
[Insider Sharing] How to deal with CPU defend discards for control plane protocol


Hi Guys, 

From time to time, in the logbuffer, you will see messages like the one below, which tell you that some protocol packets were discarded because their rate exceeded the CPCAR limit:

xx xxxxxxxxxx %%01DEFD/6/CPCAR_DROP_LPU(l)[32]:Rate of packets to cpu exceeded the CPCAR limit on the LPU in slot 1. (Protocol=ospf, ExceededPacketCount=010)

So where does CPCAR come from?

Control Plane Committed Access Rate (CPCAR) limits the rate of protocol packets sent to the control plane and schedules the packets to protect the control plane. CPCAR provides hierarchical device protection: rate limit based on protocols, scheduling and rate limit based on queues, and rate limit for all packets.

How does it work?

If the traffic volume of one protocol is too large, packets of other protocols cannot be processed in a timely manner. CPCAR supports the setting of Committed Information Rate (CIR) and Committed Burst Size (CBS) for each protocol. The device discards the protocol packets exceeding the rate limit. This ensures that all protocols can be processed and the protocols do not affect each other.

The figure below shows the hierarchical protection that I mentioned before.

[Figure: CPCAR hierarchical protection]

Sorry for the intro, now let's go back to the case.

After a discard log is spotted in the logbuffer, we need to check display cpu-defend statistics to see exactly which protocols are being discarded:

display cpu-defend statistics

 Statistics on slot 1:
Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets)
bgp                   308551605       208952         4251197             375
ospf                32227526758    610727782       237525545         1953770

The drop packet counter was increasing for the BGP and OSPF protocols.

Let's find a solution to deal with this problem. 

1. We can use the whitelist function to protect and authorize OSPF and BGP packets to be processed first.

After an ACL is configured to permit the packets from a port or a port is added to the whitelist, the device does not trace the source of or limit the rate of the packets from this port.

We will create a whitelist to permit the OSPF and BGP peers.

[Switch] acl number 2001
[Switch-acl-basic-2001] rule 5 permit source
[Switch-acl-basic-2001] rule 5 permit source
[Switch-acl-basic-2001] rule 5 permit source
[Switch-acl-basic-2001] rule 5 permit source

Configure the whitelist:

[Switch] cpu-defend policy policy1
[Switch-cpu-defend-policy-policy1] whitelist 1 acl 2001

Apply the policy to the MPU:

[Switch] cpu-defend-policy policy1

2. Enable ALP for BGP and OSPF sessions. 

The switch enables active link protection (ALP) to protect session-based data on the application layer, including data of FTP sessions, BGP sessions, or OSPF sessions. ALP ensures uninterrupted services when attacks occur. After an FTP, a BGP, or an OSPF connection is set up, the protocol-based rate limit does not take effect. Rate limit is performed based on the application-layer protocols.

[HUAWEI] cpu-defend application-apperceive bgp enable
[HUAWEI] cpu-defend application-apperceive ospf enable

In order for this feature to take effect, you will need to restart the BGP/OSPF session.

Hope you will find this information useful! 


Created Jul 30, 2014 13:32:44
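
Added example, not part of the original post and not Huawei code: a Python sketch that compares two captures of `display cpu-defend statistics` and reports which protocols' drop counters grew between them, which is the check the post does by eye. The first capture reuses the rows quoted in the post; the second capture and all function names are constructed for illustration.

```python
import re

# Row layout as shown in the post:
# protocol, Pass(Bytes), Drop(Bytes), Pass(Packets), Drop(Packets)
ROW = re.compile(r"^\s*([A-Za-z][\w-]*)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_stats(text):
    """Return {protocol: (pass_packets, drop_packets)} from the command output."""
    stats = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header, blank and "Statistics on slot" lines do not match
            stats[m.group(1).lower()] = (int(m.group(4)), int(m.group(5)))
    return stats

def drop_deltas(before, after):
    """Return {protocol: (new_drops, drop_share)} for protocols whose drops grew."""
    result = {}
    for proto, (pass_now, drop_now) in after.items():
        pass_old, drop_old = before.get(proto, (0, 0))
        d_drop, d_pass = drop_now - drop_old, pass_now - pass_old
        if d_drop < 0 or d_pass < 0:  # counters were reset: use current values
            d_drop, d_pass = drop_now, pass_now
        if d_drop > 0:
            # drop_share = new drops / all packets of this protocol in the interval
            result[proto] = (d_drop, d_drop / (d_drop + d_pass))
    return result

# First capture: the rows quoted in the post.
SNAPSHOT_1 = """
 Statistics on slot 1:
Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets)
bgp                   308551605       208952         4251197             375
ospf                32227526758    610727782       237525545         1953770
"""
# Second capture: constructed values for illustration, not from the post.
SNAPSHOT_2 = """
 Statistics on slot 1:
Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets)
arp-request             9000000            0          150000               0
bgp                   308624105       222952         4252197             400
ospf                32228883558    611040382       237535545         1954770
"""

if __name__ == "__main__":
    deltas = drop_deltas(parse_stats(SNAPSHOT_1), parse_stats(SNAPSHOT_2))
    for proto, (drops, share) in sorted(deltas.items()):
        print(f"{proto}: +{drops} dropped packets ({share:.1%} of interval)")
```

A protocol that keeps appearing in this output across captures is the one to examine before choosing between the whitelist and ALP options described in the post.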

