Cisco 1605 Access List Entry Limits

Discussion in 'Cisco' started by AC, Jun 22, 2004.

  1. AC

    AC Guest

    As a temporary measure until we can get a proper solution to SMTP dictionary
    attacks, I'm looking at using our border router (a Cisco 1605) to block SMTP
    from hosts attacking our SMTP. The following is what it reports for memory:

    8192K bytes of DRAM onboard
    4096K bytes of processor board PCMCIA flash (Read/Write)

    How many access-list entries can I reasonably put on the outside (ethernet0)
    interface, and what is the best way to dynamically update the access list in
    question (I'm looking at updates every four or five minutes).

    --
    Aaron Clausen
    AC, Jun 22, 2004
    #1

  2. AC

    Hansang Bae Guest

    In article <>,
    says...
    > As a temporary measure until we can get a proper solution to SMTP dictionary
    > attacks, I'm looking at using our border router (a Cisco 1605) to block SMTP
    > from hosts attacking our SMTP. The following is what it reports for memory:
    >
    > 8192K bytes of DRAM onboard
    > 4096K bytes of processor board PCMCIA flash (Read/Write)
    >
    > How many access-list entries can I reasonably put on the outside (ethernet0)
    > interface, and what is the best way to dynamically update the access list in
    > question (I'm looking at updates every four or five minutes).


    I'm not sure how much more memory it would take, but I would guess not
    too much. Your problem may be 1) running out of NVRAM if the ACL gets
    too big, 2) CPU goes up chugging through the large ACL on a 1600
    platform, 3) After you modify the ACL so many times, it may become
    useless.

    We've had cases where on a 7500 running 12.1x code, the ACL became
    confused and allowed everything. This after updating the ACL twice a
    week for about a year.

    --

    hsb

    "Somehow I imagined this experience would be more rewarding" Calvin
    *************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
    ********************************************************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
    Hansang Bae, Jun 22, 2004
    #2

  3. AC

    AC Guest

    On Tue, 22 Jun 2004 03:30:15 GMT,
    Hansang Bae <> wrote:
    > In article <>,
    > says...
    >> As a temporary measure until we can get a proper solution to SMTP dictionary
    >> attacks, I'm looking at using our border router (a Cisco 1605) to block SMTP
    >> from hosts attacking our SMTP. The following is what it reports for memory:
    >>
    >> 8192K bytes of DRAM onboard
    >> 4096K bytes of processor board PCMCIA flash (Read/Write)
    >>
    >> How many access-list entries can I reasonably put on the outside (ethernet0)
    >> interface, and what is the best way to dynamically update the access list in
    >> question (I'm looking at updates every four or five minutes).

    >
    > I'm not sure how much more memory it would take, but I would guess not
    > too much. Your problem may be 1) running out of NVRAM if the ACL gets
    > too big, 2) CPU goes up chugging through the large ACL on a 1600
    > platform, 3) After you modify the ACL so many times, it may become
    > useless.
    >
    > We've had cases where on a 7500 running 12.1x code, the ACL became
    > confused and allowed everything. This after updating the ACL twice a
    > week for about a year.


    More careful analysis of the logs indicates that if I could block somewhere
    between 50-200 IPs, with updates every five minutes or so, this might be far
    more effective. Does the update frequency and max of around 200 IPs sound
    doable?

    --
    Aaron Clausen
    AC, Jun 22, 2004
    #3
  4. AC wrote:

    > On Tue, 22 Jun 2004 03:30:15 GMT,
    > Hansang Bae <> wrote:
    >> In article <>,
    >> says...
    >>> As a temporary measure until we can get a proper solution to SMTP
    >>> dictionary attacks, I'm looking at using our border router (a Cisco
    >>> 1605) to block SMTP
    >>> from hosts attacking our SMTP. The following is what it reports for
    >>> memory:
    >>>
    >>> 8192K bytes of DRAM onboard
    >>> 4096K bytes of processor board PCMCIA flash (Read/Write)
    >>>
    >>> How many access-list entries can I reasonably put on the outside
    >>> (ethernet0) interface, and what is the best way to dynamically update
    >>> the access list in question (I'm looking at updates every four or five
    >>> minutes).

    >>
    >> I'm not sure how much more memory it would take, but I would guess not
    >> too much. Your problem may be 1) running out of NVRAM if the ACL gets
    >> too big, 2) CPU goes up chugging through the large ACL on a 1600
    >> platform, 3) After you modify the ACL so many times, it may become
    >> useless.
    >>
    >> We've had cases where on a 7500 running 12.1x code, the ACL became
    >> confused and allowed everything. This after updating the ACL twice a
    >> week for about a year.

    >
    > More careful analysis of the logs indicates that if I could block
    > somewhere between 50-200 IPs, with updates every five minutes or so, this
    > might be far
    > more effective. Does the update frequency and max of around 200 IPs sound
    > doable?
    >


    To be honest, your easiest way to do this kind of blocking, assuming you just
    want to blackhole the hosts entirely, would be to get a Linux/xBSD box on
    the internal network running Zebra or Bird (a routing daemon of some
    description) and have it talk BGP/OSPF/whatever routing protocol that isn't
    classful to the 1605.

    Then to blackhole an attacking IP you just add a route on the Linux box,
    which will propagate to the 1605 and effectively blackhole the attacker.

    No config changes needed on the 1605 whatsoever and any frequency of updates
    for the block list you want is achievable.

    P.
    Paul S. Brown, Jun 23, 2004
    #4
  5. AC

    Hansang Bae Guest

    In article <>,
    says...
    > More careful analysis of the logs indicates that if I could block somewhere
    > between 50-200 IPs, with updates every five minutes or so, this might be far
    > more effective. Does the update frequency and max of around 200 IPs sound
    > doable?


    Don't know. We don't use 1600's too much so I don't know what effect
    it will have if you add a 200 line ACL. But I think you're asking the
    router to do something it was not designed to do.


    --

    hsb

    Hansang Bae, Jun 24, 2004
    #5
  6. AC

    AC Guest

    On Thu, 24 Jun 2004 04:29:37 GMT,
    Hansang Bae <> wrote:
    > In article <>,
    > says...
    >> More careful analysis of the logs indicates that if I could block somewhere
    >> between 50-200 IPs, with updates every five minutes or so, this might be far
    >> more effective. Does the update frequency and max of around 200 IPs sound
    >> doable?

    >
    > Don't know. We don't use 1600's too much so I don't know what effect
    > it will have if you add a 200 line ACL. But I think you're asking the
    > router to do something it was not designed to do.


    Actually I've changed my strategy a bit. I think I can get away with no
    more than 30 or 40 (and usually about 10) entries in the ACL, but will need
    to update it every few minutes. Is that doable?

    --
    Aaron Clausen
    AC, Jun 24, 2004
    #6
  7. AC

    Hansang Bae Guest

    In article <>,
    says...
    > Actually I've changed my strategy a bit. I think I can get away with no
    > more than 30 or 40 (and usually about 10) entries in the ACL, but will need
    > to update it every few minutes. Is that doable?


    That is certainly doable.

    --

    hsb

    Hansang Bae, Jun 24, 2004
    #7
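An added example, not code from the thread: a Python script that turns constructed sendmail-style recipient-rejection log lines into the small, frequently regenerated SMTP block list the poster settled on, rendered both as a numbered IOS extended ACL and as the static null-route form of Paul Brown's blackhole suggestion. The log format, ACL number 101, the rejection threshold and the 40-entry cap are assumptions.

```python
import re
from collections import Counter

# Constructed sample mail-log lines (not from the thread): sendmail-style
# recipient rejections, each carrying the connecting host in relay=[...].
SAMPLE_LOG = """\
Jun 22 03:01:10 mx sendmail[101]: relay=[198.51.100.7], reject=550 5.1.1 <aaa@example.net>... User unknown
Jun 22 03:01:11 mx sendmail[102]: relay=[198.51.100.7], reject=550 5.1.1 <aab@example.net>... User unknown
Jun 22 03:01:12 mx sendmail[103]: relay=[198.51.100.7], reject=550 5.1.1 <aac@example.net>... User unknown
Jun 22 03:01:30 mx sendmail[104]: relay=[203.0.113.9], reject=550 5.1.1 <bob@example.net>... User unknown
Jun 22 03:01:31 mx sendmail[105]: relay=[203.0.113.9], reject=550 5.1.1 <bobb@example.net>... User unknown
Jun 22 03:02:00 mx sendmail[106]: relay=[192.0.2.44], reject=550 5.1.1 <typo@example.net>... User unknown
"""

REJECT_RE = re.compile(r"relay=\[(\d{1,3}(?:\.\d{1,3}){3})\].*User unknown")

def count_rejects(log_text):
    """Count 'User unknown' rejections per connecting IP address."""
    return Counter(m.group(1) for m in REJECT_RE.finditer(log_text))

def pick_offenders(counts, threshold=2, max_entries=40):
    """IPs at or above the threshold, worst first, capped at max_entries
    (the 30-40 line budget the poster settled on); a lone typo is ignored."""
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [ip for ip, n in ranked if n >= threshold][:max_entries]

def render_acl(ips, acl=101):
    """IOS commands that rebuild a numbered extended ACL dropping SMTP from the
    offenders while permitting everything else."""
    # Classic IOS cannot edit a numbered ACL in place, so it is removed and
    # recreated. While it is absent, an interface that references a missing
    # ACL permits everything; that window is one reason the thread calls
    # frequent rewrites of a single list fragile.
    lines = [f"no access-list {acl}"]
    lines += [f"access-list {acl} deny tcp host {ip} any eq smtp" for ip in ips]
    lines.append(f"access-list {acl} permit ip any any")
    return lines

def render_null_routes(ips):
    """Static-route form of the thread's blackhole suggestion."""
    # Null routes are destination based: replies to the host are discarded, so
    # its TCP sessions never complete. This drops all traffic, not just SMTP.
    return [f"ip route {ip} 255.255.255.255 Null0" for ip in ips]

if __name__ == "__main__":
    offenders = pick_offenders(count_rejects(SAMPLE_LOG))
    print("\n".join(render_acl(offenders)))
    print("\n".join(render_null_routes(offenders)))
```

Regenerating the list every few minutes from the current log window keeps it near the 10 to 40 entries discussed, and the null-route output is what a routing daemon on an internal box would inject instead of touching the 1605's configuration.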