[c-nsp] rate-limit icmp packets

Collins Richard, SLC SBS ITO (SHA) rich.collins at SIEMENS.COM
Tue Jul 26 23:07:30 EDT 2005


Your configuration should work.  You could apply the rate-limit input
access-group 113 but have exceed-action transmit initially.

Then by periodically looking at show interface xx rate-limit you can see the
icmp traffic patterns, what is within the CIR (i.e. 8000) and what exceeds.
You have to clear counters from time to time.  Once you get an idea for a
reasonable CIR you can change to exceed-action drop.

To see the characteristics of the icmp packets it might be more effective to
"debug ip packet 113" than log-input.

Maybe someone else has a better idea.

Rich

------------------------------

Message: 4
Date: Mon, 25 Jul 2005 16:45:20 eet
From: "Security" <security at cytanet.com.cy>
Subject: [c-nsp] rate-limit icmp packets
To: cisco-nsp at puck.nether.net
Message-ID: <42e4ecf0.6625.0 at cytanet.com.cy>
Content-Type: text/plain; charset="iso-8859-1"

Hello all

I need to rate limit icmp echo and echo reply packets on my interfaces. Any
suggestion on how to do this? Can I do this on asynchronous interfaces
(interfaces for PSTN/ISDN connections) also? How can I measure ICMP traffic
under normal network conditions so as to apply the correct rate limit?

I used the following format for asynchronous interfaces:
rate-limit input access-group 113 8000 1500 2000 conform-action transmit exceed-action drop
Extended IP access list 113
    permit icmp any any echo log-input
    permit icmp any any echo-reply log-input

Is this OK?

Thanks for your support

Regards
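As an added example that is not part of this thread, the following Python script automates the measurement step Rich describes: parse the counters from "show interface xx rate-limit" while exceed-action is still transmit, work out how much of the matched ICMP traffic falls outside the CIR, and say whether the CIR is ready to enforce with exceed-action drop. The sample CLI output embedded in it is constructed and only approximates the IOS CAR display; the parse_rate_limit and assess functions and the 5% tolerance are assumptions of this example, not IOS features.

```python
"""Parse Cisco CAR counters from "show interfaces <if> rate-limit" output
and judge whether the configured CIR is ready to enforce.

Added example for the c-nsp thread, not code from the thread or from Cisco.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: approximates what "show interfaces Serial0 rate-limit"
# prints while the CAR policy is still in measurement mode (exceed-action
# transmit). Field layout follows the classic CAR display; numbers are made up.
SAMPLE_OUTPUT = """\
Serial0
  Input
    matches: access-group 113
      params:  8000 bps, 1500 limit, 2000 extended limit
      conformed 4210 packets, 421000 bytes; action: transmit
      exceeded 312 packets, 31200 bytes; action: transmit
      last packet: 48ms ago, current burst: 0 bytes
      last cleared 00:10:00 ago, conformed 5613 bps, exceeded 416 bps
"""


@dataclass
class CarStats:
    interface: str
    direction: str
    acl: str
    cir_bps: int
    conformed_pkts: int
    conformed_bytes: int
    exceeded_pkts: int
    exceeded_bytes: int
    exceed_action: str
    cleared_secs: int

    @property
    def exceed_ratio(self) -> float:
        """Share of matched bytes that fell outside the CIR/burst window."""
        total = self.conformed_bytes + self.exceeded_bytes
        return self.exceeded_bytes / total if total else 0.0

    @property
    def avg_bps(self) -> float:
        """Mean matched rate (bits/s) since the counters were last cleared."""
        if not self.cleared_secs:
            return 0.0
        return 8.0 * (self.conformed_bytes + self.exceeded_bytes) / self.cleared_secs


_RE_ACL = re.compile(r"matches: access-group (\d+)")
_RE_PARAMS = re.compile(r"params:\s+(\d+) bps")
_RE_CONF = re.compile(r"conformed (\d+) packets, (\d+) bytes; action: (\w+)")
_RE_EXC = re.compile(r"exceeded (\d+) packets, (\d+) bytes; action: (\w+)")
_RE_CLEARED = re.compile(r"last cleared (\d+):(\d+):(\d+) ago")


def parse_rate_limit(text: str) -> List[CarStats]:
    """Walk the CLI output line by line; one CarStats per rate-limit entry."""
    results: List[CarStats] = []
    iface = direction = ""
    cur: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):              # interface names are unindented
            iface = line
        elif line in ("Input", "Output"):
            direction = line
        elif (m := _RE_ACL.search(line)):
            cur = {"acl": m.group(1)}            # new entry starts here
        elif (m := _RE_PARAMS.search(line)):
            cur["cir_bps"] = int(m.group(1))
        elif (m := _RE_CONF.search(line)):       # only the "... packets" line matches
            cur["conformed_pkts"], cur["conformed_bytes"] = int(m.group(1)), int(m.group(2))
        elif (m := _RE_EXC.search(line)):
            cur["exceeded_pkts"], cur["exceeded_bytes"] = int(m.group(1)), int(m.group(2))
            cur["exceed_action"] = m.group(3)
        elif (m := _RE_CLEARED.search(line)):    # last line of an entry
            h, mi, s = (int(x) for x in m.groups())
            cur["cleared_secs"] = h * 3600 + mi * 60 + s
            results.append(CarStats(interface=iface, direction=direction, **cur))
            cur = {}
    return results


def assess(stats: CarStats, max_exceed_ratio: float = 0.05) -> Tuple[bool, str]:
    """Return (ready, advice): ready means the share of ICMP that would be
    dropped is within tolerance, so exceed-action can be switched to drop.
    The 5% default is an assumed tolerance for this example, not a Cisco value."""
    if stats.exceed_action == "drop":
        return True, "already enforcing; the exceeded counter is traffic being dropped"
    if stats.exceed_ratio <= max_exceed_ratio:
        return True, (f"{stats.exceed_ratio:.1%} of matched bytes exceed {stats.cir_bps} bps; "
                      "switch to exceed-action drop")
    return False, (f"{stats.exceed_ratio:.1%} of matched bytes exceed {stats.cir_bps} bps "
                   f"(avg {stats.avg_bps:.0f} bps); raise CIR/burst or keep measuring")


if __name__ == "__main__":
    for entry in parse_rate_limit(SAMPLE_OUTPUT):
        ready, advice = assess(entry)
        print(f"{entry.interface} {entry.direction} acl {entry.acl}: ready={ready}; {advice}")
```

Run it after a clear counters and a representative measurement interval, pasting the real show output in place of SAMPLE_OUTPUT. The script checks exceed_action first on purpose: once the action is already drop, the exceeded counter is discarded traffic rather than a measurement, so it tells you nothing about the right CIR.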

