24-4
Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide—Release 12.1 E
78-14099-04
Chapter 24      Configuring Denial of Service Protection
Configuring DoS Protection
QoS ACLs
Unlike Security ACLs, QoS ACLs can be used to limit the rate of traffic without denying access to all the traffic in a flow.
When using QoS ACLs to limit the rate of packets, note the following information:
• The QoS ACL must specify the traffic flow to be rate-limited.
• When adding a QoS ACL to limit the rate of packets to an interface that already has a QoS ACL configured, you must merge the rate-limiting ACL with the existing QoS ACL.
• QoS ACLs need to be configured on all external interfaces that require protection. Use the interface range command to configure an ACL on multiple interfaces.
The following example shows how to use a QoS ACL to prevent a ping attack on a router. A QoS ACL is 
configured and applied on all interfaces to limit the rate of incoming ICMP echo packets.
Router# show ip ospf neighbors
Neighbor ID     Pri   State           Dead Time   Address         Interface
6.6.6.122         1   FULL/BDR        00:00:30    6.6.6.122       Vlan46
Router# show ip eigrp neighbors
IP-EIGRP neighbors for process 200
H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq Type
                                        (sec)         (ms)       Cnt Num
0   4.4.4.122               Vl44          11 00:06:07    4   200  0  6555   
Router#                                                             ping attack starts
Router# show proc cpu | include CPU utilization
CPU utilization for five seconds: 99%/90%; one minute: 48%; five minutes: 25%
Router#
2w0d: %OSPF-5-ADJCHG: Process 100, Nbr 6.6.6.122 on Vlan46 from FULL to DOWN, Neighbor Down: Dead timer expired
Router# show ip eigrp neighbors
IP-EIGRP neighbors for process 200
Router#
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# access-list 199 permit icmp any any echo 
Router(config)# class-map match-any icmp
Router(config-cmap)# match access-group  199
Router(config-cmap)# exit
Router(config)# policy-map icmp
Router(config-pmap)# class icmp
Router(config-pmap-c)# police 96000 16000 16000 conform-action transmit exceed-action drop
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# interface range g4/1 - 9 
Router(config-if-range)# service-policy input icmp                   policy applied
Router(config-if-range)# end
2w0d: %SYS-5-CONFIG_I: Configured from console by console
2w0d: %OSPF-5-ADJCHG: Process 100, Nbr 6.6.6.122 on Vlan46 from LOADING to FULL, Loading Done
Router# show ip eigrp neighbors
IP-EIGRP neighbors for process 200
H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq Type
                                        (sec)         (ms)       Cnt Num
0   4.4.4.122               Vl44          13 00:00:48    8   200  0  6565   
Router#
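To show what the `police 96000 16000 16000 conform-action transmit exceed-action drop` line above does to an ICMP echo flood versus normal pings, here is an added Python model that is not part of the Cisco guide. It assumes a simplified single-rate, two-colour token bucket (CIR in bits/s, Bc in bytes; the third argument is ignored because only conform and exceed actions are configured), constructed packet streams, and does not reproduce the PFC hardware's exact accounting.

```python
from collections import Counter

BIT_US = 8 * 1_000_000  # bit-microseconds in one byte; integer math avoids float drift


class TokenBucketPolicer:
    """Simplified model of `police <cir_bps> <bc_bytes> ...` (assumption, not PFC hardware)."""

    def __init__(self, cir_bps: int, bc_bytes: int) -> None:
        self.cir_bps = cir_bps               # refill rate, bits per second
        self.capacity = bc_bytes * BIT_US    # Bc: maximum bucket depth
        self.tokens = self.capacity          # bucket starts full
        self.last_us = 0

    def offer(self, t_us: int, size_bytes: int) -> str:
        """Return the policer action for a packet of size_bytes arriving at t_us."""
        self.tokens = min(self.capacity, self.tokens + (t_us - self.last_us) * self.cir_bps)
        self.last_us = t_us
        cost = size_bytes * BIT_US
        if cost <= self.tokens:
            self.tokens -= cost
            return "transmit"  # conform-action transmit
        return "drop"          # exceed-action drop


def is_icmp_echo(pkt: dict) -> bool:
    """Model of `access-list 199 permit icmp any any echo` (ICMP type 8)."""
    return pkt["proto"] == "icmp" and pkt.get("icmp_type") == 8


def apply_policy(policer: TokenBucketPolicer, packets: list) -> Counter:
    """`service-policy input icmp`: police class icmp only, pass everything else untouched."""
    actions = Counter()
    for pkt in packets:
        if is_icmp_echo(pkt):
            actions[policer.offer(pkt["t_us"], pkt["size"])] += 1
        else:
            actions["transmit"] += 1  # class-default, e.g. OSPF/EIGRP hellos
    return actions


def stream(pps: int, seconds: int, size: int, proto: str = "icmp", icmp_type: int = 8) -> list:
    """Constructed, evenly spaced packets: a ping flood or ordinary pings."""
    step = 1_000_000 // pps
    return [{"t_us": i * step, "size": size, "proto": proto, "icmp_type": icmp_type}
            for i in range(pps * seconds)]


if __name__ == "__main__":
    flood = apply_policy(TokenBucketPolicer(96000, 16000), stream(10000, 1, 100))
    print(flood)  # Counter({'drop': 9721, 'transmit': 279})
```

A 10,000 pps flood of 100-byte echo requests is cut to the initial 16000-byte burst plus 12000 bytes/s of refill, while one ping per second is never dropped and non-ICMP control traffic such as OSPF and EIGRP hellos bypasses the policer entirely.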