Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 5.x
Configuring Rate Limits

This chapter describes how to configure rate limits for supervisor-bound traffic on Cisco NX-OS devices.

Information About Rate Limits

Rate limits can prevent redirected packets for exceptions from overwhelming the supervisor module on a Cisco NX-OS device. You can configure rate limits in packets per second for the following types of redirected packets:

  • Access-list log packets

  • Data and control packets copied to the supervisor module

  • F1 Series module packets

  • Layer 2 L2TP packets

  • Layer 2 multicast-snooping packets

  • Layer 2 port-security packets

  • Layer 2 storm-control packets

  • Layer 2 VPC low packets

  • Layer 3 control packets

  • Layer 3 glean packets

  • Layer 3 maximum transmission unit (MTU) check failure packets

  • Layer 3 multicast data packets

  • Layer 3 Time-to-Live (TTL) check failure packets

  • Receive packets

Beginning in Cisco NX-OS Release 5.1, you can also configure rate limits for packets that reach the supervisor module.

Virtualization Support for Rate Limits

You can configure rate limits only in the default virtual device context (VDC), but the rate limits configuration applies to all VDCs on the Cisco NX-OS device. For more information on VDCs, see the Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide.

Licensing Requirements for Rate Limits

The following table shows the licensing requirements for this feature:

Product         License Requirement
Cisco NX-OS     Rate limits require no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.

Guidelines and Limitations for Rate Limits

Rate limits have the following configuration guidelines and limitations:

  • You can set rate limits for supervisor-bound exception and redirected traffic. Use control plane policing (CoPP) for other types of supervisor-bound traffic.

    Note: Hardware rate-limiters protect the supervisor CPU from excessive inbound traffic. The traffic rate allowed by the hardware rate-limiters is configured globally and applied to each individual I/O module. The resulting allowed rate depends on the number of I/O modules in the system. CoPP provides more granular supervisor CPU protection by utilizing the modular quality-of-service CLI (MQC).

  • F1 Series modules support up to five rate limiters shared among all control traffic sent to the Supervisor module.

Note: If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.


Default Settings for Rate Limits

This table lists the default settings for rate limits parameters.

Table 1 Default Rate Limits Parameters Settings

Parameter                                        Default
Access-list log packets rate limit               100 packets per second
Copy packets rate limit                          30,000 packets per second
F1 Series module rate limit                      RL-1: 4,500 packets per second
                                                 RL-2: 1,000 packets per second
                                                 RL-3: 1,000 packets per second
                                                 RL-4: 100 packets per second
                                                 RL-5: 1,500 packets per second
Layer 2 L2TP packets rate limit                  4,096 packets per second
Layer 2 multicast-snooping packets rate limit    10,000 packets per second
Layer 2 port-security packets rate limit         Disabled
Layer 2 storm-control packets rate limit         Disabled
Layer 2 VPC low packets rate limit               4,000 packets per second
Layer 3 control packets rate limit               10,000 packets per second
Layer 3 glean packets rate limit                 100 packets per second
Layer 3 MTU packets rate limit                   500 packets per second
Layer 3 Time-to-Live (TTL) packets rate limit    500 packets per second
Receive packets rate limit                       30,000 packets per second
Supervisor packets rate limit                    10,000 packets per second

Configuring Rate Limits

You can set rate limits on supervisor-bound traffic.

SUMMARY STEPS

    1.    configure terminal

    2.    hardware rate-limiter access-list-log {packets | disable} [module module [port start end]]

    3.    hardware rate-limiter copy {packets | disable} [module module [port start end]]

    4.    hardware rate-limiter f1 {rl-1 | rl-2 | rl-3 | rl-4 | rl-5 {packets | disable}} [module module [port start end]]

    5.    hardware rate-limiter layer-2 l2pt {packets | disable} [module module [port start end]]

    6.    hardware rate-limiter layer-2 mcast-snooping {packets | disable} [module module [port start end]]

    7.    hardware rate-limiter layer-2 port-security {packets | disable} [module module [port start end]]

    8.    hardware rate-limiter layer-2 storm-control {packets | disable} [module module [port start end]]

    9.    hardware rate-limiter layer-2 vpc-low {packets | disable} [module module [port start end]]

    10.    hardware rate-limiter layer-3 control {packets | disable} [module module [port start end]]

    11.    hardware rate-limiter layer-3 glean {packets | disable} [module module [port start end]]

    12.    hardware rate-limiter layer-3 mtu {packets | disable} [module module [port start end]]

    13.    hardware rate-limiter layer-3 multicast {packets | disable} [module module [port start end]]

    14.    hardware rate-limiter layer-3 ttl {packets | disable} [module module [port start end]]

    15.    hardware rate-limiter receive {packets | disable} [module module [port start end]]

    16.    exit

    17.    (Optional) show hardware rate-limiter [access-list-log | copy | f1 {rl-1 | rl-2 | rl-3 | rl-4 | rl-5} | layer-2 {l2pt | mcast-snooping | port-security | storm-control | vpc-low} | layer-3 {control | glean | mtu | multicast | ttl} | module module | receive]

    18.    (Optional) copy running-config startup-config


DETAILED STEPS

Step 1  configure terminal

    Example:
    switch# configure terminal
    switch(config)#

    Purpose: Enters global configuration mode.

Step 2  hardware rate-limiter access-list-log {packets | disable} [module module [port start end]]

    Example:
    switch(config)# hardware rate-limiter access-list-log 200

    Purpose: Configures rate limits in packets per second for packets copied to the supervisor module for access list logging. The range is from 0 to 30000.

Step 3  hardware rate-limiter copy {packets | disable} [module module [port start end]]

    Example:
    switch(config)# hardware rate-limiter copy 40000

    Purpose: Configures rate limits in packets per second for data and control packets copied to the supervisor module. The range is from 0 to 30000.

    Note: Layer 3 control, multicast direct-connect, and ARP request packets are controlled by the Layer 2 copy rate limiter. The first two types of packets are also controlled by Layer 3 rate limiters, and the last two types are also subject to control plane policing (CoPP).

Step 4  hardware rate-limiter f1 {rl-1 | rl-2 | rl-3 | rl-4 | rl-5 {packets | disable}} [module module [port start end]]

    Example:
    switch(config)# hardware rate-limiter f1 rl-1 1000

    Purpose: Configures rate limits in packets per second for F1 Series module packets. The range is from 0 to 30000.

    Note: The f1 {rl-1 | rl-2 | rl-3 | rl-4 | rl-5} rate limiters are the only rate limiters that are supported on F1 Series modules. The other rate limiters are applicable only to the M1 Series modules.

Step 5  hardware rate-limiter layer-2 l2pt {packets | disable} [module module [port start end]]

    Example:
    switch(config)# hardware rate-limiter layer-2 l2pt 30000

    Purpose: Configures rate limits in packets per second for Layer 2 tunnel protocol packets. The range is from 0 to 30000.

Step 6  hardware rate-limiter layer-2 mcast-snooping {packets | disable} [module module [port start end]]

    Example:
    switch(config)# hardware rate-limiter layer-2 mcast-snooping 20000

    Purpose: Configures rate limits in packets per second for Layer 2 multicast-snooping packets. The range is from 0 to 30000.

Step 7  hardware rate-limiter layer-2 port-security {packets | disable} [module module [port start end]]

    Example:
    switch(config)# hardware rate-limiter layer-2 port-security 100000

    Purpose: Configures rate limits in packets per second for port-security packets. The range is from 0 to 30000.

Step 8  hardware rate-limiter layer-2 storm-control {packets | disable} [module module [port start end]]

    Example:
    switch(config)# hardware rate-limiter layer-2 storm-control 10000

    Purpose: Configures rate limits in packets per second for broadcast, multicast, and unknown unicast storm-control traffic. The range is from 0 to 30000.

Step 9  hardware rate-limiter layer-2 vpc-low {packets | disable} [module module [port start end]]

    Example:
    switch(config)# hardware rate-limiter layer-2 vpc-low 10000

    Purpose: Configures rate limits in packets per second for Layer 2 control packets over the VPC low queue. The range is from 0 to 30000.

Step 10  hardware rate-limiter layer-3 control {packets | disable} [module module [port start end]]

    Example:
    switch(config)# hardware rate-limiter layer-3 control 20000

    Purpose: Configures rate limits in packets per second for Layer 3 control packets. The range is from 0 to 30000.

Step 11  hardware rate-limiter layer-3 glean {packets | disable} [module module [port start end]]

    Example:
    switch(config)# hardware rate-limiter layer-3 glean 200

    Purpose: Configures rate limits in packets per second for Layer 3 glean packets. The range is from 0 to 30000.

Step 12  hardware rate-limiter layer-3 mtu {packets | disable} [module module [port start end]]

    Example:
    switch(config)# hardware rate-limiter layer-3 mtu 1000

    Purpose: Configures rate limits in packets per second for Layer 3 MTU failure redirected packets. The range is from 0 to 30000.

Step 13  hardware rate-limiter layer-3 multicast {packets | disable} [module module [port start end]]

    Example:
    switch(config)# hardware rate-limiter layer-3 multicast 20000

    Purpose: Configures rate limits in packets per second for Layer 3 multicast packets. The range is from 0 to 30000.

Step 14  hardware rate-limiter layer-3 ttl {packets | disable} [module module [port start end]]

    Example:
    switch(config)# hardware rate-limiter layer-3 ttl 1000

    Purpose: Configures rate limits in packets per second for Layer 3 failed Time-to-Live redirected packets. The range is from 0 to 30000.

Step 15  hardware rate-limiter receive {packets | disable} [module module [port start end]]

    Example:
    switch(config)# hardware rate-limiter receive 40000

    Purpose: Configures rate limits in packets per second for packets redirected to the supervisor module. The range is from 0 to 30000.

Step 16  exit

    Example:
    switch(config)# exit
    switch#

    Purpose: Exits global configuration mode.

Step 17  (Optional) show hardware rate-limiter [access-list-log | copy | f1 {rl-1 | rl-2 | rl-3 | rl-4 | rl-5} | layer-2 {l2pt | mcast-snooping | port-security | storm-control | vpc-low} | layer-3 {control | glean | mtu | multicast | ttl} | module module | receive]

    Example:
    switch# show hardware rate-limiter

    Purpose: Displays the rate limit configuration.

Step 18  (Optional) copy running-config startup-config

    Example:
    switch# copy running-config startup-config

    Purpose: Copies the running configuration to the startup configuration.
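The procedure above sets each hardware rate limiter one command at a time, and Table 1 gives the default for each of them. The Python script below is an added example, not Cisco code and not part of this guide: it reads the hardware rate-limiter lines from a saved running-config, fills in the documented defaults for limiters that are not explicitly set, flags values outside the documented 0 to 30000 range, limiters that were disabled or relaxed above their default, and module-scoped overrides, and emits the commands that would return every deviating limiter to its documented default. The sample running-config is constructed, the script assumes the line syntax shown in the summary steps, and it never talks to a device.

```python
"""Audit the 'hardware rate-limiter' lines of an NX-OS running-config against the
defaults (Table 1) and the documented 0-30000 pps range. Added example; offline only."""
import re

MAX_PPS = 30000  # every "hardware rate-limiter" step documents a range of 0 to 30000

# Defaults from Table 1; None means the limiter is disabled by default.
# "layer-3 multicast" is configurable (Step 13) but has no default listed in Table 1.
DEFAULTS = {
    "access-list-log": 100,
    "copy": 30000,
    "f1 rl-1": 4500,
    "f1 rl-2": 1000,
    "f1 rl-3": 1000,
    "f1 rl-4": 100,
    "f1 rl-5": 1500,
    "layer-2 l2pt": 4096,
    "layer-2 mcast-snooping": 10000,
    "layer-2 port-security": None,
    "layer-2 storm-control": None,
    "layer-2 vpc-low": 4000,
    "layer-3 control": 10000,
    "layer-3 glean": 100,
    "layer-3 mtu": 500,
    "layer-3 ttl": 500,
    "receive": 30000,
}
KNOWN_LIMITERS = set(DEFAULTS) | {"layer-3 multicast"}

# hardware rate-limiter <name> {packets | disable} [module <module> [port <start> <end>]]
LINE_RE = re.compile(
    r"^\s*hardware rate-limiter\s+"
    r"(?P<name>access-list-log|copy|f1 rl-[1-5]|layer-2 \S+|layer-3 \S+|receive)\s+"
    r"(?P<value>\d+|disable)"
    r"(?:\s+module\s+(?P<module>\d+)(?:\s+port\s+(?P<start>\d+)\s+(?P<end>\d+))?)?\s*$"
)


def parse_line(line):
    """Parse one config line; return None for lines that are not rate-limiter commands."""
    m = LINE_RE.match(line)
    if not m:
        return None
    value = None if m.group("value") == "disable" else int(m.group("value"))
    module = int(m.group("module")) if m.group("module") else None
    ports = (int(m.group("start")), int(m.group("end"))) if m.group("start") else None
    return {"name": m.group("name"), "value": value, "module": module, "ports": ports}


def audit(running_config):
    """Return the effective global limiter table, module-scoped overrides and findings."""
    effective = dict(DEFAULTS)
    scoped, findings = [], []
    for line in running_config.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        name, value = entry["name"], entry["value"]
        if name not in KNOWN_LIMITERS:
            findings.append(("error", f"{name}: not a limiter documented in this chapter"))
            continue
        if value is not None and value > MAX_PPS:
            findings.append(("error", f"{name} {value}: exceeds the documented maximum of {MAX_PPS} pps"))
        if entry["module"] is not None:
            # A module/port-scoped line does not change the global value.
            scoped.append(entry)
            findings.append(("info", f"{name}: module-scoped override on module {entry['module']}"))
            continue
        effective[name] = value
        if name not in DEFAULTS:
            findings.append(("info", f"{name}: no default listed in Table 1; review manually"))
            continue
        default = DEFAULTS[name]
        if value is None and default is not None:
            findings.append(("warn", f"{name}: disabled (default {default} pps); this traffic class is no longer limited"))
        elif value is not None and default is None:
            findings.append(("info", f"{name} {value}: enabled (disabled by default)"))
        elif value is not None and default is not None and value > default:
            findings.append(("warn", f"{name} {value}: relaxed above the default of {default} pps"))
    return {"effective": effective, "scoped": scoped, "findings": findings}


def restore_defaults(effective):
    """CLI lines that return every deviating global limiter to its Table 1 default."""
    lines = []
    for name, default in DEFAULTS.items():
        if effective.get(name) != default:
            lines.append(f"hardware rate-limiter {name} {'disable' if default is None else default}")
    return lines


# Constructed sample; not captured from a real device.
SAMPLE_RUNNING_CONFIG = """\
hardware rate-limiter layer-3 control 20000
hardware rate-limiter copy 40000
hardware rate-limiter layer-3 glean disable
hardware rate-limiter layer-2 storm-control 10000
hardware rate-limiter f1 rl-4 50 module 3 port 1 8
hardware rate-limiter layer-3 multicast 20000
"""

if __name__ == "__main__":
    result = audit(SAMPLE_RUNNING_CONFIG)
    for level, message in result["findings"]:
        print(f"[{level}] {message}")
    print("\n".join(restore_defaults(result["effective"])))
```

Feed it the output of `show running-config` saved to a file; the findings list is what to review, and the restore lines are what you would paste in global configuration mode after deciding a deviation is not intentional. Because module-scoped lines only override one module or port range, the script reports them separately rather than folding them into the global table.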

 

Configuring Rate Limits for Packets that Reach the Supervisor

Beginning in Cisco NX-OS Release 5.1, you can configure rate limits globally on the device for packets that reach the supervisor module. If the rate of incoming or outgoing packets exceeds the configured rate limit, the device logs a system message but does not drop any packets.


Note: You can also configure rate limits for packets that reach the supervisor module on a particular interface. For more information, see the Cisco Nexus 7000 Series NX-OS Interfaces Configuration Guide.


SUMMARY STEPS

    1.    configure terminal

    2.    [no] rate-limit cpu direction {input | output | both} pps packets action log

    3.    (Optional) exit

    4.    (Optional) show system internal pktmgr internal control sw-rate-limit

    5.    (Optional) copy running-config startup-config


DETAILED STEPS

Step 1  configure terminal

    Example:
    switch# configure terminal
    switch(config)#

    Purpose: Enters global configuration mode.

Step 2  [no] rate-limit cpu direction {input | output | both} pps packets action log

    Example:
    switch(config)# rate-limit cpu direction both pps 100 action log

    Purpose: Configures rate limits in packets per second for packets that reach the supervisor module and logs a system message if the rate of incoming or outgoing packets exceeds the rate limit. The range is from 1 to 100000. The default rate is 10000.

Step 3  (Optional) exit

    Example:
    switch(config)# exit

    Purpose: Exits global configuration mode.

Step 4  (Optional) show system internal pktmgr internal control sw-rate-limit

    Example:
    switch# show system internal pktmgr internal control sw-rate-limit

    Purpose: Displays the inband and outband global rate limit configuration for packets that reach the supervisor module.

Step 5  (Optional) copy running-config startup-config

    Example:
    switch# copy running-config startup-config

    Purpose: Copies the running configuration to the startup configuration.

 

Monitoring Rate Limits

You can monitor rate limits.

SUMMARY STEPS

    1.    show hardware rate-limiter [access-list-log | copy | f1 {rl-1 | rl-2 | rl-3 | rl-4 | rl-5} | layer-2 {l2pt | mcast-snooping | port-security | storm-control | vpc-low} | layer-3 {control | glean | mtu | multicast | ttl} | module module | receive]


DETAILED STEPS

Step 1  show hardware rate-limiter [access-list-log | copy | f1 {rl-1 | rl-2 | rl-3 | rl-4 | rl-5} | layer-2 {l2pt | mcast-snooping | port-security | storm-control | vpc-low} | layer-3 {control | glean | mtu | multicast | ttl} | module module | receive]

    Example:
    switch# show hardware rate-limiter layer-3 glean

    Purpose: Displays the rate limit statistics.

 

Clearing the Rate Limit Statistics

You can clear the rate limit statistics.

SUMMARY STEPS

    1.    (Optional) show hardware rate-limiter [access-list-log | copy | f1 {rl-1 | rl-2 | rl-3 | rl-4 | rl-5} | layer-2 {l2pt | mcast-snooping | port-security | storm-control | vpc-low} | layer-3 {control | glean | mtu | multicast | ttl} | module module | receive]

    2.    clear hardware rate-limiter {all | access-list-log | copy | f1 {rl-1 | rl-2 | rl-3 | rl-4 | rl-5} | layer-2 {l2pt | mcast-snooping | port-security | storm-control | vpc-low} | layer-3 {control | glean | mtu | multicast | ttl} | receive}


DETAILED STEPS

Step 1  (Optional) show hardware rate-limiter [access-list-log | copy | f1 {rl-1 | rl-2 | rl-3 | rl-4 | rl-5} | layer-2 {l2pt | mcast-snooping | port-security | storm-control | vpc-low} | layer-3 {control | glean | mtu | multicast | ttl} | module module | receive]

    Example:
    switch# show hardware rate-limiter layer-3 glean

    Purpose: Displays the rate limit statistics.

Step 2  clear hardware rate-limiter {all | access-list-log | copy | f1 {rl-1 | rl-2 | rl-3 | rl-4 | rl-5} | layer-2 {l2pt | mcast-snooping | port-security | storm-control | vpc-low} | layer-3 {control | glean | mtu | multicast | ttl} | receive}

    Example:
    switch# clear hardware rate-limiter

    Purpose: Clears the rate limit statistics.

 

Verifying the Rate Limit Configuration

To display the rate limit configuration information, perform the following tasks:

Command / Purpose

show hardware rate-limiter [access-list-log | copy | f1 {rl-1 | rl-2 | rl-3 | rl-4 | rl-5} | layer-2 {l2pt | mcast-snooping | port-security | storm-control | vpc-low} | layer-3 {control | glean | mtu | multicast | ttl} | module module | receive]
    Displays the rate limit configuration.

show system internal pktmgr interface ethernet slot/port
    Displays the inband and outband rate limit configuration for packets that reach the supervisor module on a specific interface.

show system internal pktmgr internal control sw-rate-limit
    Displays the inband and outband global rate limit configuration for packets that reach the supervisor module.

For detailed information about the fields in the output from these commands, see the Cisco Nexus 7000 Series NX-OS Security Command Reference.

Configuration Examples for Rate Limits

The following example shows how to configure rate limits:

switch(config)# hardware rate-limiter layer-3 control 20000
switch(config)# hardware rate-limiter copy 40000

The following example shows how to configure rate limits globally on the device for packets that reach the supervisor module:

switch(config)# rate-limit cpu direction both pps 1000 action log
switch(config)# show system internal pktmgr internal control sw-rate-limit
inband pps global threshold 1000  outband pps global threshold 1000
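The second example above configures the software rate limit for packets that reach the supervisor and then reads the thresholds back with show system internal pktmgr internal control sw-rate-limit. The Python script below is an added example, not Cisco code and not part of this guide: it builds the rate-limit cpu line while enforcing the documented 1 to 100000 range, parses the show output in the format quoted above, and reports any threshold that does not match the configured value (or the documented default of 10000 when no rate-limit cpu line is present). It assumes direction both, as in the example, where both the inband and outband thresholds equal the configured pps; the chapter documents no mapping between input/output and inband/outband, so that case is not judged here. The drifted show output is constructed.

```python
"""Build and verify the software 'rate-limit cpu' setting for supervisor-bound packets.
Added example, not Cisco code; it parses the show output format quoted in this chapter."""
import re

CPU_PPS_MIN, CPU_PPS_MAX = 1, 100000   # documented range of the pps argument
CPU_PPS_DEFAULT = 10000                 # documented default rate
DIRECTIONS = ("input", "output", "both")


def cpu_rate_limit_command(direction, pps):
    """Return the configuration line, refusing values the command would not accept."""
    if direction not in DIRECTIONS:
        raise ValueError(f"direction must be one of {DIRECTIONS}, got {direction!r}")
    if not CPU_PPS_MIN <= pps <= CPU_PPS_MAX:
        raise ValueError(f"pps must be between {CPU_PPS_MIN} and {CPU_PPS_MAX}, got {pps}")
    return f"rate-limit cpu direction {direction} pps {pps} action log"


# Output format of "show system internal pktmgr internal control sw-rate-limit" as quoted above.
SW_RATE_LIMIT_RE = re.compile(
    r"inband pps global threshold (?P<inband>\d+)\s+outband pps global threshold (?P<outband>\d+)"
)


def parse_sw_rate_limit(show_output):
    """Extract the inband and outband global thresholds from the show output."""
    m = SW_RATE_LIMIT_RE.search(show_output)
    if m is None:
        raise ValueError("unrecognized sw-rate-limit output")
    return {"inband": int(m.group("inband")), "outband": int(m.group("outband"))}


def verify_thresholds(show_output, configured_pps=None):
    """Compare the reported thresholds with the configured value, or with the documented
    default when no 'rate-limit cpu' line is configured. Assumes 'direction both', as in
    the chapter's example, where both thresholds should equal the configured pps."""
    expected = CPU_PPS_DEFAULT if configured_pps is None else configured_pps
    thresholds = parse_sw_rate_limit(show_output)
    return [f"{side} threshold is {value}, expected {expected}"
            for side, value in thresholds.items() if value != expected]


# The first line is the output quoted in this chapter; the second is constructed to show drift.
SHOW_OUTPUT_OK = "inband pps global threshold 1000  outband pps global threshold 1000"
SHOW_OUTPUT_DRIFT = "inband pps global threshold 10000  outband pps global threshold 1000"

if __name__ == "__main__":
    print(cpu_rate_limit_command("both", 1000))
    print(verify_thresholds(SHOW_OUTPUT_OK, 1000))      # [] -> thresholds match
    print(verify_thresholds(SHOW_OUTPUT_DRIFT, 1000))   # inband mismatch reported
```

Because the device only logs when this limit is exceeded and never drops packets, the check is a configuration-drift check, not a protection check: confirming the thresholds are where you set them is what makes the resulting system messages trustworthy as a signal.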

Additional References for Rate Limits

This section includes additional information related to implementing rate limits.

Related Documents

Related Topic            Document Title
Cisco NX-OS Licensing    Cisco NX-OS Licensing Guide
Command reference        Cisco Nexus 7000 Series NX-OS Security Command Reference

Feature History for Rate Limits

This table lists the release history for this feature.

Table 2 Feature History for Rate Limits

Feature Name    Releases    Feature Information
Rate limits     5.2(1)      No change from Release 5.1.
Rate limits     5.1(1)      Added support for F1 Series module packets.
Rate limits     5.1(1)      Added the ability to configure rate limits for packets that reach the supervisor module and to log a system message if the rate limit is exceeded.
Rate limits     5.1(1)      Added options to disable rate limits and to configure rate limits for a specific module and port range.
Rate limits     5.0(2)      Added support for Layer 2 Tunnel Protocol (L2TP) packets.
Rate limits     4.2(1)      No change from Release 4.1.