< Home

linkup-car

Function

The linkup-car command sets the CPCAR value for packets of a protocol connection, including the Committed Information Rate (CIR) and Committed Burst Size (CBS).

The undo linkup-car command restores the default CPCAR rate limit.

Table 1 lists the default CIR and CBS values for the setup of BGP, BGP4+, FTP, IPv6 FTP, HTTP, HTTPS, IKE, IPSEC-ESP, ISIS, OSPF, OSPFv3, SSH, TELNET, and TFTP connections; the CIR and CBS for sending packets of IP-CLOUD connections are 2048 kbit/s and 385024 bytes respectively.

Format

linkup-car packet-type { bgp | bgp4plus | ftp | ftpv6 | http | https | ike | ip-cloud | ipsec-esp | isis | ospf | ospfv3 | ssh | telnet | tftp } cir cir-value [ cbs cbs-value ]

undo linkup-car packet-type { bgp | bgp4plus | ftp | ftpv6 | http | https | ike | ip-cloud | ipsec-esp | isis | ospf | ospfv3 | ssh | telnet | tftp }

  • Only the S5720-EI, S5720-HI, S5730-HI, S5730S-EI, S5730-SI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-S, S5735S-S, S5735-S-I, S6720-EI, S6720-HI, S6720S-EI, S6720S-SI, S6720-SI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the bgp parameter.
  • Only the S5720-EI, S5720-HI, S5730-HI, S5730S-EI, S5730-SI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6720-EI, S6720-HI, S6720S-EI, S6720S-SI, S6720-SI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the https parameter.
  • Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the bgp4plus and isis parameter.
  • Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the ospfv3 parameter.
  • Only the S2720-EI, S5720-EI, S5720I-SI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730S-EI, S5730-SI, S6720-EI, S6720-LI, S6720S-EI, S6720S-LI, S6720S-SI, and S6720-SI support the ike parameter.
  • Only the S2720-EI, S5720-EI, S5720-HI, S5720I-SI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730-HI, S5730S-EI, S5730-SI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6720S-SI, S6720-SI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the ipsec-esp parameter.
  • Only the S2720-EI, S5720-EI, S5720-HI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S5720S-LI, S5730-HI, S5730S-EI, S5730-SI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720-LI, S6720S-EI, S6720S-LI, S6720S-SI, S6720-SI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the ospf parameter.
  • Only the S5720-EI, S5720-HI, S5720I-SI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731S-H, S5732-H, S5731-S, S5731S-S, S6730-S, S6730S-S, S6720-EI, S6720-HI, S6720S-EI, S6720S-LI, S6720-LI, S6730-H, S6730S-H, S6720S-SI, and S6720-SI support the ip-cloud parameter.

Parameters

Parameter

Description

Value

bgp

Indicates that the protocol type is BGP.

-

bgp4plus

Indicates that the protocol type is BGP4+.

-

ftp

Indicates that the protocol type is FTP.

-

ftpv6

Indicates that the protocol type is IPv6 FTP.

-

http

Indicates that the protocol type is HTTP.

-

https

Indicates that the protocol type is HTTPS.

-

ike

Indicates that the protocol type is IKE. This parameter does not take effect in non-NAT scenarios.

-

ip-cloud

Indicates that the protocol type is IP-CLOUD.

-

ipsec-esp

Indicates that the protocol type is IPSEC-ESP. ipsec-esp specified in the linkup-car command indicates the type of the protocol used by IPsec EVPN, and ipsec-esp specified in the car command indicates the type of the protocol used by OSPFv3.

-

isis

Indicates that the protocol type is ISIS.

-

ospf

Indicates the protocol type is OSPF.

-

ospfv3

Indicates the protocol type is OSPFv3.

-

ssh

Indicates the protocol type is SSH.

-

telnet

Indicates the protocol type is TELNET.

-

tftp

Indicates the protocol type is TFTP.

-

cir cir-value

Specifies the CIR value.

The value is an integer that ranges from 64 to 65535, in kbit/s.

cbs cbs-value

Specifies the CBS value.

The value is an integer that ranges from 10000 to 4294967295, in bytes. If the cbs is not set, the default cbs-value is 188 times the cir-value.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The default CPCAR value of BGP, BGP4+, FTP, IPv6 FTP, HTTP, HTTPS, IP-CLOUD, ISIS, OSPFv3, OSPF, IKE, IPSEC-ESP, SSH, TFTP, or TELNET protocol is small. When a switch uses these protocols to transfer files or set up connections with other hosts or devices, the number of protocol packets sharply increases in a short period. When the packet rate exceeds the limit, the protocol packets are dropped. The switch may also undergo attacks of other protocols. This affects data transmission and causes service interruption.

You can run the cpu-defend application-apperceive command to enable active link protection, ensuring normal operation of these protocols related services when attacks occur. When a connection is set up, the switch sends packets at the rate of the CPCAR value configured using the linkup-car command. The CPCAR value can be set as required.

Follow-up Procedure

Run the cpu-defend application-apperceive enable command to enable ALP to enable the rate limit set using the linkup-car command. By default, ALP is enabled on FTP, IPv6 FTP, HTTP, IP-CLOUD, HTTPS, IKE, IPSEC-ESP, TFTP, SSH, and TELNET packets and disabled on BGP, BGP4+, ISIS, OSPF, and OSPFv3 packets.

Precautions

You are advised to run the display cpu-defend configuration command to check the CIR value supported by the protocol being used before running the linkup-car command to set the rate limit.

BGP, BGP4+, ISIS, OSPF, and OSPFv3 are disabled when the configuration is initialized. You can set the rate limit using the car command before the protocols are enabled and the linkup-car command after connections are set up and ALP is enabled.

You can set a shared CPCAR value for packets of FTP, IPv6 FTP, SSH, TFTP connections on S2720-EI, S5720I-SI, S5720-LI, S5720S-LI, S5720S-SI, S5720-SI, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI. For example, the linkup-car packet-type ftp cir cir-value [ cbs cbs-value ] command specifies the CPCAR value for FTP packets when an FTP connection is set up, and also specifies the CPCAR value for packets of IPv6 FTP, SSH, TFTP connections.

Table 1 Default CIR and CBS values

Product

CIR

CBS

S5720-LI, S5720S-LI, S6720-LI, S6720S-LI
  • FTP, IPv6 FTP, HTTP, SSH, TFTP: 1024 kbit/s
  • IKE: 64 kbit/s
  • IPSEC-ESP: 320 kbit/s
  • OSPF: 512 kbit/s
  • Telnet: 64 kbit/s
  • FTP, IPv6 FTP, HTTP, SSH, TFTP: 192512 bytes
  • IKE: 12032 bytes
  • IPSEC-ESP: 60160 bytes
  • OSPF: 96256 bytes
  • Telnet: 12032 bytes

S5720-SI, S5720I-SI, S5720S-SI
  • FTP, IPv6 FTP, HTTP, SSH, TFTP: 1024 kbit/s
  • IKE: 64 kbit/s
  • IPSEC-ESP: 320 kbit/s
  • Telnet: 64 kbit/s
  • FTP, IPv6 FTP, HTTP, SSH, TFTP: 192512 bytes
  • IKE: 12032 bytes
  • IPSEC-ESP: 60160 bytes
  • Telnet: 12032 bytes

S5735-L, S5735S-L, S5735S-L-M
  • FTP, IPv6 FTP, HTTP, HTTPS, SSH, TFTP: 1536kbit/s
  • IKE: 64kbit/s
  • IPSEC-ESP: 800kbit/s
  • OSPF: 512kbit/s
  • TELNET: 64kbit/s
  • FTP, IPv6 FTP, HTTP, HTTPS, SSH, TFTP: 288768bytes
  • IKE: 12032bytes
  • IPSEC-ESP: 150400bytes
  • OSPF: 96256bytes
  • TELNET: 12032bytes

S5735-S, S5735S-S, S5735-S-I
  • BGP: 1024kbit/s
  • FTP, IPv6 FTP, HTTP, HTTPS, SSH, TFTP: 1536kbit/s
  • IKE: 64kbit/s
  • IPSEC-ESP: 800kbit/s
  • OSPF: 512kbit/s
  • TELNET: 64kbit/s
  • BGP: 192512bytes
  • FTP, IPv6 FTP, HTTP, HTTPS, SSH, TFTP: 288768bytes
  • IKE: 12032bytes
  • IPSEC-ESP: 150400bytes
  • OSPF: 96256bytes
  • TELNET: 12032bytes

S2720-EI
  • FTP, IPv6 FTP, HTTP, SSH, TFTP: 1024 kbit/s
  • IKE: 64 kbit/s
  • IPSEC-ESP: 320 kbit/s
  • OSPF: 512 kbit/s
  • Telnet: 64 kbit/s
  • FTP, IPv6 FTP, HTTP, SSH, TFTP: 192512 bytes
  • IKE: 12032 bytes
  • IPSEC-ESP: 60160 bytes
  • OSPF: 96256 bytes
  • Telnet: 12032 bytes

S5730-SI, S5730S-EI, S6720-SI, S6720S-SI
  • BGP: 1024 kbit/s
  • FTP, IPv6 FTP, HTTP, SSH, TFTP: 1536 kbit/s
  • IKE: 64 kbit/s
  • IPSEC-ESP: 4096 kbit/s
  • OSPF: 512 kbit/s
  • Telnet: 64 kbit/s
  • BGP: 192512 bytes
  • FTP, IPv6 FTP, HTTP, SSH, TFTP: 288768 bytes
  • IKE: 12032 bytes
  • IPSEC-ESP: 770048 bytes
  • OSPF: 96256 bytes
  • Telnet: 12032 bytes

S5720-EI, S6720-EI, S6720S-EI
  • BGP: 1024 kbit/s
  • FTP, IPv6 FTP, HTTP, HTTPS, SSH, TFTP: 1536 kbit/s
  • IKE: 64 kbit/s
  • IPSEC-ESP: 4096 kbit/s
  • BGP4+, ISIS, OSPF, OSPFv3: 512 kbit/s
  • Telnet: 64 kbit/s
  • BGP: 192512 bytes
  • FTP, IPv6 FTP, HTTP, HTTPS, SSH, TFTP: 288768 bytes
  • IKE: 12032 bytes
  • IPSEC-ESP: 770048 bytes
  • BGP4+, ISIS, OSPF, OSPFv3: 96256 bytes
  • Telnet: 12032 bytes

S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S
  • BGP: 1024kbit/s
  • FTP, IPv6 FTP, HTTP, HTTPS, SSH, TFTP: 1536kbit/s
  • IPSEC-ESP: 800kbit/s
  • BGP4+, ISIS, OSPF, OSPFv3: 512kbit/s
  • TELNET: 64kbit/s
  • BGP: 192512bytes
  • FTP, IPv6 FTP, HTTP, HTTPS, SSH, TFTP: 288768bytes
  • IPSEC-ESP: 150400bytes
  • BGP4+, ISIS, OSPF, OSPFv3: 96256bytes
  • TELNET: 12032bytes

Example

# Set the CIR and CBS for sending packets of FTP connections to 1000 kbit/s and 100000 bytes.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] linkup-car packet-type ftp cir 1000 cbs 100000
Parent Topic: Local Attack Defense Configuration Commands
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >