access trigger packet-limit

Function

The access trigger packet-limit command limits the rate at which repetitive ARP, IP, IPv6, and ND packets can be sent to the main control board to trigger users to go online, preventing excessive packets from causing high CPU usage on the main control board.

The undo access trigger packet-limit command restores the default configuration.

For the ARP/IP/IPv6/ND packets sent to the main control board, only one packet of a specific type can be sent for the same user within a period of 30 seconds by default.

This command is supported only on the NetEngine 8000 F1A.

Format

access trigger packet-limit packets-num time seconds

access trigger packet-limit packets-num time seconds all

undo access trigger packet-limit [ packets-num time seconds ]

undo access trigger packet-limit packets-num time seconds all

Parameters

| Parameter | Description | Value |
|---|---|---|
| time seconds | Specifies a period. | The value is an integer ranging from 0 to 300, in seconds. |
| packet-limit packets-num | Specifies the number of packets. It is the number of packets that can be sent to the main control board in a period specified by seconds. The device discards excess packets. | The value is an integer ranging from 1 to 500. |
| all | Specifies all packets. | - |

Views

Slot view

Default Level

2: Configuration level

Task Name and Operations

| Task Name | Operations |
|---|---|
| bras-control | write |

Usage Guidelines

Usage Scenario

If the device is attacked by a large number of ARP/IP/IPv6/ND packets or unauthorized users repeatedly send ARP/IP/IPv6/ND packets to go online, the main control board's CPU usage goes high. To configure a limit on the number of ARP/IP/IPv6/ND packets that can be sent to the main control board, run the access trigger packet-limit command so that the device discards packets that exceed the configured limit.

Precautions

In VS mode, this command is supported only by the admin VS.

Running the access trigger packet-limit packets-num time 0 command can always cancel the rate limit on repetitive ARP, IP, IPv6, and ND packets, irrespective of the value of packets-num.

You are not advised to cancel the limitation on the number of ARP, IP, IPv6, and ND packets sent to the main control board for triggering user access.

If the device is configured to send more than one ARP, IP, IPv6, or ND packet to the main control board for the same user within 30 seconds, the pressure on the system will be increased, causing the CPU usage to increase.

This command provides restriction based on users.

Example

# Configure the packet limit function on the board in slot 1 so that only one ARP, IP, IPv6, or ND packet of the same user is allowed to pass within one minute and extra packets are discarded.
<HUAWEI> system-view
[~HUAWEI] slot 1
[~HUAWEI-slot-1] access trigger packet-limit 1 time 60
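
The Precautions above note that time 0 cancels the limit whatever packets-num is, and that allowing more than one packet per user within 30 seconds raises CPU load. The following audit script is an added example, not part of the vendor documentation, that flags both cases in a saved configuration. It assumes the configuration lists the command under a "slot <id>" line in the form it is typed, with "#" separating sections; the function name audit and the sample text are hypothetical.

```python
import re

# Assumption: the saved configuration shows each command under a "slot <id>"
# line in the same form it is typed in the slot view, with "#" between sections.
SLOT = re.compile(r"^slot (\S+)$")
RULE = re.compile(r"^access trigger packet-limit (\d+) time (\d+)( all)?$")

def audit(config_text):
    """Return (slot, command, finding) for each setting weaker than the default."""
    findings, slot = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":          # end of a section: leave the slot context
            slot = None
            continue
        m = SLOT.match(line)
        if m:
            slot = m.group(1)
            continue
        m = RULE.match(line)
        if m is None or slot is None:
            continue
        packets, seconds = int(m.group(1)), int(m.group(2))
        if not (1 <= packets <= 500 and 0 <= seconds <= 300):
            findings.append((slot, line, "outside documented range"))
        elif seconds == 0:
            # time 0 cancels the limit irrespective of packets-num
            findings.append((slot, line, "rate limit cancelled"))
        elif packets > 1 or seconds < 30:
            # can admit more than one packet per user within 30 seconds
            findings.append((slot, line, "looser than default"))
    return findings

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
slot 1
 access trigger packet-limit 1 time 60
#
slot 2
 access trigger packet-limit 500 time 0
#
slot 3
 access trigger packet-limit 10 time 30 all
#
"""

if __name__ == "__main__":
    for slot, command, finding in audit(SAMPLE):
        print(f"slot {slot}: {finding}: {command}")
```
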
Copyright © Huawei Technologies Co., Ltd.