Got it
Enterprise
Community Forums Switches
Attack

Attack

Created: Jan 13, 2019 09:04:47Latest reply: Jan 13, 2019 11:30:43 835 11 0 0
  Rewarded HiCoins: 0 (problem resolved)
display all floors #1

Hi,


<HUAWEI> system-view

[~HUAWEI] cpu-defend policy policy1  .

[*HUAWEI-cpu-defend-policy-policy1] auto-defend enable

[*HUAWEI-cpu-defend-policy-policy1] auto-defend trace-type source-ip source-mac   

[*HUAWEI-cpu-defend-policy-policy1] auto-defend protocol all 

[*HUAWEI-cpu-defend-policy-policy1] quit


[HUAWEI]cpu-defend-policy policy1

Info: Only car configuration can be activated on main control unit.  <<<<< i am getting this error while activating the policy


Kindly help




  • x
  • convention:

I have this problem too (0) Favorite(0) Share Report
Previous: OID for monitoring PSU status
Next: destination mac address in the arp request packet
Featured Answers

Recommended answer

(0) (0)
Mohamed_Mostafa
Created Jan 13, 2019 09:21:22 Helpful(0) Helpful(0)

Licensing Requirements and Limitations for Local Attack Defense

Involved Network Elements

Other network elements are not required.

Licensing Requirements

Configuration commands of local attack defense are available only after the S1720GW, S1720GWR, and S1720X have the license (WEB management to full management Electronic RTU License) loaded and activated and the switches are restarted. Configuration commands of local attack defense on other models are not under license control.

For details about how to apply for a license, see Applying for Licenses in the S1720, S5700, and S6720 Series Switches License Usage Guide.

Version Requirements

Table 1 Products and versions supporting local attack defense

Product

Product Model

Software Version

S1700

S1720GFR

V200R006C10, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00

S1720GW and S1720GWR

V200R010C00, V200R011C00, V200R011C10, V200R012C00

S1720GW-E and S1720GWR-E

V200R010C00, V200R011C00, V200R011C10, V200R012C00

S1720X and S1720X-E

V200R011C00, V200R011C10, V200R012C00

Other S1700 models

Models that cannot be configured using commands. For details about features and versions, see S1700 Documentation Bookshelf.

S2700

S2700SI

V100R005C01, V100R006(C00&C01&C03&C05)

S2700EI

V100R005C01, V100R006(C00&C01&C03&C05)

S2710SI

V100R006(C03&C05)

S2720EI

V200R006C10, V200R009C00, V200R010C00, V200R011C10, V200R012C00

S2750EI

V200R003C00, V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00

S3700

S3700SI and S3700EI

V100R005C01, V100R006(C00&C01&C03&C05)

S3700HI

V100R006C01, V200R001C00

S5700

S5700LI

V200R001C00, V200R002C00, V200R003(C00&C02&C10), V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00

S5700S-LI

V200R001C00, V200R002C00, V200R003C00, V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00

S5710-C-LI

V200R001C00

S5710-X-LI

V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00

S5700SI

V100R005C01, V100R006C00, V200R001C00, V200R002C00, V200R003C00, V200R005C00

S5700EI

V100R005C01, V100R006(C00&C01), V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00&C01&C02&C03)

S5710EI

V200R001C00, V200R002C00, V200R003C00, V200R005(C00&C02)

S5720EI

V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00

S5720LI and S5720S-LI

V200R010C00, V200R011C00, V200R011C10, V200R012C00

S5720SI and S5720S-SI

V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00

S5720I-SI

V200R012C00

S5700HI

V100R006C01, V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00SPC500&C01&C02)

S5710HI

V200R003C00, V200R005(C00&C02&C03)

S5720HI

V200R006C00, V200R007(C00&C10), V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00

S5730HI

V200R012C00

S5730SI

V200R011C10, V200R012C00

S5730S-EI

V200R011C10, V200R012C00

S6700

S6700EI

V100R006C00, V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00&C01&C02)

S6720LI and S6720S-LI

V200R011C00, V200R011C10, V200R012C00

S6720SI and S6720S-SI

V200R011C00, V200R011C10, V200R012C00

S6720EI

V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00

S6720S-EI

V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00

S6720HI

V200R012C00


Feature Limitations

  • In V200R011C10 and earlier versions, the attack source tracing function does not take effect on IPv6 packets.

  • The user-level rate limiting is available in the S6720HI, S5730HI and S5720HI of V200R009 and later versions.
  • When packets match both user-level rate limiting rules and user-defined flow rules, the rate of these packets is limited based on the smaller rate limit value.

  • It is recommended that you disable user-level rate limiting on the network-side interfaces of an access switch and a gateway switch. The user-level rate limiting is enabled on interfaces by default.

  • S1720GFR, S2720, S2750, S5700SI, S5700LI, and S5700S-LI do not support the port attack defense function
View more
  • x
  • convention:
Network%20%26%20Security%20Engineer
All Answers
Mohamed_Mostafa
Mohamed_Mostafa Created Jan 13, 2019 09:09:30 Helpful(0) Helpful(0)

Dear ,
What is your device model and software version?
View more
  • x
  • convention:
Network%20%26%20Security%20Engineer
Batrick
Batrick Created Jan 13, 2019 09:09:59 Helpful(0) Helpful(0)

I think it is hardware limiting provide us with the model and version
View more
  • x
  • convention:
Skynet_india
Skynet_india Created Jan 13, 2019 09:11:21 Helpful(0) Helpful(0)

Posted by Mohamed_Mostafa at 2019-01-13 09:09 Dear ,What is your device model and software version?
hi

Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.170 (S6720 V200R010C00SPC600)
Copyright (C) 2000-2016 HUAWEI TECH CO., LTD
HUAWEI S6720-30C-EI-24S-AC Routing Switch uptime is 0 week, 1 day, 15 hours, 7 minutes

ES5D2S26Q002 0(Master) : uptime is 0 week, 1 day, 15 hours, 6 minutes
DDR Memory Size : 2048 M bytes
FLASH Memory Size : 446 M bytes
Pcb Version : VER.B
BootROM Version : 020a.0001
BootLoad Version : 020a.0001
CPLD Version : 0108
Software Version : VRP (R) Software, Version 5.170 (V200R010C00SPC600)
PWR1 information
Pcb Version : PWR VER.A
FAN1 information
Pcb Version : NA
View more
  • x
  • convention:
Batrick
Batrick Created Jan 13, 2019 09:12:28 Helpful(0) Helpful(0)

yes it is hardware limiting refer to documentation .
View more
  • x
  • convention:
Abulaynain
Abulaynain Created Jan 13, 2019 09:15:20 Helpful(0) Helpful(0)

Posted by Batrick at 2019-01-13 03:12 yes it is hardware limiting refer to documentation .
Does that mean that the cpu defend policy accept only car configuration for this switch!!
View more
  • x
  • convention:
Batrick
Batrick Created Jan 13, 2019 09:16:53 Helpful(0) Helpful(0)

check the documentation and then we can talk
View more
  • x
  • convention:
Fathy
Fathy Created Jan 13, 2019 09:19:34 Helpful(0) Helpful(0)

this is informationail Notice that Policy can be applied to Main Board Board Only (MPU) .

please review Feature Limitations from Product Document according to your specific Model and version .

Below is a Sample for S7700 :

Licensing Requirements
Local attack defense is a basic feature of a switch and is not under license control.

Version Requirements
Table 1 Products and versions supporting local attack defense
Product

Product Model

Software Version

S7700
S7703, S7706 and S7712

V100R003C01, V100R006C00, V200R001(C00&C01), V200R002C00, V200R003C00, V200R005C00, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C10

S9700
S9703, S9706 and S9712

V200R001(C00&C01), V200R002C00, V200R003C00, V200R005C00, V200R006C00, V200R007(C00&C10), V200R008C00, V200R009C00, V200R010C00, V200R011C10

NOTE:
To know details about software mappings, see Hardware Query Tool.
Feature Limitations
In V200R009C00 and earlier versions, the attack source tracing function does not take effect on IPv6 packets.

The user-level rate limiting is available in the X series cards of V200R009 and later versions.
It is recommended that you disable user-level rate limiting on the network-side interfaces of an access switch and a gateway switch. The user-level rate limiting is enabled on interfaces by default.

The packets destined for the local switch are sent to the CPU. After functions related to some protocols such as BGP, OSPF, and LACP are enabled, packets of these protocols are also sent to the CPU. If packets sent to the CPU match both CPCAR and a traffic classification rule in a traffic policy, but the actions to be taken conflict with each other, CPCAR takes effect.

https://support.huawei.com/hedex/pages/EDOC100017784331189655/05/EDOC100017784331189655/05/resources/dc/dc_s_cfg_LocalAttackDefense_notes.html?ft=0&fe=10&hib=11.4.13.4.2&id=dc_s_cfg_LocalAttackDefense_notes_2&text=Licensing%20Requirements%20and%20Limitations%20for%20Local%20Attack%20Defense&docid=EDOC1000177843
View more
  • x
  • convention:
Enterprise%20IP%20Datacom%20TAC%20Engineer%20%7C%7C%20HCIE%20R%26S%20No.9350
Mohamed_Mostafa
Mohamed_Mostafa Created Jan 13, 2019 09:21:22 Helpful(0) Helpful(0)

Licensing Requirements and Limitations for Local Attack Defense

Involved Network Elements

Other network elements are not required.

Licensing Requirements

Configuration commands of local attack defense are available only after the S1720GW, S1720GWR, and S1720X have the license (WEB management to full management Electronic RTU License) loaded and activated and the switches are restarted. Configuration commands of local attack defense on other models are not under license control.

For details about how to apply for a license, see Applying for Licenses in the S1720, S5700, and S6720 Series Switches License Usage Guide.

Version Requirements

Table 1 Products and versions supporting local attack defense

Product

Product Model

Software Version

S1700

S1720GFR

V200R006C10, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00

S1720GW and S1720GWR

V200R010C00, V200R011C00, V200R011C10, V200R012C00

S1720GW-E and S1720GWR-E

V200R010C00, V200R011C00, V200R011C10, V200R012C00

S1720X and S1720X-E

V200R011C00, V200R011C10, V200R012C00

Other S1700 models

Models that cannot be configured using commands. For details about features and versions, see S1700 Documentation Bookshelf.

S2700

S2700SI

V100R005C01, V100R006(C00&C01&C03&C05)

S2700EI

V100R005C01, V100R006(C00&C01&C03&C05)

S2710SI

V100R006(C03&C05)

S2720EI

V200R006C10, V200R009C00, V200R010C00, V200R011C10, V200R012C00

S2750EI

V200R003C00, V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00

S3700

S3700SI and S3700EI

V100R005C01, V100R006(C00&C01&C03&C05)

S3700HI

V100R006C01, V200R001C00

S5700

S5700LI

V200R001C00, V200R002C00, V200R003(C00&C02&C10), V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00

S5700S-LI

V200R001C00, V200R002C00, V200R003C00, V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00

S5710-C-LI

V200R001C00

S5710-X-LI

V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00

S5700SI

V100R005C01, V100R006C00, V200R001C00, V200R002C00, V200R003C00, V200R005C00

S5700EI

V100R005C01, V100R006(C00&C01), V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00&C01&C02&C03)

S5710EI

V200R001C00, V200R002C00, V200R003C00, V200R005(C00&C02)

S5720EI

V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00

S5720LI and S5720S-LI

V200R010C00, V200R011C00, V200R011C10, V200R012C00

S5720SI and S5720S-SI

V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00

S5720I-SI

V200R012C00

S5700HI

V100R006C01, V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00SPC500&C01&C02)

S5710HI

V200R003C00, V200R005(C00&C02&C03)

S5720HI

V200R006C00, V200R007(C00&C10), V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00

S5730HI

V200R012C00

S5730SI

V200R011C10, V200R012C00

S5730S-EI

V200R011C10, V200R012C00

S6700

S6700EI

V100R006C00, V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00&C01&C02)

S6720LI and S6720S-LI

V200R011C00, V200R011C10, V200R012C00

S6720SI and S6720S-SI

V200R011C00, V200R011C10, V200R012C00

S6720EI

V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00

S6720S-EI

V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00

S6720HI

V200R012C00


Feature Limitations

  • In V200R011C10 and earlier versions, the attack source tracing function does not take effect on IPv6 packets.

  • The user-level rate limiting is available in the S6720HI, S5730HI and S5720HI of V200R009 and later versions.
  • When packets match both user-level rate limiting rules and user-defined flow rules, the rate of these packets is limited based on the smaller rate limit value.

  • It is recommended that you disable user-level rate limiting on the network-side interfaces of an access switch and a gateway switch. The user-level rate limiting is enabled on interfaces by default.

  • S1720GFR, S2720, S2750, S5700SI, S5700LI, and S5700S-LI do not support the port attack defense function
View more
  • x
  • convention:
Network%20%26%20Security%20Engineer
Skynet_india
Skynet_india Created Jan 13, 2019 09:23:05 Helpful(0) Helpful(0)

Local attack defense is a basic feature of a switch and is not under license control.

View more
  • x
  • convention:
12
Back to list

Comment

Advanced
B Color Image Link Quote Code Smilies
You need to log in to comment to the post Login | Register
Comment

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " Privacy."

My Followers

Login and enjoy all the member benefits

Login
Huawei Website Support About Huawei Privacy User Agreement Terms of Use Cookie Settings
Huawei Enterprise Huawei Carrier Forum Training & Certification

Copyright © 2020 Huawei Technologies Co., Ltd. All rights reserved.

APP

Huawei Enterprise Support Community
Huawei Enterprise Support Community
Block
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Reminder
Please bind your phone number to obtain invitation bonus.