DES-7200 Configuration Guide Chapter 12 NFPP Configuration
Given the diversity of network protocols, and the fact that different protocols may be used
in different user environments over the course of ongoing development, DES-7200 devices
provide the Defined Guard feature, which allows users to define guards against various
attacks so as to meet different attack protection needs.
12.9.1.1 Define-guard Policy
The administrator can define a guard policy in NFPP configuration mode. A defined guard
requires the following basic information: the packet type, the rate-limiting threshold, the
attack threshold and the identification method. A defined guard type takes effect only
after this basic information has been configured.
The user-defined packet type may include Ethernet link layer type (etype), source MAC
address (smac), destination MAC address (dmac), IPv4/v6 protocol number (protocol), source
IPv4/v6 address (sip), destination IPv4/v6 address (dip), source transport layer port (sport) and
destination transport layer port (dport).
For a defined guard you must configure how the data rate of the defined packet type is
classified for statistics: by source IP/VID/port, by source MAC/VID/port, by port, or by
any combination of these. You must configure a rate-limiting threshold and an attack
threshold for each of these classes. A class takes effect only after both its rate-limiting
threshold and its attack threshold have been configured.
Command: DES-7200#configure terminal
Function: Enter global configuration mode.

Command: DES-7200(config)#nfpp
Function: Enter NFPP configuration mode.

Command: DES-7200(config-nfpp)#define name
Function: Configure the name of defined guard type

Command: DES-7200(config-nfpp-define)#match [etype type] [src-mac smac [src-mac-mask smac_mask]] [dst-mac dmac [dst-mac-mask dst_mask]] [protocol protocol] [src-ip sip [src-ip-mask sip-mask]] [src-ipv6 sipv6 [src-ipv6-masklen sipv6-masklen]] [dst-ip dip [dst-ip-mask dip-mask]] [dst-ipv6 dipv6 [dst-ipv6-masklen dipv6-masklen]] [src-port sport] [dst-port dport]
Function: Configure the packet fields to be matched by the defined guard type.
By default, src-mac-mask, dst-mac-mask, src-ip-mask and dst-ip-mask are all 1, and
src-ipv6-masklen and dst-ipv6-masklen are all 128.
Protocol will only take effect when etype is ipv4 or ipv6; src-ip and dst-ip will only take
effect when etype is ipv4; src-ipv6 and dst-ipv6 will only take effect when etype is ipv6;
src-port and dst-port will only take effect when protocol is tcp or udp.
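
The dependency rules in the match description above mean that a field can be entered and yet never take effect, so the guard may match more traffic than the administrator planned. The following Python code is an added example, not part of this guide or of the device software: it checks a planned match clause against those rules and reports which fields are inert. The value spellings (ipv4, udp and so on) and the handling of a field whose controlling field is itself ignored are assumptions.

```python
# Added example: models the "match" dependency rules stated in the table above.
# Field values such as "ipv4" or "udp" follow the wording of the guide; the
# exact CLI value syntax is an assumption.
ORDER = ["etype", "src-mac", "dst-mac", "protocol", "src-ip", "dst-ip",
         "src-ipv6", "dst-ipv6", "src-port", "dst-port"]

# field -> (controlling field, values of that field under which it takes effect)
RULES = {
    "protocol": ("etype", {"ipv4", "ipv6"}),
    "src-ip": ("etype", {"ipv4"}),
    "dst-ip": ("etype", {"ipv4"}),
    "src-ipv6": ("etype", {"ipv6"}),
    "dst-ipv6": ("etype", {"ipv6"}),
    "src-port": ("protocol", {"tcp", "udp"}),
    "dst-port": ("protocol", {"tcp", "udp"}),
}


def effective_fields(match):
    """Split a planned match clause into fields that take effect and fields that do not."""
    unknown = set(match) - set(ORDER)
    if unknown:
        raise ValueError(f"unknown match field(s): {sorted(unknown)}")
    effective, ignored = {}, {}
    for field in ORDER:  # parents (etype, protocol) are evaluated before dependents
        if field not in match:
            continue
        if field not in RULES:  # etype, src-mac, dst-mac have no precondition
            effective[field] = match[field]
            continue
        parent, allowed = RULES[field]
        # Assumption: a dependent field is also inert when its parent is itself
        # inert (e.g. ports when protocol is ignored because etype is not IP).
        if str(effective.get(parent, "")).lower() in allowed:
            effective[field] = match[field]
        else:
            ignored[field] = f"requires {parent} in {sorted(allowed)}"
    return effective, ignored


if __name__ == "__main__":
    # Constructed sample policies, not taken from the guide.
    samples = [
        {"etype": "ipv4", "protocol": "udp", "dst-port": 53},
        {"etype": "ipv4", "protocol": "icmp", "dst-port": 53},
        {"etype": "ipv6", "src-ip": "192.0.2.1", "protocol": "tcp", "src-port": 80},
    ]
    for s in samples:
        print(s, "->", effective_fields(s))
```

Any field reported as ignored should be removed from the planned clause, or the controlling etype or protocol corrected, before the policy is entered on the device.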