Security-Suite Enable - Cisco Sx350 Cli Manual

This command rate limits ingress TCP packets with "SYN=1", "ACK=0" and "FIN=0"
for the specified destination IP addresses.
SYN attack rate limiting is implemented after the security suite rules are applied to
the packets. The ACL and QoS rules are not applied to those packets.
Since the hardware rate limiting counts bytes, it is assumed that the size of "SYN"
packets is short.
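An added illustration, not taken from the Cisco guide: a software model of the match described above (SYN=1, ACK=0, FIN=0, destination in a given network) combined with a byte budget, showing why a limiter that counts bytes admits fewer SYN packets as they get longer. The per-interval byte budget, the function names and the sample packets are assumptions constructed for this example and do not describe the switch hardware.

```python
import ipaddress
import struct

SYN, ACK, FIN = 0x02, 0x10, 0x01  # TCP flag bits

def is_limited_syn(packet: bytes, dest_net: str) -> bool:
    """True for an IPv4/TCP packet with SYN=1, ACK=0, FIN=0 destined to dest_net."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return False                      # not IPv4, or not TCP
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl + 14:
        return False                      # malformed or truncated header
    if packet[ihl + 13] & (SYN | ACK | FIN) != SYN:
        return False
    dst = ipaddress.IPv4Address(packet[16:20])
    return dst in ipaddress.ip_network(dest_net)

def admitted(packets, dest_net, byte_budget):
    """Assumed model of one interval of a byte-counting limiter (not Cisco's
    implementation): matching SYNs spend the budget, all other packets pass."""
    passed = []
    for p in packets:
        if is_limited_syn(p, dest_net):
            if len(p) > byte_budget:
                continue                  # budget spent: this SYN is dropped
            byte_budget -= len(p)
        passed.append(p)
    return passed

def make_packet(dst, flags, options=b""):
    """Build a constructed IPv4/TCP test packet (checksums left at zero)."""
    offset = ((20 + len(options)) // 4) << 4   # TCP data offset in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, offset, flags, 1024, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address("198.51.100.7").packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + tcp

if __name__ == "__main__":
    # Constructed traffic: 40 bare SYNs (40 bytes) and 40 SYNs with 20 bytes of options (60 bytes)
    short = [make_packet("10.1.2.3", SYN) for _ in range(40)]
    longer = [make_packet("10.1.2.3", SYN, b"\x01" * 20) for _ in range(40)]
    for name, pkts in (("40-byte SYNs", short), ("60-byte SYNs", longer)):
        print(name, "admitted:", len(admitted(pkts, "0.0.0.0/0", 1200)))
```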
Example
The following example attempts to rate limit DoS SYN attacks on a port. It fails
because security suite is enabled globally and not per interface.
switchxxxxxx(config)# security-suite enable global-rules-only
switchxxxxxx(config)# interface gi11
switchxxxxxx(config-if)# security-suite dos syn-attack 199 any /10
To perform this command, DoS Prevention must be enabled in the per-interface mode.

10.8 security-suite enable

To enable the security suite feature, use the security-suite enable Global
Configuration mode command. This feature supports protection against various
types of attacks.
When this command is used, hardware resources are reserved. These hardware
resources are released when the no security-suite enable command is entered.
The security-suite feature can be enabled in one of the following ways:
Global-rules-only: This enables the feature globally, but per-interface features are not enabled.
All (no keyword): The feature is enabled globally and per-interface.
To disable the security suite feature, use the no form of this command.
When security-suite is enabled, you can specify the types of protection required.
The following commands can be used:
show security-suite configuration
Cisco Sx350 Ph. 2.2.5 Devices - Command Line Interface Reference Guide
Denial of Service (DoS) Commands
