Abstract
This paper recommends restricting user access by configuring the blacklist function of the CPU anti-attack feature, rather than by configuring a flow policy. Huawei S-series switches have the CPCAR function, and on some of these switches CPCAR takes priority over the flow policy. As a result, packets sent up to the switch CPU cannot be discarded by configuring a flow policy, and in certain application scenarios users can still access the switch after a flow policy has been configured on it. The paper describes the symptoms of this inability to restrict user access through a flow policy, analyzes the cause of the fault, and gives the corresponding solutions.
Authors
王井丰
高峰
谷金宇
刘晋翰
赵俊哲
WANG Jingfeng; GAO Feng; GU Jinyu; LIU Jinhan; ZHAO Junzhe (PLA 63850, Jilin, 137001, China)
Source
《电子技术(上海)》
2022, Issue 8, pp. 34-37 (4 pages)
Electronic Technology