OL-11615-01
This example shows how to rate limit the uRPF check failure packets sent to the MSFC to 100000 pps
with a burst of 100 packets:
Router(config)# mls rate-limit unicast ip rpf-failure 100000 100
Note The ICMP unreachable no route, ICMP unreachable ACL drop, IP errors, and IP RPF failure
rate-limiters share a single rate-limiter register. If any of these limiters are enabled, all of the limiters in
this group will share the same value and sometimes the same state (for example, ON/ON/ON). When
verifying the rate limiters, if the members of this register are enabled through another feature, an
ON-Sharing status (instead of an ON status) is displayed. The exception is the TTL failure rate limiter:
it takes the same value as the other members in the register if you have manually enabled the
feature.
For more information on the mls rate-limit unicast ip rpf-failure command, refer to the following
URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/cmdref/m1.htm#wp1500566
ICMP Unreachable (Unicast Only)
In an ICMP overload unreachable attack, the victim device is flooded with a large number of packets
that require the generation of ICMP unreachable packets. By IP standards, a router is required to
generate an ICMP unreachable message to the source of a packet it cannot deliver because there is no route
to the destination, or because the packet has to be blocked by an ACL. The ICMP unreachable rate limiter
allows you to rate limit the packets sent to the MSFC that trigger ICMP unreachables.
This rate limiter is enabled by default with a limit of 100 pps and a burst of 10 packets. To set the ICMP
Unreachable rate limiter, use the mls rate-limit unicast ip icmp unreachable command:
Router(config)# mls rate-limit unicast ip icmp unreachable {acl-drop pps | no-route pps} [packets-in-burst]
This example shows how to rate limit the packets that are sent to the MSFC because of an ACL drop to
10000 pps and a burst of 100:
Router(config)# mls rate-limit unicast ip icmp unreachable acl-drop 10000 100
This example shows how to rate limit the packets that require generation of ICMP-unreachable messages
because of a FIB miss to 80000 pps and burst to 70:
Router(config)# mls rate-limit unicast ip icmp unreachable no-route 80000 70
Note The ICMP unreachable no route, ICMP unreachable ACL drop, IP errors, and IP RPF failure
rate-limiters share a single rate-limiter register. If any of these limiters are enabled, all of the limiters in
this group will share the same value and sometimes the same state (for example, ON/ON/ON). When
verifying the rate limiters, if the members of this register are enabled through another feature, an
ON-Sharing status (instead of an ON status) is displayed. The exception is the TTL failure rate limiter:
it takes the same value as the other members in the register if you have manually enabled the
feature.
For more information on the mls rate-limit unicast ip icmp unreachable command, refer to the
following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/cmdref/m1.htm#wp1500566
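The shared-register note above applies to both the RPF failure and the ICMP unreachable rate limiters: configuring the members of that group with different pps or burst values is a common mistake, because the hardware will apply one value to all of them. The following is an added example (not Cisco code, and not from this document) of a small configuration audit that parses the mls rate-limit unicast lines of a running-config and flags members of the shared register that were configured with conflicting values. The sample configuration is constructed from the commands shown on this page; the IOS keyword for the IP errors limiter is assumed to be "ip errors".

```python
"""Audit Catalyst 6500 'mls rate-limit unicast' lines for the shared-register
constraint described on this page (added example, not Cisco's own code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Rate limiters that the documentation says share one hardware register.
# Assumption: the IOS keyword for the "IP errors" limiter is "ip errors".
SHARED_REGISTER = frozenset({
    "ip rpf-failure",
    "ip icmp unreachable acl-drop",
    "ip icmp unreachable no-route",
    "ip errors",
})

# Matches e.g. "mls rate-limit unicast ip icmp unreachable acl-drop 10000 100"
# (limiter keywords, then pps, then an optional packets-in-burst value).
LINE_RE = re.compile(
    r"^\s*mls rate-limit unicast (?P<limiter>[a-z -]+?) (?P<pps>\d+)(?: (?P<burst>\d+))?\s*$"
)

# Constructed sample: the three commands from this page, each with a different
# rate, which is exactly the situation the note warns about.
SAMPLE_CONFIG = """\
mls rate-limit unicast ip rpf-failure 100000 100
mls rate-limit unicast ip icmp unreachable acl-drop 10000 100
mls rate-limit unicast ip icmp unreachable no-route 80000 70
"""

# Constructed sample with the shared-register members aligned.
CONSISTENT_CONFIG = """\
mls rate-limit unicast ip rpf-failure 10000 100
mls rate-limit unicast ip icmp unreachable acl-drop 10000 100
mls rate-limit unicast ip icmp unreachable no-route 10000 100
"""


@dataclass
class RateLimiter:
    name: str
    pps: int
    burst: Optional[int]  # None when packets-in-burst was not given


def parse_config(config_text: str) -> Dict[str, RateLimiter]:
    """Extract unicast rate-limiter settings; other lines are ignored."""
    limiters: Dict[str, RateLimiter] = {}
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        burst = int(m["burst"]) if m["burst"] else None
        limiters[m["limiter"]] = RateLimiter(m["limiter"], int(m["pps"]), burst)
    return limiters


def audit_shared_register(limiters: Dict[str, RateLimiter]) -> List[str]:
    """Report members of the shared register configured with differing values.

    Because the hardware holds a single value for the whole group, differing
    pps or burst settings cannot all take effect; one value will apply to all.
    """
    members = {n: rl for n, rl in limiters.items() if n in SHARED_REGISTER}
    findings: List[str] = []
    if len(members) < 2:
        return findings  # nothing to conflict with

    pps_values = {rl.pps for rl in members.values()}
    if len(pps_values) > 1:
        detail = ", ".join(f"{n}={rl.pps}" for n, rl in sorted(members.items()))
        findings.append(f"shared register members configured with different pps: {detail}")

    burst_values = {rl.burst for rl in members.values() if rl.burst is not None}
    if len(burst_values) > 1:
        detail = ", ".join(f"{n}={rl.burst}" for n, rl in sorted(members.items()))
        findings.append(f"shared register members configured with different burst: {detail}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("page sample", SAMPLE_CONFIG), ("aligned", CONSISTENT_CONFIG)):
        print(f"[{label}]")
        for finding in audit_shared_register(parse_config(cfg)) or ["no conflicts"]:
            print("  " + finding)
```

Running the script reports two conflicts for the page's own three commands (differing pps and differing burst) and none for the aligned configuration; the audit deliberately does not claim which of the conflicting values the hardware ends up using, only that they cannot all be in effect.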