5-9
Cisco SCE 2000 and SCE 1000 Software Configuration Guide
OL-7827-12
Chapter 5 Configuring the Management Interface and Security
Configuring Management Interface Security
How to Disable Automatic Fail-Over Mode
Step 1  From the SCE(config if)# prompt, type no auto-fail-over and press Enter.
Configuring Management Interface Security
• Configuring the IP Fragment Filter, page 5-9
• Configuring the Permitted and Not-permitted IP Address Monitor, page 5-10
• Monitoring Management Interface IP Filtering, page 5-11
Management security is defined as the capability of the SCE platform to cope with malicious
management conditions that might lead to global service failure. Resiliency to attacks on the
management port includes the following features:
• The SCE platform remains stable during a flooding attack.
• The number of TCP/IP stack control protocol vulnerabilities is minimized.
• Reporting capabilities on attacks on the management port are available.
There are two parallel security mechanisms:
• Automatic security mechanism — monitors the TCP/IP stack rate at 200 msec intervals and throttles the rate from the device if necessary.
  This mechanism always functions and is not user-configurable.
• User-configurable security mechanism — accomplished via two IP filters at user-configurable intervals:
  – IP fragment filter — Drops all IP fragment packets
  – IP filter monitor — Measures the rate of accepted and dropped packets for both permitted and not-permitted IP addresses.
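The following is an added illustration, not Cisco code and not part of the original guide. It shows what "drops all IP fragment packets" means at the IPv4 header level, and keeps accepted/dropped counts split by permitted and not-permitted source address in the spirit of the IP filter monitor. The permitted network, the sample packets and the function names are assumptions made for the example; only the fragment drop is modelled, not any address-based drop.

```python
import ipaddress
import struct
from collections import Counter

MF_FLAG = 0x2000      # "more fragments" bit in the flags/fragment-offset field
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, counted in 8-byte units


def is_fragment(packet: bytes) -> bool:
    """True if the IPv4 header marks the packet as any fragment of a datagram."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    (flags_offset,) = struct.unpack_from("!H", packet, 6)
    # First fragment: MF set, offset 0. Later fragments: offset > 0.
    return bool(flags_offset & MF_FLAG) or (flags_offset & OFFSET_MASK) != 0


def filter_packets(packets, permitted_nets):
    """Drop every fragment; count verdicts per permitted / not-permitted source."""
    nets = [ipaddress.ip_network(n) for n in permitted_nets]
    stats = Counter()
    for pkt in packets:
        verdict = "dropped" if is_fragment(pkt) else "accepted"
        src = ipaddress.ip_address(pkt[12:16])  # source address field
        group = "permitted" if any(src in n for n in nets) else "not-permitted"
        stats[(group, verdict)] += 1
    return stats


def make_header(src: str, flags_offset: int) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left at 0) for the sample input."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, flags_offset, 64, 6, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address("192.0.2.1").packed)


# Constructed sample traffic using documentation address ranges.
SAMPLE = [
    make_header("198.51.100.10", 0x4000),  # DF set, not a fragment
    make_header("198.51.100.10", 0x2000),  # first fragment (MF set, offset 0)
    make_header("203.0.113.7", 0x00B9),    # later fragment (offset 185)
    make_header("203.0.113.7", 0x0000),    # unfragmented
]

if __name__ == "__main__":
    for key, count in sorted(filter_packets(SAMPLE, ["198.51.100.0/24"]).items()):
        print(key, count)
```

Because a drop-all-fragments filter also discards legitimate fragmented traffic, any management client that sends datagrams larger than the path MTU will show up in the dropped counters.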
Configuring the IP Fragment Filter
• Options, page 5-9
• How to Enable the IP Fragment Filter, page 5-10
• How to Disable the IP Fragment Filter, page 5-10
Options
The following options are available:
• enable/disable — Enable or disable IP fragment filtering
  – Default — disable