DES-7200 Configuration Guide Chapter 12 NFPP Configuration
12-37
Command Function
DES-7200(config)# interface
interface-name
Enter the interface configuration mode.
DES-7200(config-if)#nfpp icmp-guard p
olicy per-src-ip rate-limit-pps attack-thres
hold-pps
Configure the rate-limit and attack threshold on the
specified interface.
rate-limit-pps: set the rate-limit threshold. The valid
range is 1-9999 and by default, it adopts the global
rate-limit threshold value.
attack-threshold-pps: set the attack threshold. The
valid range is 1-9999 and by default, it adopts the
global attack threshold value.
per-src-ip: to detect the hosts based on the source
IP/VID/port;
DES-7200(config-nfpp)# end
Return to the privileged EXEC mode.
DES-7200(config-if)# show nfpp
icmp-guard summary
Show the parameter settings.
DES-7200# copy running-config
startup-config
Save the configurations.
12.5.7 Port-based
rate-limit and
attack detection
You can configure the icmp-guard rate limt and attack threshold on the port. The rate limit
value must be less than the attack threshold value. When the ICMP packet rate on a port
exceeds the limit, the ICMP packets are dropped. When the ICMP packet rate on a port
exceeds the attack threshold limit, the CLI prompts and the TRAP packets are sent.
It prompts the following message when the ICMP DoS attack was detected on a port:
%NFPP_ICMP_GUARD-4-PORT_ATTACKED: ICMP DoS attack was detected on port Gi4/1.
(2009-07-01 13:00:00)
The following is additional information of the sent TRAP packet :
ICMP DoS attack was detected on port Gi4/1.
This section shows the administrator how to configure the port-based rate-limit and attack
detection in the nfpp configuration mode and in the interface configuration mode:
Command Function