A three-color marking mechanism uses a green, yellow and red marking function. This allows greater flexibility in how traffic limits are implemented. A CLI command within the DoS protection policy called out-profile-rate maps to the boundary between the green (accept) and yellow (mark as discard eligible) regions. The overall-rate command marks the boundary between the yellow and red (drop) regions for the associated policy (Figure 3).

Figure 3: Profile Marking (figure not reproduced; it shows the Out-profile-rate boundary between the green and yellow regions and the Overall-rate boundary between the yellow and red regions)

There are two default CPU protection policies. They are modifiable, but cannot be deleted.

Policy 254:
• This is the default policy that is automatically applied to access interfaces
• Traffic above 6000 pps is discarded
• overall-rate = 6000
• per-source-rate = max
• out-profile-rate = 6000

Policy 255:
• This is the default policy that is automatically applied to network interfaces
• Traffic above 3000 pps is marked as discard eligible, but is not discarded unless there is congestion in the queueing towards the CPU
• overall-rate = max
• per-source-rate = max
• out-profile-rate = 3000

All traffic destined to the CPM that will be processed by its CPU is subject to the specified limit. Therefore, if a protocol is running on the violating interface, protocol traffic on that interface will also be affected. The objective of CPU protection is to limit the amount of traffic that the CPU will process at an early stage, therefore, the good and bad

limit. Control traffic received above this rate will be marked as discard eligible and is more likely to be discarded if there is contention for CPU resources.

7950 SR OS System Management Guide, Security, Page 33
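The following model of the three-color marking described above, with the two default policies plugged in, is an added example and is not code from the 7950 SR OS guide or from Nokia. It assumes a plain per-second packet counter (the guide does not describe the meter implementation), treats the CLI keyword `max` as "no limit", and, for the congestion case, makes the worst-case assumption that every discard-eligible packet is dropped, whereas the guide only says such packets are more likely to be discarded. The policy names, `Marking` tuple and `mark_stream` helper are the example's own.

```python
"""Three-color (green/yellow/red) marking model for SR OS CPU-protection policies.

Added example, not the guide's own code. Assumes a simple per-second counter;
the real hardware meter is not described on the page.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import NamedTuple

MAX = float("inf")  # stands in for the CLI keyword "max" (no limit)


@dataclass(frozen=True)
class CpuProtectionPolicy:
    policy_id: int
    overall_rate: float      # yellow/red boundary in pps: above it, control traffic is dropped
    per_source_rate: float   # listed for completeness; both defaults set it to max
    out_profile_rate: float  # green/yellow boundary in pps: above it, traffic is discard eligible


# The two default policies exactly as listed on the page.
POLICY_254 = CpuProtectionPolicy(254, overall_rate=6000, per_source_rate=MAX, out_profile_rate=6000)
POLICY_255 = CpuProtectionPolicy(255, overall_rate=MAX, per_source_rate=MAX, out_profile_rate=3000)


class Marking(NamedTuple):
    accepted: int          # green
    discard_eligible: int  # yellow
    dropped: int           # red


def color_of(packet_index: int, policy: CpuProtectionPolicy) -> str:
    """Color of the n-th (1-based) packet received within one second under `policy`."""
    if packet_index > policy.overall_rate:
        return "red"
    if packet_index > policy.out_profile_rate:
        return "yellow"
    return "green"


def mark_one_second(pps: int, policy: CpuProtectionPolicy, cpu_congested: bool = False) -> Marking:
    """Split `pps` control packets arriving in one second into the three regions.

    cpu_congested=True models the worst case for yellow traffic: all of it is
    dropped (assumption; the guide only says it is "more likely to be discarded").
    """
    # Green can never exceed overall-rate, even if a policy sets out-profile-rate higher.
    green = int(min(pps, policy.out_profile_rate, policy.overall_rate))
    within_overall = int(min(pps, policy.overall_rate))
    yellow = max(0, within_overall - green)
    red = pps - within_overall
    if cpu_congested:
        red += yellow
        yellow = 0
    return Marking(green, yellow, red)


def mark_stream(arrival_times: list, policy: CpuProtectionPolicy) -> list:
    """Color each packet of a stream of arrival times (seconds), resetting the counter every second."""
    seen = defaultdict(int)
    colors = []
    for t in arrival_times:
        second = int(t)
        seen[second] += 1
        colors.append(color_of(seen[second], policy))
    return colors


# Constructed sample: 7000 packets evenly spread over second 0 (a burst well above
# both default limits), followed by a quiet second with only 100 packets.
SAMPLE_ARRIVALS = [i / 7000 for i in range(7000)] + [1 + i / 100 for i in range(100)]

if __name__ == "__main__":
    for policy in (POLICY_254, POLICY_255):
        print(f"policy {policy.policy_id}, 7000 pps:", mark_one_second(7000, policy))
        colors = mark_stream(SAMPLE_ARRIVALS, policy)
        print(f"policy {policy.policy_id}, stream:",
              {c: colors.count(c) for c in ("green", "yellow", "red")})
```

Running it shows the difference the page describes: at 7000 pps, policy 254 accepts 6000 packets and drops 1000 outright, while policy 255 accepts 3000 and marks the other 4000 discard eligible, dropping none unless the queue towards the CPU is congested.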