January 2021

A note on the LPTS EPFT (Excessive Punt Flow Trap) feature. LPTS protects the CPU of Cisco IOS XR devices by preventing attack traffic such as ARP/DHCP/DNS/ICMP from being punted to the line card CPU. With LPTS EPFT enabled, these punted flows are monitored and, once they exceed a certain rate, penalized.


RP/0/RSP0/CPU0:ASR9006-M#show run lpts punt excessive-flow-trap
Fri Jan 29 16:42:08.014 UTC
lpts punt excessive-flow-trap
 penalty-rate arp 100
 penalty-timeout arp 1


RP/0/RSP0/CPU0:ASR9006-M#show lpts punt excessive-flow-trap  information 
Fri Jan 29 16:02:59.820 UTC

              Police         Penalty
              Rate (pps)     Timeout (mins)
 Protocol   Default Config   Default Config   Punt Reasons
 --------   --------------   --------------   ----------------
 ARP           10     -         15     -      ARP
                                              Reverse ARP
                                              Dynamic ARP Inspection (DAI)

 ICMP          10     -         15     -      ICMP

 DHCP          10     -         15     -      DHCP Snoop Request
                                              DHCP Snoop Reply
                                              DHCP Broadcast

 PPPOE         10     -         15     -      PPP over Ethernet (PPPoE)
                                              PPPoE packets for RSP
                                              PPPoE packet/config mismatch
                                              PPPoE packet/config mismatch for RSP

 PPP           10     -         15     -      Point-to-Point Protocol (PPP)
                                              PPP packets for RSP

 IGMP          10     -         15     -      IGMP
                                              IGMP Snoop
                                              MLD snooping

 IPv4/v6       10     -         15     -      IP Subscriber (IPSUB)
                                              IPv4 options
                                              IPv4 FIB
                                              IPv4 TTL exceeded
                                              IPv4 fragmentation needed
                                              IPv4/v6 adjacency
                                              IPV4/v6 unknown IFIB
                                              IPv4 tunnel not configred

 L2TP          10     -         15     -      Layer 2 Tunneling Protocol, version 2 (L2TPv2)

 UNCLASSIFIED      10     -         15     -      Unclassified packets
                                              Unclassified packets for RSP

 OSPF           0     -         15     -      OSPF-mc-known

 BGP            0     -         15     -      BGP-known


The monitoring is based on a sampling algorithm, computed as follows (the formula has three tunable parameters). In other words, the default trigger rate is 1000 packets / 800 ms, which leaves room for normal ARP, SSH and DHCP traffic.

100 (sampling rate 0.01, i.e. 1 in 100) x 2 (pick 2 packets) x 5 (5 times) = 1000 packets / 800 ms

RP/0/RSP0/CPU0:ASR9006-M#run attach 0/0/cpu0
Fri Jan 29 16:17:36.395 UTC
attach: Starting session 1 to node 0/0/cpu0
# spp_ui
spp-ui> copp table

Eviction threshold:      2              <<< change by "lpts punt exces eviction-threshold <>"
Report threshold:        5              <<< change by "lpts punt exces report-threshold <>"
Max-IPG:                 800            <<< change by "lpts punt exce max-flow-gap <>"




The problem is the following: as shown below, a downstream device mistakenly pinged us. Since the ICMP rate can reach 2500 pps, the penalty is easily triggered, and all traffic arriving from that peer interface is then dropped. If a routing protocol is running over the interface, the routing protocol session is interrupted as well.

RP/0/RP1/CPU0:CORE6-ASR9922-A#show logging | in TRAP
Wed Jan 13 07:39:01.788 UTC
LC/0/1/CPU0:Jan 13 06:48:24.362 : flowtrap[196]: %OS-FLOWTRAP-4-BAD_ACTOR_MAC_DETECTED : Excessive ICMP-app flow detected from source MAC address 78ba.f96b.eb82 on interface TenGigE0/1/0/1. Traffic from this MAC address will be dropped for 15 minutes.

For a sub-interface, the penalty for exceeding the rate is that traffic is rate-limited to 10 pps for 15 minutes, as the following log shows.

The penalty is: all egress traffic is policed to 10 pps, and all ingress "for us" traffic is policed to 10 pps (transit traffic is not affected).

LC/0/0/CPU0:Jan 12 00:35:58.370 CST: flowtrap[217]: %OS-FLOWTRAP-4-BAD_ACTOR_INTF_DETECTED : Excessive ICMP-app flow detected on interface TenGigE0/0/0/3.38032178. The interface will be penalty-policed at 10 pps for 15 minutes. 

The default police rate is 10 pps; it can be changed with the command "lpts punt excessive-flow-trap penalty-rate xx".

The default penalty timeout is 15 min; it can be changed with the command "lpts punt excessive-flow-trap penalty-timeout xx".
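Added example (not part of the original note): a small Python parser for the two %OS-FLOWTRAP-4 syslog variants shown above, so that a penalty can be correlated with a later BGP/OSPF neighbor drop on the same physical port. The sample lines are copied from the log output in this note; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Regexes for the two BAD_ACTOR message variants shown in this note.
MAC_RE = re.compile(
    r"%OS-FLOWTRAP-4-BAD_ACTOR_MAC_DETECTED : Excessive (?P<proto>\S+) flow detected "
    r"from source MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on interface (?P<intf>\S+)\. Traffic from this MAC address will be dropped "
    r"for (?P<minutes>\d+) minutes\."
)
INTF_RE = re.compile(
    r"%OS-FLOWTRAP-4-BAD_ACTOR_INTF_DETECTED : Excessive (?P<proto>\S+) flow detected "
    r"on interface (?P<intf>\S+)\. The interface will be penalty-policed at "
    r"(?P<pps>\d+) pps for (?P<minutes>\d+) minutes\."
)

@dataclass
class FlowTrapEvent:
    kind: str                  # "mac": one source MAC dropped; "intf": whole (sub)interface policed
    proto: str                 # e.g. "ICMP-app"
    intf: str                  # interface or sub-interface name
    minutes: int               # penalty duration in minutes
    mac: Optional[str] = None  # only for "mac" events
    pps: Optional[int] = None  # only for "intf" events

def parse_flowtrap(line: str) -> Optional[FlowTrapEvent]:
    """Return a FlowTrapEvent for a BAD_ACTOR syslog line, or None for any other line."""
    m = MAC_RE.search(line)
    if m:
        return FlowTrapEvent("mac", m["proto"], m["intf"], int(m["minutes"]), mac=m["mac"])
    m = INTF_RE.search(line)
    if m:
        return FlowTrapEvent("intf", m["proto"], m["intf"], int(m["minutes"]), pps=int(m["pps"]))
    return None

def main_interface(intf: str) -> str:
    """Strip the sub-interface index (TenGigE0/0/0/3.38032178 -> TenGigE0/0/0/3)."""
    return intf.split(".", 1)[0]

def penalized_ports(lines: List[str]) -> Dict[str, List[str]]:
    """Map each physical port to the penalty kinds seen on it or its sub-interfaces."""
    out: Dict[str, List[str]] = {}
    for line in lines:
        ev = parse_flowtrap(line)
        if ev is not None:
            out.setdefault(main_interface(ev.intf), []).append(ev.kind)
    return out

# Sample lines copied from the two log excerpts in this note.
SAMPLE_LOG = [
    "LC/0/1/CPU0:Jan 13 06:48:24.362 : flowtrap[196]: %OS-FLOWTRAP-4-BAD_ACTOR_MAC_DETECTED : Excessive ICMP-app flow detected from source MAC address 78ba.f96b.eb82 on interface TenGigE0/1/0/1. Traffic from this MAC address will be dropped for 15 minutes.",
    "LC/0/0/CPU0:Jan 12 00:35:58.370 CST: flowtrap[217]: %OS-FLOWTRAP-4-BAD_ACTOR_INTF_DETECTED : Excessive ICMP-app flow detected on interface TenGigE0/0/0/3.38032178. The interface will be penalty-policed at 10 pps for 15 minutes. ",
]
```

Pipe `show logging | in FLOWTRAP` output through `penalized_ports` and compare the ports with the ones where routing adjacencies dropped at the same time.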

Input error giant
A giant frame is any frame whose size exceeds the maximum transmission unit (MTU).

Input error runt
A runt is a frame that is smaller than the minimum frame size for IEEE 802.3 standard frames. In Ethernet that's 64 bytes.

Input error jabbers
A jabber is a frame longer than 1518 octets (excluding framing bits, but including FCS octets) which either does not end with an even number of octets (alignment error) or has a bad FCS.

Input error fragments
Shows the number of packets received incorrectly, having a CRC error and a non-integer number of octets. On a LAN, this is usually the result of collisions or a malfunctioning Ethernet device.

Input error CRC
Indicates that the cyclic redundancy checksum generated by the originating LAN station or far-end device does not match the checksum calculated from the data received. On a LAN, this usually indicates noise or transmission problems on the LAN interface or the LAN bus itself. A high number of CRCs is usually the result of collisions or a station transmitting bad data.

Input error collisions
Collisions are expected when Ethernet is operating in half-duplex mode. Both devices should use the same approach: either both auto-negotiate speed and duplex, or both set speed and duplex manually.

Input error symbol
A symbol error means the interface detected an undefined (invalid) symbol. Small numbers of symbol errors can be ignored; large numbers can indicate bad fiber or optics.

Input error overrun
Shows the number of times that the receiver hardware was incapable of handing received data to a hardware buffer because the input rate exceeded the receiver's capability to handle the data.

Input error ignored
Shows the number of received packets ignored by the interface because the interface hardware ran low on internal buffers. These buffers are different from the system buffers mentioned previously in the buffer description. Broadcast storms and bursts of noise can cause the ignored count to increase.
I still use Windows as my work OS, so I want to record the software I commonly use on Windows, so that it can be restored quickly when switching machines.

#yum -y install tcpdump
#tcpdump -i ens32 host -w 332.pcap

Upgrade Method

Cisco 8000 upgrade methods are similar to those of other XR products and fall roughly into three categories:

  • USB re-image
  • PXE re-image
  • Install command (this post logs the upgrade process using the install command)


Download the installation image and the optional RPM packages, and copy them to harddisk: on the active RP.

RP/0/RP0/CPU0:ios#dir harddisk: 
Wed Jan 20 06:45:46.006 UTC

Directory of harddisk:
     15 -rw-r--r--. 1    737280 Jan 20 06:44 8000-optional-rpms.7.0.14.tar     <<<<
 524289 drwxrwxrwx. 2      4096 Jan 20 05:00 dumper
     13 -rw-r--r--. 1 987228160 Jan 20 05:53 8000-x64-7.0.14.iso            <<<
     14 -rw-r--r--. 1   1003520 Jan 20 06:44 8000-k9sec-rpms.7.0.14.tar       <<<<
3407873 drwxr-xr-x. 2      4096 Jan 20 05:00 showtech
     11 drwx------. 2     16384 Jan 20 04:49 lost+found
1310721 drwx------. 3      4096 Jan 20 04:58 ima
3670017 drwxrwxrwx. 5      4096 Jan 20 05:25 cisco_support
 655361 drwxr-xr-x. 3      4096 Jan 20 05:00 pam
2883585 drwxrwxrwx. 2      4096 Jan 20 04:54 shutdown
     12 -rw-rw-rw-. 1        31 Jan 20 04:54 debug_shell_client.log
 262145 drwxrwxrwx. 2      4096 Jan 20 04:55 .sppdc
3932161 drwxrwxrwx. 2      4096 Jan 20 04:54 nvram

As shown above, the ISO already includes some basic feature packages such as BGP, ISIS and OSPF; others are shipped in the optional tar package.

