
Configuration Guide - Security

S9300, S9300E, and S9300X V200R011C10

This document describes the configuration of security features, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, and security risks.

Configuring the Resource Mode of the Extended ACL Entry Space

Context

A core device processes a large number of services and therefore maintains many MAC address entries, FIB entries, and ACL entries. However, the number of entries supported by the device is limited. If these entries cannot meet service requirements, the service processing efficiency degrades. An LPU can use an extended entry space to increase the number of supported entries. The resource mode of the extended entry space specifies the type of entries to be extended, including MAC address entries, ACL entries, and FIB entries.

Procedure

  1. (Optional) Run display resource-assign configuration

    The configuration of the resource mode in the extended entry space is displayed.

  2. Run system-view

    The system view is displayed.

  3. Run assign resource-mode slot slot-id mode mode

    The resource mode of the extended entry space of an LPU is configured. The resource mode determines the specifications of the MAC address entries, ACL entries, and FIB entries stored in the entry space.

    The default resource mode differs by LPU series; see the following specification list for the default specifications of each series.

    NOTE:
    • Only the BC, ED, EE, EC, and X (except X1L and X2L) series LPUs support this command.

    • For different LPUs' support for this command, see the following specification list.

    • After setting the resource mode for extended entry register space of an LPU, save the configuration and reset the LPU for the configuration to take effect.

    • For an X2E or X2H series LPU, set the acl mode to dual-ipv4-ipv6 before configuring this command.
    • In enhanced-ipv4 or ipv4-ipv6 resource mode, LE2D2X48SEC0 LPUs do not support redirection to low-priority next hops.
    • In enhanced-arp resource mode, LE2D2X48SEC0 LPUs do not support MPLS.

    • In 128k-arp resource mode, EE series LPUs do not support MPLS.

    • After the resource mode is set to limiting-mac on the LE1D2X32SEC0, LE1D2H02QEC0, and X2S series, these LPUs cannot function as an authentication point for user access.

    The following tables list the entry space specifications that each LPU series obtains when the resource mode for the extended entry register space is configured. In the tables:
    • K indicates 1024, for example, 32K indicates 32 x 1024.
    • Default indicates the default LPU mode, for example, enhanced-mac (Default).
    • Share indicates that the current specification shares resources with another specification, for example, 128000 (shared with FIB6).
    • 64-bit indicates IPv6 entries with the mask length less than or equal to 64 bits, for example: (12K IPv4 or 6K IPv6 64-bit) + 1K IPv6 128-bit.
    • 128-bit indicates IPv6 entries with the mask length longer than 64 bits, for example: (12K IPv4 or 6K IPv6 64-bit) + 1K IPv6 128-bit.
    • BC/EC series (excluding the LE1D2S04SEC0, LE1D2X32SEC0, LE1D2H02QEC0, and LE2D2X48SEC0)

      | Mode | MAC | FIBv4 / FIBv6 | ARP | ND | Multicast IPv4 / Multicast IPv6 | ACL (Ingress) | ACL (Egress) | Number of NAC Users |
      | --- | --- | --- | --- | --- | --- | --- | --- | --- |
      | Close All | 32K | 16K IPv4 or 8K IPv6 | 16376 | 8K | 4000 | 6K IPv4 or 3K IPv6 | 1K IPv4 or 256 IPv6 | 3K |
      | enhanced-mac (Default) | 128K | 16K IPv4 or 8K IPv6 | 16376 | 8K | 4000 | 6K IPv4 or 3K IPv6 | 1K IPv4 or 256 IPv6 | 3K |
      | enhanced-ipv4 | 32K | 128K / 8K | 16376 | 8K | 4000 | 6K IPv4 or 3K IPv6 | 1K IPv4 or 256 IPv6 | 3K |
      | mac-acl | 64K | 16K IPv4 or 8K IPv6 | 16376 | 8K | 4000 | (6K IPv4 or 3K IPv6) + 16K L2 ACL | 1K IPv4 or 256 IPv6 | 3K |
      | ipv4-acl | 32K | 64K / 8K | 16376 | 8K | 4000 | (6K IPv4 or 3K IPv6) + 16K IPv4 ACL | 1K IPv4 or 256 IPv6 | 3K |
      | enhanced-ipv6 | 32K | 16K / 64K | 16376 | 16376 | 4000 | 6K IPv4 or 3K IPv6 | 1K IPv4 or 256 IPv6 | 3K |
      | ipv6-acl | 32K | 16K IPv4 or 8K IPv6 | 16376 | 16376 | 4000 | (6K IPv4 or 3K IPv6) + 32K IPv6 ACL | 1K IPv4 or 256 IPv6 | 3K |
      | ipv4-nac | 32K | 16K IPv4 or 8K IPv6 | 16376 | 8K | 4000 | (6K IPv4 or 3K IPv6) + 32K IPv4 ACL | 1K IPv4 or 256 IPv6 | 3K |
      | l2-acl | 32K | 16K IPv4 or 8K IPv6 | 16376 | 8K | 4000 | (6K IPv4 or 3K IPv6) + 32K L2 ACL | 1K IPv4 or 256 IPv6 | 3K |
      | ipv4-ipv6 (2:1) | 32K | 64K IPv4 + 32K IPv6 | 16376 | 16376 | 4000 | 6K IPv4 or 3K IPv6 | 1K IPv4 or 256 IPv6 | 3K |
      | ipv4-ipv6 (6:1) | 32K | 96K IPv4 + 16K IPv6 | 16376 | 16376 | 4000 | 6K IPv4 or 3K IPv6 | 1K IPv4 or 256 IPv6 | 3K |
      | ipv4-ipv6 (2:3) | 32K | 32K IPv4 + 48K IPv6 | 16376 | 16376 | 4000 | 6K IPv4 or 3K IPv6 | 1K IPv4 or 256 IPv6 | 3K |
      | mac-ipv4 | 64K | 64K / 8K | 16376 | 8K | 4000 | 6K IPv4 or 3K IPv6 | 1K IPv4 or 256 IPv6 | 3K |

    • ED Series

      | Mode | MAC | FIBv4 / FIBv6 | ARP | ND | Multicast IPv4 / Multicast IPv6 | ACL (Ingress) | ACL (Egress) | Number of NAC Users |
      | --- | --- | --- | --- | --- | --- | --- | --- | --- |
      | Close All | 32K | 16K IPv4 or 8K IPv6 | 16376 | 8K | 4000 | 6K IPv4 or 3K IPv6 | 1K IPv4 or 256 IPv6 | 3K |
      | enhanced-mac (Default) | 512K | 16K IPv4 or 8K IPv6 | 16376 | 8K | 4000 | 6K IPv4 or 3K IPv6 | 1K IPv4 or 256 IPv6 | 3K |
      | enhanced-ipv4 | 32K | 512K / 8K | 16376 | 8K | 4000 | 6K IPv4 or 3K IPv6 | 1K IPv4 or 256 IPv6 | 3K |
      | mac-acl | 256K | 16K IPv4 or 8K IPv6 | 16376 | 8K | 4000 | (6K IPv4 or 3K IPv6) + 64K L2 ACL | 1K IPv4 or 256 IPv6 | 3K |
      | ipv4-acl | 32K | 256K / 8K | 16376 | 8K | 4000 | (6K IPv4 or 3K IPv6) + 64K IPv4 ACL | 1K IPv4 or 256 IPv6 | 3K |
      | enhanced-ipv6 | 32K | 16K / 256K | 16376 | 16376 | 4000 | 6K IPv4 or 3K IPv6 | 1K IPv4 or 256 IPv6 | 3K |
      | ipv6-acl | 32K | 16K IPv4 or 8K IPv6 | 16376 | 8K | 4000 | (6K IPv4 or 3K IPv6) + 64K IPv6 ACL | 1K IPv4 or 256 IPv6 | 3K |
      | ipv4-nac | 32K | 16K IPv4 or 8K IPv6 | 16376 | 8K | 4000 | (6K IPv4 or 3K IPv6) + 64K IPv4 ACL | 1K IPv4 or 256 IPv6 | 3K |
      | l2-acl | 32K | 16K IPv4 or 8K IPv6 | 16376 | 8K | 4000 | (6K IPv4 or 3K IPv6) + 64K L2 ACL | 1K IPv4 or 256 IPv6 | 3K |
      | ipv4-ipv6 (2:1) | 32K | 256K IPv4 + 128K IPv6 | 16376 | 16376 | 4000 | 6K IPv4 or 3K IPv6 | 1K IPv4 or 256 IPv6 | 3K |
      | ipv4-ipv6 (6:1) | 32K | 384K IPv4 + 64K IPv6 | 16376 | 16376 | 4000 | 6K IPv4 or 3K IPv6 | 1K IPv4 or 256 IPv6 | 3K |
      | ipv4-ipv6 (2:3) | 32K | 128K IPv4 + 192K IPv6 | 16376 | 16376 | 4000 | 6K IPv4 or 3K IPv6 | 1K IPv4 or 256 IPv6 | 3K |
      | mac-ipv4 | 256K | 256K / 8K | 16376 | 8K | 4000 | 6K IPv4 or 3K IPv6 | 1K IPv4 or 256 IPv6 | 3K |

    • EE Series

      | Mode | MAC | FIBv4 / FIBv6 | ARP | ND | Multicast IPv4 / Multicast IPv6 | ACL (Ingress) | ACL (Egress) | Number of NAC Users |
      | --- | --- | --- | --- | --- | --- | --- | --- | --- |
      | enhanced-mac | 688K | (12K IPv4 or 6K IPv6 64-bit) + 1K IPv6 128-bit | 64K | 64K | 4000 | (6K IPv4 or 3K IPv6) * 2 | (1K IPv4 or 512 IPv6) * 2 | 3K |
      | enhanced-ipv4 | 176K | 512K / 7K | 64K | 64K | 4000 | (6K IPv4 or 3K IPv6) * 2 | (1K IPv4 or 512 IPv6) * 2 | 3K |
      | enhanced-ipv6 | 256K | 16K / 256K | 64K | 64K | 4000 | (6K IPv4 or 3K IPv6) * 2 | (1K IPv4 or 512 IPv6) * 2 | 3K |
      | ipv6-acl | 96K | (12K IPv4 or 6K IPv6 64-bit) + 1K IPv6 128-bit | 64K | 64K | 4000 | ((6K IPv4 or 3K IPv6) + 64K IPv6 ACL) * 2 | (1K IPv4 or 512 IPv6) * 2 | 3K |
      | ipv4-acl | 96K | (12K IPv4 or 6K IPv6 64-bit) + 1K IPv6 128-bit | 64K | 64K | 4000 | ((6K IPv4 or 3K IPv6) + 128K IPv4 ACL) * 2 | (1K IPv4 or 512 IPv6) * 2 | 3K |
      | enhanced-arp (NOTE: The S9300 does not support this mode.) | 144K | 256K / 128K | 64K | 64K | 4000 | (6K IPv4 or 3K IPv6) * 2 | (1K IPv4 or 512 IPv6) * 2 | 3K |
      | 128k-arp | 144K | 256K / 128K | 128000 | 64K | 4000 | (6K IPv4 or 3K IPv6) * 2 | (1K IPv4 or 512 IPv6) * 2 | 3K |
      | ipv4-ipv6-acl (Default) | 160K | 256K / 64K | 64K | 64K | 4000 | ((6K IPv4 or 3K IPv6) + 32K IPv4 ACL) * 2 | (1K IPv4 or 512 IPv6) * 2 | 3K |

    • LE1D2S04SEC0, X1C, and X1E series

      | Mode | MAC | FIBv4 | FIBv6 | ARP | ND | Multicast IPv4 / Multicast IPv6 | ACL (Ingress) / ACL (Egress) | Number of NAC Users |
      | --- | --- | --- | --- | --- | --- | --- | --- | --- |
      | enhanced-mac | 1M | 128K | 16K | 256000 | 16K | 128000 | See the specifications in acl-mode. | S9300 series switches equipped with SRUH, SRUK, or SRUE main control units: 16K; S9300X: 16K; other devices: 8K |
      | ipv4-ipv6 (2:1) | 256K | Default: 256K; Max: 512K | Default: 128K; Max: 256K | 256000 | 128000 (shared with FIB6) | 128000 | See the specifications in acl-mode. | S9300 series switches equipped with SRUH, SRUK, or SRUE main control units: 16K; S9300X: 16K; other devices: 8K |
      | enhanced-ipv4 (Default) | 256K | Default: 256K; Max: 1024K | 16K | 256000 | 16K | 128000 | See the specifications in acl-mode. | S9300 series switches equipped with SRUH, SRUK, or SRUE main control units: 16K; S9300X: 16K; other devices: 8K |
      | enhanced-ipv6 | 128K | 16K | Default: 128K; Max: 464K | 16K | 256000 (shared with FIB6) | 4K | See the specifications in acl-mode. | S9300 series switches equipped with SRUH, SRUK, or SRUE main control units: 16K; S9300X: 16K; other devices: 8K |
      | 2m-ipv4 | 128K | Default: 256K; Max: 2M | 128K | 256000 | 16K | 32K | See the specifications in acl-mode. | S9300 series switches equipped with SRUH, SRUK, or SRUE main control units: 16K; S9300X: 16K; other devices: 8K |
      | 3m-ipv4 | 128K | Default: 256K; Max: 3072000 | 16K | 128K | 16K | 4K | See the specifications in acl-mode. | S9300 series switches equipped with SRUH, SRUK, or SRUE main control units: 16K; S9300X: 16K; other devices: 8K |

    • LE2D2X48SEC0

      | Mode | MAC | FIBv4 / FIBv6 | ARP | ND | Multicast IPv4 / Multicast IPv6 | ACL (Ingress) | ACL (Egress) | Number of NAC Users |
      | --- | --- | --- | --- | --- | --- | --- | --- | --- |
      | Close All (Default) | 96K | (12K IPv4 or 6K IPv6 64-bit) + 1K IPv6 128-bit | 48K | 48K | 4000 | 3K IPv4 or 1.5K IPv6 | 1K IPv4 or 512 IPv6 | 3K |
      | enhanced-mac | 288K | (12K IPv4 or 6K IPv6 64-bit) + 1K IPv6 128-bit | 16K | 8K | 4000 | 3K IPv4 or 1.5K IPv6 | 1K IPv4 or 512 IPv6 | 3K |
      | enhanced-ipv4 | 32K | 128K / 80K (64-bit) (shared with IPv4) | 16K | 8K | 4000 | 3K IPv4 or 1.5K IPv6 | 1K IPv4 or 512 IPv6 | 3K |
      | ipv4-ipv6 (6:1) | 32K | 64K / 10K (10K 64-bit or 10K 128-bit) | 16K | 8K | 4000 | 3K IPv4 or 1.5K IPv6 | 1K IPv4 or 512 IPv6 | 3K |
      | enhanced-arp | 96K | (12K IPv4 or 6K IPv6 64-bit) + 1K IPv6 128-bit | 128000 | 64000 | 4000 | 3K IPv4 or 1.5K IPv6 | 1K IPv4 or 512 IPv6 | 3K |

    • LE1D2X32SEC0, LE1D2H02QEC0, and X2S series

      | Mode | MAC | FIBv4 | FIBv6 | ARP | ND | Multicast IPv4 | Multicast IPv6 | ACL (Ingress) / ACL (Egress) | Number of NAC Users |
      | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
      | enhanced-arp (default) | 64K | 64K (Min 16K, Other Share) | 22K (Min 4K, Other Share) | 64K (Share with FIBv4) | 22K (Share with FIBv6) | 32K (Min 4K, Other Share) | 2K | 6K (IPv4&IPv6) (shared ingress/egress) | S9300 series switches equipped with SRUH, SRUK, or SRUE main control units: 16K; S9300X: 16K; other devices: 8K |
      | enhanced-mac | 128K | 16K | 8K | 16K (Share with FIBv4) | 8K (Share with FIBv6) | 4K | 4K | 6K (IPv4&IPv6) (shared ingress/egress) | 8K |
      | enhanced-ipv4 | 16K | 128K | 4K | 16K (Share with FIBv4) | 4K (Share with FIBv6) | 4K | 4K | 6K (IPv4&IPv6) (shared ingress/egress) | 8K |
      | enhanced-ipv6 | 16K | 8K | 32K | 8K (Share with FIBv4) | 32K (Share with FIBv6) | 4K | 4K | 6K (IPv4&IPv6) (shared ingress/egress) | 8K |
      | limiting-mac | 256000 | 512 (Share with FIBv6/ND/ARP) | 32 (Share with FIBv4/ND/ARP) | 512 (Share with FIBv4/FIBv6/ND) | 32 (Share with FIBv4/FIBv6/ARP) | 256 | 32 | 6K (IPv4&IPv6) (shared ingress/egress) | 0 |

    • X2E series

      | Mode | MAC | FIBv4 | FIBv6 | ARP | ND | Multicast IPv4 / Multicast IPv6 | ACL (Ingress) / ACL (Egress) | Number of NAC Users |
      | --- | --- | --- | --- | --- | --- | --- | --- | --- |
      | enhanced-arp (default) | 150K | 256K (Share) | 126K (Share) | 256000 (Share) | 126K (Share) | 32K (Share) | 22K (IPv4) or 8K (IPv6) (shared ingress/egress) | S9300 series switches equipped with SRUH, SRUK, or SRUE main control units: 16K; S9300X: 16K; other devices: 8K |
      | enhanced-mac | 384K | 16K | 8K | 16K (Share with FIBv4) | 8K (Share with FIBv6) | 4K / 4K | 6K (IPv4&IPv6) (shared ingress/egress) | 8K |
      | enhanced-ipv4 | 16K | 256K | 32K | 256000 (Share with FIBv4) | 32K (Share with FIBv6) | 4K / 4K | 6K (IPv4&IPv6) (shared ingress/egress) | 8K |
      | enhanced-ipv6 | 16K | 128K | 128K | 64K (Share with FIBv4) | 128000 (Share with FIBv6) | 4K / 4K | 6K (IPv4&IPv6) (shared ingress/egress) | 8K |
      | mac-acl | 64K | 64K | 4K | 64K (Share with FIBv4) | 4K (Share with FIBv6) | 4K / 2K | 128K (largest, different with acl-mode) | S9300 series switches equipped with SRUH, SRUK, or SRUE main control units: 16K; S9300X: 16K; other devices: 8K |

    • X2H series

      | Mode | MAC | FIBv4 | FIBv6 | ARP | ND | Multicast IPv4 / Multicast IPv6 | ACL (Ingress) / ACL (Egress) | Number of NAC Users |
      | --- | --- | --- | --- | --- | --- | --- | --- | --- |
      | enhanced-arp (default) | 150K | Default: 256K; Max: 1024K (Share) | Default: 128K; Max: 510K (Share) | 256000 (Share) | 128000 (Share) | 32K (Share) | 38K (IPv4) or 16K (IPv6) (shared ingress/egress) | S9300 series switches equipped with SRUH, SRUK, or SRUE main control units: 16K; S9300X: 16K; other devices: 8K |
      | enhanced-mac | 1152K | 16K | 8K | 16K (Share with FIBv4) | 8K (Share with FIBv6) | 4K / 4K | 6K (IPv4&IPv6) (shared ingress/egress) | 8K |
      | enhanced-ipv4 | 16K | Default: 256K; Max: 1024K | 32K | 256000 (Share with FIBv4) | 32K (Share with FIBv6) | 4K / 4K | 6K (IPv4&IPv6) (shared ingress/egress) | 8K |
      | enhanced-ipv6 | 16K | 128K | Default: 128K; Max: 512K | 64K (Share with FIBv4) | 128000 (Share with FIBv6) | 4K / 4K | 6K (IPv4&IPv6) (shared ingress/egress) | 8K |
      | mac-acl | 64K | 64K | 4K | 64K (Share with FIBv4) | 4K (Share with FIBv6) | 4K / 2K | 256K (largest, different with acl-mode) | S9300 series switches equipped with SRUH, SRUK, or SRUE main control units: 16K; S9300X: 16K; other devices: 8K |
      | mac-fib | 384K | Default: 256K; Max: 768K (Share) | Default: 128K; Max: 382K (Share) | 256000 (Share) | 128000 (Share) | 4K / 4K | 6K (IPv4&IPv6) (shared ingress/egress) | S9300 series switches equipped with SRUH, SRUK, or SRUE main control units: 16K; S9300X: 16K; other devices: 8K |

  4. (Optional) Run assign acl-mode slot slot-id mode { dual-ipv4-ipv6 | ipv4 | l2 | l2-ipv4 | l2-ipv6 }

    The ACL resource allocation mode is configured for an LPU.

    By default, the ACL resource allocation mode is dual-ipv4-ipv6.

    NOTE:
    • Only the X series LPUs support this command.

    • X2E and X2H series cards support this command only after the resource mode is set to mac-acl using the assign resource-mode command.

    • After configuring the ACL resource allocation mode, reset the LPU for the configuration to take effect.

    Table 1-28  ACL specifications in different resource allocation modes (X1E/X1C series cards)

    | Resource Allocation Mode | Maximum Number of IPv4 ACLs | Maximum Number of Layer 2+IPv4 ACLs | Maximum Number of IPv6 ACLs | Maximum Number of Layer 2+IPv6 ACLs | Maximum Number of Layer 2 ACLs | Total Number of ACLs |
    | --- | --- | --- | --- | --- | --- | --- |
    | dual-ipv4-ipv6 | 20K | 20K | 8K | 8K | 20K | 20K(IPv4)+8K(IPv6) |
    | l2-ipv4 | 36K | 36K | 0 | 0 | 36K | 36K |
    | l2-ipv6 | 0 | 0 | 16K | 16K | 16K | 16K |
    | ipv4 | 64K | 0 | 0 | 0 | 0 | 64K |
    | l2 | 0 | 0 | 0 | 0 | 64K | 64K |

    Table 1-29  ACL specifications in different resource allocation modes (X2E series cards)

    | Resource Allocation Mode | Maximum Number of IPv4 ACLs | Maximum Number of Layer 2+IPv4 ACLs | Maximum Number of IPv6 ACLs | Maximum Number of Layer 2+IPv6 ACLs | Maximum Number of Layer 2 ACLs | Total Number of ACLs |
    | --- | --- | --- | --- | --- | --- | --- |
    | dual-ipv4-ipv6 | 38K | 38K | 16K | 16K | 38K | 38K(IPv4)+16K(IPv6) |
    | l2-ipv4 | 70K | 70K | 0 | 0 | 70K | 70K |
    | l2-ipv6 | 0 | 0 | 32K | 32K | 32K | 32K |
    | ipv4 | 128K | 0 | 0 | 0 | 0 | 128K |
    | l2 | 0 | 0 | 0 | 0 | 128K | 128K |

    Table 1-30  ACL specifications in different resource allocation modes (X2H series cards)

    | Resource Allocation Mode | Maximum Number of IPv4 ACLs | Maximum Number of Layer 2+IPv4 ACLs | Maximum Number of IPv6 ACLs | Maximum Number of Layer 2+IPv6 ACLs | Maximum Number of Layer 2 ACLs | Total Number of ACLs |
    | --- | --- | --- | --- | --- | --- | --- |
    | dual-ipv4-ipv6 | 70K | 70K | 32K | 32K | 70K | 70K(IPv4)+32K(IPv6) |
    | l2-ipv4 | 134K | 134K | 0 | 0 | 134K | 134K |
    | l2-ipv6 | 0 | 0 | 64K | 64K | 64K | 64K |
    | ipv4 | 256K | 0 | 0 | 0 | 0 | 256K |
    | l2 | 0 | 0 | 0 | 0 | 256K | 256K |
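
A sizing check for the acl-mode choice in step 4, as an added example that is not part of the vendor guide: it encodes Tables 1-28 to 1-30 and reports which modes can hold a planned rule set. The function names and the sample rule counts are constructed, and the pooling rule applied to the Total column is an assumption marked in the code.

```python
# Added example: which acl-mode values can hold a planned ACL rule set?
# Limits are copied from Tables 1-28 to 1-30 on this page (K = 1024).
K = 1024
TYPES = ("ipv4", "l2_ipv4", "ipv6", "l2_ipv6", "l2")  # table column order

# series -> mode -> per-type maxima in K, in TYPES order
ACL_SPECS = {
    "X1E/X1C": {"dual-ipv4-ipv6": (20, 20, 8, 8, 20),
                "l2-ipv4": (36, 36, 0, 0, 36),
                "l2-ipv6": (0, 0, 16, 16, 16),
                "ipv4": (64, 0, 0, 0, 0),
                "l2": (0, 0, 0, 0, 64)},
    "X2E": {"dual-ipv4-ipv6": (38, 38, 16, 16, 38),
            "l2-ipv4": (70, 70, 0, 0, 70),
            "l2-ipv6": (0, 0, 32, 32, 32),
            "ipv4": (128, 0, 0, 0, 0),
            "l2": (0, 0, 0, 0, 128)},
    "X2H": {"dual-ipv4-ipv6": (70, 70, 32, 32, 70),
            "l2-ipv4": (134, 134, 0, 0, 134),
            "l2-ipv6": (0, 0, 64, 64, 64),
            "ipv4": (256, 0, 0, 0, 0),
            "l2": (0, 0, 0, 0, 256)},
}
IPV6_SIDE = ("ipv6", "l2_ipv6")


def violations(series, mode, need):
    """Return the reasons why `need` (rule count per ACL type) does not fit."""
    limits = {t: k * K for t, k in zip(TYPES, ACL_SPECS[series][mode])}
    problems = [f"{t}: {need[t]} > {limits[t]}"
                for t in TYPES if need.get(t, 0) > limits[t]]
    # "Total Number of ACLs" column. ASSUMPTION: dual-ipv4-ipv6 has two pools
    # (the "(IPv4)+(IPv6)" total) and Layer 2-only rules draw from the IPv4
    # pool; every other mode is one pool as large as its biggest per-type limit.
    if mode == "dual-ipv4-ipv6":
        pools = {"IPv4 pool": [t for t in TYPES if t not in IPV6_SIDE],
                 "IPv6 pool": list(IPV6_SIDE)}
    else:
        pools = {"total": list(TYPES)}
    for name, members in pools.items():
        used = sum(need.get(t, 0) for t in members)
        cap = max(limits[t] for t in members)
        if used > cap:
            problems.append(f"{name}: {used} > {cap}")
    return problems


def fitting_modes(series, need):
    """Modes, in table order, whose limits cover the planned rule counts."""
    return [m for m in ACL_SPECS[series] if not violations(series, m, need)]


if __name__ == "__main__":
    plan = {"ipv4": 15000, "l2": 10000}  # constructed sample rule counts
    for mode in ACL_SPECS["X1E/X1C"]:
        print(mode, violations("X1E/X1C", mode, plan) or "fits")
```

An empty result from `fitting_modes` means no single acl-mode on that card series covers the plan, so the rule set has to shrink or move to a larger card before the mode is changed and the LPU is reset.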

Updated: 2019-04-01

Document ID: EDOC1000178410
