Cisco 7604 Configuration Manual page 530

IOS Software Configuration Guide

Chapter 36
Configuring Denial of Service Protection
Understanding How DoS Protection Works

When both thresholds fall below the configured low value, the aggressive behavior ceases (default value is 900 in both factors). See Table 36-1 for information about TCP intercept configuration.

Note
TCP flows are hardware assisted on both the PFC2 and PFC3 (all PFC3 types).

ARP Policing

During an attack, malicious users may try to overwhelm the MSFC CPU with control packets such as routing protocol or ARP packets. These control packets can be rate limited in hardware using the routing protocol and ARP policing mechanism, which is configured with the mls qos protocol command. The routing protocols supported include RIP, BGP, LDP, OSPF, IS-IS, IGRP, and EIGRP. For example, the command mls qos protocol arp police 32000 rate limits ARP packets in hardware at 32,000 bps. Although this policing mechanism effectively protects the MSFC CPU against attacks such as line-rate ARP attacks, it polices not only routing protocol and ARP packets destined to the router but also such traffic passing through the box, and it does so with less granularity than CoPP.

The policing mechanism shares its root command with a policing-avoidance mechanism. The policing-avoidance mechanism lets routing protocol and ARP packets flow through the network when they reach a QoS policer. This mechanism is configured with the mls qos protocol protocol pass-through command, where protocol is one of the keywords listed in the first example below.

This example shows how to display the available protocols to use with ARP policing:

Router(config)# mls qos protocol ?
  isis
  eigrp
  ldp
  ospf
  rip
  bgp
  ospfv3
  bgpv2
  ripng
  neigh-discover
  wlccp
  arp

This example shows how to display the available keywords to use with the mls qos protocol arp command:

Router(config)# mls qos protocol arp ?
  pass-through  pass-through keyword
  police        police keyword
  precedence    change ip-precedence(used to map the dscp to cos value)

Recommended Rate-Limiter Configuration

The recommended rate-limiter configuration is as follows:
• Enable the rate limiters for the traffic types most likely to be used in a DoS attack.
• Do not use a rate limiter on VACL logging unless you configure VACL logging.
• Disable redirects because a platform that supports hardware forwarding, such as the Cisco 7600 series router, reduces the need for redirects.

Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
36-14
OL-4266-08
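The ARP policing commands and the recommended rate-limiter settings above can be checked against a saved running configuration. The script below is an added audit example, not part of the Cisco guide; it assumes only the command forms shown on this page (mls qos protocol <protocol> police <bps> and mls qos protocol <protocol> pass-through) plus the standard IOS interface command no ip redirects, and it runs on a constructed sample configuration.

```python
import re

# Protocol keywords exactly as listed by "mls qos protocol ?" on this page.
SUPPORTED = ["isis", "eigrp", "ldp", "ospf", "rip", "bgp", "ospfv3", "bgpv2",
             "ripng", "neigh-discover", "wlccp", "arp"]

# Constructed sample running-config fragment; not captured from a real router.
SAMPLE_CONFIG = """\
mls qos protocol arp police 32000
mls qos protocol ospf pass-through
mls qos protocol bgp pass-through
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 no ip redirects
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
"""

# The rate in bps is the first number after "police"; anything after it is ignored.
POLICE_RE = re.compile(r"^mls qos protocol (\S+) police (\d+)(?:\s.*)?$")
PASS_RE = re.compile(r"^mls qos protocol (\S+) pass-through\s*$")
IFACE_RE = re.compile(r"^interface (\S+)")


def audit(config):
    """Return policed protocols (with bps), pass-through protocols, supported
    protocols with no entry, and interfaces that still send ICMP redirects."""
    policed, passthrough, no_redirect = {}, set(), set()
    interfaces, current = [], None
    for line in config.splitlines():
        line = line.rstrip()
        if m := IFACE_RE.match(line):
            current = m.group(1)
            interfaces.append(current)
            continue
        if not line.startswith(" "):
            current = None  # any top-level line ends the interface sub-mode
        if m := POLICE_RE.match(line):
            policed[m.group(1)] = int(m.group(2))
        elif m := PASS_RE.match(line):
            passthrough.add(m.group(1))
        elif current and line.strip() == "no ip redirects":
            no_redirect.add(current)
    unconfigured = [p for p in SUPPORTED if p not in policed and p not in passthrough]
    redirects_on = [i for i in interfaces if i not in no_redirect]
    return {"policed": policed, "pass_through": sorted(passthrough),
            "unconfigured": unconfigured, "redirects_enabled": redirects_on}
```

Protocols reported as unconfigured have neither a hardware policer nor pass-through, and interfaces listed under redirects_enabled still need no ip redirects per the recommendation above.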