Internet Control Message Protocol (ICMP) Filtering Configuration on the 300 Series Managed Switches

Objective

Internet Control Message Protocol (ICMP) is a network layer protocol used to report and notify errors and for network discovery. There are many attacks that can be performed on a network with ICMP. For example, an ICMP flood Denial of Service (DoS) attack is an attack that exploits ICMP protocol vulnerabilities and incorrect network configuration. ICMP Filtering is a solution to prevent these types of attacks to the network. You can configure the switch to filter the IP addresses or ports that you want to block ICMP packets from. This article explains how to configure ICMP Filtering on the 300 Series Managed Switches.

Applicable Devices

• SF/SG 300 Series Managed Switches

Software Version

• 1.3.0.62

Enable Denial of Service Level Prevention

In order to apply ICMP Filtering, you must first make sure that the switch is in the correct Denial of Service level prevention. This section explains how to enable the correct prevention level on the 300 Series Managed Switches.

Step 1. Log in to the web configuration utility and choose Security > Denial of Service Prevention > Security Suite Settings. The Security Suite Settings page opens:

Step 2. In the DoS Prevention field, there are three levels of prevention. Click the System-Level and Interface-Level Prevention radio button. This level allows you to configure ICMP Filtering.

Step 3. Click Apply to save your configuration.

ICMP Filtering Configuration

This section explains how to configure ICMP Filtering on the 300 Series Managed Switches.

Step 1. Log in to the web configuration utility and choose Security > Denial of Service Prevention > ICMP Filtering. The ICMP Filtering page opens:

Step 2.Click Add. The Add ICMP Filtering window appears.

Step 3. In the Interface field, click the radio button of one of the available interface options:

• Port — Allows you to choose the port you wish to filter ICMP packets from.

• LAG — Allows you to choose the LAG you wish to filter ICMP packets from. LAG groups multiple ports into a single logical port.

Step 4. In the IP Address field, click the radio button of one of the available options to define the IP address/addresses to filter ICMP packets from:

• User Defined — User defined ICMP packet sources.

• All addresses — All  range of IP address  ICMP packet sources.

Step 5 In the Network Mask field, click the radio button of one of the available options to enter the network mask of the IP address configured in Step 4:

• Mask — Subnet mask in dot format, for example, 255.255.255.0.

• Prefix Length — Subnet mask in slash format, for example, \24.

Step 6. Click Apply to save your configuration.

The image below depicts the changes after the configuration:

Step 7. (Optional) To delete an ICMP filter, check the check box of the ICMP filter you wish to delete in the ICMP Filtering Table and then click Delete.