[c-nsp] Stop IP Fragmentation attck
Satish Patel
satish.txt at gmail.com
Tue Apr 26 13:50:58 EDT 2016
Lukas,
Thanks. I am looking for a configuration like this: if my Internet bandwidth usage
goes above 50% (or PPS goes higher than average), I want to apply an ACL that starts
dropping fragmented packets, like Juniper has with the following option. Does
Cisco have a config like the following, applying an ACL based on a criterion?
firewall {
    policer IP-FRAG-Policer {
        filter-specific;
        if-exceeding {
            bandwidth-limit 8k;
            burst-size-limit 1500;
        }
        then discard;
    }
    family inet {
        filter DOS-Protect {
            :
            : /* Term ip-fragments-limit: Rate limit IP fragment packets. */
            term ip-fragments-limit-1 {
                from first-fragment;
                then policer IP-FRAG-Policer;
            }
            term ip-fragments-limit-2 {
                from fragment-offset 64-65535;
                then policer IP-FRAG-Policer;
            }
            :
            :
        }
    }
}
On Tue, Apr 26, 2016 at 1:19 PM, Lukas Tribus <luky-37 at hotmail.com> wrote:
>> I am just looking for some kind of 3rd option which can give us relief. I
>> just wanted to know what exactly the ACL fragments option does?
>
> Roland already provided you a link to the ACL documentation specific
> to IP fragments.
>
> Do you have a specific question about that or do you just want us to
> read that document for you and then give you a brief summary?
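Editor's note: the closest classic Cisco IOS equivalent of the Junos DOS-Protect filter above, as an added example that is not from the original thread or from Cisco documentation. The static part is an extended ACL using the `fragments` keyword, a class-map, and an MQC policer applied inbound on the edge interface; the "only when load is high" part is done with two Embedded Event Manager applets using the interface event detector. Interface name (GigabitEthernet0/0), the rxload thresholds (128 and 64 on the 0-255 scale, roughly 50% and 25%), the poll interval, and all object names are assumptions chosen for this illustration; adjust them to your platform and check the EEM interface-detector parameters your IOS release actually supports.

```cisco
! --- Static part: rate-limit IP fragments to ~8 kbit/s, burst 1500 bytes ---
! NOTE: the IOS "fragments" keyword matches NON-INITIAL fragments only
! (fragment offset > 0). Classic IOS ACLs have no keyword for the first
! fragment; it carries the L4 header and is evaluated like an ordinary packet.
ip access-list extended FRAG-ANY
 permit ip any any fragments

class-map match-all IP-FRAGMENTS
 match access-group name FRAG-ANY

! police <bps> <burst-bytes>: 8000 bps is the IOS minimum rate, which lines up
! with the Junos bandwidth-limit 8k / burst-size-limit 1500 in the thread.
policy-map DOS-PROTECT
 class IP-FRAGMENTS
  police 8000 1500 conform-action transmit exceed-action drop
 class class-default

! --- Conditional part (assumed thresholds): attach the policer only while the
! inbound load is high, and detach it again once the load falls back.
! rxload is reported on a 0-255 scale, so 128 ~ 50% and 64 ~ 25%.
! The entry/exit pair makes each applet fire once per threshold crossing
! rather than on every poll.
event manager applet FRAG-POLICER-ON
 event interface name GigabitEthernet0/0 parameter rxload entry-op ge entry-val 128 entry-type value exit-op le exit-val 64 exit-type value poll-interval 30
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface GigabitEthernet0/0"
 action 4.0 cli command "service-policy input DOS-PROTECT"
 action 5.0 cli command "end"
 action 6.0 syslog msg "rxload above threshold: DOS-PROTECT fragment policer applied"

event manager applet FRAG-POLICER-OFF
 event interface name GigabitEthernet0/0 parameter rxload entry-op le entry-val 64 entry-type value exit-op ge exit-val 128 exit-type value poll-interval 30
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface GigabitEthernet0/0"
 action 4.0 cli command "no service-policy input DOS-PROTECT"
 action 5.0 cli command "end"
 action 6.0 syslog msg "rxload back to normal: DOS-PROTECT fragment policer removed"
```

Two practical caveats. First, because `fragments` only catches non-initial fragments, the first fragment of each datagram is not policed by this class; on classic IOS there is no direct counterpart to the Junos `first-fragment` term, so expect a small residual stream of initial fragments that ordinary ACEs and classes see as normal packets. Second, an 8 kbit/s policer costs essentially nothing, so the simpler and more predictable option is to leave `service-policy input DOS-PROTECT` attached permanently and drop the EEM applets; the applets are shown only because the question asked for a load-triggered ACL. Verify with `show policy-map interface GigabitEthernet0/0` (conform/exceed counters for IP-FRAGMENTS) and `show event manager policy registered`.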
More information about the cisco-nsp mailing list