[Contents] [Prev] [Next] [Index] [Report an Error]

Denial of Service (DoS) Protection

A denial-of-service (DoS) attack is any attempt to deny valid users access to network or server resources by using up all the resources of the network element or server. Denial of service protection provides reactive prevention from attack and determines whether the source of traffic is valid or invalid. DoS protection includes diagnostic tools and configuration options. DoS protection groups provide a simple policy that can be applied to interfaces, which can specify a set of parameters to tune behavior.

Figure 29 shows an example of the state of a flow with DoS protection using suspicious control flow detection (SCFD).

Figure 29: Typical Control Packet Processing

Image g016446.gif

Suspicious Control Flow Detection

To reduce the chance of a successful denial of service (DoS) attack and to provide diagnostic abilities while undergoing an attack, the system can detect suspicious control flows and keep state on those flows. A flow is a specific control protocol on a specific interface from a particular source. When the system determines that a control flow is suspicious, it can take corrective action on that control flow.

Keeping full state on each control flow can use a large number of resources. Instead, the system detects which flows have suspicious traffic. If a control flow is marked as suspicious, every packet associated with the flow is considered suspicious. When a packet is marked as suspicious, it is dropped based on drop probability before being delivered to the control processor.

When a distributed DoS attack occurs on a line module, suspicious flow control resources can be exhausted. To provide further counter measures, you can enable the group feature, where flows are grouped together and treated as a whole. If you do not use the group feature, suspicious flows can fill up the suspicious flow table and prevent detection of additional attacking flows.

Suspicious Control Flow Monitoring

Each protocol has a per-protocol rate limit. The rate limiter is used to limit the rate of packets that proceed to the control processor for the specific protocol. Per-protocol rate limiting is also used to begin the process by which flows of the specific protocol are monitored.

Each priority has a per-priority rate limit. The rate limiter limits the rate of packets that proceed to the control processor for the specific priority. It also begins the process by which flows of the specific priority are monitored.

All protocols on each line module have a rate limit. Each protocol is associated with a given priority, which is also provided with a rate limit. When a slot comes under attack, the first lines of defense are the protocol and priority rate limiters. If the line module determines that a specific protocol or priority is under attack (because the rate has been exceeded), it proceeds to monitor all flows from the problem protocol or priority. Initially, a control flow is marked as nonsuspicious.

After a control flow is placed in the suspicious flow table, the system inspects all packets that belong to the flow. The interface controller (IC) and forwarding controller (FC) monitor the table to determine whether the suspicious flow has a packet rate above the suspicious level. If the packet rate is above this level, the flow is marked as suspicious. Marking a control flow as suspicious affects only a particular protocol on a particular interface. When a flow is marked as suspicious, all packets belonging to that flow are marked as suspicious and trapped at the forwarding controller.

Suspicious control flows are continually monitored. The flow can be restored if the flow goes below the low threshold level. The flow can also be restored based on a backoff timer. The flow is removed from the suspicious flow table if the related interface is removed.

Approximately 2000 flows can be monitored as suspicious at any time for each line module. When the suspicious flow table on a particular line module reaches its maximum and the system is not set to group flows, flows that should be marked as suspicious proceed as nonsuspicious. When you return a suspicious flow to a nonsuspicious state or delete it, the flows that did not fit into the table are added to the table.

By default, the system groups flows when the suspicious flow table size is exceeded on a line module. When the flow table is full, instead of marking a specific flow in that group as suspicious and providing information on each flow on that line module, the system groups flows based on group membership and provides information on the group instead of each flow. This flow information is useful under severe distributed DoS attacks. Group membership is based on physical port and control protocol; all flows in that group are considered suspicious.

Configurable Options

You can configure the following options for suspicious flow detection:

Global on or off. When the option is set to off, flows or packets are not marked as suspicious. The default is on.
Actions a line module takes when the suspicious flow table on the line module overflows:
- Overflow—Stop recognizing new suspicious flows
- Group—Group flows into logical groupings where some individual flows are monitored as a group
Suspicious threshold for each protocol. The threshold is the rate in packets per second at which a flow becomes suspicious. A zero setting disables suspicious flow detection for the protocol. Flows are subject to protocol and priority rate limits, but not to suspicious flow detection.
Low threshold for each protocol. The threshold rate determines whether an interface transitions from suspicious back to nonsuspicious. A zero setting means that the flow does not transition back to nonsuspicious based on packet rate.
Backoff time in seconds for each protocol. After this period expires, the flow transitions to nonsuspicious regardless of the current rate. When set to zero, an interface does not return to the nonsuspicious state using a time mechanism.

You can also clear the following:

All suspicious flows from the suspicious flow table for a specific slot.
Suspicious flows from the suspicious flow table for the entire system.
A single suspicious flow; returns the flow to the nonsuspicious state.

Display Options

For monitoring purposes, you can:

Display all suspicious control flows when the system has recognized an attack.
Display the current state and the number of transitions into suspicious state for the protocol and priority.
Display historical counts about the number of flows made suspicious.
View a trap or log generated when a control flow is considered suspicious.
View a trap or log generated when a control flow is no longer suspicious.

Traps and Logs

The system generates a trap and a log message under the following conditions:

A control flow transitions into a suspicious state; another trap and log message is generated on removal from a suspicious state.
A protocol transitions to or from the suspicious state.
A priority transitions to or from the suspicious state.
The suspicious flow control system is overflowing or grouping flows on a line module.

You can control trap and log messages using CLI or SNMP commands.

Suspicious Control Flow Commands

Use the commands described in this section to regulate suspicious control flows.

baseline suspicious-control-flow-detection counts

Use to set a baseline for statistics for suspicious control flow detection.
Examplehost1#baseline suspicious-control-flow-detection counts
There is no no version.
See baseline suspicious-control-flow-detection counts.

clear suspicious-control-flow-detection

Use to clear the active state for suspicious control detection.
If you do not specify a slot or interface, clears all suspicious flows.
If you specify a slot, clears all specified suspicious flows on that slot.
If you specify an interface and protocol, and source mac-address. clears that specific flow.
Examplehost1#clear suspicious-control-flow-detection interface atm 1/0.1 ppp Control address 0000.0001.0002
There is no no version.
See clear suspicious-control-flow-detection.

suspicious-control-flow-detection grouping-off

Use to turn off overflow protection for suspicious control flow detection, enabling flows to be grouped into larger entities when the line module flow table overflows.
Examplehost1(config)#suspicious-control-flow-detection grouping-off
Use the no version to turn on overflow protection.
See suspicious-control-flow-detection grouping-off.

suspicious-control-flow-detection off

Use to turn off the suspicious control flow detection.
Examplehost1(config)#suspicious-control-flow-detection off
Use the no version to turn on suspicious control flow detection, which is the default.
See suspicious-control-flow-detection off.

suspicious-control-flow-detection protocol backoff-time

Use to set the backoff time in seconds for a specific protocol that triggers the suspicious flow to return to a nonsuspicious state.
When set to zero, a suspicious control flow for a protocol does not return to a nonsuspicious state using a time mechanism.
Examplehost1(config)#suspicious-control-flow-detection protocol iposi backoff-time 300
Use the no version to restore the defaults for the protocol, 300 seconds.
See suspicious-control-flow-detection protocol backoff-time.

suspicious-control-flow-detection protocol low-threshold

Use to set a threshold for a specific protocol; if the flow rate falls below this rate, a suspicious flow changes to the nonsuspicious state.
Low threshold is the rate in packets per second at which a suspicious flow becomes no longer suspicious.
When set to zero, a suspicious flow cannot change to the nonsuspicious state by means of a low threshold rate. To clear this flow, you must use the clear suspicious-control-flow-detection command.
Examplehost1(config)#suspicious-control-flow-detection protocol iposi low-threshold 512
Use the no version to restore the defaults for the protocol.
See suspicious-control-flow-detection protocol low-threshold.

suspicious-control-flow-detection protocol threshold

Use to set the threshold in packets per second for a specific protocol, which triggers the flow to become a suspicious flow.
When set to zero, a suspicious flow cannot change to the nonsuspicious state via a threshold rate.
Examplehost1(config)#suspicious-control-flow-detection protocol iposi threshold 1024
Use the no version to restore the defaults for the protocol.
See suspicious-control-flow-detection protocol threshold.

Monitoring Suspicious Control Flow

Use the commands described in this section to monitor suspicious control flows.

show suspicious-control-flow-detection counts

Use to display statistics for suspicious control flow detection. When a slot is specified, displays only information for the specific slot. If no slot is specified, displays information for all slots.
The delta keyword displays statistics for the current baseline.
Field descriptions
- Number of suspicious flows total—Total number of suspicious flows, current and past
- Number of suspicious flows current—Number of suspicious flows currently detected and monitored
- Number of groups total—Total number of groups, current and past
- Number of groups current—Number of groups currently detected and monitored
- Number of false negatives total—Total number of flows monitored that have not become suspicious (exceeded their threshold)
- Number of false negatives current—Current number of flows monitored that have not become suspicious (exceeded their threshold)
- Number of table overflows—Number of times a flow table overflows

Example

host1(config)#show suspicious-control-flow-detection counts
Suspicious Flow Detection System Counts
        Number of suspicious flows total: 0
        Number of suspicious flows current: 0
        Number of groups total: 0
        Number of groups current: 0
        Number of false negatives total: 0
        Number of false negatives current: 0
        Number of table overflows: 0

See show suspicious-control-flow-detection counts.

show suspicious-control-flow-detection flows

Use to display suspicious flows.
Field descriptions
- Interface—Interface for the flow
- Protocol—Control protocol of the flow
- MAC address—Source MAC address of the flow
- InSlot—For certain flows detected on egress, the possible ingress slot of the flow
- Rate (pps)—Rate of the flow
- Peak Rate (pps)—Peak rate of the flow
- Time Since Created—Time since the flow was determined to be suspicious, in hh:mm:sec format

Example

host1(config)# show suspicious-control-flow-detection flows
Suspicious Flow Detection System Flows
                                                          Peak            Time
                                                     In   Rate    Rate    since
Interface             Protocol        MAC address    Slot (pps)   (pps)   Create
-----------------     -------         ------------  ----- ---    -------  -------
GigabitEthernet 1/0/7 Ethernet ARP    0000.0100.0002 ---  1000030 1000050 00:00:32   
*group 3 slot 1       EthernetArpMiss 0000.0100.0003 ---  1000    3000    00:10:10

See show suspicious-control-flow-detection flows.

show suspicious-control-flow-detection info

Use to display information about suspicious flows.
You can specify the following keywords:
- delta—Displays statistics for the current baseline
- brief—Displays only suspicious information
- slot—Displays information for the specific slot
Field descriptions
- Protocol Information
  - Protocol—Control protocol of the flow
  - State
    - OK—Protocol is currently not receiving an excess amount of traffic.
    - Suspicious—Protocol detected as receiving an excess amount of traffic within the last backoff time in number of seconds.
  - Transitions—Number of times this protocol or priority has transitioned to the suspicious state
- Priority Information
  - Priority—Priorities map to a specific queue and color; priority groups are Hi-Green, Hi-Yellow, Lo-Green and Lo-Yellow.
  - State:
    - OK—Protocol is currently not receiving an excess amount of traffic
    - Suspicious—Protocol detected as receiving an excess amount of traffic within the last backoff time in number of seconds.
  - Transitions—Number of times this protocol or priority has transitioned to the suspicious state

Example

host1(config)#show suspicious-control-flow-detection info slot 2
Suspicious Flow Detection System Information
        Suspicious Flow Detection System is enabled
 
        Using Groups
 
The suspicious control flow system is not in overflow state or using groups
Protocol Information
Protocol                                State      Transitions 
--------------------------------------- ---------- -----------
Ppp Echo Request                        OK         0
Ppp Echo Reply                          OK         0
Ppp Echo Reply Fastpath                 OK         0
Ppp Control                             OK         0
Atm Control (ILMI)                      OK         0
Atm OAM                                 OK         0
Atm Dynamic Interface Column Creation   OK         0
Atm Inverse ARP                         OK         0
Frame Relay LMI Control                 OK         0
Frame Relay Inverse Arp                 OK         0
Pppoe Control                           OK         0
Pppoe Config Dynamic Interface Column   OK         0
 Creation
Ethernet ARP Miss                       OK         0
Ethernet ARP                            OK         0
Ethernet LACP packet                    OK         0
Ethernet Dynamic Interface Column       OK         0
 Creation
Slep SLARP                              OK         0
MPLS TTL Exceeded On Receive            OK         0
MPLS TTL Exceeded On Transmit           OK         0
MPLS MTU Exceeded                       OK         0
Ipsec Transport Mode L2tp Control       OK         0
NAT/Firewall Payload                    OK         0
NAT/Firewall Update Table               OK         0
DHCP External                           OK         0
IP OSI                                  OK         0
IP TTL Expired                          OK         0
IP Options Other                        OK         0
IP Options Router Alert                 OK         0
IP Multicast/Broadcast Other            OK         0
IP Multicast DHCP (SC)                  OK         0
IP Multicast Control (SC)               OK         0
IP Multicast Control (IC)               OK         0
IP Multicast VRRP                       OK         0
IP Mulitcast Cache Miss                 OK         0
IP Multicast Cache Miss Auto Reply      OK         0
IP Multicast Wrong Interface            OK         0
IP Local DHCP (SC)                      OK         0
IP Local Dhcp (IC)                      OK         0
IP Local Icmp Echo                      OK         0
IP Local Icmp Other                     OK         0
IP Local LDP                            OK         0
IP Local BGP                            OK         0
IP Local OSPF                           OK         0
IP Local RSVP                           OK         0
IP Local PIM                            OK         0
IP Local COPS                           OK         0
IP Local L2tp Control (SC)              OK         0
IP Local L2tp Control (IC)              OK         0
IP Local Other                          OK         0
IP Local Subscriber Interface Miss      OK         0
IP Route To SRP Ethernet                OK         0
IP Route No Route Exists                OK         0
IP Normal Path MTU                      OK         0
IP Neighbor Discovery                   OK         0
IP Neighbor Discovery Miss              OK         0
IP Search Error                         OK         0
IP MLD                                  OK         0
IP Local PIM Assert                     OK         0
IP Local BFD                            OK         0
IP IKE                                  OK         0
IP Reassembly                           OK         0
IP Local Icmp Frag                      OK         0
IP Local Frag                           OK         0
IP Application Classifier HTTP Redirect OK         0
 
Priority Information
Priority     State    Transitions
------------ ---------- -----------
Hi-Green-IC  OK         0
Hi-Yellow-IC OK         0
Lo-Green-IC  OK         0
Lo-Yellow-IC OK         1
Hi-Green-SC  OK         0
Hi-Yellow-SC OK         0
Lo-Green-SC  OK         0
Lo-Yellow-SC OK         0

See show suspicious-control-flow-detection info.

show suspicious-control-flow-detection protocol

Use to display protocol information for suspicious control flows.
Field descriptions
- Protocol—Control protocol
- Threshold—Threshold in packets per second
- Lo-Threshold—Low threshold in packets per second
- Backoff-Time—Backoff time in seconds

Example

host1(config)#show suspicious-control-flow-detection protocol 
Protocol                       Threshold Lo-Threshold Backoff-Time
------------------------------ --------- ------------ ------------
Ppp Echo Request                      10            5          300
Ppp Echo Reply                        10            5          300
Ppp Echo Reply Fastpath               10            5          300
Ppp Control                           10            5          300
Atm Control (ILMI)                    10            5          300
Atm OAM                               10            5          300
Atm Dynamic Interface Column          10            5          300
 Creation
Atm Inverse ARP                       10            5          300
Frame Relay LMI Control               10            5          300
Frame Relay Inverse Arp               10            5          300
Pppoe Control                        512          256          300
Pppoe Config Dynamic Interface        10            5          300
 Column Creation
Ethernet ARP Miss                    128           64          300
Ethernet ARP                         128           64          300
Ethernet LACP packet                  10            5          300
Ethernet Dynamic Interface           512          256          300
 Column Creation
Slep SLARP                           128           64          300
MPLS TTL Exceeded On Receive          10            5          300
MPLS TTL Exceeded On Transmit         10            5          300
MPLS MTU Exceeded                     10            5          300
Ipsec Transport Mode L2tp           2048         1024          300
 Control
NAT/Firewall Payload                 512          256          300
NAT/Firewall Update Table            512          256          300
DHCP External                       1024          512          300
IP OSI                              2048         1024          300
IP TTL Expired                        10            5          300
IP Options Other                     512          256          300
IP Options Router Alert             2048         1024          300
IP Multicast/Broadcast Other         512          256          300
IP Multicast DHCP (SC)               512          256          300
IP Multicast Control (SC)           2048         1024          300
IP Multicast Control (IC)            512          256          300
IP Multicast VRRP                    512          256          300
IP Mulitcast Cache Miss              128           64          300
IP Multicast Cache Miss Auto Reply   128           64          300
IP Multicast Wrong Interface          10            5          300
IP Local DHCP (SC)                   512          256          300
IP Local Dhcp (IC)                   512          256          300
IP Local Icmp Echo                   512          256          300
IP Local Icmp Other                  128           64          300
IP Local LDP                        2048         1024          300
IP Local BGP                        2048         1024          300
IP Local OSPF                         64           32          300
IP Local RSVP                       2048         1024          300
IP Local PIM                        2048         1024          300
IP Local COPS                       2048         1024          300
IP Local L2tp Control (SC)          2048         1024          300
IP Local L2tp Control (IC)           512          256          300
IP Local Other                       512          256          300
IP Local Subscriber Interface Miss   512          256          300
IP Route To SRP Ethernet             512          256          300
IP Route No Route Exists              10            5          300
IP Normal Path MTU                    10            5          300
IP Neighbor Discovery                128           64          300
IP Neighbor Discovery Miss           128           64          300
IP Search Error                       10            5          300
IP MLD                               512          256          300
IP Local PIM Assert                  512          256          300
IP Local BFD                        1024          512          300
IP IKE                               512          256          300
IP Reassembly                       2048         1024          300
IP Local Icmp Frag                   512          256          300
IP Local Frag                        512          256          300
IP Application Classifier HTTP       128           64          300
 Redirect

See show suspicious-control-flow-detection protocol.

show snmp interfaces

Use to display a list of interface types that are compressed in the interface tables and the interface numbering method configured on the router.
Field descriptions
- Compressed(Removed) Interface Types—List of interface types that are removed from the ifTable and ifStackTable
- Armed Interface Numbering Mode—Interface numbering method configured on the router: RFC1213, RFC2863
- maxIfIndex—Maximum value that the system will allocate to the ifIndex field
- maxIfNumber—Maximum number of interfaces allowed in the ifTable
- Interface Description Setting—Method used to encode the ifDescr and ifName objects: common, legacy, proprietary

Example

host1#show snmp interfaces
Compressed(Removed) Interface Types:
HDLC, FT1, ATM, ATM1483
Armed Interface Numbering Mode:
RFC1213, maxIfIndex=65535, maxIfNumber=65535
Interface Description Setting: proprietary

See show snmp interfaces.

Denial-of-Service Protection Groups

A DoS protection group provides a simple policy that can be applied to interfaces. This policy can specify a complete set of parameters to tune the behavior of the DoS protection groups. The system uses these parameters to determine the priority and rates for various control protocols. The rate of traffic for a particular protocol is unlikely to be the same on all ports in the system. A configuration can have several types of interfaces, such as DHCP access clients, PPPoE access clients, and uplink interfaces. Each of these interfaces requires a different DoS configuration. All interfaces are associated with a default DoS protection group, which has standard system defaults. The maximum rates are per line module, and the drop probability is 100 percent (all suspicious packets are dropped).

Group Parameters

DoS protection groups support the following set of parameters:

Protocol-to-priority mapping enables you to map a protocol to one of four priorities.
Protocol burst enables you to configure the burst level for the protocol. The burst is configurable in packets, and defaults to a value in packets that is one half of the maximum rate.
Protocol maximum rate limit (per line module) enables you to map a protocol to a maximum rate limit. This rate limit applies to all packets for a particular protocol for interfaces belonging to this particular DoS protection group on a line module. By having a DoS protection group on a single line module, the total maximum rate for a protocol can be up to the sum of the four rates configured, depending on the DoS group attached to an interface. You can set a maximum rate of zero for protocols that are not used. The actual rate never exceeds the maximum rate, but the actual rate allowed can be less than the configured maximum rate because of the weighting of protocols within a DoS protection group and the use of multiple DoS protection groups.
Protocol weight with respect to other protocols in the DoS protection group enables you to balance the priority of the protocols. For each priority grouping, weight determines the effective minimum rate that each protocol receives. Within each priority, the sum of the minimum rates for all protocols using that priority is equal to or less than the priority rate times the over-subscription value. Each priority has a separate rate for each DoS protection group.
Protocol drop probability for suspicious packets enables you to map a protocol to a specific drop probability. The drop probability is the percentage probability that a suspicious packet is dropped.
Protocol skip priority rate limiter enables you to configure the system so that the specified protocol is not subject to the priority rate limiter for the priority and DoS protection group selected. The default is off—the protocol is subject to priority rate limiting.
Priority rate sets the rate of the priority in packets per second for the line module. If this rate is exceeded, it triggers DoS suspicious control flow detection.
Priority burst enables you to set the number of packets allowed to exceed the maximum rate before packets are dropped and DoS suspicious control flow detection is triggered.
Priority oversubscription enables you to set an oversubscription factor for the priority rate limiter. In addition to the priority rate, it calculates the minimum rate limits for protocols with a priority grouping and allows for oversubscription of the priority rate. The value indicates a percentage that the priority rate limiter is allowed to be oversubscribed, in the range 100–1000.

Attaching Groups

By default, each interface belongs to the default DoS protection group. The name is the only non-configurable aspect of the default DoS protection group.

The DoS protection group is a configurable parameter for all Layer 2 and IP interfaces. Similar to other configurable interface parameters, the DoS protection group can be set using profiles.

Because all newly created interfaces default to using the default DoS protection group, they do not inherit any DoS protection group association from a higher or lower interface binding.

The DoS group applies to all types of control flows for the specific interface. For example, an IP interface supports a variety of control protocols, each of which can be separately mapped to a priority and drop probability, but to a single DoS protection group.

Protocol Mapping

Table 55 and Table 56 list the protocols mapped within DoS protection groups.

Table 55: Layer 2-Related Protocols

CLI Name	Description of Flow
atmControl	ATM ILMI packets
atmOAM	ATM OAM packets
atmDynamicIf	ATM dynamic interface column creation
atmInverseArp	ATM inverse ARP packets

dhcpExternal	DHCP external packets

ethernetArpMiss	Ethernet/Bridged Ethernet request to send ARP
ethernetArp	Ethernet/Bridged Ethernet reception of ARP packet
ethernetLacp	Ethernet LACP packet
ethernetDynamicIf	Ethernet/Bridged Ethernet dynamic VLAN interface creation

flisInPayload	Firewall/NAT payload
flisInPayloadUpdateTbl	Firewall/NAT payload and update table

frameRelayControl	Frame Relay LMI packets
frameRelayArp	Frame Relay inverse ARP packets

itmL2tpControl	IPSec transport mode L2TP control packets

mplsTtlOnRx	MPLS TTL expired on ingress
mplsTtlOnTx	MPLS TTL expired on egress
mplsMtu	MPLS MTU exceeded

pppEchoRequest	PPP echo request packets destined for the IC
pppEchoReply	PPP echo reply packets destined for the IC
pppEchoReplyFast	PPP echo request packets generating an FC-based reply
pppControl	other PPP control packets

pppoeControl	PPPoE PADx packets
pppoePppConfig	PPPoE handling of PPP LCP packets for dynamic interface creation

slepSlarp	Serial Line Interface SLARP packets

Table 56: IP-Related Protocols

CLI Name	Description of Flow
ipAppClassifierHttpRedirect	IP Application Classifier (HTTP redirect) packets
ipIke	IP IKE packet
ipLocalBfd	IP BFD packets
ipLocalBgp	IP BGP packets
ipLocalCops	IP COPS packets
ipLocalDemuxMiss	IP Subscriber Interface Miss packets
ipLocalDhcpIc	IP DHCP packets destined for the IC (not broadcast)
ipLocalDhcpSc	IP DHCP packets destined for the SC (broadcast and IC not enabled)
ipLocalFrag	IP fragments not classifiable
ipLocalIcmpEcho	IP ICMP echo request and reply
ipLocalIcmpFrag	IP ICMP packets that are not further classifiable (most likely large ping packets)
ipLocalIcmpOther	IP ICMP except echo request and reply
ipLocalL2tpControlIC	IP L2TP control packets for IC
ipLocalL2tpControlSC	IP L2TP control packets for SC
ipLocalLDP	IP LDP packets
ipLocalOspf	IP OSPF packets
ipLocalOther	IP Local packets not otherwise classified
ipLocalPim	IP PIM packets (except typeAssert)
ipLocalPimAssert	IP PIM assert type packets
ipLocalRsvp	IP RSVP packets
ipMld	IP Multicast listener packet
ipMulticastBroadcastOther	Ip Multicast/Broadcast not otherwise classified
ipMulticastCacheMiss	IP Multicast route table misses
ipMulticastCacheMissAutoRp	IP Multicast route table Auto-RP misses
ipMulticastControlIc	IP IGMP packets for the IC
ipMulticastControlSc	IP Multicast control packet not otherwise classified
ipMulticastDhcpSc	IP Multicast DHCP destined for SC
ipMulticastVrrp	IP VRRP packets
ipMulticastWrongIf	IP Multicast on wrong interface
ipNeighborDiscovery	IPv6 Neighbor Discovery
ipNeighborDiscoveryMiss	IPv6 Neighbor Discovery miss
ipNormalPathMtu	IP Path MTU request
ipOptionsOther	IP options not otherwise classified
ipOptionsRouterAlert	IP Router Alert
ipOsi	OSI packets
ipReassembly	IP packets that have been reassembled on a server card
ipRouteNoRoute	IP packets with no route indication
ipRouteToSrpEthernet	Packets routed to the SRP Ethernet
ipTtlExpired	IP TTL expired

DoS Protection Group Configuration Example

Note: To configure a DoS protection group for an interface, you must configure the settings under the default group, which is the only group that is currently supported.

To configure a DoS protection group for an interface:



host1(config)#dos-protection-group default 

host1(config-dos-protection)#protocol AtmOam
rate 512 

host1(config-dos-protection)#protocol PppoeControl
rate 512 

host1(config-dos-protection)#protocol IpLocalOther
rate 512

To display the configuration:



host1#show dos-protection-group default

        default (canned-group: defaultCanned)  *modified -- no references
 
      Protocol       Dest Mod Rate  Burst Weight DropProb Priority  Skip
-------------------- ---- --- ----- ----- ------ -------- --------- ----
Ppp Echo Request     IC     -  2048  1024    100      100 HI green  Y
Ppp Echo Reply       IC     -  2048  1024    100      100 HI green  Y
Ppp Echo Reply Fastp FC     -     0     0    100      100 Data path Y
path
Ppp Control          IC     -  2048  1024    100      100 HI green  N
Atm Control (ILMI)   IC     -  2048  1024    100      100 HI green  Y
Atm OAM              IC     *   512   512    100      100 LO green  N
Atm Dynamic Interfac IC     -  1024   512    100      100 HI yellow N
e Column Creation
Atm Inverse ARP      IC     -   256   128    100      100 LO yellow N
Frame Relay Control  IC     -  2048  1024    100      100 HI green  Y
(LMI)
Frame Relay Inverse  IC     -   256   128    100      100 LO yellow N
Arp
Pppoe Control        IC     *   512   512    100      100 HI yellow N
Pppoe Ppp Config Dyn IC     -  1024   512    100      100 HI yellow N
amic Interface Colum
n Creation
Ethernet ARP Miss    IC     -   256   128    100      100 LO yellow N
Ethernet ARP         IC     -   256   128    100      100 LO yellow N

DoS Protection Group Commands

Use the commands described in this section to create DoS protection groups and attach them to different types of interfacesatm dos-protection-group

Use to attach an ATM DoS protection group to an interface.
Examplehost1(config-if)#atm dos-protection-group group1
Use the no version to remove the attachment of the DoS protection group from the interface.

bridge1483 dos-protection-group

Use to attach a bridge 1483 DoS protection group to an interface.
Examplehost1(config-if)#bridge1483 dos-protection-group group1
Use the no version to remove the attachment of the DoS protection group from the interface.
See bridge1483 dos-protection-group.

dos-protection-group

Use to create a DoS protection group and enter DoS Protection Group Configuration mode.
A group named default always exists.
Examplehost1(coonfig)#dos-protection-group default
Use the no version to remove the DoS protection group.
See dos-protection-group.

ethernet dos-protection-group

Use to attach an Ethernet DoS protection group to an interface.
Examplehost1(config-if)#ethernet dos-protection-group group1
Use the no version to remove the attachment of the DoS protection group from the interface.
See ethernet dos-protection-group.

frame-relay dos-protection-group

Use to attach a Frame Relay DoS protection group to an interface.
Examplehost1(config-if)#frame-relay dos-protection-group group1
Use the no version to remove the attachment of the DoS protection group from the interface.
See frame-relay dos-protection-group.

hdlc dos-protection-group

Use to attach an HDLC DoS protection group to an interface.
Examplehost1(config-if)#hdlc dos-protection-group group1
Use the no version to remove the attachment of the DoS protection group from the interface.
See hdlc dos-protection-group.

ip dos-protection-group

Use to attach an IP DoS protection group to an interface.
Example 1host1(config-if)#ip dos-protection-group group1
Example 2host1(config)#dos-protection-group default host1(config-dos-protection)#protocol AtmOam rate 512 host1(config-dos-protection)#protocol PppoeControl rate 512 host1(config-dos-protection)#protocol IpLocalOther rate 512
Use the no version to remove the attachment of the DoS protection group from the interface.
See ip dos-protection-group.

ipv6 dos-protection-group

Use to attach an IPv6 DoS protection group to an interface.
Examplehost1(config-if)#ipv6 dos-protection-group group1
Use the no version to remove the attachment of the DoS protection group from the interface.
See ipv6 dos-protection-group.

lag dos-protection-group

Use to attach a LAG DoS protection group to an interface.
Examplehost1(config-if)#lag dos-protection-group group1
Use the no version to remove the attachment of the DoS protection group from the interface.
See lag dos-protection-group.

ppp dos-protection-group

Use to attach a PPP DoS protection group to an interface.
Examplehost1(config-if)#ppp dos-protection-group group1
Use the no version to remove the attachment of the DoS protection group from the interface.
See ppp dos-protection-group.

pppoe dos-protection-group

Use to attach a PPPoE DoS protection group to an interface.
Examplehost1(config-if)#pppoe dos-protection-group group1
Use the no version to remove the attachment of the DoS protection group from the interface.
See pppoe dos-protection-group.

priority burst

Use to set the burst size in packets for the priority.
Examplehost1(config-dos-protection)#priority Hi-Green-IC burst 32
Use the no version to return to the default value.
See priority burst.

priority over-subscription-factor

Use to set the oversubscription value for the priority rate limiter.
The oversubscription value and the priority rate are used to calculate the minimum rate limits for port compression.
Allows an oversubscription of the priority rate because all protocols within a priority are not generally used simultaneously.
Examplehost1(config-dos-protection)#priority Hi-Green-IC over-subscription-factor 100
Use the no version to return no oversubscription value.
See priority over-subscription-factor.

priority rate

Use to set the rate in packets-per-second for the priority.
Examplehost1(config-dos-protection)#priority Hi-Green-IC rate 6000
Use the no version to return to the default value of 0.
See priority rate.

protocol burst

Use to set the burst size in packets-per-second for the protocol.
The default value is one half the maximum rate in packets.
Examplehost1(config-dos-protection)#protocol IpLocalDhcpIc burst 65535
Use the no version to set the default value, which is equal to half of the configured maximum rate.
See protocol burst.

protocol drop-probability

Use to map a protocol to a specific drop probability, which is the percentage probability of an exceeded packet being dropped.
Examplehost1(config-dos-protection)#protocol IpLocalDhcpIc drop-probability 100
Use the no version to set the drop probability to the value specified in the associated default group.
See protocol drop-probability.

protocol priority

Use to set the priority for the protocol.
Examplehost1(config-dos-protection)#protocol IpLocalDhcpIc priority hiGreen
Use the no version to set the priority to the value specified in the associated default group.
See protocol priority.

protocol rate

Use to map a protocol to a maximum rate limit.
The rate limit applies to all packets of the protocol for interfaces belonging to the DoS protection group.
A particular protocol can be up to the sum of the four rates configured, depending on the DoS group attached to an interface.
Use a maximum rate of 0 for protocols that are not used.
The actual rate never exceeds the maximum rate, but can be less than the configured maximum rate due to the weighting of the protocols within a DoS protection group and the use of multiple DoS protection groups.
Examplehost1(config-dos-protection)#protocol IpLocalDhcpIc rate 100
Use the no version to set the value to the value specified in the associated default group.
See protocol rate.

protocol skip-priority-rate-limiter

Use to set the skip priority rate limiter for the protocol.
The specified protocol is not subject to the priority rate limiter for the priority and DoS protection group selected.
The default sets the protocol such that it is subject to priority rate limiting.
Examplehost1(config-dos-protection)#protocol IpLocalDhcpIc skip-priority-rate-limiter
Use the no version to set the value to the default, which is not to use skip-priority-rate-limiter.
See protocol skip-priority-rate-limiter.

protocol weight

Use to set the weight for the protocol.
For each port compression, weight determines the effective minimum rate that each protocol receives.
Within each port compression, the sum of the minimum rates for all protocols is equal to or less than the priority rate.
For each priority, there is a separate rate for each DoS protection group.
Examplehost1(config-dos-protection)#protocol IpLocalDhcpIc weight 100
Use the no version to set the weight to the value specified in the associated default group.
See protocol weight.

use canned-group

Use to create a DoS protection group that uses a pre-programmed set of parameters.
Use the revert keyword to return the values to the canned group values
Examplehost1#use canned-group group1
Use the no version to associate the group with the default canned group settings.
See use canned-group.

vlan dos-protection-group

Use to attach a VLAN DoS protection group to an interface.
Examplehost1(config-if)#vlan dos-protection-group
Use the no version to remove the attachment of the DoS protection group from the interface.
See vlan dos-protection-group.

Monitoring DoS Protection Groups

Use the commands described in this section to monitor DoS protection groups.

show dos-protection-group

Use to display DoS protection groups.
If you do not specify a group, displays the names of the currently configured DoS protection groups.
If you specify a group, displays information about the specified group.
If you do not specify the brief keyword, displays a list of references (interfaces and templates) to the DoS protection group,
When *modified* appears next to the name of the DoS protection group. the group or protocol within the group has changed from the preprogrammed value of the associated group.

Example

host1(config)#show dos-protection-group
DOS Protection Groups: 
Default (canned-group: “ default” )  *modified*  
Uplink  (canned-group: “ link”  } 
ATM     (canned-group: “ pppoe”  )   *modified*
VLAN    (canned-group: “ mixed-access” )

See show dos-protection-group.

[Contents] [Prev] [Next] [Index] [Report an Error]