OL-11615-01
This example shows how to define routing-protocol packet policing:
Router(config)# mls qos protocol bgp police 32000
For more information on the mls qos protocol command, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/cmdref/m1.htm#wp1502440
Hardware-Based Rate Limiters on Supervisors 32 and 720
The Supervisor Engine 32 and Supervisor Engine 720 for the Catalyst 6500 Series switches implement
ten hardware-based rate limiters that can control the rate at which packets are sent to the route or
switch processor CPU, helping mitigate DoS and other attacks that try to overwhelm the CPU. Eight of
these registers are present in the Layer 3 forwarding engine and two of these registers are present in the
Layer 2 forwarding engine.
The ten rate-limiter registers can be shared among different rate-limiting scenarios. The registers are
assigned on a first-come, first-served basis. If all registers are being used, the only way to configure
another rate limiter is to free one register.
These hardware-based rate limiters are supported on both Supervisor 720 and Supervisor 32 Catalyst OS
and Cisco IOS versions.
Note: Rate limiters are a very useful tool for protecting the route or switch processor CPU. However,
special care should be taken when deploying them. Rate limiters do not discriminate between good frames
and bad frames, so there is always a chance that good frames are discarded under attack conditions.
The hardware-based rate limiters available on the Supervisor Engines 32 and 720 are as follows:
Ingress and egress ACL bridged packets
uRPF check failure
ICMP unreachable (no route, ACL drop)
ICMP redirects
IP Errors
FIB receive
FIB glean
VACL log
Layer 3 security features
TTL failure
MTU failure
Layer 2 PDU
Layer 2 protocol tunneling
Layer 2 multicast IGMP snooping
Multicast IPv4
Multicast IPv6
Routing protocol and ARP policing
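The following configuration is an added example, not taken from the original document. It enables four of the limiters listed above with the mls rate-limit command, frees one again with the no form, and displays the resulting limiter status. The packets-per-second and burst values are constructed placeholders and must be chosen from a baseline of the switch's normal punted traffic.

```ios
! Added example; all rate and burst values are constructed placeholders.
! FIB glean: packets punted to the CPU to trigger ARP resolution
Router(config)# mls rate-limit unicast cef glean 1000 10
! TTL failure and MTU failure
Router(config)# mls rate-limit all ttl-failure 1000 10
Router(config)# mls rate-limit all mtu-failure 1000 10
! Layer 2 PDU
Router(config)# mls rate-limit layer2 pdu 1000 20
! Disable a limiter that is no longer needed so its register can be reused
Router(config)# no mls rate-limit all mtu-failure
Router(config)# end
! List each limiter type with its status, rate and burst
Router# show mls rate-limit
```

Review the show output after each change: because registers are assigned first-come, first-served, it is the quickest way to confirm which limiters are actually active before adding another.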