Perimeter Security

To protect R5 from large ICMP packet floods, configure traffic policing. See Example 3-31.

Verify by doing large ICMP packet pings and regular ICMP pings from a host in VLAN-14 to 120.5.72.169. See Example 3-32.

For more information, see the following URL:

www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt1/qcfpbr.htm

The traffic policing feature works with a token bucket mechanism. There are currently two types of token bucket algorithms: a single-token bucket algorithm and a two-token bucket algorithm.

A single-token bucket system is used when the violate-action option is not specified.

A two-token bucket system is used when the violate-action option is specified.

For more information on token buckets, see the following URL:

www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt4/qcfpolsh.htm

Example 3-31. Configuring Traffic Policing

!Snip from R5 config
class-map match-any icmp-attack
 match access-group 111
!
policy-map police
 class icmp-attack
  police 8000 4000 6000 conform-action transmit exceed-action drop violate-action drop
!
interface Ethernet0
 ip address 120.5.72.169 255.255.255.248
 ip access-group 101 in
 service-policy input police
!
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip 224.0.0.0 31.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 111 permit icmp any any
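To make the single-token versus two-token bucket distinction above concrete, the following Python simulation (an added example, not code from the book or from Cisco IOS) models the `police 8000 4000 6000 conform-action transmit exceed-action drop violate-action drop` line: CIR 8000 bps, a 4000-byte conform (Bc) bucket and a 6000-byte extended-burst (Be) bucket, with the Be bucket in play only because violate-action is configured. The packet sizes, arrival times and the `Packet`/`SingleRatePolicer`/`run_policy` names are constructed for the example; the refill and colouring rules follow the two-token bucket description in the linked IOS policing document.

```python
"""Single-rate, two-token-bucket policer simulation (added example).

Models the 'police 8000 4000 6000' line from Example 3-31:
CIR 8000 bps, Bc 4000 bytes (conform bucket), Be 6000 bytes
(extended-burst bucket). Tokens refill the Bc bucket at CIR and
any overflow spills into the Be bucket. A packet that fits in the
Bc bucket conforms, one that only fits in the Be bucket exceeds,
and one that fits in neither violates. All traffic below is
constructed, not captured from the lab.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    t: float      # arrival time in seconds (constructed)
    size: int     # IP packet length in bytes
    proto: str    # "icmp" or other; stands in for access-list 111
    flow: str     # label grouping the fragments of one echo request


class SingleRatePolicer:
    """Cisco-style single-rate policer with Bc and Be buckets (assumed model)."""

    def __init__(self, cir_bps, bc, be):
        self.rate = cir_bps / 8.0      # token refill rate in bytes per second
        self.bc_max, self.be_max = bc, be
        self.bc, self.be = bc, be      # both buckets start full
        self.last = 0.0

    def _refill(self, now):
        self.bc += (now - self.last) * self.rate
        self.last = now
        if self.bc > self.bc_max:      # overflow from Bc spills into Be
            self.be = min(self.be_max, self.be + self.bc - self.bc_max)
            self.bc = self.bc_max

    def police(self, pkt):
        self._refill(pkt.t)
        if pkt.size <= self.bc:
            self.bc -= pkt.size
            return "conform"
        if pkt.size <= self.be:
            self.be -= pkt.size
            return "exceed"
        return "violate"


# Actions from the policy-map: only conforming packets are transmitted.
ACTIONS = {"conform": "transmit", "exceed": "drop", "violate": "drop"}


def run_policy(packets, cir_bps=8000, bc=4000, be=6000):
    """Police ICMP packets; return colour counts and per-flow delivery."""
    policer = SingleRatePolicer(cir_bps, bc, be)
    counts = Counter()
    delivered = {}   # flow -> False once any fragment of it is dropped
    for pkt in sorted(packets, key=lambda p: p.t):   # stable: keeps fragment order
        if pkt.proto != "icmp":        # not matched by class icmp-attack
            counts["class-default"] += 1
            delivered.setdefault(pkt.flow, True)
            continue
        colour = policer.police(pkt)
        counts[colour] += 1
        ok = ACTIONS[colour] == "transmit"
        delivered[pkt.flow] = delivered.get(pkt.flow, True) and ok
    return counts, delivered


def large_ping_burst():
    """Four 5000-byte echo requests, one per second, each fragmented for a
    1500-byte MTU into 1500 + 1500 + 1500 + 588-byte IP packets (constructed)."""
    frags = [1500, 1500, 1500, 588]
    return [Packet(t, s, "icmp", f"big-{t}") for t in range(4) for s in frags]


def normal_ping_burst():
    """Four 32-byte echo requests (60-byte IP packets), one per second (constructed)."""
    return [Packet(t, 60, "icmp", f"small-{t}") for t in range(4)]


if __name__ == "__main__":
    for name, traffic in (("5000-byte pings", large_ping_burst()),
                          ("32-byte pings", normal_ping_burst())):
        counts, delivered = run_policy(traffic)
        lost = sum(not ok for ok in delivered.values())
        print(f"{name}: {dict(counts)}; {lost}/{len(delivered)} requests lost")
```

Running it reproduces the shape of Example 3-32: the 5000-byte pings drain the Bc bucket within the first request, spill into the Be bucket on the second, and from the third onward their 1500-byte fragments are violated; because an echo request that loses even one fragment can never be reassembled, every large ping times out, while the 60-byte pings never come close to the 4000-byte burst and all conform. Note that the simulation is an idealisation: real IOS counters also reflect the reply direction and ACL fragment handling, so the exact conformed/exceeded/violated split will differ from the lab output.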

Example 3-32. Verify Traffic Policy Is Working

!To verify if Traffic Policy is working, do large ICMP packet pings from a host in
!VLAN-14 to 120.5.72.169

Pinging 120.5.72.169 with 5000 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 120.5.72.169:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
^C

!Normal ping works fine.
C:\>ping 120.5.72.169

Pinging 120.5.72.169 with 32 bytes of data:

Reply from 120.5.72.169: bytes=32 time<10ms TTL=253
Reply from 120.5.72.169: bytes=32 time<10ms TTL=253
Reply from 120.5.72.169: bytes=32 time<10ms TTL=253
Reply from 120.5.72.169: bytes=32 time<10ms TTL=253

Ping statistics for 120.5.72.169:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:

r5#show policy-map interface Ethernet0

  Service-policy input: police (1071)

    Class-map: icmp-attack (match-any) (1073/2)
      172 packets, 176056 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 111 (1077)
        172 packets, 176056 bytes
        5 minute rate 0 bps
      police:
        8000 bps, 4000 limit, 6000 extended limit
        conformed 78 packets, 53876 bytes; action: transmit
        exceeded 16 packets, 21776 bytes; action: drop
        violated 78 packets, 100404 bytes; action: drop
        conformed 0 bps, exceed 0 bps violate 0 bps

    Class-map: class-default (match-any) (1081/0)
      6 packets, 552 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any (1085)

r5#show access-lists 111
Extended IP access list 111
    permit icmp any any (172 matches)
