
New Member

Configuring Dos Attack Protection on Catalyst6500

Hello,

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080435872.html

I saw some DoS protection examples in this configuration guide.

Examples of some rate-limiters on Catalyst6506:

mls rate-limit multicast ipv4 fib-miss 10000 10

mls rate-limit multicast ipv4 non-rpf 100 100

mls rate-limit unicast cef glean 20000 60

mls rate-limit unicast ip rpf-failure 100000 100

mls rate-limit unicast ip icmp unreachable no-route 100000 100

mls rate-limit unicast ip icmp unreachable acl-drop 100000 100

mls rate-limit unicast ip errors 100000 100

mls rate-limit all ttl-failure 70000 150

Question:

1. Are these examples recommended and tested to protect your network from DoS attacks, whatever network design or network utilization you have? Or are they just examples?

2. If they are just examples, how can I find out or calculate rate-limiters for security on my real network, so that they do not affect the important traffic?

thanks

3 REPLIES
Silver

Re: Configuring Dos Attack Protection on Catalyst6500

I haven't used the above mls commands. You can look into a feature called Storm-control, which can limit unicast, broadcast and multicast on the interface. Below you can find a link for the storm-control feature:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080160a9f.html

Let me know if this helps,

Appreciate your rating,

Regards,

New Member

Re: Configuring Dos Attack Protection on Catalyst6500

You said you hadn't used these features. Why?

Are these features useless? Or something else?

thanks

Silver

Re: Configuring Dos Attack Protection on Catalyst6500

Hello Leo,

I didn't say this configuration is useless. I usually try to use the storm control feature which can limit some types of DoS attacks.

The above are some DoS protections based on QoS. One thing to note is that there is no standard configuration for QoS. What I mean is that because different networks have different types of traffic, it is very hard to say this typical configuration would work on all networks. This is because some networks may be using multicast a lot and some others are not, for example.

Therefore, after you apply the above commands you may still need to modify the limiting rates to be adequate for your network's traffic type.

Hope this clarifies the issue,

Regards,
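As a worked illustration of the sizing question raised in the thread (added here as an example; it is not code from the original posts or from Cisco), the script below takes a measured per-class baseline and derives rate-limiter values with headroom, then checks which of the guide's example values would sit at or below the observed peak and therefore clip legitimate traffic. The two trailing numbers on each `mls rate-limit` line are packets per second and burst size, as in the question's examples; the baseline figures, the headroom factor of 3, the 100 pps floor and the 10 ms burst window are all constructed assumptions, not measurements or recommended values.

```python
import math

# The rate-limiter examples quoted in the question: limiter path -> (pps, burst).
GUIDE_EXAMPLES = {
    "multicast ipv4 fib-miss": (10000, 10),
    "multicast ipv4 non-rpf": (100, 100),
    "unicast cef glean": (20000, 60),
    "unicast ip rpf-failure": (100000, 100),
    "unicast ip icmp unreachable no-route": (100000, 100),
    "unicast ip icmp unreachable acl-drop": (100000, 100),
    "unicast ip errors": (100000, 100),
    "all ttl-failure": (70000, 150),
}

# Constructed baseline (hypothetical network, not real data): the highest
# packets-per-second rate observed for each class during a measurement window.
BASELINE_PEAK_PPS = {
    "multicast ipv4 fib-miss": 40,
    "multicast ipv4 non-rpf": 250,
    "unicast cef glean": 600,
    "unicast ip rpf-failure": 5,
    "unicast ip icmp unreachable no-route": 30,
    "unicast ip icmp unreachable acl-drop": 80,
    "unicast ip errors": 2,
    "all ttl-failure": 120,
}


def suggest_rate(peak_pps, headroom=3.0, floor_pps=100, step=100):
    """Rate in pps: observed peak times a headroom factor (assumed 3x), rounded up
    to `step`, and never below `floor_pps` so quiet classes survive small jitter."""
    raw = max(peak_pps * headroom, floor_pps)
    return int(math.ceil(raw / step) * step)


def suggest_burst(rate_pps, burst_ms=10, minimum=10):
    """Burst in packets: enough to absorb `burst_ms` worth of traffic at the limit
    (assumed 10 ms), with a small minimum so low rates still pass short bursts."""
    return max(minimum, int(math.ceil(rate_pps * burst_ms / 1000)))


def plan(baseline):
    """Map each limiter to a (rate, burst) pair derived from its observed peak."""
    result = {}
    for name, peak in baseline.items():
        rate = suggest_rate(peak)
        result[name] = (rate, suggest_burst(rate))
    return result


def command(name, rate, burst):
    """Render one configuration line in the syntax used in the question."""
    return f"mls rate-limit {name} {rate} {burst}"


def guide_values_below_peak(baseline, examples=GUIDE_EXAMPLES):
    """Limiters whose example rate from the guide is at or below the observed peak:
    applying those values unchanged would drop legitimate traffic in that class."""
    return sorted(name for name, peak in baseline.items() if examples[name][0] <= peak)


if __name__ == "__main__":
    print("! suggested limiters derived from the constructed baseline")
    for name, (rate, burst) in plan(BASELINE_PEAK_PPS).items():
        print(command(name, rate, burst))
    print("! guide examples that would clip observed traffic:")
    for name in guide_values_below_peak(BASELINE_PEAK_PPS):
        print(f"!   {name}: example {GUIDE_EXAMPLES[name][0]} pps <= "
              f"peak {BASELINE_PEAK_PPS[name]} pps")
```

With these constructed numbers the only example that fails the check is `multicast ipv4 non-rpf` (100 pps against a 250 pps peak), which is exactly the kind of network-specific mismatch the last reply describes: the guide's figures are starting points, and each one has to be compared against what the class actually carries on your network before it is applied.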
