[c-nsp] shaping > 128 mbps - asr9k
Aaron
aaron1 at gvtc.com
Wed Nov 13 15:15:07 EST 2013
Thanks. I'm trying to slow down ddos attacks that use legitimate udp ports,
do I really want to police my friendly udp traffic right along with my
attack udp traffic? The line of thinking that I was running with was to
merely slow down the udp traffic, not drop it completely. Basically, I'm
getting ddos udp attacks in the realm of 2 and 3 gbps up to 2 hours in
duration. This is killing my distribution networks feed at 1 gbps rates. I
wanted to slow down (shape) udp on an on-going basis, so as to slow down the
momentary udp attacks. Thoughts?
Aaron
-----Original Message-----
From: Lars Eidsheim [mailto:lhe at intellit.no]
Sent: Wednesday, November 13, 2013 7:36 AM
To: Aaron; 'Oliver Boehmer (oboehmer)'; cisco-nsp at puck.nether.net
Subject: SV: [c-nsp] shaping > 128 mbps - asr9k
Do you need to use shaping? If not, you can use a policer.
Example:
policy-map from-internet-child
 class udp-attack
  police rate 500 mbps
 !
 class class-default
 !
 end-policy-map
Best regards,
Lars Eidsheim
iNTELLiT
-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Aaron
Sent: 12 November 2013 22:00
To: 'Oliver Boehmer (oboehmer)'; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] shaping > 128 mbps - asr9k
policy-map from-internet-child
 class udp-attack
  shape average 600 mbps
 !
 class class-default
 !
 end-policy-map
-----Original Message-----
From: Aaron [mailto:aaron1 at gvtc.com]
Sent: Tuesday, November 12, 2013 2:58 PM
To: 'Oliver Boehmer (oboehmer)'; 'cisco-nsp at puck.nether.net'
Subject: RE: [c-nsp] shaping > 128 mbps - asr9k
(here's the uncommitted (failing) config... basically I want to shape
inbound UDP to 600 mbps. please show me how to accomplish that.)
RP/0/RSP0/CPU0:eng-lab-9k-1(config-pmap-c)#show config
policy-map from-internet-parent
 class class-default
  service-policy from-internet-child
  shape average 1 gbps
 !
 end-policy-map
!
interface GigabitEthernet0/0/0/5
 service-policy input from-internet-parent
!
end
RP/0/RSP0/CPU0:eng-lab-9k-1(config-pmap-c)#commi
% Failed to commit one or more configuration items during a pseudo-atomic
operation. All changes made have been reverted. Please issue 'show
configuration failed' from this session to view the errors
RP/0/RSP0/CPU0:eng-lab-9k-1(config-pmap-c)#show config failed
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.
interface GigabitEthernet0/0/0/5
 service-policy input from-internet-parent
!!% 'prm_ezhal' detected the 'warning' condition 'Cannot support child/flat shape rate > 128Mbps'
!
end
RP/0/RSP0/CPU0:eng-lab-9k-1(config-pmap-c)#do sh run class-map
class-map match-all udp-attack
 match protocol udp
 end-class-map
!
-----Original Message-----
From: Oliver Boehmer (oboehmer) [mailto:oboehmer at cisco.com]
Sent: Tuesday, November 12, 2013 2:23 PM
To: Aaron; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] shaping > 128 mbps - asr9k
>Anyone know how to accomplish shaping traffic at a rate greater than
>128 mbps ?
>
>When I apply the policy-map/class-map to an interface it fails with
>this message.
>
>'Cannot support child/flat shape rate > 128Mbps'
can you please share the configuration you are trying to apply, including
policy-maps and where you want to apply this?
oli
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
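Added example, not part of the thread and not Cisco code: a fluid-model simulation of the two quoted policies (police 500 mbps, shape average 600 mbps) applied to a class that matches all UDP, under the 2 Gbps attack described above. The function name simulate, the 100 Mbps of legitimate UDP and the 100 ms shaper buffer are assumptions made for illustration.

```python
"""Fluid model: policer vs. shaper on a single class that matches all UDP."""

def simulate(legit_mbps, attack_mbps, rate_mbps, seconds, queue_ms=0.0, dt=0.001):
    """Return (legit_fraction_delivered, max_queue_delay_ms, first_drop_s).

    queue_ms=0 models a policer (excess dropped at once); queue_ms>0 models
    a shaper whose buffer holds queue_ms worth of traffic at the shape rate.
    The buffer depth is an assumption; real depth is platform-specific.
    """
    offered = legit_mbps + attack_mbps            # Mbit/s entering the class
    limit = rate_mbps * queue_ms / 1000.0         # buffer size in Mbit
    queue = delivered = max_delay_ms = 0.0
    first_drop = None
    for i in range(int(round(seconds / dt))):
        queue += offered * dt                     # arrivals in this tick
        sent = min(queue, rate_mbps * dt)         # drain at most rate * dt
        queue -= sent
        delivered += sent
        if queue > limit + 1e-9:                  # buffer full: excess is dropped
            if first_drop is None:
                first_drop = i * dt
            queue = limit
        max_delay_ms = max(max_delay_ms, 1000.0 * queue / rate_mbps)
    # The class matches on protocol only, so drops hit legitimate and attack
    # packets in proportion to their share of the offered load.
    return delivered / (offered * seconds), max_delay_ms, first_drop


if __name__ == "__main__":
    # Constructed scenario: 100 Mbps of legitimate UDP (assumed) plus the
    # 2 Gbps attack from the thread, against the two quoted rates.
    cases = [
        ("police 500 mbps", dict(rate_mbps=500)),
        ("shape 600 mbps, 100 ms buffer", dict(rate_mbps=600, queue_ms=100)),
    ]
    for name, kw in cases:
        frac, delay, t0 = simulate(100, 2000, seconds=10, **kw)
        print(f"{name}: legit delivered {frac:.1%}, "
              f"added delay up to {delay:.0f} ms, first drop at {t0 * 1000:.0f} ms")
```

In this model both limiters deliver rate/offered of every UDP flow once the load is sustained; the shaper differs only in deferring the first drop until its buffer fills and in adding queueing delay.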