Denial of Service (DoS) Commands
78-21075-01 Command Line Interface Reference Guide

User Guidelines

For this command to work, security-suite enable must be enabled both globally and for interfaces.

This command rate limits ingress TCP packets with "SYN=1", "ACK=0" and "FIN=0" for the specified destination IP addresses.

SYN attack rate limiting is implemented after the security suite rules are applied to the packets. The ACL and QoS rules are not applied to those packets.

Since the hardware rate limiting counts bytes, it is assumed that the size of "SYN" packets is short.

Example

The following example attempts to rate limit DoS SYN attacks on a port. It fails because security suite is enabled globally and not per interface.

switchxxxxxx(config)# security-suite enable global-rules-only
switchxxxxxx(config)# interface gi1
switchxxxxxx(config-if)# security-suite dos syn-attack 199 any /10
To perform this command, DoS Prevention must be enabled in the per-interface mode.
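The classification rule above (SYN=1, ACK=0, FIN=0, matched on destination address) and the byte-counting caveat can be seen in software. The following is an added example, not code from the Cisco guide or the switch firmware: it parses the TCP flags byte, scopes the match to a destination prefix, and feeds the matching segments through a token bucket that spends tokens per byte. The sample headers, addresses and byte budget are constructed for the demonstration; the point it makes is that one byte budget admits fewer SYNs as frame size grows, which is why the guide assumes SYN packets are short.

```python
"""Added example, not from the Cisco guide: classify TCP segments the way the
security-suite dos syn-attack command does (SYN=1, ACK=0, FIN=0, matched on the
destination address) and rate-limit the matches with a token bucket that, like
the hardware described in the guide, counts bytes rather than packets."""
import ipaddress
import struct

# TCP flag bits (RFC 793); the flags byte is offset 13 of the TCP header.
FIN, SYN, ACK = 0x01, 0x02, 0x10


def is_syn_only(tcp_header: bytes) -> bool:
    """True for the pattern the command limits: SYN set, ACK and FIN clear."""
    if len(tcp_header) < 20:
        return False
    flags = tcp_header[13]
    return bool(flags & SYN) and not (flags & ACK) and not (flags & FIN)


def build_tcp_header(flags: int, src_port: int = 40000, dst_port: int = 80) -> bytes:
    """Constructed 20-byte TCP header (no options) used as sample input."""
    data_offset = 5 << 4  # header length in 32-bit words, in the high nibble
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       data_offset, flags, 65535, 0, 0)


class ByteTokenBucket:
    """Rate limiter that spends one token per byte, so the number of packets
    it admits per second depends on packet size (the guide's caveat)."""

    def __init__(self, bytes_per_second: int):
        self.rate = bytes_per_second
        self.tokens = float(bytes_per_second)  # start with a full one-second budget
        self.last = 0.0

    def admit(self, size: int, now: float) -> bool:
        self.tokens = min(self.rate, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def filter_syn_burst(packets, bytes_per_second, dst_net="any", now=0.0):
    """Run a burst of (dst_ip, tcp_header, frame_len) tuples through the limiter.

    Only SYN-only segments addressed into dst_net are limited; every other
    packet passes untouched. Returns (admitted_syn, dropped_syn, passed_other)."""
    net = None if dst_net == "any" else ipaddress.ip_network(dst_net, strict=False)
    bucket = ByteTokenBucket(bytes_per_second)
    admitted = dropped = other = 0
    for dst_ip, header, size in packets:
        in_scope = net is None or ipaddress.ip_address(dst_ip) in net
        if in_scope and is_syn_only(header):
            if bucket.admit(size, now):
                admitted += 1
            else:
                dropped += 1
        else:
            other += 1
    return admitted, dropped, other


if __name__ == "__main__":
    syn = build_tcp_header(SYN)
    # Constructed burst: 100 minimal SYNs in one instant against a 1000 byte/s budget.
    print(filter_syn_burst([("192.0.2.10", syn, 64)] * 100, 1000))   # (15, 85, 0)
    # Same budget, larger frames: the byte counter admits far fewer SYNs.
    print(filter_syn_burst([("192.0.2.10", syn, 200)] * 100, 1000))  # (5, 95, 0)
```

With a 1000 byte per second budget, 64-byte SYNs get 15 through before the bucket empties, while 200-byte frames get only 5; a limit expressed in bytes therefore translates into a packet rate only if the SYN size is roughly known, which is the assumption the guide states.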
50.4 security-suite deny martian-addresses

Use the security-suite deny martian-addresses Global Configuration mode command to deny packets containing system-reserved IP addresses or user-defined IP addresses.

Syntax

security-suite deny martian-addresses {add {ip-address {mask | /prefix-length}} | remove {ip-address {mask | /prefix-length}}} (Add/remove user-specified IP addresses)

security-suite deny martian-addresses reserved {add | remove} (Add/remove system-reserved IP addresses, see tables below)

no security-suite deny martian-addresses (This command removes addresses reserved by security-suite deny martian-addresses {add {ip-address {mask | /prefix-length}} | remove {ip-address {mask | /prefix-length}}}, and removes all entries added by the user. The user can remove a specific entry by using the remove ip-address {mask | /prefix-length} parameter.)
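The three forms of the command (user add/remove, reserved add/remove, and the no form) map onto a small filter model. The following is an added example, not code from the Cisco guide or the switch: it accepts both the dotted mask and the /prefix-length notation the syntax allows, keeps user entries and the reserved set separately, and clears both on the no form. The system-reserved ranges in it are an assumption chosen from well-known non-routable blocks, because the guide's own table of reserved addresses is not reproduced on this page; the sample source addresses are constructed.

```python
"""Added example, not from the Cisco guide: a software model of the
security-suite deny martian-addresses command built on Python's ipaddress
module. The SYSTEM_RESERVED ranges are an assumption for the demo; the guide's
own table of reserved addresses is not reproduced on this page."""
import ipaddress

# ASSUMED system-reserved ("martian") ranges, chosen from well-known
# non-routable blocks; substitute the guide's table for real use.
SYSTEM_RESERVED = tuple(ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",      # "this" network
    "127.0.0.0/8",    # loopback
    "224.0.0.0/4",    # multicast
    "240.0.0.0/4",    # reserved, includes the limited broadcast address
))


def to_network(ip_address: str, mask_or_prefix: str):
    """Accept either form the command syntax allows: a dotted mask
    ("255.255.0.0") or a "/prefix-length" ("/16"). strict=False lets the
    caller pass a host address, which is normalised to its network."""
    suffix = mask_or_prefix.lstrip("/")
    return ipaddress.ip_network(f"{ip_address}/{suffix}", strict=False)


class MartianFilter:
    def __init__(self):
        self.user_entries = set()       # networks configured with "add"
        self.reserved_enabled = False   # toggled with "reserved add" / "reserved remove"

    def add(self, ip_address: str, mask_or_prefix: str):
        """security-suite deny martian-addresses add ip-address {mask | /prefix-length}"""
        self.user_entries.add(to_network(ip_address, mask_or_prefix))

    def remove(self, ip_address: str, mask_or_prefix: str):
        """... remove ip-address {mask | /prefix-length}: drop one user entry."""
        self.user_entries.discard(to_network(ip_address, mask_or_prefix))

    def reserved(self, enable: bool):
        """... reserved {add | remove}: turn the system-reserved set on or off."""
        self.reserved_enabled = enable

    def clear(self):
        """The no form: drop the reserved set and every user entry."""
        self.user_entries.clear()
        self.reserved_enabled = False

    def is_denied(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if self.reserved_enabled and any(addr in net for net in SYSTEM_RESERVED):
            return True
        return any(addr in net for net in self.user_entries)

    def filter_sources(self, source_ips):
        """Split a list of packet source addresses into (passed, denied)."""
        passed = [ip for ip in source_ips if not self.is_denied(ip)]
        denied = [ip for ip in source_ips if self.is_denied(ip)]
        return passed, denied


if __name__ == "__main__":
    f = MartianFilter()
    f.reserved(True)                     # reserved add
    f.add("10.1.0.0", "255.255.0.0")     # user entry, dotted-mask form
    f.add("172.16.8.0", "/21")           # user entry, prefix-length form
    # Constructed sample of packet source addresses.
    print(f.filter_sources(["127.0.0.1", "10.1.5.5", "172.16.15.1", "198.51.100.7"]))
```

Running the sample denies 127.0.0.1 (reserved), 10.1.5.5 and 172.16.15.1 (user entries) and passes 198.51.100.7. Because the two entry forms normalise to the same network object, an entry added with a dotted mask can be removed with the equivalent /prefix-length, as the command syntax allows.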