Solved

Cisco 3560 TTL Policy

Posted on 2012-03-31
255 Views
Last Modified: 2013-04-29
Is there any way to block traffic with an access list depending on TTL?
Question by:3XLcom
13 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37791755
0
 

Author Comment

by:3XLcom
ID: 37791784
Yes, but the 3560 does not have a feature like this:


Cisco.xxx.xxx.xx(config-ext-nacl)#deny ip any any ?
  dscp        Match packets with given dscp value
  fragments   Check non-initial fragments
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  option      Match packets with given IP Options value
  precedence  Match packets with given precedence value
  time-range  Specify a time-range
  tos         Match packets with given TOS value
  <cr>



Is there any way to block packets of a specific size, for example 68 bytes,
or with a TTL of 117?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37791837
What IOS version do you have?
0
 

Author Comment

by:3XLcom
ID: 37791868
ROM: Bootstrap program is C3560 boot loader
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37791893
Ah, this option is available from version 12.4(2)T
:-~
0
 

Author Comment

by:3XLcom
ID: 37791902
Where should I download it?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37791906
Well, from Cisco. But you need to have a valid SmartNet support contract for that (so you can log in and get to the downloads).
0
 

Author Comment

by:3XLcom
ID: 37791926
I have checked here:
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp 
There is no supported 12.4 version for the 3560.
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 37791938
Ok, let me rephrase a previous comment.

This option is available from version 12.4(2)T or higher. So anything above 12.4 should have it (I think I saw a 15.0 version).
0
 

Author Comment

by:3XLcom
ID: 37791940
Only SE versions support the Cat 3560; 15.0 does not have support for IPv4 TTL access lists.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37791991
I'm afraid you're right :(

Is there any specific reason you want to filter on these properties?
0
 

Author Comment

by:3XLcom
ID: 37792006
Sometimes botnet attacks come in with 200k+ packets, all of which have the same TTL value.
That causes the session table on my firewall to fill up, so my whole network locks up.

At this point I want to block on the TTL values.
I am using a Juniper SSG series transparently after my router.
But as far as I know it does not have an option to block on TTL.

I decided to put something like a MikroTik between the Juniper and the Cisco, but then that is what locks up :D

So the only way is buying a Citrix for $30k or finding a way to block on the Cisco.

Do you have any alternative idea for blocking this type of packets?

http://www.experts-exchange.com/Networking/Protocols/Transport/TCP-IP/Q_27657169.html
0
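The flood described in the comment above (many sources, one shared TTL) has a recognisable signature, and the accepted answer names the knob that would act on it: the `ttl` keyword in IOS extended ACLs, which arrived in 12.4(2)T and which the thread established is absent from the Catalyst 3560 SE images. The following is an added example, not code from the thread or from Cisco: it parses constructed tcpdump-style lines (not a capture from the asker's network), checks whether a single TTL dominates the traffic, and emits the matching extended-ACL entries in the 12.4(2)T+ syntax for a router or image that supports it. The ACL name `BLOCK-FLOOD-TTL`, the thresholds, and the sample addresses are assumptions for illustration.

```python
import re
from collections import Counter
from typing import Iterable, List, Optional

# Constructed sample in the style of `tcpdump -nn -v`, flattened to one line per
# packet (NOT captured from the asker's network): a SYN flood from many sources that
# all arrive with TTL 117, a little normal traffic, and one non-IP line to be skipped.
SAMPLE_LINES = [
    "10:00:01.000001 IP (tos 0x0, ttl 117, id 1, offset 0, flags [none], proto TCP (6), length 40) 198.51.100.10.40001 > 203.0.113.5.80: Flags [S], seq 1, win 512, length 0",
    "10:00:01.000002 IP (tos 0x0, ttl 117, id 2, offset 0, flags [none], proto TCP (6), length 40) 198.51.100.11.40002 > 203.0.113.5.80: Flags [S], seq 2, win 512, length 0",
    "10:00:01.000003 IP (tos 0x0, ttl 62, id 3, offset 0, flags [DF], proto TCP (6), length 60) 192.0.2.20.51000 > 203.0.113.5.443: Flags [S], seq 3, win 64240, length 0",
    "10:00:01.000004 IP (tos 0x0, ttl 117, id 4, offset 0, flags [none], proto TCP (6), length 40) 198.51.100.12.40003 > 203.0.113.5.80: Flags [S], seq 4, win 512, length 0",
    "10:00:01.000005 IP (tos 0x0, ttl 117, id 5, offset 0, flags [none], proto TCP (6), length 40) 198.51.100.13.40004 > 203.0.113.5.80: Flags [S], seq 5, win 512, length 0",
    "10:00:01.000006 IP (tos 0x0, ttl 126, id 6, offset 0, flags [DF], proto TCP (6), length 52) 192.0.2.21.52000 > 203.0.113.5.22: Flags [S], seq 6, win 8192, length 0",
    "10:00:01.000007 IP (tos 0x0, ttl 117, id 7, offset 0, flags [none], proto TCP (6), length 40) 198.51.100.14.40005 > 203.0.113.5.80: Flags [S], seq 7, win 512, length 0",
    "10:00:01.000008 IP (tos 0x0, ttl 117, id 8, offset 0, flags [none], proto TCP (6), length 40) 198.51.100.15.40006 > 203.0.113.5.80: Flags [S], seq 8, win 512, length 0",
    "10:00:01.000009 IP (tos 0x0, ttl 62, id 9, offset 0, flags [DF], proto TCP (6), length 60) 192.0.2.22.53000 > 203.0.113.5.443: Flags [S], seq 9, win 64240, length 0",
    "10:00:01.000010 IP (tos 0x0, ttl 117, id 10, offset 0, flags [none], proto TCP (6), length 40) 198.51.100.16.40007 > 203.0.113.5.80: Flags [S], seq 10, win 512, length 0",
    "10:00:01.000011 ARP, Request who-has 203.0.113.1 tell 203.0.113.5, length 28",
]

# Fields we need from the IP header summary: TTL, total length, source and destination.
TTL_RE = re.compile(
    r"\bttl (?P<ttl>\d+),.*?\blength (?P<length>\d+)\) "
    r"(?P<src>[^\s>]+) > (?P<dst>[^\s:]+):"
)


def parse_line(line: str) -> Optional[dict]:
    """Extract ttl/length/src/dst from one flattened tcpdump -v line, or None if it is not IP."""
    m = TTL_RE.search(line)
    if not m:
        return None
    return {"ttl": int(m["ttl"]), "length": int(m["length"]), "src": m["src"], "dst": m["dst"]}


def ttl_histogram(lines: Iterable[str]) -> Counter:
    """Count parsed packets per TTL value; unparseable lines are ignored."""
    counts: Counter = Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt is not None:
            counts[pkt["ttl"]] += 1
    return counts


def dominant_ttl(counts: Counter, min_share: float = 0.5, min_packets: int = 5) -> Optional[int]:
    """Return the TTL that carries at least min_share of the parsed packets (and at least
    min_packets in absolute terms), otherwise None. Thresholds are assumed values."""
    total = sum(counts.values())
    if total == 0:
        return None
    ttl, n = counts.most_common(1)[0]
    if n >= min_packets and n / total >= min_share:
        return ttl
    return None


def ios_ttl_acl(ttl: int, name: str = "BLOCK-FLOOD-TTL") -> List[str]:
    """IOS extended ACL lines that drop (and log) packets carrying exactly this TTL.
    The `ttl eq` match is the 12.4(2)T+ ACL TTL feature; the Catalyst 3560 SE images
    in the thread do not accept it, so this targets a router/image that does."""
    return [
        f"ip access-list extended {name}",
        f" deny ip any any ttl eq {ttl} log",
        " permit ip any any",
    ]


def suggest_acl(lines: Iterable[str]) -> Optional[List[str]]:
    """Full pipeline: histogram -> dominance check -> ACL text (None if no single TTL dominates)."""
    ttl = dominant_ttl(ttl_histogram(lines))
    return None if ttl is None else ios_ttl_acl(ttl)


if __name__ == "__main__":
    hist = ttl_histogram(SAMPLE_LINES)
    print("TTL histogram:", dict(hist))
    acl = suggest_acl(SAMPLE_LINES)
    print("\n".join(acl) if acl else "no single TTL dominates; do not filter on TTL")
```

Two caveats before applying the generated entry anywhere: the TTL is not an identity, so a legitimate client at the same hop distance running the same OS default TTL is dropped alongside the bots, and a bot can set any TTL it likes, so the match only holds until the tool changes. Treat the ACE as a temporary, logged measure for the duration of a flood, applied inbound on the upstream interface so the packets never reach the firewall's session table, and remove it when the `log` counters go quiet.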
 

Author Closing Comment

by:3XLcom
ID: 39120298
Sorry for the late acceptance.
0
