Home » Dell Manuals » Hubs & Switches » Dell S5148F-ON » Manual Viewer

Dell S5148F-ON OS10 Enterprise Edition User Guide Release 10.3.2E-R1 - Page 451

Control-plane policing, Con control-plane policing

Add to My Manuals
Save this manual to your list of manuals

Page 451 highlights

• cir committed-rate-Enter a committed rate value in kilobits per second (kbps) (0 to 40000000). • bc committed-burst-size-(Optional) Enter a committed burst size in packets for control plane and kbps (16 to 200000, default 200). • pir peak-rate-Enter a peak-rate value in kbps (0 to 40000000). • be peak-burst-size-(Optional) Enter a peak burst size in kbps (16 to 200000, default 200). 4 (Optional) Configure traffic policing for a specific queue in POLICY-MAP-CLASS-MAP mode. Queue number range is from 0 to 7 for qos policy map and 0 to 11 for control-plane policy map. set qos-group queue-number Configure policy-based rate policy OS10(config)# policy-map type qos galaxy OS10(conf-pmap-qos)# class bigbang OS10(conf-pmap-c-qos)# police cir 5 bc 30 pir 20 be 40 Configure rate policing on specific queue OS10(config)# policy-map bronze OS10(conf-pmap-qos)# class silver OS10(conf-pmap-c-qos)# set qos-group 7 OS10(conf-pmap-c-qos)# police cir 5 pir 30 View policy-map OS10(conf-pmap-c-qos)# do show policy-map Service-policy (qos) input: galaxy Class-map (qos): bigbang police cir 5 bc 30 pir 20 be 40 Service-policy (qos) input: bronze Class-map (qos): silver police cir 5 bc 100 pir 30 be 100 Control-plane policing Control-plane policing (CoPP) increases security on the system by protecting the route processor from unnecessary traffic and giving priority to important control plane and management traffic. CoPP uses a dedicated control plane configuration through the QoS CLIs to provide filtering and rate-limiting capabilities for the control plane packets. If the rate of control packets towards the CPU is higher than it can handle, CoPP provides a method to selectively drops some of the control traffic so the CPU can process high-priority control traffic. You can use CoPP to rate-limit traffic through each CPU port queue of the NPU. CoPP applies policy actions on all control-plane traffic. The control-plane class map does not use any match criteria. To enforce rate-limiting or rate policing on control-plane traffic, create policy maps. You can use the control-plane command to attach the CoPP service policies directly to the control-plane. The default rate limits apply to 12 CPU queues and the protocols mapped to each CPU queue. The control packet type to CPU ports control queue assignment is fixed. The only way you can limit the traffic towards the CPU is choose a low priority queue, and apply ratelimits on that queue to find a high rate of control traffic flowing through that queue. See show control-plane info for specific information on protocols and rate limits of CPU queues. Configure control-plane policing Rate-limiting the protocol CPU queues requires configuring control-plane type QoS policies. • Create QoS policies (class maps and policy maps) for the desired CPU-bound queue. Quality of service 451

Section	Page
OS10 Enterprise Edition User Guide Release 10.3.2E(R1)	3
Getting Started	17
Download OS10 image and license	17
Installation	19
Automatic installation	19
Manual installation	20
Log into OS10	20
Install OS10 license	21
Remote access	22
Configure Management IP address	22
Management Route Configuration	23
Configure user name and password	23
Upgrade OS10	24
CLI Basics	24
User accounts	24
Key CLI features	24
CLI command modes	25
CLI command hierarchy	25
CLI command categories	25
CONFIGURATION Mode	26
Command help	26
Check device status	28
Candidate configuration	30
Change to transaction-based configuration	33
Back up or restore configuration	33
Reload system image	34
Filter show commands	34
Alias command	35
Batch mode commands	36
Linux shell commands	37
SSH commands	38
OS9 environment commands	38
Common commands	39
alias	39
batch	40
boot	40
commit	41
configure	41
copy	42
delete	43
dir	43
discard	44
do	44
feature config-os9-style	45
exit	45
license	46
lock	46
management route	47
move	47
no	48
reload	48
show alias	48
show boot	49
show candidate-configuration	50
show environment	52
show inventory	53
show ip management-route	53
show ipv6 management-route	54
show license status	54
show running-configuration	55
show startup-configuration	57
show system	58
show version	60
start	61
system	61
system identifier	61
terminal	62
traceroute	62
unlock	63
write	64
Interfaces	65
Ethernet interfaces	65
L2 mode configuration	65
L3 mode configuration	66
Management interface	66
VLAN interfaces	67
Loopback interfaces	67
Port-channel interfaces	68
Create port-channel	68
Add port member	68
Minimum links	69
Assign Port Channel IP Address	69
Remove or disable port-channel	70
Load balance traffic	70
Change hash algorithm	71
Configure interface ranges	71
Forward error correction	72
View interface configuration	73
Interface commands	74
channel-group	74
description (Interface)	75
duplex	75
fec	76
interface breakout	76
interface ethernet	77
interface loopback	77
interface mgmt	77
interface null	78
interface port-channel	78
interface range	79
interface vlan	79
link-bundle-utilization	80
mgmt	80
mtu	80
show interface	81
show link-bundle-utilization	82
show port-channel summary	83
show vlan	83
shutdown	84
speed (Management)	84
switchport access vlan	85
switchport mode	85
switchport trunk allowed vlan	86
Layer 2	87
802.1X	87
Port authentication	88
EAP over RADIUS	89
Configure 802.1X	89
Enable 802.1X	90
Identity retransmissions	91
Failure quiet period	92
Port control mode	92
Reauthenticate port	93
Configure timeouts	94
802.1X commands	95
Link aggregation control protocol	100
Modes	100
Configuration	100
Interfaces	101
Rates	101
Sample configuration	102
LACP commands	105
Link layer discovery protocol	111
Protocol data units	111
Optional TLVs	112
Organizationally-specific TLVs	113
Media endpoint discovery	114
Network connectivity device	114
LLDP-MED capabilities TLV	114
Network policies TLVs	115
Define network policies	116
Packet timer values	116
Disable and re-enable LLDP	117
Advertise TLVs	118
Network policy advertisement	118
Fast start repeat count	119
View LLDP configuration	119
Adjacent agent advertisements	120
Time to live	121
LLDP commands	122
Media Access Control	133
Static MAC Address	134
MAC Address Table	134
Clear MAC Address Table	134
MAC Commands	135
Multiple spanning-tree protocol	137
Configure MST protocol	138
Create instances	139
Root selection	140
Non-Dell hardware	141
Region name or revision	141
Modify parameters	141
Interface parameters	142
Forward traffic	143
Spanning-tree extensions	143
MST commands	145
Rapid per-VLAN spanning-tree plus	153
Load balance and root selection	154
Enable RPVST+	155
Select root bridge	155
Root assignment	157
Loop guard	157
Global parameters	158
RPVST+ commands	158
Rapid spanning-tree protocol	165
Enable globally	165
Global parameters	166
Interface parameters	167
Root bridge selection	168
EdgePort forward traffic	169
Spanning-tree extensions	169
RSTP commands	171
Virtual LANs	176
Default VLAN	177
Create or remove VLANs	177
Access mode	178
Trunk mode	179
Assign IP address	180
View VLAN configuration	181
VLAN commands	182
Port monitoring	183
Local port monitoring	183
Port monitoring commands	184
Layer 3	187
Border gateway protocol	187
Sessions and peers	188
Route reflectors	189
Multiprotocol BGP	190
Attributes	190
Selection criteria	190
Weight and local preference	191
Multiexit discriminators	192
Origin	192
AS path and next-hop	193
Best path selection	193
More path support	194
Advertise cost	194
4-Byte AS numbers	195
AS number migration	195
Configure border gateway protocol	196
Enable BGP	196
Configure Dual Stack	198
Peer templates	198
Neighbor fall-over	200
Fast external fallover	201
Passive peering	203
Local AS	203
AS number limit	204
Redistribute routes	205
Additional paths	205
MED attributes	206
Local preference attribute	206
Weight attribute	207
Enable multipath	208
Route-map filters	208
Route reflector clusters	208
Aggregate routes	209
Confederations	210
Route dampening	211
Timers	212
Neighbor soft-reconfiguration	212
BGP commands	213
Equal cost multi-path	238
Load balancing	238
ECMP commands	238
IPv4 routing	241
Assign interface IP address	241
Configure static routing	242
Address resolution protocol	243
IPv4 routing commands	243
IPv6 routing	247
Stateless autoconfiguration	247
IPv6 addresses	248
Static IPv6 routing	249
View IPv6 information	250
IPv6 commands	250
Open shortest path first	254
Autonomous system areas	254
Areas, networks, and neighbors	254
Router types	255
Designated and backup designated routers	256
Link-state advertisements	256
Router priority	257
OSPFv2	258
OSPFv3	288
Object tracking manager	300
Interface tracking	301
Host tracking	302
Set tracking delays	303
Object tracking	303
View tracked objects	303
OTM commands	304
Policy-based routing	307
Policy-based route-maps	307
Access-list to match route-map	307
Set address to match route-map	307
Assign route-map to interface	308
View PBR information	308
PBR commands	309
Virtual router redundancy protocol	311
Configuration	312
Create virtual router	313
Group version	313
Virtual IP addresses	314
Configure virtual IP address	314
Set group priority	315
Authentication	316
Disable preempt	316
Advertisement interval	317
Interface/object tracking	318
Configure tracking	318
VRRP commands	319
System management	325
Dynamic host configuration protocol	325
Packet format and options	325
Configure Server	326
Automatic address allocation	327
Hostname resolution	328
Manual binding entries	329
View DHCP Information	330
System domain name and list	330
DHCP commands	331
DNS commands	336
Network time protocol	338
Enable NTP	338
Broadcasts	339
Source IP address	339
Authentication	340
NTP commands	341
System clock	345
System Clock commands	345
User session management	346
User session management commands	347
Telnet server	348
Telnet commands	348
Security	349
Role-based access control	349
RADIUS authentication	350
RADIUS server settings	350
System-defined user roles	351
Assign user role	351
SSH Server	352
Security commands	352
Simple network management protocol	360
SNMP commands	360
OS10 image upgrade	362
Boot system partition	363
Upgrade commands	363
Access Control Lists	369
IP ACLs	369
MAC ACLs	370
IP fragment handling	370
IP fragments ACL	370
L3 ACL rules	371
Permit ACL with L3 information only	371
Deny ACL with L3 information only	371
Permit all packets from host	371
Permit only first fragments and non-fragmented packets from host	371
Assign sequence number to filter	372
User-provided sequence number	372
Auto-generated sequence number	372
L2 and L3 ACLs	372
Assign and apply ACL filters	373
Ingress ACL filters	374
Egress ACL filters	374
Clear access-list counters	375
IP prefix-lists	375
Route-maps	376
Match routes	377
Set conditions	377
continue Clause	378
ACL flow-based monitoring	378
Flow-based mirroring	378
Enable flow-based monitoring	379
ACL commands	380
clear ip access-list counters	380
clear ipv6 access-list counters	380
clear mac access-list counters	381
deny	381
deny (IPv6)	382
deny (MAC)	382
deny icmp	383
deny icmp (IPv6)	383
deny ip	384
deny ipv6	384
deny tcp	385
deny tcp (IPv6)	386
deny udp	386
deny udp (IPv6)	387
description	388
ip access-group	388
ip access-list	389
ip as-path deny	389
ip as-path permit	389
ip community-list standard deny	390
ip community–list standard permit	390
ip extcommunity-list standard deny	391
ip extcommunity-list standard permit	391
ip prefix-list description	392
ip prefix-list deny	392
ip prefix-list permit	392
ip prefix-list seq deny	393
ip prefix-list seq permit	393
ipv6 access-group	394
ipv6 access-list	394
ipv6 prefix-list deny	395
ipv6 prefix-list description	395
ipv6 prefix-list permit	395
ipv6 prefix-list seq deny	396
ipv6 prefix-list seq permit	396
mac access-group	397
mac access-list	397
permit	397
permit (IPv6)	398
permit (MAC)	399
permit icmp	399
permit icmp (IPv6)	400
permit ip	400
permit ipv6	401
permit tcp	401
permit tcp (IPv6)	402
permit udp	403
permit udp (IPv6)	403
remark	404
seq deny	405
seq deny (IPv6)	405
seq deny (MAC)	406
seq deny icmp	407
seq deny icmp (IPv6)	407
seq deny ip	408
seq deny ipv6	408
seq deny tcp	409
seq deny tcp (IPv6)	410
seq deny udp	411
seq deny udp (IPv6)	412
seq permit	413
seq permit (IPv6)	413
seq permit (MAC)	414
seq permit icmp	414
seq permit icmp (IPv6)	415
seq permit ip	416
seq permit ipv6	416
seq permit tcp	417
seq permit tcp (IPv6)	418
seq permit udp	419
seq permit udp (IPv6)	420
show access-group	420
show access-lists	421
show ip as-path-access-list	422
show ip community-list	423
show ip extcommunity-list	423
show ip prefix-list	423
Route-map commands	424
continue	424
match as-path	424
match community	425
match extcommunity	425
match interface	425
match ip address	426
match ip next-hop	426
match ipv6 address	427
match ipv6 next-hop	427
match metric	427
match origin	428
match route-type	428
match tag	429
route-map	429
set comm-list delete	429
set community	430
set extcomm-list delete	430
set extcommunity	431
set local-preference	431
set metric	431
set metric-type	432
set next-hop	433
set origin	433
set tag	433
set weight	434
show route-map	434
Quality of service	435
Configure quality of service	435
Class-map configuration	437
Policy-map configuration	437
Interface policy-map	438
Control-plane policy-map	439
System policy-map	439
Ingress traffic classification	439
Queue selection	440
Strict priority queuing	441
Class of service or dot1p classification	442
DSCP classification	443
MAC address classification	443
VLAN classification	444
IP access-group classification	445
IP precedence classification	445
Mark traffic	446
Class of service marking	446
DSCP marking	447
Group marking	447
Traffic metering	448
Bandwidth allocation	448
Service-policy rate-shaping	449
Policy-based rate-policing	450
Control-plane policing	451
Configure control-plane policing	451
Assign service-policy	452
View configuration	453
Queue management	453
Verify configuration	454
Egress queue statistics	455
QoS commands	456
bandwidth	456
class	456
class-map	457
clear interface	457
clear qos statistics	458
clear qos statistics type	458
control-plane	458
flowcontrol	459
match	459
match cos	460
match dscp	460
match precedence	461
match queue	461
match vlan	462
mtu	462
pause	462
police	463
policy-map	464
priority	464

Match case Limit results 1 per page

•

cir

committed-rate

—Enter a committed rate value in kilobits per second (kbps) (0 to 40000000).

•

committed-burst-size

—(Optional) Enter a committed burst size in packets for control plane and kbps (16 to 200000,

default 200).

•

pir

peak-rate

—Enter a peak-rate value in kbps (0 to 40000000).

•

peak-burst-size

—(Optional) Enter a peak burst size in kbps (16 to 200000, default 200).

(Optional)

Conﬁgure

traﬃc

policing for a

speciﬁc

queue in POLICY-MAP-CLASS-MAP mode. Queue number range is from 0 to 7 for

qos policy map and 0 to 11 for control-plane policy map.

set qos-group

queue-number

Conﬁgure

policy-based rate policy

OS10(config)# policy-map type qos galaxy

OS10(conf-pmap-qos)# class bigbang

OS10(conf-pmap-c-qos)# police cir 5 bc 30 pir 20 be 40

Conﬁgure

rate policing on

speciﬁc

queue

OS10(config)# policy-map bronze

OS10(conf-pmap-qos)# class silver

OS10(conf-pmap-c-qos)# set qos-group 7

OS10(conf-pmap-c-qos)# police cir 5 pir 30

View policy-map

OS10(conf-pmap-c-qos)# do show policy-map

Service-policy (qos) input: galaxy

Class-map (qos): bigbang

police cir 5 bc 30 pir 20 be 40

Service-policy (qos) input: bronze

Class-map (qos): silver

police cir 5 bc 100 pir 30 be 100

Control-plane policing

Control-plane policing (CoPP) increases security on the system by protecting the route processor from unnecessary

traﬃc

and giving

priority to important control plane and management

traﬃc.

CoPP uses a dedicated control plane

conﬁguration

through the QoS CLIs to

provide

ﬁltering

and rate-limiting capabilities for the control plane packets.

If the rate of control packets towards the CPU is higher than it can handle, CoPP provides a method to selectively drops some of the

control

traﬃc

so the CPU can process high-priority control

traﬃc.

You can use CoPP to rate-limit

traﬃc

through each CPU port queue of

the NPU.

CoPP applies policy actions on all control-plane

traﬃc.

The control-plane class map does not use any match criteria. To enforce rate-limiting

or rate policing on control-plane

traﬃc,

create policy maps. You can use the

control-plane

command to attach the CoPP service

policies directly to the control-plane.

The default rate limits apply to 12 CPU queues and the protocols mapped to each CPU queue. The control packet type to CPU ports

control queue assignment is

ﬁxed.

The only way you can limit the

traﬃc

towards the CPU is choose a low priority queue, and apply rate-

limits on that queue to

ﬁnd

a high rate of control

traﬃc

ﬂowing

through that queue.

See

show control-plane info

for

speciﬁc

information on protocols and rate limits of CPU queues.

Conﬁgure

control-plane policing

Rate-limiting the protocol CPU queues requires

conﬁguring

control-plane type QoS policies.

•

Create QoS policies (class maps and policy maps) for the desired CPU-bound queue.

Quality of service

451