The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Internet Control Message Protocol (ICMP) is a network layer protocol used to report and notify errors and for network discovery. There are many attacks that can be performed on a network with ICMP. For example, an ICMP flood Denial of Service (DoS) attack is an attack that exploits ICMP protocol vulnerabilities and incorrect network configuration. ICMP Filtering is a solution to prevent these types of attacks to the network. You can configure the switch to filter the IP addresses or ports that you want to block ICMP packets from. This article explains how to configure ICMP Filtering on the 300 Series Managed Switches.
• SF/SG 300 Series Managed Switches
In order to apply ICMP Filtering, you must first make sure that the switch is in the correct Denial of Service level prevention. This section explains how to enable the correct prevention level on the 300 Series Managed Switches.
Step 1. Log in to the web configuration utility and choose Security > Denial of Service Prevention > Security Suite Settings. The Security Suite Settings page opens:
Step 2. In the DoS Prevention field, there are three levels of prevention. Click the System-Level and Interface-Level Prevention radio button. This level allows you to configure ICMP Filtering.
Step 3. Click Apply to save your configuration.
This section explains how to configure ICMP Filtering on the 300 Series Managed Switches.
Step 1. Log in to the web configuration utility and choose Security > Denial of Service Prevention > ICMP Filtering. The ICMP Filtering page opens:
Step 2.Click Add. The Add ICMP Filtering window appears.
Step 3. In the Interface field, click the radio button of one of the available interface options:
• Port — Allows you to choose the port you wish to filter ICMP packets from.
• LAG — Allows you to choose the LAG you wish to filter ICMP packets from. LAG groups multiple ports into a single logical port.
Step 4. In the IP Address field, click the radio button of one of the available options to define the IP address/addresses to filter ICMP packets from:
• User Defined — User defined ICMP packet sources.
• All addresses — All range of IP address ICMP packet sources.
Step 5 In the Network Mask field, click the radio button of one of the available options to enter the network mask of the IP address configured in Step 4:
• Mask — Subnet mask in dot format, for example, 255.255.255.0.
• Prefix Length — Subnet mask in slash format, for example, \24.
Step 6. Click Apply to save your configuration.
The image below depicts the changes after the configuration:
Step 7. (Optional) To delete an ICMP filter, check the check box of the ICMP filter you wish to delete in the ICMP Filtering Table and then click Delete.