Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
(Optional) Disabling URPF for Specified Traffic

NOTE:

The CE6870EI and CE6875EI do not support this function.

Background

After URPF check is enabled on an interface, the device performs the URPF check on all the packets passing through the interface. To prevent the packets of a certain type from being discarded, you can disable URPF check for these packets. For example, if the device is configured to trust all the packets from a certain server, the device does not check these packets. If you need to disable URPF check, you can run commands in the traffic behavior view and associate the traffic behavior and a traffic classifier with a traffic policy. When the traffic policy is applied globally or applied to an interface, or a VLAN, the device does not perform URPF check on the traffic that matches the traffic classifier rules.

Procedure

  1. Configure a traffic classifier.
    1. Run traffic classifier classifier-name [ type { and | or } ]

      A traffic classifier is created and the traffic classifier view is displayed, or the view of an existing traffic classifier is displayed.

      The logical operator and between the rules in a traffic classifier means that:
      • If a traffic classifier contains ACL rules, packets match the traffic classifier only if they match one ACL rule and all the non-ACL rules.

      • If a traffic classifier does not contain any ACL rules, packets match the traffic classifier only if they match all the rules in the classifier.

      The logical operator or means that packets match a traffic classifier if they match one or more rules in the classifier.

      By default, the relationship between rules in a traffic classifier is or.

    2. Run if-match

      Matching rules are defined for the traffic classifier.

      For details about matching rules in a traffic classifier, see "Configuring a Traffic Classifier" in "MQC Configuration" of the CloudEngine 8800, 7800, 6800, and 5800 Series Switches Configuration Guide - QoS Configuration Guide.

    3. Run commit

      The configuration is committed.

    4. Run quit

      Exit from the traffic classifier view.

  2. Configure a traffic behavior.
    1. Run traffic behavior behavior-name

      A traffic behavior is created and the traffic behavior view is displayed, or the view of an existing traffic behavior is displayed.

    2. Run ip urpf disable

      URPF check is disabled for the specified traffic.

      By default, URPF check disabling is not configured in a traffic behavior.

    3. Run commit

      The configuration is committed.

    4. Run quit

      Exit from the traffic behavior view.

    5. Run quit

      Exit from the system view.

  3. Configure a traffic policy.
    1. Run system-view

      The system view is displayed.

    2. Run traffic policy policy-name

      A traffic policy is created and the traffic policy view is displayed, or the view of an existing traffic policy is displayed.

    3. Run classifier classifier-name behavior behavior-name [ precedence precedence-value ]

      A traffic behavior is bound to a traffic classifier in the traffic policy.

    4. Run commit

      The configuration is committed.

    5. Run quit

      Exit from the traffic policy view.

    6. Run quit

      Exit from the system view.

  4. Apply the traffic policy.
    NOTE:

    For details about the configuration guidelines of applying traffic policies in different views on the CE switches excluding CE6870EI and CE6875EI, see Licensing Requirements and Limitations for MQC (CE Switches Excluding CE6870EI and CE6875EI).

    For switches excluding the CE5880EI and CE6880EI, run the display traffic-policy pre-state { global [ slot slot-id ] | interface { interface-type interface-number } | vlan vlan-id | bridge-domain bd-id } policy-name { inbound | outbound } command before committing the configuration. The output shows the resources that the traffic policy to be applied will occupy, so you can determine in advance whether the policy can be applied successfully.

    • Applying a traffic policy to an interface
      1. Run system-view

        The system view is displayed.

      2. Run interface interface-type interface-number

        The interface view is displayed.

      3. Run traffic-policy policy-name { inbound | outbound }

        A traffic policy is applied to the interface.

      4. Run commit

        The configuration is committed.

    • Applying a traffic policy to a VLAN
      1. Run system-view

        The system view is displayed.

      2. Run vlan vlan-id

        The VLAN view is displayed.

      3. Run traffic-policy policy-name { inbound | outbound }

        A traffic policy is applied to the VLAN.

        The system applies traffic policing to the packets that belong to the VLAN and match traffic classification rules in the inbound or outbound direction.

      4. Run commit

        The configuration is committed.

    • Applying a traffic policy to the system
      1. Run system-view

        The system view is displayed.

      2. Run traffic-policy policy-name global [ slot slot-id ] { inbound | outbound }

        A traffic policy is applied to the system.

      3. Run commit

        The configuration is committed.

    • Applying a traffic policy in a VPN instance
      1. Run system-view

        The system view is displayed.

      2. (Optional) Run qos port-group group-id

        A QoS port group is created and the QoS port group view is displayed.

        NOTE:

        The CE5880EI and CE6880EI do not support the QoS interface group configuration.

      3. (Optional) Run group-member { interface-type interface-number1 [ to interface-type interface-number2 ] }

        The specified interfaces are added to the QoS interface group.

      4. (Optional) Run quit

        Exit from the QoS interface group view.

      5. Run ip vpn-instance vpn-instance-name

        A VPN instance is created and its view is displayed.

      6. Run traffic-policy policy-name inbound [ exclude qos port-group group-id ]

        A traffic policy is applied to the VPN instance.

      7. Run commit

        The configuration is committed.

    • Applying a traffic policy to a BD
      1. Run system-view

        The system view is displayed.

      2. Run bridge-domain bd-id

        The BD view is displayed.

      3. Run traffic-policy policy-name { inbound | outbound }

        A traffic policy is applied to the BD.

      4. Run commit

        The configuration is committed.

    • Applying a traffic policy to a QoS group
      1. Run system-view

        The system view is displayed.

      2. Run qos group group-name

        The QoS group view is displayed.

      3. Run the following commands as required:

        • Run the group-member interface { interface-type interface-number1 [ to interface-type interface-number2 ] } &<1-8> command to add interfaces to the QoS group.

        • Run the group-member vlan { vlan-id1 [ to vlan-id2 ] } &<1-8> command to add VLANs to the QoS group.

        • (For CE switches excluding the CE6870EI) Run the group-member ip source ip-address { mask | mask-length } command to add source IP addresses to the QoS group.

      4. Run traffic-policy policy-name { inbound | outbound }

        A traffic policy is applied to the QoS group.

      5. Run commit

        The configuration is committed.
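The following sequence walks the whole procedure above end to end, as an added example that is not part of the Huawei document: it exempts packets from one trusted server from URPF check on the inbound direction of a single interface. The server address 10.1.1.10, ACL 3000, the classifier, behavior and policy names, and the interface 10GE1/0/1 are all assumptions chosen for illustration; the acl and rule commands are standard VRP ACL syntax and are not taken from this page.

```text
# Added example, not from the Huawei document. Assumed values: ACL 3000,
# classifier c_trusted_srv, behavior b_urpf_off, policy p_urpf_exempt,
# interface 10GE1/0/1, trusted server 10.1.1.10 (constructed).
system-view

# 1. Match only the one trusted source (host mask 0). Keep the exemption as
#    narrow as possible: every address matched here is no longer checked for
#    source-address spoofing.
acl number 3000
 rule 5 permit ip source 10.1.1.10 0
commit
quit

# 2. Traffic classifier. With a single ACL rule the default operator "or"
#    and an explicit "and" behave the same, so "or" is used here.
traffic classifier c_trusted_srv type or
 if-match acl 3000
commit
quit

# 3. Traffic behavior that turns URPF check off for matching packets
traffic behavior b_urpf_off
 ip urpf disable
commit
quit

# 4. Bind the classifier to the behavior inside a traffic policy
traffic policy p_urpf_exempt
 classifier c_trusted_srv behavior b_urpf_off
commit
quit

# 5. Apply the policy inbound on the interface facing the server. Before
#    committing, check the resource footprint (the pre-state check is not
#    available on the CE5880EI and CE6880EI).
interface 10GE1/0/1
 traffic-policy p_urpf_exempt inbound
 display traffic-policy pre-state interface 10GE1/0/1 p_urpf_exempt inbound
commit
quit
```

After the final commit, packets arriving on 10GE1/0/1 from 10.1.1.10 bypass URPF check while all other traffic on that interface is still checked. Because the exempted prefix is a deliberate blind spot for spoofing detection, keep the ACL to the exact hosts that need it and apply the policy only on the interface or VLAN where that traffic is expected rather than globally.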

Updated: 2019-04-20

Document ID: EDOC1100074765
