Kingsley,
The IPS uses the rate-limit command with an access-list under the interface you have selected to apply it to. It uses the legacy method.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service Provider) Certification Training with locations throughout the United States, Europe and Australia. Be sure to check out our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Tuesday, December 01, 2009 5:34 AM
To: Stuart Hare
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] IPS rate limit and request host blocking

Hi Stu

I repeated it many times and it is working for me with both DES and 3DES. This time I tried a manual host block and then the signature-triggered host block. But the rate limit is still a problem for me. I have configured a flood host signature and configured the action with rate limit. But I don't see the QoS policy/class and service policy configured on the router. But "sh line" and "sh users" show that the sensor has established the connection with the router (blocking device). The profile, blocking device and interface have been configured.

With regards
Kings

On Tue, Dec 1, 2009 at 2:54 PM, Stuart Hare <[email protected]> wrote:

Kings,

Take a look through the IPexpert Lab3 detailed solution guide, if you have it, for the IPS sections. It covers both ASA and IOS blocking devices and includes rate limiting also. Basically either algorithm should work. Where are you testing the SSH from? Double check your logs on the ASA to make sure that the IPS is not being denied.

Let me know if you still have issues?

Stu

2009/12/1 Kingsley Charles <[email protected]>

Hi Stu

Even I am facing the issue where the shun is not initiated on the ASA. The events O/P informs that the ASA is unreachable. But I am able to ping and ssh to the ASA. BTW, what is the algorithm that you are using for SSH in the profile - DES or 3DES?

With regards
Kings

On Mon, Nov 30, 2009 at 6:04 PM, Stuart Hare <[email protected]> wrote:

Kings,

Yes, the IPS will try and apply the block or rate limit to all the blocking devices it manages. I have only really seen an issue like this when blocking to both IOS and ASA devices. Double check that all the devices can be managed by the IPS, and that your blocking device profiles are correct.

Stu

2009/11/30 Kingsley Charles <[email protected]>

Hi Stuart

I am just trying to trigger a request block host and rate limit. The request block host is working and I see that the sensor is configuring ACLs on the router (blocking device). If there are four blocking devices (routers) defined in the list, will the ACL be configured by the sensor on all four devices' interfaces when the signature is triggered?

With regards
Kings

On Mon, Nov 30, 2009 at 1:48 PM, Stuart Hare <[email protected]> wrote:

Kings,

Do you have a specific issue? If so, can you explain further? Generally, if you are having trouble with this it's always a good idea to check the logs of the blocking device itself; it's more likely to give you more info as to whether the IPS can log in or why the block was failing. If you are doing requests to both ASA and IOS devices using the sensor, you typically will need to ignore the alerts for the ASA when an IOS event is triggered, as it will only support the block host / shun requests, hence the possible failures. It would be good to suppress these but I never managed to find a way.

Stu

2009/11/30 Kingsley Charles <[email protected]>

Hi Stuart

That's true, same here. I am not able to verify the functionality of request host block/rate limit because I always see login failure issues. I succeeded just once or twice.

With regards
Kings

On Mon, Nov 30, 2009 at 12:03 PM, Stuart Hare <[email protected]> wrote:

Kings

I found this a little frustrating myself, especially considering that when you have an ASA as a blocking device you get a lot of failure messages in the log due to certain methods being unsupported. Unfortunately I couldn't find a way to bypass this for certain devices. Not sure whether this has changed in the latest code though.

Stu

Sent from my iPhone

On 30 Nov 2009, at 05:57, Kingsley Charles <[email protected]> wrote:

Hi all

We can configure the sensor to "Request block host" and "Request Rate limit." If these actions are configured for the signatures and the signatures are triggered, the request is sent to the routers/switches that are present in the blocking devices list. My understanding is that the request is sent to all the devices in the blocking device list. In that case, the block request or rate limit request will also be sent to devices that are not relevant to the attack. Is there any way we can tie the blocking request or rate limit request triggered by a signature to specific hosts or a subset of hosts in the blocking device list defined in the sensor?

With regards
Kingsley Charles

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com <http://www.ipexpert.com/>
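Tyson's reply at the top of the thread explains why Kings found no policy-map or service-policy on the router: the sensor applies the legacy CAR form, a rate-limit statement with an access list directly under the interface. The snippet below is an added illustration of what that legacy form looks like and where to look for it on the IOS blocking device; it is not taken from a sensor or from anyone in the thread. The interface name, access list number, host address and rate values are placeholders chosen for this example.

```ios
! Added example, not output captured from an IPS sensor.
! Interface, ACL number, host address and rates are placeholders.
!
! Access list that matches the traffic to be rate limited
access-list 199 permit ip host 192.0.2.10 any
!
! Legacy CAR: the rate limit lives under the interface, not in a policy-map
interface GigabitEthernet0/0
 rate-limit input access-group 199 64000 8000 8000 conform-action transmit exceed-action drop
!
! Where to verify it on the router:
!   show running-config interface GigabitEthernet0/0
!   show interfaces GigabitEthernet0/0 rate-limit
!   show access-lists 199
! The MQC form (class-map / policy-map / service-policy) is not what to look for here.
```

The "show interfaces ... rate-limit" output is the quickest confirmation: it lists each CAR statement on the interface with its matched, conformed and exceeded counters, so an applied limit that is never hit is visible as a line with zero exceeded packets rather than as an absent policy.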
