how to calculate tcp syn and icmp rate-limit on internet lines

Oct 16th, 2009

Hi,

Does anybody know if there are recommended guidelines on how to configure IOS rate-limit (parameters bps, normal burst and max burst) for TCP SYN and ICMP packets on gigabit internet access lines?


Is there also any way to calculate the average number of TCP SYNs for a given accumulated IP bandwidth (e.g. 20 Mb/s)?


Best Regards,

Thorsten

Giuseppe Larosa Fri, 10/16/2009 - 00:56

Hello Thorsten,

I can answer for ICMP:

Usually the rate-limit is placed with strict values so that you can still allow a normal ping (still useful in troubleshooting).


You can use the expected RTT you see on ping results to calculate the resulting ICMP rate.


In an activity I did some years ago I had allowed 256 kbps for ICMP traffic, seeing it was enough.


For TCP SYN I don't see a direct relation with the offered BW.


A possible tool for defending servers from TCP SYN floods may be TCP intercept.


The security command reference says the default value for incomplete TCP sessions that triggers aggressive mode is 1100.


See


http://www.cisco.com/en/US/partner/docs/ios/security/command/reference/sec_i3.html#wp1058428


or


http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i3.html#wp1058428


See also the config guide for TCP intercept:


http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_cfg_tcp_intercpt_ps6350_TSD_Products_Configuration_Guide_Chapter.html


The limit is that it can load the router.


Hope to help

Giuseppe
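As an added worked example (not part of the thread, and not Cisco's own tooling), the script below turns Giuseppe's RTT-based reasoning into numbers: it estimates the bits per second a single ping generates from its packet size and RTT, works out how many concurrent pings fit under a 256 kbps ICMP budget, and derives normal/max burst sizes for the IOS `rate-limit` (CAR) command. The burst rule of thumb (normal burst = rate in bytes per second x 1.5 s, max burst = 2 x normal burst) and the assumption that CAR rates are given in multiples of 8000 bps are taken from Cisco's CAR documentation as I recall it; verify them against the command reference for your platform before applying the generated line. The ACL number 101 and the 100-byte datagram (the IOS ping default) are constructed sample values.

```python
"""Size an IOS CAR rate-limit for ICMP from observed ping behaviour.

Added example for the thread above; assumptions are marked inline.
"""
import math
from typing import Tuple

# Assumption: IOS CAR accepts the average rate in multiples of 8000 bps.
CAR_BPS_INCREMENT = 8000

# Rule of thumb from Cisco's CAR documentation (as recalled; verify):
# normal burst = rate_bytes_per_second * 1.5 s, max burst = 2 * normal.
NORMAL_BURST_SECONDS = 1.5
MAX_BURST_FACTOR = 2


def icmp_rate_bps(packet_bytes: int, interval_s: float, concurrent_pings: int = 1) -> int:
    """Bits per second generated by `concurrent_pings` pings, each sending one
    packet every `interval_s` seconds.

    IOS ping sends the next echo only after the previous reply arrives, so
    the interval is approximately the RTT; that is the relation the answer
    above points at. Packet size is taken at the IP layer (no L2 overhead).
    """
    if packet_bytes <= 0 or interval_s <= 0 or concurrent_pings <= 0:
        raise ValueError("packet size, interval and ping count must be positive")
    return round(packet_bytes * 8 * concurrent_pings / interval_s)


def max_concurrent_pings(budget_bps: int, packet_bytes: int, rtt_s: float) -> int:
    """How many simultaneous pings (one packet per RTT each) fit in the budget."""
    per_ping = icmp_rate_bps(packet_bytes, rtt_s, 1)
    return budget_bps // per_ping


def round_to_car_increment(bps: int) -> int:
    """Round a desired rate up to the next value CAR will accept (assumed 8000 bps steps)."""
    return int(math.ceil(bps / CAR_BPS_INCREMENT) * CAR_BPS_INCREMENT)


def car_burst_params(bps: int) -> Tuple[int, int]:
    """Return (normal_burst_bytes, max_burst_bytes) for a CAR rate in bps."""
    normal = int(bps / 8 * NORMAL_BURST_SECONDS)
    return normal, normal * MAX_BURST_FACTOR


def rate_limit_config(acl: int, bps: int) -> str:
    """Render the ACL and the interface-level rate-limit line for ICMP.

    The rate-limit syntax is the documented IOS CAR form:
    rate-limit input access-group <acl> <bps> <normal-burst> <max-burst>
    conform-action transmit exceed-action drop
    """
    rate = round_to_car_increment(bps)
    normal, maximum = car_burst_params(rate)
    return "\n".join([
        f"access-list {acl} permit icmp any any",
        "!",
        " interface <WAN interface>   ! placeholder, not from the thread",
        f"  rate-limit input access-group {acl} {rate} {normal} {maximum} "
        "conform-action transmit exceed-action drop",
    ])


if __name__ == "__main__":
    # Constructed sample: IOS default 100-byte ping, 20 ms RTT, 256 kbps budget
    # (the budget figure is the one Giuseppe mentions).
    packet, rtt, budget = 100, 0.020, 256_000
    per_ping = icmp_rate_bps(packet, rtt)
    print(f"one ping at {rtt*1000:.0f} ms RTT ~= {per_ping} bps")
    print(f"pings that fit under {budget} bps: {max_concurrent_pings(budget, packet, rtt)}")
    print(rate_limit_config(101, budget))
```

The useful part for sizing is the "pings that fit" figure: if your NOC needs, say, three engineers pinging through the line at once during an incident, the budget has to cover at least that many per-ping rates at the RTT you actually see, and anything above it is what the exceed-action drops.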


