< Home

auto-port-defend whitelist

Function

The auto-port-defend whitelist command configures a whitelist for port attack defense.

The undo auto-port-defend whitelist command deletes a whitelist for port attack defense.

By default, no whitelist is configured for port attack defense. If any of the following conditions is met, however, the switch uses the condition as the whitelist matching rule, regardless of whether port attack defense is enabled. After port attack defense is enabled, the switch does not perform port attack defense for the packets matching such rules.
  • If an interface has been configured as a DHCP trusted interface using the dhcp snooping trusted command, the switch will not consider DHCP packets received from this interface as attack packets.
  • If an interface has been configured as a MAC forced forwarding (MFF) network-side interface using the mac-forced-forwarding network-port command, the switch will not consider ARP packets received from this interface as attack packets.

For the preceding conditions, the switch supports a maximum of 16 whitelist matching rules based on source IP addresses and interfaces.

Format

auto-port-defend whitelist whitelist-number { acl acl-number | interface interface-type interface-number }

undo auto-port-defend whitelist whitelist-number [ acl acl-number | interface interface-type interface-number ]

Parameters

Parameter Description Value

whitelist-number

Specifies the number of the whitelist configured for port attack defense.

The value is an integer that ranges from 1 to 16.

acl acl-number

Specifies the number of the ACL applied to the whitelist.

The value of acl-number is an integer that ranges from 2000 to 4999.

  • 2000 to 2999: basic ACLs
  • 3000 to 3999: advanced ACLs
  • 4000 to 4999: Layer 2 ACLs

interface interface-type interface-number

Specifies the type and number of the interface to which the whitelist is applied.

  • interface-type specifies the interface type.

  • interface-number specifies the interface number.

-

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The port attack defense function is enabled by default on the device, so the device calculates protocol packet rates on all interfaces, and traces the source and limits the rate of attack packets. In some services, network-side interfaces need to receive a lot of valid protocol packets. You should add these interfaces or network nodes connecting to these interfaces to the whitelist. The device does not trace the source or limit the rate of protocol packets received by the interfaces in the whitelist.

Prerequisites

The port attack defense function has been enabled using the auto-port-defend enable command.

Precautions

To define the whitelist using an ACL, you must create an ACL and configure rules for the ACL.

Before configuring an ACL whitelist for some protocols, ensure that the port attack defense function supports these protocols. Use the auto-port-defend protocol command to specify the protocols to which port attack defense is applied.

Example

# In the attack defense policy test, configure a whitelist that references an ACL. The ACL permits the packets from the users with IP addresses 10.1.1.1 and 10.1.1.2.

<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule permit source 10.1.1.1 0
[HUAWEI-acl-basic-2000] rule permit source 10.1.1.2 0
[HUAWEI-acl-basic-2000] quit
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-port-defend enable
[HUAWEI-cpu-defend-policy-test] auto-port-defend whitelist 1 acl 2000

# In the attack defense policy test, add interface GE0/0/1 to the whitelist for port attack defense.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-port-defend enable
[HUAWEI-cpu-defend-policy-test] auto-port-defend whitelist 1 interface gigabitethernet 0/0/1
Parent Topic: Local Attack Defense Configuration Commands
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >