Cisco WS-SUP32-GE-3B - Supervisor Engine 32 Software Configuration Manual page 472

Software configuration guide

Understanding How DoS Protection Works
MTU Failure
Similar to the TTL failure rate limiter, the rate limiter for MTU failures is supported for both unicast and
multicast traffic. Packets that fail an MTU check are sent to the PISA CPU. This might cause the PISA
to be overwhelmed.
This example shows how to rate limit packets that fail the MTU check and are sent to the PISA to
10000 pps with a burst of 10:
Router(config)# mls rate-limit all mtu 10000 10
Layer 2 Multicast IGMP Snooping
The IGMP snooping rate limiter limits the number of Layer 2 IGMP packets destined for the supervisor
engine. IGMP snooping listens to IGMP messages between the hosts and the supervisor engine. You
cannot enable the Layer 2 PDU rate limiter if the Catalyst 6500 series switch is operating in truncated
mode. The switch uses truncated mode for traffic between fabric-enabled modules when there are both
fabric-enabled and nonfabric-enabled modules installed. In this mode, the switch sends a truncated
version of the traffic (the first 64 bytes of the frame) over the switch fabric channel.
This example shows how to rate limit IGMP-snooping traffic:
Router(config)# mls rate-limit multicast ipv4 igmp 20000 40
Layer 2 PDU
The Layer 2 protocol data unit (PDU) rate limiter allows you to limit the number of Layer 2 PDU
protocol packets (including BPDUs, DTP, PAgP, CDP, STP, and VTP packets) destined for the supervisor
engine and not the PISA CPU. You cannot enable the Layer 2 PDU rate limiter if the Catalyst 6500 series
switch is operating in truncated mode. The switch uses truncated mode for traffic between fabric-enabled
modules when there are both fabric-enabled and nonfabric-enabled modules installed. In this mode, the
switch sends a truncated version of the traffic (the first 64 bytes of the frame) over the switch fabric
channel.
This example shows how to rate limit Layer 2 PDUs to 20000 pps with a burst of 20 packets:
Router(config)# mls rate-limit layer2 pdu 20000 20
Layer 2 Protocol Tunneling
This rate limiter limits the Layer 2 protocol tunneling packets, which include control PDUs, CDP, STP,
and VTP packets destined for the supervisor engine. These packets are encapsulated in software
(rewriting the destination MAC address in the PDU), and then forwarded to a proprietary multicast
address (01-00-0c-cd-cd-d0). You cannot enable the Layer 2 PDU rate limiter if the Catalyst 6500 series
switch is operating in truncated mode. The switch uses truncated mode for traffic between fabric-enabled
modules when there are both fabric-enabled and nonfabric-enabled modules installed. In this mode, the
switch sends a truncated version of the traffic (the first 64 bytes of the frame) over the switch fabric
channel.
This example shows how to rate limit Layer 2 protocol tunneling packets to 10000 pps with a burst of
10 packets:
Router(config)# mls rate-limit layer2 l2pt 10000 10
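The following Python check is an added example, not part of the Cisco manual. It reads configuration text, reports which of the four rate limiters described in this section are absent, and flags a Layer 2 PDU limiter configured on a switch that is in truncated mode. The sample configuration is constructed, and the truncated_mode flag (supplied by the operator) and the prefix matching of keywords are assumptions of this example.

```python
# Added example: audit config text for the rate limiters in this section.
# Sample config below is constructed; truncated_mode is supplied by the operator.

LIMITERS = {  # keywords after "mls rate-limit", as typed in the examples above
    "all mtu": "MTU failure",
    "multicast ipv4 igmp": "Layer 2 IGMP snooping",
    "layer2 pdu": "Layer 2 PDU",
    "layer2 l2pt": "Layer 2 protocol tunneling",
}

SAMPLE_CONFIG = """\
hostname Router
mls rate-limit all mtu 10000 10
mls rate-limit multicast ipv4 igmp 20000 40
mls rate-limit layer2 l2pt 10000 10
"""

def parse_rate_limits(config_text):
    """Return {limiter keywords: (pps, burst)}; burst is None if not given."""
    found = {}
    for line in config_text.splitlines():
        tok = line.split()
        if tok[:2] != ["mls", "rate-limit"]:
            continue
        nums = []  # trailing numeric arguments: pps, then optional burst
        while tok and tok[-1].isdigit() and len(nums) < 2:
            nums.insert(0, int(tok.pop()))
        words = tok[2:]
        for key in LIMITERS:
            want = key.split()
            # Prefix match, so a longer spelling of a keyword still counts (assumption).
            if nums and len(words) == len(want) and all(
                    w.startswith(k) for w, k in zip(words, want)):
                found[key] = (nums[0], nums[1] if len(nums) > 1 else None)
    return found

def audit(config_text, truncated_mode=False):
    """List limiters that are missing, or that conflict with truncated mode."""
    found = parse_rate_limits(config_text)
    findings = []
    for key, name in LIMITERS.items():
        if truncated_mode and key == "layer2 pdu":
            # Per the text: this limiter cannot be enabled in truncated mode.
            if key in found:
                findings.append(f"CONFLICT: {name} limiter set, switch in truncated mode")
            continue
        if key not in found:
            findings.append(f"MISSING: {name} limiter (mls rate-limit {key} <pps> <burst>)")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```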
Catalyst Supervisor Engine 32 PISA Cisco IOS Software Configuration Guide, Release 12.2ZY
33-10
Chapter 33
Configuring Denial of Service Protection
OL-11439-03
