Re: Rate Limiting for TCP Syn Packets

From: Ivan (ivan@iip.net)
Date: Tue Aug 22 2006 - 13:41:46 ART

• Next message: Brad Ellis: "Re: CCIE Voice Lab PSTN Simulator [bcc][faked-from] [mx]"
• Previous message: Victor Cappuccio: "RE: Rate Limiting for TCP Syn Packets"
• Maybe in reply to: Victor Cappuccio: "Rate Limiting for TCP Syn Packets"
• Next in thread: Paul Dardinski: "RE: Rate Limiting for TCP Syn Packets"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Are you sure that "established" match SYN and RST ? I think that it match ACK
and RST. Therefore first line in access list permit full-rate TCP-session
wich have ACK or RST bits set.
Second line match only first TCP-session packet (SYN). Result to limiting
quantity session established to destination host.

Briefly, think that this list limit quantity session, but speed (down/up)load.

> Victor,
>
> I agree with you - the established keyword matches segments with SYN/RST
> flags set, the ACL being incorrect therefore.
> Going back to the original task, maybe the following :
>
> permit tcp any any syn
>
> would be a beter acl entry if we don't want to rate-limit TCP resets
> segments as well, as we would do otherwise with the established keyword.
>
> Rado
>
> On 8/22/06, Victor Cappuccio <cvictor@protokolgroup.com> wrote:
> > Hi Guys,
> >
> > Reading today at this link:
> >
> >
> > http://www.cisco.com/warp/public/63/car_rate_limit_icmp.html#rate_limit_t
> >cp_ syn
> >
> >
> >
> > I found that maybe the access-list 103 is inversed :S
> >
> > Or Just I wake up with dyslexia this morning.
> >
> > With this configuration
> >
> > access-list 103 deny tcp any host 10.0.0.1 established
> > !--- Let established sessions run fine
> > access-list 103 permit tcp any host 10.0.0.1
> > !--- We are just going to rate limit the initial tcp SYN packet,
> > !-- as the other packets in the TCP session would have hit the prior
> > entry in the ACL
> > interface <interface> <interface #>
> > rate-limit input access-group 103 8000 8000 8000 conform-action transmit
> > exceed-action drop
> >
> >
> >
> > We are going only to rate-limit TCP Traffic if I'm not wrong
> >
> > I think that the ACL should be only
> >
> > access-list 103 permit tcp any host 10.0.0.1 established
> >
> >
> >
> > Opinions are welcome
> >
> > Thanks
> >
> > Victor.-
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
Ivan

• Next message: Brad Ellis: "Re: CCIE Voice Lab PSTN Simulator [bcc][faked-from] [mx]"
• Previous message: Victor Cappuccio: "RE: Rate Limiting for TCP Syn Packets"
• Maybe in reply to: Victor Cappuccio: "Rate Limiting for TCP Syn Packets"
• Next in thread: Paul Dardinski: "RE: Rate Limiting for TCP Syn Packets"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:58 ART