Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, and security risks.
Licensing Requirements and Limitations for Traffic Suppression and Storm Control

Involved Network Elements

Other network elements are not required.

Licensing Requirements

Traffic suppression and storm control are basic features of a switch and are not under license control.

Version Requirements

Table 9-1 Products and minimum versions supporting traffic suppression and storm control

| Product Model | Minimum Version Required |
|---|---|
| CE8860EI | V100R006C00 |
| CE8861EI | V200R005C10 |
| CE8868EI | V200R005C10 |
| CE8850-32CQ-EI | V200R002C50 |
| CE8850-64CQ-EI | V200R005C00 |
| CE7850EI | V100R003C00 |
| CE7855EI | V200R001C00 |
| CE6810EI | V100R003C00 |
| CE6810-48S4Q-LI/CE6810-48S-LI | V100R003C10 |
| CE6810-32T16S4Q-LI/CE6810-24S2Q-LI | V100R005C10 |
| CE6850EI | V100R001C00 |
| CE6850-48S6Q-HI | V100R005C00 |
| CE6850-48T6Q-HI/CE6850U-HI/CE6851HI | V100R005C10 |
| CE6855HI | V200R001C00 |
| CE6856HI | V200R002C50 |
| CE6857EI | V200R005C10 |
| CE6860EI | V200R002C50 |
| CE6865EI | V200R005C00 |
| CE6870-24S6CQ-EI/CE6870-48S6CQ-EI | V200R001C00 |
| CE6870-48T6CQ-EI | V200R002C50 |
| CE6875EI | V200R003C00 |
| CE6880EI | V200R002C50 |
| CE5810EI | V100R002C00 |
| CE5850EI | V100R001C00 |
| CE5850HI | V100R003C00 |
| CE5855EI | V100R005C10 |
| CE5880EI | V200R005C10 |

Feature Limitations

Features Supported by the Device

Table 9-2 describes the traffic suppression and storm control supported by the device.

Table 9-2 Features supported by the device

| View | Traffic Suppression and Storm Control Supported by the Device |
|---|---|
| Interface view | Traffic suppression for broadcast packets, multicast packets, unknown unicast packets, and all unicast packets; storm control for broadcast packets, multicast packets, and unicast packets; traffic suppression for ICMP packets |
| VLAN view | Traffic suppression for broadcast packets, multicast packets, and unknown unicast packets |

Difference Between Traffic Suppression and Storm Control

Traffic suppression and storm control prevent broadcast storms caused by broadcast packets, multicast packets, and unknown unicast packets. However, they use different modes to control traffic:

  • In traffic suppression, rate thresholds are configured for three types of incoming packets on interfaces. The system discards the traffic exceeding the threshold and forwards the traffic within the threshold. In this way, the system keeps the traffic rate within an acceptable range. In addition, traffic suppression supports blocking outgoing packets on interfaces.
  • In storm control, you can configure thresholds for three types of incoming packets on an interface. When the traffic rate exceeds a threshold and storm control actions are configured, the device shuts down the interface or blocks the packets.
  • For incoming packets of the same type on an interface, either traffic suppression or storm control can be configured, but not both.

  • On an interface, traffic suppression can be configured for either unicast traffic or unknown unicast traffic.

  • Storm control configured on an Eth-Trunk takes effect only on its member interfaces, and only the pps mode is supported. Storm control for unknown unicast packets cannot be configured on an Eth-Trunk and its member interfaces.
  • The threshold for broadcast, multicast, or unknown unicast suppression that takes effect may be different from that configured on a VXLAN tunnel termination device in a BD view.
  • In an SVF using distributed forwarding mode, traffic suppression cannot be configured for unknown unicast traffic on the Fabric interfaces.

  • For CE6870EI and CE6875EI switches, the traffic suppression configured in the BD view takes effect on the incoming packets in a tunnel.
  • Traffic suppression and storm control take effect only on Layer 2 traffic.
  • The CE6870EI and CE6875EI support the traffic suppression configuration on Eth-Trunks, but not on Eth-Trunk member interfaces.

  • In an SVF system of fixed switches using centralized or hybrid forwarding, traffic suppression or storm control on unknown unicast packets cannot be configured.
  • For the CE5880EI, CE6870EI, CE6875EI, and CE6880EI, when traffic suppression is configured in both the VLAN and BD views, the configuration in the BD view takes effect. For other switches, the configuration in the VLAN view takes effect.
  • Storm control does not take effect on jumbo frames.
  • When an interface enters the Error Down state due to storm control, the interface will not recover if you restart the corresponding card before the interface automatically recovers.
  • On a VXLAN network, storm control on the CE5880EI and CE6880EI does not take effect on broadcast and multicast packets.
  • For switches except the CE5880EI and CE6880EI, storm control does not take effect on VXLAN packets.
  • For switches except the CE6870EI and CE6875EI, if the rate limit in bit/s is set for a type of packets on an interface, the rate limit in pps cannot be set for other types of packets on the same interface. In a similar manner, if the rate limit in pps is set for a type of packets on an interface, the rate limit in bit/s cannot be set for other types of packets on the same interface.
  • If the fast ICMP reply function is enabled on a device, the traffic suppression function does not take effect for ICMP packets.
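
A pre-deployment check for four of the interface-level limitations listed above, as an added example that is not part of the Huawei guide. The `Threshold` model, the rule labels and the sample plan are hypothetical and are not CloudEngine CLI syntax; applying the bit/s-versus-pps rule to every threshold on the interface, whichever feature it belongs to, is an assumption.

```python
from dataclasses import dataclass

# Hypothetical data model for a planned interface configuration; these names
# are illustrative and are not CloudEngine CLI syntax.
@dataclass(frozen=True)
class Threshold:
    feature: str   # "suppression" or "storm-control"
    ptype: str     # "broadcast", "multicast", "unicast" or "unknown-unicast"
    unit: str      # "pps" or "bit/s"

MIXED_UNITS_OK = {"CE6870EI", "CE6875EI"}  # exempt from the unit rule per the page

def check_interface(family, on_eth_trunk, thresholds):
    """Return labels for the limitations on this page that the plan violates."""
    problems = []
    by_type = {}
    for t in thresholds:
        by_type.setdefault(t.ptype, set()).add(t.feature)
    # Same packet type: traffic suppression or storm control, never both.
    for ptype, features in sorted(by_type.items()):
        if len(features) > 1:
            problems.append(f"both-features:{ptype}")
    # Suppression covers either unicast or unknown unicast, not both.
    suppressed = {t.ptype for t in thresholds if t.feature == "suppression"}
    if {"unicast", "unknown-unicast"} <= suppressed:
        problems.append("unicast-and-unknown-unicast-suppression")
    # Eth-Trunk and member interfaces: storm control is pps only and cannot
    # cover unknown unicast.
    for t in thresholds:
        if on_eth_trunk and t.feature == "storm-control":
            if t.unit != "pps":
                problems.append(f"eth-trunk-storm-control-unit:{t.ptype}")
            if t.ptype == "unknown-unicast":
                problems.append("eth-trunk-storm-control-unknown-unicast")
    # Outside CE6870EI/CE6875EI, bit/s and pps cannot be mixed on one interface.
    # Assumption: applied to every threshold on the interface, whichever feature.
    if family not in MIXED_UNITS_OK and len({t.unit for t in thresholds}) > 1:
        problems.append("mixed-units")
    return problems

# Constructed sample plan for an Eth-Trunk member interface on a CE6850EI.
PLAN = [
    Threshold("suppression", "broadcast", "pps"),
    Threshold("storm-control", "broadcast", "pps"),
    Threshold("storm-control", "multicast", "bit/s"),
    Threshold("suppression", "unknown-unicast", "pps"),
]

print(check_interface("CE6850EI", True, PLAN))
```
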
Updated: 2019-04-20

Document ID: EDOC1100074765
