R0106-HP MSR Router Series Security Command Reference(V7)
616
Related commands
• dns-flood action
• dns-flood detect
• dns-flood detect non-specific
exempt acl
Use exempt acl to configure attack detection exemption.
Use undo exempt acl to restore the default.
Syntax
exempt acl [ ipv6 ] { acl-number | name acl-name }
undo exempt acl [ ipv6 ]
Default
Attack defense exemption is not configured. The attack defense policy applies to all incoming packets.
Views
Attack defense policy view
Predefined user roles
network-admin
Parameters
ipv6: Specifies an IPv6 ACL. Do not specify this keyword if you specify an IPv4 ACL.
acl-number: Specifies an ACL by its number:
• 2000 to 2999 for basic ACLs.
• 3000 to 3999 for advanced ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to
63 characters. It must start with an English letter and to avoid confusion, it cannot be all.
Usage guidelines
The attack defense policy uses the ACL to identify exempted packets. The policy does not check the
packets permitted by the ACL . You can configure the ACL to identify packets from trusted servers. The
exemption feature reduces the false alarm rate and improves packet processing efficiency.
If the specified ACL does not exist or contains no rule, attack detection exemption does not take effect.
Examples
# C o n f i g u r e a n AC L t o p e r m i t p a c k e t s s o u rc e d f ro m 1.1.1.1.
<Sysname> system-view
[Sysname] acl number 2001 name acl_1
[Sysname-acl-basic-2001] rule permit source 1.1.1.1 0
[Sysname-acl-basic-2001] quit
# Configure attack detection exemption for packets matching the ACL.
[Sysname] attack-defense policy atk-policy-1
[attack-defense-policy-atk-policy-1] exempt acl name acl_1