Cisco Support Community
ASR9000/XR: Local Packet Transport Services (LPTS) CoPP

Introduction

IOS devices have the concept of Control Plane Policing (CoPP). IOS-XR doesn't use that concept but instead uses a very comprehensive and powerful mechanism called Local Packet Transport Services (LPTS). This document explains how LPTS works and how you can work with it, monitor it and verify it.

Core Issue

LPTS combines the concepts of reflexive ACLs and punt policers with an "internal" FIB, or iFIB, that directs certain packets to the appropriate nodes. IOS-XR can handle certain traffic on the linecard (such as BFD, Netflow and ARP), and LPTS instructs these packets to be handled by the local LC CPU rather than the RSP CPU.

At the same time, there are ACLs in place that allow, for instance, the punting of Telnet traffic, and that restrict it per source host if so configured through another component of LPTS called MPP, the Management Plane Protection.

Generally, the default values for LPTS provide the level of protection you are after. However, there are some rare circumstances in which you want to tune the LPTS values in order to get the service levels you need. LPTS is very dynamic in nature and pierces holes into the protection system as particular items are configured.

The LPTS policers work on a per-NP basis. So if the LPTS police value is set to 1000pps, that means that every NP on the LC can punt at 1000pps to the RSP CPU or LC CPU. This is something to take into consideration when evaluating the A9K-8T-x cards, which have 8 NPUs per LC.

Take extreme care when changing the LPTS policer values.

High level overview

From a birds eye view, LPTS looks like this:

[Figure: overview.jpg]

The NPU has a table that tells it where to send packets to (LC or RSP) as part of the "internal FIB" or iFIB. These packets are punted at a pre-defined rate, which can be tuned in XR release 4.x and later. Also in the TCAM, which is used in the ASR9K for ACLs (amongst others), are lists that define which packets we want to allow and which not. This is discussed in the MPP section of this document.

LPTS is composed of a (set of) dynamic ACLs (created dynamically as part of user configuration, or automatically inserted as peerings establish), an internal "routing table" (iFIB) and a set of policers for different punt reasons.

LPTS Characteristics

  • LPTS has hardware policers on line cards to limit traffic sent to local or remote nodes
  • LPTS entries in TCAM classify packets to select a policer to apply
  • The policer value can be tuned to 0 (to drop all packets matching the classification criteria)
  • Polices on protocol (BGP, OSPF, SSH) and flow state (BGP established, BGP configured and BGP listen)
  • Policing is done on the LC hardware ASIC before packets hit the RP/LC CPU
  • Filters are automatically and dynamically installed by the IOS XR infrastructure

So for-me packets first undergo the pre-iFIB classification and policing, after which they are directed by the iFIB, the second level of filtering, to the destination node.

LPTS Firewalling

One of the great strengths of LPTS is the dynamic ACL creation. This is configuration driven and no user intervention is required.

In addition to that, LPTS has different flow categories based on the state of the protocol. For instance, BGP has 3 different states:

  1. Unknown
  2. Configured
  3. Established

Unknown is the flow whereby we see TCP port 179 traffic, but we have no neighbor configured for that source. Policed very heavily.

Configured is the entry whereby we know the source address of the peer, but the session is not yet established (no known source port from the peer). Policed moderately.

Established is where we have all the L3 and L4 data from the session. Lightly policed.

The configured entry is driven by the neighbor statement under the router BGP configuration.

Established is dynamically inserted when the peer establishes.

You could theoretically police the unknown to a rate of zero.

Example:

router bgp
 neighbor 192.168.1.1
  …
!

The following table can be seen in the output of the command:

show lpts pifib hardware entry brief loc 0/3/cpu0 | i 179

Local        Port  Remote       Port  Rate    State
any          179   ANY          ANY   100     unknown
any          179   192.168.1.1  ANY   1,000   configured
192.168.1.2  179   192.168.1.1  2223  10,000  established

If you use the command

RP/0/RSP0/CPU0:A9K-TOP#show lpts pifib hardware entry location 0/3/CPU0 | be 33.33.1

you can check the detailed entry of the PiFIB (policer). The annotations to the right of the fields are explanations, not part of the output:

Source IP         : 33.33.1.1                        the remote address
Is Fragment       : 0                                fragments allowed
Interface         : any                              expected source interface
M/L/T/F           : 0/IPv4_STACK/0/BGP-known         the last field is the LPTS flow type
DestNode          : 48                               where the packets are sent to
DestAddr          : 48
L4 Protocol       : TCP
TCP flag byte     : any                              additional security checks at TCP level
Source port       : Port:179
Destination Port  : 11293
Accepted/Dropped  : 117866/0                         packets accepted and denied
# of TCAM entries : 1                                number of TCAM entries burnt for this PiFIB entry
HPo/HAr/HBu/Cir   : 1924676/2500pps/2500ms/2500pps
State             : Entry in TCAM                    status of the entry


Configuring LPTS police rates

You can configure the LPTS policers on a PiFIB basis, and the punt policers can be adjusted as well.

The following commands apply. Note that this is on a per-linecard basis: all NPUs on that linecard get reconfigured.

RP/0/RSP0/CPU0:A9K-BNG(config)#lpts punt police location 0/0/CPU0 protocol ?
  arp              ARP packets
  bfd              Bidirectional Forwarding Detection packets
  cdp              Cisco Discovery Protocol packets
  cfm              Connectivity Fault Management Protocol packets
  cgmp             Cisco Group Management Protocol packets
  dhcp             Dynamic Host Configuration Protocol packets
  efm              Ethernet in the First Mile Protocol packets
  igmp-snoop       Internet Group Management Protocol Snoop packets
  ipiw-arp         L2VPN IPIW ARP packets
  ipv4             IPv4 packets
  ipv6             IPv6 packets
  lacp             Bundle Protocol packets
  mofrr            Multicast-only FRR packets
  mpls             MPLS punt packets
  mstp             Multiple Spanning Tree Protocol packets
  mvrp             Multiple VLAN Registration Protocol packets
  ppp              Point-to-Point Protocol packets
  pppoe            Point-to-Point Protocol over Ethernet packets
  rarp             Reverse ARP packets
  vccv             Virtual Circuit Connection Verification packets
  vidmon           Video Monitoring packets
  vidmon-flow-add  Video Monitoring flow add packets

Exception packets can be reconfigured with the following command:

lpts punt police location 0/0/CPU0 exception

Glean adjacency or ACL-deny packets, for instance, can be tuned via that command.

The PiFIB can be reconfigured via the following commands:

RP/0/RSP0/CPU0:A9K-BNG(config)#lpts pifib hardware ...

  • In there you can enter the linecard you wish to specifically reconfigure
  • The policer flow values
  • And the TCAM entries (this is new in XR420)   
    • As you've seen LPTS can dynamically create "ACL" entries for dynamic firewalling and for MPP. This command limits the number of TCAM entries that LPTS can use so that space is available for other purposes such as regular ACL's, QOS matching, EFP matching etc.

LPTS static-police and police differences

The command "police" is used to check policer values and accept/drop counts for packets matching LPTS TCAM entries (mostly L3 packets), whereas "static-police" is used to check policer values and accept/drop counts for packets matching static punt reasons programmed in search structures (mostly L2 and exception packets).

"policer" is for dynamic flows (like BGP, OSPF and other protocols handled by the RSP).

"static-policer" is for pseudo-static flows (like BFD and CFM, handled by the LC). These are hard-coded and include exception-processing packets.

There is a CLI to change a few of the exception-processing policers as well (e.g. ICMP unreachable).

Monitoring LPTS

LPTS is not SNMP enabled (request has been filed and is in the works, no target release defined at time of writing). Though there are very inventive ways to monitor LPTS and generate alerts. There is a TCL script that you can use with EEM in order to get some level of alerting.

Attached to this article is the script package, and here is how you set it up:

event manager environment EEM_LPTS_CHECK_INTERVAL 300
event manager environment EEM_LPTS_CHECK_FLOWTYPES BGP-known *
event manager environment EEM_LPTS_CHECK_LOCATIONS 0/0/CPU0 0/4/CPU0
event manager environment EEM_LPTS_CHECK_THRESHOLD 1 50%
event manager directory user policy disk0:/scripts/
event manager policy lpts-threshold-alerting.tcl username scripts
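As an added illustration (not part of the original article or of its attached TCL script), the following Python sketch shows the kind of check such a script performs, run offline against captured output: it parses the field/value output of "show lpts pifib hardware entry", filters entries by flow type with the same glob style as EEM_LPTS_CHECK_FLOWTYPES, and reports entries whose drop percentage crosses a threshold. The sample output, the threshold semantics (percentage of dropped over accepted plus dropped) and the function names are assumptions made for this example.

```python
import fnmatch
import re

# Constructed sample in the field/value format of "show lpts pifib hardware entry"
# (two entries with invented counters; a dashed line separates entries)
SAMPLE_OUTPUT = """\
Source IP         : 33.33.1.1
Is Fragment       : 0
Interface         : any
M/L/T/F           : 0/IPv4_STACK/0/BGP-known
DestNode          : 48
L4 Protocol       : TCP
Source port       : Port:179
Destination Port  : 11293
Accepted/Dropped  : 117866/0
# of TCAM entries : 1
State             : Entry in TCAM
-----------------------------------
Source IP         : any
Is Fragment       : 0
Interface         : any
M/L/T/F           : 0/IPv4_STACK/0/BGP-default
DestNode          : 48
L4 Protocol       : TCP
Source port       : any
Destination Port  : 179
Accepted/Dropped  : 120/380
# of TCAM entries : 1
State             : Entry in TCAM
"""

# "key : value" lines; the key may itself contain spaces and '#', the value may contain ':'
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<val>.*?)\s*$")


def parse_pifib_entries(text):
    """Split the output into one dict per entry; any non field/value line ends an entry."""
    entries, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            if current:
                entries.append(current)
                current = {}
            continue
        current[m.group("key")] = m.group("val")
    if current:
        entries.append(current)
    return entries


def flow_type(entry):
    """The last field of M/L/T/F is the LPTS flow type, e.g. BGP-known."""
    return entry.get("M/L/T/F", "").rsplit("/", 1)[-1]


def drop_pct(entry):
    """Dropped packets as a percentage of all packets that hit this entry."""
    accepted, dropped = (int(x) for x in entry["Accepted/Dropped"].split("/"))
    total = accepted + dropped
    return 0.0 if total == 0 else 100 * dropped / total


def check_lpts_drops(text, flowtypes=("*",), threshold_pct=50.0):
    """Return (flow type, source, drop %) for matching entries at or above the threshold."""
    alerts = []
    for entry in parse_pifib_entries(text):
        ft = flow_type(entry)
        if not any(fnmatch.fnmatchcase(ft, pattern) for pattern in flowtypes):
            continue
        pct = drop_pct(entry)
        if pct >= threshold_pct:
            alerts.append((ft, entry.get("Source IP", "?"), pct))
    return alerts


if __name__ == "__main__":
    # Mirrors "EEM_LPTS_CHECK_FLOWTYPES BGP-known *" style filtering with a 50% threshold
    for ft, src, pct in check_lpts_drops(SAMPLE_OUTPUT, ("BGP-*",), 50.0):
        print(f"ALERT: flow {ft} from {src} is dropping {pct:.1f}% of its packets")
```

Because LPTS counters cannot be cleared on their own (see below), a real monitor would keep the previous Accepted/Dropped values per entry and alert on the delta between two polls rather than on the lifetime ratio shown here.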

How to clear LPTS statistics

LPTS stats cannot be cleared by LPTS commands or by QoS counter clearing.

You can clear LPTS stats by clearing the NP controller stats:

clear controllers np counters all location <location>

MPP: Management Plane Protection

In the standard configuration all interfaces have access to the Telnet, SSH and SNMP daemons.

Inband vs Out of band

All linecard interfaces are designated inband, meaning they can transport user traffic as well as management traffic.

The mgmt interfaces on the RSP are designated out-of-band. This means that they can't transport user traffic, only management traffic.

Out-of-band interfaces can't "speak" to other interfaces, as they are designated for management traffic. So even though there is a route in the system that would send traffic out of the mgmt interface, fabric-enabled interfaces on the LC can't

Here is an example of out-of-band and the restrictions that it imposes on the forwarding:

[Figure: oob.jpg]

Configuring MPP

By default, when a service is configured, there are no MPP restrictions: all interfaces are able to accept the management traffic for the service you defined. For example, when the telnet server is configured, LPTS reports the following binding:

RP/0/RSP0/CPU0:A9K-BNG#show lpts bindings brief | i (any.23 )
Tue Feb 28 12:00:55.195 EDT
0/RSP0/CPU0 TCP  LR IPV4 TCP    default   any          any,23 any

This means that every for-me packet with port 23 as the destination port will get serviced.

Now, when configuring MPP, the bindings output changes:

control-plane
 management-plane
  inband
   interface TenGigE0/1/0/0
    allow Telnet peer
     address ipv4 3.3.3.3
     address ipv4 5.5.5.0/28
    !
   !
   interface GigabitEthernet0/0/0/10
    allow Telnet
   !
  !
!

In this configuration example I am designating two interfaces as inband, so they will still be able to forward transit traffic and allow inbound telnet traffic. At the same time I allow telnet from any host on Gig0/0/0/10 and only telnet from a few peers on Te0/1/0/0.

The LPTS bindings are dynamically changed, as per the following output (the text after << is an annotation, not part of the output):

RP/0/RSP0/CPU0:A9K-BNG#show lpts bindings brief | i (any.23 )
Tue Feb 28 12:06:48.339 EDT
0/RSP0/CPU0 TCP  LR IPV4 TCP    default   Gi0/0/0/10   any,23 any            << Any source can access my telnet on this intf
0/RSP0/CPU0 TCP  LR IPV4 TCP    default   Mg0/RSP0/CPU0/0 any,23 any         << Dedicated inband
0/RSP0/CPU0 TCP  LR IPV4 TCP    default   Te0/1/0/0    any,23 3.3.3.3        << /32 host access for telnet on dedicated intf
0/RSP0/CPU0 TCP  LR IPV4 TCP    default   Te0/1/0/0    any,23 5.5.5.0/28     << Hosts from this subnet on this intf
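To make the before/after difference concrete, here is an added Python example (not from the article) that parses "show lpts bindings brief" lines and flags management-port bindings that are still open on every interface to every source, i.e. the pre-MPP state, and lists the interface/peer pairs MPP has pinned a port to. The sample lines are constructed from the outputs above plus an invented SSH line, and the column names are my own labels for the nine whitespace-separated fields.

```python
# Constructed sample in the format of "show lpts bindings brief": the first binding line is
# the default (pre-MPP) telnet state, the next four are the post-MPP state from the article,
# and the last is an invented SSH binding left unrestricted.
SAMPLE_BINDINGS = """\
Tue Feb 28 12:06:48.339 EDT
0/RSP0/CPU0 TCP  LR IPV4 TCP    default   any          any,23 any
0/RSP0/CPU0 TCP  LR IPV4 TCP    default   Gi0/0/0/10   any,23 any     << annotation is dropped by the parser
0/RSP0/CPU0 TCP  LR IPV4 TCP    default   Mg0/RSP0/CPU0/0 any,23 any
0/RSP0/CPU0 TCP  LR IPV4 TCP    default   Te0/1/0/0    any,23 3.3.3.3
0/RSP0/CPU0 TCP  LR IPV4 TCP    default   Te0/1/0/0    any,23 5.5.5.0/28
0/RSP0/CPU0 TCP  LR IPV4 TCP    default   any          any,22 any
"""

# Labels for the nine columns (my naming, inferred from the output layout)
COLUMNS = ("node", "client", "layer", "af", "proto", "vrf", "interface", "local", "remote")


def parse_bindings(text):
    """Turn every nine-column binding line into a dict; timestamps and other lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split("<<", 1)[0].split()   # strip any trailing annotation
        if len(fields) != len(COLUMNS):
            continue
        row = dict(zip(COLUMNS, fields))
        addr, _, port = row["local"].rpartition(",")   # "any,23" -> ("any", "23")
        row["local_addr"], row["local_port"] = addr, port
        rows.append(row)
    return rows


def unrestricted_bindings(text, ports=("22", "23")):
    """Management-port bindings reachable on any interface from any source (no MPP restriction)."""
    return [r for r in parse_bindings(text)
            if r["local_port"] in ports and r["interface"] == "any" and r["remote"] == "any"]


def peer_restricted_bindings(text, port):
    """(interface, peer) pairs for a port that MPP has limited to specific peers."""
    return [(r["interface"], r["remote"]) for r in parse_bindings(text)
            if r["local_port"] == port and r["interface"] != "any" and r["remote"] != "any"]


if __name__ == "__main__":
    for r in unrestricted_bindings(SAMPLE_BINDINGS):
        print(f"open everywhere: vrf {r['vrf']} {r['proto']} port {r['local_port']}")
    for intf, peer in peer_restricted_bindings(SAMPLE_BINDINGS, "23"):
        print(f"telnet on {intf} restricted to {peer}")
```

Run against real output this is a quick way to confirm that an MPP change actually took effect for every management service: any remaining "any ... any,<port> any" line is a service MPP is not covering.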

Powerful eh!?!

We can also look at the pre-internal FIB (PiFIB) and check the entries there:

RP/0/RSP0/CPU0:A9K-BNG#show lpts pifib hardware entry bri location 0/1/cpu0 | i (.23 )
Tue Feb 28 12:27:46.389 EDT
7      IPV4 default      TCP    Te0/1/0/0       LU(48) any,23 3.3.3.3,any
10     IPV4 default      TCP    Te0/1/0/0       LU(48) any,23 5.5.5.0/28,any


Decoding the Destnode in LPTS entries

In the example above you see the following detail: LU(48). This section explains that number.

The LU means local unicast fabric. The 48 is a very interesting number.

The device that this output is taken from is an ASR9010, which has 8 LC slots and 2 RSP slots. On each side of the RSPs in the middle are 4 LCs.

If I were to decode the 48 (0x30) into binary it looks like this:

+---+---+---+---+---+---+---+---+
| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |     Position
+---+---+---+---+---+---+---+---+
| 0 | 0 | 1 | 1 | 0 | 0 | 0 | 0 |     Bit value for decimal 48
+---+---+---+---+---+---+---+---+
|LC |LC |RSP|RSP|LC |LC |LC |LC |     Slot position filling (note: the 2 left-most LCs are not drawn)
+---+---+---+---+---+---+---+---+

Now you can see that the 1's are in positions 5 and 4, and if you look at the slot numbering of the ASR9006, you can see that these are the RSPs!! So telnet is delivered to the RSP.
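The decoding above, as an added Python example (not part of the original article): it parses the DestNode column of a "show lpts pifib hardware entry brief" line, expands the mask into bit positions and maps each position to a slot role using the table above. The position-to-role mapping is taken from that table and is an assumption for this chassis layout only; the function names are mine.

```python
import re

# Slot role per bit position, taken from the table above (assumption: positions 7..0 are
# LC, LC, RSP, RSP, LC, LC, LC, LC; the two left-most LCs of the chassis are not drawn there)
SLOT_ROLE = {7: "LC", 6: "LC", 5: "RSP", 4: "RSP", 3: "LC", 2: "LC", 1: "LC", 0: "LC"}

# DestNode column, e.g. "LU(48)": fabric type in letters, slot mask in decimal
DESTNODE_RE = re.compile(r"^(?P<fabric>[A-Z]+)\((?P<mask>\d+)\)$")


def decode_destnode(mask):
    """(position, role) for every bit set in the mask, highest position first."""
    return [(pos, SLOT_ROLE[pos]) for pos in range(7, -1, -1) if (mask >> pos) & 1]


def bit_row(mask):
    """The 'bit value' row of the table above, position 7 on the left."""
    return " ".join(str((mask >> pos) & 1) for pos in range(7, -1, -1))


def destination_kind(mask):
    """'RSP' or 'LC' when all set bits are one kind of slot, 'mixed' otherwise, 'none' for 0."""
    roles = {role for _, role in decode_destnode(mask)}
    if not roles:
        return "none"
    return roles.pop() if len(roles) == 1 else "mixed"


def parse_pifib_brief(line):
    """Parse one eight-column 'show lpts pifib hardware entry brief' line and decode its DestNode.
    Returns None for lines that are not entries (timestamps, headers)."""
    fields = line.split()
    if len(fields) != 8:
        return None
    idx, af, vrf, proto, interface, destnode, local, remote = fields
    m = DESTNODE_RE.match(destnode)
    if not m:
        return None
    mask = int(m.group("mask"))
    return {
        "index": int(idx), "af": af, "vrf": vrf, "proto": proto, "interface": interface,
        "fabric": m.group("fabric"), "mask": mask, "bits": bit_row(mask),
        "slots": decode_destnode(mask), "delivered_to": destination_kind(mask),
        "local": local, "remote": remote,
    }


if __name__ == "__main__":
    # Entry line copied from the article's output above
    entry = parse_pifib_brief("7      IPV4 default      TCP    Te0/1/0/0       LU(48) any,23 3.3.3.3,any")
    print(f"DestNode mask {entry['mask']} = {entry['bits']} -> slots {entry['slots']}")
    print(f"telnet on {entry['interface']} is delivered to the {entry['delivered_to']}")
```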

Restrictions for MPP

1) Currently MPP doesn't keep track of the denied or dropped protocol requests
2) The management protocols need to be enabled explicitly
   – MPP configuration doesn't enable the protocol services.
   – MPP is only responsible for making the services available on different interfaces
3) Management requests received on in-band interfaces may not be acknowledged on in-band interfaces
4) RSP Management Ethernet interfaces are by default out-of-band interfaces
5) MPP configuration changes don't affect active sessions established before the changes
6) No MIB support

Related Information

Cisco Guide to Harden Cisco IOS XR Devices

LPTS Considerations

If you can use only the p2p OSPF network type:

flow ospf-uc-known rate 0
flow ospf-uc-default rate 0

Note that the OSPF p2p network type is the recommended setting even on Ethernet interfaces, unless you have multiple routers on the same segment.

Do we really need the BGP, LDP-TCP and MSDP default flows (for unconfigured sessions)? If not:

flow bgp-default rate 0
flow ldp-tcp-default rate 0
flow msdp-default rate 0

Xander Thuijs, CCIE #6775

Sr. Tech Lead ASR9000


Comments
Community Member

Hi Xander,

thank you for this useful information (and for all your other contributions ).

I'd have a question about this LPTS point :

I have a network with an L3VPN configured the usual way.

A VRF instance is configured in the different routers, and in each router a loopback interface is assigned to that VRF instance. The IP address of the loopback interfaces is announced by MP-BGP in the MPLS core.

So these IP addresses are reachable (we can ping them from the routers or some workstations). But we can not establish a telnet or ssh session to them. I made some research and found that it is certainly related to the LPTS feature (the command "show lpts ifib statistics" shows that every time I try a telnet/ssh connection, the counter "reject" increments by 1).

I also found that one of the MPP requirements is that in case we try to manage a VRF interface, the inband interface we use to reach the router must belong to that same VRF, but in the case of L3VPN, inband interfaces are MPLS interfaces, not configured to belong to any VRF instance.

So I believe with MPP configured, there is no way to manage a router through an MPLS interface?

Best regards,

Brahim

Cisco Employee

Hi Brahim! Thank you! And great question!

Check this with standard config:

telnet vrf default ipv4 server max-servers 4

results in :

RP/0/RSP1/CPU0:A9K-BOT#show lpts bindings br | i ,23

Wed Aug 22 15:42:19.160 EDT

0/RSP1/CPU0 TCP  LR IPV4 TCP    default   any          any,23 any

You see where I am going with highlighting this default right?

telnet vrf RED ipv4 server max-servers 4

0/RSP1/CPU0 TCP  LR IPV4 TCP    default   any          any,23 any

0/RSP1/CPU0 TCP  LR IPV4 TCP    RED       any          any,23 any

Now if I add MPP to the mix:

RP/0/RSP1/CPU0:A9K-BOT(config)#control-plane management-plane

RP/0/RSP1/CPU0:A9K-BOT(config-mpp)#inband

RP/0/RSP1/CPU0:A9K-BOT(config-mpp-inband)#interface g0/1/0/0.20

RP/0/RSP1/CPU0:A9K-BOT(config-mpp-inband-if)#allow telnet

RP/0/RSP1/CPU0:A9K-BOT(config-mpp-inband-if)#commit

Now my LPTS entries are modified:

0/RSP1/CPU0 TCP  LR IPV4 TCP    default   Mg0/RSP1/CPU0/0 any,23 any

0/RSP1/CPU0 TCP  LR IPV4 TCP    RED       Gi0/1/0/0.20 any,23 any

So without the telnet SERVER for that vrf, the holes are not even pierced to start with.

RP/0/RSP1/CPU0:A9K-BOT(config)#no telnet vrf RED ipv4 server max-servers 4

RP/0/RSP1/CPU0:A9K-BOT(config)#commit

0/RSP1/CPU0 TCP  LR IPV4 TCP    default   Mg0/RSP1/CPU0/0 any,23 any

cheers!

xander

Community Member

Thank you for your answer Xander!

I assume that in your example the interface g0/1/0/0.20 is assigned to vrf RED?

If that is the case, I think your example and mine are different. I am inserting a diagram for clarification:

[Figure: LPTS-MPP.JPG]

The 4 routers are forming an MPLS backbone (inter-router links are MPLS links). I try for example to establish a management session (telnet or ssh) to R2 from the station on the left (or from any of the other routers, specifying that I am using the vrf RED to establish that session).

In that case, I see the "reject" counter incrementing in the command "show lpts ifib statistics", and R2 effectively refuses the connection.

But if I try to establish a management session to R1 from the station (or from R3, but using the LAN link assigned to VRF RED), behaviour is OK, connections are established. For me, it seems that connections are rejected because the "inband" interface used to reach the loopback interface, and that same loopback interface, are not both assigned to vrf RED (the inband interface is an MPLS interface, shared between many services).

telnet/ssh services are correctly activated for the correct VRFs as you reminded.

I hope my explanation is clear enough

Best regards,

Brahim

Cisco Employee

Aha thanks for that clarification Brahim! The story I have above still applies, but in this picture there is something else in play that I didn't talk about before.

Assuming the picture is complete, and you don't have any PHY interfaces in the vrf on R2, regardless of your telnet vrf RED server statement, the iFIB may not have been programmed for these VRFs because of SVD (Selective VRF Download).

In that mode, the system tries to intelligently determine if an LC is subscriber or core facing and only in limited fashion downloads VRFs and their programming to the LC.

To "draw" vrf knowledge to the LC, you can do one of these 2 things:

RP/0/RSP1/CPU0:A9K-BOT(config)#selective-vrf-download disable (commit and reload lc...)

use show svd [role | status] to track

or you can do what I did: configure any interface on that linecard in that vrf RED, which will make the LC pull all vrf RED knowledge.

So the checks to verify are:

1) check SVD applicability (4.2+ releases)

2) show lpts bindings brief | i ,23 to see if LPTS holes are pierced, and for that vrf

3) make sure that if MPP is configured, interfaces in that VRF are enabled
   (knowing that you may have to create a bogus phy interface, as the loopback may not do it on its own)

4) and obviously make sure your telnet server is running in that vrf also.

regards

xander

Community Member

This is becoming more and more interesting..

well I checked those constraints:

  • I am running a 4.1.2 release so for the moment I can not disable SVD. I'll check when I can.
  • But in my topology R1 and R3 already have their "LAN" interface (assigned to VRF) and their MPLS backbone interface located in the same card (see topology below). And behaviour is the same when I try to manage R3 from the host on the left (traffic of course flowing through R1... If I try to manage R3 from the LAN, directly to the VRF interface, I do not have the problem: telnet/ssh sessions establish correctly)
    • And the same if I try to establish the same remote session from R1: connections are dropped.
  • I looked for a debug, I used a "debug lpts packet drops", which gives me this kind of message each time a connection is dropped:

netio[310]: lpts ifib [0xddc545b8/66 if 0x000001a0 VRF 0x60000001 IP4 SOURCE_IP_ADDRESS.62854 -> DESTINATION_IP_ADDRESS.23 TCP S] to local stack for reject, dropping

I really appreciate your interest !!

Thank you for that,

Regards

Brahim

[Figure: LPTS-MPP_2.JPG]

      Cisco Employee

Brahim, no prob, if you have 4.1.2 then there is no SVD, so we can skip that check.

if you can telnet from your client to R3 directly, then your telnet server is running in the right vrf.

since netio sees the packet it means it got punted.

the problem could either be in (i)fib, netio or lpts, and/or could be related to the forwarding from R1 to R3 (label imposition etc).

One important piece is the nodeID in front of netio (lc or rp and which lc); that might be important here too.

Can you share your show run | i telnet and sh run control-plane.

And potentially proc restart the 3 procs referenced above and see if that helps.

if the config comes out clean, I may have to advise you to open a TAC case to investigate further.

      thanks

      xander

      Community Member

      Hi Xander,

I share with you the configuration part you asked for (the vrf RED is the one concerned here).

I believe the loopback interface doesn't need to be specified in the control-plane. It has been added for testing purposes about this issue.

For the process restarting I'll try to do it when I can; I believe it may be disruptive.

Regards,

Brahim

R3#sh run | in telnet
Building configuration...
telnet vrf default ipv4 server max-servers 50
telnet vrf BLUE ipv4 server max-servers 50
telnet vrf RED ipv4 server max-servers 50

R3#sh run control-plane
control-plane
 management-plane
  inband
   interface Loopback1
    allow all
   !
   interface Bundle-Ether1
    allow all
   !
   interface Bundle-Ether2
    allow all
   !
   interface GigabitEthernet0/2/0/19
    allow all
   !
  !
  out-of-band
   vrf BLUE
   interface MgmtEth0/RSP0/CPU0/0
    allow all
   !
  !

      Regards,

      Brahim

      Community Member

I have read this document. I would like to share my doubts with you.

In every example they have mentioned an IPv6 address on "out of band" and an IP address on "in band" interfaces. Can't we configure an IP address on "out of band" and an IPv6 address on inband interfaces of the ASR 9000? Apart from LPTS and Management Plane Protection, are there any other methods (by using ACL/route-map/policy-map) available in IOS XR for protecting the CPU and management plane??

      Cisco Employee

Just an example...

RP/0/RSP0/CPU0:A9K-BNG(config)#control-plane
RP/0/RSP0/CPU0:A9K-BNG(config-ctrl)#management-plane
RP/0/RSP0/CPU0:A9K-BNG(config-mpp)#inband
RP/0/RSP0/CPU0:A9K-BNG(config-mpp-inband)#interface all
RP/0/RSP0/CPU0:A9K-BNG(config-mpp-inband-all)#allow snMP peer address ?
  ipv4  Configure peer IPv4 address on this interface
  ipv6  Configure peer IPv6 address on this interface

MPP is hardware accelerated security and easier to manage. You can apply access-groups to the service (snmp/vty etc) but those packets have then already been processed and handed over to the application where they are denied, so a waste of processing cycles. MPP drops them in the hardware as they come in.

      xander

      Community Member

Hi Alexander,

Thanks for your valid information. I would like to share another doubt. In the ASR 9000, can we filter packets based on MAC and IPv6 to protect the control and management plane by using LPTS? Can we use rate-limiting of queues to limit traffic in the ASR also?? Does LPTS protect both the control and management plane or the control plane only?

Is there any other method available for protecting the management plane?

      Cisco Employee

Inside XR it is all done by LPTS, which manages flows, polices them and makes sure they are expected. there is not much to be configured about it. some folks prefer to tune lpts policers, but there is generally no need for it.

filtering based on mac can be done as part of infrastructure ACLs on the interface.

But if you have functionality like arp inspection or dhcp snooping then there is little need for that either.

      xander

      Community Member

      Hi Alexander,

Thanks for your quick response. In Management Plane Protection we are configuring "vrf vrf-name" only on out-of-band interfaces. Is this for controlling remote management of the router?? Is this mandatory? I am expecting your valid response.

      Community Member

      Hi Xander,

I have read this document. But as per my knowledge, there are no "infrastructure ACLs" for MAC filtering available in the ASR 9k. Let me know if my knowledge is wrong.

      Cisco Employee

      In fact there is Rakesh! Lucky you

it's defined like this:

ethernet-services access-list arpdeny
 10 deny any any 806
 20 permit any any

      xander

      Community Member

I am trying to allow inband access to the loopback only and created the following configuration:

control-plane
 management-plane
  inband
   interface Loopback0
    allow SSH peer
     address ipv4 10.20.0.21
    !
    allow SNMP
   !
  !
 !
!

RP/0/RSP0/CPU0:LAB-B#show lpts bindings brief | i (any.22 )
Thu Jul 18 06:01:50.248 UTC
0/RSP0/CPU0 TCP  LR IPV4 TCP    default   Mg0/RSP0/CPU0/0 any,22 any
0/RSP0/CPU0 TCP  LR IPV4 TCP    default   Lo0          any,22 10.20.0.21
0/RSP0/CPU0 TCP  LR IPV6 TCP    default   Mg0/RSP0/CPU0/0 any,22 any
RP/0/RSP0/CPU0:LAB-B#

so on Lo0 it is listening on the SSH port. However when I try to SSH to the Loopback (from a different ASR Lo0) I get

%Error in connect v4 - Connection refused

These two ASRs are connected via a Bundle-Ether and I need to add the Bundle-Ether as an inband interface as well to get it to work. However if I do this it also allows me to log on to the interface IP of that Bundle as well.
Can you please explain how this can be prevented.

      Cisco Employee

yeah I see your intent, but unfortunately mpp doesn't work that way.

what you hoped was that by allowing the loopback we would pierce a hole in all npu's allowing telnet to that address/interface, but mpp only programs it for the "real" interfaces.

so your addition of the bundle is the right thing to do.

now I know this is a request from some other folks also, and it is being looked at how we can build that requirement from you into the 9k sw with limited scale impact (it burns tcam entries for acl like you won't believe).

another option is to use infrastructure ACLs, like a regular ACL, and apply it to the interfaces.

      xander

      Community Member

      Xander

thank you for the clarification. I will just allow SSH on all core interfaces leading back to the management systems as well. I can't see any real danger in it, and each ASR only has two core interfaces. I was just puzzled about the behaviour of mpp.

      eelco

      Community Member

      Hi Xander,

      any impact if we change the default LPTS? understand LPTS entries in TCAM, technically should be any problem as long as not more than TCAM memory, correct me if i am wrong

      Cisco Employee

      hi there,

the tcam is used for "acl" like matching and flow matching, that is one part of LPTS. the second part, the policing, is done in a different stage and acts like regular policers.

there are reserved tcam spaces and policers for this.

by changing lpts flow rate values, we're just changing the rate of the existing, already assigned policers.

by adding more e.g. bgp peers, we just burn more tcam entries that would match the bgp-known/default/established entries.

At some point you may run out of tcam entries, but that should not happen when you remain within quoted scale numbers.

      regards

      xander

      Community Member

      Hi Xander,

thanks for the answer. The document says "Take extreme care when changing the LPTS policer values". How do we know the threshold of the value of the policer?

Is there any calculation, after we increase the policer, of how many more eBGP peers can be added?

for example: HSRP, default 400 pps, we change to 1000. so how many HSRP can be added with 1 sec hello and 3 sec hold time?


      Cisco Employee

that is the precise reason why I mentioned to be careful changing timers in LPTS. changing the hsrp punt rates doesn't automatically increase your scale from a control plane perspective; that is still a bottleneck.

for HSRP you are better off using larger timers and then using BFD for fast failure detection. this leaves you with the highest HSRP scale and the best convergence.

the only values I have seen requiring some change sometimes are:

ARP, for higher arp learning rates

Fragment (to zero), since we don't allow frag in hw anyway and in sw there are no features

<routing-protocol> default (e.g. bgp-default) to zero, since we have lpts entries for cfg and established.

      regards

      xander

      Community Member

so generally when we tune LPTS policers we need to monitor the control plane, e.g. the CPU processes of the RP? is there a theory or calculation for the acceptable/recommended LPTS policer values that we can tune?

      Cisco Employee

fortunately the control plane hosing situations that IOS was susceptible to I have never seen happen in XR.

even when one process has a runaway situation, the scheduler is totally independent of the processes and there is little point for concern.

there is also generally no need to tune the default LPTS policer values, unless:

1) your arp scale and needs are large and you expect/need faster arp learning

2) you want to harden XR a bit more, upon which you can configure the -default policers for routing protocols to zero.

3) you see a lot of fragmentation punts and you want to eliminate this altogether

4) you see consistently slow convergence in namely BGP and you have a lot of peers on that same LC/NPU, and you want to increase the established policer to allow more packets to go through.

some tuning might be necessary in BNG for DHCP policers to allow faster session establishment, but this has not been very common and frequent either (to date...).

health checking of your device is always important, but not more or less after tuning in my view.

this is because a high cpu in one process doesn't cause the same trouble as it does in a monolithic OS; also sometimes high cpu is something you may want, like during convergence. high cpu in XR just means that the process uses its full time quantum as assigned by the scheduler.

      regards

      xander

      Community Member

      Hi Xander,

      I am tring to configure LPTS alerting with lpts-threshold-alerting.tcl. There are some error about script. I have tried to fix but I'm not expertise on eem scrips and want get another look. 

      Below is my configuration for EEM.

      (admin)

      username eem-scripts
       group root-system
      !

       

      event manager environment EEM_LPTS_CHECK_INTERVAL 30
      event manager environment EEM_LPTS_CHECK_FLOWTYPES *
      event manager environment EEM_LPTS_CHECK_LOCATIONS 0/0/CPU0
      event manager environment EEM_LPTS_CHECK_THRESHOLD 10%
      event manager refresh-time 2000
      event manager directory user policy disk0:/scripts/
      event manager policy lpts-threshold-alerting.tcl username eem-scripts persist-time 3600

      aaa authorization exec eem-scripts none

      aaa authorization commands eem-scripts none

      line template eem-scripts
       accounting exec eem-scripts
       accounting commands eem-scripts
       authorization exec eem-scripts
       authorization commands eem-scripts
       authorization eventmanager default
       login authentication default
       session-timeout 0
       transport input none
       transport output none
      !
      vty-pool eem 100 105 line-template eem-scripts

1 - First I get an error for the namespace,

      RP/0/RSP0/CPU0:Nov 11 10:00:28.568 : syslog_dev[94]: noscan: unknown namespace in import pattern "::cisco::fm::*" 

      I changed it to ::cisco::eem::

2 - Secondly it gives an error about execution time,

      RP/0/RSP0/CPU0:Nov 11 09:58:04.981 : eem_server[205]: %HA-HA_EM-6-FMS_POLICY_TIMEOUT : Policy 'lpts-threshold-alerting.tcl' has hit its maximum execution time of 20.000000000 seconds, and so has been halted 

Then I changed the maxrun parameter to 60s

      ::cisco::eem::event_register_timer watchdog name lptsCheckTimer time $EEM_LPTS_CHECK_INTERVAL maxrun 60

       

      Cisco Employee

      Hi Deniz,

      the changes you have made are very sound! nice find!

      cheers

      xander

      Community Member

Thanks a lot, but I forgot to ask why it's taking more than 20s to get the CLI output of lpts pifib? On a regular CLI session it's not more than 1s and I am testing on an empty test platform.

      Cisco Employee

Obviously I haven't done the analysis as to where the time is spent, whether it is in the cli open, the capture of the info or the parsing of it. But 20 seconds seems or should be more than enough realistically.

      it could be as simple as a "page more" type of thing that can be negated with a pipe include in the show fetch.

      Another option is to put some puts statements in the script so we can see where the time is spent and optimize where possible.

      also try to see if a CLI no term length when the script is started helps there.

      cheers!

      xander

      Community Member

      Hi Xander,

      I am not giving up:)

      I added some puts to the script, I found that it took ~15s to open a CLI session.

      puts "OPENING CLI"

      if [catch {cli_open} result] {
       error $result $errorInfo
      } else {
       array set cli $result
      }

      puts "CLI OPENED"

      Some debug.

      RP/0/RSP0/CPU0:Nov 13 10:31:40.621 : syslog_dev[94]: noscan: OPENING CLI 
      RP/0/RSP0/CPU0:Nov 13 10:31:40.624 : eem_policy_dir[204]: fh_edm_get_fn: Invoked for item_name policy/lpts-threshold-alerting.tcl. vec_entries-> total: 2, valid 1
      RP/0/RSP0/CPU0:Nov 13 10:31:40.624 : eem_policy_dir[204]: fh_edm_get_fn: Sending username eem-scripts for policy lpts-threshold-alerting.tcl
      RP/0/RSP0/CPU0:Nov 13 10:31:40.627 : eem_policy_dir[204]: fh_edm_set_fn called with item_name user/lpts-threshold-alerting.tcl/eem-scripts pid value 205304128
      RP/0/RSP0/CPU0:Nov 13 10:31:40.627 : eem_policy_dir[204]: Updated pid field (205304128) for policy lpts-threshold-alerting.tcl, user eem-scripts
      RP/0/RSP0/CPU0:Nov 13 10:31:43.660 : wdsysmon[441]: fh_process_sync:149 msg type :106 :FH_MSG_WD_SHOW_READ_LEN
      RP/0/RSP0/CPU0:Nov 13 10:31:43.660 : wdsysmon[441]: fh_process_sync: Trying to read len
      RP/0/RSP0/CPU0:Nov 13 10:31:43.667 : wdsysmon[441]: fh_fd_wdsysmon_show_read_len: DB Ready len = 88336
      RP/0/RSP0/CPU0:Nov 13 10:31:43.686 : wdsysmon[441]: fh_process_sync:149 msg type :104 :FH_MSG_WD_SHOW_READ
      RP/0/RSP0/CPU0:Nov 13 10:31:45.654 : eem_ed_timer[201]: fh_fd_timer_get_realtime:  1415867505.654 
      RP/0/RSP0/CPU0:Nov 13 10:31:45.655 : eem_ed_timer[201]: fh_fd_msg_send_event: sending publish data:0:0
      RP/0/RSP0/CPU0:Nov 13 10:31:45.656 : eem_ed_timer[201]: fh_fd_timer_event_expire: re=0x5003d4c0
      RP/0/RSP0/CPU0:Nov 13 10:31:45.656 : eem_server[205]: received async FH_MSG_EVENT_PUBLISH fdid:15
      RP/0/RSP0/CPU0:Nov 13 10:31:45.657 : eem_server[205]: EEM: server processes multi events: esid=36
      RP/0/RSP0/CPU0:Nov 13 10:31:45.657 : eem_server[205]: fms_chkpt_tbl_add: add chkpt obj 0x800fde18 from table 0x80001100successful
      RP/0/RSP0/CPU0:Nov 13 10:31:45.658 : eem_server[205]: EEM: server processes multi events: timewin=1, sync_flag=0, ec_index=0, cmp_occ=1
      RP/0/RSP0/CPU0:Nov 13 10:31:45.658 : eem_server[205]: EEM: server processes multi events: get correlate result esid=36
      RP/0/RSP0/CPU0:Nov 13 10:31:45.658 : eem_server[205]: EEM: ctx=36:(36,1,1)
      RP/0/RSP0/CPU0:Nov 13 10:31:45.658 : eem_server[205]: EEM: server processes multi events: corr_res=1, cur_tcnt=1, cmp_tcnt=1
      RP/0/RSP0/CPU0:Nov 13 10:31:45.658 : eem_server[205]: fms_chkpt_tbl_add: add chkpt obj 0x800fde38 from table 0x80004d00successful
      RP/0/RSP0/CPU0:Nov 13 10:31:45.659 : eem_server[205]: fms_chkpt_tbl_add: add chkpt obj 0x800fde58 from table 0x80004e00successful
      RP/0/RSP0/CPU0:Nov 13 10:31:45.659 : eem_server[205]: EEM: server processes multi events: schedule an event esid=36, corr_id=12471, grpid=36
      RP/0/RSP0/CPU0:Nov 13 10:31:45.660 : eem_server[205]: fms_chkpt_tbl_add: add chkpt obj 0x800fdf58 from table 0x80001a00successful
      RP/0/RSP0/CPU0:Nov 13 10:31:45.660 : eem_server[205]: EEM server schedules scripts
      RP/0/RSP0/CPU0:Nov 13 10:31:45.660 : eem_server[205]: fh_schedule_policy: prev_epc=0x0; epc=0x50546d08
      RP/0/RSP0/CPU0:Nov 13 10:31:45.661 : eem_server[205]: EEM: server has no available thread to service the policy class=default policy_type=script.
      RP/0/RSP0/CPU0:Nov 13 10:31:45.661 : eem_server[205]: EEM: server has no available thread to service the policy class=default policy_type=script.
      RP/0/RSP0/CPU0:Nov 13 10:31:45.661 : eem_server[205]: EEM: server has no available thread to service the policy class=default policy_type=script.
      .....

      RP/0/RSP0/CPU0:Nov 13 10:31:45.680 : eem_server[205]: EEM: server processes multi events: clean correlate data in ec: esid=36
      RP/0/RSP0/CPU0:Nov 13 10:31:45.680 : eem_server[205]: fms_chkpt_tbl_remove: delete chkpt obj 0x800fde18 from table 0x80001100successful
      RP/0/RSP0/CPU0:Nov 13 10:31:53.695 : wdsysmon[441]: fh_process_sync:149 msg type :106 :FH_MSG_WD_SHOW_READ_LEN
      RP/0/RSP0/CPU0:Nov 13 10:31:53.695 : wdsysmon[441]: fh_process_sync: Trying to read len
      RP/0/RSP0/CPU0:Nov 13 10:31:53.696 : wdsysmon[441]: fh_fd_wdsysmon_show_read_len: DB Ready len = 88612
      RP/0/RSP0/CPU0:Nov 13 10:31:53.697 : wdsysmon[441]: fh_process_sync:149 msg type :104 :FH_MSG_WD_SHOW_READ
      RP/0/RSP0/CPU0:Nov 13 10:31:55.655 : eem_ed_timer[201]: fh_fd_timer_get_realtime:  1415867515.655 
      RP/0/RSP0/CPU0:Nov 13 10:31:55.655 : eem_ed_timer[201]: fh_fd_msg_send_event: sending publish data:0:0
      RP/0/RSP0/CPU0:Nov 13 10:31:55.656 : eem_ed_timer[201]: fh_fd_timer_event_expire: re=0x5003d4c0
      RP/0/RSP0/CPU0:Nov 13 10:31:55.656 : eem_server[205]: received async FH_MSG_EVENT_PUBLISH fdid:15
      RP/0/RSP0/CPU0:Nov 13 10:31:55.656 : eem_server[205]: EEM: server processes multi events: esid=36
      RP/0/RSP0/CPU0:Nov 13 10:31:55.657 : eem_server[205]: fms_chkpt_tbl_add: add chkpt obj 0x800fde18 from table 0x80001100successful
      RP/0/RSP0/CPU0:Nov 13 10:31:55.657 : eem_server[205]: EEM: server processes multi events: timewin=1, sync_flag=0, ec_index=0, cmp_occ=1
      RP/0/RSP0/CPU0:Nov 13 10:31:55.657 : eem_server[205]: EEM: server processes multi events: get correlate result esid=36
      RP/0/RSP0/CPU0:Nov 13 10:31:55.657 : eem_server[205]: EEM: ctx=36:(36,1,1)
      RP/0/RSP0/CPU0:Nov 13 10:31:55.657 : eem_server[205]: EEM: server processes multi events: corr_res=1, cur_tcnt=1, cmp_tcnt=1
      RP/0/RSP0/CPU0:Nov 13 10:31:55.657 : eem_server[205]: fms_chkpt_tbl_add: add chkpt obj 0x800fddf8 from table 0x80004d00successful
      RP/0/RSP0/CPU0:Nov 13 10:31:55.658 : eem_server[205]: fms_chkpt_tbl_add: add chkpt obj 0x800fddd8 from table 0x80004e00successful
      RP/0/RSP0/CPU0:Nov 13 10:31:55.658 : eem_server[205]: EEM: server processes multi events: schedule an event esid=36, corr_id=12472, grpid=36
      RP/0/RSP0/CPU0:Nov 13 10:31:55.658 : eem_server[205]: fms_chkpt_tbl_add: add chkpt obj 0x800fddb8 from table 0x80001a00successful
      RP/0/RSP0/CPU0:Nov 13 10:31:55.659 : eem_server[205]: EEM server schedules scripts
      RP/0/RSP0/CPU0:Nov 13 10:31:55.658 : eem_server[205]: fh_schedule_policy: prev_epc=0x0; epc=0x504d42f8
      RP/0/RSP0/CPU0:Nov 13 10:31:55.659 : eem_server[205]: EEM: server has no available thread to service the policy class=default policy_type=script.
      ........

      RP/0/RSP0/CPU0:Nov 13 10:31:55.672 : eem_server[205]: EEM: server processes multi events: clean correlate data in ec: esid=36
      RP/0/RSP0/CPU0:Nov 13 10:31:55.672 : eem_server[205]: fms_chkpt_tbl_remove: delete chkpt obj 0x800fde18 from table 0x80001100successful
      RP/0/RSP0/CPU0:Nov 13 10:31:57.822 : syslog_dev[94]: noscan: CLI OPENED

       

      Regards

      Deniz.

      Cisco Employee

      Nice work Deniz! Ok that explains much of the delay already!

      What version of XR are you using here? That might be important to know, meanwhile I am trying to figure out if this is related to some known issue or what can be done about it.

      cheers!

      xander

      Community Member

      Hi Xander,

      we are using 5.1.2.

      cheers

      Deniz.

      Community Member

      Hi.

Does "Is Fragment       : 0"

mean there are no fragmented packets allowed, or do we allow them?

We use Cacti to monitor the ASR by SNMP. When Cacti does a bulk SNMP request for 100 OIDs, the server fragments it and the ASR receives these packets fragmented. And we think it drops them.

      Cisco Employee

      hi aleksey,

      this flag identifies whether frags are allowed or not. the issue is with a port level filter, subsequent frags are hard to identify as part of the flow since subsequent frags do not have the port level info anymore.

you could do a quick debug snmp packets and see if the request is received from that mgmt station.

      reassembly would happen in netio, so before it is handed to udp process and subsequently snmp.

      cheers

      xander

      Community Member

Thank you. Is there a way to set the "Is Fragment       : 0" flag to "1" (enable)?

      Cisco Employee

      It is a system parameter that is not configurable.

      it is a bit dangerous also because you effectively open everything up towards a particular destination.

      best is to fix the packet fragment from the mgmt station...

      cheers

      xander

      Community Member

Thanks again! I'll try.

       

      Community Member

      Hi Xander,

      What is the primary difference between the protocol-Default and protocol-known in the Flow type of the LPTS? Applying the ACL and rate limiting it does not work. Please guide us with in-depth understanding on this. 

In MPP, the IP address is not accepted with a subnet length and shows the error 'Stray bits in prefix-length of address' on a router running version 5.2.0. Is this still bug CSCts11467 being hit?

      Warm Regards.

      Cisco Employee

      see also cisco live id 2904 sanfran 2014 with some extensive detail on lpts.

      -default is hit for the protocol for which we have no explicit peer configured.

      -known would be hit in case we have say an ntp server defined, an ssh client, bgp neighbor etc.

      all non configured specific peers will hit the -default rate.

      xander

      Community Member

      Hi Xander,

      according to this link :

      https://supportforums.cisco.com/discussion/12270901/block-traceroute-through-ios-xr

I want to block icmp ttl-expired by setting the LPTS policer rate limit for the specific icmp ttl-expired flow to zero, and let the other icmp types be processed. Is that possible?

What is the difference between the flow types ICMP-local, ICMP-app, ICMP-control, ICMP-default and ICMP-app-default?

      Regards,

      Aditya

      Community Member

      Alexander, you said:

      The mgmt interfaces on the RSP are designated out of band. This means that they can't transport user traffic but only management traffic.

      Is it possible to convert these mgmt interfaces to inband, like this?

      control-plane
      management-plane
      inband
      interface MgmtEth0/RSP1/CPU0/0
      !
      !
      !

      And, if not possible, any thoughts on how we can tackle the following problem?

      We want to manage our ASR routers via an out-of-band network on the mgmt interfaces. As the ME switches in the datacenter are too thinly spread to connect their out-of-band interfaces to this dedicated network, we want to manage them inband using a dedicated L3VPN. This requires L3 connectivity between the L3VPN and the mgmt interface...

      Cisco Employee

hi tom, you can't convert them to inband, but you can allow them to route through, however I would not recommend this.

      By default the system will NOT route through the mgmt ethernet port.

      Say, you have a static default route pointing out the mgmt ethernet. That means that traffic arriving from a linecard for which we have no destination specifically in the FIB will NOT get forwarded to the RSP for egressing the mgmt port.

      Traffic ingress on LC will get dropped by the NP in that case.

      Same deal for traffic arriving in the MGMT port, it will not get forwarded out to a linecard either.

      You can override that behavior, for testing purposes with the command :

      rp mgmtethernet forwarding

      xander

      Community Member

      Thank you for your quick response! It seems you also explained it here: https://supportforums.cisco.com/discussion/11840376/use-management-ethernet-port-asr9000

      Community Member

      Is it possible to use LPTS (or maybe CoPP / MPP) to reduce the impact of DNS DDoS attacks?  Basically, we want to perform rate limiting in hardware.

      Thanks.

      -ben

      Cisco Employee

      sure thing that is possible Ben!!

      check cisco live id 2904 from sandiego 2015 and sanfran 2014 I had a specific section there on the NTP DDOS, but similar approach exists for DNS (if locally targeted) too.

      if not locally targeted, but transit, then you can use BGP flowSPEC to define a rule and police or redirect that particular traffic very powerful!

      xander

      Community Member

      Found it!  Pages 42-45 from 2014 SanFran.  Thanks Xander!

      -ben

      Community Member

      Hi Xander, thanks for sharing this doc, it's very useful.

      Is it possible to know the LPTS punt police default NPU values for ARP protocol?

We have to migrate a service with faster arp learning and we need to know if the default is OK or if we need to configure LPTS before migration.

      Thanks again!

      Juan.

      Cisco Employee

      hey juan,

      ARP can be adjusted as follows:

      RP/0/RSP0/CPU0:A9K-BNG(config)#lpts punt police location 0/0/CPU0 protocol arp

      Currently arp is set for 1000 pps:

      ARP                     ARP                     1000       200        263                  0                    Local               

      Although be conservative increasing this number. we are working on some arp improvements with sanity checks etc as ARP is busting GSP (group service protocol, to distribute arp information) to the max. Some of these improvements have made it in XR533, some of them will follow later in XR6

      cheers!

      xander
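The EEM threshold check Deniz is setting up above (EEM_LPTS_CHECK_THRESHOLD of 10% over the LPTS policer counters) and the ARP policer line Xander pastes in this reply can be combined into one offline check. This is an added example, not the forum's lpts-threshold-alerting.tcl nor any Cisco code; it assumes the counter lines have the column order FlowType, Policer, Rate (pps), Burst, Accepted, Dropped, Scope, matching the ARP line above, and the sample output below is constructed.

```python
"""Offline LPTS policer drop-ratio check (added example, not Cisco code).

Assumed column order per counter line (taken from the ARP line in the thread):
FlowType  Policer  Rate(pps)  Burst  Accepted  Dropped  Scope
"""
from dataclasses import dataclass
from fnmatch import fnmatch

# Constructed sample output modelled on the ARP line posted in the thread.
SAMPLE_OUTPUT = """\
FlowType                Policer                 Rate       Burst      Accepted             Dropped              Scope
------------------------------------------------------------------------------------------------------------------------
ARP                     ARP                     1000       200        263                  0                    Local
BGP-known               BGP-known               25000      1000       120433               0                    Local
BGP-default             BGP-default             100        100        4000                 600                  Local
Fragment                Fragment                1000       200        0                    0                    Local
ICMP-default            ICMP-default            500        100        12                   9                    Local
"""


@dataclass
class PolicerStats:
    flow_type: str
    rate_pps: int
    accepted: int
    dropped: int

    @property
    def drop_ratio(self) -> float:
        # A policer that has seen no packets at all has no meaningful ratio.
        total = self.accepted + self.dropped
        return self.dropped / total if total else 0.0


def parse_police_output(text: str) -> list:
    """Parse counter lines; header, separator and banner lines are skipped."""
    stats = []
    for line in text.splitlines():
        parts = line.split()
        # Counter lines have at least 7 fields and a numeric rate in column 3.
        if len(parts) < 7 or not parts[2].isdigit():
            continue
        stats.append(PolicerStats(parts[0], int(parts[2]), int(parts[4]), int(parts[5])))
    return stats


def parse_threshold(value: str) -> float:
    """Accept the EEM style '10%' as well as a plain fraction such as '0.1'."""
    v = value.strip()
    return float(v[:-1]) / 100.0 if v.endswith("%") else float(v)


def check_thresholds(stats: list, flowtypes: str = "*", threshold: str = "10%") -> list:
    """Return (flow_type, drop_ratio) for every selected flow type whose
    dropped/(accepted+dropped) ratio reaches the threshold.

    flowtypes mirrors EEM_LPTS_CHECK_FLOWTYPES: a space separated list of
    shell style patterns, '*' meaning every flow type.
    """
    limit = parse_threshold(threshold)
    patterns = flowtypes.split()
    alerts = []
    for s in stats:
        if not any(fnmatch(s.flow_type, p) for p in patterns):
            continue
        if s.dropped and s.drop_ratio >= limit:
            alerts.append((s.flow_type, round(s.drop_ratio, 3)))
    return alerts


if __name__ == "__main__":
    for flow, ratio in check_thresholds(parse_police_output(SAMPLE_OUTPUT)):
        print(f"LPTS drop threshold exceeded: {flow} dropping {ratio:.1%}")
```

Because LPTS policers are per NP, the same check would be run against the output of each location you care about, as the EEM_LPTS_CHECK_LOCATIONS variable in Deniz's configuration does.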

      Community Member

      thanks for the quick answer Xander!

      Community Member

Hi Xander,

can you explain a little bit how LPTS is related to protecting from broadcast storms? In IOS XR we can protect a bridge-domain by introducing storm-control, but we can not do it on a per physical interface basis. Meaning, what exactly happens when there is an L2 loop which generates a broadcast storm on an ASR physical interface and how does the ASR resolve it? For example, the 7609 platform would regularly crash in similar situations without protection.

      Thank you very much

      Cisco Employee

      Let me take a stab at it. :)

      LPTS applies to all packets that the router considers a "for us" packet, i.e. a packet that is directed to the router itself. If in the L2 bridge domain you don't have a routed interface (BVI), broadcasts will never be punted so LPTS doesn't come into the picture.

      If you have a BVI in the BD, all broadcast packets will be punted by the NP microcode through LPTS. The specific per-protocol policers that exist by default in LPTS will rate-limit the punted packets, to protect the LC or RP CPU from overload.

      The ARP use-case scenario is explained in https://supportforums.cisco.com/document/12766486/troubleshooting-arp-asr9000-routers. The other protocols work in very similar way.

      hope this helps,

      Aleksandar

      Community Member

      Hello, 

OK. But let's see the following situation. I have an ASR9k connected to a switch via a trunk interface. From that switch a broadcast storm happens and it is propagated toward the ASR9k interfaces. The interface config on the ASR is:

      interface GigabitEthernet0/0/0/2
      description sw-lab-1##Gi0/15#(3400-12)
      cdp
      service-policy output QOS_METRO_OUT
      negotiation auto
      load-interval 30
      transceiver permit pid all
      !
      interface GigabitEthernet0/0/0/2.5
      description IPTV
      ipv4 address 172.26.38.36 255.255.255.224
      shutdown
      load-interval 30
      encapsulation dot1q 5
      !
      interface GigabitEthernet0/0/0/2.1905 l2transport
      description L2VPN-P2P
      encapsulation dot1q 1905
      rewrite ingress tag pop 1 symmetric
      !
      interface GigabitEthernet0/0/0/2.1908 l2transport
      description VPLS
      encapsulation dot1q 1908
      rewrite ingress tag pop 1 symmetric
      service-policy input BS_VPN_2M
      !
      interface GigabitEthernet0/0/0/2.2019
      description L3VPN
      vrf ACS
      ipv4 address 10.128.127.2 255.255.255.240
      encapsulation dot1q 2019

When we experience the broadcast storm we see global routing flaps, we see NSR log messages and it definitely influences overall performance. Since we can not implement storm-control on the physical interface, how can we protect against such behaviour? Here are some log messages from the affected ASR:

      RP/0/RSP0/CPU0:ASR-9K-LAB#RP/0/RSP0/CPU0:May 18 12:33:32.948 : tcp[445]: %IP-TCP_NSR-5-DISABLED : 85.94.144.18:27998 <-> 85.94.144.13:646:: NSR disabled for TCP connection because Retransmission threshold exceeded
      RP/0/RSP0/CPU0:May 18 12:33:35.051 : mpls_ldp[1192]: %ROUTING-LDP-5-NSR_SYNC_START : Initial synchronization started for 1 peers
      RP/0/RSP0/CPU0:May 18 12:33:56.600 : tcp[445]: %IP-TCP_NSR-5-DISABLED : 85.94.144.18:27998 <-> 85.94.144.13:646:: NSR disabled for TCP connection because Retransmission threshold exceeded
      RP/0/RSP0/CPU0:May 18 12:33:58.704 : mpls_ldp[1192]: %ROUTING-LDP-5-NSR_SYNC_START : Initial synchronization started for 1 peers
      RP/0/RSP0/CPU0:May 18 12:34:00.085 : ospf[1018]: %ROUTING-OSPF-5-ADJCHG : Process 1, Nbr 85.94.144.2 on GigabitEthernet0/0/0/0 in area 0 from FULL to DOWN, Neighbor Down: dead timer expired, vrf default vrfid 0x60000000
      LC/0/0/CPU0:May 18 12:34:00.089 : bfd_agent[125]: %L2-BFD-6-SESSION_REMOVED : BFD session to neighbor 85.94.144.237 on interface GigabitEthernet0/0/0/0 has been removed
      RP/0/RSP0/CPU0:May 18 12:34:01.139 : ipv4_rib[1160]: %ROUTING-RIB-7-SERVER_ROUTING_DEPTH : Recursion loop looking up prefix 195.29.110.201 in Vrf: "default" Tbl: "default" Safi: "Unicast" added by bgp
      RP/0/RSP1/CPU0:May 18 12:34:01.152 : ipv4_rib[1160]: %ROUTING-RIB-7-SERVER_ROUTING_DEPTH : Recursion loop looking up prefix 195.29.110.201 in Vrf: "default" Tbl: "default" Safi: "Unicast" added by bgp
      RP/0/RSP0/CPU0:May 18 12:34:01.354 : ospf[1018]: %ROUTING-OSPF-5-ADJCHG : Process 1, Nbr 85.94.144.2 on GigabitEthernet0/0/0/0 in area 0 from DOWN to INIT, Received Hello, vrf default vrfid 0x60000000
      RP/0/RSP0/CPU0:May 18 12:34:01.354 : ospf[1018]: %ROUTING-OSPF-5-ADJCHG : Process 1, Nbr 85.94.144.2 on GigabitEthernet0/0/0/0 in area 0 from INIT to 2WAY, 2-Way Received, vrf default vrfid 0x60000000
      RP/0/RSP0/CPU0:May 18 12:34:01.354 : ospf[1018]: %ROUTING-OSPF-5-ADJCHG : Process 1, Nbr 85.94.144.2 on GigabitEthernet0/0/0/0 in area 0 from 2WAY to EXSTART, AdjOK?, vrf default vrfid 0x60000000
      RP/0/RSP0/CPU0:May 18 12:34:01.358 : ospf[1018]: %ROUTING-OSPF-5-ADJCHG : Process 1, Nbr 85.94.144.2 on GigabitEthernet0/0/0/0 in area 0 from EXSTART to EXCHANGE, Negotiation Done, vrf default vrfid 0x60000000
      RP/0/RSP0/CPU0:May 18 12:34:01.381 : ospf[1018]: %ROUTING-OSPF-5-ADJCHG : Process 1, Nbr 85.94.144.2 on GigabitEthernet0/0/0/0 in area 0 from EXCHANGE to LOADING, Exchange Done, vrf default vrfid 0x60000000
      RP/0/RSP0/CPU0:May 18 12:34:01.384 : ospf[1018]: %ROUTING-OSPF-5-ADJCHG : Process 1, Nbr 85.94.144.2 on GigabitEthernet0/0/0/0 in area 0 from LOADING to FULL, Loading Done, vrf default vrfid 0x60000000
      LC/0/0/CPU0:May 18 12:34:01.390 : bfd_agent[125]: %L2-BFD-6-SESSION_DAMPENING_ON : Session to neighbor 85.94.144.237 on interface GigabitEthernet0/0/0/0 entered Dampened state (initial: 2000 ms,secondary: 5000 ms,maximum: 120000 ms).
      RP/0/RSP0/CPU0:May 18 12:34:05.384 : ospf[1018]: %ROUTING-OSPF-5-ADJCHG : Process 1, Nbr 85.94.144.2 on GigabitEthernet0/0/0/0 in area 0 from FULL to DOWN, Neighbor Down: dead timer expired, vrf default vrfid 0x60000000
      RP/0/RSP0/CPU0:May 18 12:34:06.113 : ospf[1018]: %ROUTING-OSPF-5-ADJCHG : Process 1, Nbr 85.94.144.2 on GigabitEthernet0/0/0/0 in area 0 from DOWN to INIT, Received Hello, vrf default vrfid 0x60000000
      RP/0/RSP0/CPU0:May 18 12:34:06.113 : ospf[1018]: %ROUTING-OSPF-5-ADJCHG : Process 1, Nbr 85.94.144.2 on GigabitEthernet0/0/0/0 in area 0 from INIT to 2WAY, 2-Way Received, vrf default vrfid 0x60000000
      RP/0/RSP0/CPU0:May 18 12:34:06.113 : ospf[1018]: %ROUTING-OSPF-5-ADJCHG : Process 1, Nbr 85.94.144.2 on GigabitEthernet0/0/0/0 in area 0 from 2WAY to EXSTART, AdjOK?, vrf default vrfid 0x60000000
      RP/0/RSP0/CPU0:May 18 12:34:06.115 : ospf[1018]: %ROUTING-OSPF-5-ADJCHG : Process 1, Nbr 85.94.144.2 on GigabitEthernet0/0/0/0 in area 0 from EXSTART to EXCHANGE, Negotiation Done, vrf default vrfid 0x60000000
