Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
OL-4266-08
Chapter 36 Configuring Denial of Service Protection
This example shows how to permit SSH access to the router from a subnet:
Router(config)# access-list 121 permit tcp 10.0.0.0 0.0.0.255 host 10.9.9.9 eq 22
This example shows how to allow full access for Telnet to the router from a host in a specific subnet and police the rest of the subnet. Because these ACLs are used for classification, the deny entry does not drop Telnet traffic from host 10.86.183.3; it excludes that host from this class so that its traffic is handled by a later class in the CoPP policy, while the permit entry classifies the rest of the subnet for policing:
Router(config)# access-list 121 deny tcp host 10.86.183.3 any eq telnet
Router(config)# access-list 121 permit tcp 10.86.183.0 0.0.0.255 any eq telnet
This example shows how to allow SNMP access from the NMS host to the router:
Router(config)# access-list 121 permit udp host 1.1.1.2 host 10.9.9.9 eq snmp
This example shows how to allow the router to receive NTP packets from a known clock source:
Router(config)# access-list 121 permit udp host 1.1.1.3 host 10.9.9.9 eq ntp
This example shows how to define ACL 122 for the normal traffic class:
Router(config)# access-list 122 remark CoPP normal traffic
This example shows how to permit the ICMP replies generated by router-originated traceroute traffic:
Router(config)# access-list 122 permit icmp any any ttl-exceeded
Router(config)# access-list 122 permit icmp any any port-unreachable
This example shows how to permit receipt of replies to pings that the router originated:
Router(config)# access-list 122 permit icmp any any echo-reply
This example shows how to allow pings to the router:
Router(config)# access-list 122 permit icmp any any echo
This example shows how to define ACL 123 for the undesirable class:
Router(config)# access-list 123 remark explicitly defined "undesirable" traffic
Note: In the following example, ACL 123 is a permit entry for classification and monitoring purposes; the traffic is dropped as a result of the CoPP policy.
This example shows how to permit all traffic destined to UDP 1434 so that it is classified for policing:
Router(config)# access-list 123 permit udp any any eq 1434
This example shows how to define ACL 124 for all other traffic:
Router(config)# access-list 124 remark rest of the IP traffic for CoPP
Router(config)# access-list 124 permit ip any any
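The ACLs above only classify traffic; they do not police or drop anything by themselves. The following is an added example, not part of this guide, showing one way to bind ACLs 121 through 124 to class maps, police each class, and apply the resulting policy to the control plane. The class map names, the policer rates (bps) and burst sizes (bytes), and the policy map name are assumptions chosen for illustration and must be sized for the actual network.

```cisco
! Added example (not from the guide). Each class map binds one of the
! classification ACLs defined above to a CoPP class.
class-map match-all CoPP-critical
 match access-group 121
class-map match-all CoPP-normal
 match access-group 122
class-map match-all CoPP-undesirable
 match access-group 123
class-map match-all CoPP-rest
 match access-group 124
!
! Rates and bursts below are placeholder assumptions; tune them from the
! counters reported by "show policy-map control-plane".
policy-map CoPP
 class CoPP-critical
  ! Management and NTP traffic is counted but never dropped.
  police 125000 1500 1500 conform-action transmit exceed-action transmit
 class CoPP-normal
  police 15000 1500 1500 conform-action transmit exceed-action drop
 class CoPP-undesirable
  ! ACL 123 permits UDP 1434 only to classify it; the policer drops all of it.
  police 8000 1500 1500 conform-action drop exceed-action drop
 class CoPP-rest
  ! Everything else, including Telnet from the host excluded by the deny in
  ! ACL 121, lands here via ACL 124.
  police 15000 1500 1500 conform-action transmit exceed-action drop
!
control-plane
 service-policy input CoPP
```

After applying the policy, use show policy-map control-plane to confirm that each class is matching and to see conformed and exceeded byte counts, and show access-lists 121 (and 122 through 124) to see per-ACE hit counters. Note that with this ordering the host denied in ACL 121 is not exempt from policing; its Telnet traffic falls through to the CoPP-rest class, so a host that must never be policed needs its own earlier class whose policer uses exceed-action transmit.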
Configuring Sticky ARP
Sticky ARP prevents MAC address spoofing by ensuring that ARP entries (IP address, MAC address,
and source VLAN) do not get overridden. The router maintains ARP entries in order to forward traffic
to end devices or other routers. ARP entries are usually updated periodically or modified when ARP
broadcasts are received. During an attack, ARP broadcasts are sent using a spoofed MAC address (with
a legitimate IP address) so that the router learns the legitimate IP address with the spoofed MAC address
and begins to forward traffic to that MAC address. With sticky ARP enabled, the router learns the ARP
entries and does not accept modifications received through ARP broadcasts. If you attempt to override