16-Security Command Reference

H3C WX2800X&WSG1800X Command References(E5611)-5W101
18-Protocol packet rate limit commands

Protocol packet rate limit commands

 

anti-attack enable

Use anti-attack enable to enable packet rate limit.

Use undo anti-attack enable to disable packet rate limit.

Syntax

anti-attack enable

undo anti-attack enable

Default

Packet rate limit is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

To implement packet rate limit for a protocol, you must complete the following tasks:

·     Execute the anti-attack enable command to enable packet rate limit.

·     Execute the anti-attack protocol enable command to enable packet rate limit for the protocol.

Examples

# Enable packet rate limit.

<Sysname> system-view

[Sysname] anti-attack enable

Related commands

anti-attack protocol enable

anti-attack protocol enable

Use anti-attack protocol enable to enable packet rate limit for protocols.

Use undo anti-attack protocol enable to disable packet rate limit for protocols.

Syntax

anti-attack protocol { all | protocol } enable

undo anti-attack protocol { all | protocol } enable

Default

Packet rate limit is disabled for all protocols.

Views

System view

Predefined user roles

network-admin

Parameters

all: Specifies all protocols.

protocol: Specifies a protocol. This argument can be a case-insensitive string of 1 to 31 characters. Supported protocol values are shown in Table 1.

Table 1 Supported protocols

Protocol value   Description
acsei            ACSEI protocol packets
arp              ARP protocol packets
capwap_ctrl      CAPWAP control packets
capwap_data      CAPWAP data packets
dhcp             DHCP protocol packets
dot11_action     802.11 ACK packets
dot11_assoc      802.11 association request packets
dot11_auth       802.11 authentication packets
dot11_ctrl       Other types of 802.11 protocol packets
dot11_deauth     802.11 deauthentication packets
dot11_disassoc   802.11 disassociation request packets
dot11_null       802.11 null data packets
dot11_reassoc    802.11 reassociation request packets
dot1x            802.1X authentication packets
ethernet         Packets that are not identified as packets of specific protocols
http             HTTP protocol packets
iactp            IACTP protocol packets
icmp             ICMP protocol packets
icmpv6_nd        ICMPv6 neighbor discovery protocol packets
icmpv6_other     ICMPv6 protocol packets except for neighbor discovery protocol packets
igmp             IGMP protocol packets
ip               IPv4 protocol packets
ipv6             IPv6 protocol packets
ntp              NTP protocol packets
portal_syn       Portal redirect packets
radius           RADIUS protocol packets
snmp             SNMP protocol packets
tcp              TCP protocol packets
telnet           Telnet protocol packets
udp              UDP protocol packets
vrrp             VRRP protocol packets

Usage guidelines

To implement packet rate limit for a protocol, you must complete the following tasks:

·     Execute the anti-attack enable command to enable packet rate limit.

·     Execute the anti-attack protocol enable command to enable packet rate limit for the protocol.

Examples

# Enable packet rate limit for ARP.

<Sysname> system-view

[Sysname] anti-attack protocol arp enable

Related commands

anti-attack enable

anti-attack protocol flow-threshold

Use anti-attack protocol flow-threshold to enable flow-based packet rate limit for a protocol and set the maximum transmission rate per flow.

Use undo anti-attack protocol flow-threshold to disable flow-based packet rate limit for a protocol.

Syntax

anti-attack protocol protocol flow-threshold flow-rate-limit

undo anti-attack protocol protocol flow-threshold

Default

Flow-based packet rate limit is disabled for all protocols.

Views

System view

Predefined user roles

network-admin

Parameters

protocol: Specifies a protocol. This argument can be a case-insensitive string of 1 to 31 characters. For information about supported protocol values, see Table 1.

flow-rate-limit: Specifies the maximum transmission rate per flow for the protocol in packets per second. The value range is 0 to 102400.

Usage guidelines

The device identifies flows of a protocol by source IP or MAC address. Protocol packets that are sourced from the same IP address or MAC address belong to the same flow.

You can configure both protocol-based and flow-based protocol packet rate limit for the same protocol. The device first performs flow-based protocol packet rate limit and then performs protocol-based packet rate limit. Excessive protocol packets are dropped.
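
The processing order described above, as a simplified one-second model (an added example, not H3C code). The function name, the per-second counters and the sample source addresses are assumptions; the thresholds 1000 and 50 are the values used in the examples on this page.

```python
from collections import Counter

def rate_limit_second(sources, protocol_limit, flow_limit=None):
    """Model one second of packets for one protocol (simplified assumption).

    sources: flow source (IP or MAC string) of each packet, in arrival order.
    Returns (passed, flow_dropped, protocol_dropped) as per-source Counters.
    """
    seen, passed = Counter(), Counter()
    flow_dropped, protocol_dropped = Counter(), Counter()
    total_passed = 0
    for src in sources:
        # Stage 1: flow-based limit, applied first, per source address.
        if flow_limit is not None and seen[src] >= flow_limit:
            flow_dropped[src] += 1
            continue
        seen[src] += 1
        # Stage 2: protocol-based limit shared by all flows of the protocol.
        if total_passed >= protocol_limit:
            protocol_dropped[src] += 1
            continue
        total_passed += 1
        passed[src] += 1
    return passed, flow_dropped, protocol_dropped

# Constructed traffic: one source sends 5000 ARP packets in the second,
# then a normal host sends 20.
NOISY, NORMAL = "0200-0000-00aa", "0200-0000-00bb"
TRAFFIC = [NOISY] * 5000 + [NORMAL] * 20

def compare():
    """Return results for threshold only, then flow-threshold plus threshold."""
    only_protocol = rate_limit_second(TRAFFIC, protocol_limit=1000)
    both = rate_limit_second(TRAFFIC, protocol_limit=1000, flow_limit=50)
    return only_protocol, both

if __name__ == "__main__":
    for label, (ok, fdrop, pdrop) in zip(("threshold only", "flow + threshold"), compare()):
        print(label, dict(ok), dict(fdrop), dict(pdrop))
```

In this model, the protocol-wide threshold alone lets the first source consume the whole budget, while adding the per-flow threshold caps that source and leaves room for the normal host.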

Examples

# Enable flow-based packet rate limit for ARP and set the maximum transmission rate per flow to 50 packets per second.

<Sysname> system-view

[Sysname] anti-attack protocol arp flow-threshold 50

anti-attack protocol priority

Use anti-attack protocol priority to set the packet process priority for a protocol.

Use undo anti-attack protocol priority to restore the default.

Syntax

anti-attack protocol protocol priority priority

undo anti-attack protocol protocol priority

Default

The default settings vary by device model. To display the default setting for a protocol, execute the undo anti-attack protocol priority and display anti-attack protocol commands in turn.

Views

System view

Predefined user roles

network-admin

Parameters

protocol: Specifies a protocol. This argument can be a case-insensitive string of 1 to 31 characters. For information about supported protocol values, see Table 1.

priority: Specifies the packet process priority for the protocol, in the range of 0 to 4. A smaller value represents a higher priority.

Usage guidelines

When the maximum transmission rate is reached, the device determines packets to be dropped by priority. Packets of the lowest priority are dropped first.

Examples

# Set the packet process priority to 0 for ARP.

<Sysname> system-view

[Sysname] anti-attack protocol arp priority 0

anti-attack protocol threshold

Use anti-attack protocol threshold to set the maximum transmission rate for a protocol.

Use undo anti-attack protocol threshold to restore the default for a protocol.

Syntax

anti-attack protocol protocol threshold rate-limit

undo anti-attack protocol protocol threshold

Default

The default settings vary by device model. To display the default setting for a protocol, execute the undo anti-attack protocol threshold and display anti-attack protocol commands in turn.

Views

System view

Predefined user roles

network-admin

Parameters

protocol: Specifies a protocol. This argument can be a case-insensitive string of 1 to 31 characters. For information about supported protocol values, see Table 1.

rate-limit: Specifies the maximum transmission rate for the protocol in packets per second. The value range is 0 to 102400.

Usage guidelines

Excessive packets are dropped.

Examples

# Set the maximum transmission rate to 1000 packets per second for ARP.

<Sysname> system-view

[Sysname] anti-attack protocol arp threshold 1000

Related commands

display anti-attack protocol

display anti-attack protocol

Use display anti-attack protocol to display packet rate limit information about protocols.

Syntax

display anti-attack protocol [ protocol ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

protocol: Specifies a protocol. This argument can be a case-insensitive string of 1 to 31 characters. If you do not specify a protocol, the command displays information about all protocols. For information about supported protocol values, see Table 1.

Examples

# Display packet rate limit information about all protocols. Only protocol-based protocol packet rate limit is enabled in this example.

<Sysname> display anti-attack protocol
                        Anti-attack statistics
Protocol       anti-attack Priority Limit(pps)  Rate(pps) Passed    Dropped
dot1x          enable      1        1024        0         0         0
dhcp           enable      2        2000        0         0         0
igmp           enable      2        1024        0         0         0
ntp            enable      2        256         0         0         0
arp            enable      1        1024        0         17907     0
snmp           enable      0        1024        0         0         0
telnet         enable      0        100         0         0         0
icmp           enable      0        20          0         0         0
icmpv6_nd      enable      0        1024        0         0         0
icmpv6_other   enable      0        1024        0         0         0
iactp          enable      1        2560        0         0         0
acsei          enable      2        128         0         0         0
http           enable      1        1024        0         0         0
https          enable      1        1024        0         0         0
openflow       enable      1        1024        0         0         0
portal         enable      1        1024        0         0         0
udp            enable      2        20          0         0         0
tcp            enable      2        1           0         0         0
ip             enable      4        2560        0         0         0
ipv6           enable      2        128         0         0         0
ethernet       enable      2        128         0         0         0
radius         enable      1        2048        0         0         0
vrrp           enable      1        2048        0         0         0
capwap_ctrl    enable      1        2048        0         0         0
capwap_data    enable      1        2048        0         0         0
dot11_auth     enable      1        256         0         0         0
dot11_assoc    enable      1        256         0         0         0
dot11_reassoc  enable      1        256         0         0         0
dot11_null     enable      1        1024        0         0         0
dot11_disassoc enable      1        256         0         0         0
dot11_deauth   enable      1        256         0         0         0
dot11_action   enable      1        256         0         0         0
dot11_ctrl     enable      1        512         0         0         0
portal_syn     enable      1        1024        0         0         0
lacp           enable      1        256         0         0         0

Table 2 Command output

Field        Description
Anti-attack  Status of protocol-based packet rate limit for the protocol:
             ·     Enabled: The feature is enabled.
             ·     Disabled: The feature is disabled.
Priority     Packet processing priority of the protocol. A smaller value represents a higher priority.
Limit(pps)   Maximum packet transmission rate of the protocol, in packets per second.
Rate(pps)    Current packet transmission rate of the protocol, in packets per second.
Passed       Number of protocol packets sent to the CPU.
Dropped      Number of dropped protocol packets.

# Display packet rate limit information about ARP. Both protocol-based protocol packet rate limit and flow-based protocol packet rate limit are enabled in this example.

<Sysname> display anti-attack protocol arp
                        Anti-attack statistics
Protocol       anti-attack Priority Limit(pps)  Rate(pps) Passed    Dropped
arp            enable      1        1024        0         17907     0
FlowSource              FlowLimit(pps)    FlowRate(pps)   Passed    Dropped
00e0-fc12-7723          1000              0               2         0
0011-e212-8801          1000              0               17905     0

Table 3 Command output

Field            Description
FlowSource       Source IP or MAC address of the flow.
FlowLimit(pps)   Maximum transmission rate for the flow, in packets per second.
FlowRate(pps)    Current transmission rate of the flow, in packets per second.
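
For monitoring, the display anti-attack protocol output shown above can be parsed to flag protocols and flows that are dropping packets or running close to their limit. This is an added example, not H3C tooling: the function names, the 0.8 ratio and the sample output (constructed in the page's column layout) are assumptions.

```python
def parse_anti_attack(text):
    """Parse 'display anti-attack protocol' output into (protocols, flows)."""
    protocols, flows, current = {}, [], None
    for line in text.splitlines():
        tok = line.split()
        # Protocol row: name, status, then five integer columns.
        if len(tok) == 7 and all(t.isdigit() for t in tok[2:]):
            prio, limit, rate, passed, dropped = map(int, tok[2:])
            current = tok[0]
            protocols[current] = dict(status=tok[1], priority=prio, limit=limit,
                                      rate=rate, passed=passed, dropped=dropped)
        # Flow row: source address, then four integer columns.
        elif len(tok) == 5 and all(t.isdigit() for t in tok[1:]):
            limit, rate, passed, dropped = map(int, tok[1:])
            # Assumption: flow rows belong to the protocol row printed above them.
            flows.append(dict(protocol=current, source=tok[0], limit=limit,
                              rate=rate, passed=passed, dropped=dropped))
    return protocols, flows

def over_limit(entry, ratio):
    """True if packets were dropped or the current rate is near the limit."""
    near = entry["limit"] > 0 and entry["rate"] >= ratio * entry["limit"]
    return entry["dropped"] > 0 or near

def findings(text, ratio=0.8):
    """Return (scope, protocol, source, dropped) tuples worth investigating."""
    protocols, flows = parse_anti_attack(text)
    out = [("protocol", name, None, p["dropped"])
           for name, p in protocols.items() if over_limit(p, ratio)]
    out += [("flow", f["protocol"], f["source"], f["dropped"])
            for f in flows if over_limit(f, ratio)]
    return out

# Constructed sample: one ARP flow pinned at its flow limit with drops.
SAMPLE = """\
                        Anti-attack statistics
Protocol       anti-attack Priority Limit(pps)  Rate(pps) Passed    Dropped
arp            enable      1        1024        53        982113    0
FlowSource              FlowLimit(pps)    FlowRate(pps)   Passed    Dropped
0200-0000-0001          50                3               1290      0
0200-0000-0002          50                50              980823    40211
"""

if __name__ == "__main__":
    for item in findings(SAMPLE):
        print(item)
```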

 

 
