Security-Suite Deny Icmp - Cisco Small Business 300 1.1 Series Administration Manual


Quality of Service (QoS) Commands
78-20269-01 Command Line Interface Reference Guide
tcp-port | any—Specifies the destination TCP port. The possible values are:
http, ftp-control, ftp-data, ssh, telnet, smtp, dns, tftp, ntp, snmp or port
number. Use any to specify all ports.
Default Configuration
Creation of TCP connections is allowed from all interfaces.
If the mask is not specified, it defaults to 255.255.255.255.
If the prefix-length is not specified, it defaults to 32.
Command Mode
Interface Configuration (Ethernet, Port-channel) mode
User Guidelines
For this command to work, security-suite enable must be enabled both globally
and for interfaces.
The blocking of TCP connection creation from an interface is done by discarding
ingress TCP packets with "SYN=1", "ACK=0" and "FIN=0" for the specified
destination IP addresses and destination TCP ports.
Example
The following example attempts to block the creation of TCP connections from an
interface. It fails because security suite is enabled globally and not per interface.
Console(config)# security-suite enable global-rules-only
Console(config)# interface gi1
Console(config-if)# security-suite deny syn add any /32 any
To perform this command, DoS Prevention must be enabled in the per-interface mode.
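
The match described in the User Guidelines above (SYN=1, ACK=0, FIN=0 toward a given destination address and TCP port) can be modelled offline to check which packets such a rule would discard. This is an added example, not code from the Cisco manual; make_rule, rule_drops and build_packet are hypothetical names, the keyword-to-port mapping assumes IANA well-known ports, and the sample packets are constructed.

```python
import ipaddress
import struct

FIN, SYN, ACK = 0x01, 0x02, 0x10  # flag bits in byte 13 of the TCP header

# Assumption: the port keywords map to their IANA well-known port numbers.
PORT_KEYWORDS = {"ftp-data": 20, "ftp-control": 21, "ssh": 22, "telnet": 23,
                 "smtp": 25, "dns": 53, "tftp": 69, "http": 80, "ntp": 123,
                 "snmp": 161}

def make_rule(ip, port, prefix_length=32):
    """Hypothetical rule object: (destination network or None, port or None).
    prefix_length defaults to 32, the default the manual gives."""
    net = None if ip == "any" else ipaddress.ip_network(
        f"{ip}/{prefix_length}", strict=False)
    dport = None if port == "any" else PORT_KEYWORDS.get(port) or int(port)
    return net, dport

def rule_drops(rule, packet):
    """True if this ingress IPv4 packet matches the rule and would be discarded."""
    net, dport = rule
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return False                        # not IPv4 carrying TCP
    ihl = (packet[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    # Model choice: non-first fragments carry no TCP header, so never match.
    if ihl < 20 or frag_offset or len(packet) < ihl + 14:
        return False
    flags = packet[ihl + 13]
    if (flags & (SYN | ACK | FIN)) != SYN:  # need SYN=1, ACK=0, FIN=0
        return False
    dst = ipaddress.ip_address(packet[16:20])
    (port,) = struct.unpack("!H", packet[ihl + 2:ihl + 4])
    return (net is None or dst in net) and (dport is None or port == dport)

def build_packet(dst, dport, flags):
    """Constructed sample input: bare IPv4 + TCP headers, checksums zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.ip_address("192.0.2.10").packed,
                     ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, flags,
                      8192, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    rule = make_rule("198.51.100.7", "http")
    for name, flags in [("SYN", SYN), ("SYN+ACK", SYN | ACK), ("ACK", ACK)]:
        pkt = build_packet("198.51.100.7", 80, flags)
        print(f"{name:8} -> {'drop' if rule_drops(rule, pkt) else 'forward'}")
```

Only the initial SYN matches, so replies to connections opened from the other side and traffic on established connections still pass.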

41.48 security-suite deny icmp

Use the security-suite deny icmp Interface Configuration (Ethernet, Port-channel)
mode command to discard ICMP echo requests from a specific interface (to
prevent attackers from knowing that the device is on the network).
Use the no form of this command to permit echo requests.