Licensing Requirements and Limitations for Local Attack Defense
This section describes licensing requirements and limitations for local attack defense.
Involved Network Elements
Other network elements are not required.
Licensing Requirements
Local attack defense is a basic function of the switch, and as such is controlled by the license for basic software functions. The license for basic software functions has been loaded and activated before delivery. You do not need to manually activate it.
Version Requirements
Product Model | Minimum Version Required |
---|---|
CE12804/CE12808/CE12812 | V100R001C00 |
CE12816 | V100R003C00 |
CE12804S/CE12808S | V100R005C00 |
CE12804E/CE12808E/CE12816E | V200R002C50 |
For details about the mapping between software versions and switch models, see the Hardware Query Tool.
Software version evolution: V100R001C00 -> V100R002C00 -> V100R003C00 -> V100R003C10 -> V100R005C00 -> V100R005C10 -> V100R006C00 -> V200R001C00 -> V200R002C50 -> V200R003C00 -> V200R005C00 -> V200R005C10 -> V200R019C00 -> V200R019C10
Feature Limitations
- In V200R002C50 and later versions, attack source tracing does not take effect on OSPF and OSPFv3 packets when it is configured for TTL-expired packets and the punishment action is set to deny.
- In V200R005C10 and earlier versions, when TTL-expired packets are configured as traced packets and the punishment action is set to deny, you need to configure an attack source tracing whitelist for BGP packets. In versions later than V200R005C10, attack source tracing does not take effect on BGP packets when TTL-expired packets are configured as traced packets and the punishment action is set to deny.
- After the attack source tracing function for ICMP packets is enabled on the device, the fast ICMP reply function does not take effect.
- On the CE12800E configured with ED-E, EG-E, or EGA-E series cards, NetStream sampling can only be performed using chips. In this mode, sampled packets are not sent to the CPU for processing.
- On other models:
  - Since V200R001C00, the card sends sampled packets to the CPU for processing. When the CPU usage of the card exceeds 65%, the card decreases the CAR value of sampled packets sent to the CPU to 1000 pps. As a result, some sampled packets to be sent to the CPU are discarded, decreasing the NetStream sampling ratio. When the CPU usage falls below 65%, the card increases the CAR value of sampled packets by 500 pps every 20 seconds until the CAR value is restored to the original setting.
  - The FD-X, CE-L36CQ-FD, CE-L36CQ-FG, CE-L36CQ-FD1, CE-L36CQ-SD, CE-L36LQ-FD, CE-L24LQ-FD, CE-L16CQ-FD, CE-L12CQ-FD, CE-L48XS-FG, CE-L08CF-FG1, and CE-L48XS-FD1 cards support NetStream sampling in enhanced mode. In this mode, sampled packets are not sent to the CPU for processing.
- Since V200R001C00, the card sends sampled packets to the CPU for processing. When the CPU usage of the card exceeds 65%, the card decreases the CAR value of sampled packets sent to the CPU to 1000 pps. As a result, some sampled packets to be sent to the CPU are discarded, decreasing the sFlow sampling ratio. When the CPU usage falls below 65%, the card increases the CAR value of sampled packets by 500 pps every 20 seconds until the CAR value is restored to the original setting.
- The CE-L36CQ-FD, CE-L36CQ-FG, CE-L36CQ-FD1, CE-L36CQ-SD, CE-L36LQ-FD, CE-L24LQ-FD, CE-L16CQ-FD, CE-L12CQ-FD, CE-L48XS-FG, CE-L08CF-FG1, and CE-L48XS-FD1 cards support sFlow sampling in enhanced mode. In this mode, sampled packets are not sent to the CPU for processing.
- Starting from V200R003C00, on the CE12800, if EFM and LACP are enabled simultaneously, EFM and LACP packets are collected to the EFM queue. If EFM and LACP are enabled separately, EFM and LACP packets are collected to their respective queues. If EFM and LACP are enabled simultaneously, you can run the display cpu-defend statistics packet-type efm all command to view packet statistics. If packet loss occurs, you can run the car packet-type efm pps pps-value command to increase the CAR value of the queue.
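The CAR back-off described above for NetStream and sFlow sampled packets determines how long flow visibility stays degraded after a CPU spike. The following model is an added example, not code from this document or the switch software. The original CAR value, the offered sample rate, the CPU trace, the 20-second evaluation tick, and holding the CAR steady at exactly 65% are assumptions.

```python
import math

CPU_THRESHOLD = 65        # percent, from the text
REDUCED_CAR_PPS = 1000    # pps applied when CPU usage exceeds the threshold
RECOVERY_STEP_PPS = 500   # pps added per recovery step
STEP_SECONDS = 20         # seconds between recovery steps


def recovery_seconds(original_car_pps):
    """Time needed to climb from the reduced CAR back to the original setting."""
    gap = max(0, original_car_pps - REDUCED_CAR_PPS)
    return math.ceil(gap / RECOVERY_STEP_PPS) * STEP_SECONDS


def simulate_car(cpu_trace, original_car_pps, offered_pps):
    """Model the CAR over a CPU trace with one reading per 20-second tick.

    Returns (timeline, delivered_fraction): timeline is a list of
    (seconds, cpu_percent, car_pps); delivered_fraction is the share of
    offered sampled packets that still reach the CPU.
    """
    car = original_car_pps
    timeline, delivered = [], 0
    for tick, cpu in enumerate(cpu_trace):
        if cpu > CPU_THRESHOLD:
            # Over threshold: clamp to the reduced CAR, never raise it.
            car = min(car, REDUCED_CAR_PPS)
        elif cpu < CPU_THRESHOLD:
            # Below threshold: one 500 pps step, capped at the original value.
            car = min(original_car_pps, car + RECOVERY_STEP_PPS)
        # cpu == 65 is not specified in the text; assumed to hold the CAR.
        timeline.append((tick * STEP_SECONDS, cpu, car))
        delivered += min(offered_pps, car) * STEP_SECONDS
    offered = offered_pps * STEP_SECONDS * len(cpu_trace)
    return timeline, (delivered / offered if offered else 1.0)


if __name__ == "__main__":
    # Constructed inputs: 3000 pps original CAR, 2500 pps of sampled packets.
    trace = [50, 80, 80, 50, 50, 50, 50, 50]
    timeline, fraction = simulate_car(trace, 3000, 2500)
    for seconds, cpu, car in timeline:
        print(f"t={seconds:>3}s cpu={cpu}% car={car} pps")
    print(f"delivered {fraction:.1%}, recovery takes {recovery_seconds(3000)} s")
```

With these constructed inputs a 40-second CPU spike costs 80 seconds of recovery, during which part of the sampled traffic never reaches the collector.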