[c-nsp] Rate-limiting ARPs

Amol Sapkal amolsapkal at gmail.com
Wed Sep 13 06:22:27 EDT 2006


Try this:


class-map match-any LIMIT-ARP
 match protocol arp

Then,

policy-map ARP1 (or any name)
 class LIMIT-ARP
  police 4000 2000 2000 conform-action transmit exceed-action drop violate-action drop

(use whatever values you seem ok with, for above police statement)

Apply this policy as an output policy on the interface.


HTH,
Amol


On 9/13/06, Ed Butler <ed.butler at rapidswitch.com> wrote:
> I am trying to find out how to rate limit the generation of ARPs by a
> gateway.
>
> Example scenario:
>
> ==================================================
> 123.234.123.1/24 is a Cisco gateway connected to the Internet
>
> An Internet host sends a UDP packet to 123.234.123.99
>
> 123.234.123.1 generates an ARP for the .99 IP address, but no one
> answers it so it is down as "Incomplete"
>
> An Internet host sends another UDP packet to 123.234.123.99
>
> 123.234.123.1 generates another ARP request
> ==================================================
>
> From what I can see, there is nothing that prevents this behaviour from
> causing a DOS by flooding a subnet with ARP requests. What I'd like to
> do is for the Cisco gateway (a 3750 in this instance) to remember it
> sent an ARP request for the .99 IP address, and rate limit itself to
> sending 1 every second or similar.
>
> Is there any way of achieving this? Any fault with what I am suggesting?
>
> Regards,
>
> Ed Butler
> RapidSwitch Ltd
> DDI: 020 7106 0731
>
> RapidSwitch Ltd, 5th Floor, Sovereign House, 227 Marsh Wall, London, E14
> 9SD
>
> This email message is intended only for the addressee(s) and contains
> information that may be confidential and/or copyright.  If you are not
> the intended recipient please notify the sender by reply email and
> immediately delete this email. Use, disclosure or reproduction of this
> email by anyone other than the intended recipient(s) is strictly
> prohibited. No representation is made that this email or any attachments
> are free of viruses. Virus scanning is recommended and is the
> responsibility of the recipient.
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>


-- 
Warm regards,

Amol Sapkal

-------------------------------------------------------------------
"When I'm not in my right mind, my left mind
gets pretty crowded"
-------------------------------------------------------------------
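The thread discusses two different ways of bounding ARP generation on a gateway whose hosts never answer: Ed's wish that the gateway remember an Incomplete entry and re-ARP for the same target at most once per second, and Amol's suggestion of an egress MQC policer on ARP frames. The following is an added simulation, not code from either poster or from Cisco, that models both on a constructed packet flood so the effect of each can be compared. The ARP frame size, the traffic pattern and the `.90-.94` target addresses are assumptions chosen for the model; the policer is simplified to a single-rate conform/exceed token bucket using the 4000 bps / 2000 byte values from Amol's `police` line.

```python
"""Toy model of a gateway that ARPs for hosts which never reply.

Added example, not from the thread. It compares:
  * per-target throttling in the ARP process (re-ARP for an Incomplete
    entry at most once per interval), and
  * an egress policer on ARP frames (token bucket, like `police <bps> <burst>`
    with conform-action transmit / exceed-action drop).
Times are integer milliseconds so the arithmetic stays exact.
"""

ARP_FRAME_BYTES = 60  # assumption: ARP request padded to the Ethernet minimum frame


class TokenBucket:
    """Single-rate, two-colour policer: `rate_bps` refills a bucket of `burst_bytes`."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bytes_per_ms = rate_bps / 8 / 1000
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)  # bucket starts full
        self.last_ms = 0

    def conform(self, now_ms, size_bytes):
        # refill proportionally to elapsed time, capped at the burst size
        self.tokens = min(self.burst,
                          self.tokens + (now_ms - self.last_ms) * self.rate_bytes_per_ms)
        self.last_ms = now_ms
        if self.tokens >= size_bytes:
            self.tokens -= size_bytes
            return True
        return False


class Gateway:
    def __init__(self, per_target_interval_ms=None, policer=None):
        self.incomplete = {}  # target IP -> ms at which the last ARP request was emitted
        self.per_target_interval_ms = per_target_interval_ms
        self.policer = policer
        self.stats = {"arp_sent": 0, "suppressed": 0, "policed": 0}

    def forward(self, now_ms, dst_ip):
        """Handle one packet whose next hop is unresolved (nobody ever replies)."""
        last = self.incomplete.get(dst_ip)
        if (self.per_target_interval_ms is not None and last is not None
                and now_ms - last < self.per_target_interval_ms):
            self.stats["suppressed"] += 1   # ARP process holds back: entry still Incomplete
            return False
        self.incomplete[dst_ip] = now_ms    # ARP process emits a request
        if self.policer is not None and not self.policer.conform(now_ms, ARP_FRAME_BYTES):
            self.stats["policed"] += 1      # interface policer drops the frame
            return False
        self.stats["arp_sent"] += 1
        return True


def constructed_flood(packets=1000, interval_ms=10, targets=5):
    """Constructed traffic: one packet every 10 ms, cycling over unanswered .90-.94 hosts."""
    return [(i * interval_ms, f"123.234.123.{90 + i % targets}") for i in range(packets)]


def simulate(gateway, stream):
    for now_ms, dst in stream:
        gateway.forward(now_ms, dst)
    return gateway.stats


def compare():
    """Run the same flood through four gateway configurations and return their counters."""
    stream = constructed_flood()
    return {
        "unthrottled": simulate(Gateway(), stream),
        "per_target_1s": simulate(Gateway(per_target_interval_ms=1000), stream),
        "policer_4000bps_2000B": simulate(Gateway(policer=TokenBucket(4000, 2000)), stream),
        "both": simulate(Gateway(per_target_interval_ms=1000,
                                 policer=TokenBucket(4000, 2000)), stream),
    }


if __name__ == "__main__":
    for name, stats in compare().items():
        print(f"{name:24s} {stats}")
```

On this constructed flood the unthrottled gateway emits one ARP request per inbound packet, the per-target throttle cuts that to one request per target per second, and the policer alone lets the initial burst through and then passes roughly one frame every 120 ms at 4000 bps. The two mechanisms differ in what they protect: the per-target timer bounds ARPs per destination, while the interface policer bounds the total ARP rate regardless of how many targets are being probed, which is why the counters for the combined case show no policer drops at all.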

