Cisco Sx350 CLI Manual page 270

Syntax
security-suite deny syn {[add {tcp-port | any} {ip-address | any} {mask | /prefix-length}] | [remove {tcp-port | any} {ip-address | any} {mask | /prefix-length}]}
no security-suite deny syn
Parameters
ip-address | any—Specifies the destination IP address. Use any to specify all IP addresses.
mask—Specifies the network mask of the destination IP address.
prefix-length—Specifies the number of bits that comprise the destination IP address prefix. The prefix length must be preceded by a forward slash (/).
tcp-port | any—Specifies the destination TCP port. The possible values are: http, ftp-control, ftp-data, ssh, telnet, smtp, or port number. Use any to specify all ports.
Default Configuration
Creation of TCP connections is allowed from all interfaces.
If the mask is not specified, it defaults to 255.255.255.255.
If the prefix-length is not specified, it defaults to 32.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
For this command to work, show security-suite configuration must be enabled both globally and for interfaces.
The blocking of TCP connection creation from an interface is done by discarding ingress TCP packets with "SYN=1", "ACK=0" and "FIN=0" for the specified destination IP addresses and destination TCP ports.
Example
The following example attempts to block the creation of TCP connections from an interface. It fails because security suite is enabled globally and not per interface.
Cisco Sx350 Ph. 2.2.5 Devices - Command Line Interface Reference Guide
Denial of Service (DoS) Commands
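The match described in the User Guidelines, modeled in Python as an added example (it is not from the Cisco guide): it applies the 255.255.255.255 (/32) default and the SYN=1, ACK=0, FIN=0 test to a set of constructed rules. The function names, the sample addresses and the keyword-to-port numbers (standard well-known ports) are assumptions.

```python
import ipaddress

# Keyword -> well-known port (assumed to be what the switch resolves them to).
PORT_KEYWORDS = {"http": 80, "ftp-control": 21, "ftp-data": 20,
                 "ssh": 22, "telnet": 23, "smtp": 25}


def parse_rule(tcp_port, ip_address, mask=None):
    """Model one 'security-suite deny syn add' entry as (port, network).

    None in either slot stands for the 'any' keyword.
    """
    if tcp_port == "any":
        port = None
    else:
        port = PORT_KEYWORDS.get(tcp_port) or int(tcp_port)
        if not 0 < port < 65536:
            raise ValueError(f"bad TCP port: {tcp_port}")
    if ip_address == "any":
        return port, None
    # Omitted mask or prefix length defaults to 255.255.255.255 (/32).
    suffix = "32" if mask is None else mask.lstrip("/")
    return port, ipaddress.ip_network(f"{ip_address}/{suffix}", strict=False)


def is_discarded(rules, dst_ip, dst_port, syn, ack, fin):
    """True if an ingress TCP segment matches a modeled deny-syn rule."""
    # Only connection-opening segments are candidates: SYN=1, ACK=0, FIN=0.
    if not (syn and not ack and not fin):
        return False
    addr = ipaddress.ip_address(dst_ip)
    return any((port is None or port == dst_port) and (net is None or addr in net)
               for port, net in rules)


# Constructed sample rules (documentation address ranges, not from the guide).
RULES = [
    parse_rule("ssh", "192.0.2.10"),                       # default /32
    parse_rule("http", "198.51.100.0", "/24"),             # prefix-length form
    parse_rule("8443", "203.0.113.0", "255.255.255.128"),  # mask form
]

if __name__ == "__main__":
    for ip, port, flags in [("192.0.2.10", 22, (1, 0, 0)),
                            ("192.0.2.10", 22, (1, 1, 0)),
                            ("192.0.2.11", 22, (1, 0, 0))]:
        print(ip, port, flags, is_discarded(RULES, ip, port, *flags))
```

Segments with ACK set, such as the SYN+ACK reply to a connection opened from the protected side, fall outside the match, so the rule blocks only connection creation arriving on the interface.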
