Leaflet

OL-11615-01
Note: The hardware-based rate limiters do not provide the same level of granularity as CoPP but can be used in
cases where CoPP cannot classify particular types of traffic (for example, packets that fail the MTU
check, and packets with IP options). We recommend that you use CoPP and hardware-based rate limiters
together. However, be aware that some hardware-based rate limiters override the CoPP policy.
Ingress-Egress ACL Bridged Packets (Unicast Only)
This rate limiter limits the rate of packets sent to the MSFC because of an ingress/egress ACL bridge result.
Examples of ACL-bridged packets include packets hitting the log keyword, packets requiring special ACL
features, and non-supported hardware packet types, such as IPX and AppleTalk.
This rate limiter is disabled by default. To enable and set the ACL-bridged rate limiter, use the mls
rate-limit unicast acl command.
Router(config)# mls rate-limit unicast acl {input | output} pps [packets-in-burst]
Burst values regulate how many packets can be allowed in a burst. Each allowed packet consumes a token
and a token must be available for a packet to be allowed. One token is generated per millisecond. When
packets are not coming in, tokens can be accumulated up to the burst value. For example, if the burst
value is set to 50, the switch can accumulate up to 50 tokens and absorb a burst of 50 packets.
Ingress and egress values can be defined independently. However, when used together, both the ingress
and egress values will be the same as they both share the same rate-limiter register.
This example shows how to rate limit the unicast packets from an ingress ACL bridge result to 50000
packets per second, and 50 packets in burst:
Router(config)# mls rate-limit unicast acl input 50000 50
This example shows how to apply the same rate (50000 pps and 50 packets in burst) to the unicast
packets from egress ACL bridge results:
Router(config)# mls rate-limit unicast acl output 50000 50
Because both ingress and egress limiters share the same rate-limiter register, when one of them is
changed, both values change to the last configured value. In the following example, the output rate is
changed to 40000 pps:
Router(config)# mls rate-limit unicast acl output 40000 50
For more information on the mls rate-limit unicast acl command, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/cmdref/m1.htm#wp1719874
uRPF Check Failure (Unicast Only)
The uRPF check failure rate limiter allows you to configure a rate for the packets that need to be sent to
the MSFC because they failed the uRPF check. The uRPF checks validate that incoming packets on an
interface are from a valid source, which minimizes the potential threat of DoS attacks from users using
spoofed addresses. When spoofed packets fail the uRPF check, those failures can be sent to the MSFC.
The uRPF check rate limiters allow you to rate limit the packets per second that are bridged to the MSFC
CPU when a uRPF check failure occurs.
This rate limiter is enabled by default with a limit of 100 pps and a burst of 10 packets. To set the uRPF
Check Failure rate limiter, use the mls rate-limit unicast ip rpf-failure command.
Router(config)# mls rate-limit unicast ip rpf-failure pps [packets-in-burst]
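The shared-register behavior of the ACL-bridged limiter and the defaults stated above (ACL-bridged disabled, uRPF failure at 100 pps with a burst of 10) are easy to lose track of in a change script. The following is an added example, not part of the original document or of any Cisco tool: it replays commands in the order they are entered and reports the values that end up in effect. The function names, the state layout and the sample list are assumptions made for illustration.

```python
import re

# Command forms as given on the page; packets-in-burst is optional.
ACL_RE = re.compile(r"mls rate-limit unicast acl (input|output) (\d+)(?: (\d+))?$")
RPF_RE = re.compile(r"mls rate-limit unicast ip rpf-failure (\d+)(?: (\d+))?$")
PROMPT_RE = re.compile(r"^Router\(config\)#\s*")

# Constructed sample: the three example commands from the page, in order.
SAMPLE = [
    "Router(config)# mls rate-limit unicast acl input 50000 50",
    "Router(config)# mls rate-limit unicast acl output 50000 50",
    "Router(config)# mls rate-limit unicast acl output 40000 50",
]

def _value(m, first):
    # Burst omitted: the page states no default, so keep it as None.
    burst = m.group(first + 1)
    return int(m.group(first)), int(burst) if burst else None

def effective_limiters(commands):
    """Replay commands in entry order; return (state, warnings)."""
    state = {
        "acl": None,                                # disabled by default
        "rpf-failure": {"pps": 100, "burst": 10},   # enabled by default
    }
    typed = {}      # direction -> (pps, burst) currently in effect
    warnings = []
    for raw in commands:
        line = PROMPT_RE.sub("", raw.strip())
        m = ACL_RE.match(line)
        if m:
            direction, value = m.group(1), _value(m, 2)
            # Shared register: the other direction takes the new value too.
            for other, old in typed.items():
                if other != direction and old != value:
                    warnings.append(f"acl {other} {old} replaced by acl {direction} {value}")
            typed = {d: value for d in set(typed) | {direction}}
            state["acl"] = {"directions": sorted(typed), "pps": value[0], "burst": value[1]}
            continue
        m = RPF_RE.match(line)
        if m:
            pps, burst = _value(m, 1)
            state["rpf-failure"] = {"pps": pps, "burst": burst}
    return state, warnings

if __name__ == "__main__":
    print(effective_limiters(SAMPLE))
```

A non-empty warnings list means an earlier ingress or egress value was silently replaced by a later command on the other direction.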