Command Reference

CloudEngine 8800, 7800, 6800, and 5800 V200R002C50

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.

Traffic Suppression and Storm Control Configuration Commands

storm suppression broadcast (interface view)

Function

The storm suppression broadcast command sets the maximum traffic rate of broadcast packets that can pass through an interface.

The undo storm suppression broadcast command restores the default maximum traffic rate of broadcast packets that can pass through an interface.

By default, the rate of broadcast packets is suppressed by bandwidth percentage, and the percentage rate limit is 10%.

Format

  • Except CE6870EI:

    storm suppression broadcast { percent-value | cir cir-value [ gbps | mbps | kbps ] [ cbs cbs-value [ bytes | mbytes | kbytes ] ] | packets packets-per-second }

    undo storm suppression broadcast

  • CE6870EI:

    In the Eth-Trunk interface view:

    storm suppression broadcast cir cir-value [ gbps | mbps | kbps ] [ cbs cbs-value [ bytes | mbytes | kbytes ] ]

    undo storm suppression broadcast

    In the other interface view:

    storm suppression broadcast { percent-value | cir cir-value [ gbps | mbps | kbps ] [ cbs cbs-value [ bytes | mbytes | kbytes ] ] }

    undo storm suppression broadcast

Parameters

Parameter

Description

Value

percent-value

Specifies the percentage of bandwidth occupied by broadcast packets on an interface.

The value is an integer that ranges from 0 to 100.

cir cir-value [ gbps | mbps | kbps ]

Specifies the committed information rate (CIR), which is the allowed rate at which traffic can pass through.

The value is an integer expressed in Gbit/s, Mbit/s, or Kbit/s. Kbit/s is used by default. The value ranges from 0 to 100000000 in Kbit/s, from 0 to 100000 in Mbit/s, or from 0 to 100 in Gbit/s.

cbs cbs-value [ bytes | mbytes | kbytes ]

Specifies the committed burst size (CBS), which is the maximum size of traffic that can pass through.

The value is an integer expressed in bytes, Kbytes or Mbytes. bytes is used by default. The value ranges from 10000 to 4294967295 in bytes, from 10 to 4194303 in Kbytes, or from 1 to 4095 in Mbytes. The default CBS value is 188 times the CIR value.

packets packets-per-second

Specifies the number of packets transmitted per second.

The value is an integer that ranges from 0 to 148810000.

NOTE:

CE6870EI does not support this parameter.

Views

Eth-Trunk interface view, GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, port group view

NOTE:

Only the CE6870EI supports the Eth-Trunk interface view.

Default Level

2: Configuration level

Usage Guidelines

As broadcast packets accumulate on the network, they occupy more and more network resources, which affects the normal operation of services on the network.

To prevent broadcast storms, you can use the storm suppression broadcast command to set the threshold of broadcast traffic that an interface allows to pass through. When the broadcast traffic rate reaches the rate limit, the system discards excess broadcast packets to keep the traffic rate within a proper range.

Example

# Set the CIR of broadcast packets to 100 kbit/s and CBS to 18800 bytes on 10GE1/0/1.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] storm suppression broadcast cir 100 cbs 18800

storm suppression broadcast access

Function

The storm suppression broadcast access command sets the maximum rate of broadcast packets on the user-side interface.

The undo storm suppression broadcast access command deletes the maximum rate of broadcast packets on the user-side interface.

By default, the maximum rate of broadcast packets on the user-side interface is not configured.

NOTE:
Only the CE6850HI, CE6850U-HI, CE6851HI, CE6855HI, CE6856HI, CE6860EI, CE7850EI, CE7855EI, CE8850EI, and CE8860EI support this command.

Format

storm suppression broadcast access cir cir-value [ gbps | mbps | kbps ] [ cbs cbs-value [ bytes | mbytes | kbytes ] ]

undo storm suppression broadcast access

Parameters

Parameter

Description

Value

cir cir-value [ gbps | mbps | kbps ]

Specifies the committed information rate (CIR), which is the allowed rate at which traffic can pass through.

The value is an integer expressed in Gbit/s, Mbit/s, or Kbit/s. Kbit/s is used by default. The value ranges from 0 to 4294967295 in Kbit/s, from 0 to 4294967 in Mbit/s, or from 0 to 4294 in Gbit/s.

cbs cbs-value [ bytes | mbytes | kbytes ]

Specifies the committed burst size (CBS), which is the maximum size of traffic that can pass through.

The value is an integer expressed in bytes, Kbytes or Mbytes. bytes is used by default. The value ranges from 10000 to 4294967295 in bytes, from 10 to 4194303 in Kbytes, or from 1 to 4095 in Mbytes. The default CBS value is 188 times the CIR value.

Views

BD view

Default Level

2: Configuration level

Usage Guidelines

As broadcast packets accumulate on the network, they occupy more and more network resources, which affects the normal operation of services on the network.

To limit the rate of broadcast packets on user-side interfaces, run this command. The packets exceeding the rate limit are discarded.

NOTE:
This command only limits the rate of broadcast packets on user-side interfaces. To limit the broadcast packet rates on both user-side and network-side interfaces, run the storm suppression broadcast command in the BD view. If both commands are run, the later one takes effect.

Example

# Set the CIR to 100 kbit/s and the CBS to 18800 bytes for the broadcast packets on the user-side interfaces in BD 10.
<HUAWEI> system-view
[~HUAWEI] bridge-domain 10
[*HUAWEI-bd10] storm suppression broadcast access cir 100 cbs 18800

storm suppression broadcast block outbound

Function

The storm suppression broadcast block outbound command blocks outgoing broadcast packets on an interface.

The undo storm suppression broadcast block outbound command unblocks outgoing broadcast packets on an interface.

By default, an interface does not block outgoing broadcast packets.

Format

storm suppression broadcast block outbound

undo storm suppression broadcast block outbound

Parameters

None

Views

GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After an interface receives a broadcast packet, it broadcasts the packet to all users in the same VLAN. This may cause an information leak. For example, if an unauthorized user is connected to an interface in a VLAN, the unauthorized user can obtain a host's address from broadcast packets and use the address to attack the host. To prevent information leaks, use the storm suppression broadcast block outbound command to block outgoing broadcast packets on an interface if users connected to the interface do not need to receive broadcast packets. For example, if users on an interface seldom change and require high security, you can use this command on the interface.

Precautions

The storm suppression broadcast block outbound command is applicable only to interfaces on which users do not need to receive broadcast packets. This command may affect network operations if it is used on an interface where users need to receive broadcast packets.

Traffic suppression can be configured for incoming and outgoing packets on an interface, and the configurations are independent of each other. On an interface, you can use the storm suppression broadcast command to limit the rate of incoming broadcast packets and use the storm suppression broadcast block outbound command to block outgoing broadcast packets.

Example

# Block outgoing broadcast packets on 10GE1/0/1.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] storm suppression broadcast block outbound

storm suppression broadcast (VLAN or BD view)

Function

The storm suppression broadcast command sets the maximum traffic rate of broadcast packets that can pass through a VLAN or BD.

The undo storm suppression broadcast command restores the default maximum traffic rate of broadcast packets that can pass through a VLAN or BD.

By default, no rate limit is configured for broadcast packets in a VLAN or BD.

NOTE:
In the BD view, only the CE6850HI, CE6850U-HI, CE6851HI, CE6855HI, CE6856HI, CE6860EI, CE6870EI, CE6880EI, CE7850EI, CE7855EI, CE8850EI, and CE8860EI support this command.

Format

storm suppression broadcast cir cir-value [ gbps | mbps | kbps ] [ cbs cbs-value [ bytes | mbytes | kbytes ] ]

undo storm suppression broadcast

Parameters

Parameter

Description

Value

cir cir-value [ gbps | mbps | kbps ]

Specifies the committed information rate (CIR), which is the allowed rate at which traffic can pass through.

The value is an integer expressed in Gbit/s, Mbit/s, or Kbit/s. Kbit/s is used by default. The value ranges from 64 to 4294967295 in Kbit/s, from 1 to 4294967 in Mbit/s, or from 1 to 4294 in Gbit/s.
NOTE:
The minimum value in BD view is 0.

cbs cbs-value [ bytes | mbytes | kbytes ]

Specifies the committed burst size (CBS), which is the maximum size of traffic that can pass through.

The value is an integer expressed in bytes, Kbytes or Mbytes. bytes is used by default. The value ranges from 10000 to 4294967295 in bytes, from 10 to 4194303 in Kbytes, or from 1 to 4095 in Mbytes. The default CBS value is 188 times the CIR value.

Views

VLAN view, VLAN-Range view, BD view

Default Level

2: Configuration level

Usage Guidelines

As broadcast packets accumulate on the network, they occupy more and more network resources, which affects the normal operation of services on the network.

To limit the rate of broadcast packets in a VLAN or BD, use the storm suppression broadcast command.

After you run the storm suppression broadcast command, the device limits the rate of broadcast packets based on the configured rate limit. If the rate limit is exceeded, the device discards excess broadcast packets.

NOTE:
When this command is run in the BD view, it limits the rate of broadcast packets on both user-side and network-side interfaces. To limit only the broadcast packet rate on user-side interfaces, run the storm suppression broadcast access command. If both commands are run, the later one takes effect.

Example

# Set the CIR to 100 kbit/s and the CBS to 18800 bytes for outgoing broadcast packets in VLAN2.
<HUAWEI> system-view
[~HUAWEI] vlan 2
[*HUAWEI-vlan2] storm suppression broadcast cir 100 cbs 18800

display snmp-agent trap feature-name fei_comm all

Function

The display snmp-agent trap feature-name fei_comm all command displays the status of all trap messages about the forwarding engine instance common module.

Format

display snmp-agent trap feature-name fei_comm all

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

You can run the display snmp-agent trap feature-name fei_comm all command to view the status of all trap messages about the forwarding engine instance common module.

Example

# Display the status of all trap messages about the forwarding engine instance common module.

<HUAWEI> display snmp-agent trap feature-name fei_comm all
------------------------------------------------------------------------------  
Feature name: FEI_COMM                                                          
Trap number : 2                                                                 
------------------------------------------------------------------------------  
Trap name                      Default switch status   Current switch status    
hwPortSecRcvIllegalMacAlarm    on                      on                       
hwXQoSStormControlTrap         on                      on     
Table 16-69  Description of the display snmp-agent trap feature-name fei_comm all command output

Item

Description

Feature name

Name of the module that a trap message belongs to.

Trap number

Number of trap messages.

Trap name

Name of a trap message. The forwarding engine instance common module supports the following trap messages:

  • hwPortSecRcvIllegalMacAlarm: enables the trap function for invalid MAC addresses after the number of secure MAC addresses reaches the maximum.
  • hwXQoSStormControlTrap: enables the trap function when the rate of broadcast, multicast, or unknown unicast packets exceeds the threshold.

Default switch status

Status of the default trap switch:
  • on: indicates that the trap function is enabled.
  • off: indicates that the trap function is disabled.

Current switch status

Status of the current trap switch:
  • on: indicates that the trap function is enabled.
  • off: indicates that the trap function is disabled.

display storm control

Function

The display storm control command displays information about storm control on an interface.

Format

display storm control [ interface interface-type interface-number [ verbose ] ]

Parameters

Parameter

Description

Value

interface interface-type interface-number

Specifies the type and number of an interface.
  • interface-type specifies the type of the interface.
  • interface-number specifies the interface number.
-

verbose

Displays details about storm control.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display information about storm control on 10GE1/0/1.

<HUAWEI> display storm control interface 10ge 1/0/1
--------------------------------------------------------------------------------                                                    
NOTE:                                                                                                                               
BC = Broadcast; MC = Multicast; UC = Unicast; UUC = Unknown Unicast                                                                 
Int = Interval value (unit: seconds)                                                                                                
--------------------------------------------------------------------------------                                                    
PortName     Type   MaxRate Mode Action    Punish-   Trap Log  Int Last                                                             
                                           Status                  Punish-Time                                                      
--------------------------------------------------------------------------------                                                    
10GE1/0/1    BC        2000 Pps  ErrorDown Normal    Off  On    90 --                                                               
10GE1/0/1    MC        2000 Pps  ErrorDown Normal    Off  On    90 --                                                               
10GE1/0/1    UC        2000 Pps  ErrorDown Normal    Off  On    90 --   
Table 16-70  Description of the display storm control command output

Item

Description

PortName

Interface name.

Type

Packet type.

  • BC: Broadcast packets
  • MC: Multicast packets
  • UC: Unicast packets
  • UUC: Unknown Unicast packets

MaxRate

Upper rate threshold.

Mode

Storm control mode.

  • Kbps: CIR in kbit/s

  • Pps: packets in pps

  • %: percentage in %

Action

Storm control action.
  • None: No action is configured.
  • ErrorDown: shuts down the interface.
  • Block: blocks packets.
  • Suppress: suppresses packets.
    NOTE:
    CE6870EI does not support the suppress parameter.

Punish-Status

Status of the interface.
  • ErrorDown: When the rate of receiving packets is greater than the value of MaxRate and the storm control action is shutdown, the interface status is shutdown.
  • Normal: The interface normally forwards packets.
  • Block: When the rate of receiving packets is greater than the value of MaxRate and the storm control action is block, the interface status is block.
  • Suppress: When the rate of receiving packets is greater than the value of MaxRate and the storm control action is suppress, the interface status is suppress. That is, the packets exceeding the rate are discarded.
    NOTE:
    CE6870EI does not support the suppress parameter.

Trap

Whether the alarm function for storm control is enabled.
  • on: The alarm function for storm control is enabled.
  • off: The alarm function for storm control is disabled.

Log

Whether the log function for storm control is enabled.
  • on: The log function for storm control is enabled.
  • off: The log function for storm control is disabled.

Int

Interval for detecting storms, in seconds. The default value is 5.

Last Punish-Time

Last time storm control was performed.

# Display details about storm control on 10GE1/0/1.
<HUAWEI> display storm control interface 10ge 1/0/1 verbose
Port Name         : 10GE1/0/1
 Type             : Unicast
 Minimum Rate     : 22(Pps)
 Maximum Rate     : 33(Pps)
 Action           : None
 Punish Status    : Normal
 Trap             : Off
 Log              : Off
 Interval         : 5(s)
 Last Punish Time : --
Table 16-71  Description of the display storm control interface 10ge 1/0/1 verbose command output

Item

Description

Port Name

Interface name.

Minimum Rate

Lower threshold. To set the lower threshold, run the storm control command.

Maximum Rate

Upper threshold. To set the upper threshold, run the storm control command.

Punish Status

Packet status on the interface.
  • ErrorDown: When the rate of receiving packets is greater than the value of MaxRate and the storm control action is shutdown, the interface status is shutdown.
  • Normal: The interface normally forwards packets.
  • Block: When the rate of receiving packets is greater than the value of MaxRate and the storm control action is block, the interface status is block.
  • Suppress: When the rate of receiving packets is greater than the value of MaxRate and the storm control action is suppress, the interface status is suppress. That is, the packets exceeding the rate are discarded.
    NOTE:
    CE6870EI does not support the suppress parameter.

Interval

Storm detection interval, in seconds. To set the interval, run the storm control interval command.

Last Punish Time

Last time the punish operation was performed.
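
A way to check storm-control posture from captured display storm control output, as an added example that is not part of the original command reference: it parses the table rows and flags entries that are currently punished, have no action configured, or have the trap (and log) function off. The sample text is built from the example output above plus two constructed rows; the finding codes and the Last Punish-Time timestamp format are assumptions of this example.

```python
import re

# Constructed sample: first two rows come from the example output on this page,
# the last two rows are constructed to exercise the other cases.
SAMPLE = """\
--------------------------------------------------------------------------------
NOTE:
BC = Broadcast; MC = Multicast; UC = Unicast; UUC = Unknown Unicast
Int = Interval value (unit: seconds)
--------------------------------------------------------------------------------
PortName     Type   MaxRate Mode Action    Punish-   Trap Log  Int Last
                                           Status                  Punish-Time
--------------------------------------------------------------------------------
10GE1/0/1    BC        2000 Pps  ErrorDown Normal    Off  On    90 --
10GE1/0/1    MC        2000 Pps  ErrorDown Normal    Off  On    90 --
10GE1/0/2    BC          50 %    Block     Block     Off  Off    5 2024-01-01 10:00:00
10GE1/0/3    UUC       1000 Kbps None      Normal    On   On     5 --
"""

# One data row: PortName Type MaxRate Mode Action Punish-Status Trap Log Int Last-Punish-Time
ROW = re.compile(
    r"^(?P<port>\S+)\s+(?P<type>BC|MC|UC|UUC)\s+(?P<max_rate>\d+)\s+"
    r"(?P<mode>Pps|Kbps|%)\s+(?P<action>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<trap>On|Off)\s+(?P<log>On|Off)\s+(?P<interval>\d+)\s+(?P<last>.+)$",
    re.IGNORECASE,
)


def parse_storm_control(text):
    """Return one dict per data row; legend, header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.rstrip())
        if not m:
            continue
        row = m.groupdict()
        row["type"] = row["type"].upper()
        row["max_rate"] = int(row["max_rate"])
        row["interval"] = int(row["interval"])
        for key in ("action", "status", "trap", "log"):
            row[key] = row[key].lower()
        # "--" means storm control has never been performed on this entry.
        row["last"] = None if row["last"] == "--" else row["last"]
        rows.append(row)
    return rows


def audit(rows):
    """Return (port, type, code) findings. The codes are this example's own labels."""
    findings = []
    for r in rows:
        where = (r["port"], r["type"])
        if r["status"] != "normal":
            findings.append(where + ("PUNISHED",))      # ErrorDown, Block or Suppress
        if r["action"] == "none":
            findings.append(where + ("NO_ACTION",))     # threshold set, nothing enforced
        if r["trap"] == "off" and r["log"] == "off":
            findings.append(where + ("NO_ALERTING",))   # a storm leaves no trap and no log
        elif r["trap"] == "off":
            findings.append(where + ("TRAP_OFF",))      # logged locally, no SNMP trap
    return findings


if __name__ == "__main__":
    for port, ptype, code in audit(parse_storm_control(SAMPLE)):
        print(f"{port:12} {ptype:4} {code}")
```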

icmp rate-limit

Function

The icmp rate-limit command sets the rate threshold of ICMP packets.

The undo icmp rate-limit command restores the default rate threshold of ICMP packets.

By default, the rate threshold of ICMP packets is 1500 pps.

Format

icmp rate-limit [ interface interface-type interface-number1 [ to interface-number2 ] ] threshold threshold-value

undo icmp rate-limit { interface interface-type interface-number1 [ to interface-number2 ] | threshold }

Parameters

Parameter

Description

Value

interface interface-type interface-number1 [ to interface-number2 ]

Specifies the type and number of an interface.
  • interface-type specifies the interface type.
  • interface-number1 specifies the number of the first interface.
  • to interface-number2 specifies the number of the last interface. The value of interface-number2 must be greater than the value of interface-number1. interface-number1 and interface-number2 specify the range of interfaces.

-

threshold threshold-value

Specifies the rate threshold of ICMP packets.

The value ranges from 0 to 5000, in pps.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Networks are often subject to ICMP packet attacks. If a switch receives a large number of broadcast ICMP request packets on user-side interfaces, these packets are sent to the switch CPU for processing. CPU usage then becomes high, affecting other services on the switch. You can use the icmp rate-limit command to protect the switch against ICMP packet attacks.

After the rate limit function is configured for ICMP packets on an interface, the system automatically discards excess ICMP packets when the number of ICMP packets sent by an interface every second exceeds the rate threshold.

Precautions

  • Before setting the rate threshold of ICMP packets, use the undo icmp rate-limit disable command to enable the rate limit function for ICMP packets.
  • If the fast ICMP reply function is enabled on a device, the traffic suppression function does not take effect for ICMP packets.

Example

# Set the rate threshold of ICMP packets on 10GE1/0/1 to 10GE1/0/4 to 20 pps.

<HUAWEI> system-view
[~HUAWEI] icmp rate-limit interface 10ge 1/0/1 to 1/0/4 threshold 20

icmp rate-limit disable

Function

The icmp rate-limit disable command disables the traffic suppression function for ICMP packets.

The undo icmp rate-limit disable command enables the traffic suppression function for ICMP packets.

By default, the traffic suppression function for ICMP packets is enabled.

Format

icmp rate-limit disable

undo icmp rate-limit disable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Attackers may send a large number of ICMP packets to attack a network. If the device sends all the received ICMP packets to the CPU for processing, a large amount of CPU resources is occupied and other services may become abnormal. To prevent ICMP packet attacks, you can configure the device to suppress ICMP packets.

Example

# Disable the function of limiting the ICMP packet rate.

<HUAWEI> system-view
[~HUAWEI] icmp rate-limit disable

storm suppression multicast (interface view)

Function

The storm suppression multicast command sets the maximum traffic volume of multicast packets that can pass through an interface.

The undo storm suppression multicast command restores the default maximum traffic rate of multicast packets that can pass through an interface.

By default, the rate of multicast packets is suppressed by bandwidth percentage, and the percentage rate limit is 100%.

Format

  • Except CE6870EI:

    storm suppression multicast { percent-value | cir cir-value [ gbps | mbps | kbps ] [ cbs cbs-value [ bytes | mbytes | kbytes ] ] | packets packets-per-second }

    undo storm suppression multicast

  • CE6870EI:

    In the Eth-Trunk interface view:

    storm suppression multicast cir cir-value [ gbps | mbps | kbps ] [ cbs cbs-value [ bytes | mbytes | kbytes ] ]

    undo storm suppression multicast

    In the other interface view:

    storm suppression multicast { percent-value | cir cir-value [ gbps | mbps | kbps ] [ cbs cbs-value [ bytes | mbytes | kbytes ] ] }

    undo storm suppression multicast

Parameters

Parameter

Description

Value

percent-value

Specifies the percentage of bandwidth occupied by multicast packets on an interface.

The value is an integer that ranges from 0 to 100.

cir cir-value [ gbps | mbps | kbps ]

Specifies the committed information rate (CIR), which is the allowed rate at which traffic can pass through.

The value is an integer expressed in Gbit/s, Mbit/s, or Kbit/s. Kbit/s is used by default. The value ranges from 0 to 100000000 in Kbit/s, from 0 to 100000 in Mbit/s, or from 0 to 100 in Gbit/s.

cbs cbs-value [ bytes | mbytes | kbytes ]

Specifies the committed burst size (CBS), which is the maximum size of traffic that can pass through.

The value is an integer expressed in bytes, Kbytes or Mbytes. bytes is used by default. The value ranges from 10000 to 4294967295 in bytes, from 10 to 4194303 in Kbytes, or from 1 to 4095 in Mbytes. The default CBS value is 188 times the CIR value.

packets packets-per-second

Specifies the number of packets transmitted per second.

The value is an integer that ranges from 0 to 148810000.

NOTE:

CE6870EI does not support this parameter.

Views

Eth-Trunk interface view, GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, port group view

NOTE:

Only the CE6870EI supports the Eth-Trunk interface view.

Default Level

2: Configuration level

Usage Guidelines

When an increasing number of multicast packets are transmitted on a network, more network resources are occupied and services are affected.

To prevent multicast storms, you can use the storm suppression multicast command to set the threshold of multicast traffic that an interface allows to pass through. When the multicast traffic volume exceeds the threshold, the system discards the excess multicast packets to keep the traffic volume of multicast packets within a proper range.

Example

# Set the CIR of multicast packets to 100 kbit/s and the CBS to 18800 bytes on 10GE1/0/1.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] storm suppression multicast cir 100 cbs 18800

storm suppression multicast block outbound

Function

The storm suppression multicast block outbound command configures an interface to block outgoing multicast packets.

The undo storm suppression multicast block outbound command cancels the configuration.

By default, outgoing multicast packets are not blocked on an interface.

Format

storm suppression multicast block outbound

undo storm suppression multicast block outbound

Parameters

None

Views

GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When an interface receives a multicast packet, the interface broadcasts the packet to all users in the same VLAN. This may cause an information leak. For example, if an unauthorized user is connected to an interface in a VLAN, the unauthorized user can obtain the host address in multicast packets by listening to multicast packets and use the host address to attack the host. To prevent information leaks, use the storm suppression multicast block outbound command to block outgoing multicast packets on an interface if users connected to the interface do not need to receive multicast packets.

Precautions

The storm suppression multicast block outbound command is applicable only to interfaces where users do not need to receive multicast packets. This command may affect network operations if it is used on an interface where users need to receive multicast packets.

Traffic suppression can be configured for incoming and outgoing packets on an interface, and the configurations are independent of each other. On an interface, you can use the storm suppression multicast command to limit the rate of incoming multicast packets and use the storm suppression multicast block outbound command to block outgoing multicast packets.

Example

# Block outgoing multicast packets on 10GE1/0/1.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] storm suppression multicast block outbound

storm suppression multicast (VLAN or BD view)

Function

The storm suppression multicast command sets the maximum traffic volume of multicast packets that can pass through a VLAN or BD.

The undo storm suppression multicast command cancels the configuration.

By default, multicast packets are not limited in a VLAN or BD.

NOTE:
In the BD view, only the CE6850HI, CE6850U-HI, CE6851HI, CE6855HI, CE6856HI, CE6860EI, CE6870EI, CE6880EI, CE7850EI, CE7855EI, CE8850EI, and CE8860EI support this command.

Format

storm suppression multicast cir cir-value [ gbps | mbps | kbps ] [ cbs cbs-value [ bytes | mbytes | kbytes ] ]

undo storm suppression multicast

Parameters

Parameter

Description

Value

cir cir-value [ gbps | mbps | kbps ]

Specifies the committed information rate (CIR), which is the allowed rate at which traffic can pass through.

The value is an integer expressed in Gbit/s, Mbit/s, or Kbit/s. Kbit/s is used by default. The value ranges from 64 to 4294967295 in Kbit/s, from 1 to 4294967 in Mbit/s, or from 1 to 4294 in Gbit/s.
NOTE:
The minimum value in BD view is 0.

cbs cbs-value [ bytes | mbytes | kbytes ]

Specifies the committed burst size (CBS), which is the committed traffic that can pass through instantly.

The value is an integer expressed in bytes, Kbytes or Mbytes. bytes is used by default. The value ranges from 10000 to 4294967295 in bytes, from 10 to 4194303 in Kbytes, or from 1 to 4095 in Mbytes. The default CBS value is 188 times the CIR value.

Views

VLAN view, VLAN-Range view, BD view

Default Level

2: Configuration level

Usage Guidelines

When an increasing number of multicast packets are transmitted on a network, more network resources are occupied and services are affected.

Run the storm suppression multicast command to limit multicast packets in a VLAN or BD.

After running the storm suppression multicast command, the device limits multicast packets in the specified VLAN or BD and excessive packets are discarded when the rate of packets exceeds the limit.

Example

# Set the CIR to 100 kbit/s and the CBS to 18800 bytes for the multicast traffic that can pass through VLAN 2.
<HUAWEI> system-view
[~HUAWEI] vlan 2
[*HUAWEI-vlan2] storm suppression multicast cir 100 cbs 18800

snmp-agent trap enable feature-name fei_comm trap-name hwxqosstormcontroltrap

Function

The snmp-agent trap enable feature-name fei_comm trap-name hwxqosstormcontroltrap command enables the device to send traps when the rate of broadcast, multicast, and unknown unicast packets on an interface exceeds the threshold.

The undo snmp-agent trap enable feature-name fei_comm trap-name hwxqosstormcontroltrap command disables the device from sending traps when the rate of broadcast, multicast, and unknown unicast packets on an interface exceeds the threshold.

By default, the device sends traps when the rate of broadcast, multicast, and unknown unicast packets exceeds the threshold.

Format

snmp-agent trap enable feature-name fei_comm [ trap-name hwxqosstormcontroltrap ]

undo snmp-agent trap enable feature-name fei_comm [ trap-name hwxqosstormcontroltrap ]

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

To view traps reporting that the rate of broadcast, multicast, or unknown unicast packets on an interface has exceeded the threshold, run the snmp-agent trap enable feature-name fei_comm trap-name hwxqosstormcontroltrap command.

Example

# Enable the trap function when the rate of broadcast, multicast, or unknown unicast packets exceeds the threshold.

<HUAWEI> system-view
[~HUAWEI] snmp-agent trap enable feature-name fei_comm trap-name hwxqosstormcontroltrap

storm control

Function

The storm control command enables storm control for broadcast packets, multicast packets, and unicast packets on an interface.

The undo storm control command disables storm control.

By default, storm control is disabled on interfaces.

Format

storm control { broadcast | multicast | unicast | unknown-unicast } min-rate percent min-rate-value max-rate percent max-rate-value

storm control { broadcast | multicast | unicast | unknown-unicast } min-rate kbps min-rate-value max-rate kbps max-rate-value

storm control { broadcast | multicast | unicast | unknown-unicast } min-rate min-rate-value max-rate max-rate-value

undo storm control { broadcast | multicast | unicast | unknown-unicast | all }

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| broadcast | Enables storm control for broadcast packets. | - |
| multicast | Enables storm control for multicast packets. | - |
| unicast | Enables storm control for unicast packets. | - |
| unknown-unicast | Enables storm control for unknown unicast packets. | - |
| min-rate percent min-rate-value | Specifies the minimum bandwidth percentage for storm control. If the storm control action is set to block and the average bandwidth occupied by the packets received by an interface is smaller than this value within the storm detection interval, the interface is recovered to forward packets. | The value is an integer that ranges from 1 to 100. |
| max-rate percent max-rate-value | Specifies the maximum bandwidth percentage for storm control. When the average bandwidth occupied by the packets received on an interface is greater than this value within the storm detection interval, storm control is performed on the interface. | The value is an integer that ranges from 1 to 100. |
| min-rate kbps min-rate-value | Specifies the lower threshold for storm control. If the storm control action is set to block and the average rate of packets received by an interface is smaller than this value within the storm detection interval, the interface is recovered to forward packets. | The value is an integer that ranges from 1 to 100000000, in kbps. |
| max-rate kbps max-rate-value | Specifies the upper threshold for storm control. When the average rate of the packets received on an interface is greater than this value within the storm detection interval, storm control is performed on the interface. | The value is an integer that ranges from 1 to 100000000, in kbps. |
| min-rate min-rate-value | Specifies the lower threshold for storm control. If the storm control action is set to block and the average rate of packets received by an interface is smaller than this value within the storm detection interval, the interface is recovered to forward packets. | The value is an integer that ranges from 1 to 148810000, in pps. |
| max-rate max-rate-value | Specifies the upper threshold for storm control. When the average rate of the packets received on an interface is greater than this value within the storm detection interval, storm control is performed on the interface. | The value is an integer that ranges from 1 to 148810000, in pps. |
| all | Disables storm control for all the broadcast, multicast, unicast, and unknown unicast packets. | - |

Views

GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the average rate of receiving packets on an interface is greater than the value of max-rate-value, max-rate-value-cir, or max-rate-value-percent in storm detection, storm control is performed on the packets.
NOTE:
The storm detection interval can be set using the storm control interval command.

Precautions

You cannot configure storm control and traffic suppression simultaneously on an interface. For example, if you configure traffic suppression for broadcast packets on an interface, then you cannot configure storm control for broadcast packets simultaneously on the interface.

On an interface, storm control cannot be configured for both unicast and unknown unicast packets.

Example

# Enable storm control on the broadcast packets received by 10GE1/0/1. When the average rate of packets within the storm detection interval is higher than 8000 pps, storm control is performed. When the rate of packets received by an interface is smaller than 2000 pps and the storm control action is set to block, the interface is recovered to forward packets.
<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] storm control broadcast min-rate 2000 max-rate 8000

storm control action

Function

The storm control action command sets the storm control action.

The undo storm control action command cancels the configuration.

By default, no storm control action is configured.

Format

storm control action { error-down | block | suppress }

undo storm control action

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| error-down | Indicates that the storm control action is error-down. | - |
| block | Blocks packets. | - |
| suppress | Suppresses packets. NOTE: The CE6870EI does not support the suppress parameter. | - |

Views

GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

In a storm detection interval, when the average rate of receiving broadcast packets, multicast packets, and unknown unicast packets is greater than the value of the specified upper threshold, the switch takes the action according to the configuration, including shutting down the interface, blocking packets, and suppressing packets.

The device records the status of an interface as Error-Down when it detects that a fault occurs. The interface in Error-Down state cannot receive or send packets and the interface indicator is off.

Generally, when attack packets exist, the average rate at which an interface receives broadcast, multicast, or unknown unicast packets is higher than the specified upper limit. In this situation, identify the attack source, remove the attack, and recover the interface status.

An interface in Error-Down state can be recovered using either of the following methods:
  • Manual recovery (after an Error-Down event occurs):

    If a few interfaces need to be recovered, run the shutdown and undo shutdown commands in the interface view. Alternatively, run the restart command in the interface view to restart the interfaces.

    NOTE:

    Alternatively, run the undo storm control action or undo storm control { broadcast | multicast | unicast | unknown-unicast | all } command in the interface view to recover the interface status. This method is not recommended.

  • Automatic recovery (before an Error-Down event occurs):

    If a large number of interfaces need to be recovered, manual recovery is time consuming and some interfaces may be omitted. To avoid this problem, run the error-down auto-recovery cause storm-control interval command in the system view to enable automatic interface recovery and set the recovery delay time. Run the display error-down recovery command to view information about automatic interface recovery.

    NOTE:

    This method does not take effect on interfaces that are already in Error-Down state. It is effective only on interfaces that enter the Error-Down state after this configuration is complete.

Example

# Set the storm control action to error-down on 10GE1/0/1.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] storm control action error-down
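
The min-rate and max-rate thresholds, the detection interval and the configured action behave together like a small state machine. The Python model below is an added illustration, not Huawei code: it assumes the average is taken over fixed, non-overlapping intervals, uses the pps form of the thresholds, models only the block and error-down actions, and runs on constructed per-second sample rates.

```python
"""Model of the storm control thresholds (added illustration, not device code)."""

FORWARDING, BLOCKED, ERROR_DOWN = "forwarding", "blocked", "error-down"


def simulate(per_second_pps, min_rate, max_rate, action, interval=5):
    """Return [(avg_pps, state), ...], one entry per full detection interval.

    Assumptions of this model: the average is taken over fixed,
    non-overlapping intervals, and both thresholds are in pps.
    """
    # Value ranges as documented for the pps form and for the interval.
    if not (1 <= min_rate <= 148810000 and 1 <= max_rate <= 148810000):
        raise ValueError("rates must be 1..148810000 pps")
    if not 1 <= interval <= 180:
        raise ValueError("interval must be 1..180 seconds")
    if action not in ("block", "error-down"):
        raise ValueError("only block and error-down are modelled")

    state, timeline = FORWARDING, []
    # A trailing partial interval is ignored: no average exists for it yet.
    for start in range(0, len(per_second_pps) - interval + 1, interval):
        window = per_second_pps[start:start + interval]
        avg = sum(window) / interval
        if state == FORWARDING and avg > max_rate:
            # Upper threshold exceeded: apply the configured action.
            state = BLOCKED if action == "block" else ERROR_DOWN
        elif state == BLOCKED and avg < min_rate:
            # block only: below the lower threshold, forwarding resumes.
            state = FORWARDING
        # error-down is sticky: the rate alone never recovers the interface;
        # that takes manual recovery or error-down auto-recovery.
        timeline.append((avg, state))
    return timeline


def states(timeline):
    """Strip the averages and keep only the state of each interval."""
    return [state for _, state in timeline]


# Constructed sample: 30 seconds of received broadcast pps with a 3-second burst.
SAMPLE_PPS = (
    [1000] * 5                               # quiet
    + [15000, 15000, 15000, 1000, 1000]      # short burst
    + [5000] * 5                             # elevated, between the thresholds
    + [1500] * 5                             # below min-rate
    + [1000] * 10                            # quiet again
)

if __name__ == "__main__":
    for label, kwargs in [
        ("block, 5 s", dict(action="block", interval=5)),
        ("error-down, 5 s", dict(action="error-down", interval=5)),
        ("block, 10 s", dict(action="block", interval=10)),
    ]:
        result = simulate(SAMPLE_PPS, min_rate=2000, max_rate=8000, **kwargs)
        print(f"{label:16}", [(round(avg), state) for avg, state in result])
```

In this model the same burst averages 9400 pps over a 5-second interval but only 5200 pps over a 10-second one, so with max-rate 8000 the longer interval never triggers the action.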

storm control enable

Function

The storm control enable command enables the device to record logs or report traps during storm control.

The undo storm control enable command disables the device from recording logs or reporting traps during storm control.

By default, the device is disabled from recording logs or reporting traps.

Format

storm control enable { log | trap }

undo storm control enable { log | trap }

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| log | Enables the log recording function. | - |
| trap | Enables the trap reporting function. | - |

Views

GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

None

Example

# Enable the trap reporting function during storm control on 10GE1/0/1.

<HUAWEI> system-view
[~HUAWEI] interface 10ge1/0/1
[~HUAWEI-10GE1/0/1] storm control enable trap

storm control interval

Function

The storm control interval command sets the storm detection interval.

The undo storm control interval command restores the default storm detection interval.

By default, the storm detection interval is 5s.

Format

storm control interval interval-value

undo storm control interval

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| interval-value | Specifies the storm detection interval. | The value is an integer that ranges from 1 to 180, in seconds. The default value is 5s. |

Views

GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Before using the storm control interval command to set the storm detection interval, run the storm control command in the interface view to configure storm control. Otherwise, the storm detection interval does not take effect.

Example

# Configure storm control and set the storm detection interval to 10 seconds on 10GE1/0/1.

<HUAWEI> system-view
[~HUAWEI] interface 10ge1/0/1 
[~HUAWEI-10GE1/0/1] storm control interval 10
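
The precautions under storm control, the default-off log and trap setting under storm control enable, and the interval guideline above can be checked mechanically before a configuration is pushed. The script below is an added example, not Huawei tooling: the sample configuration and its stanza layout are constructed assumptions, and the rule labels (CONFLICT, NO-EFFECT, SILENT) are this example's own.

```python
"""Lint a candidate switch configuration for storm control mistakes (added example)."""
import re

TYPES = r"(broadcast|multicast|unknown-unicast|unicast)"
RE_CONTROL = re.compile(rf"^storm control {TYPES} min-rate\b")
RE_SUPPRESS = re.compile(rf"^storm suppression {TYPES}\b")

# Constructed sample. Assumed layout: a stanza starts with "interface <name>",
# its commands are indented, and "#" or any other top-level line ends it.
SAMPLE_CONFIG = """\
#
interface 10GE1/0/1
 storm suppression broadcast cir 100 cbs 18800
 storm control broadcast min-rate 2000 max-rate 8000
 storm control action block
#
interface 10GE1/0/2
 storm control unicast min-rate 2000 max-rate 8000
 storm control unknown-unicast min-rate 2000 max-rate 8000
 storm control action error-down
 storm control enable trap
#
interface 10GE1/0/3
 storm control interval 10
#
interface 10GE1/0/4
 storm control multicast min-rate percent 5 max-rate percent 20
 storm control action error-down
 storm control enable log
 storm control interval 10
#
"""


def parse_interfaces(text):
    """Map each interface name to the list of commands in its stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None
    return stanzas


def traffic_types(regex, lines):
    """Traffic types named by the lines that match regex."""
    return {m.group(1) for m in map(regex.match, lines) if m}


def audit(text):
    """Return (interface, rule, detail) findings for the rules in this section."""
    findings = []
    for ifname, lines in parse_interfaces(text).items():
        controlled = traffic_types(RE_CONTROL, lines)
        # Scope of this check: "block outbound" lines are not evaluated.
        suppressed = traffic_types(
            RE_SUPPRESS, [ln for ln in lines if "block outbound" not in ln])
        for kind in sorted(controlled & suppressed):
            findings.append((ifname, "CONFLICT",
                             f"storm control and traffic suppression both set for {kind}"))
        if {"unicast", "unknown-unicast"} <= controlled:
            findings.append((ifname, "CONFLICT",
                             "storm control set for both unicast and unknown-unicast"))
        if not controlled and any(ln.startswith("storm control interval ") for ln in lines):
            findings.append((ifname, "NO-EFFECT",
                             "storm control interval set without storm control"))
        if controlled and not any(ln.startswith("storm control enable ") for ln in lines):
            findings.append((ifname, "SILENT",
                             "storm control set but neither log nor trap enabled"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep=" | ")
```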

storm suppression alarm enable

Function

The storm suppression alarm enable command enables the device to report alarms when packets are lost due to traffic suppression.

The undo storm suppression alarm enable command disables the device from reporting alarms when packets are lost due to traffic suppression.

By default, the device does not report alarms when packets are lost due to traffic suppression.

NOTE:

Only the CE6870EI supports this command.

Alarms will not be reported if ICMP packets are lost due to traffic suppression.

Format

storm suppression alarm enable

undo storm suppression alarm enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

You can run the storm suppression alarm enable command to enable the device to report alarms when packets are lost due to traffic suppression.

Example

# Enable the device to report alarms when packets are lost due to traffic suppression.

<HUAWEI> system-view
[~HUAWEI] storm suppression alarm enable

storm suppression mac-address flapping

Function

The storm suppression mac-address flapping command configures the threshold for traffic suppression associated with MAC address flapping.

The undo storm suppression mac-address flapping command restores the default threshold for traffic suppression associated with MAC address flapping.

By default, the threshold for traffic suppression associated with MAC address flapping is a bandwidth percentage, and the percentage rate limit is 1%.

NOTE:

The CE6880EI does not support this command.

Format

storm suppression mac-address flapping cir cir-value [ gbps | mbps | kbps ] [ force ]

undo storm suppression mac-address flapping cir cir-value [ gbps | mbps | kbps ] [ force ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| cir cir-value [ gbps \| mbps \| kbps ] | Specifies the committed information rate (CIR), which is the allowed rate at which traffic can pass through. | The value is an integer expressed in Gbit/s, Mbit/s, or Kbit/s. Kbit/s is used by default. The value is in the range of 64 to 100000000 in Kbit/s, 1 to 100000 in Mbit/s, or 1 to 100 in Gbit/s. |
| force | Forcibly forwards packets based on the threshold for traffic suppression associated with MAC address flapping. | - |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, the threshold for traffic suppression associated with MAC address flapping is a bandwidth percentage, and the percentage rate limit is 1%. You can run the storm suppression mac-address flapping command to configure the CIR for traffic suppression associated with MAC address flapping or enable the device to forcibly forward packets based on the threshold for traffic suppression associated with MAC address flapping.

Precautions
  • Traffic suppression associated with MAC address flapping does not take effect on peer-link ports.
  • When force is not specified in the storm suppression mac-address flapping command or this command is not configured, traffic suppression configured on interfaces takes effect in the event of MAC address flapping.
  • When force is specified, traffic suppression associated with MAC address flapping takes effect even if traffic suppression is also configured on interfaces.
  • When storm control is configured on interfaces, traffic suppression associated with MAC address flapping does not take effect no matter whether force is specified.
  • When the multicast function is enabled, traffic suppression associated with MAC address flapping does not take effect.

Example

# Set the threshold for traffic suppression associated with MAC address flapping to 100 Kbit/s.
<HUAWEI> system-view
[~HUAWEI] storm suppression mac-address flapping cir 100

storm suppression unknown-unicast (interface view)

Function

The storm suppression unknown-unicast command sets the maximum traffic volume of unknown unicast packets that can pass through an interface.

The undo storm suppression unknown-unicast command restores the default maximum traffic rate of unknown unicast packets that can pass through an interface.

By default, the rate of unknown unicast packets is suppressed by bandwidth percentage, and the percentage rate limit is 100%.

Format

  • Except CE6870EI:

    storm suppression unknown-unicast { percent-value | cir cir-value [ gbps | mbps | kbps ] [ cbs cbs-value [ bytes | mbytes | kbytes ] ] | packets packets-per-second }

    undo storm suppression unknown-unicast

  • CE6870EI:

    In the Eth-Trunk interface view:

    storm suppression unknown-unicast cir cir-value [ gbps | mbps | kbps ] [ cbs cbs-value [ bytes | mbytes | kbytes ] ]

    undo storm suppression unknown-unicast

    In the other interface view:

    storm suppression unknown-unicast { percent-value | cir cir-value [ gbps | mbps | kbps ] [ cbs cbs-value [ bytes | mbytes | kbytes ] ] }

    undo storm suppression unknown-unicast

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| percent-value | Specifies the percentage of bandwidth occupied by unknown-unicast packets on an interface. | The value is an integer that ranges from 0 to 100. |
| cir cir-value [ gbps \| mbps \| kbps ] | Specifies the committed information rate (CIR), which is the allowed rate at which traffic can pass through. | The value is an integer expressed in Gbit/s, Mbit/s, or Kbit/s. Kbit/s is used by default. The value ranges from 0 to 100000000 in Kbit/s, from 0 to 100000 in Mbit/s, or from 0 to 100 in Gbit/s. |
| cbs cbs-value [ bytes \| mbytes \| kbytes ] | Specifies the committed burst size (CBS), which is the maximum size of traffic that can pass through. | The value is an integer expressed in bytes, Kbytes or Mbytes. bytes is used by default. The value ranges from 10000 to 4294967295 in bytes, from 10 to 4194303 in Kbytes, or from 1 to 4095 in Mbytes. The default CBS value is 188 times the CIR value. |
| packets packets-per-second | Specifies the number of packets transmitted per second. | The value is an integer that ranges from 0 to 148810000. NOTE: CE6870EI does not support this parameter. |

Views

Eth-Trunk interface view, GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, port group view

NOTE:

Only the CE6870EI supports the Eth-Trunk interface view.

Default Level

2: Configuration level

Usage Guidelines

When an increasing number of unknown unicast packets are transmitted on the network, more network resources are occupied and services are affected.

To prevent unknown-unicast storms, you can use the storm suppression unknown-unicast command to set the threshold of unknown unicast traffic that an interface allows to pass through. When the unknown unicast traffic rate exceeds the rate limit, the system discards excess unknown unicast packets to keep the traffic volume within a proper range.

Example

# Set the CIR of unknown unicast packets to 100 kbit/s and the CBS to 18800 bytes on 10GE1/0/1.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] storm suppression unknown-unicast cir 100 cbs 18800

storm suppression unknown-unicast block outbound

Function

The storm suppression unknown-unicast block outbound command configures an interface to block outgoing unknown unicast packets.

The undo storm suppression unknown-unicast block outbound command cancels the configuration.

By default, an interface does not block outgoing unknown unicast packets.

Format

storm suppression unknown-unicast block outbound

undo storm suppression unknown-unicast block outbound

Parameters

None

Views

GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, port group view, fabric port view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After an interface receives an unknown unicast packet, the interface broadcasts the packet to all users in the same VLAN. This may cause information leakage. For example, if an unauthorized user is connected to an interface in a VLAN, the unauthorized user can obtain a host's address from unknown unicast packets and use the address to attack the host. To prevent information leakage, use the storm suppression unknown-unicast block outbound command to block outgoing unknown unicast packets on an interface if users connected to the interface do not need to receive unknown unicast packets. For example, if users on an interface seldom change and require high security, you can use this command on the interface.

Precautions

The storm suppression unknown-unicast block outbound command is applicable only to interfaces where users do not need to receive unknown unicast packets. This command may affect network operations if it is used on an interface where users need to receive unknown unicast packets.

Traffic suppression can be configured for incoming and outgoing packets on an interface, and the configurations are independent of each other. On an interface, use the storm suppression unknown-unicast command to limit the rate of incoming unknown unicast packets and the storm suppression unknown-unicast block outbound command to block outgoing unknown unicast packets.

Example

# Block outgoing unknown unicast packets on 10GE1/0/1.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] storm suppression unknown-unicast block outbound

storm suppression unknown-unicast (VLAN or BD view)

Function

The storm suppression unknown-unicast command sets the maximum traffic volume of unknown unicast packets that can pass through a VLAN or BD.

The undo storm suppression unknown-unicast command cancels the configuration.

By default, unknown unicast packets are not limited in a VLAN or BD.

NOTE:
In the BD view, only the CE6850HI, CE6850U-HI, CE6851HI, CE6855HI, CE6856HI, CE6860EI, CE6870EI, CE6880EI, CE7850EI, CE7855EI, CE8850EI, and CE8860EI support this command.

Format

storm suppression unknown-unicast cir cir-value [ gbps | mbps | kbps ] [ cbs cbs-value [ bytes | mbytes | kbytes ] ]

undo storm suppression unknown-unicast

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| cir cir-value [ gbps \| mbps \| kbps ] | Specifies the committed information rate (CIR), which is the allowed rate at which traffic can pass through. | The value is an integer expressed in Gbit/s, Mbit/s, or Kbit/s. Kbit/s is used by default. The value ranges from 64 to 4294967295 in Kbit/s, from 1 to 4294967 in Mbit/s, or from 1 to 4294 in Gbit/s. NOTE: The minimum value in BD view is 0. |
| cbs cbs-value [ bytes \| mbytes \| kbytes ] | Specifies the committed burst size (CBS), which is the committed traffic that can pass through instantly. | The value is an integer expressed in bytes, Kbytes or Mbytes. bytes is used by default. The value ranges from 10000 to 4294967295 in bytes, from 10 to 4194303 in Kbytes, or from 1 to 4095 in Mbytes. The default CBS value is 188 times the CIR value. |

Views

VLAN view, VLAN-Range view, BD view

Default Level

2: Configuration level

Usage Guidelines

When an increasing number of unknown unicast packets are transmitted on the network, more network resources are occupied and services are affected.

Run the storm suppression unknown-unicast command to limit unknown unicast packets in a VLAN or BD.

After the storm suppression unknown-unicast command is executed, the device limits unknown unicast packets in the specified VLAN or BD and discards excess packets when the rate of the packets exceeds the limit.

Example

# Set the CIR to 100 kbit/s and the CBS to 18800 bytes for unknown unicast packets that can pass through VLAN2.
<HUAWEI> system-view
[~HUAWEI] vlan 2
[*HUAWEI-vlan2] storm suppression unknown-unicast cir 100 cbs 18800

storm suppression unicast (interface view)

Function

The storm suppression unicast command sets the maximum traffic volume of unicast and unknown-unicast packets that can pass through an interface.

The undo storm suppression unicast command restores the default maximum traffic rate of unicast and unknown-unicast packets that can pass through an interface.

By default, the rate of unicast and unknown-unicast packets is suppressed by bandwidth percentage, and the percentage rate limit is 100%.

Format

  • Except CE6870EI:

    storm suppression unicast { percent-value | cir cir-value [ gbps | mbps | kbps ] [ cbs cbs-value [ bytes | mbytes | kbytes ] ] | packets packets-per-second }

    undo storm suppression unicast

  • CE6870EI:

    In the Eth-Trunk interface view:

    storm suppression unicast cir cir-value [ gbps | mbps | kbps ] [ cbs cbs-value [ bytes | mbytes | kbytes ] ]

    undo storm suppression unicast

    In the other interface view:

    storm suppression unicast { percent-value | cir cir-value [ gbps | mbps | kbps ] [ cbs cbs-value [ bytes | mbytes | kbytes ] ] }

    undo storm suppression unicast

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| percent-value | Specifies the percentage of bandwidth occupied by unicast packets on an interface. | The value is an integer that ranges from 0 to 100. |
| cir cir-value [ gbps \| mbps \| kbps ] | Specifies the committed information rate (CIR), which is the allowed rate at which traffic can pass through. | The value is an integer expressed in Gbit/s, Mbit/s, or Kbit/s. Kbit/s is used by default. The value ranges from 0 to 100000000 in Kbit/s, from 0 to 100000 in Mbit/s, or from 0 to 100 in Gbit/s. |
| cbs cbs-value [ bytes \| mbytes \| kbytes ] | Specifies the committed burst size (CBS), which is the maximum size of traffic that can pass through. | The value is an integer expressed in bytes, Kbytes or Mbytes. bytes is used by default. The value ranges from 10000 to 4294967295 in bytes, from 10 to 4194303 in Kbytes, or from 1 to 4095 in Mbytes. The default CBS value is 188 times the CIR value. |
| packets packets-per-second | Specifies the number of packets transmitted per second. | The value is an integer that ranges from 0 to 148810000. NOTE: CE6870EI does not support this parameter. |

Views

Eth-Trunk interface view, GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, port group view

NOTE:

Only the CE6870EI supports the Eth-Trunk interface view.

Default Level

2: Configuration level

Usage Guidelines

When an increasing number of unicast and unknown-unicast packets are transmitted on the network, more network resources are occupied and services are affected.

To prevent unicast storms, you can use the storm suppression unicast command to set the threshold of unicast traffic that an interface allows to pass through. When the rate of unicast and unknown-unicast packets exceeds the rate limit, the system discards excess unicast and unknown-unicast packets to keep the traffic volume within a proper range.

Example

# Set the CIR of unicast packets to 100 kbit/s and the CBS to 18800 bytes on 10GE1/0/1.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] storm suppression unicast cir 100 cbs 18800
Updated: 2019-03-21

Document ID: EDOC1000166501
