In this section:
Use this feature to reset designated offender lists as described below.
This command is executable from both the System-level and Configure modes.
% request system ipPolicing resetOffendersList name <aclOffendersList | aggregateOffendersList | arpOffendersList | badEtherIpHdrOffendersList | discardRuleOffendersList | ipSecDecryptOffendersList | mediaOffendersList | rogueMediaOffendersList | srtpDecryptOffendersList | uFlowOffendersList>
ACL Offenders List – The Access Control List policer offenders list.
Aggregate Offenders List – The aggregate policer offenders list.
ARP Offenders List – The ARP policer offenders list.
Bad Ethernet IP Header Offenders List – The bad Ethernet/IP Header policer offenders list. Ethernet/IP headers are considered bad under the following conditions:
Only broadcast ARP packets are allowed; all other broadcast packets are considered bad.
Anything other than the following unicast/multicast ICMPV6 packets are considered bad.
Anything other than the following unicast ICMPV4 packets are considered bad:
Type 0 Echo Reply
Type 3 Code 4 (Destination unreachable, fragmentation required)
Type 8 Echo Request
Type 11 Code 0 (Time Exceeded, TTL expired)
Only ICMPV6 neighbor discovery packets are allowed under multicast MAC address. Anything else is considered bad.
If DestMAC is zero, it is considered a bad packet.
Anything other than ethertype (IPV4, IPV6, VLAN) is considered bad.
IP Checksum error is considered bad.
IP version other than 4 or 6 is considered bad.
Bad IP Header length
Packet that is not long enough to contain IP header.
TTL == 0 is considered bad.
IPV4 with options set is considered bad.
IPV6 with initial next header field of 0, 60, or 43 is considered bad.
Discard Rule Offenders List – The table of statistics for the discard rule offenders list. For example: ACLi discard rule packets.
IPsec Decrypt Offenders List – The table of statistics for the IPsec Decrypt policer offenders list. For example:
Bad IPsec packet
Authentication error
Invalid SSID
IPsec protocol == AH
Media Offenders List – The table of statistics for the media policer offenders list. For example: Media packets exceeding the policing value.
Rogue Media Offenders List – The table of statistics for the rogue media policer offenders list. For example:
srtpDecryptOffendersList – The table of statistic for SRTP decrypt offenders list. This contains SRTP packets which failed authentication or were flagged as replay packets. This could indicate malicious media packet attacks or it can be used to troubleshoot "no audio" calls using SRTP.
uFlow Offenders List – The table of statistics for the micro flow policer offenders list. For example: Microflow packet exceeding the policing rate.
Contrasting the Rogue Media Offenders List and the Media Offenders List:
Entries in the Media Offenders List are for allocated media packets that violate the policing rules. The associated call is sending too many media packets. This could indicate a possible “Theft of Service” scenario. Entries in the Rogue Media Offenders List are media packets that the SBC is receiving but no resource is allocated for the packet. This may be a Denial of Service attack or indication that a call was terminated but the other end is still sending media packets.
> show table system ipPolicing aclOffendersList INTERFACE SOURCE ADDRESS GROUP INTERFACE SOURCE IP DESTINATION IP DESTINATION IP DISCARD ROLE INDEX CONTEXT NAME NAME ADDRESS IP ADDRESS PORT IP PORT PROTOCOL COUNT ------------------------------------------------------------------------------------------------------------------ active 1 default mgt1 10.10.10.10 10.22.22.22 123 1024 17 1 [ok][2013-07-19 16:52:29] > request system ipPolicing resetOffendersList name aclOffendersList result success reason [ok][2013-07-19 16:53:38] > show table system ipPolicing aclOffendersList INTERFACE SOURCE SOURCE ADDRESS GROUP INTERFACE IP DESTINATION IP DESTINATION IP DISCARD ROLE INDEX CONTEXT NAME NAME ADDRESS IP ADDRESS PORT IP PORT PROTOCOL COUNT ---------------------------------------------------------------------------------------------------------- [ok][2013-07-19 16:53:51]