Preventing certain types of DOS attacks
Protect the switch against IP packets with illegal IP addresses such as loopback addresses or a source IP address of ones, or Class D or Class E addresses from being routed. The switch supports high-secure configurable flag.
About this task
Important
After you enable this flag, the desired behavior (not routing source packets with an IP address of 255.255.255.255) applies to all ports that belong to the same port.
Important
The setting to enable hsecure only takes effect for packets going to the CP; not to datapath traffic.
Procedure
-
Enter GigabitEthernet Interface
Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}
Note
If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.
Example
Switch:1> enable Switch:1# configure terminal Switch:1(config)# interface GigabitEthernet 1/16 Switch:1(config-if)# high-secure enable
Variable Definitions
The following table defines parameters for the high-secure command.
|
Variable |
Value |
|---|---|
|
port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]} |
Specifies the port on which you want to enable high-secure mode. Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port. |
|
enable |
Enables the high-secure feature that blocks packets with illegal IP addresses. This flag is disabled by default. Use the no operator to remove this configuration. To configure this option to the default value, use the default operator with the command. |