Cpu Protection - Alcatel-Lucent 7450 System Management Manual

Ethernet service switch

CPU Protection

SR OS provides several rate limiting mechanisms to protect the CPM/CFM processing
resources of the router:

- CPU Protection: A centralized rate limiting function that operates on the CPM to limit
  traffic destined to the CPUs.
- Distributed CPU Protection: A control traffic rate limiting protection mechanism for
  the CPM/CFM that operates on the line cards (hence 'distributed').

CPU protection protects the CPU of the node that it is configured on from a DoS attack by
limiting the amount of traffic coming in from one of its ports and destined to the CPM (to be
processed by its CPU) using a combination of the configurable limits.

Some of the limits are configured globally for the node, and some of the limits are configured
in CPU Protection profiles which are assigned to interfaces.

The following limits are configured globally for the node:

- link-specific rate — Applies to the link-specific protocols LACP (Ethernet LAG
  control) and LMI (ATM, Ethernet and Frame Relay). The rate is a per-link limit (each
  link in the system will have LACP/LMI packets limited to this rate).
- port-overall-rate – Applies to all control traffic on each port. The rate is a per-port limit
  (each port in the system will have control traffic destined to the CPM limited to this
  rate).
- protocol-protection — Blocks network control traffic for unconfigured protocols. If
  IS-IS is not configured on an IP interface, all IS-IS-related traffic will be dropped and
  will not reach the CPU.

The following limits are configured within CPU Protection policies (1-255). CPU Protection
policies are created, configured, and then assigned to interfaces.

- overall-rate — Applies to all control traffic destined to the CPM (all sources)
  received on the interface (only where the policy is applied). This is a per-interface
  limit. Control traffic received above this rate will be discarded.
- per-source-rate — Used to limit the control traffic destined to the CPM from each
  individual source. This per-source-rate is only applied when an object (SAP) is
  configured with a cpu-protection policy and also with the optional mac-monitoring or
  ip-src-monitoring keywords. A source is defined as a SAP, Source MAC Address tuple
  for mac-monitoring and as a SAP, Source IP Address tuple for ip-src-monitoring.
  Only certain protocols (as configured under included-protocols in the cpu protection
  policy) are limited (per source) when the ip-src-monitoring keyword is used.
- out-profile-rate – Applies to all control traffic destined to the CPM (all sources)
  received on the interface (only where the policy is applied). This is a per-interface
7450 ESS System Management Guide
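
How overall-rate and per-source-rate with mac-monitoring interact when one source floods control traffic, as an added Python model that is not taken from the manual or from SR OS. It assumes rates in packets per second, fixed one-second windows, and the per-source check running before the overall check; the SAP and MAC values are constructed.

```python
from collections import defaultdict


class CpuProtectionModel:
    """Simplified one-second-window model of one interface's CPU protection policy."""

    def __init__(self, overall_rate, per_source_rate, mac_monitoring=True):
        self.overall_rate = overall_rate        # assumed unit: packets per second
        self.per_source_rate = per_source_rate  # assumed unit: packets per second
        self.mac_monitoring = mac_monitoring    # per-source-rate only applies with monitoring
        self.window = None
        self.overall_count = 0
        self.source_count = defaultdict(int)

    def admit(self, t, sap, src_mac):
        """Return True if a control packet arriving at time t would reach the CPM."""
        window = int(t)
        if window != self.window:               # new one-second window: reset counters
            self.window = window
            self.overall_count = 0
            self.source_count.clear()
        if self.mac_monitoring:
            key = (sap, src_mac)                # a source is a (SAP, source MAC) tuple
            if self.source_count[key] >= self.per_source_rate:
                return False                    # this source exceeded per-source-rate
            self.source_count[key] += 1
        if self.overall_count >= self.overall_rate:
            return False                        # interface exceeded overall-rate
        self.overall_count += 1
        return True


def simulate(mac_monitoring):
    """Constructed traffic for one second: one source at 1000 pps, one at 5 pps."""
    policy = CpuProtectionModel(overall_rate=100, per_source_rate=20,
                                mac_monitoring=mac_monitoring)
    flood = [(i / 1000.0, "1/1/1:10", "00:00:5e:00:53:01") for i in range(1000)]
    legit = [(0.1 + i / 5.0, "1/1/1:10", "00:00:5e:00:53:02") for i in range(5)]
    admitted = defaultdict(int)
    for t, sap, mac in sorted(flood + legit):
        if policy.admit(t, sap, mac):
            admitted[mac] += 1
    return dict(admitted)


if __name__ == "__main__":
    print("overall-rate only:      ", simulate(mac_monitoring=False))
    print("with per-source-rate:   ", simulate(mac_monitoring=True))
```

With only overall-rate, the flooding source uses the whole per-interface budget before the second source sends anything, so the second source's control packets are discarded; with per-source-rate and mac-monitoring the flood is capped per source and the second source still reaches the CPM.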
