10-16-2009 12:23 AM - edited 03-04-2019 06:23 AM
Hi,
Does anybody know if there exist recommended guidelines on how to configure IOS rate-limit (parameters bps, normal burst and max burst) for TCP SYN and ICMP packets on gigabit Internet access lines?
Is there also any way to calculate average TCP SYNs for a given accumulated IP bandwidth (e.g. 20 Mb/s)?
Best Regards,
Thorsten
10-16-2009 12:56 AM
Hello Thorsten,
I can answer for ICMP:
Usually the rate-limit is placed with strict values so that you can still allow a normal ping (still useful in troubleshooting).
You can use the expected RTT you see in ping results to calculate the resulting ICMP rate.
In an activity I did some years ago I had allowed 256 kbps for ICMP traffic, seeing it was enough.
For TCP SYN I don't see a direct relation with the offered BW.
A possible tool for defending servers from TCP SYN may be TCP intercept.
The security command reference says the default value for incomplete TCP sessions that triggers aggressive mode is 1100.
see
http://www.cisco.com/en/US/partner/docs/ios/security/command/reference/sec_i3.html#wp1058428
or
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i3.html#wp1058428
See also the config guide for TCP intercept.
The limit is that it can load the router.
Hope to help
Giuseppe
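An added IOS configuration example illustrating the two measures Giuseppe describes (a 256 kbps CAR rate-limit for ICMP and TCP intercept with the 1100 half-open default); it is not from the thread or from Cisco documentation. The interface name, ACL numbers, the server subnet 192.0.2.0/24 and the burst values are assumptions.

```cisco
! Added example (not from the thread): CAR rate-limit for ICMP plus
! TCP intercept in watch mode. Interface, ACL numbers, the server
! subnet 192.0.2.0/24 and the burst sizes are assumptions.
!
! ACL 101 matches ICMP arriving from the Internet
access-list 101 permit icmp any any
! ACL 102 matches TCP connection attempts towards the protected servers
access-list 102 permit tcp any 192.0.2.0 0.0.0.255
!
interface GigabitEthernet0/0
 description Internet uplink
 ! 256 kbps for ICMP as in the post. Bursts are in bytes: normal burst
 ! = 1.5 s of traffic (256000/8*1.5 = 48000), max burst = twice that.
 ! Conforming ICMP is forwarded, excess is dropped, so ping keeps working.
 rate-limit input access-group 101 256000 48000 96000 conform-action transmit exceed-action drop
!
! TCP intercept: watch mode lets the SYN through and resets half-open
! connections the server does not complete within 30 s. Intercept mode
! would proxy the handshake instead and costs more router CPU, which is
! the load concern raised in the post.
ip tcp intercept list 102
ip tcp intercept mode watch
ip tcp intercept watch-timeout 30
! Aggressive mode (faster expiry of half-open sessions) starts when
! half-open connections exceed 1100 (the default quoted in the post)
! and stops again once they drop below 900.
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
!
! Verification commands:
! show interfaces GigabitEthernet0/0 rate-limit
! show tcp intercept statistics
! show tcp intercept connections
```

Watch the exceed counters in `show interfaces rate-limit` and the half-open count in `show tcp intercept statistics` for a while before tightening values, so legitimate ping and connection bursts are not dropped.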
10-17-2009 09:19 AM
Hi Thorsten,
The following links may help:
http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
HTH
Laurent.