
Deploying a DecoySensor

Context

A DecoySensor identifies scanning behavior on an intranet, and lures suspicious traffic to a Decoy. The Decoy provides in-depth interaction services to further determine whether suspicious traffic is an attack.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run deception

    The deception view is created and displayed.

  3. Run deception decoy destination destination-ip [ source source-ip ] [ vpn-instance vpn-instance-name ] [ backup destination destination-ip [ source source-ip ] [ vpn-instance vpn-instance-name ] ]

    An IP address is configured for the Decoy.

  4. Configure a detected network segment and a bait network segment, or at least one of them (otherwise, the deception function does not take effect).
    1. Run deception detect-network id id-number ip-address mask [ vpn-instance vpn-instance-name ]

      A detected network segment is configured.

      By default, no detected network segment is configured on the switch.

    2. Run deception decoy-network id id-number destination ip-address [ mask ] [ destination-port port &<1-20> ] [ vpn-instance vpn-instance-name ]

      A bait network segment is configured.

      By default, no bait network segment is configured on the switch.

  5. (Optional) Run deception mode strict

    The strict deception mode is enabled.

    By default, the strict deception mode is disabled.

  6. (Optional) Run deception arp-request rate rate-number

    The IP address scanning threshold is configured.

    By default, the IP address scanning threshold is 10 times per 10 seconds.

  7. (Optional) Run deception syn-connect rate rate-number

    The TCP port scanning threshold is configured.

    By default, the TCP port scanning threshold is 100 times per second.

  8. (Optional) Run deception whitelist id id-number { destination | source } ip-address [ mask ] [ vpn-instance vpn-instance-name ]

    The deception whitelist is configured.

    By default, no deception whitelist is configured on the switch.

  9. (Optional) Run deception ip-state detect rate rate-number

    The rate at which the switch scans IP addresses is configured.

    By default, the switch scans IP addresses 30 times per second.

  10. (Optional) Run deception mac-address aging-time aging-time

    The interval at which the switch sends an ARP broadcast packet is configured.

    By default, the switch sends an ARP broadcast packet at an interval of 290 seconds.

  11. (Optional) Run deception dns-request rate rate-number

    The domain name scan threshold is configured.

    By default, the domain name scan threshold is 5 scans per second.

  12. (Optional) Run deception dns enable

    The unknown-domain-name deception function is enabled.

    By default, the unknown-domain-name deception function is disabled.

  13. (Optional) Run deception aci suffix

    An ACI suffix is configured.

    By default, the ACI suffix is aci.

  14. (Optional) Run deception aci timeout timeout-value

    The aging time of ACI entries is configured.

    By default, the aging time of ACI entries is 60s. When a new DNS reply packet arrives, the corresponding ACI entry is updated.

  15. (Optional) Run deception aci lack decoy

    The policy applied when the ACI table is full is set to deceive (decoy).

    By default, the policy used in the case of a full ACI table is permit.

  16. (Optional) Run deception aci detect-network { id id-number | all } enable

    The Access Control Isolation (ACI) deception function is enabled.

    By default, the ACI deception function is disabled.

  17. Run deception enable

    The deception function is enabled.

    By default, the deception function is disabled.
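A worked configuration that walks the mandatory steps above in order, added here as an illustration and not taken from the Huawei documentation: the Decoy at 10.1.100.10 with a backup at 10.1.100.11, the detected user segment 10.1.20.0/24, the unused bait segment 10.1.200.0/24, the whitelisted authorised scanner host 10.1.20.5 and the view prompts are all assumed values. Lines beginning with # are annotations, not commands.

```vrp
<Switch> system-view
[Switch] deception
# Step 3: the Decoy to which suspicious traffic is lured, with a backup Decoy
[Switch-deception] deception decoy destination 10.1.100.10 backup destination 10.1.100.11
# Step 4: at least one detected or bait segment is mandatory; without one the
# deception function never takes effect. Watch the user segment 10.1.20.0/24 ...
[Switch-deception] deception detect-network id 1 10.1.20.0 255.255.255.0
# ... and present the unused range 10.1.200.0/24 as bait on ports 22 and 445
[Switch-deception] deception decoy-network id 1 destination 10.1.200.0 255.255.255.0 destination-port 22 445
# Step 8: exempt the authorised vulnerability scanner so that its legitimate
# sweeps are not counted as scanning and redirected to the Decoy
[Switch-deception] deception whitelist id 1 source 10.1.20.5
# Step 17: enable last, once the Decoy and the segments exist
[Switch-deception] deception enable
[Switch-deception] quit
# Verification: confirm registration on the Decoy and review the configured segments
[Switch] display deception decoy status
[Switch] display deception detect-network
[Switch] display deception decoy-network
[Switch] display deception whitelist
```

Thresholds in steps 6, 7, 9 and 11 are left at their defaults here; tune them only after checking display deception interface and the whitelist, since a threshold lowered without a whitelist will lure legitimate management scanners as well.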

Verifying the Configuration

  • Run the display deception version command in any view to check the DecoySensor version.
  • Run the display deception decoy status command in any view to check the registration status of the switch on the Decoy.
  • Run the display deception detect-network [ id id-number ] command in any view to check the detected network segment.
  • Run the display deception decoy-network [ id id-number ] command in any view to check the bait network segment.
  • Run the display deception whitelist [ id id-number ] command in any view to check the deception whitelist.
  • Run the display deception interface command in any view to check information about all deception-enabled interfaces.
  • Run the display deception dns command in any view to check the domain name scan status.
  • Run the display deception aci command in any view to check the ACI table.
Copyright © Huawei Technologies Co., Ltd.