User Guide

ManualsBrandsCisco Systems ManualsOtherEA6500

341

342

343

344

345

346

347

348

349

350

24-4

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide—Release 12.1 E

78-14099-04

Chapter 24 Configuring Denial of Service Protection

Configuring DoS Protection

QoS ACLs

Unlike Security ACLs, QoS ACLs can be used to limit the rate of traffic without denying access to all

the traffic in a flow.

When using QoS ACLs to limit the rate of packets, note the following information:

• The QoS ACL must specify the traffic flow to be rate-limited.

• When adding a QoS ACL to limit the rate of packets to an interface that already has a QoS ACL

configured, you must merge the rate-limiting ACL with the existing QoS ACL.

• QoS ACLs need to be configured on all external interfaces that require protection. Use the interface

range command to configure an ACL on multiple interfaces.

The following example shows how to use a QoS ACL to prevent a ping attack on a router. A QoS ACL is

configured and applied on all interfaces to limit the rate of incoming ICMP echo packets.

Router# show ip ospf neighbors

Neighbor ID Pri State Dead Time Address Interface

6.6.6.122 1 FULL/BDR 00:00:30 6.6.6.122 Vlan46

Router# show ip eigrp neighbors

IP-EIGRP neighbors for process 200

H Address Interface Hold Uptime SRTT RTO Q Seq Type

(sec) (ms) Cnt Num

0 4.4.4.122 Vl44 11 00:06:07 4 200 0 6555

Router# ping attack starts

Router# show proc cpu | include CPU utilization

CPU utilization for five seconds: 99%/90%; one minute: 48%; five minutes: 25%

Router#

2w0d: %OSPF-5-ADJCHG: Process 100, Nbr 6.6.6.122 on Vlan46 from FULL to DOWN, Neighbor

Down: Dead timer expired

Router# show ip eigrp neighbors

IP-EIGRP neighbors for process 200

Router#

Router# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)# access-list 199 permit icmp any any echo

Router(config)# class-map match-any icmp

Router(config-cmap)# match access-group 199

Router(config-cmap)# exit

Router(config)# policy-map icmp

Router(config-pmap)# class icmp

Router(config-pmap-c)# police 96000 16000 16000 conform-action transmit exceed-action drop

Router(config-pmap-c)# exit

Router(config-pmap)# exit

Router(config)# interface range g4/1 - 9

Router(config-if-range)# service-policy input icmp policy applied

Router(config-if-range)# end

2w0d: %SYS-5-CONFIG_I: Configured from console by console

2w0d: %OSPF-5-ADJCHG: Process 100, Nbr 6.6.6.122 on Vlan46 from LOADING to FULL, Loading

Done

Router# show ip eigrp neighbors

IP-EIGRP neighbors for process 200

H Address Interface Hold Uptime SRTT RTO Q Seq Type

(sec) (ms) Cnt Num

0 4.4.4.122 Vl44 13 00:00:48 8 200 0 6565

Router#