Prevent Certain Types of DOS Attacks

Protect the switch against IP packets with illegal IP addresses, such as loopback addresses, a source IP address of all ones, or Class D or Class E addresses, so that they are not routed. The switch supports a configurable high-secure flag for this purpose.

About this task

Important

After you enable this flag, the desired behavior (not routing source packets with an IP address of 255.255.255.255) applies to all ports that belong to the same port.

Important

The hsecure setting takes effect only for packets going to the CP, not for datapath traffic.

Procedure

  1. Enter GigabitEthernet Interface Configuration mode:

    enable

    configure terminal

    interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...][slot/all][all]}

    Note

    If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.

  2. Enable high-secure mode:

    high-secure [port {slot/port[/sub-port][-slot/port[/sub-port]][,...][slot/all][all]}] enable

Example

Switch:1> enable 
Switch:1# configure terminal 
Switch:1(config)# interface GigabitEthernet 1/16 
Switch:1(config-if)# high-secure enable 

Variable Definitions

The following table defines parameters for the high-secure command.

Variable

Value

port {slot/port[/sub-port][-slot/port[/sub-port]][,...][slot/all][all]}

Specifies the port on which you want to enable high-secure mode.

Identifies the slot and port in one of the following formats:
  • a single slot and port (slot/port)

  • a range of slots and ports (slot/port-slot/port)

  • a series of slots and ports (slot/port,slot/port,slot/port)

  • all ports on the same slot (slot/all)

  • all ports on the switch (all)

If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.

enable

Enables the high-secure feature that blocks packets with illegal IP addresses. This flag is disabled by default. Use the no operator to remove this configuration. To configure this option to the default value, use the default operator with the command.
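
The source-address categories this flag targets can also be checked offline, for example against exported flow records, to see which ports receive such packets. The following is an added example, not vendor code; the category list is an assumption built only from the classes named on this page (the page says "such as", so the switch's own list may be longer), and the sample records are constructed.

```python
import ipaddress

# Source-address categories named on this page. The page says "such as",
# so the switch's real list may be longer; this set is an assumption.
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
ILLEGAL_SOURCE_NETS = [
    ("loopback", ipaddress.IPv4Network("127.0.0.0/8")),
    ("class-d", ipaddress.IPv4Network("224.0.0.0/4")),
    ("class-e", ipaddress.IPv4Network("240.0.0.0/4")),
]


def classify_source(addr):
    """Return the illegal-source category for addr, or None if none applies."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        return "malformed"
    # Check all-ones first: 255.255.255.255 also falls inside 240.0.0.0/4.
    if ip == LIMITED_BROADCAST:
        return "all-ones"
    for name, net in ILLEGAL_SOURCE_NETS:
        if ip in net:
            return name
    return None


def audit(records):
    """Return (port, src, category) for each record with an illegal source."""
    findings = []
    for port, src in records:
        category = classify_source(src)
        if category is not None:
            findings.append((port, src, category))
    return findings


# Constructed sample: (ingress port, source IP) pairs, e.g. from a flow export.
SAMPLE = [
    ("1/16", "192.0.2.10"),
    ("1/16", "127.0.0.1"),
    ("1/16", "255.255.255.255"),
    ("1/17", "224.0.0.5"),
    ("1/17", "240.1.2.3"),
    ("1/17", "10.0.0.300"),
]

if __name__ == "__main__":
    for port, src, category in audit(SAMPLE):
        print(f"{port:5} {src:16} {category}")
```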