Security-Suite Deny Icmp - Cisco 300 Series Cli Manual

Small business 300 series managed switches command line interface guide release 1.3
tcp-port | any—Specifies the destination TCP port. The possible values are: http, ftp-control, ftp-data, ssh, telnet, smtp, dns, tftp, ntp, snmp or port number. Use any to specify all ports.

Default Configuration
Creation of TCP connections is allowed from all interfaces.
If the mask is not specified, it defaults to 255.255.255.255.
If the prefix-length is not specified, it defaults to 32.

Command Mode
Interface Configuration (Ethernet, Port-channel) mode

User Guidelines
For this command to work, security-suite enable must be enabled both globally and for interfaces.
The blocking of TCP connection creation from an interface is done by discarding ingress TCP packets with "SYN=1", "ACK=0" and "FIN=0" for the specified destination IP addresses and destination TCP ports.

Example
The following example attempts to block the creation of TCP connections from an interface. It fails because security suite is enabled globally and not per interface.
switchxxxxxx(config)# security-suite enable global-rules-only
switchxxxxxx(config)# interface gi1
switchxxxxxx(config-if)# security-suite deny syn add any /32 any
To perform this command, DoS Prevention must be enabled in the per-interface mode.

security-suite deny icmp

Use the security-suite deny icmp Interface Configuration (Ethernet, Port-channel) mode command to discard ICMP echo requests from a specific interface (to prevent attackers from knowing that the device is on the network).
Use the no form of this command to permit echo requests.

78-21075-01 Command Line Interface Reference Guide
Denial of Service (DoS) Commands
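As an added illustration (not code from the Cisco guide), the following Python models the behaviour described above with a hypothetical DosInterface class: a deny syn rule is refused with the page's error text unless DoS Prevention is enabled per interface, ingress TCP packets are discarded only when they carry SYN=1, ACK=0, FIN=0 and match the destination prefix (default /32) and port, and deny icmp drops ICMP echo requests only. The port-keyword numbers are standard IANA values not listed on the page; packets are constructed dicts.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Standard IANA port numbers for the keywords the command accepts (the page lists
# the keywords but not the numbers).
TCP_PORT_KEYWORDS = {"http": 80, "ftp-control": 21, "ftp-data": 20, "ssh": 22,
                     "telnet": 23, "smtp": 25, "dns": 53, "tftp": 69, "ntp": 123,
                     "snmp": 161}

# Message the page shows when the per-interface command is refused.
NOT_PER_INTERFACE = ("To perform this command, DoS Prevention must be enabled "
                     "in the per-interface mode.")

@dataclass
class DenySynRule:
    dst_net: ipaddress.IPv4Network        # destination prefix, /32 if none given
    dst_port: Optional[int]               # None means "any"

@dataclass
class DosInterface:
    """Hypothetical model of one switch port's DoS-prevention state."""
    global_mode: str                      # "global-rules-only" or "enable"
    deny_syn_rules: List[DenySynRule] = field(default_factory=list)
    deny_icmp: bool = False

    def deny_syn_add(self, dst_ip="any", prefix_len=32, port="any"):
        """Returns "" on success, or the CLI error text when the rule is refused."""
        if self.global_mode != "enable":          # global-rules-only: refused
            return NOT_PER_INTERFACE
        if dst_ip == "any":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        else:
            net = ipaddress.IPv4Network(f"{dst_ip}/{prefix_len}", strict=False)
        dport = None if port == "any" else int(TCP_PORT_KEYWORDS.get(port, port))
        self.deny_syn_rules.append(DenySynRule(net, dport))
        return ""

def discard(iface, pkt):
    """True if this ingress packet is dropped under the rules described above."""
    if pkt["proto"] == "icmp":                    # deny icmp: echo request only
        return iface.deny_icmp and pkt.get("icmp_type") == 8
    if pkt["proto"] != "tcp":
        return False
    f = pkt["flags"]                              # connection-opening segments only:
    if not (f.get("syn") and not f.get("ack") and not f.get("fin")):
        return False                              # SYN/ACK, RST, FIN pass through
    dst = ipaddress.IPv4Address(pkt["dst_ip"])
    return any(dst in r.dst_net and r.dst_port in (None, pkt["dst_port"])
               for r in iface.deny_syn_rules)
```

Because only SYN=1/ACK=0/FIN=0 segments are matched, replies to connections the protected host opens itself (SYN/ACK) are never discarded.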