The nat flow-defend command sets the rate at which the first packet is sent to create a flow on a service board.
The undo nat flow-defend command restores the default rate at which the first packet is sent to create a flow on a service board.
By default, the rates at which the first forward, fragment, and reverse packets are sent to create a flow are 68 kbit/s, 20 kbit/s, and 9 kbit/s, respectively.
This command is supported only on the NetEngine 8000 F1A.
Parameter | Description | Value |
---|---|---|
forward | Indicates the first user-to-network packet used to create a flow. | - |
reverse | Indicates the first network-to-user packet used to create a flow. | - |
fragment | Indicates the first fragment used to create a flow. | - |
rate rate-number | Specifies the rate at which packets are sent. | The value is an integer ranging from 0 to 3000, in kpps. Value 0 indicates traffic is not allowed to pass. |
slot slot-id | Specifies the slot ID of a service board. | The value is a string of 1 to 15 case-sensitive characters. Spaces are not supported. |
Usage Scenario
To set the rate at which the first packet is sent to create a flow on a service board, run the nat flow-defend command. The command helps prevent first-packet-based attacks from consuming a large amount of CPU resources, which minimizes the impact on services. The rates at which the first user-to-network packet, the first fragment, and the first network-to-user packet are sent can be flexibly set.
Precautions
In VS mode, this command is supported only by the admin VS.