16-Security Command Reference


Protocol packet rate limit commands

The following compatibility matrix shows the support of hardware platforms for protocol packet rate limit:

 

Hardware series            Model                         Product code        Protocol packet rate limit compatibility
WBC series                 WBC560                        EWP-WBC560          No
                           WBC580 G2-Standard Edition    EWP-WBC580-G2-BASE
                           WBC580 G2-Healthcare Edition  EWP-WBC580-G2-HOSP
Access controller modules  LSQM1WBCZ720X                 LSQM1WBCZ720X       Yes
                           LSUM1WBCZ720XRT               LSUM1WBCZ720XRT

anti-attack enable

Use anti-attack enable to enable packet rate limit.

Use undo anti-attack enable to disable packet rate limit.

Syntax

anti-attack enable

undo anti-attack enable

Default

Packet rate limit is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

To implement packet rate limit for a protocol, you must complete the following tasks:

·     Execute the anti-attack enable command to enable packet rate limit.

·     Execute the anti-attack protocol enable command to enable packet rate limit for the protocol.

Examples

# Enable packet rate limit.

<Sysname> system-view

[Sysname] anti-attack enable

Related commands

anti-attack protocol enable

anti-attack protocol enable

Use anti-attack protocol enable to enable packet rate limit for protocols.

Use undo anti-attack protocol enable to disable packet rate limit for protocols.

Syntax

anti-attack protocol { all | protocol } enable

undo anti-attack protocol { all | protocol } enable

Default

Packet rate limit is disabled for all protocols.

Views

System view

Predefined user roles

network-admin

Parameters

all: Specifies all protocols.

protocol: Specifies a protocol. This argument can be a case-insensitive string of 1 to 31 characters. Supported protocol values are shown in Table 1.

Table 1 Supported protocols

Protocol value   Description
acsei            ACSEI protocol packets
arp              ARP protocol packets
capwap_ctrl      CAPWAP control packets
capwap_data      CAPWAP data packets
dhcp             DHCP protocol packets
dot11_action     802.11 ACK packets
dot11_assoc      802.11 association request packets
dot11_auth       802.11 authentication packets
dot11_ctrl       Other types of 802.11 protocol packets
dot11_deauth     802.11 deauthentication packets
dot11_disassoc   802.11 disassociation request packets
dot11_null       802.11 null data packets
dot11_reassoc    802.11 reassociation request packets
dot1x            802.1X authentication packets
ethernet         Packets that are not identified as packets of specific protocols
http             HTTP protocol packets
iactp            IACTP protocol packets
icmp             ICMP protocol packets
icmpv6_nd        ICMPv6 neighbor discovery protocol packets
icmpv6_other     ICMPv6 protocol packets except for neighbor discovery protocol packets
igmp             IGMP protocol packets
ip               IPv4 protocol packets
ipv6             IPv6 protocol packets
ntp              NTP protocol packets
portal_syn       Portal redirect packets
radius           RADIUS protocol packets
snmp             SNMP protocol packets
tcp              TCP protocol packets
telnet           Telnet protocol packets
udp              UDP protocol packets
vrrp             VRRP protocol packets

 

Usage guidelines

To implement packet rate limit for a protocol, you must complete the following tasks:

·     Execute the anti-attack enable command to enable packet rate limit.

·     Execute the anti-attack protocol enable command to enable packet rate limit for the protocol.
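The two tasks above depend on each other, so a configuration that contains only one of them leaves the protocol unprotected. The following checker is an added example, not vendor code: it assumes a configuration excerpt lists the commands in the syntax shown on this page, and the WEAK and FIXED excerpts are constructed for illustration.

```python
import re
# Commands as the page's Syntax sections give them (protocol is case-insensitive).
PROTO_CMD = re.compile(
    r"^anti-attack protocol (\S{1,31}) (enable|threshold (\d+)|flow-threshold (\d+))$",
    re.IGNORECASE)

# Constructed configuration excerpts; neither comes from the page or a real device.
WEAK = """\
anti-attack protocol ARP enable
anti-attack protocol arp threshold 1000
anti-attack protocol arp flow-threshold 50
anti-attack protocol dhcp threshold 200000
"""
FIXED = """\
anti-attack enable
anti-attack protocol arp enable
anti-attack protocol arp threshold 1000
anti-attack protocol arp flow-threshold 50
anti-attack protocol dhcp enable
anti-attack protocol dhcp threshold 2000
"""

def audit(config_text):
    """Check the two-step enable rule and the 0-102400 rate range."""
    global_on, enabled, thresholds, findings = False, set(), {}, []
    for line in (" ".join(raw.split()) for raw in config_text.splitlines()):
        if line.lower() == "anti-attack enable":
            global_on = True
        m = PROTO_CMD.match(line)
        if not m:
            continue
        proto, rate = m.group(1).lower(), m.group(3) or m.group(4)
        if rate is None:                 # "... enable" form
            enabled.add(proto)
            continue
        if int(rate) > 102400:
            findings.append(f"{proto}: rate {rate} is outside 0-102400")
        if m.group(3):                   # protocol-based threshold only
            thresholds[proto] = int(rate)
    if enabled and not global_on:
        findings.append("protocols enabled but 'anti-attack enable' is missing")
    for proto in sorted(thresholds):
        if proto not in enabled and "all" not in enabled:
            findings.append(f"{proto}: threshold set but protocol not enabled")
    return findings

if __name__ == "__main__":
    print("weak: ", audit(WEAK))
    print("fixed:", audit(FIXED))
```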

Examples

# Enable packet rate limit for ARP.

<Sysname> system-view

[Sysname] anti-attack protocol arp enable

Related commands

anti-attack enable

anti-attack protocol flow-threshold

Use anti-attack protocol flow-threshold to enable flow-based packet rate limit for a protocol and set the maximum transmission rate per flow.

Use undo anti-attack protocol flow-threshold to disable flow-based packet rate limit for a protocol.

Syntax

anti-attack protocol protocol flow-threshold flow-rate-limit

undo anti-attack protocol protocol flow-threshold

Default

Flow-based packet rate limit is disabled for all protocols.

Views

System view

Predefined user roles

network-admin

Parameters

protocol: Specifies a protocol. This argument can be a case-insensitive string of 1 to 31 characters. For information about supported protocol values, see Table 1.

flow-rate-limit: Specifies the maximum transmission rate per flow for the protocol in packets per second. The value range is 0 to 102400.

Usage guidelines

The device identifies flows of a protocol by source IP or MAC address. Protocol packets that are sourced from the same IP address or MAC address belong to the same flow.

You can configure both protocol-based and flow-based protocol packet rate limit for the same protocol. The device first performs flow-based protocol packet rate limit and then performs protocol-based packet rate limit. Excessive protocol packets are dropped.
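The model below is an added example, not the device's implementation, showing why the order of the two stages matters: with only a protocol-based limit, one flooding source uses up the budget shared by every host. It assumes each limit is a plain per-second packet counter, uses the values 50 and 1000 from this page's examples, and runs on constructed traffic.

```python
from collections import Counter

FLOODER = "0000-5e00-53ff"  # constructed source MAC, not taken from the page

def build_second():
    """Constructed arrivals for one second of ARP: 5000 packets from one
    flooding source, with 200 packets from 20 ordinary hosts interleaved."""
    packets = []
    for i in range(5000):
        packets.append(FLOODER)
        if (i + 1) % 25 == 0:
            host = ((i + 1) // 25 - 1) % 20
            packets.append(f"0000-5e00-53{host:02x}")
    return packets

def limit_second(packets, flow_limit=None, proto_limit=None):
    """Apply the flow-based limit first, then the protocol-based limit.

    Assumption: each limit is a plain per-second packet counter; the page
    does not describe the device's actual metering algorithm.
    Returns (passed, dropped) as Counters keyed by source address.
    """
    seen, passed, dropped = Counter(), Counter(), Counter()
    proto_passed = 0
    for src in packets:
        seen[src] += 1
        if flow_limit is not None and seen[src] > flow_limit:
            dropped[src] += 1      # stage 1: this source exceeded its flow budget
        elif proto_limit is not None and proto_passed >= proto_limit:
            dropped[src] += 1      # stage 2: the protocol budget is already spent
        else:
            passed[src] += 1
            proto_passed += 1
    return passed, dropped

def hosts_passed(passed):
    """Packets from ordinary hosts that reached the CPU."""
    return sum(n for src, n in passed.items() if src != FLOODER)

if __name__ == "__main__":
    traffic = build_second()
    for label, kwargs in (("threshold 1000 only", {"proto_limit": 1000}),
                          ("flow-threshold 50 + threshold 1000",
                           {"flow_limit": 50, "proto_limit": 1000})):
        passed, dropped = limit_second(traffic, **kwargs)
        print(f"{label}: flooder passed={passed[FLOODER]} "
              f"dropped={dropped[FLOODER]}, hosts passed={hosts_passed(passed)}/200")
```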

Examples

# Enable flow-based packet rate limit for ARP and set the maximum transmission rate per flow to 50 packets per second.

<Sysname> system-view

[Sysname] anti-attack protocol arp flow-threshold 50

anti-attack protocol threshold

Use anti-attack protocol threshold to set the maximum transmission rate for a protocol.

Use undo anti-attack protocol threshold to restore the default for a protocol.

Syntax

anti-attack protocol protocol threshold rate-limit

undo anti-attack protocol protocol threshold

Default

The default settings vary by device model. To display the default setting for a protocol, execute the undo anti-attack protocol threshold and display anti-attack protocol commands in turn.

Views

System view

Predefined user roles

network-admin

Parameters

protocol: Specifies a protocol. This argument can be a case-insensitive string of 1 to 31 characters. For information about supported protocol values, see Table 1.

rate-limit: Specifies the maximum transmission rate for the protocol in packets per second. The value range is 0 to 102400.

Usage guidelines

Excessive packets are dropped.

Examples

# Set the maximum transmission rate to 1000 packets per second for ARP.

<Sysname> system-view

[Sysname] anti-attack protocol arp threshold 1000

Related commands

display anti-attack protocol

display anti-attack protocol

Use display anti-attack protocol to display packet rate limit information about protocols.

Syntax

display anti-attack protocol [ protocol ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

protocol: Specifies a protocol. This argument can be a case-insensitive string of 1 to 31 characters. If you do not specify a protocol, the command displays information about all protocols. For information about supported protocol values, see Table 1.

Examples

# Display packet rate limit information about all protocols. Only protocol-based protocol packet rate limit is enabled in this example.

<Sysname> display anti-attack protocol
                        Anti-attack statistics
Protocol       anti-attack Limit(pps)  Rate(pps) Passed    Dropped
dot1x          disable     1024        0         0         0
dhcp           disable     2000        0         0         0
igmp           disable     1024        0         0         0
ntp            disable     512         0         0         0
arp            disable     20000       0         0         0
snmp           disable     1024        0         0         0
telnet         disable     1024        0         0         0
icmp           disable     1024        0         0         0
icmpv6_nd      disable     1024        0         0         0
icmpv6_other   disable     1024        0         0         0
iactp          disable     2560        0         0         0
acsei          disable     512         0         0         0
http           disable     1024        0         0         0
https          disable     1024        0         0         0
openflow       disable     1024        0         0         0
portal         disable     1024        0         0         0
udp            disable     2048        0         0         0
tcp            disable     1024        0         0         0
ip             disable     2560        0         0         0
ipv6           disable     512         0         0         0
ethernet       disable     512         0         0         0
radius         disable     2048        0         0         0
vrrp           disable     2048        0         0         0
capwap_ctrl    disable     5120        0         0         0
capwap_ctrl_disdisable     2048        0         0         0
capwap_data    disable     51200       0         0         0
dot11_auth     disable     512         0         0         0
dot11_assoc    disable     512         0         0         0
dot11_reassoc  disable     512         0         0         0
dot11_null     disable     1024        0         0         0
dot11_disassoc disable     512         0         0         0
dot11_deauth   disable     512         0         0         0
dot11_action   disable     512         0         0         0
dot11_ctrl     disable     512         0         0         0
lacp           disable     512         0         0         0

Table 2 Command output

Field        Description
Anti-attack  Status of protocol-based packet rate limit for the protocol:
             ·     Enabled: The feature is enabled.
             ·     Disabled: The feature is disabled.
Limit(pps)   Maximum packet transmission rate of the protocol, in packets per second.
Rate(pps)    Current packet transmission rate of the protocol, in packets per second.
Passed       Number of protocol packets sent to the CPU.
Dropped      Number of dropped protocol packets.

 

# Display packet rate limit information about ARP. Both protocol-based protocol packet rate limit and flow-based protocol packet rate limit are enabled in this example.

<Sysname> display anti-attack protocol arp
                        Anti-attack statistics
Protocol       anti-attack Limit(pps)  Rate(pps) Passed    Dropped
arp            enable      1024        0         17907     0
FlowSource              FlowLimit(pps)    FlowRate(pps)   Passed    Dropped
00e0-fc12-7723          1000              0               2         0
0011-e212-8801          1000              0               17905     0

Table 3 Command output

Field           Description
FlowSource      Source IP or MAC address of the flow.
FlowLimit(pps)  Maximum transmission rate for the flow, in packets per second.
FlowRate(pps)   Current transmission rate of the flow, in packets per second.
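For monitoring, the display anti-attack protocol output described in Table 2 and Table 3 can be parsed and checked for disabled limits and non-zero drop counters. This parser is an added example, not vendor tooling: the sample capture is constructed (rows from the two layouts shown above merged, with invented counters), and it also handles a name that runs into the status column, as in the capwap_ctrl_disdisable row of the first example.

```python
import re

# A long protocol name can run into the status column (see capwap_ctrl_disdisable).
PROTO_ROW = re.compile(r"^(\S+?)\s*(enable|disable)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")
FLOW_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")
FIELDS = ("limit", "rate", "passed", "dropped")

# Constructed capture in the page's layout; counters are invented for illustration.
SAMPLE = """\
                        Anti-attack statistics
Protocol       anti-attack Limit(pps)  Rate(pps) Passed    Dropped
capwap_ctrl_disdisable     2048        0         0         0
dhcp           enable      2000        2000      90000     1500
arp            enable      1024        310       17907     0
FlowSource              FlowLimit(pps)    FlowRate(pps)   Passed    Dropped
00e0-fc12-7723          1000              0               2         0
0011-e212-8801          1000              310             17905     42
"""

def parse(text):
    """Return one dict per protocol row; flow rows attach to the protocol above them."""
    rows = []
    for line in map(str.strip, text.splitlines()):
        m = PROTO_ROW.match(line)
        if m:
            rows.append({"protocol": m.group(1), "enabled": m.group(2) == "enable",
                         "flows": [], **dict(zip(FIELDS, map(int, m.groups()[2:])))})
            continue
        m = FLOW_ROW.match(line)
        if m and rows:
            rows[-1]["flows"].append(
                {"source": m.group(1), **dict(zip(FIELDS, map(int, m.groups()[1:])))})
    return rows

def review(rows):
    """List (protocol, finding) pairs worth an operator's attention."""
    findings = []
    for r in rows:
        if not r["enabled"]:
            findings.append((r["protocol"], "protocol-based limit disabled"))
        if r["dropped"]:
            findings.append((r["protocol"], f"{r['dropped']} dropped at protocol limit"))
        findings += [(r["protocol"], f"flow {f['source']} dropped {f['dropped']}")
                     for f in r["flows"] if f["dropped"]]
    return findings

if __name__ == "__main__":
    for protocol, finding in review(parse(SAMPLE)):
        print(f"{protocol}: {finding}")
```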

 

 
