From: Radoslav Vasilev (deckland@gmail.com)
Date: Tue Aug 22 2006 - 13:16:51 ART
Victor,
I agree with you - the established keyword matches segments with SYN/RST
flags set, the ACL being incorrect therefore.
Going back to the original task, maybe the following:
permit tcp any any syn
would be a better ACL entry if we don't want to rate-limit TCP reset
segments as well, as we would do otherwise with the established keyword.
Rado
On 8/22/06, Victor Cappuccio <cvictor@protokolgroup.com> wrote:
>
> Hi Guys,
>
> Reading today at this link:
>
>
> http://www.cisco.com/warp/public/63/car_rate_limit_icmp.html#rate_limit_tcp_syn
>
>
>
> I found that maybe the access-list 103 is inversed :S
>
> Or Just I wake up with dyslexia this morning.
>
> With this configuration
>
> access-list 103 deny tcp any host 10.0.0.1 established
> !--- Let established sessions run fine
> access-list 103 permit tcp any host 10.0.0.1
> !--- We are just going to rate limit the initial tcp SYN packet,
> !--- as the other packets in the TCP session would have hit the prior entry in the ACL
> interface <interface> <interface #>
> rate-limit input access-group 103 8000 8000 8000 conform-action transmit exceed-action drop
>
>
>
> We are going only to rate-limit TCP Traffic if I'm not wrong
>
> I think that the ACL should be only
>
> access-list 103 permit tcp any host 10.0.0.1 established
>
>
>
> Opinions are welcome
>
> Thanks
>
> Victor.-
>
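As an added illustration for this thread (it is not part of the original messages and is not Cisco code), the following Python model shows which inbound segments each of the three ACLs discussed above would hand to CAR for metering. It assumes the IOS semantics that `established` matches a TCP segment with the ACK or RST bit set, that `syn` matches a segment with the SYN bit set, and that the first matching entry wins with an implicit deny at the end; the sample segments and the 192.0.2.10 source address are constructed.

```python
"""Model of how an IOS extended ACL selects TCP segments for CAR metering.

Constructed illustration, not Cisco code. Assumed IOS semantics:
  established -> matches a TCP segment with the ACK or RST bit set
  syn         -> matches a TCP segment with the SYN bit set
  first matching entry wins; an implicit deny ends every ACL
`rate-limit input access-group N` meters only the packets ACL N permits.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

HOST = "10.0.0.1"  # the protected host from the quoted configuration


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "RST", "FIN", "PSH"}


@dataclass(frozen=True)
class AclEntry:
    action: str                         # "permit" or "deny"
    src: str                            # "any" or a host address
    dst: str
    flag_keyword: Optional[str] = None  # None, "established" or "syn"


def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or pattern == addr


def _flag_match(keyword: Optional[str], flags: FrozenSet[str]) -> bool:
    if keyword is None:
        return True
    if keyword == "established":
        return bool(flags & {"ACK", "RST"})
    if keyword == "syn":
        return "SYN" in flags
    raise ValueError(f"unsupported keyword {keyword!r}")


def acl_permits(acl: List[AclEntry], seg: Segment) -> bool:
    """Evaluate the ACL top-down; unmatched traffic hits the implicit deny."""
    for entry in acl:
        if (_addr_match(entry.src, seg.src) and _addr_match(entry.dst, seg.dst)
                and _flag_match(entry.flag_keyword, seg.flags)):
            return entry.action == "permit"
    return False


def rate_limited(acl: List[AclEntry], segments: List[Segment]) -> List[Segment]:
    """Segments CAR would count against the token bucket for this access-group."""
    return [s for s in segments if acl_permits(acl, s)]


# The three ACLs discussed in the thread.
CISCO_DOC_ACL = [AclEntry("deny", "any", HOST, "established"),
                 AclEntry("permit", "any", HOST)]
VICTOR_ACL = [AclEntry("permit", "any", HOST, "established")]
RADO_ACL = [AclEntry("permit", "any", "any", "syn")]

# Constructed inbound traffic towards 10.0.0.1 (source is documentation address space).
SAMPLE = [
    Segment("192.0.2.10", HOST, frozenset({"SYN"})),         # new connection attempt
    Segment("192.0.2.10", HOST, frozenset({"ACK", "PSH"})),  # data on an open session
    Segment("192.0.2.10", HOST, frozenset({"RST"})),         # reset
    Segment("192.0.2.10", HOST, frozenset({"SYN", "ACK"})),  # reply to a connection 10.0.0.1 opened
    Segment("192.0.2.10", HOST, frozenset()),                # no flags at all (malformed)
]


def metered_flags(acl: List[AclEntry]) -> List[str]:
    """Flag sets of the sample segments that the given ACL hands to CAR."""
    return ["+".join(sorted(s.flags)) or "none" for s in rate_limited(acl, SAMPLE)]


if __name__ == "__main__":
    for name, acl in [("Cisco doc ACL 103", CISCO_DOC_ACL),
                      ("permit ... established only", VICTOR_ACL),
                      ("permit tcp any any syn", RADO_ACL)]:
        print(f"{name:30s} meters: {metered_flags(acl)}")
```

Under these semantics the two-line ACL from the Cisco page meters the bare SYN and the flagless segment and leaves ACK, RST and SYN-ACK traffic alone, so the deny-then-permit order is doing exactly what the comment says; a lone `permit ... established` entry meters the opposite set; and `permit tcp any any syn` meters SYN and SYN-ACK but neither resets nor flagless segments. On a real router the same comparison can be made from the per-entry hit counters in `show access-lists 103` while generating known test traffic.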
This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:58 ART