Cisco 7604 Configuration Manual page 526

IOS Software Configuration Guide

Understanding How DoS Protection Works
VACL Log (Unicast Only)
Packets that are sent to the MSFC because of VLAN-ACL logging can be rate limited to ensure that the
CPU is not overwhelmed with logging tasks. VACLs are processed in hardware, but the MSFC does the
logging. When VACL logging is configured on the router, IP packets that are denied in the VACL
generate log messages.
This example shows how to rate limit logging requests to 5000 pps (the range for this rate limiter is from
10 to 5000 pps):
Router(config)# mls rate-limit unicast acl vacl-log 5000
Layer 3 Security Features (Unicast Only)
Some security features are processed by first being sent to the MSFC. For these features, you need to rate limit the number of packets sent to the MSFC to reduce the potential for overloading it. The security features include authentication proxy (auth-proxy), IPSec, and inspection.
Authentication proxy is used to authenticate inbound users, outbound users, or both. These users are normally blocked by an access list, but with auth-proxy, the users can bring up a browser to go through the firewall and authenticate on a Terminal Access Controller Access Control System Plus (TACACS+) or RADIUS server (based on the IP address). The server passes additional access list entries down to the router to allow the users through after authentication. These ACLs are stored and processed in software, and if many users are utilizing auth-proxy, the MSFC may be overwhelmed. Rate limiting is advantageous in this situation.
IPSec and inspection are also done by the MSFC and may require rate limiting. When the Layer 3 security feature rate limiter is enabled, the rate limiters for auth-proxy, IPSec, and inspection are all enabled at the same rate.
This example shows how to rate limit the security features to the MSFC to 100000 pps with a burst of
10 packets:
Router(config)# mls rate-limit unicast ip features 100000 10
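The two rate limiters above (the VACL-log limiter and the Layer 3 security feature limiter) are easy to forget on a box that has been in service for years. The following is an added example, not from the Cisco guide, that audits a `show running-config` capture for both commands, parses the rate and optional burst, and checks the VACL-log rate against the 10 to 5000 pps range the guide gives. The sample configuration text is constructed for the example; the regular expressions assume the command syntax shown in this section, and the configuration may or may not print a default burst after the rate.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `show running-config` output (not taken from the manual).
SAMPLE_CONFIG = """\
!
hostname Router
!
mls rate-limit unicast acl vacl-log 5000
mls rate-limit unicast ip features 100000 10
mls rate-limit unicast acl input 500 10
!
"""

# Documented range for the VACL-log limiter (guide: 10 to 5000 pps).
VACL_LOG_RANGE = (10, 5000)

# One pattern per limiter discussed in this section. Group 1 is the rate in
# pps, group 2 the optional burst in packets (assumption: the running config
# may or may not include the burst after the rate).
LIMITERS = {
    "vacl-log": re.compile(r"^mls rate-limit unicast acl vacl-log (\d+)(?: (\d+))?\s*$"),
    "ip-features": re.compile(r"^mls rate-limit unicast ip features (\d+)(?: (\d+))?\s*$"),
}


@dataclass
class Limiter:
    name: str
    rate_pps: int
    burst: Optional[int]


def parse_rate_limiters(config_text: str) -> Dict[str, Limiter]:
    """Extract the limiters of interest from running-config text."""
    found: Dict[str, Limiter] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        for name, pattern in LIMITERS.items():
            match = pattern.match(line)
            if match:
                burst = int(match.group(2)) if match.group(2) else None
                found[name] = Limiter(name, int(match.group(1)), burst)
    return found


def audit_rate_limiters(config_text: str) -> List[str]:
    """Return findings; an empty list means both limiters are present and sane."""
    found = parse_rate_limiters(config_text)
    findings: List[str] = []
    for name in LIMITERS:
        if name not in found:
            findings.append(f"{name}: limiter not configured; punted packets are not rate limited")
    vacl = found.get("vacl-log")
    if vacl is not None:
        low, high = VACL_LOG_RANGE
        if not low <= vacl.rate_pps <= high:
            findings.append(
                f"vacl-log: rate {vacl.rate_pps} pps is outside the documented range {low}-{high}"
            )
    return findings


if __name__ == "__main__":
    for limiter in parse_rate_limiters(SAMPLE_CONFIG).values():
        print(f"{limiter.name}: {limiter.rate_pps} pps, burst {limiter.burst}")
    for finding in audit_rate_limiters(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against a saved `show running-config` by replacing `SAMPLE_CONFIG` with the file contents; a non-empty findings list means a punt path to the MSFC is left unlimited or set outside the range the guide documents.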
DoS Protection with a PFC3
This section contains information about the available methods to counteract DoS attacks with a PFC3 and includes configuration examples. The PFC3 provides a layered defense against DoS attacks using the following methods:
• CPU rate limiters—Controls traffic types.
• Control plane policing (CoPP)—Filters and rate limits control plane traffic. For information about CoPP, see the "Understanding How Control Plane Policing Works" section on page 36-28.
These sections describe DoS protection with a PFC3:
• Security ACLs and VACLs, page 36-11
• QoS Rate Limiting, page 36-12
• uRPF Check, page 36-12
• Traffic Storm Control, page 36-13
• Network Under SYN Attack, page 36-13
• ARP Policing, page 36-14
• Recommended Rate-Limiter Configuration, page 36-14
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
36-10
Chapter 36 Configuring Denial of Service Protection
OL-4266-08