DoS Protection Configuration Guidelines and Restrictions
When configuring DoS protection on systems configured with a PFC3B, follow these CPU rate limiter
guidelines and restrictions:
Note: For the CoPP guidelines and restrictions, see the "CoPP Configuration Guidelines and Restrictions" section on page 33-19.

• These rate limiters are supported:
  – Unicast IP options
  – Multicast IP options
• These are Layer 2 rate limiters:
  – Layer 2 PDUs
  – Layer 2 protocol tunneling
  – Layer 2 Multicast IGMP
• There are eight Layer 3 registers and two Layer 2 registers that can be used as CPU rate limiters.
• Do not use the CEF receive limiter if CoPP is being used. The CEF receive limiter will override the CoPP traffic.
• Rate limiters override the CoPP traffic.
• Configured rate limits are applied to each forwarding engine (except for the Layer 2 hardware rate limiter, which is applied globally).
• Layer 2 rate limiters are not supported in truncated mode.
• The following restrictions apply when using the ingress and egress ACL-bridged packet rate limiters:
  – The ingress and egress ACL-bridged packet rate limiter is available for unicast traffic only.
  – The ingress and egress ACL-bridged packet rate limiters share a single rate-limiter register. If you enable the ACL-bridge ingress and egress rate limiters, both the ingress and the egress ACLs must share the same rate-limiter value.
• Use the mls rate-limit unicast command to rate limit unicast traffic.
• Use the mls rate-limit multicast command to rate limit multicast traffic.
• Use the mls rate-limit multicast layer 2 command to rate limit Layer 2 multicast traffic.

Monitoring Packet Drop Statistics
You can capture the incoming or outgoing traffic on an interface and send a copy of this traffic to an
external interface for monitoring by a traffic analyzer. To capture traffic and forward it to an external
interface, use the monitor session command.
When capturing traffic, these restrictions apply:
• The incoming captured traffic is not filtered.
• The incoming captured traffic is not rate limited to the capture destination.

Catalyst Supervisor Engine 32 PISA Cisco IOS Software Configuration Guide, Release 12.2ZY
Chapter 33 Configuring Denial of Service Protection
OL-11439-03
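
An added example, not from the Cisco guide: a Python check that audits a running-config fragment against three of the CPU rate limiter guidelines above (the CEF receive limiter alongside CoPP, the shared ACL-bridged register, and the Layer 3 and Layer 2 register counts). The sample config is constructed, and the sub-keywords after mls rate-limit (cef receive, acl input, acl output, layer2 pdu, layer2 l2pt, multicast ipv4 igmp), the control-plane/service-policy detection of CoPP, and the one-register-per-limiter count are assumptions to verify against the command reference for your release.

```python
import re

# Assumed IOS 12.2-style syntax: mls rate-limit <class> <limiter> <pps> [burst]
LIMITER = re.compile(r"^mls rate-limit (unicast|multicast|layer2|all) (.+?) (\d+)(?: (\d+))?$")
L3_REGISTERS, L2_REGISTERS = 8, 2          # register counts stated in the guidelines
ACL_PAIR = {("unicast", "acl input"), ("unicast", "acl output")}  # share one register
L2_LIMITERS = {("layer2", "pdu"), ("layer2", "l2pt"), ("multicast", "ipv4 igmp")}

# Constructed sample running-config fragment (not taken from a real device).
SAMPLE = """\
mls rate-limit unicast cef receive 10000 10
mls rate-limit unicast acl input 500 10
mls rate-limit unicast acl output 1000 10
mls rate-limit layer2 pdu 2000 20
mls rate-limit layer2 l2pt 2000 20
mls rate-limit multicast ipv4 igmp 5000 10
control-plane
 service-policy input COPP-POLICY
"""

def parse_limiters(config):
    """Map (class, limiter) -> (pps, burst or None) for each rate-limiter line."""
    found = {}
    for line in config.splitlines():
        m = LIMITER.match(line.strip())
        if m:
            found[(m.group(1), m.group(2))] = (int(m.group(3)), int(m.group(4)) if m.group(4) else None)
    return found

def copp_enabled(config):
    """Assumption: CoPP is active when a service policy is attached under control-plane."""
    return re.search(r"^control-plane\n(?: .*\n)*? service-policy input \S+", config, re.M) is not None

def audit(config):
    """Return the names of the guidelines that the configuration violates."""
    limiters = parse_limiters(config)
    acl_in, acl_out = (limiters.get(k) for k in sorted(ACL_PAIR))
    l2 = [k for k in limiters if k in L2_LIMITERS]
    # Ingress and egress ACL-bridged limiters collapse into a single Layer 3 register.
    l3 = {("unicast", "acl") if k in ACL_PAIR else k for k in limiters if k not in L2_LIMITERS}
    checks = [
        ("cef-receive-with-copp", copp_enabled(config) and ("unicast", "cef receive") in limiters),
        ("acl-bridged-value-mismatch", bool(acl_in and acl_out and acl_in != acl_out)),
        ("layer2-registers-exceeded", len(l2) > L2_REGISTERS),
        ("layer3-registers-exceeded", len(l3) > L3_REGISTERS),
    ]
    return [name for name, failed in checks if failed]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the constructed sample, the audit flags the CEF receive limiter configured together with CoPP, the differing ACL-bridged ingress and egress values, and three Layer 2 limiters competing for two registers.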