Configuring Advanced Control Plane Traffic Protection
To configure this feature, you must first enable it using the system-settings-modify command. The command syntax is:
CLI (network-admin@switch) > system-settings-modify cpu-class-enable|no-cpu-class-enable
After you enable Advanced Control Plane Traffic Protection (with the cpu-class-enable option), Netvisor ONE prompts you to restart the switch with the following message:
Note: nvOSd must be restarted for this setting to take effect.
The same message is also printed when the feature is disabled (with the no-cpu-class-enable option).
Note: The alternative 8-queue mode described in the previous section is applied to the main control plane communication channel when system-settings-modify is set to no-cpu-class-enable. Advanced Control Plane Traffic Protection support is hardware dependent and may not be available on all switch models.
To show the pre-configured Advanced Control Plane Traffic Protection classes, you can use the cpu-class-show command:
CLI (network-admin@switch) > cpu-class-show format all count-output
name scope rate-limit hog-protect hog-protect-support buffer-pool-ratio queue
------------------ ----- ---------- ----------- ------------------- ----------------- -----
class0 local 3000 disable none 3 0
dmac-miss local 1000 disable none 3 1
smac-miss local 1000 disable none 3 2
l3-miss local 1000 disable none 3 3
l2mc-miss local 3000 disable none 3 4
ttl1 local 1000 disable none 3 5
stp local 1000 disable supported 3 6
lacp local 1000 disable supported 3 7
system-d local 1000 disable none 3 8
igmp local 1000 disable supported 3 9
bcast local 1000 disable none 3 10
icmpv6 local 1000 disable supported 3 11
tcp-analytics local 1000 disable none 3 12
kpalv local 1000 disable none 3 13
ecp local 1000 disable none 3 14
arp local 3000 disable supported 3 15
lldp local 1000 disable supported 3 16
dhcp local 1000 disable none 3 17
pim local 1000 disable supported 3 18
local-subnet local 1000 disable supported 3 19
bgp local 1000 disable supported 3 20
ospf local 1000 disable supported 3 21
bfd local 1000 disable supported 3 22
vrrp local 1000 disable supported 3 23
control local 3000 disable none 3 24
dhcp-log-drop local 1000 disable none 3 25
http-rest local 3000 disable none 3 26
vport-messages local 1000 disable supported 3 27
hog-arp local 100 disable none 1 28
hog-ospf local 100 disable none 1 29
hog-bgp local 100 disable none 1 30
hog-bfd local 100 disable none 1 31
hog-lacp local 100 disable none 1 32
hog-stp local 100 disable none 1 33
hog-vrrp local 100 disable none 1 34
hog-lldp local 100 disable none 1 35
hog-local-subnet local 100 disable none 1 36
hog-igmp local 100 disable none 1 37
hog-pim local 100 disable none 1 38
hog-icmpv6 local 100 disable none 1 39
hog-vport-messages local 100 disable none 1 40
Count: 41
This command shows the different categories of control plane traffic that get protected by this feature (for example, smac-miss and dmac-miss for MAC address learning as part of the vPort database entry creation; or stp, lacp, and lldp for the Layer 2 protocol classes, etc.). It also shows the respective default rate-limit values (in packets per second), the queue numbers (0-42, where some queue numbers are unused by default) and also whether or not each class supports auto-quarantine (hog-protect-support).
Auto-quarantine queues are labeled with a special name hog-<class name>, such as: hog-arp, hog-ospf, hog-bgp, hog-bfd, hog-lacp, hog-stp, hog-vrrp, hog-lldp, hog-local-subnet, hog-igmp, hog-pim, hog-icmpv6.
Note: Starting with Netvisor ONE version 6.0.0, on certain platforms only (due to hardware dependencies) the l2mc-miss class is available to control the rate of incoming unknown multicast packets when Multicast Fabric VRFs are used. Supported platforms are the Dell S4100 and S5200 Series.
Note: Starting from Netvisor ONE release 5.1.0 two new queues, one for CPU-bound REST API traffic (TCP port 80 and 443) and another for vPort database-related messages (UDP port 23398), are added with the names: http-rest and vport-messages. The default rate-limit values are set to 3000 pps and 1000 pps respectively. An auto-quarantine queue is added for the latter: hog-vport-messages.
Furthermore, starting from Netvisor ONE release 5.1.0 the default rate-limit values for arp and control have been conservatively lowered to 3000. When upgrading to this release, existing user configuration changes will be honored; however, in the absence of user modified values, the old default values will be replaced with the new more conservative ones.
Note: The total number of CPU classes available for CPTP is limited by the hardware. In case of conflict, system-created CPU classes are prioritized over user-defined ones at bootup. Given that, if all available classes are used up, some user-defined classes will not persist across an upgrade if more system classes are added in the new release. In such cases, users should account for any (potential) CPTP system class differences between releases while planning an upgrade.
Settings of pre-configured system classes (except the catch-all class 0) can be modified with the following command:
CLI (network-admin@switch) > cpu-class-modify
|
cpu-class-modify |
Modify a CPU class. |
|
name name-string |
Specify the name of the CPU class. |
|
Specify one of more of the following options |
|
|
rate-limit rate-limit-number |
Specify the cap for the rate limit. |
|
hog-protect disable|enable|enable-and-drop |
Specify if you want to enable, enable and drop packets, or disable hog protection. |
Note: Starting from Netvisor ONE release 5.1.0 the default cos0-rate value is set to 3000 pps automatically when Advanced CPTP is enabled.
Starting with Netvisor ONE release 5.1.1, the class0 rate can be configured by using the following command:
CLI (network-admin@switch) > cpu-class-modify name class0 rate-limit <rate>