anti-ddos np-rule first-packet-check enable

Function

The anti-ddos np-rule first-packet-check enable command enables the first-packet discarding function for SYN packets on the hardware chip.

The undo anti-ddos np-rule first-packet-check enable command disables the first-packet discarding function for SYN packets on the hardware chip.

Format

anti-ddos np-rule first-packet-check enable

undo anti-ddos np-rule first-packet-check enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Only the USG6610E/6620E, USG6630E/6650E, and USG6635E/6655E support this command.

For the USG6680E and USG6712E/6716E:
  • In versions earlier than V600R007C20SPC200, the devices support this command.
  • In V600R007C20SPC200 and later versions, device batches are distinguished by BomID Version (which can be checked using the display version command). Devices whose BomID Version is earlier than 003 and whose device BOM number does not contain "-001" support this command.

By default, the first-packet discarding function for SYN packets on the hardware chip is disabled.

The first-packet discarding function configured using the anti-ddos first-packet-check command is performed on the CPU. To reduce the CPU load, some models support the first-packet discarding process on the hardware chip.

The first-packet discarding function on the hardware chip takes effect only after the first-packet discarding function of the CPU (anti-ddos first-packet-check) and the hardware-based defense function (anti-ddos hardware defend enable) are enabled.
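
The dependency described above can be checked offline against a pasted command session or configuration text. The following is an added example, not Huawei code: the function names, the sample text, and the assumption that each prerequisite is turned off with the usual undo form of its command are illustrative.

```python
import re

NP_RULE = "anti-ddos np-rule first-packet-check enable"
# Prerequisites named in the usage guidelines, matched by command prefix.
PREREQUISITES = {
    "CPU first-packet discarding": "anti-ddos first-packet-check",
    "hardware-based defense": "anti-ddos hardware defend enable",
}
# Leading CLI prompt such as "[sysname] " or "<sysname> ".
PROMPT = re.compile(r"^(\[[^\]]*\]|<[^>]*>)\s*")


def matches(command, prefix):
    """True if command equals prefix or extends it with further keywords."""
    return command == prefix or command.startswith(prefix + " ")


def active_commands(text):
    """Replay the lines in order and return the commands left in effect."""
    active = []
    for raw in text.splitlines():
        line = " ".join(PROMPT.sub("", raw.strip()).split())
        if not line or line.startswith("#"):
            continue
        if line.startswith("undo "):
            # Assumption: "undo <command>" cancels an earlier "<command> ...".
            undone = line[len("undo "):]
            active = [c for c in active if not matches(c, undone)]
        else:
            active.append(line)
    return active


def audit(text):
    """Return (np_rule_configured, list of missing prerequisite names)."""
    active = active_commands(text)
    configured = any(matches(c, NP_RULE) for c in active)
    missing = [name for name, prefix in PREREQUISITES.items()
               if not any(matches(c, prefix) for c in active)]
    return configured, missing


# Constructed sample: hardware defense is disabled after the rule was set,
# so the hardware-chip function is configured but does not take effect.
SAMPLE = """\
[sysname] anti-ddos first-packet-check syn
[sysname] anti-ddos hardware defend enable
[sysname] anti-ddos np-rule first-packet-check enable
[sysname] undo anti-ddos hardware defend enable
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A result of (True, [...]) with a non-empty list means the np-rule command is present but one of the functions it depends on is not enabled.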

Example

# Enable the first-packet discarding function for SYN packets on the hardware chip.

<sysname> system-view
[sysname] anti-ddos first-packet-check syn
[sysname] anti-ddos hardware defend enable
[sysname] anti-ddos np-rule first-packet-check enable
Copyright © Huawei Technologies Co., Ltd.