Attack

Created: Jan 13, 2019 17:04:47
Latest reply: Jan 13, 2019 19:30:43
(problem resolved)

Hi,


<HUAWEI> system-view

[~HUAWEI] cpu-defend policy policy1

[*HUAWEI-cpu-defend-policy-policy1] auto-defend enable

[*HUAWEI-cpu-defend-policy-policy1] auto-defend trace-type source-ip source-mac   

[*HUAWEI-cpu-defend-policy-policy1] auto-defend protocol all 

[*HUAWEI-cpu-defend-policy-policy1] quit


[HUAWEI]cpu-defend-policy policy1

Info: Only car configuration can be activated on main control unit.  <<<<< I am getting this error while activating the policy


Kindly help





Mohamed_Mostafa  Enthusiast Technician   Created Jan 13, 2019 17:21:22

Licensing Requirements and Limitations for Local Attack Defense

Involved Network Elements

Other network elements are not required.

Licensing Requirements

Configuration commands of local attack defense are available only after the S1720GW, S1720GWR, and S1720X have the license (WEB management to full management Electronic RTU License) loaded and activated and the switches are restarted. Configuration commands of local attack defense on other models are not under license control.

For details about how to apply for a license, see Applying for Licenses in the S1720, S5700, and S6720 Series Switches License Usage Guide.

Version Requirements

Table 1 Products and versions supporting local attack defense

| Product | Product Model | Software Version |
|---|---|---|
| S1700 | S1720GFR | V200R006C10, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00 |
| S1700 | S1720GW and S1720GWR | V200R010C00, V200R011C00, V200R011C10, V200R012C00 |
| S1700 | S1720GW-E and S1720GWR-E | V200R010C00, V200R011C00, V200R011C10, V200R012C00 |
| S1700 | S1720X and S1720X-E | V200R011C00, V200R011C10, V200R012C00 |
| S1700 | Other S1700 models | Models that cannot be configured using commands. For details about features and versions, see S1700 Documentation Bookshelf. |
| S2700 | S2700SI | V100R005C01, V100R006(C00&C01&C03&C05) |
| S2700 | S2700EI | V100R005C01, V100R006(C00&C01&C03&C05) |
| S2700 | S2710SI | V100R006(C03&C05) |
| S2700 | S2720EI | V200R006C10, V200R009C00, V200R010C00, V200R011C10, V200R012C00 |
| S2700 | S2750EI | V200R003C00, V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00 |
| S3700 | S3700SI and S3700EI | V100R005C01, V100R006(C00&C01&C03&C05) |
| S3700 | S3700HI | V100R006C01, V200R001C00 |
| S5700 | S5700LI | V200R001C00, V200R002C00, V200R003(C00&C02&C10), V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00 |
| S5700 | S5700S-LI | V200R001C00, V200R002C00, V200R003C00, V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00 |
| S5700 | S5710-C-LI | V200R001C00 |
| S5700 | S5710-X-LI | V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00 |
| S5700 | S5700SI | V100R005C01, V100R006C00, V200R001C00, V200R002C00, V200R003C00, V200R005C00 |
| S5700 | S5700EI | V100R005C01, V100R006(C00&C01), V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00&C01&C02&C03) |
| S5700 | S5710EI | V200R001C00, V200R002C00, V200R003C00, V200R005(C00&C02) |
| S5700 | S5720EI | V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00 |
| S5700 | S5720LI and S5720S-LI | V200R010C00, V200R011C00, V200R011C10, V200R012C00 |
| S5700 | S5720SI and S5720S-SI | V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00 |
| S5700 | S5720I-SI | V200R012C00 |
| S5700 | S5700HI | V100R006C01, V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00SPC500&C01&C02) |
| S5700 | S5710HI | V200R003C00, V200R005(C00&C02&C03) |
| S5700 | S5720HI | V200R006C00, V200R007(C00&C10), V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00 |
| S5700 | S5730HI | V200R012C00 |
| S5700 | S5730SI | V200R011C10, V200R012C00 |
| S5700 | S5730S-EI | V200R011C10, V200R012C00 |
| S6700 | S6700EI | V100R006C00, V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00&C01&C02) |
| S6700 | S6720LI and S6720S-LI | V200R011C00, V200R011C10, V200R012C00 |
| S6700 | S6720SI and S6720S-SI | V200R011C00, V200R011C10, V200R012C00 |
| S6700 | S6720EI | V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00 |
| S6700 | S6720S-EI | V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00 |
| S6700 | S6720HI | V200R012C00 |


Feature Limitations

  • In V200R011C10 and earlier versions, the attack source tracing function does not take effect on IPv6 packets.

  • The user-level rate limiting is available in the S6720HI, S5730HI and S5720HI of V200R009 and later versions.
  • When packets match both user-level rate limiting rules and user-defined flow rules, the rate of these packets is limited based on the smaller rate limit value.
  • It is recommended that you disable user-level rate limiting on the network-side interfaces of an access switch and a gateway switch. The user-level rate limiting is enabled on interfaces by default.

  • S1720GFR, S2720, S2750, S5700SI, S5700LI, and S5700S-LI do not support the port attack defense function.

Network & Security Engineer
Mohamed_Mostafa  Enthusiast Technician   Created Jan 13, 2019 17:09:30

Dear ,
What is your device model and software version?

Network & Security Engineer
Batrick     Created Jan 13, 2019 17:09:59

I think it is hardware limiting. Provide us with the model and version.

Skynet_india     Created Jan 13, 2019 17:11:21

Posted by Mohamed_Mostafa at 2019-01-13 17:09: Dear , What is your device model and software version?
Hi

Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.170 (S6720 V200R010C00SPC600)
Copyright (C) 2000-2016 HUAWEI TECH CO., LTD
HUAWEI S6720-30C-EI-24S-AC Routing Switch uptime is 0 week, 1 day, 15 hours, 7 minutes

ES5D2S26Q002 0(Master) : uptime is 0 week, 1 day, 15 hours, 6 minutes
DDR Memory Size : 2048 M bytes
FLASH Memory Size : 446 M bytes
Pcb Version : VER.B
BootROM Version : 020a.0001
BootLoad Version : 020a.0001
CPLD Version : 0108
Software Version : VRP (R) Software, Version 5.170 (V200R010C00SPC600)
PWR1 information
Pcb Version : PWR VER.A
FAN1 information
Pcb Version : NA

Batrick     Created Jan 13, 2019 17:12:28

Yes, it is hardware limiting; refer to the documentation.

Abulaynain  Visitor   Created Jan 13, 2019 17:15:20

Posted by Batrick at 2019-01-13 11:12: Yes, it is hardware limiting; refer to the documentation.
Does that mean that the cpu defend policy accepts only car configuration for this switch?

Batrick     Created Jan 13, 2019 17:16:53

Check the documentation and then we can talk.

Fathy  Visitor   Created Jan 13, 2019 17:19:34

This is an informational notice that the policy can be applied to the main board only (MPU).

Please review the Feature Limitations in the product documentation for your specific model and version.

Below is a sample for S7700:

Licensing Requirements
Local attack defense is a basic feature of a switch and is not under license control.

Version Requirements
Table 1 Products and versions supporting local attack defense

| Product | Product Model | Software Version |
|---|---|---|
| S7700 | S7703, S7706 and S7712 | V100R003C01, V100R006C00, V200R001(C00&C01), V200R002C00, V200R003C00, V200R005C00, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C10 |
| S9700 | S9703, S9706 and S9712 | V200R001(C00&C01), V200R002C00, V200R003C00, V200R005C00, V200R006C00, V200R007(C00&C10), V200R008C00, V200R009C00, V200R010C00, V200R011C10 |

NOTE:
To know details about software mappings, see Hardware Query Tool.
Feature Limitations
In V200R009C00 and earlier versions, the attack source tracing function does not take effect on IPv6 packets.

The user-level rate limiting is available in the X series cards of V200R009 and later versions.
It is recommended that you disable user-level rate limiting on the network-side interfaces of an access switch and a gateway switch. The user-level rate limiting is enabled on interfaces by default.

The packets destined for the local switch are sent to the CPU. After functions related to some protocols such as BGP, OSPF, and LACP are enabled, packets of these protocols are also sent to the CPU. If packets sent to the CPU match both CPCAR and a traffic classification rule in a traffic policy, but the actions to be taken conflict with each other, CPCAR takes effect.

https://support.huawei.com/hedex/pages/EDOC100017784331189655/05/EDOC100017784331189655/05/resources/dc/dc_s_cfg_LocalAttackDefense_notes.html?ft=0&fe=10&hib=11.4.13.4.2&id=dc_s_cfg_LocalAttackDefense_notes_2&text=Licensing%20Requirements%20and%20Limitations%20for%20Local%20Attack%20Defense&docid=EDOC1000177843

Skynet_india     Created Jan 13, 2019 17:23:05

Local attack defense is a basic feature of a switch and is not under license control.

