D-Link DES-7200 Refrigerator User Manual


DES-7200 Configuration Guide Chapter 12 NFPP Configuration
Note
If the MAC address column shows “-”, the host is identified by the source IP address.
If the IP address column shows “-”, the host is identified by the source MAC address.
12.4.10.3 Showing the trusted host configuration
Command                                      Function
DES-7200# show nfpp ip-guard trusted-host    Show the trusted hosts.
For example,
DES-7200#show nfpp ip-guard trusted-host
IP address mask
--------- ------
1.1.1.0 255.255.255.0
1.1.2.0 255.255.255.0
Total2 record(s)
12.5 ICMP-guard
12.5.1 ICMP-guard Overview
ICMP attack detection can be host-based or port-based. The ICMP protocol is used to
diagnose network trouble. Its basic principle is that a host sends an ICMP echo request
packet, and the router/switch sends an ICMP echo reply packet upon receiving it. In an
“ICMP flood” attack, the attacker sends a large number of ICMP echo request packets to the
destination device, which consumes CPU resources and causes errors in the device's
operation. There are two workarounds for the “ICMP flood” attack: on one hand, you may
configure an ICMP packet rate limit; on the other hand, you may detect and isolate the
attack source.
ARP attack detection adopts the combination of source IP address/VID/port. For each type of
attack detection, you can configure a rate-limit threshold and a warning threshold. ICMP
packets are dropped when the packet rate exceeds the rate-limit threshold. When the ICMP
packet rate exceeds the warning threshold, the device issues warning messages and sends a
TRAP message. Host-based attack detection can isolate the attack source.
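The two-threshold behaviour described above can be modelled offline. The following is an added example, not code from the DES-7200 guide or from D-Link: it counts ICMP echo requests per host (keyed by source IP address/VID/port) and applies a rate-limit threshold and a warning threshold. The threshold values, the fixed one-second counting window, the function names, the addresses and the port names are assumptions made for illustration.

```python
from collections import defaultdict

# Assumed values for illustration; the device defaults are not stated on this page.
RATE_LIMIT_PPS = 4   # per-host packets per second above which packets are dropped
WARN_PPS = 8         # per-host packets per second above which a warning/TRAP is raised


def icmp_guard(packets, rate_limit=RATE_LIMIT_PPS, warn=WARN_PPS):
    """Apply both thresholds to (timestamp_s, src_ip, vid, port) tuples.

    Returns (forwarded, dropped, warned): two lists of (timestamp, host)
    and the list of hosts that crossed the warning threshold, in order.
    """
    counts = defaultdict(int)        # (host, one-second window) -> packets seen
    forwarded, dropped, warned = [], [], []
    for ts, src_ip, vid, port in packets:
        host = (src_ip, vid, port)   # host key: source IP address/VID/port
        window = int(ts)             # assumption: rate measured per whole second
        counts[host, window] += 1
        seen = counts[host, window]
        if seen > rate_limit:
            dropped.append((ts, host))      # rate exceeds the rate-limit threshold
        else:
            forwarded.append((ts, host))
        if seen > warn and host not in warned:
            warned.append(host)             # warning message and TRAP raised once
    return forwarded, dropped, warned


def sample_traffic():
    """Constructed input: one flooding host and one normal host, same second."""
    flood = [(i / 12, "192.0.2.10", 1, "Gi0/1") for i in range(12)]
    normal = [(i / 3, "192.0.2.20", 1, "Gi0/2") for i in range(3)]
    return sorted(flood + normal)


if __name__ == "__main__":
    fwd, drp, wrn = icmp_guard(sample_traffic())
    print(f"forwarded={len(fwd)} dropped={len(drp)}")
    for src_ip, vid, port in wrn:
        print(f"WARNING/TRAP: ICMP rate from {src_ip} (VID {vid}, port {port})")
```

Because the warning threshold sits above the rate-limit threshold in this sample, the flooding host is already being rate-limited before the warning is raised, while the normal host is never affected.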
ICMP-guard configuration commands include:
Enabling icmp-guard