Excessive Punt Flow Trap Commands

This module describes the Cisco IOS XR software commands used to configure the Excessive Punt Flow Trap feature for Broadband Network Gateway (BNG) on the Cisco ASR 9000 Series Router. For details regarding the related configurations, refer to the Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Configuration Guide.


Note


From Release 7.3.1, the Excessive Punt Flow Trap feature is deprecated. To control user or subscriber traffic manually, we recommend that you use Access Control List and Access Control List-based Forwarding, Flow Aware QoS, or enable policing through MQC.


To use commands of this module, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using any command, contact your AAA administrator for assistance.

lpts punt excessive-flow-trap

To activate the Excessive Punt Flow Trap feature and to enter the control plane policer configuration mode, use the lpts punt excessive-flow-trap command in Global Configuration mode. To exit the control plane policer configuration mode and disable the Excessive Punt Flow Trap feature, use the no form of this command.

lpts punt excessive-flow-trap {subscriber-interfaces | non-subscriber-interfaces | penalty-rate | penalty-timeout}

Syntax Description

subscriber-interfaces

Enables the Excessive Punt Flow Trap for subscriber interfaces.

non-subscriber-interfaces

Enables the Excessive Punt Flow Trap for non-subscriber interfaces.

penalty-rate

Sets the penalty policing rate for a protocol.

penalty-timeout

Sets the penalty timeout for a protocol.

Command Default

None

Command Modes

Global Configuration mode

Command History

Release

Modification

Release 4.3.0

This command was introduced.

Usage Guidelines

Excessive Punt Flow Trap (EPFT) is not supported with BNG Geo Redundancy.

Task ID

Task ID

Operations

config-services

read, write

Examples

This example shows how to enable the Excessive Punt Flow Trap feature in the Global Configuration mode:

RP/0/RSP0/CPU0:router(config)# lpts punt excessive-flow-trap
RP/0/RSP0/CPU0:router(config-control-plane-policer)# 

lpts punt excessive-flow-trap dampening

To enable false positive suppression through dampening, use the lpts punt excessive-flow-trap dampening command in Global Configuration mode. To remove this configuration, use the no form of this command.

lpts punt excessive-flow-trap dampening [time]

Syntax Description

time

The time (in milliseconds) within which a second bad actor notification must arrive to consider the flow as a repeated offender.

The range is from 1 to 60000; the default is 30000 milliseconds (30 seconds).

Command Default

By default, the dampening feature is disabled.

Command Modes

Global Configuration mode

Command History

Release Modification

Release 5.3.0

This command was introduced.

Usage Guidelines

No specific guidelines impact the use of this command.

Task ID

Task ID Operation

config-services

read, write

Examples

This example shows how to configure a dampening time of 40 milliseconds:

RP/0/RSP0/CPU0:router#configure
RP/0/RSP0/CPU0:router(config)#lpts punt excessive-flow-trap dampening 40

lpts punt excessive-flow-trap interface-based-flow

To enable interface-based flow (that is, considering all the packets received on a non-subscriber interface, irrespective of the source MAC address, to be a part of a single flow), use the lpts punt excessive-flow-trap interface-based-flow command in Global Configuration mode. To remove this interface-based flow configuration, use the no form of this command.

lpts punt excessive-flow-trap interface-based-flow

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Global Configuration

Command History

Release Modification

Release 5.3.0

This command was introduced.

Usage Guidelines

This command cannot be enabled if EPFT is turned on for the subscriber-interfaces and non-subscriber-interfaces mac, or vice versa. This is because the interface-based flow feature is mutually exclusive with the MAC-based EPFT on non-subscriber interfaces feature.

Task ID

Task ID Operation

config-services

read, write

Examples

This example shows how to enable interface-based flow:

RP/0/RSP0/CPU0:router#configure
RP/0/RSP0/CPU0:router(config)#lpts punt excessive-flow-trap interface-based-flow

lpts punt excessive-flow-trap non-subscriber-interfaces

To enable the Excessive Punt Flow Trap feature on non-subscriber interfaces, use the lpts punt excessive-flow-trap non-subscriber-interfaces command in Global Configuration mode. To disable the Excessive Punt Flow Trap feature on non-subscriber interfaces, use the no form of this command.

lpts punt excessive-flow-trap non-subscriber-interfaces [mac]

Syntax Description

mac

Enables MAC-based EPFT on non-subscriber interface.

Command Default

None

Command Modes

Global Configuration mode

Command History

Release

Modification

Release 4.3.0

This command was introduced.

Release 5.3.0

The command was modified to add the mac keyword to enable MAC-based EPFT on non-subscriber interfaces.

Usage Guidelines

The lpts punt excessive-flow-trap interface-based-flow command cannot be enabled if EPFT is turned on for the subscriber-interfaces and non-subscriber-interfaces mac.

Task ID

Task ID

Operations

config-services

read, write

Examples

This example shows how to enable the Excessive Punt Flow Trap feature on the non-subscriber interfaces in the Global Configuration mode:

RP/0/RSP0/CPU0:router(config)# lpts punt excessive-flow-trap non-subscriber-interfaces

This example shows how to enable EPFT on a non-subscriber VLAN sub-interface, based on the source MAC address:

RP/0/RSP0/CPU0:router(config)# lpts punt excessive-flow-trap non-subscriber-interfaces mac
 

lpts punt excessive-flow-trap penalty-rate

To set the penalty policing rate for a protocol, use the lpts punt excessive-flow-trap penalty-rate command in Global Configuration mode. To restore the default penalty-rate, use the no form of this command.

lpts punt excessive-flow-trap penalty-rate {trace | arp | icmp | dhcp | pppoe | ppp | igmp | ip | l2tp | all | interface | information | unclassified} penalty_rate

Syntax Description

default

Sets the default penalty policing rate for all protocols.

arp

Sets the penalty policing rate for the ARP protocol.

icmp

Sets the penalty policing rate for the ICMP protocol.

dhcp

Sets the penalty policing rate for the DHCP protocol.

pppoe

Sets the penalty policing rate for the PPPoE protocol.

ppp

Sets the penalty policing rate for the PPP protocol.

igmp

Sets the penalty policing rate for the IGMP protocol.

ip

Sets the penalty policing rate for the IPv4 protocol.

l2tp

Sets the penalty policing rate for the L2TP protocol.

unclassified

Sets the penalty police rates for unclassified source MAC.

penalty_rate

Penalty rate in packets per second (pps).

The range, in pps, is from 2 to 100; default is 10.

Command Default

None

Command Modes

Global Configuration mode

Command History

Release

Modification

Release 4.3.0

This command was introduced.

Release 5.3.0

The command was modified to add the unclassified keyword to set the penalty police rates for unclassified source MAC.

Usage Guidelines

No specific guidelines impact the use of this command.

Task ID

Task ID

Operations

config-services

read, write

Examples

This example shows how to set the penalty policing rate of 4 pps for the ARP protocol in the Global Configuration mode:

RP/0/RSP0/CPU0:router(config)# lpts punt excessive-flow-trap penalty-rate arp 4
RP/0/RSP0/CPU0:router(config)# 

lpts punt excessive-flow-trap penalty-timeout

To set the penalty timeout value for a protocol, use the lpts punt excessive-flow-trap penalty-timeout command in Global Configuration mode. To restore the default penalty timeout value, use the no form of this command.

lpts punt excessive-flow-trap penalty-timeout {trace | arp | icmp | dhcp | pppoe | ppp | igmp | ip | l2tp | all | interface | information} timeout

Syntax Description

default

Sets the default penalty timeout for all protocols.

arp

Sets the penalty timeout for the ARP protocol.

icmp

Sets the penalty timeout for the ICMP protocol.

dhcp

Sets the penalty timeout for the DHCP protocol.

pppoe

Sets the penalty timeout for the PPPoE protocol.

ppp

Sets the penalty timeout for the PPP protocol.

igmp

Sets the penalty timeout for the IGMP protocol.

ip

Sets the penalty timeout for the IPv4 protocol.

l2tp

Sets the penalty timeout for the L2TP protocol.

Command Default

The default value in minutes is 15.

Command Modes

Global Configuration mode

Command History

Release

Modification

Release 4.3.0

This command was introduced.

Usage Guidelines

No specific guidelines impact the use of this command.

Task ID

Task ID

Operations

config-services

read, write

Examples

This example shows how to set the penalty timeout value of 70 minutes for the DHCP protocol in the Global Configuration mode:

RP/0/RSP0/CPU0:router(config)# lpts punt excessive-flow-trap penalty-timeout dhcp 70
RP/0/RSP0/CPU0:router(config)# 

lpts punt excessive-flow-trap subscriber-interfaces

To enable the Excessive Punt Flow Trap feature on subscriber interfaces, use the lpts punt excessive-flow-trap subscriber-interfaces command in Global Configuration mode. To disable the Excessive Punt Flow Trap feature on subscriber interfaces, use the no form of this command.

lpts punt excessive-flow-trap subscriber-interfaces

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Global Configuration mode

Command History

Release

Modification

Release 4.3.0

This command was introduced.

Usage Guidelines

No specific guidelines impact the use of this command.

Task ID

Task ID

Operations

config-services

read, write

Examples

This example shows how to enable the Excessive Punt Flow Trap feature for subscriber interfaces in the Global Configuration mode:

RP/0/RSP0/CPU0:router(config)# lpts punt excessive-flow-trap subscriber-interfaces
RP/0/RSP0/CPU0:router(config)# 

show lpts punt excessive-flow-trap

To display the bad actor flows trapped by Excessive Punt Flow Trap (EPFT), use the show lpts punt excessive-flow-trap command in the EXEC mode.

show lpts punt excessive-flow-trap {protocol | interface interface-type interface-path-id | information} [location]

Syntax Description

protocol
Enter the protocol type.
  • arp—Displays ARP bad actors.

  • icmp—Displays ICMP bad actors.

  • dhcp—Displays DHCP bad actors.

  • pppoe—Displays PPPoE bad actors.

  • ppp—Displays PPP bad actors.

  • igmp—Displays IGMP bad actors.

  • ipv4—Displays IPv4 bad actors.

  • l2tp—Displays L2TP bad actors.

  • unclassified—Displays unclassified bad actors.

  • all—Displays bad actors for all protocols.

interface

Displays the bad actors on an interface. For more information on the interface types, use the question mark (?) online help function.

type

Specifies the interface type. For more information, use the question mark (?) online help function.

interface-path-id

Either a physical interface instance or a virtual interface instance as follows:

  • Physical interface instance. Naming notation is rack/slot/module/port and a slash between values is required as part of the notation.
    • rack: Chassis number of the rack.

    • slot: Physical slot number of the modular services card or line card.

    • module: Module number. A physical layer interface module (PLIM) is always 0.

    • port: Physical port number of the interface.

    Note: In references to a Management Ethernet interface located on a route processor card, the physical slot number is alphanumeric (RSP0) and the module is CPU0. Example: interface MgmtEth0/RSP0/CPU0/0.

  • Virtual interface instance. Number range varies depending on interface type.

For more information about the syntax for the router, use the question mark (?) online help function.

information

Displays the Excessive Punt Flow Trap feature information.

location

Displays bad actors on a line card.

Command Default

None

Command Modes

EXEC mode

Command History

Release Modification

Release 4.3.0

This command was introduced.

Release 5.3.0

The command was modified to include the unclassified option in the protocol list, to display unclassified bad actors.

Usage Guidelines

No specific guidelines impact the use of this command.

Task ID

Task ID Operation

lpts

read

basic-services

read, write

Examples

The show running-config output for the above show lpts punt excessive-flow-trap command is:

RP/0/RSP0/CPU0:router# show running-config lpts punt excessive-flow-trap
lpts punt excessive-flow-trap
 penalty-rate arp 15
 penalty-rate pppoe 25
 penalty-timeout arp 2
 non-subscriber-interfaces

This is a sample output for show lpts punt excessive-flow-trap unclassified command:

Parent Interface: Bundle-Ether1.1                   Src MAC Addr: 0000.6416.0102
Intf Handle: 0x08000260                             Location: 0/0/CPU0
Protocol: UNCLASSIFIED                              Punt Reason: Unclassified packets for RSP
Penalty Rate: 0 pps (all packets dropped)           Penalty Timeout: 15 mins
Time Remaining: 13 mins 54 secs

This table describes the significant fields shown in the display.

Table 1. Field Descriptions of show lpts punt excessive-flow-trap command:

Field

Description

Penalty Rate

The penalty policing rate for a protocol.

The range is from 2 to 100. The example shown here is for MAC-based EPFT, where all packets from the source MAC are dropped. Therefore, the penalty rate is zero (0).

Penalty Timeout

The penalty timeout value for a protocol. A bad actor flow trapped for sending excessive protocol packets (arp, ppp or unclassified) is penalty policed for the configured penalty-timeout period (in minutes). By default, it is 15 minutes.
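
For monitoring, the two-column output of show lpts punt excessive-flow-trap can be turned into records, one per trapped flow. The following is an added example, not Cisco code: it parses the MAC-based sample above and the interface-based sample shown under show lpts punt excessive-flow-trap interface; the function and dictionary key names are assumptions of this example.

```python
import re

# Field labels exactly as printed in the sample outputs on this page.
KEYS = ("Parent Interface", "Interface", "Src MAC Addr", "Intf Handle", "Location",
        "Protocol", "Punt Reason", "Penalty Rate", "Penalty Timeout", "Time Remaining")
_ALT = "|".join(re.escape(k) for k in KEYS)
# A "Label: value" pair; the value ends at the next known label or at end of line.
PAIR_RE = re.compile(rf"({_ALT}):\s*(.*?)(?=\s+(?:{_ALT}):|\s*$)")

# The two sample outputs shown on this page (MAC-based entry, then interface-based).
SAMPLE = """\
Parent Interface: Bundle-Ether1.1                   Src MAC Addr: 0000.6416.0102
Intf Handle: 0x08000260                             Location: 0/0/CPU0
Protocol: UNCLASSIFIED                              Punt Reason: Unclassified packets for RSP
Penalty Rate: 0 pps (all packets dropped)           Penalty Timeout: 15 mins
Time Remaining: 13 mins 54 secs

Interface: Bundle-Ether1.100
         Intf Handle: 0x08000320                            Location: 0/6/CPU0
            Protocol: IPv4/v6                            Punt Reason: Raw-default
        Penalty Rate: 10 pps                         Penalty Timeout: 15 mins
      Time Remaining: 14 mins 31 secs
"""


def _first_int(text):
    """Leading integer of '10 pps' or '15 mins'; None if the field is malformed."""
    m = re.match(r"\s*(\d+)", text)
    return int(m.group(1)) if m else None


def _seconds(text):
    """'13 mins 54 secs' -> 834; a missing part counts as zero."""
    mins = re.search(r"(\d+)\s*min", text)
    secs = re.search(r"(\d+)\s*sec", text)
    return (int(mins.group(1)) * 60 if mins else 0) + (int(secs.group(1)) if secs else 0)


def parse_bad_actors(output):
    """Return one dict per trapped flow found in the command output."""
    records, current = [], None
    for line in output.splitlines():
        for key, value in PAIR_RE.findall(line):
            if key in ("Interface", "Parent Interface"):  # first field of an entry
                current = {"interface": value, "src_mac": None}
                records.append(current)
            elif current is None:
                continue  # text before the first entry (prompt, banner)
            elif key == "Src MAC Addr":
                current["src_mac"] = value
            elif key == "Penalty Rate":
                current["penalty_rate_pps"] = _first_int(value)
            elif key == "Penalty Timeout":
                current["penalty_timeout_min"] = _first_int(value)
            elif key == "Time Remaining":
                current["remaining_sec"] = _seconds(value)
            else:  # Intf Handle, Location, Protocol, Punt Reason
                current[key.lower().replace(" ", "_")] = value
    return records


def fully_dropped(records):
    """Entries with a 0 pps penalty rate: every packet from that source is dropped."""
    return [r for r in records if r.get("penalty_rate_pps") == 0]


if __name__ == "__main__":
    for rec in parse_bad_actors(SAMPLE):
        who = rec["src_mac"] or "whole interface"
        print(f'{rec["interface"]} [{who}] {rec["protocol"]}: '
              f'{rec["penalty_rate_pps"]} pps, {rec["remaining_sec"]}s left')
```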

show lpts punt excessive-flow-trap information

To display the Excessive Punt Flow Trap feature information, use the show lpts punt excessive-flow-trap information command in the EXEC mode.

show lpts punt excessive-flow-trap information

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

EXEC mode

Command History

Release Modification

Release 4.3.0

This command was introduced.

Usage Guidelines

No specific guidelines impact the use of this command.

Task ID

Task ID Operation

lpts

read

basic-services

read, write

Examples

This is an example of show lpts punt excessive-flow-trap information command with ARP and PPPoE protocols configured with non-default values:


RP/0/RSP0/CPU0:router# show lpts punt excessive-flow-trap information

--------------------------------------------------------------
  Global Default Values -
         Police Rate: 10 pps
     Penalty Timeout: 15 mins

--------------------------------------------------------------
              Police         Penalty
              Rate (pps)     Timeout (mins)
 Protocol   Default Config   Default Config   Punt Reasons
 --------   --------------   --------------   ----------------
 ARP           10     15        15      2     ARP
                                              Reverse ARP
                                              Dynamic ARP Inspection (DAI)

 ICMP          10     -         15     -      ICMP
                                              ICMP-local
                                              ICMP-app
                                              ICMP-control
                                              ICMP-default

 DHCP          10     -         15     -      DHCP Snoop Request
                                              DHCP Snoop Reply

 PPPOE         10     25        15     -      PPP over Ethernet (PPPoE)
                                              PPPoE packets for RSP
                                              PPPoE packet/config mismatch
                                              PPPoE packet/config mismatch for RSP

 PPP           10     -         15     -      Point-to-Point Protocol (PPP)
                                              PPP packets for RSP

 IGMP          10     -         15     -      IGMP
                                              IGMP Snoop
                                              MLD Snoop

 IPv4/v6       10     -         15     -      IP Subscriber (IPSUB)
                                              IPv4 options
                                              IPv4 FIB
                                              IPv4 TTL exceeded
                                              IPv4 fragmentation needed
                                              IPv4/v6 adjacency
                                              IPV4/v6 unknown IFIB
                                              UDP-known
                                              UDP-listen
                                              Generic Routing Encap (GRE) bad flags
                                              UDP-default
                                              TCP-known
                                              TCP-listen
                                              TCP-cfg-peer
                                              TCP-default
                                              Raw-listen
                                              Raw-default

 L2TP          10     -         15     -      Layer 2 Tunneling Protocol, version 2 (L2TPv2)
                                              L2TPv2-default
                                              L2TPv2-known
                                              L2TPv3

The corresponding show running-config output for the above show lpts punt excessive-flow-trap information command is:

RP/0/RSP0/CPU0:router# show running-config lpts punt excessive-flow-trap
lpts punt excessive-flow-trap
 penalty-rate arp 15
 penalty-rate pppoe 25
 penalty-timeout arp 2
 non-subscriber-interfaces

This table describes the significant fields shown in the display.

Table 2. show lpts punt excessive-flow-trap information Field Descriptions

Field

Description

penalty-rate

The penalty policing rate for a protocol. For arp the value is 15 and for pppoe the value is 25.

penalty-timeout

The penalty timeout value for a protocol. For arp the value is 2.
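
A candidate EPFT configuration can be checked, before it is pushed, against the limits this module states: the penalty-rate and dampening ranges, the mutual exclusion between interface-based flow and MAC-based EPFT, and the deprecation from Release 7.3.1. This is an added example, not Cisco code; the function names are hypothetical, and it assumes that dampening and interface-based-flow appear nested under the same block in the running configuration and that the release is a dotted numeric string.

```python
PREFIX = "lpts punt excessive-flow-trap"
PENALTY_RATE_PPS = range(2, 101)   # penalty_rate: "from 2 to 100"
DAMPENING_MS = range(1, 60001)     # dampening time: "from 1 to 60000"
DEPRECATED_FROM = (7, 3, 1)        # "From Release 7.3.1 ... deprecated"

# Constructed candidate config in the layout of the page's running-config sample.
# Assumption: dampening and interface-based-flow nest under the same block.
# Deliberate problems: pppoe rate above range; MAC-based and interface-based together.
SAMPLE_CONFIG = """\
lpts punt excessive-flow-trap
 penalty-rate arp 15
 penalty-rate pppoe 250
 penalty-timeout arp 2
 dampening 40
 non-subscriber-interfaces mac
 interface-based-flow
"""


def epft_statements(config):
    """Yield EPFT statements as token lists, from the nested or the one-line form."""
    in_block = False
    for raw in config.splitlines():
        line = raw.rstrip()
        if line == PREFIX:
            in_block = True
            yield []                      # feature enabled, no sub-statement
        elif line.startswith(PREFIX + " "):
            yield line[len(PREFIX):].split()
        elif in_block and line.startswith(" "):
            yield line.split()
        else:
            in_block = False              # an unindented line closes the block


def audit_epft(config, release=None):
    """Return findings; release is a dotted numeric string such as '7.3.1'."""
    findings, mac_based, intf_based, configured = [], False, False, False
    for tok in epft_statements(config):
        configured = True
        if len(tok) == 3 and tok[0] == "penalty-rate" and tok[2].isdigit():
            if int(tok[2]) not in PENALTY_RATE_PPS:
                findings.append(f"penalty-rate {tok[1]} {tok[2]}: outside 2-100 pps")
        elif len(tok) == 2 and tok[0] == "dampening" and tok[1].isdigit():
            if int(tok[1]) not in DAMPENING_MS:
                findings.append(f"dampening {tok[1]}: outside 1-60000 ms")
        elif tok == ["non-subscriber-interfaces", "mac"]:
            mac_based = True
        elif tok == ["interface-based-flow"]:
            intf_based = True
    if mac_based and intf_based:
        findings.append("interface-based-flow is mutually exclusive with "
                        "non-subscriber-interfaces mac")
    if configured and release:
        if tuple(int(p) for p in release.split(".")) >= DEPRECATED_FROM:
            findings.append(f"EPFT is deprecated from Release 7.3.1 (target {release})")
    return findings


if __name__ == "__main__":
    for finding in audit_epft(SAMPLE_CONFIG, release="7.3.1"):
        print(finding)
```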

show lpts punt excessive-flow-trap interface

To display the penalty status of an interface for one or all protocols, use the show lpts punt excessive-flow-trap interface command in the EXEC mode.

show lpts punt excessive-flow-trap interface type interface-path-id [ protocol ]

Syntax Description

type

Specifies the interface type. For more information, use the question mark (?) online help function.

interface-path-id

Either a physical interface instance or a virtual interface instance:

  • Physical interface instance. Naming notation is rack/slot/module/port and a slash between values is required as part of the notation.
    • rack: Chassis number of the rack.

    • slot: Physical slot number of the modular services card or line card.

    • module: Module number. A physical layer interface module (PLIM) is always 0.

    • port: Physical port number of the interface.

    Note: In references to a Management Ethernet interface located on a route processor card, the physical slot number is alphanumeric (RSP0) and the module is CPU0. Example: interface MgmtEth0/RSP0/CPU0/0.

  • Virtual interface instance. Number range varies depending on interface type.

For more information about the syntax for the router, use the question mark (?) online help function.

protocol
Specifies the protocol type.
  • arp—Displays ARP bad actors.

  • icmp—Displays ICMP bad actors.

  • dhcp—Displays DHCP bad actors.

  • pppoe—Displays PPPoE bad actors.

  • ppp—Displays PPP bad actors.

  • igmp—Displays IGMP bad actors.

  • ipv4—Displays IPv4 bad actors.

  • l2tp—Displays L2TP bad actors.

  • all—Displays bad actors for all protocols.

Command Default

None

Command Modes

EXEC mode

Command History

Release Modification

Release 4.3.0

This command was introduced.

Usage Guidelines

No specific guidelines impact the use of this command.

Task ID

Task ID Operation

lpts

read

basic-services

read, write

Examples

The sample output for the show lpts punt excessive-flow-trap ip command is:

RP/0/RSP0/CPU0:router# show lpts punt excessive-flow-trap ip
Interface: Bundle-Ether1.100               
         Intf Handle: 0x08000320                            Location: 0/6/CPU0
            Protocol: IPv4/v6                            Punt Reason: Raw-default
        Penalty Rate: 10 pps                         Penalty Timeout: 15 mins                         
      Time Remaining: 14 mins 31 secs

This table describes the significant fields shown in the display.

Table 3. show lpts punt excessive-flow-trap interface Field Descriptions

Field

Description

Intf Handle

The interface handler for the Bundle Ether interface.

location

The location of the interface.

protocol

Specifies if it uses the IPv4 or IPv6 protocol.

punt reason

The reason to punt the excessive flow trap.

penalty-rate

The penalty policing rate for a protocol in pps.

penalty-timeout

The penalty timeout value for a protocol in minutes.

show lpts punt excessive-flow-trap protocol

To display a list of interfaces that are in the penalty box for one or all protocols, use the show lpts punt excessive-flow-trap protocol command in the EXEC mode.

show lpts punt excessive-flow-trap protocol

Syntax Description

protocol
Enter the protocol type.
  • arp—Displays ARP bad actors.

  • icmp—Displays ICMP bad actors.

  • dhcp—Displays DHCP bad actors.

  • pppoe—Displays PPPoE bad actors.

  • ppp—Displays PPP bad actors.

  • igmp—Displays IGMP bad actors.

  • ipv4—Displays IPv4 bad actors.

  • l2tp—Displays L2TP bad actors.

  • all—Displays bad actors for all protocols.

Command Default

None

Command Modes

EXEC mode

Command History

Release Modification

Release 4.3.0

This command was introduced.

Usage Guidelines

The protocol option in the show lpts punt excessive-flow-trap protocol command points to the protocol type. The show output differs depending on the protocol type you select on the router.

Task ID

Task ID Operation

lpts

read

basic-services

read, write

Examples

The sample output for the show lpts punt excessive-flow-trap ip command is:

RP/0/RSP0/CPU0:router# show lpts punt excessive-flow-trap ip
Interface: Bundle-Ether1.100               
         Intf Handle: 0x08000320                            Location: 0/6/CPU0
            Protocol: IPv4/v6                            Punt Reason: Raw-default
        Penalty Rate: 10 pps                         Penalty Timeout: 15 mins                         
      Time Remaining: 14 mins 31 secs

This table describes the significant fields shown in the display.

Table 4. show lpts punt excessive-flow-trap interface Field Descriptions

Field

Description

Intf Handle

The interface handler for the Bundle Ether interface.

location

The location of the interface.

protocol

Specifies if it uses the IPv4 or IPv6 protocol.

punt reason

The reason to punt the excessive flow trap.

penalty-rate

The penalty policing rate for a protocol in pps.

penalty-timeout

The penalty timeout value for a protocol in minutes.