This documentation is for an older version of the software. If you are using the current version of Cumulus Linux, this content may not be up to date. The current version of the documentation is available here. If you are redirected to the main page of the user guide, then this page may have been renamed; please search for it there.

Configuring Hardware-enabled DDOS Protection

This configuration option is only available for Trident, Trident II, and Tomahawk chipsets.

Configure Persistent DDOS Protection

  1. Open the /etc/cumulus/datapath/traffic.conf file in a text editor.

  2. Enable DOS prevention checks by changing the following value to true, and save the file:

    # To turn on/off Denial of Service (DOS) prevention checks
    dos_enable = true
    
  3. Open the /etc/bcm.d/datapath/datapath.conf or /etc/mlx/datapath/datapath.conf file in a text editor.

  4. Set the following checks to true, and save the file:

    # Enabling/disabling Denial of service (DOS) prevetion checks
    # To change the default configuration:
    # enable/disable the individual DOS checks.
    dos.sip_eq_dip = true
    dos.smac_eq_dmac = true
    dos.tcp_hdr_partial = true
    dos.tcp_syn_frag = true
    dos.tcp_ports_eq = true
    dos.tcp_flags_syn_fin = true
    dos.tcp_flags_fup_seq0 = true
    dos.tcp_offset1 = true
    dos.tcp_ctrl0_seq0 = true
    dos.udp_ports_eq = true
    dos.icmp_frag = true
    dos.icmpv4_length = true
    dos.icmpv6_length = true
    dos.ipv6_min_frag = true
    
  5. Restart switchd to enable DOS protection:

    cumulus@switch:~$ sudo systemctl restart switchd.service