HP ProCurve 9304M Security Manual page 144

Security Guide for ProCurve 9300/9400 Series Routing Switches
enters exhausted mode. When the device is in exhausted mode, and the condition drops below the clearing
watermark, the device goes back into normal mode.
Actions
When the declaring watermark defined for a condition has been exceeded, the device enters exhausted mode.
When the device is in exhausted mode, the following actions can be taken:
• Dynamic aging adjustment control – If dynamic aging adjustment control is specified as an action, when
the system enters exhausted mode, the age limit value for CAM entries is dynamically changed to a smaller
value, decreasing from 70 seconds to 35 seconds. When the system re-enters normal mode, the age limit
value for CAM entries goes back to 70 seconds. Dynamic aging adjustment control is supported on both
Standard (non-EP) and EP devices.
• Unknown unicast flooding/dropping – You can configure the device to perform hardware flooding or
dropping of unknown unicast packets when it enters exhausted mode. Packets with unknown unicast
destination addresses can be either dropped or flooded by hardware to all ports in the VLAN. The unknown
unicast flooding/dropping action is supported on EP devices only.
• Multicast/broadcast flooding/dropping – You can configure the system to drop or perform hardware
flooding for multicast or broadcast packets, instead of sending them to the CPU. The multicast/broadcast
flooding/dropping action is supported on EP devices only.
The hardware flooding actions are not applicable in every configuration, since under certain circumstances the
device needs to send packets to the CPU for processing. For example, if a port on a Routing Switch has an IP
address configured, hardware flooding will not be enabled, so that ARP packets can be sent to the CPU.
Hardware flooding will not be applied on the following kinds of VLANs:
• Layer 2 control VLAN (VLAN ID 4094)
• Management VLAN
• Protocol VLAN
• Private VLAN
On a Routing Switch, hardware flooding will not be enabled on a physical port that has a Layer 3 address
configured. For virtual routing (VE) interfaces, packets are processed by the CPU by default, but hardware
flooding can be enabled. See "Enabling Hardware Flooding on Virtual Routing Interfaces" on page 8-3 for more
information.
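
The following Python model is an added example, not code from the manual or from HP. It reproduces the watermark hysteresis, the 70-to-35-second CAM age change, and the cases in which hardware flooding does not apply, as described above. The watermark values (90 and 70), the sample levels, and the VLAN kind labels are assumptions, since this page does not state them.

```python
# Added illustration of the behaviour described above; not HP code.
NORMAL_AGE_S, EXHAUSTED_AGE_S = 70, 35   # CAM age limits stated in the manual
# Hypothetical labels for the VLAN kinds the manual excludes from hardware flooding.
NO_HW_FLOOD_VLANS = {"layer2-control", "management", "protocol", "private"}

class CpuProtection:
    def __init__(self, declaring, clearing, dynamic_aging=True):
        self.declaring = declaring        # assumed value, not from the manual
        self.clearing = clearing          # assumed value, not from the manual
        self.dynamic_aging = dynamic_aging
        self.exhausted = False

    def sample(self, level):
        """Feed one measurement of the monitored condition; return the mode."""
        if not self.exhausted and level > self.declaring:
            self.exhausted = True         # declaring watermark exceeded
        elif self.exhausted and level < self.clearing:
            self.exhausted = False        # dropped below clearing watermark
        return "exhausted" if self.exhausted else "normal"

    @property
    def cam_age_limit(self):
        if self.exhausted and self.dynamic_aging:
            return EXHAUSTED_AGE_S
        return NORMAL_AGE_S

def hw_flooding_applies(ep_device, vlan_kind, port_has_l3_addr=False,
                        is_ve=False, ve_flooding_enabled=False):
    """Return True if a hardware flooding action can take effect here."""
    if not ep_device:                     # flooding actions are EP-only
        return False
    if vlan_kind in NO_HW_FLOOD_VLANS:    # excluded VLAN kinds
        return False
    if is_ve:                             # VE: CPU by default, flooding is opt-in
        return ve_flooding_enabled
    return not port_has_l3_addr           # L3 address keeps ARP going to the CPU

def run(levels, declaring=90, clearing=70):
    cp = CpuProtection(declaring, clearing)
    return [(lvl, cp.sample(lvl), cp.cam_age_limit) for lvl in levels]

if __name__ == "__main__":
    # Constructed sample: level of the monitored condition over time.
    for row in run([60, 85, 95, 80, 75, 65, 60]):
        print(row)
```

Between the two watermarks the device keeps its current mode, which is why the levels 80 and 75 in the sample remain in exhausted mode with the 35-second age limit.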
Configuring CPU Protection
Configuring CPU protection consists of enabling CPU protection, specifying conditions that place the system into
exhausted mode, and specifying actions to take when the system is in exhausted mode. The following sections
explain how to enable CPU protection, describe the default conditions and actions on the device, and explain how
to modify the default conditions and actions.
Enabling CPU Protection
The CPU protection feature is disabled by default. To enable it, enter one or both of the following commands,
depending on whether you want the device to protect the CPU, the CAM, or both.
The following command enables the HP device to automatically take actions when thresholds related to high
CAM usage are exceeded:
ProCurveRS(config)# cpupro-action hardware-flooding enable
NOTE: Hardware flooding actions are supported on EP devices only.
8 - 2
June 2005
