Description

Fast packet drop can be used in situations, such as when under DoS attack, to drop unwanted packets as early as possible in the packet processing path. This makes the gateway’s resources available to process legitimate traffic. The Rule Base is in a configuration file that defines which packets should be dropped.

Syntax

sim dropcfg < -l|-f <file>|-r|-y|-h>

Configuration

1. Create the Rule Base configuration file (see details below)
2. Copy the configuration file to all SGMs. Run from gclish:
   
3. Apply Fast packet drop. Run:
   sim dropcfg –f <configuration file>

The Rule Base configuration is specified using the –f CLI option. It contains drop rules, and each line should contain a single rule.

Each rule line must contain one or more of the following parameters:

Notes

If subnet is not specified, a single IP address is used.

Use '*' to specify 'Any'. It is the same as not specifying the parameter.

Use '#' at the beginning of the line to add comments.

Empty lines are ignored.

Examples

Example configuration file:

src 1.1.1.1

dport 80 proto 6

src 1.1.1.0/24 dst 2.2.0.0/16 dport 53 proto 17

Verification

To make sure fast packet drop rules are being enforced, run the command:

sim dropcfg –l

The output shows list of active drop rules:

Drop rules (Match after conn lookup):

Source             Destination        DPort PR

------------------ ------------------ ----- ---

        1.1.1.1/32                  *     *   *

                 *                  *    80   6

        1.1.1.0/24         2.2.0.0/16    53  17