[nsp] MSFC2 protection and rate-limiting

flyman2 at mindspring.net flyman2 at mindspring.net
Fri Feb 27 10:53:54 EST 2004

In an effort to better protect our infrastructure I'd like to rate-limit the
traffic destined to my 6500/7600's MSFC2s.  So far I've found two possible
methods for doing so:

   mls ip cef rate-limit

   Control Plane Policing

However, the documentation on these two features isn't very useful.  I have
a number of questions I'm hoping the list members might be able to answer.


1) In order to set mls ip cef rate-limiting or control plane policing,
one needs to determine what is an acceptable rate-limit to apply.  How can
you view the actual pps that an MSFC is receiving?  I've discovered the
following two commands that 'might' provide this information, but their
output does not match:

a) sh cef not-cef-switched

b) sh ibc

Is one of these the correct command?  A pps counter would be preferred over
these incremental counters.


2) Is there any sort of prioritization deployable with cef
rate-limiting?  As I understand it, control plane traffic is a punt
(=not-cef-switched).  If this traffic is rate-limited during a DoS attack,
then valid control traffic will eventually get choked off.  Control Plane
Policing appears to address this issue; however, is there any other
difference between the two methods?


3) Is there traffic that reaches and gets processed by the MSFC2 that
is not considered to be a 'punt' by mls cef?


I appreciate any information you may be able to provide on this topic.
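An added example, not part of the original post, of the Control Plane Policing approach asked about in question 2: separate classes keep routing-protocol traffic from being policed together with the bulk of punted traffic. The ACL names, rates and actions are assumptions to be sized from observed counters on the box in question:

```cisco
! Added example (not from the original post). Rates are assumptions;
! size them from measured punt counters before enforcing drops.
!
! Class 1: routing-protocol traffic that must never be starved during a DoS.
ip access-list extended COPP-ROUTING
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit ospf any any
!
! Class 2: management traffic, policed but kept separate from the default class.
ip access-list extended COPP-MGMT
 permit tcp any any eq 22
 permit udp any any eq snmp
!
class-map match-all COPP-ROUTING
 match access-group name COPP-ROUTING
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT
!
policy-map COPP
 ! Routing: measure only (exceed-action transmit) so a burst cannot drop it.
 class COPP-ROUTING
  police 1000000 conform-action transmit exceed-action transmit
 ! Management: hard limit, assumed 256 kbit/s.
 class COPP-MGMT
  police 256000 conform-action transmit exceed-action drop
 ! Everything else punted to the MSFC, flood traffic included: tight limit.
 class class-default
  police 128000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
!
! Per-class conformed/exceeded counters, useful for sizing the rates:
! show policy-map control-plane
```

Running the policy with every class set to exceed-action transmit first gives per-class counters to size the rates from, which is a more direct measurement than the incremental punt counters mentioned in question 1.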