It is recommended to always enable protection against unregistered IP protocols (IP packets whose protocol number the router does not recognize).
It is recommended to enable logging for every protection mechanism against network attacks that is turned on, so that blocked packets leave a trace in the log.
7.6.2 Configuration example
Objective:
Configure the protection mechanism against network attacks in accordance with the recommendations.
Solution:
Enable protection against IP spoofing and logging of the protection mechanism:
esr(config)# ip firewall screen spy-blocking spoofing
esr(config)# logging firewall screen spy-blocking spoofing
Enable protection against TCP packets with an invalid flag combination (SYN+FIN, FIN without ACK, no flags set, all flags set) and logging of the protection mechanism:
esr(config)# ip firewall screen spy-blocking syn-fin
esr(config)# logging firewall screen spy-blocking syn-fin
esr(config)# ip firewall screen spy-blocking fin-no-ack
esr(config)# logging firewall screen spy-blocking fin-no-ack
esr(config)# ip firewall screen spy-blocking tcp-no-flag
esr(config)# logging firewall screen spy-blocking tcp-no-flag
esr(config)# ip firewall screen spy-blocking tcp-all-flags
esr(config)# logging firewall screen spy-blocking tcp-all-flags
Enable protection against fragmented ICMP packets and logging of the protection mechanism:
esr(config)# ip firewall screen suspicious-packets icmp-fragment
esr(config)# logging firewall screen suspicious-packets icmp-fragment
Enable protection against large ICMP packets and logging of the protection mechanism:
esr(config)# ip firewall screen suspicious-packets large-icmp
esr(config)# logging firewall screen suspicious-packets large-icmp
Enable protection against unregistered IP protocols and logging of the protection mechanism:
esr(config)# ip firewall screen suspicious-packets unknown-protocols
esr(config)# logging firewall screen suspicious-packets unknown-protocols
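The recommendation above pairs every enabled screen with its logging statement, and a configuration that drifts (a mechanism enabled without logging, or a mechanism missing altogether) is easy to overlook in a long running-config. The following audit script is an added example, not part of the manual and not Eltex code. It assumes that a configuration dump contains the same statements as the example (one `ip firewall screen ...` and one `logging firewall screen ...` line per mechanism, without the `esr(config)#` prompt); the sample configuration embedded in it is constructed for the demonstration.

```python
"""Audit an ESR-style configuration dump for the 'firewall screen'
protections recommended in the configuration example.

Added example, not Eltex code. Assumption: the running configuration lists
each mechanism as 'ip firewall screen <group> <option>' and its logging as
'logging firewall screen <group> <option>', one statement per line."""

import re

# Mechanisms taken from the configuration example: (group, option)
RECOMMENDED = (
    ("spy-blocking", "spoofing"),
    ("spy-blocking", "syn-fin"),
    ("spy-blocking", "fin-no-ack"),
    ("spy-blocking", "tcp-no-flag"),
    ("spy-blocking", "tcp-all-flags"),
    ("suspicious-packets", "icmp-fragment"),
    ("suspicious-packets", "large-icmp"),
    ("suspicious-packets", "unknown-protocols"),
)

# Matches only positive statements; a 'no ip firewall screen ...' line does
# not match and therefore never counts as an enabled mechanism.
LINE_RE = re.compile(
    r"^\s*(?P<prefix>ip|logging)\s+firewall\s+screen\s+"
    r"(?P<group>spy-blocking|suspicious-packets)\s+(?P<option>[\w-]+)\s*$"
)


def parse_screen_config(config_text):
    """Return (protections, logging) as sets of (group, option) tuples."""
    protections, logging = set(), set()
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m.group("group"), m.group("option"))
        (protections if m.group("prefix") == "ip" else logging).add(key)
    return protections, logging


def audit_screen_config(config_text):
    """Compare a configuration dump against RECOMMENDED.

    Returns a dict with 'missing_protection' (mechanism not enabled) and
    'missing_logging' (mechanism enabled but not logged); empty lists mean
    the configuration follows the recommendations."""
    protections, logging = parse_screen_config(config_text)
    missing_protection = [f"{g} {o}" for g, o in RECOMMENDED
                          if (g, o) not in protections]
    missing_logging = [f"{g} {o}" for g, o in RECOMMENDED
                       if (g, o) in protections and (g, o) not in logging]
    return {"missing_protection": sorted(missing_protection),
            "missing_logging": sorted(missing_logging)}


def remediation_commands(report):
    """Emit the CLI statements (same form as the configuration example)
    that close every gap in an audit report."""
    cmds = []
    for item in report["missing_protection"]:
        cmds.append(f"ip firewall screen {item}")
        cmds.append(f"logging firewall screen {item}")
    for item in report["missing_logging"]:
        cmds.append(f"logging firewall screen {item}")
    return cmds


# Constructed sample: spoofing protection is on but not logged, and the
# large-icmp and unknown-protocols screens are missing entirely.
SAMPLE_CONFIG = """\
hostname esr
!
ip firewall screen spy-blocking spoofing
ip firewall screen spy-blocking syn-fin
logging firewall screen spy-blocking syn-fin
ip firewall screen spy-blocking fin-no-ack
logging firewall screen spy-blocking fin-no-ack
ip firewall screen spy-blocking tcp-no-flag
logging firewall screen spy-blocking tcp-no-flag
ip firewall screen spy-blocking tcp-all-flags
logging firewall screen spy-blocking tcp-all-flags
ip firewall screen suspicious-packets icmp-fragment
logging firewall screen suspicious-packets icmp-fragment
!
"""

if __name__ == "__main__":
    report = audit_screen_config(SAMPLE_CONFIG)
    for key, items in report.items():
        print(f"{key}: {items}")
    print("\n".join(remediation_commands(report)))
```

Run against a saved `show running-config` output, the script lists the screens that are absent and the screens whose logging is off, and prints the statements from the configuration example that would bring the device in line. Statements negated with `no` are ignored by the regular expression, so a mechanism explicitly disabled is reported as missing rather than counted as enabled.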