Home » Dell Manuals » Hubs & Switches » Dell S4148U-ON » Manual Viewer

Dell S4148U-ON OS10 Enterprise Edition User Guide Release 10.4.0E R2 - Page 553

Control-plane policing, or rate policing on control-plane

Get Dell S4148U-ON PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 553 highlights

3 Create a qos type policy-map to refer the classes. OS10(config)# policy-map cos-policy 4 Refer the class-maps in the policy-map and define the required action for the flows. OS10(config-pmap-qos)# class cmap OS10(config-pmap-c-qos)# ? OS10(config-pmap-qos)# class cmap OS10(config-pmap-c-qos)# end Exit to the exec Mode exit Exit from current mode no Negate a command or set its defaults police Rate police input traffic set Mark input traffic show show configuration trust Specify dynamic classification to trust[dscp/dot1p] ACL based classification with trust If you have enabled trust based classification and the system has class-maps to install ACL entries in the same policy-map that might conflict with the trust based classification, then by default the trust based classification takes precedence. You can modify the order of precedence by enabling the fallback option of trust dot1p or diffserv (DSCP). 1 Create class-maps. • Create a class-map of type qos to match CoS 5 flow. OS10(config)# class-map cmap-cos5 • Define the fields to be matched on 802.1p CoS 5 values. OS10(config-cmap-qos)# match cos 5 2 Create a policy-map for enabling trust and matching the CoS 5 flow. • Create a qos type policy-map to refer the classes. OS10(config)# policy-map cos-trust • Refer the class-maps in the policy-map and define the required action for the flows. OS10(config-pmap-qos)# class class-trust OS10(config-pmap-c-qos)# trust dot1p fallback OS10(config-pmap-qos)# class cmap-cos5 OS10(config-pmap-c-qos)# set qos-group 7 • Attach the policy-map to interface. OS10(conf-if-eth1/1/1)# service-policy input type qos cos-trust Control-plane policing Control-plane policing (CoPP) increases security on the system by protecting the route processor from unnecessary traffic and giving priority to important control plane and management traffic. CoPP uses a dedicated control plane configuration through the QoS CLIs to set rate-limiting capabilities for control plane packets. If the rate of control packets towards the CPU is higher than the CPU can handle, CoPP provides a method to selectively drop some of the control traffic so that the CPU can process high-priority control traffic. You can use CoPP to rate-limit traffic through each CPU port queue of the network processor (NPU). CoPP applies policy actions on all control-plane traffic. The control-plane class map does not use any match criteria. To enforce rate-limiting or rate policing on control-plane traffic, create policy maps. You can use the control-plane command to attach the CoPP service policies directly to the control-plane. The default rate limits apply to 12 CPU queues and the protocols mapped to each CPU queue. The control packet type to CPU ports control queue assignment is fixed. The only way you can limit the traffic towards the CPU is choose a low priority queue, and apply ratelimits on that queue to find a high rate of control traffic flowing through that queue. Quality of service 553

Section	Page
OS10 Enterprise Edition User Guide Release 10.4.0E(R2)	3
Getting Started	20
Download OS10 image and license	21
Installation	22
Automatic installation	23
Manual installation	23
Log into OS10	24
Install OS10 license	24
Remote access	25
Configure Management IP address	26
Management Route Configuration	26
Configure user name and password	27
Upgrade OS10	27
CLI Basics	27
User accounts	28
Key CLI features	28
CLI command modes	28
CLI command hierarchy	29
CLI command categories	29
CONFIGURATION Mode	29
Command help	30
Check device status	31
Candidate configuration	33
Change to transaction-based configuration	36
Copy running configuration	36
Restore startup configuration	37
Reload system image	37
Filter show commands	38
Alias command	38
Batch mode commands	42
Linux shell commands	43
SSH commands	43
OS9 environment commands	44
Common commands	44
alias	44
alias (multi-line)	45
batch	46
boot	46
commit	47
configure	47
copy	47
default (alias)	49
delete	49
description (alias)	50
dir	50
discard	51
do	51
feature config-os9-style	51
exit	52
license	52
line (alias)	53
lock	53
management route	54
move	54
no	55
reload	55
show alias	55
show boot	57
show candidate-configuration	57
show environment	59
show inventory	60
show ip management-route	60
show ipv6 management-route	61
show license status	61
show running-configuration	62
show startup-configuration	64
show system	65
show version	67
start	67
system	68
system identifier	68
terminal	68
traceroute	69
unlock	70
write	70
Interfaces	71
Ethernet interfaces	71
Unified port groups	71
L2 mode configuration	72
L3 mode configuration	73
Fibre Channel interfaces	73
Management interface	75
VLAN interfaces	75
User-configured default VLAN	76
Loopback interfaces	76
Port-channel interfaces	77
Create port-channel	77
Add port member	78
Minimum links	78
Assign Port Channel IP Address	79
Remove or disable port-channel	79
Load balance traffic	79
Change hash algorithm	80
Configure interface ranges	80
Switch-port profiles	81
S4148-ON series port profiles	82
S4148U-ON port profiles	83
Configure breakout mode	84
Breakout auto-configuration	85
Reset default configuration	85
Forward error correction	87
Energy-efficient Ethernet	87
Enable energy-efficient Ethernet	88
Clear interface counters	88
View EEE status/statistics	88
EEE commands	89
View interface configuration	92
Interface commands	94
channel-group	94
default interface	94
default vlan-id	96
description (Interface)	97
duplex	97
enable auto-breakout	98
fec	98
interface breakout	99
interface ethernet	99
interface loopback	100
interface mgmt	100
interface null	100
interface port-channel	101
interface range	101
interface vlan	102
link-bundle-utilization	102
mgmt	102
mode	103
mtu	103
port-group	104
show interface	104
show link-bundle-utilization	106
show port-channel summary	106
show port-group	107
show switch-port-profile	107
show vlan	108
shutdown	108
speed (Fibre Channel)	109
speed (Management)	109
switch-port-profile	110
switchport access vlan	112
switchport mode	112
switchport trunk allowed vlan	113
Fibre channel	114
Fibre Channel over Ethernet	114
Configure FIP snooping	115
Terminology	116
Virtual fabric	116
Fibre Channel zoning	119
F_Port on Ethernet	120
F_Port, NPG, and FCoE commands	121
clear fcoe database	121
clear fcoe statistics	121
fc alias	122
fc zone	122
fc zoneset	122
fcoe	123
fcoe max-sessions-per-enodemac	123
feature fc	124
feature fc npg	124
feature fip-snooping	124
fip-snooping enable	125
fip-snooping fc-map	125
fip-snooping port-mode fcf	126
member (alias)	126
member (zone)	126
member (zoneset)	127
name	127
show fc alias	128
show fc ns switch	128
show fc statistics	129
show fc switch	130
show fc zone	130
show fc zoneset	131
show fcoe enode	132
show fcoe fcf	132
show fcoe sessions	133
show fcoe statistics	133
show fcoe system	134
show fcoe vlan	134
show npg devices	134
show running-config vfabric	135
show vfabric	136
vfabric	137
vfabric (interface)	137
vlan	137
zone default-zone permit	138
zoneset activate	138
Layer 2	139
802.1X	139
Port authentication	140
EAP over RADIUS	141
Configure 802.1X	141
Enable 802.1X	142
Identity retransmissions	143
Failure quiet period	144
Port control mode	144
Reauthenticate port	145
Configure timeouts	146
802.1X commands	147
Link aggregation control protocol	152
Modes	152
Configuration	152
Interfaces	153
Rates	153
Sample configuration	154
LACP commands	157
Link layer discovery protocol	163
Protocol data units	163
Optional TLVs	164
Organizationally-specific TLVs	165
Media endpoint discovery	166
Network connectivity device	166
LLDP-MED capabilities TLV	166
Network policies TLVs	167
Define network policies	168
Packet timer values	168
Disable and re-enable LLDP	169
Disable and re-enable LLDP on management ports	170
Advertise TLVs	170
Network policy advertisement	171
Fast start repeat count	171
View LLDP configuration	172
Adjacent agent advertisements	173
Time to live	174
LLDP commands	174
Media Access Control	186
Static MAC Address	186
MAC Address Table	187
Clear MAC Address Table	187
MAC Commands	188
Multiple spanning-tree protocol	190
Configure MST protocol	191
Create instances	191
Root selection	193
Non-Dell hardware	193
Region name or revision	193
Modify parameters	194
Interface parameters	195
Forward traffic	195
Spanning-tree extensions	196
Debug configurations	198
MST commands	198
Rapid per-VLAN spanning-tree plus	208
Load balance and root selection	209
Enable RPVST+	209
Select root bridge	210
Root assignment	211
Loop guard	212
Global parameters	212
RPVST+ commands	213
Rapid spanning-tree protocol	221
Enable globally	221
Global parameters	222
Interface parameters	223
Root bridge selection	224
EdgePort forward traffic	225
Spanning-tree extensions	225
RSTP commands	227
Virtual LANs	233
Default VLAN	233
Create or remove VLANs	234
Access mode	235
Trunk mode	236
Assign IP address	236
View VLAN configuration	237
VLAN commands	239
Port monitoring	240
Local port monitoring	240
Remote port monitoring	241
Encapsulated remote port monitoring	243
Flow-based monitoring	244
Remote port monitoring on VLT	245
Port monitoring commands	246
Layer 3	252
Border gateway protocol	252
Sessions and peers	253
Route reflectors	254
Multiprotocol BGP	255
Attributes	255
Selection criteria	255
Weight and local preference	256
Multiexit discriminators	257
Origin	257
AS path and next-hop	258
Best path selection	258
More path support	259
Advertise cost	259
4-Byte AS numbers	260
AS number migration	260
Configure border gateway protocol	261
Enable BGP	261
Configure Dual Stack	263
Peer templates	263
Neighbor fall-over	265
Fast external fallover	266
Passive peering	268
Local AS	268
AS number limit	269
Redistribute routes	270
Additional paths	270
MED attributes	271
Local preference attribute	271
Weight attribute	272
Enable multipath	273
Route-map filters	273
Route reflector clusters	273
Aggregate routes	274
Confederations	275
Route dampening	276
Timers	277
Neighbor soft-reconfiguration	277
BGP commands	278
Equal cost multi-path	303
Load balancing	303
ECMP commands	303
IPv4 routing	306
Assign interface IP address	306
Configure static routing	307
Address resolution protocol	308
IPv4 routing commands	308
IPv6 routing	312
Enable or disable IPv6	312
IPv6 addresses	313
Stateless autoconfiguration	314
Neighbor discovery	315
Duplicate address discovery	316
Static IPv6 routing	317
IPv6 destination unreachable	317
IPv6 hop-by-hop options	318
View IPv6 information	318
IPv6 commands	318
Internet group management protocol	329
IGMP snooping	329
IGMP snooping commands	332
Open shortest path first	337
Autonomous system areas	337
Areas, networks, and neighbors	338
Router types	339
Designated and backup designated routers	340
Link-state advertisements	340
Router priority	341
Shortest path first throttling	342
OSPFv2	343
OSPFv3	374
Object tracking manager	393
Interface tracking	394
Host tracking	395
Set tracking delays	396
Object tracking	396
View tracked objects	396
OTM commands	397
Policy-based routing	400
Policy-based route-maps	400
Access-list to match route-map	400
Set address to match route-map	401
Assign route-map to interface	401
View PBR information	401
PBR commands	402
Virtual routing and forwarding	404
Configure management VRF	405
VRF commands	406
Virtual router redundancy protocol	410
Configuration	411
Create virtual router	412
Group version	412
Virtual IP addresses	413
Configure virtual IP address	413
Set group priority	414
Authentication	415
Disable preempt	415
Advertisement interval	416
Interface/object tracking	417
Configure tracking	417
VRRP commands	418
UFT modes	424
Configure UFT modes	425
UFT commands	425
hardware forwarding-table mode	425
show hardware forwarding-table mode	426
show hardware forwarding-table mode all	426
System management	427
Dynamic host configuration protocol	427
Packet format and options	427
Configure Server	428
Automatic address allocation	429
Hostname resolution	430
Manual binding entries	431
View DHCP Information	432
System domain name and list	432
DHCP commands	433
DNS commands	438
Network time protocol	440
Enable NTP	440
Broadcasts	441
Source IP address	441
Authentication	442
NTP commands	443
System clock	448
System Clock commands	448
User session management	449
User session management commands	449
Telnet server	451
Telnet commands	451
Security	452
User re-authentication	452
Password strength	453
Role-based access control	453
Assign user role	454
RADIUS authentication	454
TACACS+ authentication	455
SSH Server	456
Virtual terminal line	456
Enable login statistics	457
Security commands	457
Simple network management protocol	470
SNMP commands	470
OS10 image upgrade	471
Boot system partition	472
Upgrade commands	473
Access Control Lists	477
IP ACLs	477
MAC ACLs	478
IP fragment handling	478
IP fragments ACL	478
L3 ACL rules	479
Permit ACL with L3 information only	479
Deny ACL with L3 information only	479
Permit all packets from host	479
Permit only first fragments and non-fragmented packets from host	479
Assign sequence number to filter	480
User-provided sequence number	480
Auto-generated sequence number	480
L2 and L3 ACLs	480
Assign and apply ACL filters	481
Ingress ACL filters	482
Egress ACL filters	482
Clear access-list counters	483
IP prefix-lists	483
Route-maps	484
Match routes	485
Set conditions	485
continue Clause	486
ACL flow-based monitoring	486
Flow-based mirroring	486
Enable flow-based monitoring	487
ACL commands	488
clear ip access-list counters	488
clear ipv6 access-list counters	488
clear mac access-list counters	489
deny	489
deny (IPv6)	490
deny (MAC)	490
deny icmp	491
deny icmp (IPv6)	492
deny ip	492
deny ipv6	493
deny tcp	493
deny tcp (IPv6)	494
deny udp	495
deny udp (IPv6)	496
description	497
ip access-group	497
ip access-list	497
ip as-path deny	498
ip as-path permit	498
ip community-list standard deny	499
ip community–list standard permit	499
ip extcommunity-list standard deny	500
ip extcommunity-list standard permit	500
ip prefix-list description	500
ip prefix-list deny	501
ip prefix-list permit	501
ip prefix-list seq deny	502
ip prefix-list seq permit	502
ipv6 access-group	503
ipv6 access-list	503
ipv6 prefix-list deny	503
ipv6 prefix-list description	504
ipv6 prefix-list permit	504
ipv6 prefix-list seq deny	505
ipv6 prefix-list seq permit	505
mac access-group	506
mac access-list	506
permit	506
permit (IPv6)	507
permit (MAC)	508
permit icmp	508
permit icmp (IPv6)	509
permit ip	510
permit ipv6	510
permit tcp	511
permit tcp (IPv6)	512
permit udp	512
permit udp (IPv6)	513
remark	514
seq deny	514
seq deny (IPv6)	515
seq deny (MAC)	516
seq deny icmp	517
seq deny icmp (IPv6)	517
seq deny ip	518

Match case Limit results 1 per page

Create a qos type policy-map to refer the classes.

OS10(config)# policy-map cos-policy

Refer the class-maps in the policy-map and

deﬁne

the required action for the

ﬂows.

OS10(config-pmap-qos)# class cmap

OS10(config-pmap-c-qos)# ?

OS10(config-pmap-qos)# class cmap

OS10(config-pmap-c-qos)#

end

Exit to the exec Mode

exit

Exit from current mode

Negate a command or set its defaults

police

Rate police input traffic

set

Mark input traffic

show

show configuration

trust

Specify dynamic classification to trust[dscp/dot1p]

ACL based

classiﬁcation

with trust

If you have enabled trust based

classiﬁcation

and the system has class-maps to install ACL entries in the same policy-map that might

conﬂict

with the trust based

classiﬁcation,

then by default the trust based

classiﬁcation

takes precedence.

You can modify the order of precedence by enabling the fallback option of trust dot1p or

diﬀserv

(DSCP).

Create class-maps.

•

Create a class-map of type qos to match CoS 5

ﬂow.

OS10(config)# class-map cmap-cos5

•

Deﬁne

the

ﬁelds

to be matched on 802.1p CoS 5 values.

OS10(config-cmap-qos)# match cos 5

Create a policy-map for enabling trust and matching the CoS 5

ﬂow.

•

Create a qos type policy-map to refer the classes.

OS10(config)# policy-map cos-trust

•

Refer the class-maps in the policy-map and

deﬁne

the required action for the

ﬂows.

OS10(config-pmap-qos)# class class-trust

OS10(config-pmap-c-qos)# trust dot1p fallback

OS10(config-pmap-qos)# class cmap-cos5

OS10(config-pmap-c-qos)# set qos-group 7

•

Attach the policy-map to interface.

OS10(conf-if-eth1/1/1)# service-policy input type qos cos-trust

Control-plane policing

Control-plane policing (CoPP) increases security on the system by protecting the route processor from unnecessary

traﬃc

and giving

priority to important control plane and management

traﬃc.

CoPP uses a dedicated control plane

conﬁguration

through the QoS CLIs to set

rate-limiting capabilities for control plane packets.

If the rate of control packets towards the CPU is higher than the CPU can handle, CoPP provides a method to selectively drop some of the

control

traﬃc

so that the CPU can process high-priority control

traﬃc.

You can use CoPP to rate-limit

traﬃc

through each CPU port queue

of the network processor (NPU).

CoPP applies policy actions on all control-plane

traﬃc.

The control-plane class map does not use any match criteria. To enforce rate-limiting

or rate policing on control-plane

traﬃc,

create policy maps. You can use the

control-plane

command to attach the CoPP service

policies directly to the control-plane.

The default rate limits apply to 12 CPU queues and the protocols mapped to each CPU queue. The control packet type to CPU ports

control queue assignment is

ﬁxed.

The only way you can limit the

traﬃc

towards the CPU is choose a low priority queue, and apply rate-

limits on that queue to

ﬁnd

a high rate of control

traﬃc

ﬂowing

through that queue.

Quality of service

553