auto-defend attack-packet sample

Function
The auto-defend attack-packet sample command sets the packet sampling ratio for attack source tracing.
The undo auto-defend attack-packet sample command restores the default packet sampling ratio.
By default, the packet sampling ratio is 8. That is, one packet is sampled in every 8 packets.

Format
auto-defend attack-packet sample sample-value
undo auto-defend attack-packet sample

Parameters
Views
Attack defense policy view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
Attack source tracing samples packets to identify attacks. Errors may occur in attack packet identification or packet rate calculation, and a proper packet sampling ratio reduces these errors. A small sampling ratio makes the attack source tracing result accurate but increases CPU usage. For example, when the sampling ratio is set to 1, every packet is sampled: the attack source tracing result is accurate, but CPU usage is high because every packet is parsed. The auto-defend attack-packet sample command sets the sampling ratio. Choose a value that balances the required attack source tracing precision against CPU usage.
Prerequisites
Attack source tracing has been enabled using the auto-defend enable command.
Precautions
When a smaller attack source tracing threshold is used, the sampling ratio has a greater impact on the attack source tracing result.

Example
# Set the sampling ratio for attack source tracing in the attack defense policy named test to 2.
  <HUAWEI> system-view
  [~HUAWEI] cpu-defend policy test
  [*HUAWEI-cpu-defend-policy-test] auto-defend enable
  [*HUAWEI-cpu-defend-policy-test] auto-defend attack-packet sample 2

auto-defend enable
Function
The auto-defend enable command enables automatic attack source tracing.
The undo auto-defend enable command disables automatic attack source tracing.
By default, attack source tracing is disabled.

Format
auto-defend enable
undo auto-defend enable

Views
Attack defense policy view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
A large number of attack packets may target the device CPU. Attack source tracing enables the device to trace attack sources and send logs or alarms to notify the administrator, who can then take measures to defend against the attacks. By default, logs are sent to notify the administrator when attack source tracing is enabled. After automatic attack source tracing is enabled, the device traces the source of the specified packets sent to the CPU. The packet type can be set using the auto-defend protocol command.
Precautions
Example
# Enable attack source tracing in the attack defense policy named test.
  <HUAWEI> system-view
  [~HUAWEI] cpu-defend policy test
  [*HUAWEI-cpu-defend-policy-test] auto-defend enable

auto-defend action

Function
The auto-defend action command enables the attack source punishment function and specifies a punishment action.
The undo auto-defend action command disables the attack source punishment function.
By default, the attack source punishment function is disabled.

Format
auto-defend action { deny [ timeout time-length ] | error-down }
undo auto-defend action [ deny [ timeout time-length ] | error-down ]
Parameters
Views
Attack defense policy view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
The attack source tracing process consists of four phases: packet parsing, traffic analysis, attack source identification, and taking punishment actions against the attack source. The auto-defend action command applies to the last phase. The device either discards the packets sent from the identified source or sets the interface receiving the attack packets to Error-Down state. The device records the status of an interface as Error-Down when it detects a fault. An interface in Error-Down state cannot receive or send packets, and its indicator is off.
Prerequisites
Attack source tracing has been enabled using the auto-defend enable command.
Precautions
If you run the auto-defend action command multiple times, only the latest configuration takes effect.
After the auto-defend action is set to deny, the device discards packets from the identified source while it is under attack. The result can be verified using the display auto-defend attack-source command.
The device does not take punishment actions against attack sources of whitelisted users.
If the device sets the interface that receives the attack packets to Error-Down state, services of authorized users on that interface are interrupted. Exercise caution when you configure the device to shut down the interface.
Follow-up Procedure
When an interface enters the Error-Down state, it is recommended that you identify the attack source and remove the attack first, and then recover the interface status. An interface in Error-Down state can be recovered using either of the following methods:
Example
# Configure the device to discard packets from the identified source every 10 seconds.
  <HUAWEI> system-view
  [~HUAWEI] cpu-defend policy test
  [*HUAWEI-cpu-defend-policy-test] auto-defend enable
  [*HUAWEI-cpu-defend-policy-test] auto-defend action deny timeout 10

auto-defend alarm enable

Function
The auto-defend alarm enable command enables the event reporting function for attack source tracing.
The undo auto-defend alarm enable command disables the event reporting function for attack source tracing.
By default, the event reporting function for attack source tracing is enabled.

Format
auto-defend alarm enable
undo auto-defend alarm enable

Views
Attack defense policy view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
When the number of packets of a specified protocol from an attack source exceeds the threshold in a specified period, the device reports an event to the administrator so that the administrator can take measures to protect the device.
Prerequisites
Attack source tracing has been enabled using the auto-defend enable command.
Follow-up Procedure
Run the auto-defend alarm threshold command to set the event reporting threshold for attack source tracing.

Example
# Enable the event reporting function in the attack defense policy test.
  <HUAWEI> system-view
  [~HUAWEI] cpu-defend policy test
  [*HUAWEI-cpu-defend-policy-test] auto-defend enable
  [*HUAWEI-cpu-defend-policy-test] auto-defend alarm enable

auto-defend alarm threshold

Function
The auto-defend alarm threshold command sets the event reporting threshold for attack source tracing.
The undo auto-defend alarm threshold command restores the default event reporting threshold for attack source tracing.
By default, the event reporting threshold for attack source tracing is 128 pps.

Format
auto-defend alarm threshold threshold
undo auto-defend alarm threshold

Parameters
Views
Attack defense policy view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
When the number of packets of a specified protocol from an attack source exceeds the threshold in a specified period, the device reports an event to the administrator so that the administrator can take measures to protect the device.
Prerequisites
Attack source tracing has been enabled using the auto-defend enable command, and the event reporting function for attack source tracing has been enabled using the auto-defend alarm enable command.
Precautions
If you run the auto-defend alarm threshold command in the same attack defense policy view multiple times, only the latest configuration takes effect.

Example
# Set the event reporting threshold for attack source tracing in the attack defense policy named test to 300 pps.
  <HUAWEI> system-view
  [~HUAWEI] cpu-defend policy test
  [*HUAWEI-cpu-defend-policy-test] auto-defend enable
  [*HUAWEI-cpu-defend-policy-test] auto-defend alarm enable
  [*HUAWEI-cpu-defend-policy-test] auto-defend alarm threshold 300

auto-defend protocol

Function
The auto-defend protocol command specifies the types of protocol packets that the device monitors in attack source tracing.
The undo auto-defend protocol command removes specified types of protocol packets from those that the device monitors in attack source tracing.
By default, the device traces sources of ARP, DHCP, DHCPv6, ICMP, ICMPv6, ND, IGMP, and TTL-expired packets in attack source tracing.

Format
auto-defend protocol { all | { arp | dhcp | dhcpv6 | icmp | icmpv6 | igmp | mld | nd | ttl-expired } * }
undo auto-defend protocol { arp | dhcp | dhcpv6 | icmp | icmpv6 | igmp | mld | nd | ttl-expired } *
The CE5880EI and CE6880EI do not support the mld parameter.

Parameters
Views
Attack defense policy view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
The attack source tracing process consists of four phases: packet parsing, traffic analysis, attack source identification, and taking punishment actions against the attack source. The auto-defend protocol command applies to the packet parsing phase. When an attack occurs, the type of the attack packets may not be known in advance, so the auto-defend protocol command lets you flexibly specify the types of packets to be traced.
Prerequisites
Attack source tracing has been enabled using the auto-defend enable command.
Precautions
If a packet type is specified, when the device is attacked and the attack source is traced, you can run the display auto-defend attack-source command to view attack source information.

Example
# Delete IGMP and TTL-expired packets from the list of traced packets.
  <HUAWEI> system-view
  [~HUAWEI] cpu-defend policy test
  [*HUAWEI-cpu-defend-policy-test] auto-defend enable
  [*HUAWEI-cpu-defend-policy-test] undo auto-defend protocol igmp ttl-expired

auto-defend threshold

Function
The auto-defend threshold command sets the checking threshold for attack source tracing.
The undo auto-defend threshold command restores the default checking threshold for attack source tracing.
By default, the checking threshold for attack source tracing is 128 pps.

Format
auto-defend threshold threshold
undo auto-defend threshold

Parameters
Views
Attack defense policy view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
After attack source tracing is enabled, you can set the checking threshold for attack source tracing. When the number of protocol packets sent from an attack source in a specified period exceeds the checking threshold, the device traces and logs the attack source.
Prerequisites
Attack source tracing has been enabled using the auto-defend enable command.
Precautions
If you run the auto-defend threshold command in the same attack defense policy view multiple times, only the latest configuration takes effect.
After the auto-defend enable command is executed, the device traces attack sources based on the default threshold even if the auto-defend threshold command is not used.

Example
# Set the checking threshold for attack source tracing in the attack defense policy named test to 200 pps.
  <HUAWEI> system-view
  [~HUAWEI] cpu-defend policy test
  [*HUAWEI-cpu-defend-policy-test] auto-defend enable
  [*HUAWEI-cpu-defend-policy-test] auto-defend threshold 200

auto-defend trace-type

Function
The auto-defend trace-type command configures an attack source tracing mode.
The undo auto-defend trace-type command deletes an attack source tracing mode.
By default, attack source tracing is based on source MAC addresses and source IP addresses.

Format
auto-defend trace-type { source-mac | source-ip | source-portvlan } *
undo auto-defend trace-type { source-mac | source-ip | source-portvlan } *

Parameters
Views
Attack defense policy view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
After enabling attack source tracing, you can specify one or more attack source tracing modes. The device then uses the specified modes to trace attack sources. The device supports the following attack source tracing modes:
Prerequisites
Attack source tracing has been enabled using the auto-defend enable command.
Precautions
After the attack source tracing function is enabled on the device, you can run the display auto-defend attack-source command to view attack source tracing information if an attack occurs.
If the attack source tracing function is enabled using the auto-defend enable command, you cannot run the undo auto-defend trace-type source-mac source-ip source-portvlan command to delete all source tracing modes.

Example
# Configure attack source tracing based on source MAC addresses.
  <HUAWEI> system-view
  [~HUAWEI] cpu-defend policy test
  [*HUAWEI-cpu-defend-policy-test] auto-defend enable
  [*HUAWEI-cpu-defend-policy-test] auto-defend trace-type source-mac

auto-defend whitelist

Function
The auto-defend whitelist command configures a whitelist for attack source tracing. The device does not trace the source of users in the whitelist.
The undo auto-defend whitelist command deletes a whitelist for attack source tracing.
By default, no whitelist is configured.

Format
auto-defend whitelist whitelist-number { acl { acl-number | ipv6 acl6-number } | interface interface-type interface-number }
undo auto-defend whitelist whitelist-number

Parameters
Views
Attack defense policy view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
Attack source tracing helps locate and punish sources of denial of service (DoS) attacks. If some users must not be traced regardless of whether an attack occurs, run the auto-defend whitelist command to add them to a whitelist.
Prerequisites
Attack source tracing has been enabled using the auto-defend enable command.
Precautions
Before referencing an ACL in a whitelist, create the ACL and configure its rules.
If the ACL referenced by the whitelist specifies protocols, ensure that packets of these protocols can be traced. If a specified protocol is not yet covered by attack source tracing, run the auto-defend protocol command to add the protocol to the traced packet types.

Example
# Add source IP addresses 10.1.1.1 and 10.1.1.2 to the whitelist for attack source tracing.
  <HUAWEI> system-view
  [~HUAWEI] acl 2000
  [*HUAWEI-acl4-basic-2000] rule permit source 10.1.1.1 0
  [*HUAWEI-acl4-basic-2000] rule permit source 10.1.1.2 0
  [*HUAWEI-acl4-basic-2000] quit
  [*HUAWEI] cpu-defend policy test
  [*HUAWEI-cpu-defend-policy-test] auto-defend enable
  [*HUAWEI-cpu-defend-policy-test] auto-defend whitelist 1 acl 2000

auto-port-defend protocol disable

Function
The auto-port-defend protocol disable command disables the port-based automatic local attack defense function.
The undo auto-port-defend protocol disable command enables the port-based automatic local attack defense function.
By default, port-based automatic local attack defense is enabled.

Format
auto-port-defend protocol { arp-request | dhcp | multicast | ospf | nd | vrrp } disable
undo auto-port-defend protocol { arp-request | dhcp | multicast | ospf | nd | vrrp } disable
The CE5880EI and CE6880EI support only the arp-request parameter.

Parameters
Views
Attack defense policy view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
When a protocol is enabled, the switch automatically assigns a queue to packets of that protocol and a default CAR value to the queue. If one port receives many packets of a protocol and sends them to the CPU, the other ports on the switch can send packets of this protocol to the CPU only at a low rate, or not at all, which affects services. Port-based automatic local attack defense resolves this problem. When the number of protocol packets received by a port exceeds 75% of the default CAR value, or the sum of the top two quantities of protocol packets received on two ports exceeds 85% of the default CAR value, the protocol packets received by those ports are sent to a queue with a smaller CAR value. This prevents them from affecting the sending of protocol packets on other, normal ports.
Precautions
After ARP rate limiting is enabled on all ports, port-based automatic local attack defense for ARP packets does not take effect.
In scenarios where port-based automatic local attack defense has been triggered on fewer than two ports on which MAC address flapping occurred, if MAC address flapping occurs on another port, port-based automatic local attack defense is also triggered on that port. In this case, all protocol packets received by that port are placed into a queue with a smaller CAR value. After the MAC address flapping issue is resolved on the port, port-based automatic local attack defense is no longer triggered on it.
Port-based automatic local attack defense takes effect only on the move ports (interfaces to which MAC addresses flap) of the local device.
After the NS multicast suppression function is enabled, port-based automatic local attack defense does not take effect for ND proxy response packets and NS multicast-to-unicast packets.
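The trigger rule from the Usage Scenario above (a single port above 75% of the default CAR value, or the two busiest ports together above 85%, on at most two ports per switch), as an added Python model that is not Huawei code. It assumes per-port packet counts of one protocol already measured over the interval the CAR value applies to, and breaks ties between equally busy ports by port name, which the page does not specify.

```python
"""Added model of the port-based automatic local attack defense trigger
rule (not Huawei code).  Assumptions: `counts` holds packets of ONE
protocol per port, measured over the same interval the default CAR value
applies to; ties between equally busy ports are broken by port name."""

from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Throttled:
    port: str
    reason: str  # "single-port" (75% rule) or "top-two" (85% rule)


def select_throttled_ports(counts: dict[str, int], default_car: int,
                           max_ports: int = 2) -> list[Throttled]:
    """Return the ports whose packets of this protocol are moved to the
    queue with the smaller CAR value, busiest first, capped at max_ports.

    Rules taken from the command reference text:
      * one port alone above 75% of the default CAR value is moved;
      * if the two busiest ports together exceed 85% of the default CAR
        value, both of them are moved;
      * the function takes effect on at most two ports per switch.
    """
    if default_car <= 0:
        raise ValueError("default CAR value must be positive")

    # busiest first; port name breaks ties (assumption, see docstring)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    reasons: dict[str, str] = {}

    for port, n in ranked:
        if n > 0.75 * default_car:
            reasons[port] = "single-port"

    if len(ranked) >= 2:
        (p1, n1), (p2, n2) = ranked[:2]
        if n1 + n2 > 0.85 * default_car:
            # a port already caught by the 75% rule keeps that reason
            reasons.setdefault(p1, "top-two")
            reasons.setdefault(p2, "top-two")

    # keep rank order so the busiest qualifying ports are the ones moved
    moved = [Throttled(p, reasons[p]) for p, _ in ranked if p in reasons]
    return moved[:max_ports]
```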
On the CE6870EI and CE6875EI, port-based automatic local attack defense is triggered for VRRP packets when the rate of VRRP packets discarded within the last 1 minute exceeds three times the CAR value of VRRP packets and the other basic conditions are met.
The port-based automatic local attack defense function checks only ARP packets whose destination MAC address is the broadcast MAC address, OSPF packets whose destination MAC address is a multicast MAC address, VRRP packets whose destination MAC address is a multicast MAC address, and ND packets whose destination MAC address starts with 0x3333.
On each switch, port-based automatic local attack defense takes effect on a maximum of two ports.

Example
# In the attack defense policy view, disable port-based automatic local attack defense for ARP Request packets.
  <HUAWEI> system-view
  [~HUAWEI] cpu-defend policy test
  [*HUAWEI-cpu-defend-policy-test] auto-port-defend protocol arp-request disable

blacklist

Function
The blacklist command configures a blacklist.
The undo blacklist command deletes a blacklist.
By default, no blacklist is configured.

Format
blacklist blacklist-id acl { acl-number | ipv6 acl6-number } [ interface { interface-type interface-number1 [ to interface-type interface-number2 ] } &<1-8> ] [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-8> ]
undo blacklist blacklist-id [ acl { acl-number | ipv6 acl6-number } [ interface { interface-type interface-number1 [ to interface-type interface-number2 ] } &<1-8> ] [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-8> ] ]

Parameters
Views
Attack defense policy view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
To defend against malicious packet attacks, the device uses ACLs to add users with specific characteristics to a blacklist and discards these users' CPU-bound packets.
A maximum of eight blacklists can be configured in an attack defense policy on the device. The blacklists are restored in ascending order of blacklist ID (blacklist-id).
When an ACL rule in which the protocol type is set to TCP or UDP is applied to a blacklist, only 24 port number ranges can be configured.
When a blacklist references an ACL that matches the source IP address against unicast addresses, or references a basic ACL with no matching rule configured, the blacklist does not take effect on packets forwarded by the CE6870EI and CE6875EI.
For the CE6870EI and CE6875EI, the blacklist function does not take effect on STP, LDT, LLDP, CDP, DLDP, LACP, DAD, EFM, VBST, GVRP, CFM, BPDU, and M-LAG packets, nor on FCoE packets carrying VLAN information or GRE packets whose size exceeds a specific value (configurable using the MTU command).
For the CE6870EI and CE6875EI, if forwarded packets match a blacklist that references a Layer 2 ACL, the packets are discarded and are not controlled by the filter.
Prerequisites
An ACL has been created using the acl command.

Example
# Specify ACL 2001 as the rule referenced by blacklist 2.
  <HUAWEI> system-view
  [~HUAWEI] cpu-defend policy test
  [*HUAWEI-cpu-defend-policy-test] blacklist 2 acl 2001

car (attack defense policy view)

Function
The car command sets the rate limit for packets sent to the CPU.
The undo car command restores the default rate limit for packets sent to the CPU.
Each type of protocol packet has a default rate limit, which you can check by running the display cpu-defend configuration command.

Format
car packet-type packet-type pps pps-value
undo car packet-type packet-type

Parameters
Views
Attack defense policy view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
The switch has default CAR values for each type of protocol packet. You can adjust the CAR values for specified types of protocol packets based on services and the network environment. After an attack defense policy is created, you can limit the rate of protocol packets using the policy:
Precautions
If both the deny and car commands are run for a specified type of packets, the command configured later takes effect.

Example
# Configure the CAR in the attack defense policy named test and set the rate limit of ARP packets to 6400 pps.
  <HUAWEI> system-view
  [~HUAWEI] cpu-defend policy test
  [*HUAWEI-cpu-defend-policy-test] car packet-type arp pps 6400

car enp

Function
The car enp command sets the rate limit for packets in enhanced mode.
The undo car enp command restores the default rate limit for packets in enhanced mode.
You can run the display cpu-defend configuration enp command to view the default rate limit of packets in enhanced mode.
This command is available only for the CE6875EI.

Format
car enp packet-type packet-type pps pps-value
undo car enp packet-type packet-type

Parameters
Views
Attack defense policy view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
After an attack defense policy is created, the device can limit the rate of packets in either of the following modes:
You can run the car enp command to enable the switch to limit the rate of packets in enhanced mode.
Precautions
If both the deny enp and car enp commands are run for a specified type of packets, the command configured later takes effect.

Example
# Set the rate limit of BFD packets in enhanced mode to 6400 pps.
  <HUAWEI> system-view
  [~HUAWEI] cpu-defend policy test
  [*HUAWEI-cpu-defend-policy-test] car enp packet-type bfd pps 6400

car all-packets pps

Function
The car all-packets pps command limits the number of packets sent to the CPU per second.
The undo car all-packets pps command restores the default maximum number of packets sent to the CPU per second.
By default, a maximum of 5120 packets can be sent to the CPU of the device per second. On the CE5810EI, CE5850HI, and CE5855EI, the maximum is 2048 packets per second.

Format
car all-packets pps packets
undo car all-packets

Parameters
Views
Attack defense policy view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
If a large number of packets are sent to the CPU, CPU performance deteriorates. The device limits the number of packets sent to the CPU per second to protect the CPU. The device provides 2-level CAR:
The car all-packets pps command is applicable to scenarios where bursts of packets are sent to the CPU. The maximum number of packets sent to the CPU specified using the car all-packets pps command must be smaller than that specified by level-1 CAR; otherwise, the car all-packets pps command takes no effect.
Precautions
If you run the car all-packets pps command in the same attack defense policy view multiple times, only the latest configuration takes effect.
The car all-packets pps command is required only when the current CAR configuration cannot reduce the CPU load. When the CAR value of a queue is reduced, fewer packets are sent to the CPU and CPU usage decreases accordingly; however, when there are many types of protocol packets, CPU usage may still be high.
When the actual and configured rates of packets sent to the CPU are both high, CPU usage may be high and performance may deteriorate. In the worst case, the device fails.

Example
# Configure the attack defense policy named test to limit the rate of packets sent to the CPU to 5000 pps.
  <HUAWEI> system-view
  [~HUAWEI] cpu-defend policy test
  [*HUAWEI-cpu-defend-policy-test] car all-packets pps 5000

cpu-defend local-host anti-attack enable

Function
The cpu-defend local-host anti-attack enable command enables host attack defense.
The undo cpu-defend local-host anti-attack enable command disables host attack defense.
By default, host attack defense is disabled.

Format
cpu-defend local-host anti-attack enable
undo cpu-defend local-host anti-attack enable

Default Level
2: Configuration level

Usage Guidelines
After the ssh server acl, telnet server acl, ftp server acl, or snmp-agent acl command is configured, the switch forwards SSH, Telnet, FTP, or SNMP packets to the CPU and matches them against software ACLs. When host attack defense is enabled, the switch matches these packets against hardware ACLs instead.
If packets match an ACL rule with a deny action, the switch discards them directly and no longer forwards such packets to the CPU.

Example
# Enable host attack defense.
  <HUAWEI> system-view
  [~HUAWEI] cpu-defend local-host anti-attack enable

cpu-defend policy

Function
The cpu-defend policy command creates an attack defense policy and displays the attack defense policy view.
The undo cpu-defend policy command deletes an attack defense policy.
By default, the devicename-default attack defense policy exists on the device and is applied to the device. The devicename-default attack defense policy cannot be deleted or modified.

Format
cpu-defend policy policy-name
undo cpu-defend policy policy-name

Parameters
Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
A large number of packets, including malicious attack packets, are sent to the CPU on a network. If excess packets are sent to the CPU, CPU usage becomes high and CPU performance deteriorates. The attack packets affect services and may even cause a system breakdown. To solve the problem, create an attack defense policy and configure CPU attack defense and attack source tracing in it.
Precautions
The device supports a maximum of 17 attack defense policies, including the devicename-default attack defense policy. The devicename-default attack defense policy is generated by the system and applied to the device by default; it cannot be deleted or modified. The other 16 policies can be created, modified, and deleted.
The CE5880EI, CE6870EI, CE6875EI, and CE6880EI support a maximum of 49 attack defense policies, including the devicename-default attack defense policy. By default, the devicename-default attack defense policy is applied to the device and cannot be deleted or modified. The other 48 policies can be modified or deleted.
The configuration in a user-defined attack defense policy overrides the configuration in the devicename-default attack defense policy.
The car all-packets pps command is required only when the current CAR configuration cannot reduce the CPU load.
When the devicename-default attack defense policy is used, protocol packets sent to the CPU are limited based on the default CIR value.

Example
# Create an attack defense policy named test.
  <HUAWEI> system-view
  [~HUAWEI] cpu-defend policy test
  [*HUAWEI-cpu-defend-policy-test]

cpu-defend-policy

Function
The cpu-defend-policy command applies an attack defense policy.
The undo cpu-defend-policy command cancels the application of an attack defense policy.
By default, the devicename-default attack defense policy is applied to the switch.
Format
cpu-defend-policy policy-name [ slot slot-id | batch slot { slot-id1 [ to slot-id2 ] } &<1-12> ]
undo cpu-defend-policy [ slot slot-id | batch slot { slot-id1 [ to slot-id2 ] } &<1-12> ]

Parameters
Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
An attack defense policy takes effect only when it is applied to the device, and only one attack defense policy can be applied to the device.
Prerequisites
An attack defense policy has been created using the cpu-defend policy command.

Example
# Apply the attack defense policy named test to all devices.
  <HUAWEI> system-view
  [~HUAWEI] cpu-defend policy test
  [*HUAWEI-cpu-defend-policy-test] quit
  [*HUAWEI] cpu-defend-policy test
# Apply the attack defense policy named test to the LPU in slot 3.
  <HUAWEI> system-view
  [~HUAWEI] cpu-defend policy test
  [*HUAWEI-cpu-defend-policy-test] quit
  [*HUAWEI] cpu-defend-policy test slot 3

cpu-defend-policy statistics enable

Function
The cpu-defend-policy statistics enable command enables statistics collection for an attack defense policy.
The undo cpu-defend-policy statistics enable command disables statistics collection for an attack defense policy.
By default, statistics collection for an attack defense policy is disabled.
Only the CE6870EI and CE6875EI support this command.

Format
cpu-defend-policy statistics enable
undo cpu-defend-policy statistics enable

Default Level
2: Configuration level

Usage Guidelines
After a blacklist or filter is configured, enable statistics collection for the attack defense policy, and then run the display cpu-defend { blacklist | filter } statistics [ slot slot-id ] command to view statistics about packets sent to the CPU that matched the blacklist or filter.

Example
# Enable statistics collection for an attack defense policy.
  <HUAWEI> system-view
  [~HUAWEI] cpu-defend-policy statistics enable

deny

Function
The deny command configures the device to discard packets sent to the CPU.
The undo deny command restores the default action taken on packets sent to the CPU.
By default, the device does not discard packets sent to the CPU.
Instead, the device limits the rate of packets sent to the CPU using the default rate. You can check the rate limit of each type of packet using the display cpu-defend configuration command.

Format
deny packet-type packet-type
undo deny packet-type packet-type

Parameters
Views
Attack defense policy view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
After an attack defense policy is created, if the device receives attack packets of a specified type, or a large number of packets of that type are sent to the CPU, run the deny command to configure the device to discard packets of the specified type sent to the CPU.
Precautions
If you run the deny command and then the car command, the car command takes effect; if you run the car command and then the deny command, the deny command takes effect.
After the undo deny command is executed, the default action on packets sent to the CPU is restored.

Example
# Configure the drop action for ARP packets sent to the CPU in the attack defense policy test.
  <HUAWEI> system-view
  [~HUAWEI] cpu-defend policy test
  [*HUAWEI-cpu-defend-policy-test] deny packet-type arp

deny enp

Function
The deny enp command configures the device to discard packets in enhanced mode.
The undo deny enp command restores the default action that the device takes on packets in enhanced mode.
By default, the device does not discard packets, and uses the default value of the devicename-default policy to limit the rate of packets. You can run the display cpu-defend configuration enp command to view the rate limit of packets.
This command is available only for the CE6875EI.

Format
deny enp packet-type packet-type
undo deny enp packet-type packet-type

Parameters
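The precedence rule stated for the car and deny commands above (for a given packet type, whichever of the two was configured later takes effect, and undo deny restores the default action), as an added Python model that is not Huawei code. The per-type default pps values in it are constructed placeholders, not real switch defaults, which on a device come from display cpu-defend configuration; how undo car interacts with a configured deny is not stated on the page and is an assumption noted in the code.

```python
"""Added model of how car and deny resolve per packet type inside one
attack defense policy (not Huawei code).  DEFAULT_PPS holds constructed
placeholder values, not the real default CAR values of any switch."""

from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# constructed placeholders; on a device, read display cpu-defend configuration
DEFAULT_PPS = {"arp": 512, "dhcp": 256, "icmp": 128}


@dataclass(frozen=True)
class Action:
    kind: str            # "car" or "deny"
    pps: Optional[int]   # rate limit when kind == "car", else None


class AttackDefensePolicy:
    """Applies policy-view command lines in order; the later one wins."""

    def __init__(self, name: str, defaults: dict[str, int] = DEFAULT_PPS):
        self.name = name
        self.defaults = defaults
        self._configured: dict[str, Action] = {}   # non-default state only

    def run(self, command: str) -> None:
        tokens = command.split()
        undo = bool(tokens) and tokens[0] == "undo"
        if undo:
            tokens = tokens[1:]
        if len(tokens) < 3 or tokens[1] != "packet-type":
            raise ValueError(f"unsupported command: {command!r}")
        verb, ptype = tokens[0], tokens[2]
        if ptype not in self.defaults:
            raise ValueError(f"unknown packet type: {ptype}")
        current = self._configured.get(ptype)

        if verb == "car":
            if undo:
                # undo car restores the default rate limit.  Assumption: it
                # does not touch a deny configured for the same type.
                if current is not None and current.kind == "car":
                    del self._configured[ptype]
            else:
                if len(tokens) != 5 or tokens[3] != "pps":
                    raise ValueError(f"unsupported command: {command!r}")
                self._configured[ptype] = Action("car", int(tokens[4]))
        elif verb == "deny":
            if undo:
                # undo deny restores the default action (the default CAR)
                if current is not None and current.kind == "deny":
                    del self._configured[ptype]
            else:
                self._configured[ptype] = Action("deny", None)
        else:
            raise ValueError(f"unsupported command: {command!r}")

    def effective(self, ptype: str) -> Action:
        """What the device does with CPU-bound packets of this type."""
        if ptype in self._configured:
            return self._configured[ptype]
        return Action("car", self.defaults[ptype])

    def to_config(self) -> list[str]:
        """Render the non-default state as the commands that produce it."""
        lines = [f"cpu-defend policy {self.name}"]
        for ptype, act in sorted(self._configured.items()):
            if act.kind == "deny":
                lines.append(f" deny packet-type {ptype}")
            else:
                lines.append(f" car packet-type {ptype} pps {act.pps}")
        return lines
```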
Views
Attack defense policy view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
After an attack defense policy is created, the device can discard packets in either of the following modes:
If the device receives attack packets or many normal packets of a certain protocol type, you can run the deny enp command to configure the device to discard packets in enhanced mode.
Precautions
If both the deny enp and car enp commands are run for a specified type of packets, the command configured later takes effect.
After the undo deny enp command is run, the device restores the default action on packets in enhanced mode.

Example
# Configure the device to discard BFD packets in enhanced mode.
  <HUAWEI> system-view
  [~HUAWEI] cpu-defend policy test
  [*HUAWEI-cpu-defend-policy-test] deny enp packet-type bfd

description (attack defense policy view)

Function
The description command configures the description of an attack defense policy.
The undo description command deletes the description of an attack defense policy.
By default, no description is configured for an attack defense policy.

Format
description text
undo description

Parameters
Views
Attack defense policy view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
The description command configures the description of an attack defense policy, for example, the usage or application scenario of the policy. The description is used to differentiate attack defense policies.

Precautions
If you run the description command in the same attack defense policy view multiple times, only the latest configuration takes effect.

Example
# Configure the description defend_arp_attack for the attack defense policy named test.
<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test
[*HUAWEI-cpu-defend-policy-test] description defend_arp_attack

display auto-defend attack-source

Function
The display auto-defend attack-source command displays the attack sources.

Format
display auto-defend attack-source [ statistics ] [ slot slot-id ]

Parameters
Default Level
1: Monitoring level

Usage Guidelines
To learn the attack source information after attack source tracing is configured, you can run the display auto-defend attack-source command.
In a stack, the attack source list is saved only on the master switch. The display auto-defend attack-source command displays only the attack source list on the master switch (except CE6870EI and CE6875EI).

Example
# Display the attack source list.
<HUAWEI> display auto-defend attack-source
Attack Source User Table on Slot 1 :
-------------------------------------------------------------------------
MAC Address       Interface      PacketType   VLAN:Outer/Inner   Total
-------------------------------------------------------------------------
0000-c102-0102    10GE1/0/1      ICMP         1000/              4832
-------------------------------------------------------------------------
Total: 1

Attack Source IP Table on Slot 1 :
-------------------------------------------------------------------------
IP Address      PacketType   Total
-------------------------------------------------------------------------
10.1.1.2        ICMP         1144
-------------------------------------------------------------------------
Total: 1

Attack Source Port Table on Slot 1 :
-------------------------------------------------------------------------
Interface    VLAN:Outer/Inner   PacketType   Total
-------------------------------------------------------------------------
10GE1/0/1    1000/--            ICMP         4832
-------------------------------------------------------------------------
Total: 1

Table 16-68 Description of the display auto-defend attack-source command output
# Display statistics on attack sources. <HUAWEI> display auto-defend attack-source statistics slot 1
2019-11-28 19:38:47.361
---------------------------------------------------------------------------------
CPU defend policy ge
Slot1
---------------------------------------------------------------------------------
Last time the deny action takes effect: 2019-11-28 19:22:00
Protocol: ARP
Source-MAC: 1-1-1
Dropped Packets 83548625, Dropped Bytes 10694889728
---------------------------------------------------------------------------------
Table 16-69 Description of the display auto-defend attack-source statistics command output
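The attack source tables above are what an operator polls when tracing a CPU attack, and in practice they are collected over SSH and fed to a monitoring system rather than read by hand. The following parser is an added example and not Huawei code: it walks the three tables (User, IP, Port) as printed by display auto-defend attack-source, keeps the per-source sampled packet counts, and ranks the sources above a threshold. The sample output and the 1000-packet threshold are constructed for illustration; the column order is taken from the header rows shown in this reference.

```python
"""Parse 'display auto-defend attack-source' output and rank attack sources.

Added example, not Huawei code. SAMPLE_OUTPUT is constructed to match the
column layout shown in this command reference; the threshold is illustrative.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the three tables the command prints for one slot.
SAMPLE_OUTPUT = """\
Attack Source User Table on Slot 1 :
-------------------------------------------------------------------------
MAC Address       Interface      PacketType   VLAN:Outer/Inner   Total
-------------------------------------------------------------------------
0000-c102-0102    10GE1/0/1      ICMP         1000/--            4832
0000-c102-0103    10GE1/0/2      ARP          20/--              512
-------------------------------------------------------------------------
Total: 2

Attack Source IP Table on Slot 1 :
-------------------------------------------------------------------------
IP Address      PacketType   Total
-------------------------------------------------------------------------
10.1.1.2        ICMP         1144
-------------------------------------------------------------------------
Total: 1

Attack Source Port Table on Slot 1 :
-------------------------------------------------------------------------
Interface    VLAN:Outer/Inner   PacketType   Total
-------------------------------------------------------------------------
10GE1/0/1    1000/--            ICMP         4832
-------------------------------------------------------------------------
Total: 1
"""

# Column order of each table kind, taken from the header rows above.
_COLUMNS = {
    "User": ("mac", "interface", "packet_type", "vlan", "total"),
    "IP": ("ip", "packet_type", "total"),
    "Port": ("interface", "vlan", "packet_type", "total"),
}
_TABLE_HDR = re.compile(r"^Attack Source (User|IP|Port) Table on Slot (\d+)")


@dataclass
class AttackSource:
    table: str              # "User", "IP" or "Port"
    slot: int
    packet_type: str
    total: int              # sampled packets attributed to this source
    fields: Dict[str, str]  # remaining columns: mac, ip, interface, vlan


def parse_attack_sources(text: str) -> List[AttackSource]:
    """Walk the output line by line, switching table kind on each header."""
    sources: List[AttackSource] = []
    table: Optional[str] = None
    slot = 0
    for raw in text.splitlines():
        line = raw.strip()
        m = _TABLE_HDR.match(line)
        if m:
            table, slot = m.group(1), int(m.group(2))
            continue
        # Skip blank lines, separators, the column header and the trailer.
        if (not line or table is None or line.startswith("-")
                or line.startswith("Total:") or "PacketType" in line):
            continue
        cols = _COLUMNS[table]
        tokens = line.split()
        if len(tokens) != len(cols):
            continue  # tolerate unexpected rows rather than mis-attributing them
        row = dict(zip(cols, tokens))
        total = int(row.pop("total"))
        ptype = row.pop("packet_type")
        sources.append(AttackSource(table, slot, ptype, total, row))
    return sources


def top_sources(sources: List[AttackSource], min_total: int = 1000) -> List[AttackSource]:
    """Return sources at or above min_total, busiest first (alerting input)."""
    hits = [s for s in sources if s.total >= min_total]
    return sorted(hits, key=lambda s: s.total, reverse=True)


def describe(src: AttackSource) -> str:
    """One-line summary suitable for a log entry or a ticket."""
    where = src.fields.get("mac") or src.fields.get("ip") or src.fields.get("interface")
    return f"slot {src.slot} {src.table.lower()} {where} {src.packet_type} {src.total}"


if __name__ == "__main__":
    for s in top_sources(parse_attack_sources(SAMPLE_OUTPUT)):
        print(describe(s))
```

Because the Total column counts sampled packets, the threshold must be read together with the auto-defend attack-packet sample ratio in force on the device: with the default ratio of 8, a Total of 4832 represents roughly eight times that many packets on the wire.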
display cpu-defend auto-port-defend

Function
The display cpu-defend auto-port-defend command displays information about the interfaces to which port-based automatic local attack defense is applied and statistics about the protocol packets sent to the CPU.

Format
display cpu-defend auto-port-defend [ slot slot-id ]

Parameters

Default Level
1: Monitoring level

Usage Guidelines
If port-based automatic local attack defense is applied and protocol packets on an interface are moved to a queue with a small CAR value and sent to the CPU, you can run this command to view the interface information and statistics about the protocol packets.

Example
# Display information about the interfaces to which port-based automatic local attack defense is applied and statistics about the protocol packets sent to the CPU.
<HUAWEI> display cpu-defend auto-port-defend
Port info on slot 1 :
--------------------------------------------------------------------------------
PacketType Port
--------------------------------------------------------------------------------
arp-request 10GE/1/0/1
dhcp 10GE/1/0/1
igmp 10GE/1/0/1
ospf 10GE/1/0/1
--------------------------------------------------------------------------------
Port queue info on slot 1 :
--------------------------------------------------------------------------------
PacketType QueueName
--------------------------------------------------------------------------------
arp-request queue one
dhcp queue one
igmp queue one
ospf queue two
--------------------------------------------------------------------------------
Statistics(packets) on slot 1 :
--------------------------------------------------------------------------------
QueueName Total Passed Total Dropped Last Dropping Time
Last 5 Min Passed Last 5 Min Dropped
--------------------------------------------------------------------------------
queue one 39413185 12950486396 2017-08-07 15:50
575126 250926259
queue two 28905966 142484581 2017-08-07 15:50
332073 1174817
--------------------------------------------------------------------------------

Table 16-70 Description of the display cpu-defend auto-port-defend command output
display cpu-defend configuration

Function
The display cpu-defend configuration command displays CAR configurations.

Format
display cpu-defend configuration [ packet-type packet-type ] { all | slot slot-id }

Parameters

Default Level
1: Monitoring level

Usage Guidelines
You can run the display cpu-defend configuration command to view the rate limit of protocol packets sent to the CPU. By default, the rate limit of protocol packets in the devicename-default policy is displayed.

Example
# Display the CAR configurations of all devices.
<HUAWEI> display cpu-defend configuration all
Car configurations on slot 1 :
---------------------------------------------------
PacketType          Status       Car(pps)
---------------------------------------------------
8021x               Disabled     512
aaa                 Enabled      384
arp                 Enabled      128
arp-miss            Enabled      512
bfd                 Enabled      1024
bgp                 Enabled      1024
bpdu-tunnel         Enabled      512
dhcp                Enabled      512(*)
......
---------------------------------------------------
*: The packet is accessed through the common queue.
Car all-packets (pps) : 5120
---------------------------------------------------
The preceding information is an example. The displayed packet type depends on the actual situation.

Table 16-71 Description of the display cpu-defend configuration command output
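A CAR table like the one above is the control that keeps a flood of one protocol from starving the others on the control plane, so its drift is worth auditing: a packet type whose CAR is Disabled is not rate-limited at all, and a type whose value was raised during troubleshooting and never restored weakens the protection. The following audit is an added example, not Huawei code: it parses display cpu-defend configuration output, strips the (*) common-queue marker, and compares each type against a per-site baseline. SAMPLE_OUTPUT and BASELINE_PPS are constructed for illustration; the baseline values are assumptions for the example, not vendor defaults.

```python
"""Audit 'display cpu-defend configuration' output against a CAR baseline.

Added example, not Huawei code. SAMPLE_OUTPUT is constructed to match the
column layout shown in this reference; BASELINE_PPS is an illustrative
per-site baseline (an assumption), not a vendor default.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample output for one slot.
SAMPLE_OUTPUT = """\
Car configurations on slot 1 :
---------------------------------------------------
PacketType          Status       Car(pps)
---------------------------------------------------
8021x               Disabled     512
aaa                 Enabled      384
arp                 Enabled      128
arp-miss            Enabled      512
bfd                 Enabled      4096
dhcp                Enabled      512(*)
---------------------------------------------------
*: The packet is accessed through the common queue.
Car all-packets (pps) : 5120
---------------------------------------------------
"""

# Assumed baseline: the CAR value each packet type is expected to carry.
BASELINE_PPS = {"8021x": 512, "aaa": 384, "arp": 128, "arp-miss": 512,
                "bfd": 1024, "dhcp": 512}

_SLOT = re.compile(r"^Car configurations on slot (\d+)")
_ROW = re.compile(r"^(\S+)\s+(Enabled|Disabled)\s+(\d+)(\(\*\))?$")
_ALL = re.compile(r"^Car all-packets \(pps\)\s*:\s*(\d+)")


@dataclass
class CarEntry:
    packet_type: str
    enabled: bool
    pps: int
    common_queue: bool   # '(*)' marker: the type is handled through the common queue


@dataclass
class CarConfig:
    slot: Optional[int]
    entries: Dict[str, CarEntry]
    all_packets_pps: Optional[int]   # aggregate CAR applied on top of per-type CARs


def parse_car_config(text: str) -> CarConfig:
    """Extract the slot, every per-type CAR row and the all-packets CAR."""
    slot = None
    entries: Dict[str, CarEntry] = {}
    all_pps = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SLOT.match(line)
        if m:
            slot = int(m.group(1))
            continue
        m = _ALL.match(line)
        if m:
            all_pps = int(m.group(1))
            continue
        m = _ROW.match(line)
        if m:
            name, status, pps, star = m.groups()
            entries[name] = CarEntry(name, status == "Enabled", int(pps), star is not None)
    return CarConfig(slot, entries, all_pps)


def audit(cfg: CarConfig, baseline: Dict[str, int]) -> List[str]:
    """Flag types that are missing, disabled, or rate-limited above baseline.

    Also reports when the enabled per-type CARs add up to more than the
    all-packets CAR, since they then cannot all be honoured at once.
    """
    findings: List[str] = []
    for name, want in sorted(baseline.items()):
        e = cfg.entries.get(name)
        if e is None:
            findings.append(f"{name}: not present in output")
        elif not e.enabled:
            findings.append(f"{name}: CAR disabled (configured {e.pps} pps)")
        elif e.pps > want:
            findings.append(f"{name}: CAR {e.pps} pps exceeds baseline {want}")
    if cfg.all_packets_pps is not None:
        total = sum(e.pps for e in cfg.entries.values() if e.enabled)
        if total > cfg.all_packets_pps:
            findings.append(
                f"sum of per-type CAR {total} pps exceeds all-packets CAR {cfg.all_packets_pps}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_car_config(SAMPLE_OUTPUT), BASELINE_PPS):
        print(finding)
```

Run against the constructed sample, the audit reports the disabled 8021x CAR, the bfd value raised to 4096 pps, and the fact that the enabled per-type budgets total 5632 pps against an all-packets CAR of 5120 pps.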
display cpu-defend configuration enp

Function
The display cpu-defend configuration enp command displays the configuration of packet rate limiting in enhanced mode.
This command is available only for the CE6875EI.

Format
display cpu-defend configuration enp packet-type packet-type { all | slot slot-id }

Parameters

Default Level
1: Monitoring level

Usage Guidelines
You can run the display cpu-defend configuration enp command to view the configuration of packet rate limiting in enhanced mode.

Example
# Display the configuration of packet rate limiting in enhanced mode. (CE6875EI)
<HUAWEI> display cpu-defend configuration enp packet-type bfd all
Car configurations on slot 1 :
---------------------------------------------------
PacketType Status Car(pps)
---------------------------------------------------
bfd Disabled 40000
---------------------------------------------------

Table 16-72 Description of the display cpu-defend configuration enp command output
display cpu-defend local-host anti-attack

Function
The display cpu-defend local-host anti-attack command displays statistics about the packets matching hardware ACLs after host attack defense is enabled.

Format
display cpu-defend local-host anti-attack [ slot slot-id ]

Parameters

Default Level
1: Monitoring level

Usage Guidelines
After host attack defense is enabled, you can run the display cpu-defend local-host anti-attack command to view statistics about the packets matching hardware ACLs.

Example
# Display statistics about the packets matching hardware ACLs (on the CE5880EI, CE6870EI, CE6875EI and CE6880EI) after host attack defense is enabled.
<HUAWEI> display cpu-defend local-host anti-attack
ACL resource on slot 1
----------------------------------------------
Protocol State ACL
----------------------------------------------
SSH Successful 3000
----------------------------------------------
SSH Statistics on slot 1
--------------------------------------------------------------------------------
rule 10 deny tcp
Dropped Packets 0, Dropped Bytes 0
--------------------------------------------------------------------------------

# Display statistics about the packets matching hardware ACLs (on a switch other than the CE5880EI, CE6870EI, CE6875EI and CE6880EI) after host attack defense is enabled.
<HUAWEI> display cpu-defend local-host anti-attack
ACL resource on slot 1
----------------------------------------------
Protocol State ACL
----------------------------------------------
SSH Failed(1) 2000
----------------------------------------------
Fail reason:
(1): The ACL resource is not enough.
----------------------------------------------
Table 16-73 Description of the display cpu-defend local-host anti-attack command output
display cpu-defend policy

Function
The display cpu-defend policy command displays the attack defense policy configuration.

Format
display cpu-defend policy [ policy-name ]

Parameters

Default Level
1: Monitoring level

Usage Guidelines
After an attack defense policy is created, you can run the display cpu-defend policy command to view the stack ID that the attack defense policy is applied to and the configuration of the attack defense policy.

Example
# Display the configuration of the attack defense policy test1.
<HUAWEI> display cpu-defend policy test1
==============================================
Policy name: test1
Policy applys on slot: <1>
Car packet-type bfd(pps) : 128
Blacklist status:
----------------------------------------------
Slot  Blacklist  State       ACL   ACLIPv6
----------------------------------------------
1     1          Successful  2001  --
----------------------------------------------
Fail reason:
(3): Some fields in the ACL rule referenced are not supported.
==============================================

Table 16-74 Description of the display cpu-defend policy command output
display cpu-defend rate

Function
The display cpu-defend rate command displays the rate of sending protocol packets to the CPU.

Format
display cpu-defend rate [ packet-type packet-type ] { all | slot slot-id }

Parameters

Default Level
1: Monitoring level

Usage Guidelines
You can run the display cpu-defend rate command to view the rate at which protocol packets are sent to the CPU when checking the configuration of an attack defense policy. The rate shows which protocol types may be attacking the CPU.
To protect the CPU and avoid affecting other services, the device counts protocol packets only for a fixed period after you run the display cpu-defend rate command, computes the rate from that increment, and then displays it on the terminal. After you run this command, a message asks you to wait for a moment.

Example
# Display the rate of ARP packets sent from the device to the CPU.
<HUAWEI> display cpu-defend rate packet-type arp slot 1
Info: Please wait for a moment...
Rate(PPS) on slot 1 :
---------------------------------------------------------------
PacketType          Passed           Dropped
---------------------------------------------------------------
arp                 0                0
---------------------------------------------------------------

Table 16-75 Description of the display cpu-defend rate command output
display cpu-defend rate enp

Function
The display cpu-defend rate enp command displays the rate of packets for which rate limiting in enhanced mode is performed.
This command is available only for the CE6875EI.

Format
display cpu-defend rate enp packet-type packet-type { all | slot slot-id }

Parameters

Default Level
1: Monitoring level

Usage Guidelines
You can run the display cpu-defend rate enp command to view the rate of packets for which rate limiting in enhanced mode is performed when checking the configuration of an attack defense policy.

Example
# Display the rate of packets for which rate limiting in enhanced mode is performed. (CE6875EI)
<HUAWEI> display cpu-defend rate enp packet-type bfd all
Info: Please wait for a moment...
Rate(PPS) on slot 1 :
---------------------------------------------------------------
PacketType Passed Dropped
---------------------------------------------------------------
bfd 0 0
---------------------------------------------------------------

Table 16-76 Description of the display cpu-defend rate enp command output
display cpu-defend statistics

Function
The display cpu-defend statistics command displays statistics on packets sent to the CPU.

Format

Parameters

Default Level
1: Monitoring level

Usage Guidelines
The display cpu-defend statistics command displays statistics on packets sent to the CPU, including the number of forwarded and discarded packets. This helps the network administrator configure attack defense policies.
In versions earlier than V200R003C00 of CE6870EI and CE6875EI switches, after a blacklist or filter is configured, you can directly run the display cpu-defend { blacklist | filter } statistics [ slot slot-id ] command to view statistics about packets sent to the CPU based on the blacklist or filter. When the system software is upgraded to V200R003C00 or a later version, after a blacklist or filter is configured, you must run the cpu-defend-policy statistics enable command first, and then run the display cpu-defend { blacklist | filter } statistics [ slot slot-id ] command to view these statistics.

Example
# Display all CAR statistics on the devices.
<HUAWEI> display cpu-defend statistics all
Statistics(packets) on slot 1 :
--------------------------------------------------------------------------------
PacketType          Total Passed     Total Dropped    Last Dropping Time
                    Last 5 Min Passed  Last 5 Min Dropped
--------------------------------------------------------------------------------
8021x               0                0                -
                    0                0
aaa                 0                0                -
                    0                0
arp                 0                0                -
                    0                0
arp-miss            0                0                -
                    0                0
bfd                 0                0                -
                    0                0
bgp                 0                0                -
                    0                0
bpdu-tunnel         0                0                -
                    0                0
common              0                0                -
                    0                0
dhcp                0                0                -
                    0                0
dldp                0                0                -
                    0                0
......
--------------------------------------------------------------------------------
The preceding information is an example. The displayed packet type depends on the actual situation.

Table 16-77 Description of the display cpu-defend statistics command output
# Display statistics on historical packets from slot 1 to the CPU. <HUAWEI> display cpu-defend statistics history slot 1
Statistics(packets) on slot 1 :
--------------------------------------------------------------------------------
PacketType Time Period Passed Dropped
--------------------------------------------------------------------------------
arp 2014-10-23 13:00~2014-10-23 15:01 75305 127170
arp 2014-10-23 15:01~2014-10-23 17:01 76095 128925
dhcp 2014-10-23 19:01~2014-10-23 19:51 32131 3722
telnet 2014-10-23 19:01~2014-10-23 19:51 26807 18442
--------------------------------------------------------------------------------
Table 16-78 Description of the display cpu-defend statistics history command output
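The statistics output above is the signal a detection pipeline watches for control-plane pressure: a type whose Total Dropped keeps climbing is being rate-limited, and a non-zero Last 5 Min Dropped means it is happening now. The following parser is an added example, not Huawei code. It handles the two-line row layout shown in this reference (totals and last dropping time on the first line, the last-5-minute counters on the second) as well as rows that arrive on a single line, and reports which packet types dropped traffic recently. The sample output is constructed for illustration.

```python
"""Parse 'display cpu-defend statistics' output and flag recent drops.

Added example, not Huawei code. SAMPLE_OUTPUT is constructed in the two-line
row layout this reference shows: totals and the last dropping time on the
first line, the last-5-minute counters on the second.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample output for one slot.
SAMPLE_OUTPUT = """\
Statistics(packets) on slot 1 :
--------------------------------------------------------------------------------
PacketType          Total Passed     Total Dropped    Last Dropping Time
                    Last 5 Min Passed  Last 5 Min Dropped
--------------------------------------------------------------------------------
arp                 75305            127170           2014-10-23 15:01
                    1200             3400
bfd                 0                0                -
                    0                0
telnet              26807            18442            2014-10-23 19:51
                    300              0
--------------------------------------------------------------------------------
"""


@dataclass
class PacketStats:
    packet_type: str
    total_passed: int
    total_dropped: int
    last_drop_time: str              # "-" when nothing has ever been dropped
    last5_passed: Optional[int] = None
    last5_dropped: Optional[int] = None

    def drop_ratio(self) -> float:
        """Share of all packets of this type that the CAR discarded."""
        seen = self.total_passed + self.total_dropped
        return self.total_dropped / seen if seen else 0.0


def _is_int(tok: str) -> bool:
    return tok.isdigit()


def parse_statistics(text: str) -> Dict[str, PacketStats]:
    """Return one PacketStats per packet type, keyed by type name."""
    stats: Dict[str, PacketStats] = {}
    current: Optional[PacketStats] = None
    for raw in text.splitlines():
        tokens = raw.split()
        # Skip blank lines, separators, the slot banner and both header lines.
        if not tokens or tokens[0].startswith("-") or tokens[0].startswith("Statistics"):
            continue
        if tokens[0] == "PacketType" or "Passed" in tokens or "Dropped" in tokens:
            continue
        if len(tokens) == 2 and all(map(_is_int, tokens)) and current is not None:
            # Continuation line: last-5-minute counters for the row above.
            current.last5_passed, current.last5_dropped = int(tokens[0]), int(tokens[1])
            continue
        if len(tokens) < 4 or not (_is_int(tokens[1]) and _is_int(tokens[2])):
            continue  # e.g. the trailing "......" of a truncated listing
        name, passed, dropped, rest = tokens[0], int(tokens[1]), int(tokens[2]), tokens[3:]
        last5 = (None, None)
        if len(rest) >= 3 and _is_int(rest[-1]) and _is_int(rest[-2]):
            # Single-line variant: the last-5-minute counters follow the time.
            last5 = (int(rest[-2]), int(rest[-1]))
            rest = rest[:-2]
        current = PacketStats(name, passed, dropped, " ".join(rest), *last5)
        stats[name] = current
    return stats


def recent_drops(stats: Dict[str, PacketStats]) -> List[str]:
    """Packet types that dropped traffic within the last five minutes."""
    return sorted(n for n, s in stats.items() if (s.last5_dropped or 0) > 0)


if __name__ == "__main__":
    parsed = parse_statistics(SAMPLE_OUTPUT)
    for name in recent_drops(parsed):
        s = parsed[name]
        print(f"{name}: {s.last5_dropped} dropped in last 5 min, "
              f"lifetime drop ratio {s.drop_ratio():.1%}, last drop {s.last_drop_time}")
```

Poll the command on an interval shorter than five minutes so that a burst cannot hide between samples, and pair the parsed Last Dropping Time with the display auto-defend attack-source output from the same window to attribute the drops to a source.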
display cpu-defend statistics enp

Function
The display cpu-defend statistics enp command displays statistics about packets for which rate limiting in enhanced mode is performed.
This command is available only for the CE6875EI.

Format
display cpu-defend statistics [ history ] enp packet-type packet-type { all | slot slot-id }

Parameters

Default Level
1: Monitoring level

Usage Guidelines
The display cpu-defend statistics enp command displays packet statistics, including the number of forwarded and discarded packets. The information helps the network administrator configure attack defense policies.

Example
# Display statistics about BFD packets for which rate limiting in enhanced mode is performed. (CE6875EI)
<HUAWEI> display cpu-defend statistics enp packet-type bfd all
Statistics(packets) on slot 2 :
--------------------------------------------------------------------------------
PacketType Total Passed Total Dropped Last Dropping Time
Last 5 Min Passed Last 5 Min Dropped
--------------------------------------------------------------------------------
bfd 0 0 -
0 0
--------------------------------------------------------------------------------

Table 16-79 Description of the display cpu-defend statistics enp command output
display fei security table cpcar

Function
The display fei security table cpcar command displays CPCAR-related entries in the CPU-Defend function.

Format
display fei security table cpcar [ slot slot-id ]

Parameters

Default Level
1: Monitoring level

Example
# Display CPCAR-related entries.
<HUAWEI> display fei security table cpcar
Cpu-defend Protocol CPCAR-table:
----------------------------------------------------------------------
slot 1
PacketType CAR Queue RealCar SoftQueue
----------------------------------------------------------------------
STACK 2048 0 2048 0
IPS 4096 1 4096 1
IPS-PROTOCOL 2048 2 2048 2
RSV 512 3 512 3
RSV 128 4 128 4
RSV 128 5 128 5
RSV 128 6 128 6
RSV 128 7 128 7
DEFAULT 128 8 128 8
RSV 128 9 128 9
MACLEARN 256 10 256 10
STACKTEMP 128 11 128 11
ND-DAD 512 12 512 12
……

Table 16-80 Description of the display fei security table cpcar command output
display fei security table cpcar-linkup

Function
The display fei security table cpcar-linkup command displays CPCAR-related entries during protocol connection establishment in the CPU-Defend function.

Format
display fei security table cpcar-linkup [ slot slot-id ]

Parameters

Default Level
1: Monitoring level

Example
# Display CPCAR-related entries during protocol connection establishment.
<HUAWEI> display fei security table cpcar-linkup
Linkup Information on slot 3:
--------------------------------------------------------------------------------
PacketType Car(pps) Source Address Source Port
Destination Address Destination Port
--------------------------------------------------------------------------------
FTP 1536 1.1.1.1 4294967295
2.2.2.2 4294967295
Telnet 1536 3.3.3.3 65163
4.4.4.4 23
--------------------------------------------------------------------------------

Table 16-81 Description of the display fei security table cpcar-linkup command output
filter

Function
The filter command configures a filter.
The undo filter command deletes a filter.
By default, no filter is available on a device.

Format
filter packet-type arp acl acl-number
undo filter packet-type arp [ acl acl-number ]
filter packet-type { icmp | igmp | ospf | dhcp } acl acl-number
undo filter packet-type { icmp | igmp | ospf | dhcp } [ acl acl-number ]
filter packet-type { icmpv6 | ospfv3 | dhcpv6 } acl ipv6 acl6-number
undo filter packet-type { icmpv6 | ospfv3 | dhcpv6 } [ acl ipv6 acl6-number ]
filter packet-type { snmp | dns | ftp | telnet | ssh | bgp } acl { acl-number | ipv6 acl6-number }
undo filter packet-type { snmp | dns | ftp | telnet | ssh | bgp } [ acl { acl-number | ipv6 acl6-number } ]

Parameters

Views
Attack defense policy view

Default Level
2: Configuration level

Usage Guidelines
If a user sends attack packets to the device, you can specify the characteristics of these packets in an ACL and apply the ACL to the filter. When packets from this user reach the device, the device permits or discards them based on the ACL rule.
A protocol in a filter can be bound to only one ACL or IPv6 ACL. If you bind multiple ACLs or IPv6 ACLs to a filter, only the last one takes effect.
When the protocols specified in the filter and in the ACL differ, the device uses the protocol specified in the filter. For example, if a filter is configured for the DHCP protocol (UDP packets) while the protocol parameter in the ACL is set to TCP, the device still filters DHCP packets.

Example
# Apply ACL 3001 to the filter for ICMP packets.
<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test
[*HUAWEI-cpu-defend-policy-test] filter packet-type icmp acl 3001

reset auto-defend attack-source

Function
The reset auto-defend attack-source command clears information about attack sources.

Format
reset auto-defend attack-source [ statistics ] [ slot slot-id ]
Only the CE6870EI and CE6875EI support the statistics parameter.

Parameters
Default Level
3: Management level

Usage Guidelines
Usage Scenario
To view the latest attack source information on the device, run the reset auto-defend attack-source command to delete the existing attack source information, wait for a period of time, and then run the display auto-defend attack-source command.

Precautions
After the reset auto-defend attack-source command is run, information about attack sources is cleared and cannot be restored.

Example
# Delete existing attack source information on the device.
<HUAWEI> reset auto-defend attack-source

reset auto-defend attack-source trace-type

Function
The reset auto-defend attack-source trace-type command clears the counter of traced packets after attack source tracing based on source MAC addresses, source IP addresses, or source ports+VLANs is configured.

Format
reset auto-defend attack-source trace-type { source-mac [ mac-address ] | source-ip [ ip-address | ipv6-address ] | source-portvlan [ interface interface-type interface-number vlan vlan-id [ inner-vlan inner-vlan-id ] ] } * [ slot slot-id ]

Parameters

Default Level
3: Management level

Usage Guidelines
Usage Scenario
To view information about attack sources in a specified period, run the reset auto-defend attack-source trace-type command to clear existing information about attack sources and then run the display auto-defend attack-source command.

Precautions
After the reset auto-defend attack-source trace-type command is run, information about attack sources is cleared and cannot be restored.

Example
# Clear the counter of traced packets sent from IP address 10.1.1.1.
<HUAWEI> reset auto-defend attack-source trace-type source-ip 10.1.1.1

reset cpu-defend statistics

Function
The reset cpu-defend statistics command clears statistics on packets sent to the CPU.

Format
Parameters
Default Level
3: Management level

Usage Guidelines
Usage Scenario
To view statistics on the packets sent to the CPU in a specified period, run the reset cpu-defend statistics command to clear existing statistics and then run the display cpu-defend statistics command.

Precautions
The deleted packet statistics cannot be restored.

Example
# Clear statistics on BGP packets on the board in slot 1.
<HUAWEI> reset cpu-defend statistics packet-type bgp slot 1

reset cpu-defend statistics enp

Function
The reset cpu-defend statistics enp command clears statistics about packets for which rate limiting in enhanced mode is performed.
This command is available only for the CE6875EI.

Format
reset cpu-defend statistics enp packet-type packet-type { all | slot slot-id }

Parameters

Default Level
3: Management level

Usage Guidelines
Usage Scenario
To view statistics about the packets rate-limited by the switch within a specified period, run the reset cpu-defend statistics enp command to clear existing statistics and then run the display cpu-defend statistics enp command to display new statistics.

Precautions
After the reset cpu-defend statistics enp command is run, packet statistics are cleared and cannot be restored.

Example
# Clear statistics about BFD packets for which rate limiting in enhanced mode is performed. (CE6875EI)
<HUAWEI> reset cpu-defend statistics enp packet-type bfd all