How to control burst packet and its source?

johnyoon75
Level 1

Hi.

I'm curious about burst packets and their source.

Think about it.

Many traces and pings enter my router.

So I want to know which PC floods these packets.

I tried searching on cisco.com,

and I found an option for that.

But the thing is, I'm not sure about it.

The option is below.

access-list 101 permit icmp any any packet-too-big log-input

Is it possible to block burst packets?


ozgur.guler
Level 1

You can block big packets by matching the packet size in a route-map.

route-map x
 match length [min packet length] [max packet length]
 set interface null 0

HTH

Thank you for helping.

I have another question.

How can I know which source (PC) is causing the symptom?

Is it possible to log the source...?

I don't want to block.

If I block the source, many people will complain to me...

Here is one solution....

Match big packets and forward them to a loopback interface on your router with PBR.

Use ip accounting output on that new loopback interface.

What will happen is that packets matched with PBR will be forwarded to that loopback interface, and then the packets will come back and go to their final destination via routing while incrementing the accounting counters.

route-map x
 match length min max
 set interface lo 110

int lo 110
 ip add 1.1.1.1 255.255.255.0
 ip accounting output

Ozgur

Thank you for helping.

I got very good information because of you.

Thank you very much.

Can I ask one more question?

I have a syslog server.

As you know, all error messages in the router are sent to the syslog server.

If possible, I want to send these messages to the syslog server.

If I use the method you told me, I can't see the messages in the syslog server...

How can I solve this problem...?

In my opinion... maybe use an access-list with the log option...

Regards.

John

John,

Instead of seeing the accounting output, you want to see the sources of big packets in your syslog messages.

So here comes the second method to achieve that.

Forget about the PBR and the loopback for a while...

In order to generate syslog messages via ACLs, there should be a way of matching these packets with ACLs, but there is no way to match packet length with an ACL. So what we can do is mark the packets on ingress, to have something to match with an ACL, and use that mark to match with an ACL and so generate logs while the packets are leaving the router.

Example...

You can use:

class-map x
 match packet length min [min packet length] max [max packet length]
!
policy-map mark
 class x
  set ip precedence 4

and apply this inbound on the ingress interface.

Then create an ACL like

access-list 100 permit ip any any precedence 4 log
access-list 100 permit ip any any

Apply this to the outgoing interfaces:

ip access-group 100 out

You will see your packets are marked and logged.

Ozgur
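
As an added example (not part of any post in this thread): a short Python script that tallies which sources the ACL `log` method above reports to the syslog server, busiest first. It assumes the router emits the standard IOS `%SEC-6-IPACCESSLOG*` message format; the sample lines, host name and addresses are constructed, and `top_sources` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample lines in the style of IOS %SEC-6-IPACCESSLOG* messages
# (documentation address ranges; not taken from the thread).
SAMPLE_LOG = """\
Mar  1 10:00:01 rtr1 45: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 192.0.2.10 -> 198.51.100.7 (8/0), 1 packet
Mar  1 10:00:03 rtr1 46: %SEC-6-IPACCESSLOGP: list 100 permitted udp 192.0.2.44(33434) -> 198.51.100.7(33435), 1 packet
Mar  1 10:05:01 rtr1 47: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 192.0.2.10 -> 198.51.100.7 (8/0), 842 packets
Mar  1 10:05:02 rtr1 48: %SEC-6-IPACCESSLOGP: list 100 permitted udp 192.0.2.44(33434) -> 198.51.100.7(33435), 3 packets
Mar  1 10:05:04 rtr1 49: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 192.0.2.23 -> 198.51.100.9 (8/0), 1 packet
Mar  1 10:05:09 rtr1 50: %SYS-5-CONFIG_I: Configured from console by admin on vty0
Mar  1 10:10:01 rtr1 51: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 192.0.2.99 -> 198.51.100.7 (8/0), 5000 packets
"""

# Fields: ACL number, action, protocol, source IP, optional "(port)",
# optional "(interface mac)" added by log-input, "->", then the packet count.
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOG\w*: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\(\d+\))?"
    r"(?: \([^)]*\))? -> .*?, (?P<count>\d+) packets?"
)


def top_sources(log_text, acl="100", limit=10):
    """Sum logged packet counts per source IP for one ACL, busiest first."""
    totals = Counter()
    for line in log_text.splitlines():
        m = ACL_LOG.search(line)
        if m and m.group("acl") == acl:
            # The first hit is logged as "1 packet"; later lines carry the
            # count accumulated over the logging interval, so sum them.
            totals[m.group("src")] += int(m.group("count"))
    return totals.most_common(limit)


if __name__ == "__main__":
    for src, packets in top_sources(SAMPLE_LOG):
        print(f"{src:15} {packets}")
```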

mrmozaffari
Level 1

If it's trace or pings, then it's ICMP packets,

so it's better to deny them.

access-list 110 deny icmp any any
access-list 110 permit ip any any

and then apply it inbound to an interface.

Example:

ip access-group 110 in