cp-rate-limit

Function

The cp-rate-limit command sets the rate at which an interface sends packets of a specific protocol to the CPU.

The undo cp-rate-limit command cancels the configuration.

By default, the rate at which protocol packets are sent to the CPU is not restricted.

Format

cp-rate-limit { port | { dhcp | dhcpv6 | icmp | icmpv6 | ldp-hello | rsvp | ospf | rip | pim | isis | vrrp | ospfv3 | ripng | pimv6 | vrrpv6 } } vlan vlan-id-begin [ to vlan-id-end ] cir cir-value [ cbs cbs-value ] [ prior ]

cp-rate-limit { port | { dhcp | dhcpv6 | icmp | icmpv6 | ldp-hello | rsvp | ospf | rip | pim | isis | vrrp | ospfv3 | ripng | pimv6 | vrrpv6 } } pe-vid pe-vlan-id ce-vid ce-vlan-id-begin [ to ce-vlan-id-end ] cir cir-value [ cbs cbs-value ] [ prior ]

cp-rate-limit { port | { dhcp | dhcpv6 | icmp | icmpv6 | ldp-hello | rsvp | ospf | rip | pim | isis | vrrp | ospfv3 | ripng | pimv6 | vrrpv6 } } cir cir-value [ cbs cbs-value ] [ prior ]

undo cp-rate-limit { port | { dhcp | dhcpv6 | icmp | icmpv6 | ldp-hello | rsvp | ospf | rip | pim | isis | vrrp | ospfv3 | ripng | pimv6 | vrrpv6 } } vlan vlan-id-begin [ to vlan-id-end ] [ cir cir-value [ cbs cbs-value ] ] [ prior ]

undo cp-rate-limit { port | { dhcp | dhcpv6 | icmp | icmpv6 | ldp-hello | rsvp | ospf | rip | pim | isis | vrrp | ospfv3 | ripng | pimv6 | vrrpv6 } } pe-vid pe-vlan-id ce-vid ce-vlan-id-begin [ to ce-vlan-id-end ] [ cir cir-value [ cbs cbs-value ] ] [ prior ]

undo cp-rate-limit { port | { dhcp | dhcpv6 | icmp | icmpv6 | ldp-hello | rsvp | ospf | rip | pim | isis | vrrp | ospfv3 | ripng | pimv6 | vrrpv6 } } [ cir cir-value [ cbs cbs-value ] ] [ prior ]

Parameters

Parameter Description Value
port

Restricts the rate at which an interface sends packets of a specific protocol to the CPU.

-

dhcp

Restricts the rate at which DHCP packets are sent to the CPU.

-

dhcpv6

Restricts the rate at which DHCPv6 packets are sent to the CPU.

-

icmp

Restricts the rate at which ICMP packets are sent to the CPU.

-

icmpv6

Restricts the rate at which ICMPv6 packets are sent to the CPU.

-

ldp-hello

Restricts the rate at which LDP-HELLO packets are sent to the CPU.

-

rsvp

Restricts the rate at which RSVP packets are sent to the CPU.

-

ospf

Restricts the rate at which OSPF packets are sent to the CPU.

-

rip

Restricts the rate at which RIP packets are sent to the CPU.

-

pim

Restricts the rate at which PIM packets are sent to the CPU.

-

isis

Restricts the rate at which ISIS packets are sent to the CPU.

-

vrrp

Restricts the rate at which VRRP packets are sent to the CPU.

-

ospfv3

Restricts the rate at which OSPFv3 packets are sent to the CPU.

-

ripng

Restricts the rate at which RIPng packets are sent to the CPU.

-

pimv6

Restricts the rate at which PIMv6 packets are sent to the CPU.

-

vrrpv6

Restricts the rate at which VRRPv6 packets are sent to the CPU.

-

vlan vlan-id-begin

Specifies the start VLAN ID value.

The value is an integer ranging from 1 to 4094.

to ce-vlan-id-end

Specifies the end ce-vid value.

The value is an integer ranging from 1 to 4094.

to vlan-id-end

Specifies the end inner VLAN tag value.

The value is an integer ranging from 1 to 4094.

cir cir-value

Specifies the committed information rate (CIR).

The value is an integer that ranges from 32 to 1000000, in packet/s.

If an interface is configured with the port-vlan-car and igmp-vlan-car, it is recommended that the bandwidth of the port-vlan-car be greater than that of the igmp-vlan-car. If the bandwidth of the port-vlan-car is smaller than that of the igmp-vlan-car, the igmp-vlan-car configuration becomes invalid.

cbs cbs-value

Specifies the committed burst size (CBS), that is, the depth of the token bucket.

The value is an integer that ranges from 100 to 33554432, in bytes. It is recommended that the CBS is set to a value greater than 10 times the packet length. The default CBS value is equal to cir-value.

The cbs-value that takes effect is at least 187 times the cir-value.

  • If the configured cbs-value is less than 187 times the cir-value, the cbs-value that takes effect is 187 times the cir-value.
  • If the configured cbs-value is greater than 187 times the cir-value, the configured cbs-value takes effect.
prior

Allows the set rate at which an interface sends packets of a specific protocol to the CPU to take precedence over the dynamic whitelist, whitelist, blacklist, and user-defined flow. If prior is not specified in the command, the set rate at which an interface sends packets of a specific protocol to the CPU has a lower priority than the dynamic whitelist, whitelist, blacklist, and user-defined flow.

-

pe-vid pe-vlan-id

Specifies the pe-vid value.

The value is an integer ranging from 1 to 4094.

ce-vid ce-vlan-id-begin

Specifies the start ce-vid value.

The value is an integer ranging from 1 to 4094.

Views

Layer 2 100GE interface view, 100GE interface view, 10G LAN interface view, 10G WAN interface view, Layer 2 40GE interface view, 40GE interface view, Layer 2 Eth-Trunk interface view, Eth-Trunk interface view, Layer 2 GE interface view, GE optical interface view, GE electrical interface view, Global VE sub-interface view, VE sub-interface view, Sub-interface view

Default Level

2: Configuration level

Task Name and Operations

Task Name Operations
soc write

Usage Guidelines

Usage Scenario

To protect the CPU of an access device that is under attack, run the cp-rate-limit port command to configure port+VLAN-based CAR, which restricts the rate at which packets are sent to the CPU.

Rate limiting does not apply to the following packets to be sent to the CPU:

  • Link Aggregation Control Protocol (LACP)
  • Bridge protocol data unit (BPDU)
  • Reverse Address Resolution Protocol (RARP)
  • CHDLC_KEEPALIVE
  • IPv6_Neighbor Advertisement (IPV6_NA)
  • Two-Way Active Measurement Protocol (TWAMP)
  • Data communication network (DCN)
  • PPP_LLDP
  • IPV6MC_PIM
  • IPv6_Router Advertisement (IPV6_RA)
  • IPv6_Router Solicitation (IPV6_RS)
  • Hierarchy VLAN Register Protocol (HVRP)
  • IPv4_Virtual eXtensible Local Area Network (IPV4_VXLAN)
  • IPv6_Neighbor Solicitation (IPV6_NS)

Configuration Impact

The rate at which specific packets on a specific port are sent to the CPU is restricted, with other packets not being affected.

Precautions

  • If the cp-rate-limit port and cp-rate-limit { dhcp | dhcpv6 | icmp | icmpv6 | ldp-hello | rsvp | ospf | rip | pim | isis | vrrp } commands are configured on the same interface, the latest configuration overrides the previous configuration.
  • Interface VLAN CAR (cp-rate-limit) does not take effect if anyother/default VLAN matching is specified on an interface.

    Interface VLAN CAR (configured using the cp-rate-limit command) and BAS are mutually exclusive.

    - When the untagged or default encapsulation mode is configured for an interface, such as an Ethernet interface or its sub-interface or a GE interface or its sub-interface, the cp-rate-limit { port | { dhcp | dhcpv6 | icmp | icmpv6 | ldp-hello | rsvp | ospf | rip | pim | isis | vrrp | ospfv3 | ripng | pimv6 | vrrpv6 } } cir cir-value [ cbs cbs-value ] [ prior ] command is supported.

    - When the dot1q, untagged, or default encapsulation mode is configured for an interface, such as a dot1q VLAN tag termination sub-interface, global VE sub-interface, VE sub-interface, Layer 2 Ethernet interface, Layer 2 GE interface, Layer 2 Eth-Trunk interface, or EVC sub-interface, the cp-rate-limit { port | { dhcp | dhcpv6 | icmp | icmpv6 | ldp-hello | rsvp | ospf | rip | pim | isis | vrrp | ospfv3 | ripng | pimv6 | vrrpv6 } } vlan vlan-id-begin [ to vlan-id-end ] cir cir-value [ cbs cbs-value ] [ prior ] command is supported.

    - When the QinQ, untagged, or default encapsulation mode is configured for an interface, such as a QinQ VLAN tag termination sub-interface, global VE sub-interface, VE sub-interface, or EVC sub-interface, the cp-rate-limit { port | { dhcp | dhcpv6 | icmp | icmpv6 | ldp-hello | rsvp | ospf | rip | pim | isis | vrrp | ospfv3 | ripng | pimv6 | vrrpv6 } } pe-vid pe-vlan-id ce-vid ce-vlan-id-begin [ to ce-vlan-id-end ] cir cir-value [ cbs cbs-value ] [ prior ] command is supported.

Example

# On GE 0/1/1.1, set the CIR of DHCP packets to be sent to the CPU to 1000 packet/s and the CBS to 2000 bytes.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 0/1/1.1
[*HUAWEI-GigabitEthernet0/1/1.1] cp-rate-limit dhcp cir 1000 cbs 2000
# On QinQ termination sub-interface GE 0/1/1.1 (pe-vid 100, ce-vid 200), set the CIR of DHCP packets to be sent to the CPU to 1000 packet/s and the CBS to 2000 bytes.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 0/1/1.1
[*HUAWEI-GigabitEthernet0/1/1.1] encapsulation qinq-termination
[*HUAWEI-GigabitEthernet0/1/1.1] qinq termination pe-vid 100 ce-vid 200
[*HUAWEI-GigabitEthernet0/1/1.1] cp-rate-limit dhcp pe-vid 100 ce-vid 200 cir 1000 cbs 2000
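
The following added example, which is not Huawei code, audits cp-rate-limit lines taken from a saved configuration against the Format and Parameters sections above and reports the CBS that takes effect under the 187 x cir-value rule. The function name audit, the finding texts and the sample lines are assumptions made for illustration.

```python
import re

# Keywords and value ranges as listed in the Format and Parameters sections.
PROTOCOLS = {"port", "dhcp", "dhcpv6", "icmp", "icmpv6", "ldp-hello", "rsvp", "ospf", "rip",
             "pim", "isis", "vrrp", "ospfv3", "ripng", "pimv6", "vrrpv6"}
RANGES = {"vlan_begin": (1, 4094), "vlan_end": (1, 4094), "pe_vid": (1, 4094),
          "ce_begin": (1, 4094), "ce_end": (1, 4094),
          "cir": (32, 1000000), "cbs": (100, 33554432)}
CBS_FLOOR_FACTOR = 187  # effective cbs-value is at least 187 times cir-value

LINE_RE = re.compile(
    r"^cp-rate-limit\s+(?P<proto>\S+)"
    r"(?:\s+vlan\s+(?P<vlan_begin>\d+)(?:\s+to\s+(?P<vlan_end>\d+))?"
    r"|\s+pe-vid\s+(?P<pe_vid>\d+)\s+ce-vid\s+(?P<ce_begin>\d+)(?:\s+to\s+(?P<ce_end>\d+))?)?"
    r"\s+cir\s+(?P<cir>\d+)(?:\s+cbs\s+(?P<cbs>\d+))?(?P<prior>\s+prior)?$")

def audit(line):
    """Check one cp-rate-limit line; return (parsed, findings). parsed is None on a syntax miss."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None, ["does not match a documented cp-rate-limit form"]
    g, findings = m.groupdict(), []
    if g["proto"] not in PROTOCOLS:
        findings.append(f"unknown protocol keyword: {g['proto']}")
    for name, (low, high) in RANGES.items():
        if g[name] is not None and not low <= int(g[name]) <= high:
            findings.append(f"{name}={g[name]} outside {low}..{high}")
    cir = int(g["cir"])
    floor = CBS_FLOOR_FACTOR * cir
    configured = int(g["cbs"]) if g["cbs"] else cir  # default CBS equals cir-value
    if g["cbs"] and configured < floor:
        findings.append(f"cbs={configured} is below 187 x cir; {floor} takes effect")
    parsed = {"proto": g["proto"], "cir": cir, "cbs_effective": max(configured, floor),
              "prior": g["prior"] is not None}  # without prior, whitelist/blacklist rules rank higher
    return parsed, findings

# Constructed sample: the page's two example commands plus two deliberately bad lines.
SAMPLE = [
    "cp-rate-limit dhcp cir 1000 cbs 2000",
    "cp-rate-limit dhcp pe-vid 100 ce-vid 200 cir 1000 cbs 2000",
    "cp-rate-limit icmp vlan 10 to 4095 cir 16 prior",
    "cp-rate-limit dhcp cbs 2000",
]

if __name__ == "__main__":
    for text in SAMPLE:
        print(text, "->", audit(text))
```

For both commands in the Example section, the audit reports that the configured CBS of 2000 is below 187 x 1000, so 187000 is the value that takes effect.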
Copyright © Huawei Technologies Co., Ltd.