[c-nsp] IOS XR LPTS is it possible to whitelist an IP address
Saku Ytti
saku at ytti.fi
Fri Aug 8 04:12:35 EDT 2025
I don't think so. But I'm not 100% confident.

I don't see a particular problem in the approach you chose, where you
change the policer. Why are you looking into whitelisting specific IPs
rather than just tune the policer?

LPTS rules are dynamically generated, there isn't "any/any -> SNMP
permit" on the box. The policer should not be hit by an unknown IP
address (provided you didn't explicitly allow this in your inband
config), only your configured SNMP addresses should have access to the
policer.

You can review what packets can reach the SNMP policer with 'show lpts
pifib entry location X'.

On Thu, 7 Aug 2025 at 16:26, Drew Weaver via cisco-nsp
<cisco-nsp at puck.nether.net> wrote:
>
> Okay so I've been having an issue where 60% of our SNMP polls are being gleefully dumped by an ASR9902 running IOS XR 24.4.2 due to the default hidden LPTS policer configuration (that you can't see).
>
> I'm not really here to argue about the design; I'm mostly just depressed by all of that discussion at this point.
>
> What I really need to know is if it is possible to simply allow an IP address to bypass the policer for SNMP traffic?
>
> I've now asked TAC this question directly 5 times and they won't answer it.
>
> It's funny that simply using the mgmteth ports allows you to bypass all of these very important and very demure policers that need to exist otherwise the box will explode but that there doesn't appear to be any way to simply apply that same level of recklessness to inline traffic.
>
> Thanks if anyone knows.
> Lol
> -Drew
--
++ytti