07-08-2015 09:28 AM - edited 03-05-2019 01:50 AM
All,
I am looking for the command on the ASR 1002 router to rate-limit an ICMP attack on the WAN interface. On one of the low-end ISR model routers I am able to configure it under the Serial interface; however, on the ASR 1002 I am not seeing the rate-limit command. Can anyone help me with the command or configuration?
Below is the configuration for the ISR router; I am looking for the equivalent configuration for the ASR 1002. Please help.
interface Serial0/0/0:0
rate-limit output access-group 2020 128000 32000 32000 conform-action transmit exceed-action drop
access-list 2020 remark rate-limit ACL
access-list 2020 permit icmp any any echo-reply
07-08-2015 10:22 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
How about a police statement within a CBWFQ policy?
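As an added illustration of the suggestion above (example configuration written for this thread, not posted by Joseph or taken from Cisco documentation): the ISR's legacy `rate-limit` line expressed as an MQC class-map/policy-map with a `police` statement, which is the form the ASR 1000 series accepts. The interface name GigabitEthernet0/0/0 is assumed; ACL 2020 and the 128 kbps / 32000-byte burst values are carried over from the ISR configuration in the question.

```cisco
! Added example, not from the original thread.
! Assumptions: WAN port is GigabitEthernet0/0/0; ACL 2020 and the
! rate/burst values are reused from the ISR "rate-limit" line.
!
access-list 2020 remark rate-limit ACL
access-list 2020 permit icmp any any echo-reply
!
! Classify ICMP echo-reply traffic using the same ACL
class-map match-all ICMP-ECHO-REPLY
 match access-group 2020
!
! Police the class to 128 kbps with a 32000-byte burst; excess is dropped
policy-map WAN-OUT-POLICE
 class ICMP-ECHO-REPLY
  police cir 128000 bc 32000 conform-action transmit exceed-action drop
!
! Apply in the output direction on the WAN interface (assumed name)
interface GigabitEthernet0/0/0
 service-policy output WAN-OUT-POLICE
!
! Verify conformed/exceeded counters after applying:
! show policy-map interface GigabitEthernet0/0/0 output
```

The `show policy-map interface` counters are the check that the policer is actually matching: if the conformed and exceeded packet counts both stay at zero during a ping flood, the ACL or the direction (`output` versus `input`) is wrong. Because this policy is applied outbound, it limits echo-replies leaving the WAN interface, which is exactly what the original ISR `rate-limit output` line did; policing echo-requests arriving from the Internet would need a separate inbound policy matching `icmp any any echo`.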
07-08-2015 10:28 AM
Hi Joseph,
No QoS on this router. I was going through the Cisco site and found the details below; not sure it works for me.
The basic idea is to stop an Internet ICMP attack, hence the rate limit. Not sure the below works for me, and what does df stand for?
Router(config)# ip icmp rate-limit unreachable df log 1100 12000
07-08-2015 10:47 AM
The df parameter is used to restrict the number of ICMP unreachable messages generated by the router when fragmentation of the packet is needed and the DF bit in the IP packet header is set. (DF is the Don't Fragment bit.)
Along with this rate-limit command, I would also recommend configuring "ip verify unicast source reachable-via rx allow-self-ping" for protection against unwanted traffic:
http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html
Hope this helps.
07-17-2015 07:36 AM
Thank you Vinit,
It would be great to understand this command:
Router(config)# ip icmp rate-limit unreachable df log 1100 12000
Does it just log to the console of the router after 12000 ms when the packet count hits 1100, or does it restrict acknowledging ICMP or a DoS attack on the router?
07-17-2015 10:37 AM
It will drop the packets as soon as the threshold is reached. In the above case, anything above 1100 packets will be dropped.