Local Attack Defense Configuration Commands
- Command Support
- auto-defend attack-packet sample
- auto-defend enable
- auto-defend action
- auto-defend alarm enable
- auto-defend protocol
- auto-defend threshold
- auto-defend trace-type
- auto-defend whitelist
- auto-port-defend aging-time
- auto-port-defend alarm enable
- auto-port-defend enable
- auto-port-defend protocol
- auto-port-defend protocol threshold
- auto-port-defend sample
- auto-port-defend whitelist
- blacklist
- car (attack defense policy view)
- cpu-defend application-apperceive enable
- cpu-defend dynamic-car enable
- cpu-defend host-car
- cpu-defend host-car enable
- cpu-defend host-car pps
- cpu-defend policy
- cpu-defend-policy
- cpu-defend trap drop-packet
- deny
- description (attack defense policy view)
- display auto-defend attack-source
- display auto-defend configuration
- display auto-defend whitelist
- display auto-port-defend attack-source
- display auto-port-defend configuration
- display auto-port-defend statistics
- display auto-port-defend whitelist
- display cpu-defend applied
- display cpu-defend configuration
- display cpu-defend dynamic-car history-record
- display cpu-defend host-car statistics
- display cpu-defend policy
- display cpu-defend port-type
- display cpu-defend rate
- display cpu-defend statistics
- display snmp-agent trap feature-name securitytrap all
- host-car disable
- linkup-car
- port type
- port-type
- reset auto-defend attack-source
- reset auto-defend attack-source trace-type
- reset auto-port-defend statistics
- reset cpu-defend dynamic-car history-record
- reset cpu-defend host-car statistics
- reset cpu-defend statistics
- slot
- snmp-agent trap enable feature-name securitytrap
- user-defined-flow
- whitelist
auto-defend attack-packet sample
Function
The auto-defend attack-packet sample command sets the packet sampling ratio for attack source tracing.
The undo auto-defend attack-packet sample command restores the default packet sampling ratio.
By default, the packet sampling ratio is 5. That is, one packet is sampled in every 5 packets.
Parameters
Parameter | Description | Value |
---|---|---|
sample-value | Specifies the packet sampling ratio for attack source tracing. | The value is an integer that ranges from 1 to 1024. |
Usage Guidelines
Usage Scenario
Attack source tracing samples packets to identify attacks, so errors may occur in attack packet identification or in packet rate calculation. A proper packet sampling ratio reduces these errors. A small sampling ratio makes the attack source tracing result more accurate but increases CPU usage. For example, when the sampling ratio is set to 1, every packet is sampled: the tracing result is exact, but CPU usage is high because every packet has to be parsed.
The auto-defend attack-packet sample command sets the sampling ratio. You can set a proper value based on the requirements of attack source tracing precision and CPU usage.
Prerequisites
Attack source tracing has been enabled using the auto-defend enable command.
Precautions
When a smaller attack source tracing threshold is used, the sampling ratio has greater impact on the attack source tracing result.
auto-defend enable
Function
The auto-defend enable command enables automatic attack source tracing.
The undo auto-defend enable command disables automatic attack source tracing.
By default, attack source tracing is enabled.
Usage Guidelines
Usage Scenario
A large number of attack packets may attack the device CPU. Attack source tracing enables the device to trace attack sources and send logs or alarms to notify the administrator so that the administrator can take measures to defend against the attacks. By default, logs are sent to notify the administrator if attack source tracing is enabled.
After automatic attack source tracing is enabled, the device traces the source of the specified packets sent to the CPU. The packet type can be set using the auto-defend protocol command.
Precautions
Attack source tracing configured in an attack defense policy takes effect only when the attack defense policy is applied in the system view or slot view.
If the system software of a switch in a version earlier than V200R009C00 is upgraded to V200R009C00 or later version, an undo auto-defend enable configuration is automatically generated.
auto-defend action
Function
The auto-defend action command enables the attack source punish function and specifies the punish action.
The undo auto-defend action command disables the attack source punish function.
By default, the attack source punish function is disabled.
Parameters
Parameter | Description | Value |
---|---|---|
deny | Discards packets sent from an attack source. | - |
timer time-length | Specifies the period during which packets sent from an identified attack source are discarded. | The value ranges from 1 to 86400, in seconds. The default value is 300. |
error-down | Shuts down an interface that receives attack packets. | - |
Usage Guidelines
Usage Scenario
The attack source tracing process consists of four phases: packet parsing, traffic analysis, attack source identification, and taking punish actions against the attack source. The auto-defend action command applies to the last phase: the device either discards the packets sent from the identified source or shuts down the interface that receives the attack packets.
If the auto-defend action is set to error-down, run the error-down auto-recovery cause auto-defend interval interval-value command beforehand so that a shut-down interface recovers automatically after the specified delay. The recovery command must be configured before the attack occurs; it does not take effect on an interface that is already in the error-down state.
Prerequisites
Attack source tracing has been enabled using the auto-defend enable command.
Precautions
If you run the auto-defend action command multiple times, only the latest configuration takes effect.
After the auto-defend action is set to deny, the device discards packets when being attacked. The configuration result can be verified using the display auto-defend attack-source command.
The device does not take punish actions on attack sources of whitelist users.
If the device shuts down the interface that receives the attack packets, services of authorized users on the interface are interrupted. Exercise caution when you configure the device to shut down the interface.
Example
# Configure the device to discard packets from an identified attack source for 10 seconds.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-defend enable
[HUAWEI-cpu-defend-policy-test] auto-defend action deny timer 10
Info: This configuration may cause packet loss.
auto-defend alarm enable
Function
The auto-defend alarm enable command enables the event reporting function for attack source tracing.
The undo auto-defend alarm enable command disables the event reporting function for attack source tracing.
By default, the event reporting function for attack source tracing is disabled.
Usage Guidelines
Usage Scenario
When the number of packets of a specified protocol from an attack source exceeds the threshold in a specified period, the device reports an event to the administrator so that the administrator can take measures to protect the device.
Prerequisites
Attack source tracing has been enabled using the auto-defend enable command.
Follow-up Procedure
Run the auto-defend threshold command to set the event reporting threshold for attack source tracing.
auto-defend protocol
Function
The auto-defend protocol command specifies the types of protocol packets that the device monitors in attack source tracing.
The undo auto-defend protocol command deletes specified types of protocol packets that the device monitors in attack source tracing.
By default, the device traces sources of 8021X, ARP, DHCP, DHCPv6, ICMP, ICMPv6, IGMP, MLD, ND, TCP, Telnet in attack source tracing.
Format
auto-defend protocol { all | { 8021x | arp | dhcp | dhcpv6 | icmp | icmpv6 | igmp | mld | nd | tcp | telnet | ttl-expired | udp }* }
undo auto-defend protocol { 8021x | arp | dhcp | dhcpv6 | icmp | icmpv6 | igmp | mld | nd | tcp | telnet | ttl-expired | udp }*
Parameters
Parameter | Description | Value |
---|---|---|
all | Configures the device to trace sources of 802.1X, ARP, DHCP, DHCPv6, ICMP, ICMPv6, IGMP, MLD, ND, TCP, Telnet, TTL-expired, and UDP packets in attack source tracing. | - |
8021x | Adds 802.1X packets to the list of traced packets or deletes 802.1X packets from the list. | - |
arp | Adds Address Resolution Protocol (ARP) packets to the list of traced packets or deletes ARP packets from the list. | - |
dhcp | Adds Dynamic Host Configuration Protocol (DHCP) packets to the list of traced packets or deletes DHCP packets from the list. | - |
dhcpv6 | Adds Dynamic Host Configuration Protocol for IPv6 (DHCPv6) packets to the list of traced packets or deletes DHCPv6 packets from the list. | - |
icmp | Adds Internet Control Message Protocol (ICMP) packets to the list of traced packets or deletes ICMP packets from the list. | - |
icmpv6 | Adds Internet Control Message Protocol for IPv6 (ICMPv6) packets to the list of traced packets or deletes ICMPv6 packets from the list. | - |
igmp | Adds Internet Group Management Protocol (IGMP) packets to the list of traced packets or deletes IGMP packets from the list. | - |
mld | Adds Multicast Listener Discovery (MLD) packets to the list of traced packets or deletes MLD packets from the list. | - |
nd | Adds IPv6 Neighbor Discovery (ND) packets to the list of traced packets or deletes ND packets from the list. | - |
tcp | Adds Transmission Control Protocol (TCP) packets to the list of traced packets or deletes TCP packets from the list. | - |
telnet | Adds Telnet packets to the list of traced packets or deletes Telnet packets from the list. | - |
ttl-expired | Adds packets with a TTL value of 1 to the list of traced packets or deletes these packets from the list. | - |
udp | Adds User Datagram Protocol (UDP) packets to the list of traced packets or deletes UDP packets from the list. | - |
Usage Guidelines
Usage Scenario
The attack source tracing process consists of four phases: packet parsing, traffic analysis, attack source identification, and taking punish actions against the attack source. The auto-defend protocol command applies to the packet parsing phase. When an attack occurs, you usually do not know in advance which type of packets the attacker is using, so the auto-defend protocol command lets you specify which packet types are traced.
Prerequisites
Attack source tracing has been enabled using the auto-defend enable command.
Precautions
- If you run this command multiple times, only the latest configuration takes effect.
- If a packet type is specified, when the device is attacked and the attack source is traced, you can run the display auto-defend attack-source command to view attack source information.
- When attack source tracing is applied to ICMPv6 packets, the function takes effect on only the ICMPv6 packets of which the destination IPv6 addresses are local interface addresses.
auto-defend threshold
Function
The auto-defend threshold command sets the checking threshold and event reporting threshold for attack source tracing.
The undo auto-defend threshold command restores the default checking threshold and event reporting threshold for attack source tracing.
By default, the checking threshold and the event reporting threshold for attack source tracing are both 60 pps.
Parameters
Parameter | Description | Value |
---|---|---|
threshold | Specifies the checking threshold and event reporting threshold for attack source tracing. | The value is an integer that ranges from 1 to 65535, in pps. |
Usage Guidelines
Usage Scenario
After attack source tracing is enabled, you can set the checking threshold and event reporting threshold for attack source tracing. When the number of sent protocol packets from an attack source in a specified period exceeds the checking threshold, the device traces and logs the attack source.
Prerequisites
Attack source tracing has been enabled using the auto-defend enable command.
Precautions
If you run the auto-defend threshold command in the same attack defense policy view multiple times, only the latest configuration takes effect.
After the auto-defend enable command is executed, the device traces the attack source based on the default threshold even if the auto-defend threshold command is not used.
Example
# Set the checking threshold and event reporting threshold for attack source tracing in the attack defense policy named test to 200 pps.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-defend enable
[HUAWEI-cpu-defend-policy-test] auto-defend threshold 200
auto-defend trace-type
Function
The auto-defend trace-type command configures an attack source tracing mode.
The undo auto-defend trace-type command deletes an attack source tracing mode.
By default, attack source tracing is based on source IP addresses and source MAC addresses.
Format
auto-defend trace-type { source-mac | source-ip | source-portvlan } *
undo auto-defend trace-type { source-mac | source-ip | source-portvlan } *
Parameters
Parameter | Description | Value |
---|---|---|
source-mac | Configures attack source tracing based on source MAC addresses so that the device classifies and collects statistics based on the source MAC address and identifies the attack source. | - |
source-ip | Configures attack source tracing based on source IP addresses so that the device classifies and collects statistics based on the source IP address and identifies the attack source. | - |
source-portvlan | Configures attack source tracing based on source ports+VLANs so that the device classifies and collects statistics based on the source port and VLAN and identifies the attack source. | - |
Usage Guidelines
Usage Scenario
After enabling attack source tracing, you can specify one or more attack source tracing modes. The device then uses the specified modes to trace attack sources.
The device supports the following attack source tracing modes:
- Source IP address-based tracing: defends against Layer 3 attack packets.
- Source MAC address-based tracing: defends against Layer 2 attack packets with a fixed source MAC address.
- Source port+VLAN based tracing: defends against Layer 2 attack packets with different source MAC addresses.
Prerequisites
Attack source tracing has been enabled using the auto-defend enable command.
Precautions
In VXLAN scenarios, the source port+VLAN based tracing mode is not supported. In addition, if the tunnel-side interface resides on the ET1D2X48SEC0 card, the source IP address-based tracing mode is not supported.
Table 14-23 lists the attack source tracing modes supported for different types of packets.
Packet Type | Attack Source Tracing Mode |
---|---|
802.1X | Based on source MAC addresses and based on source ports+VLANs |
ARP, DHCP, IGMP, ND, DHCPv6, MLDv6 | Based on source MAC addresses, based on source IP addresses, and based on source ports+VLANs |
ICMP, TTL-expired, Telnet, TCP, UDP | Based on source IP addresses and based on source ports+VLANs |
If you run this command multiple times, only the latest configuration takes effect.
A switch supports different sets of attack source tracing modes for different protocol packets. For details, see Table 14-23 above.
After the attack source tracing function is enabled on the device, you can run the display auto-defend attack-source command to view attack source tracing information if an attack occurs.
When the attack source tracing mode is source-ip and action is error-down, if multiple interfaces receive the attack packets with the same source IP address and the packet rate exceeds the threshold, the switch shuts down only one interface, and then checks packet rate again. If the packet rate is still higher than the threshold, the switch shuts down another interface. The switch repeats the operations until the packet rate falls below the threshold.
auto-defend whitelist
Function
The auto-defend whitelist command configures an attack source tracing whitelist. The switch does not trace the source of users in the whitelist.
The undo auto-defend whitelist command deletes an attack source tracing whitelist.
By default, no whitelist is configured for attack source tracing. If any of the following conditions is met, however, the switch uses the condition as the whitelist matching rule, regardless of whether attack source tracing is enabled. After attack source tracing is enabled, the switch does not perform attack source tracing for the packets matching such rules.
- If an application uses the TCP protocol and has set up a TCP connection with the switch, the switch will not consider TCP packets with the matching source IP address as attack packets. If no TCP packets match a source IP address within 1 hour, the rule that specifies this source IP address will be aged out.
- If an interface has been configured as a DHCP trusted interface using the dhcp snooping trusted command, the switch will not consider DHCP packets received from this interface as attack packets.
- If an interface has been configured as a MAC forced forwarding (MFF) network-side interface using the mac-forced-forwarding network-port command, the switch will not consider ARP packets received from this interface as attack packets.
For the preceding conditions, the switch supports a maximum of 16 whitelist matching rules based on source IP addresses and interfaces, and a maximum of 8 whitelist matching rules based on source IP addresses of TCP packets.
Format
auto-defend whitelist whitelist-number { acl acl-number | interface interface-type interface-number }
undo auto-defend whitelist whitelist-number [ acl acl-number | interface interface-type interface-number ]
Parameters
Parameter | Description | Value |
---|---|---|
whitelist-number | Specifies the number of a whitelist. | The value is an integer that ranges from 1 to 32. |
acl acl-number | Specifies the number of an ACL referenced by a whitelist. | The value is an integer that ranges from 2000 to 4999. |
interface interface-type interface-number | Specifies the interface to which the whitelist is applied. | - |
Usage Guidelines
Usage Scenario
Attack source tracing helps locate and punish sources of denial of service (DoS) attacks. If some users do not need to be traced regardless of whether an attack occurs, run the auto-defend whitelist command to configure a whitelist for users.
Prerequisites
Attack source tracing has been enabled using the auto-defend enable command.
Precautions
Before referencing an ACL in a whitelist, create the ACL and configure rules.
If the ACL referenced by the whitelist specifies some protocols, ensure that packets of these protocols can be traced. You can run the display auto-defend configuration command to view the protocols supported by attack source tracing. If a protocol is not supported by attack source tracing, you can run the auto-defend protocol command to configure attack source tracing to support the protocol.
Example
# Add source IP addresses 10.1.1.1 and 10.1.1.2 to the attack source tracing whitelist.
<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule permit source 10.1.1.1 0
[HUAWEI-acl-basic-2000] rule permit source 10.1.1.2 0
[HUAWEI-acl-basic-2000] quit
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-defend enable
[HUAWEI-cpu-defend-policy-test] auto-defend whitelist 1 acl 2000
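The auto-defend commands described in the preceding sections are normally configured together in a single attack defense policy and then applied, because attack source tracing in a policy takes effect only once the policy is applied in the system view or slot view. The following sequence is an added example and is not part of the original reference. It builds a policy named trace that traces ARP, DHCP, ICMP, TCP, and Telnet packets by source IP address, source MAC address, and source port+VLAN, samples one packet in three, raises the checking threshold to 100 pps, reports events, exempts a management host and an uplink from tracing, and discards traffic from any identified attack source for 10 minutes. The policy name, ACL 2001, the address 10.1.1.10, the interface number GE1/0/48, and the use of the cpu-defend-policy command with the global keyword (documented in its own section of this reference, not on this page) are assumptions made for the example.

```text
<HUAWEI> system-view
# Whitelist the management host (constructed address 10.1.1.10) so that it is never traced or punished.
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule permit source 10.1.1.10 0
[HUAWEI-acl-basic-2001] quit
# Create the policy and enable tracing first; the remaining auto-defend commands require it.
[HUAWEI] cpu-defend policy trace
[HUAWEI-cpu-defend-policy-trace] auto-defend enable
# Trace only the protocols expected at this layer; each auto-defend protocol command replaces the previous list.
[HUAWEI-cpu-defend-policy-trace] auto-defend protocol arp dhcp icmp tcp telnet
# Use all three tracing modes so Layer 2 floods with changing source MACs are still caught by port+VLAN.
[HUAWEI-cpu-defend-policy-trace] auto-defend trace-type source-ip source-mac source-portvlan
# Sample 1 in 3 packets (default 5): more accurate at a higher threshold, at some CPU cost.
[HUAWEI-cpu-defend-policy-trace] auto-defend attack-packet sample 3
[HUAWEI-cpu-defend-policy-trace] auto-defend threshold 100
[HUAWEI-cpu-defend-policy-trace] auto-defend alarm enable
# Whitelist 1 references the ACL; whitelist 2 exempts the assumed uplink GE1/0/48.
[HUAWEI-cpu-defend-policy-trace] auto-defend whitelist 1 acl 2001
[HUAWEI-cpu-defend-policy-trace] auto-defend whitelist 2 interface gigabitethernet 1/0/48
# Punish identified sources by dropping their packets for 600 seconds (default 300).
[HUAWEI-cpu-defend-policy-trace] auto-defend action deny timer 600
Info: This configuration may cause packet loss.
[HUAWEI-cpu-defend-policy-trace] quit
# Apply the policy; nothing in it takes effect until this step.
[HUAWEI] cpu-defend-policy trace global
# Verify the effective protocol list and, after an attack, the identified sources.
[HUAWEI] display auto-defend configuration
[HUAWEI] display auto-defend attack-source
```

The deny action is chosen over error-down because shutting an interface also cuts off legitimate users behind it; if error-down is preferred, configure error-down auto-recovery cause auto-defend interval first, since the page notes that the recovery timer does not apply to an interface that is already in the error-down state. If auto-defend threshold is later lowered well below the default of 60 pps, lower the sampling ratio as well, because the page warns that sampling error grows as the threshold shrinks.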
auto-port-defend aging-time
Function
The auto-port-defend aging-time command configures the aging time for port attack defense.
The undo auto-port-defend aging-time command restores the default aging time for port attack defense.
By default, the aging time for port attack defense is 300 seconds.
Parameters
Parameter | Description | Value |
---|---|---|
aging-time time | Specifies the aging time for port attack defense. | The value is an integer that ranges from 30 to 86400, and must be a multiple of 10. The unit is second. |
Usage Guidelines
Usage Scenario
After a device with port attack defense function enabled detects an attack on a port, the device traces the source and limits the rate of the attack packets on the port within the aging time (T seconds). When the aging time expires, the device calculates the protocol packet rate on the port again. If the rate is still above the protocol rate threshold, the device keeps tracing the source and limits the rate of the attack packets; otherwise, the device stops the operations.
If the aging time is too short, the device frequently starts packet rate detection on ports, which consumes CPU resources. If the aging time is too long, protocol packets cannot be promptly processed by the CPU, which affects services. Therefore, you need to run the auto-port-defend aging-time command to set an appropriate aging time according to the CPU usage and service status.
Prerequisites
The port attack defense function has been enabled using the auto-port-defend enable command.
Precautions
If you run the auto-port-defend aging-time command multiple times in the same attack defense policy view, only the latest configuration takes effect.
auto-port-defend alarm enable
Function
The auto-port-defend alarm enable command enables the report of port attack defense events.
The undo auto-port-defend alarm enable command disables the report of port attack defense events.
By default, port attack defense events are not reported.
Usage Guidelines
Usage Scenario
If a port undergoes a DoS attack, the malicious attack packets sent from this port to the CPU occupy bandwidth. As a result, the CPU cannot process the protocol packets sent from other ports, and services are interrupted. In this situation, you can enable the report of port attack defense events. When the rate of protocol packets on a port exceeds the check threshold, the switch reports an event to notify the network administrator, so that the administrator can promptly take measures to protect the switch.
Prerequisites
The port attack defense function has been enabled using the auto-port-defend enable command.
Follow-up Procedure
Run the auto-port-defend protocol { all | arp-request | arp-reply | dhcp | icmp | igmp | ip-fragment } threshold threshold command to set the threshold for protocol packet check in port attack defense.
auto-port-defend enable
Function
The auto-port-defend enable command enables the port attack defense function.
The undo auto-port-defend enable command disables the port attack defense function.
By default, the port attack defense function is enabled.
Usage Guidelines
Usage Scenario
If an attacker initiates a DoS attack on a port, the malicious attack packets sent from this port to the CPU occupy bandwidth. As a result, the CPU cannot process the protocol packets sent from other ports, and services are interrupted.
The port attack defense function effectively limits the number of packets sent to the CPU, and prevents DoS attacks aiming at the CPU.
This function is enabled by default. If the number of packets received by a port within one second exceeds the protocol rate threshold, the device considers that an attack occurs on the port. Then the device traces the source and limits the rate of attack packets, and records an attack log to avoid impact on other ports.
Precautions
After the port attack defense function is enabled in an attack defense policy, the attack defense policy must be applied in the system view or slot view.
auto-port-defend protocol
Function
The auto-port-defend protocol command specifies the types of protocol packets to which port attack defense is applied.
The undo auto-port-defend protocol command cancels port attack defense for certain types of protocol packets.
By default, port attack defense is applicable to ARP Request, ARP Reply, DHCP, ICMP, IGMP, and IP fragment packets.
Format
auto-port-defend protocol { all | { arp-request | arp-reply | dhcp | icmp | igmp | ip-fragment } * }
undo auto-port-defend protocol { arp-request | arp-reply | dhcp | icmp | igmp | ip-fragment } *
Parameters
Parameter | Description | Value |
---|---|---|
all | Applies port attack defense to ARP Request, ARP Reply, DHCP, ICMP, IGMP, and IP fragment packets. | - |
arp-request | Applies port attack defense to ARP Request packets or cancels port attack defense for ARP Request packets. | - |
arp-reply | Applies port attack defense to ARP Reply packets or cancels port attack defense for ARP Reply packets. | - |
dhcp | Applies port attack defense to DHCP packets or cancels port attack defense for DHCP packets. | - |
icmp | Applies port attack defense to ICMP packets or cancels port attack defense for ICMP packets. | - |
igmp | Applies port attack defense to IGMP packets or cancels port attack defense for IGMP packets. | - |
ip-fragment | Applies port attack defense to IP fragment packets or cancels port attack defense for IP fragment packets. | - |
Usage Guidelines
Usage Scenario
By default, the device calculates the rate of all the protocol packets listed above (ARP Request, ARP Reply, DHCP, ICMP, IGMP, and IP fragment packets) received by a port, and traces the source and limits the rate of attack packets. If a protocol whose rate exceeds the threshold carries mostly legitimate traffic with only a few attack packets, run the undo auto-port-defend protocol command to cancel port attack defense for that protocol type. Rate-limiting too many protocols affects services.
Prerequisites
The port attack defense function has been enabled using the auto-port-defend enable command.
Precautions
If you run this command multiple times in the same attack defense policy view, only the latest configuration takes effect.
After port attack defense is applied to a type of protocol packets, the display auto-port-defend attack-source command can display the attack source tracing information if the port is attacked by the specified protocol packets.
auto-port-defend protocol threshold
Function
The auto-port-defend protocol threshold command sets the protocol packet rate threshold for port attack defense.
The undo auto-port-defend protocol threshold command restores the default protocol packet rate threshold for port attack defense.
The following table lists the default rate thresholds for different protocols.
Packet Type | Rate Threshold |
---|---|
arp-request | 60 pps for an LPU and 120 pps for a main control unit |
arp-reply | 60 pps for an LPU and 120 pps for a main control unit |
dhcp | 60 pps for an LPU and 120 pps for a main control unit |
icmp | 60 pps for an LPU and 120 pps for a main control unit |
igmp | 60 pps for an LPU and 120 pps for a main control unit |
ip-fragment | 30 pps |
Format
auto-port-defend protocol { all | arp-request | arp-reply | dhcp | icmp | igmp | ip-fragment } threshold threshold
undo auto-port-defend protocol { all | arp-request | arp-reply | dhcp | icmp | igmp | ip-fragment } threshold [ threshold ]
Parameters
Parameter | Description | Value |
---|---|---|
all | Sets the rate thresholds for ARP Request, ARP Reply, DHCP, ICMP, IGMP, and IP fragment packets. | - |
arp-request | Specifies the rate threshold for ARP Request packets. | - |
arp-reply | Specifies the rate threshold for ARP Reply packets. | - |
dhcp | Specifies the rate threshold for DHCP packets. | - |
icmp | Specifies the rate threshold for ICMP packets. | - |
igmp | Specifies the rate threshold for IGMP packets. | - |
ip-fragment | Specifies the rate threshold for IP fragment packets. | - |
threshold threshold | Specifies the protocol rate threshold. | The value is an integer that ranges from 1 to 65535, in pps. |
Usage Guidelines
Usage Scenario
After port attack defense is enabled on a port, the device calculates the rate of affected protocol packets received by the port. If the packet rate exceeds the protocol rate threshold, the device considers that an attack occurs. Then the device traces the source and limits the rate of attack packets on the port, and records a log. The device moves the packets within the protocol rate limit (CPCAR in attack defense policies) to the low-priority queue, and then sends them to the CPU. The device discards the excess packets.
You need to set an appropriate rate threshold for port attack defense according to service requirements. If the CPU fails to process many protocol packets promptly after port attack defense is enabled, set a large packet rate threshold. If the CPU is busy processing the packets of a protocol, set a small rate threshold for this protocol to avoid impact on other services.
Prerequisites
The port attack defense function has been enabled using the auto-port-defend enable command.
Precautions
If you run the auto-port-defend protocol threshold command multiple times in the same attack defense policy view, only the latest configuration takes effect.
auto-port-defend sample
Function
The auto-port-defend sample command sets the protocol packet sampling ratio for port attack defense.
The undo auto-port-defend sample command restores the default protocol packet sampling ratio for port attack defense.
By default, the protocol packet sampling ratio for port attack defense is 5. That is, one packet is sampled when every 5 packets are received.
Parameters
Parameter | Description | Value |
---|---|---|
sample sample-value | Specifies the protocol packet sampling ratio for port attack defense. | The value is an integer that ranges from 1 to 1024. |
Usage Guidelines
Usage Scenario
A device with port attack defense enabled identifies attacks by analyzing sampled packets. There may be errors in attack packet identification or packet rate calculation. Errors influence the attack defense effect. An appropriate sampling ratio helps you control attack defense accuracy.
A small sampling ratio improves attack defense accuracy, but consumes more CPU resources. When the sampling ratio is set to 1, the device analyzes every packet. The attack packets can be detected quickly, but CPU usage becomes high and services are affected. Therefore, make a balance between the attack defense requirement and CPU usage to decide a sampling ratio.
Prerequisites
The port attack defense function has been enabled using the auto-port-defend enable command.
Precautions
If the protocol packet rate threshold for port attack defense is set to a small value, the attack identification error caused by packet sampling ratio is large.
auto-port-defend whitelist
Function
The auto-port-defend whitelist command configures a whitelist for port attack defense.
The undo auto-port-defend whitelist command deletes a whitelist for port attack defense.
By default, no whitelist is configured for port attack defense. After a port is configured as a DHCP trusted port using the dhcp snooping trusted command, the device will not perform attack defense operations on the DHCP packets received by this port, regardless of whether port attack defense is enabled on this port.
Format
auto-port-defend whitelist whitelist-number { acl acl-number | interface interface-type interface-number }
undo auto-port-defend whitelist whitelist-number [ acl acl-number | interface interface-type interface-number ]
Parameters
Parameter | Description | Value |
---|---|---|
whitelist-number | Specifies the number of the whitelist configured for port attack defense. | The value is an integer that ranges from 1 to 32. |
acl acl-number | Specifies the number of the ACL applied to the whitelist. | The value of acl-number is an integer that ranges from 2000 to 4999. |
interface interface-type interface-number | Specifies the type and number of the interface to which the whitelist is applied. | - |
Usage Guidelines
Usage Scenario
The port attack defense function is enabled by default on the device, so the device calculates protocol packet rates on all interfaces, and traces the source and limits the rate of attack packets. In some services, network-side interfaces need to receive a lot of valid protocol packets. You should add these interfaces or network nodes connecting to these interfaces to the whitelist. The device does not trace the source or limit the rate of protocol packets received by the interfaces in the whitelist.
Prerequisites
The port attack defense function has been enabled using the auto-port-defend enable command.
Precautions
To define the whitelist using an ACL, you must create an ACL and configure rules for the ACL.
Before configuring an ACL whitelist for some protocols, ensure that the port attack defense function supports these protocols. Use the auto-port-defend protocol command to specify the protocols to which port attack defense is applied.
Example
# In the attack defense policy test, configure a whitelist that references an ACL. The ACL permits the packets from the users with IP addresses 10.1.1.1 and 10.1.1.2.
<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule permit source 10.1.1.1 0
[HUAWEI-acl-basic-2000] rule permit source 10.1.1.2 0
[HUAWEI-acl-basic-2000] quit
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-port-defend enable
[HUAWEI-cpu-defend-policy-test] auto-port-defend whitelist 1 acl 2000
# In the attack defense policy test, add interface GE1/0/1 to the whitelist for port attack defense.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-port-defend enable
[HUAWEI-cpu-defend-policy-test] auto-port-defend whitelist 1 interface gigabitethernet 1/0/1
blacklist
Function
The blacklist command configures a blacklist.
The undo blacklist command deletes a blacklist.
By default, no blacklist is configured.
Format
IPv4 blacklist:
blacklist blacklist-id acl acl-number1
undo blacklist blacklist-id
IPv6 blacklist:
blacklist blacklist-id acl ipv6 acl-number2
undo blacklist blacklist-id
Parameters
Parameter | Description | Value |
---|---|---|
blacklist-id | Specifies the ID of a blacklist. | The value is an integer that ranges from 1 to 8. |
acl acl-number1 | Specifies the number of an Access Control List (ACL) referenced by a blacklist. | The value is an integer that ranges from 2000 to 4999. |
acl ipv6 acl-number2 | Specifies the ACL matching the IPv6 blacklist. | The value of acl-number2 is an integer that ranges from 3000 to 3999. |
Usage Guidelines
To defend against malicious packet attacks, the device uses ACLs to add users with the specific characteristic into a blacklist and discards the packets from the users in the blacklist.
An attack defense policy can contain a maximum of eight blacklists (including IPv4 and IPv6 blacklists).
For X series cards, the discarded packet statistics collected by the display cpu-defend statistics command do not contain the statistics on the packets sent from blacklisted users. For other cards, packets sent from blacklisted users are discarded after traffic statistics are collected; therefore, you can run the display cpu-defend statistics command to view statistics on the packets sent from blacklisted users.
Example
# Specify ACL 2001 as the rule of blacklist 2.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] blacklist 2 acl 2001
Info: This configuration may cause packet loss.
# Apply ACL 3001 to IPv6 blacklist 3.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] blacklist 3 acl ipv6 3001
Info: This configuration may cause packet loss.
car (attack defense policy view)
Function
The car command sets the rate limit for packets sent to the CPU.
The undo car command restores the default rate limit for packets sent to the CPU.
By default, the CIR value for user-defined flows is 64 kbit/s. You can run the display cpu-defend configuration command to check the CAR values for protocol packets.
Format
car { packet-type packet-type | user-defined-flow flow-id } cir cir-value [ cbs cbs-value ]
undo car { packet-type packet-type | user-defined-flow flow-id }
Parameters
Parameter | Description | Value |
---|---|---|
packet-type packet-type | Specifies the type of packets. | The supported packet type depends on the device. |
user-defined-flow flow-id | Specifies the ID of the user-defined flow. | The value is an integer that ranges from 1 to 8. |
cir cir-value | Specifies the committed information rate (CIR). | The value is an integer. |
cbs cbs-value | Specifies the committed burst size (CBS). | The value is an integer. |
Usage Guidelines
Usage Scenario
The switch has default CAR values for each type of protocol packet. You can adjust CAR values for specified types of protocol packets based on services and network environment.
- Reduce the CAR values in the following situation: When a network undergoes an attack, reduce the CAR values of the corresponding protocol, to reduce impact on the system CPU.
- Increase the CAR values in the following situation: When service traffic volume on the network increases, a large number of protocol packets need to be sent to the CPU. Increase the CAR values of the corresponding protocols to meet service requirements.
Improper CPCAR settings will affect services on your network. If you need to adjust CPCAR settings, you are advised to contact technical support personnel for help.
For MPUs and X series cards, the device limits the rate of some protocol packets in pps mode. That is, the actual CPCAR value is the number of packets allowed to pass per second, which is calculated as follows:
CIR value x 1024/(8 x Packet length)
For example, if the CIR value of 802.1X packets is set to 64 kbit/s, 40 802.1X packets are allowed to pass per second. The number 40 is calculated as follows:
64 x 1024/(8 x 200) = 40.96 (rounded down to the integer 40)
The following table lists the types and lengths of packets that support rate limiting in pps mode.
Packet Length (Including Preamble and IFG) | Packet Type |
---|---|
88 | nac-arp-reply , nac-arp-request, 8021x, 8021x-wireless, 8021x-start-wlan, 8021x-ident-wlan, 8021x-start, 8021x-ident, nac-nd |
100 | eap-key, capwap-other, capwap-ap-update, capwap-keepalive |
120 | capwap-association, capwap-smart-roam, capwap-disassoc |
128 | hw-tacacs, wapi, capwap-rf-neighbor, capwap-regular-rep, capwap-ap-auth, capwap-license-mng, capwap-ac-auth |
152 | portal |
200 | wlan-not-capwap |
256 | capwap-discov-bc, capwap-discov-uc |
374 | nac-dhcp |
400 | dhcp-server, capwap-echo, radius, nac-dhcpv6 |
800 | sip |
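As an added example (not part of the Huawei command reference), the following Python carries the pps-mode calculation above through the packet lengths in the table and also inverts it, giving the smallest CIR that admits a required packet rate, which is what you need when raising a CAR value for a protocol that legitimately sends more packets than the default allows. The packet-type lengths are a subset copied from the table; the function names are this example's own.

```python
import math

# Packet lengths in bytes (including preamble and IFG) used for pps-mode
# rate limiting, copied from the table in the car command description.
PPS_MODE_PACKET_LENGTH = {
    "8021x": 88, "nac-arp-request": 88, "nac-arp-reply": 88, "nac-nd": 88,
    "eap-key": 100, "capwap-keepalive": 100,
    "hw-tacacs": 128, "portal": 152, "wlan-not-capwap": 200,
    "nac-dhcp": 374, "dhcp-server": 400, "radius": 400, "sip": 800,
}


def cpcar_pps(cir_kbps, packet_length):
    """Packets per second admitted by a CIR in pps mode.

    Implements the documented formula CIR x 1024 / (8 x packet length),
    rounded down to an integer as the reference states.
    """
    return (cir_kbps * 1024) // (8 * packet_length)


def min_cir_for_pps(target_pps, packet_length):
    """Smallest integer CIR (kbit/s) that admits at least target_pps packets per second.

    Inverse of cpcar_pps: solve CIR >= pps x 8 x length / 1024 and round up,
    so that cpcar_pps(result, packet_length) >= target_pps always holds.
    """
    return math.ceil(target_pps * 8 * packet_length / 1024)


def pps_budget(cir_kbps):
    """Admitted pps for every packet type in the table at a common CIR."""
    return {ptype: cpcar_pps(cir_kbps, length)
            for ptype, length in PPS_MODE_PACKET_LENGTH.items()}


if __name__ == "__main__":
    # The reference's own worked case: 64 kbit/s with a 200-byte packet -> 40 pps.
    print("64 kbit/s, 200-byte packets:", cpcar_pps(64, 200), "pps")
    # How much CIR a SIP (800-byte) flow needs to sustain 40 pps.
    print("CIR for 40 pps of sip:", min_cir_for_pps(40, 800), "kbit/s")
    for ptype, pps in sorted(pps_budget(64).items()):
        print(f"{ptype:18s} {pps:5d} pps at 64 kbit/s")
```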
Precautions
If you run the deny command and then the car command, the car command takes effect; if you run the car command, and then the deny command, the deny command takes effect.
When the actual and configured rates of packets sent to the CPU are large, the CPU usage may be high and the performance may deteriorate. In the worst situation, the CSS breaks.
Example
# Set the rate limit in the attack defense policy named test for ARP Reply packets: set the CIR value to 64 kbit/s and the CBS value to 33000 bytes.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] car packet-type arp-reply cir 64 cbs 33000
Warning: Improper parameter settings may affect stable operating of the system. Use this command under assistance of Huawei engineers. Continue? [Y/N]:y
cpu-defend application-apperceive enable
Function
The cpu-defend application-apperceive enable command enables active link protection (ALP). After the ALP is enabled, the CAR values of protocol packets set using linkup-car can take effect.
The undo cpu-defend application-apperceive enable command disables ALP.
By default, ALP is enabled on FTP, HTTP, HTTPS, SSH, TELNET, and TFTP packets and disabled on BGP and OSPF packets.
Format
cpu-defend application-apperceive [ bgp | ftp | http | https | ospf | ssh | telnet | tftp ] enable
undo cpu-defend application-apperceive [ bgp | ftp | http | https | ospf | ssh | telnet | tftp ] enable
Only the V200R013C00SPC500 version supports the http parameter.
Parameters
Parameter | Description | Value |
---|---|---|
bgp | Enables ALP on BGP packets. | - |
ftp | Enables ALP on FTP packets. | - |
http | Enables ALP on HTTP packets. | - |
https | Enables ALP on HTTPS packets. | - |
ospf | Enables ALP on OSPF packets. | - |
ssh | Enables ALP on SSH packets. | - |
telnet | Enables ALP on TELNET packets. | - |
tftp | Enables ALP on TFTP packets. | - |
Usage Guidelines
Usage Scenario
The default CAR value of BGP, FTP, HTTP, HTTPS, OSPF, SSH, TFTP, or TELNET protocol is small. When a switch uses these protocols to transfer files or set up connections with other hosts or devices, the number of protocol packets sharply increases in a short period. When the packet rate exceeds the limit, the protocol packets are dropped. The switch may also undergo attacks of other protocols. This affects data transmission and causes service interruption.
You can run the cpu-defend application-apperceive command to enable ALP, ensuring normal operation of BGP, FTP, HTTP, HTTPS, OSPF, SSH, TFTP, or TELNET services when attacks occur. When a connection is set up, the switch sends packets at the rate of the CPCAR value configured using the linkup-car command. The CPCAR value can be set as required.
Precautions
To enable the ALP function for a certain protocol, run the cpu-defend application-apperceive enable command to enable ALP globally. For example, before enabling ALP for the TFTP protocol, run the cpu-defend application-apperceive enable command, and then the cpu-defend application-apperceive tftp enable command to make the configuration take effect.
Before running the linkup-car command, you are advised to run the display cpu-defend configuration command to check the CIR value supported by the current protocol or displayed CIR value.
Example
# Enable ALP on BGP packets and set the CIR value to 256 kbit/s.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] linkup-car packet-type bgp cir 256
[HUAWEI-cpu-defend-policy-test] quit
[HUAWEI] cpu-defend application-apperceive enable
[HUAWEI] cpu-defend application-apperceive bgp enable
cpu-defend dynamic-car enable
Function
The cpu-defend dynamic-car enable command enables a switch to dynamically adjust the default CIR value for protocol packets.
The undo cpu-defend dynamic-car enable command disables a switch from dynamically adjusting the default CIR value for protocol packets.
By default, dynamic adjustment of the default CIR value is enabled globally, but the switch is disabled from dynamically adjusting the default CIR value for OSPF and ARP protocol packets.
Format
cpu-defend dynamic-car [ ospf | arp ] enable
undo cpu-defend dynamic-car [ ospf | arp ] enable
Parameters
Parameter | Description | Value |
---|---|---|
ospf | Enables the switch to dynamically adjust the default CIR value for OSPF protocol packets. | - |
arp | Enables the switch to dynamically adjust the default CIR value for ARP protocol packets. | - |
Usage Guidelines
Usage Scenario
A fixed default CIR value may not adapt to dynamic requirements on rate limiting for protocol packets. The cpu-defend dynamic-car enable command enables a switch to dynamically adjust the default CIR value for protocol packets.
If the default CIR value for a protocol has never been changed, the switch dynamically adjusts the default CIR value for the protocol packets based on service scale (for example, number of dynamic ARP entries) and CPU usage to meet various service requirements. For details, see Table 14-24, Table 14-25, and Table 14-26.
Number of ARP Entries | Adjusted CPCAR |
---|---|
Fewer than or equal to 512 | Unchanged |
More than 512 and fewer than or equal to 1024 | 128 kbit/s on the MPU and LPU (remain unchanged if the default CIR on the MPU and LPU is larger than 128 kbit/s) |
More than 1024 and fewer than or equal to 3072 | 256 kbit/s on the MPU and LPU |
More than 3072 and fewer than or equal to 4096 | 512 kbit/s on the MPU and LPU |
More than 4096 | 768 kbit/s on the MPU and 512 kbit/s on the LPU |
Number of OSPF Links (Number of OSPF Neighbors x Number of LSAs) | Adjusted CPCAR |
---|---|
Fewer than or equal to 350000 | Unchanged. 512 kbit/s on the MPU and 256 kbit/s on the LPU |
More than 350000 and fewer than or equal to 420000 | 768 kbit/s on the MPU and 384 kbit/s on the LPU |
More than 420000 | 1024 kbit/s on the MPU and 512 kbit/s on the LPU |
Number of OSPF Links (Number of OSPF Neighbors) | Adjusted CPCAR |
---|---|
Fewer than or equal to 64 | Unchanged. |
More than 64 and fewer than or equal to 128 | 256 kbit/s on the MPU and 128 kbit/s on the LPU |
More than 128 and fewer than or equal to 256 | 512 kbit/s on the MPU and 256 kbit/s on the LPU |
More than 256 and fewer than or equal to 384 | 768 kbit/s on the MPU and 384 kbit/s on the LPU |
More than 384 | 1024 kbit/s on the MPU and 512 kbit/s on the LPU |
When the number of entries increases, the CPCAR value is dynamically increased. When the CPU usage is between 70% and 98%, the dynamic CPCAR adjustment stops. If the CPU usage is greater than 98%, the default CPCAR value is used.
If ospf and arp are not specified, the switch is globally enabled to dynamically adjust the default CIR value of a protocol packet.
Precautions
The switch dynamically adjusts the default CIR value for OSPF or ARP protocol packets only when the function is enabled globally and on OSPF or ARP protocol packets.
The default CIR value dynamically adjusted only takes effect when the CIR value of the protocol packet is not manually changed.
After the default CPCAR setting is modified for OSPF, only the CIR value for OSPF and OSPF hello packets is adjusted.
After the default CPCAR setting is modified for ARP, only the CIR value for ARP reply, Unicast ARP request, and ARP request packets is adjusted.
cpu-defend host-car
Function
The cpu-defend host-car command specifies the packet type to which the user-level rate limiting is applied.
By default, the user-level rate limiting can apply to ARP Request, ARP Reply, ND, DHCP Request, DHCPv6 Request, and 8021x packets, but does not apply to IGMP and HTTPS-SYN packets.
Only the X series LPUs support this command.
Format
cpu-defend host-car { { arp | dhcp-request | dhcpv6-request | igmp | nd | 8021x | https-syn } * | all }
Parameters
Parameter | Description | Value |
---|---|---|
arp | Applies user-level rate limiting to ARP packets. | - |
dhcp-request | Applies user-level rate limiting to DHCP Request packets. | - |
dhcpv6-request | Applies user-level rate limiting to DHCPv6 Request packets. | - |
igmp | Applies user-level rate limiting to IGMP packets. | - |
nd | Applies user-level rate limiting to ND packets. | - |
8021x | Applies user-level rate limiting to 8021x packets. | - |
https-syn | Applies user-level rate limiting to HTTPS-SYN packets. | - |
all | Applies user-level rate limiting to ARP, DHCP Request, DHCPv6 Request, IGMP, ND, 8021x, and HTTPS-SYN packets. | - |
Usage Guidelines
Usage Scenario
By default, the switch limits the rates of the ARP, ND, DHCP Request, DHCPv6 Request, and 8021x packets received from user MAC addresses, including wired and wireless users, and discards excessive packets when the packet rates exceed the rate limit. If you need to limit the rate of only IGMP and HTTPS-SYN packets or packets of the specified types, specify the packet type.
Precautions
- Before using this command, run the cpu-defend host-car enable command to enable user-level rate limiting.
- If the command is run multiple times, the user-level rate limiting applies to the packet type specified in the last command. For example, if the command specifying ARP and DHCP Request packets is run, and then the cpu-defend host-car arp command is run, the user-level rate limiting applies to only ARP packets.
- After the cpu-defend host-car all command is run, the configuration file displays cpu-defend host-car 8021x arp dhcp-request dhcpv6-request https-syn igmp nd.
cpu-defend host-car enable
Usage Guidelines
Usage Scenario
User-side hosts are prone to virus attacks. Infected hosts may send a large number of protocol packets to network devices, causing a high CPU usage and degraded performance on the devices and affecting services. You can configure the user-level rate limiting to resolve this problem. User-level rate limiting identifies users by user MAC addresses and limits the rates of specified packets (ARP, ND, DHCP Request, DHCPv6 Request, IGMP, 802.1X, and HTTPS-SYN packets) for both wired and wireless users. By default, the threshold for each user MAC address is 10 pps.
The user-level rate limiting is more precise than CPCAR (based on card) and port attack defense (based on interface) because it is user-specific and has little impact on online users.
Precautions
It is recommended that you disable user-level rate limiting on the network-side interfaces of an access switch and a gateway switch. The user-level rate limiting is enabled on interfaces by default.
In the user-level rate limiting, the system performs a hash calculation for the source MAC addresses of specified packets, and places the packets into different buckets. Therefore, multiple users may share the rate limit. When traffic volume is heavy, packets may be dropped. If you confirm that these users are authorized, run the cpu-defend host-car mac-address mac-address command to increase the rate threshold for the specified MAC addresses.
cpu-defend host-car pps
Function
The cpu-defend host-car pps command sets the rate limit for the user-level rate limiting.
The undo cpu-defend host-car command restores the default rate limit for the user-level rate limiting.
By default, the rate limit for the user-level rate limiting is 10 pps.
Only the X series LPUs support this command.
Format
cpu-defend host-car [ mac-address mac-address | car-id car-id ] pps pps-value
undo cpu-defend host-car { mac-address mac-address | car-id car-id }
Parameters
Parameter | Description | Value |
---|---|---|
mac-address mac-address | Sets the rate limit for the specified MAC address. | - |
car-id car-id | Sets the rate limit for the specified bucket. | The value is an integer that ranges from 0 to 8191. |
pps pps-value | Indicates the rate limit. | The value is an integer that ranges from 1 to 128. |
Usage Guidelines
Usage Scenario
User-level rate limiting identifies users by user MAC addresses and limits the rates of specified packets (ARP, ND, DHCP Request, DHCPv6 Request, IGMP, 802.1X, and HTTPS-SYN packets) for both wired and wireless users. By default, the user-level rate limit is 10 pps. You can set a rate limit based on user.
Precautions
- Before using this command, run the cpu-defend host-car enable command to enable user-level rate limiting.
- If the rate limit is too high, attacks cannot be prevented and the CPU may be overloaded.
- If both the cpu-defend host-car mac-address mac-address pps pps-value and cpu-defend host-car pps pps-value commands are run, the rate limit for the specified MAC address is determined by the former command, and the rate limit for other MAC addresses is determined by the latter command.
- The user-level rate limiting performs a hash calculation for the source MAC addresses of specified packets, and places the packets into different buckets. When two user MAC addresses are mapped to the same bucket index, the two users share the same rate limit (in pps mode). If the two users modify the rate limit for the bucket simultaneously, the setting will be overwritten. To avoid this situation, the rate limit for the specified MAC address cannot be set upon hash conflict.
- When the cpu-defend host-car mac-address mac-address pps pps-value and cpu-defend host-car pps pps-value commands are run to configure the rate limit for multiple MAC addresses, the settings are displayed in the alphabetic order in the configuration file.
cpu-defend policy
Function
The cpu-defend policy command creates an attack defense policy and displays the attack defense policy view.
The undo cpu-defend policy command deletes an attack defense policy.
By default, the default attack defense policy exists on the device and is applied to all boards. The default attack defense policy cannot be deleted or modified.
Parameters
Parameter | Description | Value |
---|---|---|
policy-name | Specifies the name of an attack defense policy. | The value is a string of 1 to 31 case-insensitive characters without spaces. |
Usage Guidelines
Usage Scenario
A large number of packets including malicious attack packets are sent to the CPU on a network. If excess packets are sent to the CPU, the CPU usage becomes high and CPU performance deteriorates. The attack packets affect services and may even cause system breakdown. To solve the problem, create an attack defense policy and configure CPU attack defense and attack source tracing in the attack defense policy.
Precautions
The device supports a maximum of 33 attack defense policies, including the default attack defense policy. The default attack defense policy is generated in the system by default and is applied to all boards. The default attack defense policy cannot be deleted or modified. The other 32 policies can be created, modified, and deleted.
The configuration in a user-defined attack defense policy overrides the configuration in the default attack defense policy. If no parameter is set in the user-defined attack defense policy, the configuration in the default attack defense policy is used.
When the default attack defense policy is used, protocol packets sent to the CPU and user-defined flows are limited based on the default CIR value.
cpu-defend-policy
Function
The cpu-defend-policy command applies an attack defense policy.
The undo cpu-defend-policy command cancels the application of an attack defense policy.
By default, the default attack defense policy is applied to all cards.
Format
System view
cpu-defend-policy policy-name [ global ]
undo cpu-defend-policy [ policy-name ] [ global ]
Slot view
cpu-defend-policy policy-name
undo cpu-defend-policy [ policy-name ]
Parameters
Parameter | Description | Value |
---|---|---|
policy-name global | Applies an attack defense policy to all LPUs. | The attack defense policy must already exist. |
policy-name | System view: applies an attack defense policy to a main control board. Slot view: applies an attack defense policy to an LPU. | The attack defense policy must already exist. |
Usage Guidelines
Usage Scenario
The packets destined for the CPU can be directly sent to the main control board, or sent to the main control board through LPUs. Therefore, attack defense policies must be configured on both the main control board and LPUs.
Before applying attack defense policies, check attack information on the main control board and LPUs, for example, source IP addresses of attack packets and attack packet types. If the attack information on the main control board and LPUs is consistent, apply the same attack defense policy to the main control board and LPUs; otherwise, apply different policies to them.
- Apply an attack defense policy to a main control board.
- Apply an attack defense policy to LPUs.
  - If all LPUs process the same service, apply an attack defense policy to all LPUs.
  - If LPUs process different services, apply an attack defense policy to a specified LPU.
Prerequisites
An attack defense policy has been created by using the cpu-defend policy command.
Precautions
- When the cpu-defend-policy command is executed in the system view, if global is not specified, the attack defense policy is applied to the MPU; if global is specified, the attack defense policy is applied to all LPUs.
- When the cpu-defend-policy command is executed in the slot view, you cannot specify global. The attack defense policy is applied to the LPU in the slot.
If the parameters such as the threshold and sampling ratio are specified in attack defense policies, the parameter values set for the main control board must be larger than those set for LPUs.
If an attack defense policy is applied to an LPU, the blacklist, whitelist, and user-defined flow take effect for only the packets destined for CPUs of LPUs. If an attack defense policy is applied to the main control board, the blacklist, whitelist, and user-defined flow take effect for only the packets destined for CPUs of the main control boards.
Only one attack defense policy can be applied to a card.
Example
# Apply the attack defense policy test to the main control board (system view, without global).
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] quit
[HUAWEI] cpu-defend-policy test
# Apply the attack defense policy test to all LPUs (system view, with global).
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] quit
[HUAWEI] cpu-defend-policy test global
# Apply the attack defense policy test to the LPU in slot 3 (slot view).
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] quit
[HUAWEI] slot 3
[HUAWEI-slot-3] cpu-defend-policy test
cpu-defend trap drop-packet
Function
The cpu-defend trap drop-packet command enables alarm reporting for packet loss caused by CPCAR exceeding.
The undo cpu-defend trap drop-packet command restores the default configuration.
By default, the system does not report alarms for packet loss caused by CPCAR exceeding.
Usage Guidelines
Usage Scenario
To protect the CPU, a switch limits the rate of protocol packets sent to the CPU based on the CPCAR. If the rate of protocol packets exceeds the CPCAR, excess protocol packets are dropped. As a result, the corresponding service may not run normally. To quickly detect packet loss caused by CPCAR exceeding, you can use this command to enable alarm reporting for this event. After this function is enabled, the switch checks for packet loss caused by CPCAR at 10-minute intervals. If the switch finds that the number of dropped packets of a protocol increases, the switch reports a packet loss alarm.
Precautions
After this alarm reporting function is enabled, the switch reports packet loss alarms based on protocol types. That is, if the rates of packets of multiple protocols exceed the CPCAR values set for these protocols, the switch reports an alarm for each protocol.
deny
Function
The deny command configures the device to discard packets sent to the CPU.
The undo deny command restores the default action taken for the packets sent to the CPU.
By default, the device does not discard packets sent to the CPU. Instead, the device limits the rate of packets sent to the CPU and user-defined flows using the default rate. You can check the CAR values of each type of packets using the display cpu-defend configuration command.
Format
deny { packet-type packet-type | user-defined-flow flow-id }
undo deny { packet-type packet-type | user-defined-flow flow-id }
Parameters
Parameter | Description | Value |
---|---|---|
packet-type packet-type | Specifies the type of the packet to be discarded. | The supported packet type depends on the device. |
user-defined-flow flow-id | Specifies the ID of the user-defined flow to be discarded. | The value is an integer that ranges from 1 to 8. |
Usage Guidelines
Usage Scenario
After an attack defense policy is created, if the device receives attack packets of a specified type or a large number of packets sent to the CPU, run the deny command to configure the device to discard packets of the specified type sent to the CPU.
Precautions
If you run the deny command, and then the car command, the car command takes effect; if you run the car command, and then the deny command, the deny command takes effect. After the undo deny command is executed, the default action for packets sent to the CPU is restored, that is, CIR and CBS actions are performed.
description (attack defense policy view)
Function
The description command configures the description of an attack defense policy.
The undo description command deletes the description of an attack defense policy.
By default, no description is configured for an attack defense policy.
Parameters
Parameter | Description | Value |
---|---|---|
text | Specifies the content of a description. | It is a string of 1 to 63 case-sensitive characters with spaces. |
Usage Guidelines
Usage Scenario
The description command configures the description of an attack defense policy, for example, the usage or application scenario of the attack defense policy. The description is used to differentiate attack defense policies.
Precautions
If you run the description command in the same attack defense policy view multiple times, only the latest configuration takes effect.
display auto-defend attack-source
Format
display auto-defend attack-source [ history [ begin begin-date begin-time ] [ slot slot-id ] | [ slot slot-id ] [ detail ] ]
Parameters
Parameter | Description | Value |
---|---|---|
history | Displays the history attack source information. If history is not specified, all existing attack source information is displayed. | - |
begin begin-date begin-time | Specifies the start time. | begin-date is in the format YYYY/MM/DD. begin-time is in the format HH:MM:SS. The value of YYYY/MM/DD ranges from 2000/1/1 to 2099/12/31. The value of HH:MM:SS ranges from 00:00:00 to 23:59:59. |
slot slot-id | Specifies a slot ID. | The value must be set according to the device configuration. |
detail | Displays detailed information about the attack sources, including the type of attack packets. If detail is not specified, brief information about the attack sources is displayed. | - |
Usage Guidelines
The display auto-defend attack-source command displays the attack sources.
If slot slot-id is not specified, information about attack sources on the MPU is displayed.
Example
# Display the attack source list on the MPU.
<HUAWEI> display auto-defend attack-source
Attack Source User Table (MPU):
-----------------------------------------------------------------------------
MacAddress       InterfaceName         Vlan:Outer/Inner  TotalPackets
-----------------------------------------------------------------------------
0000-c103-0102   GigabitEthernet1/0/1  100               1395
-----------------------------------------------------------------------------
Total: 1
Attack Source Port Table (MPU):
------------------------------------------------------------
InterfaceName         Vlan:Outer/Inner  TotalPackets
------------------------------------------------------------
GigabitEthernet1/0/1  100               605
------------------------------------------------------------
Total: 1
Attack Source IP Table (MPU):
----------------------------------------------------------------------
IPAddress                                TotalPackets
----------------------------------------------------------------------
2:2:2:2:2:2:2:2                          1395
----------------------------------------------------------------------
Total: 1
# Display detailed information about the attack source list.
<HUAWEI> display auto-defend attack-source detail
Attack Source User Table (MPU):
----------------------------------------------------
MAC Address          0000-c103-0102
Interface            GigabitEthernet1/0/1
VLAN: Outer/Inner    100
ARP: 1580
Total                1580
----------------------------------------------------
Total: 1
Attack Source Port Table (MPU):
----------------------------------------------------
Interface            GigabitEthernet1/0/1
VLAN: Outer/Inner    100
ARP: 790
Total                790
----------------------------------------------------
Total: 1
Attack Source IP Table (MPU):
---------------------------------------------------------------------------
IP address           2:2:2:2:2:2:2:2
ARP: 1580
Total                1580
---------------------------------------------------------------------------
Total: 1
# Display information about attack sources on the LPU in slot 1.
<HUAWEI> display auto-defend attack-source slot 1
Attack Source User Table (slot 1):
-----------------------------------------------------------------------------
MacAddress InterfaceName Vlan:Outer/Inner TotalPackets
-----------------------------------------------------------------------------
0000-c103-0102 GigabitEthernet1/0/1 100 1395
-----------------------------------------------------------------------------
Total: 1
Attack Source Port Table (slot 1):
------------------------------------------------------------
InterfaceName Vlan:Outer/Inner TotalPackets
------------------------------------------------------------
GigabitEthernet1/0/1 100 605
------------------------------------------------------------
Total: 1
Attack Source IP Table (slot 1):
----------------------------------------------------------------------
IPAddress TotalPackets
----------------------------------------------------------------------
2:2:2:2:2:2:2:2 1395
----------------------------------------------------------------------
Total: 1
Item | Description |
---|---|
Attack Source User Table (MPU) | Source tracing information of MPU, which is distinguished according to the attack user. Slot X indicates information about attack sources on the interface card in slot X. |
Attack Source Port Table (MPU) | Source tracing information of MPU, which is distinguished according to the attacked interface. Slot X indicates information about attack sources on the interface card in slot X. NOTE: The device does not support attack source tracing based on source interfaces and VLANs for Layer 3 Ethernet interfaces. Therefore, this field does not contain the attack source tracing information of Layer 3 Ethernet interfaces. |
Attack Source IP Table (MPU) | Source tracing information of MPU, which is distinguished according to the attacked interface. Slot X indicates information about attack sources on the interface card in slot X. |
IPAddress | User IP address. |
MacAddress | MAC address of the user. |
InterfaceName | Name of the interface that initiates the attack. |
Interface | Name of the interface that initiates the attack. |
Vlan:Outer/Inner | ID of the VLAN that an interface belongs to. Outer indicates the outer VLAN ID and Inner indicates the inner VLAN ID. NOTE: This field displays - for the attack source tracing entries of Layer 3 Ethernet interfaces. |
TotalPackets | Total number of packets received by the device. |
<HUAWEI> display auto-defend attack-source history
S : start time
E : end time
Attack History User Table (MPU):
------------------------------------------------------------------------------
AttackTime MacAddress IFName Vlan:O/I Protocol PPS
------------------------------------------------------------------------------
S:2016-09-08 07:36:15 0000-c103-0102 GE1/0/0 100 ARP 40
E:-
------------------------------------------------------------------------------
Total: 1
Attack History Port Table (MPU):
---------------------------------------------------------------
AttackTime IFName Vlan:O/I Protocol PPS
---------------------------------------------------------------
S:2016-09-08 07:36:37 GE1/0/0 100 ARP 40
E:-
---------------------------------------------------------------
Total: 1
Attack History IP Table (MPU):
----------------------------------------------------------------------------
AttackTime IPAddress Protocol PPS
----------------------------------------------------------------------------
S:2016-09-08 07:36:15 2:2:2:2:2:2:2:2 ARP 40
E:-
----------------------------------------------------------------------------
Total: 1
Item | Description |
---|---|
Attack History User Table (MPU) | Information about attack sources on the main control board, which is distinguished according to attackers. |
Attack History Port Table (MPU) | Information about attack sources on the main control board, which is distinguished according to attacked interfaces. |
Attack History IP Table (MPU) | Information about attack sources on the main control board, which is distinguished according to attacked source IP addresses. |
AttackTime | Attack time. |
MacAddress | User MAC address. |
IPAddress | User IP address. |
IFName | Name of the interface that initiates the attack. |
Vlan:O/I | ID of the VLAN that an interface belongs to. The value O indicates the outer VLAN ID and the value I indicates the inner VLAN ID. |
Protocol | Attack type. |
PPS | Highest rate of attack packets. |
display auto-defend configuration
Function
The display auto-defend configuration command displays the attack source tracing configuration.
Parameters
Parameter | Description | Value |
---|---|---|
cpu-defend policy policy-name | Displays the attack source tracing configuration of a specified attack defense policy. | The value is a string of 1 to 31 case-sensitive characters without spaces. |
slot slot-id | Specifies a slot ID. | The value must be set according to the device configuration. |
mcu | Indicates the main control board. | - |
Usage Guidelines
After attack source tracing is configured in an attack defense policy, you can run the display auto-defend configuration command to view the attack source tracing configuration.
Example
# Display the attack source tracing configuration.
<HUAWEI> display auto-defend configuration slot 1
----------------------------------------------------------------------------
Name : test
Related slot : <1>
auto-defend : enable
auto-defend attack-packet sample : 5
auto-defend threshold : 60 (pps)
auto-defend alarm : enable
auto-defend trace-type : source-mac source-ip
auto-defend protocol : arp icmp dhcp igmp tcp telnet 8021x nd dhcpv6 mld icmpv6
auto-defend action : deny (Expired time : 300 s)
auto-defend whitelist 1 : acl number 2002
----------------------------------------------------------------------------
Item | Description |
---|---|
Name | Name of an attack defense policy. |
Related slot | ID of the slot to which the attack defense policy is applied. |
auto-defend | Whether attack source tracing is enabled. To enable attack source tracing, run the auto-defend enable command. |
auto-defend attack-packet sample | Packet sampling ratio for attack source tracing. To set the packet sampling ratio for attack source tracing, run the auto-defend attack-packet sample command. |
auto-defend threshold | Checking threshold for attack source tracing. To set the checking threshold for attack source tracing, run the auto-defend threshold command. |
auto-defend alarm | Whether the alarm function for attack source tracing is enabled. To enable the alarm function for attack source tracing, run the auto-defend alarm enable command. |
auto-defend trace-type | Attack source tracing mode: |
auto-defend protocol | Type of traced packets. To specify the types of protocol packets that the device monitors in attack source tracing, run the auto-defend protocol command. |
auto-defend action | Action taken on the attack source. The value can be: |
auto-defend whitelist 1 | Whitelist for attack source tracing. For related commands, see auto-defend whitelist. |
display auto-defend whitelist
Function
The display auto-defend whitelist command displays information about the attack source tracing whitelist.
Usage Guidelines
After the whitelist for attack source tracing is configured, or when you are locating faults on the network, run the display auto-defend whitelist command to verify the whitelist information. If no whitelist is configured, the command displays no whitelist information.
Example
# Display information about the attack source tracing whitelist on the card in slot 1.
<HUAWEI> display auto-defend whitelist slot 1
Protocol Interface IP ACL Status
-------------------------------------------------------------------------------
DHCP GE0/0/1 -- -- auto
DHCP GE0/0/2 -- -- auto
Item | Description |
---|---|
Protocol | Protocol type of the packets excluded from attack source tracing. |
Interface | Interface on which inbound packets are excluded from attack source tracing. |
IP | Source IP address of the packets excluded from attack source tracing. If no source IP address is specified in the whitelist rule, this field displays --. |
ACL | ACL number specified in a manually configured whitelist rule. If the whitelist rule is automatically delivered, this field displays --. |
Status | Type of the whitelist rule, which can be: |
display auto-port-defend attack-source
Function
The display auto-port-defend attack-source command displays source tracing information on interfaces.
Example
# Display the source tracing information on the interfaces of MPU.
<HUAWEI> display auto-port-defend attack-source
Attack source table on MPU:
Total : 1
--------------------------------------------------------------------------------
Interface VLAN Protocol Expire(s) PacketRate(pps) LastAttackTime
--------------------------------------------------------------------------------
GE1/0/1 NA arp-request 297 12 2013-07-06 17:36:54
--------------------------------------------------------------------------------
Item | Description |
---|---|
Attack source table on MPU | Source tracing information on the interfaces of MPU. |
Total | Number of source tracing records. |
Interface | Name of the attacked interface. |
VLAN | VLAN ID in attack packets. If the device does not support checking on VLAN IDs in attack packets, this field displays NA. |
Protocol | Attack packet type. |
Expire(s) | Remaining time of the aging time for port attack defense. NOTE: If the Expire(s) field of an entry displays 0, this entry will be deleted after a certain period (a maximum of 10 seconds). |
PacketRate(pps) | Rate of the last received attack packet. |
LastAttackTime | Time when the last attack packet is received. |
display auto-port-defend configuration
Function
The display auto-port-defend configuration command displays the configuration of port attack defense.
Example
# Display the configuration of port attack defense on the LPU in slot 1.
<HUAWEI> display auto-port-defend configuration slot 1
--------------------------------------------------------------------------------
Name : test
Related slot : 1
Auto-port-defend : enable
Auto-port-defend sample : 5
Auto-port-defend aging-time : 300 second(s)
Auto-port-defend arp-request threshold : 50 pps(enable)
Auto-port-defend arp-reply threshold : 50 pps(enable)
Auto-port-defend dhcp threshold : 50 pps(enable)
Auto-port-defend icmp threshold : 50 pps(enable)
Auto-port-defend igmp threshold : 50 pps(enable)
Auto-port-defend ip-fragment threshold : 50 pps(enable)
Auto-port-defend alarm : disable
--------------------------------------------------------------------------------
Item | Description |
---|---|
Name | Name of an attack defense policy. |
Related slot | ID of the slot to which the attack defense policy is applied. |
Auto-port-defend | Whether port attack defense is enabled. To enable the port attack defense function, run the auto-port-defend enable command. |
Auto-port-defend sample | Sampling ratio for protocol packets. To set this parameter, run the auto-port-defend sample command. |
Auto-port-defend aging-time | Aging time for port attack defense. To set this parameter, run the auto-port-defend aging-time command. |
Auto-port-defend arp-request threshold | Whether port attack defense is applied to ARP Request packets and rate threshold. To set this parameter, run the auto-port-defend protocol arp-request and auto-port-defend protocol arp-request threshold threshold commands. |
Auto-port-defend arp-reply threshold | Whether port attack defense is applied to ARP Reply packets and rate threshold. To set this parameter, run the auto-port-defend protocol arp-reply and auto-port-defend protocol arp-reply threshold threshold commands. |
Auto-port-defend dhcp threshold | Whether port attack defense is applied to DHCP packets and rate threshold. To set this parameter, run the auto-port-defend protocol dhcp and auto-port-defend protocol dhcp threshold threshold commands. |
Auto-port-defend icmp threshold | Whether port attack defense is applied to ICMP packets and rate threshold. To set this parameter, run the auto-port-defend protocol icmp and auto-port-defend protocol icmp threshold threshold commands. |
Auto-port-defend igmp threshold | Whether port attack defense is applied to IGMP packets and rate threshold. To set this parameter, run the auto-port-defend protocol igmp and auto-port-defend protocol igmp threshold threshold commands. |
Auto-port-defend ip-fragment threshold | Whether port attack defense is applied to IP fragments and rate threshold. To set this parameter, run the auto-port-defend protocol ip-fragment and auto-port-defend protocol ip-fragment threshold threshold commands. |
Auto-port-defend alarm | Whether the report of port attack defense events is enabled. To set this parameter, run the auto-port-defend alarm enable command. |
display auto-port-defend statistics
Function
The display auto-port-defend statistics command displays packet statistics about port attack defense.
Usage Guidelines
You can run this command to view statistics about the packets discarded and accepted in the port attack defense service. The statistics help you understand protocol packet processing status and promptly adjust the attack defense policy.
Packet statistics on port attack defense are collected regardless of whether the port attack defense function is enabled on the MPU and LPUs. If port attack defense is disabled on the ports of the MPU but the LPUs generate port attack defense entries, packet statistics on port attack defense are still collected on the ports of the MPU. If port attack defense is disabled on the ports of the LPUs but the MPU generates port attack defense entries, packet statistics on port attack defense are still collected on the ports of the LPUs.
Example
# Display packet statistics on the interfaces of the MPU.
<HUAWEI> display auto-port-defend statistics
Statistics on MPU:
--------------------------------------------------------------------------------
Protocol Vlan Queue Cir(Kbps) Pass(Packet/Byte) Drop(Packet/Byte)
--------------------------------------------------------------------------------
icmp NA 2 256 23095 3 NA NA
--------------------------------------------------------------------------------
The preceding information is an example. The displayed packet type depends on the actual situation.
By default, the package function of ARP packets is enabled. To collect statistics about ARP packets on MPU interfaces where port attack defense is configured, disable the package function of ARP packets by running the arp message-cache disable command.
Item | Description |
---|---|
Statistics on MPU | Packet statistics on the interfaces of the MPU. |
Protocol | Attack packet type. |
Vlan | VLAN ID in attack packets. If the device does not support checking VLAN IDs in attack packets, this field displays NA. |
Queue | Queue from which attack packets are sent. |
Cir(Kbps) | Protocol rate limit (CPCAR in attack defense policies). To configure a CIR value, run the car packet-type packet-type cir cir-value command in the attack defense policy view. |
Pass(Packet/Byte) | Number and bytes of attack packets that pass through the device. The value 23095 indicates the number of accepted packets. The value NA indicates that the card does not support statistics collection by byte. |
Drop(Packet/Byte) | Number and bytes of attack packets discarded by the device. The value 3 indicates the number of discarded packets. The value NA indicates that the card does not support statistics collection by byte. |
display auto-port-defend whitelist
Function
The display auto-port-defend whitelist command displays information about the interface attack defense whitelist.
Usage Guidelines
After the whitelist for port attack defense is configured, or when you are locating faults on the network, run the display auto-port-defend whitelist command to verify the whitelist information. If no whitelist is configured, the command displays no whitelist information.
Example
# Display information about the interface attack defense whitelist.
<HUAWEI> display auto-port-defend whitelist slot 1
Protocol Interface IP ACL Status
-------------------------------------------------------------------------------
-- Eth-Trunk0 -- -- auto
-- GE0/0/1 -- -- manual
-- -- -- 2000 manual
Item | Description |
---|---|
Protocol | Protocol type of packets free from the interface attack defense action. If no packet protocol type is specified in the whitelist rule, this field displays --. |
Interface | Interface free from the attack defense action. If the whitelist is configured based on ACL rules, this field displays --. |
IP | Source IP address of packets free from the interface attack defense action. If the whitelist is configured based on interfaces or automatically delivered, this field displays --. |
ACL | ACL number specified in a manually configured whitelist rule. |
Status | Type of the whitelist rule, which can be: |
display cpu-defend applied
Function
The display cpu-defend applied command displays the actual CAR values for the protocol packets delivered to the chip.
Parameters
Parameter | Description | Value |
---|---|---|
packet-type packet-type | Specifies a packet type. | The supported packet type depends on the device. |
mcu | Indicates the main control board. | - |
slot slot-id | Specifies a slot ID. | The value must be set according to the device configuration. |
all | Indicates all boards, including main control boards and LPUs. | - |
Usage Guidelines
The actual CAR values may be different from the configured CAR values. The possible causes are as follows:
The CIR value specified in the car { packet-type packet-type | user-defined-flow flow-id } cir cir-value [ cbs cbs-value ] command is taken from a continuous range, but the CIR value the chip actually applies is discrete and depends on the chip granularity. For example, if the CIR value is set between 65 and 128 and the granularity is 64 kbit/s, the actual CIR value may be 64 or 128, depending on the product model.
The configured CIR value exceeds the chip capacity, that is, the upper limit the chip supports. For example, the CIR value is set to 10000, but the chip does not support CIR value 1000. Then the actual CIR value cannot reach 10000.
You can run the display cpu-defend applied command to view the actual CAR values for protocol packets.
When too much output information is to be displayed, specify the begin, exclude, or include parameter to display only the required information.
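The check described above can be automated: the following added example (not Huawei's code) parses the text of display cpu-defend applied, compares the configured and applied CIR of every packet type, and classifies each mismatch as a granularity effect or a chip-capacity limit. The sample output is constructed from the arp-request row on this page plus two constructed rows; the 64 kbit/s granularity is the figure the page cites, and snapping a configured CIR up to the next multiple of that granularity is an assumption made here, since the page says the chip may pick either 64 or 128 depending on the model.

```python
"""Added example (not Huawei's code): compare configured and applied CPCAR
values from 'display cpu-defend applied' output and classify each mismatch.
Sample text below is constructed: the arp-request row comes from this page,
the arp-reply and icmp rows (including the 8192 value) are made up."""
import re
from typing import NamedTuple

SAMPLE_OUTPUT = """\
Applied Car on slot 1:
-------------------------------------------------------------------------------
Packet Type     Cir(Kbps)  Cbs(Byte)  Applied Cir(Kbps)  Applied Cbs(Byte)
-------------------------------------------------------------------------------
arp-request     65         10000      128                10000
arp-reply       128        16000      128                16000
icmp            10000      10000      8192               10000
-------------------------------------------------------------------------------
"""


class AppliedCar(NamedTuple):
    packet_type: str
    cir: int
    cbs: int
    applied_cir: int
    applied_cbs: int


# A data row is one packet-type token followed by exactly four integers;
# the title, header and separator lines never match this pattern.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_applied_car(text: str) -> list[AppliedCar]:
    """Return one AppliedCar per data row of the command output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(AppliedCar(m.group(1), *map(int, m.group(2, 3, 4, 5))))
    return rows


def round_to_granularity(cir: int, granularity: int = 64) -> int:
    """Next multiple of the chip granularity at or above cir (assumed rounding)."""
    return -(-cir // granularity) * granularity


def classify_mismatches(rows, granularity: int = 64):
    """Return (packet_type, configured_cir, applied_cir, cause) for each row
    whose applied CIR differs from the configured one.

    'granularity'  the applied value is the configured one snapped to the step
    'chip limit'   the chip applied less than configured (above its capacity)
    'unexplained'  neither; worth raising with the vendor
    """
    findings = []
    for r in rows:
        if r.applied_cir == r.cir:
            continue
        if r.applied_cir == round_to_granularity(r.cir, granularity):
            cause = "granularity"
        elif r.applied_cir < r.cir:
            cause = "chip limit"
        else:
            cause = "unexplained"
        findings.append((r.packet_type, r.cir, r.applied_cir, cause))
    return findings


if __name__ == "__main__":
    for pt, cir, applied, cause in classify_mismatches(parse_applied_car(SAMPLE_OUTPUT)):
        print(f"{pt}: configured {cir} kbit/s, applied {applied} kbit/s ({cause})")
```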
Example
# Display the actual CAR values for ARP Request messages sent from the board in slot 1.
<HUAWEI> display cpu-defend applied packet-type arp-request slot 1
Applied Car on slot 1:
-------------------------------------------------------------------------------
Packet Type Cir(Kbps) Cbs(Byte) Applied Cir(Kbps) Applied Cbs(Byte)
-------------------------------------------------------------------------------
arp-request 65 10000 128 10000
-------------------------------------------------------------------------------
Item | Description |
---|---|
Applied Car on slot 1 | CAR value for protocol packets sent by a specified slot. |
Packet Type | Packet type. |
Cir(Kbps) | Configured committed information rate (CIR), in kbit/s. To set the CIR value, run the car (attack defense policy view) and linkup-car commands. |
Cbs(Byte) | Configured committed burst size (CBS) value, in bytes. To set the CBS value, run the car (attack defense policy view) and linkup-car commands. |
Applied Cir(Kbps) | Actual CIR value on the chip, in kbit/s. |
Applied Cbs(Byte) | Actual CBS value on the chip, in bytes. |
display cpu-defend configuration
Parameters
Parameter | Description | Value |
---|---|---|
packet-type packet-type | Specifies a packet type. | The supported packet type depends on the device. |
all | Indicates all boards, including main control boards and LPUs. | - |
slot slot-id | Specifies a slot ID. | The value must be set according to the device configuration. |
mcu | Indicates the main control board. | - |
Usage Guidelines
You can run the display cpu-defend configuration command to view the rate limit of protocol packets sent to the CPU. By default, the rate limit of protocol packets in the default policy is displayed.
Example
<HUAWEI> display cpu-defend configuration all
Car configurations on mainboard.
----------------------------------------------------------------------
Packet Name Status Cir(Kbps) Cbs(Byte) Queue Port-Type
----------------------------------------------------------------------
8021x Enabled 256 32000 3 NA
arp-mff Enabled 128 16000 3 NA
arp-miss Enabled 128 16000 3 NA
arp-reply Enabled 128 16000 3 NA
arp-request Enabled 128 16000 3 NA
bfd Enabled 512 64000 5 NA
bgp Enabled 512 64000 5 NA
bgp4plus Enabled 128 16000 5 NA
bpdu-tunnel Enabled 512 64000 5 NA
......
----------------------------------------------------------------------
Linkup Information:
--------------------------------------------------------------------------------
Packet Name : ftp
Cir(Kbps)/Cbs(Byte) : 4096/770048
SIP(SMAC) : 10.1.2.1
DIP(DMAC) : 10.1.3.1
Port(S/C) : 42372/22
--------------------------------------------------------------------------------
Car configurations on slot 2.
----------------------------------------------------------------------
Packet Name Status Cir(Kbps) Cbs(Byte) Queue Port-Type
----------------------------------------------------------------------
8021x Disabled 256 32000 3 NA
arp-mff Disabled 64 10000 3 NA
arp-miss Enabled 128 16000 3 NA
arp-reply Enabled 64 10000 3 UNI
arp-request Enabled 64 10000 3 UNI
bfd Disabled 256 32000 5 NNI
bgp Disabled 256 32000 5 NA
bgp4plus Disabled 128 32000 5 NA
bpdu-tunnel Disabled 128 16000 5 NA
...
----------------------------------------------------------------------
Linkup Information:
--------------------------------------------------------------------------------
Packet Name : ftp
Cir(Kbps)/Cbs(Byte) : 4096/770048
SIP(SMAC) : 10.1.2.1
DIP(DMAC) : 10.1.3.1
Port(S/C) : 42372/22
--------------------------------------------------------------------------------
The preceding information is an example. The displayed packet type depends on the actual situation.
Item | Description |
---|---|
Car configurations on mainboard | CAR configurations on the main control board. |
Car configurations on slot 2 | CAR configurations on slot 2. |
Packet Name | Packet type. |
Status | Protocol packet status: |
Cir(Kbps) | Committed Information Rate (CIR), in kbit/s. To set the CIR value, run the car (attack defense policy view) and linkup-car commands. |
Cbs(Byte) | Committed burst size (CBS), in bytes. To configure the CBS value, run the car (attack defense policy view) and linkup-car commands. |
Queue | Queue that protocol packets are sent to. |
Port-Type | Port type. The value can be UNI, NNI, or ENI. To configure the port type, run the port type and port-type commands. |
Linkup Information | Information about the protocol connection. NOTE: This information is displayed only when association of protocols is triggered. |
SIP(SMAC) | Source IP address or source MAC address. |
DIP(DMAC) | Destination IP address or destination MAC address. |
Port(S/C) | Source/Destination port number. |
display cpu-defend dynamic-car history-record
Function
The display cpu-defend dynamic-car history-record command displays historical records on dynamic adjustment of the default CIR value of protocol packets.
Usage Guidelines
After the default CIR value is set, you can run this command to view the historical records of adjusting the CPCAR value of protocol packets from 64 kbit/s to a specific value.
The granularity of each adjustment is 128 kbit/s on MPUs and 64 kbit/s on LPUs. If the default CPCAR value is greater than 64 kbit/s, the adjustments from 64 kbit/s to the default CPCAR value are only recorded but do not take effect.
Example
# Display the historical records on dynamic adjustment of the default CIR value of protocol packets.
<HUAWEI> display cpu-defend dynamic-car history-record
Global status : Enable
-------------------------------------------------------------------------------
Time Protocol Packet-type Slot CIR(Kbps) Status
-------------------------------------------------------------------------------
2012-08-24 11:28:10 arp arp-reply 0 128 Success
2012-08-24 11:28:08 arp arp-request 0 128 Success
2012-08-24 11:27:37 arp arp-reply 0 64 Success
2012-08-24 11:27:37 arp arp-request 0 64 Success
-------------------------------------------------------------------------------
Item | Description |
---|---|
Global status | The device is enabled to dynamically adjust the default CIR value of protocol packets. To enable the device to dynamically adjust the default CIR value of protocol packets, run the cpu-defend dynamic-car enable command. |
Time | Timestamps of the default CIR value of protocol packets that is dynamically adjusted. |
Protocol | Protocol name. To configure a protocol, run the cpu-defend dynamic-car [ ospf | arp ] command. |
Packet-type | Packet type. |
Slot | ID of the slot where the default CIR value is dynamically adjusted. |
CIR(Kbps) | Dynamically adjusted default CIR value, in kbit/s. If the default CIR value restores to the original default CIR value, NA is displayed. NOTE: When the rate of sending packets to the CPU is too large, the CPU becomes overloaded. The device restores the original default CIR value for protocol packets and this field is displayed as NA. |
Status | Result of dynamic adjustment. The value can be: |
display cpu-defend host-car statistics
Function
The display cpu-defend host-car statistics command displays the number of packets discarded in user-level rate limiting.
Only the X series LPUs support this command.
Parameters
Parameter | Description | Value |
---|---|---|
mac-address mac-address | Indicates the number of discarded packets from the specified MAC address. | - |
slot slot-id | Indicates the number of packets discarded by the specified card. | - |
Usage Guidelines
Usage Scenario
To view the number of packets discarded in the user-level rate limiting, run this command.
Precautions
- Before using this command, run the cpu-defend host-car enable command to enable user-level rate limiting.
- If the number of discarded packets is 0, the index is not displayed.
Example
# Display the number of packets discarded in the user-level rate limiting.
<HUAWEI> display cpu-defend host-car statistics
slot 0
car-id car-drop
--------------------------------------------
3192 740385
3347 7
4133 529474
4471 529477
5075 529476
5836 529474
6046 1001218
Item |
Description |
---|---|
slot |
Slot ID. |
car-id |
Bucket ID for rate limiting. |
car-drop |
Number of dropped packets whose rate exceeds the CAR. To configure the CAR value, run the cpu-defend host-car [ mac-address mac-address | car-id car-id ] pps pps-value command. |
display cpu-defend policy
Parameters
Parameter | Description | Value |
---|---|---|
policy-name | Displays the configuration of a specified attack defense policy. | The attack defense policy must already exist. |
Usage Guidelines
After an attack defense policy is created, you can run the display cpu-defend policy command to view the board that the attack defense policy is applied to and configurations of the attack defense policy.
Example
# Display information about all attack defense policies.
<HUAWEI> display cpu-defend policy
----------------------------------------------------------------
Name : default
Related slot : <4-6>
user-defined-flow default car Configuration : CIR(64) CBS(10000)
----------------------------------------------------------------
Name : test1
Related slot : <3>
user-defined-flow default car Configuration : CIR(64) CBS(10000)
----------------------------------------------------------------
Name : test
Description : defend_arp_attack
Related slot : <2,8>
user-defined-flow default car Configuration : CIR(64) CBS(10000)
# Display information about the attack defense policy named test.
<HUAWEI> display cpu-defend policy test
Description : defend_arp_attack
Related slot : <2,8>
WhiteList&Blacklist&UserDefineFlow Status :
Slot<2> : Success
Slot<8> : Success
Configuration :
Whitelist 1 ACL number : 2002
Blacklist 1 ACL number : 2001
User-defined-flow 1 ACL number : 2003
Car user-defined-flow 1 : CIR(5000) CBS(940000)
Car packet-type arp-request : CIR(128) CBS(24064)
Deny packet-type arp-reply
Port-type eni packet-type arp-request
Linkup-car packet-type ftp : CIR(5000) CBS(940000)
Item | Description |
---|---|
Name | Name of an attack defense policy. To configure an attack defense policy, run the cpu-defend policy command. |
Description | Description of an attack defense policy. To configure a description for an attack defense policy, run the description (attack defense policy view) command. |
Related slot | Board that an attack defense policy is applied to. |
user-defined-flow default car Configuration | Default configuration of a user-defined flow. To set the default configuration of a user-defined flow, run the car (attack defense policy view) command. |
WhiteList&Blacklist&UserDefineFlow Status | Status of the whitelist, blacklist, and user-defined flow. |
Slot<2> : Success | A whitelist, blacklist, and user-defined flow have been successfully configured on the board in slot 2. |
Whitelist 1 ACL number | Number of an ACL defined in whitelist 1. To configure a whitelist, run the whitelist command. |
Blacklist 1 ACL number | Number of an ACL defined in blacklist 1. To configure a blacklist, run the blacklist command. |
User-defined-flow 1 ACL number | Number of an ACL defined in user-defined flow 1. To configure a user-defined flow, run the user-defined-flow command. |
Car user-defined-flow 1 | CIR values of user-defined flow 1. To set the CIR values of user-defined flow 1, run the car (attack defense policy view) command. |
Car packet-type arp-request | CIR values of ARP Request packets. To set the CIR values for ARP Request packets, run the car (attack defense policy view) command. |
Deny packet-type arp-reply | ARP Reply packets are discarded. To configure the device to discard ARP Reply packets, run the deny command. |
Port-type eni packet-type arp-request | ARP Request packets are sent to the CPU through ENI ports. To enable the ENI ports to send ARP Request packets to the CPU, run the port type and port-type commands. |
Linkup-car packet-type ftp | CIR values of FTP packets after an FTP connection is set up. To set the CIR values of FTP packets after an FTP connection is set up, run the linkup-car and cpu-defend application-apperceive enable commands. |
Car all-packets pps | Rate limit for packets sent to the CPU of the MPU or an LPU. |
display cpu-defend port-type
Function
The display cpu-defend port-type command displays physical interfaces of Network-to-Network Interface (NNI), User-to-Network Interface (UNI), and Enhanced Network Interface (ENI) types.
Parameters
Parameter | Description | Value |
---|---|---|
slot slot-id | Specifies a slot ID. | The value must be set according to the device configuration. |
display cpu-defend rate
Function
The display cpu-defend rate command displays the rate of sending protocol packets to the CPU.
Parameters
Parameter | Description | Value |
---|---|---|
packet-type packet-type | Specifies a packet type. | The supported packet type depends on the device. |
all | Indicates all boards, including main control boards and LPUs. | - |
mcu | Indicates the main control board. | - |
slot slot-id | Specifies a slot ID. | The value must be set according to the device configuration. |
Usage Guidelines
You can run the display cpu-defend rate command to view the rate of sending protocol packets to the CPU when checking the configuration of an attack defense policy. In this way, you can determine which type of protocols may attack the CPU based on the rate.
To protect the CPU and keep other services running normally, the device measures the rate of protocol packets only during a fixed period after you run the display cpu-defend rate command and then shows the result on the terminal. After you run this command, a message asks you to wait for a moment.
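To turn this rate display into a quick triage step, the following added example (not Huawei's code) parses the output of display cpu-defend rate and ranks packet types by the number of packets per second the CPCAR is discarding, together with the share of offered packets that was dropped. The sample text is constructed from the arp-reply row on this page plus two made-up idle rows; the "Info: Please wait" line, the title and the separators are skipped by the parser.

```python
"""Added example (not Huawei's code): parse 'display cpu-defend rate' output
and rank packet types by CPCAR drop rate to see which protocol is pressuring
the CPU. Sample text is constructed: the arp-reply row is from this page,
the arp-request and bgp rows are made up."""
import re
from typing import NamedTuple

SAMPLE_OUTPUT = """\
<HUAWEI> display cpu-defend rate slot 1
Info: Please wait for a moment....
Cpu-defend rate on slot 1:
-------------------------------------------------------------------------------
Packet Type          Pass(bps)    Drop(bps)    Pass(pps)    Drop(pps)
-------------------------------------------------------------------------------
arp-reply            49504        86496        91           159
arp-request          1024         0            2            0
bgp                  0            0            0            0
-------------------------------------------------------------------------------
"""


class Rate(NamedTuple):
    packet_type: str
    pass_bps: int
    drop_bps: int
    pass_pps: int
    drop_pps: int


# A data row is one packet-type token followed by exactly four integers;
# the prompt, the wait message, the title, header and separators never match.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_cpu_defend_rate(text: str) -> dict[str, Rate]:
    """Return a mapping from packet type to its measured Rate."""
    rates = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            r = Rate(m.group(1), *map(int, m.group(2, 3, 4, 5)))
            rates[r.packet_type] = r
    return rates


def rank_suspects(rates, min_drop_pps: int = 1):
    """Packet types dropping at least min_drop_pps, most-dropped first.

    Each entry is (packet_type, drop_pps, drop_ratio); drop_ratio is the
    share of offered packets (pass + drop) that the CPCAR discarded, rounded
    to three decimals, and 0.0 when nothing was offered at all.
    """
    suspects = []
    for r in rates.values():
        if r.drop_pps >= min_drop_pps:
            offered = r.pass_pps + r.drop_pps
            ratio = r.drop_pps / offered if offered else 0.0
            suspects.append((r.packet_type, r.drop_pps, round(ratio, 3)))
    suspects.sort(key=lambda s: s[1], reverse=True)
    return suspects


if __name__ == "__main__":
    for pt, drop, ratio in rank_suspects(parse_cpu_defend_rate(SAMPLE_OUTPUT)):
        print(f"{pt}: {drop} pps dropped ({ratio:.0%} of offered packets)")
```

A packet type near the top of this list is the first candidate for checking its CPCAR with display cpu-defend applied and its sources with display auto-defend attack-source.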
Example
# Display the rate of ARP Reply packets sent from the LPU in slot 1 to the CPU.
<HUAWEI> display cpu-defend rate packet-type arp-reply slot 1
Info: Please wait for a moment....
Cpu-defend rate on slot 1:
-------------------------------------------------------------------------------
Packet Type Pass(bps) Drop(bps) Pass(pps) Drop(pps)
-------------------------------------------------------------------------------
arp-reply 49504 86496 91 159
-------------------------------------------------------------------------------
<HUAWEI> display cpu-defend rate mcu
Info: Please wait for a moment....
Cpu-defend rate on mainboard:
-------------------------------------------------------------------------------
Packet Type          Pass(bps)       Drop(bps)       Pass(pps)       Drop(pps)
-------------------------------------------------------------------------------
8021X                0               0               0               0
arp-miss             0               0               0               0
arp-reply            0               0               0               0
arp-request          0               0               0               0
bfd                  0               0               0               0
bgp                  0               0               0               0
bgp4plus             0               0               0               0
dhcp-client          0               0               0               0
dhcp-server          0               0               0               0
dhcpv6-reply         0               0               0               0
dhcpv6-request       0               0               0               0
dldp                 0               0               0               0
......
-------------------------------------------------------------------------------
The preceding information is an example. The displayed packet type depends on the actual situation.
Item | Description |
---|---|
Packet Type | Packet type. |
Pass(bps) | Number of bits forwarded to the CPU within one second. |
Drop(bps) | Number of bits discarded within one second. |
Pass(pps) | Number of packets forwarded to the CPU within one second. |
Drop(pps) | Number of packets discarded within one second. |
display cpu-defend statistics
Function
The display cpu-defend statistics command displays statistics about packets sent to the CPU.
Parameters
Parameter | Description | Value |
---|---|---|
packet-type packet-type | Displays statistics about the specified type of protocol packets sent to the CPU. packet-type specifies the packet type. | The supported packet type depends on the device. |
all | Displays statistics about packets sent to the CPU on all cards, including main control boards and LPUs. | - |
slot slot-id | Displays statistics about packets sent to the CPU on the card in the specified slot. | The value must be set according to the device configuration. |
mcu | Displays statistics about packets sent to the CPU on the main control board. | - |
Usage Guidelines
Usage Scenario
The display cpu-defend statistics command displays statistics about packets sent to the CPU, including forwarded and discarded packets. This helps network administrators configure attack defense policies.
Precautions
When MFF, VPLS, or NAC is enabled on the switch, the MPU counts ARP Reply packets together with ARP Request packets, both when limiting the rate of ARP Request packets and when collecting statistics about them.
Example
# Display statistics about packets sent to the CPU on the card in slot 1.
<HUAWEI> display cpu-defend statistics slot 1
Statistics on slot 1:
--------------------------------------------------------------------------------
Packet Type          Pass(Packet/Byte)    Drop(Packet/Byte)    Last-dropping-time
--------------------------------------------------------------------------------
8021x                0                    0                    -
                     0                    0
arp-mff              0                    0                    -
                     0                    0
arp-miss             0                    0                    -
                     0                    0
arp-reply            0                    0                    -
                     0                    0
arp-request          0                    0                    -
......
<HUAWEI> display cpu-defend statistics mcu
Statistics on mainboard:
--------------------------------------------------------------------------------
Packet Type          Pass(Packet/Byte)    Drop(Packet/Byte)    Last-dropping-time
--------------------------------------------------------------------------------
8021x                0                    0                    -
                     NA                   NA
8021x-ident          0                    0                    -
                     NA                   NA
8021x-ident-wlan     0                    0                    -
                     0                    0
8021x-start          0                    0                    -
                     NA                   NA
8021x-start-wlan     0                    0                    -
                     0                    0
8021x-wireless       0                    0                    -
                     0                    0
arp-miss             0                    0                    -
                     0                    0
arp-reply            969                  0                    -
                     NA                   NA
arp-request          177791               0                    -
                     NA                   NA
asdp                 0                    0                    -
                     0                    0
bfd                  0                    0                    -
                     0                    0
bgp                  0                    0                    -
                     0                    0
bgp4plus             0                    0                    -
                     0                    0
bpdu-tunnel          0                    0                    -
                     0                    0
capwap-ap-auth       0                    0                    -
                     0                    0
capwap-association   0                    0                    -
                     0                    0
capwap-disassoc      0                    0                    -
                     0                    0
capwap-discov-bc     0                    0                    -
                     NA                   NA
capwap-discov-uc     0                    0                    -
                     0                    0
......
<HUAWEI> display cpu-defend statistics packet-type arp-reply slot 1
Statistics on slot 1:
--------------------------------------------------------------------------------
Packet Type          Pass(Packet/Byte)    Drop(Packet/Byte)    Last-dropping-time
--------------------------------------------------------------------------------
arp-reply            3625354              5612376421           2013-09-26 12:05:37
                     377036776            583687147k
--------------------------------------------------------------------------------
Linkup statistics on slot 1:
--------------------------------------------------------------------------------
Packet Type          Pass(Packet/Byte)    Drop(Packet/Byte)    Last-dropping-time
--------------------------------------------------------------------------------
telnet               0                    0                    -
                     0                    0
--------------------------------------------------------------------------------
The preceding information is an example. The displayed packet type depends on the actual situation.
Item | Description |
---|---|
Statistics on slot 1 | CAR statistics about protocol packets sent to the CPU by the specified card. |
Statistics on mainboard | CAR statistics about protocol packets sent to the CPU by the main control board. NOTE: When a switch is configured with X series cards, statistics about both ARP Miss messages and ND Miss messages on the main control board are combined into the arp-miss field. |
Linkup statistics on slot 1 | CAR statistics about protocol packets sent to the CPU while a protocol connection is being set up (see the linkup-car command). |
Packet Type | Packet type. |
Pass(Packet/Byte) | Number of forwarded packets (first line) and bytes (second line). |
Drop(Packet/Byte) | Number of discarded packets (first line) and bytes (second line). NOTE: When a value exceeds 11 digits, it is shown with a trailing k, meaning the displayed digits are multiplied by 1000; when it exceeds 14 digits, with a trailing m, meaning multiplied by 1000000; when it exceeds 17 digits, with a trailing g, meaning multiplied by 1000000000. |
Last-dropping-time | Time at which a packet of this type was last dropped; shown as - when no packet of this type has been dropped. |
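The two-line layout and the k/m/g scaling above are easy to misread when this output is collected by a script. The following Python parser is an added example written for this page, not part of the product documentation or of Huawei software. It parses a constructed sample modelled on the output shown above (column widths are assumed, and treating NA as "no byte counter kept for this type" is an assumption), applies the k/m/g scaling rule, and lists the packet types whose CPCAR is dropping packets, which are the candidates for attack source tracing.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, laid out like the "display cpu-defend statistics
# packet-type arp-reply slot 1" output on this page, with two extra rows
# (8021x, arp-request) borrowed from the mainboard example. Column widths
# are an assumption; the parser keys on tokens, not positions.
SAMPLE = """\
Statistics on slot 1:
--------------------------------------------------------------------------------
Packet Type          Pass(Packet/Byte)    Drop(Packet/Byte)    Last-dropping-time
--------------------------------------------------------------------------------
8021x                0                    0                    -
                     NA                   NA
arp-reply            3625354              5612376421           2013-09-26 12:05:37
                     377036776            583687147k
arp-request          177791               0                    -
                     NA                   NA
--------------------------------------------------------------------------------
Linkup statistics on slot 1:
--------------------------------------------------------------------------------
Packet Type          Pass(Packet/Byte)    Drop(Packet/Byte)    Last-dropping-time
--------------------------------------------------------------------------------
telnet               0                    0                    -
                     0                    0
--------------------------------------------------------------------------------
"""

# Scale letters documented for this output: k = x1000, m = x1000000, g = x1000000000.
_SCALE = {"k": 10 ** 3, "m": 10 ** 6, "g": 10 ** 9}
_COUNTER = re.compile(r"^(\d+)([kmg])?$")


def parse_counter(token: str) -> Optional[int]:
    """'583687147k' -> 583687147000 (the switch dropped the low digits, so this is
    a floor); 'NA' -> None (assumption: no byte counter is kept for that type)."""
    if token == "NA":
        return None
    m = _COUNTER.match(token)
    if m is None:
        raise ValueError("not a CPCAR counter: %r" % token)
    return int(m.group(1)) * _SCALE.get(m.group(2) or "", 1)


@dataclass
class Row:
    section: str          # "Statistics on slot 1" or "Linkup statistics on slot 1"
    packet_type: str
    pass_pkts: int
    drop_pkts: int
    last_drop: str        # timestamp, or "-" when nothing has been dropped
    pass_bytes: Optional[int] = None
    drop_bytes: Optional[int] = None


def parse_cpu_defend_statistics(text: str) -> List[Row]:
    """Each packet type occupies two lines: packets (with timestamp), then bytes."""
    rows: List[Row] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or line.startswith("Packet Type"):
            continue
        if line.endswith(":"):
            section = line[:-1]
            continue
        tok = line.split()
        if len(tok) == 2:
            # byte line of the pair; it belongs to the most recent packet line
            rows[-1].pass_bytes = parse_counter(tok[0])
            rows[-1].drop_bytes = parse_counter(tok[1])
        else:
            # packet line: type, pass, drop, then the timestamp (which contains a space)
            rows.append(Row(section, tok[0], parse_counter(tok[1]) or 0,
                            parse_counter(tok[2]) or 0, " ".join(tok[3:])))
    return rows


def drop_report(rows: List[Row]) -> List[Row]:
    """Packet types that exceeded their CPCAR, worst first by drop ratio."""
    hit = [r for r in rows if r.drop_pkts > 0]
    return sorted(hit, key=lambda r: r.drop_pkts / (r.pass_pkts + r.drop_pkts), reverse=True)


if __name__ == "__main__":
    for r in drop_report(parse_cpu_defend_statistics(SAMPLE)):
        print(f"{r.section}: {r.packet_type} dropped {r.drop_pkts} packets "
              f"({r.drop_bytes} bytes), last drop at {r.last_drop}")
```

Feed the function the text captured from the switch after a reset cpu-defend statistics and a fixed interval, so the ratios describe that interval rather than the uptime of the card.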
display snmp-agent trap feature-name securitytrap all
Function
The display snmp-agent trap feature-name securitytrap all command displays the status of all traps on the security module.
Usage Guidelines
Usage Scenario
After the trap function of the security module is enabled, run the display snmp-agent trap feature-name securitytrap all command to check the status of all traps of the security module. Use the snmp-agent trap enable feature-name securitytrap command to enable the trap function of the security module.
Prerequisites
SNMP has been enabled. See snmp-agent.
Example
# Display all the traps of the security module.
<HUAWEI> display snmp-agent trap feature-name securitytrap all
------------------------------------------------------------------------------
Feature name: SECURITYTRAP
Trap number : 28
------------------------------------------------------------------------------
Trap name Default switch status Current switch status
hwStrackUserInfo on on
hwStrackIfVlanInfo on on
hwStrackSrcIpInfo on on
hwXQoSStormControlTrap on on
hwXQoSStormControlTrapExt on on
hwARPSGatewayConflict on on
hwARPSEntryCheck on on
hwARPSPacketCheck on on
hwARPSDaiDropALarm on on
hwARPGlobalSpeedLimitALarm on on
hwARPIfSpeedLimitALarm on on
hwARPVlanSpeedLimitALarm on on
hwARPMissGlobalSpeedLimitALarm on on
hwARPMissIfSpeedLimitALarm on on
hwARPMissVlanSpeedLimitALarm on on
hwARPSIPSpeedLimitALarm on on
hwARPSMACSpeedLimitALarm on on
hwARPMissSIPSpeedLimitALarm on on
hwArpIfRateLimitBlockALarm on on
hwIPSGDropALarm on on
hwICMPGlobalDropALarm on on
hwICMPIfDropALarm on on
hwStrackDenyPacket on on
hwStrackErrorDown on on
hwDefendCpcarDropPkt on on
hwMACsecFailNotify on on
hwStrackPortAtk on on
hwStrackUserAbnormal on on
hwOlcStartAlarm on on
hwOlcStopAlarm on on
Item | Description |
---|---|
Feature name | Name of the module that the traps belong to. |
Trap number | Number of traps. |
Trap name | Trap name. These are Huawei proprietary traps of the security module; see the snmp-agent trap enable feature-name securitytrap command for the event that triggers each trap. |
Default switch status | Default status of the trap function: on (enabled) or off (disabled). |
Current switch status | Current status of the trap function: on (enabled) or off (disabled). |
host-car disable
Function
The host-car disable command disables user-level rate limiting on interfaces.
The undo host-car disable command enables user-level rate limiting on interfaces.
By default, user-level rate limiting is enabled on all interfaces.
Only the X series LPUs support this command.
Usage Guidelines
Usage Scenario
By default, the switch performs user-level rate limiting on the users connecting to all interfaces. If you are sure that the users connecting to an interface are secure, you can disable user-level rate limiting on this interface.
Precautions
- Management interfaces do not support this command.
- Before using this command, run the cpu-defend host-car enable command to enable user-level rate limiting.
- After user-level rate limiting is disabled on an interface, the switch no longer limits the rate of packets received from any user MAC address on that interface and cannot protect the interface against attacks. An attack from one user on that interface can then also affect packets of the same type sent by other users.
linkup-car
Function
The linkup-car command sets the CPCAR value for packets of a protocol connection, including the Committed Information Rate (CIR) and Committed Burst Size (CBS).
The undo linkup-car command restores the default CPCAR rate limit.
By default, on the LPU the CIR and CBS for packets of BGP and OSPF connections are 512 kbit/s and 64000 bytes respectively, and the CIR and CBS for packets of FTP, HTTP, HTTPS, SSH, TELNET, and TFTP connections are 2048 kbit/s and 256000 bytes respectively.
By default, on the MPU the CIR and CBS for packets of BGP and OSPF connections are 512 kbit/s and 64000 bytes respectively, and the CIR and CBS for packets of FTP, HTTP, HTTPS, SSH, TELNET, and TFTP connections are 4096 kbit/s and 770048 bytes respectively.
Format
linkup-car packet-type { bgp | ftp | http | https | ospf | ssh | telnet | tftp } cir cir-value [ cbs cbs-value ]
undo linkup-car packet-type { bgp | ftp | http | https | ospf | ssh | telnet | tftp }
Only the V200R013C00SPC500 version supports the http parameter.
Parameters
Parameter | Description | Value |
---|---|---|
bgp | Indicates that the protocol type is BGP. | - |
ftp | Indicates that the protocol type is FTP. | - |
http | Indicates that the protocol type is HTTP. | - |
https | Indicates that the protocol type is HTTPS. | - |
ospf | Indicates that the protocol type is OSPF. | - |
ssh | Indicates that the protocol type is SSH. | - |
telnet | Indicates that the protocol type is TELNET. | - |
tftp | Indicates that the protocol type is TFTP. | - |
cir cir-value | Specifies the CIR value. | The value is an integer that ranges from 64 to 4294967295, in kbit/s. |
cbs cbs-value | Specifies the CBS value. | The value is an integer that ranges from 10000 to 4294967295, in bytes. |
Usage Guidelines
Usage Scenario
The default CPCAR values for BGP, FTP, HTTP, HTTPS, OSPF, SSH, TFTP, and TELNET are small. When the switch uses one of these protocols to transfer files or set up a connection with another host or device, the protocol's packet rate rises sharply for a short period, and packets above the limit are dropped. If the switch is being attacked through other protocols at the same time, valid packets are squeezed out further. Data transmission is affected and the service may be interrupted.
You can run the cpu-defend application-apperceive command to enable active link protection (ALP), which keeps BGP, FTP, HTTP, HTTPS, OSPF, SSH, TFTP, and TELNET services running when attacks occur. While a connection is being set up, the switch sends its packets to the CPU at the CPCAR value configured using the linkup-car command. Set this value as required.
Follow-up Procedure
Run the cpu-defend application-apperceive bgp enable command or the cpu-defend application-apperceive ospf enable command to enable ALP, which activates the rate limit set using the linkup-car command. By default, ALP is enabled for FTP, HTTP, HTTPS, TFTP, SSH, and TELNET packets and disabled for BGP and OSPF packets.
Precautions
You are advised to run the display cpu-defend configuration command to check the CIR value supported by the protocol being used before running the linkup-car command to set the rate limit.
ALP for BGP and OSPF is disabled in the initial configuration. Before these protocols are enabled, limit their packet rate using the car command; once connections are set up and ALP is enabled, the rate set using the linkup-car command applies.
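To see why the default CIR and CBS matter for a connection burst, the following Python simulation is an added example, not part of the product documentation or of Huawei software. It models a CPCAR as a single-rate token bucket (an assumption: this page states only the CIR and CBS, not the algorithm the switch implements), uses the page's default BGP values on an LPU (CIR 512 kbit/s, CBS 64000 bytes) against a constructed burst of 2000 BGP packets of 1500 bytes at 500 pps, and computes the smallest CIR at which that burst passes without drops, which is the value you would then set with linkup-car.

```python
from fractions import Fraction
from math import ceil


class Cpcar:
    """Assumed model of one CPCAR: a single-rate token bucket refilled at CIR
    (kbit/s) and capped at CBS (bytes). Exact rational arithmetic so that
    boundary cases (tokens == packet size) are not decided by float rounding."""

    def __init__(self, cir_kbps: int, cbs_bytes: int) -> None:
        self.rate = Fraction(cir_kbps * 1000, 8)   # bytes per second
        self.cbs = cbs_bytes
        self.tokens = Fraction(cbs_bytes)          # bucket starts full
        self.last = Fraction(0)

    def offer(self, t: Fraction, size: int) -> bool:
        """Packet of `size` bytes arrives at time t (seconds): True = pass, False = drop."""
        self.tokens = min(Fraction(self.cbs), self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def run_burst(cir_kbps: int, cbs_bytes: int, n_packets: int, size: int, pps: int):
    """Offer n_packets of `size` bytes, evenly spaced at pps packets/s, to a fresh
    CPCAR; return (passed, dropped)."""
    car = Cpcar(cir_kbps, cbs_bytes)
    passed = sum(car.offer(Fraction(i, pps), size) for i in range(n_packets))
    return passed, n_packets - passed


def cir_needed_kbps(burst_bytes: int, duration: Fraction, cbs_bytes: int) -> int:
    """Smallest CIR (kbit/s) whose bucket, starting full, can pay for `burst_bytes`
    arriving over `duration` seconds. Exact when the sender offers faster than CIR
    the whole time (the bucket never overflows); otherwise only a lower bound.
    Returns 0 when the CBS alone covers the burst."""
    need = Fraction(max(burst_bytes - cbs_bytes, 0), 1)
    if need == 0:
        return 0
    return ceil(need / duration * 8 / 1000)


if __name__ == "__main__":
    # BGP on an LPU with the page's defaults: CIR 512 kbit/s, CBS 64000 bytes.
    # Constructed burst: 2000 packets of 1500 bytes at 500 pps (6 Mbit/s offered).
    print("default BGP CPCAR (passed, dropped):", run_burst(512, 64000, 2000, 1500, 500))
    # Same burst after raising the CIR with linkup-car to the computed minimum.
    cir = cir_needed_kbps(2000 * 1500, Fraction(1999, 500), 64000)
    print("linkup-car cir", cir, "->", run_burst(cir, 64000, 2000, 1500, 500))
```

With the default values only 213 of the 2000 packets pass: the 64000-byte bucket is exhausted after 46 packets and the 512 kbit/s refill then admits roughly one packet in twelve. The larger bucket and rate of the file-transfer protocols (CBS 256000 bytes, CIR 2048 kbit/s on the LPU) admit 852 packets of the same burst, which is why the page recommends checking the supported CIR and raising it with linkup-car rather than relying on the defaults.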
port type
Function
The port type command configures the interface type. The interface type can be Network-to-Network Interface (NNI), User-to-Network Interface (UNI), or Enhanced Network Interface (ENI).
The undo port type command cancels the configuration.
By default, the interface type is NNI.
This command is not supported by X series cards.
Parameters
Parameter | Description | Value |
---|---|---|
uni | Indicates that the interface is a user-side interface on the device. |
- |
eni | Indicates that the interface is connected to another switch or to a user. An ENI supports all protocols that are supported by a UNI. |
- |
nni | Indicates that the interface is a network-side interface on the device. An NNI supports all protocol packets. |
- |
Views
40GE interface view, 100GE interface view, GE interface view, XGE interface view, port group view, Eth-Trunk interface view
Usage Guidelines
Usage Scenario
Generally, which protocol packets may be sent to the CPU is controlled by an ACL. Because the ACL applies to the whole device (or board), it cannot distinguish the packets received on different interfaces.
If an interface is attacked and the administrator stops the board from sending packets to the CPU, packets from the other interfaces on the board are blocked as well, disrupting communication through the device. If the administrator does not stop the board, the attack packets occupy the resources and valid packets cannot be sent to the CPU.
For example, OSPF is enabled on an interface, so the board sends OSPF packets to the CPU. If another interface on the board that does not run OSPF is attacked, the attack packets occupy the resources and valid OSPF packets cannot be processed; OSPF negotiation slows down or fails.
The port type command specifies the interface types according to the interface location. Interfaces of different types support different protocols and send only the packets of the supported protocols to the CPU. This reduces the workload of the CPU and provides flexible ways to protect the CPU.
Precautions
If you run the port type command multiple times, only the latest configuration takes effect.
Follow-up Procedure
This command differentiates packets from different types of interfaces so that the attack packets are denied and valid packets are forwarded. If an attack occurs, you can run the deny command to discard packets of a specified type or run the car (attack defense policy view) command to limit the rate of a specified type of protocol packets.
If interfaces on X series cards are members of an Eth-Trunk, the port type { uni | eni } command does not take effect on that Eth-Trunk.
port-type
Function
The port-type command maps interfaces to protocol types. The type can be User-to-Network Interface (UNI), Enhanced Network Interface (ENI), or Network-to-Network Interface (NNI).
The undo port-type command cancels the configuration.
To check from which interface type each protocol's packets are sent to the CPU by default, run the display cpu-defend configuration command.
This command is not supported by X series cards.
The XGE interface connected to ACU2 does not support this function.
The XGE interface connected to ET1D2IPS0S00, ET1D2FW00S00, ET1D2FW00S01 does not support this function.
Format
port-type { uni | eni | nni } packet-type packet-type
undo port-type [ uni | eni | nni ] packet-type packet-type
Parameters
Parameter | Description | Value |
---|---|---|
uni | Indicates that the interface is a user-side interface on the device. |
- |
eni | Indicates that the interface is connected to another switch or to a user. An ENI supports all protocols that are supported by a UNI. |
- |
nni | Indicates that the interface is a network-side interface on the device. An NNI supports all protocol packets. |
- |
packet-type packet-type | Specifies the protocol supported by an interface type. A protocol is mapped to only one interface type. |
The supported packet type depends on the device. |
Usage Guidelines
Usage Scenario
Generally, which protocol packets may be sent to the CPU is controlled by an ACL. Because the ACL applies to the whole device (or board), it cannot distinguish the packets received on different interfaces.
If an interface is attacked and the administrator stops the board from sending packets to the CPU, packets from the other interfaces on the board are blocked as well, disrupting communication through the device. If the administrator does not stop the board, the attack packets occupy the resources and valid packets cannot be sent to the CPU.
The port-type command maps protocols to interface types, and the port type command assigns each interface a type according to its location. Used together, the two commands make an interface send to the CPU only the packets of the protocols its type supports. This reduces the load on the CPU and provides a flexible way to protect it.
Protocol packets whose type is not mapped to UNI, ENI, or NNI are sent to the CPU from any interface on the device (board).
Procedure
After you run the port type command to configure interface types, run the port-type command to specify the protocols supported by the interfaces and the method to process the protocol packets.
Precautions
If you run the port-type command multiple times, only the latest configuration takes effect because a protocol is mapped to only one interface type.
Follow-up Procedure
This command differentiates packets from different types of interfaces so that the attack packets are denied and valid packets are forwarded. If an attack occurs, you can run the deny command to discard a specified type of packets. When receiving packets of the type, the interfaces discard these packets. You can also run the car (attack defense policy view) command to limit the rate of attack packets of a specified type.
reset auto-defend attack-source
Parameters
Parameter | Description | Value |
---|---|---|
history | Deletes history attack source information. If history is not specified, all existing attack source information is deleted. |
- |
slot slot-id | Specifies a slot ID. If slot slot-id is not specified, information about attack sources on the main control board is cleared. |
The value must be set according to the device configuration. |
Usage Guidelines
Usage Scenario
To view the latest attack source information on the device, run the reset auto-defend attack-source command to delete the existing attack source information, wait for a period, and run the display auto-defend attack-source command.
To delete history attack source information, run the reset auto-defend attack-source history command.
Precautions
After the reset auto-defend attack-source command is run, information about attack sources is cleared and cannot be restored.
reset auto-defend attack-source trace-type
Function
The reset auto-defend attack-source trace-type command clears the counter of packets traced after attack source tracing based on source MAC addresses, source IP addresses, or source ports+VLANs is configured.
Format
reset auto-defend attack-source trace-type { source-mac [ mac-address ] | source-ip [ ipv4-address | ipv6 ipv6-address ] | source-portvlan [ interface interface-type interface-number vlan-id vlan-id [ cvlan-id cvlan-id ] ] } [ slot slot-id | mcu ]
Parameters
Parameter | Description | Value |
---|---|---|
source-mac [ mac-address ] | Clears the counter of packets traced after attack source tracing based on source MAC addresses is configured. If mac-address is specified, the counter of traced packets sent from the specified MAC address is cleared. |
The value of mac-address is in H-H-H format. An H contains 1 to 4 hexadecimal numbers. |
source-ip [ ipv4-address | ipv6 ipv6-address ] | Clears the counter of packets traced after attack source tracing based on source IP addresses is configured. If an IP address is specified, only the counter of traced packets sent from that address is cleared. | |
source-portvlan [ interface interface-type interface-number vlan-id vlan-id [ cvlan-id cvlan-id ] ] | Clears the counter of packets traced after attack source tracing based on source ports+VLANs is configured. If a port or VLAN is specified, only the counter of traced packets sent from that port or VLAN is cleared. | vlan-id is an integer that ranges from 1 to 4094. cvlan-id is an integer that ranges from 1 to 4094. |
slot slot-id | Specifies a slot ID. |
The value must be set according to the device configuration. |
mcu | Indicates the main control board. |
- |
Usage Guidelines
Usage Scenario
To view information about attack sources in a specified period, run the reset auto-defend attack-source command to clear existing information about attack sources and then run the display auto-defend attack-source command. However, the reset auto-defend attack-source command clears information about all attack sources. To clear information about specified attack sources only, run the reset auto-defend attack-source trace-type command.
Precautions
After the reset auto-defend attack-source trace-type command is run, information about attack sources is cleared and cannot be restored.
reset auto-port-defend statistics
Function
The reset auto-port-defend statistics command deletes packet statistics on port attack defense.
Parameters
Parameter | Description | Value |
---|---|---|
all | Deletes packet statistics of port attack defense on all MPUs and LPUs. If neither all nor slot slot-id is specified, the packet statistics on the interfaces of the MPU are deleted. |
- |
slot slot-id | Deletes packet statistics of port attack defense on the interfaces in a specified slot. |
The value depends on the device configuration. |
Usage Guidelines
Usage Scenario
Before viewing packet statistics of port attack defense in a certain period, delete existing packet statistics, and then run the display auto-port-defend statistics command to collect the latest statistics.
Precautions
The deleted packet statistics cannot be restored.
reset cpu-defend dynamic-car history-record
Function
The reset cpu-defend dynamic-car history-record command clears history records on dynamic adjustment of the default CIR value of protocol packets.
Usage Guidelines
Usage Scenario
You can run the reset cpu-defend dynamic-car history-record command to clear the previous records and run the display cpu-defend dynamic-car history-record command to view the history records on dynamic adjustment of the default CIR value of protocol packets in a specified period.
Precautions
The reset cpu-defend dynamic-car history-record command clears history records on dynamic adjustment of the default CIR value of protocol packets and the records cannot be restored.
reset cpu-defend host-car statistics
Function
The reset cpu-defend host-car statistics command clears packet statistics in the user-level rate limiting.
Only the X series LPUs support this command.
Parameters
Parameter | Description | Value |
---|---|---|
mac-address mac-address | Clears statistics on the packets from the specified MAC address. | - |
slot slot-id | Clears packet statistics on the specified card. | - |
reset cpu-defend statistics
Parameters
Parameter | Description | Value |
---|---|---|
packet-type packet-type | Specifies the protocol type of packets. packet-type specifies the packet type. | The supported packet type depends on the device. |
all | Indicates all boards, including main control boards and LPUs. If neither all nor slot slot-id is specified, the CAR statistics on the MPU are cleared. | - |
slot slot-id | Specifies a slot ID. | The value must be set according to the device configuration. |
mcu | Indicates the main control board. | - |
Usage Guidelines
Usage Scenario
To view statistics on the packets sent to the CPU in a specified period, run the reset cpu-defend statistics command to clear existing statistics and run the display cpu-defend statistics command.
Precautions
The deleted packet statistics cannot be restored.
slot
Parameters
Parameter | Description | Value |
---|---|---|
slot-id | Specifies a slot ID. | The value must be set according to the device configuration. |
Usage Guidelines
After the slot view is displayed, run the cpu-defend-policy command to bind an attack defense policy to the slot.
snmp-agent trap enable feature-name securitytrap
Function
The snmp-agent trap enable feature-name securitytrap command enables the trap function for the security module.
The undo snmp-agent trap enable feature-name securitytrap command disables the trap function for the security module.
By default, the trap function is enabled for the security module.
Format
snmp-agent trap enable feature-name securitytrap [ trap-name { hwarpglobalspeedlimitalarm | hwarpifratelimitblockalarm | hwarpifspeedlimitalarm | hwarpmissglobalspeedlimitalarm | hwarpmissifspeedlimitalarm | hwarpmisssipspeedlimitalarm | hwarpmissvlanspeedlimitalarm | hwarpsdaidropalarm | hwarpsentrycheck | hwarpsgatewayconflict | hwarpsipspeedlimitalarm | hwarpsmacspeedlimitalarm | hwarpspacketcheck | hwarpvlanspeedlimitalarm | hwdefendcpcardroppkt | hwicmpglobaldropalarm | hwicmpifdropalarm | hwipsgdropalarm | hwmacsecfailnotify | hwstrackdenypacket | hwstrackerrordown | hwstrackifvlaninfo | hwstrackportatk | hwstracksrcipinfo | hwstrackuserabnormal | hwstrackuserinfo | hwxqosstormcontroltrap | hwxqosstormcontroltrapext } ]
undo snmp-agent trap enable feature-name securitytrap [ trap-name { hwarpglobalspeedlimitalarm | hwarpifratelimitblockalarm | hwarpifspeedlimitalarm | hwarpmissglobalspeedlimitalarm | hwarpmissifspeedlimitalarm | hwarpmisssipspeedlimitalarm | hwarpmissvlanspeedlimitalarm | hwarpsdaidropalarm | hwarpsentrycheck | hwarpsgatewayconflict | hwarpsipspeedlimitalarm | hwarpsmacspeedlimitalarm | hwarpspacketcheck | hwarpvlanspeedlimitalarm | hwdefendcpcardroppkt | hwicmpglobaldropalarm | hwicmpifdropalarm | hwipsgdropalarm | hwmacsecfailnotify | hwstrackdenypacket | hwstrackerrordown | hwstrackifvlaninfo | hwstrackportatk | hwstracksrcipinfo | hwstrackuserabnormal | hwstrackuserinfo | hwxqosstormcontroltrap | hwxqosstormcontroltrapext } ]
Parameters
Parameter | Description | Value |
---|---|---|
trap-name | Enables or disables the trap function for the specified event. | - |
hwarpglobalspeedlimitalarm | Enables the Huawei proprietary trap sent when the rate of ARP packets received by the device reaches the alarm threshold. | - |
hwarpifratelimitblockalarm | Enables the Huawei proprietary trap sent when the rate of ARP packets received by the device exceeds the threshold and ARP packets are discarded on the interface for the block period. | - |
hwarpifspeedlimitalarm | Enables the Huawei proprietary trap sent when the rate of ARP packets received by an interface reaches the alarm threshold. | - |
hwarpmissglobalspeedlimitalarm | Enables the Huawei proprietary trap sent when the rate of ARP Miss messages on the device exceeds the threshold and the number of discarded ARP Miss messages exceeds the alarm threshold. | - |
hwarpmissifspeedlimitalarm | Enables the Huawei proprietary trap sent when the rate of ARP Miss messages on an interface reaches the alarm threshold. | - |
hwarpmisssipspeedlimitalarm | Enables the Huawei proprietary trap sent when the rate of ARP Miss messages from a source IP address exceeds the alarm threshold. | - |
hwarpmissvlanspeedlimitalarm | Enables the Huawei proprietary trap sent when the rate of ARP Miss messages in a VLAN exceeds the threshold and the number of discarded ARP Miss messages exceeds the alarm threshold. | - |
hwarpsdaidropalarm | Enables the Huawei proprietary trap sent when the number of ARP packets discarded by DAI reaches the alarm threshold. | - |
hwarpsentrycheck | Enables the Huawei proprietary trap sent when the device detects an attack packet that attempts to modify an ARP entry. | - |
hwarpsgatewayconflict | Enables the Huawei proprietary trap sent when the device receives an ARP packet whose source IP address is the same as the gateway IP address. | - |
hwarpsipspeedlimitalarm | Enables the Huawei proprietary trap sent when the rate of ARP packets from a source IP address exceeds the alarm threshold. | - |
hwarpsmacspeedlimitalarm | Enables the Huawei proprietary trap sent when the rate of ARP packets from a source MAC address exceeds the alarm threshold. | - |
hwarpspacketcheck | Enables the Huawei proprietary trap sent when the device detects an invalid ARP packet. | - |
hwarpvlanspeedlimitalarm | Enables the Huawei proprietary trap sent when the rate of ARP packets in a VLAN reaches the alarm threshold. | - |
hwdefendcpcardroppkt | Enables the Huawei proprietary trap sent when packets are dropped because the rate of protocol packets sent to the CPU exceeds the CPCAR value. | - |
hwicmpglobaldropalarm | Enables the Huawei proprietary trap sent when the rate of ICMP packets on the device reaches the alarm threshold. | - |
hwicmpifdropalarm | Enables the Huawei proprietary trap sent when the rate of ICMP packets on an interface reaches the alarm threshold. | - |
hwipsgdropalarm | Enables the Huawei proprietary trap sent when the number of IP packets discarded by IPSG reaches the alarm threshold. | - |
hwmacsecfailnotify | Enables the Huawei proprietary trap sent when the MACsec configuration on an interface is invalid. | - |
hwstrackdenypacket | Enables the Huawei proprietary trap sent when the device detects an attack source and discards the packets from it. | - |
hwstrackerrordown | Enables the Huawei proprietary trap sent when the device detects an attack source and sets the interface of the attack source to error-down. | - |
hwstrackifvlaninfo | Enables the Huawei proprietary trap sent when attack source tracing detects an attack initiated from an interface. | - |
hwstrackportatk | Enables the Huawei proprietary trap sent when an interface is attacked by protocol packets and port attack defense is started. | - |
hwstracksrcipinfo | Enables the Huawei proprietary trap sent when attack source tracing detects a source IP address-based attack. | - |
hwstrackuserabnormal | Enables the Huawei proprietary trap sent when the rate of packets received by an LPU exceeds the normal rate. | - |
hwstrackuserinfo | Enables the Huawei proprietary trap sent when attack source tracing detects a user-based attack. | - |
hwxqosstormcontroltrap | Enables the Huawei proprietary trap sent when storm control detects an interface status change. | - |
hwxqosstormcontroltrapext | Enables the Huawei proprietary trap sent when the interface state machine changes. | - |
Usage Guidelines
When the trap function is enabled, the device generates traps during running and sends traps to the NMS through SNMP. When the trap function is not enabled, the device does not generate traps and the SNMP module does not send traps to the NMS.
You can specify trap-name to enable the trap function for one or more events.
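Because all security traps are on by default, any trap that is currently off was switched off deliberately, and a silenced hwDefendCpcarDropPkt or hwStrackDenyPacket hides an ongoing CPU attack from the NMS. The following Python check is an added example, not part of the product documentation or of Huawei software. It parses a constructed copy of the display snmp-agent trap feature-name securitytrap all output (truncated to five traps, three of them turned off), reports the silenced traps, and builds the re-enable command for each one whose lower-cased name appears among the trap-name keywords listed in the Format above; that lower-casing rule is inferred from comparing the keyword list with the display output and is an assumption for traps not on this page.

```python
# Constructed sample in the layout of "display snmp-agent trap feature-name
# securitytrap all" on this page, truncated to five traps (a real switch lists
# the full set); three have been switched off by an operator.
SAMPLE = """\
------------------------------------------------------------------------------
Feature name: SECURITYTRAP
Trap number : 28
------------------------------------------------------------------------------
Trap name                        Default switch status   Current switch status
hwStrackUserInfo                 on                      on
hwDefendCpcarDropPkt             on                      off
hwStrackDenyPacket               on                      off
hwMACsecFailNotify               on                      on
hwOlcStartAlarm                  on                      off
"""

# trap-name keywords accepted by snmp-agent trap enable feature-name securitytrap,
# copied from that command's Format on this page.
TRAP_NAME_KEYWORDS = frozenset("""
hwarpglobalspeedlimitalarm hwarpifratelimitblockalarm hwarpifspeedlimitalarm
hwarpmissglobalspeedlimitalarm hwarpmissifspeedlimitalarm hwarpmisssipspeedlimitalarm
hwarpmissvlanspeedlimitalarm hwarpsdaidropalarm hwarpsentrycheck hwarpsgatewayconflict
hwarpsipspeedlimitalarm hwarpsmacspeedlimitalarm hwarpspacketcheck hwarpvlanspeedlimitalarm
hwdefendcpcardroppkt hwicmpglobaldropalarm hwicmpifdropalarm hwipsgdropalarm
hwmacsecfailnotify hwstrackdenypacket hwstrackerrordown hwstrackifvlaninfo hwstrackportatk
hwstracksrcipinfo hwstrackuserabnormal hwstrackuserinfo hwxqosstormcontroltrap
hwxqosstormcontroltrapext
""".split())


def parse_trap_status(text):
    """{trap name: (default status, current status)} from the display output."""
    traps = {}
    for line in text.splitlines():
        tok = line.split()
        # a trap row is exactly: name, default switch, current switch
        if len(tok) == 3 and tok[0].startswith("hw") and {tok[1], tok[2]} <= {"on", "off"}:
            traps[tok[0]] = (tok[1], tok[2])
    return traps


def silenced_traps(traps):
    """Traps that are on by default but currently off: each one is a deliberate
    change worth reviewing, because it removes an alarm the NMS expects."""
    return sorted(name for name, (default, current) in traps.items()
                  if default == "on" and current == "off")


def remediation_commands(names):
    """Per-trap re-enable command, or None where this page lists no trap-name
    keyword for the trap (fall back to the feature-wide command). Assumption:
    the keyword is the trap name in lower case, as the two lists on this page show."""
    out = {}
    for name in names:
        key = name.lower()
        out[name] = ("snmp-agent trap enable feature-name securitytrap trap-name " + key
                     if key in TRAP_NAME_KEYWORDS else None)
    return out


if __name__ == "__main__":
    found = remediation_commands(silenced_traps(parse_trap_status(SAMPLE)))
    for name, cmd in found.items():
        print(name, "->", cmd or "no trap-name keyword listed on this page; "
                                 "use snmp-agent trap enable feature-name securitytrap")
```

Running this against the output collected from each switch during an audit turns the "Current switch status" column into a list of configuration changes to justify or revert.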
user-defined-flow
Function
The user-defined-flow command configures a user-defined flow.
The undo user-defined-flow command deletes a user-defined flow.
By default, no user-defined flow is configured.
Parameters
Parameter | Description | Value |
---|---|---|
flow-id | Specifies the ID of the user-defined flow. | The value is an integer that ranges from 1 to 8. |
acl acl-number | Specifies the number of an Access Control List (ACL). The ACL referenced by a user-defined flow on the device can be a basic ACL, an advanced ACL, or a Layer 2 ACL. | The value is an integer that ranges from 2000 to 4999. |
Usage Guidelines
Usage Scenario
When unknown attacks occur on the network, you can run the user-defined-flow command to bind an ACL rule with a user-defined flow. Then you can run the car user-defined-flow flow-id cir cir-value [ cbs cbs-value ] command to limit the rate of flows with the specific characteristic or run the deny user-defined-flow flow-id command to discard these flows.
Precautions
If an ACL containing the deny action is applied to the user-defined flow, packets matching the ACL are discarded.
whitelist
Function
The whitelist command configures a whitelist.
The undo whitelist command deletes a whitelist.
By default, no whitelist is configured.
Parameters
Parameter | Description | Value |
---|---|---|
whitelist-id | Specifies the ID of a whitelist. | The value is an integer that ranges from 1 to 8. |
acl acl-number | Specifies the number of an Access Control List (ACL). The ACL referenced by a whitelist on the device can be a basic ACL, an advanced ACL, or a Layer 2 ACL. | The value is an integer that ranges from 2000 to 4999. |
Usage Guidelines
Usage Scenario
You can create a whitelist and add users with specified characteristics to it. The device processes packets sent from users in the whitelist first. You can define the whitelist's matching attributes flexibly by writing ACL rules.
A maximum of 8 whitelists can be configured in an attack defense policy on the device.
Precautions
If an ACL containing the deny action is applied to the whitelist, packets sent from users in the whitelist are discarded.
For X series cards, the packets from users in the whitelist are preferentially sent to the CPU at a high rate, and the display cpu-defend statistics command cannot collect statistics on these packets.