Chapter 36      Configuring Denial of Service Protection
DoS Protection Configuration Guidelines and Restrictions
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX    OL-4266-08    36-23

PFC3

When configuring DoS protection on systems configured with a PFC3, follow these CPU rate limiter guidelines and restrictions:

Note    For the CoPP guidelines and restrictions, see the "CoPP Configuration Guidelines and Restrictions" section on page 36-28.

• Do not use these rate limiters if multicast is enabled in systems configured with a PFC3A:
  – TTL failure
  – MTU failure
• These rate limiters are supported only in PFC3B or PFC3BXL mode:
  – Unicast IP options
  – Multicast IP options
• These are Layer 2 rate limiters:
  – Layer 2 PDUs
  – Layer 2 protocol tunneling
  – Layer 2 Multicast IGMP
• There are eight Layer 3 registers and two Layer 2 registers that can be used as CPU rate limiters.
• Do not use the CEF receive limiter if CoPP is being used. The CEF receive limiter polices all traffic destined to the router in aggregate before the CoPP policy can classify it, so it overrides the CoPP traffic.
• Hardware rate limiters take precedence over CoPP: traffic dropped by a rate limiter never reaches the CoPP policy and is not counted by it.
• The CPU rate limiters limit the traffic in aggregate only and do not distinguish between good and bad packets.
• The following FIB rate-limiting usage guidelines apply:
  – FIB rate limiting does not limit the rate of broadcast or some multicast traffic in hardware.
  – The PFC3 has separate multicast rate limiters. The Supervisor Engine 2 does not have separate multicast rate limiters.
  – FIB rate limiting does not differentiate between legitimate and illegitimate traffic (for example, tunnels, Telnet).
  – FIB rate limiting applies aggregate rate limiting and not per-flow rate limiting.
• When using QoS ACLs to limit the rate of packets, note the following information:
  – The QoS ACL must specify the traffic flow to be rate limited.
  – When adding a QoS ACL to limit the rate of packets to an interface that already has a QoS ACL configured, you can perform one of the following:
    * Merge the rate-limiting ACL with the existing QoS ACL.
    * Define a separate class that matches the DoS ACL and tie the class to the policy map.
  – QoS ACLs need to be configured on all external interfaces that require protection. Use the interface range command to configure an ACL on multiple interfaces.
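The QoS ACL procedure above, carried through as an added example that is not part of the configuration guide. It takes the separate-class option rather than merging ACLs, so the pre-existing marking policy is left untouched. The ACL, class, and policy-map names (DOS-RATE-LIMIT, DOS-CLASS, EXTERNAL-IN, EXISTING-MARKING), the interface numbers, the matched ports, and the 1 Mbps / 32000-byte policer values are assumptions chosen for illustration, not values from the guide.

```cisco
! Added example, not taken from the guide. Enables PFC QoS globally;
! without it the policer below is not installed in hardware.
mls qos
!
! Step 1: the QoS ACL must name the flow to be rate limited.
! Assumed here: ICMP plus SSH, Telnet and BGP sessions toward any destination.
ip access-list extended DOS-RATE-LIMIT
 permit icmp any any
 permit tcp any any eq 22
 permit tcp any any eq 23
 permit tcp any any eq 179
!
! Step 2: instead of merging these entries into the existing QoS ACL,
! define a separate class that matches the DoS ACL.
class-map match-all DOS-CLASS
 match access-group name DOS-RATE-LIMIT
!
! Step 3: tie the class to the policy map already used on the external
! interfaces. The DoS class is listed first so its policer is evaluated
! before the assumed pre-existing marking class, whose action is unchanged.
policy-map EXTERNAL-IN
 class DOS-CLASS
  police 1000000 32000 32000 conform-action transmit exceed-action drop
 class EXISTING-MARKING
  set ip dscp af21
!
! Step 4: apply the policy on all external interfaces that require
! protection in one step with the interface range command.
interface range GigabitEthernet1/1 - 4
 service-policy input EXTERNAL-IN
!
! Verification (assumed interface): confirm the policer is installed and
! counting on each member of the range.
! show policy-map interface GigabitEthernet1/1
```

The police statement limits the aggregate of everything matching DOS-CLASS on each interface; it does not police individual flows, which is the aggregate-only limitation the guidelines describe, so a single heavy sender can still starve legitimate traffic that falls into the same class. Keep the ACL narrow for that reason. If CoPP is also in use, check `show mls rate-limit` first and make sure the CEF receive limiter is not enabled, since it would police router-destined traffic before the CoPP policy sees it.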