Cisco WS-SUP32-GE-3B - Supervisor Engine 32 Software Configuration Manual page 473

Software configuration guide

Chapter 33
Configuring Denial of Service Protection
IP Errors
This rate limiter limits the packets with IP checksum and length errors. When a packet reaches the
PFC3B with an IP checksum error or a length inconsistency error, it must be sent to the PISA for further
processing. An attacker might use the malformed packets to carry out a DoS attack, but the network
administrator can configure a rate for these types of packets to protect the control path.
This example shows how to rate limit IP errors sent to the PISA to 1000 pps with a burst of 20 packets:
Router(config)# mls rate-limit unicast ip errors 1000 20
IPv4 Multicast
This rate limiter limits the IPv4 multicast packets. The rate limiters can rate limit the packets that are
sent from the data path in the hardware up to the data path in the software. The rate limiters protect the
control path in the software from congestion and drop the traffic that exceeds the configured rate. Within
the IPv4 multicast rate limiter, there are three rate limiters that you can also configure: the FIB-miss rate
limiter, the multicast partially switched flows rate limiter, and the multicast directly connected rate
limiter.
The FIB-miss rate limiter allows you to rate limit the multicast traffic that does not match an entry in the
mroute table.
The partially switched flow rate limiter allows you to rate limit the flows destined to the PISA for
forwarding and replication. For a given multicast traffic flow, if at least one outgoing Layer 3 interface
is multilayer switched, and at least one outgoing interface is not multilayer switched (no H-bit set for
hardware switching), the particular flow is considered partially switched, or partial-SC (partial shortcut).
The outgoing interfaces that have the H-bit flag are switched in hardware and the remaining traffic is
switched in software through the PISA. For this reason, it may be desirable to rate limit the flow destined
to the PISA for forwarding and replication, which might otherwise increase CPU utilization.
The multicast directly connected rate limiter limits the multicast packets from directly connected
sources.
This example shows how to rate limit the multicast packets to 30000 pps with a burst of 30:
Router(config)# mls rate-limit multicast ipv4 connected 30000 30
This example shows how to set the rate limiters for the IPv4 multicast packets failing the uRPF check:
Router(config)# mls rate-limit multicast ipv4 non-rpf 100
This example shows how to rate limit the multicast FIB miss packets to 10000 pps with a burst of 10:
Router(config)# mls rate-limit multicast ipv4 fib-miss 10000 10
This example shows how to rate limit the partial shortcut flows to 20000 pps with a burst of 20 packets:
Router(config)# mls rate-limit multicast ipv4 partial 20000 20
This example shows how to rate limit the multicast packets to 30000 pps with a burst of 20:
Router(config)# mls rate-limit multicast ipv4 connected 30000 20
This example shows how to rate limit IGMP-snooping traffic:
Router(config)# mls rate-limit multicast ipv4 igmp 20000 40
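The following audit script is an added example, not part of the Cisco guide: it checks a saved configuration for the IP-errors and IPv4 multicast rate limiters described above and reports any that are missing or set above a chosen ceiling. It assumes the configuration text contains the commands in the form shown on this page; the max_pps ceiling and the sample configuration are hypothetical.

```python
import re

# Limiters described on this page, keyed by the words that follow "mls rate-limit".
PAGE_LIMITERS = [
    "unicast ip errors",
    "multicast ipv4 connected",
    "multicast ipv4 non-rpf",
    "multicast ipv4 fib-miss",
    "multicast ipv4 partial",
    "multicast ipv4 igmp",
]

# "mls rate-limit <name words> <pps> [<burst>]"; burst is optional because the
# page's non-rpf example gives only a rate.
LINE_RE = re.compile(
    r"^\s*mls rate-limit\s+(?P<name>[a-z0-9\- ]+?)\s+(?P<pps>\d+)(?:\s+(?P<burst>\d+))?\s*$"
)

def parse_rate_limiters(config_text):
    """Return {limiter name: (pps, burst or None)}; a later line overrides an earlier one."""
    found = {}
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            burst = int(m.group("burst")) if m.group("burst") else None
            found[m.group("name")] = (int(m.group("pps")), burst)
    return found

def audit(config_text, max_pps):
    """List the page's limiters that are missing or set above a site-chosen pps ceiling."""
    found = parse_rate_limiters(config_text)
    missing = [n for n in PAGE_LIMITERS if n not in found]
    too_high = {n: found[n][0] for n in PAGE_LIMITERS if n in found and found[n][0] > max_pps}
    return missing, too_high

# Constructed sample configuration (not captured from a real device).
SAMPLE_CONFIG = """\
hostname Router
mls rate-limit unicast ip errors 1000 20
mls rate-limit multicast ipv4 non-rpf 100
mls rate-limit multicast ipv4 fib-miss 10000 10
mls rate-limit multicast ipv4 connected 30000 20
"""

if __name__ == "__main__":
    missing, too_high = audit(SAMPLE_CONFIG, max_pps=20000)
    print("not configured:", missing)
    print("above ceiling:", too_high)
```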
IPv6 Multicast
This rate limiter limits the IPv6 multicast packets. Table 33-1 lists the IPv6 rate limiters and the class of
traffic that each rate limiter serves.
Understanding How DoS Protection Works
Catalyst Supervisor Engine 32 PISA Cisco IOS Software Configuration Guide, Release 12.2ZY
OL-11439-03
33-11
