Configuring User-Defined Flow Rules

This section describes how to configure a user-defined flow, that is, a class of traffic destined for the CPU that is selected by ACL rules. Once a flow is defined, traffic policing can be applied to it, so that the matched traffic is rate-limited before it reaches the CPU.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run cpu-defend policy policy-number

    The attack defense policy view is displayed.

  3. Run user-defined-flow flow-id acl { acl-number | name acl-name } [ prior ] or run user-defined-flow flow-id ipv6 acl { acl-number | name acl-name }

    A user-defined flow is configured. An address or port pool can be specified in an ACL rule, and the ACL rule can be delivered.

    • The address pool function can be delivered in the attack defense policy only when the cp-acl ip-pool enable command is configured.
    • The vpn-instance field in an ACL configured in an attack defense policy can be delivered and takes effect only when the cp-acl vpn-instance enable command is configured.
    • The ports in the port pool specified in a delivered ACL take effect based on the configuration order instead of the lexicographical order.
    • If the ACL rule in which both a port pool and a TTL range are specified is delivered, the TTL range does not take effect.
    • ACL rules with the neq parameter are not supported.
    • If the address pool function is not enabled, the ACL rule in which both address and port pools are specified cannot be delivered.

  4. (Optional) Run ipv6-enhance acl enable

    Some IPv6 packets to be sent to the CPU are matched against the ACL that contains a blacklist, whitelist, or user-defined flow.

  5. (Optional) Run cp-acl ip-pool enable

    The address pool function is enabled for an attack defense policy.

    Before enabling the address pool function for an attack defense policy, configure an address pool and bind the address pool to an ACL rule.

  6. (Optional) Run cp-acl vpn-instance enable

    The VPN field in the attack defense policy is configured to take effect.

  7. (Optional) Run acl ipv4-multicast-fib-miss enable

    IPv4 MFIB-MISS packets are enabled to match against the ACLs in the blacklist, whitelist, or user-defined flow.

  8. (Optional) Run acl dhcp-discover enable

    DHCP-DISCOVER packets are enabled to match against the ACLs in the blacklist, whitelist, or user-defined flow.

  9. Run commit

    The configuration is committed.
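The following configuration walks through the procedure above end to end. It is an added example and not part of the original documentation: the policy number (5), flow IDs (1 and 2), ACL numbers (3000 and 3001), and the addresses and ports in the rules are all assumed sample values, and the ACL definitions themselves use general VRP ACL syntax that this page does not describe. The example deliberately avoids the unsupported neq parameter and does not combine a port pool with a TTL range, in line with the restrictions listed under step 3.

```text
# Added example, not from the original page. Policy number, flow IDs, ACL numbers,
# addresses and ports are assumed sample values.
system-view

# The ACLs must exist before the policy references them. ACL syntax is assumed
# (general VRP usage); it is not part of this page.
acl number 3000
 # Only rules with eq (not neq) are supported in an attack defense policy.
 rule 5 permit tcp source 192.0.2.0 0.0.0.255 destination-port eq 22
 quit

acl ipv6 number 3001
 rule 5 permit tcp source 2001:db8::/32 destination-port eq 22
 quit

# Step 2: enter the attack defense policy view.
cpu-defend policy 5
 # Step 3: IPv4 flow matched by ACL 3000; prior gives it precedence.
 user-defined-flow 1 acl 3000 prior
 # Step 3 (IPv6 variant): IPv6 flow matched by ACL 3001.
 user-defined-flow 2 ipv6 acl 3001
 # Step 4: let the relevant IPv6 packets sent to the CPU be matched against the ACL.
 ipv6-enhance acl enable
 # Steps 5 and 6 are omitted because these ACLs use neither an address pool
 # nor a vpn-instance field; enable them only when the ACL relies on those.
 # Step 8: also match DHCP-DISCOVER packets against the ACLs.
 acl dhcp-discover enable
 # Step 9: commit the two-phase configuration.
 commit
```

If a rule in ACL 3000 referenced an address pool, cp-acl ip-pool enable would have to be added in the policy view before the rule could be delivered, and the pool itself must be bound to the ACL rule beforehand. Applying the policy to a board and attaching a rate limit to the flow are separate steps not covered on this page.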

Copyright © Huawei Technologies Co., Ltd.