16-Security Command Reference
17-Protocol packet rate limit commands
Contents
Protocol packet rate limit commands
anti-attack enable
anti-attack protocol enable
anti-attack protocol flow-threshold
anti-attack protocol threshold
display anti-attack protocol
Protocol packet rate limit commands
anti-attack enable
Use anti-attack enable to enable packet rate limit.
Use undo anti-attack enable to disable packet rate limit.
Syntax
anti-attack enable [ slot slot-number ]
undo anti-attack enable [ slot slot-number ]
Default
Packet rate limit is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command enables packet rate limit for all member devices.
Usage guidelines
To implement packet rate limit for a protocol, you must complete the following tasks:
· Execute the anti-attack enable command to enable packet rate limit.
· Execute the anti-attack protocol enable command to enable packet rate limit for the protocol.
Examples
# Enable packet rate limit for a slot.
<Sysname> system-view
[Sysname] anti-attack enable slot 1
Related commands
anti-attack protocol enable
anti-attack protocol enable
Use anti-attack protocol enable to enable packet rate limit for protocols.
Use undo anti-attack protocol enable to disable packet rate limit for protocols.
Syntax
anti-attack protocol { all | protocol } enable [ slot slot-number ]
undo anti-attack protocol { all | protocol } enable [ slot slot-number ]
Default
Packet rate limit is disabled for all protocols.
Views
System view
Predefined user roles
network-admin
Parameters
all: Specifies all protocols.
protocol: Specifies a protocol. This argument can be a case-insensitive string of 1 to 31 characters. Supported protocol values are shown in Table 1.
Table 1 Supported protocol values

Protocol value | Description
---|---
acsei | ACSEI protocol packets
arp | ARP protocol packets
capwap_ctrl | CAPWAP control packets
capwap_ctrl_dis | CAPWAP discovery packets
capwap_data | CAPWAP data packets
dhcp | DHCP protocol packets
dot11_action | 802.11 action packets
dot11_assoc | 802.11 association request packets
dot11_auth | 802.11 authentication packets
dot11_ctrl | Other types of 802.11 protocol packets
dot11_deauth | 802.11 deauthentication packets
dot11_disassoc | 802.11 disassociation packets
dot11_null | 802.11 null data packets
dot11_reassoc | 802.11 reassociation request packets
dot1x | 802.1X authentication packets
ethernet | Packets that are not identified as packets of specific protocols
http | HTTP protocol packets
https | HTTPS protocol packets
openflow | OpenFlow protocol packets
iactp | IACTP protocol packets
icmp | ICMP protocol packets
icmpv6_nd | ICMPv6 neighbor discovery protocol packets
icmpv6_other | ICMPv6 protocol packets except for neighbor discovery protocol packets
igmp | IGMP protocol packets
ip | IPv4 protocol packets
ipv6 | IPv6 protocol packets
ntp | NTP protocol packets
portal | Portal protocol packets
radius | RADIUS protocol packets
snmp | SNMP protocol packets
tcp | TCP protocol packets
telnet | Telnet protocol packets
udp | UDP protocol packets
lacp | LACP protocol packets
vrrp | VRRP protocol packets
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command enables the feature for all member devices.
Usage guidelines
To implement packet rate limit for a protocol, you must complete the following tasks:
· Execute the anti-attack enable command to enable packet rate limit.
· Execute the anti-attack protocol enable command to enable packet rate limit for the protocol.
Examples
# Enable packet rate limit for ARP on a slot.
<Sysname> system-view
[Sysname] anti-attack protocol arp enable slot 1
Related commands
anti-attack enable
anti-attack protocol flow-threshold
Use anti-attack protocol flow-threshold to enable flow-based packet rate limit for a protocol and set the maximum transmission rate per flow.
Use undo anti-attack protocol flow-threshold to disable flow-based packet rate limit for a protocol.
Syntax
anti-attack protocol protocol flow-threshold flow-rate-limit [ slot slot-number ]
undo anti-attack protocol protocol flow-threshold [ slot slot-number ]
Default
Flow-based packet rate limit is disabled for all protocols.
Views
System view
Predefined user roles
network-admin
Parameters
protocol: Specifies a protocol. This argument can be a case-insensitive string of 1 to 31 characters. For information about supported protocol values, see Table 1.
flow-rate-limit: Specifies the maximum transmission rate per flow for the protocol in packets per second. The value range is 0 to 102400.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command enables flow-based packet rate limit and sets the threshold for all member devices.
Usage guidelines
The device identifies flows of a protocol by source IP or MAC address. Protocol packets that are sourced from the same IP address or MAC address belong to the same flow.
You can configure both protocol-based and flow-based protocol packet rate limit for the same protocol. The device first performs flow-based protocol packet rate limit and then performs protocol-based packet rate limit. Excessive protocol packets are dropped.
Examples
# Enable flow-based packet rate limit for ARP and set the maximum transmission rate per flow to 50 packets per second on a slot.
<Sysname> system-view
[Sysname] anti-attack protocol arp flow-threshold 50 slot 1
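The ordering rule in the usage guidelines (flow-based limit first, then protocol-based limit, excess dropped) is easy to misread. The following Python model is an added illustration, not part of H3C's documentation or of Comware; it applies the two stages to constructed per-second offered loads using the ARP values from this page (50 pps per flow, 1000 pps for the protocol). It assumes each limit is a plain per-second packet budget; the metering algorithm the device actually uses is not described on this page, so the numbers show the effect of the ordering, not exact device behaviour.

```python
"""Two-stage protocol packet rate limit model (added illustration, not Comware code).

Assumption: each limit is a plain per-second packet budget. How the device
meters (token bucket, sliding window) is not stated on the page, so the counts
here show the ordering of the stages, not exact device behaviour.
"""


def apply_rate_limits(offered, flow_limit=None, proto_limit=None):
    """Apply flow-based limiting, then protocol-based limiting.

    offered     -- {source address: packets offered in one second}
                   (flows are keyed by source IP or MAC, per the usage guidelines)
    flow_limit  -- the 'anti-attack protocol <p> flow-threshold' value, None if unset
    proto_limit -- the 'anti-attack protocol <p> threshold' value, None if unset
    Returns the per-flow survivors of stage 1 and the drop count of each stage.
    """
    after_flow = {}
    flow_dropped = 0
    for src, pps in offered.items():
        allowed = pps if flow_limit is None else min(pps, flow_limit)
        after_flow[src] = allowed
        flow_dropped += pps - allowed
    total = sum(after_flow.values())
    passed = total if proto_limit is None else min(total, proto_limit)
    return {
        "after_flow": after_flow,
        "flow_dropped": flow_dropped,
        "passed": passed,
        "proto_dropped": total - passed,
    }


def single_chatty_host():
    """One source floods ARP at 400 pps while a second host is quiet (constructed load)."""
    offered = {"0011-e212-8801": 400, "00e0-fc12-7723": 20}
    return apply_rate_limits(offered, flow_limit=50, proto_limit=1000)


def distributed_flood(sources=30, pps_each=40):
    """Many sources that each stay under the 50 pps flow limit (constructed load)."""
    offered = {f"00e0-fc00-{i:04x}": pps_each for i in range(sources)}
    return apply_rate_limits(offered, flow_limit=50, proto_limit=1000)


def flow_limit_only():
    """Flow-based limit configured, no protocol threshold (constructed load)."""
    return apply_rate_limits({"0011-e212-8801": 400}, flow_limit=50)


if __name__ == "__main__":
    for name, fn in [("single chatty host", single_chatty_host),
                     ("distributed flood", distributed_flood),
                     ("flow limit only", flow_limit_only)]:
        r = fn()
        print(f"{name}: passed={r['passed']} flow_dropped={r['flow_dropped']} "
              f"proto_dropped={r['proto_dropped']}")
```

The distributed case is the one to keep in mind when choosing values: the per-flow limit stops a single noisy source without starving everyone else, but only the protocol-wide threshold protects the CPU from many sources that individually stay under the flow limit, and when that threshold is hit the drops fall on legitimate senders too. Set the protocol threshold with some headroom above the steady-state Rate(pps) you observe with display anti-attack protocol.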
anti-attack protocol threshold
Use anti-attack protocol threshold to set the maximum transmission rate for a protocol.
Use undo anti-attack protocol threshold to restore the default for a protocol.
Syntax
anti-attack protocol protocol threshold rate-limit [ slot slot-number ]
undo anti-attack protocol protocol threshold [ slot slot-number ]
Default
The default settings vary by device model. To display the default setting for a protocol, execute the undo anti-attack protocol threshold and display anti-attack protocol commands in turn.
Views
System view
Predefined user roles
network-admin
Parameters
protocol: Specifies a protocol. This argument can be a case-insensitive string of 1 to 31 characters. For information about supported protocol values, see Table 1.
rate-limit: Specifies the maximum transmission rate for the protocol in packets per second. The value range is 0 to 102400.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, the setting applies to all member devices.
Usage guidelines
Packets of the protocol that exceed the threshold are dropped.
Examples
# Set the maximum transmission rate to 1000 packets per second for ARP on a slot.
<Sysname> system-view
[Sysname] anti-attack protocol arp threshold 1000 slot 1
Related commands
display anti-attack protocol
display anti-attack protocol
Use display anti-attack protocol to display packet rate limit information about protocols.
Syntax
display anti-attack protocol [ protocol ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
protocol: Specifies a protocol. This argument can be a case-insensitive string of 1 to 31 characters. If you do not specify a protocol, the command displays information about all protocols. For information about supported protocol values, see Table 1.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, the command displays packet rate limit information for all member devices.
Examples
# Display packet rate limit information about all protocols on a slot. Flow-based packet rate limit is not configured in this example, so only per-protocol statistics are displayed.
<Sysname> display anti-attack protocol slot 1
Slot 1:
Anti-attack statistics
Protocol         anti-attack  Limit(pps)  Rate(pps)  Passed  Dropped
dot1x            disable      1024        0          0       0
dhcp             disable      2000        0          0       0
igmp             disable      1024        0          0       0
ntp              disable      512         0          0       0
arp              disable      20000       0          0       0
snmp             disable      1024        0          0       0
telnet           disable      1024        0          0       0
icmp             disable      1024        0          0       0
icmpv6_nd        disable      1024        0          0       0
icmpv6_other     disable      1024        0          0       0
iactp            disable      2560        0          0       0
acsei            disable      512         0          0       0
http             disable      1024        0          0       0
https            disable      1024        0          0       0
openflow         disable      1024        0          0       0
portal           disable      1024        0          0       0
udp              disable      2048        0          0       0
tcp              disable      1024        0          0       0
ip               disable      2560        0          0       0
ipv6             disable      512         0          0       0
ethernet         disable      512         0          0       0
radius           disable      2048        0          0       0
vrrp             disable      2048        0          0       0
capwap_ctrl      disable      5120        0          0       0
capwap_ctrl_dis  disable      2048        0          0       0
capwap_data      disable      51200       0          0       0
dot11_auth       disable      512         0          0       0
dot11_assoc      disable      512         0          0       0
dot11_reassoc    disable      512         0          0       0
dot11_null       disable      1024        0          0       0
dot11_disassoc   disable      512         0          0       0
dot11_deauth     disable      512         0          0       0
dot11_action     disable      512         0          0       0
dot11_ctrl       disable      512         0          0       0
lacp             disable      512         0          0       0
Table 2 Command output

Field | Description
---|---
anti-attack | Status of protocol-based packet rate limit for the protocol: enable (the feature is enabled) or disable (the feature is disabled).
Limit(pps) | Maximum packet transmission rate of the protocol, in packets per second.
Rate(pps) | Current packet transmission rate of the protocol, in packets per second.
Passed | Number of protocol packets sent to the CPU.
Dropped | Number of dropped protocol packets.
# Display packet rate limit information about ARP on a slot. Both protocol-based and flow-based packet rate limit are enabled in this example.
<Sysname> display anti-attack protocol arp slot 1
Slot 1:
Anti-attack statistics
Protocol         anti-attack  Limit(pps)  Rate(pps)  Passed  Dropped
arp              enable       1024        0          17907   0
FlowSource       FlowLimit(pps)  FlowRate(pps)  Passed  Dropped
00e0-fc12-7723   1000            0              2       0
0011-e212-8801   1000            0              17905   0
Table 3 Command output

Field | Description
---|---
FlowSource | Source IP or MAC address of the flow.
FlowLimit(pps) | Maximum transmission rate for the flow, in packets per second.
FlowRate(pps) | Current transmission rate of the flow, in packets per second.
Passed | Number of packets of the flow sent to the CPU.
Dropped | Number of dropped packets of the flow.
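The two display examples above are the raw material for monitoring. The following Python parser is an added illustration, not part of H3C's documentation or of Comware: it reads display anti-attack protocol output in the layout shown above, including the flow rows that follow a protocol row when flow-based limiting is enabled, and flags protocols with drops, protocols running near their Limit(pps), and a single flow source that accounts for nearly all passed packets of a protocol (as 0011-e212-8801 does for ARP in the second example). The sample output embedded in the block is constructed from the examples on this page with an extra dhcp row added to exercise the drop check; the 0.8 and 0.9 thresholds are assumptions of this example, not device settings.

```python
"""Parser and checks for `display anti-attack protocol` output.

Added illustration, not H3C code. SAMPLE_OUTPUT is constructed from the
examples on the page (plus a dhcp row with drops) so the block runs offline.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class FlowStat:
    source: str      # FlowSource: source IP or MAC address
    limit: int       # FlowLimit(pps)
    rate: int        # FlowRate(pps)
    passed: int
    dropped: int


@dataclass
class ProtoStat:
    slot: int
    protocol: str
    enabled: bool    # anti-attack column: enable / disable
    limit: int       # Limit(pps)
    rate: int        # Rate(pps)
    passed: int      # packets sent to the CPU
    dropped: int
    flows: List[FlowStat] = field(default_factory=list)


# Constructed sample: page examples plus a dhcp row showing drops near its limit.
SAMPLE_OUTPUT = """\
Slot 1:
Anti-attack statistics
Protocol anti-attack Limit(pps) Rate(pps) Passed Dropped
arp enable 1024 0 17907 0
FlowSource FlowLimit(pps) FlowRate(pps) Passed Dropped
00e0-fc12-7723 1000 0 2 0
0011-e212-8801 1000 0 17905 0
dhcp enable 2000 1850 40211 318
ntp disable 512 0 0 0
"""


def parse_anti_attack(text: str) -> List[ProtoStat]:
    """Parse the display output into ProtoStat records with nested FlowStats."""
    stats: List[ProtoStat] = []
    slot: Optional[int] = None
    current: Optional[ProtoStat] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Anti-attack statistics":
            continue
        m = re.fullmatch(r"Slot (\d+):", line)
        if m:
            slot, current = int(m.group(1)), None
            continue
        if line.startswith(("Protocol ", "FlowSource ")):
            continue  # column header rows
        parts = line.split()
        if len(parts) == 6 and parts[1] in ("enable", "disable") and slot is not None:
            # protocol row: name, enable/disable, limit, rate, passed, dropped
            current = ProtoStat(slot, parts[0], parts[1] == "enable", *map(int, parts[2:]))
            stats.append(current)
        elif len(parts) == 5 and current is not None:
            # flow row belonging to the preceding protocol row
            current.flows.append(FlowStat(parts[0], *map(int, parts[1:])))
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return stats


def find_problems(stats: List[ProtoStat], near_limit: float = 0.8,
                  top_talker_share: float = 0.9) -> List[Tuple[int, str, str, str]]:
    """Return (slot, protocol, kind, detail) findings worth an operator's look."""
    findings = []
    for s in stats:
        if s.dropped > 0:
            findings.append((s.slot, s.protocol, "protocol-drops", str(s.dropped)))
        if s.enabled and s.limit > 0 and s.rate >= near_limit * s.limit:
            findings.append((s.slot, s.protocol, "near-limit", f"{s.rate}/{s.limit} pps"))
        total = sum(f.passed for f in s.flows)
        for f in s.flows:
            if f.dropped > 0:
                findings.append((s.slot, s.protocol, "flow-drops", f.source))
            if total and f.passed / total >= top_talker_share:
                findings.append((s.slot, s.protocol, "top-talker", f.source))
    return findings


if __name__ == "__main__":
    for finding in find_problems(parse_anti_attack(SAMPLE_OUTPUT)):
        print(*finding)
```

Passed and Dropped are counts, not rates over an interval, so for alerting it is better to take two snapshots a known interval apart and act on the difference; a top talker in a single snapshot may simply be a long-lived legitimate host such as a gateway.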