Configuring Syn Protection - Cisco 220 Series Smart Plus Administration Manual

Configuring Security
Configuring DoS Protection
Cisco 220 Series Smart Plus Switches Administration Guide Release 1.0.0.x

STEP 4 Click Apply. The DoS protection and IP gratuitous ARP protection are enabled or disabled on the port, and the Running Configuration is updated.

Configuring SYN Protection

The network ports might be used by hackers to attack the switch in a SYN attack, which consumes TCP resources (buffers) and CPU power.

Since the CPU is protected using SCT, TCP traffic to the CPU is limited. However, if one or more ports are attacked with a high rate of SYN packets, the CPU receives only the attacker's packets, thus creating a Denial-of-Service condition.

When using the SYN protection feature, the CPU counts the SYN packets ingressing from each network port to the CPU per second. If the number is higher than the specified, user-defined threshold, a deny SYN with MAC-to-me rule is applied on the port. This rule is unbound from the port every user-defined interval (SYN Protection Period).
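The per-port SYN counting, threshold check and deny-rule lifecycle described above, modelled as an added Python example (hypothetical code written for this page, not the switch's firmware). The threshold of 3 SYN packets per second, the 5 second SYN Protection Period and the packet trace are constructed values; the page leaves threshold and period user-defined.

```python
from dataclasses import dataclass, field

SYN, FIN, RST = 0x02, 0x01, 0x04  # TCP flag bits

@dataclass
class SynProtection:
    """Per-port SYN rate check as described on this page (hypothetical model, not switch code)."""
    threshold: int   # user-defined SYN packets per second, per port, before the deny rule is applied
    period: int      # SYN Protection Period in seconds, after which the deny rule is unbound
    block_syn_fin: bool = False   # global "Block SYN-FIN Packets" setting
    block_syn_rst: bool = False   # global "Block SYN-RST Packets" setting
    counts: dict = field(default_factory=dict)         # (port, second) -> CPU-bound SYNs counted
    blocked_until: dict = field(default_factory=dict)  # port -> second at which the rule is unbound
    last_attack: dict = field(default_factory=dict)    # port -> second the last flood was detected

    def handle(self, port: str, t: float, flags: int) -> str:
        """Classify one packet addressed to the CPU: 'forward', 'drop-global' or 'drop-port'."""
        if flags & SYN and ((self.block_syn_fin and flags & FIN) or (self.block_syn_rst and flags & RST)):
            return "drop-global"                 # global setting: dropped on every port
        sec = int(t)
        if port in self.blocked_until and sec >= self.blocked_until[port]:
            del self.blocked_until[port]         # protection period elapsed: rule unbound from the port
        if not flags & SYN:
            return "forward"                     # only SYN packets are counted
        if port in self.blocked_until:
            return "drop-port"                   # deny SYN with MAC-to-me rule is bound to this port
        key = (port, sec)
        self.counts[key] = self.counts.get(key, 0) + 1
        if self.counts[key] > self.threshold:    # this second's SYN rate exceeded the threshold
            self.blocked_until[port] = sec + self.period
            self.last_attack[port] = sec
            return "drop-port"
        return "forward"

def run_demo():
    """Replay a constructed trace (not a real capture) and return the action taken per packet."""
    sp = SynProtection(threshold=3, period=5, block_syn_fin=True)  # constructed settings
    trace = [  # (port, time in seconds, TCP flags)
        ("gi1", 10.0, SYN), ("gi1", 10.1, SYN), ("gi1", 10.2, SYN),  # within the threshold
        ("gi1", 10.3, SYN), ("gi1", 10.4, SYN), ("gi1", 10.5, SYN),  # 4th SYN in one second trips the rule
        ("gi2", 10.2, SYN), ("gi2", 10.6, SYN),                      # a quiet port is unaffected
        ("gi2", 11.0, SYN | FIN),                                    # SYN-FIN is dropped on all ports
        ("gi1", 14.0, SYN),                                          # still inside the protection period
        ("gi1", 15.0, SYN),                                          # period over: rule unbound, forwarded again
    ]
    actions = {}
    for port, t, flags in trace:
        actions.setdefault(port, []).append(sp.handle(port, t, flags))
    return actions, dict(sp.last_attack)
```

The returned last_attack map corresponds to the Last Attack column of the SYN Protection Interface Table, recorded at the second the threshold was exceeded.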
To configure the SYN Protection settings:

STEP 1 Click Security > Denial of Service > SYN Protection.

The SYN Protection Interface Table displays the following information:

Interface—Shows the port ID.
Current State—Shows whether the SYN Protection feature is enabled or disabled on the port.
Last Attack—Shows the time of the last SYN flood attack detected on the port.

STEP 2 Enter the global SYN Protection parameters:

Block SYN-RST Packets—Check Enable to enable the feature. All TCP packets with both SYN and RST flags are blocked.
Block SYN-FIN Packets—Check Enable to enable the feature. All TCP packets with both SYN and FIN flags are dropped on all ports.
SYN Protection Mode—Select one of the following protection modes:
- Disable—The feature is disabled on the port.
