car (Attack defense policy view)

Function

The car command configures the Committed Access Rate (CAR) function for packets.

The undo car command deletes the configuration.

To view the default CAR parameters of the various packet types, run the display cpu-defend car information default command.

Format

car { tcpsyn | fragment } { cbs cbs-value | cir cir-value | min-packet-length min-packet-value } *

car { user-defined-flow flow-id | index index } { cbs cbs-value | cir cir-value | min-packet-length min-packet-value } *

car whitelist-v6 [ bgpv6 | ospfv3 ] { cbs cbs-value | cir cir-value | min-packet-length min-packet-value } *

car { blacklist | whitelist [ bgp | ldp | ospf | radius | rsvp | isis ] } { cbs cbs-value | cir cir-value | min-packet-length min-packet-value } *

car { 802.1ag | arp | bfd | bgp | bpdu | dhcp | dns-client | ftp-client | ftp-server | hwtacacs | icmp | igmp | isis | lacp | ldp | lspping | msdp | ntp | ospf | pim | radius | rip | rsvp | snmp | ssh-client | ssh-server | telnet-client | telnet-server | tftp | vrrp | ipv4-fib-miss | ipv4-multicast-fib-miss | ipv4-ttl-expire | ipv6-ttl-expire | ipv6-fib-miss | ipv6-nd-miss | mpls-arp-miss | mpls-ttl-expire | arp-miss | lldp | syslog | bgpv6 | ospfv3 | ftpv6-server | ftpv6-client | tftpv6-client | icmpv6 | dnsv6 | pimv6 | sshv6-server | telnetv6-client | telnetv6-server | eapol | netstream | snmpv6 | dhcpv6 | ra | mld | rs | ns | na | web-auth-server | atm-inarp | diameter | openflow | unicast-vrrp | soft-gre | traffic-behavior-log | icmp-broadcast-address-echo | mka | pcep | vrrpv6 | radiusv6 | hwtacacsv6 | lsppingv6 | syslogv6 | web-auth-serverv6 } { cir cir-value | cbs cbs-value } *

undo car { blacklist | whitelist [ bgp | ldp | ospf | radius | rsvp | isis ] }

undo car whitelist-v6 [ bgpv6 | ospfv3 ]

undo car { tcpsyn | fragment }

undo car { user-defined-flow flow-id | index index }

undo car { 802.1ag | arp | bfd | bgp | bpdu | dhcp | dns-client | ftp-client | ftp-server | hwtacacs | icmp | igmp | isis | lacp | ldp | lspping | msdp | ntp | ospf | pim | radius | rip | rsvp | snmp | ssh-client | ssh-server | telnet-client | telnet-server | tftp | vrrp | ipv4-fib-miss | ipv4-multicast-fib-miss | ipv4-ttl-expire | ipv6-ttl-expire | ipv6-fib-miss | ipv6-nd-miss | mpls-arp-miss | mpls-ttl-expire | arp-miss | lldp | syslog | bgpv6 | ospfv3 | ftpv6-server | ftpv6-client | tftpv6-client | icmpv6 | dnsv6 | pimv6 | sshv6-server | telnetv6-client | telnetv6-server | eapol | netstream | snmpv6 | dhcpv6 | ra | mld | rs | ns | na | web-auth-server | atm-inarp | diameter | openflow | unicast-vrrp | soft-gre | traffic-behavior-log | icmp-broadcast-address-echo | mka | pcep | vrrpv6 | radiusv6 | hwtacacsv6 | lsppingv6 | syslogv6 | web-auth-serverv6 }

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| cir cir-value | Specifies the committed information rate (CIR). | The value is an integer that ranges from 0 to 1000000, in kbit/s. |
| cbs cbs-value | Specifies the committed burst size (CBS). | The value is an integer that ranges from 0 to 9000000, in bytes. |
| min-packet-length min-packet-value | Specifies the minimum packet length for compensation. | The value is an integer that ranges from 64 to 9600, in bytes. The default value is 128. |
| user-defined-flow flow-id | Specifies the number of a user-defined flow. | The value is an integer that ranges from 1 to 64. |
| index index | Specifies the packet index. | The value is an integer that ranges from 35 to 1658. |
| blacklist | Specifies a blacklist. | - |

Views

Attack defense policy view

Default Level

2: Configuration level

Task Name and Operations

| Task Name | Operations |
| --- | --- |
| cpu-defend | write |

Usage Guidelines

Usage Scenario

When a large number of users access a router and the CPU of the router is vulnerable to packet attacks or needs to process a lot of packets, you need to configure the CAR function. The CAR function is used to filter out illegal packets and limit the rate and bandwidth for sending packets to the CPU, ensuring that the CPU processes services normally.

If a large number of ping packets need to be sent or received, the bandwidth for protocol packets may not meet the requirement. As a result, packets are discarded. In this situation, the CIR and CBS must be re-configured for protocol packets. The following formulas are recommended:

  • CIR = Packet length (bytes)/Interval at which packets are sent (ms)
  • CBS = 10 x CIR

Precautions

In VS mode, this command is supported only by the admin VS.

The range of CAR channels that support min-packet-length is limited.

For the protocol name channel, only the RADIUS, Portal, Web, and Diameter CAR channels support min-packet-length.

For protocol index channels, only five CAR channels (index: 36, 101, 282, 290, and 1106) support min-packet-length.

CAR channels that do not support min-packet-length still retain the min-packet-length configuration command to support configuration restoration.

When a blacklist or whitelist user-defined flow is bound to an ACL, consider the impact on the bound ACL when configuring the CAR value.
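
The value ranges in the Parameters section and the min-packet-length restriction on index channels can be checked offline before a policy is pushed. The following linter is an added example, not Huawei code: the function names are hypothetical, the sample configuration is constructed, and its saved-configuration layout is an assumption. It checks min-packet-length support for index channels only, not for protocol-name channels.

```python
RANGES = {
    "cir": (0, 1000000),              # kbit/s
    "cbs": (0, 9000000),              # bytes
    "min-packet-length": (64, 9600),  # bytes
    "user-defined-flow": (1, 64),
    "index": (35, 1658),
}
# Index channels the page lists as supporting min-packet-length.
MIN_LEN_INDEXES = {36, 101, 282, 290, 1106}
# Constructed sample input; the saved-configuration layout is an assumption.
SAMPLE = """\
cpu-defend policy 8
 car index 36 cir 100 cbs 3300
 car index 40 cir 200 min-packet-length 256
 car arp cir 2000000 cbs 9000000
 car user-defined-flow 70 cir 64 cbs 640
"""

def lint_car(line):
    """Return a list of findings for one `car ...` line (empty if clean)."""
    tokens = line.split()
    if not tokens or tokens[0] != "car":
        return []
    findings, values = [], {}
    # Walk adjacent token pairs: a known keyword followed by its value.
    for key, raw in zip(tokens[1:], tokens[2:]):
        if key not in RANGES:
            continue
        if not raw.isdigit():
            findings.append(f"{key}: '{raw}' is not a non-negative integer")
            continue
        values[key] = int(raw)
        lo, hi = RANGES[key]
        if not lo <= values[key] <= hi:
            findings.append(f"{key} {raw} is outside {lo}-{hi}")
    idx = values.get("index")
    if "min-packet-length" in values and idx is not None and idx not in MIN_LEN_INDEXES:
        findings.append(f"min-packet-length is not supported on index {idx}")
    return findings

def lint_config(text):
    """Map 1-based line numbers to findings for every flagged `car` line."""
    lines = enumerate(text.splitlines(), 1)
    return {n: found for n, line in lines if (found := lint_car(line))}

if __name__ == "__main__":
    for number, found in lint_config(SAMPLE).items():
        print(number, "; ".join(found))
```
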

Example

# Configure the CAR function in attack defense policy 8. For protocol packets with packet index 36, set the CIR to 100 kbit/s and the CBS to 3300 bytes.
<HUAWEI> system-view
[~HUAWEI] cpu-defend policy 8
[*HUAWEI-cpu-defend-policy-8] car index 36 cir 100 cbs 3300
Copyright © Huawei Technologies Co., Ltd.