How to configure CP-CAR and extended CAR for anti-attack on the NE40E and the NE80E V300R003?
1. Basic configuration of CP-CAR
V300R003 controls packets sent to the CPU using the CAR anti-attack feature. Unlike port-based CAR, which limits the forwarding rate on an interface, anti-attack CAR limits the rate at which packets are sent to the CPU. An anti-attack policy takes effect only after it is bound to an LPU in the slot view; by default, a CP-CAR policy is bound to each LPU. Configure CP-CAR for a packet type, identified by its index, for example:
car index 9 cir 1000 cbs 10000 min-packet-length 100
You can run the display car information default 9 command to view the default settings for index 9. The deny action, which discards all packets of the index instead of rate-limiting them, is configured as follows:
deny index 9
You can run the display cpu-defend slot 7 car index 9 command to view the statistics on index-9 packets sent to the CPU on the LPU in slot 7. Note that the statistics cover only packets that passed CAR; packets discarded by CAR are not counted.
2. Basic configuration of extended CAR
Extended CAR binds ACLs to a whitelist, a blacklist, or a user-defined flow. A packet destined for the CPU that matches a rule in a bound ACL is processed with the action of the list or flow that ACL is bound to.
Anti-attack extended CAR currently supports only Layer 3 IPv4 ACLs numbered 2000 to 3999 (basic ACLs 2000 to 2999, advanced ACLs 3000 to 3999). For example, define an advanced ACL that matches ICMP:
[NE40E-47-acl-adv-3001]rule permit icmp
Bind the ACLs to extended CAR in the CPU-defend policy view:
[NE40E-47-cpu-defend-policy-4]whitelist acl 3001
[NE40E-47-cpu-defend-policy-4]blacklist acl 3002
[NE40E-47-cpu-defend-policy-4]user-defined-flow 1 3003
Run the display cpu-defend slot 7 car whitelist, display cpu-defend slot 7 car blacklist, or display cpu-defend slot 7 car user-defined-flow 1 command to view the statistics of the corresponding extended CAR action.
Run the following command to configure the order in which the three extended CAR actions are evaluated, that is, their priority:
process-sequence whitelist blacklist user-defined-flow
When the ACLs bound to two of the three actions contain the same rule, a packet matching that rule is processed by whichever action comes first in the sequence configured by the preceding command. For example, if the whitelist and the blacklist are bound to ACL 3001 and ACL 3002 respectively, and both ACLs contain the rule rule permit tcp, TCP packets matching the rule are treated as whitelist packets, because the whitelist precedes the blacklist in the sequence above; the blacklist entry never sees them. Keep the rules of ACLs bound to different actions from overlapping unless this precedence is intended.
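The whole procedure, CP-CAR from section 1 plus extended CAR from section 2 and the slot binding that section 1 says is required, as one added example that is not from the original article. Policy number 4, slot 7, ACL 3001 with rule permit icmp, and the car, deny, whitelist, blacklist, user-defined-flow, process-sequence and display commands are taken from the text above. The rules placed in ACLs 3002 and 3003, and the glue commands system-view, acl number, rule, quit, slot, cpu-defend policy (which opens the policy view) and cpu-defend-policy in slot view (which binds the policy to the LPU), are assumed from the NE40E command set and are not shown on the page. Lines starting with # are annotations, not commands to type.

```text
# Added example, not from the original article. Lines starting with # are
# annotations. Assumed: policy 4, LPU in slot 7, the rules in ACLs 3002 and
# 3003, and the glue commands system-view, acl number, rule, quit, slot and
# cpu-defend-policy.
system-view

# 1. ACLs referenced by extended CAR. Only IPv4 ACLs 2000-3999 are accepted;
#    3001-3003 are advanced (Layer 3) ACLs.
acl number 3001
# from the article: ICMP to the CPU goes on the whitelist
 rule permit icmp
quit
acl number 3002
# assumed rule: Telnet towards the CPU goes on the blacklist
 rule permit tcp destination-port eq 23
quit
acl number 3003
# assumed rule: SNMP towards the CPU is tracked as user-defined flow 1
 rule permit udp destination-port eq 161
quit

# 2. The CPU-defend policy holds both the CP-CAR and the extended CAR settings.
cpu-defend policy 4
# CP-CAR for packet index 9 (values from the article). To discard index-9
# packets outright instead of rate-limiting them, use: deny index 9
 car index 9 cir 1000 cbs 10000 min-packet-length 100
# Extended CAR: bind one ACL to each of the three actions.
 whitelist acl 3001
 blacklist acl 3002
 user-defined-flow 1 3003
# Evaluation order when a packet matches ACLs bound to more than one action.
# With this order an overlapping whitelist rule always wins, so adding
# rule permit tcp to ACL 3001 would shadow the blacklist entry above.
 process-sequence whitelist blacklist user-defined-flow
quit

# 3. Bind the policy to the LPU. Nothing above takes effect until this is done.
slot 7
 cpu-defend-policy 4
quit

# 4. Verify the defaults for index 9 and the per-action counters on slot 7.
display car information default 9
display cpu-defend slot 7 car index 9
display cpu-defend slot 7 car whitelist
display cpu-defend slot 7 car blacklist
display cpu-defend slot 7 car user-defined-flow 1
```

The display commands at the end confirm the configuration. If the extended CAR counters stay at zero while matching traffic is known to be reaching the router, first check that the policy is bound to the right slot, since an unbound policy silently does nothing.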