Solved

Cisco 3560 TTL Policy

Posted on 2012-03-31
13
252 Views
Last Modified: 2013-04-29
Is there any way to block a trafic from access list depending on ttl  ?
0
Comment
Question by:3XLcom
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 6
13 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37791755
0
 

Author Comment

by:3XLcom
ID: 37791784
Yes but 3560 does not have a feature as this :


Cisco.xxx.xxx.xx(config-ext-nacl)#deny ip any any ?
  dscp        Match packets with given dscp value
  fragments   Check non-initial fragments
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  option      Match packets with given IP Options value
  precedence  Match packets with given precedence value
  time-range  Specify a time-range
  tos         Match packets with given TOS value
  <cr>

Open in new window


Is there any way to block specific byte of packeges for ex. 68 byte
or ttl is 117
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37791837
What IOS version do you have?
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 

Author Comment

by:3XLcom
ID: 37791868
ROM: Bootstrap program is C3560 boot loader
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37791893
Ah, this option is available from version 12.4(2)T
:-~
0
 

Author Comment

by:3XLcom
ID: 37791902
where should i download it
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37791906
Well, from Cisco. But you need to have a valid smartnet support for that (so you can log in and get to the downloads).
0
 

Author Comment

by:3XLcom
ID: 37791926
I have checked from here :
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp 
there is no supported 12.4 version for 3560
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 37791938
Ok, let me rephrase a previous comment.

This option is available from version 12.4(2)T or higher. So anything above 12.4 should have it (I think I saw a 15.0 version).
0
 

Author Comment

by:3XLcom
ID: 37791940
Just SE versions support cat 3560 15.0 is not have a support for ipv4 ttl access list
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37791991
I'm afraid you're right :(

Is there any specific reason you want to filter on these properties?
0
 

Author Comment

by:3XLcom
ID: 37792006
Sometimes there comes botnet attacks with 200k + packets all of them has same TTL values.
that cause the fulling of sessions on my firewall so all my network locking

At this time i want to block the TTL values.
I am using Juniper SSG sery transparently after my router .
But as fas as i know it does not have a value to block TTL

I decide to put sth. like mikrotik between juniper and cisco but this time it is locking :D

So the only way the buying a citrix with 30k $ or find a way to block on Cisco

Do you have any alternative idea depending on blocking this type of packages

http://www.experts-exchange.com/Networking/Protocols/Transport/TCP-IP/Q_27657169.html
0
 

Author Closing Comment

by:3XLcom
ID: 39120298
Sorry for late acception
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question