Security-Suite Deny Icmp - Cisco 300 Series Cli Manual
Stackable managed switches
Hide thumbs
Also See for 300 Series:
- Cli manual (899 pages) ,
- Administration manual (586 pages) ,
- Quick start manual (72 pages)
Table of Contents
Advertisement
Denial of Service (DoS) Commands
OL-32830-01 Command Line Interface Reference Guide
User Guidelines
For this command to work,
both globally and for interfaces.
Example
The following example attempts to discard IP fragmented packets from an
interface.
switchxxxxxx(config)#
switchxxxxxx(config)#
switchxxxxxx(config-if)#
To perform this command, DoS Prevention must be enabled in the per-interface mode.
16.2 security-suite deny icmp
To discard ICMP echo requests from a specific interface (to prevent attackers from
knowing that the device is on the network), use the security-suite deny icmp
Interface (Ethernet, Port Channel) Configuration mode command.
To permit echo requests, use the no form of this command.
Syntax
security-suite deny icmp
{ip-address | any} {mask | /prefix-length}]}
no security-suite deny icmp
Parameters
•
ip-address | any—Specifies the destination IP address. Use any to specify
all IP addresses.
•
mask—Specifies the network mask of the IP address.
•
prefix-length—Specifies the number of bits that comprise the IP address
prefix. The prefix length must be preceded by a forward slash (/).
Default Configuration
Echo requests are allowed from all interfaces.
show security-suite configuration
security-suite enable global-rules-only
interface gi11
security-suite deny fragmented add any /32
{[add {ip-address | any} {mask | /prefix-length}] | [remove
16
must be enabled
364
Advertisement
Table of Contents
