Denial of Service (DoS) Protection
A denial-of-service (DoS) attack is any attempt to deny valid users access to network or server resources by exhausting the resources of the network element or server. DoS protection reacts to an attack in progress and determines whether the source of traffic is valid or invalid. DoS protection includes diagnostic tools and configuration options. DoS protection groups provide a simple policy that can be applied to interfaces and that specifies a set of parameters to tune behavior.
Figure 29 shows an example of the state of a flow with DoS protection using suspicious control flow detection (SCFD).
Suspicious Control Flow Detection
To reduce the chance of a successful denial of service (DoS) attack and to provide diagnostic abilities while undergoing an attack, the system can detect suspicious control flows and keep state on those flows. A flow is a specific control protocol on a specific interface from a particular source. When the system determines that a control flow is suspicious, it can take corrective action on that control flow.
Keeping full state on each control flow can use a large number of resources. Instead, the system detects which flows have suspicious traffic. If a control flow is marked as suspicious, every packet associated with the flow is considered suspicious. When a packet is marked as suspicious, it is dropped based on drop probability before being delivered to the control processor.
When a distributed DoS attack occurs on a line module, suspicious flow control resources can be exhausted. To provide further counter measures, you can enable the group feature, where flows are grouped together and treated as a whole. If you do not use the group feature, suspicious flows can fill up the suspicious flow table and prevent detection of additional attacking flows.
Suspicious Control Flow Monitoring
Each protocol has a per-protocol rate limit. The rate limiter is used to limit the rate of packets that proceed to the control processor for the specific protocol. Per-protocol rate limiting is also used to begin the process by which flows of the specific protocol are monitored.
Each priority has a per-priority rate limit. The rate limiter limits the rate of packets that proceed to the control processor for the specific priority. It also begins the process by which flows of the specific priority are monitored.
All protocols on each line module have a rate limit. Each protocol is associated with a given priority, which is also provided with a rate limit. When a slot comes under attack, the first lines of defense are the protocol and priority rate limiters. If the line module determines that a specific protocol or priority is under attack (because the rate has been exceeded), it proceeds to monitor all flows from the problem protocol or priority. Initially, a control flow is marked as nonsuspicious.
After a control flow is placed in the suspicious flow table, the system inspects all packets that belong to the flow. The interface controller (IC) and forwarding controller (FC) monitor the table to determine whether the suspicious flow has a packet rate above the suspicious level. If the packet rate is above this level, the flow is marked as suspicious. Marking a control flow as suspicious affects only a particular protocol on a particular interface. When a flow is marked as suspicious, all packets belonging to that flow are marked as suspicious and trapped at the forwarding controller.
Suspicious control flows are continually monitored. The flow can be restored if the flow goes below the low threshold level. The flow can also be restored based on a backoff timer. The flow is removed from the suspicious flow table if the related interface is removed.
Approximately 2000 flows can be monitored as suspicious at any time for each line module. When the suspicious flow table on a particular line module reaches its maximum and the system is not set to group flows, flows that should be marked as suspicious proceed as nonsuspicious. When you return a suspicious flow to a nonsuspicious state or delete it, the flows that did not fit into the table are added to the table.
By default, the system groups flows when the suspicious flow table size is exceeded on a line module. When the flow table is full, instead of marking a specific flow in that group as suspicious and providing information on each flow on that line module, the system groups flows based on group membership and provides information on the group instead of each flow. This flow information is useful under severe distributed DoS attacks. Group membership is based on physical port and control protocol; all flows in that group are considered suspicious.
Configurable Options
You can configure the following options for suspicious flow detection:
- Global on or off. When the option is set to off, flows or packets are not marked as suspicious. The default is on.
- Actions a line module takes when the suspicious flow table on the line module overflows:
  - Overflow: stop recognizing new suspicious flows
  - Group: group flows into logical groupings, where individual flows are monitored as a group
- Suspicious threshold for each protocol. The threshold is the rate in packets per second at which a monitored flow becomes suspicious. A zero setting disables suspicious flow detection for the protocol; flows of that protocol remain subject to the protocol and priority rate limits, but not to suspicious flow detection.
- Low threshold for each protocol. The threshold is the rate in packets per second below which a flow transitions from suspicious back to nonsuspicious. A zero setting means that the flow does not transition back to nonsuspicious based on packet rate.
- Backoff time in seconds for each protocol. After this period expires, the flow transitions to nonsuspicious regardless of its current rate. When set to zero, a flow does not return to the nonsuspicious state using a time mechanism.
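The flow state machine described under Suspicious Control Flow Monitoring and tuned by the options above, as an added Python model; it is not part of this documentation or of the JunosE software. It assumes that a flow is keyed by (interface, protocol, source MAC address), that a group is keyed by (physical port, protocol) where the physical port is the interface name without its subinterface suffix, and that the per-flow packet rates fed to observe() have already been measured by the line module. The 2000-entry capacity, the threshold, low-threshold and backoff-time semantics, the overflow and group behaviors and the drop probability follow the text.

```python
# Added example, not from the JunosE documentation: a model of suspicious
# control flow detection (SCFD). Assumptions are marked in comments.
import random
from dataclasses import dataclass, field


@dataclass
class ProtocolConfig:
    """Per-protocol SCFD tuning (threshold, low-threshold, backoff-time)."""
    threshold: int               # pps at which a monitored flow becomes suspicious; 0 disables SCFD
    low_threshold: int           # pps below which a suspicious flow is restored; 0 = never by rate
    backoff_time: int            # seconds after which a suspicious flow is restored; 0 = never by time
    drop_probability: int = 100  # percent of suspicious packets dropped (DoS protection group value)


@dataclass
class SuspiciousFlowTable:
    """Suspicious flow table of one line module (about 2000 entries per the text)."""
    protocols: dict
    capacity: int = 2000
    grouping: bool = True            # default: group flows when the table overflows
    enabled: bool = True             # global on/off
    flows: dict = field(default_factory=dict)        # flow -> time it became suspicious
    groups: set = field(default_factory=set)         # (physical port, protocol) marked suspicious
    transitions: dict = field(default_factory=dict)  # protocol -> flow transitions into suspicious
    overflows: int = 0
    unrecorded: int = 0              # flows that should have been suspicious but did not fit

    @staticmethod
    def group_key(flow):
        interface, protocol, _mac = flow
        # assumption: the physical port is the interface name before the '.' suffix
        return (interface.split(".")[0], protocol)

    def observe(self, flow, rate_pps, now):
        """Classify one rate sample: 'ok', 'suspicious' or 'group-suspicious'."""
        cfg = self.protocols[flow[1]]
        if not self.enabled or cfg.threshold == 0:
            return "ok"                 # only the protocol and priority rate limiters apply
        if self.group_key(flow) in self.groups:
            return "group-suspicious"   # every flow in a suspicious group is suspicious
        if flow in self.flows:
            if cfg.backoff_time and now - self.flows[flow] >= cfg.backoff_time:
                del self.flows[flow]    # backoff expired: restored regardless of rate
                return "ok"
            if cfg.low_threshold and rate_pps < cfg.low_threshold:
                del self.flows[flow]    # rate fell below the low threshold
                return "ok"
            return "suspicious"
        if rate_pps < cfg.threshold:
            return "ok"
        if len(self.flows) < self.capacity:
            self.flows[flow] = now
            self.transitions[flow[1]] = self.transitions.get(flow[1], 0) + 1
            return "suspicious"
        self.overflows += 1
        if self.grouping:
            self.groups.add(self.group_key(flow))
            return "group-suspicious"
        self.unrecorded += 1            # table full, grouping off: proceeds as nonsuspicious
        return "ok"

    def clear(self, flow=None):
        """clear suspicious-control-flow-detection: one flow, or everything."""
        if flow is None:
            self.flows.clear()
            self.groups.clear()
        else:
            self.flows.pop(flow, None)


def drop_packet(cfg, rng=random):
    """Per-packet decision for a packet that belongs to a suspicious flow."""
    return rng.random() * 100 < cfg.drop_probability
```

With grouping off, a third attacking flow on a full two-entry table is reported as ok and counted in unrecorded, which is exactly the blind spot the group feature closes: with grouping on, the same flow marks its whole (port, protocol) group, and a fourth flow on that port is suspicious even at 1 pps.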
You can also clear the following:
- All suspicious flows from the suspicious flow table for a specific slot.
- Suspicious flows from the suspicious flow table for the entire system.
- A single suspicious flow; returns the flow to the nonsuspicious state.
Display Options
For monitoring purposes, you can:
- Display all suspicious control flows when the system has recognized an attack.
- Display the current state and the number of transitions into suspicious state for the protocol and priority.
- Display historical counts about the number of flows made suspicious.
- View a trap or log generated when a control flow is considered suspicious.
- View a trap or log generated when a control flow is no longer suspicious.
Traps and Logs
The system generates a trap and a log message under the following conditions:
- A control flow transitions into a suspicious state; another trap and log message is generated on removal from a suspicious state.
- A protocol transitions to or from the suspicious state.
- A priority transitions to or from the suspicious state.
- The suspicious flow control system is overflowing or grouping flows on a line module.
You can control trap and log messages using CLI or SNMP commands.
Suspicious Control Flow Commands
Use the commands described in this section to regulate suspicious control flows.
baseline suspicious-control-flow-detection counts
- Example
host1#baseline suspicious-control-flow-detection counts
- There is no no version.
clear suspicious-control-flow-detection
- Use to clear the active state for suspicious control detection.
- If you do not specify a slot or interface, clears all suspicious flows.
- If you specify a slot, clears all specified suspicious flows on that slot.
- If you specify an interface, protocol, and source MAC address, clears that specific flow.
- Example
host1#clear suspicious-control-flow-detection interface atm 1/0.1 ppp Control address 0000.0001.0002
- There is no no version.
suspicious-control-flow-detection grouping-off
- Use to turn off the grouping of flows when the suspicious flow table on a line module overflows. With grouping off, the line module stops recognizing new suspicious flows until entries are freed from the table.
- Example
host1(config)#suspicious-control-flow-detection grouping-off
- Use the no version to turn grouping back on, which is the default.
suspicious-control-flow-detection off
- Use to turn off suspicious control flow detection globally; flows and packets are then not marked as suspicious.
- Example
host1(config)#suspicious-control-flow-detection off
- Use the no version to turn on suspicious control flow detection, which is the default.
suspicious-control-flow-detection protocol backoff-time
- Use to set the backoff time in seconds for a specific protocol that triggers the suspicious flow to return to a nonsuspicious state.
- When set to zero, a suspicious control flow for a protocol does not return to a nonsuspicious state using a time mechanism.
- Example
host1(config)#suspicious-control-flow-detection protocol iposi backoff-time 300
- Use the no version to restore the default for the protocol, 300 seconds.
suspicious-control-flow-detection protocol low-threshold
- Use to set a threshold for a specific protocol; if the flow rate falls below this rate, a suspicious flow changes to the nonsuspicious state.
- Low threshold is the rate in packets per second at which a suspicious flow becomes no longer suspicious.
- When set to zero, a suspicious flow cannot change to the nonsuspicious state by means of a low threshold rate. To clear this flow, you must use the clear suspicious-control-flow-detection command.
- Example
host1(config)#suspicious-control-flow-detection protocol iposi low-threshold 512
- Use the no version to restore the default for the protocol.
suspicious-control-flow-detection protocol threshold
- Use to set the threshold in packets per second for a specific protocol, which triggers the flow to become a suspicious flow.
- When set to zero, suspicious flow detection is disabled for the protocol; flows of that protocol remain subject to the protocol and priority rate limiters but are never marked suspicious.
- Example
host1(config)#suspicious-control-flow-detection protocol iposi threshold 1024
- Use the no version to restore the default for the protocol.
Monitoring Suspicious Control Flow
Use the commands described in this section to monitor suspicious control flows.
show suspicious-control-flow-detection counts
- Use to display statistics for suspicious control flow detection. When a slot is specified, displays only information for the specific slot. If no slot is specified, displays information for all slots.
- The delta keyword displays statistics for the current baseline.
- Field descriptions
- Number of suspicious flows total: total number of suspicious flows, current and past
- Number of suspicious flows current: number of suspicious flows currently detected and monitored
- Number of groups total: total number of groups, current and past
- Number of groups current: number of groups currently detected and monitored
- Number of false negatives total: total number of flows monitored that have not become suspicious (exceeded their threshold)
- Number of false negatives current: current number of flows monitored that have not become suspicious (exceeded their threshold)
- Number of table overflows: number of times a flow table overflowed
- Example
host1(config)#show suspicious-control-flow-detection counts
Suspicious Flow Detection System Counts
Number of suspicious flows total:   0
Number of suspicious flows current: 0
Number of groups total:             0
Number of groups current:           0
Number of false negatives total:    0
Number of false negatives current:  0
Number of table overflows:          0
show suspicious-control-flow-detection flows
- Use to display the flows currently marked as suspicious; a group entry (*group) appears when the line module is grouping flows.
- Field descriptions
- Interface: interface for the flow
- Protocol: control protocol of the flow
- MAC address: source MAC address of the flow
- InSlot: for certain flows detected on egress, the possible ingress slot of the flow
- Rate (pps): rate of the flow
- Peak Rate (pps): peak rate of the flow
- Time Since Created: time since the flow was determined to be suspicious, in hh:mm:ss format
- Example
host1(config)#show suspicious-control-flow-detection flows
Suspicious Flow Detection System Flows
                                                          Peak     Time
                                        In       Rate     Rate     since
Interface              Protocol         MAC address    Slot  (pps)    (pps)    Create
---------------------- ---------------  -------------- ----- -------- -------- --------
GigabitEthernet 1/0/7  Ethernet ARP     0000.0100.0002  ---  1000030  1000050  00:00:32
*group 3 slot 1        EthernetArpMiss  0000.0100.0003  ---  1000     3000     00:10:10
show suspicious-control-flow-detection info
- Use to display whether suspicious control flow detection is enabled, whether the line module is in overflow state or using groups, and the state of each protocol and priority.
- delta: displays statistics for the current baseline
- brief: displays only suspicious information
- slot: displays information for the specific slot
- Field descriptions
- Protocol: control protocol
- Priority: priorities map to a specific queue and color; priority groups are Hi-Green, Hi-Yellow, Lo-Green and Lo-Yellow
- State:
  - OK: the protocol or priority is currently not receiving an excess amount of traffic
  - Suspicious: the protocol or priority was detected as receiving an excess amount of traffic within the last backoff time, in seconds
- Transitions: number of transitions into the suspicious state
- Example
host1(config)#show suspicious-control-flow-detection info slot 2
Suspicious Flow Detection System Information
Suspicious Flow Detection System is enabled
Using Groups
The suspicious control flow system is not in overflow state or using groups

Protocol Information
Protocol                                        State      Transitions
----------------------------------------------- ---------- -----------
Ppp Echo Request                                OK         0
Ppp Echo Reply                                  OK         0
Ppp Echo Reply Fastpath                         OK         0
Ppp Control                                     OK         0
Atm Control (ILMI)                              OK         0
Atm OAM                                         OK         0
Atm Dynamic Interface Column Creation           OK         0
Atm Inverse ARP                                 OK         0
Frame Relay LMI Control                         OK         0
Frame Relay Inverse Arp                         OK         0
Pppoe Control                                   OK         0
Pppoe Config Dynamic Interface Column Creation  OK         0
Ethernet ARP Miss                               OK         0
Ethernet ARP                                    OK         0
Ethernet LACP packet                            OK         0
Ethernet Dynamic Interface Column Creation      OK         0
Slep SLARP                                      OK         0
MPLS TTL Exceeded On Receive                    OK         0
MPLS TTL Exceeded On Transmit                   OK         0
MPLS MTU Exceeded                               OK         0
Ipsec Transport Mode L2tp Control               OK         0
NAT/Firewall Payload                            OK         0
NAT/Firewall Update Table                       OK         0
DHCP External                                   OK         0
IP OSI                                          OK         0
IP TTL Expired                                  OK         0
IP Options Other                                OK         0
IP Options Router Alert                         OK         0
IP Multicast/Broadcast Other                    OK         0
IP Multicast DHCP (SC)                          OK         0
IP Multicast Control (SC)                       OK         0
IP Multicast Control (IC)                       OK         0
IP Multicast VRRP                               OK         0
IP Mulitcast Cache Miss                         OK         0
IP Multicast Cache Miss Auto Reply              OK         0
IP Multicast Wrong Interface                    OK         0
IP Local DHCP (SC)                              OK         0
IP Local Dhcp (IC)                              OK         0
IP Local Icmp Echo                              OK         0
IP Local Icmp Other                             OK         0
IP Local LDP                                    OK         0
IP Local BGP                                    OK         0
IP Local OSPF                                   OK         0
IP Local RSVP                                   OK         0
IP Local PIM                                    OK         0
IP Local COPS                                   OK         0
IP Local L2tp Control (SC)                      OK         0
IP Local L2tp Control (IC)                      OK         0
IP Local Other                                  OK         0
IP Local Subscriber Interface Miss              OK         0
IP Route To SRP Ethernet                        OK         0
IP Route No Route Exists                        OK         0
IP Normal Path MTU                              OK         0
IP Neighbor Discovery                           OK         0
IP Neighbor Discovery Miss                      OK         0
IP Search Error                                 OK         0
IP MLD                                          OK         0
IP Local PIM Assert                             OK         0
IP Local BFD                                    OK         0
IP IKE                                          OK         0
IP Reassembly                                   OK         0
IP Local Icmp Frag                              OK         0
IP Local Frag                                   OK         0
IP Application Classifier HTTP Redirect         OK         0

Priority Information
Priority     State      Transitions
------------ ---------- -----------
Hi-Green-IC  OK         0
Hi-Yellow-IC OK         0
Lo-Green-IC  OK         0
Lo-Yellow-IC OK         1
Hi-Green-SC  OK         0
Hi-Yellow-SC OK         0
Lo-Green-SC  OK         0
Lo-Yellow-SC OK         0
show suspicious-control-flow-detection protocol
- Use to display the suspicious threshold, low threshold and backoff time configured for each control protocol.
- Field descriptions
- Protocol: control protocol
- Threshold: suspicious threshold in packets per second
- Lo-Threshold: low threshold in packets per second
- Backoff-Time: backoff time in seconds
- Example
host1(config)#show suspicious-control-flow-detection protocol
Protocol                                        Threshold Lo-Threshold Backoff-Time
----------------------------------------------- --------- ------------ ------------
Ppp Echo Request                                10        5            300
Ppp Echo Reply                                  10        5            300
Ppp Echo Reply Fastpath                         10        5            300
Ppp Control                                     10        5            300
Atm Control (ILMI)                              10        5            300
Atm OAM                                         10        5            300
Atm Dynamic Interface Column Creation           10        5            300
Atm Inverse ARP                                 10        5            300
Frame Relay LMI Control                         10        5            300
Frame Relay Inverse Arp                         10        5            300
Pppoe Control                                   512       256          300
Pppoe Config Dynamic Interface Column Creation  10        5            300
Ethernet ARP Miss                               128       64           300
Ethernet ARP                                    128       64           300
Ethernet LACP packet                            10        5            300
Ethernet Dynamic Interface Column Creation      512       256          300
Slep SLARP                                      128       64           300
MPLS TTL Exceeded On Receive                    10        5            300
MPLS TTL Exceeded On Transmit                   10        5            300
MPLS MTU Exceeded                               10        5            300
Ipsec Transport Mode L2tp Control               2048      1024         300
NAT/Firewall Payload                            512       256          300
NAT/Firewall Update Table                       512       256          300
DHCP External                                   1024      512          300
IP OSI                                          2048      1024         300
IP TTL Expired                                  10        5            300
IP Options Other                                512       256          300
IP Options Router Alert                         2048      1024         300
IP Multicast/Broadcast Other                    512       256          300
IP Multicast DHCP (SC)                          512       256          300
IP Multicast Control (SC)                       2048      1024         300
IP Multicast Control (IC)                       512       256          300
IP Multicast VRRP                               512       256          300
IP Mulitcast Cache Miss                         128       64           300
IP Multicast Cache Miss Auto Reply              128       64           300
IP Multicast Wrong Interface                    10        5            300
IP Local DHCP (SC)                              512       256          300
IP Local Dhcp (IC)                              512       256          300
IP Local Icmp Echo                              512       256          300
IP Local Icmp Other                             128       64           300
IP Local LDP                                    2048      1024         300
IP Local BGP                                    2048      1024         300
IP Local OSPF                                   64        32           300
IP Local RSVP                                   2048      1024         300
IP Local PIM                                    2048      1024         300
IP Local COPS                                   2048      1024         300
IP Local L2tp Control (SC)                      2048      1024         300
IP Local L2tp Control (IC)                      512       256          300
IP Local Other                                  512       256          300
IP Local Subscriber Interface Miss              512       256          300
IP Route To SRP Ethernet                        512       256          300
IP Route No Route Exists                        10        5            300
IP Normal Path MTU                              10        5            300
IP Neighbor Discovery                           128       64           300
IP Neighbor Discovery Miss                      128       64           300
IP Search Error                                 10        5            300
IP MLD                                          512       256          300
IP Local PIM Assert                             512       256          300
IP Local BFD                                    1024      512          300
IP IKE                                          512       256          300
IP Reassembly                                   2048      1024         300
IP Local Icmp Frag                              512       256          300
IP Local Frag                                   512       256          300
IP Application Classifier HTTP Redirect         128       64           300
show snmp interfaces
- Use to display a list of interface types that are compressed in the interface tables and the interface numbering method configured on the router.
- Field descriptions
- Compressed (Removed) Interface Types: list of interface types that are removed from the ifTable and ifStackTable
- Armed Interface Numbering Mode: interface numbering method configured on the router: RFC1213, RFC2863
- maxIfIndex: maximum value that the system will allocate to the ifIndex field
- maxIfNumber: maximum number of interfaces allowed in the ifTable
- Interface Description Setting: method used to encode the ifDescr and ifName objects: common, legacy, proprietary
- Example
host1#show snmp interfaces
Compressed(Removed) Interface Types:
HDLC, FT1, ATM, ATM1483
Armed Interface Numbering Mode:
RFC1213, maxIfIndex=65535, maxIfNumber=65535
Interface Description Setting: proprietary
Denial-of-Service Protection Groups
A DoS protection group provides a simple policy that can be applied to interfaces. This policy can specify a complete set of parameters to tune the behavior of the DoS protection groups. The system uses these parameters to determine the priority and rates for various control protocols. The rate of traffic for a particular protocol is unlikely to be the same on all ports in the system. A configuration can have several types of interfaces, such as DHCP access clients, PPPoE access clients, and uplink interfaces. Each of these interfaces requires a different DoS configuration. All interfaces are associated with a default DoS protection group, which has standard system defaults. The maximum rates are per line module, and the drop probability is 100 percent (all suspicious packets are dropped).
Group Parameters
DoS protection groups support the following set of parameters:
- Protocol-to-priority mapping enables you to map a protocol to one of four priorities.
- Protocol burst enables you to configure the burst level for the protocol. The burst is configurable in packets, and defaults to a value in packets that is one half of the maximum rate.
- Protocol maximum rate limit (per line module) enables you to map a protocol to a maximum rate limit. This rate limit applies to all packets for a particular protocol for interfaces belonging to this particular DoS protection group on a line module. By having a DoS protection group on a single line module, the total maximum rate for a protocol can be up to the sum of the four rates configured, depending on the DoS group attached to an interface. You can set a maximum rate of zero for protocols that are not used. The actual rate never exceeds the maximum rate, but the actual rate allowed can be less than the configured maximum rate because of the weighting of protocols within a DoS protection group and the use of multiple DoS protection groups.
- Protocol weight with respect to other protocols in the DoS protection group enables you to balance the priority of the protocols. For each priority grouping, weight determines the effective minimum rate that each protocol receives. Within each priority, the sum of the minimum rates for all protocols using that priority is equal to or less than the priority rate times the over-subscription value. Each priority has a separate rate for each DoS protection group.
- Protocol drop probability for suspicious packets enables you to map a protocol to a specific drop probability. The drop probability is the percentage probability that a suspicious packet is dropped.
- Protocol skip priority rate limiter enables you to configure the system so that the specified protocol is not subject to the priority rate limiter for the priority and DoS protection group selected. The default is off: the protocol is subject to priority rate limiting.
- Priority rate sets the rate of the priority in packets per second for the line module. If this rate is exceeded, it triggers DoS suspicious control flow detection.
- Priority burst enables you to set the number of packets allowed to exceed the maximum rate before packets are dropped and DoS suspicious control flow detection is triggered.
- Priority oversubscription enables you to set an oversubscription factor for the priority rate limiter. Together with the priority rate, it is used to calculate the minimum rate limits for the protocols within a priority grouping, and it allows the priority rate to be oversubscribed because the protocols within a priority are not generally all in use at the same time. The value is the percentage to which the priority rate limiter is allowed to be oversubscribed, in the range 100 to 1000.
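The group parameters above, and the protocol weight and priority over-subscription-factor commands later on this page, as an added Python model; it is not part of this documentation or of the JunosE software. It assumes that both the per-protocol and the per-priority rate limiters behave as token buckets (rate in packets per second, burst in packets), that a protocol's effective minimum rate is its weight share of the priority rate times the oversubscription factor, capped at the protocol's own maximum rate, and that a protocol with skip-priority-rate-limiter set bypasses the priority bucket entirely. The protocol and priority names are the ones shown in this page's command examples.

```python
# Added example, not from the JunosE documentation: a model of the DoS
# protection group rate limiters and weight-derived minimum rates.
from dataclasses import dataclass


@dataclass
class ProtocolParams:
    """protocol <name> priority | rate | burst | weight | drop-probability | skip-priority-rate-limiter"""
    priority: str                    # one of the four priorities, e.g. "Hi-Green-IC"
    rate: int                        # maximum rate, pps per line module; 0 = protocol not used
    burst: int = None                # packets; None = default of half the maximum rate
    weight: int = 100                # relative to other protocols in the same priority
    drop_probability: int = 100      # percent of suspicious packets dropped
    skip_priority_rate_limiter: bool = False

    def __post_init__(self):
        if self.burst is None:
            self.burst = self.rate // 2


@dataclass
class PriorityParams:
    """priority <name> rate | burst | over-subscription-factor"""
    rate: int                        # pps per line module
    burst: int                       # packets allowed above the rate before drops start
    over_subscription_factor: int = 100   # percent, 100..1000

    def __post_init__(self):
        if not 100 <= self.over_subscription_factor <= 1000:
            raise ValueError("over-subscription-factor must be in 100..1000")


class TokenBucket:
    """Rate limiter (assumed model): refills `rate` tokens per second, banks at most `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class DosProtectionGroup:
    def __init__(self, protocols, priorities):
        self.protocols, self.priorities = protocols, priorities
        self.protocol_buckets = {n: TokenBucket(p.rate, p.burst) for n, p in protocols.items()}
        self.priority_buckets = {n: TokenBucket(p.rate, p.burst) for n, p in priorities.items()}

    def admit(self, protocol, now):
        """Run one control packet through the protocol limiter and then, unless the
        protocol skips it, the priority limiter.
        Returns 'pass', 'protocol-limited' or 'priority-limited'."""
        p = self.protocols[protocol]
        if p.rate == 0 or not self.protocol_buckets[protocol].allow(now):
            return "protocol-limited"
        if not p.skip_priority_rate_limiter and not self.priority_buckets[p.priority].allow(now):
            return "priority-limited"
        return "pass"

    def minimum_rates(self, priority):
        """Effective minimum rate (pps) of each protocol in a priority: weight share of
        (priority rate x over-subscription-factor), capped at the protocol's maximum.
        The shares therefore sum to at most the oversubscribed priority rate."""
        prio = self.priorities[priority]
        members = {n: p for n, p in self.protocols.items()
                   if p.priority == priority and p.rate > 0}
        budget = prio.rate * prio.over_subscription_factor / 100
        total_weight = sum(p.weight for p in members.values())
        return {n: min(p.rate, budget * p.weight / total_weight) for n, p in members.items()}
```

The admit() ordering matters for capacity planning: a packet that passes its protocol bucket but is refused by the priority bucket has still consumed a protocol token, so a protocol with a generous rate but a small priority burst is effectively limited by the priority, which is what skip-priority-rate-limiter exists to avoid for a protocol you must never starve.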
Attaching Groups
By default, each interface belongs to the default DoS protection group. The name is the only non-configurable aspect of the default DoS protection group.
The DoS protection group is a configurable parameter for all Layer 2 and IP interfaces. Similar to other configurable interface parameters, the DoS protection group can be set using profiles.
Because all newly created interfaces default to using the default DoS protection group, they do not inherit any DoS protection group association from a higher or lower interface binding. The DoS group applies to all types of control flows for the specific interface. For example, an IP interface supports a variety of control protocols, each of which can be separately mapped to a priority and drop probability, but to a single DoS protection group.
Protocol Mapping
Table 55 and Table 56 list the protocols mapped within DoS protection groups.
- PPPoE: handling of PPP LCP packets for dynamic interface creation
- IP DHCP: packets destined for the SC (broadcast and IC not enabled)
- IP ICMP: packets that are not further classifiable (most likely large ping packets)
DoS Protection Group Configuration Example
NOTE: To configure a DoS protection group for an interface, you must configure the settings under the default group, which is the only group that is currently supported.
To configure a DoS protection group for an interface:
host1(config)#dos-protection-group default
host1(config-dos-protection)#protocol AtmOam rate 512
host1(config-dos-protection)#protocol PppoeControl rate 512
host1(config-dos-protection)#protocol IpLocalOther rate 512
host1#show dos-protection-group default
default (canned-group: defaultCanned) *modified* -- no references
Protocol                                        Dest Mod Rate  Burst Weight DropProb Priority  Skip
----------------------------------------------- ---- --- ----- ----- ------ -------- --------- ----
Ppp Echo Request                                IC   -   2048  1024  100    100      HI green  Y
Ppp Echo Reply                                  IC   -   2048  1024  100    100      HI green  Y
Ppp Echo Reply Fastpath                         FC   -   0     0     100    100      Data path Y
Ppp Control                                     IC   -   2048  1024  100    100      HI green  N
Atm Control (ILMI)                              IC   -   2048  1024  100    100      HI green  Y
Atm OAM                                         IC   *   512   512   100    100      LO green  N
Atm Dynamic Interface Column Creation           IC   -   1024  512   100    100      HI yellow N
Atm Inverse ARP                                 IC   -   256   128   100    100      LO yellow N
Frame Relay Control (LMI)                       IC   -   2048  1024  100    100      HI green  Y
Frame Relay Inverse Arp                         IC   -   256   128   100    100      LO yellow N
Pppoe Control                                   IC   *   512   512   100    100      HI yellow N
Pppoe Ppp Config Dynamic Interface Column Creation IC -  1024  512   100    100      HI yellow N
Ethernet ARP Miss                               IC   -   256   128   100    100      LO yellow N
Ethernet ARP                                    IC   -   256   128   100    100      LO yellow N
DoS Protection Group Commands
Use the commands described in this section to create DoS protection groups and attach them to different types of interfaces.
atm dos-protection-group
- Use to attach a DoS protection group to an ATM interface.
- Example
host1(config-if)#atm dos-protection-group group1
- Use the no version to remove the attachment of the DoS protection group from the interface.
bridge1483 dos-protection-group
- Use to attach a DoS protection group to a bridge1483 interface.
- Example
host1(config-if)#bridge1483 dos-protection-group group1
- Use the no version to remove the attachment of the DoS protection group from the interface.
dos-protection-group
- Use to create a DoS protection group and enter DoS Protection Group Configuration mode.
- A group named default always exists.
- Example
host1(config)#dos-protection-group default
- Use the no version to remove the DoS protection group.
ethernet dos-protection-group
- Use to attach a DoS protection group to an Ethernet interface.
- Example
host1(config-if)#ethernet dos-protection-group group1
- Use the no version to remove the attachment of the DoS protection group from the interface.
frame-relay dos-protection-group
- Use to attach a DoS protection group to a Frame Relay interface.
- Example
host1(config-if)#frame-relay dos-protection-group group1
- Use the no version to remove the attachment of the DoS protection group from the interface.
hdlc dos-protection-group
- Use to attach a DoS protection group to an HDLC interface.
- Example
host1(config-if)#hdlc dos-protection-group group1
- Use the no version to remove the attachment of the DoS protection group from the interface.
ip dos-protection-group
- Use to attach a DoS protection group to an IP interface.
- Example 1
host1(config-if)#ip dos-protection-group group1
- Example 2
host1(config)#dos-protection-group default
host1(config-dos-protection)#protocol AtmOam rate 512
host1(config-dos-protection)#protocol PppoeControl rate 512
host1(config-dos-protection)#protocol IpLocalOther rate 512
- Use the no version to remove the attachment of the DoS protection group from the interface.
ipv6 dos-protection-group
- Use to attach a DoS protection group to an IPv6 interface.
- Example
host1(config-if)#ipv6 dos-protection-group group1
- Use the no version to remove the attachment of the DoS protection group from the interface.
lag dos-protection-group
- Use to attach a DoS protection group to a LAG interface.
- Example
host1(config-if)#lag dos-protection-group group1
- Use the no version to remove the attachment of the DoS protection group from the interface.
ppp dos-protection-group
- Use to attach a DoS protection group to a PPP interface.
- Example
host1(config-if)#ppp dos-protection-group group1
- Use the no version to remove the attachment of the DoS protection group from the interface.
pppoe dos-protection-group
- Use to attach a DoS protection group to a PPPoE interface.
- Example
host1(config-if)#pppoe dos-protection-group group1
- Use the no version to remove the attachment of the DoS protection group from the interface.
priority burst
- Use to set the number of packets a priority is allowed to exceed its rate by before packets are dropped and suspicious control flow detection is triggered.
- Example
host1(config-dos-protection)#priority Hi-Green-IC burst 32
- Use the no version to return to the default value.
priority over-subscription-factor
- Use to set the oversubscription value for the priority rate limiter.
- The oversubscription value and the priority rate are used to calculate the minimum rate limits for the protocols within the priority grouping.
- Allows an oversubscription of the priority rate because all protocols within a priority are not generally used simultaneously.
- Example
host1(config-dos-protection)#priority Hi-Green-IC over-subscription-factor 100
- Use the no version to remove the oversubscription value.
priority rate
- Use to set the rate of the priority in packets per second for the line module. Exceeding this rate triggers suspicious control flow detection.
- Example
host1(config-dos-protection)#priority Hi-Green-IC rate 6000
- Use the no version to return to the default value of 0.
protocol burst
- Use to set the burst size in packets for the protocol.
- The default value is one half of the maximum rate, in packets.
- Example
host1(config-dos-protection)#protocol IpLocalDhcpIc burst 65535
- Use the no version to set the default value, which is equal to half of the configured maximum rate.
protocol drop-probability
- Use to map a protocol to a specific drop probability, which is the percentage probability that a suspicious packet is dropped.
- Example
host1(config-dos-protection)#protocol IpLocalDhcpIc drop-probability 100
- Use the no version to set the drop probability to the value specified in the associated default group.
protocol priority
- Use to map a protocol to one of the four priorities.
- Example
host1(config-dos-protection)#protocol IpLocalDhcpIc priority hiGreen
- Use the no version to set the priority to the value specified in the associated default group.
protocol rate
- Use to map a protocol to a maximum rate limit.
- The rate limit applies to all packets of the protocol for interfaces belonging to the DoS protection group on a line module.
- The total maximum rate for a protocol on a line module can be up to the sum of the four rates configured, depending on the DoS group attached to each interface.
- Use a maximum rate of 0 for protocols that are not used.
- The actual rate never exceeds the maximum rate, but can be less than the configured maximum rate due to the weighting of the protocols within a DoS protection group and the use of multiple DoS protection groups.
- Example
host1(config-dos-protection)#protocol IpLocalDhcpIc rate 100
- Use the no version to set the value to the value specified in the associated default group.
protocol skip-priority-rate-limiter
- Use to set the skip priority rate limiter for the protocol.
- The specified protocol is not subject to the priority rate limiter for the priority and DoS protection group selected.
- The default sets the protocol such that it is subject to priority rate limiting.
- Example
host1(config-dos-protection)#protocol IpLocalDhcpIc skip-priority-rate-limiter
- Use the no version to set the value to the default, which is not to use skip-priority-rate-limiter.
protocol weight
- Use to set the weight for the protocol.
- Within each priority grouping, weight determines the effective minimum rate that each protocol receives.
- Within each priority, the sum of the minimum rates for all protocols is equal to or less than the priority rate times the oversubscription value.
- For each priority, there is a separate rate for each DoS protection group.
- Example
host1(config-dos-protection)#protocol IpLocalDhcpIc weight 100
- Use the no version to set the weight to the value specified in the associated default group.
use canned-group
- Use to create a DoS protection group that uses a pre-programmed set of parameters.
- Use the revert keyword to return the values to the canned group values.
- Example
host1#use canned-group group1
- Use the no version to associate the group with the default canned group settings.
vlan dos-protection-group
- Use to attach a DoS protection group to a VLAN interface.
- Example
host1(config-if)#vlan dos-protection-group
- Use the no version to remove the attachment of the DoS protection group from the interface.
Monitoring DoS Protection Groups
Use the commands described in this section to monitor DoS protection groups.
show dos-protection-group
- Use to display DoS protection groups.
- If you do not specify a group, displays the names of the currently configured DoS protection groups.
- If you specify a group, displays information about the specified group.
- If you do not specify the brief keyword, displays a list of references (interfaces and templates) to the DoS protection group.
- When *modified* appears next to the name of the DoS protection group, the group or a protocol within the group has changed from the preprogrammed value of the associated canned group.
- Example
host1(config)#show dos-protection-group
DOS Protection Groups:
Default (canned-group: "default") *modified*
Uplink (canned-group: "link")
ATM (canned-group: "pppoe") *modified*
VLAN (canned-group: "mixed-access")