You can configure CPP on a Ruijie switch as follows.

1. Application scenario

CPP is enabled automatically by default and normally does not need to be adjusted. It is adjusted in cases such as the DAI defense-against-ARP-spoofing scheme, where the access switch needs to raise the CPP threshold for ARP packets, or where the rate of a certain type of protocol packet on the network (CDP, for example) is so high that the CPU behaves abnormally. Otherwise, you are not advised to change the default CPP values while CPU usage is within the normal range (less than 30%).

2. Functional principle

CPU Protect Policy (CPP) prevents the CPU of a network device from receiving unnecessary and malicious data flows from the network, improving the security of the device. It applies a QoS filtering mechanism so that the Control Plane (CP) of the device keeps forwarding data and maintains stable protocol status even under attack and high load.

In the figure above, CPP protects switch processor resources and important packets through four techniques: packet identification, packet bandwidth control, packet priority queue mapping, and queue scheduling.

1) Packet identification
All packets sent to the switch for protocol processing are classified during packet identification, for example as ARP, BPDU, or GVRP. (See CPU Protect Default Values for the packet classification of each product.)

2) Packet bandwidth control
The administrator configures a bandwidth for each type of packet, which effectively suppresses high-rate attack packets on the network.

3) Packet priority queue mapping
The switch processor has eight priority queues. By configuring a priority queue for each type of packet, packets are mapped to the corresponding queue.

4) Queue scheduling
To ensure that protocol packets in the different priority queues reach the CPU in time, a polling (round-robin) scheduling algorithm is used; in this algorithm every queue has the same scheduling weight.

3. Configuration case

An S5750E switch is connected to an S5300 switch through a Layer 3 port. When the S5300 pings the S5750E with 18024-byte packets, packet loss occurs at regular intervals (about 3 packets lost out of every 1000). The loss persists when the ICMP-Guard function of NFPP is disabled on both switches. After confirming that CPP protection on the S5750E causes the packet loss, you need to adjust the ICMP PPS value of CPP on the S5750E.

1) Configuration essentials

Because the configuration and display commands differ between switch models, note that the CPP commands start with cpu-protect in global configuration mode; enter ? after cpu-protect to list the available options. For example, to change the PPS value of ARP in CPP to 20000 on an S5750 series switch, run the following commands:

  Ruijie>en
  Ruijie#config ter
  Ruijie(config)#cpu-protect ?
    cpu            Set cpu bandwidth
    mac-address    Mac address storm control
    sub-interface  Set globle control to packet
    traffic-class  Set traffic-class' configure
    type           Set packet's configure
  Ruijie(config)#cpu-protect type arp-request bandwidth 20000
  Ruijie(config)#cpu-protect type arp-reply bandwidth 20000

The result can be checked with show cpu-protect:

  Ruijie#show cpu-protect
  %cpu port bandwidth: 10000(pps)
  Traffic-class  Bandwidth(pps)  Rate(pps)
  -------------  --------------  ---------
  0              1000            0
  1              1000            0
  2              1500            0
  3              8000            0
  4              1500            0
  5              1500            0
  6              3500            0
  Packet Type       Traffic-class  Bandwidth(pps)  Rate(pps)  Drop(pps)
  ----------------  -------------  --------------  ---------  ---------
  bpdu              6              1000            0          0
  arp-request       2              20000           0          0

2) Network topology

3) Configuration procedure

Commands for configuring the S5750 switch:

  Ruijie(config)#cpu-protect type icmp bandwidth 5000            ------> Change the PPS value of ICMP to 5000
  Ruijie(config)#cpu-protect traffic-class id 3 bandwidth 8000   ------> ICMP is mapped to class 3, so the PPS value of class 3 must also be adjusted; here it is changed to 8000
  Ruijie(config)#cpu-protect cpu bandwidth 10000                 ------> Change the total PPS value sent to the CPU for processing to 10000

4) Functional verification

On the S5750 switch:
- Check the ICMP information about CPP.
- Check the PPS value of queue 3.
- Check the maximum PPS sent to the CPU per second under CPP.
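The configuration case above sets limits at three levels (per packet type, per traffic class, and the CPU total) and then relies on reading show cpu-protect to confirm they fit together. The following Python script, added here as an example and not part of the original post or of any Ruijie tool, parses output in the layout quoted above and reports the situations the procedure warns about: a packet type whose bandwidth exceeds the bandwidth of its traffic class, a class whose bandwidth exceeds the CPU bandwidth, a class running close to its limit, and any packet type that is currently dropping. The sample output is constructed in the same column layout, not captured from a switch, and the script assumes that layout (one header line per table, dashes as separators).

```python
import re

# Constructed sample in the layout of `show cpu-protect` quoted above. It is
# not captured from a real switch; the values are chosen so that every check
# below has something to report (icmp limited to 5000 pps while its class 3
# still allows only 1500 pps, as happens before the class is adjusted).
SAMPLE_OUTPUT = """\
%cpu port bandwidth: 10000(pps)
Traffic-class Bandwidth(pps) Rate(pps)
------------- -------------- ---------
0 1000 0
1 1000 0
2 1500 0
3 1500 1490
4 1500 0
5 1500 0
6 3500 0
Packet Type Traffic-class Bandwidth(pps) Rate(pps) Drop(pps)
---------------- ------------- -------------- --------- ---------
bpdu 6 1000 0 0
arp-request 2 20000 0 0
icmp 3 5000 1490 12
"""

CPU_LINE = re.compile(r"%cpu port bandwidth:\s*(\d+)\(pps\)")


def parse_cpu_protect(text):
    """Parse show cpu-protect output into the three CPP levels:
    the CPU total, the per-traffic-class table and the per-packet-type table."""
    cpu_pps = None
    classes = {}  # class id -> {"bandwidth": pps, "rate": pps}
    types = {}    # packet type -> {"class": id, "bandwidth", "rate", "drop"}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):
            continue  # blank line or column separator row
        m = CPU_LINE.match(line)
        if m:
            cpu_pps = int(m.group(1))
            continue
        if line.startswith("Traffic-class"):
            section = "class"
            continue
        if line.startswith("Packet Type"):
            section = "type"
            continue
        fields = line.split()
        if section == "class" and len(fields) == 3:
            cid, bw, rate = (int(f) for f in fields)
            classes[cid] = {"bandwidth": bw, "rate": rate}
        elif section == "type" and len(fields) == 5:
            cid, bw, rate, drop = (int(f) for f in fields[1:])
            types[fields[0]] = {"class": cid, "bandwidth": bw,
                                "rate": rate, "drop": drop}
    return {"cpu_pps": cpu_pps, "classes": classes, "types": types}


def check_cpp(parsed, near_limit=0.9):
    """Return a list of findings, each a dict with kind, subject and detail."""
    findings = []
    cpu_pps = parsed["cpu_pps"]
    classes = parsed["classes"]
    for cid, c in sorted(classes.items()):
        # A class limit above the CPU total can never be reached in full.
        if cpu_pps is not None and c["bandwidth"] > cpu_pps:
            findings.append({"kind": "class-exceeds-cpu", "subject": cid,
                             "detail": f"class {cid} bandwidth {c['bandwidth']} "
                                       f"> cpu bandwidth {cpu_pps}"})
        # Sustained rate close to the class limit is the precursor to drops.
        if c["bandwidth"] and c["rate"] >= near_limit * c["bandwidth"]:
            findings.append({"kind": "class-near-limit", "subject": cid,
                             "detail": f"class {cid} rate {c['rate']} of "
                                       f"{c['bandwidth']} pps"})
    for name, t in sorted(parsed["types"].items()):
        cls = classes.get(t["class"])
        # Raising a type limit without raising its class limit (the second
        # command in the procedure above) leaves the class as the bottleneck.
        if cls is not None and t["bandwidth"] > cls["bandwidth"]:
            findings.append({"kind": "type-exceeds-class", "subject": name,
                             "detail": f"{name} bandwidth {t['bandwidth']} > "
                                       f"class {t['class']} bandwidth "
                                       f"{cls['bandwidth']}"})
        if t["drop"] > 0:
            findings.append({"kind": "dropping", "subject": name,
                             "detail": f"{name} dropping {t['drop']} pps at "
                                       f"rate {t['rate']} pps"})
    return findings


if __name__ == "__main__":
    for f in check_cpp(parse_cpu_protect(SAMPLE_OUTPUT)):
        print(f"[{f['kind']}] {f['detail']}")
```

Run against the constructed sample it reports arp-request and icmp as exceeding their class limits, class 3 as near its limit and icmp as dropping, which is exactly the state the second command in the procedure (raising traffic-class 3) is meant to resolve. Paste real show cpu-protect output into SAMPLE_OUTPUT, or feed it from a file, to use the same checks on a live switch.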