OL-11615-01
Layer 3 Security Features (Unicast Only)
Some security features are processed by first being sent to the MSFC. To reduce the risk of overloading the MSFC, you need to rate limit the number of these packets sent to it. The security features concerned are authentication proxy (auth-proxy), IPSec, and inspection. Do not enable this rate limiter unless you plan to use one of these features.
Authentication proxy authenticates inbound users, outbound users, or both. These users are normally blocked by an access list, but with auth-proxy a user can open a browser, go through the firewall, and authenticate against a Terminal Access Controller Access Control System Plus (TACACS+) or RADIUS server (based on the IP address). The server passes additional access list entries down to the switch to allow the user access after authentication. These ACLs are stored and processed in software, so if many users are using auth-proxy, the MSFC can be overwhelmed. Rate limiting is advantageous in this situation.
IPSec and inspection are also performed by the MSFC and might require rate limiting. When the Layer 3 security feature rate limiter is enabled, the Layer 3 rate limiters for auth-proxy, IPSec, and inspection are all enabled at the same rate.
This rate limiter is disabled by default. To enable and set the Layer 3 security features rate limiter, use
the mls rate-limit unicast ip features command.
Router(config)# mls rate-limit unicast ip features pps [packets-in-burst]
This example shows how to rate limit the security features to the MSFC to 100000 pps with a burst of
10 packets:
Router(config)# mls rate-limit unicast ip features 100000 10
For more information on the mls rate-limit unicast ip features command, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/cmdref/m1.htm#wp1500566
TTL Failure (Unicast and Multicast)
This rate limiter limits the rate of packets sent to the MSFC because of a time-to-live (TTL) check failure. As indicated by the all keyword in the following example, this rate limiter applies to both multicast and unicast traffic.
This rate limiter is disabled by default. To enable and set the TTL Failure rate limiter, use the mls
rate-limit all ttl-failure command.
Router(config)# mls rate-limit all ttl-failure pps [packets-in-burst]
This example shows how to rate limit the TTL failures to 70000 pps with a burst of 150:
Router(config)# mls rate-limit all ttl-failure 70000 150
Note: Do not use this rate limiter in conjunction with Layer 2 multicast in a system with PFC3A.
For more information on the mls rate-limit all ttl-failure command, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/cmdref/m1.htm#wp1497651
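The following is an added audit script, not part of this Cisco document, that parses a running-config excerpt for the two rate limiters described above (Layer 3 security features and TTL failure), reports which are still at their disabled default, and flags the Layer 3 security features limiter when none of the features it protects appears to be configured. The indicator prefixes ip auth-proxy, ip inspect and crypto map, and the sample config, are assumptions of this example.

```python
import re

# Constructed sample running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
hostname core-sw1
!
ip inspect name FW tcp
!
mls rate-limit unicast ip features 100000 10
mls rate-limit all ttl-failure 70000 150
!
"""

# Rate limiters discussed on this page: config keywords -> report name.
LIMITERS = {
    "unicast ip features": "layer3-security-features",
    "all ttl-failure": "ttl-failure",
}

# Assumed indicators that the MSFC-bound features behind the Layer 3
# security limiter (auth-proxy, inspection, IPSec) are actually in use.
FEATURE_MARKERS = ("ip auth-proxy", "ip inspect", "crypto map")

# mls rate-limit <keywords> <pps> [<packets-in-burst>]
_LINE = re.compile(r"^mls rate-limit (?P<kw>.+?) (?P<pps>\d+)(?: (?P<burst>\d+))?$")


def parse_rate_limiters(config):
    """Return {report_name: (pps, burst_or_None)} for limiters found in config."""
    found = {}
    for raw in config.splitlines():
        m = _LINE.match(raw.strip())
        if not m or m.group("kw") not in LIMITERS:
            continue  # other mls rate-limit lines are out of scope here
        burst = int(m.group("burst")) if m.group("burst") else None
        found[LIMITERS[m.group("kw")]] = (int(m.group("pps")), burst)
    return found


def audit(config):
    """Return findings: limiters left at the disabled default, and the L3
    security features limiter enabled without any of its features configured."""
    limiters = parse_rate_limiters(config)
    findings = [f"{n}: disabled (default)" for n in LIMITERS.values() if n not in limiters]
    uses_features = any(l.strip().startswith(FEATURE_MARKERS) for l in config.splitlines())
    if "layer3-security-features" in limiters and not uses_features:
        findings.append("layer3-security-features: enabled but no auth-proxy, inspect or IPsec config found")
    return findings
```

Run it against the output of show running-config saved to a file to get the same report for a real switch.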