
LPTS EPFT feature

Author: Rory

A note on the LPTS EPFT feature. LPTS (Local Packet Transport Services) protects the CPU of a Cisco IOS XR device: it stops attack traffic such as ARP/DHCP/DNS/ICMP from being punted to the line-card CPU at will. With the LPTS EPFT (Excessive Punt Flow Trap) feature enabled, these punted flows are monitored, and a flow that exceeds a certain rate is penalised.

Configuration:

RP/0/RSP0/CPU0:ASR9006-M#show run lpts punt excessive-flow-trap
Fri Jan 29 16:42:08.014 UTC
lpts punt excessive-flow-trap
 penalty-rate arp 100
 penalty-timeout arp 1
 subscriber-interfaces
 non-subscriber-interfaces

Which traffic is monitored:

RP/0/RSP0/CPU0:ASR9006-M#show lpts punt excessive-flow-trap  information
Fri Jan 29 16:02:59.820 UTC

--------------------------------------------------------------
              Police         Penalty
              Rate (pps)     Timeout (mins)
 Protocol   Default Config   Default Config   Punt Reasons
 -------- -------------- -------------- ----------------
 ARP           10     - 15     - ARP
                                              Reverse ARP
                                              Dynamic ARP Inspection (DAI)

 ICMP          10     - 15     - ICMP
                                              ICMP-local
                                              ICMP-app
                                              ICMP-control
                                              ICMP-default

 DHCP          10     - 15     - DHCP Snoop Request
                                              DHCP Snoop Reply
                                              DHCP Broadcast

 PPPOE         10     - 15     - PPP over Ethernet (PPPoE)
                                              PPPoE packets for RSP
                                              PPPoE packet/config mismatch
                                              PPPoE packet/config mismatch for RSP

 PPP           10     - 15     - Point-to-Point Protocol (PPP)
                                              PPP packets for RSP

 IGMP          10     - 15     - IGMP
                                              IGMP Snoop
                                              MLD snooping

 IPv4/v6       10     - 15     - IP Subscriber (IPSUB)
                                              IPv4 options
                                              IPv4 FIB
                                              IPv4 TTL exceeded
                                              IPv4 fragmentation needed
                                              IPv4/v6 adjacency
                                              IPV4/v6 unknown IFIB
                                              UDP-known
                                              UDP-listen
                                              IPv4 tunnel not configred
                                              UDP-default
                                              TCP-known
                                              TCP-listen
                                              TCP-cfg-peer
                                              TCP-default
                                              Raw-listen
                                              Raw-default

 L2TP          10     - 15     - Layer 2 Tunneling Protocol, version 2 (L2TPv2)
                                              L2TPv2-default
                                              L2TPv2-known
                                              L2TPv3

 UNCLASSIFIED      10     - 15     - Unclassified packets
                                              Unclassified packets for RSP

 OSPF           0     - 15     - OSPF-mc-known
                                              OSPF-mc-default
                                              OSPF-uc-known
                                              OSPF-uc-default

 BGP            0     - 15     - BGP-known
                                              BGP-cfg-peer
                                              BGP-default

What rate triggers the penalty:

The monitoring is sample-based, and the trigger point works out as follows (the three factors other than the sampling rate are tunable; they are the three values shown in the spp_ui output below). In other words, the default trigger is about 1000 packets per 800 ms, which leaves headroom for normal ARP, SSH and DHCP traffic.

100 (1-in-100 sampling, i.e. 0.01) x 2 (eviction threshold: 2 sampled packets) x 5 (report threshold: 5 times) = 1000 packets / 800 ms (max-IPG)

RP/0/RSP0/CPU0:ASR9006-M#run attach 0/0/cpu0
Fri Jan 29 16:17:36.395 UTC
attach: Starting session 1 to node 0/0/cpu0
# spp_ui
spp-ui> copp table

Eviction threshold:      2              <<< set with "lpts punt excessive-flow-trap eviction-threshold <n>"
Report threshold:        5              <<< set with "lpts punt excessive-flow-trap report-threshold <n>"
Max-IPG:                 800            <<< set with "lpts punt excessive-flow-trap max-flow-gap <ms>"

Penalty actions

Main interfaces

On a main interface, the penalty once the rate is exceeded is that all traffic from the offending source MAC address is dropped for 15 minutes, with a log like the one below.

The problem with this is illustrated below: a downstream device of ours pinged us by mistake. ICMP from it can reach around 2500 pps, which trips the penalty easily, and because the penalty drops every frame from that MAC, all traffic arriving from the peer over that interface is dropped; if a routing protocol runs over the link, it goes down as well.

RP/0/RP1/CPU0:CORE6-ASR9922-A#show logging | in TRAP
Wed Jan 13 07:39:01.788 UTC
LC/0/1/CPU0:Jan 13 06:48:24.362 : flowtrap[196]: %OS-FLOWTRAP-4-BAD_ACTOR_MAC_DETECTED : Excessive ICMP-app flow detected from source MAC address 78ba.f96b.eb82 on interface TenGigE0/1/0/1. Traffic from this MAC address will be dropped for 15 minutes.

Subinterfaces

On a subinterface, the penalty once the rate is exceeded is that traffic is policed to 10 pps for 15 minutes, with a log like the one below.

Specifically, all egress traffic on the subinterface is rate-limited to 10 pps, and ingress traffic destined for the router itself ("for-us" traffic) is rate-limited to 10 pps; transit traffic is not affected.

LC/0/0/CPU0:Jan 12 00:35:58.370 CST: flowtrap[217]: %OS-FLOWTRAP-4-BAD_ACTOR_INTF_DETECTED : Excessive ICMP-app flow detected on interface TenGigE0/0/0/3.38032178. The interface will be penalty-policed at 10 pps for 15 minutes.
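The two flowtrap messages above are the signal an operator actually has to act on, and the main-interface variant is the one that silently takes a peer (and its routing adjacency) off the air. The following parser is an added example, not code from the original post or from Cisco: it recognises both %OS-FLOWTRAP-4 message formats shown on this page, tolerates the optional timezone in the timestamp, and ranks MAC-drop events above interface-policing events. The sample log is constructed from the two lines quoted on this page plus one made-up DHCP event and the command-echo lines that "show logging | in TRAP" prints; the DHCP line and the severity labels are assumptions, not device output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One regex for both %OS-FLOWTRAP-4 variants quoted on this page:
#   BAD_ACTOR_MAC_DETECTED  -> main interface, offending source MAC dropped for N minutes
#   BAD_ACTOR_INTF_DETECTED -> subinterface, interface penalty-policed at N pps for N minutes
# The timestamp may or may not carry a timezone ("06:48:24.362 : " vs "00:35:58.370 CST: ").
FLOWTRAP_RE = re.compile(
    r"^(?P<node>[^:\s]+):"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+)(?: [A-Z]{2,4})? ?: "
    r"flowtrap\[\d+\]: %OS-FLOWTRAP-4-"
    r"(?P<kind>BAD_ACTOR_MAC_DETECTED|BAD_ACTOR_INTF_DETECTED) : "
    r"Excessive (?P<proto>.+?) flow detected "
    r"(?:from source MAC address (?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) )?"
    r"on interface (?P<intf>\S+)\. "
    r"(?:Traffic from this MAC address will be dropped for (?P<drop_min>\d+) minutes"
    r"|The interface will be penalty-policed at (?P<pps>\d+) pps for (?P<police_min>\d+) minutes)\.$"
)


@dataclass
class FlowTrapEvent:
    node: str
    timestamp: str
    kind: str                   # "mac" (source MAC dropped) or "intf" (interface policed)
    protocol: str               # punt reason as printed, e.g. "ICMP-app"
    interface: str
    mac: Optional[str]          # only for "mac" events
    penalty_pps: Optional[int]  # only for "intf" events
    penalty_minutes: int

    @property
    def is_subinterface(self) -> bool:
        # IOS XR names subinterfaces <parent>.<id>, e.g. TenGigE0/0/0/3.38032178
        return "." in self.interface

    def severity(self) -> str:
        # A MAC drop discards every frame from that neighbour, so any routing adjacency
        # on the interface goes down with it: treat it as an outage, not a warning.
        return "critical" if self.kind == "mac" else "warning"

    def summary(self) -> str:
        if self.kind == "mac":
            return (f"{self.node} {self.interface}: {self.protocol} flood from {self.mac}, "
                    f"all traffic from that MAC dropped for {self.penalty_minutes} min")
        return (f"{self.node} {self.interface}: {self.protocol} flood, "
                f"interface policed to {self.penalty_pps} pps for {self.penalty_minutes} min")


def parse_flowtrap(line: str) -> Optional[FlowTrapEvent]:
    """Return a FlowTrapEvent for a flowtrap syslog line, or None for any other line."""
    m = FLOWTRAP_RE.match(line.strip())
    if m is None:
        return None
    if m["kind"] == "BAD_ACTOR_MAC_DETECTED":
        return FlowTrapEvent(m["node"], m["ts"], "mac", m["proto"], m["intf"],
                             m["mac"], None, int(m["drop_min"]))
    return FlowTrapEvent(m["node"], m["ts"], "intf", m["proto"], m["intf"],
                         None, int(m["pps"]), int(m["police_min"]))


def scan_logging(lines: List[str]) -> List[FlowTrapEvent]:
    """Parse a 'show logging' dump; critical (MAC-drop) events are returned first."""
    events = [ev for ev in map(parse_flowtrap, lines) if ev is not None]
    return sorted(events, key=lambda ev: 0 if ev.severity() == "critical" else 1)


# Constructed sample: the two messages quoted on this page, one made-up DHCP event,
# and the command echo / timestamp lines that 'show logging | in TRAP' prints first.
SAMPLE_LOGGING = """\
RP/0/RP1/CPU0:CORE6-ASR9922-A#show logging | in TRAP
Wed Jan 13 07:39:01.788 UTC
LC/0/1/CPU0:Jan 13 06:48:24.362 : flowtrap[196]: %OS-FLOWTRAP-4-BAD_ACTOR_MAC_DETECTED : Excessive ICMP-app flow detected from source MAC address 78ba.f96b.eb82 on interface TenGigE0/1/0/1. Traffic from this MAC address will be dropped for 15 minutes.
LC/0/0/CPU0:Jan 12 00:35:58.370 CST: flowtrap[217]: %OS-FLOWTRAP-4-BAD_ACTOR_INTF_DETECTED : Excessive ICMP-app flow detected on interface TenGigE0/0/0/3.38032178. The interface will be penalty-policed at 10 pps for 15 minutes.
LC/0/0/CPU0:Jan 12 00:41:10.002 CST: flowtrap[217]: %OS-FLOWTRAP-4-BAD_ACTOR_INTF_DETECTED : Excessive DHCP Snoop Request flow detected on interface GigabitEthernet0/0/0/5.100. The interface will be penalty-policed at 100 pps for 1 minutes.
""".splitlines()

if __name__ == "__main__":
    for ev in scan_logging(SAMPLE_LOGGING):
        print(f"[{ev.severity()}] {ev.summary()}")
```

Feed it the output of "show logging | in FLOWTRAP" from each router; a "critical" result on a physical interface that carries a routing adjacency is the case described above, and the penalty-minutes field tells you how long the neighbour stays blackholed unless the entry is cleared.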

The default penalty rate is 10 pps; it is changed per protocol with "lpts punt excessive-flow-trap penalty-rate <protocol> <pps>" (the configuration above sets 100 pps for ARP).

The default penalty timeout is 15 minutes; it is changed per protocol with "lpts punt excessive-flow-trap penalty-timeout <protocol> <minutes>" (the configuration above sets 1 minute for ARP).
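As an added example (not configuration from the original post), this is how the knobs described above fit together on a router where a neighbour's stray ping must not blackhole a link. The icmp protocol keyword is assumed from the ICMP row of the "show lpts punt excessive-flow-trap information" table; that leaving out non-subscriber-interfaces keeps main interfaces out of the feature (and so away from the MAC-drop penalty) is assumed from the keyword's name and from the fact that the post's own configuration enables both keywords. The threshold arithmetic follows the post's formula, and the values are illustrative.

```text
! Added example, not from the original post.
! Trigger under the post's formula with the defaults: 100 x 2 x 5 = 1000 packets / 800 ms, about 1250 pps.
! With report-threshold 15 it becomes 100 x 2 x 15 = 3000 packets / 800 ms, about 3750 pps,
! which is above the ~2500 pps of ICMP that a neighbour's ping produced in the post.
lpts punt excessive-flow-trap
 eviction-threshold 2
 report-threshold 15
 max-flow-gap 800
 ! once an ICMP flow is trapped, police it at 100 pps instead of the 10 pps default
 ! (icmp keyword assumed from the protocol table)
 penalty-rate icmp 100
 ! hold the penalty for 1 minute instead of the 15-minute default
 penalty-timeout icmp 1
 ! enable on subscriber interfaces only; non-subscriber-interfaces is deliberately absent
 ! so main interfaces are not monitored (assumption, see lead-in)
 subscriber-interfaces
!
```

Verify the result with "show run lpts punt excessive-flow-trap" and "show lpts punt excessive-flow-trap information": the Config columns of the ICMP row should show the new rate and timeout, and the eviction, report and max-IPG values in "spp-ui> copp table" should match what was configured.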