cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
844
Views
9
Helpful
5
Replies

Protecting the Network

visitor68
Level 5
Level 5

heres my setup:

I have a ROUTED access layer switch and a user vlan that terminates on it. The default gateway for the users is the user-vlan interface on the switch.

The problem is that the users need to be treated as untrusted users. Their traffic needs to be firewalled, per se. We dont have a FW appliance, so we have to resort to ACLs.

the users will need access to a few servers on our server farm. That leaves us vulnerable to DoS attacks and hacking.

Now, we can block ICMP but we dont want to -- want it for t-shooting.

Is there a way to allow pings from the users to the servers BUT limit them so that they cannot launch a DoS attack?

Thanks

5 Replies 5

Hi, thanks...Theyre nice docs, but not really what I need...

Is it possible to allow icmp pings to traverse an interface (inbound), but only in a limited fashion? I know theres rate limiting, but, believe it or not, the 7600 does not support it...pretty amazed at that one.

Anyway, I dont even want that. I want to limit based on the number of packets. So, if someone pings a server with 10000 pings to create a DoS, i want the router to allow, say, 100, and block the rest.

Does this exist??

The 7600 supports rate limiting. See, for instance, the following document section: http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/dos.html#wp1140968

It describes QoS rate limiting and appears to be just what you are asking about.

Hope this helps.

Thanks for that excellent doc. I am going to review it closely.

When i said the 7600 doe snot support rate limiting, i should have been more specific. It doesnt support interface-based rate limiting.

int te6/2

rate-limit bla bla bla.... That doesnt exist as an option.

Again, though, I am looking for a rate limiting mechanism that can operate on the PACKET level, not CIR or burst. In other words, allow 10 pings in a row from one source and kill the rest....or something like that...

Thanks

Hi,

Try VLAN based QoS. The below link will give you an idea of how to configure the same,

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801c8c4b.shtml

HTH,

Nagendra