Leaflet

67
OL-11615-01
!
! Monitoring traffic is limited to a rate of 900,000 bps, if traffic exceeds
! that rate it is dropped
class coppclass-monitoring
police cir 900000 bc 9000 be 9000 conform-action transmit exceed-action drop
!
! Critical-app traffic is limited to a rate of 900,000 bps, if traffic
! exceeds that rate it is dropped
class coppclass-critical-app
police cir 900000 bc 9000 be 9000 conform-action transmit exceed-action drop
!
! This policy drops all traffic categorized as undesirable, regardless
! of rate.
class coppclass-undesirable
police cir 32000 bc 3000 be 3000 conform-action drop exceed-action drop
!
! The default class applies to all IP and non-IP traffic received by the
! control plane that has not been otherwise identified. In this example,
! all default traffic is limited to 500,000 bps and violations of that
! limit are dropped.
class class-default
police cir 500000 bc 5000 be 5000 conform-action transmit exceed-action drop
….
! Applies the defined CoPP policy to the control plane
Router(config)# mls qos
Router(config)# control-plane
Router(config-cp)# service-policy input copp-policy
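To make the cir/bc/be semantics of the police statements above concrete, the following added example (not code from the Cisco guide) models each CoPP class as a single-rate, three-color token-bucket policer in the style of RFC 2697 and runs two constructed packet bursts through it. The model, the burst, and the assumption that an unconfigured violate-action falls back to the exceed-action (as it does in IOS) are the example's own; actual Catalyst hardware policers may differ in detail.

```python
# Added example (not from the Cisco guide): a simplified model of the
# single-rate "police cir bc be" statements used in the CoPP policy above.
# Token buckets follow RFC 2697 (srTCM); real Catalyst hardware policers
# may differ in detail (assumption).
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policer:
    cir_bps: int                   # committed information rate, bits per second
    bc: int                        # committed burst, bytes
    be: int                        # excess burst, bytes
    conform_action: str
    exceed_action: str
    violate_action: Optional[str] = None   # IOS default: same as exceed-action
    tc: float = field(init=False)          # committed bucket tokens (bytes)
    te: float = field(init=False)          # excess bucket tokens (bytes)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        if self.violate_action is None:
            self.violate_action = self.exceed_action
        self.tc = float(self.bc)   # both buckets start full
        self.te = float(self.be)

    def _refill(self, now):
        """Credit tokens earned since the last packet; overflow spills to te."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        new = self.cir_bps / 8.0 * elapsed        # bytes earned at CIR
        room = self.bc - self.tc
        self.tc += min(new, room)
        self.te = min(self.be, self.te + max(0.0, new - room))

    def police(self, size, now):
        """Return the action for a packet of `size` bytes arriving at `now` (s)."""
        self._refill(now)
        if self.tc >= size:
            self.tc -= size
            return self.conform_action
        if self.te >= size:
            self.te -= size
            return self.exceed_action
        return self.violate_action


def run(policer, packets):
    """packets: iterable of (arrival_time_s, size_bytes). Returns action counts."""
    counts = {"transmit": 0, "drop": 0}
    for t, size in packets:
        counts[policer.police(size, t)] += 1
    return counts


# Constructed sample traffic: a 20-packet burst of 1000-byte packets at t=0,
# then a second identical burst 100 ms later.
BURST = [(0.0, 1000)] * 20 + [(0.1, 1000)] * 20


def monitoring_class():
    # class coppclass-monitoring from the policy above
    p = Policer(900000, 9000, 9000, "transmit", "drop")
    return run(p, BURST)


def undesirable_class():
    # class coppclass-undesirable: conform and exceed both drop
    p = Policer(32000, 3000, 3000, "drop", "drop")
    return run(p, BURST)


if __name__ == "__main__":
    print("monitoring :", monitoring_class())
    print("undesirable:", undesirable_class())
```

The first burst exhausts the 9000-byte committed bucket after nine packets; the rest are policed as exceed or violate and, because exceed-action is drop, are discarded. Only 11250 bytes are earned in the next 100 ms, so the second burst fares the same. The undesirable class drops every packet whatever the rate, which is what the comment on that class states.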
Additional Catalyst 6500 Infrastructure Protection Features
The Catalyst 6500 Series switches offer an additional set of features, not available on Catalyst 4500
Series switches, that provide unmatched protection against distributed denial of service (DDoS) and
other types of attacks affecting the switching infrastructure. This section describes the unique
implementation of the following features on Catalyst 6500 Series switches:
Unicast Reverse Path Forwarding (uRPF), page 67
Hardware-Based Rate Limiters on Supervisor 2, page 69
Hardware-Based Rate Limiters on Supervisors 32 and 720, page 72
Unicast Reverse Path Forwarding (uRPF)
Unicast Reverse Path Forwarding (uRPF) is a feature available on Catalyst 6500 Series switches
running Cisco IOS software that helps prevent attacks based on IP source address spoofing. uRPF can be
used as an alternative to ACLs for implementing BCP38/RFC 2827 ingress traffic filtering.
On Catalyst 6500 Series switches, uRPF can be enabled on physical and VLAN interfaces. When enabled
on an interface, the switch verifies that every packet received on that interface has a source address that
is reachable via that same interface. To that end, uRPF checks that there is a reverse path route pointing
to the interface on which the packet arrived. If there is one, the packet is forwarded normally;
otherwise, the packet is dropped. This ensures that the source addresses of incoming packets are
consistent with the routing information held on the switch, which in turn helps prevent packets with
forged source IP addresses from being forwarded.
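The per-packet check described above, as an added example that is not part of the Cisco guide: a longest-prefix lookup over a constructed forwarding table, followed by the strict-mode test that the best route to the packet's source points back out the ingress interface. It goes slightly beyond the text in two ways, both labelled in the code: a loose mode (any route suffices, the IOS "reachable-via any" form) and an allow_default switch, since IOS only lets a default route satisfy the check when the allow-default keyword is configured. Interface names, routes and packets are all assumptions.

```python
# Added example (not from the Cisco guide): a model of the per-packet uRPF
# check. Strict mode ("rx") requires the best route to the packet's source to
# point back out the ingress interface; loose mode ("any") only requires that
# some route exists. The FIB and packets below are constructed sample data.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


# Constructed forwarding table (assumption: these routes and interfaces exist).
FIB = [
    Route(ipaddress.ip_network("10.1.0.0/16"), "Vlan10"),
    Route(ipaddress.ip_network("10.1.5.0/24"), "Vlan15"),            # more specific than the /16
    Route(ipaddress.ip_network("192.0.2.0/24"), "GigabitEthernet1/1"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "GigabitEthernet1/2"),  # default route
]


def lookup(fib, src):
    """Longest-prefix match for src; returns the Route or None."""
    ip = ipaddress.ip_address(src)
    best = None
    for r in fib:
        if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def urpf(fib, src, ingress, mode="rx", allow_default=False):
    """Return "forward" or "drop" for a packet with source src received on ingress.

    mode="rx" is the strict check the guide describes; mode="any" is loose mode.
    A default route satisfies the check only when allow_default is True
    (IOS 'allow-default' keyword).
    """
    route = lookup(fib, src)
    if route is None:
        return "drop"                       # no reverse path at all
    if route.prefix.prefixlen == 0 and not allow_default:
        return "drop"                       # matched only the default route
    if mode == "any":
        return "forward"                    # loose mode: any route will do
    return "forward" if route.interface == ingress else "drop"


# Constructed packets: (source address, ingress interface)
PACKETS = [
    ("10.1.5.7", "Vlan15"),               # legitimate: /24 points to Vlan15
    ("10.1.5.7", "Vlan10"),               # arrives on Vlan10, best route says Vlan15
    ("10.1.7.7", "Vlan10"),               # legitimate: covered by the /16
    ("192.0.2.9", "GigabitEthernet1/1"),  # legitimate
    ("192.0.2.9", "Vlan10"),              # forged source from a prefix routed elsewhere
    ("203.0.113.5", "Vlan10"),            # only the default route matches
]


def filter_packets(fib, packets, **opts):
    """Apply the uRPF check to each packet; returns {(src, ingress): verdict}."""
    return {(src, ing): urpf(fib, src, ing, **opts) for src, ing in packets}


if __name__ == "__main__":
    for (src, ing), verdict in filter_packets(FIB, PACKETS).items():
        print(f"{src:>12} on {ing:<20} -> {verdict}")
```

The second packet shows the operational caveat of strict mode: a source that is legitimately reachable, but via a different interface than the one it arrived on, is dropped just like a forged one, so strict uRPF is only safe on interfaces where routing is symmetric.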