SR OS CPU protection is a centralized rate-limiting function that operates on the CPM to limit traffic destined for the CPU. The term “centralized CPU protection” is referred to as “CPU protection” in this guide and in the CLI to differentiate it from “Distributed CPU Protection”.
CPU protection provides interface isolation by rate limiting the total amount of traffic extracted to the CPM per port, interface, or SAP in hardware using a combination of limits configurable at the CPU protection system level or as CPU protection policies assigned to access or network interfaces.
The following limits are configurable at the CPU protection system level:
link-specific-rate
Applies to the link-specific protocols LACP (Ethernet LAG control) and Ethernet LMI (ELMI). The rate is a per-link limit (each link in the system has LACP/LMI packets limited to this rate).
port-overall-rate
Applies to all control traffic. The rate is a per-port limit: each port in the system has its control traffic destined for the CPM limited to this rate.
protocol-protection
Blocks network control traffic for unconfigured protocols.
The following limits are configurable independently for access or network interfaces using a dedicated CPU protection policy:
overall-rate
Applies to all control traffic destined for the CPM (all sources) received on an interface where the policy is applied. This is a per-interface limit. Control traffic received above this rate is discarded.
per-source-rate
Used to limit the control traffic destined for the CPM from each individual source. This per-source rate is only applied when an object (SAP) is configured with a cpu-protection policy and also with the optional mac-monitoring or ip-src-monitoring keyword. A source is defined as a (SAP, source MAC address) tuple for MAC monitoring and as a (SAP, source IP address) tuple for IP source monitoring. When the ip-src-monitoring keyword is used, only specific protocols (those configured under included-protocols in the CPU protection policy) are limited per source.
out-profile-rate
Applies to all control traffic destined for the CPM (all sources) received on an interface where the policy is applied. This is a per-interface limit. Control traffic received above this rate is marked as discard eligible (that is, out-profile/low-priority/yellow) and is more likely to be discarded if there is contention for CPU resources.
There are two default CPU protection policies for access and network interfaces.
Policy 254:
This is the default policy that is automatically applied to access interfaces
Traffic above 6000 pps is discarded
overall-rate = 6000
per-source-rate = max
out-profile-rate = 6000
Policy 255:
This is the default policy that is automatically applied to network interfaces
Traffic above 3000 pps is marked as discard eligible, but is not discarded unless there is congestion in the queuing toward the CPU
overall-rate = max
per-source-rate = max
out-profile-rate = 3000
A three-color marking mechanism uses a green, yellow, and red marking function. This allows greater flexibility in how traffic limits are implemented. A CLI command within the CPU protection policy called out-profile-rate maps to the boundary between the green (accept) and yellow (mark as discard eligible/low priority) regions. The overall-rate command marks the boundary between the yellow and red (drop) regions for the associated policy (Figure: Profile marking).
With the overall rate set to 1000 pps, all traffic is processed as long as the total traffic destined for the CPM and intended to be processed by the CPU is less than or equal to 1000 pps. If the rate exceeds 1000 pps, the excess protocol traffic is discarded (or marked as discard eligible/low priority in the case of the out-profile-rate) and traffic on that interface is affected.
This rate limit protects all the other interfaces and ensures that a violation from one interface does not affect the rest of the system.
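As an added illustration (not code from the SR OS documentation or product), the following Python model applies a CPU protection policy's three limits to control packets counted over a one-second window, using the default policies 254 and 255 as stated above. The policy and limiter classes, the per-second packet count standing in for the hardware policer, and the ordering of the per-source check before the interface-wide limits are assumptions made for this example.

```python
from collections import Counter
from dataclasses import dataclass, field

MAX = float("inf")  # models the CLI value "max" (no limit)

@dataclass(frozen=True)
class CpuProtectionPolicy:
    overall_rate: float      # yellow/red boundary: packets above this rate are dropped
    per_source_rate: float   # per (SAP, source) limit; enforced only with monitoring
    out_profile_rate: float  # green/yellow boundary: above this, mark discard eligible

# The two default policies exactly as the page states them
POLICY_254 = CpuProtectionPolicy(overall_rate=6000, per_source_rate=MAX, out_profile_rate=6000)
POLICY_255 = CpuProtectionPolicy(overall_rate=MAX, per_source_rate=MAX, out_profile_rate=3000)

@dataclass
class InterfaceLimiter:
    """Counts control packets extracted from one interface in a one-second window.
    Assumption: rates are in pps, so a plain per-second packet count stands in for
    the hardware policer (burst tolerance is not modelled)."""
    policy: CpuProtectionPolicy
    monitoring: bool = False  # SAP configured with mac-monitoring / ip-src-monitoring
    seen: int = 0
    per_source: Counter = field(default_factory=Counter)

    def new_window(self):
        self.seen = 0
        self.per_source.clear()

    def classify(self, source):
        """Classify one packet from `source` (a (SAP, MAC) or (SAP, IP) tuple) as
        'accept' (green), 'discard-eligible' (yellow) or 'drop' (red).
        Assumption: the per-source check runs first and a violation discards."""
        if self.monitoring:
            self.per_source[source] += 1
            if self.per_source[source] > self.policy.per_source_rate:
                return "drop"
        self.seen += 1
        if self.seen > self.policy.overall_rate:
            return "drop"  # red: above overall-rate
        if self.seen > self.policy.out_profile_rate:
            return "discard-eligible"  # yellow: between out-profile-rate and overall-rate
        return "accept"  # green: at or below out-profile-rate

def run_window(limiter, packets):
    """Classify every packet of one window and return the count per colour."""
    limiter.new_window()
    return Counter(limiter.classify(src) for src in packets)
```

Feeding 4000 packets through POLICY_255 yields 3000 accepted and 1000 discard-eligible but nothing dropped, whereas 7000 packets through POLICY_254 yield 6000 accepted and 1000 dropped, matching the two default behaviours described above.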
CPU protection is not supported on 7750 SR-1, 7750 SR-1s, 7750 SR-2s, 7750 SR-e, 7750 SR-a, and 7750 VSR.