Brocade FastIron Ethernet Switch Security Configuration Guide User Manual

Page 325


For example, to set threshold values for ICMP packets targeted at the router, enter the following
command in global CONFIG mode.

device(config)#ip icmp burst-normal 5000 burst-max 10000 lockup 300

For an ICX 7750 device, enter the following command in global CONFIG mode.

device(config)#ip icmp attack-rate burst-normal 2500 burst-max 3450 lockup 50

To set threshold values for ICMP packets received on interface 3/11, enter the following commands.

device(config)#interface ethernet 3/11

device(config-if-e1000-3/11)#ip icmp burst-normal 5000 burst-max 10000 lockup 300

To set threshold values for ICMP packets received on interface 3/11 for an ICX 7750 device, enter the
following commands.

device(config)#interface ethernet 3/11

device(config-if-e1000-3/11)#ip icmp attack-rate burst-normal 5000 burst-max 10000 lockup 300

For Layer 3 router code, if the interface is part of a VLAN that has a router VE, you must configure
ICMP attack protection at the VE level. Otherwise, you can configure this feature at the interface level
as shown in the previous example. When ICMP attack protection is configured at the VE level, it will
apply to routed traffic only. It will not affect switched traffic.

NOTE
You must configure VLAN information for the port before configuring ICMP attack protection. You
cannot change the VLAN configuration for a port on which ICMP attack protection is enabled.

To set threshold values for ICMP packets received on VE 31, enter commands such as the following.

device(config)#interface ve 31

device(config-vif-31)#ip icmp burst-normal 5000 burst-max 10000 lockup 300

To set threshold values for ICMP packets received on VE 31 for an ICX 7750 device, enter commands
such as the following.

device(config)#interface ve 31

device(config-vif-31)#ip icmp attack-rate burst-normal 5000 burst-max 10000 lockup 300

Syntax: [no] ip icmp attack-rate burst-normal value burst-max value lockup seconds

The attack-rate parameter is specific to ICX 7750 and has no associated value.

The burst-normal value parameter can be from 1 through 100,000 packets per second.

The burst-max value parameter can be from 1 through 100,000 packets per second.

The lockup seconds parameter can be from 1 through 10,000 seconds.

This command is supported on Ethernet and Layer 3 interfaces.

NOTE
For ICX 7750, the units of "burst-normal" and "burst-max" values are Kbps.
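
The following Python sketch is an added example, not part of the Brocade guide. It audits a saved configuration for ip icmp attack-protection lines against the syntax and value ranges given above. The "!" block separator, the sample text and the function name audit_icmp_protection are assumptions made for illustration.

```python
import re

# Value ranges from the parameter descriptions above (on ICX 7750 the two
# burst values are in Kbps rather than packets per second).
LIMITS = {"normal": (1, 100_000), "max": (1, 100_000), "lockup": (1, 10_000)}

IFACE = re.compile(r"^interface (ethernet|ve) (\S+)$")
ICMP = re.compile(
    r"^ip icmp (?P<attack_rate>attack-rate )?burst-normal (?P<normal>\d+) "
    r"burst-max (?P<max>\d+) lockup (?P<lockup>\d+)$"
)

def audit_icmp_protection(config_text, is_icx7750):
    """Return a list of (context, problems) for every 'ip icmp' line found."""
    results = []
    context = "global"
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "!":                      # assumed end-of-block separator
            context = "global"
            continue
        iface = IFACE.match(line)
        if iface:                            # entering an ethernet or VE block
            context = f"{iface.group(1)} {iface.group(2)}"
            continue
        if not line.startswith("ip icmp "):
            continue
        problems = []
        m = ICMP.match(line)
        if m is None:
            problems.append("does not match documented syntax")
        else:
            # attack-rate is used on ICX 7750 only
            if bool(m.group("attack_rate")) != is_icx7750:
                problems.append("attack-rate keyword does not match platform")
            for name, (lo, hi) in LIMITS.items():
                if not lo <= int(m.group(name)) <= hi:
                    problems.append(f"{name} outside {lo}-{hi}")
        results.append((context, problems))
    return results

# Constructed sample, not taken from a real device.
SAMPLE = """\
ip icmp burst-normal 5000 burst-max 10000 lockup 300
!
interface ethernet 3/11
 ip icmp burst-normal 5000 burst-max 200000 lockup 300
!
interface ve 31
 ip icmp attack-rate burst-normal 5000 burst-max 10000 lockup 20000
"""
```

Calling audit_icmp_protection(SAMPLE, is_icx7750=False) reports the global line as clean, the out-of-range burst-max on ethernet 3/11, and both the misplaced attack-rate keyword and the out-of-range lockup on VE 31.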

The number of incoming ICMP packets per second is measured and compared to the threshold values
as follows:

DoS Attack Protection


53-1003088-03
