Excessive Punt Flow Trap
The Excessive Punt Flow Trap feature attempts to identify and mitigate control packet traffic from remote devices that send more than their allocated share of control packet traffic. A remote device can be a subscriber device, a device on a VLAN interface, or a device identified by its source MAC address.
When remote devices send control packet traffic to the router, the control packets are punted and policed by a local packet transport service (LPTS) queue to protect the router's CPU. If one device sends an excessive rate of control packet traffic, the policer queue fills up, causing many packets to be dropped. If the rate from one "bad actor" device greatly exceeds that of other devices, most of the other devices do not get any of their control packets through to the router. The Excessive Punt Flow Trap feature addresses this situation.
Note: Even when the Excessive Punt Flow Trap feature is not enabled, "bad actors" can only affect services for other devices; they cannot bring down the router.
The Excessive Punt Flow Trap feature is supported on both subscriber interfaces and non-subscriber interfaces such as L2 and L3 VLAN sub-interfaces and bundle virtual interfaces (BVIs). If the source that floods the punt queue with packets is a device with an interface handle, then all punts from that bad actor interface are penalty policed. The default penalty rate, for each protocol, is 10 packets per second (pps). Otherwise, if the source is a device that does not have an interface handle, all packets from this bad actor are dropped.
Note: In the 4.2.x releases, the Excessive Punt Flow Trap feature was called "Subscriber Control Plane Policing (CoPP)" and operated only on subscriber interfaces.
Functioning of Excessive Punt Flow Trap Feature
The Excessive Punt Flow Trap feature monitors control packet traffic arriving from physical interfaces, sub-interfaces, BVI, and subscriber interfaces. It divides interfaces into two categories:
- "Parent" interfaces, which can have other interfaces under them.
- "Non-parent" interfaces, which have no interfaces under them.
A physical interface is always a parent interface because it has VLAN sub-interfaces. An L3 VLAN sub-interface can either be a parent or a non-parent interface. If the VLAN sub-interface is enabled for subscribers, then it is a parent interface, otherwise it is a non-parent interface. A subscriber interface (IPoE or PPPoE) is always a non-parent interface.
When a flow is trapped, the Excessive Punt Flow Trap feature tries to identify the source of the flow. The first thing it determines is from which interface the flow came. If this interface is not a "parent" interface, then the feature assumes that it is the end-point source of the flow and penalty policing is applied. The software also applies a penalty policer in the case of a BVI interface. If the trapped interface is a "parent" interface, then instead of penalizing the entire interface (which would penalize all the interfaces under it), this feature takes the source MAC address of the bad flow and drops all packets from that MAC address under the parent. Due to a platform limitation, the penalty policer cannot be applied on a MAC address; therefore all packets are dropped.
For more information about enabling the Excessive Punt Flow Trap feature, see Enabling Excessive Punt Flow Trap Processing.
Note: The Excessive Punt Flow Trap feature monitors all punt traffic. There is no way to remove a particular interface from the initial monitoring, nor can an interface be prevented from being flagged as bad if it is the source of excessive flows.
Bad actors are policed for each protocol. The protocols that are supported by the Excessive Punt Flow Trap feature are Broadcast, Multicast, ARP, DHCP, PPP, PPPoE, ICMP, IGMP, L2TP and IP (covers many types of L3 based punts, both IPv4 and IPv6). Each protocol has a static punt rate and a penalty rate. For example, the sum total of all ICMP punts from remote devices is policed at 1500 packets per second (pps) to the router's CPU. If one remote device sends an excessive rate of ICMP traffic and is trapped, then ICMP traffic from that bad actor is policed at 10 pps. The remaining (non-bad) remote devices continue to use the static 1500 pps queue for ICMP.
Note: The excessive rate required to cause an interface to get trapped has nothing to do with the static punt rate (e.g. 1500 pps for ICMP). The excessive rate is a rate that is significantly higher than the current average rate of other control packets being punted. The excessive rate is not a fixed rate, and is dependent on the current overall punt packet activity.
Once a bad actor is trapped, it is penalty policed on all its punted protocols (ARP, DHCP, PPP, etc.), irrespective of the protocol that caused it to be identified as a bad actor. A penalty rate of 10 pps is sufficient to allow the other protocols to function normally. However, if the bad actor is trapped by source MAC address, then all its packets are dropped.
When an interface is trapped, it is placed in a "penalty box" for a period of time (a default of 15 minutes). At the end of the penalty timeout, it is removed from penalty policing (or dropping). If there is still an excessive rate of control packet traffic coming from the remote device, then the interface is trapped again.
Restrictions
These restrictions apply to implementing Excessive Punt Flow Trap feature:
- The A9K-8x100G-LB-SE and A9K-8x100G-LB-TR line cards do not support BNG subscriber interfaces.
- This feature does not support interfaces on SIP-700 line cards and ASR 9000 Ethernet Line Card.
- This feature is non-deterministic. In some cases, the Excessive Punt Flow Trap feature can give a false positive, i.e. it could trap an interface that is sending legitimate punt traffic.
- The Excessive Punt Flow Trap feature traps flows based on the relative rate of different flows; thus, the behavior depends on the ambient punt rates. A flow that is significantly higher than other flows could be trapped as a bad actor. Thus the feature is less sensitive when there are many flows, and more sensitive when there are fewer flows present.
- Sometimes control packet traffic can occur in bursts. The Excessive Punt Flow Trap has safeguards against triggering on short bursts, but longer bursts could trigger a false positive trap.
MAC-based EPFT on Non-subscriber Interface
This feature supports dropping of the excessive punt packets from a bad actor flow, based on the source MAC address. Prior to Cisco IOS XR Release 5.3.1, EPFT on non-subscriber interfaces was only performed based on the ifhandle (interface handle) of the VLAN sub-interface, wherein all the ingress punt packets on the VLAN sub-interface are penalty policed, irrespective of their source MAC addresses.
In an aggregation scenario, packets may come from multiple source MAC addresses to a VLAN sub-interface. If one particular source MAC sends excessive punt packets, it drains the punt queue; punt packets of other source MAC addresses on that non-subscriber interface may get dropped. MAC-based EPFT on the non-subscriber interface feature performs EPFT (that is, it drops the packets) based on a source MAC address, if the flow is a bad actor flow sending excessive punt packets.
To enable MAC-based EPFT on non-subscriber interface, you must use this command in global configuration mode:
lpts punt excessive-flow-trap non-subscriber-interfaces [mac]
Note: If the mac option is not configured, the default behavior is to perform EPFT based on the ifhandle of the non-subscriber interface.
Tunable Sampler Parameters for Control Plane Policing
This feature allows configuring various EPFT sampler parameters to fine-tune the Elephant Trap algorithm, to achieve the best behavior for realistic traffic streams, and to reduce situations like false positives to a great extent. Before this release, these parameter values were fixed and read from a configuration file.
The commands available for this feature are privileged (Cisco-support) commands.
This table lists configurable EPFT sampler parameters:
EPFT Sampler Parameter | Description
---|---
Elephant Trap size | The maximum number of flows that are concurrently stored in the Elephant Trap. The range is from 1 to 128; default is 64. The value must be a power of 2, that is, 1, 2, 4, 8, 16, 32, 64 and 128 are the valid values.
Sampling probability | Sampling probability of the Elephant Trap; that is, the probability of sampling any particular packet and feeding it into the trap. This is a floating point number ranging from 0 to 1, enclosed in double quotes (""). By default, the value is "0.01", which means that 1 out of 100 packets is randomly picked for sampling.
Report threshold | Threshold at which a flow is reported as a bad actor. The range is from 1 to 65535; default is 5.
Eviction threshold | Threshold below which a flow can be evicted from the Elephant Trap. The range is from 1 to 65535; default is 2.
Eviction search limit | Maximum number of entries to check before cancelling an eviction search. The range is from 1 to 128; default is 64. The eviction search limit must not be more than the Elephant Trap size.
Maximum flow gap | The maximum time, in milliseconds, that the Elephant Trap allows between successive samples while incrementing the hit counter. The range is from 1 to 60000; default is 800.
False Positive Suppression
Due to the probabilistic nature of the Elephant Trap algorithm, there is possibility of good flows being trapped as bad flows. This probability is more in scenarios where the number of flows is less. Such false positives can be suppressed using these features:
- Support of tunable sampler parameters for control plane policing. For details, see Tunable Sampler Parameters for Control Plane Policing.
- False positive suppression through dampening.
The dampening feature traps only repeated bad actor flows. The Flowtrap process maintains a trap, similar to the Elephant Trap, that stores information about each flow for which a bad actor notification is received from the sampler process. The bad actor notification (to penalty police the flow, or to drop the packets from the flow) is acted on only if the notification is received twice within a specified time (a configurable time in seconds). Although this extends the time before a true bad actor is throttled, it also reduces false positives.
By default, the dampening feature is disabled. To enable this feature, you must use this command in global configuration mode:
lpts punt excessive-flow-trap dampening [time]
The range of time (in milliseconds) is from 1 to 60000. If the time option is not used after the dampening keyword, a default time value of 30 is used.
EPFT Support for Packet-Triggered Sessions
Before Cisco IOS XR Software Release 5.3.0, punt packets on a packet-triggered subscriber interface and on a packet-triggered access interface were policed as per the LPTS rates. That policing rate was high (2000 packets per second) and system wide. With EPFT support for packet-triggered sessions, punt packets on packet-triggered interfaces (subscriber and access) go through the EPFT node. If identified as bad actor flows, they are penalty policed according to the EPFT penalty rates (only 20 to 200 packets per second). This is the default behavior from Cisco IOS XR Software Release 5.3.0 and later.
This feature is enabled by default (users need not explicitly configure any command to enable it). However, you can use these commands to set the penalty rate and penalty timeout for punt packets of the unclassified source type:
lpts punt excessive-flow-trap penalty-rate unclassified rate
The range of rate (in packets per second, pps) is from 2 to 100; the default is 10.
lpts punt excessive-flow-trap penalty-timeout unclassified timeout
The range of timeout (in minutes) is from 1 to 1000; the default is 15.
Interface-based Flow
For the Elephant Trap sampler, the MAC address is one of the key fields used to uniquely identify a flow. Certain DoS attacks use dynamically changing source MAC addresses. In such cases no individual flow crosses the threshold, and hence EPFT does not trap the flow. With the interface-based flow feature, the Elephant Trap does not consider the MAC address as a key for uniquely identifying a flow. Hence, all packets received on a non-subscriber interface (irrespective of the source MAC address) are considered to be part of a single flow. When excessive punts are received on the interface, EPFT performs an ifhandle-based trap, thereby penalty policing the punt traffic on that particular interface.
To enable interface-based flow, you must use this command in global configuration mode:
lpts punt excessive-flow-trap interface-based-flow
Note: You cannot enable this command if EPFT is turned on for subscriber-interfaces and non-subscriber-interfaces mac, or vice versa, because the interface-based flow feature is mutually exclusive with the MAC-based EPFT on non-subscriber interface feature.
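To make the sampler parameters in the table above and the flow-key choice described under Interface-based Flow concrete, here is a simplified simulation added for this page; it is not Cisco's implementation, and its traffic (one flooder rotating through 1000 source MACs beside 20 quiet hosts on a constructed sub-interface name) is constructed. It assumes a per-flow hit counter that resets when the maximum flow gap is exceeded and an eviction scan that stops at the search limit.

```python
import random
from dataclasses import dataclass, field
@dataclass
class ElephantTrap:
    """Simplified model of the EPFT sampler (an assumption, not Cisco's code); defaults match the table."""
    trap_size: int = 64
    sampling_probability: float = 0.01
    report_threshold: int = 5
    eviction_threshold: int = 2
    eviction_search_limit: int = 64
    max_flow_gap_ms: int = 800
    entries: dict = field(default_factory=dict)  # flow key -> [hits, last_sample_ms]
    reported: set = field(default_factory=set)
    rng: random.Random = field(default_factory=lambda: random.Random(7))  # seeded: reproducible run
    def observe(self, key, now_ms):
        """Offer one punted packet to the sampler; by default 1 packet in 100 is looked at."""
        if self.rng.random() >= self.sampling_probability:
            return
        entry = self.entries.get(key)
        if entry is None:
            if len(self.entries) < self.trap_size or self._evict():
                self.entries[key] = [1, now_ms]  # a new flow starts with one hit
            return  # a full trap with no cold entry simply discards the sample
        # hits keep accumulating only while successive samples arrive within the flow gap
        entry[0] = entry[0] + 1 if now_ms - entry[1] <= self.max_flow_gap_ms else 1
        entry[1] = now_ms
        if entry[0] >= self.report_threshold:
            self.reported.add(key)  # handed to the flowtrap process as a bad actor
    def _evict(self):
        """Free one slot: scan at most eviction_search_limit entries for a cold flow."""
        for checked, (key, (hits, _)) in enumerate(list(self.entries.items())):
            if checked >= self.eviction_search_limit:
                break
            if hits < self.eviction_threshold:
                del self.entries[key]
                return True
        return False

def run_scenario(interface_based):
    """Constructed traffic on one sub-interface: a flooder at 500 pps rotating through 1000 source MACs, plus 20 hosts punting 1 pps each. Returns the reported flow keys."""
    trap = ElephantTrap()
    ifh = "Bundle-Ether1.100"  # constructed interface name (the ifhandle in the text)
    for t_ms in range(0, 10_000, 2):  # 10 s of 2 ms slots
        mac = "02:00:00:00:%02x:%02x" % divmod((t_ms // 2) % 1000, 256)  # rotating source MAC
        trap.observe(ifh if interface_based else (ifh, mac), t_ms)
        if t_ms % 1000 == 0:  # the well-behaved hosts each punt once per second
            for host in range(20):
                trap.observe(ifh if interface_based else (ifh, "02:00:00:01:00:%02x" % host), t_ms)
    return trap.reported
```

With MAC-keyed flows no single MAC ever reaches the report threshold, so nothing is trapped; with the interface as the only key the whole sub-interface is reported, which is the ifhandle-based trap the text describes.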
Enabling Excessive Punt Flow Trap Processing
Perform this task to enable the Excessive Punt Flow Trap feature for both subscriber and non-subscriber interfaces. The task also enables you to set the penalty policing rate and penalty timeout for a protocol.
SUMMARY STEPS
- configure
- lpts punt excessive-flow-trap subscriber-interfaces
- lpts punt excessive-flow-trap non-subscriber-interfaces
- lpts punt excessive-flow-trap penalty-rate protocol penalty_policer_rate
- lpts punt excessive-flow-trap penalty-timeout protocol time
- Use the commit or end command.
DETAILED STEPS
Command or Action | Purpose
---|---
Step 1: configure | Enters global configuration mode.
Step 2: lpts punt excessive-flow-trap subscriber-interfaces | Enables the Excessive Punt Flow Trap feature on subscriber interfaces.
Step 3: lpts punt excessive-flow-trap non-subscriber-interfaces | Enables the Excessive Punt Flow Trap feature on non-subscriber interfaces.
Step 4: lpts punt excessive-flow-trap penalty-rate protocol penalty_policer_rate | Sets the penalty policing rate for a protocol. The penalty policer rate is in packets per second (pps) and ranges from 2 to 100.
Step 5: lpts punt excessive-flow-trap penalty-timeout protocol time | Sets the penalty timeout value for a protocol, which is the period of time that a trapped interface is placed in the penalty box. The penalty timeout value is in minutes and ranges from 1 to 1000. The default penalty timeout value is 15 minutes.
Step 6: Use the commit or end command. | commit: Saves the configuration changes and remains within the configuration session.
Enabling Excessive Punt Flow Trap Processing: Examples
configure
lpts punt excessive-flow-trap subscriber-interfaces
lpts punt excessive-flow-trap penalty-rate ppp 20
lpts punt excessive-flow-trap penalty-rate pppoe 20
end
!!
configure
lpts punt excessive-flow-trap non-subscriber-interfaces
lpts punt excessive-flow-trap penalty-timeout arp 2
end
!!