A note on the LPTS EPFT (Excessive Punt Flow Trap) feature. LPTS protects the CPU of Cisco IOS XR devices against attack traffic such as ARP/DHCP/DNS/ICMP being punted to the line card CPU. Once LPTS EPFT is enabled, it monitors these punted flows and applies a penalty when a flow exceeds a certain rate.
Configuration: #
RP/0/RSP0/CPU0:ASR9006-M#show run lpts punt excessive-flow-trap
Fri Jan 29 16:42:08.014 UTC
lpts punt excessive-flow-trap
penalty-rate arp 100
penalty-timeout arp 1
subscriber-interfaces
non-subscriber-interfaces
Which traffic is monitored: #
RP/0/RSP0/CPU0:ASR9006-M#show lpts punt excessive-flow-trap information
Fri Jan 29 16:02:59.820 UTC
--------------------------------------------------------------
                    Police            Penalty
                  Rate (pps)       Timeout (mins)
Protocol        Default  Config   Default  Config   Punt Reasons
--------        ---------------   ---------------   ----------------
ARP                  10       -        15       -   ARP
                                                    Reverse ARP
                                                    Dynamic ARP Inspection (DAI)
ICMP                 10       -        15       -   ICMP
                                                    ICMP-local
                                                    ICMP-app
                                                    ICMP-control
                                                    ICMP-default
DHCP                 10       -        15       -   DHCP Snoop Request
                                                    DHCP Snoop Reply
                                                    DHCP Broadcast
PPPOE                10       -        15       -   PPP over Ethernet (PPPoE)
                                                    PPPoE packets for RSP
                                                    PPPoE packet/config mismatch
                                                    PPPoE packet/config mismatch for RSP
PPP                  10       -        15       -   Point-to-Point Protocol (PPP)
                                                    PPP packets for RSP
IGMP                 10       -        15       -   IGMP
                                                    IGMP Snoop
                                                    MLD snooping
IPv4/v6              10       -        15       -   IP Subscriber (IPSUB)
                                                    IPv4 options
                                                    IPv4 FIB
                                                    IPv4 TTL exceeded
                                                    IPv4 fragmentation needed
                                                    IPv4/v6 adjacency
                                                    IPV4/v6 unknown IFIB
                                                    UDP-known
                                                    UDP-listen
                                                    IPv4 tunnel not configred
                                                    UDP-default
                                                    TCP-known
                                                    TCP-listen
                                                    TCP-cfg-peer
                                                    TCP-default
                                                    Raw-listen
                                                    Raw-default
L2TP                 10       -        15       -   Layer 2 Tunneling Protocol, version 2 (L2TPv2)
                                                    L2TPv2-default
                                                    L2TPv2-known
                                                    L2TPv3
UNCLASSIFIED         10       -        15       -   Unclassified packets
                                                    Unclassified packets for RSP
OSPF                  0       -        15       -   OSPF-mc-known
                                                    OSPF-mc-default
                                                    OSPF-uc-known
                                                    OSPF-uc-default
BGP                   0       -        15       -   BGP-known
                                                    BGP-cfg-peer
                                                    BGP-default
At what rate is the penalty triggered? #
The monitoring is based on a sampling algorithm and is calculated as follows (the three parameters in the formula are tunable). In other words, the default trigger rate is 1000 packets per 800 ms, which leaves room for normal ARP, SSH and DHCP traffic.
100 (sample rate 0.01) x 2 (pick 2 packets) x 5 (5 times) = 1000 packets / 800 ms
RP/0/RSP0/CPU0:ASR9006-M#run attach 0/0/cpu0
Fri Jan 29 16:17:36.395 UTC
attach: Starting session 1 to node 0/0/cpu0
# spp_ui
spp-ui> copp table
Eviction threshold: 2 <<< change by "lpts punt exces eviction-threshold <>"
Report threshold: 5 <<< change by "lpts punt exces report-threshold <>"
Max-IPG: 800 <<< change by "lpts punt exce max-flow-gap <>"
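As an added example (not part of the original note or of any Cisco tooling), the following Python script parses the three values from the `spp-ui> copp table` output above and applies the formula from this note to derive the trap threshold in packets per max-IPG window and in pps, then checks a few flow rates against it. Assumptions: the 1-in-100 sampling period is taken from the "100 (sample rate 0.01)" factor in the formula, and the flow rates (50, 120 and 2500 pps) are constructed, the ICMP one being the roughly 2500 pps this note mentions for a stray ping.

```python
import re

# Parameter lines as shown by "spp-ui> copp table" in this note, with the "<<<" annotations removed.
COPP_TABLE_OUTPUT = """\
Eviction threshold: 2
Report threshold: 5
Max-IPG: 800
"""

# Assumed from the "100 (sample 0.01)" factor in the note's formula: 1 of every 100 punted packets is sampled.
SAMPLE_PERIOD = 100

# Constructed flow rates for the check below; the ICMP value is the ~2500 pps the note cites for a stray ping.
SAMPLE_FLOWS = {"arp-normal": 50, "dhcp-normal": 120, "icmp-ping-flood": 2500}

_PATTERNS = {
    "eviction_threshold": re.compile(r"Eviction threshold:\s*(\d+)"),
    "report_threshold": re.compile(r"Report threshold:\s*(\d+)"),
    "max_ipg_ms": re.compile(r"Max-IPG:\s*(\d+)"),
}


def parse_copp_table(text):
    """Pull the three tunable EPFT parameters out of the 'copp table' output."""
    params = {}
    for key, pattern in _PATTERNS.items():
        match = pattern.search(text)
        if match is None:
            raise ValueError(f"'{key}' not found in copp table output")
        params[key] = int(match.group(1))
    return params


def trap_threshold(params, sample_period=SAMPLE_PERIOD):
    """Apply the note's formula: sample period x eviction threshold x report threshold
    packets within one max-IPG window, and convert that count to packets per second."""
    packets = sample_period * params["eviction_threshold"] * params["report_threshold"]
    window_ms = params["max_ipg_ms"]
    return {"packets": packets, "window_ms": window_ms, "pps": packets * 1000 / window_ms}


def classify_flows(flows_pps, threshold):
    """Label each flow 'trapped' if its rate exceeds the derived threshold, otherwise 'ok'."""
    return {name: ("trapped" if pps > threshold["pps"] else "ok") for name, pps in flows_pps.items()}


if __name__ == "__main__":
    params = parse_copp_table(COPP_TABLE_OUTPUT)
    threshold = trap_threshold(params)
    print(f"trap fires after {threshold['packets']} packets within "
          f"{threshold['window_ms']} ms (about {threshold['pps']:.0f} pps)")
    for name, verdict in classify_flows(SAMPLE_FLOWS, threshold).items():
        print(f"  {name:16s} {SAMPLE_FLOWS[name]:5d} pps -> {verdict}")
```

Under the formula as the note states it, the derived pps value also shows which knob moves the threshold in which direction: raising eviction-threshold or report-threshold raises the packet count a flow must reach, while a larger max-flow-gap lets the same count accumulate over a longer window, so a lower sustained rate is enough to trip the trap.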
Penalty actions #
Main interfaces #
For a main (physical) interface, the penalty for exceeding the rate is that all traffic from the offending MAC address is dropped for 15 minutes, and the following log is shown.
The problem here is that, as shown below, a downstream device pinged us by mistake; since an ICMP rate can easily reach 2500 pps, this penalty is very easy to trigger, so all traffic arriving from that peer interface is dropped, and if a routing protocol is running over it, the routing protocol goes down as well.
RP/0/RP1/CPU0:CORE6-ASR9922-A#show logging | in TRAP
Wed Jan 13 07:39:01.788 UTC
LC/0/1/CPU0:Jan 13 06:48:24.362 : flowtrap[196]: %OS-FLOWTRAP-4-BAD_ACTOR_MAC_DETECTED : Excessive ICMP-app flow detected from source MAC address 78ba.f96b.eb82 on interface TenGigE0/1/0/1. Traffic from this MAC address will be dropped for 15 minutes.
Subinterfaces #
For a subinterface, the penalty for exceeding the rate is that traffic is policed to 10 pps for 15 minutes, and the following log is shown.
Concretely, all egress traffic is policed to 10 pps, and all ingress traffic destined to the device itself ("for us") is policed to 10 pps (transit traffic is not affected).
LC/0/0/CPU0:Jan 12 00:35:58.370 CST: flowtrap[217]: %OS-FLOWTRAP-4-BAD_ACTOR_INTF_DETECTED : Excessive ICMP-app flow detected on interface TenGigE0/0/0/3.38032178. The interface will be penalty-policed at 10 pps for 15 minutes.
The default penalty rate is 10 pps and can be changed with the command "lpts punt excessive-flow-trap penalty-rate xx".
The default penalty timeout is 15 minutes and can be changed with the command "lpts punt excessive-flow-trap penalty-timeout xx".
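As an added example (not part of the original note, and not a Cisco tool), here is a small Python parser for the two flowtrap syslog messages quoted in this note. It extracts the node, protocol, penalised MAC or interface, and penalty duration, and computes when each penalty expires, so that an operator watching the log can tell which MAC/interface is currently being dropped or policed and for how much longer. Assumptions: the log excerpt is constructed from the two lines in this note plus one made-up unrelated link-state line (to show it is ignored), and since IOS XR syslog timestamps carry no year, the year is supplied by the caller (2021 here, the year of the show-command timestamps in this note).

```python
import re
from datetime import datetime, timedelta

# Constructed log excerpt: the two flowtrap lines are the ones quoted in this note; the third is a
# made-up, unrelated link-state message included only to show that the parser ignores it.
SAMPLE_LOG = """\
LC/0/1/CPU0:Jan 13 06:48:24.362 : flowtrap[196]: %OS-FLOWTRAP-4-BAD_ACTOR_MAC_DETECTED : Excessive ICMP-app flow detected from source MAC address 78ba.f96b.eb82 on interface TenGigE0/1/0/1. Traffic from this MAC address will be dropped for 15 minutes.
LC/0/0/CPU0:Jan 12 00:35:58.370 CST: flowtrap[217]: %OS-FLOWTRAP-4-BAD_ACTOR_INTF_DETECTED : Excessive ICMP-app flow detected on interface TenGigE0/0/0/3.38032178. The interface will be penalty-policed at 10 pps for 15 minutes.
LC/0/0/CPU0:Jan 12 00:36:10.001 CST: ifmgr[220]: %PKT_INFRA-LINK-3-UPDOWN : Interface GigabitEthernet0/0/0/5, changed state to Up
"""

# Syslog prefix as seen in the lines above: "<node>:<Mon dd hh:mm:ss.mmm> [TZ]: <process>[pid]: <message>"
_PREFIX = re.compile(
    r"^(?P<node>[^:\s]+):(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3})"
    r"(?: (?P<tz>[A-Z]{3,4}))?\s*: (?P<proc>\w+)\[\d+\]: (?P<rest>.*)$"
)
# Main-interface penalty: traffic from one source MAC is dropped.
_MAC_MSG = re.compile(
    r"%OS-FLOWTRAP-4-BAD_ACTOR_MAC_DETECTED : Excessive (?P<proto>\S+) flow detected from source MAC address "
    r"(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) on interface (?P<intf>\S+)\. "
    r"Traffic from this MAC address will be dropped for (?P<minutes>\d+) minutes\."
)
# Subinterface penalty: the whole interface is policed to a low rate.
_INTF_MSG = re.compile(
    r"%OS-FLOWTRAP-4-BAD_ACTOR_INTF_DETECTED : Excessive (?P<proto>\S+) flow detected on interface "
    r"(?P<intf>\S+)\. The interface will be penalty-policed at (?P<pps>\d+) pps for (?P<minutes>\d+) minutes\."
)


def _timestamp(ts, year):
    # Syslog lines carry no year, so the caller supplies it (assumed 2021 for this note's logs).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S.%f")


def parse_flowtrap_events(log_text, year=2021):
    """Return one dict per flowtrap penalty message, with the penalty expiry time computed."""
    events = []
    for line in log_text.splitlines():
        head = _PREFIX.match(line)
        if head is None or head.group("proc") != "flowtrap":
            continue
        rest = head.group("rest")
        event = {"node": head.group("node"), "seen": _timestamp(head.group("ts"), year)}
        mac = _MAC_MSG.search(rest)
        intf = _INTF_MSG.search(rest)
        if mac:
            event.update(kind="mac-drop", protocol=mac.group("proto"), mac=mac.group("mac"),
                         interface=mac.group("intf"), minutes=int(mac.group("minutes")))
        elif intf:
            event.update(kind="intf-police", protocol=intf.group("proto"), interface=intf.group("intf"),
                         pps=int(intf.group("pps")), minutes=int(intf.group("minutes")))
        else:
            continue  # some other flowtrap message; not one of the two penalties tracked here
        event["expires"] = event["seen"] + timedelta(minutes=event["minutes"])
        events.append(event)
    return events


def active_penalties(events, now):
    """Penalties still in force at 'now' (a datetime in the same assumed year)."""
    return [e for e in events if e["seen"] <= now < e["expires"]]


def summarize(event):
    """One-line operator summary of a penalty event."""
    target = event["mac"] if event["kind"] == "mac-drop" else event["interface"]
    action = "all traffic dropped" if event["kind"] == "mac-drop" else f"policed to {event['pps']} pps"
    return (f"{event['seen']:%b %d %H:%M:%S} {event['protocol']} on {event['interface']}: "
            f"{target} {action} until {event['expires']:%H:%M:%S}")


if __name__ == "__main__":
    for ev in parse_flowtrap_events(SAMPLE_LOG):
        print(summarize(ev))
```

Feeding this the output of `show logging | in TRAP` (as in the note) gives a quick answer to the question that matters during an incident: whether the drop or 10 pps policing seen on a link is an EPFT penalty that will clear on its own at a known time, or something else.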