No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Configuration Guide - Security

S1720, S2700, S5700, and S6720 V200R011C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, MPAC, separating the management plane from the service plane, security risks, PKI.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Setting the Rate Threshold for Port Attack Defense

Setting the Rate Threshold for Port Attack Defense

Context

After port attack defense is enabled on a port, the device calculates the rate of affected protocol packets received by the port. If the packet rate exceeds the threshold, the device considers that an attack occurs. Then the device traces the source and limits the rate of attack packets on the port, and records a log. The device moves the packets within the protocol rate limit to a low-priority queue waiting for CPU processing and discards the excess packets. (The protocol rate limit is the CPCAR in an attack defense policy. For description about CPCAR, see Configuring a Rule for Sending Packets to the CPU.)

You need to set an appropriate rate threshold for port attack defense according to service requirements. If the CPU fails to process many protocol packets promptly after port attack defense is enabled, set a large packet rate threshold. If the CPU is busy processing the packets of a protocol, set a small rate threshold for this protocol to avoid impact on other services.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run cpu-defend policy policy-name

    The attack defense policy view is displayed.

  3. Run auto-port-defend protocol { all | arp-request | arp-reply | dhcp | icmp | igmp | ip-fragment } threshold threshold

    The protocol rate threshold for port attack defense is set.

    The following table lists the default protocol rate thresholds for different protocols.

    Packet Type

    Rate Threshold

    arp-request

    60 pps for the S5720EI, S6720S-EI, and S6720EI, 120 pps for the S5720HI, and 30 pps for other switch models

    arp-reply

    60 pps for the S5720EI, S6720S-EI, and S6720EI, 120 pps for the S5720HI, and 30 pps for other switch models

    dhcp

    60 pps for the S5720EI, S6720S-EI, and S6720EI, 120 pps for the S5720HI, and 30 pps for other switch models

    icmp

    120 pps for the S5720HI and 60 pps for other switch models

    igmp

    120 pps for the S5720HI and 60 pps for other switch models

    ip-fragment

    30 pps

Translation
Download
Updated: 2019-09-23

Document ID: EDOC1000178177

Views: 232254

Downloads: 747

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next