AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.

Local Attack Defense Configuration Commands

NOTE:
  • The AR510 series supports CPCAR only; the other devices do not support local attack defense.

application-apperceive

Function

The application-apperceive command sets the rate limit for Secure Shell (SSH), Telecommunication Network Protocol (Telnet), Secure Shell Version 6 (SSHv6), Telecommunication Network Protocol Version 6 (Telnetv6), Hypertext Transfer Protocol (HTTP), Border Gateway Protocol (BGP), or File Transfer Protocol (FTP) packets after active link protection (ALP) is enabled.

The undo application-apperceive command restores the default rate limit for SSH, Telnet, SSHv6, Telnetv6, HTTP, BGP, or FTP packets.

By default, the rate limit for SSH, Telnet, SSHv6, Telnetv6, HTTP, and BGP packets is 512 pps, and the rate limit for FTP packets is 1024 pps.

Format

application-apperceive packet-type { ssh | telnet | sshv6 | telnetv6 | bgp | ftp | http } rate-limit rate-value

undo application-apperceive packet-type { ssh | telnet | sshv6 | telnetv6 | bgp | ftp | http }

Parameters

Parameter

Description

Value

packet-type { ssh | telnet | sshv6 | telnetv6 | bgp | ftp | http }

Specifies a packet type.

  • ssh: Indicates that the protocol type is SSH.

  • telnet: Indicates that the protocol type is Telnet.

  • sshv6: Indicates that the protocol type is SSHv6.

  • telnetv6: Indicates that the protocol type is Telnetv6.

  • bgp: Indicates that the protocol type is BGP.

  • ftp: Indicates that the protocol type is FTP.

    NOTE:

    If ftp is specified, the rate limit for FTP packets also takes effect for TFTP packets.

  • http: Indicates that the protocol type is HTTP.

-

rate-limit rate-value

Specifies the rate limit of protocol packets.

The value is an integer that ranges from 64 to 32768, in pps.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The default rate limit for application protocol packets such as FTP packets is low. To transmit these packets at a higher rate, run the application-apperceive command.

Precautions

If you run the application-apperceive command with the same protocol type specified in the same attack defense policy view multiple times, only the latest configuration takes effect.

This command takes effect only when active link protection is enabled by the cpu-defend application-apperceive enable command.

Example

# Set the rate limit for FTP packets in the attack defense policy mypolicy to 1260 pps after ALP is enabled.

<Huawei> system-view
[Huawei] cpu-defend policy mypolicy
[Huawei-cpu-defend-policy-mypolicy] application-apperceive packet-type ftp rate-limit 1260

auto-defend enable

Function

The auto-defend enable command enables automatic attack source tracing.

The undo auto-defend enable command disables automatic attack source tracing.

By default, attack source tracing is disabled.

Format

auto-defend enable

undo auto-defend enable

Parameters

None

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A large number of attack packets may attack the device CPU. Attack source tracing enables the device to trace attack sources and send logs or alarms to notify the administrator so that the administrator can take measures to defend against the attacks. By default, logs are sent to notify the administrator if attack source tracing is enabled.

After automatic attack source tracing is enabled, the device traces the source of the specified packets sent to the CPU. The packet type can be set using the auto-defend protocol command.

Precautions

Attack source tracing configured in an attack defense policy takes effect only when the attack defense policy is applied in the system view.

Example

# Enable attack source tracing in the attack defense policy named test.

<Huawei> system-view
[Huawei] cpu-defend policy test
[Huawei-cpu-defend-policy-test] auto-defend enable

auto-defend action

Function

The auto-defend action command configures the device to discard packets sent from attack sources.

The undo auto-defend action command configures the device not to discard packets sent from attack sources.

By default, the device does not discard packets sent from attack sources.

Format

auto-defend action deny [ timer time-length ]

undo auto-defend action

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| deny | Configures the device to discard packets sent from an attack source. | - |
| timer time-length | Specifies the duration in which the device discards packets sent from an attack source. | The value is an integer that ranges from 5 to 86400, in seconds. |

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The attack source tracing process consists of four phases: packet parsing, traffic analysis, attack source identification, and attack source punishment. The auto-defend action command applies to the attack source punishment phase. The device discards the packets sent from the identified source.

The auto-defend action command configures the device to punish attack sources. When the device detects an attacker, it discards packets sent from the attack source. This protects the device against attacks.

Prerequisites

Attack source tracing has been enabled using the auto-defend enable command.

Precautions

The device punishes an attack source for the duration specified by timer time-length. When the duration expires, the device stops discarding packets sent from this attack source. If the attack source continues attacking the device, the device starts to discard packets sent from this attack source again.

Example

# Configure the device to discard packets sent from an attack source, and set the duration to 20000 seconds.

<Huawei> system-view
[Huawei] cpu-defend policy mypolicy
[Huawei-cpu-defend-policy-mypolicy] auto-defend enable
[Huawei-cpu-defend-policy-mypolicy] auto-defend action deny timer 20000

auto-defend alarm enable

Function

The auto-defend alarm enable command enables the event reporting function for attack source tracing.

The undo auto-defend alarm enable command disables the event reporting function for attack source tracing.

By default, the event reporting function for attack source tracing is disabled.

Format

auto-defend alarm enable

undo auto-defend alarm enable

Parameters

None

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the number of packets of a specified protocol from an attack source exceeds the threshold in a specified period, the device reports an event to the administrator so that the administrator can take measures to protect the device.

Prerequisites

Attack source tracing has been enabled using the auto-defend enable command.

Follow-up Procedure

Run the auto-defend alarm threshold command to set the event reporting threshold for attack source tracing.

Example

# Enable the event reporting function in the attack defense policy test.

<Huawei> system-view
[Huawei] cpu-defend policy test
[Huawei-cpu-defend-policy-test] auto-defend enable
[Huawei-cpu-defend-policy-test] auto-defend alarm enable

auto-defend alarm threshold

Function

The auto-defend alarm threshold command sets the event reporting threshold for attack source tracing.

The undo auto-defend alarm threshold command restores the default event reporting threshold for attack source tracing.

By default, the event reporting threshold for attack source tracing is 128 pps.

Format

auto-defend alarm threshold threshold

undo auto-defend alarm threshold

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| threshold | Specifies the event reporting threshold for attack source tracing. | The value is an integer that ranges from 1 to 65535, in pps. |

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the number of packets of a specified protocol from an attack source exceeds the threshold in a specified period, the device reports an event to the administrator so that the administrator can take measures to protect the device.

Prerequisites

Attack source tracing has been enabled using the auto-defend enable command, and the event reporting function for attack source tracing has been enabled using the auto-defend alarm enable command.

Precautions

If you run the auto-defend alarm threshold command in the same attack defense policy view multiple times, only the latest configuration takes effect.

Example

# Set the event reporting threshold for attack source tracing in the attack defense policy named test to 300 pps.

<Huawei> system-view
[Huawei] cpu-defend policy test
[Huawei-cpu-defend-policy-test] auto-defend enable
[Huawei-cpu-defend-policy-test] auto-defend alarm enable
[Huawei-cpu-defend-policy-test] auto-defend alarm threshold 300

auto-defend protocol

Function

The auto-defend protocol command specifies the types of protocol packets that the device monitors in attack source tracing.

The undo auto-defend protocol command deletes specified types of protocol packets that the device monitors in attack source tracing.

By default, the device traces sources of ARP, DHCP, ICMP, IGMP, Telnet, TCP, and TTL-expired packets in attack source tracing.

Format

auto-defend protocol { all | { arp | dhcp | icmp | igmp | tcp | telnet | ttl-expired } * }

undo auto-defend protocol { arp | dhcp | icmp | igmp | tcp | telnet | ttl-expired } *

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| all | Configures the device to trace sources of ARP, DHCP, ICMP, IGMP, Telnet, TCP, and TTL-expired packets in attack source tracing. | - |
| arp | Adds Address Resolution Protocol (ARP) packets to the list of traced packets or deletes ARP packets from the list. | - |
| dhcp | Adds Dynamic Host Configuration Protocol (DHCP) packets to the list of traced packets or deletes DHCP packets from the list. | - |
| icmp | Adds Internet Control Message Protocol (ICMP) packets to the list of traced packets or deletes ICMP packets from the list. | - |
| igmp | Adds Internet Group Management Protocol (IGMP) packets to the list of traced packets or deletes IGMP packets from the list. | - |
| tcp | Adds Transmission Control Protocol (TCP) packets to the list of traced packets or deletes TCP packets from the list. | - |
| telnet | Adds Telnet packets to the list of traced packets or deletes Telnet packets from the list. | - |
| ttl-expired | Adds packets with the TTL value of 1 to the list of traced packets or deletes these packets from the list. | - |

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The attack source tracing process consists of four phases: packet parsing, traffic analysis, attack source identification, and attack source punishment. The auto-defend protocol command applies to the packet parsing phase. When an attack occurs, you cannot identify the type of attack packets. The auto-defend protocol command allows you to flexibly specify the types of traced packets.

Prerequisites

Attack source tracing has been enabled using the auto-defend enable command.

Precautions

If you run the auto-defend protocol command multiple times, multiple packet types are specified.

If a packet type is specified, when the device is attacked and the attack source is traced, you can run the display auto-defend attack-source command to view attack source information.

Example

# Delete IGMP and TTL-expired packets from the list of traced packets.

<Huawei> system-view
[Huawei] cpu-defend policy test
[Huawei-cpu-defend-policy-test] auto-defend enable
[Huawei-cpu-defend-policy-test] undo auto-defend protocol igmp ttl-expired

auto-defend threshold

Function

The auto-defend threshold command sets the checking threshold for attack source tracing.

The undo auto-defend threshold command restores the default checking threshold for attack source tracing.

By default, the checking threshold for attack source tracing is 128 pps.

Format

auto-defend threshold threshold

undo auto-defend threshold

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| threshold | Specifies the checking threshold for attack source tracing. | The value is an integer that ranges from 1 to 65535, in pps. |

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After attack source tracing is enabled, you can set the checking threshold for attack source tracing. When the number of sent protocol packets from an attack source in a specified period exceeds the checking threshold, the device traces and logs the attack source.

Prerequisites

Attack source tracing has been enabled using the auto-defend enable command.

Precautions

If you run the auto-defend threshold command in the same attack defense policy view multiple times, only the latest configuration takes effect.

After the auto-defend enable command is executed, the device traces the attack source based on the default threshold and logs the attack source even if the auto-defend threshold command is not used.

Example

# Set the checking threshold for attack source tracing in the attack defense policy named test to 200 pps.

<Huawei> system-view
[Huawei] cpu-defend policy test
[Huawei-cpu-defend-policy-test] auto-defend enable
[Huawei-cpu-defend-policy-test] auto-defend threshold 200

auto-defend trace-type

Function

The auto-defend trace-type command configures an attack source tracing mode.

The undo auto-defend trace-type command deletes an attack source tracing mode.

By default, attack source tracing is based on source MAC addresses, source IP addresses, and source ports+VLANs.

Format

auto-defend trace-type { source-mac | source-ip | source-portvlan } *

undo auto-defend trace-type { source-mac | source-ip | source-portvlan } *

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| source-mac | Configures attack source tracing based on source MAC addresses so that the device classifies and collects statistics based on the source MAC address and identifies the attack source. | - |
| source-ip | Configures attack source tracing based on source IP addresses so that the device classifies and collects statistics based on the source IP address and identifies the attack source. | - |
| source-portvlan | Configures attack source tracing based on source ports+VLANs so that the device classifies and collects statistics based on the source port and VLAN and identifies the attack source. | - |

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After enabling attack source tracing, you can specify one or more attack source tracing modes. The device then uses the specified modes to trace attack sources.

The device supports the following attack source tracing modes:

  • Source IP address-based tracing: defends against Layer 3 attack packets.
  • Source MAC address-based tracing: defends against Layer 2 attack packets with a fixed source MAC address.
  • Source port+VLAN based tracing: defends against Layer 2 attack packets with different source MAC addresses.

Prerequisites

Attack source tracing has been enabled using the auto-defend enable command.

Precautions

If you run the auto-defend trace-type command multiple times, multiple attack source tracing modes are specified.

After the attack source tracing function is enabled on the device, you can run the display auto-defend attack-source command to view attack source tracing information if an attack occurs.

By default, the device traces attack sources based on source MAC addresses, source IP addresses, and source ports+VLANs. To cancel an attack source tracing mode, run the undo auto-defend trace-type command.

Example

# Configure attack source tracing based on source MAC addresses.

<Huawei> system-view
[Huawei] cpu-defend policy test 
[Huawei-cpu-defend-policy-test] auto-defend enable
[Huawei-cpu-defend-policy-test] undo auto-defend trace-type source-ip source-portvlan

blacklist

Function

The blacklist command configures a blacklist.

The undo blacklist command deletes a blacklist.

By default, no blacklist is configured.

Format

blacklist blacklist-id acl acl-number

undo blacklist blacklist-id

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| blacklist-id | Specifies the ID of a blacklist. | The value is an integer that ranges from 1 to 8. |
| acl acl-number | Specifies the number of an Access Control List (ACL) referenced by a blacklist. | The value is an integer that ranges from 2000 to 4999. 2000 to 2999: basic ACLs; 3000 to 3999: advanced ACLs; 4000 to 4999: Layer 2 ACLs. |

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To defend against malicious packet attacks, the device uses ACLs to add users with specific characteristics to a blacklist and discards the packets from the users in the blacklist.

A maximum of 8 blacklists can be configured in an attack defense policy on the device.

Precautions

If multiple blacklists need to be configured in an attack defense policy:

  • Layer 2 ACLs and basic ACLs cannot be used together in these blacklists.
  • Layer 2 ACLs and advanced ACLs cannot be used together in these blacklists.
  • Basic ACLs, advanced ACLs, and Layer 2 ACLs cannot be used together in these blacklists.

For example:

  • Three blacklists are configured in the attack defense policy mypolicyA: blacklist1, blacklist2, and blacklist3. If blacklist1 uses a basic ACL, blacklist2 and blacklist3 can use only basic ACLs or advanced ACLs but not Layer 2 ACLs.

  • Three blacklists are configured in the attack defense policy mypolicyB: blacklist1, blacklist2, and blacklist3. If blacklist1 uses a Layer 2 ACL, blacklist2 and blacklist3 can use only Layer 2 ACLs.

Example

# Specify ACL 2001 as the rule of blacklist 2.

<Huawei> system-view
[Huawei] cpu-defend policy test
[Huawei-cpu-defend-policy-test] blacklist 2 acl 2001

cpu-defend application-apperceive enable

Function

The cpu-defend application-apperceive enable command enables active link protection (ALP).

The undo cpu-defend application-apperceive enable command disables ALP.

By default, ALP is enabled for SSH, Telnet, SSHv6, Telnetv6, FTP, BGP, and HTTP.

Format

cpu-defend application-apperceive [ ssh | telnet | sshv6 | telnetv6 | bgp | ftp | http ] enable

undo cpu-defend application-apperceive [ ssh | telnet | sshv6 | telnetv6 | bgp | ftp | http ] enable

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| ssh | Indicates that the protocol type is SSH. | - |
| telnet | Indicates that the protocol type is Telnet. | - |
| sshv6 | Indicates that the protocol type is SSHv6. | - |
| telnetv6 | Indicates that the protocol type is Telnetv6. | - |
| bgp | Indicates that the protocol type is BGP. | - |
| ftp | Indicates that the protocol type is FTP. NOTE: If ftp is specified, ALP for FTP packets also takes effect for TFTP packets. | - |
| http | Indicates that the protocol type is HTTP. | - |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

ALP protects session-based application layer data, including data of SSH sessions, Telnet sessions, SSHv6 sessions, Telnetv6 sessions, HTTP sessions, FTP sessions, and BGP sessions, to ensure uninterrupted services when attacks occur.

  • When the device communicates with another host or device using FTP, burst traffic of FTP packets occurs. As a result, burst traffic is discarded because it exceeds the rate limit after ALP is enabled on the device, or services are interrupted because other FTP packets attack the device.

  • When the device attempts to establish a BGP, an HTTP, an SSH, a Telnet, an SSHv6, or a Telnetv6 connection with another host or device, burst traffic of BGP, HTTP, SSH, Telnet, SSHv6, or Telnetv6 packets occurs. As a result, burst traffic is discarded because it exceeds the rate limit after ALP is enabled on the device, or a BGP, an HTTP, an SSH, a Telnet, an SSHv6, or a Telnetv6 connection fails to be established because other BGP, HTTP, SSH, Telnet, SSHv6, or Telnetv6 packets attack the device.

When the device detects setup of an SSH session, a Telnet session, an SSHv6 session, a Telnetv6 session, an HTTP session, a BGP session, or an FTP session, ALP is enabled to protect the session. The packets matching characteristics of the session are sent at a high rate; therefore, reliability and stability of session-related services are ensured.

Follow-up Procedure

Run the cpu-defend-policy command on an LPU to apply the attack defense policy. Then the device protects data flows using the rate limit specified in the active link protection function.

Example

# Enable ALP so that the ALP rate limit configured in the attack defense policy mypolicy takes effect on the main control board.

<Huawei> system-view
[Huawei] cpu-defend policy mypolicy
[Huawei-cpu-defend-policy-mypolicy] application-apperceive packet-type ftp rate-limit 12600
[Huawei-cpu-defend-policy-mypolicy] quit
[Huawei] cpu-defend application-apperceive enable
[Huawei] cpu-defend-policy mypolicy

cpu-defend policy

Function

The cpu-defend policy command creates an attack defense policy and displays the attack defense policy view.

The undo cpu-defend policy command deletes an attack defense policy.

By default, the default attack defense policy exists on the device and is applied to all boards. The default attack defense policy cannot be deleted or modified.

Format

cpu-defend policy policy-name

undo cpu-defend policy policy-name

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| policy-name | Specifies the name of an attack defense policy. | The value is a string of 1 to 31 case-sensitive characters without spaces. |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A large number of packets including malicious attack packets are sent to the CPU on a network. If excess packets are sent to the CPU, the CPU usage becomes high and CPU performance deteriorates. The attack packets affect services and may even cause system breakdown. To solve the problem, create an attack defense policy and configure CPU attack defense and attack source tracing in the attack defense policy.

Precautions

The device supports a maximum of 19 attack defense policies, including the default attack defense policy. The default attack defense policy is generated in the system by default and is applied to all boards. The default attack defense policy cannot be deleted or modified. The other 18 policies can be created, modified, and deleted.

The configuration in a user-defined attack defense policy overrides the configuration in the default attack defense policy. If no parameter is set in the user-defined attack defense policy, the configuration in the default attack defense policy is used.

Example

# Create an attack defense policy named test.

<Huawei> system-view
[Huawei] cpu-defend policy test
[Huawei-cpu-defend-policy-test] 

cpu-defend-policy

Function

The cpu-defend-policy command applies an attack defense policy.

The undo cpu-defend-policy command cancels the application of an attack defense policy.

By default, the default attack defense policy is applied to all cards.

Format

cpu-defend-policy policy-name [ global | slot slot-id ]

undo cpu-defend-policy [ global | slot slot-id ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| policy-name | Specifies the name of an attack defense policy. | The value is a string of 1 to 31 case-sensitive characters without spaces. |
| global | Indicates that the attack defense policy is applied globally. If global is specified, the attack defense policy is applied to all interface cards. | - |
| slot slot-id | Indicates that the attack defense policy is applied locally. slot-id specifies the slot ID of the LPU. If slot is specified, the attack defense policy is applied to specified interface cards. NOTE: If either global or slot is specified, the attack defense policy is applied on the main control board. | Set slot-id according to the device configuration. |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An attack defense policy takes effect only when it is applied to a board and only one attack defense policy can be applied to a board.

Prerequisites

An attack defense policy has been created by using the cpu-defend policy command.

Precautions

If an attack defense policy has been applied to an LPU in a specified slot, you must run the undo cpu-defend-policy slot slot-id command to unbind the attack defense policy from the LPU so that you can run the cpu-defend-policy policy-name global command to apply the attack defense policy to all LPUs.

Example

# Apply the attack defense policy named test to the main control board.

<Huawei> system-view
[Huawei] cpu-defend policy test
[Huawei-cpu-defend-policy-test] quit
[Huawei] cpu-defend-policy test

# Apply the attack defense policy named test to all cards.

<Huawei> system-view
[Huawei] cpu-defend policy test
[Huawei-cpu-defend-policy-test] quit
[Huawei] cpu-defend-policy test global
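
The value ranges, prerequisites and precautions stated for the commands above can be checked on a change script before it is pushed to a device. The following is an added example, not Huawei code: it reads a CLI transcript in the prompt format used on this page and reports violations. The policy names `edge` and `core`, the sample script and the finding codes are constructed for illustration.

```python
import re

# Value ranges exactly as stated in the parameter tables of this reference.
NUMERIC = [
    (r"application-apperceive packet-type \S+ rate-limit (\d+)", 64, 32768),
    (r"auto-defend threshold (\d+)", 1, 65535),
    (r"auto-defend alarm threshold (\d+)", 1, 65535),
    (r"auto-defend action deny timer (\d+)", 5, 86400),
]
ACL_KINDS = (("basic", 2000, 2999), ("advanced", 3000, 3999), ("layer2", 4000, 4999))
BLACKLIST = re.compile(r"blacklist (\d+) acl (\d+)")
PROMPT = re.compile(r"^\s*(?:<[^>]+>|\[[^\]]+\])\s*")  # "<Huawei>" or "[Huawei-...]"

# Constructed sample change script; the policy names "edge" and "core" are made up.
SAMPLE = """\
<Huawei> system-view
[Huawei] cpu-defend policy edge
[Huawei-cpu-defend-policy-edge] auto-defend threshold 200
[Huawei-cpu-defend-policy-edge] auto-defend action deny timer 3
[Huawei-cpu-defend-policy-edge] blacklist 1 acl 2001
[Huawei-cpu-defend-policy-edge] blacklist 2 acl 4001
[Huawei-cpu-defend-policy-edge] quit
[Huawei] cpu-defend policy core
[Huawei-cpu-defend-policy-core] auto-defend enable
[Huawei-cpu-defend-policy-core] auto-defend alarm enable
[Huawei-cpu-defend-policy-core] auto-defend alarm threshold 300
[Huawei-cpu-defend-policy-core] application-apperceive packet-type ftp rate-limit 1260
[Huawei-cpu-defend-policy-core] quit
[Huawei] cpu-defend-policy core global
"""


def check_policy(cmds, applied):
    """Return (code, detail) findings for the commands of one policy.

    Prerequisites are judged on the final state of the script, not on order.
    """
    out, kinds = [], set()
    tracing = alarm = needs_tracing = needs_alarm = False
    for line in cmds:
        undo = line.startswith("undo ")
        body = line[5:] if undo else line
        if body == "auto-defend enable":
            tracing = not undo
        elif body == "auto-defend alarm enable":
            alarm = not undo
        if undo:
            continue  # other undo forms are not range- or prerequisite-checked
        if body.startswith("auto-defend ") and body != "auto-defend enable":
            needs_tracing = True
        if body.startswith("auto-defend alarm threshold "):
            needs_alarm = True
        for pattern, lo, hi in NUMERIC:
            m = re.fullmatch(pattern, body)
            if m and not lo <= int(m.group(1)) <= hi:
                out.append(("RANGE", f"'{body}': value must be {lo}..{hi}"))
        m = BLACKLIST.fullmatch(body)
        if m:
            bl_id, acl = int(m.group(1)), int(m.group(2))
            kind = next((k for k, lo, hi in ACL_KINDS if lo <= acl <= hi), None)
            if not 1 <= bl_id <= 8:
                out.append(("RANGE", f"'{body}': blacklist-id must be 1..8"))
            if kind is None:
                out.append(("RANGE", f"'{body}': acl-number must be 2000..4999"))
            else:
                kinds.add(kind)
    if needs_tracing and not tracing:
        out.append(("PREREQ", "auto-defend settings without 'auto-defend enable'"))
    if needs_alarm and not alarm:
        out.append(("PREREQ", "alarm threshold without 'auto-defend alarm enable'"))
    if "layer2" in kinds and len(kinds) > 1:
        out.append(("ACL-MIX", "Layer 2 ACLs mixed with basic/advanced ACLs"))
    if cmds and not applied:
        out.append(("NOT-APPLIED", "policy is never applied with cpu-defend-policy"))
    return out


def audit(transcript):
    """Audit a CLI transcript; return sorted (policy, code, detail) tuples."""
    cmds, applied, current = {}, set(), None
    for raw in transcript.splitlines():
        tok = PROMPT.sub("", raw).split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[:2] == ["cpu-defend", "policy"] and len(tok) == 3:
            current = tok[2]              # enter the attack defense policy view
            cmds.setdefault(current, [])
        elif tok[0] == "cpu-defend-policy" and len(tok) >= 2:
            applied.add(tok[1])           # policy applied in the system view
        elif tok[0] == "quit":
            current = None                # leave the policy view
        elif current is not None:
            cmds[current].append(" ".join(tok))
    return sorted((name, code, detail) for name, lines in cmds.items()
                  for code, detail in check_policy(lines, name in applied))


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```
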

deny

Function

The deny command configures the device to discard packets sent to the CPU.

The undo deny command restores the default action taken for the packets sent to the CPU.

By default, the device does not discard packets sent to the CPU. Instead, the device limits the rate of packets sent to the CPU using the default rate. You can check the rate limit of each type of packets using the display cpu-defend configuration command.

Format

deny packet-type packet-type

undo deny packet-type packet-type

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| packet-type packet-type | Specifies the type of the packet to be discarded. | The supported packet type depends on the device. |

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After an attack defense policy is created, if the device receives attack packets of a specified type or a large number of packets sent to the CPU, run the deny command to configure the device to discard packets of the specified type sent to the CPU.

Precautions

After the deny command is executed, the packet-type command cannot take effect. After the undo deny command is executed, you can run the packet-type command to set the rate limit for the packets sent to the CPU.

Example

# Configure the device to discard ARP Reply packets sent to the CPU in the attack defense policy test.

<Huawei> system-view
[Huawei] cpu-defend policy test 
[Huawei-cpu-defend-policy-test] deny packet-type arp-reply

description (attack defense policy view)

Function

The description command configures the description of an attack defense policy.

The undo description command deletes the description of an attack defense policy.

By default, no description is configured for an attack defense policy.

Format

description text

undo description

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| text | Specifies the content of a description. | It is a string of 1 to 63 case-sensitive characters with spaces. |

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The description command configures the description of an attack defense policy, for example, the usage or application scenario of the attack defense policy. The description is used to differentiate attack defense policies.

Precautions

If you run the description command in the same attack defense policy view multiple times, only the latest configuration takes effect.

Example

# Configure the description defend_arp_attack for the attack defense policy named test.

<Huawei> system-view
[Huawei] cpu-defend policy test 
[Huawei-cpu-defend-policy-test] description defend_arp_attack

display auto-defend attack-source

Function

The display auto-defend attack-source command displays the attack sources on the SRU.

Format

display auto-defend attack-source [ detail ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| detail | Displays detailed information about the attack sources on the SRU, including the type of attack packets. If detail is not specified, brief information about the attack sources on the SRU is displayed. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display auto-defend attack-source command displays the attack source list.

Example

# Display the attack source list on the SRU.

<Huawei> display auto-defend attack-source
  Attack Source User Table:
  -------------------------------------------------------------------------
      MacAddress       InterfaceName      Vlan:Outer/Inner      TOTAL  
  -------------------------------------------------------------------------
  0000-0000-0023       Ethernet2/0/0         199/299            1264     
  -------------------------------------------------------------------------
  Total: 1

  Attack Source Port Table:
  -----------------------------------------------------
    InterfaceName        Vlan:Outer/Inner       TOTAL   
  -----------------------------------------------------
  Ethernet2/0/0              199/299            1264    
  -----------------------------------------------------
  Total: 1

  Attack Source IP Table:
  -------------------------------------
  IPAddress        TOTAL Packets  
  -------------------------------------
  10.105.105.2     256     
  -------------------------------------
  Total: 1

# Display detailed information about the attack source list.

<Huawei> display auto-defend attack-source detail
 Attack Source User Table:
  ----------------------------------------------------
  MAC Address                    0000-0000-0023      
  Interface                      Ethernet2/0/0
  VLAN: Outer/Inner              199/299                
      ARP:                       256     
  Total                          256                 
  ----------------------------------------------------
  Total: 1

  Attack Source Port Table:
  -----------------------------------------------------
    InterfaceName        Vlan:Outer/Inner       TOTAL   
  -----------------------------------------------------
  Ethernet2/0/0             199/299             256    
  -----------------------------------------------------
  Total: 1

  Attack Source IP Table:
  ----------------------------------------------------
  IP address                     10.105.105.2       
      ARP:                       256     
  Total                          256                 
  ----------------------------------------------------
  Total: 1

Table 14-84  Description of the display auto-defend attack-source command output

| Item | Description |
| --- | --- |
| Attack Source User Table | Information about attack sources on the SRU, which is distinguished according to the attack user. |
| Attack Source Port Table | Information about attack sources on the SRU. The attack source information is distinguished according to the attacked interface. |
| Attack Source IP Table | Information about attack sources on the SRU. The attack source information is distinguished according to the attacked interface. |
| MacAddress | MAC address of the user. |
| InterfaceName | Interface name. |
| Vlan:Outer/Inner | ID of the VLAN that an interface belongs to. Outer indicates the outer VLAN ID and Inner indicates the inner VLAN ID. |
| TOTAL | Total number of packets. |
| IPAddress | IP address of a user. |
| TOTAL Packets | Total number of packets. |

display auto-defend configuration

Function

The display auto-defend configuration command displays the attack source tracing configuration.

Format

display auto-defend configuration [ cpu-defend policy policy-name ]

Parameters

Parameter

Description

Value

cpu-defend policy policy-name

Displays the attack source tracing configuration of a specified attack defense policy.

  • If this parameter is specified, the configuration of the specified attack defense policy is displayed.
  • If this parameter is not specified, the configurations of all attack defense policies are displayed.

The value is a string of 1 to 31 case-sensitive characters without spaces.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After attack source tracing is configured in an attack defense policy, you can run the display auto-defend configuration command to view the attack source tracing configuration.

Example

# Display the configurations of all attack defense policies.

<Huawei> display auto-defend configuration
 -----------------------------------------------------------------------        
 Name  : mypolicy                                                                   
 Related slot : <0>                                                             
 auto-defend                 : enable                                           
 auto-defend threshold       : 200 (pps)                                        
 auto-defend alarm           : enable                                           
 auto-defend alarm threshold : 2000 (pps)                                       
 -----------------------------------------------------------------------        
 Name  : mypolicy1                                                                  
 Related slot : <>                                                              
 auto-defend                 : enable                                           
 auto-defend threshold       : 128 (pps)                                        
 -----------------------------------------------------------------------
Table 14-85  Description of the display auto-defend configuration command output

Item

Description

Name

Name of an attack defense policy.

Related slot

ID of the slot to which the attack defense policy is applied.

auto-defend

Whether attack source tracing is enabled. To enable attack source tracing, run the auto-defend enable command.

auto-defend threshold

Checking threshold for attack source tracing. To set the checking threshold for attack source tracing, run the auto-defend threshold command.

auto-defend alarm

Whether the alarm function for attack source tracing is enabled. To enable the alarm function for attack source tracing, run the auto-defend alarm enable command.

auto-defend alarm threshold

Alarm threshold for attack source tracing. To set the alarm threshold for attack source tracing, run the auto-defend alarm threshold command.

display cpu-defend configuration

Function

The display cpu-defend configuration command displays rate limits for protocol packets.

Format

display cpu-defend configuration [ packet-type packet-type ] { all | slot slot-id | sru }

Parameters

Parameter

Description

Value

packet-type packet-type

Specifies a packet type.

The supported packet type depends on the device.

all

Indicates all boards, including main control boards and LPUs.

-

slot slot-id

Specifies a slot ID.

The value must be set according to the device configuration.

sru

Indicates the main control board. If sru is specified, the rate limit configuration on the SRU is displayed.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display cpu-defend configuration command to view the rate limit of protocol packets sent to the CPU. By default, the rate limit of protocol packets in the default policy is displayed.

Example

# Display the rate limit configuration for protocol packets sent to the SRU.

<Huawei> display cpu-defend configuration sru
Rate configurations on main board.                                              
-----------------------------------------------------------------               
Packet-type              Status        Rate-limit(PPS)  Priority                
-----------------------------------------------------------------               
8021X                     Disabled          160             2                   
arp-miss                  Enabled            64             2                   
arp-reply                 Enabled           128             2                   
arp-request               Enabled           128             2                   
bfd                       Disabled          512             4                   
bgp                       Enabled           256             3                   
......
-----------------------------------------------------------------    
NOTE:

The preceding information is an example. The displayed packet type depends on the actual situation.

Table 14-86  Description of the display cpu-defend configuration command output

Item

Description

Packet-type

Packet type.

Status

Protocol packet status.

Rate-limit(PPS)

Rate limit for packets, in pps.

To set the rate limit for packets, run the packet-type command.

Priority

Priority of the protocol type.

To set the priority of the protocol type, run the packet-type priority command.

display cpu-defend policy

Function

The display cpu-defend policy command displays the attack defense policy configuration.

Format

display cpu-defend policy [ policy-name ]

Parameters

Parameter

Description

Value

policy-name

Displays the configuration of a specified attack defense policy.

  • If policy-name is specified, information about the specified attack defense policy is displayed.
  • If policy-name is not specified, information about all attack defense policies is displayed.

The attack defense policy must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After an attack defense policy is created, you can run the display cpu-defend policy command to view the board that the attack defense policy is applied to and configurations of the attack defense policy.

Example

# Display information about the attack defense policy named mypolicy.

<Huawei> display cpu-defend policy mypolicy
 Related slot : <0>                                                             
 BlackList Status :                                                             
   Slot<0> : Success                                                            
 Configuration :                                                                
   Blacklist 1 ACL number : 2001                                                
   Packet-type arp-reply rate-limit : 1260(pps)                                 
   Packet-type arp-reply priority : 3                                           
   Rate-limit all-packets : 12600(pps)                                          
   Application-apperceive packet-type ftp : 1260(pps)                           
   Application-apperceive packet-type tftp : 1260(pps)    
Table 14-87  Description of the display cpu-defend policy command output

Item

Description

Related slot

Board to which the attack defense policy is applied.

BlackList Status

Status of a blacklist.

Slot<0> : Success

A blacklist is successfully configured on the LPU in slot 0.

Blacklist 1 ACL number

Number of an ACL defined in blacklist 1.

To configure a blacklist, run the blacklist command.

Packet-type arp-reply rate-limit

Rate limit for ARP Reply packets.

To set the rate limit for ARP Reply packets, run the packet-type command.

Packet-type arp-reply priority

Priority of ARP Reply packets.

To set the priority of ARP Reply packets, run the packet-type priority command.

Rate-limit all-packets

Rate limit for all packets sent to the CPU.

To set the rate limit for all packets sent to the CPU, run the rate-limit all-packets command.

Application-apperceive packet-type ftp

Rate limit for FTP packets after ALP is enabled.

To set the rate limit for FTP packets after ALP is enabled, run the application-apperceive command.

display cpu-defend rate-adaption statistics

Function

The display cpu-defend rate-adaption statistics command displays packet statistics after CPCAR values are dynamically adjusted.

Format

display cpu-defend rate-adaption statistics [ packet-type packet-type ]

Parameters

Parameter

Description

Value

packet-type packet-type

Displays statistics on the specified type of protocol packets.

  • If packet-type is specified, statistics on the specified type of protocol packets are displayed.
  • If packet-type is not specified, statistics on all protocol packets are displayed.

The supported packet types depend on the device model.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

To view packet statistics after CPCAR values are dynamically adjusted, run this command. The displayed packet statistics, including protocol types, rate of passed packets, rate of discarded packets, and packet rate limit, help you configure attack defense policies.

Example

# Display packet statistics after CPCAR values are dynamically adjusted.

<Huawei> display cpu-defend rate-adaption statistics
--------------------------------------------------------------------------------                                                    
Packet Type                       Pass                Loss          Rate-limit                                                      
                                  (pps)               (pps)            (pps)                                                        
--------------------------------------------------------------------------------  
8021X                                0                   0              128                                                         
arp-miss                             0                   0               64                                                         
arp-reply                            0                   0              128                                                         
arp-request                          0                   0              128                                                         
bfd                                  0                   0              512                                                         
bgp                                  0                   0              256
……
------------------------------------------------------------------------------------------------

Table 14-88  Description of the display cpu-defend rate-adaption statistics command output

Item

Description

Packet Type

Packet type.

Pass

Rate of passed packets, in pps.

Loss

Rate of discarded packets, in pps.

Rate-limit(PPS)

Packet rate limit, in pps.

display cpu-defend statistics

Function

The display cpu-defend statistics command displays statistics on packets sent to the CPU.

Format

display cpu-defend statistics [ packet-type packet-type ]

Parameters

Parameter

Description

Value

packet-type packet-type

Displays statistics on the specified type of protocol packets. packet-type specifies the packet type.

  • If packet-type is specified, statistics on the specified type of protocol packets are displayed.
  • If packet-type is not specified, statistics on all protocol packets are displayed.

The supported packet type depends on the device.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display cpu-defend statistics command displays statistics on packets sent to the CPU, including the number of forwarded and discarded packets. This helps the network administrator configure attack defense policies.

Example

# Display the statistics on packets sent to the main control board.

<Huawei> display cpu-defend statistics
-----------------------------------------------------------------------         
Packet Type               Pass Packets        Drop Packets                      
-----------------------------------------------------------------------         
8021X                                0                   0                      
arp-miss                             5                   0                      
arp-reply                         8090                   0                      
arp-request                    1446576              127773                      
bfd                                  0                   0                      
bgp                                  0                   0                      
bgp4plus                             0                   0                      
dhcp-client                        879                   0                      
dhcp-server                          0                   0                      
dhcpv6-reply                         0                   0                      
dhcpv6-request                       0                   0                      
dlsw                                 0                   0 
dns                                  4                   0                      
fib-hit                              0                   0                      
ftp-client                           0                   0                      
ftp-server                           0                   0                      
fw-dns                               0                   0                      
fw-ftp                               0                   0                      
fw-http                              0                   0                      
fw-rtsp                              0                   0                      
fw-sip                               0                   0                      
gre-keepalive                        0                   0                      
gvrp                                 0                   0                      
hdlc                                 0                   0                      
http-client                          0                   0                      
http-server                          0                   0                      
hw-tacacs                            0                   0                      
icmp                                59                   0                      
icmpv6                             224                   0                      
igmp                               539                   0                      
ip-option                            0                   0                      
ipsec-ike                            0                   0                      
ipsec-isa                            0                   0                      
ipsec-osa                            0                   0                      
isis                             70252                   0                      
isisv6                               0                   0                      
l2tp                                 0                   0                      
lacp                                 0                   0                      
lldp                                 0                   0                      
ldp                                  0                   0                      
nd                                 358                   0                      
nd-miss                              0                   0                      
nhrp                                 0                   0
ntp                                  0                   0                      
ospf                                 0                   0                      
ospfv3                               0                   0                      
pim                                  0                   0                      
ppp                                  0                   0                      
pppoe                                0                   0                      
radius                               0                   0                      
rip                              11306                   0                      
ripng                             7385                   0                      
snmp                                 0                   0                      
ssh-client                           0                   0                      
ssh-server                           0                   0                      
sslvpn                               0                   0                      
stp                                  0                   0                      
tcp                                 15                   0                      
telnet-client                    81476                   0                      
telnet-server                        0                   0                      
ttl-expired                          0                   0                      
udp-helper                           0                   0                      
unknown-multicast                    0                   0                      
unknown-packet                   66146                   0                      
voice                                0                   0                      
vrrp                                 0                   0                      
---------------------------------------------------------------------
NOTE:

The preceding information is an example. The displayed packet type depends on the actual situation.

Table 14-89  Description of the display cpu-defend statistics command output

Item

Description

Packet Type

Packet type.

Pass Packets

Number of forwarded packets.

Drop Packets

Number of discarded packets.
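
A non-zero Drop Packets counter means that packet type has hit its CPU rate limit, which is the first place to look when deciding which limits or blacklists to adjust. The following Python is an added example (not part of the Huawei documentation) that parses the output shown above, ranks packet types by drops, and compares two snapshots so a period can be measured without clearing the counters. The function names and the second snapshot are constructed for illustration, and the code assumes the counters are cumulative between snapshots.

```python
import re

# Constructed sample: a few rows copied from the example output on this page.
SNAPSHOT_1 = """\
<Huawei> display cpu-defend statistics
-----------------------------------------------------------------------
Packet Type               Pass Packets        Drop Packets
-----------------------------------------------------------------------
8021X                                0                   0
arp-miss                             5                   0
arp-reply                         8090                   0
arp-request                    1446576              127773
icmp                                59                   0
telnet-client                    81476                   0
unknown-packet                   66146                   0
-----------------------------------------------------------------------
"""

# Constructed second snapshot taken later (values invented for this example).
# The icmp counter is lower than before, as it would be after a reset.
SNAPSHOT_2 = """\
Packet Type               Pass Packets        Drop Packets
arp-reply                         8120                   0
arp-request                    1450176              131373
icmp                                10                   0
"""

# A data row is: packet type, pass counter, drop counter.
# Prompts, separators and the header row do not match and are skipped.
ROW = re.compile(r"^\s*(?P<ptype>[A-Za-z0-9][\w-]*)\s+(?P<passed>\d+)\s+(?P<dropped>\d+)\s*$")


def parse_cpu_defend_statistics(text):
    """Return {packet_type: (pass_packets, drop_packets)}."""
    stats = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            stats[m["ptype"]] = (int(m["passed"]), int(m["dropped"]))
    return stats


def delta(before, after):
    """Per-type counter increase between two snapshots.

    If a counter went backwards, the statistics were cleared in between,
    so the later value is taken as the increase since the clear.
    """
    out = {}
    for ptype, (p2, d2) in after.items():
        p1, d1 = before.get(ptype, (0, 0))
        if p2 < p1 or d2 < d1:
            out[ptype] = (p2, d2)
        else:
            out[ptype] = (p2 - p1, d2 - d1)
    return out


def drop_report(stats, min_ratio=0.0):
    """Packet types with drops as (type, passed, dropped, drop_ratio),
    sorted by dropped packets, highest first."""
    report = []
    for ptype, (passed, dropped) in stats.items():
        if dropped == 0:
            continue
        ratio = dropped / (passed + dropped)
        if ratio >= min_ratio:
            report.append((ptype, passed, dropped, ratio))
    report.sort(key=lambda r: r[2], reverse=True)
    return report


if __name__ == "__main__":
    first = parse_cpu_defend_statistics(SNAPSHOT_1)
    second = parse_cpu_defend_statistics(SNAPSHOT_2)
    for label, stats in (("since last clear", first), ("between snapshots", delta(first, second))):
        for ptype, passed, dropped, ratio in drop_report(stats):
            print(f"{label}: {ptype} passed={passed} dropped={dropped} drop_ratio={ratio:.1%}")
```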

packet-type

Function

The packet-type command sets the rate limit for packets sent to the CPU.

The undo packet-type command restores the default rate limit for packets sent to the CPU.

By default, the default rate limit in the default attack defense policy is used to limit the packets sent to the CPU.

Format

packet-type packet-type rate-limit rate-value

undo packet-type packet-type rate-limit

Parameters

Parameter

Description

Value

packet-type

Specifies the protocol type.

The supported packet type depends on the device.

rate-limit rate-value

Specifies the rate limit of protocol packets.

The value is an integer that ranges from 1 to 32768, in pps.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After an attack defense policy is created, if the device receives attack packets of a specified protocol or a large number of packets sent to the CPU, configure a rate limit for the protocol packets in the attack defense policy. The device then limits the rate of these packets to protect the CPU.

By default, the device applies the rate limit defined in the default attack defense policy to protocol packets. You can also create an attack defense policy and run the packet-type command to set the rate limit of protocol packets. The configured rate limit overrides the default rate limit defined in the default attack defense policy.

Prerequisites

An attack defense policy has been created using the cpu-defend policy command.

Precautions

If you run the packet-type command with the same value of packet-type in the same attack defense policy view multiple times, only the latest configuration takes effect.

If the packet-type and deny commands are executed on the same type of protocol packets, the deny command takes effect.

Example

# Set the rate limit for ARP Reply packets to 1260 pps in the attack defense policy named mypolicy.

<Huawei> system-view
[Huawei] cpu-defend policy mypolicy 
[Huawei-cpu-defend-policy-mypolicy] packet-type arp-reply rate-limit 1260

packet-type priority

Function

The packet-type priority command sets the priority of protocol packets sent to the CPU.

The undo packet-type priority command restores the default priority for protocol packets sent to the CPU. The default priority is defined in the default attack defense policy.

By default, the priority defined in the default attack defense policy is used.

Format

packet-type packet-type priority priority-level

undo packet-type packet-type priority

Parameters

Parameter

Description

Value

packet-type

Sets a priority for packets of a specified protocol.

The supported packet type depends on the device.

priority priority-level

Specifies the priority.

The value is an integer that ranges from 1 to 4. A larger value indicates a higher priority.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After an attack defense policy is created, set priorities of protocol packets in the attack defense policy so that packets with higher priorities are processed first.

By default, the priority of packets of a specified protocol type is set based on the default policy.

Precautions

If you run the packet-type priority command in the same attack defense policy view multiple times, only the latest configuration takes effect.

You can create an attack defense policy and set the priority of packets of the specified protocol type using the packet-type priority command. The configured priority overrides the priority in the default policy.

The priority of protocol packets sent to the CPU configured in an attack defense policy takes effect only when the attack defense policy is applied to the main control board.

Example

# Set the priority of ARP Reply packets to 3 in the attack defense policy named mypolicy.

<Huawei> system-view
[Huawei] cpu-defend policy mypolicy 
[Huawei-cpu-defend-policy-mypolicy] packet-type arp-reply priority 3

rate-adaption adjust-period

Function

The rate-adaption adjust-period command sets the interval for checking the CPU usage.

The undo rate-adaption adjust-period command restores the default interval for checking the CPU usage.

By default, the interval for checking CPU usage is 30 seconds.

Format

rate-adaption adjust-period period-value

undo rate-adaption adjust-period

Parameters

Parameter

Description

Value

period-value

Specifies the interval for checking CPU usage.

The value is an integer that ranges from 30 to 180, in seconds.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

If the CPU usage changes frequently, the device frequently adjusts CPCAR values, causing unstable traffic. To avoid this problem, run the rate-adaption adjust-period command to adjust the interval for checking CPU usage. Generally, use the default interval.

Example

# Set the interval for checking CPU usage to 50 seconds.

<Huawei> system-view
[Huawei] cpu-defend policy mypolicy
[Huawei-cpu-defend-policy-mypolicy] rate-adaption adjust-period 50

rate-adaption adjust-step

Function

The rate-adaption adjust-step command sets the dynamic CPCAR adjustment step.

The undo rate-adaption adjust-step command restores the default dynamic CPCAR adjustment step.

By default, the dynamic CPCAR adjustment step is 20%.

Format

rate-adaption adjust-step step-value

undo rate-adaption adjust-step

Parameters

Parameter

Description

Value

step-value

Specifies the percentage value of dynamic CPCAR adjustment step.

For example, if the adjustment step is 30% and the current CPCAR value is 1000 pps, the device reduces the CPCAR value to 700 pps when CPU usage reaches the upper threshold.

The value is an integer that ranges from 1 to 100.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

After dynamic CPCAR adjustment is enabled, the device checks the CPU usage at intervals. When the device detects that the CPU usage exceeds the upper threshold (set by the rate-adaption cpu-usage threshold command), it reduces the CPCAR value based on the step set by the rate-adaption adjust-step command to reduce CPU usage. Generally, the default step value can be used.

Example

# Set the dynamic CPCAR adjustment step to 40%.

<Huawei> system-view
[Huawei] cpu-defend policy mypolicy
[Huawei-cpu-defend-policy-mypolicy] rate-adaption adjust-step 40

rate-adaption cpu-usage threshold

Function

The rate-adaption cpu-usage threshold command sets the CPU usage thresholds. When the CPU usage of a device exceeds the upper threshold or falls below the lower threshold, the device adjusts the CPCAR values.

The undo rate-adaption cpu-usage threshold command restores the default CPU usage thresholds.

By default, the lower threshold is 65% and the upper threshold is 85%.

Format

rate-adaption cpu-usage threshold low low-value high high-value

undo rate-adaption cpu-usage threshold

Parameters

Parameter

Description

Value

low low-value

Specifies the lower CPU usage threshold.

When the CPU usage of a device falls below the lower threshold, the device sets the CPCAR value to the default value or a manually set value.

The value is an integer that ranges from 1 to 99.

high high-value

Specifies the upper CPU usage threshold.

When the CPU usage of a device exceeds the upper threshold, the device reduces the CPCAR value based on the step set by the rate-adaption adjust-step command.

The value is an integer that ranges from low-value +1 to 100.

The value of high-value must be larger than the value of low-value.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

After dynamic CPCAR adjustment is configured, the device checks CPU usage to determine whether an attack occurs. When the CPU usage exceeds the upper threshold, the device reduces the CPCAR value based on the step set by the rate-adaption adjust-step command to reduce CPU load. When the CPU usage of a device falls below the lower threshold, the device sets the CPCAR value to the default value or a manually set value.

Example

# Set the CPU usage thresholds for dynamic CPCAR adjustment.

<Huawei> system-view
[Huawei] cpu-defend policy mypolicy
[Huawei-cpu-defend-policy-mypolicy] rate-adaption cpu-usage threshold low 40 high 90

rate-adaption enable

Function

The rate-adaption enable command enables dynamic CPCAR adjustment.

The undo rate-adaption enable command disables dynamic CPCAR adjustment.

By default, dynamic CPCAR adjustment is disabled.

Format

rate-adaption enable

undo rate-adaption enable

Parameters

None

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When CPCAR values are manually set, a device cannot immediately control the rate of packets sent to the CPU when undergoing an attack. As a result, the CPU usage exceeds the acceptable range and CPU performance degrades.

After dynamic CPCAR adjustment is configured, the device periodically checks CPU usage, and automatically adjusts CPCAR values of protocol packets when the CPU usage exceeds the specified upper threshold, reducing impact on the CPU.

Precautions

After dynamic CPCAR adjustment is enabled, the CPCAR values set using the packet-type command become invalid.

Example

# Enable dynamic CPCAR adjustment.

<Huawei> system-view
[Huawei] cpu-defend policy mypolicy
[Huawei-cpu-defend-policy-mypolicy] rate-adaption enable

rate-adaption exception packet-type

Function

The rate-adaption exception packet-type command specifies the types of protocol packets for which the CPCAR values cannot be dynamically adjusted.

The undo rate-adaption exception packet-type command cancels the exception for the specified type of protocol packets, so that their CPCAR values can be dynamically adjusted again.

By default, the CPCAR values for all protocol packets are dynamically adjusted.

Format

rate-adaption exception packet-type packet-type

undo rate-adaption exception packet-type packet-type

Parameters

Parameter

Description

Value

packet-type

Specifies the protocol type.

The supported packet type depends on the device.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To prevent certain protocol packets from being affected by dynamic CPCAR adjustment, for example, Telnet packets, you can run the rate-adaption exception packet-type command to specify the protected protocol packets. After this command is executed, dynamic CPCAR adjustment does not take effect for the protected protocol packets and you can specify rate limits for these packets by using the packet-type command.

Precautions

A maximum of eight types of protected protocol packets can be specified.

Example

# Set the types of protocol packets for which the CPCAR values cannot be dynamically adjusted.

<Huawei> system-view
[Huawei] cpu-defend policy mypolicy
[Huawei-cpu-defend-policy-mypolicy] rate-adaption exception packet-type icmp
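
The adjustment cycle described by the rate-adaption commands above, modelled in Python as an added example (not Huawei code), with the value ranges from this page used to validate a planned configuration before it is applied. The page does not say what happens between the two thresholds, how fractions are rounded, or whether there is a floor; the model assumes no change, integer truncation and a floor of 1 pps. The class and function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class RateAdaption:
    """Dynamic CPCAR adjustment settings; defaults are the ones stated on this page."""
    adjust_period: int = 30                 # seconds between CPU usage checks
    adjust_step: int = 20                   # percent cut per check above the upper threshold
    low: int = 65                           # lower CPU usage threshold, percent
    high: int = 85                          # upper CPU usage threshold, percent
    exceptions: frozenset = frozenset()     # packet types excluded from adjustment

    def validate(self):
        """Return a list of range violations, empty if the settings are acceptable."""
        errors = []
        if not 30 <= self.adjust_period <= 180:
            errors.append("adjust-period must be 30 to 180 seconds")
        if not 1 <= self.adjust_step <= 100:
            errors.append("adjust-step must be 1 to 100")
        if not 1 <= self.low <= 99:
            errors.append("low threshold must be 1 to 99")
        if not self.low < self.high <= 100:
            errors.append("high threshold must be low+1 to 100")
        if len(self.exceptions) > 8:
            errors.append("at most eight exception packet types")
        return errors


def simulate(cfg, configured, cpu_samples):
    """Model the CPCAR value of each packet type over successive CPU checks.

    configured:  {packet_type: pps}, the default or manually set CPCAR values
    cpu_samples: CPU usage (percent) seen at each check, one per adjust_period
    Returns [(elapsed_seconds, cpu_usage, {packet_type: pps}), ...].
    """
    current = dict(configured)
    timeline = []
    for check, cpu in enumerate(cpu_samples, start=1):
        for ptype, base in configured.items():
            if ptype in cfg.exceptions:
                continue                    # protected type keeps its configured limit
            if cpu > cfg.high:
                # Cut the current value by the step. Truncation and the
                # 1 pps floor are assumptions of this model.
                current[ptype] = max(1, current[ptype] * (100 - cfg.adjust_step) // 100)
            elif cpu < cfg.low:
                current[ptype] = base       # restore default or manually set value
            # Between the thresholds the value is left as it is (assumption).
        timeline.append((check * cfg.adjust_period, cpu, dict(current)))
    return timeline


if __name__ == "__main__":
    # Constructed scenario: 30% step and 1000 pps as in the adjust-step
    # description, with icmp protected as in the exception example.
    cfg = RateAdaption(adjust_step=30, exceptions=frozenset({"icmp"}))
    assert cfg.validate() == []
    for elapsed, cpu, limits in simulate(cfg, {"arp-request": 1000, "icmp": 200}, [90, 95, 70, 50]):
        print(f"t={elapsed:>3}s cpu={cpu:>2}% {limits}")
```

With a sustained high CPU load the limit falls geometrically, so protected management protocols should be listed as exceptions if they must stay reachable during an attack.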

rate-limit all-packets

Function

The rate-limit all-packets command sets the rate limit for all packets sent to the CPU.

The undo rate-limit all-packets command restores the default rate limit for all packets sent to the CPU.

By default, the rate limit for all packets sent to the CPU is 1000 pps.

Format

rate-limit all-packets pps pps-value

undo rate-limit all-packets pps

Parameters

Parameter

Description

Value

pps pps-value

Specifies the rate limit for all packets sent to the CPU.

The value is an integer that ranges from 500 to 65535, in pps.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After an attack defense policy is created, you can limit the rate of all packets sent to the CPU in the attack defense policy. The device randomly discards packets that exceed the rate limit to ensure CPU security.

Precautions

If you run the rate-limit all-packets command in the same attack defense policy view multiple times, only the latest configuration takes effect.

The priority of protocol packets sent to the CPU configured in an attack defense policy takes effect only when the attack defense policy is applied to the main control board.

Example

# Set the rate limit for all packets sent to the CPU to 12600 pps in the attack defense policy named mypolicy.

<Huawei> system-view
[Huawei] cpu-defend policy mypolicy 
[Huawei-cpu-defend-policy-mypolicy] rate-limit all-packets pps 12600

reset auto-defend attack-source

Function

The reset auto-defend attack-source command clears information about attack sources.

Format

reset auto-defend attack-source

Parameters

None

Views

User view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To view the latest attack source information on the device, run the reset auto-defend attack-source command to delete the existing attack source information, wait for a period, and run the display auto-defend attack-source command.

Precautions

After the reset auto-defend attack-source command is run, information about attack sources is cleared and cannot be restored.

Example

# Delete existing attack source information on the device.

<Huawei> reset auto-defend attack-source

reset cpu-defend statistics

Function

The reset cpu-defend statistics command clears statistics on packets sent to the CPU.

Format

reset cpu-defend statistics [ packet-type packet-type ]

Parameters

Parameter

Description

Value

packet-type packet-type

Specifies the protocol type of packets. packet-type specifies the packet type.

  • If packet-type packet-type is specified, the statistics on the specified type of protocol packets are cleared.
  • If packet-type packet-type is not specified, the statistics on all protocol packets are cleared.

The supported packet type depends on the device.

Views

User view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To view statistics on the packets sent to the CPU in a specified period, run the reset cpu-defend statistics command to clear existing statistics and run the display cpu-defend statistics command.

Precautions

The deleted packet statistics cannot be restored.

Example

# Clear statistics on BGP packets on the main control board.

<Huawei> reset cpu-defend statistics packet-type bgp
Updated: 2019-05-29

Document ID: EDOC1000097293
