Cisco 7604 Configuration Manual page 539

IOS software configuration guide

Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX (OL-4266-08), page 36-23

Chapter 36
Configuring Denial of Service Protection
DoS Protection Configuration Guidelines and Restrictions

PFC3
When configuring DoS protection on systems configured with a PFC3, follow these CPU rate limiter guidelines and restrictions:

Note: For the CoPP guidelines and restrictions, see the "CoPP Configuration Guidelines and Restrictions" section on page 36-28.

When using QoS ACLs to limit the rate of packets, note the following information:
* The QoS ACL must specify the traffic flow to be rate limited.
* When adding a QoS ACL to limit the rate of packets to an interface that already has a QoS ACL configured, you can perform one of the following:
  * Merge the rate-limiting ACL with the existing QoS ACL.
  * Define a separate class that matches the DoS ACL and tie the class to the policy map.
* QoS ACLs need to be configured on all external interfaces that require protection. Use the interface range command to configure an ACL on multiple interfaces.

The CPU rate limiters limit the traffic in aggregate only and do not distinguish between good and bad packets.

The following FIB rate-limiting usage guidelines apply:
* FIB rate limiting does not limit the rate of broadcast or some multicast traffic in hardware.
* The PFC3 has separate multicast rate limiters. The Supervisor Engine 2 does not have separate multicast rate limiters.
* FIB rate limiting does not differentiate between legitimate and illegitimate traffic (for example, tunnels, Telnet).
* FIB rate limiting applies aggregate rate limiting and not per-flow rate limiting.

Do not use these rate limiters if multicast is enabled in systems configured with a PFC3A:
* TTL failure
* MTU failure

These rate limiters are supported only in PFC3B or PFC3BXL mode:
* Unicast IP options
* Multicast IP options

These are Layer 2 rate limiters:
* Layer 2 PDUs
* Layer 2 protocol tunneling
* Layer 2 Multicast IGMP

* There are eight Layer 3 registers and two Layer 2 registers that can be used as CPU rate limiters.
* Do not use the CEF receive limiter if CoPP is being used. The CEF receive limiter will override the CoPP traffic.
* Rate limiters override the CoPP traffic.
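The PFC3 restrictions above can be checked mechanically against a saved running-config. The following Python code is an added example, not taken from the Cisco guide: the `mls rate-limit`, `ip multicast-routing` and `control-plane` command spellings, the sample configuration and the `audit_rate_limiters` helper are assumptions made for illustration, since the page names the limiters but not their CLI syntax.

```python
import re

# Constructed sample running-config (not from the page). Command spellings
# are assumptions; the page names the limiters but not their CLI syntax.
SAMPLE_CONFIG = """\
ip multicast-routing
mls rate-limit all ttl-failure 500 10
mls rate-limit unicast cef receive 1000 100
mls rate-limit unicast ip options 100 10
mls rate-limit layer2 pdu 200 20
!
control-plane
 service-policy input COPP-POLICY
"""

def audit_rate_limiters(config: str, pfc_mode: str) -> list[str]:
    """Return findings for limiters that conflict with the PFC3 guidelines.

    pfc_mode ("PFC3A", "PFC3B" or "PFC3BXL") is passed in by the caller
    because it is hardware state, not a running-config line.
    """
    lines = [ln.rstrip() for ln in config.splitlines()]
    limiters = [ln.strip() for ln in lines
                if ln.strip().startswith("mls rate-limit ")]
    multicast = any(re.match(r"ip multicast-routing\b", ln) for ln in lines)
    # CoPP is in use when a service policy is attached under control-plane.
    copp, in_control_plane = False, False
    for ln in lines:
        if not ln.startswith(" "):
            in_control_plane = ln.strip() == "control-plane"
        elif in_control_plane and ln.strip().startswith("service-policy input"):
            copp = True
    findings = []
    for lim in limiters:
        if copp and re.search(r"\bcef receive\b", lim):
            findings.append(f"CEF receive limiter overrides CoPP: {lim}")
        if (multicast and pfc_mode == "PFC3A"
                and re.search(r"\b(ttl|mtu)-failure\b", lim)):
            findings.append(f"Not for PFC3A with multicast enabled: {lim}")
        if (pfc_mode not in ("PFC3B", "PFC3BXL")
                and re.search(r"\bip[- ]options?\b", lim)):
            findings.append(f"Requires PFC3B or PFC3BXL mode: {lim}")
    return findings

if __name__ == "__main__":
    for finding in audit_rate_limiters(SAMPLE_CONFIG, "PFC3A"):
        print(finding)
```
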


This manual is also suitable for: 7613, 7606, 7609-s, 7600 series
