Command Reference

CloudEngine 8800, 7800, 6800, and 5800 V200R002C50

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
Local Attack Defense Configuration Commands

auto-defend attack-packet sample

Function

The auto-defend attack-packet sample command sets the packet sampling ratio for attack source tracing.

The undo auto-defend attack-packet sample command restores the default packet sampling ratio.

By default, the packet sampling ratio is 8. That is, one packet is sampled in every 8 packets.

Format

auto-defend attack-packet sample sample-value

undo auto-defend attack-packet sample

Parameters

Parameter Description Value
sample-value Specifies the packet sampling ratio for attack source tracing. The value is an integer that ranges from 1 to 1024.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Attack source tracing samples packets to identify attacks. Errors may occur in attack packet identification or packet rate calculation. A proper packet sampling ratio can reduce errors. A small sampling ratio makes the attack source tracing result accurate, but increases CPU usage. For example, when the sampling ratio is set to 1, every packet is sampled. The attack source tracing result is accurate, but the CPU usage is high because every packet is resolved.

The auto-defend attack-packet sample command sets the sampling ratio. You can set a proper value based on the requirements of attack source tracing precision and CPU usage.

Prerequisites

Attack source tracing has been enabled using the auto-defend enable command.

Precautions

When a smaller attack source tracing threshold is used, the sampling ratio has greater impact on the attack source tracing result.

Example

# Set the sampling ratio for attack source tracing in the attack defense policy named test to 2.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test
[*HUAWEI-cpu-defend-policy-test] auto-defend enable
[*HUAWEI-cpu-defend-policy-test] auto-defend attack-packet sample 2
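
The trade-off described under Usage Scenario can be seen on a constructed traffic window. The following Python model is an added illustration, not device code: it applies a deterministic "inspect every Nth packet" rule, which is an assumption about how the sampling ratio is realised, to a one-second window of traffic and scales the sampled counts back up to an estimated rate. The addresses, the traffic mix and the periodic background trickle are constructed for the example.

```python
"""Constructed simulation of the attack source tracing sampling ratio.

Added illustration, not device code. It models 1-in-N sampling as
configured by auto-defend attack-packet sample and shows how N changes
the per-source rate estimate that is compared with the checking threshold.
The traffic mix, addresses and the "every Nth packet" rule are assumptions.
"""
from collections import Counter
from typing import Dict, List, Tuple

CHECK_THRESHOLD_PPS = 128  # default auto-defend threshold from the page


def build_window() -> List[Tuple[str, str]]:
    """One constructed 1-second window of packets bound for the CPU.

    10.0.0.9 sends 130 ARP packets; three background hosts contribute a
    low, periodic trickle of 26 packets in total (9, 8 and 9 packets).
    """
    background = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
    window: List[Tuple[str, str]] = []
    for i in range(130):
        window.append(("10.0.0.9", "arp"))
        if i % 5 == 0:
            window.append((background[i % 3], "arp"))
    return window


def exact_rates(window: List[Tuple[str, str]]) -> Dict[str, int]:
    """Per-source pps with every packet inspected (sampling ratio 1)."""
    return dict(Counter(src for src, _proto in window))


def sampled_rates(window: List[Tuple[str, str]], sample_value: int) -> Dict[str, int]:
    """Inspect one packet in every `sample_value`, then scale the sampled
    count back up to an estimated pps for the 1-second window."""
    if not 1 <= sample_value <= 1024:  # range documented for sample-value
        raise ValueError("sample-value must be an integer from 1 to 1024")
    sampled = Counter(src for idx, (src, _proto) in enumerate(window)
                      if idx % sample_value == 0)
    return {src: n * sample_value for src, n in sampled.items()}


def estimation_error(window: List[Tuple[str, str]], sample_value: int) -> Dict[str, int]:
    """Estimated minus exact pps for every source present in the window."""
    exact = exact_rates(window)
    estimate = sampled_rates(window, sample_value)
    return {src: estimate.get(src, 0) - pps for src, pps in exact.items()}


def suspected_sources(window: List[Tuple[str, str]], sample_value: int,
                      threshold: int = CHECK_THRESHOLD_PPS) -> List[str]:
    """Sources whose estimated rate exceeds the checking threshold."""
    return sorted(src for src, pps in sampled_rates(window, sample_value).items()
                  if pps > threshold)


if __name__ == "__main__":
    win = build_window()
    for n in (1, 5, 8):
        print(f"sample {n:>2}: estimate={sampled_rates(win, n)} "
              f"error={estimation_error(win, n)}")
```

With a ratio of 1 the estimate equals the exact count. With a ratio of 8 the periodic sampling in this constructed window never lands on a background packet: the attacker is overestimated (160 pps instead of 130) and the three background hosts disappear from the statistics entirely. Both results still identify the same source, which is why a moderate ratio is usually acceptable; the error matters most when a source is close to the threshold, which is the point of the precaution below.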

auto-defend enable

Function

The auto-defend enable command enables automatic attack source tracing.

The undo auto-defend enable command disables automatic attack source tracing.

By default, attack source tracing is disabled.

Format

auto-defend enable

undo auto-defend enable

Parameters

None

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A large number of attack packets may attack the device CPU. Attack source tracing enables the device to trace attack sources and send logs or alarms to notify the administrator so that the administrator can take measures to defend against the attacks. By default, logs are sent to notify the administrator if attack source tracing is enabled.

After automatic attack source tracing is enabled, the device traces the source of the specified packets sent to the CPU. The packet type can be set using the auto-defend protocol command.

Precautions

  • Attack source tracing configured in an attack defense policy takes effect only when the attack defense policy is applied in the system view.
  • After the attack source tracing function for ICMP packets is enabled on the device, the fast ICMP reply function does not take effect.

Example

# Enable attack source tracing in the attack defense policy named test.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test
[*HUAWEI-cpu-defend-policy-test] auto-defend enable

auto-defend action

Function

The auto-defend action command enables the attack source punish function and specifies a punish action.

The undo auto-defend action command disables the attack source punish function.

By default, the attack source punish function is disabled.

Format

auto-defend action { deny [ timeout time-length ] | error-down }

undo auto-defend action [ deny [ timeout time-length ] | error-down ]

Parameters

Parameter Description Value
deny Discards packets sent from an attack source. -
timeout time-length Specifies the period during which packets sent from an identified attack source are discarded. The value ranges from 1 to 86400, in seconds. The default value is 300.
error-down Shuts down an interface that receives attack packets. -

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The attack source tracing process consists of four phases: packet parsing, traffic analysis, attack source identification, and taking attack source punish actions. The auto-defend action command applies to the last phase. The device either discards the packets sent from the identified source or sets the interface receiving attack packets to Error-Down.

The device records the status of an interface as Error-Down when it detects that a fault occurs. The interface in Error-Down state cannot receive or send packets and the interface indicator is off.

Prerequisites

Attack source tracing has been enabled using the auto-defend enable command.

Precautions

If you run the auto-defend action command multiple times, only the latest configuration takes effect.

After the auto-defend action is set to deny, the device discards packets when being attacked. The configuration result can be verified using the display auto-defend attack-source command.

The device does not take punish actions on attack sources of whitelist users.

If the device sets the interface that receives the attack packets to Error-Down, services of authorized users on that interface are interrupted. Exercise caution when you configure the device to shut down the interface.

Postrequisite

When an interface enters the Error-Down state, it is recommended that you identify the attack source and remove the attack first, and then recover the interface status.

An interface in Error-Down state can be recovered using either of the following methods:
  • Manual recovery (after an Error-Down event occurs):

    If a few interfaces need to be recovered, run the shutdown and undo shutdown commands in the interface view. Alternatively, run the restart command in the interface view to restart the interfaces.

  • Automatic recovery (before an Error-Down event occurs):

    If a large number of interfaces need to be recovered, manual recovery is time consuming and some interfaces may be omitted. To avoid this problem, you can run the error-down auto-recovery cause auto-defend interval command in the system view to enable automatic interface recovery and set the recovery delay time. You can run the display error-down recovery command to view information about automatic interface recovery.

    NOTE:

    This method does not take effect on interfaces that are already in Error-Down state. It is effective only on interfaces that enter the Error-Down state after this configuration is complete.

Example

# Configure the device to discard packets from the identified attack source for 10 seconds.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test 
[*HUAWEI-cpu-defend-policy-test] auto-defend enable
[*HUAWEI-cpu-defend-policy-test] auto-defend action deny timeout 10

auto-defend alarm enable

Function

The auto-defend alarm enable command enables the event reporting function for attack source tracing.

The undo auto-defend alarm enable command disables the event reporting function for attack source tracing.

By default, the event reporting function for attack source tracing is enabled.

Format

auto-defend alarm enable

undo auto-defend alarm enable

Parameters

None

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the number of packets of a specified protocol from an attack source exceeds the threshold in a specified period, the device reports an event to the administrator so that the administrator can take measures to protect the device.

Prerequisites

Attack source tracing has been enabled using the auto-defend enable command.

Follow-up Procedure

Run the auto-defend alarm threshold command to set the event reporting threshold for attack source tracing.

Example

# Enable the event reporting function in the attack defense policy test.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test
[*HUAWEI-cpu-defend-policy-test] auto-defend enable
[*HUAWEI-cpu-defend-policy-test] auto-defend alarm enable

auto-defend alarm threshold

Function

The auto-defend alarm threshold command sets the event reporting threshold for attack source tracing.

The undo auto-defend alarm threshold command restores the default event reporting threshold for attack source tracing.

By default, the event reporting threshold for attack source tracing is 128 pps.

Format

auto-defend alarm threshold threshold

undo auto-defend alarm threshold

Parameters

Parameter Description Value
threshold Specifies the event reporting threshold for attack source tracing. The value is an integer that ranges from 1 to 65535, in pps.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the number of packets of a specified protocol from an attack source exceeds the threshold in a specified period, the device reports an event to the administrator so that the administrator can take measures to protect the device.

Prerequisites

Attack source tracing has been enabled using the auto-defend enable command, and the event reporting function has been enabled using the auto-defend alarm enable command.

Precautions

If you run the auto-defend alarm threshold command in the same attack defense policy view multiple times, only the latest configuration takes effect.

Example

# Set the event reporting threshold for attack source tracing in the attack defense policy named test to 300 pps.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test
[*HUAWEI-cpu-defend-policy-test] auto-defend enable
[*HUAWEI-cpu-defend-policy-test] auto-defend alarm enable
[*HUAWEI-cpu-defend-policy-test] auto-defend alarm threshold 300

auto-defend protocol

Function

The auto-defend protocol command specifies the types of protocol packets that the device monitors in attack source tracing.

The undo auto-defend protocol command deletes specified types of protocol packets that the device monitors in attack source tracing.

By default, the device traces sources of ARP, DHCP, DHCPv6, ICMP, ICMPv6, MLD, ND, IGMP, and TTL-expired packets in attack source tracing.

Format

auto-defend protocol { all | { arp | dhcp | dhcpv6 | icmp | icmpv6 | igmp | mld | nd | ttl-expired } * }

undo auto-defend protocol { arp | dhcp | dhcpv6 | icmp | icmpv6 | igmp | mld | nd | ttl-expired } *

NOTE:
CE6880EI does not support the mld parameter.

Parameters

Parameter

Description

Value

all

Configures the device to trace sources of ARP, DHCP, DHCPv6, ICMP, ICMPv6, MLD, ND, IGMP, and TTL-expired packets in attack source tracing.

-

arp

Adds Address Resolution Protocol (ARP) packets to the list of traced packets or deletes ARP packets from the list.

NOTE:
Attack source tracing does not take effect on ARP unicast packets.

-

dhcp

Adds Dynamic Host Configuration Protocol (DHCP) packets to the list of traced packets or deletes DHCP packets from the list.

-

dhcpv6

Adds DHCPv6 packets to the list of traced packets or deletes DHCPv6 packets from the list.

-

icmp

Adds Internet Control Message Protocol (ICMP) packets to the list of traced packets or deletes ICMP packets from the list.

-

icmpv6

Adds ICMPv6 packets to the list of traced packets or deletes ICMPv6 packets from the list.

-

igmp

Adds Internet Group Management Protocol (IGMP) packets to the list of traced packets or deletes IGMP packets from the list.

-

mld

Adds Multicast Listener Discovery Protocol (MLD) packets to the list of traced packets or deletes MLD packets from the list.

-

nd

Adds Neighbor Discovery Protocol (ND) packets to the list of traced packets or deletes ND packets from the list.

-

ttl-expired

Adds packets whose TTL or hop limit value is 1 to the list of traced packets or deletes such packets from the list.

-

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The attack source tracing process consists of four phases: packet parsing, traffic analysis, attack source identification, and taking attack source punish actions. The auto-defend protocol command is applied to the packet parsing phase. When an attack occurs, the type of attack packets is not known in advance, so the auto-defend protocol command allows you to flexibly specify the types of traced packets.

Prerequisites

Attack source tracing has been enabled using the auto-defend enable command.

Precautions

If a packet type is specified, when the device is attacked and the attack source is traced, you can run the display auto-defend attack-source command to view attack source information.

Example

# Delete IGMP and TTL-expired packets from the list of traced packets.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test
[*HUAWEI-cpu-defend-policy-test] auto-defend enable
[*HUAWEI-cpu-defend-policy-test] undo auto-defend protocol igmp ttl-expired

auto-defend threshold

Function

The auto-defend threshold command sets the checking threshold for attack source tracing.

The undo auto-defend threshold command restores the default checking threshold for attack source tracing.

By default, the checking threshold for attack source tracing is 128 pps.

Format

auto-defend threshold threshold

undo auto-defend threshold

Parameters

Parameter Description Value
threshold Specifies the checking threshold for attack source tracing. The value is an integer that ranges from 1 to 65535, in pps.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After attack source tracing is enabled, you can set the checking threshold for attack source tracing. When the number of sent protocol packets from an attack source in a specified period exceeds the checking threshold, the device traces and logs the attack source.

Prerequisites

Attack source tracing has been enabled using the auto-defend enable command.

Precautions

If you run the auto-defend threshold command in the same attack defense policy view multiple times, only the latest configuration takes effect.

After the auto-defend enable command is executed, the device traces the attack source based on the default threshold even if the auto-defend threshold command is not used.

Example

# Set the checking threshold for attack source tracing in the attack defense policy named test to 200 pps.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test
[*HUAWEI-cpu-defend-policy-test] auto-defend enable
[*HUAWEI-cpu-defend-policy-test] auto-defend threshold 200

auto-defend trace-type

Function

The auto-defend trace-type command configures an attack source tracing mode.

The undo auto-defend trace-type command deletes an attack source tracing mode.

By default, attack source tracing is based on source MAC addresses and source IP addresses.

Format

auto-defend trace-type { source-mac | source-ip | source-portvlan } *

undo auto-defend trace-type { source-mac | source-ip | source-portvlan } *

Parameters

Parameter Description Value
source-mac Configures attack source tracing based on source MAC addresses so that the device classifies and collects statistics based on the source MAC address and identifies the attack source. -
source-ip Configures attack source tracing based on source IP addresses so that the device classifies and collects statistics based on the source IP address and identifies the attack source. -
source-portvlan Configures attack source tracing based on source ports+VLANs so that the device classifies and collects statistics based on the source port and VLAN and identifies the attack source. -

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After enabling attack source tracing, you can specify one or more attack source tracing modes. The device then uses the specified modes to trace attack sources.

The device supports the following attack source tracing modes:

  • Source IP address-based tracing: defends against Layer 3 attack packets.
  • Source MAC address-based tracing: defends against Layer 2 attack packets with a fixed source MAC address.
  • Source port+VLAN based tracing: defends against Layer 2 attack packets with different source MAC addresses.

Prerequisites

Attack source tracing has been enabled using the auto-defend enable command.

Precautions

After the attack source tracing function is enabled on the device, you can run the display auto-defend attack-source command to view attack source tracing information if an attack occurs.

If the attack source tracing function is enabled by using the auto-defend enable command, you cannot run the undo auto-defend trace-type source-mac source-ip source-portvlan command to delete all source tracing modes.

Example

# Configure attack source tracing based on source MAC addresses.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test 
[*HUAWEI-cpu-defend-policy-test] auto-defend enable
[*HUAWEI-cpu-defend-policy-test] auto-defend trace-type source-mac

auto-defend whitelist

Function

The auto-defend whitelist command configures a whitelist for attack source tracing. The device does not trace the source of users in the whitelist.

The undo auto-defend whitelist command deletes a whitelist for attack source tracing.

By default, no whitelist is configured.

Format

auto-defend whitelist whitelist-number { acl { acl-number | ipv6 acl6-number } | interface interface-type interface-number }

undo auto-defend whitelist whitelist-number

Parameters

Parameter Description Value
whitelist-number Specifies the number of a whitelist. The value is an integer that ranges from 1 to 32.
acl acl-number Specifies the number of an ACL referenced by a whitelist.

The value is an integer that ranges from 2000 to 4999.

  • 2000 to 2999: basic ACLs
  • 3000 to 3999: advanced ACLs
  • 4000 to 4999: Layer 2 ACLs
acl ipv6 acl6-number Specifies the number of an ACL6 referenced by a whitelist.

The value is an integer that ranges from 2000 to 4999.

  • 2000 to 2999: basic ACL6s
  • 3000 to 3999: advanced ACL6s
interface interface-type interface-number Specifies the interface to which the whitelist is applied.
  • interface-type specifies the interface type.

  • interface-number specifies the interface number.

-

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Attack source tracing helps locate and punish sources of denial of service (DoS) attacks. If some users do not need to be traced regardless of whether an attack occurs, run the auto-defend whitelist command to configure a whitelist for users.

Prerequisites

Attack source tracing has been enabled using the auto-defend enable command.

Precautions

Before referencing an ACL in a whitelist, create the ACL and configure rules.

If the ACL referenced by the whitelist specifies some protocols, ensure that packets of these protocols can be traced. If a specified protocol is not supported by attack source tracing, you can run the auto-defend protocol command to configure attack source tracing to support the protocol.

Example

# Add source IP addresses 10.1.1.1 and 10.1.1.2 to the whitelist for attack source tracing.

<HUAWEI> system-view
[~HUAWEI] acl 2000
[*HUAWEI-acl4-basic-2000] rule permit source 10.1.1.1 0
[*HUAWEI-acl4-basic-2000] rule permit source 10.1.1.2 0
[*HUAWEI-acl4-basic-2000] quit
[*HUAWEI] cpu-defend policy test
[*HUAWEI-cpu-defend-policy-test] auto-defend enable
[*HUAWEI-cpu-defend-policy-test] auto-defend whitelist 1 acl 2000
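
The commands from auto-defend enable through auto-defend whitelist all act on the same four-phase pipeline (packet parsing, traffic analysis, attack source identification, punish action). The following Python model is an added illustration, not device code: it shows how the traced protocol list, the trace-type keys, the checking and event reporting thresholds, the whitelist and the deny action fit together on one second of constructed traffic. The traffic, MAC and IP addresses, port names, and the plain network list standing in for the whitelist ACL are assumptions for the example; the default values are the ones documented above.

```python
"""Constructed model of the attack source tracing pipeline.

Added illustration, not device code. Knobs modelled: auto-defend protocol
(which packet types are parsed), auto-defend trace-type (how packets are
grouped), auto-defend threshold and auto-defend alarm threshold (pps
limits), auto-defend whitelist (exempt users) and auto-defend action deny
timeout (the punish phase). Traffic, addresses, port names and the
network-list whitelist standing in for an ACL are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

DEFAULT_PROTOCOLS = {"arp", "dhcp", "dhcpv6", "icmp", "icmpv6", "mld", "nd", "igmp", "ttl-expired"}


@dataclass
class Packet:
    src_mac: str
    src_ip: str
    port: str
    vlan: int
    proto: str


@dataclass
class TracePolicy:
    protocols: Set[str] = field(default_factory=lambda: set(DEFAULT_PROTOCOLS))
    trace_types: Set[str] = field(default_factory=lambda: {"source-mac", "source-ip"})
    threshold: int = 128         # auto-defend threshold, pps (default 128)
    alarm_threshold: int = 128   # auto-defend alarm threshold, pps (default 128)
    alarm_enabled: bool = True   # auto-defend alarm enable (default enabled)
    whitelist: List[str] = field(default_factory=list)  # exempt source networks (stand-in for ACL rule permit source)
    action: Optional[str] = None  # None, "deny" or "error-down"
    deny_timeout: int = 300      # auto-defend action deny timeout, seconds (default 300)


def trace_key(pkt: Packet, trace_type: str) -> str:
    """The field(s) the device groups packets by for a given trace-type."""
    if trace_type == "source-mac":
        return pkt.src_mac
    if trace_type == "source-ip":
        return pkt.src_ip
    if trace_type == "source-portvlan":
        return f"{pkt.port}/vlan{pkt.vlan}"
    raise ValueError(f"unknown trace-type {trace_type!r}")


def is_whitelisted(pkt: Packet, policy: TracePolicy) -> bool:
    """Whitelisted users are neither traced nor punished."""
    return any(ip_address(pkt.src_ip) in ip_network(net) for net in policy.whitelist)


def analyse_window(window: List[Packet], policy: TracePolicy):
    """Run one 1-second window through parse -> analyse -> identify -> punish.

    Returns (traced, alarms, punish) as sorted lists of tuples.
    """
    counts: Dict[str, Counter] = defaultdict(Counter)
    for pkt in window:
        if pkt.proto not in policy.protocols:   # not a traced packet type: never parsed
            continue
        if is_whitelisted(pkt, policy):
            continue
        for tt in policy.trace_types:
            counts[tt][trace_key(pkt, tt)] += 1

    traced, alarms, punish = [], [], []
    for tt, per_key in counts.items():
        for key, pps in per_key.items():
            if pps <= policy.threshold:          # checking threshold: "exceeds" means strictly greater
                continue
            traced.append((tt, key, pps))        # logged attack source
            if policy.alarm_enabled and pps > policy.alarm_threshold:
                alarms.append((tt, key, pps))    # event reported to the administrator
            if policy.action == "deny":
                punish.append((tt, key, "deny", policy.deny_timeout))
            elif policy.action == "error-down":
                punish.append((tt, key, "error-down", None))
    return sorted(traced), sorted(alarms), sorted(punish)


def build_window() -> List[Packet]:
    """Constructed traffic for one second."""
    window: List[Packet] = []
    # A: 200 ICMP pps from a monitoring host that the whitelist will exempt
    window += [Packet("aa:bb:cc:00:00:01", "10.1.1.1", "10GE1/0/1", 10, "icmp") for _ in range(200)]
    # B: 150 ARP pps from one fixed MAC/IP (caught by source-mac and source-ip)
    window += [Packet("aa:bb:cc:00:00:02", "192.168.1.20", "10GE1/0/2", 20, "arp") for _ in range(150)]
    # C: 140 ARP pps spread over 140 spoofed MAC/IP pairs on one port (only source-portvlan sees it)
    window += [Packet(f"02:00:00:00:00:{i:02x}", f"192.168.2.{i + 1}", "10GE1/0/3", 30, "arp")
               for i in range(140)]
    # D: 300 OSPF pps; OSPF is not in the traced protocol list, so it is never parsed here
    window += [Packet("aa:bb:cc:00:00:04", "192.168.1.40", "10GE1/0/4", 40, "ospf") for _ in range(300)]
    # E: 100 ND pps, below the default checking threshold
    window += [Packet("aa:bb:cc:00:00:05", "fe80::5", "10GE1/0/5", 50, "nd") for _ in range(100)]
    return window
```

Running analyse_window with the default policy plus the whitelist from the example above (10.1.1.1 and 10.1.1.2) traces only host B, once per trace-type. Host C is invisible to source-mac and source-ip tracing because every packet carries a different address; it is caught only after source-portvlan is added, which is the case the Usage Scenario of auto-defend trace-type describes as "Layer 2 attack packets with different source MAC addresses". Raising the alarm threshold above the checking threshold keeps the log entries but suppresses the event, and setting action to deny with timeout 10 produces the punish record shown in the auto-defend action example.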

auto-port-defend protocol disable

Function

The auto-port-defend protocol disable command disables the port-based automatic local attack defense.

The undo auto-port-defend protocol disable command enables the port-based automatic local attack defense.

By default, port-based automatic local attack defense is enabled.

Format

auto-port-defend protocol { arp-request | dhcp | multicast | ospf } disable

undo auto-port-defend protocol { arp-request | dhcp | multicast | ospf } disable

NOTE:

The CE6880EI supports only the arp-request parameter.

Parameters

Parameter

Description

Value

arp-request

Indicates that the packet type is ARP Request.

-

dhcp

Indicates that the packet type is DHCP.

-

multicast

Indicates that the packet type is Multicast.

-

ospf

Indicates that the packet type is OSPF.

-

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a protocol is enabled, the switch automatically assigns a queue to the protocol packets and a default CAR value for the queue. If one port receives a large number of packets of a protocol and sends them to the CPU, the packets of this protocol from the other ports reach the CPU at a low rate or not at all, which affects services.

After port-based automatic local attack defense is enabled, the switch moves the packets of this protocol to a queue with a small CAR value in either of the following situations:
  • The rate of such protocol packets received on a port exceeds 75% of the default CAR value.
  • The rate of such protocol packets received on the two ports that have received the most packets of this type exceeds 85% of the default CAR value.

This function ensures that other ports can normally send protocol packets to the CPU.
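
The starvation problem and the two trigger conditions above can be modelled on constructed per-port rates. The following Python is an added illustration, not device code: it shares one protocol queue's CAR among ports in proportion to their offered load, which is an assumed model of queue behaviour, and applies the 75% and 85% rules to decide which ports are moved to a smaller queue. The default and small CAR values, the port names, and the reading of the 85% rule as the combined rate of the two busiest ports are assumptions.

```python
"""Constructed model of port-based automatic local attack defense.

Added illustration, not device code. Shows one port's ARP Request traffic
consuming a shared queue's CAR and starving the other ports, then the
effect of isolating the offending port in a small-CAR queue. The CAR
values, port names, proportional sharing model and the reading of the 85%
rule as the sum of the two busiest ports are assumptions.
"""
from typing import Dict, List

DEFAULT_CAR_PPS = 256   # assumed default CAR for the arp-request queue (real value: display cpu-defend configuration)
SMALL_CAR_PPS = 64      # assumed CAR of the isolation queue offenders are moved to


def share_queue(offered: Dict[str, int], car_pps: int) -> Dict[str, int]:
    """Packets actually delivered to the CPU from one queue, per port.

    When the offered load exceeds the CAR, each port keeps a share in
    proportion to what it offered (integer division, remainder dropped).
    """
    total = sum(offered.values())
    if total <= car_pps:
        return dict(offered)
    return {port: n * car_pps // total for port, n in offered.items()}


def offending_ports(per_port_pps: Dict[str, int], default_car: int) -> List[str]:
    """Ports whose traffic trips either trigger documented for this function:
    the busiest port above 75% of the default CAR, or the two busiest ports
    together above 85% of it."""
    ranked = sorted(per_port_pps.items(), key=lambda kv: kv[1], reverse=True)
    if not ranked:
        return []
    if ranked[0][1] > 0.75 * default_car:
        return [ranked[0][0]]
    if len(ranked) >= 2 and ranked[0][1] + ranked[1][1] > 0.85 * default_car:
        return [ranked[0][0], ranked[1][0]]
    return []


def deliver(per_port_pps: Dict[str, int], default_car: int = DEFAULT_CAR_PPS,
            small_car: int = SMALL_CAR_PPS, auto_port_defend: bool = True) -> Dict[str, int]:
    """Per-port packets reaching the CPU, with or without the defense enabled."""
    offenders = set(offending_ports(per_port_pps, default_car)) if auto_port_defend else set()
    normal = {p: n for p, n in per_port_pps.items() if p not in offenders}
    isolated = {p: n for p, n in per_port_pps.items() if p in offenders}
    delivered = share_queue(normal, default_car)       # default queue keeps its full CAR for the rest
    delivered.update(share_queue(isolated, small_car))  # offenders compete for the small CAR only
    return delivered


# Constructed per-port ARP Request rates for one second: one port floods, three behave
ARP_REQUEST_PPS = {"10GE1/0/1": 900, "10GE1/0/2": 40, "10GE1/0/3": 30, "10GE1/0/4": 30}

if __name__ == "__main__":
    print("defense disabled:", deliver(ARP_REQUEST_PPS, auto_port_defend=False))
    print("defense enabled: ", deliver(ARP_REQUEST_PPS))
```

With the defense disabled the flooding port takes 230 of the 256 pps and the three normal ports get 10, 7 and 7 pps of their 40, 30 and 30. With it enabled the flooding port is capped at the small CAR and the normal ports are delivered in full, which is what "ensures that other ports can normally send protocol packets to the CPU" means in practice.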

Precautions

After ARP rate limiting is enabled on all interfaces, port-based automatic local attack defense for ARP does not take effect.

Example

# In the attack defense policy view, disable port-based automatic local attack defense for ARP Request packets.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test
[*HUAWEI-cpu-defend-policy-test] auto-port-defend protocol arp-request disable

blacklist

Function

The blacklist command configures a blacklist.

The undo blacklist command deletes a blacklist.

By default, no blacklist is configured.

Format

blacklist blacklist-id acl { acl-number | ipv6 acl6-number } [ interface { interface-type interface-number1 [ to interface-type interface-number2 ] } &<1-8> ] [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-8> ]

undo blacklist blacklist-id [ acl { acl-number | ipv6 acl6-number } [ interface { interface-type interface-number1 [ to interface-type interface-number2 ] } &<1-8> ] [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-8> ] ]

Parameters

Parameter

Description

Value

blacklist-id

Specifies the ID of a blacklist.

The value is an integer that ranges from 1 to 8.

acl acl-number

Specifies the number of an Access Control List (ACL) referenced by a blacklist.

The value is an integer that ranges from 2000 to 4999 or from 23000 to 23999.

  • 2000 to 2999: basic ACLs
  • 3000 to 3999: advanced ACLs
  • 4000 to 4999: Layer 2 ACLs
  • 23000 to 23999: ARP-based ACLs
interface { interface-type interface-number1 [ to interface-type interface-number2 ] } &<1-8>
Specifies the numbers of interfaces in the blacklist.
  • interface-type specifies the interface type.

  • interface-number1 specifies the first interface number.

  • interface-number2 specifies the last interface number.

The value of interface-number2 must be larger than the value of interface-number1.

vlan { vlan-id1 [ to vlan-id2 ] } &<1-8>
Specifies the VLAN IDs in the blacklist.
  • vlan-id1 specifies the first VLAN ID.

  • vlan-id2 specifies the last VLAN ID.

The value of vlan-id2 must be equivalent to or larger than the value of vlan-id1. The vlan-id1 and vlan-id2 parameters determine a VLAN range.

acl ipv6 acl6-number Specifies the number of an ACL6 referenced by a blacklist.

The value is an integer that ranges from 2000 to 3999.

  • 2000 to 2999: basic ACL6s
  • 3000 to 3999: advanced ACL6s

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

To defend against malicious packet attacks, the device uses ACLs to add users with the specific characteristic into a blacklist and discards the packets from the users in the blacklist.

A maximum of 8 blacklists can be configured in an attack defense policy on the device.

NOTE:

The blacklists are restored in the ascending order of blacklist IDs (blacklist-id).

When an ACL rule in which the protocol type is set to TCP or UDP is applied to a blacklist, only 24 port number ranges can be configured.

When a blacklist references an ACL that matches the source IP address against unicast addresses or references a basic ACL with no matching rule configured, the blacklist does not take effect on the packets forwarded by the CE6870EI.

For the CE6870EI, the blacklist function does not take effect on the STP, LDT, LLDP, CDP, DLDP, LACP, DAD, EFM, VBST, GVRP, CFM, BPDU, and M-LAG packets, as well as the FCoE packets carrying VLAN information and oversize GRE packets (configurable using the MTU command).

Example

# Specify ACL 2001 as the rule of blacklist 2.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test
[*HUAWEI-cpu-defend-policy-test] blacklist 2 acl 2001

car (attack defense policy view)

Function

The car command sets the rate limit for packets sent to the CPU.

The undo car command restores the default rate limit for packets sent to the CPU.

By default, the rate limit for protocol packets ranges from 32 pps to 5120 pps. You can run the display cpu-defend configuration command to check the rate limit.

Format

car packet-type packet-type pps pps-value

undo car packet-type packet-type

Parameters

Parameter Description Value
packet-type packet-type Specifies the type of packets.

When a packet type is specified, the CAR value takes effect on this type of packets and these packets are put into an independent queue.

The supported packet type depends on the device.
For example:
  • mtu: indicates packets whose sizes exceed the MTU value.
  • ttl-expired: indicates packets with both the TTL value and hop limit set to 1.
  • fib-hit: indicates packets with the destination IP address being the local address.
  • common: indicates a special queue. When queue resources are insufficient and rate limiting is configured for other packets, these packets will be delivered to the common queue.
pps pps-value Specifies the rate limit. The value is an integer that ranges from 10 to 100,00, in pps. The value range may differ for different packet types.
NOTE:
If you do not set CPCAR for VRRP packets on a CE6870EI, the CPCAR value for VRRP packets is dynamically changed along with the change of the number of VRRP groups. If you set a CPCAR value for VRRP packets, the CPCAR value for VRRP packets is fixed.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The switch has default CAR values for each type of protocol packet. You can adjust CAR values for specified types of protocol packets based on services and network environment.

After an attack defense policy is created, you can limit the rate of protocol packets using the policy:
  • Reduce the CAR values in the following situation: When a network undergoes an attack, reduce the CAR values of the corresponding protocol, to reduce impact on the system CPU.
  • Increase the CAR values in the following situation: When service traffic volume on the network increases, a large number of protocol packets need to be sent to the CPU. Increase the CAR values of the corresponding protocols to meet service requirements.

Precautions

If both the deny and car commands are run for a specified type of packets, the command configured later takes effect.

Example

# Configure the CAR in the attack defense policy named test and set the rate limit of ARP packets to 6400 pps.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test 
[*HUAWEI-cpu-defend-policy-test] car packet-type arp pps 6400

car all-packets pps

Function

The car all-packets pps command limits the number of packets sent to the CPU per second.

The undo car all-packets pps command restores the default maximum number of packets sent to the CPU per second.

By default, a maximum of 5120 packets can be sent to the CPU of the device per second. However, the CE5810EI, CE5850HI, and CE5855EI send a maximum of 2048 packets to the CPU per second.

Format

car all-packets pps packets

undo car all-packets

Parameters

Parameter Description Value
pps packets Specifies the maximum number of packets that are sent to the CPU per second. The value is an integer that ranges from 1000 to 100000, in pps.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If a large number of packets are sent to the CPU, CPU performance deteriorates. The device limits the number of packets sent to the CPU per second to protect the CPU. The device provides 2-level CAR:
  1. Level-1 CAR: limits the number of packets based on packet types using the car command
  2. Level-2 CAR: limits the number of all packets sent to the CPU regardless of the protocol types or queues. This function is configured using the car all-packets pps command.

The car all-packets pps command is applicable to the scenario where burst packets are sent to the CPU. The maximum number of packets sent to the CPU specified using the car all-packets pps command must be smaller than that specified by level-1 CAR; otherwise, the car all-packets pps command takes no effect.
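
The two CAR levels and the precaution that level-2 must be smaller than level-1 can be checked on constructed numbers. The following Python is an added illustration, not device code: level-1 caps each packet type at its own CAR (car packet-type ... pps) and level-2 caps the aggregate (car all-packets pps). The per-type CAR values, the offered burst and the proportional trimming at level-2 are assumptions; the rule that level-2 only takes effect when it is below what level-1 could let through in total is this page's precaution, read here as "smaller than the sum of the level-1 limits".

```python
"""Constructed model of the two CAR levels described above.

Added illustration, not device code. Level-1 is the per-type limit set by
car packet-type ... pps; level-2 is the aggregate limit set by
car all-packets pps. CAR values, the burst and the proportional trimming
are assumptions; the "level-2 must be smaller than level-1" precaution is
read as smaller than the sum of the level-1 limits.
"""
from typing import Dict, Optional, Tuple

LEVEL1_CAR_PPS = {"arp": 256, "icmp": 512, "dhcp": 512, "ospf": 1024}  # assumed per-type CARs
DEFAULT_ALL_PACKETS_PPS = 5120  # default for most models on the page


def level1(offered: Dict[str, int], car: Dict[str, int]) -> Dict[str, int]:
    """Per-type rate limiting: each queue passes at most its own CAR."""
    return {t: min(n, car[t]) for t, n in offered.items()}


def level2(after_l1: Dict[str, int], all_packets_pps: Optional[int]) -> Tuple[Dict[str, int], int]:
    """Aggregate limit across all queues.

    Returns (delivered per type, packets dropped at level-2). When the
    aggregate exceeds the limit, each queue is trimmed in proportion.
    """
    total = sum(after_l1.values())
    if all_packets_pps is None or total <= all_packets_pps:
        return dict(after_l1), 0
    trimmed = {t: n * all_packets_pps // total for t, n in after_l1.items()}
    return trimmed, total - sum(trimmed.values())


def two_level_car(offered: Dict[str, int], car: Dict[str, int] = LEVEL1_CAR_PPS,
                  all_packets_pps: Optional[int] = DEFAULT_ALL_PACKETS_PPS) -> Tuple[Dict[str, int], int]:
    """Level-1 first, then level-2 on what level-1 let through."""
    return level2(level1(offered, car), all_packets_pps)


def level2_can_take_effect(car: Dict[str, int], all_packets_pps: int) -> bool:
    """Level-2 drops nothing unless its limit is below the total level-1 could pass."""
    return all_packets_pps < sum(car.values())


BURST = {"arp": 1000, "icmp": 600, "dhcp": 100, "ospf": 200}  # constructed one-second burst

if __name__ == "__main__":
    print("default level-2 (5120):", two_level_car(BURST))
    print("level-2 at 1000:      ", two_level_car(BURST, all_packets_pps=1000))
```

With the assumed per-type CARs summing to 2304 pps, the default all-packets limit of 5120 pps can never be reached after level-1 and therefore changes nothing, which is the situation the precaution warns about. Lowering it to 1000 pps trims the 1068 pps that level-1 passes down to 998 pps, spread across the queues.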

Precautions

If you run the car all-packets pps command in the same attack defense policy view multiple times, only the latest configuration takes effect.

The car all-packets pps command is required only when the current CAR configuration cannot reduce the high CPU usage.

When both the actual and the configured rates of packets sent to the CPU are high, the CPU usage may be high and performance may deteriorate. In the worst case, the device breaks down.

Example

# Configure the attack defense policy named test to limit the rate of packets sent to the CPU to 5000 pps.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test
[*HUAWEI-cpu-defend-policy-test] car all-packets pps 5000

cpu-defend local-host anti-attack enable

Function

The cpu-defend local-host anti-attack enable command enables host attack defense.

The undo cpu-defend local-host anti-attack enable command disables host attack defense.

By default, host attack defense is disabled.

Format

cpu-defend local-host anti-attack enable

undo cpu-defend local-host anti-attack enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After the ssh server acl, telnet server acl, ftp server acl, or snmp-agent acl command is configured, a switch forwards SSH, Telnet, FTP, or SNMP packets to the CPU and matches these packets against software ACLs. When host attack defense is enabled, the switch matches these packets against hardware ACLs. If packets match an ACL with a deny action, the switch directly discards the packets and will no longer forward such packets to the CPU.

Example

# Enable host attack defense.

<HUAWEI> system-view
[~HUAWEI] cpu-defend local-host anti-attack enable

cpu-defend policy

Function

The cpu-defend policy command creates an attack defense policy and displays the attack defense policy view.

The undo cpu-defend policy command deletes an attack defense policy.

By default, the devicename-default attack defense policy exists on the device and is applied to the device. The devicename-default attack defense policy cannot be deleted or modified.

Format

cpu-defend policy policy-name

undo cpu-defend policy policy-name

Parameters

Parameter Description Value
policy-name Specifies the name of an attack defense policy. The value is a string of 1 to 31 case-sensitive characters without spaces. The string cannot contain the following characters: > $ | . The value cannot start with the underscore (_). When double quotation marks are used around the string, spaces are allowed in the string.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A large number of packets including malicious attack packets are sent to the CPU on a network. If excess packets are sent to the CPU, the CPU usage becomes high and CPU performance deteriorates. The attack packets affect services and may even cause system breakdown. To solve the problem, create an attack defense policy and configure CPU attack defense and attack source tracing in the attack defense policy.

Precautions

The device supports a maximum of 17 attack defense policies, including the devicename-default attack defense policy. The devicename-default attack defense policy is generated in the system by default and is applied to the device. The devicename-default attack defense policy cannot be deleted or modified. The other 16 policies can be created, modified, and deleted.
NOTE:

CE6870EI and CE6880EI support a maximum of 49 attack defense policies, including the devicename-default attack defense policy. By default, the devicename-default attack defense policy is applied to the device and cannot be deleted or modified. The other 48 policies can be modified or deleted.

The configuration in a user-defined attack defense policy overrides the configuration in the devicename-default attack defense policy. If no parameter is set in the user-defined attack defense policy, the configuration in the devicename-default attack defense policy is used.

When the devicename-default attack defense policy is used, protocol packets sent to the CPU are limited based on the default CIR value.

Example

# Create an attack defense policy named test.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test
[*HUAWEI-cpu-defend-policy-test] 

cpu-defend-policy

Function

The cpu-defend-policy command applies an attack defense policy.

The undo cpu-defend-policy command cancels the application of an attack defense policy.

By default, the devicename-default attack defense policy is applied to the switch.

Format

cpu-defend-policy policy-name [ slot slot-id | batch slot { slot-id1 [ to slot-id2 ] } &<1-12> ]

undo cpu-defend-policy [ slot slot-id | batch slot { slot-id1 [ to slot-id2 ] } &<1-12> ]

Parameters

Parameter Description Value
policy-name Specifies the name of an attack defense policy. The attack defense policy must already exist.
slot slot-id Indicates that the attack defense policy is applied locally. slot-id specifies the slot ID of the LPU. If slot slot-id is not specified, the attack defense policy is applied on all LPUs. -
batch slot { slot-id1 [ to slot-id2 ] } &<1-12> Specifies the slots to which the attack defense policy is applied.
  • slot-id1 indicates the start slot ID to which the attack defense policy is applied.
  • slot-id2 indicates the end slot ID to which the attack defense policy is applied.

    slot-id2 must be greater than or equal to slot-id1. The slot-id1 and slot-id2 parameters together determine a slot range.

  • If the to slot-id2 parameter is not specified, the attack defense policy is only applied to slot slot-id1.
-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An attack defense policy takes effect only after it is applied to the device, and only one attack defense policy can be applied to the device.

Prerequisites

An attack defense policy has been created by using the cpu-defend policy command.

Example

# Apply the attack defense policy named test to all devices.
<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test
[*HUAWEI-cpu-defend-policy-test] quit
[*HUAWEI] cpu-defend-policy test
# Apply the attack defense policy named test to the LPU in slot 3.
<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test
[*HUAWEI-cpu-defend-policy-test] quit
[*HUAWEI] cpu-defend-policy test slot 3

deny

Function

The deny command configures the device to discard packets sent to the CPU.

The undo deny command restores the default action taken for the packets sent to the CPU.

By default, the device does not discard packets sent to the CPU. Instead, the device limits the rate of packets sent to the CPU using the default rate. You can check the rate limit of each type of packets using the display cpu-defend configuration command.

Format

deny packet-type packet-type

undo deny packet-type packet-type

Parameters

Parameter Description Value
packet-type packet-type Specifies the type of the packet to be discarded. The supported packet type depends on the device.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After an attack defense policy is created, if the device receives attack packets of a specified type or a large number of packets sent to the CPU, run the deny command to configure the device to discard packets of the specified type sent to the CPU.

Precautions

If you run the deny command and then the car command, the car command takes effect; if you run the car command and then the deny command, the deny command takes effect. After the undo deny command is executed, the default action for packets sent to the CPU is restored.

Example

# Configure the drop action taken for ARP packets to be sent to the CPU in the attack defense policy test.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test 
[*HUAWEI-cpu-defend-policy-test] deny packet-type arp

description (attack defense policy view)

Function

The description command configures the description of an attack defense policy.

The undo description command deletes the description of an attack defense policy.

By default, no description is configured for an attack defense policy.

Format

description text

undo description

Parameters

Parameter Description Value
text Specifies the content of a description. It is a string of 1 to 63 case-sensitive characters, in which spaces are allowed.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The description command configures the description of an attack defense policy, for example, the usage or application scenario of the attack defense policy. The description is used to differentiate attack defense policies.

Precautions

If you run the description command in the same attack defense policy view multiple times, only the latest configuration takes effect.

Example

# Configure the description defend_arp_attack for the attack defense policy named test.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test 
[*HUAWEI-cpu-defend-policy-test] description defend_arp_attack

display auto-defend attack-source

Function

The display auto-defend attack-source command displays the attack sources.

Format

display auto-defend attack-source [ statistics ] [ slot slot-id ]

Parameters

Parameter

Description

Value

statistics

Displays statistics on attack sources.

NOTE:

Only the CE6870EI supports this parameter.

-

slot slot-id

Specifies the stack ID of the device.

The value must be set according to the device configuration.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display auto-defend attack-source command displays the attack source list.

In a stack, the attack source list is saved only on the master switch, so the display auto-defend attack-source command displays only the attack source list on the master switch (except on the CE6870EI).

Example

# Display the attack source list.

<HUAWEI> display auto-defend attack-source
  Attack Source User Table on Slot 1 :                            
  -------------------------------------------------------------------------                                                         
  MAC Address      Interface       PacketType    VLAN:Outer/Inner      Total                                                               
  -------------------------------------------------------------------------                                                         
  0000-c102-0102   10GE1/0/1       ICMP          1000/                 4832                
  -------------------------------------------------------------------------                                                         
  Total: 1                         
  Attack Source IP Table on Slot 1 :                                      
  -------------------------------------------------------------------------                                                         
  IP Address      PacketType    Total                                                               
  -------------------------------------------------------------------------                                                         
  10.1.1.2        ICMP          1144                                                                
  -------------------------------------------------------------------------                                                         
  Total: 1                         
  Attack Source Port Table on Slot 1 :                        
  -------------------------------------------------------------------------                                                         
  Interface       VLAN:Outer/Inner     PacketType     Total                                                               
  -------------------------------------------------------------------------                                                         
  10GE1/0/1       1000/--              ICMP            4832    
  -------------------------------------------------------------------------                                                         
  Total: 1                         
Table 16-56  Description of the display auto-defend attack-source command output

Item

Description

Attack Source User Table on Slot 1

Information about attack sources on the device, classified by attacking user.

MAC Address

MAC address of the user.

Interface

Interface name.

PacketType

Packet type.

VLAN:Outer/Inner

ID of the VLAN that an interface belongs to. Outer indicates the outer VLAN ID and Inner indicates the inner VLAN ID.

Total

Total number of packets.

Total: 1

Total number of attackers.

Attack Source IP Table on Slot 1

Information about attack sources on the LPU, classified by attack source IP address.

IP Address

IP address of a user.

Attack Source Port Table on Slot 1

Information about attack sources on the LPU, classified by attack source port.

display cpu-defend auto-port-defend

Function

Run the display cpu-defend auto-port-defend command to check information about the port to which port-based automatic local attack defense is applied and statistics on the protocol packets sent to the CPU.

Format

display cpu-defend auto-port-defend [ slot slot-id ]

Parameters

Parameter

Description

Value

slot slot-id

Specifies a slot ID.

The value depends on the device configuration.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

If the protocol packets on a port are moved to a queue with a small CAR value and sent to the CPU, run this command to view the port information and statistics about the protocol packets.

Example

# Check information about the port to which port-based automatic local attack defense is applied and statistics on the protocol packets sent to the CPU.
<HUAWEI> display cpu-defend auto-port-defend
Port info on slot 1 :                                                                                                               
--------------------------------------------------------------------------------                                                    
PacketType          Port                                                                                                          
--------------------------------------------------------------------------------                                                    
arp-request         10GE/1/0/1                                                                                               
dhcp                10GE/1/0/1                                                                                                
igmp                10GE/1/0/1                                                                                               
ospf                10GE/1/0/1                                                                                                
--------------------------------------------------------------------------------                                                    
Port queue info on slot 1 :                                                                                                         
--------------------------------------------------------------------------------                                                    
PacketType          QueueName                                                                                                       
--------------------------------------------------------------------------------                                                    
arp-request         queue one                                                                                                       
dhcp                queue one                                                                                                       
igmp                queue one                                                                                                       
ospf                queue two                                                                                                            
--------------------------------------------------------------------------------                                                    
Statistics(packets) on slot 1 :                                                                                                     
--------------------------------------------------------------------------------                                                    
QueueName                Total Passed        Total Dropped   Last Dropping Time                                                     
                    Last 5 Min Passed   Last 5 Min Dropped                                                                          
--------------------------------------------------------------------------------                                                    
queue one                    39413185          12950486396   2017-08-07 15:50                                                       
                               575126            250926259                                                                          
queue two                    28905966            142484581   2017-08-07 15:50                                                       
                               332073              1174817                                                                          
--------------------------------------------------------------------------------
Table 16-57  Description of the display cpu-defend auto-port-defend command output

Item

Description

Port info on slot 1

Information about interfaces in slot 1.

PacketType

Packet type.

Port

Interface name.

Statistics(packets) on slot 1

Packet statistics in slot 1.

Total Passed

Total number of passing packets.

Last 5 Min Passed

Number of packets passing in the last five minutes.

Total Dropped

Total number of dropped packets.

Last 5 Min Dropped

Number of packets dropped in the last five minutes.

Last Dropping Time

Last packet drop time.

Port queue info on slot 1

Information about queues in slot 1.

QueueName

Name of a queue.
NOTE:

When port-based automatic local attack defense is configured for one or two types of packets, the type of protocol packets (for example, arp-request) is displayed as the queue name. When this function is configured for more than two types of packets, all packets are delivered to shared queues. The names of shared queues such as queue one and queue two are displayed. The packets that are not previously delivered to shared queues will also be switched to the shared queues.

display cpu-defend configuration

Function

The display cpu-defend configuration command displays CAR configurations.

Format

display cpu-defend configuration [ packet-type packet-type ] { all | slot slot-id }

Parameters

Parameter

Description

Value

packet-type packet-type

Specifies a packet type.

The supported packet type depends on the device.

all

Indicates all devices.

-

slot slot-id

Specifies the stack ID of the device.

The value must be set according to the device configuration.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display cpu-defend configuration command to view the rate limit of protocol packets sent to the CPU. By default, the rate limit of protocol packets in the devicename-default policy is displayed.

Example

# Display the CAR configurations of all devices.
<HUAWEI> display cpu-defend configuration all
Car configurations on slot 1 :                                                 
---------------------------------------------------                            
PacketType            Status      Car(pps)                                     
---------------------------------------------------                            
8021x                 Disabled         512 
aaa                   Enabled          384                                     
arp                   Enabled          128                                     
arp-miss              Enabled          512                                     
bfd                   Enabled         1024                                     
bgp                   Enabled         1024                                     
bpdu-tunnel           Enabled          512                                     
dhcp                  Enabled          512(*)                                     
......
---------------------------------------------------                            
*: The packet is accessed through the common queue.
Car all-packets (pps) : 5120                                                   
---------------------------------------------------  
NOTE:

The preceding information is an example. The displayed packet type depends on the actual situation.

Table 16-58  Description of the display cpu-defend configuration command output

Item

Description

Car configurations on slot 1

CAR configurations on the device.

PacketType

Packet type.

Status

Protocol packet status.
  • Enabled: indicates that the protocol is enabled.
  • Disabled: indicates that the protocol is disabled.

When the protocol is disabled, the device cannot limit the rate of packets.

Car(pps)

Rate limit for packets, in pps. To set the rate limit for packets, run the car (attack defense policy view) command.

In the command output, 512(*) indicates that the default queue resources are used up for the protocol packets and the system automatically sends the packets to the common queue for scheduling and rate limiting.

Car all-packets (pps)

Rate limit for packets sent to the CPU. To set the rate limit for packets sent to the CPU, run the car all-packets pps command.

display cpu-defend local-host anti-attack

Function

The display cpu-defend local-host anti-attack command displays statistics about the packets matching hardware ACLs after host attack defense is enabled.

Format

display cpu-defend local-host anti-attack [ slot slot-id ]

Parameters

Parameter

Description

Value

slot slot-id

Specifies the stack ID of the device.

The value depends on the device configuration.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After host attack defense is enabled, you can run the display cpu-defend local-host anti-attack command to view statistics about the packets matching hardware ACLs.

Example

# Display statistics about the packets matching hardware ACLs (on the CE6870EI and CE6880EI) after host attack defense is enabled.
<HUAWEI> display cpu-defend local-host anti-attack
ACL resource on slot 1                                                                                                            
----------------------------------------------                                                                                      
Protocol       State           ACL                                                                                                  
----------------------------------------------                                                                                      
SSH            Successful     3000                                                                                                  
----------------------------------------------                                                                                      
                                                                                                                                    
SSH Statistics on slot 1                                                                                                          
--------------------------------------------------------------------------------                                                    
  rule 10 deny tcp                                                                                                                  
  Dropped Packets                     0, Dropped Bytes                         0                                                    
-------------------------------------------------------------------------------- 
# Display statistics about the packets matching hardware ACLs (on a switch except the CE6870EI and CE6880EI) after host attack defense is enabled.
<HUAWEI> display cpu-defend local-host anti-attack
ACL resource on slot 1                                                                                                              
----------------------------------------------                                                                                      
Protocol       State           ACL                                                                                                  
----------------------------------------------                                                                                      
SSH            Failed(1)      2000                                                                                                  
----------------------------------------------                                                                                      
Fail reason:                                                                                                                        
(1): The ACL resource is not enough.                                                                                                
----------------------------------------------                                                                                      
Table 16-59  Description of the display cpu-defend local-host anti-attack command output

Item

Description

ACL resource on slot 1

ACL resources in a specified slot.

Protocol

Protocol of packets.

State

ACL delivery state:
  • Failed(n): An ACL fails to be delivered.
  • Successful: An ACL is delivered successfully.

ACL

Type of an ACL.

Fail reason

Reason of ACL delivery failure:
  • (1): The ACL resource is not enough.
  • (2): The snoop resource is not enough.
  • (3): Some fields in the ACL rule referenced are not supported.
  • (4): The internal error. (You are advised to contact technical support if this error occurs.)
  • (5): The numbers of ACL rules exceed the limit.

SSH Statistics on slot 1

Statistics about a specified type of packets in a slot.

rule 10 deny tcp

ACL rule.

Dropped Packets

Number of discarded packets.

Dropped Bytes

Number of discarded bytes.

Failed to apply the ACL.

ACL application failure.

NOTE:
This item is displayed only when an ACL fails to be delivered.

display cpu-defend policy

Function

The display cpu-defend policy command displays the attack defense policy configuration.

Format

display cpu-defend policy [ policy-name ]

Parameters

Parameter

Description

Value

policy-name

Displays the configuration of a specified attack defense policy.

  • If policy-name is specified, information about the specified attack defense policy is displayed.
  • If policy-name is not specified, information about all attack defense policies is displayed.

The attack defense policy must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After an attack defense policy is created, you can run the display cpu-defend policy command to view the stack ID that the attack defense policy is applied to and configurations of the attack defense policy.

Example

# Display information about the attack defense policy named test1.

<HUAWEI> display cpu-defend policy test1
==============================================
Policy name: test1          
Policy applys on slot: <1>   
Car packet-type bfd(pps) : 128      
Blacklist status:               
----------------------------------------------  
Slot    Blacklist State       ACL    ACLIPv6
----------------------------------------------   
1       1         Successful  2001   -- 
----------------------------------------------
Fail reason:      
(3): Some fields in the ACL rule referenced are not supported. 
==============================================    
Table 16-60  Description of the display cpu-defend policy command output

Item

Description

Policy name

Name of an attack defense policy. To configure an attack defense policy, run the cpu-defend policy command.

Policy applys on slot

Board that an attack defense policy is applied to.

Car packet-type bfd(pps)

CAR value of BFD packets. To set the CAR value for BFD packets, run the car (attack defense policy view) command.

Blacklist status

Whether the device is delivered to the blacklist.

Slot

Number of the slot.

Blacklist

Number of the blacklist. To configure a blacklist, run the blacklist command.

State

Whether the device is delivered to the blacklist.
  • Failed(n): The device fails to be delivered to the blacklist.
  • Successful: The device is successfully delivered to the blacklist.
  • Processing: The ACL is being processed.
  • --: The ACL rule is not applied to this device.

ACL

Number of an ACL defined in blacklist. To configure a blacklist, run the blacklist command.

ACLIPv6

Number of an ACL6 defined in blacklist. To configure a blacklist, run the blacklist command.

Fail reason

The reason why a blacklist cannot be delivered.
  • (1): The ACL resource is not enough. (The ACL resources on the device are insufficient.)
  • (2): The snoop resource is not enough. (The snoop resources on the device are insufficient.)
  • (3): Some fields in the ACL rule referenced are not supported. (The ACL referenced contains the packet matching fields not supported by the device.)
  • (4): The internal error. (An internal error occurs. Contact technical support personnel.)

display cpu-defend rate

Function

The display cpu-defend rate command displays the rate of sending protocol packets to the CPU.

Format

display cpu-defend rate [ packet-type packet-type ] { all | slot slot-id }

Parameters

Parameter

Description

Value

packet-type packet-type

Specifies a packet type.

The supported packet type depends on the device.

all

Indicates all switches in a stack if stacking is enabled, or the switch itself if stacking is disabled.

-

slot slot-id

Specifies the stack ID of the device.

The value must be set according to the device configuration.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display cpu-defend rate command to view the rate of sending protocol packets to the CPU when checking the configuration of an attack defense policy. Based on the rate, you can determine which type of protocol packets may be attacking the CPU.

NOTE:

To ensure normal operation of other services and protect the CPU, the rate of incoming protocol packets is measured only during a specified period after you run the display cpu-defend rate command, and the result is then displayed on the terminal. After you run this command, a message asks you to wait for a moment.

Example

# Display the rate of ARP packets sent from the device to the CPU.

<HUAWEI> display cpu-defend rate packet-type arp slot 1
Info: Please wait for a moment...            
Rate(PPS) on slot 1 :                   
---------------------------------------------------------------             
PacketType                         Passed              Dropped             
---------------------------------------------------------------              
arp                                     0                    0    
--------------------------------------------------------------- 
Table 16-61  Description of the display cpu-defend rate command output

Item

Description

PacketType

Packet type.

Passed

Number of forwarded packets within one second.

Dropped

Number of discarded packets within one second.

display cpu-defend statistics

Function

The display cpu-defend statistics command displays statistics on packets sent to the CPU.

Format

  • Switches except for CE6870EI and CE6880EI:

    display cpu-defend statistics [ history ] [ packet-type packet-type ] { all | slot slot-id }

  • CE6870EI and CE6880EI:

    display cpu-defend statistics [ history ] [ packet-type packet-type ] { all | slot slot-id }

    display cpu-defend { blacklist | filter } statistics [ slot slot-id ]

Parameters

Parameter

Description

Value

packet-type packet-type

Displays statistics on the specified type of protocol packets. packet-type specifies the packet type.

  • If packet-type is specified, statistics on the specified type of protocol packets are displayed.
  • If packet-type is not specified, statistics on all protocol packets are displayed.

The supported packet type depends on the device.

history

Displays statistics on discarded protocol packets. A maximum of 36 protocol packet discarding records are displayed for each protocol.

-

all

Indicates all switches in a stack if stacking is enabled, or the switch itself if stacking is disabled.

-

slot slot-id

Specifies the stack ID of the device.

The value must be set according to the device configuration.

blacklist

Displays packet statistics based on blacklists.

-

filter

Displays packet statistics based on filters.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display cpu-defend statistics command displays statistics on packets sent to the CPU, including the number of forwarded and discarded packets. This helps the network administrator configure attack defense policies.

Example

# Display all CAR statistics on the devices.
<HUAWEI> display cpu-defend statistics all
Statistics(packets) on slot 1 :
--------------------------------------------------------------------------------
PacketType               Total Passed        Total Dropped   Last Dropping Time
                    Last 5 Min Passed   Last 5 Min Dropped
--------------------------------------------------------------------------------
8021x                               0                    0   -
                                    0                    0
aaa                                 0                    0   -
                                    0                    0
arp                                 0                    0   -
                                    0                    0
arp-miss                            0                    0   -
                                    0                    0
bfd                                 0                    0   -
                                    0                    0
bgp                                 0                    0   -
                                    0                    0
bpdu-tunnel                         0                    0   -
                                    0                    0
common                              0                    0   -
                                    0                    0   
dhcp                                0                    0   -
                                    0                    0
dldp                                0                    0   -
                                    0                    0 
......
--------------------------------------------------------------------------------
NOTE:

The preceding information is an example. The displayed packet type depends on the actual situation.

Table 16-62  Description of the display cpu-defend statistics command output

Item

Description

PacketType

Packet type.

Total Passed

Total number of forwarded packets.

Last 5 Min Passed

Number of packets forwarded in the last 5 minutes.

Total Dropped

Total number of discarded packets.

Last 5 Min Dropped

Number of packets discarded in the last 5 minutes.

Last Dropping Time

Last packet discarding time.

# Display historical statistics on packets sent from slot 1 to the CPU.
<HUAWEI> display cpu-defend statistics history slot 1
Statistics(packets) on slot 1 :
--------------------------------------------------------------------------------
PacketType  Time Period                            Passed               Dropped
--------------------------------------------------------------------------------
arp         2014-10-23 13:00~2014-10-23 15:01       75305                127170
arp         2014-10-23 15:01~2014-10-23 17:01       76095                128925
dhcp        2014-10-23 19:01~2014-10-23 19:51       32131                  3722
telnet      2014-10-23 19:01~2014-10-23 19:51       26807                 18442
--------------------------------------------------------------------------------
Table 16-63  Description of the display cpu-defend statistics history command output

Item

Description

PacketType

Packet type.

Time Period

Time range in which packet statistics are collected.

Passed

Number of passed packets.

Dropped

Number of discarded packets.
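The history output pairs each protocol with a time window and its passed/dropped counts, which is the raw material for an alert rather than something to read by eye. The following Python script is an added example for this page, not Huawei code: it parses the slot 1 history output shown above (embedded as a constructed sample string), derives the drop ratio and drops per minute for each row, and flags rows where the CAR discarded most of a protocol's packets or discarded them at a high rate. The function names and thresholds are assumptions chosen for illustration.

```python
"""Parse 'display cpu-defend statistics history' output and flag protocols whose
control-plane drops look like a sustained attack.

Added example for this page; it is not Huawei code. Thresholds and names are
assumptions chosen for illustration."""
import re
from datetime import datetime

# Constructed sample: the slot-1 history output shown on this page.
SAMPLE_HISTORY = """\
Statistics(packets) on slot 1 :
--------------------------------------------------------------------------------
PacketType  Time Period                            Passed               Dropped
--------------------------------------------------------------------------------
arp         2014-10-23 13:00~2014-10-23 15:01       75305                127170
arp         2014-10-23 15:01~2014-10-23 17:01       76095                128925
dhcp        2014-10-23 19:01~2014-10-23 19:51       32131                  3722
telnet      2014-10-23 19:01~2014-10-23 19:51       26807                 18442
--------------------------------------------------------------------------------
"""

_TS_FMT = "%Y-%m-%d %H:%M"
_TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}"
# One data row: <type> <start>~<end> <passed> <dropped>; header and separator lines do not match.
_ROW = re.compile(
    rf"^(?P<ptype>\S+)\s+(?P<start>{_TS})~(?P<end>{_TS})\s+(?P<passed>\d+)\s+(?P<dropped>\d+)$"
)


def parse_history(text):
    """Return one dict per data row with derived drop ratio and drops per minute."""
    records = []
    for raw in text.splitlines():
        m = _ROW.match(raw.strip())
        if not m:
            continue
        start = datetime.strptime(m["start"], _TS_FMT)
        end = datetime.strptime(m["end"], _TS_FMT)
        passed, dropped = int(m["passed"]), int(m["dropped"])
        total = passed + dropped
        # Guard against a zero-length window so the rate is always defined.
        minutes = max((end - start).total_seconds() / 60.0, 1.0)
        records.append({
            "packet_type": m["ptype"],
            "start": m["start"],
            "end": m["end"],
            "passed": passed,
            "dropped": dropped,
            "drop_ratio": dropped / total if total else 0.0,
            "drops_per_min": dropped / minutes,
        })
    return records


def flag_heavy_drops(records, min_ratio=0.5, min_drops_per_min=500.0):
    """Rows where the CAR discarded more than min_ratio of a protocol's packets, or
    discarded faster than min_drops_per_min, as (packet_type, start, drop_ratio)."""
    return [
        (r["packet_type"], r["start"], r["drop_ratio"])
        for r in records
        if r["drop_ratio"] > min_ratio or r["drops_per_min"] > min_drops_per_min
    ]


if __name__ == "__main__":
    recs = parse_history(SAMPLE_HISTORY)
    for r in recs:
        print(f'{r["packet_type"]:8} {r["start"]}~{r["end"]}  '
              f'ratio={r["drop_ratio"]:.3f}  drops/min={r["drops_per_min"]:.1f}')
    for ptype, start, ratio in flag_heavy_drops(recs):
        print(f"ALERT: {ptype} dropped {ratio:.0%} of packets in window starting {start}")
```

On the page's sample both ARP windows are flagged (roughly 63% of ARP packets dropped at over 1000 drops per minute), while DHCP and Telnet stay under the default thresholds. Drops on a management protocol such as Telnet are still worth a look even below the threshold, since the counters say nothing about who sent the traffic; the display auto-defend attack-source command is the next step for that.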

display snmp-agent trap feature-name securitytrap all

Function

The display snmp-agent trap feature-name securitytrap all command displays the status of all trap messages about the attack source tracing module.

Format

display snmp-agent trap feature-name securitytrap all

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

You can run the display snmp-agent trap feature-name securitytrap all command to view the status of all trap messages about the attack source tracing module.

Example

# Display the status of all trap messages about the attack source tracing module.

<HUAWEI> display snmp-agent trap feature-name securitytrap all
------------------------------------------------------------------------------
Feature name: SECURITYTRAP
Trap number : 3
------------------------------------------------------------------------------
Trap name                      Default switch status   Current switch status
hwStrackIfVlanInfo             on                      on
hwStrackIpInfo                 on                      on
hwStrackUserInfo               on                      on
Table 16-64  Description of the display snmp-agent trap feature-name securitytrap all command output

Item

Description

Feature name

Name of the module to which a trap message belongs.

Trap number

Number of trap messages.

Trap name

Name of a trap message. The attack source tracing module supports the following trap messages:

  • hwStrackIfVlanInfo: trap for attack source tracing based on source interfaces and VLANs.
  • hwStrackIpInfo: trap for attack source tracing based on source IP addresses.
  • hwStrackUserInfo: trap for attack source tracing based on source MAC addresses.

Default switch status

Status of the default trap switch:
  • on: indicates that the trap function is enabled.
  • off: indicates that the trap function is disabled.

Current switch status

Status of the current trap switch:
  • on: indicates that the trap function is enabled.
  • off: indicates that the trap function is disabled.

filter

Function

The filter command configures a filter.

The undo filter command deletes a filter.

By default, no filter is available on a device.

Format

filter packet-type arp acl acl-number

undo filter packet-type arp [ acl acl-number ]

filter packet-type { icmp | igmp | ospf | dhcp } acl acl-number

undo filter packet-type { icmp | igmp | ospf | dhcp } [ acl acl-number ]

filter packet-type { icmpv6 | ospfv3 | dhcpv6 } acl ipv6 acl6-number

undo filter packet-type { icmpv6 | ospfv3 | dhcpv6 } [ acl ipv6 acl6-number ]

filter packet-type { snmp | dns | ftp | telnet | ssh | bgp } acl { acl-number | ipv6 acl6-number }

undo filter packet-type { snmp | dns | ftp | telnet | ssh | bgp } [ acl { acl-number | ipv6 acl6-number } ]

Parameters

Parameter

Description

Value

packet-type arp

Indicates that the protocol type is ARP.

NOTE:

The CE6870EI does not support this protocol type.

-

packet-type { icmp | igmp | ospf | dhcp }

Specifies the protocol type:
  • ICMP

  • IGMP

  • OSPF

  • DHCP

-

packet-type { icmpv6 | ospfv3 | dhcpv6 }

Specifies the protocol type:
  • ICMPv6

  • OSPFv3

  • DHCPv6

-

packet-type { snmp | dns | ftp | telnet | ssh | bgp }

Specifies the protocol type:
  • SNMP

  • DNS

  • FTP

  • Telnet

  • SSH

  • BGP

-

acl acl-number

Specifies the ACL matching the filter.

The value of acl-number is an integer that ranges from 2000 to 3999 or 23000 to 23999.

  • 2000 to 2999: basic ACLs
  • 3000 to 3999: advanced ACLs
  • 23000 to 23999: ARP-based ACLs

NOTE:

The ARP protocol supports only ARP-based ACLs. The other protocols support basic and advanced ACLs.

acl ipv6 acl6-number

Specifies the ACL6 matching the filter.

The value of acl6-number is an integer that ranges from 2000 to 3999.

  • 2000 to 2999: basic ACL6s
  • 3000 to 3999: advanced ACL6s

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

If a user sends attack packets to the device, describe the characteristics of these packets in an ACL and bind the ACL to a filter. When packets of that protocol from this user reach the device, the device permits or discards them according to the ACL rules.

NOTE:

A protocol in a filter can be bound to only one ACL or IPv6 ACL. If you bind several ACLs or IPv6 ACLs to the same protocol in a filter, only the last binding takes effect.

If the protocol in an ACL rule differs from the packet type specified in the filter, the packet type in the filter takes precedence. For example, if the filter is configured for DHCP (UDP packets) but the protocol parameter in the ACL rule is TCP, the device still filters DHCP packets.

Example

# Apply ACL 3001 to the filter.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test
[*HUAWEI-cpu-defend-policy-test] filter packet-type icmp acl 3001
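When filters for several protocols are generated for a fleet of switches, the constraints above (ARP accepts only an ARP-based ACL, the IPv6-only protocols need acl ipv6, one binding per protocol with the last one winning) are easy to get wrong silently. The following Python script is an added example for this page, not Huawei code: it builds the filter command lines for an attack defense policy, rejects the combinations the command reference rules out, and reports when a second binding overwrites the first. The class and function names are assumptions; the ACL rules themselves are configured separately and are not generated here.

```python
"""Build 'filter packet-type ... acl ...' lines for a cpu-defend policy and reject
combinations the command reference says are invalid.

Added example for this page; it is not Huawei code. The class and function names
are assumptions. ACL rules themselves are configured separately."""

IPV4_ONLY = {"icmp", "igmp", "ospf", "dhcp"}                  # acl acl-number only
IPV6_ONLY = {"icmpv6", "ospfv3", "dhcpv6"}                    # acl ipv6 acl6-number only
DUAL_STACK = {"snmp", "dns", "ftp", "telnet", "ssh", "bgp"}   # either form


def acl_kind(number):
    """Classify an ACL number by the ranges the reference gives."""
    if 2000 <= number <= 2999:
        return "basic"
    if 3000 <= number <= 3999:
        return "advanced"
    if 23000 <= number <= 23999:
        return "arp"
    raise ValueError(f"acl {number}: outside 2000-3999 and 23000-23999")


def filter_line(packet_type, acl_number, ipv6=False):
    """Return the filter command for one protocol, or raise ValueError."""
    kind = acl_kind(acl_number)
    if packet_type == "arp":
        if ipv6 or kind != "arp":
            raise ValueError("arp only accepts an ARP-based ACL (23000-23999)")
        return f"filter packet-type arp acl {acl_number}"
    if kind == "arp":
        raise ValueError(f"{packet_type}: ARP-based ACLs are only valid for arp")
    if packet_type in IPV4_ONLY and ipv6:
        raise ValueError(f"{packet_type}: IPv4 ACL required")
    if packet_type in IPV6_ONLY and not ipv6:
        raise ValueError(f"{packet_type}: 'acl ipv6' required")
    if packet_type not in IPV4_ONLY | IPV6_ONLY | DUAL_STACK:
        raise ValueError(f"{packet_type}: not a filterable packet type")
    acl = f"acl ipv6 {acl_number}" if ipv6 else f"acl {acl_number}"
    return f"filter packet-type {packet_type} {acl}"


class FilterPolicy:
    """Collects filter bindings for one attack defense policy. Binding a protocol
    twice keeps only the last ACL, mirroring the device's behaviour, and records
    a warning so the overwrite is visible before the configuration is pushed."""

    def __init__(self, name):
        self.name = name
        self._bindings = {}   # packet_type -> command line
        self.warnings = []

    def bind(self, packet_type, acl_number, ipv6=False):
        line = filter_line(packet_type, acl_number, ipv6)
        old = self._bindings.get(packet_type)
        if old is not None and old != line:
            self.warnings.append(
                f"{packet_type}: '{old}' replaced by '{line}' (only the last binding takes effect)")
        self._bindings[packet_type] = line
        return line

    def lines(self):
        """Commands in policy-view order: the policy line, then one filter per protocol."""
        return [f"cpu-defend policy {self.name}"] + [self._bindings[k] for k in sorted(self._bindings)]


if __name__ == "__main__":
    policy = FilterPolicy("test")
    policy.bind("icmp", 3001)          # the page's own example
    policy.bind("arp", 23001)
    policy.bind("ssh", 3002, ipv6=True)
    policy.bind("icmp", 3005)          # overwrites acl 3001; a warning is recorded
    print("\n".join(policy.lines()))
    print("\n".join(policy.warnings))
```

The lines returned by lines() are the commands to enter in the system view and the attack defense policy view; the warnings list is what to review before applying them, since the device itself gives no indication that an earlier binding was replaced.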

reset auto-defend attack-source

Function

The reset auto-defend attack-source command clears information about attack sources.

Format

reset auto-defend attack-source [ statistics ] [ slot slot-id ]
NOTE:

Only the CE6870EI supports the statistics parameter.

Parameters

Parameter Description Value
statistics

Clears statistics on attack sources.

-

slot slot-id

Specifies the stack ID of the device. If slot slot-id is not specified, information about attack sources on all devices is cleared.

The value is 1 if no stack is configured, or the stack ID if stacking is enabled. The value must be set according to the device configuration.

Views

User view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To view the latest attack source information on the device, run the reset auto-defend attack-source command to delete the existing attack source information, wait for a period, and run the display auto-defend attack-source command.

Precautions

After the reset auto-defend attack-source command is run, information about attack sources is cleared and cannot be restored.

Example

# Delete existing attack source information on the device.

<HUAWEI> reset auto-defend attack-source

reset auto-defend attack-source trace-type

Function

The reset auto-defend attack-source trace-type command clears the counter of packets traced after attack source tracing based on source MAC addresses, source IP addresses, or source ports+VLANs is configured.

Format

reset auto-defend attack-source trace-type { source-mac [ mac-address ] | source-ip [ ip-address | ipv6-address ] | source-portvlan [ interface interface-type interface-number vlan vlan-id [ inner-vlan inner-vlan-id ] ] } * [ slot slot-id ]

Parameters

Parameter Description Value
source-mac [ mac-address ]

Clears the counter of packets traced after attack source tracing based on source MAC addresses is configured.

If mac-address is specified, the counter of traced packets sent from the specified MAC address is cleared.

The value of mac-address is in H-H-H format. An H contains 1 to 4 hexadecimal numbers.
source-ip [ ip-address | ipv6-address ]

Clears the counter of packets traced after attack source tracing based on source IP addresses is configured.

If ip-address is specified, the counter of traced packets sent from the specified IP address is cleared.

If ipv6-address is specified, the counter of traced packets sent from the specified IPv6 address is cleared.

The value of ip-address is in dotted decimal notation. The value of ipv6-address is a 32-digit hexadecimal number in the format X:X:X:X:X:X:X:X.
source-portvlan [ interface interface-type interface-number vlan vlan-id [ inner-vlan inner-vlan-id ] ]

Clears the counter of packets traced after attack source tracing based on source ports+VLANs is configured.

If an interface and VLAN are specified, only the counter of traced packets received on that interface in that VLAN is cleared.

  • interface-type specifies the interface type.

  • interface-number specifies the interface number.

  • vlan vlan-id specifies the ID of the VLAN.

  • inner-vlan inner-vlan-id specifies the inner VLAN ID in a QinQ packet.

vlan-id and inner-vlan-id are integers that range from 1 to 4094, excluding reserved VLAN IDs, which can be configured using the vlan reserved command.
slot slot-id

Specifies the stack ID of the device.

The value must be set according to the device configuration.

Views

User view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To view information about attack sources in a specified period, run the reset auto-defend attack-source trace-type command to clear existing information about attack sources and run the display auto-defend attack-source command.

Precautions

After the reset auto-defend attack-source trace-type command is run, information about attack sources is cleared and cannot be restored.

Example

# Clear the counter of traced packets sent from IP address 10.1.1.1.

<HUAWEI> reset auto-defend attack-source trace-type source-ip 10.1.1.1

reset cpu-defend statistics

Function

The reset cpu-defend statistics command clears statistics on packets sent to the CPU.

Format

  • Switches except for the CE6870EI and CE6880EI:

    reset cpu-defend statistics [ packet-type packet-type ] { all | slot slot-id }

  • CE6870EI and CE6880EI:

    reset cpu-defend statistics [ packet-type packet-type ] { all | slot slot-id }

    reset cpu-defend { blacklist | filter } statistics [ slot slot-id ]

Parameters

Parameter Description Value
packet-type packet-type

Specifies the protocol type of packets. packet-type specifies the packet type.

  • If packet-type packet-type is specified, the statistics on the specified type of protocol packets are cleared.
  • If packet-type packet-type is not specified, the statistics on all protocol packets are cleared.
The supported packet type depends on the device.
all

This parameter indicates all switches in a stack if stacking is enabled, or the switch itself if stacking is disabled.

-
slot slot-id

Specifies the stack ID of the device.

The value must be set according to the device configuration.
blacklist

Clears blacklist-based packet statistics.

-
filter

Clears filter-based packet statistics.

-

Views

User view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To view statistics on the packets sent to the CPU in a specified period, run the reset cpu-defend statistics command to clear existing statistics and run the display cpu-defend statistics command.

Precautions

The deleted packet statistics cannot be restored.

Example

# Clear statistics on BGP packets on the board in slot 1.

<HUAWEI> reset cpu-defend statistics packet-type bgp slot 1

snmp-agent trap enable feature-name securitytrap

Function

The snmp-agent trap enable feature-name securitytrap command enables the trap function for the attack source tracing module.

The undo snmp-agent trap enable feature-name securitytrap command disables the trap function for the attack source tracing module.

By default, the trap function is disabled for the attack source tracing module. Note that the example output of the display snmp-agent trap feature-name securitytrap all command shows a default switch status of on for all three traps, so check the actual default on your device with that command rather than relying on this statement.

Format

snmp-agent trap enable feature-name securitytrap [ trap-name { hwstrackifvlaninfo | hwstrackipinfo | hwstrackuserinfo } ]

undo snmp-agent trap enable feature-name securitytrap [ trap-name { hwstrackifvlaninfo | hwstrackipinfo | hwstrackuserinfo } ]

Parameters

Parameter Description Value
trap-name

Enables the trap function for the specified event.

-
hwstrackifvlaninfo

Enables the trap function for attack source tracing based on source interfaces and VLANs.

-
hwstrackipinfo

Enables the trap function for attack source tracing based on source IP addresses.

-
hwstrackuserinfo

Enables the trap function for attack source tracing based on source MAC addresses.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

You can run the snmp-agent trap enable feature-name securitytrap command to enable the trap function for the attack source tracing module.

Example

# Enable the trap function for attack source tracing based on source MAC addresses.

<HUAWEI> system-view
[~HUAWEI] snmp-agent trap enable feature-name securitytrap trap-name hwstrackuserinfo
Updated: 2019-03-21

Document ID: EDOC1000166501