Leaflet

69
OL-11615-01
Interface-group—The PFC3 performs the Unicast RPF check in hardware for single-path and
two-path prefixes. The PFC3 also performs the Unicast RPF check for up to four additional
interfaces per prefix through user-configured multipath Unicast RPF check interface groups.
Unicast RPF check is disabled for packets coming from other multipath prefixes that have three or
more reverse-path interfaces (these packets always pass the Unicast RPF check).
For more information on uRPF on Catalyst 6500 Series switches, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/secure.htm
Hardware-Based Rate Limiters on Supervisor 2
The Supervisor Engine 2 for the Catalyst 6500 Series switches implements four hardware-based rate
limiters that control the rate at which packets are sent to the MSFC, helping mitigate DoS and
other attacks that try to overwhelm the MSFC. These rate limiters use four rate-limiter registers that are
configured globally on the switch. The rate-limiter registers are located in the Layer 3 forwarding engine
(PFC) and hold the rate-limiting information for packets destined to the MSFC.
The four rate-limiter registers can be shared among different rate-limiting scenarios. The registers are
assigned on a first-come, first-served basis. If all registers are in use, the only way to configure
another rate limiter is to free one register.
The hardware-based rate limiters available on the Supervisor Engine 2 are as follows:
Ingress-Egress ACL Bridged Packets (Unicast Only), page 69
FIB (CEF) Receive and FIB Glean Cases (Unicast Only), page 70
VACL Log (Unicast Only), page 70
Layer 3 Security Features (Unicast Only), page 71
Routing Protocol Policing, page 71
Note: The rate limiters are a very useful tool to protect the MSFC. However, special care should be taken when
they are deployed. Rate limiters do not discriminate between good frames and bad frames. There is always a
chance that good frames are discarded under attack conditions.
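The following simulation illustrates the caveat in the Note. It is an added example, not Cisco code and not the PFC's exact hardware algorithm: it models a limiter configured as pps sustained packets per second with a bucket depth of packets-in-burst as a plain token bucket, then feeds it a constructed stream that mixes legitimate control-plane frames with flood traffic (the traffic rates, the stream shape and all function names are assumptions made for the example). Because the limiter cannot tell good frames from bad, most of the good frames are discarded once the flood has consumed the shared budget.

```python
"""Token-bucket model of a pps / packets-in-burst rate limiter (added example,
not Cisco code; the PFC's real implementation is not described on this page)."""
from dataclasses import dataclass, field


@dataclass
class TokenBucketLimiter:
    pps: int                   # sustained rate: tokens added per second
    burst: int                 # bucket depth: packets-in-burst
    tokens: float = field(init=False)
    last_t: float = field(default=0.0, init=False)

    def __post_init__(self):
        self.tokens = float(self.burst)      # bucket starts full

    def admit(self, t: float) -> bool:
        """True if a packet arriving at time t (seconds, non-decreasing) is
        passed to the MSFC, False if the limiter discards it."""
        self.tokens = min(float(self.burst),
                          self.tokens + (t - self.last_t) * self.pps)
        self.last_t = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def build_stream(good_pps: int, attack_pps: int, seconds: float):
    """Constructed sample traffic: evenly spaced good frames plus evenly
    spaced attack frames, returned as (arrival_time, is_good) sorted by time."""
    events = [(i / good_pps, True) for i in range(int(good_pps * seconds))]
    events += [(i / attack_pps, False) for i in range(int(attack_pps * seconds))]
    events.sort()
    return events


def run(limiter_pps: int, burst: int, good_pps: int, attack_pps: int,
        seconds: float = 1.0) -> dict:
    """Push the stream through one limiter and count the outcome per class."""
    limiter = TokenBucketLimiter(limiter_pps, burst)
    stats = {"good_admitted": 0, "good_dropped": 0,
             "attack_admitted": 0, "attack_dropped": 0}
    for t, is_good in build_stream(good_pps, attack_pps, seconds):
        outcome = "admitted" if limiter.admit(t) else "dropped"
        stats[("good_" if is_good else "attack_") + outcome] += 1
    return stats


if __name__ == "__main__":
    # Burst of 50 as in the ACL example below, but a 1000 pps rate so a small
    # constructed stream is enough to show the effect.
    # 100 pps of legitimate frames alone fit comfortably ...
    print("no attack:  ", run(1000, 50, 100, 0))
    # ... while a ~10 kpps flood sharing the same limiter starves them.
    print("under flood:", run(1000, 50, 100, 9973))
```

The limiter admits roughly burst + pps x seconds packets in total no matter who sent them, so the share of good frames that survive is about their share of the offered load; this is why the rate should be set well above the legitimate control-plane rate and why dropped-frame counters need watching during an incident.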
Ingress-Egress ACL Bridged Packets (Unicast Only)
This rate limiter rate limits packets sent to the MSFC because of an ingress/egress ACL bridge result.
Examples of ACL bridged packets include packets hitting the log keyword, packets requiring special ACL
features, and non-supported hardware packet types such as IPX and AppleTalk.
To enable and set the ACL-bridged rate limiter, use the mls rate-limit unicast acl command:
Router(config)# mls rate-limit unicast acl {input | output} {pps [packets-in-burst]}
Ingress and egress values can be defined independently. However, when used together, both the ingress
and egress values will be the same as they both share the same rate-limiter register.
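The following model shows the two constraints described above in working code: the four registers are handed out first-come, first-served, a fifth distinct limiter cannot be configured until one is freed, and because the ingress and egress ACL-bridged limiters share one register the values configured last apply to both. It is an added example, not Cisco code; the scenario names, the assumption that each of the other scenarios occupies its own register, and the method names are assumptions made for the example.

```python
"""Allocator model of the Supervisor Engine 2's four shared rate-limiter
registers (added example, not Cisco code)."""

REGISTER_COUNT = 4     # four rate-limiter registers in the PFC (from the text)

# Scenarios that share a register map to the same register key. Only the
# ACL-bridged input/output pair is stated in the text; the other scenarios
# are assumed here to each occupy their own register.
REGISTER_KEY = {
    "acl-bridged input": "acl-bridged",
    "acl-bridged output": "acl-bridged",
    "fib receive/glean": "fib",
    "vacl log": "vacl-log",
    "layer3 security": "l3-security",
    "routing protocol": "routing-protocol",
}


class RateLimiterRegisters:
    """Registers handed out first-come, first-served."""

    def __init__(self, count: int = REGISTER_COUNT):
        self.count = count
        self._regs = {}           # register key -> (pps, packets_in_burst)

    def configure(self, scenario: str, pps: int, burst: int) -> str:
        """Program the register for scenario and return the register key.
        Raises RuntimeError when no register is free for a new scenario."""
        key = REGISTER_KEY[scenario]
        if key not in self._regs and len(self._regs) >= self.count:
            raise RuntimeError(
                f"all {self.count} rate-limiter registers are in use; "
                f"free one before configuring '{scenario}'")
        self._regs[key] = (pps, burst)   # also rewrites any sharing scenario
        return key

    def free(self, scenario: str) -> None:
        """Release the register used by scenario (no-op if not configured)."""
        self._regs.pop(REGISTER_KEY[scenario], None)

    def settings(self, scenario: str):
        """Effective (pps, burst) for scenario, or None if not rate limited."""
        return self._regs.get(REGISTER_KEY[scenario])

    def in_use(self) -> int:
        return len(self._regs)


def demo() -> dict:
    """Walk through the two pitfalls; values are constructed for the example."""
    regs = RateLimiterRegisters()
    regs.configure("acl-bridged input", 50000, 50)
    # Egress shares the register, so ingress silently becomes 20000 pps / 10.
    regs.configure("acl-bridged output", 20000, 10)
    shared = regs.settings("acl-bridged input")
    regs.configure("fib receive/glean", 10000, 10)
    regs.configure("vacl log", 500, 10)
    regs.configure("layer3 security", 1000, 10)
    try:
        regs.configure("routing protocol", 1000, 10)   # fifth distinct limiter
        fifth_ok = True
    except RuntimeError:
        fifth_ok = False
    regs.free("vacl log")                               # free one register ...
    regs.configure("routing protocol", 1000, 10)        # ... and it now fits
    return {"shared": shared, "fifth_ok": fifth_ok, "in_use": regs.in_use()}


if __name__ == "__main__":
    print(demo())   # {'shared': (20000, 10), 'fifth_ok': False, 'in_use': 4}
```

The practical check this encodes: after configuring either direction of the ACL-bridged limiter, read back the other direction, since the last command wins for both; and before adding a limiter, count the registers already in use.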
This example shows how to rate limit the unicast packets from an ingress ACL bridge result to 50000
packets per second, and 50 packets in burst:
Router(config)# mls rate-limit unicast acl input 50000 50
This example shows how to rate limit the unicast packets from an ingress ACL bridge result to the same
rate (50000 pps and 50 packets in burst) for egress ACL bridge results: