Access Request Flow
Page 38 7450 ESS System Management Guide
traffic coming in cannot be distinguished when it arrives at a rate higher than the user-
configured limit.
If the overall rate is set to 1000 pps, then as long as the total traffic that is destined to the CPM
and intended to be processed by the CPU is less than or equal to 1000 pps, all traffic will be
processed. If the rate exceeds 1000 pps, then protocol traffic is discarded (or marked as discard
eligible in the case of the out-profile-rate) and traffic on the interface is affected.
This protects all the other interfaces on the system and makes sure that a violation from one
interface does not affect the rest of the box.
The protocol-protection configuration is not a rate (just an enable/disable configuration).
When enabled, this feature causes the network processor on the CPM to discard all packets
received for protocols that are not configured on the particular interface. This helps mitigate
DoS attacks by filtering invalid control traffic before it hits the CPU. The system
automatically populates and maintains a per-interface list of configured (that is, valid)
protocols, based on the interface configuration and related settings. For example, if an interface does not have IS-IS
configured, then protocol-protection will discard any IS-IS packets received on that interface.
Some protocols are not bound to a specific interface, for example, BGP. SR-OS will discard
packets for these protocols if the protocol is not configured anywhere in the system. Note that
protection for the following protocols is achieved using the per-peer-queueing feature of
SR-OS: BGP, T-LDP, LDP, MSDP.
Protocols controlled by the protocol-protection mechanism include:
• OSPFv2
• OSPFv3
• IS-IS
• RSVP-TE
• RIP
• PIM
• MLD
• IGMP
• L2TP
• PPP
Note: If PIM or PIM snooping is not configured on any interfaces/SAPs, then all PIM packets
will be discarded. If PIM or PIM snooping is configured on an interface/SAP, then multicast
PIM messages are filtered based on PIM being enabled on that particular interface. All unicast
PIM messages are sent to the CPU to be processed.
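The following added example (not taken from the guide or from SR-OS) models the protocol-protection decision described above, including the PIM note, so that the set of protocols an interface will discard can be checked before the feature is enabled. The names `Node`, `verdict`, `dropped_on` and the sample interfaces are hypothetical, and which protocols count as not bound to an interface is an input assumed by the caller.

```python
from dataclasses import dataclass, field

# Protocols the page lists as controlled by protocol-protection.
CONTROLLED = {"OSPFv2", "OSPFv3", "IS-IS", "RSVP-TE", "RIP",
              "PIM", "MLD", "IGMP", "L2TP", "PPP"}

@dataclass
class Node:
    """Hypothetical stand-in for a router's configuration state."""
    interfaces: dict                 # interface name -> set of configured protocols
    unbound: set = field(default_factory=set)  # configured system-wide, no interface binding
    enabled: bool = True             # protocol-protection is on/off, not a rate

    def pim_anywhere(self):
        # "PIM" in a set stands for PIM or PIM snooping on that interface/SAP.
        return any("PIM" in protos for protos in self.interfaces.values())

    def verdict(self, ifname, protocol, multicast=True):
        """Return 'pass', 'discard' or 'not-covered' for one control packet."""
        if protocol not in CONTROLLED:
            return "not-covered"     # e.g. BGP, LDP: per-peer-queueing instead
        if not self.enabled:
            return "pass"
        if protocol == "PIM":
            if not self.pim_anywhere():
                return "discard"     # PIM configured nowhere: all PIM dropped
            if not multicast:
                return "pass"        # unicast PIM is always sent to the CPU
        if protocol in self.unbound:
            return "pass"            # configured somewhere in the system
        configured = self.interfaces.get(ifname, set())
        return "pass" if protocol in configured else "discard"

    def dropped_on(self, ifname):
        """Controlled protocols whose (multicast) packets this interface discards."""
        return sorted(p for p in CONTROLLED if self.verdict(ifname, p) == "discard")

# Constructed sample state, not taken from any real configuration.
# Treating L2TP as unbound is an assumption of this sample.
SAMPLE = Node(interfaces={"to-core": {"OSPFv2", "PIM"}, "to-cust": {"IGMP"}},
              unbound={"L2TP"})

if __name__ == "__main__":
    for ifname in SAMPLE.interfaces:
        print(ifname, "discards:", ", ".join(SAMPLE.dropped_on(ifname)))
```

A `pass` verdict only means protocol-protection does not drop the packet; the configured rates still apply to it.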