Want to enable feature EPFT with “routing-protocols-enable”. However, it throws an error and asks to configure the following command: “non-subscriber-interfaces mac”, which once enabled drops the traffic without any penalty.
EPFT for routing protocols can be enabled only with the “non-subscriber-interfaces mac” command, which means bad-actor identification will be done on a MAC basis. When a bad actor is identified based on MAC there will be a complete drop; no penalty policing will be done. For penalty policing to happen, please change the config to “non-subscriber-interfaces”.
The complete drop is for traffic from the bad actor. All other MACs on the interface should be able to pass traffic via the interface.
My understanding of enabling ‘routing-protocols-enable’ for EPFT is that it prevents routing protocols (e.g. BGP) from triggering any ‘bad actor’ condition. Is that correct?
Without enabling "routing-protocols-enable" command:
> EPFT functionality bypasses all routing protocols by default. This is done to explicitly avoid dropping of necessary control-plane packets like route updates. Control-plane is already protected via LPTS.
> By default EPFT is not enabled, thus BGP packets <updates> will not fall under penalty as per design. By default LPTS has configured rate for BGP packets to be policed if it goes over the limit.
The correct commands to check this are the following:
show lpts pifib hardware police location <>
show lpts pifib dynamic-flows statistics location <>
show lpts pifib hardware entry location <> | be <SIP>
SIP = the source IP with which peering is done and which sent the big updates; used to check the rate of traffic.
Once EPFT for routing protocols is enabled:
lpts punt excessive-flow-trap
 non-subscriber-interfaces mac
 routing-protocols-enable
> EPFT, if enabled for routing protocols, can cause issues by dropping the traffic from a bad actor <which can be updates if sent at a very high rate, and are not expected>. Usually normal updates are never identified as a bad actor.
*Bad actor is a term for a user sending a huge amount of “for-us” traffic.
My understanding is also that it is correct behaviour for the above knob to be usable only in conjunction with ‘non-subscriber-interfaces mac’ enabled.
The EPFT feature for routing protocols is supported only with non-subscriber MAC interfaces.
It only supports source based MAC filtering.
Once a bad actor is identified, all the traffic with that particular source will be dropped for the penalty-timeout, which can be modified as follows:
lpts punt excessive-flow-trap
 penalty-rate arp 10
 penalty-rate icmp 0
 penalty-rate igmp 50
 penalty-rate ip 100
 penalty-timeout ospf 0
 penalty-timeout bgp 0
 exclude interface <back_bone_interface> // Can exclude both physical and sub-interfaces
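As an added illustration (not from this thread or from Cisco), a small Python audit of the EPFT knobs and the dependency discussed above, run against a constructed IOS-XR config fragment; the indented submode layout, the interface name and the helper names are assumptions.

```python
# Constructed sample of a running-config fragment (not from the device in the thread).
SAMPLE_CONFIG = """\
lpts punt excessive-flow-trap
 non-subscriber-interfaces mac
 routing-protocols-enable
 penalty-rate arp 10
 penalty-rate icmp 0
 penalty-rate igmp 50
 penalty-rate ip 100
 penalty-timeout ospf 0
 penalty-timeout bgp 0
 exclude interface HundredGigE0/0/0/0
!
"""

def parse_epft(config):
    """Collect the settings inside the 'lpts punt excessive-flow-trap' submode."""
    epft = {"mac": False, "routing_protocols": False,
            "penalty_rate": {}, "penalty_timeout": {}, "excluded": []}
    in_block = False
    for raw in config.splitlines():
        if raw.startswith("lpts punt excessive-flow-trap"):
            in_block = True
            continue
        if in_block and not raw.startswith(" "):
            in_block = False  # '!' or the next top-level command ends the submode
        words = raw.split()
        if not in_block or not words:
            continue
        if words[:2] == ["non-subscriber-interfaces", "mac"]:
            epft["mac"] = True
        elif words == ["routing-protocols-enable"]:
            epft["routing_protocols"] = True
        elif words[0] == "penalty-rate" and len(words) == 3:
            epft["penalty_rate"][words[1]] = int(words[2])
        elif words[0] == "penalty-timeout" and len(words) == 3:
            epft["penalty_timeout"][words[1]] = int(words[2])
        elif words[:2] == ["exclude", "interface"] and len(words) == 3:
            epft["excluded"].append(words[2])
    return epft

def audit_epft(config, backbone_interfaces):
    """Return findings for the constraints the thread describes."""
    epft = parse_epft(config)
    findings = []
    if epft["routing_protocols"] and not epft["mac"]:
        findings.append("routing-protocols-enable requires non-subscriber-interfaces mac")
    elif epft["routing_protocols"]:
        findings.append("mac mode: bad-actor source MAC is dropped outright, no penalty policing")
    for intf in backbone_interfaces:
        if intf not in epft["excluded"]:
            findings.append(f"backbone {intf} is not excluded from EPFT")
    return findings
```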
Want to confirm why the default parameters are set <seen in the output of the command “show lpts punt exc info”> though EPFT is not configured?
The output of this command just lets us know that once EPFT is enabled, the following parameters will be set, which can be changed using commands. If we want to see whether EPFT is enabled or not, it can be confirmed via the following commands:
- show lpts punt excessive-flow-trap trace | in Elephant
- show lpts punt excessive-flow-trap trace | in routing_protocol_enable >> it should have value = 1
>> The output will show whether the Elephant trap is enabled or disabled, and it will also show the various parameters for which it is enabled once configured.