Virus Throttling (5300xl Switches Only) 
General Configuration Guidelines 
As stated earlier, connection-rate filtering is triggered only by routed, inbound 
traffic generating a relatively high number of new IP connection requests from 
the same host. Thus, for the switch to apply connection-rate filters, IP routing 
and multiple VLANs with member ports must first be configured. 
For a network that is relatively attack-free: 
1.  Enable notify-only mode on the ports you want to monitor. 
2.  Set global sensitivity to low. 
3.  Use clear arp to clear the ARP cache. 
4.  If SNMP trap receivers are available in your network, use the snmp-server 
command to configure the switch to send SNMP traps. 
5.  Monitor the Event Log or (if configured) the available SNMP trap receivers 
to identify hosts exhibiting high connection rates. 
6.  Check any hosts that exhibit relatively high connection rate behavior to 
determine whether malicious code or legitimate use is the cause of the 
behavior. 
7.  Hosts demonstrating high but legitimate connection rates, such as heavily 
used servers, may trigger a connection-rate filter. Configure 
connection-rate ACLs to create policy exceptions for trusted hosts. 
Exceptions can be configured for these criteria: 
•  A single source host or group of source hosts 
•  A source subnet 
•  Either of the above with TCP or UDP criteria 
(For more on connection-rate ACLs, refer to “Application Options” on 
page 3-6.) 
8.  Increase the sensitivity to Medium and repeat steps 6 and 7. 
Note: On networks that are relatively infection-free, sensitivity levels above 
Medium are not recommended. 
9.  (Optional.) Enable throttle or block mode on the monitored ports. 
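
The steps above as a ProCurve CLI session, added here as an illustration and not taken from the original manual page. The port list (B1-B4), VLAN ID (20), trap receiver address and community, ACL name (trusted-servers) and server address are placeholder values; commands are entered from the global configuration context, and lines starting with ";" are annotations.

```text
; Steps 1-2: watch the ports without acting on traffic, at the lowest sensitivity
filter connection-rate B1-B4 notify-only
connection-rate-filter sensitivity low

; Step 3: clear the ARP cache
clear arp

; Step 4: send traps to a receiver (placeholder address and community)
snmp-server host 10.10.10.50 public

; Step 5: review the Event Log and the hosts flagged so far
show logging
show connection-rate-filter all-hosts

; Step 7: exempt a trusted, heavily used server (placeholder host)
; and apply the connection-rate ACL to the VLAN that receives its traffic
ip access-list connection-rate-filter trusted-servers
ignore ip host 10.10.20.5
exit
vlan 20 ip access-group trusted-servers connection-rate-filter

; Step 8: raise sensitivity, then repeat the checks in steps 6 and 7
connection-rate-filter sensitivity medium

; Step 9 (optional): move from notification to enforcement
filter connection-rate B1-B4 throttle
```

Staying in notify-only mode until the exceptions from step 7 are in place keeps a busy server from being throttled or blocked when enforcement is enabled in step 9.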