DES-7200 Configuration Guide Chapter 12 NFPP Configuration
12.4.7 Port-based rate-limit and attack detection
You can configure the ip-guard rate limit and attack threshold on a port. The rate limit value
must be less than the attack threshold value. When the IP packet rate on a port exceeds the
rate limit, the IP packets are dropped. When the IP packet rate on a port exceeds the attack
threshold, a message is displayed on the CLI and TRAP packets are sent.
The following message is displayed when an IP DoS attack is detected on a port:
%NFPP_IP_GUARD-4-PORT_ATTACKED: IP DoS attack was detected on port Gi4/1. (2009-07-01 13:00:00)
The sent TRAP packet carries the following additional information:
IP DoS attack was detected on port Gi4/1.
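The following Python example is added here and is not part of the DES-7200 guide: it parses the PORT_ATTACKED message shown above out of collected syslog lines and reports ports that raise it repeatedly, which helps separate a one-off burst from a sustained flood. The sample log lines are constructed, the function names and the 3-alerts-in-5-minutes threshold are assumptions, and each message is assumed to arrive on one line together with its timestamp.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the port-attack message format shown in this section.
ALERT_RE = re.compile(
    r"%NFPP_IP_GUARD-\d-PORT_ATTACKED: IP DoS attack was detected on port "
    r"(?P<port>\S+?)\.\s*\((?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\)")

def parse_alerts(lines):
    """Return (timestamp, port) for every PORT_ATTACKED message in lines."""
    alerts = []
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            alerts.append((ts, m.group("port")))
    return alerts

def repeated_ports(alerts, min_alerts=3, window=timedelta(minutes=5)):
    """Ports with at least min_alerts alerts inside any sliding window."""
    by_port = defaultdict(list)
    for ts, port in alerts:
        by_port[port].append(ts)
    flagged = {}
    for port, stamps in by_port.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1  # shrink the window from the left
            count = end - start + 1
            if count >= min_alerts:
                flagged[port] = max(flagged.get(port, 0), count)
    return flagged

# Constructed sample log (the first line is the message from this section).
SAMPLE_LOG = [
    "%NFPP_IP_GUARD-4-PORT_ATTACKED: IP DoS attack was detected on port Gi4/1. (2009-07-01 13:00:00)",
    "%NFPP_IP_GUARD-4-PORT_ATTACKED: IP DoS attack was detected on port Gi4/1. (2009-07-01 13:01:30)",
    "%NFPP_IP_GUARD-4-PORT_ATTACKED: IP DoS attack was detected on port Gi4/2. (2009-07-01 13:02:00)",
    "%NFPP_IP_GUARD-4-PORT_ATTACKED: IP DoS attack was detected on port Gi4/1. (2009-07-01 13:04:00)",
    "%NFPP_IP_GUARD-4-PORT_ATTACKED: IP DoS attack was detected on port Gi4/1. (2009-07-01 13:30:00)",
]

if __name__ == "__main__":
    for port, n in repeated_ports(parse_alerts(SAMPLE_LOG)).items():
        print(f"{port}: {n} alerts within 5 minutes")
```

A port that keeps appearing in this output is a candidate for a stricter per-port policy, since the attack threshold only raises the alert while the rate limit is what drops the traffic.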
The following commands configure port-based rate limiting and attack detection in the nfpp
configuration mode and in the interface configuration mode:
| Command | Function |
|---|---|
| DES-7200# configure terminal | Enter the global configuration mode. |
| DES-7200(config)# nfpp | Enter the nfpp configuration mode. |
| DES-7200(config-nfpp)# ip-guard rate-limit per-port pps | Configure the ip-guard rate limit for IP packets on the port, ranging from 1 to 9999, 100 by default. |
| DES-7200(config-nfpp)# ip-guard attack-threshold per-port pps | Configure the ip-guard attack threshold, ranging from 1 to 9999, 200 by default. When the number of IP packets on a port exceeds the attack threshold, a message is displayed on the CLI and TRAP packets are sent. |
| DES-7200(config-nfpp)# end | Return to the privileged EXEC mode. |
| DES-7200# configure terminal | Enter the global configuration mode. |
| DES-7200(config)# interface interface-name | Enter the interface configuration mode. |
| DES-7200(config-if)# nfpp ip-guard policy per-port rate-limit-pps attack-threshold-pps | Configure the rate limit and attack threshold on the specified interface. rate-limit-pps: set the rate-limit threshold. The valid range is 1-9999 and by default, it adopts the global rate-limit threshold value. attack-threshold-pps: set the attack threshold. The valid range is 1-9999 and by default, it adopts the global attack threshold value. |