S1700, S2720, S5700, and S6700 V200R019C10 Command Reference
auto-port-defend whitelist
Function
The auto-port-defend whitelist command configures a whitelist for port attack defense.
The undo auto-port-defend whitelist command deletes a whitelist for port attack defense.
- If an interface has been configured as a DHCP trusted interface using the dhcp snooping trusted command, the switch will not consider DHCP packets received from this interface as attack packets.
- If an interface has been configured as a MAC forced forwarding (MFF) network-side interface using the mac-forced-forwarding network-port command, the switch will not consider ARP packets received from this interface as attack packets.
For the preceding conditions, the switch supports a maximum of 16 whitelist matching rules based on source IP addresses and interfaces.
Format
auto-port-defend whitelist whitelist-number { acl acl-number | interface interface-type interface-number }
undo auto-port-defend whitelist whitelist-number [ acl acl-number | interface interface-type interface-number ]
Parameters
Parameter | Description | Value |
---|---|---|
whitelist-number | Specifies the number of the whitelist configured for port attack defense. | The value is an integer that ranges from 1 to 16. |
acl acl-number | Specifies the number of the ACL applied to the whitelist. | The value of acl-number is an integer that ranges from 2000 to 4999. |
interface interface-type interface-number | Specifies the type and number of the interface to which the whitelist is applied. | - |
Usage Guidelines
Usage Scenario
The port attack defense function is enabled by default on the device, so the device measures protocol packet rates on all interfaces, traces the source of attack packets, and limits their rate. In some services, network-side interfaces need to receive a large number of valid protocol packets. You should add these interfaces, or the network nodes connected to them, to the whitelist. The device does not trace the source or limit the rate of protocol packets received on interfaces in the whitelist.
Prerequisites
The port attack defense function has been enabled using the auto-port-defend enable command.
Precautions
To define the whitelist using an ACL, you must create an ACL and configure rules for the ACL.
Before configuring an ACL whitelist for some protocols, ensure that the port attack defense function supports these protocols. Use the auto-port-defend protocol command to specify the protocols to which port attack defense is applied.
Example
# In the attack defense policy test, configure a whitelist that references an ACL. The ACL permits the packets from the users with IP addresses 10.1.1.1 and 10.1.1.2.
<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule permit source 10.1.1.1 0
[HUAWEI-acl-basic-2000] rule permit source 10.1.1.2 0
[HUAWEI-acl-basic-2000] quit
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-port-defend enable
[HUAWEI-cpu-defend-policy-test] auto-port-defend whitelist 1 acl 2000
# In the attack defense policy test, add interface GE0/0/1 to the whitelist for port attack defense.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-port-defend enable
[HUAWEI-cpu-defend-policy-test] auto-port-defend whitelist 1 interface gigabitethernet 0/0/1
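As an added example (not Huawei's code or a command from this reference), the following Python script audits a saved configuration against the prerequisites and precautions above: it flags a whitelist in a policy that lacks auto-port-defend enable, a whitelist that references an ACL that is undefined or has no rules, and numbers outside the documented ranges. The line formats it parses, the function names and the sample configuration are assumptions constructed for this example.

```python
import re
# Constraints stated on the page: whitelist-number 1..16, acl-number 2000..4999, auto-port-defend
# must be enabled in the policy. Constructed sample: "test" mirrors the page, "bad" breaks each rule.
WHITELIST_RANGE, ACL_RANGE = range(1, 17), range(2000, 5000)
SAMPLE_CONFIG = """\
acl number 2000
 rule 5 permit source 10.1.1.1 0
 rule 10 permit source 10.1.1.2 0
cpu-defend policy test
 auto-port-defend enable
 auto-port-defend whitelist 1 acl 2000
 auto-port-defend whitelist 2 interface gigabitethernet 0/0/1
cpu-defend policy bad
 auto-port-defend whitelist 1 acl 2001
 auto-port-defend whitelist 17 acl 2000
"""
WL_RE = re.compile(r"auto-port-defend whitelist (\d+) (?:acl (\d+)|interface (\S+ \S+))$")

def parse_config(text):
    # Collect ACL rules and per-policy whitelist entries; unrelated lines are ignored.
    acls, policies, ctx = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"acl (?:number )?(\d+)$", line):
            ctx = ("acl", int(m.group(1)))
            acls.setdefault(ctx[1], [])
        elif m := re.match(r"cpu-defend policy (\S+)$", line):
            ctx = ("policy", m.group(1))
            policies.setdefault(ctx[1], {"enabled": False, "whitelists": []})
        elif ctx and ctx[0] == "acl" and line.startswith("rule "):
            acls[ctx[1]].append(line)
        elif ctx and ctx[0] == "policy" and line == "auto-port-defend enable":
            policies[ctx[1]]["enabled"] = True
        elif ctx and ctx[0] == "policy" and (m := WL_RE.match(line)):
            acl = int(m.group(2)) if m.group(2) else None
            policies[ctx[1]]["whitelists"].append((int(m.group(1)), acl, m.group(3)))
    return acls, policies

def audit(text):
    # Return findings for whitelist entries that will not behave as the operator intends.
    acls, policies = parse_config(text)
    findings = []
    for name, pol in policies.items():
        if pol["whitelists"] and not pol["enabled"]:
            findings.append(f"policy {name}: whitelist configured but auto-port-defend not enabled")
        for number, acl, _iface in pol["whitelists"]:
            if number not in WHITELIST_RANGE:
                findings.append(f"policy {name}: whitelist {number} out of range 1-16")
            if acl is not None and (acl not in ACL_RANGE or not acls.get(acl)):
                findings.append(f"policy {name}: whitelist {number} ACL {acl} is out of range, undefined, or has no rules")
    return findings
```

Run audit() over the output of display current-configuration to review every cpu-defend policy on a device before relying on a whitelist; an interface entry is accepted as is, since the page lists no value constraint for it.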