OL-11615-01
For more information on the mls rate-limit unicast acl vacl-log command, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/cmdref/m1.htm#wp1719874
Layer 3 Security Features (Unicast Only)
Some security features are processed by first sending the packets to the MSFC. For these features, you need to rate limit the number of packets sent to the MSFC to reduce the potential for overloading it. The features are authentication proxy (auth-proxy), IPsec, and inspection. Do not enable this rate limiter unless you plan to use one of these features.
Authentication proxy is used to authenticate inbound or outbound users or both. These users are
normally blocked by an access list, but with auth-proxy, the users can bring up a browser to go through
the firewall and authenticate on a terminal access controller access control system plus (TACACS+) or
RADIUS server (based on the IP address). The server passes additional access list entries down to the
switch to allow the users through after authentication. These ACLs are stored and processed in software,
and if there are many users using auth-proxy, the MSFC might be overwhelmed. Rate limiting would be
advantageous in this situation.
IPSec and inspection are also done by the MSFC and they might require rate limiting. When the Layer
3 security feature rate limiter is enabled, all Layer 3 rate limiters for auth-proxy, IPSec and inspection
are enabled at the same rate.
To enable and set the Layer 3 security features rate limiter, use the mls rate-limit unicast ip features command:
Router(config)# mls rate-limit unicast ip features pps [packets-in-burst]
This example shows how to rate limit the security features to the MSFC to 100000 pps with a burst of
10 packets:
Router(config)# mls rate-limit unicast ip features 100000 10
For more information on the mls rate-limit unicast ip features command, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/cmdref/m1.htm#wp1500566
Routing Protocol Policing
The Catalyst 6500 Series switches provide specific hardware-based policing mechanisms that can rate
limit routing protocols destined to the switch. These mechanisms help protect the switch from DoS
attacks based on BGP, IGRP, LDP, ND, OSPF, and RIP packets.
Note: The routing protocol and ARP policers not only police traffic destined to the switch, but also traffic crossing the switch.
This rate limiter is enabled by default with a rate burst of 1000 bits per second. To set the routing protocol
and ARP policing, use the mls qos protocol global configuration command.
Router(config)# mls qos protocol protocol-name {pass-through | {police rate burst} | {precedence value [police rate burst]}}
Note: This command does not support ARP, ISIS, or EIGRP on Catalyst 6500 Series switches that are configured with a Supervisor Engine 2.
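The following audit script is an added example, not part of the Cisco document: it parses the two commands described above (mls rate-limit unicast ip features and mls qos protocol) from a running-config excerpt and flags the two caveats the text raises, the features limiter being enabled without auth-proxy, IPsec or inspection in use, and ARP/ISIS/EIGRP policers on a Supervisor Engine 2. The config keywords used to detect auth-proxy, IPsec and inspection, the supervisor parameter and the sample config are assumptions.

```python
# Added example (not from the Cisco document): audit a running-config excerpt
# for the two rate-limit commands this page documents.
from typing import Dict

# Keywords assumed to indicate the MSFC-processed features named on the page
# (auth-proxy, IPsec, inspection); the exact CLI forms are assumptions.
FEATURE_HINTS = ("ip auth-proxy", "crypto map", "ip inspect")
# Protocols the page says mls qos protocol does not support on a Supervisor Engine 2.
SUP2_UNSUPPORTED = {"arp", "isis", "eigrp"}

def parse_protocol_policer(line: str) -> Dict:
    """Parse 'mls qos protocol <name> {pass-through | police r b | precedence v [police r b]}'."""
    toks = line.split()
    entry = {"protocol": toks[3].lower(), "action": toks[4]}
    if toks[4] == "police":
        entry["rate"], entry["burst"] = int(toks[5]), int(toks[6])
    elif toks[4] == "precedence":
        entry["value"] = int(toks[5])
        if len(toks) > 6 and toks[6] == "police":
            entry["rate"], entry["burst"] = int(toks[7]), int(toks[8])
    return entry

def audit_rate_limits(config: str, supervisor: str = "sup720") -> Dict:
    """Return the parsed limiters plus the warnings a config reviewer would raise."""
    result = {"features": None, "protocols": [], "warnings": []}
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    for line in lines:
        if line.startswith("mls rate-limit unicast ip features "):
            toks = line.split()  # ... features <pps> [<packets-in-burst>]
            result["features"] = {"pps": int(toks[5]),
                                  "burst": int(toks[6]) if len(toks) > 6 else None}
        elif line.startswith("mls qos protocol "):
            result["protocols"].append(parse_protocol_policer(line))
    # The page says not to enable the features limiter unless auth-proxy,
    # IPsec or inspection is actually in use.
    uses_feature = any(any(l.startswith(h) for h in FEATURE_HINTS) for l in lines)
    if result["features"] and not uses_feature:
        result["warnings"].append("ip features limiter enabled without auth-proxy/IPsec/inspection")
    if supervisor.lower() == "sup2":
        for p in result["protocols"]:
            if p["protocol"] in SUP2_UNSUPPORTED:
                result["warnings"].append(f"mls qos protocol {p['protocol']} unsupported on Sup2")
    return result

# Constructed sample config excerpt (not taken from a real device).
SAMPLE_CONFIG = """
mls qos
mls rate-limit unicast ip features 100000 10
mls qos protocol ospf police 32000 1000
mls qos protocol arp police 32000 1000
mls qos protocol bgp pass-through
"""

if __name__ == "__main__":
    for w in audit_rate_limits(SAMPLE_CONFIG, supervisor="sup2")["warnings"]:
        print("WARNING:", w)
```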