Example for Configuring TCAM ACL Customization

CloudEngine 12800 and 12800E V200R005C10 Configuration Guide - Security

This document describes the configurations of Security, including AAA, 802.1x Authentication, ACL, TCAM ACL Customization, local attack defense, Microsegmentation, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, MACsec, DHCP snooping, IPSG, URPF, SSL, Keychain and FIPS.

About This Document
AAA Configuration
- Overview of AAA
- Understanding AAA
- Application Scenarios for AAA
- Licensing Requirements and Limitations for AAA
- Summary of AAA Configuration Tasks
- Configuring Local Authentication and Authorization
- Configuring RADIUS AAA
- Configuring HWTACACS AAA
- Clearing AAA Statistics
- Configuration Examples for AAA
  - Example for Configuring RADIUS Authentication and Accounting
  - Example for Configuring HWTACACS Authentication, Accounting, and Authorization
- Troubleshooting AAA
  - An AAA Local User Cannot Be Created Due to Incorrect Password Setting
802.1x Authentication Configuration
- Understanding 802.1x Authentication
- Application Scenarios for 802.1x Authentication
- Licensing Requirements and Limitations for 802.1x Authentication
- Default Settings for 802.1x Authentication
- Configuring 802.1x Authentication
- Maintaining 802.1x Authentication
  - Clearing Statistics on 802.1x Authentication Packets
  - Forcing Users Offline
- Configuration Examples for 802.1x Authentication
  - Example for Configuring 802.1x Authentication to Control Users' Internal Access
ACL Configuration
- Overview of ACLs
- Understanding ACLs
- Application Scenarios for ACLs
- Licensing Requirements and Limitations for ACLs
- Default Settings for ACLs
- Configuring a Basic ACL
- Configuring an Advanced ACL
- Configuring a Layer 2 ACL
- Configuring a User-defined ACL
- Configuring an ARP-based ACL
- Configuring a Basic ACL6
- Configuring an Advanced ACL6
- Maintaining an ACL
  - Clearing ACL Statistics
  - Checking ACL Resource Usages
- Configuration Examples for ACLs
- ACL FAQ
  - Which Packets Cannot Be Filtered by the ACL Used by a Traffic Policy?
TCAM ACL Customization Configuration
- Overview of TCAM ACL Customization
- Licensing Requirements and Limitations for TCAM ACL Customization
- Configuring TCAM ACL Customization
  - Enabling TCAM ACL Customization
  - Configuring the TCAM ACL Customization Function for Services
- Displaying Information about a TCAM ACL Customization Profile or Preset Profile
- Configuration Examples for TCAM ACL Customization
  - Example for Configuring TCAM ACL Customization
Microsegmentation Configuration
- Overview of Microsegmentation
- Understanding Microsegmentation
- Application Scenarios for Microsegmentation
- Licensing Requirements and Limitations for Microsegmentation
- Configuring Microsegmentation
- Maintaining Microsegmentation
  - Checking Microsegmentation Statistics
  - Clearing Microsegmentation Statistics
- Configuration Examples for Microsegmentation
  - Example for Configuring IP Address-based Microsegmentation
Local Attack Defense Configuration
- Overview of Local Attack Defense
- Licensing Requirements and Limitations for Local Attack Defense
- Default Settings for Local Attack Defense
- Configuring CPU Attack Defense
- Configuring Attack Source Tracing
- Maintaining Local Attack Defense
- Configuration Examples for Local Attack Defense
  - Example for Configuring Local Attack Defense
- Troubleshooting Local Attack Defense
MFF Configuration
- Overview of MFF
- Understanding MFF
- Application Scenarios for MFF
- Licensing Requirements and Limitations for MFF
- Configuring MFF
- Configuration Examples for MFF
  - Example for Configuring MFF to Implement Layer 2 Isolation and Layer 3 Connection
- Troubleshooting MFF
  - Users Fail to Access the Internet After MFF Is Configured
Attack Defense Configuration
- Overview of Attack Defense
- Understanding Attack Defense
- Application Scenarios for Attack Defense
- Licensing Requirements and Limitations for Attack Defense
- Default Settings for Attack Defense
- Configuring Defense Against Malformed Packet Attacks
- Configuring Defense Against Packet Fragment Attacks
- Configuring Defense Against Flood Attacks
- Clearing Attack Defense Statistics
- Configuration Examples for Attack Defense
  - Example for Configuring Attack Defense
Traffic Suppression and Storm Control Configuration
- Overview of Traffic Suppression and Storm Control
- Understanding Traffic Suppression and Storm Control
  - Traffic Suppression
  - Storm Control
- Application Scenarios for Traffic Suppression and Storm Control
  - Traffic Suppression
  - Storm Control
- Licensing Requirements and Limitations for Traffic Suppression and Storm Control
- Default Settings for Traffic Suppression and Storm Control
- Configuring Traffic Suppression
- Configuring Storm Control
- Configuration Examples for Traffic Suppression and Storm Control
  - Example for Configuring Traffic Suppression
  - Example for Configuring Storm Control
ARP Security Configuration
- Overview of ARP Security
- Understanding ARP Security
- Application Scenarios for ARP Security
  - Defense Against ARP Flood Attacks
  - Defense Against ARP Spoofing Attacks
- Licensing Requirements and Limitations for ARP Security
- Default Settings for ARP Security
- Configuring Defense Against ARP Flood Attacks
- Configuring Defense Against ARP Spoofing Attacks
- Maintaining ARP Security
- Configuration Examples for ARP Security
  - Example for Configuring ARP Security Functions
  - Example for Configuring Defense Against ARP MITM Attacks
Port Security Configuration
- Overview of Port Security
- Understanding Port Security
- Application Scenarios for Port Security
- Licensing Requirements and Limitations for Port Security
- Default Settings for Port Security
- Configuring Port Security
- Configuration Examples for Port Security
  - Example for Configuring Port Security
MACsec Configuration
- Overview of MACsec
- Understanding MACsec
- Application Scenarios for MACsec
- Default Configuration
- Licensing Requirements and Limitations for MACsec
- Configuring MACsec
- Maintaining MACsec
  - Displaying MACsec Statistics
  - Clearing MACsec Statistics
- Configuration Examples for MACsec
  - Example for Configuring Point-to-Point MACsec
DHCP Snooping Configuration
- Overview of DHCP Snooping
- Understanding DHCP Snooping
  - DHCP Snooping Fundamentals
  - Option 82 Supported by DHCP Snooping
- Application Scenarios for DHCP Snooping
- Licensing Requirements and Limitations for DHCP Snooping
- Default Settings for DHCP Snooping
- Configuring Basic Functions of DHCP Snooping
- Configuring DHCP Snooping Attack Defense
- Inserting the Option 82 Field in a DHCP Message
- Maintaining DHCP Snooping
- Configuration Examples for DHCP Snooping
  - Example for Configuring DHCP Snooping Attack Defense
- Troubleshooting DHCP Snooping
  - DHCP Clients Cannot Go Online Due to DHCP Snooping
IPSG Configuration
- Overview of IPSG
- Licensing Requirements and Limitations for IPSG
- Default Settings for IPSG
- Configuring IPSG
- Maintaining IPSG
  - Checking Statistics on Discarded IP Packets
  - Clearing Statistics on Discarded IP Packets
- Configuration Examples for IPSG
  - Example for Configuring IPSG to Check Interface + IP + MAC Binding Entries
URPF Configuration
- Overview of URPF
- Understanding URPF
- Application Scenarios for URPF
- Licensing Requirements and Limitations for URPF
- Default Settings for URPF
- Configuring URPF
- Configuration Examples for URPF
  - Example for Configuring URPF (CE12800)
  - Example for Configuring URPF (CE12800E)
SSL Configuration
- Overview of SSL
- Understanding SSL
- Application Scenarios for SSL
  - Application of SSL in Information Center
- Licensing Requirements and Limitations for SSL
- Configuring SSL
  - Configuring an SSL Policy
  - Applying an SSL Policy
- Configuration Examples for SSL
  - Example for Outputting SSL-Encrypted Logs to a Log Host
Keychain Configuration
- Overview of Keychains
- Understanding Keychains
- Application Scenarios for Keychains
- Licensing Requirements and Limitations for Keychain
- Configuring a Keychain
- Configuration Examples for Keychains
  - Example for Applying the Keychain to RIP
  - Example for Applying the Keychain to BGP
FIPS Configuration
- Overview of FIPS
- Configuring the FIPS Mode
Separating the Management Port from the Service Plane
Checking Security Risks
Setting the System Master Key

Rate and give feedback:

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

Example for Configuring TCAM ACL Customization

Networking Requirements

TCAM ACL customization is often configured on a stand-alone device.

Configuration Roadmap

The configuration roadmap is as follows:

Enable TCAM ACL customization.
Create a TCAM ACL customization profile and configure TCAM ACL customization groups in the profile.
Bind TCAM ACL customization groups to services.

Service names in this example are used for reference only. The service names vary according to different device models.
Apply the TCAM ACL customization profile globally.
Configure services.

Procedure

Enable TCAM ACL customization.

<HUAWEI> system-view
[*HUAWEI] sysname switch 
[~HUAWEI] commit
[~Switch] system tcam acl
[*Switch] commit

Configure a TCAM ACL customization profile and apply the TCAM ACL customization profile globally.

# Create a TCAM ACL customization profile named template1, configure TCAM ACL customization groups, and configure the mapping between matching rules, actions, services, and groups.

[~Switch] system tcam acl template template1
[*Switch-tcam-acl-template1] commit
[~Switch-tcam-acl-template1] group cpcar precedence 0                                                        
[*Switch-tcam-acl-template1-group-cpcar] match ethernet destination-mac                                   
[*Switch-tcam-acl-template1-group-cpcar] match ipv6 source-ip-high protocol ttl                                              
[*Switch-tcam-acl-template1-group-cpcar] match tcp destination-port source-port                                              
[*Switch-tcam-acl-template1-group-cpcar] match forwarding destination-interface                                              
[*Switch-tcam-acl-template1-group-cpcar] match udf ipv4-head 0 1                                                             
[*Switch-tcam-acl-template1-group-cpcar] action deny snoop redirect interface flow                                           
[*Switch-tcam-acl-template1-group-cpcar] quit
[*Switch-tcam-acl-template1] group CpcarTerminated precedence 2
[*Switch-tcam-acl-template1-group-CpcarTerminated] match ip protocol                                                         
[*Switch-tcam-acl-template1-group-CpcarTerminated] match udf ipv4-head 9 1 udf ipv4-head negative 2 2 udf ipv4-head 22 2              
[*Switch-tcam-acl-template1-group-CpcarTerminated] action deny snoop redirect flow                                           
[*Switch-tcam-acl-template1-group-CpcarTerminated] quit                                                                          
[*Switch-tcam-acl-template1] group CpCarTermV6 precedence 7                                                             
[*Switch-tcam-acl-template1-group-CpCarTermV6] match udf ipv4-head 6 1 udf l2-head 42 2                                      
[*Switch-tcam-acl-template1-group-CpCarTermV6] action snoop
[*Switch-tcam-acl-template1-group-CpCarTermV6] quit                                                                        
[*Switch-tcam-acl-template1] group NEWQOSCAR precedence 9                                                        
[*Switch-tcam-acl-template1-group-NEWQOSCAR] match forwarding source-interface                                               
[*Switch-tcam-acl-template1-group-NEWQOSCAR] action car statistics 
[*Switch-tcam-acl-template1-group-NEWQOSCAR] quit                                                                
[*Switch-tcam-acl-template1] group MQCNEWV6 precedence 11                                                           
[*Switch-tcam-acl-template1-group-MQCNEWV6] match ipv6 source-ip-high protocol tos                                            
[*Switch-tcam-acl-template1-group-MQCNEWV6] match forwarding vsi                                                             
[*Switch-tcam-acl-template1-group-MQCNEWV6] action statistics remark local-precedence
[*Switch-tcam-acl-template1-group-MQCNEWV6] quit                                              
[*Switch-tcam-acl-template1] group TUNNELSTAT precedence 13                                                          
[*Switch-tcam-acl-template1-group-TUNNELSTAT] match forwarding vsi                                                           
[*Switch-tcam-acl-template1-group-TUNNELSTAT] action statistics
[*Switch-tcam-acl-template1-group-TUNNELSTAT] quit                                                                     
[*Switch-tcam-acl-template1] service cpcar-terminatedv4 group CpcarTerminated                                      
[*Switch-tcam-acl-template1] service cpcar-terminatedv6 group CpCarTermV6                                                     
[*Switch-tcam-acl-template1] service cpcar6 group cpcar                                                                       
[*Switch-tcam-acl-template1] service qos-car group NEWQOSCAR                                                                  
[*Switch-tcam-acl-template1] service trafficpolicy6-l3 group MQCNEWV6                                                         
[*Switch-tcam-acl-template1] service vlan-statistics group TUNNELSTAT
[*Switch-tcam-acl-template1] quit
[*Switch] system tcam acl template template1 all
[*Switch] commit

Add interfaces to VLANs and create VLANIF interfaces.

# Configure 10GE4/0/20, 10GE4/0/22, 10GE4/0/24, and 10GE4/0/26 as trunk interfaces, and add 10GE4/0/20 to VLAN 2000, 10GE4/0/22 to VLAN 2001 and VLAN 3010, 10GE4/0/24 to VLAN 3011, and 10GE4/0/26 to VLAN 3012.

[~Switch] vlan batch  2000 2001 3010 to 3012
[*Switch] commit
[~Switch] interface 10ge 4/0/20 
[~Switch-10GE4/0/20] port link-type trunk 
[*Switch-10GE4/0/20] port trunk allow-pass vlan 2000 
[*Switch-10GE4/0/20] undo port trunk allow-pass vlan 1
[*Switch-10GE4/0/20] quit
[*Switch] interface 10ge 4/0/22 
[*Switch-10GE4/0/22] port link-type trunk 
[*Switch-10GE4/0/22] port trunk allow-pass vlan 3010 2001
[*Switch-10GE4/0/22] undo port trunk allow-pass vlan 1
[*Switch-10GE4/0/22] quit 
[*Switch] interface 10ge 4/0/24 
[*Switch-10GE4/0/24] port link-type trunk 
[*Switch-10GE4/0/24] port trunk allow-pass vlan 3011 
[*Switch-10GE4/0/24] undo port trunk allow-pass vlan 1
[*Switch-10GE4/0/24] quit
[*Switch] interface 10ge 4/0/26 
[*Switch-10GE4/0/26] port link-type trunk 
[*Switch-10GE4/0/26] port trunk allow-pass vlan 3012 
[*Switch-10GE4/0/26] undo port trunk allow-pass vlan 1
[*Switch-10GE4/0/26] quit
[*Switch] commit

# Create VLANIF interfaces 3010, 3011, and 3012 and assign IP addresses to them.

[~Switch] interface vlanif 3010                                                                                        
[*Switch-Vlanif3010] ip address 192.168.0.1 24                                                                              
[*Switch-Vlanif3010] quit
[*Switch] interface vlanif 3011                                                                                   
[*Switch-Vlanif3011] ip address 192.168.1.1 24   
[*Switch-Vlanif3011] quit  
[*Switch] interface vlanif 3012                                                                                          
[*Switch-Vlanif3012] ip address 192.168.2.1 24 
[*Switch-Vlanif3012] quit
[*Switch] commit

# Create VLANIF interfaces 2000 and 2001 and assign IPv6 addresses to them.

[~Switch] interface vlanif 2000                                                                                           
[*Switch-Vlanif2000] ipv6 enable   
[*Switch-Vlanif2000] ipv6 address FC00::100 64                                                                                
[*Switch-Vlanif2000] quit  
[*Switch] interface vlanif 2001 
[*Switch-Vlanif2001] ipv6 enable     
[*Switch-Vlanif2001] ipv6 address FC00::101 64 
[*Switch-Vlanif2001] quit           
[*Switch] commit

# Configure routes.

[~Switch] ospf 1                                                                                                           
[*Switch-ospf-1] area 1
[*Switch-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
[*Switch-ospf-1-area-0.0.0.1] network 192.168.2.0 0.0.0.255
[*Switch-ospf-1-area-0.0.0.1] network 192.168.3.0 0.0.0.255
[*Switch-ospf-1-area-0.0.0.1] quit
[*Switch-ospf-1] quit
[*Switch] commit

Configure traffic policies.

# Create traffic classifiers c6 and c7, traffic behaviors b6 and b7, and traffic policies p6 and p7, and bind the traffic classifiers and traffic behaviors to traffic policies.

[~Switch] traffic classifier c6                                                                                                
[*Switch-classifier-c6] if-match ipv6 dscp af11
[*Switch-classifier-c6] quit                                                                             
[*Switch] traffic behavior b6                                                                                        
[*Switch-behavior-b6] remark local-precedence af4                                                                           
[*Switch-behavior-b6] quit                                                                                                    
[*Switch] traffic policy p6                                                                                                  
[*Switch-trafficpolicy-p6] classifier c6 behavior b6 
[*Switch-trafficpolicy-p6] quit 
[*Switch] acl ipv6 3000 
[*Switch-acl6-advance-3000] rule 5 permit ipv6 source FC00::100 64 dscp 12                          
[*Switch-acl6-advance-3000] quit
[*Switch] traffic classifier c7  
[*Switch-classifier-c7] if-match ipv6 acl 3000  
[*Switch-classifier-c7] quit                                 
[*Switch] traffic behavior b7                                                                                        
[*Switch-behavior-b7] statistics enable 
[*Switch-behavior-b7] quit
[*Switch] traffic policy p7                                                                                                
[*Switch-trafficpolicy-p7] classifier c7 behavior b7  
[*Switch-trafficpolicy-p7] quit
[*Switch] commit

# Apply traffic policies p6 and p7 to VLAN 2000 and VLAN 2001.

[~Switch] vlan 2000                                                                                                         
[~Switch-vlan2000] traffic-policy p6 inbound  
[*Switch-vlan2000] quit                                                                                                       
[*Switch] vlan 2001                                                                                                          
[*Switch-vlan2001] traffic-policy p7 inbound                                                                                  
[*Switch-vlan2001] commit
[~Switch-vlan2001] quit

Configure the QoS CAR service. Create a QoS profile named qoscar1 on the switch and apply the profile to an interface.

[~Switch] qos car qoscar1 cir 300 mbps                                                                                     
[~Switch] interface 10GE 4/0/22                                                                                               
[~Switch-10GE4/0/22] qos car inbound qoscar1                                                                               
[*Switch-10GE4/0/22] commit
[~Switch-10GE4/0/22] quit

Configure the traffic statistics collection service in a VLAN. Configure traffic statistics collection in VLAN 2000 on the switch.

[~Switch] vlan 2000                                                                                                             
[~Switch-vlan2000] statistics enable                                                                                 
[*Switch-vlan2000] commit
[~Switch-vlan2000] quit

Translation

简体中文

Download

Updated: 2021-09-17

Document ID: EDOC1100075347

Downloads: 100

Average rating:

This Document Applies to these Products

Related Version

Digital Signature File

Digital Signature Authentication Mode

Enterprise

Huawei Cloud

Carrier

Consumer

Corporate

Networking Requirements

Configuration Roadmap

Procedure

Related Version

Related Documents

Digital Signature File