11.4. Configuring CPU Traffic
Overview
Function Introduction
CPU traffic limit is a mechanism for protecting the switch CPU from malicious flows that inject a huge volume of PDUs into the switch.
CPU traffic limit provides two-level protection for the CPU.
The low-level traffic limit is applied per reason and is realized by queue shaping of each type of PDU.
The high-level traffic limit is applied across all reasons and is realized by channel shaping at the CPU channel.
With this two-level protection, the PDU-to-CPU rate of each reason is limited and the overall PDU-to-CPU rate is limited as well.
The word "reason" denotes the type of packet that is sent to the CPU for further processing.
The descriptions of all reasons are as follows.
| Reason | Description |
|---|---|
| arp | Address Resolution Protocol |
| bpdu | Bridge Protocol Data Unit |
| dhcp | Dynamic Host Configuration Protocol |
| eapol | Extensible Authentication Protocol over LAN |
| erps | Ethernet Ring Protection Switching |
| fwd-to-cpu | Packets forwarded to CPU |
| icmp-redirect | ICMP Redirect |
| igmp | IGMP Snooping Protocol |
| ip-option | Packets with IP Option |
| ipda | IP destination is the router itself |
| ssh | SSH protocol packet |
| telnet | Telnet protocol packet |
| mlag | MLAG protocol packet |
| tcp | TCP protocol packet |
| ldp | Label Distribution Protocol |
| macsa-mismatch | Port Security for source MAC learned |
| mcast-rpf-fail | Multicast with RPF fail or first multicast packet |
| mpls-ttl-fail | MPLS packets with TTL fail |
| ip-mtu-fail | IP packet with MTU fail |
| ospf | Open Shortest Path First |
| pim | Protocol Independent Multicast |
| port-security-discard | Port Security for exceeding FDB maxnum |
| rip | Routing Information Protocol |
| sflow-egress | Sampled flow at egress direction |
| sflow-ingress | Sampled flow at ingress direction |
| slow-protocol | Slow Protocol (including EFM, LACP and SyncE) |
| smart-link | Smart Link Protocol |
| ucast-ttl-fail | Unicast packets with TTL fail |
| udld | Unidirectional Link Detection Protocol |
| vlan-security-discard | VLAN Security for exceeding FDB maxnum |
| vrrp | Virtual Router Redundancy Protocol |
| bfd-learning | BFD learning packets |
| dot1x-mac-bypass | MAC auth bypass packets |
| bgp | Border Gateway Protocol packet |
| egress-ttl-fail | Egress TTL fail packet |
| icmpv6 | ICMPv6 packet |
| l2protocol-tunnel | Layer 2 protocol tunnel packet |
| loopback-detection | Loopback detection packet |
| mirror-to-cpu | Mirror to CPU packet |
| ndp | Neighbor Discovery Protocol packet |
| tunnel-gre-keepalive | Tunnel GRE keepalive reply packet |
The default rate and class configuration for all reasons is as follows.
| reason | rate (pps) | class |
|---|---|---|
| arp | 256 | 1 |
| bpdu | 64 | 3 |
| dhcp | 128 | 0 |
| eapol | 128 | 0 |
| erps | 128 | 3 |
| fwd-to-cpu | 64 | 0 |
| icmp-redirect | 128 | 0 |
| igmp | 128 | 2 |
| ip-option | 512 | 0 |
| ipda | 1000 | 0 |
| ssh | 64 | 3 |
| telnet | 64 | 3 |
| mlag | 1000 | 1 |
| tcp | 64 | 2 |
| ldp | 512 | 1 |
| macsa-mismatch | 128 | 0 |
| mcast-rpf-fail | 128 | 1 |
| mpls-ttl-fail | 64 | 0 |
| ip-mtu-fail | 64 | 0 |
| ospf | 256 | 1 |
| pim | 128 | 1 |
| port-security-discard | 128 | 0 |
| rip | 64 | 1 |
| sflow-egress | 128 | 0 |
| sflow-ingress | 128 | 0 |
| slow-protocol | 256 | 1 |
| smart-link | 128 | 2 |
| ucast-ttl-fail | 64 | 0 |
| udld | 128 | 3 |
| vlan-security-discard | 128 | 0 |
| vrrp | 512 | 1 |
| bfd-learning | 128 | 1 |
| dot1x-mac-bypass | 64 | 2 |
| bgp | 256 | 1 |
| egress-ttl-fail | 64 | 0 |
| icmpv6 | 64 | 2 |
| l2protocol-tunnel | 1000 | 0 |
| loopback-detection | 64 | 3 |
| mirror-to-cpu | 1000 | 0 |
| ndp | 64 | 2 |
| tunnel-gre-keepalive | 64 | 0 |
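The following is an added example, not vendor code, that models the two-level protection described in the overview using a subset of the default rate/class table above and the default total rate of 2000 pps from the configuration steps. It shows how a flood on one reason is first clipped by that reason's queue and how the channel limit then decides what still reaches the CPU. The page only says that a larger class is a higher priority; the model assumes this means higher classes are served first at the channel and that reasons sharing a class split the remaining capacity in proportion to their demand. Both of these are assumptions, and the offered load in `FLOOD` is constructed.

```python
"""Model of the two-level CPU traffic limit described in this section.

Added example, not vendor code. Level 1 (per reason) is modelled as a cap at
the reason's configured rate. Level 2 (CPU channel) caps the aggregate at the
total rate; the page says a larger class is a higher priority, and this model
ASSUMES that means higher classes are served first at the channel and that
reasons sharing a class split what is left in proportion to their demand.
"""
from collections import defaultdict

# Subset of the default rate/class table in this section: reason -> (pps, class).
DEFAULT_LIMITS = {
    "arp": (256, 1),
    "bpdu": (64, 3),
    "dhcp": (128, 0),
    "ospf": (256, 1),
    "ipda": (1000, 0),
    "ip-option": (512, 0),
    "ssh": (64, 3),
}
DEFAULT_TOTAL_RATE = 2000  # default total rate from the configuration steps, pps


def per_reason_limit(offered, limits):
    """Low level: each reason's queue passes at most its configured rate (pps)."""
    return {reason: min(pps, limits[reason][0]) for reason, pps in offered.items()}


def channel_limit(after_queue, limits, total_rate):
    """High level: the CPU channel passes at most total_rate across all reasons.
    Higher class first (assumption); proportional sharing inside a class."""
    by_class = defaultdict(dict)
    for reason, pps in after_queue.items():
        by_class[limits[reason][1]][reason] = pps
    remaining = total_rate
    passed = {}
    for cls in sorted(by_class, reverse=True):  # class 3 before class 0
        group = by_class[cls]
        demand = sum(group.values())
        if demand <= remaining:
            passed.update(group)
            remaining -= demand
        else:
            # demand > remaining >= 0, so demand is never zero here
            scale = remaining / demand
            for reason, pps in group.items():
                passed[reason] = pps * scale
            remaining = 0
    return passed


def simulate(offered, limits=DEFAULT_LIMITS, total_rate=DEFAULT_TOTAL_RATE):
    """Offered load per reason (pps) -> rate that actually reaches the CPU."""
    return channel_limit(per_reason_limit(offered, limits), limits, total_rate)


# Constructed scenario: a flood of packets addressed to the router itself
# (ipda) plus IP-option packets, alongside normal control-plane traffic.
FLOOD = {"ipda": 50000, "ip-option": 5000, "arp": 1000,
         "bpdu": 10, "ospf": 20, "ssh": 5, "dhcp": 50}

if __name__ == "__main__":
    for total in (DEFAULT_TOTAL_RATE, 1500):
        result = simulate(FLOOD, total_rate=total)
        print(f"total rate {total}: {sum(result.values()):.0f} pps reach the CPU")
        for reason, pps in sorted(result.items(), key=lambda kv: -kv[1]):
            print(f"  {reason:<10} {pps:8.1f} pps")
```

With the default total rate the per-reason caps alone keep the aggregate under 2000 pps, so everything that survives its queue reaches the CPU; lowering the total rate to 1500 pps makes the channel shaper bite, and under the assumed priority model the class-0 flood reasons are the ones that get scaled back while bpdu and ssh (class 3) and the routing protocols (class 1) pass untouched.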
Principle Description
Terminology
PDU: Protocol Data Unit
Configuration
step 1 Enter the configure mode
Switch# configure terminal
step 2 Set the total rate
The default value of the total rate is 2000; the unit is pps (packets per second).
Switch(config)# cpu-traffic-limit total rate 3000
step 3 Set the separate (per-reason) rate
Using RIP packets as an example:
Switch(config)# cpu-traffic-limit reason rip rate 500
step 4 Set the reason class
Switch(config)# cpu-traffic-limit reason rip class 3
The valid range of the reason class is 0-3. A larger number indicates a higher priority.
step 5 Exit the configure mode
Switch(config)# end
step 6 Validation
To display the CPU traffic limit configuration, use the following privileged EXEC command.
Switch# show cpu traffic-limit
reason rate (pps) class
dot1x-mac-bypass 64 2
bpdu 64 3
slow-protocol 256 1
eapol 128 0
erps 128 3
smart-link 128 2
udld 128 3
loopback-detection 64 3
arp 256 1
dhcp 128 0
rip 500 3
ldp 512 1
ospf 256 1
pim 128 1
bgp 256 1
vrrp 512 1
ndp 64 2
icmpv6 64 2
ssh 64 3
telnet 64 3
mlag 1000 1
tcp 64 2
ipda 1000 0
icmp-redirect 128 0
mcast-rpf-fail 128 1
macsa-mismatch 128 0
port-security-discard 128 0
vlan-security-discard 128 0
egress-ttl-fail 64 0
ip-mtu-fail 64 0
bfd-learning 128 1
ptp 512 2
ip-option 512 0
tunnel-gre-keepalive 64 0
ucast-ttl-fail 64 0
mpls-ttl-fail 64 0
igmp 128 2
sflow-ingress 128 0
sflow-egress 128 0
fwd-to-cpu 64 0
l2protocol-tunnel 1000 0
mirror-to-cpu 1000 0
Total rate: 3000 (pps)
To display the CPU traffic statistics, use the following privileged EXEC command.
Switch# show cpu traffic-statistics receive all
statistics rate time is 5 second(s)
reason count(packets) rate(pps)
dot1x-mac-bypass 0 0
bpdu 0 0
slow-protocol 0 0
eapol 0 0
erps 0 0
smart-link 0 0
udld 0 0
loopback-detection 0 0
arp 0 0
dhcp 0 0
rip 0 0
ldp 0 0
ospf 0 0
pim 0 0
bgp 0 0
vrrp 0 0
rsvp 0 0
ndp 0 0
icmpv6 0 0
ssh 0 0
telnet 0 0
mlag 0 0
tcp 0 0
ipda 0 0
icmp-redirect 0 0
mcast-rpf-fail 0 0
macsa-mismatch 0 0
port-security-discard 0 0
vlan-security-discard 0 0
egress-ttl-fail 0 0
ip-mtu-fail 0 0
bfd-learning 0 0
ptp 0 0
ip-option 0 0
tunnel-gre-keepalive 0 0
ucast-ttl-fail 0 0
mpls-ttl-fail 0 0
igmp 0 0
sflow-ingress 0 0
sflow-egress 0 0
fwd-to-cpu 0 0
l2protocol-tunnel 0 0
mirror-to-cpu 0 0
mpls-tp-pwoam 0 0
other 0 0
Total 0 0
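As an added example (not vendor tooling), the script below reads the two `show` outputs from the validation step in the layout shown above and compares them: a reason whose observed rate sits at or near its configured limit is what a clipped flood looks like in the statistics, and the sum of observed rates against the total rate shows how much channel headroom is left. The parsing is keyed only on the column layout visible on this page; the sample outputs and all numbers in them are constructed, not taken from the page, and the `threshold`, `check` and `run_sample` names are this example's own.

```python
"""Check the two 'show' outputs from the validation step against each other.

Added example, not vendor tooling. It parses 'show cpu traffic-limit' and
'show cpu traffic-statistics receive all' in the layout shown in this section
and reports reasons whose observed rate sits at or near their configured
limit (what a clipped flood looks like) plus how much of the total rate is in
use. The sample outputs below are constructed in the page's format; the
numbers are invented.
"""
import re

LIMIT_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\d)$")    # reason  rate  class
STATS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")   # reason  count  rate
TOTAL_LINE = re.compile(r"^Total rate:\s+(\d+)")


def parse_traffic_limit(text):
    """-> ({reason: (rate_pps, class)}, total_rate). Header lines do not match."""
    limits, total = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = TOTAL_LINE.match(line)
        if m:
            total = int(m.group(1))
            continue
        m = LIMIT_LINE.match(line)
        if m:
            limits[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return limits, total


def parse_traffic_statistics(text):
    """-> {reason: (count, rate_pps)}; the 'Total' row is left out."""
    stats = {}
    for line in text.splitlines():
        m = STATS_LINE.match(line.strip())
        if m and m.group(1) != "Total":
            stats[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return stats


def check(limits, total_rate, stats, threshold=0.9):
    """Flag reasons at >= threshold of their limit, reasons with no limit line,
    and the share of the total rate the observed traffic is using."""
    saturated = [(r, rate, limits[r][0]) for r, (_c, rate) in stats.items()
                 if r in limits and limits[r][0] and rate >= threshold * limits[r][0]]
    unknown = sorted(r for r in stats if r not in limits)
    in_use = sum(rate for _c, rate in stats.values())
    return {"saturated": saturated, "unknown": unknown,
            "total_in_use": in_use, "total_rate": total_rate}


# Constructed sample outputs (page layout, invented values).
SAMPLE_LIMIT = """\
reason rate (pps) class
arp 256 1
bpdu 64 3
rip 500 3
ipda 1000 0
Total rate: 3000 (pps)
"""
SAMPLE_STATS = """\
statistics rate time is 5 second(s)
reason count(packets) rate(pps)
arp 1280 256
bpdu 10 2
rip 0 0
ipda 4990 998
other 40 8
Total 6320 1264
"""


def run_sample():
    """Parse both constructed outputs and return the comparison report."""
    limits, total = parse_traffic_limit(SAMPLE_LIMIT)
    return check(limits, total, parse_traffic_statistics(SAMPLE_STATS))


if __name__ == "__main__":
    report = run_sample()
    for reason, rate, limit in report["saturated"]:
        print(f"{reason}: {rate} pps observed against a {limit} pps limit")
    print(f"no limit line for: {report['unknown']}")
    print(f"{report['total_in_use']} of {report['total_rate']} pps in use")
```

In the constructed sample, arp and ipda are running at their limits, which is the signature to look for when the switch is under a PDU flood: the statistics counter cannot exceed the configured rate, so a reason pinned at its rate is being shaped, and the next step is to look at the ingress port or source of that traffic rather than to raise the limit. Rows such as `other` that have no counterpart in the limit table are reported separately so they are not silently skipped.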
Application cases
N/A