-
- Downstream Interface Configuration
- Upstream Interface Configuration
- DOCSIS Interface and Fiber Node Configuration
- DOCSIS Load Balancing Groups
- DOCSIS Load Balancing Movements
- DOCSIS 3.0 Downstream Bonding
- DOCSIS 2.0 A-TDMA Modulation Profiles
- Downstream Resiliency Bonding Group
- Downstream Channel ID Assignment
- Upstream Channel Bonding
- Spectrum Management and Advanced Spectrum Management
- Upstream Scheduler Mode
- Generic Routing Encapsulation
- Transparent LAN Service over Cable
- Downgrading Channel Bonding in Battery Backup Mode
- Energy Management Mode
-
- IP Access Control Lists
- Creating an IP Access List and Applying It to an Interface
- Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports
- Refining an IP Access List
- IP Named Access Control Lists
- IPv4 ACL Chaining Support
- IPv6 ACL Chaining with a Common ACL
- Commented IP Access List Entries
- Standard IP Access List Logging
- IP Access List Entry Sequence Numbering
- ACL IP Options Selective Drop
- ACL Syslog Correlation
- IPv6 Access Control Lists
- IPv6 Template ACL
- IPv6 ACL Extensions for Hop by Hop Filtering
-
- Call Home
- SNMP Support over VPNs—Context-Based Access Control
- SNMP Cache Engine Enhancement
- Onboard Failure Logging
- Control Point Discovery
- IPDR Streaming Protocol
- Usage-Based Billing (SAMIS)
- Frequency Allocation Information for the Cisco CMTS Routers
- Flap List Troubleshooting
- Maximum CPE and Host Parameters
- SNMP Background Synchronization
- Online Offline Diagnostics
- Index
- Hardware Compatibility Matrix for Cisco cBR Series Routers
- Prerequisites for Source-Based Rate Limit
- Restrictions for Source-Based Rate Limit
- Information About Source-Based Rate Limit
- How to Configure Source-Based Rate Limit
- Verifying the Source-Based Rate Limit Configuration
- Configuration Example for Source-Based Rate Limit
- Conversion of Divert Rate Limit Configuration on the Cisco uBR10012 Router to SBRL Configuration on the Cisco cBR Series Routers
- Additional References
- Feature Information for Source-Based Rate Limit
Source-Based Rate Limit
The Source-Based Rate Limit (SBRL) feature prevents congestion of packets on the forwarding processor (FP) to the Route Processor (RP) interface, which can be caused by denial of service (DoS) attacks directed at the Cisco CMTS or by faulty hardware.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/. An account on http://www.cisco.com/ is not required.
Contents
- Hardware Compatibility Matrix for Cisco cBR Series Routers
- Prerequisites for Source-Based Rate Limit
- Restrictions for Source-Based Rate Limit
- Information About Source-Based Rate Limit
- How to Configure Source-Based Rate Limit
- Verifying the Source-Based Rate Limit Configuration
- Configuration Example for Source-Based Rate Limit
- Conversion of Divert Rate Limit Configuration on the Cisco uBR10012 Router to SBRL Configuration on the Cisco cBR Series Routers
- Additional References
- Feature Information for Source-Based Rate Limit
Hardware Compatibility Matrix for Cisco cBR Series Routers
Note | The hardware components introduced in a given Cisco IOS-XE Release are supported in all subsequent releases unless otherwise specified. |
Cisco CMTS Platform |
Processor Engine |
Interface Cards |
---|---|---|
Cisco cBR-8 Converged Broadband Router |
Cisco IOS-XE Release 3.15.0S and Later Releases Cisco cBR-8 Supervisor:
|
Cisco IOS-XE Release 3.15.0S and Later Releases Cisco cBR-8 CCAP Line Cards: Cisco cBR-8 Downstream PHY Modules: Cisco cBR-8 Upstream PHY Modules: |
Prerequisites for Source-Based Rate Limit
Restrictions for Source-Based Rate Limit
-
WAN-IP and Subscriber MAC address entities are identified using a hash, and hash collisions can occur between two (or more) entities.
-
The Cisco cBR router does not perform special processing for hash collisions. The sources that hash-collide are rate-limited as if they are from the same source.
-
The QOS group 99 is reserved for SBRL and cannot be used for other class maps.
Information About Source-Based Rate Limit
Source-Based Rate Limit (SBRL) feature operates on the punt path in CPP. SBRL identifies and rate-limits the packet streams that can overload the punt path or RP.
Punted packets are sent from the FP to the RP through the FP-to-RP queues. Denial of service (DoS) can occur when:
In both cases, the valid punted packets are not processed properly. These situations can be caused deliberately by DoS attacks or by faulty external hardware.
Packet streams identified by SBRL are rate-limited according to configured parameters. Rate-limiting occurs in CPP before the packets reach the FP-to-RP queues. This protects the RP, and also allows other valid punted packets to reach the RP.
By default, SBRL is disabled on the Cisco cBR router. SBRL has a separate configuration for the WAN-side and the subscriber-side.
WAN-Side Source-Based Rate Limit
WAN-side SBRL uses Control Plane Policing (CoPP). CoPP specifies the WAN-side packet streams that are directed for SBRL. Both trusted and untrusted sites can be specified using CoPP. Using CoPP, you can specify unlimited trusted sites. Access control list (ACL) is used to specify the trusted sites.
WAN-side SBRL also supports the quarantine functionality. When a packet stream enters quarantine, all punts from the packet stream are dropped for the configured period.
Subscriber-Side Source-Based Rate Limit
The subscriber-side SBRL configuration is global and does not need to be configured on each cable interface. The Cisco cBR router also supports per-cause subscriber-side configuration for Layer 3 mobility.
Note | The default subscriber-side per-cause rate for Layer 3 mobility is 4 packets per second. The subscriber-side per-cause rate can be modified, however, it cannot be disabled. |
How to Configure Source-Based Rate Limit
This section contains the following:
- Configuring WAN-Side Source-Based Rate Limit
- Configuring Subscriber-Side Source-Based Rate Limit
- Configuring Punt Policing
Configuring WAN-Side Source-Based Rate Limit
You must enable WAN-side SBRL in two parts:
-
Configure Control Plane Policing (CoPP) to specify which packets are subject to SBRL.
-
Configure WAN-side SBRL to set the rate-limiting parameters for the specified punt-causes.
In the CoPP policy map, the special action set qos-group 99 denotes that the packets matching a particular class are subject to WAN-side SBRL. This means that the QOS group 99 is globally reserved for SBRL, and must not be used in other policy-maps.
Packets matching a class without set qos-group 99 bypass WAN-side SBRL. This means that CoPP is also used to specify trusted traffic streams that are not subject to WAN-side SBRL.
All punted packets are subject to CoPP. So, you must ensure that subscriber-side traffic does not match a trusted class.
WAN-side SBRL identifies traffic streams by hashing the punt cause, VRF index, and source IP address. This value is used as the index for rate-limiting. The router does not perform special processing for hash collisions, so hash-colliding streams are treated as if they are from the same stream.
By default, WAN-side SBRL is disabled.
Restrictions
This section contains the following:
- Configuring Control Plane Policing
- Enabling WAN-Side Source-Based Rate Limit
- Configuring WAN-Side Quarantine
Configuring Control Plane Policing
Punted packets matching the trusted class bypass WAN-side SBRL. The rest of the WAN-side punts are sent to WAN-side SBRL.
Note | The following example shows a simple trusted class. |
Enabling WAN-Side Source-Based Rate Limit
Command or Action | Purpose | |
---|---|---|
Step 1 | enable
Example: Router> enable |
Enables privileged EXEC mode. |
Step 2 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. |
Step 3 |
platform punt-sbrl wan
punt-cause
punt-cause
rate
rate
Example: Router(config)# platform punt-sbrl wan punt-cause 10 rate 4 |
Configures WAN-side rate limit. |
Configuring WAN-Side Quarantine
The WAN-side quarantine extends the WAN-side SBRL configuration. When a traffic stream enters quarantine, all punted packets in the stream are dropped for the configured period.
Command or Action | Purpose | |
---|---|---|
Step 1 | enable
Example: Router> enable |
Enables privileged EXEC mode. |
Step 2 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. |
Step 3 |
platform punt-sbrl wan
punt-cause
punt-cause
rate
rate
quarantine-time
time
burst-factor
burst-factor
Example: Router(config)# platform punt-sbrl wan punt-cause 10 rate 4 quarantine-time 10 burst-factor 500 |
Configures quarantine for the WAN-side packet stream.
|
When (burst-factor x rate) packets arrive at a rate faster than rate, the packet stream enters quarantine.
For example, during a DoS attack, when the following occurs:
-
Punted packets from a WAN-side source are arrive at 100 packets per second.
-
WAN-side SBRL is configured with a rate of 4 packets per second, quarantine time of 10 minutes, and burst-factor of 500 packets.
The packet rate is significantly higher than the configured rate. Therefore, when 2000 (4 x 500) packets have arrived, the packet stream enters into quarantine. Quarantine is activated at 20 seconds (2000 packets per 100 packets per second), and all punted packets from the stream are dropped for 10 minutes. After 10 minutes, the quarantine is deactivated.
The quarantine calculations restart immediately. So, if the scanning attack is continuous, quarantine is reactivated after the next 20 seconds.
Configuring Subscriber-Side Source-Based Rate Limit
This section contains the following:
- Configuring Subscriber-Cable Modem Source-Based Rate Limit
- Configuring Subscriber-MAC Address Source-Based Rate Limit
Configuring Subscriber-Cable Modem Source-Based Rate Limit
Subscriber-cable modem SBRL identifies traffic streams by using the slot, MAC domain, and Service ID (SID) associated with the packet (that is, slot/MD/SID). All punts from this slot/MD/SID are aggregated and rate-limited as configured.
By default, subscriber-CM SBRL is disabled.
Restrictions
Command or Action | Purpose | |
---|---|---|
Step 1 | enable
Example: Router> enable |
Enables privileged EXEC mode. |
Step 2 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. |
Step 3 |
platform punt-sbrl
subscriber rate
rate
Example: Router(config)# platform punt-sbrl subscriber rate 4 |
Configures subscriber-cable modem rate in packets per second. The range is from 1 to 256, specified in powers-of-2. |
Configuring Subscriber-MAC Address Source-Based Rate Limit
Subscriber-MAC address SBRL identifies traffic streams by hashing the punt cause and the source MAC address. This value is used as the index for rate-limiting. The Cisco cBR router does not perform special processing for hash collisions. So, the hash-colliding packet streams are rate-limited as if they are from the same packet stream.
The default rate for Layer 3 mobility punts is 4 packets per second.
Restrictions
Command or Action | Purpose | |
---|---|---|
Step 1 | enable
Example: Router> enable |
Enables privileged EXEC mode. |
Step 2 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. |
Step 3 | platform punt-sbrl subscriber punt-cause
punt-cause
rate
rate
Example: Router(config)# platform punt-sbrl subscriber punt-cause 99 rate 2 |
Configures subscriber-MAC address SBRL. |
Configuring Punt Policing
The punt policer aggregates all packets (both subscriber-side and WAN-side) with the specified punt cause, and rate-limits them according to the configured parameters.
Command or Action | Purpose |
---|
Verifying the Source-Based Rate Limit Configuration
-
show running-config | include punt-sbrl—Displays the SBRL configuration.
Following is a sample output of the command:
Router# show running-config | include punt-sbrl platform punt-sbrl wan punt-cause 11 rate 8 platform punt-sbrl wan punt-cause 24 rate 4 platform punt-sbrl subscriber rate 8
-
show access-lists —Displays the access list information for verifying CoPP configuration.
Following is a sample output of the command:
Router# show access-lists Extended IP access list 120 10 permit ip any any dscp af31 20 permit ip any any dscp cs2 30 permit ip any any dscp af21 40 permit ip 68.86.0.0 0.1.255.255 any IPv6 access list TRUSTEDV6 permit ipv6 2001:558::/32 any sequence 10
-
show policy-map policy-map-name—Displays the information for the policy map.
Following is a sample output of the command:
Router# show policy-map copp_policy Policy Map copp_policy Class sbrl_trusted police rate 1000 pps conform-action transmit exceed-action transmit Class class-default set qos-group 99
-
show policy-map control-plane—Displays the control plane policy map information.
Following is a sample output of the command:
Router# show policy-map control-plane Control Plane Service-policy input: copp_policy Class-map: sbrl_trusted (match-any) 0 packets, 0 bytes 5 minute offered rate 0000 bps, drop rate 0000 bps Match: access-group 120 Match: access-group name TRUSTEDV6 police: rate 1000 pps, burst 244 packets conformed 0 packets, 0 bytes; actions: transmit exceeded 0 packets, 0 bytes; actions: transmit conformed 0 pps, exceeded 0 pps Class-map: class-default (match-any) 28 packets, 4364 bytes 5 minute offered rate 0000 bps, drop rate 0000 bps Match: any QoS Set qos-group 99 Marker statistics: Disabled
-
show platform hardware qfp active infrastructure punt sbrl—Displays the SBRL statistics.
Following is a sample output of the command:
Router# show platform hardware qfp active infrastructure punt sbrl SBRL statistics Subscriber CM drop-cnt evict-cnt SID Interface ------------------------------------------------ 1 1 5 Cable3/0/0 982 982 5 Cable3/0/0 Subscriber MAC-addr nothing to report WAN-IPv4 drop-cnt evict-cnt quar VRF cause IP-address ------------------------------------------------------ 456788 456788 0 0 050 1.2.0.66 WAN-IPv6 drop-cnt evict-cnt quar VRF cause IP-address ---------------------------------------------------------------------------- 129334 129334 1 0 011 3046:1829:fefb::ddd1 965 965 0 0 011 2001:420:2c7f:fc01::3
Note
The value of quar is either 0 or 1. The value 1 indicates that quarantine is activated. The quar value is updated only when a packet from the source is dropped. If a source enters quarantine, and then stops sending packets, the quar value remains 1. However, the drop-cnt does not increment.
Note
The SBRL statistics algorithm stores the data for the worst offenders. Sources that drop only a few packets are displayed in the table initially, but may be overwritten if the drop-cnt does not increase continuously. The evict-cnt increases in tandem with drop-cnt, but begins to decrease when a source is no longer being actively rate-limited. When the evict-cnt drops below 10, the record may be overwritten.
-
show platform hardware qfp active infrastructure punt statistics type global-drop—Displays the global punt policer statistics.
Following is a sample output of the command:
Router# show platform hardware qfp active infrastructure punt statistics type global-drop Global Drop Statistics Number of global drop counters = 22 Counter ID Drop Counter Name Packets --------------------------------------------------------------------- 000 INVALID_COUNTER_SELECTED 0 001 INIT_PUNT_INVALID_PUNT_MODE 0 002 INIT_PUNT_INVALID_PUNT_CAUSE 0 003 INIT_PUNT_INVALID_INJECT_CAUSE 0 004 INIT_PUNT_MISSING_FEATURE_HDR_CALLBACK 0 005 INIT_PUNT_EXT_PATH_VECTOR_REQUIRED 0 006 INIT_PUNT_EXT_PATH_VECTOR_NOT_SUPPORTED 0 007 INIT_INJ_INVALID_INJECT_CAUSE 0 008 INIT_INJ_MISSING_FEATURE_HDR_CALLBACK 0 009 PUNT_INVALID_PUNT_CAUSE 0 010 PUNT_INVALID_COMMON_HDR_VERSION 0 011 PUNT_INVALID_PLATFORM_HDR_VERSION 0 012 PUNT_PATH_NOT_INITIALIZED 0 013 PUNT_GPM_ALLOC_FAILURE 0 014 PUNT_TRANSITION_FAILURE 0 015 PUNT_DELAYED_PUNT_PKT_SB_NOT_IN_USE 0 016 PUNT_CAUSE_GLOBAL_POLICER 0 017 INJ_INVALID_INJECT_CAUSE 0 018 INJ_INVALID_COMMON_HDR_VERSION 0 019 INJ_INVALID_PLATFORM_HDR_VERSION 0 020 INJ_INVALID_PAL_HDR_FORMAT 0 021 PUNT_GPM_TX_LEN_EXCEED 0
-
show platform hardware qfp active infrastructure punt summary [threshold threshold-value]—Displays the punt path rate-limiting summary.
Following is a sample output of the command:
Router# show platform hardware qfp active infrastructure punt summary Punt Path Rate-Limiting summary statistics Subscriber-side ID punt cause CPP punt CoPP ARPfilt/SBRL per-cause global ------------------------------------------------------------------------------------ 017 IPv6 Bad hop limit 22 0 0 0 0 050 IPv6 packet 13 0 0 0 0 080 CM not online 335 0 0 0 0 WAN-side ID punt cause CPP punt CoPP SBRL per-cause global ------------------------------------------------------------------------------------ 017 IPv6 Bad hop limit 471 0 0 0 0 018 IPV6 Hop-by-hop Options 29901 0 0 1430 0 024 Glean adjacency 111 0 0 0 0 025 Mcast PIM signaling 19 0 0 0 0 050 IPv6 packet 11 0 0 0 0
-
show platform software punt-policer—Displays the punt policer configuration and statistics.
Following is a sample output of the command:
Router# show platform software punt-policer Per Punt-Cause Policer Configuration and Packet Counters Punt Configured (pps) Conform Packets Dropped Packets Cause Description Normal High Normal High Normal High ------------------------------------------------------------------------------------- 2 IPv4 Options 4000 3000 0 0 0 0 3 Layer2 control and legacy 40000 10000 16038 0 0 0 4 PPP Control 2000 1000 0 0 0 0 5 CLNS IS-IS Control 2000 1000 0 0 0 0 6 HDLC keepalives 2000 1000 0 0 0 0 7 ARP request or response 2000 1000 0 49165 0 0 8 Reverse ARP request or re... 2000 1000 0 0 0 0 9 Frame-relay LMI Control 2000 1000 0 0 0 0 10 Incomplete adjacency 2000 1000 0 0 0 0 11 For-us data 40000 5000 279977 0 0 0 12 Mcast Directly Connected ... 2000 1000 0 0 0 0 . . .
-
show platform hardware qfp active infrastructure punt policer summary—Displays the punt policer summary.
Following is a sample output of the command:
Router# show platform hardware qfp active infrastructure punt policer summary QFP Punt Policer Config Summary Policer Rate PeakRate ConformBurst ExceedBurst Scaling Handle (pps) (pps) (pps) (pps) Factor --------------------------------------------------------------------- 001 300000 0 2288 2288 0 002 4000 0 4000 0 0 003 3000 0 3000 0 0 004 40000 0 40000 0 0 005 10000 0 10000 0 0 006 2000 0 2000 0 0 007 1000 0 1000 0 0 008 2000 0 2000 0 0 009 1000 0 1000 0 0 010 2000 0 2000 0 0 011 1000 0 1000 0 0 012 2000 0 2000 0 0 013 1000 0 1000 0 0 014 2000 0 2000 0 0 . . .
Configuration Example for Source-Based Rate Limit
Example: WAN-Side SBRL Configuration
access-list 120 permit ip any any dscp af31 access-list 120 permit ip any any dscp cs2 access-list 120 permit ip any any dscp af21 access-list 120 permit ip 192.168.1.10 0.1.255.255 any ipv6 access-list TRUSTEDV6 permit ipv6 any any dscp af31 permit ipv6 any any dscp cs2 permit ipv6 any any dscp af21 permit ipv6 2001:558::/32 any class-map match-all sbrl_trusted_v4 match access-group 120 class-map match-all sbrl_trusted_v6 match access-group name TRUSTEDV6 policy-map copp_policy ! IPv4 trusted: ! Specified rate is irrelevant. ! No special action; these packets bypass WAN-side SBRL. class sbrl_trusted_v4 police rate 1000 pps conform transmit exceed transmit ! IPv6 trusted: ! Specified rate is irrelevant. ! No special action; these packets bypass WAN-side SBRL. class sbrl_trusted_v6 police rate 1000 pps conform transmit exceed transmit ! add other classes here, if necessary ! Special action to activate WAN-side SBRL for this class. class class-default set qos-group 99 control-plane service-policy input copp_policy ! punt-cause 11 is FOR_US, punt-cause 24 is GLEAN_ADJ platform punt-sbrl wan punt-cause 11 rate 4 platform punt-sbrl wan punt-cause 24 rate 4
Example: Subscriber-Side SBRL Configuration
platform punt-sbrl subscriber rate 4
Example: SBRL Configuration
… platform punt-sbrl wan punt-cause 11 rate 4 platform punt-sbrl wan punt-cause 18 rate 16 quarantine-time 10 burst-factor 500 platform punt-sbrl wan punt-cause 24 rate 4 platform punt-sbrl subscriber rate 4 … access-list 120 permit ip any any dscp af31 access-list 120 permit ip any any dscp cs2 access-list 120 permit ip any any dscp af21 access-list 120 permit ip 192.168.1.10 0.1.255.255 any … ipv6 access-list TRUSTEDV6 permit ipv6 any any dscp af31 permit ipv6 any any dscp cs2 permit ipv6 any any dscp af21 permit ipv6 2001:558::/32 any … policy-map copp_policy class sbrl_trusted_v4 police rate 1000 pps conform-action transmit exceed-action transmit class sbrl_trusted_v6 police rate 1000 pps conform-action transmit exceed-action transmit class class-default set qos-group 99 … control-plane service-policy input copp_policy …
Conversion of Divert Rate Limit Configuration on the Cisco uBR10012 Router to SBRL Configuration on the Cisco cBR Series Routers
Divert Rate Limit Configuration on the Cisco uBR10012 Router
The following is a sample Divert Rate Limit (DRL) configuration on the Cisco uBR10012 router:
service divert-rate-limit ip fib_rp_glean rate 4 limit 4 service divert-rate-limit ip fib_rp_dest rate 4 limit 4 service divert-rate-limit ip fib_rp_punt rate 4 limit 4 service divert-rate-limit ipv6 ipv6_rp_dest rate 4 limit 4 service divert-rate-limit ipv6 ipv6_rp_punt rate 4 limit 4 service divert-rate-limit ipv6 ipv6_rp_glean rate 4 limit 4 service divert-rate-limit ipv6 icmpv6 rate 4 limit 4 service divert-rate-limit trusted-site 0.0.0.0 0.0.0.0 tos 0x68 mask 0xFF service divert-rate-limit trusted-site 0.0.0.0 0.0.0.0 tos 0x40 mask 0xFF service divert-rate-limit trusted-site 68.86.0.0 255.254.0.0 tos 0x0 mask 0x0 service divert-rate-limit trusted-site 0.0.0.0 0.0.0.0 tos 0x48 mask 0xFF service divert-rate-limit trusted-site-ipv6 ::/0 traffic-class 0x40 mask 0xFF service divert-rate-limit trusted-site-ipv6 ::/0 traffic-class 0x48 mask 0xFF service divert-rate-limit trusted-site-ipv6 ::/0 traffic-class 0x68 mask 0xFF service divert-rate-limit trusted-site-ipv6 2001:558::/32 traffic-class 0x0 mask 0x0 interface Cablex/y/z cable divert-rate-limit rate 4 limit 30
In Cisco IOS Release 12.2(33)SCH2, the divert-rate-limit max-rate wan command was introduced on the Cisco uBR10012 router. This configuration limits the aggregate rate of diverted packets on the WAN-side, on a per-divert-code basis. The following is the recommended best-practice configuration for the divert-rate-limit max-rate wan command:
service divert-rate-limit max-rate wan fib_rp_glean rate 5000 service divert-rate-limit max-rate wan fib_rp_punt rate 5000 service divert-rate-limit max-rate wan fib_rp_dest rate 40000 service divert-rate-limit max-rate wan ipv6_fib_glean rate 5000 service divert-rate-limit max-rate wan ipv6_fib_punt rate 5000 service divert-rate-limit max-rate wan ipv6_fib_dest rate 40000
SBRL Configuration on the Cisco cBR Series Routers
The DRL functionality is called as Source-Based Rate Limit (SBRL) on the Cisco cBR Series Routers. The punt-path has three layers of protection:
CoPP
CoPP is used to specify the trusted sites and activate WAN-side SBRL. However, since CoPP applies to all punted packets, you must ensure that cable-side punts do not match the trusted sites.
The following is a sample CoPP configuration, which is equivalent to the configuration on the Cisco uBR10012 router:
access-list 120 permit ip any any dscp af31 access-list 120 permit ip any any dscp cs2 access-list 120 permit ip any any dscp af21 access-list 120 permit ip 68.86.0.0 0.1.255.255 any ipv6 access-list TRUSTEDV6 permit ipv6 any any dscp af31 permit ipv6 any any dscp cs2 permit ipv6 any any dscp af21 permit ipv6 2001:558::/32 any class-map match-all sbrl_trusted_v4 match access-group 120 class-map match-all sbrl_trusted_v6 match access-group name TRUSTEDV6 policy-map copp_policy class sbrl_trusted_v4 police rate 1000 pps conform transmit exceed transmit class sbrl_trusted_v6 police rate 1000 pps conform transmit exceed transmit class class-default set qos-group 99 control-plane service-policy input copp_policy
Note |
|
SBRL
The subscriber-side SBRL configuration is a single command in global configuration mode. The limit cannot be configured as the hardware policer is used. Therefore, we recommend that you configure a higher rate initially.
For WAN-side SBRL, the Cisco cBR Series routers do not have separate IPv4 and IPv6 configurations as the punt causes are shared between IPv4 and IPv6. The limit cannot be configured as the hardware policer is used. Therefore, we recommend that you configure a higher rate initially. In the following sample configuration, the punt cause 24 is for Glean adjacency and punt cause 11 is for For-us data, which are equivalent to x_rp_glean and x_rp_dest, respectively on the Cisco uBR10012 router.
platform punt-sbrl subscriber rate 16 platform punt-sbrl wan punt-cause 11 rate 8 platform punt-sbrl wan punt-cause 24 rate 8
Note |
|
Punt Policer
The punt policer operates on all punt causes and is fully configurable. The punt policer is not divided into WAN-side and subscriber-side. All packets with a given punt cause are aggregated and rate-limited as configured.
Following are the default settings (best-practice configuration) for the punt policer on the Cisco cBR Series routers:
punt-cause LO HI CPP_PUNT_CAUSE_GLEAN_ADJ 2000 5000 CPP_PUNT_CAUSE_FOR_US 40000 5000
Note |
|
Additional References
Related Documents
Related Topic | Document Title |
---|---|
Cisco IOS commands | Cisco IOS Master Commands List, All Releases |
Technical Assistance
Description | Link |
---|---|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
Feature Information for Source-Based Rate Limit
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/. An account on http://www.cisco.com/ is not required.
Note | The below table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. |
Feature Name |
Releases |
Feature Information |
---|---|---|
Source-Based Rate Limit |
Cisco IOS-XE Release 3.15.0S |
This feature was introduced on the Cisco cBR Series Converged Broadband Routers. |