Cisco WS-SUP32-GE-3B - Supervisor Engine 32 Software Configuration Manual page 471

Software configuration guide
Chapter 33
Configuring Denial of Service Protection
PISA, but no ARP entry exists for that destination host. In this case, the MAC address of the
destination host is unknown and no host on the directly connected subnet has yet answered for it, so the
"glean" adjacency is hit and the traffic is sent directly to the PISA for ARP resolution. This rate limiter
limits the possibility of an attacker overloading the CPU with such ARP requests.
This example shows how to limit the rate at which this traffic is sent to the PISA to 20000 pps with
a burst of 60:
Router(config)# mls rate-limit unicast cef glean 20000 60
Layer 3 Security Features (Unicast Only)
Some security features are processed by first being sent to the PISA. For these security features, you
need to rate limit the number of these packets being sent to the PISA to reduce any potential overloading.
The security features include authentication proxy (auth-proxy), IPsec, and inspection.
Authentication proxy is used to authenticate inbound or outbound users or both. These users are
normally blocked by an access list, but with auth-proxy, the users can bring up a browser to go through
the firewall and authenticate on a terminal access controller access control system plus (TACACS+) or
RADIUS server (based on the IP address). The server passes additional access list entries down to the
switch to allow the users through after authentication. These ACLs are stored and processed in software,
and if there are many users utilizing auth-proxy, the PISA may be overwhelmed. Rate limiting would be
advantageous in this situation.
IPsec and inspection are also done by the PISA and may require rate limiting. When the Layer 3 security
feature rate limiter is enabled, all Layer 3 rate limiters for auth-proxy, IPsec and inspection are enabled
at the same rate.
This example shows how to rate limit the security features to the PISA to 100000 pps with a burst of 10
packets:
Router(config)# mls rate-limit unicast ip features 100000 10
ICMP Redirect (Unicast Only)
The ICMP-redirect rate limiter allows you to rate limit ICMP traffic. For example, when a host sends
packets through a nonoptimal switch, the PISA sends ICMP-redirect messages to the host to correct its
sending path. If this traffic occurs continuously, and is not rate limited, the PISA will continuously
generate ICMP-redirect messages.
This example shows how to rate limit the ICMP redirects to 20000 pps, with a burst of 20 packets:
Router(config)# mls rate-limit unicast ip icmp redirect 20000 20
VACL Log (Unicast Only)
Packets that are sent to the PISA because of VLAN-ACL logging can be rate limited to ensure that the
CPU is not overwhelmed with logging tasks. VACLs are processed in hardware, but the PISA does the
logging. When VACL logging is configured on the switch, IP packets that are denied in the VACL
generate log messages.
This example shows how to rate limit logging requests to 5000 pps (the range for this rate limiter is from
10 to 5000 pps):
Router(config)# mls rate-limit unicast acl vacl-log 5000
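The four unicast-only rate limiters described above are easy to leave out of a switch build, and a value outside the documented range is rejected by the CLI only at the moment it is typed, not by anything that re-checks a saved configuration. The following is an added example, not Cisco code or any tool from this guide: a small Python audit that parses the mls rate-limit lines out of a running-config excerpt, reports any of the four limiters that are missing, and flags a vacl-log rate outside the 10 to 5000 pps range stated on this page. The config excerpt and the hostname are constructed for the example; the only numeric range checked is the one the page documents, since the ranges of the other limiters are not given here.

```python
import re

# Constructed running-config excerpt (not captured from a real device); the hostname is hypothetical.
SAMPLE_CONFIG = """\
hostname edge-sw1
!
mls rate-limit unicast cef glean 20000 60
mls rate-limit unicast ip features 100000 10
mls rate-limit unicast ip icmp redirect 20000 20
mls rate-limit unicast acl vacl-log 5000
!
end
"""

# The unicast-only rate limiters discussed on this page, keyed by their CLI keywords.
EXPECTED_LIMITERS = {
    "cef glean": "CEF glean (ARP resolution sent to the PISA)",
    "ip features": "Layer 3 security features (auth-proxy, IPsec, inspection)",
    "ip icmp redirect": "ICMP redirect generation",
    "acl vacl-log": "VACL logging",
}

# Only the range the page states: vacl-log accepts 10 to 5000 pps.
DOCUMENTED_RANGES = {"acl vacl-log": (10, 5000)}

# Matches "mls rate-limit unicast <limiter keywords> <pps> [<burst>]".
LINE_RE = re.compile(
    r"^\s*mls rate-limit unicast (?P<limiter>[a-z\- ]+?)\s+(?P<pps>\d+)(?:\s+(?P<burst>\d+))?\s*$"
)


def parse_rate_limiters(config_text):
    """Return {limiter keywords: (pps, burst or None)} for every unicast mls rate-limit line."""
    found = {}
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            burst = int(m.group("burst")) if m.group("burst") else None
            found[m.group("limiter")] = (int(m.group("pps")), burst)
    return found


def audit_rate_limiters(config_text):
    """Return a list of findings: limiters that are absent, and rates outside a documented range."""
    found = parse_rate_limiters(config_text)
    findings = []
    for key, desc in EXPECTED_LIMITERS.items():
        if key not in found:
            findings.append(f"MISSING: {desc} ('mls rate-limit unicast {key} ...' not configured)")
            continue
        pps, _burst = found[key]
        lo, hi = DOCUMENTED_RANGES.get(key, (None, None))
        if lo is not None and not lo <= pps <= hi:
            findings.append(f"OUT OF RANGE: {key} set to {pps} pps; documented range is {lo}-{hi} pps")
    return findings


if __name__ == "__main__":
    # Print the parsed limiters, then any findings, for the constructed excerpt.
    for limiter, (pps, burst) in parse_rate_limiters(SAMPLE_CONFIG).items():
        print(f"{limiter:20s} {pps:>7d} pps  burst={burst}")
    for finding in audit_rate_limiters(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

To run it against a real device, replace SAMPLE_CONFIG with the text of the saved configuration; the audit only reads configuration lines and makes no changes.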
OL-11439-03
Catalyst Supervisor Engine 32 PISA Cisco IOS Software Configuration Guide, Release 12.2ZY
Understanding How DoS Protection Works
33-9