Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the security configurations, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, and security risks.
CPCAR Values Are Inaccurate

Fault Description

CPCAR values are inaccurate after CPU attack defense is configured.

Common Causes

Possible causes are as follows:
  • CAR settings are incorrect.
  • A blacklist is configured on the device.
  • The CIR value of the user-defined flow is smaller than that of the protocol packets.

Procedure

  1. Run the display cpu-defend configuration [ packet-type packet-type ] { all | slot slot-id | mcu } command to check whether the cir value of the protocol packets can meet the requirement and check whether the LPU or MPU is installed correctly.

    • If the cir value of the protocol packets cannot meet the requirements, run the car command in the attack defense policy view to modify cir.
    • If the attack defense policy is applied to an incorrect LPU or main control board, run the cpu-defend-policy command to apply the attack defense policy to the correct LPU or main control board.
    • If the cir value is correct, go to step 2.

  2. Run the display this command in the system view or slot view to check the attack defense policy applied to the LPU or main control board, and run the display cpu-defend policy command in the attack defense policy view to check whether a blacklist has been configured.

    • If a blacklist has been configured, run the display this or display acl command in the ACL view to check the ACL referenced by the blacklist. If protocol packets match the ACL, modify the blacklist configuration.
    • If a blacklist has not been configured or protocol packets do not match the ACL, go to step 3.

  3. Run the display this command in the system view or slot view to check the attack defense policy applied to the LPU or main control board, and run the display cpu-defend policy command in the attack defense policy view to check whether a user-defined flow is configured.

    • If a user-defined flow is configured, check whether the action to be performed is deny or car.
    • Run the display acl { acl-number | all } command to check whether the rules in the user-defined flow match the protocol packets.
    • If the rules in the user-defined flow match the protocol packets and either the action to be performed is deny or the cir value of the flow is lower than the cir value of the protocol packets, change the action to car and adjust the cir value of the user-defined flow or of the protocol packets as required. The cir value of the user-defined flow must be larger than that of the protocol packets.
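
The three checks in this procedure can be run offline against a saved copy of the attack defense policy. The following Python script is an added example, not part of the Huawei document or tooling. It assumes the policy lines use the forms `car packet-type ... cir ...`, `car user-defined-flow ... cir ...`, `deny user-defined-flow ...` and `blacklist ... acl ...`; the sample policy and the `FLOW_MATCHES` mapping (which protocol each flow's ACL matches, as determined with display acl) are constructed for illustration.

```python
import re

# Constructed sample of an attack defense policy (not captured from a device).
SAMPLE_POLICY = """\
cpu-defend policy test
 blacklist 1 acl 2001
 user-defined-flow 1 acl 3001
 user-defined-flow 2 acl 3002
 car packet-type arp-request cir 128
 car packet-type dhcp-client cir 256
 car user-defined-flow 1 cir 64
 deny user-defined-flow 2
"""

# Hypothetical operator input: the protocol each flow's ACL matches (step 3).
FLOW_MATCHES = {1: "arp-request", 2: "dhcp-client"}


def audit_policy(text, flow_matches):
    """Return (kind, id, message) findings for the causes listed in the procedure."""
    proto_cir, flow_cir, denied, findings = {}, {}, set(), []
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"car packet-type (\S+) cir (\d+)(?: cbs \d+)?", line):
            proto_cir[m[1]] = int(m[2])
        elif m := re.fullmatch(r"car user-defined-flow (\d+) cir (\d+)(?: cbs \d+)?", line):
            flow_cir[int(m[1])] = int(m[2])
        elif m := re.fullmatch(r"deny user-defined-flow (\d+)", line):
            denied.add(int(m[1]))
        elif m := re.fullmatch(r"blacklist (\d+) acl (\S+)", line):
            # Step 2: a blacklist exists; its ACL must be reviewed by hand.
            findings.append(("blacklist", int(m[1]),
                             f"references ACL {m[2]}; check whether protocol packets match it"))
    for flow, proto in sorted(flow_matches.items()):
        if flow in denied:
            findings.append(("deny", flow, f"denies {proto} packets; change the action to car"))
        elif flow in flow_cir and proto in proto_cir and flow_cir[flow] <= proto_cir[proto]:
            # The flow cir must be strictly larger than the protocol cir.
            findings.append(("cir", flow,
                             f"cir {flow_cir[flow]} is not larger than {proto} cir {proto_cir[proto]}"))
        elif flow in flow_cir and proto not in proto_cir:
            findings.append(("unknown", flow,
                             f"no explicit car for {proto}; compare with display cpu-defend configuration"))
    return findings


if __name__ == "__main__":
    for kind, ident, message in audit_policy(SAMPLE_POLICY, FLOW_MATCHES):
        print(f"[{kind}] {ident}: {message}")
```
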

Updated: 2019-04-01

Document ID: EDOC1000178319
