
DoS Protection with rate policer on the edge interface

WiKiD
Level 1

Dear all,

Scenario:

Rate-limit ingress traffic as DoS protection for customer subnets.

ISP-------- gig0/0 ISR Router----Customer Subnets

ISR 4300 Series router running IOS XE with a GigabitEthernet connection to the ISP router.

Rate-limit ingress traffic to 2 Mbit/s for the IPv4 and IPv6 subnets on the ISR 4300 Series.

Theory:

Two ACLs, one for IPv4 and the other for IPv6:

ip access-list extended 101
 ! x.x.x.x = customer IPv4 subnet
 permit ip any x.x.x.x 0.0.0.15

ipv6 access-list IPv6-subnet
 ! IPv6 ACL entries take the ipv6 protocol keyword, not ip
 permit ipv6 any <IPv6 prefix>

Two class-maps, one to match IPv4 traffic and the other for IPv6:

class-map IPv4
 match access-group 101

class-map IPv6
 match access-group name IPv6-subnet

policy-map RATE-LIMIT
 class IPv4
  police 2000000 conform-action transmit exceed-action drop
 class IPv6
  police 2000000 conform-action transmit exceed-action drop

interface GigabitEthernet 0/0
 service-policy input RATE-LIMIT

Is there an error in my reasoning, or is this solution OK?

Any hint or advice would be great.

 

Thank you all.
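
Added example, not part of the original post and not Cisco code: a generic token-bucket model of `police 2000000 conform-action transmit exceed-action drop`, showing what share of a legitimate 1 Mbit/s source gets through when a flood shares the same class. The burst size, packet size, traffic rates and Poisson arrivals are assumptions made for the model.

```python
import random

CIR_BPS = 2_000_000    # from the post: police 2000000 (bits per second)
BURST_BYTES = 62_500   # assumption: burst size, not given in the post
PKT_BYTES = 1_000      # assumption: fixed packet size for the model


def arrivals(rate_bps, label, duration_s, rng):
    """Constructed input: Poisson packet arrivals averaging rate_bps."""
    pps = rate_bps / (PKT_BYTES * 8)
    out, t = [], rng.expovariate(pps)
    while t < duration_s:
        out.append((t, label))
        t += rng.expovariate(pps)
    return out


def police(packets, cir_bps=CIR_BPS, burst=BURST_BYTES):
    """Token bucket; returns {label: [conformed, exceeded]} packet counts."""
    tokens, last, stats = float(burst), 0.0, {}
    for t, label in sorted(packets):
        # Refill at CIR (converted to bytes/s), never above the burst size.
        tokens = min(burst, tokens + (t - last) * cir_bps / 8)
        last = t
        counts = stats.setdefault(label, [0, 0])
        if tokens >= PKT_BYTES:   # conform-action transmit
            tokens -= PKT_BYTES
            counts[0] += 1
        else:                     # exceed-action drop
            counts[1] += 1
    return stats


def legit_delivered(flood_bps, legit_bps=1_000_000, duration_s=10.0, seed=1):
    """Fraction of the legitimate source's packets that pass the policer."""
    rng = random.Random(seed)
    pkts = arrivals(legit_bps, "legit", duration_s, rng)
    if flood_bps:
        pkts += arrivals(flood_bps, "flood", duration_s, rng)
    ok, dropped = police(pkts)["legit"]
    return ok / (ok + dropped)


if __name__ == "__main__":
    for flood in (0, 20_000_000):
        print(f"flood {flood / 1e6:4.0f} Mbit/s -> legit delivered "
              f"{legit_delivered(flood):.0%}")
```

In this model the policer holds the class to 2 Mbit/s, but under a 20 Mbit/s flood only about a tenth of the legitimate packets conform, because the bucket does not distinguish legitimate packets from flood packets.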
