
Cisco SF220-24 Administration Guide

289 pages
Configuring Security
Configuring DoS Protection
Cisco 220 Series Smart Switches Administration Guide Release 1.1.0.x 217
16
STEP 4 Click Apply. The DoS protection and IP gratuitous ARP protection are enabled or
disabled on the port, and the Running Configuration is updated.
Configuring SYN Protection
An attacker can use the network ports to direct a SYN attack at the switch, which consumes TCP resources (buffers) and CPU power.
Because the CPU is protected using SCT, TCP traffic to the CPU is limited. However, if one or more ports are attacked with a high rate of SYN packets, the CPU receives only the attacker's packets, which creates a Denial of Service (DoS).
When the SYN protection feature is in use, the CPU counts, per second, the SYN packets ingressing from each network port to the CPU.
If the count is higher than the user-defined threshold, a "deny SYN with MAC-to-me" rule is applied on the port. This rule is unbound from the port every user-defined interval (SYN Protection Period).
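The counting and blocking behavior described above can be modeled in a few lines. This is an added illustration, not Cisco firmware or code from the guide; the port names, the threshold of 80, the period of 60 seconds and the traffic are constructed values, and the model assumes the rule is unbound one period after it was applied.

```python
# Illustrative model of the per-port SYN rate check; not Cisco firmware.
SYN, ACK = 0x02, 0x10  # TCP flag bits

class SynProtection:
    def __init__(self, threshold, period):
        self.threshold = threshold   # max SYNs per second per port (user-defined)
        self.period = period         # SYN Protection Period, in seconds
        self.window = {}             # port -> [current second, SYN count]
        self.blocked_until = {}      # port -> time the deny rule is unbound (assumed)
        self.last_attack = {}        # port -> time the last flood was detected

    def handle(self, t, port, flags):
        """Return 'forward' or 'drop' for a TCP packet sent to the CPU at time t."""
        if not flags & SYN:
            return "forward"                     # the rule only denies SYN packets
        if t < self.blocked_until.get(port, 0):
            return "drop"                        # deny rule still bound to the port
        win = self.window.setdefault(port, [int(t), 0])
        if win[0] != int(t):                     # new one-second counting window
            win[0], win[1] = int(t), 0
        win[1] += 1
        if win[1] > self.threshold:              # rate exceeded: bind the deny rule
            self.blocked_until[port] = t + self.period
            self.last_attack[port] = t
            return "drop"
        return "forward"

def simulate():
    """Run constructed traffic through the model and tally verdicts per port."""
    sp = SynProtection(threshold=80, period=60)           # constructed values
    events = [(i / 200, "fa2", SYN) for i in range(200)]  # 200 SYN/s on one port
    events += [(i / 5, "fa1", SYN) for i in range(5)]     # ordinary rate on another
    events += [(10.0, "fa2", ACK), (30.0, "fa2", SYN), (61.0, "fa2", SYN)]
    events.sort(key=lambda e: e[0])
    tally, late = {}, {}
    for t, port, flags in events:
        verdict = sp.handle(t, port, flags)
        tally[(port, verdict)] = tally.get((port, verdict), 0) + 1
        if t >= 10:
            late[t] = verdict                    # verdicts after the flood second
    return tally, late, sp.last_attack

if __name__ == "__main__":
    print(simulate())
```

In the constructed run, the port over the threshold loses every SYN until the period expires, while its non-SYN traffic and the other port are unaffected. Legitimate connection attempts arriving on the blocked port are dropped along with the flood.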
To configure the SYN Protection settings:
STEP 1 Click Security > Denial of Service > SYN Protection.
The SYN Protection Interface Table displays the following information:
• Interface—Shows the port ID.
• Current State—Shows whether the SYN Protection feature is enabled or disabled on the port.
• Last Attack—Shows the time of the last SYN flood attack detected on the port.
STEP 2 Enter the global SYN Protection parameters:
• Block SYN-RST Packets—Check Enable to enable the feature. All TCP packets with both the SYN and RST flags set are dropped on ports that have DoS protection enabled.
• Block SYN-FIN Packets—Check Enable to enable the feature. All TCP packets with both the SYN and FIN flags set are dropped on ports that have DoS protection enabled.
• SYN Protection Mode—Select one of the following protection modes:
- Disable—The feature is disabled on the port.
