Applying an ASPF policy to an interface

You can apply an ASPF policy to inspect incoming or outgoing traffic on an interface. ASPF compares the packets against session entries. If a packet does not match any session entries, ASPF creates a new session entry.

You can use ASPF together with a packet filter. For example, you can apply a packet filtering policy to the inbound direction of the external interface and apply an ASPF policy to the outbound direction of the same external interface. This combination denies unsolicited access from the external network to the internal network and allows return packets from the external network to the internal network.

Make sure a connection initiation packet and the corresponding return packet pass through the same interface, because ASPF stores and maintains application layer protocol status on a per-interface basis.

To apply an ASPF policy on an interface:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

3. Apply an ASPF policy to the interface.
   Command: aspf apply policy aspf-policy-number { inbound | outbound }
   Remarks: By default, no ASPF policy is applied to the interface.
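
The packet filter plus ASPF combination described above, as an added configuration example that is not part of the original page. ACL 3111, ASPF policy 1, FTP inspection and GigabitEthernet1/0/1 as the external interface are assumed values, and the ACL and ASPF policy creation commands are assumed to follow current Comware 7 syntax (some releases create the ACL with acl number 3111 instead).

```text
# Constructed example. ACL 3111, ASPF policy 1 and GigabitEthernet1/0/1
# (taken here as the external interface) are assumed values.
system-view

# Advanced ACL that denies all IP packets. Applied inbound on the
# external interface, it blocks unsolicited access from outside.
acl advanced 3111
 rule deny ip
 quit

# ASPF policy 1 with application layer inspection for FTP
# (assumed protocol; choose the protocols your hosts actually use).
aspf policy 1
 detect ftp
 quit

interface gigabitethernet 1/0/1
 # Packet filter on the inbound direction of the external interface.
 packet-filter 3111 inbound
 # ASPF on the outbound direction of the same interface. Connections
 # initiated from the internal network create session entries, and
 # return packets that match those entries are allowed back in.
 aspf apply policy 1 outbound
 quit
```

Both policies sit on the same interface, so the initiation packet and its return packet cross the interface where ASPF keeps the session state.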