Configuring Rate Limits
This chapter describes how to configure rate limits for egress traffic on NX-OS devices.
This chapter includes the following topics:
• Information About Rate Limits
• Licensing Requirements for Rate Limits
• Verifying the Rate Limits Configuration
• Rate Limits Example Configuration
• Feature History for Rate Limits
Information About Rate Limits
Rate limits can prevent redirected packets for egress exceptions from overwhelming the supervisor module on an NX-OS device. You can configure rate limits in packets per second for the following types of redirected packets:
• Access list logging packets
• Data and control packets copied to the supervisor module
• Layer 2 storm control packets
• Layer 2 port security packets
• Layer 3 glean packets
• Layer 3 maximum transmission unit (MTU) check failure packets
• Layer 3 multicast directly connected packets
• Layer 3 multicast local group packets
• Layer 3 multicast Reverse Path Forwarding (RPF) leak packets
• Layer 3 Time-to-Live (TTL) check failure packets
• Receive packets
You can also configure rate limits for Layer 3 control packets.
Virtualization Support
Licensing Requirements for Rate Limits
The following table shows the licensing requirements for this feature:
Guidelines and Limitations
Rate limits have the following configuration guidelines and limitations:
• You can set rate limits only for supervisor-bound egress exception and egress redirected traffic. Use control plane policing (CoPP) for other types of traffic (see Chapter 21, "Configuring Control Plane Policing").
Note
If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.
Configuring Rate Limits
You can set rate limits on egress traffic.
BEFORE YOU BEGIN
Ensure that you are in the correct VDC (or use the switchto vdc command).
SUMMARY STEPS
1. config t
2. hardware rate-limit access-list-log packets
   hardware rate-limit copy packets
   hardware rate-limit layer-2 port-security packets
   hardware rate-limit layer-2 storm-control packets
   hardware rate-limit layer-3 control packets
   hardware rate-limit layer-3 glean packets
   hardware rate-limit layer-3 mtu packets
   hardware rate-limit layer-3 multicast {directly-connected | local-groups | rpf-leak} packets
   hardware rate-limit layer-3 ttl packets
   hardware rate-limit receive packets
3. exit
4. show hardware rate-limit
5. copy running-config startup-config
DETAILED STEPS
Displaying the Rate Limit Statistics
You can display the rate limit statistics.
BEFORE YOU BEGIN
Ensure that you are in the default VDC (or use the switchto vdc command).
SUMMARY STEPS
1. show hardware rate-limit [access-list-log | copy | layer-2 storm-control | layer-3 {control | glean | mtu | multicast {directly-connected | local-groups | rpf-leak} | ttl} | receive]
DETAILED STEPS
For detailed information about the fields in the output from this command, see the Cisco Nexus 7000 Series NX-OS Security Command Reference, Release 4.1.
Clearing the Rate Limit Statistics
You can clear the rate limit statistics.
BEFORE YOU BEGIN
Ensure that you are in the default VDC (or use the switchto vdc command).
SUMMARY STEPS
1. show hardware rate-limit [access-list-log | copy | layer-2 {port-security | storm-control} | layer-3 {control | glean | mtu | multicast {directly-connected | local-groups | rpf-leak} | ttl} | receive]
2. clear hardware rate-limiter {all | access-list-log | copy | layer-2 storm-control | layer-3 {control | glean | mtu | multicast {directly-connected | local-groups | rpf-leak} | ttl} | receive}
DETAILED STEPS
Verifying the Rate Limits Configuration
To display the rate limits configuration information, perform the following task:
For detailed information about the fields in the output from these commands, see the Cisco Nexus 7000 Series NX-OS Security Command Reference, Release 4.1.
Rate Limits Example Configuration
The following example shows how to configure rate limits:
hardware rate-limit layer-3 control 20000
hardware rate-limit copy 40000
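The following Python check is an added example, not part of the Cisco documentation. It reads the hardware rate-limit lines from saved configuration text, validates them against the class keywords listed in this chapter, and compares the rates with a site policy. The policy ceilings and the sample text are constructed, and the script assumes the configuration holds the commands in the form shown in this chapter.

```python
import re

# Class keywords as listed in this chapter's configuration steps.
CLASSES = {
    "access-list-log", "copy", "layer-2 port-security", "layer-2 storm-control",
    "layer-3 control", "layer-3 glean", "layer-3 mtu", "layer-3 ttl", "receive",
    "layer-3 multicast directly-connected", "layer-3 multicast local-groups",
    "layer-3 multicast rpf-leak",
}
LINE = re.compile(r"^hardware rate-limit (?P<cls>.+?) (?P<pps>\d+)$")

def parse_rate_limits(config_text):
    """Return ({class: pps}, [problems]) for the hardware rate-limit lines."""
    limits, problems = {}, []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = " ".join(raw.split())          # normalise whitespace
        if not line.startswith("hardware rate-limit "):
            continue
        m = LINE.match(line)
        if m and m["cls"] in CLASSES:
            limits[m["cls"]] = int(m["pps"])
        else:                                  # unknown class or missing/non-numeric rate
            problems.append(f"line {n}: not a valid rate-limit command: {line}")
    return limits, problems

def audit(config_text, ceilings):
    """List parse problems plus every deviation from the site ceilings (pps)."""
    limits, findings = parse_rate_limits(config_text)
    for cls, ceiling in ceilings.items():
        if cls not in limits:
            findings.append(f"{cls}: not set explicitly, device default applies")
        elif limits[cls] > ceiling:
            findings.append(f"{cls}: {limits[cls]} pps exceeds ceiling {ceiling}")
    return findings

# Constructed sample: two valid lines (values from the chapter's example),
# one misspelled class and one line with no rate.
SAMPLE = """\
hostname n7k-lab
hardware rate-limit layer-3 control 20000
hardware rate-limit copy 40000
hardware rate-limit access-log-list 100
hardware rate-limit layer-3 ttl
"""
POLICY = {"layer-3 control": 10000, "copy": 40000, "layer-3 glean": 100}  # hypothetical

if __name__ == "__main__":
    for finding in audit(SAMPLE, POLICY):
        print(finding)
```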
Default Settings
Table 22-1 lists the default settings for rate limits parameters.
Additional References
For additional information related to implementing rate limits, see the following sections:
Related Documents
| | |
|---|---|
| Licensing | |
| Command reference | Cisco Nexus 7000 Series NX-OS Security Command Reference, Release 4.1 |
Feature History for Rate Limits
Table 22-2 lists the release history for this feature.