16-Security Command Reference


Protocol packet rate limit commands

anti-attack enable

Use anti-attack enable to enable packet rate limit.

Use undo anti-attack enable to disable packet rate limit.

Syntax

anti-attack enable

undo anti-attack enable

Default

Packet rate limit is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

To implement packet rate limit for a protocol, you must complete the following tasks:

·     Execute the anti-attack enable command to enable packet rate limit.

·     Execute the anti-attack protocol enable command to enable packet rate limit for the protocol.

Examples

# Enable packet rate limit.

<Sysname> system-view

[Sysname] anti-attack enable

Related commands

anti-attack protocol enable

anti-attack protocol enable

Use anti-attack protocol enable to enable packet rate limit for protocols.

Use undo anti-attack protocol enable to disable packet rate limit for protocols.

Syntax

anti-attack protocol { all | protocol } enable

undo anti-attack protocol { all | protocol } enable

Default

Packet rate limit is disabled for all protocols.

Views

System view

Predefined user roles

network-admin

Parameters

all: Specifies all protocols.

protocol: Specifies a protocol.

Usage guidelines

To implement packet rate limit for a protocol, you must complete the following tasks:

·     Execute the anti-attack enable command to enable packet rate limit.

·     Execute the anti-attack protocol enable command to enable packet rate limit for the protocol.

Examples

# Enable packet rate limit for ARP.

<Sysname> system-view

[Sysname] anti-attack protocol arp enable

Related commands

anti-attack enable

anti-attack protocol flow-threshold

Use anti-attack protocol flow-threshold to enable flow-based packet rate limit for a protocol and set the maximum transmission rate per flow.

Use undo anti-attack protocol flow-threshold to disable flow-based packet rate limit for a protocol.

Syntax

anti-attack protocol protocol flow-threshold flow-rate-limit

undo anti-attack protocol protocol flow-threshold

Default

Flow-based packet rate limit is disabled for all protocols.

Views

System view

Predefined user roles

network-admin

Parameters

protocol: Specifies a protocol.

flow-rate-limit: Specifies the maximum transmission rate per flow for the protocol in packets per second. The value range is 0 to 102400.

Usage guidelines

The device identifies flows of a protocol by source IP or MAC address. Protocol packets that are sourced from the same IP address or MAC address belong to the same flow.

You can configure both protocol-based and flow-based protocol packet rate limit for the same protocol. The device first performs flow-based protocol packet rate limit and then performs protocol-based packet rate limit. Excessive protocol packets are dropped.

Examples

# Enable flow-based packet rate limit for ARP and set the maximum transmission rate per flow to 50 packets per second.

<Sysname> system-view

[Sysname] anti-attack protocol arp flow-threshold 50
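The ordering described in the usage guidelines (flow-based limit first, then protocol-based limit) is modeled below as an added example, not H3C code. It uses the page's example values of 50 pps per flow and 1000 pps for ARP; the one-second counter window and the source addresses are assumptions, since the page does not state the device's metering algorithm.

```python
from collections import Counter

NOISY = "00e0-fc12-0001"  # constructed MAC of a single flooding source


def constructed_burst():
    """One second of constructed ARP arrivals: 5000 packets from NOISY,
    interleaved with 100 packets from 20 ordinary hosts (5 each)."""
    packets = []
    for i in range(5000):
        packets.append(NOISY)
        if i % 50 == 0:
            packets.append(f"192.0.2.{10 + (i // 50) % 20}")
    return packets


def rate_limit_one_second(packets, flow_limit, protocol_limit):
    """Apply the flow-based limit, then the protocol-based limit.

    packets: source identifiers (IP or MAC), one per packet, in arrival order.
    flow_limit: per-source cap in pps, or None when flow-based limit is off.
    Returns (passed, dropped_by_flow, dropped_by_protocol) Counters by source.
    """
    seen = Counter()
    passed, drop_flow, drop_proto = Counter(), Counter(), Counter()
    total = 0
    for src in packets:
        seen[src] += 1
        # Stage 1: the per-flow cap is checked before the protocol budget.
        if flow_limit is not None and seen[src] > flow_limit:
            drop_flow[src] += 1
            continue
        # Stage 2: whatever survives stage 1 competes for the protocol budget.
        if total >= protocol_limit:
            drop_proto[src] += 1
            continue
        total += 1
        passed[src] += 1
    return passed, drop_flow, drop_proto


if __name__ == "__main__":
    for flow_limit in (None, 50):
        passed, by_flow, by_proto = rate_limit_one_second(
            constructed_burst(), flow_limit, 1000)
        others = sum(n for s, n in passed.items() if s != NOISY)
        print(f"flow_limit={flow_limit}: noisy passed={passed[NOISY]}, "
              f"other hosts passed={others}/100, "
              f"flow drops={sum(by_flow.values())}, "
              f"protocol drops={sum(by_proto.values())}")
```

With only the protocol-based limit, the flooding source consumes most of the 1000 pps budget and ordinary hosts lose packets; with the per-flow cap in front, the source is held to 50 pps and the protocol limit is never reached.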

anti-attack protocol priority

Use anti-attack protocol priority to set the packet process priority for a protocol.

Use undo anti-attack protocol priority to restore the default.

Syntax

anti-attack protocol protocol priority priority

undo anti-attack protocol protocol priority

Default

The default settings vary by device model. To display the default setting for a protocol, execute the undo anti-attack protocol priority and display anti-attack protocol commands in turn.

Views

System view

Predefined user roles

network-admin

Parameters

protocol: Specifies a protocol.

priority: Specifies the packet process priority for the protocol, in the range of 0 to 4. A smaller value represents a higher priority.

Usage guidelines

When the maximum transmission rate is reached, the device determines packets to be dropped by priority. Packets of the lowest priority are dropped first.

Examples

# Set the packet process priority to 0 for ARP.

<Sysname> system-view

[Sysname] anti-attack protocol arp priority 0

anti-attack protocol threshold

Use anti-attack protocol threshold to set the maximum transmission rate for a protocol.

Use undo anti-attack protocol threshold to restore the default for a protocol.

Syntax

anti-attack protocol protocol threshold rate-limit

undo anti-attack protocol protocol threshold

Default

The default settings vary by device model. To display the default setting for a protocol, execute the undo anti-attack protocol threshold and display anti-attack protocol commands in turn.

Views

System view

Predefined user roles

network-admin

Parameters

protocol: Specifies a protocol.

rate-limit: Specifies the maximum transmission rate for the protocol in packets per second. The value range is 0 to 102400.

Usage guidelines

Excessive packets are dropped.

Examples

# Set the maximum transmission rate to 1000 packets per second for ARP.

<Sysname> system-view

[Sysname] anti-attack protocol arp threshold 1000

Related commands

display anti-attack protocol

display anti-attack protocol

Use display anti-attack protocol to display packet rate limit information about protocols.

Syntax

display anti-attack protocol [ protocol ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

protocol: Specifies a protocol.

Examples

# Display packet rate limit information about all protocols. Only protocol-based protocol packet rate limit is enabled in this example.

<Sysname> display anti-attack protocol

                        Anti-attack statistics

Protocol            anti-attack    Priority Limit(pps)  Rate(pps) Passed    Dropped

dot1x               disable        1        1024        0         0         0

dhcp                disable        2        2000        0         0         0

dhcpv6              disable        2        2000        0         0         0

igmp                disable        2        1024        0         0         0

ntp                 disable        2        256         0         0         0

arp                 disable        1        1024        0         0         0

snmp                disable        0        1024        0         0         0

telnet              disable        0        1024        0         0         0

icmp                disable        0        1024        0         0         0

icmpv6_nd           disable        0        1024        0         0         0

icmpv6_other        disable        0        1024        0         0         0

iadtp               disable        1        2560        0         0         0

acsei               disable        2        128         0         0         0

http                disable        1        1024        0         0         0

https               disable        1        1024        0         0         0

openflow            disable        1        1024        0         0         0

portal              disable        1        1024        0         0         0

udp                 disable        2        2048        0         0         0

tcp                 disable        2        1024        0         0         0

ip                  disable        2        2560        0         0         0

ipv6                disable        2        128         0         0         0

ethernet            disable        2        128         0         0         0

radius              disable        1        2048        0         0         0

vrrp                disable        1        2048        0         0         0

capwap_ctrl         disable        1        2048        0         0         0

capwap_ctrl_dis     disable        1        2048        0         0         0

capwap_data         disable        1        2048        0         0         0

dot11_auth          disable        1        256         0         0         0

dot11_assoc         disable        1        256         0         0         0

dot11_reassoc       disable        1        256         0         0         0

dot11_null          disable        1        1024        0         0         0

dot11_disassoc      disable        1        256         0         0         0

dot11_deauth        disable        1        256         0         0         0

dot11_action        disable        1        256         0         0         0

dot11_ctrl          disable        1        512         0         0         0

lacp                disable        1        256         0         0         0

Table 1 Command output

Field: Description

Anti-attack: Status of protocol-based packet rate limit for the protocol:

·     Enabled: The feature is enabled.

·     Disabled: The feature is disabled.

Priority: Packet processing priority of the protocol. A smaller value represents a higher priority.

Limit(pps): Maximum packet transmission rate of the protocol, in packets per second.

Rate(pps): Current packet transmission rate of the protocol, in packets per second.

Passed: Number of protocol packets sent to the CPU.

Dropped: Number of dropped protocol packets.

# Display packet rate limit information about ARP. Both protocol-based protocol packet rate limit and flow-based protocol packet rate limit are enabled in this example.

<Sysname> display anti-attack protocol arp

                        Anti-attack statistics

Protocol       anti-attack Priority Limit(pps)  Rate(pps) Passed    Dropped

arp            enable      1        1024        0         17907     0

FlowSource              FlowLimit(pps)    FlowRate(pps)   Passed    Dropped

00e0-fc12-7723          1000              0               2         0

0011-e212-8801          1000              0               17905     0

Table 2 Command output

Field: Description

FlowSource: Source IP or MAC address of the flow.

FlowLimit(pps): Maximum transmission rate for the flow, in packets per second.

FlowRate(pps): Current transmission rate of the flow, in packets per second.
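The following added example (not part of the H3C documentation) parses captured display anti-attack protocol output and lists the rows an operator would review: protocols whose rate limit is not enabled, and protocols or flows with a nonzero Dropped counter. The sample text is constructed; it follows the column layout shown above, but the dhcp row and the counter values are invented for illustration.

```python
# Constructed sample in the layout of the page's output; values are invented.
SAMPLE = """\
                        Anti-attack statistics
Protocol       anti-attack Priority Limit(pps)  Rate(pps) Passed    Dropped
arp            enable      1        1024        310       17907     0
dhcp           disable     2        2000        0         0         0
FlowSource              FlowLimit(pps)    FlowRate(pps)   Passed    Dropped
00e0-fc12-7723          1000              0               2         0
0011-e212-8801          1000              1000            17905     4210
"""


def parse(text):
    """Return (protocols, flows) as lists of dicts keyed by the header names."""
    protocols, flows, header, target = [], [], None, None
    for line in text.splitlines():
        cols = line.split()
        if not cols or cols[:2] == ["Anti-attack", "statistics"]:
            continue  # skip blank lines and the banner
        if cols[0] == "Protocol":
            header, target = cols, protocols
        elif cols[0] == "FlowSource":
            header, target = cols, flows
        elif header and len(cols) == len(header):
            row = dict(zip(header, cols))
            # Convert the purely numeric columns (limits, rates, counters).
            row = {k: int(v) if v.isdigit() else v for k, v in row.items()}
            target.append(row)
    return protocols, flows


def audit(text):
    """List findings worth a reviewer's attention from one capture."""
    protocols, flows = parse(text)
    findings = []
    for p in protocols:
        if p["anti-attack"] != "enable":
            findings.append(f"{p['Protocol']}: rate limit not enabled")
        elif p["Dropped"] > 0:
            findings.append(f"{p['Protocol']}: {p['Dropped']} dropped "
                            f"at {p['Limit(pps)']} pps")
    for f in flows:
        if f["Dropped"] > 0:
            findings.append(f"flow {f['FlowSource']}: {f['Dropped']} dropped "
                            f"at {f['FlowLimit(pps)']} pps")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```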
