Cisco 3560 TTL Policy

Is there any way to block traffic from an access list depending on TTL?

Ernie Beek (Expert) commented:
 
3XLcom (Author) commented:
Yes, but the 3560 does not have a feature like this:


Cisco.xxx.xxx.xx(config-ext-nacl)#deny ip any any ?
  dscp        Match packets with given dscp value
  fragments   Check non-initial fragments
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  option      Match packets with given IP Options value
  precedence  Match packets with given precedence value
  time-range  Specify a time-range
  tos         Match packets with given TOS value
  <cr>


Is there any way to block packets of a specific byte size, for example 68 bytes, or with a TTL of 117?
 
Ernie Beek (Expert) commented:
What IOS version do you have?
 
3XLcom (Author) commented:
ROM: Bootstrap program is C3560 boot loader
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
 
Ernie Beek (Expert) commented:
Ah, this option is available from version 12.4(2)T
:-~
 
3XLcom (Author) commented:
Where should I download it?
 
Ernie Beek (Expert) commented:
Well, from Cisco. But you need to have a valid SMARTnet support contract for that (so you can log in and get to the downloads).
 
3XLcom (Author) commented:
I have checked from here:
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
There is no supported 12.4 version for the 3560.
 
Ernie Beek (Expert) commented:
OK, let me rephrase a previous comment.

This option is available from version 12.4(2)T or higher. So anything above 12.4 should have it (I think I saw a 15.0 version).
 
3XLcom (Author) commented:
Only SE versions support the Cat 3560; 15.0 does not have support for IPv4 TTL access lists.
 
Ernie Beek (Expert) commented:
I'm afraid you're right :(

Is there any specific reason you want to filter on these properties?
 
3XLcom (Author) commented:
Sometimes botnet attacks come in with 200k+ packets, all of them with the same TTL value.
That fills up the sessions on my firewall, so my whole network locks up.

At that point I want to block on the TTL values.
I am using a Juniper SSG series transparently after my router,
but as far as I know it does not have an option to block on TTL.

I decided to put something like a MikroTik between the Juniper and the Cisco, but this time that is what locks up :D

So the only way is buying a Citrix for $30k or finding a way to block on the Cisco.

Do you have any alternative ideas for blocking this type of packet?

http://www.experts-exchange.com/Networking/Protocols/Transport/TCP-IP/Q_27657169.html
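The pattern described in the comment above (a flood in which every packet carries the same TTL, and the wish to drop on TTL or on a fixed packet size) can be checked offline against a capture before any ACL is written. The following is an added example, not code from the thread or from Cisco: it parses raw IPv4 headers, builds a TTL histogram to confirm that one TTL dominates, and emulates a single deny entry matching on TTL and/or total length, the two properties the question asks about. The packets are constructed inline (addresses from the documentation ranges, UDP as the assumed protocol), so it runs without a capture file.

```python
import struct
from collections import Counter
from typing import Optional

IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options


def _checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum over an even-length header."""
    total = 0
    for i in range(0, len(hdr), 2):
        total += (hdr[i] << 8) | hdr[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src: str, dst: str, ttl: int, payload_len: int, proto: int = 17) -> bytes:
    """Build a minimal IPv4 packet with a zero-filled payload (constructed test data only)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]  # fill in the checksum field
    return hdr + b"\x00" * payload_len


def parse_ipv4_header(pkt: bytes) -> dict:
    """Return the header fields an ACL would match on; reject malformed or corrupted headers."""
    if len(pkt) < 20:
        raise ValueError("packet too short for an IPv4 header")
    ver_ihl, _tos, total_length, _ident, _flags, ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    if _checksum(pkt[:ihl]) != 0:  # a valid header sums to all-ones, so its complement is zero
        raise ValueError("bad IPv4 header checksum")
    return {
        "ttl": ttl,
        "total_length": total_length,
        "protocol": proto,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def ttl_profile(packets) -> Counter:
    """Histogram of TTL values across the packets."""
    return Counter(parse_ipv4_header(p)["ttl"] for p in packets)


def dominant_ttl(packets, threshold: float = 0.8):
    """Return (ttl, share) when a single TTL covers at least `threshold` of the packets, else None."""
    profile = ttl_profile(packets)
    if not profile:
        return None
    ttl, count = profile.most_common(1)[0]
    share = count / sum(profile.values())
    return (ttl, share) if share >= threshold else None


def matches_rule(hdr: dict, ttl: Optional[int] = None, length: Optional[int] = None) -> bool:
    """Emulate one ACL entry: every given criterion (TTL, total length) must match."""
    if ttl is not None and hdr["ttl"] != ttl:
        return False
    if length is not None and hdr["total_length"] != length:
        return False
    return True


def apply_deny_rule(packets, ttl: Optional[int] = None, length: Optional[int] = None):
    """Split packets into (dropped, passed) under a single deny entry."""
    dropped, passed = [], []
    for p in packets:
        (dropped if matches_rule(parse_ipv4_header(p), ttl, length) else passed).append(p)
    return dropped, passed


def sample_packets():
    """Constructed sample: ten 68-byte flood packets with TTL 117 plus two ordinary packets."""
    flood = [build_ipv4_packet(f"198.51.100.{i}", "192.0.2.10", ttl=117, payload_len=48) for i in range(1, 11)]
    normal = [
        build_ipv4_packet("192.0.2.50", "192.0.2.10", ttl=64, payload_len=100),
        build_ipv4_packet("192.0.2.51", "192.0.2.10", ttl=128, payload_len=40),
    ]
    return flood + normal


if __name__ == "__main__":
    pkts = sample_packets()
    print("TTL histogram:", dict(ttl_profile(pkts)))
    print("dominant TTL:", dominant_ttl(pkts))
    dropped, passed = apply_deny_rule(pkts, ttl=117)
    print(f"deny ttl 117: dropped={len(dropped)} passed={len(passed)}")
    dropped, passed = apply_deny_rule(pkts, length=68)
    print(f"deny length 68: dropped={len(dropped)} passed={len(passed)}")
```

Running the histogram over a real capture before enabling a rule shows whether the flood's TTL overlaps with legitimate clients (a TTL of 117 could equally be a Windows host 11 hops away), which is the check worth doing before dropping on TTL alone; matching on TTL and size together narrows the rule to the flood's signature.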
 
3XLcom (Author) commented:
Sorry for the late acceptance.