protocol (Global management service plane defense view)

Function

The protocol command configures a rule to accept or discard packets of a specified protocol or all protocols before the packets are sent to the CPU.

The undo protocol command deletes a configured rule.

By default, no rule is configured.

Format

protocol { { ipv6 { bgp4plus | ftp | ospfv3 | ssh | telnet | pimsm } } | { bgp | ftp | ldp | ospf | rip | rsvp | snmp | ssh | telnet | tftp | isis | pimsm } } { deny | permit }

undo protocol { { ipv6 { bgp4plus | ftp | ospfv3 | ssh | telnet | pimsm } } | { bgp | ftp | ldp | ospf | rip | rsvp | snmp | ssh | telnet | tftp | isis | pimsm } }

Parameters

Parameter   Description                            Value
ipv6        Configures a rule for IPv6 packets.    -
bgp4plus    Configures a rule for BGP4+ packets.   -
ftp         Configures a rule for FTP packets.     -
ospfv3      Configures a rule for OSPFv3 packets.  -
ssh         Configures a rule for SSH packets.     -
telnet      Configures a rule for Telnet packets.  -
pimsm       Configures a rule for PIM-SM packets.  -
bgp         Configures a rule for BGP packets.     -
ldp         Configures a rule for LDP packets.     -
ospf        Configures a rule for OSPF packets.    -
rip         Configures a rule for RIP packets.     -
rsvp        Configures a rule for RSVP packets.    -
snmp        Configures a rule for SNMP packets.    -
tftp        Configures a rule for TFTP packets.    -
isis        Configures a rule for IS-IS packets.   -
deny        Discards packets.                      -
permit      Allows packets to be sent to the CPU.  -

Views

Global management service plane defense view

Default Level

2: Configuration level

Task Name and Operations

Task Name    Operations
hostdefend   write

Usage Guidelines

Usage Scenario

To help the device defend against attacks or unauthorized logins initiated by sending protocol packets, management and service plane protection is used to prevent packets of a specified protocol or all protocols from being sent to the CPU. Using management and service plane protection improves device security and reliability and ensures normal network operation.

The protocol command is run in the global policy view to configure a rule. The rule is used to accept or discard packets of a specified protocol or all protocols before the packets are sent to the CPU.

Prerequisites

A policy has been created. A global policy can be created as needed.

Configuration Impact

After the protocol command is run, the device sends received packets to the CPU or discards them according to the protocol rules that have been configured.

After a discard policy is configured for a specified protocol, protocol disconnections or user login failures may occur.

Precautions

If no rule is configured for a policy, management and service plane protection or its policy does not take effect.

In VS mode, this command is supported only by the admin VS.

Example

# Create a global policy, configure its rule to discard FTP packets, and apply this policy to the device.
<HUAWEI> system-view
[~HUAWEI] ma-defend global-policy
[*HUAWEI-app-sec-global] protocol ftp deny
[*HUAWEI-app-sec-global] enable
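Because a policy with no rules silently does nothing, and a permit rule for a cleartext management protocol lets that traffic reach the CPU, reviewing the configured rules is worth automating. The following Python audit is an added example, not part of the Huawei documentation: it parses the ma-defend global-policy block out of a constructed configuration excerpt (the section-delimiting "#" lines and the cleartext-protocol list are assumptions of this example) and reports rule-less policies, policies that were never enabled, and permitted cleartext protocols.

```python
import re

# Constructed sample of a configuration excerpt; not captured from a real device.
SAMPLE_CONFIG = """\
#
ma-defend global-policy
 protocol ftp deny
 protocol ipv6 telnet permit
 protocol telnet permit
 protocol ssh permit
 enable
#
"""

# Grammar from the Format section: protocol [ ipv6 ] <name> { deny | permit }
RULE_RE = re.compile(r"^\s*protocol\s+(?:(ipv6)\s+)?(\S+)\s+(deny|permit)\s*$")

# Protocols that carry credentials in cleartext; permitting them to reach the CPU
# is flagged for review. This list is an assumption of the example.
CLEARTEXT = {"telnet", "ftp", "tftp"}


def parse_global_policy(config):
    """Return (rules, enabled) for the ma-defend global-policy block.
    rules maps (address family, protocol) -> 'deny' or 'permit'."""
    rules, enabled, in_block = {}, False, False
    for line in config.splitlines():
        text = line.strip()
        if text == "ma-defend global-policy":
            in_block = True
            continue
        if not in_block:
            continue
        if text == "#":          # assumed section delimiter: block ends here
            break
        if text == "enable":     # the policy is applied only once enabled
            enabled = True
            continue
        m = RULE_RE.match(line)
        if m:
            family = "ipv6" if m.group(1) else "ipv4"
            rules[(family, m.group(2))] = m.group(3)
    return rules, enabled


def audit_global_policy(config):
    """Return a list of findings a reviewer would want to see."""
    rules, enabled = parse_global_policy(config)
    findings = []
    if not rules:
        findings.append("policy has no rules, so it does not take effect")
    elif not enabled:
        findings.append("policy has rules but is not enabled")
    for (family, proto), action in sorted(rules.items()):
        if action == "permit" and proto in CLEARTEXT:
            findings.append(f"{family} {proto} is permitted to reach the CPU")
    return findings
```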
Copyright © Huawei Technologies Co., Ltd.