36-4
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
OL-4266-08
Chapter 36 Configuring Denial of Service Protection
Understanding How DoS Protection Works
Router# show ip eigrp neighbors
IP-EIGRP neighbors for process 200
Router#
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# access-list 199 permit icmp any any echo
Router(config)# class-map match-any icmp
Router(config-cmap)# match access-group 199
Router(config-cmap)# exit
Router(config)# policy-map icmp
Router(config-pmap)# class icmp
Router(config-pmap-c)# police 96000 16000 16000 conform-action transmit exceed-action drop
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# interface range g4/1 - 9
Router(config-if-range)# service-policy input icmp <======== Note: policy applied
Router(config-if-range)# end
2w0d: %SYS-5-CONFIG_I: Configured from console by console
2w0d: %OSPF-5-ADJCHG: Process 100, Nbr 6.6.6.122 on Vlan46 from LOADING to FULL, Loading
Done
Router# show ip eigrp neighbors
IP-EIGRP neighbors for process 200
H Address Interface Hold Uptime SRTT RTO Q Seq Type
(sec) (ms) Cnt Num
0 4.4.4.122 Vl44 13 00:00:48 8 200 0 6565
Router#
FIB Rate Limiting
Note The PFC2 CPU rate limiters are off by default.
The forwarding information base (FIB) rate-limiting feature allows all packets that require software
processing to be rate limited.
This example shows traffic destined for a nonexistent host address on a locally connected subnet.
Normally, the ARP request would result in an ARP reply and the installation of a FIB adjacency for this
traffic. However, the adjacency in the FIB for the destination subnet would continue to receive traffic
that would be forwarded for software processing. By applying rate-limiting to this traffic, the rate of
traffic forwarded for software processing can be limited to a manageable amount.
Router# show ip eigrp neighbors
IP-EIGRP neighbors for process 200
H Address Interface Hold Uptime SRTT RTO Q Seq Type
(sec) (ms) Cnt Num
0 4.4.4.122 Vl44 11 00:00:26 8 200 0 6534
Router# show ip ospf neighbors
Neighbor ID Pri State Dead Time Address Interface
6.6.6.122 1 FULL/BDR 00:00:36 6.6.6.122 Vlan46
Router# <===================== Note: attack starts
Router# show arp | include 199.2.250.250
Internet 199.2.250.250 0 Incomplete ARPA
Router#
1w6d: %OSPF-5-ADJCHG: Process 100, Nbr 6.6.6.122 on Vlan46 from FULL to DOWN, Neighbor Down: Dead
timer expired
Router# show ip eigrp neighbors
IP-EIGRP neighbors for process 200
Router#
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
To Next Page
Loading...
Need help?
General
