Command Mode:
Global Mode
Usage Guide:
With this function enabled, the switch drops any data packet whose source IP
address is equal to its destination IP address.
Example:
Drop the data packet whose source IP address is equal to its destination
address
Switch(Config)# dosattack-check srcip-equal-dstip enable
2.6.3.2 dosattack-check ipv4-first-fragment enable
Command: [no] dosattack-check ipv4-first-fragment enable
Function:
Enable the function by which the switch checks the first fragment packet of
IPv4; the “no” form of this command disables this function.
Parameter:
None
Command Mode:
Global Mode
Usage Guide:
This command has no effect when used on its own. It should be used together
with the “dosattack-check tcp-flags enable” or the
“dosattack-check srcport-equal-dstport enable” command.
Example:
Drop the IPv4 fragment or non-fragment data packet whose source port is
equal to its destination port.
Switch(Config)# dosattack-check ipv4-first-fragment enable
Switch(Config)# dosattack-check srcport-equal-dstport enable
2.6.3.3 dosattack-check tcp-flags enable
Command: [no] dosattack-check tcp-flags enable
Function:
Enable the function by which the switch checks for unauthorized TCP flags;
the “no” form of this command disables this function.
Parameter:
None
Default:
This function is disabled on the switch by default.
Command Mode:
Global Mode
Usage Guide:
With this function enabled, the switch drops the following four types of data
packets containing unauthorized TCP flags: SYN=1 while the source port is smaller
than 1024; all TCP flag bits are 0 while the sequence number = 0; FIN=1, URG=1,
PSH=1 and the TCP sequence number = 0; SYN=1 and FIN=1. This function can be used
together with the “dosattack-check ipv4-first-fragment enable” command.
Example:
Drop one or more types of above four packet types.
Switch(Config)# dosattack-check tcp-flags enable
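The four tcp-flags rules from the Usage Guide above, expressed as a header check
for testing captured traffic before the command is enabled. This is an added
example, not the switch's own code; the rule names, build_header() and the choice
to read each rule literally over the six classic flag bits are assumptions.

```python
import struct

# TCP flag bits in the low byte of header bytes 12-13 (RFC 793 order).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
CLASSIC_FLAGS = 0x3F  # assumption: only the six classic flag bits are examined


def parse_tcp_header(raw: bytes):
    """Return (src_port, dst_port, seq, flags) from a raw TCP header."""
    if len(raw) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    src, dst, seq, _ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    return src, dst, seq, off_flags & CLASSIC_FLAGS


def tcp_flags_verdict(raw: bytes):
    """Names (hypothetical) of the documented rules this header matches; [] = forwarded."""
    src, _dst, seq, flags = parse_tcp_header(raw)
    hits = []
    if flags & SYN and src < 1024:                       # SYN=1, source port < 1024
        hits.append("syn-srcport-below-1024")
    if flags == 0 and seq == 0:                          # all flags 0, seq = 0
        hits.append("no-flags-seq-0")
    if flags & FIN and flags & URG and flags & PSH and seq == 0:
        hits.append("fin-urg-psh-seq-0")                 # FIN, URG, PSH set, seq = 0
    if flags & SYN and flags & FIN:                      # SYN=1 and FIN=1
        hits.append("syn-fin")
    return hits


def build_header(src, dst, seq, flags):
    """Constructed sample input: a 20-byte TCP header with data offset 5."""
    return struct.pack("!HHIIHHHH", src, dst, seq, 0, (5 << 12) | flags, 8192, 0, 0)


if __name__ == "__main__":
    samples = {  # constructed headers, not captured traffic
        "client SYN from port 51000": build_header(51000, 443, 1000, SYN),
        "client SYN from port 1023": build_header(1023, 2049, 1000, SYN),
        "no flags, seq 0": build_header(40000, 80, 0, 0),
        "FIN+URG+PSH, seq 0": build_header(40000, 80, 0, FIN | URG | PSH),
        "SYN+FIN": build_header(40000, 80, 7, SYN | FIN),
    }
    for name, hdr in samples.items():
        print(f"{name:28} -> {tcp_flags_verdict(hdr) or 'forwarded'}")
```

Under this literal reading a SYN+ACK sent from a server port below 1024 also
matches the first rule; the manual does not say how the switch treats ACK, so
confirm the behaviour on the device.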
2.6.3.4 dosattack-check srcport-equal-dstport enable
Command: dosattack-check srcport-equal-dstport enable