The 7210 SAS provides rate-limiting mechanisms to protect the CPM/CFM processing resources of the router. Centralized CPU protection is a centralized rate-limiting function that operates on the CPM to limit traffic destined for the CPUs. The CPU protection mechanism is not user-configurable. It is supported on all 7210 SAS platforms. For historical reasons, “centralized CPU protection” is referred to as “CPU protection” in this user guide.
When it is configured on a node, the CPU protection mechanism protects the CPU from a DoS attack by limiting the amount of ingress port traffic destined for the CPM to be processed by its CPU. On the 7210 SAS, a set of dedicated policers is used to limit the amount of traffic to the software-defined rate (the rate is not user-configurable) before the packets are queued to the CPU queues. A strict policy scheduler schedules packets from the CPU queues. A CPU queue traffic shaper, configured to a pre-defined rate by software, is used to limit the amount of traffic for a protocol or group of protocols using the CPU queue. In most cases, access interfaces and network uplinks do not share the policers and CPU queues used to manage the amount of traffic sent to the CPM. Access interfaces (typically used to deliver customer services) use a dedicated set of policers and CPU queues; a separate set is used for network-facing ports (that is, network ports, hybrid ports, and access-uplink ports).
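The following added example (not taken from the 7210 SAS software or this guide) models only the policer stage described above, to show why dedicated policer sets for access and network-facing ports keep an access-side flood from consuming the network-side budget. The protocol name, packet rates, burst size, and the `shared=True` comparison design are assumptions constructed for illustration; the actual rates are software-defined and not given in this guide.

```python
from collections import defaultdict

class Policer:
    """Token bucket: admits `rate` packets/s with a burst of `burst` packets."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def admit(self, now):
        # Refill for the elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False  # dropped before it reaches a CPU queue

def simulate(arrivals, rates, shared=False):
    """arrivals: (time_s, port_class, protocol); rates: protocol -> (pps, burst).
    shared=False: one policer per (port class, protocol), as described above.
    shared=True: hypothetical design where both port classes share a policer."""
    policers, admitted = {}, defaultdict(int)
    for now, port_class, proto in sorted(arrivals):
        key = proto if shared else (port_class, proto)
        if key not in policers:
            policers[key] = Policer(*rates[proto])
        if policers[key].admit(now):
            admitted[(port_class, proto)] += 1
    return dict(admitted)

# Constructed input: assumed policer rate of 100 pps with a burst of 10.
RATES = {"arp": (100, 10)}
# One second of 10,000 pps flood arriving on access ports.
FLOOD = [(i / 10000, "access", "arp") for i in range(10000)]
# Ten legitimate packets (10 pps) arriving on network-facing ports.
LEGIT = [(0.055 + i / 10, "network", "arp") for i in range(10)]

def demo():
    """Return admitted counts for the dedicated and the shared policer model."""
    traffic = FLOOD + LEGIT
    return simulate(traffic, RATES), simulate(traffic, RATES, shared=True)

if __name__ == "__main__":
    dedicated, shared = demo()
    print("dedicated policer sets:", dedicated)
    print("shared policer (hypothetical):", shared)
```

In the dedicated model the flood is clipped to roughly the policer rate while every network-side packet is admitted; in the shared model the flood drains the bucket and the network-side packets are dropped.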