[c-nsp] shaping > 128 mbps - asr9k

Aaron aaron1 at gvtc.com
Wed Nov 13 15:15:07 EST 2013 

Thanks.  I'm trying to slow down ddos attacks that use legitimate udp ports,
do I really want to police my friendly udp traffic right along with my
attack udp traffic?  The line of thinking that I was running with was to
merely slow down the udp traffic, not drop it completely.  Basically, I'm
getting ddos udp attacks in the realm of 2 and 3 gbps up to 2 hours in
duration.  This is killing my distribution networks feed at 1 gbps rates.  I
wanted to slow down (shape) udp on an on-going basis, so as to slow down the
momentary udp attacks.  Thoughts?

Aaron

-----Original Message-----
From: Lars Eidsheim [mailto:lhe at intellit.no] 
Sent: Wednesday, November 13, 2013 7:36 AM
To: Aaron; 'Oliver Boehmer (oboehmer)'; cisco-nsp at puck.nether.net
Subject: SV: [c-nsp] shaping > 128 mbps - asr9k

Do you need to use shaping? If not you can use a policer,

Example:

policy-map from-internet-child
 class udp-attack
  police rate 500 mbps
 !
 class class-default
 !
 end-policy-map

Mvh

Lars Eidsheim
iNTELLiT


-----Opprinnelig melding-----
Fra: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] På vegne av Aaron
Sendt: 12. november 2013 22:00
Til: 'Oliver Boehmer (oboehmer)'; cisco-nsp at puck.nether.net
Emne: Re: [c-nsp] shaping > 128 mbps - asr9k

policy-map from-internet-child
 class udp-attack
  shape average 600 mbps
 !
 class class-default
 !
 end-policy-map


-----Original Message-----
From: Aaron [mailto:aaron1 at gvtc.com]
Sent: Tuesday, November 12, 2013 2:58 PM
To: 'Oliver Boehmer (oboehmer)'; 'cisco-nsp at puck.nether.net'
Subject: RE: [c-nsp] shaping > 128 mbps - asr9k


(here's the uncommitted (failing) config... basically I want to shape
inbound UDP to 600 mbps.  please show me how to accomplish that.)

RP/0/RSP0/CPU0:eng-lab-9k-1(config-pmap-c)#show config

policy-map from-internet-parent
 class class-default
  service-policy from-internet-child
  shape average 1 gbps
 !
 end-policy-map
!
interface GigabitEthernet0/0/0/5
 service-policy input from-internet-parent !
end

RP/0/RSP0/CPU0:eng-lab-9k-1(config-pmap-c)#commi

% Failed to commit one or more configuration items during a pseudo-atomic
operation. All changes made have been reverted. Please issue 'show
configuration failed' from this session to view the errors

RP/0/RSP0/CPU0:eng-lab-9k-1(config-pmap-c)#show config failed

!! SEMANTIC ERRORS: This configuration was rejected by !! the system due to
semantic errors. The individual !! errors with each failed configuration
command can be !! found below.

interface GigabitEthernet0/0/0/5
 service-policy input from-internet-parent !!% 'prm_ezhal' detected the
'warning' condition 'Cannot support child/flat shape rate > 128Mbps'
!
end

RP/0/RSP0/CPU0:eng-lab-9k-1(config-pmap-c)#do sh run class-map

class-map match-all udp-attack
 match protocol udp
 end-class-map
!




-----Original Message-----
From: Oliver Boehmer (oboehmer) [mailto:oboehmer at cisco.com]
Sent: Tuesday, November 12, 2013 2:23 PM
To: Aaron; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] shaping > 128 mbps - asr9k



>Anyone know how to accomplish shaping traffic at a rate greater than
>128 mbps ?
>
>When I apply the policy-map/class-map to an interface it fails with 
>this message.
>
>'Cannot support child/flat shape rate > 128Mbps'

can you please share the configuration you are trying to apply, including
policy-maps and where you want to apply this?

        oli

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

This email has been scanned and secured by Intellit

This communication is for use by the intended recipient and contains
information that may be privileged, confidential and exempt from disclosure
or copyrighted under applicable law. If you are not the intended recipient,
you are hereby formally notified that any dissemination, use, copying or
distribution of this e-mail, in whole or in part, is strictly prohibited.
Please notify the sender by return e-mail and delete this e-mail from your
system.

More information about the cisco-nsp mailing list