
Ruijie RG-S2900G-E Series - Page 699

Ruijie RG-S2900G-E Series
943 pages
Configuration Guide NFPP Configuration
Sending IP packets to a nonexistent destination IP address at a high rate:
on a layer-3 device, packets are forwarded directly by the switching chip
without consuming CPU resources if the destination IP address exists. If the
destination IP address does not exist, the IP packets are sent to the CPU,
and the CPU sends ARP request packets to ask for the MAC address
corresponding to the destination IP address. CPU resources are consumed if
many IP packets are sent to the CPU. To counter this attack, you can
configure an IP packet rate limit, and you can detect and isolate the attack
source.
IP attack detection can be host-based or port-based. Host-based ARP attack
detection identifies a host by the combination of source IP address, VID and
port. For each type of attack detection, you can configure a rate-limit
threshold and a warning threshold. An IP packet is dropped when the packet
rate exceeds the rate-limit threshold. When the ARP packet rate exceeds the
warning threshold, a warning message is displayed and a TRAP message is sent.
Host-based attack detection can isolate the attack source.
Caution
IP-guard applies to attacks that use IP packets whose destination IP
address is not the host IP address.
For IP packets whose destination IP address is the host IP address,
use CPP (CPU Protect Policy) to limit the rate.
IP-guard is supported on layer-3 switches only.
With ip-guard enabled on the interface and a non-zero isolated period
configured, ip-guard isolates the hosts attacked by the IP packets.
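The host-based detection described above, modelled as an added Python example (not code from the Ruijie manual or the switch firmware). The threshold values, the one-second counting window, and starting isolation when the warning threshold is crossed are assumptions; the sample packets are constructed.

```python
from collections import defaultdict

def ip_guard(packets, rate_limit, warn, isolate_period):
    """Host-based detection model. packets: (time_s, src_ip, vid, port), time-ordered."""
    seen = defaultdict(int)      # (host, whole second) -> packets seen that second
    isolated_until = {}          # host -> time at which isolation ends
    to_cpu, dropped, warnings = defaultdict(int), defaultdict(int), []
    for ts, src_ip, vid, port in packets:
        host = (src_ip, vid, port)            # host identity: source IP / VID / port
        if ts < isolated_until.get(host, 0):
            dropped[host] += 1                # isolated source: nothing reaches the CPU
            continue
        seen[host, int(ts)] += 1
        rate = seen[host, int(ts)]
        if rate > rate_limit:
            dropped[host] += 1                # over the rate-limit threshold
        else:
            to_cpu[host] += 1
        if rate == warn + 1:                  # first packet over the warning threshold
            warnings.append((int(ts), host))  # stands in for the warning message and TRAP
            if isolate_period > 0:            # assumption: isolation starts at this point
                isolated_until[host] = ts + isolate_period
    return dict(to_cpu), dict(dropped), warnings

def sample_traffic():
    """Constructed sample: one flooding host and one normal host over two seconds."""
    flood = [(i / 50, "10.0.0.5", 10, "Gi0/1") for i in range(50)]
    flood += [(1 + i / 10, "10.0.0.5", 10, "Gi0/1") for i in range(10)]
    normal = [(s + i / 5, "10.0.0.9", 10, "Gi0/2") for s in (0, 1) for i in range(5)]
    return sorted(flood + normal)

if __name__ == "__main__":
    # Assumed thresholds: rate limit 20 pps, warning 30 pps, isolated period 60 s.
    for period in (60, 0):
        to_cpu, dropped, warnings = ip_guard(sample_traffic(), 20, 30, period)
        print(f"isolated period {period}s: to CPU {to_cpu}, dropped {dropped}, "
              f"warnings {warnings}")
```

With an isolated period of 0 the flooding host is only rate-limited, so it keeps reaching the CPU in every new second; with a non-zero period it is cut off entirely once the warning threshold is crossed.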
IP-guard configuration commands include:
Enabling ip-guard
Configuring the isolated time
Configuring the monitored time
Configuring the monitored host limit
Host-based rate-limit and attack detection
Port-based rate-limit and attack detection
Configuring trusted host
Showing related ip-guard information
Enabling IP-guard
You can enable ip-guard in nfpp configuration mode or in interface
configuration mode. By default, ip-guard is enabled.
