OL-11615-01
This example shows how to define routing-protocol packet policing:
Router(config)# mls qos protocol bgp police 32000
For more information on the mls qos protocol command, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/cmdref/m1.htm#wp1502440
Hardware-Based Rate Limiters on Supervisors 32 and 720
The Supervisor Engine 32 and Supervisor Engine 720 for the Catalyst 6500 Series switches implement
ten hardware-based rate limiters that control the rate at which packets are sent to the route or
switch processor CPU, helping to mitigate DoS and other attacks that try to overwhelm the CPU. Eight of
these registers are in the Layer 3 forwarding engine and two are in the
Layer 2 forwarding engine.
The ten rate-limiter registers can be shared among different rate-limiting scenarios. The registers are
assigned on a first-come, first-served basis. If all registers are in use, the only way to configure
another rate limiter is to free one register.
These hardware-based rate limiters are supported on both the Supervisor 720 and the Supervisor 32, in
Catalyst OS and Cisco IOS versions.
Note: Rate limiters are a very useful tool for protecting the route or switch processor CPU. However,
take special care when deploying them. Rate limiters do not discriminate between good frames and bad
frames, so there is always a chance that good frames are discarded under attack conditions.
The hardware-based rate limiters available on the Supervisor Engines 32 and 720 are as follows:
• Ingress and egress ACL bridged packets
• uRPF check failure
• ICMP unreachable (no route, ACL drop)
• ICMP redirects
• IP Errors
• FIB receive
• FIB glean
• VACL log
• Layer 3 security features
• TTL failure
• MTU failure
• Layer 2 PDU
• Layer 2 protocol tunneling
• Layer 2 multicast IGMP snooping
• Multicast IPv4
• Multicast IPv6
• Routing protocol and ARP policing
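The following configuration is an added illustration, not part of the original document. It enables a few of the limiters listed above with the Cisco IOS mls rate-limit command, frees one register, and displays the resulting assignments. The packets-per-second and burst values are constructed placeholders and should be sized against a measured traffic baseline.

```cisco
! Constructed values: <pps> <burst> below are placeholders, not recommendations.
! FIB glean: packets that need ARP resolution for a directly connected host
Router(config)# mls rate-limit unicast cef glean 1000 100
! TTL failure: packets punted to the CPU because the TTL expired
Router(config)# mls rate-limit all ttl-failure 500 10
! MTU failure: packets punted because they need fragmentation
Router(config)# mls rate-limit all mtu-failure 500 10
! ICMP unreachable (no route)
Router(config)# mls rate-limit unicast ip icmp unreachable no-route 100 10
! Layer 2 PDU: uses one of the two Layer 2 forwarding engine registers
Router(config)# mls rate-limit layer2 pdu 2000 20
! Free a register so that a different limiter can be configured
Router(config)# no mls rate-limit all mtu-failure
Router(config)# end
! Review which limiters are active and their configured rates
Router# show mls rate-limit
```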