Configuring the Whitelist for Port Attack Defense

Context

By default, a device calculates the rate of protocol packets received on every interface, traces the source of attack packets, and limits their rate. Some network-side interfaces, however, legitimately need to receive a large number of protocol packets. Add such interfaces, or the network nodes connected to them, to the whitelist: the device neither traces the source nor limits the rate of protocol packets received on whitelisted interfaces.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run cpu-defend policy policy-name

    The attack defense policy view is displayed.

  3. Run auto-port-defend whitelist whitelist-number { acl acl-number | interface interface-type interface-number }

    The whitelist is configured.

    A maximum of 16 whitelists can be configured on the device.

    The ACL referenced by a whitelist can be a basic ACL, an advanced ACL, or a Layer 2 ACL. For details about ACL configuration, see ACL Configuration.

    By default, no whitelist is configured for port attack defense. However, if either of the following conditions is met, the switch treats the condition as a whitelist matching rule, regardless of whether port attack defense is enabled. Once port attack defense is enabled, the switch does not apply port attack defense to packets matching such rules.
    • If an interface has been configured as a DHCP trusted interface using the dhcp snooping trusted command, the switch will not consider DHCP packets received from this interface as attack packets.
    • If an interface has been configured as a MAC forced forwarding (MFF) network-side interface using the mac-forced-forwarding network-port command, the switch will not consider ARP packets received from this interface as attack packets.

    For the preceding conditions, the switch supports a maximum of 16 whitelist matching rules based on source IP addresses and interfaces.

    All packets matching an ACL referenced by a whitelist are treated as valid packets, regardless of whether the matching ACL rule is permit or deny. A deny rule therefore does not exclude traffic from the whitelist; it adds that traffic to it.

    If an ACL has no rule, the whitelist that references the ACL does not take effect.
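    The following session is an added example and not part of the original page. It assumes a constructed basic ACL 2000 covering 10.1.1.0/24, a policy named policy1, and interface GigabitEthernet 0/0/1; lines beginning with # are explanatory comments, not commands.

```console
# Added example (not from the original page); ACL number, address range,
# policy name and interface are constructed assumptions.
<HUAWEI> system-view
# Create the basic ACL the whitelist will reference. An ACL with no rules
# would leave the whitelist that references it without effect.
[HUAWEI] acl number 2000
[HUAWEI-acl-basic-2000] rule 5 permit source 10.1.1.0 0.0.0.255
# Note: a "deny" rule here would also whitelist its matching traffic,
# because permit and deny both count as matches for the whitelist.
[HUAWEI-acl-basic-2000] quit
# Enter the attack defense policy view and define two of the 16 possible whitelists:
# whitelist 1 by ACL, whitelist 2 by network-side interface.
[HUAWEI] cpu-defend policy policy1
[HUAWEI-cpu-defend-policy-policy1] auto-port-defend whitelist 1 acl 2000
[HUAWEI-cpu-defend-policy-policy1] auto-port-defend whitelist 2 interface gigabitethernet 0/0/1
[HUAWEI-cpu-defend-policy-policy1] quit
```

    Protocol packets from 10.1.1.0/24, and all protocol packets arriving on GigabitEthernet 0/0/1, are then exempt from source tracing and rate limiting under policy1.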

Copyright © Huawei Technologies Co., Ltd.