The display cpu-defend policy command displays information about a specified attack defense policy.
Usage Scenario
You can run the display cpu-defend policy command to view information about the user-defined attack defense policy.
Prerequisites
The attack defense policy whose information is to be viewed must already be configured.
In VS mode, this command is supported only by the admin VS.
The actual command output varies according to the device. The command output here is only an example.
<HUAWEI> display cpu-defend policy 1
Number : 1
Description :
Related slot : <1>
Configuration :
Whitelist Configuration :
Whitelist enable : open
Whitelist ACL number : 0
Whitelist : CIR(4000) CBS(40000) Fixed-packet-length(128)
Whitelist priority : middle
Whitelist alarm enable : close
Whitelist alarm : threshold(1000000) interval(3600) speed-threshold(300)
Whitelist BGP : CIR(4000) CBS(600000) Fixed-packet-length(128)
Whitelist LDP : CIR(4000) CBS(600000) Fixed-packet-length(128)
Whitelist OSPF : CIR(4000) CBS(600000) Fixed-packet-length(128)
Whitelist RADIUS : CIR(1500) CBS(600000) Fixed-packet-length(128)
Whitelist RSVP : CIR(4000) CBS(600000) Fixed-packet-length(128)
Whitelist ISIS : CIR(5000) CBS(600000) Fixed-packet-length(128)
Whitelist IPV6 ACL number : 0
Whitelist IPV6 : CIR(4000) CBS(600000) Fixed-packet-length(128)
Whitelist IPV6 priority : default
Whitelist IPV6 alarm enable : open
Whitelist IPV6 alarm : threshold(30000) interval(600) speed-threshold(300)
Whitelist BGPv6 : CIR(4000) CBS(600000) Fixed-packet-length(128)
Whitelist OSPFv3 : CIR(4000) CBS(600000) Fixed-packet-length(128)
Blacklist Configuration :
Blacklist enable : open
Blacklist ACL number : 0
Blacklist IPV6 ACL number : 0
Blacklist : CIR(1) CBS(1000) Fixed-packet-length(128)
Blacklist priority : middle
Blacklist alarm enable : close
Blacklist alarm : threshold(1000000) interval(3600)
ARP Configuration :
Outbound ARP check enable : open
Total packet Configuration :
Total packet car speed : high
Total packet alarm enable : close
Total packet alarm : threshold(1000000) interval(3600)
Process-sequence : tcpsyn-flood fragment-flood dynamic-link-protection management-acl whitelist blacklist user-defined-flow
Dynamic link protection Configuration :
Dynamic link protection enable : open
Application apperceive Configuration :
Application apperceive enable : open
Default Action: Min-to-cp
Application apperceive alarm enable : open
Application apperceive alarm : threshold(1000000) interval(3600) speed-threshold(300)
MA-Defend Configuration :
MA-Defend alarm enable : open
MA-Defend alarm : threshold(1000000) interval(3600)
Source Trace Data Configuration :
Source Trace enable : open
Source Trace Type enable :
car: open
urpf: open
tcpip-defend: open
ma-defend: open
application-apperceive: open
totalcar: open
Source Trace Sample : 100
Source Trace IPv4 Packet Length : 64
Source Trace IPv6 Packet Length : 96
URPF Configuration :
URPF model : close
allow default route: close
URPF alarm enable : open
URPF alarm : threshold(30000) interval(600) speed-threshold(300)
TCPIP-Defend Configuration :
Abnormal Packet Defend : open
Udp Packet Defend : open
Tcpsyn Flood Defend : open
Tcpsyn : CIR(1500) CBS(15000) Fixed-packet-length(128)
Tcpsyn priority : middle
fragment-flood Defend : open
Ip fragment : CIR(3000) CBS(30000) Fixed-packet-length(128)
Ip fragment priority : middle
TCPIP alarm enable : open
TCPIP alarm : threshold(1000000) interval(3600) speed-threshold(300)
User-defined-flow Configuration :
User-defined-flow's alarm default configuration :
alarm enable : open, alarm value : threshold(30000) interval(600) speed-threshold(300)
User-defined-flow 1 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 2 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 3 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 4 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 5 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 6 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 7 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 8 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 9 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 10 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 11 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 12 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 13 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 14 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 15 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 16 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 17 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 18 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 19 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 20 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 21 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 22 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 23 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 24 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 25 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 26 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 27 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 28 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 29 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 30 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 31 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 32 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 33 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 34 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 35 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 36 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 37 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 38 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 39 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 40 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 41 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 42 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 43 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 44 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 45 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 46 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 47 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 48 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 49 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 50 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 51 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 52 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 53 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 54 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 55 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 56 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 57 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 58 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 59 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 60 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 61 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 62 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 63 : CIR(2000) CBS(20000) Fixed-packet-length(128)
User-defined-flow 64 : CIR(2000) CBS(20000) Fixed-packet-length(128)
Car Configuration :
All the supported cpcar's alarm default configuration :
alarm enable : open, alarm value : threshold(30000) interval(600) speed-threshold(300)
Car isis: Min-packet-length(512)
Car arp: CIR(32)
Enhance Configuration :
IPv6 enhance acl enable : close
Ttl-expired-loop Configuration :
Ttl-expired-loop alarm enable : open
Ttl-expired-loop alarm : threshold(10) interval(60)
Acl Enable Configuration :
Acl ipv4-multicast-fib-miss enable : close
Cp-Acl-IP-Pool Configuration :
Cp-acl ip-pool enable : close
Management-Acl Configuration :
Management acl enable : open
Item | Description |
---|---|
Number | Number of an attack defense policy. |
Description | Description of the attack defense policy. |
Related slot | Interface board to which the attack defense policy is applied. |
Configuration | Configurations of attack defense policy 8. |
Whitelist Configuration | Configurations of the whitelist. |
Whitelist enable | Whether the whitelist is enabled. |
Whitelist ACL number | Number of the ACL rule for joining the whitelist. |
Whitelist | CAR configurations of the IPv4 whitelist for packets, except packets of the following IPv4 protocols. |
Whitelist priority | Sending priority of the whitelist. |
Whitelist alarm enable | Whether the whitelist alarm is enabled. |
Whitelist alarm | Alarm threshold and checking interval for the whitelist. |
Whitelist BGP | CAR rule defined by the BGP whitelist. |
Whitelist LDP | CAR rule defined by the LDP whitelist. |
Whitelist OSPF | CAR rule defined by the OSPF whitelist. |
Whitelist RADIUS | CAR rule defined by the RADIUS whitelist. |
Whitelist RSVP | CAR rule defined by the RSVP whitelist. |
Whitelist ISIS | CAR rule defined by the IS-IS whitelist. |
Whitelist IPV6 ACL number | Number of the ACL rule added to the IPv6 whitelist. |
Whitelist IPV6 | CAR configurations of the IPv6 whitelist for packets, except packets of the following IPv6 protocols. |
Whitelist IPV6 priority | Priority of sending the packets matching the IPv6 whitelist to the CPU. |
Whitelist IPV6 alarm enable | Whether the alarm function is enabled for the IPv6 whitelist. |
Whitelist IPV6 alarm | Alarm threshold and check interval configured for the IPv6 whitelist. |
Whitelist BGPv6 | CAR rule defined by the BGPv6 whitelist. |
Whitelist OSPFv3 | CAR rule defined by the OSPFv3 whitelist. |
alarm enable | Alarm enable. |
Blacklist Configuration | Configurations of the blacklist. |
Blacklist enable | Whether the blacklist is enabled. |
Blacklist ACL number | Number of the ACL rule for joining the blacklist. |
Blacklist IPV6 ACL number | Number of the ACL rule added to the IPv6 blacklist. |
Blacklist | CAR configurations of the blacklist. |
Blacklist priority | Sending priority of the blacklist. |
Blacklist alarm enable | Whether the blacklist alarm is enabled. |
Blacklist alarm | Alarm threshold and checking interval for the blacklist. |
Total packet Configuration | Configurations of packets to be sent to the CPU. |
Total packet car speed | Total rate for sending the packets to the CPU. |
Total packet alarm enable | Whether the alarm for sending packets to the CPU is enabled. |
Total packet alarm | Alarm threshold and checking interval for all packets to be sent to the CPU. |
car | Whether CAR is enabled. |
Process-sequence | Matching sequence of packets to be sent to the CPU. |
Cp-acl ip-pool enable | Enabled status of the ACL IP address pool. |
Application apperceive Configuration | Configurations of application layer association. |
Application apperceive enable | Whether application layer association is enabled. |
Application apperceive alarm enable | Whether the alarm for application layer association is enabled. |
Application apperceive alarm | Alarm threshold and checking interval for application layer association. |
Default Action | Default mode of application layer association to process packets to be sent to the CPU. |
MA-Defend Configuration | Configurations of management and application. |
MA-Defend alarm enable | Whether the alarm for management and application is enabled. |
MA-Defend alarm | Alarm threshold and checking interval for management and application. |
Source Trace Data Configuration | Configurations of attack source tracing. |
Source Trace enable | Whether attack source tracing is enabled. |
Source Trace Type enable | Type of enabled attack source tracing. |
Source Trace Sample | Sampling ratio for packets that record attack source tracing. |
Source Trace IPv4 Packet Length | Length of the IPv4 packet that records attack source tracing. |
Source Trace IPv6 Packet Length | Length of the IPv6 packet that records attack source tracing. |
IPv6 enhance acl enable | Enabled status of enhanced ACLs for IPv6 attack defense. |
URPF Configuration | URPF configurations. |
URPF model | URPF mode. |
URPF alarm enable | Whether the alarm function is enabled for URPF. |
URPF alarm | URPF alarm configurations. |
allow default route | Whether URPF allows default route match. |
TCPIP-Defend Configuration | Configurations of TCP/IP attack defense. |
Abnormal Packet Defend | Whether defense against malformed packets is enabled. |
Udp Packet Defend | Whether defense against UDP packets is enabled. |
Tcpsyn Flood Defend | Whether defense against SYN flood packets is enabled. |
Tcpsyn | Whether the alarm for defense against SYN flood packets is enabled. |
Tcpsyn priority | Sending priority of packets that match the SYN rule. |
Ip fragment | CAR rule for defense against IP packet fragments. |
Ip fragment priority | Sending priority of packets that match the IP packet fragment rule. |
TCPIP alarm enable | Whether the alarm for TCP/IP attack defense is enabled. |
TCPIP alarm | Alarm threshold and checking interval for TCP/IP attack defense. |
User-defined-flow Configuration | Configurations of the user-defined flow. |
User-defined-flow 1 | User-defined flow 1. |
User-defined-flow 2 | User-defined flow 2. |
User-defined-flow 3 | User-defined flow 3. |
User-defined-flow 4 | User-defined flow 4. |
User-defined-flow 5 | User-defined flow 5. |
User-defined-flow 6 | User-defined flow 6. |
User-defined-flow 7 | User-defined flow 7. |
User-defined-flow 8 | User-defined flow 8. |
User-defined-flow 9 | User-defined flow 9. |
User-defined-flow 10 | User-defined flow 10. |
User-defined-flow 11 | User-defined flow 11. |
User-defined-flow 12 | User-defined flow 12. |
User-defined-flow 13 | User-defined flow 13. |
User-defined-flow 14 | User-defined flow 14. |
User-defined-flow 15 | User-defined flow 15. |
User-defined-flow 16 | User-defined flow 16. |
User-defined-flow 17 | User-defined flow 17. |
User-defined-flow 18 | User-defined flow 18. |
User-defined-flow 19 | User-defined flow 19. |
User-defined-flow 20 | User-defined flow 20. |
User-defined-flow 21 | User-defined flow 21. |
User-defined-flow 22 | User-defined flow 22. |
User-defined-flow 23 | User-defined flow 23. |
User-defined-flow 24 | User-defined flow 24. |
User-defined-flow 25 | User-defined flow 25. |
User-defined-flow 26 | User-defined flow 26. |
User-defined-flow 27 | User-defined flow 27. |
User-defined-flow 28 | User-defined flow 28. |
User-defined-flow 29 | User-defined flow 29. |
User-defined-flow 30 | User-defined flow 30. |
User-defined-flow 31 | User-defined flow 31. |
User-defined-flow 32 | User-defined flow 32. |
User-defined-flow 33 | User-defined flow 33. |
User-defined-flow 34 | User-defined flow 34. |
User-defined-flow 35 | User-defined flow 35. |
User-defined-flow 36 | User-defined flow 36. |
User-defined-flow 37 | User-defined flow 37. |
User-defined-flow 38 | User-defined flow 38. |
User-defined-flow 39 | User-defined flow 39. |
User-defined-flow 40 | User-defined flow 40. |
User-defined-flow 41 | User-defined flow 41. |
User-defined-flow 42 | User-defined flow 42. |
User-defined-flow 43 | User-defined flow 43. |
User-defined-flow 44 | User-defined flow 44. |
User-defined-flow 45 | User-defined flow 45. |
User-defined-flow 46 | User-defined flow 46. |
User-defined-flow 47 | User-defined flow 47. |
User-defined-flow 48 | User-defined flow 48. |
User-defined-flow 49 | User-defined flow 49. |
User-defined-flow 50 | User-defined flow 50. |
User-defined-flow 51 | User-defined flow 51. |
User-defined-flow 52 | User-defined flow 52. |
User-defined-flow 53 | User-defined flow 53. |
User-defined-flow 54 | User-defined flow 54. |
User-defined-flow 55 | User-defined flow 55. |
User-defined-flow 56 | User-defined flow 56. |
User-defined-flow 57 | User-defined flow 57. |
User-defined-flow 58 | User-defined flow 58. |
User-defined-flow 59 | User-defined flow 59. |
User-defined-flow 60 | User-defined flow 60. |
User-defined-flow 61 | User-defined flow 61. |
User-defined-flow 62 | User-defined flow 62. |
User-defined-flow 63 | User-defined flow 63. |
User-defined-flow 64 | User-defined flow 64. |
User-defined-flow's alarm default configuration | User-defined-flow's alarm default configuration. |
Car Configuration | Configurations of CAR. |
Car isis | Car isis. |
Car arp | Car arp. |
All the supported cpcar's alarm default configuration | All the supported cpcar's alarm default configuration. |
Ttl-expired-loop alarm enable | Enabled status of the TTL timeout loop detection alarm function. |
Ttl-expired-loop alarm | TTL timeout loop detection alarm threshold and interval at which the detection is implemented. |
Ttl-expired-loop Configuration | Ttl-expired-loop Configuration. |
Acl Enable Configuration | ACL enabling configurations. |
Acl ipv4-multicast-fib-miss enable | Whether the function of matching IPv4 MFIB-MISS packets against ACL rules is enabled. |
Management-Acl Configuration | Configuration of the management protocol ACL delivering function. |
Management acl enable | Status of the management protocol ACL delivering function. |
Dynamic link protection Configuration | Configuration of the dynamic link protection function. |
Dynamic link protection enable | Status of the dynamic link protection function. |
Fragment-flood Defend | Whether defense against packet fragments is enabled. |
Cp-Acl-IP-Pool Configuration | ACL-based address pool configuration. |
ARP Configuration | ARP configurations. |
Outbound ARP check enable | Whether checking downlink ARP packets is enabled. |
Enhance Configuration | Enhance Configuration. |
urpf | Whether URPF is enabled. |
tcpip-defend | Whether TCP/IP attack defense is enabled. |
ma-defend | Whether the management and application function is enabled. |
application-apperceive | Whether application layer association is enabled. |
totalcar | Status of total CAR attack source tracing. |
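
The command output documented above is a flat list of `field : value` lines grouped under `... Configuration :` headings. The following Python code is an added example, not part of the original page or of Huawei's tooling: it parses that format and lists the alarm switches that are `close`, using a constructed sample and hypothetical function names (`parse_policy`, `disabled_alarms`).

```python
import re

# Constructed sample in the format of the command output shown on this page.
SAMPLE = """\
<HUAWEI> display cpu-defend policy 1
Number : 1
Whitelist Configuration :
Whitelist enable : open
Whitelist : CIR(4000) CBS(40000) Fixed-packet-length(128)
Whitelist alarm enable : close
Blacklist Configuration :
Blacklist : CIR(1) CBS(1000) Fixed-packet-length(128)
Blacklist alarm enable : close
URPF Configuration :
URPF model : close
URPF alarm enable : open
User-defined-flow Configuration :
User-defined-flow's alarm default configuration :
alarm enable : open, alarm value : threshold(30000) interval(600) speed-threshold(300)
"""

PARAM = re.compile(r"([A-Za-z-]+)\((\d+)\)")  # e.g. CIR(4000), interval(600)

def parse_policy(text):
    """Return {section: {field: value}}. A value is a dict of numeric
    parameters (CIR, CBS, threshold, ...) or the raw string (open, close, ...)."""
    policy, section = {}, "global"
    for line in text.splitlines():
        # One output line can carry two fields separated by a comma
        # ("alarm enable : open, alarm value : ...").
        for part in line.split(","):
            key, sep, value = part.partition(":")
            key, value = key.strip(), value.strip()
            if not sep or not key:
                continue  # prompt line or blank line
            if not value:
                # "<name> Configuration :" opens a section; other empty
                # headings are sub-titles and carry no value.
                if key.endswith("Configuration"):
                    section = key
                continue
            params = {n: int(v) for n, v in PARAM.findall(value)}
            policy.setdefault(section, {})[key] = params or value
    return policy

def disabled_alarms(policy):
    """List (section, field) pairs whose alarm switch is 'close'."""
    return [(s, f) for s, fields in policy.items()
            for f, v in fields.items()
            if f.endswith("alarm enable") and v == "close"]

if __name__ == "__main__":
    for sec, field in disabled_alarms(parse_policy(SAMPLE)):
        print(f"{sec}: {field} is close")
```

Because the command output varies by device, treat unknown fields as raw strings rather than failing on them, as the parser above does.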