Filter
Top Products
DES-7200 Configuration Guide Chapter 12 NFPP Configuration
12-65
12.8.3 Port-based
rate-limit and
attack detection
You can configure the ND-guard rate-limit and attack threshold on the port. The rate-limit value
must be less than the attack threshold value. When the ND packet rate on a port exceeds the
limit, the ND packets are dropped. When the ND packet rate on a port exceeds the attack
threshold limit, the CLI prompts and the TRAP packets are sent.
ND Snooping divides the port into the untrusted port and the trusted port, which connect to the
host and the gateway respectively. The rate-limit threshold for the trusted port shall be higher
than the one for the untrusted port because the traffic for the trusted port is generally higher
than the one for the untrusted port. With the ND Snooping enabled, the ND Snooping
advertises the ND-guard to set the rate-limit threshold and the attack threshold of the ND
packets on the trusted port as 800pps and 900pps respectively.
For the rate-limit threshold configured by the ND Snooping and the one configured by the
administrator, the latter configured threshold value overwrites the former configured one.
When the administrator saves the settings, the rate-limit threshold configured by the ND
Snooping saved into the configuration file.
It prompts the following message when the NS-NA DoS attack was detected on a port:
%NFPP_ND_GUARD-4-PORT_ATTACKED: NS-NA DoS attack was detected on port Gi4/1.
(2009-07-01 13:00:00)
The following is additional information of the sent TRAP packet :
NS-NA DoS attack was detected on port Gi4/1.
It prompts the following message when the RS DoS attack was detected on a port:
%NFPP_ND_GUARD-4-PORT_ATTACKED: RS DoS attack was detected on port Gi4/1.
(2009-07-01 13:00:00)
The following is additional information of the sent TRAP packet :
RS DoS attack was detected on port Gi4/1.
It prompts the following message when the RA-REDIRECT DoS attack was detected on a
port:
%NFPP_ND_GUARD-4-PORT_ATTACKED: RA-REDIRECT DoS attack was detected on
port Gi4/1. (2009-07-01 13:00:00)
The following is additional information of the sent TRAP packet :