Chapter 36
Configuring Denial of Service Protection
Understanding How DoS Protection Works

Router(config)# access-list 199 deny ip host 192.168.0.0 any
Router(config)# access-list 199 permit ip any any
Router(config)# interface g9/1
Router(config-if)# ip access 199 in                                     <======== Note: security ACL applied
Router(config-if)# end
Router#
1w6d: %SYS-5-CONFIG_I: Configured from console by console
Router# clear mls ip mod 9
Router# show mls ip mod 9
Displaying Netflow entries in module 9
DstIP           SrcIP           Prot:SrcPort:DstPort  Src i/f:AdjPtr
--------------------------------------------------------------------
Pkts         Bytes         Age   LastSeen  Attributes
---------------------------------------------------
192.168.0.0     192.168.1.0     0    :0     :0       0   : 0
1542         70932         2     02:31:56  L3 - Dynamic               <======== Note: hardware-forwarded
192.168.1.0     192.168.0.0     0    :0     :0       0   : 0
0            0             2     02:31:56  L3 - Dynamic               <======== Note: traffic stopped
Router# show access-list 199
Extended IP access list 199
    deny ip host 192.168.0.0 any (100 matches)
    permit ip any any
Router# show access-list 199
Extended IP access list 199
    deny ip host 192.168.0.0 any (103 matches)
    permit ip any any
Router#

The NetFlow entry for the flow sourced from the denied host stays at zero packets while the match counter on the deny entry keeps climbing, which shows that traffic from that host is being dropped rather than forwarded; the return flow toward it is still switched in hardware.

Security VACLs
Security virtual access lists (VACLs) are security-enforcement tools based on Layer 2, Layer 3, and Layer 4 information. The result of a security VACL lookup against a packet can be a permit, a deny, a permit and capture, or a redirect. When you associate a security VACL with a particular VLAN, all traffic must be permitted by the security VACL before the traffic is allowed into the VLAN. Unlike a router ACL, which is checked only for routed traffic, a VACL is checked for every packet bridged within the VLAN as well as for packets routed into or out of it. Security VACLs are enforced in hardware, so there is no performance penalty for applying security VACLs to a VLAN on the Cisco 7600 series routers.

QoS ACLs
Unlike security ACLs, QoS ACLs can be used to limit the rate of traffic without denying access to all the traffic in a flow.

This example shows how to use a QoS ACL to mitigate a ping attack on a router. A QoS ACL is configured and applied on all interfaces to limit the rate of incoming ICMP echo packets. The output below shows the effect of the attack before it is rate-limited: the route processor CPU rises to 99 percent, it can no longer process OSPF hellos in time, and the OSPF adjacency on Vlan46 drops when the dead timer expires.

Router# show ip ospf neighbors
Neighbor ID     Pri   State           Dead Time   Address         Interface
6.6.6.122         1   FULL/BDR        00:00:30    6.6.6.122       Vlan46
Router# show ip eigrp neighbors
IP-EIGRP neighbors for process 200
H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq Type
                                        (sec)         (ms)       Cnt Num
0   4.4.4.122               Vl44          11 00:06:07    4   200  0  6555
Router#
Router# show proc cpu | include CPU utilization
CPU utilization for five seconds: 99%/90%; one minute: 48%; five minutes: 25%     <======== Note: ping attack starts
Router#
2w0d: %OSPF-5-ADJCHG: Process 100, Nbr 6.6.6.122 on Vlan46 from FULL to DOWN, Neighbor Down: Dead timer expired

Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
OL-4266-08
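The QoS example on this page stops at the symptom; the rate-limiting policy itself does not appear here. The configuration below is an added example of one way to build that policy on a Cisco 7600 with the modular QoS CLI. It is not the configuration from the guide: the ACL, class-map and policy-map names, the 1 Mb/s rate and 16000-byte burst, and the use of GigabitEthernet9/1 (the interface from the security ACL example) are all assumptions; the guide applies the policy on all interfaces.

```cisco
! Enable PFC hardware QoS globally; without it the policer is not
! programmed into hardware and the ICMP flood still reaches the RP.
mls qos
!
! Classify only ICMP echo and echo-reply, so other ICMP types
! (unreachables, TTL-exceeded used by traceroute, PMTU) are untouched.
ip access-list extended ICMP-ECHO
 permit icmp any any echo
 permit icmp any any echo-reply
!
class-map match-all ICMP-ECHO
 match access-group name ICMP-ECHO
!
! Police echo traffic to 1 Mb/s with a 16000-byte burst (assumed values).
! Conforming packets are transmitted and only the excess is dropped,
! so the flow is limited rather than denied outright.
policy-map LIMIT-ICMP-ECHO
 class ICMP-ECHO
  police 1000000 16000 conform-action transmit exceed-action drop
!
! Apply inbound on each interface that carries untrusted traffic.
interface GigabitEthernet9/1
 service-policy input LIMIT-ICMP-ECHO
```

After applying the policy, `show policy-map interface GigabitEthernet9/1` shows the conform and exceed counters for the class, and `show proc cpu | include CPU utilization` should fall back from the 99 percent seen above. Because the policer runs on the PFC, excess echo packets are dropped before they are punted to the route processor, which is what keeps the OSPF hello processing alive.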
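For the Security VACLs section above, the following is an added example (not from the guide) of a VACL that drops the attacking host used in the security ACL example for every packet entering or bridged within a VLAN, and forwards everything else. The access-map name DOS-FILTER, the ACL names, and the choice of VLAN 46 (the VLAN of the OSPF neighbor in the output above) are assumptions.

```cisco
! ACL that identifies the attacker. In a VACL match clause, 'permit'
! means "this packet matches the clause"; the action comes from the map.
ip access-list extended ATTACKER
 permit ip host 192.168.0.0 any
!
ip access-list extended ANY-IP
 permit ip any any
!
! Sequence 10: packets from the attacker are dropped in hardware.
vlan access-map DOS-FILTER 10
 match ip address ATTACKER
 action drop
!
! Sequence 20: everything else is forwarded. Without an explicit
! forward clause the implicit deny at the end of the map would drop
! all other IP traffic in the VLAN.
vlan access-map DOS-FILTER 20
 match ip address ANY-IP
 action forward
!
! Bind the map to VLAN 46 (assumed). It is evaluated for bridged
! traffic within the VLAN and for traffic routed into or out of it.
vlan filter DOS-FILTER vlan-list 46
```

The other two lookup results the section lists are obtained by changing the action: `action forward capture` forwards matching packets and copies them to a capture port, and `action redirect <interface>` steers them to the named interface. `show vlan access-map DOS-FILTER` and `show vlan filter` confirm the map contents and the VLANs it is bound to.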