319
Chapter 31 Commands for Security
Feature
31.1 dosattack-check srcip-equal-dstip enable
Command: [no] dosattack-check srcip-equal-dstip enable
Function: Enable the function by which the switch checks if the source IP address is
equal to the destination IP address; the ―no‖ form of this command disables this function.
Parameter: None
Default: Disable the function by which the switch checks if the source IP address is equal
to the destination IP address.
Command Mode: Global Mode
Usage Guide: By enabling this function, data packet whose source IP address is equal to
its destination address will be dropped
Example: Drop the data packet whose source IP address is equal to its destination
address
Switch(config)# dosattack-check srcip-equal-dstip enable
31.2 dosattack-check tcp-flags enable
Command: [no] dosattack-check tcp-flags enable
Function: Enable the function by which the switch will check the unauthorized TCP label
function; the ―no‖ form of this command will disable this function.
Parameter: None
Default: This function disable on the switch by default
Command Mode: Global Mode
Usage Guide: With this function enabled, the switch will be able to drop follow four data
packets containing unauthorized TCP label: SYN=1 while source port is smaller than
1024;TCP label positions are all 0 while its serial No. =0;FIN=1,URG=1,PSH=1 and the
TCP serial No.=0;SYN=1 and FIN=1. This function can be used associating the
―dosattack-check ipv4-first-fragment enable‖ command.
Example: Drop one or more types of above four packet types.
Switch(config)# dosattack-check tcp-flags enable
To Next Page
Loading...
