Velocity Reviews

Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   Cisco (http://www.velocityreviews.com/forums/f27-cisco.html)
-   -   6500 and DOS (http://www.velocityreviews.com/forums/t365201-6500-and-dos.html)

Gary 08-18-2006 05:50 PM

6500 and DOS
 
I need to find a way to analyse DoS attacks and see where traffic is coming
from and going to, or vice versa. We run Cat 6500's, so I need something that
will not kill the CPU of the machine, which may already be stressed.

Does the 6500 provide any mechanisms for this?

Thanks
Gary



Merv 08-18-2006 05:57 PM

Re: 6500 and DOS
 

Gary wrote:
> I need to find a way to analyse DoS attacks and see where traffic is coming
> from and going to, or vice versa. We run Cat 6500's, so I need something that
> will not kill the CPU of the machine, which may already be stressed.
>
> Does the 6500 provide any mechanisms for this?



Start with Cisco doc

Protecting the Cisco Catalyst 6500 Series Switches Against
Denial-Of-Service Attacks

http://www.cisco.com/en/US/products/...802ca5d6.shtml


One of the first things I would suggest is that the 6500's be migrated
to native IOS mode.


Gary 08-18-2006 06:57 PM

Re: 6500 and DOS
 

"Merv" <merv.hrabi@rogers.com> wrote in message
news:1155923820.984441.310340@m79g2000cwm.googlegroups.com...
>
> Gary wrote:
>> I need to find a way to analyse DoS attacks and see where traffic is
>> coming
>> from and going to, or vice versa. We run Cat 6500's, so I need something
>> that
>> will not kill the CPU of the machine, which may already be stressed.
>>
>> Does the 6500 provide any mechanisms for this?

>
>
> Start with Cisco doc
>
> Protecting the Cisco Catalyst 6500 Series Switches Against
> Denial-Of-Service Attacks
>
> http://www.cisco.com/en/US/products/...802ca5d6.shtml
>
>
> One of the first things I would suggest is that the 6500's be migrated
> to native IOS mode.
>


Just need something to show IP being targetted inbound or outbound and by
whom?

Gary



Merv 08-19-2006 03:52 PM

Re: 6500 and DOS
 
Depending on the volume of traffic, one thing that can be done is to use
the SPAN feature to set up a monitoring port for the interface(s) over
which the 6500 receives Internet traffic.

Connect a PC with Ethereal installed and run a capture. Then use the
analysis report that shows connection endpoints.

You could also look at enabling NETFLOW accounting, which will show
source and destination IP addresses and port numbers.


Gary 08-20-2006 02:16 AM

Re: 6500 and DOS
 
NETFLOW sounds good. Is it a big overhead, and how do I enable it?

Gary
"Merv" <merv.hrabi@rogers.com> wrote in message
news:1156002754.023180.318950@m73g2000cwd.googlegroups.com...
> Depending on the volume of traffic, one thing that can be done is to use
> the SPAN feature to set up a monitoring port for the interface(s) over
> which the 6500 receives Internet traffic.
>
> Connect a PC with Ethereal installed and run a capture. Then use the
> analysis report that shows connection endpoints.
>
> You could also look at enabling NETFLOW accounting, which will show
> source and destination IP addresses and port numbers.
>




Merv 08-20-2006 09:38 AM

Re: 6500 and DOS
 


> NETFLOW sounds good. Is it a big overhead, and how do I enable it?



Start with
http://www.cisco.com/en/US/products/...pers_list.html

I believe NETFLOW now supports sampling, so you can control how much
data it collects and thus control the associated overhead (probably
requires a PFC).


Please post show version and show module for the 6500 switch facing the
Internet.


Gary 08-20-2006 11:59 AM

Re: 6500 and DOS
 

"Merv" <merv.hrabi@rogers.com> wrote in message
news:1156066691.181008.43260@b28g2000cwb.googlegroups.com...
>
>
>> NETFLOW sounds good. Is it a big overhead, and how do I enable it?

>
>
> Start with
> http://www.cisco.com/en/US/products/...pers_list.html
>
> I believe NETFLOW now supports sampling, so you can control how much
> data it collects and thus control the associated overhead (probably
> requires a PFC).
>
>
> Please post show version and show module for the 6500 switch facing the
> Internet.
>


It has a Supervisor Engine 720 (Active) WS-SUP720-3BXL,
WS-F6K-PFC3BXL, MSFC3 Daughterboard

If you let me have the commands I can test - TIA
Gary



Merv 08-20-2006 12:36 PM

Re: 6500 and DOS
 

> It has a Supervisor Engine 720 (Active) WS-SUP720-3BXL,
> WS-F6K-PFC3BXL, MSFC3 Daughterboard


Excellent!!!

What IOS version???


Merv 08-20-2006 12:57 PM

Re: 6500 and DOS
 

Hopefully this will get you started

! Configure NetFlow on 6500

! 1. enable NetFlow on PFC

mls netflow


! 2. config the type flow mask to be used by NetFlow

mls flow ip full


! 3. display NetFlow flowmask configured

sh mls netflow flowmask

current ip flowmask for unicast: full
current ipv6 flowmask for unicast: null


! 4. check NetFlow cache aging timers

show mls netflow aging

             enable  timeout  packet threshold
             ------  -------  ----------------
normal aging true    300      N/A
fast aging   false   32       100
long aging   true    1920     N/A



! 5. display NetFlow accounting information for traffic switched by PFC


sh mls netflow ip any

Displaying Netflow entries in Supervisor Earl
DstIP           SrcIP           Prot:SrcPort:DstPort  Src i/f         :AdjPtr
-----------------------------------------------------------------------------
Pkts         Bytes         Age   LastSeen  Attributes
---------------------------------------------------
5.38.7.11       223.255.254.254 tcp :45736 :telnet                    :0x0
0            0             314   08:54:44  L3 - Dynamic
5.38.7.11       5.38.0.2        udp :ntp   :ntp                       :0x0
0            0             527   08:54:29  L3 - Dynamic
0.0.0.0         0.0.0.0         0   :0     :0                         :0x0
1238         58508         1817  08:54:34  L3 - Dynam





For configuration of NetFlow sampling see :



http://www.cisco.com/en/US/products/...080160a2b.html
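The `sh mls netflow ip any` output above is the raw material for answering the original question (which IP is being targeted, and by whom), but reading it by eye during an attack does not scale. The script below is an added example, not part of the thread: it parses the two-line-per-entry layout shown in Merv's post and aggregates packets and bytes per destination and per source, along with how many distinct peers each one talks to (many sources converging on one destination is the shape of a flood). The sample text is constructed for the example; the first two entries mirror the post, the rest use RFC 5737 documentation addresses. Skipping the all-zero entry as a catch-all, and ignoring the trailing interface/adjacency columns, are this example's own assumptions.

```python
"""Summarise Catalyst 6500 `show mls netflow ip any` output: which destinations
are being hit hardest, and by which sources. Added example, not from the thread."""
import re
from collections import Counter

# Constructed sample in the layout of the post's output (not captured from a real
# switch). First two entries mirror the thread; the rest are made-up flows using
# RFC 5737 ranges, shaped like several sources hammering one host's port 80.
SAMPLE = """\
Displaying Netflow entries in Supervisor Earl
DstIP           SrcIP           Prot:SrcPort:DstPort  Src i/f         :AdjPtr
-----------------------------------------------------------------------------
Pkts         Bytes         Age   LastSeen  Attributes
---------------------------------------------------
5.38.7.11       223.255.254.254 tcp :45736 :telnet                    :0x0
0            0             314   08:54:44  L3 - Dynamic
5.38.7.11       5.38.0.2        udp :ntp   :ntp                       :0x0
0            0             527   08:54:29  L3 - Dynamic
192.0.2.10      198.51.100.7    tcp :1024  :www                       :0x0
48000        2880000       12    08:55:01  L3 - Dynamic
192.0.2.10      198.51.100.8    tcp :1025  :www                       :0x0
51000        3060000       11    08:55:02  L3 - Dynamic
192.0.2.10      203.0.113.9     tcp :4000  :www                       :0x0
47000        2820000       10    08:55:02  L3 - Dynamic
192.0.2.20      198.51.100.7    udp :domain :domain                   :0x0
120          9600          400   08:50:10  L3 - Dynamic
0.0.0.0         0.0.0.0         0   :0     :0                         :0x0
1238         58508         1817  08:54:34  L3 - Dynamic
"""

# First line of an entry: DstIP SrcIP Prot :SrcPort :DstPort ... (rest ignored)
FLOW_RE = re.compile(
    r"^(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<proto>\S+)\s+:(?P<sport>\S+)\s+:(?P<dport>\S+)"
)
# Second line of an entry: Pkts Bytes Age LastSeen Attributes
COUNT_RE = re.compile(r"^(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<age>\d+)\s+(?P<seen>\S+)")


def parse_netflow(text):
    """Return one dict per flow entry; header and separator lines are skipped."""
    lines = text.splitlines()
    flows = []
    for i, line in enumerate(lines):
        m = FLOW_RE.match(line)
        if not m or i + 1 >= len(lines):
            continue
        c = COUNT_RE.match(lines[i + 1])
        if not c:
            continue
        flows.append({
            "dst": m["dst"], "src": m["src"], "proto": m["proto"],
            "sport": m["sport"], "dport": m["dport"],
            "pkts": int(c["pkts"]), "bytes": int(c["bytes"]),
            "age": int(c["age"]), "seen": c["seen"],
        })
    return flows


def _aggregate(flows, key, peer):
    """Sum pkts/bytes per `key` IP and count distinct `peer` IPs; busiest first."""
    pkts, byts, peers = Counter(), Counter(), {}
    for f in flows:
        if f["dst"] == "0.0.0.0" and f["src"] == "0.0.0.0":
            continue  # assumption: the all-zero entry is a catch-all, not a host
        pkts[f[key]] += f["pkts"]
        byts[f[key]] += f["bytes"]
        peers.setdefault(f[key], set()).add(f[peer])
    rows = [(ip, pkts[ip], byts[ip], len(peers[ip])) for ip in pkts]
    rows.sort(key=lambda r: (-r[1], -r[3], r[0]))
    return rows


def top_destinations(flows, n=5):
    """(dst, pkts, bytes, distinct sources): targets of the traffic."""
    return _aggregate(flows, "dst", "src")[:n]


def top_sources(flows, n=5):
    """(src, pkts, bytes, distinct destinations): who is sending it."""
    return _aggregate(flows, "src", "dst")[:n]


def sources_of(flows, dst):
    """(src, dport, pkts) for one destination, heaviest first."""
    rows = [(f["src"], f["dport"], f["pkts"]) for f in flows if f["dst"] == dst]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    flows = parse_netflow(SAMPLE)
    print("Top destinations (dst, pkts, bytes, #sources):")
    for row in top_destinations(flows):
        print("  ", row)
    print("Top sources (src, pkts, bytes, #destinations):")
    for row in top_sources(flows):
        print("  ", row)
    busiest = top_destinations(flows, 1)[0][0]
    print(f"Sources hitting {busiest}:", sources_of(flows, busiest))
```

Paste the real `sh mls netflow ip any` output into SAMPLE (or read it from a file) and run the script; a destination whose packet count and distinct-source count both stand out is the host under attack, and `sources_of()` lists the addresses and port responsible.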


Gary 08-23-2006 02:02 AM

Re: 6500 and DOS
 

"Merv" <merv.hrabi@rogers.com> wrote in message
news:1156078666.937812.195070@74g2000cwt.googlegroups.com...
>
> Hopefully this will get you started
>
> ! Configure NetFlow on 6500
>
> ! 1. enable NetFlow on PFC
>
> mls netflow
>
>
> ! 2. config the type flow mask to be used by NetFlow
>
> mls flow ip full
>
>
> ! 3. display NetFlow flowmask configured
>
> sh mls netflow flowmask
>
> current ip flowmask for unicast: full
> current ipv6 flowmask for unicast: null
>
>
> ! 4. check NetFlow cache aging timers
>
> show mls netflow aging
>
>              enable  timeout  packet threshold
>              ------  -------  ----------------
> normal aging true    300      N/A
> fast aging   false   32       100
> long aging   true    1920     N/A
>
>
>
> ! 5. display NetFlow accounting information for traffic switched by PFC
>
>
> sh mls netflow ip any
>
> Displaying Netflow entries in Supervisor Earl
> DstIP           SrcIP           Prot:SrcPort:DstPort  Src i/f         :AdjPtr
> -----------------------------------------------------------------------------
> Pkts         Bytes         Age   LastSeen  Attributes
> ---------------------------------------------------
> 5.38.7.11       223.255.254.254 tcp :45736 :telnet                    :0x0
> 0            0             314   08:54:44  L3 - Dynamic
> 5.38.7.11       5.38.0.2        udp :ntp   :ntp                       :0x0
> 0            0             527   08:54:29  L3 - Dynamic
> 0.0.0.0         0.0.0.0         0   :0     :0                         :0x0
> 1238         58508         1817  08:54:34  L3 - Dynam
>
>
>
>
>
> For configuration of NetFlow sampling see :
>
>
>
> http://www.cisco.com/en/US/products/...080160a2b.html
>


Worked a treat!

What is the overhead during a DoS?

Thanks
Gary



