No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Configuration Guide - Security

S1720, S2700, S5700, and S6720 V200R011C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, MPAC, separating the management plane from the service plane, security risks, PKI.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Licensing Requirements and Limitations for Local Attack Defense

Licensing Requirements and Limitations for Local Attack Defense

Involved Network Elements

Other network elements are not required.

Licensing Requirements

Configuration commands of local attack defense are available only after the S1720GW, S1720GWR, and S1720X have the license (WEB management to full management Electronic RTU License) loaded and activated and the switches are restarted. Configuration commands of local attack defense on other models are not under license control.

For details about how to apply for a license, see S Series Switch License Use Guide.

Version Requirements

Table 3-1  Products and versions supporting local attack defense

Product

Product Model

Software Version

S1700

S1720GFR

V200R006C10, V200R009C00, V200R010C00, V200R011C00, V200R011C10

S1720GW and S1720GWR

V200R010C00, V200R011C00, V200R011C10

S1720GW-E and S1720GWR-E

V200R010C00, V200R011C00, V200R011C10

S1720X and S1720X-E

V200R011C00, V200R011C10

Other S1700 models

Models that cannot be configured using commands. For details about features and versions, see S1700 Documentation Bookshelf.

S2700

S2700SI

V100R005C01, V100R006(C00&C01&C03&C05)

S2700EI

V100R005C01, V100R006(C00&C01&C03&C05)

S2710SI

V100R006(C03&C05)

S2720EI

V200R006C10, V200R009C00, V200R010C00, V200R011C10

S2750EI

V200R003C00, V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10

S3700

S3700SI and S3700EI

V100R005C01, V100R006(C00&C01&C03&C05)

S3700HI

V100R006C01, V200R001C00

S5700

S5700LI

V200R001C00, V200R002C00, V200R003(C00&C02&C10), V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10

S5700S-LI

V200R001C00, V200R002C00, V200R003C00, V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10

S5710-C-LI

V200R001C00

S5710-X-LI

V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10

S5700SI

V100R005C01, V100R006C00, V200R001C00, V200R002C00, V200R003C00, V200R005C00

S5700EI

V100R005C01, V100R006(C00&C01), V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00&C01&C02&C03)

S5710EI

V200R001C00, V200R002C00, V200R003C00, V200R005(C00&C02)

S5720EI

V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10

S5720LI and S5720S-LI

V200R010C00, V200R011C00, V200R011C10

S5720SI and S5720S-SI

V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10

S5700HI

V100R006C01, V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00SPC500&C01&C02)

S5710HI

V200R003C00, V200R005(C00&C02&C03)

S5720HI

V200R006C00, V200R007(C00&C10), V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10

S5730SI

V200R011C10

S5730S-EI

V200R011C10

S6700

S6700EI

V100R006C00, V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00&C01&C02)

S6720LI and S6720S-LI

V200R011C00, V200R011C10

S6720SI and S6720S-SI

V200R011C00, V200R011C10

S6720EI

V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10

S6720S-EI

V200R009C00, V200R010C00, V200R011C00, V200R011C10

NOTE:
To know details about software mappings, see Hardware Query Tool.

Feature Limitations

  • In V200R011C10 and earlier versions, the attack source tracing function does not take effect on IPv6 packets.

  • The user-level rate limiting is available in the S5720HI of V200R009 and later versions.
  • It is recommended that you disable user-level rate limiting on the network-side interfaces of an access switch and a gateway switch. The user-level rate limiting is enabled on interfaces by default.

  • The packets destined for the local switch are sent to the CPU. After functions related to some protocols such as BGP, OSPF, and LACP are enabled, packets of these protocols are also sent to the CPU. If packets sent to the CPU match both CPCAR and a traffic classification rule in a traffic policy, but the actions to be taken conflict with each other, CPCAR or the traffic policy with a higher precedence takes effect. Table 3-2 describes the precedence between CPCAR and traffic policies.
    Table 3-2  Precedence between CPCAR and traffic policies
    Product Model Precedence Details

    S1720GFR, S1720GW-E, S1720GWR-E, S1720X-E,S1720GW, S1720GWR, S1720X, S2720EI, S2750EI, S5700LI, S5700S-LI, S5710-C-LI, S5710-X-LI, S5720LI, S5720S-LI, S5700SI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S5700EI, S3700, S2700EI, S5700HI, S6700EI, S5710EI, S5710HI, S2710SI

    Traffic policies take precedence over CPCAR.
    NOTE:
    For ARP packets to be sent to the CPU in the DHCP and NAC authentication services, CPCAR takes precedence over traffic policies.

    S6720EI, S5720EI, S5720HI, S6720S-EI

    CPCAR takes precedence over traffic policies.
    NOTE:
    On the S5720EI running V200R007, traffic policies take precedence over CPCAR. On the S5720EI running other versions, CPCAR takes precedence over traffic policies.
Translation
Download
Updated: 2019-09-23

Document ID: EDOC1000178177

Views: 231121

Downloads: 746

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next