Cpu Protection - Alcatel-Lucent 7950 SR System Management Manual

CPU Protection

SR OS provides several rate limiting mechanisms to protect the CPM/CFM processing
resources of the router:

- CPU Protection: A centralized rate limiting function that operates on the CPM to limit
  traffic destined to the CPUs.
- Distributed CPU Protection: A control traffic rate limiting protection mechanism for
  the CPM/CFM that operates on the line cards (hence 'distributed').

CPU protection protects the CPU of the node that it is configured on from a DoS attack by
limiting the amount of traffic coming in from one of its ports and destined to the CPM (to be
processed by its CPU) using a combination of the configurable limits.

Some of the limits are configured globally for the node, and some of the limits are configured
in CPU Protection profiles which are assigned to interfaces.

The following limits are configured globally for the node:

- link-specific rate — Applies to the link-specific protocol LACP (LAG control). The
  rate is a per-link limit (each link in the system will have LACP packets limited to this
  rate).
- port-overall-rate – Applies to all control traffic on each port. The rate is a per-port limit
  (each port in the system will have control traffic destined to the CPM limited to this
  rate).
- protocol-protection — Blocks network control traffic for unconfigured protocols. If
  IS-IS is not configured on an IP interface, all IS-IS-related traffic will be dropped and
  not reach the CPU.

The following limits are configured within CPU Protection policies (1-255). CPU Protection
policies are created, configured, and then assigned to interfaces.

- overall-rate — Applies to all control traffic destined to the CPM (all sources) received
  on the interface (only where the policy is applied). This is a per-interface limit.
  Control traffic received above this rate will be discarded.
- per-source-rate — Used to limit the control traffic destined to the CPM from each
  individual source. This per-source-rate is only applied when an object (SAP) is
  configured with a cpu-protection policy and also with the optional mac-monitoring or
  ip-src-monitoring keywords. A source is defined as a (SAP, Source MAC Address) tuple
  for mac-monitoring and as a (SAP, Source IP Address) tuple for ip-src-monitoring.
  Only the DHCP protocol is limited (per source) when the ip-src-monitoring keyword
  is used.
- out-profile-rate – Applies to all control traffic destined to the CPM (all sources)
  received on the interface (only where the policy is applied). This is a per-interface
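
An added example, not taken from the manual and not SR OS code: a small Python model of how protocol-protection, per-source-rate (with ip-src-monitoring) and overall-rate combine for control traffic on one interface. The class and function names, the order in which the checks run, the one-second counting window and the sample traffic are assumptions made for illustration.

```python
from collections import Counter

class CpuProtectionModel:
    """Toy model of the limits above. Rates are packets per second."""

    def __init__(self, overall_rate, per_source_rate, configured_protocols):
        self.overall_rate = overall_rate
        self.per_source_rate = per_source_rate
        self.configured = set(configured_protocols)
        self.window = None
        self.iface_count = 0
        self.source_count = Counter()

    def admit(self, t, sap, src_ip, protocol):
        """Verdict for one control packet arriving at time t (seconds)."""
        # protocol-protection: unconfigured protocols never reach the CPU.
        if protocol not in self.configured:
            return "drop:protocol-protection"
        # Assumption: counters restart on each one-second boundary.
        if int(t) != self.window:
            self.window, self.iface_count = int(t), 0
            self.source_count.clear()
        # per-source-rate with ip-src-monitoring: a source is (SAP, source IP)
        # and only DHCP is limited per source.
        if protocol == "dhcp":
            if self.source_count[sap, src_ip] >= self.per_source_rate:
                return "drop:per-source-rate"
            self.source_count[sap, src_ip] += 1
        # overall-rate: per-interface limit across all sources.
        if self.iface_count >= self.overall_rate:
            return "drop:overall-rate"
        self.iface_count += 1
        return "to-cpm"

def replay(model, packets):
    """Count verdicts for packets given as (t, sap, src_ip, protocol)."""
    return dict(Counter(model.admit(*p) for p in sorted(packets)))

def sample_packets():
    """Constructed traffic: one DHCP flooder, one normal client, IS-IS, BGP."""
    sap = "1/1/1:100"  # constructed SAP identifier
    flood = [(0.001 * i, sap, "192.0.2.10", "dhcp") for i in range(500)]
    normal = [(0.1 * i, sap, "192.0.2.20", "dhcp") for i in range(5)]
    isis = [(0.5, sap, "-", "isis")]  # IS-IS is not configured in this model
    bgp = [(0.6 + 0.001 * i, sap, "192.0.2.40", "bgp") for i in range(100)]
    return flood + normal + isis + bgp

if __name__ == "__main__":
    model = CpuProtectionModel(100, 10, {"dhcp", "bgp"})
    print(replay(model, sample_packets()))
```

In the constructed run the flooding DHCP source is cut off at its own per-source limit, so the well-behaved client on the same SAP still reaches the CPM; the later burst from a non-DHCP source is bounded only by the per-interface overall-rate.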