A note on the LPTS EPFT (Excessive Punt Flow Trap) feature. LPTS protects the CPU of Cisco IOS XR devices: it keeps attack traffic such as ARP/DHCP/DNS/ICMP floods from being punted to the line card CPU unchecked. With LPTS EPFT enabled, these punted flows are monitored and a source that exceeds a certain rate is penalized.
Configuration:
RP/0/RSP0/CPU0:ASR9006-M#show run lpts punt excessive-flow-trap
Fri Jan 29 16:42:08.014 UTC
lpts punt excessive-flow-trap
 penalty-rate arp 100
 penalty-timeout arp 1
 subscriber-interfaces
 non-subscriber-interfaces
Which traffic is monitored:
RP/0/RSP0/CPU0:ASR9006-M#show lpts punt excessive-flow-trap information
Fri Jan 29 16:02:59.820 UTC
--------------------------------------------------------------
                 Police           Penalty
                 Rate (pps)       Timeout (mins)
Protocol         Default Config   Default Config   Punt Reasons
--------         --------------   --------------   ----------------
ARP              10      -        15      -        ARP
                                                   Reverse ARP
                                                   Dynamic ARP Inspection (DAI)

ICMP             10      -        15      -        ICMP
                                                   ICMP-local
                                                   ICMP-app
                                                   ICMP-control
                                                   ICMP-default

DHCP             10      -        15      -        DHCP Snoop Request
                                                   DHCP Snoop Reply
                                                   DHCP Broadcast

PPPOE            10      -        15      -        PPP over Ethernet (PPPoE)
                                                   PPPoE packets for RSP
                                                   PPPoE packet/config mismatch
                                                   PPPoE packet/config mismatch for RSP

PPP              10      -        15      -        Point-to-Point Protocol (PPP)
                                                   PPP packets for RSP

IGMP             10      -        15      -        IGMP
                                                   IGMP Snoop
                                                   MLD snooping

IPv4/v6          10      -        15      -        IP Subscriber (IPSUB)
                                                   IPv4 options
                                                   IPv4 FIB
                                                   IPv4 TTL exceeded
                                                   IPv4 fragmentation needed
                                                   IPv4/v6 adjacency
                                                   IPV4/v6 unknown
                                                   IFIB
                                                   UDP-known
                                                   UDP-listen
                                                   IPv4 tunnel not configred
                                                   UDP-default
                                                   TCP-known
                                                   TCP-listen
                                                   TCP-cfg-peer
                                                   TCP-default
                                                   Raw-listen
                                                   Raw-default

L2TP             10      -        15      -        Layer 2 Tunneling Protocol, version 2 (L2TPv2)
                                                   L2TPv2-default
                                                   L2TPv2-known
                                                   L2TPv3

UNCLASSIFIED     10      -        15      -        Unclassified packets
                                                   Unclassified packets for RSP

OSPF             0       -        15      -        OSPF-mc-known
                                                   OSPF-mc-default
                                                   OSPF-uc-known
                                                   OSPF-uc-default

BGP              0       -        15      -        BGP-known
                                                   BGP-cfg-peer
                                                   BGP-default
At what rate is the penalty triggered:
The detection is sample-based rather than a straight packet counter. The formula below has three tunable parameters (eviction threshold, report threshold and maximum inter-packet gap, all visible in the spp_ui "copp table" output). With the defaults this works out to roughly 1000 packets per 800 ms, which leaves headroom for normal ARP, SSH and DHCP traffic.
100 (sample 0.01) x 2 (pick 2 packets) x 5 (5 times) = 1000 packets / 800 ms

RP/0/RSP0/CPU0:ASR9006-M#run attach 0/0/cpu0
Fri Jan 29 16:17:36.395 UTC
attach: Starting session 1 to node 0/0/cpu0
# spp_ui
spp-ui> copp table
Eviction threshold: 2      <<< change with "lpts punt excessive-flow-trap eviction-threshold <n>"
Report threshold: 5        <<< change with "lpts punt excessive-flow-trap report-threshold <n>"
Max-IPG: 800               <<< change with "lpts punt excessive-flow-trap max-flow-gap <ms>"
Penalty behavior
Main interfaces
On a main interface, the penalty for exceeding the rate is that all traffic from the offending source MAC address is dropped for 15 minutes, with a log like the following.
The problem here is that a downstream device pinging us by mistake is enough to trip it: the ICMP rate can reach around 2500 pps, which easily triggers the penalty, so everything arriving from that peer (all frames sourced from its MAC on the interface) is dropped. If a routing protocol runs over that link, its session goes down too.
RP/0/RP1/CPU0:CORE6-ASR9922-A#show logging | in TRAP
Wed Jan 13 07:39:01.788 UTC
LC/0/1/CPU0:Jan 13 06:48:24.362 : flowtrap[196]: %OS-FLOWTRAP-4-BAD_ACTOR_MAC_DETECTED : Excessive ICMP-app flow detected from source MAC address 78ba.f96b.eb82 on interface TenGigE0/1/0/1. Traffic from this MAC address will be dropped for 15 minutes.
Subinterfaces
On a subinterface, the penalty for exceeding the rate is that traffic is rate-limited to 10 pps for 15 minutes, with a log like the following.
The penalty works as follows: all egress traffic is policed to 10 pps, and all ingress for-us (punted) traffic is policed to 10 pps; transit traffic is not affected.
LC/0/0/CPU0:Jan 12 00:35:58.370 CST: flowtrap[217]: %OS-FLOWTRAP-4-BAD_ACTOR_INTF_DETECTED : Excessive ICMP-app flow detected on interface TenGigE0/0/0/3.38032178. The interface will be penalty-policed at 10 pps for 15 minutes.
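The two FLOWTRAP messages above (a per-MAC drop on a main interface, penalty policing on a subinterface) are what an operator or SOC would want to alert on. The following is an added example, not part of the original post and not Cisco code: a small Python parser that turns both message formats into structured events and rates a per-MAC drop on a core-facing interface as critical, since that is the case in which a neighbour's routing protocol goes down. The sample log reuses the two lines quoted on this page plus one constructed, unrelated syslog line; the set of core-facing interfaces is an assumed input.

```python
"""Parse Cisco IOS XR 'flowtrap' syslog messages (LPTS excessive flow trap
penalties) into structured events and flag the dangerous case described on
this page: a per-MAC drop on a core-facing main interface.

Added example; not from the original post or from Cisco. The two FLOWTRAP
lines in SAMPLE_LOG are the ones quoted on this page; the third line is a
constructed non-flowtrap message used to show that unrelated lines are ignored.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Common syslog prefix: "<node>:<timestamp>[ TZ] : flowtrap[<pid>]: <message>"
_HEADER = re.compile(
    r"^(?P<node>\S+?):(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d+)"
    r"(?: (?P<tz>[A-Z]{2,5}))?\s*:\s*flowtrap\[\d+\]:\s*(?P<msg>.*)$"
)

# Main interface penalty: every frame from the offending MAC is dropped.
_MAC_MSG = re.compile(
    r"%OS-FLOWTRAP-4-BAD_ACTOR_MAC_DETECTED\s*:\s*Excessive (?P<reason>\S+) flow detected "
    r"from source MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on interface (?P<intf>\S+?)\.\s+Traffic from this MAC address will be dropped "
    r"for (?P<minutes>\d+) minutes",
    re.IGNORECASE,
)

# Subinterface penalty: the interface is policed to <pps> instead of dropped.
_INTF_MSG = re.compile(
    r"%OS-FLOWTRAP-4-BAD_ACTOR_INTF_DETECTED\s*:\s*Excessive (?P<reason>\S+) flow detected "
    r"on interface (?P<intf>\S+?)\.\s+The interface will be penalty-policed "
    r"at (?P<pps>\d+) pps for (?P<minutes>\d+) minutes",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class FlowtrapEvent:
    node: str          # line card that raised the trap, e.g. LC/0/1/CPU0
    timestamp: str     # timestamp as printed by the router (no year)
    reason: str        # punt reason, e.g. ICMP-app, ARP
    interface: str     # interface or subinterface name
    action: str        # "drop" (per-MAC) or "police" (per-interface)
    minutes: int       # penalty duration
    mac: Optional[str] = None   # offending source MAC for the "drop" action
    pps: Optional[int] = None   # penalty police rate for the "police" action


def parse_flowtrap(line: str) -> Optional[FlowtrapEvent]:
    """Return a FlowtrapEvent for a BAD_ACTOR_* syslog line, None otherwise."""
    head = _HEADER.match(line.strip())
    if not head:
        return None
    msg = head.group("msg")
    m = _MAC_MSG.search(msg)
    if m:
        return FlowtrapEvent(
            node=head.group("node"), timestamp=head.group("ts"),
            reason=m.group("reason"), interface=m.group("intf"),
            action="drop", minutes=int(m.group("minutes")),
            mac=m.group("mac").lower(),
        )
    m = _INTF_MSG.search(msg)
    if m:
        return FlowtrapEvent(
            node=head.group("node"), timestamp=head.group("ts"),
            reason=m.group("reason"), interface=m.group("intf"),
            action="police", minutes=int(m.group("minutes")),
            pps=int(m.group("pps")),
        )
    return None


def parse_log(lines: Iterable[str]) -> List[FlowtrapEvent]:
    """Parse a whole 'show logging' dump, skipping lines that are not traps."""
    return [ev for ev in map(parse_flowtrap, lines) if ev is not None]


def severity(event: FlowtrapEvent, core_interfaces: Iterable[str]) -> str:
    """Rate an event. A per-MAC drop on a core/peering main interface takes the
    neighbour's routing protocol down with it (the case the post warns about),
    so it is 'critical'; any other MAC drop is 'high'; policing a subinterface
    to a trickle is 'medium'."""
    if event.action == "drop":
        return "critical" if event.interface in set(core_interfaces) else "high"
    return "medium"


# First two lines are the ones quoted on this page; the third is constructed.
SAMPLE_LOG = [
    "LC/0/1/CPU0:Jan 13 06:48:24.362 : flowtrap[196]: %OS-FLOWTRAP-4-BAD_ACTOR_MAC_DETECTED : "
    "Excessive ICMP-app flow detected from source MAC address 78ba.f96b.eb82 on interface "
    "TenGigE0/1/0/1. Traffic from this MAC address will be dropped for 15 minutes.",
    "LC/0/0/CPU0:Jan 12 00:35:58.370 CST: flowtrap[217]: %OS-FLOWTRAP-4-BAD_ACTOR_INTF_DETECTED : "
    "Excessive ICMP-app flow detected on interface TenGigE0/0/0/3.38032178. The interface will "
    "be penalty-policed at 10 pps for 15 minutes.",
    "RP/0/RSP0/CPU0:Jan 13 06:50:00.001 : config[65700]: %MGBL-CONFIG-6-DB_COMMIT : "
    "Configuration committed by user 'admin'.",
]

if __name__ == "__main__":
    core = {"TenGigE0/1/0/1"}  # assumed set of peering/core-facing ports
    for ev in parse_log(SAMPLE_LOG):
        print(severity(ev, core).upper(), ev)
```

Feed it the output of "show logging | in FLOWTRAP" (or the syslog stream) and page on "critical": that is a MAC-level blackhole on a link you care about, and the 15-minute timer is what keeps the routing adjacency down.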
The default penalty police rate is 10 pps; it can be changed with "lpts punt excessive-flow-trap penalty-rate <protocol> <pps>".
The default penalty duration is 15 minutes; it can be changed with "lpts punt excessive-flow-trap penalty-timeout <protocol> <minutes>". Both are set per protocol, as the "penalty-rate arp 100" and "penalty-timeout arp 1" lines in the configuration at the top show, and the Default/Config columns of "show lpts punt excessive-flow-trap information" report the resulting values.
Original blog post: http://imxing.cn/wp-trackback.php?p=1000