ASR 1002 , rate limit ICMP reply for internet attack on the WAN interface

lerner cisco
Level 1

All,

I am looking for a command on the ASR 1002 router to rate-limit an ICMP attack on the WAN interface. On one of the low-end ISR router models I am well able to configure this under the Serial interface; however, on the ASR 1002 I am not seeing the rate-limit command. Can anyone help me with the command or configuration?

Below is the configuration for the ISR router; I am looking for the equivalent configuration for the ASR 1002. Please.

interface Serial0/0/0:0
 rate-limit output access-group 2020 128000 32000 32000 conform-action transmit exceed-action drop
!
access-list 2020 remark rate-limit ACL
access-list 2020 permit icmp any any echo-reply

5 Replies

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

How about a police statement within a CBWFQ policy?
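
The MQC equivalent of the ISR CAR line, as an added example that is not part of the original thread or of Joseph's post. The legacy interface-level rate-limit (CAR) command is not available on the ASR 1000 series running IOS XE; the same 128000 bps / 32000-byte burst policer is expressed as a police action on a class inside a policy-map, which is what the CBWFQ suggestion points at. The interface name GigabitEthernet0/0/0 and the object names are assumptions:

```cisco
! Added example, not configuration from the original post. Interface name
! and ACL/class/policy names are assumptions; 128000 bps and a 32000-byte
! burst mirror the ISR "rate-limit" line in the question.
!
ip access-list extended RL-ICMP-ECHO-REPLY
 permit icmp any any echo-reply
!
class-map match-all RL-ICMP-ECHO-REPLY
 match access-group name RL-ICMP-ECHO-REPLY
!
! Single-rate policer: conforming echo-replies are sent, excess is dropped.
policy-map WAN-OUT
 class RL-ICMP-ECHO-REPLY
  police cir 128000 bc 32000 conform-action transmit exceed-action drop
 class class-default
!
interface GigabitEthernet0/0/0
 description WAN link (assumed interface name)
 service-policy output WAN-OUT
!
! Verify the class is matching and watch the exceed counter under load:
! show policy-map interface GigabitEthernet0/0/0 output
```

The same construction applied with `service-policy input` and a class matching `permit icmp any any echo` polices incoming echo-requests arriving on the WAN interface, which is the direction an inbound ICMP flood actually hits; the outbound echo-reply class above only mirrors what the ISR configuration in the question does.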

 

Hi Joseph,

No QoS on this router. I was going through the Cisco site and found the details below; not sure they work for me.

The basic idea is to stop an internet ICMP attack, hence the rate limit. Not sure the below works for me, and what does df stand for?

Router(config)# ip icmp rate-limit unreachable df log 1100 12000

The df parameter is used to restrict the number of ICMP unreachable messages generated by the router when fragmentation of the packet is needed and the DF bit in the IP packet header is set (DF is the Do-Not-Fragment bit).

Along with this rate-limit command, I would also recommend configuring "ip verify unicast source reachable-via rx allow-self-ping" for protection against unwanted traffic.

http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html

Hope this helps

 

Thanks
--Vinit

Thank you Vinit,

It would be great to get an understanding of this command:

 

Router(config)# ip icmp rate-limit unreachable df log 1100 12000

Does it just log to the console of the router after 12000 ms and 1100 packet hits, or does it restrict acknowledging ICMP, or a DoS attack on the router?

It will drop the packets as soon as the threshold is reached. In the above case, anything above 1100 packets will be dropped.

Thanks
--Vinit
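
An added example, not part of the original thread or of either poster's replies, showing the full syntax of the command discussed above together with the uRPF line Vinit recommends. The syntax is `ip icmp rate-limit unreachable [df] <milliseconds> [log [packets] [interval-ms]]`: the milliseconds value is the minimum spacing between ICMP unreachable messages the router itself generates, and the log keyword takes a packet count and an interval in milliseconds for logging the suppressed unreachables. One caveat a practitioner should keep in mind: this command only throttles unreachables that the router originates (for example when it drops a too-large packet carrying the DF bit); it does not police transit ICMP such as echo-reply floods, which is what an interface policer is for. The interval values and the interface name are assumptions:

```cisco
! Added example, not configuration from the original post. Interval values,
! log thresholds and the interface name are assumptions.
!
! At most one ICMP unreachable of any type every 1000 ms (default is 500 ms).
ip icmp rate-limit unreachable 1000
!
! Separate, tighter limit for "fragmentation needed and DF set" unreachables;
! log the suppressed count using a 100-packet count per 10000 ms interval.
ip icmp rate-limit unreachable df 2000 log 100 10000
!
! Strict-mode unicast RPF on the WAN interface: drop packets whose source
! address is not routed back out this same interface (spoofed sources).
! allow-self-ping lets the router ping its own interface addresses.
interface GigabitEthernet0/0/0
 description WAN link (assumed interface name)
 ip verify unicast source reachable-via rx allow-self-ping
```

Strict-mode uRPF (`reachable-via rx`) is safe on a single-homed WAN link, but with multiple uplinks or asymmetric routing it drops legitimate traffic whose return path is a different interface; in that case `reachable-via any` (loose mode) is the usual choice.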