Cisco ASR 5700
ACS Configuration Mode Commands
firewall dos-protection ip-sweep
Command Line Interface Reference, StarOS Release 17
packet limit packet_limit
Specifies the maximum number of packets allowed during a sampling interval for uplink and downlink.
packet_limit must be an integer from 1 through 4294967295.
Default: 1000 packets per sampling interval for all protocols.
downlink-server-limit server_limit
Specifies the number of internet hosts that can be blocked in the uplink and downlink direction.
server_limit must be an integer from 2 through 999.
Default: 100
inactivity-timeout inactivity_timeout
Specifies the inactivity timeout period for uplink and downlink, in seconds. This allows flooding traffic if the destination is inactive for more than the configured period.
inactivity_timeout must be an integer from 1 through 4294967295.
Default: 300 seconds
sample-interval interval
Specifies the IP Sweep sample interval, in seconds. The maximum sampling-interval configurable is 60 seconds.
interval must be an integer from 1 through 60.
Default: 1 second
Usage
Use this command to enable or disable IP Sweep Protection in the uplink direction for mobile subscribers and internet hosts on a per protocol basis. The purpose of the Uplink IP Sweep protection is to check whether a particular source IP address is generating more flows per sample interval than is permitted. If so, the first packets that come after the maximum packet limit during the particular time interval will be dropped.
IP Sweep attacks are also detected in the downlink direction. The firewall dos-protection ip-sweep command must be configured in the FW-and-NAT Policy Configuration mode. The configuration values for packet limit and sampling interval are common for both uplink and downlink.
Example
The following command enables ICMP uplink protection for all servers with packet limit set to 30:
firewall dos-protection ip-sweep icmp protect-servers all packet limit 30
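The following added example (not Cisco code and not part of the original reference) models how packet limit and sample-interval interact as described under Usage, so a limit can be tried against sample traffic before it is configured. It assumes a per-source, per-protocol packet counter that resets at each sample-interval boundary; the class and function names, and the traffic, are constructed for illustration.

```python
from collections import defaultdict

# Ranges come from the parameter descriptions on this page.
RANGES = {"packet_limit": (1, 4294967295), "sample_interval": (1, 60)}


class IpSweepModel:
    """Assumed model: one packet counter per (source IP, protocol) that resets
    at every sample-interval boundary. inactivity-timeout and
    downlink-server-limit are not modelled."""

    def __init__(self, packet_limit=1000, sample_interval=1):  # page defaults
        for name, value in (("packet_limit", packet_limit),
                            ("sample_interval", sample_interval)):
            lo, hi = RANGES[name]
            if not isinstance(value, int) or not lo <= value <= hi:
                raise ValueError(f"{name} must be an integer from {lo} through {hi}")
        self.packet_limit = packet_limit
        self.sample_interval = sample_interval
        self._windows = {}  # (src, proto) -> [interval index, packets seen]

    def allow(self, src, proto, timestamp):
        """Return True to forward the packet, False to drop it."""
        index = int(timestamp // self.sample_interval)
        state = self._windows.get((src, proto))
        if state is None or state[0] != index:
            state = self._windows[(src, proto)] = [index, 0]  # new interval
        state[1] += 1
        return state[1] <= self.packet_limit


def simulate(packets, **settings):
    """packets: (timestamp_seconds, src, proto) tuples. Returns drops per source."""
    model = IpSweepModel(**settings)
    drops = defaultdict(int)
    for timestamp, src, proto in sorted(packets):
        if not model.allow(src, proto, timestamp):
            drops[src] += 1
    return dict(drops)


# Constructed traffic: 192.0.2.10 sends 50 ICMP packets within half a second,
# 192.0.2.20 sends one ICMP packet per second for 50 seconds.
SAMPLE = [(i * 0.01, "192.0.2.10", "icmp") for i in range(50)]
SAMPLE += [(float(i), "192.0.2.20", "icmp") for i in range(50)]

if __name__ == "__main__":
    print(simulate(SAMPLE, packet_limit=30, sample_interval=1))
    print(simulate(SAMPLE, packet_limit=30, sample_interval=60))
```

With the limit of 30 from the example command, the slow sender is untouched at a 1-second interval but loses packets at a 60-second interval, which is why the two values need to be chosen together.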