[c-nsp] Anyone who have set PBR against worm or dos?

Sukumar Subburayan sukumars at cisco.com
Fri Feb 23 16:21:36 EST 2007


But, please note that we support only 'match ip address..'

Looks like Monty wants to use 'match length..' for worm protection.

'match length..' is not supported in HW on Sup2/Sup720.

Please see Cat6k Release notes at:

http://www.cisco.com/en/US/partner/products/hw/switches/ps708/prod_release_note09186a00801c8339.html#wp852286

sukumar


On Fri, 23 Feb 2007, rendo wrote:

> Just to share my experience, I have used PBR to re-route worm traffic to
> the Null0 interface since a few years ago, and personally, I prefer to use PBR
> rather than ACLs.
>
> I put PBR on a Catalyst 6500; the CPU load is much, much lower than using an
> access list.
>
> I don't know any other method to block worm traffic, so because PBR is
> consuming much less CPU than an ACL, I'm still using it until now.
>
> -rendo-
>
>
>
>>  On 2/23/07, Monty Ree <chulmin2 at hotmail.com> wrote:
>>
>>> Hello list.
>>>
>>> I have seen some Cisco security documents against worm attacks.
>>> It was named PBR and it would be great against worm or DoS attacks,
>>> because most packets of worms and DoS attacks are the same size.
>>>
>>> But I'm afraid whether it causes lots of CPU load on my system or not.
>>> So is there anyone who has done PBR on your Cisco equipment?
>>> My systems are C6509sup2 and C6509sup720 and the normal traffic is over
>>> 6-7 Gbps.
>>>
>>> The link which I saw is below.
>>> http://archives.neohapsis.com/archives/cisco/2003-q3/0010.html
>>>
>>> ----------------  example ---------------------------------
>>> access-list 199 permit icmp any any echo
>>> access-list 199 permit icmp any any echo-reply
>>>
>>> route-map nachi-worm permit 10
>>>   ! --- match ICMP echo requests and replies (type 8 & 0)
>>>   match ip address 199
>>>
>>>   ! --- match packets whose Layer 3 length is exactly 92 bytes
>>>   match length 92 92
>>>
>>>   ! --- drop the packet
>>>   set interface Null0
>>>
>>>
>>> interface <incoming-interface>
>>>   ! --- it is recommended to disable unreachables
>>>   no ip unreachables
>>>
>>>   ! --- if not using CEF, enable fast-switched PBR (otherwise PBR is process-switched)
>>>   ip route-cache policy
>>>
>>>   ! --- apply Policy Based Routing to the interface
>>>   ip policy route-map nachi-worm
>>>
>>>
>>> Thanks for your time.
>>>
>>>
>>>
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>>
>>
>
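As an added example (Python, not from the thread and not Cisco code), the following evaluates the quoted route-map offline: it parses the ACL and route-map lines from Monty's example, shows which constructed sample packets would be sent to Null0 (all match statements in a clause must be true, so only ICMP echo/echo-reply packets of exactly 92 bytes qualify), and flags the clause using 'match length', which Sukumar notes is not supported in hardware on Sup2/Sup720. The sample packets and the IOS syntax subset the parser accepts are constructed for illustration.

```python
"""Offline evaluation of the 'nachi-worm' PBR route-map from the thread.

Added example (not from the list post, not Cisco's code): parses the
route-map and ACL lines shown in the thread, decides where sample packets
would be sent, and flags any clause using 'match length', which Sukumar
notes is not supported in hardware on Sup2/Sup720.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed input: the ACL and route-map lines from the thread's example.
CONFIG = """
access-list 199 permit icmp any any echo
access-list 199 permit icmp any any echo-reply
route-map nachi-worm permit 10
 match ip address 199
 match length 92 92
 set interface Null0
"""

# ICMP type numbers behind the IOS ACL keywords used above.
ICMP_TYPES = {"echo": 8, "echo-reply": 0}

AclEntry = Tuple[str, Optional[str]]  # (protocol, icmp keyword or None)


@dataclass
class Packet:
    proto: str                      # "icmp", "tcp", "udp", ...
    length: int                     # Layer 3 (IP) length, what 'match length' tests
    icmp_type: Optional[int] = None


@dataclass
class Clause:
    name: str
    seq: int
    acls: List[str] = field(default_factory=list)
    length: Optional[Tuple[int, int]] = None
    set_interface: Optional[str] = None


def parse_config(text: str) -> Tuple[Dict[str, List[AclEntry]], List[Clause]]:
    """Parse only the subset of IOS syntax used in the example (constructed)."""
    acls: Dict[str, List[AclEntry]] = {}
    clauses: List[Clause] = []
    current: Optional[Clause] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"access-list (\d+) permit (\S+) any any(?: (\S+))?$", line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
            continue
        m = re.match(r"route-map (\S+) permit (\d+)$", line)
        if m:
            current = Clause(m.group(1), int(m.group(2)))
            clauses.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"match ip address (.+)$", line)
        if m:
            current.acls.extend(m.group(1).split())
            continue
        m = re.match(r"match length (\d+) (\d+)$", line)
        if m:
            current.length = (int(m.group(1)), int(m.group(2)))
            continue
        m = re.match(r"set interface (\S+)$", line)
        if m:
            current.set_interface = m.group(1)
    return acls, clauses


def acl_permits(entries: List[AclEntry], pkt: Packet) -> bool:
    for proto, icmp_kw in entries:
        if proto != pkt.proto:
            continue
        if icmp_kw is not None and ICMP_TYPES.get(icmp_kw) != pkt.icmp_type:
            continue
        return True
    return False


def clause_matches(clause: Clause, acls: Dict[str, List[AclEntry]], pkt: Packet) -> bool:
    # Different match statements in one clause are ANDed; the ACLs listed
    # in a single 'match ip address' are ORed.
    if clause.acls and not any(acl_permits(acls.get(a, []), pkt) for a in clause.acls):
        return False
    if clause.length and not (clause.length[0] <= pkt.length <= clause.length[1]):
        return False
    return True


def next_hop(clauses: List[Clause], acls: Dict[str, List[AclEntry]], pkt: Packet) -> str:
    """First matching permit clause wins; no match means normal routing."""
    for clause in clauses:
        if clause_matches(clause, acls, pkt):
            return clause.set_interface or "normal-routing"
    return "normal-routing"


def uses_match_length(clauses: List[Clause]) -> List[str]:
    """Clauses with 'match length' (not supported in HW on Sup2/Sup720 per Sukumar)."""
    return [f"{c.name} {c.seq}" for c in clauses if c.length is not None]


def demo() -> Dict[str, str]:
    acls, clauses = parse_config(CONFIG)
    samples = {  # constructed packets
        "nachi-echo-92": Packet("icmp", 92, icmp_type=8),
        "echo-reply-92": Packet("icmp", 92, icmp_type=0),
        "echo-100": Packet("icmp", 100, icmp_type=8),
        "tcp-92": Packet("tcp", 92),
    }
    return {name: next_hop(clauses, acls, p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, hop in demo().items():
        print(f"{name:>14}: {hop}")
    print("clauses using 'match length':", uses_match_length(parse_config(CONFIG)[1]))
```

Run it as a script to see that only the two 92-byte ICMP samples go to Null0; the `uses_match_length` check is the part worth keeping as a pre-deployment lint for Sup2/Sup720 route-maps.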

