Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide—Release 12.1 E (78-14099-04), page 24-5
Chapter 24: Configuring Denial of Service Protection
Configuring DoS Protection
Forwarding Information Base Rate-Limiting
Forwarding information base (FIB) rate-limiting caps the aggregate rate at which packets that cannot be switched in hardware, and therefore require software processing on the route processor, are forwarded to it. It is configured with the mls ip cef rate-limit command, as shown in the example that follows.
The following FIB rate-limiting usage guidelines apply:
  • FIB rate-limiting does not limit the rate of multicast traffic.
  • FIB rate-limiting does not differentiate between legitimate and illegitimate traffic: legitimate traffic that also requires software processing (for example, tunnel traffic or Telnet sessions to the switch) is limited together with attack traffic.
  • FIB rate-limiting applies one aggregate rate limit to all such traffic, not a per-flow rate limit, so a single high-rate source shares the one allowance with every other flow that is punted.
The following example shows traffic destined for a nonexistent host address on a locally connected subnet. Normally, the ARP request for a connected host results in an ARP reply and the installation of a FIB adjacency for that host, after which its traffic is switched in hardware. Because the host does not exist, no reply ever arrives (the ARP entry stays Incomplete), so the adjacency in the FIB for the destination subnet continues to receive the traffic and every packet is forwarded to the route processor for software processing. In the transcript, this load is enough that the route processor can no longer process the OSPF and EIGRP hello packets in time, and both adjacencies go down. By applying rate-limiting to this traffic, the rate of traffic forwarded for software processing is capped at a manageable 1000 pps, and the adjacencies come back up.
Router# show ip eigrp neighbors
IP-EIGRP neighbors for process 200
H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq Type
                                        (sec)         (ms)       Cnt Num
0   4.4.4.122               Vl44          11 00:00:26    8   200  0  6534   
Router# show ip ospf neighbors
Neighbor ID     Pri   State           Dead Time   Address         Interface
6.6.6.122         1   FULL/BDR        00:00:36    6.6.6.122       Vlan46
Router#
(attack starts)
Router# show arp | include 199.2.250.250
Internet  199.2.250.250           0   Incomplete      ARPA   
Router#
1w6d: %OSPF-5-ADJCHG: Process 100, Nbr 6.6.6.122 on Vlan46 from FULL to DOWN, Neighbor Down: Dead timer expired
Router# show ip eigrp neighbors
IP-EIGRP neighbors for process 200
Router#
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# mls ip cef rate-limit 1000
traffic rate limited to 1000 pps
Router(config)# end
Router#
1w6d: %SYS-5-CONFIG_I: Configured from console by console
Router#
1w6d: %OSPF-5-ADJCHG: Process 100, Nbr 6.6.6.122 on Vlan46 from LOADING to FULL, Loading Done
Router# show ip eigrp neighbors
IP-EIGRP neighbors for process 200
H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq Type
                                        (sec)         (ms)       Cnt Num
0   4.4.4.122               Vl44          12 00:00:07   12   200  0  6536   
Router#
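The guidelines above (one aggregate limit, not per flow; no distinction between legitimate and attack traffic) are easiest to see in a model. The following Python simulation is an added example, not code from the Cisco guide: it pushes a constructed packet mix (an attack toward a host that never answers ARP, plus OSPF and EIGRP hellos at rates scaled far above real timers so a one-second window has usable statistics) through a token-bucket limiter standing in for mls ip cef rate-limit, once with no limit, once as a single aggregate bucket, and once as one bucket per flow for contrast. The flow names, packet rates, random seed and bucket parameters are all assumptions made for the illustration.

```python
"""Aggregate vs. per-flow punt rate limiting: a small simulation.

Added example (not from the Cisco guide). An aggregate limiter such as
`mls ip cef rate-limit` bounds the total number of packets punted to the
route processor, but it cannot tell an attacker's packets for a nonexistent
host apart from OSPF or EIGRP hellos, so control traffic is dropped in the
same proportion as the attack. Flow names, rates, seed and bucket sizes
below are constructed for illustration (hello rates are scaled up).
"""
import random


class TokenBucket:
    """Token bucket limiter: refills `rate` tokens/s, holds at most `burst`."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        """Consume a token if one is available at time `now`; True if passed."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def offered_traffic(rates_pps, duration=1.0, seed=2024):
    """Merge Poisson arrivals of every flow into one time-ordered list of
    (timestamp, flow) pairs. `rates_pps` maps flow name -> packets/second."""
    rng = random.Random(seed)
    packets = []
    for flow, pps in rates_pps.items():
        t = rng.expovariate(pps)
        while t < duration:
            packets.append((t, flow))
            t += rng.expovariate(pps)
    packets.sort()
    return packets


def punt(packets, limit_pps=None, burst=100, per_flow=False):
    """Run the packets through the limiter in front of the route processor.

    limit_pps=None : no rate limiting, everything is punted (the failure case)
    per_flow=False : one aggregate bucket for all punted traffic (FIB rate-limiting)
    per_flow=True  : one bucket per flow (what FIB rate-limiting does NOT do)
    Returns {flow: (offered, punted)}.
    """
    stats = {}
    buckets = {}

    def bucket_for(flow):
        key = flow if per_flow else "aggregate"
        if key not in buckets:
            buckets[key] = TokenBucket(limit_pps, burst)
        return buckets[key]

    for t, flow in packets:
        offered, punted = stats.get(flow, (0, 0))
        ok = True if limit_pps is None else bucket_for(flow).allow(t)
        stats[flow] = (offered + 1, punted + (1 if ok else 0))
    return stats


def survival(stats):
    """Fraction of each flow's packets that reached the route processor."""
    return {f: punted / offered for f, (offered, punted) in stats.items()}


# Constructed mix: 9000 pps toward a host that never answers ARP (every packet
# is punted for ARP resolution) plus scaled-up control-plane hellos.
RATES = {"attack": 9000, "ospf_hello": 500, "eigrp_hello": 500}
PACKETS = offered_traffic(RATES)

if __name__ == "__main__":
    scenarios = [("no limit", dict(limit_pps=None)),
                 ("aggregate 1000 pps", dict(limit_pps=1000)),
                 ("per-flow 1000 pps", dict(limit_pps=1000, per_flow=True))]
    for label, kwargs in scenarios:
        stats = punt(PACKETS, **kwargs)
        total = sum(p for _, p in stats.values())
        print(f"{label}: {total} packets punted to the RP in 1 s")
        for flow, frac in survival(stats).items():
            print(f"  {flow:12s} {frac:6.1%} delivered")
```

With the aggregate bucket the punt rate is bounded at roughly the configured 1000 pps (plus the initial burst), which is what keeps the route processor alive, but only about 11% of each flow gets through in this model, hellos included: that is the non-differentiation caveat. The per-flow run lets the hellos through untouched; it is shown only for contrast, since FIB rate-limiting does not work that way.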
ARP Throttling
ARP throttling limits the rate at which packets destined to a connected network, but still awaiting ARP resolution, are forwarded to the route processor. Most of these packets are dropped; only a small, rate-limited number are sent to the route processor.