
deception aci timeout

Function

The deception aci timeout command sets the aging time of ACI entries.

The undo deception aci timeout command restores the default aging time of ACI entries.

By default, the aging time of ACI entries is 60s. When a new DNS reply packet arrives, the corresponding ACI entry is updated.

Format

deception aci timeout timeout-value

undo deception aci timeout

Parameters

Parameter: timeout-value

Description: Specifies the aging time of ACI entries.

Value: The value is an integer ranging from 10 to 300, in seconds.

Views

Deception view

Default Level

2: Configuration level

Usage Guidelines

The DecoySensor replaces the TTL in the DNS reply packet with the aging time configured in this command. The DNS TTL is the cache time of the DNS entries recorded by the terminal. After the time expires, the terminal initiates a DNS request again. After receiving the DNS reply packet, the DecoySensor updates the aging time of the corresponding ACI entry to ensure that the DNS entry recorded by the terminal and the ACI entry on the DecoySensor are aged or updated at the same time.

The ACI table is space-limited. If there are a large number of intranet DNS requests and the ACI table cannot store new mappings, traffic will be deceived or permitted based on the configuration of the deception aci lack decoy command. You can run the deception aci timeout command to set a shorter aging time for ACI entries.

If intranet access is stable and there are few DNS requests, you can set a longer aging time for ACI entries for better performance.
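The following Python model is an added illustration of the aging behaviour described above; it is not Huawei code. It assumes a hypothetical AciTable keyed by (client, resolved IP), and treats "traffic deceived or permitted when the table is full" as the outcome for any flow whose mapping could not be stored or has aged out.

```python
# Added example (not Huawei code): model of ACI-entry aging on a DecoySensor.
from dataclasses import dataclass


@dataclass
class AciEntry:
    domain: str
    ip: str
    expires_at: float  # absolute time at which the entry ages out


class AciTable:
    """Hypothetical ACI table: entries come from DNS replies and age out."""

    def __init__(self, timeout: int, capacity: int, lack_decoy: bool):
        # timeout-value is an integer from 10 to 300 seconds (default 60)
        if not 10 <= timeout <= 300:
            raise ValueError("timeout-value must be an integer from 10 to 300")
        self.timeout = timeout
        self.capacity = capacity          # the table is space-limited
        self.lack_decoy = lack_decoy      # 'deception aci lack decoy' configured?
        self.entries: dict[tuple[str, str], AciEntry] = {}

    def expire(self, now: float) -> None:
        """Drop entries whose aging time has elapsed."""
        self.entries = {k: e for k, e in self.entries.items() if e.expires_at > now}

    def on_dns_reply(self, now: float, client: str, domain: str, ip: str, ttl: int) -> int:
        """Process a DNS reply: refresh or create the ACI entry and return the
        TTL the terminal will see, which is the configured aging time, not the
        original TTL, so both sides age or update at the same moment."""
        self.expire(now)
        key = (client, ip)
        if key in self.entries:
            self.entries[key].expires_at = now + self.timeout   # updated on each reply
        elif len(self.entries) < self.capacity:
            self.entries[key] = AciEntry(domain, ip, now + self.timeout)
        # else: table full, mapping not stored; the lack policy decides later
        return self.timeout

    def classify(self, now: float, client: str, ip: str) -> str:
        """Return how a flow from client to ip is handled right now."""
        self.expire(now)
        if (client, ip) in self.entries:
            return "permit"
        return "deceive" if self.lack_decoy else "permit"
```

A shorter timeout-value keeps a full table turning over faster, at the cost of more DNS re-queries from terminals.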

Example

# Set the aging time of ACI entries to 100s.

<HUAWEI> system-view
[HUAWEI] deception
[HUAWEI-deception] deception aci timeout 100
Copyright © Huawei Technologies Co., Ltd.