[F10-nsp] Rate limit ICMP on control plane traffic
Matt Hite
lists at beatmixed.com
Thu Feb 24 12:55:59 EST 2011
On Thu, Feb 24, 2011 at 4:10 AM, venkat <venkat.elex at gmail.com> wrote:
>> I'm wondering if anyone on the list has implemented a control plane
>> rate-limiting solution for ICMP similar to the Cisco one outlined in
>> "draft-ietf-opsec-protect-control-plane"? Just wondering if there is
>> an analog on Force10 kit.
>>
>>
>> http://tools.ietf.org/html/draft-dugal-opsec-protect-control-plane-02#appendix-A
> Hey Matt,
> What platform are you referring? E-series / C or S?? In-build rate limit
> for ICMP is already available to protect CP for ICMP flood.
I'm mainly concerned with the E-series. You can find mention of this
built-in rate-limiting scattered throughout various documentation (ie.
https://www.force10networks.com/csportal20/techtips/0040_highcpu.aspx).
What's not clear is if there are any knobs you can turn and their
default values. This is the best description I could find of built-in
capabilities:
Hardware Rate-Limiting
The CPU on the RPM (three CPUs on the E-Series RPM) are protected by
independent hardware and software rate-limiting mechanisms. Hardware
rate-limiting remains enabled for certain types of traffic directed to
the CPU. All traffic bound for a CPU on the RPM is classified on the
line card, where it is received and put into a particular queue based
on a pre-determined priority.
Software Rate-Limiting
Any CPU-bound traffic is subject to an additional software-controlled
scheme for rate limiting. When system monitors detect that CPU usage
has exceeded a high threshold due to a large number of inbound data
plane packets, the CPU issues a pause frame. These frames should lead
to a reduced rate of CPU-bound traffic. The pause frame mechanism is
implemented on all three CPUs of the E-Series RPM.
-M
More information about the force10-nsp
mailing list