NE40E V800R010C10SPC500 Feature Description - Security 01

CP-CAR and Host-CAR

CP-CAR is a method for traffic policing. The NE40E forwards common user packets directly through its service board. Some special packets, however, must be sent to the MPU for processing: routing protocol packets, packets generated when users go online or offline, and malformed or error packets. These packets are also called host packets.

When host packet traffic is too heavy, or a user sends a large number of malicious host packets on the network, the system may be affected. In this case, you can configure traffic policing on the NE40E to monitor host packet traffic so that the system can work properly.

Host packet traffic policing involves the following modes:
  • The host packet traffic can be monitored using CP-CAR. CP-CAR limits the rate at which host packets are sent to the CPU. You can set the committed information rate (CIR), committed burst size (CBS), and priority for each type of packet. Setting different CAR rules for different packet types reduces the impact that packets of one type have on another, which protects the CPU. CP-CAR can also set an overall rate at which packets are sent to the CPU. If the overall rate exceeds the threshold value, these packets are discarded to keep the CPU from being overloaded. If one type of host packet traffic transmitted over a service board is too heavy, the device becomes unstable. To ensure device stability, configure CP-CAR to monitor that type of host packet traffic on the service board.
  • Host-CAR limits the rate of packets that the user side sends to the CPU, policing all host packets that each user sends to a router. If a user generates heavy host packet traffic or a device is attacked, the device may not work properly. Host-CAR can be configured to police each user's host packet traffic to prevent heavy host packet traffic. CAR limits the maximum number of packets that the user side sends to the CPU in a specified period. To protect against packet attacks, a device implements three levels of CAR: Host-CAR/HTTP-Host-CAR, VLAN-Host-CAR, and CP-CAR.
    • Host-CAR is implemented based on the source MAC addresses, source IP addresses, or session IDs carried in PPPoE/DHCP packets, IP packets for triggering user access, and ARP packets for triggering user access. HTTP-Host-CAR is implemented based on the source MAC addresses and source IP addresses carried in web packets. Both Host-CAR and HTTP-Host-CAR limit the number of packets that the same user host sends to the CPU in a specified period.
    • VLAN-Host-CAR is implemented based on VLAN IDs to limit the maximum number of packets that hosts on the same VLAN send to the CPU in a specified period.
    • CP-CAR is implemented based on user access modes to limit the maximum number of CPU-destined packets from hosts that access the network in the same mode (for example, PPPoE/DHCP) in a specified period.

Relationship between Host-CAR and CP-CAR: For packets that the user side sends to the CPU, Host-CAR is performed before CP-CAR is performed for different types of users. For packets that the network side sends to the CPU, CP-CAR is performed only for protocol packets, and Host-CAR is not performed.
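The following simulation is an added example, not Huawei code or NE40E configuration. It models only Host-CAR (per source MAC) and CP-CAR (per packet type) as byte-based token buckets, and shows how the ordering described above keeps one flooding subscriber from exhausting the CP-CAR budget shared with other users. The class names, rates, traffic pattern and the byte-based bucket are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

class Car:
    """Single-rate policer: CIR (bytes/s) refills the bucket, CBS (bytes) caps it."""
    def __init__(self, cir, cbs):
        self.cir, self.cbs, self.tokens, self.last_ms = cir, cbs, cbs, 0

    def allow(self, now_ms, size):
        refill = (now_ms - self.last_ms) * self.cir / 1000
        self.tokens = min(self.cbs, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens < size:
            return False          # over the committed rate: discard
        self.tokens -= size
        return True

class CpuDefend:
    """Hypothetical model of the policing order described in the text."""
    def __init__(self, host_car=True):
        self.host_car = host_car
        # Constructed limits; real values depend on the deployment.
        self.host = defaultdict(lambda: Car(cir=1000, cbs=2000))   # per source MAC
        self.cp = defaultdict(lambda: Car(cir=8000, cbs=16000))    # per packet type

    def to_cpu(self, now_ms, side, proto, size, mac=None):
        # User-side packets: Host-CAR first, then CP-CAR.
        if side == "user" and self.host_car and not self.host[mac].allow(now_ms, size):
            return "host-car drop"
        # Network-side protocol packets skip Host-CAR; only CP-CAR applies.
        if not self.cp[proto].allow(now_ms, size):
            return "cp-car drop"
        return "cpu"

def simulate(host_car):
    """One second of constructed traffic: 100-byte packets, 1 ms ticks."""
    dev, seen = CpuDefend(host_car), defaultdict(Counter)
    for ms in range(1000):
        # Flooding subscriber: one PPPoE packet every millisecond.
        seen["flood"][dev.to_cpu(ms, "user", "pppoe", 100, "00:00:5e:00:53:01")] += 1
        if ms % 100 == 0:   # well-behaved subscriber, 10 packets/s
            seen["normal"][dev.to_cpu(ms, "user", "pppoe", 100, "00:00:5e:00:53:02")] += 1
        if ms % 50 == 0:    # network-side routing protocol packets
            seen["ospf"][dev.to_cpu(ms, "network", "ospf", 100)] += 1
    return seen

if __name__ == "__main__":
    for mode in (True, False):
        print("Host-CAR", "on " if mode else "off",
              {k: dict(v) for k, v in simulate(mode).items()})
```

With Host-CAR enabled, the flood is cut at the per-user stage and the well-behaved subscriber's packets all reach the CPU. With it disabled, the flood drains the shared PPPoE CP-CAR bucket and most of the well-behaved subscriber's packets are dropped, while the separately policed routing protocol traffic is unaffected in both runs.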

Updated: 2019-01-03

Document ID: EDOC1100055047
