Cisco 7604 Configuration Manual page 525

Cisco IOS Software Configuration Guide

Chapter 36
Configuring Denial of Service Protection
Ingress or egress ACL-bridged packet cases share a single rate-limiter register. If the feature is turned
on, ingress and egress ACLs use the same rate-limiter value.
This example shows how to rate limit the unicast packets from an ingress ACL bridge result to 50000
packets per second and 50 packets in burst:
Router(config)# mls rate-limit unicast acl input 50000 50
This example shows how to rate limit the unicast packets from an egress ACL bridge result to the same
rate (50000 pps and 50 packets in burst) as the ingress ACL bridge result:
Router(config)# mls rate-limit unicast acl output 50000 50
If the values of the rate limiter are altered on either the ingress or the egress when both are enabled, both
values are changed to that new value. In the following example, the output rate is changed to 40000 pps:
Router(config)# mls rate-limit unicast acl output 40000 50
When you enter the show mls rate-limit command, both the ACL bridged in and the ACL bridged out
display the new value of 40000 pps:
Router# sh mls rate-limit
Load for five secs: 0%/0%; one minute: 0%; five minutes: 0%
Time source is NTP, 10:32:15.584 PDT Fri Aug 5 2005

 Rate Limiter Type       Status          Packets/s
 -----------------       ----------      ---------
 L3_SEC_FEATURES
   ACL BRIDGE IN         Off             -
   ACL BRIDGE OUT        Off             -
                         Off             -
   VACL LOG              Off             -
   FIB RECEIVE           Off             -
   FIB GLEAN             Off             -

FIB (CEF) Receive and FIB Glean Cases (Unicast Only)
The FIB receive rate limiter provides the capability to rate limit all packets that contain the MSFC IP
address as the destination address. The rate limiters do not discriminate between good frames and bad
frames.
Note Do not enable the FIB receive rate limiter if you are using CoPP. The FIB receive rate limiter
overrides the CoPP policies.
This example shows how to rate limit the traffic to 25000 pps with a burst of 60:
Router(config)# mls rate-limit unicast cef receive 25000 60
The FIB glean rate limiter does not limit ARP traffic, but provides the capability to rate limit traffic that
requires address resolution (ARP) and requires that it be sent to the MSFC. This situation occurs when
traffic enters a port and contains the destination of a host on a subnet that is locally connected to the
MSFC, but no ARP entry exists for that destination host. In this case, because the MAC address of the
destination host is unknown and has not yet been resolved by any host on the directly connected subnet,
the "glean" adjacency is hit and the traffic is sent directly to the MSFC for ARP resolution. This rate
limiter limits the possibility of an attacker overloading the CPU with such ARP requests.
This example shows how to rate limit the rate at which this traffic is sent to the MSFC to 20000 pps and
a burst of 60:
Router(config)# mls rate-limit unicast cef glean 20000 60
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX    OL-4266-08
Understanding How DoS Protection Works    36-9
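The two operational checks this section implies, that ACL BRIDGE IN and ACL BRIDGE OUT share one register and that the FIB receive limiter must not be enabled alongside CoPP, can be audited from the show mls rate-limit output. The following is an added example, not part of the Cisco guide: the sample output is constructed to follow the columns shown above (the Burst column and the "On" rows are assumptions), and the copp_configured flag is a hypothetical input the operator supplies from their own CoPP configuration.

```python
import re

# Constructed sample of "show mls rate-limit" output, following the column layout
# shown in the guide; the Burst column and the "On" rows are assumptions for this example.
SAMPLE_SHOW_OUTPUT = """\
Load for five secs: 0%/0%; one minute: 0%; five minutes: 0%
Time source is NTP, 10:32:15.584 PDT Fri Aug 5 2005

 Rate Limiter Type       Status          Packets/s   Burst
 -----------------       ----------      ---------   -----
 L3_SEC_FEATURES
   ACL BRIDGE IN         On              40000       50
   ACL BRIDGE OUT        On              40000       50
   VACL LOG              Off             -           -
   FIB RECEIVE           On              25000       60
   FIB GLEAN             On              20000       60
"""

# One limiter row: upper-case name, status, packets/s, burst ("-" when the limiter is off).
ROW = re.compile(r"^\s+([A-Z][A-Z0-9 ]+?)\s{2,}(On|Off)\s+(\S+)\s+(\S+)\s*$")


def parse_rate_limits(text):
    """Return {limiter name: (status, pps or None, burst or None)} from show output."""
    limits = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator, or a section label such as L3_SEC_FEATURES
        name, status, pps, burst = m.groups()
        limits[name.strip()] = (status,
                                int(pps) if pps.isdigit() else None,
                                int(burst) if burst.isdigit() else None)
    return limits


def audit(limits, copp_configured):
    """Flag the two conditions the guide calls out (hypothetical copp_configured flag)."""
    findings = []
    acl_in, acl_out = limits.get("ACL BRIDGE IN"), limits.get("ACL BRIDGE OUT")
    # Ingress and egress ACL-bridged cases share a single rate-limiter register,
    # so two different values mean the device state is not what the operator intended.
    if acl_in and acl_out and acl_in[0] == acl_out[0] == "On" and acl_in[1:] != acl_out[1:]:
        findings.append("ACL BRIDGE IN/OUT differ although they share one rate-limiter register")
    fib_rx = limits.get("FIB RECEIVE")
    # The FIB receive rate limiter overrides CoPP policies, so both should not be active.
    if copp_configured and fib_rx and fib_rx[0] == "On":
        findings.append("FIB RECEIVE rate limiter is on while CoPP is configured; it overrides CoPP")
    return findings
```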