On Tue, Oct 29, 2002 at 01:24:11PM -0800, Dan Lockwood wrote:
Would anyone be willing to post an operational example of CAR for ICMP. I would like to see what others are doing to combat the problem.
Dan
rate-limit input access-group 2000 1536000 200000 200000 conform-action transmit exceed-action drop access-list 2000 permit icmp any any echo access-list 2000 permit icmp any any echo-reply POS0/1 <peer interface> Input matches: access-group 2000 params: 1536000 bps, 200000 limit, 200000 extended limit conformed 96374566 packets, 19474M bytes; action: transmit exceeded 16609350 packets, 1446M bytes; action: drop last packet: 28ms ago, current burst: 0 bytes last cleared 7w5d ago, conformed 33230 bps, exceeded 2467 bps POS0/2 <peer interface> Input matches: access-group 2000 params: 1536000 bps, 200000 limit, 200000 extended limit conformed 37773899 packets, 6325M bytes; action: transmit exceeded 5222953 packets, 399165438 bytes; action: drop last packet: 52ms ago, current burst: 0 bytes last cleared 7w5d ago, conformed 10794 bps, exceeded 681 bps As you can see by looking at your 'current burst' information, you can find out if there is an active attack/exceeding. These rates are typically quite low as you can see. - Jared