
car (attack defense policy view)

Function

The car command sets the rate limit for packets sent to the CPU.

The undo car command restores the default rate limit for packets sent to the CPU.

By default, the CIR value for user-defined flows is 64 kbit/s. You can run the display cpu-defend configuration command to check the CAR values for protocol packets.

Format

car { packet-type packet-type | user-defined-flow flow-id } cir cir-value [ cbs cbs-value ]

undo car { packet-type packet-type | user-defined-flow flow-id }

Parameters

Parameter | Description | Value

packet-type packet-type
  Description: Specifies the type of packets.
  Value: The supported packet types depend on the device.

user-defined-flow flow-id
  Description: Specifies the ID of the user-defined flow.
    NOTE: Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support this parameter.
  Value: The value is an integer that ranges from 1 to 8.

cir cir-value
  Description: Specifies the committed information rate (CIR).
  Value: The value is an integer.
    • For packet-type packet-type, the value range varies according to the packet type. Press ? after the command to display the range.
    • For user-defined-flow flow-id, the value ranges from 8 to 4096, in kbit/s.
    NOTE: The minimum value that can take effect on a given model may be greater than the configurable minimum value. If the configured value is smaller than the minimum value that can take effect, the minimum value that can take effect is used. You can run the display cpu-defend applied command to view the value that actually takes effect.

cbs cbs-value
  Description: Specifies the committed burst size (CBS).
  Value: The value is an integer.
    • For packet-type packet-type, the value range varies according to the packet type. Press ? after the command to display the range.
    • For user-defined-flow flow-id, the value ranges from 10000 to 800000, in bytes.
    If cbs is not set, the default cbs-value is 188 times the cir-value.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The switch has default CAR values for each type of protocol packet. You can adjust CAR values for specified types of protocol packets based on services and network environment.

After an attack defense policy is created, you can limit the rate of protocol packets using the policy:
  • Reduce the CAR values in the following situation: When a network undergoes an attack, reduce the CAR values of the corresponding protocol, to reduce impact on the system CPU.
  • Increase the CAR values in the following situation: When service traffic volume on the network increases, a large number of protocol packets need to be sent to the CPU. Increase the CAR values of the corresponding protocols to meet service requirements.

Improper CPCAR settings will affect services on your network. If you need to adjust CPCAR settings, you are advised to contact technical support personnel for help.

For the S5720-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S5730-HI, and S6720-HI, the device limits the rate of some protocol packets in pps mode. That is, the actual CPCAR value is the number of packets allowed to pass per second, calculated from the configured CIR (in kbit/s) and the packet length (in bytes) as follows:

CIR value x 1024 / (8 x Packet length)

For example, if the CIR value of https-syn packets (packet length 200 bytes) is set to 64 kbit/s, 40 https-syn packets are allowed to pass per second. The number 40 is calculated as follows:

64 x 1024 / (8 x 200) = 40.96 (rounded down to the integer 40)

The following table lists the types and lengths of packets that support rate limiting in pps mode.

Packet Type | Packet Length in Bytes (Including Preamble and IFG)
nac-arp-reply, nac-arp-request, 8021x, 8021x-wireless, 8021x-start-wlan, 8021x-ident-wlan, 8021x-start, 8021x-ident, nac-nd | 88
eap-key, capwap-other, capwap-ap-update, capwap-keepalive | 100
capwap-association, capwap-smart-roam, capwap-disassoc, capwap-station, capwap-ac-roam-syn | 120
hw-tacacs, wapi, capwap-rf-neighbor, capwap-regular-rep, capwap-ap-auth, capwap-license-mng, capwap-ac-auth | 128
portal | 152
wlan-not-capwap, https-syn | 200
capwap-discov-bc, capwap-discov-uc | 256
nac-dhcp | 374
dhcp-server, capwap-echo, radius, nac-dhcpv6 | 400
https-other | 500
sip | 800
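As an added planning example (not code from the Huawei reference page and not a Huawei tool), the Python below applies the two rules documented above, the pps-mode formula CIR x 1024 / (8 x packet length) rounded down and the default CBS of 188 times the CIR, to the packet-length table, and checks a user-defined-flow configuration against the ranges given in the Parameters section. The function names and the use of those ranges as validation are assumptions of this example; the packet lengths and formulas are the page's own.

```python
# Added example, not code from the Huawei command reference: a planning helper
# that applies the car command's documented formulas (pps-mode rate and default
# CBS) to the page's packet-length table. Function names and the range checks
# are assumptions of this example, not a Huawei API.
import math

# Packet lengths in bytes (including preamble and IFG), transcribed from the
# page's table of packet types that are rate-limited in pps mode.
PPS_MODE_PACKET_LENGTH = {}
for _length, _types in (
    (88, "nac-arp-reply nac-arp-request 8021x 8021x-wireless 8021x-start-wlan "
         "8021x-ident-wlan 8021x-start 8021x-ident nac-nd"),
    (100, "eap-key capwap-other capwap-ap-update capwap-keepalive"),
    (120, "capwap-association capwap-smart-roam capwap-disassoc capwap-station "
          "capwap-ac-roam-syn"),
    (128, "hw-tacacs wapi capwap-rf-neighbor capwap-regular-rep capwap-ap-auth "
          "capwap-license-mng capwap-ac-auth"),
    (152, "portal"),
    (200, "wlan-not-capwap https-syn"),
    (256, "capwap-discov-bc capwap-discov-uc"),
    (374, "nac-dhcp"),
    (400, "dhcp-server capwap-echo radius nac-dhcpv6"),
    (500, "https-other"),
    (800, "sip"),
):
    for _t in _types.split():
        PPS_MODE_PACKET_LENGTH[_t] = _length


def allowed_pps(cir_kbps, packet_length_bytes):
    """Packets per second admitted to the CPU: CIR x 1024 / (8 x length), rounded down."""
    return math.floor(cir_kbps * 1024 / (8 * packet_length_bytes))


def default_cbs(cir_kbps):
    """Default committed burst size when cbs is omitted: 188 times the CIR value."""
    return 188 * cir_kbps


def pps_budget(cir_kbps):
    """Map every pps-mode packet type to the packet rate a given CIR admits."""
    return {t: allowed_pps(cir_kbps, n) for t, n in PPS_MODE_PACKET_LENGTH.items()}


def check_user_defined_flow(flow_id, cir_kbps, cbs_bytes=None):
    """Return the list of range violations for a car user-defined-flow command.

    Ranges are the ones the page states: flow-id 1..8, cir 8..4096 kbit/s and
    cbs 10000..800000 bytes. An empty list means every value is in range.
    """
    errors = []
    if not 1 <= flow_id <= 8:
        errors.append(f"flow-id {flow_id} is outside 1..8")
    if not 8 <= cir_kbps <= 4096:
        errors.append(f"cir {cir_kbps} kbit/s is outside 8..4096")
    if cbs_bytes is not None and not 10000 <= cbs_bytes <= 800000:
        errors.append(f"cbs {cbs_bytes} bytes is outside 10000..800000")
    return errors


if __name__ == "__main__":
    # The page's own worked case: 64 kbit/s for https-syn (200 bytes) gives 40 pps.
    print("https-syn at 64 kbit/s:",
          allowed_pps(64, PPS_MODE_PACKET_LENGTH["https-syn"]), "pps")
    # What the same 64 kbit/s CIR admits for every pps-mode packet type.
    for ptype, pps in sorted(pps_budget(64).items(), key=lambda kv: kv[1]):
        print(f"{ptype:20s} {PPS_MODE_PACKET_LENGTH[ptype]:4d} bytes -> {pps:4d} pps")
    print("default cbs for cir 64:", default_cbs(64), "bytes")
    # Constructed out-of-range input to show the validation output.
    print("flow 9, cir 4, cbs 900000:", check_user_defined_flow(9, 4, 900000))
```

The budget table makes the practical point of the pps-mode rule visible: the same CIR admits roughly nine times as many 88-byte 802.1X frames as 800-byte SIP packets, so when lowering a CIR during an attack it is the packet rate, not the kbit/s figure, that tells you how much protocol traffic will still reach the CPU.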

Precautions

The deny command and the car command override each other, and whichever is run later takes effect: if you run the deny command and then the car command, the car command takes effect; if you run the car command and then the deny command, the deny command takes effect.

If both the configured CAR values and the actual rate of packets sent to the CPU are high, CPU usage may become high and performance may deteriorate. In the worst case, the stack breaks.

The S2720-EI, S5720I-SI, S5720-LI, S5720S-LI, S5720S-SI, S5720-SI, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI use the CAR values configured for FIB-hit packets to limit the rate of ND packets destined for the MAC address of the local switch. These models limit the rate of BPDU and CDP packets using the CPCAR configured by the car packet-type bpdu-tunnel cir cir-value [ cbs cbs-value ] command.

Example

# Set the rate limit in the attack defense policy named test for ARP Reply packets: set the CIR value to 64 kbit/s and the CBS value to 33000 bytes.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] car packet-type arp-reply cir 64 cbs 33000
Warning: Improper parameter settings may affect stable operating of the system. Use this command under assistance of Huawei engineers. Continue? [Y/N]:y
Copyright © Huawei Technologies Co., Ltd.