Security DoS Commands

This chapter contains the following sections:

security-suite dos (Global)

To enable specific Denial of Service (DoS) protections in security suite, use the security-suite dos Global Configuration mode command.

To disable specific DoS protections, use the no form of this command.

Syntax

security-suite dos {daeqsa-deny | icmp-frag-pkts-deny | icmpv4-ping-max-check | icmpv6-ping-max-check | ipv6-min-frag-size-check | land-deny | nullscan-deny | pod-deny | smurf-deny | syn-sportl1024-deny | synfin-deny | synrst-deny | tcp-frag-off-min-check | tcpblat-deny | tcphdr-min-check | udpblat-deny | xma-deny}

security-suite dos icmp-ping-max-length MAX_LEN

security-suite dos ipv6-min-frag-size-length MIN_LEN

security-suite dos smurf-netmask MASK

security-suite dos tcphdr-min-length HDR_MIN_LEN

no security-suite dos {daeqsa-deny | icmp-frag-pkts-deny | icmpv4-ping-max-check | icmpv6-ping-max-check | ipv6-min-frag-size-check | land-deny | nullscan-deny | pod-deny | smurf-deny | syn-sportl1024-deny | synfin-deny | synrst-deny | tcp-frag-off-min-check | tcpblat-deny | tcphdr-min-check | udpblat-deny | xma-deny}

Parameters

daeqsa-deny—Drops the packets if the destination MAC address equals the source MAC address.

icmp-frag-pkts-deny—Drops the fragmented ICMP packets.

icmpv4-ping-max-check—Checks the maximum size of ICMPv4 ping packets and drops the packets larger than the maximum packet size.

icmpv6-ping-max-check—Checks the maximum size of ICMPv6 ping packets and drops the packets larger than the maximum packet size.

ipv6-min-frag-size-check—Checks the minimum size of IPv6 fragments and drops the packets smaller than the minimum size.

land-deny—Drops the packets if the source IP address equals the destination IP address.

nullscan-deny—Drops the packets with NULL scan.

pod-deny—Avoids ping of death attack.

smurf-deny—Avoids smurf attack.

syn-sportl1024-deny—Drops SYN packets with a source port less than 1024.

synfin-deny—Drops the packets with SYN and FIN bits set.

synrst-deny—Drops the packets with SYN and RST bits set.

tcp-frag-off-min-check—Drops the TCP fragment packets with a fragment offset equal to one.

tcpblat-deny—Drops the packets if the source TCP port equals the destination TCP port.

tcphdr-min-check—Checks the minimum TCP header length and drops the TCP packets whose header is smaller than the minimum size.

udpblat-deny—Drops the packets if the source UDP port equals the destination UDP port.

xma-deny—Drops the packets if the sequence number is zero, and the FIN, URG and PSH bits are set.

icmp-ping-max-length MAX_LEN—Specifies the maximum size of the ICMPv4/ICMPv6 ping packets. (Range: 0 to 65535 bytes)

ipv6-min-frag-size-length MIN_LEN—Specifies the minimum size of IPv6 fragments. (Range: 0 to 65535 bytes)

smurf-netmask MASK—Specifies the netmask of smurf attack. (Netmask length range: 0 to 32 bytes)

tcphdr-min-length HDR_MIN_LEN—Specifies the minimum TCP header length. (Range: 0 to 31 bytes)

Default Configuration

All types of DoS protection are enabled in the security suite by default.

The default parameters are:

  • The maximum size of ICMP ping packets is 512 bytes.

  • The minimum size of IPv6 fragments is 1240 bytes.

  • The Smurf netmask length is 0 bytes.

  • The minimum TCP header length is 20 bytes.

Command Mode

Global Configuration mode

Example

The following example enables checking the minimum size of IPv6 fragments and sets the minimum fragment size to 1000 bytes:

switchxxxxxx(config)# security-suite dos ipv6-min-frag-size-check
switchxxxxxx(config)# security-suite dos ipv6-min-frag-size-length 1000

security-suite dos (Interface)

To enable DoS protections on an interface, use the security-suite dos Interface Configuration (Ethernet) mode command.

To disable DoS protections on an interface, use the no form of this command.

Syntax

security-suite dos

no security-suite dos

Parameters

N/A

Default Configuration

Disabled

Command Mode

Interface Configuration (Ethernet) mode

Example

switchxxxxxx(config)# interface gi6
switchxxxxxx(config-if)# security-suite dos

security-suite dos ip gratuitous-arps

To enable gratuitous ARP protection on an interface, use the security-suite dos ip gratuitous-arps Interface Configuration (Ethernet) mode command.

To disable this feature on an interface, use the no form of this command.

Syntax

security-suite dos ip gratuitous-arps

no security-suite dos ip gratuitous-arps

Parameters

N/A

Default Configuration

Disabled

Command Mode

Interface Configuration (Ethernet) mode

Example

switchxxxxxx(config)# interface gi10
switchxxxxxx(config-if)# security-suite dos ip gratuitous-arps

show security-suite dos

To show the DoS protection configuration, use the show security-suite dos Privileged EXEC Mode command.

Syntax

show security-suite dos

Parameters

N/A

Command Mode

Privileged EXEC Mode

Example

switchxxxxxx# show security-suite dos
  Type                      | State (Length)
----------------------------+---------------------------------
  DMAC equal to SMAC        | enabled
  Land (DIP = SIP)          | enabled
  UDP Blat (DPORT = SPORT)  | enabled
  TCP Blat (DPORT = SPORT)  | enabled
  POD (Ping of Death)       | enabled
  IPv6 Min Fragment Size    | enabled  (1000 Bytes)
  ICMP Fragment Packets     | enabled
  IPv4 Ping Max Packet Size | enabled  (512 Bytes)
  IPv6 Ping Max Packet Size | enabled  (512 Bytes)
  Smurf Attack              | enabled  (Netmask Length: 0)
  TCP Min Header Length     | enabled  (20 Bytes)
  TCP Syn (SPORT < 1024)    | enabled
  Null Scan Attack          | enabled
  X-Mas Scan Attack         | enabled
  TCP SYN-FIN Attack        | enabled
  TCP SYN-RST Attack        | enabled
  TCP Fragment (Offset = 1) | enabled
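The show output above is what an auditor has to work from when checking that no DoS protection has been switched off. The following script is an added example, not part of this command reference: it parses a constructed sample of show security-suite dos output (modelled on the format shown above, not captured from a real switch) and reports protections that are disabled or whose length differs from the defaults listed in the Default Configuration section.

```python
import re

# Constructed sample of "show security-suite dos" output, modelled on the
# format in the command reference; two protections are deliberately disabled
# and the IPv6 fragment size is non-default so the audit has something to flag.
SAMPLE_OUTPUT = """\
  Type                      | State (Length)
----------------------------+---------------------------------
  DMAC equal to SMAC        | enabled
  Land (DIP = SIP)          | disabled
  UDP Blat (DPORT = SPORT)  | enabled
  TCP Blat (DPORT = SPORT)  | enabled
  POD (Ping of Death)       | enabled
  IPv6 Min Fragment Size    | enabled  (1000 Bytes)
  ICMP Fragment Packets     | enabled
  IPv4 Ping Max Packet Size | enabled  (512 Bytes)
  IPv6 Ping Max Packet Size | enabled  (512 Bytes)
  Smurf Attack              | enabled  (Netmask Length: 0)
  TCP Min Header Length     | enabled  (20 Bytes)
  TCP Syn (SPORT < 1024)    | enabled
  Null Scan Attack          | enabled
  X-Mas Scan Attack         | disabled
  TCP SYN-FIN Attack        | enabled
  TCP SYN-RST Attack        | enabled
  TCP Fragment (Offset = 1) | enabled
"""

# Expected lengths, taken from the Default Configuration section.
BASELINE = {
    "IPv4 Ping Max Packet Size": 512,
    "IPv6 Ping Max Packet Size": 512,
    "IPv6 Min Fragment Size": 1240,
    "TCP Min Header Length": 20,
}

# One table row: "<type> | enabled|disabled [(<n> Bytes)|(Netmask Length: <n>)]"
ROW_RE = re.compile(
    r"^\s*(?P<type>.+?)\s*\|\s*(?P<state>enabled|disabled)"
    r"(?:\s*\((?:Netmask Length:\s*)?(?P<len>\d+)(?:\s*Bytes)?\))?\s*$"
)

def parse_dos_status(text):
    """Return {type: (is_enabled, length_or_None)}; header/separator lines are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            length = int(m.group("len")) if m.group("len") else None
            rows[m.group("type")] = (m.group("state") == "enabled", length)
    return rows

def audit(rows, baseline=BASELINE):
    """List disabled protections and lengths that deviate from the baseline."""
    findings = []
    for name, (enabled, length) in rows.items():
        if not enabled:
            findings.append(f"{name}: disabled")
        elif name in baseline and length != baseline[name]:
            findings.append(f"{name}: {length} != default {baseline[name]}")
    return findings
```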

show security-suite dos interfaces

To show the DoS protection and gratuitous ARP protection status per interface, use the show security-suite dos interfaces Privileged EXEC Mode command.

Syntax

show security-suite dos interfaces interface-id

Parameters

interface-id—An interface ID or a list of interface IDs.

Command Mode

Privileged EXEC Mode

Example

switchxxxxxx# show security-suite dos interfaces gi1-3
  Port    | DoS Protection | Gratuitous-ARP
----------+----------------+----------------
     gi1  |    enabled     |    enabled
     gi2  |    disabled    |    disabled
     gi3  |    disabled    |    disabled