ECS4660-28F_Management Guide-R03
Table Of Contents
- About This Guide
- Contents
- Figures
- Tables
- Getting Started
- Web Configuration
- Using the Web Interface
- Basic Management Tasks
- Displaying System Information
- Displaying Hardware/Software Versions
- Configuring Support for Jumbo Frames
- Displaying Bridge Extension Capabilities
- Managing System Files
- Setting the System Clock
- Configuring the Console Port
- Configuring Telnet Settings
- Displaying CPU Utilization
- Displaying Memory Utilization
- Resetting the System
- Interface Configuration
- VLAN Configuration
- Address Table Settings
- Spanning Tree Algorithm
- Congestion Control
- Class of Service
- Layer 2 Queue Settings
- Layer 3/4 Priority Settings
- Setting Priority Processing to IP Precedence/DSCP or CoS
- Mapping Ingress DSCP Values to Internal DSCP Values
- Mapping CoS Priorities to Internal DSCP Values
- Mapping Internal DSCP Values to Egress CoS Values
- Mapping IP Precedence Values to Internal DSCP Values
- Mapping IP Port Priority to Internal DSCP Values
- Quality of Service
- VoIP Traffic Configuration
- Security Measures
- AAA Authorization and Accounting
- Configuring User Accounts
- Web Authentication
- Network Access (MAC Address Authentication)
- Configuring HTTPS
- Configuring the Secure Shell
- Access Control Lists
- Setting a Time Range
- Showing TCAM Utilization
- Setting the ACL Name and Type
- Configuring a Standard IPv4 ACL
- Configuring an Extended IPv4 ACL
- Configuring a Standard IPv6 ACL
- Configuring an Extended IPv6 ACL
- Configuring a MAC ACL
- Configuring an ARP ACL
- Binding a Port to an Access Control List
- Showing ACL Hardware Counters
- ARP Inspection
- Filtering IP Addresses for Management Access
- Configuring Port Security
- Configuring 802.1X Port Authentication
- DoS Protection
- IPv4 Source Guard
- IPv6 Source Guard
- DHCP Snooping
- Basic Administration Protocols
- Configuring Event Logging
- Link Layer Discovery Protocol
- Simple Network Management Protocol
- Configuring Global Settings for SNMP
- Setting the Local Engine ID
- Specifying a Remote Engine ID
- Setting SNMPv3 Views
- Configuring SNMPv3 Groups
- Setting Community Access Strings
- Configuring Local SNMPv3 Users
- Configuring Remote SNMPv3 Users
- Specifying Trap Managers
- Creating SNMP Notification Logs
- Showing SNMP Statistics
- Remote Monitoring
- Switch Clustering
- Ethernet Ring Protection Switching
- Connectivity Fault Management
- Configuring Global Settings for CFM
- Configuring Interfaces for CFM
- Configuring CFM Maintenance Domains
- Configuring CFM Maintenance Associations
- Configuring Maintenance End Points
- Configuring Remote Maintenance End Points
- Transmitting Link Trace Messages
- Transmitting Loop Back Messages
- Transmitting Delay-Measure Requests
- Displaying Local MEPs
- Displaying Details for Local MEPs
- Displaying Local MIPs
- Displaying Remote MEPs
- Displaying Details for Remote MEPs
- Displaying the Link Trace Cache
- Displaying Fault Notification Settings
- Displaying Continuity Check Errors
- OAM Configuration
- PTP Configuration
- Multicast Filtering
- Overview
- IGMP Protocol
- Layer 2 IGMP (Snooping and Query for IPv4)
- Configuring IGMP Snooping and Query Parameters
- Specifying Static Interfaces for an IPv4 Multicast Router
- Assigning Interfaces to IPv4 Multicast Services
- Setting IGMP Snooping Status per Interface
- Filtering IGMP Query Packets and Multicast Data
- Displaying Multicast Groups Discovered by IGMP Snooping
- Displaying IGMP Snooping Statistics
- Filtering and Throttling IGMP Groups
- MLD Snooping (Snooping and Query for IPv6)
- Layer 3 IGMP (Query used with Multicast Routing)
- Multicast VLAN Registration for IPv4
- Multicast VLAN Registration for IPv6
- IP Configuration
- IP Services
- General IP Routing
- Configuring Router Redundancy
- Unicast Routing
- Overview
- Configuring the Routing Information Protocol
- Configuring General Protocol Settings
- Clearing Entries from the Routing Table
- Specifying Network Interfaces
- Specifying Passive Interfaces
- Specifying Static Neighbors
- Configuring Route Redistribution
- Specifying an Administrative Distance
- Configuring Network Interfaces for RIP
- Displaying RIP Interface Settings
- Displaying Peer Router Information
- Resetting RIP Statistics
- Configuring the Open Shortest Path First Protocol (Version 2)
- Defining Network Areas Based on Addresses
- Configuring General Protocol Settings
- Displaying Administrative Settings and Statistics
- Adding an NSSA or Stub
- Configuring NSSA Settings
- Configuring Stub Settings
- Displaying Information on NSSA and Stub Areas
- Configuring Area Ranges (Route Summarization for ABRs)
- Redistributing External Routes
- Configuring Summary Addresses (for External AS Routes)
- Configuring OSPF Interfaces
- Configuring Virtual Links
- Displaying Link State Database Information
- Displaying Information on Neighboring Routers
- Multicast Routing
- Command Line Interface
- Using the Command Line Interface
- General Commands
- System Management Commands
- Device Designation
- Banner Information
- System Status
- Fan Control
- Frame Size
- File Management
- Line
- Event Logging
- SMTP Alerts
- Time
- Time Range
- Precision Time Protocol
- ptp adjust
- ptp domain-number
- ptp e-latency
- ptp in-latency
- ptp mode
- ptp priority1
- ptp priority2
- ptp announce- receipt-timeout
- ptp delay- mechanism
- ptp log-announce- interval
- ptp log-min-delay- request-interval
- ptp log-min-pdelay- request-interval
- ptp log-sync-interval
- ptp port-enable
- ptp transport
- ptp port-release
- show ptp configuration
- show ptp foreign-master
- show ptp information
- Synchronous Ethernet
- Switch Clustering
- SNMP Commands
- Remote Monitoring Commands
- Flow Sampling Commands
- Authentication Commands
- User Accounts
- Authentication Sequence
- RADIUS Client
- TACACS+ Client
- AAA
- Web Server
- Telnet Server
- Secure Shell
- 802.1X Port Authentication
- Management IP Filter
- PPPoE Intermediate Agent
- pppoe intermediate-agent
- pppoe intermediate-agent format-type
- pppoe intermediate-agent port-enable
- pppoe intermediate-agent port-format-type
- pppoe intermediate-agent trust
- pppoe intermediate-agent vendor-tag strip
- clear pppoe intermediate-agent statistics
- show pppoe intermediate-agent info
- show pppoe intermediate-agent statistics
- General Security Measures
- Port Security
- Network Access (MAC Address Authentication)
- network-access aging
- network-access mac-filter
- mac-authentication reauth-time
- network-access dynamic-qos
- network-access dynamic-vlan
- network-access guest-vlan
- network-access link-detection
- network-access link-detection link-down
- network-access link-detection link-up
- network-access link-detection link-up-down
- network-access max-mac-count
- network-access mode mac-authentication
- network-access port-mac-filter
- mac-authentication intrusion-action
- mac-authentication max-mac-count
- clear network-access
- show network-access
- show network-access mac-address-table
- show network-access mac-filter
- Web Authentication
- DHCPv4 Snooping
- ip dhcp snooping
- ip dhcp snooping information option
- ip dhcp snooping information policy
- ip dhcp snooping verify mac-address
- ip dhcp snooping vlan
- ip dhcp snooping information option circuit-id
- ip dhcp snooping trust
- clear ip dhcp snooping binding
- clear ip dhcp snooping database flash
- ip dhcp snooping database flash
- show ip dhcp snooping
- show ip dhcp snooping binding
- DHCPv6 Snooping
- IPv4 Source Guard
- IPv6 Source Guard
- ARP Inspection
- ip arp inspection
- ip arp inspection filter
- ip arp inspection log-buffer logs
- ip arp inspection validate
- ip arp inspection vlan
- ip arp inspection limit
- ip arp inspection trust
- show ip arp inspection configuration
- show ip arp inspection interface
- show ip arp inspection log
- show ip arp inspection statistics
- show ip arp inspection vlan
- Denial of Service Protection
- Configuring Port-based Traffic Segmentation
- Access Control Lists
- Interface Commands
- Link Aggregation Commands
- Port Mirroring Commands
- Congestion Control Commands
- Rate Limit Commands
- Storm Control Commands
- Automatic Traffic Control Commands
- Threshold Commands
- SNMP Trap Commands
- snmp-server enable port-traps atc broadcast-alarm- clear
- snmp-server enable port-traps atc broadcast-alarm-fire
- snmp-server enable port-traps atc broadcast-control- apply
- snmp-server enable port-traps atc broadcast-control- release
- snmp-server enable port-traps atc multicast-alarm- clear
- snmp-server enable port-traps atc multicast-alarm-fire
- snmp-server enable port-traps atc multicast-control- apply
- snmp-server enable port-traps atc multicast-control- release
- ATC Display Commands
- Loopback Detection Commands
- UniDirectional Link Detection Commands
- Address Table Commands
- Spanning Tree Commands
- spanning-tree
- spanning-tree forward-time
- spanning-tree hello-time
- spanning-tree max-age
- spanning-tree mode
- spanning-tree pathcost method
- spanning-tree priority
- spanning-tree mst configuration
- spanning-tree system-bpdu- flooding
- spanning-tree transmission-limit
- max-hops
- mst priority
- mst vlan
- name
- revision
- spanning-tree bpdu-filter
- spanning-tree bpdu-guard
- spanning-tree cost
- spanning-tree edge-port
- spanning-tree link-type
- spanning-tree loopback-detection
- spanning-tree loopback-detection action
- spanning-tree loopback-detection release-mode
- spanning-tree loopback-detection trap
- spanning-tree mst cost
- spanning-tree mst port-priority
- spanning-tree port-bpdu-flooding
- spanning-tree port-priority
- spanning-tree root-guard
- spanning-tree spanning-disabled
- spanning-tree tc-prop-stop
- spanning-tree loopback-detection release
- spanning-tree protocol-migration
- show spanning-tree
- show spanning-tree mst configuration
- ERPS Commands
- VLAN Commands
- GVRP and Bridge Extension Commands
- Editing VLAN Groups
- Configuring VLAN Interfaces
- Displaying VLAN Information
- Configuring IEEE 802.1Q Tunneling
- Configuring L2CP Tunneling
- Configuring VLAN Translation
- Configuring Private VLANs
- Configuring Protocol-based VLANs
- Configuring IP Subnet VLANs
- Configuring MAC Based VLANs
- Configuring Voice VLANs
- Class of Service Commands
- Priority Commands (Layer 2)
- Priority Commands (Layer 3 and 4)
- qos map cos-dscp
- qos map default- drop-precedence
- qos map dscp-cos
- qos map dscp-mutation
- qos map ip-port-dscp
- qos map ip-prec-dscp
- qos map phb-queue
- qos map trust-mode
- show qos map cos-dscp
- show qos map dscp-cos
- show qos map dscp-mutation
- show qos map ip-port-dscp
- show qos map ip-prec-dscp
- show qos map phb-queue
- show qos map trust-mode
- Quality of Service Commands
- Multicast Filtering Commands
- IGMP Snooping
- ip igmp snooping
- ip igmp snooping priority
- ip igmp snooping proxy-reporting
- ip igmp snooping querier
- ip igmp snooping router-alert-option- check
- ip igmp snooping router-port- expire-time
- ip igmp snooping tcn-flood
- ip igmp snooping tcn-query-solicit
- ip igmp snooping unregistered-data- flood
- ip igmp snooping unsolicited-report- interval
- ip igmp snooping version
- ip igmp snooping version-exclusive
- ip igmp snooping vlan general-query- suppression
- ip igmp snooping vlan immediate- leave
- ip igmp snooping vlan last-memb- query-count
- ip igmp snooping vlan last-memb- query-intvl
- ip igmp snooping vlan mrd
- ip igmp snooping vlan proxy-address
- ip igmp snooping vlan query-interval
- ip igmp snooping vlan query-resp- intvl
- ip igmp snooping vlan static
- show ip igmp snooping
- show ip igmp snooping group
- show ip igmp snooping statistics
- Static Multicast Routing
- IGMP Filtering and Throttling
- ip igmp filter (Global Configuration)
- ip igmp profile
- permit, deny
- range
- ip igmp authentication
- ip igmp filter (Interface Configuration)
- ip igmp max-groups
- ip igmp max-groups action
- ip igmp query-drop
- ip multicast-data-drop
- show ip igmp authentication
- show ip igmp filter
- show ip igmp profile
- show ip igmp query-drop
- show ip igmp throttle interface
- show ip multicast-data-drop
- MLD Snooping
- ipv6 mld snooping
- ipv6 mld snooping querier
- ipv6 mld snooping query-interval
- ipv6 mld snooping query-max- response-time
- ipv6 mld snooping robustness
- ipv6 mld snooping router-port- expire-time
- ipv6 mld snooping unknown-multicast mode
- ipv6 mld snooping version
- ipv6 mld snooping vlan mrouter
- ipv6 mld snooping vlan static
- ipv6 mld snooping vlan immediate- leave
- show ipv6 mld snooping
- show ipv6 mld snooping group
- show ipv6 mld snooping group source-list
- show ipv6 mld snooping mrouter
- MLD Filtering and Throttling
- MVR for IPv4
- mvr
- mvr associated-profile
- mvr domain
- mvr profile
- mvr proxy-query-interval
- mvr priority
- mvr proxy-switching
- mvr robustness-value
- mvr source-port-mode dynamic
- mvr upstream-source-ip
- mvr vlan
- mvr immediate-leave
- mvr type
- mvr vlan group
- show mvr
- show mvr associated-profile
- show mvr interface
- show mvr members
- show mvr profile
- show mvr statistics
- MVR for IPv6
- mvr6 associated-profile
- mvr6 domain
- mvr6 profile
- mvr6 proxy-query-interval
- mvr6 proxy-switching
- mvr6 robustness-value
- mvr6 source-port-mode dynamic
- mvr6 upstream-source-ip
- mvr6 vlan
- mvr6 immediate-leave
- mvr6 type
- mvr6 vlan group
- clear mvr6 groups
- clear mvr6 statistics
- show mvr6
- show mvr6 associated-profile
- show mvr6 interface
- show mvr6 members
- show mvr6 profile
- show mvr6 statistics
- IGMP (Layer 3)
- IGMP Proxy Routing
- MLD (Layer 3)
- MLD Proxy Routing
- IGMP Snooping
- LLDP Commands
- lldp
- lldp holdtime-multiplier
- lldp med-fast-start-count
- lldp notification-interval
- lldp refresh-interval
- lldp reinit-delay
- lldp tx-delay
- lldp admin-status
- lldp basic-tlv management-ip- address
- lldp basic-tlv port-description
- lldp basic-tlv system-capabilities
- lldp basic-tlv system-description
- lldp basic-tlv system-name
- lldp dot1-tlv proto-ident
- lldp dot1-tlv proto-vid
- lldp dot1-tlv pvid
- lldp dot1-tlv vlan-name
- lldp dot3-tlv link-agg
- lldp dot3-tlv mac-phy
- lldp dot3-tlv max-frame
- lldp med-location civic-addr
- lldp med-notification
- lldp med-tlv inventory
- lldp med-tlv location
- lldp med-tlv med-cap
- lldp med-tlv network-policy
- lldp notification
- show lldp config
- show lldp info local-device
- show lldp info remote-device
- show lldp info statistics
- CFM Commands
- Defining CFM Structures
- ethernet cfm ais level
- ethernet cfm ais ma
- ethernet cfm ais period
- ethernet cfm ais suppress alarm
- ethernet cfm domain
- ethernet cfm enable
- ma index name
- ma index name-format
- ethernet cfm mep
- ethernet cfm port-enable
- clear ethernet cfm ais mpid
- show ethernet cfm configuration
- show ethernet cfm md
- show ethernet cfm ma
- show ethernet cfm maintenance-points local
- show ethernet cfm maintenance-points local detail mep
- show ethernet cfm maintenance-points remote detail
- Continuity Check Operations
- Cross Check Operations
- Link Trace Operations
- Loopback Operations
- Fault Generator Operations
- Delay Measure Operations
- Defining CFM Structures
- OAM Commands
- efm oam
- efm oam critical-link-event
- efm oam link-monitor frame
- efm oam link-monitor frame threshold
- efm oam link-monitor frame window
- efm oam mode
- clear efm oam counters
- clear efm oam event-log
- efm oam remote-loopback
- efm oam remote-loopback test
- show efm oam counters interface
- show efm oam event-log interface
- show efm oam remote-loopback interface
- show efm oam status interface
- show efm oam status remote interface
- Domain Name Service Commands
- DHCP Commands
- IP Interface Commands
- IPv4 Interface
- IPv6 Interface
- Interface Address Configuration and Utilities
- Neighbor Discovery
- ipv6 hop-limit
- ipv6 neighbor
- ipv6 nd dad attempts
- ipv6 nd managed- config-flag
- ipv6 nd other-config-flag
- ipv6 nd ns-interval
- ipv6 nd raguard
- ipv6 nd reachable-time
- ipv6 nd prefix
- ipv6 nd ra interval
- ipv6 nd ra lifetime
- ipv6 nd ra router-preference
- ipv6 nd ra suppress
- clear ipv6 neighbors
- show ipv6 nd raguard
- show ipv6 neighbors
- IPv6 to IPv4 Tunnels
- ND Snooping
- ipv6 nd snooping
- ipv6 nd snooping auto-detect
- ipv6 nd snooping auto-detect retransmit count
- ipv6 nd snooping auto-detect retransmit interval
- ipv6 nd snooping prefix timeout
- ipv6 nd snooping max-binding
- ipv6 nd snooping trust
- clear ipv6 nd snooping binding
- clear ipv6 nd snooping prefix
- show ipv6 nd snooping
- show ipv6 nd snooping binding
- show ipv6 nd snooping prefix
- VRRP Commands
- IP Routing Commands
- Global Routing Configuration
- Routing Information Protocol (RIP)
- router rip
- default-information originate
- default-metric
- distance
- maximum-prefix
- neighbor
- network
- passive-interface
- redistribute
- timers basic
- version
- ip rip authentication mode
- ip rip authentication string
- ip rip receive version
- ip rip receive-packet
- ip rip send version
- ip rip send-packet
- ip rip split-horizon
- clear ip rip route
- show ip protocols rip
- show ip rip
- Open Shortest Path First (OSPFv2)
- Open Shortest Path First (OSPFv3)
- Border Gateway Protocol (BGPv4)
- BGP Overview
- External and Internal BGP
- BGP Routing Basics
- Internal BGP Scalability
- Route Flap Dampening
- BGP Command List
- General Configuration
- router bgp
- ip as-path access-list
- ip community-list
- ip extcommunity-list
- ip prefix-list
- aggregate-address
- bgp client-to-client reflection
- bgp cluster-id
- bgp confederation identifier
- bgp confederation peer
- bgp dampening
- bgp enforce-first-as
- bgp fast-external- failover
- bgp log-neighbor- changes
- bgp network import-check
- bgp router-id
- bgp scan-time
- network
- redistribute
- timers bgp
- clear ip bgp
- clear ip bgp dampening
- Route Metrics and Selection
- Neighbor Configuration
- neighbor activate
- neighbor advertisement- interval
- neighbor allowas-in
- neighbor attribute-unchanged
- neighbor capability dynamic
- neighbor capability orf prefix-list
- neighbor default-originate
- neighbor description
- neighbor distribute-list
- neighbor dont- capability-negotiate
- neighbor ebgp-multihop
- neighbor enforce-multihop
- neighbor filter-list
- neighbor interface
- neighbor maximum-prefix
- neighbor next-hop-self
- neighbor override-capability
- neighbor passive
- neighbor peer-group (Creating)
- neighbor peer-group (Group Members)
- neighbor port
- neighbor prefix-list
- neighbor remote-as
- neighbor remove-private-as
- neighbor route-map
- neighbor route-reflector-client
- neighbor route-server-client
- neighbor send-community
- neighbor shutdown
- neighbor soft- reconfiguration inbound
- neighbor strict- capability-match
- neighbor timers
- neighbor timers connect
- neighbor unsuppress-map
- neighbor update-source
- neighbor weight
- Display Information
- show ip bgp
- show ip bgp attribute-info
- show ip bgp cidr-ony
- show ip bgp community
- show ip bgp community-info
- show ip bgp community-list
- show ip bgp dampening
- show ip bgp filter-list
- show ip bgp neighbors
- show ip bgp paths
- show ip bgp prefix-list
- show ip bgp regexp
- show ip bgp route-map
- show ip bgp scan
- show ip bgp summary
- show ip community-list
- show ip extcommunity-list
- show ip prefix-list
- show ip prefix-list detail
- show ip prefix-list summary
- General Configuration
- Policy-based Routing for BGP
- route-map
- call
- continue
- description
- match as-path
- match community
- match extcommunity
- match ip address
- match ip next-hop
- match ip route-source
- match metric
- match origin
- match pathlimit as
- match peer
- on-match
- set aggregator as
- set as-path
- set atomic-aggregate
- set comm-list delete
- set community
- set extcommunity
- set ip next-hop
- set local-preference
- set metric
- set origin
- set originator-id
- set pathlimit ttl
- set weight
- show route-map
- Multicast Routing Commands
- Appendices
- Glossary
- Command List
- Index
C
HAPTER
29
| General Security Measures
Denial of Service Protection
– 1156 –
dos-protection
tcp-xmas-scan
This command protects against DoS TCP-xmas-scan in which a so-called
TCP XMAS scan message is used to identify listening TCP ports. This scan
uses a series of strangely configured TCP packets which contain a sequence
number of 0 and the URG, PSH and FIN flags. If the target's TCP port is
closed, the target replies with a TCP RST packet. If the target TCP port is
open, it simply discards the TCP XMAS scan. Use the no form to disable
this feature.
SYNTAX
[no] dos-protection tcp-xmas-scan
DEFAULT SETTING
Enabled
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#dos-protection tcp-xmas-scan
Console(config)#
show
dos-protection
This command shows the configuration settings for the DoS protection
commands.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show dos-protection
Global DoS Protections:
LAND Attack : Enabled
TCP Null Scan : Enabled
TCP SYN/FIN Scan : Enabled
TCP XMAS Scan : Enabled
Console#