Cisco 7604 Configuration Manual page 527

IOS Software Configuration Guide
Chapter 36
Configuring Denial of Service Protection
Security ACLs and VACLs
If the network is under a DoS attack, ACLs are an efficient way to drop the attack packets before they
reach the intended target. Use a security ACL when the attack is detected from a particular host. In this
example, all traffic sourced from host 10.1.1.10 is denied and everything else is permitted:
Router(config)# access-list 101 deny ip host 10.1.1.10 any
Router(config)# access-list 101 permit ip any any
An access list that is only defined filters nothing: apply it inbound on the interface where the attack
arrives (for example, ip access-group 101 in under that interface). Order matters, because IOS evaluates
entries top to bottom and stops at the first match; the explicit permit at the end is needed because an
ACL otherwise ends with an implicit deny of all remaining traffic.
Security ACLs also protect against source address spoofing. For example, assume that address range A
is used inside your network and that one router interface faces the Internet. Apply an inbound ACL on
that Internet-facing interface that denies every packet whose source address falls in A. Legitimate
traffic arriving from the Internet never carries an inside source address, so any such packet is spoofed.
This stops attacks in which the attacker forges inside source addresses: when the spoofed packet arrives
at the interface it matches the ACL and is dropped before it can cause damage.
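The following configuration puts the anti-spoofing rule described above into a complete, applied ACL. It
is an added example, not part of the guide; the inside prefix 10.1.0.0/16 and the interface
GigabitEthernet1/1 are hypothetical values chosen for illustration.

```cisco
! Added example (not from the guide). Assumes the inside network is
! 10.1.0.0/16 and GigabitEthernet1/1 is the Internet-facing interface;
! both values are hypothetical.
!
! ACL 110 drops any inbound packet that claims an inside source address.
! 0.0.255.255 is a wildcard mask (the inverse of 255.255.0.0), so the
! entry matches all of 10.1.0.0/16. The explicit permit at the end is
! required: without it the implicit deny would drop all Internet traffic.
! "log" records matches through syslog; ACEs with "log" are processed in
! software, so keep it off busy entries during a high-volume attack.
access-list 110 deny   ip 10.1.0.0 0.0.255.255 any log
access-list 110 permit ip any any
!
! The ACL filters nothing until it is applied to an interface.
interface GigabitEthernet1/1
 description Internet uplink
 ip access-group 110 in
!
! Check per-entry match counters after applying:
!   Router# show ip access-lists 110
```

The same ACL is the natural place to add a deny for a single attacking host (as in access list 101 above)
once the source has been identified; place such host entries before the final permit.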
When the Cisco 7600 series router is used with a Cisco Intrusion Detection Module (CIDM), the sensing
engine can install the security ACL dynamically in response to a detected attack.
VACLs are a security enforcement tool based on Layer 2, Layer 3, and Layer 4 information. The result
of a VACL lookup against a packet can be a permit, a deny, a permit and capture, or a redirect. When
you associate a VACL with a particular VLAN, all traffic must be permitted by the VACL before it is
allowed into the VLAN. Because a VACL is applied to the VLAN rather than to a routed interface, it also
filters traffic bridged between hosts within the VLAN, which an interface ACL never sees. VACLs are
enforced in hardware, so there is no performance penalty for applying VACLs to a VLAN on the
Cisco 7600 series routers.
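The following VACL drops traffic from the attacking host used in the earlier example while forwarding
everything else in the VLAN. It is an added example, not configuration from the guide; the access map
and ACL names and VLAN 100 are hypothetical.

```cisco
! Added example (not from the guide). The names DOS-HOST and DOS-FILTER
! and the VLAN number 100 are hypothetical.
!
! In a VACL the ACL only selects traffic: "permit" here means "match",
! and the action in the access-map sequence decides what happens to it.
ip access-list extended DOS-HOST
 permit ip host 10.1.1.10 any
!
! Sequence 10: traffic matching DOS-HOST is dropped.
vlan access-map DOS-FILTER 10
 match ip address DOS-HOST
 action drop
!
! Sequence 20: a sequence with no match clause matches all remaining
! traffic. It is required because traffic that matches no sequence is
! dropped by the access map's implicit deny.
vlan access-map DOS-FILTER 20
 action forward
!
! Apply the access map to the VLAN. It filters all traffic in VLAN 100,
! including frames bridged between hosts in that VLAN.
vlan filter DOS-FILTER vlan-list 100
!
! Verify:
!   Router# show vlan access-map DOS-FILTER
!   Router# show vlan filter
```

Replace `action drop` with `action forward capture` on sequence 10 if you want the attack traffic copied
to a capture port for analysis instead of discarded.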
OL-4266-08
Hardware-Based Rate Limiters on the PFC3, page 36-15
Ingress-Egress ACL Bridged Packets (Unicast Only), page 36-15
uRPF Check Failure, page 36-16
TTL Failure, page 36-16
ICMP Unreachable (Unicast Only), page 36-17
FIB (CEF) Receive Cases (Unicast Only), page 36-17
FIB Glean (Unicast Only), page 36-17
Layer 3 Security Features (Unicast Only), page 36-18
ICMP Redirect (Unicast Only), page 36-18
VACL Log (Unicast Only), page 36-18
MTU Failure, page 36-18
Layer 2 PDU, page 36-19
Layer 2 Protocol Tunneling, page 36-19
IP Errors, page 36-19
Layer 2 Multicast IGMP Snooping, page 36-19
IPv4 Multicast, page 36-19
IPv6 Multicast, page 36-20
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
Understanding How DoS Protection Works
36-11