S12700 V200R013C00 Command Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
Traffic Suppression and Storm Control Configuration Commands

Command Support

Commands provided in this section and all the parameters in the commands are supported by all switch models by default, unless otherwise specified. For details, see specific commands.

broadcast-suppression (interface view)

Function

The broadcast-suppression command sets the maximum traffic rate of broadcast packets that can pass through an interface.

The undo broadcast-suppression command restores the default maximum traffic rate of broadcast packets that can pass through an interface.

By default, the rate of broadcast packets is suppressed by bandwidth percentage, and the percentage rate limit is 10%.

Format

broadcast-suppression { percent-value | cir cir-value [ cbs cbs-value ] | packets packets-per-second }

undo broadcast-suppression

Parameters

Parameter

Description

Value

percent-value

Specifies the percentage of bandwidth occupied by broadcast packets on an interface.

If loopback detection is enabled on an interface, the interface rate is set by user. If loopback detection is not enabled on an interface, the interface rate is automatically negotiated. You can run the display this interface command in the interface view to check the interface rate (value of the Speed field).

The value is an integer. It ranges from 0 to 80 for 40GE interfaces and 0 to 100 for other types of interfaces.
NOTE:

When an interface is configured with an optical module, the value range is determined by the rate of the optical module. For example, when a 100GE interface is configured with a 40GE optical module, the value range is 0 to 80.

cir cir-value

Specifies the committed information rate (CIR), which is the allowed rate at which traffic can pass through.

The value is an integer, in kbit/s. The value range is as follows:
  • GE interface: 0 to 1000000
  • XGE interface: 0 to 10000000
  • 40GE interface: 0 to 33554431
  • 100GE interface: 0 to 100000000
  • Port group: 0 to 100000000
NOTE:

When an interface is configured with an optical module, the value range is determined by the rate of the optical module. For example, when an XGE interface is configured with a GE optical module, the value range is 0 to 1000000. Note that when a 100GE interface is configured with a 40GE optical module, the value range is 0 to 40000000.

cbs cbs-value

Specifies the committed burst size (CBS), which is the maximum size of traffic that can pass through.

The value is an integer that ranges from 10000 to 4294967295, in bytes. By default, the CBS value is 188 times the CIR value.

packets packets-per-second

Specifies the number of packets transmitted per second.

The value is an integer and the value range is as follows:
  • GE interface: 0 to 1488100
  • XGE interface: 0 to 14881000
  • 40GE interface: 0 to 59524000
  • 100GE interface: 0 to 148810000
  • Port group: 0 to 148810000
NOTE:
  • For X series cards, if the configured value is less than 24, traffic suppression is performed based on 24. If the configured value is greater than or equal to 24, traffic suppression is performed based on the configured value.
  • When an interface is configured with an optical module, the value range is determined by the rate of the optical module. For example, when an XGE interface is configured with a GE optical module, the value range is 0 to 1488100.

Views

40GE interface view, 100GE interface view, GE interface view, XGE interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Broadcast packets accumulating on the network occupy more and more network resources, which affects the normal operation of services on the network.

To prevent broadcast storms, you can use the broadcast-suppression command to set the threshold of broadcast traffic that an interface allows to pass through. When the broadcast traffic rate reaches the rate limit, the system discards excess broadcast packets to keep the traffic rate within a proper range.

Precautions

If the rate limit in bit/s is set for a type of packets on an interface, the rate limit in pps cannot be set for other types of packets on the same interface. In a similar manner, if the rate limit in pps is set for a type of packets on an interface, the rate limit in bit/s cannot be set for other types of packets on the same interface.

Setting the bandwidth percentage is the same as setting the rate limit in pps. Take an interface of 1 Gbit/s as an example. If the bandwidth percentage is set to 50%, the device converts the bandwidth percentage to rate limit in pps as follows: (1000 x (50/100) x 1000 x 1000)/(84 x 8). In the preceding formula, 84 is the average length of packets (including the 60-byte packet body, 20-byte frame spacing, and 4-byte check information), and 8 is the number of bits in a byte.

NOTE:

If a packet rate limit is configured for a type of packets on an interface, the percentage rate limit for other types of packets is converted into the packet rate limit.

Example

# Set the CIR of broadcast packets to 100 kbit/s and CBS to 18800 bytes on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] broadcast-suppression cir 100 cbs 18800

broadcast-suppression block outbound

Function

The broadcast-suppression block outbound command blocks outgoing broadcast packets on an interface.

The undo broadcast-suppression block outbound command unblocks outgoing broadcast packets on an interface.

By default, an interface does not block outgoing broadcast packets.

Format

broadcast-suppression block outbound

undo broadcast-suppression block outbound

Parameters

None

Views

GE interface view, XGE interface view, 40GE interface view, 100GE interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

After an interface receives a broadcast packet, it broadcasts the packet to all users in the same VLAN. This may cause an information leak. For example, if an unauthorized user is connected to an interface in a VLAN, the unauthorized user can obtain a host's address from broadcast packets and use the address to attack the host. To prevent such leaks, use the broadcast-suppression block outbound command to block outgoing broadcast packets on an interface if users connected to the interface do not need to receive broadcast packets. For example, if users on an interface seldom change and require high security, you can use this command on the interface.

Precautions

The broadcast-suppression block outbound command is applicable only to interfaces on which users do not need to receive broadcast packets. This command will affect network operations if it is used on an interface where users need to receive broadcast packets.

Traffic suppression can be configured for incoming and outgoing packets on an interface, and the configurations are independent of each other. On an interface, you can use the broadcast-suppression command to limit the rate of incoming broadcast packets and use the broadcast-suppression block outbound command to block outgoing broadcast packets.

Example

# Block outgoing broadcast packets on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] broadcast-suppression block outbound

broadcast-suppression (VLAN view)

Function

The broadcast-suppression command applies a QoS CAR profile to a VLAN to police the uplink broadcast traffic of the VLAN.

The undo broadcast-suppression command deletes the QoS CAR profile applied to a VLAN.

Format

broadcast-suppression car-name [ share ]

undo broadcast-suppression

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| car-name | Specifies the name of a QoS CAR profile. | The value is a string of 1 to 31 characters. |
| share | Implements QoS CAR for all the outgoing packets for which the same QoS CAR profile is configured in a VLAN. | - |

Views

VLAN view

Default Level

2: Configuration level

Usage Guidelines

Broadcast packets accumulating on the network occupy more and more network resources, which affects the normal operation of services on the network.

To limit the rate of outgoing packets in a VLAN, use the broadcast-suppression command.

Broadcast packets are the packets with the destination MAC address FFFF-FFFF-FFFF.

If QoS CAR is configured both on an interface and in a VLAN,
  • On X series cards, the actual rate limit is the smaller CIR between the CIR in QoS CAR configured on the interface and the CIR in QoS CAR configured in the VLAN.
  • On other cards, QoS CAR configured on the interface takes effect.

QoS CAR configured on an interface takes precedence over QoS CAR configured in a VLAN. If QoS CAR is configured on an interface and in a VLAN, QoS CAR configured on the interface is used.

Example

# Apply QoS CAR profile qoscar1 to outgoing broadcast packets in VLAN 2.
<HUAWEI> system-view
[HUAWEI] qos car qoscar1 cir 10000 cbs 10240
[HUAWEI] vlan 2
[HUAWEI-vlan2] broadcast-suppression qoscar1

display flow-suppression interface

Function

The display flow-suppression interface command displays the traffic suppression configuration on an interface.

Format

display flow-suppression interface interface-type interface-number

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| interface interface-type interface-number | Specifies the type and number of an interface. interface-type specifies the type of the interface. interface-number specifies the interface number. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

This command can display the traffic suppression for broadcast, unknown multicast, and unknown unicast packets on the interface, including rate limiting mode and rate limit value.

Example

# Display the traffic suppression configuration on GE1/0/1.

<HUAWEI> display flow-suppression interface gigabitethernet 1/0/1
 storm type         rate mode   set rate value
-------------------------------------------------------------------------------
 unknown-unicast    percent     percent: 90%
 multicast          percent     percent: 90%
 broadcast          bps         cir: 1000(kbit/s), cbs: 188000(byte)
-------------------------------------------------------------------------------

Table 14-47 Description of the display flow-suppression interface command output

Item

Description

storm type

Traffic type. Broadcast traffic, unknown multicast traffic, and unknown unicast traffic can be suppressed.

rate mode

Type of the rate limit.
  • bps: cir mode
  • pps: packet mode
  • percent: percentage mode

set rate value

Configured rate limit. The rate can be set by the following commands:

cir

Committed information rate.

cbs

Committed burst size.

display storm-control

Function

The display storm-control command displays information about storm control on an interface.

Format

display storm-control [ interface interface-type interface-number ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| interface interface-type interface-number | Specifies the type and number of an interface. interface-type specifies the type of the interface. interface-number specifies the interface number. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

This command can display the storm control for broadcast, unknown multicast, and unknown unicast packets on the interface, such as packet mode, storm control action, and packet status.

Example

# Display information about storm control on GE1/0/1.

<HUAWEI> display storm-control interface gigabitethernet 1/0/1
PortName     Type      Rate      Mode Action   Punish-  Trap Log Int Last-      
                       (Min/Max)               Status                Punish-Time
--------------------------------------------------------------------------------
GE1/0/1      Multicast 1000      Pps  Block    Normal   Off  On  90  -
                       /2000
GE1/0/1      Broadcast 1000      Pps  Block    Normal   Off  On  90  -
                       /2000
GE1/0/1      Unicast   1000      Pps  Block    Normal   Off  On  90  -
                       /2000

Table 14-48 Description of the display storm-control command output

Item

Description

PortName

Interface name.

Type

Packet type.

  • Broadcast packets
  • Unknown Multicast packets
  • Unknown Unicast packets

To configure the type of packets on which storm control is performed, run the storm-control command.

Rate

  • Min: lower rate threshold

  • Max: upper rate threshold

To configure the rates, run the storm-control command.

Mode

Storm control mode.

  • Kbps: CIR in kbit/s

  • Pps: packets in pps

  • %: percentage in %

To configure the storm control mode, run the storm-control command.

Action

Storm control action.
  • Block: blocks packets.
  • Err-down: shuts down the interface.
  • None: No action is configured.

To configure a storm control action, run the storm-control action command.

Punish-Status

Status of the interface.
  • Block: When the rate of receiving packets is greater than the value of MaxRate and the storm control action is block, the status of the interface is block.
  • Normal: Packets are normally forwarded.
  • Err-down: When the rate of receiving packets is greater than the value of MaxRate and the storm control action is error-down, the status of the interface is error-down.

Trap

Whether the alarm function for storm control is enabled.
  • on: The alarm function for storm control is enabled.
  • off: The alarm function for storm control is disabled.

To configure the alarm function for storm control, run the storm-control enable trap command.

Log

Whether the log function for storm control is enabled.
  • on: The log function for storm control is enabled.
  • off: The log function for storm control is disabled.

To configure the log function for storm control, run the storm-control enable log command.

Int

Interval for detecting storms, in seconds. The default value is 5.

Last-Punish-Time

Last time storm control was performed.
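
The table above is enough to audit storm control from collected CLI output. The following Python parser is an added example, not part of the Huawei documentation: it reads display storm-control output, rejoins the wrapped "/Max" half of the Rate column, and flags entries that would leave a storm unhandled or unrecorded. The GE1/0/2 and GE1/0/3 rows, the timestamp format and the function names are constructed for this example.

```python
# Constructed capture: the GE1/0/1 rows follow the sample output on this page;
# the GE1/0/2 and GE1/0/3 rows and the timestamp format are made up for the example.
SAMPLE = """\
PortName     Type      Rate      Mode Action   Punish-  Trap Log Int Last-
                       (Min/Max)               Status                Punish-Time
--------------------------------------------------------------------------------
GE1/0/1      Multicast 1000      Pps  Block    Normal   Off  On  90  -
                       /2000
GE1/0/1      Broadcast 1000      Pps  Block    Normal   Off  On  90  -
                       /2000
GE1/0/1      Unicast   1000      Pps  Block    Normal   Off  On  90  -
                       /2000
GE1/0/2      Broadcast 5000      Pps  None     Normal   Off  Off 5   -
                       /8000
GE1/0/3      Unicast   1000      Pps  Err-down Err-down On   On  5   2024-01-01 10:00:00
                       /2000
"""


def parse_storm_control(text):
    """Parse 'display storm-control' output into one dict per port and packet type."""
    records, in_body = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if not in_body:
            # Everything up to and including the dashed rule is header.
            in_body = stripped.startswith("-----")
            continue
        if not stripped:
            continue
        if stripped.startswith("/"):
            # Continuation line: the Max half of the wrapped Rate column.
            if records:
                records[-1]["max"] = int(stripped[1:])
            continue
        f = stripped.split()
        if len(f) < 10:
            continue  # not a data row
        low, _, high = f[2].partition("/")  # tolerate an unwrapped "min/max"
        records.append({
            "port": f[0], "type": f[1],
            "min": int(low), "max": int(high) if high else None,
            "mode": f[3], "action": f[4], "status": f[5],
            "trap": f[6].lower() == "on", "log": f[7].lower() == "on",
            "interval": int(f[8]),
            "last_punish": " ".join(f[9:]),  # a timestamp may contain a space
        })
    return records


def audit(records):
    """Return (entry, finding) pairs for settings a defender would review."""
    findings = []
    for r in records:
        tag = f"{r['port']} {r['type']}"
        if r["action"].lower() == "none":
            findings.append((tag, "no storm control action configured"))
        if not r["trap"] and not r["log"]:
            findings.append((tag, "trap and log are both off, so a storm leaves no record"))
        if r["status"].lower() != "normal":
            findings.append((tag, f"currently punished: {r['status']} since {r['last_punish']}"))
    return findings


if __name__ == "__main__":
    for tag, finding in audit(parse_storm_control(SAMPLE)):
        print(f"{tag}: {finding}")
```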

icmp rate-limit

Function

The icmp rate-limit command sets the rate threshold of ICMP packets.

The undo icmp rate-limit command restores the default rate threshold of ICMP packets.

By default, the global rate limit of ICMP packets is 256 pps and the rate limit of ICMP packets on an interface is 192 pps.

Format

icmp rate-limit { total | interface interface-type interface-number1 [ to interface-number2 ] } threshold threshold-value

undo icmp rate-limit { total | interface interface-type interface-number1 [ to interface-number2 ] }

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| total | Specifies the total rate threshold in the system. | - |
| interface interface-type interface-number1 to interface-number2 | Specifies the type and number of an interface. interface-type specifies the interface type. interface-number1 specifies the number of the first interface. to interface-number2 specifies the number of the last interface. The value of interface-number2 must be greater than the value of interface-number1. interface-number1 and interface-number2 specify the range of interfaces. | - |
| threshold threshold-value | Specifies the rate threshold of ICMP packets. | The value ranges from 0 to 1000, in pps. NOTE: The value 0 indicates that the rate of ICMP packets is not limited. |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Networks are often subject to ICMP packet attacks. If a switch receives a large number of broadcast ICMP request packets on user-side interfaces, these packets are sent to the switch CPU for processing. CPU usage then becomes high, which affects other services on the switch. You can use the icmp rate-limit command to protect the switch against such attacks.

After the rate limit function is configured for ICMP packets on an interface, the system automatically discards excess ICMP packets when the number of ICMP packets sent by an interface every second exceeds the rate threshold.

Precautions

Before setting the rate threshold of ICMP packets, use the icmp rate-limit enable command to enable the rate limit function for ICMP packets.

Example

# Set the rate threshold of ICMP packets on GE1/0/1 to GE1/0/5 to 20 pps.

<HUAWEI> system-view
[HUAWEI] icmp rate-limit interface gigabitethernet 1/0/1 to 1/0/5 threshold 20

icmp rate-limit enable

Function

The icmp rate-limit enable command enables the traffic suppression function for ICMP packets.

The undo icmp rate-limit enable command disables the traffic suppression function for ICMP packets.

By default, the traffic suppression function for ICMP packets is disabled.

Format

icmp rate-limit enable

undo icmp rate-limit enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Attackers may send a large number of ICMP packets to attack a network. If the device sends all the received ICMP packets to the CPU for processing, a large amount of CPU resources is consumed and other services may become abnormal. To prevent ICMP packet attacks, you can configure the device to suppress ICMP packets.

Before configuring traffic suppression for ICMP packets on an interface, run the undo icmp-reply fast command to disable the ICMP reply fast function.

Example

# Enable the traffic suppression function for ICMP packets.

<HUAWEI> system-view
[HUAWEI] icmp rate-limit enable

multicast-suppression (interface view)

Function

The multicast-suppression command sets the maximum traffic volume of unknown multicast packets that can pass through an interface.

The undo multicast-suppression command allows all unknown multicast packets to pass.

By default, unknown multicast packets are not suppressed.

Format

multicast-suppression { percent-value | cir cir-value [ cbs cbs-value ] | packets packets-per-second }

undo multicast-suppression

Parameters

Parameter

Description

Value

percent-value

Specifies the percentage of bandwidth occupied by broadcast packets on an interface.

If loopback detection is enabled on an interface, the interface rate is set by user. If loopback detection is not enabled on an interface, the interface rate is automatically negotiated. You can run the display this interface command in the interface view to check the interface rate (value of the Speed field).

The value is an integer. It ranges from 0 to 80 for 40GE interfaces and 0 to 100 for other types of interfaces.
NOTE:

When an interface is configured with an optical module, the value range is determined by the rate of the optical module. For example, when a 100GE interface is configured with a 40GE optical module, the value range is 0 to 80.

cir cir-value

Specifies the committed information rate (CIR), which is the allowed rate at which traffic can pass through.

The value is an integer, in kbit/s. The value range is as follows:
  • GE interface: 0 to 1000000
  • XGE interface: 0 to 10000000
  • 40GE interface: 0 to 33554431
  • 100GE interface: 0 to 100000000
  • Port group: 0 to 100000000
NOTE:

When an interface is configured with an optical module, the value range is determined by the rate of the optical module. For example, when an XGE interface is configured with a GE optical module, the value range is 0 to 1000000. Note that when a 100GE interface is configured with a 40GE optical module, the value range is 0 to 40000000.

cbs cbs-value

Specifies the committed burst size (CBS), which is the maximum size of traffic that can pass through.

The value is an integer that ranges from 10000 to 4294967295, in bytes. By default, the CBS value is 188 times the CIR value.

packets packets-per-second

Specifies the number of packets transmitted per second.

The value is an integer and the value range is as follows:
  • GE interface: 0 to 1488100
  • XGE interface: 0 to 14881000
  • 40GE interface: 0 to 59524000
  • 100GE interface: 0 to 148810000
  • Port group: 0 to 148810000
NOTE:
  • For X series cards, if the configured value is less than 24, traffic suppression is performed based on 24. If the configured value is greater than or equal to 24, traffic suppression is performed based on the configured value.
  • When an interface is configured with an optical module, the value range is determined by the rate of the optical module. For example, when an XGE interface is configured with a GE optical module, the value range is 0 to 1488100.

Views

40GE interface view, 100GE interface view, GE interface view, XGE interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When an increasing number of unknown multicast packets are transmitted on a network, more network resources are occupied and services are affected.

To prevent broadcast storms, you can use the multicast-suppression command to set the threshold of unknown multicast traffic that an interface allows to pass through. When the unknown multicast traffic volume exceeds the threshold, the system discards the excess unknown multicast packets to control the traffic volume of unknown multicast packets to a proper range.

Precautions

If the rate limit in bit/s is set for a type of packets on an interface, the rate limit in pps cannot be set for other types of packets on the same interface. In a similar manner, if the rate limit in pps is set for a type of packets on an interface, the rate limit in bit/s cannot be set for other types of packets on the same interface.

Setting the bandwidth percentage is the same as setting the rate limit in pps. Take an interface of 1 Gbit/s as an example. If the bandwidth percentage is set to 50%, the device converts the bandwidth percentage to rate limit in pps as follows: (1000 x (50/100) x 1000 x 1000)/(84 x 8). In the preceding formula, 84 is the average length of packets (including the 60-byte packet body, 20-byte frame spacing, and 4-byte check information), and 8 is the number of bits in a byte.

NOTE:

If a packet rate limit is configured for a type of packets on an interface, the percentage rate limit for other types of packets is converted into the packet rate limit.
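
The same ranges and precautions apply to broadcast-suppression and multicast-suppression in the interface view. The following Python linter is an added example, not part of the Huawei documentation: it checks a list of interface-view suppression lines against the value ranges, the bit/s versus pps restriction, the X series 24 pps floor and the default CBS of 188 times the CIR, and applies the page's percentage-to-pps formula. The nominal line rates, rounding the converted value down, and all function names are assumptions of this example.

```python
import re

# Upper bounds per interface type, copied from the parameter tables on this page.
# "mbps" (nominal line rate) is an assumption of this example; on a device, read
# the Speed field of "display this interface" instead.
LIMITS = {
    "GE":    {"percent": 100, "cir": 1_000_000,   "packets": 1_488_100,   "mbps": 1_000},
    "XGE":   {"percent": 100, "cir": 10_000_000,  "packets": 14_881_000,  "mbps": 10_000},
    "40GE":  {"percent": 80,  "cir": 33_554_431,  "packets": 59_524_000,  "mbps": 40_000},
    "100GE": {"percent": 100, "cir": 100_000_000, "packets": 148_810_000, "mbps": 100_000},
}
CBS_RANGE = (10_000, 4_294_967_295)  # bytes
FRAME_BITS = 84 * 8                  # 60-byte body + 20-byte spacing + 4-byte check

RULE_RE = re.compile(
    r"^(?P<kind>broadcast|multicast)-suppression\s+"
    r"(?:(?P<pct>\d+)|cir\s+(?P<cir>\d+)(?:\s+cbs\s+(?P<cbs>\d+))?|packets\s+(?P<pps>\d+))$"
)


def percent_to_pps(mbps, percent):
    """Page formula (mbps x (percent/100) x 1000 x 1000) / (84 x 8), rounded down."""
    return mbps * percent * 10_000 // FRAME_BITS


def lint(if_type, lines, x_series=False):
    """Return (rules, findings) for the suppression lines of one interface."""
    lim = LIMITS[if_type]
    rules, findings = {}, []
    for raw in lines:
        line = " ".join(raw.split())
        if line.endswith("-suppression block outbound"):
            continue  # outbound blocking is independent of the inbound rate limit
        m = RULE_RE.match(line)
        if not m:
            findings.append(f"unparsed line: {line!r}")
            continue
        kind = m["kind"]
        if m["pct"] is not None:
            value, top = int(m["pct"]), lim["percent"]
            rule = {"mode": "percent", "value": value,
                    "pps_equivalent": percent_to_pps(lim["mbps"], value)}
        elif m["cir"] is not None:
            value, top = int(m["cir"]), lim["cir"]
            cbs = int(m["cbs"]) if m["cbs"] else 188 * value  # default CBS = 188 x CIR
            rule = {"mode": "bps", "value": value, "cbs": cbs}
            if m["cbs"] and not CBS_RANGE[0] <= cbs <= CBS_RANGE[1]:
                findings.append(f"{kind}: cbs {cbs} outside {CBS_RANGE[0]}-{CBS_RANGE[1]} bytes")
        else:
            value, top = int(m["pps"]), lim["packets"]
            rule = {"mode": "pps", "value": value, "effective": value}
            if x_series and value < 24:
                rule["effective"] = 24
                findings.append(f"{kind}: {value} pps is enforced as 24 pps on X series cards")
        if value > top:
            findings.append(f"{kind}: {rule['mode']} value {value} exceeds {top} for {if_type}")
        rules[kind] = rule
    modes = {r["mode"] for r in rules.values()}
    if {"bps", "pps"} <= modes:
        findings.append("bit/s (cir) and pps (packets) limits cannot be combined on one interface")
    return rules, findings


if __name__ == "__main__":
    # Constructed interface configuration for illustration.
    sample = ["broadcast-suppression cir 100", "multicast-suppression packets 2000"]
    rules, findings = lint("GE", sample)
    print(rules)
    print(findings)
```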

Example

# Set the CIR of unknown multicast packets to 100 kbit/s and CBS to 18800 bytes on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] multicast-suppression cir 100 cbs 18800

multicast-suppression block outbound

Function

The multicast-suppression block outbound command configures an interface to block outgoing unknown multicast packets.

The undo multicast-suppression block outbound command cancels the configuration.

By default, outgoing unknown multicast packets are not blocked on an interface.

Format

multicast-suppression block outbound

undo multicast-suppression block outbound

Parameters

None

Views

GE interface view, XGE interface view, 40GE interface view, 100GE interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When an interface receives an unknown multicast packet, the interface broadcasts the packet to all users in the same VLAN. This may cause an information leak. For example, if an unauthorized user is connected to an interface in a VLAN, the unauthorized user can obtain the host address by listening to unknown multicast packets and use the host address to attack the host. To prevent such leaks, use the multicast-suppression block outbound command to block outgoing unknown multicast packets on an interface if users connected to the interface do not need to receive unknown multicast packets.

Precautions

The multicast-suppression block outbound command is applicable only to interfaces where users do not need to receive unknown multicast packets. This command will affect network operations if it is used on an interface where users need to receive unknown multicast packets.

Traffic suppression can be configured for incoming and outgoing packets on an interface, and the configurations are independent of each other. On an interface, you can use the multicast-suppression command to limit the rate of incoming unknown multicast packets and use the multicast-suppression block outbound command to block outgoing unknown multicast packets.

Example

# Block outgoing unknown multicast packets on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] multicast-suppression block outbound

multicast-suppression (VLAN view)

Function

The multicast-suppression command applies a QoS CAR profile to a VLAN and polices uplink unknown multicast traffic in the VLAN.

The undo multicast-suppression command deletes the QoS CAR profile from the VLAN.

By default, uplink unknown multicast packets are not limited in a VLAN.

Format

multicast-suppression car-name [ share ]

undo multicast-suppression

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| car-name | Specifies the name of a QoS CAR profile. | The value is a string of 1 to 31 characters. |
| share | Implements QoS CAR for all the outgoing packets for which the same QoS CAR profile is configured in a VLAN. | - |

Views

VLAN view

Default Level

2: Configuration level

Usage Guidelines

When an increasing number of unknown multicast packets are transmitted on a network, more network resources are occupied and services are affected.

Run the multicast-suppression command to limit uplink unknown multicast packets in a VLAN.

If QoS CAR is configured both on an interface and in a VLAN,
  • On X series cards, the actual rate limit is the smaller CIR between the CIR in QoS CAR configured on the interface and the CIR in QoS CAR configured in the VLAN.
  • On other cards, QoS CAR configured on the interface takes effect.

Example

# Apply the QoS CAR profile qoscar1 to the unknown multicast packets received in VLAN 2.
<HUAWEI> system-view
[HUAWEI] qos car qoscar1 cir 10000 cbs 10240
[HUAWEI] vlan 2
[HUAWEI-vlan2] multicast-suppression qoscar1

storm-control

Function

The storm-control command enables storm control for broadcast packets, unknown multicast packets, and unknown unicast packets on an interface.

The undo storm-control command disables storm control.

By default, storm control is disabled on interfaces.

Format

storm-control { broadcast | multicast | unicast } min-rate min-rate-value max-rate max-rate-value

storm-control { broadcast | multicast | unicast } min-rate cir min-rate-value-cir max-rate cir max-rate-value-cir

storm-control { broadcast | multicast | unicast } min-rate percent min-rate-value-percent max-rate percent max-rate-value-percent

undo storm-control { broadcast | multicast | unicast | all-packets }

Parameters

Parameter

Description

Value

broadcast

Enables storm control for broadcast packets.

-

multicast

Enables storm control for unknown multicast packets.

-

unicast

Enables storm control for unknown unicast packets.

-

min-rate min-rate-value

Specifies the lower threshold in packet rate limit mode. If the value of min-rate-value is specified, packets received by an interface are forwarded when the rate of receiving packets is smaller than the value of min-rate-value in storm detection.

The value is an integer, in pps. The value range is as follows:
  • GE interface: 1 to 1488100
  • XGE interface: 1 to 14881000
  • 40GE interface: 1 to 59524000
  • 100GE interface: 1 to 148810000
  • Port group: 1 to 148810000

min-rate cir min-rate-value-cir

Specifies the lower threshold in byte rate limit mode. If the value of min-rate-value-cir is specified, packets received by an interface are forwarded when the rate of receiving packets is smaller than the value of min-rate-value-cir in storm detection.

The value is an integer, in kbit/s. The value range is as follows:
  • GE interface: 1 to 1000000
  • XGE interface: 1 to 10000000
  • 40GE interface: 1 to 40000000
  • 100GE interface: 1 to 100000000
  • Port group: 1 to 100000000

    NOTE:

    The given value range for port groups is the maximum one. The actually delivered value range depends on the minimum value range allowed by member interfaces in a port group.

min-rate percent min-rate-value-percent

Specifies the lower threshold in percentage rate limit mode. If the value of min-rate-value-percent is specified, packets received by an interface are forwarded when the rate of receiving packets is lower than the value of min-rate-value-percent in storm detection.

The value is an integer, in percentage. The value ranges from 1 to 100.

max-rate max-rate-value

Specifies the upper threshold in packet rate limit mode. Storm control is performed on an interface when the rate of receiving packets on the interface is greater than the value of max-rate-value in storm detection.

The value is an integer, in pps. The value range is as follows:
  • GE interface: 1 to 1488100
  • XGE interface: 1 to 14881000
  • 40GE interface: 1 to 59524000
  • 100GE interface: 1 to 148810000
  • Port group: 1 to 148810000

    NOTE:

    The given value range for port groups is the maximum one. The actually delivered value range depends on the minimum value range allowed by member interfaces in a port group.

max-rate cir max-rate-value-cir

Specifies the upper threshold in byte rate limit mode. If the value of max-rate-value-cir is specified, storm control is performed on an interface when the rate of receiving packets on the interface is greater than the value of max-rate-value-cir in storm detection.

The value is an integer, in kbit/s. The value range is as follows:
  • GE interface: 1 to 1000000
  • XGE interface: 1 to 10000000
  • 40GE interface: 1 to 40000000
  • 100GE interface: 1 to 100000000
  • Port group: 1 to 100000000

    NOTE:

    The given value range for port groups is the maximum one. The actually delivered value range depends on the minimum value range allowed by member interfaces in a port group.

max-rate percent max-rate-value-percent

Specifies the upper threshold in percentage rate limit mode. If the value of max-rate-value-percent is specified, storm control is performed on an interface when the rate of receiving packets on the interface is greater than the value of max-rate-value-percent in storm detection.

The value is an integer, in percentage. The value ranges from 1 to 100.

all-packets

Disables storm control for all the broadcast packets, unknown multicast packets, and unknown unicast packets.

-

Views

40GE interface view, 100GE interface view, GE interface view, XGE interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the average rate of receiving packets on an interface is greater than the value of max-rate-value, max-rate-value-cir, or max-rate-value-percent in storm detection, storm control is performed on the packets.
NOTE:
The storm detection interval can be set using the storm-control interval command.

Storm control actions include block and shutdown, which can be configured using the storm-control action command. If the action is block on an interface, packets on the interface are unblocked when the rate of receiving packets on the interface is smaller than the value of min-rate-value, min-rate-value-cir or min-rate-value-percent; if the action is shutdown on an interface, run the undo shutdown command to enable the interface.

Precautions

When detecting unicast packets, a switch does not distinguish unknown unicast packets from known unicast packets. The packet rate detected is the sum of the rates of unknown and known unicast packets. When the storm control action is block, the switch blocks only the unknown unicast packets. This rule also applies to multicast packets.

You cannot configure storm control and traffic suppression simultaneously on an interface. For example, if you configure traffic suppression for broadcast packets on an interface, then you cannot configure storm control for broadcast packets simultaneously on the interface.

After storm control is configured on an interface, the device does not check the VLAN IDs of packets when performing check on the packets. That is, the device performs storm control on all the packets no matter whether the VLANs of the packets are allowed by the interface.

For the S series cards, when the storm control mode is bytes or percentage, the switch calculates the packet rate in bytes or percentage using the packet length as 64 bytes and inter-frame gap as 20 bytes. If the packet length is not 64 bytes, the calculated packet rate may be inaccurate. Therefore, the pps mode is recommended for S series cards.

Example

# Perform storm control on broadcast packets received on GE1/0/1. In the storm detection interval, perform storm control on packets when the rate of receiving packets on an interface is greater than 8000 pps and forward packets when the rate of receiving packets on an interface is smaller than 5000 pps.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] storm-control broadcast min-rate 5000 max-rate 8000

storm-control action

Function

The storm-control action command sets the storm control action to error-down or block.

The undo storm-control action command cancels the configuration.

By default, no storm control action is configured.

Format

storm-control action { block | error-down }

undo storm-control action

Parameters

Parameter

Description

Value

block

Blocks packets.

-

error-down

Shuts down an interface.

-

Views

GE interface view, XGE interface view, 40GE interface view, 100GE interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

You can control data packets and prevent flooding by running the storm-control action command to configure a storm control action and the storm-control command to set the upper and lower thresholds.

In a storm detection interval, when the average rate of receiving broadcast packets, unknown multicast packets, and unknown unicast packets is greater than the value of the specified upper threshold, packets are blocked or the interface is shut down.

If the storm control action on an interface is block, the interface is restored when the traffic falls below the lower threshold.

If the storm control action is error-down, the interface can be recovered using either of the following methods:
  • Manual recovery (after an Error-Down event occurs):

    If a few interfaces need to be recovered, run the shutdown and undo shutdown commands in the interface view. Alternatively, run the restart command in the interface view to restart the interfaces.

  • Automatic recovery (before an Error-Down event occurs):

    If a large number of interfaces need to be recovered, manual recovery is time consuming and some interfaces may be omitted. To avoid this problem, run the error-down auto-recovery cause storm-control interval interval-value command in the system view to enable automatic interface recovery and set the recovery delay time. Run the display error-down recovery command to view information about automatic interface recovery.

    NOTE:

    This method does not take effect on interfaces that are already in Error-Down state. It is effective only on interfaces that enter the Error-Down state after this configuration is complete.

Precautions

When detecting unicast packets, a switch does not distinguish unknown unicast packets from known unicast packets. The packet rate detected is the sum of the rates of unknown and known unicast packets. When the storm control action is block, the switch blocks only the unknown unicast packets. This rule also applies to multicast packets.

Example

# Set the storm control action to error-down on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] storm-control action error-down
Info: This configuration may cause port shutdown.

storm-control enable

Function

The storm-control enable command configures the system to record logs or report traps during storm control.

The undo storm-control enable command configures the system not to record logs or report traps during storm control.

By default, the system does not record logs or report traps.

Format

storm-control enable { log | trap }

undo storm-control enable { log | trap }

Parameters

Parameter

Description

Value

log

Enables the log function.

-

trap

Enables the trap function.

-

Views

GE interface view, XGE interface view, 40GE interface view, 100GE interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

After storm control is configured, the switch monitors the broadcast, unknown multicast, and unknown unicast packets received on an interface. When the packet rate within a detection interval exceeds the upper limit, the switch executes the storm control action (block packets or shut down the interface) on the interface. This may affect services. You can configure the log or trap for storm control so that the administrator can quickly take actions to protect the switch.

  • After the logging function is enabled for storm control, the storm control log information is recorded in the STORMCTRL log of the SECE module.
  • After the trap function is enabled for storm control, the trap is SECE_1.3.6.1.4.1.2011.5.25.32.4.1.14.1 hwXQoSStormControlTrap.

Example

# Enable the trap reporting function during storm control on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] storm-control broadcast min-rate 3000 max-rate 5000
[HUAWEI-GigabitEthernet1/0/1] storm-control action block
[HUAWEI-GigabitEthernet1/0/1] storm-control enable trap
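
The following Python lint is an added example, not Huawei code. It checks a candidate configuration against rules stated on this page: storm control and inbound traffic suppression for the same packet type on one interface, thresholds without a storm-control action, error-down without the error-down auto-recovery command, and no log or trap. The sample configuration and the finding texts are constructed, and the stanza layout (interface line, indented commands, # separators) is an assumption about how the configuration text is stored.

```python
import re

STORM_RE = re.compile(r"storm-control (broadcast|multicast|unicast) min-rate")

def interfaces(config):
    """Map interface name -> list of commands found in its stanza."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            cur = ifaces.setdefault(raw.split(None, 1)[1].strip(), [])
        elif raw.startswith(" ") and cur is not None:
            cur.append(raw.strip())
        else:
            cur = None                    # "#" separator or a system-view command
    return ifaces

def audit(config):
    """Return (interface, finding) pairs for a candidate configuration."""
    auto_rec = re.search(r"^error-down auto-recovery cause storm-control ",
                         config, re.M) is not None
    out = []
    for name, cmds in interfaces(config).items():
        has = lambda prefix: any(c.startswith(prefix) for c in cmds)
        kinds = sorted({m.group(1) for c in cmds if (m := STORM_RE.match(c))})
        if not kinds:
            continue                      # no storm control on this interface
        for kind in kinds:                # inbound suppression of the same type
            if any(c.startswith(f"{kind}-suppression ") and
                   not c.endswith("block outbound") for c in cmds):
                out.append((name, f"{kind}: traffic suppression and storm control"))
        if not has("storm-control action "):
            out.append((name, "thresholds set, no storm-control action"))
        elif has("storm-control action error-down") and not auto_rec:
            out.append((name, "error-down without auto-recovery"))
        if not has("storm-control enable "):
            out.append((name, "no storm-control log or trap"))
    return out

# Constructed candidate configuration (not taken from a real device).
SAMPLE = """\
interface GigabitEthernet1/0/1
 storm-control broadcast min-rate 3000 max-rate 5000
 storm-control action block
 storm-control enable trap
#
interface GigabitEthernet1/0/2
 broadcast-suppression packets 2000
 storm-control broadcast min-rate 5000 max-rate 8000
 storm-control action error-down
#
interface GigabitEthernet1/0/3
 unicast-suppression block outbound
 storm-control unicast min-rate 3000 max-rate 5000
 storm-control enable log
"""
```

The outbound block command on GE1/0/3 is not reported as a conflict because the page treats inbound and outbound traffic suppression as independent configurations.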

storm-control interval

Function

The storm-control interval command sets the storm detection interval.

The undo storm-control interval command restores the default storm detection interval.

By default, the storm detection interval is 5s.

Format

storm-control interval interval-value

undo storm-control interval

Parameters

Parameter

Description

Value

interval-value

Specifies the storm detection interval.

The value is an integer that ranges from 1 to 180, in seconds. The default value is 5s.

Views

GE interface view, XGE interface view, 40GE interface view, 100GE interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Before using the storm-control interval command to set the storm detection interval, run the storm-control command in the interface view to configure storm control. Otherwise, the storm detection interval does not take effect.

Example

# Configure storm control and set the storm detection interval to 10 seconds on GE1/0/1. Block broadcast packets when the rate of receiving broadcast packets is greater than 5000 pps and forward the packets when the rate of receiving broadcast packets is smaller than 3000 pps in 10 seconds.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] storm-control broadcast min-rate 3000 max-rate 5000
[HUAWEI-GigabitEthernet1/0/1] storm-control action block
[HUAWEI-GigabitEthernet1/0/1] storm-control interval 10
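
A small Python model of the behaviour described in the storm-control, storm-control action and storm-control interval sections, added here as an illustration and not taken from the device software. It assumes that a rate between the two thresholds leaves the current state unchanged and that the auto-recovery delay is counted in whole detection intervals; the class name, its fields and the packet counts are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class StormControlPort:
    min_rate: int            # lower threshold in pps (min-rate)
    max_rate: int            # upper threshold in pps (max-rate)
    action: str              # "block" or "error-down" (storm-control action)
    interval: int = 5        # detection interval in seconds (page default)
    auto_recovery: int = 0   # error-down auto-recovery delay in seconds, 0 = off
    state: str = "forwarding"
    down_for: int = 0        # seconds spent in error-down so far
    events: list = field(default_factory=list)

    def end_of_interval(self, packets):
        """Feed the packet count of one detection interval, return the state."""
        avg = packets / self.interval          # average rate over the interval
        if self.state == "error-down":
            # Falling traffic does not restore the port: only the recovery
            # timer (or an operator running undo shutdown) brings it back.
            self.down_for += self.interval
            if self.auto_recovery and self.down_for >= self.auto_recovery:
                self._set("forwarding", avg)
        elif self.state == "forwarding" and avg > self.max_rate:
            self._set("blocked" if self.action == "block" else "error-down", avg)
        elif self.state == "blocked" and avg < self.min_rate:
            self._set("forwarding", avg)
        return self.state

    def _set(self, new_state, avg):
        self.events.append((self.state, new_state, round(avg)))
        self.state, self.down_for = new_state, 0

def replay(port, counts):
    """Run a list of per-interval packet counts through the port model."""
    return [port.end_of_interval(c) for c in counts]

# Constructed packet counts per 10-second interval for a port configured as in
# the example above (min-rate 3000, max-rate 5000, interval 10).
SAMPLE = [20_000, 62_000, 45_000, 41_000, 28_000, 20_000]
```

With the block action the port stays blocked through the 4500 pps and 4100 pps intervals and forwards again only at 2800 pps; with error-down it stays down until the recovery delay expires or an operator intervenes.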

unicast-suppression (interface view)

Function

The unicast-suppression command sets the maximum traffic volume of unknown unicast packets that can pass through an interface.

The undo unicast-suppression command allows all unknown unicast packets to pass.

By default, unknown unicast packets are not suppressed.

Format

unicast-suppression { percent-value | cir cir-value [ cbs cbs-value ] | packets packets-per-second }

undo unicast-suppression

Parameters

Parameter

Description

Value

percent-value

Specifies the percentage of bandwidth occupied by unknown unicast packets on an interface.

If loopback detection is enabled on an interface, the interface rate is set by user. If loopback detection is not enabled on an interface, the interface rate is automatically negotiated. You can run the display this interface command in the interface view to check the interface rate (value of the Speed field).

The value is an integer. It ranges from 0 to 80 for 40GE interfaces and 0 to 100 for other types of interfaces.
NOTE:

When an interface is configured with an optical module, the value range is determined by the rate of the optical module. For example, when a 100GE interface is configured with a 40GE optical module, the value range is 0 to 80.

cir cir-value

Specifies the committed information rate (CIR), which is the allowed rate at which traffic can pass through.

The value is an integer, in kbit/s. The value range is as follows:
  • GE interface: 0 to 1000000
  • XGE interface: 0 to 10000000
  • 40GE interface: 0 to 33554431
  • 100GE interface: 0 to 100000000
  • Port group: 0 to 100000000
NOTE:

When an interface is configured with an optical module, the value range is determined by the rate of the optical module. For example, when an XGE interface is configured with a GE optical module, the value range is 0 to 1000000. Note that when a 100GE interface is configured with a 40GE optical module, the value range is 0 to 40000000.

cbs cbs-value

Specifies the committed burst size (CBS), which is the maximum size of traffic that can pass through.

The value is an integer that ranges from 10000 to 4294967295, in bytes. By default, the CBS value is 188 times the CIR value.

packets packets-per-second

Specifies the number of packets transmitted per second.

The value is an integer and the value range is as follows:
  • GE interface: 0 to 1488100
  • XGE interface: 0 to 14881000
  • 40GE interface: 0 to 59524000
  • 100GE interface: 0 to 148810000
  • Port group: 0 to 148810000
NOTE:
  • For X series cards, if the configured value is less than 24, traffic suppression is performed based on 24. If the configured value is greater than or equal to 24, traffic suppression is performed based on the configured value.
  • When an interface is configured with an optical module, the value range is determined by the rate of the optical module. For example, when an XGE interface is configured with a GE optical module, the value range is 0 to 1488100.

Views

40GE interface view, 100GE interface view, GE interface view, XGE interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When an increasing number of unknown unicast packets are transmitted on the network, more network resources are occupied and services are affected.

To prevent broadcast storms, you can use the unicast-suppression command to set the threshold of unicast traffic that an interface allows to pass through. When the unknown unicast traffic rate exceeds the rate limit, the system discards excess unknown unicast packets to control the traffic volume in a proper range.

Precautions

If the rate limit in bit/s is set for a type of packets on an interface, the rate limit in pps cannot be set for other types of packets on the same interface. In a similar manner, if the rate limit in pps is set for a type of packets on an interface, the rate limit in bit/s cannot be set for other types of packets on the same interface.

Setting the bandwidth percentage is the same as setting the rate limit in pps. Take an interface of 1 Gbit/s as an example. If the bandwidth percentage is set to 50%, the device converts the bandwidth percentage to rate limit in pps as follows: (1000 x (50/100) x 1000 x 1000)/(84 x 8). In the preceding formula, 84 is the average length of packets (including the 60-byte packet body, 20-byte frame spacing, and 4-byte check information), and 8 is the number of bits in a byte.

NOTE:

If a packet rate limit is configured for a type of packets on an interface, the percentage rate limit for other types of packets is converted into the packet rate limit.
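
The conversion above worked through in Python, as an added example that is not part of the Huawei documentation. admitted_share shows how much of the line rate the converted pps limit lets through at frame lengths other than 64 bytes, and packets_value gives the figure for the packets form that matches a target share at an expected frame length. The function names are hypothetical, and applying the 20-byte frame spacing to every frame length is an assumption.

```python
IFG = 20         # frame spacing in bytes, as counted in the page's formula
REF_FRAME = 64   # 60-byte packet body + 4-byte check information

# Interface speed in Mbit/s and the page's upper bound for "packets".
SPEED = {"GE": 1000, "XGE": 10000, "40GE": 40000, "100GE": 100000}
PPS_MAX = {"GE": 1488100, "XGE": 14881000, "40GE": 59524000, "100GE": 148810000}

def percent_to_pps(if_type, percent):
    """Page formula: (speed x (percent/100) x 1000 x 1000) / (84 x 8)."""
    bits = SPEED[if_type] * 1_000_000 * percent // 100
    return bits // ((REF_FRAME + IFG) * 8)

def admitted_share(if_type, percent, frame_len):
    """Fraction of line rate the converted limit admits at one frame length."""
    wire_bits = percent_to_pps(if_type, percent) * (frame_len + IFG) * 8
    return min(1.0, wire_bits / (SPEED[if_type] * 1_000_000))

def packets_value(if_type, target_percent, frame_len):
    """pps for the 'packets' form that caps frame_len traffic at target_percent."""
    bits = SPEED[if_type] * 1_000_000 * target_percent // 100
    return min(bits // ((frame_len + IFG) * 8), PPS_MAX[if_type])

if __name__ == "__main__":
    for size in (64, 128, 512, 1518):
        print(f"50% on GE, {size:4d}-byte frames: "
              f"{percent_to_pps('GE', 50)} pps admits "
              f"{admitted_share('GE', 50, size):.1%} of line rate")
```

For a GE interface at 50%, the converted limit is 744047 pps, which corresponds to half the line rate only for 64-byte frames; the cir form of the command limits in kbit/s instead.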

Example

# Set the CIR of unknown unicast packets to 100 kbit/s and the CBS to 18800 bytes on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] unicast-suppression cir 100 cbs 18800

unicast-suppression block outbound

Function

The unicast-suppression block outbound command configures an interface to block outgoing unknown unicast packets.

The undo unicast-suppression block outbound command cancels the configuration.

By default, an interface does not block outgoing unknown unicast packets.

Format

unicast-suppression block outbound

undo unicast-suppression block outbound

Parameters

None

Views

GE interface view, XGE interface view, 40GE interface view, 100GE interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After an interface receives an unknown unicast packet, the interface broadcasts the packet to all users in the same VLAN. This may cause information leaks. For example, if an unauthorized user is connected to an interface in a VLAN, the unauthorized user obtains a host's address from unknown unicast packets and uses the address to attack the host. To prevent information leaks, use the unicast-suppression block outbound command to block unknown unicast packets on an interface if users connected to the interface do not need to receive unknown unicast packets. For example, if users on an interface seldom change and require high security, you can use this command on the interface.

Precautions

The unicast-suppression block outbound command is applicable only to interfaces where users do not need to receive unknown unicast packets. This command will affect network operations if it is used on an interface where users need to receive unknown unicast packets.

Traffic suppression can be configured for incoming and outgoing packets on an interface, and the configurations are independent of each other. On an interface, use the unicast-suppression command to limit the rate of incoming unknown unicast packets and the unicast-suppression block outbound command to block outgoing unknown unicast packets.

Example

# Block outgoing unknown unicast packets on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] unicast-suppression block outbound

unicast-suppression (VLAN view)

Function

The unicast-suppression command applies the QoS CAR profile to a VLAN and polices outgoing unknown unicast traffic in the VLAN.

The undo unicast-suppression command deletes the QoS CAR profile from a VLAN.

By default, uplink unknown unicast packets are not limited in a VLAN.

Format

unicast-suppression car-name [ share ]

undo unicast-suppression

Parameters

Parameter

Description

Value

car-name

Specifies the name of a QoS CAR profile.

The value is a string of 1 to 31 characters.

share

Implements QoS CAR for all the outgoing packets for which the same QoS CAR profile is configured in a VLAN.

-

Views

VLAN view

Default Level

2: Configuration level

Usage Guidelines

When an increasing number of unknown unicast packets are transmitted on the network, more network resources are occupied and services are affected.

Run the unicast-suppression command to limit uplink unknown unicast packets in a VLAN.

If QoS CAR is configured both on an interface and in a VLAN:
  • On X series cards, the actual rate limit is the smaller CIR between the CIR in QoS CAR configured on the interface and the CIR in QoS CAR configured in the VLAN.
  • On other cards, QoS CAR configured on the interface takes effect.

Example

# Apply the QoS CAR profile qoscar1 to outgoing unknown unicast packets received in VLAN 2.
<HUAWEI> system-view 
[HUAWEI] qos car qoscar1 cir 10000 cbs 10240 
[HUAWEI] vlan 2 
[HUAWEI-vlan2] unicast-suppression qoscar1
Updated: 2019-04-09

Document ID: EDOC1100065659
