New-NetIPsecDospSetting

Windows Server 2012 R2 and Windows 8.1

New-NetIPsecDospSetting

Creates an IPsec DoS protection setting and adds the setting to the target computer.

구문

Parameter Set: cim:CreateInstance0
New-NetIPsecDospSetting -Name <String> -PrivateInterfaceAliases <WildcardPattern[]> -PublicInterfaceAliases <WildcardPattern[]> [-AsJob] [-CimSession <CimSession[]> ] [-DefBlockExemptDscp <UInt16> ] [-DefBlockExemptRateLimitBytesPerSec <UInt32> ] [-EnabledKeyingModules <DospKeyModules> ] [-FilteringFlags <DospFlags> ] [-IcmpV6Dscp <UInt16> ] [-IcmpV6RateLimitBytesPerSec <UInt32> ] [-IpV6FilterExemptDscp <UInt32> ] [-IpV6FilterExemptRateLimitBytesPerSec <UInt32> ] [-IpV6IPsecAuthDscp <UInt16> ] [-IpV6IPsecAuthRateLimitBytesPerSec <UInt32> ] [-IpV6IPsecUnauthDscp <UInt32> ] [-IpV6IPsecUnauthPerIPRateLimitBytesPerSec <UInt32> ] [-IpV6IPsecUnauthRateLimitBytesPerSec <UInt32> ] [-MaxPerIPRateLimitQueues <UInt32> ] [-MaxStateEntries <UInt32> ] [-PerIPRateLimitQueueIdleTimeoutSeconds <UInt32> ] [-PrivateV6Address <String> ] [-PublicV6Address <String> ] [-StateIdleTimeoutSeconds <UInt32> ] [-ThrottleLimit <Int32> ] [-Confirm] [-WhatIf] [ <CommonParameters>]




자세한 설명

The New-NetIPsecDospSetting cmdlet creates an IPsec DoS protection setting and adds it to the target computer.

The NetIPsecDospSetting configurations affect only IPv6-based connections that are protected by using Encapsulating Security Payload (ESP), and the IPsec negotiation traffic and ICMPv6 traffic that is required to establish those connections.

Architecturally, the computer on which IPsec Dosp is configured using this cmdlet is located on the network edge and is in the path for any native IPv6 traffic and IPv6 traffic encapsulated inside tunnels such as Teredo, 6to4, and IP-HTTPS. The computer can be the same computer as the Teredo relay, 6to4 gateway or relay, or IP-HTTPS server. In those cases, the IPsec DoS protection feature intercepts the forwarded packets after the packets are extracted from the tunnel. The only exception is that the IPsec DoS protection feature cannot be deployed on an IPsec gateway, because IPsec tunnel traffic bypasses the IPsec DoS protection feature. To protect an IPsec gateway, place the IPsec DoS protection feature on a separate computer that is between the Internet and the IPsec gateway.

By default, no interfaces are assigned to the IPsec DoS protection feature. At least one public interface using the PublicInterfaceAliases parameter and one internal interface using the PrivateInterfaceAliases parameter for the feature must be added to be operational. Those features that are not specified are assigned the default values. By default, AuthIP only is allowed to all internal addresses.

This cmdlet has no effect on existing IPsec connections; it only affects IPsec negotiation traffic that uses IKEv1, IKEv2 or AuthIP. ICMPv6 network traffic is always allowed to enable Teredo and other advanced network scenarios to work.

IPsec-protected traffic that is part of an established connection that uses ESP is always allowed, as long as the connection has not been idle for more than the number of seconds specified with the StateIdleTimeoutSeconds parameter. The DefBlockExemptRateLimitBytesPerSec, IcmpV6RateLimitBytesPerSec, IpV6FilterExemptRateLimitBytesPerSec, IpV6IPsecAuthRateLimitBytesPerSec, IpV6IPsecUnauthPerIPRateLimitBytesPerSec, and IpV6IPsecUnauthRateLimitBytesPerSec parameters limit the rate of inbound traffic of the specified type flowing from the public to the internal interface. You can specify an overall rate for all traffic of a specified type, or you can limit the rate of the specified traffic to a specified IP address.

Note: the following two prerequisite steps must be taken for this cmdlet to succeed.
-- Set-NetIpv4Protocol -CimSession $session -GroupForwardedFragments Enabled$sessionEnabled
-- Set-NetIpv6Protocol -CimSession $session -GroupForwardedFragments Enabled$sessionEnabled
-- New-NetIPsecDospSetting -CimSession $session -Name "Enforce IPsec DoS protection" -PublicInterfaceAliases $publicInterface -PrivateInterfaceAliases $privateInterface$session"Enforce IPsec DoS protection"$publicInterface$privateInterface

매개 변수

-AsJob

별칭

없음

필수 여부

false

위치

named

기본값

없음

파이프라인 입력 적용 여부

false

와일드카드 문자 허용 여부

false

-CimSession<CimSession[]>

원격 세션에서 또는 원격 컴퓨터에서 cmdlet을 실행합니다. New-CimSession 또는 Get-CimSession cmdlet의 출력과 같은 컴퓨터 이름이나 세션 개체를 입력합니다. 기본값은 로컬 컴퓨터의 현재 세션입니다.


별칭

Session

필수 여부

false

위치

named

기본값

없음

파이프라인 입력 적용 여부

false

와일드카드 문자 허용 여부

false

-DefBlockExemptDscp<UInt16>

Specifies the 6-bit value, specified as an integer from 1 to 63, that is placed in the differentiated services code point (DSCP) field of the IPv6 header when the traffic type matches traffic that is by default exempted from the default block behavior such as IPsec authenticated, IPsec unauthenticated, and ICMPv6 traffic. The DSCP value can be used in Quality of Service (QoS) implementations to prioritize network traffic and help ensure that less important network packets do not consume so much bandwidth that they interfere with the successful delivery of more important network packets.
이 매개 변수에 허용되는 값은 다음과 같습니다. 1 through 63, and Disabled. The default value is Disabled.
-- Disabled: This turns off DSCP marking for traffic that is by default exempted from the default block behavior. This includes IPsec authenticated, IPsec unauthenticated, and ICMPv6 traffic. This parameter is case-sensitive and requires Disabled to be specified using dot-notation.


별칭

없음

필수 여부

false

위치

named

기본값

없음

파이프라인 입력 적용 여부

false

와일드카드 문자 허용 여부

false

-DefBlockExemptRateLimitBytesPerSec<UInt32>

Specifies the maximum rate at which IPsec authenticated, IPsec unauthenticated, and ICMPv6 inbound network traffic such as traffic that is by default exempted from the default block behavior is forwarded from the public interface to the internal interface.
이 매개 변수에 허용되는 값은 다음과 같습니다. 1 through 4,294,967,295 bytes per second.
The default value is 102400.


별칭

없음

필수 여부

false

위치

named

기본값

없음

파이프라인 입력 적용 여부

false

와일드카드 문자 허용 여부

false

-EnabledKeyingModules<DospKeyModules>

Specifies the IPsec negotiation protocol, or keying module, to allow. The IPv6 address or subnet to which the specified IPsec negotiation protocol is allowed to be sent with the PrivateV6Address parameter can be optionally specified. By default, only IPsec negotiation traffic that uses AuthIP is allowed to all addresses.
ICMPv6 network traffic is always allowed to enable Teredo and other advanced network scenarios to work. The IPsec-protected traffic that is part of an established connection that uses ESP is always allowed, as long as the connection has not been idle for more than the number of seconds specified with the StateIdleTimeoutSeconds parameter.
이 매개 변수에 허용되는 값은 다음과 같습니다. None, IkeV1, IkeV2, or AuthIP.
The default value is AuthIP.


별칭

없음

필수 여부

false

위치

named

기본값

없음

파이프라인 입력 적용 여부

false

와일드카드 문자 허용 여부

false

-FilteringFlags<DospFlags>

Specifies the action to take on network traffic that matches the Dosp setting address filters the public V6 address and the privateV6 address.
Only one filter can be applied to a specific address or subnet. If a second Dosp setting with the exact same address or subnet parameter is created, then an error is displayed. If an address matches more than one filter, then the most specific match is selected and the corresponding filter is applied. For example, 2006:2006::2 matches a filter with the prefix 2006:2006::2/128 more closely than a filter with the prefix 2006:2006::2/64.
이 매개 변수에 허용되는 값은 다음과 같습니다.
-- None: IPsec DoS protection feature drops all IPv4 traffic, and all non-IPsec IPv6 traffic (except ICMPv6) that is forwarded between a public interface and an internal interface.
-- DisableDefaultBlock: IPsec DoS protection feature blocks no traffic.
-- FilterBlock: Specifies that network traffic that matches the Dosp setting address filters using the PublicV6Address and PrivateV6Address parameters is blocked even if it is IPsec-protected.
-- FilterExempt: Specifies that IPv6 network traffic that matches the Dosp setting address filters using the PublicV6Address and PrivateV6Address parameters does not have to be IPsec-protected to be allowed through.
The default value is None.


별칭

없음

필수 여부

false

위치

named

기본값

없음

파이프라인 입력 적용 여부

false

와일드카드 문자 허용 여부

false

-IcmpV6Dscp<UInt16>

Specifies that ICMPv6 protocol traffic is assigned the given DSCP value.
This parameter specifies the 6-bit value, specified as an integer from 1 to 63, that is placed in the DSCP field of the IPv6 header, when the traffic type matches ICMPv6 protocol traffic. The DSCP value can be used in Quality of Service (QoS) implementations to prioritize network traffic and help ensure that less important network packets do not consume so much bandwidth that the packets interfere with the successful delivery of more important network packets.
이 매개 변수에 허용되는 값은 다음과 같습니다. 1 through 63, and Disabled.
The default value is Disabled.
-- Disabled: Turns off DSCP marking for ICMPv6 protocol traffic. This parameter is case-sensitive and requires Disabled to be specified using dot-notation.


별칭

없음

필수 여부

false

위치

named

기본값

없음

파이프라인 입력 적용 여부

false

와일드카드 문자 허용 여부

false

-IcmpV6RateLimitBytesPerSec<UInt32>

Specifies the maximum rate at which ICMPv6 inbound network traffic is forwarded from the public to the internal interface.
이 매개 변수에 허용되는 값은 다음과 같습니다. 1 through 4,294,967,295 bytes per second.
The default value is 10240.


별칭

없음

필수 여부

false

위치

named

기본값

없음

파이프라인 입력 적용 여부

false

와일드카드 문자 허용 여부

false

-IpV6FilterExemptDscp<UInt32>

Specifies that IPv6 traffic with an IP address that is exempted by using an address filter is assigned the given DSCP value.
To specify that the IPv6 network traffic that matches the Dosp setting address filters using the PublicV6Address and PrivateV6Address parameters does not have to be IPsec-protected to be allowed through set the FilteringFlags parameter to the filter exempt value.
This parameter specifies the 6-bit value, specified as an integer from 1 to 63, that is placed in the DSCP field of the IPv6 header when the traffic type matches the exempted address filter traffic. The DSCP value can be used in Quality of Service (QoS) implementations to prioritize network traffic and help ensure that less important network packets do not consume so much bandwidth that they interfere with the successful delivery of more important network packets.
이 매개 변수에 허용되는 값은 다음과 같습니다. 1 through 63, and Disabled.
The default value is Disabled.
-- Disabled: Turns off DSCP marking for traffic from the specified address filter, specified with the PrivateV6Address or PublicV6Address parameter. This parameter is case-sensitive and requires Disabled to be specified using dot-notation.


별칭

없음

필수 여부

false

위치

named

기본값

없음

파이프라인 입력 적용 여부

false

와일드카드 문자 허용 여부

false

-IpV6FilterExemptRateLimitBytesPerSec<UInt32>

Specifies the maximum rate at which inbound IPv6 network traffic, that is exempted by using an address filter, is forwarded from the public to the internal interface.
To specify that the IPv6 network traffic that matches the Dosp setting address filters using the PublicV6Address and PrivateV6Address parameters does not have to be IPsec-protected to be allowed through set the FilteringFlags parameter to the filter exempt value.
이 매개 변수에 허용되는 값은 다음과 같습니다. 1 through 4,294,967,295 bytes per second.
The default value is 102400.


별칭

없음

필수 여부

false

위치

named

기본값

없음

파이프라인 입력 적용 여부

false

와일드카드 문자 허용 여부

false

-IpV6IPsecAuthDscp<UInt16>

Specifies that authenticated IPv6 IPsec-protected traffic is assigned the given DSCP value.
This parameter specifies the 6-bit value, specified as an integer from 1 to 63, that is placed in the DSCP field of the IPv6 header, when the traffic type matches authenticated IPv6 IPsec-protected traffic. The DSCP value can be used in Quality of Service (QoS) implementations to prioritize network traffic and help ensure that less important network packets do not consume so much bandwidth that they interfere with the successful delivery of more important network packets.
The default value is Disabled.
-- Disabled: Turns off DSCP marking for authenticated IPv6 IPsec-protected traffic. This parameter is case-sensitive and requires Disabled to be specified using dot-notation.


별칭

없음

필수 여부

false

위치

named

기본값

없음

파이프라인 입력 적용 여부

false

와일드카드 문자 허용 여부

false

-IpV6IPsecAuthRateLimitBytesPerSec<UInt32>

Specifies the maximum rate at which authenticated IPv6 IPsec-protected inbound traffic is forwarded from the public to the internal interface.
이 매개 변수에 허용되는 값은 다음과 같습니다. 1 through 4,294,967,295 bytes per second.
The default value is 0, which disables the rate limit for this traffic.


별칭

없음

필수 여부

false

위치

named

기본값

없음

파이프라인 입력 적용 여부

false

와일드카드 문자 허용 여부

false

-IpV6IPsecUnauthDscp<UInt32>

Specifies that unauthenticated IPv6 IPsec-protected traffic is assigned the given DSCP value.
This parameter specifies the 6-bit value, specified as an integer from 1 to 63, that is placed in the DSCP field of the IPv6 header when the traffic type matches unauthenticated IPv6 IPsec-protected traffic. The DSCP value can be used in Quality of Service (QoS) implementations to prioritize network traffic and help ensure that less important network packets do not consume so much bandwidth that they interfere with the successful delivery of more important network packets.
이 매개 변수에 허용되는 값은 다음과 같습니다. 1 through 63, and Disabled.
The default value is Disabled.
-- Disabled: Turns off DSCP marking for unauthenticated IPv6 IPsec-protected traffic. This parameter is case-sensitive and requires Disabled to be specified using dot-notation.


별칭

없음

필수 여부

false

위치

named

기본값

없음

파이프라인 입력 적용 여부

false

와일드카드 문자 허용 여부

false

-IpV6IPsecUnauthPerIPRateLimitBytesPerSec<UInt32>

Specifies the maximum rate at which unauthenticated IPv6 IPsec-protected inbound traffic is forwarded from the public to the internal interface.
If a per IP address rate limit is defined, then it is used instead of the global rate limit using the IpV6IPsecUnauthRateLimitBytesPerSec parameter. To rate limit on a per IP address basis, configure the number of per IP queues to support this by using the MaxPerIPRateLimitQueues parameter.
이 매개 변수에 허용되는 값은 다음과 같습니다. 1 through 4,294,967,295 bytes per second.
The default value is 10240.


별칭

없음

필수 여부

false

위치

named

기본값

없음

파이프라인 입력 적용 여부

false

와일드카드 문자 허용 여부

false

-IpV6IPsecUnauthRateLimitBytesPerSec<UInt32>

Specifies the maximum rate at which unauthenticated IPv6 IPsec-protected inbound traffic is forwarded from the public to the internal interface. This rate limit is applied on a per IP address basis, instead of network-wide.
If a per IP address rate limit is defined using the IpV6IPsecUnauthPerIPRateLimitBytesPerSec parameter, then it is used instead of the global rate limit. To rate limit on a per IP address basis, configure the number of per IP queues to support this by using the MaxPerIPRateLimitQueues parameter.
이 매개 변수에 허용되는 값은 다음과 같습니다. 1 through 4,294,967,295 bytes per second.
The default value is 10240.


별칭

없음

필수 여부

false

위치

named

기본값

없음

파이프라인 입력 적용 여부

false

와일드카드 문자 허용 여부

false

-MaxPerIPRateLimitQueues<UInt32>

When using rate limits on unauthenticated traffic, this value specifies the maximum number of queues that can be used to hold traffic while it is delivered at the configured rate.
The per IP address rate limit is defined with the IpV6IPsecUnauthPerIPRateLimitBytesPerSec parameter.
이 매개 변수에 허용되는 값은 다음과 같습니다. 1 through 4,294,967,295 queues.
The default value is 50000.


별칭

없음

필수 여부

false

위치

named

기본값

없음

파이프라인 입력 적용 여부

false

와일드카드 문자 허용 여부

false

-MaxStateEntries<UInt32>

Specifies the maximum number of connections that the IPsec DoS protection feature can track at one time.
이 매개 변수에 허용되는 값은 다음과 같습니다. 1 through 4,294,967,295 sessions.
The default value is 75000.


별칭

없음

필수 여부

false

위치

named

기본값

없음

파이프라인 입력 적용 여부

false

와일드카드 문자 허용 여부

false

-Name<String>

Specifies the unique identifier of the Dosp configuration setting. This parameter is mandatory.


별칭

없음

필수 여부

true

위치

named

기본값

없음

파이프라인 입력 적용 여부

false

와일드카드 문자 허용 여부

false

-PerIPRateLimitQueueIdleTimeoutSeconds<UInt32>

Specifies, when using rate limits on unauthenticated traffic on a per IP address basis, the timeout in seconds that the connection can be idle before the IPsec DoS protection feature treats the connection as stale and stops tracking the state.
The per IP address rate limit is defined with the IpV6IPsecUnauthPerIPRateLimitBytesPerSec parameter.
이 매개 변수에 허용되는 값은 다음과 같습니다. 1 through 4,294,967,295 seconds.
The default value is 360, or six minutes.


별칭

없음

필수 여부

false

위치

named

기본값

없음

파이프라인 입력 적용 여부

false

와일드카드 문자 허용 여부

false

-PrivateInterfaceAliases<WildcardPattern[]>

Adds the specified interface to the IPsec DoS protection configuration as an internal interface.
At least one public interface using the PublicInterfaceAliases parameter and one internal interface using the PrivateInterfaceAliases parameter for the Dosp setting must be set to be operational.


별칭

없음

필수 여부

true

위치

named

기본값

없음

파이프라인 입력 적용 여부

false

와일드카드 문자 허용 여부

false

-PrivateV6Address<String>

Specifies the internal IPsec address or subnet that matches the Dosp address filter.
This parameter adds a filter that either blocks or allows via exempting the network traffic that is not IPv6 and IPsec-protected from the specified public address or subnet using the PublicV6Address parameter to the specified internal address or subnet using this parameter. This behavior, referring to blocking or exempting, is specified with the FilteringFlags parameter.
Only one filter can be applied to a specific address or subnet. If a second rule with the exact same address or subnet parameter is created, then an error is displayed. If an address matches more than one filter, then the most specific match is selected and the corresponding filter is applied. For example, 2006:2006::2 matches a filter with the prefix 2006:2006::2/128 more closely than a filter with the prefix 2006:2006::2/64. If both the PublicV6Address parameter and this parameter are specified, then the Dosp rule treats the parameter values as a logical AND operator. Traffic matches the rule if it comes from an address with the specified public prefix and the traffic is destined for an address with the specified internal prefix.
Network traffic of the specified protocol as specified using the EnabledKeyingModules parameter that is sent from an address or subnet not on the list is dropped. To specify a subnet, include the forward slash (/) followed by the number of digits that represent the network identifier.


별칭

없음

필수 여부

false

위치

named

기본값

없음

파이프라인 입력 적용 여부

false

와일드카드 문자 허용 여부

false

-PublicInterfaceAliases<WildcardPattern[]>

Adds the specified interface to the IPsec DoS protection configuration as a public interface.
At least one public interface using the PublicInterfaceAliases parameter and one internal interface using the PrivateInterfaceAliases parameter for the Dosp setting must be added to be operational.


별칭

없음

필수 여부

true

위치

named

기본값

없음

파이프라인 입력 적용 여부

false

와일드카드 문자 허용 여부

false

-PublicV6Address<String>

Specifies the external IPsec address or subnet that matches the Dosp address filter.
This parameter adds a filter that either blocks or allows via exempting the network traffic that is not IPv6 and IPsec-protected from the specified public address or subnet using this parameter to the specified internal address or subnet using the PrivateV6Address parameter. This behavior, referring to blocking or exempting, is specified with the FilteringFlags parameter.
Only one filter can be applied to a specific address or subnet. If a second rule with the exact same address or subnet parameter is created, then an error is displayed. If an address matches more than one filter, then the most specific match is selected and the corresponding filter is applied. For example, 2006:2006::2 matches a filter with the prefix 2006:2006::2/128 more closely than a filter with the prefix 2006:2006::2/64. If both this parameter and thePrivateV6Address parameter are specified, then the Dosp rule treats the parameter values as a logical AND operator. Traffic matches the rule if it comes from an address with the specified public prefix and the traffic is destined for an address with the specified internal prefix.
Network traffic of the specified protocol as specified using the EnabledKeyingModules parameter that is sent from an address or subnet not on the list is dropped. To specify a subnet, include the forward slash (/) followed by the number of digits that represent the network identifier.


별칭

없음

필수 여부

false

위치

named

기본값

없음

파이프라인 입력 적용 여부

false

와일드카드 문자 허용 여부

false

-StateIdleTimeoutSeconds<UInt32>

Specifies the number of seconds that an IPsec session can be idle before the IPsec DoS protection feature stops considering it to be a valid IPsec-protected connection that is allowed by the feature. After the specified number of seconds, the IPsec session is considered stale, and traffic that is part of the session is no longer allowed through the feature by default.
이 매개 변수에 허용되는 값은 다음과 같습니다. 1 through 4,294,967,295 seconds.
The default value is 360, or six minutes.


별칭

없음

필수 여부

false

위치

named

기본값

없음

파이프라인 입력 적용 여부

false

와일드카드 문자 허용 여부

false

-ThrottleLimit<Int32>

이 cmdlet을 실행하도록 설정할 수 있는 최대 동시 작업 수를 지정합니다. 이 매개 변수가 생략되거나 값 0이 입력되면 Windows PowerShell®은 컴퓨터에서 실행 중인 CIM cmdlet의 수에 따라 cmdlet에 대한 최적의 제한 한도를 계산합니다. 제한 한도는 현재 cmdlet에만 적용되며 세션이나 컴퓨터에는 적용되지 않습니다.


별칭

없음

필수 여부

false

위치

named

기본값

없음

파이프라인 입력 적용 여부

false

와일드카드 문자 허용 여부

false

-Confirm

cmdlet을 실행하기 전에 확인 메시지가 표시됩니다.


필수 여부

false

위치

named

기본값

false

파이프라인 입력 적용 여부

false

와일드카드 문자 허용 여부

false

-WhatIf

cmdlet이 실행될 경우 결과 동작을 표시합니다. cmdlet이 실행되지 않습니다.


필수 여부

false

위치

named

기본값

false

파이프라인 입력 적용 여부

false

와일드카드 문자 허용 여부

false

<CommonParameters>

이 cmdlet은 일반 매개 변수 -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer 및 -OutVariable을 지원합니다. 자세한 내용은 다음을 참조하세요. about_CommonParameters(http://go.microsoft.com/fwlink/p/?LinkID=113216).

입력

입력 유형은 cmdlet에 파이프할 수 있는 개체의 유형입니다.

  • None

출력

출력 유형은 cmdlet이 내보내는 개체의 유형입니다.

  • Microsoft.Management.Infrastructure.CimInstance#root\StandardCimv2\NetIPsecDospSetting[]

    Microsoft.Management.Infrastructure.CimInstance 개체는 WMI(Windows Management Instrumentation) 개체를 표시하는 래퍼 클래스입니다. 파운드 기호(#) 뒤에 오는 경로는 기본 WMI 개체의 네임스페이스 및 클래스 이름을 제공합니다.


예제

EXAMPLE 1

This example adds the public and internal network adapters as interfaces of the IPsec DoS protection feature.


PS C:\> New-NetIPsecDospSetting –Name PubNet-CorpNet -PublicInterfaceAliases PubNet –PrivateInterfaceAliases CorpNet

EXAMPLE 2

This example enables IKEv1 negotiation traffic to all IPv6 addresses.


PS C:\> New-NetIPsecDospSetting –Name IKEv1-PubNet-CorpNet –PublicInterfaceAliases PubNet –PrivateInterfaceAliases CorpNet –EnabledKeyingModules IKEv1

EXAMPLE 3

This example enables IKEv1 negotiation traffic to a single IPv6 addresses.


PS C:\> New-NetIPsecDospSetting –Name "IKEv1-PubNet-CorpNet-3ff3:401d:1f00:baa::1" –PublicInterfaceAliases PubNet –PrivateInterfaceAliases CorpNet –EnabledKeyingModules IKEv1 –Privatev6Address 3ff3:401d:1f00:baa::1

EXAMPLE 4

This example blocks all network traffic, even IPsec-protected traffic from the specified public IPv6 subnet.


PS C:\> New-NetIPsecDospSetting –Name "Block-3ffe:401d:1f00::/64-PubNet-CorpNet" –PublicInterfaceAliases PubNet –PrivateInterfaceAliases CorpNet -FilteringFlags FilterBlock –Publicv6Address 3ff3:401d:1f00:baa::1

EXAMPLE 5

This example marks all unauthenticated IPsec traffic with the value of 10.


PS C:\> New-NetIPsecDospSetting –Name PubNet-CorpNet-Unauth10 –PublicInterfaceAliases PubNet –PrivateInterfaceAliases CorpNet -IpV6IPsecUnauthDscp 10

EXAMPLE 6

This example limits all IPsec unauthenticated network traffic to 2048 bytes per second.


PS C:\> New-NetIPsecDospSetting –Name PubNet-CorpNet –PublicInterfaceAliases PubNet –PrivateInterfaceAliases CorpNet -IpV6IPsecUnauthRateLimitBytesPerSec 2048

EXAMPLE 7

This example configures the IPsec DoS protection feature to stop tracking a connection after it is idle for 480 seconds, and to track a maximum of 100,000 connections.


PS C:\> New-NetIPsecDospSetting –Name PubNet-CorpNet –PublicInterfaceAliases PubNet –PrivateInterfaceAliases CorpNet -StateIdleTimeoutSeconds 480 –MaxStateEntries 100000

관련 항목

커뮤니티 추가 항목

추가
표시: