cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
344
Views
0
Helpful
5
Replies

ASR 9000 ACL packet length match

Hi all!

I want to match ipv4 packens by packet length on ASR 9000. Is it possible? I can't find this option in 5.3.4.

1 ACCEPTED SOLUTION

Accepted Solutions
Participant

Hi,Couple things,FlowSpec is

Hi,

Couple things,
FlowSpec is great for reactive DDoS mitigation as it allows you to enforce edge policies from a central point and it’s much more  granular than classical RTBH.
However it has number of drawbacks that limit it’s deployment to reactive filtering.
1)    Current implementations of FlowSpec do not allow you to specify interface for which the policy is intended so the box has to apply the policy to all interfaces. Yes you can disable FS per interface (I suggest you do so on core-facing interfaces) but all the remaining interfaces enabled for FS will install the filter and thus are subject to ~25% performance hit for all traffic passing through these interfaces (the performance hit is actually per NPU so if an NPU is hosting 3 10GE ports even if one of them is enabled for FlowSpec the other two ports are affected.
2)    Order of individual FlowSpec filters/rules can not be dictated and it is determined automatically (most specific rules go first).

So FlowSpec has great potential especially when joined with IPS i.e.  Intrusion Detection System generating flow spec rules to redirect specific traffic to scrubbing centre.

But for proactive DDoS protection (always-on rules) you are better off with conventional filtering methods (for now).
Regarding your deployment I’d also advise you to rate-limit rather than drop completely.
e.g even if the DNS/NTP packet is really big it might be legit, but if you encounter a stream of 1Gbps of such packets it’s time to rate-limit.  

adam
 

adam
5 REPLIES 5
Participant

Hi

Hi

 

match packet length was introduced in 5.2.0

 

(config)#class-map test

(config-cmap)#match packet length ?

  <0-65535>   Enter IP Packet length

  <0-65535>-  Lower limit of the packet length to match.

  ipv4        IPV4 Packet Length

  ipv6        IPV6 Packet Length

 

adam

adam

I want to match packets by

I want to match packets by length in ACL to filter some DDoS attacks.

On Nexus platform I can do this.

Or the only way is policing and dropping matched packets?

Cisco Employee

Hi Vladimir,

Hi Vladimir,

you should consider Flowspec then, it will be an easy way to disseminate your anti-DDoS rules.

Cheers,

N.

Highlighted
Cisco Employee

Agree with Nicolas re

Agree with Nicolas re flowspec. Natively the ASR9k matching/filtering on pkt length with an ACL is supported on Tomahawk Linecards (aka 400/800/1.2T LCs) starting from first half of next year - Release 6.2.2.

Regards

Eddie. 

Participant

Hi,Couple things,FlowSpec is

Hi,

Couple things,
FlowSpec is great for reactive DDoS mitigation as it allows you to enforce edge policies from a central point and it’s much more  granular than classical RTBH.
However it has number of drawbacks that limit it’s deployment to reactive filtering.
1)    Current implementations of FlowSpec do not allow you to specify interface for which the policy is intended so the box has to apply the policy to all interfaces. Yes you can disable FS per interface (I suggest you do so on core-facing interfaces) but all the remaining interfaces enabled for FS will install the filter and thus are subject to ~25% performance hit for all traffic passing through these interfaces (the performance hit is actually per NPU so if an NPU is hosting 3 10GE ports even if one of them is enabled for FlowSpec the other two ports are affected.
2)    Order of individual FlowSpec filters/rules can not be dictated and it is determined automatically (most specific rules go first).

So FlowSpec has great potential especially when joined with IPS i.e.  Intrusion Detection System generating flow spec rules to redirect specific traffic to scrubbing centre.

But for proactive DDoS protection (always-on rules) you are better off with conventional filtering methods (for now).
Regarding your deployment I’d also advise you to rate-limit rather than drop completely.
e.g even if the DNS/NTP packet is really big it might be legit, but if you encounter a stream of 1Gbps of such packets it’s time to rate-limit.  

adam
 

adam
CreatePlease to create content
Content for Community-Ad
August's Community Spotlight Awards