NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring VLAN CAR

When an access device is under attack, you can configure VLAN CAR to restrict the rate at which specific packets are sent to the CPU to protect the CPU against attacks.

Usage Scenario

When an access device is under attack, you can configure port+VLAN-based CAR to restrict the rate at which packets are sent to the CPU to protect the CPU against attacks.

Prerequisites

None

Procedure

  1. Run the system-view command to enter the system view.
  2. Run the interface interface-type interface-number command to enter the interface view.
  3. Perform one of the following operations as required:

    • On an Ethernet interface, Ethernet sub-interface, GE interface, GE sub-interface, Eth-Trunk interface, Eth-Trunk sub-interface, POS interface, IP-Trunk interface, or EVC sub-interface on which packets are encapsulated in untag or default mode, run the cp-rate-limit { port | { dhcp | dhcpv6 | icmp | icmpv6 }* } cir cir-value [ cbs cbs-value ] command to set the rate at which ICMP/DHCP/DHCPv6/ICMPv6 packets are sent to the CPU.

    • On a sub-interface for dot1q VLAN tag termination, or an EVC sub-interface on which packets are encapsulated in dot1q, untag, or default mode, run the cp-rate-limit { port | { dhcp | dhcpv6 | icmp | icmpv6 } } vlan vlan-id-begin [ to vlan-id-end ] cir cir-value [ cbs cbs-value ] command to set the rate at which ICMP/DHCP/DHCPv6/ICMPv6 packets are sent to the CPU.

    • On a sub-interface for QinQ VLAN tag termination, or an EVC sub-interface on which packets are encapsulated in QinQ, untag, or default mode, run the cp-rate-limit { port | { dhcp | dhcpv6 | icmp | icmpv6 } } pe-vid pe-vid ce-vid ce-vid-begin [ to ce-vid-end ] cir-value [ cbs cbs-value ] command to set the rate at which ICMP/DHCP/DHCPv6/ICMPv6 packets are sent to the CPU.

Checking the Configurations

After configuring VLAN CAR, check the configurations.

Run the display cp-rate-limit command to check statistics about all protocol packets or specific protocol packets that attack an interface.

<HUAWEI> display cp-rate-limit port slot 1 verbose
[Slot 1]
Interface:               GigabitEthernet0/1/1.1
PeVid(Vid):              100
CeVid:                   200
ProtocolType:            Port
PassBytes(byte):         1391816
PassByteRate(kbps):      200
DropBytes(byte):         5827014740
DropByteRate(kbps):      838529
PassPackets(packet):     13384
PassPacketRate(pps):     240
DropPackets(packet):     56028990
DropPacketRate(pps):     1007848
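
The verbose output above can be checked automatically to find the interface and VLAN pair that VLAN CAR is actively limiting. The following is an added example, not part of the Huawei guide: it parses the sample output shown above and reports entries whose drop ratio and drop rate exceed thresholds. The function names, the thresholds, and the assumption that each entry begins with an Interface line are illustrative.

```python
import re

# Sample output copied from the display command example above.
SAMPLE = """\
[Slot 1]
Interface:               GigabitEthernet0/1/1.1
PeVid(Vid):              100
CeVid:                   200
ProtocolType:            Port
PassBytes(byte):         1391816
PassByteRate(kbps):      200
DropBytes(byte):         5827014740
DropByteRate(kbps):      838529
PassPackets(packet):     13384
PassPacketRate(pps):     240
DropPackets(packet):     56028990
DropPacketRate(pps):     1007848
"""
FIELD = re.compile(r"^(\w+)(?:\([^)]*\))?:\s+(\S+)\s*$")

def parse_cp_rate_limit(text):
    """One dict per entry (assumes each entry starts with an Interface line)."""
    records, slot = [], None
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r"\[Slot (\d+)\]", line)
        if m:
            slot = int(m.group(1))
            continue
        m = FIELD.match(line)
        if not m:
            continue  # prompt, blank or unrecognised line
        key, value = m.groups()
        if key == "Interface":
            records.append({"Slot": slot})
        if records:
            records[-1][key] = int(value) if value.isdigit() else value
    return records

# Thresholds are illustrative assumptions, not vendor defaults.
def flag_limited(records, min_drop_ratio=0.5, min_drop_pps=1000):
    """Return (interface, drop_ratio) where CAR drops most CPU-bound packets."""
    hits = []
    for r in records:
        dropped = r.get("DropPackets", 0)
        total = r.get("PassPackets", 0) + dropped
        ratio = dropped / total if total else 0.0
        if ratio >= min_drop_ratio and r.get("DropPacketRate", 0) >= min_drop_pps:
            hits.append((r["Interface"], round(ratio, 4)))
    return hits
```

For the sample above, flag_limited(parse_cp_rate_limit(SAMPLE)) reports GigabitEthernet0/1/1.1, where nearly all packets destined for the CPU are being dropped by the configured limit.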
Updated: 2019-01-02

Document ID: EDOC1100055397