No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


E9000 Server V100R001 User Guide 24

This document describes the overview, functions, structure, installation, and configuration methods of the E9000.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Switch Module

Switch Module

Device Security

Hierarchical Command Protection

Switch modules authenticate users when they are logging in to switch modules in Telnet mode from an Ethernet port. Only authenticated users can configure and maintain switch modules.

Switch modules use hierarchical protection mode for commands, and define four command levels in ascending order: visit level, monitoring level, configuration level, and management level. Users are also classified into four levels accordingly. Users can use only commands at levels the same as or lower than their own levels, effectively controlling user rights.

Switch modules support mapping between command levels and user levels to implement fine-grained user level management.

Remote SSH Login

Switch modules support SSH. On networks without security assurance, SSH provides security guarantees and authentication functions for user logins and defends against multiple attacks.

SNMP Encrypted Authentication

Switch modules support SNMPv3 encrypted authentication. When switch modules are managed by the network management system (NMS) over SNMP, the encrypted authentication mode of the User-based Security Model (USM) can be used to guarantee the security of switch modules.


Switch modules support Authentication, Authorization and Accounting (AAA). With hierarchical command protection and AAA, switch modules can authenticate and authorize login users, and authenticate NMS users. The AAA mechanism enables switch modules to prevent unauthorized user logins.

CPU Attack Defense

Switch modules can filter protocol packets and management packets that are sent to the CPU based on the protocol ID, port number, or a combination of the port number and VLAN ID. This protects CPU channels from denial-of-service (DoS) attacks and prevents congestion.

Service Security

VLAN Assignment

Switch modules support the division of a LAN into multiple VLANs. Devices in different VLANs cannot communicate with each other directly. This function isolates broadcast domains and improves information security.

MAC Address Learning Limit on Interfaces

On a specified interface of the switch module, the maximum number of MAC address entries that this interface can learn can be configured. This prevents hackers from initiating source MAC address attacks over this interface and protects MAC address entries of the entire switch module from being used up.

Blackhole MAC Address Entry

Switch modules support blackhole MAC address entries. When receiving a packet, the switch module compares the source or destination MAC address of this packet with blackhole MAC address entries. If the source or destination MAC address of this packet is a blackhole MAC address entry, the switch module discards this packet.

Upon detecting that packets with a specific MAC address are aggressive, users can set a blackhole MAC address entry to filter out packets with this MAC address and defend against attacks.

MAC Address Table Lookup

To improve interface security, switch modules support MAC address table lookup based on VLAN IDs and MAC addresses. The network administrator can add static entries to the MAC address table. A static entry defines the mapping between a MAC address and an interface. In this way, devices with specific MAC addresses are bound to interfaces, defending switch modules against attacks from packets with forged MAC addresses.

Port Isolation

Port isolation prevents ports on the same switch module from transferring Layer 2 packets between each other. A switch module supports unidirectional and bidirectional port isolation. Port isolation ensures user network safety, helps construct cost-effective and intelligent community networks, effectively controls unnecessary broadcast packets, and increases the network throughput.

Packet Filtering

Packet filtering is used to filter out invalid or unwanted packets.

Switch modules can filter out packets based on user-defined rules. For example, switch modules check whether the MAC address, IP address, port number, and VLAN ID of a packet comply with the rules. Packet filtering does not check the session status or analyze data. This method effectively controls the packets that pass through switch modules.

Updated: 2019-08-30

Document ID: EDOC1000015897

Views: 95320

Downloads: 5262

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next