Denial of Service (DoS) prevention is a network technology that increases network security. SYN rate protection is a DoS prevention feature that limits the number of SYN packets that a port or LAG can receive. It is used to prevent SYN floods on a network. A SYN flood is a type of DoS attack in which an attacker sends many SYN request packets to a network. This overloads the network's resources and makes the network unresponsive to legitimate traffic.
To use this feature, DoS Prevention must be set to System-Level and Interface-Level Prevention on the Security Suite Settings page. Refer to the article Security Suite Settings on 300 Series Managed Switches for more information.
This article explains how to configure and apply a SYN rate limit to an interface on the 300 Series Managed Switches.
• SF/SG 300 Series Managed Switches
• v1.2.7.76
Step 1. Log in to the web configuration utility and choose Security > Denial of Service Prevention > SYN Rate Protection. The SYN Rate Protection page opens.
Step 2. Click Add to add SYN Rate Protection. The Add SYN Rate Protection window appears.
Step 3. Click the radio button that corresponds with the desired interface in the Interface field.
• Port — From the Port drop-down list choose the port that the SYN rate protection will apply to.
• LAG — From the LAG drop-down list choose the LAG that the SYN rate protection will apply to.
Step 4. Click the radio button that corresponds to the desired IPv4 address in the IP address field. Packets from these IP addresses will be limited by SYN rate protection.
• User Defined — Enter an IPv4 address.
• All addresses — All IPv4 addresses apply.
Step 5. Click the radio button that corresponds to the desired network mask in the Network Mask field.
• Mask — Enter the network mask in IP address format. This will define the subnet mask for the IP address.
• Prefix Length — Enter the prefix length (integer in the range of 0 to 32). This will define the subnet mask by prefix length for the IP address.
Step 6. Enter a value in the SYN Rate Limit field. This is the maximum number of SYN packets the interface can receive per second.
Step 7. Click Apply. The SYN Rate Limit is applied to the interface.
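The rule built in Steps 3 through 7, modeled as an added example (not Cisco's code and not the switch's implementation) so that a candidate SYN Rate Limit can be checked against observed traffic before it is applied. It assumes the limit is counted in fixed one-second windows and that SYNs not matching the rule are left alone; the interface names and SYN records are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample: (arrival time in seconds, ingress interface, source IPv4).
SAMPLE = [
    (0.10, "GE1", "192.0.2.10"), (0.20, "GE1", "192.0.2.11"),
    (0.30, "GE1", "192.0.2.12"), (0.40, "GE1", "192.0.2.13"),
    (0.50, "GE1", "198.51.100.7"), (0.60, "GE2", "192.0.2.10"),
    (1.10, "GE1", "192.0.2.10"), (1.20, "GE1", "192.0.2.11"),
]

def make_rule(interface, limit, address=None, mask=None):
    """Mirror the page's fields. address=None is "All addresses"; mask is
    either dotted form ("255.255.255.0") or a prefix length (0 to 32)."""
    network = None
    if address is not None:
        network = ipaddress.ip_network(f"{address}/{mask}", strict=False)
    return {"interface": interface, "network": network, "limit": limit}

def matches(rule, interface, src):
    if interface != rule["interface"]:
        return False
    return rule["network"] is None or ipaddress.ip_address(src) in rule["network"]

def per_second_counts(rule, syn_events):
    """SYNs per one-second window for traffic the rule applies to."""
    return Counter(int(ts) for ts, iface, src in syn_events if matches(rule, iface, src))

def apply_rule(rule, syn_events):
    """Return (passed, dropped). Assumption: fixed one-second windows, and
    SYNs that do not match the rule are never limited by it."""
    counts = per_second_counts(rule, syn_events)
    dropped = sum(max(0, n - rule["limit"]) for n in counts.values())
    return len(syn_events) - dropped, dropped

def peak_rate(rule, syn_events):
    """Highest SYNs/second seen for matching traffic (0 if none match)."""
    return max(per_second_counts(rule, syn_events).values(), default=0)

if __name__ == "__main__":
    rule = make_rule("GE1", 2, "192.0.2.0", 24)
    print("peak SYN/s:", peak_rate(rule, SAMPLE))
    print("passed, dropped:", apply_rule(rule, SAMPLE))
```

Running `peak_rate` over a baseline of normal traffic gives a floor for the SYN Rate Limit value; a limit below that peak would drop legitimate connection attempts.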
Revision | Publish Date | Comments |
---|---|---|
1.0 | 13-Dec-2018 | Initial Release |