Section 10.0: Security Violations
10.1. Denial of Service—DoS
Configure CAR (rate-limit) on R3 to prevent ICMP flooding:
interface Serial1/0.1 point-to-point
 ip address 10.50.13.2 255.255.255.240
 rate-limit input access-group 110 560000 256000 384000 conform-action continue exceed-action drop
!
interface Serial1/0.3 point-to-point
 ip address 10.50.13.18 255.255.255.240
 rate-limit input access-group 110 560000 256000 384000 conform-action continue exceed-action drop
!
access-list 110 permit icmp any any
10.2. IP Spoofing
Configure Unicast RPF IP spoofing protection on PIX for inside and outside interfaces:
pix# show ip verify
ip verify reverse-path interface outside
ip verify reverse-path interface inside
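
Added example (not from the book): a small Python model of the reverse-path check that ip verify reverse-path applies on each interface. The interface names match the PIX commands above; the routing table, addresses and function names are constructed assumptions, chosen to show which spoofed sources the check drops and which it cannot see.

```python
import ipaddress

# Constructed routing table (assumption, not the lab topology):
# prefix -> interface the firewall uses to reach that prefix.
ROUTES = [
    ("0.0.0.0/0", "outside"),       # default route; the outside check relies on it
    ("172.16.0.0/16", "inside"),    # hypothetical internal network
    ("192.168.1.0/24", "inside"),   # hypothetical internal network
]
TABLE = [(ipaddress.ip_network(prefix), ifc) for prefix, ifc in ROUTES]


def reverse_path_interface(src):
    """Longest-prefix match on the packet's SOURCE address.

    Returns the interface that leads back to the source, or None if
    the table holds no route for it."""
    addr = ipaddress.ip_address(src)
    matches = [(net.prefixlen, ifc) for net, ifc in TABLE if addr in net]
    return max(matches, key=lambda m: m[0])[1] if matches else None


def urpf_check(ingress, src):
    """Accept only if the route back to src points out the ingress interface."""
    return reverse_path_interface(src) == ingress


# Constructed sample packets: (ingress interface, source IP, description)
PACKETS = [
    ("outside", "198.51.100.7", "genuine external host"),
    ("outside", "172.16.4.9", "internal source arriving from outside"),
    ("inside", "172.16.4.9", "genuine internal host"),
    ("inside", "198.51.100.7", "internal host forging an external source"),
    ("outside", "203.0.113.50", "forged external source, still routes outside"),
]


def evaluate():
    """Run every sample packet through the check; True means forwarded."""
    return [urpf_check(ingress, src) for ingress, src, _ in PACKETS]


if __name__ == "__main__":
    for (ingress, src, note), ok in zip(PACKETS, evaluate()):
        print(f"{ingress:8} {src:15} {'pass' if ok else 'drop'}  {note}")
```

The last sample packet passes: a forged source that is itself covered by the default route looks legitimate to the outside check, so reverse-path verification complements ingress ACLs and does not replace them.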