Leaflet
OL-11615-01
While deploying hardware-based rate limiters there are some important considerations that should be taken into account:
• CoPP is preferable over the FIB (CEF) Receive rate limiter. Use CoPP rather than this rate limiter and do not use both mechanisms in conjunction.
• Do not use the IP Sec features rate limiter unless you are using authentication proxy, IPSec, or inspection.
• Do not use the VACL log rate limiter unless VACL Log is configured.
• None of the Layer 2 rate limiters (Layer 2 multicast IGMP, Layer 2 protocol tunneling, Layer 2 PDU) is supported in truncated mode. The switch uses truncated mode for traffic between fabric-enabled modules when both fabric-enabled and nonfabric-enabled modules are installed.
• Being too aggressive with the Layer 2 PDU rate limiter could have adverse effects on Layer 2 network stability.
• The multicast IGMP rate limiter should be used only when IGMP snooping is enabled.
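As an added example, not part of the original Cisco document, the following Python script audits a Catalyst 6500 running-config excerpt against the considerations above. The configuration sample is constructed, and the checks assume the standard `mls rate-limit` command syntax and a CoPP policy attached under `control-plane` with `service-policy input`.

```python
import re

# Constructed sample of a Catalyst 6500 running-config excerpt (not from a real device);
# it deliberately violates several of the considerations listed above.
SAMPLE_CONFIG = """\
mls qos
mls rate-limit unicast cef receive 1000 100
mls rate-limit unicast ip features 500 50
mls rate-limit unicast acl vacl-log 2000 10
mls rate-limit layer2 pdu 200 20
mls rate-limit multicast ipv4 igmp 1000 100
no ip igmp snooping
policy-map copp-policy
 class class-default
  police 1000000 conform-action transmit exceed-action drop
control-plane
 service-policy input copp-policy
"""

def _has(cfg, pattern):
    """True if any line of the config matches the line-anchored regex."""
    return re.search(pattern, cfg, re.MULTILINE) is not None

def audit_rate_limiters(cfg):
    """Check a running-config against the rate-limiter considerations; returns 'code: detail' strings."""
    findings = []
    copp = _has(cfg, r"^control-plane\s*$") and _has(cfg, r"^\s+service-policy input \S+")
    cef_receive = _has(cfg, r"^mls rate-limit unicast cef receive ")
    if cef_receive and copp:
        findings.append("cef-receive-with-copp: CoPP and the FIB (CEF) receive limiter are both active; drop the limiter")
    elif cef_receive:
        findings.append("cef-receive-without-copp: FIB (CEF) receive limiter in use; CoPP is the preferred mechanism")
    # The IP features limiter only makes sense with auth-proxy, IPSec (crypto map) or inspection.
    if _has(cfg, r"^mls rate-limit unicast ip features ") and not _has(cfg, r"^\s*(ip auth-proxy|crypto map|ip inspect)\b"):
        findings.append("ip-features-unused: IP features limiter enabled without auth-proxy, IPSec or inspection")
    # The VACL log limiter only matters if some VLAN access-map action actually logs.
    if _has(cfg, r"^mls rate-limit unicast acl vacl-log ") and not _has(cfg, r"^\s*action\s+\S+.*\blog\b"):
        findings.append("vacl-log-unused: VACL log limiter enabled but no VACL action logs")
    # IGMP snooping is on by default on this platform; 'no ip igmp snooping' turns it off.
    if _has(cfg, r"^mls rate-limit multicast ipv4 igmp ") and _has(cfg, r"^no ip igmp snooping\s*$"):
        findings.append("igmp-snooping-disabled: IGMP limiter enabled while IGMP snooping is off")
    pdu = re.search(r"^mls rate-limit layer2 pdu (\d+)", cfg, re.MULTILINE)
    if pdu:  # the document gives no safe number, so flag the value for human review
        findings.append(f"l2-pdu-review: Layer 2 PDU limiter at {pdu.group(1)} pps; too aggressive a value harms L2 stability")
    return findings

if __name__ == "__main__":
    for finding in audit_rate_limiters(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `show running-config` captured from the switch to get the same findings for a real deployment.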
Additional References
This section provides links and references to information on some of the subjects covered in this document:
Catalyst 6500 Series switches DoS protection:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080435872.html
Control Plane Policing White Paper:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a008052446b.html
Virtual LAN Security Best Practices:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
Understanding Rapid Spanning Tree Protocol (802.1w):
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_white_paper09186a0080094cfa.shtml
SAFE: Best Practices for Securing Routing Protocols:
http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008020b51d.shtml
Unneeded Services
Cisco Catalyst switches and other infrastructure devices are typically shipped with many services enabled by default, because those services are considered appropriate for most network environments. While default services certainly ease deployment, from a security standpoint every enabled service carries a risk: it could present a vulnerability that is used maliciously to gain unauthorized access or to generate a denial of service. For this reason, it is good practice to disable all unneeded services.