
Default Settings for Local Attack Defense

Table 1 lists the default settings for CPU attack defense. Table 2 lists the default settings for attack source tracing. Table 3 lists the default settings for port attack defense. Table 4 lists the default settings for user-level rate limiting.

Table 1 Default settings for CPU attack defense

| Parameter | Default Setting |
|---|---|
| CPU attack defense policy | CPU attack defense policy named default. |
| Blacklist | No blacklist |
| User-defined flow | No user-defined flow |
| Type of interfaces sending packets to the CPU | NNI |
| Type of interfaces sending protocol packets to the CPU | To check the type of interfaces sending protocol packets to the CPU, run the display cpu-defend configuration command. |
| CIR value | By default, the switch rate-limits packets based on the default rate limits in the default policy. To check the CIR value, run the display cpu-defend configuration command. |
| CPCAR value for BGP, BGP4PLUS, FTP, HTTP, HTTPS, IKE, IP-CLOUD, IPSec-ESP, ISIS, OSPF, OSPFv3, SSH, Telnet, and TFTP packets used when connections are set up | The default CPCAR values vary according to the protocol types of packets. For details, see Configuring a Rule for Sending Packets to the CPU. |
| ALP | By default, ALP is enabled for FTP, IPv6 FTP, HTTP, HTTPS, IP-CLOUD, IKE, IPSEC-ESP, SSH, TELNET, and TFTP packets and disabled for BGP, BGP4+, ISIS, OSPF, and OSPFv3 packets. |

Table 2 Default settings for attack source tracing

| Parameter | Default Setting |
|---|---|
| Attack defense policy | Attack defense policy named default. |
| Attack source tracing function | Enabled |
| Threshold for attack source tracing | 60 pps |
| Packet sampling ratio for attack source tracing | 5 |
| Attack source tracing mode | Based on source IP addresses and source MAC addresses |
| Types of traced packets | By default, attack source tracing is performed for 8021X, ARP, DHCP, DHCPv6, ICMP, ICMPv6, IGMP, MLD, ND, TCP, TCPv6, and Telnet packets. |
| Whitelist | By default, no whitelist is configured for attack source tracing. The implicit whitelist rules listed below the table apply regardless of whether attack source tracing is enabled. |
| Alarm function for attack source tracing | Disabled |
| Alarm threshold for attack source tracing | 60 pps |
| Punish function for attack source tracing | Disabled |

Implicit whitelist rules for attack source tracing: if any of the following conditions is met, the switch uses the condition as a whitelist matching rule, regardless of whether attack source tracing is enabled. Once attack source tracing is enabled, the switch does not trace the sources of packets matching such rules.

  • If an application uses TCP and has set up a TCP connection with the switch, the switch does not consider TCP packets with the matching source IP address as attack packets. If no TCP packets match a source IP address within 1 hour, the rule for that source IP address is aged out.
  • If an interface has been configured as a DHCP trusted interface using the dhcp snooping trusted command, the switch does not consider DHCP packets received on this interface as attack packets.
  • If an interface has been configured as a MAC forced forwarding (MFF) network-side interface using the mac-forced-forwarding network-port command, the switch does not consider ARP packets received on this interface as attack packets.

Table 3 Default settings for port attack defense

| Parameter | Default Setting |
|---|---|
| Attack defense policy | Attack defense policy named default. |
| Port attack defense function | Enabled |
| Types of protocol packets to which port attack defense is applied | By default, port attack defense applies to ARP Request, unicast ARP Request, ARP Reply, DHCP, ICMP, IGMP, IP fragment, and ND packets. |
| Rate threshold | The rate thresholds vary according to protocol types. For details, see Setting the Rate Threshold for Port Attack Defense. |
| Sampling ratio | 5 |
| Aging time | 300 seconds |
| Alarm function | Disabled |
| Whitelist | By default, no whitelist is configured for port attack defense. The implicit whitelist rules listed below the table apply regardless of whether port attack defense is enabled. |

Implicit whitelist rules for port attack defense: if any of the following conditions is met, the switch uses the condition as a whitelist matching rule, regardless of whether port attack defense is enabled. Once port attack defense is enabled, the switch does not apply port attack defense to packets matching such rules.

  • If an interface has been configured as a DHCP trusted interface using the dhcp snooping trusted command, the switch does not consider DHCP packets received on this interface as attack packets.
  • If an interface has been configured as a MAC forced forwarding (MFF) network-side interface using the mac-forced-forwarding network-port command, the switch does not consider ARP packets received on this interface as attack packets.

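
As an added example that is not part of this page or of the switch's own software, the following Python model shows how the implicit whitelist rules shared by attack source tracing (Table 2) and port attack defense (Table 3) interact with a per-source threshold: an ARP flood on an ordinary access port is counted against the default 60 pps tracing threshold, the same flood on the MFF network-side interface and DHCP on the DHCP trusted interface are exempt, and a TCP rule ages out after one idle hour. The interface names, addresses, packet fields and per-second counting are constructed assumptions, and the sampling ratio is not modelled.

```python
from collections import defaultdict

TRACE_THRESHOLD_PPS = 60   # Table 2 default threshold for attack source tracing
TCP_RULE_AGE_S = 3600      # a TCP whitelist rule ages out after 1 hour without matches

class AttackSourceTracer:
    """Educational model of the implicit whitelist rules, not the switch's code."""

    def __init__(self, dhcp_trusted_ifaces=(), mff_network_ifaces=()):
        self.dhcp_trusted = set(dhcp_trusted_ifaces)  # dhcp snooping trusted interfaces
        self.mff_network = set(mff_network_ifaces)    # mac-forced-forwarding network-port
        self.tcp_rules = {}                           # src_ip -> time of last matching TCP packet
        self.pps = defaultdict(int)                   # (second, src_ip, src_mac) -> packet count

    def tcp_connection_set_up(self, src_ip, now):
        """An application has set up a TCP connection with the switch."""
        self.tcp_rules[src_ip] = now

    def whitelisted(self, pkt):
        proto, iface, ip, now = pkt["proto"], pkt["iface"], pkt["src_ip"], pkt["t"]
        if proto == "TCP" and ip in self.tcp_rules:
            if now - self.tcp_rules[ip] < TCP_RULE_AGE_S:
                self.tcp_rules[ip] = now    # a matching packet keeps the rule alive
                return True
            del self.tcp_rules[ip]          # no match for an hour: rule aged out
        if proto == "DHCP" and iface in self.dhcp_trusted:
            return True
        return proto == "ARP" and iface in self.mff_network

    def observe(self, pkt):
        """Return True when this packet takes its source over the tracing threshold."""
        if self.whitelisted(pkt):
            return False
        key = (int(pkt["t"]), pkt["src_ip"], pkt["src_mac"])   # assumed per-second window
        self.pps[key] += 1
        return self.pps[key] > TRACE_THRESHOLD_PPS

def demo():
    """Constructed traffic with hypothetical interface names and addresses."""
    tr = AttackSourceTracer(dhcp_trusted_ifaces={"GE0/0/1"}, mff_network_ifaces={"GE0/0/2"})
    def pkt(proto, iface, t, ip="10.0.0.9", mac="00aa-bb01-0001"):
        return {"proto": proto, "iface": iface, "src_ip": ip, "src_mac": mac, "t": t}
    flood_traced = any(tr.observe(pkt("ARP", "GE0/0/3", 0.0)) for _ in range(61))   # 61st packet trips
    flood_on_mff = any(tr.observe(pkt("ARP", "GE0/0/2", 1.0)) for _ in range(61))   # MFF port: exempt
    dhcp_trusted = tr.observe(pkt("DHCP", "GE0/0/1", 2.0))                           # trusted: exempt
    tr.tcp_connection_set_up("10.0.0.9", 10.0)
    tcp_fresh = tr.whitelisted(pkt("TCP", "GE0/0/3", 20.0))                         # rule still valid
    tcp_aged = tr.whitelisted(pkt("TCP", "GE0/0/3", 20.0 + TCP_RULE_AGE_S))         # idle 1 hour: aged
    return flood_traced, flood_on_mff, dhcp_trusted, tcp_fresh, tcp_aged
```
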
Table 4 Default settings for user-level rate limiting

| Parameter | Default Setting |
|---|---|
| User-level rate limiting function | Enabled |
| Packet types to which user-level rate limiting applies | By default, user-level rate limiting can apply to ARP Request, ARP Reply, ND, DHCP Request, DHCPv6 Request, and 8021x packets, but does not apply to IGMP and HTTPS-SYN packets. |
| User-level rate limit | 10 pps |
| User-level rate limiting on interface | Enabled |

Copyright © Huawei Technologies Co., Ltd.