IPS Signature Rate-Limit Action

One feature which receives only a passing mention in the Cisco IPS 6.0 training class is IPS Rate-Limiting. Often mentioned in the same context as blocking, this signature action is likewise implemented in conjunction with an upstream device, in this case a Cisco IOS router.

This article covers both how to configure the IPS sensor to trigger the rate-limiting action and how to prepare the router to perform that action. The screenshot below depicts the area within IPS Device Manager (IDM) where Rate Limiting is configured; note that it is done underneath the Blocking section and does not have its own dedicated configuration subarea within IDM. Telnet was chosen as the communication mechanism (rather than the best practice of SSH) so that we could investigate what the sensor deployed to the router by capturing the session with a switch SPAN port and Wireshark.

The NoAAA login profile uses only the line password for the sensor's telnet session to the router, and additional steps were taken to specify the FastEthernet0/0 interface as the one to which the rate limit would be applied. Once IDM has been used to provide the router access and interface information to the sensor, and the Apply button has been clicked, the following exchange with the router takes place:

User Access Verification
Password: cisco
PERIM> enable
Password: san-fran
PERIM#term len 0
PERIM# show version
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(9)T3, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 23-Mar-07 18:35 by prod_rel_team
<output omitted>
PERIM#show running
Building configuration...
Current configuration : 1314 bytes
!
! Last configuration change at 01:46:00 UTC Wed Jan 27 2010 by admin
!
<output omitted>
!
interface FastEthernet0/0
ip address 100.100.1.2 255.255.255.252
duplex full
speed 100
<output omitted>

As the capture above shows, the sensor checks the 200.200.1.1 device to confirm that it is an IOS router and that a FastEthernet0/0 interface exists. Next, the sensor attempts to configure a test service-policy to see whether the IOS image supports this feature:

PERIM#conf term
Enter configuration commands, one per line. End with CNTL/Z.
PERIM(config)#policy-map IDS_TEST_POLICY_MAP_0
PERIM(config-pmap)#exit
PERIM(config)#interface fa0/0
PERIM(config-if)#service-policy in IDS_TEST_POLICY_MAP_0
PERIM(config-if)#exit
PERIM(config)#exit
PERIM#sh run | include IDS_TEST_POLICY_MAP
policy-map IDS_TEST_POLICY_MAP_0
service-policy input IDS_TEST_POLICY_MAP_0

Once the sensor has verified that the router supports service policies, the test policy is removed:

PERIM#conf t
Enter configuration commands, one per line. End with CNTL/Z.
PERIM(config)#interface fa0/0
PERIM(config-if)#no service-policy in IDS_TEST_POLICY_MAP_0
PERIM(config-if)#exit
PERIM(config)#no policy-map  IDS_TEST_POLICY_MAP_0
PERIM(config)#exit

To test the actual implementation of the rate limit, the next screenshot shows IPS Device Manager being used to configure a 20% rate limit as the action for an ICMP flood, Signature 2152:

With this configured and the flood simulated, the sensor pushed the following router configuration, which activated the rate limit:

PERIM#conf term
Enter configuration commands, one per line. End with CNTL/Z.
PERIM(config)#ip access-list ext IDS_RL_ACL_icmp-xxBx-8-20_1
PERIM(config-ext-nacl)#permit icmp any host 172.16.1.15 echo
PERIM(config-ext-nacl)#exit
PERIM(config)#class-map match-any IDS_RL_CLASS_MAP_icmp-xxBx-8-20_1
PERIM(config-cmap)#match access-group name IDS_RL_ACL_icmp-xxBx-8-20_1
PERIM(config-cmap)#exit
PERIM(config)#policy-map IDS_RL_POLICY_MAP_1
PERIM(config-pmap)#class IDS_RL_CLASS_MAP_icmp-xxBx-8-20_1
PERIM(config-pmap-c)#police cir percent 20
PERIM(config-pmap-c-police)#exit
PERIM(config-pmap-c)#exit
PERIM(config-pmap)#interface fa0/0
PERIM(config-if)#service-policy in IDS_RL_POLICY_MAP_1

As seen above, the sensor applies a class map whose name indicates that this was implemented by a sensor (IDS), using rate limiting (RL), for icmp echo traffic (icmp 8) directed at the same target (xxBx), which according to the access-list is 172.16.1.15. In addition, the 20% limit appears in both the class-map name and the police command.

The reference document below explains that this limits the flow to 20% of the maximum available bandwidth of the interface.
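Because the sensor's changes to the router exist only in the running configuration, a defender auditing that router wants to know which sensor-pushed limits are currently active and what they constrain. The Python script below is an added example (not from the article or from Cisco) that parses a constructed running-config excerpt, assembled from the commands captured above, and reports each IDS_RL_ policy with its protocol, target, percentage and interface.

```python
# Constructed sample: what `show running-config` contains after the sensor
# pushed the rate limit shown in the article (names taken from the capture).
SAMPLE_RUNNING_CONFIG = """\
ip access-list extended IDS_RL_ACL_icmp-xxBx-8-20_1
 permit icmp any host 172.16.1.15 echo
!
class-map match-any IDS_RL_CLASS_MAP_icmp-xxBx-8-20_1
 match access-group name IDS_RL_ACL_icmp-xxBx-8-20_1
!
policy-map IDS_RL_POLICY_MAP_1
 class IDS_RL_CLASS_MAP_icmp-xxBx-8-20_1
  police cir percent 20
!
interface FastEthernet0/0
 ip address 100.100.1.2 255.255.255.252
 service-policy input IDS_RL_POLICY_MAP_1
!
"""

def parse_sensor_rate_limits(config):
    """Return one record per sensor-installed (IDS_RL_) policy-map in an IOS config."""
    acls, cmaps, pmaps, ifaces = {}, {}, {}, {}
    section, current_class = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):        # unindented line opens a new block
            section = line.split()
            continue
        words = line.split()
        head = section[0] if section else ""
        if head == "ip" and section[1:3] == ["access-list", "extended"] and words[0] == "permit":
            # ACL entry: protocol and destination host the limit is scoped to
            target = words[4] if words[3] == "host" else words[3]
            acls[section[3]] = {"proto": words[1], "target": target}
        elif head == "class-map" and words[:2] == ["match", "access-group"]:
            cmaps[section[2]] = words[-1]    # class-map name -> ACL name
        elif head == "policy-map" and words[0] == "class":
            current_class = words[1]
            pmaps.setdefault(section[1], {})[current_class] = None
        elif head == "policy-map" and words[:3] == ["police", "cir", "percent"]:
            pmaps[section[1]][current_class] = int(words[3])
        elif head == "interface" and words[:2] == ["service-policy", "input"]:
            ifaces[words[2]] = section[1]    # policy-map name -> interface
    results = []
    for pmap, classes in pmaps.items():
        if not pmap.startswith("IDS_RL_"):   # only sensor-pushed policies
            continue
        for cmap, pct in classes.items():
            acl = acls.get(cmaps.get(cmap), {})
            results.append({"policy_map": pmap, "interface": ifaces.get(pmap),
                            "proto": acl.get("proto"), "target": acl.get("target"),
                            "percent": pct})
    return results
```

Running it against a real `show running-config` capture lets you confirm that a limit the sensor reports as applied is actually present on the expected interface, and that no stale IDS_RL_ policies remain after the sensor should have removed them.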

Author: Doug McKillip

References

  • Cisco IOS Quality of Service Solutions Command Reference, Release 12.2T