Distributed CPU Protection (DCP) is a rate-limiting function distributed to the line cards to rate-limit traffic extracted from the data path and sent to the CPM CPU. DCP is performed in hardware and provides granular per-interface and per-protocol rate-limit control.
There are two main types of DCP policies for access or network interfaces and ports. The DCP policy defines the protocols and their associated policers. The list of protocols supported depends on the type of DCP policy:
access network
This type of DCP policy is used to rate-limit interface-level protocols and supports policing the following protocols: ARP, DHCP, HTTP redirect, ICMP, ICMP ping check, IGMP, MLD, NDIS, PPPoE-PPPoA, MPLS-TTL, BFD-CPM, BGP, ETH-CFM, ISIS, LDP, OSPF, PIM and RSVP. Additionally, traffic from other protocols or unconfigured protocols is classified in the all-unspecified DCP protocol.
port
This type of DCP policy is used to rate-limit the port-level protocols LACP, Dot1X, uBFD, and ELMI. The system supports LACP, BFD-CPM, and ETH-CFM as port-level protocols that can be rate-limited individually. Traffic from unconfigured protocols is classified in the all-unspecified DCP protocol (configure system security dist-cpu-protection policy protocol).
Also, a default DCP policy is assigned automatically to all network interfaces, access interfaces, and ports. These policies, "_default-access-policy", "_default-network-policy", and "_default-port-policy", are originally created empty and can be modified by the user. These default policies can be used, for example, to deploy a new DCP configuration covering all access and network interfaces or ports on the node.
Additional DCP policies can be created for interfaces or ports requiring a dedicated configuration.
If the router interface does not need DCP functionality, the user can create and explicitly assign an empty DCP policy to the router interface using the configure router interface dist-cpu-protection command.
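The following audit sketch is an added example, not Nokia code or CLI output. It checks a hand-built model of policy assignments for the conditions described above: default policies still in their empty state, explicitly assigned empty policies, protocols that do not belong to the policy type, and policies with no all-unspecified entry. The data model, the policy and interface names, and the lower-cased protocol tokens are assumptions made for illustration.

```python
# Added example: audits a constructed model of DCP policy assignments.
# Protocol tokens are the page's protocol names lower-cased; they are not
# claimed to be exact CLI keywords. All policy/interface names are made up.
SUPPORTED = {
    "access-network": {"arp", "dhcp", "http-redirect", "icmp", "icmp-ping-check",
                       "igmp", "mld", "ndis", "pppoe-pppoa", "mpls-ttl", "bfd-cpm",
                       "bgp", "eth-cfm", "isis", "ldp", "ospf", "pim", "rsvp"},
    # Union of the port-level protocols the page names.
    "port": {"lacp", "dot1x", "ubfd", "elmi", "bfd-cpm", "eth-cfm"},
}
DEFAULTS = {"_default-access-policy", "_default-network-policy", "_default-port-policy"}
CATCH_ALL = "all-unspecified"


def audit(policies, assignments):
    """Return sorted (object, policy, finding) tuples.

    policies:    {name: {"type": str, "protocols": set of str}}
    assignments: {interface_or_port: policy_name}
    """
    findings = []
    for obj, name in assignments.items():
        pol, protos = policies[name], policies[name]["protocols"]
        if not protos:
            # An empty policy provides no DCP function. On a default policy that
            # is the as-created state; on a named one it is a deliberate opt-out.
            kind = "default-still-empty" if name in DEFAULTS else "explicit-empty"
            findings.append((obj, name, kind))
            continue
        for p in sorted(protos - SUPPORTED[pol["type"]] - {CATCH_ALL}):
            findings.append((obj, name, f"unsupported-protocol:{p}"))
        if CATCH_ALL not in protos:
            # Assumption of this model: with no all-unspecified entry, traffic
            # from unconfigured protocols has no policer in this policy.
            findings.append((obj, name, "all-unspecified-not-configured"))
    return sorted(findings)


# Constructed sample data.
POLICIES = {
    "_default-network-policy": {"type": "access-network", "protocols": set()},
    "no-dcp": {"type": "access-network", "protocols": set()},
    "edge-access": {"type": "access-network", "protocols": {"arp", "dhcp", "lacp"}},
    "uplink-port": {"type": "port", "protocols": {"lacp", "all-unspecified"}},
}
ASSIGNMENTS = {"to-core-1": "_default-network-policy", "lab-loop": "no-dcp",
               "cust-100": "edge-access", "1/1/1": "uplink-port"}

if __name__ == "__main__":
    for row in audit(POLICIES, ASSIGNMENTS):
        print(*row, sep="\t")
```

An "explicit-empty" finding is expected where DCP was intentionally disabled; "default-still-empty" marks interfaces or ports that have never received a DCP configuration.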