IOS-router(config)#access-list 190 deny icmp any any echo ?
  dscp        Match packets with given dscp value
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  option      Match packets with given IP Options value
  precedence  Match packets with given precedence value
  time-range  Specify a time-range
  tos         Match packets with given TOS value
I don't see any support for the criteria you wish to match on.
You might want to focus on rate-limiting ICMP (Control Plane Policing, Management Plane Policing), and denying ICMP fragments (perhaps all fragments):
deny tcp any any log fragments
deny udp any any log fragments
deny icmp any any log fragments
If you have implemented IPS, there is bound to be a signature that addresses unusually large ICMP echo requests (although the threshold there is larger than 100 bytes). Depending on your platform, you may have the option of constructing your own signature.
If you were using the Flexible Packet Matching (FPM) feature, that might give you the versatility to match with the specific criteria desired.
First of all, rate-limiting only lets me limit the frequency (or total bandwidth) of the ICMP, but users will still be able to ping with a high payload and keep choking my network/server.
Currently in my inside network (of more than 20 sites) we are allowing only echo, echo-reply, packet-too-big and time-exceeded ICMP messages.
Yes, I have an IPS (4255) where I am getting a huge number of Large_ICMP alerts, mainly in my inside network (it is in promiscuous mode). This signature fires when the payload is more than 1024 bytes. That's why I need to limit the payload.
Now, I can create a new ICMP signature, but I really wonder what action I should apply if the signature fires. Is it possible to apply TCP_RESET-type actions? I would appreciate it if you could help me out with what sort of action I can apply.
FPM is a new feature to me. I will check it and then may come back to you.
Many thanks again for your suggestions and information.
I have checked my IPS and tried to create signatures for ICMP. But I wonder what event action I should apply. Mine is in promiscuous mode. Can you please help me out and give us an idea/doc on how I can drop the offending traffic?
... suggests that Policy-Based Routing could be used to match (and perhaps route to a Null interface) ICMP packets of a specific length:
" Match Clauses-Defining the Criteria
The IP standard or extended ACLs can be used to establish the match criteria. The standard IP access lists can be used to specify the match criteria for source address; extended access lists can be used to specify the match criteria based on application, protocol type, TOS, and precedence.
The match clause feature has been extended to include matching packet length between specified minimum and maximum values. The network administrator can then use the match length as the criterion that distinguishes ....."
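A worked configuration for the PBR approach described in the quoted passage, added here as an example and not taken from the thread or from Cisco's documentation. It assumes classic IOS extended-ACL and route-map syntax; the interface name GigabitEthernet0/1, the ACL number 101 and the route-map name are placeholders. It targets the poster's 1024-byte payload threshold: an IPv4 echo carrying 1024 bytes of payload is 1024 + 8 (ICMP header) + 20 (IP header) = 1052 bytes at Layer 3, which is the length `match length` compares against.

```cisco
! Added example, not from the original thread. Assumes IOS extended ACL
! and PBR syntax; interface name, ACL number and route-map name are
! placeholders chosen for this illustration.
!
! Step 1: select the ICMP types the poster already permits inside the
! network that can carry a large payload (echo and echo-reply).
access-list 101 remark ICMP echo/echo-reply candidates for length check
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
!
! Step 2: route-map clause that matches those packets only when the
! Layer 3 length is 1052 bytes or more (1024-byte payload + 8 + 20) and
! forwards them to Null0. Packets matching no clause are routed normally.
route-map DROP-LARGE-ICMP permit 10
 match ip address 101
 match length 1052 65535
 set interface Null0
!
! Step 3: do not generate an ICMP unreachable for every discarded packet,
! otherwise the router answers a flood with a flood of its own.
interface Null0
 no ip unreachables
!
! Step 4: apply the policy on the interface where the pings enter the
! router. PBR acts only on transit traffic arriving on that interface;
! pings sourced by the router itself would need "ip local policy".
interface GigabitEthernet0/1
 ip policy route-map DROP-LARGE-ICMP
!
! Verification:
!   show route-map DROP-LARGE-ICMP   (per-clause match counters)
!   show ip policy                   (interfaces with PBR applied)
```

Two caveats when deploying this. PBR is ingress-only, so the policy must be applied on every interface from which large pings can arrive, not just one. And an ACL entry that names an ICMP type (echo) matches only the initial fragment of a fragmented datagram, so for pings larger than the path MTU only the first fragment is sent to Null0 while the trailing fragments still transit the router (and still consume bandwidth, even though reassembly fails at the destination); the `fragments` entries suggested earlier in the thread cover that remainder.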