Configuring IPv6 MPAC Policy

Context

Malicious attack packets will make a network busy, increase CPU usage of network devices, and form a DoS attack. To protect the CPU, configure an MPAC policy that controls the packets to be sent to the CPU.

Procedure

Run system-view
The system view is displayed.
Run service-security policy ipv6 security-policy-name
An IPv6 MPAC policy is created and its view is displayed.

By default, no IPv6 MPAC policy exists on a device.

Add a rule to the IPv6 MPAC policy:

**Table 1** IPv6 MPAC rules
Protocol	Command	Remarks
TCP, UDP	rule [ rule-id ] { permit \| deny } protocol { tcp \| tcp-protocol-number \| udp \| udp-protocol-number } [ [ source-port source-port-number ] \| [ destination-port destination-port-number ] \| [ source-ip { source-ipv6-address source-ipv6-prefix-length \| source-ipv6-address/prefix-length \| any } ] \| [ destination-ip { destination-ipv6-address destination-ipv6-prefix-length \| destination-ipv6-address/prefix-length \| any } ] ] ^*	-
BGP, OSPF, RIP, DHCP-C, DHCP-R, FTP, LDP, LSP-PING, NTP, RSVP, SNMP, SSH, Telnet, TFTP, IP	rule [ rule-id ] { permit \| deny } protocol { protocol-number \| ftp \| ssh \| snmp \| telnet \| tftp \| bgp \| ldp \| rsvp \| ospf \| rip \| ntp \| lsp-ping \| dhcp-c \| dhcp-r \| ip } [ [ source-ip { source-ipv6-address source-ipv6-prefix-length \| source-ipv6-address/prefix-length \| any } ] \| [ destination-ip { destination-ipv6-address destination-ipv6-prefix-length \| destination-ipv6-address/prefix-length \| any } ] ] ^*	-
Any protocol	rule [ rule-id ] { deny \| permit } protocol any	Exercise caution when using the rule [ rule-id ] deny protocol any command. If this command is executed in the system view, no protocol packets can be sent to the CPU, causing the device to be out of management.

By default, no rule exists in an IPv6 MPAC policy.

(Optional) Run step step
The step between two MPAC rule IDs is set.

By default, the step between two MPAC rule IDs is 5.
(Optional) Run description text
The description of the MPAC policy is configured.

By default, an MPAC policy does not have a description.
Run quit
Return to the system view.
Apply the IPv6 MPAC policy.
- Apply the IPv6 MPAC policy globally:
  
  Run the service-security global-binding ipv6 security-policy-name command.
  
  By default, no MPAC policy is globally applied.
- Apply the IPv6 MPAC policy to an interface:
  1. Run the interface interface-type interface-number command to display an interface view or a subinterface view.
  2. (Optional) On an Ethernet interface, run undo portswitch
    
    The interface is switched to Layer 3 mode.
    
    By default, an Ethernet interface works in Layer 2 mode.
    
    Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support switching between Layer 2 and Layer 3 modes.
  3. Run the service-security binding ipv6 security-policy-name command to apply the IPv6 MPAC policy to the interface.
    
    By default, no MPAC policy is applied to an interface.
The MPAC policies on a subinterface, interface, or configured globally are in descending order of priority. That is, when different MPAC policies are applied globally, to an interface, and to a subinterface, the MPAC policy on the subinterface takes effect preferentially, and then the MPAC policy on the interface, and then the MPAC policy applied globally.