11-07-2009 12:36 PM - edited 03-06-2019 08:29 AM
Here's my setup:
I have a ROUTED access layer switch and a user vlan that terminates on it. The default gateway for the users is the user-vlan interface on the switch.
The problem is that the users need to be treated as untrusted users. Their traffic needs to be firewalled, per se. We don't have a FW appliance, so we have to resort to ACLs.
The users will need access to a few servers on our server farm. That leaves us vulnerable to DoS attacks and hacking.
Now, we can block ICMP but we don't want to -- we want it for t-shooting.
Is there a way to allow pings from the users to the servers BUT limit them so that they cannot launch a DoS attack?
Thanks
11-07-2009 01:27 PM
Hi Joe,
Here are a couple of white papers that may be useful to you.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
HTH
Reza
11-08-2009 06:27 AM
Hi, thanks... They're nice docs, but not really what I need...
Is it possible to allow ICMP pings to traverse an interface (inbound), but only in a limited fashion? I know there's rate limiting, but, believe it or not, the 7600 does not support it... pretty amazed at that one.
Anyway, I don't even want that. I want to limit based on the number of packets. So, if someone pings a server with 10000 pings to create a DoS, I want the router to allow, say, 100, and block the rest.
Does this exist??
11-08-2009 06:58 AM
The 7600 supports rate limiting. See, for instance, the following document section: http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/dos.html#wp1140968
It describes QoS rate limiting and appears to be just what you are asking about.
Hope this helps.
11-08-2009 07:20 AM
Thanks for that excellent doc. I am going to review it closely.
When I said the 7600 does not support rate limiting, I should have been more specific. It doesn't support interface-based rate limiting.
int te6/2
rate-limit bla bla bla.... That doesnt exist as an option.
Again, though, I am looking for a rate limiting mechanism that can operate on the PACKET level, not CIR or burst. In other words, allow 10 pings in a row from one source and kill the rest... or something like that...
Thanks
11-08-2009 07:09 AM
Hi,
Try VLAN based QoS. The below link will give you an idea of how to configure the same,
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801c8c4b.shtml
HTH,
Nagendra
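For readers following the two QoS suggestions above (the 7600 DoS-protection doc and VLAN-based QoS), here is an added configuration example that is not from any poster in this thread. It polices ICMP echo from the user VLAN toward the server farm on the SVI; the VLAN number, interfaces and subnets are assumed, and note that a PFC policer is rate based (bits per second plus a byte burst), not a count of packets per source, so it caps ping volume rather than enforcing "N pings then drop".

```cisco
! Constructed example: police user-VLAN pings toward the server farm
! on a 7600 SVI with PFC (VLAN-based) QoS. All addresses, VLAN 100 and
! GigabitEthernet1/1 are assumed values, not from the thread.
mls qos
!
! Classifier only: which traffic the policer applies to. The ACL that
! restricts users to the few permitted servers is a separate interface ACL.
ip access-list extended ICMP-USERS-TO-SERVERS
 permit icmp 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255 echo
!
class-map match-all CM-ICMP-ECHO
 match access-group name ICMP-USERS-TO-SERVERS
!
! 64 kbps with an 8000-byte burst: roughly 70 ordinary 100-byte pings
! per second for the whole VLAN; everything above that is dropped.
! Raise or lower the rate to taste; PFC policers have a platform minimum.
policy-map PM-USER-VLAN-IN
 class CM-ICMP-ECHO
  police 64000 8000 conform-action transmit exceed-action drop
 class class-default
!
! User access port: tell the PFC to apply QoS per VLAN, not per port.
interface GigabitEthernet1/1
 switchport
 switchport access vlan 100
 mls qos vlan-based
!
! User SVI (the users' default gateway): the policy is applied here.
interface Vlan100
 description user VLAN
 ip address 10.10.0.1 255.255.255.0
 service-policy input PM-USER-VLAN-IN
```

Verify hits and drops with `show policy-map interface vlan 100`; if the counters stay at zero, check that `mls qos` is enabled globally and that the user ports carry `mls qos vlan-based`.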