Protecting the Network

Nov 7th, 2009

Here's my setup:

I have a ROUTED access layer switch and a user vlan that terminates on it. The default gateway for the users is the user-vlan interface on the switch.

The problem is that the users need to be treated as untrusted users. Their traffic needs to be firewalled, per se. We don't have a FW appliance, so we have to resort to ACLs.

The users will need access to a few servers on our server farm. That leaves us vulnerable to DoS attacks and hacking.

Now, we can block ICMP but we don't want to -- we want it for t-shooting.

Is there a way to allow pings from the users to the servers BUT limit them so that they cannot launch a DoS attack?


ex-engineer Sun, 11/08/2009 - 06:27

Hi, thanks...They're nice docs, but not really what I need...

Is it possible to allow ICMP pings to traverse an interface (inbound), but only in a limited fashion? I know there's rate limiting, but, believe it or not, the 7600 does not support it...pretty amazed at that one.

Anyway, I don't even want that. I want to limit based on the number of packets. So, if someone pings a server with 10000 pings to create a DoS, I want the router to allow, say, 100, and block the rest.

Does this exist??

Marvin Rhoads Sun, 11/08/2009 - 06:58

The 7600 supports rate limiting. See, for instance, the following document section:

It describes QoS rate limiting and appears to be just what you are asking about.

Hope this helps.
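The QoS rate limiting Marvin points to, worked up as an added configuration example (not from any post in this thread and not copied from a Cisco document): an MQC policer applied inbound on the user-VLAN SVI that caps ICMP echo toward the server farm. The subnets, VLAN number and rate are assumed placeholders. A policer bounds bits per second with a burst allowance rather than counting packets, so it keeps troubleshooting pings working while dropping a flood, but it will not admit an exact number of pings.

```cisco
! Constructed example: police ICMP echo from the user VLAN to the server farm.
! Assumes a Catalyst 6500/7600-style platform with PFC-based policing.
! 10.10.0.0/16 = user VLAN, 10.20.0.0/24 = server farm (placeholders)
ip access-list extended USERS-TO-SERVERS-ICMP
 permit icmp 10.10.0.0 0.0.255.255 10.20.0.0 0.0.0.255 echo
!
class-map match-all ICMP-TO-SERVERS
 match access-group name USERS-TO-SERVERS-ICMP
!
policy-map USER-VLAN-IN
 class ICMP-TO-SERVERS
  ! 64 kbps with an 8000-byte burst: plenty for manual pings,
  ! anything beyond the burst is dropped instead of forwarded
  police 64000 8000 8000 conform-action transmit exceed-action drop
 class class-default
  ! other user traffic is left to the interface ACLs
!
interface Vlan100
 description untrusted user VLAN (default gateway for users)
 service-policy input USER-VLAN-IN
```

Verify with `show policy-map interface Vlan100` and watch the exceed counter climb while a ping flood runs from a test host; if only conform increments, the burst is set too high for the rate being sent.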

ex-engineer Sun, 11/08/2009 - 07:20

Thanks for that excellent doc. I am going to review it closely.

When I said the 7600 does not support rate limiting, I should have been more specific. It doesn't support interface-based rate limiting.

int te6/2

rate-limit bla bla bla.... That doesn't exist as an option.

Again, though, I am looking for a rate limiting mechanism that can operate on the PACKET level, not CIR or burst. In other words, allow 10 pings in a row from one source and kill the rest....or something like that...
