16-Security Command Reference
22-Protocol packet rate limit commands
Contents
Protocol packet rate limit commands
anti-attack enable
anti-attack protocol enable
anti-attack protocol flow-threshold
anti-attack protocol priority
anti-attack protocol threshold
display anti-attack protocol
Protocol packet rate limit commands
The WX1800H series, WX2500H series, and WX3000H series access controllers do not support parameters or commands that are available only in IRF mode.
anti-attack enable
Use anti-attack enable to enable packet rate limit.
Use undo anti-attack enable to disable packet rate limit.
Syntax
In standalone mode:
anti-attack enable
undo anti-attack enable
In IRF mode:
anti-attack enable [ slot slot-number ]
undo anti-attack enable [ slot slot-number ]
Default
Packet rate limit is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command enables packet rate limit for all member devices. (In IRF mode.)
Usage guidelines
To implement packet rate limit for a protocol, you must complete the following tasks:
· Execute the anti-attack enable command to enable packet rate limit.
· Execute the anti-attack protocol enable command to enable packet rate limit for the protocol.
Examples
# (In standalone mode.) Enable packet rate limit.
<Sysname> system-view
[Sysname] anti-attack enable
# (In IRF mode.) Enable packet rate limit for a slot.
<Sysname> system-view
[Sysname] anti-attack enable slot 1
Related commands
anti-attack protocol enable
anti-attack protocol enable
Use anti-attack protocol enable to enable packet rate limit for protocols.
Use undo anti-attack protocol enable to disable packet rate limit for protocols.
Syntax
In standalone mode:
anti-attack protocol { all | protocol } enable
undo anti-attack protocol { all | protocol } enable
In IRF mode:
anti-attack protocol { all | protocol } enable [ slot slot-number ]
undo anti-attack protocol { all | protocol } enable [ slot slot-number ]
Default
Packet rate limit is disabled for all protocols.
Views
System view
Predefined user roles
network-admin
Parameters
all: Specifies all protocols.
protocol: Specifies a protocol. This argument can be a case-insensitive string of 1 to 31 characters. Supported protocol values are shown in Table 1.
Table 1 Supported protocol values
Protocol value | Description |
---|---|
acsei | ACSEI protocol packets |
arp | ARP protocol packets |
capwap_ctrl | CAPWAP control packets |
capwap_data | CAPWAP data packets |
dhcp | DHCP protocol packets |
dot11_action | 802.11 action frames |
dot11_assoc | 802.11 association request packets |
dot11_auth | 802.11 authentication packets |
dot11_ctrl | Other types of 802.11 protocol packets |
dot11_deauth | 802.11 deauthentication packets |
dot11_disassoc | 802.11 disassociation packets |
dot11_null | 802.11 null data packets |
dot11_reassoc | 802.11 reassociation request packets |
dot1x | 802.1X authentication packets |
ethernet | Packets that are not identified as packets of specific protocols |
http | HTTP protocol packets |
iactp | IACTP protocol packets |
icmp | ICMP protocol packets |
icmpv6_nd | ICMPv6 neighbor discovery protocol packets |
icmpv6_other | ICMPv6 protocol packets except for neighbor discovery protocol packets |
igmp | IGMP protocol packets |
ip | IPv4 protocol packets |
ipv6 | IPv6 protocol packets |
ntp | NTP protocol packets |
portal_syn | Portal redirect packets |
radius | RADIUS protocol packets |
snmp | SNMP protocol packets |
tcp | TCP protocol packets |
telnet | Telnet protocol packets |
udp | UDP protocol packets |
vrrp | VRRP protocol packets |
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command enables the feature for all member devices. (In IRF mode.)
Usage guidelines
To implement packet rate limit for a protocol, you must complete the following tasks:
· Execute the anti-attack enable command to enable packet rate limit.
· Execute the anti-attack protocol enable command to enable packet rate limit for the protocol.
Examples
# (In standalone mode.) Enable packet rate limit for ARP.
<Sysname> system-view
[Sysname] anti-attack protocol arp enable
# (In IRF mode.) Enable packet rate limit for ARP on a slot.
<Sysname> system-view
[Sysname] anti-attack protocol arp enable slot 1
Related commands
anti-attack enable
anti-attack protocol flow-threshold
Use anti-attack protocol flow-threshold to enable flow-based packet rate limit for a protocol and set the maximum transmission rate per flow.
Use undo anti-attack protocol flow-threshold to disable flow-based packet rate limit for a protocol.
Syntax
In standalone mode:
anti-attack protocol protocol flow-threshold flow-rate-limit
undo anti-attack protocol protocol flow-threshold
In IRF mode:
anti-attack protocol protocol flow-threshold flow-rate-limit [ slot slot-number ]
undo anti-attack protocol protocol flow-threshold [ slot slot-number ]
Default
Flow-based packet rate limit is disabled for all protocols.
Views
System view
Predefined user roles
network-admin
Parameters
protocol: Specifies a protocol. This argument can be a case-insensitive string of 1 to 31 characters. For information about supported protocol values, see Table 1.
flow-rate-limit: Specifies the maximum transmission rate per flow for the protocol in packets per second. The value range is 0 to 102400.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command enables flow-based packet rate limit and sets the threshold for all member devices. (In IRF mode.)
Usage guidelines
The device identifies flows of a protocol by source IP or MAC address. Protocol packets that are sourced from the same IP address or MAC address belong to the same flow.
You can configure both protocol-based and flow-based protocol packet rate limit for the same protocol. The device first performs flow-based protocol packet rate limit and then performs protocol-based packet rate limit. Excessive protocol packets are dropped.
Examples
# (In standalone mode.) Enable flow-based packet rate limit for ARP and set the maximum transmission rate per flow to 50 packets per second.
<Sysname> system-view
[Sysname] anti-attack protocol arp flow-threshold 50
# (In IRF mode.) Enable flow-based packet rate limit for ARP and set the maximum transmission rate per flow to 50 packets per second on a slot.
<Sysname> system-view
[Sysname] anti-attack protocol arp flow-threshold 50 slot 1
anti-attack protocol priority
Use anti-attack protocol priority to set the packet process priority for a protocol.
Use undo anti-attack protocol priority to restore the default.
Syntax
In standalone mode:
anti-attack protocol protocol priority priority
undo anti-attack protocol protocol priority
In IRF mode:
anti-attack protocol protocol priority priority [ slot slot-number ]
undo anti-attack protocol protocol priority [ slot slot-number ]
Default
The default settings vary by device model. To display the default setting for a protocol, execute the undo anti-attack protocol priority command to restore the default, and then execute the display anti-attack protocol command.
Views
System view
Predefined user roles
network-admin
Parameters
protocol: Specifies a protocol. This argument can be a case-insensitive string of 1 to 31 characters. For information about supported protocol values, see Table 1.
priority: Specifies the packet process priority for the protocol, in the range of 0 to 4. A smaller value represents a higher priority.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, the setting applies to all member devices. (In IRF mode.)
Usage guidelines
When the maximum transmission rate is reached, the device uses the priority to decide which packets to drop: packets of the protocol with the lowest priority (the largest priority value) are dropped first.
Examples
# (In standalone mode.) Set the packet process priority to 0 for ARP.
<Sysname> system-view
[Sysname] anti-attack protocol arp priority 0
# (In IRF mode.) Set the packet process priority to 0 for ARP on a slot.
<Sysname> system-view
[Sysname] anti-attack protocol arp priority 0 slot 1
anti-attack protocol threshold
Use anti-attack protocol threshold to set the maximum transmission rate for a protocol.
Use undo anti-attack protocol threshold to restore the default for a protocol.
Syntax
In standalone mode:
anti-attack protocol protocol threshold rate-limit
undo anti-attack protocol protocol threshold
In IRF mode:
anti-attack protocol protocol threshold rate-limit [ slot slot-number ]
undo anti-attack protocol protocol threshold [ slot slot-number ]
Default
The default settings vary by device model. To display the default setting for a protocol, execute the undo anti-attack protocol threshold command to restore the default, and then execute the display anti-attack protocol command.
Views
System view
Predefined user roles
network-admin
Parameters
protocol: Specifies a protocol. This argument can be a case-insensitive string of 1 to 31 characters. For information about supported protocol values, see Table 1.
rate-limit: Specifies the maximum transmission rate for the protocol in packets per second. The value range is 0 to 102400.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, the setting applies to all member devices. (In IRF mode.)
Usage guidelines
Packets that exceed the maximum transmission rate are dropped.
Examples
# (In standalone mode.) Set the maximum transmission rate to 1000 packets per second for ARP.
<Sysname> system-view
[Sysname] anti-attack protocol arp threshold 1000
# (In IRF mode.) Set the maximum transmission rate to 1000 packets per second for ARP on a slot.
<Sysname> system-view
[Sysname] anti-attack protocol arp threshold 1000 slot 1
Related commands
display anti-attack protocol
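The complete procedure documented above (anti-attack enable, then anti-attack protocol enable, then the threshold, flow-threshold and priority settings for each protocol) as an added Python helper that emits the command lines and checks the documented ranges before anything reaches a device. This is example code written for this page, not H3C software; the policy dictionary layout and the function names are this example's own. The page does not state whether a threshold or priority may be set before the protocol is enabled, so the helper always emits the two enable commands first.

```python
"""Build the Comware CLI sequence that turns on protocol packet rate limit.

Added example; not H3C code. It assembles only the commands documented on
this page, in the order the usage guidelines require (anti-attack enable
before anti-attack protocol ... enable), and rejects values outside the
documented ranges before anything reaches a device.
"""
from typing import Dict, List, Optional

# Protocol values from Table 1; the commands compare them case-insensitively.
SUPPORTED_PROTOCOLS = frozenset({
    "acsei", "arp", "capwap_ctrl", "capwap_data", "dhcp", "dot11_action",
    "dot11_assoc", "dot11_auth", "dot11_ctrl", "dot11_deauth", "dot11_disassoc",
    "dot11_null", "dot11_reassoc", "dot1x", "ethernet", "http", "iactp", "icmp",
    "icmpv6_nd", "icmpv6_other", "igmp", "ip", "ipv6", "ntp", "portal_syn",
    "radius", "snmp", "tcp", "telnet", "udp", "vrrp",
})
MAX_PPS = 102400   # upper bound of threshold and flow-threshold (pps)
MAX_PRIORITY = 4   # upper bound of priority; 0 is the highest priority


def _slot_suffix(slot: Optional[int]) -> str:
    """IRF mode may target one member ID; standalone mode passes slot=None."""
    return f" slot {slot}" if slot is not None else ""


def _check_range(value, upper: int, what: str) -> int:
    if not isinstance(value, int) or not 0 <= value <= upper:
        raise ValueError(f"{what} must be an integer in 0..{upper}, got {value!r}")
    return value


def rate_limit_commands(policy: Dict[str, dict], slot: Optional[int] = None) -> List[str]:
    """Return the system-view command lines for the given policy.

    policy maps a protocol value (any case) to a dict with any of:
      threshold       protocol-wide limit in pps (anti-attack protocol ... threshold)
      flow_threshold  per-source-IP/MAC limit in pps (... flow-threshold)
      priority        0..4; a smaller value is dropped later under pressure
    The dictionary layout is this example's own convention.
    """
    sfx = _slot_suffix(slot)
    cmds = ["system-view", f"anti-attack enable{sfx}"]
    for proto, settings in policy.items():
        name = proto.lower()
        if name not in SUPPORTED_PROTOCOLS:
            raise ValueError(f"unsupported protocol value: {proto!r}")
        unknown = set(settings) - {"threshold", "flow_threshold", "priority"}
        if unknown:
            raise ValueError(f"{proto}: unknown settings {sorted(unknown)}")
        # Feature must be on globally and per protocol before limits matter.
        cmds.append(f"anti-attack protocol {name} enable{sfx}")
        if "priority" in settings:
            p = _check_range(settings["priority"], MAX_PRIORITY, f"{name} priority")
            cmds.append(f"anti-attack protocol {name} priority {p}{sfx}")
        if "threshold" in settings:
            t = _check_range(settings["threshold"], MAX_PPS, f"{name} threshold")
            cmds.append(f"anti-attack protocol {name} threshold {t}{sfx}")
        if "flow_threshold" in settings:
            f = _check_range(settings["flow_threshold"], MAX_PPS, f"{name} flow-threshold")
            cmds.append(f"anti-attack protocol {name} flow-threshold {f}{sfx}")
    return cmds


if __name__ == "__main__":
    # Constructed policy: ARP capped globally and per source, ICMP kept low.
    demo = {"ARP": {"priority": 0, "threshold": 1000, "flow_threshold": 50},
            "icmp": {"threshold": 20}}
    print("\n".join(rate_limit_commands(demo, slot=1)))
```

The helper only produces text; deliver it over whatever management channel you already use (an SSH session, for example) and confirm the result with display anti-attack protocol afterwards.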
display anti-attack protocol
Use display anti-attack protocol to display packet rate limit information about protocols.
Syntax
In standalone mode:
display anti-attack protocol [ protocol ]
In IRF mode:
display anti-attack protocol [ protocol ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
protocol: Specifies a protocol. This argument can be a case-insensitive string of 1 to 31 characters. If you do not specify a protocol, the command displays information about all protocols. For information about supported protocol values, see Table 1.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, the command displays packet rate limit information for all member devices. (In IRF mode.)
Examples
# (In standalone mode.) Display packet rate limit information about all protocols. Only protocol-based protocol packet rate limit is enabled in this example.
<Sysname> display anti-attack protocol
Anti-attack statistics
Protocol anti-attack Priority Limit(pps) Rate(pps) Passed Dropped
dot1x enable 1 1024 0 0 0
dhcp enable 2 2000 0 0 0
igmp enable 2 1024 0 0 0
ntp enable 2 256 0 0 0
arp enable 1 1024 0 17907 0
snmp enable 0 1024 0 0 0
telnet enable 0 100 0 0 0
icmp enable 0 20 0 0 0
icmpv6_nd enable 0 1024 0 0 0
icmpv6_other enable 0 1024 0 0 0
iactp enable 1 2560 0 0 0
acsei enable 2 128 0 0 0
http enable 1 1024 0 0 0
https enable 1 1024 0 0 0
openflow enable 1 1024 0 0 0
portal enable 1 1024 0 0 0
udp enable 2 20 0 0 0
tcp enable 2 1 0 0 0
ip enable 4 2560 0 0 0
ipv6 enable 2 128 0 0 0
ethernet enable 2 128 0 0 0
radius enable 1 2048 0 0 0
vrrp enable 1 2048 0 0 0
capwap_ctrl enable 1 2048 0 0 0
capwap_data enable 1 2048 0 0 0
dot11_auth enable 1 256 0 0 0
dot11_assoc enable 1 256 0 0 0
dot11_reassoc enable 1 256 0 0 0
dot11_null enable 1 1024 0 0 0
dot11_disassoc enable 1 256 0 0 0
dot11_deauth enable 1 256 0 0 0
dot11_action enable 1 256 0 0 0
dot11_ctrl enable 1 512 0 0 0
portal_syn enable 1 1024 0 0 0
lacp enable 1 256 0 0 0
# (In IRF mode.) Display packet rate limit information about all protocols on a slot. Only protocol-based protocol packet rate limit is enabled in this example.
<Sysname> display anti-attack protocol slot 1
Slot 1:
Anti-attack statistics
Protocol anti-attack Priority Limit(pps) Rate(pps) Passed Dropped
dot1x enable 1 1024 0 0 0
dhcp enable 2 2000 0 0 0
igmp enable 2 1024 0 0 0
ntp enable 2 256 0 0 0
arp enable 1 1024 0 17907 0
snmp enable 0 1024 0 0 0
telnet enable 0 100 0 0 0
icmp enable 0 20 0 0 0
icmpv6_nd enable 0 1024 0 0 0
icmpv6_other enable 0 1024 0 0 0
iactp enable 1 2560 0 0 0
acsei enable 2 128 0 0 0
http enable 1 1024 0 0 0
https enable 1 1024 0 0 0
openflow enable 1 1024 0 0 0
portal enable 1 1024 0 0 0
udp enable 2 20 0 0 0
tcp enable 2 1 0 0 0
ip enable 4 2560 0 0 0
ipv6 enable 2 128 0 0 0
ethernet enable 2 128 0 0 0
radius enable 1 2048 0 0 0
vrrp enable 1 2048 0 0 0
capwap_ctrl enable 1 2048 0 0 0
capwap_data enable 1 2048 0 0 0
dot11_auth enable 1 256 0 0 0
dot11_assoc enable 1 256 0 0 0
dot11_reassoc enable 1 256 0 0 0
dot11_null enable 1 1024 0 0 0
dot11_disassoc enable 1 256 0 0 0
dot11_deauth enable 1 256 0 0 0
dot11_action enable 1 256 0 0 0
dot11_ctrl enable 1 512 0 0 0
portal_syn enable 1 1024 0 0 0
lacp enable 1 256 0 0 0
Table 2 Command output
Field | Description |
---|---|
anti-attack | Status of protocol-based packet rate limit for the protocol: enable (the feature is enabled) or disable (the feature is disabled). |
Priority | Packet processing priority of the protocol. A smaller value represents a higher priority. |
Limit(pps) | Maximum packet transmission rate of the protocol, in packets per second. |
Rate(pps) | Current packet transmission rate of the protocol, in packets per second. |
Passed | Number of protocol packets sent to the CPU. |
Dropped | Number of dropped protocol packets. |
# (In standalone mode.) Display packet rate limit information about ARP. Both protocol-based protocol packet rate limit and flow-based protocol packet rate limit are enabled in this example.
<Sysname> display anti-attack protocol arp
Anti-attack statistics
Protocol anti-attack Priority Limit(pps) Rate(pps) Passed Dropped
arp enable 1 1024 0 17907 0
FlowSource FlowLimit(pps) FlowRate(pps) Passed Dropped
00e0-fc12-7723 1000 0 2 0
0011-e212-8801 1000 0 17905 0
# (In IRF mode.) Display packet rate limit information about ARP on a slot. Both protocol-based protocol packet rate limit and flow-based protocol packet rate limit are enabled in this example.
<Sysname> display anti-attack protocol arp slot 1
Slot 1:
Anti-attack statistics
Protocol anti-attack Priority Limit(pps) Rate(pps) Passed Dropped
arp enable 1 1024 0 17907 0
FlowSource FlowLimit(pps) FlowRate(pps) Passed Dropped
00e0-fc12-7723 1000 0 2 0
0011-e212-8801 1000 0 17905 0
Table 3 Command output
Field | Description |
---|---|
FlowSource | Source IP or MAC address of the flow. |
FlowLimit(pps) | Maximum transmission rate for the flow, in packets per second. |
FlowRate(pps) | Current transmission rate of the flow, in packets per second. |
Passed | Number of packets of the flow sent to the CPU. |
Dropped | Number of dropped packets of the flow. |
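To make the counters in Table 2 and Table 3 actionable, here is an added Python parser for the display anti-attack protocol output layout shown above (example code written for this page, not an H3C tool). It reports protocols that are dropping packets or running close to their limit and names the flow source behind most of the drops, which is the address to investigate first since the device keys flows by source IP or MAC. The embedded sample output is constructed: it reuses the MAC addresses from the page's examples, but the counters and the 0.9 near-limit fraction are this example's own choices.

```python
"""Parse 'display anti-attack protocol' output and find where the limiter bites.

Added example; not H3C code. It reads the text layout shown on this page
(an optional 'Slot N:' header, a protocol line, then optional FlowSource
lines for that protocol) and reports protocols that are dropping packets or
running close to their limit, naming the source behind most of the drops.
The sample below is constructed, not captured from a device.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the page's output format (counters are made up).
SAMPLE_OUTPUT = """\
Slot 1:
Anti-attack statistics
Protocol anti-attack Priority Limit(pps) Rate(pps) Passed Dropped
arp enable 1 1024 980 17907 4312
FlowSource FlowLimit(pps) FlowRate(pps) Passed Dropped
00e0-fc12-7723 1000 12 2 0
0011-e212-8801 1000 970 17905 4312
icmp enable 0 20 3 41 0
telnet disable 0 100 0 0 0
"""

# A protocol line has seven columns with enable/disable second; a flow line
# has five columns, all numeric after the source address. Header lines match
# neither pattern and are skipped.
PROTO_RE = re.compile(r"^(\S+)\s+(enable|disable)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")
FLOW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")
SLOT_RE = re.compile(r"^Slot\s+(\d+):$")


@dataclass
class FlowStats:
    source: str      # source IP or MAC address that identifies the flow
    limit: int
    rate: int
    passed: int
    dropped: int


@dataclass
class ProtocolStats:
    slot: Optional[int]   # None in standalone mode
    name: str
    enabled: bool
    priority: int
    limit: int
    rate: int
    passed: int
    dropped: int
    flows: List[FlowStats] = field(default_factory=list)


def parse_display(text: str) -> List[ProtocolStats]:
    """Turn the command output into one record per protocol (per slot in IRF mode)."""
    records: List[ProtocolStats] = []
    slot: Optional[int] = None
    current: Optional[ProtocolStats] = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SLOT_RE.match(line)):
            slot = int(m.group(1))
            current = None
        elif (m := PROTO_RE.match(line)):
            name, state, *nums = m.groups()
            prio, limit, rate, passed, dropped = map(int, nums)
            current = ProtocolStats(slot, name, state == "enable", prio, limit, rate, passed, dropped)
            records.append(current)
        elif (m := FLOW_RE.match(line)) and current is not None:
            src, *nums = m.groups()
            current.flows.append(FlowStats(src, *map(int, nums)))
    return records


def find_pressure(records: List[ProtocolStats], rate_fraction: float = 0.9) -> List[dict]:
    """Flag enabled protocols with drops or a rate at/above rate_fraction of Limit(pps).

    top_source is the flow with the most drops for that protocol, if any.
    """
    alerts = []
    for rec in records:
        if not rec.enabled:
            continue
        near_limit = rec.limit > 0 and rec.rate >= rate_fraction * rec.limit
        if rec.dropped == 0 and not near_limit:
            continue
        worst = max(rec.flows, key=lambda f: f.dropped, default=None)
        alerts.append({
            "slot": rec.slot, "protocol": rec.name, "priority": rec.priority,
            "rate": rec.rate, "limit": rec.limit, "dropped": rec.dropped,
            "near_limit": near_limit,
            "top_source": worst.source if worst and worst.dropped > 0 else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_pressure(parse_display(SAMPLE_OUTPUT)):
        print(alert)
```

Feed it the output of display anti-attack protocol (or display anti-attack protocol protocol slot slot-number in IRF mode) collected on a schedule; a protocol that keeps tripping the limit with a single dominant FlowSource is the case the flow-threshold command exists for, while drops spread evenly across many sources point at the protocol threshold itself being too low for the site.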