ECS4660-28F_Management Guide-R03
Table Of Contents
- About This Guide
- Contents
- Figures
- Tables
- Getting Started
- Web Configuration
- Using the Web Interface
- Basic Management Tasks
- Displaying System Information
- Displaying Hardware/Software Versions
- Configuring Support for Jumbo Frames
- Displaying Bridge Extension Capabilities
- Managing System Files
- Setting the System Clock
- Configuring the Console Port
- Configuring Telnet Settings
- Displaying CPU Utilization
- Displaying Memory Utilization
- Resetting the System
- Interface Configuration
- VLAN Configuration
- Address Table Settings
- Spanning Tree Algorithm
- Congestion Control
- Class of Service
- Layer 2 Queue Settings
- Layer 3/4 Priority Settings
- Setting Priority Processing to IP Precedence/DSCP or CoS
- Mapping Ingress DSCP Values to Internal DSCP Values
- Mapping CoS Priorities to Internal DSCP Values
- Mapping Internal DSCP Values to Egress CoS Values
- Mapping IP Precedence Values to Internal DSCP Values
- Mapping IP Port Priority to Internal DSCP Values
- Quality of Service
- VoIP Traffic Configuration
- Security Measures
- AAA Authorization and Accounting
- Configuring User Accounts
- Web Authentication
- Network Access (MAC Address Authentication)
- Configuring HTTPS
- Configuring the Secure Shell
- Access Control Lists
- Setting a Time Range
- Showing TCAM Utilization
- Setting the ACL Name and Type
- Configuring a Standard IPv4 ACL
- Configuring an Extended IPv4 ACL
- Configuring a Standard IPv6 ACL
- Configuring an Extended IPv6 ACL
- Configuring a MAC ACL
- Configuring an ARP ACL
- Binding a Port to an Access Control List
- Showing ACL Hardware Counters
- ARP Inspection
- Filtering IP Addresses for Management Access
- Configuring Port Security
- Configuring 802.1X Port Authentication
- DoS Protection
- IPv4 Source Guard
- IPv6 Source Guard
- DHCP Snooping
- Basic Administration Protocols
- Configuring Event Logging
- Link Layer Discovery Protocol
- Simple Network Management Protocol
- Configuring Global Settings for SNMP
- Setting the Local Engine ID
- Specifying a Remote Engine ID
- Setting SNMPv3 Views
- Configuring SNMPv3 Groups
- Setting Community Access Strings
- Configuring Local SNMPv3 Users
- Configuring Remote SNMPv3 Users
- Specifying Trap Managers
- Creating SNMP Notification Logs
- Showing SNMP Statistics
- Remote Monitoring
- Switch Clustering
- Ethernet Ring Protection Switching
- Connectivity Fault Management
- Configuring Global Settings for CFM
- Configuring Interfaces for CFM
- Configuring CFM Maintenance Domains
- Configuring CFM Maintenance Associations
- Configuring Maintenance End Points
- Configuring Remote Maintenance End Points
- Transmitting Link Trace Messages
- Transmitting Loop Back Messages
- Transmitting Delay-Measure Requests
- Displaying Local MEPs
- Displaying Details for Local MEPs
- Displaying Local MIPs
- Displaying Remote MEPs
- Displaying Details for Remote MEPs
- Displaying the Link Trace Cache
- Displaying Fault Notification Settings
- Displaying Continuity Check Errors
- OAM Configuration
- PTP Configuration
- Multicast Filtering
- Overview
- IGMP Protocol
- Layer 2 IGMP (Snooping and Query for IPv4)
- Configuring IGMP Snooping and Query Parameters
- Specifying Static Interfaces for an IPv4 Multicast Router
- Assigning Interfaces to IPv4 Multicast Services
- Setting IGMP Snooping Status per Interface
- Filtering IGMP Query Packets and Multicast Data
- Displaying Multicast Groups Discovered by IGMP Snooping
- Displaying IGMP Snooping Statistics
- Filtering and Throttling IGMP Groups
- MLD Snooping (Snooping and Query for IPv6)
- Layer 3 IGMP (Query used with Multicast Routing)
- Multicast VLAN Registration for IPv4
- Multicast VLAN Registration for IPv6
- IP Configuration
- IP Services
- General IP Routing
- Configuring Router Redundancy
- Unicast Routing
- Overview
- Configuring the Routing Information Protocol
- Configuring General Protocol Settings
- Clearing Entries from the Routing Table
- Specifying Network Interfaces
- Specifying Passive Interfaces
- Specifying Static Neighbors
- Configuring Route Redistribution
- Specifying an Administrative Distance
- Configuring Network Interfaces for RIP
- Displaying RIP Interface Settings
- Displaying Peer Router Information
- Resetting RIP Statistics
- Configuring the Open Shortest Path First Protocol (Version 2)
- Defining Network Areas Based on Addresses
- Configuring General Protocol Settings
- Displaying Administrative Settings and Statistics
- Adding an NSSA or Stub
- Configuring NSSA Settings
- Configuring Stub Settings
- Displaying Information on NSSA and Stub Areas
- Configuring Area Ranges (Route Summarization for ABRs)
- Redistributing External Routes
- Configuring Summary Addresses (for External AS Routes)
- Configuring OSPF Interfaces
- Configuring Virtual Links
- Displaying Link State Database Information
- Displaying Information on Neighboring Routers
- Multicast Routing
- Command Line Interface
- Using the Command Line Interface
- General Commands
- System Management Commands
- Device Designation
- Banner Information
- System Status
- Fan Control
- Frame Size
- File Management
- Line
- Event Logging
- SMTP Alerts
- Time
- Time Range
- Precision Time Protocol
- ptp adjust
- ptp domain-number
- ptp e-latency
- ptp in-latency
- ptp mode
- ptp priority1
- ptp priority2
- ptp announce- receipt-timeout
- ptp delay- mechanism
- ptp log-announce- interval
- ptp log-min-delay- request-interval
- ptp log-min-pdelay- request-interval
- ptp log-sync-interval
- ptp port-enable
- ptp transport
- ptp port-release
- show ptp configuration
- show ptp foreign-master
- show ptp information
- Synchronous Ethernet
- Switch Clustering
- SNMP Commands
- Remote Monitoring Commands
- Flow Sampling Commands
- Authentication Commands
- User Accounts
- Authentication Sequence
- RADIUS Client
- TACACS+ Client
- AAA
- Web Server
- Telnet Server
- Secure Shell
- 802.1X Port Authentication
- Management IP Filter
- PPPoE Intermediate Agent
- pppoe intermediate-agent
- pppoe intermediate-agent format-type
- pppoe intermediate-agent port-enable
- pppoe intermediate-agent port-format-type
- pppoe intermediate-agent trust
- pppoe intermediate-agent vendor-tag strip
- clear pppoe intermediate-agent statistics
- show pppoe intermediate-agent info
- show pppoe intermediate-agent statistics
- General Security Measures
- Port Security
- Network Access (MAC Address Authentication)
- network-access aging
- network-access mac-filter
- mac-authentication reauth-time
- network-access dynamic-qos
- network-access dynamic-vlan
- network-access guest-vlan
- network-access link-detection
- network-access link-detection link-down
- network-access link-detection link-up
- network-access link-detection link-up-down
- network-access max-mac-count
- network-access mode mac-authentication
- network-access port-mac-filter
- mac-authentication intrusion-action
- mac-authentication max-mac-count
- clear network-access
- show network-access
- show network-access mac-address-table
- show network-access mac-filter
- Web Authentication
- DHCPv4 Snooping
- ip dhcp snooping
- ip dhcp snooping information option
- ip dhcp snooping information policy
- ip dhcp snooping verify mac-address
- ip dhcp snooping vlan
- ip dhcp snooping information option circuit-id
- ip dhcp snooping trust
- clear ip dhcp snooping binding
- clear ip dhcp snooping database flash
- ip dhcp snooping database flash
- show ip dhcp snooping
- show ip dhcp snooping binding
- DHCPv6 Snooping
- IPv4 Source Guard
- IPv6 Source Guard
- ARP Inspection
- ip arp inspection
- ip arp inspection filter
- ip arp inspection log-buffer logs
- ip arp inspection validate
- ip arp inspection vlan
- ip arp inspection limit
- ip arp inspection trust
- show ip arp inspection configuration
- show ip arp inspection interface
- show ip arp inspection log
- show ip arp inspection statistics
- show ip arp inspection vlan
- Denial of Service Protection
- Configuring Port-based Traffic Segmentation
- Access Control Lists
- Interface Commands
- Link Aggregation Commands
- Port Mirroring Commands
- Congestion Control Commands
- Rate Limit Commands
- Storm Control Commands
- Automatic Traffic Control Commands
- Threshold Commands
- SNMP Trap Commands
- snmp-server enable port-traps atc broadcast-alarm- clear
- snmp-server enable port-traps atc broadcast-alarm-fire
- snmp-server enable port-traps atc broadcast-control- apply
- snmp-server enable port-traps atc broadcast-control- release
- snmp-server enable port-traps atc multicast-alarm- clear
- snmp-server enable port-traps atc multicast-alarm-fire
- snmp-server enable port-traps atc multicast-control- apply
- snmp-server enable port-traps atc multicast-control- release
- ATC Display Commands
- Loopback Detection Commands
- UniDirectional Link Detection Commands
- Address Table Commands
- Spanning Tree Commands
- spanning-tree
- spanning-tree forward-time
- spanning-tree hello-time
- spanning-tree max-age
- spanning-tree mode
- spanning-tree pathcost method
- spanning-tree priority
- spanning-tree mst configuration
- spanning-tree system-bpdu- flooding
- spanning-tree transmission-limit
- max-hops
- mst priority
- mst vlan
- name
- revision
- spanning-tree bpdu-filter
- spanning-tree bpdu-guard
- spanning-tree cost
- spanning-tree edge-port
- spanning-tree link-type
- spanning-tree loopback-detection
- spanning-tree loopback-detection action
- spanning-tree loopback-detection release-mode
- spanning-tree loopback-detection trap
- spanning-tree mst cost
- spanning-tree mst port-priority
- spanning-tree port-bpdu-flooding
- spanning-tree port-priority
- spanning-tree root-guard
- spanning-tree spanning-disabled
- spanning-tree tc-prop-stop
- spanning-tree loopback-detection release
- spanning-tree protocol-migration
- show spanning-tree
- show spanning-tree mst configuration
- ERPS Commands
- VLAN Commands
- GVRP and Bridge Extension Commands
- Editing VLAN Groups
- Configuring VLAN Interfaces
- Displaying VLAN Information
- Configuring IEEE 802.1Q Tunneling
- Configuring L2CP Tunneling
- Configuring VLAN Translation
- Configuring Private VLANs
- Configuring Protocol-based VLANs
- Configuring IP Subnet VLANs
- Configuring MAC Based VLANs
- Configuring Voice VLANs
- Class of Service Commands
- Priority Commands (Layer 2)
- Priority Commands (Layer 3 and 4)
- qos map cos-dscp
- qos map default- drop-precedence
- qos map dscp-cos
- qos map dscp-mutation
- qos map ip-port-dscp
- qos map ip-prec-dscp
- qos map phb-queue
- qos map trust-mode
- show qos map cos-dscp
- show qos map dscp-cos
- show qos map dscp-mutation
- show qos map ip-port-dscp
- show qos map ip-prec-dscp
- show qos map phb-queue
- show qos map trust-mode
- Quality of Service Commands
- Multicast Filtering Commands
- IGMP Snooping
- ip igmp snooping
- ip igmp snooping priority
- ip igmp snooping proxy-reporting
- ip igmp snooping querier
- ip igmp snooping router-alert-option- check
- ip igmp snooping router-port- expire-time
- ip igmp snooping tcn-flood
- ip igmp snooping tcn-query-solicit
- ip igmp snooping unregistered-data- flood
- ip igmp snooping unsolicited-report- interval
- ip igmp snooping version
- ip igmp snooping version-exclusive
- ip igmp snooping vlan general-query- suppression
- ip igmp snooping vlan immediate- leave
- ip igmp snooping vlan last-memb- query-count
- ip igmp snooping vlan last-memb- query-intvl
- ip igmp snooping vlan mrd
- ip igmp snooping vlan proxy-address
- ip igmp snooping vlan query-interval
- ip igmp snooping vlan query-resp- intvl
- ip igmp snooping vlan static
- show ip igmp snooping
- show ip igmp snooping group
- show ip igmp snooping statistics
- Static Multicast Routing
- IGMP Filtering and Throttling
- ip igmp filter (Global Configuration)
- ip igmp profile
- permit, deny
- range
- ip igmp authentication
- ip igmp filter (Interface Configuration)
- ip igmp max-groups
- ip igmp max-groups action
- ip igmp query-drop
- ip multicast-data-drop
- show ip igmp authentication
- show ip igmp filter
- show ip igmp profile
- show ip igmp query-drop
- show ip igmp throttle interface
- show ip multicast-data-drop
- MLD Snooping
- ipv6 mld snooping
- ipv6 mld snooping querier
- ipv6 mld snooping query-interval
- ipv6 mld snooping query-max- response-time
- ipv6 mld snooping robustness
- ipv6 mld snooping router-port- expire-time
- ipv6 mld snooping unknown-multicast mode
- ipv6 mld snooping version
- ipv6 mld snooping vlan mrouter
- ipv6 mld snooping vlan static
- ipv6 mld snooping vlan immediate- leave
- show ipv6 mld snooping
- show ipv6 mld snooping group
- show ipv6 mld snooping group source-list
- show ipv6 mld snooping mrouter
- MLD Filtering and Throttling
- MVR for IPv4
- mvr
- mvr associated-profile
- mvr domain
- mvr profile
- mvr proxy-query-interval
- mvr priority
- mvr proxy-switching
- mvr robustness-value
- mvr source-port-mode dynamic
- mvr upstream-source-ip
- mvr vlan
- mvr immediate-leave
- mvr type
- mvr vlan group
- show mvr
- show mvr associated-profile
- show mvr interface
- show mvr members
- show mvr profile
- show mvr statistics
- MVR for IPv6
- mvr6 associated-profile
- mvr6 domain
- mvr6 profile
- mvr6 proxy-query-interval
- mvr6 proxy-switching
- mvr6 robustness-value
- mvr6 source-port-mode dynamic
- mvr6 upstream-source-ip
- mvr6 vlan
- mvr6 immediate-leave
- mvr6 type
- mvr6 vlan group
- clear mvr6 groups
- clear mvr6 statistics
- show mvr6
- show mvr6 associated-profile
- show mvr6 interface
- show mvr6 members
- show mvr6 profile
- show mvr6 statistics
- IGMP (Layer 3)
- IGMP Proxy Routing
- MLD (Layer 3)
- MLD Proxy Routing
- IGMP Snooping
- LLDP Commands
- lldp
- lldp holdtime-multiplier
- lldp med-fast-start-count
- lldp notification-interval
- lldp refresh-interval
- lldp reinit-delay
- lldp tx-delay
- lldp admin-status
- lldp basic-tlv management-ip- address
- lldp basic-tlv port-description
- lldp basic-tlv system-capabilities
- lldp basic-tlv system-description
- lldp basic-tlv system-name
- lldp dot1-tlv proto-ident
- lldp dot1-tlv proto-vid
- lldp dot1-tlv pvid
- lldp dot1-tlv vlan-name
- lldp dot3-tlv link-agg
- lldp dot3-tlv mac-phy
- lldp dot3-tlv max-frame
- lldp med-location civic-addr
- lldp med-notification
- lldp med-tlv inventory
- lldp med-tlv location
- lldp med-tlv med-cap
- lldp med-tlv network-policy
- lldp notification
- show lldp config
- show lldp info local-device
- show lldp info remote-device
- show lldp info statistics
- CFM Commands
- Defining CFM Structures
- ethernet cfm ais level
- ethernet cfm ais ma
- ethernet cfm ais period
- ethernet cfm ais suppress alarm
- ethernet cfm domain
- ethernet cfm enable
- ma index name
- ma index name-format
- ethernet cfm mep
- ethernet cfm port-enable
- clear ethernet cfm ais mpid
- show ethernet cfm configuration
- show ethernet cfm md
- show ethernet cfm ma
- show ethernet cfm maintenance-points local
- show ethernet cfm maintenance-points local detail mep
- show ethernet cfm maintenance-points remote detail
- Continuity Check Operations
- Cross Check Operations
- Link Trace Operations
- Loopback Operations
- Fault Generator Operations
- Delay Measure Operations
- Defining CFM Structures
- OAM Commands
- efm oam
- efm oam critical-link-event
- efm oam link-monitor frame
- efm oam link-monitor frame threshold
- efm oam link-monitor frame window
- efm oam mode
- clear efm oam counters
- clear efm oam event-log
- efm oam remote-loopback
- efm oam remote-loopback test
- show efm oam counters interface
- show efm oam event-log interface
- show efm oam remote-loopback interface
- show efm oam status interface
- show efm oam status remote interface
- Domain Name Service Commands
- DHCP Commands
- IP Interface Commands
- IPv4 Interface
- IPv6 Interface
- Interface Address Configuration and Utilities
- Neighbor Discovery
- ipv6 hop-limit
- ipv6 neighbor
- ipv6 nd dad attempts
- ipv6 nd managed- config-flag
- ipv6 nd other-config-flag
- ipv6 nd ns-interval
- ipv6 nd raguard
- ipv6 nd reachable-time
- ipv6 nd prefix
- ipv6 nd ra interval
- ipv6 nd ra lifetime
- ipv6 nd ra router-preference
- ipv6 nd ra suppress
- clear ipv6 neighbors
- show ipv6 nd raguard
- show ipv6 neighbors
- IPv6 to IPv4 Tunnels
- ND Snooping
- ipv6 nd snooping
- ipv6 nd snooping auto-detect
- ipv6 nd snooping auto-detect retransmit count
- ipv6 nd snooping auto-detect retransmit interval
- ipv6 nd snooping prefix timeout
- ipv6 nd snooping max-binding
- ipv6 nd snooping trust
- clear ipv6 nd snooping binding
- clear ipv6 nd snooping prefix
- show ipv6 nd snooping
- show ipv6 nd snooping binding
- show ipv6 nd snooping prefix
- VRRP Commands
- IP Routing Commands
- Global Routing Configuration
- Routing Information Protocol (RIP)
- router rip
- default-information originate
- default-metric
- distance
- maximum-prefix
- neighbor
- network
- passive-interface
- redistribute
- timers basic
- version
- ip rip authentication mode
- ip rip authentication string
- ip rip receive version
- ip rip receive-packet
- ip rip send version
- ip rip send-packet
- ip rip split-horizon
- clear ip rip route
- show ip protocols rip
- show ip rip
- Open Shortest Path First (OSPFv2)
- Open Shortest Path First (OSPFv3)
- Border Gateway Protocol (BGPv4)
- BGP Overview
- External and Internal BGP
- BGP Routing Basics
- Internal BGP Scalability
- Route Flap Dampening
- BGP Command List
- General Configuration
- router bgp
- ip as-path access-list
- ip community-list
- ip extcommunity-list
- ip prefix-list
- aggregate-address
- bgp client-to-client reflection
- bgp cluster-id
- bgp confederation identifier
- bgp confederation peer
- bgp dampening
- bgp enforce-first-as
- bgp fast-external- failover
- bgp log-neighbor- changes
- bgp network import-check
- bgp router-id
- bgp scan-time
- network
- redistribute
- timers bgp
- clear ip bgp
- clear ip bgp dampening
- Route Metrics and Selection
- Neighbor Configuration
- neighbor activate
- neighbor advertisement- interval
- neighbor allowas-in
- neighbor attribute-unchanged
- neighbor capability dynamic
- neighbor capability orf prefix-list
- neighbor default-originate
- neighbor description
- neighbor distribute-list
- neighbor dont- capability-negotiate
- neighbor ebgp-multihop
- neighbor enforce-multihop
- neighbor filter-list
- neighbor interface
- neighbor maximum-prefix
- neighbor next-hop-self
- neighbor override-capability
- neighbor passive
- neighbor peer-group (Creating)
- neighbor peer-group (Group Members)
- neighbor port
- neighbor prefix-list
- neighbor remote-as
- neighbor remove-private-as
- neighbor route-map
- neighbor route-reflector-client
- neighbor route-server-client
- neighbor send-community
- neighbor shutdown
- neighbor soft- reconfiguration inbound
- neighbor strict- capability-match
- neighbor timers
- neighbor timers connect
- neighbor unsuppress-map
- neighbor update-source
- neighbor weight
- Display Information
- show ip bgp
- show ip bgp attribute-info
- show ip bgp cidr-ony
- show ip bgp community
- show ip bgp community-info
- show ip bgp community-list
- show ip bgp dampening
- show ip bgp filter-list
- show ip bgp neighbors
- show ip bgp paths
- show ip bgp prefix-list
- show ip bgp regexp
- show ip bgp route-map
- show ip bgp scan
- show ip bgp summary
- show ip community-list
- show ip extcommunity-list
- show ip prefix-list
- show ip prefix-list detail
- show ip prefix-list summary
- General Configuration
- Policy-based Routing for BGP
- route-map
- call
- continue
- description
- match as-path
- match community
- match extcommunity
- match ip address
- match ip next-hop
- match ip route-source
- match metric
- match origin
- match pathlimit as
- match peer
- on-match
- set aggregator as
- set as-path
- set atomic-aggregate
- set comm-list delete
- set community
- set extcommunity
- set ip next-hop
- set local-preference
- set metric
- set origin
- set originator-id
- set pathlimit ttl
- set weight
- show route-map
- Multicast Routing Commands
- Appendices
- Glossary
- Command List
- Index
C
HAPTER
29
| General Security Measures
Denial of Service Protection
– 1154 –
EXAMPLE
Console#show ip arp inspection vlan 1
VLAN ID DAI Status ACL Name ACL Status
-------- --------------- -------------------- --------------------
1 disabled sales static
Console#
DENIAL OF SERVICE PROTECTION
A denial-of-service attack (DoS attack) is an attempt to block the services
provided by a computer or network resource. This kind of attack tries to
prevent an Internet site or service from functioning efficiently or at all. In
general, DoS attacks are implemented by either forcing the target to reset,
to consume most of its resources so that it can no longer provide its
intended service, or to obstruct the communication media between the
intended users and the target so that they can no longer communicate
adequately.
This section describes commands used to protect against DoS attacks.
dos-protection land This command protects against DoS LAND (Local Area Network Denial)
attacks in which hackers send spoofed-IP packets where the source and
destination address are the same, thereby causing the target to reply to
itself continuously. Use the no form to disable this feature.
SYNTAX
[no] dos-protection land
DEFAULT SETTING
Enabled
COMMAND MODE
Global Configuration
Table 124: DoS Protection Commands
Command Function Mode
dos-protection land Protects against DoS LAND attacks GC
dos-protection tcp-null-scan Protects against DoS TCP-null-scan attacks GC
dos-protection tcp-syn-fin-scan Protects against DoS TCP-SYN/FIN-scan attacks GC
dos-protection tcp-xmas-scan Protects against DoS TCP-XMAS-scan attacks GC
show dos-protection Shows the configuration settings for DoS
protection
PE