Cisco Systems EA6500 User Manual

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide—Release 12.1 E
78-14099-04
Chapter 24
Configuring Denial of Service Protection
This chapter contains information on how to protect your system against Denial of Service (DoS) 
attacks. The information covered in this chapter is unique to the Catalyst 6500 series switches, and it 
supplements the network security information and procedures in the 
 in 
this publication as well as the network security information and procedures in these publications:
  • Cisco IOS Security Configuration Guide, Release 12.2, at this URL:
  • Cisco IOS Security Command Reference, Release 12.2, at this URL
DoS Protection Overview
The DoS protection available on the Catalyst 6500 series switch provides support against two types of 
DoS attack scenarios:
  • Data-packet processing that starves routing-protocol processing may result in DoS attacks such as the 
    following:
      – Routing peer loss due to hello timeouts
      – HSRP peer loss due to hello timeouts
      – Routing protocol slow convergence
  • Data packets congesting a CPU inband datapath may result in DoS attacks such as the following:
      – Routing peer loss due to hello packet drops
      – HSRP peer loss due to hello packet drops
Note: DoS protection used at the local router may not prevent peer loss caused by data-packet congestion on 
the external link.
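
The second scenario above, data packets congesting the CPU inband datapath until hello packets are dropped, can be reproduced in a small model. This Python simulation is an added example, not part of the Cisco guide: the queue length, CPU service rate and traffic rates are constructed values, and the 3-second hello and 10-second hold timers are the HSRP defaults.

```python
"""Toy model (added example): one tail-drop FIFO feeds the route processor CPU.
Queue length, CPU rate and traffic rates are constructed, not Catalyst 6500 figures."""

def simulate(data_pps, duration_s=30, cpu_pps=1000, queue_len=500,
             hello_s=3, hold_s=10):
    """Return (ms at which the peer is declared down, or None; hellos dropped)."""
    enq = srv = 0                 # packets ever enqueued / ever serviced
    credit_in = credit_cpu = 0    # integer accumulators, units of 1/1000 packet
    waiting = []                  # FIFO positions of hellos still queued
    last_hello_ms = 0             # peer counted as heard at t=0
    dropped = 0
    for ms in range(1, duration_s * 1000 + 1):
        # Data packets punted to the CPU arrive first in this millisecond.
        credit_in += data_pps
        arrivals, credit_in = divmod(credit_in, 1000)
        enq += min(arrivals, queue_len - (enq - srv))   # tail drop when full
        # The peer's hello competes for the same queue.
        if ms % (hello_s * 1000) == 0:
            if enq - srv < queue_len:
                enq += 1
                waiting.append(enq)
            else:
                dropped += 1
        # The CPU drains the queue in FIFO order.
        credit_cpu += cpu_pps
        served, credit_cpu = divmod(credit_cpu, 1000)
        srv = min(enq, srv + served)
        while waiting and waiting[0] <= srv:
            waiting.pop(0)
            last_hello_ms = ms
        # Hold timer expires: the routing or HSRP peer is declared lost.
        if ms - last_hello_ms > hold_s * 1000:
            return ms, dropped
    return None, dropped

if __name__ == "__main__":
    for pps in (200, 5000):       # constructed light and heavy data loads
        down_ms, dropped = simulate(pps)
        state = f"peer lost at {down_ms} ms" if down_ms else "peer stays up"
        print(f"{pps:>5} data pps: {state}, {dropped} hellos dropped")
```

In this model the peer is lost purely because hellos share a queue with data packets; the CPU is never too slow to process a hello that actually reaches it.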