The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter describes how to configure rate limits for supervisor-bound traffic on Cisco NX-OS devices.
This chapter includes the following sections:
Your software release might not support all the features documented in this module. For the latest caveats and feature information, see the Bug Search Tool at https://tools.cisco.com/bugsearch/ and the release notes for your software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "New and Changed Information"chapter or the Feature History table in this chapter.
Rate limits can prevent redirected packets for exceptions from overwhelming the supervisor module on a Cisco NX-OS device. You can configure rate limits in packets per second for the following types of redirected packets:
Access-list log packets
Data and control packets copied to the supervisor module
Layer 2 multicast-snooping packets
Layer 2 port-security packets
Layer 2 storm-control packets
Layer 2 virtual port channel (vPC) low packets
Layer 3 control packets
Layer 3 glean packets
Layer 3 glean fast-path packets
Layer 3 maximum transmission unit (MTU) check failure packets
Layer 3 multicast data packets
Layer 3 Time-to-Live (TTL) check failure packets
Receive packets
You can configure rate limits only in the default virtual device context (VDC), but the rate limits configuration applies to all VDCs on the Cisco NX-OS device. For more information on VDCs, see the Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide.
The rate limits feature has the following configuration guidelines and limitations:
You can set rate limits for supervisor-bound exception and redirected traffic. Use control plane policing (CoPP) for other types of supervisor-bound traffic.
 Note |
Hardware rate limiters protect the supervisor CPU from excessive inbound traffic. The traffic rate allowed by the hardware rate-limiters is configured globally and applied to each individual I/O module. The resulting allowed rate depends on the number of I/O modules in the system. CoPP provides more granular supervisor CPU protection by utilizing the modular quality-of-service CLI (MQC). |
Note |
F2 Series modules do not support the five F1 Series module rate limiters. |
Note |
If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use. In setting hardware rate-limiter for more than one module, the module level rate-limiter has higher precedence over system level. |
This table lists the default settings for rate limits parameters.
|
Parameters |
Default |
|---|---|
|
Access-list log packets rate limit |
100 packets per second |
|
Copy packets rate limit |
30,000 packets per second |
|
Layer 2 multicast-snooping packets rate limit |
10,000 packets per second |
|
Layer 2 port-security packets rate limit |
Disabled |
|
Layer 2 storm-control packets rate limit |
Disabled |
|
Layer 2 VPC low packets rate limit |
4,000 packets per second |
|
Layer 3 control packets rate limit |
10,000 packets per second |
|
Layer 3 glean packets rate limit |
100 packets per second |
|
Layer 3 glean fast-path rate limit |
100 packets per second |
|
Layer 3 MTU packets rate limit |
500 packets per second |
|
Layer 3 Time-to-Live (TTL) packets rate limit |
500 packets per second |
|
Receive packets rate limit |
30,000 packets per second |
You can set rate limits on supervisor-bound traffic.
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
||
|
Step 2 |
hardware rate-limiter access-list-log packets Example: |
Configures rate limits in packets per second for packets copied to the supervisor module for access list logging. The range is from 0 to 30000. |
||
|
Step 3 |
hardware rate-limiter copy packets Example: |
Configures rate limits in packets per second for data and control packets copied to the supervisor module. The range is from 0 to 30000.
|
||
|
Step 4 |
hardware rate-limiter layer-2 mcast-snooping packets Example: |
Configures rate limits in packets per second for Layer 2 multicast-snooping packets. The range is from 0 to 30000. |
||
|
Step 5 |
hardware rate-limiter layer-2 port-security packets Example: |
Configures rate limits in packets per second for port-security packets. The range is from 0 to 30000. |
||
|
Step 6 |
hardware rate-limiter layer-2 storm-control packets Example: |
Configures rate limits in packets per second for broadcast, multicast, and unknown unicast storm-control traffic. The range is from 0 to 30000. |
||
|
Step 7 |
hardware rate-limiter layer-2 vpc-low packets Example: |
Configures rate limits in packets per second for Layer 2 control packets over the VPC low queue. The range is from 0 to 30000. |
||
|
Step 8 |
hardware rate-limiter layer-3 control packets Example: |
Configures rate limits in packets per second for Layer 3 control packets. The range is from 0 to 30000. |
||
|
Step 9 |
hardware rate-limiter layer-3 glean packets Example: |
Configures rate limits in packets per second for Layer 3 glean packets. The range is from 0 to 30000. |
||
|
Step 10 |
hardware rate-limiter layer-3 glean-fast packets Example: |
Configures rate limits in packets per second for Layer 3 glean fast-path packets. This command sends packets to the supervisor from F2e, M1, or M2 Series modules. The range is from 0 to 30000. Glean fast path optimizes the processing of glean packets by the supervisor. Specifically, the line card provides the information needed to trigger an ARP within the packet and relieves the supervisor from having to look up this information. The packets sent to the supervisor using the glean fast path are rate limited
|
||
|
Step 11 |
hardware rate-limiter layer-3 mtu packets Example: |
Configures rate limits in packets per second for Layer 3 MTU failure redirected packets. The range is from 0 to 30000. |
||
|
Step 12 |
hardware rate-limiter layer-3 multicast packets Example: |
Configures rate limits in packets per second for Layer 3 multicast packets in packets per second. The range is from 0 to 30000. |
||
|
Step 13 |
hardware rate-limiter layer-3 ttl packets Example: |
Configures rate limits in packets per second for Layer 3 failed Time-to-Live redirected packets. The range is from 0 to 30000. |
||
|
Step 14 |
hardware rate-limiter receive packets Example: |
Configures rate limits in packets per second for packets redirected to the supervisor module. The range is from 0 to 30000. |
||
|
Step 15 |
exit Example: |
Exits global configuration mode. |
||
|
Step 16 |
(Optional) show hardware rate-limiter [access-list-log | copy | layer-2 {mcast-snooping | port-security | storm-control | vpc-low} | layer-3 {control | glean | glean-fast | mtu | multicast | ttl} | module module | receive] Example: |
(Optional)
Displays the rate limit configuration. |
||
|
Step 17 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can monitor rate limits.
| Command or Action | Purpose |
|---|---|
|
show hardware rate-limiter [access-list-log | copy | layer-2 {mcast-snooping | port-security | storm-control | vpc-low} | layer-3 {control | glean | glean-fast | mtu | multicast | ttl} | module module | receive] Example: |
Displays the rate limit statistics. |
You can clear the rate limit statistics.
| Command or Action | Purpose |
|---|---|
|
clear hardware rate-limiter {all | access-list-log | copy | layer-2 {mcast-snooping | port-security | storm-control | vpc-low} | layer-3 {control | glean | glean-fast | mtu | multicast | ttl} | receive} Example: |
Clears the rate limit statistics. |
To display the rate limit configuration information, perform the following tasks:
|
Command |
Purpose |
|---|---|
|
show hardware rate-limiter [access-list-log | copy | layer-2 {mcast-snooping | port-security | storm-control | vpc-low} | layer-3 {control | glean | glean-fast | mtu | multicast | ttl} | module module | receive] |
Displays the rate limit configuration. |
For detailed information about the fields in the output from these commands, see the Cisco Nexus 7000 Series NX-OS Security Command Reference.
The following example shows how to configure rate limits:
switch(config)# hardware rate-limiter layer-3 control 20000
switch(config)# hardware rate-limiter copy 30000
This section includes additional information related to implementing rate limits.
|
Related Topic |
Document Title |
|---|---|
|
Cisco NX-OS Licensing |
Cisco NX-OS Licensing Guide |
|
Command reference |
Cisco Nexus 7000 Series NX-OS Security Command Reference |
This table lists the release history for this feature.
|
Feature Name |
Releases |
Feature Information |
|---|---|---|
|
Rate limits |
6.2(2) |
Added support for Layer 3 glean fast-path packets. |
|
Rate limits |
6.0(1) |
Added support for F2 Series modules. |
|
Rate limits |
4.2(1) |
No change from Release 4.1. |
Feedback