RE:

From: graham@cisco-engineer.com
Date: Sun Dec 09 2007 - 08:00:57 ART


Indeed it details a number of methods for discarding the packet,

"Classify the traffic and mark it. Use the class-map and policy-map commands
shown in method A.

Use the service-policy command to apply the policy as an inbound policy on
the input interface to mark arriving "Code Red" packets. See method A.

Create an extended IP ACL that matches on the marked "Code Red" packets.

Router(config)#access-list 106 permit ip any any dscp 1

Use the route-map command to build a routing policy.

Router(config)#route-map null_policy_route 10
Router(config-route-map)#match ip address 106
Router(config-route-map)#set interface Null0

Apply the route-map to the input interface.

Router(config)#interface serial 0/0
Router(config-if)#ip policy route-map null_policy_route"

This method marks the traffic with a custom DSCP and moves it to Null0. The
problem with this is: what if traffic were to arrive already using the same
DSCP? It would of course end up in the black hole that is a null interface.

-----------------------

The alternate method

Method C: Use Class-Based Policing
This method generally is the most scalable as it does not depend on either
PBR or output ACLs.

Classify the traffic using the class-map commands shown in method A.

Build a policy using the policy-map command and use the police command to
specify a drop action for this traffic.

Router(config)#policy-map drop-inbound-http-hacks
Router(config-pmap)#class http-hacks
Router(config-pmap-c)#police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop

Use the service-policy command to apply the policy as an inbound policy on
the input interface to drop the "Code Red" packets.

Router(config)#interface serial 0/0
Router(config-if)#service-policy input drop-inbound-http-hacks

--------

Also works a treat; however, my own general rule of thumb is: if it's not in
the DocCD, I don't use it.

So

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hqos_r/qos_m1h.htm#wp1128712

and this

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hqos_r/qos_a1h.htm#wp1120133

Give you the simplest answer, "the drop command when applied to a
policy-map"

Just don't make the mistake I did in my last session and forget to apply
nbar!

However, in my experience it's always good to know alternative methods; for
example, what if you were asked to drop the traffic without the use of the
drop command!

Equally, Cisco may have some reason why the drop command is hidden from view!
For example a bug, or it may be more CPU intensive than sending them to
Null0?

I have tested all 3 of these methods and all seem to work successfully.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Mike Stout
Sent: 07 December 2007 23:50
To: Cisco certification
Subject:

Hello
After investigating some security features I stumbled across this reference.
http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml#methoda
This implies policy maps using NBAR matches against http url are not capable
of dropping packets on the input interface?

Has this been the experience of everybody else?

Thanks
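As an added example (not part of either message in this thread, and not the text of the Cisco document they discuss), the following is a complete IOS configuration that puts together the three pieces the reply refers to but never shows end to end: the NBAR URL classification from "method A", the `drop` action in a policy-map class that the linked IOS 12.4 command references describe, and the interface-level NBAR enablement the reply mentions forgetting. Because the packets are discarded directly by the class action, no DSCP marking, ACL or route to Null0 is involved, so the DSCP-collision concern raised about method B does not arise. Assumptions: the interface name and address are constructed; the `*.ida*` pattern is the ISAPI extension Code Red requests targeted and is given here as an illustration, with a labelled placeholder for any further patterns you would actually match; the `show` commands at the end are for verification and their output is not reproduced.

```cisco
! Added example, not from the thread or from the Cisco document it quotes.
!
! Step 1: classify with NBAR. Only the suspicious URL patterns are matched,
! so ordinary HTTP is untouched. The ".ida" pattern is illustrative; the
! second line is a placeholder for whatever additional signatures you need.
class-map match-any http-hacks
 match protocol http url "*.ida*"
 match protocol http url "*PLACEHOLDER-PATTERN*"
!
! Step 2: the simplest discard method, the "drop" class action in MQC.
! Nothing is marked, policed or policy-routed, so there is no DSCP value
! that legitimate traffic could accidentally share.
policy-map drop-inbound-http-hacks
 class http-hacks
  drop
!
! Step 3: apply on the ingress interface (Serial0/0 as in the quoted
! snippets; the address is constructed). "ip nbar protocol-discovery"
! is the per-interface NBAR enablement the reply warns about forgetting,
! and it also provides per-protocol counters for verification.
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 ip nbar protocol-discovery
 service-policy input drop-inbound-http-hacks
!
! Verification (run from exec mode): the class counters under the input
! policy should show packets matched and dropped once a matching request
! arrives; the NBAR counters confirm classification is active at all.
! show policy-map interface Serial0/0 input
! show ip nbar protocol-discovery interface Serial0/0
```

If the `drop` action is unavailable on a given image, the same class-map and interface stanza can be reused with the class-based policing body quoted in the reply (`police ... conform-action drop exceed-action drop violate-action drop`) substituted for the `drop` line; the classification and verification steps stay identical.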



This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:30 ARST