Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, and security risks.
Configuring Storm Control

Context

Excessive broadcast, multicast, or unicast packets have a great impact on network devices. To limit the rate of these packets, configure storm control on the interface that receives them.

Pre-configuration Tasks

Before configuring the storm control function, configure link layer protocol parameters for interfaces to ensure that the link layer protocol status on the interfaces is Up.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run any of the following commands to configure storm control for the broadcast, multicast, and unicast packets on the interface.
    • storm control { broadcast | multicast | unicast | unknown-unicast } min-rate percent min-rate-value max-rate percent max-rate-value
    • storm control { broadcast | multicast | unicast | unknown-unicast } min-rate kbps min-rate-value max-rate kbps max-rate-value
    • storm control { broadcast | multicast | unicast | unknown-unicast } min-rate min-rate-value max-rate max-rate-value

    NOTE:

    In an SVF using centralized or hybrid forwarding mode, storm control cannot be configured for unknown unicast traffic on the interfaces of leaf switches.

  4. Set the storm control action.
    • Run the storm control action { error-down | block | suppress } command.

    NOTE:
    • The device records the status of an interface as Error-Down when it detects a fault. An interface in the Error-Down state cannot receive or send packets, and the interface indicator is off.

    • CE6870EI and CE6875EI do not support the suppress parameter.

  5. (Optional) Run storm control enable { log | trap }

    The function of recording logs or reporting traps during storm control is enabled.

  6. (Optional) Run storm control interval interval-value

    The storm detection interval is set.

  7. Run commit

    The configuration is committed.

Verifying the Configuration

Run the display storm control [ interface interface-type interface-number [ verbose ] ] command to check the storm control configuration on an interface.

Follow-up Procedure

Generally, when attack packets exist, the average rate at which an interface receives broadcast, multicast, or unknown unicast packets is higher than the specified upper limit. In this situation, identify the attack source, remove the attack, and recover the interface status.

An interface in Error-Down state can be recovered using either of the following methods:
  • Manual recovery (after an Error-Down event occurs):

    If a few interfaces need to be recovered, run the shutdown and undo shutdown commands in the interface view. Alternatively, run the restart command in the interface view to restart the interfaces.

    NOTE:

    Alternatively, run the undo storm control action or undo storm control { broadcast | multicast | unicast | unknown-unicast | all } command in the interface view to recover the interface status. This method is not recommended.

  • Automatic recovery (before an Error-Down event occurs):

    If a large number of interfaces need to be recovered, manual recovery is time consuming and some interfaces may be omitted. To avoid this problem, run the error-down auto-recovery cause storm-control interval command in the system view to enable automatic interface recovery and set the recovery delay time. Run the display error-down recovery command to view information about automatic interface recovery.

    NOTE:

    This method does not take effect on interfaces that are already in Error-Down state. It is effective only on interfaces that enter the Error-Down state after this configuration is complete.
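
An added example, not part of the Huawei guide: a Python audit that checks a saved configuration against the Procedure and Follow-up Procedure above. It assumes the saved configuration stores the commands as entered, indented under each `interface` line; the interface names, rate values and the default `required` traffic types are constructed or assumed site policy.

```python
import re

RULE = re.compile(r"storm control (broadcast|multicast|unicast|unknown-unicast) "
                  r"min-rate (?:(?:percent|kbps) )?\d+ max-rate (?:(?:percent|kbps) )?\d+$")
ACTION = re.compile(r"storm control action (error-down|block|suppress)$")
NOTIFY = re.compile(r"storm control enable (log|trap)$")
RECOVERY = re.compile(r"^error-down auto-recovery cause storm-control interval \d+$", re.M)

# Constructed sample; assumes the saved config stores commands as entered.
SAMPLE = """\
#
interface 10GE1/0/1
 storm control broadcast min-rate 1000 max-rate 2000
 storm control multicast min-rate 1000 max-rate 2000
 storm control unknown-unicast min-rate 1000 max-rate 2000
 storm control action error-down
 storm control enable log
#
interface 10GE1/0/2
 storm control broadcast min-rate percent 10 max-rate percent 20
 storm control action block
#
"""

def audit(config, required=("broadcast", "multicast", "unknown-unicast")):
    """Return {interface: [findings]}; `required` is an assumed site policy."""
    auto_recovery = bool(RECOVERY.search(config))
    stanzas, name = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            name = raw.split()[1]
            stanzas[name] = []
        elif raw.startswith(" ") and name:
            stanzas[name].append(raw.strip())
        else:
            name = None  # "#" or a global command closes the stanza
    report = {}
    for name, lines in stanzas.items():
        limited = {m[1] for l in lines if (m := RULE.match(l))}
        actions = [m[1] for l in lines if (m := ACTION.match(l))]
        out = [f"no storm control for {t}" for t in required if t not in limited]
        if not actions:
            out.append("no storm control action set")
        elif actions[-1] == "error-down" and not auto_recovery:
            out.append("error-down without error-down auto-recovery")
        if not any(NOTIFY.match(l) for l in lines):
            out.append("no log or trap enabled")
        report[name] = out
    return report
```

Calling `audit(SAMPLE)` flags 10GE1/0/1 for using the error-down action with no automatic recovery configured in the system view, and 10GE1/0/2 for leaving multicast and unknown-unicast unlimited and raising no log or trap.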

Updated: 2019-04-20

Document ID: EDOC1100074765
