cpu-defend application-apperceive enable

Function

The cpu-defend application-apperceive enable command enables active link protection (ALP). After ALP is enabled, the CAR values set for protocol packets using the linkup-car command take effect.

The undo cpu-defend application-apperceive enable command disables ALP.

By default, ALP is enabled on FTP, IPv6 FTP, HTTP, HTTPS, IP-CLOUD, IKE, IPSEC-ESP, SSH, TELNET, and TFTP packets and disabled on BGP, BGP4+, ISIS, OSPF, and OSPFv3 packets.

Format

cpu-defend application-apperceive [ bgp | bgp4plus | ftp | ftpv6 | http | https | ike | ip-cloud | ipsec-esp | isis | ospf | ospfv3 | ssh | telnet | tftp ] enable

undo cpu-defend application-apperceive [ bgp | bgp4plus | ftp | ftpv6 | http | https | ike | ip-cloud | ipsec-esp | isis | ospf | ospfv3 | ssh | telnet | tftp ] enable

  • Only the S5720-EI, S5720-HI, S5730-HI, S5730S-EI, S5730-SI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-S, S5735S-S, S5735-S-I, S6720-EI, S6720-HI, S6720S-EI, S6720S-SI, S6720-SI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the bgp parameter.
  • Only the S2720-EI, S5720-EI, S5720I-SI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730S-EI, S5730-SI, S6720-EI, S6720-LI, S6720S-EI, S6720S-LI, S6720S-SI, and S6720-SI support the ike parameter.
  • Only the S2720-EI, S5720-EI, S5720-HI, S5720I-SI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730-HI, S5730S-EI, S5730-SI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6720S-SI, S6720-SI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the ipsec-esp parameter.
  • Only the S2720-EI, S5720-EI, S5720-HI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S5720S-LI, S5730-HI, S5730S-EI, S5730-SI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720-LI, S6720S-EI, S6720S-LI, S6720S-SI, S6720-SI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the ospf parameter.
  • Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the bgp4plus and isis parameters.
  • Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the ospfv3 parameter.
  • Only the S5720-EI, S5720-HI, S5720I-SI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731S-H, S5732-H, S5731-S, S5731S-S, S6730-S, S6730S-S, S6720-EI, S6720-HI, S6720S-EI, S6720S-LI, S6720-LI, S6730-H, S6730S-H, S6720S-SI, and S6720-SI support the ip-cloud parameter.

Parameters

Parameter | Description | Value
--- | --- | ---
bgp | Enables ALP on BGP packets. | -
bgp4plus | Enables ALP on BGP4+ packets. | -
ftp | Enables ALP on FTP packets. | -
ftpv6 | Enables ALP on IPv6 FTP packets. | -
http | Enables ALP on HTTP packets. | -
https | Enables ALP on HTTPS packets. | -
ike | Enables ALP on IKE packets. | -
ip-cloud | Enables ALP on IP-CLOUD packets. | -
ipsec-esp | Enables ALP on IPSEC-ESP packets. | -
isis | Enables ALP on ISIS packets. | -
ospf | Enables ALP on OSPF packets. | -
ospfv3 | Enables ALP on OSPFv3 packets. | -
ssh | Enables ALP on SSH packets. | -
telnet | Enables ALP on TELNET packets. | -
tftp | Enables ALP on TFTP packets. | -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The default CAR value of the BGP, BGP4+, FTP, IPv6 FTP, HTTP, HTTPS, IP-CLOUD, ISIS, OSPFv3, OSPF, IKE, IPSEC-ESP, SSH, TFTP, or TELNET protocol is small. When a switch uses these protocols to transfer files or set up connections with other hosts or devices, the number of protocol packets increases sharply in a short period. When the packet rate exceeds the limit, the protocol packets are dropped. The switch may also be subjected to attacks that use other protocols. This affects data transmission and causes service interruption.

You can run the cpu-defend application-apperceive command to enable ALP for the above protocols, which ensures that the related services keep operating normally when attacks occur. When a connection is set up, the switch sends packets at the rate of the CPCAR value configured using the linkup-car command. The CPCAR value can be set as required.

Precautions

To enable the ALP function for a specific protocol, first run the cpu-defend application-apperceive enable command to enable ALP globally. For example, to enable ALP for the TFTP protocol, run the cpu-defend application-apperceive enable command and then the cpu-defend application-apperceive tftp enable command to make the configuration take effect.

Example

# Enable ALP on BGP packets and set the CIR value to 256 kbit/s.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] linkup-car packet-type bgp cir 256
[HUAWEI-cpu-defend-policy-test] quit
[HUAWEI] cpu-defend application-apperceive enable
[HUAWEI] cpu-defend application-apperceive bgp enable
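
The dependency described under Function and Precautions can be checked offline against a list of commands. The following audit script is an added example, not part of the Huawei documentation: it reports linkup-car values that cannot take effect because global or per-protocol ALP is missing. The names audit_alp and global_default are hypothetical; the script assumes that the linkup-car packet-type keyword matches the ALP keyword (as bgp does in the example above) and that global ALP is off unless its enable command appears.

```python
import re

# Keywords from this page's Format line; DEFAULT_OFF is the set the page
# lists as having ALP disabled by default.
ALP_PROTOCOLS = {"bgp", "bgp4plus", "ftp", "ftpv6", "http", "https", "ike",
                 "ip-cloud", "ipsec-esp", "isis", "ospf", "ospfv3", "ssh",
                 "telnet", "tftp"}
DEFAULT_OFF = {"bgp", "bgp4plus", "isis", "ospf", "ospfv3"}

PROMPT_RE = re.compile(r"^\s*(<[^>]*>|\[[^\]]*\])\s*")
ALP_RE = re.compile(
    r"^(undo\s+)?cpu-defend application-apperceive(?:\s+(\S+))?\s+enable$")
CAR_RE = re.compile(r"^linkup-car packet-type (\S+) cir (\d+)")

def audit_alp(lines, global_default=False):
    """Return (protocol, cir, reason) for linkup-car values that stay inert.

    Assumption: global ALP counts as off unless its enable command appears
    (global_default), because the page does not state the global default.
    """
    global_on = global_default
    enabled = {p: p not in DEFAULT_OFF for p in ALP_PROTOCOLS}
    cars = []
    for raw in lines:
        cmd = PROMPT_RE.sub("", raw).strip()  # drop <HUAWEI> / [HUAWEI-...]
        alp = ALP_RE.match(cmd)
        car = CAR_RE.match(cmd)
        if alp:
            undo, proto = bool(alp.group(1)), alp.group(2)
            if proto is None:
                global_on = not undo       # global switch
            elif proto in enabled:
                enabled[proto] = not undo  # per-protocol switch
        elif car:
            cars.append((car.group(1), int(car.group(2))))
    findings = []
    for proto, cir in cars:
        if proto not in enabled:
            continue  # packet type is not one of this page's ALP keywords
        if not global_on:
            findings.append((proto, cir, "global ALP not enabled"))
        elif not enabled[proto]:
            findings.append((proto, cir, f"ALP not enabled for {proto}"))
    return findings

# Constructed input: the page's example with the global enable line left out.
SAMPLE = ["[HUAWEI-cpu-defend-policy-test] linkup-car packet-type bgp cir 256",
          "[HUAWEI] cpu-defend application-apperceive bgp enable"]
print(audit_alp(SAMPLE))
```

The check evaluates the final state of the command list, so an undo command later in the input overrides an earlier enable.
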
Copyright © Huawei Technologies Co., Ltd.