Mailing List Archive

Rate limit ICMP on control plane traffic
Hey gang --

I'm wondering if anyone on the list has implemented a control plane
rate-limiting solution for ICMP similar to the Cisco one outlined in
"draft-ietf-opsec-protect-control-plane"? Just wondering if there is
an analog on Force10 kit.

http://tools.ietf.org/html/draft-dugal-opsec-protect-control-plane-02#appendix-A

Thanks,

-M
_______________________________________________
force10-nsp mailing list
force10-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/force10-nsp
Re: Rate limit ICMP on control plane traffic
Hey Matt,

What platform are you referring to? E-series / C or S? Built-in rate limiting
for ICMP is already available to protect the CP from ICMP floods.

Thanks,
Venkat

On Thu, Feb 24, 2011 at 7:49 AM, Matt Hite <lists@beatmixed.com> wrote:

> Hey gang --
>
> I'm wondering if anyone on the list has implemented a control plane
> rate-limiting solution for ICMP similar to the Cisco one outlined in
> "draft-ietf-opsec-protect-control-plane"? Just wondering if there is
> an analog on Force10 kit.
>
>
> http://tools.ietf.org/html/draft-dugal-opsec-protect-control-plane-02#appendix-A
>
> Thanks,
>
> -M
Re: Rate limit ICMP on control plane traffic
On Thu, Feb 24, 2011 at 4:10 AM, venkat <venkat.elex@gmail.com> wrote:

>> I'm wondering if anyone on the list has implemented a control plane
>> rate-limiting solution for ICMP similar to the Cisco one outlined in
>> "draft-ietf-opsec-protect-control-plane"? Just wondering if there is
>> an analog on Force10 kit.
>>
>>
>> http://tools.ietf.org/html/draft-dugal-opsec-protect-control-plane-02#appendix-A
> Hey Matt,
> What platform are you referring to? E-series / C or S? Built-in rate limiting
> for ICMP is already available to protect the CP from ICMP floods.

I'm mainly concerned with the E-series. You can find mention of this
built-in rate-limiting scattered throughout various documentation (i.e.
https://www.force10networks.com/csportal20/techtips/0040_highcpu.aspx).
What's not clear is if there are any knobs you can turn and their
default values. This is the best description I could find of built-in
capabilities:

Hardware Rate-Limiting

The CPU on the RPM (three CPUs on the E-Series RPM) are protected by
independent hardware and software rate-limiting mechanisms. Hardware
rate-limiting remains enabled for certain types of traffic directed to
the CPU. All traffic bound for a CPU on the RPM is classified on the
line card, where it is received and put into a particular queue based
on a pre-determined priority.

Software Rate-Limiting

Any CPU-bound traffic is subject to an additional software-controlled
scheme for rate limiting. When system monitors detect that CPU usage
has exceeded a high threshold due to a large number of inbound data
plane packets, the CPU issues a pause frame. These frames should lead
to a reduced rate of CPU-bound traffic. The pause frame mechanism is
implemented on all three CPUs of the E-Series RPM.

-M
