Security
7450 ESS System Management Guide Page 45
Distributed CPU Protection (DCP)
SR OS provides several rate limiting mechanisms to protect the CPM/CFM processing 
resources of the router:
• CPU Protection: A centralized rate limiting function that operates on the CPM to limit 
traffic destined to the CPUs. This feature is described elsewhere in this guide.
• Distributed CPU Protection: A control traffic rate limiting protection mechanism for 
the CPM/CFM that operates on the line cards (hence ‘distributed’).
Distributed CPU Protection (DCP) offers a powerful per-protocol-per-object (examples of 
objects are SAPs and network interfaces) rate limiting function for control protocol traffic that 
is extracted from the data path and sent to the CPM. Because the DCP function is implemented on 
the router line cards, it scales to large numbers of objects and allows fine-grained control.
The DCP rate limiting is configured via policies that are applied to objects (for example, 
SAPs).
The basic types of policers in DCP are:
• Enforcement Policers — An instance of a policer that polices a flow of packets 
consisting of a single protocol (or a small set of protocols) arriving on a single object (for 
example, a SAP). Enforcement policers perform a configurable action (for example, 
discard) on packets that exceed the configured rate parameters. There are two basic 
sub-types of enforcement policers:
→ Static policers — always instantiated.
→ Dynamic policers — only instantiated (allocated from a free pool of dynamic 
policers) when a local monitor detects non-conformance for a set of protocols on 
a specific object.
• Local Monitors — A policer that is primarily used to measure the conformance of a 
flow consisting of multiple protocols arriving on a single object. Local monitors are 
used as a trigger to instantiate dynamic policers.
The use of dynamic policers reduces the number of policers required to effectively monitor 
and control a set of protocols across a large set of objects: the per-protocol-per-object 
dynamic policers are instantiated only when an attack or misconfiguration occurs, and only 
for the affected objects.
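The following configuration is an added illustration of the three policer types described above (a static enforcement policer, a local monitor, and dynamic policers triggered by that monitor) and of binding the resulting policy to a SAP. It is example material written for this page, not configuration taken from the guide or from any Nokia reference. The command syntax follows the SR OS `dist-cpu-protection` CLI as the editor recalls it and must be checked against the command reference for the release in use; the policy name, policer names, rates, service ID and SAP identifier are all assumed values.

```text
# Assumed example: one DCP policy with a static policer for ARP, a local
# monitor over DHCP+ICMP, and dynamic policers for DHCP and ICMP that are
# only allocated (from the line card's free pool) on a SAP whose local
# monitor reports non-conformance.
configure
    system
        security
            dist-cpu-protection
                policy "dcp-access" create
                    description "Assumed example policy for access SAPs"
                    # Static enforcement policer: instantiated on every SAP
                    # that uses this policy, whether or not ARP is misbehaving.
                    static-policer "arp-static" create
                        rate packets 20 within 1 initial-delay 10
                        exceed-action discard
                        log-events
                    exit
                    # Local monitor: measures the combined DHCP+ICMP rate per
                    # SAP; exceeding it triggers the dynamic policers below.
                    local-monitoring-policer "dhcp-icmp-mon" create
                        rate packets 200 within 1
                        exceed-action discard
                        log-events
                    exit
                    protocol arp create
                        enforcement static "arp-static"
                    exit
                    protocol dhcp create
                        enforcement dynamic "dhcp-icmp-mon"
                        # Parameters of the per-SAP dynamic policer, used only
                        # once the monitor has detected non-conformance.
                        dynamic-parameters
                            rate packets 50 within 1
                            exceed-action discard
                            log-events
                        exit
                    exit
                    protocol icmp create
                        enforcement dynamic "dhcp-icmp-mon"
                        dynamic-parameters
                            rate packets 100 within 1
                            exceed-action discard
                            log-events
                        exit
                    exit
                exit
            exit
        exit
    exit

# Bind the policy to an object; here a VPLS SAP (service and SAP IDs assumed).
configure
    service
        vpls 100 customer 1 create
            sap 1/1/1:100 create
                dist-cpu-protection "dcp-access"
            exit
        exit
    exit
```

With this policy bound to many SAPs, each SAP consumes one static policer (ARP) and one local monitor, but no DHCP or ICMP policers. Only on a SAP where the combined DHCP+ICMP rate exceeds 200 packets per second does the line card instantiate a dynamic DHCP policer and a dynamic ICMP policer for that SAP, which is the resource saving the text above describes. Confirm the resulting policer state with the dist-cpu-protection show commands documented in this guide.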