Configuring Advanced Control Plane Traffic Protection

To configure this feature, you must first enable it using the system-settings-modify command. The command syntax is:

CLI (network-admin@switch) > system-settings-modify cpu-class-enable|no-cpu-class-enable

After you enable Advanced Control Plane Traffic Protection (with the cpu-class-enable option), Netvisor ONE prompts you to restart the switch with the following message:

Note: nvOSd must be restarted for this setting to take effect.

The same message is also printed when the feature is disabled (with the no-cpu-class-enable option).

Note: The alternative 8-queue mode described in the previous section is applied to the main control plane communication channel when system-settings-modify is set to no-cpu-class-enable. Advanced Control Plane Traffic Protection support is hardware dependent and may not be available on all switch models.

To show the pre-configured Advanced Control Plane Traffic Protection classes, you can use the cpu-class-show command:

CLI (network-admin@switch) > cpu-class-show format all count-output 

name               scope rate-limit hog-protect hog-protect-support buffer-pool-ratio queue 

------------------ ----- ---------- ----------- ------------------- ----------------- ----- 

class0             local 3000       disable     none                3                 0     

dmac-miss          local 1000       disable     none                3                 1     

smac-miss          local 1000       disable     none                3                 2     

l3-miss            local 1000       disable     none                3                 3     

l2mc-miss          local 3000       disable     none                3                 4     

ttl1               local 1000       disable     none                3                 5     

stp                local 1000       disable     supported           3                 6     

lacp               local 1000       disable     supported           3                 7     

system-d           local 1000       disable     none                3                 8     

igmp               local 1000       disable     supported           3                 9     

bcast              local 1000       disable     none                3                 10    

icmpv6             local 1000       disable     supported           3                 11    

tcp-analytics      local 1000       disable     none                3                 12    

kpalv              local 1000       disable     none                3                 13    

ecp                local 1000       disable     none                3                 14    

arp                local 3000       disable     supported           3                 15    

lldp               local 1000       disable     supported           3                 16    

dhcp               local 1000       disable     none                3                 17    

pim                local 1000       disable     supported           3                 18    

local-subnet       local 1000       disable     supported           3                 19    

bgp                local 1000       disable     supported           3                 20    

ospf               local 1000       disable     supported           3                 21    

bfd                local 1000       disable     supported           3                 22    

vrrp               local 1000       disable     supported           3                 23    

control            local 3000       disable     none                3                 24    

dhcp-log-drop      local 1000       disable     none                3                 25    

http-rest          local 3000       disable     none                3                 26    

vport-messages     local 1000       disable     supported           3                 27    

hog-arp            local 100        disable     none                1                 28    

hog-ospf           local 100        disable     none                1                 29    

hog-bgp            local 100        disable     none                1                 30    

hog-bfd            local 100        disable     none                1                 31    

hog-lacp           local 100        disable     none                1                 32    

hog-stp            local 100        disable     none                1                 33    

hog-vrrp           local 100        disable     none                1                 34    

hog-lldp           local 100        disable     none                1                 35    

hog-local-subnet   local 100        disable     none                1                 36    

hog-igmp           local 100        disable     none                1                 37    

hog-pim            local 100        disable     none                1                 38    

hog-icmpv6         local 100        disable     none                1                 39    

hog-vport-messages local 100        disable     none                1                 40

Count: 41

This command shows the different categories of control plane traffic that get protected by this feature (for example, smac-miss and dmac-miss for MAC address learning as part of the vPort database entry creation; or stplacp, and lldp for the Layer 2 protocol classes, etc.). It also shows the respective default rate-limit values (in packets per second), the queue numbers (0-42, where some queue numbers are unused by default) and also whether or not each class supports auto-quarantine (hog-protect-support).

Auto-quarantine queues are labeled with a special name hog-<class name>, such as: hog-arp, hog-ospf, hog-bgp, hog-bfd, hog-lacp, hog-stp, hog-vrrp, hog-lldp, hog-local-subnet, hog-igmp, hog-pim, hog-icmpv6.

Note: Starting with Netvisor ONE version 6.0.0, on certain platforms only (due to hardware dependencies) the l2mc-miss class is available to control the rate of incoming unknown multicast packets when Multicast Fabric VRFs are used. Supported platforms are the Dell S4100 and S5200 Series.

Note: Starting from Netvisor ONE release 5.1.0 two new queues, one for CPU-bound REST API traffic (TCP port 80 and 443) and another for vPort database-related messages (UDP port 23398), are added with the names: http-rest and vport-messages. The default rate-limit values are set to 3000 pps and 1000 pps respectively. An auto-quarantine queue is added for the latter: hog-vport-messages

Furthermore, starting from Netvisor ONE release 5.1.0 the default rate-limit values for arp and control have been conservatively lowered to 3000. When upgrading to this release, existing user configuration changes will be honored; however, in the absence of user modified values, the old default values will be replaced with the new more conservative ones.

Note: The total number of CPU classes available for CPTP is limited by the hardware. In case of conflict, system-created CPU classes are prioritized over user-defined ones at bootup.  Given that, if all available classes are used up, some user-defined classes will not persist across an upgrade if more system classes are added in the new release. In such cases, users should account for any (potential) CPTP system class differences between releases while planning an upgrade.

Settings of pre-configured system classes (except the catch-all class 0) can be modified with the following command:

CLI (network-admin@switch) > cpu-class-modify


Modify a CPU class.

name name-string 

Specify the name of the CPU class.

Specify one of more of the following options

rate-limit rate-limit-number

Specify the cap for the rate limit.

hog-protect disable|enable|enable-and-drop

Specify if you want to enable, enable and drop packets, or disable hog protection.

Note: Starting from Netvisor ONE release 5.1.0 the default cos0-rate value is set to 3000 pps automatically when Advanced CPTP is enabled.

Starting with Netvisor ONE release 5.1.1, the class0 rate can be configured by using the following command:

CLI (network-admin@switch) > cpu-class-modify name class0 rate-limit <rate>