Chapter 50 Security Feature Configuration
50.1 Introduction to Security Feature
Before introducing t he security features, we here first introduc e the DoS. The DoS is short for Denial of
Service, which is a simple but effective destructive attack on the internet. The server under DoS attack will
drop normal user data packet due to non-stop processing the attacker's data packet, leading to the denial of
the servic e and worse can lead to leak of sensitive data of the server.
Security feature refers to applications such as protocol check which is for protecting the server from attacks
such as DoS. The protocol check allows the user to drop matched packets based on specified conditions. The
security features provide several simple and effective protections against Dos attacks while acting no
influence on the linear forwarding performance of the switch.
50.2 Security Feature Configuration
50.2.1 Prevent IP Spoofing Function Configuration Task
Sequence
1.Enable the IP spoofing function.
Global Mode
[no] dosattack-check srcip-equal-dstip
enable
50.2.2 Prevent TCP Unauthorized Label Attack Function
Configuration Task Sequence
1.Enable the anti TCP unauthorized label attack function
2.Enable Checking IP v4 fragment function
Global Mode
[no] dosattack-check tcp-flags enable
[no] dosattack-check
ipv4-first-fragment enable
Command
Command
Explanation
Enable/disable the function of checking if the
IP source address is the same as the
destination address.
Explanation
Enable/disable checking TCP label function
Enable/disable checking IP v4 fragment. This
command has no effect when used separately,
but if this function is not enabled, the switch will
not drop the IP v4 fragment packet containing
unauthorized TCP labels.
50-1