Protocol packet rate limit commands
anti-attack enable
Use anti-attack enable to enable packet rate limit.
Use undo anti-attack enable to disable packet rate limit.
Syntax
anti-attack enable
undo anti-attack enable
Default
Packet rate limit is disabled.
Views
System view
Predefined user roles
Usage guidelines
To implement packet rate limit for a protocol, you must complete the following tasks:
· Execute the anti-attack enable command to enable packet rate limit.
· Execute the anti-attack protocol enable command to enable packet rate limit for the protocol.
Examples
# Enable packet rate limit.
<Sysname> system-view
[Sysname] anti-attack enable
Slot 1:
Anti-attack enable globally
Related commands
anti-attack protocol enable
anti-attack protocol enable
Use anti-attack protocol enable to enable packet rate limit for protocols.
Use undo anti-attack protocol enable to disable packet rate limit for protocols.
Syntax
anti-attack protocol { all | protocol } enable
undo anti-attack protocol { all | protocol } enable
Default
Packet rate limit is disabled for all protocols.
Views
System view
Predefined user roles
network-admin
Parameters
all: Specifies all protocols.
protocol: Specifies a protocol.
Usage guidelines
To implement packet rate limit for a protocol, you must complete the following tasks:
· Execute the anti-attack enable command to enable packet rate limit.
· Execute the anti-attack protocol enable command to enable packet rate limit for the protocol.
Examples
# Enable packet rate limit for ARP.
<Sysname> system-view
[Sysname] anti-attack protocol arp enable
Slot 1:
arp protocol enable
Related commands
anti-attack enable
anti-attack protocol flow-threshold
Use anti-attack protocol flow-threshold to enable flow-based packet rate limit for a protocol and set the maximum transmission rate per flow.
Use undo anti-attack protocol flow-threshold to disable flow-based packet rate limit for a protocol.
Syntax
anti-attack protocol protocol flow-threshold flow-rate-limit
undo anti-attack protocol protocol flow-threshold
Default
Flow-based packet rate limit is disabled for all protocols.
Views
System view
Predefined user roles
network-admin
Parameters
protocol: Specifies a protocol.
flow-rate-limit: Specifies the maximum transmission rate per flow for the protocol in packets per second. The value range is 0 to 102400.
Usage guidelines
The device identifies flows of a protocol by source IP or MAC address. Protocol packets that are sourced from the same IP address or MAC address belong to the same flow.
You can configure both protocol-based and flow-based protocol packet rate limit for the same protocol. The device first performs flow-based protocol packet rate limit and then performs protocol-based packet rate limit. Excessive protocol packets are dropped.
Examples
# Enable flow-based packet rate limit for ARP and set the maximum transmission rate per flow to 50 packets per second.
<Sysname> system-view
[Sysname] anti-attack protocol arp flow-threshold 50
Slot 1:
arp protocol flow-Threshold is 50
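The order of operations described in the usage guidelines above (flow-based limit first, then protocol-based limit), modelled as an added example that is not vendor code. It assumes fixed one-second counters, because the page does not document the device's actual algorithm; the MAC addresses and traffic mix are constructed, and the limits 50 and 1000 are taken from the ARP examples on this page.

```python
from collections import Counter

NOISY = "0000-5e00-53ff"  # constructed MAC for the flooding source

def limit_one_second(packets, proto_limit, flow_limit=None):
    """Apply the flow-based limit, then the protocol-based limit, to one second
    of packets for one protocol. Assumed model: fixed one-second counters.

    packets: one flow source (IP or MAC string) per packet, in arrival order.
    Returns Counters keyed by source: (passed, flow_dropped, proto_dropped).
    """
    seen, passed = Counter(), Counter()
    flow_dropped, proto_dropped = Counter(), Counter()
    total_passed = 0
    for src in packets:
        seen[src] += 1
        if flow_limit is not None and seen[src] > flow_limit:
            flow_dropped[src] += 1        # stage 1: this source exceeded its flow budget
        elif total_passed >= proto_limit:
            proto_dropped[src] += 1       # stage 2: protocol budget already used up
        else:
            passed[src] += 1
            total_passed += 1
    return passed, flow_dropped, proto_dropped

def constructed_traffic():
    """Constructed sample: NOISY sends 5000 ARP packets in one second while
    30 hosts send 10 each, one host packet after every 16th NOISY packet."""
    hosts = iter([f"0000-5e00-53{h:02x}" for _ in range(10) for h in range(1, 31)])
    traffic = []
    for i in range(5000):
        traffic.append(NOISY)
        if i % 16 == 0:
            host = next(hosts, None)
            if host is not None:
                traffic.append(host)
    return traffic

def host_packets(counter):
    """Total packets in a Counter that did not come from NOISY."""
    return sum(n for src, n in counter.items() if src != NOISY)

if __name__ == "__main__":
    for flow_limit in (None, 50):   # threshold 1000 alone, then with flow-threshold 50
        passed, fdrop, pdrop = limit_one_second(constructed_traffic(), 1000, flow_limit)
        print(f"flow_limit={flow_limit}: noisy passed={passed[NOISY]}, "
              f"hosts passed={host_packets(passed)}, hosts dropped={host_packets(pdrop)}")
```

With only the protocol threshold, the single flooding source uses most of the 1000 pps budget and most host packets are dropped; with the flow threshold in front of it, the flood is clipped at 50 pps and every host packet reaches the CPU.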
anti-attack protocol threshold
Use anti-attack protocol threshold to set the maximum transmission rate for a protocol.
Use undo anti-attack protocol threshold to restore the default for a protocol.
Syntax
anti-attack protocol protocol threshold rate-limit
undo anti-attack protocol protocol threshold
Default
The default settings vary by device model. To display the default setting for a protocol, execute the undo anti-attack protocol threshold and display anti-attack protocol commands in turn.
Views
System view
Predefined user roles
network-admin
Parameters
protocol: Specifies a protocol.
rate-limit: Specifies the maximum transmission rate for the protocol in packets per second. The value range is 0 to 102400.
Usage guidelines
Excessive packets are dropped.
Examples
# Set the maximum transmission rate to 1000 packets per second for ARP.
<Sysname> system-view
[Sysname] anti-attack protocol arp threshold 1000
Slot 1:
arp protocol Threshold is 1000
Related commands
display anti-attack protocol
display anti-attack protocol
Use display anti-attack protocol to display packet rate limit information about protocols.
Syntax
display anti-attack protocol [ protocol ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
protocol: Specifies a protocol. If you do not specify a protocol, the command displays information about all protocols.
Examples
# Display packet rate limit information about all protocols. Only protocol-based protocol packet rate limit is enabled in this example.
<Sysname> display anti-attack protocol
Anti-attack statistics
Protocol anti-attack Priority Limit(pps) Rate(pps) Passed Dropped
dot1x disable 1 1024 0 0 0
dhcp disable 2 2000 0 0 0
dhcpv6 disable 2 2000 0 0 0
igmp disable 2 1024 0 0 0
ntp disable 2 256 0 0 0
arp disable 1 1024 0 0 0
snmp disable 0 1024 0 0 0
telnet disable 0 1024 0 0 0
icmp disable 0 1024 0 0 0
icmpv6_nd disable 0 1024 0 0 0
icmpv6_other disable 0 1024 0 0 0
iadtp disable 1 2560 0 0 0
acsei disable 2 128 0 0 0
http disable 1 1024 0 0 0
https disable 1 1024 0 0 0
openflow disable 1 1024 0 0 0
portal disable 1 1024 0 0 0
udp disable 2 2048 0 0 0
tcp disable 2 1024 0 0 0
ip disable 2 2560 0 0 0
ipv6 disable 2 128 0 0 0
ethernet disable 2 128 0 0 0
radius disable 1 2048 0 0 0
vrrp disable 1 2048 0 0 0
capwap_ctrl disable 1 2048 0 0 0
capwap_ctrl_dis disable 1 2048 0 0 0
capwap_data disable 1 2048 0 0 0
dot11_auth disable 1 256 0 0 0
dot11_assoc disable 1 256 0 0 0
dot11_reassoc disable 1 256 0 0 0
dot11_null disable 1 1024 0 0 0
dot11_disassoc disable 1 256 0 0 0
dot11_deauth disable 1 256 0 0 0
dot11_action disable 1 256 0 0 0
dot11_ctrl disable 1 512 0 0 0
lacp disable 1 256 0 0 0
Table 1 Command output
Field | Description |
---|---|
Anti-attack | Status of protocol-based packet rate limit for the protocol: · Enabled—The feature is enabled. · Disabled—The feature is disabled. |
Priority | This field is not supported in the current software version. Packet processing priority of the protocol. A smaller value represents a higher priority. |
Limit(pps) | Maximum packet transmission rate of the protocol, in packets per second. |
Rate(pps) | Current packet transmission rate of the protocol, in packets per second. |
Passed | Number of protocol packets sent to the CPU. |
Dropped | Number of dropped protocol packets. |
# Display packet rate limit information about ARP. Both protocol-based protocol packet rate limit and flow-based protocol packet rate limit are enabled in this example.
<Sysname> display anti-attack protocol arp
Anti-attack statistics
Protocol anti-attack Priority Limit(pps) Rate(pps) Passed Dropped
arp enable 1 1024 0 17907 0
FlowSource FlowLimit(pps) FlowRate(pps) Passed Dropped
00e0-fc12-7723 1000 0 2 0
0011-e212-8801 1000 0 17905 0
Table 2 Command output
Field | Description |
---|---|
FlowSource | Source IP or MAC address of the flow. |
FlowLimit(pps) | Maximum transmission rate for the flow, in packets per second. |
FlowRate(pps) | Current transmission rate of the flow, in packets per second. |
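One way to turn the display anti-attack protocol output above into an audit check, as an added example that is not part of the vendor documentation. SAMPLE is the ARP output copied from this page; the 0.9 top-talker share and the assumption that flow rows follow the protocol row they belong to are choices made for this example.

```python
SAMPLE = """\
Anti-attack statistics
Protocol anti-attack Priority Limit(pps) Rate(pps) Passed Dropped
arp enable 1 1024 0 17907 0
FlowSource FlowLimit(pps) FlowRate(pps) Passed Dropped
00e0-fc12-7723 1000 0 2 0
0011-e212-8801 1000 0 17905 0
"""  # ARP example output from this page

def parse_anti_attack(text):
    """Return (protocols, flows) parsed from 'display anti-attack protocol' output."""
    protocols, flows, current = {}, [], None
    for line in text.splitlines():
        f = line.split()
        # Protocol row: name, enable|disable, then five numeric columns.
        if len(f) == 7 and f[1] in ("enable", "disable") and all(x.isdigit() for x in f[2:]):
            current = f[0]
            _prio, limit, rate, passed, dropped = map(int, f[2:])
            protocols[current] = {"enabled": f[1] == "enable", "limit": limit,
                                  "rate": rate, "passed": passed, "dropped": dropped}
        # Flow row: source, then four numeric columns; belongs to the last protocol row.
        elif len(f) == 5 and current and all(x.isdigit() for x in f[1:]):
            limit, rate, passed, dropped = map(int, f[1:])
            flows.append({"protocol": current, "source": f[0], "limit": limit,
                          "rate": rate, "passed": passed, "dropped": dropped})
    return protocols, flows

def audit(protocols, flows, share=0.9):
    """List conditions worth review; 'share' is an assumed top-talker threshold."""
    notes = []
    for name, p in protocols.items():
        if not p["enabled"]:
            notes.append(f"{name}: protocol-based rate limit is disabled")
        if p["dropped"]:
            notes.append(f"{name}: {p['dropped']} dropped (limit {p['limit']} pps)")
    for fl in flows:
        total = protocols[fl["protocol"]]["passed"]
        if fl["dropped"]:
            notes.append(f"{fl['protocol']}: flow {fl['source']} had {fl['dropped']} dropped")
        if total and fl["passed"] / total >= share:
            notes.append(f"{fl['protocol']}: flow {fl['source']} accounts for "
                         f"{fl['passed']} of {total} packets passed to the CPU")
    return notes

if __name__ == "__main__":
    for note in audit(*parse_anti_attack(SAMPLE)):
        print(note)
```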