After port attack defense is enabled on a port, the device calculates the rate of affected protocol packets received by the port. If the packet rate exceeds the threshold, the device considers that an attack is occurring. It then traces the source, limits the rate of attack packets on the port, and records a log. Packets within the protocol rate limit are moved to a low-priority queue to wait for CPU processing, and the excess packets are discarded. (The protocol rate limit is the CPCAR in an attack defense policy. For a description of CPCAR, see Configuring a Rule for Sending Packets to the CPU.)
You need to set an appropriate rate threshold for port attack defense according to service requirements. If the CPU fails to process many protocol packets promptly after port attack defense is enabled, set a large packet rate threshold. If the CPU is busy processing the packets of a protocol, set a small rate threshold for this protocol to avoid impact on other services.
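The following Python model is an added example, not taken from the device documentation. It shows that the detection threshold and the CPCAR are two separate numbers: the first decides whether a port is under attack, the second decides how many packets still reach the CPU. The one-second fixed window, the CPCAR values, the port names and the MAC addresses are assumptions; the two thresholds are the defaults listed for "other switch models".

```python
from collections import Counter, defaultdict

# Detection thresholds per port (defaults for "other switch models").
THRESHOLD_PPS = {"arp-request": 30, "icmp": 60}
# Assumed CPCAR limits for illustration; real values come from the attack defense policy.
CPCAR_PPS = {"arp-request": 20, "icmp": 40}

def port_attack_defense(packets):
    """packets: iterable of (timestamp_seconds, port, protocol, source_mac).
    Returns one record per (second, port, protocol) window."""
    windows = defaultdict(list)
    for ts, port, proto, src in packets:
        if proto in THRESHOLD_PPS:              # only protocols covered by the defense
            windows[(int(ts), port, proto)].append(src)
    records = []
    for (sec, port, proto), sources in sorted(windows.items()):
        rate = len(sources)                     # packets seen in this one-second window
        rec = {"second": sec, "port": port, "protocol": proto, "rate": rate,
               "attack": rate > THRESHOLD_PPS[proto]}
        if rec["attack"]:
            # Source tracing: the sender that contributed the most packets.
            rec["top_source"], rec["top_source_count"] = Counter(sources).most_common(1)[0]
            # Within the CPCAR: low-priority queue. Beyond it: discarded.
            rec["low_priority"] = min(rate, CPCAR_PPS[proto])
            rec["discarded"] = rate - rec["low_priority"]
        else:
            # Below the threshold, port attack defense takes no action in this model.
            rec.update(top_source=None, top_source_count=0, low_priority=0, discarded=0)
        records.append(rec)
    return records

def sample_traffic():
    """Constructed traffic: an ICMP trickle on GE0/0/1 and an ARP request burst on GE0/0/2."""
    pkts = [(0.1 * i, "GE0/0/1", "icmp", "00e0-fc00-0001") for i in range(10)]
    pkts += [(5 + i / 100, "GE0/0/2", "arp-request", "00e0-fc00-00aa") for i in range(90)]
    pkts += [(5 + i / 10, "GE0/0/2", "arp-request", "00e0-fc00-00bb") for i in range(5)]
    return pkts

if __name__ == "__main__":
    for record in port_attack_defense(sample_traffic()):
        print(record)
```

In the constructed burst, the legitimate host sending 5 ARP requests shares the port with the flooding source, so its packets compete for the same rate-limited budget.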
The system view is displayed.
The attack defense policy view is displayed.
The protocol rate threshold for port attack defense is set.
The following table lists the default protocol rate thresholds for different protocols.
| Packet Type | Rate Threshold |
|---|---|
| arp-request | 60 pps for the S5720-EI, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6720S-EI, and S6720-EI, 120 pps for the S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, and S6720-HI, and 30 pps for other switch models |
| arp-request-uc | 60 pps for the S5720-EI, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6720S-EI, and S6720-EI, 120 pps for the S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, and S6720-HI |
| arp-reply | 60 pps for the S5720-EI, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6720S-EI, and S6720-EI, 120 pps for the S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, and S6720-HI, and 30 pps for other switch models |
| dhcp | 60 pps for the S5720-EI, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6720S-EI, and S6720-EI, 120 pps for the S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, and S6720-HI, and 30 pps for other switch models |
| icmp | 120 pps for the S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, and S6720-HI, and 60 pps for other switch models |
| igmp | 120 pps for the S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, and S6720-HI, and 60 pps for other switch models |
| ip-fragment | 30 pps |
| nd | 60 pps for the S5720-EI, S6720S-EI, and S6720-EI, 120 pps for the S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, and S6720-HI, and 30 pps for other switch models |