Cisco 7604 Configuration Manual page 524

IOS software configuration guide

Understanding How DoS Protection Works
Chapter 36: Configuring Denial of Service Protection

Table 36-1 TCP Intercept Configuration (continued)

| Command | Purpose |
| --- | --- |
| Router(config)# ip tcp intercept max-incomplete low number | Defines the number of incomplete connections below which the software leaves aggressive mode; valid values are from 1 to 2147483647 connections. |
| Router(config)# ip tcp intercept max-incomplete high number | Defines the maximum number of incomplete connections allowed before the software enters aggressive mode; valid values are from 1 to 2147483647 connections. |
| Router(config)# ip tcp intercept one-minute low number | Defines the number of connection requests below which the software leaves aggressive mode; valid values are from 1 to 2147483647 connections. |
| Router(config)# ip tcp intercept one-minute high number | Defines the number of connection requests received in the last one-minute sample period before the software enters aggressive mode; valid values are from 1 to 2147483647 connections. |
| Router# show tcp intercept connections | Displays incomplete connections and established connections. |
| Router# show tcp intercept statistics | Displays TCP intercept statistics. |

Hardware-Based Rate Limiters on the PFC2

The PFC2 supports additional hardware-based rate limiters. The PFC2 provides four rate-limiter registers for the new rate limiters, which are configured globally on the router. These rate-limiter registers are present in the Layer 3 forwarding engine (PFC) and are responsible for containing rate-limiting information for result packets that match the various available configured rate limiters.

Because four rate-limiter registers are present on the Layer 3 forwarding engine only, these registers can force different rate-limiting scenarios to share the same register. The registers are assigned on a first-come, first-served basis. If all registers are being utilized, the only way to configure another rate limiter is to free one register.

The hardware-based rate limiters available on the PFC2 are as follows:

- Ingress and egress ACL bridged packets
- FIB receive and FIB glean cases
- VACL log
- Layer 3 features

Ingress-Egress ACL Bridged Packets (Unicast Only)

This rate limiter rate limits packets sent to the MSFC because of an ingress/egress ACL bridge result. The router accomplishes this by altering existing and new ACL TCAM entries with a TCAM bridge result to a Layer 3 redirect result pointing to the MSFC. Packets hitting the TCAM entries with the altered Layer 3 redirect rate limit result will be rate limited according to the instructions set in the CLI by the network administrator. Both the ingress and egress values will be the same, as they both share the same rate-limiter register. If the ACL bridge ingress/egress rate limiting is disabled, the Layer 3 redirect rate limit results are converted to the bridge result.

Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX, page 36-8
OL-4266-08
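
The low and high thresholds in Table 36-1 form a hysteresis band around aggressive mode. The following is an added example, not taken from the Cisco guide: it replays constructed per-minute counters against candidate thresholds to show when aggressive mode would begin and end, and renders the matching commands. It assumes that exceeding either high value enters aggressive mode and that both counters must fall below their low values to leave it; `Thresholds`, `aggressive_intervals`, and all sample numbers are hypothetical.

```python
from dataclasses import astuple, dataclass

LIMIT = 2147483647  # upper bound of the valid range in Table 36-1

@dataclass(frozen=True)
class Thresholds:
    max_incomplete_low: int
    max_incomplete_high: int
    one_minute_low: int
    one_minute_high: int

    def __post_init__(self):
        if not all(1 <= v <= LIMIT for v in astuple(self)):
            raise ValueError(f"thresholds must be in 1..{LIMIT}")
        # Sanity check added here: low above high leaves no hysteresis band.
        if (self.max_incomplete_low > self.max_incomplete_high
                or self.one_minute_low > self.one_minute_high):
            raise ValueError("low threshold exceeds high threshold")

    def to_ios(self):
        """Render the four global configuration commands from Table 36-1."""
        names = ("max-incomplete low", "max-incomplete high",
                 "one-minute low", "one-minute high")
        return [f"ip tcp intercept {n} {v}" for n, v in zip(names, astuple(self))]

def aggressive_intervals(samples, t):
    """Return [(enter_minute, leave_minute or None)] for the given samples."""
    intervals, entered = [], None
    for minute, incomplete, requests in samples:
        if entered is None:
            # Assumption: exceeding either high mark enters aggressive mode.
            if incomplete > t.max_incomplete_high or requests > t.one_minute_high:
                entered = minute
        # Assumption: both counters must fall below their low marks to leave.
        elif incomplete < t.max_incomplete_low and requests < t.one_minute_low:
            intervals.append((entered, minute))
            entered = None
    if entered is not None:
        intervals.append((entered, None))  # still aggressive at end of data
    return intervals

# Constructed baseline: (minute, incomplete connections, requests in last minute)
SAMPLES = [(0, 120, 300), (1, 150, 340), (2, 980, 1250), (3, 1400, 2100),
           (4, 1050, 1500), (5, 880, 950), (6, 700, 600), (7, 200, 320),
           (8, 1150, 700), (9, 950, 400)]

if __name__ == "__main__":
    for t in (Thresholds(900, 1100, 900, 1100), Thresholds(1200, 1500, 1000, 2000)):
        print("\n".join(t.to_ios()), aggressive_intervals(SAMPLES, t), sep="\n")
```

Comparing the intervals for two candidate threshold sets against the same baseline shows how a narrow band keeps the router in aggressive mode longer after a burst subsides.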
