Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
501
Views
4
Helpful
4
Replies

Policing Small packets

cisco_lad2004
Level 5
Level 5

‎09-01-2006 03:12 AM

Hi there

is there any way to drop smal packets when they exceed a certain threshold ?

I know I can match on packet length but then can risk to drop legitimate traffic.

TIA

Sam

Labels:
0 Helpful
4 Replies 4

swaroop.potdar
Level 7
Level 7

‎09-02-2006 11:36 AM

Hi Sam,

there are 2 aspects to your query.

1) Dropping small packets after a sertain threshold: You can do this by creating a class-map matching a certain packet length which you presume is small. And using the clas in the policy map where you set the threshold. Now you can police them after a certain threshold or apply queuing with WRED.

The police value or queuing value may be based upon the baseline of such legitimate small packets. (But this doesnt mean you may not drop legitimate packets, but its taken care to a certain extent)

2) Legitimate or Illegitimate small packets traffic. Nothing much can be achieved using cli based methods. Except for using the above method for unknown source addresses. But if you anticipate there may be illgitimate packets form know destination as well then you may want to use DDOS solutions like Anomaly Detector or Anomaly Guard Modules. All this depends on how big this problem of small packets is.

cisco_lad2004
Level 5
Level 5
In response to swaroop.potdar

‎09-02-2006 02:02 PM

Thanks Swaroop

Ur answers makes sense and if I combine both 1 & 2 I can deduct teh following.

I have 3 classes in my design: Voice , business and standard.

I could create a nested policy that in addition to reserving BW it should police based on small packets for which I will set a threshold.

I have not investigated if the small packets that killed my 7206VXR were TCP or UDP, for the latter WRED wont help. and in this case, I guess I have to simply protect other users and police a single customer uploading too many small packets.

I am aware that shaping is CPU taxing, how about policing ?

Best regards

Sam

0 Helpful

swaroop.potdar
Level 7
Level 7
In response to cisco_lad2004

‎09-04-2006 10:12 AM

Hi Sam,

I believe that policing would be less taxing compared to shaping.

HTH-Cheers,

Swaroop

0 Helpful

cisco_lad2004
Level 5
Level 5
In response to swaroop.potdar

‎09-04-2006 11:59 AM

Once again , thanks a million !

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents