3 security feature example, Ecurity, Eature – PLANET WGSW-50040 User Manual

28-3

28.2.5 Prevent ICMP Fragment Attack Function Configuration

Task Sequence

1. Enable the prevent ICMP fragment attack function

2. Configure the max permitted ICMPv4 net load length

3. Configure the max permitted ICMPv6 net load length

Command

Explanation

Global Mode

[no] dosattack-check icmp-attacking

enable

Enable/disable the prevent ICMP fragment

attack function.

dosattack-check icmpv4-size <size>

Configure the max permitted ICMPv4 net load

length. This command has not effect when

used separately, the user have to enable the

dosattack-check icmp-attacking enable.

dosattack-check icmpv6-size <size>

Configure the max permitted ICMPv6 net load

length. This command has not effect when

used separately, the user have to enable the

dosattack-check icmp-attacking enable.

28.3 Security Feature Example

Scenario:

The User has follows configuration requirements: the switch do not forward data packet whose source IP

address is equal to the destination address, and those whose source port is equal to the destination port. Only

the ping command with defaulted options is allowed within the IPv4 network, namely the ICMP request packet

can not be fragmented and its net length is normally smaller than 100.

Configuration procedure:

Switch(config)# dosattack-check srcip-equal-dstip enable

Switch(config)# dosattack-check srcport-equal-dstport enable

Switch(config)# dosattack-check ipv4-first-fragment enable

Switch(config)# dosattack-check icmp-attacking enable

Switch(config)# dosattack-check icmpV4-size 100