Table Of Contents
PXF Divert Rate Limit Enhancement on the Cisco CMTS Routers
Prerequisites for PXF DRL Enhancement
Restrictions for PXF DRL Enhancement
Information About PXF DRL Enhancement
PXF DRL Enhancement on a Cable Interface
PXF DRL Enhancement on a WAN Interface
How to Configure PXF DRL Enhancement on the Cisco CMTS Routers
Configuring Cable Divert-Rate-Limit
Configuring WAN-IP Rate and Limit
Configuring WAN Non-IP Rate and Limit
Verifying Cable and WAN-IP Dropped Packets
Verifying WAN Non-IP Dropped Packets
Verifying the Trusted-Site List
Clearing Cable or WAN-IP Statistics
Clearing WAN Non-IP Statistics
Configuration Examples for PXF DRL Enhancement
Configuring Cable Divert-Rate-Limit: Example
Configuring WAN-IP Rate and Limit: Example
Configuring WAN Non-IP Rate and Limit: Example
Configuring a Trusted Site: Example
Feature Information for PXF DRL Enhancement
PXF Divert Rate Limit Enhancement on the Cisco CMTS Routers
First Published: December 18, 2008
This document describes the Parallel eXpress Forwarding (PXF) Divert Rate Limit (DRL) Enhancement on the Cisco Cable Modem Termination System (CMTS). This feature prevents congestion of the forwarding processor (FP) to the Route Processor (RP) interface, which can be caused by Denial-of-Service (DoS) attacks directed at the CMTS or by faulty hardware.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for PXF DRL Enhancement" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS, Catalyst OS, and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
• Prerequisites for PXF DRL Enhancement
• Restrictions for PXF DRL Enhancement
• Information About PXF DRL Enhancement
• How to Configure PXF DRL Enhancement on the Cisco CMTS Routers
• Configuration Examples for PXF DRL Enhancement
• Feature Information for PXF DRL Enhancement
Prerequisites for PXF DRL Enhancement
The PXF DRL Enhancement feature is supported on the Cisco CMTS routers in Cisco IOS Release 12.2(33)SCB. Table 1 shows the Cisco Cable Modem Termination System (CMTS) hardware compatibility prerequisites for this feature.
Table 1 PXF DRL Enhancement Hardware Compatibility Matrix
CMTS Platform: Cisco uBR10012 Universal Broadband Router
Processor Engine: Cisco IOS Release 12.2(33)SCB
• PRE2
• PRE4
Cable Interface Line Cards: Cisco IOS Release 12.2(33)SCB
• Cisco uBR10-MC5X20S/U/H
Restrictions for PXF DRL Enhancement
• Divert-Rate-Limit (DRL) cannot be configured on a cable bundle interface.
• The trusted-site list can contain a maximum of four sites.
• WAN-IP entities are identified using a hash, and hash collisions can occur between two (or more) entities.
• The DRL feature is always on, and it cannot be turned off.
• PXF DRL Enhancement is not applicable to Address Resolution Protocol (ARP) packets arriving from a cable interface. These packets are rate-limited by the ARP filter feature.
Information About PXF DRL Enhancement
The PXF DRL Enhancement feature prevents congestion of the FP-to-RP interface by identifying and rate-limiting entities that would otherwise cause congestion.
Diverted packets are sent from the forwarding processor to the Route Processor through the FP-to-RP interface. Congestion of this interface occurs when packets (that require diversion) arrive at the FP at a faster rate than they can be transmitted to the RP. Under congested conditions, valid packets in the FP-to-RP queues will be tail-dropped. This situation can be caused deliberately by DoS attacks directed at the CMTS, or inadvertently by faulty external hardware.
The PXF DRL Enhancement feature identifies packet streams that cause congestion on the FP-to-RP interface. Packets in such a stream are dropped according to the configured rate-limiting parameters. Rate-limiting occurs before the packets are placed in the FP-to-RP queues, so other valid packets can still reach the RP.
The PXF DRL Enhancement feature applies to both cable and WAN interfaces.
PXF DRL Enhancement on a Cable Interface
The PXF DRL Enhancement feature applies to upstream packets from a cable interface. On the cable side, entities must be rate-limited on a deterministic basis: because certain entities (for example, VoIP calls) must be able to divert packets successfully, a probabilistic model cannot be used. With this feature, all the traffic emanating from a subscriber is aggregated and limited. The subscriber is identified by the Media Access Control (MAC) domain and service identifier (SID).
PXF DRL Enhancement on a WAN Interface
The PXF DRL Enhancement feature applies to packets from a non-cable interface (typically a Gigabit Ethernet line card). WAN-side entities cannot be rate-limited on a deterministic basis because of the large number of entities that can exist. Therefore, a probabilistic model (that is, a hash) is used to identify packet streams. This means that not all entities will be uniquely identified.
IP packet streams are identified and rate-limited by a hash of the source IP address, the fib-root (for example, the VPN routing and forwarding [VRF] name), and the divert code. Non-IP packet streams are not expected on the WAN interface, and are therefore rate-limited on a divert code basis.
A WAN-side "trusted-site" list can be maintained, with a maximum of four trusted sites. Each entry in the "trusted-site" list contains an IP address and mask, an IP type of service (ToS) value and mask, and a VRF name. Packets matching a trusted site will not be subject to rate-limiting. In addition, packets from trusted sites will not affect the rate-limiting of packets from other entities.
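The entity identification and trusted-site rules described in the two sections above, as an added Python model (not Cisco code): cable traffic is keyed deterministically by (MAC domain, SID), WAN-IP traffic by a hash of (source IP, VRF, divert code) into a fixed-size table, non-IP traffic by divert code alone, and each entity is metered by a token bucket. The names TokenBucket and Drl, the SHA-256 hash, the table size of 1024, the mapping of rate and limit to tokens per second and bucket depth, and string comparison of the VRF name are all assumptions; the page does not specify them.

```python
import hashlib
import ipaddress

# Added model of PXF DRL entity identification; not Cisco code. Assumed: each
# entity gets a token bucket refilled at 'rate' tokens/s and holding at most
# 'limit' tokens; the hash function and WAN-IP table size are made up.
WAN_IP_BUCKETS = 1024

class TokenBucket:
    def __init__(self, rate, limit):
        self.rate, self.limit, self.tokens, self.last = rate, limit, float(limit), 0.0

    def allow(self, now):
        # Refill for elapsed time (capped at 'limit'), then spend one token if any.
        self.tokens = min(self.limit, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

def wan_ip_entity(src_ip, vrf, divert_code):
    # WAN-IP streams hash (source IP, fib-root/VRF, divert code) into a fixed
    # table, so distinct streams can share one bucket (a hash collision).
    digest = hashlib.sha256(f"{src_ip}|{vrf}|{divert_code}".encode()).digest()
    return ("wan-ip", int.from_bytes(digest[:4], "big") % WAN_IP_BUCKETS)

def is_trusted(site, src_ip, tos, vrf):
    # site = (ip, ip_mask, tos_value, tos_mask, vrf), as in the trusted-site list.
    ip, sip, mask = (int(ipaddress.IPv4Address(a)) for a in (src_ip, site[0], site[1]))
    return (ip & mask) == (sip & mask) and (tos & site[3]) == (site[2] & site[3]) and vrf == site[4]

class Drl:
    def __init__(self, cable, wan_ip, wan_non_ip, trusted=()):
        # cable=(rate, limit); wan_ip and wan_non_ip = {divert_code: (rate, limit)}
        self.cable, self.wan_ip, self.wan_non_ip = cable, wan_ip, wan_non_ip
        self.trusted, self.buckets = list(trusted), {}

    def divert(self, pkt, now):
        # Returns 'trusted' (exempt), 'forward' (queued to the RP) or 'drop'.
        if pkt["side"] == "cable":  # deterministic: one bucket per (MAC domain, SID)
            key, cfg = ("cable", pkt["mac_domain"], pkt["sid"]), self.cable
        elif "src_ip" in pkt:
            if any(is_trusted(s, pkt["src_ip"], pkt["tos"], pkt["vrf"]) for s in self.trusted):
                return "trusted"  # never touches a bucket, so cannot starve other entities
            key, cfg = wan_ip_entity(pkt["src_ip"], pkt["vrf"], pkt["divert_code"]), self.wan_ip[pkt["divert_code"]]
        else:  # non-IP streams are limited per divert code only
            key, cfg = ("wan-non-ip", pkt["divert_code"]), self.wan_non_ip[pkt["divert_code"]]
        return "forward" if self.buckets.setdefault(key, TokenBucket(*cfg)).allow(now) else "drop"
```

With the cable parameters from this document's configuration example (rate 1, limit 4), a burst of six packets from one SID lets four through and drops two, and one more is admitted per second afterwards.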
How to Configure PXF DRL Enhancement on the Cisco CMTS Routers
This section describes the following required and optional procedures:
• Configuring Cable Divert-Rate-Limit (required)
• Configuring WAN-IP Rate and Limit (required)
• Configuring WAN Non-IP Rate and Limit (required)
• Configuring a Trusted Site (required)
• Verifying Cable and WAN-IP Dropped Packets (optional)
• Verifying WAN Non-IP Dropped Packets (optional)
• Verifying the Trusted-Site List (optional)
• Clearing Cable or WAN-IP Statistics (optional)
• Clearing WAN Non-IP Statistics (optional)
Configuring Cable Divert-Rate-Limit
Cable-side DRL is configured on the physical cable interface. It cannot be configured on a cable bundle interface. To configure cable DRL, use the cable divert-rate-limit command.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface
4. cable divert-rate-limit rate rate limit limit
DETAILED STEPS
Configuring WAN-IP Rate and Limit
To configure DRL for WAN-side IP packet streams, use the service divert-rate-limit ip command.
SUMMARY STEPS
1. enable
2. configure terminal
3. service divert-rate-limit ip divert-code rate rate limit limit
DETAILED STEPS
Configuring WAN Non-IP Rate and Limit
To configure DRL for WAN-side non-IP packet streams, use the service divert-rate-limit non-ip command.
SUMMARY STEPS
1. enable
2. configure terminal
3. service divert-rate-limit non-ip divert-code rate rate limit limit
DETAILED STEPS
Configuring a Trusted Site
Each entry in the "trusted-site" list contains a source IP address and mask, an IP ToS value and mask, and a VRF name. The "trusted-site" list applies only to WAN-side IPv4 packets. A maximum of four trusted sites can be configured.
To configure a trusted-site list, use the service divert-rate-limit trusted-site command.
SUMMARY STEPS
1. enable
2. configure terminal
3. service divert-rate-limit trusted-site source-ip ip-mask tos tos-value mask tos-mask global vrf vrf-name
DETAILED STEPS
Verifying Cable and WAN-IP Dropped Packets
To verify information related to dropped packets for cable and WAN-IP packets, use the show pxf cpu statistics drl cable-wan-ip or show pxf cpu statistics drl cable-wan-ip threshold commands as shown in the following examples:
Router# show pxf cpu statistics drl cable-wan-ip
Divert-Rate-Limit Cable/WAN-IP statistics
dropped identifier
736 11.12.13.10 VRF: global divert_code: fib_rp_dest
190 11.12.13.10 VRF: global divert_code: fib_limited_broadcast
3796 Interface: Cable5/0/0 SID: 2

Router# show pxf cpu statistics drl cable-wan-ip threshold 1000
Divert-Rate-Limit Cable/WAN-IP statistics :: threshold = 1000
dropped identifier
3796 Interface: Cable5/0/0 SID: 2
Verifying WAN Non-IP Dropped Packets
To verify drop counters for WAN non-IP packets, use the show pxf cpu statistics drl wan-non-ip or show pxf cpu statistics drl wan-non-ip threshold commands as shown in the following examples:
Router# show pxf cpu statistics drl wan-non-ip
Divert-Rate-Limit WAN-non-IP statistics
dropped divert_code
5 cdp
17 cgmp

Router# show pxf cpu statistics drl wan-non-ip threshold 10
Divert-Rate-Limit WAN-non-IP statistics :: threshold = 10
dropped divert_code
17 cgmp
Verifying the Trusted-Site List
To verify the trusted-site configuration, use the show pxf cpu drl-trusted-sites command as shown in the following example:
Router# show pxf cpu drl-trusted-sites
Divert-Rate-Limit Trusted-Site list
IP-addr IP-addr mask ToS ToS mask VRF
50.0.0.0 255.255.255.0 0x18 0xF8 global internet
50.0.1.0 255.255.0.0 0x01 0xFF all
60.0.1.0 255.255.255.0 0x18 0xF8 blue
Clearing Cable or WAN-IP Statistics
To clear all the entries in the cable and WAN-IP statistics table, use the clear pxf statistics drl cable-wan-ip command.
Clearing WAN Non-IP Statistics
To clear all the entries in the WAN non-IP statistics table, use the clear pxf statistics drl wan-non-ip command.
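The show pxf cpu statistics drl outputs shown in the verification sections above can be parsed off-box for monitoring. The following is an added Python example, not Cisco code: it reads both output formats, applies the same selection the threshold keyword performs on the router (treating at-or-above as the cut, an assumption), and computes per-entity drop deltas between two polls, which goes beyond the page in showing which entities are still being rate-limited now. The embedded sample text is constructed from the output values the page displays.

```python
import re
# Constructed sample output in the format of the show commands above; the
# values are the ones the page displays. Parser and threshold check are added
# here, not Cisco code; 'at or above threshold' is an assumption.
CABLE_WAN_IP_OUTPUT = """\
Divert-Rate-Limit Cable/WAN-IP statistics
dropped identifier
736 11.12.13.10 VRF: global divert_code: fib_rp_dest
190 11.12.13.10 VRF: global divert_code: fib_limited_broadcast
3796 Interface: Cable5/0/0 SID: 2
"""
WAN_NON_IP_OUTPUT = """\
Divert-Rate-Limit WAN-non-IP statistics
dropped divert_code
5 cdp
17 cgmp
"""

WAN_IP_RE = re.compile(r"^(\d+)\s+(\S+)\s+VRF:\s+(\S+)\s+divert_code:\s+(\S+)$")
CABLE_RE = re.compile(r"^(\d+)\s+Interface:\s+(\S+)\s+SID:\s+(\d+)$")
NON_IP_RE = re.compile(r"^(\d+)\s+(\S+)$")

def parse_drl_stats(text):
    # One dict per counter row; the header lines match none of the patterns.
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := WAN_IP_RE.match(line):
            entries.append({"dropped": int(m[1]), "id": f"{m[2]}/{m[3]}/{m[4]}", "kind": "wan-ip"})
        elif m := CABLE_RE.match(line):
            entries.append({"dropped": int(m[1]), "id": f"{m[2]}/SID{m[3]}", "kind": "cable"})
        elif m := NON_IP_RE.match(line):
            entries.append({"dropped": int(m[1]), "id": m[2], "kind": "wan-non-ip"})
    return entries

def above_threshold(entries, threshold):
    # Same filter the 'threshold' keyword applies on the router, done offline.
    return [e["id"] for e in entries if e["dropped"] >= threshold]

def drop_deltas(previous, current):
    # Drops per entity since the last poll; a counter that went backwards was
    # cleared with 'clear pxf statistics drl', so count from zero again.
    before = {e["id"]: e["dropped"] for e in previous}
    deltas = {}
    for e in current:
        d = e["dropped"] - before.get(e["id"], 0)
        deltas[e["id"]] = e["dropped"] if d < 0 else d
    return deltas
```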
Configuration Examples for PXF DRL Enhancement
This section provides the following configuration examples:
• Configuring Cable Divert-Rate-Limit: Example
• Configuring WAN-IP Rate and Limit: Example
• Configuring WAN Non-IP Rate and Limit: Example
• Configuring a Trusted Site: Example
Configuring Cable Divert-Rate-Limit: Example
In the following example, a cable DRL is configured.
interface C5/0/0
cable divert-rate-limit rate 1 limit 4
Configuring WAN-IP Rate and Limit: Example
In the following example, a WAN-IP rate and limit are configured.
service divert-rate-limit
service divert-rate-limit ip
service divert-rate-limit ip fib_rp_glean
service divert-rate-limit ip fib_rp_glean rate
service divert-rate-limit ip fib_rp_glean rate 65530
service divert-rate-limit ip fib_rp_glean rate 65530 limit
service divert-rate-limit ip fib_rp_glean rate 65530 limit 4194
Configuring WAN Non-IP Rate and Limit: Example
In the following example, a WAN non-IP rate and limit are configured.
service divert-rate-limit
service divert-rate-limit non-ip
service divert-rate-limit non-ip cgmp
service divert-rate-limit non-ip cgmp rate
service divert-rate-limit non-ip cgmp rate 65535
service divert-rate-limit non-ip cgmp rate 65535 limit
service divert-rate-limit non-ip cgmp rate 65535 limit 4100
Configuring a Trusted Site: Example
In the following example, a trusted site is configured.
service divert-rate-limit trusted-site 64.12.13.0 255.255.0.255 tos 0xD0 mask 0xF3
Additional References
The following sections provide references related to the PXF Divert Rate Limit Enhancement feature.
Related Documents
Standards
Standard: No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
Title: —
MIBs
RFCs
RFC: No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Title: —
Technical Assistance
Command Reference
The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS CMTS Command Reference at http://www.cisco.com/en/US/docs/ios/cable/command/reference/cbl_book.html. For information about all Cisco IOS commands, use the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or the Cisco IOS Master Command List, All Releases, at http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html.
• cable divert-rate-limit
• service divert-rate-limit ip
• service divert-rate-limit non-ip
• service divert-rate-limit trusted-site
• clear pxf statistics drl cable-wan-ip
• clear pxf statistics drl wan-non-ip
• show pxf cpu statistics
• show pxf cpu drl-trusted-sites
Feature Information for PXF DRL Enhancement
Table 2 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(33)SCB or a later release appear in the table.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS, Catalyst OS, and Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note: Table 2 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release. Unless noted otherwise, subsequent releases of that Cisco IOS software release also support that feature.
Table 2 Feature Information for PXF DRL Enhancement
Feature Name: PXF DRL Enhancement on the Cisco CMTS Routers
Releases: 12.2(33)SCB
Feature Information: The PXF DRL Enhancement feature prevents congestion of the FP-to-RP interface by identifying and rate-limiting entities that would otherwise cause congestion.
The following sections provide information about this feature:
• PXF DRL Enhancement on a Cable Interface
• PXF DRL Enhancement on a WAN Interface
The following commands were introduced or modified: cable divert-rate-limit, service divert-rate-limit ip, service divert-rate-limit non-ip, service divert-rate-limit trusted-site, clear pxf statistics drl cable-wan-ip, clear pxf statistics drl wan-non-ip, show pxf cpu statistics, show pxf cpu drl-trusted-sites
CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0812R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2008 Cisco Systems, Inc. All rights reserved.

