User Guide

ManualsBrandsCisco Systems ManualsOtherEA6500

341

342

343

344

345

346

347

348

349

350

24-3

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide—Release 12.1 E

78-14099-04

Chapter 24 Configuring Denial of Service Protection

Configuring DoS Protection

When using security ACLs to drop DoS packets, note the following information:

• The security ACL must specify the traffic flow to be dropped.

• When adding a security ACL to block DoS packets to an interface that already has a security ACL

configured, you must merge the DoS security ACL with the existing security ACL.

• Security ACLs need to be configured on all external interfaces that require protection. Use the

interface range command to configure a security ACL on multiple interfaces.

The following example shows how a security ACL is used to drop DoS packets:

Router# clear mls ip mod 9

Router# show mls ip mod 9

Displaying Netflow entries in module 9

DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr

--------------------------------------------------------------------

Pkts Bytes Age LastSeen Attributes

---------------------------------------------------

199.1.1.1 199.2.1.1 0 :0 :0 0 : 0

1843 84778 2 02:30:17 L3 - Dynamic

199.2.1.1 199.1.1.1 0 :0 :0 0 : 0

2742416 126151136 2 02:30:17 L3 - Dynamic traffic flow identified

Router# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)# no access-list 199

Router(config)# access-list 199 deny ip host 199.1.1.1 any

Router(config)# access-list 199 permit ip any any

Router(config)# interface g9/1

Router(config-if)# ip access 199 in security ACL applied

Router(config-if)# end

Router#

1w6d: %SYS-5-CONFIG_I: Configured from console by console

Router# clear mls ip mod 9

Router# show mls ip mod 9

Displaying Netflow entries in module 9

DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr

--------------------------------------------------------------------

Pkts Bytes Age LastSeen Attributes

---------------------------------------------------

199.1.1.1 199.2.1.1 0 :0 :0 0 : 0

1542 70932 2 02:31:56 L3 - Dynamic

199.2.1.1 199.1.1.1 0 :0 :0 0 : 0

0 0 2 02:31:56 L3 - Dynamic hardware-forwarded

traffic stopped

Extended IP access list 199

deny ip host 199.1.1.1 any (100 matches)

permit ip any any

Router# show access-list 199

Extended IP access list 199

deny ip host 199.1.1.1 any (103 matches rate limiting at 0.5 pps

permit ip any any

Router #