13.6. CPU Traffic Protect Commands

13.6.1. cpu-traffic-protect

Command Purpose

Use this command to enable and enter into CPU traffic protect mode. Use the no form of this command to disable CPU traffic protect mode.

Prerequisites

Platform    Software    License    Comments
AQ-N3000    7.0         Base       -
AQ-N5000    7.0         Base       -
AQ-N6000    7.0         Base       -

Command Syntax

cpu-traffic-protect (arp|dhcp)

no cpu-traffic-protect (arp|dhcp)

Parameter    Parameter Description                                              Parameter Value
arp          ARP packet                                                         -
dhcp         DHCP packet, CPU traffic protect DHCP at port level is enabled.    -

Command Mode

Global Config

Default

None

Usage

When cpu-traffic-protect ARP is configured, blacklist mode is entered by default. When cpu-traffic-protect DHCP is configured, CPU traffic protect DHCP at port level is enabled.

Examples

This example shows how to enable and enter into CPU traffic protect mode:

Switch# configure terminal
Switch(config)# cpu-traffic-protect arp
Switch(config-cpu-traffic-protect)#

13.6.2. trace enable

Command Purpose

Use this command to enable attack trace. Use the no form of this command to disable attack trace.

Prerequisites

Platform    Software    License    Comments
AQ-N3000    7.0         Base       -
AQ-N5000    7.0         Base       -
AQ-N6000    7.0         Base       -

Command Syntax

trace enable

no trace enable

Command Mode

CPU traffic Protect Configuration

Default

None

Usage

None

Examples

This example shows how to enable attack trace:

Switch# configure terminal
Switch(config)# cpu-traffic-protect arp
Switch(config-cpu-traffic-protect)# trace enable

Related Commands

N/A

13.6.3. trace type

Command Purpose

Use this command to configure attack trace type. Use the no form of this command to set to the default type.

Prerequisites

Platform    Software    License    Comments
AQ-N3000    7.0         Base       -
AQ-N5000    7.0         Base       -
AQ-N6000    7.0         Base       -

Command Syntax

trace type (sender-ip|src-mac|target-ip|source-portvlan|src-interface)

no trace type

Parameter          Parameter Description                                                                       Parameter Value
sender-ip          ARP packet sender IP address                                                                -
src-mac            ARP packet source MAC                                                                       -
target-ip          ARP packet target IP address                                                                -
source-portvlan    The input port and VLAN of the packet                                                       -
src-interface      The source interface of the DHCP packet; can only be used with cpu-traffic-protect DHCP.    -

Command Mode

CPU traffic Protect Configuration

Default

Trace type default for ARP: src-mac;

Trace type default for DHCP: src-interface.

Usage

The DHCP trace type supports only src-interface; the ARP trace type supports every type except src-interface.

Examples

This example shows how to configure attack trace type to sender-ip and target-ip:

Switch# configure terminal
Switch(config)# cpu-traffic-protect arp
Switch(config-cpu-traffic-protect)# trace type sender-ip target-ip

Related Commands

N/A

13.6.4. trace sample

Command Purpose

Use this command to configure attack trace sample rate. Use the no form of this command to set sample to the default.

Prerequisites

Platform    Software    License    Comments
AQ-N3000    7.0         Base       -
AQ-N5000    7.0         Base       -
AQ-N6000    7.0         Base       -

Command Syntax

trace sample SAMPLE-RATE

no trace sample

Parameter      Parameter Description       Parameter Value
SAMPLE-RATE    Attack trace sample rate    1 - 1024

Command Mode

CPU traffic Protect Configuration

Default

Trace sample default for ARP: 8;

Trace sample default for DHCP: 1.

Usage

None

Examples

This example shows how to configure attack trace sample rate to 16:

Switch# configure terminal
Switch(config)# cpu-traffic-protect arp
Switch(config-cpu-traffic-protect)# trace sample 16

Related Commands

None

13.6.5. trace threshold

Command Purpose

Use this command to configure attack trace checking threshold. Use the no form of this command to set threshold to the default.

Prerequisites

Platform    Software    License    Comments
AQ-N3000    7.0         Base       -
AQ-N5000    7.0         Base       -
AQ-N6000    7.0         Base       -

Command Syntax

trace threshold THRESHOLD

no trace threshold

Parameter    Parameter Description              Parameter Value
THRESHOLD    Attack trace checking threshold    1 - 65535, unit: pps

Command Mode

CPU traffic Protect Configuration

Default

Trace threshold default for ARP: 128;

Trace threshold default for DHCP: 64

Usage

None

Examples

This example shows how to configure attack trace checking threshold to 10:

Switch# configure terminal
Switch(config)# cpu-traffic-protect arp
Switch(config-cpu-traffic-protect)# trace threshold 10

Related Commands

None

13.6.6. trace timeout

Command Purpose

Use this command to configure trace aging timeout. Use the no form of this command to set aging timeout to the default.

Prerequisites

Platform    Software    License    Comments
AQ-N3000    7.0         Base       -
AQ-N5000    7.0         Base       -
AQ-N6000    7.0         Base       -

Command Syntax

trace timeout AGING-TIMEOUT

no trace timeout

Parameter        Parameter Description         Parameter Value
AGING-TIMEOUT    Attack trace aging timeout    30 - 1000000, unit: s

Command Mode

CPU traffic Protect Configuration

Default

Trace timeout default for ARP: 300 s.

Usage

None

Examples

This example shows how to configure attack trace timeout to 400:

Switch# configure terminal
Switch(config)# cpu-traffic-protect arp
Switch(config-cpu-traffic-protect)# trace timeout 400

Related Commands

None

13.6.7. trace action

Command Purpose

Use this command to configure attack trace punish action. Use the no form of this command to set trace action to the default.

Prerequisites

Platform    Software    License    Comments
AQ-N3000    7.0         Base       -
AQ-N5000    7.0         Base       -
AQ-N6000    7.0         Base       -

Command Syntax

trace action deny (recover time RECOVER-TIME| )

no trace action

Parameter       Parameter Description                           Parameter Value
RECOVER-TIME    Attack trace punish action auto-recover time    1 - 86400, unit: s

Command Mode

CPU traffic Protect Configuration

Default

Recover time 300

Usage

Only used for cpu-traffic-protect DHCP. The default is to deny DHCP packets and recover in 300 s.

Examples

This example shows how to configure attack trace action recover time to 600:

Switch# configure terminal
Switch(config)# cpu-traffic-protect dhcp
Switch(config-cpu-traffic-protect)# trace action deny recover time 600

Related Commands

cpu-traffic-protect manual recover dhcp

13.6.8. trace protect delay-time

Command Purpose

Use this command to configure trace protect delay-time. Use the no form of this command to set protect delay-time to the default.

Prerequisites

Platform    Software    License    Comments
AQ-N3000    7.0         Base       -
AQ-N5000    7.0         Base       -
AQ-N6000    7.0         Base       -

Command Syntax

trace protect delay-time DELAY-TIME

no trace delay-time

Parameter     Parameter Description                              Parameter Value
DELAY-TIME    Delay time before the protect action is enabled    0 - 86400, unit: s

Command Mode

CPU traffic Protect Configuration

Default

10

Usage

Only used for cpu-traffic-protect DHCP. It specifies how long an attack must continue before CPU traffic protect DHCP is enabled.

Examples

This example shows how to configure attack protect delay-time to 15:

Switch# configure terminal
Switch(config)# cpu-traffic-protect dhcp
Switch(config-cpu-traffic-protect)# trace protect delay-time 15

Related Commands

None

13.6.9. apply access-list

Command Purpose

Use this command to configure ARP protect filter rules. Use the no form of this command to disable rules.

Prerequisites

Platform    Software    License    Comments
AQ-N3000    7.0         Base       -
AQ-N5000    7.0         Base       -
AQ-N6000    7.0         Base       -

Command Syntax

apply access-list ACL-NAME (mode (blacklist|whitelist(rate RATE| ))| )

no apply access-list ACL-NAME

Parameter    Parameter Description           Parameter Value
ACL-NAME     Extended IP access list name    -
blacklist    Blacklist mode                  -
whitelist    Whitelist mode                  -
RATE         Packet to CPU rate              32 - 2048, unit: pps

Command Mode

CPU traffic Protect Configuration

Default

Rate: 32 pps, Mode: blacklist.

Usage

The rate is calculated using 64-byte packets.

Examples

This example shows how to configure ARP protect filter rules with access list 2 and enter into whitelist mode and the rate is 64 pps:

Switch# configure terminal
Switch(config)# cpu-traffic-protect arp
Switch(config-cpu-traffic-protect)# apply access-list 2 mode whitelist rate 64

Related Commands

None
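
The value ranges and the ARP/DHCP restrictions documented in sections 13.6.3 to 13.6.9 can be checked against a planned command list before it is applied to a switch. The following Python sketch is an added example, not vendor code; lint, RULES, ARP_TYPES and PLAN are hypothetical names, and the input is constructed.

```python
import re

# Value ranges and mode limits as documented in sections 13.6.3 to 13.6.9:
# pattern -> (min, max, mode the command is limited to, or None).
RULES = {
    r"trace sample (\d+)": (1, 1024, None),
    r"trace threshold (\d+)": (1, 65535, None),
    r"trace timeout (\d+)": (30, 1000000, None),
    r"trace action deny(?: recover time (\d+))?": (1, 86400, "dhcp"),
    r"trace protect delay-time (\d+)": (0, 86400, "dhcp"),
    r"apply access-list \S+ mode whitelist rate (\d+)": (32, 2048, None),
}
ARP_TYPES = {"sender-ip", "src-mac", "target-ip", "source-portvlan"}

def lint(config):
    """Return [(line number, message)] for a planned command list (hypothetical helper)."""
    findings, mode = [], None
    for no, raw in enumerate(config.splitlines(), 1):
        cmd = raw.split("# ", 1)[-1].strip()          # drop a "Switch(...)# " prompt
        m = re.fullmatch(r"cpu-traffic-protect (arp|dhcp)", cmd)
        if m:
            mode = m.group(1)                         # entering ARP or DHCP protect mode
        elif cmd.startswith("trace type "):
            allowed = {"src-interface"} if mode == "dhcp" else ARP_TYPES
            for t in cmd.split()[2:]:
                if t not in allowed:
                    findings.append((no, f"trace type {t} is not valid in {mode} mode"))
        for pattern, (lo, hi, only) in RULES.items():
            m = re.fullmatch(pattern, cmd)
            if not m:
                continue
            if only and mode != only:
                findings.append((no, f"'{cmd}' applies to {only} mode only, not {mode}"))
            if m.group(1) and not lo <= int(m.group(1)) <= hi:
                findings.append((no, f"value {m.group(1)} outside {lo}-{hi}"))
    return findings

# Constructed input: a DHCP-only trace type, a DHCP-only command and a
# too-low whitelist rate, all entered in ARP mode.
PLAN = """\
Switch(config)# cpu-traffic-protect arp
Switch(config-cpu-traffic-protect)# trace type src-interface
Switch(config-cpu-traffic-protect)# trace threshold 128
Switch(config-cpu-traffic-protect)# trace protect delay-time 15
Switch(config-cpu-traffic-protect)# apply access-list 2 mode whitelist rate 16
"""
```

Calling lint(PLAN) reports lines 2, 4 and 5 and accepts the threshold on line 3.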

13.6.10. cpu-traffic-protect manual recover dhcp

Command Purpose

Use this command to manually recover DHCP protocol of interfaces being punished by CPU traffic protect.

Prerequisites

Platform    Software    License    Comments
AQ-N3000    7.0         Base       -
AQ-N5000    7.0         Base       -
AQ-N6000    7.0         Base       -

Command Syntax

cpu-traffic-protect manual recover dhcp (interface (IFPHYSICAL|IFAGG|IFVLAN)|all )

Parameter     Parameter Description              Parameter Value
IFPHYSICAL    Ethernet interface name            -
IFAGG         Link aggregation interface name    -
IFVLAN        VLAN interface name                -
all           All interfaces being punished      -

Command Mode

Privileged EXEC

Default

None

Usage

None

Examples

This example shows how to manually recover DHCP on interface eth-0-1:

Switch# cpu-traffic-protect manual recover dhcp interface eth-0-1

Related Commands

trace action

13.6.11. show cpu traffic-protect dhcp recover table

Command Purpose

Use this command to show the table of interfaces on which CPU traffic protect is acting, together with the DHCP recover time of each interface.

Prerequisites

Platform    Software    License    Comments
AQ-N3000    7.0         Base       -
AQ-N5000    7.0         Base       -
AQ-N6000    7.0         Base       -

Command Syntax

show cpu traffic-protect dhcp recover table

Command Mode

Privileged EXEC

Default

None

Usage

None

Examples

This example shows how to display the CPU traffic-protect DHCP recover table:

Switch# show cpu traffic-protect dhcp recover table
Dhcp Recover State Table:
------------------------------------------------------------------------
Interface RecoverTime(s)
------------------------------------------------------------------------
eth-0-1 30
------------------------------------------------------------------------
Total: 1

Related Commands

trace protect delay-time

13.6.12. show cpu traffic-protect trace

Command Purpose

Use this command to show the information of attack trace.

Prerequisites

Platform    Software    License    Comments
AQ-N3000    7.0         Base       -
AQ-N5000    7.0         Base       -
AQ-N6000    7.0         Base       -

Command Syntax

show cpu traffic-protect (arp|dhcp) trace (history| )

Parameter    Parameter Description        Parameter Value
arp          ARP packet                   -
dhcp         DHCP packet                  -
history      History trace information    -

Command Mode

Privileged EXEC

Default

None

Usage

None

Examples

This example shows how to display ARP attack trace information:

Switch# show cpu traffic-protect arp trace
Attack Source User Table :
------------------------------------------------------------------------
MacAddress Interface Vlan:O/I AttackTime TotalPackets
------------------------------------------------------------------------
0000.0b00.0200 eth-0-3 - 2023-01-02 15:18:21 1712
------------------------------------------------------------------------
Total: 1
Attack Source Port Table :
------------------------------------------------------------------------
Interface Vlan:O/I AttackTime TotalPackets
------------------------------------------------------------------------
------------------------------------------------------------------------
Total: 0
Attack Sender IP Table :
------------------------------------------------------------------------
IPAddress AttackTime TotalPackets
------------------------------------------------------------------------
1.2.3.4 2023-01-02 15:21:24 184
------------------------------------------------------------------------
Total: 1
Attack Target IP Table :
------------------------------------------------------------------------
IPAddress AttackTime TotalPackets
------------------------------------------------------------------------
4.3.2.1 2023-01-02 15:21:24 184
------------------------------------------------------------------------
Total: 1

Related Commands

clear cpu traffic-protect trace
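
For monitoring, the trace tables in the example output above can be turned into structured records and filtered by packet count. The following Python sketch is an added example, not vendor code; parse_trace and offenders are hypothetical names, the parser assumes the whitespace-separated layout shown above, and the sample is constructed from the first two tables of that output.

```python
import re
from datetime import datetime

# Constructed sample: first two tables of the output above, separators shortened.
SAMPLE = """\
Attack Source User Table :
--------
MacAddress Interface Vlan:O/I AttackTime TotalPackets
--------
0000.0b00.0200 eth-0-3 - 2023-01-02 15:18:21 1712
--------
Total: 1
Attack Source Port Table :
--------
Interface Vlan:O/I AttackTime TotalPackets
--------
--------
Total: 0
"""

def parse_trace(text):
    """Return {table name: [row dict]}; raise if a Total line disagrees with the rows."""
    tables, name, header, rows = {}, None, None, []
    for line in (l.strip() for l in text.splitlines()):
        if not line or set(line) == {"-"}:
            continue                                   # blank or separator line
        m = re.fullmatch(r"(Attack .+ Table)\s*:", line)
        if m:
            name, header, rows = m.group(1), None, []
        elif name and header is None:
            header = line.split()                      # column names of this table
        elif name and line.startswith("Total:"):
            if int(line.split(":")[1]) != len(rows):
                raise ValueError(f"{name}: Total does not match parsed rows")
            tables[name], name = rows, None
        elif name:
            tok, lead = line.split(), header[:-2]      # AttackTime spans two tokens
            if len(tok) != len(lead) + 3:
                raise ValueError(f"{name}: unexpected row {line!r}")
            when = datetime.strptime(" ".join(tok[-3:-1]), "%Y-%m-%d %H:%M:%S")
            rows.append({**dict(zip(lead, tok)), "AttackTime": when, "TotalPackets": int(tok[-1])})
    return tables

def offenders(tables, min_packets):
    """Rows with TotalPackets >= min_packets, busiest first, tagged with their table."""
    hits = [dict(r, Table=n) for n, rs in tables.items() for r in rs]
    return sorted((h for h in hits if h["TotalPackets"] >= min_packets),
                  key=lambda h: -h["TotalPackets"])
```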

13.6.13. show cpu traffic-protect trace config

Command Purpose

Use this command to show the attack trace configuration.

Prerequisites

Platform    Software    License    Comments
AQ-N3000    7.0         Base       -
AQ-N5000    7.0         Base       -
AQ-N6000    7.0         Base       -

Command Syntax

show cpu traffic-protect (arp|dhcp) trace config

Parameter    Parameter Description    Parameter Value
arp          ARP packet               -
dhcp         DHCP packet              -

Command Mode

Privileged EXEC

Default

None

Usage

None

Examples

This example shows how to display the ARP attack trace configuration:

Switch# show cpu traffic-protect arp trace config
Trace arp configuration:
Reason :16
Enable :1
Mode :0x1
Sample :18
Threshold :35
Aging timeout :300

Related Commands

None

13.6.14. clear cpu traffic-protect trace

Command Purpose

Use this command to clear the history information of attack trace.

Prerequisites

Platform    Software    License    Comments
AQ-N3000    7.0         Base       -
AQ-N5000    7.0         Base       -
AQ-N6000    7.0         Base       -

Command Syntax

clear cpu traffic-protect (arp|dhcp) trace (history| )

Parameter    Parameter Description        Parameter Value
arp          ARP packet                   -
dhcp         DHCP packet                  -
history      History trace information    -

Command Mode

Privileged EXEC

Default

None

Usage

None

Examples

This example shows how to clear the ARP attack trace history:

Switch# clear cpu traffic-protect arp trace history

Related Commands

None