifier-c6] if-match ipv6 dscp af11
    [*Switch-classifier-c6] quit
    [*Switch] traffic behavior b6
    [*Switch-behavior-b6] remark local-precedence af4
    [*Switch-behavior-b6] quit
    [*Switch] traffic policy p6
    [*Switch-trafficpolicy-p6] classifier c6 behavior b6
    [*Switch-trafficpolicy-p6] quit
    [*Switch] acl ipv6 3000
    [*Switch-acl6-advance-3000] rule 5 permit ipv6 source FC00::100 64 dscp 12
    [*Switch-acl6-advance-3000] quit
    [*Switch] traffic classifier c7
    [*Switch-classifier-c7] if-match ipv6 acl 3000
    [*Switch-classifier-c7] quit
    [*Switch] traffic behavior b7
    [*Switch-behavior-b7] statistics enable
    [*Switch-behavior-b7] quit
    [*Switch] traffic policy p7
    [*Switch-trafficpolicy-p7] classifier c7 behavior b7
    [*Switch-trafficpolicy-p7] quit
    [*Switch] commit

    # Apply traffic policies p6 and p7 to VLAN 2000 and VLAN 2001.

    [~Switch] vlan 2000
    [~Switch-vlan2000] traffic-policy p6 inbound
    [*Switch-vlan2000] quit
    [*Switch] vlan 2001
    [*Switch-vlan2001] traffic-policy p7 inbound
    [*Switch-vlan2001] commit
    [~Switch-vlan2001] quit

  5. Configure the QoS CAR service. Create a QoS CAR profile named qoscar1 on the switch and apply the profile to an interface in the inbound direction.

    [~Switch] qos car qoscar1 cir 300 mbps
    [~Switch] interface 10GE 4/0/22
    [~Switch-10GE4/0/22] qos car inbound qoscar1
    [*Switch-10GE4/0/22] commit
    [~Switch-10GE4/0/22] quit

  6. Configure the traffic statistics collection service in a VLAN. Configure traffic statistics collection in VLAN 2000 on the switch.

    [~Switch] vlan 2000
    [~Switch-vlan2000] statistics enable
    [*Switch-vlan2000] commit
    [~Switch-vlan2000] quit
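A profile like the one in step 2 silently wastes TCAM if a service is bound to a group that was never defined, two groups share a precedence, or a group is defined but no service uses it. The following added Python example (not Huawei code, output or documented device behaviour) parses pasted template-view lines and reports those three conditions before `system tcam acl template template1 all` is committed; the sample lines are copied from step 2, and the check rules are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample: two groups and their service bindings copied from step 2,
# as the prompt lines a user sees in the terminal (the page's own profile).
SAMPLE_TEMPLATE = """
[~Switch-tcam-acl-template1] group cpcar precedence 0
[*Switch-tcam-acl-template1-group-cpcar] match ethernet destination-mac
[*Switch-tcam-acl-template1-group-cpcar] action deny snoop redirect interface flow
[*Switch-tcam-acl-template1-group-cpcar] quit
[*Switch-tcam-acl-template1] group TUNNELSTAT precedence 13
[*Switch-tcam-acl-template1-group-TUNNELSTAT] match forwarding vsi
[*Switch-tcam-acl-template1-group-TUNNELSTAT] action statistics
[*Switch-tcam-acl-template1-group-TUNNELSTAT] quit
[*Switch-tcam-acl-template1] service cpcar6 group cpcar
[*Switch-tcam-acl-template1] service vlan-statistics group TUNNELSTAT
"""

# A prompt line looks like "[*Switch-...] command args"; keep only the command part.
PROMPT = re.compile(r"^\[[~*][^\]]*\]\s*(.*)$")

def parse_template(text):
    """Map group name -> {precedence, match, action} and service name -> group."""
    groups, services, current = {}, {}, None
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        cmd = m.group(1).split() if m else []
        if cmd[:1] == ["group"] and len(cmd) >= 4 and cmd[2] == "precedence":
            current = cmd[1]
            groups[current] = {"precedence": int(cmd[3]), "match": [], "action": []}
        elif cmd[:1] == ["match"] and current:
            groups[current]["match"].append(" ".join(cmd[1:]))
        elif cmd[:1] == ["action"] and current:
            groups[current]["action"].extend(cmd[1:])
        elif cmd[:1] == ["quit"]:
            current = None  # back to template view
        elif cmd[:1] == ["service"] and len(cmd) >= 4 and cmd[2] == "group":
            services[cmd[1]] = cmd[3]
    return groups, services

def check_template(text):
    """Flag undefined-group bindings, duplicate precedences and unbound groups (assumed rules)."""
    groups, services = parse_template(text)
    problems = [f"service {s} bound to undefined group {g}"
                for s, g in services.items() if g not in groups]
    for p, n in Counter(g["precedence"] for g in groups.values()).items():
        if n > 1:
            problems.append(f"precedence {p} used by {n} groups")
    for name in sorted(set(groups) - set(services.values())):
        problems.append(f"group {name} defined but bound to no service")
    return problems
```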

Updated: 2019-04-20

Document ID: EDOC1100074765

Views: 18737

Downloads: 64

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next