
auto-port-defend protocol threshold

Function

The auto-port-defend protocol threshold command sets the protocol packet rate threshold for port attack defense.

The undo auto-port-defend protocol threshold command restores the default protocol packet rate threshold for port attack defense.

The following table lists the default rate thresholds for different protocols.


Packet Type

Rate Threshold

arp-request

60 pps for the S5720-EI, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6720S-EI, and S6720-EI, 120 pps for the S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, and S6720-HI, and 30 pps for other switch models

arp-request-uc

60 pps for the S5720-EI, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6720S-EI, and S6720-EI, 120 pps for the S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, and S6720-HI

arp-reply

60 pps for the S5720-EI, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6720S-EI, and S6720-EI, 120 pps for the S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, and S6720-HI, and 30 pps for other switch models

dhcp

60 pps for the S5720-EI, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6720S-EI, and S6720-EI, 120 pps for the S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, and S6720-HI, and 30 pps for other switch models

icmp

120 pps for the S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, and S6720-HI, and 60 pps for other switch models

igmp

120 pps for the S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, and S6720-HI, and 60 pps for other switch models

ip-fragment

30 pps

nd

60 pps for the S5720-EI, S6720S-EI, and S6720-EI, 120 pps for the S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, and S6720-HI, and 30 pps for other switch models

Format

auto-port-defend protocol { all | arp-request | arp-request-uc | arp-reply | dhcp | icmp | igmp | ip-fragment | nd } threshold threshold

undo auto-port-defend protocol { all | arp-request | arp-request-uc | arp-reply | dhcp | icmp | igmp | ip-fragment | nd } threshold [ threshold ]

  • The S2720-EI, S5720-LI, S5720S-LI, S5720-SI, S5720I-SI, S5720S-SI, S5730-SI, S5730S-EI, S6720-LI, S6720S-LI, S6720-SI, and S6720S-SI do not support the arp-request-uc parameter.
  • The S2720-EI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5720I-SI, S5720S-SI, S5730-SI, S5730S-EI, S6720-LI, S6720S-LI, S6720-SI, and S6720S-SI do not support the icmp and ip-fragment parameters.
  • The S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735-S-I, and S5735S-S do not support the nd parameter.

Parameters

Parameter Description Value

all

Sets the rate thresholds for ARP Request, Unicast ARP Request, ARP Reply, DHCP, ICMP, IGMP, IP fragment, and ND packets.

-

arp-request

Specifies the rate threshold for ARP Request packets.

-

arp-request-uc

Specifies the rate threshold for Unicast ARP request packets.

-

arp-reply

Specifies the rate threshold for ARP Reply packets.

-

dhcp

Specifies the rate threshold for DHCP packets.

-

icmp

Specifies the rate threshold for ICMP packets.

-

igmp

Specifies the rate threshold for IGMP packets.

-

ip-fragment

Specifies the rate threshold for IP fragment packets.

-

nd

Specifies the rate threshold for ND packets.

-

threshold threshold

Specifies the protocol rate threshold.

The value is an integer that ranges from 1 to 65535, in pps.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After port attack defense is enabled on a port, the device measures the rate of each affected protocol's packets received on that port. If the packet rate exceeds the protocol rate threshold, the device considers the port to be under attack: it traces the source, limits the rate of the attack packets on the port, and records a log. Packets within the protocol rate limit (the CPCAR configured in the attack defense policy) are moved to the low-priority queue and then sent to the CPU; packets exceeding the limit are discarded.

You need to set an appropriate rate threshold for port attack defense according to service requirements. If the CPU fails to process many protocol packets promptly after port attack defense is enabled, set a large packet rate threshold. If the CPU is busy processing the packets of a protocol, set a small rate threshold for this protocol to avoid impact on other services.
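The threshold check and rate limiting described above, as an added illustrative model (not Huawei's implementation or code from this page): packets are counted per port and protocol in a one-second window, which is an assumption since the page does not state the device's measurement interval, and the port name and traffic are constructed.

```python
from collections import defaultdict

# Default thresholds (pps) taken from the table above for "other switch
# models"; the per-model variants are not modelled, and arp-request-uc has
# no such default in the table so it must be configured explicitly.
DEFAULT_THRESHOLDS = {
    "arp-request": 30, "arp-reply": 30, "dhcp": 30, "icmp": 60,
    "igmp": 60, "ip-fragment": 30, "nd": 30,
}

class PortDefend:
    """Per-port, per-protocol rate check over a one-second counting window
    (assumed window; the page does not give the device's real interval)."""

    def __init__(self):
        self.thresholds = dict(DEFAULT_THRESHOLDS)
        self.counts = defaultdict(int)   # (port, proto, second) -> packets seen
        self.logs = []

    def set_threshold(self, proto, pps):
        # Mirrors "auto-port-defend protocol { all | <proto> } threshold <pps>":
        # 1..65535 pps, and the latest configuration replaces the previous one.
        if not 1 <= pps <= 65535:
            raise ValueError("threshold must be 1..65535 pps")
        protos = list(self.thresholds) if proto == "all" else [proto]
        for p in protos:
            self.thresholds[p] = pps

    def receive(self, port, proto, t):
        """Return 'cpu' if the packet goes to the low-priority CPU queue,
        'drop' if it exceeds the protocol rate threshold in this window."""
        key = (port, proto, int(t))
        self.counts[key] += 1
        limit = self.thresholds[proto]
        if self.counts[key] <= limit:
            return "cpu"
        if self.counts[key] == limit + 1:  # log once per window, on first excess
            self.logs.append(f"port {port}: {proto} exceeded {limit} pps at t={int(t)}s")
        return "drop"

def simulate(defend, packets):
    """packets: iterable of (port, proto, timestamp). Returns {'cpu': n, 'drop': m}."""
    result = {"cpu": 0, "drop": 0}
    for port, proto, t in packets:
        result[defend.receive(port, proto, t)] += 1
    return result

def demo():
    """Constructed traffic: a 100 pps ARP Request burst plus 35 pps of DHCP on
    one port, with arp-request set to 40 pps as in the page's example."""
    d = PortDefend()
    d.set_threshold("arp-request", 40)
    pkts = [("GE0/0/1", "arp-request", i / 100) for i in range(100)]
    pkts += [("GE0/0/1", "dhcp", i / 50) for i in range(35)]
    return simulate(d, pkts), d.logs
```

Running demo() shows 40 ARP Request and 30 DHCP packets admitted to the CPU queue and the remaining 65 discarded, with one log entry per protocol that crossed its threshold.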

Prerequisites

The port attack defense function has been enabled using the auto-port-defend enable command.

Precautions

If you run the auto-port-defend protocol threshold command multiple times in the same attack defense policy view, only the latest configuration takes effect.

Example

# In the attack defense policy test, set the rate threshold for ARP Request packets to 40 pps.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-port-defend enable
[HUAWEI-cpu-defend-policy-test] auto-port-defend protocol arp-request threshold 40
Copyright © Huawei Technologies Co., Ltd.