Basic Cisco Intro: Ethernet


Why rate limit?
Well it is often a very bad idea to totally deny ICMP traffic, an inbetween from allowing all and denying all is allowing a certain amount, it is suggested you use some sort of snmp monitor (mrtg et al) to find out how much ICMP traffic flows across your border/edge routers for a few days before you attempt to do this. The point is not to disrupt services in any way, and under most conditions most users should not be aware of ICMP being rated limited, at least this should be the goal.
Both business users and ISP’s will be targeted from time to time, it is a good idea for both parties involved to know how to deal with the issue and apply quick rules to combat the problem. This is not a manual on rate limiting, it gives one good and practical example which can be built on and adjusted to your own needs. CAR is a feature of Cisco Express Forwarding found in all IOS versions about 12.0. It also takes less processing time because it is checked at the interface before any intensive packet processing, so in many cases it could save cpu time rather than adding a deny all ICMP on your border/edge router.

Example 1

A provider has filtered its IRC server from receiving ICMP echo-reply packets in order to protect it. Now many attackers are going after the customer’s devices in order to fill some network segments. The provider above chose to use CAR in order to limit all ICMP echo and echo-reply traffic received at the borders to 256 Kbps. An example follows:

! traffic we want to limit
access-list 102 permit icmp any any echo

Example 2

attackers have started using very high streams of TCP SYN packets in order to harm systems. This example limits TCP SYN packets directed at host to 8 kbps or so:

! We don’t want to limit established TCP sessions — non-SYN packets
access-list 103 deny tcp any host established
! We do want to limit the rest of TCP (this really only includes SYNs)
access-list 103 permit tcp any host
! interface configurations for network borders
interface Serial3/0/0
rate-limit input access-group 103 8000 8000 8000 conform-action transmit exceed-action drop

More Information:

Committed Access Rate (CAR)
Configuring Committed Access Rate