auto-port-defend protocol

Function

The auto-port-defend protocol command specifies the types of protocol packets to which port attack defense is applied.

The undo auto-port-defend protocol command cancels port attack defense for certain types of protocol packets.

By default, port attack defense is applied to ARP Request, Unicast ARP Request, ARP Reply, DHCP, ICMP, IGMP, IP fragment, and ND packets.

Format

auto-port-defend protocol { all | { arp-request | arp-request-uc | arp-reply | dhcp | icmp | igmp | ip-fragment | nd } * }

undo auto-port-defend protocol { arp-request | arp-request-uc | arp-reply | dhcp | icmp | igmp | ip-fragment | nd } *

  • S2720-EI, S5720-LI, S5720S-LI, S5720-SI, S5720I-SI, S5720S-SI, S5730-SI, S5730S-EI, S6720-LI, S6720S-LI, S6720-SI, and S6720S-SI do not support the arp-request-uc parameter.
  • S2720-EI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5720I-SI, S5720S-SI, S5730-SI, S5730S-EI, S6720-LI, S6720S-LI, S6720-SI, and S6720S-SI do not support the icmp and ip-fragment parameters.
  • S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735-S-I, and S5735S-S do not support the nd parameter.

Parameters

| Parameter      | Description                                                                                                              | Value |
|----------------|--------------------------------------------------------------------------------------------------------------------------|-------|
| all            | Applies port attack defense to ARP Request, Unicast ARP Request, ARP Reply, DHCP, ICMP, IGMP, IP fragment, and ND packets. | -     |
| arp-request    | Applies port attack defense to ARP Request packets or cancels port attack defense for ARP Request packets.               | -     |
| arp-request-uc | Applies port attack defense to Unicast ARP Request packets or cancels port attack defense for Unicast ARP Request packets. | -     |
| arp-reply      | Applies port attack defense to ARP Reply packets or cancels port attack defense for ARP Reply packets.                   | -     |
| dhcp           | Applies port attack defense to DHCP packets or cancels port attack defense for DHCP packets.                             | -     |
| icmp           | Applies port attack defense to ICMP packets or cancels port attack defense for ICMP packets.                             | -     |
| igmp           | Applies port attack defense to IGMP packets or cancels port attack defense for IGMP packets.                             | -     |
| ip-fragment    | Applies port attack defense to IP fragment packets or cancels port attack defense for IP fragment packets.               | -     |
| nd             | Applies port attack defense to ND packets or cancels port attack defense for ND packets.                                 | -     |

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, the device measures the rate of all protocol packets received by a port, including ARP Request, ARP Reply, DHCP, ICMP, IGMP, and IP fragment packets, traces the source of attack packets, and limits their rate. If the packets that exceed the protocol rate threshold contain only a few attack packets, you can run the undo auto-port-defend protocol command to cancel port attack defense for the protocol types that do not need it. If the device limits the rate of too many protocols, services are affected.

Prerequisites

The port attack defense function has been enabled using the auto-port-defend enable command.

Precautions

If you run this command multiple times in the same attack defense policy view, only the latest configuration takes effect.

After port attack defense is applied to a type of protocol packet, the display auto-port-defend attack-source command shows the attack source tracing information whenever the port is attacked by that type of protocol packet.

Example

# In the attack defense policy test, cancel port attack defense for ARP Reply packets.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-port-defend enable
[HUAWEI-cpu-defend-policy-test] undo auto-port-defend protocol arp-reply
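The following Python script is an added example and is not part of Huawei's documentation or device software. It parses the command format shown above, applies the per-model restrictions listed under Format, and simulates the protocol set of one attack defense policy so that a planned change (such as the undo shown in the example) can be reviewed before it is applied to a device. Two points are assumptions drawn from the Usage Guidelines and Precautions rather than statements copied from the page: a non-undo command replaces the previous protocol set (only the latest configuration takes effect), and an undo command removes only the listed types; the model name "unlisted-model" is a placeholder for a switch that appears in none of the restriction lists.

```python
"""Syntax checker and state model for the auto-port-defend protocol command.

Added example, not Huawei code. It validates the Format section's syntax,
checks the model restrictions listed on the page, and simulates the
resulting per-policy protocol set.
"""

PROTOCOLS = ("arp-request", "arp-request-uc", "arp-reply", "dhcp",
             "icmp", "igmp", "ip-fragment", "nd")

# Model restrictions exactly as listed in the Format section of this page.
_NO_ARP_REQUEST_UC = {
    "S2720-EI", "S5720-LI", "S5720S-LI", "S5720-SI", "S5720I-SI", "S5720S-SI",
    "S5730-SI", "S5730S-EI", "S6720-LI", "S6720S-LI", "S6720-SI", "S6720S-SI",
}
_NO_ICMP_OR_IP_FRAGMENT = {
    "S2720-EI", "S5720-LI", "S5735-L", "S5735S-L", "S5735S-L-M", "S5720S-LI",
    "S5720-SI", "S5735-S", "S5735S-S", "S5735-S-I", "S5720I-SI", "S5720S-SI",
    "S5730-SI", "S5730S-EI", "S6720-LI", "S6720S-LI", "S6720-SI", "S6720S-SI",
}
_NO_ND = {"S5735-L", "S5735S-L", "S5735S-L-M", "S5735-S", "S5735-S-I", "S5735S-S"}

UNSUPPORTED = {
    "arp-request-uc": _NO_ARP_REQUEST_UC,
    "icmp": _NO_ICMP_OR_IP_FRAGMENT,
    "ip-fragment": _NO_ICMP_OR_IP_FRAGMENT,
    "nd": _NO_ND,
}


def parse_command(line):
    """Parse one 'auto-port-defend protocol ...' line (or its undo form).

    Returns (is_undo, protocols); 'all' expands to every protocol keyword.
    Raises ValueError on syntax the Format section does not allow.
    """
    tokens = line.split()
    is_undo = bool(tokens) and tokens[0] == "undo"
    if is_undo:
        tokens = tokens[1:]
    if tokens[:2] != ["auto-port-defend", "protocol"]:
        raise ValueError("not an auto-port-defend protocol command: %r" % line)
    args = tokens[2:]
    if not args:
        raise ValueError("at least one protocol keyword is required")
    if "all" in args:
        # 'all' stands alone and is absent from the undo form in the Format section.
        if is_undo or len(args) != 1:
            raise ValueError("'all' is only valid alone, and only without undo")
        return is_undo, PROTOCOLS
    unknown = [a for a in args if a not in PROTOCOLS]
    if unknown:
        raise ValueError("unknown protocol keyword(s): %s" % ", ".join(unknown))
    if len(set(args)) != len(args):
        raise ValueError("protocol keyword repeated")
    return is_undo, tuple(args)


def unsupported_on(model, protocols):
    """Return the protocols (in order) that the given model does not support.

    Models absent from the page's restriction lists are treated as supporting all.
    """
    return tuple(p for p in protocols if model in UNSUPPORTED.get(p, ()))


def effective_protocols(commands, model):
    """Simulate the protocol set of one attack defense policy on a model.

    Assumptions (inferred, not stated verbatim on the page): the default set is
    every protocol the model supports; a non-undo command replaces the whole
    set, since only the latest configuration takes effect; an undo command
    removes only the listed types.
    """
    state = [p for p in PROTOCOLS if not unsupported_on(model, (p,))]
    for line in commands:
        is_undo, protos = parse_command(line)
        bad = unsupported_on(model, protos)
        if bad:
            raise ValueError("%s does not support: %s" % (model, ", ".join(bad)))
        if is_undo:
            state = [p for p in state if p not in protos]
        else:
            state = [p for p in PROTOCOLS if p in protos]
    return tuple(state)


if __name__ == "__main__":
    # Constructed walk-through of the page's own Example on a restricted model.
    policy = ["undo auto-port-defend protocol arp-reply"]
    print(effective_protocols(policy, "S5735-L"))
```

Run it on the page's Example against an S5735-L and the remaining set is ARP Request, Unicast ARP Request, DHCP and IGMP: ICMP, IP fragment and ND were never available on that model, and ARP Reply was removed by the undo. Feeding the script a command that names icmp on an S5720-LI raises before anything would be pasted into the device, which is the check an operator wants when reusing one policy template across several models.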
Copyright © Huawei Technologies Co., Ltd.