01-29-2007 02:55 AM - edited 03-05-2019 02:02 PM
Hello,
I saw some DoS protection examples in this configuration guide.
Examples of some rate-limiters on a Catalyst 6506:
mls rate-limit multicast ipv4 fib-miss 10000 10
mls rate-limit multicast ipv4 non-rpf 100 100
mls rate-limit unicast cef glean 20000 60
mls rate-limit unicast ip rpf-failure 100000 100
mls rate-limit unicast ip icmp unreachable no-route 100000 100
mls rate-limit unicast ip icmp unreachable acl-drop 100000 100
mls rate-limit unicast ip errors 100000 100
mls rate-limit all ttl-failure 70000 150
Question:
1. Are these examples recommended and tested to protect your network from DoS attacks, whatever network design and network utilization you have? Or are they just examples?
2. If they are just examples, how can I find out or calculate rate-limiters for security for my real network, so that they cannot affect the important traffic?
Thanks
01-29-2007 04:19 PM
I haven't used the above mls commands. You can look into a feature called storm control, which can limit unicast, broadcast and multicast on the interface. Below you can find a link for the storm-control feature:
Let me know if this helps,
Appreciate your rating,
Regards,
01-30-2007 02:15 AM
You said you hadn't used these features. Why?
Are these features useless? Or something else?
Thanks
01-30-2007 09:22 AM
Hello Leo,
I didn't say this configuration is useless. I usually try to use the storm control feature which can limit some types of DoS attacks.
The above are some DoS protections based on QoS. One thing to note is that there is no standard configuration for QoS. What I mean is that, because different networks have different types of traffic, it is very hard to say this typical configuration would work on all networks. This is because some networks may be using multicast a lot and others are not, for example.
Therefore, after you apply the above commands you may still need to modify the limiting rates to be adequate with your network traffic type.
Hope this clarifies the issue,
Regards,
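One way to act on the advice above about adjusting the rates to your own traffic, as an added example that is not part of the original thread or of Cisco's guide: parse the quoted rate-limiter lines (packets per second, then burst) and flag any limiter set below the peak you have measured for that traffic class. The baseline figures and the 1.5x headroom factor are constructed assumptions, and how the peaks are measured is left to the site.

```python
import re

# The rate-limiter lines quoted in the question: <pps> [<packets-in-burst>].
CONFIG = """\
mls rate-limit multicast ipv4 fib-miss 10000 10
mls rate-limit multicast ipv4 non-rpf 100 100
mls rate-limit unicast cef glean 20000 60
mls rate-limit unicast ip rpf-failure 100000 100
mls rate-limit unicast ip icmp unreachable no-route 100000 100
mls rate-limit unicast ip icmp unreachable acl-drop 100000 100
mls rate-limit unicast ip errors 100000 100
mls rate-limit all ttl-failure 70000 150
"""

# Constructed sample data: peak packets/s seen per class in normal operation.
BASELINE_PEAK_PPS = {
    "multicast ipv4 fib-miss": 14000,
    "unicast cef glean": 3000,
    "all ttl-failure": 50,
}

LINE = re.compile(r"^mls rate-limit (?P<name>.+?) (?P<pps>\d+)(?: (?P<burst>\d+))?$")

def parse_limiters(text):
    """Return {limiter name: (pps, burst or None)} for each mls rate-limit line."""
    limiters = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            burst = int(m["burst"]) if m["burst"] else None
            limiters[m["name"]] = (int(m["pps"]), burst)
    return limiters

def review(limiters, baseline, headroom=1.5):
    """Mark a limiter 'too-tight' when its pps is below measured peak * headroom."""
    findings = {}
    for name, (pps, _burst) in limiters.items():
        peak = baseline.get(name)
        if peak is None:
            findings[name] = "no-baseline"   # measure before trusting this value
        elif pps < peak * headroom:
            findings[name] = "too-tight"     # would drop legitimate traffic
        else:
            findings[name] = "ok"
    return findings

if __name__ == "__main__":
    for name, verdict in review(parse_limiters(CONFIG), BASELINE_PEAK_PPS).items():
        print(f"{verdict:12} {name}")
```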