Additional Control Plane Traffic Protection Enhancements


The Control Plane Traffic Protection (CPTP) enhancements add a new feature that allows the user to impose rate limits on traffic that arrives on the CPU management port. When control plane traffic arrives out-of-band on the management NIC of the switch, there is currently no such protection, so excessive control plane traffic may saturate the 1G management port or starve the CPU of other critical traffic.


You can restrict the ingress traffic types on a port used as a management interface, and drop packets that exceed a configured bandwidth limit.


Netvisor One now allows you to change the settings for traffic sent to the management NIC. Currently, you can manage the following types of traffic:


  • ARP
  • ICMP
  • SSH
  • SNMP
  • Fabric
  • NFS
  • Web
  • Web-SSL
  • NET-API


This feature is disabled by default.


You can manage the settings using the following new Netvisor One commands:


CLI (network-admin@Leaf1) > cpu-mgmt-class-modify


name arp|icmp|ssh|snmp|fabric|bcast|nfs|web|web-ssl|net-api

Select the class of traffic to modify.

One or more of the following options:

rate-limit unlimited

Specify the ingress rate limit on the management port in bps or unlimited.

burst-size default

Specify the ingress traffic burst size in bytes or default.


CLI (network-admin@Leaf1) > cpu-mgmt-class-show


name arp|icmp|ssh|snmp|fabric|bcast|nfs|web|web-ssl|net-api

Displays the class of traffic.

One or more of the following options:

rate-limit unlimited

Displays the ingress rate limit on the management port in Bps or unlimited.

burst-size default

Displays the ingress traffic burst size in bytes or default.


CLI (network-admin@Leaf1) > cpu-mgmt-class-stats-settings-modify


enable|disable

Specify if you want to enable statistics collection.

interval duration: #d#h#m#s

Specify the interval duration.

disk-space disk-space-number

Specify the amount of disk space for the statistics.


CLI (network-admin@Leaf1) > cpu-mgmt-class-stats-settings-show


enable|disable

Displays if statistics collection is enabled or disabled.

interval duration: #d#h#m#s

Displays the interval duration.

disk-space disk-space-number

Displays the amount of disk space for the statistics.


CLI (network-admin@Leaf1) > cpu-mgmt-class-stats-show


time date/time: yyyy-mm-ddTHH:mm:ss

Displays the time to start collection.

start-time date/time: yyyy-mm-ddTHH:mm:ss

Displays the start time of collection.

end-time date/time: yyyy-mm-ddTHH:mm:ss

Displays the end time of collection.

duration duration: #d#h#m#s

Displays the duration of collection.

interval duration: #d#h#m#s

Displays the interval between collections.

since-start

Displays the statistics collected since the start time.

older-than duration: #d#h#m#s

Displays the statistics older than the specified time.

within-last duration: #d#h#m#s

Displays the statistics collected within the last specified duration.

name arp|icmp|ssh|snmp|fabric|bcast|nfs|web|web-ssl|net-api

Displays the CPU management class.

in-bytes in-bytes-number

Displays the ingress bytes processed.

in-pkts in-pkts-number

Displays the ingress packets processed.

drop-pkts drop-pkts-number

Displays the number of ingress packets dropped.


CLI (network-admin@Leaf1) > cpu-mgmt-class-show


name    rate-limit
------- ----------
arp     unlimited
icmp    unlimited
ssh     unlimited
snmp    unlimited
fabric  unlimited
bcast   unlimited
nfs     unlimited
web     unlimited
web-ssl unlimited
net-api unlimited

 

CLI (network-admin@Leaf1) > cpu-mgmt-class-stats-show

 

switch   name    in-bytes in-pkts drop-pkts
-------- ------- -------- ------- ---------
dorado05 arp     0        0       0
dorado05 icmp    0        0       0
dorado05 ssh     0        0       0
dorado05 snmp    0        0       0
dorado05 fabric  0        0       0
dorado05 bcast   0        0       0
dorado05 nfs     0        0       0
dorado05 web     0        0       0
dorado05 web-ssl 0        0       0
dorado05 net-api 0        0       0
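
The following script is an added example, not part of Netvisor One or its documentation. It parses statistics output in the column layout shown above and reports the traffic classes whose packets are being dropped on the management port. The sample counters, the function names, and the 1% threshold are assumptions made for illustration.

```python
# Constructed sample in the column layout of the statistics output shown
# above; the counter values are invented for illustration.
SAMPLE = """\
switch   name    in-bytes in-pkts drop-pkts
-------- ------- -------- ------- ---------
dorado05 arp     84000    1400    0
dorado05 icmp    9800000  100000  25000
dorado05 ssh     512000   4000    0
dorado05 snmp    0        0       0
dorado05 web-ssl 2048000  16000   320
"""

COUNTERS = ("in-bytes", "in-pkts", "drop-pkts")

def parse_stats(text):
    """Parse the whitespace-aligned table into a list of dicts."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    header = lines[0].split() if lines else []
    rows = []
    for line in lines[1:]:
        if set(line) <= set("- "):      # separator row of dashes
            continue
        fields = line.split()
        if len(fields) != len(header):  # truncated or malformed row
            continue
        try:
            row = dict(zip(header, fields))
            row.update({key: int(row[key]) for key in COUNTERS})
        except (KeyError, ValueError):  # missing column or non-integer counter
            continue
        rows.append(row)
    return rows

def policed_classes(rows, min_ratio=0.01):
    """Return (switch, class, drop ratio) where drop-pkts / in-pkts >= min_ratio."""
    hits = []
    for row in rows:
        seen = row["in-pkts"]
        # Assumption: in-pkts counts every arriving packet, dropped ones included.
        ratio = row["drop-pkts"] / seen if seen else 0.0
        if row["drop-pkts"] and ratio >= min_ratio:
            hits.append((row["switch"], row["name"], round(ratio, 4)))
    return sorted(hits, key=lambda h: h[2], reverse=True)

if __name__ == "__main__":
    for switch, name, ratio in policed_classes(parse_stats(SAMPLE)):
        print(f"{switch}: class {name} dropped {ratio:.1%} of ingress packets")
```

A class that appears in the result is exceeding its configured rate-limit, which points either to a flood of that traffic type on the management NIC or to a limit set too low for normal load.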