Cisco 350 Series Administration Manual page 516

Security
Denial of Service Prevention
Cisco 350, 350X and 550X Series Managed Switches, Firmware Release 2.4, ver 0.4

IPv4 Address—Enter the IP address for which the filter is defined, or select All Addresses.

Network Mask—Enter the network mask for which the filter is enabled in IP address format. Enter one of the following:
- Mask—Network mask in dotted decimal format.
- Prefix Length—Enter the prefix of the IP address to define the range of IP addresses for which Denial of Service prevention is enabled.

TCP Port—Select the destination TCP port being filtered:
- Known ports—Select a port from the list.
- User Defined—Enter a port number.
- All ports—Select to indicate that all ports are filtered.

STEP 4 Click Apply. The SYN filter is defined, and the Running Configuration file is updated.

SYN Rate Protection

The SYN Rate Protection page lets you limit the number of SYN packets received on the ingress port. This can mitigate the effect of a SYN flood against servers by rate limiting the number of new connections opened to handle packets.

To define SYN rate protection:

STEP 1 Click Security > Denial of Service Prevention > SYN Rate Protection.

This page displays the SYN rate protection currently defined per interface.

STEP 2 Click Add.

STEP 3 Enter the parameters.

Interface—Select the interface on which the rate protection is being defined.

IP Address—Enter the IP address for which the SYN rate protection is defined or select All Addresses. If you enter the IP address, enter either the mask or prefix length.

Network Mask—Select the format for the subnet mask for the source IP address, and enter a value in one of the fields:
- Mask—Select the subnet to which the source IP address belongs and enter the subnet mask in dotted decimal format.
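
The following is an added example, not Cisco firmware code or anything from the manual: a simplified Python model of the SYN rate protection rule described above, showing how the IP Address plus Mask or Prefix Length fields define one address range and how SYNs above a limit are dropped on one ingress interface. The per-second limit, the fixed one-second window, the interface names GE1 and GE2, and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

def rule_network(ip="All Addresses", mask=None, prefix_len=None):
    """Map the IP Address + Mask / Prefix Length fields to one address range."""
    if ip == "All Addresses":
        return ipaddress.ip_network("0.0.0.0/0")
    if (mask is None) == (prefix_len is None):
        raise ValueError("enter either the mask or the prefix length")
    # ip_network() raises ValueError for non-contiguous masks such as 255.0.255.0
    return ipaddress.ip_network(f"{ip}/{mask if mask is not None else prefix_len}", strict=False)

class SynRateRule:
    """Simplified model: fixed one-second windows, one rule on one ingress interface."""
    def __init__(self, interface, network, syn_per_sec):
        self.interface = interface
        self.network = network
        self.limit = syn_per_sec        # assumed rate field; not shown on this page
        self.seen = defaultdict(int)    # window start (whole seconds) -> SYNs counted

    def admit(self, pkt):
        """Return True if the packet is forwarded, False if it is rate limited."""
        # The page's Network Mask field describes the matched address as the source IP.
        in_scope = (pkt["iface"] == self.interface and pkt["syn"]
                    and ipaddress.ip_address(pkt["src"]) in self.network)
        if not in_scope:
            return True                 # the rule only counts matching SYNs
        window = int(pkt["t"])
        self.seen[window] += 1
        return self.seen[window] <= self.limit

def run_demo():
    """Replay constructed traffic through a 3 SYN/s rule on hypothetical port GE1."""
    rule = SynRateRule("GE1", rule_network("198.51.100.0", prefix_len=24), 3)
    pkts = [{"t": 0.1 * i, "iface": "GE1", "src": "198.51.100.7", "syn": True}
            for i in range(5)]                                   # burst in second 0
    pkts += [
        {"t": 0.6, "iface": "GE1", "src": "203.0.113.9", "syn": True},    # outside range
        {"t": 0.7, "iface": "GE1", "src": "198.51.100.7", "syn": False},  # not a SYN
        {"t": 1.2, "iface": "GE1", "src": "198.51.100.8", "syn": True},   # new window
        {"t": 1.3, "iface": "GE2", "src": "198.51.100.8", "syn": True},   # other port
    ]
    return [rule.admit(p) for p in pkts]

if __name__ == "__main__":
    print(run_demo())
```

In the constructed burst, only the fourth and fifth SYN from the matching range are dropped; traffic outside the range, non-SYN packets and packets on the other interface pass untouched.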