Cisco 1605 Access List Entry Limits

Discussion in 'Cisco' started by AC, Jun 22, 2004.

  1. AC

    AC Guest

    As a temporary measure until we can get a proper solution to SMTP dictionary
    attacks, I'm looking at using our border router (a Cisco 1605) to block SMTP
    from hosts attacking our SMTP. The following is what it reports for memory:

    8192K bytes of DRAM onboard
    4096K bytes of processor board PCMCIA flash (Read/Write)

    How many access-list entries can I reasonably put on the outside (ethernet0)
    interface, and what is the best way to dynamically update the access list in
    question (I'm looking at updates every four or five minutes).
     
    AC, Jun 22, 2004
    #1
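The question above (and the later posts that settle on a bounded list of a few dozen entries, refreshed every few minutes) is really a small pipeline: count attacking sources from the mail server's log, pick the worst offenders up to a fixed cap, and emit a replacement ACL for the router. The Python below is an added example, not code from this thread or from any poster; the log format and the `deny tcp host X any eq smtp` rule shape are assumptions, and the sample log lines are constructed. It keeps the list bounded (so NVRAM and CPU on the 1600 stay predictable) and never blocks addresses on an allowlist.

```python
"""Build a bounded Cisco IOS extended ACL from SMTP auth-failure log lines.

Added example for the thread above; the log format is a hypothetical
syslog-style line, and the sample data is constructed.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log: one noisy host, one moderate host, one single
# failure, one internal host that must never be blocked, and a benign line.
SAMPLE_LOG = """\
Jun 22 10:01:02 mail smtpd[4121]: auth failure for user=alice from 198.51.100.7
Jun 22 10:01:05 mail smtpd[4121]: auth failure for user=bob from 198.51.100.7
Jun 22 10:01:09 mail smtpd[4121]: auth failure for user=carol from 198.51.100.7
Jun 22 10:01:11 mail smtpd[4121]: auth failure for user=dave from 198.51.100.7
Jun 22 10:01:14 mail smtpd[4121]: auth failure for user=erin from 198.51.100.7
Jun 22 10:02:01 mail smtpd[4122]: auth failure for user=admin from 203.0.113.9
Jun 22 10:02:04 mail smtpd[4122]: auth failure for user=root from 203.0.113.9
Jun 22 10:02:07 mail smtpd[4122]: auth failure for user=test from 203.0.113.9
Jun 22 10:03:00 mail smtpd[4123]: auth failure for user=frank from 192.0.2.44
Jun 22 10:03:30 mail smtpd[4124]: auth failure for user=ops from 10.20.30.40
Jun 22 10:03:31 mail smtpd[4124]: auth failure for user=ops from 10.20.30.40
Jun 22 10:03:32 mail smtpd[4124]: auth failure for user=ops from 10.20.30.40
Jun 22 10:03:33 mail smtpd[4124]: auth failure for user=ops from 10.20.30.40
Jun 22 10:04:00 mail smtpd[4125]: connect from 198.51.100.200
"""

# Hypothetical log line shape: "... auth failure for user=<name> from <ipv4>".
LINE_RE = re.compile(r"auth failure for user=\S+ from (\d{1,3}(?:\.\d{1,3}){3})\b")


def count_failures(log_text):
    """Return a Counter of source IP -> number of auth failures seen."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def select_offenders(counts, threshold=3, max_entries=40, allowlist=()):
    """Pick sources at or above `threshold`, skipping allowlisted networks,
    ordered worst-first and capped at `max_entries` so the ACL stays small."""
    nets = [ip_network(n) for n in allowlist]
    candidates = []
    for ip, n in counts.items():
        if n < threshold:
            continue
        addr = ip_address(ip)
        if any(addr in net for net in nets):
            continue  # never block our own address space
        candidates.append((ip, n))
    # Most failures first; tie-break on address for a stable, diffable list.
    candidates.sort(key=lambda t: (-t[1], ip_address(t[0])))
    return [ip for ip, _ in candidates[:max_entries]]


def build_acl(acl_number, offenders):
    """Render a full replacement for a numbered extended ACL (100-199).

    Numbered ACLs on IOS of this era cannot be edited line by line, so the
    update deletes and recreates the whole list. Only SMTP from the listed
    sources is denied; everything else falls through to the final permit.
    """
    lines = [f"no access-list {acl_number}"]
    for ip in offenders:
        lines.append(f"access-list {acl_number} deny tcp host {ip} any eq smtp")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


def render_update(log_text, acl_number=100, threshold=3, max_entries=40,
                  allowlist=("10.0.0.0/8",)):
    """Whole pipeline: log text in, list of IOS config lines out."""
    offenders = select_offenders(count_failures(log_text), threshold,
                                 max_entries, allowlist)
    return build_acl(acl_number, offenders)


if __name__ == "__main__":
    print("\n".join(render_update(SAMPLE_LOG)))
```

One caveat worth planning around when the list is regenerated every few minutes: between `no access-list 100` and the re-added lines, the interface references an ACL that no longer exists, and IOS treats a missing ACL as permit-all. Alternating between two ACL numbers (build the new one, then switch the `ip access-group` on ethernet0, then delete the old one) avoids that window, and the cap on `max_entries` is what keeps the 1600's NVRAM and per-packet CPU cost bounded.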

  2. AC

    Hansang Bae Guest

    I'm not sure how much more memory it would take, but I would guess not
    too much. Your problem may be 1) running out of NVRAM if the ACL gets
    too big, 2) CPU goes up chugging through the large ACL on a 1600
    platform, 3) After you modify the ACL so many times, it may become
    useless.

    We've had cases where on a 7500 running 12.1x code, the ACL became
    confused and allowed everything. This after updating the ACL twice a
    week for about a year.

    --

    hsb

    "Somehow I imagined this experience would be more rewarding" Calvin
    *************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
    ********************************************************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
     
    Hansang Bae, Jun 22, 2004
    #2

  3. AC

    AC Guest

    More careful analysis of the logs indicates that if I could block somewhere
    between 50-200 IPs, with updates every five minutes or so, this might be far
    more effective. Does the update frequency and max of around 200 IPs sound
    doable?
     
    AC, Jun 22, 2004
    #3
  4. To be honest your easiest way to do this kind of blocking, assuming you just
    want to blackhole the hosts entirely, would be to get a Linux/xBSD box on
    the internal network running Zebra or Bird - routing daemon of some
    description and have it talk BGP/OSPF/whatever routing protocol that isn't
    classful to the 1605.

    Then to blackhole an attacking IP you just add a route on the Linux box
    which will propagate to the 1605 and effectively blackhole the attacker.

    No config changes needed on the 1605 whatsoever and any frequency of updates
    for the block list you want is achievable.

    P.
     
    Paul S. Brown, Jun 23, 2004
    #4
  5. AC

    Hansang Bae Guest

    Don't know. We don't use 1600's too much so I don't know what effect
    it will have if you add a 200 line ACL. But I think you're asking the
    router to do something it was not designed to do.


     
    Hansang Bae, Jun 24, 2004
    #5
  6. AC

    AC Guest

    Actually I've changed my strategy a bit. I think I can get away with no
    more than 30 or 40 (and usually about 10) entries in the ACL, but will need
    to update it every few minutes. Is that doable?
     
    AC, Jun 24, 2004
    #6
  7. AC

    Hansang Bae Guest

    That is certainly doable.

     
    Hansang Bae, Jun 24, 2004
    #7