A SERVICE OF

logo

Open as PDF
next previous
24-3
Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide—Release 12.1 E
78-14099-04
Chapter 24 Configuring Denial of Service Protection
Configuring DoS Protection
When using security ACLs to drop DoS packets, note the following information:
The security ACL must specify the traffic flow to be dropped.
When adding a security ACL to block DoS packets to an interface that already has a security ACL
configured, you must merge the DoS security ACL with the existing security ACL.
Security ACLs need to be configured on all external interfaces that require protection. Use the
interface range command to configure a security ACL on multiple interfaces.
The following example shows how a security ACL is used to drop DoS packets:
Router# clear mls ip mod 9
Router# show mls ip mod 9
Displaying Netflow entries in module 9
DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr
--------------------------------------------------------------------
Pkts Bytes Age LastSeen Attributes
---------------------------------------------------
199.1.1.1 199.2.1.1 0 :0 :0 0 : 0
1843 84778 2 02:30:17 L3 - Dynamic
199.2.1.1 199.1.1.1 0 :0 :0 0 : 0
2742416 126151136 2 02:30:17 L3 - Dynamic traffic flow identified
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# no access-list 199
Router(config)# access-list 199 deny ip host 199.1.1.1 any
Router(config)# access-list 199 permit ip any any
Router(config)# interface g9/1
Router(config-if)# ip access 199 in security ACL applied
Router(config-if)# end
Router#
1w6d: %SYS-5-CONFIG_I: Configured from console by console
Router# clear mls ip mod 9
Router# show mls ip mod 9
Displaying Netflow entries in module 9
DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr
--------------------------------------------------------------------
Pkts Bytes Age LastSeen Attributes
---------------------------------------------------
199.1.1.1 199.2.1.1 0 :0 :0 0 : 0
1542 70932 2 02:31:56 L3 - Dynamic
199.2.1.1 199.1.1.1 0 :0 :0 0 : 0
0 0 2 02:31:56 L3 - Dynamic hardware-forwarded
traffic stopped
Extended IP access list 199
deny ip host 199.1.1.1 any (100 matches)
permit ip any any
Router# show access-list 199
Extended IP access list 199
deny ip host 199.1.1.1 any (103 matches rate limiting at 0.5 pps
permit ip any any
Router #