Denial of Service Protection
ExtremeWare XOS 11.3 Concepts Guide
321
Configuring Denial of Service Protection
To enable or disable DoS protection, use the following commands:
enable dos-protect
disable dos-protect
After enabling DoS protection, the switch will count the packets handled by the CPU and periodically
evaluate whether to send a notification and/or create an ACL to block offending traffic. You can
configure a number of the values used by DoS protection if the default values are not appropriate for
your situation. The values that you can configure are:
● interval—How often, in seconds, the switch evaluates the DoS counter (default: 1 second)
● alert threshold—The number of packets received in an interval that will generate an ACL (default:
4000 packets)
● notify threshold—The number of packets received in an interval that will generate a notice (default:
3500 packets)
● ACL expiration time—The amount of time, in seconds, that the ACL will remain in place (default: 5
seconds)
To configure the interval at which the switch checks for DoS attacks, use the following command:
configure dos-protect interval <seconds>
To configure the alert threshold, use the following command:
configure dos-protect type l3-protec
t alert-threshold <packets>
To configure the notification threshold, use the following command:
configure dos-protect type l3-protec
t notify-threshold <packets>
To configure the ACL expiration time, use the following command:
configure dos-protect acl-expire <seconds>
Configuring Trusted Ports
Traffic from trusted ports will be ignored when DoS protect counts the packets to the CPU. If we know
that a machine connected to a certain port on the switch is a safe "trusted" machine, and we know that
we will not get a DoS attack from that machine, the port where this machine is connected to can be
configured as a trusted port, even though a large amount of traffic is going through this port.
To configure the trusted ports list, use the following command:
configure dos-protect trusted-ports [p
orts [<ports> | all] | add-ports [<po
rts-to-add>
| all] | delete-ports [<ports-to-delete> | all] ]
Displaying DoS Protection Settings
To display the DoS protection settings, use the following command:
show dos-protect {detail}
To Next Page
Loading...
Need help?
General
