
port-type

Function

The port-type command maps interfaces to protocol types. The type can be User-to-Network Interface (UNI), Enhanced Network Interface (ENI), or Network-to-Network Interface (NNI).

The undo port-type command cancels the configuration.

By default, the interface type that sends each kind of protocol packet to the CPU can be viewed by running the display cpu-defend configuration command.

Only the S5720-EI, S6720S-EI, and S6720-EI support this command.

Format

port-type { uni | eni | nni } packet-type packet-type

undo port-type [ uni | eni | nni ] packet-type packet-type

Parameters

Parameter | Description | Value
--- | --- | ---
uni | Indicates that the interface is a user-side interface on the device. | -
eni | Indicates that the interface is connected to another switch or user. An ENI supports all protocols that are supported by a UNI. | -
nni | Indicates that the interface is a network-side interface on the device. An NNI supports all protocol packets. | -
packet-type packet-type | Specifies the protocol supported by an interface type. A protocol is mapped to only one interface type. | The supported packet type depends on the device.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Generally, an ACL controls which protocol packets can be sent to the CPU. However, when protocol packets are sent to the device, it cannot differentiate them by the interface that received them.

If an interface is attacked and the user stops the device from sending the packets to the CPU, packets from other interfaces cannot be sent either, which affects the device's communications. If an interface is attacked and the user does not stop the device from sending the packets, attack packets occupy resources and valid packets cannot be sent.

The port-type command maps interfaces to protocol types. The port type command specifies the interface types according to port locations. When the two commands are used together, interfaces send only the packets of the protocols they support. This reduces the CPU's workload and provides a flexible way to protect the CPU.

If protocol packets are not supported by the UNI, ENI, or NNI interfaces, they are sent to the CPU for processing from any interface on the device.

Procedure

After you run the port type command to configure interface types, run the port-type command to specify the protocols supported by the interfaces and the method to process the protocol packets.

Precautions

If you run the port-type command multiple times, only the latest configuration takes effect because a protocol is mapped to only one interface type.
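
The last-configuration-wins rule above can be checked in a change script before it is applied. The following Python is an added example, not Huawei's code: it replays the port-type and undo port-type lines in order and reports the effective mapping and every earlier mapping that a later line replaces. The sample script is constructed, arp-request is an assumed packet-type name, and the handling of an undo that names a non-matching interface type is an assumption.

```python
import re

# Command syntax as given in the Format section of this page.
CMD = re.compile(r"^(undo\s+)?port-type(?:\s+(uni|eni|nni))?\s+packet-type\s+(\S+)$")

def replay_port_type(lines):
    """Replay port-type / undo port-type commands in order.

    Returns (mapping, overridden): the effective packet-type -> interface-type
    mapping, and (packet_type, old_type, new_type) for every earlier mapping
    replaced by a later command.
    """
    mapping, overridden = {}, []
    for raw in lines:
        # Drop a CLI prompt such as "[HUAWEI-cpu-defend-policy-test] ".
        cmd = re.sub(r"^\[[^\]]*\]\s*", "", raw.strip())
        m = CMD.match(cmd)
        if not m:
            continue  # not a port-type command
        undo, if_type, pkt = m.groups()
        if undo:
            # Assumption: an undo that names a type only cancels a mapping to that type.
            if pkt in mapping and if_type in (None, mapping[pkt]):
                del mapping[pkt]
        elif if_type:
            old = mapping.get(pkt)
            if old and old != if_type:
                overridden.append((pkt, old, if_type))
            mapping[pkt] = if_type  # a protocol maps to only one interface type
    return mapping, overridden

# Constructed change script; "arp-reply" is from the page's example,
# "arp-request" is an assumed packet-type name.
SAMPLE = """\
[HUAWEI-cpu-defend-policy-test] port-type uni packet-type arp-reply
[HUAWEI-cpu-defend-policy-test] port-type nni packet-type arp-reply
[HUAWEI-cpu-defend-policy-test] port-type eni packet-type arp-request
[HUAWEI-cpu-defend-policy-test] undo port-type packet-type arp-request
""".splitlines()

if __name__ == "__main__":
    effective, replaced = replay_port_type(SAMPLE)
    for pkt, old, new in replaced:
        print(f"{pkt}: {old} mapping replaced by {new}")
    print("effective:", effective)
```

Packet types that end up without an explicit mapping fall back to the device's default, which display cpu-defend configuration shows.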

Follow-up Procedure

This command differentiates packets from different types of interfaces so that the attack packets are denied and valid packets are forwarded. If an attack occurs, you can run the deny command to discard a specified type of packets. When receiving packets of the type, the interfaces discard these packets. You can also run the car command to limit the rate of attack packets of a specified type.

Example

# Configure UNI interfaces to send ARP Reply packets to the CPU.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test 
[HUAWEI-cpu-defend-policy-test] port-type uni packet-type arp-reply
[HUAWEI-cpu-defend-policy-test] quit
[HUAWEI] cpu-defend-policy test global
Copyright © Huawei Technologies Co., Ltd.