Chapter 24
Configuring Denial of Service Protection
When using security ACLs to drop DoS packets, note the following information:
• The security ACL must specify the traffic flow to be dropped.
• When adding a security ACL to block DoS packets to an interface that already has a security ACL configured, you must merge the DoS security ACL with the existing security ACL.
• Security ACLs need to be configured on all external interfaces that require protection. Use the interface range command to configure a security ACL on multiple interfaces.
The following example shows how a security ACL is used to drop DoS packets:
Router# clear mls ip mod 9
Router# show mls ip mod 9
Displaying Netflow entries in module 9
DstIP           SrcIP           Prot:SrcPort:DstPort  Src i/f:AdjPtr
--------------------------------------------------------------------
Pkts         Bytes         Age   LastSeen  Attributes
---------------------------------------------------
199.1.1.1       199.2.1.1       0 :0 :0     0 : 0
1843         84778         2     02:30:17  L3 - Dynamic
199.2.1.1       199.1.1.1       0 :0 :0     0 : 0
2742416      126151136     2     02:30:17  L3 - Dynamic
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# no access-list 199
Router(config)# access-list 199 deny ip host 199.1.1.1 any
Router(config)# access-list 199 permit ip any any
Router(config)# interface g9/1
Router(config-if)# ip access 199 in
Router(config-if)# end
Router#
1w6d: %SYS-5-CONFIG_I: Configured from console by console
Router# clear mls ip mod 9
Router# show mls ip mod 9
Displaying Netflow entries in module 9
DstIP           SrcIP           Prot:SrcPort:DstPort  Src i/f:AdjPtr
--------------------------------------------------------------------
Pkts         Bytes         Age   LastSeen  Attributes
---------------------------------------------------
199.1.1.1       199.2.1.1       0 :0 :0     0 : 0
1542         70932         2     02:31:56  L3 - Dynamic
199.2.1.1       199.1.1.1       0 :0 :0     0 : 0
0            0             2     02:31:56  L3 - Dynamic
Router# show access-list 199
Extended IP access list 199
    deny ip host 199.1.1.1 any (100 matches)
    permit ip any any
Router# show access-list 199
Extended IP access list 199
    deny ip host 199.1.1.1 any (103 matches)
    permit ip any any
Router#

[Callouts on the example: traffic flow identified; security ACL applied; hardware-forwarded traffic stopped; rate limiting at 0.5 pps]

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide—Release 12.1 E, 78-14099-04, 24-3
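As an added example (not from the configuration guide), the following Python script parses the two-line-per-flow show mls ip display used in the example above to pick out the high-volume source, then generates the merged numbered ACL and the interface range commands that the notes above call for. The sample display text, the 100000-packet threshold and the interface range g9/1 - 4 are constructed assumptions; the generated commands use the full ip access-group form.

```python
import re

# Constructed sample, copied from the two-line-per-flow 'show mls ip' layout above.
SAMPLE_MLS = """\
DstIP           SrcIP           Prot:SrcPort:DstPort  Src i/f:AdjPtr
--------------------------------------------------------------------
Pkts         Bytes         Age   LastSeen  Attributes
---------------------------------------------------
199.1.1.1       199.2.1.1       0 :0 :0     0 : 0
1843         84778         2     02:30:17  L3 - Dynamic
199.2.1.1       199.1.1.1       0 :0 :0     0 : 0
2742416      126151136     2     02:30:17  L3 - Dynamic
"""

FLOW_LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s")

def parse_mls_flows(text):
    """Return [(dst, src, pkts), ...]; each entry spans an address line and a counter line."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    flows, i = [], 0
    while i < len(lines) - 1:
        m = FLOW_LINE.match(lines[i])
        if m:                       # address line: Pkts is the first field of the next line
            flows.append((m.group(1), m.group(2), int(lines[i + 1].split()[0])))
            i += 2
        else:                       # header or separator line
            i += 1
    return flows

def top_sources(flows, pkt_threshold):
    """Source addresses whose per-flow packet count exceeds the threshold, busiest first."""
    hot = sorted(((p, s) for _, s, p in flows if p > pkt_threshold), reverse=True)
    return [s for _, s in hot]

def merge_dos_acl(existing_aces, number, sources):
    """Rebuild numbered ACL 'number' with deny entries for 'sources' ahead of the existing ACEs.
    Numbered ACLs cannot be edited in place, so the list is removed and re-entered in order."""
    denies = [f"access-list {number} deny ip host {s} any" for s in sources]
    kept = [a for a in existing_aces if a not in denies]
    return [f"no access-list {number}"] + denies + kept

def apply_to_range(number, if_range):
    """Apply the ACL inbound on every interface in an 'interface range' (e.g. 'g9/1 - 4')."""
    return [f"interface range {if_range}", f"ip access-group {number} in", "end"]

if __name__ == "__main__":
    flows = parse_mls_flows(SAMPLE_MLS)
    attackers = top_sources(flows, pkt_threshold=100000)       # constructed threshold
    acl = merge_dos_acl(["access-list 199 permit ip any any"], 199, attackers)
    print("\n".join(acl + apply_to_range(199, "g9/1 - 4")))   # constructed range
```

Paste the rebuilt list in one step: between "no access-list" and the re-entered ACEs the interface has no ACL, so the window should be as short as possible.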