Configuring a Whitelist

This section describes how to configure a whitelist. Packets that are considered secure and match the rules of the bound ACL are added to the whitelist and are then given higher bandwidth when sent to the CPU.

Prerequisites

The ACL bound to the whitelist must already be configured; you cannot bind a non-existent ACL to the whitelist. Once the ACL is bound, all packets that match the ACL rules are added to the whitelist automatically. The whitelist function must also be enabled: you can configure a self-defined whitelist while the function is disabled, but the whitelist does not take effect until the function is enabled.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run cpu-defend policy policy-number

    The attack defense policy view is displayed.

  3. Run whitelist [ ipv6 ] acl { acl-number | name acl-name }

    The whitelist is configured.

    The packets generated by Active Link Protection (ALP) are dynamically added to the whitelist.

    A self-defined whitelist can be bound to only one ACL. If you bind a self-defined whitelist to several ACLs, only the latest configuration takes effect. An address or port pool can be specified in an ACL rule, and the ACL rule can be delivered.

    • The address pool function can be delivered in the attack defense policy only when the cp-acl ip-pool enable command is configured.
    • The vpn-instance field in an ACL configured in an attack defense policy can be delivered and takes effect only when the cp-acl vpn-instance enable command is configured.
    • The ports in the port pool specified in a delivered ACL take effect based on the configuration order instead of the lexicographical order.
    • If the ACL rule in which both a port pool and a TTL range are specified is delivered, the TTL range does not take effect.
    • ACL rules with the neq parameter are not supported.
    • If the address pool function is not enabled, the ACL rule in which both address and port pools are specified cannot be delivered.

  4. (Optional) Run ipv6-enhance acl enable

    Some IPv6 packets to be sent to the CPU are matched against the ACL that contains a blacklist, whitelist, or user-defined flow.

  5. (Optional) Run cp-acl ip-pool enable

    The address pool function is enabled for an attack defense policy.

    Before enabling the address pool function for an attack defense policy, configure an address pool and bind the address pool to an ACL rule.

  6. (Optional) Run cp-acl vpn-instance enable

    The vpn-instance field in ACLs used by the attack defense policy is enabled so that it is delivered and takes effect.

  7. (Optional) Run acl ipv4-multicast-fib-miss enable

    Enable IPv4 MFIB-MISS packets to match against ACLs in the blacklist, whitelist, or user-defined flow.

  8. (Optional) Run acl dhcp-discover enable

    Enable DHCP-DISCOVER packets to match against ACLs in the blacklist, whitelist, or user-defined flow.

  9. Run commit

    The configuration is committed.
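The following is an added example, not taken from this Huawei page, that walks the procedure above end to end for a single trusted management subnet. The policy number (1), the basic ACL number (2001) and the subnet 10.1.1.0/24 are assumed values chosen for illustration; the ACL is created first because the prerequisites require the bound ACL to exist, and the optional steps are left out or commented because the example ACL uses plain source addresses rather than an address pool, port pool or VPN instance.

```text
# Added example: complete whitelist configuration for attack defense policy 1.
# Assumed values: policy 1, ACL 2001, trusted subnet 10.1.1.0/24.
# Lines beginning with "#" are explanatory comments for the reader.

system-view

# Prerequisite: the ACL must exist before it is bound to the whitelist.
# A basic ACL that permits packets from the trusted management subnet.
acl number 2001
 rule 5 permit source 10.1.1.0 0.0.0.255
 quit

# Step 2: enter the attack defense policy view.
cpu-defend policy 1

# Step 3: bind the ACL to the whitelist. Only one ACL can be bound;
# a later "whitelist acl ..." command replaces this binding.
# The rule uses neither "neq" nor a port pool combined with a TTL range,
# so it can be delivered as written.
whitelist acl 2001

# Step 5 (optional): needed only when an ACL rule references an address pool.
# Not used here, so the address pool function stays disabled.
# cp-acl ip-pool enable

# Step 6 (optional): needed only when the ACL carries a vpn-instance field.
# cp-acl vpn-instance enable

# Step 9: commit the configuration.
commit
```

Because a self-defined whitelist can be bound to only one ACL, all trusted sources for the policy should be expressed as rules inside that single ACL rather than by binding several ACLs in turn. If the rules later need an address pool, enable cp-acl ip-pool enable in the policy view before committing, as the page notes; otherwise a rule that specifies both address and port pools is not delivered.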

Copyright © Huawei Technologies Co., Ltd.