Troubleshooting guide

3 — NE user and device security
3-6 Alcatel-Lucent 5620 Service Aware Manager
5620 SAM
System Administrator Guide
Policers are used to enforce a traffic rate-limiting function. Rate limiting is
configurable in packets per second or kb/s. Configurable burst tolerance allows extra
full handshake attempts, as required by some protocols.
When a policer determines that a packet is non-conformant, it discards the packet or
marks it as low-priority. Low-priority traffic is more likely to be discarded at a
downstream queueing point if there is protocol congestion. Traffic marking is also
useful for routing protocols, where an operator may need to offer all packets to the
CPU, and only discard packets if the CPU cannot keep up. A policer can be mapped
to one or more traffic protocols.
The following types of policer can be configured in a DDoS protection policy:
• static policers, which permanently instantiate enforcement policers on SAPs
• local monitoring policers, which dynamically instantiate enforcement policers on SAPs
A DDoS protection policy can be applied to a capture SAP or to an MSAP. A DDoS
protection policy that is assigned to a capture SAP typically has higher traffic rate
limiting values than a policy that is assigned to an MSAP.
A DDoS protection policy can be applied to the following objects:
• base router network interface other than a system or loopback interface
• VPRN network interface a loopback interface
• VPRN L3 access interface
• VPRN group interface SAP
• IES L3 access interface
• IES group interface SAP
• VPLS L2 access interface
• I-VPLS I-L2 access interface
• MVPLS L2 access interface
• I-MVPLS I-L2 access interface
• VLL E-Pipe L2 access interface
• VLL I-Pipe L2 access interface
DDoS alarm handling
The alarm messages generated by DDoS protection policies are presented in a unique
manner. Instead of a new alarm message being generated in the Alarm Window
every time a DDoS alarm event occurs for a given object, a single alarm message is
generated and updated periodically as the object generates new DDoS alarm events.
If an Alarm Information window is opened for an alarm message, the Additional
Text field displays the updated alarm information.
The operator can view dynamically updated alarm information, and avoid the
generation of excessive numbers of individual DDoS alarm messages. Figure 3-1
shows the alarm message sequence for a static policer. Figure 3-2 shows the alarm
message sequence for a local monitoring policer. Figure 3-3 shows the alarm sequence
for a dynamic policer. In each sequence, the alarm clears when the policer returns to
the Conform state.
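
The policer behavior and the single-alarm handling described above can be modeled together. The following is an added example, not code from this guide, the 5620 SAM, or any NE. Assumptions: a token-bucket model, the state name "Exceed", the alarm field names, and the rule that the policer returns to Conform once the bucket has fully refilled.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Policer:
    """Token-bucket policer, in packets per second (assumed model)."""
    rate_pps: float              # sustained rate limit
    burst: int                   # burst tolerance: packets allowed back-to-back
    action: str = "discard"      # or "low-priority": mark instead of dropping
    tokens: float = field(init=False, default=0.0)
    last: float = 0.0
    state: str = "Conform"       # "Exceed" is a hypothetical name for the other state
    alarm: Optional[dict] = None # the single alarm record kept for this object

    def __post_init__(self):
        self.tokens = float(self.burst)   # start with a full bucket

    def offer(self, now: float) -> str:
        """Return the verdict for one packet arriving at time `now` (seconds)."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate_pps)
        self.last = now
        # Assumption: "returns to Conform" means the bucket has fully refilled.
        if self.state == "Exceed" and self.tokens >= self.burst:
            self.state = "Conform"
            self.alarm["cleared"] = True
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return "forward"
        self.state = "Exceed"
        if self.alarm is None or self.alarm["cleared"]:
            self.alarm = {"events": 0, "cleared": False, "additional_text": ""}
        # Update the existing alarm instead of raising a new one per event.
        self.alarm["events"] += 1
        self.alarm["additional_text"] = (
            f"{self.alarm['events']} non-conformant packets, last at t={now:.3f}s")
        return self.action

def run(policer: Policer, arrivals: list) -> list:
    """Offer each arrival time to the policer and collect the verdicts."""
    return [policer.offer(t) for t in arrivals]

# Constructed sample: 20 packets 1 ms apart (a burst well above 10 pps).
FLOOD = [i / 1000 for i in range(20)]

if __name__ == "__main__":
    p = Policer(rate_pps=10, burst=5, action="low-priority")
    print(run(p, FLOOD).count("low-priority"), p.alarm)
    print(p.offer(2.0), p.state, p.alarm)   # quiet period, alarm clears
```

With the constructed burst, the first five packets pass on burst tolerance and the remaining fifteen update one alarm record, which clears after the quiet period.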
Release 12.0 R6 | November 2014 | 3HE 08861 AAAF TQZZA Edition 01