auto-defend attack-packet sample

Function

The auto-defend attack-packet sample command sets the packet sampling ratio for attack source tracing.

The undo auto-defend attack-packet sample command restores the default packet sampling ratio.

By default, the packet sampling ratio is 8. That is, one packet is sampled in every 8 packets.

Format

auto-defend attack-packet sample sample-value

undo auto-defend attack-packet sample

Parameters

Parameter

Description

Value

sample-value

Specifies the packet sampling ratio for attack source tracing.

The value is an integer that ranges from 1 to 1024.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Attack source tracing samples the packets sent to the CPU and identifies attacks from the samples, so attack packet identification and packet rate calculation carry a sampling error. A suitable sampling ratio keeps that error acceptable. A smaller ratio (more packets sampled) makes the attack source tracing result more accurate but increases CPU usage. For example, with a sampling ratio of 1 every packet is sampled: the result is exact, but CPU usage is high because every packet has to be parsed.

The auto-defend attack-packet sample command sets the sampling ratio. You can set a proper value based on the requirements of attack source tracing precision and CPU usage.

Prerequisites

Attack source tracing has been enabled using the auto-defend enable command.

Precautions

The impact of the sampling ratio on the tracing result grows as the attack source tracing threshold (auto-defend threshold) gets smaller, because a rate estimated from sampled packets can only be resolved in steps of the sampling ratio. Use a smaller sampling ratio when you rely on a small threshold.
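
The following Python model is an added example, not code from the Huawei command reference, illustrating the usage scenario and precaution above. It assumes (my assumption, not stated on the page) that the device inspects one packet in every sample-value packets and estimates a source's rate as sampled packets times the ratio per window. The traffic mix is constructed, not captured.

```python
"""Added example, not from the Huawei command reference: a model of how the
sampling ratio (auto-defend attack-packet sample) limits what the checking
threshold (auto-defend threshold) can resolve.

Assumption (mine, not stated on the page): the device inspects one packet in
every `sample_ratio` and estimates a source's rate as sampled packets times
the ratio per window. The traffic mix below is constructed, not captured."""
import random
from typing import Dict, List

# Constructed one-second traffic mix: packets per second per source IP.
TRAFFIC_PPS: Dict[str, int] = {"10.0.0.1": 400, "10.0.0.2": 50, "10.0.0.3": 12}


def build_stream(traffic_pps: Dict[str, int], seed: int = 7) -> List[str]:
    """Packets reaching the CPU in one window, interleaved with a seeded
    shuffle so that 1-in-N sampling does not lock onto a single source."""
    stream = [src for src, pps in traffic_pps.items() for _ in range(pps)]
    random.Random(seed).shuffle(stream)
    return stream


def sampled_counts(stream: List[str], sample_ratio: int, phase: int = 0) -> Dict[str, int]:
    """Per-source counts when only every sample_ratio-th packet is parsed,
    starting at offset `phase` (the packet the sampler happens to start on)."""
    counts: Dict[str, int] = {}
    for i in range(phase, len(stream), sample_ratio):
        counts[stream[i]] = counts.get(stream[i], 0) + 1
    return counts


def estimated_pps(stream: List[str], sample_ratio: int, phase: int = 0,
                  window_s: float = 1.0) -> Dict[str, float]:
    """Scale the sampled counts back up. The device cannot see finer than
    sample_ratio packets per window, so estimates move in steps of ratio/window."""
    return {src: n * sample_ratio / window_s
            for src, n in sampled_counts(stream, sample_ratio, phase).items()}


def traced(stream: List[str], sample_ratio: int, threshold_pps: float,
           phase: int = 0) -> List[str]:
    """Sources whose estimated rate exceeds the checking threshold."""
    est = estimated_pps(stream, sample_ratio, phase)
    return sorted(src for src, pps in est.items() if pps > threshold_pps)


def verdicts_by_phase(stream: List[str], sample_ratio: int,
                      threshold_pps: float, src: str) -> List[bool]:
    """Whether `src` is traced under each of the sample_ratio possible sampler
    offsets. A mix of True and False means the verdict depends on the sampling
    phase rather than on the traffic."""
    return [src in traced(stream, sample_ratio, threshold_pps, p)
            for p in range(sample_ratio)]
```

With the default ratio of 8 and the default threshold of 128 pps, 10.0.0.1 (400 pps) is traced at every sampling phase and 10.0.0.3 (12 pps) never is, because 12 sampled packets cannot scale past 96 pps. Lower the threshold to 10 pps and 10.0.0.3 is traced at some phases and missed at others, which is the precaution above in numbers: the smaller the threshold, the more the ratio decides the outcome.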

Example

# Set the sampling ratio for attack source tracing in the attack defense policy named test to 2.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test
[*HUAWEI-cpu-defend-policy-test] auto-defend enable
[*HUAWEI-cpu-defend-policy-test] auto-defend attack-packet sample 2

auto-defend enable

Function

The auto-defend enable command enables automatic attack source tracing.

The undo auto-defend enable command disables automatic attack source tracing.

By default, attack source tracing is disabled.

Format

auto-defend enable

undo auto-defend enable

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A flood of attack packets sent to the CPU can overload it. Attack source tracing enables the device to trace the attack sources and send logs or alarms so that the administrator can take measures against the attack. By default, logs are generated when attack source tracing is enabled.

After automatic attack source tracing is enabled, the device traces the source of the specified packets sent to the CPU. The packet type can be set using the auto-defend protocol command.

Precautions

  • Attack source tracing configured in an attack defense policy takes effect only when the attack defense policy is applied in the system view.
  • After the auto-defend enable command is run, the following three commands are configured by default:
    • auto-defend alarm enable
    • auto-defend trace-type source-mac source-ip
    • auto-defend protocol all
  • After the attack source tracing function for ICMP packets is enabled on the device, the fast ICMP reply function does not take effect.

Example

# Enable attack source tracing in the attack defense policy named test.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test
[*HUAWEI-cpu-defend-policy-test] auto-defend enable

auto-defend action

Function

The auto-defend action command enables the attack source punish function and specifies the punish action.

The undo auto-defend action command disables the attack source punish function.

By default, the attack source punish function is disabled.

Format

auto-defend action { deny [ timeout time-length ] | error-down }

undo auto-defend action [ deny [ timeout time-length ] | error-down ]

Parameters

Parameter

Description

Value

deny

Discards packets sent from an attack source.

-

timeout time-length

Specifies the period during which packets sent from an identified attack source are discarded.

The value ranges from 1 to 86400, in seconds. The default value is 300.

error-down

Shuts down an interface that receives attack packets.

-

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The attack source tracing process consists of four phases: packet parsing, traffic analysis, attack source identification, and attack source punishment. The auto-defend action command configures the punishment phase: the device either discards packets sent from the identified source or sets the interface that receives the attack packets to Error-Down.

The device records the status of an interface as Error-Down when it detects that a fault occurs. The interface in Error-Down state cannot receive or send packets and the interface indicator is off.

Prerequisites

Attack source tracing has been enabled using the auto-defend enable command.

Precautions

If you run the auto-defend action command multiple times, only the latest configuration takes effect.

After the auto-defend action is set to deny, the device discards packets when being attacked. The configuration result can be verified using the display auto-defend attack-source command.

The device does not take punish actions on attack sources of whitelist users.

If the device sets the interface that receives the attack packets to Error-Down, services of legitimate users on that interface are interrupted as well. Exercise caution when you configure the device to shut down the interface.

Follow-up Procedure

When an interface enters the Error-Down state, it is recommended that you identify the attack source and remove the attack first, and then recover the interface status.

An interface in Error-Down state can be recovered using either of the following methods:

  • Manual recovery (after an Error-Down event occurs):

    If a few interfaces need to be recovered, run the shutdown and undo shutdown commands in the interface view. Alternatively, run the restart command in the interface view to restart the interfaces.

  • Automatic recovery (before an Error-Down event occurs):

    If a large number of interfaces need to be recovered, manual recovery is time consuming and some interfaces may be omitted. To avoid this problem, you can run the error-down auto-recovery cause auto-defend interval command in the system view to enable automatic interface recovery and set the recovery delay time. You can run the display error-down recovery command to view information about automatic interface recovery.

    This method does not take effect on interfaces that are already in Error-Down state. It is effective only on interfaces that enter the Error-Down state after this configuration is complete.

Example

# Configure the device to discard packets from an identified attack source for 10 seconds.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test 
[*HUAWEI-cpu-defend-policy-test] auto-defend enable
[*HUAWEI-cpu-defend-policy-test] auto-defend action deny timeout 10

auto-defend alarm enable

Function

The auto-defend alarm enable command enables the event reporting function for attack source tracing.

The undo auto-defend alarm enable command disables the event reporting function for attack source tracing.

By default, the event reporting function for attack source tracing is enabled.

Format

auto-defend alarm enable

undo auto-defend alarm enable

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the number of packets of a specified protocol from an attack source exceeds the threshold in a specified period, the device reports an event to the administrator so that the administrator can take measures to protect the device.

Prerequisites

Attack source tracing has been enabled using the auto-defend enable command.

Follow-up Procedure

Run the auto-defend alarm threshold command to set the event reporting threshold for attack source tracing.

Example

# Enable the event reporting function in the attack defense policy test.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test
[*HUAWEI-cpu-defend-policy-test] auto-defend enable
[*HUAWEI-cpu-defend-policy-test] auto-defend alarm enable

auto-defend alarm threshold

Function

The auto-defend alarm threshold command sets the event reporting threshold for attack source tracing.

The undo auto-defend alarm threshold command restores the default event reporting threshold for attack source tracing.

By default, the event reporting threshold for attack source tracing is 128 pps.

Format

auto-defend alarm threshold threshold

undo auto-defend alarm threshold

Parameters

Parameter

Description

Value

threshold

Specifies the event reporting threshold for attack source tracing.

The value is an integer that ranges from 1 to 65535, in pps.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the number of packets of a specified protocol from an attack source exceeds the threshold in a specified period, the device reports an event to the administrator so that the administrator can take measures to protect the device.

Prerequisites

Attack source tracing has been enabled using the auto-defend enable command, and the event reporting function has been enabled using the auto-defend alarm enable command.

Precautions

If you run the auto-defend alarm threshold command in the same attack defense policy view multiple times, only the latest configuration takes effect.

Example

# Set the event reporting threshold for attack source tracing in the attack defense policy named test to 300 pps.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test
[*HUAWEI-cpu-defend-policy-test] auto-defend enable
[*HUAWEI-cpu-defend-policy-test] auto-defend alarm enable
[*HUAWEI-cpu-defend-policy-test] auto-defend alarm threshold 300

auto-defend protocol

Function

The auto-defend protocol command specifies the types of protocol packets that the device monitors in attack source tracing.

The undo auto-defend protocol command deletes specified types of protocol packets that the device monitors in attack source tracing.

By default, the device traces sources of ARP, DHCP, DHCPv6, ICMP, ICMPv6, ND, IGMP, and TTL-expired packets in attack source tracing (and MLD packets on models that support the mld parameter), which is what auto-defend protocol all configures.

Format

auto-defend protocol { all | { arp | dhcp | dhcpv6 | icmp | icmpv6 | igmp | mld | nd | ttl-expired } * }

undo auto-defend protocol { arp | dhcp | dhcpv6 | icmp | icmpv6 | igmp | mld | nd | ttl-expired } *

CE5880EI and CE6880EI do not support the mld parameter.

Parameters

Parameter

Description

Value

all

Configures the device to trace sources of ARP, DHCP, DHCPv6, ICMP, ICMPv6, MLD, ND, IGMP, and TTL-expired packets in attack source tracing.

-

arp

Adds Address Resolution Protocol (ARP) packets to the list of traced packets or deletes ARP packets from the list.

NOTE:

Attack source tracing does not take effect on ARP unicast packets.

-

dhcp

Adds Dynamic Host Configuration Protocol (DHCP) packets to the list of traced packets or deletes DHCP packets from the list.

-

dhcpv6

Adds DHCPv6 packets to the list of traced packets or deletes DHCPv6 packets from the list.

-

icmp

Adds Internet Control Message Protocol (ICMP) packets to the list of traced packets or deletes ICMP packets from the list.

-

icmpv6

Adds ICMPv6 packets to the list of traced packets or deletes ICMPv6 packets from the list.

-

igmp

Adds Internet Group Management Protocol (IGMP) packets to the list of traced packets or deletes IGMP packets from the list.

-

mld

Adds Multicast Listener Discovery Protocol (MLD) packets to the list of traced packets or deletes MLD packets from the list.

-

nd

Adds Neighbor Discovery Protocol (ND) packets to the list of traced packets or deletes ND packets from the list.

-

ttl-expired

Adds the packets with TTL or hop limit value being 1 to the traced packet list or deletes the packets with TTL or hop limit value being 1 from the list.

-

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The attack source tracing process consists of four phases: packet parsing, traffic analysis, attack source identification, and attack source punishment. The auto-defend protocol command is applied in the packet parsing phase. Because you usually do not know in advance which packet types an attack will use, the auto-defend protocol command lets you specify flexibly which packet types are traced.

Prerequisites

Attack source tracing has been enabled using the auto-defend enable command.

Precautions

If a packet type is specified, when the device is attacked and the attack source is traced, you can run the display auto-defend attack-source command to view attack source information.

Example

# Delete IGMP and TTL-expired packets from the list of traced packets.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test
[*HUAWEI-cpu-defend-policy-test] auto-defend enable
[*HUAWEI-cpu-defend-policy-test] undo auto-defend protocol igmp ttl-expired

auto-defend threshold

Function

The auto-defend threshold command sets the checking threshold for attack source tracing.

The undo auto-defend threshold command restores the default checking threshold for attack source tracing.

By default, the checking threshold for attack source tracing is 128 pps.

Format

auto-defend threshold threshold

undo auto-defend threshold

Parameters

Parameter

Description

Value

threshold

Specifies the checking threshold for attack source tracing.

The value is an integer that ranges from 1 to 65535, in pps.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After attack source tracing is enabled, you can set the checking threshold for attack source tracing. When the number of sent protocol packets from an attack source in a specified period exceeds the checking threshold, the device traces and logs the attack source.

Prerequisites

Attack source tracing has been enabled using the auto-defend enable command.

Precautions

If you run the auto-defend threshold command in the same attack defense policy view multiple times, only the latest configuration takes effect.

After the auto-defend enable command is executed, the device traces the attack source based on the default threshold even if the auto-defend threshold command is not used.

Example

# Set the checking threshold for attack source tracing in the attack defense policy named test to 200 pps.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test
[*HUAWEI-cpu-defend-policy-test] auto-defend enable
[*HUAWEI-cpu-defend-policy-test] auto-defend threshold 200

auto-defend trace-type

Function

The auto-defend trace-type command configures an attack source tracing mode.

The undo auto-defend trace-type command deletes an attack source tracing mode.

By default, attack source tracing is based on source MAC addresses and source IP addresses.

Format

auto-defend trace-type { source-mac | source-ip | source-portvlan } *

undo auto-defend trace-type { source-mac | source-ip | source-portvlan } *

Parameters

Parameter

Description

Value

source-mac

Configures attack source tracing based on source MAC addresses, so that the device classifies packets and collects statistics by source MAC address to identify the attack source.

-

source-ip

Configures attack source tracing based on source IP addresses, so that the device classifies packets and collects statistics by source IP address to identify the attack source.

-

source-portvlan

Configures attack source tracing based on source port+VLAN, so that the device classifies packets and collects statistics by source port and VLAN to identify the attack source.

-

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After enabling attack source tracing, you can specify one or more attack source tracing modes. The device then uses the specified modes to trace attack sources.

The device supports the following attack source tracing modes:

  • Source IP address-based tracing: defends against Layer 3 attack packets.
  • Source MAC address-based tracing: defends against Layer 2 attack packets with a fixed source MAC address.
  • Source port+VLAN based tracing: defends against Layer 2 attack packets with different source MAC addresses.

Prerequisites

Attack source tracing has been enabled using the auto-defend enable command.

Precautions

After the attack source tracing function is enabled on the device, you can run the display auto-defend attack-source command to view attack source tracing information if an attack occurs.

If the attack source tracing function is enabled by using the auto-defend enable command, you cannot run the undo auto-defend trace-type source-mac source-ip source-portvlan command to delete all source tracing modes.

Example

# Configure attack source tracing based on source MAC addresses.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test 
[*HUAWEI-cpu-defend-policy-test] auto-defend enable
[*HUAWEI-cpu-defend-policy-test] auto-defend trace-type source-mac

auto-defend whitelist

Function

The auto-defend whitelist command configures a whitelist for attack source tracing. The device does not trace the source of users in the whitelist.

The undo auto-defend whitelist command deletes a whitelist for attack source tracing.

By default, no whitelist is configured.

Format

auto-defend whitelist whitelist-number { acl { acl-number | ipv6 acl6-number } | interface interface-type interface-number }

undo auto-defend whitelist whitelist-number

Parameters

Parameter

Description

Value

whitelist-number

Specifies the number of a whitelist.

The value is an integer that ranges from 1 to 32.

acl acl-number

Specifies the number of an ACL referenced by a whitelist.

The value is an integer that ranges from 2000 to 4999.

  • 2000 to 2999: basic ACLs
  • 3000 to 3999: advanced ACLs
  • 4000 to 4999: Layer 2 ACLs

acl ipv6 acl6-number

Specifies the number of an ACL6 referenced by a whitelist.

The value is an integer that ranges from 2000 to 3999.

  • 2000 to 2999: basic ACL6s
  • 3000 to 3999: advanced ACL6s

interface interface-type interface-number

Specifies the interface to which the whitelist is applied.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Attack source tracing helps locate and punish sources of denial of service (DoS) attacks. If some users do not need to be traced regardless of whether an attack occurs, run the auto-defend whitelist command to configure a whitelist for users.

Prerequisites

Attack source tracing has been enabled using the auto-defend enable command.

Precautions

Before referencing an ACL in a whitelist, create the ACL and configure rules.

If the ACL referenced by the whitelist matches specific protocols, make sure that packets of those protocols are actually among the traced packet types; otherwise the whitelist entry has nothing to exempt. If a protocol is not yet traced, run the auto-defend protocol command to add it.

Example

# Add source IP addresses 10.1.1.1 and 10.1.1.2 to the whitelist for attack source tracing.

<HUAWEI> system-view
[~HUAWEI] acl 2000
[*HUAWEI-acl4-basic-2000] rule permit source 10.1.1.1 0
[*HUAWEI-acl4-basic-2000] rule permit source 10.1.1.2 0
[*HUAWEI-acl4-basic-2000] quit
[*HUAWEI] cpu-defend policy test
[*HUAWEI-cpu-defend-policy-test] auto-defend enable
[*HUAWEI-cpu-defend-policy-test] auto-defend whitelist 1 acl 2000

auto-port-defend protocol disable

Function

The auto-port-defend protocol disable command disables the port-based automatic local attack defense function.

The undo auto-port-defend protocol disable command enables the port-based automatic local attack defense function.

By default, port-based automatic local attack defense is enabled.

Format

auto-port-defend protocol { arp-request | dhcp | multicast | ospf | nd | vrrp } disable

undo auto-port-defend protocol { arp-request | dhcp | multicast | ospf | nd | vrrp } disable

The CE5880EI and CE6880EI support only the arp-request parameter.

Parameters

Parameter

Description

Value

arp-request

Specifies ARP Request packets.

-

dhcp

Specifies DHCP packets.

-

multicast

Specifies multicast packets.

-

ospf

Specifies OSPF packets.

-

nd

Specifies ND packets.

-

vrrp

Specifies VRRP packets.

-

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a protocol is enabled, the switch automatically assigns a queue to packets of that protocol and a default CAR value to the queue. If one port receives a large number of packets of the protocol and sends them to the CPU, it consumes most of the queue's CAR budget, so the other ports can send packets of this protocol to the CPU only at a low rate or not at all, which affects services. Port-based automatic local attack defense resolves this. When the number of protocol packets received on a single port exceeds 75% of the default CAR value, or the sum for the two ports receiving the most protocol packets exceeds 85% of the default CAR value, the protocol packets received on those ports are moved to a queue with a smaller CAR value. This prevents them from starving protocol packets from the other, normal ports.

Precautions

After ARP rate limiting is enabled on all ports, port-based automatic local attack defense for ARP packets does not take effect.

If port-based automatic local attack defense has been triggered on fewer than two ports because of MAC address flapping and MAC address flapping then occurs on another port, the function is also triggered on that port: all protocol packets it receives are placed into a queue with a smaller CAR value. Once the MAC address flapping on that port is resolved, port-based automatic local attack defense is no longer triggered on it.

Port-based automatic local attack defense takes effect only on the move ports (interfaces to which MAC addresses flap) of the local device.

After the NS multicast suppression function is enabled, port-based automatic local defense does not take effect for ND proxy response packets and NS multicast-to-unicast packets.

On the CE6870EI and CE6875EI, port-based automatic local attack defense is triggered for VRRP packets when the rate of VRRP packets discarded within the last minute exceeds three times the CAR value of VRRP packets and the other basic conditions are met.

The port-based automatic local attack defense function checks only the ARP packets with destination MAC addresses being broadcast MAC addresses, OSPF packets with destination MAC addresses being multicast MAC addresses, VRRP packets with destination MAC addresses being multicast MAC addresses, and ND packets with destination MAC addresses starting with 0x3333.

On each switch, port-based automatic local attack defense takes effect only on a maximum of two ports.
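
The trigger logic described in the usage scenario and precautions above, as an added Python example that is not code from the Huawei command reference. The CAR values are invented for the example (real defaults are model-specific; check them with display cpu-defend configuration), and two details the page leaves open are my assumptions: when the top-two condition fires, both of those ports are moved, and when more than two ports qualify the busiest two are kept. The per-port counters are constructed, not captured.

```python
"""Added example, not from the Huawei command reference: the trigger logic of
port-based automatic local attack defense as the page describes it.

Assumptions (mine): the CAR values below are invented (real defaults are
model-specific; see display cpu-defend configuration); when the top-two
condition fires both of those ports are moved; and the two-port cap keeps the
busiest ports. Port counters are constructed, not captured."""
from typing import Dict, List

# Invented default CAR (pps) per protocol queue, for illustration only.
DEFAULT_CAR_PPS: Dict[str, int] = {"arp-request": 256, "dhcp": 128}

SINGLE_PORT_SHARE = 0.75   # one port above 75% of the queue's CAR
TOP_TWO_SHARE = 0.85       # the two busiest ports together above 85%
MAX_DEFENDED_PORTS = 2     # the page: at most two ports per switch


def defended_ports(protocol: str, port_pps: Dict[str, int],
                   car_pps: Dict[str, int] = DEFAULT_CAR_PPS) -> List[str]:
    """Ports whose `protocol` packets would be moved into the smaller-CAR
    queue, given per-port counts of that protocol's CPU-bound packets."""
    car = car_pps[protocol]
    ranked = sorted(port_pps.items(), key=lambda kv: (-kv[1], kv[0]))
    # Condition 1: any single port above 75% of the CAR.
    hits = [port for port, pps in ranked if pps > SINGLE_PORT_SHARE * car]
    # Condition 2: the two busiest ports together above 85% of the CAR.
    if len(ranked) >= 2 and ranked[0][1] + ranked[1][1] > TOP_TWO_SHARE * car:
        for port, _ in ranked[:2]:
            if port not in hits:
                hits.append(port)
    # Cap: keep the busiest ports when more than two qualify.
    hits.sort(key=lambda port: (-port_pps[port], port))
    return hits[:MAX_DEFENDED_PORTS]


def headroom_for_other_ports(protocol: str, port_pps: Dict[str, int],
                             car_pps: Dict[str, int] = DEFAULT_CAR_PPS) -> int:
    """CAR budget (pps) left in the normal queue for the ports that were not
    moved, which is what the defense exists to protect."""
    moved = set(defended_ports(protocol, port_pps, car_pps))
    used = sum(pps for port, pps in port_pps.items() if port not in moved)
    return max(car_pps[protocol] - used, 0)
```

For an ARP Request queue with a 256 pps CAR, a port sending 200 pps trips the single-port condition on its own (200 > 192), two ports at 120 and 110 pps trip only the combined condition (230 > 217.6), and three ports at 250, 240 and 230 pps all qualify but only the busiest two are moved, leaving the third to compete in the normal queue.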

Example

# In the attack defense policy view, disable port-based automatic local attack defense for ARP Request packets.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test
[*HUAWEI-cpu-defend-policy-test] auto-port-defend protocol arp-request disable

blacklist

Function

The blacklist command configures a blacklist.

The undo blacklist command deletes a blacklist.

By default, no blacklist is configured.

Format

blacklist blacklist-id acl { acl-number | ipv6 acl6-number } [ interface { interface-type interface-number1 [ to interface-type interface-number2 ] } &<1-8> ] [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-8> ]

undo blacklist blacklist-id [ acl { acl-number | ipv6 acl6-number } [ interface { interface-type interface-number1 [ to interface-type interface-number2 ] } &<1-8> ] [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-8> ] ]

Parameters

Parameter

Description

Value

blacklist-id

Specifies the ID of a blacklist.

The value is an integer that ranges from 1 to 8.

acl acl-number

Specifies the number of an ACL referenced by a blacklist.

The value is an integer that ranges from 2000 to 4999 or from 23000 to 23999.

  • 2000 to 2999: basic ACLs
  • 3000 to 3999: advanced ACLs
  • 4000 to 4999: Layer 2 ACLs
  • 23000 to 23999: ARP-based ACLs

    NOTE:

    The CE6870EI and CE6875EI do not support ARP-based ACLs.

interface { interface-type interface-number1 [ to interface-type interface-number2 ] } &<1-8>

Specifies the numbers of interfaces in the blacklist.

  • interface-type specifies the interface type.

  • interface-number1 specifies the first interface number.

  • interface-number2 specifies the last interface number.

interface-number2 must be greater than interface-number1.

vlan { vlan-id1 [ to vlan-id2 ] } &<1-8>

Specifies the VLAN IDs in the blacklist.

  • vlan-id1 specifies the first VLAN ID.

  • vlan-id2 specifies the last VLAN ID.

vlan-id2 must be greater than or equal to vlan-id1. They together determine a VLAN range.

acl ipv6 acl6-number

Specifies the number of an ACL6 referenced by a blacklist.

The value is an integer that ranges from 2000 to 3999.

  • 2000 to 2999: basic ACL6s
  • 3000 to 3999: advanced ACL6s

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To defend against malicious packet attacks, the device uses ACLs to add users with specific characteristics to a blacklist and discards the CPU-bound packets of those users.

A maximum of eight blacklists can be configured in an attack defense policy on the device.

The blacklists are restored in the ascending order of blacklist IDs (blacklist-id).

When an ACL rule in which the protocol type is set to TCP or UDP is applied to a blacklist, only 24 port number ranges can be configured.

When a blacklist references an ACL that matches the source IP address against unicast addresses or references a basic ACL with no matching rule configured, the blacklist does not take effect on the packets forwarded by the CE6870EI and CE6875EI.

For the CE6870EI and CE6875EI, the blacklist function does not take effect on STP, LDT, LLDP, CDP, DLDP, LACP, DAD, EFM, VBST, GVRP, CFM, BPDU, and M-LAG packets, on FCoE packets carrying VLAN information, or on GRE packets whose size exceeds a specific value (configurable using the mtu command).

For the CE6870EI and CE6875EI, if the forwarded packets match the blacklist that references a Layer 2 ACL, the packets are discarded and are not controlled by the filter.

Prerequisites

An ACL has been created using the acl command.

Example

# Specify ACL 2001 as the rule referenced by blacklist 2.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test
[*HUAWEI-cpu-defend-policy-test] blacklist 2 acl 2001

car (attack defense policy view)

Function

The car command sets the rate limit for packets sent to the CPU.

The undo car command restores the default rate limit for packets sent to the CPU.

The default rate limit depends on the packet type and device model. Run the display cpu-defend configuration command to check the current rate limit for each type of protocol packet.

Format

car packet-type packet-type pps pps-value

undo car packet-type packet-type

Parameters

Parameter

Description

Value

packet-type packet-type

Specifies the type of packets.

When a packet type is specified, the CAR value takes effect on this type of packets and these packets are put into an independent queue.

The supported packet type depends on the device.

For example:

  • mtu: indicates packets whose sizes exceed the MTU value.
  • ttl-expired: indicates packets whose TTL (IPv4) or hop limit (IPv6) is 1.
  • fib-hit: indicates packets with the destination IP address being the local address.
  • common: indicates a special queue. When queue resources are insufficient and rate limiting is configured for other packets, these packets will be delivered to the common queue.

NOTE:

For BFD packets, this command does not take effect on the CE6875EI.

pps pps-value

Specifies the rate limit.

The value is an integer that ranges from 10 to 10000, in pps. The valid range may differ between packet types.

NOTE:

If you do not set CPCAR for VRRP packets on a CE6870EI and CE6875EI, the CPCAR value for VRRP packets is dynamically changed along with the change of the number of VRRP groups. If you set a CPCAR value for VRRP packets, the CPCAR value for VRRP packets is fixed.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The switch has default CAR values for each type of protocol packet. You can adjust CAR values for specified types of protocol packets based on services and network environment.

After an attack defense policy is created, you can limit the rate of protocol packets using the policy:

  • Reduce the CAR values in the following situation: When a network undergoes an attack, reduce the CAR values of the corresponding protocol, to reduce impact on the system CPU.
  • Increase the CAR values in the following situation: When service traffic volume on the network increases, a large number of protocol packets need to be sent to the CPU. Increase the CAR values of the corresponding protocols to meet service requirements.

Precautions

If both the deny and car commands are run for a specified type of packets, the command configured later takes effect.

Example

# Configure the CAR in the attack defense policy named test and set the rate limit of ARP packets to 6400 pps.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test 
[*HUAWEI-cpu-defend-policy-test] car packet-type arp pps 6400

car enp

Function

The car enp command sets the rate limit for packets in enhanced mode.

The undo car enp command restores the default rate limit for packets in enhanced mode.

You can run the display cpu-defend configuration enp command to view the default rate limit of packets in enhanced mode.

This command is available only for the CE6875EI.

Format

car enp packet-type packet-type pps pps-value

undo car enp packet-type packet-type

Parameters

Parameter

Description

Value

packet-type packet-type

Specifies the type of packets.

The supported packet type depends on the device.

pps pps-value

Specifies the rate limit.

The value is an integer that ranges from 10 to 100000, in pps.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After an attack defense policy is created, the device can limit the rate of packets in either of the following modes:

  • Non-enhanced mode: The device uses the CPU to limit the rate of packets, which greatly affects CPU performance.
  • Enhanced mode: The device uses a built-in chip to limit the rate of packets, which therefore does not affect CPU performance and is not affected by other packets sent to the CPU, improving performance of corresponding features.

You can run the car enp command to enable the switch to limit the rate of packets in enhanced mode.

Precautions

If both the deny enp and car enp commands are run for a specified type of packets, the command configured later takes effect.

Example

# Set the rate limit of BFD packets in enhanced mode to 6400 pps.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test 
[*HUAWEI-cpu-defend-policy-test] car enp packet-type bfd pps 6400

car all-packets pps

Function

The car all-packets pps command limits the number of packets sent to the CPU per second.

The undo car all-packets pps command restores the default maximum number of packets sent to the CPU per second.

By default, a maximum of 5120 packets can be sent to the CPU of the device per second; on the CE5810EI, CE5850HI, and CE5855EI the default is 2048 packets per second.

Format

car all-packets pps packets

undo car all-packets

Parameters

pps packets
  Description: Specifies the maximum number of packets that are sent to the CPU per second.
  Value: The value is an integer that ranges from 1000 to 100000, in pps.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If a large number of packets are sent to the CPU, CPU performance deteriorates. The device limits the number of packets sent to the CPU per second to protect the CPU. The device provides 2-level CAR:

  1. Level-1 CAR: limits the number of packets based on packet type. This function is configured using the car command.
  2. Level-2 CAR: limits the total number of packets sent to the CPU regardless of protocol type or queue. This function is configured using the car all-packets pps command.

The car all-packets pps command is applicable to the scenario where burst packets are sent to the CPU. The maximum number of packets sent to the CPU specified using the car all-packets pps command must be smaller than that specified by level-1 CAR; otherwise, the car all-packets pps command takes no effect.
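The two-level model described above, as an added illustration rather than device code: the per-type CAR values, the offered load and the proportional way level-2 drops surplus packets are constructed assumptions (this page does not specify how the device schedules between the two levels). It shows that the aggregate limit set with car all-packets pps changes the outcome only when it lies below what level-1 CAR already admits, which is the reason the text requires it to be smaller.

```python
"""Two-level CAR model for packets sent to the CPU (illustrative only).

Level-1 CAR caps each packet type individually (the `car` command); level-2
CAR caps the total reaching the CPU regardless of type (`car all-packets pps`).
All limits and loads below are constructed sample values.
"""
from typing import Dict, Tuple

# Constructed level-1 CAR values (pps) per packet type, assumed to have been
# set with the `car` command in the attack defense policy.
LEVEL1_CAR_PPS: Dict[str, int] = {"arp": 128, "bgp": 1024, "bfd": 1024, "dhcp": 512}


def apply_level1(offered_pps: Dict[str, int], car: Dict[str, int]) -> Dict[str, int]:
    """Per-type cap: each type passes at most its own CAR value per second.
    A type with no CAR entry is treated as fully dropped (assumption)."""
    return {t: min(rate, car.get(t, 0)) for t, rate in offered_pps.items()}


def apply_level2(admitted: Dict[str, int], all_packets_pps: int) -> Tuple[Dict[str, int], int]:
    """Aggregate cap. When the level-1 admitted total already exceeds the
    aggregate limit, the surplus is dropped proportionally across types
    (a simplification; the device's own scheduling is not documented here).
    Returns (packets per type reaching the CPU, packets dropped by level-2)."""
    total = sum(admitted.values())
    if total <= all_packets_pps:
        return dict(admitted), 0
    scale = all_packets_pps / total
    capped = {t: int(n * scale) for t, n in admitted.items()}
    return capped, total - sum(capped.values())


def cpu_load(offered_pps: Dict[str, int], all_packets_pps: int,
             car: Dict[str, int] = LEVEL1_CAR_PPS) -> Tuple[int, int, int]:
    """Return (packets reaching the CPU per second,
               packets dropped by level-1 CAR, packets dropped by level-2 CAR)."""
    admitted = apply_level1(offered_pps, car)
    l1_dropped = sum(offered_pps.values()) - sum(admitted.values())
    capped, l2_dropped = apply_level2(admitted, all_packets_pps)
    return sum(capped.values()), l1_dropped, l2_dropped


def level2_binds(all_packets_pps: int, car: Dict[str, int] = LEVEL1_CAR_PPS) -> bool:
    """The aggregate limit can only act when it is below the sum of the level-1
    CARs; otherwise level-1 alone already keeps the total under it and the
    `car all-packets pps` setting has no effect."""
    return all_packets_pps < sum(car.values())


if __name__ == "__main__":
    # Constructed burst: ARP flood plus moderate control-plane traffic.
    offered = {"arp": 100000, "bgp": 500, "bfd": 2000, "dhcp": 3000}
    for limit in (5000, 1000):
        reached, l1, l2 = cpu_load(offered, limit)
        print(f"all-packets={limit:5d}: reached CPU={reached}, "
              f"level-1 drops={l1}, level-2 drops={l2}, binds={level2_binds(limit)}")
```

With the constructed values the level-1 CARs admit 2164 pps in total, so an aggregate limit of 5000 pps drops nothing extra, while 1000 pps does; the same comparison is what an operator should make before lowering car all-packets pps on a real device.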

Precautions

If you run the car all-packets pps command in the same attack defense policy view multiple times, only the latest configuration takes effect.

The car all-packets pps command is required only when the current CAR configuration cannot reduce CPU loads. This is because when the CAR value of a queue is reduced, a smaller number of packets are sent to the CPU, and the CPU usage decreases accordingly. However, when there are many types of protocol packets, the CPU usage may still be high.

When the actual and configured rates of packets sent to the CPU are both large, CPU usage may be high and performance may deteriorate. In the worst case, the device breaks down.

Example

# Configure the attack defense policy named test to limit the rate of packets sent to the CPU to 5000 pps.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test
[*HUAWEI-cpu-defend-policy-test] car all-packets pps 5000

cpu-defend local-host anti-attack enable

Function

The cpu-defend local-host anti-attack enable command enables host attack defense.

The undo cpu-defend local-host anti-attack enable command disables host attack defense.

By default, host attack defense is disabled.

Format

cpu-defend local-host anti-attack enable

undo cpu-defend local-host anti-attack enable

Default Level

2: Configuration level

Usage Guidelines

After the ssh server acl, telnet server acl, ftp server acl, or snmp-agent acl command is configured, a switch forwards SSH, Telnet, FTP, or SNMP packets to the CPU and matches these packets against software ACLs. When host attack defense is enabled, the switch matches these packets against hardware ACLs. If packets match an ACL with a deny action, the switch directly discards the packets and will no longer forward such packets to the CPU.

Example

# Enable host attack defense.

<HUAWEI> system-view
[~HUAWEI] cpu-defend local-host anti-attack enable

cpu-defend policy

Function

The cpu-defend policy command creates an attack defense policy and displays the attack defense policy view.

The undo cpu-defend policy command deletes an attack defense policy.

By default, the devicename-default attack defense policy exists on the device and is applied to the device. The devicename-default attack defense policy cannot be deleted or modified.

Format

cpu-defend policy policy-name

undo cpu-defend policy policy-name

Parameters

policy-name
  Description: Specifies the name of an attack defense policy.
  Value: The value is a string of 1 to 31 case-sensitive characters without spaces. The string cannot contain the following characters: > $ |. The value cannot start with an underscore (_). When double quotation marks are used around the string, spaces are allowed in the string.

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A large number of packets including malicious attack packets are sent to the CPU on a network. If excess packets are sent to the CPU, the CPU usage becomes high and CPU performance deteriorates. The attack packets affect services and may even cause system breakdown. To solve the problem, create an attack defense policy and configure CPU attack defense and attack source tracing in the attack defense policy.

Precautions

The device supports a maximum of 17 attack defense policies, including the devicename-default attack defense policy. The devicename-default attack defense policy is generated in the system by default and is applied to the device. The devicename-default attack defense policy cannot be deleted or modified. The other 16 policies can be created, modified, and deleted.

CE5880EI, CE6870EI, CE6875EI and CE6880EI support a maximum of 49 attack defense policies, including the devicename-default attack defense policy. By default, the devicename-default attack defense policy is applied to the device and cannot be deleted or modified. The other 48 policies can be modified or deleted.

The configuration in a user-defined attack defense policy overrides the configuration in the devicename-default attack defense policy.

The car all-packets pps command is required only when the current CAR configuration cannot reduce CPU loads.

When the devicename-default attack defense policy is used, protocol packets sent to the CPU are limited based on the default CIR value.

Example

# Create an attack defense policy named test.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test
[*HUAWEI-cpu-defend-policy-test] 

cpu-defend-policy

Function

The cpu-defend-policy command applies an attack defense policy.

The undo cpu-defend-policy command cancels the application of an attack defense policy.

By default, the devicename-default attack defense policy is applied to the switch.

Format

cpu-defend-policy policy-name [ slot slot-id | batch slot { slot-id1 [ to slot-id2 ] } &<1-12> ]

undo cpu-defend-policy [ slot slot-id | batch slot { slot-id1 [ to slot-id2 ] } &<1-12> ]

Parameters

policy-name
  Description: Specifies the name of an attack defense policy.
  Value: The attack defense policy must already exist.

slot slot-id
  Description: Indicates that the attack defense policy is applied locally. slot-id specifies the slot ID of the LPU. If slot slot-id is not specified, the attack defense policy is applied on all LPUs.
  Value: -

batch slot { slot-id1 [ to slot-id2 ] } &<1-12>
  Description: Specifies the slots to which the attack defense policy is applied.
  • slot-id1 indicates the start slot ID to which the attack defense policy is applied.
  • slot-id2 indicates the end slot ID to which the attack defense policy is applied. slot-id2 must be greater than or equal to slot-id1; slot-id1 and slot-id2 together define a slot range.
  • If to slot-id2 is not specified, the attack defense policy is applied only to slot slot-id1.
  Value: -

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An attack defense policy takes effect only after it is applied to the device, and only one attack defense policy can be applied to the device.

Prerequisites

An attack defense policy has been created by using the cpu-defend policy command.

Example

# Apply the attack defense policy named test to all devices.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test
[*HUAWEI-cpu-defend-policy-test] quit
[*HUAWEI] cpu-defend-policy test

# Apply the attack defense policy named test to the LPU in slot 3.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test
[*HUAWEI-cpu-defend-policy-test] quit
[*HUAWEI] cpu-defend-policy test slot 3

cpu-defend-policy statistics enable

Function

The cpu-defend-policy statistics enable command enables the function of collecting statistics about an attack defense policy.

The undo cpu-defend-policy statistics enable command disables the function of collecting statistics about an attack defense policy.

By default, the function of collecting statistics about an attack defense policy is disabled.

Only the CE6870EI and CE6875EI support this command.

Format

cpu-defend-policy statistics enable

undo cpu-defend-policy statistics enable

Default Level

2: Configuration level

Usage Guidelines

After a blacklist or filter is configured, enable statistics collection for the attack defense policy, and then run the display cpu-defend { blacklist | filter } statistics [ slot slot-id ] command to view statistics about the packets sent to the CPU that match the blacklist or filter.

Example

# Enable the function of collecting statistics about an attack defense policy.

<HUAWEI> system-view
[~HUAWEI] cpu-defend-policy statistics enable

deny

Function

The deny command configures the device to discard packets sent to the CPU.

The undo deny command restores the default action taken for the packets sent to the CPU.

By default, the device does not discard packets sent to the CPU. Instead, the device limits the rate of packets sent to the CPU using the default rate. You can check the rate limit of each packet type using the display cpu-defend configuration command.

Format

deny packet-type packet-type

undo deny packet-type packet-type

Parameters

packet-type packet-type
  Description: Specifies the type of the packet to be discarded.
  Value: The supported packet type depends on the device.
  NOTE: For BFD packets, this command does not take effect on the CE6875EI.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After an attack defense policy is created, if the device receives attack packets of a specified type or a large number of packets sent to the CPU, run the deny command to configure the device to discard packets of the specified type sent to the CPU.

Precautions

If you run the deny command, and then the car command, the car command takes effect; if you run the car command, and then the deny command, the deny command takes effect. After the undo deny command is executed, the default action for packets sent to the CPU is restored.

Example

# Configure the attack defense policy test to discard ARP packets sent to the CPU.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test 
[*HUAWEI-cpu-defend-policy-test] deny packet-type arp

deny enp

Function

The deny enp command configures the device to discard packets in enhanced mode.

The undo deny enp command restores the default action that the device takes on packets in enhanced mode.

By default, the device does not discard packets, and uses the default value of the devicename-default policy to limit the rate of packets. You can run the display cpu-defend configuration enp command to view the rate limit of packets.

This command is available only for the CE6875EI.

Format

deny enp packet-type packet-type

undo deny enp packet-type packet-type

Parameters

packet-type packet-type
  Description: Specifies the protocol type of discarded packets.
  Value: The supported packet type depends on the device.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After an attack defense policy is created, the device can discard packets in either of the following modes:

  • Non-enhanced mode: The device uses the CPU to discard packets, which greatly affects CPU performance.
  • Enhanced mode: The device uses a built-in chip to discard packets, which therefore does not affect CPU performance and is not affected by other packets sent to the CPU, improving performance of corresponding features.

If the device receives attack packets or many normal packets of a certain protocol type, you can run the deny enp command to configure the device to discard packets in enhanced mode.

Precautions

If both the deny enp and car enp commands are run for a specified type of packets, the command configured later takes effect. After the undo deny enp command is run, the device restores the default action on packets in enhanced mode.

Example

# Configure the device to discard BFD packets in enhanced mode.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test 
[*HUAWEI-cpu-defend-policy-test] deny enp packet-type bfd

description (attack defense policy view)

Function

The description command configures the description of an attack defense policy.

The undo description command deletes the description of an attack defense policy.

By default, no description is configured for an attack defense policy.

Format

description text

undo description

Parameters

text
  Description: Specifies the content of a description.
  Value: It is a string of 1 to 63 case-sensitive characters; spaces are allowed.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The description command configures the description of an attack defense policy, for example, the usage or application scenario of the attack defense policy. The description is used to differentiate attack defense policies.

Precautions

If you run the description command in the same attack defense policy view multiple times, only the latest configuration takes effect.

Example

# Configure the description defend_arp_attack for the attack defense policy named test.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test 
[*HUAWEI-cpu-defend-policy-test] description defend_arp_attack

display auto-defend attack-source

Function

The display auto-defend attack-source command displays the attack sources.

Format

display auto-defend attack-source [ statistics ] [ slot slot-id ]

Parameters

statistics
  Description: Displays statistics on attack sources.
  NOTE: Only the CE6870EI and CE6875EI support this parameter.
  Value: -

slot slot-id
  Description: Specifies the stack ID of the device.
  Value: The value must be set according to the device configuration.

Default Level

1: Monitoring level

Usage Guidelines

To learn the attack source information after attack source tracing is configured, you can run the display auto-defend attack-source command.

In a stack, the attack source list is saved only on the master switch. The display auto-defend attack-source command displays only the attack source list on the master switch (except CE6870EI and CE6875EI).

Example

# Display the attack source list.

<HUAWEI> display auto-defend attack-source
  Attack Source User Table on Slot 1 :
  -------------------------------------------------------------------------
  MAC Address      Interface       PacketType    VLAN:Outer/Inner      Total
  -------------------------------------------------------------------------
  0000-c102-0102   10GE1/0/1       ICMP          1000/                 4832
  -------------------------------------------------------------------------
  Total: 1
  Attack Source IP Table on Slot 1 :
  -------------------------------------------------------------------------
  IP Address      PacketType    Total
  -------------------------------------------------------------------------
  10.1.1.2        ICMP          1144
  -------------------------------------------------------------------------
  Total: 1
  Attack Source Port Table on Slot 1 :
  -------------------------------------------------------------------------
  Interface       VLAN:Outer/Inner     PacketType     Total
  -------------------------------------------------------------------------
  10GE1/0/1       1000/--              ICMP            4832
  -------------------------------------------------------------------------
  Total: 1

Table 16-68 Description of the display auto-defend attack-source command output

Item

Description

Attack Source User Table on Slot 1

Information about attack sources on the device, classified by attacking user.

MAC Address

MAC address of the user.

Interface

Interface name.

PacketType

Packet type.

VLAN:Outer/Inner

ID of the VLAN that an interface belongs to. Outer indicates the outer VLAN ID and Inner indicates the inner VLAN ID.

Total

Total number of packets.

Total: 1

Total number of attackers.

Attack Source IP Table on Slot 1

Information about attack sources on the LPU, classified by attack source IP address.

IP Address

IP address of a user.

Attack Source Port Table on Slot 1

Information about attack sources on the LPU, classified by attack source interface.

# Display statistics on attack sources.

<HUAWEI> display auto-defend attack-source statistics slot 1
2019-11-28 19:38:47.361
---------------------------------------------------------------------------------
CPU defend policy ge
Slot1
---------------------------------------------------------------------------------
  Last time the deny action takes effect: 2019-11-28 19:22:00
  Protocol: ARP
  Source-MAC: 1-1-1
  Dropped Packets              83548625, Dropped Bytes                10694889728
---------------------------------------------------------------------------------

Table 16-69 Description of the display auto-defend attack-source statistics command output

Item

Description

Last time the deny action takes effect

Last time the deny action takes effect.

-- indicates that the deny action has not taken effect.

Protocol

Protocol type of attack packets.

Source-MAC

MAC address of a user.

Dropped Packets

Number of discarded packets.

Dropped Bytes

Number of discarded bytes.
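A parser for the User, IP and Port tables printed by display auto-defend attack-source, added here as an illustration of how an operator can turn that output into records for monitoring; it is not part of the product or its documentation. The sample text is the example output above with its padding trimmed; the function names and the packet-count threshold passed to sources_over are assumptions (in practice the threshold would be aligned with the attack source tracing threshold configured on the device).

```python
"""Parse `display auto-defend attack-source` output into per-table records."""
import re
from typing import Dict, List

# Sample output taken from the command example above, padding trimmed.
SAMPLE_OUTPUT = """\
  Attack Source User Table on Slot 1 :
  -------------------------------------------------------------------------
  MAC Address      Interface       PacketType    VLAN:Outer/Inner      Total
  -------------------------------------------------------------------------
  0000-c102-0102   10GE1/0/1       ICMP          1000/                 4832
  -------------------------------------------------------------------------
  Total: 1
  Attack Source IP Table on Slot 1 :
  -------------------------------------------------------------------------
  IP Address      PacketType    Total
  -------------------------------------------------------------------------
  10.1.1.2        ICMP          1144
  -------------------------------------------------------------------------
  Total: 1
  Attack Source Port Table on Slot 1 :
  -------------------------------------------------------------------------
  Interface       VLAN:Outer/Inner     PacketType     Total
  -------------------------------------------------------------------------
  10GE1/0/1       1000/--              ICMP            4832
  -------------------------------------------------------------------------
  Total: 1
"""

TABLE_RE = re.compile(r"^Attack Source (\w+) Table on Slot (\d+) :$")


def parse_attack_source(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Return {"User": [...], "IP": [...], "Port": [...]}; each row is keyed by
    the column names printed in that table's header, plus the slot it was on."""
    tables: Dict[str, List[Dict[str, str]]] = {}
    current = None    # name of the table being read
    slot = None
    headers = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        m = TABLE_RE.match(line)
        if m:
            current, slot = m.group(1), m.group(2)
            tables[current] = []
            headers = None
            continue
        if current is None:
            continue      # text outside any table, e.g. the command echo
        if line.startswith("Total:"):
            # Trailer: cross-check the device's count against the rows parsed.
            expected = int(line.split(":", 1)[1])
            if expected != len(tables[current]):
                raise ValueError(f"{current} table: device reports {expected} "
                                 f"entries, parsed {len(tables[current])}")
            current = None
            continue
        if headers is None:
            # Column names may contain a single space ("MAC Address"), so the
            # header splits on runs of two or more spaces; data rows never do.
            headers = re.split(r"\s{2,}", line)
            continue
        fields = line.split()
        if len(fields) != len(headers):
            raise ValueError(f"{current} table: cannot align {line!r} with {headers}")
        row = dict(zip(headers, fields))
        row["Slot"] = slot
        tables[current].append(row)
    return tables


def sources_over(tables: Dict[str, List[Dict[str, str]]], threshold: int) -> List[Dict[str, str]]:
    """Entries from every table whose packet count reaches `threshold`
    (a constructed alerting cut-off), tagged with the table they came from."""
    hits = []
    for name, rows in tables.items():
        for row in rows:
            if int(row["Total"]) >= threshold:
                hits.append({"Table": name, **row})
    return hits


if __name__ == "__main__":
    parsed = parse_attack_source(SAMPLE_OUTPUT)
    for hit in sources_over(parsed, 2000):
        print(hit)
```

The trailer check matters on a live device: the "Total:" line is the device's own count, so a mismatch means the output was truncated or the format changed, which is better surfaced as an error than silently reported as fewer attackers.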

display cpu-defend auto-port-defend

Function

The display cpu-defend auto-port-defend command displays information about the interfaces to which port-based automatic local attack defense is applied and statistics about the protocol packets sent to the CPU.

Format

display cpu-defend auto-port-defend [ slot slot-id ]

Parameters

slot slot-id
  Description: Specifies a slot ID.
  Value: The value depends on the device configuration.

Default Level

1: Monitoring level

Usage Guidelines

If port-based automatic local attack defense is applied and protocol packets on an interface are moved to a queue with a small CAR value and sent to the CPU, you can run this command to view the interface information and statistics about the protocol packets.

Example

# Display information about the interfaces to which port-based automatic local attack defense is applied and statistics about the protocol packets sent to the CPU.

<HUAWEI> display cpu-defend auto-port-defend
Port info on slot 1 :
--------------------------------------------------------------------------------
PacketType          Port
--------------------------------------------------------------------------------
arp-request         10GE/1/0/1
dhcp                10GE/1/0/1
igmp                10GE/1/0/1
ospf                10GE/1/0/1
--------------------------------------------------------------------------------
Port queue info on slot 1 :
--------------------------------------------------------------------------------
PacketType          QueueName
--------------------------------------------------------------------------------
arp-request         queue one
dhcp                queue one
igmp                queue one
ospf                queue two
--------------------------------------------------------------------------------
Statistics(packets) on slot 1 :
--------------------------------------------------------------------------------
QueueName                Total Passed        Total Dropped   Last Dropping Time
                    Last 5 Min Passed   Last 5 Min Dropped
--------------------------------------------------------------------------------
queue one                    39413185          12950486396   2017-08-07 15:50
                               575126            250926259
queue two                    28905966            142484581   2017-08-07 15:50
                               332073              1174817
--------------------------------------------------------------------------------

Table 16-70 Description of the display cpu-defend auto-port-defend command output

Item

Description

Port info on slot 1

Information about interfaces in slot 1.

PacketType

Packet type.

Port

Name of an interface.

Statistics(packets) on slot 1

Packet statistics in slot 1.

Total Passed

Total number of forwarded packets.

Last 5 Min Passed

Number of packets forwarded in the last 5 minutes.

Total Dropped

Total number of discarded packets.

Last 5 Min Dropped

Number of packets discarded in the last 5 minutes.

Last Dropping Time

Last time when a packet is discarded.

Port queue info on slot 1

Information about queues in slot 1.

QueueName

Name of a queue.

NOTE:

When port-based automatic local attack defense is configured for one or two types of packets, the queue name is displayed as the type of protocol packets (for example, arp-request). When this function is configured for more than two types of packets, all packets are distributed to shared queues. The names of shared queues such as queue one and queue two are displayed. The packets that are previously not delivered to shared queues will also be switched to the shared queues.

display cpu-defend configuration

Function

The display cpu-defend configuration command displays CAR configurations.

Format

display cpu-defend configuration [ packet-type packet-type ] { all | slot slot-id }

Parameters

packet-type packet-type
  Description: Specifies a packet type.
  Value: The supported packet type depends on the device.

all
  Description: Indicates all devices.
  Value: -

slot slot-id
  Description: Specifies the stack ID of the device.
  Value: The value must be set according to the device configuration.

Default Level

1: Monitoring level

Usage Guidelines

You can run the display cpu-defend configuration command to view the rate limit of protocol packets sent to the CPU. By default, the rate limit of protocol packets in the devicename-default policy is displayed.

Example

# Display the CAR configurations of all devices.

<HUAWEI> display cpu-defend configuration all
Car configurations on slot 1 :
---------------------------------------------------
PacketType            Status      Car(pps)
---------------------------------------------------
8021x                 Disabled         512
aaa                   Enabled          384
arp                   Enabled          128
arp-miss              Enabled          512
bfd                   Enabled         1024
bgp                   Enabled         1024
bpdu-tunnel           Enabled          512
dhcp                  Enabled          512(*)
......
---------------------------------------------------
*: The packet is accessed through the common queue.
Car all-packets (pps) : 5120
---------------------------------------------------

The preceding information is an example. The displayed packet type depends on the actual situation.

Table 16-71 Description of the display cpu-defend configuration command output

Item

Description

Car configurations on slot 1

CAR configurations on the device.

PacketType

Packet type.

Status

Protocol packet status.

  • Enabled: indicates that the protocol is enabled.
  • Disabled: indicates that the protocol is disabled.

When the protocol is disabled, the device cannot limit the rate of packets.

Car(pps)

Rate limit for packets, in pps. To set the rate limit for packets, run the car command.

In the command output, 512(*) indicates that the default queue resources for the protocol packets are used up and the system automatically sends the packets to the common queue for scheduling and rate limiting.

Car all-packets (pps)

Rate limit for packets sent to the CPU. To set the rate limit for packets sent to the CPU, run the car all-packets pps command.
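A parser and configuration audit for the display cpu-defend configuration output above, added here as an illustration (not the product's code or documentation). It reads each packet type's status, CAR value and the (*) common-queue marker explained in the table, plus the Car all-packets value, and compares the CAR values against a baseline; the baseline values and the function names are constructed assumptions, standing in for an operator's approved policy.

```python
"""Parse `display cpu-defend configuration` output and audit it against a baseline."""
import re
from typing import Dict, NamedTuple, Optional, Tuple

# Sample taken from the command example above, padding trimmed; the "......"
# line is the device's own elision of further packet types.
SAMPLE_OUTPUT = """\
Car configurations on slot 1 :
---------------------------------------------------
PacketType            Status      Car(pps)
---------------------------------------------------
8021x                 Disabled         512
aaa                   Enabled          384
arp                   Enabled          128
arp-miss              Enabled          512
bfd                   Enabled         1024
bgp                   Enabled         1024
bpdu-tunnel           Enabled          512
dhcp                  Enabled          512(*)
......
---------------------------------------------------
*: The packet is accessed through the common queue.
Car all-packets (pps) : 5120
---------------------------------------------------
"""


class CarEntry(NamedTuple):
    packet_type: str
    enabled: bool
    car_pps: int
    common_queue: bool    # True when the row carries "(*)"


SLOT_RE = re.compile(r"^Car configurations on slot (\d+) :$")
ROW_RE = re.compile(r"^(\S+)\s+(Enabled|Disabled)\s+(\d+)(\(\*\))?$")
ALL_RE = re.compile(r"^Car all-packets \(pps\) : (\d+)$")


def parse_car_config(text: str) -> Tuple[Optional[int], Dict[str, CarEntry], Optional[int]]:
    """Return (slot, {packet type: CarEntry}, car all-packets pps).
    Separator lines, the header, the elision marker and the footnote do not
    match any pattern and are skipped."""
    slot = None
    entries: Dict[str, CarEntry] = {}
    all_packets = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SLOT_RE.match(line)
        if m:
            slot = int(m.group(1))
            continue
        m = ALL_RE.match(line)
        if m:
            all_packets = int(m.group(1))
            continue
        m = ROW_RE.match(line)
        if m:
            ptype, status, pps, star = m.groups()
            entries[ptype] = CarEntry(ptype, status == "Enabled", int(pps), star is not None)
    return slot, entries, all_packets


def audit(entries: Dict[str, CarEntry], all_packets: Optional[int],
          baseline: Dict[str, int]) -> dict:
    """Flag packet types pushed into the common queue, disabled types, CAR
    values that differ from the baseline, and baseline types absent from the
    output. `baseline` is the operator's expected CAR value per type."""
    report = {
        "common_queue": sorted(t for t, e in entries.items() if e.common_queue),
        "disabled": sorted(t for t, e in entries.items() if not e.enabled),
        "drift": {},
        "missing": sorted(set(baseline) - set(entries)),
        "all_packets_pps": all_packets,
    }
    for ptype, expected in baseline.items():
        if ptype in entries and entries[ptype].car_pps != expected:
            report["drift"][ptype] = (expected, entries[ptype].car_pps)
    return report


if __name__ == "__main__":
    # Constructed baseline: the CAR values this operator expects to see.
    BASELINE = {"arp": 128, "bgp": 1024, "bfd": 1024, "dhcp": 512, "ospf": 1024}
    slot, parsed, cap = parse_car_config(SAMPLE_OUTPUT)
    print(f"slot {slot}:", audit(parsed, cap, BASELINE))
```

Because the device elides rows ("......"), a type missing from the parsed output is reported as "missing" rather than assumed to be at its default; run the command with packet-type to confirm any such type individually.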

display cpu-defend configuration enp

Function

The display cpu-defend configuration enp command displays the configuration of packet rate limiting in enhanced mode.

This command is available only for the CE6875EI.

Format

display cpu-defend configuration enp packet-type packet-type { all | slot slot-id }

Parameters

packet-type packet-type
  Description: Displays the configuration of the specified packet type.
  Value: The value depends on the packet types supported by the device.

all
  Description: Displays the configuration on all devices.
  Value: -

slot slot-id
  Description: Specifies the stack ID of the switch.
  Value: The value must be set according to the device configuration.

Default Level

1: Monitoring level

Usage Guidelines

You can run the display cpu-defend configuration enp command to view the configuration of packet rate limiting in enhanced mode.

Example

# Display the configuration of packet rate limiting in enhanced mode. (CE6875EI)

<HUAWEI> display cpu-defend configuration enp packet-type bfd all
Car configurations on slot 1 :
---------------------------------------------------
PacketType            Status      Car(pps)
---------------------------------------------------
bfd                   Disabled       40000
---------------------------------------------------

Table 16-72 Description of the display cpu-defend configuration enp command output

Item

Description

PacketType

Packet type.

Status

Protocol packet status.

  • Enabled: indicates that the protocol is enabled.
  • Disabled: indicates that the protocol is disabled.

When the protocol is disabled, the device cannot limit the rate of packets.

Car(pps)

Committed Access Rate (CAR), in pps. To set the CAR value, run the car enp command.

display cpu-defend local-host anti-attack

Function

The display cpu-defend local-host anti-attack command displays statistics about the packets matching hardware ACLs after host attack defense is enabled.

Format

display cpu-defend local-host anti-attack [ slot slot-id ]

Parameters

slot slot-id
  Description: Specifies the stack ID of the device.
  Value: The value depends on the device configuration.

Default Level

1: Monitoring level

Usage Guidelines

After host attack defense is enabled, you can run the display cpu-defend local-host anti-attack command to view statistics about the packets matching hardware ACLs.

Example

# Display statistics about the packets matching hardware ACLs (on the CE5880EI, CE6870EI, CE6875EI and CE6880EI) after host attack defense is enabled.

<HUAWEI> display cpu-defend local-host anti-attack
ACL resource on slot 1
----------------------------------------------
Protocol       State           ACL
----------------------------------------------
SSH            Successful     3000
----------------------------------------------

SSH Statistics on slot 1
--------------------------------------------------------------------------------
  rule 10 deny tcp
  Dropped Packets                     0, Dropped Bytes                         0
--------------------------------------------------------------------------------

# Display statistics about the packets matching hardware ACLs (on a switch except the CE5880EI, CE6870EI, CE6875EI and CE6880EI) after host attack defense is enabled.

<HUAWEI> display cpu-defend local-host anti-attack
ACL resource on slot 1                                                                                                              
----------------------------------------------                                                                                      
Protocol       State           ACL                                                                                                  
----------------------------------------------                                                                                      
SSH            Failed(1)      2000                                                                                                  
----------------------------------------------                                                                                      
Fail reason:                                                                                                                        
(1): The ACL resource is not enough.                                                                                                
----------------------------------------------                                                                                      

Table 16-73 Description of the display cpu-defend local-host anti-attack command output

Item

Description

ACL resource on slot 1

ACL resources in a specified slot.

Protocol

Protocol of packets.

State

ACL delivery state:

  • Failed(n): The ACL failed to be delivered; n is the number of the fail reason listed under Fail reason.
  • Successful: The ACL was delivered successfully.

ACL

Type of an ACL.

Fail reason

Reason for the ACL delivery failure:

  • (1): The ACL resource is not enough.
  • (2): The snoop resource is not enough.
  • (3): Some fields in the ACL rule referenced are not supported.
  • (4): The internal error. (You are advised to contact technical support if this error occurs.)
  • (5): The numbers of ACL rules exceed the limit.

SSH Statistics on slot 1

Statistics about a specified type of packets in a slot.

rule 10 deny tcp

ACL rule.

Dropped Packets

Number of discarded packets.

Dropped Bytes

Number of discarded bytes.

Failed to apply the ACL.

ACL application failure.

NOTE:

This item is displayed only when an ACL fails to be delivered.

display cpu-defend policy

Function

The display cpu-defend policy command displays the attack defense policy configuration.

Format

display cpu-defend policy [ policy-name ]

Parameters

Parameter

Description

Value

policy-name

Displays the configuration of a specified attack defense policy.

  • If policy-name is specified, information about the specified attack defense policy is displayed.
  • If policy-name is not specified, information about all attack defense policies is displayed.

The attack defense policy must already exist.

Default Level

1: Monitoring level

Usage Guidelines

After an attack defense policy is created, you can run the display cpu-defend policy command to view the stack ID that the attack defense policy is applied to and configurations of the attack defense policy.

Example

# Display information about the attack defense policy named test1.

<HUAWEI> display cpu-defend policy test1
==============================================
Policy name: test1          
Policy applys on slot: <1>   
Car packet-type bfd(pps) : 128      
Blacklist status:               
----------------------------------------------  
Slot    Blacklist State       ACL    ACLIPv6
----------------------------------------------   
1       1         Successful  2001   -- 
----------------------------------------------
Fail reason:      
(3): Some fields in the ACL rule referenced are not supported. 
==============================================    

Table 16-74 Description of the display cpu-defend policy command output

Item

Description

Policy name

Name of an attack defense policy. To configure an attack defense policy, run the cpu-defend policy command.

Policy applys on slot

Stack ID that an attack defense policy is applied to.

Car packet-type bfd(pps)

CAR value of BFD packets. To set the CAR value for BFD packets, run the car command.

Blacklist status

Whether the blacklist has been delivered to the device.

Slot

Number of the slot.

Blacklist

Number of the blacklist. To configure a blacklist, run the blacklist command.

State

Whether the blacklist has been delivered to the device:

  • Failed(n): The blacklist failed to be delivered to the device; n is the number of the fail reason listed under Fail reason.
  • Successful: The blacklist was delivered to the device successfully.
  • Processing: The ACL is being processed.
  • --: The ACL rule is not applied to this device.

ACL

Number of an ACL defined in blacklist or filter.

ACLIPv6

Number of an ACL6 defined in blacklist or filter.

Fail reason

The reason why a blacklist or filter cannot be delivered.

  • (1): The ACL resource is not enough. (The ACL resources on the device are insufficient.)
  • (2): The snoop resource is not enough. (The snoop resources on the device are insufficient.)
  • (3): Some fields in the ACL rule referenced are not supported. (The ACL referenced contains the packet matching fields not supported by the device.)
  • (4): The internal error. (An internal error occurs. Contact technical support personnel.)
  • (5): The numbers of ACL rules exceed the limit. (The number of ACL rules to be delivered exceeds the upper limit.)
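Both the display cpu-defend local-host anti-attack and display cpu-defend policy outputs above report a delivery State per entry and explain Failed(n) codes in a Fail reason footnote; an entry left in a Failed(n) state gives no protection, because its ACL or blacklist never reached hardware. The following Python, added here and not Huawei's code, parses both layouts (the samples are the page's own policy example and its failed-delivery anti-attack example) and lists undelivered entries together with the resolved reason text.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample output taken from the page's display cpu-defend policy example.
SAMPLE_POLICY = """\
==============================================
Policy name: test1
Policy applys on slot: <1>
Car packet-type bfd(pps) : 128
Blacklist status:
----------------------------------------------
Slot    Blacklist State       ACL    ACLIPv6
----------------------------------------------
1       1         Successful  2001   --
----------------------------------------------
Fail reason:
(3): Some fields in the ACL rule referenced are not supported.
==============================================
"""

# Sample output taken from the page's display cpu-defend local-host anti-attack
# example for a switch on which ACL delivery failed.
SAMPLE_ANTI_ATTACK = """\
ACL resource on slot 1
----------------------------------------------
Protocol       State           ACL
----------------------------------------------
SSH            Failed(1)      2000
----------------------------------------------
Fail reason:
(1): The ACL resource is not enough.
----------------------------------------------
"""

# A delivery state as printed in the State column; Failed carries a reason code.
STATE_RE = re.compile(r"\b(Successful|Processing|Failed\((\d+)\))")
# A footnote line such as "(1): The ACL resource is not enough."
REASON_RE = re.compile(r"^\((\d+)\):\s*(.+?)\s*$")


def parse_delivery_states(text: str) -> List[Dict]:
    """Rows that carry a delivery state, joined with the fail-reason footnotes.

    The first column (slot number in the policy view, protocol name in the
    local-host view) is kept as the row key.
    """
    rows, reasons = [], {}
    for line in text.splitlines():
        m = REASON_RE.match(line)
        if m:
            reasons[int(m.group(1))] = m.group(2)
            continue
        m = STATE_RE.search(line)
        if m:                                   # header and separator lines never match
            code = int(m.group(2)) if m.group(2) else None
            rows.append({"key": line.split()[0], "state": m.group(1), "code": code})
    for row in rows:                            # footnotes follow the table, so resolve last
        row["reason"] = reasons.get(row["code"]) if row["code"] is not None else None
    return rows


def undelivered(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Entries whose ACL or blacklist is not active in hardware, with the reason."""
    return [(r["key"], r["state"], r["reason"])
            for r in parse_delivery_states(text) if r["state"] != "Successful"]
```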

display cpu-defend rate

Function

The display cpu-defend rate command displays the rate of sending protocol packets to the CPU.

Format

display cpu-defend rate [ packet-type packet-type ] { all | slot slot-id }

Parameters

Parameter

Description

Value

packet-type packet-type

Specifies a packet type.

The supported packet type depends on the device.

all

Indicates all switches in a stack if stack is enabled, or the switch itself if stack is disabled.

-

slot slot-id

Specifies the stack ID of the device.

The value must be set according to the device configuration.

Default Level

1: Monitoring level

Usage Guidelines

You can run the display cpu-defend rate command to view the rate at which protocol packets are sent to the CPU when checking the configuration of an attack defense policy. The rate shows which protocol's packets may be attacking the CPU.

To keep other services running normally and protect the CPU, the packet rate is calculated only over a specified period after you run the display cpu-defend rate command, and the result is then displayed on the terminal. After you run this command, a message is displayed asking you to wait for a moment.

Example

# Display the rate of ARP packets sent from the device to the CPU.

<HUAWEI> display cpu-defend rate packet-type arp slot 1
Info: Please wait for a moment...            
Rate(PPS) on slot 1 :                   
---------------------------------------------------------------             
PacketType                         Passed              Dropped             
---------------------------------------------------------------              
arp                                     0                    0    
--------------------------------------------------------------- 

Table 16-75 Description of the display cpu-defend rate command output

Item

Description

PacketType

Packet type.

Passed

Number of forwarded packets within one second.

Dropped

Number of discarded packets within one second.

display cpu-defend rate enp

Function

The display cpu-defend rate enp command displays the rate of packets for which rate limiting in enhanced mode is performed.

This command is available only for the CE6875EI.

Format

display cpu-defend rate enp packet-type packet-type { all | slot slot-id }

Parameters

Parameter

Description

Value

packet-type packet-type

Specifies the type of packets.

The supported packet type depends on the device.

all

Displays the rate of packets sent from all the switches in a stack to the CPU if stacking is enabled, or displays the rate of packets sent from the local switch to the CPU if stacking is disabled.

-

slot slot-id

Specifies the stack ID of the switch.

The value must be set according to the device configuration.

Default Level

1: Monitoring level

Usage Guidelines

You can run the display cpu-defend rate enp command to view the rate of packets for which rate limiting in enhanced mode is performed when checking configurations of an attack defense policy.

Example

# Display the rate of packets for which rate limiting in enhanced mode is performed. (CE6875EI)

<HUAWEI> display cpu-defend rate enp packet-type bfd all
Info: Please wait for a moment...                                                                                                   
Rate(PPS) on slot 1 :                                                                                                             
---------------------------------------------------------------                                                                     
PacketType                         Passed              Dropped                                                                      
---------------------------------------------------------------                                                                     
bfd                                     0                    0                                                                      
---------------------------------------------------------------

Table 16-76 Description of the display cpu-defend rate enp command output

Item

Description

PacketType

Packet type.

Passed

Number of packets forwarded within 1 second.

Dropped

Number of packets discarded within 1 second.

display cpu-defend statistics

Function

The display cpu-defend statistics command displays statistics on packets sent to the CPU.

Format

  • Switches except for CE5880EI, CE6870EI, CE6875EI, and CE6880EI:

    display cpu-defend statistics [ history ] [ packet-type packet-type ] { all | slot slot-id }

  • CE5880EI, CE6870EI, CE6875EI, and CE6880EI:

    display cpu-defend statistics [ history ] [ packet-type packet-type ] { all | slot slot-id }

    display cpu-defend { blacklist | filter } statistics [ slot slot-id ]

Parameters

Parameter

Description

Value

packet-type packet-type

Displays statistics on the specified type of protocol packets. packet-type specifies the packet type.

  • If packet-type is specified, statistics on the specified type of protocol packets are displayed.
  • If packet-type is not specified, statistics on all protocol packets are displayed.

The supported packet type depends on the device.

history

Displays statistics on discarded protocol packets. A maximum of 36 protocol packet discarding records are displayed for each protocol.

-

all

This parameter indicates all switches in a stack if stacking is enabled, or the switch itself if stacking is disabled.

-

slot slot-id

Specifies the stack ID of the device.

The value must be set according to the device configuration.

blacklist

Displays statistics about packets discarded by blacklists.

-

filter

Displays statistics about packets discarded by filters.

-

Default Level

1: Monitoring level

Usage Guidelines

The display cpu-defend statistics command displays statistics on packets sent to the CPU, including the number of forwarded and discarded packets. This helps the network administrator configure attack defense policies.

In versions earlier than V200R003C00 of the CE6870EI and CE6875EI, after a blacklist or filter is configured, you can directly run the display cpu-defend { blacklist | filter } statistics [ slot slot-id ] command to view statistics about packets sent to the CPU that match the blacklist or filter. In V200R003C00 and later versions, after a blacklist or filter is configured, you must first run the cpu-defend-policy statistics enable command and then run the display cpu-defend { blacklist | filter } statistics [ slot slot-id ] command to view these statistics.

Example

# Display all CAR statistics on the devices.

<HUAWEI> display cpu-defend statistics all
Statistics(packets) on slot 1 :
--------------------------------------------------------------------------------
PacketType               Total Passed        Total Dropped   Last Dropping Time
                    Last 5 Min Passed   Last 5 Min Dropped
--------------------------------------------------------------------------------
8021x                               0                    0   -
                                    0                    0
aaa                                 0                    0   -
                                    0                    0
arp                                 0                    0   -
                                    0                    0
arp-miss                            0                    0   -
                                    0                    0
bfd                                 0                    0   -
                                    0                    0
bgp                                 0                    0   -
                                    0                    0
bpdu-tunnel                         0                    0   -
                                    0                    0
common                              0                    0   -
                                    0                    0
dhcp                                0                    0   -
                                    0                    0
dldp                                0                    0   -
                                    0                    0 
......
--------------------------------------------------------------------------------

The preceding information is an example. The displayed packet type depends on the actual situation.

Table 16-77 Description of the display cpu-defend statistics command output

Item

Description

PacketType

Packet type.

Total Passed

Total number of forwarded packets.

Last 5 Min Passed

Number of packets forwarded in the last 5 minutes.

Total Dropped

Total number of discarded packets.

Last 5 Min Dropped

Number of packets discarded in the last 5 minutes.

Last Dropping Time

Last packet discarding time.

# Display historical statistics on packets sent from slot 1 to the CPU.

<HUAWEI> display cpu-defend statistics history slot 1                          
Statistics(packets) on slot 1 :                                                                                                     
--------------------------------------------------------------------------------                                                    
PacketType  Time Period                            Passed               Dropped                                                     
--------------------------------------------------------------------------------                                                    
arp         2014-10-23 13:00~2014-10-23 15:01       75305                127170                                                     
arp         2014-10-23 15:01~2014-10-23 17:01       76095                128925                                                     
dhcp        2014-10-23 19:01~2014-10-23 19:51       32131                  3722                                                     
telnet      2014-10-23 19:01~2014-10-23 19:51       26807                 18442                                                     
--------------------------------------------------------------------------------

Table 16-78 Description of the display cpu-defend statistics history command output

Item

Description

PacketType

Packet type.

Time Period

Time range in which packet statistics are collected.

Passed

Number of passed packets.

Dropped

Number of discarded packets.
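The two display cpu-defend statistics layouts above (the current view, where each packet type spans two lines, and the history view, with one row per collection period) are what an operator reads to spot a protocol that CPCAR is discarding heavily. The following Python, added here and not Huawei's code, parses both layouts and flags packet types whose drop ratio crosses an example threshold; the current-view sample is constructed (its Last Dropping Time format is an assumption), the history rows are the page's own example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the page's layout: each packet type occupies two
# lines (totals and last dropping time, then the last-5-minute counters). The
# timestamp format shown in Last Dropping Time is an assumption.
SAMPLE_CURRENT = """\
Statistics(packets) on slot 1 :
--------------------------------------------------------------------------------
PacketType               Total Passed        Total Dropped   Last Dropping Time
                    Last 5 Min Passed   Last 5 Min Dropped
--------------------------------------------------------------------------------
arp                             75305               127170   2014-10-23 17:01
                                 1200                 3400
bgp                              5000                    0   -
                                  100                    0
--------------------------------------------------------------------------------
"""

# History rows copied from the page's own display cpu-defend statistics history example.
SAMPLE_HISTORY = """\
Statistics(packets) on slot 1 :
--------------------------------------------------------------------------------
PacketType  Time Period                            Passed               Dropped
--------------------------------------------------------------------------------
arp         2014-10-23 13:00~2014-10-23 15:01       75305                127170
arp         2014-10-23 15:01~2014-10-23 17:01       76095                128925
dhcp        2014-10-23 19:01~2014-10-23 19:51       32131                  3722
telnet      2014-10-23 19:01~2014-10-23 19:51       26807                 18442
--------------------------------------------------------------------------------
"""

SLOT_RE = re.compile(r"^Statistics\(packets\) on slot (\d+)")
# Current view, first line of a row: type at column 0, two counters, a time or "-".
ROW1_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")
# Current view, second line of a row: indented, the two last-5-minute counters.
ROW2_RE = re.compile(r"^\s+(\d+)\s+(\d+)\s*$")
TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}"
HIST_RE = re.compile(rf"^(\S+)\s+({TS})~({TS})\s+(\d+)\s+(\d+)\s*$")


def parse_statistics(text: str) -> List[Dict]:
    """One record per (slot, packet type) from the current-statistics view."""
    records, slot, row = [], None, None
    for line in text.splitlines():
        if m := SLOT_RE.match(line):
            slot = int(m.group(1))
        elif m := ROW1_RE.match(line):          # header and dash lines never match
            row = {"slot": slot, "packet_type": m.group(1),
                   "total_passed": int(m.group(2)), "total_dropped": int(m.group(3)),
                   "last_dropping_time": m.group(4)}
        elif (m := ROW2_RE.match(line)) and row is not None:
            row.update(last5_passed=int(m.group(1)), last5_dropped=int(m.group(2)))
            records.append(row)
            row = None
    return records


def parse_history(text: str) -> List[Dict]:
    """One record per history row (packet type and collection period)."""
    records, slot = [], None
    for line in text.splitlines():
        if m := SLOT_RE.match(line):
            slot = int(m.group(1))
        elif m := HIST_RE.match(line):
            records.append({"slot": slot, "packet_type": m.group(1),
                            "start": m.group(2), "end": m.group(3),
                            "passed": int(m.group(4)), "dropped": int(m.group(5))})
    return records


def drop_ratio(dropped: int, passed: int) -> float:
    """Fraction of a packet type's traffic that CPCAR discarded (0.0 if none seen)."""
    total = dropped + passed
    return dropped / total if total else 0.0


def flag_recent(records: List[Dict], ratio: float = 0.2, min_packets: int = 100) -> List[Tuple]:
    """Packet types still dropped in the last 5 minutes at or above `ratio`.
    Thresholds are example values, not device defaults; tune them per protocol."""
    hits = []
    for r in records:
        if r["last5_passed"] + r["last5_dropped"] < min_packets:
            continue                            # too little traffic to judge
        rr = drop_ratio(r["last5_dropped"], r["last5_passed"])
        if rr >= ratio:
            hits.append((r["slot"], r["packet_type"], round(rr, 3)))
    return hits


def flag_history(records: List[Dict], ratio: float = 0.2) -> List[Tuple]:
    """Collection periods in which a packet type's drop ratio reached `ratio`."""
    hits = []
    for r in records:
        rr = drop_ratio(r["dropped"], r["passed"])
        if rr >= ratio:
            hits.append((r["packet_type"], r["start"], r["end"], round(rr, 3)))
    return hits
```

On the samples, flag_recent reports arp on slot 1 (about 74% of its last-5-minute packets dropped) and flag_history reports both arp periods and the telnet period, which are the same protocols an operator would then investigate with display cpu-defend rate.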

display cpu-defend statistics enp

Function

The display cpu-defend statistics enp command displays statistics about packets for which rate limiting in enhanced mode is performed.

This command is available only for the CE6875EI.

Format

display cpu-defend statistics [ history ] enp packet-type packet-type { all | slot slot-id }

Parameters

Parameter

Description

Value

history

Displays historical packet statistics.

-

packet-type packet-type

Displays statistics about the specified type of packets.

The supported packet type depends on the device.

all

Displays packet statistics about all the member switches in a stack if stacking is enabled or on the local switch if stacking is disabled.

-

slot slot-id

Specifies the stack ID of the switch.

The value must be set according to the device configuration.

Default Level

1: Monitoring level

Usage Guidelines

The display cpu-defend statistics enp command displays packet statistics, including the number of forwarded and discarded packets. The information helps the network administrator configure attack defense policies.

Example

# Display statistics about BFD packets for which rate limiting in enhanced mode is performed. (CE6875EI)

<HUAWEI> display cpu-defend statistics enp packet-type bfd all
Statistics(packets) on slot 2 :                                                                                                     
--------------------------------------------------------------------------------                                                    
PacketType               Total Passed        Total Dropped   Last Dropping Time                                                     
                    Last 5 Min Passed   Last 5 Min Dropped                                                                          
--------------------------------------------------------------------------------                                                    
bfd                                 0                    0   -                                                                      
                                    0                    0                                                                          
--------------------------------------------------------------------------------

Table 16-79 Description of the display cpu-defend statistics enp command output

Item

Description

PacketType

Packet type.

Total Passed

Total number of forwarded packets.

Last 5 Min Passed

Number of forwarded packets in the last 5 minutes.

Total Dropped

Total number of discarded packets.

Last 5 Min Dropped

Number of discarded packets in the last 5 minutes.

Last Dropping Time

Last time when a packet is discarded.

display fei security table cpcar

Function

The display fei security table cpcar command displays CPCAR-related entries in the CPU-Defend function.

Format

display fei security table cpcar [ slot slot-id ]

Parameters

Parameter

Description

Value

slot slot-id

  • The value is 1 when stacking is not configured.
  • The value is a stack ID if stacking is configured.

The value depends on the device configuration.

Default Level

1: Monitoring level

Example

# Display CPCAR-related entries.

<HUAWEI> display fei security table cpcar
Cpu-defend Protocol CPCAR-table:                                                                                                    
----------------------------------------------------------------------                                                              
slot 1                                                                                                                              
PacketType                            CAR    Queue   RealCar SoftQueue                                                              
----------------------------------------------------------------------                                                              
STACK                                2048        0      2048         0                                                              
IPS                                  4096        1      4096         1                                                              
IPS-PROTOCOL                         2048        2      2048         2                                                              
RSV                                   512        3       512         3                                                              
RSV                                   128        4       128         4                                                              
RSV                                   128        5       128         5                                                              
RSV                                   128        6       128         6                                                              
RSV                                   128        7       128         7                                                              
DEFAULT                               128        8       128         8                                                              
RSV                                   128        9       128         9                                                              
MACLEARN                              256       10       256        10                                                              
STACKTEMP                             128       11       128        11                                                              
ND-DAD                                512       12       512        12                                                              
……

Table 16-80 Description of the display fei security table cpcar command output

Item

Description

Cpu-defend Protocol CPCAR-table

CPCAR table used for CPU attack defense.

slot

  • For a stand-alone switch, this field has a fixed value of 1.
  • For a stack, the value is the stack ID.

PacketType

The supported packet type depends on the device.

CAR

CPCAR value of packets configured.

Queue

Queue where packets are delivered to the chip.

NOTE:

If a protocol is disabled or rate limiting is performed for all packets of the protocol, "--" is displayed in this column.

RealCar

CPCAR value of packets delivered to the chip.

SoftQueue

Queue where packets are located.

NOTE:

If a protocol is disabled or rate limiting is performed for all packets of the protocol, "--" is displayed in this column.

display fei security table cpcar-linkup

Function

The display fei security table cpcar-linkup command displays CPCAR-related entries during protocol connection establishment in the CPU-Defend function.

Format

display fei security table cpcar-linkup [ slot slot-id ]

Parameters

Parameter

Description

Value

slot slot-id

Specifies a slot ID.

The value depends on the device configuration.

Default Level

1: Monitoring level

Example

# Display CPCAR-related entries during protocol connection establishment.

<HUAWEI> display fei security table cpcar-linkup
Linkup Information on slot 3:                                                                                                       
--------------------------------------------------------------------------------                                                    
PacketType  Car(pps)  Source Address                                 Source Port                                                    
                      Destination Address                       Destination Port                                                    
--------------------------------------------------------------------------------                                                    
FTP             1536  1.1.1.1                                         4294967295                                                    
                      2.2.2.2                                         4294967295                                                    
Telnet          1536  3.3.3.3                                              65163                                                    
                      4.4.4.4                                                 23                                                    
-------------------------------------------------------------------------------- 

Table 16-81 Description of the display fei security table cpcar-linkup command output

Item

Description

Linkup Information on slot 3

Protocol connection setup information in the specified slot.

PacketType

The supported packet type depends on the device.

Car(pps)

CAR value.

Source Address

Source address.

Destination Address

Destination address.

Source Port

Source port.

Destination Port

Destination port.

filter

Function

The filter command configures a filter.

The undo filter command deletes a filter.

By default, no filter is available on a device.

Format

filter packet-type arp acl acl-number

undo filter packet-type arp [ acl acl-number ]

filter packet-type { icmp | igmp | ospf | dhcp } acl acl-number

undo filter packet-type { icmp | igmp | ospf | dhcp } [ acl acl-number ]

filter packet-type { icmpv6 | ospfv3 | dhcpv6 } acl ipv6 acl6-number

undo filter packet-type { icmpv6 | ospfv3 | dhcpv6 } [ acl ipv6 acl6-number ]

filter packet-type { snmp | dns | ftp | telnet | ssh | bgp } acl { acl-number | ipv6 acl6-number }

undo filter packet-type { snmp | dns | ftp | telnet | ssh | bgp } [ acl { acl-number | ipv6 acl6-number } ]

Parameters

Parameter

Description

Value

packet-type arp

Indicates that the protocol type is ARP.

NOTE:

The CE6870EI and CE6875EI do not support this protocol type.

-

packet-type { icmp | igmp | ospf | dhcp }

Specifies the protocol type:

  • ICMP

  • IGMP

  • OSPF

  • DHCP

-

packet-type { icmpv6 | ospfv3 | dhcpv6 }

Specifies the protocol type:

  • ICMPv6

  • OSPFv3

  • DHCPv6

-

packet-type { snmp | dns | ftp | telnet | ssh | bgp }

Specifies the protocol type:

  • SNMP

  • DNS

  • FTP

  • Telnet

  • SSH

  • BGP

-

acl acl-number

Specifies the ACL matching the filter.

The value of acl-number is an integer that ranges from 2000 to 3999 or 23000 to 23999.

  • 2000 to 2999: basic ACLs
  • 3000 to 3999: advanced ACLs
  • 23000 to 23999: ARP-based ACLs

    NOTE:

    ARP supports only ARP-based ACLs. The other protocols support basic and advanced ACLs.

acl ipv6 acl6-number

Specifies the ACL6 matching the filter.

The value of acl6-number is an integer that ranges from 2000 to 3999.

  • 2000 to 2999: basic ACL6s
  • 3000 to 3999: advanced ACL6s

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

If a user sends attack packets to the device, you can specify the characteristics of these packets in an ACL and apply the ACL to the filter. When the packets from this user reach the device, the device permits or discards the packets based on the ACL rule.

A protocol in a filter can be bound to only one ACL or IPv6 ACL. If you bind multiple ACLs or IPv6 ACLs to a filter, only the last one takes effect.

When the protocols specified in the filter and ACL are different, the device selects the protocol specified in the filter. For example, if a filter is configured to filter the DHCP protocol (UDP packets), while the protocol parameter in the ACL is set to TCP, the device still filters the DHCP protocol.

Example

# Apply ACL 3001 to the filter.

<HUAWEI> system-view
[~HUAWEI] cpu-defend policy test
[*HUAWEI-cpu-defend-policy-test] filter packet-type icmp acl 3001

reset auto-defend attack-source

Function

The reset auto-defend attack-source command clears information about attack sources.

Format

reset auto-defend attack-source [ statistics ] [ slot slot-id ]

Only the CE6870EI and CE6875EI support the statistics parameter.

Parameters

Parameter

Description

Value

statistics

Clears statistics on attack sources.

-

slot slot-id

  • The value is 1 if no stack is configured.
  • This parameter specifies the stack ID if stacking is enabled.

If slot slot-id is not specified, information about attack sources on all devices is cleared.

The value must be set according to the device configuration.

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To view the latest attack source information on the device, run the reset auto-defend attack-source command to delete the existing attack source information, wait for a period, and run the display auto-defend attack-source command.

Precautions

After the reset auto-defend attack-source command is run, information about attack sources is cleared and cannot be restored.

Example

# Delete existing attack source information on the device.

<HUAWEI> reset auto-defend attack-source

reset auto-defend attack-source trace-type

Function

The reset auto-defend attack-source trace-type command clears the counter of packets traced after attack source tracing based on source MAC addresses, source IP addresses, or source ports+VLANs is configured.

Format

reset auto-defend attack-source trace-type { source-mac [ mac-address ] | source-ip [ ip-address | ipv6-address ] | source-portvlan [ interface interface-type interface-number vlan vlan-id [ inner-vlan inner-vlan-id ] ] } * [ slot slot-id ]

Parameters

Parameter

Description

Value

source-mac [ mac-address ]

Clears the counter of packets traced after attack source tracing based on source MAC addresses is configured.

If mac-address is specified, the counter of traced packets sent from the specified MAC address is cleared.

The value of mac-address is in H-H-H format, where each H is 1 to 4 hexadecimal digits.

source-ip [ ip-address | ipv6-address ]

Clears the counter of packets traced after attack source tracing based on source IP addresses is configured.

If ip-address is specified, the counter of traced packets sent from the specified IP address is cleared.

If ipv6-address is specified, the counter of traced packets sent from the specified IPv6 address is cleared.

The value of ip-address is in dotted decimal notation. The value of ipv6-address is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.

source-portvlan [ interface interface-type interface-number vlan vlan-id [ inner-vlan inner-vlan-id ] ]

Clears the counter of packets traced after attack source tracing based on source ports+VLANs is configured.

If a port or VLAN is specified, the counter of traced packets sent from the specified port or VLAN is cleared.

  • interface-type specifies the interface type.

  • interface-number specifies the interface number.

  • vlan vlan-id specifies the ID of the VLAN.

  • inner-vlan inner-vlan-id specifies the inner VLAN ID in a QinQ packet.

vlan-id and inner-vlan-id are integers that range from 1 to 4094, excluding reserved VLAN IDs, which are configured using the vlan reserved command.

slot slot-id

Specifies the stack ID of the device.

The value must be set according to the device configuration.

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To view information about attack sources in a specified period, run the reset auto-defend attack-source trace-type command to clear existing information about attack sources and run the display auto-defend attack-source command.

Precautions

After the reset auto-defend attack-source trace-type command is run, information about attack sources is cleared and cannot be restored.

Example

# Clear the counter of traced packets sent from IP address 10.1.1.1.

<HUAWEI> reset auto-defend attack-source trace-type source-ip 10.1.1.1

reset cpu-defend statistics

Function

The reset cpu-defend statistics command clears statistics on packets sent to the CPU.

Format

  • Switches except for the CE5880EI, CE6870EI, CE6875EI and CE6880EI:

    reset cpu-defend statistics [ packet-type packet-type ] { all | slot slot-id }

  • CE5880EI, CE6870EI, CE6875EI, CE6880EI:

    reset cpu-defend statistics [ packet-type packet-type ] { all | slot slot-id }

    reset cpu-defend { blacklist | filter } statistics [ slot slot-id ]

Parameters

Parameter | Description | Value

packet-type packet-type

Specifies the protocol type of packets. packet-type specifies the packet type.

  • If packet-type packet-type is specified, the statistics on the specified type of protocol packets are cleared.
  • If packet-type packet-type is not specified, the statistics on all protocol packets are cleared.

The supported packet type depends on the device.

NOTE:

For BFD packets, this command does not take effect on the CE6875EI.

all

This parameter indicates all switches in a stack if stacking is enabled, or the switch itself if stacking is disabled.

-

slot slot-id

Specifies the stack ID of the device.

The value must be set according to the device configuration.

blacklist

Clears blacklist-based packet statistics.

-

filter

Clears filter-based packet statistics.

-

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To view statistics on the packets sent to the CPU in a specified period, run the reset cpu-defend statistics command to clear existing statistics and run the display cpu-defend statistics command.

Precautions

The deleted packet statistics cannot be restored.

Example

# Clear statistics on BGP packets on the board in slot 1.

<HUAWEI> reset cpu-defend statistics packet-type bgp slot 1

reset cpu-defend statistics enp

Function

The reset cpu-defend statistics enp command clears statistics about packets for which rate limiting in enhanced mode is performed.

This command is available only for the CE6875EI.

Format

reset cpu-defend statistics enp packet-type packet-type { all | slot slot-id }

Parameters

Parameter | Description | Value

packet-type packet-type

Specifies the protocol type of packets.

The supported packet type depends on the device.

all

Specifies all the switches in a stack if stacking is enabled or the local switch if stacking is disabled.

-

slot slot-id

Specifies the stack ID of the switch.

The value must be set according to the device configuration.

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To view statistics about packets rate-limited by the switch within a specified period, run the reset cpu-defend statistics enp command to clear existing statistics, and then run the display cpu-defend statistics enp command to display the new statistics.

Precautions

After the reset cpu-defend statistics enp command is run, packet statistics will be cleared and cannot be restored.

Example

# Clear statistics about BFD packets for which rate limiting in enhanced mode is performed. (CE6875EI)

<HUAWEI> reset cpu-defend statistics enp packet-type bfd all
