Description The CPU Round Robin feature can be used to mitigate the effects of Denial of Service (DoS) attacks that target a single CPU on the ACOS device. You can use this command to configure thresholds for CPU load sharing. If a threshold is exceeded, CPU load sharing is activated, and additional CPUs are enlisted to help process traffic and relieve the burden on the targeted CPU. A round robin algorithm distributes packets across all of the other data CPUs on the device. Load sharing will remain in effect until traffic is no longer exceeding the thresholds that originally activated the feature. (See the “Usage” section below for details.)
Syntax [no] system cpu-load-sharing
cpu-usage low percent |
cpu-usage high percent |
packets-per-second min num-pkts
Default The CPU load sharing feature is enabled. The thresholds have the following default values:
• cpu-usage low – 60 percent
• cpu-usage high – 75 percent
• packets-per-second – 100000
Mode Configuration mode
Usage If a hacker targets the ACOS device by repeatedly flooding the device with many packets that have the same source and destination ports, this could overwhelm the CPU that is being targeted. However, the CPU load sharing feature (which is enabled by default) protects the device by using a round robin algorithm to distribute the load across multiple CPUs when such an attack is detected.
ACOS will activate this round robin distribution across multiple CPUs if all of the following conditions occur:
1. If the utilization rate of the CPU being targeted exceeds the configured high threshold (which has a default value of 75%), AND
2. If the CPU being targeted is receiving traffic at a rate that exceeds the minimum configured threshold (the default is 100,000 packets per second), AND
3. If the CPU being targeted is receiving significantly more traffic than the other CPUs on the ACOS device. If all CPUs are under a heavy load, there would be no advantage to using round robin to distribute the traffic. Therefore, the CPU being targeted must have an elevated utilization rate that is at least 50% higher than the median utilization rate of its peer CPUs. (For example, this criterion would be met if the non-targeted CPUs have a median packet flow of 100,000 packets per second, but the targeted CPU is receiving packets at a rate exceeding 150,000 packets per second, in which case it would be 50% higher than the median rate of the other processors.)
ACOS will de-activate CPU round robin mode and return to normal mode when the first criterion and either criterion 2 or criterion 3 above are no longer true.
For example, CPU round robin mode will cease:
1. If the targeted CPU utilization rate drops below the low threshold (default is 60%), AND
• If the targeted CPU is receiving packets at a rate below the minimum configured packets-per-second threshold, OR
• If the utilization rate of the targeted CPU is no longer 50% higher than the median of its neighboring CPUs.
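The activation and de-activation rules above form a two-state machine with hysteresis between the low and high CPU thresholds. The following Python model is an added example for reasoning about threshold tuning, not A10 code: all function and field names are hypothetical, the samples are constructed, and the skew test is assumed to compare packet rates as in the numeric example above.

```python
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Thresholds:
    cpu_low: float = 60.0    # cpu-usage low default (percent)
    cpu_high: float = 75.0   # cpu-usage high default (percent)
    min_pps: int = 100_000   # packets-per-second min default
    skew: float = 1.5        # "at least 50% higher" than the peer median

def is_skewed(target_pps, peer_pps, t):
    """Condition 3: targeted CPU carries >= 1.5x the median peer packet rate."""
    return target_pps >= t.skew * median(peer_pps)

def next_state(active, util, target_pps, peer_pps, t=Thresholds()):
    """Return True if round robin mode is active after this sample."""
    skewed = is_skewed(target_pps, peer_pps, t)
    if not active:
        # Activation needs all three conditions at once.
        return util > t.cpu_high and target_pps > t.min_pps and skewed
    # De-activation: utilization below the LOW threshold AND
    # (packet rate below the minimum OR the skew is gone).
    leave = util < t.cpu_low and (target_pps < t.min_pps or not skewed)
    return not leave

# Constructed samples: (targeted CPU util %, targeted CPU pps, peer CPU pps)
SAMPLES = [
    (55, 80_000, [70_000, 75_000, 72_000]),      # quiet: stays off
    (90, 400_000, [300_000, 310_000, 290_000]),  # every CPU busy, no skew: off
    (92, 400_000, [60_000, 65_000, 58_000]),     # all three conditions: on
    (70, 250_000, [60_000, 65_000, 58_000]),     # between low and high: stays on
    (58, 250_000, [60_000, 62_000, 61_000]),     # below low, still skewed: on
    (50, 90_000, [60_000, 62_000, 61_000]),      # below low and below min pps: off
]

def replay(samples, t=Thresholds()):
    """Feed samples through the state machine; return the state after each."""
    active, trace = False, []
    for util, pps, peers in samples:
        active = next_state(active, util, pps, peers, t)
        trace.append(active)
    return trace

if __name__ == "__main__":
    for sample, state in zip(SAMPLES, replay(SAMPLES)):
        print(sample[0], sample[1], "round-robin" if state else "normal")
```

Replaying recorded per-CPU utilization and packet rates through a model like this shows how a proposed `cpu-usage low`/`cpu-usage high` pair would behave, including whether the gap between them is wide enough to avoid flapping.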