The deception decoy-network command configures a bait network segment.
The undo deception decoy-network command deletes a bait network segment.
By default, no bait network segment is configured on the switch.
deception decoy-network id id-number destination ip-address [ mask ] [ destination-port port &<1-20> ] [ vpn-instance vpn-instance-name ]
undo deception decoy-network { all | id id-number }
Parameter | Description | Value |
---|---|---|
id id-number | Specifies the ID of a bait network segment. | The value is an integer in the range from 1 to 50. |
destination ip-address [ mask ] | Specifies the destination IP address, and optionally the mask, of the bait network segment. | The value is in dotted decimal notation. |
destination-port port | Specifies the destination TCP port number. NOTE: If this parameter is specified, scanning traffic is lured as soon as this TCP port, or the IP address that the port belongs to, is scanned. | The value is an integer in the range from 1 to 65535. |
vpn-instance vpn-instance-name | Specifies the VPN instance for the bait network segment. | The VPN instance must be an existing one on the device. |
all | Specifies all bait network segments. | - |
Usage Scenario
After a bait network segment is configured, the switch does not check whether the IP addresses in the bait network segment are online. If any IP address or TCP port in the bait network segment is scanned, the switch lures the scanning traffic to the Decoy for further attack detection. Therefore, assign idle (unused) IP addresses to the bait network segment.
Precautions
A bait network segment cannot contain the device management address or the any-network segment (0.0.0.0). Otherwise, the device can no longer be managed remotely.
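A pre-deployment check, added here as an example and not part of the Huawei documentation, that validates candidate deception decoy-network commands against the parameter ranges in the table above and the precaution about the management address and 0.0.0.0. The command grammar, the management address argument and the sample commands are assumptions for the example.

```python
# Added example (not from the switch documentation): check decoy-network
# commands before pushing them, so a bait segment never swallows the
# management address or the any-network segment (0.0.0.0).
import ipaddress
import re

# Mirrors the syntax on this page; the vpn-instance group is parsed but unused.
CMD_RE = re.compile(
    r"^deception decoy-network id (?P<id>\d+) destination (?P<ip>\S+)"
    r"(?: (?P<mask>\d+\.\d+\.\d+\.\d+))?"
    r"(?: destination-port (?P<ports>[\d ]+?))?"
    r"(?: vpn-instance (?P<vpn>\S+))?$"
)


def check_decoy_network(command: str, management_ip: str) -> list[str]:
    """Return the problems found; an empty list means the command is acceptable."""
    problems: list[str] = []
    m = CMD_RE.match(command.strip())
    if not m:
        return ["syntax does not match the deception decoy-network format"]
    seg_id = int(m["id"])
    if not 1 <= seg_id <= 50:
        problems.append(f"id {seg_id} is outside 1-50")
    try:
        # No mask means a single host; strict=False keeps host bits of a masked address.
        mask = m["mask"] or "255.255.255.255"
        net = ipaddress.ip_network(f"{m['ip']}/{mask}", strict=False)
    except ValueError as exc:
        return problems + [f"bad destination: {exc}"]
    # Precaution: the any-network segment (0.0.0.0) must not be a bait segment.
    if net.network_address == ipaddress.IPv4Address("0.0.0.0") or net.prefixlen == 0:
        problems.append("segment 0.0.0.0 would lure management traffic")
    # Precaution: the bait segment must not contain the device management address.
    if ipaddress.ip_address(management_ip) in net:
        problems.append(f"segment {net} contains management address {management_ip}")
    if m["ports"]:
        ports = [int(p) for p in m["ports"].split()]
        if len(ports) > 20:  # destination-port port &<1-20>
            problems.append(f"{len(ports)} ports given, maximum is 20")
        bad = [p for p in ports if not 1 <= p <= 65535]
        if bad:
            problems.append(f"ports outside 1-65535: {bad}")
    return problems
```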