D-Link DES-7200 Refrigerator User Manual


DES-7200 Configuration Guide Chapter 12 NFPP Configuration
12-36
The following example shows the description carried in the TRAP message that is sent:
Host<IP=1.1.1.1, MAC= N/A,port=Gi4/1,VLAN=1> was isolated.
When isolation fails due to a lack of memory or hardware resources, the following message is displayed:
%NFPP_ICMP_GUARD-4-ISOLATE_FAILED: Failed to isolate host <IP==1.1.1.1, MAC= N/A,port=Gi4/1,VLAN=1>. (2009-07-01 13:00:00)
The following example shows the description carried in the TRAP message that is sent:
Failed to isolate host<IP=1.1.1.1, MAC= N/A,port=Gi4/1,VLAN=1>.
Caution
When memory cannot be allocated for the detected attackers, the following message is displayed to inform the administrator:
%NFPP_ICMP_GUARD-4-NO_MEMORY: Failed to alloc memory.
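The log and TRAP texts above share one host tuple, so a collector can parse both and single out the cases where ICMP-guard detected an attacker but could not act. The following Python sketch is an added example, not part of the D-Link manual; the function names and the "kind" labels are assumptions of this example, and the sample lines are the ones shown above plus one constructed unrelated line.

```python
import re
from datetime import datetime

# Syslog form on this page: %NFPP_ICMP_GUARD-<sev>-<MNEMONIC>: <text> (<timestamp>)
SYSLOG_RE = re.compile(
    r"%NFPP_ICMP_GUARD-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+):\s*(?P<text>.*?)"
    r"(?:\s*\((?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\))?\s*$")
# Host tuple shared by syslog and TRAP text; tolerates "IP==" and stray spaces.
HOST_RE = re.compile(
    r"<\s*IP\s*=+\s*(?P<ip>[^,>]+?)\s*,\s*MAC\s*=+\s*(?P<mac>[^,>]+?)\s*,"
    r"\s*port\s*=+\s*(?P<port>[^,>]+?)\s*,\s*VLAN\s*=+\s*(?P<vlan>\d+)\s*>")
# "kind" values are this example's own labels, not device mnemonics.
ACTION_REQUIRED = {"isolate_failed", "no_memory"}
# Samples from this page (wrapped line rejoined); the last line is constructed.
SAMPLES = [
    "Host<IP=1.1.1.1, MAC= N/A,port=Gi4/1,VLAN=1> was isolated.",
    "%NFPP_ICMP_GUARD-4-ISOLATE_FAILED: Failed to isolate host <IP==1.1.1.1, MAC= N/A,port=Gi4/1,VLAN=1>. (2009-07-01 13:00:00)",
    "Failed to isolate host<IP=1.1.1.1, MAC= N/A,port=Gi4/1,VLAN=1>.",
    "%NFPP_ICMP_GUARD-4-NO_MEMORY: Failed to alloc memory.",
    "an unrelated log line (constructed)",
]

def parse_host(text):
    m = HOST_RE.search(text)
    if not m:
        return None
    host = m.groupdict()
    host["mac"] = None if host["mac"].upper() == "N/A" else host["mac"]
    host["vlan"] = int(host["vlan"])
    return host

def parse_line(line):
    """Parse an ICMP-guard syslog line or TRAP description; None if unrelated."""
    line = line.strip()
    m = SYSLOG_RE.search(line)
    if m:
        ts = m.group("ts")
        return {"source": "syslog", "kind": m.group("mnemonic").lower(),
                "host": parse_host(m.group("text")),
                "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S") if ts else None}
    host = parse_host(line)
    if host is None:
        return None
    kind = "isolate_failed" if line.lower().startswith("failed to isolate") else "isolated"
    return {"source": "trap", "kind": kind, "host": host, "time": None}

def triage(lines):
    """Events where the guard did not act: isolation or allocation failed."""
    return [e for e in map(parse_line, lines) if e and e["kind"] in ACTION_REQUIRED]
```
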
This section shows the administrator how to configure host-based rate limiting and attack detection in the nfpp configuration mode and in the interface configuration mode:
| Command | Function |
|---|---|
| DES-7200# configure terminal | Enter the global configuration mode. |
| DES-7200(config)# nfpp | Enter the nfpp configuration mode. |
| DES-7200(config-nfpp)# icmp-guard rate-limit per-src-ip pps | Configure the icmp-guard rate limit, ranging from 1 to 9999. The default value is half of the port-based global rate limit. per-src-ip: detect the hosts based on the source IP address/VID/port. |
| DES-7200(config-nfpp)# icmp-guard attack-threshold per-src-ip pps | Configure the icmp-guard attack threshold, ranging from 1 to 9999. The default value is the source IP address-based rate limit. When the number of ICMP packets sent from a host exceeds the attack threshold, the attack is detected and ICMP-guard isolates the host, records the message and sends the TRAP packet. per-src-ip: detect the hosts based on the source IP address/VID/port. |
| DES-7200(config-nfpp)# end | Return to the privileged EXEC mode. |
| DES-7200# configure terminal | Enter the global configuration mode. |