Cisco ASR 5000
Firewall-and-NAT Policy Configuration Mode Commands
firewall dos-protection
Command Line Interface Reference, StarOS Release 18
tcp-syn: Enables protection against TCP SYN Flood attacks.
udp: Enables protection against UDP Flood attacks.
ftp-bounce
Enables protection against FTP Bounce attacks.
ip-sweep { icmp | tcp-syn | udp }
Enables protection against IP Sweep attacks in the downlink direction.
icmp: Enables protection against ICMP IP Sweep attacks.
tcp-syn: Enables protection against TCP SYN IP Sweep attacks.
udp: Enables protection against UDP IP Sweep attacks.
IP Sweep attacks are also detected in the uplink direction. The firewall dos-protection ip-sweep command must be configured in the ACS Configuration mode. The configuration values for packet limit and sampling interval are common for both uplink and downlink.
ip-unaligned-timestamp
Enables protection against IP Unaligned Timestamp attacks.
ipv6-dst-options [ invalid-options | unknown-options ]
Drops IPv6 packets containing the IPv6 destination options header.
The following options are specified in the Destination Options extension header:
The Tunnel Encapsulation Limit option (option type 0x04) is a destination option defined in RFC 2473.
The Home Address option (option type 0xC9) is part of Mobile IP processing defined in RFC 3775. This option is only valid as a Destination Option.
The NSAP Address option (option type 0xC3) is assigned as a Destination Option by RFC 1888 and deprecated (reclassified as historic) by RFC 4048.
invalid-options: Drops IPv6 packets containing invalid IPv6 destination options.
The following values are invalid in the option type field of a Destination Options extension header. Packets carrying these options in a Destination Options header will be dropped.
Value 0xC2, Jumbo Payload
Value 0x05, Router Alert
Value 0x06, Quick Start
Value 0x07, CALIPSO
unknown-options: Drops IPv6 packets containing unknown IPv6 destination options.
ipv6-extension-hdrs [ limit extension_limit ]
Default: 8
Limits the number of IPv6 extension headers in an IPv6 packet. An IPv6 packet can contain zero or more extension headers.
The firewall will not fully parse packets with unknown extension headers, because the format of an unknown extension header is unspecified. In such cases the transport protocol is considered unknown. Packets with an invalid length field in an extension header, and packets with next header 0x01 (ICMPv4), are dropped. IPv6 uses ICMPv6, next header type 0x3A.
extension_limit must be an integer from 0 through 4294967295.
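As an added illustration of the checks the ipv6-dst-options and ipv6-extension-hdrs keywords describe (this is example code, not Cisco's StarOS implementation), the Python checker below walks an IPv6 extension header chain: it enforces an extension header limit, drops next header 0x01, drops an invalid extension header length, stops parsing at an unknown extension header, and classifies Destination Options as invalid or unknown using the option types listed above. The set of extension headers it walks, the "known" option set, the drop-reason strings and the ipv6() packet builder are assumptions constructed for this example.

```python
# Extension header and upper-layer "next header" values this checker understands (RFC 8200)
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
UPPER_LAYER = {6: "tcp", 17: "udp", 58: "icmpv6"}
# Destination option types from the page: Pad1, PadN, Tunnel Encap Limit, NSAP, Home Address
KNOWN_DEST_OPTS = {0x00, 0x01, 0x04, 0xC3, 0xC9}
INVALID_DEST_OPTS = {0xC2: "Jumbo Payload", 0x05: "Router Alert", 0x06: "Quick Start", 0x07: "CALIPSO"}

def classify_dest_options(data: bytes):
    """Return a drop reason for the TLV options in a Destination Options header, or None."""
    i = 0
    while i < len(data):
        opt = data[i]
        if opt == 0x00:                               # Pad1 is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            return "invalid option length"
        if opt in INVALID_DEST_OPTS:
            return f"invalid option 0x{opt:02X} ({INVALID_DEST_OPTS[opt]})"
        if opt not in KNOWN_DEST_OPTS:
            return f"unknown option 0x{opt:02X}"
        i += 2 + data[i + 1]
    return None

def check_ipv6(packet: bytes, limit: int = 8):
    """Walk the extension header chain; return (transport, drop_reason)."""
    if len(packet) < 40:
        return "unknown", "truncated IPv6 header"
    nh, off, count = packet[6], 40, 0
    while True:
        if nh == 1:                                   # ICMPv4 can never follow an IPv6 header
            return "unknown", "next header 0x01 (ICMPv4)"
        if nh in UPPER_LAYER:
            return UPPER_LAYER[nh], None
        if nh not in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
            return "unknown", None                    # unknown extension header: stop parsing
        count += 1
        if count > limit:
            return "unknown", f"more than {limit} extension headers"
        # Fragment header is fixed at 8 bytes; the others carry a length in 8-octet units, excluding the first 8
        hdr_len = 8 if nh == FRAGMENT or off + 1 >= len(packet) else (packet[off + 1] + 1) * 8
        if off + hdr_len > len(packet):
            return "unknown", "invalid extension header length"
        if nh == DEST_OPTS and (reason := classify_dest_options(packet[off + 2:off + hdr_len])):
            return "unknown", reason
        nh, off = packet[off], off + hdr_len

def ipv6(next_header: int, payload: bytes) -> bytes:
    # Constructed IPv6 header (version 6, all-zero addresses, hop limit 64) in front of payload
    return bytes([0x60, 0, 0, 0]) + len(payload).to_bytes(2, "big") + bytes([next_header, 64]) + bytes(32) + payload
```

A packet that passes every check yields the transport name with no drop reason; any drop reason maps to one of the conditions the command reference lists.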