Protocol protection discards received control traffic for protocols that are not configured on the router. This helps mitigate DoS attacks by filtering invalid control traffic before it reaches the CPU. It is a feature of CPU Protection and can be enabled or disabled for the entire system.
When protocol protection is enabled, the system automatically maintains a per-interface list of configured protocols. For example, if an interface does not have IS-IS configured, protocol protection discards any IS-IS packets received on that interface. Other protocols, such as L2TP, are controlled by protocol protection at the VPRN service level rather than per interface.
Protocols controlled by the protocol-protection mechanism include:
GTP
IGMP
IS-IS
MLD
L2TP control
OSPFv2
OSPFv3
PPPoE
PIM
RIP
PFCP
The following protocols are protected independently of protocol protection:
per-peer-queuing protects BGP, LDP, T-LDP, MSDP, Telnet, and SSH
BFD control packets are dropped if BFD is not configured on a specific interface
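As an added illustration (not from the original page and not Nokia's code), the following Python model implements the filtering decision the text describes: the per-interface check for the listed protocols, the VPRN service-level check for L2TP, and the separately handled BFD and per-peer-queuing cases. Interface names, service names and the sample packets are constructed; treating the base router as a service named "Base" for the L2TP check is a modelling assumption, not something the page states.

```python
"""Model of per-interface protocol protection (constructed example, not vendor code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Protocols that protocol protection filters per interface (from the list above).
PROTECTED_PER_INTERFACE: Set[str] = {
    "GTP", "IGMP", "IS-IS", "MLD", "OSPFv2", "OSPFv3", "PPPoE", "PIM", "RIP", "PFCP",
}
# Protocols that protocol protection filters at the VPRN service level.
PROTECTED_PER_SERVICE: Set[str] = {"L2TP"}
# Protocols protected by per-peer queuing instead; the model reports them distinctly.
PER_PEER_QUEUING: Set[str] = {"BGP", "LDP", "T-LDP", "MSDP", "Telnet", "SSH"}


@dataclass
class Interface:
    name: str
    service: str = "Base"                      # "Base" for the base router (assumption)
    protocols: Set[str] = field(default_factory=set)  # protocols configured on this interface
    bfd: bool = False                          # BFD configured on this interface?


@dataclass
class Router:
    protocol_protection: bool = True
    interfaces: Dict[str, Interface] = field(default_factory=dict)
    # service name -> protocols configured at the service level (e.g. L2TP in a VPRN)
    service_protocols: Dict[str, Set[str]] = field(default_factory=dict)

    def decide(self, ifname: str, protocol: str) -> Tuple[str, str]:
        """Return ('accept' | 'drop', reason) for a control packet of `protocol` on `ifname`."""
        intf = self.interfaces[ifname]
        if protocol == "BFD":
            # BFD is handled outside protocol protection: dropped unless configured on the interface.
            return ("accept", "bfd-configured") if intf.bfd else ("drop", "bfd-not-configured")
        if protocol in PER_PEER_QUEUING:
            return ("accept", "per-peer-queuing")
        if not self.protocol_protection:
            return ("accept", "protocol-protection-disabled")
        if protocol in PROTECTED_PER_INTERFACE:
            if protocol in intf.protocols:
                return ("accept", "configured-on-interface")
            return ("drop", "not-configured-on-interface")
        if protocol in PROTECTED_PER_SERVICE:
            if protocol in self.service_protocols.get(intf.service, set()):
                return ("accept", "configured-on-service")
            return ("drop", "not-configured-on-service")
        # Anything else is not covered by protocol protection and passes this filter.
        return ("accept", "not-covered")


def build_sample_router() -> Router:
    """Constructed topology: a core link, a subscriber-facing VPRN interface and a peering link."""
    r = Router()
    r.interfaces["to-core"] = Interface("to-core", protocols={"IS-IS", "OSPFv2"}, bfd=True)
    r.interfaces["to-subs"] = Interface("to-subs", service="vprn-10", protocols={"PPPoE"})
    r.interfaces["to-peer"] = Interface("to-peer")   # BGP peer; BGP is not in the per-interface set
    r.service_protocols["vprn-10"] = {"L2TP"}
    return r


def run_sample() -> Dict[Tuple[str, str], Tuple[str, str]]:
    """Run a constructed batch of control packets through the model and return the verdicts."""
    r = build_sample_router()
    packets = [
        ("to-core", "IS-IS"), ("to-core", "PIM"), ("to-core", "BFD"), ("to-core", "L2TP"),
        ("to-subs", "BFD"), ("to-subs", "L2TP"), ("to-peer", "BGP"), ("to-peer", "ICMP"),
    ]
    return {p: r.decide(*p) for p in packets}


if __name__ == "__main__":
    for (ifname, proto), (verdict, reason) in run_sample().items():
        print(f"{ifname:8} {proto:6} -> {verdict:6} ({reason})")
```

The point of the model is the ordering of checks: BFD and the per-peer-queued protocols are decided before the protocol-protection switch is consulted, so disabling protocol protection reopens the per-interface and per-service filters but does not change how BFD or BGP are handled.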