NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01
Configuring the CAR

This section describes how to configure the CAR.

Usage Scenario

When a large number of users access the router, a lot of packets need be sent to the CPU for processing. In such a case, the router is prone to be attacked. To protect the router from being attacked, you need to configure the CAR on the router.

This feature is supported only on the Admin-VS.

Pre-configuration Tasks

Before configuring the CAR, connect the interfaces, set their physical parameters, and ensure that their physical layer status is Up.

Configuration Procedure

Figure 8-3 Flowchart for configuring CAR

Creating an Attack Defense Policy

All local attack defense features must be added to an attack defense policy. These features take effect after the attack defense policy is applied to the interface board.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run cpu-defend policy policy-number

    An attack defense policy is created.

  3. (Optional) Run description text

    The description of the attack defense policy is configured.

  4. Run commit

    The configuration is committed.

Follow-up Procedure

You must run the cpu-defend-policy command on the interface board to apply the attack defense policy to the interface board. In this manner, the configured attack defense policy can take effect.

Configuring a Whitelist

This section describes how to configure a whitelist. Secure packets that match ACL rules can be added to the whitelist and then provided with higher bandwidth.

Prerequisites

The ACL bound to the whitelist must be a configured one. You cannot bind a non-existing ACL to the whitelist. When the ACL is bound to the whitelist, all the packets that match the ACL rules are added to the whitelist automatically. The whitelist function must be enabled. Otherwise, the self-defined whitelist does not take effect although you can configure a self-defined whitelist.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run cpu-defend policy policy-number

    The attack defense policy view is displayed.

  3. Run whitelist [ ipv6 ] acl acl-number

    The whitelist is configured.

    The packets generated by Active Link Protection (ALP) are dynamically added to the whitelist.

    A self-defined whitelist can be bound to only one ACL. If you bind a self-defined whitelist to several ACLs, only the latest configuration takes effect. An address or port pool can be specified in an ACL rule, and the ACL rule can be delivered.

    NOTE:
    • The address pool function can be delivered in the attack defense policy only when the cp-acl ip-pool enable command is configured.
    • The vpn-instance field in an ACL configured in an attack defense policy can be delivered and takes effect only when the cp-acl vpn-instance enable command is configured.
    • The ports in the port pool specified in a delivered ACL take effect based on the configuration order instead of the lexicographical order.
    • If the ACL rule in which both a port pool and a TTL range are specified is delivered, the TTL range does not take effect.
    • ACL rules with the neq parameter are not supported.
    • If the address pool function is not enabled, the ACL rule in which both address and port pools are specified cannot be delivered.

  4. Optional: Run ipv6-enhance acl enable

    Some IPv6 packets to be sent to the CPU are matched against the ACL that contains a blacklist, whitelist, or user-defined flow.

  5. Optional: Run cp-acl ip-pool enable

    The address pool function is enabled for an attack defense policy.

    NOTE:
    Before enabling the address pool function for an attack defense policy, configure an address pool and bind the address pool to an ACL rule.

  6. Optional: Run cp-acl vpn-instance enable

    The VPN field in the attack defense policy is configured to take effect.

  7. Optional: Run acl ipv4-multicast-fib-miss enable

    Enable IPv4 MFIB-MISS packets to match against ACLs in the blacklist, whitelist, or user-defined flow.

  8. Optional: Run acl dhcp-discover disable

    Disable DHCP-DISCOVER packets to match against ACLs in the blacklist, whitelist, or user-defined flow.

  9. Run commit

    The configuration is committed.

Configuring a Blacklist

This section describes how to configure a blacklist. Insecure packets that match ACL rules can be added to the blacklist and then provided with lower bandwidth.

Prerequisites

The ACL bound to the blacklist must be a configured one. You cannot bind a non-existing ACL to the blacklist. When the ACL is bound to the blacklist, all the packets that match the ACL rules are added to the blacklist automatically. The blacklist function must be enabled. Otherwise, the self-defined blacklist does not take effect although you can configure a self-defined blacklist.

Context

If you determine that certain packets must not be sent to the CPU or are invalid, you can add them to the blacklist by setting ACL rules, so that these packets are discarded. All the entries in the blacklist must be configured manually. There is no default entry in the blacklist.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run cpu-defend policy policy-number

    The attack defense policy view is displayed.

  3. Run blacklist [ ipv6 ] acl acl-number

    A self-defined blacklist is created.

    A self-defined blacklist can be bound to only one ACL. If you bind a self-defined blacklist to several ACLs, only the latest configuration takes effect. An address or port pool can be specified in an ACL rule, and the ACL rule can be delivered.

    NOTE:
    • The address pool function can be delivered in the attack defense policy only when the cp-acl ip-pool enable command is configured.
    • The vpn-instance field in an ACL configured in an attack defense policy can be delivered and takes effect only when the cp-acl vpn-instance enable command is configured.
    • The ports in the port pool specified in a delivered ACL take effect based on the configuration order instead of the lexicographical order.
    • If the ACL rule in which both a port pool and a TTL range are specified is delivered, the TTL range does not take effect.
    • ACL rules with the neq parameter are not supported.
    • If the address pool function is not enabled, the ACL rule in which both address and port pools are specified cannot be delivered.

  4. Optional: Run ipv6-enhance acl enable

    Some IPv6 packets to be sent to the CPU are matched against the ACL that contains a blacklist, whitelist, or user-defined flow.

  5. Optional: Run cp-acl ip-pool enable

    The address pool function is enabled for an attack defense policy.

    NOTE:
    Before enabling the address pool function for an attack defense policy, configure an address pool and bind the address pool to an ACL rule.

  6. Optional: Run cp-acl vpn-instance enable

    The VPN field in the attack defense policy is configured to take effect.

  7. Optional: Run acl ipv4-multicast-fib-miss enable

    Enable IPv4 MFIB-MISS packets to match against ACLs in the blacklist, whitelist, or user-defined flow.

  8. Optional: Run acl dhcp-discover disable

    Disable DHCP-DISCOVER packets to match against ACLs in the blacklist, whitelist, or user-defined flow.

  9. Run commit

    The configuration is committed.

Configuring User-Defined Flow Rules

This section describes how to configure user-defined flows. You can perform traffic policing on a specified type of traffic by matching it against ACL rules.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run cpu-defend policy policy-number

    The attack defense policy view is displayed.

  3. Run user-defined-flow flow-id acl acl-number [ prior ]

    Or run user-defined-flow flow-id ipv6 acl acl-number

    A user-defined flow is configured. An address or port pool can be specified in an ACL rule, and the ACL rule can be delivered.

    NOTE:
    • The address pool function can be delivered in the attack defense policy only when the cp-acl ip-pool enable command is configured.
    • The vpn-instance field in an ACL configured in an attack defense policy can be delivered and takes effect only when the cp-acl vpn-instance enable command is configured.
    • The ports in the port pool specified in a delivered ACL take effect based on the configuration order instead of the lexicographical order.
    • If the ACL rule in which both a port pool and a TTL range are specified is delivered, the TTL range does not take effect.
    • ACL rules with the neq parameter are not supported.
    • If the address pool function is not enabled, the ACL rule in which both address and port pools are specified cannot be delivered.

  4. Optional: Run ipv6-enhance acl enable

    Some IPv6 packets to be sent to the CPU are matched against the ACL that contains a blacklist, whitelist, or user-defined flow.

  5. Optional: Run cp-acl ip-pool enable

    The address pool function is enabled for an attack defense policy.

    NOTE:
    Before enabling the address pool function for an attack defense policy, configure an address pool and bind the address pool to an ACL rule.

  6. Optional: Run cp-acl vpn-instance enable

    The VPN field in the attack defense policy is configured to take effect.

  7. Optional: Run acl ipv4-multicast-fib-miss enable

    Enable IPv4 MFIB-MISS packets to match against ACLs in the blacklist, whitelist, or user-defined flow.

  8. Optional: Run acl dhcp-discover disable

    Disable DHCP-DISCOVER packets to match against ACLs in the blacklist, whitelist, or user-defined flow.

  9. Run commit

    The configuration is committed.

Configuring the Packet Matching Order

After the packets to be sent to the CPU pass the GTSM check, set the matching sequence of packets: TCPSYN packets, packet fragments, dynamic link protection, whitelist, blacklist, and user-defined flow.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run cpu-defend policy policy-number

    The attack defense policy view is displayed.

  3. Run process-sequence { fragment-flood | tcpsyn-flood | dynamic-link-protection | whitelist | blacklist | user-defined-flow | management-acl } * or process-sequence { whitelist | blacklist | user-defined-flow } *

    The matching sequence of packets to be sent to the CPU is set: TCPSYN packets, packet fragments, dynamic link protection, management protocol ACL, whitelist, blacklist, and user-defined flow.

    NOTE:

    At least one of the parameters in the command must be specified. Specify them in the order in which the packets are to be matched.

  4. Run commit

    The configuration is committed.

Configuring the CAR

This section describes how to configure the CAR. Traffic policing prevents packets sent to the CPU from driving up CPU usage and affecting normal services.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run cpu-defend policy policy-number

    The attack defense policy view is displayed.

  3. Run car { protocol-name | index index | whitelist | whitelist-v6 | blacklist | tcpsyn | fragment | user-defined-flow flow-id } { cir cir-value | cbs cbs-value | min-packet-length min-packet-length-value } *

    The packet CAR is set.

  4. Run car total-packet { high | low | middle | total-packet-rate }

    The rate of sending packets to the CPU is set.

  5. Run commit

    The configuration is committed.

Configuring the Packet Sending Priority

This section describes how to prioritize packets to be sent to the CPU. Sending higher-priority packets preferentially can protect the CPU when the queues are full of packets to be sent to the CPU.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run cpu-defend policy policy-number

    The attack defense policy view is displayed.

  3. Run priority { protocol-name | index index | whitelist | whitelist-v6 | blacklist | tcpsyn | fragment | user-defined-flow flow-id } { high | middle | low | be | af1 | af2 | af3 | af4 | ef | cs6 }

    The packet sending priority is set.

  4. Run commit

    The configuration is committed.

(Optional) Configuring TM Three-Level Scheduling for Upstream Packets

After you deploy traffic management (TM) three-level scheduling on the TM module to implement traffic policing, the device limits the rate at which host packets are sent to the CPU. The deployment protects the device against attacks and ensures system stability.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run cpu-defend policy policy-number

    The attack defense policy view is displayed.

  3. Run protocol-group scheduling enable

    TM three-level scheduling is enabled.

  4. Run commit

    The configuration is committed.

Configuring the Bandwidth and Weight of the Packets to Be Sent to the CPU in Protocol Groups

When a large number of packets are sent to the CPU, you can configure the CIR, PIR, and weight of the packets to be sent to the CPU in protocol groups to allow the packets in specific protocol groups to be rapidly processed.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run cpu-defend policy policy-number

    The attack defense policy view is displayed.

  3. Run protocol-group { whitelist | user-defined-flow | management | route-protocol | multicast | arp | mpls | access-user | link-layer | network-layer } { cir cir-value | pir pir-value | weight weight-value } *

    The CIR, PIR, and weight of the packets to be sent to the CPU in specific protocol groups are set.

  4. Run commit

    The configuration is committed.

Applying the Attack Defense Policy

The configured attack defense policy takes effect only after being applied to the interface board.

Context

The NE20E defines a default attack defense policy. This policy cannot be modified or deleted. When the NE20E starts, this policy is automatically applied to the interface board. Configurations in the policy are default configurations of each feature. To apply a specified attack defense policy to the interface board, you need to run the cpu-defend-policy policy-number command on the interface board to bind the policy to be applied to the interface board. If the cpu-defend-policy policy-number command is not used, the default attack defense policy is applied to the interface board.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run slot slot-id

    The slot view is displayed.

  3. Run cpu-defend-policy policy-number

    The attack defense policy is applied to the interface board.

    You must apply the attack defense policy to the interface board; otherwise, the policy does not take effect.

    The attack defense policy specified by policy-number must be a configured one. Otherwise, the policy cannot be applied.

  4. Run commit

    The configuration is committed.
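As an added example that is not part of the Huawei guide, the procedures above are assembled into one configuration session for attack defense policy 8, applied to the interface board in slot 1 (the same policy number and slot used in the verification section). It assumes that ACL 2001 (trusted sources to whitelist), ACL 2002 (sources to blacklist) and ACL 3001 (one traffic type to police as user-defined flow 1) already exist, as the prerequisites require; the CIR, CBS, priority and protocol-group values are the ones shown in the display output of the verification section, and the prompts are illustrative.

```text
<HUAWEI> system-view
[~HUAWEI] cpu-defend policy 8
[*HUAWEI-cpu-defend-policy-8] description protect-CPU-on-slot-1
[*HUAWEI-cpu-defend-policy-8] whitelist acl 2001
[*HUAWEI-cpu-defend-policy-8] blacklist acl 2002
[*HUAWEI-cpu-defend-policy-8] user-defined-flow 1 acl 3001
[*HUAWEI-cpu-defend-policy-8] process-sequence tcpsyn-flood fragment-flood dynamic-link-protection management-acl whitelist blacklist user-defined-flow
[*HUAWEI-cpu-defend-policy-8] car whitelist cir 4000 cbs 40000 min-packet-length 128
[*HUAWEI-cpu-defend-policy-8] car blacklist cir 1 cbs 1000 min-packet-length 128
[*HUAWEI-cpu-defend-policy-8] car user-defined-flow 1 cir 2000 cbs 20000 min-packet-length 128
[*HUAWEI-cpu-defend-policy-8] car tcpsyn cir 1500 cbs 15000
[*HUAWEI-cpu-defend-policy-8] car fragment cir 3000 cbs 30000
[*HUAWEI-cpu-defend-policy-8] car arp cir 32
[*HUAWEI-cpu-defend-policy-8] car isis min-packet-length 512
[*HUAWEI-cpu-defend-policy-8] car total-packet high
[*HUAWEI-cpu-defend-policy-8] priority whitelist middle
[*HUAWEI-cpu-defend-policy-8] priority blacklist low
[*HUAWEI-cpu-defend-policy-8] protocol-group scheduling enable
[*HUAWEI-cpu-defend-policy-8] protocol-group whitelist cir 512 pir 512 weight 50
[*HUAWEI-cpu-defend-policy-8] protocol-group management cir 256 pir 256 weight 30
[*HUAWEI-cpu-defend-policy-8] protocol-group route-protocol cir 128 pir 512 weight 20
[*HUAWEI-cpu-defend-policy-8] commit
[~HUAWEI-cpu-defend-policy-8] quit
[~HUAWEI] slot 1
[~HUAWEI-slot-1] cpu-defend-policy 8
[*HUAWEI-slot-1] commit
[~HUAWEI-slot-1] quit
[~HUAWEI] display cpu-defend policy 8
[~HUAWEI] display cpu-defend car blacklist statistics slot 1
[~HUAWEI] display cpu-defend protocol-group all statistics slot 1
```

The policy does nothing until the cpu-defend-policy command binds it in the slot view, so the three display commands at the end are the check that it is in effect; note in the blacklist statistics that the CBS actually programmed into the NP (960 bytes) differs from the configured 1000 bytes, so read the "Actual" columns rather than assuming the configured values.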

Verifying the CAR Configuration

By running display commands, you can view the configured CAR functions.

Procedure

  1. Run the display cpu-defend policy policy-number command to check the rules for filtering the packets to be sent to the CPU.
  2. Run the display cpu-defend { all | application-apperceive | tcpip-defend | total-packet | urpf } statistics [ slot slot-id ] command to check statistics about the packets that are discarded because of the CAR.
  3. Run the display cpu-defend protocol-group { whitelist | user-defined-flow | management | route-protocol | multicast | arp | mpls | access-user | link-layer | network-layer | all } configuration slot slot-id command to check the bandwidth and weight of the packets to be sent to the CPU in protocol groups.
  4. Run the display cpu-defend protocol-group { whitelist | user-defined-flow | management | route-protocol | multicast | arp | mpls | access-user | link-layer | network-layer | all } statistics slot slot-id command to check statistics about the packets to be sent to the CPU in protocol groups.

Example

After the configuration, you can run the display cpu-defend policy policy-number command to view the rules for filtering the packets to be sent to the CPU.

For example, you can run the display cpu-defend policy 8 command to view the filtering rules of policy 8.

<HUAWEI> display cpu-defend policy 8
 Number : 8                                                                     
 Description :                                                                  
 Related slot : <1>                                                             
 Configuration :                                                                
                                                                                
 Whitelist Configuration :                                                      
 Whitelist enable : open                                                        
 Whitelist ACL number : 0                                                       
 Whitelist : CIR(4000)    CBS(40000)  Min-packet-length(128)                    
 Whitelist priority : middle                                                    
 Whitelist alarm enable : close                                                 
 Whitelist alarm : threshold(1000000) interval(3600) speed-threshold(300)       
 Whitelist IPV6 ACL number : 0
 Whitelist IPV6 : CIR(4000)    CBS(600000)  Min-packet-length(128)        
 Whitelist IPV6 priority : default
 Whitelist IPV6 alarm enable : open 
 Whitelist IPV6 alarm : threshold(30000) interval(600) speed-threshold(300) 
 Blacklist Configuration :                                                      
 Blacklist enable : open                                                        
 Blacklist ACL number : 0                                                       
 Blacklist IPV6 ACL number : 0
 Blacklist : CIR(1)       CBS(1000)   Min-packet-length(128)                    
 Blacklist priority : middle                                                    
 Blacklist alarm enable : close                                                 
 Blacklist alarm : threshold(1000000) interval(3600)                            
                                                                                
 ARP Configuration :                                                            
 Outbound ARP check enable : open                                               
                                                                                
 Total packet Configuration :                                                   
 Total packet car speed : high                                                  
 Total packet alarm enable : close                                              
 Total packet alarm : threshold(1000000) interval(3600)                         
 Process-sequence : tcpsyn-flood fragment-flood dynamic-link-protection management-acl whitelist blacklist user-defined-flow                       
                                                                                
 Dynamic link protection Configuration : 
 Dynamic link protection enable : open

 Application apperceive Configuration :                                         
 Application apperceive enable : open                                           
 Default Action: Min-to-cp                                                      
 Application apperceive alarm enable : open                                     
 Application apperceive alarm : threshold(1000000) interval(3600) speed-threshold(300)  
                                                                                
 MA-Defend Configuration :                                                      
 MA-Defend alarm enable : open                                                  
 MA-Defend alarm : threshold(1000000) interval(3600)                            
                                                                                
 Source Trace Data Configuration :                                              
 Source Trace enable : open                                                     
 Source Trace Type enable :                                                     
 car: open                                                                      
 urpf: open   
 tcpip-defend: open                                                             
 ma-defend: open                                                                
 application-apperceive: open                                                   
 totalcar: open 
 Source Trace Sample : 100                                                      
 Source Trace IPv4 Packet Length : 64                                               
 Source Trace IPv6 Packet Length : 96
                                                                                
 URPF Configuration :
 URPF model : close
 allow default route: close 
 URPF alarm enable : open   
 URPF alarm : threshold(30000) interval(600) speed-threshold(300)

 TCPIP-Defend Configuration : 
 Abnormal Packet Defend : open                                                  
 Udp Packet Defend : open                                                       
 Tcpsyn Flood Defend : open                                                     
 Tcpsyn : CIR(1500)    CBS(15000)  Min-packet-length(128)                       
 Tcpsyn priority : middle                                                       
 fragment-flood Defend : open                                                   
 Ip fragment : CIR(3000)    CBS(30000)  Min-packet-length(128)                  
 Ip fragment priority : middle                                                  
 TCPIP alarm enable : open                                                      
 TCPIP alarm : threshold(1000000) interval(3600) speed-threshold(300)           
                                                                                
 User-defined-flow Configuration :                                             
 User-defined-flow's alarm default configuration :                                  
 alarm enable : open, alarm value : threshold(30000) interval(600) speed-threshold(300) 
 User-defined-flow  1 : CIR(2000)    CBS(20000)  Min-packet-length(128)       
 User-defined-flow  2 : CIR(2000)    CBS(20000)  Min-packet-length(128)         
 User-defined-flow  3 : CIR(2000)    CBS(20000)  Min-packet-length(128)         
 User-defined-flow  4 : CIR(2000)    CBS(20000)  Min-packet-length(128)         
 User-defined-flow  5 : CIR(2000)    CBS(20000)  Min-packet-length(128)      
 User-defined-flow  6 : CIR(2000)    CBS(20000)  Min-packet-length(128)         
 User-defined-flow  7 : CIR(2000)    CBS(20000)  Min-packet-length(128)         
 User-defined-flow  8 : CIR(2000)    CBS(20000)  Min-packet-length(128)         
 User-defined-flow  9 : CIR(2000)    CBS(20000)  Min-packet-length(128)         
 User-defined-flow 10 : CIR(2000)    CBS(20000)  Min-packet-length(128)         
 User-defined-flow 11 : CIR(2000)    CBS(20000)  Min-packet-length(128)       
 User-defined-flow 12 : CIR(2000)    CBS(20000)  Min-packet-length(128)        
 User-defined-flow 13 : CIR(2000)    CBS(20000)  Min-packet-length(128)         
 User-defined-flow 14 : CIR(2000)    CBS(20000)  Min-packet-length(128)      
 User-defined-flow 15 : CIR(2000)    CBS(20000)  Min-packet-length(128)      
 User-defined-flow 16 : CIR(2000)    CBS(20000)  Min-packet-length(128)     
 User-defined-flow 17 : CIR(2000)    CBS(20000)  Min-packet-length(128)      
 User-defined-flow 18 : CIR(2000)    CBS(20000)  Min-packet-length(128)   
 User-defined-flow 19 : CIR(2000)    CBS(20000)  Min-packet-length(128)       
 User-defined-flow 20 : CIR(2000)    CBS(20000)  Min-packet-length(128)          
 User-defined-flow 21 : CIR(2000)    CBS(20000)  Min-packet-length(128)          
 User-defined-flow 22 : CIR(2000)    CBS(20000)  Min-packet-length(128)          
 User-defined-flow 23 : CIR(2000)    CBS(20000)  Min-packet-length(128)      
 User-defined-flow 24 : CIR(2000)    CBS(20000)  Min-packet-length(128)          
 User-defined-flow 25 : CIR(2000)    CBS(20000)  Min-packet-length(128)   
 User-defined-flow 26 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 27 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 28 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 29 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 30 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 31 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 32 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 33 : CIR(2000)    CBS(20000)  Min-packet-length(128)         
 User-defined-flow 34 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 35 : CIR(2000)    CBS(20000)  Min-packet-length(128)  
 User-defined-flow 36 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 37 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 38 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 39 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 40 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 41 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 42 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 43 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 44 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 45 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 46 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 47 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 48 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 49 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 50 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 51 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 52 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 53 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 54 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 55 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 56 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 57 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 58 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 59 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 60 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 61 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 62 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 63 : CIR(2000)    CBS(20000)  Min-packet-length(128)
 User-defined-flow 64 : CIR(2000)    CBS(20000)  Min-packet-length(128)

 Car Configuration :
 All the supported cpcar's alarm default configuration :
 alarm enable : open, alarm value : threshold(30000) interval(600) speed-threshold(300)
 Car isis: Min-packet-length(512)
 Car arp: CIR(32) 


 Enhance Configuration :
 IPv6 enhance acl enable : close

 Ttl-expired-loop Configuration :                                              
 Ttl-expired-loop alarm enable : open                                          
 Ttl-expired-loop alarm : threshold(10) interval(60)                           

 Acl Enable Configuration :                                                    
 Acl ipv4-multicast-fib-miss enable : close                                    

 Cp-Acl-IP-Pool Configuration :                                                
 Cp-acl ip-pool enable : close                                                

 Management-Acl Configuration : 
 Management acl enable : open

After the configuration, you can run the display cpu-defend car { blacklist | index index | protocol | user-defined-flow flow-id | whitelist-v6 | whitelist } statistics [ slot slot-id ] command, or the display cpu-defend car whitelist { bgp | ldp | ospf | radius } statistics [ slot slot-id ] command to view statistics about the packets that are discarded because of the CAR.

For example, you can run the display cpu-defend car blacklist statistics slot 1 command to view statistics about the packets that are discarded by the blacklist on interface board 1.
<HUAWEI> display cpu-defend car blacklist statistics slot 1
 Slot               : 1
 Application switch : Open
 Default Action     : Min-to-cp
--------------------------------------------
 Blacklist
 Protocol switch: N/A
 Packet information:
  Passed packet(s)  : 0
  Dropped packet(s) : 0
  Peak drop rate    : 1075395    pps     2014-07-08 19:49:47
   Last drop rate    : 1008235    pps     2014-07-08 19:51:47
 Configuration information:
  Configged CIR : 1         kbps       Actual CIR in NP : 0         kbps
  Configged CBS : 1000      bytes      Actual CBS in NP : 960       bytes
  Priority : low
  Min-packet-length : 128

After the configuration, you can run the display cpu-defend protocol-group { whitelist | user-defined-flow | management | route-protocol | multicast | arp | mpls | access-user | link-layer | network-layer | all } configuration slot slot-id command to view the bandwidth and weight of the packets to be sent to the CPU in protocol groups.

For example, you can run the display cpu-defend protocol-group all configuration slot 1 command to view the bandwidth and weight of the packets to be sent to the CPU in all protocol groups on the interface board in slot 1.

<HUAWEI> display cpu-defend protocol-group all configuration slot 1
Slot  : 1
C:Configured information
D:Default information
---------------------------------------------------------------------
Protocol-group   Cir(C/D)       Pir(C/D)     Weight(C/D)                
                 (Unit:kbit/s)   (Unit:kbit/s)  
---------------------------------------------------------------------
whitelist         512/1024         512/1024       50/90
management        256/512          256/512        30/5
route-protocol    128/256          512/1024       20/5
---------------------------------------------------------------------

After the configuration, you can run the display cpu-defend protocol-group { whitelist | user-defined-flow | management | route-protocol | multicast | arp | mpls | access-user | link-layer | network-layer | all } statistics slot slot-id command to view statistics about the packets to be sent to the CPU in protocol groups.

For example, you can run the display cpu-defend protocol-group all statistics slot 1 command to view statistics about the packets to be sent to the CPU in all protocol groups on the interface board in slot 1.
<HUAWEI> display cpu-defend protocol-group all statistics slot 1
Slot    : 1
------------------------------------------------------------
Protocol-group             Passed-Packets      Dropped-Packets
------------------------------------------------------------
whitelist                    2000                      100
management                   500                        0
Route-protocol               1000                       50
------------------------------------------------------------
Updated: 2019-01-02

Document ID: EDOC1100055397