Protocol Packets Are Not Sent to the CPU

Protocol packets are not sent to the CPU after CPU attack defense is configured.

Possible causes are as follows:

A blacklist has been configured or a rule is configured to discard the specified protocol packets.
The CPU is attacked by invalid packets.

Check whether a rule has been configured to discard protocol packets on the device.
1. Run the display this command in the system view to check the configured attack defense policy.
2. Run the display cpu-defend policy [ policy-name ] command to check whether a blacklist, or rule is configured in an attack defense policy to discard protocol packets.
  - If a blacklist is configured, run the display acl command to check whether protocol packets match the rules in the blacklist. If protocol packets match the rules, adjust the rules as required. Otherwise, go to the next step.
  - If the action taken on the protocol packets sent to the CPU is deny, run the car command in the attack defense policy view to set the rate limit.
  - If no blacklist is configured, and the action taken on the protocol packets sent to the CPU is not deny, go to step 2.
Check statistics for packets sent to the CPU.
Run the display cpu-defend statistics [ packet-type packet-type ] [ all | slot slot-id ] command to check statistics on packets sent to the CPU. If a large number of protocol packets are being discarded, check whether these packets are invalid attack packets using the attack source tracing function. If they are invalid attack packets, use the configured blacklist or traffic policy to prevent these packets from being sent to the CPU.