CPU defend policy limit the rate of the traffic sent to the local CPU, to prevent attack packets and reduce the invalid packets takes, release the burden of CPU.
The summary of deployment for CPU defend policy is, divide the CPU packets into two parts, one part is trusted and the other part is untrusted. Protect the trusted packets (set the larger bandwidth for them) and limit the rate of the untrusted packets (set smaller bandwidth for them).
CPU defend policy uses four modules to insulate or control the trusted traffic and the untrusted packets.
|TCP/IP attack defense||
Directly discards the TCP/IP attack packet. TCP/IP attack defense function is enabled by default.
TCP/IP attack defense supports discarding the following four kinds of attack packets.
Protects the trusted packets. The bandwidth for the packets added to whitelist is assurable. The attack does not impact the service in whitelist.
The following protocols are auto added to the whitelist by default when TCP session established: BGP, LDP, MSDP, FTP-server, SSH-server, Telnet-server, FTP-client, Telnet-client, and SSH-client.
Whitelist is enabled by default. Modifying the default parameters in the whitelist is not recommended. To extend the application, you can use user-defined flows.
Limits the rate of untrusted packets.
The blacklist is enabled by default, but there is no packets added to blacklist by default. You can add the invalid or unknown packets to the blacklist so that the system can minimize the bandwidth for them or directly drop them.
Protects the trusted packets.
User-defined flows allow users to flexibly customize the attack defense policy to protect the CPU against different types of attack packets.
With user-defined flows, you can specify the flows to be protected and control the parameters, such as the bandwidth, priority, and packet length for the flows. In addition, you can send each user-defined flow to a specific channel for granular isolation and precise control.
The whitelist, blacklist, and user-defined flow use ACL to define the characters of the flow.
Each CPU defend policy can be configured with one whitelist, one blacklist, and one or more user-defined flows, as shown in the following figure.
cpu-defend policy 4 whitelist acl 2001 blacklist acl 2002 user-defined-flow 1 acl 2003 user-defined-flow 2 acl 2003 user-defined-flow 3 acl 2004 # cpu-defend policy 5 whitelist acl 2005
In the steps 2, 3 and 4, the "mismatched" includes:
Directly drops the management packets received from the non-management interfaces.