Management and Configuration Guide K/KA/KB.15.15

inquiries. In unusual situations, if the messages are generated rapidly with the intent of overloading
network circuits, they can threaten network availability. This problem is visible in denial-of-service
(DoS) attacks or other malicious behaviors where a worm or virus overloads the network with ICMP
messages to an extent where no other traffic can get through. (ICMP messages themselves can
also be misused as virus carriers.) Such malicious misuses of ICMP can include a high number of
ping packets that mimic a valid source IP address and an invalid destination IP address (spoofed
pings), and a high number of response messages (such as Destination Unreachable error messages)
generated by the network.
ICMP rate-limiting provides a method for limiting the amount of bandwidth that may be used for
inbound ICMP traffic on a switch port or trunk. This feature allows users to restrict ICMP traffic to
percentage levels that permit necessary ICMP functions, but throttle additional traffic that may be
caused by worms or viruses (reducing their spread and effect). In addition, ICMP rate-limiting
preserves inbound port bandwidth for non-ICMP traffic.
CAUTION: This feature should not be used to remove all ICMP traffic from a network. ICMP is
necessary for routing, diagnostic, and error responses in an IP network. ICMP rate-limiting is
primarily used for throttling worm or virus-like behavior and should normally be configured to allow
one to five percent of available inbound bandwidth (at 10 Mbps or 100 Mbps speeds) or 100 to
10,000 kbps (1 Gbps or 10 Gbps speeds) to be used for ICMP traffic.
NOTE: ICMP rate-limiting does not throttle non-ICMP traffic. In cases where you want to throttle
both ICMP traffic and all other inbound traffic on a given interface, you can separately configure
both ICMP rate-limiting and all-traffic rate-limiting.
Beginning with software release K.12.xx, the all-traffic rate-limiting command (rate-limit all)
and the ICMP rate-limiting command (rate-limit icmp) operate differently:
• All-traffic rate-limiting applies to both inbound and outbound traffic and can be specified either
in terms of a percentage of total bandwidth or in terms of bits per second;
• ICMP rate-limiting applies only to inbound traffic and can be specified only as a percentage
of total bandwidth.
ICMP rate-limiting is not supported on meshed ports. (Rate-limiting can reduce the efficiency of
paths through a mesh domain.)
Guidelines for configuring ICMP rate-limiting
Apply ICMP rate-limiting on all connected interfaces on the switch to effectively throttle excessive
ICMP messaging from any source. Figure 84 (page 188) shows an example of how to configure
this for a small to mid-sized campus, though similar rate-limit thresholds are applicable to other
network environments. On edge interfaces, where ICMP traffic should be minimal, a threshold of
1% of available bandwidth should be sufficient for most applications. On core interfaces, such as
switch-to-switch and switch-to-router, a maximum threshold of 5% should be sufficient for normal
ICMP traffic. ("Normal" ICMP traffic levels should be the maximums that occur when the network
is rebooting.)
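The following is an added model of the behavior described in this section; it is not HP/ProCurve code and does not reflect how the switch hardware actually schedules packets, which the text does not describe. It assumes a simple fixed one-second accounting window in which inbound ICMP on a port may consume at most the configured percentage of link bandwidth, counts only ICMP against that budget (non-ICMP traffic passes untouched, as the NOTE states), and applies the guideline thresholds of 1% on edge ports and 5% on core ports. The traffic stream, the port roles, and the one-second window are constructed for the example.

```python
"""Model of per-port inbound ICMP rate-limiting (added example, not HP code).

Assumption: a fixed one-second window in which ICMP may use at most
`percent` of the port's inbound bandwidth. The real switch scheduler is not
described in the guide; this only illustrates what the feature guarantees.
"""
from dataclasses import dataclass

# Thresholds from the guidelines: 1% on edge ports, 5% on core ports.
RECOMMENDED_PERCENT = {"edge": 1.0, "core": 5.0}


@dataclass
class IcmpRateLimiter:
    link_mbps: float          # port speed in Mbps (10, 100, 1000, 10000)
    percent: float            # share of inbound bandwidth ICMP may use
    window_s: float = 1.0     # assumed accounting window (not from the text)

    def budget_bytes(self) -> int:
        """Bytes of ICMP the port will forward per window."""
        bytes_per_window = self.link_mbps * 1_000_000 * self.window_s / 8
        return int(bytes_per_window * self.percent / 100)

    def budget_kbps(self) -> float:
        """Same budget expressed as a rate, for comparison with kbps settings."""
        return self.link_mbps * 1000 * self.percent / 100

    def run(self, packets):
        """Apply the limit to (timestamp_s, protocol, length_bytes) tuples.

        Only ICMP is charged against the budget; every other protocol is
        forwarded untouched, matching the NOTE that non-ICMP traffic is not
        throttled by this feature.
        """
        stats = {"icmp_forwarded": 0, "icmp_dropped": 0, "other_forwarded": 0}
        budget = self.budget_bytes()
        current_window = None
        used = 0
        for t, proto, length in sorted(packets):
            window = int(t // self.window_s)
            if window != current_window:          # new window: reset the budget
                current_window, used = window, 0
            if proto != "icmp":
                stats["other_forwarded"] += 1
            elif used + length <= budget:
                used += length
                stats["icmp_forwarded"] += 1
            else:                                 # budget exhausted: excess ICMP dropped
                stats["icmp_dropped"] += 1
        return stats


def plan_thresholds(port_roles):
    """Give every connected port a limit, as the guidelines recommend.

    port_roles maps port name -> "edge" or "core" (constructed input)."""
    return {port: RECOMMENDED_PERCENT[role] for port, role in port_roles.items()}


def build_sample_traffic():
    """Constructed traffic: a 100-byte ICMP flood in second 0 mixed with TCP,
    then a normal trickle of pings in second 1."""
    flood = [(i * 0.0004, "icmp", 100) for i in range(2000)]     # 200,000 bytes
    tcp = [(i * 0.01, "tcp", 1500) for i in range(50)]           # must not be throttled
    normal = [(1.0 + i * 0.05, "icmp", 64) for i in range(10)]   # well under budget
    return flood + tcp + normal


def demo():
    """100 Mbps edge port at 1%: 125,000 bytes of ICMP per second allowed."""
    limiter = IcmpRateLimiter(link_mbps=100, percent=RECOMMENDED_PERCENT["edge"])
    return limiter.run(build_sample_traffic())


if __name__ == "__main__":
    print(demo())
    print(plan_thresholds({"1": "edge", "2": "edge", "25": "core"}))
```

In the constructed flood the first 1,250 ICMP packets of second 0 fill the 125,000-byte budget and the remaining 750 are dropped, while all 50 TCP packets and the 10 normal pings in second 1 are forwarded, which is the property the CAUTION relies on: a small percentage still leaves room for legitimate ICMP once the burst subsides.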
ICMP rate-limiting 187