Zone Based Firewall ASR1002

jackwikinski
Level 1

Hi All,

We are trying to implement the ZBF on our router to assist us in limiting the initial impact of DDOS attacks.

We have configured the below and it appears that it's not working, as when under attack the statistics don't increase.

Any assistance would be greatly appreciated:

parameter-map type inspect global
 session total 99000
 alert on
 per-box tcp syn-flood limit 2000
 per-box max-incomplete tcp 2000
 per-box max-incomplete udp 500
 per-box max-incomplete icmp 500
class-map type inspect match-any ddos-class
 match protocol tcp
 match protocol UDP
 match protocol icmp
parameter-map type inspect global
policy-map type inspect ddos-fw
 class type inspect ddos-class
  inspect
 class class-default
  drop
zone security public
zone security private
zone-pair security public2private source public destination private
 service-policy type inspect ddos-fw
int GigabitEthernet0/0/1
 zone-member security public
int GigabitEthernet0/2/0
 zone-member security private

Thanks.

Jack.

2 Replies

m1xed0s
Spotlight

Just curious, should you put the policy-map on the public2self zone-pair to limit DOS attacks?

Shuai Yu: I guess it depends on what you are trying to achieve, maybe they have an http-server or something...

jackwikiski: Your parameter-maps confuse me because they don't have a name? Or is it because they are global so you don't need a name?

Anyway, try this:

parameter-map type inspect ANTI-DDOS_PARMAP
 session total 99000
 alert on
 per-box tcp syn-flood limit 2000
 per-box max-incomplete tcp 2000
 per-box max-incomplete udp 500
 per-box max-incomplete icmp 500
policy-map type inspect ddos-fw
 class type inspect ddos-class
  inspect ANTI-DDOS_PARMAP
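As an added check that is not part of the thread, a small Python script that parses the posted ZBF config and reports the two things the replies point at: whether every zone-pair references a defined policy-map and defined zones, and whether any zone-pair targets the router's own self zone (without one, traffic aimed at the router itself is never inspected, so the counters stay flat). The config text is a constructed, abridged copy of the one posted above.

```python
import re

# Constructed, abridged copy of the config posted above (indentation restored).
POSTED_CONFIG = """\
parameter-map type inspect global
 per-box tcp syn-flood limit 2000
policy-map type inspect ddos-fw
 class type inspect ddos-class
  inspect
zone security public
zone security private
zone-pair security public2private source public destination private
 service-policy type inspect ddos-fw
"""
ZONE_PAIR = re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)$")

def parse_zbf(config):
    """Collect zones, policy-map names and zone-pairs (with attached policy) from IOS config text."""
    zones, policies, pairs, current = {"self"}, set(), {}, None  # the self zone always exists
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("zone security "):
            zones.add(line.split()[2])
        elif line.startswith("policy-map type inspect "):
            policies.add(line.split()[3])
        elif (m := ZONE_PAIR.match(line)):
            current = m.group(1)
            pairs[current] = {"src": m.group(2), "dst": m.group(3), "policy": None}
        elif line.startswith("service-policy type inspect ") and current:
            pairs[current]["policy"] = line.split()[3]
        if line and not raw.startswith(" ") and not ZONE_PAIR.match(line):
            current = None  # any other top-level command leaves the zone-pair submode
    return zones, policies, pairs

def audit_zbf(config):
    """Explain why inspect counters on a zone-pair may never move: broken references or no self-zone coverage."""
    zones, policies, pairs = parse_zbf(config)
    findings = []
    for name, p in pairs.items():
        if p["policy"] not in policies:
            findings.append(f"{name}: service-policy {p['policy'] or '(none)'} is missing or undefined")
        findings += [f"{name}: zone {z} is not defined" for z in (p["src"], p["dst"]) if z not in zones]
    if not any(p["dst"] == "self" for p in pairs.values()):
        findings.append("no zone-pair with destination self: traffic aimed at the router itself is not inspected")
    return findings

if __name__ == "__main__":
    for finding in audit_zbf(POSTED_CONFIG):
        print(finding)
```

Run against the posted config it reports only the missing public-to-self zone-pair; appending a second zone-pair with destination self and the same service-policy clears the finding.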
