Configuring attack detection exemption

The attack defense policy uses an ACL to identify exempted packets and does not check packets that the ACL permits. You can configure the ACL to match packets from trusted servers. The exemption feature reduces the false alarm rate and improves packet processing efficiency. For example, the attack defense policy identifies multicast packets that have the same source address but different destination addresses (such as OSPF or PIM packets) as scanning attack packets. You can configure an ACL to exempt such packets from attack detection.

If an ACL is used for attack detection exemption, only the following match criteria in the ACL permit rules take effect:

To configure attack detection exemption:

| Step | Command | Remarks |
|------|---------|---------|
| 1. Enter system view. | system-view | N/A |
| 2. Enter attack defense policy view. | attack-defense policy policy-name | N/A |
| 3. Configure attack detection exemption. | exempt acl [ ipv6 ] { acl-number \| name acl-name } | By default, attack detection exemption is not configured. |
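The following configuration is an added example, not taken from the original page. It applies the steps above to the OSPF/PIM case and keeps the exemption narrow, because every packet the ACL permits bypasses attack detection. It assumes Comware 7 ACL syntax (`acl advanced`; older releases use `acl number`) and that protocol, source address and destination address are match criteria the exemption honours. The ACL number 3001, the policy name atk-policy-1 and the 192.0.2.0/24 router subnet are constructed values, and the `#` lines are annotations rather than commands.

```text
# Assumption: trusted routing neighbours all sit in 192.0.2.0/24 (constructed).
system-view
acl advanced 3001
 # OSPF (IP protocol 89) to AllSPFRouters and AllDRouters only.
 rule 0 permit ospf source 192.0.2.0 0.0.0.255 destination 224.0.0.5 0
 rule 5 permit ospf source 192.0.2.0 0.0.0.255 destination 224.0.0.6 0
 # PIM (IP protocol 103) to ALL-PIM-ROUTERS only.
 rule 10 permit 103 source 192.0.2.0 0.0.0.255 destination 224.0.0.13 0
 quit
# Attach the ACL to the attack defense policy (policy name is hypothetical).
attack-defense policy atk-policy-1
 exempt acl 3001

# Weak form to avoid: exempts OSPF from any source to any destination,
# so spoofed protocol-89 traffic is never inspected.
#  rule 0 permit ospf
```

Review the ACL's permit rules whenever routing neighbours change, because a stale or overly broad rule leaves that traffic uninspected.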