Dell S3048-ON Configuration Manual page 238

• NDP Packets in VLT peer routing enable
• VLT peer routing enable cases each VLT node will have route entry for link local address of both self and peer VLT node. Peer VLT
link local entry will have egress port as ICL link. And Actual link local address will have entry to CopyToCpu. But NDP packets
destined to peer VLT node needs to be taken to CPU and tunneled to the peer VLT node..
• NDP packets in VLT peer routing disable case
• NDP packets intended to peer VLT chassis taken to CPU and tunnel to peer.
The following table describes the protocol to queue mapping with the CPU queues increased to be 12.
Table 13. Redirecting Control Traffic to 12 CPU queues
CPU Queue Weights
0 100
1 1
2 2
3 4
4 127
5 16
6 16
7 64
8 32
9 64
10 32
11 32
Catch-All Entry for IPv6 Packets
Dell Networking OS currently supports configuration of IPv6 subnets greater than /64 mask length, but the agent writes it to the default
LPM table where the key length is 64 bits. The device supports table to store up to 256 subnets of maximum of /128 mask lengths. This
can be enabled and agent can be modified to update the /128 table for mask lengths greater than /64. This will restrict the subnet sizes to
required optimal level which would avoid these NDP attacks. The IPv6 stack already supports handling of >/64 subnets and doesn't require
any additional work. The default catch-all entry is put in the LPM table for IPv4 and IPv6. If this is included for IPv6, you can disable this
capability by using the no ipv6 unknown-unicast command. Typically, the catch-all entry in LPM table is used for soft forwarding
and generating ICMP unreachable messages to the source. If this is in place then irrespective of whether it is </64 subnet or >/64 subnet,
it doesn't have any effect as there would always be LPM hit and traffic are sent to CPU.
Unknown unicast L3 packets are terminated to the CPU CoS queue which is also shared for other types of control-plane packets like ARP
Request, Multicast traffic, L3 packets with Broadcast MAC address. The catch-all route poses a risk of overloading the CPU with unknown
238 Control Plane Policing (CoPP)
Rate (pps)
1300
300
300
400
2000
300
400
400
400
600
300
300
Protocol
BFD
MC
TTL0, TTL1, IP with options, Mac limit violation, Hyper
pull, L3 with Bcast MacDA, Unknown L3, ARP
unresolved, ACL Logging
sFlow, L3 MTU Fail frames
IPC/IRC, VLT Control frames
ARP Request, NS, RS, iSCSI OPT Snooping
ICMP, ARP Reply, NTP, Local terminated L3, NA,
RA,ICMPv6 (other Than NDP and MLD)
xSTP, FRRP, LACP, 802.1x,ECFM,L2PT,TRILL, Open
flow
PVST, LLDP, GVRP, FCOE, FEFD, Trace flow
OSPF, ISIS, RIPv2, BGP
DHCP, VRRP
PIM, IGMP, MSDP, MLD