Netgear XCM8806 - 8800 SERIES 6-SLOT CHASSIS SWITCH User Manual

Page 464 | Chapter 17. Security | NETGEAR 8800 User Manual
configure dos-protect trusted-ports [ports [<ports> | all] | add-ports [<ports-to-add> | all] | delete-ports [<ports-to-delete> | all]]
Displaying DoS Protection Settings
To display the DoS protection settings, use the following command:
show dos-protect {detail}
Protocol Anomaly Protection
The NETGEAR chipsets contain built-in hardware protocol checkers that support port 
security features for security applications, such as stateless DoS protection. The protocol 
checkers allow users to drop the packets based on the following conditions, which are 
checked for ingress packets prior to the L2/L3 entry table:
• SIP = DIP for IPv4/IPv6 packets
• TCP_SYN flag = 0 for IPv4/IPv6 packets
• TCP packets with control flags = 0 and sequence number = 0 for IPv4/IPv6 packets
• TCP packets with the FIN, URG and PSH bits set and sequence number = 0 for IPv4/IPv6 packets
• TCP packets with both the SYN and FIN bits set for IPv4/IPv6 packets
• TCP source port number = TCP destination port number for IPv4/IPv6 packets
• First TCP fragment that does not carry the full TCP header (less than 20 bytes) for IPv4/IPv6 packets
• TCP packets with an IP fragment offset value of 1 for IPv4/IPv6 packets
• UDP source port number = UDP destination port number for IPv4/IPv6 packets
• ICMP ping packets whose payload is larger than the programmed ICMP maximum size for IPv4/IPv6 packets
• Fragmented ICMP packets for IPv4/IPv6 packets
The protocol anomaly detection security functionality is supported by a set of anomaly-protection enable, disable, configure, clear, and show CLI commands. For further details, see the chapter on security commands in the NETGEAR 8800 Chassis Switch CLI Manual.
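As an added example (not NETGEAR's code), the following Python reproduces several of the IPv4/TCP conditions listed above in software, so a captured packet can be checked against the same rules the hardware protocol checkers apply; the IPv6, UDP and ICMP conditions and the TCP_SYN-flag check are left out. The packet builder, its addresses and port numbers are constructed test input, not values from the manual.

```python
import ipaddress
import struct

# Constructed example (not NETGEAR code): software equivalent of several hardware
# protocol-anomaly checks from the list above, for IPv4/TCP only.
FIN, SYN, PSH, URG = 0x01, 0x02, 0x08, 0x20

def build_ipv4_tcp(src, dst, sport, dport, flags, seq, frag_off=0, tcp_len=20):
    """Build a minimal IPv4+TCP packet for testing (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)
    tcp = tcp[:tcp_len]  # tcp_len < 20 simulates a truncated first fragment
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, frag_off & 0x1FFF,
                      64, 6, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + tcp

def anomalies(pkt):
    """Return the names of the anomaly conditions a raw IPv4 packet trips."""
    found = []
    ihl = (pkt[0] & 0x0F) * 4
    frag_off = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF  # in 8-byte units
    if pkt[12:16] == pkt[16:20]:
        found.append("sip-equals-dip")
    if pkt[9] != 6:                 # only TCP checks are implemented here
        return found
    l4 = pkt[ihl:]
    if frag_off == 1:               # offset 1 (8 bytes) cuts through the TCP header
        found.append("fragment-offset-1")
        return found
    if frag_off > 1:                # later fragments carry no TCP header to inspect
        return found
    if len(l4) < 20:                # first fragment without a full TCP header
        found.append("short-tcp-header")
        return found
    sport, dport, seq = struct.unpack("!HHI", l4[:8])
    flags = l4[13]
    if sport == dport:
        found.append("tcp-sport-equals-dport")
    if flags == 0 and seq == 0:
        found.append("null-flags-zero-seq")
    if flags & (FIN | URG | PSH) == (FIN | URG | PSH) and seq == 0:
        found.append("xmas-zero-seq")
    if flags & (SYN | FIN) == (SYN | FIN):
        found.append("syn-and-fin")
    return found

if __name__ == "__main__":
    land = build_ipv4_tcp("10.0.0.1", "10.0.0.1", 80, 80, SYN, 1)
    print(anomalies(land))  # ['sip-equals-dip', 'tcp-sport-equals-dport']
```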
Flood Rate Limitation
Flood rate limitation, or storm control, is used to minimize the network impact of ingress 
flooding traffic. You can configure ports to accept a specified rate of packets per second. 
When that rate is exceeded, the port blocks traffic and drops subsequent packets until the 
traffic again drops below the configured rate. 
To configure the rate limit, use the following command: 
configure ports <port_list> rate-limit flood [broadcast | multicast | unknown-destmac] [no-limit | <pps>]