
traffic-limit inbound (user access profile view)

Function

The traffic-limit inbound command configures the rate limit for incoming ARP and DHCP packets on an AS port.

The undo traffic-limit inbound command restores the default rate limit for incoming ARP and DHCP packets on an AS port.

By default, the forwarding rate of incoming ARP and DHCP packets on an AS port is not limited.

This command can only be executed on a parent switch.

Format

traffic-limit inbound { arp | dhcp } cir cir-value

undo traffic-limit inbound { arp | dhcp }

Parameters

| Parameter | Description | Value |
|---|---|---|
| arp | Specifies the ARP packet. | - |
| dhcp | Specifies the DHCP packet. | - |
| cir cir-value | Specifies the committed information rate (CIR), which is the allowed average rate of traffic that can pass through. | The value is an integer that ranges from 8 to 128, in kbit/s. |

Views

User access profile view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After a user access profile is created, you can configure the rate limit for incoming ARP and DHCP packets on an AS port. After the user access profile is bound to the AS port, the following configuration is generated on the AS port:
#
 traffic-limit inbound acl 4999 cir cir-value pir pir-value cbs cbs-value pbs pbs-value
 traffic-statistic inbound acl 4999
 traffic-limit inbound acl 3999 cir cir-value pir pir-value cbs cbs-value pbs pbs-value
 traffic-statistic inbound acl 3999
#

Precautions

  • This command and the authentication command cannot both be run in the user access profile view.

  • Do not run the traffic-limit inbound dhcp and dhcp snooping enable (network enhanced profile view) commands simultaneously on the same port; otherwise, the traffic-limit inbound dhcp command does not take effect. On an AS of the S2720-EI, S2750-EI, S5700-LI, S5700S-LI, S5720S-LI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5720S-SI, S5720I-SI, S5710-X-LI, S5730-SI, S5730S-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, or S600-E model, running the dhcp snooping enable (network enhanced profile view) command on any port may prevent the traffic-limit inbound dhcp command from taking effect on all ports. You are advised to shut down the attacked port after detecting DoS attacks.

  • Do not run the traffic-limit inbound arp and arp anti-attack check user-bind enable (network enhanced profile view) commands simultaneously on the same port; otherwise, the traffic-limit inbound arp command may not take effect. On an AS of the S2720-EI, S2750-EI, S5700-LI, S5700S-LI, S5720S-LI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5720S-SI, S5720I-SI, S5710-X-LI, S5730-SI, S5730S-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, or S600-E model, running the arp anti-attack check user-bind enable (network enhanced profile view) command on any port may prevent the traffic-limit inbound arp command from taking effect on all ports. You are advised to shut down the attacked port after detecting DoS attacks.
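The range and the precautions above can be checked before a profile is deployed. The following Python lint is an added example, not Huawei code: the indented configuration layout, the network-enhanced-profile line, and matching the authentication command by its first word are assumptions, and the sample text is constructed.

```python
import re

# Grammar from the Format section: traffic-limit inbound { arp | dhcp } cir cir-value
LIMIT_RE = re.compile(r"^traffic-limit inbound (arp|dhcp) cir (\S+)$")
# Commands that the Precautions section says interfere with each protocol's limit.
CONFLICTS = {"dhcp": "dhcp snooping enable",
             "arp": "arp anti-attack check user-bind enable"}

def lint(config_text):
    """Return a sorted list of (profile, message) findings."""
    findings, profile = [], None
    limits, has_auth, seen = {}, set(), set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("user-access-profile name "):
            profile = line.split()[-1]
            limits.setdefault(profile, set())
            continue
        if not raw.startswith(" "):      # an unindented line leaves the profile view
            profile = None
        seen.update(c for c in CONFLICTS.values() if line == c)
        if profile is None:
            continue
        m = LIMIT_RE.match(line)
        if m:
            proto, cir = m.groups()
            limits[profile].add(proto)
            if not cir.isdigit() or not 8 <= int(cir) <= 128:
                findings.append((profile, f"{proto} cir {cir} outside 8-128 kbit/s"))
        elif line.startswith("authentication"):   # assumed form of the command
            has_auth.add(profile)
    for name, protos in limits.items():
        if protos and name in has_auth:
            findings.append((name, "traffic-limit inbound and authentication in one profile"))
        for proto in protos:
            if CONFLICTS[proto] in seen:
                findings.append((name, f"{proto} limit may not take effect while '{CONFLICTS[proto]}' is configured"))
    return sorted(findings)

# Constructed sample configuration (not from a real device; arguments omitted).
SAMPLE = """\
user-access-profile name profile_1
 traffic-limit inbound arp cir 64
user-access-profile name profile_2
 traffic-limit inbound dhcp cir 256
 authentication
network-enhanced-profile name net_1
 dhcp snooping enable
"""
```

Calling `lint(SAMPLE)` reports three findings, all for profile_2; profile_1 passes.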

Example

# Set the rate limit for incoming ARP packets to 64 kbit/s on an AS port.

<HUAWEI> system-view
[HUAWEI] uni-mng
[HUAWEI-um] user-access-profile name profile_1
[HUAWEI-um-user-access-profile_1] traffic-limit inbound arp cir 64
Copyright © Huawei Technologies Co., Ltd.