hit counter script

Security-Suite Enable - Cisco 300 Series Cli Manual

Stackable managed switches
Hide thumbs Also See for 300 Series:
Table of Contents

Advertisement

Denial of Service (DoS) Commands
OL-32830-01 Command Line Interface Reference Guide
This command rate limits ingress TCP packets with "SYN=1", "ACK=0" and "FIN=0"
for the specified destination IP addresses.
SYN attack rate limiting is implemented after the security suite rules are applied to
the packets. The ACL and QoS rules are not applied to those packets.
Since the hardware rate limiting counts bytes, it is assumed that the size of "SYN"
packets is short.
Example
The following example attempts to rate limit DoS SYN attacks on a port. It fails
because security suite is enabled globally and not per interface.
switchxxxxxx(config)#
switchxxxxxx(config)#
switchxxxxxx(config-if)#
To perform this command, DoS Prevention must be enabled in the per-interface mode.

16.8 security-suite enable

To enable the security suite feature, use the security-suite enable Global
Configuration mode command. This feature supports protection against various
types of attacks.
When this command is used, hardware resources are reserved. These hardware
resources are released when the no security-suite enable command is entered.
The security-suite feature can be enabled in one of the following ways:
Global-rules-only—This enables the feature globally but per-interface
features are not enabled.
All (no keyword)—The feature is enabled globally and per-interface.
To disable the security suite feature, use the no form of this command.
When security-suite is enabled, you can specify the types of protection required.
The following commands can be used:
show security-suite configuration
show security-suite configuration
show security-suite configuration
security-suite enable global-rules-only
interface gi11
security-suite dos syn-attack 199 any /10
16
372

Advertisement

Table of Contents
loading

Table of Contents