04-20-2021 12:17 AM
Hi,
I have configured the below commands in a Cisco SG350 switch for DoS prevention, but after a SYN attack on the switch ports I am not getting syslog messages like the ones below:
01-Jan-2012 05:29:46: A TCP SYN Attack was identified on port gi1
01-Jan-2012 05:29:46: A TCP SYN Attack was identified on port gi1. TCP SYN traffic destined to the local system is automatically blocked for 100 seconds.
The above logs are not found, and when I check the show commands, they also do not show any SYN-blocked ports:
DOS#show security-suite syn protection
Protection Mode: Block
Threshold: 80
Recovery: 60
Interface Name    Operational Status    Last Attack
----------------  --------------------  ---------------------------------------------
The attacked port is not shown.
The below commands are what I configured for DoS prevention:
DOS(config)#security-suite enable
DOS(config)#security-suite dos protection mode block
DOS(config)#interface range GigabitEthernet1 - 48
DOS(config-if-range)#switchport mode access
DOS(config-if-range)#switchport access vlan 3
DOS(config-if-range)#security-suite syn protection mode Block
DOS(config-if-range)#security-suite dos syn-attack 199 any
How do I get the logs showing that my port was attacked by SYN?
Please share the commands with me.
Thanks,
Regards,
Yasmeen Shaul Hameed.
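As an added example (not from the original post or from Cisco), here is a Python parser for the two syslog message formats quoted above, so that SYN-attack events can be counted per port once the switch does emit them; the log lines below are constructed samples in that format, and the regex and function names are my own.

```python
import re
from datetime import datetime
from typing import Optional, NamedTuple

# Constructed sample lines in the format quoted in the post above.
# The third line is an unrelated message to show that it is ignored.
SAMPLE_LOG = """\
01-Jan-2012 05:29:46: A TCP SYN Attack was identified on port gi1
01-Jan-2012 05:29:46: A TCP SYN Attack was identified on port gi1. TCP SYN traffic destined to the local system is automatically blocked for 100 seconds.
01-Jan-2012 05:30:10: %LINK-I-Up: gi2
"""

# Matches both variants: detection only, and detection plus automatic block.
_SYN_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}): "
    r"A TCP SYN Attack was identified on port (?P<port>\S+?)\.?"
    r"(?: TCP SYN traffic destined to the local system is automatically "
    r"blocked for (?P<secs>\d+) seconds\.)?$"
)

class SynEvent(NamedTuple):
    when: datetime
    port: str
    blocked_for: Optional[int]   # None when the message only reports detection

def parse_syn_event(line: str) -> Optional[SynEvent]:
    """Return a SynEvent for a SYN-attack syslog line, or None for any other line."""
    m = _SYN_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    secs = m.group("secs")
    return SynEvent(when, m.group("port"), int(secs) if secs else None)

def summarize(log_text: str) -> dict:
    """Count SYN-attack events per port and record the latest block duration seen."""
    summary: dict = {}
    for line in log_text.splitlines():
        ev = parse_syn_event(line)
        if ev is None:
            continue
        entry = summary.setdefault(ev.port, {"events": 0, "last_seen": None, "blocked_for": None})
        entry["events"] += 1
        entry["last_seen"] = ev.when
        if ev.blocked_for is not None:
            entry["blocked_for"] = ev.blocked_for
    return summary
```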
04-20-2021 07:04 AM
Check what kind of logging is enabled:
04-20-2021 08:19 AM
Hi Balaji,
I have enabled the options mentioned in the above link, but I am not seeing the below type of notification after a SYN attack on a switch port:
switchxxxxxx# show security-suite syn protection
Protection Mode: Block
Threshold: 40 Packets Per Second
Period: 100 Seconds
-------------------------------------------------------------------------------------------------
Interface Name Current Status Last Attack
There is no blocked port showing under Interface Name, Current Status and Last Attack,
but my switch port got attacked by a SYN flood.
In the show security syn protection command, nothing is showing.
04-20-2021 09:10 AM
Do you see any attacks after you enabled it? Maybe after that you did not have any SYN attacks, so it was not showing. So try to use a test device to simulate an attack on the interface, and you can see the logs?
04-21-2021 12:27 AM
Yes, I have run the below command to test the SYN attack on one switch port:
hping3 -c 10000 -d 128 -S -w 64 -p 8000 --flood --rand -source 192.168.1.1
After running this command, we didn't see any syslog messages for that particular port.
switchxxxxxx# show security-suite syn protection
Protection Mode: Block
Threshold: 40 Packets Per Second
Period: 100 Seconds
-------------------------------------------------------------------------------------------------
Interface Name Current Status Last Attack
The interface is blank, with no information, when I run the show commands.