Solved

Cisco 3560 TTL Policy

Posted on 2012-03-31
13
246 Views
Last Modified: 2013-04-29
Is there any way to block a trafic from access list depending on ttl  ?
0
Comment
Question by:3XLcom
  • 7
  • 6
13 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37791755
0
 

Author Comment

by:3XLcom
ID: 37791784
Yes but 3560 does not have a feature as this :


Cisco.xxx.xxx.xx(config-ext-nacl)#deny ip any any ?
  dscp        Match packets with given dscp value
  fragments   Check non-initial fragments
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  option      Match packets with given IP Options value
  precedence  Match packets with given precedence value
  time-range  Specify a time-range
  tos         Match packets with given TOS value
  <cr>

Open in new window


Is there any way to block specific byte of packeges for ex. 68 byte
or ttl is 117
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37791837
What IOS version do you have?
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 

Author Comment

by:3XLcom
ID: 37791868
ROM: Bootstrap program is C3560 boot loader
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37791893
Ah, this option is available from version 12.4(2)T
:-~
0
 

Author Comment

by:3XLcom
ID: 37791902
where should i download it
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37791906
Well, from Cisco. But you need to have a valid smartnet support for that (so you can log in and get to the downloads).
0
 

Author Comment

by:3XLcom
ID: 37791926
I have checked from here :
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp 
there is no supported 12.4 version for 3560
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 37791938
Ok, let me rephrase a previous comment.

This option is available from version 12.4(2)T or higher. So anything above 12.4 should have it (I think I saw a 15.0 version).
0
 

Author Comment

by:3XLcom
ID: 37791940
Just SE versions support cat 3560 15.0 is not have a support for ipv4 ttl access list
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37791991
I'm afraid you're right :(

Is there any specific reason you want to filter on these properties?
0
 

Author Comment

by:3XLcom
ID: 37792006
Sometimes there comes botnet attacks with 200k + packets all of them has same TTL values.
that cause the fulling of sessions on my firewall so all my network locking

At this time i want to block the TTL values.
I am using Juniper SSG sery transparently after my router .
But as fas as i know it does not have a value to block TTL

I decide to put sth. like mikrotik between juniper and cisco but this time it is locking :D

So the only way the buying a citrix with 30k $ or find a way to block on Cisco

Do you have any alternative idea depending on blocking this type of packages

http://www.experts-exchange.com/Networking/Protocols/Transport/TCP-IP/Q_27657169.html
0
 

Author Closing Comment

by:3XLcom
ID: 39120298
Sorry for late acception
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
ACL Logging Optimization 7 41
2 routers and 1 public IP Address. 10 41
Cisco 5508 WLC software upgrade 2 37
Cisco  3750E switches 1 13
In the hope of saving someone else's sanity... About a year ago we bought a Cisco 1921 router with two ADSL/VDSL EHWIC cards to load balance local network traffic over the two broadband lines we have, but we couldn't get the routing to work consi…
This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question