Catalyst 6500 DOS Protection HW rate limiter

HUBERT RESCH
Level 3

Hi, I want to make a kind of DoS protection on our Cat6500/SUP720-10G.

I considered using the following HW rate-limiters and have some questions about them.

To limit only ARP requests which are hitting the RP, not other ARPs which are just L2 switched? What's the max. limit the RP can handle?

mls qos protocol arp police

To limit packets which would make an ARP request necessary, sent by the RP. What's the maximum limit the RP can handle?

mls rate-limit unicast cef glean

To limit packets to an RP address (not sure if broadcasts are included as well?). Are all routing-protocol packets included as well? What's the maximum limit the RP can handle?

mls rate-limit unicast cef receive

Does this also include packets which are to the destination RP address with TTL 1?

mls rate-limit all ttl-failure

mls rate-limit layer2 unknown

To limit all L2 PDUs (I assume that includes STP, CDP, UDLD, etc.), though I have no idea what the "normal" value is or how to find this out.

mls rate-limit layer2 pdu

What is necessary in addition to these HW policers to configure with CoPP?

Thx

Hubert

philippe.lapere
Level 1

Hi Hubert,

I see your post is some months old and, as I asked myself some of your questions, did you find answers to your questions?

For the moment, here is what I expect to implement:

- mls qos protocol arp police
=> Like you, I find it difficult to determine the capabilities of the Sup720. However, I began to measure ARP stats through "sh ip traffic" to determine a baseline.

- mls rate-limit unicast cef receive

=> As explained in best practices, not to be used with CoPP (in my case, I prefer to use CoPP for its granularity: routing protocols, management protocols, etc.).

- mls rate-limit all ttl-failure

=> I have some doubt about which TTL is taken into account. On the following link:

http://www.cisco.com/web/about/security/intelligence/ttl-expiry.html, it is said this command rate-limits TTL 0 & TTL 1:

"The TTL-Failure General Rate Limiter can be used to rate-limit unicast or multicast packets that fail the TTL check (i.e., packets with TTL values less than or equal to one)"

I am just a bit surprised because it includes IGMP packets, for which TTL is 1 (the ttl-failure rate-limiter is shared with 3 other rate-limits, so with the same rate-limit value ... it is not easy in this case to have granularity). Additionally, there is an IGMP rate-limit ... so this one could be occulted by the ttl-failure value ... strange.

- mls rate-limit layer2 unknown :

I understand it is to limit flooding, but no idea about the limit to put.

- mls rate-limit layer2 pdu

I expect to use as limit: total interfaces * 10 pps (which seems large enough for all types of packets, whatever the conditions).

The other rate-limits I plan to use:

- unicast ip option => for me, only extended ping uses it, so I reduce it to 50 pps

- multicast dflt adj: I leave the default values

- IGMP (but I still have the doubt with TTL rate-limit overlapping)

D.
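The baselining approach described in this reply (sampling the ARP counters from "sh ip traffic" before choosing a policer value) can be scripted. The following is an added example, not code from either poster or from Cisco. It assumes the ARP block of `show ip traffic` has the layout shown in the constructed samples (two snapshots with invented counter values, 60 seconds apart), that a 3x headroom factor over the observed baseline is an acceptable starting point, and that an ARP frame is a minimum-size 64-byte Ethernet frame when converting packets per second to bits per second for a policer configured in bps.

```python
import math
import re

# Constructed (hypothetical) samples of the ARP section of `show ip traffic`
# on IOS, captured 60 seconds apart. The counter values are invented for this
# example and are not from the thread.
SAMPLE_T0 = """\
ARP statistics:
  Rcvd: 1203456 requests, 87654 replies, 0 reverse, 12 other
  Sent: 4321 requests, 998877 replies (0 proxy), 0 reverse
  Drop due to input queue full: 0
"""

SAMPLE_T1 = """\
ARP statistics:
  Rcvd: 1205256 requests, 87774 replies, 0 reverse, 12 other
  Sent: 4330 requests, 1000677 replies (0 proxy), 0 reverse
  Drop due to input queue full: 0
"""

_RCVD = re.compile(r"Rcvd:\s+(\d+)\s+requests,\s+(\d+)\s+replies")
_DROP = re.compile(r"Drop due to input queue full:\s+(\d+)")


def parse_arp(text):
    """Extract received ARP request/reply counters and input-queue drops."""
    rcvd = _RCVD.search(text)
    drop = _DROP.search(text)
    if rcvd is None or drop is None:
        raise ValueError("ARP statistics block not found")
    return {
        "requests": int(rcvd.group(1)),
        "replies": int(rcvd.group(2)),
        "drops": int(drop.group(1)),
    }


def arp_rate(before, after, seconds):
    """Per-second rates between two counter snapshots taken `seconds` apart."""
    if seconds <= 0:
        raise ValueError("interval must be positive")
    req = (after["requests"] - before["requests"]) / seconds
    rep = (after["replies"] - before["replies"]) / seconds
    drops = after["drops"] - before["drops"]
    # A negative delta means the counters were cleared between the samples.
    if req < 0 or rep < 0 or drops < 0:
        raise ValueError("counters were reset between samples")
    return {"requests_pps": req, "replies_pps": rep,
            "total_pps": req + rep, "drops": drops}


def suggest_limit_pps(baseline_pps, headroom=3.0, floor=100, step=50):
    """Baseline times headroom, rounded up to a multiple of `step`, never below `floor`.

    The headroom factor, floor and step are assumptions for this example,
    not a Cisco recommendation.
    """
    raw = baseline_pps * headroom
    return max(floor, int(math.ceil(raw / step)) * step)


def pps_to_bps(pps, frame_bytes=64):
    """Convert packets/s to bits/s for policers that take a bps value.

    Assumes a minimum-size 64-byte Ethernet frame, which is typical for ARP.
    """
    return int(pps * frame_bytes * 8)


if __name__ == "__main__":
    rate = arp_rate(parse_arp(SAMPLE_T0), parse_arp(SAMPLE_T1), 60)
    limit = suggest_limit_pps(rate["total_pps"])
    print(f"ARP received: {rate['total_pps']:.1f} pps "
          f"({rate['requests_pps']:.1f} req, {rate['replies_pps']:.1f} rep), "
          f"input-queue drops in interval: {rate['drops']}")
    print(f"suggested limit: {limit} pps (~{pps_to_bps(limit)} bps)")
```

Sample over a period that covers normal peaks (a busy morning, a scheduled scan window) rather than a single quiet minute, and treat a non-zero "Drop due to input queue full" delta during the baseline as a sign the RP is already shedding ARP, in which case the measured rate understates the real load. The bps conversion is only needed for the ARP policer, whose rate argument is in bits per second; the `mls rate-limit` commands take packets per second directly.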