Netgear XCM8806 - 8800 SERIES 6-SLOT CHASSIS SWITCH User Manual

NETGEAR 8800 User Manual | Chapter 17. Security | 463
The remainder of this section describes how to configure DoS protection, including alert 
thresholds, notify thresholds, ACL expiration time, and so on.
Configuring Denial of Service Protection
To enable or disable DoS protection, use the following commands:
enable dos-protect
disable dos-protect
After enabling DoS protection, the switch will count the packets handled by the CPU and 
periodically evaluate whether to send a notification and/or create an ACL to block offending 
traffic. You can configure a number of the values used by DoS protection if the default values 
are not appropriate for your situation. 
The values that you can configure are:
• interval—How often, in seconds, the switch evaluates the DoS counter (default: 1 second)
• alert threshold—The number of packets received in an interval that will generate an ACL (default: 4000 packets)
• notify threshold—The number of packets received in an interval that will generate a notice (default: 3500 packets)
• ACL expiration time—The amount of time, in seconds, that the ACL will remain in place (default: 5 seconds)
To configure the interval at which the switch checks for DoS attacks, use the following 
command:
configure dos-protect interval <seconds>
 
To configure the alert threshold, use the following command:
configure dos-protect type l3-protect alert-threshold <packets>
 
To configure the notification threshold, use the following command:
configure dos-protect type l3-protect notify-threshold <packets>
To configure the ACL expiration time, use the following command:
configure dos-protect acl-expire <seconds>
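The following Python model is an added example, not code from NETGEAR or from this manual. It replays constructed per-interval packet counts through the four parameters above, plus the trusted-port exclusion described under Configuring Trusted Ports, to show when notices and ACLs would fire. Assumptions: thresholds compare with >=, the ACL is keyed on the busiest untrusted port, and the function name and port names are hypothetical.

```python
# Simplified model of the DoS-protect evaluation loop (added illustration).
# Assumptions, not from the manual: thresholds compare with >=, the ACL is
# keyed on the busiest untrusted ingress port, and an ACL created at time t
# stops blocking at t + acl_expire. Port names are constructed.

def simulate(offered, interval=1, alert=4000, notify=3500, acl_expire=5,
             trusted=()):
    """offered: one {port: packets_to_cpu} dict per evaluation interval.
    Returns a list of (seconds, event, detail) tuples."""
    events, blocked = [], {}          # blocked: port -> ACL expiry (seconds)
    for i, per_port in enumerate(offered):
        now = (i + 1) * interval      # evaluation happens at interval end
        start = now - interval
        # Remove ACLs whose lifetime ended before this interval began.
        for port in [p for p, t in blocked.items() if t <= start]:
            del blocked[port]
            events.append((start, "acl-expired", port))
        # Count only packets from untrusted ports that no ACL is blocking.
        counted = {p: n for p, n in per_port.items()
                   if p not in trusted and p not in blocked}
        total = sum(counted.values())
        if total >= notify:
            events.append((now, "notify", total))
        if total >= alert and counted:
            worst = max(counted, key=counted.get)
            blocked[worst] = now + acl_expire
            events.append((now, "acl-created", worst))
    return events

# Constructed sample: port "1:5" floods at 6000 packets/s for 14 s, trusted
# port "2:1" carries 9000 packets/s of known-good traffic, "1:2" is background.
FLOOD = [{"1:5": 6000, "2:1": 9000, "1:2": 200} for _ in range(14)]

if __name__ == "__main__":
    for event in simulate(FLOOD, trusted={"2:1"}):
        print(event)
```

In this model, with the default values, a sustained flood reaches the CPU again for one interval each time the 5-second ACL expires. Without the trusted-port entry, the first ACL lands on the busy known-good port instead of the flooding one.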
Configuring Trusted Ports
Traffic from trusted ports is ignored when DoS protection counts the packets sent to the CPU. If 
a machine connected to a port on the switch is known to be a safe, "trusted" machine that will 
not be the source of a DoS attack, the port it is connected to can be configured as a trusted 
port, even if a large amount of traffic passes through that port.
To configure the trusted ports list, use the following command: