To protect R5 from large ICMP packet floods, configure traffic policing. See Example 3-31.
To verify, send both large ICMP packet pings and regular ICMP pings from a host in VLAN-14 to 18.104.22.168. See Example 3-32.
For more information, see the following URL:
The traffic policing feature works with a token bucket mechanism. There are currently two types of token bucket algorithms: a single-token bucket algorithm and a two-token bucket algorithm.
A single-token bucket system is used when the violate-action option is not specified.
A two-token bucket system is used when the violate-action option is specified.
For more information on token bucket, see the following URL:
Example 3-31. Configuring Traffic Policing
!Snip from R5 config
class-map match-any icmp-attack
 match access-group 111
policy-map police
 class icmp-attack
  police 8000 4000 6000 conform-action transmit exceed-action drop violate-action drop
!
interface Ethernet0
 ip address 22.214.171.124 255.255.255.248
 ip access-group 101 in
 service-policy input police
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip 126.96.36.199 188.8.131.52 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 111 permit icmp any any
Example 3-32. Verify Traffic Policy Is Working
!To verify if Traffic Policy is working, do large ICMP packet pings from a host in
!VLAN-14 to 184.108.40.206
Pinging 220.127.116.11 with 5000 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 120.5.72.169:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
^C
!Normal ping works fine.
C:\>ping 18.104.22.168
Pinging 22.214.171.124 with 32 bytes of data:
Reply from 120.5.72.169: bytes=32 time<10ms TTL=253
Reply from 120.5.72.169: bytes=32 time<10ms TTL=253
Reply from 120.5.72.169: bytes=32 time<10ms TTL=253
Reply from 120.5.72.169: bytes=32 time<10ms TTL=253
Ping statistics for 120.5.72.169:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
r5#show policy-map interface Ethernet0
 Service-policy input: police (1071)
  Class-map: icmp-attack (match-any) (1073/2)
   172 packets, 176056 bytes
   5 minute offered rate 0 bps, drop rate 0 bps
   Match: access-group 111 (1077)
    172 packets, 176056 bytes
    5 minute rate 0 bps
   police:
    8000 bps, 4000 limit, 6000 extended limit
    conformed 78 packets, 53876 bytes; action: transmit
    exceeded 16 packets, 21776 bytes; action: drop
    violated 78 packets, 100404 bytes; action: drop
    conformed 0 bps, exceed 0 bps violate 0 bps
  Class-map: class-default (match-any) (1081/0)
   6 packets, 552 bytes
   5 minute offered rate 0 bps, drop rate 0 bps
   Match: any (1085)
r5#show access-lists 111
Extended IP access list 111
    permit icmp any any (172 matches)
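The two-token bucket behaviour behind Example 3-31 and the 100% loss in Example 3-32, as an added Python sketch (not from the original text and not Cisco code). It assumes the police arguments 8000 4000 6000 map to the rate in bps, a 4000-byte conform bucket and a 6000-byte exceed bucket, that packet size is counted at the IP layer with a 1500-byte MTU, and that large pings are sent 4 seconds apart; the class and function names are hypothetical.

```python
# Added illustration: simplified two-token-bucket policer (RFC 2697 style).
# Bucket sizes and IP-layer byte counting are modelling assumptions, not IOS internals.

class TwoBucketPolicer:
    def __init__(self, cir_bps, bc_bytes, be_bytes):
        self.cir, self.bc, self.be = cir_bps, bc_bytes, be_bytes
        self.conform_tokens = float(bc_bytes)   # both buckets start full
        self.exceed_tokens = float(be_bytes)
        self.last_ms = 0

    def police(self, size, now_ms):
        """Classify one packet of `size` bytes arriving at `now_ms`."""
        refill = (now_ms - self.last_ms) * self.cir / 8000.0  # bytes earned
        self.last_ms = now_ms
        self.conform_tokens += refill
        if self.conform_tokens > self.bc:        # overflow spills into exceed
            spill = self.conform_tokens - self.bc
            self.conform_tokens = float(self.bc)
            self.exceed_tokens = min(self.be, self.exceed_tokens + spill)
        if self.conform_tokens >= size:
            self.conform_tokens -= size
            return "conform"
        if self.exceed_tokens >= size:
            self.exceed_tokens -= size
            return "exceed"
        return "violate"


def fragment_sizes(icmp_data, mtu=1500):
    """IP packet sizes for one echo request (20-byte IP + 8-byte ICMP header)."""
    remaining, per_frag, sizes = icmp_data + 8, mtu - 20, []
    while remaining > 0:
        chunk = min(per_frag, remaining)
        sizes.append(chunk + 20)
        remaining -= chunk
    return sizes


def run_pings(icmp_data, count, gap_ms):
    """Per-ping list of fragment verdicts under police 8000 4000 6000."""
    policer = TwoBucketPolicer(8000, 4000, 6000)
    return [[policer.police(s, i * gap_ms) for s in fragment_sizes(icmp_data)]
            for i in range(count)]


def replies_possible(results):
    """A ping can be answered only if every fragment was transmitted (conform)."""
    return sum(all(v == "conform" for v in ping) for ping in results)
```

Under these assumptions each 5000-byte echo request arrives as four fragments totalling 5088 bytes, which the 4000-byte conform bucket can never cover, so one fragment is always dropped and reassembly fails. The 60-byte packets of a normal ping always conform.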