Configuring an IPv6 MPAC Policy

An IPv6 Management Plane Access Control (MPAC) policy can be configured to filter IPv6 packets destined for the CPU.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run service-security policy ipv6 security-policy-name

    An IPv6 MPAC policy is created, and the IPv6 MPAC policy view is displayed.

  3. Add a rule to the IPv6 MPAC policy.

    Table 1 Rules for an IPv6 MPAC policy

    Protocol type: TCP or UDP
    Command: rule [ rule-id ] [ name rule-name ] { permit | deny } protocol { tcp | tcp-protocol-number | udp | udp-protocol-number } [ [ source-port source-port-number ] | [ destination-port destination-port-number ] | [ source-ip { source-ipv6-address { source-ipv6-prefix-length | 0 } | any } ] | [ destination-ip { destination-ipv6-address { destination-ipv6-prefix-length | 0 } | any } ] ] *
    Remarks: -

    Protocol type: BGP, DHCP-C, DHCP-R, FTP, IP, LDP, LSP ping, NTP, OSPF, PIM, RIP, RSVP, SNMP, SSH, Telnet, or TFTP
    Command: rule [ rule-id ] [ name rule-name ] { permit | deny } protocol { ip-protocol-number | bgp | dhcp-c | dhcp-r | ftp | ip | ldp | lsp-ping | ntp | ospf | pim | rip | rsvp | snmp | ssh | telnet | tftp } [ [ source-ip { source-ipv6-address { source-ipv6-prefix-length | 0 } | any } ] | [ destination-ip { destination-ipv6-address { destination-ipv6-prefix-length | 0 } | any } ] ] *
    Remarks: -

    Protocol type: Any protocol
    Command: rule [ rule-id ] [ name rule-name ] { deny | permit } protocol any
    Remarks: Exercise caution when using the rule [ rule-id ] deny protocol any command. After this command is applied globally, no protocol packets are sent to the CPU, and the device can no longer be managed.

    Protocol type: SRH
    Command: rule [ rule-id ] [ name rule-name ] { permit | deny } ipv6-ext-header source-routing-type srh
    Remarks: -

  4. (Optional) Run step step

    The step is configured for rules in the MPAC policy.

  5. (Optional) Run description text

    The description is configured for the MPAC policy.

  6. Run quit

    Return to the system view.

  7. Apply an IPv6 MPAC policy.

    • Apply an IPv6 MPAC policy globally.

      Run service-security global-binding ipv6 security-policy-name

      The MPAC policy is applied globally.

    • Apply an IPv6 MPAC policy to an interface.

      1. Run interface interface-type interface-number

        The interface view is displayed.

      2. Run service-security binding ipv6 security-policy-name

        The MPAC policy is applied to the interface.

    MPAC policies applied to a sub-interface, to an interface, and globally are listed here in descending order of priority. When different MPAC policies are applied globally, to an interface, and to a sub-interface, the policy on the sub-interface takes effect first, then the policy on the interface, and then the globally applied policy.

  8. Run commit

    The configuration is committed.
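
The procedure above as one worked configuration, added here as an illustration and not taken from Huawei's documentation: it restricts SSH and SNMP to one management prefix, blocks Telnet, and binds the policy to a single interface instead of using deny protocol any globally. The policy name, rule IDs, rule names, the documentation prefix 2001:db8:100::/64 and the interface are constructed; the example also assumes rules are matched in ascending rule-id order with the first match taking effect, which this page does not state. Lines starting with # are annotations, not commands.

```text
# Constructed example: policy name, rule IDs, rule names, prefix and interface are placeholders.
system-view

# Steps 2-5: create the policy, add rules, describe it.
service-security policy ipv6 mgmt-v6
 # Permit SSH only from the management prefix, then deny it from everywhere else.
 rule 10 name ssh-mgmt permit protocol ssh source-ip 2001:db8:100:: 64
 rule 20 name ssh-rest deny protocol ssh source-ip any
 # Telnet is denied from every source.
 rule 30 name telnet-all deny protocol telnet source-ip any
 # Permit SNMP only from the management prefix, then deny it from everywhere else.
 rule 40 name snmp-mgmt permit protocol snmp source-ip 2001:db8:100:: 64
 rule 50 name snmp-rest deny protocol snmp source-ip any
 # No "deny protocol any" rule: protocols not listed above (for example BGP or
 # OSPF) are not addressed by this policy, so the lockout case in Table 1 is avoided.
 description ipv6-mgmt-plane-filter
 quit

# Step 7: bind to one interface first; a global binding would use
# "service-security global-binding ipv6 mgmt-v6" from the system view.
interface GigabitEthernet0/1/0
 service-security binding ipv6 mgmt-v6

# Step 8
commit
```

Keep an out-of-band or console session open while committing, so a mistake in the source prefix can be corrected without relying on the protocols being filtered.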

Copyright © Huawei Technologies Co., Ltd.