ids-response

Function

The ids-response command configures the path for the interference packets sent by the FW.

The undo ids-response command cancels the previous configuration.

Format

ids-response { interface interface-type interface-number [ destination-mac mac-address ] | destination-mac mac-address }

undo ids-response { interface | destination-mac }

Parameters

| Parameter | Description | Value |
|---|---|---|
| interface interface-type interface-number | Specify the interface for sending interference packets. | - |
| destination-mac mac-address | Specify the destination MAC address of interference packets. If you do not set this address, the source MAC address of the source packets is used as the destination MAC address of interference packets. | The value is in the H-H-H format in which H represents four hexadecimal digits. |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, interference packets are returned along the original path, that is, through the interface on which the FW receives mirrored packets.

When the FW is deployed in off-line mode, the function of sending interference packets applies to the following scenarios:
  • When the action of the security policy is allow and the security policy references an antivirus or intrusion prevention profile, the function needs to be configured on the FW to block detected attacks or viruses.

    The configuration takes effect only when the attack type is a TCP attack.

  • When the action of the security policy is block, the function can be used to configure the FW to block traffic.

Ensure that either the interference packets are returned along the original path, or the path from the interface for sending interference packets to the remote client/server is reachable.

The configuration of the function for sending interference packets is as follows:
  • If the interference packets are returned along the original path, the outbound interface of the packets does not need to be specified, and the FW sends feedback packets through the interface that receives mirrored traffic. This configuration mode applies only to Layer-2 switching.

    An optical splitter cannot inject packets back. If you use an optical splitter to mirror packets to the FW, do not configure interference packets to return through the same interface.

  • If the interference packets are not returned along the original path, the outbound interface and next-hop MAC address need to be specified to send interference packets.

    • If the remote interface of the outbound interface of the interference packets works at Layer 2, only the outbound interface of the interference packets needs to be specified, and the next-hop MAC address does not need to be specified.

    • If the remote interface of the outbound interface of the interference packets works at Layer 3, the outbound interface and next-hop MAC address of the interference packets need to be specified. The next-hop MAC address is the MAC address of the remote interface.
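
The rules above can be checked against a planned configuration before it is entered on the FW. The following Python sketch is an added example, not Huawei code: the function names, the "switch" and "optical-splitter" labels, and the sample MAC address are assumptions, and a command without the interface keyword is assumed to use the receiving interface.

```python
import re

# Syntax from the Format section:
# ids-response { interface <type> <number> [ destination-mac <mac> ] | destination-mac <mac> }
CMD_RE = re.compile(
    r"^ids-response\s+(?:interface\s+(?P<iftype>[A-Za-z][A-Za-z-]*)\s+(?P<ifnum>\d+(?:/\d+)*)"
    r"(?:\s+destination-mac\s+(?P<mac1>\S+))?|destination-mac\s+(?P<mac2>\S+))$"
)
# H-H-H, where each H is four hexadecimal digits
MAC_RE = re.compile(r"^[0-9A-Fa-f]{4}(?:-[0-9A-Fa-f]{4}){2}$")

def parse_ids_response(line):
    """Parse one ids-response command; raise ValueError if it is malformed."""
    m = CMD_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a valid ids-response command: {line!r}")
    mac = m.group("mac1") or m.group("mac2")
    if mac is not None and not MAC_RE.match(mac):
        raise ValueError(f"destination-mac is not in H-H-H format: {mac!r}")
    iface = f"{m.group('iftype')} {m.group('ifnum')}" if m.group("iftype") else None
    return {"interface": iface, "mac": mac}

def check(line, mirror_source, remote_layer):
    """Findings for a planned setup; line=None means the default is kept."""
    # mirror_source: "switch" or "optical-splitter" (labels assumed here)
    # remote_layer: 2 or 3, layer of the remote interface of the outbound interface
    cfg = parse_ids_response(line) if line else {"interface": None, "mac": None}
    findings = []
    if cfg["interface"] is None:
        # Assumption: without the interface keyword, packets leave through the
        # interface that receives mirrored traffic (the documented default).
        if mirror_source == "optical-splitter":
            findings.append("optical splitter cannot inject packets back; "
                            "specify an outbound interface")
    elif remote_layer == 3 and cfg["mac"] is None:
        findings.append("remote interface works at Layer 3; destination-mac "
                        "(MAC address of the remote interface) is required")
    return findings

if __name__ == "__main__":
    # Constructed sample plans, not taken from a real device.
    plans = [
        (None, "optical-splitter", 2),
        ("ids-response interface GigabitEthernet 0/0/1", "switch", 3),
    ]
    for plan in plans:
        print(plan[0], "->", check(*plan) or "ok")
```
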

Precautions

This command does not support WAN interfaces.

Example

Configure GigabitEthernet 0/0/1 as the interface through which the FW sends interference packets.

<sysname> system-view
[sysname] ids-response interface GigabitEthernet 0/0/1
Copyright © Huawei Technologies Co., Ltd.