Configuring Denial of Service Protection
- Enable or disable DoS protection using the commands:
  enable dos-protect
  disable dos-protect
After DoS protection is enabled, the switch counts the packets handled by the CPU and, at each interval, evaluates whether to send a notification and/or create an ACL that blocks the offending traffic.
You can configure a number of the values used by DoS protection if the default values are not appropriate for your situation.
The values that you can configure are:
- interval—How often, in seconds, the switch evaluates the DoS counter (default: 1 second)
- alert threshold—The number of packets received in an interval that will generate an ACL (default: 4000 packets)
- notify threshold—The number of packets received in an interval that will generate a notice (default: 3500 packets)
- ACL expiration time—The amount of time, in seconds, that the ACL will remain in place (default: 5 seconds)
- Configure the interval at which the switch checks for DoS attacks using the command:
  configure dos-protect interval seconds
- Configure the alert threshold using the command:
  configure dos-protect type l3-protect alert-threshold packets
- Configure the notification threshold using the command:
  configure dos-protect type l3-protect notify-threshold packets
- Configure the ACL expiration time using the command:
  configure dos-protect acl-expire seconds
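To see how the four settings interact, here is an added Python model of the evaluation loop described above (my own illustration, not the switch's code): it checks the CPU packet count once per interval against the notify and alert thresholds and expires the blocking ACL after acl-expire seconds. Whether a threshold fires when reached or only when exceeded, and what happens when the alert threshold is hit while an ACL is already active, are assumptions made here.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DosProtect:
    """Periodic DoS-protection check; the defaults are the documented ones."""
    interval: int = 1               # seconds between evaluations
    alert_threshold: int = 4000     # packets per interval that create a blocking ACL
    notify_threshold: int = 3500    # packets per interval that send a notice
    acl_expire: int = 5             # seconds the ACL stays in place
    acl_until: Optional[int] = None  # expiry time of the active ACL, if any
    log: List[str] = field(default_factory=list)

    def blocking(self, now: int) -> bool:
        """True while a blocking ACL is in place at time `now`."""
        return self.acl_until is not None and now < self.acl_until

    def evaluate(self, now: int, cpu_packets: int) -> List[str]:
        """One check with the CPU packets counted during the last interval.
        Assumed semantics: a threshold fires when it is reached, and an alert
        while an ACL is already active refreshes its expiry instead of adding one."""
        fired = []
        if self.acl_until is not None and now >= self.acl_until:
            fired.append("acl-expired")
            self.acl_until = None
        if cpu_packets >= self.notify_threshold:
            fired.append("notify")
        if cpu_packets >= self.alert_threshold:
            fired.append("acl-created" if self.acl_until is None else "acl-refreshed")
            self.acl_until = now + self.acl_expire
        self.log.extend(f"t={now}s: {e}" for e in fired)
        return fired

    def run(self, per_interval_counts: List[int]) -> List[List[str]]:
        """Feed one count per interval, starting at t=0; return what fired each time."""
        return [self.evaluate(i * self.interval, n)
                for i, n in enumerate(per_interval_counts)]


if __name__ == "__main__":
    # Constructed sample: a burst crosses the notify threshold, then the alert
    # threshold, then traffic goes quiet long enough for the ACL to expire.
    dp = DosProtect()
    for t, n in enumerate([100, 3600, 4500, 100, 100, 100, 100, 100, 100]):
        fired = dp.evaluate(t * dp.interval, n)
        print(f"t={t}s packets={n} blocking={dp.blocking(t)} fired={fired}")
```

Lowering acl-expire shortens how long a misbehaving source is blocked, while a notify threshold well below the alert threshold gives an operator warning before the switch starts filtering.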