The protocol command configures a rule to accept or discard packets of a specified protocol or all protocols before the packets are sent to the CPU.
The undo protocol command deletes a configured rule.
By default, no rule is configured.
protocol { { ipv6 { bgp4plus | ftp | ospfv3 | ssh | telnet | pimsm } } | { bgp | ftp | ldp | ospf | rip | rsvp | snmp | ssh | telnet | tftp | isis | pimsm } } { deny | permit }
undo protocol { { ipv6 { bgp4plus | ftp | ospfv3 | ssh | telnet | pimsm } } | { bgp | ftp | ldp | ospf | rip | rsvp | snmp | ssh | telnet | tftp | isis | pimsm } }
Parameter | Description | Value |
---|---|---|
ipv6 | Configures a rule for IPv6 packets. | - |
bgp4plus | Configures a rule for BGP4+ packets. | - |
ftp | Configures a rule for FTP packets. | - |
ospfv3 | Configures a rule for OSPFv3 packets. | - |
ssh | Configures a rule for SSH packets. | - |
telnet | Configures a rule for Telnet packets. | - |
pimsm | Configures a rule for PIM-SM packets. | - |
bgp | Configures a rule for BGP packets. | - |
ldp | Configures a rule for LDP packets. | - |
ospf | Configures a rule for OSPF packets. | - |
rip | Configures a rule for RIP packets. | - |
rsvp | Configures a rule for RSVP packets. | - |
snmp | Configures a rule for SNMP packets. | - |
tftp | Configures a rule for TFTP packets. | - |
isis | Configures a rule for IS-IS packets. | - |
deny | Discards packets. | - |
permit | Allows packets to be sent to the CPU. | - |
Usage Scenario
To help the device defend against attacks or unauthorized logins initiated by sending protocol packets, management and service plane protection is used to prevent packets of a specified protocol or all protocols from being sent to the CPU. Using management and service plane protection improves device security and reliability and ensures normal network operation.
The protocol command is run in the interface-based policy view to configure a rule. The rule is used to accept or discard packets of a specified protocol or all protocols before the packets are sent to the CPU.
Prerequisites
A policy has been created. An interface-based policy can be created as needed.
Configuration Impact
After the protocol command is run, the device will send packets to the CPU or discard them based on specified protocols after receiving the packets.
After a discard policy is configured for a specified protocol, protocol disconnections or user login failures may occur.
Precautions
If no rule is configured for a policy, management and service plane protection or its policy does not take effect.
In VS mode, this command is supported only by the admin VS.
<HUAWEI> system-view
[~HUAWEI] ma-defend interface-policy 7
[*HUAWEI-app-sec-interface-7] protocol snmp permit
[*HUAWEI-app-sec-interface-7] quit
[*HUAWEI] interface GigabitEthernet 0/1/20
[*HUAWEI-GigabitEthernet0/1/20] ma-defend-interface 7
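The following audit script is an added example, not part of the original page or of any vendor tooling. It parses a captured CLI session or configuration text that uses the commands shown above and reports rules that do not fit the command syntax, policies with no rule (which do not take effect), and deny rules on bound interfaces (which can cause disconnections or login failures). The sample input is constructed, and the names `audit`, `SAMPLE` and the finding messages are assumptions of this example.

```python
import re

# Protocol keywords copied from the command syntax on this page.
IPV4 = set("bgp ftp ldp ospf rip rsvp snmp ssh telnet tftp isis pimsm".split())
IPV6 = set("bgp4plus ftp ospfv3 ssh telnet pimsm".split())
PROMPT = re.compile(r"^[<\[][^\]>]*[\]>]\s*")  # strips "<HUAWEI>" / "[*HUAWEI-...]"

def audit(text):
    """Parse policies and interface bindings; return (policies, findings)."""
    policies, bindings, findings = {}, [], []
    policy = iface = None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if m := re.fullmatch(r"ma-defend interface-policy (\d+)", line):
            policy, iface = m[1], None
            policies.setdefault(policy, {})
        elif m := re.fullmatch(r"interface (\S.*)", line):
            iface, policy = m[1].replace(" ", ""), None
        elif (m := re.fullmatch(r"ma-defend-interface (\d+)", line)) and iface:
            bindings.append((iface, m[1]))
        elif (m := re.fullmatch(r"protocol (ipv6 )?(\S+) (\S+)", line)) and policy:
            if m[2] in (IPV6 if m[1] else IPV4) and m[3] in ("permit", "deny"):
                policies[policy][("ipv6" if m[1] else "ipv4", m[2])] = m[3]
            else:
                findings.append(f"policy {policy}: invalid rule '{line}'")
        elif line in ("quit", "#"):
            policy = iface = None
    findings += [f"policy {p}: no rule configured, does not take effect"
                 for p, rules in policies.items() if not rules]
    # Deny rules on bound interfaces can cause disconnections or login failures.
    for name, pid in bindings:
        findings += [f"{name}: policy {pid} discards {fam} {proto} before the CPU"
                     for (fam, proto), act in policies.get(pid, {}).items() if act == "deny"]
    return policies, findings

# Constructed sample: the page's session plus hypothetical rules and policy 8.
SAMPLE = """\
[~HUAWEI] ma-defend interface-policy 7
[*HUAWEI-app-sec-interface-7] protocol snmp permit
[*HUAWEI-app-sec-interface-7] protocol ipv6 ospf deny
[*HUAWEI-app-sec-interface-7] protocol telnet deny
[*HUAWEI-app-sec-interface-7] quit
[*HUAWEI] ma-defend interface-policy 8
[*HUAWEI-app-sec-interface-8] quit
[*HUAWEI] interface GigabitEthernet 0/1/20
[*HUAWEI-GigabitEthernet0/1/20] ma-defend-interface 7
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)[1]))
```

Reviewing the deny findings before committing a policy shows which protocols will stop reaching the CPU on each bound interface.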