16-Security Configuration Guide

H3C WBC Series Multiservice Access Controllers Configuration Guides(E5448)-6W100
18-Protocol packet rate limit configuration

Configuring protocol packet rate limit

About protocol packet rate limit

The protocol packet rate limit feature rate limits packets sent to the CPU, effectively preventing flood and DoS attacks.

The device supports the following protocol packet rate limit methods:

·     Protocol-based protocol packet rate limit—Limits the maximum transmission rate of protocol packets of a specific protocol. Excessive protocol packets are dropped.

·     Flow-based protocol packet rate limit—Identifies flows of a protocol by source IP or MAC address, and limits the maximum transmission rate per flow. Excessive protocol packets are dropped. This method collects traffic statistics by flow and protocol for traffic anomaly and user behavior monitoring.

Restrictions: Hardware compatibility with protocol packet rate limit

Hardware series             Model                          Product code          Protocol packet rate limit compatibility
WBC series                  WBC560                         EWP-WBC560            No
WBC series                  WBC580 G2-Standard Edition     EWP-WBC580-G2-BASE    No
WBC series                  WBC580 G2-Healthcare Edition   EWP-WBC580-G2-HOSP    No
Access controller modules   LSQM1WBCZ720X                  LSQM1WBCZ720X         Yes
Access controller modules   LSUM1WBCZ720XRT                LSUM1WBCZ720XRT       Yes

Restrictions and guidelines: Protocol packet rate limit

You can configure both protocol-based and flow-based protocol packet rate limit for the same protocol. The device first performs flow-based protocol packet rate limit and then performs protocol-based packet rate limit.
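The ordering described above, shown as an added Python model (not H3C code). It assumes simple per-second counters, because the page does not state the device's metering algorithm; the MAC addresses and traffic mix are constructed, and the limits 1000 and 50 are the values used in the configuration examples on this page.

```python
from collections import Counter

FLOODER = "00e0-fc00-0001"  # constructed MAC for the misbehaving source

def simulate_second(packets, flow_limit, protocol_limit):
    """Run one second of CPU-bound protocol packets through both stages.

    packets: flow sources (MAC or IP), one entry per packet, in arrival order.
    flow_limit: per-flow pps, or None when flow-based limiting is off.
    Returns Counters keyed by source: (passed, dropped_flow, dropped_protocol).
    """
    seen_per_flow, total_passed = Counter(), 0
    passed, dropped_flow, dropped_protocol = Counter(), Counter(), Counter()
    for src in packets:
        # Stage 1: flow-based limit, applied first.
        if flow_limit is not None and seen_per_flow[src] >= flow_limit:
            dropped_flow[src] += 1
            continue
        seen_per_flow[src] += 1
        # Stage 2: protocol-based limit over everything stage 1 let through.
        if total_passed >= protocol_limit:
            dropped_protocol[src] += 1
            continue
        total_passed += 1
        passed[src] += 1
    return passed, dropped_flow, dropped_protocol

def constructed_traffic():
    """5000 packets from one source, interleaved with 20 clients x 5 packets."""
    clients = [f"0011-e200-{i:04d}" for i in range(20)]  # constructed MACs
    legit = [c for _ in range(5) for c in clients]
    packets = []
    for i in range(5000):
        packets.append(FLOODER)
        if i % 50 == 49:  # one client packet after every 50 flood packets
            packets.append(legit[i // 50])
    return packets

def summary(flow_limit, protocol_limit=1000):
    passed, d_flow, d_proto = simulate_second(
        constructed_traffic(), flow_limit, protocol_limit)
    legit = sum(n for src, n in passed.items() if src != FLOODER)
    return {"flooder_passed": passed[FLOODER], "legit_passed": legit,
            "dropped_flow": sum(d_flow.values()),
            "dropped_protocol": sum(d_proto.values())}

if __name__ == "__main__":
    print("protocol limit only :", summary(None))
    print("flow 50 + protocol  :", summary(50))
```

With only the protocol-based limit, the single noisy source uses up almost the whole 1000 pps budget and most client packets are dropped; with the per-flow limit in front, that source is capped before it reaches the shared budget.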

Procedure

1.     Enter system view.

system-view

2.     Enable packet rate limit.

anti-attack enable

By default, packet rate limit is disabled.

3.     Enable packet rate limit for a specific protocol or all protocols.

anti-attack protocol { all | protocol } enable

By default, packet rate limit is disabled for all protocols.

4.     (Optional.) Set the maximum transmission rate for a protocol.

anti-attack protocol protocol threshold rate-limit

The default settings vary by device model.

To display the default setting for a protocol, execute the undo anti-attack protocol threshold and display anti-attack protocol commands in turn.

5.     Enable flow-based packet rate limit for a protocol and set the maximum transmission rate per flow.

anti-attack protocol protocol flow-threshold flow-rate-limit

By default, flow-based packet rate limit is disabled for all protocols.

This step is required only for flow-based packet rate limit.

Display and maintenance commands for protocol packet rate limit

Use the display commands in any view.

 

Task                                              Command
Display protocol packet rate limit information.   display anti-attack protocol [ protocol ]

 

Protocol packet rate limit configuration examples

Example: Configuring protocol-based protocol packet rate limit

Network configuration

Configure protocol packet rate limit for ARP on the AC. Set the maximum transmission rate to 1000 packets per second.

Figure 1 Network diagram

 

Procedure

# Enable packet rate limit.

<AC> system-view

[AC] anti-attack enable

# Enable packet rate limit for ARP.

[AC] anti-attack protocol arp enable

# Set the maximum transmission rate to 1000 packets per second for ARP.

[AC] anti-attack protocol arp threshold 1000

Verifying the configuration

# Display packet rate limit information about ARP after Client 1 and Client 2 are connected.

[AC] display anti-attack protocol arp

                        Anti-attack statistics
Protocol       anti-attack Limit(pps)  Rate(pps) Passed    Dropped
arp            enable      1000        0         17907     0

arp Flow-limit is not enable.

Example: Configuring flow-based protocol packet rate limit

Network configuration

Configure flow-based protocol packet rate limit for ARP on the AC. Set the maximum transmission rate per flow to 50 packets per second.

Figure 2 Network diagram

 

Procedure

# Enable packet rate limit.

<AC> system-view

[AC] anti-attack enable

# Enable packet rate limit for ARP.

[AC] anti-attack protocol arp enable

# Enable flow-based packet rate limit for ARP and set the maximum transmission rate per flow to 50 packets per second.

[AC] anti-attack protocol arp flow-threshold 50

Verifying the configuration

# Display packet rate limit information about ARP after Client 1 and Client 2 are connected.

[AC] display anti-attack protocol arp

                        Anti-attack statistics
Protocol       anti-attack Limit(pps)  Rate(pps) Passed    Dropped
arp            enable      1024        0         17907     0
FlowSource              FlowLimit(pps)    FlowRate(pps)   Passed    Dropped
00e0-fc12-7723          50                0               2         0
0011-e212-8801          50                0               17905     0
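For ongoing monitoring of these counters, the following added Python example (not H3C code) parses text in the layout of the display anti-attack protocol output shown above and reports every protocol or flow row that has dropped packets or is running at its limit. The counter values in SAMPLE are constructed for illustration, and the function names are this example's own.

```python
# Constructed sample in the layout of the output above; counters are invented.
SAMPLE = """\
                        Anti-attack statistics
Protocol       anti-attack Limit(pps)  Rate(pps) Passed    Dropped
arp            enable      1024        53        48211     0
FlowSource              FlowLimit(pps)    FlowRate(pps)   Passed    Dropped
00e0-fc12-7723          50                3               2210      0
0011-e212-8801          50                50              46001     9120
"""

def parse(text):
    """Return one dict per protocol row and per flow row."""
    rows, kind = [], None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Protocol":        # header of the per-protocol table
            kind = "protocol"
        elif fields[0] == "FlowSource":    # header of the per-flow table
            kind = "flow"
        elif kind and len(fields) >= 5 and all(f.isdigit() for f in fields[-4:]):
            # The last four columns are limit, rate, passed, dropped in both
            # tables; status lines such as "arp Flow-limit is not enable."
            # fail the digit check and are skipped.
            limit, rate, passed, dropped = map(int, fields[-4:])
            rows.append({"kind": kind, "name": fields[0], "limit": limit,
                         "rate": rate, "passed": passed, "dropped": dropped})
    return rows

def findings(rows):
    """Rows that are dropping packets or currently at their limit."""
    out = []
    for r in rows:
        if r["dropped"] > 0 or r["rate"] >= r["limit"]:
            seen = r["passed"] + r["dropped"]
            ratio = round(r["dropped"] / seen, 3) if seen else 0.0
            out.append({**r, "drop_ratio": ratio})
    return sorted(out, key=lambda r: r["dropped"], reverse=True)

if __name__ == "__main__":
    for f in findings(parse(SAMPLE)):
        print(f"{f['kind']} {f['name']}: dropped={f['dropped']} "
              f"rate={f['rate']}/{f['limit']} pps drop_ratio={f['drop_ratio']}")
```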
