MES53xx, MES33xx, MES23xx Ethernet Switch Series 182
Table 5.210. DoS attack protection configuration commands
security-suite deny
martian-addresses
[reserved] {add | remove}
ip_address
Block frames with invalid (Martian) IP source addresses
(loopback, broadcast, multicast).
security-suite deny syn-fin
Drops tcp packets that have both SYN and FIN flags.
security-suite dos protect
{add | remove}
{stacheldraht |
-trojan}
Drop/allow certain types of traffic that is commonly used by
malware:
- stacheldraht - filter out TCP packets with source port 16660;
- invasor-trojan - filter out TCP packets with destination port
2140 and source port 1024;
- back-orifice-trojan - filter out UDP packets with destination
port 31337 and source port 1024.
Enable the security-suite command class.
Disable the security-suite command class.
Ethernet or port group interface configuration mode commands.
Command line prompt in the Ethernet or port group interface configuration mode is as follows:
console (config-if)#
Table 5.211. Configuration commands for interface protection from DoS attacks.
security-suite deny
{fragmented | icmp | syn}
{add | remove} {any |
ip_address [mask]}
ip_address: IP address;
mask: mask in the form of
IP address or prefix
Creates a rule denying traffic that match the criteria.
- fragmented - fragmented packets;
- icmp - ICMP traffic;
- syn - syn packets.
no security-suite deny
{fragmented | icmp | syn}
security-suite dos
rate{any |
ip_address [mask]}
rate: (199..2000) packets
per second;
ip_address: IP address;
mask: mask in the form of
IP address or prefix
Specify a threshold for syn requests for a specific IP
address/network. All frames exceeding the threshold will be
dropped.
no security-suite dos
synattack {any |
ip_address [mask]}
Restore the default value.
11.5 Quality of Services (QoS)
All ports of the switch use the FIFO principles for queuing packets: first in - first out. This method
may cause some issues with high traffic conditions because the device will ignore all packets which are not
included into the FIFO queue buffer, i. e. such packets will be permanently lost. This can be solved by
organizing queues by traffic priority. The QoS mechanism (Quality of Service) implemented in the switches
allows organisation of 8 queues by packet priority depending on the type of transferred data.
11.5.1 QoS Configuration
Global configuration mode commands
Command line prompt in the global configuration mode is as follows:
console(config)#
To Next Page
Loading...
Need help?
General
