Cisco 7604 Configuration Manual page 531

IOS software configuration guide

Chapter 36
Configuring Denial of Service Protection
- Disable unreachables because a platform that supports hardware unreachables, such as the
  Cisco 7600 series router, reduces the need for unreachables.
- Do not enable the MTU rate limiter if all interfaces have the same MTU.
- When configuring the Layer 2 PDU rate limiter, note the following information:
  - Calculate the expected or possible number of valid PDUs and double or triple the number.
  - PDUs include BPDUs, DTP, VTP, PAgP, LACP, UDLD, etc.
  - Rate limiters do not discriminate between good frames or bad frames.

Hardware-Based Rate Limiters on the PFC3

The PFC3 supports additional hardware-based rate limiters. The PFC3 provides eight rate-limiter
registers for the new rate limiters, which are configured globally on the router. These rate-limiter
registers are present in the Layer 3 forwarding engine (PFC) and are responsible for containing
rate-limiting information for result packets that match the various available configured rate limiters.
Because eight rate-limiter registers are present on the PFC3, these registers can force different
rate-limiting scenarios to share the same register. The registers are assigned on a first-come, first-serve
basis. If all registers are being utilized, the only way to configure another rate limiter is to free one
register.

The hardware-based rate limiters available on the PFC3 are as follows:
- Ingress and egress ACL bridged packets
- uRPF check failures
- FIB receive cases
- FIB glean cases
- Layer 3 security features
- ICMP redirects
- ICMP unreachable (ACL drop)
- No-route (FIB miss)
- VACL log
- TTL failure
- MTU failure
- Multicast IPv4
- Multicast IPv6

Ingress-Egress ACL Bridged Packets (Unicast Only)

This rate limiter rate limits packets sent to the MSFC because of an ingress/egress ACL bridge result.
The router accomplishes this by altering existing and new ACL TCAM entries with a TCAM bridge
result to a Layer 3 redirect result pointing to the MSFC. Packets hitting the TCAM entries with the
altered Layer 3 redirect rate limit result will be rate limited according to the instructions set in CLI by
the network administrator. Both the ingress and egress values will be the same, as they both share the
same rate-limiter register. If the ACL bridge ingress/egress rate limiting is disabled, the Layer 3 redirect
rate limit results are converted to the bridge result.

Ingress or egress ACL-bridged packet cases share a single rate-limiter register. If the feature is turned
on, ingress and egress ACLs use the same rate-limiter value.

Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX, OL-4266-08
Understanding How DoS Protection Works, page 36-15
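
The Layer 2 PDU guideline on this page (count the valid PDUs, then double or triple the number) worked through in Python as an added example; it is not code from Cisco's guide. The port inventory is constructed, the protocol timers are assumed defaults, the even-drop model in `valid_pass_fraction` is a simplifying assumption, and `ios_command` uses the `mls rate-limit layer2 pdu` form from the 12.2SX command set, which this page does not show.

```python
import math

# Steady-state transmit intervals in seconds. Assumed protocol defaults;
# confirm against the timers actually configured on your neighbours.
INTERVAL_S = {"bpdu": 2.0, "dtp": 30.0, "vtp": 300.0,
              "pagp": 30.0, "lacp": 30.0, "udld": 15.0}

# Constructed inventory of ports that receive PDUs from neighbouring switches.
SAMPLE_PORTS = [
    {"count": 4, "stp_vlans": 50,
     "protocols": ["bpdu", "dtp", "vtp", "udld", "lacp"]},   # trunk uplinks
    {"count": 20, "stp_vlans": 1, "protocols": ["bpdu", "udld"]},  # downlinks
]

def expected_pdu_pps(ports, intervals=INTERVAL_S):
    """Valid PDUs per second arriving in steady state."""
    total = 0.0
    for group in ports:
        per_port = 0.0
        for proto in group["protocols"]:
            # Per-VLAN spanning tree sends one BPDU per VLAN per hello.
            instances = group["stp_vlans"] if proto == "bpdu" else 1
            per_port += instances / intervals[proto]
        total += group["count"] * per_port
    return total

def size_limit(ports, multiplier=2):
    """Apply the guideline: double or triple the expected valid rate."""
    if multiplier not in (2, 3):
        raise ValueError("the guideline calls for doubling or tripling")
    return math.ceil(expected_pdu_pps(ports) * multiplier)

def valid_pass_fraction(limit_pps, valid_pps, unwanted_pps):
    """Share of valid PDUs that get through, assuming drops fall evenly on
    all frames because the limiter cannot tell good frames from bad."""
    offered = valid_pps + unwanted_pps
    return 1.0 if offered <= limit_pps else limit_pps / offered

def ios_command(limit_pps):
    """Global configuration line; the optional burst argument is omitted."""
    return f"mls rate-limit layer2 pdu {limit_pps}"

if __name__ == "__main__":
    valid = expected_pdu_pps(SAMPLE_PORTS)
    limit = size_limit(SAMPLE_PORTS)
    print(f"expected {valid:.2f} pps -> {ios_command(limit)}")
    for unwanted in (0, 1000):
        share = valid_pass_fraction(limit, valid, unwanted)
        print(f"{unwanted} unwanted pps: {share:.1%} of valid PDUs pass")
```

Under the even-drop assumption, the headroom keeps valid PDUs flowing only while total PDU traffic stays under the limit; once it is exceeded, valid and unwanted frames are dropped alike.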
