H3C Access Controllers Configuration Guides (R5447P04-6W100)

16-Security Configuration Guide

18-Protocol packet rate limit configuration
Configuring protocol packet rate limit

About protocol packet rate limit

The protocol packet rate limit feature limits the rate at which protocol packets are delivered to the CPU, mitigating flood and DoS attacks against the device's control plane.

The device supports the following protocol packet rate limit methods:

·     Protocol-based protocol packet rate limit—Limits the maximum transmission rate of protocol packets of a specific protocol. Excessive protocol packets are dropped.

·     Flow-based protocol packet rate limit—Identifies flows of a protocol by source IP or MAC address, and limits the maximum transmission rate per flow. Excessive protocol packets are dropped. This method collects traffic statistics by flow and protocol for traffic anomaly and user behavior monitoring.

Restrictions: Command and hardware compatibility

The WX1800H series, WX2500H series, MAK series, and WX3000H series access controllers do not support parameters or commands that are available only in IRF mode.

Restrictions and guidelines: Protocol packet rate limit

You can configure both protocol-based and flow-based protocol packet rate limit for the same protocol. The device first performs flow-based protocol packet rate limit and then performs protocol-based packet rate limit. A packet that exceeds the per-flow limit for its source is dropped before it is counted against the protocol-wide limit, so the protocol-wide limit applies only to packets that pass the per-flow check. This ordering keeps a single flooding source from consuming the whole protocol-wide budget that other sources share.
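The following Python model illustrates the ordering described above. It is an added example, not H3C code and not the device's implementation: it applies the documented two stages over a fixed one-second window (the real limiter may use token buckets or a different accounting), and the ARP burst, source MAC addresses and thresholds are constructed for the demonstration.

```python
"""Two-stage rate-limit model: per-flow limit first, then protocol-wide limit.

Added example; not H3C code and not the device's actual implementation.
It models the documented ordering with a fixed one-second window, and the
packet burst below is constructed, not captured traffic.
"""
from collections import Counter

# Constructed sample: one second of ARP packets reaching the CPU. One source
# floods 2000 packets in a burst ahead of two legitimate hosts.
ATTACKER = "0011-e212-8801"
LEGIT_A = "00e0-fc12-7723"
LEGIT_B = "00e0-fc34-9a01"
BURST = [ATTACKER] * 2000 + [LEGIT_A] * 20 + [LEGIT_B] * 30


def limit_window(packets, flow_threshold, threshold):
    """Apply flow-based limiting, then protocol-based limiting, to one second of packets.

    packets:        iterable of source identifiers (MAC or IP) in arrival order
    flow_threshold: per-flow packets/second, or None when flow-based limiting is off
    threshold:      protocol-wide packets/second, or None when no protocol limit is set

    Returns (passed_per_source, flow_dropped_per_source, protocol_dropped_total).
    """
    seen_per_flow = Counter()   # packets from each source so far in this window
    passed = Counter()
    flow_dropped = Counter()
    protocol_dropped = 0
    protocol_passed = 0
    for src in packets:
        seen_per_flow[src] += 1
        # Stage 1: per-flow limit. Excess packets from this source are dropped
        # without consuming any of the protocol-wide budget.
        if flow_threshold is not None and seen_per_flow[src] > flow_threshold:
            flow_dropped[src] += 1
            continue
        # Stage 2: protocol-wide limit applied to what survived stage 1.
        if threshold is not None and protocol_passed >= threshold:
            protocol_dropped += 1
            continue
        protocol_passed += 1
        passed[src] += 1
    return dict(passed), dict(flow_dropped), protocol_dropped


def compare(packets=BURST, flow_threshold=50, threshold=1000):
    """Run the same burst with and without the per-flow stage and return both outcomes."""
    return {
        "flow_and_protocol": limit_window(packets, flow_threshold, threshold),
        "protocol_only": limit_window(packets, None, threshold),
    }


if __name__ == "__main__":
    for name, (ok, flow_drop, proto_drop) in compare().items():
        print(f"{name}: passed={ok} flow_dropped={flow_drop} "
              f"protocol_dropped={proto_drop}")
```

With both stages active, the flooding source is capped at 50 packets and the two legitimate hosts get every packet through; with only the protocol-wide limit, the burst fills the 1000 pps budget and the legitimate hosts lose everything that arrives after it. On a real device the counters to compare are the Passed and Dropped columns of display anti-attack protocol.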

Procedure

1.     Enter system view.

system-view

2.     Enable packet rate limit.

In standalone mode:

anti-attack enable

In IRF mode:

anti-attack enable [ slot slot-number ]

By default, packet rate limit is disabled.

3.     Enable packet rate limit for a specific protocol or all protocols.

In standalone mode:

anti-attack protocol { all | protocol } enable

In IRF mode:

anti-attack protocol { all | protocol } enable [ slot slot-number ]

By default, packet rate limit is disabled for all protocols.

4.     (Optional.) Set the maximum transmission rate for a protocol.

In standalone mode:

anti-attack protocol protocol threshold rate-limit

In IRF mode:

anti-attack protocol protocol threshold rate-limit [ slot slot-number ]

The default settings vary by device model.

To display the default setting for a protocol, first restore the default with the undo anti-attack protocol threshold command, and then execute the display anti-attack protocol command.

5.     Set the packet processing priority for a protocol.

In standalone mode:

anti-attack protocol protocol priority priority

In IRF mode:

anti-attack protocol protocol priority priority [ slot slot-number ]

The default settings vary by device model.

To display the default setting for a protocol, first restore the default with the undo anti-attack protocol priority command, and then execute the display anti-attack protocol command.

6.     Enable flow-based packet rate limit for a protocol and set the maximum transmission rate per flow.

In standalone mode:

anti-attack protocol protocol flow-threshold flow-rate-limit

In IRF mode:

anti-attack protocol protocol flow-threshold flow-rate-limit [ slot slot-number ]

By default, flow-based packet rate limit is disabled for all protocols.

This step is required only for flow-based packet rate limit.

Display and maintenance commands for protocol packet rate limit

Use the display commands in any view.

Task: Display protocol packet rate limit information.

Command (standalone mode): display anti-attack protocol [ protocol ]

Command (IRF mode): display anti-attack protocol [ protocol ] [ slot slot-number ]


Protocol packet rate limit configuration examples

Example: Configuring protocol-based protocol packet rate limit

Network configuration

Configure protocol packet rate limit for ARP on the AC. Set the maximum transmission rate to 1000 packets per second.

Figure 1 Network diagram

 

Procedure

# Enable packet rate limit.

<AC> system-view

[AC] anti-attack enable

# Enable packet rate limit for ARP.

[AC] anti-attack protocol arp enable

# Set the maximum transmission rate to 1000 packets per second for ARP.

[AC] anti-attack protocol arp threshold 1000

Verifying the configuration

# Display packet rate limit information about ARP after Client 1 and Client 2 are connected.

[AC] display anti-attack protocol arp

                        Anti-attack statistics

Protocol       anti-attack Priority Limit(pps)  Rate(pps) Passed    Dropped

arp            enable      1        1000        0         17907     0

 

arp Flow-limit is not enable.

Example: Configuring flow-based protocol packet rate limit

Network configuration

Configure flow-based protocol packet rate limit for ARP on the AC. Set the maximum transmission rate per flow to 50 packets per second.

Figure 2 Network diagram

 

Procedure

# Enable packet rate limit.

<AC> system-view

[AC] anti-attack enable

# Enable packet rate limit for ARP.

[AC] anti-attack protocol arp enable

# Enable flow-based packet rate limit for ARP and set the maximum transmission rate per flow to 50 packets per second.

[AC] anti-attack protocol arp flow-threshold 50

Verifying the configuration

# Display packet rate limit information about ARP after Client 1 and Client 2 are connected.

[AC] display anti-attack protocol arp

                        Anti-attack statistics

Protocol       anti-attack Priority Limit(pps)  Rate(pps) Passed    Dropped

arp            enable      1        1024        0         17907     0

FlowSource              FlowLimit(pps)    FlowRate(pps)   Passed    Dropped

00e0-fc12-7723          50                0               2         0

0011-e212-8801          50                0               17905     0
