CPU defend

Latest reply: Sep 28, 2018 18:20:41

This post refers to CPU defend. Please have a look at the information displayed below.


The cpu-defend policy command creates an attack defense policy and displays the attack defense policy view.

The undo cpu-defend policy command deletes an attack defense policy.

By default, the default attack defense policy exists on the device and is applied to the device.

The default attack defense policy cannot be deleted or modified.



Usage scenario

A large number of packets including attack packets are sent to the CPU on a network. If excess packets are sent to the CPU, its usage becomes high and its performance deteriorates.

The attack packets affect services and may even cause system breakdown. To solve the problem, create an attack defense policy and configure CPU attack defense and attack source tracing in the attack defense policy.



The device supports a maximum of 13 attack defense policies, including the default attack defense policy. The default attack defense policy is generated in the system by default and is applied to the device.

The default attack defense policy cannot be deleted or modified. The other 12 policies can be created, modified, and deleted.


# Create an attack defense policy named test.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test


cpu-defend trap drop-packet

Usage scenario

To protect the CPU, a switch limits the rate of protocol packets sent to the CPU based on the CPCAR. If the rate of protocol packets exceeds the CPCAR, excess protocol packets are dropped, which may affect the corresponding service. To quickly detect packet loss caused by exceeding the CPCAR, you can use this command to enable alarm reporting for this event. After this function is enabled, the switch checks at 10-minute intervals for packet loss caused by CPCAR. If the switch finds that the number of dropped packets of a protocol increases, the switch reports a packet loss alarm.



# Enable alarm reporting for packet loss caused by exceeding the CPCAR.

<HUAWEI> system-view
[HUAWEI] cpu-defend trap drop-packet



Checking whether network attacks exist


Run the display cpu-defend statistics command to check statistics about packets sent to the CPU.

According to the statistics, determine whether many protocol packets have been discarded because the CPU is too busy to process them. Then, run the reset cpu-defend statistics command to clear the statistics. After several seconds, run the display cpu-defend statistics command again to re-check the statistics.


If packets of one protocol are numerous, determine from the networking whether this is normal. If it is abnormal, a protocol packet attack is occurring.


<HUAWEI> reset cpu-defend statistics
<HUAWEI> display cpu-defend statistics all
Statistics on slot 2:
Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets)
arp-miss            0            0             0               0
arp-request         40800        35768         600             52600
bgp                 0            0             0               0


If the live network cannot legitimately produce this many ARP request packets, the switch is under an ARP attack.

If the switch has a high CPU usage, do not increase the CPCAR value. Instead, find out the attack source.
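
The check described above can be scripted. The following Python sketch is an added example, not part of the original post or of any Huawei tool: it parses the display cpu-defend statistics output shown above and lists the protocols with heavy drops since the last reset. The function names and the thresholds min_drops and min_drop_ratio are assumptions to tune per network.

```python
import re

# Sample output copied from the post above (slot 2, counters since the last reset).
SAMPLE = """\
Statistics on slot 2:
Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets)
arp-miss            0            0             0               0
arp-request         40800        35768         600             52600
bgp                 0            0             0               0
"""

SLOT_RE = re.compile(r"^Statistics on slot (\S+):")
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_statistics(text):
    """Return one dict per protocol row: slot, protocol, byte and packet counters."""
    rows, slot = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SLOT_RE.match(line)
        if m:
            slot = m.group(1)
            continue
        m = ROW_RE.match(line)
        if m:  # header and blank lines do not match and are skipped
            proto, pass_b, drop_b, pass_p, drop_p = m.groups()
            rows.append({"slot": slot, "protocol": proto,
                         "pass_bytes": int(pass_b), "drop_bytes": int(drop_b),
                         "pass_packets": int(pass_p), "drop_packets": int(drop_p)})
    return rows


def suspicious_protocols(rows, min_drops=1000, min_drop_ratio=0.5):
    """Flag protocols whose drops exceed both thresholds (assumed values, not vendor defaults)."""
    flagged = []
    for r in rows:
        total = r["pass_packets"] + r["drop_packets"]
        ratio = r["drop_packets"] / total if total else 0.0
        if r["drop_packets"] >= min_drops and ratio >= min_drop_ratio:
            flagged.append((r["slot"], r["protocol"], r["drop_packets"], round(ratio, 3)))
    return sorted(flagged, key=lambda f: f[2], reverse=True)


if __name__ == "__main__":
    for slot, proto, drops, ratio in suspicious_protocols(parse_statistics(SAMPLE)):
        print(f"slot {slot}: {proto} dropped {drops} packets ({ratio:.1%} of total)")
```

A flagged protocol is only a candidate: whether the volume is abnormal still depends on the networking, as the post says.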



Created Sep 28, 2018 16:57:38

Thanks for sharing, the post is very clear and useful.

Created Sep 28, 2018 18:20:41

Good share mate