Layer 2 and layer 3 packet forwarding devices, such as Ethernet switches and IP routers, process packets using a combination of specialized hardware forwarding devices and generalized processing resources. Hardware forwarding devices may include, for example, application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), network processing units (NPUs), or some combination thereof, for performing high-density, high-speed (i.e. line-rate) processing of layer 2 and/or layer 3 packets. One drawback to the use of hardware forwarding devices, however, is that they are expensive to implement and may be unable to process all packets received by the packet forwarding device, for example, due to lack of hardware-programmed forwarding for received packets.
Therefore, in addition to including packet forwarding hardware, layer 2 or layer 3 packet forwarding devices may include a multi-purpose central processing unit (CPU) or set of CPUs for performing various tasks for which the packet forwarding hardware cannot be used. For example, the CPU may be used to execute software for accepting user configuration information, managing the switch, and programming the packet forwarding hardware, as well as processing any packets that cannot be processed by the forwarding hardware. Packets that cannot be processed by the forwarding hardware are called exception packets and the processing of exception packets by the CPU is referred to as slowpath processing. Slowpath processing of exception packets is generally undesirable because CPU processing of these packets is slower than processing packets using hardware forwarding. In order to accommodate competitive pricing in the market, conventional layer 2 or layer 3 packet forwarding devices often include CPUs that are not capable of sustaining high packet forwarding rates in addition to their other duties. As a result, processing resources for slowpath forwarding of exception packets in a layer 2 or layer 3 switch may be limited.
One problem associated with conventional methods for slowpath processing of exception packets in layer 2 and layer 3 packet forwarding devices is that elevated rates of exception packets may cause CPU utilization to increase and, as a result, performance of other important functions performed by the CPU may suffer. While an elevated rate of exception packets is often a temporary condition, if the CPU becomes overutilized, the packet forwarding device may be susceptible to security threats and software crashes.
For example, the number of exception packets received by a forwarding device may increase substantially during a denial of service (DoS) attack. During a DoS attack, a targeted computer or device may be flooded with a large number of packets that cannot be processed by the forwarding hardware. As a result, the switch may be forced to consume its CPU resources to process these exception packets until it can no longer provide other services, such as user configuration or management.
In another example, exception packets may be generated as the result of network topology rather than a malicious act. For example, a layer 2 or layer 3 packet forwarding device may communicate network routing information to other network nodes by exchanging messages containing network routing information based on a variety of routing protocols. Exemplary routing protocols may include address resolution protocol (ARP), routing information protocol (RIP), border gateway protocol (BGP), and open shortest path first protocol (OSPF) routing protocols. In the event that a large number of network devices are simultaneously connected to a single packet forwarding device, there may be a large spike in the number of routing protocol messages sent to the packet forwarding device by these protocols in order to determine details of the network topology. Such network behavior would be temporary and expected (i.e., not a malicious attack), but may nonetheless result in impairment to the CPU's integrity and services.
One conventional solution to prevent the overloading of a CPU in a layer 2 or layer 3 packet forwarding device associated with processing exception packets is installing a static rate limit on the number of exception packets processed by the CPU over a given time period. Statically rate limiting the processing of exception packets includes limiting the number of exception packets that may be processed by the CPU at all times, regardless of usage conditions and regardless of the CPU's processing capacity. As a result, the CPU is protected from being overloaded during times of elevated exception packets. While static rate limiting may prevent the CPU from being overloaded, it is also an inefficient use of CPU resources during lighter load periods because it artificially reduces the rate of processing of exception packets. Results of statically rate limiting the processing of exception packets may include slower layer 2 media access control (MAC) address learning, slower slowpath forwarding of exception packets, and unexpected protocol packet dropping.
Another disadvantage associated with conventional processing of exception packets is that it does not scale well as faster CPUs become available. For example, a CPU in a layer 2 or 3 forwarding device may be capable of processing a certain number of exception packets per second. If the CPU is upgraded so that more packets may be processed, conventional static rate limiting would either ignore this additional processing capacity or would need to be manually adjusted higher in order to account for the increased processing capacity. In the former scenario, CPU resources may be wasted. In the latter scenario, human administrator resources may be wasted by manually adjusting the rate limit.
Yet another disadvantage associated with conventional processing of exception packets is that static rate limiting cannot be customized on a per packet classification basis. For example, broadcast packets and layer 2 MAC address learning packets may comprise two different classifications of packets processed by a packet forwarding device. It may be desirable to rate limit packet classifications differently from one another.
Accordingly, a need exists for improved methods and systems for dynamically rate limiting slowpath processing of exception packets in a packet forwarding device.
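The three drawbacks above (wasted capacity at light load, no scaling with CPU speed, no per-classification control) can be seen in a small simulation. This is an added example, not the patent's code: the static limiter models the conventional scheme, while `AdaptiveLimiter` is an assumed design (an AIMD controller on measured CPU utilization with weighted per-class budgets); CPU capacity, target utilization, class weights and the traffic mix are constructed values.

```python
# Constructed demo (not the patent's code): static vs. CPU-aware slowpath limiting.
CPU_CAPACITY = 2000   # exception packets/s the CPU could handle with no other duties
TARGET_UTIL = 70      # percent; headroom kept for configuration/management work

def cpu_util(admitted, other_load):
    """CPU utilization (percent) for one 1-second epoch: slowpath + other duties."""
    return min(100, other_load + admitted * 100 // CPU_CAPACITY)

def static_limiter(offered, _util_prev, limit=200):
    """Conventional scheme: one fixed cap per class, whatever the load or CPU speed."""
    return {c: min(n, limit) for c, n in offered.items()}

class AdaptiveLimiter:
    """Assumed design: per-class budgets carved from a total that an AIMD controller
    grows while measured CPU utilization is at or below target and halves when it
    is above.  Weights stop one flooded class from starving the others."""
    def __init__(self, weights, total=600, step=200, floor=100):
        self.weights, self.total, self.step, self.floor = weights, total, step, floor

    def __call__(self, offered, util_prev):
        if util_prev is not None:                 # feedback from the last epoch
            if util_prev > TARGET_UTIL:
                self.total = max(self.floor, self.total // 2)
            else:
                self.total = min(CPU_CAPACITY, self.total + self.step)
        wsum = sum(self.weights.values())
        return {c: min(n, self.total * self.weights[c] // wsum) for c, n in offered.items()}

def run(limiter, scenario):
    """scenario: [(offered packets per class, other CPU load %)] per 1 s epoch.
    Returns [(admitted per class, CPU utilization %)]."""
    util, out = None, []
    for offered, other in scenario:
        admitted = limiter(offered, util)
        util = cpu_util(sum(admitted.values()), other)
        out.append((admitted, util))
    return out

# Constructed traffic: 4 s of many hosts joining (MAC learning + ARP bursts),
# then 4 s of a broadcast flood of the kind a DoS attack produces.
JOIN = ({"mac_learn": 800, "broadcast": 100, "arp": 300}, 20)
FLOOD = ({"mac_learn": 800, "broadcast": 50000, "arp": 300}, 20)
SCENARIO = [JOIN] * 4 + [FLOOD] * 4
WEIGHTS = {"mac_learn": 3, "broadcast": 1, "arp": 2}
```

Running `run(static_limiter, SCENARIO)` shows the CPU idling at 45% while 700 learnable packets per second are dropped, whereas `run(AdaptiveLimiter(WEIGHTS), SCENARIO)` ramps up to admit the whole join burst, then cuts the broadcast share when the flood pushes utilization past target while MAC learning and ARP keep a non-zero budget.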