Showing posts with label S6700. Show all posts

Thursday, June 30, 2016

After receiving an ICMP Request packet, a switch does not send it to the ICMP protocol stack but directly returns an ICMP Reply message. This process is called fast ICMP reply. Switches cannot accurately calculate the delay or jitter of ping packets that require high real-time performance: the protocol stack adds the sending and receiving timestamps to ping packets, the packets are frequently queued between the protocol stack and the hardware, and this task switching cannot ensure real-time performance of timestamps. In versions earlier than V100R006, fast ICMP reply is a common task. When a switch processes a large volume of service traffic, the reply delay is long due to task switching. In V100R006 and later versions, fast ICMP reply is a super task with a high priority. In most cases, the reply delay is about 1 ms. The actual delay depends on the CPU usage and is shorter than 100 ms.
NOTE:
By default, box switches have fast ICMP reply enabled in all versions.

The default aging time of ARP entries is 20 minutes. You can run the arp expire-time command to change the aging time.
You can also change the number of ARP probes by running the arp detect-times command. The default number of ARP probes is 3.
When the aging time of an ARP entry expires, the device sends a probe packet to the corresponding IP address every 5 seconds. If the device does not receive any response after the specified number of probes, it deletes the ARP entry.
For example, suppose the aging time of ARP entries is set to 60s and the number of ARP probes is set to 6.
60s after an ARP entry is generated, the device sends an ARP probe every 5s. If the device does not receive any response after sending six probes, it deletes the ARP entry. Therefore, the actual aging time of the ARP entry is (60 + 6 x 5) = 90s.
NOTE:
In V100R002, the S2700/S3700/S5700/S6700 supports the 1/2 probe time and 3/4 probe time. The number of probes at each of these two time points is 3 and cannot be changed. For example, if the aging time is 20 minutes (1200s) and the number of ARP probes is 6, the S2700/S3700/S5700/S6700 sends three ARP probes at an interval of 5s after 10 minutes. After 15 minutes, the S2700/S3700/S5700/S6700 also sends three ARP probes at an interval of 5s. After 20 minutes, the S2700/S3700/S5700/S6700 sends six ARP probes at an interval of 5s. If the S2700/S3700/S5700/S6700 does not receive any response, it deletes the ARP entry.
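
The probe timeline described above, computed for both behaviours, as an added example that is not part of the original post. It assumes the first probe goes out at the moment the aging time expires and that the host never answers; the function and parameter names are illustrative.

```python
PROBE_INTERVAL = 5  # seconds between ARP probes, as stated on the page


def arp_probe_schedule(expire_time, detect_times=3, legacy_v100r002=False):
    """Return (probe_times, delete_time) in seconds after the entry was learned.

    expire_time     -- value set with 'arp expire-time' (seconds)
    detect_times    -- value set with 'arp detect-times' (default 3)
    legacy_v100r002 -- also probe at 1/2 and 3/4 of the aging time

    Assumptions: the first probe of each round is sent exactly at the
    trigger time, and no probe is ever answered.
    """
    probes = []
    if legacy_v100r002:
        # V100R002 sends a fixed 3 probes at each of the two early time points.
        for num, den in ((1, 2), (3, 4)):
            start = expire_time * num // den
            probes += [start + i * PROBE_INTERVAL for i in range(3)]
    # Final round: detect_times probes starting when the aging time expires.
    probes += [expire_time + i * PROBE_INTERVAL for i in range(detect_times)]
    # The entry is removed one interval after the last unanswered probe,
    # which matches the page's (60 + 6 x 5) = 90s calculation.
    delete_time = expire_time + detect_times * PROBE_INTERVAL
    return probes, delete_time


if __name__ == "__main__":
    for label, args in (
        ("page example (60s, 6 probes)", (60, 6)),
        ("defaults (20 min, 3 probes)", (1200, 3)),
        ("V100R002 (20 min, 6 probes)", (1200, 6, True)),
    ):
        probes, deleted = arp_probe_schedule(*args)
        print(f"{label}: probes at {probes}, entry deleted at {deleted}s")
```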



Wednesday, April 13, 2016

What Is the Working Temperature of the Switch?

S2700

The temperature range of the S2700 is as follows:
  • Operating temperature:
    • S2710-52P-PWR-SI and S2700-52P-PWR-EI: 0°C to +50°C
    • Others: -5°C to +50°C
  • Storage temperature: -40°C to +70°C

S3700

The temperature range of the S3700-SI and S3700-EI is as follows:
  • Operating temperature: 0°C to +50°C
  • Storage temperature: -40°C to +70°C
The temperature range of the S3700-HI is as follows:
  • Operating temperature: -5°C to +55°C (altitude 0 to 1800 m)
  • Storage temperature: -40°C to +70°C
NOTE:
  • When the altitude is between 1800 m and 5000 m, the operating temperature reduces 1°C every time the altitude increases 220 m.

S5700

The temperature range of the S5710-C-LI, S5700-SI and S5700-EI is as follows:
  • Operating temperature: 0°C to +50°C
  • Storage temperature: -40°C to +70°C
The temperature range of the S5700-LI, S5700S-LI, and S5710-EI is as follows:
  • Operating temperature:
    • The operating temperature of the S5700-10P-PWR-LI-AC, S5700-28X-LI-24S-AC, S5700-28X-LI-24S-DC, S5701-28X-LI-24S-AC, S5700-52X-LI-48CS-AC, S5700S-28X-LI-AC, S5700S-52X-LI-AC, and S5700-10P-LI-AC is 0°C to +45°C at an altitude between 0 m and 1800 m.
    • Others: 0°C to +50°C (altitude 0 to 1800 m)
  • Storage temperature: -40°C to +70°C
The temperature range of the S5700-HI is as follows:
  • Operating temperature: -5°C to +55°C
  • Storage temperature: -40°C to +70°C
The temperature range of the S5710-X-LI, S5720-SI, S5720S-SI, S5720-EI, S5710-HI, and S5720-HI is as follows:
  • Operating temperature: 0°C to +45°C (altitude 0 to 1800 m)
  • Storage temperature: -40°C to +70°C
NOTE:
  • When the S5700-HI has the 40 km or longer transmission distance SFP+ module installed, the operating temperature range is -5°C to +50°C.
  • When the altitude is between 1800 m and 5000 m, the operating temperature reduces 1°C every time the altitude increases 220 m.

S6700

The temperature range of the S6700-EI is as follows:
  • Operating temperature: -5°C to +50°C
  • Storage temperature: -40°C to +70°C
The temperature range of the S6720-EI is as follows:
  • Operating temperature: 0°C to +45°C (altitude 0 to 1800 m)
  • Storage temperature: -40°C to +70°C
NOTE:
  • When the S6700-EI has the 40 km or longer transmission distance SFP+ module installed, the operating temperature range is -5°C to +45°C.
  • When the altitude is between 1800 m and 5000 m, the operating temperature reduces 1°C every time the altitude increases 220 m.

Temperature Display

The display environment command (changed to display temperature in V200R005 and later versions) displays the monitoring temperature, which is the highest temperature in the device but not the actual ambient temperature.
If no alarm is generated, the device is working normally and the temperature is within the allowed range.
NOTE:
You can run the temperature threshold command to set the threshold for the alarm temperature. You can run the display environment command (changed to display temperature in V200R005 and later versions) to view the threshold for the alarm temperature and the current temperature.

Wednesday, March 30, 2016

ARP Security Configuration Commands


This article introduces the ARP security settings on S2750, S5700, and S6700 series switches.
These settings prevent improper ARP configuration from affecting device performance and services.
The software version of the switch used in the experiment is V200R003C00.
This article covers only the most important ARP security commands; for more detailed information, refer to the device's help documentation.

arp-limit
Function
The arp-limit command sets the maximum number of ARP entries that an interface can dynamically learn.
The undo arp-limit command deletes the maximum number of ARP entries that an interface can dynamically learn.
By default, the maximum number of ARP entries that an interface can dynamically learn is the same as the number of ARP entries supported by the device.
Format
Ethernet interface view, 40GE interface view, GE interface view, GE sub-interface view, XGE interface view, XGE sub-interface view, Eth-Trunk interface view, Eth-Trunk sub-interface view, port group view
arp-limit vlan vlan-id1 [ to vlan-id2 ] maximum maximum
undo arp-limit vlan vlan-id1 [ to vlan-id2 ]
VLANIF interface view
arp-limit maximum maximum
undo arp-limit
Parameters
  • vlan vlan-id1 [ to vlan-id2 ]
    Description: Specifies the ID of a VLAN from which the maximum number of ARP entries an interface can dynamically learn is limited. This parameter is available only for Layer 2 interfaces.
    Where,
      • vlan-id1 specifies the first VLAN ID.
      • to vlan-id2 specifies the last VLAN ID. vlan-id2 must be larger than vlan-id1. vlan-id1 and vlan-id2 specify a range of VLANs. If to vlan-id2 is not specified, the device limits the maximum number of ARP entries an interface dynamically learns from the VLAN vlan-id1. If to vlan-id2 is specified, the device limits the maximum number of ARP entries an interface dynamically learns from each VLAN from vlan-id1 to vlan-id2.
    Value: The values of vlan-id1 and vlan-id2 are integers that range from 1 to 4094.
  • maximum maximum
    Description: Specifies the maximum number of ARP entries that an interface can dynamically learn.
    Value: The value is an integer that ranges from 1 to 2048 for the S5700SI, from 1 to 8192 for the S5700EI, from 1 to 16384 for the S5700HI and S5710HI, from 1 to 16384 for the S5710EI, from 1 to 256 for the S2750, S5700LI, and S5700S-LI, and from 1 to 8192 for the S6700.
Views
Ethernet interface view, 40GE interface view, GE interface view, GE sub-interface view, XGE interface view, XGE sub-interface view, Eth-Trunk interface view, Eth-Trunk sub-interface view, port group view, VLANIF interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To prevent ARP entries from being exhausted by ARP attacks from a host connecting to an interface on the device, set the maximum number of ARP entries that the interface can dynamically learn. When the number of the ARP entries learned by a specified interface reaches the maximum number, no dynamic ARP entry can be added.
Precautions
If the number of ARP entries learned by an interface exceeds the maximum number, the device neither learns new ARP entries nor clears the learned ARP entries. Instead, the device asks users to delete the excess ARP entries.
Example
# Configure VLANIF 10 to dynamically learn a maximum of 20 ARP entries.
<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp-limit maximum 20
# Configure GE0/0/1 to dynamically learn a maximum of 20 ARP entries corresponding to VLAN 10.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp-limit vlan 10 maximum 20

arp anti-attack rate-limit enable
Function
The arp anti-attack rate-limit enable command enables rate limit on ARP packets.
The undo arp anti-attack rate-limit enable command disables rate limit on ARP packets.
By default, rate limit on ARP packets is disabled.
Product Support
  • S2750: Not Supported
  • S5700: Supported (excluding S5700LI and S5700S-LI)
  • S6700: Supported
Format
arp anti-attack rate-limit enable
undo arp anti-attack rate-limit enable
Parameters
None
Views
System view, VLAN view, 40GE interface view, GE interface view, XGE interface view, port group view, Eth-Trunk interface view
Default Level
2: Configuration level
Usage Guidelines
When the device processes a large number of ARP packets, it does not have sufficient CPU resources to process other services. To protect CPU resources of the device, limit the rate of ARP packets.
You can run the arp anti-attack rate-limit enable command to enable rate limit on ARP packets. When the rate of ARP packets exceeds the limit, excess ARP packets are discarded. To set the rate limit and rate limit duration of ARP packets, run the arp anti-attack rate-limit command.
Example
# Enable rate limit on ARP packets globally.
<HUAWEI> system-view
[HUAWEI] arp anti-attack rate-limit enable

arp anti-attack rate-limit
Function
The arp anti-attack rate-limit command sets the maximum rate and rate limit duration of ARP packets globally, in a VLAN, or on an interface. On an interface, it can also enable the function of discarding all ARP packets received from the interface when the rate of ARP packets exceeds the limit.
The undo arp anti-attack rate-limit command restores the default maximum rate and rate limit duration of ARP packets globally, in a VLAN, or on an interface, and allows the device to send ARP packets to the CPU again.
By default, a maximum of 100 ARP packets are allowed to pass in 1 second, and the function of discarding all ARP packets received from the interface when the rate of ARP packets exceeds the limit is disabled.
Product Support
  • S2750: Not Supported
  • S5700: Supported (excluding S5700LI and S5700S-LI)
  • S6700: Supported
Format
System view, VLAN view
arp anti-attack rate-limit packet packet-number [ interval interval-value ]
undo arp anti-attack rate-limit
Interface view
arp anti-attack rate-limit packet packet-number [ interval interval-value | block-timer timer ]*
undo arp anti-attack rate-limit
Parameters
  • packet packet-number
    Description: Specifies the maximum rate of sending ARP packets, that is, the number of ARP packets allowed to pass through in the rate limit duration.
    Value: The value is an integer that ranges from 1 to 16384. The default value is 100.
  • interval interval-value
    Description: Specifies the rate limit duration of ARP packets.
    Value: The value is an integer that ranges from 1 to 86400, in seconds. The default value is 1 second.
  • block-timer timer
    Description: Specifies the duration for blocking ARP packets.
    Value: The value is an integer that ranges from 5 to 864000, in seconds.
Views
System view, VLAN view, 40GE interface view, GE interface view, XGE interface view, port group view, Eth-Trunk interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After rate limit on ARP packets is enabled, run the arp anti-attack rate-limit command to set the maximum rate and rate limit duration of ARP packets globally, in a VLAN, or on an interface. In the rate limit duration, if the number of received ARP packets exceeds the limit, the device discards the excess ARP packets.
If the parameter block-timer timer is specified, the device discards all ARP packets received in the duration specified by timer.
Prerequisites
Rate limit on ARP packets has been enabled globally, in a VLAN, or on an interface using the arp anti-attack rate-limit enable command.
Precautions
If the maximum rate and rate limit duration are configured in the system view, VLAN view, and interface view, the device uses the configurations in the interface view, VLAN view, and system view in order.
If the maximum rate and rate limit duration are set globally or on an interface at the same time, the configurations on an interface and globally take effect in descending order of priority.
NOTE:
The arp anti-attack rate-limit command takes effect only on ARP packets sent to the CPU for processing in non-block mode, and does not affect ARP packet forwarding by the chip. In block mode, the device discards subsequent ARP packets on the interface only when the number of ARP packets sent to the CPU exceeds the limit.
Example
# Configure GE0/0/1 to allow 200 ARP packets to pass through in 10 seconds, and configure GE0/0/1 to discard all ARP packets for 60 seconds when the number of ARP packets exceeds the limit.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit packet 200 interval 10 block-timer 60
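
A small Python model of the configuration above, added here as an illustration and not taken from the device documentation: it compares non-block mode with block-timer 60 on the same traffic. It assumes packets are counted in fixed windows (the page does not say how the device measures the interval); the class name, function names, and traffic are constructed.

```python
class ArpRateLimiter:
    """Model of: arp anti-attack rate-limit packet N interval S [block-timer T].

    Assumption: packets are counted in fixed windows of S seconds.
    """

    def __init__(self, packet=100, interval=1, block_timer=0):
        self.packet = packet            # page default: 100 packets ...
        self.interval = interval        # ... per 1 second
        self.block_timer = block_timer  # 0 = non-block mode
        self.window_start = None
        self.count = 0
        self.blocked_until = None

    def accept(self, t):
        """True if an ARP packet arriving at time t (seconds) reaches the CPU."""
        if self.blocked_until is not None:
            if t < self.blocked_until:
                return False            # block mode: every packet is discarded
            self.blocked_until = None
            self.window_start = None    # start counting afresh after the block
        if self.window_start is None or t - self.window_start >= self.interval:
            self.window_start, self.count = t, 0
        self.count += 1
        if self.count <= self.packet:
            return True
        if self.block_timer:
            self.blocked_until = t + self.block_timer
        return False                    # excess packet is discarded


def simulate(limiter, arrivals):
    """Return (passed, dropped) for a sorted list of arrival times."""
    passed = sum(1 for t in arrivals if limiter.accept(t))
    return passed, len(arrivals) - passed


def constructed_traffic():
    """Constructed sample: a 10 s burst at 50 pkt/s, then 1 pkt/s until t=119."""
    burst = [i / 50 for i in range(500)]
    normal = [float(t) for t in range(10, 120)]
    return burst + normal


if __name__ == "__main__":
    traffic = constructed_traffic()
    print("non-block:", simulate(ArpRateLimiter(200, 10), traffic))
    print("block 60s:", simulate(ArpRateLimiter(200, 10, 60), traffic))
```

With this constructed traffic, non-block mode passes all 110 packets that arrive after the burst, while the 60-second block discards 54 of them, so a long block-timer also delays ARP resolution for well-behaved hosts on that interface.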

