Configuring Port-based Automatic Local Attack Defense
Context
When a protocol is enabled, the switch automatically assigns a queue to the packets of that protocol and a default CAR value to the queue. If one port receives a large number of packets of a protocol and sends them to the CPU, the other ports can send packets of that protocol to the CPU only at a low rate, or not at all, which affects services. Port-based automatic local attack defense addresses this: the switch treats a port as under attack, and applies the punishment action to that port's packets of the protocol, when the following conditions are met:
- The rate of such protocol packets received on a port exceeds 75% of the default CAR value.
- The rate of such protocol packets received on the two ports that have received the most packets of this type exceeds 85% of the default CAR value.
This function ensures that other ports can normally send protocol packets to the CPU.
Automatic local attack defense is also enabled automatically on a port that encounters MAC address flapping; the switch then applies the punishment action to the threshold-crossing protocol packets received on that port.
Procedure
- Run system-view
The system view is displayed.
- Run cpu-defend policy policy-name
The attack defense policy view is displayed.
- Run undo auto-port-defend protocol { arp-request | dhcp | multicast | ospf | nd | vrrp } disable
Port-based automatic local attack defense is enabled.
By default, port-based automatic local attack defense is enabled.
You can run this command in the Admin-VS only, and the configuration takes effect for all VSs.
The CE12800E that has ED-E, EG-E, and EGA-E series cards installed supports only the arp-request parameter.
- Run commit
The configuration is committed.
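The whole procedure as one CLI session, added here as an example and not taken from the original page. The prompts and the policy name policy1 are assumed; arp-request is used as the protocol parameter because it is the one supported on every listed card type. Lines beginning with # are annotations, not commands typed at the CLI.

```text
# Enter the system view
<HUAWEI> system-view
# Enter the attack defense policy view (policy name "policy1" is assumed)
[~HUAWEI] cpu-defend policy policy1
# Enable port-based automatic local attack defense for ARP request packets
# (it is enabled by default; this command re-enables it if it was disabled)
[*HUAWEI-cpu-defend-policy-policy1] undo auto-port-defend protocol arp-request disable
# Commit the configuration so that it takes effect
[*HUAWEI-cpu-defend-policy-policy1] commit
[~HUAWEI-cpu-defend-policy-policy1] quit
[~HUAWEI]
```

Note that the switch uses two-stage commit: the asterisk in the prompt marks uncommitted changes, and the configuration takes effect only after commit. Run the commands from the Admin-VS, as the function cannot be configured per VS.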