Troubleshooting guide
3 — NE user and device security
Alcatel-Lucent 5620 Service Aware Manager 3-5
5620 SAM
System Administrator Guide
DoS protection limits the number of packets that are received each second, and
optionally logs a violation notification if a policy limit is exceeded. You can use the
NE System Security form to view the violations for a specific NE.
DoS protection in the core network
DoS protection in the core network limits the number of link-layer protocol packets
that each network interface on an NE accepts for protocols that are not enabled on
the interface. The interface drops the excess packets before they are queued or
processed by the CPU.
You can configure global DoS protection on an NE using the NE System Security
form. DoS protection controls the following for unprovisioned link-layer protocols:
• the packet arrival rate per source on each network interface
• the overall packet arrival rate per source on the NE
• whether an NE sends a notification trap if a policy limit is exceeded
An NE that supports DoS protection automatically applies default DoS protection
parameters to each network and access interface. These defaults limit only the
overall packet arrival rate and apply to all of the interfaces on the NE.
DoS protection policies in aggregation networks
In a subscriber aggregation network, an NE typically receives few control-plane
packets from a specific subscriber. If one or more subscribers generate excessive
control-plane traffic, DoS protection policies can help to ensure that NEs do not
become overburdened by these unwanted packets.
You can configure DoS protection policies to control the following on network
interfaces, VPLS L2 access interfaces, and IES and VPRN L3 access interfaces:
• the control-plane packet arrival rate per subscriber host
• the overall control-plane packet arrival rate for the interface
• whether an NE sends a notification trap if a policy limit is exceeded
An NE that supports DoS protection automatically assigns a default DoS protection
policy to each network and access interface. This default policy limits only the
overall packet arrival rate for the interface, and cannot be deleted or modified.
See Procedure 3-3 for information about creating or modifying a DoS protection
policy and assigning the policy to one or more NEs. See the appropriate service
chapter for information about applying DoS protection policies to interfaces.
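The following simplified model is an added illustration, not code from the 5620 SAM or from NE software. It shows why a policy that limits only the overall arrival rate, like the default policy, lets one subscriber host crowd out the others, and how a per-host limit isolates that host. The function names, host ids, rate values, and fixed one-second window are constructed assumptions.

```python
from collections import Counter

def police(packets, overall_limit, per_host_limit=None):
    """Police one second of control-plane packets arriving on one interface.

    packets: subscriber-host ids in arrival order, one entry per packet.
    overall_limit: maximum packets accepted on the interface in the window.
    per_host_limit: maximum packets accepted per subscriber host, or None
                    to model a policy that limits only the overall rate.
    Returns (accepted, dropped, violations). The violations set stands in
    for what the NE could report if notification traps are enabled.
    """
    accepted, dropped, violations = Counter(), Counter(), set()
    total = 0
    for host in packets:
        # The per-host check runs first, so a noisy host cannot use up the
        # interface budget that the other hosts share.
        if per_host_limit is not None and accepted[host] >= per_host_limit:
            dropped[host] += 1
            violations.add(f"per-host limit exceeded: {host}")
        elif total >= overall_limit:
            dropped[host] += 1
            violations.add("overall interface limit exceeded")
        else:
            accepted[host] += 1
            total += 1
    return accepted, dropped, violations

def sample_window():
    """Constructed traffic: host-A floods, hosts B to D send 5 packets each."""
    quiet = ["host-B", "host-C", "host-D"] * 5
    return ["host-A"] * 300 + quiet + ["host-A"] * 200

if __name__ == "__main__":
    window = sample_window()
    for label, per_host in (("overall limit only", None), ("with per-host limit", 10)):
        acc, drop, viol = police(window, overall_limit=100, per_host_limit=per_host)
        print(label, dict(acc), dict(drop), sorted(viol))
```

With only the overall limit, host-A consumes the entire interface budget and every packet from the other hosts is dropped. With the per-host limit, host-A is capped and the other hosts are unaffected.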
3.5 DDoS protection
DDoS protection extends DoS protection by controlling traffic destined for IOM or
CPM CPUs on a per-SAP, per-protocol basis. A DDoS protection policy isolates
protocols from each other and, at the same time, isolates subscribers so that attacks
or misconfigurations affect only the source SAP or protocol.
Release 12.0 R6 | November 2014 | 3HE 08861 AAAF TQZZA Edition 01