DES-7200 Configuration Guide Chapter 12 NFPP Configuration
12-19
VLAN  interface  IP address  MAC address     timestamp
----  ---------  ----------  --------------  -------------------
1     Gi0/1      N/A         0000.0000.0001  2008-01-23 16:23:10
Total: 1 record(s)
12.4 IP-guard
12.4.1 IP-guard
Overview
Many attacks and worm outbreaks begin with network scanning. Large volumes of scanning packets
consume network bandwidth and disrupt normal network communication.
The DES-7200 Layer-3 device provides the IP-guard function to block such attacks and worms
(for example "Blaster") and to reduce the CPU load on the Layer-3 device.
There are two types of IP packet attack:
Scanning with a changing destination IP address: this not only consumes
network bandwidth and increases the load on the device, but is also usually
the prelude to a further attack.
Sending IP packets to non-existent destination IP addresses at a high
rate: on a Layer-3 device, packets whose destination IP address exists are
forwarded directly by the switching chip without consuming CPU resources.
If the destination IP address does not exist, the packets are passed to the
CPU, which sends ARP requests to resolve the MAC address of that
destination. When many such packets reach the CPU, they consume CPU
resources. There are two countermeasures: on the one hand, you can
configure an IP packet rate limit; on the other hand, you can detect and
isolate the attack source.
IP attack detection can be host-based or port-based. Host-based IP attack detection identifies
a host by the combination of source IP address, VLAN ID, and port. For each type of detection, you
can configure a rate-limit threshold and a warning threshold. IP packets are dropped when the
packet rate exceeds the rate-limit threshold. When the IP packet rate exceeds the warning
threshold, a warning message is logged and a TRAP is sent. Host-based attack detection can
also isolate the attack source.
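The behaviour described in the two passages above (the scan and high-rate attack types, and host-based detection keyed by source IP/VLAN ID/port with a rate-limit threshold that drops excess packets, a warning threshold that raises a warning and TRAP, and isolation of the source), as an added Python model that is not code from the DES-7200 guide or from D-Link. The threshold values, the one-second rate window, the ten-second scan window, the "more than N distinct destinations" scan criterion and the packet trace are assumptions chosen for illustration; the page does not give the switch's actual defaults or its exact scan criterion.

```python
"""Toy model of NFPP IP-guard detection (added example, not vendor code).

Packets are keyed by (source IP, VLAN ID, port) for host-based detection
or by port alone for port-based detection.  Within each one-second window
a count above the rate-limit threshold is dropped, a count above the
warning threshold is reported as a warning/TRAP event, and a source that
touches more than scan_limit distinct destination IPs within scan_window
seconds is reported as a scanner.  Host-based detection also isolates the
offender, so all its later packets are dropped.  All thresholds, windows
and the trace are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    t: float        # arrival time in seconds
    src_ip: str
    dst_ip: str
    vlan: int
    port: str


@dataclass
class State:
    second: int = -1                          # second the counter refers to
    count: int = 0                            # packets seen in that second
    dsts: dict = field(default_factory=dict)  # dst_ip -> last seen time
    reported: set = field(default_factory=set)
    isolated: bool = False


class IpGuard:
    def __init__(self, rate_limit=100, warning=150, scan_limit=20,
                 scan_window=10.0, host_based=True):
        # Assumed ordering: warning threshold >= rate-limit threshold.
        if warning < rate_limit:
            raise ValueError("warning threshold must be >= rate-limit")
        self.rate_limit, self.warning = rate_limit, warning
        self.scan_limit, self.scan_window = scan_limit, scan_window
        self.host_based = host_based
        self.state = defaultdict(State)
        self.events = []          # (kind, key, time), one per kind per key

    def key(self, pkt):
        # Host-based: source IP / VLAN ID / port.  Port-based: port only.
        return (pkt.src_ip, pkt.vlan, pkt.port) if self.host_based else (pkt.port,)

    def process(self, pkt):
        """Return 'forward' or 'drop' for one packet and update state."""
        key = self.key(pkt)
        st = self.state[key]
        if st.isolated:
            return "drop"
        sec = int(pkt.t)
        if sec != st.second:                  # new one-second window
            st.second, st.count = sec, 0
        st.count += 1

        # Scan detection: distinct destinations within the scan window.
        st.dsts[pkt.dst_ip] = pkt.t
        for dst, seen in list(st.dsts.items()):
            if pkt.t - seen > self.scan_window:
                del st.dsts[dst]
        if len(st.dsts) > self.scan_limit:
            return self._attack("scan", key, st, pkt.t)

        # Rate detection: warn/TRAP above the warning threshold, silently
        # drop the excess above the rate-limit threshold.
        if st.count > self.warning:
            return self._attack("warning-trap", key, st, pkt.t)
        if st.count > self.rate_limit:
            return "drop"
        return "forward"

    def _attack(self, kind, key, st, t):
        if kind not in st.reported:           # report each kind once
            st.reported.add(kind)
            self.events.append((kind, key, t))
        if self.host_based:                   # only host-based isolates
            st.isolated = True
        return "drop"


def build_trace():
    """Constructed trace: a normal host, a flooder and a scanner."""
    pkts = [Packet(i * 0.02, "10.0.0.10", "10.0.0.100", 1, "Gi0/1")
            for i in range(50)]               # 50 pkt/s, under the limits
    pkts += [Packet(i * 0.005, "10.0.0.20", "10.0.0.250", 1, "Gi0/2")
             for i in range(200)]             # 200 pkt/s to a dead address
    pkts += [Packet(i * 0.1, "10.0.0.30", f"10.0.1.{i + 1}", 1, "Gi0/3")
             for i in range(30)]              # one packet per destination
    return pkts


def run_trace(guard, pkts):
    """Feed packets in time order; return {src_ip: (forwarded, dropped)}."""
    summary = defaultdict(lambda: [0, 0])
    for pkt in sorted(pkts, key=lambda p: p.t):
        verdict = guard.process(pkt)
        summary[pkt.src_ip][0 if verdict == "forward" else 1] += 1
    return {src: tuple(v) for src, v in summary.items()}


if __name__ == "__main__":
    g = IpGuard()
    print(run_trace(g, build_trace()))
    for kind, key, t in g.events:
        print(f"{kind}: {key} at t={t:.3f}s")
```

With the assumed thresholds the flooder gets its first 100 packets forwarded, loses the next 50 to the rate limit, and is isolated at the 151st packet when the warning threshold is crossed; the scanner is cut off after its 21st distinct destination; the normal host is untouched. Constructing the guard with host_based=False reproduces the port-based case: the same events are still reported, but no source is isolated.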