3com 8807 User Guide

Configuring IP Address
configure static ARP entries that have only IP addresses. The switch will 
automatically fill the MAC address in the ARP mapping entries so that only users 
configured with static ARP entries can have access to the network.
IP address protection configuration
The tasks of IP address protection configuration include:
- Configuring auto-fill ARP address
- Enabling IP address protection
CAUTION:
- The MAC address auto-fill function is enabled only when the IP address protection function is enabled on the interface.
- After the initial auto-fill of the ARP address, the user-configured static ARP entry becomes a normal static ARP entry and cannot be filled again.
Configuring Whether the Switch Sends Unreachable Packets
When receiving an IP packet whose TTL is 1, the switch sends an unreachable 
packet to the sending end. However, if an attacker continuously sends IP packets 
whose TTLs are less than or equal to 1 to the switch, the switch keeps sending 
unreachable packets to the attacker. In this case, the switch CPU is under attack.
To avoid this, the switch can be configured (see Table 56) so that, when it receives 
an IP packet whose TTL is less than or equal to 1, it sends the ICMP packet 
"time exceeded" to the network management system instead of sending an 
unreachable packet to the sending end, thus avoiding an attack on the CPU.
Table 55   Configure IP address protection

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | |
| Configure auto-fill ARP address | arp static ip-address | Optional |
| Enter VLAN interface view | interface Vlan-interface vlan-id | |
| Enable IP address protection | ip-protect enable | By default, the IP address protection function is disabled on VLAN interface |
| View the IP address protection status of the current VLAN interface | display this | You can carry out the display this command in any view |
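
Per the CAUTION in the IP address protection section, an IP-only `arp static` entry is auto-filled only if `ip-protect enable` is set on the interface. The following is an added example, not part of the 3Com guide: it audits a saved configuration for IP-only static ARP entries whose VLAN interface lacks protection. The configuration layout, the `ip address <ip> <mask>` line, the function names and all addresses are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample. Assumed layout: "#" separators, indented sub-commands,
# "ip address <ip> <mask>" under each VLAN interface; addresses are made up.
SAMPLE_CONFIG = """\
interface Vlan-interface10
 ip address 10.1.10.1 255.255.255.0
 ip-protect enable
#
interface Vlan-interface20
 ip address 10.1.20.1 255.255.255.0
#
arp static 10.1.10.25
arp static 10.1.20.40
arp static 10.1.10.30 00e0-fc01-0001
"""

def parse_config(text):
    """Return ({vlan_id: {"net", "protect"}}, [IP-only static ARP addresses])."""
    vlans, ip_only_arp, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level line leaves the interface view
            m = re.fullmatch(r"interface Vlan-interface\s*(\d+)", line)
            current = vlans.setdefault(int(m.group(1)), {"net": None, "protect": False}) if m else None
            m = re.fullmatch(r"arp static (\d+\.\d+\.\d+\.\d+)", line)
            if m:  # no MAC given, so the entry still waits for auto-fill
                ip_only_arp.append(ipaddress.ip_address(m.group(1)))
        elif current is not None:
            m = re.fullmatch(r"ip address (\S+) (\S+)", line)
            if m:
                current["net"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            elif line == "ip-protect enable":
                current["protect"] = True
    return vlans, ip_only_arp

def audit(text):
    """Return (VLAN interfaces without ip-protect, IP-only ARP entries that cannot auto-fill)."""
    vlans, ip_only_arp = parse_config(text)
    unprotected = sorted(v for v, c in vlans.items() if not c["protect"])
    no_autofill = []
    for ip in ip_only_arp:
        owner = next((v for v, c in vlans.items() if c["net"] is not None and ip in c["net"]), None)
        if owner is None or not vlans[owner]["protect"]:
            no_autofill.append((str(ip), owner))  # owner None: no matching VLAN interface
    return unprotected, no_autofill

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

On the constructed sample, VLAN interface 20 is reported as unprotected and the entry for 10.1.20.40 as one whose MAC address will not be filled in.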
Table 56   Configure whether the switch sends unreachable packets

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | |
| Configure that the switch sends the ICMP message "time exceeded" to the network management system when the switch receives an IP packet whose TTL is less than or equal to 1 | ip icmp-time-exceed enable | By default, the switch sends the ICMP message "time exceeded" to the network management system |