Denial of Service (DoS) Commands
OL-32830-01 Command Line Interface Reference Guide 364
16
User Guidelines
For this command to work, show security-suite configuration must be enabled
both globally and for interfaces.
Example
The following example attempts to discard IP fragmented packets from an
interface.
switchxxxxxx(config)#
security-suite enable global-rules-only
switchxxxxxx(config)#
interface gi11
switchxxxxxx(config-if)#
security-suite deny fragmented add any /32
To perform this command, DoS Prevention must be enabled in the per-interface mode.
16.2 security-suite deny icmp
To discard ICMP echo requests from a specific interface (to prevent attackers from
knowing that the device is on the network), use the security-suite deny icmp
Interface (Ethernet, Port Channel) Configuration mode command.
To permit echo requests, use the no form of this command.
Syntax
security-suite deny icmp
{[add {ip-address | any} {mask | /prefix-length}] | [remove
{ip-address | any} {mask | /prefix-length}]}
no security-suite deny icmp
Parameters
• ip-address | any—Specifies the destination IP address. Use any to specify
all IP addresses.
• mask—Specifies the network mask of the IP address.
• prefix-length—Specifies the number of bits that comprise the IP address
prefix. The prefix length must be preceded by a forward slash (/).
Default Configuration
Echo requests are allowed from all interfaces.
To Next Page
Loading...
Need help?
General
