Cisco Support Community
New Member

how to calculate tcp syn and icmp rate-limit on internet lines

Hi,

Does anybody know if there are recommended guidelines on how to configure IOS rate-limit (parameters bps, normal burst and max burst) for TCP SYN and ICMP packets on gigabit Internet access lines?

Is there also any way to calculate the average TCP SYNs of a given accumulated IP bandwidth (e.g. 20 Mb/s)?

Best Regards,

Thorsten

2 REPLIES
Hall of Fame Super Silver

Re: how to calculate tcp syn and icmp rate-limit on internet lin

Hello Thorsten,

I can answer for ICMP:

Usually the rate-limit is placed with strict values so that you can allow a normal ping (still useful in troubleshooting).

You can use the expected RTT you see on ping results to calculate the resulting ICMP rate.

In an activity I did some years ago I allowed 256 kbps for ICMP traffic, seeing it was enough.

For TCP syn I don't see a direct relation with offered BW.

A possible tool for defending servers from TCP syn may be TCP intercept.

The security command reference says the default value for incomplete TCP sessions for triggering aggressive mode is 1100.

see

http://www.cisco.com/en/US/partner/docs/ios/security/command/reference/sec_i3.html#wp1058428

or

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i3.html#wp1058428

see also config guide for TCP intercept

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_cfg_tcp_intercpt_ps6350_TSD_Products_Configuration_Guide_Chapter.html

The limit is that it can load the router.

Hope to help

Giuseppe
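The RTT-based sizing described in the reply above, as an added example that is not part of the thread or of Cisco's documentation: it takes the minimum RTT from an IOS ping summary (lowest RTT gives the highest echo rate), sizes a rate for a chosen number of concurrent pings, and derives the three `rate-limit` parameters. Assumptions: one 100-byte echo per RTT per ping, layer 2 overhead ignored, the CAR guideline of normal burst = rate/8 × 1.5 s and max burst = 2 × normal, an 8 kbps rate granularity, and a hypothetical ACL 102 matching ICMP; check the granularity and burst limits against the command reference for your release.

```python
import math
import re

# Constructed sample of an IOS ping summary line (not captured from a real device).
SAMPLE_PING = "Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/28 ms"

def parse_min_rtt_ms(summary):
    """Return the minimum RTT in ms from an IOS ping summary line."""
    m = re.search(r"min/avg/max\s*=\s*(\d+)/(\d+)/(\d+)\s*ms", summary)
    if not m:
        raise ValueError("no round-trip statistics found")
    return max(1, int(m.group(1)))  # guard against a reported 0 ms

def icmp_flow_bps(rtt_ms, datagram_bytes=100):
    """Bits per second of one ping that sends the next echo once the reply arrives."""
    return datagram_bytes * 8 * 1000 / rtt_ms

def car_parameters(target_bps, granularity=8000, min_burst=1000):
    """Round the rate up to the CAR granularity and derive both burst sizes in bytes."""
    rate = max(granularity, math.ceil(target_bps / granularity) * granularity)
    normal = max(min_burst, int(rate / 8 * 1.5))  # 1.5 seconds of traffic at the rate
    return rate, normal, 2 * normal

def rate_limit_line(summary, concurrent_pings, acl=102):
    """Build the interface command; acl is a hypothetical ACL number matching ICMP."""
    target = icmp_flow_bps(parse_min_rtt_ms(summary)) * concurrent_pings
    rate, normal, maximum = car_parameters(target)
    return (f"rate-limit input access-group {acl} {rate} {normal} {maximum} "
            "conform-action transmit exceed-action drop")

if __name__ == "__main__":
    # Room for four simultaneous troubleshooting pings at the observed RTT.
    print(rate_limit_line(SAMPLE_PING, 4))
    # The 256 kbps figure mentioned in the reply, with bursts from the same guideline.
    print(car_parameters(256000))
```

Because the lowest RTT drives the result, take the ping sample from the closest host you expect to test against through that interface.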

Cisco Employee

Re: how to calculate tcp syn and icmp rate-limit on internet lin
