If DOS-protect is enabled, the switch monitors the number of packets per second that are being forwarded by the CPU. Once the number of packets forwarded by the CPU reaches the configured Notify-threshold, it will log a message. This message does NOT indicate where this traffic originates from. Most traffic should NOT be forwarded by the CPU.
Normally the CPU is only used for processing:
- control traffic such as ARP packets (e.g., ARP requests) and routing protocol control packets (e.g., OSPF hellos)
- management traffic such as telnet, SNMP, or SSH destined to the switch
- broadcast packets, some multicast and all unknown unicast packets
As long as the switch has an entry in its hardware tables for the destination (such as an FDB entry, an ARP entry, an IGMP entry or a route), traffic will NOT be handled by the CPU. When a new entry is learned, the CPU programs the switch's hardware tables and CPU forwarding stops. CPU forwarding is sometimes referred to as slowpath forwarding.
In some cases CPU forwarding continues. This is an undesirable state and could be happening due to (among many other causes) an attack on the switch, a misconfigured device in the network or an intrusive network testing tool. DOS-protect can be configured on the switch to detect this misbehavior.
Capturing the packets sent to the CPU with debug packet is the only way in this case to troubleshoot what is going to the CPU. See: How to perform a local packet capture on an EXOS switch
DOS-protect has two thresholds. The one discussed above is the Notify-threshold; the other is the Alert-threshold. If the Alert-threshold is reached, DOS-protect will install an ACL to block the CPU-forwarded packets: it tries to find a match for most of the traffic and installs an ACL for that match. This is only done when DOS-protect is enabled (it is enabled by default).
You can also enable DOS-protect in simulated mode. It will then only log which ACL it would install if DOS-protect were actually enabled, but will not install the ACL. This way you can get an idea of the traffic forwarded by the CPU and resolve it.
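The two-threshold behavior described above (log at the Notify-threshold, block the dominant flow at the Alert-threshold, and only log the would-be ACL in simulated mode) can be illustrated with a small Python model. This is an added example, not EXOS code and not how the switch implements DOS-protect: the threshold values, the one-second interval, the sample of punted packets and the ACL text are all constructed here to show the decision logic a defender should expect from each mode.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample of packets the hardware punted to the CPU, as
# (second, source IP, destination IP). Hypothetical data, not a capture.
SAMPLE_PUNTED = (
    [(0, "10.0.0.5", "10.0.9.1")] * 40        # second 0: quiet, below notify
    + [(1, "10.0.0.5", "10.0.9.1")] * 900     # second 1: reaches notify only
    + [(1, "10.0.0.7", "10.0.9.2")] * 10
    + [(2, "10.0.0.5", "10.0.9.1")] * 4500    # second 2: reaches alert, one flow dominates
    + [(2, "10.0.0.7", "10.0.9.2")] * 100
)


@dataclass
class DosProtectModel:
    """Toy model of a two-threshold CPU-forwarding detector (assumed values)."""
    notify_threshold: int = 500      # packets per interval that trigger a log message
    alert_threshold: int = 4000      # packets per interval that trigger an ACL
    interval: int = 1                # measurement window in seconds
    simulated: bool = False          # log the ACL instead of installing it
    installed_acls: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def run(self, packets):
        """Evaluate every measurement window in order and return the log."""
        windows = {}
        for ts, src, dst in packets:
            windows.setdefault(ts // self.interval, []).append((src, dst))
        for w in sorted(windows):
            self._evaluate(w, windows[w])
        return self.log

    def _evaluate(self, window, flows):
        count = len(flows)
        if count < self.notify_threshold:
            return
        # Notify-threshold reached: the message says how much, not from where.
        self.log.append(
            f"window {window}: {count} pkts to CPU reached notify-threshold {self.notify_threshold}"
        )
        if count < self.alert_threshold:
            return
        # Alert-threshold reached: pick the flow that accounts for most of the traffic.
        (src, dst), n = Counter(flows).most_common(1)[0]
        acl = f"deny ip src {src} dst {dst}"   # placeholder ACL text, not EXOS syntax
        if self.simulated:
            self.log.append(f"window {window}: simulated: would install '{acl}' ({n}/{count} pkts)")
        else:
            self.installed_acls.append(acl)
            self.log.append(f"window {window}: installed '{acl}' ({n}/{count} pkts)")


def run_model(simulated=False):
    """Run the constructed sample through the model and return it for inspection."""
    model = DosProtectModel(simulated=simulated)
    model.run(SAMPLE_PUNTED)
    return model


if __name__ == "__main__":
    for mode in (False, True):
        m = run_model(simulated=mode)
        print("simulated" if mode else "enforcing")
        for line in m.log:
            print(" ", line)
        print("  installed ACLs:", m.installed_acls)
```

In enforcing mode the model logs at second 1, then at second 2 logs again and records the ACL for the 10.0.0.5 to 10.0.9.1 flow; in simulated mode the same windows produce the same log lines but the ACL list stays empty, which is the state you want while you are still working out which host is responsible for the CPU-forwarded traffic.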