I think both methods will do, only that the last one with the "rate-limit" is a legacy method.
On 11/28/11, Derek <[email protected]> wrote:
> If I want to control icmp traffic inbound (Smurf attack) based on some
> bandwidth X and normal burst Y max burst Z....which technology is best
> suited? I feel both will suffice but CAR was not originally built for DoS
> protection based on Yusuf's Network Security Book...anyone have thoughts on
> this?
>
> ip access-list extended smurf
>  permit icmp any any echo-reply (target traffic)
>  permit icmp any any echo (reflector traffic)
>
> class-map smurf
>  match access-group name smurf
>
> policy-map smurf
>  class smurf
>   police x y z conform-action transmit exceed-action drop violate-action drop
>
> interface f0/1
>  service-policy input smurf
>
> OR
>
> interface f0/x
>  rate-limit input access-group smurf x y z conform-action transmit exceed-action drop
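
To show how the conform/exceed/violate split in the policy-map above plays out, here is an added example that is not part of the original thread: a generic single-rate three-color marker (RFC 2697) run over constructed ICMP traffic. It is not IOS's own policer implementation, and treating x, y and z as the committed rate, committed burst and excess burst is an assumption, as are the sample values.

```python
from collections import Counter

class SrTcmPolicer:
    """Color-blind single-rate three-color marker per RFC 2697 (generic model)."""

    def __init__(self, cir_bps, cbs_bytes, ebs_bytes):
        self.cir, self.cbs, self.ebs = cir_bps, cbs_bytes, ebs_bytes
        self.tc, self.te = float(cbs_bytes), float(ebs_bytes)  # both buckets start full
        self.last_ms = 0

    def _refill(self, now_ms):
        # Bytes of credit earned since the previous packet (bits/s -> bytes/ms).
        tokens = (now_ms - self.last_ms) * self.cir / 8000.0
        self.last_ms = now_ms
        room = self.cbs - self.tc
        self.tc += min(tokens, room)
        # Only credit that overflows the committed bucket reaches the excess bucket.
        self.te = min(self.ebs, self.te + max(0.0, tokens - room))

    def classify(self, now_ms, size):
        self._refill(now_ms)
        if self.tc >= size:
            self.tc -= size
            return "conform"
        if self.te >= size:
            self.te -= size
            return "exceed"
        return "violate"

# Actions taken from the policy-map in the post.
ACTIONS = {"conform": "transmit", "exceed": "drop", "violate": "drop"}

def constructed_traffic():
    """Constructed sample: 100-byte ICMP packets, 5 pps baseline, then a 1000 pps burst."""
    baseline = [(t, 100) for t in range(0, 1000, 200)]
    burst = [(1000 + k, 100) for k in range(100)]
    return baseline + burst

def simulate(policer, packets):
    colors, verdicts = Counter(), Counter()
    for now_ms, size in packets:
        color = policer.classify(now_ms, size)
        colors[color] += 1
        verdicts[ACTIONS[color]] += 1
    return colors, verdicts

if __name__ == "__main__":
    # Assumed values: 8000 bit/s, 1500-byte committed burst, 1000-byte excess burst.
    print(simulate(SrTcmPolicer(8000, 1500, 1000), constructed_traffic()))
```

Because exceed and violate both drop here, the excess bucket changes only how dropped packets are counted in this model; the number transmitted depends on the rate and the committed burst alone.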
