exempt acl

Use exempt acl to configure attack detection exemption.

Use undo exempt acl to restore the default.

Syntax

exempt acl [ ipv6 ] { acl-number | name acl-name }

undo exempt acl [ ipv6 ]

Default

Attack detection exemption is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv6: Specifies an IPv6 ACL. To specify an IPv4 ACL, do not use this keyword.

acl-number: Specifies an ACL by its number.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion, it cannot be the word all.

Usage guidelines

The attack defense policy uses an ACL to identify exempted packets. The policy does not check the packets permitted by the ACL. You can configure the ACL to identify packets from trusted hosts. The exemption feature reduces the false alarm rate and improves packet processing efficiency.

If an ACL is used for attack detection exemption, only the following match criteria in the ACL permit rules take effect:

If the specified ACL does not exist or does not contain a rule, attack detection exemption does not take effect.

Examples

# Configure an ACL to permit packets sourced from 1.1.1.1. Configure attack detection exemption for packets matching the ACL in attack defense policy atk-policy-1.

<Sysname> system-view
[Sysname] acl basic 2001
[Sysname-acl-ipv4-basic-2001] rule permit source 1.1.1.1 0
[Sysname-acl-ipv4-basic-2001] quit
[Sysname] attack-defense policy atk-policy-1
[attack-defense-policy-atk-policy-1] exempt acl 2001
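An additional example, constructed for this page rather than taken from the reference, showing the IPv6 named-ACL form of the command. The ACL name trusted-v6, the host address 2001:db8::1, and the policy name atk-policy-1 are assumed values.

```text
<Sysname> system-view
# Create a named IPv6 basic ACL that permits packets from one trusted host.
[Sysname] acl ipv6 basic name trusted-v6
[Sysname-acl-ipv6-basic-trusted-v6] rule permit source 2001:db8::1 128
[Sysname-acl-ipv6-basic-trusted-v6] quit
# Exempt packets matching the IPv6 ACL from attack detection in the policy.
[Sysname] attack-defense policy atk-policy-1
[attack-defense-policy-atk-policy-1] exempt acl ipv6 name trusted-v6
```

Only packets matched by a permit rule are exempted; if the ACL is later emptied or deleted, the exemption stops taking effect.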

Related commands

attack-defense policy