Cisco Sg3008 Manual

Page 401

Security
Denial of Service Prevention
364 Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version) 
18
-User Defined—Enter a port number.
-All Ports—Select to indicate that all ports are filtered.
STEP 4 Click Apply. The SYN filter is defined, and the Running Configuration file is updated.
SYN Rate Protection
The SYN Rate Protection page enables limiting the number of SYN packets 
received on the ingress port. This can mitigate the effect of a SYN flood...

Page 402

Security
Denial of Service Prevention
STEP 4 Click Apply. The SYN rate protection is defined, and the Running Configuration is updated.
ICMP Filtering
The ICMP Filtering page enables the blocking of ICMP packets from certain 
sources. This can reduce the load on the network in case of an ICMP attack.
To define ICMP filtering:
STEP 1 Click Security > Denial of Service Prevention > ICMP Filtering....

Page 403

Security
DHCP Snooping
•Interface—Select the interface on which the IP fragmentation is being 
defined.
•IP Address—Enter an IP network from which fragmented IP packets are filtered, or select All Addresses to block fragmented IP packets from all addresses. If you enter the IP address, enter either the mask or prefix length.
•Network Mask—Select the format for the subnet mask for the source IP...

Page 404

Security
IP Source Guard
•DHCP Snooping must be globally enabled in order to enable IP Source Guard on an interface.
•IP Source Guard can be active on an interface only if:
-DHCP Snooping is enabled on at least one of the port's VLANs
-The interface is DHCP untrusted. All packets on trusted ports are forwarded.
•If a port is DHCP trusted, filtering of static IP addresses can be configured,...

Page 405

Security
IP Source Guard
Configuring IP Source Guard Work Flow
To configure IP Source Guard:
STEP 1 Enable DHCP Snooping in the IP Configuration > DHCP > Properties page or in the Security > DHCP Snooping > Properties page.
STEP 2 Define the VLANs on which DHCP Snooping is enabled in the IP Configuration > DHCP > Interface Settings page.
STEP 3 Configure interfaces as trusted or untrusted in the...

Page 406

Security
IP Source Guard
STEP 1 Click Security > IP Source Guard > Interface Settings.
STEP 2 Select port/LAG from the Filter field and click Go. The ports/LAGs on this unit are displayed along with the following:
•IP Source Guard—Indicates whether IP Source Guard is enabled on the port.
•DHCP Snooping Trusted Interface—Indicates whether this is a DHCP trusted interface.
STEP 3 Select the...

Page 407

Security
ARP Inspection
The entries in the Binding database are displayed:
•VLAN ID—VLAN on which packet is expected.
•MAC Address—MAC address to be matched.
•IP Address—IP address to be matched.
•Interface—Interface on which packet is expected.
•Status—Displays whether interface is active.
•Type—Displays whether entry is dynamic or static.
•Reason—If the interface is not active, displays the...

Page 408

Security
ARP Inspection
The following shows an example of ARP cache poisoning.
ARP Cache Poisoning
Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same subnet. Their IP and MAC addresses are shown in parentheses; for example, Host A uses IP address IA and MAC address MA. When Host A needs to communicate with Host B at the IP layer, it broadcasts an...

Page 409

Security
ARP Inspection
•Trusted—Packets are not inspected.
•Untrusted—Packets are inspected as described above.
ARP inspection is performed only on untrusted interfaces. ARP packets that are received on the trusted interface are simply forwarded.
Upon packet arrival on untrusted interfaces, the following logic is implemented:
•Search the ARP access control rules for the packet's IP/MAC...

Page 410

Security
ARP Inspection
Interaction Between ARP Inspection and DHCP Snooping
If DHCP Snooping is enabled, ARP Inspection uses the DHCP Snooping Binding database in addition to the ARP access control rules. If DHCP Snooping is not enabled, only the ARP access control rules are used.
ARP Defaults
The following table describes the ARP defaults:
ARP Inspection Work Flow
To configure ARP...