LPTS EPFT feature

A note on the LPTS EPFT (Excessive Punt Flow Trap) feature. LPTS protects the CPU of Cisco IOS XR devices by keeping attack traffic such as ARP/DHCP/DNS/ICMP from being punted to the line card CPU. When LPTS EPFT is enabled, it monitors these punted flows and penalizes any flow that exceeds a certain rate.

Configuration:

RP/0/RSP0/CPU0:ASR9006-M#show run lpts punt excessive-flow-trap
Fri Jan 29 16:42:08.014 UTC
lpts punt excessive-flow-trap
 penalty-rate arp 100
 penalty-timeout arp 1
 subscriber-interfaces
 non-subscriber-interfaces

Which traffic is monitored:

RP/0/RSP0/CPU0:ASR9006-M#show lpts punt excessive-flow-trap  information
Fri Jan 29 16:02:59.820 UTC

--------------------------------------------------------------
              Police         Penalty
              Rate (pps)     Timeout (mins)
 Protocol   Default Config   Default Config   Punt Reasons
 -------- -------------- -------------- ----------------
 ARP           10     - 15     - ARP
                                              Reverse ARP
                                              Dynamic ARP Inspection (DAI)

 ICMP          10     - 15     - ICMP
                                              ICMP-local
                                              ICMP-app
                                              ICMP-control
                                              ICMP-default

 DHCP          10     - 15     - DHCP Snoop Request
                                              DHCP Snoop Reply
                                              DHCP Broadcast

 PPPOE         10     - 15     - PPP over Ethernet (PPPoE)
                                              PPPoE packets for RSP
                                              PPPoE packet/config mismatch
                                              PPPoE packet/config mismatch for RSP

 PPP           10     - 15     - Point-to-Point Protocol (PPP)
                                              PPP packets for RSP

 IGMP          10     - 15     - IGMP
                                              IGMP Snoop
                                              MLD snooping

 IPv4/v6       10     - 15     - IP Subscriber (IPSUB)
                                              IPv4 options
                                              IPv4 FIB
                                              IPv4 TTL exceeded
                                              IPv4 fragmentation needed
                                              IPv4/v6 adjacency
                                              IPV4/v6 unknown IFIB
                                              UDP-known
                                              UDP-listen
                                              IPv4 tunnel not configred
                                              UDP-default
                                              TCP-known
                                              TCP-listen
                                              TCP-cfg-peer
                                              TCP-default
                                              Raw-listen
                                              Raw-default

 L2TP          10     - 15     - Layer 2 Tunneling Protocol, version 2 (L2TPv2)
                                              L2TPv2-default
                                              L2TPv2-known
                                              L2TPv3

 UNCLASSIFIED      10     - 15     - Unclassified packets
                                              Unclassified packets for RSP

 OSPF           0     - 15     - OSPF-mc-known
                                              OSPF-mc-default
                                              OSPF-uc-known
                                              OSPF-uc-default

 BGP            0     - 15     - BGP-known
                                              BGP-cfg-peer
                                              BGP-default

What rate triggers the penalty:

The monitoring is based on a sampling algorithm, computed as follows (the three parameters in the formula are tunable; they are the three values in the copp table below). In other words, the default threshold is 1000 packets per 800 ms, which is enough headroom for normal ARP, SSH and DHCP traffic.

100 (sampling rate 0.01) x 2 (pick 2 packets) x 5 (5 times) = 1000 packets / 800 ms

RP/0/RSP0/CPU0:ASR9006-M#run attach 0/0/cpu0
Fri Jan 29 16:17:36.395 UTC
attach: Starting session 1 to node 0/0/cpu0
# spp_ui
spp-ui> copp table

Eviction threshold:      2              <<< change by "lpts punt exces eviction-threshold <>"
Report threshold:        5              <<< change by "lpts punt exces report-threshold <>"
Max-IPG:                 800            <<< change by "lpts punt exce max-flow-gap <>"

Penalty actions

Main interfaces

For a main interface, the penalty when the rate is exceeded is that all traffic from the offending MAC address is dropped for 15 minutes, and a log like the one below is shown.

The problem here is that, as in the case below, a downstream device pinged us by mistake. Because an ICMP flow can reach 2500 pps, the penalty is very easy to trigger, and once it fires all traffic arriving from that peer interface is dropped; if a routing protocol runs over that interface, the routing protocol goes down as well.

RP/0/RP1/CPU0:CORE6-ASR9922-A#show logging | in TRAP
Wed Jan 13 07:39:01.788 UTC
LC/0/1/CPU0:Jan 13 06:48:24.362 : flowtrap[196]: %OS-FLOWTRAP-4-BAD_ACTOR_MAC_DETECTED : Excessive ICMP-app flow detected from source MAC address 78ba.f96b.eb82 on interface TenGigE0/1/0/1. Traffic from this MAC address will be dropped for 15 minutes.

Subinterfaces

For a subinterface, the penalty when the rate is exceeded is that its traffic is rate-limited to 10 pps for 15 minutes, and a log like the one below is shown.

The penalty works like this: all egress traffic is policed to 10 pps, and all ingress "for-us" traffic is policed to 10 pps (transit traffic is not affected).

LC/0/0/CPU0:Jan 12 00:35:58.370 CST: flowtrap[217]: %OS-FLOWTRAP-4-BAD_ACTOR_INTF_DETECTED : Excessive ICMP-app flow detected on interface TenGigE0/0/0/3.38032178. The interface will be penalty-policed at 10 pps for 15 minutes.

The default penalty rate is 10 pps; it can be changed with the command "lpts punt excessive-flow-trap penalty-rate xx".

The default penalty timeout is 15 minutes; it can be changed with the command "lpts punt excessive-flow-trap penalty-timeout xx".
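Because a penalty silently drops or polices a neighbour for 15 minutes, it is worth alerting on the two flowtrap messages shown above rather than discovering them after a routing adjacency has failed. The following parser is an added example, not code from the original post; the syslog excerpt it feeds itself is constructed, with a made-up MAC address and interface names, and it returns the MAC-drop and interface-police variants as structured events.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed syslog excerpt modelled on the two flowtrap messages on this page;
# MAC address, interface names and timestamps are made up.
SAMPLE_LOG = """\
LC/0/1/CPU0:Jan 13 06:48:24.362 : flowtrap[196]: %OS-FLOWTRAP-4-BAD_ACTOR_MAC_DETECTED : Excessive ICMP-app flow detected from source MAC address 0011.2233.4455 on interface TenGigE0/1/0/1. Traffic from this MAC address will be dropped for 15 minutes.
LC/0/0/CPU0:Jan 12 00:35:58.370 CST: flowtrap[217]: %OS-FLOWTRAP-4-BAD_ACTOR_INTF_DETECTED : Excessive ARP flow detected on interface TenGigE0/0/0/3.38032178. The interface will be penalty-policed at 10 pps for 15 minutes.
LC/0/0/CPU0:Jan 12 00:36:10.001 CST: ifmgr[251]: %PKT_INFRA-LINK-3-UPDOWN : Interface GigabitEthernet0/0/0/1, changed state to Down
"""

# Main-interface penalty: every frame from the offending MAC is dropped.
MAC_RE = re.compile(
    r"BAD_ACTOR_MAC_DETECTED : Excessive (?P<proto>\S+) flow detected from source "
    r"MAC address (?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) on interface (?P<intf>\S+?)\. "
    r"Traffic from this MAC address will be dropped for (?P<mins>\d+) minutes", re.I)
# Subinterface penalty: the whole subinterface is policed to a low pps rate.
INTF_RE = re.compile(
    r"BAD_ACTOR_INTF_DETECTED : Excessive (?P<proto>\S+) flow detected on interface "
    r"(?P<intf>\S+?)\. The interface will be penalty-policed at (?P<pps>\d+) pps "
    r"for (?P<mins>\d+) minutes", re.I)

@dataclass
class FlowTrapEvent:
    kind: str                       # "mac_drop" or "intf_police"
    protocol: str                   # punt reason, e.g. ICMP-app, ARP
    interface: str
    minutes: int                    # penalty-timeout
    mac: Optional[str] = None       # mac_drop only
    rate_pps: Optional[int] = None  # intf_police only (penalty-rate)

    def impact(self) -> str:
        if self.kind == "mac_drop":
            return (f"all traffic from {self.mac} on {self.interface} dropped for "
                    f"{self.minutes} min; routing adjacencies via that MAC will fail")
        return (f"{self.interface} policed to {self.rate_pps} pps for {self.minutes} min "
                f"(for-us ingress and all egress; transit unaffected)")

def parse_flowtrap(line: str) -> Optional[FlowTrapEvent]:
    """Return a FlowTrapEvent for an EPFT penalty log line, else None."""
    if m := MAC_RE.search(line):
        return FlowTrapEvent("mac_drop", m["proto"], m["intf"], int(m["mins"]), mac=m["mac"].lower())
    if m := INTF_RE.search(line):
        return FlowTrapEvent("intf_police", m["proto"], m["intf"], int(m["mins"]), rate_pps=int(m["pps"]))
    return None

def parse_log(text: str) -> list[FlowTrapEvent]:
    """Extract every EPFT penalty event from a block of syslog text."""
    return [e for e in map(parse_flowtrap, text.splitlines()) if e]
```

Feeding the router's syslog stream through parse_log and paging on any mac_drop event gives the operator a head start on the routing-protocol outage described above.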
