
Licensing Requirements and Limitations for Deception

Involved Network Elements

The deception function needs to be used together with the Decoy.

Licensing Requirements

Deception is a basic feature of a switch and is not under license control.

Feature Support in V200R019C10

Only the following switch models support deception:

S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S

For details about software mappings, visit Hardware Query Tool and search for the desired product model.

Feature Limitations

  • You are advised to deploy DecoySensors on access switches.
  • There must be reachable routes between switches and the Decoy.
  • If a firewall is deployed between switches and the Decoy, you need to allow UDP ports 11514 and 10514 through the firewall.
  • The following configurations must be performed on the switch. Otherwise, the deception function does not take effect.
    • VLANIF interfaces are configured to send ARP packets destined for other devices to the CPU using the undo arp optimized-passby enable command.
    • The optimized ARP reply function is disabled using the arp optimized-reply disable command.
    • At least one of the detection network segment and the bait network segment must be configured.
  • The switch can only detect scanning of IP addresses on the same network segment as the primary IP address of the VLANIF interface.
  • A switch cannot use the virtual IP address of a VRRP group or the IP address of the management network interface to connect to a Decoy.
  • A bait network segment cannot contain the device management address or the "any" network segment (0.0.0.0). Otherwise, the devices cannot be managed remotely.
  • To enable the Agile Controller-Campus to deliver associated policies to switches, configure the free mobility function on the switches and ensure that the switches can communicate with the Agile Controller-Campus.
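The addressing limitations above can be checked against a deployment plan before any configuration is pushed. The following Python check is an added example, not Huawei tooling; the function names, parameters and all addresses are constructed for illustration, and a segment whose network address is 0.0.0.0 is assumed to be the "any" segment.

```python
import ipaddress


def check_deception_plan(bait_segments, detection_segments, mgmt_address,
                         mgmt_if_ip, decoy_source_ip, vrrp_virtual_ips=()):
    """Return a list of violated limitations (an empty list means the plan passes)."""
    problems = []
    mgmt = ipaddress.ip_address(mgmt_address)
    source = ipaddress.ip_address(decoy_source_ip)

    # At least one of the detection and bait segments must be configured.
    if not bait_segments and not detection_segments:
        problems.append("no detection or bait network segment configured")

    for seg in bait_segments:
        net = ipaddress.ip_network(seg, strict=False)
        # Assumption: a network address of 0.0.0.0 denotes the "any" segment.
        if int(net.network_address) == 0:
            problems.append(f"bait segment {net} is the any segment (0.0.0.0)")
        elif mgmt in net:
            # Also catches a supernet that merely covers the management address.
            problems.append(f"bait segment {net} contains management address {mgmt}")

    # The address used to reach the Decoy must not be a VRRP virtual IP
    # or the IP address of the management network interface.
    if source in {ipaddress.ip_address(v) for v in vrrp_virtual_ips}:
        problems.append(f"Decoy source {source} is a VRRP virtual IP")
    if source == ipaddress.ip_address(mgmt_if_ip):
        problems.append(f"Decoy source {source} is the management interface IP")
    return problems


def scan_detectable(vlanif_primary, target_ip):
    """True if target_ip is on the same segment as the VLANIF primary address."""
    segment = ipaddress.ip_interface(vlanif_primary).network
    return ipaddress.ip_address(target_ip) in segment


if __name__ == "__main__":
    # Constructed plan: the second bait segment is a supernet of the management address.
    for issue in check_deception_plan(
            bait_segments=["10.1.10.128/26", "10.1.0.0/16"], detection_segments=[],
            mgmt_address="10.1.99.5", mgmt_if_ip="192.168.0.1",
            decoy_source_ip="10.1.10.254", vrrp_virtual_ips=["10.1.10.254"]):
        print("VIOLATION:", issue)
    print(scan_detectable("10.1.10.1/24", "10.1.20.5"))  # different segment
```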
Copyright © Huawei Technologies Co., Ltd.