Support User Manuals

Enterasys Networks XSR CLI Router User Manual

Open as PDF

of 684

Firewall Interface Commands

16-132 Configuring Security

no ip firewall ip-options {loose-source-route | strict-source-route | record-

route | time-stamp | other | all} {in | out | both}

Default

IPoptionsarenotallowedinboundandoutbound.

Mode

Interfaceconfiguration:XSR(config-if<xx>)#

Example

ThefollowingexamplesetsloosesourceroutingonbothincomingandoutgoingpacketsatF2:

XSR(config-if<F2>)#ip firewall ip-op loose-source-route both

ip firewall sync-attack-protect

TheSYNCattackmonitor/blockerisolatesahostthatgeneratesafloodofSYNCpacketstothe

XSR’sfirewallandblockstrafficfromthatspecifichost,whileallowingdatapacketstopass.

Syntax

ip firewall sync-attack-protect {block-host | check-host | sync-queue} threshold

[threshold]

Syntax of the “no” Form

Thenoformofthiscommanddisablesthefunction:

no ip firewall sync-attack-protect {block-host | check-host | sync-queue}

threshold

Mode

Interfaceconfiguration:XSR(config-if<xx>)#

block-host

Blockhostwhensyncpacketrateexceedsthisvalue(syncpackets/sec).The

XSRcanblockupto20hostsatanygiventime.Whenblocked,allsyncpackets

toandframeshostaredropped,whileotherpacketsareallowedtogo

through.XSRautomaticallyunblockhostwhenthesyncpacketrate

ofthehost

dropstozerofor25seconds.

Thresholdrangeis10‐5,000,defaultis100

check-host

StartstomonitorsyncpacketrateofeachhostofaClassCsubnetifthesync

packetrateofthesubnetexceedsthisvalue.TheXSRcanmonitorupto3,000

classCsubnets.

Thresholdrangeis10‐5,000,defaultis100

sync-queue

Initiatessyncattackprotectionwhensyncbacklogqueueexceedsthisvalue.

Rangeis50to5,000,defaultis500.

threshold

Thelimitinwhichtheaboveparametersareenabled.

previous next