deny

Function

The deny command configures the device to discard packets sent to the CPU.

The undo deny command restores the default action taken for the packets sent to the CPU.

By default, the device does not discard packets sent to the CPU. Instead, the device limits the rate of packets sent to the CPU and of user-defined flows using the default rate. You can check the CAR values for each packet type using the display cpu-defend configuration command.

Format

deny { packet-type packet-type | user-defined-flow flow-id }

undo deny { packet-type packet-type | user-defined-flow flow-id }

Parameters

| Parameter | Description | Value |
|---|---|---|
| packet-type packet-type | Specifies the type of the packet to be discarded. | The supported packet type depends on the device. |
| user-defined-flow flow-id | Specifies the ID of the user-defined flow to be discarded. NOTE: Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support this parameter. | The value is an integer that ranges from 1 to 8. |

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After an attack defense policy is created, if the device receives attack packets of a specified type or a large number of packets sent to the CPU, run the deny command to configure the device to discard packets of the specified type sent to the CPU.

Precautions

If you run the deny command, and then the car command, the car command takes effect; if you run the car command, and then the deny command, the deny command takes effect. After the undo deny command is executed, the default action for packets sent to the CPU is restored, that is, CIR and CBS actions are performed.

To configure the S2720-EI, S5720I-SI, S5720-LI, S5720S-LI, S5720S-SI, S5720-SI, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI switches to discard BPDU, CDP, LNP, and VCMP packets, run the deny packet-type bpdu-tunnel command.
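The ordering rule in the first precaution can be checked before a change is applied by replaying the planned policy-view commands in order. The script below is an added example, not Huawei code: the function name, the sample command list, and the car syntax (`car ... cir <value> [cbs <value>]`) are assumptions, since this page only names the car command.

```python
import re

# Assumption: deny / undo deny follow the Format section of this page; the car
# argument layout is assumed, because the page does not give the car syntax.
CMD = re.compile(
    r"^(?P<verb>undo deny|deny|car)\s+"
    r"(?P<kind>packet-type|user-defined-flow)\s+(?P<target>\S+)"
    r"(?:\s+cir\s+(?P<cir>\d+)(?:\s+cbs\s+(?P<cbs>\d+))?)?\s*$"
)

# Constructed sample: commands typed in one attack defense policy view.
SAMPLE = """\
car packet-type arp-reply cir 64
deny packet-type arp-reply
deny packet-type arp-request
car packet-type arp-request cir 128 cbs 24064
deny user-defined-flow 3
undo deny user-defined-flow 3
"""

def effective_actions(commands):
    """Replay commands in order; return {(kind, target): effective action}."""
    state = {}
    for line in commands:
        line = line.split("]", 1)[-1].strip()  # drop a "[HUAWEI-...]" prompt
        if not line or line.startswith("#"):
            continue
        m = CMD.match(line)
        if not m:
            raise ValueError(f"unrecognised command: {line!r}")
        kind, target, verb = m["kind"], m["target"], m["verb"]
        if kind == "user-defined-flow" and not (target.isdigit() and 1 <= int(target) <= 8):
            raise ValueError(f"flow-id must be an integer from 1 to 8: {target!r}")
        if (verb == "car") != (m["cir"] is not None):
            raise ValueError(f"cir is required for car and invalid elsewhere: {line!r}")
        key = (kind, target)
        if verb == "deny":
            state[key] = "discard"  # a later deny overrides an earlier car
        elif verb == "car":         # a later car overrides an earlier deny
            state[key] = f"car cir {m['cir']}" + (f" cbs {m['cbs']}" if m["cbs"] else "")
        elif state.get(key) == "discard":
            state[key] = "default-car"  # undo deny: default CIR/CBS applies again
    return state

if __name__ == "__main__":
    for (kind, target), action in effective_actions(SAMPLE.splitlines()).items():
        print(f"{kind} {target}: {action}")
```

Any entry that ends as `discard` is traffic the CPU will never see, so confirm that the affected protocol is not one the device needs before committing the change.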

Example

# Configure the attack defense policy test to discard ARP Reply packets sent to the CPU.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test 
[HUAWEI-cpu-defend-policy-test] deny packet-type arp-reply
Copyright © Huawei Technologies Co., Ltd.