Icmp Rate-Limiting - HP ProCurve 5308XL-48G Supplementary Manual

This is in keeping with the typical use of ACLs as a security mechanism: any packet not explicitly
permitted by an earlier ACE is dropped by the implicit deny at the end of the ACL. If the automatic
denial property is not wanted, the ACL should end with an ACE statement permitting ANY. To assist in
writing and editing ACLs, the ACL file can be edited externally and downloaded into the 5300.
Note: Packets are filtered only if an ACL is assigned to the static VLAN; if no ACL is assigned,
no packet filtering takes place, which is the default.
Standard ACLs filter on source IP address only. A typical use for a standard ACL is to allow a
single end node on one subnet access to a server on another subnet, while denying all other end
nodes on the first subnet similar access. An example of this situation would be a human resources
representative getting access to a personnel database on another subnet, while all other end
nodes are kept from accessing this same database. Similarly, a standard ACL could be used to deny an
entire subnet access to anywhere in the corporate network other than out to the Internet.
Extended ACLs also filter on destination address, protocol and TCP/UDP port, so they can be used as
filters for application traffic that uses fixed TCP/UDP port numbers. For example, an extended ACL
can be set up to allow only traffic from a particular subnet access to the email servers on another
subnet. Or an extended ACL could deny any traffic destined for custom applications (here meaning
applications that use port numbers above 1024).
The ACL functionality of the ProCurve 5300xl Switch Series supports ACL logging. When logging
is specified in a particular ACE, an entry is made in the log when that ACE results in an explicitly
denied packet. Logging of permitted packets is not supported. Because only explicit denies are
logged, packets dropped by the implicit deny at the end of the ACL generate no log entry; to see
them, end the ACL with an explicit ACE denying ANY with logging enabled. The 5300 ACL logging is
primarily useful for troubleshooting.
ACLs, being a Layer 3 service in the 5300, are applied only to packets that are routed, that is,
packets crossing a VLAN (router) boundary. They have no effect on packets that are switched at
Layer 2 within a VLAN, so an ACL cannot separate two hosts on the same VLAN from each other; a
static source port filter (described below) is the tool for that.
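The evaluation rules above (first-match ACEs, implicit deny, logging only on explicit denies, and no filtering for Layer 2 switched packets) can be modelled in a few dozen lines. The following is an added example written for this page, not code or CLI syntax from the switch or from HP; the `ACE`, `Packet` and `ACL` names, the VLAN numbers and the addresses are all constructed for illustration. It walks the two scenarios the text describes: a standard ACL that admits one HR workstation to the personnel database subnet, and an extended ACL that admits only SMTP to the mail subnet and logs denies of "custom application" ports above 1024.

```python
"""Model of 5300xl-style ACL evaluation: first matching ACE wins, every
ACL ends with an implicit deny, only explicit denies are logged, and the
ACL is consulted only for packets crossing a VLAN (router) boundary.

Illustrative code written for this page; not the switch's own code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

PORT_ANY = range(0, 65536)


@dataclass
class ACE:
    action: str                        # "permit" or "deny"
    src: str = "0.0.0.0/0"             # source prefix; 0.0.0.0/0 means any
    dst: str = "0.0.0.0/0"             # destination prefix (extended ACLs)
    proto: Optional[str] = None        # "tcp"/"udp"/"icmp"; None = any
    dport: range = PORT_ANY            # destination ports (extended ACLs)
    log: bool = False                  # log matches; only effective on deny


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    in_vlan: int = 1                   # VLAN the packet arrived on
    out_vlan: int = 1                  # VLAN it is forwarded to


@dataclass
class ACL:
    name: str
    aces: List[ACE]
    log: List[str] = field(default_factory=list)

    @staticmethod
    def matches(ace: ACE, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(ace.src)
                and ip_address(pkt.dst) in ip_network(ace.dst)
                and (ace.proto is None or ace.proto == pkt.proto)
                and pkt.dport in ace.dport)

    def evaluate(self, pkt: Packet) -> str:
        """Return 'permit', 'deny', or 'switched' (ACL not consulted)."""
        # ACLs are a Layer 3 service: a packet that stays in its VLAN is
        # switched at Layer 2 and never reaches the ACL at all.
        if pkt.in_vlan == pkt.out_vlan:
            return "switched"
        for n, ace in enumerate(self.aces, start=1):
            if self.matches(ace, pkt):
                # Only an explicit deny ACE with logging produces an entry.
                if ace.action == "deny" and ace.log:
                    self.log.append(f"{self.name} ACE {n} denied {pkt.proto} "
                                    f"{pkt.src}->{pkt.dst}:{pkt.dport}")
                return ace.action
        # Implicit deny: not an ACE, so it is never logged.
        return "deny"


def demo() -> dict:
    # Standard ACL (source only): the HR workstation 10.1.1.5 may be routed
    # toward the personnel database; every other host falls through to the
    # implicit deny, which leaves no log entry.
    hr = ACL("hr-to-personnel", [ACE("permit", src="10.1.1.5/32")])
    # Extended ACL: only SMTP from 10.1.0.0/16 to the mail subnet, a logged
    # explicit deny for ports above 1024, then permit any so remaining
    # traffic does not hit the implicit deny.
    mail = ACL("mail-only", [
        ACE("permit", "10.1.0.0/16", "10.2.2.0/24", "tcp", range(25, 26)),
        ACE("deny", dport=range(1025, 65536), log=True),
        ACE("permit"),
    ])
    routed = dict(in_vlan=10, out_vlan=20)          # crosses a VLAN boundary
    return {
        "hr_rep":     hr.evaluate(Packet("10.1.1.5", "10.2.2.10", "tcp", 1433, **routed)),
        "hr_other":   hr.evaluate(Packet("10.1.1.9", "10.2.2.10", "tcp", 1433, **routed)),
        "hr_l2":      hr.evaluate(Packet("10.1.1.9", "10.1.1.5", "tcp", 445, 10, 10)),
        "hr_log":     list(hr.log),
        "smtp":       mail.evaluate(Packet("10.1.4.4", "10.2.2.25", "tcp", 25, **routed)),
        "custom_app": mail.evaluate(Packet("10.1.4.4", "10.2.2.30", "tcp", 8080, **routed)),
        "dns":        mail.evaluate(Packet("10.1.4.4", "10.2.2.53", "udp", 53, **routed)),
        "mail_log":   list(mail.log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:11} {value}")
```

The `hr_l2` case shows why two hosts on the same VLAN cannot be separated with an ACL, and the empty `hr_log` shows the implicit deny leaving no trace: if the denied hosts on the HR subnet need to be visible in the log, the ACL has to end with an explicit deny-any ACE with logging, as `mail-only` does for its port range.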
ACLs for the ProCurve 5300xl Switch Series are flexible and can be used to create sophisticated
filters. Before implementing ACLs, consult the ACL details in the ProCurve 5300xl Switch Series
documentation located at http://www.procurve.com under the Technical Support section.
Static Filters
Static filtering can be used to provide security and/or bandwidth control within the network.
When a static filter is defined it can be applied to any or all ports on the switch. The following
three types of static filters can be defined:
Source port: Packets coming from a particular port can be dropped on selected destination ports.
Source port filters can be used, for example, to isolate ports from each other and allow
communication only to uplinks. Ports that apply a particular source port filter must be in the
same VLAN as the source port. Up to 78 source port filters can be defined on the chassis.
Multicast MAC address: Packets addressed to a particular multicast MAC address can be dropped.
If an IGMP group is active in the address range of a static multicast filter, IGMP takes
precedence. Once the IGMP group becomes inactive, the static multicast filter takes effect.
Up to 16 multicast address filters can be defined.
Protocol type: Packets of a particular protocol type can be dropped. Up to 7 protocol filters
can be defined, one for each of the supported protocols: AppleTalk, ARP, DEC LAT, IP, IPX,
NetBEUI and SNA.
These filters are implemented in hardware; there is no performance penalty when using them.

ICMP Rate-Limiting

In IP networks, ICMP messages are generated in response to inquiries or requests from routing
and diagnostic functions, and are directed back to the applications that originated the
inquiries. In unusual situations, if the messages are generated rapidly with the intent of
overloading network circuits, they can threaten network availability. This is seen in
denial-of-service (DoS) attacks and other malicious behaviour where a worm or virus floods the
network with ICMP messages to the extent that no other traffic can get through. (ICMP messages
themselves can also be misused as carriers for virus payloads.)
In the ProCurve 5300xl Switch Series, the share of a port's inbound bandwidth that may be consumed
by ICMP traffic can be controlled with ICMP rate-limiting. This feature lets the administrator
restrict inbound ICMP traffic to a level that permits necessary ICMP functions but throttles
additional ICMP traffic that may be due to worms or viruses, reducing their speed and effect.
In addition, it preserves inbound port bandwidth for non-ICMP traffic. Note that legitimate
functions such as ping, traceroute and path MTU discovery depend on ICMP, so the limit should be
set low enough to blunt a flood but not so low that these functions are starved.
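The page describes the effect of ICMP rate-limiting (a bounded share of inbound port bandwidth for ICMP, non-ICMP traffic untouched) but not the switch's enforcement algorithm. The following is an added example, written for this page rather than taken from the product, that models the behaviour with a generic token bucket. The 100 Mbit/s port speed, the 1% limit, the single-frame burst allowance and the constructed frame stream (ordinary pings, a worm-style ICMP flood and unrelated traffic, all over one second) are assumptions of the example, not values from the manual.

```python
"""Token-bucket model of per-port ICMP rate-limiting as a percentage of
inbound bandwidth. Illustrative code written for this page; the switch's
own enforcement mechanism is not described in the source text."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Frame:
    t: float          # arrival time in seconds
    proto: str        # "icmp" or "other"
    size: int         # bytes on the wire


class IcmpRateLimiter:
    """Admit ICMP frames only while a bucket refilled at icmp_percent of the
    port's inbound byte rate has enough tokens; other frames always pass."""

    def __init__(self, port_bps: int, icmp_percent: float, burst_bytes: int = 1500):
        self.rate = port_bps / 8 * icmp_percent / 100   # bytes/second allowed for ICMP
        self.burst = burst_bytes                        # assumed burst allowance
        self.tokens = float(burst_bytes)
        self.last = 0.0

    def admit(self, frame: Frame) -> bool:
        if frame.proto != "icmp":
            return True                                  # limit never touches non-ICMP
        self.tokens = min(self.burst, self.tokens + (frame.t - self.last) * self.rate)
        self.last = frame.t
        if self.tokens >= frame.size:
            self.tokens -= frame.size
            return True
        return False                                     # over budget: dropped


def simulate(frames: List[Frame], port_bps: int, icmp_percent: float) -> Tuple[Counter, int]:
    """Run the stream through the limiter; return per-class counts and the
    number of ICMP bytes that were actually forwarded."""
    lim = IcmpRateLimiter(port_bps, icmp_percent)
    stats: Counter = Counter()
    icmp_bytes = 0
    for f in sorted(frames, key=lambda fr: fr.t):      # stable sort keeps arrival order
        ok = lim.admit(f)
        stats[(f.proto, "forwarded" if ok else "dropped")] += 1
        if ok and f.proto == "icmp":
            icmp_bytes += f.size
    return stats, icmp_bytes


def build_stream() -> List[Frame]:
    """Constructed one-second sample: 10 ordinary pings, a 1000-frame ICMP
    flood (1000 bytes each, about 8 Mbit/s) and 50 unrelated frames."""
    frames = [Frame(i / 10, "icmp", 64) for i in range(10)]
    frames += [Frame(i / 1000, "icmp", 1000) for i in range(1000)]
    frames += [Frame(i / 50, "other", 1500) for i in range(50)]
    return frames


def demo(icmp_percent: float = 1.0) -> dict:
    stats, icmp_bytes = simulate(build_stream(), 100_000_000, icmp_percent)
    return {
        "other_forwarded": stats[("other", "forwarded")],
        "other_dropped":   stats[("other", "dropped")],
        "icmp_forwarded":  stats[("icmp", "forwarded")],
        "icmp_dropped":    stats[("icmp", "dropped")],
        "icmp_bytes":      icmp_bytes,
    }


if __name__ == "__main__":
    for pct in (1.0, 100.0):
        print(f"ICMP limited to {pct:g}% of port bandwidth:", demo(pct))
```

With the limit at 1% of a 100 Mbit/s port the flood is cut to roughly 125 kB/s while every non-ICMP frame is forwarded; at 100% nothing is dropped. The model also makes the trade-off explicit: the bucket does not distinguish the ordinary pings from the flood, so during an attack legitimate ICMP competes for the same budget, which is why the percentage should leave headroom above normal ICMP usage rather than being set to the minimum.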