[nsp] MSFC2 protection and rate-limiting

flyman2 at mindspring.net flyman2 at mindspring.net
Fri Feb 27 10:53:54 EST 2004


In an effort to better protect our infrastructure I'd like to rate-limit the
traffic destined to my 6500/7600's MSFC2s.  So far I've found two possible
methods for doing so:


mls ip cef rate-limit

http://www.cisco.com/univercd/cc/td/doc/product/core/cis7600/software/122sx/cmdref/m1.htm#75135


Control Plane Policing

http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a00801afad4.html


However, the documentation on these two features isn't very useful.  I have
a number of questions I'm hoping the list members might be able to answer.


1) In order to set mls ip cef rate-limiting or control plane policing,
one needs to determine what is an acceptable rate-limit to apply.  How can
you view the actual pps that an MSFC is receiving?  I've discovered the
following two commands that 'might' provide this information, but their
output does not match:

   a) sh cef not-cef-switched

   b) sh ibc

Is one of these the correct command?  A pps counter would be preferred over
these incremental counters.


2) Is there any sort of prioritization deployable with cef
rate-limiting?  As I understand it, control plane traffic is a punt
(=not-cef-switched).  If this traffic is rate-limited during a DoS attack,
then valid control traffic will eventually get choked off.  Control Plane
Policing appears to address this issue; however, is there any other
difference between the two methods?


3) Is there traffic that reaches and gets processed by the MSFC2 that
is not considered to be a 'punt' by mls cef?


I appreciate any information you may be able to provide on this topic.


Thanks,

Josh
