In a subscriber aggregation network, multiple devices such as 7750 SR or 7450 ESS routers provide access to a DHCP or RADIUS server. These servers usually do not scale well enough to control access to the snooping functions through a controlled queue. Under severe conditions, the network could become unavailable if the node cannot handle the requests from subscribers.
Because the IOMs cannot be scaled to provide a per-subscriber queue to control traffic, a monitoring function handled by the CPM is provided. With this monitoring system, the CPM tracks the number of control plane messages sent per subscriber, limits the rate to a specified level, and generates events to alert a centralized system of a possible DoS attack.
The CPM provides prioritized access to the CPU. Because the number of control packets expected from a subscriber under normal conditions is low, the system applies a rate limit on a per-subscriber or per-MAC basis and drops an excess subscriber control packet before it is queued or processed by the CPU. The system is configured with the expected arrival rate of control packets per MAC or per subscriber and, optionally, a total rate per interface or SAP.
The system maintains a per-second running rate monitor per SAP and per MAC. If an entry exceeds its configured rate, the system does not forward the packet to be queued. Every existing subscriber host is monitored, and a subscriber host is flagged when the system observes an excessive rate of control packets from it. With PPPoE, the CPM monitors subscriber hosts before an IP address is assigned, identifying the host by the SAP, MAC, and session-id combination.
The control protocols affected by this mechanism include:
ARP (in arp-reply-agent)
DHCP (for discover and renew)
ICMP
PPPoE
IGMP
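As an added illustration (not SR OS code or configuration), the per-second running rate monitor described above simulated in Python: the per-host and per-SAP rate values, the SAP name, the MAC addresses and the packet trace are all constructed sample data.

```python
from collections import defaultdict

class SubscriberRateMonitor:
    """Per-second running rate monitor keyed by (SAP, MAC) with an optional per-SAP
    total. Constructed simulation of the mechanism described above; not SR OS code."""

    def __init__(self, mac_rate, sap_rate=None):
        self.mac_rate, self.sap_rate = mac_rate, sap_rate   # packets per second
        self.second = None                                  # current 1 s window
        self.mac_counts, self.sap_counts = defaultdict(int), defaultdict(int)
        self.reported = set()   # limits already reported in this window
        self.flagged = set()    # hosts observed exceeding their rate
        self.events = []        # events a central collector would receive

    def _event(self, key, msg):
        # One event per exceeded limit per window, not one per dropped packet.
        if key not in self.reported:
            self.reported.add(key)
            self.events.append(msg)

    def offer(self, now, sap, mac, proto):
        """Return True if the packet may be queued for the CPU, False if dropped."""
        if now != self.second:  # new second: the running rate starts over
            self.second = now
            for d in (self.mac_counts, self.sap_counts, self.reported):
                d.clear()
        host = (sap, mac)
        if self.mac_counts[host] >= self.mac_rate:
            self.flagged.add(host)
            self._event(host, f"t={now}s {sap} {mac} {proto}: host rate exceeded")
            return False
        if self.sap_rate is not None and self.sap_counts[sap] >= self.sap_rate:
            self._event(sap, f"t={now}s {sap} {proto}: SAP rate exceeded")
            return False
        self.mac_counts[host] += 1
        self.sap_counts[sap] += 1
        return True

def simulate(trace, mac_rate, sap_rate=None):
    """Feed (second, sap, mac, proto) tuples; return (accepted, dropped, monitor)."""
    mon = SubscriberRateMonitor(mac_rate, sap_rate)
    verdicts = [mon.offer(*pkt) for pkt in trace]
    return verdicts.count(True), verdicts.count(False), mon

# Constructed trace on one SAP: a normal DHCP host, an ARP-flooding host, an ICMP host.
SAP = "1/1/1:100"
SAMPLE_TRACE = ([(0, SAP, "00:00:5e:00:53:01", "DHCP")] * 2
                + [(0, SAP, "00:00:5e:00:53:ff", "ARP")] * 20
                + [(0, SAP, "00:00:5e:00:53:aa", "ICMP")] * 3
                + [(1, SAP, "00:00:5e:00:53:01", "DHCP")] * 2)
```

With a host limit of 5 packets/s and a SAP limit of 8 packets/s, the flooding host is flagged and drops 15 of its 20 packets, while the ICMP host is throttled only by the SAP total and is not flagged; the normal DHCP host is unaffected in both windows.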