cpu-class-create

Netvisor’s CPU Control Packet Processing Protection feature allows the CPU control packet processing path to be protected against misbehaving and malicious hosts or end-points that may flood control protocol packets. This is also called “CPU hog protection”.

If a host floods a control protocol packet, it floods the to-cpu queue. This prevents lower-rate packets from valid senders from reaching Netvisor, resulting in traffic loss for those hosts. Typically a traffic loss occurs for other hosts on the network. Netvisor can process large streams of both valid and malformed protocol packets for various protocols.

Syntax   cpu-class-create


name name-string

Specify a name for the CPU class.

scope local|fabric

Specify the scope as local or fabric.

rate-limit rate-limit-number

Specify the cap for the rate limit.

hog-protect disable|enable|enable-and-drop

Specify if you want to enable, enable and drop packets, or disable hog protection.

Defaults   None

Access   Network Administrator

History   Command introduced in Version 2.6.0.

Usage   Use this command to create CPU protection.

Examples  To create a CPU protection class for the local subnet, use the following syntax:

CLI network-admin@switch > cpu-class-create name local-subnet scope local rate-limit 100 hog-protect enable-and-drop

cpu-class-delete

Netvisor’s CPU Control Packet Processing Protection feature allows the CPU control packet processing path to be protected against misbehaving and malicious hosts or end-points that may flood control protocol packets. This is also called “CPU hog protection”.

If a host floods a control protocol packet, it floods the to-cpu queue. This prevents lower-rate packets from valid senders from reaching Netvisor, resulting in traffic loss for those hosts. Typically a traffic loss occurs for other hosts on the network. Netvisor can process large streams of both valid and malformed protocol packets for various protocols.

Syntax   cpu-class-delete


name name-string

Specify a name for the CPU class.

Defaults   None

Access   Network Administrator

History   Command introduced in Version 2.6.0.

Usage   Use this command to delete CPU protection.

Examples  To delete a CPU protection class for the local subnet, use the following syntax:

CLI network-admin@switch > cpu-class-delete name local-subnet

cpu-class-modify

Netvisor’s CPU Control Packet Processing Protection feature allows the CPU control packet processing path to be protected against misbehaving and malicious hosts or end-points that may flood control protocol packets. This is also called “CPU hog protection”.

If a host floods a control protocol packet, it floods the to-cpu queue. This prevents lower-rate packets from valid senders from reaching Netvisor, resulting in traffic loss for those hosts. Typically a traffic loss occurs for other hosts on the network. Netvisor can process large streams of both valid and malformed protocol packets for various protocols.

Syntax   cpu-class-modify

name name-string

Specify a name for the CPU class.

scope local|fabric

Specify the scope as local or fabric.

rate-limit rate-limit-number

Specify the cap for the rate limit.

hog-protect disable|enable|enable-and-drop

Specify if you want to enable, enable and drop packets, or disable hog protection.

Defaults   None

Access   Network Administrator

History   Command introduced in Version 2.6.0.

Usage   Use this command to modify CPU protection.

Examples  To modify a CPU protection class for the local subnet to rate limit 1000, use the following syntax:

CLI network-admin@switch > cpu-class-modify name local-subnet rate-limit 1000

cpu-class-show

Netvisor’s CPU Control Packet Processing Protection feature allows the CPU control packet processing path to be protected against misbehaving and malicious hosts or end-points that may flood control protocol packets. This is also called “CPU hog protection”.

If a host floods a control protocol packet, it floods the to-cpu queue. This prevents lower-rate packets from valid senders from reaching Netvisor, resulting in traffic loss for those hosts. Typically a traffic loss occurs for other hosts on the network. Netvisor can process large streams of both valid and malformed protocol packets for various protocols.

Syntax   cpu-class-show

name name-string

Displays the name for the CPU class.

scope local|fabric

Displays the scope as local or fabric.

rate-limit rate-limit-number

Displays the cap for the rate limit.

hog-protect disable|enable|enable-and-drop

Displays if you want to enable, enable and drop packets, or disable hog protection.

hog-protect-support|no-hog-protect-support

Displays if hog protection is supported or not.

queue queue-number

Displays the queue number.

Defaults   None

Access   Network Administrator

History   Command introduced in Version 2.6.0.

Usage   Use this command to display information about CPU class configurations.

Examples  To display CPU class configurations, use the following syntax:

CLI network-admin@switch > cpu-class-show

switch     name             scope rate-limit hog-protect hog-protect-support queue
---------- ---------------- ----- ---------- ----------- ------------------- -----
aquarius06 dmac-miss        local 1000       disable     none                1
aquarius06 smac-miss        local 1000       disable     none                2
aquarius06 l3-miss          local 1000       disable     none                3
aquarius06 ttl1             local 1000       disable     none                4
aquarius06 stp              local 1000       disable     supported           5
aquarius06 lacp             local 1000       disable     supported           6
aquarius06 system-d         local 1000       disable     none                7
aquarius06 dmac-miss        local 1000       disable     none                8
aquarius06 smac-miss        local 1000       disable     none                9
aquarius06 l3-miss          local 1000       disable     none                10
aquarius06 ttl1             local 1000       disable     none                11
aquarius06 stp              local 1000       disable     supported           12
aquarius06 lacp             local 1000       disable     supported           13
aquarius06 system-d         local 1000       disable     none                14
aquarius06 igmp             local 1000       disable     none                15
aquarius06 bcast            local 1000       disable     none                16
aquarius06 icmpv6           local 1000       disable     none                17
aquarius06 tcp-analytics    local 1000       disable     none                18
aquarius06 kpalv            local 1000       disable     none                19
aquarius06 ecp              local 1000       disable     none                20
aquarius06 arp              local 1000       disable     supported           21
aquarius06 lldp             local 1000       disable     supported           22
aquarius06 vport-stats      local 1000       disable     none                23
aquarius06 dhcp             local 1000       disable     none                24
aquarius06 pim              local 1000       disable     none                25
aquarius06 local-subnet     local 1000       disable     supported           26
aquarius06 bgp              local 1000       disable     supported           27
aquarius06 ospf             local 1000       disable     supported           28
aquarius06 bfd              local 1000       disable     supported           29
aquarius06 vrrp             local 1000       disable     supported           30
aquarius06 cluster-control  local 5000       disable     none                31
aquarius06 control          local 5000       disable     none                32
aquarius06 hog-arp          local 100        disable     none                33
aquarius06 hog-ospf         local 100        disable     none                34
aquarius06 hog-bgp          local 100        disable     none                35
aquarius06 hog-bfd          local 100        disable     none                36
aquarius06 hog-lacp         local 100        disable     none                37
aquarius06 hog-stp          local 100        disable     none                38
aquarius06 hog-vrrp         local 100        disable     none                39
aquarius06 hog-lldp         local 100        disable     none                40
aquarius06 hog-local-subnet local 100        disable     none                41
aquarius06 dhcp-log-drop    local 1000       disable     none                42

cpu-class-settings-modify

Netvisor’s CPU Control Packet Processing Protection feature allows the CPU control packet processing path to be protected against misbehaving and malicious hosts or end-points that may flood control protocol packets. This is also called “CPU hog protection”.

If a host floods a control protocol packet, it floods the to-cpu queue. This prevents lower-rate packets from valid senders from reaching Netvisor, resulting in traffic loss for those hosts. Typically a traffic loss occurs for other hosts on the network. Netvisor can process large streams of both valid and malformed protocol packets for various protocols.

Syntax   cpu-class-settings-modify

hog-checker-interval hog-checker-interval-number (ms)

Specify the hog checking interval in milliseconds.

hog-max-hosts-per-class hog-max-hosts-per-class-number

Specify the maximum number of active hosts tracked per CPU class.

hog-max-violators-per-port hog-max-violators-per-port-number

Specify the maximum number of hog violators per port.

hog-warning-threshold hog-warning-threshold-number

Specify the hog warning threshold.

hog-violator-timeout hog-violator-timeout-number (s)

Specify the timeout before restoring the hog violator to normal queue after an idle state.

Defaults   None

Access   Network Administrator

History   Command introduced in Version 2.6.0.

Usage   Use this command to modify statistics settings for CPU class.

Examples  To modify CPU class settings for hog-checker-interval from 100 to 150, use the following syntax:

CLI network-admin@switch > cpu-class-settings-modify hog-checker-interval 150

cpu-class-settings-show

The Netvisor OS CPU Control Packet Processing Protection feature allows the CPU control packet processing path to be protected against misbehaving and malicious hosts or end-points that may flood control protocol packets. This is also called “CPU hog protection”.

If a host floods a control protocol packet, it floods the to-cpu queue. This prevents lower-rate packets from valid senders from reaching Netvisor, resulting in traffic loss for those hosts. Typically a traffic loss occurs for other hosts on the network. Netvisor can process large streams of both valid and malformed protocol packets for various protocols.

Syntax   cpu-class-settings-show

hog-checker-interval hog-checker-interval-number (ms)

Specify the hog checking interval in milliseconds.

hog-max-hosts-per-class hog-max-hosts-per-class-number

Specify the maximum number of active hosts tracked per CPU class.

hog-max-violators-per-port hog-max-violators-per-port-number

Specify the maximum number of hog violators per port.

hog-warning-threshold hog-warning-threshold-number

Specify the hog warning threshold.

hog-violator-timeout hog-violator-timeout-number (s)

Specify the timeout before restoring the hog violator to normal queue after an idle state.

Defaults   None

Access   Network Administrator

History   Command introduced in Version 2.6.0.

Usage   Use this command to display statistic settings for CPU hog protection.

Examples  To display statistic settings for CPU hog protection, use the following syntax:

CLI network-admin@switch > cpu-class-settings-show

switch:                     Spine01
hog-checker-interval(ms):   100
hog-max-hosts-per-class:    500
hog-max-violators-per-port: 50
hog-warning-threshold:      5
hog-violator-timeout(s):    20

cpu-class-stats-clear

The Netvisor OS CPU Control Packet Processing Protection feature allows the CPU control packet processing path to be protected against misbehaving and malicious hosts or end-points that may flood control protocol packets. This is also called “CPU hog protection”.

If a host floods a control protocol packet, it floods the to-cpu queue. This prevents lower-rate packets from valid senders from reaching Netvisor, resulting in traffic loss for those hosts. Typically a traffic loss occurs for other hosts on the network. Netvisor can process large streams of both valid and malformed protocol packets for various protocols.

Syntax   cpu-class-stats-clear

name name-string

Specify the name of the CPU class to clear statistics.

cos cos-number

Clear the CoS value for the CPU class.

hw-out-pkts hw-out-pkts-number

Clear the hardware transmitted packet count.

hw-drop-pkts hw-drop-pkts-number

Clear the number of hardware dropped packets.

sw-pkts sw-pkts-number

Clear the number of packets processed in software.

sw-drops-pkts sw-drops-pkts-number

Clear the number of packets dropped in software because the queue is full.

hog-violations hog-violations-number

Clear the number of hog protection host violations in which the host was moved to a separate queue.

hog-warnings hog-warnings-number

Clear the number of hog protection delegated bandwidth warnings.

hog-hosts-in hog-hosts-in-number

Clear the number of added hosts for hog protection.

hog-hosts-out hog-hosts-out-number

Clear the number of hosts removed from hog protection.

hog-max-hosts-drops hog-max-hosts-drops-number

Clear the number of dropped hosts with hog protection because the maximum number of hosts is reached.


Defaults   None

Access   Network Administrator

History   Command introduced in Version 2.6.0.

Usage   Use this command to clear statistics for CPU hog protection.

Examples  To clear statistics for CPU hog protection, use the following syntax:

CLI network-admin@switch > cpu-class-stats-clear

cpu-class-stats-show

The Netvisor OS CPU Control Packet Processing Protection feature allows the CPU control packet processing path to be protected against misbehaving and malicious hosts or end-points that may flood control protocol packets. This is also called “CPU hog protection”.

If a host floods a control protocol packet, it floods the to-cpu queue. This prevents lower-rate packets from valid senders from reaching Netvisor, resulting in traffic loss for those hosts. Typically a traffic loss occurs for other hosts on the network. Netvisor can process large streams of both valid and malformed protocol packets for various protocols.

Syntax   cpu-class-stats-show

name name-string

Specify the name of the CPU class to display statistics for.

cos cos-number

Displays the CoS value for the CPU class.


Defaults   None

Access   Network Administrator

History   Command introduced in Version 2.6.0.

Usage   Use this command to display statistics for CPU hog protection.

Examples  To display statistics for CPU hog protection, use the following syntax:

CLI network-admin@switch > cpu-class-stats-show

switch:                     Spine01
hog-checker-interval(ms):   100
hog-max-hosts-per-class:    500
hog-max-violators-per-port: 50
hog-warning-threshold:      5
hog-violator-timeout(s):    20

cpu-mgmt-class-modify

Informational Note: This feature is supported on the following platforms:

Freedom Series  Edge-Core Series  Dell Series
--------------  ----------------  -----------
F9272-X         AS5512-54X        S6010-ON
F9232-C         AS6712-32X        Z9100-ON
F9372-T



Control Plane Traffic Protection (CPTP) refers to a new feature that allows the user to impose rate limits on the flow of traffic that arrives on the CPU management port. When control plane traffic arrives out-of-band on the management NIC of the switch, there is currently no such protection. There is the possibility that excessive control plane traffic may saturate the 1G management port or starve the CPU of other critical traffic.

Syntax   cpu-mgmt-class-modify

name arp|icmp|ssh|snmp|fabric|bcast|nfs|web|web-ssl|net-api

Select the class of traffic to modify.

Specify one or more of the following options:

rate-limit unlimited

Specify the ingress rate limit on the management port in Bps or unlimited.

burst-size default

Specify the ingress traffic burst size in bytes or default.

Defaults   Disabled by default.

Access   Network Administrator

History   Command introduced in Version 3.0.0.

Usage   Use this command to modify management services to the CPU configuration.

Examples  To modify the rate limit for ARP traffic to 100 Bps, use the following syntax:

CLI network-admin@switch > cpu-mgmt-class-modify name arp rate-limit 100 Bps

cpu-mgmt-class-show

Control Plane Traffic Protection (CPTP) refers to a new feature that allows the user to impose rate limits on the flow of traffic that arrives on the CPU management port. When control plane traffic arrives out-of-band on the management NIC of the switch, there is currently no such protection. There is the possibility that excessive control plane traffic may saturate the 1G management port or starve the CPU of other critical traffic.

Syntax   cpu-mgmt-class-show

name arp|icmp|ssh|snmp|fabric|bcast|nfs|web|web-ssl|net-api

Displays the class of traffic.

Specify one or more of the following options:

rate-limit unlimited

Displays the ingress rate limit on the management port in Bps or unlimited.

burst-size default

Displays the ingress traffic burst size in bytes or default.

Defaults   None

Access   Network Administrator

History   Command introduced in Version 3.0.0.

Usage   Use this command to display information about CPU traffic management.

Examples  To display information about CPU management, use the following syntax:

CLI network-admin@switch > cpu-mgmt-class-show

switch  name    rate-limit
------- ------- ----------
draco07 arp     unlimited
draco07 icmp    unlimited
draco07 ssh     unlimited
draco07 snmp    unlimited
draco07 fabric  unlimited
draco07 bcast   unlimited
draco07 nfs     unlimited
draco07 web     unlimited
draco07 web-ssl unlimited
draco07 net-api unlimited
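The following audit script is an added example, not part of the Netvisor documentation. It parses pasted `cpu-class-show` and `cpu-mgmt-class-show` output in the table layout shown on this page and lists CPU classes where hog protection is supported but disabled, and management classes with no rate limit. The function names are hypothetical, and the sample rows are abridged from the example outputs above.

```python
"""Audit Netvisor CPU protection settings from pasted *-show table output."""

# Sample rows abridged from the example outputs on this page.
CPU_CLASS_SHOW = """\
switch     name             scope rate-limit hog-protect hog-protect-support queue
---------- ---------------- ----- ---------- ----------- ------------------- -----
aquarius06 dmac-miss        local 1000       disable     none                1
aquarius06 stp              local 1000       disable     supported           5
aquarius06 arp              local 1000       disable     supported           21
aquarius06 bgp              local 1000       disable     supported           27
aquarius06 hog-arp          local 100        disable     none                33
"""

CPU_MGMT_CLASS_SHOW = """\
switch  name    rate-limit
------- ------- ----------
draco07 arp     unlimited
draco07 ssh     unlimited
draco07 snmp    unlimited
"""


def parse_table(text):
    """Parse a header line, a dashed separator and data rows into dicts.

    Assumption: no field value contains whitespace, which holds for the
    outputs shown on this page. Blank lines between rows are ignored.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    sep = next((i for i, ln in enumerate(lines)
                if set(ln.strip()) <= {"-", " "}), None)
    if not sep:  # None (no separator) or 0 (no header above it)
        raise ValueError("no header/separator pair found")
    header = lines[sep - 1].split()
    rows = []
    for ln in lines[sep + 1:]:
        fields = ln.split()
        if len(fields) != len(header):
            raise ValueError(f"unexpected row: {ln!r}")
        rows.append(dict(zip(header, fields)))
    return rows


def unprotected_classes(rows):
    """CPU classes that support hog protection but have it disabled."""
    return [(r["switch"], r["name"]) for r in rows
            if r["hog-protect-support"] == "supported"
            and r["hog-protect"] == "disable"]


def unlimited_mgmt_classes(rows):
    """Management-port traffic classes with no ingress rate limit."""
    return [(r["switch"], r["name"]) for r in rows
            if r["rate-limit"] == "unlimited"]


if __name__ == "__main__":
    for sw, name in unprotected_classes(parse_table(CPU_CLASS_SHOW)):
        print(f"{sw}: class {name} supports hog protection but it is disabled")
    for sw, name in unlimited_mgmt_classes(parse_table(CPU_MGMT_CLASS_SHOW)):
        print(f"{sw}: management class {name} has no rate limit")
```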

cpu-mgmt-class-stats-settings-modify

This command is used to modify the settings for statistics collection.

Syntax   cpu-mgmt-class-stats-settings-modify

enable|disable

Specify if you want to enable statistics collection.

interval duration: #d#h#m#s

Specify the interval duration.

disk-space disk-space-number

Specify the amount of disk space for the statistics.

Defaults   Disabled.

Access   Network Administrator

History   Command introduced in Version 3.0.0.

Usage   Use this command to modify a CPU management class statistics collection configuration.

Examples  To enable statistics collection for the CPU management class configuration, use the following syntax:

CLI network-admin@switch > cpu-mgmt-class-stats-settings-modify enable

cpu-mgmt-class-stats-settings-show

This command is used to display the settings for statistics collection.

Syntax   cpu-mgmt-class-stats-settings-show

Defaults   None.

Access   Network Administrator

History   Command introduced in Version 3.0.0.

Usage   Use this command to display statistics collection settings.

Examples  To display statistics collection settings, use the following syntax:

CLI network-admin@switch > cpu-mgmt-class-stats-settings-show

switch:     draco07
enable:     yes
interval:   30m
disk-space: 50M

cpu-mgmt-class-stats-show

This command is used to display CPU management class statistics.

Syntax   cpu-mgmt-class-stats-show

time date/time: yyyy-mm-ddTHH:mm:ss

Displays the time to start collection.

start-time date/time: yyyy-mm-ddTHH:mm:ss

Displays the start time of collection.

end-time date/time: yyyy-mm-ddTHH:mm:ss

Displays the end time of collection.

duration duration: #d#h#m#s

Displays the duration of collection.

interval duration: #d#h#m#s

Displays the interval between collection.

since-start

Displays the statistics collected since the start time.

older-than duration: #d#h#m#s

Displays the statistics older than the specified time.

within-last duration: #d#h#m#s

Displays the statistics collected within the last specified duration.

name arp|icmp|ssh|snmp|fabric|bcast|nfs|web|web-ssl|net-api

Displays the CPU management class.

in-bytes in-bytes-number

Displays the ingress bytes processed.

in-pkts in-pkts-number

Displays the ingress packets processed.

drop-pkts drop-pkts-number

Displays the number of ingress packets dropped.

Defaults   None

Access   Network Administrator

History   Command introduced in Version 3.0.0.

Usage   Use this command to display CPU management class statistics.

Examples  To display statistics, use the following syntax:

CLI network-admin@switch > cpu-mgmt-class-stats-show

switch  name    in-bytes in-pkts drop-pkts
------- ------- -------- ------- ---------
draco07 arp     0        0       0
draco07 icmp    0        0       0
draco07 ssh     0        0       0
draco07 snmp    0        0       0
draco07 fabric  0        0       0
draco07 bcast   0        0       0
draco07 nfs     0        0       0
draco07 web     0        0       0
draco07 web-ssl 0        0       0
draco07 net-api 0        0       0