The rate limits are configured in the DCP policy using either static or dynamic policers, and the policer's exceed-action for non-conforming packets can be set to discard, low-priority or none.
Static policers are always instantiated for each endpoint to which the DCP policy is assigned.
The following example provides two simple customized default DCP policies using static policers, one for access interfaces and one for network interfaces:
- an access DCP policy that drops all access traffic exceeding 6,000 pps
- a network DCP policy that marks all traffic exceeding 3,000 pps as low priority, except BGP and LDP, which are bound to a policer with no rate (for example, BGP and LDP can instead be rate-limited using per-peer queuing)
A:7x50>config>sys>security>dist-cpu-protection# info
----------------------------------------------
        policy "_default-access-policy" create
            static-policer "access" create
                rate packets 6000 within 1
                exceed-action discard
            exit
            protocol all-unspecified create
                enforcement static "access"
            exit
        exit
        policy "_default-network-policy" create
            static-policer "null" create
            exit
            static-policer "network" create
                rate packets 3000 within 1
                exceed-action low-priority
            exit
            protocol all-unspecified create
                enforcement static "network"
            exit
            protocol bgp create
                enforcement static "null"
            exit
            protocol ldp create
                enforcement static "null"
            exit
        exit
----------------------------------------------
The use of a local-monitoring-policer together with dynamic policers reduces the number of policers required. This is particularly useful with a large number of endpoints, such as subscribers in ESM networks. Instead of instantiating multiple static policers for the various protocols on each endpoint, a single policer (the local-monitoring-policer) is instantiated statically for a given endpoint, and the per-protocol dynamic policers are instantiated only when the local-monitoring-policer is violated.
Dynamic policers are instantiated from a pool allocated per line card using the configure>card>fp>ingress>dist-cpu-protection>dynamic-enforcement-policer-pool command. The size of this pool should be greater than the maximum number of dynamic policers expected to be in use on the card at one time.
The following example monitors the rate of ARP, ICMP, IGMP and all-unspecified traffic. If the total rate exceeds 100 packets within 10 seconds, the system creates three dynamic policers for ARP, ICMP and IGMP to rate-limit each protocol to 20 packets within 10 seconds as well as a fourth policer to rate-limit the rest of the traffic to 100 packets within 10 seconds.
*A:Dut-A>config>sys>security>dist-cpu-protection# info
----------------------------------------------
        policy "dynamic-policy-example" create
            description "Dynamic policing policy"
            local-monitoring-policer "local-mon" create
                description "Monitor for arp, icmp, igmp and all-unspecified"
                rate packets 100 within 10
            exit
            protocol arp create
                enforcement dynamic "local-mon"
                dynamic-parameters
                    rate packets 20 within 10
                    exceed-action discard
                exit
            exit
            protocol icmp create
                enforcement dynamic "local-mon"
                dynamic-parameters
                    rate packets 20 within 10
                    exceed-action discard
                exit
            exit
            protocol igmp create
                enforcement dynamic "local-mon"
                dynamic-parameters
                    rate packets 20 within 10
                    exceed-action discard
                exit
            exit
            protocol all-unspecified create
                enforcement dynamic "local-mon"
                dynamic-parameters
                    rate packets 100 within 10
                    exceed-action discard
                exit
            exit
        exit