Cisco WS-SUP32-GE-3B - Supervisor Engine 32 Software Configuration Manual page 468

Software configuration guide

Understanding How DoS Protection Works

Recommended Rate-Limiter Configuration

The recommended rate-limiter configuration is as follows:

• Enable the rate limiters for the traffic types most likely to be used in a DoS attack.
• Do not use a rate limiter on VACL logging unless you configure VACL logging.
• Disable redirects because a platform that supports hardware forwarding, such as the Catalyst 6500 series switch, reduces the need for redirects.
• Disable unreachables because a platform that supports hardware unreachables, such as the Catalyst 6500 series switch, reduces the need for unreachables.
• Do not enable the MTU rate limiter if all interfaces have the same MTU.
• When configuring the Layer 2 PDU rate limiter, note the following information:
  – Calculate the expected or possible number of valid PDUs and double or triple that number.
  – PDUs include BPDUs, DTP, VTP, PAgP, LACP, UDLD, etc.
  – Rate limiters do not discriminate between good frames and bad frames.

Hardware-Based Rate Limiters on the PFC3B

The PFC3B supports additional hardware-based rate limiters. The PFC3B provides eight rate-limiter registers for the new rate limiters, which are configured globally on the switch. These rate-limiter registers are present in the Layer 3 forwarding engine (PFC3B) and hold the rate-limiting information for result packets that match the various configured rate limiters.

Because only eight rate-limiter registers are present on the PFC3B, different rate-limiting scenarios can be forced to share the same register. The registers are assigned on a first-come, first-served basis. If all registers are in use, the only way to configure another rate limiter is to free one register.

The hardware-based rate limiters available on the PFC3B are as follows:

• Ingress and egress ACL bridged packets
• uRPF check failures
• FIB receive cases
• FIB glean cases
• Layer 3 security features
• ICMP redirects
• ICMP unreachable (ACL drop)
• No-route (FIB miss)
• VACL log
• TTL failure
• MTU failure
• Multicast IPv4
• Multicast IPv6

Catalyst Supervisor Engine 32 PISA Cisco IOS Software Configuration Guide, Release 12.2ZY
Chapter 33 Configuring Denial of Service Protection
OL-11439-03
33-6
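The following Cisco IOS configuration is an added example, not text from this guide, that applies the recommendations above to the PFC3B hardware rate limiters listed on this page: it enables limiters for the CPU-bound traffic types most often abused in a DoS (FIB receive, FIB glean, uRPF failures, TTL failures, Layer 2 PDUs), leaves the VACL-log and MTU-failure limiters unconfigured, and turns off ICMP redirects and unreachables on the Layer 3 interfaces instead of rate-limiting them. The mls rate-limit command family and show mls rate-limit exist on Catalyst 6500 PFC3-class supervisors; the packets-per-second and burst values, the VLAN 10 interface, and the PDU count are assumed example figures and must be sized for the actual network (the page's own guidance for the PDU limiter is to double or triple the expected valid PDU count).

```text
! Global hardware rate limiters on the PFC3B (example values, assumed)
! Each enabled limiter consumes one of the eight rate-limiter registers.
mls rate-limit unicast cef receive 2000 20
mls rate-limit unicast cef glean 200 20
mls rate-limit unicast ip rpf-failure 100 10
mls rate-limit all ttl-failure 100 10
! Example: ~300 valid PDUs/s expected (assumed), tripled per the guide's advice
mls rate-limit layer2 pdu 1000 10
!
! Deliberately NOT configured on this switch:
!   mls rate-limit unicast acl vacl-log  (no VACL logging is configured)
!   mls rate-limit all mtu-failure       (all interfaces share one MTU)
!
! Redirects and unreachables are disabled per interface instead of rate-limited,
! so the ICMP redirect / unreachable limiters are left unused and free a register.
interface Vlan10
 no ip redirects
 no ip unreachables
!
! Verify which limiters are on and how the registers are allocated
show mls rate-limit
```

After applying the configuration, show mls rate-limit lists each limiter with its state and rate; a limiter that cannot be enabled because all eight registers are already allocated is the situation the page describes, and the remedy is to remove a lower-value limiter (for example one covering a traffic type the switch never sees) to free its register.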
