Why rate limit?
It is usually a bad idea to deny ICMP traffic entirely. A middle ground between allowing all of it and denying
all of it is allowing a certain amount. Before attempting this, use some sort of SNMP monitor (MRTG or similar)
to measure how much ICMP traffic crosses your border/edge routers over a few days.
The point is not to disrupt services in any way; under most conditions users should not even be aware
that ICMP is being rate limited. At least, that should be the goal.
Both business users and ISPs will be targeted from time to time, so it is a good idea for both parties
to know how to deal with the issue and apply rules quickly to combat the problem. This is not a manual on
rate limiting; it gives one good, practical example which can be built on and adjusted to your own needs.
CAR is a feature of Cisco Express Forwarding found in all IOS versions above 12.0. It also takes less processing
time because it is checked at the interface before any intensive packet processing, so in many cases
it can save CPU time compared with adding a deny-all ICMP rule on your border/edge router.
! traffic we want to limit
access-list 102 permit icmp any any echo
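The text above defines access-list 102 but never shows the interface command that applies it. The following is an added example (not from the original text) of the complete CAR configuration for ICMP echo, with a verification step. The 256000 bps rate and the 8000-byte burst sizes are placeholder values: choose them from the SNMP/MRTG baseline gathered beforehand. The interface name is reused from the TCP SYN example later on this page, and `ip cef` is included because CAR depends on Cisco Express Forwarding being enabled.

```cisco
! Added example, not part of the original text.
! CAR requires CEF, so make sure it is turned on globally first.
ip cef
!
! Traffic we want to limit (same ACL as in the text)
access-list 102 permit icmp any any echo
!
! Apply the limit inbound on the border interface. Values are placeholders:
!   256000 bps rate, 8000-byte normal burst, 8000-byte extended burst.
! The rate must be a multiple of 8000 bps; set it from your measured baseline.
interface Serial3/0/0
 rate-limit input access-group 102 256000 8000 8000 conform-action transmit exceed-action drop
!
! Verify the policy is attached and watch the conformed/exceeded counters
! over time. A steadily rising "exceeded" count under normal traffic means
! the rate is set too low and legitimate users are being affected.
show interfaces Serial3/0/0 rate-limit
show access-lists 102
```

The `show interfaces ... rate-limit` counters are the practical check the opening paragraph asks for: compare them against the pre-measured baseline before and after the change, and raise the rate if ordinary traffic is being dropped.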
Attackers have started using very high streams of TCP SYN packets in order to harm systems. This example limits TCP SYN packets directed at host 10.0.0.1 to about 8 kbps:
! We don’t want to limit established TCP sessions — non-SYN packets
access-list 103 deny tcp any host 10.0.0.1 established
! We do want to limit the rest of TCP (this really only includes SYNs)
access-list 103 permit tcp any host 10.0.0.1
! interface configurations for network borders
interface Serial3/0/0
rate-limit input access-group 103 8000 8000 8000 conform-action transmit exceed-action drop
Committed Access Rate (CAR)
Configuring Committed Access Rate