system cpu-load-sharing

Description                                                    The CPU Round Robin feature can be used to mitigate the effects of Denial of Service (DoS) attacks that target a single CPU on the ACOS device. You can use this command to configure thresholds for CPU load sharing. If a threshold is exceeded, CPU load sharing is activated, and additional CPUs are enlisted to help process traffic and relieve the burden on the targeted CPU. A round robin algorithm distributes packets across all of the other data CPUs on the device. Load sharing will remain in effect until traffic is no longer exceeding the thresholds that originally activated the feature. (See the “Usage” section below for details.)

Syntax                                                                  [no] system cpu-load-sharing 
{
cpu-usage low percent |
cpu-usage high percent |
disable |
packets-per-second min num-pkts
}

Parameter                                                           Description

cpu-usage low percent                                       Lower CPU utilization threshold. Once the data CPU utilization rate drops below this threshold, then CPU round robin redistribution will stop. The default is 60, but you can specify 0-100 percent.

cpu-usage high percent                                      Upper CPU utilization threshold. Once the data CPU utilization rate exceeds this threshold, then CPU round robin redistribution will begin. The default is 75, but you can specify 0-100 percent.

disable                                                               Disables CPU load sharing. The CPU round robin feature is not used, even if a triggering threshold is breached.

packets-per-second min num-pkts                      Maximum number of packets per second any CPU can receive, before CPU load sharing is used. You can specify 0-30000000 (30 million) packets per second.

Default                                                                The CPU load sharing feature is enabled. The thresholds have the following default values:

     cpu-usage low – 60 percent

     cpu-usage high – 75 percent

     packets-per-second – 100000

Mode                                                                   Configuration mode

Usage                                                                  If an attacker targets the ACOS device by repeatedly flooding it with many packets that have the same source and destination ports, this could overwhelm the targeted CPU. However, the CPU load sharing feature (which is enabled by default) protects the device by using a round robin algorithm to distribute the load across multiple CPUs when such an attack is detected.

ACOS will activate this round robin distribution across multiple CPUs if all of the following conditions occur:

1. If the utilization rate of the CPU being targeted exceeds the configured high threshold (which has a default value of 75%), AND

2. If the CPU being targeted is receiving traffic at a rate that exceeds the minimum configured threshold (the default is 100,000 packets per second), AND

3. If the CPU being targeted is receiving significantly more traffic than the other CPUs on the ACOS device. If all CPUs are under a heavy load, there would be no advantage to using round robin to distribute the traffic. Therefore, the CPU being targeted must have an elevated utilization rate that is at least 50% higher than the median utilization rate of its peer CPUs. (For example, this criterion would be met if the non-targeted CPUs have a median packet flow of 100,000 packets per second, but the targeted CPU is receiving packets at a rate exceeding 150,000 packets per second, in which case it would be 50% higher than the median of the rate of the other processors).

ACOS will de-activate CPU round robin mode and return to normal mode when criterion 1, and either criterion 2 or criterion 3 above, are no longer true.

For example, CPU round robin mode will cease:

1. If the targeted CPU utilization rate drops below the low threshold (default is 60%), AND 

     If the targeted CPU is receiving packets at a rate below the minimum configured packets-per-second threshold, OR 

     If the utilization rate of the targeted CPU is no longer 50% higher than the median of its neighboring CPUs.
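
The activation and de-activation conditions above form a two-state decision with hysteresis between the high and low thresholds. The following Python model is an added illustration, not A10 or ACOS code: the function names and sample values are constructed, the defaults are the ones listed on this page, and criterion 3 is applied to utilization rates as its sentence states (the parenthetical example uses packet rates). The model takes each sample as given and does not simulate the effect of redistribution on the targeted CPU.

```python
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Thresholds:
    cpu_low: float = 60.0    # cpu-usage low default (percent)
    cpu_high: float = 75.0   # cpu-usage high default (percent)
    min_pps: int = 100_000   # packets-per-second min default

def skewed(util, peers, factor=1.5):
    """Criterion 3: target utilization at least 50% above the peer median."""
    return util >= factor * median(peers)

def next_state(active, util, pps, peers, t=Thresholds()):
    """Return True if round robin mode is active after this sample."""
    if not active:
        # Activation requires criteria 1, 2 and 3 at the same time.
        return util > t.cpu_high and pps > t.min_pps and skewed(util, peers)
    # De-activation: below the low threshold AND
    # (criterion 2 no longer true OR criterion 3 no longer true).
    stop = util < t.cpu_low and (pps < t.min_pps or not skewed(util, peers))
    return not stop

# Constructed samples: (target CPU %, target pps, peer CPU % list)
SAMPLES = [
    (50, 40_000, [45, 48, 52]),    # normal traffic
    (90, 400_000, [85, 88, 92]),   # every CPU busy: no skew, stays off
    (90, 400_000, [20, 25, 30]),   # single-CPU flood: activates
    (70, 300_000, [20, 25, 30]),   # between low and high: stays on
    (55, 300_000, [20, 25, 30]),   # below low, but criteria 2 and 3 still true
    (55, 80_000, [20, 25, 30]),    # below low and below min pps: stops
    (70, 300_000, [20, 25, 30]),   # below high: does not re-activate
]

def run(samples, t=Thresholds()):
    """Feed samples through the model and return the mode after each one."""
    active, trace = False, []
    for util, pps, peers in samples:
        active = next_state(active, util, pps, peers, t)
        trace.append(active)
    return trace

if __name__ == "__main__":
    for sample, active in zip(SAMPLES, run(SAMPLES)):
        print(sample, "round-robin" if active else "normal")
```

The fourth and last samples are identical but yield different modes, which is the hysteresis the low and high thresholds provide: a load hovering near 75% does not cause the device to flip in and out of round robin mode.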
