Cisco 7604 Configuration Manual page 535

IOS Software Configuration Guide
Chapter 36
Configuring Denial of Service Protection
Layer 2 Multicast IGMP Snooping
The IGMP snooping rate limiter limits the number of Layer 2 IGMP packets destined for the supervisor engine. IGMP snooping listens to IGMP messages between the hosts and the supervisor engine. You cannot enable the Layer 2 PDU rate limiter if the Cisco 7600 series router is operating in truncated mode. The router uses truncated mode for traffic between fabric-enabled modules when there are both fabric-enabled and nonfabric-enabled modules installed. In this mode, the router sends a truncated version of the traffic (the first 64 bytes of the frame) over the switch fabric channel.
This example shows how to rate limit IGMP-snooping traffic:
Router(config)# mls rate-limit multicast ipv4 igmp 20000 40
Layer 2 PDU
The Layer 2 protocol data unit (PDU) rate limiter allows you to limit the number of Layer 2 PDU protocol packets (including BPDUs, DTP, PAgP, CDP, STP, and VTP packets) destined for the supervisor engine and not the MSFC CPU. You cannot enable the Layer 2 PDU rate limiter if the Cisco 7600 series router is operating in truncated mode. The router uses truncated mode for traffic between fabric-enabled modules when there are both fabric-enabled and nonfabric-enabled modules installed. In this mode, the router sends a truncated version of the traffic (the first 64 bytes of the frame) over the switch fabric channel.
This example shows how to rate limit Layer 2 PDUs to 20000 pps with a burst of 20 packets:
Router(config)# mls rate-limit layer2 pdu 20000 20
Layer 2 Protocol Tunneling
This rate limiter limits the Layer 2 protocol tunneling packets, which include control PDUs, CDP, STP, and VTP packets destined for the supervisor engine. These packets are encapsulated in software (rewriting the destination MAC address in the PDU), and then forwarded to a proprietary multicast address (01-00-0c-cd-cd-d0). You cannot enable the Layer 2 PDU rate limiter if the Cisco 7600 series router is operating in truncated mode. The router uses truncated mode for traffic between fabric-enabled modules when there are both fabric-enabled and nonfabric-enabled modules installed. In this mode, the router sends a truncated version of the traffic (the first 64 bytes of the frame) over the switch fabric channel.
This example shows how to rate limit Layer 2 protocol tunneling packets to 10000 pps with a burst of 10 packets:
Router(config)# mls rate-limit layer2 l2pt 10000 10
IP Errors
This rate limiter limits the packets with IP checksum and length errors. When a packet reaches the PFC3 with an IP checksum error or a length inconsistency error, it must be sent to the MSFC for further processing. An attacker might use the malformed packets to carry out a DoS attack, but the network administrator can configure a rate for these types of packets to protect the control path.
This example shows how to rate limit IP errors sent to the MSFC to 1000 pps with a burst of 20 packets:
Router(config)# mls rate-limit unicast ip errors 1000 20
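The four rate limiters above each take a rate in pps followed by a burst in packets. As an added example (not from the guide or from Cisco), the following Python audits a saved running-config for those `mls rate-limit` lines and reports any that are missing or that differ from the values the guide uses; the config excerpt is constructed for illustration, and the expected values are simply the guide's example figures, not a Cisco recommendation.

```python
import re

# Constructed running-config excerpt for the demonstration (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-7600
!
mls rate-limit multicast ipv4 igmp 20000 40
mls rate-limit layer2 pdu 20000 20
mls rate-limit unicast ip errors 1000 20
!
interface GigabitEthernet1/1
 no ip address
"""

# The limiters this section documents, keyed by their CLI name, with the guide's example (rate pps, burst packets).
EXPECTED = {
    "multicast ipv4 igmp": (20000, 40),
    "layer2 pdu": (20000, 20),
    "layer2 l2pt": (10000, 10),
    "unicast ip errors": (1000, 20),
}

# A limiter line is "mls rate-limit <name words> <rate> <burst>"; the lazy name group stops
# before the two trailing integers.
LINE_RE = re.compile(r"^\s*mls rate-limit\s+(?P<name>[a-z0-9 ]+?)\s+(?P<rate>\d+)\s+(?P<burst>\d+)\s*$")


def parse_rate_limits(config_text):
    """Return {limiter name: (rate_pps, burst_packets)} for every mls rate-limit line found."""
    limiters = {}
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            limiters[m.group("name")] = (int(m.group("rate")), int(m.group("burst")))
    return limiters


def audit_rate_limits(config_text, expected=EXPECTED):
    """List limiters that are absent from the config, or present with a different rate/burst."""
    configured = parse_rate_limits(config_text)
    findings = []
    for name, (rate, burst) in expected.items():
        if name not in configured:
            findings.append(f"missing: mls rate-limit {name} (expected {rate} {burst})")
        elif configured[name] != (rate, burst):
            findings.append(f"differs: mls rate-limit {name} is {configured[name]}, expected {(rate, burst)}")
    return findings


if __name__ == "__main__":
    for finding in audit_rate_limits(SAMPLE_CONFIG):
        print(finding)
```

Running it on the constructed excerpt reports only the Layer 2 protocol tunneling limiter as missing, since the other three are present with the guide's values.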
IPv4 Multicast
This rate limiter limits the IPv4 multicast packets. The rate limiters can rate limit the packets that are sent from the data path in the hardware up to the data path in the software. The rate limiters protect the control path in the software from congestion and drop the traffic that exceeds the configured rate. Within
OL-4266-08
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
Understanding How DoS Protection Works
36-19