Hi Ted,
The CPU in the PTP 650 controls and monitors the wireless link, and also supports the network management functions like HTTPS and SNMP. It's a powerful CPU and it has plenty of performance under normal circumstances.
If the CPU receives unwanted Ethernet frames it discards them, but processing the received frames still consumes some CPU cycles. It's important that the processing needed to inspect and discard unwanted frames does not use up resources needed for the higher priority tasks associated with keeping the wireless link in service.
The ODU guards against this by detecting the overload and discarding (in hardware) a proportion of the traffic destined for the management agent. This is an effective technique but not at all selective. Consequently, the ODU can appear to be unresponsive when the defenses are triggered.
This protection is essential to prevent a Denial of Service (DoS) attack, where a malicious user attempts to overwhelm the CPU with excessive traffic addressed to the management agent, and by this means to disrupt the end-to-end service.
You can check if the DoS defences have been activated by looking for "event, resource_low" in the syslog record. I appreciate that you can't do this whilst the ODU is non-responsive, so you will necessarily be looking back at an earlier time.
The management agent receives all Ethernet frames directly addressed to the ODU, plus all broadcast and multicast frames. This means that the anti-DoS defenses can be triggered when the link is carrying a large volume of perfectly legitimate broadcast or multicast traffic. This is largely a function of the design of the network in terms of switches, routers, use of PPPoE and such like. For example, a simple link between two routers will not normally need much Ethernet broadcast traffic. On the other hand, a broadcast storm would be a really bad thing.
If the above explanation is confirmed, a good solution would be to introduce a management VLAN. This has the benefit that the only broadcast frames to reach the management agent will be the ones already in the management VLAN. The VLAN filtering is in the PTP 650 hardware, so there is then no danger that the CPU will be overloaded.
In addition, we think it is always a good idea to use a management VLAN to minimise the possibility of real DoS attacks from malicious users.
Please let us know how you get on.
Mark
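One way to do the look-back described in the reply above, added here as an example (it is not part of the original post and not vendor code): scan collected syslog for the "event, resource_low" marker and merge the hits into per-ODU time windows that can be compared with the periods when the unit was unresponsive. The line layout (ISO timestamp, then host name), the host names and the 10-minute merge gap are assumptions; only the marker string comes from the post.

```python
from datetime import datetime, timedelta

MARKER = "event, resource_low"  # string quoted in the post above

# Constructed sample lines. The "timestamp host message" layout is an
# assumption; adapt parse_line() to what your syslog server writes.
SAMPLE = """\
2024-03-04T10:14:58 ptp650-a event, other_constructed
2024-03-04T10:15:02 ptp650-a event, resource_low
2024-03-04T10:15:40 ptp650-a event, resource_low
2024-03-04T10:19:11 ptp650-a event, resource_low
2024-03-04T13:02:27 ptp650-a event, resource_low
garbled line without a timestamp event, resource_low
2024-03-04T13:30:00 ptp650-b event, resource_low
""".splitlines()

def parse_line(line):
    """Return (time, host) for a resource_low line, else None."""
    if MARKER not in line:
        return None
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1]
    except ValueError:
        return None  # unparseable timestamp: skip rather than guess

def overload_windows(lines, gap=timedelta(minutes=10)):
    """Per host, merge events closer than `gap` into [start, end, count]."""
    windows = {}
    for when, host in sorted(filter(None, map(parse_line, lines))):
        runs = windows.setdefault(host, [])
        if runs and when - runs[-1][1] <= gap:
            runs[-1][1] = when      # extend the current window
            runs[-1][2] += 1
        else:
            runs.append([when, when, 1])
    return windows

if __name__ == "__main__":
    for host, runs in overload_windows(SAMPLE).items():
        for start, end, count in runs:
            print(f"{host}: {start} .. {end} ({count} events)")
```

Windows that line up with high broadcast or multicast load on the link point to the legitimate-traffic explanation given in the post; the same windows should disappear once a management VLAN is in place.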