-
Catalyst 6500 Release 12.2SXF and Rebuilds Software Configuration Guide
-
Index
-
Preface
-
Product Overview
-
Command-Line Interfaces
-
Configuring the Switch for the First Time
-
Configuring a Supervisor Engine 720
-
Configuring a Supervisor Engine 32
-
Configuring the Supervisor Engine 2 and the Switch Fabric Module
-
Configuring NSF with SSO Supervisor Engine Redundancy
-
Configuring RPR and RPR+ Supervisor Engine Redundancy
-
Configuring Interfaces
-
Configuring Layer 2 Ethernet Interfaces
-
Configuring Flex Links
-
Configuring Layer 3 and Layer 2 EtherChannel
-
Configuring VLAN Trunking Protocol (VTP)
-
Configuring VLANs
-
Configuring Private VLANs (PVLANs)
-
Configuring Cisco IP Phone Support
-
Configuring IEEE 802.1Q Tunneling
-
Configuring Layer 2 Protocol Tunneling (L2PT)
-
Configuring Standard-Compliant IEEE MST
-
Configuring STP and IEEE 802.1s MST
-
Configuring STP Features
-
Configuring Layer 3 Interfaces
-
Configuring UDE and UDLR
-
Configuring PFC3BXL and PFC3B Multiprotocol Label Switching (MPLS)
-
Configuring IPv4 Multicast VPN Support
-
Configuring IP Unicast Layer 3 Switching
-
Configuring IPv6 Multicast Layer 3 Switching
-
Configuring IPv4 Multicast Layer 3 Switching
-
Configuring IGMP Snooping
-
Configuring PIM Snooping
-
Configuring MLDv2 Snooping
-
Configuring Router-Port Group Management Protocol (RGMP)
-
Configuring Network Security
-
Understanding Cisco IOS ACL Support
-
Configuring VLAN ACLs (VACLs)
-
Configuring Denial of Service (DoS) Protection
-
Configuring DHCP Snooping
-
Configuring Dynamic ARP Inspection (DAI)
-
Configuring Traffic-Storm Control
-
Configuring Unknown Unicast Flood Blocking (UUFB)
-
Configuring PFC QoS
-
Configuring PFC3BXL or PFC3B Mode MPLS QoS
-
Configuring PFC QoS Statistics Data Export
-
Configuring the Cisco IOS Firewall Feature Set
-
Configuring Network Admission Control (NAC)
-
Configuring 802.1X Port-Based Authentication
-
Configuring Port Security
-
Configuring Cisco Discovery Protocol (CDP)
-
Configuring UniDirectional Link Detection (UDLD)
-
Configuring the NetFlow Table
-
Configuring NetFlow Data Export (NDE)
-
Configuring Local SPAN, Remote SPAN (RSPAN), and Encapsulated RSPAN
-
Configuring SNMP IfIndex Persistence
-
Power Management and Environmental Monitoring
-
Configuring Online Diagnostics
-
Configuring Web Cache Communication Protocol (WCCP)
-
Configuring Top N Utility Reports
-
Using the Layer 2 Traceroute Utility
-
Online Diagnostic Tests
-
Acronyms
-
Table Of Contents
Configuring Denial of Service Protection
Understanding How DoS Protection Works
Hardware-Based Rate Limiters on the PFC2
Recommended Rate-Limiter Configuration
Hardware-Based Rate Limiters on the PFC3
DoS Protection Default Configuration
DoS Protection Configuration Guidelines and Restrictions
Monitoring Packet Drop Statistics
Displaying Rate-Limiter Information
Understanding How Control Plane Policing Works
CoPP Configuration Guidelines and Restrictions
Defining Traffic Classification
Traffic Classification Overview
Traffic Classification Guidelines
Sample Basic ACLs for CoPP Traffic Classification
Configuring Denial of Service Protection
This chapter contains information on how to protect your Catalyst 6500 series switch against Denial of Service (DoS) attacks. The information covered in this chapter is unique to the Catalyst 6500 series switches, and it supplements the network security information and procedures in the "Configuring Network Security" chapter in this publication as well as the network security information and procedures in these publications:
•
Cisco IOS Security Configuration Guide, Release 12.2, at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/index.htm
•
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/index.htm
Note
•
http://www.cisco.com/en/US/docs/ios/mcl/122sxmcl/12_2sx_mcl_book.html
•
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm
This chapter consists of these sections:
•
•
•
•
•
•
Understanding How DoS Protection Works
The following sections contain an overview of the DoS protection on the Catalyst 6500 series switch and describe some types of DoS attack scenarios:
DoS Protection with a PFC2
This section contains information about the available methods to counteract DoS attacks with a PFC2 and includes configuration examples. The following sections describe these protection methods:
Security ACLs
The Catalyst 6500 series switch can deny DoS packets in hardware using security access control lists (ACLs). Security ACLs are applied in hardware using the TCAM to traffic that can be easily identified using Layer 3 or Layer 4 data. You can apply security ACLs preventively before a DoS attack occurs or after an attack has been identified.
This example shows how a security ACL is used to drop DoS packets:
Router# clear mls ip mod 9Router# show mls ip mod 9Displaying Netflow entries in module 9DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr--------------------------------------------------------------------Pkts Bytes Age LastSeen Attributes---------------------------------------------------192.168.0.0 192.168.1.0 0 :0 :0 0 : 01843 84778 2 02:30:17 L3 - Dynamic192.168.1.0 192.168.0.0 0 :0 :0 0 : 02742416 126151136 2 02:30:17 L3 - Dynamic <== Note: traffic flow identified
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# no access-list 199Router(config)# access-list 199 deny ip host 192.168.0.0 anyRouter(config)# access-list 199 permit ip any anyRouter(config)# interface g9/1Router(config-if)# endRouter#1w6d: %SYS-5-CONFIG_I: Configured from console by consoleRouter# clear mls ip mod 9Router# show mls ip mod 9Displaying Netflow entries in module 9DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr--------------------------------------------------------------------Pkts Bytes Age LastSeen Attributes---------------------------------------------------192.168.0.0 192.168.1.0 0 :0 :0 0 : 01542 70932 2 02:31:56 L3 - Dynamic192.168.1.0 192.168.0.0 0 :0 :0 0 : 0Router# show access-list 199Extended IP access list 199Security VACLs
Security virtual access lists (VACLs) are security-enforcement tools based on Layer 2, Layer 3, and Layer 4 information. The result of a security VACL lookup against a packet can be a permit, a deny, a permit and capture, or a redirect. When you associate a security VACL with a particular VLAN, all traffic must be permitted by the security VACL before the traffic is allowed into the VLAN. Security VACLs are enforced in hardware, so there is no performance penalty for applying security VACLs to a VLAN on the Catalyst 6500 series switches.
QoS ACLs
Unlike security ACLs, QoS ACLs can be used to limit the rate of traffic without denying access to all the traffic in a flow.
Router# show ip ospf neighborsNeighbor ID Pri State Dead Time Address Interface6.6.6.122 1 FULL/BDR 00:00:30 6.6.6.122 Vlan46Router# show ip eigrp neighborsIP-EIGRP neighbors for process 200H Address Interface Hold Uptime SRTT RTO Q Seq Type(sec) (ms) Cnt Num0 4.4.4.122 Vl44 11 00:06:07 4 200 0 6555Router# show proc cpu | include CPU utilizationCPU utilization for five seconds: 99%/90%; one minute: 48%; five minutes: 25%Router#2w0d: %OSPF-5-ADJCHG: Process 100, Nbr 6.6.6.122 on Vlan46 from FULL to DOWN, Neighbor Down: Dead timer expiredRouter# show ip eigrp neighborsIP-EIGRP neighbors for process 200Router#Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# access-list 199 permit icmp any any echoRouter(config)# class-map match-any icmpRouter(config-cmap)# match access-group 199Router(config-cmap)# exitRouter(config)# policy-map icmpRouter(config-pmap)# class icmpRouter(config-pmap-c)# police 96000 16000 16000 conform-action transmit exceed-action dropRouter(config-pmap-c)# exitRouter(config-pmap)# exitRouter(config)# interface range g4/1 - 9Router(config-if-range)# end2w0d: %SYS-5-CONFIG_I: Configured from console by console2w0d: %OSPF-5-ADJCHG: Process 100, Nbr 6.6.6.122 on Vlan46 from LOADING to FULL, Loading DoneRouter# show ip eigrp neighborsIP-EIGRP neighbors for process 200H Address Interface Hold Uptime SRTT RTO Q Seq Type(sec) (ms) Cnt Num0 4.4.4.122 Vl44 13 00:00:48 8 200 0 6565Router#FIB Rate Limiting
Note
The forwarding information base (FIB) rate-limiting feature allows all packets that require software processing to be rate limited.
This example shows traffic destined for a nonexistent host address on a locally connected subnet. Normally, the ARP request would result in an ARP reply and the installation of a FIB adjacency for this traffic. However, the adjacency in the FIB for the destination subnet would continue to receive traffic that would be forwarded for software processing. By applying rate-limiting to this traffic, the rate of traffic forwarded for software processing can be limited to a manageable amount.
Router# show ip eigrp neighborsIP-EIGRP neighbors for process 200H Address Interface Hold Uptime SRTT RTO Q Seq Type(sec) (ms) Cnt Num0 4.4.4.122 Vl44 11 00:00:26 8 200 0 6534Router# show ip ospf neighborsNeighbor ID Pri State Dead Time Address Interface6.6.6.122 1 FULL/BDR 00:00:36 6.6.6.122 Vlan46Router# show arp | include 199.2.250.250Internet 199.2.250.250 0 Incomplete ARPARouter#1w6d: %OSPF-5-ADJCHG: Process 100, Nbr 6.6.6.122 on Vlan46 from FULL to DOWN, Neighbor Down: Dead timer expiredRouter# show ip eigrp neighborsIP-EIGRP neighbors for process 200Router#Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# endRouter#1w6d: %SYS-5-CONFIG_I: Configured from console by consoleRouter#1w6d: %OSPF-5-ADJCHG: Process 100, Nbr 6.6.6.122 on Vlan46 from LOADING to FULL, Loading DoneRouter# show ip eigrp neighborsIP-EIGRP neighbors for process 200H Address Interface Hold Uptime SRTT RTO Q Seq Type(sec) (ms) Cnt Num0 4.4.4.122 Vl44 12 00:00:07 12 200 0 6536Router#Traffic Storm Control
A traffic storm occurs when packets flood the LAN, which creates excessive traffic and degrades network performance. The traffic storm control feature prevents LAN ports from being disrupted by a broadcast, multicast, or unicast traffic storm on physical interfaces from either mistakes in network configurations or from users issuing a DoS attack. Traffic storm control (also called traffic suppression) monitors incoming traffic levels over a 1-second traffic storm control interval. During the interval, traffic storm control compares the traffic level with the configured traffic storm control level. The traffic storm control level is a percentage of the total available bandwidth of the port. Each port has a single traffic storm control level that is used for all types of traffic (broadcast, multicast, and unicast).
Traffic storm control is configured on an interface and is disabled by default. The configuration example here enables broadcast address storm control on interface FastEthernet 2/3 to a level of 20 percent. When the broadcast traffic exceeds the configured level of 20 percent of the total available bandwidth of the port within a 1-second traffic-storm-control interval, traffic storm control will drop all broadcast traffic until the end of the traffic-storm-control interval.
Router(config-if)# storm-control broadcast level 20The Catalyst 6500 series switch supports broadcast storm control on all LAN ports and multicast and unicast storm control on Gigabit Ethernet ports.
When two or three suppression modes are configured simultaneously, they share the same level settings. If broadcast suppression is enabled, and if multicast suppression is also enabled and configured at a 70-percent threshold, the broadcast suppression will also have a setting for 70 percent.
For more information about configuring traffic storm control see Chapter 39, "Configuring Traffic Storm Control."
ARP Throttling
ARP throttling can be used to automatically install hardware-based FIB and adjacency entries to drop packets during ARP resolution. Most of these packets are dropped, but a small number are sent to the MSFC (rate limited).
uRPF Check
When you enable the unicast reverse path forwarding (uRPF) check, packets that lack a verifiable source IP address, such as spoofed IP source addresses, are discarded. Cisco Express Forwarding (CEF) tables are used to verify that the source addresses and the interfaces on which they were received are consistent with the FIB tables on the supervisor engine.
After you enable uRPF check on an interface (per-VLAN basis), the incoming packet is compared to the CEF tables through a reverse lookup. If the packet is received from one of the reverse path routes, the packet is forwarded. If there is no reverse path route on the interface on which the packet was received, the packet fails the uRPF check and is either dropped or forwarded, depending on whether an ACL is applied to the uRPF check fail traffic. If no ACL is specified in the CEF tables, then the forged packets are immediately dropped.
You can only specify an ACL for the uRPF check for packets that fail the uRPF check. The ACL checks whether the packet should immediately be dropped or forwarded. The uRPF check with ACL is not supported in any PFC3 in hardware. Packets that are denied in the uRPF ACL are forwarded in hardware. Packets that are permitted are sent to the CPU.
The uRPF check with a PFC2 is supported in hardware but with only one return path. However, all packets that fail the uRPF check, and are forwarded because of an applied ACL, can be sent and rate limited to the MSFC to generate ICMP unreachable messages; these actions are all software driven. The uRPF check in hardware is supported for routes with up to two return paths (interfaces) and up to six return paths with interface groups configured (two from the FIB table and four from the interface groups)
TCP Intercept
TCP intercept protects recipients of TCP traffic from TCP SYN-flooding DoS attacks. A normal TCP connection starts with a three-way handshake. Host A sends a SYN request to Host B requesting the start of a new TCP session. Host B responds with a SYN ACK acknowledging the receipt of the SYN request. Host A then returns an ACK for Host B's SYN ACK, and the session commences. A SYN-flooding attack occurs when hackers flood servers with requests for connections that have unreachable return addresses. The three-way handshake is never completed, and the connections cannot be established. The amount of session requests to which the server host is responding can overwhelm the server host and prevent legitimate users from connecting to legitimate services, such as web sites and email servers.
TCP intercept prevents the SYN flooding by intercepting and validating TCP requests. TCP intercept supports the following modes:
•
In the case of illegitimate requests from potential hackers, the software's aggressive timeouts on half-open connections and its thresholds on TCP connection requests protect destination servers while still allowing valid requests. When establishing the network security policy using TCP intercept, you can choose to intercept all requests or only those coming from specific networks or destined for specific servers. You also can configure the connection rate and threshold of outstanding connections.
•
Because TCP intercept can operate in either active intercept mode or passive watch mode, it is important to decide which mode is suitable for the network, and to configure your network accordingly. TCP intercept is hardware-assisted on the PFC2 and PFC3 (all types). Configuring many sources and destinations for active intercept mode may overrun the CPU, so it is recommended that only critical servers be protected with active intercept mode.
The default mode of operation is intercept mode. In intercept mode, the software actively intercepts each incoming connection request (SYN) and responds on behalf of the server with the SYN-ACK, and then waits for the ACK from the client. After the preparation is complete, the original SYN is sent to the server, and the software performs the three-way handshake with the server. The two halves are connected together.
In Watch mode, the connection requests pass through the switch to the server, but are watched until they become established. If they fail to become established within 30 seconds (this value is configurable), the software sends a reset to the server to clear up its state. Configuring switches for watch mode has less CPU impact than intercept mode. In watch mode, the CPU is not performing checks and connects on both halves of the connection. The CPU is passively monitoring the connection and acting on failed connections after the fact.
TCP intercept is configured globally by first creating the extended access list for the traffic to be intercepted, and then creating the TCP intercept list. The type of traffic to be intercepted must be one of the following:
•
•
•
This example defines the source in the access list as any; it does not attempt to filter the source address because it is difficult to know exactly who to intercept packets from. The destination, is specified to protect the destination servers from the TCP SYN-flood attack. If an access list match is not found, traffic is permitted to pass without further action.
Router(config)# access-list 101 permit tcp any 10.1.1.1 0.0.0.255Router(config)# ip tcp intercept list 101Table 36-1 lists the command used to configure the TCP intercept.
Hardware-Based Rate Limiters on the PFC2
The PFC2 supports additional hardware-based rate limiters. The PFC2 provides four rate-limiter registers for the new rate limiters, which are configured globally on the switch. These rate-limiter registers are present in the Layer 3 forwarding engine (PFC) and are responsible for containing rate-limiting information for result packets that match the various available configured rate limiters.
Because four rate-limiter registers are present on the Layer 3 forwarding engine only, these registers can force different rate-limiting scenarios to share the same register. The registers are assigned on a first-come, first-serve basis. If all registers are being utilized, the only way to configure another rate limiter is to free one register.
The hardware-based rate limiters available on the PFC2 are as follows:
•
•
•
•
Ingress-Egress ACL Bridged Packets (Unicast Only)
This rate limiter rate limits packets sent to the MSFC because of an ingress/egress ACL bridge result. The switch accomplishes this by altering existing and new ACL TCAM entries with a TCAM bridge result to a Layer 3 redirect result pointing to the MSFC. Packets hitting the TCAM entries with the altered Layer 3 redirect rate limit result will be rate limited according to the instructions set in CLI by the network administrator. Both the ingress and egress values will be the same, as they both share the same rate-limiter register. If the ACL bridge ingress/egress rate limiting is disabled, the Layer 3 redirect rate limit results are converted to the bridge result.
Ingress or egress ACL-bridged packet cases share a single rate-limiter register. If the feature is turned on, ingress and egress ACLs use the same rate-limiter value.
This example shows how to rate limit the unicast packets from an ingress ACL bridge result to 50000 packets per second, and 50 packets in burst:
Router(config)# mls rate-limit unicast acl input 50000 50This example shows how to rate limit the unicast packets from an ingress ACL bridge result to the same rate (50000 pps and 50 packets in burst) for egress ACL bridge results:
Router(config)# mls rate-limit unicast acl output 50000 50If the values of the rate limiter are altered on either the ingress or the egress when both are enabled, both values are changed to that new value. In the following example, the output rate is changed to 40000 pps:
Router(config)# mls rate-limit unicast acl output 40000 50When you enter the show mls rate-limit command, both the ACL bridged in and the ACL bridged out display the new value of 40000 pps:
Router# sh mls rate-limitLoad for five secs: 0%/0%; one minute: 0%; five minutes: 0% Time source is NTP, 10:32:15.584 PDT Fri Aug 5 2005Rate Limiter Type Status Packets/s----------------- ---------- ---------ACL BRIDGE IN Off -ACL BRIDGE OUT Off -L3_SEC_FEATURES Off -VACL LOG Off -FIB RECEIVE Off -FIB GLEAN Off -FIB (CEF) Receive and FIB Glean Cases (Unicast Only)
The FIB receive rate limiter provides the capability to rate limit all packets that contain the MSFC IP address as the destination address. The rate limiters do not discriminate between good frames and bad frames.
Note
This example shows how to rate limit the traffic to 25000 pps with a burst of 60:
Router(config)# mls rate-limit unicast cef receive 25000 60The FIB glean rate limiter does not limit ARP traffic, but provides the capability to rate limit traffic that requires address resolution (ARP) and requires that it be sent to the MSFC. This situation occurs when traffic enters a port and contains the destination of a host on a subnet that is locally connected to the MSFC, but no ARP entry exists for that destination host. In this case, because the MAC address of the destination host will not be answered by any host on the directly connected subnet that is unknown, the "glean" adjacency is hit and the traffic is sent directly to the MSFC for ARP resolution. This rate limiter limits the possibility of an attacker overloading the CPU with such ARP requests.
This example shows how to rate limit the rate at which this traffic is sent to the MSFC to 20000 pps and a burst of 60:
Router(config)# mls rate-limit unicast cef glean 20000 60VACL Log (Unicast Only)
Packets that are sent to the MSFC because of VLAN-ACL logging can be rate limited to ensure that the CPU is not overwhelmed with logging tasks. VACLs are processed in hardware, but the MSFC does the logging. When VACL logging is configured on the switch, IP packets that are denied in the VACL generate log messages.
This example shows how to rate limit logging requests to 5000 pps (the range for this rate limiter is from 10 to 5000 pps):
Router(config)# mls rate-limit unicast acl vacl-log 5000Layer 3 Security Features (Unicast Only)
Some security features are processed by first being sent to the MSFC. For these security features, you need to rate limit the number of these packets being sent to the MSFC to reduce any potential overloading. The security features include authentication proxy (auth-proxy), IPSEC, and inspection.
Authentication proxy is used to authenticate inbound or outbound users or both. These users are normally blocked by an access list, but with auth-proxy, the users can bring up a browser to go through the firewall and authenticate on a terminal access controller access control system plus (TACACS+) or RADIUS server (based on the IP address). The server passes additional access list entries down to the switch to allow the users through after authentication. These ACLs are stored and processed in software, and if there are many users utilizing auth-proxy, the MSFC may be overwhelmed. Rate limiting would be advantageous in this situation.
IPSec and inspection are also done by the MSFC and may require rate limiting. When the Layer 3 security feature rate limiter is enabled, all Layer 3 rate limiters for auth-proxy, IPSec and inspection are enabled at the same rate.
This example shows how to rate limit the security features to the MSFC to 100000 pps with a burst of 10 packets:
Router(config)# mls rate-limit unicast ip features 100000 10DoS Protection with a PFC3
This section contains information about the available methods to counteract DoS attacks with a PFC3 and includes configuration examples. The PFC3 provides a layered defense against DoS attacks using the following methods:
•
•
These sections describe DoS protection with a PFC3:
•
•
–
–
–
–
–
Security ACLs and VACLs
If the network is under a DoS attack, ACLs can be an efficient method for dropping the DoS packets before they reach the intended target. Use security ACLs if an attack is detected from a particular host. In this example, the host 10.1.1.10 and all traffic from that host is denied:
Router(config)# access-list 101 deny ip host 10.1.1.10 anyRouter(config)# access-list 101 permit ip any anySecurity ACLs also protect against the spoofing of addresses. For example, assume that a source address A is on the inside of a network and a switch interface that is pointing to the Internet. You can apply an inbound ACL on the switch Internet interface that denies all addresses with a source of A (the inside address). This action stops attacks where the attackers spoof inside source addresses. When the packet arrives at the switch interface, it matches on that ACL and drops the packet before it causes damage.
When the Catalyst 6500 series switch is used with a Cisco Intrusion Detection Module (CIDM), you can dynamically install the security ACL as a response to the detection of the attack by the sensing engine.
VACLs are a security enforcement tool based on Layer 2, Layer 3, and Layer 4 information. The result of a VACL lookup against a packet can be a permit, a deny, a permit and capture, or a redirect. When you associate a VACL with a particular VLAN, all traffic must be permitted by the VACL before the traffic is allowed into the VLAN. VACLs are enforced in hardware, so there is no performance penalty for applying VACLs to a VLAN on the Catalyst 6500 series switches.
QoS Rate Limiting
QoS ACLs limit the amount of a particular type of traffic that is processed by the MSFC3. If a DoS attack is initiated against the MSFC, QoS ACLs can prevent the DoS traffic from reaching the MSFC data path and congesting it. The PFC3 performs QoS in hardware, which offers an efficient means of limiting DoS traffic (once that traffic has been identified) to protect the switch from impacting the MSFC.
For example, if the network is experiencing ping-of-death or smurf attacks, the administrator should rate limit the ICMP traffic to counteract the DoS attack and still allow legitimate traffic through the processor, or allow it to be forwarded to the MSFC or host. This rate limiting configuration must be done for each flow that should be rate limited and the rate-limiting policy action should be applied to the interface.
In the following example, the access-list 101 permits and identifies ping (echo) ICMP messages from any source to any destination as traffic. Within the policy map, a policing rule defines a specified committed information rate (CIR) and burst value (96000 bps and 16000 bps) to rate limit the ping (ICMP) traffic through the chassis. The policy map then is applied to an interface or VLAN. If the ping traffic exceeds the specified rate on the VLAN or interface where the policy map is applied, it is dropped as specified in the markdown map (the markdown map for the normal burst configurations is not shown in the example).
Router(config)# access-list 101 permit icmp any any echoRouter(config)# class-map match-any icmp_classRouter(config-cmap)# match access-group 101Router(config-cmap)# exitRouter(config)# policy-map icmp_policerRouter(config-pmap)# class icmp_classRouter(config-pmap-c)# police 96000 16000 conform-action transmit exceed-action policed-dscp-transmit dropRouter(config-pmap-c)# exitRouter(config-pmap)# exituRPF Check
When you enable the unicast reverse path forwarding (uRPF) check, packets that lack a verifiable source IP address, such as spoofed IP source addresses, are discarded. Cisco Express Forwarding (CEF) tables are used to verify that the source addresses and the interfaces on which they were received are consistent with the FIB tables on the supervisor engine.
After you enable uRPF check on an interface (per-VLAN basis), the incoming packet is compared to the CEF tables through a reverse lookup. If the packet is received from one of the reverse path routes, the packet is forwarded. If there is no reverse path route on the interface on which the packet was received, the packet fails the uRPF check and is either dropped or forwarded, depending on whether an ACL is applied to the uRPF check fail traffic. If no ACL is specified in the CEF tables, then the forged packets are immediately dropped.
You can only specify an ACL for the uRPF check for packets that fail the uRPF check. The ACL checks whether the packet should immediately be dropped or forwarded. The uRPF check with ACL is not supported in any PFC3 in hardware. Packets that are denied in the uRPF ACL are forwarded in hardware. Packets that are permitted are sent to the CPU.
The uRPF check with a PFC3 is supported in hardware; it is also supported in hardware with a PFC2, but with only one return path. However, all packets that fail the uRPF check, and are forwarded because of an applied ACL, can be sent and rate limited to the MSFC to generate ICMP unreachable messages; these actions are all software driven. The uRPF check in hardware is supported for routes with up to two return paths (interfaces) and up to six return paths with interface groups configured (two from the FIB table and four from the interface groups).
Traffic Storm Control
A traffic storm occurs when packets flood the LAN, which creates excessive traffic and degrades network performance. The traffic storm control feature prevents LAN ports from being disrupted by a broadcast, multicast, or unicast traffic storm on physical interfaces from either mistakes in network configurations or from users issuing a DoS attack. Traffic storm control (also called traffic suppression) monitors incoming traffic levels over a 1-second traffic storm control interval. During the interval, traffic storm control compares the traffic level with the configured traffic storm control level. The traffic storm control level is a percentage of the total available bandwidth of the port. Each port has a single traffic storm control level that is used for all types of traffic (broadcast, multicast, and unicast).
Traffic storm control is configured on an interface and is disabled by default. The configuration example here enables broadcast address storm control on interface FastEthernet 2/3 to a level of 20 percent. When the broadcast traffic exceeds the configured level of 20 percent of the total available bandwidth of the port within a 1-second traffic-storm-control interval, traffic storm control will drop all broadcast traffic until the end of the traffic-storm-control interval.
Router(config-if)# storm-control broadcast level 20The Catalyst 6500 series switch supports broadcast storm control on all LAN ports and multicast and unicast storm control on Gigabit Ethernet ports.
When two or three suppression modes are configured simultaneously, they share the same level settings. If broadcast suppression is enabled, and if multicast suppression is also enabled and configured at a 70-percent threshold, the broadcast suppression will also have a setting for 70 percent.
Network Under SYN Attack
A network under a SYN attack is easily recognized. The target host becomes unusually slow, crashes, or suspends operation. Traffic returned from the target host can also cause trouble on the MSFC because return traffic goes to randomized source addresses of the original packets, lacks the locality of "real" IP traffic, and may overflow route caches, or CEF tables.
When the network is under a SYN attack, the TCP intercept feature becomes aggressively defensive. Two factors determine when aggressive behavior on the switch begins and ends:
•
•
Both factors are configured with low and high values.
If the number of incomplete connections exceed 1,100, or the number of connections arriving in the last one-minute period exceed 1,100, each new arriving connection causes the oldest partial connection (or a random connection) to be deleted. These are the default values, which can be altered. When either of the thresholds is exceeded, the TCP intercept assumes the server is under attack and goes into aggressive mode with the following reactions:
•
•
•
Note
TCP flows are hardware assisted on both the PFC2 and PFC3 (all PFC3 types).
ARP Policing
During an attack, malicious users may try to overwhelm the MSFC CPU with control packets such as routing protocol or ARP packets. These special control packets can be hardware rate limited using a specific routing protocol and an ARP policing mechanism configurable with the mls qos protocol command. The routing protocols supported include RIP, BGP, LDP, OSPF, IS-IS, IGRP, and EIGRP. For example, the command mls qos protocol arp police 32000 rate limits ARP packets in hardware at 32,000 bps. Although this policing mechanism effectively protects the MSFC CPU against attacks such as line-rate ARP attacks, it does not only police routing protocols and ARP packets to the switch but also polices traffic through the box with less granularity than CoPP.
The policing mechanism shares the root configuration with a policing-avoidance mechanism. The policing-avoidance mechanism lets the routing protocol and ARP packets flow through the network when they reach a QoS policer. This mechanism can be configured using the mls qos protocol protocol pass-through command.
This example shows how to display the available protocols to use with ARP policing.
Router(config)# mls qos protocol ?isiseigrpldpospfripbgpospfv3bgpv2ripngneigh-discoverwlccparpThis example shows how to display the available keywords to use with the mls qos protocol arp command:
Router(config)# mls qos protocol arp ?pass-through pass-through keywordpolice police keywordprecedence change ip-precedence(used to map the dscp to cos value)Recommended Rate-Limiter Configuration
The recommended rate-limiter configuration is as follows:
•
•
•
•
•
•
–
–
–
Hardware-Based Rate Limiters on the PFC3
The PFC3 supports additional hardware-based rate limiters. The PFC3 provides eight rate-limiter registers for the new rate limiters, which are configured globally on the switch. These rate-limiter registers are present in the Layer 3 forwarding engine (PFC) and are responsible for containing rate-limiting information for result packets that match the various available configured rate limiters.
Because eight rate-limiter registers are present on the PFC3, these registers can force different rate-limiting scenarios to share the same register. The registers are assigned on a first-come, first-serve basis. If all registers are being utilized, the only way to configure another rate limiter is to free one register.
The hardware-based rate limiters available on the PFC3 are as follows:
•
•
•
•
•
•
•
•
•
•
•
•
•
Ingress-Egress ACL Bridged Packets (Unicast Only)
This rate limiter rate limits packets sent to the MSFC because of an ingress/egress ACL bridge result. The switch accomplishes this by altering existing and new ACL TCAM entries with a TCAM bridge result to a Layer 3 redirect result pointing to the MSFC. Packets hitting the TCAM entries with the altered Layer 3 redirect rate limit result will be rate limited according to the instructions set in CLI by the network administrator. Both the ingress and egress values will be the same, as they both share the same rate-limiter register. If the ACL bridge ingress/egress rate limiting is disabled, the Layer 3 redirect rate limit results are converted to the bridge result.
Ingress or egress ACL-bridged packet cases share a single rate-limiter register. If the feature is turned on, ingress and egress ACLs use the same rate-limiter value.
Burst values regulate how many packets can be allowed in a burst. Each allowed packet consumes a token and a token must be available for a packet to be allowed. One token is generated per millisecond. When packets are not coming in, tokens can be accumulated up to the burst value. For example, if the burst value is set to 50, the switch can accumulate up to 50 tokens and absorb a burst of 50 packets.
This example shows how to rate limit the unicast packets from an ingress ACL bridge result to 50000 packets per second, and 50 packets in burst:
Router(config)# mls rate-limit unicast acl input 50000 50This example shows how to rate limit the unicast packets from an ingress ACL bridge result to the same rate (50000 pps and 50 packets in burst) for egress ACL bridge results:
Router(config)# mls rate-limit unicast acl output 50000 50If the values of the rate limiter are altered on either the ingress or the egress when both are enabled, both values are changed to that new value. In the following example, the output rate is changed to 40000 pps:
Router(config)# mls rate-limit unicast acl output 40000 50When you enter the show mls rate-limit command, both the ACL bridged in and the ACL bridged out display the new value of 40000 pps:
Router# show mls rate-limitRate Limiter Type Status Packets/s Burst--------------------- ---------- --------- -----MCAST NON RPF Off - -MCAST DFLT ADJ On 100000 100MCAST DIRECT CON Off - -ACL BRIDGED IN On 40000 50ACL BRIDGED OUT On 40000 50IP FEATURES Off...uRPF Check Failure
The uRPF check failure rate limiter allows you to configure a rate for the packets that need to be sent to the MSFC because they failed the uRPF check. The uRPF checks validate that incoming packets on an interface are from a valid source, which minimizes the potential threat of DoS attacks from users using spoofed addresses. When spoofed packets fail the uRPF check, those failures can be sent to the MSFC. The uRPF check rate limiters allow you to rate limit the packets per second that are bridged to the MSFC CPU when a uRPF check failure occurs.
This example shows how to rate limit the uRPF check failure packets sent to the MSFC to 100000 pps with a burst of 100 packets:
Router(config)# mls rate-limit unicast ip rpf-failure 100000 100TTL Failure
This rate limiter rate limits packets sent to the MSFC because of a time-to-live (TTL) check failure. As indicated by the all keyword in the following example, this rate limiter applies to both multicast and unicast traffic.
Note
This example shows how to rate limit the TTL failures to 70000 pps with a burst of 150:
Router(config)# mls rate-limit all ttl-failure 70000 150ICMP Unreachable (Unicast Only)
In an ICMP unreachable attack, a device is flooded with a large number of packets that contain a destination address that is unreachable from the flooded device (in this case, the MSFC). The ICMP unreachable rate limiter allows you to rate limit the packets that are sent to the MSFC containing unreachable addresses.
This example shows how to rate limit the packets that are sent to the MSFC because of an ACL drop to 10000 pps and a burst of 100:
Router(config)# mls rate-limit unicast ip icmp unreachable acl-drop 10000 100This example shows how to rate limit the packets that require generation of ICMP-unreachable messages because of a FIB miss to 80000 pps and burst to 70:
Router(config)# mls rate-limit unicast ip icmp unreachable no-route 80000 70The four rate limiters, ICMP unreachable no route, ICMP unreachable ACL drop, IP errors, and IP RPF failure, share a single rate-limiter register. If any of these limiters are enabled, all of the limiters in this group will share the same value and sometimes the same state (for example, ON/ON/ON). When verifying the rate limiters, if the members of this register are enabled through another feature, an ON-Sharing status (instead of an ON status) is displayed. The exception is the TTL failure rate limiter: its value shares the same value as the other members in the register if you have manually enabled the feature.
FIB (CEF) Receive Cases (Unicast Only)
The FIB receive rate limiter provides the capability to rate limit all packets that contain the MSFC IP address as the destination address. The rate limiters do not discriminate between good frames and bad frames.
Note
This example shows how to rate limit the traffic to 25000 pps with a burst of 60:
Router(config)# mls rate-limit unicast cef receive 25000 60FIB Glean (Unicast Only)
The FIB glean rate limiter does not limit ARP traffic, but provides the capability to rate limit traffic that requires address resolution (ARP) and requires that it be sent to the MSFC. This situation occurs when traffic enters a port and contains the destination of a host on a subnet that is locally connected to the MSFC, but no ARP entry exists for that destination host. In this case, because the MAC address of the destination host will not be answered by any host on the directly connected subnet that is unknown, the "glean" adjacency is hit and the traffic is sent directly to the MSFC for ARP resolution. This rate limiter limits the possibility of an attacker overloading the CPU with such ARP requests.
This example shows how to rate limit the rate at which this traffic is sent to the MSFC to 20000 pps and a burst of 60:
Router(config)# mls rate-limit unicast cef glean 20000 60Layer 3 Security Features (Unicast Only)
Some security features are processed by first being sent to the MSFC. For these security features, you need to rate limit the number of these packets being sent to the MSFC to reduce any potential overloading. The security features include authentication proxy (auth-proxy), IPSEC, and inspection.
Authentication proxy is used to authenticate inbound or outbound users or both. These users are normally blocked by an access list, but with auth-proxy, the users can bring up a browser to go through the firewall and authenticate on a terminal access controller access control system plus (TACACS+) or RADIUS server (based on the IP address). The server passes additional access list entries down to the switch to allow the users through after authentication. These ACLs are stored and processed in software, and if there are many users utilizing auth-proxy, the MSFC may be overwhelmed. Rate limiting would be advantageous in this situation.
IPSec and inspection are also done by the MSFC and may require rate limiting. When the Layer 3 security feature rate limiter is enabled, all Layer 3 rate limiters for auth-proxy, IPSec and inspection are enabled at the same rate.
This example shows how to rate limit the security features to the MSFC to 100000 pps with a burst of 10 packets:
Router(config)# mls rate-limit unicast ip features 100000 10ICMP Redir
