
lists at beatmixed
Feb 24, 2011, 9:55 AM
Re: Rate limit ICMP on control plane traffic
On Thu, Feb 24, 2011 at 4:10 AM, venkat <venkat.elex [at] gmail> wrote:
>> I'm wondering if anyone on the list has implemented a control plane
>> rate-limiting solution for ICMP similar to the Cisco one outlined in
>> "draft-ietf-opsec-protect-control-plane"? Just wondering if there is
>> an analog on Force10 kit.
>>
>>
>> http://tools.ietf.org/html/draft-dugal-opsec-protect-control-plane-02#appendix-A
> Hey Matt,
> What platform are you referring to? E-series / C or S?? In-built rate limit
> for ICMP is already available to protect CP for ICMP flood.

I'm mainly concerned with the E-series. You can find mention of this
built-in rate-limiting scattered throughout various documentation (i.e.
https://www.force10networks.com/csportal20/techtips/0040_highcpu.aspx).
What's not clear is if there are any knobs you can turn and their
default values.

This is the best description I could find of built-in capabilities:

Hardware Rate-Limiting

The CPU on the RPM (three CPUs on the E-Series RPM) are protected by
independent hardware and software rate-limiting mechanisms. Hardware
rate-limiting remains enabled for certain types of traffic directed to
the CPU. All traffic bound for a CPU on the RPM is classified on the
line card, where it is received and put into a particular queue based
on a pre-determined priority.

Software Rate-Limiting

Any CPU-bound traffic is subject to an additional software-controlled
scheme for rate limiting. When system monitors detect that CPU usage
has exceeded a high threshold due to a large number of inbound data
plane packets, the CPU issues a pause frame. These frames should lead
to a reduced rate of CPU-bound traffic. The pause frame mechanism is
implemented on all three CPUs of the E-Series RPM.

-M
_______________________________________________
force10-nsp mailing list
force10-nsp [at] puck
https://puck.nether.net/mailman/listinfo/force10-nsp