access-list 175 permit icmp any any
int bleh/bleh
 rate-limit input access-group 175 128000 8000 8000 conform-action transmit exceed-action drop
 rate-limit output access-group 175 128000 8000 8000 conform-action transmit exceed-action drop
I agree, the above isn't all that hard.
However, I'd argue that the above is in some sense wrong. There's no need to put all ICMP traffic in the same basket; some ICMP traffic is required for e.g. path MTU discovery to work. So, instead I'd use
access-list 175 permit icmp any any echo-reply
With all the smurf amplifiers available, it is of course easier to generate several Mbps of ICMP Echo Reply than it is to generate large amounts of other ICMP traffic. However, if your network is exposed to several Mbps of inbound ICMP *other* than Echo Reply, it may be equally bad for your network. So I prefer to leave it as 'icmp any any'.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
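A token-bucket model of the CAR statement and of the two ACL variants debated above, as an added example that is not part of the original thread. The packet timings and sizes and the ICMP type 3 / code 4 "fragmentation needed" message are constructed, and the model assumes normal and extended burst are equal (8000/8000 as in the config above), so there is no extended-burst borrowing and conform/exceed reduces to a plain token bucket. It shows the trade-off being discussed: with 'icmp any any' a PMTUD message arriving during an Echo Reply flood is dropped along with the flood, while with 'echo-reply' it is never policed.

```python
"""Token-bucket model of 'rate-limit ... 128000 8000 8000' (constructed example)."""
from dataclasses import dataclass

@dataclass
class Packet:
    t: float          # arrival time in seconds (constructed)
    size: int         # bytes on the wire
    proto: str        # "icmp", "tcp", ...
    icmp_type: int = 0  # 0 = echo-reply, 3 = destination unreachable
    icmp_code: int = 0  # for type 3: code 4 = fragmentation needed (PMTUD)

def acl_matches(pkt, echo_reply_only):
    """'permit icmp any any' vs 'permit icmp any any echo-reply'."""
    if pkt.proto != "icmp":
        return False
    return (not echo_reply_only) or pkt.icmp_type == 0

class Car:
    """CAR with normal burst == extended burst: a single token bucket whose
    capacity is the burst in bytes, refilled at bps/8 bytes per second.
    conform-action transmit, exceed-action drop."""
    def __init__(self, bps, burst_bytes):
        self.rate = bps / 8.0          # bytes per second
        self.capacity = float(burst_bytes)
        self.tokens = float(burst_bytes)
        self.last = 0.0
    def offer(self, pkt):
        self.tokens = min(self.capacity, self.tokens + (pkt.t - self.last) * self.rate)
        self.last = pkt.t
        if pkt.size <= self.tokens:
            self.tokens -= pkt.size
            return "transmit"
        return "drop"

def police(packets, echo_reply_only):
    """Apply the ACL + CAR to time-ordered packets; unmatched traffic is not policed."""
    car = Car(128000, 8000)
    return [car.offer(p) if acl_matches(p, echo_reply_only) else "transmit"
            for p in packets]

# Constructed input: a 1000-byte Echo Reply every 1 ms (8 Mbps, smurf-like),
# then a 576-byte "fragmentation needed" message arriving mid-flood.
FLOOD = [Packet(t=i / 1000.0, size=1000, proto="icmp") for i in range(10)]
PMTUD = Packet(t=0.0095, size=576, proto="icmp", icmp_type=3, icmp_code=4)
SAMPLE = FLOOD + [PMTUD]

if __name__ == "__main__":
    print("icmp any any     :", police(SAMPLE, echo_reply_only=False))
    print("icmp any any echo-reply:", police(SAMPLE, echo_reply_only=True))
```

The bucket starts full at 8000 bytes, so the first eight flood packets conform and the rest are dropped; only the ACL choice decides whether the PMTUD message shares that fate.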