[c-nsp] Under attack, need help with ACL....
Rodney Dunn
rodunn at cisco.com
Wed Nov 3 12:34:56 EST 2004
The rate limiting is per source address from what
I remember.
There is an enhancement request on the table
to provide more notification to users when
packets are being rate limited (SNMP, syslog,
show command) and to break out the reasons.
You can turn it off if you want:
no ip icmp rate-limit unreachable
That's why you see a traceroute that looks like
this:
Router#tr 1.1.1.2
Type escape sequence to abort.
Tracing the route to 1.1.1.2
1 1.1.1.2 4 msec * 0 msec
Router#!now turn it off on the target router
Router#tr 1.1.1.2
Type escape sequence to abort.
Tracing the route to 1.1.1.2
1 1.1.1.2 4 msec 0 msec 0 msec
http://www.cisco.com/en/US/tech/tk364/tk871/technologies_tech_note09186a00801ae32a.shtml
Rodney
On Wed, Nov 03, 2004 at 07:06:28AM +0200, Pekka Savola wrote:
> On Tue, 2 Nov 2004, Rodney Dunn wrote:
> > 101_(config)#ip icmp rate-limit unreachable ?
> > <1-4294967295> Once per milliseconds
> > DF code 4, fragmentation needed and DF set
> >
> > default is one per 500 msec.
>
> That would be really stupid if that was the case (e.g., breaks
> traceroutes). Don't you have some kind of token bucket?
>
> --
> Pekka Savola "You each name yourselves king, yet the
> Netcore Oy kingdom bleeds."
> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
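The following Python sketch is an added example, not part of either poster's message and not Cisco's code. It models the limiter discussed above (one ICMP unreachable per 500 msec) against a three-probe traceroute to show why the middle probe times out. The 4 msec round trip, the 3000 msec probe timeout and the token-bucket parameters are assumptions, and the token bucket is a hypothetical alternative of the kind asked about in the quoted reply.

```python
"""Added illustration: ICMP unreachable rate limiting versus traceroute probes."""

def fixed_interval(interval_ms=500):
    """One unreachable per interval_ms (the thread's default of 500 msec)."""
    last = None
    def allow(now_ms):
        nonlocal last
        if last is None or now_ms - last >= interval_ms:
            last = now_ms
            return True
        return False
    return allow

def token_bucket(rate_per_s=2, burst=3):
    """Hypothetical alternative: same long-run rate, but short bursts pass."""
    tokens, last = float(burst), 0
    def allow(now_ms):
        nonlocal tokens, last
        tokens = min(burst, tokens + (now_ms - last) * rate_per_s / 1000)
        last = now_ms
        if tokens >= 1:
            tokens -= 1
            return True
        return False
    return allow

def unlimited():
    """Models 'no ip icmp rate-limit unreachable' on the target."""
    return lambda now_ms: True

def traceroute(allow, probes=3, rtt_ms=4, timeout_ms=3000):
    """Probe the last hop from one source; the next probe leaves after a reply or a timeout."""
    now, shown = 0, []
    for _ in range(probes):
        if allow(now):
            shown.append(f"{rtt_ms} msec")
            now += rtt_ms
        else:
            shown.append("*")
            now += timeout_ms   # assumed probe timeout
    return " ".join(shown)

if __name__ == "__main__":
    for name, limiter in [("fixed 500 msec", fixed_interval()),
                          ("rate limit off", unlimited()),
                          ("token bucket", token_bucket())]:
        print(f"{name:15} {traceroute(limiter)}")
```

The second probe leaves about 4 msec after the first reply, inside the 500 msec window, so it gets no unreachable; by the time it has timed out the window has passed and the third probe is answered.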