16-Security Command Reference

H3C WX5800X Series Access Controllers Command References (E5457)-5W100
17-Protocol packet rate limit commands

Protocol packet rate limit commands

anti-attack enable

Use anti-attack enable to enable packet rate limit.

Use undo anti-attack enable to disable packet rate limit.

Syntax

anti-attack enable [ slot slot-number ]

undo anti-attack enable [ slot slot-number ]

Default

Packet rate limit is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command enables packet rate limit for all member devices.

Usage guidelines

To implement packet rate limit for a protocol, you must complete the following tasks:

·     Execute the anti-attack enable command to enable packet rate limit.

·     Execute the anti-attack protocol enable command to enable packet rate limit for the protocol.

Examples

# Enable packet rate limit for a slot.

<Sysname> system-view

[Sysname] anti-attack enable slot 1

Related commands

anti-attack protocol enable

anti-attack protocol enable

Use anti-attack protocol enable to enable packet rate limit for protocols.

Use undo anti-attack protocol enable to disable packet rate limit for protocols.

Syntax

anti-attack protocol { all | protocol } enable [ slot slot-number ]

undo anti-attack protocol { all | protocol } enable [ slot slot-number ]

Default

Packet rate limit is disabled for all protocols.

Views

System view

Predefined user roles

network-admin

Parameters

all: Specifies all protocols.

protocol: Specifies a protocol. This argument can be a case-insensitive string of 1 to 31 characters. Supported protocol values are shown in Table 1.

Table 1 Supported protocols

Protocol value     Description
acsei              ACSEI protocol packets
arp                ARP protocol packets
capwap_ctrl        CAPWAP control packets
capwap_ctrl_dis    CAPWAP discovery packets
capwap_data        CAPWAP data packets
dhcp               DHCP protocol packets
dot11_action       802.11 ACK packets
dot11_assoc        802.11 association request packets
dot11_auth         802.11 authentication packets
dot11_ctrl         Other types of 802.11 protocol packets
dot11_deauth       802.11 deauthentication packets
dot11_disassoc     802.11 disassociation request packets
dot11_null         802.11 null data packets
dot11_reassoc      802.11 reassociation request packets
dot1x              802.1X authentication packets
ethernet           Packets that are not identified as packets of specific protocols
http               HTTP protocol packets
https              HTTPS protocol packets
openflow           OpenFlow protocol packets
iactp              IACTP protocol packets
icmp               ICMP protocol packets
icmpv6_nd          ICMPv6 neighbor discovery protocol packets
icmpv6_other       ICMPv6 protocol packets except for neighbor discovery protocol packets
igmp               IGMP protocol packets
ip                 IPv4 protocol packets
ipv6               IPv6 protocol packets
ntp                NTP protocol packets
portal             Portal protocol packets
radius             RADIUS protocol packets
snmp               SNMP protocol packets
tcp                TCP protocol packets
telnet             Telnet protocol packets
udp                UDP protocol packets
lacp               LACP protocol packets
vrrp               VRRP protocol packets

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command enables the feature for all member devices.

Usage guidelines

To implement packet rate limit for a protocol, you must complete the following tasks:

·     Execute the anti-attack enable command to enable packet rate limit.

·     Execute the anti-attack protocol enable command to enable packet rate limit for the protocol.

Examples

# Enable packet rate limit for ARP on a slot.

<Sysname> system-view

[Sysname] anti-attack protocol arp enable slot 1

Related commands

anti-attack enable

anti-attack protocol flow-threshold

Use anti-attack protocol flow-threshold to enable flow-based packet rate limit for a protocol and set the maximum transmission rate per flow.

Use undo anti-attack protocol flow-threshold to disable flow-based packet rate limit for a protocol.

Syntax

anti-attack protocol protocol flow-threshold flow-rate-limit [ slot slot-number ]

undo anti-attack protocol protocol flow-threshold [ slot slot-number ]

Default

Flow-based packet rate limit is disabled for all protocols.

Views

System view

Predefined user roles

network-admin

Parameters

protocol: Specifies a protocol. This argument can be a case-insensitive string of 1 to 31 characters. For information about supported protocol values, see Table 1.

flow-rate-limit: Specifies the maximum transmission rate per flow for the protocol in packets per second. The value range is 0 to 102400.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command enables flow-based packet rate limit and sets the threshold for all member devices.

Usage guidelines

The device identifies flows of a protocol by source IP or MAC address. Protocol packets that are sourced from the same IP address or MAC address belong to the same flow.

You can configure both protocol-based and flow-based protocol packet rate limit for the same protocol. The device first performs flow-based protocol packet rate limit and then performs protocol-based packet rate limit. Excessive protocol packets are dropped.

Examples

# Enable flow-based packet rate limit for ARP and set the maximum transmission rate per flow to 50 packets per second on a slot.

<Sysname> system-view

[Sysname] anti-attack protocol arp flow-threshold 50 slot 1
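
The ordering described in the usage guidelines (flow-based limit first, then protocol-based limit) can be modelled offline to see why the per-flow threshold matters when one source floods a protocol. This is an added example, not H3C code: the one-second counting window, the function names and the traffic are assumptions made for illustration, and only the 50 pps and 1000 pps values come from the examples on this page.

```python
from collections import defaultdict

def two_stage_limit(packets, flow_limit, proto_limit):
    """Apply a per-source limit, then a per-protocol limit, per one-second window.

    packets: iterable of (second, source) for ONE protocol, in arrival order.
    Returns (passed, flow_dropped, proto_dropped), each a dict keyed by source.
    """
    flow_seen = defaultdict(int)    # (second, source) -> packets admitted by stage 1
    proto_seen = defaultdict(int)   # second -> packets admitted by stage 2
    passed, flow_dropped, proto_dropped = (defaultdict(int) for _ in range(3))
    for second, source in packets:
        if flow_seen[(second, source)] >= flow_limit:      # stage 1: flow-based
            flow_dropped[source] += 1
            continue
        flow_seen[(second, source)] += 1
        if proto_seen[second] >= proto_limit:              # stage 2: protocol-based
            proto_dropped[source] += 1
            continue
        proto_seen[second] += 1
        passed[source] += 1
    return dict(passed), dict(flow_dropped), dict(proto_dropped)

def constructed_traffic():
    """One second of constructed ARP load: one source at 5000 pps, 30 hosts at 10 pps."""
    packets = []
    for _ in range(10):
        packets += [(0, "noisy-host")] * 500
        packets += [(0, f"host-{n:02d}") for n in range(30)]
    return packets

def quiet_total(counter):
    """Sum a per-source counter over every source except the noisy one."""
    return sum(v for k, v in counter.items() if k != "noisy-host")

if __name__ == "__main__":
    traffic = constructed_traffic()
    for label, flow_limit in (("protocol limit only", float("inf")), ("flow + protocol", 50)):
        passed, _, _ = two_stage_limit(traffic, flow_limit, 1000)
        print(label, "noisy:", passed.get("noisy-host", 0), "quiet:", quiet_total(passed))
```

With only the protocol threshold, the flooding source consumes almost the whole 1000 pps budget and the other hosts are starved; with the flow threshold in front of it, the flood is cut to 50 pps before it reaches the shared budget.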

anti-attack protocol threshold

Use anti-attack protocol threshold to set the maximum transmission rate for a protocol.

Use undo anti-attack protocol threshold to restore the default for a protocol.

Syntax

anti-attack protocol protocol threshold rate-limit [ slot slot-number ]

undo anti-attack protocol protocol threshold [ slot slot-number ]

Default

The default settings vary by device model. To display the default setting for a protocol, execute the undo anti-attack protocol threshold and display anti-attack protocol commands in turn.

Views

System view

Predefined user roles

network-admin

Parameters

protocol: Specifies a protocol. This argument can be a case-insensitive string of 1 to 31 characters. For information about supported protocol values, see Table 1.

rate-limit: Specifies the maximum transmission rate for the protocol in packets per second. The value range is 0 to 102400.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, the setting applies to all member devices.

Usage guidelines

Excessive packets are dropped.

Examples

# Set the maximum transmission rate to 1000 packets per second for ARP on a slot.

<Sysname> system-view

[Sysname] anti-attack protocol arp threshold 1000 slot 1

Related commands

display anti-attack protocol

display anti-attack protocol

Use display anti-attack protocol to display packet rate limit information about protocols.

Syntax

display anti-attack protocol [ protocol ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

protocol: Specifies a protocol. This argument can be a case-insensitive string of 1 to 31 characters. If you do not specify a protocol, the command displays information about all protocols. For information about supported protocol values, see Table 1.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, the command displays packet rate limit information for all member devices.

Examples

# Display packet rate limit information about all protocols on a slot. Only protocol-based protocol packet rate limit is enabled in this example.

<Sysname> display anti-attack protocol slot 1
Slot 1:
                        Anti-attack statistics
Protocol       anti-attack Limit(pps)  Rate(pps) Passed    Dropped
dot1x          disable     1024        0         0         0
dhcp           disable     2000        0         0         0
igmp           disable     1024        0         0         0
ntp            disable     512         0         0         0
arp            disable     20000       0         0         0
snmp           disable     1024        0         0         0
telnet         disable     1024        0         0         0
icmp           disable     1024        0         0         0
icmpv6_nd      disable     1024        0         0         0
icmpv6_other   disable     1024        0         0         0
iactp          disable     2560        0         0         0
acsei          disable     512         0         0         0
http           disable     1024        0         0         0
https          disable     1024        0         0         0
openflow       disable     1024        0         0         0
portal         disable     1024        0         0         0
udp            disable     2048        0         0         0
tcp            disable     1024        0         0         0
ip             disable     2560        0         0         0
ipv6           disable     512         0         0         0
ethernet       disable     512         0         0         0
radius         disable     2048        0         0         0
vrrp           disable     2048        0         0         0
capwap_ctrl    disable     5120        0         0         0
capwap_ctrl_disdisable     2048        0         0         0
capwap_data    disable     51200       0         0         0
dot11_auth     disable     512         0         0         0
dot11_assoc    disable     512         0         0         0
dot11_reassoc  disable     512         0         0         0
dot11_null     disable     1024        0         0         0
dot11_disassoc disable     512         0         0         0
dot11_deauth   disable     512         0         0         0
dot11_action   disable     512         0         0         0
dot11_ctrl     disable     512         0         0         0
lacp           disable     512         0         0         0

Table 2 Command output

Field          Description
Anti-attack    Status of protocol-based packet rate limit for the protocol:
               ·     Enabled: The feature is enabled.
               ·     Disabled: The feature is disabled.
Limit(pps)     Maximum packet transmission rate of the protocol, in packets per second.
Rate(pps)      Current packet transmission rate of the protocol, in packets per second.
Passed         Number of protocol packets sent to the CPU.
Dropped        Number of dropped protocol packets.

# Display packet rate limit information about ARP on a slot. Both protocol-based protocol packet rate limit and flow-based protocol packet rate limit are enabled in this example.

<Sysname> display anti-attack protocol arp slot 1
Slot 1:
                        Anti-attack statistics
Protocol       anti-attack Limit(pps)  Rate(pps) Passed    Dropped
arp            enable      1024        0         17907     0
FlowSource              FlowLimit(pps)    FlowRate(pps)   Passed    Dropped
00e0-fc12-7723          1000              0               2         0
0011-e212-8801          1000              0               17905     0

Table 3 Command output

Field             Description
FlowSource        Source IP or MAC address of the flow.
FlowLimit(pps)    Maximum transmission rate for the flow, in packets per second.
FlowRate(pps)     Current transmission rate of the flow, in packets per second.
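
For monitoring, the output of display anti-attack protocol can be parsed to list protocols that have no rate limit enabled and protocols or flow sources that are dropping packets. The following is an added example, not H3C tooling: the function names and finding labels are hypothetical, and the sample text is constructed in the layout shown above, including the row where a 15-character protocol name runs into the status column.

```python
import re

# Protocol row: name, state, Limit, Rate, Passed, Dropped. Name and state can be
# fused with no space when the name fills its column (capwap_ctrl_dis + disable).
ROW = re.compile(r"^(\S+?)\s*(enable|disable)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")
# Flow row: FlowSource (IP or MAC), FlowLimit, FlowRate, Passed, Dropped.
FLOW = re.compile(r"^([0-9A-Fa-f.:-]+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")

# Constructed sample in the layout of the command output; the counters are made up.
SAMPLE = """\
Slot 1:
Protocol       anti-attack Limit(pps)  Rate(pps) Passed    Dropped
arp            enable      1024        1024      17907     120
dhcp           disable     2000        0         0         0
capwap_ctrl_disdisable     2048        0         0         0
FlowSource              FlowLimit(pps)    FlowRate(pps)   Passed    Dropped
0000-5e00-5301          1000              0               2         0
0000-5e00-5302          1000              1000            17905     350
"""

def parse(text):
    """Return (protocol_rows, flow_rows) as lists of dicts."""
    protocols, flows = [], []
    for line in map(str.strip, text.splitlines()):
        m = ROW.match(line)
        if m:
            limit, rate, passed, dropped = map(int, m.groups()[2:])
            protocols.append({"protocol": m.group(1), "enabled": m.group(2) == "enable",
                              "limit": limit, "rate": rate, "passed": passed, "dropped": dropped})
        elif (m := FLOW.match(line)):
            limit, rate, passed, dropped = map(int, m.groups()[1:])
            flows.append({"source": m.group(1), "limit": limit, "rate": rate,
                          "passed": passed, "dropped": dropped})
    return protocols, flows

def audit(text):
    """List (finding, subject) pairs worth an operator's attention."""
    protocols, flows = parse(text)
    findings = [("protocol-drops" if p["enabled"] else "not-limited", p["protocol"])
                for p in protocols if p["dropped"] or not p["enabled"]]
    findings += [("flow-drops", f["source"]) for f in flows if f["dropped"]]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```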

 
