Data Model
The data model file for local attack defense is huawei-cpu-traffic-security.yang.
Only S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-HI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the user-level rate limiting function.
Object |
Description |
Value |
Remarks |
|---|---|---|---|
/huawei-traffic:defend/host-car/enable |
Indicates whether user-level rate limiting is enabled. |
The value is of the Boolean type:
By default, user-level rate limiting is enabled. |
The value cannot be set to false if there are configurations on all related host-car nodes. |
/huawei-traffic:defend/host-car/protocol/protocol-typelist/protocol-type |
Indicates the packet types to which user-level rate limiting applies. |
The value is of the enumerated type:
By default, user-level rate limiting applies to the following types of packets: eap, arp, dhcp-request, dhcpv6-request, nd |
The value eap indicates 802.1X. If this value eap is configured, user-level rate limiting is applied to 802.1X packets on a switch. |
/huawei-traffic:defend/host-car/user/user-list/mac-address |
Indicates the MAC address for which a rate limit needs to be set. |
The value is in H-H-H format. |
You need to set a rate limit for the specified MAC address. |
/huawei-traffic:defend/host-car/user/user-list/threshold |
Indicates the rate limit for the specified MAC address. |
The value is an integer that ranges from 1 to 128. |
N/A |
/huawei-traffic:defend/host-car/threshold |
Indicates the user-level rate limit. |
The value is an integer that ranges from 1 to 128. By default, the user-level rate limit is 10 pps. |
N/A |
/ietf-interfaces:interfaces/interface/huawei-traffic:host-car/enable |
Indicates whether user-level rate limiting is enabled on an interface. |
The value is of the Boolean type:
By default, user-level rate limiting is enabled on an interface. |
N/A |
/huawei-traffic:attack-user/input/slot |
Displays attack source information of a specified slot. |
The value depends on the switch configuration. |
N/A |
/huawei-traffic:portattack-user/input/slot |
Displays attack source tracing information on the interfaces in the specified slot. |
The value depends on the switch configuration. |
N/A |
/huawei-traffic:defend/policy/policy-list/name |
Indicates the name of an attack defense policy. |
The value is a string of 1 to 32 case-sensitive characters. |
N/A |
/huawei-traffic:defend/policy/policy-list/auto-port-defend/enable |
Indicates whether port attack defense is enabled. |
The value is of the Boolean type:
By default, port attack defense is enabled. |
To avoid conflicts, ensure that the configurations of other auto-port-defend nodes are deleted if auto-port-defend/enable is set to false. |
/huawei-traffic:defend/policy/policy-list/auto-port-defend/alarm |
Indicates whether the function of reporting port attack defense events is enabled. |
The value is of the Boolean type:
By default, the function of reporting port attack defense events is disabled. |
N/A |
/huawei-traffic:defend/policy/policy-list/auto-port-defend/sample |
Indicates the protocol packet sampling ratio for port attack defense. |
The value is an integer that ranges from 1 to 1024. |
N/A |
/huawei-traffic:defend/policy/policy-list/auto-port-defend/whitelist/whitelist-id-list/whitelist-id |
Indicates the ID of the whitelist for port attack defense. |
The value is an integer that ranges from 1 to 32. |
N/A |
/huawei-traffic:defend/policy/policy-list/auto-port-defend/whitelist/whitelist-id-list/acl |
Indicates the number of the ACL applied to the whitelist for port attack defense. |
The value is an integer that ranges from 2000 to 3999. |
This node cannot be configured simultaneously with the node /huawei-traffic:defend/policy/policy-list/auto-port-defend/whitelist/whitelist-id-list/interface-name. |
/huawei-traffic:defend/policy/policy-list/auto-port-defend/whitelist/whitelist-id-list/interface-name |
Indicates the interface to which the whitelist for port attack defense is applied. |
The value is a string in the format of interface type + interface number, for example, GigabitEthernet0/0/1. |
N/A |
/huawei-traffic:defend/policy/policy-list/auto-port-defend/aging-time |
Indicates the aging time for port attack defense. |
The value is an integer that ranges from 30 to 86400, and must be a multiple of 10. |
N/A |
/huawei-traffic:defend/policy/policy-list/auto-port-defend/protocol/protocol-port-type-list/protocol-port-type |
Indicates the protocols to which port attack defense is applied. |
The value is of the enumerated type:
|
N/A |
/huawei-traffic:defend/policy/policy-list/auto-port-defend/protocol/protocol-port-type-list/threshold |
Indicates the protocol packet rate threshold for port attack defense. |
The value is an integer that ranges from 1 to 65535. |
N/A |
/huawei-traffic:defend/policy/policy-list/auto-defend/enable |
Indicates whether the attack source tracing function is enabled. |
The value is of the Boolean type:
By default, attack source tracing is enabled. |
To avoid conflicts, ensure that the configurations of other auto-defend nodes are deleted if auto-defend/enable is set to false. |
/huawei-traffic:defend/policy/policy-list/auto-defend/threshold |
Indicates the checking threshold and event reporting threshold for attack source tracing. |
The value is an integer that ranges from 1 to 65535. |
N/A |
/huawei-traffic:defend/policy/policy-list/auto-defend/alarm |
Indicates whether the function for reporting attack source tracing events is enabled. |
The value is of the Boolean type:
By default, the function for reporting attack source tracing events is disabled. |
N/A |
/huawei-traffic:defend/policy/policy-list/auto-defend/sample |
Indicates the packet sampling ratio for attack source tracing. |
The value is an integer that ranges from 1 to 1024. |
N/A |
/huawei-traffic:defend/policy/policy-list/auto-defend/whitelist/whitelist-id-list/whitelist-id |
Indicates the ID of a whitelist for attack source tracing. |
The value is an integer that ranges from 1 to 32. |
N/A |
/huawei-traffic:defend/policy/policy-list/auto-defend/whitelist/whitelist-id-list/interface-name |
Indicates the interface to which the whitelist for attack source tracing is applied. |
The value is a string in the format of interface type + interface number, for example, GigabitEthernet0/0/1. |
N/A |
/huawei-traffic:defend/policy/policy-list/auto-defend/whitelist/whitelist-id-list/acl |
Indicates the number of the ACL applied to the whitelist for attack source tracing. |
The value is an integer that ranges from 2000 to 3999. |
This node cannot be configured simultaneously with the node /huawei-traffic:defend/policy/policy-list/auto-defend/whitelist/whitelist-id-list/interface-name. |
/huawei-traffic:defend/policy/policy-list/auto-defend/action |
Indicates the punish action taken on the attack source. |
The value is of the enumerated type:
|
N/A |
/huawei-traffic:defend/policy/policy-list/auto-defend/recover-timer |
Indicates the period during which packets sent from an attack source are discarded. |
The value is an integer that ranges from 1 to 86400. |
When this node is configured, the node /huawei-traffic:defend/policy/policy-list/auto-defend/action must be set to deny. |
/huawei-traffic:defend/policy/policy-list/auto-defend/protocol-list/protocol |
Indicates the type of traced packets. |
The value is of the enumerated type:
|
The value eap indicates 802.1X. If this value eap is configured, 802.1X packets are traced on the switch. |
/huawei-traffic:defend/policy/policy-list/auto-defend/trace-type |
Indicates attack source tracing mode. |
The value is of the enumerated type:
|
N/A |
/huawei-traffic:defend/policy/policy-list/apply-list/applied-type |
Indicates the mode in which an attack defense policy is applied. |
The value is of the enumerated type:
|
Only stacking-capable devices support mainboard. |
/huawei-traffic:defend/errordown-recover-timer |
Indicates the period of time after which an interface that is shut down due to auto-defend protection can automatically go up. |
The value is an integer that ranges from 30 to 86400, in seconds. |
N/A |
/huawei-traffic:defend/policy/policy-list/car/packet/packet-type |
Specifies the type of CPU-forwarded protocol packets to be rate-limited or discarded. |
The value is of the enumerated type. For details about the supported protocol packet types, see Attack Defense Packet Types. The request cannot be delivered if an unsupported protocol packet type is configured. |
N/A |
/huawei-traffic:defend/policy/policy-list/car/packet/cir |
Specifies the CIR for protocol packets to be sent to the CPU. |
The value is an integer in the range from 8 to 4294967295, in kbit/s. The value range varies according to protocol packet types. |
This object cannot be configured together with the /huawei-traffic:defend/policy/policy-list/car/packet/deny object. |
/huawei-traffic:defend/policy/policy-list/car/packet/cbs |
Specifies the CBS for protocol packets to be sent to the CPU. |
The value is an integer in the range from 10000 to 4294967295, in bytes. The value range varies according to protocol packet types. |
Before configuring this object, configure the huawei-traffic:defend/policy/policy-list/car/packet/cir object first. |
/huawei-traffic:defend/policy/policy-list/car/packet/deny |
Sets the action for protocol packets to be sent to the CPU to deny. |
- |
This object cannot be configured together with the /huawei-traffic:defend/policy/policy-list/car/packet/cir object. |
/hw-traffic:defend/policy/policy-list/blacklist/blacklist-number |
Specifies the ID of a blacklist. |
The value is an integer that ranges from 1 to 8. |
N/A |
/hw-traffic:defend/policy/policy-list/blacklist/acl-number |
Specifies the number of an ACL matching the IPv6 blacklist. |
The value is an integer that ranges from 2000 to 4999.
|
N/A |