
How to limit L2 packet stream to T1020 CPU for security?

Question asked by Norbert van Bolhuis on Apr 25, 2018
Latest reply on May 14, 2018 by Norbert van Bolhuis

We use a T1020 on our board with 4 L2 switch ports connected
(via SGMII) to RJ45 connectors and/or SFP cages. These ports
connect to an outside network.


The L2 switch CPU port (port 8) is used to reach our system.
As is known, this port corresponds to the Linux network interface
"fm1-gb1".


For obvious security and stability reasons we want our system
not to be forced to handle huge L2 MC/BC/UC packet storms.
This causes the system to be non-responsive (at best).


The 4 regular L2 switch ports should forward any L2 traffic at
wire speed.


So I tried to enable the CPU port egress port shaper
and/or CPU port egress queue shapers. I checked out
'T1040 L2Switch Software Support.pdf',
'l2switch/0.1-r0/git/src/cli/cli.c' and 'vtss_qos_api.h'
and tried several things.
Unfortunately I can't get it to work.


Once an egress port shaper or egress queue shapers are configured
for the CPU port it affects all ports.
So in other words, the MC/BC traffic that I'm sending is properly
'limited' for the (egress) CPU port, but it is also limited for all other egress
ports!
I want to limit/shape traffic *only* for the CPU port (in egress
direction).


Maybe egress shaping consumes all (input?) switch buffers
and therefore also affects the forwarding of MC/BC traffic to
the other egress ports. How do I prevent this?


Anyway, the question is obvious: how to limit a UC/MC/BC
packet stream towards the T1020 CPU without affecting other ports?
