Distributed CPU protection commands

dist-cpu-protection

Syntax

dist-cpu-protection

Context

config>system>security

Platforms

7210 SAS-R6 and 7210 SAS-R12

Description

Commands in this context configure distributed CPU protection.

policy

Syntax

policy policy-name [create]

no policy policy-name

Context

config>sys>security>dist-cpu-protection

Platforms

7210 SAS-R6 and 7210 SAS-R12

Description

This command configures one of the maximum 16 distributed CPU protection policies. These policies can be applied to objects such as SAPs.

Parameters

policy-name

Specifies the policy name, up to 32 characters.

create

Creates a new policy instance.

description

Syntax

description description-string

no description

Context

config>system>security>dist-cpu-protection>policy

config>system>security>dist-cpu-protection>policy>static-policer

Platforms

7210 SAS-R6 and 7210 SAS-R12

Description

This command creates a text description stored in the configuration file for a configuration context.

This command associates a text string with a configuration context to help identify the context in the configuration file.

The no form of this command removes the string.

Default

no description

Parameters

description-string

Specifies the description character string. Allowed values are any string up to 80 characters composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.

protocol

Syntax

protocol name [create]

no protocol name

Context

config>sys>security>dist-cpu-protection>policy

Platforms

7210 SAS-R6 and 7210 SAS-R12

Description

This command creates the protocol for control in the policy.

For RVPLS, DCP rate-limits the packets arriving at the CPU, but for flooded traffic, ingress QoS or ACLs must be used.

When the no form of this command is used, the packets of the specified protocol are not enforced on the objects to which this DCP policy is assigned.

Parameters

name

Specifies the protocol name.

Values

arp, icmp, igmp, vrrp, ntp

create

Creates a new protocol instance.

enforcement

Syntax

enforcement {static policer-name}

Context

config>sys>security>dist-cpu-protection>policy>protocol

Platforms

7210 SAS-R6 and 7210 SAS-R12

Description

This command configures the enforcement method for the protocol. When the static keyword is used, the protocol is always enforced using a static policer. Multiple protocols can reference the same static policer. When multiple protocols are configured to reference the same policer, each protocol is assigned an independent instance of the policer. The policer is not shared among the multiple protocols that are referencing it.

Default

enforcement dynamic local-mon-bypass

Parameters

static

Specifies that the protocol is always enforced using a static policer.

policer-name

Specifies the name of the static policer, up to 32 characters.

static-policer

Syntax

static-policer policer-name [create]

no static-policer policer-name

Context

config>sys>security>dist-cpu-protection>policy

Platforms

7210 SAS-R6 and 7210 SAS-R12

Description

This command configures a static enforcement policer that can be referenced by one or more protocols in the policy. When the policer name is referenced by a protocol, this policer is instantiated for each protocol and each object (for example, SAP) that is created and references this policy. If there is no policer resource available, the object is blocked from being created. Multiple protocols can use the same static policer. When multiple protocols reference the same policer, each protocol gets an independent instance of the policer. The policer is not shared among the multiple protocols that are referencing it.

Parameters

policer-name

Specifies the name of the policer, up to 32 characters.

create

Keyword to create a new static-policer instance.

exceed-action

Syntax

exceed-action {discard | none}

Context

config>sys>security>dist-cpu-protection>policy>static-policer

Platforms

7210 SAS-R6 and 7210 SAS-R12

Description

This command controls the action performed upon the extracted control packets when the configured policer rates are exceeded.

Default

exceed-action none

Parameters

discard

Keyword to discard packets that are non-conformant.

none

Keyword to send packets to the CPU instead of discarding them.

log-events

Syntax

log-events [verbose]

no log-events

Context

config>sys>security>dist-cpu-protection>policy>static-policer

Platforms

7210 SAS-R6 and 7210 SAS-R12

Description

This command controls the creation of log events related to static policer status and activity.

Default

log-events

Parameters

verbose

Keyword to send the same events as log-events without the keyword, and additionally the events used during debugging, tuning, and investigation.

rate

Syntax

rate {kbps kilobits-per-second | max} {[mbs size] [bytes | kilobytes]}

no rate

Context

config>sys>security>dist-cpu-protection>policy>static-policer

Platforms

7210 SAS-R6 and 7210 SAS-R12

Description

This command configures the rate and burst tolerance for the policer in either a packet rate or a bit rate.

The hardware may not be able to rate limit to the exact configured parameters. In this case, the configured parameters are adapted to the closest supported rate. The actual (operational) parameters can be seen in CLI, for example, show service id 33 sap 1/1/3:33 dist-cpu-protection detail.

Default

rate kbps max mbs default

Parameters

kilobits-per-second

Specifies the kilobits per second.

Values

1 to 204800 | max (the max keyword disables the policer (always conformant))

size

Specifies the tolerance for the kbps rate.

Values

size-in-bytes: [512 to 65536]

size-in-kbytes: [1 to 64]

bytes | kilobytes

Specifies that the units of the mbs size parameter are either in bytes or kilobytes.
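
The following is an added example, not part of the original command reference or of any vendor tooling. It audits the commands of one policy before deployment. It flags static policers left at the documented defaults (rate kbps max, exceed-action none), rates outside the documented range, and protocols that reference an undefined policer. It also counts the policer instances the policy consumes. The function name, the sap_count parameter, the policer names, and the sample commands are constructed for illustration.

```python
import shlex

def audit_policy(config_text, sap_count=1):
    """Return (findings, policer_instances) for one DCP policy's commands."""
    policers, protocols, findings, ctx = {}, {}, [], None
    for raw in config_text.splitlines():
        cmd, *args = shlex.split(raw) or [""]   # blank lines match no command
        if cmd == "exit":
            ctx = None
        elif cmd == "static-policer":
            # Documented defaults: rate kbps max, exceed-action none
            policers.setdefault(args[0], {"rate": "max", "exceed": "none"})
            ctx = ("policer", args[0])
        elif cmd == "protocol":
            protocols.setdefault(args[0], None)
            ctx = ("protocol", args[0])
        elif cmd == "rate" and ctx and ctx[0] == "policer":
            value = args[1] if args[0] == "kbps" else args[0]
            if value != "max" and not 1 <= int(value) <= 204800:
                findings.append(f"{ctx[1]}: rate {value} outside 1 to 204800 kbps")
            policers[ctx[1]]["rate"] = value
        elif cmd == "exceed-action" and ctx and ctx[0] == "policer":
            policers[ctx[1]]["exceed"] = args[0]
        elif cmd == "enforcement" and ctx and ctx[0] == "protocol":
            protocols[ctx[1]] = args[1]  # enforcement static <policer-name>
    for name, p in policers.items():
        # rate max is always conformant; exceed-action none never discards
        if p["rate"] == "max" or p["exceed"] == "none":
            findings.append(f"{name}: rate {p['rate']}, exceed-action {p['exceed']}: "
                            "excess packets still reach the CPU")
    for proto, ref in protocols.items():
        if ref not in policers:
            findings.append(f"protocol {proto}: enforcement references undefined policer {ref!r}")
    used = sum(1 for ref in protocols.values() if ref in policers)
    return findings, used * sap_count  # one instance per protocol per object

# Constructed sample: commands entered inside one policy context.
SAMPLE = """
static-policer "ctl-500k" create
    rate kbps 500 mbs 4 kilobytes
    exceed-action discard
exit
static-policer "unset" create
exit
protocol arp create
    enforcement static "ctl-500k"
exit
protocol ntp create
    enforcement static "unset"
exit
"""
```

Calling audit_policy(SAMPLE, sap_count=10) reports the "unset" policer as ineffective and returns 20 policer instances, which can be compared against available policer resources before the policy is applied to SAPs.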