RE: Rate Limiting for TCP Syn Packets

From: Paul Dardinski (pauld@marshallcomm.com)
Date: Tue Aug 22 2006 - 14:14:51 ART


Agreed. I understand that matching on the established keyword will match all
non-SYN packets (ACK/RST). The original ACL looks correct to me:

access-list 103 deny tcp any host 10.0.0.1 established
access-list 103 permit tcp any host 10.0.0.1

Generally this used to be the way to match on SYN, as non-SYN packets
drop out of the ACL, leaving a match just on SYN. As you can also match
SYN-set packets with a keyword in the ACL, it is not really needed so much
for that function.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Ivan
Sent: Tuesday, August 22, 2006 12:42 PM
To: ccielab@groupstudy.com; Radoslav Vasilev
Cc: Victor Cappuccio
Subject: Re: Rate Limiting for TCP Syn Packets

Are you sure that "established" matches SYN and RST? I think that it
matches ACK and RST. Therefore the first line in the access list permits
full-rate TCP sessions which have the ACK or RST bit set.
The second line matches only the first packet of a TCP session (SYN). The
result is limiting the quantity of sessions established to the destination
host.

Briefly, I think that this list limits the quantity of sessions, not the
(down/up)load speed.

> Victor,
>
> I agree with you - the established keyword matches segments with SYN/RST
> flags set, the ACL therefore being incorrect.
> Going back to the original task, maybe the following :
>
> permit tcp any any syn
>
> would be a better ACL entry if we don't want to rate-limit TCP reset
> segments as well, as we would do otherwise with the established keyword.
>
> Rado
>
> On 8/22/06, Victor Cappuccio <cvictor@protokolgroup.com> wrote:
> > Hi Guys,
> >
> > Reading today at this link:
> >
> > http://www.cisco.com/warp/public/63/car_rate_limit_icmp.html#rate_limit_tcp_syn
> >
> >
> >
> > I found that maybe the access-list 103 is inverted :S
> >
> > Or Just I wake up with dyslexia this morning.
> >
> > With this configuration
> >
> > access-list 103 deny tcp any host 10.0.0.1 established
> > !--- Let established sessions run fine
> > access-list 103 permit tcp any host 10.0.0.1
> > !--- We are just going to rate limit the initial TCP SYN packet,
> > !--- as the other packets in the TCP session would have hit the prior
> > !--- entry in the ACL
> > interface <interface> <interface #>
> > rate-limit input access-group 103 8000 8000 8000 conform-action transmit exceed-action drop
> >
> >
> >
> > We are only going to rate-limit TCP traffic, if I'm not wrong
> >
> > I think that the ACL should be only
> >
> > access-list 103 permit tcp any host 10.0.0.1 established
> >
> >
> >
> > Opinions are welcome
> >
> > Thanks
> >
> > Victor.-
> >
> >
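As an added illustration that is not part of this thread or of the Cisco document (the sample flag sets, the ACL names and the 60-byte SYN size are assumptions made here): a small Python model of which TCP segments each of the three ACLs discussed above selects, and therefore which segments a CAR "rate-limit input access-group 103 ..." statement would police. It encodes the IOS semantics the thread is arguing about, namely that `established` matches a segment with ACK or RST set and `syn` matches any segment with SYN set.

```python
# Added example (not from the thread or from Cisco): model which TCP segments
# an IOS ACL using the `established` / `syn` keywords selects, and so which
# segments "rate-limit input access-group 103 ..." would police.
# Assumptions: `established` matches ACK or RST set; `syn` matches SYN set;
# a segment hitting a permit entry is policed, a deny entry or no match is not.

ACK, RST, SYN, FIN, PSH = "ACK", "RST", "SYN", "FIN", "PSH"

# Each ACL is an ordered list of (action, tcp_flag_keyword) entries with
# first-match semantics and the usual implicit deny at the end. Addresses are
# left out: the thread's ACLs use "any host 10.0.0.1" or "any any", so only
# the flag keyword decides the match for traffic towards 10.0.0.1.
ORIGINAL_ACL = [("deny", "established"), ("permit", None)]  # Cisco document
VICTOR_ACL = [("permit", "established")]                    # proposed inversion
RADO_ACL = [("permit", "syn")]                               # "permit tcp any any syn"

# Constructed sample traffic towards 10.0.0.1: (name, TCP flags set).
SAMPLE_PACKETS = [
    ("SYN", {SYN}),
    ("SYN-ACK", {SYN, ACK}),  # only seen inbound if 10.0.0.1 opened the session
    ("ACK", {ACK}),
    ("data", {ACK, PSH}),
    ("FIN-ACK", {FIN, ACK}),
    ("RST", {RST}),
]


def keyword_matches(keyword, flags):
    """Evaluate the TCP-flag keyword of one ACL entry against a flag set."""
    if keyword is None:
        return True                          # plain "tcp": any segment
    if keyword == "established":
        return ACK in flags or RST in flags  # IOS: ACK or RST bit set
    if keyword == "syn":
        return SYN in flags                  # SYN bit set (SYN-ACK included)
    raise ValueError(f"unsupported keyword {keyword!r}")


def acl_action(acl, flags):
    """Return 'permit' or 'deny' for a segment; unmatched traffic is denied."""
    for action, keyword in acl:
        if keyword_matches(keyword, flags):
            return action
    return "deny"


def policed(acl, packets):
    """Names of the sample segments the rate-limit statement would police."""
    return [name for name, flags in packets if acl_action(acl, flags) == "permit"]


def syn_per_second(rate_bps, syn_bytes=60):
    """Rough sustained new-session rate a CAR rate of rate_bps allows when
    only SYNs are policed; 60-byte SYN is an assumed figure, bursts ignored."""
    return rate_bps / (8 * syn_bytes)


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("victor", VICTOR_ACL), ("rado", RADO_ACL)):
        print(f"{label:8s} polices: {policed(acl, SAMPLE_PACKETS)}")
    print(f"8000 bps on SYNs ~ {syn_per_second(8000):.1f} new sessions/s")
```

Run stand-alone, the model polices only the bare SYN under the ACL from the Cisco document, polices everything except the bare SYN under the single "permit ... established" entry, and polices both SYN and SYN-ACK under "permit tcp any any syn". The last helper puts a number on the point that limiting SYNs limits session setup rate rather than throughput: 8000 bps spent on 60-byte SYNs is roughly 17 new sessions per second.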



This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:58 ART