Cisco 7604 Configuration Manual page 534

Understanding How DoS Protection Works
Layer 3 Security Features (Unicast Only)
Some security features are processed by first being sent to the MSFC. For these security features, you
need to rate limit the number of these packets being sent to the MSFC to reduce any potential
overloading. The security features include authentication proxy (auth-proxy), IPSEC, and inspection.
Authentication proxy is used to authenticate inbound or outbound users or both. These users are
normally blocked by an access list, but with auth-proxy, the users can bring up a browser to go through
the firewall and authenticate on a terminal access controller access control system plus (TACACS+) or
RADIUS server (based on the IP address). The server passes additional access list entries down to the
router to allow the users through after authentication. These ACLs are stored and processed in software,
and if there are many users utilizing auth-proxy, the MSFC may be overwhelmed. Rate limiting would
be advantageous in this situation.
IPSec and inspection are also done by the MSFC and may require rate limiting. When the Layer 3
security feature rate limiter is enabled, all Layer 3 rate limiters for auth-proxy, IPSec and inspection are
enabled at the same rate.
This example shows how to rate limit the security features to the MSFC to 100000 pps with a burst of
10 packets:
Router(config)# mls rate-limit unicast ip features 100000 10
ICMP Redirect (Unicast Only)
The ICMP-redirect rate limiter allows you to rate limit ICMP traffic. For example, when a host sends
packets through a nonoptimal router, the MSFC sends ICMP-redirect messages to the host to correct its
sending path. If this traffic occurs continuously, and is not rate limited, the MSFC will continuously
generate ICMP-redirect messages.
This example shows how to rate limit the ICMP redirects to 20000 pps, with a burst of 20 packets:
Router(config)# mls rate-limit unicast ip icmp redirect 20000 20
VACL Log (Unicast Only)
Packets that are sent to the MSFC because of VLAN-ACL logging can be rate limited to ensure that the
CPU is not overwhelmed with logging tasks. VACLs are processed in hardware, but the MSFC does the
logging. When VACL logging is configured on the router, IP packets that are denied in the VACL
generate log messages.
This example shows how to rate limit logging requests to 5000 pps (the range for this rate limiter is from
10 to 5000 pps):
Router(config)# mls rate-limit unicast acl vacl-log 5000
MTU Failure
Similar to the TTL failure rate limiter, the rate limiter for MTU failures is supported for both unicast and
multicast traffic. Packets that fail an MTU check are sent to the MSFC CPU. This might cause the MSFC
to be overwhelmed.
This example shows how to rate limit packets failing the MTU failures from being sent to the MSFC to
10000 pps with a burst of 10:
Router(config)# mls rate-limit all mtu 10000 10
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
36-18
Chapter 36 Configuring Denial of Service Protection
OL-4266-08