
9 dosattack-check icmpv6-size, 4 security feature example – Accton Technology ES4626 User Manual


Usage Guide:

To use this function, you must first run “dosattack-check icmp-attacking enable”.

Example:

Set the max net length of the ICMPv4 data packet permitted by the switch to 100.

Switch(Config)# dosattack-check icmp-attacking enable

Switch(Config)# dosattack-check icmpv4-size 100

2.6.3.9 dosattack-check icmpv6-size

Command: dosattack-check icmpv6-size

Function:

Configure the max net length of the ICMPv6 data packet permitted by the switch.

Parameter:

is the max net length of the ICMPv6 data packet permitted by the switch

Default:

The value is 0x200 by default

Command Mode: Global Mode

Usage Guide:

To use this function, you must first run “dosattack-check icmp-attacking enable”.

Example:

Set the max net length of the ICMPv6 data packet permitted by the switch to 100.

Switch(Config)# dosattack-check icmp-attacking enable

Switch(Config)# dosattack-check icmpv6-size 100

2.6.4 Security Feature Example

Scenario:

The user has the following configuration requirements: the switch must not forward data packets whose source IP address is equal to the destination address, or whose source port is equal to the destination port. Only the ping command with default options is allowed within the IPv4 network; that is, the ICMP request packet cannot be fragmented and its net length is normally smaller than 100.

Configuration procedure:

Switch(Config)# dosattack-check srcip-equal-dstip enable

Switch(Config)# dosattack-check srcport-equal-dstport enable

Switch(Config)# dosattack-check ipv4-first-fragment enable

Switch(Config)# dosattack-check icmp-attacking enable

Switch(Config)# dosattack-check icmpv4-size 100
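
The following audit script is an added example, not part of the manual or of the switch software: it checks a saved copy of the configuration against the scenario above and against the usage-guide rule that the ICMP size limits depend on “dosattack-check icmp-attacking enable”. It assumes the saved text contains the commands in the form typed on this page; the function names and the drifted sample are constructed for illustration.

```python
import re

# Checks required by the 2.6.4 scenario: (feature, expected argument).
# Arguments are compared as text, exactly as typed on the page.
REQUIRED = [
    ("srcip-equal-dstip", "enable"),
    ("srcport-equal-dstport", "enable"),
    ("ipv4-first-fragment", "enable"),
    ("icmp-attacking", "enable"),
    ("icmpv4-size", "100"),
]
# Usage guides: the size limits need "icmp-attacking enable" first.
NEEDS_ICMP_ATTACKING = {"icmpv4-size", "icmpv6-size"}
# Assumption: lines look like the page's commands, with or without the prompt.
LINE_RE = re.compile(r"^\s*(?:\S+#\s*)?dosattack-check\s+(\S+)\s+(\S+)\s*$")

# Constructed sample: a configuration that has drifted from the scenario.
DRIFTED = """\
Switch(Config)# dosattack-check srcip-equal-dstip enable
Switch(Config)# dosattack-check srcport-equal-dstport enable
Switch(Config)# dosattack-check icmpv4-size 200
Switch(Config)# dosattack-check icmpv6-size 100
"""

def parse(config_text):
    """Return {feature: argument}; a later line overrides an earlier one."""
    settings = {}
    for line in config_text.splitlines():
        match = LINE_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings

def audit(config_text):
    """Return a list of findings; an empty list means the scenario is met."""
    settings = parse(config_text)
    findings = []
    for feature, want in REQUIRED:
        got = settings.get(feature)
        if got is None:
            findings.append(f"missing: dosattack-check {feature} {want}")
        elif got != want:
            findings.append(f"mismatch: {feature} is {got}, expected {want}")
    if settings.get("icmp-attacking") != "enable":
        for feature in sorted(NEEDS_ICMP_ATTACKING & settings.keys()):
            findings.append(f"inactive: {feature} set without icmp-attacking enable")
    return findings

if __name__ == "__main__":
    for finding in audit(DRIFTED):
        print(finding)
```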
