Chapter 24      Configuring Denial of Service Protection
  Configuring DoS Protection

QoS ACLs

Unlike Security ACLs, QoS ACLs can be used to limit the rate of traffic without denying access to all
the traffic in a flow.

When using QoS ACLs to limit the rate of packets, note the following information:

• The QoS ACL must specify the traffic flow to be rate-limited.
• When adding a QoS ACL to limit the rate of packets to an interface that already has a QoS ACL
  configured, you must merge the rate-limiting ACL with the existing QoS ACL.
• QoS ACLs need to be configured on all external interfaces that require protection. Use the interface
  range command to configure an ACL on multiple interfaces.

The following example shows how to use a QoS ACL to prevent a ping attack on a router. A QoS ACL is
configured and applied on all interfaces to limit the rate of incoming ICMP echo packets.

Router# show ip ospf neighbors
Neighbor ID     Pri   State           Dead Time   Address         Interface
6.6.6.122         1   FULL/BDR        00:00:30    6.6.6.122       Vlan46
Router# show ip eigrp neighbors
IP-EIGRP neighbors for process 200
H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq Type
                                        (sec)         (ms)       Cnt Num
0   4.4.4.122               Vl44          11 00:06:07    4   200  0  6555
Router#

ping attack starts

Router# show proc cpu | include CPU utilization
CPU utilization for five seconds: 99%/90%; one minute: 48%; five minutes: 25%
Router#
2w0d: %OSPF-5-ADJCHG: Process 100, Nbr 6.6.6.122 on Vlan46 from FULL to DOWN, Neighbor
Down: Dead timer expired
Router# show ip eigrp neighbors
IP-EIGRP neighbors for process 200
Router#
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# access-list 199 permit icmp any any echo
Router(config)# class-map match-any icmp
Router(config-cmap)# match access-group 199
Router(config-cmap)# exit
Router(config)# policy-map icmp
Router(config-pmap)# class icmp
Router(config-pmap-c)# police 96000 16000 16000 conform-action transmit exceed-action drop
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# interface range g4/1 - 9
Router(config-if-range)# service-policy input icmp
Router(config-if-range)# end
2w0d: %SYS-5-CONFIG_I: Configured from console by console

policy applied

2w0d: %OSPF-5-ADJCHG: Process 100, Nbr 6.6.6.122 on Vlan46 from LOADING to FULL, Loading
Done
Router# show ip eigrp neighbors
IP-EIGRP neighbors for process 200
H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq Type
                                        (sec)         (ms)       Cnt Num
0   4.4.4.122               Vl44          13 00:00:48    8   200  0  6565
Router#

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide—Release 12.1 E
24-4
78-14099-04
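To make the police command in the example concrete, the following Python script models the policer as a token bucket and runs two constructed ICMP echo traces through it: an ordinary one-per-second ping, which passes untouched, and a flood, of which only a small fraction conforms. This is an added illustration, not Cisco code, and it assumes the police parameters are a rate in bits per second followed by bursts in bytes; because the normal and maximum bursts are equal (16000/16000), a single bucket is enough to model the behaviour. The traces and the 100-byte packet size are constructed, not captured.

```python
"""Token-bucket model of the policer configured in the example above
(police 96000 16000 16000 conform-action transmit exceed-action drop).

Added illustration, not Cisco code. Assumptions: the rate is bits per second
and the bursts are bytes, as the police command takes them; with normal and
maximum burst equal, one bucket suffices. Exact rational arithmetic keeps the
conform/exceed counts deterministic. Packet traces are constructed.
"""
from fractions import Fraction


class Policer:
    """Single-rate token bucket: a packet conforms while tokens cover it."""

    def __init__(self, cir_bps: int, burst_bytes: int) -> None:
        self.refill_bytes_per_sec = Fraction(cir_bps, 8)
        self.depth = Fraction(burst_bytes)
        self.tokens = self.depth          # the bucket starts full
        self.last_t = Fraction(0)

    def offer(self, t: Fraction, size_bytes: int) -> str:
        """Offer one packet arriving at time t (seconds); return its outcome."""
        elapsed = t - self.last_t
        # Refill at the committed rate, never beyond the bucket depth.
        self.tokens = min(self.depth, self.tokens + elapsed * self.refill_bytes_per_sec)
        self.last_t = t
        if self.tokens >= size_bytes:
            self.tokens -= size_bytes
            return "conform"              # conform-action transmit
        return "exceed"                   # exceed-action drop


def police_trace(trace, cir_bps=96000, burst_bytes=16000):
    """Run a time-ordered (arrival_time, size_bytes) trace through a fresh
    policer and count packets by outcome."""
    policer = Policer(cir_bps, burst_bytes)
    counts = {"conform": 0, "exceed": 0}
    for t, size in trace:
        counts[policer.offer(t, size)] += 1
    return counts


def constant_rate_trace(pps: int, size_bytes: int, seconds: int):
    """Constructed trace: `pps` equally spaced packets per second."""
    return [(Fraction(i, pps), size_bytes) for i in range(pps * seconds)]


def policer_budget(cir_bps: int, burst_bytes: int, size_bytes: int):
    """Steady-state packets per second and initial burst (in packets) that the
    policer lets through for one packet size."""
    return cir_bps // 8 // size_bytes, burst_bytes // size_bytes


if __name__ == "__main__":
    # An ordinary ping: one 100-byte echo per second for ten seconds.
    print("normal ping :", police_trace(constant_rate_trace(1, 100, 10)))
    # A flood: 10 000 echoes per second for two seconds.
    print("ping flood  :", police_trace(constant_rate_trace(10_000, 100, 2)))
    # What 96000 bps / 16000 bytes means for 100-byte echoes.
    print("budget      :", policer_budget(96000, 16000, 100))
```

The flood run shows why the policy restores the router without cutting off ping entirely: the bucket absorbs the first 160 packets, after which only the committed 120 packets per second get through and the rest are dropped before they reach the CPU, while the one-per-second ping never touches the limit.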
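The transcript shows the two symptoms an operator sees while the attack is running and before the policy is applied: five-second CPU utilisation pegged with most of it at interrupt level, and an OSPF adjacency going down because hellos are no longer processed. The following Python script, added here as a detection example and not Cisco code, parses those two message formats and raises a single finding when both occur together. The sample lines are constructed to mirror the transcript above (the recovery CPU line is invented), and the 80% and 50% thresholds are assumed starting points, not Cisco recommendations.

```python
"""Recognise the symptoms the console transcript above shows during the ping
attack: a CPU spike dominated by interrupt-level (packet switching) work and
a routing adjacency dropping because hellos could not be processed.

Added detection example, not Cisco code. Sample lines are constructed to
mirror the transcript; thresholds are assumed starting points.
"""
import re

# "X%/Y%": total five-second utilisation / share spent at interrupt level
CPU_RE = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%"
)
ADJ_RE = re.compile(
    r"%OSPF-5-ADJCHG: Process (\d+), Nbr (\S+) on (\S+) from (\w+) to (\w+)"
)

SAMPLE_LINES = [  # constructed; values mirror the transcript above
    "CPU utilization for five seconds: 99%/90%; one minute: 48%; five minutes: 25%",
    "2w0d: %OSPF-5-ADJCHG: Process 100, Nbr 6.6.6.122 on Vlan46 from FULL to DOWN, "
    "Neighbor Down: Dead timer expired",
    "2w0d: %SYS-5-CONFIG_I: Configured from console by console",
    "2w0d: %OSPF-5-ADJCHG: Process 100, Nbr 6.6.6.122 on Vlan46 from LOADING to FULL, Loading Done",
    "CPU utilization for five seconds: 12%/3%; one minute: 40%; five minutes: 24%",
]


def parse_cpu(line):
    """Parse a 'show proc cpu' summary line; None if the line is something else."""
    m = CPU_RE.search(line)
    if not m:
        return None
    total, interrupt, one_min, five_min = map(int, m.groups())
    return {"total": total, "interrupt": interrupt, "one_min": one_min, "five_min": five_min}


def parse_adjchg(line):
    """Parse an OSPF adjacency-change syslog line; None if it is not one."""
    m = ADJ_RE.search(line)
    if not m:
        return None
    process, nbr, ifname, old, new = m.groups()
    return {"process": process, "nbr": nbr, "interface": ifname, "old": old, "new": new}


def assess(lines, cpu_threshold=80, interrupt_threshold=50):
    """Collect CPU spikes and adjacency losses; set 'flood_suspected' when a
    spike dominated by interrupt-level work coincides with an adjacency DOWN."""
    findings = {"cpu_spikes": [], "adjacency_losses": [], "flood_suspected": False}
    for line in lines:
        cpu = parse_cpu(line)
        if cpu and cpu["total"] >= cpu_threshold and cpu["interrupt"] >= interrupt_threshold:
            findings["cpu_spikes"].append(cpu)
        adj = parse_adjchg(line)
        if adj and adj["new"] == "DOWN":
            findings["adjacency_losses"].append(adj)
    findings["flood_suspected"] = bool(findings["cpu_spikes"]) and bool(findings["adjacency_losses"])
    return findings


if __name__ == "__main__":
    for key, value in assess(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Requiring both symptoms keeps a busy-but-healthy box (high CPU in process time, adjacencies stable) from firing the finding; the interrupt-level share is the part of the CPU line that points at packet load rather than a runaway process.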