icmp-rate-limit

Description  Configure ICMP rate limiting, to protect against denial-of-service (DoS) attacks.

Syntax       [no] icmp-rate-limit normal-rate lockup max-rate lockup-time

Parameter        Description

normal-rate      Maximum number of ICMP packets allowed per second. If the ACOS device receives more than the normal rate of ICMP packets, the excess packets are dropped until the next one-second interval begins. The normal rate can be 1-65535 packets per second.

lockup max-rate  Maximum number of ICMP packets allowed per second before the ACOS device locks up ICMP traffic. When ICMP traffic is locked up, all ICMP packets are dropped until the lockup expires. The maximum rate can be 1-65535 packets per second. The maximum rate must be larger than the normal rate.

lockup-time      Number of seconds for which the ACOS device drops all ICMP traffic, after the maximum rate is exceeded. The lockup time can be 1-16383 seconds.

Default      None

Mode         Configuration mode

Usage        This command configures ICMP rate limiting globally for all traffic to or through the ACOS device. To configure ICMP rate limiting on individual Ethernet interfaces, see the icmp-rate-limit command in the “Config Commands: Interface” chapter in the Network Configuration Guide. To configure it in a virtual server template, see “slb template virtual-server” on page 259. If you configure ICMP rate limiting filters at more than one of these levels, all filters are applicable.

Specifying a maximum rate (lockup rate) and lockup time is optional. If you do not specify them, lockup does not occur.

Log messages are generated only if the lockup option is used and lockup occurs. Otherwise, the ICMP rate-limiting counters are still incremented but log messages are not generated.

Example      The following command globally configures ICMP rate limiting to allow up to 2048 ICMP packets per second, and to lock up all ICMP traffic for 10 seconds if the rate exceeds 3000 ICMP packets per second:

ACOS(config)#icmp-rate-limit 2048 lockup 3000 10
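
The parameter rules and the drop/lockup behavior described above, as an added Python example (not A10 code and not part of the original page): it checks an icmp-rate-limit line against the documented ranges and replays a constructed per-second trace through a simplified model. The function names, the sample trace, and the assumption that lockup starts in the interval after the one that exceeded max-rate are assumptions of this example.

```python
import re

# Grammar taken from the Syntax line on this page; the lockup clause is optional.
_CMD = re.compile(r"^(no\s+)?icmp-rate-limit\s+(\d+)(?:\s+lockup\s+(\d+)\s+(\d+))?$")

def parse_icmp_rate_limit(line):
    """Return (settings, errors) for one icmp-rate-limit config line."""
    text = line.split("#", 1)[-1].strip()  # drop a prompt such as "ACOS(config)#"
    m = _CMD.match(text)
    if not m:
        return None, ["not a well-formed icmp-rate-limit command"]
    negated, normal, max_rate, lockup_time = m.groups()
    cfg = {
        "negated": bool(negated),
        "normal_rate": int(normal),
        "max_rate": int(max_rate) if max_rate else None,
        "lockup_time": int(lockup_time) if lockup_time else None,
    }
    errors = []
    if not 1 <= cfg["normal_rate"] <= 65535:
        errors.append("normal-rate must be 1-65535")
    if cfg["max_rate"] is not None:
        if not 1 <= cfg["max_rate"] <= 65535:
            errors.append("max-rate must be 1-65535")
        if cfg["max_rate"] <= cfg["normal_rate"]:
            errors.append("max-rate must be larger than normal-rate")
        if not 1 <= cfg["lockup_time"] <= 16383:
            errors.append("lockup-time must be 1-16383")
    return cfg, errors

def simulate(cfg, packets_per_second):
    """Simplified model: one (forwarded, dropped, locked) tuple per second.

    Assumption: lockup begins with the interval after the one that exceeded
    max-rate; the triggering interval is still capped at normal-rate.
    """
    locked_until, timeline = 0, []
    for second, count in enumerate(packets_per_second):
        if second < locked_until:  # lockup active: every ICMP packet dropped
            timeline.append((0, count, True))
            continue
        if cfg["max_rate"] is not None and count > cfg["max_rate"]:
            locked_until = second + 1 + cfg["lockup_time"]
        forwarded = min(count, cfg["normal_rate"])
        timeline.append((forwarded, count - forwarded, False))
    return timeline

# Constructed traffic trace (packets per second), not captured data.
SAMPLE_TRACE = [50, 150, 400, 80, 80, 80]
```

Replaying SAMPLE_TRACE with a constructed setting of 100 normal, 300 maximum and a 2-second lockup shows the two seconds after the spike dropping all ICMP, including traffic that was under the normal rate.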
