Controlling Management Access 225
Configuring DoS Information
Beginning in Privileged EXEC mode, use the following commands to specify
settings to help prevent DoS attacks on the switch.
show crypto certificate
mycertificate
View the SSL certificates of your switch.
show ip http server
secure status
Display the HTTPS server configuration.
show ip http server
status
Display the HTTP server configuration.
Command Purpose
configure Enter Global Configuration mode.
dos-control sipdip Enable Source IP Address = Destination IP Address
(SIP=DIP) Denial of Service protection.
If packets ingress with SIP=DIP, the packets is dropped if
the mode is enabled.
dos-control firstfrag
[
size
]
Enable Minimum TCP Header Size Denial of Service
protection, where
size
is the TCP header size. (Range: 0-
255).
dos-control tcpfrag Enable TCP Fragment Denial of Service protection.
If packets ingress having IP Fragment Offset equal to one
(1), the packets are dropped.
dos-control tcpflag Enable TCP Flag Denial of Service protections.
If packets ingress having TCP Flag SYN set and a source
port less than 1024, having TCP Control Flags set to 0 and
TCP Sequence Number set to 0, having TCP Flags FIN,
URG, and PSH set and TCP Sequence Number set to 0, or
having TCP Flags SYN and FIN both set, the packets are
dropped.
dos-control l4port Enable L4 Port Denial of Service protection.
If packets ingress having Source TCP/UDP Port Number
equal to Destination TCP/UDP Port Number, the packets
are dropped.
Command Purpose
To Next Page
Loading...
