Configures the device to drop ICMP packets when an excessive packet rate is encountered.

ip icmp attack-rateburst-normalthreshold-valueburst-maxmax-valuelockuptime
no ip icmp attack-rateburst-normalthreshold-valueburst-maxmax-valuelockuptime

No threshold values for ICMP packets are configured. It is recommended to configure ICMP protection for any switch vulnerable to these attacks.

burst-normalthreshold-value
Configures the allowable rate for packets received in normal burst mode. Valid values are from 20 through 10,000,000 Kbps.
burst-maxmax-value
Specifies the maximum packet rate in burst mode. Valid values are 20 through 10,000,000 Kbps.
lockuptime
Configures the lockup period in seconds. Valid values are from 1 through 10,000 seconds.

Global configuration mode

Interface configuration sub-mode

VLAN configuration sub-mode

You can configure the device to drop ICMP packets when excessive number of packets are encountered as is the case when the device is the victim of a Smurf attack. You can set threshold values for ICMP packets that are targeted at the router itself or that pass through an interface, and drop them when the thresholds are exceeded.

The no form of the command removes the configured threshold values.

The following example sets threshold values for ICMP packets targeted at the router.

device(config)# ip icmp attack-rate burst-normal 2000 burst-max 2500 lockup 300

The following example sets threshold values for ICMP packets received on interface 3/1/1.

device(config)# interface ethernet 3/1/1
device(config-if-e1000-3/1/1)# ip icmp attack-rate burst-normal 2000 burst-max 2500 lockup 300

The following example sets the threshold value for ICMP packets received on interfaces that are members of VLAN 22.

device(config)# interface vlan 22
device(config-vlan-22)# ip icmp attack-rate burst-normal 2000 burst-max 2500 lockup 300