Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
Licensing Requirements and Limitations for Local Attack Defense

Involved Network Elements

Other network elements are not required.

Licensing Requirements

Local attack defense is a basic feature of a switch and is not under license control.

Version Requirements

Table 6-1 Products and minimum versions supporting local attack defense

Product                                  | Minimum Version Required
-----------------------------------------|-------------------------
CE8860EI                                 | V100R006C00
CE8861EI                                 | V200R005C10
CE8868EI                                 | V200R005C10
CE8850-32CQ-EI                           | V200R002C50
CE8850-64CQ-EI                           | V200R005C00
CE7850EI                                 | V100R003C00
CE7855EI                                 | V200R001C00
CE6810EI                                 | V100R003C00
CE6810-48S4Q-LI/CE6810-48S-LI            | V100R003C10
CE6810-32T16S4Q-LI/CE6810-24S2Q-LI       | V100R005C10
CE6850EI                                 | V100R001C00
CE6850-48S6Q-HI                          | V100R005C00
CE6850-48T6Q-HI/CE6850U-HI/CE6851HI      | V100R005C10
CE6855HI                                 | V200R001C00
CE6856HI                                 | V200R002C50
CE6857EI                                 | V200R005C10
CE6860EI                                 | V200R002C50
CE6865EI                                 | V200R005C00
CE6870-24S6CQ-EI/CE6870-48S6CQ-EI        | V200R001C00
CE6870-48T6CQ-EI                         | V200R002C50
CE6875EI                                 | V200R003C00
CE6880EI                                 | V200R002C50
CE5810EI                                 | V100R002C00
CE5850EI                                 | V100R001C00
CE5850HI                                 | V100R003C00
CE5855EI                                 | V100R005C10
CE5880EI                                 | V200R005C10

Feature Limitations

  • In V200R002C50 and later versions, attack source tracing does not take effect on OSPF and OSPFv3 packets when it is configured for TTL-expired packets and the punishment action is set to deny.
  • In V200R005C10 and earlier versions, when TTL-expired packets are configured as traced packets and the punishment action is set to deny, you need to configure an attack source tracing whitelist for BGP packets. In versions later than V200R005C10, attack source tracing does not
  • After ARP rate limiting is enabled on all interfaces, port-based automatic local attack defense for ARP does not take effect.
  • After the attack source tracing function for ICMP packets is enabled on the device, the fast ICMP reply function does not take effect.
  • On the CE6880EI and CE5880EI, NetStream sampling can only be performed in enhanced mode. In this mode, sampled packets are not sent to the CPU for processing.
  • On other models:
    • Since V200R001C00, the device sends sampled packets to the CPU for processing. When the CPU usage of the device exceeds 65%, the device decreases the CAR value of sampled packets sent to the CPU to 1000 pps. As a result, some sampled packets to be sent to the CPU are discarded, decreasing the NetStream sampling ratio. When the CPU usage falls below 65%, the switch increases the CAR value of sampled packets by 500 pps every 20 seconds until the CAR value is restored to the original setting.
    • On the CE8868EI, CE8861EI, CE8850-64CQ-EI, CE6875EI, CE6865EI, and CE6857EI, NetStream sampling can be performed in enhanced mode. In this mode, sampled packets are not sent to the CPU for processing.
  • On the CE6875EI, flow sampling can be performed in enhanced mode. In this mode, sampled packets are not sent to the CPU for processing.
  • On a CE switch except CE6875EI, since V200R001C00, the switch sends sampled packets to the CPU for processing. When the CPU usage of the device exceeds 65%, the switch decreases the CAR value of sampled packets sent to the CPU to 1000 pps. As a result, some sampled packets to be sent to the CPU are discarded, decreasing the flow sampling ratio. When the CPU usage falls below 65%, the switch increases the CAR value of sampled packets by 500 pps every 20 seconds until the CAR value is restored to the original setting.
  • Starting from V200R003C00, on CE6870EI and CE6875EI switches, if EFM and LACP are enabled simultaneously, both EFM and LACP packets are sent to the EFM queue. If only one of EFM and LACP is enabled, each protocol's packets are sent to its own queue. When EFM and LACP are enabled simultaneously, you can run the display cpu-defend statistics packet-type efm all command to view packet statistics for the shared queue. If packet loss occurs, you can run the car packet-type ecmp pps pps-value command to increase the CAR value of the queue.
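The two NetStream and flow sampling limitations above describe the same adaptive behaviour: once CPU usage exceeds 65%, the CAR for sampled packets sent to the CPU drops to 1000 pps, and once usage falls back below 65% the CAR climbs by 500 pps every 20 seconds until the configured value is restored. The following Python model, added here as an illustration and not part of the Huawei documentation or the switch software, simulates that adjustment over a series of 20-second CPU samples and estimates two things a defender cares about when sizing a monitoring design: how long the sampling CAR stays degraded after a CPU spike, and how much the effective sampling ratio degrades while the CAR is below the sampled-packet rate. The effective-ratio calculation assumes that excess sampled packets are dropped uniformly, which is a simplifying assumption of this model and is not stated on the page; the CPU sample sequence is constructed input.

```python
from dataclasses import dataclass, field
from typing import List

# Parameters taken from the feature limitations text.
CPU_THRESHOLD_PERCENT = 65      # CAR is reduced while CPU usage exceeds this
DEGRADED_CAR_PPS = 1000         # CAR applied to sampled packets during overload
RECOVERY_STEP_PPS = 500         # CAR increase per recovery interval
RECOVERY_INTERVAL_S = 20        # seconds between recovery steps


@dataclass
class SampledPacketCar:
    """Model of the CAR applied to sampled packets sent to the CPU.

    One call to step() represents one 20-second evaluation interval.
    """
    configured_pps: int
    current_pps: int = field(init=False)

    def __post_init__(self) -> None:
        self.current_pps = self.configured_pps

    def step(self, cpu_usage_percent: float) -> int:
        """Apply one interval's adjustment and return the resulting CAR (pps)."""
        if cpu_usage_percent > CPU_THRESHOLD_PERCENT:
            # Overload: drop to the degraded value. A configured CAR that is
            # already below 1000 pps is left alone (assumption of this model).
            self.current_pps = min(self.current_pps, DEGRADED_CAR_PPS)
        elif self.current_pps < self.configured_pps:
            # Recovery: climb 500 pps per interval, never above the configured CAR.
            self.current_pps = min(self.current_pps + RECOVERY_STEP_PPS,
                                   self.configured_pps)
        return self.current_pps


def simulate(configured_pps: int, cpu_samples: List[float]) -> List[int]:
    """Return the CAR value after each 20-second CPU sample."""
    car = SampledPacketCar(configured_pps)
    return [car.step(usage) for usage in cpu_samples]


def recovery_time_seconds(configured_pps: int) -> int:
    """Seconds needed to climb from the degraded CAR back to the configured CAR."""
    deficit = max(configured_pps - DEGRADED_CAR_PPS, 0)
    steps = -(-deficit // RECOVERY_STEP_PPS)   # ceiling division
    return steps * RECOVERY_INTERVAL_S


def effective_sampling_ratio(configured_ratio: int, traffic_pps: float,
                             car_pps: int) -> float:
    """Effective 1:N sampling ratio once the CAR is applied.

    Sampled packets offered to the CPU are traffic_pps / configured_ratio; if
    that exceeds the CAR, only car_pps of them survive, so the ratio worsens.
    Uniform dropping of the excess is an assumption of this model.
    """
    offered_pps = traffic_pps / configured_ratio
    if offered_pps <= car_pps:
        return float(configured_ratio)
    return traffic_pps / car_pps


if __name__ == "__main__":
    # Constructed CPU samples: two overloaded intervals, then recovery.
    samples = [70, 70, 50, 50, 50, 50, 50, 50, 50]
    print("CAR over time:", simulate(4000, samples))
    print("Recovery time for 4000 pps:", recovery_time_seconds(4000), "s")
    print("Effective ratio at 10 Mpps, 1:1000, CAR 1000:",
          effective_sampling_ratio(1000, 10_000_000, 1000))
```

The takeaway for a monitoring design is that a CPU spike of any length costs at least 40 seconds of degraded sampling per 1000 pps of configured CAR above the floor, and that while degraded, a 1:1000 sampler on a 10 Mpps link behaves like a 1:10000 sampler; flow records collected during that window under-represent traffic accordingly.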
Updated: 2019-04-20

Document ID: EDOC1100074765