DES-7200 Configuration Guide Chapter 12 NFPP Configuration
Caution
The name of a defined guard type cannot be repeated. The field and value to be matched cannot be completely the same as those of another defined guard type, or the same as those of the arp, icmp, dhcp, ip, or dhcpv6 guard type. When the configured type is repeated, the system reports a configuration failure.
When the match type and value of a defined guard are completely the same as those of an existing defined guard type, the following message is displayed: "%ERROR: the match type and value are the same with define name (name of the existing defined guard type)", indicating that the configuration has failed.
When protocol has been configured for the match field but etype is neither IPv4 nor IPv6, the following message is displayed: "%ERROR:protocol is valid only when etype is IPv4 (0x0800) or IPv6 (0x86dd)."
When src-ip and dst-ip have been configured for the match field but etype is not IPv4, the following message is displayed: "%ERROR:IP address is valid only when etype is IPv4 (0x0800)."
When src-ipv6 and dst-ipv6 have been configured for the match field but etype is not IPv6, the following message is displayed: "%ERROR:IPv6 address is valid only when etype is IPv6 (0x86dd)."
When src-port and dst-port have been configured for the match field but protocol is not TCP or UDP, the following message is displayed: "%ERROR:Port is valid only when protocol is TCP (6) or UDP (17)."
12.9.1.2 Common Define-guard Policy
The following table shows the guard policies corresponding to certain commonly used network protocols. The corresponding rate-limiting and attack thresholds can meet the needs of most application scenarios. The network administrator shall configure effective rate-limiting and attack thresholds according to the actual application scenario.
Protocol  match          policy per-src-ip      policy per-src-mac  policy per-port
RIP       etype 0x0800   rate-limit 100         Not applicable      rate-limit 300
          protocol 17    attack-threshold 150                       attack-threshold 500
          dst-port 520
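The match-field rules in the Caution above can be checked offline before a change window. The following Python linter is an added example, not code from the guide or the device: it replays a list of define-guard definitions in order and reports the ones the rules would reject. The dict layout, the function names, the sample guard names other than the RIP row, and the wording of the repeated-name message are assumptions; comparison against the built-in arp, icmp, dhcp, ip and dhcpv6 guard types is not modelled because the guide does not list their match fields.

```python
ETYPE_IPV4, ETYPE_IPV6 = 0x0800, 0x86DD
PROTO_TCP, PROTO_UDP = 6, 17

def check_match(match):
    """Field-dependency errors for one match policy (dict keyed by match field)."""
    errors = []
    etype, proto = match.get("etype"), match.get("protocol")
    has = lambda *fields: any(f in match for f in fields)
    if proto is not None and etype not in (ETYPE_IPV4, ETYPE_IPV6):
        errors.append("%ERROR:protocol is valid only when etype is IPv4 (0x0800) or IPv6 (0x86dd).")
    if has("src-ip", "dst-ip") and etype != ETYPE_IPV4:
        errors.append("%ERROR:IP address is valid only when etype is IPv4 (0x0800).")
    if has("src-ipv6", "dst-ipv6") and etype != ETYPE_IPV6:
        errors.append("%ERROR:IPv6 address is valid only when etype is IPv6 (0x86dd).")
    if has("src-port", "dst-port") and proto not in (PROTO_TCP, PROTO_UDP):
        errors.append("%ERROR:Port is valid only when protocol is TCP (6) or UDP (17).")
    return errors

def lint_guards(guards):
    """Replay (name, match) pairs in order; return [(name, errors)] for rejected ones."""
    rejected, accepted = [], {}  # accepted: name -> frozen match policy
    for name, match in guards:
        errors = check_match(match)
        frozen = frozenset(match.items())
        if name in accepted:
            # The guide only says the system reports a failure; this wording is constructed.
            errors.append("guard name already defined")
        for other, other_match in accepted.items():
            if other != name and other_match == frozen:
                errors.append(f"%ERROR: the match type and value are the same with define name {other}")
        if errors:
            rejected.append((name, errors))
        else:
            accepted[name] = frozen  # only accepted guards count as existing
    return rejected

# Constructed sample input; only the first entry (RIP) comes from the guide's table.
SAMPLE_GUARDS = [
    ("rip", {"etype": 0x0800, "protocol": 17, "dst-port": 520}),
    ("rip-copy", {"etype": 0x0800, "protocol": 17, "dst-port": 520}),
    ("bad-port", {"etype": 0x0800, "protocol": 1, "dst-port": 520}),
    ("bad-v6", {"etype": 0x0800, "src-ipv6": "2001:db8::1"}),
    ("rip", {"etype": 0x86DD, "protocol": 17, "dst-port": 521}),
]

if __name__ == "__main__":
    for name, errors in lint_guards(SAMPLE_GUARDS):
        print(name, "->", "; ".join(errors))
```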