
Mailing List Archive: nsp: force10

Rate limit ICMP on control plane traffic

 

 



lists at beatmixed

Feb 23, 2011, 6:19 PM

Post #1 of 3 (2456 views)
Rate limit ICMP on control plane traffic

Hey gang --

I'm wondering if anyone on the list has implemented a control plane
rate-limiting solution for ICMP similar to the Cisco one outlined in
"draft-ietf-opsec-protect-control-plane"? Just wondering if there is
an analog on Force10 kit.

http://tools.ietf.org/html/draft-dugal-opsec-protect-control-plane-02#appendix-A

Thanks,

-M
_______________________________________________
force10-nsp mailing list
force10-nsp [at] puck
https://puck.nether.net/mailman/listinfo/force10-nsp


venkat.elex at gmail

Feb 24, 2011, 4:10 AM

Post #2 of 3 (2383 views)
Re: Rate limit ICMP on control plane traffic [In reply to]

Hey Matt,

What platform are you referring to? E-series / C or S?? In-built rate limit
for ICMP is already available to protect CP for ICMP flood.

Thanks,
Venkat

On Thu, Feb 24, 2011 at 7:49 AM, Matt Hite <lists [at] beatmixed> wrote:

> Hey gang --
>
> I'm wondering if anyone on the list has implemented a control plane
> rate-limiting solution for ICMP similar to the Cisco one outlined in
> "draft-ietf-opsec-protect-control-plane"? Just wondering if there is
> an analog on Force10 kit.
>
>
> http://tools.ietf.org/html/draft-dugal-opsec-protect-control-plane-02#appendix-A
>
> Thanks,
>
> -M


lists at beatmixed

Feb 24, 2011, 9:55 AM

Post #3 of 3 (2328 views)
Re: Rate limit ICMP on control plane traffic [In reply to]

On Thu, Feb 24, 2011 at 4:10 AM, venkat <venkat.elex [at] gmail> wrote:

>> I'm wondering if anyone on the list has implemented a control plane
>> rate-limiting solution for ICMP similar to the Cisco one outlined in
>> "draft-ietf-opsec-protect-control-plane"? Just wondering if there is
>> an analog on Force10 kit.
>>
>>
>> http://tools.ietf.org/html/draft-dugal-opsec-protect-control-plane-02#appendix-A
> Hey Matt,
>  What platform are you referring to? E-series / C or S?? In-built rate limit
>  for ICMP is already available to protect CP for ICMP flood.

I'm mainly concerned with the E-series. You can find mention of this
built-in rate-limiting scattered throughout various documentation (i.e.
https://www.force10networks.com/csportal20/techtips/0040_highcpu.aspx).
What's not clear is if there are any knobs you can turn and their
default values. This is the best description I could find of built-in
capabilities:

Hardware Rate-Limiting

The CPU on the RPM (three CPUs on the E-Series RPM) are protected by
independent hardware and software rate-limiting mechanisms. Hardware
rate-limiting remains enabled for certain types of traffic directed to
the CPU. All traffic bound for a CPU on the RPM is classified on the
line card, where it is received and put into a particular queue based
on a pre-determined priority.

Software Rate-Limiting

Any CPU-bound traffic is subject to an additional software-controlled
scheme for rate limiting. When system monitors detect that CPU usage
has exceeded a high threshold due to a large number of inbound data
plane packets, the CPU issues a pause frame. These frames should lead
to a reduced rate of CPU-bound traffic. The pause frame mechanism is
implemented on all three CPUs of the E-Series RPM.

-M
