
auto-port-defend enable

Function

The auto-port-defend enable command enables the port attack defense function.

The undo auto-port-defend enable command disables the port attack defense function.

By default, the port attack defense function is enabled.

Format

auto-port-defend enable

undo auto-port-defend enable

Parameters

None

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If an attacker launches a DoS attack through a port, the attack packets that this port sends to the CPU consume the bandwidth of the channel to the CPU. As a result, the CPU cannot process the protocol packets sent from other ports, and services on those ports are interrupted.

The port attack defense function limits the rate at which each port can send packets to the CPU, and so mitigates DoS attacks against the CPU.

This function is enabled by default. If the number of packets of a protocol received on a port within one second exceeds the rate threshold for that protocol, the device considers the port to be under attack. The device then traces the source of the packets, limits the rate of the attack packets from that port, and records an attack log, so that the other ports are not affected.
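The detection just described, as an added simulation that is not Huawei's implementation and is not code from this page: it counts the packets each ingress port sends to the CPU per protocol in one-second windows, drops the packets that exceed an assumed per-protocol threshold, and records one attack log entry per port and protocol naming the most active source. The threshold values, port names, addresses and traffic are all constructed for the example; packets of protocols with no configured threshold are passed through unchanged, which is an assumption of the simulation rather than a statement about the device.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Assumed rate thresholds, in packets per second that a single port may send to
# the CPU for each protocol. Real thresholds are device- and protocol-specific.
RATE_THRESHOLD_PPS = {"arp": 5, "dhcp": 3}


@dataclass(frozen=True)
class Packet:
    t: float    # arrival time in seconds
    port: str   # ingress port
    proto: str  # protocol of the packet sent to the CPU
    src: str    # source address, used for source tracing


@dataclass
class Result:
    delivered: list = field(default_factory=list)  # packets handed to the CPU
    dropped: list = field(default_factory=list)    # packets rate-limited away
    logs: list = field(default_factory=list)       # attack log entries


def run_port_defend(packets, thresholds=RATE_THRESHOLD_PPS):
    """Per-port, per-protocol rate limiting in one-second windows.

    A packet that pushes its (port, protocol) count over the threshold for the
    current second is dropped, so a flood on one port cannot starve the CPU of
    packets from other ports. The first time a (port, protocol) pair exceeds
    the threshold it is reported once: the log entry names the source that has
    sent the most packets on that port so far (source tracing). Protocols with
    no threshold are passed through (an assumption of this simulation).
    """
    seen = defaultdict(int)            # (port, proto, second) -> packets seen
    by_source = defaultdict(Counter)   # (port, proto) -> packets per source
    reported = set()                   # (port, proto) pairs already logged
    res = Result()
    for p in sorted(packets, key=lambda x: x.t):
        sec = int(p.t)
        key = (p.port, p.proto)
        limit = thresholds.get(p.proto)
        by_source[key][p.src] += 1
        seen[(p.port, p.proto, sec)] += 1
        if limit is None or seen[(p.port, p.proto, sec)] <= limit:
            res.delivered.append(p)
            continue
        res.dropped.append(p)  # over the threshold: rate-limit this port only
        if key not in reported:
            reported.add(key)
            top_src, n = by_source[key].most_common(1)[0]
            res.logs.append(
                f"attack on port {p.port} proto {p.proto} at second {sec}: "
                f"traced source {top_src} ({n} packets)")
    return res


def sample_traffic():
    """Constructed traffic, not a real capture: host 10.0.0.9 floods ARP on
    GE0/0/1 in second 0, a legitimate host on GE0/0/2 sends two ARP packets,
    and GE0/0/1 returns to a normal rate in second 1."""
    pkts = [Packet(i / 100, "GE0/0/1", "arp", "10.0.0.9") for i in range(12)]
    pkts.append(Packet(0.50, "GE0/0/1", "arp", "10.0.0.2"))
    pkts += [Packet(0.10, "GE0/0/2", "arp", "10.0.0.5"),
             Packet(0.70, "GE0/0/2", "arp", "10.0.0.5")]
    pkts += [Packet(1.0 + i / 10, "GE0/0/1", "arp", "10.0.0.9") for i in range(3)]
    return pkts


if __name__ == "__main__":
    r = run_port_defend(sample_traffic())
    print(f"delivered={len(r.delivered)} dropped={len(r.dropped)}")
    for line in r.logs:
        print(line)
```

Running it shows the flood on GE0/0/1 cut to five packets in the first second while both packets from GE0/0/2 reach the CPU untouched, and the window resetting in the next second. Note that the legitimate host on the attacked port is rate-limited along with the attacker, which is why the traced source in the attack log matters: it tells the operator which host to act on.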

Precautions

Enabling the port attack defense function in an attack defense policy has no effect on its own: the attack defense policy takes effect only after it is applied in the system view.

Example

# Enable the port attack defense function in the attack defense policy test view.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-port-defend enable
Copyright © Huawei Technologies Co., Ltd.