Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Cisco 3560 TTL Policy

Posted on 2012-03-31
13
Medium Priority
?
257 Views
Last Modified: 2013-04-29
Is there any way to block a trafic from access list depending on ttl  ?
0
Comment
Question by:3XLcom
  • 7
  • 6
13 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37791755
0
 

Author Comment

by:3XLcom
ID: 37791784
Yes but 3560 does not have a feature as this :


Cisco.xxx.xxx.xx(config-ext-nacl)#deny ip any any ?
  dscp        Match packets with given dscp value
  fragments   Check non-initial fragments
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  option      Match packets with given IP Options value
  precedence  Match packets with given precedence value
  time-range  Specify a time-range
  tos         Match packets with given TOS value
  <cr>

Open in new window


Is there any way to block specific byte of packeges for ex. 68 byte
or ttl is 117
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37791837
What IOS version do you have?
0
Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

 

Author Comment

by:3XLcom
ID: 37791868
ROM: Bootstrap program is C3560 boot loader
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37791893
Ah, this option is available from version 12.4(2)T
:-~
0
 

Author Comment

by:3XLcom
ID: 37791902
where should i download it
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37791906
Well, from Cisco. But you need to have a valid smartnet support for that (so you can log in and get to the downloads).
0
 

Author Comment

by:3XLcom
ID: 37791926
I have checked from here :
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp 
there is no supported 12.4 version for 3560
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 2000 total points
ID: 37791938
Ok, let me rephrase a previous comment.

This option is available from version 12.4(2)T or higher. So anything above 12.4 should have it (I think I saw a 15.0 version).
0
 

Author Comment

by:3XLcom
ID: 37791940
Just SE versions support cat 3560 15.0 is not have a support for ipv4 ttl access list
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37791991
I'm afraid you're right :(

Is there any specific reason you want to filter on these properties?
0
 

Author Comment

by:3XLcom
ID: 37792006
Sometimes there comes botnet attacks with 200k + packets all of them has same TTL values.
that cause the fulling of sessions on my firewall so all my network locking

At this time i want to block the TTL values.
I am using Juniper SSG sery transparently after my router .
But as fas as i know it does not have a value to block TTL

I decide to put sth. like mikrotik between juniper and cisco but this time it is locking :D

So the only way the buying a citrix with 30k $ or find a way to block on Cisco

Do you have any alternative idea depending on blocking this type of packages

http://www.experts-exchange.com/Networking/Protocols/Transport/TCP-IP/Q_27657169.html
0
 

Author Closing Comment

by:3XLcom
ID: 39120298
Sorry for late acception
0

Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

783 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question