Cisco WS-SUP32-GE-3B - Supervisor Engine 32 Software Configuration Manual page 469

Software configuration guide
Chapter 33
Configuring Denial of Service Protection
Ingress-Egress ACL Bridged Packets (Unicast Only)
This rate limiter limits the rate of packets sent to the PISA because of an ingress/egress ACL bridge result. The
switch accomplishes this by altering existing and new ACL TCAM entries that carry a TCAM bridge result
so that they carry a Layer 3 redirect result pointing to the PISA. Packets hitting the TCAM entries with the altered
Layer 3 redirect rate-limit result are rate limited at the rate the network administrator configures in the CLI.
Both the ingress and egress values are the same, because they share the same
rate-limiter register. If ACL bridge ingress/egress rate limiting is disabled, the Layer 3 redirect rate-limit
results are converted back to the bridge result.
Ingress or egress ACL-bridged packet cases share a single rate-limiter register. If the feature is turned
on, ingress and egress ACLs use the same rate-limiter value.
Burst values regulate how many packets can be allowed in a burst. Each allowed packet consumes a token
and a token must be available for a packet to be allowed. One token is generated per millisecond. When
packets are not coming in, tokens can be accumulated up to the burst value. For example, if the burst
value is set to 50, the switch can accumulate up to 50 tokens and absorb a burst of 50 packets.
This example shows how to rate limit the unicast packets from an ingress ACL bridge result to 50000
packets per second, and 50 packets in burst:
Router(config)# mls rate-limit unicast acl input 50000 50
This example shows how to rate limit the unicast packets from an ingress ACL bridge result to the same
rate (50000 pps and 50 packets in burst) for egress ACL bridge results:
Router(config)# mls rate-limit unicast acl output 50000 50
If the values of the rate limiter are altered on either the ingress or the egress when both are enabled, both
values are changed to that new value. In the following example, the output rate is changed to 40000 pps:
Router(config)# mls rate-limit unicast acl output 40000 50
When you enter the show mls rate-limit command, both the ACL bridged in and the ACL bridged out
display the new value of 40000 pps:
Router# show mls rate-limit
Rate Limiter Type       Status    Packets/s   Burst
---------------------   ------    ---------   -----
MCAST NON RPF           Off       -           -
MCAST DFLT ADJ          On        100000      100
MCAST DIRECT CON        Off       -           -
ACL BRIDGED IN          On        40000       50
ACL BRIDGED OUT         On        40000       50
IP FEATURES             Off
...
uRPF Check Failure
The uRPF check failure rate limiter allows you to configure a rate for the packets that need to be sent to
the PISA because they failed the uRPF check. The uRPF checks validate that incoming packets on an
interface are from a valid source, which minimizes the potential threat of DoS attacks from users using
spoofed addresses. When spoofed packets fail the uRPF check, those failures can be sent to the PISA.
The uRPF check rate limiters allow you to rate limit the packets per second that are bridged to the PISA
CPU when a uRPF check failure occurs.
This example shows how to rate limit the uRPF check failure packets sent to the PISA to 100000 pps
with a burst of 100 packets:
Router(config)# mls rate-limit unicast ip rpf-failure 100000 100
Catalyst Supervisor Engine 32 PISA Cisco IOS Software Configuration Guide, Release 12.2ZY
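The two limiters above (ACL bridged in/out and uRPF check failure) both follow the same token-bucket rule: the burst value is the bucket size, every forwarded packet consumes one token, and tokens accumulate while the line is idle. The following Python model is an added illustration, not Cisco code and not taken from this guide; it assumes that the bucket refills at the configured packets-per-second rate spread evenly per millisecond, and it also parses a constructed copy of the show mls rate-limit output shown above so that a defender can check that ACL BRIDGED IN and ACL BRIDGED OUT really report the same value (they share one register) and list which limiters are still Off.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class TokenBucket:
    """Token-bucket rate limiter in the terms the guide uses.

    burst    = bucket capacity in tokens (max packets absorbed in one burst)
    rate_pps = packets per second; assumption: tokens are refilled at
               rate_pps / 1000 per millisecond, capped at `burst`.
    """
    rate_pps: int
    burst: int

    def __post_init__(self) -> None:
        # An idle line has already accumulated a full burst worth of tokens.
        self.tokens = float(self.burst)
        self.last_ms = 0

    def allow(self, now_ms: int) -> bool:
        """Return True if a packet arriving at now_ms is forwarded, False if dropped."""
        elapsed = max(0, now_ms - self.last_ms)
        self.last_ms = now_ms
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate_pps / 1000.0)
        if self.tokens >= 1.0:
            self.tokens -= 1.0  # each allowed packet consumes one token
            return True
        return False


def simulate(rate_pps: int, burst: int, arrival_ms: List[int]) -> Tuple[int, int]:
    """Run a list of packet arrival times (ms, non-decreasing) through the bucket.

    Returns (allowed, dropped)."""
    bucket = TokenBucket(rate_pps, burst)
    allowed = sum(1 for t in arrival_ms if bucket.allow(t))
    return allowed, len(arrival_ms) - allowed


# Constructed sample modelled on the show mls rate-limit output in the text
# (the IP FEATURES dashes are filled in here for the example).
SAMPLE_SHOW_OUTPUT = """\
Router# show mls rate-limit
Rate Limiter Type       Status    Packets/s   Burst
---------------------   ------    ---------   -----
MCAST NON RPF           Off       -           -
MCAST DFLT ADJ          On        100000      100
MCAST DIRECT CON        Off       -           -
ACL BRIDGED IN          On        40000       50
ACL BRIDGED OUT         On        40000       50
IP FEATURES             Off       -           -
"""

# One table row: upper-case limiter name, two or more spaces, Status, Packets/s, Burst.
ROW_RE = re.compile(
    r"^(?P<name>[A-Z][A-Z0-9 ]*?)\s{2,}(?P<status>On|Off)\s+(?P<pps>\S+)\s+(?P<burst>\S+)\s*$"
)

Row = Tuple[str, Optional[int], Optional[int]]  # (status, pps, burst); "-" becomes None


def _num(field: str) -> Optional[int]:
    return None if field == "-" else int(field)


def parse_show_mls_rate_limit(text: str) -> Dict[str, Row]:
    """Parse the limiter table into {name: (status, pps, burst)}."""
    rows: Dict[str, Row] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[m["name"].strip()] = (m["status"], _num(m["pps"]), _num(m["burst"]))
    return rows


def acl_bridged_values_match(rows: Dict[str, Row]) -> bool:
    """The ingress and egress ACL-bridged limiters share one register, so a
    consistent device shows identical status, rate and burst for both rows."""
    return "ACL BRIDGED IN" in rows and rows.get("ACL BRIDGED IN") == rows.get("ACL BRIDGED OUT")


def disabled_limiters(rows: Dict[str, Row]) -> List[str]:
    """Names of limiters whose Status is Off, sorted for stable output."""
    return sorted(name for name, (status, _, _) in rows.items() if status == "Off")


if __name__ == "__main__":
    # 60 packets arriving in the same millisecond against a burst of 50.
    print("burst 50, 60 packets at t=0:", simulate(50000, 50, [0] * 60))
    rows = parse_show_mls_rate_limit(SAMPLE_SHOW_OUTPUT)
    print("ACL bridged in/out consistent:", acl_bridged_values_match(rows))
    print("limiters still Off:", disabled_limiters(rows))
```

Running the file shows that a burst of 50 absorbs exactly 50 of 60 back-to-back packets and drops the rest, while the parsed table confirms the shared-register behaviour the text describes (both ACL bridged rows at 40000 pps / burst 50) and flags the limiters that are still Off, which is the first thing to review when hardening the control plane on this platform.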