ip icmp attack-rate
-
- Last UpdatedNov 11, 2022
- 2 minutes read
Configures the device to drop ICMP packets when an excessive packet rate is encountered.
No threshold values for ICMP packets are configured. It is recommended to configure ICMP protection for any switch vulnerable to these attacks.
burst-normalthreshold-value | Configures the allowable rate for packets received in normal burst mode. Valid values are from 20 through 10,000,000 Kbps.
|
burst-maxmax-value | Specifies the maximum packet rate in burst mode. Valid values are 20 through 10,000,000 Kbps.
|
lockuptime | Configures the lockup period in seconds. Valid values are from 1 through 10,000 seconds.
|
Global configuration mode
Interface configuration sub-mode
VLAN configuration sub-mode
You can configure the device to drop ICMP packets when excessive number of packets are encountered as is the case when the device is the victim of a Smurf attack. You can set threshold values for ICMP packets that are targeted at the router itself or that pass through an interface, and drop them when the thresholds are exceeded.
The no form of the command removes the configured threshold values.
The following example sets threshold values for ICMP packets targeted at the router.
device(config)# ip icmp attack-rate burst-normal 2000 burst-max 2500 lockup 300The following example sets threshold values for ICMP packets received on interface 3/1/1.
device(config)# interface ethernet 3/1/1
device(config-if-e1000-3/1/1)# ip icmp attack-rate burst-normal 2000 burst-max 2500 lockup 300
The following example sets the threshold value for ICMP packets received on interfaces that are members of VLAN 22.
device(config)# interface vlan 22
device(config-vlan-22)# ip icmp attack-rate burst-normal 2000 burst-max 2500 lockup 300