How to limit L2 packet stream to T1020 CPU for security?


725 Views
nvbolhuis
Contributor I

We use a T1020 on our board with 4 L2 switch ports connected
(via SGMII) to RJ45 connectors and/or SFP cages. These ports
connect to an outside network.

The L2 switch CPU port (port 8) is used to reach our system.
As is known, this port corresponds to the Linux network interface
"fm1-gb1".

For obvious security and stability reasons we want our system
not to be forced to handle huge L2 MC/BC/UC packet storms.
This causes the system to be non-responsive (at best).

The 4 regular L2 switch ports should forward any L2 traffic at
wire speed.

So I tried to enable the CPU port egress port shaper
and/or CPU port egress queue shapers. I checked out
'T1040 L2Switch Software Support.pdf',
'l2switch/0.1-r0/git/src/cli/cli.c' and 'vtss_qos_api.h'
and tried several things.
Unfortunately I can't get it to work.

Once an egress port shaper or egress queue shapers are configured
for the CPU port, it affects all ports.
In other words, the MC/BC traffic that I'm sending is properly
'limited' for the (egress) CPU port, but it is also limited for all other egress
ports!
I want to limit/shape traffic *only* for the CPU port (in egress
direction).

Maybe egress shaping consumes all (input?) switch buffers
and therefore also affects the forwarding of MC/BC traffic to
the other egress ports. How do I prevent this?

Anyway, the question is obvious: how to limit a UC/MC/BC
packet stream towards T1020 CPU without affecting other ports?

0 Kudos
2 Replies

555 Views
nvbolhuis
Contributor I

Hello Yiping Wang,

Thanks for your answer.

The l2switch commands you mentioned turn off the UC/MC/BC storm controller
(it leads to vtss_qos_conf_set with uc/mc/bc=-1). This doesn't help.
In fact it is the default case already.

Maybe you meant to turn them on (which means setting a certain max global
uc/mc/bc rate)?

This doesn't help either since this limits UC/MC/BC forwarding between
the non-CPU ports also, right?

0 Kudos

555 Views
yipingwang
NXP TechSupport

Hello Norbert van Bolhuis,

Please try to use the following commands provided in l2switch package.

$ l2switch-cfg storm control unicast off

$ l2switch-cfg storm control multicast off

$ l2switch-cfg storm control broadcast off


For details, please refer to the function "parse_storm_control_command" in src/cli/cli.c of "l2switch" package source code.

__help:
        printf( "Usage:\n"
                "storm control show\t\t\t\t\t"
                " - show storm control\n"
                "storm control <unicast|multicast|broadcast> <rate|off>\t"
                " - set storm control rate policer[pps] or turn off for\n"
                "\t\t\t\t\t\t\t   unicast, multicast and broadcast\n\n");


Have a great day,
TIC


0 Kudos
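An added model, not code from this thread or from the l2switch/vtss packages, that shows the difference the two posts above argue about: one second of a 10,000 pps broadcast storm entering front port 0, once under a single global pps storm-control policer (how the asker reads the l2switch-cfg storm control commands) and once under a policer applied only to the copy of each frame headed for the CPU port (what the asker wants). The port numbers come from the thread; the token-bucket policer, the rates and the one-frame-per-tick timing are constructed assumptions, not the T1020 switch pipeline.

```python
# Constructed model, not NXP or l2switch/vtss code: a pps token-bucket
# policer applied globally vs. only to the CPU-port copy of each frame.
FRONT_PORTS = (0, 1, 2, 3)   # the four SGMII front ports from the thread
CPU_PORT = 8                 # switch port 8 = Linux interface fm1-gb1


class PpsPolicer:
    """Token bucket in packets/s, scaled by tick_pps so results are exact:
    each tick refills rate_pps tokens and a packet costs tick_pps tokens,
    so exactly rate_pps packets per second are admitted (assumed model)."""

    def __init__(self, rate_pps, tick_pps, burst_s=1):
        self.refill = rate_pps
        self.cost = tick_pps
        self.cap = rate_pps * tick_pps * burst_s
        self.tokens = 0  # start empty: no initial burst credit

    def admit(self):
        self.tokens = min(self.cap, self.tokens + self.refill)
        if self.tokens >= self.cost:
            self.tokens -= self.cost
            return True
        return False


def broadcast_storm(ingress, pps, seconds, policy, limit_pps):
    """Flood `pps` broadcast frames/s into `ingress`; return deliveries per port.

    "global":   one storm-control policer drops a frame for every destination
                at once (the behaviour the asker describes for storm control).
    "cpu_only": front ports forward at wire speed and only the copy headed
                for the CPU port is policed (the behaviour the asker wants)."""
    delivered = {p: 0 for p in FRONT_PORTS + (CPU_PORT,)}
    policer = PpsPolicer(limit_pps, tick_pps=pps)
    for _ in range(pps * seconds):            # one frame per tick
        if policy == "global":
            if not policer.admit():
                continue                       # dropped for all ports
            targets = [p for p in delivered if p != ingress]
        elif policy == "cpu_only":
            targets = [p for p in FRONT_PORTS if p != ingress]
            if policer.admit():                # only the CPU copy is policed
                targets.append(CPU_PORT)
        else:
            raise ValueError(f"unknown policy {policy!r}")
        for p in targets:
            delivered[p] += 1
    return delivered
```

With a 1,000 pps limit, the global policy delivers 1,000 frames to every port including the CPU, while the CPU-only policy still forwards all 10,000 frames to each other front port and 1,000 to the CPU.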