1564 Views | 0 Helpful | 5 Replies

Beginner

ASR 1002, rate limit ICMP reply for internet attack on the WAN interface

All,

I am looking for the command on the ASR 1002 router to rate-limit an ICMP attack on the WAN interface. On one of the low-end ISR model routers I am able to configure it under the Serial interface; however, on the ASR 1002 I am not seeing the rate-limit command. Can anyone help me with the command or configuration?

Below is the configuration for the ISR router; I am looking for the configuration for the ASR 1002, please.

! ISR configuration (legacy CAR): police outbound ICMP echo-reply on the
! WAN serial interface to 128 kbps, normal and excess burst 32000 bytes,
! transmitting conforming packets and dropping the excess
interface Serial0/0/0:0
 rate-limit output access-group 2020 128000 32000 32000 conform-action transmit exceed-action drop
!
! ACL 2020 (expanded extended range) selects only ICMP echo-reply
access-list 2020 remark rate-limit ACL
access-list 2020 permit icmp any any echo-reply

5 Replies

VIP Expert


Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

How about a police statement within a CBWFQ policy?

Beginner

Hi Joseph,

No QoS on this router. I was going through the Cisco site and found the details below; not sure it works for me.

 

The basic idea is to stop Internet ICMP attacks, hence the rate limit. Not sure the below works for me, and what does df stand for?

Router(config)# ip icmp rate-limit unreachable df log 1100 12000
Cisco Employee

The df parameter is used to restrict the number of ICMP unreachable messages generated by the router when fragmentation of the packet is needed and the DF bit in the IP packet header is set. (DF is the Don't Fragment bit.)

Along with this rate-limit command, I would also recommend configuring "ip verify unicast source reachable-via rx allow-self-ping" for protection against unwanted traffic.

http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html

Hope this helps

 

Thanks
--Vinit
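
Pulling together the two suggestions made so far in this thread (Joseph's: use a police statement in a CBWFQ/MQC policy instead of the ISR's legacy rate-limit CAR command, which the ASR 1000 does not support; and Vinit's: enable uRPF on the WAN interface), here is an added IOS XE configuration example. It is not from any poster or from Cisco documentation. The interface name GigabitEthernet0/0/0 and the ACL, class-map and policy-map names are placeholders, and the policer values mirror the 128000/32000 parameters from the ISR configuration above.

```ios
! --- Added example, not from the original post or from Cisco ---
! Same match as the ISR's ACL 2020: ICMP echo-reply leaving via the WAN.
! (Named ACL for readability; the numbered ACL 2020 works equally well.)
ip access-list extended ICMP-ECHO-REPLY
 remark rate-limit ACL (name is a placeholder)
 permit icmp any any echo-reply
!
class-map match-all ICMP-ECHO-REPLY
 match access-group name ICMP-ECHO-REPLY
!
! MQC policer replacing "rate-limit output ... 128000 32000 32000":
! CIR 128 kbps, committed burst 32000 bytes, excess dropped.
policy-map POLICE-ICMP-OUT
 class ICMP-ECHO-REPLY
  police cir 128000 bc 32000
   conform-action transmit
   exceed-action drop
!
! WAN interface (GigabitEthernet0/0/0 is a placeholder): apply the
! policer outbound, as the ISR did on Serial0/0/0:0, and add strict
! uRPF so packets whose source address is not routed back out of this
! interface (i.e. spoofed internal sources) are dropped on ingress.
interface GigabitEthernet0/0/0
 description WAN uplink
 service-policy output POLICE-ICMP-OUT
 ip verify unicast source reachable-via rx allow-self-ping
```

Verify with "show policy-map interface GigabitEthernet0/0/0 output", which reports conformed and exceeded packet counts per class, and "show ip interface GigabitEthernet0/0/0" for the uRPF verification-drop counter. Two practitioner caveats: strict uRPF (reachable-via rx) assumes the return path for every legitimate source is via this same interface, which holds for a single-homed edge with a default route out the WAN but not for multi-homed or asymmetric designs, where reachable-via any (loose mode) is the safer choice; and the ip icmp rate-limit unreachable command the original poster asked about limits only the ICMP unreachable messages the router itself generates, so it is not a substitute for policing transit echo-reply traffic.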
Beginner

Thank you Vinit,

It would be great to understand this command:

 

Router(config)# ip icmp rate-limit unreachable df log 1100 12000

Does it just log to the console of the router after 12000 ms when the packet count hits 1100, or does it restrict acknowledging ICMP or a DoS attack on the router?

Cisco Employee

It will drop the packets as soon as the threshold is reached. In the above case, anything above 1100 packets will be dropped.

Thanks
--Vinit