Cisco Support Community

ICMP Storm

Is it possible to block the ICMP storm generated by MSBLAST? I mean configure broadcast, multicast, or unicast storm control at ports. Is it possible to do it on a Catalyst 2950?

Accepted Solutions

Re: ICMP Storm

Hi,

Cat2950 is a layer 2 device. So it's impossible to configure an ACL to block ICMP on it.

You can configure storm control on ports using

conf t
int fa 0/x
 storm-control broadcast level 5.00 3.00
 storm-control multicast level 5.00 3.00
 storm-control unicast level 50 30
 storm-control action trap

e.g.

This syntax is used in the latest IOS and filters broadcasts when they exceed 5% of interface bandwidth, e.g.

Another syntax using the frame number per second was used in the older IOS versions.

See Command reference Guide http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12114ea1/2950cr/cli2.htm#1870446

for storm-control command details.

Regards,

Milan
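
Added example, not part of the post above and not Cisco code: a simplified Python model of the two levels in `storm-control broadcast level 5.00 3.00`, showing why a falling level below the rising level keeps a port from flapping between suppressing and forwarding. It assumes one utilization sample per measurement interval, that suppression starts above the rising level and ends below the falling level; the function name and sample values are constructed.

```python
"""Simplified model of storm-control rising/falling levels (added example)."""


def storm_control_states(samples_pct, rising=5.00, falling=3.00):
    """Return (states, events) for a series of traffic samples.

    samples_pct: broadcast traffic per measurement interval as a percentage
    of interface bandwidth (constructed input; one sample per interval is an
    assumption of this model).
    states: True where the port would be suppressing broadcasts.
    events: (index, "storm-start" | "storm-end") transitions, i.e. the points
    where a configured trap action would have something to report.
    """
    if falling > rising:
        raise ValueError("falling level must not exceed rising level")
    suppressing = False
    states, events = [], []
    for i, pct in enumerate(samples_pct):
        if not suppressing and pct > rising:
            suppressing = True
            events.append((i, "storm-start"))
        elif suppressing and pct < falling:
            suppressing = False
            events.append((i, "storm-end"))
        states.append(suppressing)
    return states, events


# Constructed samples: a burst that crosses 5%, then oscillates around it
# before dropping below 3%.
SAMPLES = [1.0, 6.2, 4.8, 5.3, 4.1, 5.6, 2.9, 1.2]

if __name__ == "__main__":
    for label, fall in (("level 5.00 3.00", 3.00), ("level 5.00 5.00", 5.00)):
        states, events = storm_control_states(SAMPLES, 5.00, fall)
        print(label)
        for i, (pct, s) in enumerate(zip(SAMPLES, states)):
            print(f"  t={i} broadcast={pct:4.1f}% {'SUPPRESS' if s else 'forward'}")
        print(f"  transitions: {events}")
```

With the 5.00/3.00 pair the sample burst produces one start and one end event; with both levels at 5.00 the same traffic produces six transitions.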

3 REPLIES


Re: ICMP Storm

Actually, the 2950s *are* capable of filtering based on L3 and L4 information. You could say they're L2-switches with L3+ intelligence.

The following would be a perfectly valid filter for the 2950:

access-list 101 permit tcp any 172.16.16.0 0.0.0.255 eq 23

However, it's true that you can't filter based on ICMP on that platform. And it's also true that you can't do storm control (or rate limiting) based on protocols.

-A

Re: ICMP Storm

Yes, you can configure an extended ACL on 2950.

BUT you can apply it only on the virtual management interface (int VLAN1, e.g.) and filter only the traffic targeted to the switch itself.

Other possibilities are some advanced QoS functions.

But it's impossible to filter the traffic passing through the switch based on L3 info, I'm afraid.

Regards,

Milan
