
service-security binding

Function

The service-security binding command binds an MPAC policy to an interface.

The undo service-security binding command unbinds an MPAC policy from an interface.

By default, no MPAC policy is applied to an interface.

Format

service-security binding { ipv4 | ipv6 } security-policy-name

undo service-security binding { ipv4 | ipv6 }

The ipv6 parameter is not supported in the subinterface view.

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| ipv4 | Binds an IPv4 MPAC policy to an interface. | - |
| ipv6 | Binds an IPv6 MPAC policy to an interface. | - |
| security-policy-name | Specifies the name of an MPAC policy. | The value is a string of 1 to 31 case-sensitive characters without spaces. It must start with a letter. |

Views

Ethernet interface view, Ethernet sub-interface view, GE interface view, MultiGE interface view, MultiGE sub-interface view, GE sub-interface view, XGE interface view, 25GE interface view, XGE sub-interface view, 25GE sub-interface view, 40GE interface view, 40GE sub-interface view, 100GE interface view, 100GE sub-interface view, Eth-Trunk interface view, Eth-Trunk sub-interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Attackers may pose as authorized users to send protocol packets to network devices or to control these devices, which disrupts network operation. You can configure MPAC on network devices to either allow the specified protocol packets to be sent to the CPUs or discard them, improving device security and reliability.

After an MPAC policy is created, run the service-security binding command to bind it to interfaces.

Prerequisites

An MPAC policy has been created using the service-security policy command.

Example

# Create an IPv4 MPAC policy and apply it to an interface.

<HUAWEI> system-view
[HUAWEI] service-security policy ipv4 huawei
[HUAWEI-service-sec-huawei] rule 5 permit protocol tcp source-port 1000 source-ip 127.1.1.1 0
[HUAWEI-service-sec-huawei] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] service-security binding ipv4 huawei

# Create an IPv6 MPAC policy and apply it to an interface.

<HUAWEI> system-view
[HUAWEI] service-security policy ipv6 huawei1
[HUAWEI-service6-sec-huawei1] rule 10 deny protocol tcp
[HUAWEI-service6-sec-huawei1] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] service-security binding ipv6 huawei1
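
An offline audit of the binding rules this page states, as an added example that is not Huawei's own code: it checks saved configuration text for bindings that name an undefined policy (names are case-sensitive), names that break the 1 to 31 character rule, ipv6 bindings on sub-interfaces, and interfaces left at the default of no MPAC policy. The '#'-separated configuration layout, the dotted sub-interface names, the per-family policy lookup and the function name audit_bindings are assumptions; the sample configuration is constructed.

```python
import re

# Name rule from the Parameters table: 1 to 31 characters, no spaces, starts with a letter.
NAME_RE = re.compile(r"[A-Za-z]\S{0,30}")
# Constructed sample; the '#'-separated block layout is an assumption about saved config text.
SAMPLE_CONFIG = """\
service-security policy ipv4 huawei
 rule 5 permit protocol tcp source-port 1000 source-ip 127.1.1.1 0
#
service-security policy ipv6 huawei1
 rule 10 deny protocol tcp
#
interface GigabitEthernet0/0/1
 service-security binding ipv4 huawei
#
interface GigabitEthernet0/0/2
 service-security binding ipv4 Huawei
#
interface GigabitEthernet0/0/2.10
 service-security binding ipv6 huawei1
#
interface GigabitEthernet0/0/3
#
"""

def audit_bindings(config_text):
    """Return a sorted list of (interface, finding) tuples."""
    policies, bindings, interfaces, current = set(), [], [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"service-security policy (ipv4|ipv6) (\S+)", line):
            policies.add((m[1], m[2]))  # assumption: policies are looked up per address family
        elif m := re.fullmatch(r"interface (\S+)", line):
            current = m[1]
            interfaces.append(current)
        elif line == "#":
            current = None  # end of the current configuration block
        elif current and (m := re.fullmatch(r"service-security binding (ipv4|ipv6) (.+)", line)):
            bindings.append((current, m[1], m[2]))
    findings = []
    for ifname, family, name in bindings:
        if not NAME_RE.fullmatch(name):
            findings.append((ifname, f"invalid policy name {name!r}"))
        elif (family, name) not in policies:  # exact match: names are case-sensitive
            findings.append((ifname, f"{family} policy {name!r} not defined"))
        if family == "ipv6" and "." in ifname:  # assumption: sub-interfaces are named <parent>.<n>
            findings.append((ifname, "ipv6 binding not supported on sub-interface"))
    bound = {ifname for ifname, _, _ in bindings}
    findings += [(i, "no MPAC policy bound") for i in interfaces if i not in bound]
    return sorted(findings)
```
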
Copyright © Huawei Technologies Co., Ltd.