| Feature Requirements | Series | Models |
|---|---|---|
| In the command `car { <protocol-name> \| index <index> \| whitelist \| whitelist-v6 \| blacklist \| user-defined-flow <flow-id> } { cir <cir-value> \| cbs <cbs-value> \| min-packet-length <min-packet-length-value> } *`, `<min-packet-length-value>` can be configured in the range 64-9600 (bytes), but the valid range is 64-8160 (bytes). You are advised to set the smallest packet compensation parameter properly. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| The priority fields (ToS, DSCP, and precedence) in an IPv6 CPU defense ACL do not take effect, and traffic is not matched against the priority fields. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| The Loopback-Detect/loop-detect principle cannot be used to detect a Layer 2 loop on a network that has a loop. Layer 2 loop detection and MAC flapping can be used as substitutes. The function is used to determine whether a link is reachable during the deployment phase. Disable the function after service cutover is complete to eliminate security risks. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| ACLs in local attack defense policies are not supported in the following scenarios: (1) A basic IPv4 rule that contains time-range configuration can be delivered but is not used to match packets. (2) A basic IPv6 rule that contains time-range configuration can be delivered but is not used to match packets. (3) An advanced IPv4 rule that contains time-range or packet-length configuration can be delivered but is not used to match packets. A rule with the protocol type being GRE can be delivered but is not used to match GRE packets. A rule with the operator for port numbers being neq (matching packets with the port number not equal to the specified port number) is not delivered. (4) An advanced IPv6 rule that contains time-range or packet-length configuration can be delivered but is not used to match packets. A rule with the operator for port numbers being neq (matching packets with the port number not equal to the specified port number) is not delivered. A rule with the protocol type being gre(47) or ipinip(4) is delivered but cannot match these types of protocol packets. If a packet unexpectedly matches an ACL, corresponding actions are implemented. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| When address pool-, port pool-, or port range-based rules are configured in a whitelist, blacklist, user-defined flow, or management protocol ACL, if the number of addresses or ports in the pool decreases or the port range is shortened, the rules with lower priorities become invalid temporarily. The number of rules that become temporarily invalid is determined by the number of deleted rules, and traffic cannot match those rules. You are advised to plan services properly. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| To prevent Tracert packet attacks, the device by default applies CPCAR-based rate limiting with a very small rate to packets from UDP ports 33434 to 33678. The bandwidth for sending packets from UDP ports 33434 to 33678 to the CPU is low, which may affect other services using these ports. You are advised not to use UDP ports 33434 to 33678 for services. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
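The ACL restrictions in the table above can be checked before a local attack defense policy is deployed, so that a rule that is silently inert is caught during review. The following is an added example, not vendor code: the function names, the keyword-based tokenising, the assumption that the protocol is the token after `permit`/`deny`, and the sample rule lines are all constructed for illustration.

```python
# Added example: flags ACL rule lines that the table above says are delivered
# but never match, are not delivered, or carry ignored IPv6 priority fields.
# Assumption: rules are whitespace-separated keywords; this is not the device parser.
DELIVERED_NO_MATCH = "delivered but never matches packets"
NOT_DELIVERED = "not delivered"
FIELD_IGNORED = "priority field is not matched"

# Protocol tokens the table lists as non-matching, per address family.
INERT_PROTOCOLS = {
    "ipv4": {"gre", "47"},
    "ipv6": {"gre", "47", "ipinip", "4"},
}

def rule_protocol(tokens):
    """Return the token after permit/deny (assumed protocol position), or None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("permit", "deny"):
            return tokens[i + 1]
    return None

def audit_rule(acl_kind, family, rule):
    """acl_kind: 'basic' or 'advanced'; family: 'ipv4' or 'ipv6'."""
    tokens = rule.lower().split()
    findings = []
    if "time-range" in tokens:  # applies to basic and advanced rules
        findings.append(("time-range", DELIVERED_NO_MATCH))
    if family == "ipv6":  # ToS, DSCP and precedence do not take effect for IPv6
        for field in ("tos", "dscp", "precedence"):
            if field in tokens:
                findings.append((field, FIELD_IGNORED))
    if acl_kind == "advanced":
        if "packet-length" in tokens:
            findings.append(("packet-length", DELIVERED_NO_MATCH))
        if "neq" in tokens:
            findings.append(("neq", NOT_DELIVERED))
        proto = rule_protocol(tokens)
        if proto in INERT_PROTOCOLS[family]:
            findings.append(("protocol " + proto, DELIVERED_NO_MATCH))
    return findings

# Constructed sample rules (not taken from a real configuration).
SAMPLES = [
    ("advanced", "ipv4", "rule 5 permit tcp source-port neq 80"),
    ("basic", "ipv6", "rule 10 permit source 2001:db8::/32 time-range worktime"),
    ("advanced", "ipv6", "rule 4 permit ipinip"),
]

if __name__ == "__main__":
    for kind, fam, text in SAMPLES:
        print(text, "->", audit_rule(kind, fam, text))
```

An empty result means the rule uses none of the constructs listed in the table; it does not confirm that the rule is otherwise valid on the device.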