public icon indicating copy to clipboard operation
public copied to clipboard
verified publisher icon openconfig

system COPP embedded-limits

Open rszarecki opened this issue 2 years ago • 5 comments

Change Scope

Each platform and vendor has some implementation of embaded protection of control-plane, that is software running on general purpose CPU, against excessive ingress rate of incomming traffic. These implamentations may varry significanly among vendors and platforms.

This container provides vendor-neutral, abstract, coarse, system-level view into packets delivered to control-plane for processing as well as packets droped due to embaded control plane protection rules. It is expected that vendor and platform specific counters will be mapped in N:1 way to above vendor-neutral, abstract, coarse conters. In case vendor and platform specific counter is covering pacte types such can'tbe assigned to one and only one endor-neutral, abstract, coarse conter, it should be assigned to "remaining" counter.

Furthermore, this container provides anchor point for vendor extension that sould provide more detailed vendor and platform specific view and ability to modify some attributes of embaded control plane protection rules (e.g. packet rate limits and burst sizes).

module: openconfig-system
  +--rw system
     +--rw oc-sys-copp:control-plane-traffic
        +--rw oc-sys-copp:ingress
           +--rw oc-sys-copp:built-in-limits
              +--ro oc-sys-copp:state
              |  +--ro oc-sys-copp:counters
              |     +--ro oc-sys-copp:bgp-aggregate
              |     |  +--ro oc-sys-copp:accepted-pkts?     int64
              |     |  +--ro oc-sys-copp:accepted-octets?   int64
              |     |  +--ro oc-sys-copp:dropped-pkts?      int64
              |     |  +--ro oc-sys-copp:dropped-octets?    int64
              |     +--ro oc-sys-copp:rsvp-aggregate
              |     |  +--ro oc-sys-copp:accepted-pkts?     int64
              |     |  +--ro oc-sys-copp:accepted-octets?   int64
              |     |  +--ro oc-sys-copp:dropped-pkts?      int64
              |     |  +--ro oc-sys-copp:dropped-octets?    int64
              |     +--ro oc-sys-copp:l3-routing-aggregate
              |     |  +--ro oc-sys-copp:accepted-pkts?     int64
              |     |  +--ro oc-sys-copp:accepted-octets?   int64
              |     |  +--ro oc-sys-copp:dropped-pkts?      int64
              |     |  +--ro oc-sys-copp:dropped-octets?    int64
              |     +--ro oc-sys-copp:l3-control-aggregate
              |     |  +--ro oc-sys-copp:accepted-pkts?     int64
              |     |  +--ro oc-sys-copp:accepted-octets?   int64
              |     |  +--ro oc-sys-copp:dropped-pkts?      int64
              |     |  +--ro oc-sys-copp:dropped-octets?    int64
              |     +--ro oc-sys-copp:l2-control-aggregate
              |     |  +--ro oc-sys-copp:accepted-pkts?     int64
              |     |  +--ro oc-sys-copp:accepted-octets?   int64
              |     |  +--ro oc-sys-copp:dropped-pkts?      int64
              |     |  +--ro oc-sys-copp:dropped-octets?    int64
              |     +--ro oc-sys-copp:trap-exeption-aggregate
              |     |  +--ro oc-sys-copp:accepted-pkts?     int64
              |     |  +--ro oc-sys-copp:accepted-octets?   int64
              |     |  +--ro oc-sys-copp:dropped-pkts?      int64
              |     |  +--ro oc-sys-copp:dropped-octets?    int64
              |     +--ro oc-sys-copp:sample-redirect-aggregate
              |     |  +--ro oc-sys-copp:accepted-pkts?     int64
              |     |  +--ro oc-sys-copp:accepted-octets?   int64
              |     |  +--ro oc-sys-copp:dropped-pkts?      int64
              |     |  +--ro oc-sys-copp:dropped-octets?    int64
              |     +--ro oc-sys-copp:management-aggregate
              |     |  +--ro oc-sys-copp:accepted-pkts?     int64
              |     |  +--ro oc-sys-copp:accepted-octets?   int64
              |     |  +--ro oc-sys-copp:dropped-pkts?      int64
              |     |  +--ro oc-sys-copp:dropped-octets?    int64
              |     +--ro oc-sys-copp:remaining-aggregate
              |        +--ro oc-sys-copp:accepted-pkts?     int64
              |        +--ro oc-sys-copp:accepted-octets?   int64
              |        +--ro oc-sys-copp:dropped-pkts?      int64
              |        +--ro oc-sys-copp:dropped-octets?    int64
              +--rw oc-sys-copp:vendor

This change is non-breaking

Platform Implementations

Example mapping of Juniper ddos-protection to embadded-limits counters

OC built-in-limits JUNIPER DDOS-PROTECTION groups
bgp bgp
rsvp rsvp
l3-routing egpv6 isis ldp mcast-snoop msdp ospf ospf-hello pim-ctrl rip
l3-control arp bfd bfdv6 dhcpv4 dhcpv4v6 dhcpv6 icmp igmp igmpv6 l2tp lmp ndpv6 tcc vrrp
l2-control eoam lacp lldp oam-lfm proto-802-1x pvstp stp
trap-exeption l2broadcast l2ucast l3lpmoverflow gre ip-opt pim-data reject resolve ttl
sample-redirect #N/A
management dns ftp ntp snmp ssh telnet uncls
remaining dtcp

Example mapping of Arista COPP to embadded-limits counters

OC built-in-limits ARISTA copp
bgp bgp
rsvp rsvp
l3-routing ldp multicastsnoop OspfIsis
l3-control mpls-arp-suppress arp-inspect bfd igmp linklocal
l2-control dot1x-mba cfm-snoop cfm mvrp vxlan-encapsulation vxlan-vtep-learn mlag bpdu lacp lldp
trap-exeption mpls-label-miss mpls-ttl01 mtu l3ttl1 l3destmiss ipmcmiss ipunicast ipmc ipbroadcast l2broadcast
sample-redirect mirroring sflow
management acllog
remaining ptp-snoop cvx-heartbeat cvx ptp default

rszarecki avatar Oct 16 '23 17:10 rszarecki

No major YANG version changes in commit 45e83021ff870887a1a74095fca2cfd7da971d5b

OpenConfigBot avatar Oct 16 '23 17:10 OpenConfigBot

/gcbrun

dplore avatar Mar 05 '24 18:03 dplore

/gcbrun

dplore avatar Mar 05 '24 23:03 dplore

/gcbrun

rszarecki avatar Mar 05 '24 23:03 rszarecki

/gcbrun

dplore avatar Mar 05 '24 23:03 dplore