[Insider Sharing] How to deal with CPU defend discards for control plane protocols

Created Jul 30, 2014 21:06:09 | Latest reply Jul 30, 2014 21:32:44

Hi Guys, 


From time to time, in the log buffer, you will see messages like the one below, telling you that some protocol packets were discarded because they exceeded the CPCAR:


xx xxxxxxxxxx %%01DEFD/6/CPCAR_DROP_LPU(l)[32]:Rate of packets to cpu exceeded the CPCAR limit on the LPU in slot 1. (Protocol=ospf, ExceededPacketCount=010)


So where does CPCAR come from?


Control Plane Committed Access Rate (CPCAR) limits the rate of protocol packets sent to the control plane and schedules the packets to protect the control plane. CPCAR provides hierarchical device protection: rate limiting based on protocols, scheduling and rate limiting based on queues, and rate limiting for all packets.


How it works?

If the traffic volume of one protocol is too large, other protocol packets cannot be processed in time. CPCAR supports setting a Committed Information Rate (CIR) and a Committed Burst Size (CBS) for each protocol. The device discards the protocol packets exceeding the rate limit. This ensures that all protocols can be processed and that the protocols do not affect each other.

The figure below shows the hierarchical protection I mentioned before.



Sorry for the long intro, now let's go back to the case.


After the discard log is spotted in the log buffer, we need to check display cpu-defend statistics to see exactly which protocols are being discarded:


display cpu-defend statistics

 Statistics on slot 1:
-------------------------------------------------------------------------------
Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets)
bgp                   308551605       208952         4251197             375
ospf                32227526758    610727782       237525545         1953770


The drop packet counter was increasing for the BGP and OSPF protocols.

Let's find a solution to deal with this problem. 


1. We can use the whitelist function to protect and authorize OSPF and BGP packets so that they are processed first.

After an ACL is configured to permit the packets from a port or a port is added to the whitelist, the device does not trace the source of or limit the rate of the packets from this port.

We will create a whitelist to permit the OSPF and BGP peers.

[Switch] acl number 2001
[Switch-acl-basic-2001] rule 5 permit source 1.1.1.0 0.0.0.3
[Switch-acl-basic-2001] rule 10 permit source 1.1.2.0 0.0.0.3
[Switch-acl-basic-2001] rule 15 permit source 1.1.3.0 0.0.0.3
[Switch-acl-basic-2001] rule 20 permit source 1.1.4.0 0.0.0.3

Configure the whitelist:

[Switch] cpu-defend policy policy1
[Switch-cpu-defend-policy-policy1] whitelist 1 acl 2001

Apply the policy to the MPU:

[Switch] cpu-defend-policy policy1


2. Enable ALP for BGP and OSPF sessions. 

The switch enables active link protection (ALP) to protect session-based data on the application layer, including data of FTP sessions, BGP sessions, or OSPF sessions. ALP ensures uninterrupted services when attacks occur. After an FTP, a BGP, or an OSPF connection is set up, the protocol-based rate limit does not take effect. Rate limit is performed based on the application-layer protocols.

[HUAWEI] cpu-defend application-apperceive bgp enable
[HUAWEI] cpu-defend application-apperceive ospf enable

In order for this feature to take effect, you will need to restart the BGP/OSPF sessions.


Hope you will find this information useful! 
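An added example, not part of the original post: once the CPCAR_DROP_LPU logs and the display cpu-defend statistics output above are collected (for example through syslog and a scheduled CLI poll), the two checks in the post, "which protocol is named in the log" and "which drop counter is still increasing", can be automated. The script below counts the drop logs per slot and protocol, parses two snapshots of the statistics table, and reports only the protocols whose Drop(Packets) counter grew between the snapshots. The log lines and both tables are constructed sample data modelled on the output in the post; the hostname SW1 and the second snapshot's numbers are assumptions.

```python
"""Spot control-plane protocols that CPCAR is actively dropping.

Added example, not from the original post. Input format follows the
Huawei DEFD/6/CPCAR_DROP_LPU log and the `display cpu-defend statistics`
table shown in the post; all sample data here is constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Log line as shown in the post; the timestamp/hostname prefix varies per device.
DROP_LOG_RE = re.compile(
    r"CPCAR_DROP_LPU\(l\)\[\d+\]:.*?slot (?P<slot>\d+)\."
    r"\s*\(Protocol=(?P<proto>[\w-]+), ExceededPacketCount=(?P<count>\d+)\)"
)
# One row of the statistics table: protocol name followed by four integer columns.
STAT_ROW_RE = re.compile(r"^\s*(?P<proto>[A-Za-z][\w-]*)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
SLOT_RE = re.compile(r"Statistics on slot (\d+)")

Stats = Dict[Tuple[str, str], Dict[str, int]]  # (slot, protocol) -> counters

# Constructed sample syslog lines (hostname SW1 is an assumption).
SAMPLE_LOGS: List[str] = [
    "Jul 30 2014 20:58:01 SW1 %%01DEFD/6/CPCAR_DROP_LPU(l)[32]:Rate of packets to cpu exceeded "
    "the CPCAR limit on the LPU in slot 1. (Protocol=ospf, ExceededPacketCount=010)",
    "Jul 30 2014 20:58:31 SW1 %%01DEFD/6/CPCAR_DROP_LPU(l)[33]:Rate of packets to cpu exceeded "
    "the CPCAR limit on the LPU in slot 1. (Protocol=ospf, ExceededPacketCount=015)",
    "Jul 30 2014 20:59:02 SW1 %%01DEFD/6/CPCAR_DROP_LPU(l)[34]:Rate of packets to cpu exceeded "
    "the CPCAR limit on the LPU in slot 1. (Protocol=bgp, ExceededPacketCount=003)",
    "Jul 30 2014 20:59:02 SW1 %%01OTHER/5/UNRELATED(l)[35]:constructed non-CPCAR message",
]

# Constructed snapshots: the first uses the post's numbers, the second is assumed.
STATS_BEFORE = """\
 Statistics on slot 1:
-------------------------------------------------------------------------------
Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets)
bgp                   308551605       208952         4251197             375
ospf                32227526758    610727782       237525545         1953770
icmp                    4402100            0           45210               0
"""
STATS_AFTER = """\
 Statistics on slot 1:
-------------------------------------------------------------------------------
Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets)
bgp                   309101605       210000         4260000             390
ospf                32300000000    615000000       238000000         1960000
icmp                    4500000            0           46000               0
"""


def count_drop_logs(lines: List[str]) -> Counter:
    """Sum ExceededPacketCount per (slot, protocol) over CPCAR_DROP_LPU log lines."""
    hits: Counter = Counter()
    for line in lines:
        m = DROP_LOG_RE.search(line)
        if m:
            hits[(m["slot"], m["proto"])] += int(m["count"])
    return hits


def parse_cpu_defend_statistics(text: str) -> Stats:
    """Parse `display cpu-defend statistics` output into per-slot, per-protocol counters."""
    stats: Stats = {}
    slot = "?"
    for line in text.splitlines():
        s = SLOT_RE.search(line)
        if s:
            slot = s.group(1)          # later rows belong to this slot
            continue
        m = STAT_ROW_RE.match(line)
        if not m:
            continue                   # header, separator or blank line
        pass_b, drop_b, pass_p, drop_p = (int(x) for x in m.groups()[1:])
        stats[(slot, m["proto"])] = {
            "pass_bytes": pass_b, "drop_bytes": drop_b,
            "pass_packets": pass_p, "drop_packets": drop_p,
        }
    return stats


def increasing_drops(before: Stats, after: Stats, min_new_drops: int = 1) -> Dict[Tuple[str, str], Dict[str, float]]:
    """Report protocols whose Drop(Packets) grew between two snapshots.

    A non-zero but static drop counter is history; only a growing counter
    means CPCAR is dropping that protocol right now.
    """
    report = {}
    for key, cur in after.items():
        prev = before.get(key, {"drop_packets": 0, "pass_packets": 0})
        new_drops = cur["drop_packets"] - prev["drop_packets"]
        if new_drops < min_new_drops:
            continue
        total = cur["pass_packets"] + cur["drop_packets"]
        pct = round(100.0 * cur["drop_packets"] / total, 2) if total else 0.0
        report[key] = {"new_drops": new_drops, "drop_pct": pct}
    return report


if __name__ == "__main__":
    for (slot, proto), n in count_drop_logs(SAMPLE_LOGS).items():
        print(f"slot {slot} {proto}: {n} packets over CPCAR in logs")
    before = parse_cpu_defend_statistics(STATS_BEFORE)
    after = parse_cpu_defend_statistics(STATS_AFTER)
    for (slot, proto), r in increasing_drops(before, after).items():
        print(f"slot {slot} {proto}: +{r['new_drops']} drops, {r['drop_pct']}% of packets dropped")
```

In the sample data only bgp and ospf are reported, because icmp has a zero and unchanged drop counter; the same two protocols are the ones named in the logs, which is the cross-check to make before whitelisting peers or enabling ALP.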



fcm (Adept) replied Jul 30, 2014 21:32:44

look!
