FAQ-Introduction to NE5000E Attack Prevention Configuration

Publication Date: 2019-07-19

Issue Description

This FAQ introduces the attack prevention configuration of the NE5000E.

Alarm Information


Handling Process

1. The attack prevention configuration on the core NE5000E router on a provincial network is as follows:
acl number 3001
rule 5 permit tcp destination-port eq bgp
rule 10 permit tcp source-port gt bgp
rule 15 permit icmp icmp-type echo
rule 20 permit icmp icmp-type echo-reply
rule 25 permit ospf
rule 30 permit tcp destination-port eq 22
rule 35 permit tcp destination-port eq telnet
rule 40 permit udp destination-port eq snmp
rule 45 permit udp destination-port eq ntp
rule 50 permit udp source 0
rule 55 permit udp source 0
rule 60 permit tcp source-port eq ftp
rule 65 permit tcp source-port eq ftp-data
rule 70 permit icmp icmp-type ttl-exceeded
rule 75 permit udp destination-port eq tftp
rule 80 permit udp source-port eq tftp
rule 85 permit tcp source-port eq telnet
rule 90 permit tcp source-port eq tacacs
rule 95 permit udp destination-port eq 1985
rule 100 permit udp source-port eq 1985
rule 105 deny tcp
rule 110 deny udp
cpu-defend policy 15
whitelist acl 3001
Finally, the configuration is delivered to each board.
2. Note that in a cpu-defend policy configuration, the policy ID can be 4-10, 14-20, or 22-30, where:
Policy IDs 4-10 indicate the attack prevention policy of the 2800 board. Currently, these IDs are not used on NE5000E routers. The 2800 chips are mainly used on the LPUA boards of NE80E/NE40E.
Policy IDs 14-20 indicate the attack prevention policy of the 588 board, mainly used on the LPUB, LPUC, LPUE, and LPUI boards of NE5000E routers.
Policy IDs 22-30 indicate the attack prevention policy of the Rainier board. These IDs can be used only on the NETSTREAM board of an NE5000E router.
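The following Python script is an added example, not part of the original FAQ or any Huawei tooling. It audits a whitelist ACL and cpu-defend policy ID of the kind shown above. The ID ranges come from the text; the function names, the findings it reports (repeated matches, cleartext protocols, open-ended port matches, missing catch-all deny) and the sample input are assumptions made for illustration.

```python
import re

# Policy-ID ranges per board family, as stated in the FAQ text.
POLICY_RANGES = {"2800": range(4, 11), "588": range(14, 21), "Rainier": range(22, 31)}
CLEARTEXT = {"telnet", "ftp", "ftp-data", "tftp"}  # unencrypted protocols
RULE = re.compile(r"^rule (\d+) (permit|deny) (\S+)\s*(.*)$")

# Constructed sample: a subset of the configuration on this page, copied as shown.
SAMPLE = """\
acl number 3001
rule 5 permit tcp destination-port eq bgp
rule 10 permit tcp source-port gt bgp
rule 30 permit tcp destination-port eq 22
rule 35 permit tcp destination-port eq telnet
rule 50 permit udp source 0
rule 55 permit udp source 0
rule 105 deny tcp
rule 110 deny udp
cpu-defend policy 15
whitelist acl 3001
"""

def board_family(policy_id):
    """Return the board family whose ID range contains policy_id, else None."""
    return next((f for f, ids in POLICY_RANGES.items() if policy_id in ids), None)

def audit(config):
    """Return (policy_id, board_family, findings) for a whitelist ACL and its policy."""
    rules, findings, policy_id, seen = [], [], None, {}
    for line in map(str.strip, config.splitlines()):
        m = RULE.match(line)
        if m:
            rules.append((int(m[1]), m[2], m[3], m[4].strip()))
        elif line.startswith("cpu-defend policy "):
            policy_id = int(line.split()[-1])
    for rid, action, proto, match in rules:
        first = seen.setdefault((action, proto, match), rid)
        if first != rid:
            findings.append(f"rule {rid}: same match as rule {first}")
        words = match.split()
        if action == "permit" and words and words[-1] in CLEARTEXT:
            findings.append(f"rule {rid}: whitelists cleartext protocol {words[-1]}")
        if action == "permit" and ("gt" in words or "lt" in words):
            findings.append(f"rule {rid}: open-ended port match '{match}'")
    catch_all = {proto for _, action, proto, match in rules if action == "deny" and not match}
    findings += [f"no catch-all deny for {p}" for p in ("tcp", "udp") if p not in catch_all]
    family = board_family(policy_id) if policy_id is not None else None
    if family is None:
        findings.append(f"policy id {policy_id} is outside 4-10, 14-20 and 22-30")
    return policy_id, family, findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Because whitelisted traffic is what the policy lets through to the CPU, each finding marks a rule worth reviewing before the policy is delivered to the boards.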

Root Cause