One feature which receives just a mere mention, but nothing else, in the Cisco IPS 6.0 training class is IPS Rate-Limiting. Often mentioned within the same context as blocking, this signature action is also implemented in conjunction with an upstream device, in this case the Cisco IOS Router.
This article will focus on both how to configure the IPS sensor to trigger the rate limiting action as well as prepare the router to perform that action. The screenshot below depicts the area within IPS Device Manager (IDM) where Rate Limiting is configured; note that it is done underneath the Blocking section and does not have its own dedicated configuration subarea within IDM. Telnet was chosen as the communication mechanism (vs. a best practice of using SSH) so that we could investigate what the sensor deployed to the router by capturing the communication with a switch SPAN port and Wireshark.
The NoAAA login profile uses only the line password for the sensor telnet to the router, and additional steps were undertaken to specify the fastethernet0/0 interface as the one to which the rate limit would be applied. Once IDM has been used to provide router access and interface information to the sensor, and the Apply button had been clicked, the resulting dialog occurs:
User Access Verification Password: cisco
PERIM> enable Password: san-fran
PERIM#term len 0 PERIM# show version
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(9)T3, RELEASE SOFTWARE (fc3) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2007 by Cisco Systems, Inc. Compiled Fri 23-Mar-07 18:35 by prod_rel_team ……….<output omitted>…….
Current configuration : 1314 bytes ! ! Last configuration change at 01:46:00 UTC Wed Jan 27 2010 by admin ! ……….<output omitted>……. ! interface FastEthernet0/0 ip address 100.100.1.2 255.255.255.252 duplex full speed 100 ……….<output omitted>…….
As the above script shows, the sensor is checking the 188.8.131.52 device to see if it is an IOS router and that a FastEthernet0/0 interface exists. Next, the sensor attempts to configure a test service-policy to see if the IOS supports this feature:
Enter configuration commands, one per line. End with CNTL/Z. PERIM(config)#policy-map IDS_TEST_POLICY_MAP_0 PERIM(config-pmap)#exit PERIM(config)#interface fa0/0 PERIM(config-if)#service-policy in IDS_TEST_POLICY_MAP_0 PERIM(config-if)#exit PERIM(config)#exit
PERIM#sh run | include IDS_TEST_POLICY_MAP policy-map IDS_TEST_POLICY_MAP_0 service-policy input IDS_TEST_POLICY_MAP_0
Now that the sensor verifies that the router supports the service policy, it is removed:
Enter configuration commands, one per line. End with CNTL/Z. PERIM(config)#interface fa0/0 PERIM(config-if)#no service-policy in IDS_TEST_POLICY_MAP_0 PERIM(config-if)#exit PERIM(config)#no policy-map IDS_TEST_POLICY_MAP_0 PERIM(config)#exit
To test the actual implementation of the rate limit, the next screenshot shows IPS Device Manager being used to set a limit of 20% flow for the triggering of an ICMP flood, Signature 2152:
When this was configured and the flood was simulated, the following router configuration script ensued which activated the rate limit:
Enter configuration commands, one per line. End with CNTL/Z.
PERIM(config)#ip access-list ext IDS_RL_ACL_icmp-xxBx-8-20_1 PERIM(config-ext-nacl)#permit icmp any host 172.16.1.15 echo PERIM(config-ext-nacl)#exit PERIM(config)#class-map match-any IDS_RL_CLASS_MAP_icmp-xxBx-8-20_1 PERIM(config-cmap)#match access-group name IDS_RL_ACL_icmp-xxBx-8-20_1 PERIM(config-cmap)#exit
PERIM(config)#policy-map IDS_RL_POLICY_MAP_1 PERIM(config-pmap)#class IDS_RL_CLASS_MAP_icmp-xxBx-8-20_1 PERIM(config-pmap-c)#police cir percent 20 PERIM(config-pmap-c-police)#exit PERIM(config-pmap-c)#exit PERIM(config-pmap)#interface fa0/0 PERIM(config-if)#service-policy in IDS_RL_POLICY_MAP_1
As seen above, the sensor applies a class map with a name which indicates that this was implemented using a sensor (IDS), using rate limiting (RL) for icmp echo traffic (icmp 8) directed at the same target (xxBx), which, according to the access-list is 172.16.1.15. In addition, the 20% limit is seen in both the class-map label as well as the police command.
The reference document below explains that this limits the flow to 20% of the maximum available bandwidth of the interface.
Author: Doug McKillip
- Cisco IOS Quality of Service Solutions Command Reference, Release 12.2T