36-24
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
OL-4266-08
Chapter 36 Configuring Denial of Service Protection
DoS Protection Configuration Guidelines and Restrictions
• Configured rate limits are applied to each forwarding engine (except for the Layer 2 hardware rate limiter, which is applied globally).
• Layer 2 rate limiters are not supported in truncated mode.
• The following restrictions apply when using the ingress and egress ACL-bridged packet rate limiters:
  – The ingress and egress ACL-bridged packet rate limiter is available for unicast traffic only.
  – The ingress and egress ACL-bridged packet rate limiters share a single rate-limiter register. If you enable the ACL-bridge ingress and egress rate limiters, both the ingress and the egress ACLs must share the same rate-limiter value.
• Use the mls rate-limit unicast command to rate limit unicast traffic.
• Use the mls rate-limit multicast command to rate limit multicast traffic.
• Use the mls rate-limit multicast layer 2 command to rate limit Layer 2 multicast traffic.
Monitoring Packet Drop Statistics
You can capture the incoming or outgoing traffic on an interface and send a copy of this traffic to an external interface for monitoring by a traffic analyzer. To capture traffic and forward it to an external interface, use the monitor session command.
When capturing traffic, these restrictions apply:
• The incoming captured traffic is not filtered.
• The incoming captured traffic is not rate limited to the capture destination.
Monitoring Dropped Packets Using Monitor Session Commands
This example shows how to use the monitor session command to capture and forward traffic to an external interface:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# monitor session 1 source vlan 44 both
Router(config)# monitor session 1 destination interface g9/1
Router(config)# end
Router#
2w0d: %SYS-5-CONFIG_I: Configured from console by console
This example shows how to use the show monitor session command to display the destination port location:
Router# show monitor session 1
Session 1
---------
Source Ports:
    RX Only: None
    TX Only: None
    Both: None
Source VLANs:
    RX Only: None
    TX Only: None
    Both: 44
Destination Ports: Gi9/1
Filter VLANs: None
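Because captured traffic is neither filtered nor rate limited on its way to the destination port, it is worth checking that each monitor session copies only the intended VLANs to the intended port. The Python code below is an added example, not part of the Cisco guide: it parses the show monitor session output shown above and compares it with an approved baseline. The function names, the layout of the baseline dictionary and the handling of comma-separated lists are assumptions made for this illustration.

```python
import re
# Output copied from the "show monitor session 1" example above.
SAMPLE = """Session 1
---------
Source Ports:
RX Only: None
TX Only: None
Both: None
Source VLANs:
RX Only: None
TX Only: None
Both: 44
Destination Ports: Gi9/1
Filter VLANs: None
"""

def _items(value):  # "None" -> []; comma-separated lists are an assumption
    return [] if value == "None" else [v.strip() for v in value.split(",")]

def parse_monitor_session(text):  # returns {session_id: fields}
    sessions, current, group = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.fullmatch(r"Session (\d+)", line)
        if m:
            current, group = sessions.setdefault(int(m.group(1)), {}), None
        elif current is not None and ":" in line:
            key, _, value = (p.strip() for p in line.partition(":"))
            if not value:                      # "Source Ports:" opens a group
                group = current.setdefault(key, {})
            elif group is not None and key in ("RX Only", "TX Only", "Both"):
                group[key] = _items(value)
            else:                              # top-level "name: value" field
                current[key], group = _items(value), None
    return sessions

def audit(sessions, approved):  # approved: hypothetical baseline dictionary
    findings = []
    for sid, s in sorted(sessions.items()):
        want = approved.get(sid)
        if want is None:
            findings.append(f"session {sid}: not in approved baseline")
            continue
        dest = sorted(s.get("Destination Ports", []))
        vlans = sorted(v for d in s.get("Source VLANs", {}).values() for v in d)
        if dest != sorted(want["destination"]):
            findings.append(f"session {sid}: unexpected destination {dest}")
        if vlans != sorted(want["source_vlans"]):
            findings.append(f"session {sid}: unexpected source VLANs {vlans}")
    return findings
```

Calling audit(parse_monitor_session(SAMPLE), {1: {"destination": ["Gi9/1"], "source_vlans": ["44"]}}) returns an empty list; any session missing from the baseline, or pointing at a different port or VLAN, is reported as a finding.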