linyonghang1@ru Publish time 2023-8-15 13:08:14

How to configure CPP on Ruijie Switch?

You can configure CPP on a Ruijie switch as follows:

1. Application scenario:

CPP is enabled by default and normally does not need to be adjusted. Adjustment is needed only in cases such as these: in the DAI (Dynamic ARP Inspection) defense against ARP spoofing, the access switch needs to raise the CPP threshold for ARP packets; or the rate of a certain type of protocol packet on the network (CDP, for example) is so high that the CPU becomes abnormal. Otherwise, if CPU usage is within the normal range (below 30%), you are not advised to change the default CPP values.

2. Functional principle:

CPU Protect Policy (CPP) prevents the CPU of a network device from receiving unnecessary and malicious traffic from the network, improving the security of the device. It also provides a QoS-style filtering mechanism so that the control plane (CP) of the device keeps forwarding data and keeps its protocol state stable even under attack and high load.

[Figure: CPP processing flow (attachment data/attachment/forum/202308/15/130712esk9gotc9tggaffw.png)]

As the figure above shows, CPU Protect Policy (CPP) protects the switch processor's resources, and the important packets that reach it, through four techniques: packet identification, packet bandwidth control, packet priority queue mapping, and queue scheduling.

1) Packet identification

All packets sent to the switch for protocol processing, such as ARP, BPDU, and GVRP, are classified in the packet identification stage. (See the CPU Protect default values of each product for its packet classification.)

2) Packet bandwidth control

The administrator can configure a bandwidth for each packet type, which effectively suppresses high-rate attack packets coming from the network.

3) Packet priority queue mapping

The switch processor has eight priority queues. By assigning a priority queue to each packet type, packets are mapped to the corresponding queue.

4) Queue scheduling

To ensure that protocol packets in the different priority queues are delivered to the CPU in time, a polling (round-robin) scheduling algorithm is currently used, in which every queue has an equal scheduling weight.
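The four stages above can be followed in a small model. The code below is an added example, not Ruijie code: it treats one call as one second of punted traffic, uses plain per-second counters instead of the switch's hardware rate limiters, and represents a packet as a dict with a "type" key. The class numbers and pps limits for bpdu and arp-request, the class limits, and the 10000 pps CPU bandwidth follow the show cpu-protect output later on this page; the icmp entry uses the values the page configures later, and the "other" bucket for unrecognised packets is an assumption. The constructed scenario is an ARP-request flood next to modest BPDU and ICMP traffic; it shows that when a type limit (20000 pps) is higher than the limit of the class it maps to (1500 pps), the class limit is what actually caps the flood, and that equal-weight round-robin keeps the low-volume BPDU queue fully served even when the CPU budget is too small for everything.

```python
"""Toy model of the four CPP stages (added example, not Ruijie code)."""
from collections import defaultdict, deque

# Stage 1 + 3 table: packet type -> (traffic class, per-type bandwidth in pps).
TYPE_TABLE = {
    "bpdu": (6, 1000),
    "arp-request": (2, 20000),
    "arp-reply": (2, 20000),
    "icmp": (3, 5000),
}
DEFAULT_TYPE = (0, 200)           # assumed bucket for unrecognised packets
CLASS_BANDWIDTH = {0: 1000, 1: 1000, 2: 1500, 3: 8000, 4: 1500, 5: 1500, 6: 3500}
CPU_BANDWIDTH = 10000             # "%cpu port bandwidth" from the page
NUM_QUEUES = 8                    # the page: eight priority queues


def run_tick(packets, type_table=TYPE_TABLE, class_bw=CLASS_BANDWIDTH,
             cpu_bw=CPU_BANDWIDTH):
    """Push one second of punted packets through the four CPP stages.

    Returns {"accepted": {type: n}, "dropped": {type: {stage: n}}} where
    stage is "type", "class" or "cpu" depending on which limit discarded it.
    """
    type_used = defaultdict(int)
    class_used = defaultdict(int)
    queues = [deque() for _ in range(NUM_QUEUES)]
    accepted = defaultdict(int)
    dropped = defaultdict(lambda: defaultdict(int))

    for pkt in packets:
        # Stage 1: packet identification.
        ptype = pkt["type"] if pkt["type"] in type_table else "other"
        tclass, type_bw = type_table.get(ptype, DEFAULT_TYPE)
        # Stage 2: per-type bandwidth control, then the class's own limit.
        if type_used[ptype] >= type_bw:
            dropped[ptype]["type"] += 1
            continue
        type_used[ptype] += 1
        if class_used[tclass] >= class_bw.get(tclass, 0):
            dropped[ptype]["class"] += 1
            continue
        class_used[tclass] += 1
        # Stage 3: priority queue mapping (one queue per traffic class here).
        queues[tclass % NUM_QUEUES].append(ptype)

    # Stage 4: equal-weight round-robin scheduling within the CPU budget.
    budget = cpu_bw
    while budget > 0 and any(queues):
        for q in queues:
            if q and budget > 0:
                accepted[q.popleft()] += 1
                budget -= 1
    # Anything still queued when the CPU budget is spent is lost.
    for q in queues:
        for ptype in q:
            dropped[ptype]["cpu"] += 1
    return {"accepted": dict(accepted),
            "dropped": {k: dict(v) for k, v in dropped.items()}}


def simulate_arp_flood(cpu_bw=CPU_BANDWIDTH):
    """Constructed scenario: an ARP-request flood next to modest BPDU/ICMP.

    The arp-request type limit (20000) is higher than its class-2 limit
    (1500), so class 2 is what actually caps the flood.
    """
    packets = ([{"type": "arp-request"}] * 30000
               + [{"type": "icmp"}] * 4000
               + [{"type": "bpdu"}] * 500)
    return run_tick(packets, cpu_bw=cpu_bw)


if __name__ == "__main__":
    for bw in (CPU_BANDWIDTH, 2000):
        print(f"cpu bandwidth {bw}:", simulate_arp_flood(bw))
```

With the page's 10000 pps CPU bandwidth every queued packet is accepted, and the ARP flood loses 10000 packets to its type limit and a further 18500 to the class-2 limit. With the CPU budget reduced to 2000 pps the scheduler serves the three busy queues one packet at a time, so the 500 BPDUs all get through while ARP and ICMP share what is left.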

3. Configuration case

An S5750E switch is connected to an S5300 switch through a Layer 3 port. When the S5300 pings the S5750E with 18024-byte packets, packet loss occurs regularly (about 3 packets lost out of 1000). The loss persists when the ICMP-Guard function of NFPP is disabled on both switches. After confirming that CPP protection on the S5750E causes the packet loss, you need to adjust the ICMP PPS value of CPP on the S5750E.

1) Configuration essentials

Because the configuration and display commands differ between switch models, note that the CPP commands start with cpu-protect in global configuration mode; type ? after it to see the available options. For example, to adjust the PPS value of ARP in CPP to 20000 on an S5750 series switch, run the following commands:

Ruijie>en
Ruijie#config ter
Ruijie(config)#cpu-protect ?
  cpu              Set cpu bandwidth
  mac-address      Mac address storm control
  sub-interface    Set globle control to packet
  traffic-class    Set traffic-class' configure
  type             Set packet's configure
Ruijie(config)#cpu-protect type arp-request bandwidth 20000
Ruijie(config)#cpu-protect type arp-reply bandwidth 20000

Check the result with the following command:

Ruijie#show cpu-protect
%cpu port bandwidth: 10000(pps)
Traffic-class   Bandwidth(pps)   Rate(pps)
-------------   --------------   ---------
0               1000             0
1               1000             0
2               1500             0
3               8000             0
4               1500             0
5               1500             0
6               3500             0

Packet Type      Traffic-class   Bandwidth(pps)   Rate(pps)   Drop(pps)
-----------------------------------------------------------------------
bpdu             6               1000             0           0
arp-request      2               20000            0           0

2) Network topology

[Figure: network topology (attachment data/attachment/forum/202308/15/130726y903366l43e3sc4a.png)]

3) Configuration procedure

Commands for configuring the S5750 switch:

Ruijie(config)#cpu-protect type icmp bandwidth 5000 ------> Change the PPS value of ICMP to 5000

Ruijie(config)#cpu-protect traffic-class id 3 bandwidth 8000 ------> Because ICMP is mapped to traffic class 3, the PPS value of class 3 must also be adjusted; it is changed to 8000 here

Ruijie(config)#cpu-protect cpu bandwidth 10000 ------> Change the total PPS value sent to the CPU for processing to 10000
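Two things are worth checking after a change like the one above: that no type limit is higher than the limit of its traffic class or of the CPU port (the higher limit is then never reached, which is why class 3 is raised together with ICMP here), and that no type is still dropping or running close to its limit. The script below is an added example, not a Ruijie tool; it parses only the show cpu-protect column layout shown on this page, so other models may print a different format. SAMPLE_OUTPUT is constructed: the class rows and the bpdu and arp-request rows copy the output shown earlier, and the icmp row is invented to show what a type that is dropping looks like.

```python
"""Audit a 'show cpu-protect' listing (added example, not a Ruijie tool)."""
import re

# Constructed sample: class/bpdu/arp-request rows copy the page, icmp is invented.
SAMPLE_OUTPUT = """\
%cpu port bandwidth: 10000(pps)
Traffic-class   Bandwidth(pps)   Rate(pps)
-------------   --------------   ---------
0               1000             0
1               1000             0
2               1500             0
3               8000             0
4               1500             0
5               1500             0
6               3500             0
Packet Type      Traffic-class   Bandwidth(pps)   Rate(pps)   Drop(pps)
-----------------------------------------------------------------------
bpdu             6               1000             0           0
arp-request      2               20000            0           0
icmp             3               5000             4980        12
"""


def parse_show_cpu_protect(text):
    """Return the cpu bandwidth and the per-class and per-type rows as dicts."""
    result = {"cpu_bandwidth": None, "classes": {}, "types": {}}
    for line in text.splitlines():
        m = re.match(r"%cpu port bandwidth:\s*(\d+)", line)
        if m:
            result["cpu_bandwidth"] = int(m.group(1))
            continue
        tok = line.split()
        # Class rows: three numeric columns (class, bandwidth, rate).
        if len(tok) == 3 and all(t.isdigit() for t in tok):
            result["classes"][int(tok[0])] = {
                "bandwidth": int(tok[1]), "rate": int(tok[2])}
        # Type rows: a name followed by class, bandwidth, rate, drop.
        elif (len(tok) == 5 and not tok[0].isdigit()
              and all(t.isdigit() for t in tok[1:])):
            result["types"][tok[0]] = {
                "class": int(tok[1]), "bandwidth": int(tok[2]),
                "rate": int(tok[3]), "drop": int(tok[4])}
    return result


def audit(parsed, high_water=0.9):
    """Flag type limits that the class or CPU limit would override, and any
    type that is dropping or running above high_water of its own limit."""
    findings = []
    cpu_bw = parsed["cpu_bandwidth"]
    for name, t in sorted(parsed["types"].items()):
        cls = parsed["classes"].get(t["class"])
        if cls and t["bandwidth"] > cls["bandwidth"]:
            findings.append(
                f"{name}: type limit {t['bandwidth']} pps exceeds "
                f"traffic-class {t['class']} limit {cls['bandwidth']} pps; "
                f"raise the class limit as well")
        if cpu_bw is not None and t["bandwidth"] > cpu_bw:
            findings.append(
                f"{name}: type limit {t['bandwidth']} pps exceeds "
                f"cpu port bandwidth {cpu_bw} pps")
        if t["drop"] > 0:
            findings.append(
                f"{name}: dropping {t['drop']} pps "
                f"(rate {t['rate']} of {t['bandwidth']} pps)")
        elif t["bandwidth"] and t["rate"] >= high_water * t["bandwidth"]:
            findings.append(
                f"{name}: rate {t['rate']} pps is near its "
                f"{t['bandwidth']} pps limit")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_cpu_protect(SAMPLE_OUTPUT)):
        print(finding)
```

Paste the real listing from the switch in place of SAMPLE_OUTPUT and run the script; an empty result means every type limit is reachable and nothing is being dropped. Run it again after the ICMP, class 3 and CPU changes to confirm the icmp row no longer reports drops.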

4) Functional verification

Check the ICMP information of CPP on the S5750 switch:

[Figure: show cpu-protect output for ICMP (attachment data/attachment/forum/202308/15/130736aex0otzey5okdx10.png)]

Check the PPS value of queue 3:

[Figure: show cpu-protect output for traffic class 3 (attachment data/attachment/forum/202308/15/130741uridpwacarlpkwi3.png)]

Check the maximum PPS that can be sent to the CPU per second after the CPP change takes effect:

[Figure: show cpu-protect output for the CPU bandwidth (attachment data/attachment/forum/202308/15/130747alk383jybdj33k3j.png)]
