Prevent Icmp Fragment Attack Function Configuration Task Sequence; Security Feature Example - Planet Networking & Communication WGSW-50040 Configuration Manual

50-port 10/100/1000Mbps with 4 shared SFP managed Gigabit switch

28.2.5 Prevent ICMP Fragment Attack Function Configuration Task Sequence

1. Enable the prevent ICMP fragment attack function
2. Configure the max permitted ICMPv4 net load length
3. Configure the max permitted ICMPv6 net load length

Global Mode

| Command | Explanation |
| --- | --- |
| [no] dosattack-check icmp-attacking enable | Enable/disable the prevent ICMP fragment attack function. |
| dosattack-check icmpv4-size <size> | Configure the max permitted ICMPv4 net load length. This command has no effect when used on its own; the user also has to configure dosattack-check icmp-attacking enable. |
| dosattack-check icmpv6-size <size> | Configure the max permitted ICMPv6 net load length. This command has no effect when used on its own; the user also has to configure dosattack-check icmp-attacking enable. |

28.3 Security Feature Example

Scenario:
The user has the following configuration requirements: the switch must not forward data packets whose source IP address is equal to the destination address, or whose source port is equal to the destination port. Only the ping command with default options is allowed within the IPv4 network; that is, the ICMP request packet cannot be fragmented and its net length is normally smaller than 100.

Configuration procedure:
Switch(config)# dosattack-check srcip-equal-dstip enable
Switch(config)# dosattack-check srcport-equal-dstport enable
Switch(config)# dosattack-check ipv4-first-fragment enable
Switch(config)# dosattack-check icmp-attacking enable
Switch(config)# dosattack-check icmpv4-size 100
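
A packet-level model of the checks configured in the Security Feature Example, added here as an illustration (it is not code from the manual or from the switch firmware): it parses constructed IPv4 packets and reports which rule would drop each one, which is useful for checking that legitimate traffic fits the limits before enabling them. Assumptions: "net load length" is taken as the bytes after the 8-byte ICMP header, a packet is dropped only when that length exceeds the configured size, the rules are evaluated in the order shown, and ipv4-first-fragment is not modelled as a separate check; `verdict`, `build_ipv4`, `echo` and `udp` are hypothetical helper names.

```python
import socket
import struct

def verdict(pkt, icmp_limit=100):  # 100 = "dosattack-check icmpv4-size 100"
    """Return the rule that would drop this IPv4 packet, or 'forward'."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    proto, src, dst = pkt[9], pkt[12:16], pkt[16:20]
    offset = flags_frag & 0x1FFF
    if src == dst:
        return "drop: srcip-equal-dstip"
    if proto in (6, 17) and offset == 0 and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if sport == dport:
            return "drop: srcport-equal-dstport"
    if proto == 1:
        if flags_frag & 0x2000 or offset:  # MF flag set or non-zero offset
            return "drop: icmp-attacking"
        # Assumption: "net load length" = bytes after the 8-byte ICMP header.
        if total_len - ihl - 8 > icmp_limit:
            return "drop: icmpv4-size"
    return "forward"

# Builders for constructed test packets (checksums left at 0, not validated).
def build_ipv4(src, dst, proto, l4, mf=False, frag_off=0):
    flags_frag = (0x2000 if mf else 0) | frag_off
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, flags_frag, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + l4

def echo(n):  # ICMP echo request carrying n data bytes
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"A" * n

def udp(sport, dport):  # bare 8-byte UDP header
    return struct.pack("!HHHH", sport, dport, 8, 0)

A, B = "192.0.2.1", "192.0.2.2"  # RFC 5737 documentation addresses
SAMPLES = {
    "default ping, 56 bytes": build_ipv4(A, B, 1, echo(56)),
    "large ping, 1000 bytes": build_ipv4(A, B, 1, echo(1000)),
    "fragmented ping": build_ipv4(A, B, 1, echo(56), mf=True),
    "source IP = destination IP": build_ipv4(A, A, 17, udp(1000, 2000)),
    "source port = destination port": build_ipv4(A, B, 17, udp(53, 53)),
    "ordinary UDP": build_ipv4(A, B, 17, udp(40000, 53)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:32} -> {verdict(pkt)}")
```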