
Licensing Requirements and Limitations for Local Attack Defense

Involved Network Elements

Other network elements are not required.

Licensing Requirements

Local attack defense is a basic feature of a switch and is not under license control.

Feature Support in V200R019C10

All models of S2720, S5700, and S6700 series switches support Local Attack Defense.

For details about software mappings, visit Hardware Query Tool and search for the desired product model.

Feature Limitations

  • In V200R011C10 and earlier versions, the attack source tracing function does not take effect on IPv6 packets.

  • When packets match both user-level rate limiting rules and user-defined flow rules, the rate of these packets is limited based on the smaller rate limit value.
  • S2720, S2750, S5700-SI, S5700-LI, and S5700S-LI do not support the port attack defense function.
  • For the S6720-EI and S6720S-EI, when the local attack defense function is enabled on gateways in a VXLAN scenario, the ARP unicast packets received by the tunnel-side interfaces are processed as ARP Reply packets, and the received ARP broadcast packets are processed as ARP Request packets.

  • Packets destined for the local switch are sent to the CPU. After functions related to some protocols such as BGP, OSPF, and LACP are enabled, packets of these protocols are also sent to the CPU. If packets sent to the CPU match both CPCAR and a traffic classification rule in a traffic policy, and the two actions conflict, whichever of CPCAR and the traffic policy has the higher precedence takes effect. Table 1 describes the precedence between CPCAR and traffic policies.
    Table 1 Precedence between CPCAR and traffic policies

    | Product Model | Precedence Details |
    |---|---|
    | S2700-EI, S2710-SI, S2720-EI, S2750-EI, S3700, S5700-LI, S5700S-LI, S5710-C-LI, S5710-X-LI, S5700-SI, S5700-EI, S5710-EI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5700-HI, S5710-HI, S5730-SI, S5730S-EI, S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI | Traffic policies take precedence over CPCAR. NOTE: For ARP packets to be sent to the CPU in the DHCP and NAC authentication services, CPCAR takes precedence over traffic policies. |
    | S6720-EI, S6720S-EI, S5720-EI, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S5720-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5730-HI, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S | CPCAR takes precedence over traffic policies. NOTE: On the S5720-EI running V200R007, traffic policies take precedence over CPCAR. On the S5720-EI running other versions, CPCAR takes precedence over traffic policies. |

Copyright © Huawei Technologies Co., Ltd.