Prohibiting specified interfaces from receiving NTP packets


Prohibit a specified interface from receiving NTP packets as follows:
1. Run the system-view command to access the system view.
2. Run the interface interface-type interface-number command to enter the interface view.
3. Run the following commands:
   The ntp-service in-interface disable command prohibits the firewall interface from receiving NTP IPv4 packets.
   The ntp-service ipv6 in-interface disable command prohibits the firewall interface from receiving NTP IPv6 packets.
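To check that the procedure above was applied everywhere it should be, a saved configuration can be audited offline. The script below is an added example, not Huawei tooling: the function names are hypothetical, and the sample configuration is constructed and assumes the usual layout of '#'-separated stanzas with indented sub-commands.

```python
import re

# Commands from the procedure above; present in a stanza = NTP receive disabled.
DISABLE = {"ipv4": "ntp-service in-interface disable",
           "ipv6": "ntp-service ipv6 in-interface disable"}

# Constructed sample in the usual saved-configuration layout (assumed): stanzas
# separated by '#', sub-commands indented under the 'interface' line.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet1/0/0
 ntp-service in-interface disable
 ntp-service ipv6 in-interface disable
#
interface GigabitEthernet1/0/1
 ntp-service in-interface disable
#
interface GigabitEthernet1/0/2
 ip address 203.0.113.1 255.255.255.0
#
return
"""

def parse_interfaces(config_text):
    """Return {interface name: set of sub-commands} for each interface stanza."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        match = re.match(r"^interface\s+(\S+)$", line)
        if match:
            current = interfaces.setdefault(match.group(1), set())
        elif line.startswith((" ", "\t")) and current is not None:
            current.add(line.strip())
        else:  # '#', a blank line or an unindented command ends the stanza
            current = None
    return interfaces

def ntp_receive_gaps(config_text):
    """Return {interface: [address families on which NTP is still accepted]}."""
    gaps = {}
    for name, commands in parse_interfaces(config_text).items():
        missing = [fam for fam, cmd in DISABLE.items() if cmd not in commands]
        if missing:
            gaps[name] = missing
    return gaps

if __name__ == "__main__":
    for name, families in ntp_receive_gaps(SAMPLE_CONFIG).items():
        print(f"{name}: still accepts NTP over {', '.join(families)}")
```

An interface that has only the IPv4 command is reported as still accepting NTP over IPv6, which is the gap most easily missed when the two commands are applied separately.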

Other related questions:
What is the meaning of PACKET_LENGTH_WRONG in the NTP log of the AR router
NTP/4/PACKET_LENGTH_WRONG(l)[500]:The received NTP packet is longer than or shorter than a valid packet.
This log is generated when the AR receives NTP packets in which the packet length is not in the range of 32 to 68. If this log does not need to be displayed, run the info-center filter-id bymodule-alias CFM CFM_LOG command in the system view.

How can I disable a trunk interface on a CE switch from receiving packets from a VLAN
You can run the undo port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] } &<1-40> | all } command in the interface view to delete trunk interfaces from a VLAN. In this way, packets from the VLAN will be denied passage through trunk interfaces.
# Configure 10GE1/0/1 to reject packets from VLAN 1.
system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] port link-type trunk
[*HUAWEI-10GE1/0/1] undo port trunk allow-pass vlan 1
[*HUAWEI-10GE1/0/1] commit

Prevent OSPF interfaces on S series switches from sending and receiving protocol packets
To prevent local OSPF routing information from being obtained by devices on other networks and prevent the local S series switch from receiving routing update information advertised by other devices on the same network, run the silent-interface command in the OSPF process view to forbid an OSPF interface on the local switch from sending and receiving OSPF packets. By default, an interface is allowed to receive OSPF packets.
Disabling interfaces from receiving and sending OSPF packets is a method of preventing routing loops. After an OSPF interface is prevented from sending and receiving OSPF packets, the interface can still advertise its direct routes. Hello packets on the interface, however, cannot be forwarded. Therefore, no neighbor relationship can be established on the interface. This enhances the networking adaptability of OSPF and reduces system resource consumption.
For example, disable VLANIF 200 from sending and receiving OSPF packets as follows:
[HUAWEI] ospf 100
[HUAWEI-ospf-100] silent-interface vlanif 200

Prohibiting the extranet from pinging the intranet on the USG6000
Add a security policy to prohibit ICMP packets from the extranet to the intranet.

Prohibit DHCP broadcast packets on S series switches
ACL rules can be configured on S series switches (except S1700 switches) to deny DHCP broadcast packets on specified interfaces. For example, you can deny DHCP broadcast packets on GE0/0/1 as follows:
1. Create advanced ACL 3001 and configure a rule to deny DHCP broadcast packets.
[Huawei] acl 3001
[Huawei-acl-adv-3001] rule deny udp destination-port eq 67 source-port eq 68 //Configure an ACL rule to deny DHCP broadcast packets.
[Huawei-acl-adv-3001] quit
2. Configure the traffic classifier tc1 to classify packets that match ACL 3001.
[Huawei] traffic classifier tc1
[Huawei-classifier-tc1] if-match acl 3001
[Huawei-classifier-tc1] quit
3. Configure the traffic behavior tb1 to deny packets.
[Huawei] traffic behavior tb1
[Huawei-behavior-tb1] deny
[Huawei-behavior-tb1] quit
4. Define a traffic policy and associate the traffic classifier and traffic behavior with the traffic policy.
[Huawei] traffic policy tp1
[Huawei-trafficpolicy-tp1] classifier tc1 behavior tb1
[Huawei-trafficpolicy-tp1] quit
5. Apply the traffic policy to GE0/0/1.
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] traffic-policy tp1 inbound
[Huawei-GigabitEthernet0/0/1] quit

