Contents
Configuring protocol packet rate limit
About protocol packet rate limit
Restrictions and guidelines: Protocol packet rate limit
Verifying and maintaining protocol packet rate limit
Protocol packet rate limit configuration examples
Example: Configuring protocol-based protocol packet rate limit
Example: Configuring flow-based protocol packet rate limit
Configuring protocol packet rate limit
About protocol packet rate limit
The protocol packet rate limit feature rate limits packets sent to the CPU, effectively preventing flood and DoS attacks.
The device supports the following protocol packet rate limit methods:
· Protocol-based protocol packet rate limit—Limits the maximum transmission rate of protocol packets of a specific protocol. Excessive protocol packets are dropped.
· Flow-based protocol packet rate limit—Identifies flows of a protocol by source IP or MAC address, and limits the maximum transmission rate per flow. Excessive protocol packets are dropped. This method collects traffic statistics by flow and protocol for traffic anomaly and user behavior monitoring.
Restrictions and guidelines: Protocol packet rate limit
You can configure both protocol-based and flow-based protocol packet rate limit for the same protocol. The device first performs flow-based protocol packet rate limit and then performs protocol-based packet rate limit.
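The ordering described above, modeled as an added example (not H3C code). A fixed one-second counting window is assumed because the page does not describe the device's metering algorithm, and the function name, source labels and packet counts are constructed for illustration.

```python
from collections import Counter

def two_stage_limit(packets, flow_limit, proto_limit):
    """Apply the flow-based limit first, then the protocol-based limit.

    packets: (second, source) tuples for one protocol, in arrival order.
    flow_limit: per-source pps limit, or None when flow-based limit is off.
    proto_limit: pps limit for the protocol as a whole.
    Returns three Counters keyed by source:
    passed, dropped by the flow stage, dropped by the protocol stage.
    """
    per_flow = Counter()   # (second, source) -> packets admitted by stage 1
    per_proto = Counter()  # second -> packets admitted by stage 2
    passed, drop_flow, drop_proto = Counter(), Counter(), Counter()
    for sec, src in packets:
        # Stage 1: per-source (flow-based) limit, if configured.
        if flow_limit is not None:
            if per_flow[(sec, src)] >= flow_limit:
                drop_flow[src] += 1
                continue
            per_flow[(sec, src)] += 1
        # Stage 2: limit shared by every source of this protocol.
        if per_proto[sec] >= proto_limit:
            drop_proto[src] += 1
            continue
        per_proto[sec] += 1
        passed[src] += 1
    return passed, drop_flow, drop_proto

# Constructed one-second sample: one source sends 5000 ARP packets, and a
# second source's 10 packets arrive after them.
SAMPLE = [(0, "src-A")] * 5000 + [(0, "src-B")] * 10

if __name__ == "__main__":
    for label, flow in (("protocol-based only", None),
                        ("flow-based then protocol-based", 50)):
        passed, drop_flow, drop_proto = two_stage_limit(SAMPLE, flow, 1000)
        print(label, dict(passed), dict(drop_flow), dict(drop_proto))
```

With only the protocol-based limit, src-B's packets are dropped because src-A has already consumed the 1000 pps budget. With the 50 pps per-flow limit in front, src-A is cut to 50 packets and all of src-B's packets pass.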
Procedure
1. Enter system view.
    system-view
2. Enable packet rate limit.
    anti-attack enable
    By default, packet rate limit is disabled.
3. Enable packet rate limit for a specific protocol or all protocols.
    anti-attack protocol { all | protocol } enable
    By default, packet rate limit is disabled for all protocols.
4. (Optional.) Set the maximum transmission rate for a protocol.
    anti-attack protocol protocol threshold rate-limit
    The default settings vary by device model.
    To display the default setting for a protocol, execute the undo anti-attack protocol threshold and display anti-attack protocol commands in turn.
5. Enable flow-based packet rate limit for a protocol and set the maximum transmission rate per flow.
    anti-attack protocol protocol flow-threshold flow-rate-limit
    By default, flow-based packet rate limit is disabled for all protocols.
    This step is required only for flow-based packet rate limit.
Verifying and maintaining protocol packet rate limit
To display protocol packet rate limit information, execute the following command in any view:
display anti-attack protocol [ protocol ]
Protocol packet rate limit configuration examples
Example: Configuring protocol-based protocol packet rate limit
Network configuration
Configure protocol packet rate limit for ARP on the AC. Set the maximum transmission rate to 1000 packets per second.
Procedure
# Enable packet rate limit.
<AC> system-view
[AC] anti-attack enable
# Enable packet rate limit for ARP.
[AC] anti-attack protocol arp enable
# Set the maximum transmission rate to 1000 packets per second for ARP.
[AC] anti-attack protocol arp threshold 1000
Verifying the configuration
# Display packet rate limit information about ARP after Client 1 and Client 2 are connected.
[AC] display anti-attack protocol arp
Slot 1:
Anti-attack statistics
Protocol   anti-attack   Priority   Limit(pps)   Rate(pps)   Passed   Dropped
arp        enable        1          1000         0           17907    0
arp Flow-limit is not enable.
Example: Configuring flow-based protocol packet rate limit
Network configuration
Configure flow-based protocol packet rate limit for ARP on the AC. Set the maximum transmission rate per flow to 50 packets per second.
Figure 2 Network diagram
Procedure
# Enable packet rate limit.
<AC> system-view
[AC] anti-attack enable
# Enable packet rate limit for ARP.
[AC] anti-attack protocol arp enable
# Enable flow-based packet rate limit for ARP and set the maximum transmission rate per flow to 50 packets per second.
[AC] anti-attack protocol arp flow-threshold 50
Verifying the configuration
# Display packet rate limit information about ARP after Client 1 and Client 2 are connected.
[AC] display anti-attack protocol arp
Slot 1:
Anti-attack statistics
Protocol   anti-attack   Priority   Limit(pps)   Rate(pps)   Passed   Dropped
arp        enable        1          1024         0           17907    0
FlowSource       FlowLimit(pps)   FlowRate(pps)   Passed   Dropped
00e0-fc12-7723   50               0               2        0
0011-e212-8801   50               0               17905    0
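A check for reviewing this output, added here as an example (not H3C tooling). It parses the column layout shown in the sample above, which may differ on other software versions; the function names and the 90% share threshold are assumptions.

```python
# Constructed input: the flow-based example output shown above.
SAMPLE = """\
Slot 1:
Anti-attack statistics
Protocol anti-attack Priority Limit(pps) Rate(pps) Passed Dropped
arp enable 1 1024 0 17907 0
FlowSource FlowLimit(pps) FlowRate(pps) Passed Dropped
00e0-fc12-7723 50 0 2 0
0011-e212-8801 50 0 17905 0
"""

def parse_anti_attack(text):
    """Return (protocol_row, flow_rows) parsed from the display output."""
    proto, flows = None, []
    for line in text.splitlines():
        f = line.split()
        # Protocol row: name, state, then five numeric columns.
        if len(f) == 7 and all(x.isdigit() for x in f[2:]):
            proto = dict(protocol=f[0], state=f[1], priority=int(f[2]),
                         limit=int(f[3]), rate=int(f[4]),
                         passed=int(f[5]), dropped=int(f[6]))
        # Flow row: source (MAC or IP address), then four numeric columns.
        elif len(f) == 5 and all(x.isdigit() for x in f[1:]):
            flows.append(dict(source=f[0], limit=int(f[1]), rate=int(f[2]),
                              passed=int(f[3]), dropped=int(f[4])))
    return proto, flows

def review(proto, flows, share=0.9):
    """Flag sources that exceeded a limit or dominate the passed count."""
    findings = []
    if proto is None:
        return findings
    if proto["dropped"] > 0:
        findings.append((proto["protocol"], "protocol limit exceeded"))
    for fl in flows:
        if fl["dropped"] > 0:
            findings.append((fl["source"], "flow limit exceeded"))
        elif proto["passed"] and fl["passed"] / proto["passed"] >= share:
            findings.append((fl["source"], "dominant source"))
    return findings

if __name__ == "__main__":
    proto, flows = parse_anti_attack(SAMPLE)
    for source, reason in review(proto, flows):
        print(f"{source}: {reason}")
```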