ASR 9000 ACL packet length match

Hi all!

I want to match ipv4 packets by packet length on ASR 9000. Is it possible? I can't find this option in 5.3.4.

Accepted Solution

Hi,

Couple of things:
FlowSpec is great for reactive DDoS mitigation, as it allows you to enforce edge policies from a central point and it's much more granular than classical RTBH.
However, it has a number of drawbacks that limit its deployment to reactive filtering.
1) Current implementations of FlowSpec do not allow you to specify the interface for which the policy is intended, so the box has to apply the policy to all interfaces. Yes, you can disable FS per interface (I suggest you do so on core-facing interfaces), but all the remaining interfaces enabled for FS will install the filter and thus are subject to a ~25% performance hit for all traffic passing through these interfaces (the performance hit is actually per NPU, so if an NPU is hosting 3 10GE ports, even if only one of them is enabled for FlowSpec the other two ports are affected).
2) The order of individual FlowSpec filters/rules cannot be dictated; it is determined automatically (most specific rules go first).

So FlowSpec has great potential, especially when joined with IPS, i.e. an Intrusion Detection System generating FlowSpec rules to redirect specific traffic to a scrubbing centre.

But for proactive DDoS protection (always-on rules) you are better off with conventional filtering methods (for now).
Regarding your deployment, I'd also advise you to rate-limit rather than drop completely.
e.g. even if the DNS/NTP packet is really big it might be legit, but if you encounter a stream of 1Gbps of such packets it's time to rate-limit.

adam

5 Replies

Adam Vitkovsky
Level 3

Hi

match packet length was introduced in 5.2.0

(config)#class-map test
(config-cmap)#match packet length ?
  <0-65535>   Enter IP Packet length
  <0-65535>-  Lower limit of the packet length to match.
  ipv4        IPV4 Packet Length
  ipv6        IPV6 Packet Length

adam

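To tie the class-map shown above to the advice in the accepted answer (rate-limit oversized DNS/NTP rather than drop everything), here is an added IOS XR configuration example. It is not from this thread or from Cisco; the ACL, class and policy names, the 512-byte threshold, the 10 Mbps rate and the interface name are constructed placeholders to be adjusted for a real deployment, and it assumes the standard `match packet length min-max` and `police rate` syntax of the class-map/policy-map CLI.

```text
! Added example, not part of the original thread. All names, the 512-byte
! threshold, the 10 mbps rate and the interface are assumptions.

! 1. Limit the scope to the amplification-prone UDP services the thread
!    mentions (DNS/NTP as source ports), so ordinary large packets on other
!    services are never touched.
ipv4 access-list REFLECT-UDP
 10 permit udp any eq 53 any
 20 permit udp any eq 123 any
!

! 2. Class: only packets that are BOTH from those services AND oversized.
!    "512-65535" is the lower-bound/upper-bound form from the help text above.
class-map match-all LARGE-REFLECT-UDP
 match access-group ipv4 REFLECT-UDP
 match packet length 512-65535
 end-class-map
!

! 3a. The blunt form the accepted answer advises against: unconditional drop.
!     Legitimate large DNS (DNSSEC, EDNS0) answers would be lost as well.
policy-map DROP-LARGE-REFLECT-UDP
 class LARGE-REFLECT-UDP
  drop
 !
 class class-default
 !
 end-policy-map
!

! 3b. The recommended form: police the class so a trickle of legitimate
!     large replies passes, while a flood is cut to a bounded rate.
policy-map LIMIT-LARGE-REFLECT-UDP
 class LARGE-REFLECT-UDP
  police rate 10 mbps
   conform-action transmit
   exceed-action drop
  !
 !
 class class-default
 !
 end-policy-map
!

! 4. Apply the policer inbound on the edge (customer/peer-facing) interface.
interface TenGigE0/0/0/0
 service-policy input LIMIT-LARGE-REFLECT-UDP
!
commit
```

After committing, `show policy-map interface TenGigE0/0/0/0 input` reports per-class conformed and exceeded counters, which is also the simplest detection signal: a class that normally shows near-zero exceeded traffic and suddenly shows sustained drops is the "stream of such packets" the accepted answer describes. The policy is always-on and interface-scoped, which is exactly the property the answer notes FlowSpec currently lacks.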

I want to match packets by length in an ACL to filter some DDoS attacks.

On the Nexus platform I can do this.

Or is the only way policing and dropping matched packets?

Hi Vladimir,

You should consider FlowSpec then; it will be an easy way to disseminate your anti-DDoS rules.

Cheers,

N.

Agree with Nicolas re FlowSpec. Natively, ASR9k matching/filtering on packet length with an ACL is supported on Tomahawk line cards (aka 400/800/1.2T LCs) starting from the first half of next year, Release 6.2.2.

Regards

Eddie.
