16-Security Command Reference

22-Protocol packet rate limit commands

Protocol packet rate limit commands

The WX1800H series, WX2500H series, and WX3000H series access controllers do not support parameters or commands that are available only in IRF mode.

anti-attack enable

Use anti-attack enable to enable packet rate limit.

Use undo anti-attack enable to disable packet rate limit.

Syntax

In standalone mode:

anti-attack enable

undo anti-attack enable

In IRF mode:

anti-attack enable [ slot slot-number ]

undo anti-attack enable [ slot slot-number ]

Default

Packet rate limit is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command enables packet rate limit for all member devices. (In IRF mode.)

Usage guidelines

To implement packet rate limit for a protocol, you must complete the following tasks:

·     Execute the anti-attack enable command to enable packet rate limit.

·     Execute the anti-attack protocol enable command to enable packet rate limit for the protocol.

Examples

# (In standalone mode.) Enable packet rate limit.

<Sysname> system-view

[Sysname] anti-attack enable

# (In IRF mode.) Enable packet rate limit for a slot.

<Sysname> system-view

[Sysname] anti-attack enable slot 1

Related commands

anti-attack protocol enable

anti-attack protocol enable

Use anti-attack protocol enable to enable packet rate limit for protocols.

Use undo anti-attack protocol enable to disable packet rate limit for protocols.

Syntax

In standalone mode:

anti-attack protocol { all | protocol } enable

undo anti-attack protocol { all | protocol } enable

In IRF mode:

anti-attack protocol { all | protocol } enable [ slot slot-number ]

undo anti-attack protocol { all | protocol } enable [ slot slot-number ]

Default

Packet rate limit is disabled for all protocols.

Views

System view

Predefined user roles

network-admin

Parameters

all: Specifies all protocols.

protocol: Specifies a protocol. This argument can be a case-insensitive string of 1 to 31 characters. Supported protocol values are shown in Table 1.

Table 1 Supported protocols

Protocol value   Description
acsei            ACSEI protocol packets
arp              ARP protocol packets
capwap_ctrl      CAPWAP control packets
capwap_data      CAPWAP data packets
dhcp             DHCP protocol packets
dot11_action     802.11 ACK packets
dot11_assoc      802.11 association request packets
dot11_auth       802.11 authentication packets
dot11_ctrl       Other types of 802.11 protocol packets
dot11_deauth     802.11 deauthentication packets
dot11_disassoc   802.11 disassociation request packets
dot11_null       802.11 null data packets
dot11_reassoc    802.11 reassociation request packets
dot1x            802.1X authentication packets
ethernet         Packets that are not identified as packets of specific protocols
http             HTTP protocol packets
iactp            IACTP protocol packets
icmp             ICMP protocol packets
icmpv6_nd        ICMPv6 neighbor discovery protocol packets
icmpv6_other     ICMPv6 protocol packets except for neighbor discovery protocol packets
igmp             IGMP protocol packets
ip               IPv4 protocol packets
ipv6             IPv6 protocol packets
ntp              NTP protocol packets
portal_syn       Portal redirect packets
radius           RADIUS protocol packets
snmp             SNMP protocol packets
tcp              TCP protocol packets
telnet           Telnet protocol packets
udp              UDP protocol packets
vrrp             VRRP protocol packets

The display anti-attack protocol output in this document also lists protocols that are not in Table 1 (https, openflow, portal, and lacp). Use the display anti-attack protocol command on your device to check which protocol values it actually reports before configuring them.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command enables the feature for all member devices. (In IRF mode.)

Usage guidelines

To implement packet rate limit for a protocol, you must complete the following tasks:

·     Execute the anti-attack enable command to enable packet rate limit.

·     Execute the anti-attack protocol enable command to enable packet rate limit for the protocol.

Examples

# (In standalone mode.) Enable packet rate limit for ARP.

<Sysname> system-view

[Sysname] anti-attack protocol arp enable

# (In IRF mode.) Enable packet rate limit for ARP on a slot.

<Sysname> system-view

[Sysname] anti-attack protocol arp enable slot 1

Related commands

anti-attack enable

anti-attack protocol flow-threshold

Use anti-attack protocol flow-threshold to enable flow-based packet rate limit for a protocol and set the maximum transmission rate per flow.

Use undo anti-attack protocol flow-threshold to disable flow-based packet rate limit for a protocol.

Syntax

In standalone mode:

anti-attack protocol protocol flow-threshold flow-rate-limit

undo anti-attack protocol protocol flow-threshold

In IRF mode:

anti-attack protocol protocol flow-threshold flow-rate-limit [ slot slot-number ]

undo anti-attack protocol protocol flow-threshold [ slot slot-number ]

Default

Flow-based packet rate limit is disabled for all protocols.

Views

System view

Predefined user roles

network-admin

Parameters

protocol: Specifies a protocol. This argument can be a case-insensitive string of 1 to 31 characters. For information about supported protocol values, see Table 1.

flow-rate-limit: Specifies the maximum transmission rate per flow for the protocol in packets per second. The value range is 0 to 102400.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command enables flow-based packet rate limit and sets the threshold for all member devices. (In IRF mode.)

Usage guidelines

The device identifies flows of a protocol by source IP or MAC address. Protocol packets that are sourced from the same IP address or MAC address belong to the same flow.

You can configure both protocol-based and flow-based packet rate limit for the same protocol. The device first applies the flow-based limit to each flow (keyed by source IP or MAC address) and then applies the protocol-based limit to the packets that passed the flow-based limit. Packets that exceed either limit are dropped.

Examples

# (In standalone mode.) Enable flow-based packet rate limit for ARP and set the maximum transmission rate per flow to 50 packets per second.

<Sysname> system-view

[Sysname] anti-attack protocol arp flow-threshold 50

# (In IRF mode.) Enable flow-based packet rate limit for ARP and set the maximum transmission rate per flow to 50 packets per second on a slot.

<Sysname> system-view

[Sysname] anti-attack protocol arp flow-threshold 50 slot 1
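The usage guidelines above state the order of the two limits but not what it buys you. The following model, added here as an example and not H3C code, applies the per-flow limit first and then the per-protocol limit to one second of constructed ARP traffic (one flooding MAC address plus twenty normal hosts), and compares the result with the protocol limit alone. The counting model, the host addresses and the packet mix are assumptions for illustration; the device's own algorithm may differ.

```python
"""Model of flow-based then protocol-based packet rate limit.

Added example for this page; a simplified model of the order the usage
guidelines describe, not H3C's implementation. One call handles one second
of packets for one protocol and reports what each stage passed and dropped.
"""
from collections import Counter
from typing import Dict, Iterable, List, Optional


def rate_limit_second(packets: Iterable[str], flow_limit: Optional[int],
                      protocol_limit: int) -> Dict[str, object]:
    """Apply the per-flow limit, then the per-protocol limit, to one second of traffic.

    packets: one entry per packet, holding its source MAC or IP address (the flow key).
    flow_limit: anti-attack protocol <p> flow-threshold, or None when not configured.
    protocol_limit: anti-attack protocol <p> threshold.
    """
    flow_passed: Counter = Counter()    # packets each flow got through stage 1
    flow_dropped: Counter = Counter()   # packets each flow lost at stage 1
    delivered: Counter = Counter()      # packets each flow finally got to the CPU
    passed = dropped = 0                # stage 2 (protocol-level) counters
    for src in packets:
        # Stage 1: flow-based limit, keyed by source address.
        if flow_limit is not None and flow_passed[src] >= flow_limit:
            flow_dropped[src] += 1
            continue
        flow_passed[src] += 1
        # Stage 2: protocol-based limit over everything stage 1 let through.
        if passed >= protocol_limit:
            dropped += 1
            continue
        passed += 1
        delivered[src] += 1
    return {"flow_passed": dict(flow_passed), "flow_dropped": dict(flow_dropped),
            "delivered": dict(delivered), "passed": passed, "dropped": dropped}


# Constructed traffic: one host flooding ARP, twenty hosts behaving normally.
ATTACKER = "0011-e212-8801"
CLIENTS = ["00e0-fc12-77%02x" % i for i in range(20)]


def sample_stream() -> List[str]:
    """One second of constructed ARP traffic: 5000 packets from ATTACKER and
    10 from each client, interleaved so the flood surrounds every client packet."""
    stream: List[str] = []
    for k in range(200):
        stream.extend([ATTACKER] * 25)
        stream.append(CLIENTS[k % len(CLIENTS)])
    return stream


def compare(flow_limit: int = 50, protocol_limit: int = 1000):
    """Run the same second with only the protocol limit, then with both limits."""
    protocol_only = rate_limit_second(sample_stream(), None, protocol_limit)
    both = rate_limit_second(sample_stream(), flow_limit, protocol_limit)
    return protocol_only, both


if __name__ == "__main__":
    protocol_only, both = compare()
    for label, r in (("threshold only", protocol_only),
                     ("flow-threshold + threshold", both)):
        client_pkts = sum(r["delivered"].get(c, 0) for c in CLIENTS)
        print(f"{label}: attacker {r['delivered'].get(ATTACKER, 0)} pps, "
              f"clients {client_pkts} pps, dropped {r['dropped']} at protocol stage")
```

With only the protocol threshold of 1000 pps, the flooding host takes 962 of the 1000 packets that reach the CPU and the twenty clients share the remaining 38. With a flow threshold of 50 pps in front of it, the flood is cut to 50 pps at stage 1, every client's 10 packets get through, and the protocol stage drops nothing. That is the reason to pair flow-threshold with threshold for protocols such as ARP, DHCP and the 802.11 management types: the per-protocol budget is no longer consumed by a single source.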

anti-attack protocol priority

Use anti-attack protocol priority to set the packet process priority for a protocol.

Use undo anti-attack protocol priority to restore the default.

Syntax

In standalone mode:

anti-attack protocol protocol priority priority

undo anti-attack protocol protocol priority

In IRF mode:

anti-attack protocol protocol priority priority [ slot slot-number ]

undo anti-attack protocol protocol priority [ slot slot-number ]

Default

The default settings vary by device model. To display the default setting for a protocol, execute the undo anti-attack protocol priority and display anti-attack protocol commands in turn.

Views

System view

Predefined user roles

network-admin

Parameters

protocol: Specifies a protocol. This argument can be a case-insensitive string of 1 to 31 characters. For information about supported protocol values, see Table 1.

priority: Specifies the packet process priority for the protocol, in the range of 0 to 4. A smaller value represents a higher priority.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, the setting applies to all member devices. (In IRF mode.)

Usage guidelines

When the maximum transmission rate is reached, the device decides which packets to drop by priority. Packets of the protocols with the lowest priority (the largest priority value) are dropped first.

Examples

# (In standalone mode.) Set the packet process priority to 0 for ARP.

<Sysname> system-view

[Sysname] anti-attack protocol arp priority 0

# (In IRF mode.) Set the packet process priority to 0 for ARP on a slot.

<Sysname> system-view

[Sysname] anti-attack protocol arp priority 0 slot 1

anti-attack protocol threshold

Use anti-attack protocol threshold to set the maximum transmission rate for a protocol.

Use undo anti-attack protocol threshold to restore the default for a protocol.

Syntax

In standalone mode:

anti-attack protocol protocol threshold rate-limit

undo anti-attack protocol protocol threshold

In IRF mode:

anti-attack protocol protocol threshold rate-limit [ slot slot-number ]

undo anti-attack protocol protocol threshold [ slot slot-number ]

Default

The default settings vary by device model. To display the default setting for a protocol, execute the undo anti-attack protocol threshold and display anti-attack protocol commands in turn.

Views

System view

Predefined user roles

network-admin

Parameters

protocol: Specifies a protocol. This argument can be a case-insensitive string of 1 to 31 characters. For information about supported protocol values, see Table 1.

rate-limit: Specifies the maximum transmission rate for the protocol in packets per second. The value range is 0 to 102400.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, the setting applies to all member devices. (In IRF mode.)

Usage guidelines

Packets that exceed the maximum transmission rate for the protocol are dropped.

Examples

# (In standalone mode.) Set the maximum transmission rate to 1000 packets per second for ARP.

<Sysname> system-view

[Sysname] anti-attack protocol arp threshold 1000

# (In IRF mode.) Set the maximum transmission rate to 1000 packets per second for ARP on a slot.

<Sysname> system-view

[Sysname] anti-attack protocol arp threshold 1000 slot 1

Related commands

display anti-attack protocol

display anti-attack protocol

Use display anti-attack protocol to display packet rate limit information about protocols.

Syntax

In standalone mode:

display anti-attack protocol [ protocol ]

In IRF mode:

display anti-attack protocol [ protocol ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

protocol: Specifies a protocol. This argument can be a case-insensitive string of 1 to 31 characters. If you do not specify a protocol, the command displays information about all protocols. For information about supported protocol values, see Table 1.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, the command displays packet rate limit information for all member devices. (In IRF mode.)

Examples

# (In standalone mode.) Display packet rate limit information about all protocols. Only protocol-based protocol packet rate limit is enabled in this example.

<Sysname> display anti-attack protocol

                        Anti-attack statistics

Protocol       anti-attack Priority Limit(pps)  Rate(pps) Passed    Dropped

dot1x          enable      1        1024        0         0         0

dhcp           enable      2        2000        0         0         0

igmp           enable      2        1024        0         0         0

ntp            enable      2        256         0         0         0

arp            enable      1        1024        0         17907     0

snmp           enable      0        1024        0         0         0

telnet         enable      0        100         0         0         0

icmp           enable      0        20          0         0         0

icmpv6_nd      enable      0        1024        0         0         0

icmpv6_other   enable      0        1024        0         0         0

iactp          enable      1        2560        0         0         0

acsei          enable      2        128         0         0         0

http           enable      1        1024        0         0         0

https          enable      1        1024        0         0         0

openflow       enable      1        1024        0         0         0

portal         enable      1        1024        0         0         0

udp            enable      2        20          0         0         0

tcp            enable      2        1           0         0         0

ip             enable      4        2560        0         0         0

ipv6           enable      2        128         0         0         0

ethernet       enable      2        128         0         0         0

radius         enable      1        2048        0         0         0

vrrp           enable      1        2048        0         0         0

capwap_ctrl    enable      1        2048        0         0         0

capwap_data    enable      1        2048        0         0         0

dot11_auth     enable      1        256         0         0         0

dot11_assoc    enable      1        256         0         0         0

dot11_reassoc  enable      1        256         0         0         0

dot11_null     enable      1        1024        0         0         0

dot11_disassoc enable      1        256         0         0         0

dot11_deauth   enable      1        256         0         0         0

dot11_action   enable      1        256         0         0         0

dot11_ctrl     enable      1        512         0         0         0

portal_syn     enable      1        1024        0         0         0

lacp           enable      1        256         0         0         0

# (In IRF mode.) Display packet rate limit information about all protocols on a slot. Only protocol-based protocol packet rate limit is enabled in this example.

<Sysname> display anti-attack protocol slot 1

Slot 1:

                        Anti-attack statistics

Protocol       anti-attack Priority Limit(pps)  Rate(pps) Passed    Dropped

dot1x          enable      1        1024        0         0         0

dhcp           enable      2        2000        0         0         0

igmp           enable      2        1024        0         0         0

ntp            enable      2        256         0         0         0

arp            enable      1        1024        0         17907     0

snmp           enable      0        1024        0         0         0

telnet         enable      0        100         0         0         0

icmp           enable      0        20          0         0         0

icmpv6_nd      enable      0        1024        0         0         0

icmpv6_other   enable      0        1024        0         0         0

iactp          enable      1        2560        0         0         0

acsei          enable      2        128         0         0         0

http           enable      1        1024        0         0         0

https          enable      1        1024        0         0         0

openflow       enable      1        1024        0         0         0

portal         enable      1        1024        0         0         0

udp            enable      2        20          0         0         0

tcp            enable      2        1           0         0         0

ip             enable      4        2560        0         0         0

ipv6           enable      2        128         0         0         0

ethernet       enable      2        128         0         0         0

radius         enable      1        2048        0         0         0

vrrp           enable      1        2048        0         0         0

capwap_ctrl    enable      1        2048        0         0         0

capwap_data    enable      1        2048        0         0         0

dot11_auth     enable      1        256         0         0         0

dot11_assoc    enable      1        256         0         0         0

dot11_reassoc  enable      1        256         0         0         0

dot11_null     enable      1        1024        0         0         0

dot11_disassoc enable      1        256         0         0         0

dot11_deauth   enable      1        256         0         0         0

dot11_action   enable      1        256         0         0         0

dot11_ctrl     enable      1        512         0         0         0

portal_syn     enable      1        1024        0         0         0

lacp           enable      1        256         0         0         0

Table 2 Command output

Field          Description
Protocol       Protocol name.
Anti-attack    Status of protocol-based packet rate limit for the protocol:
               ·     enable: The feature is enabled.
               ·     disable: The feature is disabled.
Priority       Packet processing priority of the protocol. A smaller value represents a higher priority.
Limit(pps)     Maximum packet transmission rate of the protocol, in packets per second.
Rate(pps)      Current packet transmission rate of the protocol, in packets per second.
Passed         Number of protocol packets sent to the CPU.
Dropped        Number of dropped protocol packets.

# (In standalone mode.) Display packet rate limit information about ARP. Both protocol-based protocol packet rate limit and flow-based protocol packet rate limit are enabled in this example.

<Sysname> display anti-attack protocol arp

                        Anti-attack statistics

Protocol       anti-attack Priority Limit(pps)  Rate(pps) Passed    Dropped

arp            enable      1        1024        0         17907     0

FlowSource              FlowLimit(pps)    FlowRate(pps)   Passed    Dropped

00e0-fc12-7723          1000              0               2         0

0011-e212-8801          1000              0               17905     0

# (In IRF mode.) Display packet rate limit information about ARP on a slot. Both protocol-based protocol packet rate limit and flow-based protocol packet rate limit are enabled in this example.

<Sysname> display anti-attack protocol arp slot 1

Slot 1:

                        Anti-attack statistics

Protocol       anti-attack Priority Limit(pps)  Rate(pps) Passed    Dropped

arp            enable      1        1024        0         17907     0

FlowSource              FlowLimit(pps)    FlowRate(pps)   Passed    Dropped

00e0-fc12-7723          1000              0               2         0

0011-e212-8801          1000              0               17905     0

Table 3 Command output

Field            Description
FlowSource       Source IP or MAC address of the flow.
FlowLimit(pps)   Maximum transmission rate for the flow, in packets per second.
FlowRate(pps)    Current transmission rate of the flow, in packets per second.
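The Rate, Passed and Dropped columns are what an operator watches to tell a flood from normal load, but the command only prints them. The following script, added here as an example and not part of H3C's documentation or software, parses the protocol rows and flow rows in the layout shown above and flags protocols that are dropping packets, protocols running close to their limit, and individual flows being dropped. The sample output is constructed for this example, with the counters changed from the page's values so that each check fires; the column layout, the xxxx-xxxx-xxxx MAC form, and the assumption that flow rows belong to the protocol row printed just before them come from the examples on this page.

```python
"""Parse `display anti-attack protocol` output and flag rate-limit pressure.

Added example for this page, not H3C code. The row layout follows the
display examples on this page; SAMPLE_OUTPUT below is constructed, with
the counters edited so that the checks have something to report.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Protocol row: name, enable/disable, Priority, Limit(pps), Rate(pps), Passed, Dropped.
PROTO_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<state>enable|disable)\s+(?P<prio>\d+)\s+"
    r"(?P<limit>\d+)\s+(?P<rate>\d+)\s+(?P<passed>\d+)\s+(?P<dropped>\d+)$"
)
# Flow row: source MAC (xxxx-xxxx-xxxx) or IPv4 address, then FlowLimit, FlowRate, Passed, Dropped.
FLOW_RE = re.compile(
    r"^(?P<src>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}|\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<limit>\d+)\s+(?P<rate>\d+)\s+(?P<passed>\d+)\s+(?P<dropped>\d+)$"
)
SLOT_RE = re.compile(r"^Slot (?P<slot>\d+):$")   # IRF mode prefixes each member's table


@dataclass
class ProtoStat:
    slot: Optional[int]
    proto: str
    enabled: bool
    priority: int
    limit: int
    rate: int
    passed: int
    dropped: int


@dataclass
class FlowStat:
    slot: Optional[int]
    proto: str        # protocol row this flow row was printed under (assumption)
    source: str
    limit: int
    rate: int
    passed: int
    dropped: int


def parse_anti_attack(text: str) -> Tuple[List[ProtoStat], List[FlowStat]]:
    """Return the protocol rows and flow rows found in the command output."""
    protos: List[ProtoStat] = []
    flows: List[FlowStat] = []
    slot: Optional[int] = None
    current: Optional[ProtoStat] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SLOT_RE.match(line)
        if m:
            slot = int(m["slot"])
            continue
        m = PROTO_RE.match(line)
        if m:
            current = ProtoStat(slot, m["proto"], m["state"] == "enable", int(m["prio"]),
                                int(m["limit"]), int(m["rate"]), int(m["passed"]),
                                int(m["dropped"]))
            protos.append(current)
            continue
        m = FLOW_RE.match(line)
        if m and current is not None:
            flows.append(FlowStat(slot, current.proto, m["src"], int(m["limit"]),
                                  int(m["rate"]), int(m["passed"]), int(m["dropped"])))
    return protos, flows


def find_pressure(protos: List[ProtoStat], flows: List[FlowStat],
                  near: float = 0.9) -> List[Tuple[str, Optional[int], str, str, str]]:
    """Return (kind, slot, protocol, subject, detail) tuples worth alerting on."""
    findings = []
    for p in protos:
        if p.dropped > 0:
            findings.append(("protocol-drop", p.slot, p.proto, p.proto,
                             f"{p.dropped} dropped, rate {p.rate}/{p.limit} pps"))
        elif p.enabled and p.limit > 0 and p.rate >= near * p.limit:
            findings.append(("protocol-near-limit", p.slot, p.proto, p.proto,
                             f"rate {p.rate}/{p.limit} pps"))
    for f in flows:
        if f.dropped > 0:
            findings.append(("flow-drop", f.slot, f.proto, f.source,
                             f"{f.dropped} dropped, flow rate {f.rate}/{f.limit} pps"))
    return findings


# Constructed sample in the page's layout: one ARP source is being flow-limited,
# ARP as a whole is near its limit, and ICMP is over its limit.
SAMPLE_OUTPUT = """\
Slot 1:
                        Anti-attack statistics
Protocol       anti-attack Priority Limit(pps)  Rate(pps) Passed    Dropped
arp            enable      1        1024        1003      71405     0
FlowSource              FlowLimit(pps)    FlowRate(pps)   Passed    Dropped
00e0-fc12-7723          1000              3               2         0
0011-e212-8801          1000              1100            71403     1800
icmp           enable      0        20          25        4400      120
"""

if __name__ == "__main__":
    for kind, slot, proto, subject, detail in find_pressure(*parse_anti_attack(SAMPLE_OUTPUT)):
        print(f"slot={slot} {kind} {proto} {subject}: {detail}")
```

A flow-drop finding against a single MAC or IP address with the protocol row itself not dropping is the healthy case: the per-flow limit is containing one source. A protocol-drop finding with no flow rows, or with drops spread over many sources, means the protocol-level threshold is doing the work and legitimate clients are sharing the loss, which is the situation to investigate or to address with a flow-threshold.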