S12700 V200R013C00 Command Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
Local Attack Defense Configuration Commands

Command Support

Commands provided in this section and all the parameters in the commands are supported by all switch models by default, unless otherwise specified. For details, see specific commands.

auto-defend attack-packet sample

Function

The auto-defend attack-packet sample command sets the packet sampling ratio for attack source tracing.

The undo auto-defend attack-packet sample command restores the default packet sampling ratio.

By default, the packet sampling ratio is 5. That is, one packet is sampled in every 5 packets.

Format

auto-defend attack-packet sample sample-value

undo auto-defend attack-packet sample

Parameters

Parameter | Description | Value
sample-value | Specifies the packet sampling ratio for attack source tracing. | The value is an integer that ranges from 1 to 1024.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Attack source tracing samples packets to identify attacks, so errors may occur in attack packet identification or packet rate calculation. A proper packet sampling ratio reduces these errors. A small sampling ratio makes the attack source tracing result accurate but increases CPU usage. For example, when the sampling ratio is set to 1, every packet is sampled: the attack source tracing result is accurate, but CPU usage is high because every packet is parsed.

The auto-defend attack-packet sample command sets the sampling ratio. You can set a proper value based on the requirements of attack source tracing precision and CPU usage.

Prerequisites

Attack source tracing has been enabled using the auto-defend enable command.

Precautions

When a smaller attack source tracing threshold is used, the sampling ratio has greater impact on the attack source tracing result.

Example

# Set the sampling ratio for attack source tracing in the attack defense policy named test to 2.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-defend enable
[HUAWEI-cpu-defend-policy-test] auto-defend attack-packet sample 2

auto-defend enable

Function

The auto-defend enable command enables automatic attack source tracing.

The undo auto-defend enable command disables automatic attack source tracing.

By default, attack source tracing is enabled.

Format

auto-defend enable

undo auto-defend enable

Parameters

None

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A large number of attack packets may attack the device CPU. Attack source tracing enables the device to trace attack sources and send logs or alarms to notify the administrator so that the administrator can take measures to defend against the attacks. By default, logs are sent to notify the administrator if attack source tracing is enabled.

After automatic attack source tracing is enabled, the device traces the source of the specified packets sent to the CPU. The packet type can be set using the auto-defend protocol command.

Precautions

Attack source tracing configured in an attack defense policy takes effect only when the attack defense policy is applied in the system view or slot view.

If the system software of a switch in a version earlier than V200R009C00 is upgraded to V200R009C00 or later version, an undo auto-defend enable configuration is automatically generated.

Example

# Enable attack source tracing in the attack defense policy named test.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-defend enable
auto-defend action

Function

The auto-defend action command enables the attack source punish function and specifies the punish action.

The undo auto-defend action command disables the attack source punish function.

By default, the attack source punish function is disabled.

Format

auto-defend action { deny [ timer time-length ] | error-down }

undo auto-defend action

Parameters

Parameter | Description | Value
deny | Discards packets sent from an attack source. | -
timer time-length | Specifies the period during which packets sent from an identified attack source are discarded. | The value ranges from 1 to 86400, in seconds. The default value is 300.
error-down | Shuts down an interface that receives attack packets. | -

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The attack source tracing process consists of four phases: packet parsing, traffic analysis, attack source identification, and taking attack source punish actions. The auto-defend action command applies to the last phase, taking punish actions: the device discards the packets sent from the identified attack source or shuts down the interface that receives the attack packets.

NOTE:

If the punish action is error-down, run the error-down auto-recovery cause auto-defend interval interval-value command to set the recovery delay before an attack occurs. The command does not take effect on an interface that is already in the error-down state.

Prerequisites

Attack source tracing has been enabled using the auto-defend enable command.

Precautions

If you run the auto-defend action command multiple times, only the latest configuration takes effect.

After the auto-defend action is set to deny, the device discards packets when being attacked. The configuration result can be verified using the display auto-defend attack-source command.

The device does not take punish actions on attack sources of whitelist users.

If the device shuts down the interface that receives the attack packets, services of authorized users on the interface are interrupted. Exercise caution when you configure the device to shut down the interface.

Example

# Configure the device to discard packets from an identified attack source for 10 seconds.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test 
[HUAWEI-cpu-defend-policy-test] auto-defend enable
[HUAWEI-cpu-defend-policy-test] auto-defend action deny timer 10
Info: This configuration may cause packet loss.

auto-defend alarm enable

Function

The auto-defend alarm enable command enables the event reporting function for attack source tracing.

The undo auto-defend alarm enable command disables the event reporting function for attack source tracing.

By default, the event reporting function for attack source tracing is disabled.

Format

auto-defend alarm enable

undo auto-defend alarm enable

Parameters

None

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the number of packets of a specified protocol from an attack source exceeds the threshold in a specified period, the device reports an event to the administrator so that the administrator can take measures to protect the device.

Prerequisites

Attack source tracing has been enabled using the auto-defend enable command.

Follow-up Procedure

Run the auto-defend threshold command to set the event reporting threshold for attack source tracing.

Example

# Enable the event reporting function in the attack defense policy test.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-defend enable
[HUAWEI-cpu-defend-policy-test] auto-defend alarm enable

auto-defend protocol

Function

The auto-defend protocol command specifies the types of protocol packets that the device monitors in attack source tracing.

The undo auto-defend protocol command deletes specified types of protocol packets that the device monitors in attack source tracing.

By default, the device traces the sources of 8021X, ARP, DHCP, DHCPv6, ICMP, ICMPv6, IGMP, MLD, ND, TCP, and Telnet packets in attack source tracing.

Format

auto-defend protocol { all | { 8021x | arp | dhcp | dhcpv6 | icmp | icmpv6 | igmp | mld | nd | tcp | telnet | ttl-expired | udp }* }

undo auto-defend protocol { 8021x | arp | dhcp | dhcpv6 | icmp | icmpv6 | igmp | mld | nd | tcp | telnet | ttl-expired | udp }*

Parameters

Parameter | Description | Value
all | Configures the device to trace sources of 8021X, ARP, DHCP, DHCPv6, ICMP, ICMPv6, IGMP, MLD, ND, TCP, Telnet, TTL-expired, and UDP packets in attack source tracing. | -
8021x | Adds 8021X packets to the list of traced packets or deletes 8021X packets from the list. | -
arp | Adds Address Resolution Protocol (ARP) packets to the list of traced packets or deletes ARP packets from the list. | -
dhcp | Adds Dynamic Host Configuration Protocol (DHCP) packets to the list of traced packets or deletes DHCP packets from the list. | -
dhcpv6 | Adds Dynamic Host Configuration Protocol for IPv6 (DHCPv6) packets to the list of traced packets or deletes DHCPv6 packets from the list. | -
icmp | Adds Internet Control Message Protocol (ICMP) packets to the list of traced packets or deletes ICMP packets from the list. | -
icmpv6 | Adds Internet Control Message Protocol for IPv6 (ICMPv6) packets to the list of traced packets or deletes ICMPv6 packets from the list. | -
igmp | Adds Internet Group Management Protocol (IGMP) packets to the list of traced packets or deletes IGMP packets from the list. | -
mld | Adds Multicast Listener Discovery (MLD) packets to the list of traced packets or deletes MLD packets from the list. | -
nd | Adds Neighbor Discovery (ND) packets to the list of traced packets or deletes ND packets from the list. | -
tcp | Adds Transmission Control Protocol (TCP) packets to the list of traced packets or deletes TCP packets from the list. | -
telnet | Adds Telnet packets to the list of traced packets or deletes Telnet packets from the list. | -
ttl-expired | Adds packets with the TTL value of 1 to the list of traced packets or deletes these packets from the list. | -
udp | Adds User Datagram Protocol (UDP) packets to the list of traced packets or deletes UDP packets from the list. | -

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The attack source tracing process consists of four phases: packet parsing, traffic analysis, attack source identification, and taking attack source punish actions. The auto-defend protocol command applies to the packet parsing phase. Because the protocol used by attack packets is not known before an attack occurs, the auto-defend protocol command lets you flexibly specify which packet types are traced.

Prerequisites

Attack source tracing has been enabled using the auto-defend enable command.

Precautions

  • If you run this command multiple times, only the latest configuration takes effect.
  • If a packet type is specified, when the device is attacked and the attack source is traced, you can run the display auto-defend attack-source command to view attack source information.
  • When attack source tracing is applied to ICMPv6 packets, the function takes effect on only the ICMPv6 packets of which the destination IPv6 addresses are local interface addresses.

Example

# Delete IGMP and TTL-expired packets from the list of traced packets.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-defend enable
[HUAWEI-cpu-defend-policy-test] undo auto-defend protocol igmp ttl-expired

auto-defend threshold

Function

The auto-defend threshold command sets the checking threshold and event reporting threshold for attack source tracing.

The undo auto-defend threshold command restores the default checking threshold and event reporting threshold for attack source tracing.

By default, the checking threshold and the event reporting threshold for attack source tracing are both 60 pps.

Format

auto-defend threshold threshold

undo auto-defend threshold

Parameters

Parameter | Description | Value
threshold | Specifies the checking threshold and event reporting threshold for attack source tracing. | The value is an integer that ranges from 1 to 65535, in pps.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After attack source tracing is enabled, you can set the checking threshold and event reporting threshold for attack source tracing. When the number of sent protocol packets from an attack source in a specified period exceeds the checking threshold, the device traces and logs the attack source.

Prerequisites

Attack source tracing has been enabled using the auto-defend enable command.

Precautions

If you run the auto-defend threshold command in the same attack defense policy view multiple times, only the latest configuration takes effect.

After the auto-defend enable command is executed, the device traces the attack source based on the default threshold even if the auto-defend threshold command is not used.

Example

# Set the checking threshold and event reporting threshold for attack source tracing in the attack defense policy named test to 200 pps.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-defend enable
[HUAWEI-cpu-defend-policy-test] auto-defend threshold 200

auto-defend trace-type

Function

The auto-defend trace-type command configures an attack source tracing mode.

The undo auto-defend trace-type command deletes an attack source tracing mode.

By default, attack source tracing is based on source IP addresses and source MAC addresses.

Format

auto-defend trace-type { source-mac | source-ip | source-portvlan } *

undo auto-defend trace-type { source-mac | source-ip | source-portvlan } *

Parameters

Parameter | Description | Value
source-mac | Configures attack source tracing based on source MAC addresses: the device classifies packets and collects statistics by source MAC address to identify the attack source. | -
source-ip | Configures attack source tracing based on source IP addresses: the device classifies packets and collects statistics by source IP address to identify the attack source. | -
source-portvlan | Configures attack source tracing based on source port+VLAN: the device classifies packets and collects statistics by source port and VLAN to identify the attack source. | -

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After enabling attack source tracing, you can specify one or more attack source tracing modes. The device then uses the specified modes to trace attack sources.

The device supports the following attack source tracing modes:

  • Source IP address-based tracing: defends against Layer 3 attack packets.
  • Source MAC address-based tracing: defends against Layer 2 attack packets with a fixed source MAC address.
  • Source port+VLAN based tracing: defends against Layer 2 attack packets with different source MAC addresses.

Prerequisites

Attack source tracing has been enabled using the auto-defend enable command.

Precautions

In VXLAN scenarios, the source port+VLAN based tracing mode is not supported. In addition, if the tunnel-side interface resides on the ET1D2X48SEC0 card, the source IP address-based tracing mode is not supported.

Table 14-23 lists the attack source tracing modes supported for different types of packets.

Table 14-23  Attack source tracing modes supported for different types of packets

Packet Type | Attack Source Tracing Mode
802.1X | Based on source MAC addresses and based on source ports+VLANs
ARP, DHCP, IGMP, ND, DHCPv6, MLDv6 | Based on source MAC addresses, based on source IP addresses, and based on source ports+VLANs
ICMP, TTL-expired, Telnet, TCP, UDP | Based on source IP addresses and based on source ports+VLANs

If you run this command multiple times, only the latest configuration takes effect.

A switch supports different numbers of attack source tracing modes for different protocol packets. For details, see Table 14-23.

After the attack source tracing function is enabled on the device, you can run the display auto-defend attack-source command to view attack source tracing information if an attack occurs.

When the attack source tracing mode is source-ip and action is error-down, if multiple interfaces receive the attack packets with the same source IP address and the packet rate exceeds the threshold, the switch shuts down only one interface, and then checks packet rate again. If the packet rate is still higher than the threshold, the switch shuts down another interface. The switch repeats the operations until the packet rate falls below the threshold.

Example

# Configure attack source tracing based on source MAC addresses only, by removing the source IP address and source port+VLAN tracing modes.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test 
[HUAWEI-cpu-defend-policy-test] auto-defend enable
[HUAWEI-cpu-defend-policy-test] undo auto-defend trace-type source-ip source-portvlan

auto-defend whitelist

Function

The auto-defend whitelist command configures an attack source tracing whitelist. The switch does not trace the source of users in the whitelist.

The undo auto-defend whitelist command deletes an attack source tracing whitelist.

By default, no whitelist is configured for attack source tracing. If any of the following conditions is met, however, the switch uses the condition as the whitelist matching rule, regardless of whether attack source tracing is enabled. After attack source tracing is enabled, the switch does not perform attack source tracing for the packets matching such rules.

  • If an application uses the TCP protocol and has set up a TCP connection with the switch, the switch will not consider TCP packets with the matching source IP address as attack packets. If no TCP packets match a source IP address within 1 hour, the rule that specifies this source IP address will be aged out.
  • If an interface has been configured as a DHCP trusted interface using the dhcp snooping trusted command, the switch will not consider DHCP packets received from this interface as attack packets.
  • If an interface has been configured as a MAC forced forwarding (MFF) network-side interface using the mac-forced-forwarding network-port command, the switch will not consider ARP packets received from this interface as attack packets.

For the preceding conditions, the switch supports a maximum of 16 whitelist matching rules based on source IP addresses and interfaces, and a maximum of 8 whitelist matching rules based on source IP addresses of TCP packets.

Format

auto-defend whitelist whitelist-number { acl acl-number | interface interface-type interface-number }

undo auto-defend whitelist whitelist-number [ acl acl-number | interface interface-type interface-number ]

Parameters

Parameter | Description | Value
whitelist-number | Specifies the number of a whitelist. | The value is an integer that ranges from 1 to 32.
acl acl-number | Specifies the number of an ACL referenced by a whitelist. | The value is an integer that ranges from 2000 to 4999: 2000 to 2999 for basic ACLs, 3000 to 3999 for advanced ACLs, and 4000 to 4999 for Layer 2 ACLs.
interface interface-type interface-number | Specifies the interface to which the whitelist is applied; interface-type specifies the interface type and interface-number specifies the interface number. | -

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Attack source tracing helps locate and punish sources of denial of service (DoS) attacks. If some users do not need to be traced regardless of whether an attack occurs, run the auto-defend whitelist command to configure a whitelist for users.

Prerequisites

Attack source tracing has been enabled using the auto-defend enable command.

Precautions

Before referencing an ACL in a whitelist, create the ACL and configure rules.

If the ACL referenced by the whitelist specifies some protocols, ensure that packets of these protocols can be traced. You can run the display auto-defend configuration command to view the protocols supported by attack source tracing. If a protocol is not supported by attack source tracing, you can run the auto-defend protocol command to configure attack source tracing to support the protocol.

Example

# Add source IP addresses 10.1.1.1 and 10.1.1.2 to the attack source tracing whitelist.

<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule permit source 10.1.1.1 0
[HUAWEI-acl-basic-2000] rule permit source 10.1.1.2 0
[HUAWEI-acl-basic-2000] quit
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-defend enable
[HUAWEI-cpu-defend-policy-test] auto-defend whitelist 1 acl 2000
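
The auto-defend sections above describe attack source tracing as a pipeline: only the protocols chosen with auto-defend protocol are parsed, one packet in every N is sampled (auto-defend attack-packet sample), sampled packets are counted per trace-type key (source IP address, source MAC address, or source port+VLAN) and compared with the pps threshold (auto-defend threshold), whitelisted users are exempted (auto-defend whitelist), and the deny action discards the source's packets for the timer period (auto-defend action). The following Python model, added here as an illustration and not Huawei's code, ties those commands together on constructed traffic. It assumes a one-second counting window, that the estimated rate is the sampled count multiplied by the sampling ratio, and a strict greater-than comparison against the threshold; VRP's real counting and aging logic is not documented on this page. The interface names, MAC addresses and IP addresses are constructed. The min_flagged_rate function illustrates the precaution under auto-defend attack-packet sample: with a small threshold, the sampling ratio has a much larger effect on which rates can be detected.

```python
"""Model of the attack source tracing pipeline (auto-defend) described in this
section: packet parsing (auto-defend protocol), sampling (attack-packet sample),
identification by trace-type key against the pps threshold, whitelist exemption,
and the deny punish action with its timer.

Added illustration, not Huawei's implementation: how VRP counts and ages
entries is not on this page, so a one-second window and a strict '>' compare
against the threshold are assumed."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    t: float        # arrival time in seconds
    proto: str      # keyword as used by auto-defend protocol
    src_mac: str
    src_ip: str
    port: str       # receiving interface (constructed names)
    vlan: int


@dataclass
class Policy:
    protocols: set                                      # auto-defend protocol
    trace_types: tuple = ("source-ip", "source-mac")    # page default
    sample: int = 5                                     # attack-packet sample
    threshold: int = 60                                 # auto-defend threshold, pps
    deny_timer: int = 300                               # auto-defend action deny timer
    whitelist_ips: set = field(default_factory=set)     # ACL 'rule permit source'
    whitelist_ports: set = field(default_factory=set)   # whitelist ... interface
    dhcp_trusted_ports: set = field(default_factory=set)  # implicit rule on the page


def trace_key(pkt, mode):
    """Classification key for one tracing mode (auto-defend trace-type)."""
    if mode == "source-mac":
        return ("source-mac", pkt.src_mac)
    if mode == "source-ip":
        return ("source-ip", pkt.src_ip)
    if mode == "source-portvlan":
        return ("source-portvlan", pkt.port, pkt.vlan)
    raise ValueError(mode)


def is_whitelisted(pkt, pol):
    """Explicit whitelist (ACL / interface) plus the implicit DHCP-trusted rule."""
    if pkt.src_ip in pol.whitelist_ips or pkt.port in pol.whitelist_ports:
        return True
    return pkt.proto == "dhcp" and pkt.port in pol.dhcp_trusted_ports


def run_tracing(packets, pol, window=1.0):
    """Returns (estimated pps per (window, key), flagged sources, deny expiry)."""
    sampled = defaultdict(int)   # (window index, key) -> sampled packets
    seen = 0
    for pkt in sorted(packets, key=lambda p: p.t):
        if pkt.proto not in pol.protocols or is_whitelisted(pkt, pol):
            continue                         # never parsed
        seen += 1
        if seen % pol.sample:                # keep 1 packet in every N
            continue
        for mode in pol.trace_types:
            sampled[(int(pkt.t // window), trace_key(pkt, mode))] += 1
    estimates, attackers, denied_until = {}, {}, {}
    for (w, key), n in sampled.items():
        est = n * pol.sample / window        # scale the sampled count back up
        estimates[(w, key)] = est
        if est > pol.threshold:              # attack source identified
            attackers[key] = max(est, attackers.get(key, 0))
            denied_until[key] = max(denied_until.get(key, 0),
                                    (w + 1) * window + pol.deny_timer)
    return estimates, attackers, denied_until


def min_flagged_rate(sample, threshold):
    """Lowest sustained single-source rate that 1-in-N sampling reports above the
    threshold in every window: estimates move in steps of N pps, so the step is
    a large fraction of a small threshold (the attack-packet sample precaution)."""
    return (threshold // sample + 1) * sample


def demo():
    # Constructed traffic: one ARP flood, one normal host, one whitelisted host.
    pkts = []
    for i in range(200):   # 100 pps for 2 s from the flooding host
        pkts.append(Packet(i / 100, "arp", "00e0-fc00-0009", "10.0.0.9", "GE0/0/1", 10))
    for j in range(40):    # 20 pps from a normal host on the same port
        pkts.append(Packet(j / 20, "arp", "00e0-fc00-0007", "10.0.0.7", "GE0/0/1", 10))
    for k in range(400):   # 200 pps ICMP from a host permitted by the whitelist ACL
        pkts.append(Packet(k / 200, "icmp", "00e0-fc00-0005", "10.0.0.5", "GE0/0/2", 10))
    pol = Policy(protocols={"arp", "icmp"}, whitelist_ips={"10.0.0.5"}, deny_timer=300)
    return run_tracing(pkts, pol)
```

Running demo() reports the flooding host at 100 pps under both the source-ip and source-mac keys and leaves the 20 pps host and the whitelisted host unreported. min_flagged_rate(5, 60) is 65 pps, a margin of about 8 percent above the threshold, whereas min_flagged_rate(5, 6) is 10 pps, a 67 percent margin, which is the effect the precaution under auto-defend attack-packet sample describes.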

auto-port-defend aging-time

Function

The auto-port-defend aging-time command configures the aging time for port attack defense.

The undo auto-port-defend aging-time command restores the default aging time for port attack defense.

By default, the aging time for port attack defense is 300 seconds.

Format

auto-port-defend aging-time time

undo auto-port-defend aging-time [ time ]

Parameters

Parameter | Description | Value
aging-time time | Specifies the aging time for port attack defense. | The value is an integer that ranges from 30 to 86400 and must be a multiple of 10. The unit is second.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After a device with port attack defense function enabled detects an attack on a port, the device traces the source and limits the rate of the attack packets on the port within the aging time (T seconds). When the aging time expires, the device calculates the protocol packet rate on the port again. If the rate is still above the protocol rate threshold, the device keeps tracing the source and limits the rate of the attack packets; otherwise, the device stops the operations.

If the aging time is too short, the device frequently starts packet rate detection on ports, which consumes CPU resources. If the aging time is too long, protocol packets cannot be promptly processed by the CPU, which affects services. Therefore, you need to run the auto-port-defend aging-time command to set an appropriate aging time according to the CPU usage and service status.

Prerequisites

The port attack defense function has been enabled using the auto-port-defend enable command.

Precautions

If you run the auto-port-defend aging-time command multiple times in the same attack defense policy view, only the latest configuration takes effect.

Example

# Set the aging time in the attack defense policy test view to 350 seconds.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-port-defend enable
[HUAWEI-cpu-defend-policy-test] auto-port-defend aging-time 350

auto-port-defend alarm enable

Function

The auto-port-defend alarm enable command enables the report of port attack defense events.

The undo auto-port-defend alarm enable command disables the report of port attack defense events.

By default, port attack defense events are not reported.

Format

auto-port-defend alarm enable

undo auto-port-defend alarm enable

Parameters

None

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If a port undergoes a DoS attack, the malicious attack packets sent from this port to the CPU occupy bandwidth. As a result, the CPU cannot process the protocol packets sent from other ports, and services are interrupted. In this situation, you can enable the report of port attack defense events. When the rate of protocol packets on a port exceeds the check threshold, the switch reports an event to notify the network administrator, so that the administrator can promptly take measures to protect the switch.

Prerequisites

The port attack defense function has been enabled using the auto-port-defend enable command.

Follow-up Procedure

Run the auto-port-defend protocol { all | arp-request | arp-reply | dhcp | icmp | igmp | ip-fragment } threshold threshold command to set the threshold for protocol packet check in port attack defense.

Example

# Enable the report of port attack defense events in the attack defense policy test.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-port-defend enable
[HUAWEI-cpu-defend-policy-test] auto-port-defend alarm enable

auto-port-defend enable

Function

The auto-port-defend enable command enables the port attack defense function.

The undo auto-port-defend enable command disables the port attack defense function.

By default, the port attack defense function is enabled.

Format

auto-port-defend enable

undo auto-port-defend enable

Parameters

None

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If an attacker initiates a DoS attack on a port, the malicious attack packets sent from this port to the CPU occupy bandwidth. As a result, the CPU cannot process the protocol packets sent from other ports, and services are interrupted.

The port attack defense function effectively limits the number of packets sent to the CPU, and prevents DoS attacks aiming at the CPU.

This function is enabled by default. If the number of packets received by a port within one second exceeds the protocol rate threshold, the device considers that an attack occurs on the port. Then the device traces the source and limits the rate of attack packets, and records an attack log to avoid impact on other ports.

Precautions

After the port attack defense function is enabled in an attack defense policy, the attack defense policy must be applied in the system view or slot view.

Example

# Enable the port attack defense function in the attack defense policy test view.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-port-defend enable
auto-port-defend protocol

Function

The auto-port-defend protocol command specifies the types of protocol packets to which port attack defense is applied.

The undo auto-port-defend protocol command cancels port attack defense for certain types of protocol packets.

By default, port attack defense is applicable to ARP Request, ARP Reply, DHCP, ICMP, IGMP, and IP fragment packets.

Format

auto-port-defend protocol { all | { arp-request | arp-reply | dhcp | icmp | igmp | ip-fragment } * }

undo auto-port-defend protocol { arp-request | arp-reply | dhcp | icmp | igmp | ip-fragment } *

Parameters

Parameter

Description

Value

all

Applies port attack defense to ARP Request, ARP Reply, DHCP, ICMP, IGMP, and IP fragment packets.

-

arp-request

Applies port attack defense to ARP Request packets or cancels port attack defense for ARP Request packets.

-

arp-reply

Applies port attack defense to ARP Reply packets or cancels port attack defense for ARP Reply packets.

-

dhcp

Applies port attack defense to DHCP packets or cancels port attack defense for DHCP packets.

-

icmp

Applies port attack defense to ICMP packets or cancels port attack defense for ICMP packets.

-

igmp

Applies port attack defense to IGMP packets or cancels port attack defense for IGMP packets.

-

ip-fragment

Applies port attack defense to IP fragment packets or cancels port attack defense for IP fragment packets.

-

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, the device calculates the rate of all protocol packets received by a port, including ARP Request, ARP Reply, DHCP, ICMP, IGMP, and IP fragment packets, and traces the source and limits the rate of attack packets. If the packets of a protocol that exceed the rate threshold contain only a few attack packets, run the undo auto-port-defend protocol command to cancel port attack defense for that protocol type, because rate-limiting too many protocols affects services.

Prerequisites

The port attack defense function has been enabled using the auto-port-defend enable command.

Precautions

If you run this command multiple times in the same attack defense policy view, only the latest configuration takes effect.

After port attack defense is applied to a type of protocol packets, the display auto-port-defend attack-source command can display the attack source tracing information if the port is attacked by the specified protocol packets.

Example

# In the attack defense policy test, cancel port attack defense for ARP Reply packets.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-port-defend enable
[HUAWEI-cpu-defend-policy-test] undo auto-port-defend protocol arp-reply

auto-port-defend protocol threshold

Function

The auto-port-defend protocol threshold command sets the protocol packet rate threshold for port attack defense.

The undo auto-port-defend protocol threshold command restores the default protocol packet rate threshold for port attack defense.

The following table lists the default rate thresholds for different protocols.

Packet Type | Rate Threshold
arp-request | 60 pps for an LPU and 120 pps for a main control unit
arp-reply | 60 pps for an LPU and 120 pps for a main control unit
dhcp | 60 pps for an LPU and 120 pps for a main control unit
icmp | 60 pps for an LPU and 120 pps for a main control unit
igmp | 60 pps for an LPU and 120 pps for a main control unit
ip-fragment | 30 pps

Format

auto-port-defend protocol { all | arp-request | arp-reply | dhcp | icmp | igmp | ip-fragment } threshold threshold

undo auto-port-defend protocol { all | arp-request | arp-reply | dhcp | icmp | igmp | ip-fragment } threshold [ threshold ]

Parameters

Parameter | Description | Value
all | Sets the rate thresholds for ARP Request, ARP Reply, DHCP, ICMP, IGMP, and IP fragment packets. | -
arp-request | Specifies the rate threshold for ARP Request packets. | -
arp-reply | Specifies the rate threshold for ARP Reply packets. | -
dhcp | Specifies the rate threshold for DHCP packets. | -
icmp | Specifies the rate threshold for ICMP packets. | -
igmp | Specifies the rate threshold for IGMP packets. | -
ip-fragment | Specifies the rate threshold for IP fragment packets. | -
threshold threshold | Specifies the protocol rate threshold. | The value is an integer that ranges from 1 to 65535, in pps.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After port attack defense is enabled on a port, the device calculates the rate of affected protocol packets received by the port. If the packet rate exceeds the protocol rate threshold, the device considers that an attack occurs. Then the device traces the source and limits the rate of attack packets on the port, and records a log. The device moves the packets within the protocol rate limit (CPCAR in attack defense policies) to the low-priority queue, and then sends them to the CPU. The device discards the excess packets.

You need to set an appropriate rate threshold for port attack defense according to service requirements. If the CPU fails to process many protocol packets promptly after port attack defense is enabled, set a large packet rate threshold. If the CPU is busy processing the packets of a protocol, set a small rate threshold for this protocol to avoid impact on other services.

Prerequisites

The port attack defense function has been enabled using the auto-port-defend enable command.

Precautions

If you run the auto-port-defend protocol threshold command multiple times in the same attack defense policy view, only the latest configuration takes effect.

Example

# In the attack defense policy test, set the rate threshold for ARP Request packets to 40 pps.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-port-defend enable
[HUAWEI-cpu-defend-policy-test] auto-port-defend protocol arp-request threshold 40

auto-port-defend sample

Function

The auto-port-defend sample command sets the protocol packet sampling ratio for port attack defense.

The undo auto-port-defend sample command restores the default protocol packet sampling ratio for port attack defense.

By default, the protocol packet sampling ratio for port attack defense is 5. That is, one packet is sampled when every 5 packets are received.

Format

auto-port-defend sample sample-value

undo auto-port-defend sample [ sample-value ]

Parameters

Parameter Description Value
sample sample-value Specifies the protocol packet sampling ratio for port attack defense. The value is an integer that ranges from 1 to 1024.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A device with port attack defense enabled identifies attacks by analyzing sampled packets. There may be errors in attack packet identification or packet rate calculation. Errors influence the attack defense effect. An appropriate sampling ratio helps you control attack defense accuracy.

A small sampling ratio improves attack defense accuracy, but consumes more CPU resources. When the sampling ratio is set to 1, the device analyzes every packet. The attack packets can be detected quickly, but CPU usage becomes high and services are affected. Therefore, make a balance between the attack defense requirement and CPU usage to decide a sampling ratio.

Prerequisites

The port attack defense function has been enabled using the auto-port-defend enable command.

Precautions

If the protocol packet rate threshold for port attack defense is set to a small value, the attack identification error caused by packet sampling ratio is large.
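The two caveats above (a ratio of 1 inspects everything at high CPU cost; a low threshold magnifies the sampling error) follow from how one-in-N sampling estimates a rate. The model below is an added illustration, not Huawei code: it counts one packet in every sample packets per protocol, scales the count back up, compares the estimate with a threshold, and computes the worst-case error the sampling introduces. The packet stream, the threshold values and all function names are constructed assumptions.

```python
"""Sampling-based rate estimation for port attack defense.

Added example, not Huawei code: a constructed model of how a device that
inspects one packet in every ``sample`` received packets estimates the
per-protocol rate and compares it with the configured threshold. Names,
the packet stream and the threshold values are assumptions.
"""
from collections import Counter
from typing import Dict, Iterable, List

# Constructed thresholds in pps; the real default depends on the card
# (see the table of default thresholds on this page).
THRESHOLDS = {"arp-request": 60, "dhcp": 60, "ip-fragment": 30}


def estimate_rates(packets: Iterable[str], sample: int,
                   interval_s: float = 1.0) -> Dict[str, float]:
    """Estimate the per-protocol packet rate from sampled packets.

    ``packets`` holds the protocol name of every packet received on a port
    during ``interval_s`` seconds, in arrival order. Only every
    ``sample``-th packet of each protocol is inspected, and the count of
    inspected packets is scaled back up by ``sample``.
    """
    if sample < 1 or sample > 1024:          # range given on the page
        raise ValueError("sample ratio must be 1..1024")
    received: Counter = Counter()
    inspected: Counter = Counter()
    for proto in packets:
        received[proto] += 1
        if received[proto] % sample == 0:    # one packet in every ``sample``
            inspected[proto] += 1
    return {proto: inspected[proto] * sample / interval_s for proto in received}


def detect_attacks(rates: Dict[str, float],
                   thresholds: Dict[str, int] = THRESHOLDS) -> List[str]:
    """Protocols whose estimated rate exceeds their threshold."""
    return sorted(p for p, r in rates.items() if r > thresholds.get(p, float("inf")))


def max_sampling_error_pps(sample: int, interval_s: float = 1.0) -> float:
    """Largest under-estimate the sampling can produce, in pps.

    Up to ``sample - 1`` packets per protocol arrive after the last sampled
    one and are never counted, so the estimate is at most this far below
    the true rate.
    """
    return (sample - 1) / interval_s


def relative_error_at_threshold(sample: int, threshold: int,
                                interval_s: float = 1.0) -> float:
    """Sampling error as a fraction of the threshold (the page's caveat)."""
    return max_sampling_error_pps(sample, interval_s) / threshold


if __name__ == "__main__":
    # Constructed one-second stream: 100 ARP Requests and 34 IP fragments.
    stream = ["arp-request"] * 100 + ["ip-fragment"] * 34
    for ratio in (5, 1):
        rates = estimate_rates(stream, ratio)
        print(f"sample={ratio}: rates={rates} attacks={detect_attacks(rates)}")
    print("error vs 30 pps threshold at ratio 5:",
          relative_error_at_threshold(5, 30))
```

With the constructed stream, a ratio of 5 reports the 34 pps IP fragment flow as 30 pps and so misses the 30 pps threshold, while a ratio of 1 reports it exactly; the same 4 pps error is 13% of a 30 pps threshold but only 0.4% of a 1000 pps one, which is why the precaution above matters most for small thresholds.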

Example

# Set the protocol packet sampling ratio to 4 in the attack defense policy test view.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-port-defend enable
[HUAWEI-cpu-defend-policy-test] auto-port-defend sample 4

auto-port-defend whitelist

Function

The auto-port-defend whitelist command configures a whitelist for port attack defense.

The undo auto-port-defend whitelist command deletes a whitelist for port attack defense.

By default, no whitelist is configured for port attack defense. After a port is configured as a DHCP trusted port using the dhcp snooping trusted command, the device will not perform attack defense operations on the DHCP packets received by this port, regardless of whether port attack defense is enabled on this port.

Format

auto-port-defend whitelist whitelist-number { acl acl-number | interface interface-type interface-number }

undo auto-port-defend whitelist whitelist-number [ acl acl-number | interface interface-type interface-number ]

Parameters

Parameter Description Value
whitelist-number Specifies the number of the whitelist configured for port attack defense. The value is an integer that ranges from 1 to 32.
acl acl-number Specifies the number of the ACL applied to the whitelist. The value of acl-number is an integer that ranges from 2000 to 4999.
  • 2000 to 2999: basic ACLs
  • 3000 to 3999: advanced ACLs
  • 4000 to 4999: Layer 2 ACLs
interface interface-type interface-number Specifies the type and number of the interface to which the whitelist is applied. -
  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The port attack defense function is enabled by default on the device, so the device calculates protocol packet rates on all interfaces, and traces the source and limits the rate of attack packets. In some services, network-side interfaces need to receive a lot of valid protocol packets. You should add these interfaces or network nodes connecting to these interfaces to the whitelist. The device does not trace the source or limit the rate of protocol packets received by the interfaces in the whitelist.

Prerequisites

The port attack defense function has been enabled using the auto-port-defend enable command.

Precautions

To define the whitelist using an ACL, you must create an ACL and configure rules for the ACL.

Before configuring an ACL whitelist for some protocols, ensure that the port attack defense function supports these protocols. Use the auto-port-defend protocol command to specify the protocols to which port attack defense is applied.

Example

# In the attack defense policy test, configure a whitelist that references an ACL. The ACL permits the packets from the users with IP addresses 10.1.1.1 and 10.1.1.2.

<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule permit source 10.1.1.1 0
[HUAWEI-acl-basic-2000] rule permit source 10.1.1.2 0
[HUAWEI-acl-basic-2000] quit
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-port-defend enable
[HUAWEI-cpu-defend-policy-test] auto-port-defend whitelist 1 acl 2000

# In the attack defense policy test, add interface GE1/0/1 to the whitelist for port attack defense.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-port-defend enable
[HUAWEI-cpu-defend-policy-test] auto-port-defend whitelist 1 interface gigabitethernet 1/0/1

blacklist

Function

The blacklist command configures a blacklist.

The undo blacklist command deletes a blacklist.

By default, no blacklist is configured.

Format

IPv4 blacklist:

blacklist blacklist-id acl acl-number1

undo blacklist blacklist-id

IPv6 blacklist:

blacklist blacklist-id acl ipv6 acl-number2

undo blacklist blacklist-id

Parameters

Parameter Description Value
blacklist-id Specifies the ID of a blacklist. The value is an integer that ranges from 1 to 8.
acl acl-number1 Specifies the number of an Access Control List (ACL) referenced by a blacklist. The value is an integer that ranges from 2000 to 4999.
  • 2000 to 2999: basic ACLs
  • 3000 to 3999: advanced ACLs
  • 4000 to 4999: Layer 2 ACLs
acl ipv6 acl-number2 Specifies the ACL matching the IPv6 blacklist. The value of acl-number2 is an integer that ranges from 3000 to 3999.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

To defend against malicious packet attacks, the device uses ACLs to add users with specific characteristics to a blacklist and discards the packets from the users in the blacklist.

An attack defense policy can contain a maximum of eight blacklists (including IPv4 and IPv6 blacklists).

For X series cards, the discarded packet statistics collected by the display cpu-defend statistics command do not contain the statistics on the packets sent from blacklisted users. For other cards, packets sent from blacklisted users are discarded after traffic statistics are collected; therefore, you can run the display cpu-defend statistics command to view statistics on the packets sent from blacklisted users.

Example

# Specify ACL 2001 as the rule of blacklist 2.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] blacklist 2 acl 2001
Info: This configuration may cause packet loss.

# Apply ACL 3001 to IPv6 blacklist 3.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] blacklist 3 acl ipv6 3001
Info: This configuration may cause packet loss.
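Both the auto-port-defend whitelist example above and the blacklist examples here select users with a basic ACL whose rules carry a wildcard mask (source 10.1.1.1 0 matches exactly one host). The following is an added example, not Huawei code: a small parser and matcher for basic ACL source rules that shows what the wildcard mask does, then applies the page's ACL 2000 as a whitelist and a constructed ACL 2001 as a blacklist. It assumes first-match evaluation in configuration order and that the ACL's permit rules are what a blacklist discards; the rule text for ACL 2001 and all function names are constructed.

```python
"""Basic ACL (2000 to 2999) source rules with wildcard masks.

Added example, not Huawei code. A wildcard mask is the inverse of a subnet
mask: a 0 bit in the mask must match exactly, a 1 bit is ignored, so
"10.1.1.1 0" is one host and "10.1.1.0 0.0.0.255" is the whole /24.
Assumed: rules are evaluated first-match in configuration order, and the
ACL's permit rules select the users a blacklist discards.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str      # "permit" or "deny"
    network: int     # source address as a 32-bit integer
    wildcard: int    # wildcard mask as a 32-bit integer (1 bits are ignored)

    def matches(self, addr: str) -> bool:
        """True if addr agrees with network on every bit the wildcard does not ignore."""
        care = ~self.wildcard & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(addr)) & care) == (self.network & care)


def parse_rule(line: str) -> Rule:
    """Parse 'rule [id] permit|deny source <addr> <wildcard>' or 'source any'."""
    toks = line.split()
    if not toks or toks[0] != "rule":
        raise ValueError(f"not a rule line: {line!r}")
    i = 1
    if toks[i].isdigit():            # optional rule ID
        i += 1
    action = toks[i]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in: {line!r}")
    if toks[i + 1] != "source":
        raise ValueError("only source-based basic ACL rules are modelled")
    if toks[i + 2] == "any":
        return Rule(action, 0, 0xFFFFFFFF)
    network = int(ipaddress.IPv4Address(toks[i + 2]))
    wc = toks[i + 3]
    wildcard = 0 if wc == "0" else int(ipaddress.IPv4Address(wc))  # "0" is shorthand for 0.0.0.0
    return Rule(action, network, wildcard)


def acl_action(rules: List[Rule], addr: str) -> Optional[str]:
    """Action of the first matching rule, or None when nothing matches."""
    for rule in rules:
        if rule.matches(addr):
            return rule.action
    return None


# ACL 2000 exactly as configured in the whitelist example on this page.
ACL_2000 = [parse_rule(line) for line in (
    "rule 5 permit source 10.1.1.1 0",
    "rule 10 permit source 10.1.1.2 0",
)]
# Constructed ACL 2001 for the blacklist example (the page does not show its rules).
ACL_2001 = [parse_rule("rule 5 permit source 192.0.2.0 0.0.0.255")]


def whitelisted(addr: str, rules: List[Rule] = ACL_2000) -> bool:
    """auto-port-defend whitelist: matching hosts are exempt from port attack defense."""
    return acl_action(rules, addr) == "permit"


def blacklisted(addr: str, rules: List[Rule] = ACL_2001) -> bool:
    """blacklist <id> acl <n>: packets from hosts matching a permit rule are discarded."""
    return acl_action(rules, addr) == "permit"


if __name__ == "__main__":
    for host in ("10.1.1.1", "10.1.1.3", "192.0.2.7"):
        print(f"{host:10s} whitelisted={whitelisted(host)} blacklisted={blacklisted(host)}")
```

The wildcard semantics are the part worth checking before applying either list: "10.1.1.0 0.0.0.255" exempts (or discards) an entire /24, which is a much wider match than the two single-host rules in the page's example.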

car (attack defense policy view)

Function

The car command sets the rate limit for packets sent to the CPU.

The undo car command restores the default rate limit for packets sent to the CPU.

By default, the CIR value for user-defined flows is 64 kbit/s. You can run the display cpu-defend configuration command to check the CAR values for protocol packets.

Format

car { packet-type packet-type | user-defined-flow flow-id } cir cir-value [ cbs cbs-value ]

undo car { packet-type packet-type | user-defined-flow flow-id }

Parameters

Parameter Description Value
packet-type packet-type Specifies the type of packets. The supported packet types depend on the device.
user-defined-flow flow-id Specifies the ID of the user-defined flow. The value is an integer that ranges from 1 to 8.
cir cir-value Specifies the committed information rate (CIR). The value is an integer.
  • For packet-type packet-type, the value range varies according to the packet type; enter ? after the command to display it.
  • For user-defined-flow flow-id, the value ranges from 8 to 4096, in kbit/s.
cbs cbs-value Specifies the committed burst size (CBS). The value is an integer.
  • For packet-type packet-type, the value range varies according to the packet type; enter ? after the command to display it.
  • For user-defined-flow flow-id, the value ranges from 10000 to 800000, in bytes.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The switch has default CAR values for each type of protocol packet. You can adjust CAR values for specified types of protocol packets based on services and network environment.

After an attack defense policy is created, you can limit the rate of protocol packets using the policy:
  • Reduce the CAR values in the following situation: When a network undergoes an attack, reduce the CAR values of the corresponding protocol, to reduce impact on the system CPU.
  • Increase the CAR values in the following situation: When service traffic volume on the network increases, a large number of protocol packets need to be sent to the CPU. Increase the CAR values of the corresponding protocols to meet service requirements.

Improper CPCAR settings will affect services on your network. If you need to adjust CPCAR settings, you are advised to contact technical support personnel for help.

For MPUs and X series cards, the device limits the rate of some protocol packets in pps mode. That is, the actual CPCAR value is the number of packets allowed to pass per second, which is calculated as follows:

CIR value x 1024/(8 x Packet length)

For example, if the CIR value of 802.1X packets is set to 64 kbit/s, 40 802.1X packets are allowed to pass per second. The number 40 is calculated as follows:

64 x 1024/(8 x 200) = 40.96 (rounded down to the integer 40)

The following table lists the types and lengths of packets that support rate limiting in pps mode.

Packet Length (Including Preamble and IFG) Packet Type
88 nac-arp-reply , nac-arp-request, 8021x, 8021x-wireless, 8021x-start-wlan, 8021x-ident-wlan, 8021x-start, 8021x-ident, nac-nd
100 eap-key, capwap-other, capwap-ap-update, capwap-keepalive
120 capwap-association, capwap-smart-roam, capwap-disassoc
128 hw-tacacs, wapi, capwap-rf-neighbor, capwap-regular-rep, capwap-ap-auth, capwap-license-mng, capwap-ac-auth
152 portal
200 wlan-not-capwap
256 capwap-discov-bc, capwap-discov-uc
374 nac-dhcp
400 dhcp-server, capwap-echo, radius, nac-dhcpv6
800 sip
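The pps-mode formula above is easy to get wrong when planning a CPCAR change, so here is an added example (not Huawei code) that applies the page's formula, CIR x 1024 / (8 x packet length) rounded down, to the packet-length table just listed, and also inverts it to find the smallest CIR that yields a wanted packet rate. The table data is copied from the page; the helper names are assumptions.

```python
"""CPCAR in pps mode: how a CIR in kbit/s becomes a packets-per-second limit.

Added example, not Huawei code. It applies the formula given on the page,
CIR x 1024 / (8 x packet length), rounded down, to the packet-type table
on the page. The table data is copied from the page; the helper names are
assumptions.
"""
import math
from typing import Dict

# Packet length (bytes, including preamble and IFG) per packet type, from the page.
PPS_MODE_LENGTHS: Dict[int, tuple] = {
    88: ("nac-arp-reply", "nac-arp-request", "8021x", "8021x-wireless",
         "8021x-start-wlan", "8021x-ident-wlan", "8021x-start", "8021x-ident", "nac-nd"),
    100: ("eap-key", "capwap-other", "capwap-ap-update", "capwap-keepalive"),
    120: ("capwap-association", "capwap-smart-roam", "capwap-disassoc"),
    128: ("hw-tacacs", "wapi", "capwap-rf-neighbor", "capwap-regular-rep",
          "capwap-ap-auth", "capwap-license-mng", "capwap-ac-auth"),
    152: ("portal",),
    200: ("wlan-not-capwap",),
    256: ("capwap-discov-bc", "capwap-discov-uc"),
    374: ("nac-dhcp",),
    400: ("dhcp-server", "capwap-echo", "radius", "nac-dhcpv6"),
    800: ("sip",),
}
PACKET_LENGTH: Dict[str, int] = {
    ptype: length for length, ptypes in PPS_MODE_LENGTHS.items() for ptype in ptypes
}


def cpcar_pps(cir_kbps: int, packet_len: int) -> int:
    """Packets per second allowed for a CIR (kbit/s) and a packet length (bytes)."""
    if cir_kbps <= 0 or packet_len <= 0:
        raise ValueError("CIR and packet length must be positive")
    return (cir_kbps * 1024) // (8 * packet_len)   # integer division = rounding down


def pps_limit(packet_type: str, cir_kbps: int) -> int:
    """pps limit for a packet type the page lists as rate-limited in pps mode."""
    try:
        length = PACKET_LENGTH[packet_type]
    except KeyError:
        raise ValueError(f"{packet_type} is not listed as pps-mode on the page") from None
    return cpcar_pps(cir_kbps, length)


def cir_for_pps(packet_type: str, wanted_pps: int) -> int:
    """Smallest CIR (kbit/s) whose pps-mode limit is at least ``wanted_pps``.

    Inverts the formula: CIR >= wanted_pps x 8 x length / 1024, rounded up.
    """
    length = PACKET_LENGTH[packet_type]
    return math.ceil(wanted_pps * 8 * length / 1024)


if __name__ == "__main__":
    print("64 kbit/s at 200 bytes ->", cpcar_pps(64, 200), "pps")   # the page's worked example
    for ptype in ("8021x", "radius", "sip"):
        print(f"{ptype:8s} {PACKET_LENGTH[ptype]:4d} B  64 kbit/s -> {pps_limit(ptype, 64)} pps")
    print("CIR needed for 20 pps of sip:", cir_for_pps("sip", 20), "kbit/s")
```

Note that the page's worked example uses a 200-byte packet (64 kbit/s gives 40 pps), while the table lists the 8021x types at 88 bytes, where the same CIR gives 93 pps; the function takes the length as an input so either figure can be checked against what display cpu-defend configuration reports.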

Precautions

If you run the deny command and then the car command, the car command takes effect; if you run the car command, and then the deny command, the deny command takes effect.

NOTE:

When the actual and configured rates of packets sent to the CPU are large, the CPU usage may be high and the performance may deteriorate. In the worst situation, the CSS breaks.

Example

# Set the rate limit in the attack defense policy named test for ARP Reply packets: set the CIR value to 64 kbit/s and the CBS value to 33000 bytes.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test 
[HUAWEI-cpu-defend-policy-test] car packet-type arp-reply cir 64 cbs 33000
Warning: Improper parameter settings may affect stable operating of the system. Use this command under assistance of Huawei engineers. Continue? [Y/N]:y

cpu-defend application-apperceive enable

Function

The cpu-defend application-apperceive enable command enables active link protection (ALP). After the ALP is enabled, the CAR values of protocol packets set using linkup-car can take effect.

The undo cpu-defend application-apperceive enable command disables ALP.

By default, ALP is enabled on FTP, HTTP, HTTPS, SSH, TELNET, and TFTP packets and disabled on BGP and OSPF packets.

Format

cpu-defend application-apperceive [ bgp | ftp | http | https | ospf | ssh | telnet | tftp ] enable

undo cpu-defend application-apperceive [ bgp | ftp | http | https | ospf | ssh | telnet | tftp ] enable

NOTE:

Only the V200R013C00SPC500 version supports the http parameter.

Parameters

Parameter Description Value
bgp Enables ALP on BGP packets. -
ftp Enables ALP on FTP packets. -
http Enables ALP on HTTP packets. -
https Enables ALP on HTTPS packets. -
ospf Enables ALP on OSPF packets. -
ssh Enables ALP on SSH packets. -
telnet Enables ALP on TELNET packets. -
tftp Enables ALP on TFTP packets. -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The default CAR value of BGP, FTP, HTTP, HTTPS, OSPF, SSH, TFTP, or TELNET protocol is small. When a switch uses these protocols to transfer files or set up connections with other hosts or devices, the number of protocol packets sharply increases in a short period. When the packet rate exceeds the limit, the protocol packets are dropped. The switch may also undergo attacks of other protocols. This affects data transmission and causes service interruption.

You can run the cpu-defend application-apperceive command to enable ALP, ensuring normal operation of BGP, FTP, HTTP, HTTPS, OSPF, SSH, TFTP, or TELNET services when attacks occur. When a connection is set up, the switch sends packets at the rate of the CPCAR value configured using the linkup-car command. The CPCAR value can be set as required.

Precautions

To enable the ALP function for a certain protocol, run the cpu-defend application-apperceive enable command to enable ALP globally. For example, before enabling ALP for the TFTP protocol, run the cpu-defend application-apperceive enable command, and then the cpu-defend application-apperceive tftp enable command to make the configuration take effect.

Before running the linkup-car command, you are advised to run the display cpu-defend configuration command to check the CIR value supported by the current protocol or displayed CIR value.

Example

# Enable ALP on BGP packets and set the CIR value to 256 kbit/s.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] linkup-car packet-type bgp cir 256
[HUAWEI-cpu-defend-policy-test] quit
[HUAWEI] cpu-defend application-apperceive enable
[HUAWEI] cpu-defend application-apperceive bgp enable

cpu-defend dynamic-car enable

Function

The cpu-defend dynamic-car enable command enables a switch to dynamically adjust the default CIR value for protocol packets.

The undo cpu-defend dynamic-car enable command disables a switch from dynamically adjusting the default CIR value for protocol packets.

By default, dynamic adjustment of the default CIR value is enabled globally, but the switch is disabled from dynamically adjusting the default CIR value for OSPF and ARP protocol packets.

Format

cpu-defend dynamic-car [ ospf | arp ] enable

undo cpu-defend dynamic-car [ ospf | arp ] enable

Parameters

Parameter Description Value
ospf Enables the switch to dynamically adjust the default CIR value for OSPF protocol packets. -
arp Enables the switch to dynamically adjust the default CIR value for ARP protocol packets. -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A fixed default CIR value may not adapt to dynamic requirements on rate limiting for protocol packets. The cpu-defend dynamic-car enable command enables a switch to dynamically adjust the default CIR value for protocol packets.

If the default CIR value for a protocol has never been changed, the switch dynamically adjusts the default CIR value for the protocol packets based on service scale (for example, number of dynamic ARP entries) and CPU usage to meet various service requirements. For details, see Table 14-24, Table 14-25, and Table 14-26.

Table 14-24  Default CPCAR adjustment for ARP packets

Number of ARP Entries Adjusted CPCAR
Fewer than or equal to 512 Unchanged
More than 512 and fewer than or equal to 1024 128 kbit/s on the MPU and LPU (remain unchanged if the default CIR on the MPU and LPU is larger than 128 kbit/s)
More than 1024 and fewer than or equal to 3072 256 kbit/s on the MPU and LPU
More than 3072 and fewer than or equal to 4096 512 kbit/s on the MPU and LPU
More than 4096 768 kbit/s on the MPU and 512 kbit/s on the LPU

Table 14-25  Default CPCAR adjustment for OSPF packets

Number of OSPF Links (Number of OSPF Neighbors x Number of LSAs) Adjusted CPCAR
Fewer than or equal to 350000 Unchanged. 512 kbit/s on the MPU and 256 kbit/s on the LPU
More than 350000 and fewer than or equal to 420000 768 kbit/s on the MPU and 384 kbit/s on the LPU
More than 420000 1024 kbit/s on the MPU and 512 kbit/s on the LPU

Table 14-26  Default CPCAR adjustment for OSPF hello packets

Number of OSPF Links (Number of OSPF Neighbors) Adjusted CPCAR
Fewer than or equal to 64 Unchanged.
More than 64 and fewer than or equal to 128 256 kbit/s on the MPU and 128 kbit/s on the LPU
More than 128 and fewer than or equal to 256 512 kbit/s on the MPU and 256 kbit/s on the LPU
More than 256 and fewer than or equal to 384 768 kbit/s on the MPU and 384 kbit/s on the LPU
More than 384 1024 kbit/s on the MPU and 512 kbit/s on the LPU

NOTE:

When the number of entries increases, the CPCAR value is dynamically increased. When the CPU usage is between 70% and 98%, the dynamic CPCAR adjustment stops. If the CPU usage is greater than 98%, the default CPCAR value is used.

If ospf and arp are not specified, the switch is globally enabled to dynamically adjust the default CIR value of a protocol packet.

Precautions

The switch dynamically adjusts the default CIR value for OSPF or ARP protocol packets only when the function is enabled globally and on OSPF or ARP protocol packets.

The default CIR value dynamically adjusted only takes effect when the CIR value of the protocol packet is not manually changed.

After the default CPCAR setting is modified for OSPF, only the CIR value for OSPF and OSPF hello packets is adjusted.

After the default CPCAR setting is modified for ARP, only the CIR value for ARP reply, Unicast ARP request, and ARP request packets is adjusted.

Example

# Enable the switch to dynamically adjust the default CIR value for ARP protocol packets.

<HUAWEI> system-view
[HUAWEI] cpu-defend dynamic-car enable
[HUAWEI] cpu-defend dynamic-car arp enable 

cpu-defend host-car

Function

The cpu-defend host-car command specifies the packet type to which the user-level rate limiting is applied.

By default, the user-level rate limiting can apply to ARP Request, ARP Reply, ND, DHCP Request, DHCPv6 Request, and 8021x packets, but does not apply to IGMP and HTTPS-SYN packets.

NOTE:

Only the X series LPUs support this command.

Format

cpu-defend host-car { { arp | dhcp-request | dhcpv6-request | igmp | nd | 8021x | https-syn } * | all }

Parameters

Parameter Description Value
arp Applies user-level rate limiting to ARP packets. -
dhcp-request Applies user-level rate limiting to DHCP Request packets. -
dhcpv6-request Applies user-level rate limiting to DHCPv6 Request packets. -
igmp Applies user-level rate limiting to IGMP packets. -
nd Applies user-level rate limiting to ND packets. -
8021x Applies user-level rate limiting to 8021x packets. -
https-syn Applies user-level rate limiting to HTTPS-SYN packets. -
all Applies user-level rate limiting to ARP, DHCP Request, DHCPv6 Request, IGMP, ND, 8021x, and HTTPS-SYN packets. -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, the switch limits the rates of the ARP, ND, DHCP Request, DHCPv6 Request, and 8021x packets received from user MAC addresses, including wired and wireless users, and discards excessive packets when the packet rates exceed the rate limit. If you need to limit the rate of only IGMP and HTTPS-SYN packets or packets of the specified types, specify the packet type.

Precautions

  • Before using this command, run the cpu-defend host-car enable command to enable user-level rate limiting.
  • If the command is run multiple times, the user-level rate limiting applies to the packet type specified in the last command. For example, if the command specifying ARP and DHCP Request packets is run, and then the cpu-defend host-car arp command is run, the user-level rate limiting applies to only ARP packets.
  • After the cpu-defend host-car all command is run, the configuration file displays cpu-defend host-car 8021x arp dhcp-request dhcpv6-request https-syn igmp nd.

Example

# Apply user-level rate limiting to ARP, DHCP Request, DHCPv6 Request, IGMP, and ND packets.

<HUAWEI> system-view
[HUAWEI] cpu-defend host-car arp dhcp-request dhcpv6-request igmp nd

cpu-defend host-car enable

Function

The cpu-defend host-car enable command enables the user-level rate limiting.

The undo cpu-defend host-car enable command disables the user-level rate limiting.

By default, the user-level rate limiting is enabled.

NOTE:

Only the X series LPUs support this command.

Format

cpu-defend host-car enable

undo cpu-defend host-car enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

User-side hosts are prone to virus attacks. Infected hosts may send a large number of protocol packets to network devices, causing a high CPU usage and degraded performance on the devices and affecting services. You can configure the user-level rate limiting to resolve this problem. User-level rate limiting identifies users by user MAC addresses and limits the rates of specified packets (ARP, ND, DHCP Request, DHCPv6 Request, IGMP, 802.1X, and HTTPS-SYN packets) for both wired and wireless users. By default, the threshold for each user MAC address is 10 pps.

The user-level rate limiting is more precise than CPCAR (based on card) and port attack defense (based on interface) because it is user-specific and has little impact on online users.

Precautions

  • It is recommended that you disable user-level rate limiting on the network-side interfaces of an access switch and a gateway switch. The user-level rate limiting is enabled on interfaces by default.

  • In the user-level rate limiting, the system performs a hash calculation for the source MAC addresses of specified packets, and places the packets into different buckets. Therefore, multiple users may share the rate limit. When traffic volume is heavy, packets may be dropped. If you confirm that these users are authorized, run the cpu-defend host-car mac-address mac-address command to increase the rate threshold for the specified MAC addresses.

Example

# Disable the user-level rate limiting.

<HUAWEI> system-view
[HUAWEI] undo cpu-defend host-car enable

cpu-defend host-car pps

Function

The cpu-defend host-car pps command sets the rate limit for the user-level rate limiting.

The undo cpu-defend host-car command restores the default rate limit for the user-level rate limiting.

By default, the rate limit for the user-level rate limiting is 10 pps.

NOTE:

Only the X series LPUs support this command.

Format

cpu-defend host-car [ mac-address mac-address | car-id car-id ] pps pps-value

undo cpu-defend host-car { mac-address mac-address | car-id car-id }

Parameters

Parameter Description Value
mac-address mac-address Sets the rate limit for the specified MAC address. -
car-id car-id Sets the rate limit for the specified bucket. The value is an integer that ranges from 0 to 8191.
pps pps-value Indicates the rate limit. The value is an integer that ranges from 1 to 128.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

User-level rate limiting identifies users by user MAC addresses and limits the rates of specified packets (ARP, ND, DHCP Request, DHCPv6 Request, IGMP, 802.1X, and HTTPS-SYN packets) for both wired and wireless users. By default, the user-level rate limit is 10 pps. You can set a rate limit based on user.

Precautions

  • Before using this command, run the cpu-defend host-car enable command to enable user-level rate limiting.
  • If the rate limit is too high, attacks cannot be prevented and the CPU may be overloaded.
  • If both the cpu-defend host-car mac-address mac-address pps pps-value and cpu-defend host-car pps pps-value commands are run, the rate limit for the specified MAC address is determined by the former command, and the rate limit for other MAC addresses is determined by the latter command.
  • The user-level rate limiting performs a hash calculation for the source MAC addresses of specified packets, and places the packets into different buckets. When two user MAC addresses are mapped to the same bucket index, the two users share the same rate limit (in pps mode). If the two users modify the rate limit for the bucket simultaneously, the setting will be overwritten. To avoid this situation, the rate limit for the specified MAC address cannot be set when a hash conflict occurs.
  • When the cpu-defend host-car mac-address mac-address pps pps-value and cpu-defend host-car pps pps-value commands are run to configure the rate limit for multiple MAC addresses, the settings are displayed in the alphabetic order in the configuration file.
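The hash-bucket behaviour described in the precautions above (and in the cpu-defend host-car enable precautions) is the main operational surprise of user-level rate limiting: two unrelated MAC addresses can share one 10 pps budget, and a per-MAC setting is refused on a bucket that another MAC already claims. The following is an added example, not Huawei code, that models exactly that: it hashes MACs into 8192 buckets (car-id 0 to 8191 on the page), enforces a per-bucket pps limit (default 10, configurable 1 to 128 as on the page), finds a colliding MAC for demonstration and shows the shared limit and the conflict guard. The hash function is a constructed stand-in; the switch's real hash is not documented on this page, and all class and function names are assumptions.

```python
"""User-level rate limiting (host-car) with hash buckets shared by colliding MACs.

Added example, not Huawei code. It models the behaviour the page describes:
source MACs are hashed into buckets (car-id 0 to 8191), every bucket has a
pps limit (10 pps by default, 1 to 128 when configured), two MACs that land
in the same bucket share one limit, and a per-MAC limit cannot be set when
the bucket is already claimed by another MAC. The hash function is a
constructed stand-in; the switch's real hash is not documented on the page.
"""
from collections import Counter
from typing import Dict, Iterable

BUCKET_COUNT = 8192          # car-id ranges from 0 to 8191 on the page
DEFAULT_PPS = 10             # default user-level rate limit on the page


def mac_to_int(mac: str) -> int:
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return int(digits, 16)


def bucket_for(mac: str) -> int:
    """Constructed hash: XOR-fold the 48-bit MAC into 13 bits (one of 8192 buckets)."""
    v = mac_to_int(mac)
    folded = v ^ (v >> 13) ^ (v >> 26) ^ (v >> 39)
    return folded & (BUCKET_COUNT - 1)


class HostCar:
    """Per-bucket packet budget for one second of traffic."""

    def __init__(self, default_pps: int = DEFAULT_PPS) -> None:
        self.default_pps = default_pps
        self.bucket_pps: Dict[int, int] = {}     # car-id -> configured limit
        self.bucket_owner: Dict[int, str] = {}   # car-id -> MAC that configured it
        self.accepted: Counter = Counter()       # packets accepted per bucket this second

    def set_mac_pps(self, mac: str, pps: int) -> int:
        """Model of cpu-defend host-car mac-address <mac> pps <pps>; returns the bucket."""
        if not 1 <= pps <= 128:                  # range given on the page
            raise ValueError("pps must be 1..128")
        b = bucket_for(mac)
        owner = self.bucket_owner.get(b)
        if owner is not None and owner != mac:   # the page's hash-conflict rule
            raise ValueError(f"hash conflict: bucket {b} already set for {owner}")
        self.bucket_owner[b] = mac
        self.bucket_pps[b] = pps
        return b

    def limit(self, mac: str) -> int:
        return self.bucket_pps.get(bucket_for(mac), self.default_pps)

    def new_second(self) -> None:
        self.accepted.clear()

    def receive(self, mac: str) -> bool:
        """True if the packet is sent to the CPU, False if it is dropped."""
        b = bucket_for(mac)
        if self.accepted[b] >= self.limit(mac):
            return False
        self.accepted[b] += 1
        return True


def colliding_mac(mac: str) -> str:
    """Find a different MAC that hashes to the same bucket (for the demonstration)."""
    base, target = mac_to_int(mac), bucket_for(mac)
    for i in range(1, 1 << 20):
        cand = (base + (i << 24)) & ((1 << 48) - 1)
        text = f"{cand:012x}"
        cand_mac = "-".join(text[j:j + 4] for j in (0, 4, 8))
        if cand != base and bucket_for(cand_mac) == target:
            return cand_mac
    raise RuntimeError("no collision found")


def accepted_per_mac(car: HostCar, packets: Iterable[str]) -> Dict[str, int]:
    """Run one second of constructed traffic and count accepted packets per source MAC."""
    car.new_second()
    result: Counter = Counter()
    for mac in packets:
        if car.receive(mac):
            result[mac] += 1
    return dict(result)


if __name__ == "__main__":
    a = "000a-000b-000c"                 # MAC from the page's example
    b = colliding_mac(a)                 # constructed neighbour in the same bucket
    car = HostCar()
    print("shared bucket, default 10 pps:", accepted_per_mac(car, [a, b] * 8))
    car.set_mac_pps(a, 20)
    print("after pps 20 for", a, ":", accepted_per_mac(car, [a, b] * 8))
```

Raising the limit for one MAC, as the page recommends for authorized users, also raises it for everyone hashed into the same bucket, which is the trade-off to keep in mind when a host-car setting is used to stop drops on a busy uplink.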

Example

# Set the rate limit for MAC address 000a-000b-000c to 20 pps.

<HUAWEI> system-view
[HUAWEI] cpu-defend host-car mac-address 000a-000b-000c pps 20

cpu-defend policy

Function

The cpu-defend policy command creates an attack defense policy and displays the attack defense policy view.

The undo cpu-defend policy command deletes an attack defense policy.

By default, the default attack defense policy exists on the device and is applied to all boards. The default attack defense policy cannot be deleted or modified.

Format

cpu-defend policy policy-name

undo cpu-defend policy policy-name

Parameters

Parameter Description Value
policy-name Specifies the name of an attack defense policy. The value is a string of 1 to 31 case-insensitive characters without spaces.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A large number of packets including malicious attack packets are sent to the CPU on a network. If excess packets are sent to the CPU, the CPU usage becomes high and CPU performance deteriorates. The attack packets affect services and may even cause system breakdown. To solve the problem, create an attack defense policy and configure CPU attack defense and attack source tracing in the attack defense policy.

Precautions

The device supports a maximum of 33 attack defense policies, including the default attack defense policy. The default attack defense policy is generated in the system by default and is applied to all boards. The default attack defense policy cannot be deleted or modified. The other 32 policies can be created, modified, and deleted.

The configuration in a user-defined attack defense policy overrides the configuration in the default attack defense policy. If no parameter is set in the user-defined attack defense policy, the configuration in the default attack defense policy is used.

When the default attack defense policy is used, protocol packets sent to the CPU and user-defined flows are limited based on the default CIR value.

Example

# Create an attack defense policy named test.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] 

cpu-defend-policy

Function

The cpu-defend-policy command applies an attack defense policy.

The undo cpu-defend-policy command cancels the application of an attack defense policy.

By default, the default attack defense policy is applied to all cards.

Format

System view

cpu-defend-policy policy-name [ global ]

undo cpu-defend-policy [ policy-name ] [ global ]

Slot view

cpu-defend-policy policy-name

undo cpu-defend-policy [ policy-name ]

Parameters

Parameter Description Value
policy-name global Applies an attack defense policy to all LPUs. The attack defense policy must already exist.
policy-name System view: applies an attack defense policy to a main control board. Slot view: applies an attack defense policy to an LPU. The attack defense policy must already exist.

Views

System view, slot view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The packets destined for the CPU can be directly sent to the main control board, or sent to the main control board through LPUs. Therefore, attack defense policies must be configured on both the main control board and LPUs.

Before applying attack defense policies, check attack information on the main control board and LPUs, for example, source IP addresses of attack packets and attack packet types. If the attack information on the main control board and LPUs is consistent, apply the same attack defense policy to the main control board and LPUs; otherwise, apply different policies to them.

For example, if all attack packets received by the main control board and LPUs are sent from source IP address 10.1.1.0, configure an attack defense policy to block packets from this IP address and apply this policy to the main control board and LPUs. If the main control board is attacked by ARP Request packets but the LPUs are attacked by DHCP packets, configure two attack defense policies to block ARP Request and DHCP packets respectively and apply the policies to the main control board and LPUs separately.
  1. Apply an attack defense policy to a main control board.
  2. Apply an attack defense policy to LPUs.
    • If all LPUs process the same service, apply an attack defense policy to all LPUs.
    • If LPUs process different services, apply an attack defense policy to a specified LPU.

Prerequisites

An attack defense policy has been created by using the cpu-defend policy command.

Precautions

  • When the cpu-defend-policy command is executed in the system view, if global is not specified, the attack defense policy is applied to the MPU; if global is specified, the attack defense policy is applied to all LPUs.
  • When the cpu-defend-policy command is executed in the slot view, you cannot specify global. The attack defense policy is applied to the LPU in the slot.

If the parameters such as the threshold and sampling ratio are specified in attack defense policies, the parameter values set for the main control board must be larger than those set for LPUs.

If an attack defense policy is applied to an LPU, the blacklist, whitelist, and user-defined flow take effect for only the packets destined for CPUs of LPUs. If an attack defense policy is applied to the main control board, the blacklist, whitelist, and user-defined flow take effect for only the packets destined for CPUs of the main control boards.

Only one attack defense policy can be applied to a card.

Example

# Apply the attack defense policy named test to the main control board.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] quit
[HUAWEI] cpu-defend-policy test

# Apply the attack defense policy named test to all cards.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] quit
[HUAWEI] cpu-defend-policy test global

# Apply the attack defense policy named test to the LPU in slot 3.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] quit
[HUAWEI] slot 3
[HUAWEI-slot-3] cpu-defend-policy test

cpu-defend trap drop-packet

Function

The cpu-defend trap drop-packet command enables alarm reporting for packet loss caused by CPCAR exceeding.

The undo cpu-defend trap drop-packet command restores the default configuration.

By default, the system does not report alarms for packet loss caused by CPCAR exceeding.

Format

cpu-defend trap drop-packet

undo cpu-defend trap drop-packet

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To protect the CPU, a switch limits the rate of protocol packets sent to the CPU based on the CPCAR. If the rate of protocol packets exceeds the CPCAR, excess protocol packets are dropped. As a result, the corresponding service may not run normally. To quickly detect packet loss caused by CPCAR exceeding, you can use this command to enable alarm reporting for this event. After this function is enabled, the switch checks for packet loss caused by CPCAR at 10-minute intervals. If the switch finds that the number of dropped packets of a protocol increases, the switch reports a packet loss alarm.

Precautions

After this alarm reporting function is enabled, the switch reports packet loss alarms based on protocol types. That is, if the rates of packets of multiple protocols exceed the CPCAR values set for these protocols, the switch reports an alarm for each protocol.

Example

# Enable alarm reporting for packet loss caused by CPCAR exceeding.

<HUAWEI> system-view
[HUAWEI] cpu-defend trap drop-packet

deny

Function

The deny command configures the device to discard packets sent to the CPU.

The undo deny command restores the default action taken for the packets sent to the CPU.

By default, the device does not discard packets sent to the CPU. Instead, it limits the rate of packets sent to the CPU and of user-defined flows using the default rate. You can check the CAR value of each packet type using the display cpu-defend configuration command.

Format

deny { packet-type packet-type | user-defined-flow flow-id }

undo deny { packet-type packet-type | user-defined-flow flow-id }

Parameters

Parameter Description Value
packet-type packet-type Specifies the type of the packet to be discarded. The supported packet type depends on the device.
user-defined-flow flow-id Specifies the ID of the user-defined flow to be discarded. The value is an integer that ranges from 1 to 8.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After an attack defense policy is created, if the device receives attack packets of a specified type or a large number of packets sent to the CPU, run the deny command to configure the device to discard packets of the specified type sent to the CPU.

Precautions

If you run the deny command and then the car command, the car command takes effect; if you run the car command and then the deny command, the deny command takes effect. After the undo deny command is executed, the default action for packets sent to the CPU is restored, that is, rate limiting based on the CIR and CBS is performed again.

Example

# Configure the drop action taken for ARP Reply packets to be sent to the CPU in the attack defense policy test.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test 
[HUAWEI-cpu-defend-policy-test] deny packet-type arp-reply

description (attack defense policy view)

Function

The description command configures the description of an attack defense policy.

The undo description command deletes the description of an attack defense policy.

By default, no description is configured for an attack defense policy.

Format

description text

undo description

Parameters

Parameter Description Value
text Specifies the content of a description. It is a string of 1 to 63 case-sensitive characters and can contain spaces.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The description command configures the description of an attack defense policy, for example, the usage or application scenario of the attack defense policy. The description is used to differentiate attack defense policies.

Precautions

If you run the description command in the same attack defense policy view multiple times, only the latest configuration takes effect.

Example

# Configure the description defend_arp_attack for the attack defense policy named test.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test 
[HUAWEI-cpu-defend-policy-test] description defend_arp_attack

display auto-defend attack-source

Function

The display auto-defend attack-source command displays the attack sources.

Format

display auto-defend attack-source [ history [ begin begin-date begin-time ] [ slot slot-id ] | [ slot slot-id ] [ detail ] ]

Parameters

Parameter Description Value
history Displays the history attack source information. If history is not specified, all existing attack source information is displayed. -
begin begin-date begin-time Specifies the start time. begin-date is in the format YYYY/MM/DD and begin-time is in the format HH:MM:SS. The value of YYYY/MM/DD ranges from 2000/1/1 to 2099/12/31. The value of HH:MM:SS ranges from 00:00:00 to 23:59:59.
slot slot-id Specifies a slot ID. The value must be set according to the device configuration.
detail Displays detailed information about the attack sources, including the type of attack packets. If detail is not specified, brief information about the attack sources is displayed. -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display auto-defend attack-source command displays the attack sources.

If slot slot-id is not specified, information about attack sources on the MPU is displayed.

Example

# Display the attack source list on the MPU.

<HUAWEI> display auto-defend attack-source
  Attack Source User Table (MPU):
  -----------------------------------------------------------------------------
  MacAddress       InterfaceName               Vlan:Outer/Inner    TotalPackets
  -----------------------------------------------------------------------------
  0000-c103-0102   GigabitEthernet1/0/1        100                 1395
  -----------------------------------------------------------------------------
  Total: 1

  Attack Source Port Table (MPU):
  ------------------------------------------------------------
  InterfaceName               Vlan:Outer/Inner    TotalPackets
  ------------------------------------------------------------
  GigabitEthernet1/0/1        100                 605
  ------------------------------------------------------------
  Total: 1

  Attack Source IP Table (MPU):
  ----------------------------------------------------------------------
  IPAddress                                     TotalPackets
  ----------------------------------------------------------------------
  2:2:2:2:2:2:2:2                                1395
  ----------------------------------------------------------------------
  Total: 1

# Display detailed information about the attack source list.

<HUAWEI> display auto-defend attack-source detail
  Attack Source User Table (MPU):
  ----------------------------------------------------
  MAC Address                    0000-c103-0102
  Interface                      GigabitEthernet1/0/1
  VLAN: Outer/Inner              100
     ARP:                        1580
  Total                          1580
  ----------------------------------------------------
  Total: 1

  Attack Source Port Table (MPU):
  ----------------------------------------------------
  Interface                      GigabitEthernet1/0/1
  VLAN: Outer/Inner              100
     ARP:                        790
  Total                          790
  ----------------------------------------------------
  Total: 1

  Attack Source IP Table (MPU):
  ---------------------------------------------------------------------------
  IP address                     2:2:2:2:2:2:2:2
     ARP:                        1580
  Total                          1580
   ---------------------------------------------------------------------------
  Total: 1

# Display information about attack sources on the LPU in slot 1.

<HUAWEI> display auto-defend attack-source slot 1
  Attack Source User Table (slot 1):
  -----------------------------------------------------------------------------
  MacAddress       InterfaceName               Vlan:Outer/Inner    TotalPackets
  -----------------------------------------------------------------------------
  0000-c103-0102   GigabitEthernet1/0/1        100                 1395
  -----------------------------------------------------------------------------
  Total: 1

  Attack Source Port Table (slot 1):
  ------------------------------------------------------------
  InterfaceName               Vlan:Outer/Inner    TotalPackets
  ------------------------------------------------------------
  GigabitEthernet1/0/1        100                 605
  ------------------------------------------------------------
  Total: 1

  Attack Source IP Table (slot 1):
  ----------------------------------------------------------------------
  IPAddress                                     TotalPackets
  ----------------------------------------------------------------------
  2:2:2:2:2:2:2:2                                1395
  ----------------------------------------------------------------------
  Total: 1
Table 14-27  Description of the display auto-defend attack-source command output

Item

Description

Attack Source User Table (MPU) Source tracing information of the MPU, distinguished by attack user. Slot X indicates information about attack sources on the interface card in slot X.
Attack Source Port Table (MPU) Source tracing information of the MPU, distinguished by attacked interface. Slot X indicates information about attack sources on the interface card in slot X.
NOTE: The device does not support attack source tracing based on source interfaces and VLANs for Layer 3 Ethernet interfaces. Therefore, this field does not contain the attack source tracing information of Layer 3 Ethernet interfaces.
Attack Source IP Table (MPU) Source tracing information of the MPU, distinguished by attack source IP address. Slot X indicates information about attack sources on the interface card in slot X.
IPAddress User IP address.
MacAddress MAC address of the user.
InterfaceName Name of the interface that initiates the attack.
Interface Name of the interface that initiates the attack.
Vlan:Outer/Inner ID of the VLAN that an interface belongs to. Outer indicates the outer VLAN ID and Inner indicates the inner VLAN ID.
NOTE: This field displays - for the attack source tracing entries of Layer 3 Ethernet interfaces.
TotalPackets Total number of packets received by the device.

# Display history attack source information.
<HUAWEI> display auto-defend attack-source history

  S : start time
  E : end time

  Attack History User Table (MPU):
  ------------------------------------------------------------------------------
  AttackTime            MacAddress     IFName         Vlan:O/I  Protocol    PPS
  ------------------------------------------------------------------------------
  S:2016-09-08 07:36:15 0000-c103-0102 GE1/0/0        100      ARP          40
  E:-
  ------------------------------------------------------------------------------
  Total: 1

  Attack History Port Table (MPU):
  ---------------------------------------------------------------
  AttackTime            IFName         Vlan:O/I  Protocol    PPS
  ---------------------------------------------------------------
  S:2016-09-08 07:36:37 GE1/0/0        100      ARP          40
  E:-
  ---------------------------------------------------------------
  Total: 1

  Attack History IP Table (MPU):
  ----------------------------------------------------------------------------
  AttackTime            IPAddress                                 Protocol
  PPS
  ----------------------------------------------------------------------------
  S:2016-09-08 07:36:15 2:2:2:2:2:2:2:2                           ARP
  E:-
  40
  ----------------------------------------------------------------------------
  Total: 1
Table 14-28  Description of the display auto-defend attack-source history command output

Item

Description

Attack History User Table (MPU) Information about attack sources on the main control board, distinguished by attacker.
Attack History Port Table (MPU) Information about attack sources on the main control board, distinguished by attacked interface.
Attack History IP Table (MPU) Information about attack sources on the main control board, distinguished by attack source IP address.
AttackTime Attack time.
  • S indicates the start time.
  • E indicates the end time. If the attack has not ended when you display history attack source information, this field displays -.
MacAddress User MAC address.
IPAddress User IP address.
IFName Name of the interface that initiates the attack.
Vlan:O/I ID of the VLAN that an interface belongs to. O indicates the outer VLAN ID and I indicates the inner VLAN ID.
Protocol Attack type.
PPS Highest rate of attack packets.
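The history table above is the record an operator would forward to a SIEM or use to decide which attack sources are still active. The following script is an added example, not Huawei's code: it parses the Attack History User Table of display auto-defend attack-source history into records, treats an end time of - as an attack that is still in progress, and filters entries by state and by peak rate. The sample output is constructed in the layout shown on this page (the second entry, the MAC 0000-c103-0ab3, the VLAN 200/30 and the DHCP rate are invented); only the User table layout is handled, since the IP table on this page wraps its PPS column onto a separate line.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample in the layout of the "Attack History User Table" shown on
# this page. Two entries: one attack still in progress (E:-), one already ended.
SAMPLE_HISTORY = """\
  S : start time
  E : end time

  Attack History User Table (MPU):
  ------------------------------------------------------------------------------
  AttackTime            MacAddress     IFName         Vlan:O/I  Protocol    PPS
  ------------------------------------------------------------------------------
  S:2016-09-08 07:36:15 0000-c103-0102 GE1/0/0        100      ARP          40
  E:-
  S:2016-09-08 06:10:02 0000-c103-0ab3 GE1/0/5        200/30   DHCP         75
  E:2016-09-08 06:12:40
  ------------------------------------------------------------------------------
  Total: 2
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
# "S:" row: start time, MAC in Huawei xxxx-xxxx-xxxx notation, interface,
# Vlan:O/I (which may be "100", "200/30" or "-"), protocol, peak rate in pps.
START_RE = re.compile(
    r"^S:(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$"
)
END_RE = re.compile(r"^E:(.+)$")


@dataclass
class AttackRecord:
    start: datetime
    end: Optional[datetime]  # None while the attack is still in progress (E:-)
    mac: str
    ifname: str
    vlan: str
    protocol: str
    pps: int

    @property
    def ongoing(self) -> bool:
        return self.end is None


def parse_attack_history(output: str) -> List[AttackRecord]:
    """Turn the User table of 'display auto-defend attack-source history' into records."""
    records: List[AttackRecord] = []
    pending: Optional[AttackRecord] = None
    for raw in output.splitlines():
        line = raw.strip()
        m = START_RE.match(line)
        if m:
            start, mac, ifname, vlan, proto, pps = m.groups()
            pending = AttackRecord(datetime.strptime(start, TS_FMT), None,
                                   mac, ifname, vlan, proto, int(pps))
            records.append(pending)
            continue
        m = END_RE.match(line)
        if m and pending is not None:
            end = m.group(1).strip()
            # "-" means the attack had not ended when the command was run
            pending.end = None if end == "-" else datetime.strptime(end, TS_FMT)
            pending = None
    return records


def ongoing_attacks(records: List[AttackRecord]) -> List[AttackRecord]:
    """Entries whose end time is still -, i.e. the source is still active."""
    return [r for r in records if r.ongoing]


def above_threshold(records: List[AttackRecord], threshold_pps: int) -> List[AttackRecord]:
    """Entries whose peak rate exceeded the given checking threshold (pps)."""
    return [r for r in records if r.pps > threshold_pps]


if __name__ == "__main__":
    for r in parse_attack_history(SAMPLE_HISTORY):
        state = "ONGOING" if r.ongoing else f"ended {r.end:{TS_FMT}}"
        print(f"{r.mac} on {r.ifname} vlan {r.vlan}: {r.protocol} peak {r.pps} pps, {state}")
```

Feed the script the captured output of the command on the MPU (or of the slot variant, whose table title differs but whose rows have the same layout); the PPS column is the highest rate observed, so comparing it with the auto-defend threshold value shows how far above the checking threshold each source went.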

display auto-defend configuration

Function

The display auto-defend configuration command displays the attack source tracing configuration.

Format

display auto-defend configuration [ cpu-defend policy policy-name | slot slot-id | mcu ]

Parameters

Parameter Description Value
cpu-defend policy policy-name Displays the attack source tracing configuration of a specified attack defense policy. The value is a string of 1 to 31 case-sensitive characters without spaces.
slot slot-id Specifies a slot ID. The value must be set according to the device configuration.
mcu Indicates the main control board. -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After attack source tracing is configured in an attack defense policy, you can run the display auto-defend configuration command to view the attack source tracing configuration.

Example

# Display the attack source tracing configuration.

<HUAWEI> display auto-defend configuration slot 1
 ----------------------------------------------------------------------------
 Name  : test
 Related slot : <1>
 auto-defend                      : enable
 auto-defend attack-packet sample : 5
 auto-defend threshold            : 60 (pps)
 auto-defend alarm                : enable
 auto-defend trace-type           : source-mac source-ip
 auto-defend protocol             : arp icmp dhcp igmp tcp telnet 8021x nd dhcpv6 mld icmpv6
 auto-defend action               : deny (Expired time : 300 s)
 auto-defend whitelist 1          : acl number 2002
 ----------------------------------------------------------------------------
Table 14-29  Description of the display auto-defend configuration command output

Item

Description

Name Name of an attack defense policy.
Related slot ID of the slot to which the attack defense policy is applied.
auto-defend Whether attack source tracing is enabled. To enable attack source tracing, run the auto-defend enable command.
auto-defend attack-packet sample Packet sampling ratio for attack source tracing. To set the packet sampling ratio for attack source tracing, run the auto-defend attack-packet sample command.
auto-defend threshold Checking threshold for attack source tracing. To set the checking threshold for attack source tracing, run the auto-defend threshold command.
auto-defend alarm Whether the alarm function for attack source tracing is enabled. To enable the alarm function for attack source tracing, run the auto-defend alarm enable command.
auto-defend trace-type Attack source tracing mode:
  • source-mac: attack source tracing based on source MAC addresses.
  • source-ip: attack source tracing based on source IP addresses.
  • source-portvlan: attack source tracing based on source port and VLAN.
To configure the attack source tracing mode, run the auto-defend trace-type command.
auto-defend protocol Type of traced packets. To specify the types of protocol packets that the device monitors in attack source tracing, run the auto-defend protocol command.
auto-defend action Action taken on the attack source. The value can be:
  • deny (Expired time: 300s): the device discards all attack packets from the source for 300s.
  • error-down: the inbound interfaces of attack packets are shut down.
To configure the punish action, run the auto-defend action command.
auto-defend whitelist 1 Whitelist for attack source tracing. For related commands, see auto-defend whitelist.

display auto-defend whitelist

Function

The display auto-defend whitelist command displays information about the attack source tracing whitelist.

Format

display auto-defend whitelist { slot slot-id | mcu }

Parameters

Parameter Description Value
slot slot-id Displays information about the attack source tracing whitelist in a specified slot. Set the value according to the device configuration.
mcu Displays information about the attack source tracing whitelist on the main control unit. -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After the whitelist for attack source tracing is configured, or when you are locating faults on the network, run the display auto-defend whitelist command to verify the whitelist information. If no whitelist is configured, the command displays no whitelist information.

Example

# Display information about the attack source tracing whitelist on the card in slot 1.

<HUAWEI> display auto-defend whitelist slot 1
  Protocol       Interface                 IP                   ACL      Status
-------------------------------------------------------------------------------
    DHCP          GE0/0/1                  --                   --        auto
    DHCP          GE0/0/2                  --                   --        auto
Table 14-30  Description of the display auto-defend whitelist command output

Item

Description

Protocol Protocol type of the packets excluded from attack source tracing.
Interface Interface on which inbound packets are excluded from attack source tracing.
IP Source IP address of the packets excluded from attack source tracing. If no source IP address is specified in the whitelist rule, this field displays --.
ACL ACL number specified in a manually configured whitelist rule. If the whitelist rule is automatically delivered, this field displays --.
Status Type of the whitelist rule, which can be:
  • auto: An automatically delivered whitelist rule is triggered by services.
  • manual: You can run the auto-defend whitelist whitelist-number { acl acl-number | interface interface-type interface-number } command in the attack defense policy view to manually configure an attack source tracing whitelist.

display auto-port-defend attack-source

Function

The display auto-port-defend attack-source command displays source tracing information on interfaces.

Format

display auto-port-defend attack-source [ slot slot-id ]

Parameters

Parameter Description Value
slot slot-id Displays source tracing information on the interfaces in the specified slot. If slot slot-id is not specified, the source tracing information on the interfaces of the MPU is displayed. The value depends on the device configuration.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The source tracing information helps you locate attack sources.

Example

# Display the source tracing information on the interfaces of MPU.

<HUAWEI> display auto-port-defend attack-source
Attack source table on MPU:
Total : 1
--------------------------------------------------------------------------------                                                    
Interface     VLAN Protocol     Expire(s)   PacketRate(pps)  LastAttackTime                                                         
--------------------------------------------------------------------------------
GE1/0/1     NA   arp-request  297        12               2013-07-06 17:36:54
--------------------------------------------------------------------------------
Table 14-31  Description of the display auto-port-defend attack-source command output

Item

Description

Attack source table on MPU Source tracing information on the interfaces of the MPU.
Total Number of source tracing records.
Interface Name of the attacked interface.
VLAN VLAN ID in attack packets. If the device does not support checking VLAN IDs in attack packets, this field displays NA.
Protocol Attack packet type.
Expire(s) Remaining time of the aging time for port attack defense.
NOTE: If the Expire(s) field of an entry displays 0, this entry will be deleted after a certain period (a maximum of 10 seconds).
PacketRate(pps) Rate of the last received attack packet.
LastAttackTime Time when the last attack packet was received.

display auto-port-defend configuration

Function

The display auto-port-defend configuration command displays the configuration of port attack defense.

Format

display auto-port-defend configuration [ slot slot-id ]

Parameters

Parameter Description Value
slot slot-id Displays the configuration of port attack defense on the interfaces in a specified slot. If slot slot-id is not specified, the port attack defense configuration on the interfaces of the MPU is displayed. The value depends on the device configuration.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

To view the configuration of port attack defense, use this command.

Example

# Display the configuration of port attack defense on the LPU in slot 1.

<HUAWEI> display auto-port-defend configuration slot 1
--------------------------------------------------------------------------------
 Name  : test                                                                
 Related slot : 1                                                             
 Auto-port-defend                       : enable                                
 Auto-port-defend sample                : 5                                     
 Auto-port-defend aging-time            : 300 second(s)                         
 Auto-port-defend arp-request threshold : 50 pps(enable)                        
 Auto-port-defend arp-reply threshold   : 50 pps(enable)                        
 Auto-port-defend dhcp threshold        : 50 pps(enable)                        
 Auto-port-defend icmp threshold        : 50 pps(enable)                        
 Auto-port-defend igmp threshold        : 50 pps(enable)                        
 Auto-port-defend ip-fragment threshold : 50 pps(enable)                        
 Auto-port-defend alarm                 : disable
--------------------------------------------------------------------------------
Table 14-32  Description of the display auto-port-defend configuration command output

Item

Description

Name Name of an attack defense policy.
Related slot ID of the slot to which the attack defense policy is applied.
Auto-port-defend Whether port attack defense is enabled. To enable the port attack defense function, run the auto-port-defend enable command.
Auto-port-defend sample Sampling ratio for protocol packets. To set this parameter, run the auto-port-defend sample command.
Auto-port-defend aging-time Aging time for port attack defense. To set this parameter, run the auto-port-defend aging-time command.
Auto-port-defend arp-request threshold Whether port attack defense is applied to ARP Request packets, and the rate threshold. To set this parameter, run the auto-port-defend protocol arp-request and auto-port-defend protocol arp-request threshold threshold commands.
Auto-port-defend arp-reply threshold Whether port attack defense is applied to ARP Reply packets, and the rate threshold. To set this parameter, run the auto-port-defend protocol arp-reply and auto-port-defend protocol arp-reply threshold threshold commands.
Auto-port-defend dhcp threshold Whether port attack defense is applied to DHCP packets, and the rate threshold. To set this parameter, run the auto-port-defend protocol dhcp and auto-port-defend protocol dhcp threshold threshold commands.
Auto-port-defend icmp threshold Whether port attack defense is applied to ICMP packets, and the rate threshold. To set this parameter, run the auto-port-defend protocol icmp and auto-port-defend protocol icmp threshold threshold commands.
Auto-port-defend igmp threshold Whether port attack defense is applied to IGMP packets, and the rate threshold. To set this parameter, run the auto-port-defend protocol igmp and auto-port-defend protocol igmp threshold threshold commands.
Auto-port-defend ip-fragment threshold Whether port attack defense is applied to IP fragments, and the rate threshold. To set this parameter, run the auto-port-defend protocol ip-fragment and auto-port-defend protocol ip-fragment threshold threshold commands.
Auto-port-defend alarm Whether reporting of port attack defense events is enabled. To set this parameter, run the auto-port-defend alarm enable command.

display auto-port-defend statistics

Function

The display auto-port-defend statistics command displays packet statistics about port attack defense.

Format

display auto-port-defend statistics [ slot slot-id ]

Parameters

Parameter Description Value
slot slot-id Displays packet statistics in the specified slot. If slot slot-id is not specified, the packet statistics on the MPU are displayed. The value depends on the device configuration.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to view statistics about the packets discarded and accepted in the port attack defense service. The statistics help you understand protocol packet processing status and promptly adjust the attack defense policy.

Packet statistics on port attack defense do not depend on whether the port attack defense function is enabled on the MPU and LPUs. If port attack defense is disabled on the ports of the MPU but the LPUs generate port attack defense entries, packet statistics on port attack defense are still collected on the ports of the MPU. Conversely, if port attack defense is disabled on the ports of the LPUs but the MPU generates port attack defense entries, packet statistics are still collected on the ports of the LPUs.

Example

# Display packet statistics on the interfaces of the MPU.

<HUAWEI> display auto-port-defend statistics
Statistics on MPU:                                                                                                                  
--------------------------------------------------------------------------------                                                    
Protocol     Vlan Queue Cir(Kbps)  Pass(Packet/Byte)  Drop(Packet/Byte)                                                             
--------------------------------------------------------------------------------                                                    
icmp         NA   2     256        23095              3                                                                             
                                   NA                 NA                                                                            
--------------------------------------------------------------------------------  
NOTE:

The preceding information is an example. The displayed packet type depends on the actual situation.

By default, ARP message caching is enabled. To collect statistics about ARP packets on MPU interfaces where port attack defense is configured, disable ARP message caching by running the arp message-cache disable command.

Table 14-33  Description of the display auto-port-defend statistics command output

Item

Description

Statistics on MPU Packet statistics on the interfaces of the MPU.
Protocol Attack packet type.
Vlan VLAN ID in attack packets. If the device does not support checking VLAN IDs in attack packets, this field displays NA.
Queue Queue from which attack packets are sent.
Cir(Kbps) Protocol rate limit (CPCAR in attack defense policies). To configure a CIR value, run the car packet-type packet-type cir cir-value command in the attack defense policy view.
Pass(Packet/Byte) Number and bytes of attack packets that pass through the device. The value 23095 indicates the number of accepted packets. The value NA indicates that the card does not support statistics collection by byte.
Drop(Packet/Byte) Number and bytes of attack packets discarded by the device. The value 3 indicates the number of discarded packets. The value NA indicates that the card does not support statistics collection by byte.

display auto-port-defend whitelist

Function

The display auto-port-defend whitelist command displays information about the interface attack defense whitelist.

Format

display auto-port-defend whitelist [ slot slot-id ]

Parameters

Parameter Description Value
slot slot-id Specifies a slot ID if stacking is not configured, or a stack ID in a stack. Set the value according to the device configuration.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After the whitelist for port attack defense is configured, or when you are locating faults on the network, run the display auto-port-defend whitelist command to verify the whitelist information. If no whitelist is configured, the command displays no whitelist information.

Example

# Display information about the interface attack defense whitelist.

<HUAWEI> display auto-port-defend whitelist slot 1
  Protocol       Interface                 IP                   ACL      Status
-------------------------------------------------------------------------------
    --            Eth-Trunk0               --                   --        auto
    --            GE0/0/1                  --                   --       manual
    --              --                     --                  2000      manual
Table 14-34  Description of the display auto-port-defend whitelist command output

Item

Description

Protocol Protocol type of packets free from the interface attack defense action. If no packet protocol type is specified in the whitelist rule, this field displays --.
Interface Interface free from the attack defense action. If the whitelist is configured based on ACL rules, this field displays --.
IP Source IP address of packets free from the interface attack defense action. If the whitelist is configured based on interfaces or automatically delivered, this field displays --.
ACL ACL number specified in a manually configured whitelist rule.
Status Type of the whitelist rule, which can be:
  • auto: An automatically delivered whitelist rule is triggered by services.
  • manual: You can run the auto-port-defend whitelist whitelist-number { acl acl-number | interface interface-type interface-number } command in the attack defense policy view to configure a whitelist for port attack defense.

display cpu-defend applied

Function

The display cpu-defend applied command displays the actual CAR values for the protocol packets delivered to the chip.

Format

display cpu-defend applied [ packet-type packet-type ] { mcu | slot slot-id | all }

Parameters

Parameter Description Value
packet-type packet-type Specifies a packet type. The supported packet type depends on the device.
mcu Indicates the main control board. -
slot slot-id Specifies a slot ID. The value must be set according to the device configuration.
all Indicates all boards, including main control boards and LPUs. -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The actual CAR values may differ from the configured CAR values, for the following reasons:

  • The CIR value specified in the car { packet-type packet-type | user-defined-flow flow-id } cir cir-value [ cbs cbs-value ] command can be any value in a continuous range, but the chip applies CIR values only at discrete steps set by its granularity. For example, if the CIR value range is set to 65 to 128 with the granularity 64 kbit/s, the actual CIR value may be 64 or 128, depending on the product model.

  • The configured CIR value exceeds the chip capacity, that is, the upper threshold the chip supports. For example, if the CIR value is set to 10000 but the chip does not support a CIR value of 1000, the actual CIR value cannot reach 10000.

Run the display cpu-defend applied command to view the actual CAR values that the chip applies to protocol packets.

NOTE:

When too much output information is to be displayed, specify the begin, exclude, or include parameter to display only the required information.

Example

# Display the actual CAR values for ARP Request messages sent from the board in slot 1.

<HUAWEI> display cpu-defend applied packet-type arp-request slot 1
Applied Car on slot 1:                                                          
------------------------------------------------------------------------------- 
Packet Type         Cir(Kbps)    Cbs(Byte) Applied Cir(Kbps) Applied Cbs(Byte)  
------------------------------------------------------------------------------- 
arp-request                65        10000               128             10000  
------------------------------------------------------------------------------- 
Table 14-35  Description of the display cpu-defend applied command output

Item Description
Applied Car on slot 1 CAR values for protocol packets sent by the specified slot.
Packet Type Packet type.
Cir(Kbps) Configured committed information rate (CIR), in kbit/s. To set the CIR value, run the car (attack defense policy view) and linkup-car commands.
Cbs(Byte) Configured committed burst size (CBS), in bytes. To set the CBS value, run the car (attack defense policy view) and linkup-car commands.
Applied Cir(Kbps) Actual CIR value on the chip, in kbit/s.
Applied Cbs(Byte) Actual CBS value on the chip, in bytes.
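The usage guidelines above explain why an applied CIR can differ from the configured one (chip granularity and the chip's upper limit). The following is an added example, not Huawei code, that parses the `display cpu-defend applied` table and flags rows whose applied CIR deviates from the configured value, marking whether a simple quantisation model explains the deviation. The 64 kbit/s granularity, the round-up direction and the chip maximum of 8192 kbit/s are assumptions used for illustration; the reference says both depend on the product model. The sample output is constructed, not captured from a device.

```python
"""Compare configured and applied CPCAR values from `display cpu-defend applied`.

Added example, not Huawei code. It assumes the column layout shown in this
command reference. The 64 kbit/s granularity, the round-up direction and the
chip maximum are assumptions: the text says both depend on the product model.
"""
import re

# Constructed sample output, modelled on the example above (not captured from a device).
SAMPLE_OUTPUT = """\
Applied Car on slot 1:
-------------------------------------------------------------------------------
Packet Type         Cir(Kbps)    Cbs(Byte) Applied Cir(Kbps) Applied Cbs(Byte)
-------------------------------------------------------------------------------
arp-request                65        10000               128             10000
arp-reply                 128        16000               128             16000
bgp                     10000       640000              8192            640000
-------------------------------------------------------------------------------
"""

# One data row: packet type followed by four integer columns.
ROW_RE = re.compile(
    r"^(?P<ptype>[\w-]+)\s+(?P<cir>\d+)\s+(?P<cbs>\d+)\s+(?P<acir>\d+)\s+(?P<acbs>\d+)$"
)


def parse_applied(text):
    """Parse the table into a list of dicts with integer CAR fields."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            rows.append({k: (v if k == "ptype" else int(v)) for k, v in row.items()})
    return rows


def expected_applied(cir, granularity=64, max_cir=8192, round_up=True):
    """Model how the chip quantises a configured CIR (assumed behaviour).

    The configured value is snapped to a multiple of the granularity and then
    clamped to the chip maximum. Whether 65 becomes 64 or 128 depends on the
    product model, so the rounding direction is a parameter.
    """
    if round_up:
        snapped = -(-cir // granularity) * granularity  # ceiling division
    else:
        snapped = (cir // granularity) * granularity
    return min(snapped, max_cir)


def find_deviations(text, **model):
    """Return rows whose applied CIR differs from the configured CIR.

    Each entry also records whether the deviation is explained by the
    quantisation model, so an unexplained mismatch can be investigated.
    """
    out = []
    for row in parse_applied(text):
        if row["acir"] != row["cir"]:
            out.append({
                "ptype": row["ptype"],
                "cir": row["cir"],
                "applied": row["acir"],
                "explained": expected_applied(row["cir"], **model) == row["acir"],
            })
    return out


if __name__ == "__main__":
    for d in find_deviations(SAMPLE_OUTPUT):
        flag = "ok" if d["explained"] else "UNEXPLAINED"
        print(f"{d['ptype']:<14} configured {d['cir']:>6} applied {d['applied']:>6}  {flag}")
```

Pass `round_up=False` or a different `max_cir` to `find_deviations` to match the quantisation behaviour observed on a particular model; a row that stays unexplained under the expected model is worth checking against the configured policy.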

display cpu-defend configuration

Function

The display cpu-defend configuration command displays CAR configurations.

Format

display cpu-defend configuration [ packet-type packet-type ] { all | slot slot-id | mcu }

Parameters

Parameter Description Value
packet-type packet-type Specifies a packet type. The supported packet type depends on the device.
all Indicates all boards, including main control boards and LPUs. -
slot slot-id Specifies a slot ID. The value must be set according to the device configuration.
mcu Indicates the main control board. -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display cpu-defend configuration command to view the rate limit of protocol packets sent to the CPU. By default, the rate limit of protocol packets in the default policy is displayed.

Example

# Display the CAR configurations of all boards.
<HUAWEI> display cpu-defend configuration all
Car configurations on mainboard.                                                
----------------------------------------------------------------------          
Packet Name         Status     Cir(Kbps)   Cbs(Byte)  Queue  Port-Type          
----------------------------------------------------------------------          
8021x               Enabled          256       32000      3        NA          
arp-mff             Enabled          128       16000      3        NA          
arp-miss            Enabled          128       16000      3        NA          
arp-reply           Enabled          128       16000      3        NA          
arp-request         Enabled          128       16000      3        NA          
bfd                 Enabled          512       64000      5        NA          
bgp                 Enabled          512       64000      5        NA          
bgp4plus            Enabled          128       16000      5        NA          
bpdu-tunnel         Enabled          512       64000      5        NA          
......
----------------------------------------------------------------------

Linkup Information: 
-------------------------------------------------------------------------------- 
Packet Name : ftp 
Cir(Kbps)/Cbs(Byte) : 4096/770048 
SIP(SMAC) : 10.1.2.1     
DIP(DMAC) : 10.1.3.1       
Port(S/C) : 42372/22
--------------------------------------------------------------------------------
Car configurations on slot 2.                                                   
----------------------------------------------------------------------          
Packet Name         Status     Cir(Kbps)   Cbs(Byte)  Queue  Port-Type          
----------------------------------------------------------------------          
8021x               Disabled         256       32000      3        NA          
arp-mff             Disabled          64       10000      3        NA          
arp-miss            Enabled          128       16000      3        NA          
arp-reply           Enabled           64       10000      3        UNI          
arp-request         Enabled           64       10000      3        UNI          
bfd                 Disabled         256       32000      5        NNI          
bgp                 Disabled         256       32000      5        NA          
bgp4plus            Disabled         128       32000      5        NA          
bpdu-tunnel         Disabled         128       16000      5        NA          
...
----------------------------------------------------------------------

Linkup Information: 
-------------------------------------------------------------------------------- 
Packet Name : ftp 
Cir(Kbps)/Cbs(Byte) : 4096/770048 
SIP(SMAC) : 10.1.2.1     
DIP(DMAC) : 10.1.3.1       
Port(S/C) : 42372/22
--------------------------------------------------------------------------------
NOTE:

The preceding information is an example. The displayed packet type depends on the actual situation.

Table 14-36  Description of the display cpu-defend configuration command output

Item Description
Car configurations on mainboard CAR configurations on the main control board.
Car configurations on slot 2 CAR configurations on slot 2.
Packet Name Packet type.
Status Protocol packet status:
  • Enabled
  • Disabled
Cir(Kbps) Committed information rate (CIR), in kbit/s. To set the CIR value, run the car (attack defense policy view) and linkup-car commands.
Cbs(Byte) Committed burst size (CBS), in bytes. To set the CBS value, run the car (attack defense policy view) and linkup-car commands.
Queue Queue that protocol packets are sent to.
Port-Type Port type. The value can be UNI, NNI, or ENI. To configure the port type, run the port type and port-type commands.
Linkup Information Information about the protocol connection.
NOTE:

This information is displayed only when association of protocols is triggered.
SIP(SMAC) Source IP address or source MAC address.
DIP(DMAC) Destination IP address or destination MAC address.
Port(S/C) Source/destination port number.

display cpu-defend dynamic-car history-record

Function

The display cpu-defend dynamic-car history-record command displays historical records on dynamic adjustment of the default CIR value of protocol packets.

Format

display cpu-defend dynamic-car history-record

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After the default CIR value is set, you can run this command to view the historical records of adjusting the CPCAR value of protocol packets from 64 kbit/s to a specific value.

The granularity of each adjustment is 128 kbit/s on MPUs and 64 kbit/s on LPUs. If the default CPCAR value is greater than 64 kbit/s, the adjustments from 64 kbit/s to the default CPCAR value are only recorded but do not take effect.

Example

# Display the historical records on dynamic adjustment of the default CIR value of protocol packets.

<HUAWEI> display cpu-defend dynamic-car history-record
 Global status : Enable                                                         
 -------------------------------------------------------------------------------
 Time                 Protocol    Packet-type     Slot  CIR(Kbps)   Status      
 -------------------------------------------------------------------------------
 2012-08-24 11:28:10  arp         arp-reply       0     128         Success                                                         
 2012-08-24 11:28:08  arp         arp-request     0     128         Success                                                         
 2012-08-24 11:27:37  arp         arp-reply       0     64          Success                                                         
 2012-08-24 11:27:37  arp         arp-request     0     64          Success   
-------------------------------------------------------------------------------
Table 14-37  Description of the display cpu-defend dynamic-car history-record command output

Item Description
Global status Whether the device is enabled to dynamically adjust the default CIR value of protocol packets. To enable this function, run the cpu-defend dynamic-car enable command.
Time Time at which the default CIR value of protocol packets was dynamically adjusted.
Protocol Protocol name. To configure a protocol, run the cpu-defend dynamic-car [ ospf | arp ] command.
Packet-type Packet type.
Slot ID of the slot where the default CIR value is dynamically adjusted.
CIR(Kbps) Dynamically adjusted default CIR value, in kbit/s. If the default CIR value is restored to the original default CIR value, NA is displayed.
NOTE:

When the rate of packets sent to the CPU is too high, the CPU becomes overloaded. The device then restores the original default CIR value for protocol packets, and this field displays NA.
Status Result of dynamic adjustment. The value can be:
  • success: The adjustment succeeds.
  • fail: The adjustment fails.
  • conflict: The adjusted default CIR value conflicts with the CIR value configured by the user. The configured CIR value takes effect.

display cpu-defend host-car statistics

Function

The display cpu-defend host-car statistics command displays the number of packets discarded in user-level rate limiting.

NOTE:

Only the X series LPUs support this command.

Format

display cpu-defend host-car [ mac-address mac-address ] statistics [ slot slot-id ]

Parameters

Parameter Description Value
mac-address mac-address Displays the number of packets discarded from the specified MAC address. -
slot slot-id Displays the number of packets discarded on the card in the specified slot. -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

To view the number of packets discarded in the user-level rate limiting, run this command.

Precautions

  • Before using this command, run the cpu-defend host-car enable command to enable user-level rate limiting.
  • If the number of discarded packets is 0, the index is not displayed.

Example

# Display the number of packets discarded in the user-level rate limiting.

<HUAWEI> display cpu-defend host-car statistics
slot 0                                                                                                                              
car-id                              car-drop                                                                                        
--------------------------------------------                                                                                        
3192                                  740385                                                                                        
3347                                       7                                                                                        
4133                                  529474                                                                                        
4471                                  529477                                                                                        
5075                                  529476                                                                                        
5836                                  529474                                                                                        
6046                                 1001218
Table 14-38  Description of the display cpu-defend host-car statistics command output

Item Description
slot Slot ID.
car-id Bucket ID for rate limiting.
car-drop Number of packets dropped because their rate exceeds the CAR. To configure the CAR value, run the cpu-defend host-car [ mac-address mac-address | car-id car-id ] pps pps-value command.

display cpu-defend policy

Function

The display cpu-defend policy command displays the attack defense policy configuration.

Format

display cpu-defend policy [ policy-name ]

Parameters

Parameter Description Value
policy-name Displays the configuration of a specified attack defense policy. The attack defense policy must already exist.
  • If policy-name is specified, information about the specified attack defense policy is displayed.
  • If policy-name is not specified, information about all attack defense policies is displayed.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After an attack defense policy is created, you can run the display cpu-defend policy command to view the board that the attack defense policy is applied to and configurations of the attack defense policy.

Example

# Display information about all attack defense policies.

<HUAWEI> display cpu-defend policy 
  ----------------------------------------------------------------              
 Name  : default                                                                
 Related slot : <4-6>                                                           
 user-defined-flow default car Configuration : CIR(64)  CBS(10000)              
  ----------------------------------------------------------------              
 Name  : test1                                                                   
 Related slot : <3>                                                             
 user-defined-flow default car Configuration : CIR(64)  CBS(10000)              
  ----------------------------------------------------------------              
 Name  : test                                                                  
 Description : defend_arp_attack   
 Related slot : <2,8>                                                           
 user-defined-flow default car Configuration : CIR(64)  CBS(10000)   

# Display information about the attack defense policy named test.

<HUAWEI> display cpu-defend policy test
 Description : defend_arp_attack         
 Related slot : <2,8>                                                           
 WhiteList&Blacklist&UserDefineFlow Status :                                    
   Slot<2> : Success                                                            
   Slot<8> : Success                                                            
 Configuration :                                                                
   Whitelist 1 ACL number : 2002                                                
   Blacklist 1 ACL number : 2001                                                
   User-defined-flow 1 ACL number : 2003                                        
   Car user-defined-flow 1 : CIR(5000)  CBS(940000)                             
   Car packet-type arp-request : CIR(128)  CBS(24064)                           
   Deny packet-type arp-reply                                                   
   Port-type eni packet-type arp-request   
   Linkup-car packet-type  ftp : CIR(5000)  CBS(940000)                         
Table 14-39  Description of the display cpu-defend policy command output

Item Description
Name Name of an attack defense policy. To configure an attack defense policy, run the cpu-defend policy command.
Description Description of an attack defense policy. To configure a description for an attack defense policy, run the description (attack defense policy view) command.
Related slot Board that an attack defense policy is applied to.
user-defined-flow default car Configuration Default configuration of a user-defined flow. To set the default configuration of a user-defined flow, run the car (attack defense policy view) command.
WhiteList&Blacklist&UserDefineFlow Status Status of the whitelist, blacklist, and user-defined flow.
Slot<2> : Success A whitelist, blacklist, and user-defined flow have been successfully configured on the board in slot 2.
Whitelist 1 ACL number Number of the ACL defined in whitelist 1. To configure a whitelist, run the whitelist command.
Blacklist 1 ACL number Number of the ACL defined in blacklist 1. To configure a blacklist, run the blacklist command.
User-defined-flow 1 ACL number Number of the ACL defined in user-defined flow 1. To configure a user-defined flow, run the user-defined-flow command.
Car user-defined-flow 1 CIR and CBS values of user-defined flow 1. To set them, run the car (attack defense policy view) command.
Car packet-type arp-request CIR and CBS values for ARP Request packets. To set them, run the car (attack defense policy view) command.
Deny packet-type arp-reply ARP Reply packets are discarded. To configure the device to discard ARP Reply packets, run the deny command.
Port-type eni packet-type arp-request ARP Request packets are sent to the CPU through ENI ports. To enable ENI ports to send ARP Request packets to the CPU, run the port type and port-type commands.
Linkup-car packet-type ftp CIR and CBS values for FTP packets after an FTP connection is set up. To set them, run the linkup-car and cpu-defend application-apperceive enable commands.
Car all-packets pps Rate limit for packets sent to the CPU of the MPU or an LPU.

display cpu-defend port-type

Function

The display cpu-defend port-type command displays physical interfaces of Network-to-Network Interface (NNI), User-to-Network Interface (UNI), and Enhanced Network Interface (ENI) types.

Format

display cpu-defend port-type slot slot-id

Parameters

Parameter Description Value
slot slot-id Specifies a slot ID. The value must be set according to the device configuration.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After specifying the types of interfaces that send protocol packets to the CPU using the port type { uni | eni | nni } and port-type { uni | eni | nni } packet-type type commands, you can run the display cpu-defend port-type command to view the interface types on the device.

Example

# Display interface types on the LPU in slot 1.

<HUAWEI> display cpu-defend port-type slot 1
 Uni Port :GigabitEthernet1/0/2,                                                                          
 Eni Port :GigabitEthernet1/0/1,Eth-Trunk120,                                                             
 Nni Port :GigabitEthernet1/0/0,GigabitEthernet1/0/4-47,
Table 14-40  Description of the display cpu-defend port-type command output

Item Description
Uni Port The interface is a user-side interface on the device.
Eni Port The interface is connected to another switch or to a user.
Nni Port The interface is a network-side interface on the device.

display cpu-defend rate

Function

The display cpu-defend rate command displays the rate of sending protocol packets to the CPU.

Format

display cpu-defend rate [ packet-type packet-type ] { all | mcu | slot slot-id }

Parameters

Parameter Description Value
packet-type packet-type Specifies a packet type. The supported packet type depends on the device.
all Indicates all boards, including main control boards and LPUs. -
mcu Indicates the main control board. -
slot slot-id Specifies a slot ID. The value must be set according to the device configuration.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Run the display cpu-defend rate command to view the rate at which protocol packets are sent to the CPU when checking the configuration of an attack defense policy. Based on the rate, you can determine which protocol may be attacking the CPU.

NOTE:

To protect the CPU and ensure normal operation of other services, the device measures the rate of protocol packets sent to the CPU only during a fixed period after you run the display cpu-defend rate command, and then displays the result on the terminal. After you run this command, a message asks you to wait for a moment.

Example

# Display the rate of ARP Reply packets sent from the LPU in slot 1 to the CPU.

<HUAWEI> display cpu-defend rate packet-type arp-reply slot 1
Info: Please wait for a moment....
Cpu-defend rate on slot 1:
-------------------------------------------------------------------------------
Packet Type           Pass(bps)    Drop(bps)       Pass(pps)       Drop(pps)
-------------------------------------------------------------------------------
arp-reply                 49504        86496              91             159
-------------------------------------------------------------------------------
# Display the rate of protocol packets sent from the MPU to the CPU.
<HUAWEI> display cpu-defend rate mcu 
Info: Please wait for a moment....                                              
Cpu-defend rate on mainboard:                                                   
------------------------------------------------------------------------------- 
Packet Type           Pass(bps)    Drop(bps)       Pass(pps)       Drop(pps)    
------------------------------------------------------------------------------- 
8021X                         0            0               0               0    
arp-miss                      0            0               0               0    
arp-reply                     0            0               0               0    
arp-request                   0            0               0               0    
bfd                           0            0               0               0    
bgp                           0            0               0               0    
bgp4plus                      0            0               0               0    
dhcp-client                   0            0               0               0    
dhcp-server                   0            0               0               0    
dhcpv6-reply                  0            0               0               0    
dhcpv6-request                0            0               0               0    
dldp                          0            0               0               0    
......
------------------------------------------------------------------------------- 
NOTE:

The preceding information is an example. The displayed packet type depends on the actual situation.

Table 14-41  Description of the display cpu-defend rate command output

Item Description
Packet Type Packet type.
Pass(bps) Number of forwarded bits within one second.
Drop(bps) Number of discarded bits within one second.
Pass(pps) Number of forwarded packets within one second.
Drop(pps) Number of discarded packets within one second.
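The usage guidelines say to use the per-protocol rate to judge which protocol may be attacking the CPU. The following is an added example, not Huawei code, that parses `display cpu-defend rate` output for one or more boards and ranks packet types by their Drop(pps), which is the CAR actively discarding that protocol's traffic. It assumes the column layout shown above and a board header of the form "Cpu-defend rate on <board>:"; the sample output is constructed, not captured from a device.

```python
"""Rank protocols by CPU-bound drop rate from `display cpu-defend rate` output.

Added example, not Huawei code. It assumes the column layout shown in this
command reference (Pass(bps) Drop(bps) Pass(pps) Drop(pps)) and a board header
of the form "Cpu-defend rate on <board>:".
"""
import re

# Constructed sample output (not captured from a device), modelled on the examples above.
SAMPLE_OUTPUT = """\
Info: Please wait for a moment....
Cpu-defend rate on slot 1:
-------------------------------------------------------------------------------
Packet Type           Pass(bps)    Drop(bps)       Pass(pps)       Drop(pps)
-------------------------------------------------------------------------------
arp-reply                 49504        86496              91             159
arp-request                1024            0               2               0
dhcp-client                   0            0               0               0
-------------------------------------------------------------------------------
Cpu-defend rate on mainboard:
-------------------------------------------------------------------------------
Packet Type           Pass(bps)    Drop(bps)       Pass(pps)       Drop(pps)
-------------------------------------------------------------------------------
8021X                         0            0               0               0
arp-miss                  65536        12288             128              24
-------------------------------------------------------------------------------
"""

BOARD_RE = re.compile(r"^Cpu-defend rate on (?P<board>.+):$")
ROW_RE = re.compile(
    r"^(?P<ptype>[\w-]+)\s+(?P<pass_bps>\d+)\s+(?P<drop_bps>\d+)\s+"
    r"(?P<pass_pps>\d+)\s+(?P<drop_pps>\d+)$"
)


def parse_rate(text):
    """Return a list of per-board, per-packet-type rate records."""
    records, board = [], None
    for raw in text.splitlines():
        line = raw.strip()
        bm = BOARD_RE.match(line)
        if bm:
            board = bm.group("board")
            continue
        rm = ROW_RE.match(line)
        if rm and board is not None:
            rec = {k: (v if k == "ptype" else int(v)) for k, v in rm.groupdict().items()}
            rec["board"] = board
            records.append(rec)
    return records


def drop_ratio(rec):
    """Share of packets dropped by the CAR; 0.0 when nothing arrived."""
    total = rec["pass_pps"] + rec["drop_pps"]
    return rec["drop_pps"] / total if total else 0.0


def suspects(text, min_drop_pps=1):
    """Packet types with drops at or above the threshold, worst first.

    A sustained drop rate means the CAR is actively limiting that protocol,
    which is what the usage guidelines say to look for when judging which
    protocol may be attacking the CPU.
    """
    hits = [r for r in parse_rate(text) if r["drop_pps"] >= min_drop_pps]
    return sorted(hits, key=lambda r: r["drop_pps"], reverse=True)


if __name__ == "__main__":
    for r in suspects(SAMPLE_OUTPUT):
        print(f"{r['board']:<10} {r['ptype']:<14} drop {r['drop_pps']:>5} pps "
              f"({drop_ratio(r):.0%} of that protocol's traffic)")
```

Because the command samples the rate over a short window (see the NOTE above), a single run is a snapshot; running it a few times and comparing `suspects` results gives a more reliable picture than one reading.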

display cpu-defend statistics

Function

The display cpu-defend statistics command displays statistics about packets sent to the CPU.

Format

display cpu-defend statistics [ packet-type packet-type ] { all | slot slot-id | mcu }

Parameters

Parameter Description Value
packet-type packet-type Displays statistics about the specified type of protocol packets sent to the CPU. packet-type specifies the packet type. The supported packet type depends on the device.
  • If packet-type is specified, statistics about the specified type of protocol packets sent to the CPU are displayed.
  • If packet-type is not specified, statistics about all protocol packets sent to the CPU are displayed.
all Displays statistics about packets sent to the CPU on all cards, including main control boards and LPUs. -
slot slot-id Displays statistics about packets sent to the CPU on the card in the specified slot. The value must be set according to the device configuration.
mcu Displays statistics about packets sent to the CPU on the main control board. -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The display cpu-defend statistics command displays statistics about packets sent to the CPU, including forwarded and discarded packets. This helps network administrators configure attack defense policies.

Precautions

When MFF, VPLS, or NAC is enabled on the switch, the MPU also counts the ARP Reply packets when limiting the rate of ARP Request packets or collecting statistics about ARP Request packets.

Example

# Display statistics about packets sent to the CPU on the card in slot 1.

<HUAWEI> display cpu-defend statistics slot 1
 Statistics on slot 1:
--------------------------------------------------------------------------------
Packet Type          Pass(Packet/Byte)   Drop(Packet/Byte)  Last-dropping-time
--------------------------------------------------------------------------------
8021x                                0                   0  -
                                     0                   0
arp-mff                              0                   0  -
                                     0                   0
arp-miss                             0                   0  -
                                     0                   0
arp-reply                            0                   0  -
                                     0                   0
arp-request                          0                   0  -
......
# Display statistics about packets sent to the CPU on the main control board.
<HUAWEI> display cpu-defend statistics mcu
 Statistics on mainboard:
--------------------------------------------------------------------------------                                                    
Packet Type          Pass(Packet/Byte)   Drop(Packet/Byte)  Last-dropping-time                                                      
--------------------------------------------------------------------------------                                                    
8021x                                0                   0  -                                                                       
                                    NA                  NA                                                                          
8021x-ident                          0                   0  -                                                                       
                                    NA                  NA                                                                          
8021x-ident-wlan                     0                   0  -                                                                       
                                     0                   0                                                                          
8021x-start                          0                   0  -                                                                       
                                    NA                  NA                                                                          
8021x-start-wlan                     0                   0  -                                                                       
                                     0                   0                                                                          
8021x-wireless                       0                   0  -                                                                       
                                     0                   0                                                                          
arp-miss                             0                   0  -                                                                       
                                     0                   0                                                                          
arp-reply                          969                   0  -                                                                       
                                    NA                  NA                                                                          
arp-request                     177791                   0  -                                                                       
                                    NA                  NA                                                                          
asdp                                 0                   0  -                                                                       
                                     0                   0                                                                          
bfd                                  0                   0  -                                                                       
                                     0                   0                                                                          
bgp                                  0                   0  -                                                                       
                                     0                   0                                                                          
bgp4plus                             0                   0  -                                                                       
                                     0                   0                                                                          
bpdu-tunnel                          0                   0  -                                                                       
                                     0                   0                                                                          
capwap-ap-auth                       0                   0  -                                                                       
                                     0                   0                                                                          
capwap-association                   0                   0  -                                                                       
                                     0                   0                                                                          
capwap-disassoc                      0                   0  -                                                                       
                                     0                   0                                                                          
capwap-discov-bc                     0                   0  -                                                                       
                                    NA                  NA                                                                          
capwap-discov-uc                     0                   0  -                                                                       
                                     0                   0                                                                          
......
# Display CAR statistics about ARP Reply packets of the card in slot 1.
<HUAWEI> display cpu-defend statistics packet-type arp-reply slot 1
 Statistics on slot 1:
--------------------------------------------------------------------------------
Packet Type          Pass(Packet/Byte)   Drop(Packet/Byte)  Last-dropping-time  
--------------------------------------------------------------------------------
arp-reply                      3625354          5612376421  2013-09-26 12:05:37
                             377036776          583687147k
--------------------------------------------------------------------------------
 Linkup statistics on slot 1:  
--------------------------------------------------------------------------------
Packet Type          Pass(Packet/Byte)   Drop(Packet/Byte)  Last-dropping-time  
--------------------------------------------------------------------------------
telnet                               0                   0  -                   
                                     0                   0                      
--------------------------------------------------------------------------------
NOTE:

The preceding information is an example. The displayed packet type depends on the actual situation.

Table 14-42  Description of the display cpu-defend statistics command output

Item

Description

Statistics on slot 1

CAR statistics about protocol packets sent to the CPU by a specified card.

Statistics on mainboard

CAR statistics about protocol packets sent to the CPU by a main control board.

NOTE:

When a switch is configured with X series cards, statistics about both ARP Miss messages and ND Miss messages on the main control board are combined into the arp-miss field.

Linkup statistics on slot 1

CAR statistics about protocol packets sent to the CPU, collected while a protocol connection is being established.

Packet Type

Packet type.

Pass(Packet/Byte)

Number of forwarded packets (first line of the row) and forwarded bytes (second line of the row).

Drop(Packet/Byte)

Number of discarded packets (first line of the row) and discarded bytes (second line of the row).

NOTE:

When a value has more than 11 digits, it is displayed with a trailing k, indicating that the displayed number is to be multiplied by 1000. When a value has more than 14 digits, it is displayed with a trailing m, indicating that the displayed number is to be multiplied by 1000000. When a value has more than 17 digits, it is displayed with a trailing g, indicating that the displayed number is to be multiplied by 1000000000.

Last-dropping-time

Last time statistics about dropped packets were collected.
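Operators usually poll this output rather than read it by hand. The following added example (not Huawei code) parses the two-line-per-row layout shown above, expands the k/m/g suffixes described in the NOTE, treats NA as "no counter", and flags the packet types whose CPCAR has discarded anything, which is the condition behind the hwDefendCpcarDropPkt trap. The sample output is constructed from the format in this reference; the bgp row and the NA row are added to exercise the suffix and NA handling.

```python
"""Parse `display cpu-defend statistics` output and flag packet types with CPCAR drops.

Added example, not Huawei code. SAMPLE_OUTPUT is constructed from the format shown in
the command reference; the 'bgp' row (with k/m suffixes) and the 'NA' row are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_OUTPUT = """\
 Statistics on slot 1:
--------------------------------------------------------------------------------
Packet Type          Pass(Packet/Byte)   Drop(Packet/Byte)  Last-dropping-time
--------------------------------------------------------------------------------
arp-reply                      3625354          5612376421  2013-09-26 12:05:37
                             377036776          583687147k
bgp                            1200000                4500  2013-09-26 12:07:02
                                 9600m                2250k
capwap-discov-bc                     0                   0  -
                                    NA                  NA
--------------------------------------------------------------------------------
 Linkup statistics on slot 1:
--------------------------------------------------------------------------------
Packet Type          Pass(Packet/Byte)   Drop(Packet/Byte)  Last-dropping-time
--------------------------------------------------------------------------------
telnet                               0                   0  -
                                     0                   0
--------------------------------------------------------------------------------
"""

# Suffix appended by the switch when a counter is too long to display in full.
_SUFFIX = {"k": 10**3, "m": 10**6, "g": 10**9}


def parse_counter(token: str) -> Optional[int]:
    """Expand a k/m/g-suffixed counter to an integer; 'NA' means no counter available."""
    if token == "NA":
        return None
    m = re.fullmatch(r"(\d+)([kmg]?)", token)
    if not m:
        raise ValueError(f"unexpected counter {token!r}")
    return int(m.group(1)) * _SUFFIX.get(m.group(2), 1)


@dataclass
class CarStat:
    section: str                 # e.g. 'Statistics on slot 1' or 'Linkup statistics on slot 1'
    packet_type: str
    pass_packets: Optional[int]
    drop_packets: Optional[int]
    pass_bytes: Optional[int]
    drop_bytes: Optional[int]
    last_drop_time: Optional[str]  # None when the switch prints '-'


def parse_cpu_defend_statistics(text: str):
    """Return one CarStat per packet type, in display order."""
    stats = []
    section = None
    pending = None  # row whose indented byte line has not been read yet
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("---") or stripped.startswith("Packet Type"):
            continue
        if stripped.endswith(":"):          # section header such as ' Statistics on slot 1:'
            section = stripped[:-1]
            continue
        tokens = stripped.split()
        if not line[0].isspace():
            # First line of a row: type, pass packets, drop packets, last-dropping-time
            last = " ".join(tokens[3:])
            pending = CarStat(section, tokens[0], parse_counter(tokens[1]),
                              parse_counter(tokens[2]), None, None,
                              None if last == "-" else last)
            stats.append(pending)
        elif pending is not None:
            # Second (indented) line of the row: pass bytes, drop bytes
            pending.pass_bytes = parse_counter(tokens[0])
            pending.drop_bytes = parse_counter(tokens[1])
            pending = None
    return stats


def dropping_types(stats):
    """Packet types whose CPCAR discarded packets: worth an alert or a closer look at the CIR."""
    return [s for s in stats if s.drop_packets]


if __name__ == "__main__":
    for s in dropping_types(parse_cpu_defend_statistics(SAMPLE_OUTPUT)):
        print(f"{s.section}: {s.packet_type} dropped {s.drop_packets} packets, last at {s.last_drop_time}")
```

Because a suffixed value is a rounded figure, compare counters across polls for growth rather than for exact equality; a drop counter that keeps increasing between two display runs is the useful signal.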

display snmp-agent trap feature-name securitytrap all

Function

The display snmp-agent trap feature-name securitytrap all command displays the status of all traps on the security module.

Format

display snmp-agent trap feature-name securitytrap all

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After the trap function of a specified feature is enabled, you can run the display snmp-agent trap feature-name securitytrap all command to check the status of all traps of the security module. To enable the trap function of the security module, run the snmp-agent trap enable feature-name securitytrap command.

Prerequisites

SNMP has been enabled. See snmp-agent.

Example

# Display all the traps of the security module.

<HUAWEI>display snmp-agent trap feature-name securitytrap all
------------------------------------------------------------------------------
Feature name: SECURITYTRAP
Trap number : 28
------------------------------------------------------------------------------
Trap name                       Default switch status   Current switch status
hwStrackUserInfo                on                      on
hwStrackIfVlanInfo              on                      on
hwStrackSrcIpInfo               on                      on
hwXQoSStormControlTrap          on                      on
hwXQoSStormControlTrapExt       on                      on
hwARPSGatewayConflict           on                      on
hwARPSEntryCheck                on                      on
hwARPSPacketCheck               on                      on
hwARPSDaiDropALarm              on                      on
hwARPGlobalSpeedLimitALarm      on                      on
hwARPIfSpeedLimitALarm          on                      on
hwARPVlanSpeedLimitALarm        on                      on
hwARPMissGlobalSpeedLimitALarm  on                      on
hwARPMissIfSpeedLimitALarm      on                      on
hwARPMissVlanSpeedLimitALarm    on                      on
hwARPSIPSpeedLimitALarm         on                      on
hwARPSMACSpeedLimitALarm        on                      on
hwARPMissSIPSpeedLimitALarm     on                      on
hwArpIfRateLimitBlockALarm      on                      on
hwIPSGDropALarm                 on                      on
hwICMPGlobalDropALarm           on                      on
hwICMPIfDropALarm               on                      on
hwStrackDenyPacket              on                      on
hwStrackErrorDown               on                      on
hwDefendCpcarDropPkt            on                      on
hwMACsecFailNotify              on                      on
hwStrackPortAtk                 on                      on
hwStrackUserAbnormal            on                      on
hwOlcStartAlarm                 on                      on                      
hwOlcStopAlarm                  on                      on
Table 14-43  Description of the display snmp-agent trap feature-name securitytrap all command output

Item

Description

Feature name

Name of the module that the trap belongs to.

Trap number

Number of traps.

Trap name

Trap name. The ACL module uses the following Huawei-proprietary traps:

  • hwStrackUserInfo: sent when attack source tracing detects a user-based attack.

  • hwStrackIfVlanInfo: sent when attack source tracing detects an attack initiated from an interface.

  • hwStrackSrcIpInfo: sent when attack source tracing detects a source IP address-based attack.

  • hwXQoSStormControlTrap: sent when storm control detects a port status change.

  • hwXQoSStormControlTrapExt: sent when the interface state machine changes.

  • hwARPSGatewayConflict: sent when the device receives an ARP packet whose source IP address is the same as the gateway IP address.

  • hwARPSEntryCheck: sent when the device detects an attack packet used to modify an ARP entry.

  • hwARPSPacketCheck: sent when the device detects an invalid ARP packet.

  • hwARPSDaiDropALarm: sent when the number of ARP packets discarded by DAI reaches the alarm threshold.

  • hwARPGlobalSpeedLimitALarm: sent when the rate of ARP packets received by the device reaches the alarm threshold.

  • hwARPIfSpeedLimitALarm: sent when the rate of ARP packets received by an interface reaches the alarm threshold.

  • hwARPVlanSpeedLimitALarm: sent when the rate of ARP packets in a VLAN reaches the alarm threshold.

  • hwARPMissGlobalSpeedLimitALarm: sent when the rate of ARP Miss messages on the device exceeds the threshold and the number of discarded ARP Miss messages exceeds the alarm threshold.

  • hwARPMissIfSpeedLimitALarm: sent when the rate of ARP Miss messages on an interface reaches the alarm threshold.

  • hwARPMissVlanSpeedLimitALarm: sent when the rate of ARP Miss messages in a VLAN exceeds the threshold and the number of discarded ARP Miss messages exceeds the alarm threshold.

  • hwARPSIPSpeedLimitALarm: sent when the rate of ARP packets from a source IP address exceeds the alarm threshold.

  • hwARPSMACSpeedLimitALarm: sent when the rate of ARP packets from a source MAC address exceeds the alarm threshold.

  • hwARPMissSIPSpeedLimitALarm: sent when the rate of ARP Miss messages from a source IP address exceeds the alarm threshold.

  • hwArpIfRateLimitBlockALarm: sent when the rate of ARP packets received by the device exceeds the threshold and ARP packets are discarded on interfaces within the block period.

  • hwIPSGDropALarm: sent when the number of IP packets discarded by IPSG reaches the alarm threshold.

  • hwICMPGlobalDropALarm: sent when the rate of global ICMP packets reaches the alarm threshold.

  • hwICMPIfDropALarm: sent when the rate of ICMP packets on an interface reaches the alarm threshold.

  • hwStrackDenyPacket: sent when the device detects an attack source and discards the packets from this attack source.

  • hwStrackErrorDown: sent when the device detects an attack source and sets the port status of the attack source to error-down.

  • hwDefendCpcarDropPkt: sent when packets are dropped because the rate of protocol packets sent to the CPU exceeds the CPCAR value.

  • hwMACsecFailNotify: sent when the MACsec configuration on an interface is invalid.

  • hwStrackPortAtk: sent when an interface is attacked by protocol packets and port attack defense is started.

  • hwStrackUserAbnormal: sent when the rate of packets received by an LPU exceeds the normal rate.

Default switch status

Default status of the trap function:

  • on: indicates that the trap function is enabled by default.

  • off: indicates that the trap function is disabled by default.

Current switch status

Status of the trap function:

  • on: indicates that the trap function is enabled.

  • off: indicates that the trap function is disabled.
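A trap that has been switched off is a blind spot for monitoring, so the Current switch status column is worth checking against the Default switch status column on every device. The following added example (not Huawei code) parses the output of this display command, lists the traps that are on by default but currently off, and builds the snmp-agent trap enable feature-name securitytrap command that turns each one back on; the trap-name keywords of that command are the lowercase forms of the trap names listed above, as shown in its Format section. The sample output is constructed from the format of this reference, with two traps deliberately set to off.

```python
"""Audit securitytrap switch status from `display snmp-agent trap feature-name securitytrap all`.

Added example, not Huawei code. SAMPLE_OUTPUT is constructed from the display format in the
command reference; hwARPSGatewayConflict and hwDefendCpcarDropPkt are set to 'off' on purpose.
"""

SAMPLE_OUTPUT = """\
------------------------------------------------------------------------------
Feature name: SECURITYTRAP
Trap number : 5
------------------------------------------------------------------------------
Trap name                       Default switch status   Current switch status
hwStrackUserInfo                on                      on
hwARPSGatewayConflict           on                      off
hwDefendCpcarDropPkt            on                      off
hwStrackErrorDown               on                      on
hwMACsecFailNotify              on                      on
"""


def declared_trap_count(text: str):
    """Value of the 'Trap number' line, used to detect truncated output."""
    for line in text.splitlines():
        if line.startswith("Trap number"):
            return int(line.split(":", 1)[1])
    return None


def parse_trap_status(text: str):
    """Return {trap name: (default status, current status)} from the display output."""
    result = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("Trap name"):      # column header; rows follow
            in_table = True
            continue
        if not in_table or not line.strip() or line.startswith("---"):
            continue
        name, default, current = line.split()
        result[name] = (default, current)
    return result


def disabled_traps(status):
    """Traps that are on by default but have been switched off on this device."""
    return sorted(name for name, (default, current) in status.items()
                  if default == "on" and current == "off")


def restore_commands(names):
    """Commands to re-enable the given traps. The trap-name keyword is the lowercase
    trap name, matching the keywords listed under snmp-agent trap enable feature-name securitytrap."""
    return [f"snmp-agent trap enable feature-name securitytrap trap-name {n.lower()}"
            for n in names]


def audit(text: str):
    """Parse, cross-check the row count against 'Trap number', and return the fix-up commands."""
    status = parse_trap_status(text)
    declared = declared_trap_count(text)
    if declared is not None and declared != len(status):
        raise ValueError(f"output lists {len(status)} traps but declares {declared}")
    return restore_commands(disabled_traps(status))


if __name__ == "__main__":
    for cmd in audit(SAMPLE_OUTPUT):
        print(cmd)
```

The row-count check matters when output is captured over a session with paging or a short terminal length, since a truncated table would otherwise pass the audit silently.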

host-car disable

Function

The host-car disable command disables user-level rate limiting on interfaces.

The undo host-car disable command enables user-level rate limiting on interfaces.

By default, user-level rate limiting is enabled on all interfaces.

NOTE:

Only the X series LPUs support this command.

Format

host-car disable

undo host-car disable

Parameters

None

Views

GE interface view, XGE interface view, and 40GE interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, the switch performs user-level rate limiting on the users connecting to all interfaces. If you are sure that the users connecting to an interface are secure, you can disable user-level rate limiting on this interface.

Precautions

  • Management interfaces do not support this command.
  • Before using this command, run the cpu-defend host-car enable command to enable user-level rate limiting.
  • After user-level rate limiting is disabled on an interface, the switch does not limit the rate of packets received from the specified user MAC address and cannot protect the interface against attacks. In addition, the packets of the same type sent from other users may be affected.

Example

# Disable user-level rate limiting on the interface.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] host-car disable 

linkup-car

Function

The linkup-car command sets the CPCAR value for packets of a protocol connection, including the Committed Information Rate (CIR) and Committed Burst Size (CBS).

The undo linkup-car command restores the default CPCAR rate limit.

By default, the CIR and CBS for sending packets of BGP and OSPF connections on the LPU are 512 kbit/s and 64000 bytes respectively; the CIR and CBS for sending packets of FTP, HTTP, HTTPS, SSH, TELNET, and TFTP connections on the LPU are 2048 kbit/s and 256000 bytes respectively.

By default, the CIR and CBS for sending packets of BGP and OSPF connections on the MPU are 512 kbit/s and 64000 bytes respectively; the CIR and CBS for sending packets of FTP, HTTP, HTTPS, SSH, TELNET, and TFTP connections on the MPU are 4096 kbit/s and 770048 bytes respectively.

Format

linkup-car packet-type { bgp | ftp | http | https | ospf | ssh | telnet | tftp } cir cir-value [ cbs cbs-value ]

undo linkup-car packet-type { bgp | ftp | http | https | ospf | ssh | telnet | tftp }

NOTE:

Only the V200R013C00SPC500 version supports the http parameter.

Parameters

Parameter

Description

Value

bgp

Indicates that the protocol type is BGP.

-

ftp

Indicates that the protocol type is FTP.

-

http

Indicates that the protocol type is HTTP.

-

https

Indicates that the protocol type is HTTPS.

-

ospf

Indicates the protocol type is OSPF.

-

ssh

Indicates the protocol type is SSH.

-

telnet

Indicates the protocol type is TELNET.

-

tftp

Indicates the protocol type is TFTP.

-

cir cir-value

Specifies the CIR value.

The value is an integer that ranges from 64 to 4294967295, in kbit/s.

cbs cbs-value

Specifies the CBS value.

The value is an integer that ranges from 10000 to 4294967295, in bytes.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The default CPCAR value for the BGP, FTP, HTTP, HTTPS, OSPF, SSH, TFTP, and TELNET protocols is small. When a switch uses one of these protocols to transfer files or set up connections with other hosts or devices, the number of protocol packets increases sharply in a short period. When the packet rate exceeds the limit, the protocol packets are dropped. The switch may also be attacked using other protocols at the same time. This affects data transmission and causes service interruption.

You can run the cpu-defend application-apperceive command to enable active link protection (ALP), which ensures normal operation of BGP, FTP, HTTP, HTTPS, OSPF, SSH, TFTP, and TELNET services when attacks occur. After a connection is set up, the switch sends packets at the rate of the CPCAR value configured using the linkup-car command. The CPCAR value can be set as required.

Follow-up Procedure

Run the cpu-defend application-apperceive bgp enable command or the cpu-defend application-apperceive ospf enable command to enable ALP so that the rate limit set using the linkup-car command takes effect. By default, ALP is enabled for FTP, HTTP, HTTPS, TFTP, SSH, and TELNET packets and disabled for BGP and OSPF packets.

Precautions

You are advised to run the display cpu-defend configuration command to check the CIR value supported by the protocol being used before running the linkup-car command to set the rate limit.

ALP for BGP and OSPF is disabled when the configuration is initialized. Before ALP is enabled for these protocols, set their rate limit using the car command; after connections are set up and ALP is enabled, the rate limit set using the linkup-car command applies.

Example

# Set the CIR and CBS for sending packets of FTP connections to 1000 kbit/s and 100000 bytes.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] linkup-car packet-type ftp cir 1000 cbs 100000
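The CIR and CBS pair decides how much of a connection-setup burst survives the CPCAR. The following added example (not Huawei code) models a CPCAR as a single-rate token bucket, which is the usual meaning of CIR/CBS but is an assumption about this platform rather than something this reference states, and compares the default LPU FTP values (2048 kbit/s, 256000 bytes) with the values set in the example above (1000 kbit/s, 100000 bytes) for a constructed burst of 1500-byte packets.

```python
"""Single-rate token-bucket model of a CPCAR (CIR in kbit/s, CBS in bytes).

Added example, not Huawei code. Assumes the CPCAR behaves as a standard token bucket
(an assumption, not a statement from the command reference). Traffic is constructed.
"""

# (CIR kbit/s, CBS bytes): default LPU value for FTP and the value from the linkup-car example.
DEFAULT_LPU_FTP = (2048, 256000)
EXAMPLE_FTP = (1000, 100000)


class TokenBucket:
    def __init__(self, cir_kbps: int, cbs_bytes: int):
        self.rate = cir_kbps * 1000 / 8     # refill rate in bytes per second
        self.cbs = cbs_bytes                # bucket depth: the largest burst that passes at once
        self.tokens = float(cbs_bytes)      # bucket starts full
        self.last = 0.0

    def offer(self, t: float, size: int) -> bool:
        """Offer a packet of `size` bytes at time t (seconds); True if it passes the CAR."""
        self.tokens = min(self.cbs, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False                        # no tokens left: the packet is dropped


def run_burst(cir_kbps: int, cbs_bytes: int, packets: int, size: int, spacing: float = 0.0):
    """Offer `packets` packets of `size` bytes, `spacing` seconds apart; return (passed, dropped)."""
    bucket = TokenBucket(cir_kbps, cbs_bytes)
    passed = sum(bucket.offer(i * spacing, size) for i in range(packets))
    return passed, packets - passed


if __name__ == "__main__":
    for label, (cir, cbs) in (("default LPU FTP", DEFAULT_LPU_FTP), ("example", EXAMPLE_FTP)):
        # 200 full-size packets arriving at once: only CBS decides how many pass.
        print(label, "burst at t=0:", run_burst(cir, cbs, 200, 1500))
        # Same packets offered at 2 Mbit/s: CIR now decides, after the bucket has drained.
        print(label, "at 2 Mbit/s:", run_burst(cir, cbs, 200, 1500, spacing=0.006))
```

With the example values the bucket holds 66 full-size packets, so a transfer that starts with a larger burst loses the remainder before the CIR ever comes into play; that is why the Precautions section advises checking the CIR the protocol actually needs before lowering it with linkup-car.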

port type

Function

The port type command configures the interface type. The interface type can be Network-to-Network Interface (NNI), User-to-Network Interface (UNI), or Enhanced Network Interface (ENI).

The undo port type command cancels the configuration.

By default, the interface type is NNI.

NOTE:

This command is not supported by X series cards.

Format

port type { uni | eni | nni }

undo port type

Parameters

Parameter Description Value
uni

Indicates that the interface is a user-side interface on the device.

-
eni

Indicates that the interface is connected to another switch or user.

An ENI supports all protocols that are supported by a UNI.

-
nni

Indicates that the interface is a network-side interface on the device.

An NNI supports all protocol packets.

-

Views

40GE interface view, 100GE interface view, GE interface view, XGE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Generally, the protocol packets that can be sent to the CPU are controlled by an ACL. Because this control applies to the whole device (or board), packets received on different interfaces cannot be distinguished from one another.

If an interface is attacked and the administrator stops the board from sending packets to the CPU, packets from the other interfaces on the board cannot be sent either, affecting communication of the device. If an interface is attacked and the board is not stopped from sending packets, the attack packets occupy resources and valid packets cannot be sent.

For example, OSPF is enabled on an interface and OSPF packets are sent to the board. If a non-OSPF interface is attacked, the attack packets occupy resources and valid OSPF packets cannot be forwarded. As a result, OSPF negotiation becomes slow or fails.

The port type command specifies the interface type according to the location of the interface. Interfaces of different types support different protocols and send only the packets of the supported protocols to the CPU. This reduces the workload of the CPU and provides flexible ways to protect the CPU.

Precautions

If you run the port type command multiple times, only the latest configuration takes effect.

Follow-up Procedure

This command differentiates packets from different types of interfaces so that the attack packets are denied and valid packets are forwarded. If an attack occurs, you can run the deny command to discard packets of a specified type or run the car (attack defense policy view) command to limit the rate of a specified type of protocol packets.

If interfaces on X series cards are members of an Eth-Trunk, the port type { uni | eni } command does not take effect on the Eth-Trunk.

Example

# Configure GE1/0/0 as an NNI.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/0
[HUAWEI-GigabitEthernet1/0/0] port type nni

port-type

Function

The port-type command maps interfaces to protocol types. The type can be User-to-Network Interface (UNI), Enhanced Network Interface (ENI), or Network-to-Network Interface (NNI).

The undo port-type command cancels the configuration.

To view the default mapping between protocols and the interface types that send their packets to the CPU, run the display cpu-defend configuration command.

NOTE:

This command is not supported by X series cards.

The XGE interface connected to ACU2 does not support this function.

The XGE interface connected to ET1D2IPS0S00, ET1D2FW00S00, ET1D2FW00S01 does not support this function.

Format

port-type { uni | eni | nni } packet-type packet-type

undo port-type [ uni | eni | nni ] packet-type packet-type

Parameters

Parameter Description Value
uni

Indicates that the interface is a user-side interface on the device.

-
eni

Indicates that the interface is connected to another switch or user.

An ENI supports all protocols that are supported by a UNI.

-
nni

Indicates that the interface is a network-side interface on the device.

An NNI supports all protocol packets.

-
packet-type packet-type

Specifies the protocol supported by an interface type.

A protocol is mapped to only one interface type.

The supported packet type depends on the device.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Generally, the protocol packets that can be sent to the CPU are controlled by an ACL. Because this control applies to the whole device (or board), packets received on different interfaces cannot be distinguished from one another.

If an interface is attacked and the administrator stops the board from sending packets to the CPU, packets from the other interfaces on the board cannot be sent either, affecting communication of the device. If an interface is attacked and the board is not stopped from sending packets, the attack packets occupy resources and valid packets cannot be sent.

The port-type command maps protocols to interface types. The port type command specifies the interface type according to the location of the interface. With the two commands together, an interface sends only the packets of the protocols its type supports to the CPU. This reduces the workload of the CPU and provides flexible ways to protect the CPU.

NOTE:

Protocol packets that are not mapped to the UNI, ENI, or NNI type are sent to the CPU for processing from any interface on the device (board).

Procedure

After you run the port type command to configure interface types, run the port-type command to specify the protocols supported by the interfaces and the method to process the protocol packets.

Precautions

If you run the port-type command multiple times, only the latest configuration takes effect because a protocol is mapped to only one interface type.

Follow-up Procedure

This command differentiates packets from different types of interfaces so that the attack packets are denied and valid packets are forwarded. If an attack occurs, you can run the deny command to discard a specified type of packets. When receiving packets of the type, the interfaces discard these packets. You can also run the car (attack defense policy view) command to limit the rate of attack packets of a specified type.

Example

# Configure UNI interfaces to send ARP Reply packets to the CPU.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test 
[HUAWEI-cpu-defend-policy-test] port-type uni packet-type arp-reply
[HUAWEI-cpu-defend-policy-test] quit
[HUAWEI] cpu-defend-policy test global
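The two commands above define a small policy: port type assigns each interface a type, port-type maps each protocol to the lowest type that may send it to the CPU, and the types form a hierarchy (an ENI accepts everything a UNI accepts; an NNI accepts all protocol packets). The following added example (not Huawei code) models that policy so the effect of a mapping can be checked before it is applied; the interface names and the protocol mappings other than arp-reply are constructed, and the default interface type is NNI as stated in the port type section.

```python
"""Model of interface types (port type) and protocol-to-type mappings (port-type).

Added example, not Huawei code. Rules encoded from the command reference:
  - an NNI accepts all protocol packets; an ENI accepts every protocol a UNI accepts;
  - a protocol is mapped to only one interface type, and the latest port-type command wins;
  - a protocol mapped to no type is sent to the CPU from any interface;
  - an interface is an NNI by default.
Interface names and the mappings for 'lldp' and 'ospf' below are constructed.
"""

# Higher rank accepts everything a lower rank accepts.
RANK = {"uni": 0, "eni": 1, "nni": 2}


def _check(ptype: str) -> str:
    if ptype not in RANK:
        raise ValueError(f"unknown interface type {ptype!r}")
    return ptype


class PortTypePolicy:
    def __init__(self):
        self.interface_type = {}   # interface -> type set with 'port type' (absent = nni)
        self.protocol_type = {}    # protocol  -> type set with 'port-type ... packet-type'

    def port_type(self, interface: str, ptype: str):
        """port type { uni | eni | nni } in the interface view; the latest setting wins."""
        self.interface_type[interface] = _check(ptype)

    def undo_port_type(self, interface: str):
        self.interface_type.pop(interface, None)      # back to the NNI default

    def map_packet_type(self, ptype: str, protocol: str):
        """port-type { uni | eni | nni } packet-type <protocol>; one type per protocol."""
        self.protocol_type[protocol] = _check(ptype)

    def undo_map_packet_type(self, protocol: str):
        self.protocol_type.pop(protocol, None)        # unmapped: any interface sends it

    def punts_to_cpu(self, interface: str, protocol: str) -> bool:
        """Does a packet of `protocol` received on `interface` reach the CPU?"""
        required = self.protocol_type.get(protocol)
        if required is None:
            return True
        actual = self.interface_type.get(interface, "nni")
        return RANK[actual] >= RANK[required]

    def allowed_protocols(self, interface: str):
        """Mapped protocols that this interface is allowed to send to the CPU."""
        return sorted(p for p in self.protocol_type if self.punts_to_cpu(interface, p))


def demo_policy() -> PortTypePolicy:
    """Constructed configuration mirroring the examples in the port type / port-type sections."""
    pol = PortTypePolicy()
    pol.port_type("GE1/0/1", "uni")            # user-facing access port
    pol.port_type("GE1/0/2", "eni")            # port towards another switch or user
    # GE1/0/3 is left at the default type, NNI
    pol.map_packet_type("uni", "arp-reply")    # from the page's port-type example
    pol.map_packet_type("eni", "lldp")         # constructed
    pol.map_packet_type("nni", "ospf")         # constructed ...
    pol.map_packet_type("eni", "ospf")         # ... then re-mapped: the latest mapping wins
    return pol


if __name__ == "__main__":
    pol = demo_policy()
    for intf in ("GE1/0/1", "GE1/0/2", "GE1/0/3"):
        print(intf, pol.interface_type.get(intf, "nni"), pol.allowed_protocols(intf))
```

The useful check is the negative one: after mapping a protocol to NNI, list the protocols each UNI may still punt, so that a protocol the access ports legitimately need (ARP replies in the example) is not cut off along with the attack traffic.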

reset auto-defend attack-source

Function

The reset auto-defend attack-source command clears information about attack sources.

Format

reset auto-defend attack-source [ history ] [ slot slot-id ]

Parameters

Parameter Description Value
history

Deletes historical attack source information.

If history is not specified, all existing attack source information is deleted.

-
slot slot-id

Specifies a slot ID.

If slot slot-id is not specified, information about attack sources on the main control board is cleared.

The value must be set according to the device configuration.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To view the latest attack source information on the device, run the reset auto-defend attack-source command to delete the existing attack source information, wait for a period, and run the display auto-defend attack-source command.

To delete historical attack source information, run the reset auto-defend attack-source history command.

Precautions

After the reset auto-defend attack-source command is run, information about attack sources is cleared and cannot be restored.

Example

# Delete existing attack source information on the device.

<HUAWEI> system-view
[HUAWEI] reset auto-defend attack-source

reset auto-defend attack-source trace-type

Function

The reset auto-defend attack-source trace-type command clears the counter of packets traced after attack source tracing based on source MAC addresses, source IP addresses, or source ports+VLANs is configured.

Format

reset auto-defend attack-source trace-type { source-mac [ mac-address ] | source-ip [ ipv4-address | ipv6 ipv6-address ] | source-portvlan [ interface interface-type interface-number vlan-id vlan-id [ cvlan-id cvlan-id ] ] } [ slot slot-id | mcu ]

Parameters

Parameter Description Value
source-mac [ mac-address ]

Clears the counter of packets traced after attack source tracing based on source MAC addresses is configured.

If mac-address is specified, the counter of traced packets sent from the specified MAC address is cleared.

The value of mac-address is in H-H-H format. An H contains 1 to 4 hexadecimal digits.
source-ip [ ipv4-address | ipv6 ipv6-address ]

Clears the counter of packets traced after attack source tracing based on source IP addresses is configured.

If an ip-address is specified, the counter of traced packets sent from the specified IP address is cleared.

  • ipv4-address specifies the IPv4 address of an interface.
  • ipv6 ipv6-address specifies the IPv6 address of an interface.
  • The value of ipv4-address is in dotted decimal notation.
  • The value of ipv6-address is in the format X:X:X:X:X:X:X:X. The total length is 128 bits, divided into eight groups. The 16 bits of each group are represented by four hexadecimal characters.
source-portvlan [ interface interface-type interface-number vlan-id vlan-id [ cvlan-id cvlan-id ] ]

Clears the counter of packets traced after attack source tracing based on source ports+VLANs is configured.

If a port or VLAN is specified, the counter of traced packets sent from the specified port or VLAN is cleared.

  • interface-type specifies the interface type.

  • interface-number specifies the interface number.

  • vlan-id vlan-id specifies the ID of the VLAN.

  • cvlan-id cvlan-id specifies the inner VLAN ID in a QinQ packet.

vlan-id is an integer that ranges from 1 to 4094. cvlan-id is an integer that ranges from 1 to 4094.
slot slot-id

Specifies a slot ID.

The value must be set according to the device configuration.
mcu

Indicates the main control board.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To view information about attack sources in a specified period, run the reset auto-defend attack-source command to clear the existing information and then run the display auto-defend attack-source command. However, the reset auto-defend attack-source command clears information about all attack sources. To clear information about specific attack sources only, run the reset auto-defend attack-source trace-type command.

Precautions

After the reset auto-defend attack-source trace-type command is run, information about attack sources is cleared and cannot be restored.

Example

# Clear the counter of traced packets sent from IP address 10.1.1.1.

<HUAWEI> system-view
[HUAWEI] reset auto-defend attack-source trace-type source-ip 10.1.1.1

reset auto-port-defend statistics

Function

The reset auto-port-defend statistics command deletes packet statistics on port attack defense.

Format

reset auto-port-defend statistics [ all | slot slot-id ]

Parameters

Parameter Description Value
all

Deletes packet statistics of port attack defense on all MPUs and LPUs.

If all or slot slot-id is not specified, the packet statistics on the interfaces of the MPU are deleted.

-
slot slot-id

Deletes packet statistics of port attack defense on the interfaces in a specified slot.

The value depends on the device configuration.

Views

All views

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Before viewing packet statistics of port attack defense in a certain period, delete existing packet statistics, and then run the display auto-port-defend statistics command to collect the latest statistics.

Precautions

The deleted packet statistics cannot be restored.

Example

# Delete packet statistics on the interfaces of the MPU.

<HUAWEI> reset auto-port-defend statistics

reset cpu-defend dynamic-car history-record

Function

The reset cpu-defend dynamic-car history-record command clears history records on dynamic adjustment of the default CIR value of protocol packets.

Format

reset cpu-defend dynamic-car history-record

Parameters

None

Views

User view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can run the reset cpu-defend dynamic-car history-record command to clear the previous records and run the display cpu-defend dynamic-car history-record command to view the history records on dynamic adjustment of the default CIR value of protocol packets in a specified period.

Precautions

The reset cpu-defend dynamic-car history-record command clears history records on dynamic adjustment of the default CIR value of protocol packets and the records cannot be restored.

Example

# Clear the history records on dynamic adjustment of the default CIR value of protocol packets.

<HUAWEI> reset cpu-defend dynamic-car history-record

reset cpu-defend host-car statistics

Function

The reset cpu-defend host-car statistics command clears packet statistics in the user-level rate limiting.

NOTE:

Only the X series LPUs support this command.

Format

reset cpu-defend host-car [ mac-address mac-address ] statistics [ slot slot-id ]

Parameters

Parameter Description Value
mac-address mac-address Clears statistics on the packets from the specified MAC address. -
slot slot-id Clears packet statistics on the specified card. -

Views

User view

Default Level

2: Configuration level

Usage Guidelines

Before viewing the latest packet statistics in the user-level rate limiting, run this command to clear existing packet statistics.

Packet statistics cannot be restored after they are deleted. Exercise caution when you use the command.

Example

# Clear packet statistics in user-level rate limiting.

<HUAWEI> reset cpu-defend host-car statistics

reset cpu-defend statistics

Function

The reset cpu-defend statistics command clears statistics on packets sent to the CPU.

Format

reset cpu-defend statistics [ packet-type packet-type ] { all | slot slot-id | mcu }

Parameters

Parameter Description Value
packet-type packet-type

Specifies the protocol type of packets. packet-type specifies the packet type.

  • If packet-type packet-type is specified, the statistics on the specified type of protocol packets are cleared.
  • If packet-type packet-type is not specified, the statistics on all protocol packets are cleared.
The supported packet type depends on the device.
all

Indicates all boards, including main control boards and LPUs.

If neither all nor slot slot-id is specified, the CAR statistics on the MPU are cleared.

-
slot slot-id

Specifies a slot ID.

The value must be set according to the device configuration.
mcu Indicates the main control board. -

Views

User view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To view statistics on the packets sent to the CPU in a specified period, run the reset cpu-defend statistics command to clear existing statistics and run the display cpu-defend statistics command.

Precautions

The deleted packet statistics cannot be restored.

Example

# Clear statistics on BGP packets sent to the CPU on the board in slot 3.

<HUAWEI> reset cpu-defend statistics packet-type bgp slot 3

slot

Function

The slot command displays the slot view.

Format

slot slot-id

Parameters

Parameter Description Value
slot-id Specifies a slot ID. The value must be set according to the device configuration.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After the slot view is displayed, run the cpu-defend-policy command to bind an attack defense policy to the slot.

Example

# Enter the slot view.

<HUAWEI> system-view
[HUAWEI] slot 1
[HUAWEI-slot-1]

snmp-agent trap enable feature-name securitytrap

Function

The snmp-agent trap enable feature-name securitytrap command enables the trap function for the security module.

The undo snmp-agent trap enable feature-name securitytrap command disables the trap function for the security module.

By default, the trap function is enabled for the security module.

Format

snmp-agent trap enable feature-name securitytrap [ trap-name { hwarpglobalspeedlimitalarm | hwarpifratelimitblockalarm | hwarpifspeedlimitalarm | hwarpmissglobalspeedlimitalarm | hwarpmissifspeedlimitalarm | hwarpmisssipspeedlimitalarm | hwarpmissvlanspeedlimitalarm | hwarpsdaidropalarm | hwarpsentrycheck | hwarpsgatewayconflict | hwarpsipspeedlimitalarm | hwarpsmacspeedlimitalarm | hwarpspacketcheck | hwarpvlanspeedlimitalarm | hwdefendcpcardroppkt | hwicmpglobaldropalarm | hwicmpifdropalarm | hwipsgdropalarm | hwmacsecfailnotify | hwstrackdenypacket | hwstrackerrordown | hwstrackifvlaninfo | hwstrackportatk | hwstracksrcipinfo | hwstrackuserabnormal | hwstrackuserinfo | hwxqosstormcontroltrap | hwxqosstormcontroltrapext } ]

undo snmp-agent trap enable feature-name securitytrap [ trap-name { hwarpglobalspeedlimitalarm | hwarpifratelimitblockalarm | hwarpifspeedlimitalarm | hwarpmissglobalspeedlimitalarm | hwarpmissifspeedlimitalarm | hwarpmisssipspeedlimitalarm | hwarpmissvlanspeedlimitalarm | hwarpsdaidropalarm | hwarpsentrycheck | hwarpsgatewayconflict | hwarpsipspeedlimitalarm | hwarpsmacspeedlimitalarm | hwarpspacketcheck | hwarpvlanspeedlimitalarm | hwdefendcpcardroppkt | hwicmpglobaldropalarm | hwicmpifdropalarm | hwipsgdropalarm | hwmacsecfailnotify | hwstrackdenypacket | hwstrackerrordown | hwstrackifvlaninfo | hwstrackportatk | hwstracksrcipinfo | hwstrackuserabnormal | hwstrackuserinfo | hwxqosstormcontroltrap | hwxqosstormcontroltrapext } ]

Parameters

Parameter Description Value
trap-name Enables or disables the trap function for the specified event. -
hwarpglobalspeedlimitalarm Enables the Huawei-property trap sent when the rate of ARP packets received by the device reaches the alarm threshold. -
hwarpifratelimitblockalarm Enables the Huawei-property trap sent when the rate of ARP packets received by the device exceeds the threshold and ARP packets are discarded on interfaces within the block period. -
hwarpifspeedlimitalarm Enables the Huawei-property trap sent when the rate of ARP packets received by an interface reaches the alarm threshold. -
hwarpmissglobalspeedlimitalarm Enables the Huawei-property trap sent when the rate of ARP Miss messages on the device exceeds the threshold and the number of discarded ARP Miss messages exceeds the alarm threshold. -
hwarpmissifspeedlimitalarm Enables the Huawei-property trap sent when the rate of ARP Miss messages on an interface reaches the alarm threshold. -
hwarpmisssipspeedlimitalarm Enables the Huawei-property trap sent when the rate of ARP Miss messages from a source IP address exceeds the alarm threshold. -
hwarpmissvlanspeedlimitalarm Enables the Huawei-property trap sent when the rate of ARP Miss messages in a VLAN exceeds the threshold and the number of discarded ARP Miss messages exceeds the alarm threshold. -
hwarpsdaidropalarm Enables the Huawei-property trap sent when the number of ARP packets discarded by DAI reaches the alarm threshold. -
hwarpsentrycheck Enables the Huawei-property trap sent when the device detects an attack packet used to modify an ARP entry. -
hwarpsgatewayconflict Enables the Huawei-property trap sent when the device receives an ARP packet whose source IP address is the same as the gateway IP address. -
hwarpsipspeedlimitalarm Enables the Huawei-property trap sent when the rate of ARP packets from a source IP address exceeds the alarm threshold. -
hwarpsmacspeedlimitalarm Enables the Huawei-property trap sent when the rate of ARP packets from a source MAC address exceeds the alarm threshold. -
hwarpspacketcheck Enables the Huawei-property trap sent when the device detects an invalid ARP packet. -
hwarpvlanspeedlimitalarm Enables the Huawei-property trap sent when the rate of ARP packets in a VLAN reaches the alarm threshold. -
hwdefendcpcardroppkt Enables the Huawei-property trap sent when packets are dropped because the rate of protocol packets sent to the CPU exceeds the CPCAR value. -
hwicmpglobaldropalarm Enables the Huawei-property trap sent when the rate of global ICMP packets reaches the alarm threshold. -
hwicmpifdropalarm Enables the Huawei-property trap sent when the rate of ICMP packets on an interface reaches the alarm threshold. -
hwipsgdropalarm Enables the Huawei-property trap sent when the number of IP packets discarded by IPSG reaches the alarm threshold. -
hwmacsecfailnotify Enables the Huawei-property trap sent when the MACsec configuration on an interface is invalid. -
hwstrackdenypacket Enables the Huawei-property trap sent when the device detects an attack source and discards the packets from this attack source. -
hwstrackerrordown Enables the Huawei-property trap sent when the device detects an attack source and sets the port status of the attack source to error-down. -
hwstrackifvlaninfo Enables the Huawei-property trap sent when attack source tracing detects an attack initiated from an interface. -
hwstrackportatk Enables the Huawei-property trap sent when an interface is attacked by protocol packets and port attack defense is started. -
hwstracksrcipinfo Enables the Huawei-property trap sent when attack source tracing detects a source IP address-based attack. -
hwstrackuserabnormal Enables the Huawei-property trap sent when the rate of packets received by an LPU exceeds the normal rate. -
hwstrackuserinfo Enables the Huawei-property trap sent when attack source tracing detects a user-based attack. -
hwxqosstormcontroltrap Enables the Huawei-property trap sent when storm control detects a port status change. -
hwxqosstormcontroltrapext Enables the Huawei-property trap sent when the interface state machine changes. -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When the trap function is enabled, the device generates traps during running and sends traps to the NMS through SNMP. When the trap function is not enabled, the device does not generate traps and the SNMP module does not send traps to the NMS.

You can specify trap-name to enable the trap function for one or more events.

Example

# Enable the hwStrackUserInfo trap of the security module.

<HUAWEI> system-view
[HUAWEI] snmp-agent trap enable feature-name securitytrap trap-name hwStrackUserInfo

user-defined-flow

Function

The user-defined-flow command configures a user-defined flow.

The undo user-defined-flow command deletes a user-defined flow.

By default, no user-defined flow is configured.

Format

user-defined-flow flow-id acl acl-number

undo user-defined-flow flow-id

Parameters

Parameter Description Value
flow-id Specifies the ID of the user-defined flow. The value is an integer that ranges from 1 to 8.
acl acl-number Specifies the number of an Access Control List (ACL). The ACL referenced by a user-defined flow on the device can be a basic ACL, an advanced ACL, or a Layer 2 ACL. The value is an integer that ranges from 2000 to 4999.
  • 2000 to 2999: basic ACLs
  • 3000 to 3999: advanced ACLs
  • 4000 to 4999: Layer 2 ACLs

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When unknown attacks occur on the network, you can run the user-defined-flow command to bind an ACL rule to a user-defined flow. Then you can run the car user-defined-flow flow-id cir cir-value [ cbs cbs-value ] command to limit the rate of flows with the specified characteristics, or run the deny user-defined-flow flow-id command to discard these flows.

Precautions

If an ACL containing the deny action is applied to the user-defined flow, packets matching the ACL are discarded.

Example

# Specify ACL 2001 as the rule of user-defined flow 2.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] user-defined-flow 2 acl 2001

whitelist

Function

The whitelist command configures a whitelist.

The undo whitelist command deletes a whitelist.

By default, no whitelist is configured.

Format

whitelist whitelist-id acl acl-number

undo whitelist whitelist-id

Parameters

Parameter Description Value
whitelist-id Specifies the ID of a whitelist. The value is an integer that ranges from 1 to 8.
acl acl-number Specifies the number of an Access Control List (ACL). The ACL referenced by a whitelist on the device can be a basic ACL, an advanced ACL, or a Layer 2 ACL. The value is an integer that ranges from 2000 to 4999.
  • 2000 to 2999: basic ACLs
  • 3000 to 3999: advanced ACLs
  • 4000 to 4999: Layer 2 ACLs

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can create a whitelist and add users with specified characteristics to the whitelist. The device processes packets sent from users in the whitelist first. You can set the attributes of the whitelist flexibly by defining ACL rules.

A maximum of 8 whitelists can be configured in an attack defense policy on the device.

Precautions

If an ACL containing the deny action is applied to the whitelist, packets sent from users in the whitelist are discarded.

For X series cards, the packets from users in the whitelist are preferentially sent to the CPU at a high rate, and the display cpu-defend statistics command cannot collect statistics on these packets.

Example

# Specify ACL 2002 as the rule of whitelist 2.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] whitelist 2 acl 2002
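The procedure described in the usage scenarios of user-defined-flow and whitelist above, as an added configuration example that is not part of the Huawei document: a suspicious source subnet is bound to a user-defined flow and rate-limited with car user-defined-flow, while the management subnet is placed in a whitelist. The ACL numbers, subnets, policy name and CIR value are constructed, and the closing cpu-defend-policy ... global command, which applies the policy, is assumed from the same command set rather than taken from this page.

```text
# Added example, not from the Huawei document. Subnets, ACL numbers,
# the policy name and the CIR value are constructed assumptions.
<HUAWEI> system-view
# Basic ACL 2001 (range 2000-2999) matches the suspicious source subnet.
[HUAWEI] acl number 2001
[HUAWEI-acl-basic-2001] rule 5 permit source 10.1.1.0 0.0.0.255
[HUAWEI-acl-basic-2001] quit
# Basic ACL 2002 matches the management subnet. Use permit rules only:
# a deny rule in a whitelist ACL discards the whitelisted users' packets.
[HUAWEI] acl number 2002
[HUAWEI-acl-basic-2002] rule 5 permit source 192.168.100.0 0.0.0.255
[HUAWEI-acl-basic-2002] quit
# Attack defense policy: bind the flow, limit its rate, whitelist management.
[HUAWEI] cpu-defend policy flood-test
[HUAWEI-cpu-defend-policy-flood-test] user-defined-flow 1 acl 2001
[HUAWEI-cpu-defend-policy-flood-test] car user-defined-flow 1 cir 64
[HUAWEI-cpu-defend-policy-flood-test] whitelist 1 acl 2002
[HUAWEI-cpu-defend-policy-flood-test] quit
# Apply the policy globally (assumed command; not documented on this page).
[HUAWEI] cpu-defend-policy flood-test global
```

Replace car user-defined-flow 1 cir 64 with deny user-defined-flow 1 if the flow should be discarded outright instead of rate-limited.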
Updated: 2019-04-09

Document ID: EDOC1100065659
