LPTS Excessive Flow Trap - ASR9K

From DocWiki


This is a variant of LPTS (Local Packet Transport Services) that can be used to police individual hosts at layer 2, instead of all traffic towards an NP (network processor). It can be used to prevent things like:

  • a single host exhausting ARP
  • DHCP attacks
  • ICMP attacks

If this feature is turned on, it affects lots of protocols, not just what has been configured.


Configuration

LPTS Excessive-flow-trap is not enabled by default. It can be turned on for a variety of protocols.

RP/0/RSP0/CPU0:ASR9000(config)# lpts punt excessive-flow-trap penalty-rate ?
  default  Configure default penalty policing rate for all protocols
  arp      Configure penalty policing rate for arp
  icmp     Configure penalty policing rate for icmp
  dhcp     Configure penalty policing rate for dhcp
  pppoe    Configure penalty policing rate for pppoe
  ppp      Configure penalty policing rate for ppp
  igmp     Configure penalty policing rate for igmp
  ip       Configure penalty policing rate for ipv4/v6
  l2tp     Configure penalty policing rate for l2tp

Adjust allowed rates

This design limits a host to 15 pps (packets per second) for ARP and 15 pps for ICMP. The penalty timeout is left at its default of 15 minutes.

RP/0/RSP0/CPU0:ASR9000# configure
RP/0/RSP0/CPU0:ASR9000(config)# lpts punt excessive-flow-trap
RP/0/RSP0/CPU0:ASR9000-(config-control-plane-policer)# penalty-rate arp 15
RP/0/RSP0/CPU0:ASR9000-(config-control-plane-policer)# penalty-rate icmp 15  
RP/0/RSP0/CPU0:ASR9000-(config-control-plane-policer)# commit

Turn it on

Now enable it. It can be enabled on subscriber and non-subscriber interfaces.

Remember: If this feature is turned on, it affects lots of protocols, not just what has been configured.

RP/0/RSP0/CPU0:ASR9000# configure
RP/0/RSP0/CPU0:ASR9001-B(config)# lpts punt excessive-flow-trap non-subscriber-interfaces
RP/0/RSP0/CPU0:ASR9001-B(config)# commit

Verification

In the Config column we can see the police rate for ICMP (and ARP) has changed.

There are rates for ARP, ICMP, DHCP, PPPoE, PPP, IGMP, IPv4/IPv6 and L2TP.

RP/0/RSP0/CPU0:ASR9000# show lpts punt excessive-flow-trap information                            
 
--------------------------------------------------------------
              Police         Penalty
              Rate (pps)     Timeout (mins)
 Protocol   Default Config   Default Config   Punt Reasons
 --------   --------------   --------------   ----------------
 ARP           10     15        15      -     ARP
                                              Reverse ARP
                                              Dynamic ARP Inspection (DAI)

 ICMP          10     15         15      -    ICMP
                                              ICMP-local
                                              ICMP-app
                                              ICMP-control
                                              ICMP-default

 DHCP          10     -         15     -      DHCP Snoop Request
                                              DHCP Snoop Reply

 PPPOE         10     -         15     -      PPP over Ethernet (PPPoE)
                                              PPPoE packets for RSP
                                              PPPoE packet/config mismatch
                                              PPPoE packet/config mismatch for RSP

 PPP           10     -         15     -      Point-to-Point Protocol (PPP)
                                              PPP packets for RSP

 IGMP          10     -         15     -      IGMP
                                              IGMP Snoop
                                              MLD Snoop

 IPv4/v6       10     -         15     -      IP Subscriber (IPSUB)
                                              IPv4 options
                                              IPv4 FIB
                                              IPv4 TTL exceeded
                                              IPv4 fragmentation needed
                                              IPv4/v6 adjacency
                                              IPV4/v6 unknown IFIB
                                              UDP-known
                                              UDP-listen
                                              Generic Routing Encap (GRE) non IPv4
                                              UDP-default
                                              TCP-known
                                              TCP-listen
                                              TCP-cfg-peer
                                              TCP-default
                                              Raw-listen
                                              Raw-default

 L2TP          10     -         15     -      Layer 2 Tunneling Protocol, version 2 (L2TPv2)
                                              L2TPv2-default
                                              L2TPv2-known
                                              L2TPv3

I have a ping running from another host that is above 10 pps. We can see this flow has been policed via LPTS Excessive Flow Trap.

RP/0/RSP0/CPU0:ASR9000# show lpts punt excessive-flow-trap all
    Parent Interface: GigabitEthernet0/0/0/4            Src MAC Addr: 6c9c.ed35.8f82                 
         Intf Handle: 0x040002C0                            Location: 0/0/CPU0
            Protocol: ICMP                               Punt Reason: ICMP-local
        Penalty Rate: 0 pps (all packets dropped)    Penalty Timeout: 5 mins                          
      Time Remaining: 4 mins 49 secs
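The trap output above is only useful if someone is looking at the console. The following is an added example, not part of the DocWiki page or any Cisco tooling: a small Python parser that turns the text of show lpts punt excessive-flow-trap all (as collected by whatever method polls the router) into structured records and one alert line per penalised host, so a flow being policed can be forwarded to a log collector. The sample output embedded in it reproduces the ICMP entry from the page and adds a second, constructed ARP entry (its MAC address, interface and handle are made up).

```python
"""Parse 'show lpts punt excessive-flow-trap all' output into records.

Added example (not from the DocWiki page or from Cisco). The field layout
assumed here is the one shown on the page: two 'Key: value' pairs per line,
separated by a run of spaces, with one record per trapped flow.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample output. The first entry reproduces the trapped flow shown on the
# page; the second is constructed (MAC 0011.2233.4455, interface and handle
# are made up) so that more than one penalised host is present.
SAMPLE_OUTPUT = """\
RP/0/RSP0/CPU0:ASR9000# show lpts punt excessive-flow-trap all
    Parent Interface: GigabitEthernet0/0/0/4            Src MAC Addr: 6c9c.ed35.8f82
         Intf Handle: 0x040002C0                            Location: 0/0/CPU0
            Protocol: ICMP                               Punt Reason: ICMP-local
        Penalty Rate: 0 pps (all packets dropped)    Penalty Timeout: 5 mins
      Time Remaining: 4 mins 49 secs

    Parent Interface: GigabitEthernet0/0/0/7            Src MAC Addr: 0011.2233.4455
         Intf Handle: 0x040002D0                            Location: 0/0/CPU0
            Protocol: ARP                                Punt Reason: ARP
        Penalty Rate: 15 pps                         Penalty Timeout: 15 mins
      Time Remaining: 12 mins 3 secs
"""

FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z /]*?):\s+(?P<value>.+)$")
DURATION_RE = re.compile(r"(\d+)\s*(hour|min|sec)s?")


@dataclass
class TrappedFlow:
    parent_interface: str
    src_mac: str
    location: str
    protocol: str
    punt_reason: str
    penalty_rate_pps: int       # 0 means every packet of the flow is dropped
    all_dropped: bool
    penalty_timeout_mins: int
    time_remaining_secs: int


def _duration_to_secs(text: str) -> int:
    """'4 mins 49 secs' -> 289; tolerates missing or extra units."""
    units = {"hour": 3600, "min": 60, "sec": 1}
    return sum(int(n) * units[u] for n, u in DURATION_RE.findall(text))


def _fields(line: str) -> Dict[str, str]:
    """Split one output line into its 'Key: value' pairs.

    The CLI prints two pairs per line separated by a run of spaces, while a
    value such as '0 pps (all packets dropped)' contains single spaces only,
    so splitting on two or more spaces keeps values intact.
    """
    out: Dict[str, str] = {}
    for chunk in re.split(r"\s{2,}", line.strip()):
        m = FIELD_RE.match(chunk)
        if m:
            out[m.group("key")] = m.group("value").strip()
    return out


def _build(raw: Dict[str, str]) -> TrappedFlow:
    rate_text = raw.get("Penalty Rate", "")
    rate_m = re.match(r"(\d+)\s*pps", rate_text)
    timeout_m = re.match(r"(\d+)\s*mins?", raw.get("Penalty Timeout", ""))
    return TrappedFlow(
        parent_interface=raw.get("Parent Interface", ""),
        src_mac=raw.get("Src MAC Addr", ""),
        location=raw.get("Location", ""),
        protocol=raw.get("Protocol", ""),
        punt_reason=raw.get("Punt Reason", ""),
        penalty_rate_pps=int(rate_m.group(1)) if rate_m else -1,
        all_dropped="all packets dropped" in rate_text,
        penalty_timeout_mins=int(timeout_m.group(1)) if timeout_m else -1,
        time_remaining_secs=_duration_to_secs(raw.get("Time Remaining", "")),
    )


def parse_trap_output(text: str) -> List[TrappedFlow]:
    """Return one TrappedFlow per record; a record starts at 'Parent Interface'."""
    flows: List[TrappedFlow] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or "# show " in line:   # blank line or the CLI prompt
            continue
        fields = _fields(line)
        if "Parent Interface" in fields and current:  # a new record begins
            flows.append(_build(current))
            current = {}
        current.update(fields)
    if current:
        flows.append(_build(current))
    return flows


def alerts(flows: List[TrappedFlow]) -> List[str]:
    """One human-readable alert line per penalised host, suitable for a log collector."""
    return [
        f"{f.protocol}/{f.punt_reason} from {f.src_mac} on {f.parent_interface} "
        f"({f.location}) policed to {f.penalty_rate_pps} pps"
        + (" [all dropped]" if f.all_dropped else "")
        + f", {f.time_remaining_secs}s of penalty left"
        for f in flows
    ]


if __name__ == "__main__":
    for line in alerts(parse_trap_output(SAMPLE_OUTPUT)):
        print(line)
```

Run periodically, the parsed records also give you the operational check the page implies but does not spell out: a host that keeps reappearing with a fresh Time Remaining after each penalty expires is either misbehaving persistently or has a legitimate rate above the configured penalty-rate, and in the latter case the rate, not the host, needs adjusting.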
