Configuring Denial of Service Protection

Enable or disable DoS protection using the command:
enable dos-protect

disable dos-protect
After enabling DoS protection, the switch will count the packets handled by the CPU and periodically evaluate whether to send a notification and/or create an ACL (Access Control List) to block offending traffic.

You can configure a number of the values used by DoS protection if the default values are not appropriate for your situation.

The values that you can configure are:
- interval—How often, in seconds, the switch evaluates the DoS counter (default: 1 second)
- alert threshold—The number of packets received in an interval that will generate an ACL (default: 4000 packets)
- notify threshold—The number of packets received in an interval that will generate a notice (default: 3500 packets)
- ACL expiration time—The amount of time, in seconds, that the ACL will remain in place (default: 5 seconds)
Configure the interval at which the switch checks for DoS attacks using the command:
configure dos-protect interval seconds
Configure the alert threshold using the command:
configure dos-protect type l3-protect alert-threshold packets
Configure the notification threshold using the command:
configure dos-protect type l3-protect notify-threshold packets
Configure the ACL expiration time using the command:
configure dos-protect acl-expire seconds

Published March 2020prev | next